search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Add `gnutls/dtls.h' to the distribution.
[gnutls.git] / lib / gnutls_handshake.c
blobe8c427ff4bb9d57eca420295bfef3a7883eeb37a
1 /*
2 * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008,
3 * 2009, 2010, 2011 Free Software Foundation, Inc.
4 *
5 * Author: Nikos Mavrogiannopoulos
6 *
7 * This file is part of GnuTLS.
8 *
9 * The GnuTLS is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Lesser General Public License
11 * as published by the Free Software Foundation; either version 2.1 of
12 * the License, or (at your option) any later version.
13 *
14 * This library is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * Lesser General Public License for more details.
18 *
19 * You should have received a copy of the GNU Lesser General Public
20 * License along with this library; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
22 * USA
23 *
24 */
25
26 /* Functions that relate to the TLS handshake procedure.
27 */
28
29 #include "gnutls_int.h"
30 #include "gnutls_errors.h"
31 #include "gnutls_dh.h"
32 #include "debug.h"
33 #include "gnutls_algorithms.h"
34 #include "gnutls_compress.h"
35 #include "gnutls_cipher.h"
36 #include "gnutls_buffers.h"
37 #include "gnutls_mbuffers.h"
38 #include "gnutls_kx.h"
39 #include "gnutls_handshake.h"
40 #include "gnutls_num.h"
41 #include "gnutls_hash_int.h"
42 #include "gnutls_db.h"
43 #include "gnutls_extensions.h"
44 #include "gnutls_supplemental.h"
45 #include "gnutls_auth.h"
46 #include "gnutls_v2_compat.h"
47 #include "auth_cert.h"
48 #include "gnutls_cert.h"
49 #include "gnutls_constate.h"
50 #include <gnutls_record.h>
51 #include <gnutls_state.h>
52 #include <ext_srp.h>
53 #include <ext_session_ticket.h>
54 #include <ext_safe_renegotiation.h>
55 #include <gnutls_rsa_export.h> /* for gnutls_get_rsa_params() */
56 #include <auth_anon.h> /* for gnutls_anon_server_credentials_t */
57 #include <auth_psk.h> /* for gnutls_psk_server_credentials_t */
58 #include <random.h>
59
60 #ifdef HANDSHAKE_DEBUG
61 #define ERR(x, y) _gnutls_handshake_log("HSK[%p]: %s (%d)\n", session, x,y)
62 #else
63 #define ERR(x, y)
64 #endif
65
66 #define TRUE 1
67 #define FALSE 0
68
69 static int _gnutls_handshake_hash_init (gnutls_session_t session);
70 static int _gnutls_server_select_comp_method (gnutls_session_t session,
71 opaque * data, int datalen);
72 static int
73 _gnutls_handshake_hash_add_recvd (gnutls_session_t session,
74 gnutls_handshake_description_t recv_type,
75 opaque * header, uint16_t header_size,
76 opaque * dataptr, uint32_t datalen);
77
78 static int
79 _gnutls_recv_hello_verify_request (gnutls_session_t session,
80 opaque * data, int datalen);
81
82
83 /* Clears the handshake hash buffers and handles.
84 */
85 void
86 _gnutls_handshake_hash_buffers_clear (gnutls_session_t session)
87 {
88 if (session->security_parameters.handshake_mac_handle_type ==
89 HANDSHAKE_MAC_TYPE_10)
90 {
91 _gnutls_hash_deinit (&session->internals.handshake_mac_handle.tls10.md5,
92 NULL);
93 _gnutls_hash_deinit (&session->internals.handshake_mac_handle.tls10.sha,
94 NULL);
95 }
96 else if (session->security_parameters.handshake_mac_handle_type ==
97 HANDSHAKE_MAC_TYPE_12)
98 {
99 _gnutls_hash_deinit (&session->internals.handshake_mac_handle.tls12.
100 sha256, NULL);
101 _gnutls_hash_deinit (&session->internals.handshake_mac_handle.tls12.
102 sha1, NULL);
103 }
104 session->security_parameters.handshake_mac_handle_type = 0;
105 session->internals.handshake_mac_handle_init = 0;
106 _gnutls_handshake_buffer_clear (session);
107 }
108
109 /* this will copy the required values for resuming to
110 * internals, and to security_parameters.
111 * this will keep as less data to security_parameters.
112 */
113 static void
114 resume_copy_required_values (gnutls_session_t session)
115 {
116 /* get the new random values */
117 memcpy (session->internals.resumed_security_parameters.server_random,
118 session->security_parameters.server_random, GNUTLS_RANDOM_SIZE);
119 memcpy (session->internals.resumed_security_parameters.client_random,
120 session->security_parameters.client_random, GNUTLS_RANDOM_SIZE);
121
122 /* keep the ciphersuite and compression
123 * That is because the client must see these in our
124 * hello message.
125 */
126 memcpy (session->security_parameters.current_cipher_suite.suite,
127 session->internals.resumed_security_parameters.current_cipher_suite.
128 suite, 2);
129
130 _gnutls_epoch_set_cipher_suite (session, EPOCH_NEXT,
131 &session->
132 internals.resumed_security_parameters.current_cipher_suite);
133 _gnutls_epoch_set_compression (session, EPOCH_NEXT,
134 session->
135 internals.resumed_compression_method);
136
137 /* or write_compression_algorithm
138 * they are the same
139 */
140
141 session->security_parameters.entity =
142 session->internals.resumed_security_parameters.entity;
143
144 _gnutls_set_current_version (session,
145 session->internals.resumed_security_parameters.
146 version);
147
148 session->security_parameters.cert_type =
149 session->internals.resumed_security_parameters.cert_type;
150
151 memcpy (session->security_parameters.session_id,
152 session->internals.resumed_security_parameters.session_id,
153 sizeof (session->security_parameters.session_id));
154 session->security_parameters.session_id_size =
155 session->internals.resumed_security_parameters.session_id_size;
156
157 }
158
159 void
160 _gnutls_set_server_random (gnutls_session_t session, uint8_t * rnd)
161 {
162 memcpy (session->security_parameters.server_random, rnd,
163 GNUTLS_RANDOM_SIZE);
164 }
165
166 void
167 _gnutls_set_client_random (gnutls_session_t session, uint8_t * rnd)
168 {
169 memcpy (session->security_parameters.client_random, rnd,
170 GNUTLS_RANDOM_SIZE);
171 }
172
173 /* Calculate The SSL3 Finished message
174 */
175 #define SSL3_CLIENT_MSG "CLNT"
176 #define SSL3_SERVER_MSG "SRVR"
177 #define SSL_MSG_LEN 4
178 static int
179 _gnutls_ssl3_finished (gnutls_session_t session, int type, opaque * ret)
180 {
181 const int siz = SSL_MSG_LEN;
182 digest_hd_st td_md5;
183 digest_hd_st td_sha;
184 const char *mesg;
185 int rc;
186
187 if (session->security_parameters.handshake_mac_handle_type ==
188 HANDSHAKE_MAC_TYPE_10)
189 {
190 rc =
191 _gnutls_hash_copy (&td_md5,
192 &session->internals.handshake_mac_handle.tls10.
193 md5);
194 if (rc < 0)
195 {
196 gnutls_assert ();
197 return rc;
198 }
199
200 rc =
201 _gnutls_hash_copy (&td_sha,
202 &session->internals.handshake_mac_handle.tls10.
203 sha);
204 if (rc < 0)
205 {
206 gnutls_assert ();
207 _gnutls_hash_deinit (&td_md5, NULL);
208 return rc;
209 }
210 }
211 else
212 {
213 gnutls_assert ();
214 return GNUTLS_E_INTERNAL_ERROR;
215 }
216
217 if (type == GNUTLS_SERVER)
218 {
219 mesg = SSL3_SERVER_MSG;
220 }
221 else
222 {
223 mesg = SSL3_CLIENT_MSG;
224 }
225
226 _gnutls_hash (&td_md5, mesg, siz);
227 _gnutls_hash (&td_sha, mesg, siz);
228
229 rc = _gnutls_mac_deinit_ssl3_handshake (&td_md5, ret,
230 session->
231 security_parameters.master_secret,
232 GNUTLS_MASTER_SIZE);
233 if (rc < 0)
234 {
235 _gnutls_hash_deinit (&td_md5, NULL);
236 _gnutls_hash_deinit (&td_sha, NULL);
237 return gnutls_assert_val(rc);
238 }
239
240 rc = _gnutls_mac_deinit_ssl3_handshake (&td_sha, &ret[16],
241 session->
242 security_parameters.master_secret,
243 GNUTLS_MASTER_SIZE);
244 if (rc < 0)
245 {
246 _gnutls_hash_deinit (&td_sha, NULL);
247 return gnutls_assert_val(rc);
248 }
249
250 return 0;
251 }
252
253 /* Hash the handshake messages as required by TLS 1.0
254 */
255 #define SERVER_MSG "server finished"
256 #define CLIENT_MSG "client finished"
257 #define TLS_MSG_LEN 15
258 static int
259 _gnutls_finished (gnutls_session_t session, int type, void *ret)
260 {
261 const int siz = TLS_MSG_LEN;
262 opaque concat[MAX_HASH_SIZE + 16 /*MD5 */ ];
263 size_t len = 20 + 16;
264 const char *mesg;
265 digest_hd_st td_md5;
266 digest_hd_st td_sha;
267 int rc;
268
269 if (session->security_parameters.handshake_mac_handle_type ==
270 HANDSHAKE_MAC_TYPE_10)
271 {
272 rc =
273 _gnutls_hash_copy (&td_md5,
274 &session->internals.handshake_mac_handle.tls10.
275 md5);
276 if (rc < 0)
277 {
278 gnutls_assert ();
279 return rc;
280 }
281
282 rc =
283 _gnutls_hash_copy (&td_sha,
284 &session->internals.handshake_mac_handle.tls10.
285 sha);
286 if (rc < 0)
287 {
288 gnutls_assert ();
289 _gnutls_hash_deinit (&td_md5, NULL);
290 return rc;
291 }
292
293 _gnutls_hash_deinit (&td_md5, concat);
294 _gnutls_hash_deinit (&td_sha, &concat[16]);
295 }
296 else if (session->security_parameters.handshake_mac_handle_type ==
297 HANDSHAKE_MAC_TYPE_12)
298 {
299 rc =
300 _gnutls_hash_copy (&td_sha,
301 &session->internals.handshake_mac_handle.tls12.
302 sha256);
303 if (rc < 0)
304 {
305 gnutls_assert ();
306 return rc;
307 }
308
309 _gnutls_hash_deinit (&td_sha, concat);
310 len = _gnutls_hash_get_algo_len (td_sha.algorithm);
311 }
312
313 if (type == GNUTLS_SERVER)
314 {
315 mesg = SERVER_MSG;
316 }
317 else
318 {
319 mesg = CLIENT_MSG;
320 }
321
322 return _gnutls_PRF (session, session->security_parameters.master_secret,
323 GNUTLS_MASTER_SIZE, mesg, siz, concat, len, 12, ret);
324 }
325
326 /* this function will produce GNUTLS_RANDOM_SIZE==32 bytes of random data
327 * and put it to dst.
328 */
329 int
330 _gnutls_tls_create_random (opaque * dst)
331 {
332 uint32_t tim;
333 int ret;
334
335 /* Use weak random numbers for the most of the
336 * buffer except for the first 4 that are the
337 * system's time.
338 */
339
340 tim = time (NULL);
341 /* generate server random value */
342 _gnutls_write_uint32 (tim, dst);
343
344 ret = _gnutls_rnd (GNUTLS_RND_NONCE, &dst[4], GNUTLS_RANDOM_SIZE - 4);
345 if (ret < 0)
346 {
347 gnutls_assert ();
348 return ret;
349 }
350
351 return 0;
352 }
353
354 /* returns the 0 on success or a negative value.
355 */
356 int
357 _gnutls_negotiate_version (gnutls_session_t session,
358 gnutls_protocol_t adv_version)
359 {
360 int ret;
361
362 /* if we do not support that version */
363 if (_gnutls_version_is_supported (session, adv_version) == 0)
364 {
365 /* If he requested something we do not support
366 * then we send him the highest we support.
367 */
368 ret = _gnutls_version_max (session);
369 if (ret == GNUTLS_VERSION_UNKNOWN)
370 {
371 /* this check is not really needed.
372 */
373 gnutls_assert ();
374 return GNUTLS_E_UNKNOWN_CIPHER_SUITE;
375 }
376 }
377 else
378 {
379 ret = adv_version;
380 }
381
382 _gnutls_set_current_version (session, ret);
383
384 return ret;
385 }
386
387 int
388 _gnutls_user_hello_func (gnutls_session_t session,
389 gnutls_protocol_t adv_version)
390 {
391 int ret;
392
393 if (session->internals.user_hello_func != NULL)
394 {
395 ret = session->internals.user_hello_func (session);
396 if (ret < 0)
397 {
398 gnutls_assert ();
399 return ret;
400 }
401 /* Here we need to renegotiate the version since the callee might
402 * have disabled some TLS versions.
403 */
404 ret = _gnutls_negotiate_version (session, adv_version);
405 if (ret < 0)
406 {
407 gnutls_assert ();
408 return ret;
409 }
410 }
411 return 0;
412 }
413
414 /* Read a client hello packet.
415 * A client hello must be a known version client hello
416 * or version 2.0 client hello (only for compatibility
417 * since SSL version 2.0 is not supported).
418 */
419 static int
420 _gnutls_read_client_hello (gnutls_session_t session, opaque * data,
421 int datalen)
422 {
423 uint8_t session_id_len;
424 int pos = 0, ret;
425 uint16_t suite_size, comp_size;
426 gnutls_protocol_t adv_version;
427 int neg_version;
428 int len = datalen;
429 opaque rnd[GNUTLS_RANDOM_SIZE], *suite_ptr, *comp_ptr, *session_id;
430
431 if (session->internals.v2_hello != 0)
432 { /* version 2.0 */
433 return _gnutls_read_client_hello_v2 (session, data, datalen);
434 }
435 DECR_LEN (len, 2);
436
437 _gnutls_handshake_log ("HSK[%p]: Client's version: %d.%d\n", session,
438 data[pos], data[pos + 1]);
439
440 adv_version = _gnutls_version_get (data[pos], data[pos + 1]);
441 set_adv_version (session, data[pos], data[pos + 1]);
442 pos += 2;
443
444 neg_version = _gnutls_negotiate_version (session, adv_version);
445 if (neg_version < 0)
446 {
447 gnutls_assert ();
448 return neg_version;
449 }
450
451 /* Read client random value.
452 */
453 DECR_LEN (len, GNUTLS_RANDOM_SIZE);
454 _gnutls_set_client_random (session, &data[pos]);
455 pos += GNUTLS_RANDOM_SIZE;
456
457 _gnutls_tls_create_random (rnd);
458 _gnutls_set_server_random (session, rnd);
459
460 session->security_parameters.timestamp = time (NULL);
461
462 DECR_LEN (len, 1);
463 session_id_len = data[pos++];
464
465 /* RESUME SESSION
466 */
467 if (session_id_len > TLS_MAX_SESSION_ID_SIZE)
468 {
469 gnutls_assert ();
470 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
471 }
472 DECR_LEN (len, session_id_len);
473
474 session_id = &data[pos];
475 ret = _gnutls_server_restore_session (session, session_id, session_id_len);
476 pos += session_id_len;
477
478 if (ret == 0)
479 { /* resumed using default TLS resumption! */
480 /* Parse only the safe renegotiation extension
481 * We don't want to parse any other extensions since
482 * we don't want new extension values to overwrite the
483 * resumed ones.
484 */
485
486 /* move forward to extensions */
487 DECR_LEN (len, 2);
488 suite_size = _gnutls_read_uint16 (&data[pos]);
489 pos += 2;
490
491 DECR_LEN (len, suite_size);
492 pos += suite_size;
493
494 DECR_LEN (len, 1);
495 comp_size = data[pos++]; /* z is the number of compression methods */
496 DECR_LEN (len, comp_size);
497 pos += comp_size;
498
499 ret = _gnutls_parse_extensions (session, GNUTLS_EXT_MANDATORY,
500 &data[pos], len);
501 if (ret < 0)
502 {
503 gnutls_assert ();
504 return ret;
505 }
506
507 resume_copy_required_values (session);
508 session->internals.resumed = RESUME_TRUE;
509
510 return _gnutls_user_hello_func (session, adv_version);
511 }
512 else
513 {
514 _gnutls_generate_session_id (session->security_parameters.session_id,
515 &session->
516 security_parameters.session_id_size);
517
518 session->internals.resumed = RESUME_FALSE;
519 }
520
521 if (_gnutls_is_dtls(session))
522 {
523 int cookie_size;
524
525 DECR_LEN (len, 1);
526 cookie_size = data[pos++];
527 DECR_LEN (len, cookie_size);
528 pos+=cookie_size;
529 }
530
531 /* Remember ciphersuites for later
532 */
533 DECR_LEN (len, 2);
534 suite_size = _gnutls_read_uint16 (&data[pos]);
535 pos += 2;
536
537 DECR_LEN (len, suite_size);
538 suite_ptr = &data[pos];
539 pos += suite_size;
540
541 /* Point to the compression methods
542 */
543 DECR_LEN (len, 1);
544 comp_size = data[pos++]; /* z is the number of compression methods */
545
546 DECR_LEN (len, comp_size);
547 comp_ptr = &data[pos];
548 pos += comp_size;
549
550 /* Parse the extensions (if any)
551 *
552 * Unconditionally try to parse extensions; safe renegotiation uses them in
553 * sslv3 and higher, even though sslv3 doesn't officially support them.
554 */
555 ret = _gnutls_parse_extensions (session, GNUTLS_EXT_APPLICATION,
556 &data[pos], len);
557 /* len is the rest of the parsed length */
558 if (ret < 0)
559 {
560 gnutls_assert ();
561 return ret;
562 }
563
564 ret = _gnutls_user_hello_func (session, adv_version);
565 if (ret < 0)
566 {
567 gnutls_assert ();
568 return ret;
569 }
570
571 ret = _gnutls_parse_extensions (session, GNUTLS_EXT_MANDATORY,
572 &data[pos], len);
573 if (ret < 0)
574 {
575 gnutls_assert ();
576 return ret;
577 }
578
579 ret = _gnutls_parse_extensions (session, GNUTLS_EXT_TLS, &data[pos], len);
580 if (ret < 0)
581 {
582 gnutls_assert ();
583 return ret;
584 }
585
586 /* resumed by session_ticket extension */
587 if (session->internals.resumed == RESUME_TRUE)
588 {
589 /* to indicate the client that the current session is resumed */
590 memcpy (session->internals.resumed_security_parameters.session_id,
591 session_id, session_id_len);
592 session->internals.resumed_security_parameters.session_id_size =
593 session_id_len;
594
595 session->internals.resumed_security_parameters.max_record_recv_size =
596 session->security_parameters.max_record_recv_size;
597 session->internals.resumed_security_parameters.max_record_send_size =
598 session->security_parameters.max_record_send_size;
599
600 resume_copy_required_values (session);
601
602 return _gnutls_user_hello_func (session, adv_version);
603 }
604
605 /* select an appropriate cipher suite
606 */
607 ret = _gnutls_server_select_suite (session, suite_ptr, suite_size);
608 if (ret < 0)
609 {
610 gnutls_assert ();
611 return ret;
612 }
613
614 /* select appropriate compression method */
615 ret = _gnutls_server_select_comp_method (session, comp_ptr, comp_size);
616 if (ret < 0)
617 {
618 gnutls_assert ();
619 return ret;
620 }
621
622 return 0;
623 }
624
625 /* here we hash all pending data.
626 */
627 inline static int
628 _gnutls_handshake_hash_pending (gnutls_session_t session)
629 {
630 size_t siz;
631 int ret;
632 opaque *data;
633
634 if (session->internals.handshake_mac_handle_init == 0)
635 {
636 gnutls_assert ();
637 return GNUTLS_E_INTERNAL_ERROR;
638 }
639
640 /* We check if there are pending data to hash.
641 */
642 if ((ret = _gnutls_handshake_buffer_get_ptr (session, &data, &siz)) < 0)
643 {
644 gnutls_assert ();
645 return ret;
646 }
647
648 if (siz > 0)
649 {
650 if (session->security_parameters.handshake_mac_handle_type ==
651 HANDSHAKE_MAC_TYPE_10)
652 {
653 _gnutls_hash (&session->internals.handshake_mac_handle.tls10.sha,
654 data, siz);
655 _gnutls_hash (&session->internals.handshake_mac_handle.tls10.md5,
656 data, siz);
657 }
658 else if (session->security_parameters.handshake_mac_handle_type ==
659 HANDSHAKE_MAC_TYPE_12)
660 {
661 _gnutls_hash (&session->internals.handshake_mac_handle.tls12.sha256,
662 data, siz);
663 _gnutls_hash (&session->internals.handshake_mac_handle.tls12.sha1,
664 data, siz);
665 }
666 }
667
668 _gnutls_handshake_buffer_empty (session);
669
670 return 0;
671 }
672
673
674 /* This is to be called after sending CHANGE CIPHER SPEC packet
675 * and initializing encryption. This is the first encrypted message
676 * we send.
677 */
678 static int
679 _gnutls_send_finished (gnutls_session_t session, int again)
680 {
681 mbuffer_st *bufel;
682 opaque *data;
683 int ret;
684 size_t vdata_size = 0;
685
686 if (again == 0)
687 {
688 bufel = _gnutls_handshake_alloc (session, MAX_VERIFY_DATA_SIZE, MAX_VERIFY_DATA_SIZE);
689 if (bufel == NULL)
690 {
691 gnutls_assert ();
692 return GNUTLS_E_MEMORY_ERROR;
693 }
694 data = _mbuffer_get_udata_ptr (bufel);
695
696 /* This is needed in order to hash all the required
697 * messages.
698 */
699 if ((ret = _gnutls_handshake_hash_pending (session)) < 0)
700 {
701 gnutls_assert ();
702 return ret;
703 }
704
705 if (gnutls_protocol_get_version (session) == GNUTLS_SSL3)
706 {
707 ret =
708 _gnutls_ssl3_finished (session,
709 session->security_parameters.entity, data);
710 _mbuffer_set_udata_size (bufel, 36);
711 }
712 else
713 { /* TLS 1.0+ */
714 ret = _gnutls_finished (session,
715 session->security_parameters.entity, data);
716 _mbuffer_set_udata_size (bufel, 12);
717 }
718
719 if (ret < 0)
720 {
721 gnutls_assert ();
722 return ret;
723 }
724
725 vdata_size = _mbuffer_get_udata_size (bufel);
726
727 ret = _gnutls_ext_sr_finished (session, data, vdata_size, 0);
728 if (ret < 0)
729 {
730 gnutls_assert ();
731 return ret;
732 }
733
734 if ((session->internals.resumed == RESUME_FALSE
735 && session->security_parameters.entity == GNUTLS_CLIENT)
736 || (session->internals.resumed == RESUME_TRUE
737 && session->security_parameters.entity == GNUTLS_SERVER))
738 {
739 /* if we are a client not resuming - or we are a server resuming */
740 _gnutls_handshake_log ("HSK[%p]: recording tls-unique CB (send)\n",
741 session);
742 memcpy (session->internals.cb_tls_unique, data, vdata_size);
743 session->internals.cb_tls_unique_len = vdata_size;
744 }
745
746 ret =
747 _gnutls_send_handshake (session, bufel, GNUTLS_HANDSHAKE_FINISHED);
748 }
749 else
750 {
751 ret = _gnutls_send_handshake (session, NULL, GNUTLS_HANDSHAKE_FINISHED);
752 }
753
754 return ret;
755 }
756
757 /* This is to be called after sending our finished message. If everything
758 * went fine we have negotiated a secure connection
759 */
760 static int
761 _gnutls_recv_finished (gnutls_session_t session)
762 {
763 uint8_t data[MAX_VERIFY_DATA_SIZE], *vrfy;
764 int data_size;
765 int ret;
766 int vrfysize;
767
768 ret =
769 _gnutls_recv_handshake (session, &vrfy, &vrfysize,
770 GNUTLS_HANDSHAKE_FINISHED, MANDATORY_PACKET);
771 if (ret < 0)
772 {
773 ERR ("recv finished int", ret);
774 gnutls_assert ();
775 return ret;
776 }
777
778
779 if (gnutls_protocol_get_version (session) == GNUTLS_SSL3)
780 {
781 data_size = 36;
782 }
783 else
784 {
785 data_size = 12;
786 }
787
788 if (vrfysize != data_size)
789 {
790 gnutls_assert ();
791 gnutls_free (vrfy);
792 return GNUTLS_E_ERROR_IN_FINISHED_PACKET;
793 }
794
795 if (gnutls_protocol_get_version (session) == GNUTLS_SSL3)
796 {
797 ret =
798 _gnutls_ssl3_finished (session,
799 (session->security_parameters.entity + 1) % 2,
800 data);
801 }
802 else
803 { /* TLS 1.0 */
804 ret =
805 _gnutls_finished (session,
806 (session->security_parameters.entity +
807 1) % 2, data);
808 }
809
810 if (ret < 0)
811 {
812 gnutls_assert ();
813 gnutls_free (vrfy);
814 return ret;
815 }
816
817 if (memcmp (vrfy, data, data_size) != 0)
818 {
819 gnutls_assert ();
820 ret = GNUTLS_E_ERROR_IN_FINISHED_PACKET;
821 }
822 gnutls_free (vrfy);
823
824 ret = _gnutls_ext_sr_finished (session, data, data_size, 1);
825 if (ret < 0)
826 {
827 gnutls_assert ();
828 return ret;
829 }
830
831 if ((session->internals.resumed == RESUME_TRUE
832 && session->security_parameters.entity == GNUTLS_CLIENT)
833 || (session->internals.resumed == RESUME_FALSE
834 && session->security_parameters.entity == GNUTLS_SERVER))
835 {
836 /* if we are a client resuming - or we are a server not resuming */
837 _gnutls_handshake_log ("HSK[%p]: recording tls-unique CB (recv)\n",
838 session);
839 memcpy (session->internals.cb_tls_unique, data, data_size);
840 session->internals.cb_tls_unique_len = data_size;
841 }
842
843 session->internals.initial_negotiation_completed = 1;
844
845 return ret;
846 }
847
848 /* returns PK_RSA if the given cipher suite list only supports,
849 * RSA algorithms, PK_DSA if DSS, and PK_ANY for both or PK_NONE for none.
850 */
851 static int
852 server_find_pk_algos_in_ciphersuites (const opaque *
853 data, unsigned int datalen)
854 {
855 unsigned int j;
856 gnutls_pk_algorithm_t algo = GNUTLS_PK_NONE, prev_algo = 0;
857 gnutls_kx_algorithm_t kx;
858 cipher_suite_st cs;
859
860 if (datalen % 2 != 0)
861 {
862 gnutls_assert ();
863 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
864 }
865
866 for (j = 0; j < datalen; j += 2)
867 {
868 memcpy (&cs.suite, &data[j], 2);
869 kx = _gnutls_cipher_suite_get_kx_algo (&cs);
870
871 if (_gnutls_map_kx_get_cred (kx, 1) == GNUTLS_CRD_CERTIFICATE)
872 {
873 algo = _gnutls_map_pk_get_pk (kx);
874
875 if (algo != prev_algo && prev_algo != 0)
876 return GNUTLS_PK_ANY;
877 prev_algo = algo;
878 }
879 }
880
881 return algo;
882 }
883
884 /* This selects the best supported ciphersuite from the given ones. Then
885 * it adds the suite to the session and performs some checks.
886 */
887 int
888 _gnutls_server_select_suite (gnutls_session_t session, opaque * data,
889 int datalen)
890 {
891 int x, i, j;
892 cipher_suite_st *ciphers, cs;
893 int retval, err;
894 gnutls_pk_algorithm_t pk_algo; /* will hold the pk algorithms
895 * supported by the peer.
896 */
897
898 /* First, check for safe renegotiation SCSV.
899 */
900 if (session->internals.priorities.sr != SR_DISABLED)
901 {
902 int offset;
903
904 for (offset = 0; offset < datalen; offset += 2)
905 {
906 /* TLS_RENEGO_PROTECTION_REQUEST = { 0x00, 0xff } */
907 if (data[offset] == GNUTLS_RENEGO_PROTECTION_REQUEST_MAJOR &&
908 data[offset + 1] == GNUTLS_RENEGO_PROTECTION_REQUEST_MINOR)
909 {
910 _gnutls_handshake_log
911 ("HSK[%p]: Received safe renegotiation CS\n", session);
912 retval = _gnutls_ext_sr_recv_cs (session);
913 if (retval < 0)
914 {
915 gnutls_assert ();
916 return retval;
917 }
918 break;
919 }
920 }
921 }
922
923 pk_algo = server_find_pk_algos_in_ciphersuites (data, datalen);
924
925 x = _gnutls_supported_ciphersuites (session, &ciphers);
926 if (x < 0)
927 { /* the case x==0 is handled within the function. */
928 gnutls_assert ();
929 return x;
930 }
931
932 /* Here we remove any ciphersuite that does not conform
933 * the certificate requested, or to the
934 * authentication requested (e.g. SRP).
935 */
936 x = _gnutls_remove_unwanted_ciphersuites (session, &ciphers, x, pk_algo);
937 if (x <= 0)
938 {
939 gnutls_assert ();
940 gnutls_free (ciphers);
941 if (x < 0)
942 return x;
943 else
944 return GNUTLS_E_UNKNOWN_CIPHER_SUITE;
945 }
946
947 /* Data length should be zero mod 2 since
948 * every ciphersuite is 2 bytes. (this check is needed
949 * see below).
950 */
951 if (datalen % 2 != 0)
952 {
953 gnutls_assert ();
954 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
955 }
956
957 memset (session->security_parameters.current_cipher_suite.suite, 0, 2);
958
959 retval = GNUTLS_E_UNKNOWN_CIPHER_SUITE;
960
961 _gnutls_handshake_log ("HSK[%p]: Requested cipher suites[size: %d]: \n", session, (int)datalen);
962 for (j = 0; j < datalen; j += 2)
963 {
964 memcpy (&cs.suite, &data[j], 2);
965 _gnutls_handshake_log ("\t0x%.2x, 0x%.2x %s\n", data[j], data[j+1], _gnutls_cipher_suite_get_name (&cs));
966 for (i = 0; i < x; i++)
967 {
968 if (memcmp (ciphers[i].suite, &data[j], 2) == 0)
969 {
970 _gnutls_handshake_log
971 ("HSK[%p]: Selected cipher suite: %s\n", session,
972 _gnutls_cipher_suite_get_name (&cs));
973 memcpy (session->security_parameters.current_cipher_suite.suite,
974 ciphers[i].suite, 2);
975 _gnutls_epoch_set_cipher_suite (session, EPOCH_NEXT,
976 &session->
977 security_parameters.current_cipher_suite);
978
979
980 retval = 0;
981 goto finish;
982 }
983 }
984 }
985
986 finish:
987 gnutls_free (ciphers);
988
989 if (retval != 0)
990 {
991 gnutls_assert ();
992 return retval;
993 }
994
995 /* check if the credentials (username, public key etc.) are ok
996 */
997 if (_gnutls_get_kx_cred
998 (session,
999 _gnutls_cipher_suite_get_kx_algo (&session->
1000 security_parameters.current_cipher_suite),
1001 &err) == NULL && err != 0)
1002 {
1003 gnutls_assert ();
1004 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
1005 }
1006
1007
1008 /* set the mod_auth_st to the appropriate struct
1009 * according to the KX algorithm. This is needed since all the
1010 * handshake functions are read from there;
1011 */
1012 session->internals.auth_struct =
1013 _gnutls_kx_auth_struct (_gnutls_cipher_suite_get_kx_algo
1014 (&session->
1015 security_parameters.current_cipher_suite));
1016 if (session->internals.auth_struct == NULL)
1017 {
1018
1019 _gnutls_handshake_log
1020 ("HSK[%p]: Cannot find the appropriate handler for the KX algorithm\n",
1021 session);
1022 gnutls_assert ();
1023 return GNUTLS_E_INTERNAL_ERROR;
1024 }
1025
1026 return 0;
1027
1028 }
1029
1030
1031 /* This selects the best supported compression method from the ones provided
1032 */
1033 static int
1034 _gnutls_server_select_comp_method (gnutls_session_t session,
1035 opaque * data, int datalen)
1036 {
1037 int x, i, j;
1038 uint8_t *comps;
1039
1040 x = _gnutls_supported_compression_methods (session, &comps);
1041 if (x < 0)
1042 {
1043 gnutls_assert ();
1044 return x;
1045 }
1046
1047 memset (&session->internals.compression_method, 0,
1048 sizeof (gnutls_compression_method_t));
1049
1050 for (j = 0; j < datalen; j++)
1051 {
1052 for (i = 0; i < x; i++)
1053 {
1054 if (comps[i] == data[j])
1055 {
1056 gnutls_compression_method_t method =
1057 _gnutls_compression_get_id (comps[i]);
1058
1059 session->internals.compression_method = method;
1060 gnutls_free (comps);
1061
1062 _gnutls_epoch_set_compression (session, EPOCH_NEXT, method);
1063
1064 _gnutls_handshake_log
1065 ("HSK[%p]: Selected Compression Method: %s\n", session,
1066 gnutls_compression_get_name (session->
1067 internals.compression_method));
1068
1069
1070 return 0;
1071 }
1072 }
1073 }
1074
1075 /* we were not able to find a compatible compression
1076 * algorithm
1077 */
1078 gnutls_free (comps);
1079 gnutls_assert ();
1080 return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM;
1081
1082 }
1083
1084 /* This function sends an empty handshake packet. (like hello request).
1085 * If the previous _gnutls_send_empty_handshake() returned
1086 * GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED, then it must be called again
1087 * (until it returns ok), with NULL parameters.
1088 */
1089 static int
1090 _gnutls_send_empty_handshake (gnutls_session_t session,
1091 gnutls_handshake_description_t type, int again)
1092 {
1093 mbuffer_st *bufel;
1094
1095 if (again == 0)
1096 {
1097 bufel = _gnutls_handshake_alloc (session, 0, 0);
1098 if (bufel == NULL)
1099 {
1100 gnutls_assert ();
1101 return GNUTLS_E_MEMORY_ERROR;
1102 }
1103 }
1104 else
1105 bufel = NULL;
1106
1107 return _gnutls_send_handshake (session, bufel, type);
1108 }
1109
1110
1111 /* This function will hash the handshake message we sent.
1112 */
1113 static int
1114 _gnutls_handshake_hash_add_sent (gnutls_session_t session,
1115 gnutls_handshake_description_t type,
1116 opaque * dataptr, uint32_t datalen)
1117 {
1118 int ret;
1119
1120 if (session->security_parameters.entity == GNUTLS_CLIENT
1121 && type == GNUTLS_HANDSHAKE_CLIENT_HELLO)
1122 {
1123 /* do not hash immediatelly since the hash has not yet been initialized */
1124 if ((ret =
1125 _gnutls_handshake_buffer_put (session, dataptr, datalen)) < 0)
1126 {
1127 gnutls_assert ();
1128 return ret;
1129 }
1130 return 0;
1131 }
1132
1133 if ((ret = _gnutls_handshake_hash_pending (session)) < 0)
1134 {
1135 gnutls_assert ();
1136 return ret;
1137 }
1138
1139 if (type != GNUTLS_HANDSHAKE_HELLO_REQUEST)
1140 {
1141 if (session->security_parameters.handshake_mac_handle_type ==
1142 HANDSHAKE_MAC_TYPE_10)
1143 {
1144 _gnutls_hash (&session->internals.handshake_mac_handle.tls10.sha,
1145 dataptr, datalen);
1146 _gnutls_hash (&session->internals.handshake_mac_handle.tls10.md5,
1147 dataptr, datalen);
1148 }
1149 else if (session->security_parameters.handshake_mac_handle_type ==
1150 HANDSHAKE_MAC_TYPE_12)
1151 {
1152 _gnutls_hash (&session->internals.handshake_mac_handle.tls12.sha256,
1153 dataptr, datalen);
1154 _gnutls_hash (&session->internals.handshake_mac_handle.tls12.sha1,
1155 dataptr, datalen);
1156 }
1157 }
1158
1159 return 0;
1160 }
1161
1162
1163 /* This function sends a handshake message of type 'type' containing the
1164 * data specified here. If the previous _gnutls_send_handshake() returned
1165 * GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED, then it must be called again
1166 * (until it returns ok), with NULL parameters.
1167 */
1168 int
1169 _gnutls_send_handshake (gnutls_session_t session, mbuffer_st * bufel,
1170 gnutls_handshake_description_t type)
1171 {
1172 int ret;
1173 uint8_t *data;
1174 uint32_t datasize, i_datasize;
1175 int pos = 0;
1176
1177 if (bufel == NULL)
1178 {
1179 /* we are resuming a previously interrupted
1180 * send.
1181 */
1182 ret = _gnutls_handshake_io_write_flush (session);
1183 return ret;
1184
1185 }
1186
1187 /* first run */
1188 data = _mbuffer_get_uhead_ptr (bufel);
1189 i_datasize = _mbuffer_get_udata_size(bufel);
1190 datasize = i_datasize + _mbuffer_get_uhead_size (bufel);
1191
1192 data[pos++] = (uint8_t) type;
1193 _gnutls_write_uint24 (_mbuffer_get_udata_size (bufel), &data[pos]);
1194 pos += 3;
1195
1196 /* Add DTLS handshake fragment headers. The message will be
1197 * fragmented later by the fragmentation sub-layer. All fields must
1198 * be set properly for HMAC. The HMAC requires we pretend that the
1199 * message was sent in a single fragment. */
1200 if (_gnutls_is_dtls(session))
1201 {
1202 _gnutls_write_uint16 (session->internals.dtls.hsk_write_seq++, &data[pos]);
1203 pos += 2;
1204
1205 /* Fragment offset */
1206 _gnutls_write_uint24 (0, &data[pos]);
1207 pos += 3;
1208
1209 /* Fragment length */
1210 _gnutls_write_uint24 (i_datasize, &data[pos]);
1211 pos += 3;
1212 }
1213
1214 _gnutls_handshake_log ("HSK[%p]: %s was queued [%ld bytes]\n",
1215 session, _gnutls_handshake2str (type),
1216 (long) datasize);
1217
1218
1219 /* If we send a second or more ClientHello due to a
1220 HelloVerifyRequest, we only remember the last ClientHello
1221 sent for hashing purposes. */
1222 if (_gnutls_is_dtls(session)
1223 && type == GNUTLS_HANDSHAKE_CLIENT_HELLO
1224 && (session->internals.last_handshake_out == GNUTLS_HANDSHAKE_CLIENT_HELLO
1225 || session->internals.last_handshake_out == -1))
1226 {
1227 _gnutls_handshake_hash_buffers_clear (session);
1228 if ((ret = _gnutls_handshake_hash_init (session)) < 0)
1229 {
1230 gnutls_assert ();
1231 return ret;
1232 }
1233 }
1234
1235 /* Here we keep the handshake messages in order to hash them...
1236 */
1237 if (type != GNUTLS_HANDSHAKE_HELLO_REQUEST)
1238 if ((ret =
1239 _gnutls_handshake_hash_add_sent (session, type, data, datasize)) < 0)
1240 {
1241 gnutls_assert ();
1242 _mbuffer_xfree(&bufel);
1243 return ret;
1244 }
1245
1246 session->internals.last_handshake_out = type;
1247
1248 ret = _gnutls_handshake_io_cache_int (session, type, bufel);
1249 if (ret < 0)
1250 {
1251 _mbuffer_xfree(&bufel);
1252 gnutls_assert();
1253 return ret;
1254 }
1255
1256 switch (type)
1257 {
1258 case GNUTLS_HANDSHAKE_CERTIFICATE_PKT: /* this one is followed by ServerHelloDone
1259 * or ClientKeyExchange always.
1260 */
1261 case GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE: /* as above */
1262 case GNUTLS_HANDSHAKE_SERVER_HELLO: /* as above */
1263 case GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST: /* as above */
1264 case GNUTLS_HANDSHAKE_NEW_SESSION_TICKET: /* followed by ChangeCipherSpec */
1265
1266 /* now for client Certificate, ClientKeyExchange and
1267 * CertificateVerify are always followed by ChangeCipherSpec
1268 */
1269 case GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY:
1270 case GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE:
1271 ret = 0;
1272 break;
1273 default:
1274 /* send cached messages */
1275 ret = _gnutls_handshake_io_write_flush (session);
1276 break;
1277 }
1278
1279 return ret;
1280 }
1281
1282 #define _gnutls_handshake_header_buffer_clear( session) session->internals.handshake_header_buffer.header_size = 0; \
1283 session->internals.handshake_header_buffer.sequence = -1; \
1284 session->internals.handshake_header_buffer.frag_offset = 0; \
1285 session->internals.handshake_header_buffer.frag_length = 0
1286
1287 /* This function will read the handshake header and return it to the caller. If the
1288 * received handshake packet is not the one expected then it buffers the header, and
1289 * returns UNEXPECTED_HANDSHAKE_PACKET.
1290 *
1291 * FIXME: This function is complex.
1292 */
1293 #define SSL2_HEADERS 1
1294 static int
1295 _gnutls_recv_handshake_header (gnutls_session_t session,
1296 gnutls_handshake_description_t type,
1297 gnutls_handshake_description_t * recv_type)
1298 {
1299 int ret;
1300 uint32_t length32 = 0;
1301 uint8_t *dataptr = NULL; /* for realloc */
1302 size_t handshake_header_size = HANDSHAKE_HEADER_SIZE(session);
1303
1304 /* if we have data into the buffer then return them, do not read the next packet.
1305 * In order to return we need a full TLS handshake header, or in case of a version 2
1306 * packet, then we return the first byte.
1307 */
1308 if (session->internals.handshake_header_buffer.header_size ==
1309 handshake_header_size || (session->internals.v2_hello != 0
1310 && type == GNUTLS_HANDSHAKE_CLIENT_HELLO
1311 && session->internals.handshake_header_buffer.
1312 packet_length > 0))
1313 {
1314
1315 *recv_type = session->internals.handshake_header_buffer.recv_type;
1316
1317 if (*recv_type != type)
1318 {
1319 gnutls_assert ();
1320 _gnutls_handshake_log
1321 ("HSK[%p]: Handshake type mismatch (under attack?)\n", session);
1322 return GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET;
1323 }
1324
1325 return session->internals.handshake_header_buffer.packet_length;
1326 }
1327
1328 /* Note: SSL2_HEADERS == 1 */
1329
1330 dataptr = session->internals.handshake_header_buffer.header;
1331
1332 /* If we haven't already read the handshake headers.
1333 */
1334 if (session->internals.handshake_header_buffer.header_size < SSL2_HEADERS)
1335 {
1336 ret =
1337 _gnutls_handshake_io_recv_int (session, GNUTLS_HANDSHAKE,
1338 type, dataptr, SSL2_HEADERS);
1339
1340 if (ret < 0)
1341 {
1342 return ret;
1343 }
1344
1345 /* The case ret==0 is caught here.
1346 */
1347 if (ret != SSL2_HEADERS)
1348 {
1349 gnutls_assert ();
1350 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
1351 }
1352 session->internals.handshake_header_buffer.header_size = SSL2_HEADERS;
1353 }
1354
1355 if (session->internals.v2_hello == 0
1356 || type != GNUTLS_HANDSHAKE_CLIENT_HELLO)
1357 {
1358 ret =
1359 _gnutls_handshake_io_recv_int (session, GNUTLS_HANDSHAKE,
1360 type,
1361 &dataptr
1362 [session->
1363 internals.handshake_header_buffer.
1364 header_size],
1365 HANDSHAKE_HEADER_SIZE(session) -
1366 session->
1367 internals.handshake_header_buffer.
1368 header_size);
1369 if (ret <= 0)
1370 {
1371 gnutls_assert ();
1372 return (ret < 0) ? ret : GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
1373 }
1374 if ((size_t) ret !=
1375 HANDSHAKE_HEADER_SIZE(session) -
1376 session->internals.handshake_header_buffer.header_size)
1377 {
1378 gnutls_assert ();
1379 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
1380 }
1381 *recv_type = dataptr[0];
1382
1383 /* we do not use DECR_LEN because we know
1384 * that the packet has enough data.
1385 */
1386 length32 = _gnutls_read_uint24 (&dataptr[1]);
1387 handshake_header_size = HANDSHAKE_HEADER_SIZE(session);
1388
1389 if (IS_DTLS(session))
1390 {
1391 session->internals.handshake_header_buffer.sequence = _gnutls_read_uint16 (&dataptr[4]);
1392 session->internals.handshake_header_buffer.frag_offset = _gnutls_read_uint24 (&dataptr[6]);
1393 session->internals.handshake_header_buffer.frag_length = _gnutls_read_uint24 (&dataptr[9]);
1394 }
1395
1396
1397 _gnutls_handshake_log ("HSK[%p]: %s was received [%ld bytes]\n",
1398 session, _gnutls_handshake2str (dataptr[0]),
1399 (long int) (length32 + HANDSHAKE_HEADER_SIZE(session)));
1400
1401 }
1402 else
1403 { /* v2 hello */
1404 length32 = session->internals.v2_hello - SSL2_HEADERS; /* we've read the first byte */
1405
1406 handshake_header_size = SSL2_HEADERS; /* we've already read one byte */
1407
1408 *recv_type = dataptr[0];
1409
1410 _gnutls_handshake_log ("HSK[%p]: %s(v2) was received [%ld bytes]\n",
1411 session, _gnutls_handshake2str (*recv_type),
1412 (long int) (length32 + handshake_header_size));
1413
1414 /* The IS_DTLS() check is redundant since the record layer will
1415 * prevent us from reaching here.
1416 */
1417 if (IS_DTLS(session) || *recv_type != GNUTLS_HANDSHAKE_CLIENT_HELLO)
1418 { /* it should be one or nothing */
1419 gnutls_assert ();
1420 return GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET;
1421 }
1422 }
1423
1424 /* put the packet into the buffer */
1425 session->internals.handshake_header_buffer.header_size =
1426 handshake_header_size;
1427 session->internals.handshake_header_buffer.packet_length = length32;
1428 session->internals.handshake_header_buffer.recv_type = *recv_type;
1429
1430 if (IS_DTLS(session))
1431 {
1432 if ((int)session->internals.handshake_header_buffer.sequence <= session->internals.dtls.hsk_read_seq)
1433 {
1434 _gnutls_audit_log("Dropping replayed handshake packet with sequence %d\n", session->internals.handshake_header_buffer.sequence);
1435 ret = _gnutls_handshake_io_recv_skip(session, GNUTLS_HANDSHAKE, *recv_type, length32);
1436 if (ret < 0)
1437 return gnutls_assert_val(ret);
1438
1439 _gnutls_handshake_header_buffer_clear (session);
1440 return GNUTLS_E_AGAIN;
1441 }
1442 session->internals.dtls.hsk_read_seq = session->internals.handshake_header_buffer.sequence;
1443
1444 if (type == GNUTLS_HANDSHAKE_SERVER_HELLO
1445 && *recv_type == GNUTLS_HANDSHAKE_HELLO_VERIFY_REQUEST)
1446 return length32;
1447 }
1448
1449 if (*recv_type != type)
1450 {
1451 _gnutls_handshake_log ("HSK[%p]: %s was received, expected %s\n",
1452 session, _gnutls_handshake2str (*recv_type),
1453 _gnutls_handshake2str (type));
1454 gnutls_assert ();
1455 return GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET;
1456 }
1457
1458 return length32;
1459 }
1460
1461 /* This function will hash the handshake headers and the
1462 * handshake data.
1463 */
1464 static int
1465 _gnutls_handshake_hash_add_recvd (gnutls_session_t session,
1466 gnutls_handshake_description_t recv_type,
1467 opaque * header, uint16_t header_size,
1468 opaque * dataptr, uint32_t datalen)
1469 {
1470 int ret;
1471
1472 /* The idea here is to hash the previous message we received,
1473 * and add the one we just received into the handshake_hash_buffer.
1474 */
1475 if ((session->security_parameters.entity == GNUTLS_SERVER
1476 || recv_type != GNUTLS_HANDSHAKE_SERVER_HELLO)
1477 && (session->security_parameters.entity == GNUTLS_CLIENT
1478 || recv_type != GNUTLS_HANDSHAKE_CLIENT_HELLO))
1479 {
1480 if ((ret = _gnutls_handshake_hash_pending (session)) < 0)
1481 {
1482 gnutls_assert ();
1483 return ret;
1484 }
1485 }
1486
1487 /* here we buffer the handshake messages - needed at Finished message */
1488 if (recv_type != GNUTLS_HANDSHAKE_HELLO_REQUEST)
1489 {
1490
1491 if ((ret =
1492 _gnutls_handshake_buffer_put (session, header, header_size)) < 0)
1493 {
1494 gnutls_assert ();
1495 return ret;
1496 }
1497
1498 if (datalen > 0)
1499 {
1500 if ((ret =
1501 _gnutls_handshake_buffer_put (session, dataptr, datalen)) < 0)
1502 {
1503 gnutls_assert ();
1504 return ret;
1505 }
1506 }
1507 }
1508
1509 return 0;
1510 }
1511
1512
1513 /* This function will receive handshake messages of the given types,
1514 * and will pass the message to the right place in order to be processed.
1515 * E.g. for the SERVER_HELLO message (if it is expected), it will be
1516 * passed to _gnutls_recv_hello().
1517 */
1518 int
1519 _gnutls_recv_handshake (gnutls_session_t session, uint8_t ** data,
1520 int *datalen, gnutls_handshake_description_t type,
1521 optional_t optional)
1522 {
1523 int ret;
1524 uint32_t length32 = 0;
1525 opaque *dataptr = NULL;
1526 gnutls_handshake_description_t recv_type;
1527
1528 ret = _gnutls_recv_handshake_header (session, type, &recv_type);
1529 if (ret < 0)
1530 {
1531 if (ret == GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET
1532 && optional == OPTIONAL_PACKET)
1533 {
1534 if (datalen != NULL)
1535 *datalen = 0;
1536 if (data != NULL)
1537 *data = NULL;
1538 return 0; /* ok just ignore the packet */
1539 }
1540
1541 return ret;
1542 }
1543
1544 session->internals.last_handshake_in = recv_type;
1545
1546 length32 = ret;
1547
1548 if (length32 > 0)
1549 dataptr = gnutls_malloc (length32);
1550 else if (recv_type != GNUTLS_HANDSHAKE_SERVER_HELLO_DONE)
1551 {
1552 gnutls_assert ();
1553 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
1554 }
1555
1556 if (dataptr == NULL && length32 > 0)
1557 {
1558 gnutls_assert ();
1559 return GNUTLS_E_MEMORY_ERROR;
1560 }
1561
1562 if (datalen != NULL)
1563 *datalen = length32;
1564
1565 if (length32 > 0)
1566 {
1567 ret =
1568 _gnutls_handshake_io_recv_int (session, GNUTLS_HANDSHAKE,
1569 type, dataptr, length32);
1570 if (ret <= 0)
1571 {
1572 gnutls_assert ();
1573 if (ret == 0)
1574 ret = GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
1575 goto cleanup;
1576 }
1577 }
1578
1579 if (data != NULL && length32 > 0)
1580 *data = dataptr;
1581
1582 ret = _gnutls_handshake_hash_add_recvd (session, recv_type,
1583 session->
1584 internals.handshake_header_buffer.
1585 header,
1586 session->
1587 internals.handshake_header_buffer.
1588 header_size, dataptr, length32);
1589
1590 /* If we fail before this then we will reuse the handshake header
1591 * have have received above. if we get here the we clear the handshake
1592 * header we received.
1593 */
1594 _gnutls_handshake_header_buffer_clear (session);
1595
1596 if (ret < 0)
1597 {
1598 gnutls_assert ();
1599 goto cleanup;
1600 }
1601
1602 switch (recv_type)
1603 {
1604 case GNUTLS_HANDSHAKE_CLIENT_HELLO:
1605 case GNUTLS_HANDSHAKE_SERVER_HELLO:
1606 ret = _gnutls_recv_hello (session, dataptr, length32);
1607 if (ret < 0)
1608 {
1609 gnutls_assert();
1610 goto cleanup;
1611 }
1612
1613 /* initialize the hashes for both - (client will know server's version
1614 * and server as well at this point) */
1615 if ((ret = _gnutls_handshake_hash_init (session)) < 0)
1616 {
1617 gnutls_assert ();
1618 goto cleanup;
1619 }
1620
1621 goto cleanup; /* caller doesn't need dataptr */
1622
1623 break;
1624 case GNUTLS_HANDSHAKE_HELLO_VERIFY_REQUEST:
1625 ret = _gnutls_recv_hello_verify_request (session, dataptr, length32);
1626 if (ret < 0)
1627 {
1628 gnutls_assert();
1629 goto cleanup;
1630 }
1631 else
1632 /* Signal our caller we have received a verification cookie
1633 and ClientHello needs to be sent again. */
1634 ret = 1;
1635
1636 goto cleanup; /* caller doesn't need dataptr */
1637
1638 break;
1639 case GNUTLS_HANDSHAKE_SERVER_HELLO_DONE:
1640 if (length32 == 0)
1641 ret = 0;
1642 else
1643 {
1644 ret = GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
1645 goto cleanup;
1646 }
1647 break;
1648 case GNUTLS_HANDSHAKE_CERTIFICATE_PKT:
1649 case GNUTLS_HANDSHAKE_FINISHED:
1650 case GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE:
1651 case GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE:
1652 case GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST:
1653 case GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY:
1654 case GNUTLS_HANDSHAKE_SUPPLEMENTAL:
1655 case GNUTLS_HANDSHAKE_NEW_SESSION_TICKET:
1656 ret = length32;
1657 break;
1658 default:
1659 gnutls_assert ();
1660 ret = GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET;
1661 goto cleanup;
1662 }
1663
1664 return ret;
1665
1666 cleanup:
1667 gnutls_free (dataptr);
1668 if (data != NULL)
1669 *data = NULL;
1670 return ret;
1671 }
1672
1673 /* This function checks if the given cipher suite is supported, and sets it
1674 * to the session;
1675 */
1676 static int
1677 _gnutls_client_set_ciphersuite (gnutls_session_t session, opaque suite[2])
1678 {
1679 uint8_t z;
1680 cipher_suite_st *cipher_suites;
1681 int cipher_suite_num;
1682 int i, err;
1683
1684 z = 1;
1685 cipher_suite_num = _gnutls_supported_ciphersuites (session, &cipher_suites);
1686 if (cipher_suite_num < 0)
1687 {
1688 gnutls_assert ();
1689 return cipher_suite_num;
1690 }
1691
1692 for (i = 0; i < cipher_suite_num; i++)
1693 {
1694 if (memcmp (&cipher_suites[i], suite, 2) == 0)
1695 {
1696 z = 0;
1697 break;
1698 }
1699 }
1700
1701 gnutls_free (cipher_suites);
1702
1703 if (z != 0)
1704 {
1705 gnutls_assert ();
1706 return GNUTLS_E_UNKNOWN_CIPHER_SUITE;
1707 }
1708
1709 memcpy (session->security_parameters.current_cipher_suite.suite, suite, 2);
1710 _gnutls_epoch_set_cipher_suite (session, EPOCH_NEXT,
1711 &session->
1712 security_parameters.current_cipher_suite);
1713
1714 _gnutls_handshake_log ("HSK[%p]: Selected cipher suite: %s\n", session,
1715 _gnutls_cipher_suite_get_name
1716 (&session->
1717 security_parameters.current_cipher_suite));
1718
1719
1720 /* check if the credentials (username, public key etc.) are ok.
1721 * Actually checks if they exist.
1722 */
1723 if (_gnutls_get_kx_cred
1724 (session,
1725 _gnutls_cipher_suite_get_kx_algo
1726 (&session->security_parameters.current_cipher_suite), &err) == NULL
1727 && err != 0)
1728 {
1729 gnutls_assert ();
1730 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
1731 }
1732
1733
1734 /* set the mod_auth_st to the appropriate struct
1735 * according to the KX algorithm. This is needed since all the
1736 * handshake functions are read from there;
1737 */
1738 session->internals.auth_struct =
1739 _gnutls_kx_auth_struct (_gnutls_cipher_suite_get_kx_algo
1740 (&session->
1741 security_parameters.current_cipher_suite));
1742
1743 if (session->internals.auth_struct == NULL)
1744 {
1745
1746 _gnutls_handshake_log
1747 ("HSK[%p]: Cannot find the appropriate handler for the KX algorithm\n",
1748 session);
1749 gnutls_assert ();
1750 return GNUTLS_E_INTERNAL_ERROR;
1751 }
1752
1753
1754 return 0;
1755 }
1756
1757 /* This function sets the given comp method to the session.
1758 */
1759 static int
1760 _gnutls_client_set_comp_method (gnutls_session_t session, opaque comp_method)
1761 {
1762 int comp_methods_num;
1763 uint8_t *compression_methods;
1764 int i;
1765
1766 comp_methods_num = _gnutls_supported_compression_methods (session,
1767 &compression_methods);
1768 if (comp_methods_num < 0)
1769 {
1770 gnutls_assert ();
1771 return comp_methods_num;
1772 }
1773
1774 for (i = 0; i < comp_methods_num; i++)
1775 {
1776 if (compression_methods[i] == comp_method)
1777 {
1778 comp_methods_num = 0;
1779 break;
1780 }
1781 }
1782
1783 gnutls_free (compression_methods);
1784
1785 if (comp_methods_num != 0)
1786 {
1787 gnutls_assert ();
1788 return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM;
1789 }
1790
1791 session->internals.compression_method =
1792 _gnutls_compression_get_id (comp_method);
1793 _gnutls_epoch_set_compression (session, EPOCH_NEXT,
1794 session->internals.compression_method);
1795
1796 return 0;
1797 }
1798
1799 /* This function returns 0 if we are resuming a session or -1 otherwise.
1800 * This also sets the variables in the session. Used only while reading a server
1801 * hello.
1802 */
1803 static int
1804 _gnutls_client_check_if_resuming (gnutls_session_t session,
1805 opaque * session_id, int session_id_len)
1806 {
1807 opaque buf[2 * TLS_MAX_SESSION_ID_SIZE + 1];
1808
1809 _gnutls_handshake_log ("HSK[%p]: SessionID length: %d\n", session,
1810 session_id_len);
1811 _gnutls_handshake_log ("HSK[%p]: SessionID: %s\n", session,
1812 _gnutls_bin2hex (session_id, session_id_len, buf,
1813 sizeof (buf), NULL));
1814
1815 if (session_id_len > 0 &&
1816 session->internals.resumed_security_parameters.session_id_size ==
1817 session_id_len
1818 && memcmp (session_id,
1819 session->internals.resumed_security_parameters.session_id,
1820 session_id_len) == 0)
1821 {
1822 /* resume session */
1823 memcpy (session->internals.resumed_security_parameters.server_random,
1824 session->security_parameters.server_random, GNUTLS_RANDOM_SIZE);
1825 memcpy (session->internals.resumed_security_parameters.client_random,
1826 session->security_parameters.client_random, GNUTLS_RANDOM_SIZE);
1827
1828 _gnutls_epoch_set_cipher_suite
1829 (session, EPOCH_NEXT,
1830 &session->internals.
1831 resumed_security_parameters.current_cipher_suite);
1832 _gnutls_epoch_set_compression (session, EPOCH_NEXT,
1833 session->
1834 internals.resumed_compression_method);
1835
1836 session->internals.resumed = RESUME_TRUE; /* we are resuming */
1837
1838 return 0;
1839 }
1840 else
1841 {
1842 /* keep the new session id */
1843 session->internals.resumed = RESUME_FALSE; /* we are not resuming */
1844 session->security_parameters.session_id_size = session_id_len;
1845 memcpy (session->security_parameters.session_id,
1846 session_id, session_id_len);
1847
1848 return -1;
1849 }
1850 }
1851
1852
1853 /* This function reads and parses the server hello handshake message.
1854 * This function also restores resumed parameters if we are resuming a
1855 * session.
1856 */
1857 static int
1858 _gnutls_read_server_hello (gnutls_session_t session,
1859 opaque * data, int datalen)
1860 {
1861 uint8_t session_id_len = 0;
1862 int pos = 0;
1863 int ret = 0;
1864 gnutls_protocol_t version;
1865 int len = datalen;
1866
1867 if (datalen < 38)
1868 {
1869 gnutls_assert ();
1870 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
1871 }
1872
1873 _gnutls_handshake_log ("HSK[%p]: Server's version: %d.%d\n",
1874 session, data[pos], data[pos + 1]);
1875
1876 DECR_LEN (len, 2);
1877 version = _gnutls_version_get (data[pos], data[pos + 1]);
1878 if (_gnutls_version_is_supported (session, version) == 0)
1879 {
1880 gnutls_assert ();
1881 return GNUTLS_E_UNSUPPORTED_VERSION_PACKET;
1882 }
1883 else
1884 {
1885 _gnutls_set_current_version (session, version);
1886 }
1887
1888 pos += 2;
1889
1890 DECR_LEN (len, GNUTLS_RANDOM_SIZE);
1891 _gnutls_set_server_random (session, &data[pos]);
1892 pos += GNUTLS_RANDOM_SIZE;
1893
1894
1895 /* Read session ID
1896 */
1897 DECR_LEN (len, 1);
1898 session_id_len = data[pos++];
1899
1900 if (len < session_id_len)
1901 {
1902 gnutls_assert ();
1903 return GNUTLS_E_UNSUPPORTED_VERSION_PACKET;
1904 }
1905 DECR_LEN (len, session_id_len);
1906
1907 /* check if we are resuming and set the appropriate
1908 * values;
1909 */
1910 if (_gnutls_client_check_if_resuming
1911 (session, &data[pos], session_id_len) == 0)
1912 {
1913 pos += session_id_len + 2 + 1;
1914 DECR_LEN (len, 2 + 1);
1915
1916 ret = _gnutls_parse_extensions (session, GNUTLS_EXT_MANDATORY,
1917 &data[pos], len);
1918 if (ret < 0)
1919 {
1920 gnutls_assert ();
1921 return ret;
1922 }
1923 return 0;
1924 }
1925
1926 pos += session_id_len;
1927
1928 /* Check if the given cipher suite is supported and copy
1929 * it to the session.
1930 */
1931
1932 DECR_LEN (len, 2);
1933 ret = _gnutls_client_set_ciphersuite (session, &data[pos]);
1934 if (ret < 0)
1935 {
1936 gnutls_assert ();
1937 return ret;
1938 }
1939 pos += 2;
1940
1941 /* move to compression
1942 */
1943 DECR_LEN (len, 1);
1944
1945 ret = _gnutls_client_set_comp_method (session, data[pos++]);
1946 if (ret < 0)
1947 {
1948 gnutls_assert ();
1949 return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM;
1950 }
1951
1952 /* Parse extensions.
1953 */
1954 ret = _gnutls_parse_extensions (session, GNUTLS_EXT_ANY, &data[pos], len);
1955 if (ret < 0)
1956 {
1957 gnutls_assert ();
1958 return ret;
1959 }
1960
1961 return ret;
1962 }
1963
1964
1965 /* This function copies the appropriate ciphersuites to a locally allocated buffer
1966 * Needed in client hello messages. Returns the new data length. If add_scsv is
1967 * true, add the special safe renegotiation CS.
1968 */
1969 static int
1970 _gnutls_copy_ciphersuites (gnutls_session_t session,
1971 gnutls_buffer_st * cdata,
1972 int add_scsv)
1973 {
1974 int ret, i;
1975 cipher_suite_st *cipher_suites;
1976 uint16_t cipher_num;
1977 uint16_t loop_max;
1978 size_t init_length = cdata->length;
1979
1980 ret = _gnutls_supported_ciphersuites_sorted (session, &cipher_suites);
1981 if (ret < 0)
1982 {
1983 gnutls_assert ();
1984 return ret;
1985 }
1986
1987 /* Here we remove any ciphersuite that does not conform
1988 * the certificate requested, or to the
1989 * authentication requested (eg SRP).
1990 */
1991 ret =
1992 _gnutls_remove_unwanted_ciphersuites (session, &cipher_suites, ret, -1);
1993 if (ret < 0)
1994 {
1995 gnutls_assert ();
1996 gnutls_free (cipher_suites);
1997 return ret;
1998 }
1999
2000 /* If no cipher suites were enabled.
2001 */
2002 if (ret == 0)
2003 {
2004 gnutls_assert ();
2005 gnutls_free (cipher_suites);
2006 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
2007 }
2008
2009 if (add_scsv)
2010 ++ret;
2011
2012 cipher_num = ret;
2013
2014 cipher_num *= sizeof (uint16_t); /* in order to get bytes */
2015
2016 ret = _gnutls_buffer_append_prefix(cdata, 16, cipher_num);
2017 if (ret < 0)
2018 {
2019 gnutls_assert();
2020 goto cleanup;
2021 }
2022
2023
2024 loop_max = add_scsv ? cipher_num - 2 : cipher_num;
2025 for (i = 0; i < (loop_max / 2); i++)
2026 {
2027 ret = _gnutls_buffer_append_data( cdata, cipher_suites[i].suite, 2);
2028 if (ret < 0)
2029 {
2030 gnutls_assert();
2031 goto cleanup;
2032 }
2033 }
2034
2035 if (add_scsv)
2036 {
2037 uint8_t p[2];
2038 /* Safe renegotiation signalling CS value is { 0x00, 0xff } */
2039 p[0] = 0x00;
2040 p[1] = 0xff;
2041 ret = _gnutls_buffer_append_data( cdata, p, 2);
2042 if (ret < 0)
2043 {
2044 gnutls_assert();
2045 goto cleanup;
2046 }
2047
2048 ret = _gnutls_ext_sr_send_cs (session);
2049 if (ret < 0)
2050 {
2051 gnutls_assert ();
2052 goto cleanup;
2053 }
2054 }
2055
2056 ret = cdata->length - init_length;
2057
2058 cleanup:
2059 gnutls_free (cipher_suites);
2060
2061 return ret;
2062 }
2063
2064
2065 /* This function copies the appropriate compression methods, to a locally allocated buffer
2066 * Needed in hello messages. Returns the new data length.
2067 */
2068 static int
2069 _gnutls_copy_comp_methods (gnutls_session_t session,
2070 gnutls_buffer_st * cdata)
2071 {
2072 int ret, i;
2073 uint8_t *compression_methods, comp_num;
2074 size_t init_length = cdata->length;
2075
2076 ret = _gnutls_supported_compression_methods (session, &compression_methods);
2077 if (ret < 0)
2078 {
2079 gnutls_assert ();
2080 return ret;
2081 }
2082
2083 comp_num = ret;
2084
2085 /* put the number of compression methods */
2086 ret = _gnutls_buffer_append_prefix(cdata, 8, comp_num);
2087 if (ret < 0)
2088 {
2089 gnutls_assert();
2090 goto cleanup;
2091 }
2092
2093 for (i = 0; i < comp_num; i++)
2094 {
2095 ret = _gnutls_buffer_append_data(cdata, &compression_methods[i], 1);
2096 if (ret < 0)
2097 {
2098 gnutls_assert();
2099 goto cleanup;
2100 }
2101 }
2102
2103 ret = cdata->length - init_length;
2104
2105 cleanup:
2106 gnutls_free (compression_methods);
2107
2108 return ret;
2109 }
2110
2111 /* This should be sufficient by now. It should hold all the extensions
2112 * plus the headers in a hello message.
2113 */
2114 #define MAX_EXT_DATA_LENGTH 32*1024
2115
2116 /* This function sends the client hello handshake message.
2117 */
2118 static int
2119 _gnutls_send_client_hello (gnutls_session_t session, int again)
2120 {
2121 mbuffer_st *bufel = NULL;
2122 opaque *data = NULL;
2123 int pos = 0, type;
2124 int datalen = 0, ret = 0;
2125 opaque rnd[GNUTLS_RANDOM_SIZE];
2126 gnutls_protocol_t hver;
2127 gnutls_buffer_st extdata;
2128 int rehandshake = 0;
2129 uint8_t session_id_len =
2130 session->internals.resumed_security_parameters.session_id_size;
2131 uint8_t cookie_len;
2132
2133 _gnutls_buffer_init(&extdata);
2134
2135 /* note that rehandshake is different than resuming
2136 */
2137 if (session->security_parameters.session_id_size)
2138 rehandshake = 1;
2139
2140 if (again == 0)
2141 {
2142 if(_gnutls_is_dtls(session))
2143 {
2144 cookie_len = session->internals.dtls.cookie_len + 1;
2145 }
2146 else
2147 {
2148 cookie_len = 0;
2149 }
2150
2151 datalen = 2 + (session_id_len + 1) + GNUTLS_RANDOM_SIZE + cookie_len;
2152 /* 2 for version, (4 for unix time + 28 for random bytes==GNUTLS_RANDOM_SIZE)
2153 */
2154
2155 bufel = _gnutls_handshake_alloc (session, datalen, datalen+MAX_EXT_DATA_LENGTH);
2156 if (bufel == NULL)
2157 {
2158 gnutls_assert ();
2159 return GNUTLS_E_MEMORY_ERROR;
2160 }
2161 data = _mbuffer_get_udata_ptr (bufel);
2162
2163 /* if we are resuming a session then we set the
2164 * version number to the previously established.
2165 */
2166 if (session_id_len == 0)
2167 {
2168 if (rehandshake) /* already negotiated version thus version_max == negotiated version */
2169 hver = session->security_parameters.version;
2170 else /* new handshake. just get the max */
2171 hver = _gnutls_version_max (session);
2172 }
2173 else
2174 {
2175 /* we are resuming a session */
2176 hver = session->internals.resumed_security_parameters.version;
2177 }
2178
2179 if (hver == GNUTLS_VERSION_UNKNOWN || hver == 0)
2180 {
2181 gnutls_assert ();
2182 gnutls_free (bufel);
2183 return GNUTLS_E_INTERNAL_ERROR;
2184 }
2185
2186 data[pos++] = _gnutls_version_get_major (hver);
2187 data[pos++] = _gnutls_version_get_minor (hver);
2188
2189 /* Set the version we advertized as maximum
2190 * (RSA uses it).
2191 */
2192 _gnutls_set_adv_version (session, hver);
2193 _gnutls_set_current_version (session, hver);
2194
2195 if (session->internals.priorities.no_ssl3_record_version != 0)
2196 {
2197 /* Advertize the SSL 3.0 record packet version in
2198 * record packets during the handshake.
2199 * That is to avoid confusing implementations
2200 * that do not support TLS 1.2 and don't know
2201 * how 3,3 version of record packets look like.
2202 */
2203 _gnutls_record_set_default_version (session, 3, 0);
2204 }
2205
2206 /* In order to know when this session was initiated.
2207 */
2208 session->security_parameters.timestamp = time (NULL);
2209
2210 /* Generate random data
2211 */
2212 if (!_gnutls_is_dtls (session)
2213 || session->internals.dtls.hsk_hello_verify_requests == 0)
2214 {
2215 _gnutls_tls_create_random (rnd);
2216 _gnutls_set_client_random (session, rnd);
2217
2218 memcpy (&data[pos], rnd, GNUTLS_RANDOM_SIZE);
2219 }
2220 else
2221 memcpy (&data[pos], session->security_parameters.client_random, GNUTLS_RANDOM_SIZE);
2222
2223 pos += GNUTLS_RANDOM_SIZE;
2224
2225 /* Copy the Session ID
2226 */
2227 data[pos++] = session_id_len;
2228
2229 if (session_id_len > 0)
2230 {
2231 memcpy (&data[pos],
2232 session->internals.resumed_security_parameters.session_id,
2233 session_id_len);
2234 pos += session_id_len;
2235 }
2236
2237 /* Copy the DTLS cookie
2238 */
2239 if (_gnutls_is_dtls(session))
2240 {
2241 data[pos++] = session->internals.dtls.cookie_len;
2242 memcpy(&data[pos], &session->internals.dtls.cookie, session->internals.dtls.cookie_len);
2243 pos += session->internals.dtls.cookie_len;
2244 }
2245
2246 /* Copy the ciphersuites.
2247 *
2248 * If using SSLv3 Send TLS_RENEGO_PROTECTION_REQUEST SCSV for MITM
2249 * prevention on initial negotiation (but not renegotiation; that's
2250 * handled with the RI extension below).
2251 */
2252 if (!session->internals.initial_negotiation_completed &&
2253 session->security_parameters.entity == GNUTLS_CLIENT &&
2254 gnutls_protocol_get_version (session) == GNUTLS_SSL3)
2255 {
2256 ret =
2257 _gnutls_copy_ciphersuites (session, &extdata, TRUE);
2258 _gnutls_extension_list_add (session,
2259 GNUTLS_EXTENSION_SAFE_RENEGOTIATION);
2260 }
2261 else
2262 ret = _gnutls_copy_ciphersuites (session, &extdata, FALSE);
2263
2264 if (ret < 0)
2265 {
2266 gnutls_assert();
2267 goto cleanup;
2268 }
2269
2270 /* Copy the compression methods.
2271 */
2272 ret = _gnutls_copy_comp_methods (session, &extdata);
2273 if (ret < 0)
2274 {
2275 gnutls_assert();
2276 goto cleanup;
2277 }
2278
2279 /* Generate and copy TLS extensions.
2280 */
2281 if (_gnutls_version_has_extensions (hver))
2282 type = GNUTLS_EXT_ANY;
2283 else
2284 {
2285 if (session->internals.initial_negotiation_completed != 0)
2286 type = GNUTLS_EXT_MANDATORY;
2287 else
2288 type = GNUTLS_EXT_NONE;
2289 }
2290
2291 ret = _gnutls_gen_extensions (session, &extdata, type);
2292 if (ret < 0)
2293 {
2294 gnutls_assert();
2295 goto cleanup;
2296 }
2297
2298 ret = _mbuffer_append_data (bufel, extdata.data, extdata.length);
2299 if (ret < 0)
2300 {
2301 gnutls_assert ();
2302 goto cleanup;
2303 }
2304 }
2305
2306 _gnutls_buffer_clear(&extdata);
2307
2308 return
2309 _gnutls_send_handshake (session, bufel, GNUTLS_HANDSHAKE_CLIENT_HELLO);
2310
2311 cleanup:
2312 _mbuffer_xfree(&bufel);
2313 _gnutls_buffer_clear(&extdata);
2314 return ret;
2315 }
2316
2317 static int
2318 _gnutls_send_server_hello (gnutls_session_t session, int again)
2319 {
2320 mbuffer_st *bufel = NULL;
2321 opaque *data = NULL;
2322 gnutls_buffer_st extdata;
2323 int pos = 0;
2324 int datalen, ret = 0;
2325 uint8_t comp;
2326 uint8_t session_id_len = session->security_parameters.session_id_size;
2327 opaque buf[2 * TLS_MAX_SESSION_ID_SIZE + 1];
2328
2329 datalen = 0;
2330
2331 _gnutls_buffer_init(&extdata);
2332
2333 if (again == 0)
2334 {
2335 datalen = 2 + session_id_len + 1 + GNUTLS_RANDOM_SIZE + 3;
2336 ret =
2337 _gnutls_gen_extensions (session, &extdata, GNUTLS_EXT_ANY);
2338 if (ret < 0)
2339 {
2340 gnutls_assert ();
2341 goto fail;
2342 }
2343
2344 bufel = _gnutls_handshake_alloc (session, datalen + extdata.length, datalen + extdata.length);
2345 if (bufel == NULL)
2346 {
2347 gnutls_assert ();
2348 ret = GNUTLS_E_MEMORY_ERROR;
2349 goto fail;
2350 }
2351 data = _mbuffer_get_udata_ptr (bufel);
2352
2353 data[pos++] =
2354 _gnutls_version_get_major (session->security_parameters.version);
2355 data[pos++] =
2356 _gnutls_version_get_minor (session->security_parameters.version);
2357
2358 memcpy (&data[pos],
2359 session->security_parameters.server_random, GNUTLS_RANDOM_SIZE);
2360 pos += GNUTLS_RANDOM_SIZE;
2361
2362 data[pos++] = session_id_len;
2363 if (session_id_len > 0)
2364 {
2365 memcpy (&data[pos], session->security_parameters.session_id,
2366 session_id_len);
2367 }
2368 pos += session_id_len;
2369
2370 _gnutls_handshake_log ("HSK[%p]: SessionID: %s\n", session,
2371 _gnutls_bin2hex (session->security_parameters.
2372 session_id, session_id_len, buf,
2373 sizeof (buf), NULL));
2374
2375 memcpy (&data[pos],
2376 session->security_parameters.current_cipher_suite.suite, 2);
2377 pos += 2;
2378
2379 comp =
2380 (uint8_t) _gnutls_compression_get_num (session->internals.
2381 compression_method);
2382 data[pos++] = comp;
2383
2384
2385 if (extdata.length > 0)
2386 {
2387 datalen += extdata.length;
2388 memcpy (&data[pos], extdata.data, extdata.length);
2389 }
2390 }
2391
2392 ret =
2393 _gnutls_send_handshake (session, bufel, GNUTLS_HANDSHAKE_SERVER_HELLO);
2394
2395 fail:
2396 _gnutls_buffer_clear(&extdata);
2397 return ret;
2398 }
2399
2400 int
2401 _gnutls_send_hello (gnutls_session_t session, int again)
2402 {
2403 int ret;
2404
2405 if (session->security_parameters.entity == GNUTLS_CLIENT)
2406 {
2407 ret = _gnutls_send_client_hello (session, again);
2408
2409 }
2410 else
2411 { /* SERVER */
2412 ret = _gnutls_send_server_hello (session, again);
2413 }
2414
2415 return ret;
2416 }
2417
2418 /* RECEIVE A HELLO MESSAGE. This should be called from gnutls_recv_handshake_int only if a
2419 * hello message is expected. It uses the security_parameters.current_cipher_suite
2420 * and internals.compression_method.
2421 */
2422 int
2423 _gnutls_recv_hello (gnutls_session_t session, opaque * data, int datalen)
2424 {
2425 int ret;
2426
2427 if (session->security_parameters.entity == GNUTLS_CLIENT)
2428 {
2429 ret = _gnutls_read_server_hello (session, data, datalen);
2430 if (ret < 0)
2431 {
2432 gnutls_assert ();
2433 return ret;
2434 }
2435 }
2436 else
2437 { /* Server side reading a client hello */
2438
2439 ret = _gnutls_read_client_hello (session, data, datalen);
2440 if (ret < 0)
2441 {
2442 gnutls_assert ();
2443 return ret;
2444 }
2445 }
2446
2447 ret = _gnutls_ext_sr_verify (session);
2448 if (ret < 0)
2449 {
2450 gnutls_assert ();
2451 return ret;
2452 }
2453
2454 return 0;
2455 }
2456
2457 static int
2458 _gnutls_recv_hello_verify_request (gnutls_session_t session,
2459 opaque * data, int datalen)
2460 {
2461 ssize_t len = datalen;
2462 size_t pos = 0;
2463 uint8_t cookie_len;
2464 unsigned int nb_verifs;
2465
2466 if (!_gnutls_is_dtls (session)
2467 || session->security_parameters.entity == GNUTLS_SERVER)
2468 {
2469 gnutls_assert ();
2470 return GNUTLS_E_UNEXPECTED_PACKET;
2471 }
2472
2473 nb_verifs = ++session->internals.dtls.hsk_hello_verify_requests;
2474 if (nb_verifs >= MAX_HANDSHAKE_HELLO_VERIFY_REQUESTS)
2475 {
2476 /* The server is either buggy, malicious or changing cookie
2477 secrets _way_ too fast. */
2478 gnutls_assert ();
2479 return GNUTLS_E_UNEXPECTED_PACKET;
2480 }
2481
2482 /* TODO: determine if we need to do anything with the server version field */
2483 DECR_LEN (len, 2);
2484 pos += 2;
2485
2486 DECR_LEN (len, 1);
2487 cookie_len = data[pos];
2488 pos++;
2489
2490 if (cookie_len > DTLS_MAX_COOKIE_SIZE)
2491 {
2492 gnutls_assert ();
2493 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
2494 }
2495
2496 DECR_LEN (len, cookie_len);
2497
2498 session->internals.dtls.cookie_len = cookie_len;
2499 memcpy (session->internals.dtls.cookie, &data[pos], cookie_len);
2500
2501 pos += cookie_len;
2502
2503 if (len != 0)
2504 {
2505 gnutls_assert ();
2506 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
2507 }
2508
2509 return 0;
2510 }
2511
2512 /* The packets in gnutls_handshake (it's more broad than original TLS handshake)
2513 *
2514 * Client Server
2515 *
2516 * ClientHello -------->
2517 * <-------- ServerHello
2518 *
2519 * Certificate*
2520 * ServerKeyExchange*
2521 * <-------- CertificateRequest*
2522 *
2523 * <-------- ServerHelloDone
2524 * Certificate*
2525 * ClientKeyExchange
2526 * CertificateVerify*
2527 * [ChangeCipherSpec]
2528 * Finished -------->
2529 * NewSessionTicket
2530 * [ChangeCipherSpec]
2531 * <-------- Finished
2532 *
2533 * (*): means optional packet.
2534 */
2535
2536 /* Handshake when resumming session:
2537 * Client Server
2538 *
2539 * ClientHello -------->
2540 * ServerHello
2541 * [ChangeCipherSpec]
2542 * <-------- Finished
2543 * [ChangeCipherSpec]
2544 * Finished -------->
2545 *
2546 */
2547
2548 /**
2549 * gnutls_rehandshake:
2550 * @session: is a #gnutls_session_t structure.
2551 *
2552 * This function will renegotiate security parameters with the
2553 * client. This should only be called in case of a server.
2554 *
2555 * This message informs the peer that we want to renegotiate
2556 * parameters (perform a handshake).
2557 *
2558 * If this function succeeds (returns 0), you must call the
2559 * gnutls_handshake() function in order to negotiate the new
2560 * parameters.
2561 *
2562 * Since TLS is full duplex some application data might have been
2563 * sent during peer's processing of this message. In that case
2564 * one should call gnutls_record_recv() until GNUTLS_E_REHANDSHAKE
2565 * is returned to clear any pending data. Care must be taken if
2566 * rehandshake is mandatory to terminate if it does not start after
2567 * some threshold.
2568 *
2569 * If the client does not wish to renegotiate parameters he will
2570 * should with an alert message, thus the return code will be
2571 * %GNUTLS_E_WARNING_ALERT_RECEIVED and the alert will be
2572 * %GNUTLS_A_NO_RENEGOTIATION. A client may also choose to ignore
2573 * this message.
2574 *
2575 * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
2576 **/
2577 int
2578 gnutls_rehandshake (gnutls_session_t session)
2579 {
2580 int ret;
2581
2582 /* only server sends that handshake packet */
2583 if (session->security_parameters.entity == GNUTLS_CLIENT)
2584 return GNUTLS_E_INVALID_REQUEST;
2585
2586 ret =
2587 _gnutls_send_empty_handshake (session, GNUTLS_HANDSHAKE_HELLO_REQUEST,
2588 AGAIN (STATE50));
2589 STATE = STATE50;
2590
2591 if (ret < 0)
2592 {
2593 gnutls_assert ();
2594 return ret;
2595 }
2596 STATE = STATE0;
2597
2598 return 0;
2599 }
2600
2601 inline static int
2602 _gnutls_abort_handshake (gnutls_session_t session, int ret)
2603 {
2604 if (((ret == GNUTLS_E_WARNING_ALERT_RECEIVED) &&
2605 (gnutls_alert_get (session) == GNUTLS_A_NO_RENEGOTIATION))
2606 || ret == GNUTLS_E_GOT_APPLICATION_DATA)
2607 return 0;
2608
2609 /* this doesn't matter */
2610 return GNUTLS_E_INTERNAL_ERROR;
2611 }
2612
2613
2614 /* This function initialized the handshake hash session.
2615 * required for finished messages.
2616 */
2617 static int
2618 _gnutls_handshake_hash_init (gnutls_session_t session)
2619 {
2620 gnutls_protocol_t ver = gnutls_protocol_get_version (session);
2621
2622 if (session->internals.handshake_mac_handle_init == 0)
2623 {
2624 int ret;
2625
2626 /* set the hash type for handshake message hashing */
2627 if (_gnutls_version_has_selectable_prf (ver))
2628 session->security_parameters.handshake_mac_handle_type =
2629 HANDSHAKE_MAC_TYPE_12;
2630 else
2631 session->security_parameters.handshake_mac_handle_type =
2632 HANDSHAKE_MAC_TYPE_10;
2633
2634
2635 if (session->security_parameters.handshake_mac_handle_type ==
2636 HANDSHAKE_MAC_TYPE_10)
2637 {
2638 ret =
2639 _gnutls_hash_init (&session->internals.handshake_mac_handle.tls10.
2640 md5, GNUTLS_MAC_MD5);
2641
2642 if (ret < 0)
2643 {
2644 gnutls_assert ();
2645 return ret;
2646 }
2647
2648 ret =
2649 _gnutls_hash_init (&session->internals.handshake_mac_handle.tls10.
2650 sha, GNUTLS_MAC_SHA1);
2651 if (ret < 0)
2652 {
2653 gnutls_assert ();
2654 _gnutls_hash_deinit (&session->internals.handshake_mac_handle.
2655 tls10.md5, NULL);
2656 return GNUTLS_E_MEMORY_ERROR;
2657 }
2658 }
2659 else if (session->security_parameters.handshake_mac_handle_type ==
2660 HANDSHAKE_MAC_TYPE_12)
2661 {
2662 /* The algorithm to compute hash over handshake messages must be
2663 same as the one used as the basis for PRF. By now we use
2664 SHA256. */
2665 ret =
2666 _gnutls_hash_init (&session->internals.handshake_mac_handle.tls12.
2667 sha256, GNUTLS_DIG_SHA256);
2668 if (ret < 0)
2669 {
2670 gnutls_assert ();
2671 return GNUTLS_E_MEMORY_ERROR;
2672 }
2673
2674 ret =
2675 _gnutls_hash_init (&session->internals.handshake_mac_handle.tls12.
2676 sha1, GNUTLS_DIG_SHA1);
2677 if (ret < 0)
2678 {
2679 gnutls_assert ();
2680 _gnutls_hash_deinit (&session->internals.handshake_mac_handle.
2681 tls12.sha256, NULL);
2682 return GNUTLS_E_MEMORY_ERROR;
2683 }
2684 }
2685
2686 session->internals.handshake_mac_handle_init = 1;
2687 }
2688
2689 return 0;
2690 }
2691
2692 static int
2693 _gnutls_send_supplemental (gnutls_session_t session, int again)
2694 {
2695 mbuffer_st *bufel;
2696 int ret = 0;
2697
2698 _gnutls_debug_log ("EXT[%p]: Sending supplemental data\n", session);
2699
2700 if (again)
2701 ret =
2702 _gnutls_send_handshake (session, NULL, GNUTLS_HANDSHAKE_SUPPLEMENTAL);
2703 else
2704 {
2705 gnutls_buffer_st buf;
2706 _gnutls_buffer_init (&buf);
2707
2708 ret = _gnutls_gen_supplemental (session, &buf);
2709 if (ret < 0)
2710 {
2711 gnutls_assert ();
2712 return ret;
2713 }
2714
2715 bufel = _gnutls_handshake_alloc(session, buf.length, buf.length);
2716 if (bufel == NULL)
2717 {
2718 gnutls_assert ();
2719 return GNUTLS_E_MEMORY_ERROR;
2720 }
2721
2722 _mbuffer_set_udata (bufel, buf.data, buf.length);
2723 _gnutls_buffer_clear (&buf);
2724
2725 ret = _gnutls_send_handshake (session, bufel,
2726 GNUTLS_HANDSHAKE_SUPPLEMENTAL);
2727 }
2728
2729 return ret;
2730 }
2731
2732 static int
2733 _gnutls_recv_supplemental (gnutls_session_t session)
2734 {
2735 uint8_t *data = NULL;
2736 int datalen = 0;
2737 int ret;
2738
2739 _gnutls_debug_log ("EXT[%p]: Expecting supplemental data\n", session);
2740
2741 ret = _gnutls_recv_handshake (session, &data, &datalen,
2742 GNUTLS_HANDSHAKE_SUPPLEMENTAL,
2743 OPTIONAL_PACKET);
2744 if (ret < 0)
2745 {
2746 gnutls_assert ();
2747 return ret;
2748 }
2749
2750 ret = _gnutls_parse_supplemental (session, data, datalen);
2751 if (ret < 0)
2752 {
2753 gnutls_assert ();
2754 return ret;
2755 }
2756
2757 gnutls_free (data);
2758
2759 return ret;
2760 }
2761
2762 /**
2763 * gnutls_handshake:
2764 * @session: is a #gnutls_session_t structure.
2765 *
2766 * This function does the handshake of the TLS/SSL protocol, and
2767 * initializes the TLS connection.
2768 *
2769 * This function will fail if any problem is encountered, and will
2770 * return a negative error code. In case of a client, if the client
2771 * has asked to resume a session, but the server couldn't, then a
2772 * full handshake will be performed.
2773 *
2774 * The non-fatal errors such as %GNUTLS_E_AGAIN and
2775 * %GNUTLS_E_INTERRUPTED interrupt the handshake procedure, which
2776 * should be later be resumed. Call this function again, until it
2777 * returns 0; cf. gnutls_record_get_direction() and
2778 * gnutls_error_is_fatal().
2779 *
2780 * If this function is called by a server after a rehandshake request
2781 * then %GNUTLS_E_GOT_APPLICATION_DATA or
2782 * %GNUTLS_E_WARNING_ALERT_RECEIVED may be returned. Note that these
2783 * are non fatal errors, only in the specific case of a rehandshake.
2784 * Their meaning is that the client rejected the rehandshake request or
2785 * in the case of %GNUTLS_E_GOT_APPLICATION_DATA it might also mean that
2786 * some data were pending.
2787 *
2788 * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
2789 **/
2790 int
2791 gnutls_handshake (gnutls_session_t session)
2792 {
2793 int ret;
2794 record_parameters_st *params;
2795
2796 ret = _gnutls_epoch_get (session, session->security_parameters.epoch_next,
2797 &params);
2798 if (ret < 0)
2799 {
2800 /* We assume the epoch is not allocated if _gnutls_epoch_get fails. */
2801 ret =
2802 _gnutls_epoch_alloc (session, session->security_parameters.epoch_next,
2803 NULL);
2804 if (ret < 0)
2805 {
2806 gnutls_assert ();
2807 return ret;
2808 }
2809 }
2810
2811 if (session->security_parameters.entity == GNUTLS_CLIENT)
2812 {
2813 do
2814 {
2815 ret = _gnutls_handshake_client (session);
2816 } while (ret == 1);
2817 }
2818 else
2819 {
2820 ret = _gnutls_handshake_server (session);
2821 }
2822 if (ret < 0)
2823 {
2824 /* In the case of a rehandshake abort
2825 * we should reset the handshake's internal state.
2826 */
2827 if (_gnutls_abort_handshake (session, ret) == 0)
2828 STATE = STATE0;
2829
2830 return ret;
2831 }
2832
2833 ret = _gnutls_handshake_common (session);
2834
2835 if (ret < 0)
2836 {
2837 if (_gnutls_abort_handshake (session, ret) == 0)
2838 STATE = STATE0;
2839
2840 return ret;
2841 }
2842
2843 STATE = STATE0;
2844
2845 _gnutls_handshake_io_buffer_clear (session);
2846 _gnutls_handshake_internal_state_clear (session);
2847
2848 session->security_parameters.epoch_next++;
2849
2850 return 0;
2851 }
2852
2853
2854 #define IMED_RET( str, ret, allow_alert) do { \
2855 if (ret < 0) { \
2856 /* EAGAIN and INTERRUPTED are always non-fatal */ \
2857 if (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED) \
2858 return ret; \
2859 /* a warning alert might interrupt handshake */ \
2860 if (allow_alert != 0 && ret==GNUTLS_E_WARNING_ALERT_RECEIVED) return ret; \
2861 gnutls_assert(); \
2862 ERR( str, ret); \
2863 _gnutls_handshake_hash_buffers_clear(session); \
2864 return ret; \
2865 } } while (0)
2866
2867
2868
2869 /*
2870 * _gnutls_handshake_client
2871 * This function performs the client side of the handshake of the TLS/SSL protocol.
2872 */
2873 int
2874 _gnutls_handshake_client (gnutls_session_t session)
2875 {
2876 int ret = 0;
2877
2878 #ifdef HANDSHAKE_DEBUG
2879 char buf[64];
2880
2881 if (session->internals.resumed_security_parameters.session_id_size > 0)
2882 _gnutls_handshake_log ("HSK[%p]: Ask to resume: %s\n", session,
2883 _gnutls_bin2hex (session->
2884 internals.resumed_security_parameters.session_id,
2885 session->
2886 internals.resumed_security_parameters.session_id_size,
2887 buf, sizeof (buf), NULL));
2888 #endif
2889
2890 switch (STATE)
2891 {
2892 case STATE0:
2893 case STATE1:
2894 ret = _gnutls_send_hello (session, AGAIN (STATE1));
2895 STATE = STATE1;
2896 IMED_RET ("send hello", ret, 1);
2897
2898 case STATE11:
2899 if (_gnutls_is_dtls (session))
2900 {
2901 ret =
2902 _gnutls_recv_handshake (session, NULL, NULL,
2903 GNUTLS_HANDSHAKE_HELLO_VERIFY_REQUEST,
2904 OPTIONAL_PACKET);
2905 STATE = STATE11;
2906 IMED_RET ("recv hello verify", ret, 1);
2907
2908 if (ret == 1)
2909 {
2910 STATE = STATE0;
2911 return 1;
2912 }
2913 }
2914 case STATE2:
2915 /* receive the server hello */
2916 ret =
2917 _gnutls_recv_handshake (session, NULL, NULL,
2918 GNUTLS_HANDSHAKE_SERVER_HELLO,
2919 MANDATORY_PACKET);
2920 STATE = STATE2;
2921 IMED_RET ("recv hello", ret, 1);
2922
2923 case STATE70:
2924 if (session->security_parameters.do_recv_supplemental)
2925 {
2926 ret = _gnutls_recv_supplemental (session);
2927 STATE = STATE70;
2928 IMED_RET ("recv supplemental", ret, 1);
2929 }
2930
2931 case STATE3:
2932 /* RECV CERTIFICATE */
2933 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2934 ret = _gnutls_recv_server_certificate (session);
2935 STATE = STATE3;
2936 IMED_RET ("recv server certificate", ret, 1);
2937
2938 case STATE4:
2939 /* receive the server key exchange */
2940 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2941 ret = _gnutls_recv_server_kx_message (session);
2942 STATE = STATE4;
2943 IMED_RET ("recv server kx message", ret, 1);
2944
2945 case STATE5:
2946 /* receive the server certificate request - if any
2947 */
2948
2949 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2950 ret = _gnutls_recv_server_certificate_request (session);
2951 STATE = STATE5;
2952 IMED_RET ("recv server certificate request message", ret, 1);
2953
2954 case STATE6:
2955 /* receive the server hello done */
2956 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2957 ret =
2958 _gnutls_recv_handshake (session, NULL, NULL,
2959 GNUTLS_HANDSHAKE_SERVER_HELLO_DONE,
2960 MANDATORY_PACKET);
2961 STATE = STATE6;
2962 IMED_RET ("recv server hello done", ret, 1);
2963
2964 case STATE71:
2965 if (session->security_parameters.do_send_supplemental)
2966 {
2967 ret = _gnutls_send_supplemental (session, AGAIN (STATE71));
2968 STATE = STATE71;
2969 IMED_RET ("send supplemental", ret, 0);
2970 }
2971
2972 case STATE7:
2973 /* send our certificate - if any and if requested
2974 */
2975 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2976 ret = _gnutls_send_client_certificate (session, AGAIN (STATE7));
2977 STATE = STATE7;
2978 IMED_RET ("send client certificate", ret, 0);
2979
2980 case STATE8:
2981 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2982 ret = _gnutls_send_client_kx_message (session, AGAIN (STATE8));
2983 STATE = STATE8;
2984 IMED_RET ("send client kx", ret, 0);
2985
2986 case STATE9:
2987 /* send client certificate verify */
2988 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2989 ret =
2990 _gnutls_send_client_certificate_verify (session, AGAIN (STATE9));
2991 STATE = STATE9;
2992 IMED_RET ("send client certificate verify", ret, 1);
2993
2994 STATE = STATE0;
2995 default:
2996 break;
2997 }
2998
2999
3000 return 0;
3001 }
3002
3003
3004
3005 /* This function is to be called if the handshake was successfully
3006 * completed. This sends a Change Cipher Spec packet to the peer.
3007 */
3008 static ssize_t
3009 send_change_cipher_spec (gnutls_session_t session, int again)
3010 {
3011 opaque* data;
3012 mbuffer_st * bufel;
3013 int ret;
3014
3015 if (again == 0)
3016 {
3017 bufel = _gnutls_handshake_alloc (session, 1, 1);
3018 if (bufel == NULL)
3019 return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
3020
3021 _mbuffer_set_uhead_size(bufel, 1);
3022 _mbuffer_set_udata_size(bufel, 0);
3023
3024 data = _mbuffer_get_uhead_ptr (bufel);
3025
3026 data[0] = 1;
3027
3028 ret = _gnutls_handshake_io_cache_int (session, GNUTLS_HANDSHAKE_CHANGE_CIPHER_SPEC, bufel);
3029 if (ret < 0)
3030 {
3031 _mbuffer_xfree(&bufel);
3032 return gnutls_assert_val(ret);
3033 }
3034
3035 _gnutls_handshake_log ("REC[%p]: Sent ChangeCipherSpec\n", session);
3036 }
3037
3038 return 0;
3039 }
3040
3041 /* This function sends the final handshake packets and initializes connection
3042 */
3043 static int
3044 _gnutls_send_handshake_final (gnutls_session_t session, int init)
3045 {
3046 int ret = 0;
3047
3048 /* Send the CHANGE CIPHER SPEC PACKET */
3049
3050 switch (STATE)
3051 {
3052 case STATE0:
3053 case STATE20:
3054 ret = send_change_cipher_spec (session, AGAIN (STATE20));
3055 STATE = STATE0;
3056
3057 if (ret < 0)
3058 {
3059 ERR ("send ChangeCipherSpec", ret);
3060 gnutls_assert ();
3061 return ret;
3062 }
3063 /* Initialize the connection session (start encryption) - in case of client
3064 */
3065 if (init == TRUE)
3066 {
3067 ret = _gnutls_connection_state_init (session);
3068 if (ret < 0)
3069 {
3070 gnutls_assert ();
3071 return ret;
3072 }
3073 }
3074
3075 ret = _gnutls_write_connection_state_init (session);
3076 if (ret < 0)
3077 {
3078 gnutls_assert ();
3079 return ret;
3080 }
3081
3082 case STATE21:
3083 /* send the finished message */
3084 ret = _gnutls_send_finished (session, AGAIN (STATE21));
3085 STATE = STATE21;
3086 if (ret < 0)
3087 {
3088 ERR ("send Finished", ret);
3089 gnutls_assert ();
3090 return ret;
3091 }
3092
3093 STATE = STATE0;
3094 default:
3095 break;
3096 }
3097
3098 return 0;
3099 }
3100
3101 /* This function receives the final handshake packets
3102 * And executes the appropriate function to initialize the
3103 * read session.
3104 */
3105 static int
3106 _gnutls_recv_handshake_final (gnutls_session_t session, int init)
3107 {
3108 int ret = 0;
3109 uint8_t ch;
3110
3111 switch (STATE)
3112 {
3113 case STATE0:
3114 case STATE30:
3115 ret = _gnutls_recv_int (session, GNUTLS_CHANGE_CIPHER_SPEC, -1, &ch, 1, NULL);
3116 STATE = STATE30;
3117 if (ret <= 0)
3118 {
3119 ERR ("recv ChangeCipherSpec", ret);
3120 gnutls_assert ();
3121 return (ret < 0) ? ret : GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
3122 }
3123
3124 /* Initialize the connection session (start encryption) - in case of server */
3125 if (init == TRUE)
3126 {
3127 ret = _gnutls_connection_state_init (session);
3128 if (ret < 0)
3129 {
3130 gnutls_assert ();
3131 return ret;
3132 }
3133 }
3134
3135 ret = _gnutls_read_connection_state_init (session);
3136 if (ret < 0)
3137 {
3138 gnutls_assert ();
3139 return ret;
3140 }
3141
3142 case STATE31:
3143 ret = _gnutls_recv_finished (session);
3144 STATE = STATE31;
3145 if (ret < 0)
3146 {
3147 ERR ("recv finished", ret);
3148 gnutls_assert ();
3149 return ret;
3150 }
3151 STATE = STATE0;
3152 default:
3153 break;
3154 }
3155
3156
3157 return 0;
3158 }
3159
3160 /*
3161 * _gnutls_handshake_server
3162 * This function does the server stuff of the handshake protocol.
3163 */
3164 int
3165 _gnutls_handshake_server (gnutls_session_t session)
3166 {
3167 int ret = 0;
3168
3169 switch (STATE)
3170 {
3171 case STATE0:
3172 case STATE1:
3173 ret =
3174 _gnutls_recv_handshake (session, NULL, NULL,
3175 GNUTLS_HANDSHAKE_CLIENT_HELLO,
3176 MANDATORY_PACKET);
3177 STATE = STATE1;
3178 IMED_RET ("recv hello", ret, 1);
3179
3180 case STATE2:
3181 ret = _gnutls_send_hello (session, AGAIN (STATE2));
3182 STATE = STATE2;
3183 IMED_RET ("send hello", ret, 1);
3184
3185 case STATE70:
3186 if (session->security_parameters.do_send_supplemental)
3187 {
3188 ret = _gnutls_send_supplemental (session, AGAIN (STATE70));
3189 STATE = STATE70;
3190 IMED_RET ("send supplemental data", ret, 0);
3191 }
3192
3193 /* SEND CERTIFICATE + KEYEXCHANGE + CERTIFICATE_REQUEST */
3194 case STATE3:
3195 /* NOTE: these should not be send if we are resuming */
3196
3197 if (session->internals.resumed == RESUME_FALSE)
3198 ret = _gnutls_send_server_certificate (session, AGAIN (STATE3));
3199 STATE = STATE3;
3200 IMED_RET ("send server certificate", ret, 0);
3201
3202 case STATE4:
3203 /* send server key exchange (A) */
3204 if (session->internals.resumed == RESUME_FALSE)
3205 ret = _gnutls_send_server_kx_message (session, AGAIN (STATE4));
3206 STATE = STATE4;
3207 IMED_RET ("send server kx", ret, 0);
3208
3209 case STATE5:
3210 /* Send certificate request - if requested to */
3211 if (session->internals.resumed == RESUME_FALSE)
3212 ret =
3213 _gnutls_send_server_certificate_request (session, AGAIN (STATE5));
3214 STATE = STATE5;
3215 IMED_RET ("send server cert request", ret, 0);
3216
3217 case STATE6:
3218 /* send the server hello done */
3219 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
3220 ret =
3221 _gnutls_send_empty_handshake (session,
3222 GNUTLS_HANDSHAKE_SERVER_HELLO_DONE,
3223 AGAIN (STATE6));
3224 STATE = STATE6;
3225 IMED_RET ("send server hello done", ret, 1);
3226
3227 case STATE71:
3228 if (session->security_parameters.do_recv_supplemental)
3229 {
3230 ret = _gnutls_recv_supplemental (session);
3231 STATE = STATE71;
3232 IMED_RET ("recv client supplemental", ret, 1);
3233 }
3234
3235 /* RECV CERTIFICATE + KEYEXCHANGE + CERTIFICATE_VERIFY */
3236 case STATE7:
3237 /* receive the client certificate message */
3238 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
3239 ret = _gnutls_recv_client_certificate (session);
3240 STATE = STATE7;
3241 IMED_RET ("recv client certificate", ret, 1);
3242
3243 case STATE8:
3244 /* receive the client key exchange message */
3245 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
3246 ret = _gnutls_recv_client_kx_message (session);
3247 STATE = STATE8;
3248 IMED_RET ("recv client kx", ret, 1);
3249
3250 case STATE9:
3251 /* receive the client certificate verify message */
3252 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
3253 ret = _gnutls_recv_client_certificate_verify_message (session);
3254 STATE = STATE9;
3255 IMED_RET ("recv client certificate verify", ret, 1);
3256
3257 STATE = STATE0; /* finished thus clear session */
3258 default:
3259 break;
3260 }
3261
3262 return 0;
3263 }
3264
3265 int
3266 _gnutls_handshake_common (gnutls_session_t session)
3267 {
3268 int ret = 0;
3269
3270 /* send and recv the change cipher spec and finished messages */
3271 if ((session->internals.resumed == RESUME_TRUE
3272 && session->security_parameters.entity == GNUTLS_CLIENT)
3273 || (session->internals.resumed == RESUME_FALSE
3274 && session->security_parameters.entity == GNUTLS_SERVER))
3275 {
3276 /* if we are a client resuming - or we are a server not resuming */
3277
3278 ret = _gnutls_recv_handshake_final (session, TRUE);
3279 IMED_RET ("recv handshake final", ret, 1);
3280
3281 #ifdef ENABLE_SESSION_TICKET
3282 switch (STATE)
3283 {
3284 case STATE0:
3285 case STATE40:
3286 ret = _gnutls_send_new_session_ticket (session, AGAIN (STATE40));
3287 STATE = STATE40;
3288 IMED_RET ("send handshake new session ticket", ret, 0);
3289 STATE = STATE0;
3290 default:
3291 break;
3292 }
3293 #endif
3294
3295 ret = _gnutls_send_handshake_final (session, FALSE);
3296 IMED_RET ("send handshake final", ret, 1);
3297
3298 /* only store if we are not resuming */
3299 if (session->security_parameters.entity == GNUTLS_SERVER)
3300 {
3301 /* in order to support session resuming */
3302 _gnutls_server_register_current_session (session);
3303 }
3304 }
3305 else
3306 { /* if we are a client not resuming - or we are a server resuming */
3307
3308 ret = _gnutls_send_handshake_final (session, TRUE);
3309 IMED_RET ("send handshake final 2", ret, 1);
3310
3311 #ifdef ENABLE_SESSION_TICKET
3312 switch (STATE)
3313 {
3314 case STATE0:
3315 case STATE41:
3316 ret = _gnutls_recv_new_session_ticket (session);
3317 STATE = STATE41;
3318 IMED_RET ("recv handshake new session ticket", ret, 1);
3319 STATE = STATE0;
3320 default:
3321 break;
3322 }
3323 #endif
3324
3325 ret = _gnutls_recv_handshake_final (session, FALSE);
3326 IMED_RET ("recv handshake final 2", ret, 1);
3327
3328 }
3329
3330
3331 /* clear handshake buffer */
3332 _gnutls_handshake_hash_buffers_clear (session);
3333 return ret;
3334
3335 }
3336
3337 int
3338 _gnutls_generate_session_id (opaque * session_id, uint8_t * len)
3339 {
3340 int ret;
3341
3342 *len = TLS_MAX_SESSION_ID_SIZE;
3343
3344 ret = _gnutls_rnd (GNUTLS_RND_NONCE, session_id, *len);
3345 if (ret < 0)
3346 {
3347 gnutls_assert ();
3348 return ret;
3349 }
3350
3351 return 0;
3352 }
3353
3354 int
3355 _gnutls_recv_hello_request (gnutls_session_t session, void *data,
3356 uint32_t data_size)
3357 {
3358 uint8_t type;
3359
3360 if (session->security_parameters.entity == GNUTLS_SERVER)
3361 {
3362 gnutls_assert ();
3363 return GNUTLS_E_UNEXPECTED_PACKET;
3364 }
3365 if (data_size < 1)
3366 {
3367 gnutls_assert ();
3368 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
3369 }
3370 type = ((uint8_t *) data)[0];
3371 if (type == GNUTLS_HANDSHAKE_HELLO_REQUEST)
3372 return GNUTLS_E_REHANDSHAKE;
3373 else
3374 {
3375 gnutls_assert ();
3376 return GNUTLS_E_UNEXPECTED_PACKET;
3377 }
3378 }
3379
3380 /* Returns 1 if the given KX has not the corresponding parameters
3381 * (DH or RSA) set up. Otherwise returns 0.
3382 */
3383 inline static int
3384 check_server_params (gnutls_session_t session,
3385 gnutls_kx_algorithm_t kx,
3386 gnutls_kx_algorithm_t * alg, int alg_size)
3387 {
3388 int cred_type;
3389 gnutls_dh_params_t dh_params = NULL;
3390 gnutls_rsa_params_t rsa_params = NULL;
3391 int j;
3392
3393 cred_type = _gnutls_map_kx_get_cred (kx, 1);
3394
3395 /* Read the Diffie-Hellman parameters, if any.
3396 */
3397 if (cred_type == GNUTLS_CRD_CERTIFICATE)
3398 {
3399 int delete;
3400 gnutls_certificate_credentials_t x509_cred =
3401 (gnutls_certificate_credentials_t) _gnutls_get_cred (session->key,
3402 cred_type, NULL);
3403
3404 if (x509_cred != NULL)
3405 {
3406 dh_params =
3407 _gnutls_get_dh_params (x509_cred->dh_params,
3408 x509_cred->params_func, session);
3409 rsa_params =
3410 _gnutls_certificate_get_rsa_params (x509_cred->rsa_params,
3411 x509_cred->params_func,
3412 session);
3413 }
3414
3415 /* Check also if the certificate supports the
3416 * KX method.
3417 */
3418 delete = 1;
3419 for (j = 0; j < alg_size; j++)
3420 {
3421 if (alg[j] == kx)
3422 {
3423 delete = 0;
3424 break;
3425 }
3426 }
3427
3428 if (delete == 1)
3429 return 1;
3430
3431 #ifdef ENABLE_ANON
3432 }
3433 else if (cred_type == GNUTLS_CRD_ANON)
3434 {
3435 gnutls_anon_server_credentials_t anon_cred =
3436 (gnutls_anon_server_credentials_t) _gnutls_get_cred (session->key,
3437 cred_type, NULL);
3438
3439 if (anon_cred != NULL)
3440 {
3441 dh_params =
3442 _gnutls_get_dh_params (anon_cred->dh_params,
3443 anon_cred->params_func, session);
3444 }
3445 #endif
3446 #ifdef ENABLE_PSK
3447 }
3448 else if (cred_type == GNUTLS_CRD_PSK)
3449 {
3450 gnutls_psk_server_credentials_t psk_cred =
3451 (gnutls_psk_server_credentials_t) _gnutls_get_cred (session->key,
3452 cred_type, NULL);
3453
3454 if (psk_cred != NULL)
3455 {
3456 dh_params =
3457 _gnutls_get_dh_params (psk_cred->dh_params, psk_cred->params_func,
3458 session);
3459 }
3460 #endif
3461 }
3462 else
3463 return 0; /* no need for params */
3464
3465
3466 /* If the key exchange method needs RSA or DH params,
3467 * but they are not set then remove it.
3468 */
3469 if (_gnutls_kx_needs_rsa_params (kx) != 0)
3470 {
3471 /* needs rsa params. */
3472 if (_gnutls_rsa_params_to_mpi (rsa_params) == NULL)
3473 {
3474 gnutls_assert ();
3475 return 1;
3476 }
3477 }
3478
3479 if (_gnutls_kx_needs_dh_params (kx) != 0)
3480 {
3481 /* needs DH params. */
3482 if (_gnutls_dh_params_to_mpi (dh_params) == NULL)
3483 {
3484 gnutls_assert ();
3485 return 1;
3486 }
3487 }
3488
3489 return 0;
3490 }
3491
3492 /* This function will remove algorithms that are not supported by
3493 * the requested authentication method. We remove an algorithm if
3494 * we have a certificate with keyUsage bits set.
3495 *
3496 * This does a more high level check than gnutls_supported_ciphersuites(),
3497 * by checking certificates etc.
3498 */
3499 int
3500 _gnutls_remove_unwanted_ciphersuites (gnutls_session_t session,
3501 cipher_suite_st ** cipherSuites,
3502 int numCipherSuites,
3503 gnutls_pk_algorithm_t requested_pk_algo)
3504 {
3505
3506 int ret = 0;
3507 cipher_suite_st *newSuite, cs;
3508 int newSuiteSize = 0, i;
3509 gnutls_certificate_credentials_t cert_cred;
3510 gnutls_kx_algorithm_t kx;
3511 int server = session->security_parameters.entity == GNUTLS_SERVER ? 1 : 0;
3512 gnutls_kx_algorithm_t *alg = NULL;
3513 int alg_size = 0;
3514
3515 /* if we should use a specific certificate,
3516 * we should remove all algorithms that are not supported
3517 * by that certificate and are on the same authentication
3518 * method (CERTIFICATE).
3519 */
3520
3521 cert_cred =
3522 (gnutls_certificate_credentials_t) _gnutls_get_cred (session->key,
3523 GNUTLS_CRD_CERTIFICATE,
3524 NULL);
3525
3526 /* If there are certificate credentials, find an appropriate certificate
3527 * or disable them;
3528 */
3529 if (session->security_parameters.entity == GNUTLS_SERVER
3530 && cert_cred != NULL)
3531 {
3532 ret = _gnutls_server_select_cert (session, requested_pk_algo);
3533 if (ret < 0)
3534 {
3535 gnutls_assert ();
3536 _gnutls_debug_log ("Could not find an appropriate certificate: %s\n",
3537 gnutls_strerror (ret));
3538 cert_cred = NULL;
3539 }
3540 }
3541
3542 /* get all the key exchange algorithms that are
3543 * supported by the X509 certificate parameters.
3544 */
3545 if ((ret =
3546 _gnutls_selected_cert_supported_kx (session, &alg, &alg_size)) < 0)
3547 {
3548 gnutls_assert ();
3549 return ret;
3550 }
3551
3552 newSuite = gnutls_malloc (numCipherSuites * sizeof (cipher_suite_st));
3553 if (newSuite == NULL)
3554 {
3555 gnutls_assert ();
3556 gnutls_free (alg);
3557 return GNUTLS_E_MEMORY_ERROR;
3558 }
3559
3560 /* now removes ciphersuites based on the KX algorithm
3561 */
3562 for (i = 0; i < numCipherSuites; i++)
3563 {
3564 int delete = 0;
3565
3566 /* finds the key exchange algorithm in
3567 * the ciphersuite
3568 */
3569 kx = _gnutls_cipher_suite_get_kx_algo (&(*cipherSuites)[i]);
3570
3571 /* if it is defined but had no credentials
3572 */
3573 if (_gnutls_get_kx_cred (session, kx, NULL) == NULL)
3574 {
3575 delete = 1;
3576 }
3577 else
3578 {
3579 delete = 0;
3580
3581 if (server)
3582 delete = check_server_params (session, kx, alg, alg_size);
3583 }
3584
3585 /* These two SRP kx's are marked to require a CRD_CERTIFICATE,
3586 (see cred_mappings in gnutls_algorithms.c), but it also
3587 requires a SRP credential. Don't use SRP kx unless we have a
3588 SRP credential too. */
3589 if (kx == GNUTLS_KX_SRP_RSA || kx == GNUTLS_KX_SRP_DSS)
3590 {
3591 if (!_gnutls_get_cred (session->key, GNUTLS_CRD_SRP, NULL))
3592 delete = 1;
3593 }
3594
3595 memcpy (&cs.suite, &(*cipherSuites)[i].suite, 2);
3596
3597 if (delete == 0)
3598 {
3599
3600 _gnutls_handshake_log ("HSK[%p]: Keeping ciphersuite: %s\n",
3601 session,
3602 _gnutls_cipher_suite_get_name (&cs));
3603
3604 memcpy (newSuite[newSuiteSize].suite, (*cipherSuites)[i].suite, 2);
3605 newSuiteSize++;
3606 }
3607 else
3608 {
3609 _gnutls_handshake_log ("HSK[%p]: Removing ciphersuite: %s\n",
3610 session,
3611 _gnutls_cipher_suite_get_name (&cs));
3612
3613 }
3614 }
3615
3616 gnutls_free (alg);
3617 gnutls_free (*cipherSuites);
3618 *cipherSuites = newSuite;
3619
3620 ret = newSuiteSize;
3621
3622 return ret;
3623
3624 }
3625
3626 /**
3627 * gnutls_handshake_set_max_packet_length:
3628 * @session: is a #gnutls_session_t structure.
3629 * @max: is the maximum number.
3630 *
3631 * This function will set the maximum size of all handshake messages.
3632 * Handshakes over this size are rejected with
3633 * %GNUTLS_E_HANDSHAKE_TOO_LARGE error code. The default value is
3634 * 48kb which is typically large enough. Set this to 0 if you do not
3635 * want to set an upper limit.
3636 *
3637 * The reason for restricting the handshake message sizes are to
3638 * limit Denial of Service attacks.
3639 **/
3640 void
3641 gnutls_handshake_set_max_packet_length (gnutls_session_t session, size_t max)
3642 {
3643 session->internals.max_handshake_data_buffer_size = max;
3644 }
3645
3646 void
3647 _gnutls_set_adv_version (gnutls_session_t session, gnutls_protocol_t ver)
3648 {
3649 set_adv_version (session, _gnutls_version_get_major (ver),
3650 _gnutls_version_get_minor (ver));
3651 }
3652
3653 gnutls_protocol_t
3654 _gnutls_get_adv_version (gnutls_session_t session)
3655 {
3656 return _gnutls_version_get (_gnutls_get_adv_version_major (session),
3657 _gnutls_get_adv_version_minor (session));
3658 }
3659
3660 /**
3661 * gnutls_handshake_get_last_in:
3662 * @session: is a #gnutls_session_t structure.
3663 *
3664 * This function is only useful to check where the last performed
3665 * handshake failed. If the previous handshake succeed or was not
3666 * performed at all then no meaningful value will be returned.
3667 *
3668 * Check %gnutls_handshake_description_t in gnutls.h for the
3669 * available handshake descriptions.
3670 *
3671 * Returns: the last handshake message type received, a
3672 * %gnutls_handshake_description_t.
3673 **/
3674 gnutls_handshake_description_t
3675 gnutls_handshake_get_last_in (gnutls_session_t session)
3676 {
3677 return session->internals.last_handshake_in;
3678 }
3679
3680 /**
3681 * gnutls_handshake_get_last_out:
3682 * @session: is a #gnutls_session_t structure.
3683 *
3684 * This function is only useful to check where the last performed
3685 * handshake failed. If the previous handshake succeed or was not
3686 * performed at all then no meaningful value will be returned.
3687 *
3688 * Check %gnutls_handshake_description_t in gnutls.h for the
3689 * available handshake descriptions.
3690 *
3691 * Returns: the last handshake message type sent, a
3692 * %gnutls_handshake_description_t.
3693 **/
3694 gnutls_handshake_description_t
3695 gnutls_handshake_get_last_out (gnutls_session_t session)
3696 {
3697 return session->internals.last_handshake_out;
3698 }
Implementation of the SSL/TLS protocol