2 * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008,
3 * 2009, 2010 Free Software Foundation, Inc.
5 * Author: Nikos Mavrogiannopoulos
7 * This file is part of GnuTLS.
9 * The GnuTLS is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Lesser General Public License
11 * as published by the Free Software Foundation; either version 2.1 of
12 * the License, or (at your option) any later version.
14 * This library is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * Lesser General Public License for more details.
19 * You should have received a copy of the GNU Lesser General Public
20 * License along with this library; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
26 /* Functions that relate to the TLS handshake procedure.
29 #include "gnutls_int.h"
30 #include "gnutls_errors.h"
31 #include "gnutls_dh.h"
33 #include "gnutls_algorithms.h"
34 #include "gnutls_compress.h"
35 #include "gnutls_cipher.h"
36 #include "gnutls_buffers.h"
37 #include "gnutls_mbuffers.h"
38 #include "gnutls_kx.h"
39 #include "gnutls_handshake.h"
40 #include "gnutls_num.h"
41 #include "gnutls_hash_int.h"
42 #include "gnutls_db.h"
43 #include "gnutls_extensions.h"
44 #include "gnutls_supplemental.h"
45 #include "gnutls_auth.h"
46 #include "gnutls_v2_compat.h"
47 #include "auth_cert.h"
48 #include "gnutls_cert.h"
49 #include "gnutls_constate.h"
50 #include <gnutls_record.h>
51 #include <gnutls_state.h>
53 #include <ext_session_ticket.h>
54 #include <ext_safe_renegotiation.h>
55 #include <gnutls_rsa_export.h> /* for gnutls_get_rsa_params() */
56 #include <auth_anon.h> /* for gnutls_anon_server_credentials_t */
57 #include <auth_psk.h> /* for gnutls_psk_server_credentials_t */
60 #ifdef HANDSHAKE_DEBUG
61 #define ERR(x, y) _gnutls_handshake_log("HSK[%p]: %s (%d)\n", session, x,y)
69 static int _gnutls_handshake_hash_init (gnutls_session_t session);
70 static int _gnutls_server_select_comp_method (gnutls_session_t session,
71 opaque * data, int datalen);
73 _gnutls_handshake_hash_add_recvd (gnutls_session_t session,
74 gnutls_handshake_description_t recv_type,
75 opaque * header, uint16_t header_size,
76 opaque * dataptr, uint32_t datalen);
80 /* Clears the handshake hash buffers and handles.
83 _gnutls_handshake_hash_buffers_clear (gnutls_session_t session)
85 if (session->security_parameters.handshake_mac_handle_type ==
86 HANDSHAKE_MAC_TYPE_10)
88 _gnutls_hash_deinit (&session->internals.handshake_mac_handle.tls10.md5,
90 _gnutls_hash_deinit (&session->internals.handshake_mac_handle.tls10.sha,
93 else if (session->security_parameters.handshake_mac_handle_type ==
94 HANDSHAKE_MAC_TYPE_12)
96 _gnutls_hash_deinit (&session->internals.handshake_mac_handle.tls12.
98 _gnutls_hash_deinit (&session->internals.handshake_mac_handle.tls12.
101 session->security_parameters.handshake_mac_handle_type = 0;
102 session->internals.handshake_mac_handle_init = 0;
103 _gnutls_handshake_buffer_clear (session);
106 /* this will copy the required values for resuming to
107 * internals, and to security_parameters.
108 * this will keep as less data to security_parameters.
111 resume_copy_required_values (gnutls_session_t session)
113 /* get the new random values */
114 memcpy (session->internals.resumed_security_parameters.server_random,
115 session->security_parameters.server_random, GNUTLS_RANDOM_SIZE);
116 memcpy (session->internals.resumed_security_parameters.client_random,
117 session->security_parameters.client_random, GNUTLS_RANDOM_SIZE);
119 /* keep the ciphersuite and compression
120 * That is because the client must see these in our
123 memcpy (session->security_parameters.current_cipher_suite.suite,
124 session->internals.resumed_security_parameters.current_cipher_suite.
126 session->internals.compression_method = session->internals.resumed_compression_method;
128 _gnutls_epoch_set_cipher_suite (session, EPOCH_NEXT,
130 internals.resumed_security_parameters.current_cipher_suite);
131 _gnutls_epoch_set_compression (session, EPOCH_NEXT,
133 internals.resumed_compression_method);
135 /* or write_compression_algorithm
139 session->security_parameters.entity =
140 session->internals.resumed_security_parameters.entity;
142 _gnutls_set_current_version (session,
143 session->internals.resumed_security_parameters.
146 session->security_parameters.cert_type =
147 session->internals.resumed_security_parameters.cert_type;
149 memcpy (session->security_parameters.session_id,
150 session->internals.resumed_security_parameters.session_id,
151 sizeof (session->security_parameters.session_id));
152 session->security_parameters.session_id_size =
153 session->internals.resumed_security_parameters.session_id_size;
158 _gnutls_set_server_random (gnutls_session_t session, uint8_t * rnd)
160 memcpy (session->security_parameters.server_random, rnd,
165 _gnutls_set_client_random (gnutls_session_t session, uint8_t * rnd)
167 memcpy (session->security_parameters.client_random, rnd,
171 /* Calculate The SSL3 Finished message
173 #define SSL3_CLIENT_MSG "CLNT"
174 #define SSL3_SERVER_MSG "SRVR"
175 #define SSL_MSG_LEN 4
177 _gnutls_ssl3_finished (gnutls_session_t session, int type, opaque * ret)
179 const int siz = SSL_MSG_LEN;
185 if (session->security_parameters.handshake_mac_handle_type ==
186 HANDSHAKE_MAC_TYPE_10)
189 _gnutls_hash_copy (&td_md5,
190 &session->internals.handshake_mac_handle.tls10.
199 _gnutls_hash_copy (&td_sha,
200 &session->internals.handshake_mac_handle.tls10.
205 _gnutls_hash_deinit (&td_md5, NULL);
212 return GNUTLS_E_INTERNAL_ERROR;
215 if (type == GNUTLS_SERVER)
217 mesg = SSL3_SERVER_MSG;
221 mesg = SSL3_CLIENT_MSG;
224 _gnutls_hash (&td_md5, mesg, siz);
225 _gnutls_hash (&td_sha, mesg, siz);
227 _gnutls_mac_deinit_ssl3_handshake (&td_md5, ret,
229 security_parameters.master_secret,
231 _gnutls_mac_deinit_ssl3_handshake (&td_sha, &ret[16],
233 security_parameters.master_secret,
239 /* Hash the handshake messages as required by TLS 1.0
241 #define SERVER_MSG "server finished"
242 #define CLIENT_MSG "client finished"
243 #define TLS_MSG_LEN 15
245 _gnutls_finished (gnutls_session_t session, int type, void *ret)
247 const int siz = TLS_MSG_LEN;
248 opaque concat[MAX_HASH_SIZE + 16 /*MD5 */ ];
249 size_t len = 20 + 16;
255 if (session->security_parameters.handshake_mac_handle_type ==
256 HANDSHAKE_MAC_TYPE_10)
259 _gnutls_hash_copy (&td_md5,
260 &session->internals.handshake_mac_handle.tls10.
269 _gnutls_hash_copy (&td_sha,
270 &session->internals.handshake_mac_handle.tls10.
275 _gnutls_hash_deinit (&td_md5, NULL);
279 _gnutls_hash_deinit (&td_md5, concat);
280 _gnutls_hash_deinit (&td_sha, &concat[16]);
282 else if (session->security_parameters.handshake_mac_handle_type ==
283 HANDSHAKE_MAC_TYPE_12)
286 _gnutls_hash_copy (&td_sha,
287 &session->internals.handshake_mac_handle.tls12.
295 _gnutls_hash_deinit (&td_sha, concat);
296 len = _gnutls_hash_get_algo_len (td_sha.algorithm);
299 if (type == GNUTLS_SERVER)
308 return _gnutls_PRF (session, session->security_parameters.master_secret,
309 GNUTLS_MASTER_SIZE, mesg, siz, concat, len, 12, ret);
312 /* this function will produce GNUTLS_RANDOM_SIZE==32 bytes of random data
316 _gnutls_tls_create_random (opaque * dst)
321 /* Use weak random numbers for the most of the
322 * buffer except for the first 4 that are the
326 tim = gnutls_time (NULL);
327 /* generate server random value */
328 _gnutls_write_uint32 (tim, dst);
330 ret = _gnutls_rnd (GNUTLS_RND_NONCE, &dst[4], GNUTLS_RANDOM_SIZE - 4);
340 /* returns the 0 on success or a negative value.
343 _gnutls_negotiate_version (gnutls_session_t session,
344 gnutls_protocol_t adv_version)
348 /* if we do not support that version */
349 if (_gnutls_version_is_supported (session, adv_version) == 0)
351 /* If he requested something we do not support
352 * then we send him the highest we support.
354 ret = _gnutls_version_max (session);
355 if (ret == GNUTLS_VERSION_UNKNOWN)
357 /* this check is not really needed.
360 return GNUTLS_E_UNKNOWN_CIPHER_SUITE;
368 _gnutls_set_current_version (session, ret);
374 _gnutls_user_hello_func (gnutls_session_t session,
375 gnutls_protocol_t adv_version)
379 if (session->internals.user_hello_func != NULL)
381 ret = session->internals.user_hello_func (session);
387 /* Here we need to renegotiate the version since the callee might
388 * have disabled some TLS versions.
390 ret = _gnutls_negotiate_version (session, adv_version);
400 /* Read a client hello packet.
401 * A client hello must be a known version client hello
402 * or version 2.0 client hello (only for compatibility
403 * since SSL version 2.0 is not supported).
406 _gnutls_read_client_hello (gnutls_session_t session, opaque * data,
409 uint8_t session_id_len;
411 uint16_t suite_size, comp_size;
412 gnutls_protocol_t adv_version;
415 opaque rnd[GNUTLS_RANDOM_SIZE], *suite_ptr, *comp_ptr, *session_id;
417 if (session->internals.v2_hello != 0)
419 return _gnutls_read_client_hello_v2 (session, data, datalen);
423 _gnutls_handshake_log ("HSK[%p]: Client's version: %d.%d\n", session,
424 data[pos], data[pos + 1]);
426 adv_version = _gnutls_version_get (data[pos], data[pos + 1]);
427 set_adv_version (session, data[pos], data[pos + 1]);
430 neg_version = _gnutls_negotiate_version (session, adv_version);
437 /* Read client random value.
439 DECR_LEN (len, GNUTLS_RANDOM_SIZE);
440 _gnutls_set_client_random (session, &data[pos]);
441 pos += GNUTLS_RANDOM_SIZE;
443 _gnutls_tls_create_random (rnd);
444 _gnutls_set_server_random (session, rnd);
446 session->security_parameters.timestamp = gnutls_time (NULL);
449 session_id_len = data[pos++];
453 if (session_id_len > TLS_MAX_SESSION_ID_SIZE)
456 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
458 DECR_LEN (len, session_id_len);
460 session_id = &data[pos];
461 ret = _gnutls_server_restore_session (session, session_id, session_id_len);
462 pos += session_id_len;
465 { /* resumed using default TLS resumption! */
466 /* Parse only the safe renegotiation extension
467 * We don't want to parse any other extensions since
468 * we don't want new extension values to overwrite the
472 /* move forward to extensions */
474 suite_size = _gnutls_read_uint16 (&data[pos]);
477 DECR_LEN (len, suite_size);
481 comp_size = data[pos++]; /* z is the number of compression methods */
482 DECR_LEN (len, comp_size);
485 ret = _gnutls_parse_extensions (session, GNUTLS_EXT_MANDATORY,
493 resume_copy_required_values (session);
494 session->internals.resumed = RESUME_TRUE;
496 return _gnutls_user_hello_func (session, adv_version);
500 _gnutls_generate_session_id (session->security_parameters.session_id,
502 security_parameters.session_id_size);
504 session->internals.resumed = RESUME_FALSE;
507 /* Remember ciphersuites for later
510 suite_size = _gnutls_read_uint16 (&data[pos]);
513 DECR_LEN (len, suite_size);
514 suite_ptr = &data[pos];
517 /* Point to the compression methods
520 comp_size = data[pos++]; /* z is the number of compression methods */
522 DECR_LEN (len, comp_size);
523 comp_ptr = &data[pos];
526 /* Parse the extensions (if any)
528 * Unconditionally try to parse extensions; safe renegotiation uses them in
529 * sslv3 and higher, even though sslv3 doesn't officially support them.
531 ret = _gnutls_parse_extensions (session, GNUTLS_EXT_APPLICATION,
533 /* len is the rest of the parsed length */
540 ret = _gnutls_user_hello_func (session, adv_version);
547 ret = _gnutls_parse_extensions (session, GNUTLS_EXT_MANDATORY,
555 ret = _gnutls_parse_extensions (session, GNUTLS_EXT_TLS, &data[pos], len);
562 /* resumed by session_ticket extension */
563 if (session->internals.resumed == RESUME_TRUE)
565 /* to indicate the client that the current session is resumed */
566 memcpy (session->internals.resumed_security_parameters.session_id,
567 session_id, session_id_len);
568 session->internals.resumed_security_parameters.session_id_size =
571 session->internals.resumed_security_parameters.max_record_recv_size =
572 session->security_parameters.max_record_recv_size;
573 session->internals.resumed_security_parameters.max_record_send_size =
574 session->security_parameters.max_record_send_size;
576 resume_copy_required_values (session);
578 return _gnutls_user_hello_func (session, adv_version);
581 /* select an appropriate cipher suite
583 ret = _gnutls_server_select_suite (session, suite_ptr, suite_size);
590 /* select appropriate compression method */
591 ret = _gnutls_server_select_comp_method (session, comp_ptr, comp_size);
601 /* here we hash all pending data.
604 _gnutls_handshake_hash_pending (gnutls_session_t session)
610 if (session->internals.handshake_mac_handle_init == 0)
613 return GNUTLS_E_INTERNAL_ERROR;
616 /* We check if there are pending data to hash.
618 if ((ret = _gnutls_handshake_buffer_get_ptr (session, &data, &siz)) < 0)
626 if (session->security_parameters.handshake_mac_handle_type ==
627 HANDSHAKE_MAC_TYPE_10)
629 _gnutls_hash (&session->internals.handshake_mac_handle.tls10.sha,
631 _gnutls_hash (&session->internals.handshake_mac_handle.tls10.md5,
634 else if (session->security_parameters.handshake_mac_handle_type ==
635 HANDSHAKE_MAC_TYPE_12)
637 _gnutls_hash (&session->internals.handshake_mac_handle.tls12.sha256,
639 _gnutls_hash (&session->internals.handshake_mac_handle.tls12.sha1,
644 _gnutls_handshake_buffer_empty (session);
650 /* This is to be called after sending CHANGE CIPHER SPEC packet
651 * and initializing encryption. This is the first encrypted message
655 _gnutls_send_finished (gnutls_session_t session, int again)
660 size_t vdata_size = 0;
665 _gnutls_handshake_alloc (MAX_VERIFY_DATA_SIZE, MAX_VERIFY_DATA_SIZE);
669 return GNUTLS_E_MEMORY_ERROR;
671 data = _mbuffer_get_udata_ptr (bufel);
673 /* This is needed in order to hash all the required
676 if ((ret = _gnutls_handshake_hash_pending (session)) < 0)
682 if (gnutls_protocol_get_version (session) == GNUTLS_SSL3)
685 _gnutls_ssl3_finished (session,
686 session->security_parameters.entity, data);
687 _mbuffer_set_udata_size (bufel, 36);
691 ret = _gnutls_finished (session,
692 session->security_parameters.entity, data);
693 _mbuffer_set_udata_size (bufel, 12);
702 vdata_size = _mbuffer_get_udata_size (bufel);
704 if (session->internals.finished_func)
705 session->internals.finished_func (session, data, vdata_size);
707 ret = _gnutls_ext_sr_finished (session, data, vdata_size, 0);
714 if ((session->internals.resumed == RESUME_FALSE
715 && session->security_parameters.entity == GNUTLS_CLIENT)
716 || (session->internals.resumed == RESUME_TRUE
717 && session->security_parameters.entity == GNUTLS_SERVER))
719 /* if we are a client not resuming - or we are a server resuming */
720 _gnutls_handshake_log ("HSK[%p]: recording tls-unique CB (send)\n",
722 memcpy (session->internals.cb_tls_unique, data, vdata_size);
723 session->internals.cb_tls_unique_len = vdata_size;
727 _gnutls_send_handshake (session, bufel, GNUTLS_HANDSHAKE_FINISHED);
731 ret = _gnutls_send_handshake (session, NULL, GNUTLS_HANDSHAKE_FINISHED);
737 /* This is to be called after sending our finished message. If everything
738 * went fine we have negotiated a secure connection
741 _gnutls_recv_finished (gnutls_session_t session)
743 uint8_t data[MAX_VERIFY_DATA_SIZE], *vrfy;
749 _gnutls_recv_handshake (session, &vrfy, &vrfysize,
750 GNUTLS_HANDSHAKE_FINISHED, MANDATORY_PACKET);
753 ERR ("recv finished int", ret);
759 if (gnutls_protocol_get_version (session) == GNUTLS_SSL3)
768 if (vrfysize != data_size)
772 return GNUTLS_E_ERROR_IN_FINISHED_PACKET;
775 if (gnutls_protocol_get_version (session) == GNUTLS_SSL3)
778 _gnutls_ssl3_finished (session,
779 (session->security_parameters.entity + 1) % 2,
785 _gnutls_finished (session,
786 (session->security_parameters.entity +
797 ret = memcmp (vrfy, data, data_size);
803 return GNUTLS_E_ERROR_IN_FINISHED_PACKET;
806 ret = _gnutls_ext_sr_finished (session, data, data_size, 1);
813 if ((session->internals.resumed == RESUME_TRUE
814 && session->security_parameters.entity == GNUTLS_CLIENT)
815 || (session->internals.resumed == RESUME_FALSE
816 && session->security_parameters.entity == GNUTLS_SERVER))
818 /* if we are a client resuming - or we are a server not resuming */
819 _gnutls_handshake_log ("HSK[%p]: recording tls-unique CB (recv)\n",
821 memcpy (session->internals.cb_tls_unique, data, data_size);
822 session->internals.cb_tls_unique_len = data_size;
825 session->internals.initial_negotiation_completed = 1;
830 /* returns PK_RSA if the given cipher suite list only supports,
831 * RSA algorithms, PK_DSA if DSS, and PK_ANY for both or PK_NONE for none.
834 _gnutls_server_find_pk_algos_in_ciphersuites (const opaque *
835 data, unsigned int datalen)
838 gnutls_pk_algorithm_t algo = GNUTLS_PK_NONE, prev_algo = 0;
839 gnutls_kx_algorithm_t kx;
842 if (datalen % 2 != 0)
845 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
848 for (j = 0; j < datalen; j += 2)
850 memcpy (&cs.suite, &data[j], 2);
851 kx = _gnutls_cipher_suite_get_kx_algo (&cs);
853 if (_gnutls_map_kx_get_cred (kx, 1) == GNUTLS_CRD_CERTIFICATE)
855 algo = _gnutls_map_pk_get_pk (kx);
857 if (algo != prev_algo && prev_algo != 0)
858 return GNUTLS_PK_ANY;
866 /* This selects the best supported ciphersuite from the given ones. Then
867 * it adds the suite to the session and performs some checks.
870 _gnutls_server_select_suite (gnutls_session_t session, opaque * data,
874 cipher_suite_st *ciphers, cs;
876 gnutls_pk_algorithm_t pk_algo; /* will hold the pk algorithms
877 * supported by the peer.
880 /* First, check for safe renegotiation SCSV.
882 if (session->internals.priorities.sr != SR_DISABLED)
886 for (offset = 0; offset < datalen; offset += 2)
888 /* TLS_RENEGO_PROTECTION_REQUEST = { 0x00, 0xff } */
889 if (data[offset] == GNUTLS_RENEGO_PROTECTION_REQUEST_MAJOR &&
890 data[offset + 1] == GNUTLS_RENEGO_PROTECTION_REQUEST_MINOR)
892 _gnutls_handshake_log
893 ("HSK[%p]: Received safe renegotiation CS\n", session);
894 retval = _gnutls_ext_sr_recv_cs (session);
905 pk_algo = _gnutls_server_find_pk_algos_in_ciphersuites (data, datalen);
907 x = _gnutls_supported_ciphersuites (session, &ciphers);
909 { /* the case x==0 is handled within the function. */
914 /* Here we remove any ciphersuite that does not conform
915 * the certificate requested, or to the
916 * authentication requested (e.g. SRP).
918 x = _gnutls_remove_unwanted_ciphersuites (session, &ciphers, x, pk_algo);
922 gnutls_free (ciphers);
926 return GNUTLS_E_UNKNOWN_CIPHER_SUITE;
929 /* Data length should be zero mod 2 since
930 * every ciphersuite is 2 bytes. (this check is needed
933 if (datalen % 2 != 0)
936 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
938 #ifdef HANDSHAKE_DEBUG
940 _gnutls_handshake_log ("HSK[%p]: Requested cipher suites: \n", session);
941 for (j = 0; j < datalen; j += 2)
943 memcpy (&cs.suite, &data[j], 2);
944 _gnutls_handshake_log ("\t%s\n", _gnutls_cipher_suite_get_name (&cs));
946 _gnutls_handshake_log ("HSK[%p]: Supported cipher suites: \n", session);
947 for (j = 0; j < x; j++)
948 _gnutls_handshake_log ("\t%s\n",
949 _gnutls_cipher_suite_get_name (&ciphers[j]));
951 memset (session->security_parameters.current_cipher_suite.suite, '\0', 2);
953 retval = GNUTLS_E_UNKNOWN_CIPHER_SUITE;
955 for (j = 0; j < datalen; j += 2)
957 for (i = 0; i < x; i++)
959 if (memcmp (ciphers[i].suite, &data[j], 2) == 0)
961 memcpy (&cs.suite, &data[j], 2);
963 _gnutls_handshake_log
964 ("HSK[%p]: Selected cipher suite: %s\n", session,
965 _gnutls_cipher_suite_get_name (&cs));
966 memcpy (session->security_parameters.current_cipher_suite.suite,
967 ciphers[i].suite, 2);
968 _gnutls_epoch_set_cipher_suite (session, EPOCH_NEXT,
970 security_parameters.current_cipher_suite);
980 gnutls_free (ciphers);
988 /* check if the credentials (username, public key etc.) are ok
990 if (_gnutls_get_kx_cred
992 _gnutls_cipher_suite_get_kx_algo (&session->
993 security_parameters.current_cipher_suite),
994 &err) == NULL && err != 0)
997 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
1001 /* set the mod_auth_st to the appropriate struct
1002 * according to the KX algorithm. This is needed since all the
1003 * handshake functions are read from there;
1005 session->internals.auth_struct =
1006 _gnutls_kx_auth_struct (_gnutls_cipher_suite_get_kx_algo
1008 security_parameters.current_cipher_suite));
1009 if (session->internals.auth_struct == NULL)
1012 _gnutls_handshake_log
1013 ("HSK[%p]: Cannot find the appropriate handler for the KX algorithm\n",
1016 return GNUTLS_E_INTERNAL_ERROR;
1024 /* This selects the best supported compression method from the ones provided
1027 _gnutls_server_select_comp_method (gnutls_session_t session,
1028 opaque * data, int datalen)
1033 x = _gnutls_supported_compression_methods (session, &comps);
1040 memset (&session->internals.compression_method, 0,
1041 sizeof (gnutls_compression_method_t));
1043 for (j = 0; j < datalen; j++)
1045 for (i = 0; i < x; i++)
1047 if (comps[i] == data[j])
1049 gnutls_compression_method_t method =
1050 _gnutls_compression_get_id (comps[i]);
1052 session->internals.compression_method = method;
1053 gnutls_free (comps);
1055 _gnutls_epoch_set_compression (session, EPOCH_NEXT, method);
1057 _gnutls_handshake_log
1058 ("HSK[%p]: Selected Compression Method: %s\n", session,
1059 gnutls_compression_get_name (session->
1060 internals.compression_method));
1068 /* we were not able to find a compatible compression
1071 gnutls_free (comps);
1073 return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM;
1077 /* This function sends an empty handshake packet. (like hello request).
1078 * If the previous _gnutls_send_empty_handshake() returned
1079 * GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED, then it must be called again
1080 * (until it returns ok), with NULL parameters.
1083 _gnutls_send_empty_handshake (gnutls_session_t session,
1084 gnutls_handshake_description_t type, int again)
1090 bufel = _gnutls_handshake_alloc (0, 0);
1094 return GNUTLS_E_MEMORY_ERROR;
1100 return _gnutls_send_handshake (session, bufel, type);
1104 /* This function will hash the handshake message we sent.
1107 _gnutls_handshake_hash_add_sent (gnutls_session_t session,
1108 gnutls_handshake_description_t type,
1109 opaque * dataptr, uint32_t datalen)
1113 if (session->security_parameters.entity == GNUTLS_CLIENT
1114 && type == GNUTLS_HANDSHAKE_CLIENT_HELLO)
1116 /* do not hash immediatelly since the hash has not yet been initialized */
1118 _gnutls_handshake_buffer_put (session, dataptr, datalen)) < 0)
1126 if ((ret = _gnutls_handshake_hash_pending (session)) < 0)
1132 if (type != GNUTLS_HANDSHAKE_HELLO_REQUEST)
1134 if (session->security_parameters.handshake_mac_handle_type ==
1135 HANDSHAKE_MAC_TYPE_10)
1137 _gnutls_hash (&session->internals.handshake_mac_handle.tls10.sha,
1139 _gnutls_hash (&session->internals.handshake_mac_handle.tls10.md5,
1142 else if (session->security_parameters.handshake_mac_handle_type ==
1143 HANDSHAKE_MAC_TYPE_12)
1145 _gnutls_hash (&session->internals.handshake_mac_handle.tls12.sha256,
1147 _gnutls_hash (&session->internals.handshake_mac_handle.tls12.sha1,
1156 /* This function sends a handshake message of type 'type' containing the
1157 * data specified here. If the previous _gnutls_send_handshake() returned
1158 * GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED, then it must be called again
1159 * (until it returns ok), with NULL parameters.
1162 _gnutls_send_handshake (gnutls_session_t session, mbuffer_st * bufel,
1163 gnutls_handshake_description_t type)
1172 /* we are resuming a previously interrupted
1175 ret = _gnutls_handshake_io_write_flush (session);
1181 data = _mbuffer_get_uhead_ptr (bufel);
1183 _mbuffer_get_udata_size (bufel) + _mbuffer_get_uhead_size (bufel);
1185 data[pos++] = (uint8_t) type;
1186 _gnutls_write_uint24 (_mbuffer_get_udata_size (bufel), &data[pos]);
1189 _gnutls_handshake_log ("HSK[%p]: %s was sent [%ld bytes]\n",
1190 session, _gnutls_handshake2str (type),
1194 /* Here we keep the handshake messages in order to hash them...
1196 if (type != GNUTLS_HANDSHAKE_HELLO_REQUEST)
1198 _gnutls_handshake_hash_add_sent (session, type, data, datasize)) < 0)
1201 gnutls_free (bufel);
1205 session->internals.last_handshake_out = type;
1207 _gnutls_handshake_io_cache_int (session, type, bufel);
1211 case GNUTLS_HANDSHAKE_CERTIFICATE_PKT: /* this one is followed by ServerHelloDone
1212 * or ClientKeyExchange always.
1214 case GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE: /* as above */
1215 case GNUTLS_HANDSHAKE_SERVER_HELLO: /* as above */
1216 case GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST: /* as above */
1217 case GNUTLS_HANDSHAKE_NEW_SESSION_TICKET: /* followed by ChangeCipherSpec */
1219 /* now for client Certificate, ClientKeyExchange and
1220 * CertificateVerify are always followed by ChangeCipherSpec
1222 case GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY:
1223 case GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE:
1227 /* send cached messages */
1228 ret = _gnutls_handshake_io_write_flush (session);
1235 /* This function will read the handshake header and return it to the caller. If the
1236 * received handshake packet is not the one expected then it buffers the header, and
1237 * returns UNEXPECTED_HANDSHAKE_PACKET.
1239 * FIXME: This function is complex.
1241 #define SSL2_HEADERS 1
1243 _gnutls_recv_handshake_header (gnutls_session_t session,
1244 gnutls_handshake_description_t type,
1245 gnutls_handshake_description_t * recv_type)
1248 uint32_t length32 = 0;
1249 uint8_t *dataptr = NULL; /* for realloc */
1250 size_t handshake_header_size = HANDSHAKE_HEADER_SIZE;
1252 /* if we have data into the buffer then return them, do not read the next packet.
1253 * In order to return we need a full TLS handshake header, or in case of a version 2
1254 * packet, then we return the first byte.
1256 if (session->internals.handshake_header_buffer.header_size ==
1257 handshake_header_size || (session->internals.v2_hello != 0
1258 && type == GNUTLS_HANDSHAKE_CLIENT_HELLO
1259 && session->internals.handshake_header_buffer.
1263 *recv_type = session->internals.handshake_header_buffer.recv_type;
1265 if (*recv_type != type)
1268 _gnutls_handshake_log
1269 ("HSK[%p]: Handshake type mismatch (under attack?)\n", session);
1270 return GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET;
1273 return session->internals.handshake_header_buffer.packet_length;
1276 /* Note: SSL2_HEADERS == 1 */
1278 dataptr = session->internals.handshake_header_buffer.header;
1280 /* If we haven't already read the handshake headers.
1282 if (session->internals.handshake_header_buffer.header_size < SSL2_HEADERS)
1285 _gnutls_handshake_io_recv_int (session, GNUTLS_HANDSHAKE,
1286 type, dataptr, SSL2_HEADERS);
1293 /* The case ret==0 is caught here.
1295 if (ret != SSL2_HEADERS)
1298 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
1300 session->internals.handshake_header_buffer.header_size = SSL2_HEADERS;
1303 if (session->internals.v2_hello == 0
1304 || type != GNUTLS_HANDSHAKE_CLIENT_HELLO)
1307 _gnutls_handshake_io_recv_int (session, GNUTLS_HANDSHAKE,
1311 internals.handshake_header_buffer.
1313 HANDSHAKE_HEADER_SIZE -
1315 internals.handshake_header_buffer.
1320 return (ret < 0) ? ret : GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
1323 HANDSHAKE_HEADER_SIZE -
1324 session->internals.handshake_header_buffer.header_size)
1327 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
1329 *recv_type = dataptr[0];
1331 /* we do not use DECR_LEN because we know
1332 * that the packet has enough data.
1334 length32 = _gnutls_read_uint24 (&dataptr[1]);
1335 handshake_header_size = HANDSHAKE_HEADER_SIZE;
1337 _gnutls_handshake_log ("HSK[%p]: %s was received [%ld bytes]\n",
1338 session, _gnutls_handshake2str (dataptr[0]),
1339 (long int) (length32 + HANDSHAKE_HEADER_SIZE));
1344 length32 = session->internals.v2_hello - SSL2_HEADERS; /* we've read the first byte */
1346 handshake_header_size = SSL2_HEADERS; /* we've already read one byte */
1348 *recv_type = dataptr[0];
1350 _gnutls_handshake_log ("HSK[%p]: %s(v2) was received [%ld bytes]\n",
1351 session, _gnutls_handshake2str (*recv_type),
1352 (long int) (length32 + handshake_header_size));
1354 if (*recv_type != GNUTLS_HANDSHAKE_CLIENT_HELLO)
1355 { /* it should be one or nothing */
1357 return GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET;
1361 /* put the packet into the buffer */
1362 session->internals.handshake_header_buffer.header_size =
1363 handshake_header_size;
1364 session->internals.handshake_header_buffer.packet_length = length32;
1365 session->internals.handshake_header_buffer.recv_type = *recv_type;
1367 if (*recv_type != type)
1370 return GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET;
1376 #define _gnutls_handshake_header_buffer_clear( session) session->internals.handshake_header_buffer.header_size = 0
1380 /* This function will hash the handshake headers and the
1384 _gnutls_handshake_hash_add_recvd (gnutls_session_t session,
1385 gnutls_handshake_description_t recv_type,
1386 opaque * header, uint16_t header_size,
1387 opaque * dataptr, uint32_t datalen)
1391 /* The idea here is to hash the previous message we received,
1392 * and add the one we just received into the handshake_hash_buffer.
1394 if ((session->security_parameters.entity == GNUTLS_SERVER
1395 || recv_type != GNUTLS_HANDSHAKE_SERVER_HELLO)
1396 && (session->security_parameters.entity == GNUTLS_CLIENT
1397 || recv_type != GNUTLS_HANDSHAKE_CLIENT_HELLO))
1399 if ((ret = _gnutls_handshake_hash_pending (session)) < 0)
1406 /* here we buffer the handshake messages - needed at Finished message */
1407 if (recv_type != GNUTLS_HANDSHAKE_HELLO_REQUEST)
1411 _gnutls_handshake_buffer_put (session, header, header_size)) < 0)
1420 _gnutls_handshake_buffer_put (session, dataptr, datalen)) < 0)
1432 /* This function will receive handshake messages of the given types,
1433 * and will pass the message to the right place in order to be processed.
1434 * E.g. for the SERVER_HELLO message (if it is expected), it will be
1435 * passed to _gnutls_recv_hello().
1438 _gnutls_recv_handshake (gnutls_session_t session, uint8_t ** data,
1439 int *datalen, gnutls_handshake_description_t type,
1443 uint32_t length32 = 0;
1444 opaque *dataptr = NULL;
1445 gnutls_handshake_description_t recv_type;
1447 ret = _gnutls_recv_handshake_header (session, type, &recv_type);
1451 if (ret == GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET
1452 && optional == OPTIONAL_PACKET)
1454 if (datalen != NULL)
1458 return 0; /* ok just ignore the packet */
1464 session->internals.last_handshake_in = recv_type;
1469 dataptr = gnutls_malloc (length32);
1470 else if (recv_type != GNUTLS_HANDSHAKE_SERVER_HELLO_DONE)
1473 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
1476 if (dataptr == NULL && length32 > 0)
1479 return GNUTLS_E_MEMORY_ERROR;
1482 if (datalen != NULL)
1483 *datalen = length32;
1488 _gnutls_handshake_io_recv_int (session, GNUTLS_HANDSHAKE,
1489 type, dataptr, length32);
1493 gnutls_free (dataptr);
1494 return (ret == 0) ? GNUTLS_E_UNEXPECTED_PACKET_LENGTH : ret;
1498 if (data != NULL && length32 > 0)
1502 ret = _gnutls_handshake_hash_add_recvd (session, recv_type,
1504 internals.handshake_header_buffer.
1507 internals.handshake_header_buffer.
1508 header_size, dataptr, length32);
1512 _gnutls_handshake_header_buffer_clear (session);
1516 /* If we fail before this then we will reuse the handshake header
1517 * have have received above. if we get here the we clear the handshake
1518 * header we received.
1520 _gnutls_handshake_header_buffer_clear (session);
1524 case GNUTLS_HANDSHAKE_CLIENT_HELLO:
1525 case GNUTLS_HANDSHAKE_SERVER_HELLO:
1526 ret = _gnutls_recv_hello (session, dataptr, length32);
1528 /* dataptr is freed because the caller does not
1530 gnutls_free (dataptr);
1537 /* initialize the hashes for both - (client will know server's version
1538 * and server as well at this point) */
1539 if ((ret = _gnutls_handshake_hash_init (session)) < 0)
1546 case GNUTLS_HANDSHAKE_SERVER_HELLO_DONE:
1550 ret = GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
1552 case GNUTLS_HANDSHAKE_CERTIFICATE_PKT:
1553 case GNUTLS_HANDSHAKE_FINISHED:
1554 case GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE:
1555 case GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE:
1556 case GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST:
1557 case GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY:
1558 case GNUTLS_HANDSHAKE_SUPPLEMENTAL:
1559 case GNUTLS_HANDSHAKE_NEW_SESSION_TICKET:
1564 gnutls_free (dataptr);
1567 ret = GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET;
1573 /* This function checks if the given cipher suite is supported, and sets it
1577 _gnutls_client_set_ciphersuite (gnutls_session_t session, opaque suite[2])
1580 cipher_suite_st *cipher_suites;
1581 int cipher_suite_num;
1585 cipher_suite_num = _gnutls_supported_ciphersuites (session, &cipher_suites);
1586 if (cipher_suite_num < 0)
1589 return cipher_suite_num;
1592 for (i = 0; i < cipher_suite_num; i++)
1594 if (memcmp (&cipher_suites[i], suite, 2) == 0)
1601 gnutls_free (cipher_suites);
1606 return GNUTLS_E_UNKNOWN_CIPHER_SUITE;
1609 memcpy (session->security_parameters.current_cipher_suite.suite, suite, 2);
1610 _gnutls_epoch_set_cipher_suite (session, EPOCH_NEXT,
1612 security_parameters.current_cipher_suite);
1614 _gnutls_handshake_log ("HSK[%p]: Selected cipher suite: %s\n", session,
1615 _gnutls_cipher_suite_get_name
1617 security_parameters.current_cipher_suite));
1620 /* check if the credentials (username, public key etc.) are ok.
1621 * Actually checks if they exist.
1623 if (_gnutls_get_kx_cred
1625 _gnutls_cipher_suite_get_kx_algo
1626 (&session->security_parameters.current_cipher_suite), &err) == NULL
1630 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
1634 /* set the mod_auth_st to the appropriate struct
1635 * according to the KX algorithm. This is needed since all the
1636 * handshake functions are read from there;
1638 session->internals.auth_struct =
1639 _gnutls_kx_auth_struct (_gnutls_cipher_suite_get_kx_algo
1641 security_parameters.current_cipher_suite));
1643 if (session->internals.auth_struct == NULL)
1646 _gnutls_handshake_log
1647 ("HSK[%p]: Cannot find the appropriate handler for the KX algorithm\n",
1650 return GNUTLS_E_INTERNAL_ERROR;
1657 /* This function sets the given comp method to the session.
1660 _gnutls_client_set_comp_method (gnutls_session_t session, opaque comp_method)
1662 int comp_methods_num;
1663 uint8_t *compression_methods;
1666 comp_methods_num = _gnutls_supported_compression_methods (session,
1667 &compression_methods);
1668 if (comp_methods_num < 0)
1671 return comp_methods_num;
1674 for (i = 0; i < comp_methods_num; i++)
1676 if (compression_methods[i] == comp_method)
1678 comp_methods_num = 0;
1683 gnutls_free (compression_methods);
1685 if (comp_methods_num != 0)
1688 return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM;
1691 session->internals.compression_method =
1692 _gnutls_compression_get_id (comp_method);
1693 _gnutls_epoch_set_compression (session, EPOCH_NEXT,
1694 session->internals.compression_method);
1699 /* This function returns 0 if we are resuming a session or -1 otherwise.
1700 * This also sets the variables in the session. Used only while reading a server
1704 _gnutls_client_check_if_resuming (gnutls_session_t session,
1705 opaque * session_id, int session_id_len)
1707 opaque buf[2 * TLS_MAX_SESSION_ID_SIZE + 1];
1709 _gnutls_handshake_log ("HSK[%p]: SessionID length: %d\n", session,
1711 _gnutls_handshake_log ("HSK[%p]: SessionID: %s\n", session,
1712 _gnutls_bin2hex (session_id, session_id_len, buf,
1713 sizeof (buf), NULL));
1715 if (session_id_len > 0 &&
1716 session->internals.resumed_security_parameters.session_id_size ==
1718 && memcmp (session_id,
1719 session->internals.resumed_security_parameters.session_id,
1720 session_id_len) == 0)
1722 /* resume session */
1723 memcpy (session->internals.resumed_security_parameters.server_random,
1724 session->security_parameters.server_random, GNUTLS_RANDOM_SIZE);
1725 memcpy (session->internals.resumed_security_parameters.client_random,
1726 session->security_parameters.client_random, GNUTLS_RANDOM_SIZE);
1728 _gnutls_epoch_set_cipher_suite
1729 (session, EPOCH_NEXT,
1730 &session->internals.
1731 resumed_security_parameters.current_cipher_suite);
1732 _gnutls_epoch_set_compression (session, EPOCH_NEXT,
1734 internals.resumed_compression_method);
1736 session->internals.resumed = RESUME_TRUE; /* we are resuming */
1742 /* keep the new session id */
1743 session->internals.resumed = RESUME_FALSE; /* we are not resuming */
1744 session->security_parameters.session_id_size = session_id_len;
1745 memcpy (session->security_parameters.session_id,
1746 session_id, session_id_len);
1753 /* This function reads and parses the server hello handshake message.
1754 * This function also restores resumed parameters if we are resuming a
1758 _gnutls_read_server_hello (gnutls_session_t session,
1759 opaque * data, int datalen)
1761 uint8_t session_id_len = 0;
1764 gnutls_protocol_t version;
1770 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
1773 _gnutls_handshake_log ("HSK[%p]: Server's version: %d.%d\n",
1774 session, data[pos], data[pos + 1]);
1777 version = _gnutls_version_get (data[pos], data[pos + 1]);
1778 if (_gnutls_version_is_supported (session, version) == 0)
1781 return GNUTLS_E_UNSUPPORTED_VERSION_PACKET;
1785 _gnutls_set_current_version (session, version);
1790 DECR_LEN (len, GNUTLS_RANDOM_SIZE);
1791 _gnutls_set_server_random (session, &data[pos]);
1792 pos += GNUTLS_RANDOM_SIZE;
1798 session_id_len = data[pos++];
1800 if (len < session_id_len)
1803 return GNUTLS_E_UNSUPPORTED_VERSION_PACKET;
1805 DECR_LEN (len, session_id_len);
1807 /* check if we are resuming and set the appropriate
1810 if (_gnutls_client_check_if_resuming
1811 (session, &data[pos], session_id_len) == 0)
1813 pos += session_id_len + 2 + 1;
1814 DECR_LEN (len, 2 + 1);
1816 ret = _gnutls_parse_extensions (session, GNUTLS_EXT_MANDATORY,
1826 pos += session_id_len;
1828 /* Check if the given cipher suite is supported and copy
1829 * it to the session.
1833 ret = _gnutls_client_set_ciphersuite (session, &data[pos]);
1841 /* move to compression
1845 ret = _gnutls_client_set_comp_method (session, data[pos++]);
1849 return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM;
1852 /* Parse extensions.
1854 ret = _gnutls_parse_extensions (session, GNUTLS_EXT_ANY, &data[pos], len);
1865 /* This function copies the appropriate ciphersuites to a locally allocated buffer
1866 * Needed in client hello messages. Returns the new data length. If add_scsv is
1867 * true, add the special safe renegotiation CS.
1870 _gnutls_copy_ciphersuites (gnutls_session_t session,
1871 opaque * ret_data, size_t ret_data_size,
1875 cipher_suite_st *cipher_suites;
1876 uint16_t cipher_num;
1880 ret = _gnutls_supported_ciphersuites_sorted (session, &cipher_suites);
1887 /* Here we remove any ciphersuite that does not conform
1888 * the certificate requested, or to the
1889 * authentication requested (eg SRP).
1892 _gnutls_remove_unwanted_ciphersuites (session, &cipher_suites, ret, -1);
1896 gnutls_free (cipher_suites);
1900 /* If no cipher suites were enabled.
1905 gnutls_free (cipher_suites);
1906 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
1914 cipher_num *= sizeof (uint16_t); /* in order to get bytes */
1918 datalen += sizeof (uint16_t) + cipher_num;
1920 if ((size_t) datalen > ret_data_size)
1923 return GNUTLS_E_INTERNAL_ERROR;
1926 _gnutls_write_uint16 (cipher_num, ret_data);
1929 loop_max = add_scsv ? cipher_num - 2 : cipher_num;
1931 for (i = 0; i < (loop_max / 2); i++)
1933 memcpy (&ret_data[pos], cipher_suites[i].suite, 2);
1939 /* Safe renegotiation signalling CS value is { 0x00, 0xff } */
1940 ret_data[pos++] = 0x00;
1941 ret_data[pos++] = 0xff;
1942 ret = _gnutls_ext_sr_send_cs (session);
1946 gnutls_free (cipher_suites);
1951 gnutls_free (cipher_suites);
1957 /* This function copies the appropriate compression methods, to a locally allocated buffer
1958 * Needed in hello messages. Returns the new data length.
1961 _gnutls_copy_comp_methods (gnutls_session_t session,
1962 opaque * ret_data, size_t ret_data_size)
1965 uint8_t *compression_methods, comp_num;
1968 ret = _gnutls_supported_compression_methods (session, &compression_methods);
1978 datalen += comp_num + 1;
1980 if ((size_t) datalen > ret_data_size)
1983 return GNUTLS_E_INTERNAL_ERROR;
1986 ret_data[pos++] = comp_num; /* put the number of compression methods */
1988 for (i = 0; i < comp_num; i++)
1990 ret_data[pos++] = compression_methods[i];
1993 gnutls_free (compression_methods);
1998 /* This should be sufficient by now. It should hold all the extensions
1999 * plus the headers in a hello message.
2001 #define MAX_EXT_DATA_LENGTH 32*1024
2003 /* This function sends the client hello handshake message.
2006 _gnutls_send_client_hello (gnutls_session_t session, int again)
2008 mbuffer_st *bufel = NULL;
2009 opaque *data = NULL;
2012 int datalen = 0, ret = 0;
2013 opaque rnd[GNUTLS_RANDOM_SIZE];
2014 gnutls_protocol_t hver;
2015 opaque *extdata = NULL;
2016 int rehandshake = 0;
2017 uint8_t session_id_len =
2018 session->internals.resumed_security_parameters.session_id_size;
2020 /* note that rehandshake is different than resuming
2022 if (session->security_parameters.session_id_size)
2028 datalen = 2 + (session_id_len + 1) + GNUTLS_RANDOM_SIZE;
2029 /* 2 for version, (4 for unix time + 28 for random bytes==GNUTLS_RANDOM_SIZE)
2033 _gnutls_handshake_alloc (datalen, datalen + MAX_EXT_DATA_LENGTH);
2037 return GNUTLS_E_MEMORY_ERROR;
2039 data = _mbuffer_get_udata_ptr (bufel);
2040 extdatalen = MAX_EXT_DATA_LENGTH;
2042 extdata = gnutls_malloc (extdatalen);
2043 if (extdata == NULL)
2046 return GNUTLS_E_MEMORY_ERROR;
2049 /* if we are resuming a session then we set the
2050 * version number to the previously established.
2052 if (session_id_len == 0)
2054 if (rehandshake) /* already negotiated version thus version_max == negotiated version */
2055 hver = session->security_parameters.version;
2056 else /* new handshake. just get the max */
2057 hver = _gnutls_version_max (session);
2061 /* we are resuming a session */
2062 hver = session->internals.resumed_security_parameters.version;
2065 if (hver == GNUTLS_VERSION_UNKNOWN || hver == 0)
2068 gnutls_free (bufel);
2069 gnutls_free (extdata);
2070 return GNUTLS_E_INTERNAL_ERROR;
2073 data[pos++] = _gnutls_version_get_major (hver);
2074 data[pos++] = _gnutls_version_get_minor (hver);
2076 /* Set the version we advertized as maximum
2079 _gnutls_set_adv_version (session, hver);
2080 _gnutls_set_current_version (session, hver);
2082 if (session->internals.priorities.ssl3_record_version != 0)
2084 /* Advertize the SSL 3.0 record packet version in
2085 * record packets during the handshake.
2086 * That is to avoid confusing implementations
2087 * that do not support TLS 1.2 and don't know
2088 * how 3,3 version of record packets look like.
2090 _gnutls_record_set_default_version (session, 3, 0);
2093 /* In order to know when this session was initiated.
2095 session->security_parameters.timestamp = gnutls_time (NULL);
2097 /* Generate random data
2099 _gnutls_tls_create_random (rnd);
2100 _gnutls_set_client_random (session, rnd);
2102 memcpy (&data[pos], rnd, GNUTLS_RANDOM_SIZE);
2103 pos += GNUTLS_RANDOM_SIZE;
2105 /* Copy the Session ID
2107 data[pos++] = session_id_len;
2109 if (session_id_len > 0)
2112 session->internals.resumed_security_parameters.session_id,
2114 pos += session_id_len;
2118 /* Copy the ciphersuites.
2120 * If using SSLv3 Send TLS_RENEGO_PROTECTION_REQUEST SCSV for MITM
2121 * prevention on initial negotiation (but not renegotiation; that's
2122 * handled with the RI extension below).
2124 if (!session->internals.initial_negotiation_completed &&
2125 session->security_parameters.entity == GNUTLS_CLIENT &&
2126 gnutls_protocol_get_version (session) == GNUTLS_SSL3)
2129 _gnutls_copy_ciphersuites (session, extdata, extdatalen, TRUE);
2130 _gnutls_extension_list_add (session,
2131 GNUTLS_EXTENSION_SAFE_RENEGOTIATION);
2134 ret = _gnutls_copy_ciphersuites (session, extdata, extdatalen, FALSE);
2138 ret = _mbuffer_append_data (bufel, extdata, ret);
2142 gnutls_free (extdata);
2148 if (extdatalen == 0)
2149 extdatalen = GNUTLS_E_INTERNAL_ERROR;
2150 gnutls_free (bufel);
2151 gnutls_free (extdata);
2157 /* Copy the compression methods.
2159 ret = _gnutls_copy_comp_methods (session, extdata, extdatalen);
2162 ret = _mbuffer_append_data (bufel, extdata, ret);
2166 gnutls_free (extdata);
2172 if (extdatalen == 0)
2173 extdatalen = GNUTLS_E_INTERNAL_ERROR;
2174 gnutls_free (bufel);
2175 gnutls_free (extdata);
2180 /* Generate and copy TLS extensions.
2182 if (_gnutls_version_has_extensions (hver))
2183 type = GNUTLS_EXT_ANY;
2186 if (session->internals.initial_negotiation_completed != 0)
2187 type = GNUTLS_EXT_MANDATORY;
2189 type = GNUTLS_EXT_NONE;
2192 ret = _gnutls_gen_extensions (session, extdata, extdatalen, type);
2196 ret = _mbuffer_append_data (bufel, extdata, ret);
2200 gnutls_free (extdata);
2207 gnutls_free (bufel);
2208 gnutls_free (extdata);
2213 gnutls_free (extdata);
2216 _gnutls_send_handshake (session, bufel, GNUTLS_HANDSHAKE_CLIENT_HELLO);
2222 _gnutls_send_server_hello (gnutls_session_t session, int again)
2224 mbuffer_st *bufel = NULL;
2225 opaque *data = NULL;
2226 opaque *extdata = NULL;
2229 int datalen, ret = 0;
2231 uint8_t session_id_len = session->security_parameters.session_id_size;
2232 opaque buf[2 * TLS_MAX_SESSION_ID_SIZE + 1];
2239 extdata = gnutls_malloc (MAX_EXT_DATA_LENGTH);
2240 if (extdata == NULL)
2243 return GNUTLS_E_MEMORY_ERROR;
2246 datalen = 2 + session_id_len + 1 + GNUTLS_RANDOM_SIZE + 3;
2248 _gnutls_gen_extensions (session, extdata, MAX_EXT_DATA_LENGTH,
2259 _gnutls_handshake_alloc (datalen + extdatalen, datalen + extdatalen);
2263 ret = GNUTLS_E_MEMORY_ERROR;
2266 data = _mbuffer_get_udata_ptr (bufel);
2269 _gnutls_version_get_major (session->security_parameters.version);
2271 _gnutls_version_get_minor (session->security_parameters.version);
2274 session->security_parameters.server_random, GNUTLS_RANDOM_SIZE);
2275 pos += GNUTLS_RANDOM_SIZE;
2277 data[pos++] = session_id_len;
2278 if (session_id_len > 0)
2280 memcpy (&data[pos], session->security_parameters.session_id,
2283 pos += session_id_len;
2285 _gnutls_handshake_log ("HSK[%p]: SessionID: %s\n", session,
2286 _gnutls_bin2hex (session->security_parameters.
2287 session_id, session_id_len, buf,
2288 sizeof (buf), NULL));
2291 session->security_parameters.current_cipher_suite.suite, 2);
2295 (uint8_t) _gnutls_compression_get_num (session->internals.
2296 compression_method);
2302 datalen += extdatalen;
2304 memcpy (&data[pos], extdata, extdatalen);
2309 _gnutls_send_handshake (session, bufel, GNUTLS_HANDSHAKE_SERVER_HELLO);
2312 gnutls_free (extdata);
2317 _gnutls_send_hello (gnutls_session_t session, int again)
2321 if (session->security_parameters.entity == GNUTLS_CLIENT)
2323 ret = _gnutls_send_client_hello (session, again);
2328 ret = _gnutls_send_server_hello (session, again);
2334 /* RECEIVE A HELLO MESSAGE. This should be called from gnutls_recv_handshake_int only if a
2335 * hello message is expected. It uses the security_parameters.current_cipher_suite
2336 * and internals.compression_method.
2339 _gnutls_recv_hello (gnutls_session_t session, opaque * data, int datalen)
2343 if (session->security_parameters.entity == GNUTLS_CLIENT)
2345 ret = _gnutls_read_server_hello (session, data, datalen);
2353 { /* Server side reading a client hello */
2355 ret = _gnutls_read_client_hello (session, data, datalen);
2363 ret = _gnutls_ext_sr_verify (session);
2373 /* The packets in gnutls_handshake (it's more broad than original TLS handshake)
2377 * ClientHello -------->
2378 * <-------- ServerHello
2381 * ServerKeyExchange*
2382 * <-------- CertificateRequest*
2384 * <-------- ServerHelloDone
2387 * CertificateVerify*
2388 * [ChangeCipherSpec]
2389 * Finished -------->
2391 * [ChangeCipherSpec]
2392 * <-------- Finished
2394 * (*): means optional packet.
2397 /* Handshake when resumming session:
2400 * ClientHello -------->
2402 * [ChangeCipherSpec]
2403 * <-------- Finished
2404 * [ChangeCipherSpec]
2405 * Finished -------->
2410 * gnutls_rehandshake:
2411 * @session: is a #gnutls_session_t structure.
2413 * This function will renegotiate security parameters with the
2414 * client. This should only be called in case of a server.
2416 * This message informs the peer that we want to renegotiate
2417 * parameters (perform a handshake).
2419 * If this function succeeds (returns 0), you must call the
2420 * gnutls_handshake() function in order to negotiate the new
2423 * Since TLS is full duplex some application data might have been
2424 * sent during peer's processing of this message. In that case
2425 * one should call gnutls_record_recv() until GNUTLS_E_REHANDSHAKE
2426 * is returned to clear any pending data. Care must be taken if
2427 * rehandshake is mandatory to terminate if it does not start after
2430 * If the client does not wish to renegotiate parameters he will
2431 * should with an alert message, thus the return code will be
2432 * %GNUTLS_E_WARNING_ALERT_RECEIVED and the alert will be
2433 * %GNUTLS_A_NO_RENEGOTIATION. A client may also choose to ignore
2436 * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
2439 gnutls_rehandshake (gnutls_session_t session)
2443 /* only server sends that handshake packet */
2444 if (session->security_parameters.entity == GNUTLS_CLIENT)
2445 return GNUTLS_E_INVALID_REQUEST;
2448 _gnutls_send_empty_handshake (session, GNUTLS_HANDSHAKE_HELLO_REQUEST,
2463 _gnutls_abort_handshake (gnutls_session_t session, int ret)
2465 if (((ret == GNUTLS_E_WARNING_ALERT_RECEIVED) &&
2466 (gnutls_alert_get (session) == GNUTLS_A_NO_RENEGOTIATION))
2467 || ret == GNUTLS_E_GOT_APPLICATION_DATA)
2470 /* this doesn't matter */
2471 return GNUTLS_E_INTERNAL_ERROR;
2475 /* This function initialized the handshake hash session.
2476 * required for finished messages.
2479 _gnutls_handshake_hash_init (gnutls_session_t session)
2481 gnutls_protocol_t ver = gnutls_protocol_get_version (session);
2483 if (session->internals.handshake_mac_handle_init == 0)
2487 /* set the hash type for handshake message hashing */
2488 if (_gnutls_version_has_selectable_prf (ver))
2489 session->security_parameters.handshake_mac_handle_type =
2490 HANDSHAKE_MAC_TYPE_12;
2492 session->security_parameters.handshake_mac_handle_type =
2493 HANDSHAKE_MAC_TYPE_10;
2495 if (session->security_parameters.handshake_mac_handle_type ==
2496 HANDSHAKE_MAC_TYPE_10)
2499 _gnutls_hash_init (&session->internals.handshake_mac_handle.tls10.
2500 md5, GNUTLS_MAC_MD5);
2509 _gnutls_hash_init (&session->internals.handshake_mac_handle.tls10.
2510 sha, GNUTLS_MAC_SHA1);
2514 _gnutls_hash_deinit (&session->internals.handshake_mac_handle.
2516 return GNUTLS_E_MEMORY_ERROR;
2519 else if (session->security_parameters.handshake_mac_handle_type ==
2520 HANDSHAKE_MAC_TYPE_12)
2522 /* The algorithm to compute hash over handshake messages must be
2523 same as the one used as the basis for PRF. By now we use
2526 _gnutls_hash_init (&session->internals.handshake_mac_handle.tls12.
2527 sha256, GNUTLS_DIG_SHA256);
2531 return GNUTLS_E_MEMORY_ERROR;
2535 _gnutls_hash_init (&session->internals.handshake_mac_handle.tls12.
2536 sha1, GNUTLS_DIG_SHA1);
2540 _gnutls_hash_deinit (&session->internals.handshake_mac_handle.
2541 tls12.sha256, NULL);
2542 return GNUTLS_E_MEMORY_ERROR;
2546 session->internals.handshake_mac_handle_init = 1;
2553 _gnutls_send_supplemental (gnutls_session_t session, int again)
2558 _gnutls_debug_log ("EXT[%p]: Sending supplemental data\n", session);
2562 _gnutls_send_handshake (session, NULL, GNUTLS_HANDSHAKE_SUPPLEMENTAL);
2565 gnutls_buffer_st buf;
2566 _gnutls_buffer_init (&buf);
2568 ret = _gnutls_gen_supplemental (session, &buf);
2575 bufel = _gnutls_handshake_alloc (buf.length, buf.length);
2579 return GNUTLS_E_MEMORY_ERROR;
2582 _mbuffer_set_udata (bufel, buf.data, buf.length);
2583 _gnutls_buffer_clear (&buf);
2585 ret = _gnutls_send_handshake (session, bufel,
2586 GNUTLS_HANDSHAKE_SUPPLEMENTAL);
2593 _gnutls_recv_supplemental (gnutls_session_t session)
2595 uint8_t *data = NULL;
2599 _gnutls_debug_log ("EXT[%p]: Expecting supplemental data\n", session);
2601 ret = _gnutls_recv_handshake (session, &data, &datalen,
2602 GNUTLS_HANDSHAKE_SUPPLEMENTAL,
2610 ret = _gnutls_parse_supplemental (session, data, datalen);
2624 * @session: is a #gnutls_session_t structure.
2626 * This function does the handshake of the TLS/SSL protocol, and
2627 * initializes the TLS connection.
2629 * This function will fail if any problem is encountered, and will
2630 * return a negative error code. In case of a client, if the client
2631 * has asked to resume a session, but the server couldn't, then a
2632 * full handshake will be performed.
2634 * The non-fatal errors such as %GNUTLS_E_AGAIN and
2635 * %GNUTLS_E_INTERRUPTED interrupt the handshake procedure, which
2636 * should be later be resumed. Call this function again, until it
2637 * returns 0; cf. gnutls_record_get_direction() and
2638 * gnutls_error_is_fatal().
2640 * If this function is called by a server after a rehandshake request
2641 * then %GNUTLS_E_GOT_APPLICATION_DATA or
2642 * %GNUTLS_E_WARNING_ALERT_RECEIVED may be returned. Note that these
2643 * are non fatal errors, only in the specific case of a rehandshake.
2644 * Their meaning is that the client rejected the rehandshake request or
2645 * in the case of %GNUTLS_E_GOT_APPLICATION_DATA it might also mean that
2646 * some data were pending.
2648 * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
2651 gnutls_handshake (gnutls_session_t session)
2654 record_parameters_st *params;
2656 ret = _gnutls_epoch_get (session, session->security_parameters.epoch_next,
2660 /* We assume the epoch is not allocated if _gnutls_epoch_get fails. */
2662 _gnutls_epoch_alloc (session, session->security_parameters.epoch_next,
2671 if (session->security_parameters.entity == GNUTLS_CLIENT)
2673 ret = _gnutls_handshake_client (session);
2677 ret = _gnutls_handshake_server (session);
2681 /* In the case of a rehandshake abort
2682 * we should reset the handshake's internal state.
2684 if (_gnutls_abort_handshake (session, ret) == 0)
2690 ret = _gnutls_handshake_common (session);
2694 if (_gnutls_abort_handshake (session, ret) == 0)
2702 _gnutls_handshake_io_buffer_clear (session);
2703 _gnutls_handshake_internal_state_clear (session);
2705 session->security_parameters.epoch_next++;
2711 #define IMED_RET( str, ret, allow_alert) do { \
2713 /* EAGAIN and INTERRUPTED are always non-fatal */ \
2714 if (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED) \
2716 /* a warning alert might interrupt handshake */ \
2717 if (allow_alert != 0 && ret==GNUTLS_E_WARNING_ALERT_RECEIVED) return ret; \
2720 _gnutls_handshake_hash_buffers_clear(session); \
2727 * _gnutls_handshake_client
2728 * This function performs the client side of the handshake of the TLS/SSL protocol.
2731 _gnutls_handshake_client (gnutls_session_t session)
2735 #ifdef HANDSHAKE_DEBUG
2738 if (session->internals.resumed_security_parameters.session_id_size > 0)
2739 _gnutls_handshake_log ("HSK[%p]: Ask to resume: %s\n", session,
2740 _gnutls_bin2hex (session->
2741 internals.resumed_security_parameters.session_id,
2743 internals.resumed_security_parameters.session_id_size,
2744 buf, sizeof (buf), NULL));
2751 ret = _gnutls_send_hello (session, AGAIN (STATE1));
2753 IMED_RET ("send hello", ret, 1);
2756 /* receive the server hello */
2758 _gnutls_recv_handshake (session, NULL, NULL,
2759 GNUTLS_HANDSHAKE_SERVER_HELLO,
2762 IMED_RET ("recv hello", ret, 1);
2765 if (session->security_parameters.do_recv_supplemental)
2767 ret = _gnutls_recv_supplemental (session);
2769 IMED_RET ("recv supplemental", ret, 1);
2773 /* RECV CERTIFICATE */
2774 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2775 ret = _gnutls_recv_server_certificate (session);
2777 IMED_RET ("recv server certificate", ret, 1);
2780 /* receive the server key exchange */
2781 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2782 ret = _gnutls_recv_server_kx_message (session);
2784 IMED_RET ("recv server kx message", ret, 1);
2787 /* receive the server certificate request - if any
2790 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2791 ret = _gnutls_recv_server_certificate_request (session);
2793 IMED_RET ("recv server certificate request message", ret, 1);
2796 /* receive the server hello done */
2797 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2799 _gnutls_recv_handshake (session, NULL, NULL,
2800 GNUTLS_HANDSHAKE_SERVER_HELLO_DONE,
2803 IMED_RET ("recv server hello done", ret, 1);
2806 if (session->security_parameters.do_send_supplemental)
2808 ret = _gnutls_send_supplemental (session, AGAIN (STATE71));
2810 IMED_RET ("send supplemental", ret, 0);
2814 /* send our certificate - if any and if requested
2816 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2817 ret = _gnutls_send_client_certificate (session, AGAIN (STATE7));
2819 IMED_RET ("send client certificate", ret, 0);
2822 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2823 ret = _gnutls_send_client_kx_message (session, AGAIN (STATE8));
2825 IMED_RET ("send client kx", ret, 0);
2828 /* send client certificate verify */
2829 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2831 _gnutls_send_client_certificate_verify (session, AGAIN (STATE9));
2833 IMED_RET ("send client certificate verify", ret, 1);
2844 /* This function sends the final handshake packets and initializes connection
2847 _gnutls_send_handshake_final (gnutls_session_t session, int init)
2851 /* Send the CHANGE CIPHER SPEC PACKET */
2859 ret = _gnutls_handshake_io_write_flush (session);
2867 ret = _gnutls_send_change_cipher_spec (session, AGAIN (STATE21));
2872 ERR ("send ChangeCipherSpec", ret);
2876 /* Initialize the connection session (start encryption) - in case of client
2880 ret = _gnutls_connection_state_init (session);
2888 ret = _gnutls_write_connection_state_init (session);
2896 /* send the finished message */
2897 ret = _gnutls_send_finished (session, AGAIN (STATE22));
2901 ERR ("send Finished", ret);
2914 /* This function receives the final handshake packets
2915 * And executes the appropriate function to initialize the
2919 _gnutls_recv_handshake_final (gnutls_session_t session, int init)
2928 ret = _gnutls_recv_int (session, GNUTLS_CHANGE_CIPHER_SPEC, -1, &ch, 1);
2932 ERR ("recv ChangeCipherSpec", ret);
2934 return (ret < 0) ? ret : GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
2937 /* Initialize the connection session (start encryption) - in case of server */
2940 ret = _gnutls_connection_state_init (session);
2948 ret = _gnutls_read_connection_state_init (session);
2956 ret = _gnutls_recv_finished (session);
2960 ERR ("recv finished", ret);
2974 * _gnutls_handshake_server
2975 * This function does the server stuff of the handshake protocol.
2978 _gnutls_handshake_server (gnutls_session_t session)
2987 _gnutls_recv_handshake (session, NULL, NULL,
2988 GNUTLS_HANDSHAKE_CLIENT_HELLO,
2991 IMED_RET ("recv hello", ret, 1);
2994 ret = _gnutls_send_hello (session, AGAIN (STATE2));
2996 IMED_RET ("send hello", ret, 1);
2999 if (session->security_parameters.do_send_supplemental)
3001 ret = _gnutls_send_supplemental (session, AGAIN (STATE70));
3003 IMED_RET ("send supplemental data", ret, 0);
3006 /* SEND CERTIFICATE + KEYEXCHANGE + CERTIFICATE_REQUEST */
3008 /* NOTE: these should not be send if we are resuming */
3010 if (session->internals.resumed == RESUME_FALSE)
3011 ret = _gnutls_send_server_certificate (session, AGAIN (STATE3));
3013 IMED_RET ("send server certificate", ret, 0);
3016 /* send server key exchange (A) */
3017 if (session->internals.resumed == RESUME_FALSE)
3018 ret = _gnutls_send_server_kx_message (session, AGAIN (STATE4));
3020 IMED_RET ("send server kx", ret, 0);
3023 /* Send certificate request - if requested to */
3024 if (session->internals.resumed == RESUME_FALSE)
3026 _gnutls_send_server_certificate_request (session, AGAIN (STATE5));
3028 IMED_RET ("send server cert request", ret, 0);
3031 /* send the server hello done */
3032 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
3034 _gnutls_send_empty_handshake (session,
3035 GNUTLS_HANDSHAKE_SERVER_HELLO_DONE,
3038 IMED_RET ("send server hello done", ret, 1);
3041 if (session->security_parameters.do_recv_supplemental)
3043 ret = _gnutls_recv_supplemental (session);
3045 IMED_RET ("recv client supplemental", ret, 1);
3048 /* RECV CERTIFICATE + KEYEXCHANGE + CERTIFICATE_VERIFY */
3050 /* receive the client certificate message */
3051 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
3052 ret = _gnutls_recv_client_certificate (session);
3054 IMED_RET ("recv client certificate", ret, 1);
3057 /* receive the client key exchange message */
3058 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
3059 ret = _gnutls_recv_client_kx_message (session);
3061 IMED_RET ("recv client kx", ret, 1);
3064 /* receive the client certificate verify message */
3065 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
3066 ret = _gnutls_recv_client_certificate_verify_message (session);
3068 IMED_RET ("recv client certificate verify", ret, 1);
3070 STATE = STATE0; /* finished thus clear session */
3079 _gnutls_handshake_common (gnutls_session_t session)
3083 /* send and recv the change cipher spec and finished messages */
3084 if ((session->internals.resumed == RESUME_TRUE
3085 && session->security_parameters.entity == GNUTLS_CLIENT)
3086 || (session->internals.resumed == RESUME_FALSE
3087 && session->security_parameters.entity == GNUTLS_SERVER))
3089 /* if we are a client resuming - or we are a server not resuming */
3091 ret = _gnutls_recv_handshake_final (session, TRUE);
3092 IMED_RET ("recv handshake final", ret, 1);
3094 #ifdef ENABLE_SESSION_TICKET
3099 ret = _gnutls_send_new_session_ticket (session, AGAIN (STATE40));
3101 IMED_RET ("send handshake new session ticket", ret, 0);
3108 ret = _gnutls_send_handshake_final (session, FALSE);
3109 IMED_RET ("send handshake final", ret, 1);
3111 /* only store if we are not resuming */
3112 if (session->security_parameters.entity == GNUTLS_SERVER)
3114 /* in order to support session resuming */
3115 _gnutls_server_register_current_session (session);
3119 { /* if we are a client not resuming - or we are a server resuming */
3121 ret = _gnutls_send_handshake_final (session, TRUE);
3122 IMED_RET ("send handshake final 2", ret, 1);
3124 #ifdef ENABLE_SESSION_TICKET
3129 ret = _gnutls_recv_new_session_ticket (session);
3131 IMED_RET ("recv handshake new session ticket", ret, 1);
3138 ret = _gnutls_recv_handshake_final (session, FALSE);
3139 IMED_RET ("recv handshake final 2", ret, 1);
3144 /* clear handshake buffer */
3145 _gnutls_handshake_hash_buffers_clear (session);
3151 _gnutls_generate_session_id (opaque * session_id, uint8_t * len)
3155 *len = TLS_MAX_SESSION_ID_SIZE;
3157 ret = _gnutls_rnd (GNUTLS_RND_NONCE, session_id, *len);
3168 _gnutls_recv_hello_request (gnutls_session_t session, void *data,
3173 if (session->security_parameters.entity == GNUTLS_SERVER)
3176 return GNUTLS_E_UNEXPECTED_PACKET;
3181 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
3183 type = ((uint8_t *) data)[0];
3184 if (type == GNUTLS_HANDSHAKE_HELLO_REQUEST)
3185 return GNUTLS_E_REHANDSHAKE;
3189 return GNUTLS_E_UNEXPECTED_PACKET;
3193 /* Returns 1 if the given KX has not the corresponding parameters
3194 * (DH or RSA) set up. Otherwise returns 0.
3197 check_server_params (gnutls_session_t session,
3198 gnutls_kx_algorithm_t kx,
3199 gnutls_kx_algorithm_t * alg, int alg_size)
3202 gnutls_dh_params_t dh_params = NULL;
3203 gnutls_rsa_params_t rsa_params = NULL;
3206 cred_type = _gnutls_map_kx_get_cred (kx, 1);
3208 /* Read the Diffie-Hellman parameters, if any.
3210 if (cred_type == GNUTLS_CRD_CERTIFICATE)
3213 gnutls_certificate_credentials_t x509_cred =
3214 (gnutls_certificate_credentials_t) _gnutls_get_cred (session->key,
3217 if (x509_cred != NULL)
3220 _gnutls_get_dh_params (x509_cred->dh_params,
3221 x509_cred->params_func, session);
3223 _gnutls_certificate_get_rsa_params (x509_cred->rsa_params,
3224 x509_cred->params_func,
3228 /* Check also if the certificate supports the
3232 for (j = 0; j < alg_size; j++)
3246 else if (cred_type == GNUTLS_CRD_ANON)
3248 gnutls_anon_server_credentials_t anon_cred =
3249 (gnutls_anon_server_credentials_t) _gnutls_get_cred (session->key,
3252 if (anon_cred != NULL)
3255 _gnutls_get_dh_params (anon_cred->dh_params,
3256 anon_cred->params_func, session);
3261 else if (cred_type == GNUTLS_CRD_PSK)
3263 gnutls_psk_server_credentials_t psk_cred =
3264 (gnutls_psk_server_credentials_t) _gnutls_get_cred (session->key,
3267 if (psk_cred != NULL)
3270 _gnutls_get_dh_params (psk_cred->dh_params, psk_cred->params_func,
3276 return 0; /* no need for params */
3279 /* If the key exchange method needs RSA or DH params,
3280 * but they are not set then remove it.
3282 if (_gnutls_kx_needs_rsa_params (kx) != 0)
3284 /* needs rsa params. */
3285 if (_gnutls_rsa_params_to_mpi (rsa_params) == NULL)
3292 if (_gnutls_kx_needs_dh_params (kx) != 0)
3294 /* needs DH params. */
3295 if (_gnutls_dh_params_to_mpi (dh_params) == NULL)
3305 /* This function will remove algorithms that are not supported by
3306 * the requested authentication method. We remove an algorithm if
3307 * we have a certificate with keyUsage bits set.
3309 * This does a more high level check than gnutls_supported_ciphersuites(),
3310 * by checking certificates etc.
3313 _gnutls_remove_unwanted_ciphersuites (gnutls_session_t session,
3314 cipher_suite_st ** cipherSuites,
3315 int numCipherSuites,
3316 gnutls_pk_algorithm_t requested_pk_algo)
3320 cipher_suite_st *newSuite, cs;
3321 int newSuiteSize = 0, i;
3322 gnutls_certificate_credentials_t cert_cred;
3323 gnutls_kx_algorithm_t kx;
3324 int server = session->security_parameters.entity == GNUTLS_SERVER ? 1 : 0;
3325 gnutls_kx_algorithm_t *alg = NULL;
3328 /* if we should use a specific certificate,
3329 * we should remove all algorithms that are not supported
3330 * by that certificate and are on the same authentication
3331 * method (CERTIFICATE).
3335 (gnutls_certificate_credentials_t) _gnutls_get_cred (session->key,
3336 GNUTLS_CRD_CERTIFICATE,
3339 /* If there are certificate credentials, find an appropriate certificate
3342 if (session->security_parameters.entity == GNUTLS_SERVER
3343 && cert_cred != NULL)
3345 ret = _gnutls_server_select_cert (session, requested_pk_algo);
3349 _gnutls_x509_log ("Could not find an appropriate certificate: %s\n",
3350 gnutls_strerror (ret));
3355 /* get all the key exchange algorithms that are
3356 * supported by the X509 certificate parameters.
3359 _gnutls_selected_cert_supported_kx (session, &alg, &alg_size)) < 0)
3365 newSuite = gnutls_malloc (numCipherSuites * sizeof (cipher_suite_st));
3366 if (newSuite == NULL)
3370 return GNUTLS_E_MEMORY_ERROR;
3373 /* now removes ciphersuites based on the KX algorithm
3375 for (i = 0; i < numCipherSuites; i++)
3379 /* finds the key exchange algorithm in
3382 kx = _gnutls_cipher_suite_get_kx_algo (&(*cipherSuites)[i]);
3384 /* if it is defined but had no credentials
3386 if (_gnutls_get_kx_cred (session, kx, NULL) == NULL)
3395 delete = check_server_params (session, kx, alg, alg_size);
3398 /* These two SRP kx's are marked to require a CRD_CERTIFICATE,
3399 (see cred_mappings in gnutls_algorithms.c), but it also
3400 requires a SRP credential. Don't use SRP kx unless we have a
3401 SRP credential too. */
3402 if (kx == GNUTLS_KX_SRP_RSA || kx == GNUTLS_KX_SRP_DSS)
3404 if (!_gnutls_get_cred (session->key, GNUTLS_CRD_SRP, NULL))
3408 memcpy (&cs.suite, &(*cipherSuites)[i].suite, 2);
3413 _gnutls_handshake_log ("HSK[%p]: Keeping ciphersuite: %s\n",
3415 _gnutls_cipher_suite_get_name (&cs));
3417 memcpy (newSuite[newSuiteSize].suite, (*cipherSuites)[i].suite, 2);
3422 _gnutls_handshake_log ("HSK[%p]: Removing ciphersuite: %s\n",
3424 _gnutls_cipher_suite_get_name (&cs));
3430 gnutls_free (*cipherSuites);
3431 *cipherSuites = newSuite;
3440 * gnutls_handshake_set_max_packet_length:
3441 * @session: is a #gnutls_session_t structure.
3442 * @max: is the maximum number.
3444 * This function will set the maximum size of all handshake messages.
3445 * Handshakes over this size are rejected with
3446 * %GNUTLS_E_HANDSHAKE_TOO_LARGE error code. The default value is
3447 * 48kb which is typically large enough. Set this to 0 if you do not
3448 * want to set an upper limit.
3450 * The reason for restricting the handshake message sizes are to
3451 * limit Denial of Service attacks.
3454 gnutls_handshake_set_max_packet_length (gnutls_session_t session, size_t max)
3456 session->internals.max_handshake_data_buffer_size = max;
3460 _gnutls_set_adv_version (gnutls_session_t session, gnutls_protocol_t ver)
3462 set_adv_version (session, _gnutls_version_get_major (ver),
3463 _gnutls_version_get_minor (ver));
3467 _gnutls_get_adv_version (gnutls_session_t session)
3469 return _gnutls_version_get (_gnutls_get_adv_version_major (session),
3470 _gnutls_get_adv_version_minor (session));
3474 * gnutls_handshake_get_last_in:
3475 * @session: is a #gnutls_session_t structure.
3477 * This function is only useful to check where the last performed
3478 * handshake failed. If the previous handshake succeed or was not
3479 * performed at all then no meaningful value will be returned.
3481 * Check %gnutls_handshake_description_t in gnutls.h for the
3482 * available handshake descriptions.
3484 * Returns: the last handshake message type received, a
3485 * %gnutls_handshake_description_t.
3487 gnutls_handshake_description_t
3488 gnutls_handshake_get_last_in (gnutls_session_t session)
3490 return session->internals.last_handshake_in;
3494 * gnutls_handshake_get_last_out:
3495 * @session: is a #gnutls_session_t structure.
3497 * This function is only useful to check where the last performed
3498 * handshake failed. If the previous handshake succeed or was not
3499 * performed at all then no meaningful value will be returned.
3501 * Check %gnutls_handshake_description_t in gnutls.h for the
3502 * available handshake descriptions.
3504 * Returns: the last handshake message type sent, a
3505 * %gnutls_handshake_description_t.
3507 gnutls_handshake_description_t
3508 gnutls_handshake_get_last_out (gnutls_session_t session)
3510 return session->internals.last_handshake_out;
projects / external / libgnutls26.git / blob