If OCSP revocation data are invalid or too old set appropriate verification flags.
[gnutls.git] / lib / gnutls_state.c
blob84a62b76f061185acd29e8404e4fcc7b142f71a7
1 /*
2 * Copyright (C) 2002-2012 Free Software Foundation, Inc.
4 * Author: Nikos Mavrogiannopoulos
6 * This file is part of GnuTLS.
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
23 /* Functions to manipulate the session (gnutls_int.h), and some other stuff
24 * are included here. The file's name is traditionally gnutls_state even if the
25 * state has been renamed to session.
28 #include <gnutls_int.h>
29 #include <gnutls_errors.h>
30 #include <gnutls_auth.h>
31 #include <gnutls_num.h>
32 #include <gnutls_datum.h>
33 #include <gnutls_db.h>
34 #include <gnutls_record.h>
35 #include <gnutls_handshake.h>
36 #include <gnutls_dh.h>
37 #include <gnutls_buffers.h>
38 #include <gnutls_mbuffers.h>
39 #include <gnutls_state.h>
40 #include <gnutls_constate.h>
41 #include <auth/cert.h>
42 #include <auth/anon.h>
43 #include <auth/psk.h>
44 #include <algorithms.h>
45 #include <gnutls_rsa_export.h>
46 #include <gnutls_extensions.h>
47 #include <system.h>
48 #include <gnutls/dtls.h>
49 #include <timespec.h>
51 /* These should really be static, but src/tests.c calls them. Make
52 them public functions? */
53 void
54 _gnutls_rsa_pms_set_version (gnutls_session_t session,
55 unsigned char major, unsigned char minor);
57 void
58 _gnutls_session_cert_type_set (gnutls_session_t session,
59 gnutls_certificate_type_t ct)
61 _gnutls_handshake_log("HSK[%p]: Selected certificate type %s (%d)\n", session,
62 gnutls_certificate_type_get_name(ct), ct);
63 session->security_parameters.cert_type = ct;
66 void
67 _gnutls_session_ecc_curve_set (gnutls_session_t session,
68 gnutls_ecc_curve_t c)
70 _gnutls_handshake_log("HSK[%p]: Selected ECC curve %s (%d)\n", session, gnutls_ecc_curve_get_name(c), c);
71 session->security_parameters.ecc_curve = c;
74 /**
75 * gnutls_cipher_get:
76 * @session: is a #gnutls_session_t structure.
78 * Get currently used cipher.
80 * Returns: the currently used cipher, a #gnutls_cipher_algorithm_t
81 * type.
82 **/
83 gnutls_cipher_algorithm_t
84 gnutls_cipher_get (gnutls_session_t session)
86 record_parameters_st *record_params;
87 int ret;
89 ret = _gnutls_epoch_get (session, EPOCH_READ_CURRENT, &record_params);
90 if (ret < 0)
91 return gnutls_assert_val(GNUTLS_CIPHER_NULL);
93 return record_params->cipher_algorithm;
96 /**
97 * gnutls_certificate_type_get:
98 * @session: is a #gnutls_session_t structure.
100 * The certificate type is by default X.509, unless it is negotiated
101 * as a TLS extension.
103 * Returns: the currently used #gnutls_certificate_type_t certificate
104 * type.
106 gnutls_certificate_type_t
107 gnutls_certificate_type_get (gnutls_session_t session)
109 return session->security_parameters.cert_type;
113 * gnutls_kx_get:
114 * @session: is a #gnutls_session_t structure.
116 * Get currently used key exchange algorithm.
118 * Returns: the key exchange algorithm used in the last handshake, a
119 * #gnutls_kx_algorithm_t value.
121 gnutls_kx_algorithm_t
122 gnutls_kx_get (gnutls_session_t session)
124 return session->security_parameters.kx_algorithm;
128 * gnutls_mac_get:
129 * @session: is a #gnutls_session_t structure.
131 * Get currently used MAC algorithm.
133 * Returns: the currently used mac algorithm, a
134 * #gnutls_mac_algorithm_t value.
136 gnutls_mac_algorithm_t
137 gnutls_mac_get (gnutls_session_t session)
139 record_parameters_st *record_params;
140 int ret;
142 ret = _gnutls_epoch_get (session, EPOCH_READ_CURRENT, &record_params);
143 if (ret < 0)
144 return gnutls_assert_val(GNUTLS_MAC_NULL);
146 return record_params->mac_algorithm;
150 * gnutls_compression_get:
151 * @session: is a #gnutls_session_t structure.
153 * Get currently used compression algorithm.
155 * Returns: the currently used compression method, a
156 * #gnutls_compression_method_t value.
158 gnutls_compression_method_t
159 gnutls_compression_get (gnutls_session_t session)
161 record_parameters_st *record_params;
162 int ret;
164 ret = _gnutls_epoch_get (session, EPOCH_READ_CURRENT, &record_params);
165 if (ret < 0)
166 return gnutls_assert_val(GNUTLS_COMP_NULL);
168 return record_params->compression_algorithm;
171 /* Check if the given certificate type is supported.
172 * This means that it is enabled by the priority functions,
173 * and a matching certificate exists.
176 _gnutls_session_cert_type_supported (gnutls_session_t session,
177 gnutls_certificate_type_t cert_type)
179 unsigned i;
180 unsigned cert_found = 0;
181 gnutls_certificate_credentials_t cred;
183 if (session->security_parameters.entity == GNUTLS_SERVER)
185 cred = (gnutls_certificate_credentials_t)
186 _gnutls_get_cred (session, GNUTLS_CRD_CERTIFICATE, NULL);
188 if (cred == NULL)
189 return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE;
191 if (cred->server_get_cert_callback == NULL
192 && cred->get_cert_callback == NULL)
194 for (i = 0; i < cred->ncerts; i++)
196 if (cred->certs[i].cert_list[0].type == cert_type)
198 cert_found = 1;
199 break;
203 if (cert_found == 0)
204 /* no certificate is of that type.
206 return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE;
210 if (session->internals.priorities.cert_type.algorithms == 0
211 && cert_type == DEFAULT_CERT_TYPE)
212 return 0;
214 for (i = 0; i < session->internals.priorities.cert_type.algorithms; i++)
216 if (session->internals.priorities.cert_type.priority[i] == cert_type)
218 return 0; /* ok */
222 return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE;
226 /* this function deinitializes all the internal parameters stored
227 * in a session struct.
229 inline static void
230 deinit_internal_params (gnutls_session_t session)
232 if (session->internals.params.free_dh_params)
233 gnutls_dh_params_deinit (session->internals.params.dh_params);
235 if (session->internals.params.free_rsa_params)
236 gnutls_rsa_params_deinit (session->internals.params.rsa_params);
238 _gnutls_handshake_hash_buffers_clear (session);
240 memset (&session->internals.params, 0, sizeof (session->internals.params));
243 /* This function will clear all the variables in internals
244 * structure within the session, which depend on the current handshake.
245 * This is used to allow further handshakes.
247 static void
248 _gnutls_handshake_internal_state_init (gnutls_session_t session)
250 session->internals.extensions_sent_size = 0;
252 /* by default no selected certificate */
253 session->internals.adv_version_major = 0;
254 session->internals.adv_version_minor = 0;
255 session->internals.direction = 0;
257 /* use out of band data for the last
258 * handshake messages received.
260 session->internals.last_handshake_in = -1;
261 session->internals.last_handshake_out = -1;
263 session->internals.resumable = RESUME_TRUE;
265 session->internals.dtls.hsk_read_seq = 0;
266 session->internals.dtls.hsk_write_seq = 0;
267 gettime(&session->internals.dtls.handshake_start_time);
270 void
271 _gnutls_handshake_internal_state_clear (gnutls_session_t session)
273 _gnutls_handshake_internal_state_init (session);
275 deinit_internal_params (session);
277 _gnutls_epoch_gc(session);
279 session->internals.handshake_endtime = 0;
282 #define MIN_DH_BITS 727
284 * gnutls_init:
285 * @session: is a pointer to a #gnutls_session_t structure.
286 * @flags: indicate if this session is to be used for server or client.
288 * This function initializes the current session to null. Every
289 * session must be initialized before use, so internal structures can
290 * be allocated. This function allocates structures which can only
291 * be free'd by calling gnutls_deinit(). Returns %GNUTLS_E_SUCCESS (0) on success.
293 * @flags can be one of %GNUTLS_CLIENT and %GNUTLS_SERVER. For a DTLS
294 * entity, the flags %GNUTLS_DATAGRAM and %GNUTLS_NONBLOCK are
295 * also available. The latter flag will enable a non-blocking
296 * operation of the DTLS timers.
298 * Note that since version 3.1.2 this function enables some common
299 * TLS extensions such as session tickets and OCSP certificate status
300 * request in client side by default. To prevent that use the %GNUTLS_NO_EXTENSIONS
301 * flag.
303 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
306 gnutls_init (gnutls_session_t * session, unsigned int flags)
308 int ret;
309 record_parameters_st *epoch;
311 *session = gnutls_calloc (1, sizeof (struct gnutls_session_int));
312 if (*session == NULL)
313 return GNUTLS_E_MEMORY_ERROR;
315 ret = _gnutls_epoch_alloc (*session, 0, &epoch);
316 if (ret < 0)
318 gnutls_assert ();
319 return GNUTLS_E_MEMORY_ERROR;
322 /* Set all NULL algos on epoch 0 */
323 _gnutls_epoch_set_null_algos (*session, epoch);
325 (*session)->security_parameters.epoch_next = 1;
327 (*session)->security_parameters.entity = (flags&GNUTLS_SERVER?GNUTLS_SERVER:GNUTLS_CLIENT);
329 /* the default certificate type for TLS */
330 (*session)->security_parameters.cert_type = DEFAULT_CERT_TYPE;
332 /* Initialize buffers */
333 _gnutls_buffer_init (&(*session)->internals.handshake_hash_buffer);
334 _gnutls_buffer_init (&(*session)->internals.hb_remote_data);
335 _gnutls_buffer_init (&(*session)->internals.hb_local_data);
337 _mbuffer_head_init (&(*session)->internals.record_buffer);
338 _mbuffer_head_init (&(*session)->internals.record_send_buffer);
339 _mbuffer_head_init (&(*session)->internals.record_recv_buffer);
341 _mbuffer_head_init (&(*session)->internals.handshake_send_buffer);
342 _gnutls_handshake_recv_buffer_init(*session);
344 (*session)->internals.expire_time = DEFAULT_EXPIRE_TIME; /* one hour default */
346 gnutls_dh_set_prime_bits ((*session), MIN_DH_BITS);
348 gnutls_handshake_set_max_packet_length ((*session),
349 MAX_HANDSHAKE_PACKET_SIZE);
351 /* set the socket pointers to -1;
353 (*session)->internals.transport_recv_ptr = (gnutls_transport_ptr_t) - 1;
354 (*session)->internals.transport_send_ptr = (gnutls_transport_ptr_t) - 1;
356 /* set the default maximum record size for TLS
358 (*session)->security_parameters.max_record_recv_size =
359 DEFAULT_MAX_RECORD_SIZE;
360 (*session)->security_parameters.max_record_send_size =
361 DEFAULT_MAX_RECORD_SIZE;
363 /* everything else not initialized here is initialized
364 * as NULL or 0. This is why calloc is used.
367 _gnutls_handshake_internal_state_init (*session);
369 /* emulate old gnutls behavior for old applications that do not use the priority_*
370 * functions.
372 (*session)->internals.priorities.sr = SR_PARTIAL;
374 #ifdef HAVE_WRITEV
375 gnutls_transport_set_vec_push_function (*session, system_writev);
376 #else
377 gnutls_transport_set_push_function (*session, system_write);
378 #endif
379 gnutls_transport_set_pull_function (*session, system_read);
380 gnutls_transport_set_errno_function (*session, system_errno);
381 gnutls_transport_set_pull_timeout_function (*session, system_recv_timeout);
383 (*session)->internals.hb_retrans_timeout_ms = 1000;
384 (*session)->internals.hb_total_timeout_ms = 60000;
386 if (flags & GNUTLS_DATAGRAM)
388 (*session)->internals.dtls.mtu = DTLS_DEFAULT_MTU;
389 (*session)->internals.transport = GNUTLS_DGRAM;
391 (*session)->internals.dtls.retrans_timeout_ms = 1000;
392 (*session)->internals.dtls.total_timeout_ms = 60000;
394 else
395 (*session)->internals.transport = GNUTLS_STREAM;
397 if (flags & GNUTLS_NONBLOCK)
398 (*session)->internals.dtls.blocking = 0;
399 else
400 (*session)->internals.dtls.blocking = 1;
402 /* Enable useful extensions */
403 if ((flags & GNUTLS_CLIENT) && !(flags & GNUTLS_NO_EXTENSIONS))
405 gnutls_session_ticket_enable_client(*session);
406 gnutls_ocsp_status_request_enable_client(*session, NULL, 0, NULL);
409 return 0;
412 /* returns RESUME_FALSE or RESUME_TRUE.
415 _gnutls_session_is_resumable (gnutls_session_t session)
417 return session->internals.resumable;
422 * gnutls_deinit:
423 * @session: is a #gnutls_session_t structure.
425 * This function clears all buffers associated with the @session.
426 * This function will also remove session data from the session
427 * database if the session was terminated abnormally.
429 void
430 gnutls_deinit (gnutls_session_t session)
432 unsigned int i;
434 if (session == NULL)
435 return;
437 /* remove auth info firstly */
438 _gnutls_free_auth_info (session);
440 _gnutls_handshake_internal_state_clear (session);
441 _gnutls_handshake_io_buffer_clear (session);
442 _gnutls_ext_free_session_data (session);
444 for (i = 0; i < MAX_EPOCH_INDEX; i++)
445 if (session->record_parameters[i] != NULL)
447 _gnutls_epoch_free (session, session->record_parameters[i]);
448 session->record_parameters[i] = NULL;
451 _gnutls_buffer_clear (&session->internals.handshake_hash_buffer);
452 _gnutls_buffer_clear (&session->internals.hb_remote_data);
453 _gnutls_buffer_clear (&session->internals.hb_local_data);
455 _mbuffer_head_clear (&session->internals.record_buffer);
456 _mbuffer_head_clear (&session->internals.record_recv_buffer);
457 _mbuffer_head_clear (&session->internals.record_send_buffer);
459 gnutls_credentials_clear (session);
460 _gnutls_selected_certs_deinit (session);
462 gnutls_pk_params_release(&session->key.ecdh_params);
463 _gnutls_mpi_release (&session->key.ecdh_x);
464 _gnutls_mpi_release (&session->key.ecdh_y);
466 _gnutls_mpi_release (&session->key.KEY);
467 _gnutls_mpi_release (&session->key.client_Y);
468 _gnutls_mpi_release (&session->key.client_p);
469 _gnutls_mpi_release (&session->key.client_g);
471 _gnutls_mpi_release (&session->key.u);
472 _gnutls_mpi_release (&session->key.a);
473 _gnutls_mpi_release (&session->key.x);
474 _gnutls_mpi_release (&session->key.A);
475 _gnutls_mpi_release (&session->key.B);
476 _gnutls_mpi_release (&session->key.b);
478 /* RSA */
479 _gnutls_mpi_release (&session->key.rsa[0]);
480 _gnutls_mpi_release (&session->key.rsa[1]);
482 _gnutls_mpi_release (&session->key.dh_secret);
484 memset (session, 0, sizeof (struct gnutls_session_int));
485 gnutls_free (session);
488 /* Returns the minimum prime bits that are acceptable.
491 _gnutls_dh_set_peer_public (gnutls_session_t session, bigint_t public)
493 dh_info_st *dh;
494 int ret;
496 switch (gnutls_auth_get_type (session))
498 case GNUTLS_CRD_ANON:
500 anon_auth_info_t info;
501 info = _gnutls_get_auth_info (session);
502 if (info == NULL)
503 return GNUTLS_E_INTERNAL_ERROR;
505 dh = &info->dh;
506 break;
508 case GNUTLS_CRD_PSK:
510 psk_auth_info_t info;
511 info = _gnutls_get_auth_info (session);
512 if (info == NULL)
513 return GNUTLS_E_INTERNAL_ERROR;
515 dh = &info->dh;
516 break;
518 case GNUTLS_CRD_CERTIFICATE:
520 cert_auth_info_t info;
522 info = _gnutls_get_auth_info (session);
523 if (info == NULL)
524 return GNUTLS_E_INTERNAL_ERROR;
526 dh = &info->dh;
527 break;
529 default:
530 gnutls_assert ();
531 return GNUTLS_E_INTERNAL_ERROR;
534 if (dh->public_key.data)
535 _gnutls_free_datum (&dh->public_key);
537 ret = _gnutls_mpi_dprint_lz (public, &dh->public_key);
538 if (ret < 0)
540 gnutls_assert ();
541 return ret;
544 return 0;
548 _gnutls_dh_set_secret_bits (gnutls_session_t session, unsigned bits)
550 switch (gnutls_auth_get_type (session))
552 case GNUTLS_CRD_ANON:
554 anon_auth_info_t info;
555 info = _gnutls_get_auth_info (session);
556 if (info == NULL)
557 return GNUTLS_E_INTERNAL_ERROR;
558 info->dh.secret_bits = bits;
559 break;
561 case GNUTLS_CRD_PSK:
563 psk_auth_info_t info;
564 info = _gnutls_get_auth_info (session);
565 if (info == NULL)
566 return GNUTLS_E_INTERNAL_ERROR;
567 info->dh.secret_bits = bits;
568 break;
570 case GNUTLS_CRD_CERTIFICATE:
572 cert_auth_info_t info;
574 info = _gnutls_get_auth_info (session);
575 if (info == NULL)
576 return GNUTLS_E_INTERNAL_ERROR;
578 info->dh.secret_bits = bits;
579 break;
580 default:
581 gnutls_assert ();
582 return GNUTLS_E_INTERNAL_ERROR;
586 return 0;
589 /* This function will set in the auth info structure the
590 * RSA exponent and the modulus.
593 _gnutls_rsa_export_set_pubkey (gnutls_session_t session,
594 bigint_t exponent, bigint_t modulus)
596 cert_auth_info_t info;
597 int ret;
599 info = _gnutls_get_auth_info (session);
600 if (info == NULL)
601 return GNUTLS_E_INTERNAL_ERROR;
603 if (info->rsa_export.modulus.data)
604 _gnutls_free_datum (&info->rsa_export.modulus);
606 if (info->rsa_export.exponent.data)
607 _gnutls_free_datum (&info->rsa_export.exponent);
609 ret = _gnutls_mpi_dprint_lz (modulus, &info->rsa_export.modulus);
610 if (ret < 0)
612 gnutls_assert ();
613 return ret;
616 ret = _gnutls_mpi_dprint_lz (exponent, &info->rsa_export.exponent);
617 if (ret < 0)
619 gnutls_assert ();
620 _gnutls_free_datum (&info->rsa_export.modulus);
621 return ret;
624 return 0;
628 /* Sets the prime and the generator in the auth info structure.
631 _gnutls_dh_set_group (gnutls_session_t session, bigint_t gen, bigint_t prime)
633 dh_info_st *dh;
634 int ret;
636 switch (gnutls_auth_get_type (session))
638 case GNUTLS_CRD_ANON:
640 anon_auth_info_t info;
641 info = _gnutls_get_auth_info (session);
642 if (info == NULL)
643 return GNUTLS_E_INTERNAL_ERROR;
645 dh = &info->dh;
646 break;
648 case GNUTLS_CRD_PSK:
650 psk_auth_info_t info;
651 info = _gnutls_get_auth_info (session);
652 if (info == NULL)
653 return GNUTLS_E_INTERNAL_ERROR;
655 dh = &info->dh;
656 break;
658 case GNUTLS_CRD_CERTIFICATE:
660 cert_auth_info_t info;
662 info = _gnutls_get_auth_info (session);
663 if (info == NULL)
664 return GNUTLS_E_INTERNAL_ERROR;
666 dh = &info->dh;
667 break;
669 default:
670 gnutls_assert ();
671 return GNUTLS_E_INTERNAL_ERROR;
674 if (dh->prime.data)
675 _gnutls_free_datum (&dh->prime);
677 if (dh->generator.data)
678 _gnutls_free_datum (&dh->generator);
680 /* prime
682 ret = _gnutls_mpi_dprint_lz (prime, &dh->prime);
683 if (ret < 0)
685 gnutls_assert ();
686 return ret;
689 /* generator
691 ret = _gnutls_mpi_dprint_lz (gen, &dh->generator);
692 if (ret < 0)
694 gnutls_assert ();
695 _gnutls_free_datum (&dh->prime);
696 return ret;
699 return 0;
702 #ifdef ENABLE_OPENPGP
704 * gnutls_openpgp_send_cert:
705 * @session: is a pointer to a #gnutls_session_t structure.
706 * @status: is one of GNUTLS_OPENPGP_CERT, or GNUTLS_OPENPGP_CERT_FINGERPRINT
708 * This function will order gnutls to send the key fingerprint
709 * instead of the key in the initial handshake procedure. This should
710 * be used with care and only when there is indication or knowledge
711 * that the server can obtain the client's key.
713 void
714 gnutls_openpgp_send_cert (gnutls_session_t session,
715 gnutls_openpgp_crt_status_t status)
717 session->internals.pgp_fingerprint = status;
719 #endif
722 * gnutls_certificate_send_x509_rdn_sequence:
723 * @session: is a pointer to a #gnutls_session_t structure.
724 * @status: is 0 or 1
726 * If status is non zero, this function will order gnutls not to send
727 * the rdnSequence in the certificate request message. That is the
728 * server will not advertise its trusted CAs to the peer. If status
729 * is zero then the default behaviour will take effect, which is to
730 * advertise the server's trusted CAs.
732 * This function has no effect in clients, and in authentication
733 * methods other than certificate with X.509 certificates.
735 void
736 gnutls_certificate_send_x509_rdn_sequence (gnutls_session_t session,
737 int status)
739 session->internals.ignore_rdn_sequence = status;
742 #ifdef ENABLE_OPENPGP
744 _gnutls_openpgp_send_fingerprint (gnutls_session_t session)
746 return session->internals.pgp_fingerprint;
748 #endif
751 * _gnutls_record_set_default_version - Used to set the default version for the first record packet
752 * @session: is a #gnutls_session_t structure.
753 * @major: is a tls major version
754 * @minor: is a tls minor version
756 * This function sets the default version that we will use in the first
757 * record packet (client hello). This function is only useful to people
758 * that know TLS internals and want to debug other implementations.
760 void
761 _gnutls_record_set_default_version (gnutls_session_t session,
762 unsigned char major, unsigned char minor)
764 session->internals.default_record_version[0] = major;
765 session->internals.default_record_version[1] = minor;
769 * gnutls_handshake_set_private_extensions:
770 * @session: is a #gnutls_session_t structure.
771 * @allow: is an integer (0 or 1)
773 * This function will enable or disable the use of private cipher
774 * suites (the ones that start with 0xFF). By default or if @allow
775 * is 0 then these cipher suites will not be advertized nor used.
777 * Currently GnuTLS does not include such cipher-suites or
778 * compression algorithms.
780 * Enabling the private ciphersuites when talking to other than
781 * gnutls servers and clients may cause interoperability problems.
783 void
784 gnutls_handshake_set_private_extensions (gnutls_session_t session, int allow)
786 session->internals.enable_private = allow;
789 inline static int
790 _gnutls_cal_PRF_A (gnutls_mac_algorithm_t algorithm,
791 const void *secret, int secret_size,
792 const void *seed, int seed_size, void *result)
794 int ret;
796 ret = _gnutls_hmac_fast (algorithm, secret, secret_size, seed, seed_size, result);
797 if (ret < 0)
798 return gnutls_assert_val(ret);
800 return 0;
803 #define MAX_SEED_SIZE 200
805 /* Produces "total_bytes" bytes using the hash algorithm specified.
806 * (used in the PRF function)
808 static int
809 P_hash (gnutls_mac_algorithm_t algorithm,
810 const uint8_t * secret, int secret_size,
811 const uint8_t * seed, int seed_size,
812 int total_bytes, uint8_t * ret)
815 digest_hd_st td2;
816 int i, times, how, blocksize, A_size;
817 uint8_t final[MAX_HASH_SIZE], Atmp[MAX_SEED_SIZE];
818 int output_bytes, result;
820 if (seed_size > MAX_SEED_SIZE || total_bytes <= 0)
822 gnutls_assert ();
823 return GNUTLS_E_INTERNAL_ERROR;
826 blocksize = _gnutls_hmac_get_algo_len (algorithm);
828 output_bytes = 0;
831 output_bytes += blocksize;
833 while (output_bytes < total_bytes);
835 /* calculate A(0) */
837 memcpy (Atmp, seed, seed_size);
838 A_size = seed_size;
840 times = output_bytes / blocksize;
842 for (i = 0; i < times; i++)
844 result = _gnutls_hmac_init (&td2, algorithm, secret, secret_size);
845 if (result < 0)
847 gnutls_assert ();
848 return result;
851 /* here we calculate A(i+1) */
852 if ((result =
853 _gnutls_cal_PRF_A (algorithm, secret, secret_size, Atmp,
854 A_size, Atmp)) < 0)
856 gnutls_assert ();
857 _gnutls_hmac_deinit (&td2, final);
858 return result;
861 A_size = blocksize;
863 _gnutls_hmac (&td2, Atmp, A_size);
864 _gnutls_hmac (&td2, seed, seed_size);
865 _gnutls_hmac_deinit (&td2, final);
867 if ((1 + i) * blocksize < total_bytes)
869 how = blocksize;
871 else
873 how = total_bytes - (i) * blocksize;
876 if (how > 0)
878 memcpy (&ret[i * blocksize], final, how);
882 return 0;
885 #define MAX_PRF_BYTES 200
887 /* The PRF function expands a given secret
888 * needed by the TLS specification. ret must have a least total_bytes
889 * available.
892 _gnutls_PRF (gnutls_session_t session,
893 const uint8_t * secret, unsigned int secret_size, const char *label,
894 int label_size, const uint8_t * seed, int seed_size,
895 int total_bytes, void *ret)
897 int l_s, s_seed_size;
898 const uint8_t *s1, *s2;
899 uint8_t s_seed[MAX_SEED_SIZE];
900 uint8_t o1[MAX_PRF_BYTES], o2[MAX_PRF_BYTES];
901 int result;
902 gnutls_protocol_t ver = gnutls_protocol_get_version (session);
904 if (total_bytes > MAX_PRF_BYTES)
906 gnutls_assert ();
907 return GNUTLS_E_INTERNAL_ERROR;
909 /* label+seed = s_seed */
910 s_seed_size = seed_size + label_size;
912 if (s_seed_size > MAX_SEED_SIZE)
914 gnutls_assert ();
915 return GNUTLS_E_INTERNAL_ERROR;
918 memcpy (s_seed, label, label_size);
919 memcpy (&s_seed[label_size], seed, seed_size);
921 if (_gnutls_version_has_selectable_prf (ver))
923 result =
924 P_hash (_gnutls_cipher_suite_get_prf(session->security_parameters.cipher_suite),
925 secret, secret_size,
926 s_seed, s_seed_size, total_bytes, ret);
927 if (result < 0)
929 gnutls_assert ();
930 return result;
933 else
935 l_s = secret_size / 2;
937 s1 = &secret[0];
938 s2 = &secret[l_s];
940 if (secret_size % 2 != 0)
942 l_s++;
945 result =
946 P_hash (GNUTLS_MAC_MD5, s1, l_s, s_seed, s_seed_size,
947 total_bytes, o1);
948 if (result < 0)
950 gnutls_assert ();
951 return result;
954 result =
955 P_hash (GNUTLS_MAC_SHA1, s2, l_s, s_seed, s_seed_size,
956 total_bytes, o2);
957 if (result < 0)
959 gnutls_assert ();
960 return result;
963 memxor (o1, o2, total_bytes);
965 memcpy (ret, o1, total_bytes);
968 return 0; /* ok */
973 * gnutls_prf_raw:
974 * @session: is a #gnutls_session_t structure.
975 * @label_size: length of the @label variable.
976 * @label: label used in PRF computation, typically a short string.
977 * @seed_size: length of the @seed variable.
978 * @seed: optional extra data to seed the PRF with.
979 * @outsize: size of pre-allocated output buffer to hold the output.
980 * @out: pre-allocate buffer to hold the generated data.
982 * Apply the TLS Pseudo-Random-Function (PRF) on the master secret
983 * and the provided data.
985 * The @label variable usually contains a string denoting the purpose
986 * for the generated data. The @seed usually contains data such as the
987 * client and server random, perhaps together with some additional
988 * data that is added to guarantee uniqueness of the output for a
989 * particular purpose.
991 * Because the output is not guaranteed to be unique for a particular
992 * session unless @seed includes the client random and server random
993 * fields (the PRF would output the same data on another connection
994 * resumed from the first one), it is not recommended to use this
995 * function directly. The gnutls_prf() function seeds the PRF with the
996 * client and server random fields directly, and is recommended if you
997 * want to generate pseudo random data unique for each session.
999 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
1002 gnutls_prf_raw (gnutls_session_t session,
1003 size_t label_size,
1004 const char *label,
1005 size_t seed_size, const char *seed, size_t outsize, char *out)
1007 int ret;
1009 ret = _gnutls_PRF (session,
1010 session->security_parameters.master_secret,
1011 GNUTLS_MASTER_SIZE,
1012 label,
1013 label_size, (uint8_t *) seed, seed_size, outsize, out);
1015 return ret;
1019 * gnutls_prf:
1020 * @session: is a #gnutls_session_t structure.
1021 * @label_size: length of the @label variable.
1022 * @label: label used in PRF computation, typically a short string.
1023 * @server_random_first: non-0 if server random field should be first in seed
1024 * @extra_size: length of the @extra variable.
1025 * @extra: optional extra data to seed the PRF with.
1026 * @outsize: size of pre-allocated output buffer to hold the output.
1027 * @out: pre-allocate buffer to hold the generated data.
1029 * Apply the TLS Pseudo-Random-Function (PRF) on the master secret
1030 * and the provided data, seeded with the client and server random fields.
1032 * The @label variable usually contains a string denoting the purpose
1033 * for the generated data. The @server_random_first indicates whether
1034 * the client random field or the server random field should be first
1035 * in the seed. Non-0 indicates that the server random field is first,
1036 * 0 that the client random field is first.
1038 * The @extra variable can be used to add more data to the seed, after
1039 * the random variables. It can be used to make sure the
1040 * generated output is strongly connected to some additional data
1041 * (e.g., a string used in user authentication).
1043 * The output is placed in @out, which must be pre-allocated.
1045 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
1048 gnutls_prf (gnutls_session_t session,
1049 size_t label_size,
1050 const char *label,
1051 int server_random_first,
1052 size_t extra_size, const char *extra, size_t outsize, char *out)
1054 int ret;
1055 uint8_t *seed;
1056 size_t seedsize = 2 * GNUTLS_RANDOM_SIZE + extra_size;
1058 seed = gnutls_malloc (seedsize);
1059 if (!seed)
1061 gnutls_assert ();
1062 return GNUTLS_E_MEMORY_ERROR;
1065 memcpy (seed, server_random_first ?
1066 session->security_parameters.server_random :
1067 session->security_parameters.client_random, GNUTLS_RANDOM_SIZE);
1068 memcpy (seed + GNUTLS_RANDOM_SIZE, server_random_first ?
1069 session->security_parameters.client_random :
1070 session->security_parameters.server_random, GNUTLS_RANDOM_SIZE);
1072 memcpy (seed + 2 * GNUTLS_RANDOM_SIZE, extra, extra_size);
1074 ret = _gnutls_PRF (session, session->security_parameters.master_secret,
1075 GNUTLS_MASTER_SIZE,
1076 label, label_size, seed, seedsize, outsize, out);
1078 gnutls_free (seed);
1080 return ret;
1084 * gnutls_session_is_resumed:
1085 * @session: is a #gnutls_session_t structure.
1087 * Check whether session is resumed or not.
1089 * Returns: non zero if this session is resumed, or a zero if this is
1090 * a new session.
1093 gnutls_session_is_resumed (gnutls_session_t session)
1095 if (session->security_parameters.entity == GNUTLS_CLIENT)
1097 if (session->security_parameters.session_id_size > 0 &&
1098 session->security_parameters.session_id_size ==
1099 session->internals.resumed_security_parameters.session_id_size
1100 && memcmp (session->security_parameters.session_id,
1101 session->internals.
1102 resumed_security_parameters.session_id,
1103 session->security_parameters.session_id_size) == 0)
1104 return 1;
1106 else
1108 if (session->internals.resumed != RESUME_FALSE)
1109 return 1;
1112 return 0;
1116 * gnutls_session_resumption_requested:
1117 * @session: is a #gnutls_session_t structure.
1119 * Check whether the client has asked for session resumption.
1120 * This function is valid only on server side.
1122 * Returns: non zero if session resumption was asked, or a zero if not.
1125 gnutls_session_resumption_requested(gnutls_session_t session)
1127 if (session->security_parameters.entity == GNUTLS_CLIENT)
1129 return 0;
1131 else
1133 return session->internals.resumption_requested;
1138 * _gnutls_session_is_export - Used to check whether this session is of export grade
1139 * @session: is a #gnutls_session_t structure.
1141 * This function will return non zero if this session is of export grade.
1144 _gnutls_session_is_export (gnutls_session_t session)
1146 gnutls_cipher_algorithm_t cipher;
1148 cipher =
1149 _gnutls_cipher_suite_get_cipher_algo (session->
1150 security_parameters.cipher_suite);
1152 if (_gnutls_cipher_get_export_flag (cipher) != 0)
1153 return 1;
1155 return 0;
1159 * _gnutls_session_is_psk - Used to check whether this session uses PSK kx
1160 * @session: is a #gnutls_session_t structure.
1162 * This function will return non zero if this session uses a PSK key
1163 * exchange algorithm.
1166 _gnutls_session_is_psk (gnutls_session_t session)
1168 gnutls_kx_algorithm_t kx;
1170 kx =
1171 _gnutls_cipher_suite_get_kx_algo (session->
1172 security_parameters.cipher_suite);
1173 if (kx == GNUTLS_KX_PSK || kx == GNUTLS_KX_DHE_PSK)
1174 return 1;
1176 return 0;
1180 * _gnutls_session_is_ecc - Used to check whether this session uses ECC kx
1181 * @session: is a #gnutls_session_t structure.
1183 * This function will return non zero if this session uses an elliptic
1184 * curves key exchange exchange algorithm.
1187 _gnutls_session_is_ecc (gnutls_session_t session)
1189 gnutls_kx_algorithm_t kx;
1191 /* We get the key exchange algorithm through the ciphersuite because
1192 * the negotiated key exchange might not have been set yet.
1194 kx =
1195 _gnutls_cipher_suite_get_kx_algo (session->
1196 security_parameters.cipher_suite);
1198 return _gnutls_kx_is_ecc(kx);
1202 * gnutls_session_get_ptr:
1203 * @session: is a #gnutls_session_t structure.
1205 * Get user pointer for session. Useful in callbacks. This is the
1206 * pointer set with gnutls_session_set_ptr().
1208 * Returns: the user given pointer from the session structure, or
1209 * %NULL if it was never set.
1211 void *
1212 gnutls_session_get_ptr (gnutls_session_t session)
1214 return session->internals.user_ptr;
1218 * gnutls_session_set_ptr:
1219 * @session: is a #gnutls_session_t structure.
1220 * @ptr: is the user pointer
1222 * This function will set (associate) the user given pointer @ptr to
1223 * the session structure. This pointer can be accessed with
1224 * gnutls_session_get_ptr().
1226 void
1227 gnutls_session_set_ptr (gnutls_session_t session, void *ptr)
1229 session->internals.user_ptr = ptr;
1234 * gnutls_record_get_direction:
1235 * @session: is a #gnutls_session_t structure.
1237 * This function provides information about the internals of the
1238 * record protocol and is only useful if a prior gnutls function call
1239 * (e.g. gnutls_handshake()) was interrupted for some reason, that
1240 * is, if a function returned %GNUTLS_E_INTERRUPTED or
1241 * %GNUTLS_E_AGAIN. In such a case, you might want to call select()
1242 * or poll() before calling the interrupted gnutls function again. To
1243 * tell you whether a file descriptor should be selected for either
1244 * reading or writing, gnutls_record_get_direction() returns 0 if the
1245 * interrupted function was trying to read data, and 1 if it was
1246 * trying to write data.
1248 * Returns: 0 if trying to read data, 1 if trying to write data.
1251 gnutls_record_get_direction (gnutls_session_t session)
1253 return session->internals.direction;
1257 * _gnutls_rsa_pms_set_version - Sets a version to be used at the RSA PMS
1258 * @session: is a #gnutls_session_t structure.
1259 * @major: is the major version to use
1260 * @minor: is the minor version to use
1262 * This function will set the given version number to be used at the
1263 * RSA PMS secret. This is only useful to clients, which want to
1264 * test server's capabilities.
1266 void
1267 _gnutls_rsa_pms_set_version (gnutls_session_t session,
1268 unsigned char major, unsigned char minor)
1270 session->internals.rsa_pms_version[0] = major;
1271 session->internals.rsa_pms_version[1] = minor;
1275 * gnutls_handshake_set_post_client_hello_function:
1276 * @session: is a #gnutls_session_t structure.
1277 * @func: is the function to be called
1279 * This function will set a callback to be called after the client
1280 * hello has been received (callback valid in server side only). This
1281 * allows the server to adjust settings based on received extensions.
1283 * Those settings could be ciphersuites, requesting certificate, or
1284 * anything else except for version negotiation (this is done before
1285 * the hello message is parsed).
1287 * This callback must return 0 on success or a gnutls error code to
1288 * terminate the handshake.
1290 * Warning: You should not use this function to terminate the
1291 * handshake based on client input unless you know what you are
1292 * doing. Before the handshake is finished there is no way to know if
1293 * there is a man-in-the-middle attack being performed.
1295 void
1296 gnutls_handshake_set_post_client_hello_function (gnutls_session_t session,
1297 gnutls_handshake_post_client_hello_func
1298 func)
1300 session->internals.user_hello_func = func;
1304 * gnutls_session_enable_compatibility_mode:
1305 * @session: is a #gnutls_session_t structure.
1307 * This function can be used to disable certain (security) features in
1308 * TLS in order to maintain maximum compatibility with buggy
1309 * clients. Because several trade-offs with security are enabled,
1310 * if required they will be reported through the audit subsystem.
1312 * Normally only servers that require maximum compatibility with
1313 * everything out there, need to call this function.
1315 void
1316 gnutls_session_enable_compatibility_mode (gnutls_session_t session)
1318 ENABLE_COMPAT(&session->internals.priorities);
1322 * gnutls_session_channel_binding:
1323 * @session: is a #gnutls_session_t structure.
1324 * @cbtype: an #gnutls_channel_binding_t enumeration type
1325 * @cb: output buffer array with data
1327 * Extract given channel binding data of the @cbtype (e.g.,
1328 * %GNUTLS_CB_TLS_UNIQUE) type.
1330 * Returns: %GNUTLS_E_SUCCESS on success,
1331 * %GNUTLS_E_UNIMPLEMENTED_FEATURE if the @cbtype is unsupported,
1332 * %GNUTLS_E_CHANNEL_BINDING_NOT_AVAILABLE if the data is not
1333 * currently available, or an error code.
1335 * Since: 2.12.0
1338 gnutls_session_channel_binding (gnutls_session_t session,
1339 gnutls_channel_binding_t cbtype,
1340 gnutls_datum_t * cb)
1342 if (cbtype != GNUTLS_CB_TLS_UNIQUE)
1343 return GNUTLS_E_UNIMPLEMENTED_FEATURE;
1345 if (!session->internals.initial_negotiation_completed)
1346 return GNUTLS_E_CHANNEL_BINDING_NOT_AVAILABLE;
1348 cb->size = session->internals.cb_tls_unique_len;
1349 cb->data = gnutls_malloc (cb->size);
1350 if (cb->data == NULL)
1351 return GNUTLS_E_MEMORY_ERROR;
1353 memcpy (cb->data, session->internals.cb_tls_unique, cb->size);
1355 return 0;
1359 * gnutls_ecc_curve_get:
1360 * @session: is a #gnutls_session_t structure.
1362 * Returns the currently used elliptic curve. Only valid
1363 * when using an elliptic curve ciphersuite.
1365 * Returns: the currently used curve, a #gnutls_ecc_curve_t
1366 * type.
1368 * Since: 3.0
1370 gnutls_ecc_curve_t gnutls_ecc_curve_get(gnutls_session_t session)
1372 return _gnutls_session_ecc_curve_get(session);
1375 #undef gnutls_protocol_get_version
1377 * gnutls_protocol_get_version:
1378 * @session: is a #gnutls_session_t structure.
1380 * Get TLS version, a #gnutls_protocol_t value.
1382 * Returns: The version of the currently used protocol.
1384 gnutls_protocol_t
1385 gnutls_protocol_get_version (gnutls_session_t session)
1387 return _gnutls_protocol_get_version(session);
1391 * gnutls_session_get_random:
1392 * @session: is a #gnutls_session_t structure.
1393 * @client: the client part of the random
1394 * @server: the server part of the random
1396 * This function returns pointers to the client and server
1397 * random fields used in the TLS handshake. The pointers are
1398 * not to be modified or deallocated.
1400 * If a client random value has not yet been established, the output
1401 * will be garbage.
1403 * Since: 3.0
1405 void
1406 gnutls_session_get_random (gnutls_session_t session, gnutls_datum_t* client, gnutls_datum_t* server)
1408 if (client)
1410 client->data = session->security_parameters.client_random;
1411 client->size = sizeof(session->security_parameters.client_random);
1414 if (server)
1416 server->data = session->security_parameters.server_random;
1417 server->size = sizeof(session->security_parameters.server_random);