2 * Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011
3 * Free Software Foundation, Inc.
5 * Author: Nikos Mavrogiannopoulos
7 * This file is part of GnuTLS.
9 * The GnuTLS is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Lesser General Public License
11 * as published by the Free Software Foundation; either version 3 of
12 * the License, or (at your option) any later version.
14 * This library is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * Lesser General Public License for more details.
19 * You should have received a copy of the GNU Lesser General Public License
20 * along with this program. If not, see <http://www.gnu.org/licenses/>
24 /* Functions to manipulate the session (gnutls_int.h), and some other stuff
25 * are included here. The file's name is traditionally gnutls_state even if the
26 * state has been renamed to session.
29 #include <gnutls_int.h>
30 #include <gnutls_errors.h>
31 #include <gnutls_auth.h>
32 #include <gnutls_num.h>
33 #include <gnutls_datum.h>
34 #include <gnutls_db.h>
35 #include <gnutls_record.h>
36 #include <gnutls_handshake.h>
37 #include <gnutls_dh.h>
38 #include <gnutls_buffers.h>
39 #include <gnutls_mbuffers.h>
40 #include <gnutls_state.h>
41 #include <gnutls_constate.h>
42 #include <auth/cert.h>
43 #include <auth/anon.h>
45 #include <algorithms.h>
46 #include <gnutls_rsa_export.h>
47 #include <gnutls_extensions.h>
49 #include <gnutls/dtls.h>
51 /* These should really be static, but src/tests.c calls them. Make
52 them public functions? */
54 _gnutls_rsa_pms_set_version (gnutls_session_t session
,
55 unsigned char major
, unsigned char minor
);
58 _gnutls_session_cert_type_set (gnutls_session_t session
,
59 gnutls_certificate_type_t ct
)
61 _gnutls_handshake_log("HSK[%p]: Selected certificate type %s (%d)\n", session
,
62 gnutls_certificate_type_get_name(ct
), ct
);
63 session
->security_parameters
.cert_type
= ct
;
67 _gnutls_session_ecc_curve_set (gnutls_session_t session
,
70 _gnutls_handshake_log("HSK[%p]: Selected ECC curve (%d)\n", session
, c
);
71 session
->security_parameters
.ecc_curve
= c
;
76 * @session: is a #gnutls_session_t structure.
78 * Get currently used cipher.
80 * Returns: the currently used cipher, a #gnutls_cipher_algorithm_t
83 gnutls_cipher_algorithm_t
84 gnutls_cipher_get (gnutls_session_t session
)
86 record_parameters_st
*record_params
;
89 ret
= _gnutls_epoch_get (session
, EPOCH_READ_CURRENT
, &record_params
);
91 return gnutls_assert_val(GNUTLS_CIPHER_NULL
);
93 return record_params
->cipher_algorithm
;
97 * gnutls_certificate_type_get:
98 * @session: is a #gnutls_session_t structure.
100 * The certificate type is by default X.509, unless it is negotiated
101 * as a TLS extension.
103 * Returns: the currently used #gnutls_certificate_type_t certificate
106 gnutls_certificate_type_t
107 gnutls_certificate_type_get (gnutls_session_t session
)
109 return session
->security_parameters
.cert_type
;
114 * @session: is a #gnutls_session_t structure.
116 * Get currently used key exchange algorithm.
118 * Returns: the key exchange algorithm used in the last handshake, a
119 * #gnutls_kx_algorithm_t value.
121 gnutls_kx_algorithm_t
122 gnutls_kx_get (gnutls_session_t session
)
124 return session
->security_parameters
.kx_algorithm
;
129 * @session: is a #gnutls_session_t structure.
131 * Get currently used MAC algorithm.
133 * Returns: the currently used mac algorithm, a
134 * #gnutls_mac_algorithm_t value.
136 gnutls_mac_algorithm_t
137 gnutls_mac_get (gnutls_session_t session
)
139 record_parameters_st
*record_params
;
142 ret
= _gnutls_epoch_get (session
, EPOCH_READ_CURRENT
, &record_params
);
144 return gnutls_assert_val(GNUTLS_MAC_NULL
);
146 return record_params
->mac_algorithm
;
150 * gnutls_compression_get:
151 * @session: is a #gnutls_session_t structure.
153 * Get currently used compression algorithm.
155 * Returns: the currently used compression method, a
156 * #gnutls_compression_method_t value.
158 gnutls_compression_method_t
159 gnutls_compression_get (gnutls_session_t session
)
161 record_parameters_st
*record_params
;
164 ret
= _gnutls_epoch_get (session
, EPOCH_READ_CURRENT
, &record_params
);
166 return gnutls_assert_val(GNUTLS_COMP_NULL
);
168 return record_params
->compression_algorithm
;
171 /* Check if the given certificate type is supported.
172 * This means that it is enabled by the priority functions,
173 * and a matching certificate exists.
176 _gnutls_session_cert_type_supported (gnutls_session_t session
,
177 gnutls_certificate_type_t cert_type
)
180 unsigned cert_found
= 0;
181 gnutls_certificate_credentials_t cred
;
183 if (session
->security_parameters
.entity
== GNUTLS_SERVER
)
185 cred
= (gnutls_certificate_credentials_t
)
186 _gnutls_get_cred (session
->key
, GNUTLS_CRD_CERTIFICATE
, NULL
);
189 return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE
;
191 if (cred
->server_get_cert_callback
== NULL
192 && cred
->get_cert_callback
== NULL
)
194 for (i
= 0; i
< cred
->ncerts
; i
++)
196 if (cred
->certs
[i
].cert_list
[0].type
== cert_type
)
204 /* no certificate is of that type.
206 return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE
;
210 if (session
->internals
.priorities
.cert_type
.algorithms
== 0
211 && cert_type
== DEFAULT_CERT_TYPE
)
214 for (i
= 0; i
< session
->internals
.priorities
.cert_type
.algorithms
; i
++)
216 if (session
->internals
.priorities
.cert_type
.priority
[i
] == cert_type
)
222 return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE
;
226 /* this function deinitializes all the internal parameters stored
227 * in a session struct.
230 deinit_internal_params (gnutls_session_t session
)
232 if (session
->internals
.params
.free_dh_params
)
233 gnutls_dh_params_deinit (session
->internals
.params
.dh_params
);
235 if (session
->internals
.params
.free_rsa_params
)
236 gnutls_rsa_params_deinit (session
->internals
.params
.rsa_params
);
238 _gnutls_handshake_hash_buffers_clear (session
);
240 memset (&session
->internals
.params
, 0, sizeof (session
->internals
.params
));
243 /* This function will clear all the variables in internals
244 * structure within the session, which depend on the current handshake.
245 * This is used to allow further handshakes.
248 _gnutls_handshake_internal_state_init (gnutls_session_t session
)
250 session
->internals
.extensions_sent_size
= 0;
252 /* by default no selected certificate */
253 session
->internals
.adv_version_major
= 0;
254 session
->internals
.adv_version_minor
= 0;
255 session
->internals
.direction
= 0;
257 /* use out of band data for the last
258 * handshake messages received.
260 session
->internals
.last_handshake_in
= -1;
261 session
->internals
.last_handshake_out
= -1;
263 session
->internals
.resumable
= RESUME_TRUE
;
265 session
->internals
.dtls
.hsk_read_seq
= 0;
266 session
->internals
.dtls
.hsk_write_seq
= 0;
267 session
->internals
.dtls
.handshake_start_time
= time(0);
271 _gnutls_handshake_internal_state_clear (gnutls_session_t session
)
273 _gnutls_handshake_internal_state_init (session
);
275 deinit_internal_params (session
);
277 _gnutls_epoch_gc(session
);
280 #define MIN_DH_BITS 727
283 * @session: is a pointer to a #gnutls_session_t structure.
284 * @flags: indicate if this session is to be used for server or client.
286 * This function initializes the current session to null. Every
287 * session must be initialized before use, so internal structures can
288 * be allocated. This function allocates structures which can only
289 * be free'd by calling gnutls_deinit(). Returns %GNUTLS_E_SUCCESS (0) on success.
291 * @flags can be one of %GNUTLS_CLIENT and %GNUTLS_SERVER. For a DTLS
292 * entity, the flags %GNUTLS_DATAGRAM and %GNUTLS_NONBLOCK are
293 * also available. The latter flag will enable a non-blocking
294 * operation of the DTLS timers.
296 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
299 gnutls_init (gnutls_session_t
* session
, unsigned int flags
)
302 record_parameters_st
*epoch
;
304 *session
= gnutls_calloc (1, sizeof (struct gnutls_session_int
));
305 if (*session
== NULL
)
306 return GNUTLS_E_MEMORY_ERROR
;
308 ret
= _gnutls_epoch_alloc (*session
, 0, &epoch
);
312 return GNUTLS_E_MEMORY_ERROR
;
315 /* Set all NULL algos on epoch 0 */
316 _gnutls_epoch_set_null_algos (*session
, epoch
);
318 (*session
)->security_parameters
.epoch_next
= 1;
320 (*session
)->security_parameters
.entity
= (flags
&GNUTLS_SERVER
?GNUTLS_SERVER
:GNUTLS_CLIENT
);
322 /* the default certificate type for TLS */
323 (*session
)->security_parameters
.cert_type
= DEFAULT_CERT_TYPE
;
325 /* Initialize buffers */
326 _gnutls_buffer_init (&(*session
)->internals
.handshake_hash_buffer
);
328 _mbuffer_head_init (&(*session
)->internals
.record_buffer
);
329 _mbuffer_head_init (&(*session
)->internals
.record_send_buffer
);
330 _mbuffer_head_init (&(*session
)->internals
.record_recv_buffer
);
332 _mbuffer_head_init (&(*session
)->internals
.handshake_send_buffer
);
333 _gnutls_handshake_recv_buffer_init(*session
);
335 (*session
)->key
= gnutls_calloc (1, sizeof (struct gnutls_key_st
));
336 if ((*session
)->key
== NULL
)
338 gnutls_free (*session
);
340 return GNUTLS_E_MEMORY_ERROR
;
343 (*session
)->internals
.expire_time
= DEFAULT_EXPIRE_TIME
; /* one hour default */
345 gnutls_dh_set_prime_bits ((*session
), MIN_DH_BITS
);
347 gnutls_handshake_set_max_packet_length ((*session
),
348 MAX_HANDSHAKE_PACKET_SIZE
);
350 /* set the socket pointers to -1;
352 (*session
)->internals
.transport_recv_ptr
= (gnutls_transport_ptr_t
) - 1;
353 (*session
)->internals
.transport_send_ptr
= (gnutls_transport_ptr_t
) - 1;
355 /* set the default maximum record size for TLS
357 (*session
)->security_parameters
.max_record_recv_size
=
358 DEFAULT_MAX_RECORD_SIZE
;
359 (*session
)->security_parameters
.max_record_send_size
=
360 DEFAULT_MAX_RECORD_SIZE
;
362 /* everything else not initialized here is initialized
363 * as NULL or 0. This is why calloc is used.
366 _gnutls_handshake_internal_state_init (*session
);
368 /* emulate old gnutls behavior for old applications that do not use the priority_*
371 (*session
)->internals
.priorities
.sr
= SR_PARTIAL
;
374 gnutls_transport_set_vec_push_function (*session
, system_writev
);
376 gnutls_transport_set_push_function (*session
, system_write
);
378 gnutls_transport_set_pull_function (*session
, system_read
);
379 gnutls_transport_set_errno_function (*session
, system_errno
);
380 gnutls_transport_set_pull_timeout_function (*session
, system_recv_timeout
);
382 if (flags
& GNUTLS_DATAGRAM
)
384 (*session
)->internals
.dtls
.mtu
= DTLS_DEFAULT_MTU
;
385 (*session
)->internals
.transport
= GNUTLS_DGRAM
;
387 (*session
)->internals
.dtls
.retrans_timeout
= 1000;
388 (*session
)->internals
.dtls
.total_timeout
= 60000;
390 (*session
)->internals
.dtls
.record_sw_size
= 0;
393 (*session
)->internals
.transport
= GNUTLS_STREAM
;
395 if (flags
& GNUTLS_NONBLOCK
)
396 (*session
)->internals
.dtls
.blocking
= 0;
398 (*session
)->internals
.dtls
.blocking
= 1;
403 /* returns RESUME_FALSE or RESUME_TRUE.
406 _gnutls_session_is_resumable (gnutls_session_t session
)
408 return session
->internals
.resumable
;
414 * @session: is a #gnutls_session_t structure.
416 * This function clears all buffers associated with the @session.
417 * This function will also remove session data from the session
418 * database if the session was terminated abnormally.
421 gnutls_deinit (gnutls_session_t session
)
428 /* remove auth info firstly */
429 _gnutls_free_auth_info (session
);
431 _gnutls_handshake_internal_state_clear (session
);
432 _gnutls_handshake_io_buffer_clear (session
);
433 _gnutls_ext_free_session_data (session
);
435 for (i
= 0; i
< MAX_EPOCH_INDEX
; i
++)
436 if (session
->record_parameters
[i
] != NULL
)
438 _gnutls_epoch_free (session
, session
->record_parameters
[i
]);
439 session
->record_parameters
[i
] = NULL
;
442 _gnutls_buffer_clear (&session
->internals
.handshake_hash_buffer
);
443 _mbuffer_head_clear (&session
->internals
.record_buffer
);
444 _mbuffer_head_clear (&session
->internals
.record_recv_buffer
);
445 _mbuffer_head_clear (&session
->internals
.record_send_buffer
);
447 gnutls_credentials_clear (session
);
448 _gnutls_selected_certs_deinit (session
);
450 if (session
->key
!= NULL
)
452 gnutls_pk_params_release(&session
->key
->ecdh_params
);
453 _gnutls_mpi_release (&session
->key
->ecdh_x
);
454 _gnutls_mpi_release (&session
->key
->ecdh_y
);
456 _gnutls_mpi_release (&session
->key
->KEY
);
457 _gnutls_mpi_release (&session
->key
->client_Y
);
458 _gnutls_mpi_release (&session
->key
->client_p
);
459 _gnutls_mpi_release (&session
->key
->client_g
);
461 _gnutls_mpi_release (&session
->key
->u
);
462 _gnutls_mpi_release (&session
->key
->a
);
463 _gnutls_mpi_release (&session
->key
->x
);
464 _gnutls_mpi_release (&session
->key
->A
);
465 _gnutls_mpi_release (&session
->key
->B
);
466 _gnutls_mpi_release (&session
->key
->b
);
469 _gnutls_mpi_release (&session
->key
->rsa
[0]);
470 _gnutls_mpi_release (&session
->key
->rsa
[1]);
472 _gnutls_mpi_release (&session
->key
->dh_secret
);
473 gnutls_free (session
->key
);
478 memset (session
, 0, sizeof (struct gnutls_session_int
));
479 gnutls_free (session
);
482 /* Returns the minimum prime bits that are acceptable.
485 _gnutls_dh_get_allowed_prime_bits (gnutls_session_t session
)
487 return session
->internals
.dh_prime_bits
;
491 _gnutls_dh_set_peer_public (gnutls_session_t session
, bigint_t
public)
496 switch (gnutls_auth_get_type (session
))
498 case GNUTLS_CRD_ANON
:
500 anon_auth_info_t info
;
501 info
= _gnutls_get_auth_info (session
);
503 return GNUTLS_E_INTERNAL_ERROR
;
510 psk_auth_info_t info
;
511 info
= _gnutls_get_auth_info (session
);
513 return GNUTLS_E_INTERNAL_ERROR
;
518 case GNUTLS_CRD_CERTIFICATE
:
520 cert_auth_info_t info
;
522 info
= _gnutls_get_auth_info (session
);
524 return GNUTLS_E_INTERNAL_ERROR
;
531 return GNUTLS_E_INTERNAL_ERROR
;
534 if (dh
->public_key
.data
)
535 _gnutls_free_datum (&dh
->public_key
);
537 ret
= _gnutls_mpi_dprint_lz (public, &dh
->public_key
);
548 _gnutls_dh_set_secret_bits (gnutls_session_t session
, unsigned bits
)
550 switch (gnutls_auth_get_type (session
))
552 case GNUTLS_CRD_ANON
:
554 anon_auth_info_t info
;
555 info
= _gnutls_get_auth_info (session
);
557 return GNUTLS_E_INTERNAL_ERROR
;
558 info
->dh
.secret_bits
= bits
;
563 psk_auth_info_t info
;
564 info
= _gnutls_get_auth_info (session
);
566 return GNUTLS_E_INTERNAL_ERROR
;
567 info
->dh
.secret_bits
= bits
;
570 case GNUTLS_CRD_CERTIFICATE
:
572 cert_auth_info_t info
;
574 info
= _gnutls_get_auth_info (session
);
576 return GNUTLS_E_INTERNAL_ERROR
;
578 info
->dh
.secret_bits
= bits
;
582 return GNUTLS_E_INTERNAL_ERROR
;
589 /* This function will set in the auth info structure the
590 * RSA exponent and the modulus.
593 _gnutls_rsa_export_set_pubkey (gnutls_session_t session
,
594 bigint_t exponent
, bigint_t modulus
)
596 cert_auth_info_t info
;
599 info
= _gnutls_get_auth_info (session
);
601 return GNUTLS_E_INTERNAL_ERROR
;
603 if (info
->rsa_export
.modulus
.data
)
604 _gnutls_free_datum (&info
->rsa_export
.modulus
);
606 if (info
->rsa_export
.exponent
.data
)
607 _gnutls_free_datum (&info
->rsa_export
.exponent
);
609 ret
= _gnutls_mpi_dprint_lz (modulus
, &info
->rsa_export
.modulus
);
616 ret
= _gnutls_mpi_dprint_lz (exponent
, &info
->rsa_export
.exponent
);
620 _gnutls_free_datum (&info
->rsa_export
.modulus
);
628 /* Sets the prime and the generator in the auth info structure.
631 _gnutls_dh_set_group (gnutls_session_t session
, bigint_t gen
, bigint_t prime
)
636 switch (gnutls_auth_get_type (session
))
638 case GNUTLS_CRD_ANON
:
640 anon_auth_info_t info
;
641 info
= _gnutls_get_auth_info (session
);
643 return GNUTLS_E_INTERNAL_ERROR
;
650 psk_auth_info_t info
;
651 info
= _gnutls_get_auth_info (session
);
653 return GNUTLS_E_INTERNAL_ERROR
;
658 case GNUTLS_CRD_CERTIFICATE
:
660 cert_auth_info_t info
;
662 info
= _gnutls_get_auth_info (session
);
664 return GNUTLS_E_INTERNAL_ERROR
;
671 return GNUTLS_E_INTERNAL_ERROR
;
675 _gnutls_free_datum (&dh
->prime
);
677 if (dh
->generator
.data
)
678 _gnutls_free_datum (&dh
->generator
);
682 ret
= _gnutls_mpi_dprint_lz (prime
, &dh
->prime
);
691 ret
= _gnutls_mpi_dprint_lz (gen
, &dh
->generator
);
695 _gnutls_free_datum (&dh
->prime
);
702 #ifdef ENABLE_OPENPGP
704 * gnutls_openpgp_send_cert:
705 * @session: is a pointer to a #gnutls_session_t structure.
706 * @status: is one of GNUTLS_OPENPGP_CERT, or GNUTLS_OPENPGP_CERT_FINGERPRINT
708 * This function will order gnutls to send the key fingerprint
709 * instead of the key in the initial handshake procedure. This should
710 * be used with care and only when there is indication or knowledge
711 * that the server can obtain the client's key.
714 gnutls_openpgp_send_cert (gnutls_session_t session
,
715 gnutls_openpgp_crt_status_t status
)
717 session
->internals
.pgp_fingerprint
= status
;
722 * gnutls_certificate_send_x509_rdn_sequence:
723 * @session: is a pointer to a #gnutls_session_t structure.
726 * If status is non zero, this function will order gnutls not to send
727 * the rdnSequence in the certificate request message. That is the
728 * server will not advertize it's trusted CAs to the peer. If status
729 * is zero then the default behaviour will take effect, which is to
730 * advertize the server's trusted CAs.
732 * This function has no effect in clients, and in authentication
733 * methods other than certificate with X.509 certificates.
736 gnutls_certificate_send_x509_rdn_sequence (gnutls_session_t session
,
739 session
->internals
.ignore_rdn_sequence
= status
;
742 #ifdef ENABLE_OPENPGP
744 _gnutls_openpgp_send_fingerprint (gnutls_session_t session
)
746 return session
->internals
.pgp_fingerprint
;
751 * _gnutls_record_set_default_version - Used to set the default version for the first record packet
752 * @session: is a #gnutls_session_t structure.
753 * @major: is a tls major version
754 * @minor: is a tls minor version
756 * This function sets the default version that we will use in the first
757 * record packet (client hello). This function is only useful to people
758 * that know TLS internals and want to debug other implementations.
761 _gnutls_record_set_default_version (gnutls_session_t session
,
762 unsigned char major
, unsigned char minor
)
764 session
->internals
.default_record_version
[0] = major
;
765 session
->internals
.default_record_version
[1] = minor
;
769 * gnutls_handshake_set_private_extensions:
770 * @session: is a #gnutls_session_t structure.
771 * @allow: is an integer (0 or 1)
773 * This function will enable or disable the use of private cipher
774 * suites (the ones that start with 0xFF). By default or if @allow
775 * is 0 then these cipher suites will not be advertized nor used.
777 * Currently GnuTLS does not include such cipher-suites or
778 * compression algorithms.
780 * Enabling the private ciphersuites when talking to other than
781 * gnutls servers and clients may cause interoperability problems.
784 gnutls_handshake_set_private_extensions (gnutls_session_t session
, int allow
)
786 session
->internals
.enable_private
= allow
;
790 _gnutls_cal_PRF_A (gnutls_mac_algorithm_t algorithm
,
791 const void *secret
, int secret_size
,
792 const void *seed
, int seed_size
, void *result
)
796 ret
= _gnutls_hmac_fast (algorithm
, secret
, secret_size
, seed
, seed_size
, result
);
798 return gnutls_assert_val(ret
);
803 #define MAX_SEED_SIZE 200
805 /* Produces "total_bytes" bytes using the hash algorithm specified.
806 * (used in the PRF function)
809 P_hash (gnutls_mac_algorithm_t algorithm
,
810 const opaque
* secret
, int secret_size
,
811 const opaque
* seed
, int seed_size
,
812 int total_bytes
, opaque
* ret
)
816 int i
, times
, how
, blocksize
, A_size
;
817 opaque final
[MAX_HASH_SIZE
], Atmp
[MAX_SEED_SIZE
];
818 int output_bytes
, result
;
820 if (seed_size
> MAX_SEED_SIZE
|| total_bytes
<= 0)
823 return GNUTLS_E_INTERNAL_ERROR
;
826 blocksize
= _gnutls_hmac_get_algo_len (algorithm
);
831 output_bytes
+= blocksize
;
833 while (output_bytes
< total_bytes
);
837 memcpy (Atmp
, seed
, seed_size
);
840 times
= output_bytes
/ blocksize
;
842 for (i
= 0; i
< times
; i
++)
844 result
= _gnutls_hmac_init (&td2
, algorithm
, secret
, secret_size
);
851 /* here we calculate A(i+1) */
853 _gnutls_cal_PRF_A (algorithm
, secret
, secret_size
, Atmp
,
857 _gnutls_hmac_deinit (&td2
, final
);
863 _gnutls_hmac (&td2
, Atmp
, A_size
);
864 _gnutls_hmac (&td2
, seed
, seed_size
);
865 _gnutls_hmac_deinit (&td2
, final
);
867 if ((1 + i
) * blocksize
< total_bytes
)
873 how
= total_bytes
- (i
) * blocksize
;
878 memcpy (&ret
[i
* blocksize
], final
, how
);
885 #define MAX_PRF_BYTES 200
887 /* The PRF function expands a given secret
888 * needed by the TLS specification. ret must have a least total_bytes
892 _gnutls_PRF (gnutls_session_t session
,
893 const opaque
* secret
, int secret_size
, const char *label
,
894 int label_size
, const opaque
* seed
, int seed_size
,
895 int total_bytes
, void *ret
)
897 int l_s
, s_seed_size
;
898 const opaque
*s1
, *s2
;
899 opaque s_seed
[MAX_SEED_SIZE
];
900 opaque o1
[MAX_PRF_BYTES
], o2
[MAX_PRF_BYTES
];
902 gnutls_protocol_t ver
= gnutls_protocol_get_version (session
);
904 if (total_bytes
> MAX_PRF_BYTES
)
907 return GNUTLS_E_INTERNAL_ERROR
;
909 /* label+seed = s_seed */
910 s_seed_size
= seed_size
+ label_size
;
912 if (s_seed_size
> MAX_SEED_SIZE
)
915 return GNUTLS_E_INTERNAL_ERROR
;
918 memcpy (s_seed
, label
, label_size
);
919 memcpy (&s_seed
[label_size
], seed
, seed_size
);
921 if (_gnutls_version_has_selectable_prf (ver
))
924 P_hash (_gnutls_cipher_suite_get_prf(&session
->security_parameters
.current_cipher_suite
),
926 s_seed
, s_seed_size
, total_bytes
, ret
);
935 l_s
= secret_size
/ 2;
940 if (secret_size
% 2 != 0)
946 P_hash (GNUTLS_MAC_MD5
, s1
, l_s
, s_seed
, s_seed_size
,
955 P_hash (GNUTLS_MAC_SHA1
, s2
, l_s
, s_seed
, s_seed_size
,
963 memxor (o1
, o2
, total_bytes
);
965 memcpy (ret
, o1
, total_bytes
);
974 * @session: is a #gnutls_session_t structure.
975 * @label_size: length of the @label variable.
976 * @label: label used in PRF computation, typically a short string.
977 * @seed_size: length of the @seed variable.
978 * @seed: optional extra data to seed the PRF with.
979 * @outsize: size of pre-allocated output buffer to hold the output.
980 * @out: pre-allocate buffer to hold the generated data.
982 * Apply the TLS Pseudo-Random-Function (PRF) using the master secret
985 * The @label variable usually contain a string denoting the purpose
986 * for the generated data. The @seed usually contain data such as the
987 * client and server random, perhaps together with some additional
988 * data that is added to guarantee uniqueness of the output for a
989 * particular purpose.
991 * Because the output is not guaranteed to be unique for a particular
992 * session unless @seed include the client random and server random
993 * fields (the PRF would output the same data on another connection
994 * resumed from the first one), it is not recommended to use this
995 * function directly. The gnutls_prf() function seed the PRF with the
996 * client and server random fields directly, and is recommended if you
997 * want to generate pseudo random data unique for each session.
999 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
1002 gnutls_prf_raw (gnutls_session_t session
,
1005 size_t seed_size
, const char *seed
, size_t outsize
, char *out
)
1009 ret
= _gnutls_PRF (session
,
1010 session
->security_parameters
.master_secret
,
1013 label_size
, (opaque
*) seed
, seed_size
, outsize
, out
);
1020 * @session: is a #gnutls_session_t structure.
1021 * @label_size: length of the @label variable.
1022 * @label: label used in PRF computation, typically a short string.
1023 * @server_random_first: non-0 if server random field should be first in seed
1024 * @extra_size: length of the @extra variable.
1025 * @extra: optional extra data to seed the PRF with.
1026 * @outsize: size of pre-allocated output buffer to hold the output.
1027 * @out: pre-allocate buffer to hold the generated data.
1029 * Apply the TLS Pseudo-Random-Function (PRF) using the master secret
1030 * on some data, seeded with the client and server random fields.
1032 * The @label variable usually contain a string denoting the purpose
1033 * for the generated data. The @server_random_first indicate whether
1034 * the client random field or the server random field should be first
1035 * in the seed. Non-0 indicate that the server random field is first,
1036 * 0 that the client random field is first.
1038 * The @extra variable can be used to add more data to the seed, after
1039 * the random variables. It can be used to tie make sure the
1040 * generated output is strongly connected to some additional data
1041 * (e.g., a string used in user authentication).
1043 * The output is placed in *@OUT, which must be pre-allocated.
1045 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
1048 gnutls_prf (gnutls_session_t session
,
1051 int server_random_first
,
1052 size_t extra_size
, const char *extra
, size_t outsize
, char *out
)
1056 size_t seedsize
= 2 * GNUTLS_RANDOM_SIZE
+ extra_size
;
1058 seed
= gnutls_malloc (seedsize
);
1062 return GNUTLS_E_MEMORY_ERROR
;
1065 memcpy (seed
, server_random_first
?
1066 session
->security_parameters
.server_random
:
1067 session
->security_parameters
.client_random
, GNUTLS_RANDOM_SIZE
);
1068 memcpy (seed
+ GNUTLS_RANDOM_SIZE
, server_random_first
?
1069 session
->security_parameters
.client_random
:
1070 session
->security_parameters
.server_random
, GNUTLS_RANDOM_SIZE
);
1072 memcpy (seed
+ 2 * GNUTLS_RANDOM_SIZE
, extra
, extra_size
);
1074 ret
= _gnutls_PRF (session
, session
->security_parameters
.master_secret
,
1076 label
, label_size
, seed
, seedsize
, outsize
, out
);
1084 * gnutls_session_is_resumed:
1085 * @session: is a #gnutls_session_t structure.
1087 * Check whether session is resumed or not.
1089 * Returns: non zero if this session is resumed, or a zero if this is
1093 gnutls_session_is_resumed (gnutls_session_t session
)
1095 if (session
->security_parameters
.entity
== GNUTLS_CLIENT
)
1097 if (session
->security_parameters
.session_id_size
> 0 &&
1098 session
->security_parameters
.session_id_size
==
1099 session
->internals
.resumed_security_parameters
.session_id_size
1100 && memcmp (session
->security_parameters
.session_id
,
1102 resumed_security_parameters
.session_id
,
1103 session
->security_parameters
.session_id_size
) == 0)
1108 if (session
->internals
.resumed
!= RESUME_FALSE
)
1116 * _gnutls_session_is_export - Used to check whether this session is of export grade
1117 * @session: is a #gnutls_session_t structure.
1119 * This function will return non zero if this session is of export grade.
1122 _gnutls_session_is_export (gnutls_session_t session
)
1124 gnutls_cipher_algorithm_t cipher
;
1127 _gnutls_cipher_suite_get_cipher_algo (&session
->
1128 security_parameters
.current_cipher_suite
);
1130 if (_gnutls_cipher_get_export_flag (cipher
) != 0)
1137 * _gnutls_session_is_psk - Used to check whether this session uses PSK kx
1138 * @session: is a #gnutls_session_t structure.
1140 * This function will return non zero if this session uses a PSK key
1141 * exchange algorithm.
1144 _gnutls_session_is_psk (gnutls_session_t session
)
1146 gnutls_kx_algorithm_t kx
;
1149 _gnutls_cipher_suite_get_kx_algo (&session
->
1150 security_parameters
.current_cipher_suite
);
1151 if (kx
== GNUTLS_KX_PSK
|| kx
== GNUTLS_KX_DHE_PSK
)
1158 * _gnutls_session_is_ecc - Used to check whether this session uses ECC kx
1159 * @session: is a #gnutls_session_t structure.
1161 * This function will return non zero if this session uses an elliptic
1162 * curves key exchange exchange algorithm.
1165 _gnutls_session_is_ecc (gnutls_session_t session
)
1167 gnutls_kx_algorithm_t kx
;
1169 /* We get the key exchange algorithm through the ciphersuite because
1170 * the negotiated key exchange might not have been set yet.
1173 _gnutls_cipher_suite_get_kx_algo (&session
->
1174 security_parameters
.current_cipher_suite
);
1176 return _gnutls_kx_is_ecc(kx
);
1180 * gnutls_session_get_ptr:
1181 * @session: is a #gnutls_session_t structure.
1183 * Get user pointer for session. Useful in callbacks. This is the
1184 * pointer set with gnutls_session_set_ptr().
1186 * Returns: the user given pointer from the session structure, or
1187 * %NULL if it was never set.
1190 gnutls_session_get_ptr (gnutls_session_t session
)
1192 return session
->internals
.user_ptr
;
1196 * gnutls_session_set_ptr:
1197 * @session: is a #gnutls_session_t structure.
1198 * @ptr: is the user pointer
1200 * This function will set (associate) the user given pointer @ptr to
1201 * the session structure. This is pointer can be accessed with
1202 * gnutls_session_get_ptr().
1205 gnutls_session_set_ptr (gnutls_session_t session
, void *ptr
)
1207 session
->internals
.user_ptr
= ptr
;
1212 * gnutls_record_get_direction:
1213 * @session: is a #gnutls_session_t structure.
1215 * This function provides information about the internals of the
1216 * record protocol and is only useful if a prior gnutls function call
1217 * (e.g. gnutls_handshake()) was interrupted for some reason, that
1218 * is, if a function returned %GNUTLS_E_INTERRUPTED or
1219 * %GNUTLS_E_AGAIN. In such a case, you might want to call select()
1220 * or poll() before calling the interrupted gnutls function again. To
1221 * tell you whether a file descriptor should be selected for either
1222 * reading or writing, gnutls_record_get_direction() returns 0 if the
1223 * interrupted function was trying to read data, and 1 if it was
1224 * trying to write data.
1226 * Returns: 0 if trying to read data, 1 if trying to write data.
1229 gnutls_record_get_direction (gnutls_session_t session
)
1231 return session
->internals
.direction
;
1235 * _gnutls_rsa_pms_set_version - Sets a version to be used at the RSA PMS
1236 * @session: is a #gnutls_session_t structure.
1237 * @major: is the major version to use
1238 * @minor: is the minor version to use
1240 * This function will set the given version number to be used at the
1241 * RSA PMS secret. This is only useful to clients, which want to
1242 * test server's capabilities.
1245 _gnutls_rsa_pms_set_version (gnutls_session_t session
,
1246 unsigned char major
, unsigned char minor
)
1248 session
->internals
.rsa_pms_version
[0] = major
;
1249 session
->internals
.rsa_pms_version
[1] = minor
;
1253 * gnutls_handshake_set_post_client_hello_function:
1254 * @session: is a #gnutls_session_t structure.
1255 * @func: is the function to be called
1257 * This function will set a callback to be called after the client
1258 * hello has been received (callback valid in server side only). This
1259 * allows the server to adjust settings based on received extensions.
1261 * Those settings could be ciphersuites, requesting certificate, or
1262 * anything else except for version negotiation (this is done before
1263 * the hello message is parsed).
1265 * This callback must return 0 on success or a gnutls error code to
1266 * terminate the handshake.
1268 * Warning: You should not use this function to terminate the
1269 * handshake based on client input unless you know what you are
1270 * doing. Before the handshake is finished there is no way to know if
1271 * there is a man-in-the-middle attack being performed.
1274 gnutls_handshake_set_post_client_hello_function (gnutls_session_t session
,
1275 gnutls_handshake_post_client_hello_func
1278 session
->internals
.user_hello_func
= func
;
1282 * gnutls_session_enable_compatibility_mode:
1283 * @session: is a #gnutls_session_t structure.
1285 * This function can be used to disable certain (security) features in
1286 * TLS in order to maintain maximum compatibility with buggy
1287 * clients. It is equivalent to calling:
1288 * gnutls_record_disable_padding()
1290 * Normally only servers that require maximum compatibility with
1291 * everything out there, need to call this function.
1294 gnutls_session_enable_compatibility_mode (gnutls_session_t session
)
1296 gnutls_record_disable_padding (session
);
1300 * gnutls_session_channel_binding:
1301 * @session: is a #gnutls_session_t structure.
1302 * @cbtype: an #gnutls_channel_binding_t enumeration type
1303 * @cb: output buffer array with data
1305 * Extract given channel binding data of the @cbtype (e.g.,
1306 * %GNUTLS_CB_TLS_UNIQUE) type.
1308 * Returns: %GNUTLS_E_SUCCESS on success,
1309 * %GNUTLS_E_UNIMPLEMENTED_FEATURE if the @cbtype is unsupported,
1310 * %GNUTLS_E_CHANNEL_BINDING_NOT_AVAILABLE if the data is not
1311 * currently available, or an error code.
1316 gnutls_session_channel_binding (gnutls_session_t session
,
1317 gnutls_channel_binding_t cbtype
,
1318 gnutls_datum_t
* cb
)
1320 if (cbtype
!= GNUTLS_CB_TLS_UNIQUE
)
1321 return GNUTLS_E_UNIMPLEMENTED_FEATURE
;
1323 if (!session
->internals
.initial_negotiation_completed
)
1324 return GNUTLS_E_CHANNEL_BINDING_NOT_AVAILABLE
;
1326 cb
->size
= session
->internals
.cb_tls_unique_len
;
1327 cb
->data
= gnutls_malloc (cb
->size
);
1328 if (cb
->data
== NULL
)
1329 return GNUTLS_E_MEMORY_ERROR
;
1331 memcpy (cb
->data
, session
->internals
.cb_tls_unique
, cb
->size
);
1336 /* returns overhead imposed by the record layer (encryption/compression)
1337 * etc. It does include the record layer headers.
1339 * It may return a negative error code on error.
1341 int _gnutls_record_overhead_rt(gnutls_session_t session
)
1343 record_parameters_st
*params
;
1344 int total
= 0, ret
, iv_size
;
1346 if (session
->internals
.initial_negotiation_completed
== 0)
1347 return RECORD_HEADER_SIZE(session
);
1349 ret
= _gnutls_epoch_get (session
, EPOCH_WRITE_CURRENT
, ¶ms
);
1351 return gnutls_assert_val(ret
);
1353 /* requires padding */
1354 iv_size
= _gnutls_cipher_get_iv_size(params
->cipher_algorithm
);
1357 if (_gnutls_cipher_is_block (params
->cipher_algorithm
) == CIPHER_BLOCK
)
1359 if (!IS_DTLS(session
))
1360 total
+= MAX_PAD_SIZE
;
1362 total
+= iv_size
; /* iv_size == block_size */
1365 if (params
->mac_algorithm
== GNUTLS_MAC_AEAD
)
1366 total
+= _gnutls_cipher_get_tag_size(params
->cipher_algorithm
);
1369 ret
= _gnutls_hmac_get_algo_len(params
->mac_algorithm
);
1371 return gnutls_assert_val(ret
);
1375 if (params
->compression_algorithm
!= GNUTLS_COMP_NULL
)
1376 total
+= EXTRA_COMP_SIZE
;
1378 total
+= RECORD_HEADER_SIZE(session
);
1384 * gnutls_ecc_curve_get:
1385 * @session: is a #gnutls_session_t structure.
1387 * Returns the currently used elliptic curve. Only valid
1388 * when using an elliptic curve ciphersuite.
1390 * Returns: the currently used curve, a #gnutls_ecc_curve_t
1395 gnutls_ecc_curve_t
gnutls_ecc_curve_get(gnutls_session_t session
)
1397 return _gnutls_session_ecc_curve_get(session
);