search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
documented fix
[gnutls.git] / lib / gnutls_handshake.c
blob10c6ecb10e2f87978e32d5c00a6acfc0d0feda5c
1 /*
2 * Copyright (C) 2000-2012 Free Software Foundation, Inc.
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GnuTLS.
7 *
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
20 *
21 */
22
23 /* Functions that relate to the TLS handshake procedure.
24 */
25
26 #include "gnutls_int.h"
27 #include "gnutls_errors.h"
28 #include "gnutls_dh.h"
29 #include "debug.h"
30 #include "algorithms.h"
31 #include "gnutls_compress.h"
32 #include "gnutls_cipher.h"
33 #include "gnutls_buffers.h"
34 #include "gnutls_mbuffers.h"
35 #include "gnutls_kx.h"
36 #include "gnutls_handshake.h"
37 #include "gnutls_num.h"
38 #include "gnutls_hash_int.h"
39 #include "gnutls_db.h"
40 #include "gnutls_extensions.h"
41 #include "gnutls_supplemental.h"
42 #include "gnutls_auth.h"
43 #include "gnutls_v2_compat.h"
44 #include <auth/cert.h>
45 #include "gnutls_constate.h"
46 #include <gnutls_record.h>
47 #include <gnutls_state.h>
48 #include <ext/srp.h>
49 #include <ext/session_ticket.h>
50 #include <ext/safe_renegotiation.h>
51 #include <gnutls_rsa_export.h> /* for gnutls_get_rsa_params() */
52 #include <auth/anon.h> /* for gnutls_anon_server_credentials_t */
53 #include <auth/psk.h> /* for gnutls_psk_server_credentials_t */
54 #include <random.h>
55 #include <gnutls_dtls.h>
56
57 #ifdef HANDSHAKE_DEBUG
58 #define ERR(x, y) _gnutls_handshake_log("HSK[%p]: %s (%d)\n", session, x,y)
59 #else
60 #define ERR(x, y)
61 #endif
62
63 #define TRUE 1
64 #define FALSE 0
65
66 static int _gnutls_server_select_comp_method (gnutls_session_t session,
67 uint8_t * data, int datalen);
68 static int
69 _gnutls_remove_unwanted_ciphersuites (gnutls_session_t session,
70 uint8_t * cipher_suites,
71 int cipher_suites_size,
72 gnutls_pk_algorithm_t *pk_algos,
73 size_t pk_algos_size);
74 static int _gnutls_handshake_common (gnutls_session_t session);
75 static int _gnutls_handshake_client (gnutls_session_t session);
76 static int _gnutls_handshake_server (gnutls_session_t session);
77
78 /* Empties but does not free the buffer
79 */
80 static inline void
81 _gnutls_handshake_hash_buffer_empty (gnutls_session_t session)
82 {
83
84 _gnutls_buffers_log ("BUF[HSK]: Emptied buffer\n");
85
86 session->internals.handshake_hash_buffer_prev_len = 0;
87 session->internals.handshake_hash_buffer.length = 0;
88 return;
89 }
90
91 static int
92 _gnutls_handshake_hash_add_recvd (gnutls_session_t session,
93 gnutls_handshake_description_t recv_type,
94 uint8_t * header, uint16_t header_size,
95 uint8_t * dataptr, uint32_t datalen);
96
97 static int
98 _gnutls_handshake_hash_add_sent (gnutls_session_t session,
99 gnutls_handshake_description_t type,
100 uint8_t * dataptr, uint32_t datalen);
101
102 static int
103 _gnutls_recv_hello_verify_request (gnutls_session_t session,
104 uint8_t * data, int datalen);
105
106
107 /* Clears the handshake hash buffers and handles.
108 */
109 void
110 _gnutls_handshake_hash_buffers_clear (gnutls_session_t session)
111 {
112 session->internals.handshake_hash_buffer_prev_len = 0;
113 _gnutls_buffer_clear(&session->internals.handshake_hash_buffer);
114 }
115
116 /* this will copy the required values for resuming to
117 * internals, and to security_parameters.
118 * this will keep as less data to security_parameters.
119 */
120 static void
121 resume_copy_required_values (gnutls_session_t session)
122 {
123 /* get the new random values */
124 memcpy (session->internals.resumed_security_parameters.server_random,
125 session->security_parameters.server_random, GNUTLS_RANDOM_SIZE);
126 memcpy (session->internals.resumed_security_parameters.client_random,
127 session->security_parameters.client_random, GNUTLS_RANDOM_SIZE);
128
129 /* keep the ciphersuite and compression
130 * That is because the client must see these in our
131 * hello message.
132 */
133 memcpy (session->security_parameters.cipher_suite,
134 session->internals.resumed_security_parameters.cipher_suite, 2);
135 session->security_parameters.compression_method = session->internals.resumed_security_parameters.compression_method;
136
137 _gnutls_epoch_set_cipher_suite (session, EPOCH_NEXT,
138 session->
139 internals.resumed_security_parameters.cipher_suite);
140 _gnutls_epoch_set_compression (session, EPOCH_NEXT,
141 session->
142 internals.resumed_security_parameters.compression_method);
143
144 /* or write_compression_algorithm
145 * they are the same
146 */
147
148 session->security_parameters.entity =
149 session->internals.resumed_security_parameters.entity;
150
151 _gnutls_set_current_version (session,
152 session->internals.resumed_security_parameters.
153 version);
154
155 session->security_parameters.cert_type =
156 session->internals.resumed_security_parameters.cert_type;
157
158 memcpy (session->security_parameters.session_id,
159 session->internals.resumed_security_parameters.session_id,
160 sizeof (session->security_parameters.session_id));
161 session->security_parameters.session_id_size =
162 session->internals.resumed_security_parameters.session_id_size;
163
164 }
165
166 void
167 _gnutls_set_server_random (gnutls_session_t session, uint8_t * rnd)
168 {
169 memcpy (session->security_parameters.server_random, rnd,
170 GNUTLS_RANDOM_SIZE);
171 }
172
173 void
174 _gnutls_set_client_random (gnutls_session_t session, uint8_t * rnd)
175 {
176 memcpy (session->security_parameters.client_random, rnd,
177 GNUTLS_RANDOM_SIZE);
178 }
179
180 /* Calculate The SSL3 Finished message
181 */
182 #define SSL3_CLIENT_MSG "CLNT"
183 #define SSL3_SERVER_MSG "SRVR"
184 #define SSL_MSG_LEN 4
185 static int
186 _gnutls_ssl3_finished (gnutls_session_t session, int type, uint8_t * ret, int sending)
187 {
188 digest_hd_st td_md5;
189 digest_hd_st td_sha;
190 const char *mesg;
191 int rc, len;
192
193 if (sending)
194 len = session->internals.handshake_hash_buffer.length;
195 else
196 len = session->internals.handshake_hash_buffer_prev_len;
197
198 rc = _gnutls_hash_init (&td_sha, GNUTLS_DIG_SHA1);
199 if (rc < 0)
200 return gnutls_assert_val(rc);
201
202 rc = _gnutls_hash_init (&td_md5, GNUTLS_DIG_MD5);
203 if (rc < 0)
204 {
205 _gnutls_hash_deinit (&td_sha, NULL);
206 return gnutls_assert_val(rc);
207 }
208
209 _gnutls_hash(&td_sha, session->internals.handshake_hash_buffer.data, len);
210 _gnutls_hash(&td_md5, session->internals.handshake_hash_buffer.data, len);
211
212 if (type == GNUTLS_SERVER)
213 mesg = SSL3_SERVER_MSG;
214 else
215 mesg = SSL3_CLIENT_MSG;
216
217 _gnutls_hash (&td_md5, mesg, SSL_MSG_LEN);
218 _gnutls_hash (&td_sha, mesg, SSL_MSG_LEN);
219
220 rc = _gnutls_mac_deinit_ssl3_handshake (&td_md5, ret,
221 session->
222 security_parameters.master_secret,
223 GNUTLS_MASTER_SIZE);
224 if (rc < 0)
225 {
226 _gnutls_hash_deinit (&td_md5, NULL);
227 _gnutls_hash_deinit (&td_sha, NULL);
228 return gnutls_assert_val(rc);
229 }
230
231 rc = _gnutls_mac_deinit_ssl3_handshake (&td_sha, &ret[16],
232 session->
233 security_parameters.master_secret,
234 GNUTLS_MASTER_SIZE);
235 if (rc < 0)
236 {
237 _gnutls_hash_deinit (&td_sha, NULL);
238 return gnutls_assert_val(rc);
239 }
240
241 return 0;
242 }
243
244 /* Hash the handshake messages as required by TLS 1.0
245 */
246 #define SERVER_MSG "server finished"
247 #define CLIENT_MSG "client finished"
248 #define TLS_MSG_LEN 15
249 static int
250 _gnutls_finished (gnutls_session_t session, int type, void *ret, int sending)
251 {
252 const int siz = TLS_MSG_LEN;
253 uint8_t concat[MAX_HASH_SIZE + 16 /*MD5 */ ];
254 size_t hash_len;
255 const char *mesg;
256 int rc, len;
257
258 if (sending)
259 len = session->internals.handshake_hash_buffer.length;
260 else
261 len = session->internals.handshake_hash_buffer_prev_len;
262
263 if (!_gnutls_version_has_selectable_prf (gnutls_protocol_get_version(session)))
264 {
265 rc = _gnutls_hash_fast( GNUTLS_DIG_SHA1, session->internals.handshake_hash_buffer.data, len, &concat[16]);
266 if (rc < 0)
267 return gnutls_assert_val(rc);
268
269 rc = _gnutls_hash_fast( GNUTLS_DIG_MD5, session->internals.handshake_hash_buffer.data, len, concat);
270 if (rc < 0)
271 return gnutls_assert_val(rc);
272
273 hash_len = 20 + 16;
274 }
275 else
276 {
277 int algorithm = _gnutls_cipher_suite_get_prf(session->security_parameters.cipher_suite);
278
279 rc = _gnutls_hash_fast( algorithm, session->internals.handshake_hash_buffer.data, len, concat);
280 if (rc < 0)
281 return gnutls_assert_val(rc);
282
283 hash_len = _gnutls_hash_get_algo_len (algorithm);
284 }
285
286 if (type == GNUTLS_SERVER)
287 {
288 mesg = SERVER_MSG;
289 }
290 else
291 {
292 mesg = CLIENT_MSG;
293 }
294
295 return _gnutls_PRF (session, session->security_parameters.master_secret,
296 GNUTLS_MASTER_SIZE, mesg, siz, concat, hash_len, 12, ret);
297 }
298
299 /* this function will produce GNUTLS_RANDOM_SIZE==32 bytes of random data
300 * and put it to dst.
301 */
302 int
303 _gnutls_tls_create_random (uint8_t * dst)
304 {
305 uint32_t tim;
306 int ret;
307
308 /* Use weak random numbers for the most of the
309 * buffer except for the first 4 that are the
310 * system's time.
311 */
312
313 tim = gnutls_time (NULL);
314 /* generate server random value */
315 _gnutls_write_uint32 (tim, dst);
316
317 ret = _gnutls_rnd (GNUTLS_RND_NONCE, &dst[4], GNUTLS_RANDOM_SIZE - 4);
318 if (ret < 0)
319 {
320 gnutls_assert ();
321 return ret;
322 }
323
324 return 0;
325 }
326
327 /* returns the 0 on success or a negative error code.
328 */
329 int
330 _gnutls_negotiate_version (gnutls_session_t session,
331 gnutls_protocol_t adv_version)
332 {
333 int ret;
334
335 /* if we do not support that version */
336 if (_gnutls_version_is_supported (session, adv_version) == 0)
337 {
338 /* If he requested something we do not support
339 * then we send him the highest we support.
340 */
341 ret = _gnutls_version_max (session);
342 if (ret == GNUTLS_VERSION_UNKNOWN)
343 {
344 /* this check is not really needed.
345 */
346 gnutls_assert ();
347 return GNUTLS_E_UNKNOWN_CIPHER_SUITE;
348 }
349 }
350 else
351 {
352 ret = adv_version;
353 }
354
355 _gnutls_set_current_version (session, ret);
356
357 return ret;
358 }
359
360 int
361 _gnutls_user_hello_func (gnutls_session_t session,
362 gnutls_protocol_t adv_version)
363 {
364 int ret;
365
366 if (session->internals.user_hello_func != NULL)
367 {
368 ret = session->internals.user_hello_func (session);
369 if (ret < 0)
370 {
371 gnutls_assert ();
372 return ret;
373 }
374 /* Here we need to renegotiate the version since the callee might
375 * have disabled some TLS versions.
376 */
377 ret = _gnutls_negotiate_version (session, adv_version);
378 if (ret < 0)
379 {
380 gnutls_assert ();
381 return ret;
382 }
383 }
384 return 0;
385 }
386
387 /* Read a client hello packet.
388 * A client hello must be a known version client hello
389 * or version 2.0 client hello (only for compatibility
390 * since SSL version 2.0 is not supported).
391 */
392 static int
393 _gnutls_read_client_hello (gnutls_session_t session, uint8_t * data,
394 int datalen)
395 {
396 uint8_t session_id_len;
397 int pos = 0, ret;
398 uint16_t suite_size, comp_size;
399 gnutls_protocol_t adv_version;
400 int neg_version;
401 int len = datalen;
402 uint8_t rnd[GNUTLS_RANDOM_SIZE], *suite_ptr, *comp_ptr, *session_id;
403
404 DECR_LEN (len, 2);
405
406 _gnutls_handshake_log ("HSK[%p]: Client's version: %d.%d\n", session,
407 data[pos], data[pos + 1]);
408
409 adv_version = _gnutls_version_get (data[pos], data[pos + 1]);
410 set_adv_version (session, data[pos], data[pos + 1]);
411 pos += 2;
412
413 neg_version = _gnutls_negotiate_version (session, adv_version);
414 if (neg_version < 0)
415 {
416 gnutls_assert ();
417 return neg_version;
418 }
419
420 /* Read client random value.
421 */
422 DECR_LEN (len, GNUTLS_RANDOM_SIZE);
423 _gnutls_set_client_random (session, &data[pos]);
424 pos += GNUTLS_RANDOM_SIZE;
425
426 _gnutls_tls_create_random (rnd);
427 _gnutls_set_server_random (session, rnd);
428
429 session->security_parameters.timestamp = gnutls_time (NULL);
430
431 DECR_LEN (len, 1);
432 session_id_len = data[pos++];
433
434 /* RESUME SESSION
435 */
436 if (session_id_len > TLS_MAX_SESSION_ID_SIZE)
437 {
438 gnutls_assert ();
439 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
440 }
441 DECR_LEN (len, session_id_len);
442 session_id = &data[pos];
443 pos += session_id_len;
444
445 if (IS_DTLS(session))
446 {
447 int cookie_size;
448
449 DECR_LEN (len, 1);
450 cookie_size = data[pos++];
451 DECR_LEN (len, cookie_size);
452 pos+=cookie_size;
453 }
454
455 ret = _gnutls_server_restore_session (session, session_id, session_id_len);
456
457 if (session_id_len > 0) session->internals.resumption_requested = 1;
458
459 if (ret == 0)
460 { /* resumed using default TLS resumption! */
461 /* Parse only the safe renegotiation extension
462 * We don't want to parse any other extensions since
463 * we don't want new extension values to overwrite the
464 * resumed ones.
465 */
466
467 /* move forward to extensions */
468 DECR_LEN (len, 2);
469 suite_size = _gnutls_read_uint16 (&data[pos]);
470 pos += 2;
471
472 DECR_LEN (len, suite_size);
473 pos += suite_size;
474
475 DECR_LEN (len, 1);
476 comp_size = data[pos++]; /* z is the number of compression methods */
477 DECR_LEN (len, comp_size);
478 pos += comp_size;
479
480 ret = _gnutls_parse_extensions (session, GNUTLS_EXT_MANDATORY,
481 &data[pos], len);
482 if (ret < 0)
483 {
484 gnutls_assert ();
485 return ret;
486 }
487
488 resume_copy_required_values (session);
489 session->internals.resumed = RESUME_TRUE;
490
491 return _gnutls_user_hello_func (session, adv_version);
492 }
493 else
494 {
495 _gnutls_generate_session_id (session->security_parameters.session_id,
496 &session->
497 security_parameters.session_id_size);
498
499 session->internals.resumed = RESUME_FALSE;
500 }
501
502 /* Remember ciphersuites for later
503 */
504 DECR_LEN (len, 2);
505 suite_size = _gnutls_read_uint16 (&data[pos]);
506 pos += 2;
507
508 DECR_LEN (len, suite_size);
509 suite_ptr = &data[pos];
510 pos += suite_size;
511
512 /* Point to the compression methods
513 */
514 DECR_LEN (len, 1);
515 comp_size = data[pos++]; /* z is the number of compression methods */
516
517 DECR_LEN (len, comp_size);
518 comp_ptr = &data[pos];
519 pos += comp_size;
520
521 /* Parse the extensions (if any)
522 *
523 * Unconditionally try to parse extensions; safe renegotiation uses them in
524 * sslv3 and higher, even though sslv3 doesn't officially support them.
525 */
526 ret = _gnutls_parse_extensions (session, GNUTLS_EXT_APPLICATION,
527 &data[pos], len);
528 /* len is the rest of the parsed length */
529 if (ret < 0)
530 {
531 gnutls_assert ();
532 return ret;
533 }
534
535 ret = _gnutls_user_hello_func (session, adv_version);
536 if (ret < 0)
537 {
538 gnutls_assert ();
539 return ret;
540 }
541
542 ret = _gnutls_parse_extensions (session, GNUTLS_EXT_MANDATORY,
543 &data[pos], len);
544 if (ret < 0)
545 {
546 gnutls_assert ();
547 return ret;
548 }
549
550 ret = _gnutls_parse_extensions (session, GNUTLS_EXT_TLS, &data[pos], len);
551 if (ret < 0)
552 {
553 gnutls_assert ();
554 return ret;
555 }
556
557 /* resumed by session_ticket extension */
558 if (session->internals.resumed != RESUME_FALSE)
559 {
560 /* to indicate the client that the current session is resumed */
561 memcpy (session->internals.resumed_security_parameters.session_id,
562 session_id, session_id_len);
563 session->internals.resumed_security_parameters.session_id_size =
564 session_id_len;
565
566 session->internals.resumed_security_parameters.max_record_recv_size =
567 session->security_parameters.max_record_recv_size;
568 session->internals.resumed_security_parameters.max_record_send_size =
569 session->security_parameters.max_record_send_size;
570
571 resume_copy_required_values (session);
572
573 return _gnutls_user_hello_func (session, adv_version);
574 }
575
576 /* select an appropriate cipher suite
577 */
578 ret = _gnutls_server_select_suite (session, suite_ptr, suite_size);
579 if (ret < 0)
580 {
581 gnutls_assert ();
582 return ret;
583 }
584
585 /* select appropriate compression method */
586 ret = _gnutls_server_select_comp_method (session, comp_ptr, comp_size);
587 if (ret < 0)
588 {
589 gnutls_assert ();
590 return ret;
591 }
592
593 return 0;
594 }
595
596 /* This is to be called after sending CHANGE CIPHER SPEC packet
597 * and initializing encryption. This is the first encrypted message
598 * we send.
599 */
600 static int
601 _gnutls_send_finished (gnutls_session_t session, int again)
602 {
603 mbuffer_st *bufel;
604 uint8_t *data;
605 int ret;
606 size_t vdata_size = 0;
607
608 if (again == 0)
609 {
610 bufel = _gnutls_handshake_alloc (session, MAX_VERIFY_DATA_SIZE, MAX_VERIFY_DATA_SIZE);
611 if (bufel == NULL)
612 {
613 gnutls_assert ();
614 return GNUTLS_E_MEMORY_ERROR;
615 }
616 data = _mbuffer_get_udata_ptr (bufel);
617
618 if (gnutls_protocol_get_version (session) == GNUTLS_SSL3)
619 {
620 ret =
621 _gnutls_ssl3_finished (session,
622 session->security_parameters.entity, data, 1);
623 _mbuffer_set_udata_size (bufel, 36);
624 }
625 else
626 { /* TLS 1.0+ */
627 ret = _gnutls_finished (session,
628 session->security_parameters.entity, data, 1);
629 _mbuffer_set_udata_size (bufel, 12);
630 }
631
632 if (ret < 0)
633 {
634 gnutls_assert ();
635 return ret;
636 }
637
638 vdata_size = _mbuffer_get_udata_size (bufel);
639
640 ret = _gnutls_ext_sr_finished (session, data, vdata_size, 0);
641 if (ret < 0)
642 {
643 gnutls_assert ();
644 return ret;
645 }
646
647 if ((session->internals.resumed == RESUME_FALSE
648 && session->security_parameters.entity == GNUTLS_CLIENT)
649 || (session->internals.resumed != RESUME_FALSE
650 && session->security_parameters.entity == GNUTLS_SERVER))
651 {
652 /* if we are a client not resuming - or we are a server resuming */
653 _gnutls_handshake_log ("HSK[%p]: recording tls-unique CB (send)\n",
654 session);
655 memcpy (session->internals.cb_tls_unique, data, vdata_size);
656 session->internals.cb_tls_unique_len = vdata_size;
657 }
658
659 ret =
660 _gnutls_send_handshake (session, bufel, GNUTLS_HANDSHAKE_FINISHED);
661 }
662 else
663 {
664 ret = _gnutls_send_handshake (session, NULL, GNUTLS_HANDSHAKE_FINISHED);
665 }
666
667 return ret;
668 }
669
670 /* This is to be called after sending our finished message. If everything
671 * went fine we have negotiated a secure connection
672 */
673 static int
674 _gnutls_recv_finished (gnutls_session_t session)
675 {
676 uint8_t data[MAX_VERIFY_DATA_SIZE], *vrfy;
677 gnutls_buffer_st buf;
678 int data_size;
679 int ret;
680 int vrfy_size;
681
682 ret =
683 _gnutls_recv_handshake (session, GNUTLS_HANDSHAKE_FINISHED,
684 0, &buf);
685 if (ret < 0)
686 {
687 ERR ("recv finished int", ret);
688 gnutls_assert ();
689 return ret;
690 }
691
692 vrfy = buf.data;
693 vrfy_size = buf.length;
694
695 if (gnutls_protocol_get_version (session) == GNUTLS_SSL3)
696 {
697 data_size = 36;
698 }
699 else
700 {
701 data_size = 12;
702 }
703
704 if (vrfy_size != data_size)
705 {
706 gnutls_assert ();
707 ret = GNUTLS_E_ERROR_IN_FINISHED_PACKET;
708 goto cleanup;
709 }
710
711 if (gnutls_protocol_get_version (session) == GNUTLS_SSL3)
712 {
713 ret =
714 _gnutls_ssl3_finished (session,
715 (session->security_parameters.entity + 1) % 2,
716 data, 0);
717 }
718 else
719 { /* TLS 1.0 */
720 ret =
721 _gnutls_finished (session,
722 (session->security_parameters.entity +
723 1) % 2, data, 0);
724 }
725
726 if (ret < 0)
727 {
728 gnutls_assert ();
729 goto cleanup;
730 }
731
732 if (memcmp (vrfy, data, data_size) != 0)
733 {
734 gnutls_assert ();
735 ret = GNUTLS_E_ERROR_IN_FINISHED_PACKET;
736 goto cleanup;
737 }
738
739 ret = _gnutls_ext_sr_finished (session, data, data_size, 1);
740 if (ret < 0)
741 {
742 gnutls_assert ();
743 goto cleanup;
744 }
745
746 if ((session->internals.resumed != RESUME_FALSE
747 && session->security_parameters.entity == GNUTLS_CLIENT)
748 || (session->internals.resumed == RESUME_FALSE
749 && session->security_parameters.entity == GNUTLS_SERVER))
750 {
751 /* if we are a client resuming - or we are a server not resuming */
752 _gnutls_handshake_log ("HSK[%p]: recording tls-unique CB (recv)\n",
753 session);
754 memcpy (session->internals.cb_tls_unique, data, data_size);
755 session->internals.cb_tls_unique_len = data_size;
756 }
757
758
759 session->internals.initial_negotiation_completed = 1;
760
761 cleanup:
762 _gnutls_buffer_clear(&buf);
763
764 return ret;
765 }
766
767 /* returns PK_RSA if the given cipher suite list only supports,
768 * RSA algorithms, PK_DSA if DSS, and PK_ANY for both or PK_NONE for none.
769 */
770 static int
771 server_find_pk_algos_in_ciphersuites (const uint8_t *
772 data, unsigned int datalen,
773 gnutls_pk_algorithm_t * algos,
774 size_t* algos_size)
775 {
776 unsigned int j;
777 gnutls_kx_algorithm_t kx;
778 unsigned int max = *algos_size;
779
780 if (datalen % 2 != 0)
781 {
782 gnutls_assert ();
783 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
784 }
785
786 *algos_size = 0;
787 for (j = 0; j < datalen; j += 2)
788 {
789 kx = _gnutls_cipher_suite_get_kx_algo (&data[j]);
790 if (_gnutls_map_kx_get_cred (kx, 1) == GNUTLS_CRD_CERTIFICATE)
791 {
792 algos[(*algos_size)++] = _gnutls_map_pk_get_pk (kx);
793
794 if ((*algos_size) >= max)
795 return 0;
796 }
797 }
798
799 return 0;
800 }
801
802 /* This selects the best supported ciphersuite from the given ones. Then
803 * it adds the suite to the session and performs some checks.
804 */
805 int
806 _gnutls_server_select_suite (gnutls_session_t session, uint8_t * data,
807 unsigned int datalen)
808 {
809 int ret;
810 unsigned int i, j, cipher_suites_size;
811 size_t pk_algos_size;
812 uint8_t cipher_suites[MAX_CIPHERSUITE_SIZE];
813 int retval, err;
814 gnutls_pk_algorithm_t pk_algos[MAX_ALGOS]; /* will hold the pk algorithms
815 * supported by the peer.
816 */
817
818 /* First, check for safe renegotiation SCSV.
819 */
820 if (session->internals.priorities.sr != SR_DISABLED)
821 {
822 unsigned int offset;
823
824 for (offset = 0; offset < datalen; offset += 2)
825 {
826 /* TLS_RENEGO_PROTECTION_REQUEST = { 0x00, 0xff } */
827 if (data[offset] == GNUTLS_RENEGO_PROTECTION_REQUEST_MAJOR &&
828 data[offset + 1] == GNUTLS_RENEGO_PROTECTION_REQUEST_MINOR)
829 {
830 _gnutls_handshake_log
831 ("HSK[%p]: Received safe renegotiation CS\n", session);
832 retval = _gnutls_ext_sr_recv_cs (session);
833 if (retval < 0)
834 {
835 gnutls_assert ();
836 return retval;
837 }
838 break;
839 }
840 }
841 }
842
843 pk_algos_size = MAX_ALGOS;
844 ret = server_find_pk_algos_in_ciphersuites (data, datalen, pk_algos, &pk_algos_size);
845 if (ret < 0)
846 return gnutls_assert_val(ret);
847
848 ret = _gnutls_supported_ciphersuites (session, cipher_suites, sizeof(cipher_suites));
849 if (ret < 0)
850 return gnutls_assert_val(ret);
851
852 cipher_suites_size = ret;
853
854 /* Here we remove any ciphersuite that does not conform
855 * the certificate requested, or to the
856 * authentication requested (e.g. SRP).
857 */
858 ret = _gnutls_remove_unwanted_ciphersuites (session, cipher_suites, cipher_suites_size, pk_algos, pk_algos_size);
859 if (ret <= 0)
860 {
861 gnutls_assert ();
862 if (ret < 0)
863 return ret;
864 else
865 return GNUTLS_E_UNKNOWN_CIPHER_SUITE;
866 }
867
868 cipher_suites_size = ret;
869
870 /* Data length should be zero mod 2 since
871 * every ciphersuite is 2 bytes. (this check is needed
872 * see below).
873 */
874 if (datalen % 2 != 0)
875 {
876 gnutls_assert ();
877 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
878 }
879
880 memset (session->security_parameters.cipher_suite, 0, 2);
881
882 retval = GNUTLS_E_UNKNOWN_CIPHER_SUITE;
883
884 _gnutls_handshake_log ("HSK[%p]: Requested cipher suites[size: %d]: \n", session, (int)datalen);
885
886 if (session->internals.priorities.server_precedence == 0)
887 {
888 for (j = 0; j < datalen; j += 2)
889 {
890 _gnutls_handshake_log ("\t0x%.2x, 0x%.2x %s\n", data[j], data[j+1], _gnutls_cipher_suite_get_name (&data[j]));
891 for (i = 0; i < cipher_suites_size; i+=2)
892 {
893 if (memcmp (&cipher_suites[i], &data[j], 2) == 0)
894 {
895 _gnutls_handshake_log
896 ("HSK[%p]: Selected cipher suite: %s\n", session,
897 _gnutls_cipher_suite_get_name (&data[j]));
898 memcpy (session->security_parameters.cipher_suite,
899 &cipher_suites[i], 2);
900 _gnutls_epoch_set_cipher_suite (session, EPOCH_NEXT,
901 session->
902 security_parameters.cipher_suite);
903
904
905 retval = 0;
906 goto finish;
907 }
908 }
909 }
910 }
911 else /* server selects */
912 {
913 for (i = 0; i < cipher_suites_size; i+=2)
914 {
915 for (j = 0; j < datalen; j += 2)
916 {
917 if (memcmp (&cipher_suites[i], &data[j], 2) == 0)
918 {
919 _gnutls_handshake_log
920 ("HSK[%p]: Selected cipher suite: %s\n", session,
921 _gnutls_cipher_suite_get_name (&data[j]));
922 memcpy (session->security_parameters.cipher_suite,
923 &cipher_suites[i], 2);
924 _gnutls_epoch_set_cipher_suite (session, EPOCH_NEXT,
925 session->
926 security_parameters.cipher_suite);
927
928
929 retval = 0;
930 goto finish;
931 }
932 }
933 }
934 }
935 finish:
936
937 if (retval != 0)
938 {
939 gnutls_assert ();
940 return retval;
941 }
942
943 /* check if the credentials (username, public key etc.) are ok
944 */
945 if (_gnutls_get_kx_cred
946 (session,
947 _gnutls_cipher_suite_get_kx_algo (session->
948 security_parameters.cipher_suite),
949 &err) == NULL && err != 0)
950 {
951 gnutls_assert ();
952 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
953 }
954
955
956 /* set the mod_auth_st to the appropriate struct
957 * according to the KX algorithm. This is needed since all the
958 * handshake functions are read from there;
959 */
960 session->internals.auth_struct =
961 _gnutls_kx_auth_struct (_gnutls_cipher_suite_get_kx_algo
962 (session->
963 security_parameters.cipher_suite));
964 if (session->internals.auth_struct == NULL)
965 {
966
967 _gnutls_handshake_log
968 ("HSK[%p]: Cannot find the appropriate handler for the KX algorithm\n",
969 session);
970 gnutls_assert ();
971 return GNUTLS_E_INTERNAL_ERROR;
972 }
973
974 return 0;
975
976 }
977
978
979 /* This selects the best supported compression method from the ones provided
980 */
981 static int
982 _gnutls_server_select_comp_method (gnutls_session_t session,
983 uint8_t * data, int datalen)
984 {
985 int x, i, j;
986 uint8_t comps[MAX_ALGOS];
987
988 x = _gnutls_supported_compression_methods (session, comps, MAX_ALGOS);
989 if (x < 0)
990 {
991 gnutls_assert ();
992 return x;
993 }
994
995 if (session->internals.priorities.server_precedence == 0)
996 {
997 for (j = 0; j < datalen; j++)
998 {
999 for (i = 0; i < x; i++)
1000 {
1001 if (comps[i] == data[j])
1002 {
1003 gnutls_compression_method_t method =
1004 _gnutls_compression_get_id (comps[i]);
1005
1006 _gnutls_epoch_set_compression (session, EPOCH_NEXT, method);
1007 session->security_parameters.compression_method = method;
1008
1009 _gnutls_handshake_log
1010 ("HSK[%p]: Selected Compression Method: %s\n", session,
1011 gnutls_compression_get_name (method));
1012 return 0;
1013 }
1014 }
1015 }
1016 }
1017 else
1018 {
1019 for (i = 0; i < x; i++)
1020 {
1021 for (j = 0; j < datalen; j++)
1022 {
1023 if (comps[i] == data[j])
1024 {
1025 gnutls_compression_method_t method =
1026 _gnutls_compression_get_id (comps[i]);
1027
1028 _gnutls_epoch_set_compression (session, EPOCH_NEXT, method);
1029 session->security_parameters.compression_method = method;
1030
1031 _gnutls_handshake_log
1032 ("HSK[%p]: Selected Compression Method: %s\n", session,
1033 gnutls_compression_get_name (method));
1034 return 0;
1035 }
1036 }
1037 }
1038 }
1039
1040 /* we were not able to find a compatible compression
1041 * algorithm
1042 */
1043 gnutls_assert ();
1044 return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM;
1045
1046 }
1047
1048 /* This function sends an empty handshake packet. (like hello request).
1049 * If the previous _gnutls_send_empty_handshake() returned
1050 * GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED, then it must be called again
1051 * (until it returns ok), with NULL parameters.
1052 */
1053 static int
1054 _gnutls_send_empty_handshake (gnutls_session_t session,
1055 gnutls_handshake_description_t type, int again)
1056 {
1057 mbuffer_st *bufel;
1058
1059 if (again == 0)
1060 {
1061 bufel = _gnutls_handshake_alloc (session, 0, 0);
1062 if (bufel == NULL)
1063 {
1064 gnutls_assert ();
1065 return GNUTLS_E_MEMORY_ERROR;
1066 }
1067 }
1068 else
1069 bufel = NULL;
1070
1071 return _gnutls_send_handshake (session, bufel, type);
1072 }
1073
1074
1075
1076
1077 /* This function sends a handshake message of type 'type' containing the
1078 * data specified here. If the previous _gnutls_send_handshake() returned
1079 * GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED, then it must be called again
1080 * (until it returns ok), with NULL parameters.
1081 */
1082 int
1083 _gnutls_send_handshake (gnutls_session_t session, mbuffer_st * bufel,
1084 gnutls_handshake_description_t type)
1085 {
1086 int ret;
1087 uint8_t *data;
1088 uint32_t datasize, i_datasize;
1089 int pos = 0;
1090
1091 if (bufel == NULL)
1092 {
1093 /* we are resuming a previously interrupted
1094 * send.
1095 */
1096 ret = _gnutls_handshake_io_write_flush (session);
1097 return ret;
1098
1099 }
1100
1101 /* first run */
1102 data = _mbuffer_get_uhead_ptr (bufel);
1103 i_datasize = _mbuffer_get_udata_size(bufel);
1104 datasize = i_datasize + _mbuffer_get_uhead_size (bufel);
1105
1106 data[pos++] = (uint8_t) type;
1107 _gnutls_write_uint24 (_mbuffer_get_udata_size (bufel), &data[pos]);
1108 pos += 3;
1109
1110 /* Add DTLS handshake fragment headers. The message will be
1111 * fragmented later by the fragmentation sub-layer. All fields must
1112 * be set properly for HMAC. The HMAC requires we pretend that the
1113 * message was sent in a single fragment. */
1114 if (IS_DTLS(session))
1115 {
1116 _gnutls_write_uint16 (session->internals.dtls.hsk_write_seq++, &data[pos]);
1117 pos += 2;
1118
1119 /* Fragment offset */
1120 _gnutls_write_uint24 (0, &data[pos]);
1121 pos += 3;
1122
1123 /* Fragment length */
1124 _gnutls_write_uint24 (i_datasize, &data[pos]);
1125 /* pos += 3; */
1126 }
1127
1128 _gnutls_handshake_log ("HSK[%p]: %s was queued [%ld bytes]\n",
1129 session, _gnutls_handshake2str (type),
1130 (long) datasize);
1131
1132 /* Here we keep the handshake messages in order to hash them...
1133 */
1134 if (type != GNUTLS_HANDSHAKE_HELLO_REQUEST)
1135 if ((ret =
1136 _gnutls_handshake_hash_add_sent (session, type, data, datasize)) < 0)
1137 {
1138 gnutls_assert ();
1139 _mbuffer_xfree(&bufel);
1140 return ret;
1141 }
1142
1143 session->internals.last_handshake_out = type;
1144
1145 ret = _gnutls_handshake_io_cache_int (session, type, bufel);
1146 if (ret < 0)
1147 {
1148 _mbuffer_xfree(&bufel);
1149 gnutls_assert();
1150 return ret;
1151 }
1152
1153 switch (type)
1154 {
1155 case GNUTLS_HANDSHAKE_CERTIFICATE_PKT: /* this one is followed by ServerHelloDone
1156 * or ClientKeyExchange always.
1157 */
1158 case GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE: /* as above */
1159 case GNUTLS_HANDSHAKE_SERVER_HELLO: /* as above */
1160 case GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST: /* as above */
1161 case GNUTLS_HANDSHAKE_NEW_SESSION_TICKET: /* followed by ChangeCipherSpec */
1162
1163 /* now for client Certificate, ClientKeyExchange and
1164 * CertificateVerify are always followed by ChangeCipherSpec
1165 */
1166 case GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY:
1167 case GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE:
1168 ret = 0;
1169 break;
1170 default:
1171 /* send cached messages */
1172 ret = _gnutls_handshake_io_write_flush (session);
1173 break;
1174 }
1175
1176 return ret;
1177 }
1178
1179 #define CHECK_SIZE(ll) \
1180 if ((session->internals.max_handshake_data_buffer_size > 0) && \
1181 (((ll) + session->internals.handshake_hash_buffer.length) > \
1182 session->internals.max_handshake_data_buffer_size)) \
1183 return gnutls_assert_val(GNUTLS_E_HANDSHAKE_TOO_LARGE)
1184
1185 /* This function add the handshake headers and the
1186 * handshake data to the handshake hash buffers. Needed
1187 * for the finished messages calculations.
1188 */
1189 static int
1190 _gnutls_handshake_hash_add_recvd (gnutls_session_t session,
1191 gnutls_handshake_description_t recv_type,
1192 uint8_t * header, uint16_t header_size,
1193 uint8_t * dataptr, uint32_t datalen)
1194 {
1195 int ret;
1196
1197 if ((gnutls_protocol_get_version (session) != GNUTLS_DTLS0_9 &&
1198 recv_type == GNUTLS_HANDSHAKE_HELLO_VERIFY_REQUEST) ||
1199 recv_type == GNUTLS_HANDSHAKE_HELLO_REQUEST)
1200 return 0;
1201
1202 CHECK_SIZE(header_size + datalen);
1203
1204 session->internals.handshake_hash_buffer_prev_len = session->internals.handshake_hash_buffer.length;
1205
1206 if (gnutls_protocol_get_version (session) != GNUTLS_DTLS0_9)
1207 {
1208 ret = _gnutls_buffer_append_data(&session->internals.handshake_hash_buffer,
1209 header, header_size);
1210 if (ret < 0)
1211 return gnutls_assert_val(ret);
1212 }
1213 if (datalen > 0)
1214 {
1215 ret = _gnutls_buffer_append_data(&session->internals.handshake_hash_buffer,
1216 dataptr, datalen);
1217 if (ret < 0)
1218 return gnutls_assert_val(ret);
1219 }
1220
1221 return 0;
1222 }
1223
1224 /* This function will store the handshake message we sent.
1225 */
1226 static int
1227 _gnutls_handshake_hash_add_sent (gnutls_session_t session,
1228 gnutls_handshake_description_t type,
1229 uint8_t * dataptr, uint32_t datalen)
1230 {
1231 int ret;
1232
1233 /* We don't check for GNUTLS_HANDSHAKE_HELLO_VERIFY_REQUEST because it
1234 * is not sent via that channel.
1235 */
1236 if (type != GNUTLS_HANDSHAKE_HELLO_REQUEST)
1237 {
1238 CHECK_SIZE(datalen);
1239
1240 if (gnutls_protocol_get_version (session) == GNUTLS_DTLS0_9)
1241 {
1242 /* Old DTLS doesn't include the header in the MAC */
1243 if (datalen <= 12)
1244 {
1245 gnutls_assert ();
1246 return GNUTLS_E_INVALID_REQUEST;
1247 }
1248 dataptr += 12;
1249 datalen -= 12;
1250 }
1251
1252 ret = _gnutls_buffer_append_data(&session->internals.handshake_hash_buffer,
1253 dataptr, datalen);
1254 if (ret < 0)
1255 return gnutls_assert_val(ret);
1256
1257 return 0;
1258 }
1259
1260 return 0;
1261 }
1262
1263
1264 /* This function will receive handshake messages of the given types,
1265 * and will pass the message to the right place in order to be processed.
1266 * E.g. for the SERVER_HELLO message (if it is expected), it will be
1267 * passed to _gnutls_recv_hello().
1268 */
1269 int
1270 _gnutls_recv_handshake (gnutls_session_t session,
1271 gnutls_handshake_description_t type,
1272 unsigned int optional, gnutls_buffer_st* buf)
1273 {
1274 int ret;
1275 handshake_buffer_st hsk;
1276
1277 ret =
1278 _gnutls_handshake_io_recv_int (session, type, &hsk, optional);
1279 if (ret < 0)
1280 {
1281 if (optional != 0 && ret == GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET)
1282 {
1283 if (buf) _gnutls_buffer_init(buf);
1284 return 0;
1285 }
1286
1287 return gnutls_assert_val_fatal(ret);
1288 }
1289
1290 ret = _gnutls_handshake_hash_add_recvd (session, hsk.htype,
1291 hsk.header, hsk.header_size,
1292 hsk.data.data, hsk.data.length);
1293 if (ret < 0)
1294 {
1295 gnutls_assert ();
1296 goto cleanup;
1297 }
1298
1299 switch (hsk.htype)
1300 {
1301 case GNUTLS_HANDSHAKE_CLIENT_HELLO_V2:
1302 case GNUTLS_HANDSHAKE_CLIENT_HELLO:
1303 case GNUTLS_HANDSHAKE_SERVER_HELLO:
1304 if (hsk.htype == GNUTLS_HANDSHAKE_CLIENT_HELLO_V2)
1305 ret = _gnutls_read_client_hello_v2 (session, hsk.data.data, hsk.data.length);
1306 else
1307 ret = _gnutls_recv_hello (session, hsk.data.data, hsk.data.length);
1308
1309 if (ret < 0)
1310 {
1311 gnutls_assert();
1312 goto cleanup;
1313 }
1314
1315 goto cleanup; /* caller doesn't need dataptr */
1316
1317 break;
1318 case GNUTLS_HANDSHAKE_HELLO_VERIFY_REQUEST:
1319 ret = _gnutls_recv_hello_verify_request (session, hsk.data.data, hsk.data.length);
1320 if (ret < 0)
1321 {
1322 gnutls_assert();
1323 goto cleanup;
1324 }
1325 else
1326 /* Signal our caller we have received a verification cookie
1327 and ClientHello needs to be sent again. */
1328 ret = 1;
1329
1330 goto cleanup; /* caller doesn't need dataptr */
1331
1332 break;
1333 case GNUTLS_HANDSHAKE_SERVER_HELLO_DONE:
1334 if (hsk.data.length == 0)
1335 ret = 0;
1336 else
1337 {
1338 gnutls_assert();
1339 ret = GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
1340 goto cleanup;
1341 }
1342 break;
1343 case GNUTLS_HANDSHAKE_CERTIFICATE_PKT:
1344 case GNUTLS_HANDSHAKE_FINISHED:
1345 case GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE:
1346 case GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE:
1347 case GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST:
1348 case GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY:
1349 case GNUTLS_HANDSHAKE_SUPPLEMENTAL:
1350 case GNUTLS_HANDSHAKE_NEW_SESSION_TICKET:
1351 ret = hsk.data.length;
1352 break;
1353 default:
1354 gnutls_assert ();
1355 /* we shouldn't actually arrive here in any case .
1356 * unexpected messages should be catched after _gnutls_handshake_io_recv_int()
1357 */
1358 ret = GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET;
1359 goto cleanup;
1360 }
1361
1362 if (buf)
1363 {
1364 *buf = hsk.data;
1365 return ret;
1366 }
1367
1368 cleanup:
1369 _gnutls_handshake_buffer_clear (&hsk);
1370 return ret;
1371 }
1372
1373 /* This function checks if the given cipher suite is supported, and sets it
1374 * to the session;
1375 */
1376 static int
1377 _gnutls_client_set_ciphersuite (gnutls_session_t session, uint8_t suite[2])
1378 {
1379 uint8_t z;
1380 uint8_t cipher_suites[MAX_CIPHERSUITE_SIZE];
1381 int cipher_suite_size;
1382 int i, err;
1383
1384 z = 1;
1385 cipher_suite_size = _gnutls_supported_ciphersuites (session, cipher_suites, sizeof(cipher_suites));
1386 if (cipher_suite_size < 0)
1387 {
1388 gnutls_assert ();
1389 return cipher_suite_size;
1390 }
1391
1392 for (i = 0; i < cipher_suite_size; i+=2)
1393 {
1394 if (memcmp (&cipher_suites[i], suite, 2) == 0)
1395 {
1396 z = 0;
1397 break;
1398 }
1399 }
1400
1401 if (z != 0)
1402 {
1403 gnutls_assert ();
1404 _gnutls_handshake_log("HSK[%p]: unsupported cipher suite %.2X.%.2X\n", session,
1405 (unsigned int)suite[0], (unsigned int)suite[1]);
1406 return GNUTLS_E_UNKNOWN_CIPHER_SUITE;
1407 }
1408
1409 memcpy (session->security_parameters.cipher_suite, suite, 2);
1410 _gnutls_epoch_set_cipher_suite (session, EPOCH_NEXT,
1411 session->
1412 security_parameters.cipher_suite);
1413
1414 _gnutls_handshake_log ("HSK[%p]: Selected cipher suite: %s\n", session,
1415 _gnutls_cipher_suite_get_name
1416 (session->
1417 security_parameters.cipher_suite));
1418
1419
1420 /* check if the credentials (username, public key etc.) are ok.
1421 * Actually checks if they exist.
1422 */
1423 if (!session->internals.premaster_set &&
1424 _gnutls_get_kx_cred
1425 (session,
1426 _gnutls_cipher_suite_get_kx_algo
1427 (session->security_parameters.cipher_suite), &err) == NULL
1428 && err != 0)
1429 {
1430 gnutls_assert ();
1431 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
1432 }
1433
1434
1435 /* set the mod_auth_st to the appropriate struct
1436 * according to the KX algorithm. This is needed since all the
1437 * handshake functions are read from there;
1438 */
1439 session->internals.auth_struct =
1440 _gnutls_kx_auth_struct (_gnutls_cipher_suite_get_kx_algo
1441 (session->
1442 security_parameters.cipher_suite));
1443
1444 if (session->internals.auth_struct == NULL)
1445 {
1446
1447 _gnutls_handshake_log
1448 ("HSK[%p]: Cannot find the appropriate handler for the KX algorithm\n",
1449 session);
1450 gnutls_assert ();
1451 return GNUTLS_E_INTERNAL_ERROR;
1452 }
1453
1454
1455 return 0;
1456 }
1457
1458 /* This function sets the given comp method to the session.
1459 */
1460 static int
1461 _gnutls_client_set_comp_method (gnutls_session_t session, uint8_t comp_method)
1462 {
1463 int comp_methods_num;
1464 uint8_t compression_methods[MAX_ALGOS];
1465 int id = _gnutls_compression_get_id(comp_method);
1466 int i;
1467
1468 _gnutls_handshake_log ("HSK[%p]: Selected compression method: %s (%d)\n", session,
1469 gnutls_compression_get_name(id), (int)comp_method);
1470
1471 comp_methods_num = _gnutls_supported_compression_methods (session,
1472 compression_methods, MAX_ALGOS);
1473 if (comp_methods_num < 0)
1474 {
1475 gnutls_assert ();
1476 return comp_methods_num;
1477 }
1478
1479 for (i = 0; i < comp_methods_num; i++)
1480 {
1481 if (compression_methods[i] == comp_method)
1482 {
1483 comp_methods_num = 0;
1484 break;
1485 }
1486 }
1487
1488 if (comp_methods_num != 0)
1489 {
1490 gnutls_assert ();
1491 return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM;
1492 }
1493
1494 session->security_parameters.compression_method = id;
1495 _gnutls_epoch_set_compression (session, EPOCH_NEXT, id);
1496
1497 return 0;
1498 }
1499
1500 /* This function returns 0 if we are resuming a session or -1 otherwise.
1501 * This also sets the variables in the session. Used only while reading a server
1502 * hello.
1503 */
1504 static int
1505 _gnutls_client_check_if_resuming (gnutls_session_t session,
1506 uint8_t * session_id, int session_id_len)
1507 {
1508 char buf[2 * TLS_MAX_SESSION_ID_SIZE + 1];
1509
1510 _gnutls_handshake_log ("HSK[%p]: SessionID length: %d\n", session,
1511 session_id_len);
1512 _gnutls_handshake_log ("HSK[%p]: SessionID: %s\n", session,
1513 _gnutls_bin2hex (session_id, session_id_len, buf,
1514 sizeof (buf), NULL));
1515
1516 if (session_id_len > 0 &&
1517 session->internals.resumed_security_parameters.session_id_size ==
1518 session_id_len
1519 && memcmp (session_id,
1520 session->internals.resumed_security_parameters.session_id,
1521 session_id_len) == 0)
1522 {
1523 /* resume session */
1524 memcpy (session->internals.resumed_security_parameters.server_random,
1525 session->security_parameters.server_random, GNUTLS_RANDOM_SIZE);
1526 memcpy (session->internals.resumed_security_parameters.client_random,
1527 session->security_parameters.client_random, GNUTLS_RANDOM_SIZE);
1528
1529 _gnutls_epoch_set_cipher_suite
1530 (session, EPOCH_NEXT,
1531 session->internals.
1532 resumed_security_parameters.cipher_suite);
1533 _gnutls_epoch_set_compression (session, EPOCH_NEXT,
1534 session->
1535 internals.resumed_security_parameters.compression_method);
1536
1537 session->internals.resumed = RESUME_TRUE; /* we are resuming */
1538
1539 return 0;
1540 }
1541 else
1542 {
1543 /* keep the new session id */
1544 session->internals.resumed = RESUME_FALSE; /* we are not resuming */
1545 session->security_parameters.session_id_size = session_id_len;
1546 memcpy (session->security_parameters.session_id,
1547 session_id, session_id_len);
1548
1549 return -1;
1550 }
1551 }
1552
1553
1554 /* This function reads and parses the server hello handshake message.
1555 * This function also restores resumed parameters if we are resuming a
1556 * session.
1557 */
1558 static int
1559 _gnutls_read_server_hello (gnutls_session_t session,
1560 uint8_t * data, int datalen)
1561 {
1562 uint8_t session_id_len = 0;
1563 int pos = 0;
1564 int ret = 0;
1565 gnutls_protocol_t version;
1566 int len = datalen;
1567
1568 if (datalen < 38)
1569 {
1570 gnutls_assert ();
1571 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
1572 }
1573
1574 _gnutls_handshake_log ("HSK[%p]: Server's version: %d.%d\n",
1575 session, data[pos], data[pos + 1]);
1576
1577 DECR_LEN (len, 2);
1578 version = _gnutls_version_get (data[pos], data[pos + 1]);
1579 if (_gnutls_version_is_supported (session, version) == 0)
1580 {
1581 gnutls_assert ();
1582 return GNUTLS_E_UNSUPPORTED_VERSION_PACKET;
1583 }
1584 else
1585 {
1586 _gnutls_set_current_version (session, version);
1587 }
1588
1589 pos += 2;
1590
1591 DECR_LEN (len, GNUTLS_RANDOM_SIZE);
1592 _gnutls_set_server_random (session, &data[pos]);
1593 pos += GNUTLS_RANDOM_SIZE;
1594
1595
1596 /* Read session ID
1597 */
1598 DECR_LEN (len, 1);
1599 session_id_len = data[pos++];
1600
1601 if (len < session_id_len)
1602 {
1603 gnutls_assert ();
1604 return GNUTLS_E_UNSUPPORTED_VERSION_PACKET;
1605 }
1606 DECR_LEN (len, session_id_len);
1607
1608 /* check if we are resuming and set the appropriate
1609 * values;
1610 */
1611 if (_gnutls_client_check_if_resuming
1612 (session, &data[pos], session_id_len) == 0)
1613 {
1614 pos += session_id_len + 2 + 1;
1615 DECR_LEN (len, 2 + 1);
1616
1617 ret = _gnutls_parse_extensions (session, GNUTLS_EXT_MANDATORY,
1618 &data[pos], len);
1619 if (ret < 0)
1620 {
1621 gnutls_assert ();
1622 return ret;
1623 }
1624 return 0;
1625 }
1626
1627 pos += session_id_len;
1628
1629 /* Check if the given cipher suite is supported and copy
1630 * it to the session.
1631 */
1632
1633 DECR_LEN (len, 2);
1634 ret = _gnutls_client_set_ciphersuite (session, &data[pos]);
1635 if (ret < 0)
1636 {
1637 gnutls_assert ();
1638 return ret;
1639 }
1640 pos += 2;
1641
1642 /* move to compression
1643 */
1644 DECR_LEN (len, 1);
1645
1646 ret = _gnutls_client_set_comp_method (session, data[pos++]);
1647 if (ret < 0)
1648 {
1649 gnutls_assert ();
1650 return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM;
1651 }
1652
1653 /* Parse extensions.
1654 */
1655 ret = _gnutls_parse_extensions (session, GNUTLS_EXT_ANY, &data[pos], len);
1656 if (ret < 0)
1657 {
1658 gnutls_assert ();
1659 return ret;
1660 }
1661
1662 return ret;
1663 }
1664
1665
1666 /* This function copies the appropriate ciphersuites to a locally allocated buffer
1667 * Needed in client hello messages. Returns the new data length. If add_scsv is
1668 * true, add the special safe renegotiation CS.
1669 */
1670 static int
1671 _gnutls_copy_ciphersuites (gnutls_session_t session,
1672 gnutls_buffer_st * cdata,
1673 int add_scsv)
1674 {
1675 int ret;
1676 uint8_t cipher_suites[MAX_CIPHERSUITE_SIZE+2];
1677 int cipher_suites_size;
1678 size_t init_length = cdata->length;
1679
1680 ret = _gnutls_supported_ciphersuites (session, cipher_suites, sizeof(cipher_suites)-2);
1681 if (ret < 0)
1682 return gnutls_assert_val(ret);
1683
1684 /* Here we remove any ciphersuite that does not conform
1685 * the certificate requested, or to the
1686 * authentication requested (eg SRP).
1687 */
1688 ret =
1689 _gnutls_remove_unwanted_ciphersuites (session, cipher_suites, ret, NULL, 0);
1690 if (ret < 0)
1691 return gnutls_assert_val(ret);
1692
1693 /* If no cipher suites were enabled.
1694 */
1695 if (ret == 0)
1696 return gnutls_assert_val(GNUTLS_E_INSUFFICIENT_CREDENTIALS);
1697
1698 cipher_suites_size = ret;
1699 if (add_scsv)
1700 {
1701 cipher_suites[cipher_suites_size] = 0x00;
1702 cipher_suites[cipher_suites_size+1] = 0xff;
1703 cipher_suites_size += 2;
1704
1705 ret = _gnutls_ext_sr_send_cs (session);
1706 if (ret < 0)
1707 return gnutls_assert_val(ret);
1708 }
1709
1710 ret = _gnutls_buffer_append_data_prefix(cdata, 16, cipher_suites, cipher_suites_size);
1711 if (ret < 0)
1712 return gnutls_assert_val(ret);
1713
1714 ret = cdata->length - init_length;
1715
1716 return ret;
1717 }
1718
1719
1720 /* This function copies the appropriate compression methods, to a locally allocated buffer
1721 * Needed in hello messages. Returns the new data length.
1722 */
1723 static int
1724 _gnutls_copy_comp_methods (gnutls_session_t session,
1725 gnutls_buffer_st * cdata)
1726 {
1727 int ret;
1728 uint8_t compression_methods[MAX_ALGOS], comp_num;
1729 size_t init_length = cdata->length;
1730
1731 ret = _gnutls_supported_compression_methods (session, compression_methods, MAX_ALGOS);
1732 if (ret < 0)
1733 return gnutls_assert_val(ret);
1734
1735 comp_num = ret;
1736
1737 /* put the number of compression methods */
1738 ret = _gnutls_buffer_append_prefix(cdata, 8, comp_num);
1739 if (ret < 0)
1740 return gnutls_assert_val(ret);
1741
1742 ret = _gnutls_buffer_append_data(cdata, compression_methods, comp_num);
1743 if (ret < 0)
1744 return gnutls_assert_val(ret);
1745
1746 ret = cdata->length - init_length;
1747
1748 return ret;
1749 }
1750
1751 /* This should be sufficient by now. It should hold all the extensions
1752 * plus the headers in a hello message.
1753 */
1754 #define MAX_EXT_DATA_LENGTH 32*1024
1755
1756 /* This function sends the client hello handshake message.
1757 */
1758 static int
1759 _gnutls_send_client_hello (gnutls_session_t session, int again)
1760 {
1761 mbuffer_st *bufel = NULL;
1762 uint8_t *data = NULL;
1763 int pos = 0, type;
1764 int datalen = 0, ret = 0;
1765 uint8_t rnd[GNUTLS_RANDOM_SIZE];
1766 gnutls_protocol_t hver;
1767 gnutls_buffer_st extdata;
1768 int rehandshake = 0;
1769 uint8_t session_id_len =
1770 session->internals.resumed_security_parameters.session_id_size;
1771 uint8_t cookie_len;
1772
1773 _gnutls_buffer_init(&extdata);
1774
1775 /* note that rehandshake is different than resuming
1776 */
1777 if (session->security_parameters.session_id_size)
1778 rehandshake = 1;
1779
1780 if (again == 0)
1781 {
1782 if(IS_DTLS(session))
1783 {
1784 cookie_len = session->internals.dtls.cookie_len + 1;
1785 }
1786 else
1787 {
1788 cookie_len = 0;
1789 }
1790
1791 datalen = 2 + (session_id_len + 1) + GNUTLS_RANDOM_SIZE + cookie_len;
1792 /* 2 for version, (4 for unix time + 28 for random bytes==GNUTLS_RANDOM_SIZE)
1793 */
1794
1795 bufel = _gnutls_handshake_alloc (session, datalen, datalen+MAX_EXT_DATA_LENGTH);
1796 if (bufel == NULL)
1797 {
1798 gnutls_assert ();
1799 return GNUTLS_E_MEMORY_ERROR;
1800 }
1801 data = _mbuffer_get_udata_ptr (bufel);
1802
1803 /* if we are resuming a session then we set the
1804 * version number to the previously established.
1805 */
1806 if (session_id_len == 0)
1807 {
1808 if (rehandshake) /* already negotiated version thus version_max == negotiated version */
1809 hver = session->security_parameters.version;
1810 else /* new handshake. just get the max */
1811 hver = _gnutls_version_max (session);
1812 }
1813 else
1814 {
1815 /* we are resuming a session */
1816 hver = session->internals.resumed_security_parameters.version;
1817 }
1818
1819 if (hver == GNUTLS_VERSION_UNKNOWN || hver == 0)
1820 {
1821 gnutls_assert ();
1822 gnutls_free (bufel);
1823 return GNUTLS_E_INTERNAL_ERROR;
1824 }
1825
1826 data[pos++] = _gnutls_version_get_major (hver);
1827 data[pos++] = _gnutls_version_get_minor (hver);
1828
1829 /* Set the version we advertized as maximum
1830 * (RSA uses it).
1831 */
1832 _gnutls_set_adv_version (session, hver);
1833 _gnutls_set_current_version (session, hver);
1834
1835 if (session->internals.priorities.ssl3_record_version != 0)
1836 {
1837 /* Advertize the SSL 3.0 record packet version in
1838 * record packets during the handshake.
1839 * That is to avoid confusing implementations
1840 * that do not support TLS 1.2 and don't know
1841 * how 3,3 version of record packets look like.
1842 */
1843 if (!IS_DTLS(session))
1844 _gnutls_record_set_default_version (session, 3, 0);
1845 else if (gnutls_protocol_get_version (session) == GNUTLS_DTLS0_9)
1846 _gnutls_record_set_default_version (session, 1, 0);
1847 else
1848 _gnutls_record_set_default_version (session, 254, 255);
1849 }
1850
1851 /* In order to know when this session was initiated.
1852 */
1853 session->security_parameters.timestamp = gnutls_time (NULL);
1854
1855 /* Generate random data
1856 */
1857 if (!IS_DTLS (session)
1858 || session->internals.dtls.hsk_hello_verify_requests == 0)
1859 {
1860 _gnutls_tls_create_random (rnd);
1861 _gnutls_set_client_random (session, rnd);
1862
1863 memcpy (&data[pos], rnd, GNUTLS_RANDOM_SIZE);
1864 }
1865 else
1866 memcpy (&data[pos], session->security_parameters.client_random, GNUTLS_RANDOM_SIZE);
1867
1868 pos += GNUTLS_RANDOM_SIZE;
1869
1870 /* Copy the Session ID
1871 */
1872 data[pos++] = session_id_len;
1873
1874 if (session_id_len > 0)
1875 {
1876 memcpy (&data[pos],
1877 session->internals.resumed_security_parameters.session_id,
1878 session_id_len);
1879 pos += session_id_len;
1880 }
1881
1882 /* Copy the DTLS cookie
1883 */
1884 if (IS_DTLS(session))
1885 {
1886 data[pos++] = session->internals.dtls.cookie_len;
1887 memcpy(&data[pos], &session->internals.dtls.cookie, session->internals.dtls.cookie_len);
1888 /* pos += session->internals.dtls.cookie_len; */
1889 }
1890
1891 /* Copy the ciphersuites.
1892 *
1893 * If using SSLv3 Send TLS_RENEGO_PROTECTION_REQUEST SCSV for MITM
1894 * prevention on initial negotiation (but not renegotiation; that's
1895 * handled with the RI extension below).
1896 */
1897 if (!session->internals.initial_negotiation_completed &&
1898 session->security_parameters.entity == GNUTLS_CLIENT &&
1899 (gnutls_protocol_get_version (session) == GNUTLS_SSL3 ||
1900 session->internals.priorities.no_extensions != 0))
1901 {
1902 ret =
1903 _gnutls_copy_ciphersuites (session, &extdata, TRUE);
1904 _gnutls_extension_list_add (session,
1905 GNUTLS_EXTENSION_SAFE_RENEGOTIATION);
1906 }
1907 else
1908 ret = _gnutls_copy_ciphersuites (session, &extdata, FALSE);
1909
1910 if (ret < 0)
1911 {
1912 gnutls_assert();
1913 goto cleanup;
1914 }
1915
1916 /* Copy the compression methods.
1917 */
1918 ret = _gnutls_copy_comp_methods (session, &extdata);
1919 if (ret < 0)
1920 {
1921 gnutls_assert();
1922 goto cleanup;
1923 }
1924
1925 /* Generate and copy TLS extensions.
1926 */
1927 if (session->internals.priorities.no_extensions == 0)
1928 {
1929 if (_gnutls_version_has_extensions (hver))
1930 type = GNUTLS_EXT_ANY;
1931 else
1932 {
1933 if (session->internals.initial_negotiation_completed != 0)
1934 type = GNUTLS_EXT_MANDATORY;
1935 else
1936 type = GNUTLS_EXT_NONE;
1937 }
1938
1939 ret = _gnutls_gen_extensions (session, &extdata, type);
1940 if (ret < 0)
1941 {
1942 gnutls_assert();
1943 goto cleanup;
1944 }
1945
1946 }
1947
1948 ret = _mbuffer_append_data (bufel, extdata.data, extdata.length);
1949 if (ret < 0)
1950 {
1951 gnutls_assert ();
1952 goto cleanup;
1953 }
1954 }
1955
1956 _gnutls_buffer_clear(&extdata);
1957
1958 return
1959 _gnutls_send_handshake (session, bufel, GNUTLS_HANDSHAKE_CLIENT_HELLO);
1960
1961 cleanup:
1962 _mbuffer_xfree(&bufel);
1963 _gnutls_buffer_clear(&extdata);
1964 return ret;
1965 }
1966
1967 static int
1968 _gnutls_send_server_hello (gnutls_session_t session, int again)
1969 {
1970 mbuffer_st *bufel = NULL;
1971 uint8_t *data = NULL;
1972 gnutls_buffer_st extdata;
1973 int pos = 0;
1974 int datalen, ret = 0;
1975 uint8_t comp;
1976 uint8_t session_id_len = session->security_parameters.session_id_size;
1977 char buf[2 * TLS_MAX_SESSION_ID_SIZE + 1];
1978
1979 _gnutls_buffer_init(&extdata);
1980
1981 if (again == 0)
1982 {
1983 datalen = 2 + session_id_len + 1 + GNUTLS_RANDOM_SIZE + 3;
1984 ret =
1985 _gnutls_gen_extensions (session, &extdata, GNUTLS_EXT_ANY);
1986 if (ret < 0)
1987 {
1988 gnutls_assert ();
1989 goto fail;
1990 }
1991
1992 bufel = _gnutls_handshake_alloc (session, datalen + extdata.length, datalen + extdata.length);
1993 if (bufel == NULL)
1994 {
1995 gnutls_assert ();
1996 ret = GNUTLS_E_MEMORY_ERROR;
1997 goto fail;
1998 }
1999 data = _mbuffer_get_udata_ptr (bufel);
2000
2001 data[pos++] =
2002 _gnutls_version_get_major (session->security_parameters.version);
2003 data[pos++] =
2004 _gnutls_version_get_minor (session->security_parameters.version);
2005
2006 memcpy (&data[pos],
2007 session->security_parameters.server_random, GNUTLS_RANDOM_SIZE);
2008 pos += GNUTLS_RANDOM_SIZE;
2009
2010 data[pos++] = session_id_len;
2011 if (session_id_len > 0)
2012 {
2013 memcpy (&data[pos], session->security_parameters.session_id,
2014 session_id_len);
2015 }
2016 pos += session_id_len;
2017
2018 _gnutls_handshake_log ("HSK[%p]: SessionID: %s\n", session,
2019 _gnutls_bin2hex (session->security_parameters.
2020 session_id, session_id_len, buf,
2021 sizeof (buf), NULL));
2022
2023 memcpy (&data[pos],
2024 session->security_parameters.cipher_suite, 2);
2025 pos += 2;
2026
2027 comp = _gnutls_compression_get_num ( session->security_parameters.compression_method);
2028 data[pos++] = comp;
2029
2030 if (extdata.length > 0)
2031 {
2032 memcpy (&data[pos], extdata.data, extdata.length);
2033 }
2034 }
2035
2036 ret =
2037 _gnutls_send_handshake (session, bufel, GNUTLS_HANDSHAKE_SERVER_HELLO);
2038
2039 fail:
2040 _gnutls_buffer_clear(&extdata);
2041 return ret;
2042 }
2043
2044 int
2045 _gnutls_send_hello (gnutls_session_t session, int again)
2046 {
2047 int ret;
2048
2049 if (session->security_parameters.entity == GNUTLS_CLIENT)
2050 {
2051 ret = _gnutls_send_client_hello (session, again);
2052
2053 }
2054 else
2055 { /* SERVER */
2056 ret = _gnutls_send_server_hello (session, again);
2057 }
2058
2059 return ret;
2060 }
2061
2062 /* RECEIVE A HELLO MESSAGE. This should be called from gnutls_recv_handshake_int only if a
2063 * hello message is expected. It uses the security_parameters.cipher_suite
2064 * and internals.compression_method.
2065 */
2066 int
2067 _gnutls_recv_hello (gnutls_session_t session, uint8_t * data, int datalen)
2068 {
2069 int ret;
2070
2071 if (session->security_parameters.entity == GNUTLS_CLIENT)
2072 {
2073 ret = _gnutls_read_server_hello (session, data, datalen);
2074 if (ret < 0)
2075 {
2076 gnutls_assert ();
2077 return ret;
2078 }
2079 }
2080 else
2081 { /* Server side reading a client hello */
2082
2083 ret = _gnutls_read_client_hello (session, data, datalen);
2084 if (ret < 0)
2085 {
2086 gnutls_assert ();
2087 return ret;
2088 }
2089 }
2090
2091 ret = _gnutls_ext_sr_verify (session);
2092 if (ret < 0)
2093 {
2094 gnutls_assert ();
2095 return ret;
2096 }
2097
2098 return 0;
2099 }
2100
2101 static int
2102 _gnutls_recv_hello_verify_request (gnutls_session_t session,
2103 uint8_t * data, int datalen)
2104 {
2105 ssize_t len = datalen;
2106 size_t pos = 0;
2107 uint8_t cookie_len;
2108 unsigned int nb_verifs;
2109
2110 if (!IS_DTLS (session)
2111 || session->security_parameters.entity == GNUTLS_SERVER)
2112 {
2113 gnutls_assert ();
2114 return GNUTLS_E_INTERNAL_ERROR;
2115 }
2116
2117 nb_verifs = ++session->internals.dtls.hsk_hello_verify_requests;
2118 if (nb_verifs >= MAX_HANDSHAKE_HELLO_VERIFY_REQUESTS)
2119 {
2120 /* The server is either buggy, malicious or changing cookie
2121 secrets _way_ too fast. */
2122 gnutls_assert ();
2123 return GNUTLS_E_UNEXPECTED_PACKET;
2124 }
2125
2126 /* TODO: determine if we need to do anything with the server version field */
2127 DECR_LEN (len, 2);
2128 pos += 2;
2129
2130 DECR_LEN (len, 1);
2131 cookie_len = data[pos];
2132 pos++;
2133
2134 if (cookie_len > DTLS_MAX_COOKIE_SIZE)
2135 {
2136 gnutls_assert ();
2137 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
2138 }
2139
2140 DECR_LEN (len, cookie_len);
2141
2142 session->internals.dtls.cookie_len = cookie_len;
2143 memcpy (session->internals.dtls.cookie, &data[pos], cookie_len);
2144
2145 if (len != 0)
2146 {
2147 gnutls_assert ();
2148 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
2149 }
2150
2151 /* reset handshake hash buffers */
2152 _gnutls_handshake_hash_buffer_empty (session);
2153
2154 return 0;
2155 }
2156
2157 /* The packets in gnutls_handshake (it's more broad than original TLS handshake)
2158 *
2159 * Client Server
2160 *
2161 * ClientHello -------->
2162 * <-------- ServerHello
2163 *
2164 * Certificate*
2165 * ServerKeyExchange*
2166 * <-------- CertificateRequest*
2167 *
2168 * <-------- ServerHelloDone
2169 * Certificate*
2170 * ClientKeyExchange
2171 * CertificateVerify*
2172 * [ChangeCipherSpec]
2173 * Finished -------->
2174 * NewSessionTicket
2175 * [ChangeCipherSpec]
2176 * <-------- Finished
2177 *
2178 * (*): means optional packet.
2179 */
2180
2181 /* Handshake when resumming session:
2182 * Client Server
2183 *
2184 * ClientHello -------->
2185 * ServerHello
2186 * [ChangeCipherSpec]
2187 * <-------- Finished
2188 * [ChangeCipherSpec]
2189 * Finished -------->
2190 *
2191 */
2192
2193 /**
2194 * gnutls_rehandshake:
2195 * @session: is a #gnutls_session_t structure.
2196 *
2197 * This function will renegotiate security parameters with the
2198 * client. This should only be called in case of a server.
2199 *
2200 * This message informs the peer that we want to renegotiate
2201 * parameters (perform a handshake).
2202 *
2203 * If this function succeeds (returns 0), you must call the
2204 * gnutls_handshake() function in order to negotiate the new
2205 * parameters.
2206 *
2207 * Since TLS is full duplex some application data might have been
2208 * sent during peer's processing of this message. In that case
2209 * one should call gnutls_record_recv() until GNUTLS_E_REHANDSHAKE
2210 * is returned to clear any pending data. Care must be taken if
2211 * rehandshake is mandatory to terminate if it does not start after
2212 * some threshold.
2213 *
2214 * If the client does not wish to renegotiate parameters he will
2215 * should with an alert message, thus the return code will be
2216 * %GNUTLS_E_WARNING_ALERT_RECEIVED and the alert will be
2217 * %GNUTLS_A_NO_RENEGOTIATION. A client may also choose to ignore
2218 * this message.
2219 *
2220 * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
2221 **/
2222 int
2223 gnutls_rehandshake (gnutls_session_t session)
2224 {
2225 int ret;
2226
2227 /* only server sends that handshake packet */
2228 if (session->security_parameters.entity == GNUTLS_CLIENT)
2229 return GNUTLS_E_INVALID_REQUEST;
2230
2231 _dtls_async_timer_delete(session);
2232
2233 ret =
2234 _gnutls_send_empty_handshake (session, GNUTLS_HANDSHAKE_HELLO_REQUEST,
2235 AGAIN (STATE50));
2236 STATE = STATE50;
2237
2238 if (ret < 0)
2239 {
2240 gnutls_assert ();
2241 return ret;
2242 }
2243 STATE = STATE0;
2244
2245 return 0;
2246 }
2247
2248 inline static int
2249 _gnutls_abort_handshake (gnutls_session_t session, int ret)
2250 {
2251 if (((ret == GNUTLS_E_WARNING_ALERT_RECEIVED) &&
2252 (gnutls_alert_get (session) == GNUTLS_A_NO_RENEGOTIATION))
2253 || ret == GNUTLS_E_GOT_APPLICATION_DATA)
2254 return 0;
2255
2256 /* this doesn't matter */
2257 return GNUTLS_E_INTERNAL_ERROR;
2258 }
2259
2260
2261
2262 static int
2263 _gnutls_send_supplemental (gnutls_session_t session, int again)
2264 {
2265 mbuffer_st *bufel;
2266 int ret = 0;
2267
2268 _gnutls_debug_log ("EXT[%p]: Sending supplemental data\n", session);
2269
2270 if (again)
2271 ret =
2272 _gnutls_send_handshake (session, NULL, GNUTLS_HANDSHAKE_SUPPLEMENTAL);
2273 else
2274 {
2275 gnutls_buffer_st buf;
2276 _gnutls_buffer_init (&buf);
2277
2278 ret = _gnutls_gen_supplemental (session, &buf);
2279 if (ret < 0)
2280 {
2281 gnutls_assert ();
2282 return ret;
2283 }
2284
2285 bufel = _gnutls_handshake_alloc(session, buf.length, buf.length);
2286 if (bufel == NULL)
2287 {
2288 gnutls_assert ();
2289 return GNUTLS_E_MEMORY_ERROR;
2290 }
2291
2292 _mbuffer_set_udata (bufel, buf.data, buf.length);
2293 _gnutls_buffer_clear (&buf);
2294
2295 ret = _gnutls_send_handshake (session, bufel,
2296 GNUTLS_HANDSHAKE_SUPPLEMENTAL);
2297 }
2298
2299 return ret;
2300 }
2301
2302 static int
2303 _gnutls_recv_supplemental (gnutls_session_t session)
2304 {
2305 gnutls_buffer_st buf;
2306 int ret;
2307
2308 _gnutls_debug_log ("EXT[%p]: Expecting supplemental data\n", session);
2309
2310 ret = _gnutls_recv_handshake (session, GNUTLS_HANDSHAKE_SUPPLEMENTAL,
2311 1, &buf);
2312 if (ret < 0)
2313 {
2314 gnutls_assert ();
2315 return ret;
2316 }
2317
2318 ret = _gnutls_parse_supplemental (session, buf.data, buf.length);
2319 if (ret < 0)
2320 {
2321 gnutls_assert ();
2322 goto cleanup;
2323 }
2324
2325 cleanup:
2326 _gnutls_buffer_clear(&buf);
2327
2328 return ret;
2329 }
2330
2331 /**
2332 * gnutls_handshake:
2333 * @session: is a #gnutls_session_t structure.
2334 *
2335 * This function does the handshake of the TLS/SSL protocol, and
2336 * initializes the TLS connection.
2337 *
2338 * This function will fail if any problem is encountered, and will
2339 * return a negative error code. In case of a client, if the client
2340 * has asked to resume a session, but the server couldn't, then a
2341 * full handshake will be performed.
2342 *
2343 * The non-fatal errors such as %GNUTLS_E_AGAIN and
2344 * %GNUTLS_E_INTERRUPTED interrupt the handshake procedure, which
2345 * should be resumed later. Call this function again, until it
2346 * returns 0; cf. gnutls_record_get_direction() and
2347 * gnutls_error_is_fatal().
2348 *
2349 * If this function is called by a server after a rehandshake request
2350 * then %GNUTLS_E_GOT_APPLICATION_DATA or
2351 * %GNUTLS_E_WARNING_ALERT_RECEIVED may be returned. Note that these
2352 * are non fatal errors, only in the specific case of a rehandshake.
2353 * Their meaning is that the client rejected the rehandshake request or
2354 * in the case of %GNUTLS_E_GOT_APPLICATION_DATA it might also mean that
2355 * some data were pending.
2356 *
2357 * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
2358 **/
2359 int
2360 gnutls_handshake (gnutls_session_t session)
2361 {
2362 int ret;
2363 record_parameters_st *params;
2364
2365 /* sanity check. Verify that there are priorities setup.
2366 */
2367 if (session->internals.priorities.protocol.algorithms == 0)
2368 return gnutls_assert_val(GNUTLS_E_NO_PRIORITIES_WERE_SET);
2369
2370 if (session->internals.handshake_timeout_ms &&
2371 session->internals.handshake_endtime == 0)
2372 session->internals.handshake_endtime = gnutls_time(0) +
2373 session->internals.handshake_timeout_ms / 1000;
2374
2375 ret = _gnutls_epoch_get (session, session->security_parameters.epoch_next,
2376 &params);
2377 if (ret < 0)
2378 {
2379 /* We assume the epoch is not allocated if _gnutls_epoch_get fails. */
2380 ret =
2381 _gnutls_epoch_alloc (session, session->security_parameters.epoch_next,
2382 NULL);
2383 if (ret < 0)
2384 return gnutls_assert_val(ret);
2385 }
2386
2387 if (session->security_parameters.entity == GNUTLS_CLIENT)
2388 {
2389 do
2390 {
2391 ret = _gnutls_handshake_client (session);
2392 } while (ret == 1);
2393 }
2394 else
2395 {
2396 ret = _gnutls_handshake_server (session);
2397 }
2398 if (ret < 0)
2399 {
2400 /* In the case of a rehandshake abort
2401 * we should reset the handshake's internal state.
2402 */
2403 if (_gnutls_abort_handshake (session, ret) == 0)
2404 STATE = STATE0;
2405
2406 return ret;
2407 }
2408
2409 ret = _gnutls_handshake_common (session);
2410
2411 if (ret < 0)
2412 {
2413 if (_gnutls_abort_handshake (session, ret) == 0)
2414 STATE = STATE0;
2415
2416 return ret;
2417 }
2418
2419 STATE = STATE0;
2420
2421 if (IS_DTLS(session)==0)
2422 {
2423 _gnutls_handshake_io_buffer_clear (session);
2424 }
2425 else
2426 {
2427 _dtls_async_timer_init(session);
2428 }
2429
2430 _gnutls_handshake_internal_state_clear (session);
2431
2432 session->security_parameters.epoch_next++;
2433
2434 return 0;
2435 }
2436
2437 /**
2438 * gnutls_handshake_set_timeout:
2439 * @session: is a #gnutls_session_t structure.
2440 * @ms: is a timeout value in milliseconds
2441 *
2442 * This function sets the timeout for the handshake process
2443 * to the provided value. Use an @ms value of zero to disable
2444 * timeout.
2445 *
2446 * Note that in order for the timeout to be enforced
2447 * gnutls_transport_set_pull_timeout_function() must be set.
2448 *
2449 **/
2450 void
2451 gnutls_handshake_set_timeout (gnutls_session_t session, unsigned int ms)
2452 {
2453 if (ms == GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT)
2454 ms = 40*1000;
2455 session->internals.handshake_timeout_ms = ms;
2456 }
2457
2458
2459 #define IMED_RET( str, ret, allow_alert) do { \
2460 if (ret < 0) { \
2461 /* EAGAIN and INTERRUPTED are always non-fatal */ \
2462 if (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED) \
2463 return ret; \
2464 /* a warning alert might interrupt handshake */ \
2465 if (allow_alert != 0 && ret==GNUTLS_E_WARNING_ALERT_RECEIVED) return ret; \
2466 gnutls_assert(); \
2467 ERR( str, ret); \
2468 _gnutls_handshake_hash_buffers_clear(session); \
2469 return ret; \
2470 } } while (0)
2471
2472
2473
2474 /*
2475 * _gnutls_handshake_client
2476 * This function performs the client side of the handshake of the TLS/SSL protocol.
2477 */
2478 static int
2479 _gnutls_handshake_client (gnutls_session_t session)
2480 {
2481 int ret = 0;
2482
2483 #ifdef HANDSHAKE_DEBUG
2484 char buf[64];
2485
2486 if (session->internals.resumed_security_parameters.session_id_size > 0)
2487 _gnutls_handshake_log ("HSK[%p]: Ask to resume: %s\n", session,
2488 _gnutls_bin2hex (session->
2489 internals.resumed_security_parameters.session_id,
2490 session->
2491 internals.resumed_security_parameters.session_id_size,
2492 buf, sizeof (buf), NULL));
2493 #endif
2494
2495 switch (STATE)
2496 {
2497 case STATE0:
2498 case STATE1:
2499 ret = _gnutls_send_hello (session, AGAIN (STATE1));
2500 STATE = STATE1;
2501 IMED_RET ("send hello", ret, 1);
2502
2503 case STATE11:
2504 if (IS_DTLS (session))
2505 {
2506 ret =
2507 _gnutls_recv_handshake (session,
2508 GNUTLS_HANDSHAKE_HELLO_VERIFY_REQUEST,
2509 1, NULL);
2510 STATE = STATE11;
2511 IMED_RET ("recv hello verify", ret, 1);
2512
2513 if (ret == 1)
2514 {
2515 STATE = STATE0;
2516 return 1;
2517 }
2518 }
2519 case STATE2:
2520 /* receive the server hello */
2521 ret =
2522 _gnutls_recv_handshake (session,
2523 GNUTLS_HANDSHAKE_SERVER_HELLO,
2524 0, NULL);
2525 STATE = STATE2;
2526 IMED_RET ("recv hello", ret, 1);
2527
2528 case STATE70:
2529 if (session->security_parameters.do_recv_supplemental)
2530 {
2531 ret = _gnutls_recv_supplemental (session);
2532 STATE = STATE70;
2533 IMED_RET ("recv supplemental", ret, 1);
2534 }
2535
2536 case STATE3:
2537 /* RECV CERTIFICATE */
2538 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2539 ret = _gnutls_recv_server_certificate (session);
2540 STATE = STATE3;
2541 IMED_RET ("recv server certificate", ret, 1);
2542
2543 case STATE4:
2544 /* receive the server key exchange */
2545 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2546 ret = _gnutls_recv_server_kx_message (session);
2547 STATE = STATE4;
2548 IMED_RET ("recv server kx message", ret, 1);
2549
2550 case STATE5:
2551 /* receive the server certificate request - if any
2552 */
2553
2554 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2555 ret = _gnutls_recv_server_crt_request (session);
2556 STATE = STATE5;
2557 IMED_RET ("recv server certificate request message", ret, 1);
2558
2559 case STATE6:
2560 /* receive the server hello done */
2561 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2562 ret =
2563 _gnutls_recv_handshake (session,
2564 GNUTLS_HANDSHAKE_SERVER_HELLO_DONE,
2565 0, NULL);
2566 STATE = STATE6;
2567 IMED_RET ("recv server hello done", ret, 1);
2568 case STATE71:
2569 if (session->security_parameters.do_send_supplemental)
2570 {
2571 ret = _gnutls_send_supplemental (session, AGAIN (STATE71));
2572 STATE = STATE71;
2573 IMED_RET ("send supplemental", ret, 0);
2574 }
2575
2576 case STATE7:
2577 /* send our certificate - if any and if requested
2578 */
2579 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2580 ret = _gnutls_send_client_certificate (session, AGAIN (STATE7));
2581 STATE = STATE7;
2582 IMED_RET ("send client certificate", ret, 0);
2583
2584 case STATE8:
2585 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2586 ret = _gnutls_send_client_kx_message (session, AGAIN (STATE8));
2587 STATE = STATE8;
2588 IMED_RET ("send client kx", ret, 0);
2589
2590 case STATE9:
2591 /* send client certificate verify */
2592 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2593 ret =
2594 _gnutls_send_client_certificate_verify (session, AGAIN (STATE9));
2595 STATE = STATE9;
2596 IMED_RET ("send client certificate verify", ret, 1);
2597
2598 STATE = STATE0;
2599 default:
2600 break;
2601 }
2602
2603
2604 return 0;
2605 }
2606
2607
2608
2609 /* This function is to be called if the handshake was successfully
2610 * completed. This sends a Change Cipher Spec packet to the peer.
2611 */
2612 static ssize_t
2613 send_change_cipher_spec (gnutls_session_t session, int again)
2614 {
2615 uint8_t* data;
2616 mbuffer_st * bufel;
2617 int ret;
2618
2619 if (again == 0)
2620 {
2621 bufel = _gnutls_handshake_alloc (session, 1, 1);
2622 if (bufel == NULL)
2623 return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
2624
2625 if (gnutls_protocol_get_version (session) == GNUTLS_DTLS0_9)
2626 _mbuffer_set_uhead_size(bufel, 3);
2627 else
2628 _mbuffer_set_uhead_size(bufel, 1);
2629 _mbuffer_set_udata_size(bufel, 0);
2630
2631 data = _mbuffer_get_uhead_ptr (bufel);
2632
2633 data[0] = 1;
2634 if (gnutls_protocol_get_version (session) == GNUTLS_DTLS0_9)
2635 {
2636 _gnutls_write_uint16 (session->internals.dtls.hsk_write_seq, &data[1]);
2637 session->internals.dtls.hsk_write_seq++;
2638 }
2639
2640 ret = _gnutls_handshake_io_cache_int (session, GNUTLS_HANDSHAKE_CHANGE_CIPHER_SPEC, bufel);
2641 if (ret < 0)
2642 {
2643 _mbuffer_xfree(&bufel);
2644 return gnutls_assert_val(ret);
2645 }
2646
2647 _gnutls_handshake_log ("REC[%p]: Sent ChangeCipherSpec\n", session);
2648 }
2649
2650 return 0;
2651 }
2652
2653 /* This function sends the final handshake packets and initializes connection
2654 */
2655 static int
2656 _gnutls_send_handshake_final (gnutls_session_t session, int init)
2657 {
2658 int ret = 0;
2659
2660 /* Send the CHANGE CIPHER SPEC PACKET */
2661
2662 switch (STATE)
2663 {
2664 case STATE0:
2665 case STATE20:
2666 ret = send_change_cipher_spec (session, AGAIN (STATE20));
2667 STATE = STATE0;
2668
2669 if (ret < 0)
2670 {
2671 ERR ("send ChangeCipherSpec", ret);
2672 gnutls_assert ();
2673 return ret;
2674 }
2675 /* Initialize the connection session (start encryption) - in case of client
2676 */
2677 if (init == TRUE)
2678 {
2679 ret = _gnutls_connection_state_init (session);
2680 if (ret < 0)
2681 {
2682 gnutls_assert ();
2683 return ret;
2684 }
2685 }
2686
2687 ret = _gnutls_write_connection_state_init (session);
2688 if (ret < 0)
2689 {
2690 gnutls_assert ();
2691 return ret;
2692 }
2693
2694 case STATE21:
2695 /* send the finished message */
2696 ret = _gnutls_send_finished (session, AGAIN (STATE21));
2697 STATE = STATE21;
2698 if (ret < 0)
2699 {
2700 ERR ("send Finished", ret);
2701 gnutls_assert ();
2702 return ret;
2703 }
2704
2705 STATE = STATE0;
2706 default:
2707 break;
2708 }
2709
2710 return 0;
2711 }
2712
2713 /* This function receives the final handshake packets
2714 * And executes the appropriate function to initialize the
2715 * read session.
2716 */
2717 static int
2718 _gnutls_recv_handshake_final (gnutls_session_t session, int init)
2719 {
2720 int ret = 0;
2721 uint8_t ch;
2722 unsigned int ccs_len = 1;
2723 unsigned int tleft;
2724
2725 ret = handshake_remaining_time(session);
2726 if (ret < 0)
2727 return gnutls_assert_val(ret);
2728 tleft = ret;
2729
2730 switch (STATE)
2731 {
2732 case STATE0:
2733 case STATE30:
2734 STATE = STATE30;
2735
2736 /* This is the last flight and peer cannot be sure
2737 * we have received it unless we notify him. So we
2738 * wait for a message and retransmit if needed. */
2739 if (IS_DTLS(session) && !_dtls_is_async(session) &&
2740 (gnutls_record_check_pending (session) +
2741 record_check_unprocessed (session)) == 0)
2742 {
2743 ret = _dtls_wait_and_retransmit(session);
2744 if (ret < 0)
2745 return gnutls_assert_val(ret);
2746 }
2747
2748 if (gnutls_protocol_get_version (session) == GNUTLS_DTLS0_9)
2749 ccs_len = 3;
2750
2751 ret = _gnutls_recv_int (session, GNUTLS_CHANGE_CIPHER_SPEC, -1, &ch, ccs_len, NULL,
2752 tleft);
2753 if (ret <= 0)
2754 {
2755 ERR ("recv ChangeCipherSpec", ret);
2756 gnutls_assert ();
2757 return (ret < 0) ? ret : GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
2758 }
2759
2760 if (gnutls_protocol_get_version (session) == GNUTLS_DTLS0_9)
2761 session->internals.dtls.hsk_read_seq++;
2762
2763 /* Initialize the connection session (start encryption) - in case of server */
2764 if (init == TRUE)
2765 {
2766 ret = _gnutls_connection_state_init (session);
2767 if (ret < 0)
2768 {
2769 gnutls_assert ();
2770 return ret;
2771 }
2772 }
2773
2774 ret = _gnutls_read_connection_state_init (session);
2775 if (ret < 0)
2776 {
2777 gnutls_assert ();
2778 return ret;
2779 }
2780
2781 case STATE31:
2782 STATE = STATE31;
2783
2784 if (IS_DTLS(session) && !_dtls_is_async(session) &&
2785 (gnutls_record_check_pending( session) +
2786 record_check_unprocessed (session)) == 0)
2787 {
2788 ret = _dtls_wait_and_retransmit(session);
2789 if (ret < 0)
2790 return gnutls_assert_val(ret);
2791 }
2792
2793 ret = _gnutls_recv_finished (session);
2794 if (ret < 0)
2795 {
2796 ERR ("recv finished", ret);
2797 gnutls_assert ();
2798 return ret;
2799 }
2800 STATE = STATE0;
2801 default:
2802 break;
2803 }
2804
2805
2806 return 0;
2807 }
2808
2809 /*
2810 * _gnutls_handshake_server
2811 * This function does the server stuff of the handshake protocol.
2812 */
2813 static int
2814 _gnutls_handshake_server (gnutls_session_t session)
2815 {
2816 int ret = 0;
2817
2818 switch (STATE)
2819 {
2820 case STATE0:
2821 case STATE1:
2822 ret =
2823 _gnutls_recv_handshake (session,
2824 GNUTLS_HANDSHAKE_CLIENT_HELLO,
2825 0, NULL);
2826 STATE = STATE1;
2827 IMED_RET ("recv hello", ret, 1);
2828
2829 case STATE2:
2830 ret = _gnutls_send_hello (session, AGAIN (STATE2));
2831 STATE = STATE2;
2832 IMED_RET ("send hello", ret, 1);
2833
2834 case STATE70:
2835 if (session->security_parameters.do_send_supplemental)
2836 {
2837 ret = _gnutls_send_supplemental (session, AGAIN (STATE70));
2838 STATE = STATE70;
2839 IMED_RET ("send supplemental data", ret, 0);
2840 }
2841
2842 /* SEND CERTIFICATE + KEYEXCHANGE + CERTIFICATE_REQUEST */
2843 case STATE3:
2844 /* NOTE: these should not be send if we are resuming */
2845
2846 if (session->internals.resumed == RESUME_FALSE)
2847 ret = _gnutls_send_server_certificate (session, AGAIN (STATE3));
2848 STATE = STATE3;
2849 IMED_RET ("send server certificate", ret, 0);
2850
2851 case STATE4:
2852 /* send server key exchange (A) */
2853 if (session->internals.resumed == RESUME_FALSE)
2854 ret = _gnutls_send_server_kx_message (session, AGAIN (STATE4));
2855 STATE = STATE4;
2856 IMED_RET ("send server kx", ret, 0);
2857
2858 case STATE5:
2859 /* Send certificate request - if requested to */
2860 if (session->internals.resumed == RESUME_FALSE)
2861 ret =
2862 _gnutls_send_server_crt_request (session, AGAIN (STATE5));
2863 STATE = STATE5;
2864 IMED_RET ("send server cert request", ret, 0);
2865
2866 case STATE6:
2867 /* send the server hello done */
2868 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2869 ret =
2870 _gnutls_send_empty_handshake (session,
2871 GNUTLS_HANDSHAKE_SERVER_HELLO_DONE,
2872 AGAIN (STATE6));
2873 STATE = STATE6;
2874 IMED_RET ("send server hello done", ret, 1);
2875
2876 case STATE71:
2877 if (session->security_parameters.do_recv_supplemental)
2878 {
2879 ret = _gnutls_recv_supplemental (session);
2880 STATE = STATE71;
2881 IMED_RET ("recv client supplemental", ret, 1);
2882 }
2883
2884 /* RECV CERTIFICATE + KEYEXCHANGE + CERTIFICATE_VERIFY */
2885 case STATE7:
2886 /* receive the client certificate message */
2887 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2888 ret = _gnutls_recv_client_certificate (session);
2889 STATE = STATE7;
2890 IMED_RET ("recv client certificate", ret, 1);
2891
2892 case STATE8:
2893 /* receive the client key exchange message */
2894 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2895 ret = _gnutls_recv_client_kx_message (session);
2896 STATE = STATE8;
2897 IMED_RET ("recv client kx", ret, 1);
2898
2899 case STATE9:
2900 /* receive the client certificate verify message */
2901 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2902 ret = _gnutls_recv_client_certificate_verify_message (session);
2903 STATE = STATE9;
2904 IMED_RET ("recv client certificate verify", ret, 1);
2905
2906 STATE = STATE0; /* finished thus clear session */
2907 default:
2908 break;
2909 }
2910
2911 return 0;
2912 }
2913
2914 static int
2915 _gnutls_handshake_common (gnutls_session_t session)
2916 {
2917 int ret = 0;
2918
2919 /* send and recv the change cipher spec and finished messages */
2920 if ((session->internals.resumed != RESUME_FALSE
2921 && session->security_parameters.entity == GNUTLS_CLIENT)
2922 || (session->internals.resumed == RESUME_FALSE
2923 && session->security_parameters.entity == GNUTLS_SERVER))
2924 {
2925 /* if we are a client resuming - or we are a server not resuming */
2926 ret = _gnutls_recv_handshake_final (session, TRUE);
2927 IMED_RET ("recv handshake final", ret, 1);
2928
2929 switch (STATE)
2930 {
2931 case STATE0:
2932 case STATE40:
2933 ret = _gnutls_send_new_session_ticket (session, AGAIN (STATE40));
2934 STATE = STATE40;
2935 IMED_RET ("send handshake new session ticket", ret, 0);
2936 STATE = STATE0;
2937 default:
2938 break;
2939 }
2940
2941 ret = _gnutls_send_handshake_final (session, FALSE);
2942 IMED_RET ("send handshake final", ret, 1);
2943
2944 /* only store if we are not resuming a session and we didn't previously send a ticket
2945 */
2946 if (session->security_parameters.entity == GNUTLS_SERVER && session->internals.ticket_sent == 0)
2947 {
2948 /* in order to support session resuming */
2949 _gnutls_server_register_current_session (session);
2950 }
2951 }
2952 else
2953 { /* if we are a client not resuming - or we are a server resuming */
2954
2955 ret = _gnutls_send_handshake_final (session, TRUE);
2956 IMED_RET ("send handshake final 2", ret, 1);
2957
2958 switch (STATE)
2959 {
2960 case STATE0:
2961 case STATE41:
2962 ret = _gnutls_recv_new_session_ticket (session);
2963 STATE = STATE41;
2964 IMED_RET ("recv handshake new session ticket", ret, 1);
2965 STATE = STATE0;
2966 default:
2967 break;
2968 }
2969
2970 ret = _gnutls_recv_handshake_final (session, FALSE);
2971 IMED_RET ("recv handshake final 2", ret, 1);
2972
2973 }
2974
2975
2976 /* clear handshake buffer */
2977 _gnutls_handshake_hash_buffers_clear (session);
2978 return ret;
2979
2980 }
2981
2982 int
2983 _gnutls_generate_session_id (uint8_t * session_id, uint8_t * len)
2984 {
2985 int ret;
2986
2987 *len = TLS_MAX_SESSION_ID_SIZE;
2988
2989 ret = _gnutls_rnd (GNUTLS_RND_NONCE, session_id, *len);
2990 if (ret < 0)
2991 {
2992 gnutls_assert ();
2993 return ret;
2994 }
2995
2996 return 0;
2997 }
2998
2999 int
3000 _gnutls_recv_hello_request (gnutls_session_t session, void *data,
3001 uint32_t data_size)
3002 {
3003 uint8_t type;
3004
3005 if (session->security_parameters.entity == GNUTLS_SERVER)
3006 {
3007 gnutls_assert ();
3008 return GNUTLS_E_UNEXPECTED_PACKET;
3009 }
3010 if (data_size < 1)
3011 {
3012 gnutls_assert ();
3013 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
3014 }
3015 type = ((uint8_t *) data)[0];
3016 if (type == GNUTLS_HANDSHAKE_HELLO_REQUEST)
3017 {
3018 if (IS_DTLS(session))
3019 session->internals.dtls.hsk_read_seq++;
3020 return GNUTLS_E_REHANDSHAKE;
3021 }
3022 else
3023 {
3024 gnutls_assert ();
3025 return GNUTLS_E_UNEXPECTED_PACKET;
3026 }
3027 }
3028
3029 /* Returns 1 if the given KX has not the corresponding parameters
3030 * (DH or RSA) set up. Otherwise returns 0.
3031 */
3032 inline static int
3033 check_server_params (gnutls_session_t session,
3034 gnutls_kx_algorithm_t kx,
3035 gnutls_kx_algorithm_t * alg, int alg_size)
3036 {
3037 int cred_type;
3038 gnutls_dh_params_t dh_params = NULL;
3039 gnutls_rsa_params_t rsa_params = NULL;
3040 int j;
3041
3042 cred_type = _gnutls_map_kx_get_cred (kx, 1);
3043
3044 /* Read the Diffie-Hellman parameters, if any.
3045 */
3046 if (cred_type == GNUTLS_CRD_CERTIFICATE)
3047 {
3048 int delete;
3049 gnutls_certificate_credentials_t x509_cred =
3050 (gnutls_certificate_credentials_t) _gnutls_get_cred (session->key,
3051 cred_type, NULL);
3052
3053 if (x509_cred != NULL)
3054 {
3055 dh_params =
3056 _gnutls_get_dh_params (x509_cred->dh_params,
3057 x509_cred->params_func, session);
3058 rsa_params =
3059 _gnutls_certificate_get_rsa_params (x509_cred->rsa_params,
3060 x509_cred->params_func,
3061 session);
3062 }
3063
3064 /* Check also if the certificate supports the
3065 * KX method.
3066 */
3067 delete = 1;
3068 for (j = 0; j < alg_size; j++)
3069 {
3070 if (alg[j] == kx)
3071 {
3072 delete = 0;
3073 break;
3074 }
3075 }
3076
3077 if (delete == 1)
3078 return 1;
3079
3080 #ifdef ENABLE_ANON
3081 }
3082 else if (cred_type == GNUTLS_CRD_ANON)
3083 {
3084 gnutls_anon_server_credentials_t anon_cred =
3085 (gnutls_anon_server_credentials_t) _gnutls_get_cred (session->key,
3086 cred_type, NULL);
3087
3088 if (anon_cred != NULL)
3089 {
3090 dh_params =
3091 _gnutls_get_dh_params (anon_cred->dh_params,
3092 anon_cred->params_func, session);
3093 }
3094 #endif
3095 #ifdef ENABLE_PSK
3096 }
3097 else if (cred_type == GNUTLS_CRD_PSK)
3098 {
3099 gnutls_psk_server_credentials_t psk_cred =
3100 (gnutls_psk_server_credentials_t) _gnutls_get_cred (session->key,
3101 cred_type, NULL);
3102
3103 if (psk_cred != NULL)
3104 {
3105 dh_params =
3106 _gnutls_get_dh_params (psk_cred->dh_params, psk_cred->params_func,
3107 session);
3108 }
3109 #endif
3110 }
3111 else
3112 return 0; /* no need for params */
3113
3114
3115 /* If the key exchange method needs RSA or DH params,
3116 * but they are not set then remove it.
3117 */
3118 if (_gnutls_kx_needs_rsa_params (kx) != 0)
3119 {
3120 /* needs rsa params. */
3121 if (_gnutls_rsa_params_to_mpi (rsa_params) == NULL)
3122 {
3123 gnutls_assert ();
3124 return 1;
3125 }
3126 }
3127
3128 if (_gnutls_kx_needs_dh_params (kx) != 0)
3129 {
3130 /* needs DH params. */
3131 if (_gnutls_dh_params_to_mpi (dh_params) == NULL)
3132 {
3133 gnutls_assert ();
3134 return 1;
3135 }
3136 }
3137
3138 return 0;
3139 }
3140
3141 /* This function will remove algorithms that are not supported by
3142 * the requested authentication method. We remove an algorithm if
3143 * we have a certificate with keyUsage bits set.
3144 *
3145 * This does a more high level check than gnutls_supported_ciphersuites(),
3146 * by checking certificates etc.
3147 */
3148 static int
3149 _gnutls_remove_unwanted_ciphersuites (gnutls_session_t session,
3150 uint8_t * cipher_suites,
3151 int cipher_suites_size,
3152 gnutls_pk_algorithm_t *pk_algos,
3153 size_t pk_algos_size)
3154 {
3155
3156 int ret = 0;
3157 int i, new_suites_size;
3158 gnutls_certificate_credentials_t cert_cred;
3159 gnutls_kx_algorithm_t kx;
3160 int server = session->security_parameters.entity == GNUTLS_SERVER ? 1 : 0;
3161 gnutls_kx_algorithm_t alg[MAX_ALGOS];
3162 int alg_size = MAX_ALGOS;
3163
3164 /* if we should use a specific certificate,
3165 * we should remove all algorithms that are not supported
3166 * by that certificate and are on the same authentication
3167 * method (CERTIFICATE).
3168 */
3169
3170 cert_cred =
3171 (gnutls_certificate_credentials_t) _gnutls_get_cred (session->key,
3172 GNUTLS_CRD_CERTIFICATE,
3173 NULL);
3174
3175 /* If there are certificate credentials, find an appropriate certificate
3176 * or disable them;
3177 */
3178 if (session->security_parameters.entity == GNUTLS_SERVER
3179 && cert_cred != NULL && pk_algos_size > 0)
3180 {
3181 ret = _gnutls_server_select_cert (session, pk_algos, pk_algos_size);
3182 if (ret < 0)
3183 {
3184 gnutls_assert ();
3185 _gnutls_debug_log ("Could not find an appropriate certificate: %s\n",
3186 gnutls_strerror (ret));
3187 }
3188 }
3189
3190 /* get all the key exchange algorithms that are
3191 * supported by the X509 certificate parameters.
3192 */
3193 if ((ret =
3194 _gnutls_selected_cert_supported_kx (session, alg, &alg_size)) < 0)
3195 {
3196 gnutls_assert ();
3197 return ret;
3198 }
3199
3200 new_suites_size = 0;
3201
3202 /* now removes ciphersuites based on the KX algorithm
3203 */
3204 for (i = 0; i < cipher_suites_size; i+=2)
3205 {
3206 int delete = 0;
3207
3208 /* finds the key exchange algorithm in
3209 * the ciphersuite
3210 */
3211 kx = _gnutls_cipher_suite_get_kx_algo (&cipher_suites[i]);
3212
3213 /* if it is defined but had no credentials
3214 */
3215 if (!session->internals.premaster_set &&
3216 _gnutls_get_kx_cred (session, kx, NULL) == NULL)
3217 {
3218 delete = 1;
3219 }
3220 else
3221 {
3222 delete = 0;
3223
3224 if (server)
3225 delete = check_server_params (session, kx, alg, alg_size);
3226 }
3227
3228 /* If we have not agreed to a common curve with the peer don't bother
3229 * negotiating ECDH.
3230 */
3231 if (server != 0 && _gnutls_kx_is_ecc(kx))
3232 {
3233 if (_gnutls_session_ecc_curve_get(session) == GNUTLS_ECC_CURVE_INVALID)
3234 {
3235 delete = 1;
3236 }
3237 }
3238
3239 /* These two SRP kx's are marked to require a CRD_CERTIFICATE,
3240 (see cred_mappings in gnutls_algorithms.c), but it also
3241 requires a SRP credential. Don't use SRP kx unless we have a
3242 SRP credential too. */
3243 if (kx == GNUTLS_KX_SRP_RSA || kx == GNUTLS_KX_SRP_DSS)
3244 {
3245 if (!_gnutls_get_cred (session->key, GNUTLS_CRD_SRP, NULL))
3246 {
3247 delete = 1;
3248 }
3249 }
3250
3251 if (delete == 0)
3252 {
3253
3254 _gnutls_handshake_log ("HSK[%p]: Keeping ciphersuite: %s (%.2X.%.2X)\n",
3255 session,
3256 _gnutls_cipher_suite_get_name (&cipher_suites[i]),
3257 cipher_suites[i], cipher_suites[i+1]);
3258
3259 if (i != new_suites_size)
3260 memmove( &cipher_suites[new_suites_size], &cipher_suites[i], 2);
3261 new_suites_size+=2;
3262 }
3263 else
3264 {
3265 _gnutls_handshake_log ("HSK[%p]: Removing ciphersuite: %s\n",
3266 session,
3267 _gnutls_cipher_suite_get_name (&cipher_suites[i]));
3268
3269 }
3270 }
3271
3272 ret = new_suites_size;
3273
3274 return ret;
3275
3276 }
3277
3278 /**
3279 * gnutls_handshake_set_max_packet_length:
3280 * @session: is a #gnutls_session_t structure.
3281 * @max: is the maximum number.
3282 *
3283 * This function will set the maximum size of all handshake messages.
3284 * Handshakes over this size are rejected with
3285 * %GNUTLS_E_HANDSHAKE_TOO_LARGE error code. The default value is
3286 * 48kb which is typically large enough. Set this to 0 if you do not
3287 * want to set an upper limit.
3288 *
3289 * The reason for restricting the handshake message sizes are to
3290 * limit Denial of Service attacks.
3291 **/
3292 void
3293 gnutls_handshake_set_max_packet_length (gnutls_session_t session, size_t max)
3294 {
3295 session->internals.max_handshake_data_buffer_size = max;
3296 }
3297
3298 void
3299 _gnutls_set_adv_version (gnutls_session_t session, gnutls_protocol_t ver)
3300 {
3301 set_adv_version (session, _gnutls_version_get_major (ver),
3302 _gnutls_version_get_minor (ver));
3303 }
3304
3305 gnutls_protocol_t
3306 _gnutls_get_adv_version (gnutls_session_t session)
3307 {
3308 return _gnutls_version_get (_gnutls_get_adv_version_major (session),
3309 _gnutls_get_adv_version_minor (session));
3310 }
3311
3312 /**
3313 * gnutls_handshake_get_last_in:
3314 * @session: is a #gnutls_session_t structure.
3315 *
3316 * This function is only useful to check where the last performed
3317 * handshake failed. If the previous handshake succeed or was not
3318 * performed at all then no meaningful value will be returned.
3319 *
3320 * Check %gnutls_handshake_description_t in gnutls.h for the
3321 * available handshake descriptions.
3322 *
3323 * Returns: the last handshake message type received, a
3324 * %gnutls_handshake_description_t.
3325 **/
3326 gnutls_handshake_description_t
3327 gnutls_handshake_get_last_in (gnutls_session_t session)
3328 {
3329 return session->internals.last_handshake_in;
3330 }
3331
3332 /**
3333 * gnutls_handshake_get_last_out:
3334 * @session: is a #gnutls_session_t structure.
3335 *
3336 * This function is only useful to check where the last performed
3337 * handshake failed. If the previous handshake succeed or was not
3338 * performed at all then no meaningful value will be returned.
3339 *
3340 * Check %gnutls_handshake_description_t in gnutls.h for the
3341 * available handshake descriptions.
3342 *
3343 * Returns: the last handshake message type sent, a
3344 * %gnutls_handshake_description_t.
3345 **/
3346 gnutls_handshake_description_t
3347 gnutls_handshake_get_last_out (gnutls_session_t session)
3348 {
3349 return session->internals.last_handshake_out;
3350 }
Implementation of the SSL/TLS protocol