2 * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008,
3 * 2009, 2010 Free Software Foundation, Inc.
5 * Author: Nikos Mavrogiannopoulos
7 * This file is part of GNUTLS.
9 * The GNUTLS library is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Lesser General Public License
11 * as published by the Free Software Foundation; either version 2.1 of
12 * the License, or (at your option) any later version.
14 * This library is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * Lesser General Public License for more details.
19 * You should have received a copy of the GNU Lesser General Public
20 * License along with this library; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
26 /* Functions that relate to the TLS handshake procedure.
29 #include "gnutls_int.h"
30 #include "gnutls_errors.h"
31 #include "gnutls_dh.h"
33 #include "gnutls_algorithms.h"
34 #include "gnutls_compress.h"
35 #include "gnutls_cipher.h"
36 #include "gnutls_buffers.h"
37 #include "gnutls_kx.h"
38 #include "gnutls_handshake.h"
39 #include "gnutls_num.h"
40 #include "gnutls_hash_int.h"
41 #include "gnutls_db.h"
42 #include "gnutls_extensions.h"
43 #include "gnutls_supplemental.h"
44 #include "gnutls_auth.h"
45 #include "gnutls_v2_compat.h"
46 #include "auth_cert.h"
47 #include "gnutls_cert.h"
48 #include "gnutls_constate.h"
49 #include <gnutls_record.h>
50 #include <gnutls_state.h>
52 #include <ext_session_ticket.h>
53 #include <ext_safe_renegotiation.h>
54 #include <gnutls_rsa_export.h> /* for gnutls_get_rsa_params() */
55 #include <auth_anon.h> /* for gnutls_anon_server_credentials_t */
56 #include <auth_psk.h> /* for gnutls_psk_server_credentials_t */
59 #ifdef HANDSHAKE_DEBUG
60 #define ERR(x, y) _gnutls_handshake_log("HSK[%p]: %s (%d)\n", session, x,y)
68 static int _gnutls_handshake_hash_init (gnutls_session_t session
);
69 static int _gnutls_server_select_comp_method (gnutls_session_t session
,
70 opaque
* data
, int datalen
);
72 _gnutls_handshake_hash_add_recvd (gnutls_session_t session
,
73 gnutls_handshake_description_t recv_type
,
74 opaque
* header
, uint16_t header_size
,
75 opaque
* dataptr
, uint32_t datalen
);
78 /* Clears the handshake hash buffers and handles.
81 _gnutls_handshake_hash_buffers_clear (gnutls_session_t session
)
83 if (session
->security_parameters
.handshake_mac_handle_type
==
84 HANDSHAKE_MAC_TYPE_10
)
86 _gnutls_hash_deinit (&session
->internals
.handshake_mac_handle
.tls10
.md5
,
88 _gnutls_hash_deinit (&session
->internals
.handshake_mac_handle
.tls10
.sha
,
91 else if (session
->security_parameters
.handshake_mac_handle_type
==
92 HANDSHAKE_MAC_TYPE_12
)
94 _gnutls_hash_deinit (&session
->internals
.handshake_mac_handle
.
96 _gnutls_hash_deinit (&session
->internals
.handshake_mac_handle
.
99 session
->security_parameters
.handshake_mac_handle_type
= 0;
100 session
->internals
.handshake_mac_handle_init
= 0;
101 _gnutls_handshake_buffer_clear (session
);
104 /* this will copy the required values for resuming to
105 * internals, and to security_parameters.
106 * this will keep as less data to security_parameters.
109 resume_copy_required_values (gnutls_session_t session
)
111 /* get the new random values */
112 memcpy (session
->internals
.resumed_security_parameters
.server_random
,
113 session
->security_parameters
.server_random
, GNUTLS_RANDOM_SIZE
);
114 memcpy (session
->internals
.resumed_security_parameters
.client_random
,
115 session
->security_parameters
.client_random
, GNUTLS_RANDOM_SIZE
);
117 /* keep the ciphersuite and compression
118 * That is because the client must see these in our
121 memcpy (session
->security_parameters
.current_cipher_suite
.suite
,
122 session
->internals
.resumed_security_parameters
.
123 current_cipher_suite
.suite
, 2);
125 session
->internals
.compression_method
=
126 session
->internals
.resumed_security_parameters
.read_compression_algorithm
;
127 /* or write_compression_algorithm
131 session
->security_parameters
.entity
=
132 session
->internals
.resumed_security_parameters
.entity
;
134 _gnutls_set_current_version (session
,
136 resumed_security_parameters
.version
);
138 session
->security_parameters
.cert_type
=
139 session
->internals
.resumed_security_parameters
.cert_type
;
141 memcpy (session
->security_parameters
.session_id
,
142 session
->internals
.resumed_security_parameters
.session_id
,
143 sizeof (session
->security_parameters
.session_id
));
144 session
->security_parameters
.session_id_size
=
145 session
->internals
.resumed_security_parameters
.session_id_size
;
150 _gnutls_set_server_random (gnutls_session_t session
, uint8_t * rnd
)
152 memcpy (session
->security_parameters
.server_random
, rnd
,
157 _gnutls_set_client_random (gnutls_session_t session
, uint8_t * rnd
)
159 memcpy (session
->security_parameters
.client_random
, rnd
,
163 /* Calculate The SSL3 Finished message
165 #define SSL3_CLIENT_MSG "CLNT"
166 #define SSL3_SERVER_MSG "SRVR"
167 #define SSL_MSG_LEN 4
169 _gnutls_ssl3_finished (gnutls_session_t session
, int type
, opaque
* ret
)
171 const int siz
= SSL_MSG_LEN
;
177 if (session
->security_parameters
.handshake_mac_handle_type
==
178 HANDSHAKE_MAC_TYPE_10
)
181 _gnutls_hash_copy (&td_md5
,
182 &session
->internals
.handshake_mac_handle
.
191 _gnutls_hash_copy (&td_sha
,
192 &session
->internals
.handshake_mac_handle
.
197 _gnutls_hash_deinit (&td_md5
, NULL
);
204 return GNUTLS_E_INTERNAL_ERROR
;
207 if (type
== GNUTLS_SERVER
)
209 mesg
= SSL3_SERVER_MSG
;
213 mesg
= SSL3_CLIENT_MSG
;
216 _gnutls_hash (&td_md5
, mesg
, siz
);
217 _gnutls_hash (&td_sha
, mesg
, siz
);
219 _gnutls_mac_deinit_ssl3_handshake (&td_md5
, ret
,
220 session
->security_parameters
.
221 master_secret
, GNUTLS_MASTER_SIZE
);
222 _gnutls_mac_deinit_ssl3_handshake (&td_sha
, &ret
[16],
223 session
->security_parameters
.
224 master_secret
, GNUTLS_MASTER_SIZE
);
229 /* Hash the handshake messages as required by TLS 1.0
231 #define SERVER_MSG "server finished"
232 #define CLIENT_MSG "client finished"
233 #define TLS_MSG_LEN 15
235 _gnutls_finished (gnutls_session_t session
, int type
, void *ret
)
237 const int siz
= TLS_MSG_LEN
;
238 opaque concat
[MAX_HASH_SIZE
+ 16 /*MD5 */ ];
239 size_t len
= 20 + 16;
245 if (session
->security_parameters
.handshake_mac_handle_type
==
246 HANDSHAKE_MAC_TYPE_10
)
249 _gnutls_hash_copy (&td_md5
,
250 &session
->internals
.handshake_mac_handle
.
259 _gnutls_hash_copy (&td_sha
,
260 &session
->internals
.handshake_mac_handle
.
265 _gnutls_hash_deinit (&td_md5
, NULL
);
269 _gnutls_hash_deinit (&td_md5
, concat
);
270 _gnutls_hash_deinit (&td_sha
, &concat
[16]);
272 else if (session
->security_parameters
.handshake_mac_handle_type
==
273 HANDSHAKE_MAC_TYPE_12
)
276 _gnutls_hash_copy (&td_sha
,
277 &session
->internals
.handshake_mac_handle
.
285 _gnutls_hash_deinit (&td_sha
, concat
);
286 len
= _gnutls_hash_get_algo_len (td_sha
.algorithm
);
289 if (type
== GNUTLS_SERVER
)
298 return _gnutls_PRF (session
, session
->security_parameters
.master_secret
,
299 GNUTLS_MASTER_SIZE
, mesg
, siz
, concat
, len
, 12, ret
);
302 /* this function will produce GNUTLS_RANDOM_SIZE==32 bytes of random data
306 _gnutls_tls_create_random (opaque
* dst
)
311 /* Use weak random numbers for the most of the
312 * buffer except for the first 4 that are the
317 /* generate server random value */
318 _gnutls_write_uint32 (tim
, dst
);
320 ret
= _gnutls_rnd (GNUTLS_RND_NONCE
, &dst
[4], GNUTLS_RANDOM_SIZE
- 4);
330 /* returns the 0 on success or a negative value.
333 _gnutls_negotiate_version (gnutls_session_t session
,
334 gnutls_protocol_t adv_version
)
338 /* if we do not support that version */
339 if (_gnutls_version_is_supported (session
, adv_version
) == 0)
341 /* If he requested something we do not support
342 * then we send him the highest we support.
344 ret
= _gnutls_version_max (session
);
345 if (ret
== GNUTLS_VERSION_UNKNOWN
)
347 /* this check is not really needed.
350 return GNUTLS_E_UNKNOWN_CIPHER_SUITE
;
358 _gnutls_set_current_version (session
, ret
);
364 _gnutls_user_hello_func (gnutls_session_t session
,
365 gnutls_protocol_t adv_version
)
369 if (session
->internals
.user_hello_func
!= NULL
)
371 ret
= session
->internals
.user_hello_func (session
);
377 /* Here we need to renegotiate the version since the callee might
378 * have disabled some TLS versions.
380 ret
= _gnutls_negotiate_version (session
, adv_version
);
390 /* Read a client hello packet.
391 * A client hello must be a known version client hello
392 * or version 2.0 client hello (only for compatibility
393 * since SSL version 2.0 is not supported).
396 _gnutls_read_client_hello (gnutls_session_t session
, opaque
* data
,
399 uint8_t session_id_len
;
401 uint16_t suite_size
, comp_size
;
402 gnutls_protocol_t adv_version
;
405 opaque rnd
[GNUTLS_RANDOM_SIZE
], *suite_ptr
, *comp_ptr
, *session_id
;
407 if (session
->internals
.v2_hello
!= 0)
409 return _gnutls_read_client_hello_v2 (session
, data
, datalen
);
413 _gnutls_handshake_log ("HSK[%p]: Client's version: %d.%d\n", session
,
414 data
[pos
], data
[pos
+ 1]);
416 adv_version
= _gnutls_version_get (data
[pos
], data
[pos
+ 1]);
417 set_adv_version (session
, data
[pos
], data
[pos
+ 1]);
420 neg_version
= _gnutls_negotiate_version (session
, adv_version
);
427 /* Read client random value.
429 DECR_LEN (len
, GNUTLS_RANDOM_SIZE
);
430 _gnutls_set_client_random (session
, &data
[pos
]);
431 pos
+= GNUTLS_RANDOM_SIZE
;
433 _gnutls_tls_create_random (rnd
);
434 _gnutls_set_server_random (session
, rnd
);
436 session
->security_parameters
.timestamp
= time (NULL
);
439 session_id_len
= data
[pos
++];
443 if (session_id_len
> TLS_MAX_SESSION_ID_SIZE
)
446 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH
;
448 DECR_LEN (len
, session_id_len
);
450 session_id
= &data
[pos
];
451 ret
= _gnutls_server_restore_session (session
, session_id
, session_id_len
);
452 pos
+= session_id_len
;
455 { /* resumed using default TLS resumption! */
456 /* Parse only the safe renegotiation extension
457 * We don't want to parse any other extensions since
458 * we don't want new extension values to overwrite the
462 /* move forward to extensions */
464 suite_size
= _gnutls_read_uint16 (&data
[pos
]);
467 DECR_LEN (len
, suite_size
);
471 comp_size
= data
[pos
++]; /* z is the number of compression methods */
472 DECR_LEN (len
, comp_size
);
475 ret
= _gnutls_parse_extensions (session
, GNUTLS_EXT_RESUMED
,
483 resume_copy_required_values (session
);
484 session
->internals
.resumed
= RESUME_TRUE
;
486 return _gnutls_user_hello_func (session
, adv_version
);
490 _gnutls_generate_session_id (session
->security_parameters
.session_id
,
491 &session
->security_parameters
.
494 session
->internals
.resumed
= RESUME_FALSE
;
497 /* Remember ciphersuites for later
500 suite_size
= _gnutls_read_uint16 (&data
[pos
]);
503 DECR_LEN (len
, suite_size
);
504 suite_ptr
= &data
[pos
];
507 /* Point to the compression methods
510 comp_size
= data
[pos
++]; /* z is the number of compression methods */
512 DECR_LEN (len
, comp_size
);
513 comp_ptr
= &data
[pos
];
516 /* Parse the extensions (if any)
518 * Unconditionally try to parse extensions; safe renegotiation uses them in
519 * sslv3 and higher, even though sslv3 doesn't officially support them.
521 ret
= _gnutls_parse_extensions (session
, GNUTLS_EXT_APPLICATION
,
523 /* len is the rest of the parsed length */
530 ret
= _gnutls_user_hello_func (session
, adv_version
);
537 ret
= _gnutls_parse_extensions (session
, GNUTLS_EXT_RESUMED
,
545 ret
= _gnutls_parse_extensions (session
, GNUTLS_EXT_TLS
,
553 /* resumed by session_ticket extension */
554 if (session
->internals
.resumed
== RESUME_TRUE
)
556 /* to indicate the client that the current session is resumed */
557 memcpy (session
->internals
.resumed_security_parameters
.session_id
,
558 session_id
, session_id_len
);
559 session
->internals
.resumed_security_parameters
.session_id_size
=
563 resumed_security_parameters
.max_record_recv_size
=
564 session
->security_parameters
.max_record_recv_size
;
566 resumed_security_parameters
.max_record_send_size
=
567 session
->security_parameters
.max_record_send_size
;
569 resume_copy_required_values (session
);
571 return _gnutls_user_hello_func (session
, adv_version
);
574 /* select an appropriate cipher suite
576 ret
= _gnutls_server_select_suite (session
, suite_ptr
, suite_size
);
583 /* select appropriate compression method */
584 ret
= _gnutls_server_select_comp_method (session
, comp_ptr
, comp_size
);
594 /* here we hash all pending data.
597 _gnutls_handshake_hash_pending (gnutls_session_t session
)
603 if (session
->internals
.handshake_mac_handle_init
== 0)
606 return GNUTLS_E_INTERNAL_ERROR
;
609 /* We check if there are pending data to hash.
611 if ((ret
= _gnutls_handshake_buffer_get_ptr (session
, &data
, &siz
)) < 0)
619 if (session
->security_parameters
.handshake_mac_handle_type
==
620 HANDSHAKE_MAC_TYPE_10
)
622 _gnutls_hash (&session
->internals
.handshake_mac_handle
.tls10
.sha
,
624 _gnutls_hash (&session
->internals
.handshake_mac_handle
.tls10
.md5
,
627 else if (session
->security_parameters
.handshake_mac_handle_type
==
628 HANDSHAKE_MAC_TYPE_12
)
630 _gnutls_hash (&session
->internals
.handshake_mac_handle
.tls12
.sha256
,
632 _gnutls_hash (&session
->internals
.handshake_mac_handle
.tls12
.sha1
,
637 _gnutls_handshake_buffer_empty (session
);
643 /* This is to be called after sending CHANGE CIPHER SPEC packet
644 * and initializing encryption. This is the first encrypted message
648 _gnutls_send_finished (gnutls_session_t session
, int again
)
650 uint8_t data
[MAX_VERIFY_DATA_SIZE
];
658 /* This is needed in order to hash all the required
661 if ((ret
= _gnutls_handshake_hash_pending (session
)) < 0)
667 if (gnutls_protocol_get_version (session
) == GNUTLS_SSL3
)
670 _gnutls_ssl3_finished (session
,
671 session
->security_parameters
.entity
, data
);
676 ret
= _gnutls_finished (session
,
677 session
->security_parameters
.entity
, data
);
687 if (session
->internals
.finished_func
)
688 session
->internals
.finished_func (session
, data
, data_size
);
691 /* Save data for safe renegotiation.
693 if (data_size
> MAX_VERIFY_DATA_SIZE
)
696 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH
;
699 if (session
->security_parameters
.entity
== GNUTLS_CLIENT
)
701 session
->security_parameters
.extensions
.client_verify_data_len
=
704 memcpy (session
->security_parameters
.extensions
.client_verify_data
,
709 session
->security_parameters
.extensions
.server_verify_data_len
=
712 memcpy (session
->security_parameters
.extensions
.server_verify_data
,
717 _gnutls_send_handshake (session
, data_size
? data
: NULL
, data_size
,
718 GNUTLS_HANDSHAKE_FINISHED
);
723 /* This is to be called after sending our finished message. If everything
724 * went fine we have negotiated a secure connection
727 _gnutls_recv_finished (gnutls_session_t session
)
729 uint8_t data
[MAX_VERIFY_DATA_SIZE
], *vrfy
;
736 _gnutls_recv_handshake (session
, &vrfy
, &vrfysize
,
737 GNUTLS_HANDSHAKE_FINISHED
, MANDATORY_PACKET
);
740 ERR ("recv finished int", ret
);
746 if (gnutls_protocol_get_version (session
) == GNUTLS_SSL3
)
755 if (vrfysize
!= data_size
)
759 return GNUTLS_E_ERROR_IN_FINISHED_PACKET
;
762 if (gnutls_protocol_get_version (session
) == GNUTLS_SSL3
)
765 _gnutls_ssl3_finished (session
,
766 (session
->security_parameters
.entity
+ 1) % 2,
772 _gnutls_finished (session
,
773 (session
->security_parameters
.entity
+
784 if (memcmp (vrfy
, data
, data_size
) != 0)
787 ret
= GNUTLS_E_ERROR_IN_FINISHED_PACKET
;
791 /* Save peer's verify data for safe renegotiation */
792 if (data_size
> MAX_VERIFY_DATA_SIZE
)
795 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH
;
798 ext
= &session
->security_parameters
.extensions
;
800 if (session
->security_parameters
.entity
== GNUTLS_CLIENT
)
802 memcpy (ext
->server_verify_data
, data
, data_size
);
803 ext
->server_verify_data_len
= data_size
;
807 memcpy (ext
->client_verify_data
, data
, data_size
);
808 ext
->client_verify_data_len
= data_size
;
811 session
->internals
.initial_negotiation_completed
= 1;
816 /* returns PK_RSA if the given cipher suite list only supports,
817 * RSA algorithms, PK_DSA if DSS, and PK_ANY for both or PK_NONE for none.
820 _gnutls_server_find_pk_algos_in_ciphersuites (const opaque
*
821 data
, unsigned int datalen
)
824 gnutls_pk_algorithm_t algo
= GNUTLS_PK_NONE
, prev_algo
= 0;
825 gnutls_kx_algorithm_t kx
;
828 if (datalen
% 2 != 0)
831 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH
;
834 for (j
= 0; j
< datalen
; j
+= 2)
836 memcpy (&cs
.suite
, &data
[j
], 2);
837 kx
= _gnutls_cipher_suite_get_kx_algo (&cs
);
839 if (_gnutls_map_kx_get_cred (kx
, 1) == GNUTLS_CRD_CERTIFICATE
)
841 algo
= _gnutls_map_pk_get_pk (kx
);
843 if (algo
!= prev_algo
&& prev_algo
!= 0)
844 return GNUTLS_PK_ANY
;
852 /* This selects the best supported ciphersuite from the given ones. Then
853 * it adds the suite to the session and performs some checks.
856 _gnutls_server_select_suite (gnutls_session_t session
, opaque
* data
,
860 cipher_suite_st
*ciphers
, cs
;
862 gnutls_pk_algorithm_t pk_algo
; /* will hold the pk algorithms
863 * supported by the peer.
866 /* First, check for safe renegotiation SCSV.
871 for(offset
= 0; offset
< datalen
; offset
+= 2)
873 /* TLS_RENEGO_PROTECTION_REQUEST = { 0x00, 0xff } */
874 if (data
[offset
] == GNUTLS_RENEGO_PROTECTION_REQUEST_MAJOR
&&
875 data
[offset
+1] == GNUTLS_RENEGO_PROTECTION_REQUEST_MINOR
)
877 _gnutls_handshake_log ("HSK[%p]: Received safe renegotiation CS\n", session
);
878 session
->internals
.safe_renegotiation_received
= 1;
879 session
->internals
.connection_using_safe_renegotiation
= 1;
885 pk_algo
= _gnutls_server_find_pk_algos_in_ciphersuites (data
, datalen
);
887 x
= _gnutls_supported_ciphersuites (session
, &ciphers
);
889 { /* the case x==0 is handled within the function. */
894 /* Here we remove any ciphersuite that does not conform
895 * the certificate requested, or to the
896 * authentication requested (e.g. SRP).
898 x
= _gnutls_remove_unwanted_ciphersuites (session
, &ciphers
, x
, pk_algo
);
902 gnutls_free (ciphers
);
906 return GNUTLS_E_UNKNOWN_CIPHER_SUITE
;
909 /* Data length should be zero mod 2 since
910 * every ciphersuite is 2 bytes. (this check is needed
913 if (datalen
% 2 != 0)
916 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH
;
918 #ifdef HANDSHAKE_DEBUG
920 _gnutls_handshake_log ("HSK[%p]: Requested cipher suites: \n", session
);
921 for (j
= 0; j
< datalen
; j
+= 2)
923 memcpy (&cs
.suite
, &data
[j
], 2);
924 _gnutls_handshake_log ("\t%s\n", _gnutls_cipher_suite_get_name (&cs
));
926 _gnutls_handshake_log ("HSK[%p]: Supported cipher suites: \n", session
);
927 for (j
= 0; j
< x
; j
++)
928 _gnutls_handshake_log ("\t%s\n",
929 _gnutls_cipher_suite_get_name (&ciphers
[j
]));
931 memset (session
->security_parameters
.current_cipher_suite
.suite
, '\0', 2);
933 retval
= GNUTLS_E_UNKNOWN_CIPHER_SUITE
;
935 for (j
= 0; j
< datalen
; j
+= 2)
937 for (i
= 0; i
< x
; i
++)
939 if (memcmp (ciphers
[i
].suite
, &data
[j
], 2) == 0)
941 memcpy (&cs
.suite
, &data
[j
], 2);
943 _gnutls_handshake_log
944 ("HSK[%p]: Selected cipher suite: %s\n", session
,
945 _gnutls_cipher_suite_get_name (&cs
));
946 memcpy (session
->security_parameters
.current_cipher_suite
.suite
,
947 ciphers
[i
].suite
, 2);
955 gnutls_free (ciphers
);
963 /* check if the credentials (username, public key etc.) are ok
965 if (_gnutls_get_kx_cred
967 _gnutls_cipher_suite_get_kx_algo (&session
->security_parameters
.
968 current_cipher_suite
), &err
) == NULL
972 return GNUTLS_E_INSUFFICIENT_CREDENTIALS
;
976 /* set the mod_auth_st to the appropriate struct
977 * according to the KX algorithm. This is needed since all the
978 * handshake functions are read from there;
980 session
->internals
.auth_struct
=
981 _gnutls_kx_auth_struct (_gnutls_cipher_suite_get_kx_algo
982 (&session
->security_parameters
.
983 current_cipher_suite
));
984 if (session
->internals
.auth_struct
== NULL
)
987 _gnutls_handshake_log
988 ("HSK[%p]: Cannot find the appropriate handler for the KX algorithm\n",
991 return GNUTLS_E_INTERNAL_ERROR
;
999 /* This selects the best supported compression method from the ones provided
1002 _gnutls_server_select_comp_method (gnutls_session_t session
,
1003 opaque
* data
, int datalen
)
1008 x
= _gnutls_supported_compression_methods (session
, &comps
);
1015 memset (&session
->internals
.compression_method
, 0,
1016 sizeof (gnutls_compression_method_t
));
1018 for (j
= 0; j
< datalen
; j
++)
1020 for (i
= 0; i
< x
; i
++)
1022 if (comps
[i
] == data
[j
])
1024 gnutls_compression_method_t method
=
1025 _gnutls_compression_get_id (comps
[i
]);
1027 session
->internals
.compression_method
= method
;
1028 gnutls_free (comps
);
1030 _gnutls_handshake_log
1031 ("HSK[%p]: Selected Compression Method: %s\n", session
,
1032 gnutls_compression_get_name (session
->internals
.
1033 compression_method
));
1041 /* we were not able to find a compatible compression
1044 gnutls_free (comps
);
1046 return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM
;
1050 /* This function sends an empty handshake packet. (like hello request).
1051 * If the previous _gnutls_send_empty_handshake() returned
1052 * GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED, then it must be called again
1053 * (until it returns ok), with NULL parameters.
1056 _gnutls_send_empty_handshake (gnutls_session_t session
,
1057 gnutls_handshake_description_t type
, int again
)
1067 return _gnutls_send_handshake (session
, ptr
, 0, type
);
1071 /* This function will hash the handshake message we sent.
1074 _gnutls_handshake_hash_add_sent (gnutls_session_t session
,
1075 gnutls_handshake_description_t type
,
1076 opaque
* dataptr
, uint32_t datalen
)
1080 if (session
->security_parameters
.entity
== GNUTLS_CLIENT
1081 && type
== GNUTLS_HANDSHAKE_CLIENT_HELLO
)
1083 /* do not hash immediatelly since the hash has not yet been initialized */
1085 _gnutls_handshake_buffer_put (session
, dataptr
, datalen
)) < 0)
1093 if ((ret
= _gnutls_handshake_hash_pending (session
)) < 0)
1099 if (type
!= GNUTLS_HANDSHAKE_HELLO_REQUEST
)
1101 if (session
->security_parameters
.handshake_mac_handle_type
==
1102 HANDSHAKE_MAC_TYPE_10
)
1104 _gnutls_hash (&session
->internals
.handshake_mac_handle
.tls10
.sha
,
1106 _gnutls_hash (&session
->internals
.handshake_mac_handle
.tls10
.md5
,
1109 else if (session
->security_parameters
.handshake_mac_handle_type
==
1110 HANDSHAKE_MAC_TYPE_12
)
1112 _gnutls_hash (&session
->internals
.handshake_mac_handle
.tls12
.sha256
,
1114 _gnutls_hash (&session
->internals
.handshake_mac_handle
.tls12
.sha1
,
1123 /* This function sends a handshake message of type 'type' containing the
1124 * data specified here. If the previous _gnutls_send_handshake() returned
1125 * GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED, then it must be called again
1126 * (until it returns ok), with NULL parameters.
1129 _gnutls_send_handshake (gnutls_session_t session
, void *i_data
,
1130 uint32_t i_datasize
,
1131 gnutls_handshake_description_t type
)
1138 if (i_data
== NULL
&& i_datasize
== 0)
1140 /* we are resuming a previously interrupted
1143 ret
= _gnutls_handshake_io_write_flush (session
);
1148 if (i_data
== NULL
&& i_datasize
> 0)
1151 return GNUTLS_E_INVALID_REQUEST
;
1155 datasize
= i_datasize
+ HANDSHAKE_HEADER_SIZE
;
1156 data
= gnutls_malloc (datasize
);
1160 return GNUTLS_E_MEMORY_ERROR
;
1163 data
[pos
++] = (uint8_t) type
;
1164 _gnutls_write_uint24 (i_datasize
, &data
[pos
]);
1168 memcpy (&data
[pos
], i_data
, i_datasize
);
1170 _gnutls_handshake_log ("HSK[%p]: %s was sent [%ld bytes]\n",
1171 session
, _gnutls_handshake2str (type
),
1175 /* Here we keep the handshake messages in order to hash them...
1177 if (type
!= GNUTLS_HANDSHAKE_HELLO_REQUEST
)
1179 _gnutls_handshake_hash_add_sent (session
, type
, data
, datasize
)) < 0)
1186 session
->internals
.last_handshake_out
= type
;
1189 _gnutls_handshake_io_send_int (session
, GNUTLS_HANDSHAKE
, type
,
1197 /* This function will read the handshake header and return it to the caller. If the
1198 * received handshake packet is not the one expected then it buffers the header, and
1199 * returns UNEXPECTED_HANDSHAKE_PACKET.
1201 * FIXME: This function is complex.
1203 #define SSL2_HEADERS 1
1205 _gnutls_recv_handshake_header (gnutls_session_t session
,
1206 gnutls_handshake_description_t type
,
1207 gnutls_handshake_description_t
* recv_type
)
1210 uint32_t length32
= 0;
1211 uint8_t *dataptr
= NULL
; /* for realloc */
1212 size_t handshake_header_size
= HANDSHAKE_HEADER_SIZE
;
1214 /* if we have data into the buffer then return them, do not read the next packet.
1215 * In order to return we need a full TLS handshake header, or in case of a version 2
1216 * packet, then we return the first byte.
1218 if (session
->internals
.handshake_header_buffer
.header_size
==
1219 handshake_header_size
|| (session
->internals
.v2_hello
!= 0
1220 && type
== GNUTLS_HANDSHAKE_CLIENT_HELLO
1221 && session
->internals
.
1222 handshake_header_buffer
.packet_length
> 0))
1225 *recv_type
= session
->internals
.handshake_header_buffer
.recv_type
;
1227 if (*recv_type
!= type
)
1230 _gnutls_handshake_log
1231 ("HSK[%p]: Handshake type mismatch (under attack?)\n", session
);
1232 return GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET
;
1235 return session
->internals
.handshake_header_buffer
.packet_length
;
1238 /* Note: SSL2_HEADERS == 1 */
1240 dataptr
= session
->internals
.handshake_header_buffer
.header
;
1242 /* If we haven't already read the handshake headers.
1244 if (session
->internals
.handshake_header_buffer
.header_size
< SSL2_HEADERS
)
1247 _gnutls_handshake_io_recv_int (session
, GNUTLS_HANDSHAKE
,
1248 type
, dataptr
, SSL2_HEADERS
);
1255 /* The case ret==0 is caught here.
1257 if (ret
!= SSL2_HEADERS
)
1260 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH
;
1262 session
->internals
.handshake_header_buffer
.header_size
= SSL2_HEADERS
;
1265 if (session
->internals
.v2_hello
== 0
1266 || type
!= GNUTLS_HANDSHAKE_CLIENT_HELLO
)
1269 _gnutls_handshake_io_recv_int (session
, GNUTLS_HANDSHAKE
,
1272 [session
->internals
.
1273 handshake_header_buffer
.header_size
],
1274 HANDSHAKE_HEADER_SIZE
-
1276 handshake_header_buffer
.header_size
);
1280 return (ret
< 0) ? ret
: GNUTLS_E_UNEXPECTED_PACKET_LENGTH
;
1283 HANDSHAKE_HEADER_SIZE
-
1284 session
->internals
.handshake_header_buffer
.header_size
)
1287 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH
;
1289 *recv_type
= dataptr
[0];
1291 /* we do not use DECR_LEN because we know
1292 * that the packet has enough data.
1294 length32
= _gnutls_read_uint24 (&dataptr
[1]);
1295 handshake_header_size
= HANDSHAKE_HEADER_SIZE
;
1297 _gnutls_handshake_log ("HSK[%p]: %s was received [%ld bytes]\n",
1298 session
, _gnutls_handshake2str (dataptr
[0]),
1299 (long int) (length32
+ HANDSHAKE_HEADER_SIZE
));
1304 length32
= session
->internals
.v2_hello
- SSL2_HEADERS
; /* we've read the first byte */
1306 handshake_header_size
= SSL2_HEADERS
; /* we've already read one byte */
1308 *recv_type
= dataptr
[0];
1310 _gnutls_handshake_log ("HSK[%p]: %s(v2) was received [%ld bytes]\n",
1311 session
, _gnutls_handshake2str (*recv_type
),
1312 (long int) (length32
+ handshake_header_size
));
1314 if (*recv_type
!= GNUTLS_HANDSHAKE_CLIENT_HELLO
)
1315 { /* it should be one or nothing */
1317 return GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET
;
1321 /* put the packet into the buffer */
1322 session
->internals
.handshake_header_buffer
.header_size
=
1323 handshake_header_size
;
1324 session
->internals
.handshake_header_buffer
.packet_length
= length32
;
1325 session
->internals
.handshake_header_buffer
.recv_type
= *recv_type
;
1327 if (*recv_type
!= type
)
1330 return GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET
;
1336 #define _gnutls_handshake_header_buffer_clear( session) session->internals.handshake_header_buffer.header_size = 0
1340 /* This function will hash the handshake headers and the
1344 _gnutls_handshake_hash_add_recvd (gnutls_session_t session
,
1345 gnutls_handshake_description_t recv_type
,
1346 opaque
* header
, uint16_t header_size
,
1347 opaque
* dataptr
, uint32_t datalen
)
1351 /* The idea here is to hash the previous message we received,
1352 * and add the one we just received into the handshake_hash_buffer.
1354 if ((session
->security_parameters
.entity
== GNUTLS_SERVER
1355 || recv_type
!= GNUTLS_HANDSHAKE_SERVER_HELLO
)
1356 && (session
->security_parameters
.entity
== GNUTLS_CLIENT
1357 || recv_type
!= GNUTLS_HANDSHAKE_CLIENT_HELLO
))
1359 if ((ret
= _gnutls_handshake_hash_pending (session
)) < 0)
1366 /* here we buffer the handshake messages - needed at Finished message */
1367 if (recv_type
!= GNUTLS_HANDSHAKE_HELLO_REQUEST
)
1371 _gnutls_handshake_buffer_put (session
, header
, header_size
)) < 0)
1380 _gnutls_handshake_buffer_put (session
, dataptr
, datalen
)) < 0)
1392 /* This function will receive handshake messages of the given types,
1393 * and will pass the message to the right place in order to be processed.
1394 * E.g. for the SERVER_HELLO message (if it is expected), it will be
1395 * passed to _gnutls_recv_hello().
1398 _gnutls_recv_handshake (gnutls_session_t session
, uint8_t ** data
,
1399 int *datalen
, gnutls_handshake_description_t type
,
1403 uint32_t length32
= 0;
1404 opaque
*dataptr
= NULL
;
1405 gnutls_handshake_description_t recv_type
;
1407 ret
= _gnutls_recv_handshake_header (session
, type
, &recv_type
);
1411 if (ret
== GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET
1412 && optional
== OPTIONAL_PACKET
)
1414 if (datalen
!= NULL
)
1418 return 0; /* ok just ignore the packet */
1424 session
->internals
.last_handshake_in
= recv_type
;
1429 dataptr
= gnutls_malloc (length32
);
1430 else if (recv_type
!= GNUTLS_HANDSHAKE_SERVER_HELLO_DONE
)
1433 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH
;
1436 if (dataptr
== NULL
&& length32
> 0)
1439 return GNUTLS_E_MEMORY_ERROR
;
1442 if (datalen
!= NULL
)
1443 *datalen
= length32
;
1448 _gnutls_handshake_io_recv_int (session
, GNUTLS_HANDSHAKE
,
1449 type
, dataptr
, length32
);
1453 gnutls_free (dataptr
);
1454 return (ret
== 0) ? GNUTLS_E_UNEXPECTED_PACKET_LENGTH
: ret
;
1458 if (data
!= NULL
&& length32
> 0)
1462 ret
= _gnutls_handshake_hash_add_recvd (session
, recv_type
,
1464 handshake_header_buffer
.header
,
1466 handshake_header_buffer
.header_size
,
1471 _gnutls_handshake_header_buffer_clear (session
);
1475 /* If we fail before this then we will reuse the handshake header
1476 * have have received above. if we get here the we clear the handshake
1477 * header we received.
1479 _gnutls_handshake_header_buffer_clear (session
);
1483 case GNUTLS_HANDSHAKE_CLIENT_HELLO
:
1484 case GNUTLS_HANDSHAKE_SERVER_HELLO
:
1485 ret
= _gnutls_recv_hello (session
, dataptr
, length32
);
1487 /* dataptr is freed because the caller does not
1489 gnutls_free (dataptr
);
1496 /* initialize the hashes for both - (client will know server's version
1497 * and server as well at this point) */
1498 if ((ret
= _gnutls_handshake_hash_init (session
)) < 0)
1505 case GNUTLS_HANDSHAKE_SERVER_HELLO_DONE
:
1509 ret
= GNUTLS_E_UNEXPECTED_PACKET_LENGTH
;
1511 case GNUTLS_HANDSHAKE_CERTIFICATE_PKT
:
1512 case GNUTLS_HANDSHAKE_FINISHED
:
1513 case GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE
:
1514 case GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE
:
1515 case GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST
:
1516 case GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY
:
1517 case GNUTLS_HANDSHAKE_SUPPLEMENTAL
:
1518 case GNUTLS_HANDSHAKE_NEW_SESSION_TICKET
:
1523 gnutls_free (dataptr
);
1526 ret
= GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET
;
1532 /* This function checks if the given cipher suite is supported, and sets it
1536 _gnutls_client_set_ciphersuite (gnutls_session_t session
, opaque suite
[2])
1539 cipher_suite_st
*cipher_suites
;
1540 int cipher_suite_num
;
1544 cipher_suite_num
= _gnutls_supported_ciphersuites (session
, &cipher_suites
);
1545 if (cipher_suite_num
< 0)
1548 return cipher_suite_num
;
1551 for (i
= 0; i
< cipher_suite_num
; i
++)
1553 if (memcmp (&cipher_suites
[i
], suite
, 2) == 0)
1560 gnutls_free (cipher_suites
);
1565 return GNUTLS_E_UNKNOWN_CIPHER_SUITE
;
1568 memcpy (session
->security_parameters
.current_cipher_suite
.suite
, suite
, 2);
1570 _gnutls_handshake_log ("HSK[%p]: Selected cipher suite: %s\n", session
,
1571 _gnutls_cipher_suite_get_name
1572 (&session
->security_parameters
.
1573 current_cipher_suite
));
1576 /* check if the credentials (username, public key etc.) are ok.
1577 * Actually checks if they exist.
1579 if (_gnutls_get_kx_cred
1581 _gnutls_cipher_suite_get_kx_algo
1582 (&session
->security_parameters
.current_cipher_suite
), &err
) == NULL
1586 return GNUTLS_E_INSUFFICIENT_CREDENTIALS
;
1590 /* set the mod_auth_st to the appropriate struct
1591 * according to the KX algorithm. This is needed since all the
1592 * handshake functions are read from there;
1594 session
->internals
.auth_struct
=
1595 _gnutls_kx_auth_struct (_gnutls_cipher_suite_get_kx_algo
1596 (&session
->security_parameters
.
1597 current_cipher_suite
));
1599 if (session
->internals
.auth_struct
== NULL
)
1602 _gnutls_handshake_log
1603 ("HSK[%p]: Cannot find the appropriate handler for the KX algorithm\n",
1606 return GNUTLS_E_INTERNAL_ERROR
;
1613 /* This function sets the given comp method to the session.
1616 _gnutls_client_set_comp_method (gnutls_session_t session
, opaque comp_method
)
1618 int comp_methods_num
;
1619 uint8_t *compression_methods
;
1622 comp_methods_num
= _gnutls_supported_compression_methods (session
,
1623 &compression_methods
);
1624 if (comp_methods_num
< 0)
1627 return comp_methods_num
;
1630 for (i
= 0; i
< comp_methods_num
; i
++)
1632 if (compression_methods
[i
] == comp_method
)
1634 comp_methods_num
= 0;
1639 gnutls_free (compression_methods
);
1641 if (comp_methods_num
!= 0)
1644 return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM
;
1647 session
->internals
.compression_method
=
1648 _gnutls_compression_get_id (comp_method
);
1654 /* This function returns 0 if we are resuming a session or -1 otherwise.
1655 * This also sets the variables in the session. Used only while reading a server
1659 _gnutls_client_check_if_resuming (gnutls_session_t session
,
1660 opaque
* session_id
, int session_id_len
)
1662 opaque buf
[2 * TLS_MAX_SESSION_ID_SIZE
+ 1];
1664 _gnutls_handshake_log ("HSK[%p]: SessionID length: %d\n", session
,
1666 _gnutls_handshake_log ("HSK[%p]: SessionID: %s\n", session
,
1667 _gnutls_bin2hex (session_id
, session_id_len
, buf
,
1670 if (session_id_len
> 0 &&
1671 session
->internals
.resumed_security_parameters
.session_id_size
==
1673 && memcmp (session_id
,
1674 session
->internals
.resumed_security_parameters
.session_id
,
1675 session_id_len
) == 0)
1677 /* resume session */
1678 memcpy (session
->internals
.resumed_security_parameters
.server_random
,
1679 session
->security_parameters
.server_random
, GNUTLS_RANDOM_SIZE
);
1680 memcpy (session
->internals
.resumed_security_parameters
.client_random
,
1681 session
->security_parameters
.client_random
, GNUTLS_RANDOM_SIZE
);
1682 session
->internals
.resumed
= RESUME_TRUE
; /* we are resuming */
1688 /* keep the new session id */
1689 session
->internals
.resumed
= RESUME_FALSE
; /* we are not resuming */
1690 session
->security_parameters
.session_id_size
= session_id_len
;
1691 memcpy (session
->security_parameters
.session_id
,
1692 session_id
, session_id_len
);
1699 /* This function reads and parses the server hello handshake message.
1700 * This function also restores resumed parameters if we are resuming a
1704 _gnutls_read_server_hello (gnutls_session_t session
,
1705 opaque
* data
, int datalen
)
1707 uint8_t session_id_len
= 0;
1710 gnutls_protocol_t version
;
1716 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH
;
1719 _gnutls_handshake_log ("HSK[%p]: Server's version: %d.%d\n",
1720 session
, data
[pos
], data
[pos
+ 1]);
1723 version
= _gnutls_version_get (data
[pos
], data
[pos
+ 1]);
1724 if (_gnutls_version_is_supported (session
, version
) == 0)
1727 return GNUTLS_E_UNSUPPORTED_VERSION_PACKET
;
1731 _gnutls_set_current_version (session
, version
);
1736 DECR_LEN (len
, GNUTLS_RANDOM_SIZE
);
1737 _gnutls_set_server_random (session
, &data
[pos
]);
1738 pos
+= GNUTLS_RANDOM_SIZE
;
1744 session_id_len
= data
[pos
++];
1746 if (len
< session_id_len
)
1749 return GNUTLS_E_UNSUPPORTED_VERSION_PACKET
;
1751 DECR_LEN (len
, session_id_len
);
1753 /* check if we are resuming and set the appropriate
1756 if (_gnutls_client_check_if_resuming
1757 (session
, &data
[pos
], session_id_len
) == 0)
1759 pos
+= session_id_len
+ 2 + 1;
1760 DECR_LEN (len
, 2+1);
1762 ret
= _gnutls_parse_extensions (session
, GNUTLS_EXT_RESUMED
,
1772 pos
+= session_id_len
;
1774 /* Check if the given cipher suite is supported and copy
1775 * it to the session.
1779 ret
= _gnutls_client_set_ciphersuite (session
, &data
[pos
]);
1787 /* move to compression
1791 ret
= _gnutls_client_set_comp_method (session
, data
[pos
++]);
1795 return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM
;
1798 /* Parse extensions.
1800 ret
= _gnutls_parse_extensions (session
, GNUTLS_EXT_ANY
,
1812 /* This function copies the appropriate ciphersuites to a locally allocated buffer
1813 * Needed in client hello messages. Returns the new data length. If add_scsv is
1814 * true, add the special safe renegotiation CS.
1817 _gnutls_copy_ciphersuites (gnutls_session_t session
,
1818 opaque
* ret_data
, size_t ret_data_size
,
1822 cipher_suite_st
*cipher_suites
;
1823 uint16_t cipher_num
;
1827 ret
= _gnutls_supported_ciphersuites_sorted (session
, &cipher_suites
);
1834 /* Here we remove any ciphersuite that does not conform
1835 * the certificate requested, or to the
1836 * authentication requested (eg SRP).
1839 _gnutls_remove_unwanted_ciphersuites (session
, &cipher_suites
, ret
, -1);
1843 gnutls_free (cipher_suites
);
1847 /* If no cipher suites were enabled.
1852 gnutls_free (cipher_suites
);
1853 return GNUTLS_E_INSUFFICIENT_CREDENTIALS
;
1861 cipher_num
*= sizeof (uint16_t); /* in order to get bytes */
1865 datalen
+= sizeof (uint16_t) + cipher_num
;
1867 if ((size_t) datalen
> ret_data_size
)
1870 return GNUTLS_E_INTERNAL_ERROR
;
1873 _gnutls_write_uint16 (cipher_num
, ret_data
);
1876 loop_max
= add_scsv
? cipher_num
- 2 : cipher_num
;
1878 for (i
= 0; i
< (loop_max
/ 2); i
++)
1880 memcpy (&ret_data
[pos
], cipher_suites
[i
].suite
, 2);
1886 /* Safe renegotiation signalling CS value is { 0x00, 0xff } */
1887 ret_data
[pos
++] = 0x00;
1888 ret_data
[pos
++] = 0xff;
1891 gnutls_free (cipher_suites
);
1897 /* This function copies the appropriate compression methods, to a locally allocated buffer
1898 * Needed in hello messages. Returns the new data length.
1901 _gnutls_copy_comp_methods (gnutls_session_t session
,
1902 opaque
* ret_data
, size_t ret_data_size
)
1905 uint8_t *compression_methods
, comp_num
;
1908 ret
= _gnutls_supported_compression_methods (session
, &compression_methods
);
1918 datalen
+= comp_num
+ 1;
1920 if ((size_t) datalen
> ret_data_size
)
1923 return GNUTLS_E_INTERNAL_ERROR
;
1926 ret_data
[pos
++] = comp_num
; /* put the number of compression methods */
1928 for (i
= 0; i
< comp_num
; i
++)
1930 ret_data
[pos
++] = compression_methods
[i
];
1933 gnutls_free (compression_methods
);
1938 /* This should be sufficient by now. It should hold all the extensions
1939 * plus the headers in a hello message.
1941 #define MAX_EXT_DATA_LENGTH 1024
1943 /* This function sends the client hello handshake message.
1946 _gnutls_send_client_hello (gnutls_session_t session
, int again
)
1948 opaque
*data
= NULL
;
1951 int datalen
= 0, ret
= 0;
1952 opaque rnd
[GNUTLS_RANDOM_SIZE
];
1953 gnutls_protocol_t hver
;
1954 opaque
*extdata
= NULL
;
1955 int rehandshake
= 0;
1956 uint8_t session_id_len
=
1957 session
->internals
.resumed_security_parameters
.session_id_size
;
1959 /* note that rehandshake is different than resuming
1961 if (session
->security_parameters
.session_id_size
)
1967 datalen
= 2 + (session_id_len
+ 1) + GNUTLS_RANDOM_SIZE
;
1968 /* 2 for version, (4 for unix time + 28 for random bytes==GNUTLS_RANDOM_SIZE)
1971 data
= gnutls_malloc (datalen
);
1975 return GNUTLS_E_MEMORY_ERROR
;
1978 extdatalen
= MAX_EXT_DATA_LENGTH
1980 session
->internals
.resumed_security_parameters
.extensions
.
1982 extdata
= gnutls_malloc (extdatalen
);
1983 if (extdata
== NULL
)
1987 return GNUTLS_E_MEMORY_ERROR
;
1990 /* if we are resuming a session then we set the
1991 * version number to the previously established.
1993 if (session_id_len
== 0)
1995 if (rehandshake
) /* already negotiated version thus version_max == negotiated version */
1996 hver
= session
->security_parameters
.version
;
1997 else /* new handshake. just get the max */
1998 hver
= _gnutls_version_max (session
);
2002 /* we are resuming a session */
2003 hver
= session
->internals
.resumed_security_parameters
.version
;
2006 if (hver
== GNUTLS_VERSION_UNKNOWN
|| hver
== 0)
2010 gnutls_free (extdata
);
2011 return GNUTLS_E_INTERNAL_ERROR
;
2014 data
[pos
++] = _gnutls_version_get_major (hver
);
2015 data
[pos
++] = _gnutls_version_get_minor (hver
);
2017 /* Set the version we advertized as maximum
2020 _gnutls_set_adv_version (session
, hver
);
2022 if (session
->internals
.priorities
.ssl3_record_version
)
2024 /* Honor the SSL3_RECORD_VERSION option
2026 _gnutls_set_current_version (session
, GNUTLS_SSL3
);
2030 /* Some old implementations do not interoperate if we send a
2031 * different version in the record layer.
2032 * It seems they prefer to read the record's version
2033 * as the one we actually requested.
2034 * The proper behaviour is to use the one in the client hello
2035 * handshake packet and ignore the one in the packet's record
2038 _gnutls_set_current_version (session
, hver
);
2041 /* In order to know when this session was initiated.
2043 session
->security_parameters
.timestamp
= time (NULL
);
2045 /* Generate random data
2047 _gnutls_tls_create_random (rnd
);
2048 _gnutls_set_client_random (session
, rnd
);
2050 memcpy (&data
[pos
], rnd
, GNUTLS_RANDOM_SIZE
);
2051 pos
+= GNUTLS_RANDOM_SIZE
;
2053 /* Copy the Session ID
2055 data
[pos
++] = session_id_len
;
2057 if (session_id_len
> 0)
2059 memcpy (&data
[pos
], session
->internals
.resumed_security_parameters
.session_id
, session_id_len
);
2060 pos
+= session_id_len
;
2064 /* Copy the ciphersuites.
2066 * If using SSLv3 Send TLS_RENEGO_PROTECTION_REQUEST SCSV for MITM
2067 * prevention on initial negotiation (but not renegotiation; that's
2068 * handled with the RI extension below).
2070 if(!session
->internals
.initial_negotiation_completed
&&
2071 session
->security_parameters
.entity
== GNUTLS_CLIENT
&&
2072 gnutls_protocol_get_version (session
) == GNUTLS_SSL3
)
2074 ret
= _gnutls_copy_ciphersuites (session
, extdata
, extdatalen
, TRUE
);
2075 _gnutls_extension_list_add (session
, GNUTLS_EXTENSION_SAFE_RENEGOTIATION
);
2078 ret
= _gnutls_copy_ciphersuites (session
, extdata
, extdatalen
, FALSE
);
2083 data
= gnutls_realloc_fast (data
, datalen
);
2087 gnutls_free (extdata
);
2088 return GNUTLS_E_MEMORY_ERROR
;
2091 memcpy (&data
[pos
], extdata
, ret
);
2098 ret
= GNUTLS_E_INTERNAL_ERROR
;
2100 gnutls_free (extdata
);
2106 /* Copy the compression methods.
2108 ret
= _gnutls_copy_comp_methods (session
, extdata
, extdatalen
);
2112 data
= gnutls_realloc_fast (data
, datalen
);
2116 gnutls_free (extdata
);
2117 return GNUTLS_E_MEMORY_ERROR
;
2120 memcpy (&data
[pos
], extdata
, ret
);
2127 ret
= GNUTLS_E_INTERNAL_ERROR
;
2129 gnutls_free (extdata
);
2134 /* Generate and copy TLS extensions.
2136 if (_gnutls_version_has_extensions (hver
))
2138 ret
= _gnutls_gen_extensions (session
, extdata
, extdatalen
);
2143 data
= gnutls_realloc_fast (data
, datalen
);
2147 gnutls_free (extdata
);
2148 return GNUTLS_E_MEMORY_ERROR
;
2151 memcpy (&data
[pos
], extdata
, ret
);
2157 gnutls_free (extdata
);
2161 else if(session
->internals
.initial_negotiation_completed
!= 0)
2163 opaque buf
[256]; /* opaque renegotiated_connection<0..255> */
2165 /* For SSLv3 only, we will (only) to send the RI extension; we must
2166 * send it every time we renegotiate. We don't want to send anything
2167 * else, out of concern for interoperability.
2169 * If this is an initial negotiation, we already sent SCSV above.
2172 ret
= _gnutls_safe_renegotiation_send_params (session
, buf
, sizeof(buf
));
2178 gnutls_free (extdata
);
2182 datalen
+= ret
+ 6; /* extlen(2) + type(2) + len(2) + ret */
2184 data
= gnutls_realloc_fast (data
, datalen
);
2188 gnutls_free (extdata
);
2189 return GNUTLS_E_MEMORY_ERROR
;
2192 /* total extensions length (one extension, with type(2) + len(2)) */
2193 _gnutls_write_uint16 (4 + ret
, &data
[pos
]);
2196 /* TLS RI extension type is 0xff01 */
2200 _gnutls_write_uint16 (ret
, &data
[pos
]);
2203 memcpy(&data
[pos
], buf
, ret
);
2206 _gnutls_debug_log ("EXT[%p]: Sending extension safe renegotiation (SSLv3)\n",
2209 gnutls_free (extdata
);
2213 _gnutls_send_handshake (session
, data
, datalen
,
2214 GNUTLS_HANDSHAKE_CLIENT_HELLO
);
2221 _gnutls_send_server_hello (gnutls_session_t session
, int again
)
2223 opaque
*data
= NULL
;
2224 opaque extdata
[MAX_EXT_DATA_LENGTH
];
2227 int datalen
, ret
= 0;
2229 uint8_t session_id_len
= session
->security_parameters
.session_id_size
;
2230 opaque buf
[2 * TLS_MAX_SESSION_ID_SIZE
+ 1];
2236 (_gnutls_cipher_suite_get_kx_algo
2237 (&session
->security_parameters
.current_cipher_suite
)))
2239 /* While resuming we cannot check the username extension since it is
2240 * not available at this point. It will be copied on connection
2243 if (session
->internals
.resumed
== RESUME_FALSE
&&
2244 session
->security_parameters
.extensions
.srp_username
[0] == 0)
2246 /* The peer didn't send a valid SRP extension with the
2247 * SRP username. The draft requires that we send a fatal
2251 ret
= gnutls_alert_send (session
, GNUTLS_AL_FATAL
,
2252 GNUTLS_A_UNKNOWN_PSK_IDENTITY
);
2259 return GNUTLS_E_ILLEGAL_SRP_USERNAME
;
2266 datalen
= 2 + session_id_len
+ 1 + GNUTLS_RANDOM_SIZE
+ 3;
2268 _gnutls_gen_extensions (session
, extdata
, sizeof (extdata
));
2276 data
= gnutls_malloc (datalen
+ extdatalen
);
2280 return GNUTLS_E_MEMORY_ERROR
;
2284 _gnutls_version_get_major (session
->security_parameters
.version
);
2286 _gnutls_version_get_minor (session
->security_parameters
.version
);
2289 session
->security_parameters
.server_random
, GNUTLS_RANDOM_SIZE
);
2290 pos
+= GNUTLS_RANDOM_SIZE
;
2292 data
[pos
++] = session_id_len
;
2293 if (session_id_len
> 0)
2295 memcpy (&data
[pos
], session
->security_parameters
.session_id
, session_id_len
);
2297 pos
+= session_id_len
;
2299 _gnutls_handshake_log ("HSK[%p]: SessionID: %s\n", session
,
2300 _gnutls_bin2hex (session
->security_parameters
.session_id
, session_id_len
,
2301 buf
, sizeof (buf
)));
2304 session
->security_parameters
.current_cipher_suite
.suite
, 2);
2308 (uint8_t) _gnutls_compression_get_num (session
->
2309 internals
.compression_method
);
2315 datalen
+= extdatalen
;
2317 memcpy (&data
[pos
], extdata
, extdatalen
);
2322 _gnutls_send_handshake (session
, data
, datalen
,
2323 GNUTLS_HANDSHAKE_SERVER_HELLO
);
2330 _gnutls_send_hello (gnutls_session_t session
, int again
)
2334 session
->internals
.safe_renegotiation_received
= 0;
2336 if (session
->security_parameters
.entity
== GNUTLS_CLIENT
)
2338 ret
= _gnutls_send_client_hello (session
, again
);
2343 ret
= _gnutls_send_server_hello (session
, again
);
2349 /* RECEIVE A HELLO MESSAGE. This should be called from gnutls_recv_handshake_int only if a
2350 * hello message is expected. It uses the security_parameters.current_cipher_suite
2351 * and internals.compression_method.
2354 _gnutls_recv_hello (gnutls_session_t session
, opaque
* data
, int datalen
)
2359 if (session
->security_parameters
.entity
== GNUTLS_CLIENT
)
2361 ret
= _gnutls_read_server_hello (session
, data
, datalen
);
2369 { /* Server side reading a client hello */
2371 ret
= _gnutls_read_client_hello (session
, data
, datalen
);
2379 if (session
->internals
.priorities
.disable_safe_renegotiation
!= 0)
2385 /* Safe renegotiation */
2386 ext
= &session
->security_parameters
.extensions
;
2388 if (session
->internals
.safe_renegotiation_received
)
2390 if ((ext
->ri_extension_data_len
< ext
->client_verify_data_len
) ||
2391 (memcmp (ext
->ri_extension_data
,
2392 ext
->client_verify_data
,
2393 ext
->client_verify_data_len
)))
2396 _gnutls_handshake_log ("Safe renegotiation failed [1]\n");
2397 return GNUTLS_E_SAFE_RENEGOTIATION_FAILED
;
2399 if (session
->security_parameters
.entity
== GNUTLS_CLIENT
)
2401 if ((ext
->ri_extension_data_len
!=
2402 ext
->client_verify_data_len
+ ext
->server_verify_data_len
) ||
2403 memcmp (ext
->ri_extension_data
+ ext
->client_verify_data_len
,
2404 ext
->server_verify_data
, ext
->server_verify_data_len
) != 0)
2407 _gnutls_handshake_log ("Safe renegotiation failed [2]\n");
2408 return GNUTLS_E_SAFE_RENEGOTIATION_FAILED
;
2411 else /* Make sure there are 0 extra bytes */
2413 if (ext
->ri_extension_data_len
!= ext
->client_verify_data_len
)
2416 _gnutls_handshake_log ("Safe renegotiation failed [3]\n");
2417 return GNUTLS_E_SAFE_RENEGOTIATION_FAILED
;
2421 _gnutls_handshake_log ("Safe renegotiation succeeded.\n");
2423 else /* safe renegotiation not received... */
2425 if (session
->internals
.connection_using_safe_renegotiation
)
2428 _gnutls_handshake_log ("Peer previously asked for safe renegotiation!\n");
2429 return GNUTLS_E_SAFE_RENEGOTIATION_FAILED
;
2432 /* Clients can't tell if it's an initial negotiation */
2433 if (session
->internals
.initial_negotiation_completed
||
2434 session
->security_parameters
.entity
== GNUTLS_CLIENT
)
2436 if (session
->internals
.priorities
.unsafe_renegotiation
!= 0)
2438 _gnutls_handshake_log ("Allowing unsafe renegotiation!\n");
2443 _gnutls_handshake_log ("Denying unsafe renegotiation.\n");
2444 ret
= gnutls_alert_send (session
, GNUTLS_AL_WARNING
,
2445 GNUTLS_A_NO_RENEGOTIATION
);
2453 return GNUTLS_E_SAFE_RENEGOTIATION_FAILED
;
2458 if (session
->internals
.priorities
.initial_safe_renegotiation
==0)
2460 _gnutls_handshake_log ("Allowing unsafe initial negotiation!\n");
2465 _gnutls_handshake_log ("Denying unsafe initial negotiation.\n");
2466 return GNUTLS_E_SAFE_RENEGOTIATION_FAILED
;
2474 /* The packets in gnutls_handshake (it's more broad than original TLS handshake)
2478 * ClientHello -------->
2479 * <-------- ServerHello
2482 * ServerKeyExchange*
2483 * <-------- CertificateRequest*
2485 * <-------- ServerHelloDone
2488 * CertificateVerify*
2489 * [ChangeCipherSpec]
2490 * Finished -------->
2491 * [ChangeCipherSpec]
2492 * <-------- Finished
2494 * (*): means optional packet.
2498 * gnutls_rehandshake - renegotiate security parameters
2499 * @session: is a #gnutls_session_t structure.
2501 * This function will renegotiate security parameters with the
2502 * client. This should only be called in case of a server.
2504 * This message informs the peer that we want to renegotiate
2505 * parameters (perform a handshake).
2507 * If this function succeeds (returns 0), you must call the
2508 * gnutls_handshake() function in order to negotiate the new
2511 * Since TLS is full duplex some application data might have been
2512 * sent during peer's processing of this message. In that case
2513 * one should call gnutls_record_recv() until GNUTLS_E_REHANDSHAKE
2514 * is returned to clear any pending data. Care must be taken if
2515 * rehandshake is mandatory to terminate if it does not start after
2518 * If the client does not wish to renegotiate parameters he will
2519 * should with an alert message, thus the return code will be
2520 * %GNUTLS_E_WARNING_ALERT_RECEIVED and the alert will be
2521 * %GNUTLS_A_NO_RENEGOTIATION. A client may also choose to ignore
2524 * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
2528 gnutls_rehandshake (gnutls_session_t session
)
2532 /* only server sends that handshake packet */
2533 if (session
->security_parameters
.entity
== GNUTLS_CLIENT
)
2534 return GNUTLS_E_INVALID_REQUEST
;
2537 _gnutls_send_empty_handshake (session
, GNUTLS_HANDSHAKE_HELLO_REQUEST
,
2552 _gnutls_abort_handshake (gnutls_session_t session
, int ret
)
2554 if (((ret
== GNUTLS_E_WARNING_ALERT_RECEIVED
) &&
2555 (gnutls_alert_get (session
) == GNUTLS_A_NO_RENEGOTIATION
))
2556 || ret
== GNUTLS_E_GOT_APPLICATION_DATA
)
2559 /* this doesn't matter */
2560 return GNUTLS_E_INTERNAL_ERROR
;
2564 /* This function initialized the handshake hash session.
2565 * required for finished messages.
2568 _gnutls_handshake_hash_init (gnutls_session_t session
)
2570 gnutls_protocol_t ver
= gnutls_protocol_get_version (session
);
2572 if (session
->internals
.handshake_mac_handle_init
== 0)
2576 /* set the hash type for handshake message hashing */
2577 if (_gnutls_version_has_selectable_prf (ver
))
2578 session
->security_parameters
.handshake_mac_handle_type
=
2579 HANDSHAKE_MAC_TYPE_12
;
2581 session
->security_parameters
.handshake_mac_handle_type
=
2582 HANDSHAKE_MAC_TYPE_10
;
2585 if (session
->security_parameters
.handshake_mac_handle_type
==
2586 HANDSHAKE_MAC_TYPE_10
)
2589 _gnutls_hash_init (&session
->internals
.handshake_mac_handle
.
2590 tls10
.md5
, GNUTLS_MAC_MD5
);
2599 _gnutls_hash_init (&session
->internals
.handshake_mac_handle
.
2600 tls10
.sha
, GNUTLS_MAC_SHA1
);
2604 _gnutls_hash_deinit (&session
->internals
.
2605 handshake_mac_handle
.tls10
.md5
, NULL
);
2606 return GNUTLS_E_MEMORY_ERROR
;
2609 else if (session
->security_parameters
.handshake_mac_handle_type
==
2610 HANDSHAKE_MAC_TYPE_12
)
2612 /* The algorithm to compute hash over handshake messages must be
2613 same as the one used as the basis for PRF. By now we use
2616 _gnutls_hash_init (&session
->internals
.handshake_mac_handle
.
2617 tls12
.sha256
, GNUTLS_DIG_SHA256
);
2621 return GNUTLS_E_MEMORY_ERROR
;
2625 _gnutls_hash_init (&session
->internals
.handshake_mac_handle
.
2626 tls12
.sha1
, GNUTLS_DIG_SHA1
);
2630 _gnutls_hash_deinit (&session
->internals
.
2631 handshake_mac_handle
.tls12
.sha256
, NULL
);
2632 return GNUTLS_E_MEMORY_ERROR
;
2636 session
->internals
.handshake_mac_handle_init
= 1;
2643 _gnutls_send_supplemental (gnutls_session_t session
, int again
)
2647 _gnutls_debug_log ("EXT[%p]: Sending supplemental data\n", session
);
2650 ret
= _gnutls_send_handshake (session
, NULL
, 0,
2651 GNUTLS_HANDSHAKE_SUPPLEMENTAL
);
2655 _gnutls_buffer_init (&buf
);
2657 ret
= _gnutls_gen_supplemental (session
, &buf
);
2664 ret
= _gnutls_send_handshake (session
, buf
.data
, buf
.length
,
2665 GNUTLS_HANDSHAKE_SUPPLEMENTAL
);
2666 _gnutls_buffer_clear (&buf
);
2673 _gnutls_recv_supplemental (gnutls_session_t session
)
2675 uint8_t *data
= NULL
;
2679 _gnutls_debug_log ("EXT[%p]: Expecting supplemental data\n", session
);
2681 ret
= _gnutls_recv_handshake (session
, &data
, &datalen
,
2682 GNUTLS_HANDSHAKE_SUPPLEMENTAL
,
2690 ret
= _gnutls_parse_supplemental (session
, data
, datalen
);
2703 * gnutls_handshake - This is the main function in the handshake protocol.
2704 * @session: is a #gnutls_session_t structure.
2706 * This function does the handshake of the TLS/SSL protocol, and
2707 * initializes the TLS connection.
2709 * This function will fail if any problem is encountered, and will
2710 * return a negative error code. In case of a client, if the client
2711 * has asked to resume a session, but the server couldn't, then a
2712 * full handshake will be performed.
2714 * The non-fatal errors such as %GNUTLS_E_AGAIN and
2715 * %GNUTLS_E_INTERRUPTED interrupt the handshake procedure, which
2716 * should be later be resumed. Call this function again, until it
2717 * returns 0; cf. gnutls_record_get_direction() and
2718 * gnutls_error_is_fatal().
2720 * If this function is called by a server after a rehandshake request
2721 * then %GNUTLS_E_GOT_APPLICATION_DATA or
2722 * %GNUTLS_E_WARNING_ALERT_RECEIVED may be returned. Note that these
2723 * are non fatal errors, only in the specific case of a rehandshake.
2724 * Their meaning is that the client rejected the rehandshake request or
2725 * in the case of %GNUTLS_E_GOT_APPLICATION_DATA it might also mean that
2726 * some data were pending.
2728 * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
2732 gnutls_handshake (gnutls_session_t session
)
2736 if (session
->security_parameters
.entity
== GNUTLS_CLIENT
)
2738 ret
= _gnutls_handshake_client (session
);
2742 ret
= _gnutls_handshake_server (session
);
2746 /* In the case of a rehandshake abort
2747 * we should reset the handshake's internal state.
2749 if (_gnutls_abort_handshake (session
, ret
) == 0)
2755 ret
= _gnutls_handshake_common (session
);
2759 if (_gnutls_abort_handshake (session
, ret
) == 0)
2767 _gnutls_handshake_io_buffer_clear (session
);
2768 _gnutls_handshake_internal_state_clear (session
);
2773 #define IMED_RET( str, ret, check_fatal) do { \
2775 if (check_fatal != 0 && gnutls_error_is_fatal(ret)==0) return ret; \
2778 _gnutls_handshake_hash_buffers_clear(session); \
2785 * _gnutls_handshake_client
2786 * This function performs the client side of the handshake of the TLS/SSL protocol.
2789 _gnutls_handshake_client (gnutls_session_t session
)
2793 #ifdef HANDSHAKE_DEBUG
2796 if (session
->internals
.resumed_security_parameters
.session_id_size
> 0)
2797 _gnutls_handshake_log ("HSK[%p]: Ask to resume: %s\n", session
,
2798 _gnutls_bin2hex (session
->internals
.
2799 resumed_security_parameters
.
2802 resumed_security_parameters
.
2803 session_id_size
, buf
,
2811 ret
= _gnutls_send_hello (session
, AGAIN (STATE1
));
2813 IMED_RET ("send hello", ret
, 0);
2816 /* receive the server hello */
2818 _gnutls_recv_handshake (session
, NULL
, NULL
,
2819 GNUTLS_HANDSHAKE_SERVER_HELLO
,
2822 IMED_RET ("recv hello", ret
, 1);
2825 if (session
->security_parameters
.extensions
.do_recv_supplemental
)
2827 ret
= _gnutls_recv_supplemental (session
);
2829 IMED_RET ("recv supplemental", ret
, 1);
2833 /* RECV CERTIFICATE */
2834 if (session
->internals
.resumed
== RESUME_FALSE
) /* if we are not resuming */
2835 ret
= _gnutls_recv_server_certificate (session
);
2837 IMED_RET ("recv server certificate", ret
, 1);
2840 /* receive the server key exchange */
2841 if (session
->internals
.resumed
== RESUME_FALSE
) /* if we are not resuming */
2842 ret
= _gnutls_recv_server_kx_message (session
);
2844 IMED_RET ("recv server kx message", ret
, 1);
2847 /* receive the server certificate request - if any
2850 if (session
->internals
.resumed
== RESUME_FALSE
) /* if we are not resuming */
2851 ret
= _gnutls_recv_server_certificate_request (session
);
2853 IMED_RET ("recv server certificate request message", ret
, 1);
2856 /* receive the server hello done */
2857 if (session
->internals
.resumed
== RESUME_FALSE
) /* if we are not resuming */
2859 _gnutls_recv_handshake (session
, NULL
, NULL
,
2860 GNUTLS_HANDSHAKE_SERVER_HELLO_DONE
,
2863 IMED_RET ("recv server hello done", ret
, 1);
2866 if (session
->security_parameters
.extensions
.do_send_supplemental
)
2868 ret
= _gnutls_send_supplemental (session
, AGAIN (STATE71
));
2870 IMED_RET ("send supplemental", ret
, 0);
2874 /* send our certificate - if any and if requested
2876 if (session
->internals
.resumed
== RESUME_FALSE
) /* if we are not resuming */
2877 ret
= _gnutls_send_client_certificate (session
, AGAIN (STATE7
));
2879 IMED_RET ("send client certificate", ret
, 0);
2882 if (session
->internals
.resumed
== RESUME_FALSE
) /* if we are not resuming */
2883 ret
= _gnutls_send_client_kx_message (session
, AGAIN (STATE8
));
2885 IMED_RET ("send client kx", ret
, 0);
2888 /* send client certificate verify */
2889 if (session
->internals
.resumed
== RESUME_FALSE
) /* if we are not resuming */
2891 _gnutls_send_client_certificate_verify (session
, AGAIN (STATE9
));
2893 IMED_RET ("send client certificate verify", ret
, 0);
2904 /* This function sends the final handshake packets and initializes connection
2907 _gnutls_send_handshake_final (gnutls_session_t session
, int init
)
2911 /* Send the CHANGE CIPHER SPEC PACKET */
2917 ret
= _gnutls_send_change_cipher_spec (session
, AGAIN (STATE20
));
2921 ERR ("send ChangeCipherSpec", ret
);
2926 /* Initialize the connection session (start encryption) - in case of client
2930 ret
= _gnutls_connection_state_init (session
);
2938 ret
= _gnutls_write_connection_state_init (session
);
2946 /* send the finished message */
2947 ret
= _gnutls_send_finished (session
, AGAIN (STATE21
));
2951 ERR ("send Finished", ret
);
2964 /* This function receives the final handshake packets
2965 * And executes the appropriate function to initialize the
2969 _gnutls_recv_handshake_final (gnutls_session_t session
, int init
)
2978 ret
= _gnutls_recv_int (session
, GNUTLS_CHANGE_CIPHER_SPEC
, -1, &ch
, 1);
2982 ERR ("recv ChangeCipherSpec", ret
);
2984 return (ret
< 0) ? ret
: GNUTLS_E_UNEXPECTED_PACKET_LENGTH
;
2987 /* Initialize the connection session (start encryption) - in case of server */
2990 ret
= _gnutls_connection_state_init (session
);
2998 ret
= _gnutls_read_connection_state_init (session
);
3006 ret
= _gnutls_recv_finished (session
);
3010 ERR ("recv finished", ret
);
3024 * _gnutls_handshake_server
3025 * This function does the server stuff of the handshake protocol.
3029 _gnutls_handshake_server (gnutls_session_t session
)
3038 _gnutls_recv_handshake (session
, NULL
, NULL
,
3039 GNUTLS_HANDSHAKE_CLIENT_HELLO
,
3042 IMED_RET ("recv hello", ret
, 1);
3045 ret
= _gnutls_send_hello (session
, AGAIN (STATE2
));
3047 IMED_RET ("send hello", ret
, 0);
3050 if (session
->security_parameters
.extensions
.do_send_supplemental
)
3052 ret
= _gnutls_send_supplemental (session
, AGAIN (STATE70
));
3054 IMED_RET ("send supplemental data", ret
, 0);
3057 /* SEND CERTIFICATE + KEYEXCHANGE + CERTIFICATE_REQUEST */
3059 /* NOTE: these should not be send if we are resuming */
3061 if (session
->internals
.resumed
== RESUME_FALSE
)
3062 ret
= _gnutls_send_server_certificate (session
, AGAIN (STATE3
));
3064 IMED_RET ("send server certificate", ret
, 0);
3067 /* send server key exchange (A) */
3068 if (session
->internals
.resumed
== RESUME_FALSE
)
3069 ret
= _gnutls_send_server_kx_message (session
, AGAIN (STATE4
));
3071 IMED_RET ("send server kx", ret
, 0);
3074 /* Send certificate request - if requested to */
3075 if (session
->internals
.resumed
== RESUME_FALSE
)
3077 _gnutls_send_server_certificate_request (session
, AGAIN (STATE5
));
3079 IMED_RET ("send server cert request", ret
, 0);
3082 /* send the server hello done */
3083 if (session
->internals
.resumed
== RESUME_FALSE
) /* if we are not resuming */
3085 _gnutls_send_empty_handshake (session
,
3086 GNUTLS_HANDSHAKE_SERVER_HELLO_DONE
,
3089 IMED_RET ("send server hello done", ret
, 0);
3092 if (session
->security_parameters
.extensions
.do_recv_supplemental
)
3094 ret
= _gnutls_recv_supplemental (session
);
3096 IMED_RET ("recv client supplemental", ret
, 1);
3099 /* RECV CERTIFICATE + KEYEXCHANGE + CERTIFICATE_VERIFY */
3101 /* receive the client certificate message */
3102 if (session
->internals
.resumed
== RESUME_FALSE
) /* if we are not resuming */
3103 ret
= _gnutls_recv_client_certificate (session
);
3105 IMED_RET ("recv client certificate", ret
, 1);
3108 /* receive the client key exchange message */
3109 if (session
->internals
.resumed
== RESUME_FALSE
) /* if we are not resuming */
3110 ret
= _gnutls_recv_client_kx_message (session
);
3112 IMED_RET ("recv client kx", ret
, 1);
3115 /* receive the client certificate verify message */
3116 if (session
->internals
.resumed
== RESUME_FALSE
) /* if we are not resuming */
3117 ret
= _gnutls_recv_client_certificate_verify_message (session
);
3119 IMED_RET ("recv client certificate verify", ret
, 1);
3121 STATE
= STATE0
; /* finished thus clear session */
3130 _gnutls_handshake_common (gnutls_session_t session
)
3134 /* send and recv the change cipher spec and finished messages */
3135 if ((session
->internals
.resumed
== RESUME_TRUE
3136 && session
->security_parameters
.entity
== GNUTLS_CLIENT
)
3137 || (session
->internals
.resumed
== RESUME_FALSE
3138 && session
->security_parameters
.entity
== GNUTLS_SERVER
))
3140 /* if we are a client resuming - or we are a server not resuming */
3142 ret
= _gnutls_recv_handshake_final (session
, TRUE
);
3143 IMED_RET ("recv handshake final", ret
, 1);
3145 #ifdef ENABLE_SESSION_TICKET
3150 if (session
->internals
.session_ticket_renew
)
3153 _gnutls_send_new_session_ticket (session
, AGAIN (STATE40
));
3155 IMED_RET ("send handshake new session ticket", ret
, 0);
3163 ret
= _gnutls_send_handshake_final (session
, FALSE
);
3164 IMED_RET ("send handshake final", ret
, 0);
3166 /* only store if we are not resuming */
3167 if (session
->security_parameters
.entity
== GNUTLS_SERVER
)
3169 /* in order to support session resuming */
3170 _gnutls_server_register_current_session (session
);
3174 { /* if we are a client not resuming - or we are a server resuming */
3176 ret
= _gnutls_send_handshake_final (session
, TRUE
);
3177 IMED_RET ("send handshake final 2", ret
, 0);
3179 #ifdef ENABLE_SESSION_TICKET
3184 if (session
->internals
.session_ticket_renew
)
3186 ret
= _gnutls_recv_new_session_ticket (session
);
3188 IMED_RET ("recv handshake new session ticket", ret
, 1);
3196 ret
= _gnutls_recv_handshake_final (session
, FALSE
);
3197 IMED_RET ("recv handshake final 2", ret
, 1);
3202 /* clear handshake buffer */
3203 _gnutls_handshake_hash_buffers_clear (session
);
3209 _gnutls_generate_session_id (opaque
* session_id
, uint8_t * len
)
3213 *len
= TLS_MAX_SESSION_ID_SIZE
;
3215 ret
= _gnutls_rnd (GNUTLS_RND_NONCE
, session_id
, *len
);
3226 _gnutls_recv_hello_request (gnutls_session_t session
, void *data
,
3231 if (session
->security_parameters
.entity
== GNUTLS_SERVER
)
3234 return GNUTLS_E_UNEXPECTED_PACKET
;
3239 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH
;
3241 type
= ((uint8_t *) data
)[0];
3242 if (type
== GNUTLS_HANDSHAKE_HELLO_REQUEST
)
3243 return GNUTLS_E_REHANDSHAKE
;
3247 return GNUTLS_E_UNEXPECTED_PACKET
;
3251 /* Returns 1 if the given KX has not the corresponding parameters
3252 * (DH or RSA) set up. Otherwise returns 0.
3255 check_server_params (gnutls_session_t session
,
3256 gnutls_kx_algorithm_t kx
,
3257 gnutls_kx_algorithm_t
* alg
, int alg_size
)
3260 gnutls_dh_params_t dh_params
= NULL
;
3261 gnutls_rsa_params_t rsa_params
= NULL
;
3264 cred_type
= _gnutls_map_kx_get_cred (kx
, 1);
3266 /* Read the Diffie-Hellman parameters, if any.
3268 if (cred_type
== GNUTLS_CRD_CERTIFICATE
)
3271 gnutls_certificate_credentials_t x509_cred
=
3272 (gnutls_certificate_credentials_t
) _gnutls_get_cred (session
->key
,
3275 if (x509_cred
!= NULL
)
3278 _gnutls_get_dh_params (x509_cred
->dh_params
,
3279 x509_cred
->params_func
, session
);
3281 _gnutls_certificate_get_rsa_params (x509_cred
->rsa_params
,
3282 x509_cred
->params_func
,
3286 /* Check also if the certificate supports the
3290 for (j
= 0; j
< alg_size
; j
++)
3304 else if (cred_type
== GNUTLS_CRD_ANON
)
3306 gnutls_anon_server_credentials_t anon_cred
=
3307 (gnutls_anon_server_credentials_t
) _gnutls_get_cred (session
->key
,
3310 if (anon_cred
!= NULL
)
3313 _gnutls_get_dh_params (anon_cred
->dh_params
,
3314 anon_cred
->params_func
, session
);
3319 else if (cred_type
== GNUTLS_CRD_PSK
)
3321 gnutls_psk_server_credentials_t psk_cred
=
3322 (gnutls_psk_server_credentials_t
) _gnutls_get_cred (session
->key
,
3325 if (psk_cred
!= NULL
)
3328 _gnutls_get_dh_params (psk_cred
->dh_params
, psk_cred
->params_func
,
3334 return 0; /* no need for params */
3337 /* If the key exchange method needs RSA or DH params,
3338 * but they are not set then remove it.
3340 if (_gnutls_kx_needs_rsa_params (kx
) != 0)
3342 /* needs rsa params. */
3343 if (_gnutls_rsa_params_to_mpi (rsa_params
) == NULL
)
3350 if (_gnutls_kx_needs_dh_params (kx
) != 0)
3352 /* needs DH params. */
3353 if (_gnutls_dh_params_to_mpi (dh_params
) == NULL
)
3363 /* This function will remove algorithms that are not supported by
3364 * the requested authentication method. We remove an algorithm if
3365 * we have a certificate with keyUsage bits set.
3367 * This does a more high level check than gnutls_supported_ciphersuites(),
3368 * by checking certificates etc.
3371 _gnutls_remove_unwanted_ciphersuites (gnutls_session_t session
,
3372 cipher_suite_st
** cipherSuites
,
3373 int numCipherSuites
,
3374 gnutls_pk_algorithm_t requested_pk_algo
)
3378 cipher_suite_st
*newSuite
, cs
;
3379 int newSuiteSize
= 0, i
;
3380 gnutls_certificate_credentials_t cert_cred
;
3381 gnutls_kx_algorithm_t kx
;
3382 int server
= session
->security_parameters
.entity
== GNUTLS_SERVER
? 1 : 0;
3383 gnutls_kx_algorithm_t
*alg
= NULL
;
3386 /* if we should use a specific certificate,
3387 * we should remove all algorithms that are not supported
3388 * by that certificate and are on the same authentication
3389 * method (CERTIFICATE).
3393 (gnutls_certificate_credentials_t
) _gnutls_get_cred (session
->key
,
3394 GNUTLS_CRD_CERTIFICATE
,
3397 /* If there are certificate credentials, find an appropriate certificate
3400 if (session
->security_parameters
.entity
== GNUTLS_SERVER
3401 && cert_cred
!= NULL
)
3403 ret
= _gnutls_server_select_cert (session
, requested_pk_algo
);
3407 _gnutls_x509_log ("Could not find an appropriate certificate: %s\n",
3408 gnutls_strerror (ret
));
3413 /* get all the key exchange algorithms that are
3414 * supported by the X509 certificate parameters.
3417 _gnutls_selected_cert_supported_kx (session
, &alg
, &alg_size
)) < 0)
3423 newSuite
= gnutls_malloc (numCipherSuites
* sizeof (cipher_suite_st
));
3424 if (newSuite
== NULL
)
3428 return GNUTLS_E_MEMORY_ERROR
;
3431 /* now removes ciphersuites based on the KX algorithm
3433 for (i
= 0; i
< numCipherSuites
; i
++)
3437 /* finds the key exchange algorithm in
3440 kx
= _gnutls_cipher_suite_get_kx_algo (&(*cipherSuites
)[i
]);
3442 /* if it is defined but had no credentials
3444 if (_gnutls_get_kx_cred (session
, kx
, NULL
) == NULL
)
3453 delete = check_server_params (session
, kx
, alg
, alg_size
);
3456 /* These two SRP kx's are marked to require a CRD_CERTIFICATE,
3457 (see cred_mappings in gnutls_algorithms.c), but it also
3458 requires a SRP credential. Don't use SRP kx unless we have a
3459 SRP credential too. */
3460 if (kx
== GNUTLS_KX_SRP_RSA
|| kx
== GNUTLS_KX_SRP_DSS
)
3462 if (!_gnutls_get_cred (session
->key
, GNUTLS_CRD_SRP
, NULL
))
3466 memcpy (&cs
.suite
, &(*cipherSuites
)[i
].suite
, 2);
3471 _gnutls_handshake_log ("HSK[%p]: Keeping ciphersuite: %s\n",
3473 _gnutls_cipher_suite_get_name (&cs
));
3475 memcpy (newSuite
[newSuiteSize
].suite
, (*cipherSuites
)[i
].suite
, 2);
3480 _gnutls_handshake_log ("HSK[%p]: Removing ciphersuite: %s\n",
3482 _gnutls_cipher_suite_get_name (&cs
));
3488 gnutls_free (*cipherSuites
);
3489 *cipherSuites
= newSuite
;
3498 * gnutls_handshake_set_max_packet_length - set the maximum size of the handshake
3499 * @session: is a #gnutls_session_t structure.
3500 * @max: is the maximum number.
3502 * This function will set the maximum size of all handshake messages.
3503 * Handshakes over this size are rejected with
3504 * %GNUTLS_E_HANDSHAKE_TOO_LARGE error code. The default value is
3505 * 48kb which is typically large enough. Set this to 0 if you do not
3506 * want to set an upper limit.
3508 * The reason for restricting the handshake message sizes are to
3509 * limit Denial of Service attacks.
3512 gnutls_handshake_set_max_packet_length (gnutls_session_t session
, size_t max
)
3514 session
->internals
.max_handshake_data_buffer_size
= max
;
3518 _gnutls_set_adv_version (gnutls_session_t session
, gnutls_protocol_t ver
)
3520 set_adv_version (session
, _gnutls_version_get_major (ver
),
3521 _gnutls_version_get_minor (ver
));
3525 _gnutls_get_adv_version (gnutls_session_t session
)
3527 return _gnutls_version_get (_gnutls_get_adv_version_major (session
),
3528 _gnutls_get_adv_version_minor (session
));
3532 * gnutls_handshake_get_last_in - Returns the last handshake message received.
3533 * @session: is a #gnutls_session_t structure.
3535 * This function is only useful to check where the last performed
3536 * handshake failed. If the previous handshake succeed or was not
3537 * performed at all then no meaningful value will be returned.
3539 * Check %gnutls_handshake_description_t in gnutls.h for the
3540 * available handshake descriptions.
3542 * Returns: the last handshake message type received, a
3543 * %gnutls_handshake_description_t.
3545 gnutls_handshake_description_t
3546 gnutls_handshake_get_last_in (gnutls_session_t session
)
3548 return session
->internals
.last_handshake_in
;
3552 * gnutls_handshake_get_last_out - Returns the last handshake message sent.
3553 * @session: is a #gnutls_session_t structure.
3555 * This function is only useful to check where the last performed
3556 * handshake failed. If the previous handshake succeed or was not
3557 * performed at all then no meaningful value will be returned.
3559 * Check %gnutls_handshake_description_t in gnutls.h for the
3560 * available handshake descriptions.
3562 * Returns: the last handshake message type sent, a
3563 * %gnutls_handshake_description_t.
3565 gnutls_handshake_description_t
3566 gnutls_handshake_get_last_out (gnutls_session_t session
)
3568 return session
->internals
.last_handshake_out
;