2 * Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010
3 * Free Software Foundation, Inc.
5 * Author: Nikos Mavrogiannopoulos
7 * This file is part of GNUTLS.
9 * The GNUTLS library is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Lesser General Public License
11 * as published by the Free Software Foundation; either version 2.1 of
12 * the License, or (at your option) any later version.
14 * This library is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * Lesser General Public License for more details.
19 * You should have received a copy of the GNU Lesser General Public
20 * License along with this library; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
26 /* Functions to manipulate the session (gnutls_int.h), and some other stuff
27 * are included here. The file's name is traditionally gnutls_state even if the
28 * state has been renamed to session.
31 #include <gnutls_int.h>
32 #include <gnutls_errors.h>
33 #include <gnutls_auth.h>
34 #include <gnutls_num.h>
35 #include <gnutls_datum.h>
36 #include <gnutls_db.h>
37 #include <gnutls_record.h>
38 #include <gnutls_handshake.h>
39 #include <gnutls_dh.h>
40 #include <gnutls_buffers.h>
41 #include <gnutls_state.h>
42 #include <auth_cert.h>
43 #include <auth_anon.h>
45 #include <gnutls_algorithms.h>
46 #include <gnutls_rsa_export.h>
48 /* These should really be static, but src/tests.c calls them. Make
49 them public functions? */
51 _gnutls_record_set_default_version (gnutls_session_t session
,
52 unsigned char major
, unsigned char minor
);
54 _gnutls_rsa_pms_set_version (gnutls_session_t session
,
55 unsigned char major
, unsigned char minor
);
58 _gnutls_session_cert_type_set (gnutls_session_t session
,
59 gnutls_certificate_type_t ct
)
61 session
->security_parameters
.cert_type
= ct
;
65 * gnutls_cipher_get - Returns the currently used cipher.
66 * @session: is a #gnutls_session_t structure.
68 * Get currently used cipher.
70 * Returns: the currently used cipher, a #gnutls_cipher_algorithm_t
73 gnutls_cipher_algorithm_t
74 gnutls_cipher_get (gnutls_session_t session
)
76 return session
->security_parameters
.read_bulk_cipher_algorithm
;
80 * gnutls_certificate_type_get - Returns the currently used certificate type.
81 * @session: is a #gnutls_session_t structure.
83 * The certificate type is by default X.509, unless it is negotiated
86 * Returns: the currently used #gnutls_certificate_type_t certificate
89 gnutls_certificate_type_t
90 gnutls_certificate_type_get (gnutls_session_t session
)
92 return session
->security_parameters
.cert_type
;
96 * gnutls_kx_get - Returns the key exchange algorithm.
97 * @session: is a #gnutls_session_t structure.
99 * Get currently used key exchange algorithm.
101 * Returns: the key exchange algorithm used in the last handshake, a
102 * #gnutls_kx_algorithm_t value.
104 gnutls_kx_algorithm_t
105 gnutls_kx_get (gnutls_session_t session
)
107 return session
->security_parameters
.kx_algorithm
;
111 * gnutls_mac_get - Returns the currently used mac algorithm.
112 * @session: is a #gnutls_session_t structure.
114 * Get currently used MAC algorithm.
116 * Returns: the currently used mac algorithm, a
117 * #gnutls_mac_algorithm_t value.
119 gnutls_mac_algorithm_t
120 gnutls_mac_get (gnutls_session_t session
)
122 return session
->security_parameters
.read_mac_algorithm
;
126 * gnutls_compression_get - Returns the currently used compression algorithm.
127 * @session: is a #gnutls_session_t structure.
129 * Get currently used compression algorithm.
131 * Returns: the currently used compression method, a
132 * #gnutls_compression_method_t value.
134 gnutls_compression_method_t
135 gnutls_compression_get (gnutls_session_t session
)
137 return session
->security_parameters
.read_compression_algorithm
;
140 /* Check if the given certificate type is supported.
141 * This means that it is enabled by the priority functions,
142 * and a matching certificate exists.
145 _gnutls_session_cert_type_supported (gnutls_session_t session
,
146 gnutls_certificate_type_t cert_type
)
149 unsigned cert_found
= 0;
150 gnutls_certificate_credentials_t cred
;
152 if (session
->security_parameters
.entity
== GNUTLS_SERVER
)
154 cred
= (gnutls_certificate_credentials_t
)
155 _gnutls_get_cred (session
->key
, GNUTLS_CRD_CERTIFICATE
, NULL
);
158 return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE
;
160 if (cred
->server_get_cert_callback
== NULL
)
162 for (i
= 0; i
< cred
->ncerts
; i
++)
164 if (cred
->cert_list
[i
][0].cert_type
== cert_type
)
172 /* no certificate is of that type.
174 return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE
;
178 if (session
->internals
.priorities
.cert_type
.algorithms
== 0
179 && cert_type
== DEFAULT_CERT_TYPE
)
182 for (i
= 0; i
< session
->internals
.priorities
.cert_type
.algorithms
; i
++)
184 if (session
->internals
.priorities
.cert_type
.priority
[i
] == cert_type
)
190 return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE
;
194 /* this function deinitializes all the internal parameters stored
195 * in a session struct.
198 deinit_internal_params (gnutls_session_t session
)
200 if (session
->internals
.params
.free_dh_params
)
201 gnutls_dh_params_deinit (session
->internals
.params
.dh_params
);
203 if (session
->internals
.params
.free_rsa_params
)
204 gnutls_rsa_params_deinit (session
->internals
.params
.rsa_params
);
206 _gnutls_handshake_hash_buffers_clear (session
);
208 memset (&session
->internals
.params
, 0, sizeof (session
->internals
.params
));
211 /* This function will clear all the variables in internals
212 * structure within the session, which depend on the current handshake.
213 * This is used to allow further handshakes.
216 _gnutls_handshake_internal_state_init (gnutls_session_t session
)
218 session
->internals
.extensions_sent_size
= 0;
220 /* by default no selected certificate */
221 session
->internals
.proposed_record_size
= DEFAULT_MAX_RECORD_SIZE
;
222 session
->internals
.adv_version_major
= 0;
223 session
->internals
.adv_version_minor
= 0;
224 session
->internals
.v2_hello
= 0;
225 memset (&session
->internals
.handshake_header_buffer
, 0,
226 sizeof (handshake_header_buffer_st
));
227 session
->internals
.adv_version_minor
= 0;
228 session
->internals
.adv_version_minor
= 0;
229 session
->internals
.direction
= 0;
230 session
->internals
.safe_renegotiation_received
= 0;
232 /* use out of band data for the last
233 * handshake messages received.
235 session
->internals
.last_handshake_in
= -1;
236 session
->internals
.last_handshake_out
= -1;
238 session
->internals
.resumable
= RESUME_TRUE
;
242 _gnutls_handshake_internal_state_clear (gnutls_session_t session
)
244 _gnutls_handshake_internal_state_init (session
);
246 _gnutls_free_datum (&session
->internals
.recv_buffer
);
248 deinit_internal_params (session
);
252 #define MIN_DH_BITS 727
254 * gnutls_init - initialize the session to null (null encryption etc...).
255 * @con_end: indicate if this session is to be used for server or client.
256 * @session: is a pointer to a #gnutls_session_t structure.
258 * This function initializes the current session to null. Every
259 * session must be initialized before use, so internal structures can
260 * be allocated. This function allocates structures which can only
261 * be free'd by calling gnutls_deinit(). Returns zero on success.
263 * @con_end can be one of %GNUTLS_CLIENT and %GNUTLS_SERVER.
265 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
268 gnutls_init (gnutls_session_t
* session
, gnutls_connection_end_t con_end
)
270 *session
= gnutls_calloc (1, sizeof (struct gnutls_session_int
));
271 if (*session
== NULL
)
272 return GNUTLS_E_MEMORY_ERROR
;
274 (*session
)->security_parameters
.entity
= con_end
;
276 /* the default certificate type for TLS */
277 (*session
)->security_parameters
.cert_type
= DEFAULT_CERT_TYPE
;
279 /* Set the defaults for initial handshake */
280 (*session
)->security_parameters
.read_bulk_cipher_algorithm
=
281 (*session
)->security_parameters
.write_bulk_cipher_algorithm
=
284 (*session
)->security_parameters
.read_mac_algorithm
=
285 (*session
)->security_parameters
.write_mac_algorithm
= GNUTLS_MAC_NULL
;
287 (*session
)->security_parameters
.read_compression_algorithm
=
289 (*session
)->security_parameters
.write_compression_algorithm
=
292 (*session
)->internals
.enable_private
= 0;
294 /* Initialize buffers */
295 _gnutls_buffer_init (&(*session
)->internals
.application_data_buffer
);
296 _gnutls_buffer_init (&(*session
)->internals
.handshake_data_buffer
);
297 _gnutls_buffer_init (&(*session
)->internals
.handshake_hash_buffer
);
298 _gnutls_buffer_init (&(*session
)->internals
.ia_data_buffer
);
300 _gnutls_buffer_init (&(*session
)->internals
.record_send_buffer
);
301 _gnutls_buffer_init (&(*session
)->internals
.record_recv_buffer
);
303 _gnutls_buffer_init (&(*session
)->internals
.handshake_send_buffer
);
304 _gnutls_buffer_init (&(*session
)->internals
.handshake_recv_buffer
);
306 (*session
)->key
= gnutls_calloc (1, sizeof (struct gnutls_key_st
));
307 if ((*session
)->key
== NULL
)
310 gnutls_free (*session
);
312 return GNUTLS_E_MEMORY_ERROR
;
315 (*session
)->internals
.expire_time
= DEFAULT_EXPIRE_TIME
; /* one hour default */
317 gnutls_dh_set_prime_bits ((*session
), MIN_DH_BITS
);
319 gnutls_transport_set_lowat ((*session
), DEFAULT_LOWAT
); /* the default for tcp */
321 gnutls_handshake_set_max_packet_length ((*session
),
322 MAX_HANDSHAKE_PACKET_SIZE
);
324 /* Allocate a minimum size for recv_data
325 * This is allocated in order to avoid small messages, making
326 * the receive procedure slow.
328 if (_gnutls_buffer_resize (&(*session
)->internals
.record_recv_buffer
,
329 INITIAL_RECV_BUFFER_SIZE
))
331 gnutls_free ((*session
)->key
);
332 goto cleanup_session
;
335 /* set the socket pointers to -1;
337 (*session
)->internals
.transport_recv_ptr
= (gnutls_transport_ptr_t
) - 1;
338 (*session
)->internals
.transport_send_ptr
= (gnutls_transport_ptr_t
) - 1;
340 /* set the default maximum record size for TLS
342 (*session
)->security_parameters
.max_record_recv_size
=
343 DEFAULT_MAX_RECORD_SIZE
;
344 (*session
)->security_parameters
.max_record_send_size
=
345 DEFAULT_MAX_RECORD_SIZE
;
347 /* everything else not initialized here is initialized
348 * as NULL or 0. This is why calloc is used.
351 _gnutls_handshake_internal_state_init (*session
);
356 /* returns RESUME_FALSE or RESUME_TRUE.
359 _gnutls_session_is_resumable (gnutls_session_t session
)
361 return session
->internals
.resumable
;
366 * gnutls_deinit - clear all buffers associated with a session
367 * @session: is a #gnutls_session_t structure.
369 * This function clears all buffers associated with the @session.
370 * This function will also remove session data from the session
371 * database if the session was terminated abnormally.
374 gnutls_deinit (gnutls_session_t session
)
380 /* remove auth info firstly */
381 _gnutls_free_auth_info (session
);
383 _gnutls_handshake_internal_state_clear (session
);
384 _gnutls_handshake_io_buffer_clear (session
);
386 _gnutls_free_datum (&session
->connection_state
.read_mac_secret
);
387 _gnutls_free_datum (&session
->connection_state
.write_mac_secret
);
389 _gnutls_buffer_clear (&session
->internals
.ia_data_buffer
);
390 _gnutls_buffer_clear (&session
->internals
.handshake_hash_buffer
);
391 _gnutls_buffer_clear (&session
->internals
.handshake_data_buffer
);
392 _gnutls_buffer_clear (&session
->internals
.application_data_buffer
);
393 _gnutls_buffer_clear (&session
->internals
.record_recv_buffer
);
394 _gnutls_buffer_clear (&session
->internals
.record_send_buffer
);
396 gnutls_credentials_clear (session
);
397 _gnutls_selected_certs_deinit (session
);
399 _gnutls_cipher_deinit (&session
->connection_state
.read_cipher_state
);
400 _gnutls_cipher_deinit (&session
->connection_state
.write_cipher_state
);
402 if (session
->connection_state
.read_compression_state
!= NULL
)
403 _gnutls_comp_deinit (session
->connection_state
.read_compression_state
, 1);
404 if (session
->connection_state
.write_compression_state
!= NULL
)
405 _gnutls_comp_deinit (session
->connection_state
.write_compression_state
,
408 _gnutls_free_datum (&session
->cipher_specs
.server_write_mac_secret
);
409 _gnutls_free_datum (&session
->cipher_specs
.client_write_mac_secret
);
410 _gnutls_free_datum (&session
->cipher_specs
.server_write_IV
);
411 _gnutls_free_datum (&session
->cipher_specs
.client_write_IV
);
412 _gnutls_free_datum (&session
->cipher_specs
.server_write_key
);
413 _gnutls_free_datum (&session
->cipher_specs
.client_write_key
);
415 if (session
->key
!= NULL
)
417 _gnutls_mpi_release (&session
->key
->KEY
);
418 _gnutls_mpi_release (&session
->key
->client_Y
);
419 _gnutls_mpi_release (&session
->key
->client_p
);
420 _gnutls_mpi_release (&session
->key
->client_g
);
422 _gnutls_mpi_release (&session
->key
->u
);
423 _gnutls_mpi_release (&session
->key
->a
);
424 _gnutls_mpi_release (&session
->key
->x
);
425 _gnutls_mpi_release (&session
->key
->A
);
426 _gnutls_mpi_release (&session
->key
->B
);
427 _gnutls_mpi_release (&session
->key
->b
);
430 _gnutls_mpi_release (&session
->key
->rsa
[0]);
431 _gnutls_mpi_release (&session
->key
->rsa
[1]);
433 _gnutls_mpi_release (&session
->key
->dh_secret
);
434 gnutls_free (session
->key
);
439 gnutls_free (session
->internals
.srp_username
);
441 if (session
->internals
.srp_password
)
443 memset (session
->internals
.srp_password
, 0,
444 strlen (session
->internals
.srp_password
));
445 gnutls_free (session
->internals
.srp_password
);
448 gnutls_free (session
->security_parameters
.extensions
.session_ticket
);
449 gnutls_free (session
->internals
.resumed_security_parameters
.extensions
.
452 memset (session
, 0, sizeof (struct gnutls_session_int
));
453 gnutls_free (session
);
456 /* Returns the minimum prime bits that are acceptable.
459 _gnutls_dh_get_allowed_prime_bits (gnutls_session_t session
)
461 return session
->internals
.dh_prime_bits
;
465 _gnutls_dh_set_peer_public (gnutls_session_t session
, bigint_t
public)
470 switch (gnutls_auth_get_type (session
))
472 case GNUTLS_CRD_ANON
:
474 anon_auth_info_t info
;
475 info
= _gnutls_get_auth_info (session
);
477 return GNUTLS_E_INTERNAL_ERROR
;
484 psk_auth_info_t info
;
485 info
= _gnutls_get_auth_info (session
);
487 return GNUTLS_E_INTERNAL_ERROR
;
492 case GNUTLS_CRD_CERTIFICATE
:
494 cert_auth_info_t info
;
496 info
= _gnutls_get_auth_info (session
);
498 return GNUTLS_E_INTERNAL_ERROR
;
505 return GNUTLS_E_INTERNAL_ERROR
;
508 if (dh
->public_key
.data
)
509 _gnutls_free_datum (&dh
->public_key
);
511 ret
= _gnutls_mpi_dprint_lz (public, &dh
->public_key
);
522 _gnutls_dh_set_secret_bits (gnutls_session_t session
, unsigned bits
)
524 switch (gnutls_auth_get_type (session
))
526 case GNUTLS_CRD_ANON
:
528 anon_auth_info_t info
;
529 info
= _gnutls_get_auth_info (session
);
531 return GNUTLS_E_INTERNAL_ERROR
;
532 info
->dh
.secret_bits
= bits
;
537 psk_auth_info_t info
;
538 info
= _gnutls_get_auth_info (session
);
540 return GNUTLS_E_INTERNAL_ERROR
;
541 info
->dh
.secret_bits
= bits
;
544 case GNUTLS_CRD_CERTIFICATE
:
546 cert_auth_info_t info
;
548 info
= _gnutls_get_auth_info (session
);
550 return GNUTLS_E_INTERNAL_ERROR
;
552 info
->dh
.secret_bits
= bits
;
556 return GNUTLS_E_INTERNAL_ERROR
;
563 /* This function will set in the auth info structure the
564 * RSA exponent and the modulus.
567 _gnutls_rsa_export_set_pubkey (gnutls_session_t session
,
568 bigint_t exponent
, bigint_t modulus
)
570 cert_auth_info_t info
;
573 info
= _gnutls_get_auth_info (session
);
575 return GNUTLS_E_INTERNAL_ERROR
;
577 if (info
->rsa_export
.modulus
.data
)
578 _gnutls_free_datum (&info
->rsa_export
.modulus
);
580 if (info
->rsa_export
.exponent
.data
)
581 _gnutls_free_datum (&info
->rsa_export
.exponent
);
583 ret
= _gnutls_mpi_dprint_lz (modulus
, &info
->rsa_export
.modulus
);
590 ret
= _gnutls_mpi_dprint_lz (exponent
, &info
->rsa_export
.exponent
);
594 _gnutls_free_datum (&info
->rsa_export
.modulus
);
602 /* Sets the prime and the generator in the auth info structure.
605 _gnutls_dh_set_group (gnutls_session_t session
, bigint_t gen
, bigint_t prime
)
610 switch (gnutls_auth_get_type (session
))
612 case GNUTLS_CRD_ANON
:
614 anon_auth_info_t info
;
615 info
= _gnutls_get_auth_info (session
);
617 return GNUTLS_E_INTERNAL_ERROR
;
624 psk_auth_info_t info
;
625 info
= _gnutls_get_auth_info (session
);
627 return GNUTLS_E_INTERNAL_ERROR
;
632 case GNUTLS_CRD_CERTIFICATE
:
634 cert_auth_info_t info
;
636 info
= _gnutls_get_auth_info (session
);
638 return GNUTLS_E_INTERNAL_ERROR
;
645 return GNUTLS_E_INTERNAL_ERROR
;
649 _gnutls_free_datum (&dh
->prime
);
651 if (dh
->generator
.data
)
652 _gnutls_free_datum (&dh
->generator
);
656 ret
= _gnutls_mpi_dprint_lz (prime
, &dh
->prime
);
665 ret
= _gnutls_mpi_dprint_lz (gen
, &dh
->generator
);
669 _gnutls_free_datum (&dh
->prime
);
676 #ifdef ENABLE_OPENPGP
678 * gnutls_openpgp_send_cert - order gnutls to send the openpgp fingerprint instead of the key
679 * @session: is a pointer to a #gnutls_session_t structure.
680 * @status: is one of GNUTLS_OPENPGP_CERT, or GNUTLS_OPENPGP_CERT_FINGERPRINT
682 * This function will order gnutls to send the key fingerprint
683 * instead of the key in the initial handshake procedure. This should
684 * be used with care and only when there is indication or knowledge
685 * that the server can obtain the client's key.
688 gnutls_openpgp_send_cert (gnutls_session_t session
,
689 gnutls_openpgp_crt_status_t status
)
691 session
->internals
.pgp_fingerprint
= status
;
696 * gnutls_certificate_send_x509_rdn_sequence - order gnutls to send or not the x.509 rdn sequence
697 * @session: is a pointer to a #gnutls_session_t structure.
700 * If status is non zero, this function will order gnutls not to send
701 * the rdnSequence in the certificate request message. That is the
702 * server will not advertize it's trusted CAs to the peer. If status
703 * is zero then the default behaviour will take effect, which is to
704 * advertize the server's trusted CAs.
706 * This function has no effect in clients, and in authentication
707 * methods other than certificate with X.509 certificates.
710 gnutls_certificate_send_x509_rdn_sequence (gnutls_session_t session
,
713 session
->internals
.ignore_rdn_sequence
= status
;
716 #ifdef ENABLE_OPENPGP
718 _gnutls_openpgp_send_fingerprint (gnutls_session_t session
)
720 return session
->internals
.pgp_fingerprint
;
725 * _gnutls_record_set_default_version - Used to set the default version for the first record packet
726 * @session: is a #gnutls_session_t structure.
727 * @major: is a tls major version
728 * @minor: is a tls minor version
730 * This function sets the default version that we will use in the first
731 * record packet (client hello). This function is only useful to people
732 * that know TLS internals and want to debug other implementations.
736 _gnutls_record_set_default_version (gnutls_session_t session
,
737 unsigned char major
, unsigned char minor
)
739 session
->internals
.default_record_version
[0] = major
;
740 session
->internals
.default_record_version
[1] = minor
;
744 * gnutls_handshake_set_private_extensions - Used to enable the private cipher suites
745 * @session: is a #gnutls_session_t structure.
746 * @allow: is an integer (0 or 1)
748 * This function will enable or disable the use of private cipher
749 * suites (the ones that start with 0xFF). By default or if @allow
750 * is 0 then these cipher suites will not be advertized nor used.
752 * Unless this function is called with the option to allow (1), then
753 * no compression algorithms, like LZO. That is because these
754 * algorithms are not yet defined in any RFC or even internet draft.
756 * Enabling the private ciphersuites when talking to other than
757 * gnutls servers and clients may cause interoperability problems.
760 gnutls_handshake_set_private_extensions (gnutls_session_t session
, int allow
)
762 session
->internals
.enable_private
= allow
;
766 _gnutls_cal_PRF_A (gnutls_mac_algorithm_t algorithm
,
767 const void *secret
, int secret_size
,
768 const void *seed
, int seed_size
, void *result
)
773 ret
= _gnutls_hmac_init (&td1
, algorithm
, secret
, secret_size
);
780 _gnutls_hmac (&td1
, seed
, seed_size
);
781 _gnutls_hmac_deinit (&td1
, result
);
786 #define MAX_SEED_SIZE 200
788 /* Produces "total_bytes" bytes using the hash algorithm specified.
789 * (used in the PRF function)
792 _gnutls_P_hash (gnutls_mac_algorithm_t algorithm
,
793 const opaque
* secret
, int secret_size
,
794 const opaque
* seed
, int seed_size
,
795 int total_bytes
, opaque
* ret
)
799 int i
, times
, how
, blocksize
, A_size
;
800 opaque final
[MAX_HASH_SIZE
], Atmp
[MAX_SEED_SIZE
];
801 int output_bytes
, result
;
803 if (seed_size
> MAX_SEED_SIZE
|| total_bytes
<= 0)
806 return GNUTLS_E_INTERNAL_ERROR
;
809 blocksize
= _gnutls_hmac_get_algo_len (algorithm
);
814 output_bytes
+= blocksize
;
816 while (output_bytes
< total_bytes
);
820 memcpy (Atmp
, seed
, seed_size
);
823 times
= output_bytes
/ blocksize
;
825 for (i
= 0; i
< times
; i
++)
827 result
= _gnutls_hmac_init (&td2
, algorithm
, secret
, secret_size
);
834 /* here we calculate A(i+1) */
836 _gnutls_cal_PRF_A (algorithm
, secret
, secret_size
, Atmp
,
840 _gnutls_hmac_deinit (&td2
, final
);
846 _gnutls_hmac (&td2
, Atmp
, A_size
);
847 _gnutls_hmac (&td2
, seed
, seed_size
);
848 _gnutls_hmac_deinit (&td2
, final
);
850 if ((1 + i
) * blocksize
< total_bytes
)
856 how
= total_bytes
- (i
) * blocksize
;
861 memcpy (&ret
[i
* blocksize
], final
, how
);
868 /* Xor's two buffers and puts the output in the first one.
871 _gnutls_xor (opaque
* o1
, opaque
* o2
, int length
)
874 for (i
= 0; i
< length
; i
++)
882 #define MAX_PRF_BYTES 200
884 /* The PRF function expands a given secret
885 * needed by the TLS specification. ret must have a least total_bytes
889 _gnutls_PRF (gnutls_session_t session
,
890 const opaque
* secret
, int secret_size
, const char *label
,
891 int label_size
, const opaque
* seed
, int seed_size
,
892 int total_bytes
, void *ret
)
894 int l_s
, s_seed_size
;
895 const opaque
*s1
, *s2
;
896 opaque s_seed
[MAX_SEED_SIZE
];
897 opaque o1
[MAX_PRF_BYTES
], o2
[MAX_PRF_BYTES
];
899 gnutls_protocol_t ver
= gnutls_protocol_get_version (session
);
901 if (total_bytes
> MAX_PRF_BYTES
)
904 return GNUTLS_E_INTERNAL_ERROR
;
906 /* label+seed = s_seed */
907 s_seed_size
= seed_size
+ label_size
;
909 if (s_seed_size
> MAX_SEED_SIZE
)
912 return GNUTLS_E_INTERNAL_ERROR
;
915 memcpy (s_seed
, label
, label_size
);
916 memcpy (&s_seed
[label_size
], seed
, seed_size
);
918 if (_gnutls_version_has_selectable_prf (ver
))
921 _gnutls_P_hash (GNUTLS_MAC_SHA256
, secret
, secret_size
,
922 s_seed
, s_seed_size
, total_bytes
, ret
);
931 l_s
= secret_size
/ 2;
936 if (secret_size
% 2 != 0)
942 _gnutls_P_hash (GNUTLS_MAC_MD5
, s1
, l_s
, s_seed
, s_seed_size
,
951 _gnutls_P_hash (GNUTLS_MAC_SHA1
, s2
, l_s
, s_seed
, s_seed_size
,
959 _gnutls_xor (o1
, o2
, total_bytes
);
961 memcpy (ret
, o1
, total_bytes
);
969 * gnutls_prf_raw - access the TLS PRF directly
970 * @session: is a #gnutls_session_t structure.
971 * @label_size: length of the @label variable.
972 * @label: label used in PRF computation, typically a short string.
973 * @seed_size: length of the @seed variable.
974 * @seed: optional extra data to seed the PRF with.
975 * @outsize: size of pre-allocated output buffer to hold the output.
976 * @out: pre-allocate buffer to hold the generated data.
978 * Apply the TLS Pseudo-Random-Function (PRF) using the master secret
981 * The @label variable usually contain a string denoting the purpose
982 * for the generated data. The @seed usually contain data such as the
983 * client and server random, perhaps together with some additional
984 * data that is added to guarantee uniqueness of the output for a
985 * particular purpose.
987 * Because the output is not guaranteed to be unique for a particular
988 * session unless @seed include the client random and server random
989 * fields (the PRF would output the same data on another connection
990 * resumed from the first one), it is not recommended to use this
991 * function directly. The gnutls_prf() function seed the PRF with the
992 * client and server random fields directly, and is recommended if you
993 * want to generate pseudo random data unique for each session.
995 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
998 gnutls_prf_raw (gnutls_session_t session
,
1001 size_t seed_size
, const char *seed
, size_t outsize
, char *out
)
1005 ret
= _gnutls_PRF (session
,
1006 session
->security_parameters
.master_secret
,
1009 label_size
, (opaque
*) seed
, seed_size
, outsize
, out
);
1015 * gnutls_prf - derive pseudo-random data using the TLS PRF
1016 * @session: is a #gnutls_session_t structure.
1017 * @label_size: length of the @label variable.
1018 * @label: label used in PRF computation, typically a short string.
1019 * @server_random_first: non-0 if server random field should be first in seed
1020 * @extra_size: length of the @extra variable.
1021 * @extra: optional extra data to seed the PRF with.
1022 * @outsize: size of pre-allocated output buffer to hold the output.
1023 * @out: pre-allocate buffer to hold the generated data.
1025 * Apply the TLS Pseudo-Random-Function (PRF) using the master secret
1026 * on some data, seeded with the client and server random fields.
1028 * The @label variable usually contain a string denoting the purpose
1029 * for the generated data. The @server_random_first indicate whether
1030 * the client random field or the server random field should be first
1031 * in the seed. Non-0 indicate that the server random field is first,
1032 * 0 that the client random field is first.
1034 * The @extra variable can be used to add more data to the seed, after
1035 * the random variables. It can be used to tie make sure the
1036 * generated output is strongly connected to some additional data
1037 * (e.g., a string used in user authentication).
1039 * The output is placed in *@OUT, which must be pre-allocated.
1041 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
1044 gnutls_prf (gnutls_session_t session
,
1047 int server_random_first
,
1048 size_t extra_size
, const char *extra
, size_t outsize
, char *out
)
1052 size_t seedsize
= 2 * GNUTLS_RANDOM_SIZE
+ extra_size
;
1054 seed
= gnutls_malloc (seedsize
);
1058 return GNUTLS_E_MEMORY_ERROR
;
1061 memcpy (seed
, server_random_first
?
1062 session
->security_parameters
.server_random
:
1063 session
->security_parameters
.client_random
, GNUTLS_RANDOM_SIZE
);
1064 memcpy (seed
+ GNUTLS_RANDOM_SIZE
, server_random_first
?
1065 session
->security_parameters
.client_random
:
1066 session
->security_parameters
.server_random
, GNUTLS_RANDOM_SIZE
);
1068 memcpy (seed
+ 2 * GNUTLS_RANDOM_SIZE
, extra
, extra_size
);
1070 ret
= _gnutls_PRF (session
, session
->security_parameters
.master_secret
,
1072 label
, label_size
, seed
, seedsize
, outsize
, out
);
1080 * gnutls_session_get_client_random - get the session's client random value
1081 * @session: is a #gnutls_session_t structure.
1083 * Return a pointer to the 32-byte client random field used in the
1084 * session. The pointer must not be modified or deallocated.
1086 * If a client random value has not yet been established, the output
1087 * will be garbage; in particular, a %NULL return value should not be
1090 * Returns: pointer to client random data.
1093 gnutls_session_get_client_random (gnutls_session_t session
)
1095 return (char *) session
->security_parameters
.client_random
;
1099 * gnutls_session_get_server_random - get the session's server random value
1100 * @session: is a #gnutls_session_t structure.
1102 * Return a pointer to the 32-byte server random field used in the
1103 * session. The pointer must not be modified or deallocated.
1105 * If a server random value has not yet been established, the output
1106 * will be garbage; in particular, a %NULL return value should not be
1109 * Returns: pointer to server random data.
1112 gnutls_session_get_server_random (gnutls_session_t session
)
1114 return (char *) session
->security_parameters
.server_random
;
1118 * gnutls_session_get_master_secret - get the session's master secret value
1119 * @session: is a #gnutls_session_t structure.
1121 * Return a pointer to the 48-byte master secret in the session. The
1122 * pointer must not be modified or deallocated.
1124 * If a master secret value has not yet been established, the output
1125 * will be garbage; in particular, a %NULL return value should not be
1128 * Consider using gnutls_prf() rather than extracting the master
1129 * secret and use it to derive further data.
1131 * Returns: pointer to master secret data.
1134 gnutls_session_get_master_secret (gnutls_session_t session
)
1136 return (char *) session
->security_parameters
.master_secret
;
1140 * gnutls_session_set_finished_function:
1141 * @session: is a #gnutls_session_t structure.
1142 * @func: a #gnutls_finished_callback_func callback.
1144 * Register a callback function for the session that will be called
1145 * when a TLS Finished message has been generated. The function is
1146 * typically used to copy away the TLS finished message for later use
1147 * as a channel binding or similar purpose.
1149 * The callback should follow this prototype:
1151 * void callback (gnutls_session_t @session, const void *@finished, size_t @len);
1153 * The @finished parameter will contain the binary TLS finished
1154 * message, and @len will contains its length. For SSLv3 connections,
1155 * the @len parameter will be 36 and for TLS connections it will be
1158 * It is recommended that the function returns quickly in order to not
1159 * delay the handshake. Use the function to store a copy of the TLS
1160 * finished message for later use.
1165 gnutls_session_set_finished_function (gnutls_session_t session
,
1166 gnutls_finished_callback_func func
)
1168 session
->internals
.finished_func
= func
;
1172 * gnutls_session_is_resumed - check whether this session is a resumed one
1173 * @session: is a #gnutls_session_t structure.
1175 * Check whether session is resumed or not.
1177 * Returns: non zero if this session is resumed, or a zero if this is
1181 gnutls_session_is_resumed (gnutls_session_t session
)
1183 if (session
->security_parameters
.entity
== GNUTLS_CLIENT
)
1185 if (session
->security_parameters
.session_id_size
> 0 &&
1186 session
->security_parameters
.session_id_size
==
1187 session
->internals
.resumed_security_parameters
.session_id_size
1188 && memcmp (session
->security_parameters
.session_id
,
1189 session
->internals
.resumed_security_parameters
.
1191 session
->security_parameters
.session_id_size
) == 0)
1196 if (session
->internals
.resumed
== RESUME_TRUE
)
1204 * _gnutls_session_is_export - Used to check whether this session is of export grade
1205 * @session: is a #gnutls_session_t structure.
1207 * This function will return non zero if this session is of export grade.
1211 _gnutls_session_is_export (gnutls_session_t session
)
1213 gnutls_cipher_algorithm_t cipher
;
1216 _gnutls_cipher_suite_get_cipher_algo (&session
->security_parameters
.
1217 current_cipher_suite
);
1219 if (_gnutls_cipher_get_export_flag (cipher
) != 0)
1226 * _gnutls_session_is_psk - Used to check whether this session uses PSK kx
1227 * @session: is a #gnutls_session_t structure.
1229 * This function will return non zero if this session uses a PSK key
1230 * exchange algorithm.
1234 _gnutls_session_is_psk (gnutls_session_t session
)
1236 gnutls_kx_algorithm_t kx
;
1239 _gnutls_cipher_suite_get_kx_algo (&session
->security_parameters
.
1240 current_cipher_suite
);
1241 if (kx
== GNUTLS_KX_PSK
|| kx
== GNUTLS_KX_DHE_PSK
)
1248 * gnutls_session_get_ptr - Get the user pointer from the session structure
1249 * @session: is a #gnutls_session_t structure.
1251 * Get user pointer for session. Useful in callbacks. This is the
1252 * pointer set with gnutls_session_set_ptr().
1254 * Returns: the user given pointer from the session structure, or
1255 * %NULL if it was never set.
1258 gnutls_session_get_ptr (gnutls_session_t session
)
1260 return session
->internals
.user_ptr
;
1264 * gnutls_session_set_ptr - Used to set the user pointer to the session structure
1265 * @session: is a #gnutls_session_t structure.
1266 * @ptr: is the user pointer
1268 * This function will set (associate) the user given pointer @ptr to
1269 * the session structure. This is pointer can be accessed with
1270 * gnutls_session_get_ptr().
1273 gnutls_session_set_ptr (gnutls_session_t session
, void *ptr
)
1275 session
->internals
.user_ptr
= ptr
;
1280 * gnutls_record_get_direction - return the direction of the last interrupted function call
1281 * @session: is a #gnutls_session_t structure.
1283 * This function provides information about the internals of the
1284 * record protocol and is only useful if a prior gnutls function call
1285 * (e.g. gnutls_handshake()) was interrupted for some reason, that
1286 * is, if a function returned %GNUTLS_E_INTERRUPTED or
1287 * %GNUTLS_E_AGAIN. In such a case, you might want to call select()
1288 * or poll() before calling the interrupted gnutls function again. To
1289 * tell you whether a file descriptor should be selected for either
1290 * reading or writing, gnutls_record_get_direction() returns 0 if the
1291 * interrupted function was trying to read data, and 1 if it was
1292 * trying to write data.
1294 * Returns: 0 if trying to read data, 1 if trying to write data.
1297 gnutls_record_get_direction (gnutls_session_t session
)
1299 return session
->internals
.direction
;
1303 * _gnutls_rsa_pms_set_version - Sets a version to be used at the RSA PMS
1304 * @session: is a #gnutls_session_t structure.
1305 * @major: is the major version to use
1306 * @minor: is the minor version to use
1308 * This function will set the given version number to be used at the
1309 * RSA PMS secret. This is only useful to clients, which want to
1310 * test server's capabilities.
1314 _gnutls_rsa_pms_set_version (gnutls_session_t session
,
1315 unsigned char major
, unsigned char minor
)
1317 session
->internals
.rsa_pms_version
[0] = major
;
1318 session
->internals
.rsa_pms_version
[1] = minor
;
1322 * gnutls_handshake_set_post_client_hello_function - set callback to be called after the client hello is received
1323 * @session: is a #gnutls_session_t structure.
1324 * @func: is the function to be called
1326 * This function will set a callback to be called after the client
1327 * hello has been received (callback valid in server side only). This
1328 * allows the server to adjust settings based on received extensions.
1330 * Those settings could be ciphersuites, requesting certificate, or
1331 * anything else except for version negotiation (this is done before
1332 * the hello message is parsed).
1334 * This callback must return 0 on success or a gnutls error code to
1335 * terminate the handshake.
1337 * Warning: You should not use this function to terminate the
1338 * handshake based on client input unless you know what you are
1339 * doing. Before the handshake is finished there is no way to know if
1340 * there is a man-in-the-middle attack being performed.
1343 gnutls_handshake_set_post_client_hello_function (gnutls_session_t session
,
1344 gnutls_handshake_post_client_hello_func
1347 session
->internals
.user_hello_func
= func
;
1351 * gnutls_session_enable_compatibility_mode - disable certain features in TLS in order to honour compatibility
1352 * @session: is a #gnutls_session_t structure.
1354 * This function can be used to disable certain (security) features in
1355 * TLS in order to maintain maximum compatibility with buggy
1356 * clients. It is equivalent to calling:
1357 * gnutls_record_disable_padding()
1359 * Normally only servers that require maximum compatibility with
1360 * everything out there, need to call this function.
1363 gnutls_session_enable_compatibility_mode (gnutls_session_t session
)
1365 gnutls_record_disable_padding (session
);