2 * Copyright (C) 2000-2012 Free Software Foundation, Inc.
4 * Author: Nikos Mavrogiannopoulos
6 * This file is part of GnuTLS.
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
23 /* Functions that relate to the TLS handshake procedure.
26 #include "gnutls_int.h"
27 #include "gnutls_errors.h"
28 #include "gnutls_dh.h"
30 #include "algorithms.h"
31 #include "gnutls_compress.h"
32 #include "gnutls_cipher.h"
33 #include "gnutls_buffers.h"
34 #include "gnutls_mbuffers.h"
35 #include "gnutls_kx.h"
36 #include "gnutls_handshake.h"
37 #include "gnutls_num.h"
38 #include "gnutls_hash_int.h"
39 #include "gnutls_db.h"
40 #include "gnutls_extensions.h"
41 #include "gnutls_supplemental.h"
42 #include "gnutls_auth.h"
43 #include "gnutls_v2_compat.h"
44 #include <auth/cert.h>
45 #include "gnutls_constate.h"
46 #include <gnutls_record.h>
47 #include <gnutls_state.h>
49 #include <ext/session_ticket.h>
50 #include <ext/status_request.h>
51 #include <ext/safe_renegotiation.h>
52 #include <gnutls_rsa_export.h> /* for gnutls_get_rsa_params() */
53 #include <auth/anon.h> /* for gnutls_anon_server_credentials_t */
54 #include <auth/psk.h> /* for gnutls_psk_server_credentials_t */
56 #include <gnutls_dtls.h>
58 #ifdef HANDSHAKE_DEBUG
59 #define ERR(x, y) _gnutls_handshake_log("HSK[%p]: %s (%d)\n", session, x,y)
67 static int _gnutls_server_select_comp_method (gnutls_session_t session
,
68 uint8_t * data
, int datalen
);
70 _gnutls_remove_unwanted_ciphersuites (gnutls_session_t session
,
71 uint8_t * cipher_suites
,
72 int cipher_suites_size
,
73 gnutls_pk_algorithm_t
*pk_algos
,
74 size_t pk_algos_size
);
75 static int _gnutls_handshake_client (gnutls_session_t session
);
76 static int _gnutls_handshake_server (gnutls_session_t session
);
79 _gnutls_recv_handshake_final (gnutls_session_t session
, int init
);
81 _gnutls_send_handshake_final (gnutls_session_t session
, int init
);
83 /* Empties but does not free the buffer
86 _gnutls_handshake_hash_buffer_empty (gnutls_session_t session
)
89 _gnutls_buffers_log ("BUF[HSK]: Emptied buffer\n");
91 session
->internals
.handshake_hash_buffer_prev_len
= 0;
92 session
->internals
.handshake_hash_buffer
.length
= 0;
97 _gnutls_handshake_hash_add_recvd (gnutls_session_t session
,
98 gnutls_handshake_description_t recv_type
,
99 uint8_t * header
, uint16_t header_size
,
100 uint8_t * dataptr
, uint32_t datalen
);
103 _gnutls_handshake_hash_add_sent (gnutls_session_t session
,
104 gnutls_handshake_description_t type
,
105 uint8_t * dataptr
, uint32_t datalen
);
108 _gnutls_recv_hello_verify_request (gnutls_session_t session
,
109 uint8_t * data
, int datalen
);
112 /* Clears the handshake hash buffers and handles.
115 _gnutls_handshake_hash_buffers_clear (gnutls_session_t session
)
117 session
->internals
.handshake_hash_buffer_prev_len
= 0;
118 _gnutls_buffer_clear(&session
->internals
.handshake_hash_buffer
);
121 /* this will copy the required values for resuming to
122 * internals, and to security_parameters.
123 * this will keep as less data to security_parameters.
126 resume_copy_required_values (gnutls_session_t session
)
128 /* get the new random values */
129 memcpy (session
->internals
.resumed_security_parameters
.server_random
,
130 session
->security_parameters
.server_random
, GNUTLS_RANDOM_SIZE
);
131 memcpy (session
->internals
.resumed_security_parameters
.client_random
,
132 session
->security_parameters
.client_random
, GNUTLS_RANDOM_SIZE
);
134 /* keep the ciphersuite and compression
135 * That is because the client must see these in our
138 memcpy (session
->security_parameters
.cipher_suite
,
139 session
->internals
.resumed_security_parameters
.cipher_suite
, 2);
140 session
->security_parameters
.compression_method
= session
->internals
.resumed_security_parameters
.compression_method
;
142 _gnutls_epoch_set_cipher_suite (session
, EPOCH_NEXT
,
144 internals
.resumed_security_parameters
.cipher_suite
);
145 _gnutls_epoch_set_compression (session
, EPOCH_NEXT
,
147 internals
.resumed_security_parameters
.compression_method
);
149 /* or write_compression_algorithm
153 session
->security_parameters
.entity
=
154 session
->internals
.resumed_security_parameters
.entity
;
156 _gnutls_set_current_version (session
,
157 session
->internals
.resumed_security_parameters
.
160 session
->security_parameters
.cert_type
=
161 session
->internals
.resumed_security_parameters
.cert_type
;
163 memcpy (session
->security_parameters
.session_id
,
164 session
->internals
.resumed_security_parameters
.session_id
,
165 sizeof (session
->security_parameters
.session_id
));
166 session
->security_parameters
.session_id_size
=
167 session
->internals
.resumed_security_parameters
.session_id_size
;
172 _gnutls_set_server_random (gnutls_session_t session
, uint8_t * rnd
)
174 memcpy (session
->security_parameters
.server_random
, rnd
,
179 _gnutls_set_client_random (gnutls_session_t session
, uint8_t * rnd
)
181 memcpy (session
->security_parameters
.client_random
, rnd
,
185 /* Calculate The SSL3 Finished message
187 #define SSL3_CLIENT_MSG "CLNT"
188 #define SSL3_SERVER_MSG "SRVR"
189 #define SSL_MSG_LEN 4
191 _gnutls_ssl3_finished (gnutls_session_t session
, int type
, uint8_t * ret
, int sending
)
199 len
= session
->internals
.handshake_hash_buffer
.length
;
201 len
= session
->internals
.handshake_hash_buffer_prev_len
;
203 rc
= _gnutls_hash_init (&td_sha
, GNUTLS_DIG_SHA1
);
205 return gnutls_assert_val(rc
);
207 rc
= _gnutls_hash_init (&td_md5
, GNUTLS_DIG_MD5
);
210 _gnutls_hash_deinit (&td_sha
, NULL
);
211 return gnutls_assert_val(rc
);
214 _gnutls_hash(&td_sha
, session
->internals
.handshake_hash_buffer
.data
, len
);
215 _gnutls_hash(&td_md5
, session
->internals
.handshake_hash_buffer
.data
, len
);
217 if (type
== GNUTLS_SERVER
)
218 mesg
= SSL3_SERVER_MSG
;
220 mesg
= SSL3_CLIENT_MSG
;
222 _gnutls_hash (&td_md5
, mesg
, SSL_MSG_LEN
);
223 _gnutls_hash (&td_sha
, mesg
, SSL_MSG_LEN
);
225 rc
= _gnutls_mac_deinit_ssl3_handshake (&td_md5
, ret
,
227 security_parameters
.master_secret
,
231 _gnutls_hash_deinit (&td_md5
, NULL
);
232 _gnutls_hash_deinit (&td_sha
, NULL
);
233 return gnutls_assert_val(rc
);
236 rc
= _gnutls_mac_deinit_ssl3_handshake (&td_sha
, &ret
[16],
238 security_parameters
.master_secret
,
242 _gnutls_hash_deinit (&td_sha
, NULL
);
243 return gnutls_assert_val(rc
);
249 /* Hash the handshake messages as required by TLS 1.0
251 #define SERVER_MSG "server finished"
252 #define CLIENT_MSG "client finished"
253 #define TLS_MSG_LEN 15
255 _gnutls_finished (gnutls_session_t session
, int type
, void *ret
, int sending
)
257 const int siz
= TLS_MSG_LEN
;
258 uint8_t concat
[MAX_HASH_SIZE
+ 16 /*MD5 */ ];
264 len
= session
->internals
.handshake_hash_buffer
.length
;
266 len
= session
->internals
.handshake_hash_buffer_prev_len
;
268 if (!_gnutls_version_has_selectable_prf (gnutls_protocol_get_version(session
)))
270 rc
= _gnutls_hash_fast( GNUTLS_DIG_SHA1
, session
->internals
.handshake_hash_buffer
.data
, len
, &concat
[16]);
272 return gnutls_assert_val(rc
);
274 rc
= _gnutls_hash_fast( GNUTLS_DIG_MD5
, session
->internals
.handshake_hash_buffer
.data
, len
, concat
);
276 return gnutls_assert_val(rc
);
282 int algorithm
= _gnutls_cipher_suite_get_prf(session
->security_parameters
.cipher_suite
);
284 rc
= _gnutls_hash_fast( algorithm
, session
->internals
.handshake_hash_buffer
.data
, len
, concat
);
286 return gnutls_assert_val(rc
);
288 hash_len
= _gnutls_hash_get_algo_len (algorithm
);
291 if (type
== GNUTLS_SERVER
)
300 return _gnutls_PRF (session
, session
->security_parameters
.master_secret
,
301 GNUTLS_MASTER_SIZE
, mesg
, siz
, concat
, hash_len
, 12, ret
);
304 /* this function will produce GNUTLS_RANDOM_SIZE==32 bytes of random data
308 _gnutls_tls_create_random (uint8_t * dst
)
313 /* Use weak random numbers for the most of the
314 * buffer except for the first 4 that are the
318 tim
= gnutls_time (NULL
);
319 /* generate server random value */
320 _gnutls_write_uint32 (tim
, dst
);
322 ret
= _gnutls_rnd (GNUTLS_RND_NONCE
, &dst
[4], GNUTLS_RANDOM_SIZE
- 4);
332 /* returns the 0 on success or a negative error code.
335 _gnutls_negotiate_version (gnutls_session_t session
,
336 gnutls_protocol_t adv_version
)
340 /* if we do not support that version */
341 if (_gnutls_version_is_supported (session
, adv_version
) == 0)
343 /* If he requested something we do not support
344 * then we send him the highest we support.
346 ret
= _gnutls_version_max (session
);
347 if (ret
== GNUTLS_VERSION_UNKNOWN
)
349 /* this check is not really needed.
352 return GNUTLS_E_UNKNOWN_CIPHER_SUITE
;
360 _gnutls_set_current_version (session
, ret
);
366 _gnutls_user_hello_func (gnutls_session_t session
,
367 gnutls_protocol_t adv_version
)
371 if (session
->internals
.user_hello_func
!= NULL
)
373 ret
= session
->internals
.user_hello_func (session
);
379 /* Here we need to renegotiate the version since the callee might
380 * have disabled some TLS versions.
382 ret
= _gnutls_negotiate_version (session
, adv_version
);
392 /* Read a client hello packet.
393 * A client hello must be a known version client hello
394 * or version 2.0 client hello (only for compatibility
395 * since SSL version 2.0 is not supported).
398 _gnutls_read_client_hello (gnutls_session_t session
, uint8_t * data
,
401 uint8_t session_id_len
;
403 uint16_t suite_size
, comp_size
;
404 gnutls_protocol_t adv_version
;
407 uint8_t rnd
[GNUTLS_RANDOM_SIZE
], *suite_ptr
, *comp_ptr
, *session_id
;
411 _gnutls_handshake_log ("HSK[%p]: Client's version: %d.%d\n", session
,
412 data
[pos
], data
[pos
+ 1]);
414 adv_version
= _gnutls_version_get (data
[pos
], data
[pos
+ 1]);
415 set_adv_version (session
, data
[pos
], data
[pos
+ 1]);
418 neg_version
= _gnutls_negotiate_version (session
, adv_version
);
425 /* Read client random value.
427 DECR_LEN (len
, GNUTLS_RANDOM_SIZE
);
428 _gnutls_set_client_random (session
, &data
[pos
]);
429 pos
+= GNUTLS_RANDOM_SIZE
;
431 _gnutls_tls_create_random (rnd
);
432 _gnutls_set_server_random (session
, rnd
);
434 session
->security_parameters
.timestamp
= gnutls_time (NULL
);
437 session_id_len
= data
[pos
++];
441 if (session_id_len
> TLS_MAX_SESSION_ID_SIZE
)
444 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH
;
446 DECR_LEN (len
, session_id_len
);
447 session_id
= &data
[pos
];
448 pos
+= session_id_len
;
450 if (IS_DTLS(session
))
455 cookie_size
= data
[pos
++];
456 DECR_LEN (len
, cookie_size
);
460 ret
= _gnutls_server_restore_session (session
, session_id
, session_id_len
);
462 if (session_id_len
> 0) session
->internals
.resumption_requested
= 1;
465 { /* resumed using default TLS resumption! */
466 /* Parse only the safe renegotiation extension
467 * We don't want to parse any other extensions since
468 * we don't want new extension values to overwrite the
472 /* move forward to extensions */
474 suite_size
= _gnutls_read_uint16 (&data
[pos
]);
477 DECR_LEN (len
, suite_size
);
481 comp_size
= data
[pos
++]; /* z is the number of compression methods */
482 DECR_LEN (len
, comp_size
);
485 ret
= _gnutls_parse_extensions (session
, GNUTLS_EXT_MANDATORY
,
493 resume_copy_required_values (session
);
494 session
->internals
.resumed
= RESUME_TRUE
;
496 return _gnutls_user_hello_func (session
, adv_version
);
500 _gnutls_generate_session_id (session
->security_parameters
.session_id
,
502 security_parameters
.session_id_size
);
504 session
->internals
.resumed
= RESUME_FALSE
;
507 /* Remember ciphersuites for later
510 suite_size
= _gnutls_read_uint16 (&data
[pos
]);
513 DECR_LEN (len
, suite_size
);
514 suite_ptr
= &data
[pos
];
517 /* Point to the compression methods
520 comp_size
= data
[pos
++]; /* z is the number of compression methods */
522 DECR_LEN (len
, comp_size
);
523 comp_ptr
= &data
[pos
];
526 /* Parse the extensions (if any)
528 * Unconditionally try to parse extensions; safe renegotiation uses them in
529 * sslv3 and higher, even though sslv3 doesn't officially support them.
531 ret
= _gnutls_parse_extensions (session
, GNUTLS_EXT_APPLICATION
,
533 /* len is the rest of the parsed length */
540 ret
= _gnutls_user_hello_func (session
, adv_version
);
547 ret
= _gnutls_parse_extensions (session
, GNUTLS_EXT_MANDATORY
,
555 ret
= _gnutls_parse_extensions (session
, GNUTLS_EXT_TLS
, &data
[pos
], len
);
562 /* resumed by session_ticket extension */
563 if (session
->internals
.resumed
!= RESUME_FALSE
)
565 /* to indicate the client that the current session is resumed */
566 memcpy (session
->internals
.resumed_security_parameters
.session_id
,
567 session_id
, session_id_len
);
568 session
->internals
.resumed_security_parameters
.session_id_size
=
571 session
->internals
.resumed_security_parameters
.max_record_recv_size
=
572 session
->security_parameters
.max_record_recv_size
;
573 session
->internals
.resumed_security_parameters
.max_record_send_size
=
574 session
->security_parameters
.max_record_send_size
;
576 resume_copy_required_values (session
);
578 return _gnutls_user_hello_func (session
, adv_version
);
581 /* select an appropriate cipher suite
583 ret
= _gnutls_server_select_suite (session
, suite_ptr
, suite_size
);
590 /* select appropriate compression method */
591 ret
= _gnutls_server_select_comp_method (session
, comp_ptr
, comp_size
);
601 /* This is to be called after sending CHANGE CIPHER SPEC packet
602 * and initializing encryption. This is the first encrypted message
606 _gnutls_send_finished (gnutls_session_t session
, int again
)
611 size_t vdata_size
= 0;
615 bufel
= _gnutls_handshake_alloc (session
, MAX_VERIFY_DATA_SIZE
, MAX_VERIFY_DATA_SIZE
);
619 return GNUTLS_E_MEMORY_ERROR
;
621 data
= _mbuffer_get_udata_ptr (bufel
);
623 if (gnutls_protocol_get_version (session
) == GNUTLS_SSL3
)
626 _gnutls_ssl3_finished (session
,
627 session
->security_parameters
.entity
, data
, 1);
628 _mbuffer_set_udata_size (bufel
, 36);
632 ret
= _gnutls_finished (session
,
633 session
->security_parameters
.entity
, data
, 1);
634 _mbuffer_set_udata_size (bufel
, 12);
643 vdata_size
= _mbuffer_get_udata_size (bufel
);
645 ret
= _gnutls_ext_sr_finished (session
, data
, vdata_size
, 0);
652 if ((session
->internals
.resumed
== RESUME_FALSE
653 && session
->security_parameters
.entity
== GNUTLS_CLIENT
)
654 || (session
->internals
.resumed
!= RESUME_FALSE
655 && session
->security_parameters
.entity
== GNUTLS_SERVER
))
657 /* if we are a client not resuming - or we are a server resuming */
658 _gnutls_handshake_log ("HSK[%p]: recording tls-unique CB (send)\n",
660 memcpy (session
->internals
.cb_tls_unique
, data
, vdata_size
);
661 session
->internals
.cb_tls_unique_len
= vdata_size
;
665 _gnutls_send_handshake (session
, bufel
, GNUTLS_HANDSHAKE_FINISHED
);
669 ret
= _gnutls_send_handshake (session
, NULL
, GNUTLS_HANDSHAKE_FINISHED
);
675 /* This is to be called after sending our finished message. If everything
676 * went fine we have negotiated a secure connection
679 _gnutls_recv_finished (gnutls_session_t session
)
681 uint8_t data
[MAX_VERIFY_DATA_SIZE
], *vrfy
;
682 gnutls_buffer_st buf
;
688 _gnutls_recv_handshake (session
, GNUTLS_HANDSHAKE_FINISHED
,
692 ERR ("recv finished int", ret
);
698 vrfy_size
= buf
.length
;
700 if (gnutls_protocol_get_version (session
) == GNUTLS_SSL3
)
709 if (vrfy_size
!= data_size
)
712 ret
= GNUTLS_E_ERROR_IN_FINISHED_PACKET
;
716 if (gnutls_protocol_get_version (session
) == GNUTLS_SSL3
)
719 _gnutls_ssl3_finished (session
,
720 (session
->security_parameters
.entity
+ 1) % 2,
726 _gnutls_finished (session
,
727 (session
->security_parameters
.entity
+
737 if (memcmp (vrfy
, data
, data_size
) != 0)
740 ret
= GNUTLS_E_ERROR_IN_FINISHED_PACKET
;
744 ret
= _gnutls_ext_sr_finished (session
, data
, data_size
, 1);
751 if ((session
->internals
.resumed
!= RESUME_FALSE
752 && session
->security_parameters
.entity
== GNUTLS_CLIENT
)
753 || (session
->internals
.resumed
== RESUME_FALSE
754 && session
->security_parameters
.entity
== GNUTLS_SERVER
))
756 /* if we are a client resuming - or we are a server not resuming */
757 _gnutls_handshake_log ("HSK[%p]: recording tls-unique CB (recv)\n",
759 memcpy (session
->internals
.cb_tls_unique
, data
, data_size
);
760 session
->internals
.cb_tls_unique_len
= data_size
;
764 session
->internals
.initial_negotiation_completed
= 1;
767 _gnutls_buffer_clear(&buf
);
772 /* returns PK_RSA if the given cipher suite list only supports,
773 * RSA algorithms, PK_DSA if DSS, and PK_ANY for both or PK_NONE for none.
776 server_find_pk_algos_in_ciphersuites (const uint8_t *
777 data
, unsigned int datalen
,
778 gnutls_pk_algorithm_t
* algos
,
782 gnutls_kx_algorithm_t kx
;
783 unsigned int max
= *algos_size
;
785 if (datalen
% 2 != 0)
788 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH
;
792 for (j
= 0; j
< datalen
; j
+= 2)
794 kx
= _gnutls_cipher_suite_get_kx_algo (&data
[j
]);
795 if (_gnutls_map_kx_get_cred (kx
, 1) == GNUTLS_CRD_CERTIFICATE
)
797 algos
[(*algos_size
)++] = _gnutls_map_pk_get_pk (kx
);
799 if ((*algos_size
) >= max
)
807 /* This selects the best supported ciphersuite from the given ones. Then
808 * it adds the suite to the session and performs some checks.
811 _gnutls_server_select_suite (gnutls_session_t session
, uint8_t * data
,
812 unsigned int datalen
)
815 unsigned int i
, j
, cipher_suites_size
;
816 size_t pk_algos_size
;
817 uint8_t cipher_suites
[MAX_CIPHERSUITE_SIZE
];
819 gnutls_pk_algorithm_t pk_algos
[MAX_ALGOS
]; /* will hold the pk algorithms
820 * supported by the peer.
823 /* First, check for safe renegotiation SCSV.
825 if (session
->internals
.priorities
.sr
!= SR_DISABLED
)
829 for (offset
= 0; offset
< datalen
; offset
+= 2)
831 /* TLS_RENEGO_PROTECTION_REQUEST = { 0x00, 0xff } */
832 if (data
[offset
] == GNUTLS_RENEGO_PROTECTION_REQUEST_MAJOR
&&
833 data
[offset
+ 1] == GNUTLS_RENEGO_PROTECTION_REQUEST_MINOR
)
835 _gnutls_handshake_log
836 ("HSK[%p]: Received safe renegotiation CS\n", session
);
837 retval
= _gnutls_ext_sr_recv_cs (session
);
848 pk_algos_size
= MAX_ALGOS
;
849 ret
= server_find_pk_algos_in_ciphersuites (data
, datalen
, pk_algos
, &pk_algos_size
);
851 return gnutls_assert_val(ret
);
853 ret
= _gnutls_supported_ciphersuites (session
, cipher_suites
, sizeof(cipher_suites
));
855 return gnutls_assert_val(ret
);
857 cipher_suites_size
= ret
;
859 /* Here we remove any ciphersuite that does not conform
860 * the certificate requested, or to the
861 * authentication requested (e.g. SRP).
863 ret
= _gnutls_remove_unwanted_ciphersuites (session
, cipher_suites
, cipher_suites_size
, pk_algos
, pk_algos_size
);
870 return GNUTLS_E_UNKNOWN_CIPHER_SUITE
;
873 cipher_suites_size
= ret
;
875 /* Data length should be zero mod 2 since
876 * every ciphersuite is 2 bytes. (this check is needed
879 if (datalen
% 2 != 0)
882 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH
;
885 memset (session
->security_parameters
.cipher_suite
, 0, 2);
887 retval
= GNUTLS_E_UNKNOWN_CIPHER_SUITE
;
889 _gnutls_handshake_log ("HSK[%p]: Requested cipher suites[size: %d]: \n", session
, (int)datalen
);
891 if (session
->internals
.priorities
.server_precedence
== 0)
893 for (j
= 0; j
< datalen
; j
+= 2)
895 _gnutls_handshake_log ("\t0x%.2x, 0x%.2x %s\n", data
[j
], data
[j
+1], _gnutls_cipher_suite_get_name (&data
[j
]));
896 for (i
= 0; i
< cipher_suites_size
; i
+=2)
898 if (memcmp (&cipher_suites
[i
], &data
[j
], 2) == 0)
900 _gnutls_handshake_log
901 ("HSK[%p]: Selected cipher suite: %s\n", session
,
902 _gnutls_cipher_suite_get_name (&data
[j
]));
903 memcpy (session
->security_parameters
.cipher_suite
,
904 &cipher_suites
[i
], 2);
905 _gnutls_epoch_set_cipher_suite (session
, EPOCH_NEXT
,
907 security_parameters
.cipher_suite
);
916 else /* server selects */
918 for (i
= 0; i
< cipher_suites_size
; i
+=2)
920 for (j
= 0; j
< datalen
; j
+= 2)
922 if (memcmp (&cipher_suites
[i
], &data
[j
], 2) == 0)
924 _gnutls_handshake_log
925 ("HSK[%p]: Selected cipher suite: %s\n", session
,
926 _gnutls_cipher_suite_get_name (&data
[j
]));
927 memcpy (session
->security_parameters
.cipher_suite
,
928 &cipher_suites
[i
], 2);
929 _gnutls_epoch_set_cipher_suite (session
, EPOCH_NEXT
,
931 security_parameters
.cipher_suite
);
948 /* check if the credentials (username, public key etc.) are ok
950 if (_gnutls_get_kx_cred
952 _gnutls_cipher_suite_get_kx_algo (session
->
953 security_parameters
.cipher_suite
),
954 &err
) == NULL
&& err
!= 0)
957 return GNUTLS_E_INSUFFICIENT_CREDENTIALS
;
961 /* set the mod_auth_st to the appropriate struct
962 * according to the KX algorithm. This is needed since all the
963 * handshake functions are read from there;
965 session
->internals
.auth_struct
=
966 _gnutls_kx_auth_struct (_gnutls_cipher_suite_get_kx_algo
968 security_parameters
.cipher_suite
));
969 if (session
->internals
.auth_struct
== NULL
)
972 _gnutls_handshake_log
973 ("HSK[%p]: Cannot find the appropriate handler for the KX algorithm\n",
976 return GNUTLS_E_INTERNAL_ERROR
;
984 /* This selects the best supported compression method from the ones provided
987 _gnutls_server_select_comp_method (gnutls_session_t session
,
988 uint8_t * data
, int datalen
)
991 uint8_t comps
[MAX_ALGOS
];
993 x
= _gnutls_supported_compression_methods (session
, comps
, MAX_ALGOS
);
1000 if (session
->internals
.priorities
.server_precedence
== 0)
1002 for (j
= 0; j
< datalen
; j
++)
1004 for (i
= 0; i
< x
; i
++)
1006 if (comps
[i
] == data
[j
])
1008 gnutls_compression_method_t method
=
1009 _gnutls_compression_get_id (comps
[i
]);
1011 _gnutls_epoch_set_compression (session
, EPOCH_NEXT
, method
);
1012 session
->security_parameters
.compression_method
= method
;
1014 _gnutls_handshake_log
1015 ("HSK[%p]: Selected Compression Method: %s\n", session
,
1016 gnutls_compression_get_name (method
));
1024 for (i
= 0; i
< x
; i
++)
1026 for (j
= 0; j
< datalen
; j
++)
1028 if (comps
[i
] == data
[j
])
1030 gnutls_compression_method_t method
=
1031 _gnutls_compression_get_id (comps
[i
]);
1033 _gnutls_epoch_set_compression (session
, EPOCH_NEXT
, method
);
1034 session
->security_parameters
.compression_method
= method
;
1036 _gnutls_handshake_log
1037 ("HSK[%p]: Selected Compression Method: %s\n", session
,
1038 gnutls_compression_get_name (method
));
1045 /* we were not able to find a compatible compression
1049 return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM
;
1053 /* This function sends an empty handshake packet. (like hello request).
1054 * If the previous _gnutls_send_empty_handshake() returned
1055 * GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED, then it must be called again
1056 * (until it returns ok), with NULL parameters.
1059 _gnutls_send_empty_handshake (gnutls_session_t session
,
1060 gnutls_handshake_description_t type
, int again
)
1066 bufel
= _gnutls_handshake_alloc (session
, 0, 0);
1070 return GNUTLS_E_MEMORY_ERROR
;
1076 return _gnutls_send_handshake (session
, bufel
, type
);
1082 /* This function sends a handshake message of type 'type' containing the
1083 * data specified here. If the previous _gnutls_send_handshake() returned
1084 * GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED, then it must be called again
1085 * (until it returns ok), with NULL parameters.
1088 _gnutls_send_handshake (gnutls_session_t session
, mbuffer_st
* bufel
,
1089 gnutls_handshake_description_t type
)
1093 uint32_t datasize
, i_datasize
;
1098 /* we are resuming a previously interrupted
1101 ret
= _gnutls_handshake_io_write_flush (session
);
1107 data
= _mbuffer_get_uhead_ptr (bufel
);
1108 i_datasize
= _mbuffer_get_udata_size(bufel
);
1109 datasize
= i_datasize
+ _mbuffer_get_uhead_size (bufel
);
1111 data
[pos
++] = (uint8_t) type
;
1112 _gnutls_write_uint24 (_mbuffer_get_udata_size (bufel
), &data
[pos
]);
1115 /* Add DTLS handshake fragment headers. The message will be
1116 * fragmented later by the fragmentation sub-layer. All fields must
1117 * be set properly for HMAC. The HMAC requires we pretend that the
1118 * message was sent in a single fragment. */
1119 if (IS_DTLS(session
))
1121 _gnutls_write_uint16 (session
->internals
.dtls
.hsk_write_seq
++, &data
[pos
]);
1124 /* Fragment offset */
1125 _gnutls_write_uint24 (0, &data
[pos
]);
1128 /* Fragment length */
1129 _gnutls_write_uint24 (i_datasize
, &data
[pos
]);
1133 _gnutls_handshake_log ("HSK[%p]: %s was queued [%ld bytes]\n",
1134 session
, _gnutls_handshake2str (type
),
1137 /* Here we keep the handshake messages in order to hash them...
1139 if (type
!= GNUTLS_HANDSHAKE_HELLO_REQUEST
)
1141 _gnutls_handshake_hash_add_sent (session
, type
, data
, datasize
)) < 0)
1144 _mbuffer_xfree(&bufel
);
1148 session
->internals
.last_handshake_out
= type
;
1150 ret
= _gnutls_handshake_io_cache_int (session
, type
, bufel
);
1153 _mbuffer_xfree(&bufel
);
1160 case GNUTLS_HANDSHAKE_CERTIFICATE_PKT
: /* this one is followed by ServerHelloDone
1161 * or ClientKeyExchange always.
1163 case GNUTLS_HANDSHAKE_CERTIFICATE_STATUS
:
1164 case GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE
: /* as above */
1165 case GNUTLS_HANDSHAKE_SERVER_HELLO
: /* as above */
1166 case GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST
: /* as above */
1167 case GNUTLS_HANDSHAKE_NEW_SESSION_TICKET
: /* followed by ChangeCipherSpec */
1169 /* now for client Certificate, ClientKeyExchange and
1170 * CertificateVerify are always followed by ChangeCipherSpec
1172 case GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY
:
1173 case GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE
:
1177 /* send cached messages */
1178 ret
= _gnutls_handshake_io_write_flush (session
);
1185 #define CHECK_SIZE(ll) \
1186 if ((session->internals.max_handshake_data_buffer_size > 0) && \
1187 (((ll) + session->internals.handshake_hash_buffer.length) > \
1188 session->internals.max_handshake_data_buffer_size)) \
1189 return gnutls_assert_val(GNUTLS_E_HANDSHAKE_TOO_LARGE)
1191 /* This function add the handshake headers and the
1192 * handshake data to the handshake hash buffers. Needed
1193 * for the finished messages calculations.
1196 _gnutls_handshake_hash_add_recvd (gnutls_session_t session
,
1197 gnutls_handshake_description_t recv_type
,
1198 uint8_t * header
, uint16_t header_size
,
1199 uint8_t * dataptr
, uint32_t datalen
)
1203 if ((gnutls_protocol_get_version (session
) != GNUTLS_DTLS0_9
&&
1204 recv_type
== GNUTLS_HANDSHAKE_HELLO_VERIFY_REQUEST
) ||
1205 recv_type
== GNUTLS_HANDSHAKE_HELLO_REQUEST
)
1208 CHECK_SIZE(header_size
+ datalen
);
1210 session
->internals
.handshake_hash_buffer_prev_len
= session
->internals
.handshake_hash_buffer
.length
;
1212 if (gnutls_protocol_get_version (session
) != GNUTLS_DTLS0_9
)
1214 ret
= _gnutls_buffer_append_data(&session
->internals
.handshake_hash_buffer
,
1215 header
, header_size
);
1217 return gnutls_assert_val(ret
);
1221 ret
= _gnutls_buffer_append_data(&session
->internals
.handshake_hash_buffer
,
1224 return gnutls_assert_val(ret
);
1230 /* This function will store the handshake message we sent.
1233 _gnutls_handshake_hash_add_sent (gnutls_session_t session
,
1234 gnutls_handshake_description_t type
,
1235 uint8_t * dataptr
, uint32_t datalen
)
1239 /* We don't check for GNUTLS_HANDSHAKE_HELLO_VERIFY_REQUEST because it
1240 * is not sent via that channel.
1242 if (type
!= GNUTLS_HANDSHAKE_HELLO_REQUEST
)
1244 CHECK_SIZE(datalen
);
1246 if (gnutls_protocol_get_version (session
) == GNUTLS_DTLS0_9
)
1248 /* Old DTLS doesn't include the header in the MAC */
1252 return GNUTLS_E_INVALID_REQUEST
;
1258 ret
= _gnutls_buffer_append_data(&session
->internals
.handshake_hash_buffer
,
1261 return gnutls_assert_val(ret
);
1270 /* This function will receive handshake messages of the given types,
1271 * and will pass the message to the right place in order to be processed.
1272 * E.g. for the SERVER_HELLO message (if it is expected), it will be
1273 * passed to _gnutls_recv_hello().
1276 _gnutls_recv_handshake (gnutls_session_t session
,
1277 gnutls_handshake_description_t type
,
1278 unsigned int optional
, gnutls_buffer_st
* buf
)
1281 handshake_buffer_st hsk
;
1284 _gnutls_handshake_io_recv_int (session
, type
, &hsk
, optional
);
1287 if (optional
!= 0 && ret
== GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET
)
1289 if (buf
) _gnutls_buffer_init(buf
);
1293 return gnutls_assert_val_fatal(ret
);
1296 ret
= _gnutls_handshake_hash_add_recvd (session
, hsk
.htype
,
1297 hsk
.header
, hsk
.header_size
,
1298 hsk
.data
.data
, hsk
.data
.length
);
1307 case GNUTLS_HANDSHAKE_CLIENT_HELLO_V2
:
1308 case GNUTLS_HANDSHAKE_CLIENT_HELLO
:
1309 case GNUTLS_HANDSHAKE_SERVER_HELLO
:
1310 if (hsk
.htype
== GNUTLS_HANDSHAKE_CLIENT_HELLO_V2
)
1311 ret
= _gnutls_read_client_hello_v2 (session
, hsk
.data
.data
, hsk
.data
.length
);
1313 ret
= _gnutls_recv_hello (session
, hsk
.data
.data
, hsk
.data
.length
);
1321 goto cleanup
; /* caller doesn't need dataptr */
1324 case GNUTLS_HANDSHAKE_HELLO_VERIFY_REQUEST
:
1325 ret
= _gnutls_recv_hello_verify_request (session
, hsk
.data
.data
, hsk
.data
.length
);
1332 /* Signal our caller we have received a verification cookie
1333 and ClientHello needs to be sent again. */
1336 goto cleanup
; /* caller doesn't need dataptr */
1339 case GNUTLS_HANDSHAKE_SERVER_HELLO_DONE
:
1340 if (hsk
.data
.length
== 0)
1345 ret
= GNUTLS_E_UNEXPECTED_PACKET_LENGTH
;
1349 case GNUTLS_HANDSHAKE_CERTIFICATE_PKT
:
1350 case GNUTLS_HANDSHAKE_CERTIFICATE_STATUS
:
1351 case GNUTLS_HANDSHAKE_FINISHED
:
1352 case GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE
:
1353 case GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE
:
1354 case GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST
:
1355 case GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY
:
1356 case GNUTLS_HANDSHAKE_SUPPLEMENTAL
:
1357 case GNUTLS_HANDSHAKE_NEW_SESSION_TICKET
:
1358 ret
= hsk
.data
.length
;
1362 /* we shouldn't actually arrive here in any case .
1363 * unexpected messages should be catched after _gnutls_handshake_io_recv_int()
1365 ret
= GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET
;
1376 _gnutls_handshake_buffer_clear (&hsk
);
1380 /* This function checks if the given cipher suite is supported, and sets it
1384 _gnutls_client_set_ciphersuite (gnutls_session_t session
, uint8_t suite
[2])
1387 uint8_t cipher_suites
[MAX_CIPHERSUITE_SIZE
];
1388 int cipher_suite_size
;
1392 cipher_suite_size
= _gnutls_supported_ciphersuites (session
, cipher_suites
, sizeof(cipher_suites
));
1393 if (cipher_suite_size
< 0)
1396 return cipher_suite_size
;
1399 for (i
= 0; i
< cipher_suite_size
; i
+=2)
1401 if (memcmp (&cipher_suites
[i
], suite
, 2) == 0)
1411 _gnutls_handshake_log("HSK[%p]: unsupported cipher suite %.2X.%.2X\n", session
,
1412 (unsigned int)suite
[0], (unsigned int)suite
[1]);
1413 return GNUTLS_E_UNKNOWN_CIPHER_SUITE
;
1416 memcpy (session
->security_parameters
.cipher_suite
, suite
, 2);
1417 _gnutls_epoch_set_cipher_suite (session
, EPOCH_NEXT
,
1419 security_parameters
.cipher_suite
);
1421 _gnutls_handshake_log ("HSK[%p]: Selected cipher suite: %s\n", session
,
1422 _gnutls_cipher_suite_get_name
1424 security_parameters
.cipher_suite
));
1427 /* check if the credentials (username, public key etc.) are ok.
1428 * Actually checks if they exist.
1430 if (!session
->internals
.premaster_set
&&
1433 _gnutls_cipher_suite_get_kx_algo
1434 (session
->security_parameters
.cipher_suite
), &err
) == NULL
1438 return GNUTLS_E_INSUFFICIENT_CREDENTIALS
;
1442 /* set the mod_auth_st to the appropriate struct
1443 * according to the KX algorithm. This is needed since all the
1444 * handshake functions are read from there;
1446 session
->internals
.auth_struct
=
1447 _gnutls_kx_auth_struct (_gnutls_cipher_suite_get_kx_algo
1449 security_parameters
.cipher_suite
));
1451 if (session
->internals
.auth_struct
== NULL
)
1454 _gnutls_handshake_log
1455 ("HSK[%p]: Cannot find the appropriate handler for the KX algorithm\n",
1458 return GNUTLS_E_INTERNAL_ERROR
;
1465 /* This function sets the given comp method to the session.
1468 _gnutls_client_set_comp_method (gnutls_session_t session
, uint8_t comp_method
)
1470 int comp_methods_num
;
1471 uint8_t compression_methods
[MAX_ALGOS
];
1472 int id
= _gnutls_compression_get_id(comp_method
);
1475 _gnutls_handshake_log ("HSK[%p]: Selected compression method: %s (%d)\n", session
,
1476 gnutls_compression_get_name(id
), (int)comp_method
);
1478 comp_methods_num
= _gnutls_supported_compression_methods (session
,
1479 compression_methods
, MAX_ALGOS
);
1480 if (comp_methods_num
< 0)
1483 return comp_methods_num
;
1486 for (i
= 0; i
< comp_methods_num
; i
++)
1488 if (compression_methods
[i
] == comp_method
)
1490 comp_methods_num
= 0;
1495 if (comp_methods_num
!= 0)
1498 return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM
;
1501 session
->security_parameters
.compression_method
= id
;
1502 _gnutls_epoch_set_compression (session
, EPOCH_NEXT
, id
);
1507 /* This function returns 0 if we are resuming a session or -1 otherwise.
1508 * This also sets the variables in the session. Used only while reading a server
1512 _gnutls_client_check_if_resuming (gnutls_session_t session
,
1513 uint8_t * session_id
, int session_id_len
)
1515 char buf
[2 * TLS_MAX_SESSION_ID_SIZE
+ 1];
1517 _gnutls_handshake_log ("HSK[%p]: SessionID length: %d\n", session
,
1519 _gnutls_handshake_log ("HSK[%p]: SessionID: %s\n", session
,
1520 _gnutls_bin2hex (session_id
, session_id_len
, buf
,
1521 sizeof (buf
), NULL
));
1523 if (session_id_len
> 0 &&
1524 session
->internals
.resumed_security_parameters
.session_id_size
==
1526 && memcmp (session_id
,
1527 session
->internals
.resumed_security_parameters
.session_id
,
1528 session_id_len
) == 0)
1530 /* resume session */
1531 memcpy (session
->internals
.resumed_security_parameters
.server_random
,
1532 session
->security_parameters
.server_random
, GNUTLS_RANDOM_SIZE
);
1533 memcpy (session
->internals
.resumed_security_parameters
.client_random
,
1534 session
->security_parameters
.client_random
, GNUTLS_RANDOM_SIZE
);
1536 _gnutls_epoch_set_cipher_suite
1537 (session
, EPOCH_NEXT
,
1539 resumed_security_parameters
.cipher_suite
);
1540 _gnutls_epoch_set_compression (session
, EPOCH_NEXT
,
1542 internals
.resumed_security_parameters
.compression_method
);
1544 session
->internals
.resumed
= RESUME_TRUE
; /* we are resuming */
1550 /* keep the new session id */
1551 session
->internals
.resumed
= RESUME_FALSE
; /* we are not resuming */
1552 session
->security_parameters
.session_id_size
= session_id_len
;
1553 memcpy (session
->security_parameters
.session_id
,
1554 session_id
, session_id_len
);
1561 /* This function reads and parses the server hello handshake message.
1562 * This function also restores resumed parameters if we are resuming a
1566 _gnutls_read_server_hello (gnutls_session_t session
,
1567 uint8_t * data
, int datalen
)
1569 uint8_t session_id_len
= 0;
1572 gnutls_protocol_t version
;
1578 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH
;
1581 _gnutls_handshake_log ("HSK[%p]: Server's version: %d.%d\n",
1582 session
, data
[pos
], data
[pos
+ 1]);
1585 version
= _gnutls_version_get (data
[pos
], data
[pos
+ 1]);
1586 if (_gnutls_version_is_supported (session
, version
) == 0)
1589 return GNUTLS_E_UNSUPPORTED_VERSION_PACKET
;
1593 _gnutls_set_current_version (session
, version
);
1598 DECR_LEN (len
, GNUTLS_RANDOM_SIZE
);
1599 _gnutls_set_server_random (session
, &data
[pos
]);
1600 pos
+= GNUTLS_RANDOM_SIZE
;
1606 session_id_len
= data
[pos
++];
1608 if (len
< session_id_len
)
1611 return GNUTLS_E_UNSUPPORTED_VERSION_PACKET
;
1613 DECR_LEN (len
, session_id_len
);
1615 /* check if we are resuming and set the appropriate
1618 if (_gnutls_client_check_if_resuming
1619 (session
, &data
[pos
], session_id_len
) == 0)
1621 pos
+= session_id_len
+ 2 + 1;
1622 DECR_LEN (len
, 2 + 1);
1624 ret
= _gnutls_parse_extensions (session
, GNUTLS_EXT_MANDATORY
,
1634 pos
+= session_id_len
;
1636 /* Check if the given cipher suite is supported and copy
1637 * it to the session.
1641 ret
= _gnutls_client_set_ciphersuite (session
, &data
[pos
]);
1649 /* move to compression
1653 ret
= _gnutls_client_set_comp_method (session
, data
[pos
++]);
1657 return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM
;
1660 /* Parse extensions.
1662 ret
= _gnutls_parse_extensions (session
, GNUTLS_EXT_ANY
, &data
[pos
], len
);
1673 /* This function copies the appropriate ciphersuites to a locally allocated buffer
1674 * Needed in client hello messages. Returns the new data length. If add_scsv is
1675 * true, add the special safe renegotiation CS.
1678 _gnutls_copy_ciphersuites (gnutls_session_t session
,
1679 gnutls_buffer_st
* cdata
,
1683 uint8_t cipher_suites
[MAX_CIPHERSUITE_SIZE
+2];
1684 int cipher_suites_size
;
1685 size_t init_length
= cdata
->length
;
1687 ret
= _gnutls_supported_ciphersuites (session
, cipher_suites
, sizeof(cipher_suites
)-2);
1689 return gnutls_assert_val(ret
);
1691 /* Here we remove any ciphersuite that does not conform
1692 * the certificate requested, or to the
1693 * authentication requested (eg SRP).
1696 _gnutls_remove_unwanted_ciphersuites (session
, cipher_suites
, ret
, NULL
, 0);
1698 return gnutls_assert_val(ret
);
1700 /* If no cipher suites were enabled.
1703 return gnutls_assert_val(GNUTLS_E_INSUFFICIENT_CREDENTIALS
);
1705 cipher_suites_size
= ret
;
1708 cipher_suites
[cipher_suites_size
] = 0x00;
1709 cipher_suites
[cipher_suites_size
+1] = 0xff;
1710 cipher_suites_size
+= 2;
1712 ret
= _gnutls_ext_sr_send_cs (session
);
1714 return gnutls_assert_val(ret
);
1717 ret
= _gnutls_buffer_append_data_prefix(cdata
, 16, cipher_suites
, cipher_suites_size
);
1719 return gnutls_assert_val(ret
);
1721 ret
= cdata
->length
- init_length
;
1727 /* This function copies the appropriate compression methods, to a locally allocated buffer
1728 * Needed in hello messages. Returns the new data length.
1731 _gnutls_copy_comp_methods (gnutls_session_t session
,
1732 gnutls_buffer_st
* cdata
)
1735 uint8_t compression_methods
[MAX_ALGOS
], comp_num
;
1736 size_t init_length
= cdata
->length
;
1738 ret
= _gnutls_supported_compression_methods (session
, compression_methods
, MAX_ALGOS
);
1740 return gnutls_assert_val(ret
);
1744 /* put the number of compression methods */
1745 ret
= _gnutls_buffer_append_prefix(cdata
, 8, comp_num
);
1747 return gnutls_assert_val(ret
);
1749 ret
= _gnutls_buffer_append_data(cdata
, compression_methods
, comp_num
);
1751 return gnutls_assert_val(ret
);
1753 ret
= cdata
->length
- init_length
;
1758 /* This should be sufficient by now. It should hold all the extensions
1759 * plus the headers in a hello message.
1761 #define MAX_EXT_DATA_LENGTH 32*1024
1763 /* This function sends the client hello handshake message.
1766 _gnutls_send_client_hello (gnutls_session_t session
, int again
)
1768 mbuffer_st
*bufel
= NULL
;
1769 uint8_t *data
= NULL
;
1771 int datalen
= 0, ret
= 0;
1772 uint8_t rnd
[GNUTLS_RANDOM_SIZE
];
1773 gnutls_protocol_t hver
;
1774 gnutls_buffer_st extdata
;
1775 int rehandshake
= 0;
1776 uint8_t session_id_len
=
1777 session
->internals
.resumed_security_parameters
.session_id_size
;
1780 _gnutls_buffer_init(&extdata
);
1782 /* note that rehandshake is different than resuming
1784 if (session
->security_parameters
.session_id_size
)
1789 if(IS_DTLS(session
))
1791 cookie_len
= session
->internals
.dtls
.cookie_len
+ 1;
1798 datalen
= 2 + (session_id_len
+ 1) + GNUTLS_RANDOM_SIZE
+ cookie_len
;
1799 /* 2 for version, (4 for unix time + 28 for random bytes==GNUTLS_RANDOM_SIZE)
1802 bufel
= _gnutls_handshake_alloc (session
, datalen
, datalen
+MAX_EXT_DATA_LENGTH
);
1806 return GNUTLS_E_MEMORY_ERROR
;
1808 data
= _mbuffer_get_udata_ptr (bufel
);
1810 /* if we are resuming a session then we set the
1811 * version number to the previously established.
1813 if (session_id_len
== 0)
1815 if (rehandshake
) /* already negotiated version thus version_max == negotiated version */
1816 hver
= session
->security_parameters
.version
;
1817 else /* new handshake. just get the max */
1818 hver
= _gnutls_version_max (session
);
1822 /* we are resuming a session */
1823 hver
= session
->internals
.resumed_security_parameters
.version
;
1826 if (hver
== GNUTLS_VERSION_UNKNOWN
|| hver
== 0)
1829 gnutls_free (bufel
);
1830 return GNUTLS_E_INTERNAL_ERROR
;
1833 data
[pos
++] = _gnutls_version_get_major (hver
);
1834 data
[pos
++] = _gnutls_version_get_minor (hver
);
1836 /* Set the version we advertized as maximum
1839 _gnutls_set_adv_version (session
, hver
);
1840 _gnutls_set_current_version (session
, hver
);
1842 if (session
->internals
.priorities
.ssl3_record_version
!= 0)
1844 /* Advertize the SSL 3.0 record packet version in
1845 * record packets during the handshake.
1846 * That is to avoid confusing implementations
1847 * that do not support TLS 1.2 and don't know
1848 * how 3,3 version of record packets look like.
1850 if (!IS_DTLS(session
))
1851 _gnutls_record_set_default_version (session
, 3, 0);
1852 else if (gnutls_protocol_get_version (session
) == GNUTLS_DTLS0_9
)
1853 _gnutls_record_set_default_version (session
, 1, 0);
1855 _gnutls_record_set_default_version (session
, 254, 255);
1858 /* In order to know when this session was initiated.
1860 session
->security_parameters
.timestamp
= gnutls_time (NULL
);
1862 /* Generate random data
1864 if (!IS_DTLS (session
)
1865 || session
->internals
.dtls
.hsk_hello_verify_requests
== 0)
1867 _gnutls_tls_create_random (rnd
);
1868 _gnutls_set_client_random (session
, rnd
);
1870 memcpy (&data
[pos
], rnd
, GNUTLS_RANDOM_SIZE
);
1873 memcpy (&data
[pos
], session
->security_parameters
.client_random
, GNUTLS_RANDOM_SIZE
);
1875 pos
+= GNUTLS_RANDOM_SIZE
;
1877 /* Copy the Session ID
1879 data
[pos
++] = session_id_len
;
1881 if (session_id_len
> 0)
1884 session
->internals
.resumed_security_parameters
.session_id
,
1886 pos
+= session_id_len
;
1889 /* Copy the DTLS cookie
1891 if (IS_DTLS(session
))
1893 data
[pos
++] = session
->internals
.dtls
.cookie_len
;
1894 memcpy(&data
[pos
], &session
->internals
.dtls
.cookie
, session
->internals
.dtls
.cookie_len
);
1895 /* pos += session->internals.dtls.cookie_len; */
1898 /* Copy the ciphersuites.
1900 * If using SSLv3 Send TLS_RENEGO_PROTECTION_REQUEST SCSV for MITM
1901 * prevention on initial negotiation (but not renegotiation; that's
1902 * handled with the RI extension below).
1904 if (!session
->internals
.initial_negotiation_completed
&&
1905 session
->security_parameters
.entity
== GNUTLS_CLIENT
&&
1906 (gnutls_protocol_get_version (session
) == GNUTLS_SSL3
||
1907 session
->internals
.priorities
.no_extensions
!= 0))
1910 _gnutls_copy_ciphersuites (session
, &extdata
, TRUE
);
1911 _gnutls_extension_list_add (session
,
1912 GNUTLS_EXTENSION_SAFE_RENEGOTIATION
);
1915 ret
= _gnutls_copy_ciphersuites (session
, &extdata
, FALSE
);
1923 /* Copy the compression methods.
1925 ret
= _gnutls_copy_comp_methods (session
, &extdata
);
1932 /* Generate and copy TLS extensions.
1934 if (session
->internals
.priorities
.no_extensions
== 0)
1936 if (_gnutls_version_has_extensions (hver
))
1937 type
= GNUTLS_EXT_ANY
;
1940 if (session
->internals
.initial_negotiation_completed
!= 0)
1941 type
= GNUTLS_EXT_MANDATORY
;
1943 type
= GNUTLS_EXT_NONE
;
1946 ret
= _gnutls_gen_extensions (session
, &extdata
, type
);
1955 ret
= _mbuffer_append_data (bufel
, extdata
.data
, extdata
.length
);
1963 _gnutls_buffer_clear(&extdata
);
1966 _gnutls_send_handshake (session
, bufel
, GNUTLS_HANDSHAKE_CLIENT_HELLO
);
1969 _mbuffer_xfree(&bufel
);
1970 _gnutls_buffer_clear(&extdata
);
1975 _gnutls_send_server_hello (gnutls_session_t session
, int again
)
1977 mbuffer_st
*bufel
= NULL
;
1978 uint8_t *data
= NULL
;
1979 gnutls_buffer_st extdata
;
1981 int datalen
, ret
= 0;
1983 uint8_t session_id_len
= session
->security_parameters
.session_id_size
;
1984 char buf
[2 * TLS_MAX_SESSION_ID_SIZE
+ 1];
1986 _gnutls_buffer_init(&extdata
);
1990 datalen
= 2 + session_id_len
+ 1 + GNUTLS_RANDOM_SIZE
+ 3;
1992 _gnutls_gen_extensions (session
, &extdata
, GNUTLS_EXT_ANY
);
1999 bufel
= _gnutls_handshake_alloc (session
, datalen
+ extdata
.length
, datalen
+ extdata
.length
);
2003 ret
= GNUTLS_E_MEMORY_ERROR
;
2006 data
= _mbuffer_get_udata_ptr (bufel
);
2009 _gnutls_version_get_major (session
->security_parameters
.version
);
2011 _gnutls_version_get_minor (session
->security_parameters
.version
);
2014 session
->security_parameters
.server_random
, GNUTLS_RANDOM_SIZE
);
2015 pos
+= GNUTLS_RANDOM_SIZE
;
2017 data
[pos
++] = session_id_len
;
2018 if (session_id_len
> 0)
2020 memcpy (&data
[pos
], session
->security_parameters
.session_id
,
2023 pos
+= session_id_len
;
2025 _gnutls_handshake_log ("HSK[%p]: SessionID: %s\n", session
,
2026 _gnutls_bin2hex (session
->security_parameters
.
2027 session_id
, session_id_len
, buf
,
2028 sizeof (buf
), NULL
));
2031 session
->security_parameters
.cipher_suite
, 2);
2034 comp
= _gnutls_compression_get_num ( session
->security_parameters
.compression_method
);
2037 if (extdata
.length
> 0)
2039 memcpy (&data
[pos
], extdata
.data
, extdata
.length
);
2044 _gnutls_send_handshake (session
, bufel
, GNUTLS_HANDSHAKE_SERVER_HELLO
);
2047 _gnutls_buffer_clear(&extdata
);
2052 _gnutls_send_hello (gnutls_session_t session
, int again
)
2056 if (session
->security_parameters
.entity
== GNUTLS_CLIENT
)
2058 ret
= _gnutls_send_client_hello (session
, again
);
2063 ret
= _gnutls_send_server_hello (session
, again
);
2069 /* RECEIVE A HELLO MESSAGE. This should be called from gnutls_recv_handshake_int only if a
2070 * hello message is expected. It uses the security_parameters.cipher_suite
2071 * and internals.compression_method.
2074 _gnutls_recv_hello (gnutls_session_t session
, uint8_t * data
, int datalen
)
2078 if (session
->security_parameters
.entity
== GNUTLS_CLIENT
)
2080 ret
= _gnutls_read_server_hello (session
, data
, datalen
);
2088 { /* Server side reading a client hello */
2090 ret
= _gnutls_read_client_hello (session
, data
, datalen
);
2098 ret
= _gnutls_ext_sr_verify (session
);
2109 _gnutls_recv_hello_verify_request (gnutls_session_t session
,
2110 uint8_t * data
, int datalen
)
2112 ssize_t len
= datalen
;
2115 unsigned int nb_verifs
;
2117 if (!IS_DTLS (session
)
2118 || session
->security_parameters
.entity
== GNUTLS_SERVER
)
2121 return GNUTLS_E_INTERNAL_ERROR
;
2124 nb_verifs
= ++session
->internals
.dtls
.hsk_hello_verify_requests
;
2125 if (nb_verifs
>= MAX_HANDSHAKE_HELLO_VERIFY_REQUESTS
)
2127 /* The server is either buggy, malicious or changing cookie
2128 secrets _way_ too fast. */
2130 return GNUTLS_E_UNEXPECTED_PACKET
;
2133 /* TODO: determine if we need to do anything with the server version field */
2138 cookie_len
= data
[pos
];
2141 if (cookie_len
> DTLS_MAX_COOKIE_SIZE
)
2144 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH
;
2147 DECR_LEN (len
, cookie_len
);
2149 session
->internals
.dtls
.cookie_len
= cookie_len
;
2150 memcpy (session
->internals
.dtls
.cookie
, &data
[pos
], cookie_len
);
2155 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH
;
2158 /* reset handshake hash buffers */
2159 _gnutls_handshake_hash_buffer_empty (session
);
2164 /* The packets in gnutls_handshake (it's more broad than original TLS handshake)
2168 * ClientHello -------->
2169 * <-------- ServerHello
2172 * ServerKeyExchange*
2173 * <-------- CertificateRequest*
2175 * <-------- ServerHelloDone
2178 * CertificateVerify*
2179 * [ChangeCipherSpec]
2180 * Finished -------->
2182 * [ChangeCipherSpec]
2183 * <-------- Finished
2185 * (*): means optional packet.
2188 /* Handshake when resumming session:
2191 * ClientHello -------->
2193 * [ChangeCipherSpec]
2194 * <-------- Finished
2195 * [ChangeCipherSpec]
2196 * Finished -------->
2201 * gnutls_rehandshake:
2202 * @session: is a #gnutls_session_t structure.
2204 * This function will renegotiate security parameters with the
2205 * client. This should only be called in case of a server.
2207 * This message informs the peer that we want to renegotiate
2208 * parameters (perform a handshake).
2210 * If this function succeeds (returns 0), you must call the
2211 * gnutls_handshake() function in order to negotiate the new
2214 * Since TLS is full duplex some application data might have been
2215 * sent during peer's processing of this message. In that case
2216 * one should call gnutls_record_recv() until GNUTLS_E_REHANDSHAKE
2217 * is returned to clear any pending data. Care must be taken if
2218 * rehandshake is mandatory to terminate if it does not start after
2221 * If the client does not wish to renegotiate parameters he will
2222 * should with an alert message, thus the return code will be
2223 * %GNUTLS_E_WARNING_ALERT_RECEIVED and the alert will be
2224 * %GNUTLS_A_NO_RENEGOTIATION. A client may also choose to ignore
2227 * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
2230 gnutls_rehandshake (gnutls_session_t session
)
2234 /* only server sends that handshake packet */
2235 if (session
->security_parameters
.entity
== GNUTLS_CLIENT
)
2236 return GNUTLS_E_INVALID_REQUEST
;
2238 _dtls_async_timer_delete(session
);
2241 _gnutls_send_empty_handshake (session
, GNUTLS_HANDSHAKE_HELLO_REQUEST
,
2256 _gnutls_abort_handshake (gnutls_session_t session
, int ret
)
2258 if (((ret
== GNUTLS_E_WARNING_ALERT_RECEIVED
) &&
2259 (gnutls_alert_get (session
) == GNUTLS_A_NO_RENEGOTIATION
))
2260 || ret
== GNUTLS_E_GOT_APPLICATION_DATA
)
2263 /* this doesn't matter */
2264 return GNUTLS_E_INTERNAL_ERROR
;
2270 _gnutls_send_supplemental (gnutls_session_t session
, int again
)
2275 _gnutls_debug_log ("EXT[%p]: Sending supplemental data\n", session
);
2279 _gnutls_send_handshake (session
, NULL
, GNUTLS_HANDSHAKE_SUPPLEMENTAL
);
2282 gnutls_buffer_st buf
;
2283 _gnutls_buffer_init (&buf
);
2285 ret
= _gnutls_gen_supplemental (session
, &buf
);
2292 bufel
= _gnutls_handshake_alloc(session
, buf
.length
, buf
.length
);
2296 return GNUTLS_E_MEMORY_ERROR
;
2299 _mbuffer_set_udata (bufel
, buf
.data
, buf
.length
);
2300 _gnutls_buffer_clear (&buf
);
2302 ret
= _gnutls_send_handshake (session
, bufel
,
2303 GNUTLS_HANDSHAKE_SUPPLEMENTAL
);
2310 _gnutls_recv_supplemental (gnutls_session_t session
)
2312 gnutls_buffer_st buf
;
2315 _gnutls_debug_log ("EXT[%p]: Expecting supplemental data\n", session
);
2317 ret
= _gnutls_recv_handshake (session
, GNUTLS_HANDSHAKE_SUPPLEMENTAL
,
2325 ret
= _gnutls_parse_supplemental (session
, buf
.data
, buf
.length
);
2333 _gnutls_buffer_clear(&buf
);
2340 * @session: is a #gnutls_session_t structure.
2342 * This function does the handshake of the TLS/SSL protocol, and
2343 * initializes the TLS connection.
2345 * This function will fail if any problem is encountered, and will
2346 * return a negative error code. In case of a client, if the client
2347 * has asked to resume a session, but the server couldn't, then a
2348 * full handshake will be performed.
2350 * The non-fatal errors such as %GNUTLS_E_AGAIN and
2351 * %GNUTLS_E_INTERRUPTED interrupt the handshake procedure, which
2352 * should be resumed later. Call this function again, until it
2353 * returns 0; cf. gnutls_record_get_direction() and
2354 * gnutls_error_is_fatal().
2356 * If this function is called by a server after a rehandshake request
2357 * then %GNUTLS_E_GOT_APPLICATION_DATA or
2358 * %GNUTLS_E_WARNING_ALERT_RECEIVED may be returned. Note that these
2359 * are non fatal errors, only in the specific case of a rehandshake.
2360 * Their meaning is that the client rejected the rehandshake request or
2361 * in the case of %GNUTLS_E_GOT_APPLICATION_DATA it might also mean that
2362 * some data were pending.
2364 * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
2367 gnutls_handshake (gnutls_session_t session
)
2370 record_parameters_st
*params
;
2372 /* sanity check. Verify that there are priorities setup.
2374 if (session
->internals
.priorities
.protocol
.algorithms
== 0)
2375 return gnutls_assert_val(GNUTLS_E_NO_PRIORITIES_WERE_SET
);
2377 if (session
->internals
.handshake_timeout_ms
&&
2378 session
->internals
.handshake_endtime
== 0)
2379 session
->internals
.handshake_endtime
= gnutls_time(0) +
2380 session
->internals
.handshake_timeout_ms
/ 1000;
2382 ret
= _gnutls_epoch_get (session
, session
->security_parameters
.epoch_next
,
2386 /* We assume the epoch is not allocated if _gnutls_epoch_get fails. */
2388 _gnutls_epoch_alloc (session
, session
->security_parameters
.epoch_next
,
2391 return gnutls_assert_val(ret
);
2394 if (session
->security_parameters
.entity
== GNUTLS_CLIENT
)
2398 ret
= _gnutls_handshake_client (session
);
2403 ret
= _gnutls_handshake_server (session
);
2407 /* In the case of a rehandshake abort
2408 * we should reset the handshake's internal state.
2410 if (_gnutls_abort_handshake (session
, ret
) == 0)
2416 /* clear handshake buffer */
2417 _gnutls_handshake_hash_buffers_clear (session
);
2419 if (IS_DTLS(session
)==0)
2421 _gnutls_handshake_io_buffer_clear (session
);
2425 _dtls_async_timer_init(session
);
2428 _gnutls_handshake_internal_state_clear (session
);
2430 session
->security_parameters
.epoch_next
++;
2436 * gnutls_handshake_set_timeout:
2437 * @session: is a #gnutls_session_t structure.
2438 * @ms: is a timeout value in milliseconds
2440 * This function sets the timeout for the handshake process
2441 * to the provided value. Use an @ms value of zero to disable
2444 * Note that in order for the timeout to be enforced
2445 * gnutls_transport_set_pull_timeout_function() must be set.
2449 gnutls_handshake_set_timeout (gnutls_session_t session
, unsigned int ms
)
2451 if (ms
== GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT
)
2453 session
->internals
.handshake_timeout_ms
= ms
;
2457 #define IMED_RET( str, ret, allow_alert) do { \
2459 /* EAGAIN and INTERRUPTED are always non-fatal */ \
2460 if (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED) \
2462 /* a warning alert might interrupt handshake */ \
2463 if (allow_alert != 0 && ret==GNUTLS_E_WARNING_ALERT_RECEIVED) return ret; \
2466 _gnutls_handshake_hash_buffers_clear(session); \
2471 /* Runs the certificate verification callback.
2472 * side is either GNUTLS_CLIENT or GNUTLS_SERVER.
2474 static int run_verify_callback(gnutls_session_t session
, unsigned int side
)
2476 gnutls_certificate_credentials_t cred
;
2480 (gnutls_certificate_credentials_t
) _gnutls_get_cred (session
,
2481 GNUTLS_CRD_CERTIFICATE
,
2484 if (side
== GNUTLS_CLIENT
)
2485 type
= gnutls_auth_server_get_type(session
);
2487 type
= gnutls_auth_client_get_type(session
);
2489 if (type
!= GNUTLS_CRD_CERTIFICATE
)
2492 if (cred
!= NULL
&& cred
->verify_callback
!= NULL
)
2494 ret
= cred
->verify_callback (session
);
2496 return GNUTLS_E_CERTIFICATE_ERROR
;
2503 * _gnutls_handshake_client
2504 * This function performs the client side of the handshake of the TLS/SSL protocol.
2507 _gnutls_handshake_client (gnutls_session_t session
)
2511 #ifdef HANDSHAKE_DEBUG
2514 if (session
->internals
.resumed_security_parameters
.session_id_size
> 0)
2515 _gnutls_handshake_log ("HSK[%p]: Ask to resume: %s\n", session
,
2516 _gnutls_bin2hex (session
->
2517 internals
.resumed_security_parameters
.session_id
,
2519 internals
.resumed_security_parameters
.session_id_size
,
2520 buf
, sizeof (buf
), NULL
));
2527 ret
= _gnutls_send_hello (session
, AGAIN (STATE1
));
2529 IMED_RET ("send hello", ret
, 1);
2532 if (IS_DTLS (session
))
2535 _gnutls_recv_handshake (session
,
2536 GNUTLS_HANDSHAKE_HELLO_VERIFY_REQUEST
,
2539 IMED_RET ("recv hello verify", ret
, 1);
2548 /* receive the server hello */
2550 _gnutls_recv_handshake (session
,
2551 GNUTLS_HANDSHAKE_SERVER_HELLO
,
2554 IMED_RET ("recv hello", ret
, 1);
2557 if (session
->security_parameters
.do_recv_supplemental
)
2559 ret
= _gnutls_recv_supplemental (session
);
2561 IMED_RET ("recv supplemental", ret
, 1);
2565 /* RECV CERTIFICATE */
2566 if (session
->internals
.resumed
== RESUME_FALSE
) /* if we are not resuming */
2567 ret
= _gnutls_recv_server_certificate (session
);
2569 IMED_RET ("recv server certificate", ret
, 1);
2572 /* RECV CERTIFICATE STATUS */
2573 if (session
->internals
.resumed
== RESUME_FALSE
) /* if we are not resuming */
2574 ret
= _gnutls_recv_server_certificate_status (session
);
2576 IMED_RET ("recv server certificate", ret
, 1);
2579 ret
= run_verify_callback(session
, GNUTLS_CLIENT
);
2582 return gnutls_assert_val(ret
);
2584 /* receive the server key exchange */
2585 if (session
->internals
.resumed
== RESUME_FALSE
) /* if we are not resuming */
2586 ret
= _gnutls_recv_server_kx_message (session
);
2588 IMED_RET ("recv server kx message", ret
, 1);
2591 /* receive the server certificate request - if any
2594 if (session
->internals
.resumed
== RESUME_FALSE
) /* if we are not resuming */
2595 ret
= _gnutls_recv_server_crt_request (session
);
2597 IMED_RET ("recv server certificate request message", ret
, 1);
2600 /* receive the server hello done */
2601 if (session
->internals
.resumed
== RESUME_FALSE
) /* if we are not resuming */
2603 _gnutls_recv_handshake (session
,
2604 GNUTLS_HANDSHAKE_SERVER_HELLO_DONE
,
2607 IMED_RET ("recv server hello done", ret
, 1);
2610 if (session
->security_parameters
.do_send_supplemental
)
2612 ret
= _gnutls_send_supplemental (session
, AGAIN (STATE11
));
2614 IMED_RET ("send supplemental", ret
, 0);
2618 /* send our certificate - if any and if requested
2620 if (session
->internals
.resumed
== RESUME_FALSE
) /* if we are not resuming */
2621 ret
= _gnutls_send_client_certificate (session
, AGAIN (STATE12
));
2623 IMED_RET ("send client certificate", ret
, 0);
2626 if (session
->internals
.resumed
== RESUME_FALSE
) /* if we are not resuming */
2627 ret
= _gnutls_send_client_kx_message (session
, AGAIN (STATE13
));
2629 IMED_RET ("send client kx", ret
, 0);
2632 /* send client certificate verify */
2633 if (session
->internals
.resumed
== RESUME_FALSE
) /* if we are not resuming */
2635 _gnutls_send_client_certificate_verify (session
, AGAIN (STATE14
));
2637 IMED_RET ("send client certificate verify", ret
, 1);
2641 if (session
->internals
.resumed
== RESUME_FALSE
)
2643 ret
= _gnutls_send_handshake_final (session
, TRUE
);
2644 IMED_RET ("send handshake final 2", ret
, 1);
2648 ret
= _gnutls_recv_new_session_ticket (session
);
2649 IMED_RET ("recv handshake new session ticket", ret
, 1);
2654 if (session
->internals
.resumed
== RESUME_FALSE
)
2656 ret
= _gnutls_recv_new_session_ticket (session
);
2657 IMED_RET ("recv handshake new session ticket", ret
, 1);
2661 ret
= _gnutls_recv_handshake_final (session
, TRUE
);
2662 IMED_RET ("recv handshake final", ret
, 1);
2667 if (session
->internals
.resumed
== RESUME_FALSE
)
2669 ret
= _gnutls_recv_handshake_final (session
, FALSE
);
2670 IMED_RET ("recv handshake final 2", ret
, 1);
2674 ret
= _gnutls_send_handshake_final (session
, FALSE
);
2675 IMED_RET ("send handshake final", ret
, 1);
2688 /* This function is to be called if the handshake was successfully
2689 * completed. This sends a Change Cipher Spec packet to the peer.
2692 send_change_cipher_spec (gnutls_session_t session
, int again
)
2700 bufel
= _gnutls_handshake_alloc (session
, 1, 1);
2702 return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR
);
2704 if (gnutls_protocol_get_version (session
) == GNUTLS_DTLS0_9
)
2705 _mbuffer_set_uhead_size(bufel
, 3);
2707 _mbuffer_set_uhead_size(bufel
, 1);
2708 _mbuffer_set_udata_size(bufel
, 0);
2710 data
= _mbuffer_get_uhead_ptr (bufel
);
2713 if (gnutls_protocol_get_version (session
) == GNUTLS_DTLS0_9
)
2715 _gnutls_write_uint16 (session
->internals
.dtls
.hsk_write_seq
, &data
[1]);
2716 session
->internals
.dtls
.hsk_write_seq
++;
2719 ret
= _gnutls_handshake_io_cache_int (session
, GNUTLS_HANDSHAKE_CHANGE_CIPHER_SPEC
, bufel
);
2722 _mbuffer_xfree(&bufel
);
2723 return gnutls_assert_val(ret
);
2726 _gnutls_handshake_log ("REC[%p]: Sent ChangeCipherSpec\n", session
);
2732 /* This function sends the final handshake packets and initializes connection
2735 _gnutls_send_handshake_final (gnutls_session_t session
, int init
)
2739 /* Send the CHANGE CIPHER SPEC PACKET */
2741 switch (FINAL_STATE
)
2745 ret
= send_change_cipher_spec (session
, FAGAIN (STATE1
));
2746 FINAL_STATE
= STATE0
;
2750 ERR ("send ChangeCipherSpec", ret
);
2754 /* Initialize the connection session (start encryption) - in case of client
2758 ret
= _gnutls_connection_state_init (session
);
2766 ret
= _gnutls_write_connection_state_init (session
);
2774 /* send the finished message */
2775 ret
= _gnutls_send_finished (session
, FAGAIN (STATE2
));
2776 FINAL_STATE
= STATE2
;
2779 ERR ("send Finished", ret
);
2784 FINAL_STATE
= STATE0
;
2792 /* This function receives the final handshake packets
2793 * And executes the appropriate function to initialize the
2797 _gnutls_recv_handshake_final (gnutls_session_t session
, int init
)
2801 unsigned int ccs_len
= 1;
2804 ret
= handshake_remaining_time(session
);
2806 return gnutls_assert_val(ret
);
2809 switch (FINAL_STATE
)
2813 FINAL_STATE
= STATE30
;
2815 /* This is the last flight and peer cannot be sure
2816 * we have received it unless we notify him. So we
2817 * wait for a message and retransmit if needed. */
2818 if (IS_DTLS(session
) && !_dtls_is_async(session
) &&
2819 (gnutls_record_check_pending (session
) +
2820 record_check_unprocessed (session
)) == 0)
2822 ret
= _dtls_wait_and_retransmit(session
);
2824 return gnutls_assert_val(ret
);
2827 if (gnutls_protocol_get_version (session
) == GNUTLS_DTLS0_9
)
2830 ret
= _gnutls_recv_int (session
, GNUTLS_CHANGE_CIPHER_SPEC
, -1, &ch
, ccs_len
, NULL
,
2834 ERR ("recv ChangeCipherSpec", ret
);
2836 return (ret
< 0) ? ret
: GNUTLS_E_UNEXPECTED_PACKET_LENGTH
;
2839 if (gnutls_protocol_get_version (session
) == GNUTLS_DTLS0_9
)
2840 session
->internals
.dtls
.hsk_read_seq
++;
2842 /* Initialize the connection session (start encryption) - in case of server */
2845 ret
= _gnutls_connection_state_init (session
);
2853 ret
= _gnutls_read_connection_state_init (session
);
2861 FINAL_STATE
= STATE31
;
2863 if (IS_DTLS(session
) && !_dtls_is_async(session
) &&
2864 (gnutls_record_check_pending( session
) +
2865 record_check_unprocessed (session
)) == 0)
2867 ret
= _dtls_wait_and_retransmit(session
);
2869 return gnutls_assert_val(ret
);
2872 ret
= _gnutls_recv_finished (session
);
2875 ERR ("recv finished", ret
);
2879 FINAL_STATE
= STATE0
;
2889 * _gnutls_handshake_server
2890 * This function does the server stuff of the handshake protocol.
2893 _gnutls_handshake_server (gnutls_session_t session
)
2902 _gnutls_recv_handshake (session
,
2903 GNUTLS_HANDSHAKE_CLIENT_HELLO
,
2906 IMED_RET ("recv hello", ret
, 1);
2909 ret
= _gnutls_send_hello (session
, AGAIN (STATE2
));
2911 IMED_RET ("send hello", ret
, 1);
2914 if (session
->security_parameters
.do_send_supplemental
)
2916 ret
= _gnutls_send_supplemental (session
, AGAIN (STATE70
));
2918 IMED_RET ("send supplemental data", ret
, 0);
2921 /* SEND CERTIFICATE + KEYEXCHANGE + CERTIFICATE_REQUEST */
2923 /* NOTE: these should not be send if we are resuming */
2925 if (session
->internals
.resumed
== RESUME_FALSE
)
2926 ret
= _gnutls_send_server_certificate (session
, AGAIN (STATE3
));
2928 IMED_RET ("send server certificate", ret
, 0);
2931 if (session
->internals
.resumed
== RESUME_FALSE
)
2932 ret
= _gnutls_send_server_certificate_status (session
, AGAIN (STATE4
));
2934 IMED_RET ("send server certificate status", ret
, 0);
2937 /* send server key exchange (A) */
2938 if (session
->internals
.resumed
== RESUME_FALSE
)
2939 ret
= _gnutls_send_server_kx_message (session
, AGAIN (STATE5
));
2941 IMED_RET ("send server kx", ret
, 0);
2944 /* Send certificate request - if requested to */
2945 if (session
->internals
.resumed
== RESUME_FALSE
)
2947 _gnutls_send_server_crt_request (session
, AGAIN (STATE6
));
2949 IMED_RET ("send server cert request", ret
, 0);
2952 /* send the server hello done */
2953 if (session
->internals
.resumed
== RESUME_FALSE
) /* if we are not resuming */
2955 _gnutls_send_empty_handshake (session
,
2956 GNUTLS_HANDSHAKE_SERVER_HELLO_DONE
,
2959 IMED_RET ("send server hello done", ret
, 1);
2962 if (session
->security_parameters
.do_recv_supplemental
)
2964 ret
= _gnutls_recv_supplemental (session
);
2966 IMED_RET ("recv client supplemental", ret
, 1);
2969 /* RECV CERTIFICATE + KEYEXCHANGE + CERTIFICATE_VERIFY */
2971 /* receive the client certificate message */
2972 if (session
->internals
.resumed
== RESUME_FALSE
) /* if we are not resuming */
2973 ret
= _gnutls_recv_client_certificate (session
);
2975 IMED_RET ("recv client certificate", ret
, 1);
2978 ret
= run_verify_callback(session
, GNUTLS_SERVER
);
2981 return gnutls_assert_val(ret
);
2984 /* receive the client key exchange message */
2985 if (session
->internals
.resumed
== RESUME_FALSE
) /* if we are not resuming */
2986 ret
= _gnutls_recv_client_kx_message (session
);
2988 IMED_RET ("recv client kx", ret
, 1);
2991 /* receive the client certificate verify message */
2992 if (session
->internals
.resumed
== RESUME_FALSE
) /* if we are not resuming */
2993 ret
= _gnutls_recv_client_certificate_verify_message (session
);
2995 IMED_RET ("recv client certificate verify", ret
, 1);
2999 if (session
->internals
.resumed
== RESUME_FALSE
) /* if we are not resuming */
3001 ret
= _gnutls_recv_handshake_final (session
, TRUE
);
3002 IMED_RET ("recv handshake final", ret
, 1);
3006 ret
= _gnutls_send_handshake_final (session
, TRUE
);
3007 IMED_RET ("send handshake final 2", ret
, 1);
3011 ret
= _gnutls_send_new_session_ticket (session
, AGAIN (STATE13
));
3013 IMED_RET ("send handshake new session ticket", ret
, 0);
3017 if (session
->internals
.resumed
== RESUME_FALSE
) /* if we are not resuming */
3019 ret
= _gnutls_send_handshake_final (session
, FALSE
);
3020 IMED_RET ("send handshake final", ret
, 1);
3024 ret
= _gnutls_recv_handshake_final (session
, FALSE
);
3025 IMED_RET ("recv handshake final 2", ret
, 1);
3028 if (session
->security_parameters
.entity
== GNUTLS_SERVER
&& session
->internals
.ticket_sent
== 0)
3030 /* if no ticket, save session data */
3031 _gnutls_server_register_current_session (session
);
3044 _gnutls_generate_session_id (uint8_t * session_id
, uint8_t * len
)
3048 *len
= TLS_MAX_SESSION_ID_SIZE
;
3050 ret
= _gnutls_rnd (GNUTLS_RND_NONCE
, session_id
, *len
);
3061 _gnutls_recv_hello_request (gnutls_session_t session
, void *data
,
3066 if (session
->security_parameters
.entity
== GNUTLS_SERVER
)
3069 return GNUTLS_E_UNEXPECTED_PACKET
;
3074 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH
;
3076 type
= ((uint8_t *) data
)[0];
3077 if (type
== GNUTLS_HANDSHAKE_HELLO_REQUEST
)
3079 if (IS_DTLS(session
))
3080 session
->internals
.dtls
.hsk_read_seq
++;
3081 return GNUTLS_E_REHANDSHAKE
;
3086 return GNUTLS_E_UNEXPECTED_PACKET
;
3090 /* Returns 1 if the given KX has not the corresponding parameters
3091 * (DH or RSA) set up. Otherwise returns 0.
3094 check_server_params (gnutls_session_t session
,
3095 gnutls_kx_algorithm_t kx
,
3096 gnutls_kx_algorithm_t
* alg
, int alg_size
)
3099 gnutls_dh_params_t dh_params
= NULL
;
3100 gnutls_rsa_params_t rsa_params
= NULL
;
3103 cred_type
= _gnutls_map_kx_get_cred (kx
, 1);
3105 /* Read the Diffie-Hellman parameters, if any.
3107 if (cred_type
== GNUTLS_CRD_CERTIFICATE
)
3110 gnutls_certificate_credentials_t x509_cred
=
3111 (gnutls_certificate_credentials_t
) _gnutls_get_cred (session
,
3114 if (x509_cred
!= NULL
)
3117 _gnutls_get_dh_params (x509_cred
->dh_params
,
3118 x509_cred
->params_func
, session
);
3120 _gnutls_certificate_get_rsa_params (x509_cred
->rsa_params
,
3121 x509_cred
->params_func
,
3125 /* Check also if the certificate supports the
3129 for (j
= 0; j
< alg_size
; j
++)
3143 else if (cred_type
== GNUTLS_CRD_ANON
)
3145 gnutls_anon_server_credentials_t anon_cred
=
3146 (gnutls_anon_server_credentials_t
) _gnutls_get_cred (session
,
3149 if (anon_cred
!= NULL
)
3152 _gnutls_get_dh_params (anon_cred
->dh_params
,
3153 anon_cred
->params_func
, session
);
3158 else if (cred_type
== GNUTLS_CRD_PSK
)
3160 gnutls_psk_server_credentials_t psk_cred
=
3161 (gnutls_psk_server_credentials_t
) _gnutls_get_cred (session
,
3164 if (psk_cred
!= NULL
)
3167 _gnutls_get_dh_params (psk_cred
->dh_params
, psk_cred
->params_func
,
3173 return 0; /* no need for params */
3176 /* If the key exchange method needs RSA or DH params,
3177 * but they are not set then remove it.
3179 if (_gnutls_kx_needs_rsa_params (kx
) != 0)
3181 /* needs rsa params. */
3182 if (_gnutls_rsa_params_to_mpi (rsa_params
) == NULL
)
3189 if (_gnutls_kx_needs_dh_params (kx
) != 0)
3191 /* needs DH params. */
3192 if (_gnutls_dh_params_to_mpi (dh_params
) == NULL
)
3202 /* This function will remove algorithms that are not supported by
3203 * the requested authentication method. We remove an algorithm if
3204 * we have a certificate with keyUsage bits set.
3206 * This does a more high level check than gnutls_supported_ciphersuites(),
3207 * by checking certificates etc.
3210 _gnutls_remove_unwanted_ciphersuites (gnutls_session_t session
,
3211 uint8_t * cipher_suites
,
3212 int cipher_suites_size
,
3213 gnutls_pk_algorithm_t
*pk_algos
,
3214 size_t pk_algos_size
)
3218 int i
, new_suites_size
;
3219 gnutls_certificate_credentials_t cert_cred
;
3220 gnutls_kx_algorithm_t kx
;
3221 int server
= session
->security_parameters
.entity
== GNUTLS_SERVER
? 1 : 0;
3222 gnutls_kx_algorithm_t alg
[MAX_ALGOS
];
3223 int alg_size
= MAX_ALGOS
;
3225 /* if we should use a specific certificate,
3226 * we should remove all algorithms that are not supported
3227 * by that certificate and are on the same authentication
3228 * method (CERTIFICATE).
3232 (gnutls_certificate_credentials_t
) _gnutls_get_cred (session
,
3233 GNUTLS_CRD_CERTIFICATE
,
3236 /* If there are certificate credentials, find an appropriate certificate
3239 if (session
->security_parameters
.entity
== GNUTLS_SERVER
3240 && cert_cred
!= NULL
&& pk_algos_size
> 0)
3242 ret
= _gnutls_server_select_cert (session
, pk_algos
, pk_algos_size
);
3246 _gnutls_debug_log ("Could not find an appropriate certificate: %s\n",
3247 gnutls_strerror (ret
));
3251 /* get all the key exchange algorithms that are
3252 * supported by the X509 certificate parameters.
3255 _gnutls_selected_cert_supported_kx (session
, alg
, &alg_size
)) < 0)
3261 new_suites_size
= 0;
3263 /* now removes ciphersuites based on the KX algorithm
3265 for (i
= 0; i
< cipher_suites_size
; i
+=2)
3269 /* finds the key exchange algorithm in
3272 kx
= _gnutls_cipher_suite_get_kx_algo (&cipher_suites
[i
]);
3274 /* if it is defined but had no credentials
3276 if (!session
->internals
.premaster_set
&&
3277 _gnutls_get_kx_cred (session
, kx
, NULL
) == NULL
)
3286 delete = check_server_params (session
, kx
, alg
, alg_size
);
3289 /* If we have not agreed to a common curve with the peer don't bother
3292 if (server
!= 0 && _gnutls_kx_is_ecc(kx
))
3294 if (_gnutls_session_ecc_curve_get(session
) == GNUTLS_ECC_CURVE_INVALID
)
3300 /* These two SRP kx's are marked to require a CRD_CERTIFICATE,
3301 (see cred_mappings in gnutls_algorithms.c), but it also
3302 requires a SRP credential. Don't use SRP kx unless we have a
3303 SRP credential too. */
3304 if (kx
== GNUTLS_KX_SRP_RSA
|| kx
== GNUTLS_KX_SRP_DSS
)
3306 if (!_gnutls_get_cred (session
, GNUTLS_CRD_SRP
, NULL
))
3315 _gnutls_handshake_log ("HSK[%p]: Keeping ciphersuite: %s (%.2X.%.2X)\n",
3317 _gnutls_cipher_suite_get_name (&cipher_suites
[i
]),
3318 cipher_suites
[i
], cipher_suites
[i
+1]);
3320 if (i
!= new_suites_size
)
3321 memmove( &cipher_suites
[new_suites_size
], &cipher_suites
[i
], 2);
3326 _gnutls_handshake_log ("HSK[%p]: Removing ciphersuite: %s\n",
3328 _gnutls_cipher_suite_get_name (&cipher_suites
[i
]));
3333 ret
= new_suites_size
;
3340 * gnutls_handshake_set_max_packet_length:
3341 * @session: is a #gnutls_session_t structure.
3342 * @max: is the maximum number.
3344 * This function will set the maximum size of all handshake messages.
3345 * Handshakes over this size are rejected with
3346 * %GNUTLS_E_HANDSHAKE_TOO_LARGE error code. The default value is
3347 * 48kb which is typically large enough. Set this to 0 if you do not
3348 * want to set an upper limit.
3350 * The reason for restricting the handshake message sizes are to
3351 * limit Denial of Service attacks.
3354 gnutls_handshake_set_max_packet_length (gnutls_session_t session
, size_t max
)
3356 session
->internals
.max_handshake_data_buffer_size
= max
;
3360 _gnutls_set_adv_version (gnutls_session_t session
, gnutls_protocol_t ver
)
3362 set_adv_version (session
, _gnutls_version_get_major (ver
),
3363 _gnutls_version_get_minor (ver
));
3367 _gnutls_get_adv_version (gnutls_session_t session
)
3369 return _gnutls_version_get (_gnutls_get_adv_version_major (session
),
3370 _gnutls_get_adv_version_minor (session
));
3374 * gnutls_handshake_get_last_in:
3375 * @session: is a #gnutls_session_t structure.
3377 * This function is only useful to check where the last performed
3378 * handshake failed. If the previous handshake succeed or was not
3379 * performed at all then no meaningful value will be returned.
3381 * Check %gnutls_handshake_description_t in gnutls.h for the
3382 * available handshake descriptions.
3384 * Returns: the last handshake message type received, a
3385 * %gnutls_handshake_description_t.
3387 gnutls_handshake_description_t
3388 gnutls_handshake_get_last_in (gnutls_session_t session
)
3390 return session
->internals
.last_handshake_in
;
3394 * gnutls_handshake_get_last_out:
3395 * @session: is a #gnutls_session_t structure.
3397 * This function is only useful to check where the last performed
3398 * handshake failed. If the previous handshake succeed or was not
3399 * performed at all then no meaningful value will be returned.
3401 * Check %gnutls_handshake_description_t in gnutls.h for the
3402 * available handshake descriptions.
3404 * Returns: the last handshake message type sent, a
3405 * %gnutls_handshake_description_t.
3407 gnutls_handshake_description_t
3408 gnutls_handshake_get_last_out (gnutls_session_t session
)
3410 return session
->internals
.last_handshake_out
;