2 * Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010
3 * Free Software Foundation, Inc.
5 * Author: Nikos Mavrogiannopoulos
7 * This file is part of GNUTLS.
9 * The GNUTLS library is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Lesser General Public License
11 * as published by the Free Software Foundation; either version 2.1 of
12 * the License, or (at your option) any later version.
14 * This library is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * Lesser General Public License for more details.
19 * You should have received a copy of the GNU Lesser General Public
20 * License along with this library; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
26 /* Functions to manipulate the session (gnutls_int.h), and some other stuff
27 * are included here. The file's name is traditionally gnutls_state even if the
28 * state has been renamed to session.
31 #include <gnutls_int.h>
32 #include <gnutls_errors.h>
33 #include <gnutls_auth.h>
34 #include <gnutls_num.h>
35 #include <gnutls_datum.h>
36 #include <gnutls_db.h>
37 #include <gnutls_record.h>
38 #include <gnutls_handshake.h>
39 #include <gnutls_dh.h>
40 #include <gnutls_buffers.h>
41 #include <gnutls_state.h>
42 #include <auth_cert.h>
43 #include <auth_anon.h>
45 #include <gnutls_algorithms.h>
46 #include <gnutls_rsa_export.h>
48 /* These should really be static, but src/tests.c calls them. Make
49 them public functions? */
51 _gnutls_record_set_default_version (gnutls_session_t session
,
52 unsigned char major
, unsigned char minor
);
54 _gnutls_rsa_pms_set_version (gnutls_session_t session
,
55 unsigned char major
, unsigned char minor
);
58 _gnutls_session_cert_type_set (gnutls_session_t session
,
59 gnutls_certificate_type_t ct
)
61 session
->security_parameters
.cert_type
= ct
;
66 * @session: is a #gnutls_session_t structure.
68 * Get currently used cipher.
70 * Returns: the currently used cipher, a #gnutls_cipher_algorithm_t
73 gnutls_cipher_algorithm_t
74 gnutls_cipher_get (gnutls_session_t session
)
76 return session
->security_parameters
.read_bulk_cipher_algorithm
;
80 * gnutls_certificate_type_get:
81 * @session: is a #gnutls_session_t structure.
83 * The certificate type is by default X.509, unless it is negotiated
86 * Returns: the currently used #gnutls_certificate_type_t certificate
89 gnutls_certificate_type_t
90 gnutls_certificate_type_get (gnutls_session_t session
)
92 return session
->security_parameters
.cert_type
;
97 * @session: is a #gnutls_session_t structure.
99 * Get currently used key exchange algorithm.
101 * Returns: the key exchange algorithm used in the last handshake, a
102 * #gnutls_kx_algorithm_t value.
104 gnutls_kx_algorithm_t
105 gnutls_kx_get (gnutls_session_t session
)
107 return session
->security_parameters
.kx_algorithm
;
112 * @session: is a #gnutls_session_t structure.
114 * Get currently used MAC algorithm.
116 * Returns: the currently used mac algorithm, a
117 * #gnutls_mac_algorithm_t value.
119 gnutls_mac_algorithm_t
120 gnutls_mac_get (gnutls_session_t session
)
122 return session
->security_parameters
.read_mac_algorithm
;
126 * gnutls_compression_get:
127 * @session: is a #gnutls_session_t structure.
129 * Get currently used compression algorithm.
131 * Returns: the currently used compression method, a
132 * #gnutls_compression_method_t value.
134 gnutls_compression_method_t
135 gnutls_compression_get (gnutls_session_t session
)
137 return session
->security_parameters
.read_compression_algorithm
;
140 /* Check if the given certificate type is supported.
141 * This means that it is enabled by the priority functions,
142 * and a matching certificate exists.
145 _gnutls_session_cert_type_supported (gnutls_session_t session
,
146 gnutls_certificate_type_t cert_type
)
149 unsigned cert_found
= 0;
150 gnutls_certificate_credentials_t cred
;
152 if (session
->security_parameters
.entity
== GNUTLS_SERVER
)
154 cred
= (gnutls_certificate_credentials_t
)
155 _gnutls_get_cred (session
->key
, GNUTLS_CRD_CERTIFICATE
, NULL
);
158 return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE
;
160 if (cred
->server_get_cert_callback
== NULL
)
162 for (i
= 0; i
< cred
->ncerts
; i
++)
164 if (cred
->cert_list
[i
][0].cert_type
== cert_type
)
172 /* no certificate is of that type.
174 return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE
;
178 if (session
->internals
.priorities
.cert_type
.algorithms
== 0
179 && cert_type
== DEFAULT_CERT_TYPE
)
182 for (i
= 0; i
< session
->internals
.priorities
.cert_type
.algorithms
; i
++)
184 if (session
->internals
.priorities
.cert_type
.priority
[i
] == cert_type
)
190 return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE
;
194 /* this function deinitializes all the internal parameters stored
195 * in a session struct.
198 deinit_internal_params (gnutls_session_t session
)
200 if (session
->internals
.params
.free_dh_params
)
201 gnutls_dh_params_deinit (session
->internals
.params
.dh_params
);
203 if (session
->internals
.params
.free_rsa_params
)
204 gnutls_rsa_params_deinit (session
->internals
.params
.rsa_params
);
206 _gnutls_handshake_hash_buffers_clear (session
);
208 memset (&session
->internals
.params
, 0, sizeof (session
->internals
.params
));
211 /* This function will clear all the variables in internals
212 * structure within the session, which depend on the current handshake.
213 * This is used to allow further handshakes.
216 _gnutls_handshake_internal_state_init (gnutls_session_t session
)
218 session
->internals
.extensions_sent_size
= 0;
220 /* by default no selected certificate */
221 session
->internals
.proposed_record_size
= DEFAULT_MAX_RECORD_SIZE
;
222 session
->internals
.adv_version_major
= 0;
223 session
->internals
.adv_version_minor
= 0;
224 session
->internals
.v2_hello
= 0;
225 memset (&session
->internals
.handshake_header_buffer
, 0,
226 sizeof (handshake_header_buffer_st
));
227 session
->internals
.adv_version_minor
= 0;
228 session
->internals
.adv_version_minor
= 0;
229 session
->internals
.direction
= 0;
230 session
->internals
.safe_renegotiation_received
= 0;
232 /* use out of band data for the last
233 * handshake messages received.
235 session
->internals
.last_handshake_in
= -1;
236 session
->internals
.last_handshake_out
= -1;
238 session
->internals
.resumable
= RESUME_TRUE
;
242 _gnutls_handshake_internal_state_clear (gnutls_session_t session
)
244 _gnutls_handshake_internal_state_init (session
);
246 _gnutls_free_datum (&session
->internals
.recv_buffer
);
248 deinit_internal_params (session
);
252 #define MIN_DH_BITS 727
255 * @con_end: indicate if this session is to be used for server or client.
256 * @session: is a pointer to a #gnutls_session_t structure.
258 * This function initializes the current session to null. Every
259 * session must be initialized before use, so internal structures can
260 * be allocated. This function allocates structures which can only
261 * be free'd by calling gnutls_deinit(). Returns zero on success.
263 * @con_end can be one of %GNUTLS_CLIENT and %GNUTLS_SERVER.
265 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
268 gnutls_init (gnutls_session_t
* session
, gnutls_connection_end_t con_end
)
270 *session
= gnutls_calloc (1, sizeof (struct gnutls_session_int
));
271 if (*session
== NULL
)
272 return GNUTLS_E_MEMORY_ERROR
;
274 (*session
)->security_parameters
.entity
= con_end
;
276 /* the default certificate type for TLS */
277 (*session
)->security_parameters
.cert_type
= DEFAULT_CERT_TYPE
;
279 /* Set the defaults for initial handshake */
280 (*session
)->security_parameters
.read_bulk_cipher_algorithm
=
281 (*session
)->security_parameters
.write_bulk_cipher_algorithm
=
284 (*session
)->security_parameters
.read_mac_algorithm
=
285 (*session
)->security_parameters
.write_mac_algorithm
= GNUTLS_MAC_NULL
;
287 (*session
)->security_parameters
.read_compression_algorithm
=
289 (*session
)->security_parameters
.write_compression_algorithm
=
292 (*session
)->internals
.enable_private
= 0;
294 /* Initialize buffers */
295 _gnutls_buffer_init (&(*session
)->internals
.application_data_buffer
);
296 _gnutls_buffer_init (&(*session
)->internals
.handshake_data_buffer
);
297 _gnutls_buffer_init (&(*session
)->internals
.handshake_hash_buffer
);
298 _gnutls_buffer_init (&(*session
)->internals
.ia_data_buffer
);
300 _gnutls_buffer_init (&(*session
)->internals
.record_send_buffer
);
301 _gnutls_buffer_init (&(*session
)->internals
.record_recv_buffer
);
303 _gnutls_buffer_init (&(*session
)->internals
.handshake_send_buffer
);
304 _gnutls_buffer_init (&(*session
)->internals
.handshake_recv_buffer
);
306 (*session
)->key
= gnutls_calloc (1, sizeof (struct gnutls_key_st
));
307 if ((*session
)->key
== NULL
)
310 gnutls_free (*session
);
312 return GNUTLS_E_MEMORY_ERROR
;
315 (*session
)->internals
.expire_time
= DEFAULT_EXPIRE_TIME
; /* one hour default */
317 gnutls_dh_set_prime_bits ((*session
), MIN_DH_BITS
);
319 gnutls_transport_set_lowat ((*session
), DEFAULT_LOWAT
); /* the default for tcp */
321 gnutls_handshake_set_max_packet_length ((*session
),
322 MAX_HANDSHAKE_PACKET_SIZE
);
324 /* Allocate a minimum size for recv_data
325 * This is allocated in order to avoid small messages, making
326 * the receive procedure slow.
328 if (_gnutls_buffer_resize (&(*session
)->internals
.record_recv_buffer
,
329 INITIAL_RECV_BUFFER_SIZE
))
331 gnutls_free ((*session
)->key
);
332 goto cleanup_session
;
335 /* set the socket pointers to -1;
337 (*session
)->internals
.transport_recv_ptr
= (gnutls_transport_ptr_t
) - 1;
338 (*session
)->internals
.transport_send_ptr
= (gnutls_transport_ptr_t
) - 1;
340 /* set the default maximum record size for TLS
342 (*session
)->security_parameters
.max_record_recv_size
=
343 DEFAULT_MAX_RECORD_SIZE
;
344 (*session
)->security_parameters
.max_record_send_size
=
345 DEFAULT_MAX_RECORD_SIZE
;
347 /* everything else not initialized here is initialized
348 * as NULL or 0. This is why calloc is used.
351 _gnutls_handshake_internal_state_init (*session
);
356 /* returns RESUME_FALSE or RESUME_TRUE.
359 _gnutls_session_is_resumable (gnutls_session_t session
)
361 return session
->internals
.resumable
;
367 * @session: is a #gnutls_session_t structure.
369 * This function clears all buffers associated with the @session.
370 * This function will also remove session data from the session
371 * database if the session was terminated abnormally.
374 gnutls_deinit (gnutls_session_t session
)
380 /* remove auth info firstly */
381 _gnutls_free_auth_info (session
);
383 _gnutls_handshake_internal_state_clear (session
);
384 _gnutls_handshake_io_buffer_clear (session
);
386 _gnutls_free_datum (&session
->connection_state
.read_mac_secret
);
387 _gnutls_free_datum (&session
->connection_state
.write_mac_secret
);
389 _gnutls_buffer_clear (&session
->internals
.ia_data_buffer
);
390 _gnutls_buffer_clear (&session
->internals
.handshake_hash_buffer
);
391 _gnutls_buffer_clear (&session
->internals
.handshake_data_buffer
);
392 _gnutls_buffer_clear (&session
->internals
.application_data_buffer
);
393 _gnutls_buffer_clear (&session
->internals
.record_recv_buffer
);
394 _gnutls_buffer_clear (&session
->internals
.record_send_buffer
);
396 gnutls_credentials_clear (session
);
397 _gnutls_selected_certs_deinit (session
);
399 _gnutls_cipher_deinit (&session
->connection_state
.read_cipher_state
);
400 _gnutls_cipher_deinit (&session
->connection_state
.write_cipher_state
);
402 if (session
->connection_state
.read_compression_state
!= NULL
)
403 _gnutls_comp_deinit (session
->connection_state
.read_compression_state
, 1);
404 if (session
->connection_state
.write_compression_state
!= NULL
)
405 _gnutls_comp_deinit (session
->connection_state
.write_compression_state
,
408 _gnutls_free_datum (&session
->cipher_specs
.server_write_mac_secret
);
409 _gnutls_free_datum (&session
->cipher_specs
.client_write_mac_secret
);
410 _gnutls_free_datum (&session
->cipher_specs
.server_write_IV
);
411 _gnutls_free_datum (&session
->cipher_specs
.client_write_IV
);
412 _gnutls_free_datum (&session
->cipher_specs
.server_write_key
);
413 _gnutls_free_datum (&session
->cipher_specs
.client_write_key
);
415 if (session
->key
!= NULL
)
417 _gnutls_mpi_release (&session
->key
->KEY
);
418 _gnutls_mpi_release (&session
->key
->client_Y
);
419 _gnutls_mpi_release (&session
->key
->client_p
);
420 _gnutls_mpi_release (&session
->key
->client_g
);
422 _gnutls_mpi_release (&session
->key
->u
);
423 _gnutls_mpi_release (&session
->key
->a
);
424 _gnutls_mpi_release (&session
->key
->x
);
425 _gnutls_mpi_release (&session
->key
->A
);
426 _gnutls_mpi_release (&session
->key
->B
);
427 _gnutls_mpi_release (&session
->key
->b
);
430 _gnutls_mpi_release (&session
->key
->rsa
[0]);
431 _gnutls_mpi_release (&session
->key
->rsa
[1]);
433 _gnutls_mpi_release (&session
->key
->dh_secret
);
434 gnutls_free (session
->key
);
439 gnutls_free (session
->internals
.srp_username
);
441 if (session
->internals
.srp_password
)
443 memset (session
->internals
.srp_password
, 0,
444 strlen (session
->internals
.srp_password
));
445 gnutls_free (session
->internals
.srp_password
);
448 gnutls_free (session
->security_parameters
.extensions
.session_ticket
);
449 gnutls_free (session
->internals
.resumed_security_parameters
.
450 extensions
.session_ticket
);
452 memset (session
, 0, sizeof (struct gnutls_session_int
));
453 gnutls_free (session
);
456 /* Returns the minimum prime bits that are acceptable.
459 _gnutls_dh_get_allowed_prime_bits (gnutls_session_t session
)
461 return session
->internals
.dh_prime_bits
;
465 _gnutls_dh_set_peer_public (gnutls_session_t session
, bigint_t
public)
470 switch (gnutls_auth_get_type (session
))
472 case GNUTLS_CRD_ANON
:
474 anon_auth_info_t info
;
475 info
= _gnutls_get_auth_info (session
);
477 return GNUTLS_E_INTERNAL_ERROR
;
484 psk_auth_info_t info
;
485 info
= _gnutls_get_auth_info (session
);
487 return GNUTLS_E_INTERNAL_ERROR
;
492 case GNUTLS_CRD_CERTIFICATE
:
494 cert_auth_info_t info
;
496 info
= _gnutls_get_auth_info (session
);
498 return GNUTLS_E_INTERNAL_ERROR
;
505 return GNUTLS_E_INTERNAL_ERROR
;
508 if (dh
->public_key
.data
)
509 _gnutls_free_datum (&dh
->public_key
);
511 ret
= _gnutls_mpi_dprint_lz (public, &dh
->public_key
);
522 _gnutls_dh_set_secret_bits (gnutls_session_t session
, unsigned bits
)
524 switch (gnutls_auth_get_type (session
))
526 case GNUTLS_CRD_ANON
:
528 anon_auth_info_t info
;
529 info
= _gnutls_get_auth_info (session
);
531 return GNUTLS_E_INTERNAL_ERROR
;
532 info
->dh
.secret_bits
= bits
;
537 psk_auth_info_t info
;
538 info
= _gnutls_get_auth_info (session
);
540 return GNUTLS_E_INTERNAL_ERROR
;
541 info
->dh
.secret_bits
= bits
;
544 case GNUTLS_CRD_CERTIFICATE
:
546 cert_auth_info_t info
;
548 info
= _gnutls_get_auth_info (session
);
550 return GNUTLS_E_INTERNAL_ERROR
;
552 info
->dh
.secret_bits
= bits
;
556 return GNUTLS_E_INTERNAL_ERROR
;
563 /* This function will set in the auth info structure the
564 * RSA exponent and the modulus.
567 _gnutls_rsa_export_set_pubkey (gnutls_session_t session
,
568 bigint_t exponent
, bigint_t modulus
)
570 cert_auth_info_t info
;
573 info
= _gnutls_get_auth_info (session
);
575 return GNUTLS_E_INTERNAL_ERROR
;
577 if (info
->rsa_export
.modulus
.data
)
578 _gnutls_free_datum (&info
->rsa_export
.modulus
);
580 if (info
->rsa_export
.exponent
.data
)
581 _gnutls_free_datum (&info
->rsa_export
.exponent
);
583 ret
= _gnutls_mpi_dprint_lz (modulus
, &info
->rsa_export
.modulus
);
590 ret
= _gnutls_mpi_dprint_lz (exponent
, &info
->rsa_export
.exponent
);
594 _gnutls_free_datum (&info
->rsa_export
.modulus
);
602 /* Sets the prime and the generator in the auth info structure.
605 _gnutls_dh_set_group (gnutls_session_t session
, bigint_t gen
, bigint_t prime
)
610 switch (gnutls_auth_get_type (session
))
612 case GNUTLS_CRD_ANON
:
614 anon_auth_info_t info
;
615 info
= _gnutls_get_auth_info (session
);
617 return GNUTLS_E_INTERNAL_ERROR
;
624 psk_auth_info_t info
;
625 info
= _gnutls_get_auth_info (session
);
627 return GNUTLS_E_INTERNAL_ERROR
;
632 case GNUTLS_CRD_CERTIFICATE
:
634 cert_auth_info_t info
;
636 info
= _gnutls_get_auth_info (session
);
638 return GNUTLS_E_INTERNAL_ERROR
;
645 return GNUTLS_E_INTERNAL_ERROR
;
649 _gnutls_free_datum (&dh
->prime
);
651 if (dh
->generator
.data
)
652 _gnutls_free_datum (&dh
->generator
);
656 ret
= _gnutls_mpi_dprint_lz (prime
, &dh
->prime
);
665 ret
= _gnutls_mpi_dprint_lz (gen
, &dh
->generator
);
669 _gnutls_free_datum (&dh
->prime
);
676 #ifdef ENABLE_OPENPGP
678 * gnutls_openpgp_send_cert:
679 * @session: is a pointer to a #gnutls_session_t structure.
680 * @status: is one of GNUTLS_OPENPGP_CERT, or GNUTLS_OPENPGP_CERT_FINGERPRINT
682 * This function will order gnutls to send the key fingerprint
683 * instead of the key in the initial handshake procedure. This should
684 * be used with care and only when there is indication or knowledge
685 * that the server can obtain the client's key.
688 gnutls_openpgp_send_cert (gnutls_session_t session
,
689 gnutls_openpgp_crt_status_t status
)
691 session
->internals
.pgp_fingerprint
= status
;
696 * gnutls_certificate_send_x509_rdn_sequence:
697 * @session: is a pointer to a #gnutls_session_t structure.
700 * If status is non zero, this function will order gnutls not to send
701 * the rdnSequence in the certificate request message. That is the
702 * server will not advertize it's trusted CAs to the peer. If status
703 * is zero then the default behaviour will take effect, which is to
704 * advertize the server's trusted CAs.
706 * This function has no effect in clients, and in authentication
707 * methods other than certificate with X.509 certificates.
710 gnutls_certificate_send_x509_rdn_sequence (gnutls_session_t session
,
713 session
->internals
.ignore_rdn_sequence
= status
;
716 #ifdef ENABLE_OPENPGP
718 _gnutls_openpgp_send_fingerprint (gnutls_session_t session
)
720 return session
->internals
.pgp_fingerprint
;
725 * _gnutls_record_set_default_version - Used to set the default version for the first record packet
726 * @session: is a #gnutls_session_t structure.
727 * @major: is a tls major version
728 * @minor: is a tls minor version
730 * This function sets the default version that we will use in the first
731 * record packet (client hello). This function is only useful to people
732 * that know TLS internals and want to debug other implementations.
735 _gnutls_record_set_default_version (gnutls_session_t session
,
736 unsigned char major
, unsigned char minor
)
738 session
->internals
.default_record_version
[0] = major
;
739 session
->internals
.default_record_version
[1] = minor
;
743 * gnutls_handshake_set_private_extensions:
744 * @session: is a #gnutls_session_t structure.
745 * @allow: is an integer (0 or 1)
747 * This function will enable or disable the use of private cipher
748 * suites (the ones that start with 0xFF). By default or if @allow
749 * is 0 then these cipher suites will not be advertized nor used.
751 * Unless this function is called with the option to allow (1), then
752 * no compression algorithms, like LZO. That is because these
753 * algorithms are not yet defined in any RFC or even internet draft.
755 * Enabling the private ciphersuites when talking to other than
756 * gnutls servers and clients may cause interoperability problems.
759 gnutls_handshake_set_private_extensions (gnutls_session_t session
, int allow
)
761 session
->internals
.enable_private
= allow
;
765 _gnutls_cal_PRF_A (gnutls_mac_algorithm_t algorithm
,
766 const void *secret
, int secret_size
,
767 const void *seed
, int seed_size
, void *result
)
772 ret
= _gnutls_hmac_init (&td1
, algorithm
, secret
, secret_size
);
779 _gnutls_hmac (&td1
, seed
, seed_size
);
780 _gnutls_hmac_deinit (&td1
, result
);
785 #define MAX_SEED_SIZE 200
787 /* Produces "total_bytes" bytes using the hash algorithm specified.
788 * (used in the PRF function)
791 _gnutls_P_hash (gnutls_mac_algorithm_t algorithm
,
792 const opaque
* secret
, int secret_size
,
793 const opaque
* seed
, int seed_size
,
794 int total_bytes
, opaque
* ret
)
798 int i
, times
, how
, blocksize
, A_size
;
799 opaque final
[MAX_HASH_SIZE
], Atmp
[MAX_SEED_SIZE
];
800 int output_bytes
, result
;
802 if (seed_size
> MAX_SEED_SIZE
|| total_bytes
<= 0)
805 return GNUTLS_E_INTERNAL_ERROR
;
808 blocksize
= _gnutls_hmac_get_algo_len (algorithm
);
813 output_bytes
+= blocksize
;
815 while (output_bytes
< total_bytes
);
819 memcpy (Atmp
, seed
, seed_size
);
822 times
= output_bytes
/ blocksize
;
824 for (i
= 0; i
< times
; i
++)
826 result
= _gnutls_hmac_init (&td2
, algorithm
, secret
, secret_size
);
833 /* here we calculate A(i+1) */
835 _gnutls_cal_PRF_A (algorithm
, secret
, secret_size
, Atmp
,
839 _gnutls_hmac_deinit (&td2
, final
);
845 _gnutls_hmac (&td2
, Atmp
, A_size
);
846 _gnutls_hmac (&td2
, seed
, seed_size
);
847 _gnutls_hmac_deinit (&td2
, final
);
849 if ((1 + i
) * blocksize
< total_bytes
)
855 how
= total_bytes
- (i
) * blocksize
;
860 memcpy (&ret
[i
* blocksize
], final
, how
);
867 /* Xor's two buffers and puts the output in the first one.
870 _gnutls_xor (opaque
* o1
, opaque
* o2
, int length
)
873 for (i
= 0; i
< length
; i
++)
881 #define MAX_PRF_BYTES 200
883 /* The PRF function expands a given secret
884 * needed by the TLS specification. ret must have a least total_bytes
888 _gnutls_PRF (gnutls_session_t session
,
889 const opaque
* secret
, int secret_size
, const char *label
,
890 int label_size
, const opaque
* seed
, int seed_size
,
891 int total_bytes
, void *ret
)
893 int l_s
, s_seed_size
;
894 const opaque
*s1
, *s2
;
895 opaque s_seed
[MAX_SEED_SIZE
];
896 opaque o1
[MAX_PRF_BYTES
], o2
[MAX_PRF_BYTES
];
898 gnutls_protocol_t ver
= gnutls_protocol_get_version (session
);
900 if (total_bytes
> MAX_PRF_BYTES
)
903 return GNUTLS_E_INTERNAL_ERROR
;
905 /* label+seed = s_seed */
906 s_seed_size
= seed_size
+ label_size
;
908 if (s_seed_size
> MAX_SEED_SIZE
)
911 return GNUTLS_E_INTERNAL_ERROR
;
914 memcpy (s_seed
, label
, label_size
);
915 memcpy (&s_seed
[label_size
], seed
, seed_size
);
917 if (_gnutls_version_has_selectable_prf (ver
))
920 _gnutls_P_hash (GNUTLS_MAC_SHA256
, secret
, secret_size
,
921 s_seed
, s_seed_size
, total_bytes
, ret
);
930 l_s
= secret_size
/ 2;
935 if (secret_size
% 2 != 0)
941 _gnutls_P_hash (GNUTLS_MAC_MD5
, s1
, l_s
, s_seed
, s_seed_size
,
950 _gnutls_P_hash (GNUTLS_MAC_SHA1
, s2
, l_s
, s_seed
, s_seed_size
,
958 _gnutls_xor (o1
, o2
, total_bytes
);
960 memcpy (ret
, o1
, total_bytes
);
969 * @session: is a #gnutls_session_t structure.
970 * @label_size: length of the @label variable.
971 * @label: label used in PRF computation, typically a short string.
972 * @seed_size: length of the @seed variable.
973 * @seed: optional extra data to seed the PRF with.
974 * @outsize: size of pre-allocated output buffer to hold the output.
975 * @out: pre-allocate buffer to hold the generated data.
977 * Apply the TLS Pseudo-Random-Function (PRF) using the master secret
980 * The @label variable usually contain a string denoting the purpose
981 * for the generated data. The @seed usually contain data such as the
982 * client and server random, perhaps together with some additional
983 * data that is added to guarantee uniqueness of the output for a
984 * particular purpose.
986 * Because the output is not guaranteed to be unique for a particular
987 * session unless @seed include the client random and server random
988 * fields (the PRF would output the same data on another connection
989 * resumed from the first one), it is not recommended to use this
990 * function directly. The gnutls_prf() function seed the PRF with the
991 * client and server random fields directly, and is recommended if you
992 * want to generate pseudo random data unique for each session.
994 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
997 gnutls_prf_raw (gnutls_session_t session
,
1000 size_t seed_size
, const char *seed
, size_t outsize
, char *out
)
1004 ret
= _gnutls_PRF (session
,
1005 session
->security_parameters
.master_secret
,
1008 label_size
, (opaque
*) seed
, seed_size
, outsize
, out
);
1015 * @session: is a #gnutls_session_t structure.
1016 * @label_size: length of the @label variable.
1017 * @label: label used in PRF computation, typically a short string.
1018 * @server_random_first: non-0 if server random field should be first in seed
1019 * @extra_size: length of the @extra variable.
1020 * @extra: optional extra data to seed the PRF with.
1021 * @outsize: size of pre-allocated output buffer to hold the output.
1022 * @out: pre-allocate buffer to hold the generated data.
1024 * Apply the TLS Pseudo-Random-Function (PRF) using the master secret
1025 * on some data, seeded with the client and server random fields.
1027 * The @label variable usually contain a string denoting the purpose
1028 * for the generated data. The @server_random_first indicate whether
1029 * the client random field or the server random field should be first
1030 * in the seed. Non-0 indicate that the server random field is first,
1031 * 0 that the client random field is first.
1033 * The @extra variable can be used to add more data to the seed, after
1034 * the random variables. It can be used to tie make sure the
1035 * generated output is strongly connected to some additional data
1036 * (e.g., a string used in user authentication).
1038 * The output is placed in *@OUT, which must be pre-allocated.
1040 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
1043 gnutls_prf (gnutls_session_t session
,
1046 int server_random_first
,
1047 size_t extra_size
, const char *extra
, size_t outsize
, char *out
)
1051 size_t seedsize
= 2 * GNUTLS_RANDOM_SIZE
+ extra_size
;
1053 seed
= gnutls_malloc (seedsize
);
1057 return GNUTLS_E_MEMORY_ERROR
;
1060 memcpy (seed
, server_random_first
?
1061 session
->security_parameters
.server_random
:
1062 session
->security_parameters
.client_random
, GNUTLS_RANDOM_SIZE
);
1063 memcpy (seed
+ GNUTLS_RANDOM_SIZE
, server_random_first
?
1064 session
->security_parameters
.client_random
:
1065 session
->security_parameters
.server_random
, GNUTLS_RANDOM_SIZE
);
1067 memcpy (seed
+ 2 * GNUTLS_RANDOM_SIZE
, extra
, extra_size
);
1069 ret
= _gnutls_PRF (session
, session
->security_parameters
.master_secret
,
1071 label
, label_size
, seed
, seedsize
, outsize
, out
);
1079 * gnutls_session_get_client_random:
1080 * @session: is a #gnutls_session_t structure.
1082 * Return a pointer to the 32-byte client random field used in the
1083 * session. The pointer must not be modified or deallocated.
1085 * If a client random value has not yet been established, the output
1086 * will be garbage; in particular, a %NULL return value should not be
1089 * Returns: pointer to client random data.
1092 gnutls_session_get_client_random (gnutls_session_t session
)
1094 return (char *) session
->security_parameters
.client_random
;
1098 * gnutls_session_get_server_random:
1099 * @session: is a #gnutls_session_t structure.
1101 * Return a pointer to the 32-byte server random field used in the
1102 * session. The pointer must not be modified or deallocated.
1104 * If a server random value has not yet been established, the output
1105 * will be garbage; in particular, a %NULL return value should not be
1108 * Returns: pointer to server random data.
1111 gnutls_session_get_server_random (gnutls_session_t session
)
1113 return (char *) session
->security_parameters
.server_random
;
1117 * gnutls_session_get_master_secret:
1118 * @session: is a #gnutls_session_t structure.
1120 * Return a pointer to the 48-byte master secret in the session. The
1121 * pointer must not be modified or deallocated.
1123 * If a master secret value has not yet been established, the output
1124 * will be garbage; in particular, a %NULL return value should not be
1127 * Consider using gnutls_prf() rather than extracting the master
1128 * secret and use it to derive further data.
1130 * Returns: pointer to master secret data.
1133 gnutls_session_get_master_secret (gnutls_session_t session
)
1135 return (char *) session
->security_parameters
.master_secret
;
1139 * gnutls_session_set_finished_function:
1140 * @session: is a #gnutls_session_t structure.
1141 * @func: a #gnutls_finished_callback_func callback.
1143 * Register a callback function for the session that will be called
1144 * when a TLS Finished message has been generated. The function is
1145 * typically used to copy away the TLS finished message for later use
1146 * as a channel binding or similar purpose.
1148 * The callback should follow this prototype:
1150 * void callback (gnutls_session_t @session, const void *@finished, size_t @len);
1152 * The @finished parameter will contain the binary TLS finished
1153 * message, and @len will contains its length. For SSLv3 connections,
1154 * the @len parameter will be 36 and for TLS connections it will be
1157 * It is recommended that the function returns quickly in order to not
1158 * delay the handshake. Use the function to store a copy of the TLS
1159 * finished message for later use.
1164 gnutls_session_set_finished_function (gnutls_session_t session
,
1165 gnutls_finished_callback_func func
)
1167 session
->internals
.finished_func
= func
;
1171 * gnutls_session_is_resumed:
1172 * @session: is a #gnutls_session_t structure.
1174 * Check whether session is resumed or not.
1176 * Returns: non zero if this session is resumed, or a zero if this is
1180 gnutls_session_is_resumed (gnutls_session_t session
)
1182 if (session
->security_parameters
.entity
== GNUTLS_CLIENT
)
1184 if (session
->security_parameters
.session_id_size
> 0 &&
1185 session
->security_parameters
.session_id_size
==
1186 session
->internals
.resumed_security_parameters
.session_id_size
1187 && memcmp (session
->security_parameters
.session_id
,
1189 resumed_security_parameters
.session_id
,
1190 session
->security_parameters
.session_id_size
) == 0)
1195 if (session
->internals
.resumed
== RESUME_TRUE
)
1203 * _gnutls_session_is_export - Used to check whether this session is of export grade
1204 * @session: is a #gnutls_session_t structure.
1206 * This function will return non zero if this session is of export grade.
1209 _gnutls_session_is_export (gnutls_session_t session
)
1211 gnutls_cipher_algorithm_t cipher
;
1214 _gnutls_cipher_suite_get_cipher_algo (&session
->
1215 security_parameters
.current_cipher_suite
);
1217 if (_gnutls_cipher_get_export_flag (cipher
) != 0)
1224 * _gnutls_session_is_psk - Used to check whether this session uses PSK kx
1225 * @session: is a #gnutls_session_t structure.
1227 * This function will return non zero if this session uses a PSK key
1228 * exchange algorithm.
1231 _gnutls_session_is_psk (gnutls_session_t session
)
1233 gnutls_kx_algorithm_t kx
;
1236 _gnutls_cipher_suite_get_kx_algo (&session
->
1237 security_parameters
.current_cipher_suite
);
1238 if (kx
== GNUTLS_KX_PSK
|| kx
== GNUTLS_KX_DHE_PSK
)
1245 * gnutls_session_get_ptr:
1246 * @session: is a #gnutls_session_t structure.
1248 * Get user pointer for session. Useful in callbacks. This is the
1249 * pointer set with gnutls_session_set_ptr().
1251 * Returns: the user given pointer from the session structure, or
1252 * %NULL if it was never set.
1255 gnutls_session_get_ptr (gnutls_session_t session
)
1257 return session
->internals
.user_ptr
;
1261 * gnutls_session_set_ptr:
1262 * @session: is a #gnutls_session_t structure.
1263 * @ptr: is the user pointer
1265 * This function will set (associate) the user given pointer @ptr to
1266 * the session structure. This is pointer can be accessed with
1267 * gnutls_session_get_ptr().
1270 gnutls_session_set_ptr (gnutls_session_t session
, void *ptr
)
1272 session
->internals
.user_ptr
= ptr
;
1277 * gnutls_record_get_direction:
1278 * @session: is a #gnutls_session_t structure.
1280 * This function provides information about the internals of the
1281 * record protocol and is only useful if a prior gnutls function call
1282 * (e.g. gnutls_handshake()) was interrupted for some reason, that
1283 * is, if a function returned %GNUTLS_E_INTERRUPTED or
1284 * %GNUTLS_E_AGAIN. In such a case, you might want to call select()
1285 * or poll() before calling the interrupted gnutls function again. To
1286 * tell you whether a file descriptor should be selected for either
1287 * reading or writing, gnutls_record_get_direction() returns 0 if the
1288 * interrupted function was trying to read data, and 1 if it was
1289 * trying to write data.
1291 * Returns: 0 if trying to read data, 1 if trying to write data.
1294 gnutls_record_get_direction (gnutls_session_t session
)
1296 return session
->internals
.direction
;
1300 * _gnutls_rsa_pms_set_version - Sets a version to be used at the RSA PMS
1301 * @session: is a #gnutls_session_t structure.
1302 * @major: is the major version to use
1303 * @minor: is the minor version to use
1305 * This function will set the given version number to be used at the
1306 * RSA PMS secret. This is only useful to clients, which want to
1307 * test server's capabilities.
1310 _gnutls_rsa_pms_set_version (gnutls_session_t session
,
1311 unsigned char major
, unsigned char minor
)
1313 session
->internals
.rsa_pms_version
[0] = major
;
1314 session
->internals
.rsa_pms_version
[1] = minor
;
1318 * gnutls_handshake_set_post_client_hello_function:
1319 * @session: is a #gnutls_session_t structure.
1320 * @func: is the function to be called
1322 * This function will set a callback to be called after the client
1323 * hello has been received (callback valid in server side only). This
1324 * allows the server to adjust settings based on received extensions.
1326 * Those settings could be ciphersuites, requesting certificate, or
1327 * anything else except for version negotiation (this is done before
1328 * the hello message is parsed).
1330 * This callback must return 0 on success or a gnutls error code to
1331 * terminate the handshake.
1333 * Warning: You should not use this function to terminate the
1334 * handshake based on client input unless you know what you are
1335 * doing. Before the handshake is finished there is no way to know if
1336 * there is a man-in-the-middle attack being performed.
1339 gnutls_handshake_set_post_client_hello_function (gnutls_session_t session
,
1340 gnutls_handshake_post_client_hello_func
1343 session
->internals
.user_hello_func
= func
;
1347 * gnutls_session_enable_compatibility_mode:
1348 * @session: is a #gnutls_session_t structure.
1350 * This function can be used to disable certain (security) features in
1351 * TLS in order to maintain maximum compatibility with buggy
1352 * clients. It is equivalent to calling:
1353 * gnutls_record_disable_padding()
1355 * Normally only servers that require maximum compatibility with
1356 * everything out there, need to call this function.
1359 gnutls_session_enable_compatibility_mode (gnutls_session_t session
)
1361 gnutls_record_disable_padding (session
);