2 * Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation
4 * Author: Nikos Mavrogiannopoulos
6 * This file is part of GNUTLS.
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
25 /* Functions to manipulate the session (gnutls_int.h), and some other stuff
26 * are included here. The file's name is traditionally gnutls_state even if the
27 * state has been renamed to session.
30 #include <gnutls_int.h>
31 #include <gnutls_errors.h>
32 #include <gnutls_auth.h>
33 #include <gnutls_num.h>
34 #include <gnutls_datum.h>
35 #include <gnutls_db.h>
36 #include <gnutls_record.h>
37 #include <gnutls_handshake.h>
38 #include <gnutls_dh.h>
39 #include <gnutls_buffers.h>
40 #include <gnutls_state.h>
41 #include <auth_cert.h>
42 #include <auth_anon.h>
44 #include <gnutls_algorithms.h>
45 #include <gnutls_rsa_export.h>
47 /* These should really be static, but src/tests.c calls them. Make
48 them public functions? */
50 _gnutls_record_set_default_version (gnutls_session_t session
,
51 unsigned char major
, unsigned char minor
);
53 _gnutls_rsa_pms_set_version (gnutls_session_t session
,
54 unsigned char major
, unsigned char minor
);
57 _gnutls_session_cert_type_set (gnutls_session_t session
,
58 gnutls_certificate_type_t ct
)
60 session
->security_parameters
.cert_type
= ct
;
64 * gnutls_cipher_get - Returns the currently used cipher.
65 * @session: is a #gnutls_session_t structure.
67 * Get currently used cipher.
69 * Returns: the currently used cipher, a #gnutls_cipher_algorithm_t
72 gnutls_cipher_algorithm_t
73 gnutls_cipher_get (gnutls_session_t session
)
75 return session
->security_parameters
.read_bulk_cipher_algorithm
;
79 * gnutls_certificate_type_get - Returns the currently used certificate type.
80 * @session: is a #gnutls_session_t structure.
82 * The certificate type is by default X.509, unless it is negotiated
85 * Returns: the currently used #gnutls_certificate_type_t certificate
88 gnutls_certificate_type_t
89 gnutls_certificate_type_get (gnutls_session_t session
)
91 return session
->security_parameters
.cert_type
;
95 * gnutls_kx_get - Returns the key exchange algorithm.
96 * @session: is a #gnutls_session_t structure.
98 * Get currently used key exchange algorithm.
100 * Returns: the key exchange algorithm used in the last handshake, a
101 * #gnutls_kx_algorithm_t value.
103 gnutls_kx_algorithm_t
104 gnutls_kx_get (gnutls_session_t session
)
106 return session
->security_parameters
.kx_algorithm
;
110 * gnutls_mac_get - Returns the currently used mac algorithm.
111 * @session: is a #gnutls_session_t structure.
113 * Get currently used MAC algorithm.
115 * Returns: the currently used mac algorithm, a
116 * #gnutls_mac_algorithm_t value.
118 gnutls_mac_algorithm_t
119 gnutls_mac_get (gnutls_session_t session
)
121 return session
->security_parameters
.read_mac_algorithm
;
125 * gnutls_compression_get - Returns the currently used compression algorithm.
126 * @session: is a #gnutls_session_t structure.
128 * Get currently used compression algorithm.
130 * Returns: the currently used compression method, a
131 * #gnutls_compression_method_t value.
133 gnutls_compression_method_t
134 gnutls_compression_get (gnutls_session_t session
)
136 return session
->security_parameters
.read_compression_algorithm
;
139 /* Check if the given certificate type is supported.
140 * This means that it is enabled by the priority functions,
141 * and a matching certificate exists.
144 _gnutls_session_cert_type_supported (gnutls_session_t session
,
145 gnutls_certificate_type_t cert_type
)
148 unsigned cert_found
= 0;
149 gnutls_certificate_credentials_t cred
;
151 if (session
->security_parameters
.entity
== GNUTLS_SERVER
)
153 cred
= (gnutls_certificate_credentials_t
)
154 _gnutls_get_cred (session
->key
, GNUTLS_CRD_CERTIFICATE
, NULL
);
157 return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE
;
159 if (cred
->server_get_cert_callback
== NULL
)
161 for (i
= 0; i
< cred
->ncerts
; i
++)
163 if (cred
->cert_list
[i
][0].cert_type
== cert_type
)
171 /* no certificate is of that type.
173 return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE
;
177 if (session
->internals
.priorities
.cert_type
.algorithms
== 0
178 && cert_type
== DEFAULT_CERT_TYPE
)
181 for (i
= 0; i
< session
->internals
.priorities
.cert_type
.algorithms
; i
++)
183 if (session
->internals
.priorities
.cert_type
.priority
[i
] == cert_type
)
189 return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE
;
193 /* this function deinitializes all the internal parameters stored
194 * in a session struct.
197 deinit_internal_params (gnutls_session_t session
)
199 if (session
->internals
.params
.free_dh_params
)
200 gnutls_dh_params_deinit (session
->internals
.params
.dh_params
);
202 if (session
->internals
.params
.free_rsa_params
)
203 gnutls_rsa_params_deinit (session
->internals
.params
.rsa_params
);
205 _gnutls_handshake_hash_buffers_clear(session
);
207 memset (&session
->internals
.params
, 0, sizeof (session
->internals
.params
));
210 /* This function will clear all the variables in internals
211 * structure within the session, which depend on the current handshake.
212 * This is used to allow further handshakes.
215 _gnutls_handshake_internal_state_init (gnutls_session_t session
)
217 session
->internals
.extensions_sent_size
= 0;
219 /* by default no selected certificate */
220 session
->internals
.proposed_record_size
= DEFAULT_MAX_RECORD_SIZE
;
221 session
->internals
.adv_version_major
= 0;
222 session
->internals
.adv_version_minor
= 0;
223 session
->internals
.v2_hello
= 0;
224 memset (&session
->internals
.handshake_header_buffer
, 0,
225 sizeof (handshake_header_buffer_st
));
226 session
->internals
.adv_version_minor
= 0;
227 session
->internals
.adv_version_minor
= 0;
228 session
->internals
.direction
= 0;
230 /* use out of band data for the last
231 * handshake messages received.
233 session
->internals
.last_handshake_in
= -1;
234 session
->internals
.last_handshake_out
= -1;
236 session
->internals
.resumable
= RESUME_TRUE
;
240 _gnutls_handshake_internal_state_clear (gnutls_session_t session
)
242 _gnutls_handshake_internal_state_init(session
);
244 _gnutls_free_datum (&session
->internals
.recv_buffer
);
246 deinit_internal_params (session
);
250 #define MIN_DH_BITS 727
252 * gnutls_init - initialize the session to null (null encryption etc...).
253 * @con_end: indicate if this session is to be used for server or client.
254 * @session: is a pointer to a #gnutls_session_t structure.
256 * This function initializes the current session to null. Every
257 * session must be initialized before use, so internal structures can
258 * be allocated. This function allocates structures which can only
259 * be free'd by calling gnutls_deinit(). Returns zero on success.
261 * @con_end can be one of %GNUTLS_CLIENT and %GNUTLS_SERVER.
263 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
266 gnutls_init (gnutls_session_t
* session
, gnutls_connection_end_t con_end
)
268 *session
= gnutls_calloc (1, sizeof (struct gnutls_session_int
));
269 if (*session
== NULL
)
270 return GNUTLS_E_MEMORY_ERROR
;
272 (*session
)->security_parameters
.entity
= con_end
;
274 /* the default certificate type for TLS */
275 (*session
)->security_parameters
.cert_type
= DEFAULT_CERT_TYPE
;
277 /* Set the defaults for initial handshake */
278 (*session
)->security_parameters
.read_bulk_cipher_algorithm
=
279 (*session
)->security_parameters
.write_bulk_cipher_algorithm
=
282 (*session
)->security_parameters
.read_mac_algorithm
=
283 (*session
)->security_parameters
.write_mac_algorithm
= GNUTLS_MAC_NULL
;
285 (*session
)->security_parameters
.read_compression_algorithm
=
287 (*session
)->security_parameters
.write_compression_algorithm
=
290 (*session
)->internals
.enable_private
= 0;
292 /* Initialize buffers */
293 _gnutls_buffer_init (&(*session
)->internals
.application_data_buffer
);
294 _gnutls_buffer_init (&(*session
)->internals
.handshake_data_buffer
);
295 _gnutls_buffer_init (&(*session
)->internals
.handshake_hash_buffer
);
296 _gnutls_buffer_init (&(*session
)->internals
.ia_data_buffer
);
298 _gnutls_buffer_init (&(*session
)->internals
.record_send_buffer
);
299 _gnutls_buffer_init (&(*session
)->internals
.record_recv_buffer
);
301 _gnutls_buffer_init (&(*session
)->internals
.handshake_send_buffer
);
302 _gnutls_buffer_init (&(*session
)->internals
.handshake_recv_buffer
);
304 (*session
)->key
= gnutls_calloc (1, sizeof (struct gnutls_key_st
));
305 if ((*session
)->key
== NULL
)
308 gnutls_free (*session
);
310 return GNUTLS_E_MEMORY_ERROR
;
313 (*session
)->internals
.expire_time
= DEFAULT_EXPIRE_TIME
; /* one hour default */
315 gnutls_dh_set_prime_bits ((*session
), MIN_DH_BITS
);
317 gnutls_transport_set_lowat ((*session
), DEFAULT_LOWAT
); /* the default for tcp */
319 gnutls_handshake_set_max_packet_length ((*session
),
320 MAX_HANDSHAKE_PACKET_SIZE
);
322 /* Allocate a minimum size for recv_data
323 * This is allocated in order to avoid small messages, making
324 * the receive procedure slow.
326 if (_gnutls_buffer_resize (&(*session
)->internals
.record_recv_buffer
,
327 INITIAL_RECV_BUFFER_SIZE
))
329 gnutls_free ((*session
)->key
);
330 goto cleanup_session
;
333 /* set the socket pointers to -1;
335 (*session
)->internals
.transport_recv_ptr
= (gnutls_transport_ptr_t
) - 1;
336 (*session
)->internals
.transport_send_ptr
= (gnutls_transport_ptr_t
) - 1;
338 /* set the default maximum record size for TLS
340 (*session
)->security_parameters
.max_record_recv_size
=
341 DEFAULT_MAX_RECORD_SIZE
;
342 (*session
)->security_parameters
.max_record_send_size
=
343 DEFAULT_MAX_RECORD_SIZE
;
345 /* everything else not initialized here is initialized
346 * as NULL or 0. This is why calloc is used.
349 _gnutls_handshake_internal_state_init (*session
);
354 /* returns RESUME_FALSE or RESUME_TRUE.
357 _gnutls_session_is_resumable (gnutls_session_t session
)
359 return session
->internals
.resumable
;
364 * gnutls_deinit - clear all buffers associated with a session
365 * @session: is a #gnutls_session_t structure.
367 * This function clears all buffers associated with the @session.
368 * This function will also remove session data from the session
369 * database if the session was terminated abnormally.
372 gnutls_deinit (gnutls_session_t session
)
378 /* remove auth info firstly */
379 _gnutls_free_auth_info (session
);
381 _gnutls_handshake_internal_state_clear (session
);
382 _gnutls_handshake_io_buffer_clear (session
);
384 _gnutls_free_datum (&session
->connection_state
.read_mac_secret
);
385 _gnutls_free_datum (&session
->connection_state
.write_mac_secret
);
387 _gnutls_buffer_clear (&session
->internals
.ia_data_buffer
);
388 _gnutls_buffer_clear (&session
->internals
.handshake_hash_buffer
);
389 _gnutls_buffer_clear (&session
->internals
.handshake_data_buffer
);
390 _gnutls_buffer_clear (&session
->internals
.application_data_buffer
);
391 _gnutls_buffer_clear (&session
->internals
.record_recv_buffer
);
392 _gnutls_buffer_clear (&session
->internals
.record_send_buffer
);
394 gnutls_credentials_clear (session
);
395 _gnutls_selected_certs_deinit (session
);
397 _gnutls_cipher_deinit (&session
->connection_state
.read_cipher_state
);
398 _gnutls_cipher_deinit (&session
->connection_state
.write_cipher_state
);
400 if (session
->connection_state
.read_compression_state
!= NULL
)
401 _gnutls_comp_deinit (session
->connection_state
.read_compression_state
, 1);
402 if (session
->connection_state
.write_compression_state
!= NULL
)
403 _gnutls_comp_deinit (session
->connection_state
.write_compression_state
,
406 _gnutls_free_datum (&session
->cipher_specs
.server_write_mac_secret
);
407 _gnutls_free_datum (&session
->cipher_specs
.client_write_mac_secret
);
408 _gnutls_free_datum (&session
->cipher_specs
.server_write_IV
);
409 _gnutls_free_datum (&session
->cipher_specs
.client_write_IV
);
410 _gnutls_free_datum (&session
->cipher_specs
.server_write_key
);
411 _gnutls_free_datum (&session
->cipher_specs
.client_write_key
);
413 if (session
->key
!= NULL
)
415 _gnutls_mpi_release (&session
->key
->KEY
);
416 _gnutls_mpi_release (&session
->key
->client_Y
);
417 _gnutls_mpi_release (&session
->key
->client_p
);
418 _gnutls_mpi_release (&session
->key
->client_g
);
420 _gnutls_mpi_release (&session
->key
->u
);
421 _gnutls_mpi_release (&session
->key
->a
);
422 _gnutls_mpi_release (&session
->key
->x
);
423 _gnutls_mpi_release (&session
->key
->A
);
424 _gnutls_mpi_release (&session
->key
->B
);
425 _gnutls_mpi_release (&session
->key
->b
);
428 _gnutls_mpi_release (&session
->key
->rsa
[0]);
429 _gnutls_mpi_release (&session
->key
->rsa
[1]);
431 _gnutls_mpi_release (&session
->key
->dh_secret
);
432 gnutls_free (session
->key
);
437 gnutls_free (session
->internals
.srp_username
);
439 if (session
->internals
.srp_password
)
441 memset (session
->internals
.srp_password
, 0,
442 strlen (session
->internals
.srp_password
));
443 gnutls_free (session
->internals
.srp_password
);
446 gnutls_free (session
->security_parameters
.extensions
.session_ticket
);
447 gnutls_free (session
->internals
.resumed_security_parameters
.extensions
.
450 memset (session
, 0, sizeof (struct gnutls_session_int
));
451 gnutls_free (session
);
454 /* Returns the minimum prime bits that are acceptable.
457 _gnutls_dh_get_allowed_prime_bits (gnutls_session_t session
)
459 return session
->internals
.dh_prime_bits
;
463 _gnutls_dh_set_peer_public (gnutls_session_t session
, bigint_t
public)
468 switch (gnutls_auth_get_type (session
))
470 case GNUTLS_CRD_ANON
:
472 anon_auth_info_t info
;
473 info
= _gnutls_get_auth_info (session
);
475 return GNUTLS_E_INTERNAL_ERROR
;
482 psk_auth_info_t info
;
483 info
= _gnutls_get_auth_info (session
);
485 return GNUTLS_E_INTERNAL_ERROR
;
490 case GNUTLS_CRD_CERTIFICATE
:
492 cert_auth_info_t info
;
494 info
= _gnutls_get_auth_info (session
);
496 return GNUTLS_E_INTERNAL_ERROR
;
503 return GNUTLS_E_INTERNAL_ERROR
;
506 if (dh
->public_key
.data
)
507 _gnutls_free_datum (&dh
->public_key
);
509 ret
= _gnutls_mpi_dprint_lz (public, &dh
->public_key
);
520 _gnutls_dh_set_secret_bits (gnutls_session_t session
, unsigned bits
)
522 switch (gnutls_auth_get_type (session
))
524 case GNUTLS_CRD_ANON
:
526 anon_auth_info_t info
;
527 info
= _gnutls_get_auth_info (session
);
529 return GNUTLS_E_INTERNAL_ERROR
;
530 info
->dh
.secret_bits
= bits
;
535 psk_auth_info_t info
;
536 info
= _gnutls_get_auth_info (session
);
538 return GNUTLS_E_INTERNAL_ERROR
;
539 info
->dh
.secret_bits
= bits
;
542 case GNUTLS_CRD_CERTIFICATE
:
544 cert_auth_info_t info
;
546 info
= _gnutls_get_auth_info (session
);
548 return GNUTLS_E_INTERNAL_ERROR
;
550 info
->dh
.secret_bits
= bits
;
554 return GNUTLS_E_INTERNAL_ERROR
;
561 /* This function will set in the auth info structure the
562 * RSA exponent and the modulus.
565 _gnutls_rsa_export_set_pubkey (gnutls_session_t session
,
566 bigint_t exponent
, bigint_t modulus
)
568 cert_auth_info_t info
;
571 info
= _gnutls_get_auth_info (session
);
573 return GNUTLS_E_INTERNAL_ERROR
;
575 if (info
->rsa_export
.modulus
.data
)
576 _gnutls_free_datum (&info
->rsa_export
.modulus
);
578 if (info
->rsa_export
.exponent
.data
)
579 _gnutls_free_datum (&info
->rsa_export
.exponent
);
581 ret
= _gnutls_mpi_dprint_lz (modulus
, &info
->rsa_export
.modulus
);
588 ret
= _gnutls_mpi_dprint_lz (exponent
, &info
->rsa_export
.exponent
);
592 _gnutls_free_datum (&info
->rsa_export
.modulus
);
600 /* Sets the prime and the generator in the auth info structure.
603 _gnutls_dh_set_group (gnutls_session_t session
, bigint_t gen
, bigint_t prime
)
608 switch (gnutls_auth_get_type (session
))
610 case GNUTLS_CRD_ANON
:
612 anon_auth_info_t info
;
613 info
= _gnutls_get_auth_info (session
);
615 return GNUTLS_E_INTERNAL_ERROR
;
622 psk_auth_info_t info
;
623 info
= _gnutls_get_auth_info (session
);
625 return GNUTLS_E_INTERNAL_ERROR
;
630 case GNUTLS_CRD_CERTIFICATE
:
632 cert_auth_info_t info
;
634 info
= _gnutls_get_auth_info (session
);
636 return GNUTLS_E_INTERNAL_ERROR
;
643 return GNUTLS_E_INTERNAL_ERROR
;
647 _gnutls_free_datum (&dh
->prime
);
649 if (dh
->generator
.data
)
650 _gnutls_free_datum (&dh
->generator
);
654 ret
= _gnutls_mpi_dprint_lz (prime
, &dh
->prime
);
663 ret
= _gnutls_mpi_dprint_lz (gen
, &dh
->generator
);
667 _gnutls_free_datum (&dh
->prime
);
674 #ifdef ENABLE_OPENPGP
676 * gnutls_openpgp_send_cert - order gnutls to send the openpgp fingerprint instead of the key
677 * @session: is a pointer to a #gnutls_session_t structure.
678 * @status: is one of GNUTLS_OPENPGP_CERT, or GNUTLS_OPENPGP_CERT_FINGERPRINT
680 * This function will order gnutls to send the key fingerprint
681 * instead of the key in the initial handshake procedure. This should
682 * be used with care and only when there is indication or knowledge
683 * that the server can obtain the client's key.
686 gnutls_openpgp_send_cert (gnutls_session_t session
,
687 gnutls_openpgp_crt_status_t status
)
689 session
->internals
.pgp_fingerprint
= status
;
694 * gnutls_certificate_send_x509_rdn_sequence - order gnutls to send or not the x.509 rdn sequence
695 * @session: is a pointer to a #gnutls_session_t structure.
698 * If status is non zero, this function will order gnutls not to send
699 * the rdnSequence in the certificate request message. That is the
700 * server will not advertize it's trusted CAs to the peer. If status
701 * is zero then the default behaviour will take effect, which is to
702 * advertize the server's trusted CAs.
704 * This function has no effect in clients, and in authentication
705 * methods other than certificate with X.509 certificates.
708 gnutls_certificate_send_x509_rdn_sequence (gnutls_session_t session
,
711 session
->internals
.ignore_rdn_sequence
= status
;
714 #ifdef ENABLE_OPENPGP
716 _gnutls_openpgp_send_fingerprint (gnutls_session_t session
)
718 return session
->internals
.pgp_fingerprint
;
723 * _gnutls_record_set_default_version - Used to set the default version for the first record packet
724 * @session: is a #gnutls_session_t structure.
725 * @major: is a tls major version
726 * @minor: is a tls minor version
728 * This function sets the default version that we will use in the first
729 * record packet (client hello). This function is only useful to people
730 * that know TLS internals and want to debug other implementations.
734 _gnutls_record_set_default_version (gnutls_session_t session
,
735 unsigned char major
, unsigned char minor
)
737 session
->internals
.default_record_version
[0] = major
;
738 session
->internals
.default_record_version
[1] = minor
;
742 * gnutls_handshake_set_private_extensions - Used to enable the private cipher suites
743 * @session: is a #gnutls_session_t structure.
744 * @allow: is an integer (0 or 1)
746 * This function will enable or disable the use of private cipher
747 * suites (the ones that start with 0xFF). By default or if @allow
748 * is 0 then these cipher suites will not be advertized nor used.
750 * Unless this function is called with the option to allow (1), then
751 * no compression algorithms, like LZO. That is because these
752 * algorithms are not yet defined in any RFC or even internet draft.
754 * Enabling the private ciphersuites when talking to other than
755 * gnutls servers and clients may cause interoperability problems.
758 gnutls_handshake_set_private_extensions (gnutls_session_t session
, int allow
)
760 session
->internals
.enable_private
= allow
;
764 _gnutls_cal_PRF_A (gnutls_mac_algorithm_t algorithm
,
765 const void *secret
, int secret_size
,
766 const void *seed
, int seed_size
, void *result
)
771 ret
= _gnutls_hmac_init (&td1
, algorithm
, secret
, secret_size
);
778 _gnutls_hmac (&td1
, seed
, seed_size
);
779 _gnutls_hmac_deinit (&td1
, result
);
784 #define MAX_SEED_SIZE 200
786 /* Produces "total_bytes" bytes using the hash algorithm specified.
787 * (used in the PRF function)
790 _gnutls_P_hash (gnutls_mac_algorithm_t algorithm
,
791 const opaque
* secret
, int secret_size
,
792 const opaque
* seed
, int seed_size
,
793 int total_bytes
, opaque
* ret
)
797 int i
, times
, how
, blocksize
, A_size
;
798 opaque final
[MAX_HASH_SIZE
], Atmp
[MAX_SEED_SIZE
];
799 int output_bytes
, result
;
801 if (seed_size
> MAX_SEED_SIZE
|| total_bytes
<= 0)
804 return GNUTLS_E_INTERNAL_ERROR
;
807 blocksize
= _gnutls_hmac_get_algo_len (algorithm
);
812 output_bytes
+= blocksize
;
814 while (output_bytes
< total_bytes
);
818 memcpy (Atmp
, seed
, seed_size
);
821 times
= output_bytes
/ blocksize
;
823 for (i
= 0; i
< times
; i
++)
825 result
= _gnutls_hmac_init (&td2
, algorithm
, secret
, secret_size
);
832 /* here we calculate A(i+1) */
834 _gnutls_cal_PRF_A (algorithm
, secret
, secret_size
, Atmp
,
838 _gnutls_hmac_deinit (&td2
, final
);
844 _gnutls_hmac (&td2
, Atmp
, A_size
);
845 _gnutls_hmac (&td2
, seed
, seed_size
);
846 _gnutls_hmac_deinit (&td2
, final
);
848 if ((1 + i
) * blocksize
< total_bytes
)
854 how
= total_bytes
- (i
) * blocksize
;
859 memcpy (&ret
[i
* blocksize
], final
, how
);
866 /* Xor's two buffers and puts the output in the first one.
869 _gnutls_xor (opaque
* o1
, opaque
* o2
, int length
)
872 for (i
= 0; i
< length
; i
++)
880 #define MAX_PRF_BYTES 200
882 /* The PRF function expands a given secret
883 * needed by the TLS specification. ret must have a least total_bytes
887 _gnutls_PRF (gnutls_session_t session
,
888 const opaque
* secret
, int secret_size
, const char *label
,
889 int label_size
, const opaque
* seed
, int seed_size
,
890 int total_bytes
, void *ret
)
892 int l_s
, s_seed_size
;
893 const opaque
*s1
, *s2
;
894 opaque s_seed
[MAX_SEED_SIZE
];
895 opaque o1
[MAX_PRF_BYTES
], o2
[MAX_PRF_BYTES
];
897 gnutls_protocol_t ver
= gnutls_protocol_get_version (session
);
899 if (total_bytes
> MAX_PRF_BYTES
)
902 return GNUTLS_E_INTERNAL_ERROR
;
904 /* label+seed = s_seed */
905 s_seed_size
= seed_size
+ label_size
;
907 if (s_seed_size
> MAX_SEED_SIZE
)
910 return GNUTLS_E_INTERNAL_ERROR
;
913 memcpy (s_seed
, label
, label_size
);
914 memcpy (&s_seed
[label_size
], seed
, seed_size
);
916 if (_gnutls_version_has_selectable_prf(ver
))
919 _gnutls_P_hash (GNUTLS_MAC_SHA256
, secret
, secret_size
,
920 s_seed
, s_seed_size
, total_bytes
, ret
);
929 l_s
= secret_size
/ 2;
934 if (secret_size
% 2 != 0)
940 _gnutls_P_hash (GNUTLS_MAC_MD5
, s1
, l_s
, s_seed
, s_seed_size
,
949 _gnutls_P_hash (GNUTLS_MAC_SHA1
, s2
, l_s
, s_seed
, s_seed_size
,
957 _gnutls_xor (o1
, o2
, total_bytes
);
959 memcpy (ret
, o1
, total_bytes
);
967 * gnutls_prf_raw - access the TLS PRF directly
968 * @session: is a #gnutls_session_t structure.
969 * @label_size: length of the @label variable.
970 * @label: label used in PRF computation, typically a short string.
971 * @seed_size: length of the @seed variable.
972 * @seed: optional extra data to seed the PRF with.
973 * @outsize: size of pre-allocated output buffer to hold the output.
974 * @out: pre-allocate buffer to hold the generated data.
976 * Apply the TLS Pseudo-Random-Function (PRF) using the master secret
979 * The @label variable usually contain a string denoting the purpose
980 * for the generated data. The @seed usually contain data such as the
981 * client and server random, perhaps together with some additional
982 * data that is added to guarantee uniqueness of the output for a
983 * particular purpose.
985 * Because the output is not guaranteed to be unique for a particular
986 * session unless @seed include the client random and server random
987 * fields (the PRF would output the same data on another connection
988 * resumed from the first one), it is not recommended to use this
989 * function directly. The gnutls_prf() function seed the PRF with the
990 * client and server random fields directly, and is recommended if you
991 * want to generate pseudo random data unique for each session.
993 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
996 gnutls_prf_raw (gnutls_session_t session
,
999 size_t seed_size
, const char *seed
, size_t outsize
, char *out
)
1003 ret
= _gnutls_PRF (session
,
1004 session
->security_parameters
.master_secret
,
1007 label_size
, (opaque
*) seed
, seed_size
, outsize
, out
);
1013 * gnutls_prf - derive pseudo-random data using the TLS PRF
1014 * @session: is a #gnutls_session_t structure.
1015 * @label_size: length of the @label variable.
1016 * @label: label used in PRF computation, typically a short string.
1017 * @server_random_first: non-0 if server random field should be first in seed
1018 * @extra_size: length of the @extra variable.
1019 * @extra: optional extra data to seed the PRF with.
1020 * @outsize: size of pre-allocated output buffer to hold the output.
1021 * @out: pre-allocate buffer to hold the generated data.
1023 * Apply the TLS Pseudo-Random-Function (PRF) using the master secret
1024 * on some data, seeded with the client and server random fields.
1026 * The @label variable usually contain a string denoting the purpose
1027 * for the generated data. The @server_random_first indicate whether
1028 * the client random field or the server random field should be first
1029 * in the seed. Non-0 indicate that the server random field is first,
1030 * 0 that the client random field is first.
1032 * The @extra variable can be used to add more data to the seed, after
1033 * the random variables. It can be used to tie make sure the
1034 * generated output is strongly connected to some additional data
1035 * (e.g., a string used in user authentication).
1037 * The output is placed in *@OUT, which must be pre-allocated.
1039 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
1042 gnutls_prf (gnutls_session_t session
,
1045 int server_random_first
,
1046 size_t extra_size
, const char *extra
, size_t outsize
, char *out
)
1050 size_t seedsize
= 2 * GNUTLS_RANDOM_SIZE
+ extra_size
;
1052 seed
= gnutls_malloc (seedsize
);
1056 return GNUTLS_E_MEMORY_ERROR
;
1059 memcpy (seed
, server_random_first
?
1060 session
->security_parameters
.server_random
:
1061 session
->security_parameters
.client_random
, GNUTLS_RANDOM_SIZE
);
1062 memcpy (seed
+ GNUTLS_RANDOM_SIZE
, server_random_first
?
1063 session
->security_parameters
.client_random
:
1064 session
->security_parameters
.server_random
, GNUTLS_RANDOM_SIZE
);
1066 memcpy (seed
+ 2 * GNUTLS_RANDOM_SIZE
, extra
, extra_size
);
1068 ret
= _gnutls_PRF (session
, session
->security_parameters
.master_secret
,
1070 label
, label_size
, seed
, seedsize
, outsize
, out
);
1078 * gnutls_session_get_client_random - get the session's client random value
1079 * @session: is a #gnutls_session_t structure.
1081 * Return a pointer to the 32-byte client random field used in the
1082 * session. The pointer must not be modified or deallocated.
1084 * If a client random value has not yet been established, the output
1085 * will be garbage; in particular, a %NULL return value should not be
1088 * Returns: pointer to client random data.
1091 gnutls_session_get_client_random (gnutls_session_t session
)
1093 return (char *) session
->security_parameters
.client_random
;
1097 * gnutls_session_get_server_random - get the session's server random value
1098 * @session: is a #gnutls_session_t structure.
1100 * Return a pointer to the 32-byte server random field used in the
1101 * session. The pointer must not be modified or deallocated.
1103 * If a server random value has not yet been established, the output
1104 * will be garbage; in particular, a %NULL return value should not be
1107 * Returns: pointer to server random data.
1110 gnutls_session_get_server_random (gnutls_session_t session
)
1112 return (char *) session
->security_parameters
.server_random
;
1116 * gnutls_session_get_master_secret - get the session's master secret value
1117 * @session: is a #gnutls_session_t structure.
1119 * Return a pointer to the 48-byte master secret in the session. The
1120 * pointer must not be modified or deallocated.
1122 * If a master secret value has not yet been established, the output
1123 * will be garbage; in particular, a %NULL return value should not be
1126 * Consider using gnutls_prf() rather than extracting the master
1127 * secret and use it to derive further data.
1129 * Returns: pointer to master secret data.
1132 gnutls_session_get_master_secret (gnutls_session_t session
)
1134 return (char *) session
->security_parameters
.master_secret
;
1138 * gnutls_session_set_finished_function:
1139 * @session: is a #gnutls_session_t structure.
1140 * @func: a #gnutls_finished_callback_func callback.
1142 * Register a callback function for the session that will be called
1143 * when a TLS Finished message has been generated. The function is
1144 * typically used to copy away the TLS finished message for later use
1145 * as a channel binding or similar purpose.
1147 * The callback should follow this prototype:
1149 * void callback (gnutls_session_t @session, const void *@finished, size_t @len);
1151 * The @finished parameter will contain the binary TLS finished
1152 * message, and @len will contains its length. For SSLv3 connections,
1153 * the @len parameter will be 36 and for TLS connections it will be
1156 * It is recommended that the function returns quickly in order to not
1157 * delay the handshake. Use the function to store a copy of the TLS
1158 * finished message for later use.
1163 gnutls_session_set_finished_function (gnutls_session_t session
,
1164 gnutls_finished_callback_func func
)
1166 session
->internals
.finished_func
= func
;
1170 * gnutls_session_is_resumed - check whether this session is a resumed one
1171 * @session: is a #gnutls_session_t structure.
1173 * Check whether session is resumed or not.
1175 * Returns: non zero if this session is resumed, or a zero if this is
1179 gnutls_session_is_resumed (gnutls_session_t session
)
1181 if (session
->security_parameters
.entity
== GNUTLS_CLIENT
)
1183 if (session
->security_parameters
.session_id_size
> 0 &&
1184 session
->security_parameters
.session_id_size
==
1185 session
->internals
.resumed_security_parameters
.session_id_size
1186 && memcmp (session
->security_parameters
.session_id
,
1187 session
->internals
.resumed_security_parameters
.
1189 session
->security_parameters
.session_id_size
) == 0)
1194 if (session
->internals
.resumed
== RESUME_TRUE
)
1202 * _gnutls_session_is_export - Used to check whether this session is of export grade
1203 * @session: is a #gnutls_session_t structure.
1205 * This function will return non zero if this session is of export grade.
1209 _gnutls_session_is_export (gnutls_session_t session
)
1211 gnutls_cipher_algorithm_t cipher
;
1214 _gnutls_cipher_suite_get_cipher_algo (&session
->security_parameters
.
1215 current_cipher_suite
);
1217 if (_gnutls_cipher_get_export_flag (cipher
) != 0)
1224 * _gnutls_session_is_psk - Used to check whether this session uses PSK kx
1225 * @session: is a #gnutls_session_t structure.
1227 * This function will return non zero if this session uses a PSK key
1228 * exchange algorithm.
1232 _gnutls_session_is_psk (gnutls_session_t session
)
1234 gnutls_kx_algorithm_t kx
;
1237 _gnutls_cipher_suite_get_kx_algo (&session
->security_parameters
.
1238 current_cipher_suite
);
1239 if (kx
== GNUTLS_KX_PSK
|| kx
== GNUTLS_KX_DHE_PSK
)
1246 * gnutls_session_get_ptr - Get the user pointer from the session structure
1247 * @session: is a #gnutls_session_t structure.
1249 * Get user pointer for session. Useful in callbacks. This is the
1250 * pointer set with gnutls_session_set_ptr().
1252 * Returns: the user given pointer from the session structure, or
1253 * %NULL if it was never set.
1256 gnutls_session_get_ptr (gnutls_session_t session
)
1258 return session
->internals
.user_ptr
;
1262 * gnutls_session_set_ptr - Used to set the user pointer to the session structure
1263 * @session: is a #gnutls_session_t structure.
1264 * @ptr: is the user pointer
1266 * This function will set (associate) the user given pointer @ptr to
1267 * the session structure. This is pointer can be accessed with
1268 * gnutls_session_get_ptr().
1271 gnutls_session_set_ptr (gnutls_session_t session
, void *ptr
)
1273 session
->internals
.user_ptr
= ptr
;
1278 * gnutls_record_get_direction - return the direction of the last interrupted function call
1279 * @session: is a #gnutls_session_t structure.
1281 * This function provides information about the internals of the
1282 * record protocol and is only useful if a prior gnutls function call
1283 * (e.g. gnutls_handshake()) was interrupted for some reason, that
1284 * is, if a function returned %GNUTLS_E_INTERRUPTED or
1285 * %GNUTLS_E_AGAIN. In such a case, you might want to call select()
1286 * or poll() before calling the interrupted gnutls function again. To
1287 * tell you whether a file descriptor should be selected for either
1288 * reading or writing, gnutls_record_get_direction() returns 0 if the
1289 * interrupted function was trying to read data, and 1 if it was
1290 * trying to write data.
1292 * Returns: 0 if trying to read data, 1 if trying to write data.
1295 gnutls_record_get_direction (gnutls_session_t session
)
1297 return session
->internals
.direction
;
1301 * _gnutls_rsa_pms_set_version - Sets a version to be used at the RSA PMS
1302 * @session: is a #gnutls_session_t structure.
1303 * @major: is the major version to use
1304 * @minor: is the minor version to use
1306 * This function will set the given version number to be used at the
1307 * RSA PMS secret. This is only useful to clients, which want to
1308 * test server's capabilities.
1312 _gnutls_rsa_pms_set_version (gnutls_session_t session
,
1313 unsigned char major
, unsigned char minor
)
1315 session
->internals
.rsa_pms_version
[0] = major
;
1316 session
->internals
.rsa_pms_version
[1] = minor
;
1320 * gnutls_handshake_set_post_client_hello_function - set callback to be called after the client hello is received
1321 * @session: is a #gnutls_session_t structure.
1322 * @func: is the function to be called
1324 * This function will set a callback to be called after the client
1325 * hello has been received (callback valid in server side only). This
1326 * allows the server to adjust settings based on received extensions.
1328 * Those settings could be ciphersuites, requesting certificate, or
1329 * anything else except for version negotiation (this is done before
1330 * the hello message is parsed).
1332 * This callback must return 0 on success or a gnutls error code to
1333 * terminate the handshake.
1335 * Warning: You should not use this function to terminate the
1336 * handshake based on client input unless you know what you are
1337 * doing. Before the handshake is finished there is no way to know if
1338 * there is a man-in-the-middle attack being performed.
1341 gnutls_handshake_set_post_client_hello_function (gnutls_session_t session
,
1342 gnutls_handshake_post_client_hello_func func
)
1344 session
->internals
.user_hello_func
= func
;
1348 * gnutls_session_enable_compatibility_mode - disable certain features in TLS in order to honour compatibility
1349 * @session: is a #gnutls_session_t structure.
1351 * This function can be used to disable certain (security) features in
1352 * TLS in order to maintain maximum compatibility with buggy
1353 * clients. It is equivalent to calling:
1354 * gnutls_record_disable_padding()
1356 * Normally only servers that require maximum compatibility with
1357 * everything out there, need to call this function.
1360 gnutls_session_enable_compatibility_mode (gnutls_session_t session
)
1362 gnutls_record_disable_padding (session
);