2 * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008,
3 * 2009, 2010 Free Software Foundation, Inc.
5 * Author: Nikos Mavrogiannopoulos
7 * This file is part of GNUTLS.
9 * The GNUTLS library is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Lesser General Public License
11 * as published by the Free Software Foundation; either version 2.1 of
12 * the License, or (at your option) any later version.
14 * This library is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * Lesser General Public License for more details.
19 * You should have received a copy of the GNU Lesser General Public
20 * License along with this library; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
46 #include <sys/types.h>
49 #include <sys/socket.h>
52 /* some systems had problems with long long int, thus,
60 #include <gnutls/gnutls.h>
63 * They are not needed any more. You can simply enable
64 * the gnutls_log callback to get error descriptions.
69 #define HANDSHAKE_DEBUG // Prints some information on handshake
70 #define COMPRESSION_DEBUG
74 /* The size of a handshake message should not
75 * be larger than this value.
77 #define MAX_HANDSHAKE_PACKET_SIZE 48*1024
79 #define TLS_MAX_SESSION_ID_SIZE 32
81 /* The maximum digest size of hash algorithms.
83 #define MAX_HASH_SIZE 64
84 #define MAX_CIPHER_BLOCK_SIZE 16
85 #define MAX_CIPHER_KEY_SIZE 32
87 #define MAX_SRP_USERNAME 128
88 #define MAX_SERVER_NAME_SIZE 128
89 #define MAX_SESSION_TICKET_SIZE 65535
91 #define SESSION_TICKET_KEY_NAME_SIZE 16
92 #define SESSION_TICKET_KEY_SIZE 16
93 #define SESSION_TICKET_IV_SIZE 16
94 #define SESSION_TICKET_MAC_SECRET_SIZE 32
96 /* we can receive up to MAX_EXT_TYPES extensions.
98 #define MAX_EXT_TYPES 64
100 /* The initial size of the receive
101 * buffer size. This will grow if larger
102 * packets are received.
104 #define INITIAL_RECV_BUFFER_SIZE 256
106 /* the default for TCP */
107 #define DEFAULT_LOWAT 1
109 /* expire time for resuming sessions */
110 #define DEFAULT_EXPIRE_TIME 3600
112 /* the maximum size of encrypted packets */
113 #define DEFAULT_MAX_RECORD_SIZE 16384
114 #define RECORD_HEADER_SIZE 5
115 #define MAX_RECORD_SEND_SIZE (size_t)session->security_parameters.max_record_send_size
116 #define MAX_RECORD_RECV_SIZE (size_t)session->security_parameters.max_record_recv_size
117 #define MAX_PAD_SIZE 255
118 #define EXTRA_COMP_SIZE 2048
119 #define MAX_RECORD_OVERHEAD MAX_PAD_SIZE+EXTRA_COMP_SIZE
120 #define MAX_RECV_SIZE MAX_RECORD_OVERHEAD+MAX_RECORD_RECV_SIZE+RECORD_HEADER_SIZE
122 #define HANDSHAKE_HEADER_SIZE 4
124 /* defaults for verification functions
126 #define DEFAULT_VERIFY_DEPTH 32
127 #define DEFAULT_VERIFY_BITS 16*1024
129 #include <gnutls_mem.h>
131 #define MEMSUB(x,y) ((ssize_t)((ptrdiff_t)x-(ptrdiff_t)y))
133 #define DECR_LEN(len, x) do { len-=x; if (len<0) {gnutls_assert(); return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;} } while (0)
134 #define DECR_LENGTH_RET(len, x, RET) do { len-=x; if (len<0) {gnutls_assert(); return RET;} } while (0)
135 #define DECR_LENGTH_COM(len, x, COM) do { len-=x; if (len<0) {gnutls_assert(); COM;} } while (0)
137 #define HASH2MAC(x) ((gnutls_mac_algorithm_t)x)
139 #define GNUTLS_POINTER_TO_INT(_) ((int) GNUTLS_POINTER_TO_INT_CAST (_))
140 #define GNUTLS_INT_TO_POINTER(_) ((void*) GNUTLS_POINTER_TO_INT_CAST (_))
142 typedef unsigned char opaque
;
148 #include <gnutls_mpi.h>
150 typedef enum change_cipher_spec_t
151 { GNUTLS_TYPE_CHANGE_CIPHER_SPEC
= 1
152 } change_cipher_spec_t
;
154 typedef enum handshake_state_t
155 { STATE0
= 0, STATE1
, STATE2
,
156 STATE3
, STATE4
, STATE5
,
157 STATE6
, STATE7
, STATE8
, STATE9
, STATE20
= 20, STATE21
,
158 STATE30
= 30, STATE31
, STATE40
= 40, STATE41
, STATE50
= 50,
159 STATE60
= 60, STATE61
, STATE62
, STATE70
, STATE71
162 #include <gnutls_str.h>
164 /* This is the maximum number of algorithms (ciphers or macs etc).
165 * keep it synced with GNUTLS_MAX_ALGORITHM_NUM in gnutls.h
169 #define MAX_CIPHERSUITES 256
171 typedef enum extensions_t
172 { GNUTLS_EXTENSION_SERVER_NAME
= 0,
173 GNUTLS_EXTENSION_MAX_RECORD_SIZE
= 1,
174 GNUTLS_EXTENSION_CERT_TYPE
= 9,
176 GNUTLS_EXTENSION_OPAQUE_PRF_INPUT
= ENABLE_OPRFI
,
178 GNUTLS_EXTENSION_SRP
= 12,
179 GNUTLS_EXTENSION_SIGNATURE_ALGORITHMS
= 13,
180 GNUTLS_EXTENSION_SESSION_TICKET
= 35,
181 GNUTLS_EXTENSION_INNER_APPLICATION
= 37703,
182 GNUTLS_EXTENSION_SAFE_RENEGOTIATION
= 65281, /* aka: 0xff01 */
186 { CIPHER_STREAM
, CIPHER_BLOCK
} cipher_type_t
;
188 typedef enum valid_session_t
189 { VALID_TRUE
, VALID_FALSE
} valid_session_t
;
190 typedef enum resumable_session_t
193 } resumable_session_t
;
195 /* Record Protocol */
196 typedef enum content_type_t
198 GNUTLS_CHANGE_CIPHER_SPEC
= 20, GNUTLS_ALERT
,
199 GNUTLS_HANDSHAKE
, GNUTLS_APPLICATION_DATA
,
200 GNUTLS_INNER_APPLICATION
= 24
203 #define GNUTLS_PK_ANY (gnutls_pk_algorithm_t)-1
204 #define GNUTLS_PK_NONE (gnutls_pk_algorithm_t)-2
208 HANDSHAKE_MAC_TYPE_10
=1,
209 HANDSHAKE_MAC_TYPE_12
210 } handshake_mac_type_t
;
212 /* Store & Retrieve functions defines:
215 typedef struct auth_cred_st
217 gnutls_credentials_type_t algorithm
;
219 /* the type of credentials depends on algorithm
222 struct auth_cred_st
*next
;
245 /* this is used to hold the peers authentication data
247 /* auth_info_t structures SHOULD NOT contain malloced
248 * elements. Check gnutls_session_pack.c, and gnutls_auth.c.
249 * Rememember that this should be calloced!
252 gnutls_credentials_type_t auth_info_type
;
253 int auth_info_size
; /* needed in order to store to db for restoring
257 auth_cred_st
*cred
; /* used to specify keys/certificates etc */
259 int certificate_requested
;
260 /* some ciphersuites use this
261 * to provide client authentication.
262 * 1 if client auth was requested
263 * by the peer, 0 otherwise
264 *** In case of a server this
265 * holds 1 if we should wait
266 * for a client certificate verify
269 typedef struct gnutls_key_st
*gnutls_key_st
;
274 #include <gnutls_hash_int.h>
275 #include <gnutls_cipher_int.h>
276 #include <gnutls_compress.h>
277 #include <gnutls_cert.h>
286 uint8_t hash_algorithm
;
287 uint8_t sign_algorithm
; /* pk algorithm actually */
290 /* This structure holds parameters got from TLS extension
291 * mechanism. (some extensions may hold parameters in auth_info_t
292 * structures also - see SRP).
297 opaque name
[MAX_SERVER_NAME_SIZE
];
298 unsigned name_length
;
299 gnutls_server_name_type_t type
;
302 #define MAX_SERVER_NAME_EXTENSIONS 3
303 #define MAX_SIGNATURE_ALGORITHMS 16
305 struct gnutls_session_ticket_key_st
{
306 opaque key_name
[SESSION_TICKET_KEY_NAME_SIZE
];
307 opaque key
[SESSION_TICKET_KEY_SIZE
];
308 opaque mac_secret
[SESSION_TICKET_MAC_SECRET_SIZE
];
311 #define MAX_VERIFY_DATA_SIZE 36 /* in SSL 3.0, 12 in TLS 1.0 */
313 /* If you want the extension data to be kept across resuming sessions
314 * then modify CPY_EXTENSIONS in gnutls_constate.c
318 server_name_st server_names
[MAX_SERVER_NAME_EXTENSIONS
];
319 /* limit server_name extensions */
320 unsigned server_names_size
;
322 opaque srp_username
[MAX_SRP_USERNAME
+ 1];
324 /* TLS 1.2 signature algorithms */
325 gnutls_sign_algorithm_t sign_algorithms
[MAX_SIGNATURE_ALGORITHMS
];
326 uint16_t sign_algorithms_size
;
329 int gnutls_ia_enable
, gnutls_ia_peer_enable
;
330 int gnutls_ia_allowskip
, gnutls_ia_peer_allowskip
;
332 /* Used by extensions that enable supplemental data. */
333 int do_recv_supplemental
, do_send_supplemental
;
335 opaque
*session_ticket
;
336 uint16_t session_ticket_len
;
338 /*** Those below do not get copied when resuming session
341 /* Opaque PRF input. */
342 opaque
*oprfi_client
;
343 uint16_t oprfi_client_len
;
344 opaque
*oprfi_server
;
345 uint16_t oprfi_server_len
;
347 /* Safe renegotiation. */
348 uint8_t client_verify_data
[MAX_VERIFY_DATA_SIZE
];
349 size_t client_verify_data_len
;
350 uint8_t server_verify_data
[MAX_VERIFY_DATA_SIZE
];
351 size_t server_verify_data_len
;
352 uint8_t ri_extension_data
[MAX_VERIFY_DATA_SIZE
*2]; /* max signal is 72 bytes in s->c sslv3 */
353 size_t ri_extension_data_len
;
357 /* auth_info_t structures now MAY contain malloced
361 /* This structure and auth_info_t, are stored in the resume database,
362 * and are restored, in case of resume.
363 * Holds all the required parameters to resume the current
367 /* if you add anything in Security_Parameters struct, then
368 * also modify CPY_COMMON in gnutls_constate.c.
371 /* Note that the security parameters structure is set up after the
372 * handshake has finished. The only value you may depend on while
373 * the handshake is in progress is the cipher suite value.
377 gnutls_connection_end_t entity
;
378 gnutls_kx_algorithm_t kx_algorithm
;
379 /* we've got separate write/read bulk/macs because
380 * there is a time in handshake where the peer has
381 * null cipher and we don't
383 gnutls_cipher_algorithm_t read_bulk_cipher_algorithm
;
384 gnutls_mac_algorithm_t read_mac_algorithm
;
385 gnutls_compression_method_t read_compression_algorithm
;
387 gnutls_cipher_algorithm_t write_bulk_cipher_algorithm
;
388 gnutls_mac_algorithm_t write_mac_algorithm
;
389 gnutls_compression_method_t write_compression_algorithm
;
390 handshake_mac_type_t handshake_mac_handle_type
; /* one of HANDSHAKE_TYPE_10 and HANDSHAKE_TYPE_12 */
392 /* this is the ciphersuite we are going to use
393 * moved here from internals in order to be restored
396 cipher_suite_st current_cipher_suite
;
397 opaque master_secret
[GNUTLS_MASTER_SIZE
];
398 opaque client_random
[GNUTLS_RANDOM_SIZE
];
399 opaque server_random
[GNUTLS_RANDOM_SIZE
];
400 opaque session_id
[TLS_MAX_SESSION_ID_SIZE
];
401 uint8_t session_id_size
;
403 tls_ext_st extensions
;
405 /* The send size is the one requested by the programmer.
406 * The recv size is the one negotiated with the peer.
408 uint16_t max_record_send_size
;
409 uint16_t max_record_recv_size
;
410 /* holds the negotiated certificate type */
411 gnutls_certificate_type_t cert_type
;
412 gnutls_protocol_t version
; /* moved here */
414 /* For TLS/IA. XXX: Move to IA credential? */
415 opaque inner_secret
[GNUTLS_MASTER_SIZE
];
416 } security_parameters_st
;
418 /* This structure holds the generated keys
422 gnutls_datum_t server_write_mac_secret
;
423 gnutls_datum_t client_write_mac_secret
;
424 gnutls_datum_t server_write_IV
;
425 gnutls_datum_t client_write_IV
;
426 gnutls_datum_t server_write_key
;
427 gnutls_datum_t client_write_key
;
428 int generated_keys
; /* zero if keys have not
429 * been generated. Non zero
437 cipher_hd_st write_cipher_state
;
438 cipher_hd_st read_cipher_state
;
439 comp_hd_t read_compression_state
;
440 comp_hd_t write_compression_state
;
441 gnutls_datum_t read_mac_secret
;
442 gnutls_datum_t write_mac_secret
;
443 uint64 read_sequence_number
;
444 uint64 write_sequence_number
;
449 unsigned int priority
[MAX_ALGOS
];
450 unsigned int algorithms
;
453 /* For the external api */
454 struct gnutls_priority_st
459 priority_st compression
;
460 priority_st protocol
;
461 priority_st cert_type
;
462 priority_st sign_algo
;
464 /* to disable record padding */
466 int unsafe_renegotiation
:1;
467 int initial_safe_renegotiation
:1;
468 int disable_safe_renegotiation
:1;
469 int ssl3_record_version
;
470 int additional_verify_flags
;
474 /* DH and RSA parameters types.
476 typedef struct gnutls_dh_params_int
478 /* [0] is the prime, [1] is the generator.
485 gnutls_dh_params_t dh_params
;
487 gnutls_rsa_params_t rsa_params
;
489 } internal_params_st
;
495 opaque header
[HANDSHAKE_HEADER_SIZE
];
496 /* this holds the number of bytes in the handshake_header[] */
498 /* this holds the length of the handshake packet */
499 size_t packet_length
;
500 gnutls_handshake_description_t recv_type
;
501 } handshake_header_buffer_st
;
506 gnutls_buffer application_data_buffer
; /* holds data to be delivered to application layer */
507 gnutls_buffer handshake_hash_buffer
; /* used to keep the last received handshake
513 digest_hd_st sha
; /* hash of the handshake messages */
514 digest_hd_st md5
; /* hash of the handshake messages */
518 digest_hd_st sha1
; /* hash of the handshake messages for TLS 1.2+ */
519 digest_hd_st sha256
; /* hash of the handshake messages for TLS 1.2+ */
521 } handshake_mac_handle
;
522 int handshake_mac_handle_init
; /* 1 when the previous union and type were initialized */
524 gnutls_buffer handshake_data_buffer
; /* this is a buffer that holds the current handshake message */
525 gnutls_buffer ia_data_buffer
; /* holds inner application data (TLS/IA) */
526 resumable_session_t resumable
; /* TRUE or FALSE - if we can resume that session */
527 handshake_state_t handshake_state
; /* holds
528 * a number which indicates where
529 * the handshake procedure has been
530 * interrupted. If it is 0 then
531 * no interruption has happened.
534 valid_session_t valid_connection
; /* true or FALSE - if this session is valid */
536 int may_not_read
; /* if it's 0 then we can read/write, otherwise it's forbiden to read/write
539 int read_eof
; /* non-zero if we have received a closure alert. */
541 int last_alert
; /* last alert received */
543 /* The last handshake messages sent or received.
545 int last_handshake_in
;
546 int last_handshake_out
;
548 /* this is the compression method we are going to use */
549 gnutls_compression_method_t compression_method
;
552 struct gnutls_priority_st priorities
;
554 /* resumed session */
555 resumable_session_t resumed
; /* RESUME_TRUE or FALSE - if we are resuming a session */
556 security_parameters_st resumed_security_parameters
;
558 /* sockets internals */
561 /* These buffers are used in the handshake
562 * protocol only. freed using _gnutls_handshake_io_buffer_clear();
564 gnutls_buffer handshake_send_buffer
;
565 size_t handshake_send_buffer_prev_size
;
566 content_type_t handshake_send_buffer_type
;
567 gnutls_handshake_description_t handshake_send_buffer_htype
;
568 content_type_t handshake_recv_buffer_type
;
569 gnutls_handshake_description_t handshake_recv_buffer_htype
;
570 gnutls_buffer handshake_recv_buffer
;
572 /* this buffer holds a record packet -mostly used for
575 gnutls_buffer record_recv_buffer
;
576 gnutls_buffer record_send_buffer
; /* holds cached data
577 * for the gnutls_io_write_buffered()
580 size_t record_send_buffer_prev_size
; /* holds the
581 * data written in the previous runs.
583 size_t record_send_buffer_user_size
; /* holds the
584 * size of the user specified data to
588 /* 0 if no peeked data was kept, 1 otherwise.
590 int have_peeked_data
;
592 int expire_time
; /* after expire_time seconds this session will expire */
593 struct mod_auth_st_int
*auth_struct
; /* used in handshake packets and KX algorithms */
594 int v2_hello
; /* 0 if the client hello is v3+.
595 * non-zero if we got a v2 hello.
597 /* keeps the headers of the handshake packet
599 handshake_header_buffer_st handshake_header_buffer
;
601 /* this is the highest version available
602 * to the peer. (advertized version).
603 * This is obtained by the Handshake Client Hello
604 * message. (some implementations read the Record version)
606 uint8_t adv_version_major
;
607 uint8_t adv_version_minor
;
609 /* if this is non zero a certificate request message
610 * will be sent to the client. - only if the ciphersuite
615 /* bits to use for DHE and DHA
616 * use _gnutls_dh_get_prime_bits() and gnutls_dh_set_prime_bits()
619 uint16_t dh_prime_bits
;
621 size_t max_handshake_data_buffer_size
;
623 /* PUSH & PULL functions.
625 gnutls_pull_func _gnutls_pull_func
;
626 gnutls_push_func _gnutls_push_func
;
627 /* Holds the first argument of PUSH and PULL
630 gnutls_transport_ptr_t transport_recv_ptr
;
631 gnutls_transport_ptr_t transport_send_ptr
;
633 /* STORE & RETRIEVE functions. Only used if other
634 * backend than gdbm is used.
636 gnutls_db_store_func db_store_func
;
637 gnutls_db_retr_func db_retrieve_func
;
638 gnutls_db_remove_func db_remove_func
;
641 /* post client hello callback (server side only)
643 gnutls_handshake_post_client_hello_func user_hello_func
;
645 /* Holds the record size requested by the
648 uint16_t proposed_record_size
;
650 /* holds the selected certificate and key.
651 * use _gnutls_selected_certs_deinit() and _gnutls_selected_certs_set()
654 gnutls_cert
*selected_cert_list
;
655 int selected_cert_list_length
;
656 gnutls_privkey
*selected_key
;
657 int selected_need_free
;
659 /* holds the extensions we sent to the peer
660 * (in case of a client)
662 uint16_t extensions_sent
[MAX_EXT_TYPES
];
663 uint16_t extensions_sent_size
;
665 /* is 0 if we are to send the whole PGP key, or non zero
666 * if the fingerprint is to be sent.
670 /* This holds the default version that our first
671 * record packet will have. */
672 opaque default_record_version
[2];
674 int cbc_protection_hack
;
678 int enable_private
; /* non zero to
679 * enable cipher suites
680 * which have 0xFF status.
683 /* Holds 0 if the last called function was interrupted while
684 * receiving, and non zero otherwise.
688 /* This callback will be used (if set) to receive an
689 * openpgp key. (if the peer sends a fingerprint)
691 gnutls_openpgp_recv_key_func openpgp_recv_key_func
;
693 /* If non zero the server will not advertize the CA's he
694 * trusts (do not send an RDN sequence).
696 int ignore_rdn_sequence
;
698 /* This is used to set an arbitary version in the RSA
699 * PMS secret. Can be used by clients to test whether the
700 * server checks that version. (** only used in gnutls-cli-debug)
702 opaque rsa_pms_version
[2];
707 /* Here we cache the DH or RSA parameters got from the
708 * credentials structure, or from a callback. That is to
709 * minimize external calls.
711 internal_params_st params
;
713 /* This buffer is used by the record recv functions,
714 * as a temporary store buffer.
716 gnutls_datum_t recv_buffer
;
718 /* To avoid using global variables, and especially on Windows where
719 * the application may use a different errno variable than GnuTLS,
720 * it is possible to use gnutls_transport_set_errno to set a
721 * session-specific errno variable in the user-replaceable push/pull
722 * functions. This value is used by the send/recv functions. (The
723 * strange name of this variable is because 'errno' is typically
728 /* Function used to perform public-key signing operation during
729 handshake. Used by gnutls_sig.c:_gnutls_tls_sign(), see also
730 gnutls_sign_callback_set(). */
731 gnutls_sign_func sign_func
;
732 void *sign_func_userdata
;
734 /* Callback to extract TLS Finished message. */
735 gnutls_finished_callback_func finished_func
;
737 /* minimum bits to allow for SRP
738 * use gnutls_srp_set_prime_bits() to adjust it.
740 uint16_t srp_prime_bits
;
742 int session_ticket_enable
, session_ticket_renew
;
744 int safe_renegotiation_received
:1;
745 int initial_negotiation_completed
:1;
746 int connection_using_safe_renegotiation
:1;
749 gnutls_oprfi_callback_func oprfi_cb
;
750 const void *oprfi_userdata
;
753 struct gnutls_session_ticket_key_st
*session_ticket_key
;
754 opaque session_ticket_IV
[SESSION_TICKET_IV_SIZE
];
756 /* If you add anything here, check _gnutls_handshake_internal_state_clear().
760 struct gnutls_session_int
762 security_parameters_st security_parameters
;
763 cipher_specs_st cipher_specs
;
764 conn_stat_st connection_state
;
765 internals_st internals
;
773 void _gnutls_set_current_version (gnutls_session_t session
,
774 gnutls_protocol_t version
);
775 void _gnutls_free_auth_info (gnutls_session_t session
);
777 /* These two macros return the advertized TLS version of
780 #define _gnutls_get_adv_version_major( session) \
781 session->internals.adv_version_major
783 #define _gnutls_get_adv_version_minor( session) \
784 session->internals.adv_version_minor
786 #define set_adv_version( session, major, minor) \
787 session->internals.adv_version_major = major; \
788 session->internals.adv_version_minor = minor
790 void _gnutls_set_adv_version (gnutls_session_t
, gnutls_protocol_t
);
791 gnutls_protocol_t
_gnutls_get_adv_version (gnutls_session_t
);
793 int _gnutls_is_secure_mem_null (const void *);
795 #endif /* GNUTLS_INT_H */