| blob | 3761b17353757e145d0733c1f81e16871ae32ae8 |
1 /*
2 * Copyright (C) 2000-2012 Free Software Foundation, Inc.
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GnuTLS.
7 *
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
20 *
21 */
23 /* Functions that relate to the TLS handshake procedure.
24 */
44 #include <auth/cert.h>
46 #include <gnutls_record.h>
47 #include <gnutls_state.h>
48 #include <ext/srp.h>
49 #include <ext/session_ticket.h>
50 #include <ext/safe_renegotiation.h>
54 #include <random.h>
55 #include <gnutls_dtls.h>
57 #ifdef HANDSHAKE_DEBUG
59 #else
60 #define ERR(x, y)
61 #endif
63 #define TRUE 1
64 #define FALSE 0
68 static int
75 /* Empties but does not free the buffer
76 */
79 {
86 }
88 static int
90 gnutls_handshake_description_t recv_type,
94 static int
96 gnutls_handshake_description_t type,
99 static int
104 /* Clears the handshake hash buffers and handles.
105 */
106 void
108 {
111 }
113 /* this will copy the required values for resuming to
114 * internals, and to security_parameters.
115 * this will keep as less data to security_parameters.
116 */
117 static void
119 {
120 /* get the new random values */
126 /* keep the ciphersuite and compression
127 * That is because the client must see these in our
128 * hello message.
129 */
132 session->security_parameters.compression_method = session->internals.resumed_security_parameters.compression_method;
135 session->
138 session->
141 /* or write_compression_algorithm
142 * they are the same
143 */
150 version);
161 }
163 void
165 {
167 GNUTLS_RANDOM_SIZE);
168 }
170 void
172 {
174 GNUTLS_RANDOM_SIZE);
175 }
177 /* Calculate The SSL3 Finished message
178 */
181 #define SSL_MSG_LEN 4
182 static int
184 {
185 digest_hd_st td_md5;
186 digest_hd_st td_sha;
192 else
201 {
204 }
211 else
218 session->
220 GNUTLS_MASTER_SIZE);
222 {
226 }
229 session->
231 GNUTLS_MASTER_SIZE);
233 {
236 }
239 }
241 /* Hash the handshake messages as required by TLS 1.0
242 */
245 #define TLS_MSG_LEN 15
246 static int
248 {
257 else
261 {
262 rc = _gnutls_hash_fast( GNUTLS_DIG_SHA1, session->internals.handshake_hash_buffer.data, len, &concat[16]);
266 rc = _gnutls_hash_fast( GNUTLS_DIG_MD5, session->internals.handshake_hash_buffer.data, len, concat);
271 }
272 else
273 {
281 }
284 {
286 }
287 else
288 {
290 }
294 }
296 /* this function will produce GNUTLS_RANDOM_SIZE==32 bytes of random data
297 * and put it to dst.
298 */
299 int
301 {
305 /* Use weak random numbers for the most of the
306 * buffer except for the first 4 that are the
307 * system's time.
308 */
311 /* generate server random value */
316 {
319 }
322 }
324 /* returns the 0 on success or a negative error code.
325 */
326 int
328 gnutls_protocol_t adv_version)
329 {
332 /* if we do not support that version */
334 {
335 /* If he requested something we do not support
336 * then we send him the highest we support.
337 */
340 {
341 /* this check is not really needed.
342 */
345 }
346 }
347 else
348 {
350 }
355 }
357 int
359 gnutls_protocol_t adv_version)
360 {
364 {
367 {
370 }
371 /* Here we need to renegotiate the version since the callee might
372 * have disabled some TLS versions.
373 */
376 {
379 }
380 }
382 }
384 /* Read a client hello packet.
385 * A client hello must be a known version client hello
386 * or version 2.0 client hello (only for compatibility
387 * since SSL version 2.0 is not supported).
388 */
389 static int
392 {
396 gnutls_protocol_t adv_version;
412 {
415 }
417 /* Read client random value.
418 */
431 /* RESUME SESSION
432 */
434 {
437 }
443 {
450 }
458 /* Parse only the safe renegotiation extension
459 * We don't want to parse any other extensions since
460 * we don't want new extension values to overwrite the
461 * resumed ones.
462 */
464 /* move forward to extensions */
480 {
483 }
489 }
490 else
491 {
497 }
499 /* Remember ciphersuites for later
500 */
509 /* Point to the compression methods
510 */
518 /* Parse the extensions (if any)
519 *
520 * Unconditionally try to parse extensions; safe renegotiation uses them in
521 * sslv3 and higher, even though sslv3 doesn't officially support them.
522 */
525 /* len is the rest of the parsed length */
527 {
530 }
534 {
537 }
542 {
545 }
549 {
552 }
554 /* resumed by session_ticket extension */
556 {
557 /* to indicate the client that the current session is resumed */
561 session_id_len;
571 }
573 /* select an appropriate cipher suite
574 */
577 {
580 }
582 /* select appropriate compression method */
585 {
588 }
591 }
593 /* This is to be called after sending CHANGE CIPHER SPEC packet
594 * and initializing encryption. This is the first encrypted message
595 * we send.
596 */
597 static int
599 {
606 {
609 {
612 }
616 {
617 ret =
621 }
622 else
627 }
630 {
633 }
639 {
642 }
648 {
649 /* if we are a client not resuming - or we are a server resuming */
651 session);
654 }
656 ret =
658 }
659 else
660 {
662 }
665 }
667 /* This is to be called after sending our finished message. If everything
668 * went fine we have negotiated a secure connection
669 */
670 static int
672 {
674 gnutls_buffer_st buf;
679 ret =
683 {
687 }
693 {
695 }
696 else
697 {
699 }
702 {
706 }
709 {
710 ret =
714 }
715 else
717 ret =
721 }
724 {
727 }
730 {
734 }
738 {
741 }
747 {
748 /* if we are a client resuming - or we are a server not resuming */
750 session);
753 }
758 cleanup:
762 }
764 /* returns PK_RSA if the given cipher suite list only supports,
765 * RSA algorithms, PK_DSA if DSS, and PK_ANY for both or PK_NONE for none.
766 */
767 static int
772 {
774 gnutls_kx_algorithm_t kx;
778 {
781 }
785 {
788 {
793 }
794 }
797 }
799 /* This selects the best supported ciphersuite from the given ones. Then
800 * it adds the suite to the session and performs some checks.
801 */
802 int
805 {
812 * supported by the peer.
813 */
815 /* First, check for safe renegotiation SCSV.
816 */
818 {
822 {
823 /* TLS_RENEGO_PROTECTION_REQUEST = { 0x00, 0xff } */
826 {
827 _gnutls_handshake_log
831 {
834 }
836 }
837 }
838 }
851 /* Here we remove any ciphersuite that does not conform
852 * the certificate requested, or to the
853 * authentication requested (e.g. SRP).
854 */
855 ret = _gnutls_remove_unwanted_ciphersuites (session, cipher_suites, cipher_suites_size, pk_algos, pk_algos_size);
857 {
861 else
863 }
867 /* Data length should be zero mod 2 since
868 * every ciphersuite is 2 bytes. (this check is needed
869 * see below).
870 */
872 {
875 }
881 _gnutls_handshake_log ("HSK[%p]: Requested cipher suites[size: %d]: \n", session, (int)datalen);
884 {
886 {
887 _gnutls_handshake_log ("\t0x%.2x, 0x%.2x %s\n", data[j], data[j+1], _gnutls_cipher_suite_get_name (&data[j]));
889 {
891 {
892 _gnutls_handshake_log
898 session->
904 }
905 }
906 }
907 }
909 {
911 {
913 {
915 {
916 _gnutls_handshake_log
922 session->
928 }
929 }
930 }
931 }
932 finish:
935 {
938 }
940 /* check if the credentials (username, public key etc.) are ok
941 */
947 {
950 }
953 /* set the mod_auth_st to the appropriate struct
954 * according to the KX algorithm. This is needed since all the
955 * handshake functions are read from there;
956 */
962 {
964 _gnutls_handshake_log
966 session);
969 }
973 }
976 /* This selects the best supported compression method from the ones provided
977 */
978 static int
981 {
987 {
990 }
993 {
995 {
997 {
999 {
1000 gnutls_compression_method_t method =
1006 _gnutls_handshake_log
1010 }
1011 }
1012 }
1013 }
1014 else
1015 {
1017 {
1019 {
1021 {
1022 gnutls_compression_method_t method =
1028 _gnutls_handshake_log
1032 }
1033 }
1034 }
1035 }
1037 /* we were not able to find a compatible compression
1038 * algorithm
1039 */
1043 }
1045 /* This function sends an empty handshake packet. (like hello request).
1046 * If the previous _gnutls_send_empty_handshake() returned
1047 * GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED, then it must be called again
1048 * (until it returns ok), with NULL parameters.
1049 */
1050 static int
1053 {
1057 {
1060 {
1063 }
1064 }
1065 else
1069 }
1074 /* This function sends a handshake message of type 'type' containing the
1075 * data specified here. If the previous _gnutls_send_handshake() returned
1076 * GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED, then it must be called again
1077 * (until it returns ok), with NULL parameters.
1078 */
1079 int
1081 gnutls_handshake_description_t type)
1082 {
1089 {
1090 /* we are resuming a previously interrupted
1091 * send.
1092 */
1096 }
1098 /* first run */
1107 /* Add DTLS handshake fragment headers. The message will be
1108 * fragmented later by the fragmentation sub-layer. All fields must
1109 * be set properly for HMAC. The HMAC requires we pretend that the
1110 * message was sent in a single fragment. */
1112 {
1116 /* Fragment offset */
1120 /* Fragment length */
1123 }
1129 /* Here we keep the handshake messages in order to hash them...
1130 */
1134 {
1138 }
1144 {
1148 }
1151 {
1153 * or ClientKeyExchange always.
1154 */
1160 /* now for client Certificate, ClientKeyExchange and
1161 * CertificateVerify are always followed by ChangeCipherSpec
1162 */
1168 /* send cached messages */
1171 }
1174 }
1176 #define CHECK_SIZE(ll) \
1177 if ((session->internals.max_handshake_data_buffer_size > 0) && \
1178 (((ll) + session->internals.handshake_hash_buffer.length) > \
1179 session->internals.max_handshake_data_buffer_size)) \
1180 return gnutls_assert_val(GNUTLS_E_HANDSHAKE_TOO_LARGE)
1182 /* This function add the handshake headers and the
1183 * handshake data to the handshake hash buffers. Needed
1184 * for the finished messages calculations.
1185 */
1186 static int
1188 gnutls_handshake_description_t recv_type,
1191 {
1200 session->internals.handshake_hash_buffer_prev_len = session->internals.handshake_hash_buffer.length;
1208 {
1213 }
1216 }
1218 /* This function will store the handshake message we sent.
1219 */
1220 static int
1222 gnutls_handshake_description_t type,
1224 {
1227 /* We don't check for GNUTLS_HANDSHAKE_HELLO_VERIFY_REQUEST because it
1228 * is not sent via that channel.
1229 */
1231 {
1240 }
1243 }
1246 /* This function will receive handshake messages of the given types,
1247 * and will pass the message to the right place in order to be processed.
1248 * E.g. for the SERVER_HELLO message (if it is expected), it will be
1249 * passed to _gnutls_recv_hello().
1250 */
1251 int
1253 gnutls_handshake_description_t type,
1255 {
1257 handshake_buffer_st hsk;
1259 ret =
1262 {
1264 {
1267 }
1270 }
1276 {
1279 }
1282 {
1288 else
1292 {
1295 }
1303 {
1306 }
1307 else
1308 /* Signal our caller we have received a verification cookie
1309 and ClientHello needs to be sent again. */
1318 else
1319 {
1323 }
1337 /* we shouldn't actually arrive here in any case .
1338 * unexpected messages should be catched after _gnutls_handshake_io_recv_int()
1339 */
1342 }
1345 {
1348 }
1350 cleanup:
1353 }
1355 /* This function checks if the given cipher suite is supported, and sets it
1356 * to the session;
1357 */
1358 static int
1360 {
1367 cipher_suite_size = _gnutls_supported_ciphersuites (session, cipher_suites, sizeof(cipher_suites));
1369 {
1372 }
1375 {
1377 {
1380 }
1381 }
1384 {
1387 }
1391 session->
1395 _gnutls_cipher_suite_get_name
1400 /* check if the credentials (username, public key etc.) are ok.
1401 * Actually checks if they exist.
1402 */
1405 _gnutls_cipher_suite_get_kx_algo
1408 {
1411 }
1414 /* set the mod_auth_st to the appropriate struct
1415 * according to the KX algorithm. This is needed since all the
1416 * handshake functions are read from there;
1417 */
1424 {
1426 _gnutls_handshake_log
1428 session);
1431 }
1435 }
1437 /* This function sets the given comp method to the session.
1438 */
1439 static int
1441 {
1453 {
1456 }
1459 {
1461 {
1464 }
1465 }
1468 {
1471 }
1477 }
1479 /* This function returns 0 if we are resuming a session or -1 otherwise.
1480 * This also sets the variables in the session. Used only while reading a server
1481 * hello.
1482 */
1483 static int
1486 {
1490 session_id_len);
1497 session_id_len
1501 {
1502 /* resume session */
1508 _gnutls_epoch_set_cipher_suite
1513 session->
1519 }
1520 else
1521 {
1522 /* keep the new session id */
1529 }
1530 }
1533 /* This function reads and parses the server hello handshake message.
1534 * This function also restores resumed parameters if we are resuming a
1535 * session.
1536 */
1537 static int
1540 {
1544 gnutls_protocol_t version;
1548 {
1551 }
1559 {
1562 }
1563 else
1564 {
1566 }
1575 /* Read session ID
1576 */
1581 {
1584 }
1587 /* check if we are resuming and set the appropriate
1588 * values;
1589 */
1592 {
1599 {
1602 }
1604 }
1608 /* Check if the given cipher suite is supported and copy
1609 * it to the session.
1610 */
1615 {
1618 }
1621 /* move to compression
1622 */
1627 {
1630 }
1632 /* Parse extensions.
1633 */
1636 {
1639 }
1642 }
1645 /* This function copies the appropriate ciphersuites to a locally allocated buffer
1646 * Needed in client hello messages. Returns the new data length. If add_scsv is
1647 * true, add the special safe renegotiation CS.
1648 */
1649 static int
1653 {
1663 /* Here we remove any ciphersuite that does not conform
1664 * the certificate requested, or to the
1665 * authentication requested (eg SRP).
1666 */
1667 ret =
1672 /* If no cipher suites were enabled.
1673 */
1679 {
1687 }
1696 }
1699 /* This function copies the appropriate compression methods, to a locally allocated buffer
1700 * Needed in hello messages. Returns the new data length.
1701 */
1702 static int
1705 {
1716 /* put the number of compression methods */
1728 }
1730 /* This should be sufficient by now. It should hold all the extensions
1731 * plus the headers in a hello message.
1732 */
1733 #define MAX_EXT_DATA_LENGTH 32*1024
1735 /* This function sends the client hello handshake message.
1736 */
1737 static int
1739 {
1745 gnutls_protocol_t hver;
1746 gnutls_buffer_st extdata;
1754 /* note that rehandshake is different than resuming
1755 */
1760 {
1762 {
1764 }
1765 else
1766 {
1768 }
1771 /* 2 for version, (4 for unix time + 28 for random bytes==GNUTLS_RANDOM_SIZE)
1772 */
1776 {
1779 }
1782 /* if we are resuming a session then we set the
1783 * version number to the previously established.
1784 */
1786 {
1791 }
1792 else
1793 {
1794 /* we are resuming a session */
1796 }
1799 {
1803 }
1808 /* Set the version we advertized as maximum
1809 * (RSA uses it).
1810 */
1815 {
1816 /* Advertize the SSL 3.0 record packet version in
1817 * record packets during the handshake.
1818 * That is to avoid confusing implementations
1819 * that do not support TLS 1.2 and don't know
1820 * how 3,3 version of record packets look like.
1821 */
1824 else
1826 }
1828 /* In order to know when this session was initiated.
1829 */
1832 /* Generate random data
1833 */
1836 {
1841 }
1842 else
1847 /* Copy the Session ID
1848 */
1852 {
1855 session_id_len);
1857 }
1859 /* Copy the DTLS cookie
1860 */
1862 {
1866 }
1868 /* Copy the ciphersuites.
1869 *
1870 * If using SSLv3 Send TLS_RENEGO_PROTECTION_REQUEST SCSV for MITM
1871 * prevention on initial negotiation (but not renegotiation; that's
1872 * handled with the RI extension below).
1873 */
1878 {
1879 ret =
1882 GNUTLS_EXTENSION_SAFE_RENEGOTIATION);
1883 }
1884 else
1888 {
1891 }
1893 /* Copy the compression methods.
1894 */
1897 {
1900 }
1902 /* Generate and copy TLS extensions.
1903 */
1905 {
1908 else
1909 {
1912 else
1914 }
1918 {
1921 }
1923 }
1927 {
1930 }
1931 }
1935 return
1938 cleanup:
1942 }
1944 static int
1946 {
1949 gnutls_buffer_st extdata;
1961 {
1963 ret =
1966 {
1969 }
1973 {
1977 }
1991 {
1993 session_id_len);
1994 }
2010 {
2013 }
2014 }
2016 ret =
2019 fail:
2022 }
2024 int
2026 {
2030 {
2033 }
2034 else
2037 }
2040 }
2042 /* RECEIVE A HELLO MESSAGE. This should be called from gnutls_recv_handshake_int only if a
2043 * hello message is expected. It uses the security_parameters.cipher_suite
2044 * and internals.compression_method.
2045 */
2046 int
2048 {
2052 {
2055 {
2058 }
2059 }
2060 else
2065 {
2068 }
2069 }
2073 {
2076 }
2079 }
2081 static int
2084 {
2092 {
2095 }
2099 {
2100 /* The server is either buggy, malicious or changing cookie
2101 secrets _way_ too fast. */
2104 }
2106 /* TODO: determine if we need to do anything with the server version field */
2112 pos++;
2115 {
2118 }
2128 {
2131 }
2133 /* reset handshake hash buffers */
2137 }
2139 /* The packets in gnutls_handshake (it's more broad than original TLS handshake)
2140 *
2141 * Client Server
2142 *
2143 * ClientHello -------->
2144 * <-------- ServerHello
2145 *
2146 * Certificate*
2147 * ServerKeyExchange*
2148 * <-------- CertificateRequest*
2149 *
2150 * <-------- ServerHelloDone
2151 * Certificate*
2152 * ClientKeyExchange
2153 * CertificateVerify*
2154 * [ChangeCipherSpec]
2155 * Finished -------->
2156 * NewSessionTicket
2157 * [ChangeCipherSpec]
2158 * <-------- Finished
2159 *
2160 * (*): means optional packet.
2161 */
2163 /* Handshake when resumming session:
2164 * Client Server
2165 *
2166 * ClientHello -------->
2167 * ServerHello
2168 * [ChangeCipherSpec]
2169 * <-------- Finished
2170 * [ChangeCipherSpec]
2171 * Finished -------->
2172 *
2173 */
2175 /**
2176 * gnutls_rehandshake:
2177 * @session: is a #gnutls_session_t structure.
2178 *
2179 * This function will renegotiate security parameters with the
2180 * client. This should only be called in case of a server.
2181 *
2182 * This message informs the peer that we want to renegotiate
2183 * parameters (perform a handshake).
2184 *
2185 * If this function succeeds (returns 0), you must call the
2186 * gnutls_handshake() function in order to negotiate the new
2187 * parameters.
2188 *
2189 * Since TLS is full duplex some application data might have been
2190 * sent during peer's processing of this message. In that case
2191 * one should call gnutls_record_recv() until GNUTLS_E_REHANDSHAKE
2192 * is returned to clear any pending data. Care must be taken if
2193 * rehandshake is mandatory to terminate if it does not start after
2194 * some threshold.
2195 *
2196 * If the client does not wish to renegotiate parameters he will
2197 * should with an alert message, thus the return code will be
2198 * %GNUTLS_E_WARNING_ALERT_RECEIVED and the alert will be
2199 * %GNUTLS_A_NO_RENEGOTIATION. A client may also choose to ignore
2200 * this message.
2201 *
2202 * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
2203 **/
2204 int
2206 {
2209 /* only server sends that handshake packet */
2215 ret =
2221 {
2224 }
2228 }
2232 {
2238 /* this doesn't matter */
2240 }
2244 static int
2246 {
2253 ret =
2255 else
2256 {
2257 gnutls_buffer_st buf;
2262 {
2265 }
2269 {
2272 }
2278 GNUTLS_HANDSHAKE_SUPPLEMENTAL);
2279 }
2282 }
2284 static int
2286 {
2287 gnutls_buffer_st buf;
2295 {
2298 }
2302 {
2305 }
2307 cleanup:
2311 }
2313 /**
2314 * gnutls_handshake:
2315 * @session: is a #gnutls_session_t structure.
2316 *
2317 * This function does the handshake of the TLS/SSL protocol, and
2318 * initializes the TLS connection.
2319 *
2320 * This function will fail if any problem is encountered, and will
2321 * return a negative error code. In case of a client, if the client
2322 * has asked to resume a session, but the server couldn't, then a
2323 * full handshake will be performed.
2324 *
2325 * The non-fatal errors such as %GNUTLS_E_AGAIN and
2326 * %GNUTLS_E_INTERRUPTED interrupt the handshake procedure, which
2327 * should be resumed later. Call this function again, until it
2328 * returns 0; cf. gnutls_record_get_direction() and
2329 * gnutls_error_is_fatal().
2330 *
2331 * If this function is called by a server after a rehandshake request
2332 * then %GNUTLS_E_GOT_APPLICATION_DATA or
2333 * %GNUTLS_E_WARNING_ALERT_RECEIVED may be returned. Note that these
2334 * are non fatal errors, only in the specific case of a rehandshake.
2335 * Their meaning is that the client rejected the rehandshake request or
2336 * in the case of %GNUTLS_E_GOT_APPLICATION_DATA it might also mean that
2337 * some data were pending.
2338 *
2339 * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
2340 **/
2341 int
2343 {
2347 /* sanity check. Verify that there are priorities setup.
2348 */
2355 {
2356 /* We assume the epoch is not allocated if _gnutls_epoch_get fails. */
2357 ret =
2359 NULL);
2362 }
2365 {
2366 do
2367 {
2370 }
2371 else
2372 {
2374 }
2376 {
2377 /* In the case of a rehandshake abort
2378 * we should reset the handshake's internal state.
2379 */
2384 }
2389 {
2394 }
2399 {
2401 }
2402 else
2403 {
2405 }
2412 }
2415 #define IMED_RET( str, ret, allow_alert) do { \
2416 if (ret < 0) { \
2418 if (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED) \
2419 return ret; \
2421 if (allow_alert != 0 && ret==GNUTLS_E_WARNING_ALERT_RECEIVED) return ret; \
2422 gnutls_assert(); \
2423 ERR( str, ret); \
2424 _gnutls_handshake_hash_buffers_clear(session); \
2425 return ret; \
2426 } } while (0)
2430 /*
2431 * _gnutls_handshake_client
2432 * This function performs the client side of the handshake of the TLS/SSL protocol.
2433 */
2434 int
2436 {
2439 #ifdef HANDSHAKE_DEBUG
2446 session->
2449 #endif
2452 {
2461 {
2462 ret =
2464 GNUTLS_HANDSHAKE_HELLO_VERIFY_REQUEST,
2470 {
2473 }
2474 }
2476 /* receive the server hello */
2477 ret =
2479 GNUTLS_HANDSHAKE_SERVER_HELLO,
2486 {
2490 }
2493 /* RECV CERTIFICATE */
2500 /* receive the server key exchange */
2507 /* receive the server certificate request - if any
2508 */
2516 /* receive the server hello done */
2518 ret =
2520 GNUTLS_HANDSHAKE_SERVER_HELLO_DONE,
2526 {
2530 }
2533 /* send our certificate - if any and if requested
2534 */
2547 /* send client certificate verify */
2549 ret =
2557 }
2561 }
2565 /* This function is to be called if the handshake was successfully
2566 * completed. This sends a Change Cipher Spec packet to the peer.
2567 */
2568 static ssize_t
2570 {
2576 {
2590 {
2593 }
2596 }
2599 }
2601 /* This function sends the final handshake packets and initializes connection
2602 */
2603 static int
2605 {
2608 /* Send the CHANGE CIPHER SPEC PACKET */
2611 {
2618 {
2622 }
2623 /* Initialize the connection session (start encryption) - in case of client
2624 */
2626 {
2629 {
2632 }
2633 }
2637 {
2640 }
2643 /* send the finished message */
2647 {
2651 }
2656 }
2659 }
2661 /* This function receives the final handshake packets
2662 * And executes the appropriate function to initialize the
2663 * read session.
2664 */
2665 static int
2667 {
2673 {
2678 /* This is the last flight and peer cannot be sure
2679 * we have received it unless we notify him. So we
2680 * wait for a message and retransmit if needed. */
2683 {
2687 }
2691 {
2695 }
2697 /* Initialize the connection session (start encryption) - in case of server */
2699 {
2702 {
2705 }
2706 }
2710 {
2713 }
2720 {
2724 }
2728 {
2732 }
2736 }
2740 }
2742 /*
2743 * _gnutls_handshake_server
2744 * This function does the server stuff of the handshake protocol.
2745 */
2746 int
2748 {
2752 {
2755 ret =
2757 GNUTLS_HANDSHAKE_CLIENT_HELLO,
2769 {
2773 }
2775 /* SEND CERTIFICATE + KEYEXCHANGE + CERTIFICATE_REQUEST */
2777 /* NOTE: these should not be send if we are resuming */
2785 /* send server key exchange (A) */
2792 /* Send certificate request - if requested to */
2794 ret =
2800 /* send the server hello done */
2802 ret =
2804 GNUTLS_HANDSHAKE_SERVER_HELLO_DONE,
2811 {
2815 }
2817 /* RECV CERTIFICATE + KEYEXCHANGE + CERTIFICATE_VERIFY */
2819 /* receive the client certificate message */
2826 /* receive the client key exchange message */
2833 /* receive the client certificate verify message */
2842 }
2845 }
2847 int
2849 {
2852 /* send and recv the change cipher spec and finished messages */
2857 {
2858 /* if we are a client resuming - or we are a server not resuming */
2863 {
2872 }
2877 /* only store if we are not resuming a session and we didn't previously send a ticket
2878 */
2879 if (session->security_parameters.entity == GNUTLS_SERVER && session->internals.ticket_sent == 0)
2880 {
2881 /* in order to support session resuming */
2883 }
2884 }
2885 else
2892 {
2901 }
2906 }
2909 /* clear handshake buffer */
2913 }
2915 int
2917 {
2924 {
2927 }
2930 }
2932 int
2935 {
2939 {
2942 }
2944 {
2947 }
2950 {
2954 }
2955 else
2956 {
2959 }
2960 }
2962 /* Returns 1 if the given KX has not the corresponding parameters
2963 * (DH or RSA) set up. Otherwise returns 0.
2964 */
2967 gnutls_kx_algorithm_t kx,
2969 {
2977 /* Read the Diffie-Hellman parameters, if any.
2978 */
2980 {
2982 gnutls_certificate_credentials_t x509_cred =
2987 {
2988 dh_params =
2991 rsa_params =
2994 session);
2995 }
2997 /* Check also if the certificate supports the
2998 * KX method.
2999 */
3002 {
3004 {
3007 }
3008 }
3013 #ifdef ENABLE_ANON
3014 }
3016 {
3017 gnutls_anon_server_credentials_t anon_cred =
3022 {
3023 dh_params =
3026 }
3027 #endif
3028 #ifdef ENABLE_PSK
3029 }
3031 {
3032 gnutls_psk_server_credentials_t psk_cred =
3037 {
3038 dh_params =
3040 session);
3041 }
3042 #endif
3043 }
3044 else
3048 /* If the key exchange method needs RSA or DH params,
3049 * but they are not set then remove it.
3050 */
3052 {
3053 /* needs rsa params. */
3055 {
3058 }
3059 }
3062 {
3063 /* needs DH params. */
3065 {
3068 }
3069 }
3072 }
3074 /* This function will remove algorithms that are not supported by
3075 * the requested authentication method. We remove an algorithm if
3076 * we have a certificate with keyUsage bits set.
3077 *
3078 * This does a more high level check than gnutls_supported_ciphersuites(),
3079 * by checking certificates etc.
3080 */
3081 static int
3087 {
3091 gnutls_certificate_credentials_t cert_cred;
3092 gnutls_kx_algorithm_t kx;
3097 /* if we should use a specific certificate,
3098 * we should remove all algorithms that are not supported
3099 * by that certificate and are on the same authentication
3100 * method (CERTIFICATE).
3101 */
3103 cert_cred =
3105 GNUTLS_CRD_CERTIFICATE,
3106 NULL);
3108 /* If there are certificate credentials, find an appropriate certificate
3109 * or disable them;
3110 */
3113 {
3116 {
3120 }
3121 }
3123 /* get all the key exchange algorithms that are
3124 * supported by the X509 certificate parameters.
3125 */
3128 {
3131 }
3135 /* now removes ciphersuites based on the KX algorithm
3136 */
3138 {
3141 /* finds the key exchange algorithm in
3142 * the ciphersuite
3143 */
3146 /* if it is defined but had no credentials
3147 */
3149 {
3151 }
3152 else
3153 {
3158 }
3160 /* If we have not agreed to a common curve with the peer don't bother
3161 * negotiating ECDH.
3162 */
3164 {
3166 {
3168 }
3169 }
3171 /* These two SRP kx's are marked to require a CRD_CERTIFICATE,
3172 (see cred_mappings in gnutls_algorithms.c), but it also
3173 requires a SRP credential. Don't use SRP kx unless we have a
3174 SRP credential too. */
3176 {
3178 {
3180 }
3181 }
3184 {
3187 session,
3193 }
3194 else
3195 {
3197 session,
3200 }
3201 }
3207 }
3209 /**
3210 * gnutls_handshake_set_max_packet_length:
3211 * @session: is a #gnutls_session_t structure.
3212 * @max: is the maximum number.
3213 *
3214 * This function will set the maximum size of all handshake messages.
3215 * Handshakes over this size are rejected with
3216 * %GNUTLS_E_HANDSHAKE_TOO_LARGE error code. The default value is
3217 * 48kb which is typically large enough. Set this to 0 if you do not
3218 * want to set an upper limit.
3219 *
3220 * The reason for restricting the handshake message sizes are to
3221 * limit Denial of Service attacks.
3222 **/
3223 void
3225 {
3227 }
3229 void
3231 {
3234 }
3236 gnutls_protocol_t
3238 {
3241 }
3243 /**
3244 * gnutls_handshake_get_last_in:
3245 * @session: is a #gnutls_session_t structure.
3246 *
3247 * This function is only useful to check where the last performed
3248 * handshake failed. If the previous handshake succeed or was not
3249 * performed at all then no meaningful value will be returned.
3250 *
3251 * Check %gnutls_handshake_description_t in gnutls.h for the
3252 * available handshake descriptions.
3253 *
3254 * Returns: the last handshake message type received, a
3255 * %gnutls_handshake_description_t.
3256 **/
3257 gnutls_handshake_description_t
3259 {
3261 }
3263 /**
3264 * gnutls_handshake_get_last_out:
3265 * @session: is a #gnutls_session_t structure.
3266 *
3267 * This function is only useful to check where the last performed
3268 * handshake failed. If the previous handshake succeed or was not
3269 * performed at all then no meaningful value will be returned.
3270 *
3271 * Check %gnutls_handshake_description_t in gnutls.h for the
3272 * available handshake descriptions.
3273 *
3274 * Returns: the last handshake message type sent, a
3275 * %gnutls_handshake_description_t.
3276 **/
3277 gnutls_handshake_description_t
3279 {
3281 }