2 * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008,
3 * 2009, 2010, 2011 Free Software Foundation, Inc.
5 * Author: Nikos Mavrogiannopoulos
7 * This file is part of GnuTLS.
9 * The GnuTLS is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Lesser General Public License
11 * as published by the Free Software Foundation; either version 2.1 of
12 * the License, or (at your option) any later version.
14 * This library is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * Lesser General Public License for more details.
19 * You should have received a copy of the GNU Lesser General Public
20 * License along with this library; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
26 /* Functions that relate to the TLS handshake procedure.
29 #include "gnutls_int.h"
30 #include "gnutls_errors.h"
31 #include "gnutls_dh.h"
33 #include "gnutls_algorithms.h"
34 #include "gnutls_compress.h"
35 #include "gnutls_cipher.h"
36 #include "gnutls_buffers.h"
37 #include "gnutls_mbuffers.h"
38 #include "gnutls_kx.h"
39 #include "gnutls_handshake.h"
40 #include "gnutls_num.h"
41 #include "gnutls_hash_int.h"
42 #include "gnutls_db.h"
43 #include "gnutls_extensions.h"
44 #include "gnutls_supplemental.h"
45 #include "gnutls_auth.h"
46 #include "gnutls_v2_compat.h"
47 #include "auth_cert.h"
48 #include "gnutls_cert.h"
49 #include "gnutls_constate.h"
50 #include <gnutls_record.h>
51 #include <gnutls_state.h>
53 #include <ext_session_ticket.h>
54 #include <ext_safe_renegotiation.h>
55 #include <gnutls_rsa_export.h> /* for gnutls_get_rsa_params() */
56 #include <auth_anon.h> /* for gnutls_anon_server_credentials_t */
57 #include <auth_psk.h> /* for gnutls_psk_server_credentials_t */
60 #ifdef HANDSHAKE_DEBUG
61 #define ERR(x, y) _gnutls_handshake_log("HSK[%p]: %s (%d)\n", session, x,y)
69 static int _gnutls_handshake_hash_init (gnutls_session_t session
);
70 static int _gnutls_server_select_comp_method (gnutls_session_t session
,
71 opaque
* data
, int datalen
);
73 _gnutls_handshake_hash_add_recvd (gnutls_session_t session
,
74 gnutls_handshake_description_t recv_type
,
75 opaque
* header
, uint16_t header_size
,
76 opaque
* dataptr
, uint32_t datalen
);
79 _gnutls_recv_hello_verify_request (gnutls_session_t session
,
80 opaque
* data
, int datalen
);
83 /* Clears the handshake hash buffers and handles.
86 _gnutls_handshake_hash_buffers_clear (gnutls_session_t session
)
88 if (session
->security_parameters
.handshake_mac_handle_type
==
89 HANDSHAKE_MAC_TYPE_10
)
91 _gnutls_hash_deinit (&session
->internals
.handshake_mac_handle
.tls10
.md5
,
93 _gnutls_hash_deinit (&session
->internals
.handshake_mac_handle
.tls10
.sha
,
96 else if (session
->security_parameters
.handshake_mac_handle_type
==
97 HANDSHAKE_MAC_TYPE_12
)
99 _gnutls_hash_deinit (&session
->internals
.handshake_mac_handle
.tls12
.
101 _gnutls_hash_deinit (&session
->internals
.handshake_mac_handle
.tls12
.
104 session
->security_parameters
.handshake_mac_handle_type
= 0;
105 session
->internals
.handshake_mac_handle_init
= 0;
106 _gnutls_handshake_buffer_clear (session
);
109 /* this will copy the required values for resuming to
110 * internals, and to security_parameters.
111 * this will keep as less data to security_parameters.
114 resume_copy_required_values (gnutls_session_t session
)
116 /* get the new random values */
117 memcpy (session
->internals
.resumed_security_parameters
.server_random
,
118 session
->security_parameters
.server_random
, GNUTLS_RANDOM_SIZE
);
119 memcpy (session
->internals
.resumed_security_parameters
.client_random
,
120 session
->security_parameters
.client_random
, GNUTLS_RANDOM_SIZE
);
122 /* keep the ciphersuite and compression
123 * That is because the client must see these in our
126 memcpy (session
->security_parameters
.current_cipher_suite
.suite
,
127 session
->internals
.resumed_security_parameters
.current_cipher_suite
.
130 _gnutls_epoch_set_cipher_suite (session
, EPOCH_NEXT
,
132 internals
.resumed_security_parameters
.current_cipher_suite
);
133 _gnutls_epoch_set_compression (session
, EPOCH_NEXT
,
135 internals
.resumed_compression_method
);
137 /* or write_compression_algorithm
141 session
->security_parameters
.entity
=
142 session
->internals
.resumed_security_parameters
.entity
;
144 _gnutls_set_current_version (session
,
145 session
->internals
.resumed_security_parameters
.
148 session
->security_parameters
.cert_type
=
149 session
->internals
.resumed_security_parameters
.cert_type
;
151 memcpy (session
->security_parameters
.session_id
,
152 session
->internals
.resumed_security_parameters
.session_id
,
153 sizeof (session
->security_parameters
.session_id
));
154 session
->security_parameters
.session_id_size
=
155 session
->internals
.resumed_security_parameters
.session_id_size
;
160 _gnutls_set_server_random (gnutls_session_t session
, uint8_t * rnd
)
162 memcpy (session
->security_parameters
.server_random
, rnd
,
167 _gnutls_set_client_random (gnutls_session_t session
, uint8_t * rnd
)
169 memcpy (session
->security_parameters
.client_random
, rnd
,
173 /* Calculate The SSL3 Finished message
175 #define SSL3_CLIENT_MSG "CLNT"
176 #define SSL3_SERVER_MSG "SRVR"
177 #define SSL_MSG_LEN 4
179 _gnutls_ssl3_finished (gnutls_session_t session
, int type
, opaque
* ret
)
181 const int siz
= SSL_MSG_LEN
;
187 if (session
->security_parameters
.handshake_mac_handle_type
==
188 HANDSHAKE_MAC_TYPE_10
)
191 _gnutls_hash_copy (&td_md5
,
192 &session
->internals
.handshake_mac_handle
.tls10
.
201 _gnutls_hash_copy (&td_sha
,
202 &session
->internals
.handshake_mac_handle
.tls10
.
207 _gnutls_hash_deinit (&td_md5
, NULL
);
214 return GNUTLS_E_INTERNAL_ERROR
;
217 if (type
== GNUTLS_SERVER
)
219 mesg
= SSL3_SERVER_MSG
;
223 mesg
= SSL3_CLIENT_MSG
;
226 _gnutls_hash (&td_md5
, mesg
, siz
);
227 _gnutls_hash (&td_sha
, mesg
, siz
);
229 rc
= _gnutls_mac_deinit_ssl3_handshake (&td_md5
, ret
,
231 security_parameters
.master_secret
,
235 _gnutls_hash_deinit (&td_md5
, NULL
);
236 _gnutls_hash_deinit (&td_sha
, NULL
);
237 return gnutls_assert_val(rc
);
240 rc
= _gnutls_mac_deinit_ssl3_handshake (&td_sha
, &ret
[16],
242 security_parameters
.master_secret
,
246 _gnutls_hash_deinit (&td_sha
, NULL
);
247 return gnutls_assert_val(rc
);
253 /* Hash the handshake messages as required by TLS 1.0
255 #define SERVER_MSG "server finished"
256 #define CLIENT_MSG "client finished"
257 #define TLS_MSG_LEN 15
259 _gnutls_finished (gnutls_session_t session
, int type
, void *ret
)
261 const int siz
= TLS_MSG_LEN
;
262 opaque concat
[MAX_HASH_SIZE
+ 16 /*MD5 */ ];
263 size_t len
= 20 + 16;
269 if (session
->security_parameters
.handshake_mac_handle_type
==
270 HANDSHAKE_MAC_TYPE_10
)
273 _gnutls_hash_copy (&td_md5
,
274 &session
->internals
.handshake_mac_handle
.tls10
.
283 _gnutls_hash_copy (&td_sha
,
284 &session
->internals
.handshake_mac_handle
.tls10
.
289 _gnutls_hash_deinit (&td_md5
, NULL
);
293 _gnutls_hash_deinit (&td_md5
, concat
);
294 _gnutls_hash_deinit (&td_sha
, &concat
[16]);
296 else if (session
->security_parameters
.handshake_mac_handle_type
==
297 HANDSHAKE_MAC_TYPE_12
)
300 _gnutls_hash_copy (&td_sha
,
301 &session
->internals
.handshake_mac_handle
.tls12
.
309 _gnutls_hash_deinit (&td_sha
, concat
);
310 len
= _gnutls_hash_get_algo_len (td_sha
.algorithm
);
313 if (type
== GNUTLS_SERVER
)
322 return _gnutls_PRF (session
, session
->security_parameters
.master_secret
,
323 GNUTLS_MASTER_SIZE
, mesg
, siz
, concat
, len
, 12, ret
);
326 /* this function will produce GNUTLS_RANDOM_SIZE==32 bytes of random data
330 _gnutls_tls_create_random (opaque
* dst
)
335 /* Use weak random numbers for the most of the
336 * buffer except for the first 4 that are the
341 /* generate server random value */
342 _gnutls_write_uint32 (tim
, dst
);
344 ret
= _gnutls_rnd (GNUTLS_RND_NONCE
, &dst
[4], GNUTLS_RANDOM_SIZE
- 4);
354 /* returns the 0 on success or a negative value.
357 _gnutls_negotiate_version (gnutls_session_t session
,
358 gnutls_protocol_t adv_version
)
362 /* if we do not support that version */
363 if (_gnutls_version_is_supported (session
, adv_version
) == 0)
365 /* If he requested something we do not support
366 * then we send him the highest we support.
368 ret
= _gnutls_version_max (session
);
369 if (ret
== GNUTLS_VERSION_UNKNOWN
)
371 /* this check is not really needed.
374 return GNUTLS_E_UNKNOWN_CIPHER_SUITE
;
382 _gnutls_set_current_version (session
, ret
);
388 _gnutls_user_hello_func (gnutls_session_t session
,
389 gnutls_protocol_t adv_version
)
393 if (session
->internals
.user_hello_func
!= NULL
)
395 ret
= session
->internals
.user_hello_func (session
);
401 /* Here we need to renegotiate the version since the callee might
402 * have disabled some TLS versions.
404 ret
= _gnutls_negotiate_version (session
, adv_version
);
414 /* Read a client hello packet.
415 * A client hello must be a known version client hello
416 * or version 2.0 client hello (only for compatibility
417 * since SSL version 2.0 is not supported).
420 _gnutls_read_client_hello (gnutls_session_t session
, opaque
* data
,
423 uint8_t session_id_len
;
425 uint16_t suite_size
, comp_size
;
426 gnutls_protocol_t adv_version
;
429 opaque rnd
[GNUTLS_RANDOM_SIZE
], *suite_ptr
, *comp_ptr
, *session_id
;
431 if (session
->internals
.v2_hello
!= 0)
433 return _gnutls_read_client_hello_v2 (session
, data
, datalen
);
437 _gnutls_handshake_log ("HSK[%p]: Client's version: %d.%d\n", session
,
438 data
[pos
], data
[pos
+ 1]);
440 adv_version
= _gnutls_version_get (data
[pos
], data
[pos
+ 1]);
441 set_adv_version (session
, data
[pos
], data
[pos
+ 1]);
444 neg_version
= _gnutls_negotiate_version (session
, adv_version
);
451 /* Read client random value.
453 DECR_LEN (len
, GNUTLS_RANDOM_SIZE
);
454 _gnutls_set_client_random (session
, &data
[pos
]);
455 pos
+= GNUTLS_RANDOM_SIZE
;
457 _gnutls_tls_create_random (rnd
);
458 _gnutls_set_server_random (session
, rnd
);
460 session
->security_parameters
.timestamp
= time (NULL
);
463 session_id_len
= data
[pos
++];
467 if (session_id_len
> TLS_MAX_SESSION_ID_SIZE
)
470 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH
;
472 DECR_LEN (len
, session_id_len
);
474 session_id
= &data
[pos
];
475 ret
= _gnutls_server_restore_session (session
, session_id
, session_id_len
);
476 pos
+= session_id_len
;
479 { /* resumed using default TLS resumption! */
480 /* Parse only the safe renegotiation extension
481 * We don't want to parse any other extensions since
482 * we don't want new extension values to overwrite the
486 /* move forward to extensions */
488 suite_size
= _gnutls_read_uint16 (&data
[pos
]);
491 DECR_LEN (len
, suite_size
);
495 comp_size
= data
[pos
++]; /* z is the number of compression methods */
496 DECR_LEN (len
, comp_size
);
499 ret
= _gnutls_parse_extensions (session
, GNUTLS_EXT_MANDATORY
,
507 resume_copy_required_values (session
);
508 session
->internals
.resumed
= RESUME_TRUE
;
510 return _gnutls_user_hello_func (session
, adv_version
);
514 _gnutls_generate_session_id (session
->security_parameters
.session_id
,
516 security_parameters
.session_id_size
);
518 session
->internals
.resumed
= RESUME_FALSE
;
521 if (_gnutls_is_dtls(session
))
526 cookie_size
= data
[pos
++];
527 DECR_LEN (len
, cookie_size
);
531 /* Remember ciphersuites for later
534 suite_size
= _gnutls_read_uint16 (&data
[pos
]);
537 DECR_LEN (len
, suite_size
);
538 suite_ptr
= &data
[pos
];
541 /* Point to the compression methods
544 comp_size
= data
[pos
++]; /* z is the number of compression methods */
546 DECR_LEN (len
, comp_size
);
547 comp_ptr
= &data
[pos
];
550 /* Parse the extensions (if any)
552 * Unconditionally try to parse extensions; safe renegotiation uses them in
553 * sslv3 and higher, even though sslv3 doesn't officially support them.
555 ret
= _gnutls_parse_extensions (session
, GNUTLS_EXT_APPLICATION
,
557 /* len is the rest of the parsed length */
564 ret
= _gnutls_user_hello_func (session
, adv_version
);
571 ret
= _gnutls_parse_extensions (session
, GNUTLS_EXT_MANDATORY
,
579 ret
= _gnutls_parse_extensions (session
, GNUTLS_EXT_TLS
, &data
[pos
], len
);
586 /* resumed by session_ticket extension */
587 if (session
->internals
.resumed
== RESUME_TRUE
)
589 /* to indicate the client that the current session is resumed */
590 memcpy (session
->internals
.resumed_security_parameters
.session_id
,
591 session_id
, session_id_len
);
592 session
->internals
.resumed_security_parameters
.session_id_size
=
595 session
->internals
.resumed_security_parameters
.max_record_recv_size
=
596 session
->security_parameters
.max_record_recv_size
;
597 session
->internals
.resumed_security_parameters
.max_record_send_size
=
598 session
->security_parameters
.max_record_send_size
;
600 resume_copy_required_values (session
);
602 return _gnutls_user_hello_func (session
, adv_version
);
605 /* select an appropriate cipher suite
607 ret
= _gnutls_server_select_suite (session
, suite_ptr
, suite_size
);
614 /* select appropriate compression method */
615 ret
= _gnutls_server_select_comp_method (session
, comp_ptr
, comp_size
);
625 /* here we hash all pending data.
628 _gnutls_handshake_hash_pending (gnutls_session_t session
)
634 if (session
->internals
.handshake_mac_handle_init
== 0)
637 return GNUTLS_E_INTERNAL_ERROR
;
640 /* We check if there are pending data to hash.
642 if ((ret
= _gnutls_handshake_buffer_get_ptr (session
, &data
, &siz
)) < 0)
650 if (session
->security_parameters
.handshake_mac_handle_type
==
651 HANDSHAKE_MAC_TYPE_10
)
653 _gnutls_hash (&session
->internals
.handshake_mac_handle
.tls10
.sha
,
655 _gnutls_hash (&session
->internals
.handshake_mac_handle
.tls10
.md5
,
658 else if (session
->security_parameters
.handshake_mac_handle_type
==
659 HANDSHAKE_MAC_TYPE_12
)
661 _gnutls_hash (&session
->internals
.handshake_mac_handle
.tls12
.sha256
,
663 _gnutls_hash (&session
->internals
.handshake_mac_handle
.tls12
.sha1
,
668 _gnutls_handshake_buffer_empty (session
);
674 /* This is to be called after sending CHANGE CIPHER SPEC packet
675 * and initializing encryption. This is the first encrypted message
679 _gnutls_send_finished (gnutls_session_t session
, int again
)
684 size_t vdata_size
= 0;
688 bufel
= _gnutls_handshake_alloc (session
, MAX_VERIFY_DATA_SIZE
, MAX_VERIFY_DATA_SIZE
);
692 return GNUTLS_E_MEMORY_ERROR
;
694 data
= _mbuffer_get_udata_ptr (bufel
);
696 /* This is needed in order to hash all the required
699 if ((ret
= _gnutls_handshake_hash_pending (session
)) < 0)
705 if (gnutls_protocol_get_version (session
) == GNUTLS_SSL3
)
708 _gnutls_ssl3_finished (session
,
709 session
->security_parameters
.entity
, data
);
710 _mbuffer_set_udata_size (bufel
, 36);
714 ret
= _gnutls_finished (session
,
715 session
->security_parameters
.entity
, data
);
716 _mbuffer_set_udata_size (bufel
, 12);
725 vdata_size
= _mbuffer_get_udata_size (bufel
);
727 ret
= _gnutls_ext_sr_finished (session
, data
, vdata_size
, 0);
734 if ((session
->internals
.resumed
== RESUME_FALSE
735 && session
->security_parameters
.entity
== GNUTLS_CLIENT
)
736 || (session
->internals
.resumed
== RESUME_TRUE
737 && session
->security_parameters
.entity
== GNUTLS_SERVER
))
739 /* if we are a client not resuming - or we are a server resuming */
740 _gnutls_handshake_log ("HSK[%p]: recording tls-unique CB (send)\n",
742 memcpy (session
->internals
.cb_tls_unique
, data
, vdata_size
);
743 session
->internals
.cb_tls_unique_len
= vdata_size
;
747 _gnutls_send_handshake (session
, bufel
, GNUTLS_HANDSHAKE_FINISHED
);
751 ret
= _gnutls_send_handshake (session
, NULL
, GNUTLS_HANDSHAKE_FINISHED
);
757 /* This is to be called after sending our finished message. If everything
758 * went fine we have negotiated a secure connection
761 _gnutls_recv_finished (gnutls_session_t session
)
763 uint8_t data
[MAX_VERIFY_DATA_SIZE
], *vrfy
;
769 _gnutls_recv_handshake (session
, &vrfy
, &vrfysize
,
770 GNUTLS_HANDSHAKE_FINISHED
, MANDATORY_PACKET
);
773 ERR ("recv finished int", ret
);
779 if (gnutls_protocol_get_version (session
) == GNUTLS_SSL3
)
788 if (vrfysize
!= data_size
)
792 return GNUTLS_E_ERROR_IN_FINISHED_PACKET
;
795 if (gnutls_protocol_get_version (session
) == GNUTLS_SSL3
)
798 _gnutls_ssl3_finished (session
,
799 (session
->security_parameters
.entity
+ 1) % 2,
805 _gnutls_finished (session
,
806 (session
->security_parameters
.entity
+
817 if (memcmp (vrfy
, data
, data_size
) != 0)
820 ret
= GNUTLS_E_ERROR_IN_FINISHED_PACKET
;
824 ret
= _gnutls_ext_sr_finished (session
, data
, data_size
, 1);
831 if ((session
->internals
.resumed
== RESUME_TRUE
832 && session
->security_parameters
.entity
== GNUTLS_CLIENT
)
833 || (session
->internals
.resumed
== RESUME_FALSE
834 && session
->security_parameters
.entity
== GNUTLS_SERVER
))
836 /* if we are a client resuming - or we are a server not resuming */
837 _gnutls_handshake_log ("HSK[%p]: recording tls-unique CB (recv)\n",
839 memcpy (session
->internals
.cb_tls_unique
, data
, data_size
);
840 session
->internals
.cb_tls_unique_len
= data_size
;
843 session
->internals
.initial_negotiation_completed
= 1;
848 /* returns PK_RSA if the given cipher suite list only supports,
849 * RSA algorithms, PK_DSA if DSS, and PK_ANY for both or PK_NONE for none.
852 server_find_pk_algos_in_ciphersuites (const opaque
*
853 data
, unsigned int datalen
)
856 gnutls_pk_algorithm_t algo
= GNUTLS_PK_NONE
, prev_algo
= 0;
857 gnutls_kx_algorithm_t kx
;
860 if (datalen
% 2 != 0)
863 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH
;
866 for (j
= 0; j
< datalen
; j
+= 2)
868 memcpy (&cs
.suite
, &data
[j
], 2);
869 kx
= _gnutls_cipher_suite_get_kx_algo (&cs
);
871 if (_gnutls_map_kx_get_cred (kx
, 1) == GNUTLS_CRD_CERTIFICATE
)
873 algo
= _gnutls_map_pk_get_pk (kx
);
875 if (algo
!= prev_algo
&& prev_algo
!= 0)
876 return GNUTLS_PK_ANY
;
884 /* This selects the best supported ciphersuite from the given ones. Then
885 * it adds the suite to the session and performs some checks.
888 _gnutls_server_select_suite (gnutls_session_t session
, opaque
* data
,
892 cipher_suite_st
*ciphers
, cs
;
894 gnutls_pk_algorithm_t pk_algo
; /* will hold the pk algorithms
895 * supported by the peer.
898 /* First, check for safe renegotiation SCSV.
900 if (session
->internals
.priorities
.sr
!= SR_DISABLED
)
904 for (offset
= 0; offset
< datalen
; offset
+= 2)
906 /* TLS_RENEGO_PROTECTION_REQUEST = { 0x00, 0xff } */
907 if (data
[offset
] == GNUTLS_RENEGO_PROTECTION_REQUEST_MAJOR
&&
908 data
[offset
+ 1] == GNUTLS_RENEGO_PROTECTION_REQUEST_MINOR
)
910 _gnutls_handshake_log
911 ("HSK[%p]: Received safe renegotiation CS\n", session
);
912 retval
= _gnutls_ext_sr_recv_cs (session
);
923 pk_algo
= server_find_pk_algos_in_ciphersuites (data
, datalen
);
925 x
= _gnutls_supported_ciphersuites (session
, &ciphers
);
927 { /* the case x==0 is handled within the function. */
932 /* Here we remove any ciphersuite that does not conform
933 * the certificate requested, or to the
934 * authentication requested (e.g. SRP).
936 x
= _gnutls_remove_unwanted_ciphersuites (session
, &ciphers
, x
, pk_algo
);
940 gnutls_free (ciphers
);
944 return GNUTLS_E_UNKNOWN_CIPHER_SUITE
;
947 /* Data length should be zero mod 2 since
948 * every ciphersuite is 2 bytes. (this check is needed
951 if (datalen
% 2 != 0)
954 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH
;
957 memset (session
->security_parameters
.current_cipher_suite
.suite
, 0, 2);
959 retval
= GNUTLS_E_UNKNOWN_CIPHER_SUITE
;
961 _gnutls_handshake_log ("HSK[%p]: Requested cipher suites[size: %d]: \n", session
, (int)datalen
);
962 for (j
= 0; j
< datalen
; j
+= 2)
964 memcpy (&cs
.suite
, &data
[j
], 2);
965 _gnutls_handshake_log ("\t0x%.2x, 0x%.2x %s\n", data
[j
], data
[j
+1], _gnutls_cipher_suite_get_name (&cs
));
966 for (i
= 0; i
< x
; i
++)
968 if (memcmp (ciphers
[i
].suite
, &data
[j
], 2) == 0)
970 _gnutls_handshake_log
971 ("HSK[%p]: Selected cipher suite: %s\n", session
,
972 _gnutls_cipher_suite_get_name (&cs
));
973 memcpy (session
->security_parameters
.current_cipher_suite
.suite
,
974 ciphers
[i
].suite
, 2);
975 _gnutls_epoch_set_cipher_suite (session
, EPOCH_NEXT
,
977 security_parameters
.current_cipher_suite
);
987 gnutls_free (ciphers
);
995 /* check if the credentials (username, public key etc.) are ok
997 if (_gnutls_get_kx_cred
999 _gnutls_cipher_suite_get_kx_algo (&session
->
1000 security_parameters
.current_cipher_suite
),
1001 &err
) == NULL
&& err
!= 0)
1004 return GNUTLS_E_INSUFFICIENT_CREDENTIALS
;
1008 /* set the mod_auth_st to the appropriate struct
1009 * according to the KX algorithm. This is needed since all the
1010 * handshake functions are read from there;
1012 session
->internals
.auth_struct
=
1013 _gnutls_kx_auth_struct (_gnutls_cipher_suite_get_kx_algo
1015 security_parameters
.current_cipher_suite
));
1016 if (session
->internals
.auth_struct
== NULL
)
1019 _gnutls_handshake_log
1020 ("HSK[%p]: Cannot find the appropriate handler for the KX algorithm\n",
1023 return GNUTLS_E_INTERNAL_ERROR
;
1031 /* This selects the best supported compression method from the ones provided
1034 _gnutls_server_select_comp_method (gnutls_session_t session
,
1035 opaque
* data
, int datalen
)
1040 x
= _gnutls_supported_compression_methods (session
, &comps
);
1047 memset (&session
->internals
.compression_method
, 0,
1048 sizeof (gnutls_compression_method_t
));
1050 for (j
= 0; j
< datalen
; j
++)
1052 for (i
= 0; i
< x
; i
++)
1054 if (comps
[i
] == data
[j
])
1056 gnutls_compression_method_t method
=
1057 _gnutls_compression_get_id (comps
[i
]);
1059 session
->internals
.compression_method
= method
;
1060 gnutls_free (comps
);
1062 _gnutls_epoch_set_compression (session
, EPOCH_NEXT
, method
);
1064 _gnutls_handshake_log
1065 ("HSK[%p]: Selected Compression Method: %s\n", session
,
1066 gnutls_compression_get_name (session
->
1067 internals
.compression_method
));
1075 /* we were not able to find a compatible compression
1078 gnutls_free (comps
);
1080 return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM
;
1084 /* This function sends an empty handshake packet. (like hello request).
1085 * If the previous _gnutls_send_empty_handshake() returned
1086 * GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED, then it must be called again
1087 * (until it returns ok), with NULL parameters.
1090 _gnutls_send_empty_handshake (gnutls_session_t session
,
1091 gnutls_handshake_description_t type
, int again
)
1097 bufel
= _gnutls_handshake_alloc (session
, 0, 0);
1101 return GNUTLS_E_MEMORY_ERROR
;
1107 return _gnutls_send_handshake (session
, bufel
, type
);
1111 /* This function will hash the handshake message we sent.
1114 _gnutls_handshake_hash_add_sent (gnutls_session_t session
,
1115 gnutls_handshake_description_t type
,
1116 opaque
* dataptr
, uint32_t datalen
)
1120 if (session
->security_parameters
.entity
== GNUTLS_CLIENT
1121 && type
== GNUTLS_HANDSHAKE_CLIENT_HELLO
)
1123 /* do not hash immediatelly since the hash has not yet been initialized */
1125 _gnutls_handshake_buffer_put (session
, dataptr
, datalen
)) < 0)
1133 if ((ret
= _gnutls_handshake_hash_pending (session
)) < 0)
1139 if (type
!= GNUTLS_HANDSHAKE_HELLO_REQUEST
)
1141 if (session
->security_parameters
.handshake_mac_handle_type
==
1142 HANDSHAKE_MAC_TYPE_10
)
1144 _gnutls_hash (&session
->internals
.handshake_mac_handle
.tls10
.sha
,
1146 _gnutls_hash (&session
->internals
.handshake_mac_handle
.tls10
.md5
,
1149 else if (session
->security_parameters
.handshake_mac_handle_type
==
1150 HANDSHAKE_MAC_TYPE_12
)
1152 _gnutls_hash (&session
->internals
.handshake_mac_handle
.tls12
.sha256
,
1154 _gnutls_hash (&session
->internals
.handshake_mac_handle
.tls12
.sha1
,
1163 /* This function sends a handshake message of type 'type' containing the
1164 * data specified here. If the previous _gnutls_send_handshake() returned
1165 * GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED, then it must be called again
1166 * (until it returns ok), with NULL parameters.
1169 _gnutls_send_handshake (gnutls_session_t session
, mbuffer_st
* bufel
,
1170 gnutls_handshake_description_t type
)
1174 uint32_t datasize
, i_datasize
;
1179 /* we are resuming a previously interrupted
1182 ret
= _gnutls_handshake_io_write_flush (session
);
1188 data
= _mbuffer_get_uhead_ptr (bufel
);
1189 i_datasize
= _mbuffer_get_udata_size(bufel
);
1190 datasize
= i_datasize
+ _mbuffer_get_uhead_size (bufel
);
1192 data
[pos
++] = (uint8_t) type
;
1193 _gnutls_write_uint24 (_mbuffer_get_udata_size (bufel
), &data
[pos
]);
1196 /* Add DTLS handshake fragment headers. The message will be
1197 * fragmented later by the fragmentation sub-layer. All fields must
1198 * be set properly for HMAC. The HMAC requires we pretend that the
1199 * message was sent in a single fragment. */
1200 if (_gnutls_is_dtls(session
))
1202 _gnutls_write_uint16 (session
->internals
.dtls
.hsk_write_seq
++, &data
[pos
]);
1205 /* Fragment offset */
1206 _gnutls_write_uint24 (0, &data
[pos
]);
1209 /* Fragment length */
1210 _gnutls_write_uint24 (i_datasize
, &data
[pos
]);
1214 _gnutls_handshake_log ("HSK[%p]: %s was queued [%ld bytes]\n",
1215 session
, _gnutls_handshake2str (type
),
1219 /* If we send a second or more ClientHello due to a
1220 HelloVerifyRequest, we only remember the last ClientHello
1221 sent for hashing purposes. */
1222 if (_gnutls_is_dtls(session
)
1223 && type
== GNUTLS_HANDSHAKE_CLIENT_HELLO
1224 && (session
->internals
.last_handshake_out
== GNUTLS_HANDSHAKE_CLIENT_HELLO
1225 || session
->internals
.last_handshake_out
== -1))
1227 _gnutls_handshake_hash_buffers_clear (session
);
1228 if ((ret
= _gnutls_handshake_hash_init (session
)) < 0)
1235 /* Here we keep the handshake messages in order to hash them...
1237 if (type
!= GNUTLS_HANDSHAKE_HELLO_REQUEST
)
1239 _gnutls_handshake_hash_add_sent (session
, type
, data
, datasize
)) < 0)
1242 _mbuffer_xfree(&bufel
);
1246 session
->internals
.last_handshake_out
= type
;
1248 ret
= _gnutls_handshake_io_cache_int (session
, type
, bufel
);
1251 _mbuffer_xfree(&bufel
);
1258 case GNUTLS_HANDSHAKE_CERTIFICATE_PKT
: /* this one is followed by ServerHelloDone
1259 * or ClientKeyExchange always.
1261 case GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE
: /* as above */
1262 case GNUTLS_HANDSHAKE_SERVER_HELLO
: /* as above */
1263 case GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST
: /* as above */
1264 case GNUTLS_HANDSHAKE_NEW_SESSION_TICKET
: /* followed by ChangeCipherSpec */
1266 /* now for client Certificate, ClientKeyExchange and
1267 * CertificateVerify are always followed by ChangeCipherSpec
1269 case GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY
:
1270 case GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE
:
1274 /* send cached messages */
1275 ret
= _gnutls_handshake_io_write_flush (session
);
1282 #define _gnutls_handshake_header_buffer_clear( session) session->internals.handshake_header_buffer.header_size = 0; \
1283 session->internals.handshake_header_buffer.sequence = -1; \
1284 session->internals.handshake_header_buffer.frag_offset = 0; \
1285 session->internals.handshake_header_buffer.frag_length = 0
1287 /* This function will read the handshake header and return it to the caller. If the
1288 * received handshake packet is not the one expected then it buffers the header, and
1289 * returns UNEXPECTED_HANDSHAKE_PACKET.
1291 * FIXME: This function is complex.
1293 #define SSL2_HEADERS 1
1295 _gnutls_recv_handshake_header (gnutls_session_t session
,
1296 gnutls_handshake_description_t type
,
1297 gnutls_handshake_description_t
* recv_type
)
1300 uint32_t length32
= 0;
1301 uint8_t *dataptr
= NULL
; /* for realloc */
1302 size_t handshake_header_size
= HANDSHAKE_HEADER_SIZE(session
);
1304 /* if we have data into the buffer then return them, do not read the next packet.
1305 * In order to return we need a full TLS handshake header, or in case of a version 2
1306 * packet, then we return the first byte.
1308 if (session
->internals
.handshake_header_buffer
.header_size
==
1309 handshake_header_size
|| (session
->internals
.v2_hello
!= 0
1310 && type
== GNUTLS_HANDSHAKE_CLIENT_HELLO
1311 && session
->internals
.handshake_header_buffer
.
1315 *recv_type
= session
->internals
.handshake_header_buffer
.recv_type
;
1317 if (*recv_type
!= type
)
1320 _gnutls_handshake_log
1321 ("HSK[%p]: Handshake type mismatch (under attack?)\n", session
);
1322 return GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET
;
1325 return session
->internals
.handshake_header_buffer
.packet_length
;
1328 /* Note: SSL2_HEADERS == 1 */
1330 dataptr
= session
->internals
.handshake_header_buffer
.header
;
1332 /* If we haven't already read the handshake headers.
1334 if (session
->internals
.handshake_header_buffer
.header_size
< SSL2_HEADERS
)
1337 _gnutls_handshake_io_recv_int (session
, GNUTLS_HANDSHAKE
,
1338 type
, dataptr
, SSL2_HEADERS
);
1345 /* The case ret==0 is caught here.
1347 if (ret
!= SSL2_HEADERS
)
1350 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH
;
1352 session
->internals
.handshake_header_buffer
.header_size
= SSL2_HEADERS
;
1355 if (session
->internals
.v2_hello
== 0
1356 || type
!= GNUTLS_HANDSHAKE_CLIENT_HELLO
)
1359 _gnutls_handshake_io_recv_int (session
, GNUTLS_HANDSHAKE
,
1363 internals
.handshake_header_buffer
.
1365 HANDSHAKE_HEADER_SIZE(session
) -
1367 internals
.handshake_header_buffer
.
1372 return (ret
< 0) ? ret
: GNUTLS_E_UNEXPECTED_PACKET_LENGTH
;
1375 HANDSHAKE_HEADER_SIZE(session
) -
1376 session
->internals
.handshake_header_buffer
.header_size
)
1379 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH
;
1381 *recv_type
= dataptr
[0];
1383 /* we do not use DECR_LEN because we know
1384 * that the packet has enough data.
1386 length32
= _gnutls_read_uint24 (&dataptr
[1]);
1387 handshake_header_size
= HANDSHAKE_HEADER_SIZE(session
);
1389 if (IS_DTLS(session
))
1391 session
->internals
.handshake_header_buffer
.sequence
= _gnutls_read_uint16 (&dataptr
[4]);
1392 session
->internals
.handshake_header_buffer
.frag_offset
= _gnutls_read_uint24 (&dataptr
[6]);
1393 session
->internals
.handshake_header_buffer
.frag_length
= _gnutls_read_uint24 (&dataptr
[9]);
1397 _gnutls_handshake_log ("HSK[%p]: %s was received [%ld bytes]\n",
1398 session
, _gnutls_handshake2str (dataptr
[0]),
1399 (long int) (length32
+ HANDSHAKE_HEADER_SIZE(session
)));
1404 length32
= session
->internals
.v2_hello
- SSL2_HEADERS
; /* we've read the first byte */
1406 handshake_header_size
= SSL2_HEADERS
; /* we've already read one byte */
1408 *recv_type
= dataptr
[0];
1410 _gnutls_handshake_log ("HSK[%p]: %s(v2) was received [%ld bytes]\n",
1411 session
, _gnutls_handshake2str (*recv_type
),
1412 (long int) (length32
+ handshake_header_size
));
1414 /* The IS_DTLS() check is redundant since the record layer will
1415 * prevent us from reaching here.
1417 if (IS_DTLS(session
) || *recv_type
!= GNUTLS_HANDSHAKE_CLIENT_HELLO
)
1418 { /* it should be one or nothing */
1420 return GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET
;
1424 /* put the packet into the buffer */
1425 session
->internals
.handshake_header_buffer
.header_size
=
1426 handshake_header_size
;
1427 session
->internals
.handshake_header_buffer
.packet_length
= length32
;
1428 session
->internals
.handshake_header_buffer
.recv_type
= *recv_type
;
1430 if (IS_DTLS(session
))
1432 if ((int)session
->internals
.handshake_header_buffer
.sequence
<= session
->internals
.dtls
.hsk_read_seq
)
1434 _gnutls_audit_log("Dropping replayed handshake packet with sequence %d\n", session
->internals
.handshake_header_buffer
.sequence
);
1435 ret
= _gnutls_handshake_io_recv_skip(session
, GNUTLS_HANDSHAKE
, *recv_type
, length32
);
1437 return gnutls_assert_val(ret
);
1439 _gnutls_handshake_header_buffer_clear (session
);
1440 return GNUTLS_E_AGAIN
;
1442 session
->internals
.dtls
.hsk_read_seq
= session
->internals
.handshake_header_buffer
.sequence
;
1444 if (type
== GNUTLS_HANDSHAKE_SERVER_HELLO
1445 && *recv_type
== GNUTLS_HANDSHAKE_HELLO_VERIFY_REQUEST
)
1449 if (*recv_type
!= type
)
1451 _gnutls_handshake_log ("HSK[%p]: %s was received, expected %s\n",
1452 session
, _gnutls_handshake2str (*recv_type
),
1453 _gnutls_handshake2str (type
));
1455 return GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET
;
1461 /* This function will hash the handshake headers and the
1465 _gnutls_handshake_hash_add_recvd (gnutls_session_t session
,
1466 gnutls_handshake_description_t recv_type
,
1467 opaque
* header
, uint16_t header_size
,
1468 opaque
* dataptr
, uint32_t datalen
)
1472 /* The idea here is to hash the previous message we received,
1473 * and add the one we just received into the handshake_hash_buffer.
1475 if ((session
->security_parameters
.entity
== GNUTLS_SERVER
1476 || recv_type
!= GNUTLS_HANDSHAKE_SERVER_HELLO
)
1477 && (session
->security_parameters
.entity
== GNUTLS_CLIENT
1478 || recv_type
!= GNUTLS_HANDSHAKE_CLIENT_HELLO
))
1480 if ((ret
= _gnutls_handshake_hash_pending (session
)) < 0)
1487 /* here we buffer the handshake messages - needed at Finished message */
1488 if (recv_type
!= GNUTLS_HANDSHAKE_HELLO_REQUEST
)
1492 _gnutls_handshake_buffer_put (session
, header
, header_size
)) < 0)
1501 _gnutls_handshake_buffer_put (session
, dataptr
, datalen
)) < 0)
1513 /* This function will receive handshake messages of the given types,
1514 * and will pass the message to the right place in order to be processed.
1515 * E.g. for the SERVER_HELLO message (if it is expected), it will be
1516 * passed to _gnutls_recv_hello().
1519 _gnutls_recv_handshake (gnutls_session_t session
, uint8_t ** data
,
1520 int *datalen
, gnutls_handshake_description_t type
,
1521 optional_t optional
)
1524 uint32_t length32
= 0;
1525 opaque
*dataptr
= NULL
;
1526 gnutls_handshake_description_t recv_type
;
1528 ret
= _gnutls_recv_handshake_header (session
, type
, &recv_type
);
1531 if (ret
== GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET
1532 && optional
== OPTIONAL_PACKET
)
1534 if (datalen
!= NULL
)
1538 return 0; /* ok just ignore the packet */
1544 session
->internals
.last_handshake_in
= recv_type
;
1549 dataptr
= gnutls_malloc (length32
);
1550 else if (recv_type
!= GNUTLS_HANDSHAKE_SERVER_HELLO_DONE
)
1553 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH
;
1556 if (dataptr
== NULL
&& length32
> 0)
1559 return GNUTLS_E_MEMORY_ERROR
;
1562 if (datalen
!= NULL
)
1563 *datalen
= length32
;
1568 _gnutls_handshake_io_recv_int (session
, GNUTLS_HANDSHAKE
,
1569 type
, dataptr
, length32
);
1574 ret
= GNUTLS_E_UNEXPECTED_PACKET_LENGTH
;
1579 if (data
!= NULL
&& length32
> 0)
1582 ret
= _gnutls_handshake_hash_add_recvd (session
, recv_type
,
1584 internals
.handshake_header_buffer
.
1587 internals
.handshake_header_buffer
.
1588 header_size
, dataptr
, length32
);
1590 /* If we fail before this then we will reuse the handshake header
1591 * have have received above. if we get here the we clear the handshake
1592 * header we received.
1594 _gnutls_handshake_header_buffer_clear (session
);
1604 case GNUTLS_HANDSHAKE_CLIENT_HELLO
:
1605 case GNUTLS_HANDSHAKE_SERVER_HELLO
:
1606 ret
= _gnutls_recv_hello (session
, dataptr
, length32
);
1613 /* initialize the hashes for both - (client will know server's version
1614 * and server as well at this point) */
1615 if ((ret
= _gnutls_handshake_hash_init (session
)) < 0)
1621 goto cleanup
; /* caller doesn't need dataptr */
1624 case GNUTLS_HANDSHAKE_HELLO_VERIFY_REQUEST
:
1625 ret
= _gnutls_recv_hello_verify_request (session
, dataptr
, length32
);
1632 /* Signal our caller we have received a verification cookie
1633 and ClientHello needs to be sent again. */
1636 goto cleanup
; /* caller doesn't need dataptr */
1639 case GNUTLS_HANDSHAKE_SERVER_HELLO_DONE
:
1644 ret
= GNUTLS_E_UNEXPECTED_PACKET_LENGTH
;
1648 case GNUTLS_HANDSHAKE_CERTIFICATE_PKT
:
1649 case GNUTLS_HANDSHAKE_FINISHED
:
1650 case GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE
:
1651 case GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE
:
1652 case GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST
:
1653 case GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY
:
1654 case GNUTLS_HANDSHAKE_SUPPLEMENTAL
:
1655 case GNUTLS_HANDSHAKE_NEW_SESSION_TICKET
:
1660 ret
= GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET
;
1667 gnutls_free (dataptr
);
1673 /* This function checks if the given cipher suite is supported, and sets it
1677 _gnutls_client_set_ciphersuite (gnutls_session_t session
, opaque suite
[2])
1680 cipher_suite_st
*cipher_suites
;
1681 int cipher_suite_num
;
1685 cipher_suite_num
= _gnutls_supported_ciphersuites (session
, &cipher_suites
);
1686 if (cipher_suite_num
< 0)
1689 return cipher_suite_num
;
1692 for (i
= 0; i
< cipher_suite_num
; i
++)
1694 if (memcmp (&cipher_suites
[i
], suite
, 2) == 0)
1701 gnutls_free (cipher_suites
);
1706 return GNUTLS_E_UNKNOWN_CIPHER_SUITE
;
1709 memcpy (session
->security_parameters
.current_cipher_suite
.suite
, suite
, 2);
1710 _gnutls_epoch_set_cipher_suite (session
, EPOCH_NEXT
,
1712 security_parameters
.current_cipher_suite
);
1714 _gnutls_handshake_log ("HSK[%p]: Selected cipher suite: %s\n", session
,
1715 _gnutls_cipher_suite_get_name
1717 security_parameters
.current_cipher_suite
));
1720 /* check if the credentials (username, public key etc.) are ok.
1721 * Actually checks if they exist.
1723 if (_gnutls_get_kx_cred
1725 _gnutls_cipher_suite_get_kx_algo
1726 (&session
->security_parameters
.current_cipher_suite
), &err
) == NULL
1730 return GNUTLS_E_INSUFFICIENT_CREDENTIALS
;
1734 /* set the mod_auth_st to the appropriate struct
1735 * according to the KX algorithm. This is needed since all the
1736 * handshake functions are read from there;
1738 session
->internals
.auth_struct
=
1739 _gnutls_kx_auth_struct (_gnutls_cipher_suite_get_kx_algo
1741 security_parameters
.current_cipher_suite
));
1743 if (session
->internals
.auth_struct
== NULL
)
1746 _gnutls_handshake_log
1747 ("HSK[%p]: Cannot find the appropriate handler for the KX algorithm\n",
1750 return GNUTLS_E_INTERNAL_ERROR
;
1757 /* This function sets the given comp method to the session.
1760 _gnutls_client_set_comp_method (gnutls_session_t session
, opaque comp_method
)
1762 int comp_methods_num
;
1763 uint8_t *compression_methods
;
1766 comp_methods_num
= _gnutls_supported_compression_methods (session
,
1767 &compression_methods
);
1768 if (comp_methods_num
< 0)
1771 return comp_methods_num
;
1774 for (i
= 0; i
< comp_methods_num
; i
++)
1776 if (compression_methods
[i
] == comp_method
)
1778 comp_methods_num
= 0;
1783 gnutls_free (compression_methods
);
1785 if (comp_methods_num
!= 0)
1788 return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM
;
1791 session
->internals
.compression_method
=
1792 _gnutls_compression_get_id (comp_method
);
1793 _gnutls_epoch_set_compression (session
, EPOCH_NEXT
,
1794 session
->internals
.compression_method
);
1799 /* This function returns 0 if we are resuming a session or -1 otherwise.
1800 * This also sets the variables in the session. Used only while reading a server
1804 _gnutls_client_check_if_resuming (gnutls_session_t session
,
1805 opaque
* session_id
, int session_id_len
)
1807 opaque buf
[2 * TLS_MAX_SESSION_ID_SIZE
+ 1];
1809 _gnutls_handshake_log ("HSK[%p]: SessionID length: %d\n", session
,
1811 _gnutls_handshake_log ("HSK[%p]: SessionID: %s\n", session
,
1812 _gnutls_bin2hex (session_id
, session_id_len
, buf
,
1813 sizeof (buf
), NULL
));
1815 if (session_id_len
> 0 &&
1816 session
->internals
.resumed_security_parameters
.session_id_size
==
1818 && memcmp (session_id
,
1819 session
->internals
.resumed_security_parameters
.session_id
,
1820 session_id_len
) == 0)
1822 /* resume session */
1823 memcpy (session
->internals
.resumed_security_parameters
.server_random
,
1824 session
->security_parameters
.server_random
, GNUTLS_RANDOM_SIZE
);
1825 memcpy (session
->internals
.resumed_security_parameters
.client_random
,
1826 session
->security_parameters
.client_random
, GNUTLS_RANDOM_SIZE
);
1828 _gnutls_epoch_set_cipher_suite
1829 (session
, EPOCH_NEXT
,
1830 &session
->internals
.
1831 resumed_security_parameters
.current_cipher_suite
);
1832 _gnutls_epoch_set_compression (session
, EPOCH_NEXT
,
1834 internals
.resumed_compression_method
);
1836 session
->internals
.resumed
= RESUME_TRUE
; /* we are resuming */
1842 /* keep the new session id */
1843 session
->internals
.resumed
= RESUME_FALSE
; /* we are not resuming */
1844 session
->security_parameters
.session_id_size
= session_id_len
;
1845 memcpy (session
->security_parameters
.session_id
,
1846 session_id
, session_id_len
);
1853 /* This function reads and parses the server hello handshake message.
1854 * This function also restores resumed parameters if we are resuming a
1858 _gnutls_read_server_hello (gnutls_session_t session
,
1859 opaque
* data
, int datalen
)
1861 uint8_t session_id_len
= 0;
1864 gnutls_protocol_t version
;
1870 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH
;
1873 _gnutls_handshake_log ("HSK[%p]: Server's version: %d.%d\n",
1874 session
, data
[pos
], data
[pos
+ 1]);
1877 version
= _gnutls_version_get (data
[pos
], data
[pos
+ 1]);
1878 if (_gnutls_version_is_supported (session
, version
) == 0)
1881 return GNUTLS_E_UNSUPPORTED_VERSION_PACKET
;
1885 _gnutls_set_current_version (session
, version
);
1890 DECR_LEN (len
, GNUTLS_RANDOM_SIZE
);
1891 _gnutls_set_server_random (session
, &data
[pos
]);
1892 pos
+= GNUTLS_RANDOM_SIZE
;
1898 session_id_len
= data
[pos
++];
1900 if (len
< session_id_len
)
1903 return GNUTLS_E_UNSUPPORTED_VERSION_PACKET
;
1905 DECR_LEN (len
, session_id_len
);
1907 /* check if we are resuming and set the appropriate
1910 if (_gnutls_client_check_if_resuming
1911 (session
, &data
[pos
], session_id_len
) == 0)
1913 pos
+= session_id_len
+ 2 + 1;
1914 DECR_LEN (len
, 2 + 1);
1916 ret
= _gnutls_parse_extensions (session
, GNUTLS_EXT_MANDATORY
,
1926 pos
+= session_id_len
;
1928 /* Check if the given cipher suite is supported and copy
1929 * it to the session.
1933 ret
= _gnutls_client_set_ciphersuite (session
, &data
[pos
]);
1941 /* move to compression
1945 ret
= _gnutls_client_set_comp_method (session
, data
[pos
++]);
1949 return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM
;
1952 /* Parse extensions.
1954 ret
= _gnutls_parse_extensions (session
, GNUTLS_EXT_ANY
, &data
[pos
], len
);
1965 /* This function copies the appropriate ciphersuites to a locally allocated buffer
1966 * Needed in client hello messages. Returns the new data length. If add_scsv is
1967 * true, add the special safe renegotiation CS.
1970 _gnutls_copy_ciphersuites (gnutls_session_t session
,
1971 gnutls_buffer_st
* cdata
,
1975 cipher_suite_st
*cipher_suites
;
1976 uint16_t cipher_num
;
1978 size_t init_length
= cdata
->length
;
1980 ret
= _gnutls_supported_ciphersuites_sorted (session
, &cipher_suites
);
1987 /* Here we remove any ciphersuite that does not conform
1988 * the certificate requested, or to the
1989 * authentication requested (eg SRP).
1992 _gnutls_remove_unwanted_ciphersuites (session
, &cipher_suites
, ret
, -1);
1996 gnutls_free (cipher_suites
);
2000 /* If no cipher suites were enabled.
2005 gnutls_free (cipher_suites
);
2006 return GNUTLS_E_INSUFFICIENT_CREDENTIALS
;
2014 cipher_num
*= sizeof (uint16_t); /* in order to get bytes */
2016 ret
= _gnutls_buffer_append_prefix(cdata
, 16, cipher_num
);
2024 loop_max
= add_scsv
? cipher_num
- 2 : cipher_num
;
2025 for (i
= 0; i
< (loop_max
/ 2); i
++)
2027 ret
= _gnutls_buffer_append_data( cdata
, cipher_suites
[i
].suite
, 2);
2038 /* Safe renegotiation signalling CS value is { 0x00, 0xff } */
2041 ret
= _gnutls_buffer_append_data( cdata
, p
, 2);
2048 ret
= _gnutls_ext_sr_send_cs (session
);
2056 ret
= cdata
->length
- init_length
;
2059 gnutls_free (cipher_suites
);
2065 /* This function copies the appropriate compression methods, to a locally allocated buffer
2066 * Needed in hello messages. Returns the new data length.
2069 _gnutls_copy_comp_methods (gnutls_session_t session
,
2070 gnutls_buffer_st
* cdata
)
2073 uint8_t *compression_methods
, comp_num
;
2074 size_t init_length
= cdata
->length
;
2076 ret
= _gnutls_supported_compression_methods (session
, &compression_methods
);
2085 /* put the number of compression methods */
2086 ret
= _gnutls_buffer_append_prefix(cdata
, 8, comp_num
);
2093 for (i
= 0; i
< comp_num
; i
++)
2095 ret
= _gnutls_buffer_append_data(cdata
, &compression_methods
[i
], 1);
2103 ret
= cdata
->length
- init_length
;
2106 gnutls_free (compression_methods
);
2111 /* This should be sufficient by now. It should hold all the extensions
2112 * plus the headers in a hello message.
2114 #define MAX_EXT_DATA_LENGTH 32*1024
2116 /* This function sends the client hello handshake message.
2119 _gnutls_send_client_hello (gnutls_session_t session
, int again
)
2121 mbuffer_st
*bufel
= NULL
;
2122 opaque
*data
= NULL
;
2124 int datalen
= 0, ret
= 0;
2125 opaque rnd
[GNUTLS_RANDOM_SIZE
];
2126 gnutls_protocol_t hver
;
2127 gnutls_buffer_st extdata
;
2128 int rehandshake
= 0;
2129 uint8_t session_id_len
=
2130 session
->internals
.resumed_security_parameters
.session_id_size
;
2133 _gnutls_buffer_init(&extdata
);
2135 /* note that rehandshake is different than resuming
2137 if (session
->security_parameters
.session_id_size
)
2142 if(_gnutls_is_dtls(session
))
2144 cookie_len
= session
->internals
.dtls
.cookie_len
+ 1;
2151 datalen
= 2 + (session_id_len
+ 1) + GNUTLS_RANDOM_SIZE
+ cookie_len
;
2152 /* 2 for version, (4 for unix time + 28 for random bytes==GNUTLS_RANDOM_SIZE)
2155 bufel
= _gnutls_handshake_alloc (session
, datalen
, datalen
+MAX_EXT_DATA_LENGTH
);
2159 return GNUTLS_E_MEMORY_ERROR
;
2161 data
= _mbuffer_get_udata_ptr (bufel
);
2163 /* if we are resuming a session then we set the
2164 * version number to the previously established.
2166 if (session_id_len
== 0)
2168 if (rehandshake
) /* already negotiated version thus version_max == negotiated version */
2169 hver
= session
->security_parameters
.version
;
2170 else /* new handshake. just get the max */
2171 hver
= _gnutls_version_max (session
);
2175 /* we are resuming a session */
2176 hver
= session
->internals
.resumed_security_parameters
.version
;
2179 if (hver
== GNUTLS_VERSION_UNKNOWN
|| hver
== 0)
2182 gnutls_free (bufel
);
2183 return GNUTLS_E_INTERNAL_ERROR
;
2186 data
[pos
++] = _gnutls_version_get_major (hver
);
2187 data
[pos
++] = _gnutls_version_get_minor (hver
);
2189 /* Set the version we advertized as maximum
2192 _gnutls_set_adv_version (session
, hver
);
2193 _gnutls_set_current_version (session
, hver
);
2195 if (session
->internals
.priorities
.no_ssl3_record_version
!= 0)
2197 /* Advertize the SSL 3.0 record packet version in
2198 * record packets during the handshake.
2199 * That is to avoid confusing implementations
2200 * that do not support TLS 1.2 and don't know
2201 * how 3,3 version of record packets look like.
2203 _gnutls_record_set_default_version (session
, 3, 0);
2206 /* In order to know when this session was initiated.
2208 session
->security_parameters
.timestamp
= time (NULL
);
2210 /* Generate random data
2212 if (!_gnutls_is_dtls (session
)
2213 || session
->internals
.dtls
.hsk_hello_verify_requests
== 0)
2215 _gnutls_tls_create_random (rnd
);
2216 _gnutls_set_client_random (session
, rnd
);
2218 memcpy (&data
[pos
], rnd
, GNUTLS_RANDOM_SIZE
);
2221 memcpy (&data
[pos
], session
->security_parameters
.client_random
, GNUTLS_RANDOM_SIZE
);
2223 pos
+= GNUTLS_RANDOM_SIZE
;
2225 /* Copy the Session ID
2227 data
[pos
++] = session_id_len
;
2229 if (session_id_len
> 0)
2232 session
->internals
.resumed_security_parameters
.session_id
,
2234 pos
+= session_id_len
;
2237 /* Copy the DTLS cookie
2239 if (_gnutls_is_dtls(session
))
2241 data
[pos
++] = session
->internals
.dtls
.cookie_len
;
2242 memcpy(&data
[pos
], &session
->internals
.dtls
.cookie
, session
->internals
.dtls
.cookie_len
);
2243 pos
+= session
->internals
.dtls
.cookie_len
;
2246 /* Copy the ciphersuites.
2248 * If using SSLv3 Send TLS_RENEGO_PROTECTION_REQUEST SCSV for MITM
2249 * prevention on initial negotiation (but not renegotiation; that's
2250 * handled with the RI extension below).
2252 if (!session
->internals
.initial_negotiation_completed
&&
2253 session
->security_parameters
.entity
== GNUTLS_CLIENT
&&
2254 gnutls_protocol_get_version (session
) == GNUTLS_SSL3
)
2257 _gnutls_copy_ciphersuites (session
, &extdata
, TRUE
);
2258 _gnutls_extension_list_add (session
,
2259 GNUTLS_EXTENSION_SAFE_RENEGOTIATION
);
2262 ret
= _gnutls_copy_ciphersuites (session
, &extdata
, FALSE
);
2270 /* Copy the compression methods.
2272 ret
= _gnutls_copy_comp_methods (session
, &extdata
);
2279 /* Generate and copy TLS extensions.
2281 if (_gnutls_version_has_extensions (hver
))
2282 type
= GNUTLS_EXT_ANY
;
2285 if (session
->internals
.initial_negotiation_completed
!= 0)
2286 type
= GNUTLS_EXT_MANDATORY
;
2288 type
= GNUTLS_EXT_NONE
;
2291 ret
= _gnutls_gen_extensions (session
, &extdata
, type
);
2298 ret
= _mbuffer_append_data (bufel
, extdata
.data
, extdata
.length
);
2306 _gnutls_buffer_clear(&extdata
);
2309 _gnutls_send_handshake (session
, bufel
, GNUTLS_HANDSHAKE_CLIENT_HELLO
);
2312 _mbuffer_xfree(&bufel
);
2313 _gnutls_buffer_clear(&extdata
);
2318 _gnutls_send_server_hello (gnutls_session_t session
, int again
)
2320 mbuffer_st
*bufel
= NULL
;
2321 opaque
*data
= NULL
;
2322 gnutls_buffer_st extdata
;
2324 int datalen
, ret
= 0;
2326 uint8_t session_id_len
= session
->security_parameters
.session_id_size
;
2327 opaque buf
[2 * TLS_MAX_SESSION_ID_SIZE
+ 1];
2331 _gnutls_buffer_init(&extdata
);
2335 datalen
= 2 + session_id_len
+ 1 + GNUTLS_RANDOM_SIZE
+ 3;
2337 _gnutls_gen_extensions (session
, &extdata
, GNUTLS_EXT_ANY
);
2344 bufel
= _gnutls_handshake_alloc (session
, datalen
+ extdata
.length
, datalen
+ extdata
.length
);
2348 ret
= GNUTLS_E_MEMORY_ERROR
;
2351 data
= _mbuffer_get_udata_ptr (bufel
);
2354 _gnutls_version_get_major (session
->security_parameters
.version
);
2356 _gnutls_version_get_minor (session
->security_parameters
.version
);
2359 session
->security_parameters
.server_random
, GNUTLS_RANDOM_SIZE
);
2360 pos
+= GNUTLS_RANDOM_SIZE
;
2362 data
[pos
++] = session_id_len
;
2363 if (session_id_len
> 0)
2365 memcpy (&data
[pos
], session
->security_parameters
.session_id
,
2368 pos
+= session_id_len
;
2370 _gnutls_handshake_log ("HSK[%p]: SessionID: %s\n", session
,
2371 _gnutls_bin2hex (session
->security_parameters
.
2372 session_id
, session_id_len
, buf
,
2373 sizeof (buf
), NULL
));
2376 session
->security_parameters
.current_cipher_suite
.suite
, 2);
2380 (uint8_t) _gnutls_compression_get_num (session
->internals
.
2381 compression_method
);
2385 if (extdata
.length
> 0)
2387 datalen
+= extdata
.length
;
2388 memcpy (&data
[pos
], extdata
.data
, extdata
.length
);
2393 _gnutls_send_handshake (session
, bufel
, GNUTLS_HANDSHAKE_SERVER_HELLO
);
2396 _gnutls_buffer_clear(&extdata
);
2401 _gnutls_send_hello (gnutls_session_t session
, int again
)
2405 if (session
->security_parameters
.entity
== GNUTLS_CLIENT
)
2407 ret
= _gnutls_send_client_hello (session
, again
);
2412 ret
= _gnutls_send_server_hello (session
, again
);
2418 /* RECEIVE A HELLO MESSAGE. This should be called from gnutls_recv_handshake_int only if a
2419 * hello message is expected. It uses the security_parameters.current_cipher_suite
2420 * and internals.compression_method.
2423 _gnutls_recv_hello (gnutls_session_t session
, opaque
* data
, int datalen
)
2427 if (session
->security_parameters
.entity
== GNUTLS_CLIENT
)
2429 ret
= _gnutls_read_server_hello (session
, data
, datalen
);
2437 { /* Server side reading a client hello */
2439 ret
= _gnutls_read_client_hello (session
, data
, datalen
);
2447 ret
= _gnutls_ext_sr_verify (session
);
2458 _gnutls_recv_hello_verify_request (gnutls_session_t session
,
2459 opaque
* data
, int datalen
)
2461 ssize_t len
= datalen
;
2464 unsigned int nb_verifs
;
2466 if (!_gnutls_is_dtls (session
)
2467 || session
->security_parameters
.entity
== GNUTLS_SERVER
)
2470 return GNUTLS_E_UNEXPECTED_PACKET
;
2473 nb_verifs
= ++session
->internals
.dtls
.hsk_hello_verify_requests
;
2474 if (nb_verifs
>= MAX_HANDSHAKE_HELLO_VERIFY_REQUESTS
)
2476 /* The server is either buggy, malicious or changing cookie
2477 secrets _way_ too fast. */
2479 return GNUTLS_E_UNEXPECTED_PACKET
;
2482 /* TODO: determine if we need to do anything with the server version field */
2487 cookie_len
= data
[pos
];
2490 if (cookie_len
> DTLS_MAX_COOKIE_SIZE
)
2493 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH
;
2496 DECR_LEN (len
, cookie_len
);
2498 session
->internals
.dtls
.cookie_len
= cookie_len
;
2499 memcpy (session
->internals
.dtls
.cookie
, &data
[pos
], cookie_len
);
2506 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH
;
2512 /* The packets in gnutls_handshake (it's more broad than original TLS handshake)
2516 * ClientHello -------->
2517 * <-------- ServerHello
2520 * ServerKeyExchange*
2521 * <-------- CertificateRequest*
2523 * <-------- ServerHelloDone
2526 * CertificateVerify*
2527 * [ChangeCipherSpec]
2528 * Finished -------->
2530 * [ChangeCipherSpec]
2531 * <-------- Finished
2533 * (*): means optional packet.
2536 /* Handshake when resumming session:
2539 * ClientHello -------->
2541 * [ChangeCipherSpec]
2542 * <-------- Finished
2543 * [ChangeCipherSpec]
2544 * Finished -------->
2549 * gnutls_rehandshake:
2550 * @session: is a #gnutls_session_t structure.
2552 * This function will renegotiate security parameters with the
2553 * client. This should only be called in case of a server.
2555 * This message informs the peer that we want to renegotiate
2556 * parameters (perform a handshake).
2558 * If this function succeeds (returns 0), you must call the
2559 * gnutls_handshake() function in order to negotiate the new
2562 * Since TLS is full duplex some application data might have been
2563 * sent during peer's processing of this message. In that case
2564 * one should call gnutls_record_recv() until GNUTLS_E_REHANDSHAKE
2565 * is returned to clear any pending data. Care must be taken if
2566 * rehandshake is mandatory to terminate if it does not start after
2569 * If the client does not wish to renegotiate parameters he will
2570 * should with an alert message, thus the return code will be
2571 * %GNUTLS_E_WARNING_ALERT_RECEIVED and the alert will be
2572 * %GNUTLS_A_NO_RENEGOTIATION. A client may also choose to ignore
2575 * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
2578 gnutls_rehandshake (gnutls_session_t session
)
2582 /* only server sends that handshake packet */
2583 if (session
->security_parameters
.entity
== GNUTLS_CLIENT
)
2584 return GNUTLS_E_INVALID_REQUEST
;
2587 _gnutls_send_empty_handshake (session
, GNUTLS_HANDSHAKE_HELLO_REQUEST
,
2602 _gnutls_abort_handshake (gnutls_session_t session
, int ret
)
2604 if (((ret
== GNUTLS_E_WARNING_ALERT_RECEIVED
) &&
2605 (gnutls_alert_get (session
) == GNUTLS_A_NO_RENEGOTIATION
))
2606 || ret
== GNUTLS_E_GOT_APPLICATION_DATA
)
2609 /* this doesn't matter */
2610 return GNUTLS_E_INTERNAL_ERROR
;
2614 /* This function initialized the handshake hash session.
2615 * required for finished messages.
2618 _gnutls_handshake_hash_init (gnutls_session_t session
)
2620 gnutls_protocol_t ver
= gnutls_protocol_get_version (session
);
2622 if (session
->internals
.handshake_mac_handle_init
== 0)
2626 /* set the hash type for handshake message hashing */
2627 if (_gnutls_version_has_selectable_prf (ver
))
2628 session
->security_parameters
.handshake_mac_handle_type
=
2629 HANDSHAKE_MAC_TYPE_12
;
2631 session
->security_parameters
.handshake_mac_handle_type
=
2632 HANDSHAKE_MAC_TYPE_10
;
2635 if (session
->security_parameters
.handshake_mac_handle_type
==
2636 HANDSHAKE_MAC_TYPE_10
)
2639 _gnutls_hash_init (&session
->internals
.handshake_mac_handle
.tls10
.
2640 md5
, GNUTLS_MAC_MD5
);
2649 _gnutls_hash_init (&session
->internals
.handshake_mac_handle
.tls10
.
2650 sha
, GNUTLS_MAC_SHA1
);
2654 _gnutls_hash_deinit (&session
->internals
.handshake_mac_handle
.
2656 return GNUTLS_E_MEMORY_ERROR
;
2659 else if (session
->security_parameters
.handshake_mac_handle_type
==
2660 HANDSHAKE_MAC_TYPE_12
)
2662 /* The algorithm to compute hash over handshake messages must be
2663 same as the one used as the basis for PRF. By now we use
2666 _gnutls_hash_init (&session
->internals
.handshake_mac_handle
.tls12
.
2667 sha256
, GNUTLS_DIG_SHA256
);
2671 return GNUTLS_E_MEMORY_ERROR
;
2675 _gnutls_hash_init (&session
->internals
.handshake_mac_handle
.tls12
.
2676 sha1
, GNUTLS_DIG_SHA1
);
2680 _gnutls_hash_deinit (&session
->internals
.handshake_mac_handle
.
2681 tls12
.sha256
, NULL
);
2682 return GNUTLS_E_MEMORY_ERROR
;
2686 session
->internals
.handshake_mac_handle_init
= 1;
2693 _gnutls_send_supplemental (gnutls_session_t session
, int again
)
2698 _gnutls_debug_log ("EXT[%p]: Sending supplemental data\n", session
);
2702 _gnutls_send_handshake (session
, NULL
, GNUTLS_HANDSHAKE_SUPPLEMENTAL
);
2705 gnutls_buffer_st buf
;
2706 _gnutls_buffer_init (&buf
);
2708 ret
= _gnutls_gen_supplemental (session
, &buf
);
2715 bufel
= _gnutls_handshake_alloc(session
, buf
.length
, buf
.length
);
2719 return GNUTLS_E_MEMORY_ERROR
;
2722 _mbuffer_set_udata (bufel
, buf
.data
, buf
.length
);
2723 _gnutls_buffer_clear (&buf
);
2725 ret
= _gnutls_send_handshake (session
, bufel
,
2726 GNUTLS_HANDSHAKE_SUPPLEMENTAL
);
2733 _gnutls_recv_supplemental (gnutls_session_t session
)
2735 uint8_t *data
= NULL
;
2739 _gnutls_debug_log ("EXT[%p]: Expecting supplemental data\n", session
);
2741 ret
= _gnutls_recv_handshake (session
, &data
, &datalen
,
2742 GNUTLS_HANDSHAKE_SUPPLEMENTAL
,
2750 ret
= _gnutls_parse_supplemental (session
, data
, datalen
);
2764 * @session: is a #gnutls_session_t structure.
2766 * This function does the handshake of the TLS/SSL protocol, and
2767 * initializes the TLS connection.
2769 * This function will fail if any problem is encountered, and will
2770 * return a negative error code. In case of a client, if the client
2771 * has asked to resume a session, but the server couldn't, then a
2772 * full handshake will be performed.
2774 * The non-fatal errors such as %GNUTLS_E_AGAIN and
2775 * %GNUTLS_E_INTERRUPTED interrupt the handshake procedure, which
2776 * should be later be resumed. Call this function again, until it
2777 * returns 0; cf. gnutls_record_get_direction() and
2778 * gnutls_error_is_fatal().
2780 * If this function is called by a server after a rehandshake request
2781 * then %GNUTLS_E_GOT_APPLICATION_DATA or
2782 * %GNUTLS_E_WARNING_ALERT_RECEIVED may be returned. Note that these
2783 * are non fatal errors, only in the specific case of a rehandshake.
2784 * Their meaning is that the client rejected the rehandshake request or
2785 * in the case of %GNUTLS_E_GOT_APPLICATION_DATA it might also mean that
2786 * some data were pending.
2788 * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
2791 gnutls_handshake (gnutls_session_t session
)
2794 record_parameters_st
*params
;
2796 ret
= _gnutls_epoch_get (session
, session
->security_parameters
.epoch_next
,
2800 /* We assume the epoch is not allocated if _gnutls_epoch_get fails. */
2802 _gnutls_epoch_alloc (session
, session
->security_parameters
.epoch_next
,
2811 if (session
->security_parameters
.entity
== GNUTLS_CLIENT
)
2815 ret
= _gnutls_handshake_client (session
);
2820 ret
= _gnutls_handshake_server (session
);
2824 /* In the case of a rehandshake abort
2825 * we should reset the handshake's internal state.
2827 if (_gnutls_abort_handshake (session
, ret
) == 0)
2833 ret
= _gnutls_handshake_common (session
);
2837 if (_gnutls_abort_handshake (session
, ret
) == 0)
2845 _gnutls_handshake_io_buffer_clear (session
);
2846 _gnutls_handshake_internal_state_clear (session
);
2848 session
->security_parameters
.epoch_next
++;
2854 #define IMED_RET( str, ret, allow_alert) do { \
2856 /* EAGAIN and INTERRUPTED are always non-fatal */ \
2857 if (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED) \
2859 /* a warning alert might interrupt handshake */ \
2860 if (allow_alert != 0 && ret==GNUTLS_E_WARNING_ALERT_RECEIVED) return ret; \
2863 _gnutls_handshake_hash_buffers_clear(session); \
2870 * _gnutls_handshake_client
2871 * This function performs the client side of the handshake of the TLS/SSL protocol.
2874 _gnutls_handshake_client (gnutls_session_t session
)
2878 #ifdef HANDSHAKE_DEBUG
2881 if (session
->internals
.resumed_security_parameters
.session_id_size
> 0)
2882 _gnutls_handshake_log ("HSK[%p]: Ask to resume: %s\n", session
,
2883 _gnutls_bin2hex (session
->
2884 internals
.resumed_security_parameters
.session_id
,
2886 internals
.resumed_security_parameters
.session_id_size
,
2887 buf
, sizeof (buf
), NULL
));
2894 ret
= _gnutls_send_hello (session
, AGAIN (STATE1
));
2896 IMED_RET ("send hello", ret
, 1);
2899 if (_gnutls_is_dtls (session
))
2902 _gnutls_recv_handshake (session
, NULL
, NULL
,
2903 GNUTLS_HANDSHAKE_HELLO_VERIFY_REQUEST
,
2906 IMED_RET ("recv hello verify", ret
, 1);
2915 /* receive the server hello */
2917 _gnutls_recv_handshake (session
, NULL
, NULL
,
2918 GNUTLS_HANDSHAKE_SERVER_HELLO
,
2921 IMED_RET ("recv hello", ret
, 1);
2924 if (session
->security_parameters
.do_recv_supplemental
)
2926 ret
= _gnutls_recv_supplemental (session
);
2928 IMED_RET ("recv supplemental", ret
, 1);
2932 /* RECV CERTIFICATE */
2933 if (session
->internals
.resumed
== RESUME_FALSE
) /* if we are not resuming */
2934 ret
= _gnutls_recv_server_certificate (session
);
2936 IMED_RET ("recv server certificate", ret
, 1);
2939 /* receive the server key exchange */
2940 if (session
->internals
.resumed
== RESUME_FALSE
) /* if we are not resuming */
2941 ret
= _gnutls_recv_server_kx_message (session
);
2943 IMED_RET ("recv server kx message", ret
, 1);
2946 /* receive the server certificate request - if any
2949 if (session
->internals
.resumed
== RESUME_FALSE
) /* if we are not resuming */
2950 ret
= _gnutls_recv_server_certificate_request (session
);
2952 IMED_RET ("recv server certificate request message", ret
, 1);
2955 /* receive the server hello done */
2956 if (session
->internals
.resumed
== RESUME_FALSE
) /* if we are not resuming */
2958 _gnutls_recv_handshake (session
, NULL
, NULL
,
2959 GNUTLS_HANDSHAKE_SERVER_HELLO_DONE
,
2962 IMED_RET ("recv server hello done", ret
, 1);
2965 if (session
->security_parameters
.do_send_supplemental
)
2967 ret
= _gnutls_send_supplemental (session
, AGAIN (STATE71
));
2969 IMED_RET ("send supplemental", ret
, 0);
2973 /* send our certificate - if any and if requested
2975 if (session
->internals
.resumed
== RESUME_FALSE
) /* if we are not resuming */
2976 ret
= _gnutls_send_client_certificate (session
, AGAIN (STATE7
));
2978 IMED_RET ("send client certificate", ret
, 0);
2981 if (session
->internals
.resumed
== RESUME_FALSE
) /* if we are not resuming */
2982 ret
= _gnutls_send_client_kx_message (session
, AGAIN (STATE8
));
2984 IMED_RET ("send client kx", ret
, 0);
2987 /* send client certificate verify */
2988 if (session
->internals
.resumed
== RESUME_FALSE
) /* if we are not resuming */
2990 _gnutls_send_client_certificate_verify (session
, AGAIN (STATE9
));
2992 IMED_RET ("send client certificate verify", ret
, 1);
3005 /* This function is to be called if the handshake was successfully
3006 * completed. This sends a Change Cipher Spec packet to the peer.
3009 send_change_cipher_spec (gnutls_session_t session
, int again
)
3017 bufel
= _gnutls_handshake_alloc (session
, 1, 1);
3019 return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR
);
3021 _mbuffer_set_uhead_size(bufel
, 1);
3022 _mbuffer_set_udata_size(bufel
, 0);
3024 data
= _mbuffer_get_uhead_ptr (bufel
);
3028 ret
= _gnutls_handshake_io_cache_int (session
, GNUTLS_HANDSHAKE_CHANGE_CIPHER_SPEC
, bufel
);
3031 _mbuffer_xfree(&bufel
);
3032 return gnutls_assert_val(ret
);
3035 _gnutls_handshake_log ("REC[%p]: Sent ChangeCipherSpec\n", session
);
3041 /* This function sends the final handshake packets and initializes connection
3044 _gnutls_send_handshake_final (gnutls_session_t session
, int init
)
3048 /* Send the CHANGE CIPHER SPEC PACKET */
3054 ret
= send_change_cipher_spec (session
, AGAIN (STATE20
));
3059 ERR ("send ChangeCipherSpec", ret
);
3063 /* Initialize the connection session (start encryption) - in case of client
3067 ret
= _gnutls_connection_state_init (session
);
3075 ret
= _gnutls_write_connection_state_init (session
);
3083 /* send the finished message */
3084 ret
= _gnutls_send_finished (session
, AGAIN (STATE21
));
3088 ERR ("send Finished", ret
);
3101 /* This function receives the final handshake packets
3102 * And executes the appropriate function to initialize the
3106 _gnutls_recv_handshake_final (gnutls_session_t session
, int init
)
3115 ret
= _gnutls_recv_int (session
, GNUTLS_CHANGE_CIPHER_SPEC
, -1, &ch
, 1, NULL
);
3119 ERR ("recv ChangeCipherSpec", ret
);
3121 return (ret
< 0) ? ret
: GNUTLS_E_UNEXPECTED_PACKET_LENGTH
;
3124 /* Initialize the connection session (start encryption) - in case of server */
3127 ret
= _gnutls_connection_state_init (session
);
3135 ret
= _gnutls_read_connection_state_init (session
);
3143 ret
= _gnutls_recv_finished (session
);
3147 ERR ("recv finished", ret
);
3161 * _gnutls_handshake_server
3162 * This function does the server stuff of the handshake protocol.
3165 _gnutls_handshake_server (gnutls_session_t session
)
3174 _gnutls_recv_handshake (session
, NULL
, NULL
,
3175 GNUTLS_HANDSHAKE_CLIENT_HELLO
,
3178 IMED_RET ("recv hello", ret
, 1);
3181 ret
= _gnutls_send_hello (session
, AGAIN (STATE2
));
3183 IMED_RET ("send hello", ret
, 1);
3186 if (session
->security_parameters
.do_send_supplemental
)
3188 ret
= _gnutls_send_supplemental (session
, AGAIN (STATE70
));
3190 IMED_RET ("send supplemental data", ret
, 0);
3193 /* SEND CERTIFICATE + KEYEXCHANGE + CERTIFICATE_REQUEST */
3195 /* NOTE: these should not be send if we are resuming */
3197 if (session
->internals
.resumed
== RESUME_FALSE
)
3198 ret
= _gnutls_send_server_certificate (session
, AGAIN (STATE3
));
3200 IMED_RET ("send server certificate", ret
, 0);
3203 /* send server key exchange (A) */
3204 if (session
->internals
.resumed
== RESUME_FALSE
)
3205 ret
= _gnutls_send_server_kx_message (session
, AGAIN (STATE4
));
3207 IMED_RET ("send server kx", ret
, 0);
3210 /* Send certificate request - if requested to */
3211 if (session
->internals
.resumed
== RESUME_FALSE
)
3213 _gnutls_send_server_certificate_request (session
, AGAIN (STATE5
));
3215 IMED_RET ("send server cert request", ret
, 0);
3218 /* send the server hello done */
3219 if (session
->internals
.resumed
== RESUME_FALSE
) /* if we are not resuming */
3221 _gnutls_send_empty_handshake (session
,
3222 GNUTLS_HANDSHAKE_SERVER_HELLO_DONE
,
3225 IMED_RET ("send server hello done", ret
, 1);
3228 if (session
->security_parameters
.do_recv_supplemental
)
3230 ret
= _gnutls_recv_supplemental (session
);
3232 IMED_RET ("recv client supplemental", ret
, 1);
3235 /* RECV CERTIFICATE + KEYEXCHANGE + CERTIFICATE_VERIFY */
3237 /* receive the client certificate message */
3238 if (session
->internals
.resumed
== RESUME_FALSE
) /* if we are not resuming */
3239 ret
= _gnutls_recv_client_certificate (session
);
3241 IMED_RET ("recv client certificate", ret
, 1);
3244 /* receive the client key exchange message */
3245 if (session
->internals
.resumed
== RESUME_FALSE
) /* if we are not resuming */
3246 ret
= _gnutls_recv_client_kx_message (session
);
3248 IMED_RET ("recv client kx", ret
, 1);
3251 /* receive the client certificate verify message */
3252 if (session
->internals
.resumed
== RESUME_FALSE
) /* if we are not resuming */
3253 ret
= _gnutls_recv_client_certificate_verify_message (session
);
3255 IMED_RET ("recv client certificate verify", ret
, 1);
3257 STATE
= STATE0
; /* finished thus clear session */
3266 _gnutls_handshake_common (gnutls_session_t session
)
3270 /* send and recv the change cipher spec and finished messages */
3271 if ((session
->internals
.resumed
== RESUME_TRUE
3272 && session
->security_parameters
.entity
== GNUTLS_CLIENT
)
3273 || (session
->internals
.resumed
== RESUME_FALSE
3274 && session
->security_parameters
.entity
== GNUTLS_SERVER
))
3276 /* if we are a client resuming - or we are a server not resuming */
3278 ret
= _gnutls_recv_handshake_final (session
, TRUE
);
3279 IMED_RET ("recv handshake final", ret
, 1);
3281 #ifdef ENABLE_SESSION_TICKET
3286 ret
= _gnutls_send_new_session_ticket (session
, AGAIN (STATE40
));
3288 IMED_RET ("send handshake new session ticket", ret
, 0);
3295 ret
= _gnutls_send_handshake_final (session
, FALSE
);
3296 IMED_RET ("send handshake final", ret
, 1);
3298 /* only store if we are not resuming */
3299 if (session
->security_parameters
.entity
== GNUTLS_SERVER
)
3301 /* in order to support session resuming */
3302 _gnutls_server_register_current_session (session
);
3306 { /* if we are a client not resuming - or we are a server resuming */
3308 ret
= _gnutls_send_handshake_final (session
, TRUE
);
3309 IMED_RET ("send handshake final 2", ret
, 1);
3311 #ifdef ENABLE_SESSION_TICKET
3316 ret
= _gnutls_recv_new_session_ticket (session
);
3318 IMED_RET ("recv handshake new session ticket", ret
, 1);
3325 ret
= _gnutls_recv_handshake_final (session
, FALSE
);
3326 IMED_RET ("recv handshake final 2", ret
, 1);
3331 /* clear handshake buffer */
3332 _gnutls_handshake_hash_buffers_clear (session
);
3338 _gnutls_generate_session_id (opaque
* session_id
, uint8_t * len
)
3342 *len
= TLS_MAX_SESSION_ID_SIZE
;
3344 ret
= _gnutls_rnd (GNUTLS_RND_NONCE
, session_id
, *len
);
3355 _gnutls_recv_hello_request (gnutls_session_t session
, void *data
,
3360 if (session
->security_parameters
.entity
== GNUTLS_SERVER
)
3363 return GNUTLS_E_UNEXPECTED_PACKET
;
3368 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH
;
3370 type
= ((uint8_t *) data
)[0];
3371 if (type
== GNUTLS_HANDSHAKE_HELLO_REQUEST
)
3372 return GNUTLS_E_REHANDSHAKE
;
3376 return GNUTLS_E_UNEXPECTED_PACKET
;
3380 /* Returns 1 if the given KX has not the corresponding parameters
3381 * (DH or RSA) set up. Otherwise returns 0.
3384 check_server_params (gnutls_session_t session
,
3385 gnutls_kx_algorithm_t kx
,
3386 gnutls_kx_algorithm_t
* alg
, int alg_size
)
3389 gnutls_dh_params_t dh_params
= NULL
;
3390 gnutls_rsa_params_t rsa_params
= NULL
;
3393 cred_type
= _gnutls_map_kx_get_cred (kx
, 1);
3395 /* Read the Diffie-Hellman parameters, if any.
3397 if (cred_type
== GNUTLS_CRD_CERTIFICATE
)
3400 gnutls_certificate_credentials_t x509_cred
=
3401 (gnutls_certificate_credentials_t
) _gnutls_get_cred (session
->key
,
3404 if (x509_cred
!= NULL
)
3407 _gnutls_get_dh_params (x509_cred
->dh_params
,
3408 x509_cred
->params_func
, session
);
3410 _gnutls_certificate_get_rsa_params (x509_cred
->rsa_params
,
3411 x509_cred
->params_func
,
3415 /* Check also if the certificate supports the
3419 for (j
= 0; j
< alg_size
; j
++)
3433 else if (cred_type
== GNUTLS_CRD_ANON
)
3435 gnutls_anon_server_credentials_t anon_cred
=
3436 (gnutls_anon_server_credentials_t
) _gnutls_get_cred (session
->key
,
3439 if (anon_cred
!= NULL
)
3442 _gnutls_get_dh_params (anon_cred
->dh_params
,
3443 anon_cred
->params_func
, session
);
3448 else if (cred_type
== GNUTLS_CRD_PSK
)
3450 gnutls_psk_server_credentials_t psk_cred
=
3451 (gnutls_psk_server_credentials_t
) _gnutls_get_cred (session
->key
,
3454 if (psk_cred
!= NULL
)
3457 _gnutls_get_dh_params (psk_cred
->dh_params
, psk_cred
->params_func
,
3463 return 0; /* no need for params */
3466 /* If the key exchange method needs RSA or DH params,
3467 * but they are not set then remove it.
3469 if (_gnutls_kx_needs_rsa_params (kx
) != 0)
3471 /* needs rsa params. */
3472 if (_gnutls_rsa_params_to_mpi (rsa_params
) == NULL
)
3479 if (_gnutls_kx_needs_dh_params (kx
) != 0)
3481 /* needs DH params. */
3482 if (_gnutls_dh_params_to_mpi (dh_params
) == NULL
)
3492 /* This function will remove algorithms that are not supported by
3493 * the requested authentication method. We remove an algorithm if
3494 * we have a certificate with keyUsage bits set.
3496 * This does a more high level check than gnutls_supported_ciphersuites(),
3497 * by checking certificates etc.
3500 _gnutls_remove_unwanted_ciphersuites (gnutls_session_t session
,
3501 cipher_suite_st
** cipherSuites
,
3502 int numCipherSuites
,
3503 gnutls_pk_algorithm_t requested_pk_algo
)
3507 cipher_suite_st
*newSuite
, cs
;
3508 int newSuiteSize
= 0, i
;
3509 gnutls_certificate_credentials_t cert_cred
;
3510 gnutls_kx_algorithm_t kx
;
3511 int server
= session
->security_parameters
.entity
== GNUTLS_SERVER
? 1 : 0;
3512 gnutls_kx_algorithm_t
*alg
= NULL
;
3515 /* if we should use a specific certificate,
3516 * we should remove all algorithms that are not supported
3517 * by that certificate and are on the same authentication
3518 * method (CERTIFICATE).
3522 (gnutls_certificate_credentials_t
) _gnutls_get_cred (session
->key
,
3523 GNUTLS_CRD_CERTIFICATE
,
3526 /* If there are certificate credentials, find an appropriate certificate
3529 if (session
->security_parameters
.entity
== GNUTLS_SERVER
3530 && cert_cred
!= NULL
)
3532 ret
= _gnutls_server_select_cert (session
, requested_pk_algo
);
3536 _gnutls_debug_log ("Could not find an appropriate certificate: %s\n",
3537 gnutls_strerror (ret
));
3542 /* get all the key exchange algorithms that are
3543 * supported by the X509 certificate parameters.
3546 _gnutls_selected_cert_supported_kx (session
, &alg
, &alg_size
)) < 0)
3552 newSuite
= gnutls_malloc (numCipherSuites
* sizeof (cipher_suite_st
));
3553 if (newSuite
== NULL
)
3557 return GNUTLS_E_MEMORY_ERROR
;
3560 /* now removes ciphersuites based on the KX algorithm
3562 for (i
= 0; i
< numCipherSuites
; i
++)
3566 /* finds the key exchange algorithm in
3569 kx
= _gnutls_cipher_suite_get_kx_algo (&(*cipherSuites
)[i
]);
3571 /* if it is defined but had no credentials
3573 if (_gnutls_get_kx_cred (session
, kx
, NULL
) == NULL
)
3582 delete = check_server_params (session
, kx
, alg
, alg_size
);
3585 /* These two SRP kx's are marked to require a CRD_CERTIFICATE,
3586 (see cred_mappings in gnutls_algorithms.c), but it also
3587 requires a SRP credential. Don't use SRP kx unless we have a
3588 SRP credential too. */
3589 if (kx
== GNUTLS_KX_SRP_RSA
|| kx
== GNUTLS_KX_SRP_DSS
)
3591 if (!_gnutls_get_cred (session
->key
, GNUTLS_CRD_SRP
, NULL
))
3595 memcpy (&cs
.suite
, &(*cipherSuites
)[i
].suite
, 2);
3600 _gnutls_handshake_log ("HSK[%p]: Keeping ciphersuite: %s\n",
3602 _gnutls_cipher_suite_get_name (&cs
));
3604 memcpy (newSuite
[newSuiteSize
].suite
, (*cipherSuites
)[i
].suite
, 2);
3609 _gnutls_handshake_log ("HSK[%p]: Removing ciphersuite: %s\n",
3611 _gnutls_cipher_suite_get_name (&cs
));
3617 gnutls_free (*cipherSuites
);
3618 *cipherSuites
= newSuite
;
3627 * gnutls_handshake_set_max_packet_length:
3628 * @session: is a #gnutls_session_t structure.
3629 * @max: is the maximum number.
3631 * This function will set the maximum size of all handshake messages.
3632 * Handshakes over this size are rejected with
3633 * %GNUTLS_E_HANDSHAKE_TOO_LARGE error code. The default value is
3634 * 48kb which is typically large enough. Set this to 0 if you do not
3635 * want to set an upper limit.
3637 * The reason for restricting the handshake message sizes are to
3638 * limit Denial of Service attacks.
3641 gnutls_handshake_set_max_packet_length (gnutls_session_t session
, size_t max
)
3643 session
->internals
.max_handshake_data_buffer_size
= max
;
3647 _gnutls_set_adv_version (gnutls_session_t session
, gnutls_protocol_t ver
)
3649 set_adv_version (session
, _gnutls_version_get_major (ver
),
3650 _gnutls_version_get_minor (ver
));
3654 _gnutls_get_adv_version (gnutls_session_t session
)
3656 return _gnutls_version_get (_gnutls_get_adv_version_major (session
),
3657 _gnutls_get_adv_version_minor (session
));
3661 * gnutls_handshake_get_last_in:
3662 * @session: is a #gnutls_session_t structure.
3664 * This function is only useful to check where the last performed
3665 * handshake failed. If the previous handshake succeed or was not
3666 * performed at all then no meaningful value will be returned.
3668 * Check %gnutls_handshake_description_t in gnutls.h for the
3669 * available handshake descriptions.
3671 * Returns: the last handshake message type received, a
3672 * %gnutls_handshake_description_t.
3674 gnutls_handshake_description_t
3675 gnutls_handshake_get_last_in (gnutls_session_t session
)
3677 return session
->internals
.last_handshake_in
;
3681 * gnutls_handshake_get_last_out:
3682 * @session: is a #gnutls_session_t structure.
3684 * This function is only useful to check where the last performed
3685 * handshake failed. If the previous handshake succeed or was not
3686 * performed at all then no meaningful value will be returned.
3688 * Check %gnutls_handshake_description_t in gnutls.h for the
3689 * available handshake descriptions.
3691 * Returns: the last handshake message type sent, a
3692 * %gnutls_handshake_description_t.
3694 gnutls_handshake_description_t
3695 gnutls_handshake_get_last_out (gnutls_session_t session
)
3697 return session
->internals
.last_handshake_out
;