search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
corrected news entry.
[gnutls.git] / lib / gnutls_record.c
blobfbb84a1447b796977082e04724c52f1cc895578b
1 /*
2 * Copyright (C) 2000-2012 Free Software Foundation, Inc.
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GnuTLS.
7 *
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
20 *
21 */
22
23 /* Functions that are record layer specific, are included in this file.
24 */
25
26 /* allocate this many bytes more when encrypting or decrypting, to
27 * compensate for broken backends such as cryptodev.
28 */
29 #define CIPHER_SLACK_SIZE 32
30
31 #include "gnutls_int.h"
32 #include "gnutls_errors.h"
33 #include "debug.h"
34 #include "gnutls_compress.h"
35 #include "gnutls_cipher.h"
36 #include "gnutls_buffers.h"
37 #include "gnutls_mbuffers.h"
38 #include "gnutls_handshake.h"
39 #include "gnutls_hash_int.h"
40 #include "gnutls_cipher_int.h"
41 #include "algorithms.h"
42 #include "gnutls_db.h"
43 #include "gnutls_auth.h"
44 #include "gnutls_num.h"
45 #include "gnutls_record.h"
46 #include "gnutls_datum.h"
47 #include "gnutls_constate.h"
48 #include "ext/max_record.h"
49 #include <gnutls_state.h>
50 #include <gnutls_dtls.h>
51 #include <gnutls_dh.h>
52
53 struct tls_record_st {
54 uint16_t header_size;
55 uint8_t version[2];
56 uint64 sequence; /* DTLS */
57 uint16_t length;
58 uint16_t packet_size; /* header_size + length */
59 content_type_t type;
60 uint16_t epoch; /* valid in DTLS only */
61 int v2:1; /* whether an SSLv2 client hello */
62 /* the data */
63 };
64
65 /**
66 * gnutls_record_disable_padding:
67 * @session: is a #gnutls_session_t structure.
68 *
69 * Used to disabled padding in TLS 1.0 and above. Normally you do not
70 * need to use this function, but there are buggy clients that
71 * complain if a server pads the encrypted data. This of course will
72 * disable protection against statistical attacks on the data.
73 *
74 * Normally only servers that require maximum compatibility with everything
75 * out there, need to call this function.
76 **/
77 void
78 gnutls_record_disable_padding (gnutls_session_t session)
79 {
80 session->internals.priorities.no_padding = 1;
81 }
82
83 /**
84 * gnutls_transport_set_ptr:
85 * @session: is a #gnutls_session_t structure.
86 * @ptr: is the value.
87 *
88 * Used to set the first argument of the transport function (for push
89 * and pull callbacks). In berkeley style sockets this function will set the
90 * connection descriptor.
91 **/
92 void
93 gnutls_transport_set_ptr (gnutls_session_t session,
94 gnutls_transport_ptr_t ptr)
95 {
96 session->internals.transport_recv_ptr = ptr;
97 session->internals.transport_send_ptr = ptr;
98 }
99
100 /**
101 * gnutls_transport_set_ptr2:
102 * @session: is a #gnutls_session_t structure.
103 * @recv_ptr: is the value for the pull function
104 * @send_ptr: is the value for the push function
105 *
106 * Used to set the first argument of the transport function (for push
107 * and pull callbacks). In berkeley style sockets this function will set the
108 * connection descriptor. With this function you can use two different
109 * pointers for receiving and sending.
110 **/
111 void
112 gnutls_transport_set_ptr2 (gnutls_session_t session,
113 gnutls_transport_ptr_t recv_ptr,
114 gnutls_transport_ptr_t send_ptr)
115 {
116 session->internals.transport_send_ptr = send_ptr;
117 session->internals.transport_recv_ptr = recv_ptr;
118 }
119
120 /**
121 * gnutls_transport_get_ptr:
122 * @session: is a #gnutls_session_t structure.
123 *
124 * Used to get the first argument of the transport function (like
125 * PUSH and PULL). This must have been set using
126 * gnutls_transport_set_ptr().
127 *
128 * Returns: The first argument of the transport function.
129 **/
130 gnutls_transport_ptr_t
131 gnutls_transport_get_ptr (gnutls_session_t session)
132 {
133 return session->internals.transport_recv_ptr;
134 }
135
136 /**
137 * gnutls_transport_get_ptr2:
138 * @session: is a #gnutls_session_t structure.
139 * @recv_ptr: will hold the value for the pull function
140 * @send_ptr: will hold the value for the push function
141 *
142 * Used to get the arguments of the transport functions (like PUSH
143 * and PULL). These should have been set using
144 * gnutls_transport_set_ptr2().
145 **/
146 void
147 gnutls_transport_get_ptr2 (gnutls_session_t session,
148 gnutls_transport_ptr_t * recv_ptr,
149 gnutls_transport_ptr_t * send_ptr)
150 {
151
152 *recv_ptr = session->internals.transport_recv_ptr;
153 *send_ptr = session->internals.transport_send_ptr;
154 }
155
156 /**
157 * gnutls_bye:
158 * @session: is a #gnutls_session_t structure.
159 * @how: is an integer
160 *
161 * Terminates the current TLS/SSL connection. The connection should
162 * have been initiated using gnutls_handshake(). @how should be one
163 * of %GNUTLS_SHUT_RDWR, %GNUTLS_SHUT_WR.
164 *
165 * In case of %GNUTLS_SHUT_RDWR the TLS session gets
166 * terminated and further receives and sends will be disallowed. If
167 * the return value is zero you may continue using the underlying
168 * transport layer. %GNUTLS_SHUT_RDWR sends an alert containing a close
169 * request and waits for the peer to reply with the same message.
170 *
171 * In case of %GNUTLS_SHUT_WR the TLS session gets terminated
172 * and further sends will be disallowed. In order to reuse the
173 * connection you should wait for an EOF from the peer.
174 * %GNUTLS_SHUT_WR sends an alert containing a close request.
175 *
176 * Note that not all implementations will properly terminate a TLS
177 * connection. Some of them, usually for performance reasons, will
178 * terminate only the underlying transport layer, and thus not
179 * distinguishing between a malicious party prematurely terminating
180 * the connection and normal termination.
181 *
182 * This function may also return %GNUTLS_E_AGAIN or
183 * %GNUTLS_E_INTERRUPTED; cf. gnutls_record_get_direction().
184 *
185 * Returns: %GNUTLS_E_SUCCESS on success, or an error code, see
186 * function documentation for entire semantics.
187 **/
188 int
189 gnutls_bye (gnutls_session_t session, gnutls_close_request_t how)
190 {
191 int ret = 0;
192
193 switch (STATE)
194 {
195 case STATE0:
196 case STATE60:
197 ret = _gnutls_io_write_flush (session);
198 STATE = STATE60;
199 if (ret < 0)
200 {
201 gnutls_assert ();
202 return ret;
203 }
204
205 case STATE61:
206 ret =
207 gnutls_alert_send (session, GNUTLS_AL_WARNING, GNUTLS_A_CLOSE_NOTIFY);
208 STATE = STATE61;
209 if (ret < 0)
210 {
211 gnutls_assert ();
212 return ret;
213 }
214
215 case STATE62:
216 STATE = STATE62;
217 if (how == GNUTLS_SHUT_RDWR)
218 {
219 do
220 {
221 ret = _gnutls_recv_int (session, GNUTLS_ALERT, -1, NULL, 0, NULL);
222 }
223 while (ret == GNUTLS_E_GOT_APPLICATION_DATA);
224
225 if (ret >= 0)
226 session->internals.may_not_read = 1;
227
228 if (ret < 0)
229 {
230 gnutls_assert ();
231 return ret;
232 }
233 }
234 STATE = STATE62;
235
236 break;
237 default:
238 gnutls_assert ();
239 return GNUTLS_E_INTERNAL_ERROR;
240 }
241
242 STATE = STATE0;
243
244 session->internals.may_not_write = 1;
245 return 0;
246 }
247
248 inline static void
249 session_invalidate (gnutls_session_t session)
250 {
251 session->internals.invalid_connection = 1;
252 }
253
254
255 inline static void
256 session_unresumable (gnutls_session_t session)
257 {
258 session->internals.resumable = RESUME_FALSE;
259 }
260
261 /* returns 0 if session is valid
262 */
263 inline static int
264 session_is_valid (gnutls_session_t session)
265 {
266 if (session->internals.invalid_connection != 0)
267 return GNUTLS_E_INVALID_SESSION;
268
269 return 0;
270 }
271
272 /* Copies the record version into the headers. The
273 * version must have 2 bytes at least.
274 */
275 inline static void
276 copy_record_version (gnutls_session_t session,
277 gnutls_handshake_description_t htype, uint8_t version[2])
278 {
279 gnutls_protocol_t lver;
280
281 if (session->internals.initial_negotiation_completed || htype != GNUTLS_HANDSHAKE_CLIENT_HELLO
282 || session->internals.default_record_version[0] == 0)
283 {
284 lver = gnutls_protocol_get_version (session);
285
286 version[0] = _gnutls_version_get_major (lver);
287 version[1] = _gnutls_version_get_minor (lver);
288 }
289 else
290 {
291 version[0] = session->internals.default_record_version[0];
292 version[1] = session->internals.default_record_version[1];
293 }
294 }
295
296 /* Increments the sequence value
297 */
298 inline static int
299 sequence_increment (gnutls_session_t session,
300 uint64 * value)
301 {
302 if (IS_DTLS(session))
303 {
304 return _gnutls_uint48pp(value);
305 }
306 else
307 {
308 return _gnutls_uint64pp(value);
309 }
310 }
311
312 /* This function behaves exactly like write(). The only difference is
313 * that it accepts, the gnutls_session_t and the content_type_t of data to
314 * send (if called by the user the Content is specific)
315 * It is intended to transfer data, under the current session.
316 *
317 * Oct 30 2001: Removed capability to send data more than MAX_RECORD_SIZE.
318 * This makes the function much easier to read, and more error resistant
319 * (there were cases were the old function could mess everything up).
320 * --nmav
321 *
322 * This function may accept a NULL pointer for data, and 0 for size, if
323 * and only if the previous send was interrupted for some reason.
324 *
325 */
326 ssize_t
327 _gnutls_send_int (gnutls_session_t session, content_type_t type,
328 gnutls_handshake_description_t htype,
329 unsigned int epoch_rel, const void *_data,
330 size_t data_size, unsigned int mflags)
331 {
332 mbuffer_st *bufel;
333 ssize_t cipher_size;
334 int retval, ret;
335 int send_data_size;
336 uint8_t headers[MAX_RECORD_HEADER_SIZE];
337 int header_size;
338 const uint8_t *data = _data;
339 record_parameters_st *record_params;
340 record_state_st *record_state;
341
342 ret = _gnutls_epoch_get (session, epoch_rel, &record_params);
343 if (ret < 0)
344 return gnutls_assert_val(ret);
345
346 /* Safeguard against processing data with an incomplete cipher state. */
347 if (!record_params->initialized)
348 return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
349
350 record_state = &record_params->write;
351
352 /* Do not allow null pointer if the send buffer is empty.
353 * If the previous send was interrupted then a null pointer is
354 * ok, and means to resume.
355 */
356 if (session->internals.record_send_buffer.byte_length == 0 &&
357 (data_size == 0 && _data == NULL))
358 {
359 gnutls_assert ();
360 return GNUTLS_E_INVALID_REQUEST;
361 }
362
363 if (type != GNUTLS_ALERT) /* alert messages are sent anyway */
364 if (session_is_valid (session) || session->internals.may_not_write != 0)
365 {
366 gnutls_assert ();
367 return GNUTLS_E_INVALID_SESSION;
368 }
369
370 headers[0] = type;
371
372 /* Use the default record version, if it is
373 * set.
374 */
375 copy_record_version (session, htype, &headers[1]);
376
377 header_size = RECORD_HEADER_SIZE(session);
378 /* Adjust header length and add sequence for DTLS */
379 if (IS_DTLS(session))
380 memcpy(&headers[3], &record_state->sequence_number.i, 8);
381
382 _gnutls_record_log
383 ("REC[%p]: Preparing Packet %s(%d) with length: %d\n", session,
384 _gnutls_packet2str (type), type, (int) data_size);
385
386 if (data_size > MAX_RECORD_SEND_SIZE(session))
387 {
388 if (IS_DTLS(session))
389 {
390 gnutls_assert ();
391 return GNUTLS_E_LARGE_PACKET;
392 }
393 send_data_size = MAX_RECORD_SEND_SIZE(session);
394 }
395 else
396 send_data_size = data_size;
397
398 /* Only encrypt if we don't have data to send
399 * from the previous run. - probably interrupted.
400 */
401 if (mflags != 0 && session->internals.record_send_buffer.byte_length > 0)
402 {
403 ret = _gnutls_io_write_flush (session);
404 if (ret > 0)
405 cipher_size = ret;
406 else
407 cipher_size = 0;
408
409 retval = session->internals.record_send_buffer_user_size;
410 }
411 else
412 {
413 /* now proceed to packet encryption
414 */
415 cipher_size = send_data_size + MAX_RECORD_OVERHEAD + CIPHER_SLACK_SIZE;
416 bufel = _mbuffer_alloc (cipher_size, cipher_size);
417 if (bufel == NULL)
418 return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
419
420 ret =
421 _gnutls_encrypt (session, headers, header_size, data,
422 send_data_size, _mbuffer_get_udata_ptr (bufel),
423 cipher_size, type, record_params);
424 if (ret <= 0)
425 {
426 gnutls_assert ();
427 if (ret == 0)
428 ret = GNUTLS_E_ENCRYPTION_FAILED;
429 gnutls_free (bufel);
430 return ret; /* error */
431 }
432
433 cipher_size = ret;
434 retval = send_data_size;
435 session->internals.record_send_buffer_user_size = send_data_size;
436
437 /* increase sequence number
438 */
439 if (sequence_increment (session, &record_state->sequence_number) != 0)
440 {
441 session_invalidate (session);
442 gnutls_free (bufel);
443 return gnutls_assert_val(GNUTLS_E_RECORD_LIMIT_REACHED);
444 }
445
446 _mbuffer_set_udata_size (bufel, cipher_size);
447 ret = _gnutls_io_write_buffered (session, bufel, mflags);
448 }
449
450 if (ret != cipher_size)
451 {
452 /* If we have sent any data then just return
453 * the error value. Do not invalidate the session.
454 */
455 if (ret < 0 && gnutls_error_is_fatal (ret) == 0)
456 return gnutls_assert_val(ret);
457
458 if (ret > 0)
459 ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
460
461 session_unresumable (session);
462 session->internals.may_not_write = 1;
463 return gnutls_assert_val(ret);
464 }
465
466 session->internals.record_send_buffer_user_size = 0;
467
468 _gnutls_record_log ("REC[%p]: Sent Packet[%d] %s(%d) in epoch %d and length: %d\n",
469 session,
470 (unsigned int)
471 _gnutls_uint64touint32
472 (&record_state->sequence_number),
473 _gnutls_packet2str (type), type,
474 (int) record_params->epoch,
475 (int) cipher_size);
476
477 return retval;
478 }
479
480 inline static int
481 check_recv_type (gnutls_session_t session, content_type_t recv_type)
482 {
483 switch (recv_type)
484 {
485 case GNUTLS_CHANGE_CIPHER_SPEC:
486 case GNUTLS_ALERT:
487 case GNUTLS_HANDSHAKE:
488 case GNUTLS_APPLICATION_DATA:
489 return 0;
490 default:
491 gnutls_assert ();
492 _gnutls_audit_log(session, "Received record packet of unknown type %u\n", (unsigned int)recv_type);
493 return GNUTLS_E_UNEXPECTED_PACKET;
494 }
495
496 }
497
498
499 /* Checks if there are pending data in the record buffers. If there are
500 * then it copies the data.
501 */
502 static int
503 check_buffers (gnutls_session_t session, content_type_t type,
504 uint8_t * data, int data_size, void* seq)
505 {
506 if ((type == GNUTLS_APPLICATION_DATA ||
507 type == GNUTLS_HANDSHAKE ||
508 type == GNUTLS_CHANGE_CIPHER_SPEC)
509 && _gnutls_record_buffer_get_size (session) > 0)
510 {
511 int ret;
512 ret = _gnutls_record_buffer_get (type, session, data, data_size, seq);
513 if (ret < 0)
514 {
515 if (IS_DTLS(session))
516 {
517 if (ret == GNUTLS_E_UNEXPECTED_PACKET)
518 {
519 ret = GNUTLS_E_AGAIN;
520 }
521 }
522 gnutls_assert ();
523 return ret;
524 }
525
526 return ret;
527 }
528
529 return 0;
530 }
531
532
533
534 /* Here we check if the advertized version is the one we
535 * negotiated in the handshake.
536 */
537 inline static int
538 record_check_version (gnutls_session_t session,
539 gnutls_handshake_description_t htype, uint8_t version[2])
540 {
541 if (htype == GNUTLS_HANDSHAKE_CLIENT_HELLO)
542 {
543 /* Reject hello packets with major version higher than 3.
544 */
545 if (!(IS_DTLS(session)) && version[0] > 3)
546 {
547 gnutls_assert ();
548 _gnutls_record_log
549 ("REC[%p]: INVALID VERSION PACKET: (%d) %d.%d\n", session,
550 htype, version[0], version[1]);
551 return GNUTLS_E_UNSUPPORTED_VERSION_PACKET;
552 }
553 }
554 else if (htype != GNUTLS_HANDSHAKE_SERVER_HELLO &&
555 gnutls_protocol_get_version (session) !=
556 _gnutls_version_get (version[0], version[1]))
557 {
558 /* Reject record packets that have a different version than the
559 * one negotiated. Note that this version is not protected by any
560 * mac. I don't really think that this check serves any purpose.
561 */
562 gnutls_assert ();
563 _gnutls_record_log ("REC[%p]: INVALID VERSION PACKET: (%d) %d.%d\n",
564 session, htype, version[0], version[1]);
565
566 return GNUTLS_E_UNSUPPORTED_VERSION_PACKET;
567 }
568
569 return 0;
570 }
571
572 /* This function will check if the received record type is
573 * the one we actually expect and adds it to the proper
574 * buffer. The bufel will be deinitialized after calling
575 * this function, even if it fails.
576 */
577 static int
578 record_add_to_buffers (gnutls_session_t session,
579 struct tls_record_st *recv, content_type_t type,
580 gnutls_handshake_description_t htype,
581 uint64* seq,
582 mbuffer_st* bufel)
583 {
584
585 int ret;
586
587 if ((recv->type == type)
588 && (type == GNUTLS_APPLICATION_DATA ||
589 type == GNUTLS_CHANGE_CIPHER_SPEC ||
590 type == GNUTLS_HANDSHAKE))
591 {
592 _gnutls_record_buffer_put (session, type, seq, bufel);
593
594 /* if we received application data as expected then we
595 * deactivate the async timer */
596 _dtls_async_timer_delete(session);
597 }
598 else
599 {
600 /* if the expected type is different than the received
601 */
602 switch (recv->type)
603 {
604 case GNUTLS_ALERT:
605 if (bufel->msg.size < 2)
606 {
607 ret = gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
608 goto unexpected_packet;
609 }
610
611 _gnutls_record_log
612 ("REC[%p]: Alert[%d|%d] - %s - was received\n", session,
613 bufel->msg.data[0], bufel->msg.data[1], gnutls_alert_get_name ((int) bufel->msg.data[1]));
614
615 session->internals.last_alert = bufel->msg.data[1];
616
617 /* if close notify is received and
618 * the alert is not fatal
619 */
620 if (bufel->msg.data[1] == GNUTLS_A_CLOSE_NOTIFY && bufel->msg.data[0] != GNUTLS_AL_FATAL)
621 {
622 /* If we have been expecting for an alert do
623 */
624 session->internals.read_eof = 1;
625 ret = GNUTLS_E_SESSION_EOF;
626 goto cleanup;
627 }
628 else
629 {
630 /* if the alert is FATAL or WARNING
631 * return the apropriate message
632 */
633
634 gnutls_assert ();
635 ret = GNUTLS_E_WARNING_ALERT_RECEIVED;
636 if (bufel->msg.data[0] == GNUTLS_AL_FATAL)
637 {
638 session_unresumable (session);
639 session_invalidate (session);
640 ret = gnutls_assert_val(GNUTLS_E_FATAL_ALERT_RECEIVED);
641 }
642 goto cleanup;
643 }
644 break;
645
646 case GNUTLS_CHANGE_CIPHER_SPEC:
647 if (!(IS_DTLS(session)))
648 return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET);
649
650 _gnutls_record_buffer_put (session, recv->type, seq, bufel);
651
652 break;
653 case GNUTLS_APPLICATION_DATA:
654 if (session->internals.initial_negotiation_completed == 0)
655 {
656 ret = gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET);
657 goto unexpected_packet;
658 }
659
660
661 /* the got_application data is only returned
662 * if expecting client hello (for rehandshake
663 * reasons). Otherwise it is an unexpected packet
664 */
665 if (type == GNUTLS_ALERT || (htype == GNUTLS_HANDSHAKE_CLIENT_HELLO
666 && type == GNUTLS_HANDSHAKE))
667 {
668 /* even if data is unexpected put it into the buffer */
669 if ((ret =
670 _gnutls_record_buffer_put (session, recv->type, seq,
671 bufel)) < 0)
672 {
673 gnutls_assert ();
674 goto cleanup;
675 }
676
677 return gnutls_assert_val(GNUTLS_E_GOT_APPLICATION_DATA);
678 }
679 else
680 {
681 ret = gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET);
682 goto unexpected_packet;
683 }
684
685 break;
686 case GNUTLS_HANDSHAKE:
687 /* In DTLS we might receive a handshake replay from the peer to indicate
688 * the our last TLS handshake messages were not received.
689 */
690 if (IS_DTLS(session))
691 {
692 if (type == GNUTLS_CHANGE_CIPHER_SPEC)
693 {
694 ret = gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET);
695 goto unexpected_packet;
696 }
697
698 if (_dtls_is_async(session) && _dtls_async_timer_active(session))
699 {
700 if (session->security_parameters.entity == GNUTLS_SERVER &&
701 bufel->htype == GNUTLS_HANDSHAKE_CLIENT_HELLO)
702 {
703 /* client requested rehandshake. Delete the timer */
704 _dtls_async_timer_delete(session);
705 }
706 else
707 {
708 ret = _dtls_retransmit(session);
709 if (ret == 0)
710 {
711 ret = gnutls_assert_val(GNUTLS_E_AGAIN);
712 goto unexpected_packet;
713 }
714 goto cleanup;
715 }
716 }
717 }
718
719 /* This is legal if HELLO_REQUEST is received - and we are a client.
720 * If we are a server, a client may initiate a renegotiation at any time.
721 */
722 if (session->security_parameters.entity == GNUTLS_SERVER &&
723 bufel->htype == GNUTLS_HANDSHAKE_CLIENT_HELLO)
724 {
725 gnutls_assert ();
726 ret =
727 _gnutls_record_buffer_put (session, recv->type, seq, bufel);
728 if (ret < 0)
729 {
730 gnutls_assert ();
731 goto cleanup;
732 }
733 return GNUTLS_E_REHANDSHAKE;
734 }
735
736 /* If we are already in a handshake then a Hello
737 * Request is illegal. But here we don't really care
738 * since this message will never make it up here.
739 */
740
741 /* So we accept it, if it is a Hello. If not, this will
742 * fail and trigger flight retransmissions after some time. */
743 ret = _gnutls_recv_hello_request (session, bufel->msg.data, bufel->msg.size);
744 goto unexpected_packet;
745
746 break;
747 default:
748
749 _gnutls_record_log
750 ("REC[%p]: Received Unknown packet %d expecting %d\n",
751 session, recv->type, type);
752
753 gnutls_assert ();
754 ret = GNUTLS_E_UNEXPECTED_PACKET;
755 goto unexpected_packet;
756 }
757 }
758
759 return 0;
760
761 unexpected_packet:
762 if (IS_DTLS(session) && ret != GNUTLS_E_REHANDSHAKE)
763 {
764 _mbuffer_xfree(&bufel);
765 RETURN_DTLS_EAGAIN_OR_TIMEOUT(session, ret);
766 }
767
768 cleanup:
769 _mbuffer_xfree(&bufel);
770 return ret;
771
772 }
773
774 int _gnutls_get_max_decrypted_data(gnutls_session_t session)
775 {
776 int ret;
777
778 if (gnutls_compression_get (session) != GNUTLS_COMP_NULL ||
779 session->internals.priorities.allow_large_records != 0)
780 ret = MAX_RECORD_RECV_SIZE(session) + EXTRA_COMP_SIZE;
781 else
782 ret = MAX_RECORD_RECV_SIZE(session);
783
784 return ret;
785 }
786
787 /* Checks the record headers and returns the length, version and
788 * content type.
789 */
790 static void
791 record_read_headers (gnutls_session_t session,
792 uint8_t headers[MAX_RECORD_HEADER_SIZE],
793 content_type_t type,
794 gnutls_handshake_description_t htype,
795 struct tls_record_st* record)
796 {
797
798 /* Read the first two bytes to determine if this is a
799 * version 2 message
800 */
801
802 if (htype == GNUTLS_HANDSHAKE_CLIENT_HELLO && type == GNUTLS_HANDSHAKE
803 && headers[0] > 127 && !(IS_DTLS(session)))
804 {
805
806 /* if msb set and expecting handshake message
807 * it should be SSL 2 hello
808 */
809 record->version[0] = 3; /* assume SSL 3.0 */
810 record->version[1] = 0;
811
812 record->length = (((headers[0] & 0x7f) << 8)) | headers[1];
813
814 /* SSL 2.0 headers */
815 record->header_size = record->packet_size = 2;
816 record->type = GNUTLS_HANDSHAKE; /* we accept only v2 client hello
817 */
818
819 /* in order to assist the handshake protocol.
820 * V2 compatibility is a mess.
821 */
822 record->v2 = 1;
823 record->epoch = 0;
824
825 _gnutls_record_log ("REC[%p]: SSL 2.0 %s packet received. Length: %d\n",
826 session,
827 _gnutls_packet2str (record->type),
828 record->length);
829
830 }
831 else
832 {
833 /* dtls version 1.0 and TLS version 1.x */
834 record->v2 = 0;
835
836 record->type = headers[0];
837 record->version[0] = headers[1];
838 record->version[1] = headers[2];
839
840 if(IS_DTLS(session))
841 {
842 memcpy(record->sequence.i, &headers[3], 8);
843 record->length = _gnutls_read_uint16 (&headers[11]);
844 record->epoch = _gnutls_read_uint16(record->sequence.i);
845 }
846 else
847 {
848 record->length = _gnutls_read_uint16 (&headers[3]);
849 record->epoch = 0;
850 }
851
852 _gnutls_record_log ("REC[%p]: SSL %d.%d %s packet received. Epoch %d, length: %d\n",
853 session, (int)record->version[0], (int)record->version[1],
854 _gnutls_packet2str (record->type),
855 (int)record->epoch, record->length);
856
857 }
858
859 record->packet_size += record->length;
860 }
861
862
863 static int recv_headers( gnutls_session_t session, content_type_t type,
864 gnutls_handshake_description_t htype, struct tls_record_st* record)
865 {
866 int ret;
867 gnutls_datum_t raw; /* raw headers */
868 /* Read the headers.
869 */
870 record->header_size = record->packet_size = RECORD_HEADER_SIZE(session);
871
872 if ((ret =
873 _gnutls_io_read_buffered (session, record->header_size, -1)) != record->header_size)
874 {
875 if (ret < 0 && gnutls_error_is_fatal (ret) == 0)
876 return ret;
877
878 if (ret > 0)
879 ret = GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
880 else if (ret == 0)
881 ret = GNUTLS_E_PREMATURE_TERMINATION;
882
883 return gnutls_assert_val(ret);
884 }
885
886 ret = _mbuffer_linearize (&session->internals.record_recv_buffer);
887 if (ret < 0)
888 return gnutls_assert_val(ret);
889
890 _mbuffer_head_get_first (&session->internals.record_recv_buffer, &raw);
891 if (raw.size < RECORD_HEADER_SIZE(session))
892 return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
893
894 record_read_headers (session, raw.data, type, htype, record);
895
896 /* Check if the DTLS epoch is valid */
897 if (IS_DTLS(session))
898 {
899 if (_gnutls_epoch_is_valid(session, record->epoch) == 0)
900 {
901 _gnutls_audit_log(session, "Discarded message[%u] with invalid epoch %u.\n",
902 (unsigned int)_gnutls_uint64touint32 (&record->sequence),
903 (unsigned int)record->sequence.i[0]*256+(unsigned int)record->sequence.i[1]);
904 gnutls_assert();
905 /* doesn't matter, just a fatal error */
906 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
907 }
908 }
909
910 /* Here we check if the Type of the received packet is
911 * ok.
912 */
913 if ((ret = check_recv_type (session, record->type)) < 0)
914 return gnutls_assert_val(ret);
915
916 /* Here we check if the advertized version is the one we
917 * negotiated in the handshake.
918 */
919 if ((ret = record_check_version (session, htype, record->version)) < 0)
920 return gnutls_assert_val(ret);
921
922 if (record->length > MAX_RECV_SIZE(session))
923 {
924 _gnutls_audit_log
925 (session, "Received packet with illegal length: %u\n", (unsigned int)record->length);
926 return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
927 }
928
929 _gnutls_record_log
930 ("REC[%p]: Expected Packet %s(%d)\n", session,
931 _gnutls_packet2str (type), type);
932 _gnutls_record_log ("REC[%p]: Received Packet %s(%d) with length: %d\n",
933 session,
934 _gnutls_packet2str (record->type), record->type, record->length);
935
936
937 return 0;
938 }
939
940 #define MAX_EMPTY_PACKETS_SEQUENCE 4
941
942 /* This will receive record layer packets and add them to
943 * application_data_buffer and handshake_data_buffer.
944 */
945 ssize_t
946 _gnutls_recv_in_buffers (gnutls_session_t session, content_type_t type,
947 gnutls_handshake_description_t htype)
948 {
949 uint64 *packet_sequence;
950 uint8_t *ciphertext;
951 mbuffer_st* bufel = NULL, *decrypted = NULL;
952 int ret;
953 int empty_packet = 0;
954 record_parameters_st *record_params;
955 record_state_st *record_state;
956 struct tls_record_st record;
957
958 begin:
959
960 if (empty_packet > MAX_EMPTY_PACKETS_SEQUENCE)
961 {
962 gnutls_assert ();
963 return GNUTLS_E_TOO_MANY_EMPTY_PACKETS;
964 }
965
966 memset(&record, 0, sizeof(record));
967
968 if (session->internals.read_eof != 0)
969 {
970 /* if we have already read an EOF
971 */
972 return 0;
973 }
974 else if (session_is_valid (session) != 0
975 || session->internals.may_not_read != 0)
976 return gnutls_assert_val(GNUTLS_E_INVALID_SESSION);
977
978 /* get the record state parameters */
979 ret = _gnutls_epoch_get (session, EPOCH_READ_CURRENT, &record_params);
980 if (ret < 0)
981 return gnutls_assert_val (ret);
982
983 /* Safeguard against processing data with an incomplete cipher state. */
984 if (!record_params->initialized)
985 return gnutls_assert_val (GNUTLS_E_INTERNAL_ERROR);
986
987 record_state = &record_params->read;
988
989 /* receive headers */
990 ret = recv_headers(session, type, htype, &record);
991 if (ret < 0)
992 {
993 ret = gnutls_assert_val_fatal(ret);
994 goto recv_error;
995 }
996
997 if (IS_DTLS(session))
998 packet_sequence = &record.sequence;
999 else
1000 packet_sequence = &record_state->sequence_number;
1001
1002 /* Read the packet data and insert it to record_recv_buffer.
1003 */
1004 ret =
1005 _gnutls_io_read_buffered (session, record.packet_size,
1006 record.type);
1007 if (ret != record.packet_size)
1008 {
1009 gnutls_assert();
1010 goto recv_error;
1011 }
1012
1013 /* ok now we are sure that we have read all the data - so
1014 * move on !
1015 */
1016 ret = _mbuffer_linearize (&session->internals.record_recv_buffer);
1017 if (ret < 0)
1018 return gnutls_assert_val(ret);
1019
1020 bufel = _mbuffer_head_get_first (&session->internals.record_recv_buffer, NULL);
1021 if (bufel == NULL)
1022 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
1023
1024 /* We allocate the maximum possible to allow few compressed bytes to expand to a
1025 * full record.
1026 */
1027 decrypted = _mbuffer_alloc(MAX_RECORD_RECV_SIZE(session),
1028 MAX_RECORD_RECV_SIZE(session));
1029 if (decrypted == NULL)
1030 return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
1031
1032 ciphertext = (uint8_t*)_mbuffer_get_udata_ptr(bufel) + record.header_size;
1033
1034 /* decrypt the data we got.
1035 */
1036 ret =
1037 _gnutls_decrypt (session, ciphertext, record.length,
1038 _mbuffer_get_udata_ptr(decrypted), _mbuffer_get_udata_size(decrypted),
1039 record.type, record_params, packet_sequence);
1040 if (ret >= 0) _mbuffer_set_udata_size(decrypted, ret);
1041
1042 _mbuffer_head_remove_bytes (&session->internals.record_recv_buffer,
1043 record.header_size + record.length);
1044 if (ret < 0)
1045 {
1046 gnutls_assert();
1047 _gnutls_audit_log(session, "Discarded message[%u] due to invalid decryption\n",
1048 (unsigned int)_gnutls_uint64touint32 (packet_sequence));
1049 goto sanity_check_error;
1050 }
1051
1052 /* check for duplicates. We check after the message
1053 * is processed and authenticated to avoid someone
1054 * messing with our windows.
1055 */
1056 if (IS_DTLS(session))
1057 {
1058 ret = _dtls_record_check(record_params, packet_sequence);
1059 if (ret < 0)
1060 {
1061 _gnutls_audit_log(session, "Discarded duplicate message[%u]: %s\n",
1062 (unsigned int) _gnutls_uint64touint32 (packet_sequence), _gnutls_packet2str (record.type));
1063 goto sanity_check_error;
1064 }
1065 _gnutls_record_log
1066 ("REC[%p]: Decrypted Packet[%u.%u] %s(%d) with length: %d\n", session,
1067 (unsigned int)record.sequence.i[0]*256 +(unsigned int)record.sequence.i[1],
1068 (unsigned int) _gnutls_uint64touint32 (packet_sequence),
1069 _gnutls_packet2str (record.type), record.type, (int)_mbuffer_get_udata_size(decrypted));
1070 }
1071 else
1072 {
1073 _gnutls_record_log
1074 ("REC[%p]: Decrypted Packet[%u] %s(%d) with length: %d\n", session,
1075 (unsigned int) _gnutls_uint64touint32 (packet_sequence),
1076 _gnutls_packet2str (record.type), record.type, (int)_mbuffer_get_udata_size(decrypted));
1077 }
1078
1079 /* increase sequence number
1080 */
1081 if (!IS_DTLS(session) && sequence_increment (session, &record_state->sequence_number) != 0)
1082 {
1083 session_invalidate (session);
1084 gnutls_assert ();
1085 ret = GNUTLS_E_RECORD_LIMIT_REACHED;
1086 goto sanity_check_error;
1087 }
1088
1089 /* (originally for) TLS 1.0 CBC protection.
1090 * Actually this code is called if we just received
1091 * an empty packet. An empty TLS packet is usually
1092 * sent to protect some vulnerabilities in the CBC mode.
1093 * In that case we go to the beginning and start reading
1094 * the next packet.
1095 */
1096 if (_mbuffer_get_udata_size(decrypted) == 0)
1097 {
1098 _mbuffer_xfree(&decrypted);
1099 empty_packet++;
1100 goto begin;
1101 }
1102
1103 if (record.v2)
1104 decrypted->htype = GNUTLS_HANDSHAKE_CLIENT_HELLO_V2;
1105 else
1106 {
1107 uint8_t * p = _mbuffer_get_udata_ptr(decrypted);
1108 decrypted->htype = p[0];
1109 }
1110
1111 ret =
1112 record_add_to_buffers (session, &record, type, htype,
1113 packet_sequence, decrypted);
1114
1115 /* bufel is now either deinitialized or buffered somewhere else */
1116
1117 if (ret < 0)
1118 return gnutls_assert_val(ret);
1119
1120 return ret;
1121
1122 discard:
1123 session->internals.dtls.packets_dropped++;
1124
1125 /* discard the whole received fragment. */
1126 bufel = _mbuffer_head_pop_first(&session->internals.record_recv_buffer);
1127 _mbuffer_xfree(&bufel);
1128 return gnutls_assert_val(GNUTLS_E_AGAIN);
1129
1130 sanity_check_error:
1131 if (IS_DTLS(session))
1132 {
1133 session->internals.dtls.packets_dropped++;
1134 ret = gnutls_assert_val(GNUTLS_E_AGAIN);
1135 goto cleanup;
1136 }
1137
1138 session_unresumable (session);
1139 session_invalidate (session);
1140
1141 cleanup:
1142 _mbuffer_xfree(&decrypted);
1143 return ret;
1144
1145 recv_error:
1146 if (ret < 0 && gnutls_error_is_fatal (ret) == 0)
1147 return ret;
1148
1149 if (IS_DTLS(session))
1150 {
1151 goto discard;
1152 }
1153
1154 session_invalidate (session);
1155 if (type == GNUTLS_ALERT) /* we were expecting close notify */
1156 {
1157 gnutls_assert ();
1158 return 0;
1159 }
1160 session_unresumable (session);
1161
1162 if (ret == 0)
1163 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
1164 else
1165 return ret;
1166 }
1167
1168 /* This function behaves exactly like read(). The only difference is
1169 * that it accepts the gnutls_session_t and the content_type_t of data to
1170 * receive (if called by the user the Content is Userdata only)
1171 * It is intended to receive data, under the current session.
1172 *
1173 * The gnutls_handshake_description_t was introduced to support SSL V2.0 client hellos.
1174 */
1175 ssize_t
1176 _gnutls_recv_int (gnutls_session_t session, content_type_t type,
1177 gnutls_handshake_description_t htype,
1178 uint8_t * data, size_t data_size, void* seq)
1179 {
1180 int ret;
1181
1182 if (type != GNUTLS_ALERT && (data_size == 0 || data == NULL))
1183 {
1184 return GNUTLS_E_INVALID_REQUEST;
1185 }
1186
1187 if (session->internals.read_eof != 0)
1188 {
1189 /* if we have already read an EOF
1190 */
1191 return 0;
1192 }
1193 else if (session_is_valid (session) != 0
1194 || session->internals.may_not_read != 0)
1195 {
1196 gnutls_assert ();
1197 return GNUTLS_E_INVALID_SESSION;
1198 }
1199
1200 _dtls_async_timer_check(session);
1201
1202 /* If we have enough data in the cache do not bother receiving
1203 * a new packet. (in order to flush the cache)
1204 */
1205 ret = check_buffers (session, type, data, data_size, seq);
1206 if (ret != 0)
1207 return ret;
1208
1209 ret = _gnutls_recv_in_buffers(session, type, htype);
1210 if (ret < 0 && ret != GNUTLS_E_SESSION_EOF)
1211 return gnutls_assert_val(ret);
1212
1213 return check_buffers (session, type, data, data_size, seq);
1214 }
1215
1216
1217 /**
1218 * gnutls_record_send:
1219 * @session: is a #gnutls_session_t structure.
1220 * @data: contains the data to send
1221 * @data_size: is the length of the data
1222 *
1223 * This function has the similar semantics with send(). The only
1224 * difference is that it accepts a GnuTLS session, and uses different
1225 * error codes.
1226 * Note that if the send buffer is full, send() will block this
1227 * function. See the send() documentation for full information. You
1228 * can replace the default push function by using
1229 * gnutls_transport_set_ptr2() with a call to send() with a
1230 * MSG_DONTWAIT flag if blocking is a problem.
1231 * If the EINTR is returned by the internal push function (the
1232 * default is send()) then %GNUTLS_E_INTERRUPTED will be returned. If
1233 * %GNUTLS_E_INTERRUPTED or %GNUTLS_E_AGAIN is returned, you must
1234 * call this function again, with the same parameters; alternatively
1235 * you could provide a %NULL pointer for data, and 0 for
1236 * size. cf. gnutls_record_get_direction(). The errno value EMSGSIZE
1237 * maps to %GNUTLS_E_LARGE_PACKET.
1238 *
1239 * Returns: The number of bytes sent, or a negative error code. The
1240 * number of bytes sent might be less than @data_size. The maximum
1241 * number of bytes this function can send in a single call depends
1242 * on the negotiated maximum record size.
1243 **/
1244 ssize_t
1245 gnutls_record_send (gnutls_session_t session, const void *data,
1246 size_t data_size)
1247 {
1248 return _gnutls_send_int (session, GNUTLS_APPLICATION_DATA, -1,
1249 EPOCH_WRITE_CURRENT, data, data_size,
1250 MBUFFER_FLUSH);
1251 }
1252
1253 /**
1254 * gnutls_record_recv:
1255 * @session: is a #gnutls_session_t structure.
1256 * @data: the buffer that the data will be read into
1257 * @data_size: the number of requested bytes
1258 *
1259 * This function has the similar semantics with recv(). The only
1260 * difference is that it accepts a GnuTLS session, and uses different
1261 * error codes.
1262 * In the special case that a server requests a renegotiation, the
1263 * client may receive an error code of %GNUTLS_E_REHANDSHAKE. This
1264 * message may be simply ignored, replied with an alert
1265 * %GNUTLS_A_NO_RENEGOTIATION, or replied with a new handshake,
1266 * depending on the client's will.
1267 * If %EINTR is returned by the internal push function (the default
1268 * is recv()) then %GNUTLS_E_INTERRUPTED will be returned. If
1269 * %GNUTLS_E_INTERRUPTED or %GNUTLS_E_AGAIN is returned, you must
1270 * call this function again to get the data. See also
1271 * gnutls_record_get_direction().
1272 * A server may also receive %GNUTLS_E_REHANDSHAKE when a client has
1273 * initiated a handshake. In that case the server can only initiate a
1274 * handshake or terminate the connection.
1275 *
1276 * Returns: The number of bytes received and zero on EOF (for stream
1277 * connections). A negative error code is returned in case of an error.
1278 * The number of bytes received might be less than the requested @data_size.
1279 **/
1280 ssize_t
1281 gnutls_record_recv (gnutls_session_t session, void *data, size_t data_size)
1282 {
1283 return _gnutls_recv_int (session, GNUTLS_APPLICATION_DATA, -1, data,
1284 data_size, NULL);
1285 }
1286
1287 /**
1288 * gnutls_record_recv_seq:
1289 * @session: is a #gnutls_session_t structure.
1290 * @data: the buffer that the data will be read into
1291 * @data_size: the number of requested bytes
1292 * @seq: is the packet's 64-bit sequence number. Should have space for 8 bytes.
1293 *
1294 * This function is the same as gnutls_record_recv(), except that
1295 * it returns in addition to data, the sequence number of the data.
1296 * This is useful in DTLS where record packets might be received
1297 * out-of-order. The returned 8-byte sequence number is an
1298 * integer in big-endian format and should be
1299 * treated as a unique message identification.
1300 *
1301 * Returns: The number of bytes received and zero on EOF. A negative
1302 * error code is returned in case of an error. The number of bytes
1303 * received might be less than @data_size.
1304 *
1305 * Since: 3.0
1306 **/
1307 ssize_t
1308 gnutls_record_recv_seq (gnutls_session_t session, void *data, size_t data_size,
1309 unsigned char *seq)
1310 {
1311 return _gnutls_recv_int (session, GNUTLS_APPLICATION_DATA, -1, data,
1312 data_size, seq);
1313 }
Implementation of the SSL/TLS protocol