2 * Copyright (C) 2002 Nikos Mavroyanopoulos
4 * This file is part of GNUTLS.
6 * The GNUTLS library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
9 * version 2.1 of the License, or (at your option) any later version.
11 * This library is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this library; if not, write to the Free Software
18 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
22 #include <gnutls_int.h>
23 #include <gnutls_errors.h>
24 #include <gnutls_auth_int.h>
25 #include <gnutls_priority.h>
26 #include <gnutls_num.h>
27 #include "gnutls_datum.h"
28 #include "gnutls_db.h"
29 #include <gnutls_record.h>
30 #include <gnutls_handshake.h>
31 #include <gnutls_dh.h>
32 #include <gnutls_buffers.h>
33 #include <gnutls_state.h>
34 #include <auth_cert.h>
35 #include <auth_anon.h>
37 #define CHECK_AUTH(auth, ret) if (gnutls_auth_get_type(state) != auth) { \
42 void _gnutls_state_cert_type_set( GNUTLS_STATE state
, CertificateType ct
) {
43 state
->security_parameters
.cert_type
= ct
;
47 * gnutls_cipher_get - Returns the currently used cipher.
48 * @state: is a &GNUTLS_STATE structure.
50 * Returns the currently used cipher.
52 GNUTLS_BulkCipherAlgorithm
gnutls_cipher_get( GNUTLS_STATE state
) {
53 return state
->security_parameters
.read_bulk_cipher_algorithm
;
57 * gnutls_cert_type_get - Returns the currently used certificate type.
58 * @state: is a &GNUTLS_STATE structure.
60 * Returns the currently used certificate type. The certificate type
61 * is by default X.509, unless it is negotiated as a TLS extension.
64 GNUTLS_CertificateType
gnutls_cert_type_get( GNUTLS_STATE state
) {
65 return state
->security_parameters
.cert_type
;
69 * gnutls_kx_get - Returns the key exchange algorithm.
70 * @state: is a &GNUTLS_STATE structure.
72 * Returns the key exchange algorithm used in the last handshake.
74 GNUTLS_KXAlgorithm
gnutls_kx_get( GNUTLS_STATE state
) {
75 return state
->security_parameters
.kx_algorithm
;
79 * gnutls_mac_get - Returns the currently used mac algorithm.
80 * @state: is a &GNUTLS_STATE structure.
82 * Returns the currently used mac algorithm.
84 GNUTLS_MACAlgorithm
gnutls_mac_get( GNUTLS_STATE state
) {
85 return state
->security_parameters
.read_mac_algorithm
;
89 * gnutls_compression_get - Returns the currently used compression algorithm.
90 * @state: is a &GNUTLS_STATE structure.
92 * Returns the currently used compression method.
94 GNUTLS_CompressionMethod
gnutls_compression_get( GNUTLS_STATE state
) {
95 return state
->security_parameters
.read_compression_algorithm
;
98 int _gnutls_state_cert_type_supported( GNUTLS_STATE state
, CertificateType cert_type
) {
101 if (state
->gnutls_internals
.cert_type_priority
.algorithms
==0 && cert_type
==
102 DEFAULT_CERT_TYPE
) return 0;
104 for (i
=0;i
<state
->gnutls_internals
.cert_type_priority
.algorithms
;i
++) {
105 if (state
->gnutls_internals
.cert_type_priority
.algorithm_priority
[i
]
111 return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE
;
114 /* This function will clear all the variables in gnutls_internals
115 * structure within the state, which depend on the current handshake.
116 * This is used to allow further handshakes.
118 void _gnutls_handshake_internal_state_clear( GNUTLS_STATE state
) {
119 state
->gnutls_internals
.extensions_sent_size
= 0;
121 /* by default no selected certificate */
122 state
->gnutls_internals
.selected_cert_index
= -1;
123 state
->gnutls_internals
.proposed_record_size
= DEFAULT_MAX_RECORD_SIZE
;
124 state
->gnutls_internals
.adv_version_major
= 0;
125 state
->gnutls_internals
.adv_version_minor
= 0;
126 state
->gnutls_internals
.v2_hello
= 0;
127 memset( &state
->gnutls_internals
.handshake_header_buffer
, 0,
128 sizeof(HANDSHAKE_HEADER_BUFFER
));
129 state
->gnutls_internals
.adv_version_minor
= 0;
130 state
->gnutls_internals
.adv_version_minor
= 0;
132 state
->gnutls_internals
.resumable
= RESUME_TRUE
;
137 #define _gnutls_free(x) if(x!=NULL) gnutls_free(x)
139 * gnutls_init - This function initializes the state to null (null encryption etc...).
140 * @con_end: is used to indicate if this state is to be used for server or
141 * client. Can be one of GNUTLS_CLIENT and GNUTLS_SERVER.
142 * @state: is a pointer to a &GNUTLS_STATE structure.
144 * This function initializes the current state to null. Every state
145 * must be initialized before use, so internal structures can be allocated.
146 * This function allocates structures which can only be free'd
147 * by calling gnutls_deinit(). Returns zero on success.
149 int gnutls_init(GNUTLS_STATE
* state
, GNUTLS_ConnectionEnd con_end
)
151 int default_protocol_list
[] = { GNUTLS_TLS1
, 0 };
153 *state
= gnutls_calloc(1, sizeof(struct GNUTLS_STATE_INT
));
154 if (*state
==NULL
) return GNUTLS_E_MEMORY_ERROR
;
156 (*state
)->security_parameters
.entity
= con_end
;
158 /* the default certificate type for TLS */
159 (*state
)->security_parameters
.cert_type
= DEFAULT_CERT_TYPE
;
161 /* Set the defaults for initial handshake */
162 (*state
)->security_parameters
.read_bulk_cipher_algorithm
=
163 (*state
)->security_parameters
.write_bulk_cipher_algorithm
= GNUTLS_CIPHER_NULL
;
165 (*state
)->security_parameters
.read_mac_algorithm
=
166 (*state
)->security_parameters
.write_mac_algorithm
= GNUTLS_MAC_NULL
;
168 (*state
)->security_parameters
.read_compression_algorithm
= GNUTLS_COMP_NULL
;
169 (*state
)->security_parameters
.write_compression_algorithm
= GNUTLS_COMP_NULL
;
172 gnutls_protocol_set_priority( *state
, default_protocol_list
); /* default */
174 (*state
)->gnutls_key
= gnutls_calloc(1, sizeof(struct GNUTLS_KEY_INT
));
175 if ( (*state
)->gnutls_key
== NULL
) {
176 gnutls_free( *state
);
177 return GNUTLS_E_MEMORY_ERROR
;
180 (*state
)->gnutls_internals
.expire_time
= DEFAULT_EXPIRE_TIME
; /* one hour default */
182 gnutls_dh_set_prime_bits( (*state
), MIN_BITS
);
184 gnutls_transport_set_lowat((*state
), DEFAULT_LOWAT
); /* the default for tcp */
186 gnutls_handshake_set_max_packet_length( (*state
), MAX_HANDSHAKE_PACKET_SIZE
);
188 /* Allocate a minimum size for recv_data
189 * This is allocated in order to avoid small messages, makeing
190 * the receive procedure slow.
192 (*state
)->gnutls_internals
.record_recv_buffer
.data
= gnutls_malloc(INITIAL_RECV_BUFFER_SIZE
);
194 /* set the default maximum record size for TLS
196 (*state
)->security_parameters
.max_record_size
= DEFAULT_MAX_RECORD_SIZE
;
199 /* everything else not initialized here is initialized
200 * as NULL or 0. This is why calloc is used.
203 _gnutls_handshake_internal_state_clear( *state
);
209 * gnutls_deinit - This function clears all buffers associated with the &state
210 * @state: is a &GNUTLS_STATE structure.
212 * This function clears all buffers associated with the &state.
214 void gnutls_deinit(GNUTLS_STATE state
)
217 /* remove auth info firstly */
218 _gnutls_free_auth_info(state
);
221 /* close the database - resuming sessions */
222 if ( state
->gnutls_internals
.db_reader
!= NULL
)
223 gdbm_close(state
->gnutls_internals
.db_reader
);
226 _gnutls_handshake_io_buffer_clear( state
);
228 gnutls_sfree_datum(&state
->connection_state
.read_mac_secret
);
229 gnutls_sfree_datum(&state
->connection_state
.write_mac_secret
);
231 _gnutls_free(state
->gnutls_internals
.application_data_buffer
.data
);
232 _gnutls_free(state
->gnutls_internals
.handshake_data_buffer
.data
);
233 _gnutls_free(state
->gnutls_internals
.handshake_hash_buffer
.data
);
234 _gnutls_free(state
->gnutls_internals
.record_recv_buffer
.data
);
235 _gnutls_free(state
->gnutls_internals
.record_send_buffer
.data
);
237 gnutls_clear_creds( state
);
239 if (state
->connection_state
.read_cipher_state
!= NULL
)
240 _gnutls_cipher_deinit(state
->connection_state
.read_cipher_state
);
241 if (state
->connection_state
.write_cipher_state
!= NULL
)
242 _gnutls_cipher_deinit(state
->connection_state
.write_cipher_state
);
244 if (state
->connection_state
.read_compression_state
!= NULL
)
245 _gnutls_comp_deinit(state
->connection_state
.read_compression_state
, 1);
246 if (state
->connection_state
.write_compression_state
!= NULL
)
247 _gnutls_comp_deinit(state
->connection_state
.write_compression_state
, 0);
249 gnutls_sfree_datum( &state
->cipher_specs
.server_write_mac_secret
);
250 gnutls_sfree_datum( &state
->cipher_specs
.client_write_mac_secret
);
251 gnutls_sfree_datum( &state
->cipher_specs
.server_write_IV
);
252 gnutls_sfree_datum( &state
->cipher_specs
.client_write_IV
);
253 gnutls_sfree_datum( &state
->cipher_specs
.server_write_key
);
254 gnutls_sfree_datum( &state
->cipher_specs
.client_write_key
);
256 if (state
->gnutls_key
!= NULL
) {
257 _gnutls_mpi_release(&state
->gnutls_key
->KEY
);
258 _gnutls_mpi_release(&state
->gnutls_key
->client_Y
);
259 _gnutls_mpi_release(&state
->gnutls_key
->client_p
);
260 _gnutls_mpi_release(&state
->gnutls_key
->client_g
);
262 _gnutls_mpi_release(&state
->gnutls_key
->u
);
263 _gnutls_mpi_release(&state
->gnutls_key
->a
);
264 _gnutls_mpi_release(&state
->gnutls_key
->x
);
265 _gnutls_mpi_release(&state
->gnutls_key
->A
);
266 _gnutls_mpi_release(&state
->gnutls_key
->B
);
267 _gnutls_mpi_release(&state
->gnutls_key
->b
);
269 _gnutls_mpi_release(&state
->gnutls_key
->dh_secret
);
270 _gnutls_free(state
->gnutls_key
);
272 state
->gnutls_key
= NULL
;
275 _gnutls_free(state
->gnutls_internals
.db_name
);
277 memset( state
, 0, sizeof(struct GNUTLS_STATE_INT
));
283 int _gnutls_dh_get_prime_bits( GNUTLS_STATE state
) {
284 return state
->gnutls_internals
.dh_prime_bits
;
287 int _gnutls_dh_set_peer_public_bits( GNUTLS_STATE state
, int bits
) {
288 switch( gnutls_auth_get_type( state
)) {
289 case GNUTLS_CRD_ANON
: {
290 ANON_SERVER_AUTH_INFO info
;
291 info
= _gnutls_get_auth_info(state
);
293 return GNUTLS_E_UNKNOWN_ERROR
;
294 info
->dh_peer_public_bits
= bits
;
297 case GNUTLS_CRD_CERTIFICATE
: {
298 CERTIFICATE_AUTH_INFO info
;
300 info
= _gnutls_get_auth_info(state
);
302 return GNUTLS_E_UNKNOWN_ERROR
;
304 info
->dh_peer_public_bits
= bits
;
309 return GNUTLS_E_UNKNOWN_ERROR
;
315 int _gnutls_dh_set_secret_bits( GNUTLS_STATE state
, int bits
) {
316 switch( gnutls_auth_get_type( state
)) {
317 case GNUTLS_CRD_ANON
: {
318 ANON_SERVER_AUTH_INFO info
;
319 info
= _gnutls_get_auth_info(state
);
321 return GNUTLS_E_UNKNOWN_ERROR
;
322 info
->dh_secret_bits
= bits
;
325 case GNUTLS_CRD_CERTIFICATE
: {
326 CERTIFICATE_AUTH_INFO info
;
328 info
= _gnutls_get_auth_info(state
);
330 return GNUTLS_E_UNKNOWN_ERROR
;
332 info
->dh_secret_bits
= bits
;
336 return GNUTLS_E_UNKNOWN_ERROR
;
343 int _gnutls_dh_set_prime_bits( GNUTLS_STATE state
, int bits
) {
344 switch( gnutls_auth_get_type( state
)) {
345 case GNUTLS_CRD_ANON
: {
346 ANON_SERVER_AUTH_INFO info
;
347 info
= _gnutls_get_auth_info(state
);
349 return GNUTLS_E_UNKNOWN_ERROR
;
350 info
->dh_prime_bits
= bits
;
353 case GNUTLS_CRD_CERTIFICATE
: {
354 CERTIFICATE_AUTH_INFO info
;
356 info
= _gnutls_get_auth_info(state
);
358 return GNUTLS_E_UNKNOWN_ERROR
;
360 info
->dh_prime_bits
= bits
;
365 return GNUTLS_E_UNKNOWN_ERROR
;
373 * gnutls_openpgp_send_key - This function will order gnutls to send the openpgp fingerprint instead of the key
374 * @state: is a pointer to a &GNUTLS_STATE structure.
375 * @status: is one of OPENPGP_KEY, or OPENPGP_KEY_FINGERPRINT
377 * This function will order gnutls to send the key fingerprint instead
378 * of the key in the initial handshake procedure. This should be used
379 * with care and only when there is indication or knowledge that the
380 * server can obtain the client's key.
383 void gnutls_openpgp_send_key(GNUTLS_STATE state
, GNUTLS_OpenPGPKeyStatus status
) {
384 state
->gnutls_internals
.pgp_fingerprint
= status
;
387 int _gnutls_openpgp_send_fingerprint(GNUTLS_STATE state
) {
388 return state
->gnutls_internals
.pgp_fingerprint
;
392 * _gnutls_record_set_default_version - Used to set the default version for the first record packet
393 * @state: is a &GNUTLS_STATE structure.
394 * @version: is a tls version
396 * This function sets the default version that we will use in the first
397 * record packet (client hello). This function is only useful to people
398 * that know TLS internals and want to debug other implementations.
401 void _gnutls_record_set_default_version(GNUTLS_STATE state
, GNUTLS_Version version
)
403 state
->gnutls_internals
.default_record_version
= version
;
407 * gnutls_record_set_cbc_protection - Used to disable the CBC protection
408 * @state: is a &GNUTLS_STATE structure.
409 * @prot: is an integer (0 or 1)
411 * A newly discovered attack against the record protocol requires some
412 * counter-measures to be taken. GnuTLS will not enable them by default
413 * thus, sends an empty record packet, before each actual record packet,
414 * in order to assure that the IV is not known to potential attackers.
416 * This function will enable or disable the chosen plaintext protection
417 * in the TLS record protocol (used with ciphers in CBC mode).
418 * if prot == 0 then protection is disabled (default), otherwise it
421 * The protection used will slightly decrease performance, and add
422 * 20 or more bytes per record packet.
425 void gnutls_record_set_cbc_protection(GNUTLS_STATE state
, int prot
)
427 state
->gnutls_internals
.cbc_protection_hack
= prot
;
431 * gnutls_handshake_set_rsa_pms_check - Used to disable the RSA PMS check
432 * @state: is a &GNUTLS_STATE structure.
433 * @prot: is an integer (0 or 1)
435 * The TLS 1.0 handshake protocol includes a check in the in the RSA
436 * encrypted data (only in the case of RSA key exchange), which allows
437 * to detect version roll back attacks.
439 * However it seems that some broken TLS clients exist which do not
440 * use this check properly. The only solution is to disable this
443 * if check == 0 then the check is enabled (default), otherwise it
446 * The protection used will slightly decrease performance, and add
447 * 20 or more bytes per record packet.
450 void gnutls_handshake_set_rsa_pms_check(GNUTLS_STATE state
, int check
)
452 state
->gnutls_internals
.rsa_pms_check
= check
;
456 static void _gnutls_cal_PRF_A( MACAlgorithm algorithm
, void *secret
, int secret_size
, void *seed
, int seed_size
, void* result
)
458 GNUTLS_MAC_HANDLE td1
;
460 td1
= _gnutls_hmac_init(algorithm
, secret
, secret_size
);
461 _gnutls_hmac(td1
, seed
, seed_size
);
462 _gnutls_hmac_deinit(td1
, result
);
467 #define MAX_SEED_SIZE 200
469 /* Produces "total_bytes" bytes using the hash algorithm specified.
470 * (used in the PRF function)
472 static int _gnutls_P_hash( MACAlgorithm algorithm
, opaque
* secret
, int secret_size
, opaque
* seed
, int seed_size
, int total_bytes
, opaque
* ret
)
475 GNUTLS_MAC_HANDLE td2
;
476 int i
= 0, times
, how
, blocksize
, A_size
;
477 opaque final
[20], Atmp
[MAX_SEED_SIZE
];
479 if (seed_size
> MAX_SEED_SIZE
|| total_bytes
<=0) {
481 return GNUTLS_E_INTERNAL_ERROR
;
484 blocksize
= _gnutls_hmac_get_algo_len(algorithm
);
487 } while (i
< total_bytes
);
491 memcpy( Atmp
, seed
, seed_size
);
494 times
= i
/ blocksize
;
495 for (i
= 0; i
< times
; i
++) {
496 td2
= _gnutls_hmac_init(algorithm
, secret
, secret_size
);
498 /* here we calculate A(i+1) */
499 _gnutls_cal_PRF_A( algorithm
, secret
, secret_size
, Atmp
, A_size
, Atmp
);
503 _gnutls_hmac(td2
, Atmp
, A_size
);
504 _gnutls_hmac(td2
, seed
, seed_size
);
505 _gnutls_hmac_deinit(td2
, final
);
507 if ( (1+i
) * blocksize
< total_bytes
) {
510 how
= total_bytes
- (i
) * blocksize
;
514 memcpy(&ret
[i
* blocksize
], final
, how
);
521 /* Function that xor's buffers using the maximum word size supported
522 * by the system. It should be faster. - only if one / and % are much faster
523 * than the whole xor operation.
526 void _gnutls_xor(void* _o1
, void* _o2
, int _length
) {
527 unsigned long int* o1
= _o1
;
528 unsigned long int* o2
= _o2
;
529 int i
, length
= _length
/sizeof(unsigned long int);
530 int modlen
= _length
%sizeof(unsigned long int);
532 for (i
= 0; i
< length
; i
++) {
535 i
*=sizeof(unsigned long int);
536 for (;i
<modlen
;i
++) {
537 ((unsigned char*)_o1
)[i
] ^= ((unsigned char*)_o2
)[i
];
544 #define MAX_PRF_BYTES 200
546 /* The PRF function expands a given secret
547 * needed by the TLS specification. ret must have a least total_bytes
550 int _gnutls_PRF( opaque
* secret
, int secret_size
, uint8
* label
, int label_size
, opaque
* seed
, int seed_size
, int total_bytes
, void* ret
)
552 int l_s
, s_seed_size
;
554 opaque s_seed
[MAX_SEED_SIZE
];
555 opaque o1
[MAX_PRF_BYTES
], o2
[MAX_PRF_BYTES
];
558 if (total_bytes
> MAX_PRF_BYTES
) {
560 return GNUTLS_E_INTERNAL_ERROR
;
562 /* label+seed = s_seed */
563 s_seed_size
= seed_size
+ label_size
;
565 if (s_seed_size
> MAX_SEED_SIZE
) {
567 return GNUTLS_E_INTERNAL_ERROR
;
570 memcpy(s_seed
, label
, label_size
);
571 memcpy(&s_seed
[label_size
], seed
, seed_size
);
573 l_s
= secret_size
/ 2;
577 if (secret_size
% 2 != 0) {
581 result
= _gnutls_P_hash( GNUTLS_MAC_MD5
, s1
, l_s
, s_seed
, s_seed_size
, total_bytes
, o1
);
587 result
= _gnutls_P_hash( GNUTLS_MAC_SHA
, s2
, l_s
, s_seed
, s_seed_size
, total_bytes
, o2
);
593 _gnutls_xor(o1
, o2
, total_bytes
);
595 memcpy( ret
, o1
, total_bytes
);
602 * gnutls_session_is_resumed - Used to check whether this session is a resumed one
603 * @state: is a &GNUTLS_STATE structure.
605 * This function will return non zero if this session is a resumed one,
606 * or a zero if this is a new session.
609 int gnutls_session_is_resumed(GNUTLS_STATE state
)
611 if (state
->security_parameters
.entity
==GNUTLS_CLIENT
) {
612 if (memcmp( state
->security_parameters
.session_id
,
613 state
->gnutls_internals
.resumed_security_parameters
.session_id
,
614 state
->security_parameters
.session_id_size
)==0)
617 if (state
->gnutls_internals
.resumed
==RESUME_TRUE
)
625 * gnutls_state_get_ptr - Used to get the user pointer from the state structure
626 * @state: is a &GNUTLS_STATE structure.
628 * This function will return the user given pointer from the state structure.
629 * This is the pointer set with gnutls_state_set_ptr().
632 void* gnutls_state_get_ptr(GNUTLS_STATE state
)
634 return state
->gnutls_internals
.user_ptr
;
638 * gnutls_state_set_ptr - Used to set the user pointer to the state structure
639 * @state: is a &GNUTLS_STATE structure.
640 * @ptr: is the user pointer
642 * This function will set (assosiate) the user given pointer to the state structure.
643 * This is pointer can be accessed with gnutls_state_get_ptr().
646 void gnutls_state_set_ptr(GNUTLS_STATE state
, void* ptr
)
648 state
->gnutls_internals
.user_ptr
= ptr
;