search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Added gnutls-dane.pc.
[gnutls.git] / lib / gnutls_record.c
bloba361e054211b581830c107f66e0ef1d4ae9d9e73
1 /*
2 * Copyright (C) 2000-2012 Free Software Foundation, Inc.
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GnuTLS.
7 *
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
20 *
21 */
22
23 /* Functions that are record layer specific, are included in this file.
24 */
25
26 /* allocate this many bytes more when encrypting or decrypting, to
27 * compensate for broken backends such as cryptodev.
28 */
29 #define CIPHER_SLACK_SIZE 32
30
31 #include "gnutls_int.h"
32 #include "gnutls_errors.h"
33 #include "debug.h"
34 #include "gnutls_compress.h"
35 #include "gnutls_cipher.h"
36 #include "gnutls_buffers.h"
37 #include "gnutls_mbuffers.h"
38 #include "gnutls_handshake.h"
39 #include "gnutls_hash_int.h"
40 #include "gnutls_cipher_int.h"
41 #include "algorithms.h"
42 #include "gnutls_db.h"
43 #include "gnutls_auth.h"
44 #include "gnutls_num.h"
45 #include "gnutls_record.h"
46 #include "gnutls_datum.h"
47 #include "gnutls_constate.h"
48 #include "ext/max_record.h"
49 #include <ext/heartbeat.h>
50 #include <gnutls_state.h>
51 #include <gnutls_dtls.h>
52 #include <gnutls_dh.h>
53 #include <random.h>
54
55 struct tls_record_st {
56 uint16_t header_size;
57 uint8_t version[2];
58 uint64 sequence; /* DTLS */
59 uint16_t length;
60 uint16_t packet_size; /* header_size + length */
61 content_type_t type;
62 uint16_t epoch; /* valid in DTLS only */
63 int v2:1; /* whether an SSLv2 client hello */
64 /* the data */
65 };
66
67 /**
68 * gnutls_record_disable_padding:
69 * @session: is a #gnutls_session_t structure.
70 *
71 * Used to disabled padding in TLS 1.0 and above. Normally you do not
72 * need to use this function, but there are buggy clients that
73 * complain if a server pads the encrypted data. This of course will
74 * disable protection against statistical attacks on the data.
75 *
76 * Normally only servers that require maximum compatibility with everything
77 * out there, need to call this function.
78 **/
79 void
80 gnutls_record_disable_padding (gnutls_session_t session)
81 {
82 session->internals.priorities.no_padding = 1;
83 }
84
85 /**
86 * gnutls_transport_set_ptr:
87 * @session: is a #gnutls_session_t structure.
88 * @ptr: is the value.
89 *
90 * Used to set the first argument of the transport function (for push
91 * and pull callbacks). In berkeley style sockets this function will set the
92 * connection descriptor.
93 **/
94 void
95 gnutls_transport_set_ptr (gnutls_session_t session,
96 gnutls_transport_ptr_t ptr)
97 {
98 session->internals.transport_recv_ptr = ptr;
99 session->internals.transport_send_ptr = ptr;
100 }
101
102 /**
103 * gnutls_transport_set_ptr2:
104 * @session: is a #gnutls_session_t structure.
105 * @recv_ptr: is the value for the pull function
106 * @send_ptr: is the value for the push function
107 *
108 * Used to set the first argument of the transport function (for push
109 * and pull callbacks). In berkeley style sockets this function will set the
110 * connection descriptor. With this function you can use two different
111 * pointers for receiving and sending.
112 **/
113 void
114 gnutls_transport_set_ptr2 (gnutls_session_t session,
115 gnutls_transport_ptr_t recv_ptr,
116 gnutls_transport_ptr_t send_ptr)
117 {
118 session->internals.transport_send_ptr = send_ptr;
119 session->internals.transport_recv_ptr = recv_ptr;
120 }
121
122 /**
123 * gnutls_transport_get_ptr:
124 * @session: is a #gnutls_session_t structure.
125 *
126 * Used to get the first argument of the transport function (like
127 * PUSH and PULL). This must have been set using
128 * gnutls_transport_set_ptr().
129 *
130 * Returns: The first argument of the transport function.
131 **/
132 gnutls_transport_ptr_t
133 gnutls_transport_get_ptr (gnutls_session_t session)
134 {
135 return session->internals.transport_recv_ptr;
136 }
137
138 /**
139 * gnutls_transport_get_ptr2:
140 * @session: is a #gnutls_session_t structure.
141 * @recv_ptr: will hold the value for the pull function
142 * @send_ptr: will hold the value for the push function
143 *
144 * Used to get the arguments of the transport functions (like PUSH
145 * and PULL). These should have been set using
146 * gnutls_transport_set_ptr2().
147 **/
148 void
149 gnutls_transport_get_ptr2 (gnutls_session_t session,
150 gnutls_transport_ptr_t * recv_ptr,
151 gnutls_transport_ptr_t * send_ptr)
152 {
153
154 *recv_ptr = session->internals.transport_recv_ptr;
155 *send_ptr = session->internals.transport_send_ptr;
156 }
157
158 /**
159 * gnutls_bye:
160 * @session: is a #gnutls_session_t structure.
161 * @how: is an integer
162 *
163 * Terminates the current TLS/SSL connection. The connection should
164 * have been initiated using gnutls_handshake(). @how should be one
165 * of %GNUTLS_SHUT_RDWR, %GNUTLS_SHUT_WR.
166 *
167 * In case of %GNUTLS_SHUT_RDWR the TLS session gets
168 * terminated and further receives and sends will be disallowed. If
169 * the return value is zero you may continue using the underlying
170 * transport layer. %GNUTLS_SHUT_RDWR sends an alert containing a close
171 * request and waits for the peer to reply with the same message.
172 *
173 * In case of %GNUTLS_SHUT_WR the TLS session gets terminated
174 * and further sends will be disallowed. In order to reuse the
175 * connection you should wait for an EOF from the peer.
176 * %GNUTLS_SHUT_WR sends an alert containing a close request.
177 *
178 * Note that not all implementations will properly terminate a TLS
179 * connection. Some of them, usually for performance reasons, will
180 * terminate only the underlying transport layer, and thus not
181 * distinguishing between a malicious party prematurely terminating
182 * the connection and normal termination.
183 *
184 * This function may also return %GNUTLS_E_AGAIN or
185 * %GNUTLS_E_INTERRUPTED; cf. gnutls_record_get_direction().
186 *
187 * Returns: %GNUTLS_E_SUCCESS on success, or an error code, see
188 * function documentation for entire semantics.
189 **/
190 int
191 gnutls_bye (gnutls_session_t session, gnutls_close_request_t how)
192 {
193 int ret = 0;
194
195 switch (STATE)
196 {
197 case STATE0:
198 case STATE60:
199 ret = _gnutls_io_write_flush (session);
200 STATE = STATE60;
201 if (ret < 0)
202 {
203 gnutls_assert ();
204 return ret;
205 }
206
207 case STATE61:
208 ret =
209 gnutls_alert_send (session, GNUTLS_AL_WARNING, GNUTLS_A_CLOSE_NOTIFY);
210 STATE = STATE61;
211 if (ret < 0)
212 {
213 gnutls_assert ();
214 return ret;
215 }
216
217 case STATE62:
218 STATE = STATE62;
219 if (how == GNUTLS_SHUT_RDWR)
220 {
221 do
222 {
223 ret = _gnutls_recv_int (session, GNUTLS_ALERT, -1, NULL, 0, NULL, 0);
224 }
225 while (ret == GNUTLS_E_GOT_APPLICATION_DATA);
226
227 if (ret >= 0)
228 session->internals.may_not_read = 1;
229
230 if (ret < 0)
231 {
232 gnutls_assert ();
233 return ret;
234 }
235 }
236 STATE = STATE62;
237
238 break;
239 default:
240 gnutls_assert ();
241 return GNUTLS_E_INTERNAL_ERROR;
242 }
243
244 STATE = STATE0;
245
246 session->internals.may_not_write = 1;
247 return 0;
248 }
249
250 inline static void
251 session_invalidate (gnutls_session_t session)
252 {
253 session->internals.invalid_connection = 1;
254 }
255
256
257 inline static void
258 session_unresumable (gnutls_session_t session)
259 {
260 session->internals.resumable = RESUME_FALSE;
261 }
262
263 /* returns 0 if session is valid
264 */
265 inline static int
266 session_is_valid (gnutls_session_t session)
267 {
268 if (session->internals.invalid_connection != 0)
269 return GNUTLS_E_INVALID_SESSION;
270
271 return 0;
272 }
273
274 /* Copies the record version into the headers. The
275 * version must have 2 bytes at least.
276 */
277 inline static void
278 copy_record_version (gnutls_session_t session,
279 gnutls_handshake_description_t htype, uint8_t version[2])
280 {
281 gnutls_protocol_t lver;
282
283 if (session->internals.initial_negotiation_completed || htype != GNUTLS_HANDSHAKE_CLIENT_HELLO
284 || session->internals.default_record_version[0] == 0)
285 {
286 lver = gnutls_protocol_get_version (session);
287
288 version[0] = _gnutls_version_get_major (lver);
289 version[1] = _gnutls_version_get_minor (lver);
290 }
291 else
292 {
293 version[0] = session->internals.default_record_version[0];
294 version[1] = session->internals.default_record_version[1];
295 }
296 }
297
298 /* Increments the sequence value
299 */
300 inline static int
301 sequence_increment (gnutls_session_t session,
302 uint64 * value)
303 {
304 if (IS_DTLS(session))
305 {
306 return _gnutls_uint48pp(value);
307 }
308 else
309 {
310 return _gnutls_uint64pp(value);
311 }
312 }
313
314 /* This function behaves exactly like write(). The only difference is
315 * that it accepts, the gnutls_session_t and the content_type_t of data to
316 * send (if called by the user the Content is specific)
317 * It is intended to transfer data, under the current session.
318 *
319 * Oct 30 2001: Removed capability to send data more than MAX_RECORD_SIZE.
320 * This makes the function much easier to read, and more error resistant
321 * (there were cases were the old function could mess everything up).
322 * --nmav
323 *
324 * This function may accept a NULL pointer for data, and 0 for size, if
325 * and only if the previous send was interrupted for some reason.
326 *
327 */
328 ssize_t
329 _gnutls_send_int (gnutls_session_t session, content_type_t type,
330 gnutls_handshake_description_t htype,
331 unsigned int epoch_rel, const void *_data,
332 size_t data_size, unsigned int mflags)
333 {
334 mbuffer_st *bufel;
335 ssize_t cipher_size;
336 int retval, ret;
337 int send_data_size;
338 uint8_t headers[MAX_RECORD_HEADER_SIZE];
339 int header_size;
340 const uint8_t *data = _data;
341 record_parameters_st *record_params;
342 record_state_st *record_state;
343
344 ret = _gnutls_epoch_get (session, epoch_rel, &record_params);
345 if (ret < 0)
346 return gnutls_assert_val(ret);
347
348 /* Safeguard against processing data with an incomplete cipher state. */
349 if (!record_params->initialized)
350 return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
351
352 record_state = &record_params->write;
353
354 /* Do not allow null pointer if the send buffer is empty.
355 * If the previous send was interrupted then a null pointer is
356 * ok, and means to resume.
357 */
358 if (session->internals.record_send_buffer.byte_length == 0 &&
359 (data_size == 0 && _data == NULL))
360 {
361 gnutls_assert ();
362 return GNUTLS_E_INVALID_REQUEST;
363 }
364
365 if (type != GNUTLS_ALERT) /* alert messages are sent anyway */
366 if (session_is_valid (session) || session->internals.may_not_write != 0)
367 {
368 gnutls_assert ();
369 return GNUTLS_E_INVALID_SESSION;
370 }
371
372 headers[0] = type;
373
374 /* Use the default record version, if it is
375 * set.
376 */
377 copy_record_version (session, htype, &headers[1]);
378
379 header_size = RECORD_HEADER_SIZE(session);
380 /* Adjust header length and add sequence for DTLS */
381 if (IS_DTLS(session))
382 memcpy(&headers[3], &record_state->sequence_number.i, 8);
383
384 _gnutls_record_log
385 ("REC[%p]: Preparing Packet %s(%d) with length: %d\n", session,
386 _gnutls_packet2str (type), type, (int) data_size);
387
388 if (data_size > MAX_RECORD_SEND_SIZE(session))
389 {
390 if (IS_DTLS(session))
391 {
392 gnutls_assert ();
393 return GNUTLS_E_LARGE_PACKET;
394 }
395 send_data_size = MAX_RECORD_SEND_SIZE(session);
396 }
397 else
398 send_data_size = data_size;
399
400 /* Only encrypt if we don't have data to send
401 * from the previous run. - probably interrupted.
402 */
403 if (mflags != 0 && session->internals.record_send_buffer.byte_length > 0)
404 {
405 ret = _gnutls_io_write_flush (session);
406 if (ret > 0)
407 cipher_size = ret;
408 else
409 cipher_size = 0;
410
411 retval = session->internals.record_send_buffer_user_size;
412 }
413 else
414 {
415 /* now proceed to packet encryption
416 */
417 cipher_size = send_data_size + MAX_RECORD_OVERHEAD + CIPHER_SLACK_SIZE;
418 bufel = _mbuffer_alloc (cipher_size, cipher_size);
419 if (bufel == NULL)
420 return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
421
422 ret =
423 _gnutls_encrypt (session, headers, header_size, data,
424 send_data_size, _mbuffer_get_udata_ptr (bufel),
425 cipher_size, type, record_params);
426 if (ret <= 0)
427 {
428 gnutls_assert ();
429 if (ret == 0)
430 ret = GNUTLS_E_ENCRYPTION_FAILED;
431 gnutls_free (bufel);
432 return ret; /* error */
433 }
434
435 cipher_size = ret;
436 retval = send_data_size;
437 session->internals.record_send_buffer_user_size = send_data_size;
438
439 /* increase sequence number
440 */
441 if (sequence_increment (session, &record_state->sequence_number) != 0)
442 {
443 session_invalidate (session);
444 gnutls_free (bufel);
445 return gnutls_assert_val(GNUTLS_E_RECORD_LIMIT_REACHED);
446 }
447
448 _mbuffer_set_udata_size (bufel, cipher_size);
449 ret = _gnutls_io_write_buffered (session, bufel, mflags);
450 }
451
452 if (ret != cipher_size)
453 {
454 /* If we have sent any data then just return
455 * the error value. Do not invalidate the session.
456 */
457 if (ret < 0 && gnutls_error_is_fatal (ret) == 0)
458 return gnutls_assert_val(ret);
459
460 if (ret > 0)
461 ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
462
463 session_unresumable (session);
464 session->internals.may_not_write = 1;
465 return gnutls_assert_val(ret);
466 }
467
468 session->internals.record_send_buffer_user_size = 0;
469
470 _gnutls_record_log ("REC[%p]: Sent Packet[%d] %s(%d) in epoch %d and length: %d\n",
471 session,
472 (unsigned int)
473 _gnutls_uint64touint32
474 (&record_state->sequence_number),
475 _gnutls_packet2str (type), type,
476 (int) record_params->epoch,
477 (int) cipher_size);
478
479 return retval;
480 }
481
482 inline static int
483 check_recv_type (gnutls_session_t session, content_type_t recv_type)
484 {
485 switch (recv_type)
486 {
487 case GNUTLS_CHANGE_CIPHER_SPEC:
488 case GNUTLS_ALERT:
489 case GNUTLS_HANDSHAKE:
490 case GNUTLS_HEARTBEAT:
491 case GNUTLS_APPLICATION_DATA:
492 return 0;
493 default:
494 gnutls_assert ();
495 _gnutls_audit_log(session, "Received record packet of unknown type %u\n", (unsigned int)recv_type);
496 return GNUTLS_E_UNEXPECTED_PACKET;
497 }
498
499 }
500
501
502 /* Checks if there are pending data in the record buffers. If there are
503 * then it copies the data.
504 */
505 static int
506 check_buffers (gnutls_session_t session, content_type_t type,
507 uint8_t * data, int data_size, void* seq)
508 {
509 if ((type == GNUTLS_APPLICATION_DATA ||
510 type == GNUTLS_HANDSHAKE ||
511 type == GNUTLS_CHANGE_CIPHER_SPEC)
512 && _gnutls_record_buffer_get_size (session) > 0)
513 {
514 int ret;
515 ret = _gnutls_record_buffer_get (type, session, data, data_size, seq);
516 if (ret < 0)
517 {
518 if (IS_DTLS(session))
519 {
520 if (ret == GNUTLS_E_UNEXPECTED_PACKET)
521 {
522 ret = GNUTLS_E_AGAIN;
523 }
524 }
525 gnutls_assert ();
526 return ret;
527 }
528
529 return ret;
530 }
531
532 return 0;
533 }
534
535
536
537 /* Here we check if the advertized version is the one we
538 * negotiated in the handshake.
539 */
540 inline static int
541 record_check_version (gnutls_session_t session,
542 gnutls_handshake_description_t htype, uint8_t version[2])
543 {
544 if (htype == GNUTLS_HANDSHAKE_CLIENT_HELLO)
545 {
546 /* Reject hello packets with major version higher than 3.
547 */
548 if (!(IS_DTLS(session)) && version[0] > 3)
549 {
550 gnutls_assert ();
551 _gnutls_record_log
552 ("REC[%p]: INVALID VERSION PACKET: (%d) %d.%d\n", session,
553 htype, version[0], version[1]);
554 return GNUTLS_E_UNSUPPORTED_VERSION_PACKET;
555 }
556 }
557 else if (htype != GNUTLS_HANDSHAKE_SERVER_HELLO &&
558 gnutls_protocol_get_version (session) !=
559 _gnutls_version_get (version[0], version[1]))
560 {
561 /* Reject record packets that have a different version than the
562 * one negotiated. Note that this version is not protected by any
563 * mac. I don't really think that this check serves any purpose.
564 */
565 gnutls_assert ();
566 _gnutls_record_log ("REC[%p]: INVALID VERSION PACKET: (%d) %d.%d\n",
567 session, htype, version[0], version[1]);
568
569 return GNUTLS_E_UNSUPPORTED_VERSION_PACKET;
570 }
571
572 return 0;
573 }
574
575 /* This function will check if the received record type is
576 * the one we actually expect and adds it to the proper
577 * buffer. The bufel will be deinitialized after calling
578 * this function, even if it fails.
579 */
580 static int
581 record_add_to_buffers (gnutls_session_t session,
582 struct tls_record_st *recv, content_type_t type,
583 gnutls_handshake_description_t htype,
584 uint64* seq,
585 mbuffer_st* bufel)
586 {
587
588 int ret;
589
590 if ((recv->type == type)
591 && (type == GNUTLS_APPLICATION_DATA ||
592 type == GNUTLS_CHANGE_CIPHER_SPEC ||
593 type == GNUTLS_HANDSHAKE))
594 {
595 _gnutls_record_buffer_put (session, type, seq, bufel);
596
597 /* if we received application data as expected then we
598 * deactivate the async timer */
599 _dtls_async_timer_delete(session);
600 }
601 else
602 {
603 /* if the expected type is different than the received
604 */
605 switch (recv->type)
606 {
607 case GNUTLS_ALERT:
608 if (bufel->msg.size < 2)
609 {
610 ret = gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
611 goto unexpected_packet;
612 }
613
614 _gnutls_record_log
615 ("REC[%p]: Alert[%d|%d] - %s - was received\n", session,
616 bufel->msg.data[0], bufel->msg.data[1], gnutls_alert_get_name ((int) bufel->msg.data[1]));
617
618 session->internals.last_alert = bufel->msg.data[1];
619
620 /* if close notify is received and
621 * the alert is not fatal
622 */
623 if (bufel->msg.data[1] == GNUTLS_A_CLOSE_NOTIFY && bufel->msg.data[0] != GNUTLS_AL_FATAL)
624 {
625 /* If we have been expecting for an alert do
626 */
627 session->internals.read_eof = 1;
628 ret = GNUTLS_E_SESSION_EOF;
629 goto cleanup;
630 }
631 else
632 {
633 /* if the alert is FATAL or WARNING
634 * return the apropriate message
635 */
636
637 gnutls_assert ();
638 ret = GNUTLS_E_WARNING_ALERT_RECEIVED;
639 if (bufel->msg.data[0] == GNUTLS_AL_FATAL)
640 {
641 session_unresumable (session);
642 session_invalidate (session);
643 ret = gnutls_assert_val(GNUTLS_E_FATAL_ALERT_RECEIVED);
644 }
645 goto cleanup;
646 }
647 break;
648
649 case GNUTLS_CHANGE_CIPHER_SPEC:
650 if (!(IS_DTLS(session)))
651 return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET);
652
653 _gnutls_record_buffer_put (session, recv->type, seq, bufel);
654
655 break;
656
657 case GNUTLS_HEARTBEAT:
658 ret = _gnutls_heartbeat_handle (session, bufel);
659 goto cleanup;
660
661 case GNUTLS_APPLICATION_DATA:
662 if (session->internals.initial_negotiation_completed == 0)
663 {
664 ret = gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET);
665 goto unexpected_packet;
666 }
667
668
669 /* the got_application data is only returned
670 * if expecting client hello (for rehandshake
671 * reasons). Otherwise it is an unexpected packet
672 */
673 if (type == GNUTLS_ALERT || (htype == GNUTLS_HANDSHAKE_CLIENT_HELLO
674 && type == GNUTLS_HANDSHAKE))
675 {
676 /* even if data is unexpected put it into the buffer */
677 if ((ret =
678 _gnutls_record_buffer_put (session, recv->type, seq,
679 bufel)) < 0)
680 {
681 gnutls_assert ();
682 goto cleanup;
683 }
684
685 return gnutls_assert_val(GNUTLS_E_GOT_APPLICATION_DATA);
686 }
687 else
688 {
689 ret = gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET);
690 goto unexpected_packet;
691 }
692
693 break;
694
695 case GNUTLS_HANDSHAKE:
696 /* In DTLS we might receive a handshake replay from the peer to indicate
697 * the our last TLS handshake messages were not received.
698 */
699 if (IS_DTLS(session))
700 {
701 if (type == GNUTLS_CHANGE_CIPHER_SPEC)
702 {
703 ret = gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET);
704 goto unexpected_packet;
705 }
706
707 if (_dtls_is_async(session) && _dtls_async_timer_active(session))
708 {
709 if (session->security_parameters.entity == GNUTLS_SERVER &&
710 bufel->htype == GNUTLS_HANDSHAKE_CLIENT_HELLO)
711 {
712 /* client requested rehandshake. Delete the timer */
713 _dtls_async_timer_delete(session);
714 }
715 else
716 {
717 session->internals.recv_state = RECV_STATE_DTLS_RETRANSMIT;
718 ret = _dtls_retransmit(session);
719 if (ret == 0)
720 {
721 session->internals.recv_state = RECV_STATE_0;
722 ret = gnutls_assert_val(GNUTLS_E_AGAIN);
723 goto unexpected_packet;
724 }
725 goto cleanup;
726 }
727 }
728 }
729
730 /* This is legal if HELLO_REQUEST is received - and we are a client.
731 * If we are a server, a client may initiate a renegotiation at any time.
732 */
733 if (session->security_parameters.entity == GNUTLS_SERVER &&
734 bufel->htype == GNUTLS_HANDSHAKE_CLIENT_HELLO)
735 {
736 gnutls_assert ();
737 ret =
738 _gnutls_record_buffer_put (session, recv->type, seq, bufel);
739 if (ret < 0)
740 {
741 gnutls_assert ();
742 goto cleanup;
743 }
744 return GNUTLS_E_REHANDSHAKE;
745 }
746
747 /* If we are already in a handshake then a Hello
748 * Request is illegal. But here we don't really care
749 * since this message will never make it up here.
750 */
751
752 /* So we accept it, if it is a Hello. If not, this will
753 * fail and trigger flight retransmissions after some time. */
754 ret = _gnutls_recv_hello_request (session, bufel->msg.data, bufel->msg.size);
755 goto unexpected_packet;
756
757 break;
758 default:
759
760 _gnutls_record_log
761 ("REC[%p]: Received unexpected packet %d (%s) expecting %d (%s)\n",
762 session, recv->type, _gnutls_packet2str(recv->type), type, _gnutls_packet2str(type));
763
764 gnutls_assert ();
765 ret = GNUTLS_E_UNEXPECTED_PACKET;
766 goto unexpected_packet;
767 }
768 }
769
770 return 0;
771
772 unexpected_packet:
773 if (IS_DTLS(session) && ret != GNUTLS_E_REHANDSHAKE)
774 {
775 _mbuffer_xfree(&bufel);
776 RETURN_DTLS_EAGAIN_OR_TIMEOUT(session, ret);
777 }
778
779 cleanup:
780 _mbuffer_xfree(&bufel);
781 return ret;
782
783 }
784
785 int _gnutls_get_max_decrypted_data(gnutls_session_t session)
786 {
787 int ret;
788
789 if (gnutls_compression_get (session) != GNUTLS_COMP_NULL ||
790 session->internals.priorities.allow_large_records != 0)
791 ret = MAX_RECORD_RECV_SIZE(session) + EXTRA_COMP_SIZE;
792 else
793 ret = MAX_RECORD_RECV_SIZE(session);
794
795 return ret;
796 }
797
798 /* Checks the record headers and returns the length, version and
799 * content type.
800 */
801 static void
802 record_read_headers (gnutls_session_t session,
803 uint8_t headers[MAX_RECORD_HEADER_SIZE],
804 content_type_t type,
805 gnutls_handshake_description_t htype,
806 struct tls_record_st* record)
807 {
808
809 /* Read the first two bytes to determine if this is a
810 * version 2 message
811 */
812
813 if (htype == GNUTLS_HANDSHAKE_CLIENT_HELLO && type == GNUTLS_HANDSHAKE
814 && headers[0] > 127 && !(IS_DTLS(session)))
815 {
816
817 /* if msb set and expecting handshake message
818 * it should be SSL 2 hello
819 */
820 record->version[0] = 3; /* assume SSL 3.0 */
821 record->version[1] = 0;
822
823 record->length = (((headers[0] & 0x7f) << 8)) | headers[1];
824
825 /* SSL 2.0 headers */
826 record->header_size = record->packet_size = 2;
827 record->type = GNUTLS_HANDSHAKE; /* we accept only v2 client hello
828 */
829
830 /* in order to assist the handshake protocol.
831 * V2 compatibility is a mess.
832 */
833 record->v2 = 1;
834 record->epoch = 0;
835
836 _gnutls_record_log ("REC[%p]: SSL 2.0 %s packet received. Length: %d\n",
837 session,
838 _gnutls_packet2str (record->type),
839 record->length);
840
841 }
842 else
843 {
844 /* dtls version 1.0 and TLS version 1.x */
845 record->v2 = 0;
846
847 record->type = headers[0];
848 record->version[0] = headers[1];
849 record->version[1] = headers[2];
850
851 if(IS_DTLS(session))
852 {
853 memcpy(record->sequence.i, &headers[3], 8);
854 record->length = _gnutls_read_uint16 (&headers[11]);
855 record->epoch = _gnutls_read_uint16(record->sequence.i);
856 }
857 else
858 {
859 record->length = _gnutls_read_uint16 (&headers[3]);
860 record->epoch = 0;
861 }
862
863 _gnutls_record_log ("REC[%p]: SSL %d.%d %s packet received. Epoch %d, length: %d\n",
864 session, (int)record->version[0], (int)record->version[1],
865 _gnutls_packet2str (record->type),
866 (int)record->epoch, record->length);
867
868 }
869
870 record->packet_size += record->length;
871 }
872
873
874 static int recv_headers( gnutls_session_t session, content_type_t type,
875 gnutls_handshake_description_t htype,
876 struct tls_record_st* record,
877 unsigned int *ms)
878 {
879 int ret;
880 gnutls_datum_t raw; /* raw headers */
881 /* Read the headers.
882 */
883 record->header_size = record->packet_size = RECORD_HEADER_SIZE(session);
884
885 if ((ret =
886 _gnutls_io_read_buffered (session, record->header_size, -1, ms)) != record->header_size)
887 {
888 if (ret < 0 && gnutls_error_is_fatal (ret) == 0)
889 return ret;
890
891 if (ret > 0)
892 ret = GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
893 else if (ret == 0)
894 ret = GNUTLS_E_PREMATURE_TERMINATION;
895
896 return gnutls_assert_val(ret);
897 }
898
899 ret = _mbuffer_linearize (&session->internals.record_recv_buffer);
900 if (ret < 0)
901 return gnutls_assert_val(ret);
902
903 _mbuffer_head_get_first (&session->internals.record_recv_buffer, &raw);
904 if (raw.size < RECORD_HEADER_SIZE(session))
905 return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
906
907 record_read_headers (session, raw.data, type, htype, record);
908
909 /* Check if the DTLS epoch is valid */
910 if (IS_DTLS(session))
911 {
912 if (_gnutls_epoch_is_valid(session, record->epoch) == 0)
913 {
914 _gnutls_audit_log(session, "Discarded message[%u] with invalid epoch %u.\n",
915 (unsigned int)_gnutls_uint64touint32 (&record->sequence),
916 (unsigned int)record->sequence.i[0]*256+(unsigned int)record->sequence.i[1]);
917 gnutls_assert();
918 /* doesn't matter, just a fatal error */
919 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
920 }
921 }
922
923 /* Here we check if the Type of the received packet is
924 * ok.
925 */
926 if ((ret = check_recv_type (session, record->type)) < 0)
927 return gnutls_assert_val(ret);
928
929 /* Here we check if the advertized version is the one we
930 * negotiated in the handshake.
931 */
932 if ((ret = record_check_version (session, htype, record->version)) < 0)
933 return gnutls_assert_val(ret);
934
935 if (record->length > MAX_RECV_SIZE(session))
936 {
937 _gnutls_audit_log
938 (session, "Received packet with illegal length: %u\n", (unsigned int)record->length);
939 return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
940 }
941
942 _gnutls_record_log
943 ("REC[%p]: Expected Packet %s(%d)\n", session,
944 _gnutls_packet2str (type), type);
945 _gnutls_record_log ("REC[%p]: Received Packet %s(%d) with length: %d\n",
946 session,
947 _gnutls_packet2str (record->type), record->type, record->length);
948
949
950 return 0;
951 }
952
953 #define MAX_EMPTY_PACKETS_SEQUENCE 4
954
955 /* @ms: is the number of milliseconds to wait for data. Use zero for indefinite.
956 *
957 * This will receive record layer packets and add them to
958 * application_data_buffer and handshake_data_buffer.
959 *
960 * If the htype is not -1 then handshake timeouts
961 * will be enforced.
962 */
963 ssize_t
964 _gnutls_recv_in_buffers (gnutls_session_t session, content_type_t type,
965 gnutls_handshake_description_t htype, unsigned int ms)
966 {
967 uint64 *packet_sequence;
968 uint8_t *ciphertext;
969 mbuffer_st* bufel = NULL, *decrypted = NULL;
970 int ret;
971 int empty_packet = 0;
972 record_parameters_st *record_params;
973 record_state_st *record_state;
974 struct tls_record_st record;
975
976 begin:
977
978 if (empty_packet > MAX_EMPTY_PACKETS_SEQUENCE)
979 {
980 gnutls_assert ();
981 return GNUTLS_E_TOO_MANY_EMPTY_PACKETS;
982 }
983
984 memset(&record, 0, sizeof(record));
985
986 if (session->internals.read_eof != 0)
987 {
988 /* if we have already read an EOF
989 */
990 return 0;
991 }
992 else if (session_is_valid (session) != 0
993 || session->internals.may_not_read != 0)
994 return gnutls_assert_val(GNUTLS_E_INVALID_SESSION);
995
996 /* get the record state parameters */
997 ret = _gnutls_epoch_get (session, EPOCH_READ_CURRENT, &record_params);
998 if (ret < 0)
999 return gnutls_assert_val (ret);
1000
1001 /* Safeguard against processing data with an incomplete cipher state. */
1002 if (!record_params->initialized)
1003 return gnutls_assert_val (GNUTLS_E_INTERNAL_ERROR);
1004
1005 record_state = &record_params->read;
1006
1007 /* receive headers */
1008 ret = recv_headers(session, type, htype, &record, &ms);
1009 if (ret < 0)
1010 {
1011 ret = gnutls_assert_val_fatal(ret);
1012 goto recv_error;
1013 }
1014
1015 if (IS_DTLS(session))
1016 packet_sequence = &record.sequence;
1017 else
1018 packet_sequence = &record_state->sequence_number;
1019
1020 /* Read the packet data and insert it to record_recv_buffer.
1021 */
1022 ret =
1023 _gnutls_io_read_buffered (session, record.packet_size,
1024 record.type, &ms);
1025 if (ret != record.packet_size)
1026 {
1027 gnutls_assert();
1028 goto recv_error;
1029 }
1030
1031 /* ok now we are sure that we have read all the data - so
1032 * move on !
1033 */
1034 ret = _mbuffer_linearize (&session->internals.record_recv_buffer);
1035 if (ret < 0)
1036 return gnutls_assert_val(ret);
1037
1038 bufel = _mbuffer_head_get_first (&session->internals.record_recv_buffer, NULL);
1039 if (bufel == NULL)
1040 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
1041
1042 /* We allocate the maximum possible to allow few compressed bytes to expand to a
1043 * full record.
1044 */
1045 decrypted = _mbuffer_alloc(MAX_RECORD_RECV_SIZE(session),
1046 MAX_RECORD_RECV_SIZE(session));
1047 if (decrypted == NULL)
1048 return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
1049
1050 ciphertext = (uint8_t*)_mbuffer_get_udata_ptr(bufel) + record.header_size;
1051
1052 /* decrypt the data we got.
1053 */
1054 ret =
1055 _gnutls_decrypt (session, ciphertext, record.length,
1056 _mbuffer_get_udata_ptr(decrypted), _mbuffer_get_udata_size(decrypted),
1057 record.type, record_params, packet_sequence);
1058 if (ret >= 0) _mbuffer_set_udata_size(decrypted, ret);
1059
1060 _mbuffer_head_remove_bytes (&session->internals.record_recv_buffer,
1061 record.header_size + record.length);
1062 if (ret < 0)
1063 {
1064 gnutls_assert();
1065 _gnutls_audit_log(session, "Discarded message[%u] due to invalid decryption\n",
1066 (unsigned int)_gnutls_uint64touint32 (packet_sequence));
1067 goto sanity_check_error;
1068 }
1069
1070 /* check for duplicates. We check after the message
1071 * is processed and authenticated to avoid someone
1072 * messing with our windows.
1073 */
1074 if (IS_DTLS(session))
1075 {
1076 ret = _dtls_record_check(record_params, packet_sequence);
1077 if (ret < 0)
1078 {
1079 _gnutls_audit_log(session, "Discarded duplicate message[%u]: %s\n",
1080 (unsigned int) _gnutls_uint64touint32 (packet_sequence), _gnutls_packet2str (record.type));
1081 goto sanity_check_error;
1082 }
1083 _gnutls_record_log
1084 ("REC[%p]: Decrypted Packet[%u.%u] %s(%d) with length: %d\n", session,
1085 (unsigned int)record.sequence.i[0]*256 +(unsigned int)record.sequence.i[1],
1086 (unsigned int) _gnutls_uint64touint32 (packet_sequence),
1087 _gnutls_packet2str (record.type), record.type, (int)_mbuffer_get_udata_size(decrypted));
1088 }
1089 else
1090 {
1091 _gnutls_record_log
1092 ("REC[%p]: Decrypted Packet[%u] %s(%d) with length: %d\n", session,
1093 (unsigned int) _gnutls_uint64touint32 (packet_sequence),
1094 _gnutls_packet2str (record.type), record.type, (int)_mbuffer_get_udata_size(decrypted));
1095 }
1096
1097 /* increase sequence number
1098 */
1099 if (!IS_DTLS(session) && sequence_increment (session, &record_state->sequence_number) != 0)
1100 {
1101 session_invalidate (session);
1102 gnutls_assert ();
1103 ret = GNUTLS_E_RECORD_LIMIT_REACHED;
1104 goto sanity_check_error;
1105 }
1106
1107 /* (originally for) TLS 1.0 CBC protection.
1108 * Actually this code is called if we just received
1109 * an empty packet. An empty TLS packet is usually
1110 * sent to protect some vulnerabilities in the CBC mode.
1111 * In that case we go to the beginning and start reading
1112 * the next packet.
1113 */
1114 if (_mbuffer_get_udata_size(decrypted) == 0)
1115 {
1116 _mbuffer_xfree(&decrypted);
1117 empty_packet++;
1118 goto begin;
1119 }
1120
1121 if (record.v2)
1122 decrypted->htype = GNUTLS_HANDSHAKE_CLIENT_HELLO_V2;
1123 else
1124 {
1125 uint8_t * p = _mbuffer_get_udata_ptr(decrypted);
1126 decrypted->htype = p[0];
1127 }
1128
1129 ret =
1130 record_add_to_buffers (session, &record, type, htype,
1131 packet_sequence, decrypted);
1132
1133 /* bufel is now either deinitialized or buffered somewhere else */
1134
1135 if (ret < 0)
1136 return gnutls_assert_val(ret);
1137
1138 return ret;
1139
1140 discard:
1141 session->internals.dtls.packets_dropped++;
1142
1143 /* discard the whole received fragment. */
1144 bufel = _mbuffer_head_pop_first(&session->internals.record_recv_buffer);
1145 _mbuffer_xfree(&bufel);
1146 return gnutls_assert_val(GNUTLS_E_AGAIN);
1147
1148 sanity_check_error:
1149 if (IS_DTLS(session))
1150 {
1151 session->internals.dtls.packets_dropped++;
1152 ret = gnutls_assert_val(GNUTLS_E_AGAIN);
1153 goto cleanup;
1154 }
1155
1156 session_unresumable (session);
1157 session_invalidate (session);
1158
1159 cleanup:
1160 _mbuffer_xfree(&decrypted);
1161 return ret;
1162
1163 recv_error:
1164 if (ret < 0 && (gnutls_error_is_fatal (ret) == 0 || ret == GNUTLS_E_TIMEDOUT))
1165 return ret;
1166
1167 if (IS_DTLS(session))
1168 {
1169 goto discard;
1170 }
1171
1172 session_invalidate (session);
1173 if (type == GNUTLS_ALERT) /* we were expecting close notify */
1174 {
1175 gnutls_assert ();
1176 return 0;
1177 }
1178 session_unresumable (session);
1179
1180 if (ret == 0)
1181 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
1182 else
1183 return ret;
1184 }
1185
1186 /* This function behaves exactly like read(). The only difference is
1187 * that it accepts the gnutls_session_t and the content_type_t of data to
1188 * receive (if called by the user the Content is Userdata only)
1189 * It is intended to receive data, under the current session.
1190 *
1191 * The gnutls_handshake_description_t was introduced to support SSL V2.0 client hellos.
1192 */
1193 ssize_t
1194 _gnutls_recv_int (gnutls_session_t session, content_type_t type,
1195 gnutls_handshake_description_t htype,
1196 uint8_t * data, size_t data_size, void* seq,
1197 unsigned int ms)
1198 {
1199 int ret;
1200
1201 if ((type != GNUTLS_ALERT && type != GNUTLS_HEARTBEAT) && (data_size == 0 || data == NULL))
1202 return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
1203
1204 if (session->internals.read_eof != 0)
1205 {
1206 /* if we have already read an EOF
1207 */
1208 return 0;
1209 }
1210 else if (session_is_valid (session) != 0
1211 || session->internals.may_not_read != 0)
1212 {
1213 gnutls_assert ();
1214 return GNUTLS_E_INVALID_SESSION;
1215 }
1216
1217 switch(session->internals.recv_state)
1218 {
1219 case RECV_STATE_DTLS_RETRANSMIT:
1220 ret = _dtls_retransmit(session);
1221 if (ret < 0)
1222 return gnutls_assert_val(ret);
1223
1224 session->internals.recv_state = RECV_STATE_0;
1225 case RECV_STATE_0:
1226
1227 _dtls_async_timer_check(session);
1228 /* If we have enough data in the cache do not bother receiving
1229 * a new packet. (in order to flush the cache)
1230 */
1231 ret = check_buffers (session, type, data, data_size, seq);
1232 if (ret != 0)
1233 return ret;
1234
1235 ret = _gnutls_recv_in_buffers(session, type, htype, ms);
1236 if (ret < 0 && ret != GNUTLS_E_SESSION_EOF)
1237 return gnutls_assert_val(ret);
1238
1239 return check_buffers (session, type, data, data_size, seq);
1240 default:
1241 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
1242 }
1243 }
1244
1245 /**
1246 * gnutls_record_send:
1247 * @session: is a #gnutls_session_t structure.
1248 * @data: contains the data to send
1249 * @data_size: is the length of the data
1250 *
1251 * This function has the similar semantics with send(). The only
1252 * difference is that it accepts a GnuTLS session, and uses different
1253 * error codes.
1254 * Note that if the send buffer is full, send() will block this
1255 * function. See the send() documentation for full information. You
1256 * can replace the default push function by using
1257 * gnutls_transport_set_ptr2() with a call to send() with a
1258 * MSG_DONTWAIT flag if blocking is a problem.
1259 * If the EINTR is returned by the internal push function (the
1260 * default is send()) then %GNUTLS_E_INTERRUPTED will be returned. If
1261 * %GNUTLS_E_INTERRUPTED or %GNUTLS_E_AGAIN is returned, you must
1262 * call this function again, with the same parameters; alternatively
1263 * you could provide a %NULL pointer for data, and 0 for
1264 * size. cf. gnutls_record_get_direction(). The errno value EMSGSIZE
1265 * maps to %GNUTLS_E_LARGE_PACKET.
1266 *
1267 * Returns: The number of bytes sent, or a negative error code. The
1268 * number of bytes sent might be less than @data_size. The maximum
1269 * number of bytes this function can send in a single call depends
1270 * on the negotiated maximum record size.
1271 **/
1272 ssize_t
1273 gnutls_record_send (gnutls_session_t session, const void *data,
1274 size_t data_size)
1275 {
1276 return _gnutls_send_int (session, GNUTLS_APPLICATION_DATA, -1,
1277 EPOCH_WRITE_CURRENT, data, data_size,
1278 MBUFFER_FLUSH);
1279 }
1280
1281 /**
1282 * gnutls_record_recv:
1283 * @session: is a #gnutls_session_t structure.
1284 * @data: the buffer that the data will be read into
1285 * @data_size: the number of requested bytes
1286 *
1287 * This function has the similar semantics with recv(). The only
1288 * difference is that it accepts a GnuTLS session, and uses different
1289 * error codes.
1290 * In the special case that a server requests a renegotiation, the
1291 * client may receive an error code of %GNUTLS_E_REHANDSHAKE. This
1292 * message may be simply ignored, replied with an alert
1293 * %GNUTLS_A_NO_RENEGOTIATION, or replied with a new handshake,
1294 * depending on the client's will.
1295 * If %EINTR is returned by the internal push function (the default
1296 * is recv()) then %GNUTLS_E_INTERRUPTED will be returned. If
1297 * %GNUTLS_E_INTERRUPTED or %GNUTLS_E_AGAIN is returned, you must
1298 * call this function again to get the data. See also
1299 * gnutls_record_get_direction().
1300 * A server may also receive %GNUTLS_E_REHANDSHAKE when a client has
1301 * initiated a handshake. In that case the server can only initiate a
1302 * handshake or terminate the connection.
1303 *
1304 * Returns: The number of bytes received and zero on EOF (for stream
1305 * connections). A negative error code is returned in case of an error.
1306 * The number of bytes received might be less than the requested @data_size.
1307 **/
1308 ssize_t
1309 gnutls_record_recv (gnutls_session_t session, void *data, size_t data_size)
1310 {
1311 return _gnutls_recv_int (session, GNUTLS_APPLICATION_DATA, -1, data, data_size, NULL, 0);
1312 }
1313
1314 /**
1315 * gnutls_record_recv_seq:
1316 * @session: is a #gnutls_session_t structure.
1317 * @data: the buffer that the data will be read into
1318 * @data_size: the number of requested bytes
1319 * @seq: is the packet's 64-bit sequence number. Should have space for 8 bytes.
1320 *
1321 * This function is the same as gnutls_record_recv(), except that
1322 * it returns in addition to data, the sequence number of the data.
1323 * This is useful in DTLS where record packets might be received
1324 * out-of-order. The returned 8-byte sequence number is an
1325 * integer in big-endian format and should be
1326 * treated as a unique message identification.
1327 *
1328 * Returns: The number of bytes received and zero on EOF. A negative
1329 * error code is returned in case of an error. The number of bytes
1330 * received might be less than @data_size.
1331 *
1332 * Since: 3.0
1333 **/
1334 ssize_t
1335 gnutls_record_recv_seq (gnutls_session_t session, void *data, size_t data_size,
1336 unsigned char *seq)
1337 {
1338 return _gnutls_recv_int (session, GNUTLS_APPLICATION_DATA, -1, data,
1339 data_size, seq, 0);
1340 }
Implementation of the SSL/TLS protocol