added new functions
[gnutls.git] / lib / gnutls_handshake.c
blob5455ca35a88c2f9df44351b005a44cac45b9b562
1 /*
2 * Copyright (C) 2000-2012 Free Software Foundation, Inc.
4 * Author: Nikos Mavrogiannopoulos
6 * This file is part of GnuTLS.
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
23 /* Functions that relate to the TLS handshake procedure.
26 #include "gnutls_int.h"
27 #include "gnutls_errors.h"
28 #include "gnutls_dh.h"
29 #include "debug.h"
30 #include "algorithms.h"
31 #include "gnutls_compress.h"
32 #include "gnutls_cipher.h"
33 #include "gnutls_buffers.h"
34 #include "gnutls_mbuffers.h"
35 #include "gnutls_kx.h"
36 #include "gnutls_handshake.h"
37 #include "gnutls_num.h"
38 #include "gnutls_hash_int.h"
39 #include "gnutls_db.h"
40 #include "gnutls_extensions.h"
41 #include "gnutls_supplemental.h"
42 #include "gnutls_auth.h"
43 #include "gnutls_v2_compat.h"
44 #include <auth/cert.h>
45 #include "gnutls_constate.h"
46 #include <gnutls_record.h>
47 #include <gnutls_state.h>
48 #include <ext/srp.h>
49 #include <ext/session_ticket.h>
50 #include <ext/status_request.h>
51 #include <ext/safe_renegotiation.h>
52 #include <gnutls_rsa_export.h> /* for gnutls_get_rsa_params() */
53 #include <auth/anon.h> /* for gnutls_anon_server_credentials_t */
54 #include <auth/psk.h> /* for gnutls_psk_server_credentials_t */
55 #include <random.h>
56 #include <gnutls_dtls.h>
58 #ifdef HANDSHAKE_DEBUG
59 #define ERR(x, y) _gnutls_handshake_log("HSK[%p]: %s (%d)\n", session, x,y)
60 #else
61 #define ERR(x, y)
62 #endif
64 #define TRUE 1
65 #define FALSE 0
67 static int _gnutls_server_select_comp_method (gnutls_session_t session,
68 uint8_t * data, int datalen);
69 static int
70 _gnutls_remove_unwanted_ciphersuites (gnutls_session_t session,
71 uint8_t * cipher_suites,
72 int cipher_suites_size,
73 gnutls_pk_algorithm_t *pk_algos,
74 size_t pk_algos_size);
75 static int _gnutls_handshake_client (gnutls_session_t session);
76 static int _gnutls_handshake_server (gnutls_session_t session);
78 static int
79 _gnutls_recv_handshake_final (gnutls_session_t session, int init);
80 static int
81 _gnutls_send_handshake_final (gnutls_session_t session, int init);
83 /* Empties but does not free the buffer
85 static inline void
86 _gnutls_handshake_hash_buffer_empty (gnutls_session_t session)
89 _gnutls_buffers_log ("BUF[HSK]: Emptied buffer\n");
91 session->internals.handshake_hash_buffer_prev_len = 0;
92 session->internals.handshake_hash_buffer.length = 0;
93 return;
96 static int
97 _gnutls_handshake_hash_add_recvd (gnutls_session_t session,
98 gnutls_handshake_description_t recv_type,
99 uint8_t * header, uint16_t header_size,
100 uint8_t * dataptr, uint32_t datalen);
102 static int
103 _gnutls_handshake_hash_add_sent (gnutls_session_t session,
104 gnutls_handshake_description_t type,
105 uint8_t * dataptr, uint32_t datalen);
107 static int
108 _gnutls_recv_hello_verify_request (gnutls_session_t session,
109 uint8_t * data, int datalen);
112 /* Clears the handshake hash buffers and handles.
114 void
115 _gnutls_handshake_hash_buffers_clear (gnutls_session_t session)
117 session->internals.handshake_hash_buffer_prev_len = 0;
118 _gnutls_buffer_clear(&session->internals.handshake_hash_buffer);
121 /* this will copy the required values for resuming to
122 * internals, and to security_parameters.
123 * this will keep as less data to security_parameters.
125 static void
126 resume_copy_required_values (gnutls_session_t session)
128 /* get the new random values */
129 memcpy (session->internals.resumed_security_parameters.server_random,
130 session->security_parameters.server_random, GNUTLS_RANDOM_SIZE);
131 memcpy (session->internals.resumed_security_parameters.client_random,
132 session->security_parameters.client_random, GNUTLS_RANDOM_SIZE);
134 /* keep the ciphersuite and compression
135 * That is because the client must see these in our
136 * hello message.
138 memcpy (session->security_parameters.cipher_suite,
139 session->internals.resumed_security_parameters.cipher_suite, 2);
140 session->security_parameters.compression_method = session->internals.resumed_security_parameters.compression_method;
142 _gnutls_epoch_set_cipher_suite (session, EPOCH_NEXT,
143 session->
144 internals.resumed_security_parameters.cipher_suite);
145 _gnutls_epoch_set_compression (session, EPOCH_NEXT,
146 session->
147 internals.resumed_security_parameters.compression_method);
149 /* or write_compression_algorithm
150 * they are the same
153 session->security_parameters.entity =
154 session->internals.resumed_security_parameters.entity;
156 _gnutls_set_current_version (session,
157 session->internals.resumed_security_parameters.
158 version);
160 session->security_parameters.cert_type =
161 session->internals.resumed_security_parameters.cert_type;
163 memcpy (session->security_parameters.session_id,
164 session->internals.resumed_security_parameters.session_id,
165 sizeof (session->security_parameters.session_id));
166 session->security_parameters.session_id_size =
167 session->internals.resumed_security_parameters.session_id_size;
171 void
172 _gnutls_set_server_random (gnutls_session_t session, uint8_t * rnd)
174 memcpy (session->security_parameters.server_random, rnd,
175 GNUTLS_RANDOM_SIZE);
178 void
179 _gnutls_set_client_random (gnutls_session_t session, uint8_t * rnd)
181 memcpy (session->security_parameters.client_random, rnd,
182 GNUTLS_RANDOM_SIZE);
185 /* Calculate The SSL3 Finished message
187 #define SSL3_CLIENT_MSG "CLNT"
188 #define SSL3_SERVER_MSG "SRVR"
189 #define SSL_MSG_LEN 4
190 static int
191 _gnutls_ssl3_finished (gnutls_session_t session, int type, uint8_t * ret, int sending)
193 digest_hd_st td_md5;
194 digest_hd_st td_sha;
195 const char *mesg;
196 int rc, len;
198 if (sending)
199 len = session->internals.handshake_hash_buffer.length;
200 else
201 len = session->internals.handshake_hash_buffer_prev_len;
203 rc = _gnutls_hash_init (&td_sha, GNUTLS_DIG_SHA1);
204 if (rc < 0)
205 return gnutls_assert_val(rc);
207 rc = _gnutls_hash_init (&td_md5, GNUTLS_DIG_MD5);
208 if (rc < 0)
210 _gnutls_hash_deinit (&td_sha, NULL);
211 return gnutls_assert_val(rc);
214 _gnutls_hash(&td_sha, session->internals.handshake_hash_buffer.data, len);
215 _gnutls_hash(&td_md5, session->internals.handshake_hash_buffer.data, len);
217 if (type == GNUTLS_SERVER)
218 mesg = SSL3_SERVER_MSG;
219 else
220 mesg = SSL3_CLIENT_MSG;
222 _gnutls_hash (&td_md5, mesg, SSL_MSG_LEN);
223 _gnutls_hash (&td_sha, mesg, SSL_MSG_LEN);
225 rc = _gnutls_mac_deinit_ssl3_handshake (&td_md5, ret,
226 session->
227 security_parameters.master_secret,
228 GNUTLS_MASTER_SIZE);
229 if (rc < 0)
231 _gnutls_hash_deinit (&td_md5, NULL);
232 _gnutls_hash_deinit (&td_sha, NULL);
233 return gnutls_assert_val(rc);
236 rc = _gnutls_mac_deinit_ssl3_handshake (&td_sha, &ret[16],
237 session->
238 security_parameters.master_secret,
239 GNUTLS_MASTER_SIZE);
240 if (rc < 0)
242 _gnutls_hash_deinit (&td_sha, NULL);
243 return gnutls_assert_val(rc);
246 return 0;
249 /* Hash the handshake messages as required by TLS 1.0
251 #define SERVER_MSG "server finished"
252 #define CLIENT_MSG "client finished"
253 #define TLS_MSG_LEN 15
254 static int
255 _gnutls_finished (gnutls_session_t session, int type, void *ret, int sending)
257 const int siz = TLS_MSG_LEN;
258 uint8_t concat[MAX_HASH_SIZE + 16 /*MD5 */ ];
259 size_t hash_len;
260 const char *mesg;
261 int rc, len;
263 if (sending)
264 len = session->internals.handshake_hash_buffer.length;
265 else
266 len = session->internals.handshake_hash_buffer_prev_len;
268 if (!_gnutls_version_has_selectable_prf (gnutls_protocol_get_version(session)))
270 rc = _gnutls_hash_fast( GNUTLS_DIG_SHA1, session->internals.handshake_hash_buffer.data, len, &concat[16]);
271 if (rc < 0)
272 return gnutls_assert_val(rc);
274 rc = _gnutls_hash_fast( GNUTLS_DIG_MD5, session->internals.handshake_hash_buffer.data, len, concat);
275 if (rc < 0)
276 return gnutls_assert_val(rc);
278 hash_len = 20 + 16;
280 else
282 int algorithm = _gnutls_cipher_suite_get_prf(session->security_parameters.cipher_suite);
284 rc = _gnutls_hash_fast( algorithm, session->internals.handshake_hash_buffer.data, len, concat);
285 if (rc < 0)
286 return gnutls_assert_val(rc);
288 hash_len = _gnutls_hash_get_algo_len (algorithm);
291 if (type == GNUTLS_SERVER)
293 mesg = SERVER_MSG;
295 else
297 mesg = CLIENT_MSG;
300 return _gnutls_PRF (session, session->security_parameters.master_secret,
301 GNUTLS_MASTER_SIZE, mesg, siz, concat, hash_len, 12, ret);
304 /* this function will produce GNUTLS_RANDOM_SIZE==32 bytes of random data
305 * and put it to dst.
308 _gnutls_tls_create_random (uint8_t * dst)
310 uint32_t tim;
311 int ret;
313 /* Use weak random numbers for the most of the
314 * buffer except for the first 4 that are the
315 * system's time.
318 tim = gnutls_time (NULL);
319 /* generate server random value */
320 _gnutls_write_uint32 (tim, dst);
322 ret = _gnutls_rnd (GNUTLS_RND_NONCE, &dst[4], GNUTLS_RANDOM_SIZE - 4);
323 if (ret < 0)
325 gnutls_assert ();
326 return ret;
329 return 0;
332 /* returns the 0 on success or a negative error code.
335 _gnutls_negotiate_version (gnutls_session_t session,
336 gnutls_protocol_t adv_version)
338 int ret;
340 /* if we do not support that version */
341 if (_gnutls_version_is_supported (session, adv_version) == 0)
343 /* If he requested something we do not support
344 * then we send him the highest we support.
346 ret = _gnutls_version_max (session);
347 if (ret == GNUTLS_VERSION_UNKNOWN)
349 /* this check is not really needed.
351 gnutls_assert ();
352 return GNUTLS_E_UNKNOWN_CIPHER_SUITE;
355 else
357 ret = adv_version;
360 _gnutls_set_current_version (session, ret);
362 return ret;
366 _gnutls_user_hello_func (gnutls_session_t session,
367 gnutls_protocol_t adv_version)
369 int ret;
371 if (session->internals.user_hello_func != NULL)
373 ret = session->internals.user_hello_func (session);
374 if (ret < 0)
376 gnutls_assert ();
377 return ret;
379 /* Here we need to renegotiate the version since the callee might
380 * have disabled some TLS versions.
382 ret = _gnutls_negotiate_version (session, adv_version);
383 if (ret < 0)
385 gnutls_assert ();
386 return ret;
389 return 0;
392 /* Read a client hello packet.
393 * A client hello must be a known version client hello
394 * or version 2.0 client hello (only for compatibility
395 * since SSL version 2.0 is not supported).
397 static int
398 _gnutls_read_client_hello (gnutls_session_t session, uint8_t * data,
399 int datalen)
401 uint8_t session_id_len;
402 int pos = 0, ret;
403 uint16_t suite_size, comp_size;
404 gnutls_protocol_t adv_version;
405 int neg_version;
406 int len = datalen;
407 uint8_t rnd[GNUTLS_RANDOM_SIZE], *suite_ptr, *comp_ptr, *session_id;
409 DECR_LEN (len, 2);
411 _gnutls_handshake_log ("HSK[%p]: Client's version: %d.%d\n", session,
412 data[pos], data[pos + 1]);
414 adv_version = _gnutls_version_get (data[pos], data[pos + 1]);
415 set_adv_version (session, data[pos], data[pos + 1]);
416 pos += 2;
418 neg_version = _gnutls_negotiate_version (session, adv_version);
419 if (neg_version < 0)
421 gnutls_assert ();
422 return neg_version;
425 /* Read client random value.
427 DECR_LEN (len, GNUTLS_RANDOM_SIZE);
428 _gnutls_set_client_random (session, &data[pos]);
429 pos += GNUTLS_RANDOM_SIZE;
431 _gnutls_tls_create_random (rnd);
432 _gnutls_set_server_random (session, rnd);
434 session->security_parameters.timestamp = gnutls_time (NULL);
436 DECR_LEN (len, 1);
437 session_id_len = data[pos++];
439 /* RESUME SESSION
441 if (session_id_len > TLS_MAX_SESSION_ID_SIZE)
443 gnutls_assert ();
444 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
446 DECR_LEN (len, session_id_len);
447 session_id = &data[pos];
448 pos += session_id_len;
450 if (IS_DTLS(session))
452 int cookie_size;
454 DECR_LEN (len, 1);
455 cookie_size = data[pos++];
456 DECR_LEN (len, cookie_size);
457 pos+=cookie_size;
460 ret = _gnutls_server_restore_session (session, session_id, session_id_len);
462 if (session_id_len > 0) session->internals.resumption_requested = 1;
464 if (ret == 0)
465 { /* resumed using default TLS resumption! */
466 /* Parse only the safe renegotiation extension
467 * We don't want to parse any other extensions since
468 * we don't want new extension values to overwrite the
469 * resumed ones.
472 /* move forward to extensions */
473 DECR_LEN (len, 2);
474 suite_size = _gnutls_read_uint16 (&data[pos]);
475 pos += 2;
477 DECR_LEN (len, suite_size);
478 pos += suite_size;
480 DECR_LEN (len, 1);
481 comp_size = data[pos++]; /* z is the number of compression methods */
482 DECR_LEN (len, comp_size);
483 pos += comp_size;
485 ret = _gnutls_parse_extensions (session, GNUTLS_EXT_MANDATORY,
486 &data[pos], len);
487 if (ret < 0)
489 gnutls_assert ();
490 return ret;
493 resume_copy_required_values (session);
494 session->internals.resumed = RESUME_TRUE;
496 return _gnutls_user_hello_func (session, adv_version);
498 else
500 _gnutls_generate_session_id (session->security_parameters.session_id,
501 &session->
502 security_parameters.session_id_size);
504 session->internals.resumed = RESUME_FALSE;
507 /* Remember ciphersuites for later
509 DECR_LEN (len, 2);
510 suite_size = _gnutls_read_uint16 (&data[pos]);
511 pos += 2;
513 DECR_LEN (len, suite_size);
514 suite_ptr = &data[pos];
515 pos += suite_size;
517 /* Point to the compression methods
519 DECR_LEN (len, 1);
520 comp_size = data[pos++]; /* z is the number of compression methods */
522 DECR_LEN (len, comp_size);
523 comp_ptr = &data[pos];
524 pos += comp_size;
526 /* Parse the extensions (if any)
528 * Unconditionally try to parse extensions; safe renegotiation uses them in
529 * sslv3 and higher, even though sslv3 doesn't officially support them.
531 ret = _gnutls_parse_extensions (session, GNUTLS_EXT_APPLICATION,
532 &data[pos], len);
533 /* len is the rest of the parsed length */
534 if (ret < 0)
536 gnutls_assert ();
537 return ret;
540 ret = _gnutls_user_hello_func (session, adv_version);
541 if (ret < 0)
543 gnutls_assert ();
544 return ret;
547 ret = _gnutls_parse_extensions (session, GNUTLS_EXT_MANDATORY,
548 &data[pos], len);
549 if (ret < 0)
551 gnutls_assert ();
552 return ret;
555 ret = _gnutls_parse_extensions (session, GNUTLS_EXT_TLS, &data[pos], len);
556 if (ret < 0)
558 gnutls_assert ();
559 return ret;
562 /* resumed by session_ticket extension */
563 if (session->internals.resumed != RESUME_FALSE)
565 /* to indicate the client that the current session is resumed */
566 memcpy (session->internals.resumed_security_parameters.session_id,
567 session_id, session_id_len);
568 session->internals.resumed_security_parameters.session_id_size =
569 session_id_len;
571 session->internals.resumed_security_parameters.max_record_recv_size =
572 session->security_parameters.max_record_recv_size;
573 session->internals.resumed_security_parameters.max_record_send_size =
574 session->security_parameters.max_record_send_size;
576 resume_copy_required_values (session);
578 return _gnutls_user_hello_func (session, adv_version);
581 /* select an appropriate cipher suite
583 ret = _gnutls_server_select_suite (session, suite_ptr, suite_size);
584 if (ret < 0)
586 gnutls_assert ();
587 return ret;
590 /* select appropriate compression method */
591 ret = _gnutls_server_select_comp_method (session, comp_ptr, comp_size);
592 if (ret < 0)
594 gnutls_assert ();
595 return ret;
598 return 0;
601 /* This is to be called after sending CHANGE CIPHER SPEC packet
602 * and initializing encryption. This is the first encrypted message
603 * we send.
605 static int
606 _gnutls_send_finished (gnutls_session_t session, int again)
608 mbuffer_st *bufel;
609 uint8_t *data;
610 int ret;
611 size_t vdata_size = 0;
613 if (again == 0)
615 bufel = _gnutls_handshake_alloc (session, MAX_VERIFY_DATA_SIZE, MAX_VERIFY_DATA_SIZE);
616 if (bufel == NULL)
618 gnutls_assert ();
619 return GNUTLS_E_MEMORY_ERROR;
621 data = _mbuffer_get_udata_ptr (bufel);
623 if (gnutls_protocol_get_version (session) == GNUTLS_SSL3)
625 ret =
626 _gnutls_ssl3_finished (session,
627 session->security_parameters.entity, data, 1);
628 _mbuffer_set_udata_size (bufel, 36);
630 else
631 { /* TLS 1.0+ */
632 ret = _gnutls_finished (session,
633 session->security_parameters.entity, data, 1);
634 _mbuffer_set_udata_size (bufel, 12);
637 if (ret < 0)
639 gnutls_assert ();
640 return ret;
643 vdata_size = _mbuffer_get_udata_size (bufel);
645 ret = _gnutls_ext_sr_finished (session, data, vdata_size, 0);
646 if (ret < 0)
648 gnutls_assert ();
649 return ret;
652 if ((session->internals.resumed == RESUME_FALSE
653 && session->security_parameters.entity == GNUTLS_CLIENT)
654 || (session->internals.resumed != RESUME_FALSE
655 && session->security_parameters.entity == GNUTLS_SERVER))
657 /* if we are a client not resuming - or we are a server resuming */
658 _gnutls_handshake_log ("HSK[%p]: recording tls-unique CB (send)\n",
659 session);
660 memcpy (session->internals.cb_tls_unique, data, vdata_size);
661 session->internals.cb_tls_unique_len = vdata_size;
664 ret =
665 _gnutls_send_handshake (session, bufel, GNUTLS_HANDSHAKE_FINISHED);
667 else
669 ret = _gnutls_send_handshake (session, NULL, GNUTLS_HANDSHAKE_FINISHED);
672 return ret;
675 /* This is to be called after sending our finished message. If everything
676 * went fine we have negotiated a secure connection
678 static int
679 _gnutls_recv_finished (gnutls_session_t session)
681 uint8_t data[MAX_VERIFY_DATA_SIZE], *vrfy;
682 gnutls_buffer_st buf;
683 int data_size;
684 int ret;
685 int vrfy_size;
687 ret =
688 _gnutls_recv_handshake (session, GNUTLS_HANDSHAKE_FINISHED,
689 0, &buf);
690 if (ret < 0)
692 ERR ("recv finished int", ret);
693 gnutls_assert ();
694 return ret;
697 vrfy = buf.data;
698 vrfy_size = buf.length;
700 if (gnutls_protocol_get_version (session) == GNUTLS_SSL3)
702 data_size = 36;
704 else
706 data_size = 12;
709 if (vrfy_size != data_size)
711 gnutls_assert ();
712 ret = GNUTLS_E_ERROR_IN_FINISHED_PACKET;
713 goto cleanup;
716 if (gnutls_protocol_get_version (session) == GNUTLS_SSL3)
718 ret =
719 _gnutls_ssl3_finished (session,
720 (session->security_parameters.entity + 1) % 2,
721 data, 0);
723 else
724 { /* TLS 1.0 */
725 ret =
726 _gnutls_finished (session,
727 (session->security_parameters.entity +
728 1) % 2, data, 0);
731 if (ret < 0)
733 gnutls_assert ();
734 goto cleanup;
737 if (memcmp (vrfy, data, data_size) != 0)
739 gnutls_assert ();
740 ret = GNUTLS_E_ERROR_IN_FINISHED_PACKET;
741 goto cleanup;
744 ret = _gnutls_ext_sr_finished (session, data, data_size, 1);
745 if (ret < 0)
747 gnutls_assert ();
748 goto cleanup;
751 if ((session->internals.resumed != RESUME_FALSE
752 && session->security_parameters.entity == GNUTLS_CLIENT)
753 || (session->internals.resumed == RESUME_FALSE
754 && session->security_parameters.entity == GNUTLS_SERVER))
756 /* if we are a client resuming - or we are a server not resuming */
757 _gnutls_handshake_log ("HSK[%p]: recording tls-unique CB (recv)\n",
758 session);
759 memcpy (session->internals.cb_tls_unique, data, data_size);
760 session->internals.cb_tls_unique_len = data_size;
764 session->internals.initial_negotiation_completed = 1;
766 cleanup:
767 _gnutls_buffer_clear(&buf);
769 return ret;
772 /* returns PK_RSA if the given cipher suite list only supports,
773 * RSA algorithms, PK_DSA if DSS, and PK_ANY for both or PK_NONE for none.
775 static int
776 server_find_pk_algos_in_ciphersuites (const uint8_t *
777 data, unsigned int datalen,
778 gnutls_pk_algorithm_t * algos,
779 size_t* algos_size)
781 unsigned int j;
782 gnutls_kx_algorithm_t kx;
783 unsigned int max = *algos_size;
785 if (datalen % 2 != 0)
787 gnutls_assert ();
788 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
791 *algos_size = 0;
792 for (j = 0; j < datalen; j += 2)
794 kx = _gnutls_cipher_suite_get_kx_algo (&data[j]);
795 if (_gnutls_map_kx_get_cred (kx, 1) == GNUTLS_CRD_CERTIFICATE)
797 algos[(*algos_size)++] = _gnutls_map_pk_get_pk (kx);
799 if ((*algos_size) >= max)
800 return 0;
804 return 0;
807 /* This selects the best supported ciphersuite from the given ones. Then
808 * it adds the suite to the session and performs some checks.
811 _gnutls_server_select_suite (gnutls_session_t session, uint8_t * data,
812 unsigned int datalen)
814 int ret;
815 unsigned int i, j, cipher_suites_size;
816 size_t pk_algos_size;
817 uint8_t cipher_suites[MAX_CIPHERSUITE_SIZE];
818 int retval, err;
819 gnutls_pk_algorithm_t pk_algos[MAX_ALGOS]; /* will hold the pk algorithms
820 * supported by the peer.
823 /* First, check for safe renegotiation SCSV.
825 if (session->internals.priorities.sr != SR_DISABLED)
827 unsigned int offset;
829 for (offset = 0; offset < datalen; offset += 2)
831 /* TLS_RENEGO_PROTECTION_REQUEST = { 0x00, 0xff } */
832 if (data[offset] == GNUTLS_RENEGO_PROTECTION_REQUEST_MAJOR &&
833 data[offset + 1] == GNUTLS_RENEGO_PROTECTION_REQUEST_MINOR)
835 _gnutls_handshake_log
836 ("HSK[%p]: Received safe renegotiation CS\n", session);
837 retval = _gnutls_ext_sr_recv_cs (session);
838 if (retval < 0)
840 gnutls_assert ();
841 return retval;
843 break;
848 pk_algos_size = MAX_ALGOS;
849 ret = server_find_pk_algos_in_ciphersuites (data, datalen, pk_algos, &pk_algos_size);
850 if (ret < 0)
851 return gnutls_assert_val(ret);
853 ret = _gnutls_supported_ciphersuites (session, cipher_suites, sizeof(cipher_suites));
854 if (ret < 0)
855 return gnutls_assert_val(ret);
857 cipher_suites_size = ret;
859 /* Here we remove any ciphersuite that does not conform
860 * the certificate requested, or to the
861 * authentication requested (e.g. SRP).
863 ret = _gnutls_remove_unwanted_ciphersuites (session, cipher_suites, cipher_suites_size, pk_algos, pk_algos_size);
864 if (ret <= 0)
866 gnutls_assert ();
867 if (ret < 0)
868 return ret;
869 else
870 return GNUTLS_E_UNKNOWN_CIPHER_SUITE;
873 cipher_suites_size = ret;
875 /* Data length should be zero mod 2 since
876 * every ciphersuite is 2 bytes. (this check is needed
877 * see below).
879 if (datalen % 2 != 0)
881 gnutls_assert ();
882 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
885 memset (session->security_parameters.cipher_suite, 0, 2);
887 retval = GNUTLS_E_UNKNOWN_CIPHER_SUITE;
889 _gnutls_handshake_log ("HSK[%p]: Requested cipher suites[size: %d]: \n", session, (int)datalen);
891 if (session->internals.priorities.server_precedence == 0)
893 for (j = 0; j < datalen; j += 2)
895 _gnutls_handshake_log ("\t0x%.2x, 0x%.2x %s\n", data[j], data[j+1], _gnutls_cipher_suite_get_name (&data[j]));
896 for (i = 0; i < cipher_suites_size; i+=2)
898 if (memcmp (&cipher_suites[i], &data[j], 2) == 0)
900 _gnutls_handshake_log
901 ("HSK[%p]: Selected cipher suite: %s\n", session,
902 _gnutls_cipher_suite_get_name (&data[j]));
903 memcpy (session->security_parameters.cipher_suite,
904 &cipher_suites[i], 2);
905 _gnutls_epoch_set_cipher_suite (session, EPOCH_NEXT,
906 session->
907 security_parameters.cipher_suite);
910 retval = 0;
911 goto finish;
916 else /* server selects */
918 for (i = 0; i < cipher_suites_size; i+=2)
920 for (j = 0; j < datalen; j += 2)
922 if (memcmp (&cipher_suites[i], &data[j], 2) == 0)
924 _gnutls_handshake_log
925 ("HSK[%p]: Selected cipher suite: %s\n", session,
926 _gnutls_cipher_suite_get_name (&data[j]));
927 memcpy (session->security_parameters.cipher_suite,
928 &cipher_suites[i], 2);
929 _gnutls_epoch_set_cipher_suite (session, EPOCH_NEXT,
930 session->
931 security_parameters.cipher_suite);
934 retval = 0;
935 goto finish;
940 finish:
942 if (retval != 0)
944 gnutls_assert ();
945 return retval;
948 /* check if the credentials (username, public key etc.) are ok
950 if (_gnutls_get_kx_cred
951 (session,
952 _gnutls_cipher_suite_get_kx_algo (session->
953 security_parameters.cipher_suite),
954 &err) == NULL && err != 0)
956 gnutls_assert ();
957 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
961 /* set the mod_auth_st to the appropriate struct
962 * according to the KX algorithm. This is needed since all the
963 * handshake functions are read from there;
965 session->internals.auth_struct =
966 _gnutls_kx_auth_struct (_gnutls_cipher_suite_get_kx_algo
967 (session->
968 security_parameters.cipher_suite));
969 if (session->internals.auth_struct == NULL)
972 _gnutls_handshake_log
973 ("HSK[%p]: Cannot find the appropriate handler for the KX algorithm\n",
974 session);
975 gnutls_assert ();
976 return GNUTLS_E_INTERNAL_ERROR;
979 return 0;
984 /* This selects the best supported compression method from the ones provided
986 static int
987 _gnutls_server_select_comp_method (gnutls_session_t session,
988 uint8_t * data, int datalen)
990 int x, i, j;
991 uint8_t comps[MAX_ALGOS];
993 x = _gnutls_supported_compression_methods (session, comps, MAX_ALGOS);
994 if (x < 0)
996 gnutls_assert ();
997 return x;
1000 if (session->internals.priorities.server_precedence == 0)
1002 for (j = 0; j < datalen; j++)
1004 for (i = 0; i < x; i++)
1006 if (comps[i] == data[j])
1008 gnutls_compression_method_t method =
1009 _gnutls_compression_get_id (comps[i]);
1011 _gnutls_epoch_set_compression (session, EPOCH_NEXT, method);
1012 session->security_parameters.compression_method = method;
1014 _gnutls_handshake_log
1015 ("HSK[%p]: Selected Compression Method: %s\n", session,
1016 gnutls_compression_get_name (method));
1017 return 0;
1022 else
1024 for (i = 0; i < x; i++)
1026 for (j = 0; j < datalen; j++)
1028 if (comps[i] == data[j])
1030 gnutls_compression_method_t method =
1031 _gnutls_compression_get_id (comps[i]);
1033 _gnutls_epoch_set_compression (session, EPOCH_NEXT, method);
1034 session->security_parameters.compression_method = method;
1036 _gnutls_handshake_log
1037 ("HSK[%p]: Selected Compression Method: %s\n", session,
1038 gnutls_compression_get_name (method));
1039 return 0;
1045 /* we were not able to find a compatible compression
1046 * algorithm
1048 gnutls_assert ();
1049 return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM;
1053 /* This function sends an empty handshake packet. (like hello request).
1054 * If the previous _gnutls_send_empty_handshake() returned
1055 * GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED, then it must be called again
1056 * (until it returns ok), with NULL parameters.
1058 static int
1059 _gnutls_send_empty_handshake (gnutls_session_t session,
1060 gnutls_handshake_description_t type, int again)
1062 mbuffer_st *bufel;
1064 if (again == 0)
1066 bufel = _gnutls_handshake_alloc (session, 0, 0);
1067 if (bufel == NULL)
1069 gnutls_assert ();
1070 return GNUTLS_E_MEMORY_ERROR;
1073 else
1074 bufel = NULL;
1076 return _gnutls_send_handshake (session, bufel, type);
1082 /* This function sends a handshake message of type 'type' containing the
1083 * data specified here. If the previous _gnutls_send_handshake() returned
1084 * GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED, then it must be called again
1085 * (until it returns ok), with NULL parameters.
1088 _gnutls_send_handshake (gnutls_session_t session, mbuffer_st * bufel,
1089 gnutls_handshake_description_t type)
1091 int ret;
1092 uint8_t *data;
1093 uint32_t datasize, i_datasize;
1094 int pos = 0;
1096 if (bufel == NULL)
1098 /* we are resuming a previously interrupted
1099 * send.
1101 ret = _gnutls_handshake_io_write_flush (session);
1102 return ret;
1106 /* first run */
1107 data = _mbuffer_get_uhead_ptr (bufel);
1108 i_datasize = _mbuffer_get_udata_size(bufel);
1109 datasize = i_datasize + _mbuffer_get_uhead_size (bufel);
1111 data[pos++] = (uint8_t) type;
1112 _gnutls_write_uint24 (_mbuffer_get_udata_size (bufel), &data[pos]);
1113 pos += 3;
1115 /* Add DTLS handshake fragment headers. The message will be
1116 * fragmented later by the fragmentation sub-layer. All fields must
1117 * be set properly for HMAC. The HMAC requires we pretend that the
1118 * message was sent in a single fragment. */
1119 if (IS_DTLS(session))
1121 _gnutls_write_uint16 (session->internals.dtls.hsk_write_seq++, &data[pos]);
1122 pos += 2;
1124 /* Fragment offset */
1125 _gnutls_write_uint24 (0, &data[pos]);
1126 pos += 3;
1128 /* Fragment length */
1129 _gnutls_write_uint24 (i_datasize, &data[pos]);
1130 /* pos += 3; */
1133 _gnutls_handshake_log ("HSK[%p]: %s was queued [%ld bytes]\n",
1134 session, _gnutls_handshake2str (type),
1135 (long) datasize);
1137 /* Here we keep the handshake messages in order to hash them...
1139 if (type != GNUTLS_HANDSHAKE_HELLO_REQUEST)
1140 if ((ret =
1141 _gnutls_handshake_hash_add_sent (session, type, data, datasize)) < 0)
1143 gnutls_assert ();
1144 _mbuffer_xfree(&bufel);
1145 return ret;
1148 session->internals.last_handshake_out = type;
1150 ret = _gnutls_handshake_io_cache_int (session, type, bufel);
1151 if (ret < 0)
1153 _mbuffer_xfree(&bufel);
1154 gnutls_assert();
1155 return ret;
1158 switch (type)
1160 case GNUTLS_HANDSHAKE_CERTIFICATE_PKT: /* this one is followed by ServerHelloDone
1161 * or ClientKeyExchange always.
1163 case GNUTLS_HANDSHAKE_CERTIFICATE_STATUS:
1164 case GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE: /* as above */
1165 case GNUTLS_HANDSHAKE_SERVER_HELLO: /* as above */
1166 case GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST: /* as above */
1167 case GNUTLS_HANDSHAKE_NEW_SESSION_TICKET: /* followed by ChangeCipherSpec */
1169 /* now for client Certificate, ClientKeyExchange and
1170 * CertificateVerify are always followed by ChangeCipherSpec
1172 case GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY:
1173 case GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE:
1174 ret = 0;
1175 break;
1176 default:
1177 /* send cached messages */
1178 ret = _gnutls_handshake_io_write_flush (session);
1179 break;
1182 return ret;
1185 #define CHECK_SIZE(ll) \
1186 if ((session->internals.max_handshake_data_buffer_size > 0) && \
1187 (((ll) + session->internals.handshake_hash_buffer.length) > \
1188 session->internals.max_handshake_data_buffer_size)) \
1189 return gnutls_assert_val(GNUTLS_E_HANDSHAKE_TOO_LARGE)
1191 /* This function add the handshake headers and the
1192 * handshake data to the handshake hash buffers. Needed
1193 * for the finished messages calculations.
1195 static int
1196 _gnutls_handshake_hash_add_recvd (gnutls_session_t session,
1197 gnutls_handshake_description_t recv_type,
1198 uint8_t * header, uint16_t header_size,
1199 uint8_t * dataptr, uint32_t datalen)
1201 int ret;
1203 if ((gnutls_protocol_get_version (session) != GNUTLS_DTLS0_9 &&
1204 recv_type == GNUTLS_HANDSHAKE_HELLO_VERIFY_REQUEST) ||
1205 recv_type == GNUTLS_HANDSHAKE_HELLO_REQUEST)
1206 return 0;
1208 CHECK_SIZE(header_size + datalen);
1210 session->internals.handshake_hash_buffer_prev_len = session->internals.handshake_hash_buffer.length;
1212 if (gnutls_protocol_get_version (session) != GNUTLS_DTLS0_9)
1214 ret = _gnutls_buffer_append_data(&session->internals.handshake_hash_buffer,
1215 header, header_size);
1216 if (ret < 0)
1217 return gnutls_assert_val(ret);
1219 if (datalen > 0)
1221 ret = _gnutls_buffer_append_data(&session->internals.handshake_hash_buffer,
1222 dataptr, datalen);
1223 if (ret < 0)
1224 return gnutls_assert_val(ret);
1227 return 0;
1230 /* This function will store the handshake message we sent.
1232 static int
1233 _gnutls_handshake_hash_add_sent (gnutls_session_t session,
1234 gnutls_handshake_description_t type,
1235 uint8_t * dataptr, uint32_t datalen)
1237 int ret;
1239 /* We don't check for GNUTLS_HANDSHAKE_HELLO_VERIFY_REQUEST because it
1240 * is not sent via that channel.
1242 if (type != GNUTLS_HANDSHAKE_HELLO_REQUEST)
1244 CHECK_SIZE(datalen);
1246 if (gnutls_protocol_get_version (session) == GNUTLS_DTLS0_9)
1248 /* Old DTLS doesn't include the header in the MAC */
1249 if (datalen <= 12)
1251 gnutls_assert ();
1252 return GNUTLS_E_INVALID_REQUEST;
1254 dataptr += 12;
1255 datalen -= 12;
1258 ret = _gnutls_buffer_append_data(&session->internals.handshake_hash_buffer,
1259 dataptr, datalen);
1260 if (ret < 0)
1261 return gnutls_assert_val(ret);
1263 return 0;
1266 return 0;
1270 /* This function will receive handshake messages of the given types,
1271 * and will pass the message to the right place in order to be processed.
1272 * E.g. for the SERVER_HELLO message (if it is expected), it will be
1273 * passed to _gnutls_recv_hello().
1276 _gnutls_recv_handshake (gnutls_session_t session,
1277 gnutls_handshake_description_t type,
1278 unsigned int optional, gnutls_buffer_st* buf)
1280 int ret;
1281 handshake_buffer_st hsk;
1283 ret =
1284 _gnutls_handshake_io_recv_int (session, type, &hsk, optional);
1285 if (ret < 0)
1287 if (optional != 0 && ret == GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET)
1289 if (buf) _gnutls_buffer_init(buf);
1290 return 0;
1293 return gnutls_assert_val_fatal(ret);
1296 ret = _gnutls_handshake_hash_add_recvd (session, hsk.htype,
1297 hsk.header, hsk.header_size,
1298 hsk.data.data, hsk.data.length);
1299 if (ret < 0)
1301 gnutls_assert ();
1302 goto cleanup;
1305 switch (hsk.htype)
1307 case GNUTLS_HANDSHAKE_CLIENT_HELLO_V2:
1308 case GNUTLS_HANDSHAKE_CLIENT_HELLO:
1309 case GNUTLS_HANDSHAKE_SERVER_HELLO:
1310 if (hsk.htype == GNUTLS_HANDSHAKE_CLIENT_HELLO_V2)
1311 ret = _gnutls_read_client_hello_v2 (session, hsk.data.data, hsk.data.length);
1312 else
1313 ret = _gnutls_recv_hello (session, hsk.data.data, hsk.data.length);
1315 if (ret < 0)
1317 gnutls_assert();
1318 goto cleanup;
1321 goto cleanup; /* caller doesn't need dataptr */
1323 break;
1324 case GNUTLS_HANDSHAKE_HELLO_VERIFY_REQUEST:
1325 ret = _gnutls_recv_hello_verify_request (session, hsk.data.data, hsk.data.length);
1326 if (ret < 0)
1328 gnutls_assert();
1329 goto cleanup;
1331 else
1332 /* Signal our caller we have received a verification cookie
1333 and ClientHello needs to be sent again. */
1334 ret = 1;
1336 goto cleanup; /* caller doesn't need dataptr */
1338 break;
1339 case GNUTLS_HANDSHAKE_SERVER_HELLO_DONE:
1340 if (hsk.data.length == 0)
1341 ret = 0;
1342 else
1344 gnutls_assert();
1345 ret = GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
1346 goto cleanup;
1348 break;
1349 case GNUTLS_HANDSHAKE_CERTIFICATE_PKT:
1350 case GNUTLS_HANDSHAKE_CERTIFICATE_STATUS:
1351 case GNUTLS_HANDSHAKE_FINISHED:
1352 case GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE:
1353 case GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE:
1354 case GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST:
1355 case GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY:
1356 case GNUTLS_HANDSHAKE_SUPPLEMENTAL:
1357 case GNUTLS_HANDSHAKE_NEW_SESSION_TICKET:
1358 ret = hsk.data.length;
1359 break;
1360 default:
1361 gnutls_assert ();
1362 /* we shouldn't actually arrive here in any case .
1363 * unexpected messages should be catched after _gnutls_handshake_io_recv_int()
1365 ret = GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET;
1366 goto cleanup;
1369 if (buf)
1371 *buf = hsk.data;
1372 return ret;
1375 cleanup:
1376 _gnutls_handshake_buffer_clear (&hsk);
1377 return ret;
1380 /* This function checks if the given cipher suite is supported, and sets it
1381 * to the session;
1383 static int
1384 _gnutls_client_set_ciphersuite (gnutls_session_t session, uint8_t suite[2])
1386 uint8_t z;
1387 uint8_t cipher_suites[MAX_CIPHERSUITE_SIZE];
1388 int cipher_suite_size;
1389 int i, err;
1391 z = 1;
1392 cipher_suite_size = _gnutls_supported_ciphersuites (session, cipher_suites, sizeof(cipher_suites));
1393 if (cipher_suite_size < 0)
1395 gnutls_assert ();
1396 return cipher_suite_size;
1399 for (i = 0; i < cipher_suite_size; i+=2)
1401 if (memcmp (&cipher_suites[i], suite, 2) == 0)
1403 z = 0;
1404 break;
1408 if (z != 0)
1410 gnutls_assert ();
1411 _gnutls_handshake_log("HSK[%p]: unsupported cipher suite %.2X.%.2X\n", session,
1412 (unsigned int)suite[0], (unsigned int)suite[1]);
1413 return GNUTLS_E_UNKNOWN_CIPHER_SUITE;
1416 memcpy (session->security_parameters.cipher_suite, suite, 2);
1417 _gnutls_epoch_set_cipher_suite (session, EPOCH_NEXT,
1418 session->
1419 security_parameters.cipher_suite);
1421 _gnutls_handshake_log ("HSK[%p]: Selected cipher suite: %s\n", session,
1422 _gnutls_cipher_suite_get_name
1423 (session->
1424 security_parameters.cipher_suite));
1427 /* check if the credentials (username, public key etc.) are ok.
1428 * Actually checks if they exist.
1430 if (!session->internals.premaster_set &&
1431 _gnutls_get_kx_cred
1432 (session,
1433 _gnutls_cipher_suite_get_kx_algo
1434 (session->security_parameters.cipher_suite), &err) == NULL
1435 && err != 0)
1437 gnutls_assert ();
1438 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
1442 /* set the mod_auth_st to the appropriate struct
1443 * according to the KX algorithm. This is needed since all the
1444 * handshake functions are read from there;
1446 session->internals.auth_struct =
1447 _gnutls_kx_auth_struct (_gnutls_cipher_suite_get_kx_algo
1448 (session->
1449 security_parameters.cipher_suite));
1451 if (session->internals.auth_struct == NULL)
1454 _gnutls_handshake_log
1455 ("HSK[%p]: Cannot find the appropriate handler for the KX algorithm\n",
1456 session);
1457 gnutls_assert ();
1458 return GNUTLS_E_INTERNAL_ERROR;
1462 return 0;
1465 /* This function sets the given comp method to the session.
1467 static int
1468 _gnutls_client_set_comp_method (gnutls_session_t session, uint8_t comp_method)
1470 int comp_methods_num;
1471 uint8_t compression_methods[MAX_ALGOS];
1472 int id = _gnutls_compression_get_id(comp_method);
1473 int i;
1475 _gnutls_handshake_log ("HSK[%p]: Selected compression method: %s (%d)\n", session,
1476 gnutls_compression_get_name(id), (int)comp_method);
1478 comp_methods_num = _gnutls_supported_compression_methods (session,
1479 compression_methods, MAX_ALGOS);
1480 if (comp_methods_num < 0)
1482 gnutls_assert ();
1483 return comp_methods_num;
1486 for (i = 0; i < comp_methods_num; i++)
1488 if (compression_methods[i] == comp_method)
1490 comp_methods_num = 0;
1491 break;
1495 if (comp_methods_num != 0)
1497 gnutls_assert ();
1498 return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM;
1501 session->security_parameters.compression_method = id;
1502 _gnutls_epoch_set_compression (session, EPOCH_NEXT, id);
1504 return 0;
1507 /* This function returns 0 if we are resuming a session or -1 otherwise.
1508 * This also sets the variables in the session. Used only while reading a server
1509 * hello.
1511 static int
1512 _gnutls_client_check_if_resuming (gnutls_session_t session,
1513 uint8_t * session_id, int session_id_len)
1515 char buf[2 * TLS_MAX_SESSION_ID_SIZE + 1];
1517 _gnutls_handshake_log ("HSK[%p]: SessionID length: %d\n", session,
1518 session_id_len);
1519 _gnutls_handshake_log ("HSK[%p]: SessionID: %s\n", session,
1520 _gnutls_bin2hex (session_id, session_id_len, buf,
1521 sizeof (buf), NULL));
1523 if (session_id_len > 0 &&
1524 session->internals.resumed_security_parameters.session_id_size ==
1525 session_id_len
1526 && memcmp (session_id,
1527 session->internals.resumed_security_parameters.session_id,
1528 session_id_len) == 0)
1530 /* resume session */
1531 memcpy (session->internals.resumed_security_parameters.server_random,
1532 session->security_parameters.server_random, GNUTLS_RANDOM_SIZE);
1533 memcpy (session->internals.resumed_security_parameters.client_random,
1534 session->security_parameters.client_random, GNUTLS_RANDOM_SIZE);
1536 _gnutls_epoch_set_cipher_suite
1537 (session, EPOCH_NEXT,
1538 session->internals.
1539 resumed_security_parameters.cipher_suite);
1540 _gnutls_epoch_set_compression (session, EPOCH_NEXT,
1541 session->
1542 internals.resumed_security_parameters.compression_method);
1544 session->internals.resumed = RESUME_TRUE; /* we are resuming */
1546 return 0;
1548 else
1550 /* keep the new session id */
1551 session->internals.resumed = RESUME_FALSE; /* we are not resuming */
1552 session->security_parameters.session_id_size = session_id_len;
1553 memcpy (session->security_parameters.session_id,
1554 session_id, session_id_len);
1556 return -1;
1561 /* This function reads and parses the server hello handshake message.
1562 * This function also restores resumed parameters if we are resuming a
1563 * session.
1565 static int
1566 _gnutls_read_server_hello (gnutls_session_t session,
1567 uint8_t * data, int datalen)
1569 uint8_t session_id_len = 0;
1570 int pos = 0;
1571 int ret = 0;
1572 gnutls_protocol_t version;
1573 int len = datalen;
1575 if (datalen < 38)
1577 gnutls_assert ();
1578 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
1581 _gnutls_handshake_log ("HSK[%p]: Server's version: %d.%d\n",
1582 session, data[pos], data[pos + 1]);
1584 DECR_LEN (len, 2);
1585 version = _gnutls_version_get (data[pos], data[pos + 1]);
1586 if (_gnutls_version_is_supported (session, version) == 0)
1588 gnutls_assert ();
1589 return GNUTLS_E_UNSUPPORTED_VERSION_PACKET;
1591 else
1593 _gnutls_set_current_version (session, version);
1596 pos += 2;
1598 DECR_LEN (len, GNUTLS_RANDOM_SIZE);
1599 _gnutls_set_server_random (session, &data[pos]);
1600 pos += GNUTLS_RANDOM_SIZE;
1603 /* Read session ID
1605 DECR_LEN (len, 1);
1606 session_id_len = data[pos++];
1608 if (len < session_id_len)
1610 gnutls_assert ();
1611 return GNUTLS_E_UNSUPPORTED_VERSION_PACKET;
1613 DECR_LEN (len, session_id_len);
1615 /* check if we are resuming and set the appropriate
1616 * values;
1618 if (_gnutls_client_check_if_resuming
1619 (session, &data[pos], session_id_len) == 0)
1621 pos += session_id_len + 2 + 1;
1622 DECR_LEN (len, 2 + 1);
1624 ret = _gnutls_parse_extensions (session, GNUTLS_EXT_MANDATORY,
1625 &data[pos], len);
1626 if (ret < 0)
1628 gnutls_assert ();
1629 return ret;
1631 return 0;
1634 pos += session_id_len;
1636 /* Check if the given cipher suite is supported and copy
1637 * it to the session.
1640 DECR_LEN (len, 2);
1641 ret = _gnutls_client_set_ciphersuite (session, &data[pos]);
1642 if (ret < 0)
1644 gnutls_assert ();
1645 return ret;
1647 pos += 2;
1649 /* move to compression
1651 DECR_LEN (len, 1);
1653 ret = _gnutls_client_set_comp_method (session, data[pos++]);
1654 if (ret < 0)
1656 gnutls_assert ();
1657 return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM;
1660 /* Parse extensions.
1662 ret = _gnutls_parse_extensions (session, GNUTLS_EXT_ANY, &data[pos], len);
1663 if (ret < 0)
1665 gnutls_assert ();
1666 return ret;
1669 return ret;
1673 /* This function copies the appropriate ciphersuites to a locally allocated buffer
1674 * Needed in client hello messages. Returns the new data length. If add_scsv is
1675 * true, add the special safe renegotiation CS.
1677 static int
1678 _gnutls_copy_ciphersuites (gnutls_session_t session,
1679 gnutls_buffer_st * cdata,
1680 int add_scsv)
1682 int ret;
1683 uint8_t cipher_suites[MAX_CIPHERSUITE_SIZE+2];
1684 int cipher_suites_size;
1685 size_t init_length = cdata->length;
1687 ret = _gnutls_supported_ciphersuites (session, cipher_suites, sizeof(cipher_suites)-2);
1688 if (ret < 0)
1689 return gnutls_assert_val(ret);
1691 /* Here we remove any ciphersuite that does not conform
1692 * the certificate requested, or to the
1693 * authentication requested (eg SRP).
1695 ret =
1696 _gnutls_remove_unwanted_ciphersuites (session, cipher_suites, ret, NULL, 0);
1697 if (ret < 0)
1698 return gnutls_assert_val(ret);
1700 /* If no cipher suites were enabled.
1702 if (ret == 0)
1703 return gnutls_assert_val(GNUTLS_E_INSUFFICIENT_CREDENTIALS);
1705 cipher_suites_size = ret;
1706 if (add_scsv)
1708 cipher_suites[cipher_suites_size] = 0x00;
1709 cipher_suites[cipher_suites_size+1] = 0xff;
1710 cipher_suites_size += 2;
1712 ret = _gnutls_ext_sr_send_cs (session);
1713 if (ret < 0)
1714 return gnutls_assert_val(ret);
1717 ret = _gnutls_buffer_append_data_prefix(cdata, 16, cipher_suites, cipher_suites_size);
1718 if (ret < 0)
1719 return gnutls_assert_val(ret);
1721 ret = cdata->length - init_length;
1723 return ret;
1727 /* This function copies the appropriate compression methods, to a locally allocated buffer
1728 * Needed in hello messages. Returns the new data length.
1730 static int
1731 _gnutls_copy_comp_methods (gnutls_session_t session,
1732 gnutls_buffer_st * cdata)
1734 int ret;
1735 uint8_t compression_methods[MAX_ALGOS], comp_num;
1736 size_t init_length = cdata->length;
1738 ret = _gnutls_supported_compression_methods (session, compression_methods, MAX_ALGOS);
1739 if (ret < 0)
1740 return gnutls_assert_val(ret);
1742 comp_num = ret;
1744 /* put the number of compression methods */
1745 ret = _gnutls_buffer_append_prefix(cdata, 8, comp_num);
1746 if (ret < 0)
1747 return gnutls_assert_val(ret);
1749 ret = _gnutls_buffer_append_data(cdata, compression_methods, comp_num);
1750 if (ret < 0)
1751 return gnutls_assert_val(ret);
1753 ret = cdata->length - init_length;
1755 return ret;
1758 /* This should be sufficient by now. It should hold all the extensions
1759 * plus the headers in a hello message.
1761 #define MAX_EXT_DATA_LENGTH 32*1024
1763 /* This function sends the client hello handshake message.
1765 static int
1766 _gnutls_send_client_hello (gnutls_session_t session, int again)
1768 mbuffer_st *bufel = NULL;
1769 uint8_t *data = NULL;
1770 int pos = 0, type;
1771 int datalen = 0, ret = 0;
1772 uint8_t rnd[GNUTLS_RANDOM_SIZE];
1773 gnutls_protocol_t hver;
1774 gnutls_buffer_st extdata;
1775 int rehandshake = 0;
1776 uint8_t session_id_len =
1777 session->internals.resumed_security_parameters.session_id_size;
1778 uint8_t cookie_len;
1780 _gnutls_buffer_init(&extdata);
1782 /* note that rehandshake is different than resuming
1784 if (session->security_parameters.session_id_size)
1785 rehandshake = 1;
1787 if (again == 0)
1789 if(IS_DTLS(session))
1791 cookie_len = session->internals.dtls.cookie_len + 1;
1793 else
1795 cookie_len = 0;
1798 datalen = 2 + (session_id_len + 1) + GNUTLS_RANDOM_SIZE + cookie_len;
1799 /* 2 for version, (4 for unix time + 28 for random bytes==GNUTLS_RANDOM_SIZE)
1802 bufel = _gnutls_handshake_alloc (session, datalen, datalen+MAX_EXT_DATA_LENGTH);
1803 if (bufel == NULL)
1805 gnutls_assert ();
1806 return GNUTLS_E_MEMORY_ERROR;
1808 data = _mbuffer_get_udata_ptr (bufel);
1810 /* if we are resuming a session then we set the
1811 * version number to the previously established.
1813 if (session_id_len == 0)
1815 if (rehandshake) /* already negotiated version thus version_max == negotiated version */
1816 hver = session->security_parameters.version;
1817 else /* new handshake. just get the max */
1818 hver = _gnutls_version_max (session);
1820 else
1822 /* we are resuming a session */
1823 hver = session->internals.resumed_security_parameters.version;
1826 if (hver == GNUTLS_VERSION_UNKNOWN || hver == 0)
1828 gnutls_assert ();
1829 gnutls_free (bufel);
1830 return GNUTLS_E_INTERNAL_ERROR;
1833 data[pos++] = _gnutls_version_get_major (hver);
1834 data[pos++] = _gnutls_version_get_minor (hver);
1836 /* Set the version we advertized as maximum
1837 * (RSA uses it).
1839 _gnutls_set_adv_version (session, hver);
1840 _gnutls_set_current_version (session, hver);
1842 if (session->internals.priorities.ssl3_record_version != 0)
1844 /* Advertize the SSL 3.0 record packet version in
1845 * record packets during the handshake.
1846 * That is to avoid confusing implementations
1847 * that do not support TLS 1.2 and don't know
1848 * how 3,3 version of record packets look like.
1850 if (!IS_DTLS(session))
1851 _gnutls_record_set_default_version (session, 3, 0);
1852 else if (gnutls_protocol_get_version (session) == GNUTLS_DTLS0_9)
1853 _gnutls_record_set_default_version (session, 1, 0);
1854 else
1855 _gnutls_record_set_default_version (session, 254, 255);
1858 /* In order to know when this session was initiated.
1860 session->security_parameters.timestamp = gnutls_time (NULL);
1862 /* Generate random data
1864 if (!IS_DTLS (session)
1865 || session->internals.dtls.hsk_hello_verify_requests == 0)
1867 _gnutls_tls_create_random (rnd);
1868 _gnutls_set_client_random (session, rnd);
1870 memcpy (&data[pos], rnd, GNUTLS_RANDOM_SIZE);
1872 else
1873 memcpy (&data[pos], session->security_parameters.client_random, GNUTLS_RANDOM_SIZE);
1875 pos += GNUTLS_RANDOM_SIZE;
1877 /* Copy the Session ID
1879 data[pos++] = session_id_len;
1881 if (session_id_len > 0)
1883 memcpy (&data[pos],
1884 session->internals.resumed_security_parameters.session_id,
1885 session_id_len);
1886 pos += session_id_len;
1889 /* Copy the DTLS cookie
1891 if (IS_DTLS(session))
1893 data[pos++] = session->internals.dtls.cookie_len;
1894 memcpy(&data[pos], &session->internals.dtls.cookie, session->internals.dtls.cookie_len);
1895 /* pos += session->internals.dtls.cookie_len; */
1898 /* Copy the ciphersuites.
1900 * If using SSLv3 Send TLS_RENEGO_PROTECTION_REQUEST SCSV for MITM
1901 * prevention on initial negotiation (but not renegotiation; that's
1902 * handled with the RI extension below).
1904 if (!session->internals.initial_negotiation_completed &&
1905 session->security_parameters.entity == GNUTLS_CLIENT &&
1906 (gnutls_protocol_get_version (session) == GNUTLS_SSL3 ||
1907 session->internals.priorities.no_extensions != 0))
1909 ret =
1910 _gnutls_copy_ciphersuites (session, &extdata, TRUE);
1911 _gnutls_extension_list_add (session,
1912 GNUTLS_EXTENSION_SAFE_RENEGOTIATION);
1914 else
1915 ret = _gnutls_copy_ciphersuites (session, &extdata, FALSE);
1917 if (ret < 0)
1919 gnutls_assert();
1920 goto cleanup;
1923 /* Copy the compression methods.
1925 ret = _gnutls_copy_comp_methods (session, &extdata);
1926 if (ret < 0)
1928 gnutls_assert();
1929 goto cleanup;
1932 /* Generate and copy TLS extensions.
1934 if (session->internals.priorities.no_extensions == 0)
1936 if (_gnutls_version_has_extensions (hver))
1937 type = GNUTLS_EXT_ANY;
1938 else
1940 if (session->internals.initial_negotiation_completed != 0)
1941 type = GNUTLS_EXT_MANDATORY;
1942 else
1943 type = GNUTLS_EXT_NONE;
1946 ret = _gnutls_gen_extensions (session, &extdata, type);
1947 if (ret < 0)
1949 gnutls_assert();
1950 goto cleanup;
1955 ret = _mbuffer_append_data (bufel, extdata.data, extdata.length);
1956 if (ret < 0)
1958 gnutls_assert ();
1959 goto cleanup;
1963 _gnutls_buffer_clear(&extdata);
1965 return
1966 _gnutls_send_handshake (session, bufel, GNUTLS_HANDSHAKE_CLIENT_HELLO);
1968 cleanup:
1969 _mbuffer_xfree(&bufel);
1970 _gnutls_buffer_clear(&extdata);
1971 return ret;
1974 static int
1975 _gnutls_send_server_hello (gnutls_session_t session, int again)
1977 mbuffer_st *bufel = NULL;
1978 uint8_t *data = NULL;
1979 gnutls_buffer_st extdata;
1980 int pos = 0;
1981 int datalen, ret = 0;
1982 uint8_t comp;
1983 uint8_t session_id_len = session->security_parameters.session_id_size;
1984 char buf[2 * TLS_MAX_SESSION_ID_SIZE + 1];
1986 _gnutls_buffer_init(&extdata);
1988 if (again == 0)
1990 datalen = 2 + session_id_len + 1 + GNUTLS_RANDOM_SIZE + 3;
1991 ret =
1992 _gnutls_gen_extensions (session, &extdata, GNUTLS_EXT_ANY);
1993 if (ret < 0)
1995 gnutls_assert ();
1996 goto fail;
1999 bufel = _gnutls_handshake_alloc (session, datalen + extdata.length, datalen + extdata.length);
2000 if (bufel == NULL)
2002 gnutls_assert ();
2003 ret = GNUTLS_E_MEMORY_ERROR;
2004 goto fail;
2006 data = _mbuffer_get_udata_ptr (bufel);
2008 data[pos++] =
2009 _gnutls_version_get_major (session->security_parameters.version);
2010 data[pos++] =
2011 _gnutls_version_get_minor (session->security_parameters.version);
2013 memcpy (&data[pos],
2014 session->security_parameters.server_random, GNUTLS_RANDOM_SIZE);
2015 pos += GNUTLS_RANDOM_SIZE;
2017 data[pos++] = session_id_len;
2018 if (session_id_len > 0)
2020 memcpy (&data[pos], session->security_parameters.session_id,
2021 session_id_len);
2023 pos += session_id_len;
2025 _gnutls_handshake_log ("HSK[%p]: SessionID: %s\n", session,
2026 _gnutls_bin2hex (session->security_parameters.
2027 session_id, session_id_len, buf,
2028 sizeof (buf), NULL));
2030 memcpy (&data[pos],
2031 session->security_parameters.cipher_suite, 2);
2032 pos += 2;
2034 comp = _gnutls_compression_get_num ( session->security_parameters.compression_method);
2035 data[pos++] = comp;
2037 if (extdata.length > 0)
2039 memcpy (&data[pos], extdata.data, extdata.length);
2043 ret =
2044 _gnutls_send_handshake (session, bufel, GNUTLS_HANDSHAKE_SERVER_HELLO);
2046 fail:
2047 _gnutls_buffer_clear(&extdata);
2048 return ret;
2052 _gnutls_send_hello (gnutls_session_t session, int again)
2054 int ret;
2056 if (session->security_parameters.entity == GNUTLS_CLIENT)
2058 ret = _gnutls_send_client_hello (session, again);
2061 else
2062 { /* SERVER */
2063 ret = _gnutls_send_server_hello (session, again);
2066 return ret;
2069 /* RECEIVE A HELLO MESSAGE. This should be called from gnutls_recv_handshake_int only if a
2070 * hello message is expected. It uses the security_parameters.cipher_suite
2071 * and internals.compression_method.
2074 _gnutls_recv_hello (gnutls_session_t session, uint8_t * data, int datalen)
2076 int ret;
2078 if (session->security_parameters.entity == GNUTLS_CLIENT)
2080 ret = _gnutls_read_server_hello (session, data, datalen);
2081 if (ret < 0)
2083 gnutls_assert ();
2084 return ret;
2087 else
2088 { /* Server side reading a client hello */
2090 ret = _gnutls_read_client_hello (session, data, datalen);
2091 if (ret < 0)
2093 gnutls_assert ();
2094 return ret;
2098 ret = _gnutls_ext_sr_verify (session);
2099 if (ret < 0)
2101 gnutls_assert ();
2102 return ret;
2105 return 0;
2108 static int
2109 _gnutls_recv_hello_verify_request (gnutls_session_t session,
2110 uint8_t * data, int datalen)
2112 ssize_t len = datalen;
2113 size_t pos = 0;
2114 uint8_t cookie_len;
2115 unsigned int nb_verifs;
2117 if (!IS_DTLS (session)
2118 || session->security_parameters.entity == GNUTLS_SERVER)
2120 gnutls_assert ();
2121 return GNUTLS_E_INTERNAL_ERROR;
2124 nb_verifs = ++session->internals.dtls.hsk_hello_verify_requests;
2125 if (nb_verifs >= MAX_HANDSHAKE_HELLO_VERIFY_REQUESTS)
2127 /* The server is either buggy, malicious or changing cookie
2128 secrets _way_ too fast. */
2129 gnutls_assert ();
2130 return GNUTLS_E_UNEXPECTED_PACKET;
2133 /* TODO: determine if we need to do anything with the server version field */
2134 DECR_LEN (len, 2);
2135 pos += 2;
2137 DECR_LEN (len, 1);
2138 cookie_len = data[pos];
2139 pos++;
2141 if (cookie_len > DTLS_MAX_COOKIE_SIZE)
2143 gnutls_assert ();
2144 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
2147 DECR_LEN (len, cookie_len);
2149 session->internals.dtls.cookie_len = cookie_len;
2150 memcpy (session->internals.dtls.cookie, &data[pos], cookie_len);
2152 if (len != 0)
2154 gnutls_assert ();
2155 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
2158 /* reset handshake hash buffers */
2159 _gnutls_handshake_hash_buffer_empty (session);
2161 return 0;
2164 /* The packets in gnutls_handshake (it's more broad than original TLS handshake)
2166 * Client Server
2168 * ClientHello -------->
2169 * <-------- ServerHello
2171 * Certificate*
2172 * ServerKeyExchange*
2173 * <-------- CertificateRequest*
2175 * <-------- ServerHelloDone
2176 * Certificate*
2177 * ClientKeyExchange
2178 * CertificateVerify*
2179 * [ChangeCipherSpec]
2180 * Finished -------->
2181 * NewSessionTicket
2182 * [ChangeCipherSpec]
2183 * <-------- Finished
2185 * (*): means optional packet.
2188 /* Handshake when resumming session:
2189 * Client Server
2191 * ClientHello -------->
2192 * ServerHello
2193 * [ChangeCipherSpec]
2194 * <-------- Finished
2195 * [ChangeCipherSpec]
2196 * Finished -------->
2201 * gnutls_rehandshake:
2202 * @session: is a #gnutls_session_t structure.
2204 * This function will renegotiate security parameters with the
2205 * client. This should only be called in case of a server.
2207 * This message informs the peer that we want to renegotiate
2208 * parameters (perform a handshake).
2210 * If this function succeeds (returns 0), you must call the
2211 * gnutls_handshake() function in order to negotiate the new
2212 * parameters.
2214 * Since TLS is full duplex some application data might have been
2215 * sent during peer's processing of this message. In that case
2216 * one should call gnutls_record_recv() until GNUTLS_E_REHANDSHAKE
2217 * is returned to clear any pending data. Care must be taken if
2218 * rehandshake is mandatory to terminate if it does not start after
2219 * some threshold.
2221 * If the client does not wish to renegotiate parameters he will
2222 * should with an alert message, thus the return code will be
2223 * %GNUTLS_E_WARNING_ALERT_RECEIVED and the alert will be
2224 * %GNUTLS_A_NO_RENEGOTIATION. A client may also choose to ignore
2225 * this message.
2227 * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
2230 gnutls_rehandshake (gnutls_session_t session)
2232 int ret;
2234 /* only server sends that handshake packet */
2235 if (session->security_parameters.entity == GNUTLS_CLIENT)
2236 return GNUTLS_E_INVALID_REQUEST;
2238 _dtls_async_timer_delete(session);
2240 ret =
2241 _gnutls_send_empty_handshake (session, GNUTLS_HANDSHAKE_HELLO_REQUEST,
2242 AGAIN (STATE50));
2243 STATE = STATE50;
2245 if (ret < 0)
2247 gnutls_assert ();
2248 return ret;
2250 STATE = STATE0;
2252 return 0;
2255 inline static int
2256 _gnutls_abort_handshake (gnutls_session_t session, int ret)
2258 if (((ret == GNUTLS_E_WARNING_ALERT_RECEIVED) &&
2259 (gnutls_alert_get (session) == GNUTLS_A_NO_RENEGOTIATION))
2260 || ret == GNUTLS_E_GOT_APPLICATION_DATA)
2261 return 0;
2263 /* this doesn't matter */
2264 return GNUTLS_E_INTERNAL_ERROR;
2269 static int
2270 _gnutls_send_supplemental (gnutls_session_t session, int again)
2272 mbuffer_st *bufel;
2273 int ret = 0;
2275 _gnutls_debug_log ("EXT[%p]: Sending supplemental data\n", session);
2277 if (again)
2278 ret =
2279 _gnutls_send_handshake (session, NULL, GNUTLS_HANDSHAKE_SUPPLEMENTAL);
2280 else
2282 gnutls_buffer_st buf;
2283 _gnutls_buffer_init (&buf);
2285 ret = _gnutls_gen_supplemental (session, &buf);
2286 if (ret < 0)
2288 gnutls_assert ();
2289 return ret;
2292 bufel = _gnutls_handshake_alloc(session, buf.length, buf.length);
2293 if (bufel == NULL)
2295 gnutls_assert ();
2296 return GNUTLS_E_MEMORY_ERROR;
2299 _mbuffer_set_udata (bufel, buf.data, buf.length);
2300 _gnutls_buffer_clear (&buf);
2302 ret = _gnutls_send_handshake (session, bufel,
2303 GNUTLS_HANDSHAKE_SUPPLEMENTAL);
2306 return ret;
2309 static int
2310 _gnutls_recv_supplemental (gnutls_session_t session)
2312 gnutls_buffer_st buf;
2313 int ret;
2315 _gnutls_debug_log ("EXT[%p]: Expecting supplemental data\n", session);
2317 ret = _gnutls_recv_handshake (session, GNUTLS_HANDSHAKE_SUPPLEMENTAL,
2318 1, &buf);
2319 if (ret < 0)
2321 gnutls_assert ();
2322 return ret;
2325 ret = _gnutls_parse_supplemental (session, buf.data, buf.length);
2326 if (ret < 0)
2328 gnutls_assert ();
2329 goto cleanup;
2332 cleanup:
2333 _gnutls_buffer_clear(&buf);
2335 return ret;
2339 * gnutls_handshake:
2340 * @session: is a #gnutls_session_t structure.
2342 * This function does the handshake of the TLS/SSL protocol, and
2343 * initializes the TLS connection.
2345 * This function will fail if any problem is encountered, and will
2346 * return a negative error code. In case of a client, if the client
2347 * has asked to resume a session, but the server couldn't, then a
2348 * full handshake will be performed.
2350 * The non-fatal errors such as %GNUTLS_E_AGAIN and
2351 * %GNUTLS_E_INTERRUPTED interrupt the handshake procedure, which
2352 * should be resumed later. Call this function again, until it
2353 * returns 0; cf. gnutls_record_get_direction() and
2354 * gnutls_error_is_fatal().
2356 * If this function is called by a server after a rehandshake request
2357 * then %GNUTLS_E_GOT_APPLICATION_DATA or
2358 * %GNUTLS_E_WARNING_ALERT_RECEIVED may be returned. Note that these
2359 * are non fatal errors, only in the specific case of a rehandshake.
2360 * Their meaning is that the client rejected the rehandshake request or
2361 * in the case of %GNUTLS_E_GOT_APPLICATION_DATA it might also mean that
2362 * some data were pending.
2364 * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
2367 gnutls_handshake (gnutls_session_t session)
2369 int ret;
2370 record_parameters_st *params;
2372 /* sanity check. Verify that there are priorities setup.
2374 if (session->internals.priorities.protocol.algorithms == 0)
2375 return gnutls_assert_val(GNUTLS_E_NO_PRIORITIES_WERE_SET);
2377 if (session->internals.handshake_timeout_ms &&
2378 session->internals.handshake_endtime == 0)
2379 session->internals.handshake_endtime = gnutls_time(0) +
2380 session->internals.handshake_timeout_ms / 1000;
2382 ret = _gnutls_epoch_get (session, session->security_parameters.epoch_next,
2383 &params);
2384 if (ret < 0)
2386 /* We assume the epoch is not allocated if _gnutls_epoch_get fails. */
2387 ret =
2388 _gnutls_epoch_alloc (session, session->security_parameters.epoch_next,
2389 NULL);
2390 if (ret < 0)
2391 return gnutls_assert_val(ret);
2394 if (session->security_parameters.entity == GNUTLS_CLIENT)
2398 ret = _gnutls_handshake_client (session);
2399 } while (ret == 1);
2401 else
2403 ret = _gnutls_handshake_server (session);
2405 if (ret < 0)
2407 /* In the case of a rehandshake abort
2408 * we should reset the handshake's internal state.
2410 if (_gnutls_abort_handshake (session, ret) == 0)
2411 STATE = STATE0;
2413 return ret;
2416 /* clear handshake buffer */
2417 _gnutls_handshake_hash_buffers_clear (session);
2419 if (IS_DTLS(session)==0)
2421 _gnutls_handshake_io_buffer_clear (session);
2423 else
2425 _dtls_async_timer_init(session);
2428 _gnutls_handshake_internal_state_clear (session);
2430 session->security_parameters.epoch_next++;
2432 return 0;
2436 * gnutls_handshake_set_timeout:
2437 * @session: is a #gnutls_session_t structure.
2438 * @ms: is a timeout value in milliseconds
2440 * This function sets the timeout for the handshake process
2441 * to the provided value. Use an @ms value of zero to disable
2442 * timeout.
2444 * Note that in order for the timeout to be enforced
2445 * gnutls_transport_set_pull_timeout_function() must be set.
2448 void
2449 gnutls_handshake_set_timeout (gnutls_session_t session, unsigned int ms)
2451 if (ms == GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT)
2452 ms = 40*1000;
2453 session->internals.handshake_timeout_ms = ms;
2457 #define IMED_RET( str, ret, allow_alert) do { \
2458 if (ret < 0) { \
2459 /* EAGAIN and INTERRUPTED are always non-fatal */ \
2460 if (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED) \
2461 return ret; \
2462 /* a warning alert might interrupt handshake */ \
2463 if (allow_alert != 0 && ret==GNUTLS_E_WARNING_ALERT_RECEIVED) return ret; \
2464 gnutls_assert(); \
2465 ERR( str, ret); \
2466 _gnutls_handshake_hash_buffers_clear(session); \
2467 return ret; \
2468 } } while (0)
2471 /* Runs the certificate verification callback.
2472 * side is either GNUTLS_CLIENT or GNUTLS_SERVER.
2474 static int run_verify_callback(gnutls_session_t session, unsigned int side)
2476 gnutls_certificate_credentials_t cred;
2477 int ret, type;
2479 cred =
2480 (gnutls_certificate_credentials_t) _gnutls_get_cred (session,
2481 GNUTLS_CRD_CERTIFICATE,
2482 NULL);
2484 if (side == GNUTLS_CLIENT)
2485 type = gnutls_auth_server_get_type(session);
2486 else
2487 type = gnutls_auth_client_get_type(session);
2489 if (type != GNUTLS_CRD_CERTIFICATE)
2490 return 0;
2492 if (cred != NULL && cred->verify_callback != NULL)
2494 ret = cred->verify_callback (session);
2495 if (ret != 0)
2496 return GNUTLS_E_CERTIFICATE_ERROR;
2499 return 0;
2503 * _gnutls_handshake_client
2504 * This function performs the client side of the handshake of the TLS/SSL protocol.
2506 static int
2507 _gnutls_handshake_client (gnutls_session_t session)
2509 int ret = 0;
2511 #ifdef HANDSHAKE_DEBUG
2512 char buf[64];
2514 if (session->internals.resumed_security_parameters.session_id_size > 0)
2515 _gnutls_handshake_log ("HSK[%p]: Ask to resume: %s\n", session,
2516 _gnutls_bin2hex (session->
2517 internals.resumed_security_parameters.session_id,
2518 session->
2519 internals.resumed_security_parameters.session_id_size,
2520 buf, sizeof (buf), NULL));
2521 #endif
2523 switch (STATE)
2525 case STATE0:
2526 case STATE1:
2527 ret = _gnutls_send_hello (session, AGAIN (STATE1));
2528 STATE = STATE1;
2529 IMED_RET ("send hello", ret, 1);
2531 case STATE2:
2532 if (IS_DTLS (session))
2534 ret =
2535 _gnutls_recv_handshake (session,
2536 GNUTLS_HANDSHAKE_HELLO_VERIFY_REQUEST,
2537 1, NULL);
2538 STATE = STATE2;
2539 IMED_RET ("recv hello verify", ret, 1);
2541 if (ret == 1)
2543 STATE = STATE0;
2544 return 1;
2547 case STATE3:
2548 /* receive the server hello */
2549 ret =
2550 _gnutls_recv_handshake (session,
2551 GNUTLS_HANDSHAKE_SERVER_HELLO,
2552 0, NULL);
2553 STATE = STATE3;
2554 IMED_RET ("recv hello", ret, 1);
2556 case STATE4:
2557 if (session->security_parameters.do_recv_supplemental)
2559 ret = _gnutls_recv_supplemental (session);
2560 STATE = STATE4;
2561 IMED_RET ("recv supplemental", ret, 1);
2564 case STATE5:
2565 /* RECV CERTIFICATE */
2566 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2567 ret = _gnutls_recv_server_certificate (session);
2568 STATE = STATE5;
2569 IMED_RET ("recv server certificate", ret, 1);
2571 case STATE6:
2572 /* RECV CERTIFICATE STATUS */
2573 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2574 ret = _gnutls_recv_server_certificate_status (session);
2575 STATE = STATE6;
2576 IMED_RET ("recv server certificate", ret, 1);
2578 case STATE7:
2579 ret = run_verify_callback(session, GNUTLS_CLIENT);
2580 STATE = STATE7;
2581 if (ret < 0)
2582 return gnutls_assert_val(ret);
2583 case STATE8:
2584 /* receive the server key exchange */
2585 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2586 ret = _gnutls_recv_server_kx_message (session);
2587 STATE = STATE8;
2588 IMED_RET ("recv server kx message", ret, 1);
2590 case STATE9:
2591 /* receive the server certificate request - if any
2594 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2595 ret = _gnutls_recv_server_crt_request (session);
2596 STATE = STATE9;
2597 IMED_RET ("recv server certificate request message", ret, 1);
2599 case STATE10:
2600 /* receive the server hello done */
2601 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2602 ret =
2603 _gnutls_recv_handshake (session,
2604 GNUTLS_HANDSHAKE_SERVER_HELLO_DONE,
2605 0, NULL);
2606 STATE = STATE10;
2607 IMED_RET ("recv server hello done", ret, 1);
2609 case STATE11:
2610 if (session->security_parameters.do_send_supplemental)
2612 ret = _gnutls_send_supplemental (session, AGAIN (STATE11));
2613 STATE = STATE11;
2614 IMED_RET ("send supplemental", ret, 0);
2617 case STATE12:
2618 /* send our certificate - if any and if requested
2620 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2621 ret = _gnutls_send_client_certificate (session, AGAIN (STATE12));
2622 STATE = STATE12;
2623 IMED_RET ("send client certificate", ret, 0);
2625 case STATE13:
2626 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2627 ret = _gnutls_send_client_kx_message (session, AGAIN (STATE13));
2628 STATE = STATE13;
2629 IMED_RET ("send client kx", ret, 0);
2631 case STATE14:
2632 /* send client certificate verify */
2633 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2634 ret =
2635 _gnutls_send_client_certificate_verify (session, AGAIN (STATE14));
2636 STATE = STATE14;
2637 IMED_RET ("send client certificate verify", ret, 1);
2639 case STATE15:
2640 STATE = STATE15;
2641 if (session->internals.resumed == RESUME_FALSE)
2643 ret = _gnutls_send_handshake_final (session, TRUE);
2644 IMED_RET ("send handshake final 2", ret, 1);
2646 else
2648 ret = _gnutls_recv_new_session_ticket (session);
2649 IMED_RET ("recv handshake new session ticket", ret, 1);
2652 case STATE16:
2653 STATE = STATE16;
2654 if (session->internals.resumed == RESUME_FALSE)
2656 ret = _gnutls_recv_new_session_ticket (session);
2657 IMED_RET ("recv handshake new session ticket", ret, 1);
2659 else
2661 ret = _gnutls_recv_handshake_final (session, TRUE);
2662 IMED_RET ("recv handshake final", ret, 1);
2665 case STATE17:
2666 STATE = STATE17;
2667 if (session->internals.resumed == RESUME_FALSE)
2669 ret = _gnutls_recv_handshake_final (session, FALSE);
2670 IMED_RET ("recv handshake final 2", ret, 1);
2672 else
2674 ret = _gnutls_send_handshake_final (session, FALSE);
2675 IMED_RET ("send handshake final", ret, 1);
2678 STATE = STATE0;
2679 default:
2680 break;
2683 return 0;
2688 /* This function is to be called if the handshake was successfully
2689 * completed. This sends a Change Cipher Spec packet to the peer.
2691 static ssize_t
2692 send_change_cipher_spec (gnutls_session_t session, int again)
2694 uint8_t* data;
2695 mbuffer_st * bufel;
2696 int ret;
2698 if (again == 0)
2700 bufel = _gnutls_handshake_alloc (session, 1, 1);
2701 if (bufel == NULL)
2702 return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
2704 if (gnutls_protocol_get_version (session) == GNUTLS_DTLS0_9)
2705 _mbuffer_set_uhead_size(bufel, 3);
2706 else
2707 _mbuffer_set_uhead_size(bufel, 1);
2708 _mbuffer_set_udata_size(bufel, 0);
2710 data = _mbuffer_get_uhead_ptr (bufel);
2712 data[0] = 1;
2713 if (gnutls_protocol_get_version (session) == GNUTLS_DTLS0_9)
2715 _gnutls_write_uint16 (session->internals.dtls.hsk_write_seq, &data[1]);
2716 session->internals.dtls.hsk_write_seq++;
2719 ret = _gnutls_handshake_io_cache_int (session, GNUTLS_HANDSHAKE_CHANGE_CIPHER_SPEC, bufel);
2720 if (ret < 0)
2722 _mbuffer_xfree(&bufel);
2723 return gnutls_assert_val(ret);
2726 _gnutls_handshake_log ("REC[%p]: Sent ChangeCipherSpec\n", session);
2729 return 0;
2732 /* This function sends the final handshake packets and initializes connection
2734 static int
2735 _gnutls_send_handshake_final (gnutls_session_t session, int init)
2737 int ret = 0;
2739 /* Send the CHANGE CIPHER SPEC PACKET */
2741 switch (FINAL_STATE)
2743 case STATE0:
2744 case STATE1:
2745 ret = send_change_cipher_spec (session, FAGAIN (STATE1));
2746 FINAL_STATE = STATE0;
2748 if (ret < 0)
2750 ERR ("send ChangeCipherSpec", ret);
2751 gnutls_assert ();
2752 return ret;
2754 /* Initialize the connection session (start encryption) - in case of client
2756 if (init == TRUE)
2758 ret = _gnutls_connection_state_init (session);
2759 if (ret < 0)
2761 gnutls_assert ();
2762 return ret;
2766 ret = _gnutls_write_connection_state_init (session);
2767 if (ret < 0)
2769 gnutls_assert ();
2770 return ret;
2773 case STATE2:
2774 /* send the finished message */
2775 ret = _gnutls_send_finished (session, FAGAIN (STATE2));
2776 FINAL_STATE = STATE2;
2777 if (ret < 0)
2779 ERR ("send Finished", ret);
2780 gnutls_assert ();
2781 return ret;
2784 FINAL_STATE = STATE0;
2785 default:
2786 break;
2789 return 0;
2792 /* This function receives the final handshake packets
2793 * And executes the appropriate function to initialize the
2794 * read session.
2796 static int
2797 _gnutls_recv_handshake_final (gnutls_session_t session, int init)
2799 int ret = 0;
2800 uint8_t ch;
2801 unsigned int ccs_len = 1;
2802 unsigned int tleft;
2804 ret = handshake_remaining_time(session);
2805 if (ret < 0)
2806 return gnutls_assert_val(ret);
2807 tleft = ret;
2809 switch (FINAL_STATE)
2811 case STATE0:
2812 case STATE30:
2813 FINAL_STATE = STATE30;
2815 /* This is the last flight and peer cannot be sure
2816 * we have received it unless we notify him. So we
2817 * wait for a message and retransmit if needed. */
2818 if (IS_DTLS(session) && !_dtls_is_async(session) &&
2819 (gnutls_record_check_pending (session) +
2820 record_check_unprocessed (session)) == 0)
2822 ret = _dtls_wait_and_retransmit(session);
2823 if (ret < 0)
2824 return gnutls_assert_val(ret);
2827 if (gnutls_protocol_get_version (session) == GNUTLS_DTLS0_9)
2828 ccs_len = 3;
2830 ret = _gnutls_recv_int (session, GNUTLS_CHANGE_CIPHER_SPEC, -1, &ch, ccs_len, NULL,
2831 tleft);
2832 if (ret <= 0)
2834 ERR ("recv ChangeCipherSpec", ret);
2835 gnutls_assert ();
2836 return (ret < 0) ? ret : GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
2839 if (gnutls_protocol_get_version (session) == GNUTLS_DTLS0_9)
2840 session->internals.dtls.hsk_read_seq++;
2842 /* Initialize the connection session (start encryption) - in case of server */
2843 if (init == TRUE)
2845 ret = _gnutls_connection_state_init (session);
2846 if (ret < 0)
2848 gnutls_assert ();
2849 return ret;
2853 ret = _gnutls_read_connection_state_init (session);
2854 if (ret < 0)
2856 gnutls_assert ();
2857 return ret;
2860 case STATE31:
2861 FINAL_STATE = STATE31;
2863 if (IS_DTLS(session) && !_dtls_is_async(session) &&
2864 (gnutls_record_check_pending( session) +
2865 record_check_unprocessed (session)) == 0)
2867 ret = _dtls_wait_and_retransmit(session);
2868 if (ret < 0)
2869 return gnutls_assert_val(ret);
2872 ret = _gnutls_recv_finished (session);
2873 if (ret < 0)
2875 ERR ("recv finished", ret);
2876 gnutls_assert ();
2877 return ret;
2879 FINAL_STATE = STATE0;
2880 default:
2881 break;
2885 return 0;
2889 * _gnutls_handshake_server
2890 * This function does the server stuff of the handshake protocol.
2892 static int
2893 _gnutls_handshake_server (gnutls_session_t session)
2895 int ret = 0;
2897 switch (STATE)
2899 case STATE0:
2900 case STATE1:
2901 ret =
2902 _gnutls_recv_handshake (session,
2903 GNUTLS_HANDSHAKE_CLIENT_HELLO,
2904 0, NULL);
2905 STATE = STATE1;
2906 IMED_RET ("recv hello", ret, 1);
2908 case STATE2:
2909 ret = _gnutls_send_hello (session, AGAIN (STATE2));
2910 STATE = STATE2;
2911 IMED_RET ("send hello", ret, 1);
2913 case STATE70:
2914 if (session->security_parameters.do_send_supplemental)
2916 ret = _gnutls_send_supplemental (session, AGAIN (STATE70));
2917 STATE = STATE70;
2918 IMED_RET ("send supplemental data", ret, 0);
2921 /* SEND CERTIFICATE + KEYEXCHANGE + CERTIFICATE_REQUEST */
2922 case STATE3:
2923 /* NOTE: these should not be send if we are resuming */
2925 if (session->internals.resumed == RESUME_FALSE)
2926 ret = _gnutls_send_server_certificate (session, AGAIN (STATE3));
2927 STATE = STATE3;
2928 IMED_RET ("send server certificate", ret, 0);
2930 case STATE4:
2931 if (session->internals.resumed == RESUME_FALSE)
2932 ret = _gnutls_send_server_certificate_status (session, AGAIN (STATE4));
2933 STATE = STATE4;
2934 IMED_RET ("send server certificate status", ret, 0);
2936 case STATE5:
2937 /* send server key exchange (A) */
2938 if (session->internals.resumed == RESUME_FALSE)
2939 ret = _gnutls_send_server_kx_message (session, AGAIN (STATE5));
2940 STATE = STATE5;
2941 IMED_RET ("send server kx", ret, 0);
2943 case STATE6:
2944 /* Send certificate request - if requested to */
2945 if (session->internals.resumed == RESUME_FALSE)
2946 ret =
2947 _gnutls_send_server_crt_request (session, AGAIN (STATE6));
2948 STATE = STATE6;
2949 IMED_RET ("send server cert request", ret, 0);
2951 case STATE7:
2952 /* send the server hello done */
2953 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2954 ret =
2955 _gnutls_send_empty_handshake (session,
2956 GNUTLS_HANDSHAKE_SERVER_HELLO_DONE,
2957 AGAIN (STATE7));
2958 STATE = STATE7;
2959 IMED_RET ("send server hello done", ret, 1);
2961 case STATE71:
2962 if (session->security_parameters.do_recv_supplemental)
2964 ret = _gnutls_recv_supplemental (session);
2965 STATE = STATE71;
2966 IMED_RET ("recv client supplemental", ret, 1);
2969 /* RECV CERTIFICATE + KEYEXCHANGE + CERTIFICATE_VERIFY */
2970 case STATE8:
2971 /* receive the client certificate message */
2972 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2973 ret = _gnutls_recv_client_certificate (session);
2974 STATE = STATE8;
2975 IMED_RET ("recv client certificate", ret, 1);
2977 case STATE9:
2978 ret = run_verify_callback(session, GNUTLS_SERVER);
2979 STATE = STATE9;
2980 if (ret < 0)
2981 return gnutls_assert_val(ret);
2983 case STATE10:
2984 /* receive the client key exchange message */
2985 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2986 ret = _gnutls_recv_client_kx_message (session);
2987 STATE = STATE10;
2988 IMED_RET ("recv client kx", ret, 1);
2990 case STATE11:
2991 /* receive the client certificate verify message */
2992 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2993 ret = _gnutls_recv_client_certificate_verify_message (session);
2994 STATE = STATE11;
2995 IMED_RET ("recv client certificate verify", ret, 1);
2997 case STATE12:
2998 STATE = STATE12;
2999 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
3001 ret = _gnutls_recv_handshake_final (session, TRUE);
3002 IMED_RET ("recv handshake final", ret, 1);
3004 else
3006 ret = _gnutls_send_handshake_final (session, TRUE);
3007 IMED_RET ("send handshake final 2", ret, 1);
3010 case STATE13:
3011 ret = _gnutls_send_new_session_ticket (session, AGAIN (STATE13));
3012 STATE = STATE13;
3013 IMED_RET ("send handshake new session ticket", ret, 0);
3015 case STATE14:
3016 STATE = STATE14;
3017 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
3019 ret = _gnutls_send_handshake_final (session, FALSE);
3020 IMED_RET ("send handshake final", ret, 1);
3022 else
3024 ret = _gnutls_recv_handshake_final (session, FALSE);
3025 IMED_RET ("recv handshake final 2", ret, 1);
3028 if (session->security_parameters.entity == GNUTLS_SERVER && session->internals.ticket_sent == 0)
3030 /* if no ticket, save session data */
3031 _gnutls_server_register_current_session (session);
3034 STATE = STATE0;
3035 default:
3036 break;
3039 return 0;
3044 _gnutls_generate_session_id (uint8_t * session_id, uint8_t * len)
3046 int ret;
3048 *len = TLS_MAX_SESSION_ID_SIZE;
3050 ret = _gnutls_rnd (GNUTLS_RND_NONCE, session_id, *len);
3051 if (ret < 0)
3053 gnutls_assert ();
3054 return ret;
3057 return 0;
3061 _gnutls_recv_hello_request (gnutls_session_t session, void *data,
3062 uint32_t data_size)
3064 uint8_t type;
3066 if (session->security_parameters.entity == GNUTLS_SERVER)
3068 gnutls_assert ();
3069 return GNUTLS_E_UNEXPECTED_PACKET;
3071 if (data_size < 1)
3073 gnutls_assert ();
3074 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
3076 type = ((uint8_t *) data)[0];
3077 if (type == GNUTLS_HANDSHAKE_HELLO_REQUEST)
3079 if (IS_DTLS(session))
3080 session->internals.dtls.hsk_read_seq++;
3081 return GNUTLS_E_REHANDSHAKE;
3083 else
3085 gnutls_assert ();
3086 return GNUTLS_E_UNEXPECTED_PACKET;
3090 /* Returns 1 if the given KX has not the corresponding parameters
3091 * (DH or RSA) set up. Otherwise returns 0.
3093 inline static int
3094 check_server_params (gnutls_session_t session,
3095 gnutls_kx_algorithm_t kx,
3096 gnutls_kx_algorithm_t * alg, int alg_size)
3098 int cred_type;
3099 gnutls_dh_params_t dh_params = NULL;
3100 gnutls_rsa_params_t rsa_params = NULL;
3101 int j;
3103 cred_type = _gnutls_map_kx_get_cred (kx, 1);
3105 /* Read the Diffie-Hellman parameters, if any.
3107 if (cred_type == GNUTLS_CRD_CERTIFICATE)
3109 int delete;
3110 gnutls_certificate_credentials_t x509_cred =
3111 (gnutls_certificate_credentials_t) _gnutls_get_cred (session,
3112 cred_type, NULL);
3114 if (x509_cred != NULL)
3116 dh_params =
3117 _gnutls_get_dh_params (x509_cred->dh_params,
3118 x509_cred->params_func, session);
3119 rsa_params =
3120 _gnutls_certificate_get_rsa_params (x509_cred->rsa_params,
3121 x509_cred->params_func,
3122 session);
3125 /* Check also if the certificate supports the
3126 * KX method.
3128 delete = 1;
3129 for (j = 0; j < alg_size; j++)
3131 if (alg[j] == kx)
3133 delete = 0;
3134 break;
3138 if (delete == 1)
3139 return 1;
3141 #ifdef ENABLE_ANON
3143 else if (cred_type == GNUTLS_CRD_ANON)
3145 gnutls_anon_server_credentials_t anon_cred =
3146 (gnutls_anon_server_credentials_t) _gnutls_get_cred (session,
3147 cred_type, NULL);
3149 if (anon_cred != NULL)
3151 dh_params =
3152 _gnutls_get_dh_params (anon_cred->dh_params,
3153 anon_cred->params_func, session);
3155 #endif
3156 #ifdef ENABLE_PSK
3158 else if (cred_type == GNUTLS_CRD_PSK)
3160 gnutls_psk_server_credentials_t psk_cred =
3161 (gnutls_psk_server_credentials_t) _gnutls_get_cred (session,
3162 cred_type, NULL);
3164 if (psk_cred != NULL)
3166 dh_params =
3167 _gnutls_get_dh_params (psk_cred->dh_params, psk_cred->params_func,
3168 session);
3170 #endif
3172 else
3173 return 0; /* no need for params */
3176 /* If the key exchange method needs RSA or DH params,
3177 * but they are not set then remove it.
3179 if (_gnutls_kx_needs_rsa_params (kx) != 0)
3181 /* needs rsa params. */
3182 if (_gnutls_rsa_params_to_mpi (rsa_params) == NULL)
3184 gnutls_assert ();
3185 return 1;
3189 if (_gnutls_kx_needs_dh_params (kx) != 0)
3191 /* needs DH params. */
3192 if (_gnutls_dh_params_to_mpi (dh_params) == NULL)
3194 gnutls_assert ();
3195 return 1;
3199 return 0;
3202 /* This function will remove algorithms that are not supported by
3203 * the requested authentication method. We remove an algorithm if
3204 * we have a certificate with keyUsage bits set.
3206 * This does a more high level check than gnutls_supported_ciphersuites(),
3207 * by checking certificates etc.
3209 static int
3210 _gnutls_remove_unwanted_ciphersuites (gnutls_session_t session,
3211 uint8_t * cipher_suites,
3212 int cipher_suites_size,
3213 gnutls_pk_algorithm_t *pk_algos,
3214 size_t pk_algos_size)
3217 int ret = 0;
3218 int i, new_suites_size;
3219 gnutls_certificate_credentials_t cert_cred;
3220 gnutls_kx_algorithm_t kx;
3221 int server = session->security_parameters.entity == GNUTLS_SERVER ? 1 : 0;
3222 gnutls_kx_algorithm_t alg[MAX_ALGOS];
3223 int alg_size = MAX_ALGOS;
3225 /* if we should use a specific certificate,
3226 * we should remove all algorithms that are not supported
3227 * by that certificate and are on the same authentication
3228 * method (CERTIFICATE).
3231 cert_cred =
3232 (gnutls_certificate_credentials_t) _gnutls_get_cred (session,
3233 GNUTLS_CRD_CERTIFICATE,
3234 NULL);
3236 /* If there are certificate credentials, find an appropriate certificate
3237 * or disable them;
3239 if (session->security_parameters.entity == GNUTLS_SERVER
3240 && cert_cred != NULL && pk_algos_size > 0)
3242 ret = _gnutls_server_select_cert (session, pk_algos, pk_algos_size);
3243 if (ret < 0)
3245 gnutls_assert ();
3246 _gnutls_debug_log ("Could not find an appropriate certificate: %s\n",
3247 gnutls_strerror (ret));
3251 /* get all the key exchange algorithms that are
3252 * supported by the X509 certificate parameters.
3254 if ((ret =
3255 _gnutls_selected_cert_supported_kx (session, alg, &alg_size)) < 0)
3257 gnutls_assert ();
3258 return ret;
3261 new_suites_size = 0;
3263 /* now removes ciphersuites based on the KX algorithm
3265 for (i = 0; i < cipher_suites_size; i+=2)
3267 int delete = 0;
3269 /* finds the key exchange algorithm in
3270 * the ciphersuite
3272 kx = _gnutls_cipher_suite_get_kx_algo (&cipher_suites[i]);
3274 /* if it is defined but had no credentials
3276 if (!session->internals.premaster_set &&
3277 _gnutls_get_kx_cred (session, kx, NULL) == NULL)
3279 delete = 1;
3281 else
3283 delete = 0;
3285 if (server)
3286 delete = check_server_params (session, kx, alg, alg_size);
3289 /* If we have not agreed to a common curve with the peer don't bother
3290 * negotiating ECDH.
3292 if (server != 0 && _gnutls_kx_is_ecc(kx))
3294 if (_gnutls_session_ecc_curve_get(session) == GNUTLS_ECC_CURVE_INVALID)
3296 delete = 1;
3300 /* These two SRP kx's are marked to require a CRD_CERTIFICATE,
3301 (see cred_mappings in gnutls_algorithms.c), but it also
3302 requires a SRP credential. Don't use SRP kx unless we have a
3303 SRP credential too. */
3304 if (kx == GNUTLS_KX_SRP_RSA || kx == GNUTLS_KX_SRP_DSS)
3306 if (!_gnutls_get_cred (session, GNUTLS_CRD_SRP, NULL))
3308 delete = 1;
3312 if (delete == 0)
3315 _gnutls_handshake_log ("HSK[%p]: Keeping ciphersuite: %s (%.2X.%.2X)\n",
3316 session,
3317 _gnutls_cipher_suite_get_name (&cipher_suites[i]),
3318 cipher_suites[i], cipher_suites[i+1]);
3320 if (i != new_suites_size)
3321 memmove( &cipher_suites[new_suites_size], &cipher_suites[i], 2);
3322 new_suites_size+=2;
3324 else
3326 _gnutls_handshake_log ("HSK[%p]: Removing ciphersuite: %s\n",
3327 session,
3328 _gnutls_cipher_suite_get_name (&cipher_suites[i]));
3333 ret = new_suites_size;
3335 return ret;
3340 * gnutls_handshake_set_max_packet_length:
3341 * @session: is a #gnutls_session_t structure.
3342 * @max: is the maximum number.
3344 * This function will set the maximum size of all handshake messages.
3345 * Handshakes over this size are rejected with
3346 * %GNUTLS_E_HANDSHAKE_TOO_LARGE error code. The default value is
3347 * 48kb which is typically large enough. Set this to 0 if you do not
3348 * want to set an upper limit.
3350 * The reason for restricting the handshake message sizes are to
3351 * limit Denial of Service attacks.
3353 void
3354 gnutls_handshake_set_max_packet_length (gnutls_session_t session, size_t max)
3356 session->internals.max_handshake_data_buffer_size = max;
3359 void
3360 _gnutls_set_adv_version (gnutls_session_t session, gnutls_protocol_t ver)
3362 set_adv_version (session, _gnutls_version_get_major (ver),
3363 _gnutls_version_get_minor (ver));
3366 gnutls_protocol_t
3367 _gnutls_get_adv_version (gnutls_session_t session)
3369 return _gnutls_version_get (_gnutls_get_adv_version_major (session),
3370 _gnutls_get_adv_version_minor (session));
3374 * gnutls_handshake_get_last_in:
3375 * @session: is a #gnutls_session_t structure.
3377 * This function is only useful to check where the last performed
3378 * handshake failed. If the previous handshake succeed or was not
3379 * performed at all then no meaningful value will be returned.
3381 * Check %gnutls_handshake_description_t in gnutls.h for the
3382 * available handshake descriptions.
3384 * Returns: the last handshake message type received, a
3385 * %gnutls_handshake_description_t.
3387 gnutls_handshake_description_t
3388 gnutls_handshake_get_last_in (gnutls_session_t session)
3390 return session->internals.last_handshake_in;
3394 * gnutls_handshake_get_last_out:
3395 * @session: is a #gnutls_session_t structure.
3397 * This function is only useful to check where the last performed
3398 * handshake failed. If the previous handshake succeed or was not
3399 * performed at all then no meaningful value will be returned.
3401 * Check %gnutls_handshake_description_t in gnutls.h for the
3402 * available handshake descriptions.
3404 * Returns: the last handshake message type sent, a
3405 * %gnutls_handshake_description_t.
3407 gnutls_handshake_description_t
3408 gnutls_handshake_get_last_out (gnutls_session_t session)
3410 return session->internals.last_handshake_out;