search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
corrected typo
[gnutls.git] / lib / gnutls_record.c
blob2a616338e0023fde07b1decc4382b3b7f29349b8
1 /*
2 * Copyright (C) 2000-2012 Free Software Foundation, Inc.
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GnuTLS.
7 *
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
20 *
21 */
22
23 /* Functions that are record layer specific, are included in this file.
24 */
25
26 /* allocate this many bytes more when encrypting or decrypting, to
27 * compensate for broken backends such as cryptodev.
28 */
29 #define CIPHER_SLACK_SIZE 32
30
31 #include "gnutls_int.h"
32 #include "gnutls_errors.h"
33 #include "debug.h"
34 #include "gnutls_compress.h"
35 #include "gnutls_cipher.h"
36 #include "gnutls_buffers.h"
37 #include "gnutls_mbuffers.h"
38 #include "gnutls_handshake.h"
39 #include "gnutls_hash_int.h"
40 #include "gnutls_cipher_int.h"
41 #include "algorithms.h"
42 #include "gnutls_db.h"
43 #include "gnutls_auth.h"
44 #include "gnutls_num.h"
45 #include "gnutls_record.h"
46 #include "gnutls_datum.h"
47 #include "gnutls_constate.h"
48 #include "ext/max_record.h"
49 #include <ext/heartbeat.h>
50 #include <gnutls_state.h>
51 #include <gnutls_dtls.h>
52 #include <gnutls_dh.h>
53 #include <random.h>
54
55 struct tls_record_st {
56 uint16_t header_size;
57 uint8_t version[2];
58 uint64 sequence; /* DTLS */
59 uint16_t length;
60 uint16_t packet_size; /* header_size + length */
61 content_type_t type;
62 uint16_t epoch; /* valid in DTLS only */
63 int v2:1; /* whether an SSLv2 client hello */
64 /* the data */
65 };
66
67 /**
68 * gnutls_record_disable_padding:
69 * @session: is a #gnutls_session_t structure.
70 *
71 * Used to disabled padding in TLS 1.0 and above. Normally you do not
72 * need to use this function, but there are buggy clients that
73 * complain if a server pads the encrypted data. This of course will
74 * disable protection against statistical attacks on the data.
75 *
76 * Normally only servers that require maximum compatibility with everything
77 * out there, need to call this function.
78 **/
79 void
80 gnutls_record_disable_padding (gnutls_session_t session)
81 {
82 session->internals.priorities.no_padding = 1;
83 }
84
85 /**
86 * gnutls_transport_set_ptr:
87 * @session: is a #gnutls_session_t structure.
88 * @ptr: is the value.
89 *
90 * Used to set the first argument of the transport function (for push
91 * and pull callbacks). In berkeley style sockets this function will set the
92 * connection descriptor.
93 **/
94 void
95 gnutls_transport_set_ptr (gnutls_session_t session,
96 gnutls_transport_ptr_t ptr)
97 {
98 session->internals.transport_recv_ptr = ptr;
99 session->internals.transport_send_ptr = ptr;
100 }
101
102 /**
103 * gnutls_transport_set_ptr2:
104 * @session: is a #gnutls_session_t structure.
105 * @recv_ptr: is the value for the pull function
106 * @send_ptr: is the value for the push function
107 *
108 * Used to set the first argument of the transport function (for push
109 * and pull callbacks). In berkeley style sockets this function will set the
110 * connection descriptor. With this function you can use two different
111 * pointers for receiving and sending.
112 **/
113 void
114 gnutls_transport_set_ptr2 (gnutls_session_t session,
115 gnutls_transport_ptr_t recv_ptr,
116 gnutls_transport_ptr_t send_ptr)
117 {
118 session->internals.transport_send_ptr = send_ptr;
119 session->internals.transport_recv_ptr = recv_ptr;
120 }
121
122 /**
123 * gnutls_transport_get_ptr:
124 * @session: is a #gnutls_session_t structure.
125 *
126 * Used to get the first argument of the transport function (like
127 * PUSH and PULL). This must have been set using
128 * gnutls_transport_set_ptr().
129 *
130 * Returns: The first argument of the transport function.
131 **/
132 gnutls_transport_ptr_t
133 gnutls_transport_get_ptr (gnutls_session_t session)
134 {
135 return session->internals.transport_recv_ptr;
136 }
137
138 /**
139 * gnutls_transport_get_ptr2:
140 * @session: is a #gnutls_session_t structure.
141 * @recv_ptr: will hold the value for the pull function
142 * @send_ptr: will hold the value for the push function
143 *
144 * Used to get the arguments of the transport functions (like PUSH
145 * and PULL). These should have been set using
146 * gnutls_transport_set_ptr2().
147 **/
148 void
149 gnutls_transport_get_ptr2 (gnutls_session_t session,
150 gnutls_transport_ptr_t * recv_ptr,
151 gnutls_transport_ptr_t * send_ptr)
152 {
153
154 *recv_ptr = session->internals.transport_recv_ptr;
155 *send_ptr = session->internals.transport_send_ptr;
156 }
157
158 /**
159 * gnutls_bye:
160 * @session: is a #gnutls_session_t structure.
161 * @how: is an integer
162 *
163 * Terminates the current TLS/SSL connection. The connection should
164 * have been initiated using gnutls_handshake(). @how should be one
165 * of %GNUTLS_SHUT_RDWR, %GNUTLS_SHUT_WR.
166 *
167 * In case of %GNUTLS_SHUT_RDWR the TLS session gets
168 * terminated and further receives and sends will be disallowed. If
169 * the return value is zero you may continue using the underlying
170 * transport layer. %GNUTLS_SHUT_RDWR sends an alert containing a close
171 * request and waits for the peer to reply with the same message.
172 *
173 * In case of %GNUTLS_SHUT_WR the TLS session gets terminated
174 * and further sends will be disallowed. In order to reuse the
175 * connection you should wait for an EOF from the peer.
176 * %GNUTLS_SHUT_WR sends an alert containing a close request.
177 *
178 * Note that not all implementations will properly terminate a TLS
179 * connection. Some of them, usually for performance reasons, will
180 * terminate only the underlying transport layer, and thus not
181 * distinguishing between a malicious party prematurely terminating
182 * the connection and normal termination.
183 *
184 * This function may also return %GNUTLS_E_AGAIN or
185 * %GNUTLS_E_INTERRUPTED; cf. gnutls_record_get_direction().
186 *
187 * Returns: %GNUTLS_E_SUCCESS on success, or an error code, see
188 * function documentation for entire semantics.
189 **/
190 int
191 gnutls_bye (gnutls_session_t session, gnutls_close_request_t how)
192 {
193 int ret = 0;
194
195 switch (STATE)
196 {
197 case STATE0:
198 case STATE60:
199 ret = _gnutls_io_write_flush (session);
200 STATE = STATE60;
201 if (ret < 0)
202 {
203 gnutls_assert ();
204 return ret;
205 }
206
207 case STATE61:
208 ret =
209 gnutls_alert_send (session, GNUTLS_AL_WARNING, GNUTLS_A_CLOSE_NOTIFY);
210 STATE = STATE61;
211 if (ret < 0)
212 {
213 gnutls_assert ();
214 return ret;
215 }
216
217 case STATE62:
218 STATE = STATE62;
219 if (how == GNUTLS_SHUT_RDWR)
220 {
221 do
222 {
223 ret = _gnutls_recv_int (session, GNUTLS_ALERT, -1, NULL, 0, NULL);
224 }
225 while (ret == GNUTLS_E_GOT_APPLICATION_DATA);
226
227 if (ret >= 0)
228 session->internals.may_not_read = 1;
229
230 if (ret < 0)
231 {
232 gnutls_assert ();
233 return ret;
234 }
235 }
236 STATE = STATE62;
237
238 break;
239 default:
240 gnutls_assert ();
241 return GNUTLS_E_INTERNAL_ERROR;
242 }
243
244 STATE = STATE0;
245
246 session->internals.may_not_write = 1;
247 return 0;
248 }
249
250 inline static void
251 session_invalidate (gnutls_session_t session)
252 {
253 session->internals.invalid_connection = 1;
254 }
255
256
257 inline static void
258 session_unresumable (gnutls_session_t session)
259 {
260 session->internals.resumable = RESUME_FALSE;
261 }
262
263 /* returns 0 if session is valid
264 */
265 inline static int
266 session_is_valid (gnutls_session_t session)
267 {
268 if (session->internals.invalid_connection != 0)
269 return GNUTLS_E_INVALID_SESSION;
270
271 return 0;
272 }
273
274 /* Copies the record version into the headers. The
275 * version must have 2 bytes at least.
276 */
277 inline static void
278 copy_record_version (gnutls_session_t session,
279 gnutls_handshake_description_t htype, uint8_t version[2])
280 {
281 gnutls_protocol_t lver;
282
283 if (session->internals.initial_negotiation_completed || htype != GNUTLS_HANDSHAKE_CLIENT_HELLO
284 || session->internals.default_record_version[0] == 0)
285 {
286 lver = gnutls_protocol_get_version (session);
287
288 version[0] = _gnutls_version_get_major (lver);
289 version[1] = _gnutls_version_get_minor (lver);
290 }
291 else
292 {
293 version[0] = session->internals.default_record_version[0];
294 version[1] = session->internals.default_record_version[1];
295 }
296 }
297
298 /* Increments the sequence value
299 */
300 inline static int
301 sequence_increment (gnutls_session_t session,
302 uint64 * value)
303 {
304 if (IS_DTLS(session))
305 {
306 return _gnutls_uint48pp(value);
307 }
308 else
309 {
310 return _gnutls_uint64pp(value);
311 }
312 }
313
314 /* This function behaves exactly like write(). The only difference is
315 * that it accepts, the gnutls_session_t and the content_type_t of data to
316 * send (if called by the user the Content is specific)
317 * It is intended to transfer data, under the current session.
318 *
319 * Oct 30 2001: Removed capability to send data more than MAX_RECORD_SIZE.
320 * This makes the function much easier to read, and more error resistant
321 * (there were cases were the old function could mess everything up).
322 * --nmav
323 *
324 * This function may accept a NULL pointer for data, and 0 for size, if
325 * and only if the previous send was interrupted for some reason.
326 *
327 */
328 ssize_t
329 _gnutls_send_int (gnutls_session_t session, content_type_t type,
330 gnutls_handshake_description_t htype,
331 unsigned int epoch_rel, const void *_data,
332 size_t data_size, unsigned int mflags)
333 {
334 mbuffer_st *bufel;
335 ssize_t cipher_size;
336 int retval, ret;
337 int send_data_size;
338 uint8_t headers[MAX_RECORD_HEADER_SIZE];
339 int header_size;
340 const uint8_t *data = _data;
341 record_parameters_st *record_params;
342 record_state_st *record_state;
343
344 ret = _gnutls_epoch_get (session, epoch_rel, &record_params);
345 if (ret < 0)
346 return gnutls_assert_val(ret);
347
348 /* Safeguard against processing data with an incomplete cipher state. */
349 if (!record_params->initialized)
350 return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
351
352 record_state = &record_params->write;
353
354 /* Do not allow null pointer if the send buffer is empty.
355 * If the previous send was interrupted then a null pointer is
356 * ok, and means to resume.
357 */
358 if (session->internals.record_send_buffer.byte_length == 0 &&
359 (data_size == 0 && _data == NULL))
360 {
361 gnutls_assert ();
362 return GNUTLS_E_INVALID_REQUEST;
363 }
364
365 if (type != GNUTLS_ALERT) /* alert messages are sent anyway */
366 if (session_is_valid (session) || session->internals.may_not_write != 0)
367 {
368 gnutls_assert ();
369 return GNUTLS_E_INVALID_SESSION;
370 }
371
372 headers[0] = type;
373
374 /* Use the default record version, if it is
375 * set.
376 */
377 copy_record_version (session, htype, &headers[1]);
378
379 header_size = RECORD_HEADER_SIZE(session);
380 /* Adjust header length and add sequence for DTLS */
381 if (IS_DTLS(session))
382 memcpy(&headers[3], &record_state->sequence_number.i, 8);
383
384 _gnutls_record_log
385 ("REC[%p]: Preparing Packet %s(%d) with length: %d\n", session,
386 _gnutls_packet2str (type), type, (int) data_size);
387
388 if (data_size > MAX_RECORD_SEND_SIZE(session))
389 {
390 if (IS_DTLS(session))
391 {
392 gnutls_assert ();
393 return GNUTLS_E_LARGE_PACKET;
394 }
395 send_data_size = MAX_RECORD_SEND_SIZE(session);
396 }
397 else
398 send_data_size = data_size;
399
400 /* Only encrypt if we don't have data to send
401 * from the previous run. - probably interrupted.
402 */
403 if (mflags != 0 && session->internals.record_send_buffer.byte_length > 0)
404 {
405 ret = _gnutls_io_write_flush (session);
406 if (ret > 0)
407 cipher_size = ret;
408 else
409 cipher_size = 0;
410
411 retval = session->internals.record_send_buffer_user_size;
412 }
413 else
414 {
415 /* now proceed to packet encryption
416 */
417 cipher_size = send_data_size + MAX_RECORD_OVERHEAD + CIPHER_SLACK_SIZE;
418 bufel = _mbuffer_alloc (cipher_size, cipher_size);
419 if (bufel == NULL)
420 return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
421
422 ret =
423 _gnutls_encrypt (session, headers, header_size, data,
424 send_data_size, _mbuffer_get_udata_ptr (bufel),
425 cipher_size, type, record_params);
426 if (ret <= 0)
427 {
428 gnutls_assert ();
429 if (ret == 0)
430 ret = GNUTLS_E_ENCRYPTION_FAILED;
431 gnutls_free (bufel);
432 return ret; /* error */
433 }
434
435 cipher_size = ret;
436 retval = send_data_size;
437 session->internals.record_send_buffer_user_size = send_data_size;
438
439 /* increase sequence number
440 */
441 if (sequence_increment (session, &record_state->sequence_number) != 0)
442 {
443 session_invalidate (session);
444 gnutls_free (bufel);
445 return gnutls_assert_val(GNUTLS_E_RECORD_LIMIT_REACHED);
446 }
447
448 _mbuffer_set_udata_size (bufel, cipher_size);
449 ret = _gnutls_io_write_buffered (session, bufel, mflags);
450 }
451
452 if (ret != cipher_size)
453 {
454 /* If we have sent any data then just return
455 * the error value. Do not invalidate the session.
456 */
457 if (ret < 0 && gnutls_error_is_fatal (ret) == 0)
458 return gnutls_assert_val(ret);
459
460 if (ret > 0)
461 ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
462
463 session_unresumable (session);
464 session->internals.may_not_write = 1;
465 return gnutls_assert_val(ret);
466 }
467
468 session->internals.record_send_buffer_user_size = 0;
469
470 _gnutls_record_log ("REC[%p]: Sent Packet[%d] %s(%d) in epoch %d and length: %d\n",
471 session,
472 (unsigned int)
473 _gnutls_uint64touint32
474 (&record_state->sequence_number),
475 _gnutls_packet2str (type), type,
476 (int) record_params->epoch,
477 (int) cipher_size);
478
479 return retval;
480 }
481
482 inline static int
483 check_recv_type (gnutls_session_t session, content_type_t recv_type)
484 {
485 switch (recv_type)
486 {
487 case GNUTLS_CHANGE_CIPHER_SPEC:
488 case GNUTLS_ALERT:
489 case GNUTLS_HANDSHAKE:
490 case GNUTLS_HEARTBEAT:
491 case GNUTLS_APPLICATION_DATA:
492 return 0;
493 default:
494 gnutls_assert ();
495 _gnutls_audit_log(session, "Received record packet of unknown type %u\n", (unsigned int)recv_type);
496 return GNUTLS_E_UNEXPECTED_PACKET;
497 }
498
499 }
500
501
502 /* Checks if there are pending data in the record buffers. If there are
503 * then it copies the data.
504 */
505 static int
506 check_buffers (gnutls_session_t session, content_type_t type,
507 uint8_t * data, int data_size, void* seq)
508 {
509 if ((type == GNUTLS_APPLICATION_DATA ||
510 type == GNUTLS_HANDSHAKE ||
511 type == GNUTLS_HEARTBEAT ||
512 type == GNUTLS_CHANGE_CIPHER_SPEC)
513 && _gnutls_record_buffer_get_size (session) > 0)
514 {
515 int ret;
516 ret = _gnutls_record_buffer_get (type, session, data, data_size, seq);
517 if (ret < 0)
518 {
519 if (IS_DTLS(session))
520 {
521 if (ret == GNUTLS_E_UNEXPECTED_PACKET)
522 {
523 ret = GNUTLS_E_AGAIN;
524 }
525 }
526 gnutls_assert ();
527 return ret;
528 }
529
530 return ret;
531 }
532
533 return 0;
534 }
535
536
537
538 /* Here we check if the advertized version is the one we
539 * negotiated in the handshake.
540 */
541 inline static int
542 record_check_version (gnutls_session_t session,
543 gnutls_handshake_description_t htype, uint8_t version[2])
544 {
545 if (htype == GNUTLS_HANDSHAKE_CLIENT_HELLO)
546 {
547 /* Reject hello packets with major version higher than 3.
548 */
549 if (!(IS_DTLS(session)) && version[0] > 3)
550 {
551 gnutls_assert ();
552 _gnutls_record_log
553 ("REC[%p]: INVALID VERSION PACKET: (%d) %d.%d\n", session,
554 htype, version[0], version[1]);
555 return GNUTLS_E_UNSUPPORTED_VERSION_PACKET;
556 }
557 }
558 else if (htype != GNUTLS_HANDSHAKE_SERVER_HELLO &&
559 gnutls_protocol_get_version (session) !=
560 _gnutls_version_get (version[0], version[1]))
561 {
562 /* Reject record packets that have a different version than the
563 * one negotiated. Note that this version is not protected by any
564 * mac. I don't really think that this check serves any purpose.
565 */
566 gnutls_assert ();
567 _gnutls_record_log ("REC[%p]: INVALID VERSION PACKET: (%d) %d.%d\n",
568 session, htype, version[0], version[1]);
569
570 return GNUTLS_E_UNSUPPORTED_VERSION_PACKET;
571 }
572
573 return 0;
574 }
575
576 /* This function will check if the received record type is
577 * the one we actually expect and adds it to the proper
578 * buffer. The bufel will be deinitialized after calling
579 * this function, even if it fails.
580 */
581 static int
582 record_add_to_buffers (gnutls_session_t session,
583 struct tls_record_st *recv, content_type_t type,
584 gnutls_handshake_description_t htype,
585 uint64* seq,
586 mbuffer_st* bufel)
587 {
588
589 int ret;
590
591 if ((recv->type == type)
592 && (type == GNUTLS_APPLICATION_DATA ||
593 type == GNUTLS_CHANGE_CIPHER_SPEC ||
594 type == GNUTLS_HEARTBEAT ||
595 type == GNUTLS_HANDSHAKE))
596 {
597 _gnutls_record_buffer_put (session, type, seq, bufel);
598
599 /* if we received application data as expected then we
600 * deactivate the async timer */
601 _dtls_async_timer_delete(session);
602 }
603 else
604 {
605 /* if the expected type is different than the received
606 */
607 switch (recv->type)
608 {
609 case GNUTLS_ALERT:
610 if (bufel->msg.size < 2)
611 {
612 ret = gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
613 goto unexpected_packet;
614 }
615
616 _gnutls_record_log
617 ("REC[%p]: Alert[%d|%d] - %s - was received\n", session,
618 bufel->msg.data[0], bufel->msg.data[1], gnutls_alert_get_name ((int) bufel->msg.data[1]));
619
620 session->internals.last_alert = bufel->msg.data[1];
621
622 /* if close notify is received and
623 * the alert is not fatal
624 */
625 if (bufel->msg.data[1] == GNUTLS_A_CLOSE_NOTIFY && bufel->msg.data[0] != GNUTLS_AL_FATAL)
626 {
627 /* If we have been expecting for an alert do
628 */
629 session->internals.read_eof = 1;
630 ret = GNUTLS_E_SESSION_EOF;
631 goto cleanup;
632 }
633 else
634 {
635 /* if the alert is FATAL or WARNING
636 * return the apropriate message
637 */
638
639 gnutls_assert ();
640 ret = GNUTLS_E_WARNING_ALERT_RECEIVED;
641 if (bufel->msg.data[0] == GNUTLS_AL_FATAL)
642 {
643 session_unresumable (session);
644 session_invalidate (session);
645 ret = gnutls_assert_val(GNUTLS_E_FATAL_ALERT_RECEIVED);
646 }
647 goto cleanup;
648 }
649 break;
650
651 case GNUTLS_CHANGE_CIPHER_SPEC:
652 if (!(IS_DTLS(session)))
653 return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET);
654
655 _gnutls_record_buffer_put (session, recv->type, seq, bufel);
656
657 break;
658
659 case GNUTLS_HEARTBEAT:
660 ret = _gnutls_heartbeat_handle (session, bufel);
661 goto cleanup;
662
663 case GNUTLS_APPLICATION_DATA:
664 if (session->internals.initial_negotiation_completed == 0)
665 {
666 ret = gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET);
667 goto unexpected_packet;
668 }
669
670
671 /* the got_application data is only returned
672 * if expecting client hello (for rehandshake
673 * reasons). Otherwise it is an unexpected packet
674 */
675 if (type == GNUTLS_ALERT || (htype == GNUTLS_HANDSHAKE_CLIENT_HELLO
676 && type == GNUTLS_HANDSHAKE))
677 {
678 /* even if data is unexpected put it into the buffer */
679 if ((ret =
680 _gnutls_record_buffer_put (session, recv->type, seq,
681 bufel)) < 0)
682 {
683 gnutls_assert ();
684 goto cleanup;
685 }
686
687 return gnutls_assert_val(GNUTLS_E_GOT_APPLICATION_DATA);
688 }
689 else
690 {
691 ret = gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET);
692 goto unexpected_packet;
693 }
694
695 break;
696
697 case GNUTLS_HANDSHAKE:
698 /* In DTLS we might receive a handshake replay from the peer to indicate
699 * the our last TLS handshake messages were not received.
700 */
701 if (IS_DTLS(session))
702 {
703 if (type == GNUTLS_CHANGE_CIPHER_SPEC)
704 {
705 ret = gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET);
706 goto unexpected_packet;
707 }
708
709 if (_dtls_is_async(session) && _dtls_async_timer_active(session))
710 {
711 if (session->security_parameters.entity == GNUTLS_SERVER &&
712 bufel->htype == GNUTLS_HANDSHAKE_CLIENT_HELLO)
713 {
714 /* client requested rehandshake. Delete the timer */
715 _dtls_async_timer_delete(session);
716 }
717 else
718 {
719 ret = _dtls_retransmit(session);
720 if (ret == 0)
721 {
722 ret = gnutls_assert_val(GNUTLS_E_AGAIN);
723 goto unexpected_packet;
724 }
725 goto cleanup;
726 }
727 }
728 }
729
730 /* This is legal if HELLO_REQUEST is received - and we are a client.
731 * If we are a server, a client may initiate a renegotiation at any time.
732 */
733 if (session->security_parameters.entity == GNUTLS_SERVER &&
734 bufel->htype == GNUTLS_HANDSHAKE_CLIENT_HELLO)
735 {
736 gnutls_assert ();
737 ret =
738 _gnutls_record_buffer_put (session, recv->type, seq, bufel);
739 if (ret < 0)
740 {
741 gnutls_assert ();
742 goto cleanup;
743 }
744 return GNUTLS_E_REHANDSHAKE;
745 }
746
747 /* If we are already in a handshake then a Hello
748 * Request is illegal. But here we don't really care
749 * since this message will never make it up here.
750 */
751
752 /* So we accept it, if it is a Hello. If not, this will
753 * fail and trigger flight retransmissions after some time. */
754 ret = _gnutls_recv_hello_request (session, bufel->msg.data, bufel->msg.size);
755 goto unexpected_packet;
756
757 break;
758 default:
759
760 _gnutls_record_log
761 ("REC[%p]: Received unexpected packet %d (%s) expecting %d (%s)\n",
762 session, recv->type, _gnutls_packet2str(recv->type), type, _gnutls_packet2str(type));
763
764 gnutls_assert ();
765 ret = GNUTLS_E_UNEXPECTED_PACKET;
766 goto unexpected_packet;
767 }
768 }
769
770 return 0;
771
772 unexpected_packet:
773 if (IS_DTLS(session) && ret != GNUTLS_E_REHANDSHAKE)
774 {
775 _mbuffer_xfree(&bufel);
776 RETURN_DTLS_EAGAIN_OR_TIMEOUT(session, ret);
777 }
778
779 cleanup:
780 _mbuffer_xfree(&bufel);
781 return ret;
782
783 }
784
785 int _gnutls_get_max_decrypted_data(gnutls_session_t session)
786 {
787 int ret;
788
789 if (gnutls_compression_get (session) != GNUTLS_COMP_NULL ||
790 session->internals.priorities.allow_large_records != 0)
791 ret = MAX_RECORD_RECV_SIZE(session) + EXTRA_COMP_SIZE;
792 else
793 ret = MAX_RECORD_RECV_SIZE(session);
794
795 return ret;
796 }
797
798 /* Checks the record headers and returns the length, version and
799 * content type.
800 */
801 static void
802 record_read_headers (gnutls_session_t session,
803 uint8_t headers[MAX_RECORD_HEADER_SIZE],
804 content_type_t type,
805 gnutls_handshake_description_t htype,
806 struct tls_record_st* record)
807 {
808
809 /* Read the first two bytes to determine if this is a
810 * version 2 message
811 */
812
813 if (htype == GNUTLS_HANDSHAKE_CLIENT_HELLO && type == GNUTLS_HANDSHAKE
814 && headers[0] > 127 && !(IS_DTLS(session)))
815 {
816
817 /* if msb set and expecting handshake message
818 * it should be SSL 2 hello
819 */
820 record->version[0] = 3; /* assume SSL 3.0 */
821 record->version[1] = 0;
822
823 record->length = (((headers[0] & 0x7f) << 8)) | headers[1];
824
825 /* SSL 2.0 headers */
826 record->header_size = record->packet_size = 2;
827 record->type = GNUTLS_HANDSHAKE; /* we accept only v2 client hello
828 */
829
830 /* in order to assist the handshake protocol.
831 * V2 compatibility is a mess.
832 */
833 record->v2 = 1;
834 record->epoch = 0;
835
836 _gnutls_record_log ("REC[%p]: SSL 2.0 %s packet received. Length: %d\n",
837 session,
838 _gnutls_packet2str (record->type),
839 record->length);
840
841 }
842 else
843 {
844 /* dtls version 1.0 and TLS version 1.x */
845 record->v2 = 0;
846
847 record->type = headers[0];
848 record->version[0] = headers[1];
849 record->version[1] = headers[2];
850
851 if(IS_DTLS(session))
852 {
853 memcpy(record->sequence.i, &headers[3], 8);
854 record->length = _gnutls_read_uint16 (&headers[11]);
855 record->epoch = _gnutls_read_uint16(record->sequence.i);
856 }
857 else
858 {
859 record->length = _gnutls_read_uint16 (&headers[3]);
860 record->epoch = 0;
861 }
862
863 _gnutls_record_log ("REC[%p]: SSL %d.%d %s packet received. Epoch %d, length: %d\n",
864 session, (int)record->version[0], (int)record->version[1],
865 _gnutls_packet2str (record->type),
866 (int)record->epoch, record->length);
867
868 }
869
870 record->packet_size += record->length;
871 }
872
873
874 static int recv_headers( gnutls_session_t session, content_type_t type,
875 gnutls_handshake_description_t htype,
876 struct tls_record_st* record,
877 unsigned int ms)
878 {
879 int ret;
880 gnutls_datum_t raw; /* raw headers */
881 /* Read the headers.
882 */
883 record->header_size = record->packet_size = RECORD_HEADER_SIZE(session);
884
885 if ((ret =
886 _gnutls_io_read_buffered (session, record->header_size, -1, ms)) != record->header_size)
887 {
888 if (ret < 0 && gnutls_error_is_fatal (ret) == 0)
889 return ret;
890
891 if (ret > 0)
892 ret = GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
893 else if (ret == 0)
894 ret = GNUTLS_E_PREMATURE_TERMINATION;
895
896 return gnutls_assert_val(ret);
897 }
898
899 ret = _mbuffer_linearize (&session->internals.record_recv_buffer);
900 if (ret < 0)
901 return gnutls_assert_val(ret);
902
903 _mbuffer_head_get_first (&session->internals.record_recv_buffer, &raw);
904 if (raw.size < RECORD_HEADER_SIZE(session))
905 return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
906
907 record_read_headers (session, raw.data, type, htype, record);
908
909 /* Check if the DTLS epoch is valid */
910 if (IS_DTLS(session))
911 {
912 if (_gnutls_epoch_is_valid(session, record->epoch) == 0)
913 {
914 _gnutls_audit_log(session, "Discarded message[%u] with invalid epoch %u.\n",
915 (unsigned int)_gnutls_uint64touint32 (&record->sequence),
916 (unsigned int)record->sequence.i[0]*256+(unsigned int)record->sequence.i[1]);
917 gnutls_assert();
918 /* doesn't matter, just a fatal error */
919 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
920 }
921 }
922
923 /* Here we check if the Type of the received packet is
924 * ok.
925 */
926 if ((ret = check_recv_type (session, record->type)) < 0)
927 return gnutls_assert_val(ret);
928
929 /* Here we check if the advertized version is the one we
930 * negotiated in the handshake.
931 */
932 if ((ret = record_check_version (session, htype, record->version)) < 0)
933 return gnutls_assert_val(ret);
934
935 if (record->length > MAX_RECV_SIZE(session))
936 {
937 _gnutls_audit_log
938 (session, "Received packet with illegal length: %u\n", (unsigned int)record->length);
939 return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
940 }
941
942 _gnutls_record_log
943 ("REC[%p]: Expected Packet %s(%d)\n", session,
944 _gnutls_packet2str (type), type);
945 _gnutls_record_log ("REC[%p]: Received Packet %s(%d) with length: %d\n",
946 session,
947 _gnutls_packet2str (record->type), record->type, record->length);
948
949
950 return 0;
951 }
952
953 #define MAX_EMPTY_PACKETS_SEQUENCE 4
954
955 /* This will receive record layer packets and add them to
956 * application_data_buffer and handshake_data_buffer.
957 *
958 * If the htype is not -1 then handshake timeouts
959 * will be enforced.
960 */
961 ssize_t
962 _gnutls_recv_in_buffers (gnutls_session_t session, content_type_t type,
963 gnutls_handshake_description_t htype)
964 {
965 uint64 *packet_sequence;
966 uint8_t *ciphertext;
967 mbuffer_st* bufel = NULL, *decrypted = NULL;
968 int ret;
969 int empty_packet = 0;
970 record_parameters_st *record_params;
971 record_state_st *record_state;
972 struct tls_record_st record;
973 time_t now, tleft = 0;
974
975 begin:
976
977 if (empty_packet > MAX_EMPTY_PACKETS_SEQUENCE)
978 {
979 gnutls_assert ();
980 return GNUTLS_E_TOO_MANY_EMPTY_PACKETS;
981 }
982
983 memset(&record, 0, sizeof(record));
984
985 if (session->internals.read_eof != 0)
986 {
987 /* if we have already read an EOF
988 */
989 return 0;
990 }
991 else if (session_is_valid (session) != 0
992 || session->internals.may_not_read != 0)
993 return gnutls_assert_val(GNUTLS_E_INVALID_SESSION);
994
995 /* get the record state parameters */
996 ret = _gnutls_epoch_get (session, EPOCH_READ_CURRENT, &record_params);
997 if (ret < 0)
998 return gnutls_assert_val (ret);
999
1000 /* Safeguard against processing data with an incomplete cipher state. */
1001 if (!record_params->initialized)
1002 return gnutls_assert_val (GNUTLS_E_INTERNAL_ERROR);
1003
1004 record_state = &record_params->read;
1005
1006 if (htype != (unsigned)-1 && session->internals.handshake_endtime > 0)
1007 {
1008 now = gnutls_time(0);
1009 if (now < session->internals.handshake_endtime)
1010 tleft = (session->internals.handshake_endtime - now) * 1000;
1011 else
1012 return gnutls_assert_val(GNUTLS_E_TIMEDOUT);
1013 }
1014
1015 /* receive headers */
1016 ret = recv_headers(session, type, htype, &record, tleft);
1017 if (ret < 0)
1018 {
1019 ret = gnutls_assert_val_fatal(ret);
1020 goto recv_error;
1021 }
1022
1023 if (IS_DTLS(session))
1024 packet_sequence = &record.sequence;
1025 else
1026 packet_sequence = &record_state->sequence_number;
1027
1028 if (htype != (unsigned)-1 && session->internals.handshake_endtime > 0)
1029 {
1030 now = gnutls_time(0);
1031 if (now < session->internals.handshake_endtime)
1032 tleft = (session->internals.handshake_endtime - now) * 1000;
1033 else
1034 return gnutls_assert_val(GNUTLS_E_TIMEDOUT);
1035 }
1036
1037 /* Read the packet data and insert it to record_recv_buffer.
1038 */
1039 ret =
1040 _gnutls_io_read_buffered (session, record.packet_size,
1041 record.type, tleft);
1042 if (ret != record.packet_size)
1043 {
1044 gnutls_assert();
1045 goto recv_error;
1046 }
1047
1048 /* ok now we are sure that we have read all the data - so
1049 * move on !
1050 */
1051 ret = _mbuffer_linearize (&session->internals.record_recv_buffer);
1052 if (ret < 0)
1053 return gnutls_assert_val(ret);
1054
1055 bufel = _mbuffer_head_get_first (&session->internals.record_recv_buffer, NULL);
1056 if (bufel == NULL)
1057 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
1058
1059 /* We allocate the maximum possible to allow few compressed bytes to expand to a
1060 * full record.
1061 */
1062 decrypted = _mbuffer_alloc(MAX_RECORD_RECV_SIZE(session),
1063 MAX_RECORD_RECV_SIZE(session));
1064 if (decrypted == NULL)
1065 return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
1066
1067 ciphertext = (uint8_t*)_mbuffer_get_udata_ptr(bufel) + record.header_size;
1068
1069 /* decrypt the data we got.
1070 */
1071 ret =
1072 _gnutls_decrypt (session, ciphertext, record.length,
1073 _mbuffer_get_udata_ptr(decrypted), _mbuffer_get_udata_size(decrypted),
1074 record.type, record_params, packet_sequence);
1075 if (ret >= 0) _mbuffer_set_udata_size(decrypted, ret);
1076
1077 _mbuffer_head_remove_bytes (&session->internals.record_recv_buffer,
1078 record.header_size + record.length);
1079 if (ret < 0)
1080 {
1081 gnutls_assert();
1082 _gnutls_audit_log(session, "Discarded message[%u] due to invalid decryption\n",
1083 (unsigned int)_gnutls_uint64touint32 (packet_sequence));
1084 goto sanity_check_error;
1085 }
1086
1087 /* check for duplicates. We check after the message
1088 * is processed and authenticated to avoid someone
1089 * messing with our windows.
1090 */
1091 if (IS_DTLS(session))
1092 {
1093 ret = _dtls_record_check(record_params, packet_sequence);
1094 if (ret < 0)
1095 {
1096 _gnutls_audit_log(session, "Discarded duplicate message[%u]: %s\n",
1097 (unsigned int) _gnutls_uint64touint32 (packet_sequence), _gnutls_packet2str (record.type));
1098 goto sanity_check_error;
1099 }
1100 _gnutls_record_log
1101 ("REC[%p]: Decrypted Packet[%u.%u] %s(%d) with length: %d\n", session,
1102 (unsigned int)record.sequence.i[0]*256 +(unsigned int)record.sequence.i[1],
1103 (unsigned int) _gnutls_uint64touint32 (packet_sequence),
1104 _gnutls_packet2str (record.type), record.type, (int)_mbuffer_get_udata_size(decrypted));
1105 }
1106 else
1107 {
1108 _gnutls_record_log
1109 ("REC[%p]: Decrypted Packet[%u] %s(%d) with length: %d\n", session,
1110 (unsigned int) _gnutls_uint64touint32 (packet_sequence),
1111 _gnutls_packet2str (record.type), record.type, (int)_mbuffer_get_udata_size(decrypted));
1112 }
1113
1114 /* increase sequence number
1115 */
1116 if (!IS_DTLS(session) && sequence_increment (session, &record_state->sequence_number) != 0)
1117 {
1118 session_invalidate (session);
1119 gnutls_assert ();
1120 ret = GNUTLS_E_RECORD_LIMIT_REACHED;
1121 goto sanity_check_error;
1122 }
1123
1124 /* (originally for) TLS 1.0 CBC protection.
1125 * Actually this code is called if we just received
1126 * an empty packet. An empty TLS packet is usually
1127 * sent to protect some vulnerabilities in the CBC mode.
1128 * In that case we go to the beginning and start reading
1129 * the next packet.
1130 */
1131 if (_mbuffer_get_udata_size(decrypted) == 0)
1132 {
1133 _mbuffer_xfree(&decrypted);
1134 empty_packet++;
1135 goto begin;
1136 }
1137
1138 if (record.v2)
1139 decrypted->htype = GNUTLS_HANDSHAKE_CLIENT_HELLO_V2;
1140 else
1141 {
1142 uint8_t * p = _mbuffer_get_udata_ptr(decrypted);
1143 decrypted->htype = p[0];
1144 }
1145
1146 ret =
1147 record_add_to_buffers (session, &record, type, htype,
1148 packet_sequence, decrypted);
1149
1150 /* bufel is now either deinitialized or buffered somewhere else */
1151
1152 if (ret < 0)
1153 return gnutls_assert_val(ret);
1154
1155 return ret;
1156
1157 discard:
1158 session->internals.dtls.packets_dropped++;
1159
1160 /* discard the whole received fragment. */
1161 bufel = _mbuffer_head_pop_first(&session->internals.record_recv_buffer);
1162 _mbuffer_xfree(&bufel);
1163 return gnutls_assert_val(GNUTLS_E_AGAIN);
1164
1165 sanity_check_error:
1166 if (IS_DTLS(session))
1167 {
1168 session->internals.dtls.packets_dropped++;
1169 ret = gnutls_assert_val(GNUTLS_E_AGAIN);
1170 goto cleanup;
1171 }
1172
1173 session_unresumable (session);
1174 session_invalidate (session);
1175
1176 cleanup:
1177 _mbuffer_xfree(&decrypted);
1178 return ret;
1179
1180 recv_error:
1181 if (ret < 0 && gnutls_error_is_fatal (ret) == 0)
1182 return ret;
1183
1184 if (IS_DTLS(session))
1185 {
1186 goto discard;
1187 }
1188
1189 session_invalidate (session);
1190 if (type == GNUTLS_ALERT) /* we were expecting close notify */
1191 {
1192 gnutls_assert ();
1193 return 0;
1194 }
1195 session_unresumable (session);
1196
1197 if (ret == 0)
1198 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
1199 else
1200 return ret;
1201 }
1202
1203 /* This function behaves exactly like read(). The only difference is
1204 * that it accepts the gnutls_session_t and the content_type_t of data to
1205 * receive (if called by the user the Content is Userdata only)
1206 * It is intended to receive data, under the current session.
1207 *
1208 * The gnutls_handshake_description_t was introduced to support SSL V2.0 client hellos.
1209 */
1210 ssize_t
1211 _gnutls_recv_int (gnutls_session_t session, content_type_t type,
1212 gnutls_handshake_description_t htype,
1213 uint8_t * data, size_t data_size, void* seq)
1214 {
1215 int ret;
1216
1217 if (type != GNUTLS_ALERT && (data_size == 0 || data == NULL))
1218 {
1219 return GNUTLS_E_INVALID_REQUEST;
1220 }
1221
1222 if (session->internals.read_eof != 0)
1223 {
1224 /* if we have already read an EOF
1225 */
1226 return 0;
1227 }
1228 else if (session_is_valid (session) != 0
1229 || session->internals.may_not_read != 0)
1230 {
1231 gnutls_assert ();
1232 return GNUTLS_E_INVALID_SESSION;
1233 }
1234
1235 _dtls_async_timer_check(session);
1236
1237 /* If we have enough data in the cache do not bother receiving
1238 * a new packet. (in order to flush the cache)
1239 */
1240 ret = check_buffers (session, type, data, data_size, seq);
1241 if (ret != 0)
1242 return ret;
1243
1244 ret = _gnutls_recv_in_buffers(session, type, htype);
1245 if (ret < 0 && ret != GNUTLS_E_SESSION_EOF)
1246 return gnutls_assert_val(ret);
1247
1248 return check_buffers (session, type, data, data_size, seq);
1249 }
1250
1251 /**
1252 * gnutls_record_send:
1253 * @session: is a #gnutls_session_t structure.
1254 * @data: contains the data to send
1255 * @data_size: is the length of the data
1256 *
1257 * This function has the similar semantics with send(). The only
1258 * difference is that it accepts a GnuTLS session, and uses different
1259 * error codes.
1260 * Note that if the send buffer is full, send() will block this
1261 * function. See the send() documentation for full information. You
1262 * can replace the default push function by using
1263 * gnutls_transport_set_ptr2() with a call to send() with a
1264 * MSG_DONTWAIT flag if blocking is a problem.
1265 * If the EINTR is returned by the internal push function (the
1266 * default is send()) then %GNUTLS_E_INTERRUPTED will be returned. If
1267 * %GNUTLS_E_INTERRUPTED or %GNUTLS_E_AGAIN is returned, you must
1268 * call this function again, with the same parameters; alternatively
1269 * you could provide a %NULL pointer for data, and 0 for
1270 * size. cf. gnutls_record_get_direction(). The errno value EMSGSIZE
1271 * maps to %GNUTLS_E_LARGE_PACKET.
1272 *
1273 * Returns: The number of bytes sent, or a negative error code. The
1274 * number of bytes sent might be less than @data_size. The maximum
1275 * number of bytes this function can send in a single call depends
1276 * on the negotiated maximum record size.
1277 **/
1278 ssize_t
1279 gnutls_record_send (gnutls_session_t session, const void *data,
1280 size_t data_size)
1281 {
1282 return _gnutls_send_int (session, GNUTLS_APPLICATION_DATA, -1,
1283 EPOCH_WRITE_CURRENT, data, data_size,
1284 MBUFFER_FLUSH);
1285 }
1286
1287 /**
1288 * gnutls_record_recv:
1289 * @session: is a #gnutls_session_t structure.
1290 * @data: the buffer that the data will be read into
1291 * @data_size: the number of requested bytes
1292 *
1293 * This function has the similar semantics with recv(). The only
1294 * difference is that it accepts a GnuTLS session, and uses different
1295 * error codes.
1296 * In the special case that a server requests a renegotiation, the
1297 * client may receive an error code of %GNUTLS_E_REHANDSHAKE. This
1298 * message may be simply ignored, replied with an alert
1299 * %GNUTLS_A_NO_RENEGOTIATION, or replied with a new handshake,
1300 * depending on the client's will.
1301 * If %EINTR is returned by the internal push function (the default
1302 * is recv()) then %GNUTLS_E_INTERRUPTED will be returned. If
1303 * %GNUTLS_E_INTERRUPTED or %GNUTLS_E_AGAIN is returned, you must
1304 * call this function again to get the data. See also
1305 * gnutls_record_get_direction().
1306 * A server may also receive %GNUTLS_E_REHANDSHAKE when a client has
1307 * initiated a handshake. In that case the server can only initiate a
1308 * handshake or terminate the connection.
1309 *
1310 * Returns: The number of bytes received and zero on EOF (for stream
1311 * connections). A negative error code is returned in case of an error.
1312 * The number of bytes received might be less than the requested @data_size.
1313 **/
1314 ssize_t
1315 gnutls_record_recv (gnutls_session_t session, void *data, size_t data_size) {
1316 return _gnutls_recv_int (session, GNUTLS_APPLICATION_DATA, -1, data, data_size, NULL);
1317 }
1318
1319 /**
1320 * gnutls_record_recv_seq:
1321 * @session: is a #gnutls_session_t structure.
1322 * @data: the buffer that the data will be read into
1323 * @data_size: the number of requested bytes
1324 * @seq: is the packet's 64-bit sequence number. Should have space for 8 bytes.
1325 *
1326 * This function is the same as gnutls_record_recv(), except that
1327 * it returns in addition to data, the sequence number of the data.
1328 * This is useful in DTLS where record packets might be received
1329 * out-of-order. The returned 8-byte sequence number is an
1330 * integer in big-endian format and should be
1331 * treated as a unique message identification.
1332 *
1333 * Returns: The number of bytes received and zero on EOF. A negative
1334 * error code is returned in case of an error. The number of bytes
1335 * received might be less than @data_size.
1336 *
1337 * Since: 3.0
1338 **/
1339 ssize_t
1340 gnutls_record_recv_seq (gnutls_session_t session, void *data, size_t data_size,
1341 unsigned char *seq)
1342 {
1343 return _gnutls_recv_int (session, GNUTLS_APPLICATION_DATA, -1, data,
1344 data_size, seq);
1345 }
Implementation of the SSL/TLS protocol