/src/gnutls/lib/handshake.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright (C) 2000-2016 Free Software Foundation, Inc. |
3 | | * Copyright (C) 2015-2018 Red Hat, Inc. |
4 | | * |
5 | | * Author: Nikos Mavrogiannopoulos |
6 | | * |
7 | | * This file is part of GnuTLS. |
8 | | * |
9 | | * The GnuTLS is free software; you can redistribute it and/or |
10 | | * modify it under the terms of the GNU Lesser General Public License |
11 | | * as published by the Free Software Foundation; either version 2.1 of |
12 | | * the License, or (at your option) any later version. |
13 | | * |
14 | | * This library is distributed in the hope that it will be useful, but |
15 | | * WITHOUT ANY WARRANTY; without even the implied warranty of |
16 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
17 | | * Lesser General Public License for more details. |
18 | | * |
19 | | * You should have received a copy of the GNU Lesser General Public License |
20 | | * along with this program. If not, see <https://www.gnu.org/licenses/> |
21 | | * |
22 | | */ |
23 | | |
24 | | /* Functions that relate to the TLS handshake procedure. |
25 | | */ |
26 | | |
27 | | #include "gnutls_int.h" |
28 | | #include "errors.h" |
29 | | #include "dh.h" |
30 | | #include "debug.h" |
31 | | #include "algorithms.h" |
32 | | #include "cipher.h" |
33 | | #include "buffers.h" |
34 | | #include "mbuffers.h" |
35 | | #include "kx.h" |
36 | | #include "handshake.h" |
37 | | #include "num.h" |
38 | | #include "hash_int.h" |
39 | | #include "db.h" |
40 | | #include "hello_ext.h" |
41 | | #include "supplemental.h" |
42 | | #include "auth.h" |
43 | | #include "sslv2_compat.h" |
44 | | #include "auth/cert.h" |
45 | | #include "constate.h" |
46 | | #include "record.h" |
47 | | #include "state.h" |
48 | | #include "ext/pre_shared_key.h" |
49 | | #include "ext/srp.h" |
50 | | #include "ext/session_ticket.h" |
51 | | #include "ext/status_request.h" |
52 | | #include "ext/safe_renegotiation.h" |
53 | | #include "auth/anon.h" /* for gnutls_anon_server_credentials_t */ |
54 | | #include "auth/psk.h" /* for gnutls_psk_server_credentials_t */ |
55 | | #include "random.h" |
56 | | #include "dtls.h" |
57 | | #include "secrets.h" |
58 | | #include "tls13/early_data.h" |
59 | | #include "tls13/session_ticket.h" |
60 | | #include "locks.h" |
61 | | #include "system/ktls.h" |
62 | | |
63 | | static int check_if_null_comp_present(gnutls_session_t session, uint8_t *data, |
64 | | int datalen); |
65 | | static int handshake_client(gnutls_session_t session); |
66 | | static int handshake_server(gnutls_session_t session); |
67 | | |
68 | | static int read_server_hello(gnutls_session_t session, uint8_t *data, |
69 | | int datalen); |
70 | | |
71 | | static int recv_handshake_final(gnutls_session_t session, int init); |
72 | | static int send_handshake_final(gnutls_session_t session, int init); |
73 | | |
74 | | /* Empties but does not free the buffer |
75 | | */ |
76 | | inline static void handshake_hash_buffer_reset(gnutls_session_t session) |
77 | 0 | { |
78 | 0 | _gnutls_buffers_log("BUF[HSK]: Emptied buffer\n"); |
79 | |
|
80 | 0 | session->internals.handshake_hash_buffer_client_hello_len = 0; |
81 | 0 | session->internals.handshake_hash_buffer_client_kx_len = 0; |
82 | 0 | session->internals.handshake_hash_buffer_server_finished_len = 0; |
83 | 0 | session->internals.handshake_hash_buffer_client_finished_len = 0; |
84 | 0 | session->internals.handshake_hash_buffer_prev_len = 0; |
85 | 0 | session->internals.handshake_hash_buffer.length = 0; |
86 | 0 | session->internals.full_client_hello.length = 0; |
87 | 0 | return; |
88 | 0 | } |
89 | | |
90 | | static int handshake_hash_add_recvd(gnutls_session_t session, |
91 | | gnutls_handshake_description_t recv_type, |
92 | | uint8_t *header, uint16_t header_size, |
93 | | uint8_t *dataptr, uint32_t datalen); |
94 | | |
95 | | static int handshake_hash_add_sent(gnutls_session_t session, |
96 | | gnutls_handshake_description_t type, |
97 | | uint8_t *dataptr, uint32_t datalen); |
98 | | |
99 | | static int recv_hello_verify_request(gnutls_session_t session, uint8_t *data, |
100 | | int datalen); |
101 | | |
102 | | /* Clears the handshake hash buffers and handles. |
103 | | */ |
104 | | void _gnutls_handshake_hash_buffers_clear(gnutls_session_t session) |
105 | 0 | { |
106 | 0 | handshake_hash_buffer_reset(session); |
107 | 0 | _gnutls_buffer_clear(&session->internals.handshake_hash_buffer); |
108 | 0 | _gnutls_buffer_clear(&session->internals.full_client_hello); |
109 | 0 | } |
110 | | |
111 | | /* Replace handshake message buffer, with the special synthetic message |
112 | | * needed by TLS1.3 when HRR is sent. */ |
113 | | int _gnutls13_handshake_hash_buffers_synth(gnutls_session_t session, |
114 | | const mac_entry_st *prf, |
115 | | unsigned client) |
116 | 0 | { |
117 | 0 | int ret; |
118 | 0 | uint8_t hdata[4 + MAX_HASH_SIZE]; |
119 | 0 | size_t length; |
120 | |
|
121 | 0 | if (client) |
122 | 0 | length = session->internals.handshake_hash_buffer_prev_len; |
123 | 0 | else |
124 | 0 | length = session->internals.handshake_hash_buffer.length; |
125 | | |
126 | | /* calculate hash */ |
127 | 0 | hdata[0] = 254; |
128 | 0 | _gnutls_write_uint24(prf->output_size, &hdata[1]); |
129 | |
|
130 | 0 | ret = gnutls_hash_fast((gnutls_digest_algorithm_t)prf->id, |
131 | 0 | session->internals.handshake_hash_buffer.data, |
132 | 0 | length, hdata + 4); |
133 | 0 | if (ret < 0) |
134 | 0 | return gnutls_assert_val(ret); |
135 | | |
136 | 0 | handshake_hash_buffer_reset(session); |
137 | |
|
138 | 0 | ret = _gnutls_buffer_append_data( |
139 | 0 | &session->internals.handshake_hash_buffer, hdata, |
140 | 0 | prf->output_size + 4); |
141 | 0 | if (ret < 0) |
142 | 0 | return gnutls_assert_val(ret); |
143 | | |
144 | 0 | _gnutls_buffers_log( |
145 | 0 | "BUF[HSK]: Replaced handshake buffer with synth message (%d bytes)\n", |
146 | 0 | prf->output_size + 4); |
147 | |
|
148 | 0 | return 0; |
149 | 0 | } |
150 | | |
151 | | /* this will copy the required values for resuming to |
152 | | * internals, and to security_parameters. |
153 | | * this will keep as less data to security_parameters. |
154 | | */ |
155 | | static int tls12_resume_copy_required_vals(gnutls_session_t session, |
156 | | unsigned ticket) |
157 | 0 | { |
158 | 0 | int ret; |
159 | | |
160 | | /* get the new random values */ |
161 | 0 | memcpy(session->internals.resumed_security_parameters.server_random, |
162 | 0 | session->security_parameters.server_random, GNUTLS_RANDOM_SIZE); |
163 | 0 | memcpy(session->internals.resumed_security_parameters.client_random, |
164 | 0 | session->security_parameters.client_random, GNUTLS_RANDOM_SIZE); |
165 | | |
166 | | /* keep the ciphersuite and compression |
167 | | * That is because the client must see these in our |
168 | | * hello message. |
169 | | */ |
170 | 0 | ret = _gnutls_set_cipher_suite2( |
171 | 0 | session, session->internals.resumed_security_parameters.cs); |
172 | 0 | if (ret < 0) |
173 | 0 | return gnutls_assert_val(ret); |
174 | | |
175 | | /* or write_compression_algorithm |
176 | | * they are the same |
177 | | */ |
178 | | |
179 | 0 | session->security_parameters.entity = |
180 | 0 | session->internals.resumed_security_parameters.entity; |
181 | |
|
182 | 0 | if (session->internals.resumed_security_parameters.pversion == NULL) |
183 | 0 | return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); |
184 | | |
185 | 0 | if (_gnutls_set_current_version( |
186 | 0 | session, session->internals.resumed_security_parameters |
187 | 0 | .pversion->id) < 0) |
188 | 0 | return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET); |
189 | | |
190 | 0 | session->security_parameters.client_ctype = |
191 | 0 | session->internals.resumed_security_parameters.client_ctype; |
192 | 0 | session->security_parameters.server_ctype = |
193 | 0 | session->internals.resumed_security_parameters.server_ctype; |
194 | |
|
195 | 0 | if (!ticket) { |
196 | 0 | memcpy(session->security_parameters.session_id, |
197 | 0 | session->internals.resumed_security_parameters.session_id, |
198 | 0 | sizeof(session->security_parameters.session_id)); |
199 | 0 | session->security_parameters.session_id_size = |
200 | 0 | session->internals.resumed_security_parameters |
201 | 0 | .session_id_size; |
202 | 0 | } |
203 | |
|
204 | 0 | return 0; |
205 | 0 | } |
206 | | |
207 | | void _gnutls_set_client_random(gnutls_session_t session, uint8_t *rnd) |
208 | 0 | { |
209 | 0 | _gnutls_memory_mark_defined(session->security_parameters.client_random, |
210 | 0 | GNUTLS_RANDOM_SIZE); |
211 | 0 | memcpy(session->security_parameters.client_random, rnd, |
212 | 0 | GNUTLS_RANDOM_SIZE); |
213 | 0 | } |
214 | | |
215 | | static int _gnutls_gen_client_random(gnutls_session_t session) |
216 | 0 | { |
217 | 0 | int ret; |
218 | | |
219 | | /* no random given, we generate. */ |
220 | 0 | if (session->internals.sc_random_set != 0) { |
221 | 0 | _gnutls_memory_mark_defined( |
222 | 0 | session->security_parameters.client_random, |
223 | 0 | GNUTLS_RANDOM_SIZE); |
224 | 0 | memcpy(session->security_parameters.client_random, |
225 | 0 | session->internals.resumed_security_parameters |
226 | 0 | .client_random, |
227 | 0 | GNUTLS_RANDOM_SIZE); |
228 | 0 | } else { |
229 | 0 | _gnutls_memory_mark_defined( |
230 | 0 | session->security_parameters.client_random, |
231 | 0 | GNUTLS_RANDOM_SIZE); |
232 | 0 | ret = gnutls_rnd(GNUTLS_RND_NONCE, |
233 | 0 | session->security_parameters.client_random, |
234 | 0 | GNUTLS_RANDOM_SIZE); |
235 | 0 | if (ret < 0) { |
236 | 0 | _gnutls_memory_mark_undefined( |
237 | 0 | session->security_parameters.client_random, |
238 | 0 | GNUTLS_RANDOM_SIZE); |
239 | 0 | return gnutls_assert_val(ret); |
240 | 0 | } |
241 | 0 | } |
242 | | |
243 | 0 | return 0; |
244 | 0 | } |
245 | | |
246 | | static int _gnutls_set_server_random(gnutls_session_t session, |
247 | | const version_entry_st *vers, uint8_t *rnd) |
248 | 0 | { |
249 | 0 | const version_entry_st *max; |
250 | |
|
251 | 0 | _gnutls_memory_mark_defined(session->security_parameters.server_random, |
252 | 0 | GNUTLS_RANDOM_SIZE); |
253 | 0 | memcpy(session->security_parameters.server_random, rnd, |
254 | 0 | GNUTLS_RANDOM_SIZE); |
255 | | |
256 | | /* check whether the server random value is set according to |
257 | | * to TLS 1.3. p4.1.3 requirements */ |
258 | 0 | if (!IS_DTLS(session) && vers->id <= GNUTLS_TLS1_2 && |
259 | 0 | have_creds_for_tls13(session)) { |
260 | 0 | max = _gnutls_version_max(session); |
261 | 0 | if (max->id <= GNUTLS_TLS1_2) |
262 | 0 | return 0; |
263 | | |
264 | 0 | if (vers->id == GNUTLS_TLS1_2 && |
265 | 0 | memcmp(&session->security_parameters |
266 | 0 | .server_random[GNUTLS_RANDOM_SIZE - 8], |
267 | 0 | "\x44\x4F\x57\x4E\x47\x52\x44\x01", 8) == 0) { |
268 | 0 | _gnutls_audit_log( |
269 | 0 | session, |
270 | 0 | "Detected downgrade to TLS 1.2 from TLS 1.3\n"); |
271 | 0 | return gnutls_assert_val( |
272 | 0 | GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); |
273 | 0 | } else if (vers->id <= GNUTLS_TLS1_1 && |
274 | 0 | memcmp(&session->security_parameters |
275 | 0 | .server_random[GNUTLS_RANDOM_SIZE - |
276 | 0 | 8], |
277 | 0 | "\x44\x4F\x57\x4E\x47\x52\x44\x00", 8) == 0) { |
278 | 0 | _gnutls_audit_log( |
279 | 0 | session, |
280 | 0 | "Detected downgrade to TLS 1.1 or earlier from TLS 1.3\n"); |
281 | 0 | return gnutls_assert_val( |
282 | 0 | GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); |
283 | 0 | } |
284 | 0 | } |
285 | | |
286 | 0 | return 0; |
287 | 0 | } |
288 | | |
289 | | int _gnutls_gen_server_random(gnutls_session_t session, int version) |
290 | 0 | { |
291 | 0 | int ret; |
292 | 0 | const version_entry_st *max; |
293 | |
|
294 | 0 | if (session->internals.sc_random_set != 0) { |
295 | 0 | _gnutls_memory_mark_defined( |
296 | 0 | session->security_parameters.server_random, |
297 | 0 | GNUTLS_RANDOM_SIZE); |
298 | 0 | memcpy(session->security_parameters.server_random, |
299 | 0 | session->internals.resumed_security_parameters |
300 | 0 | .server_random, |
301 | 0 | GNUTLS_RANDOM_SIZE); |
302 | 0 | return 0; |
303 | 0 | } |
304 | | |
305 | 0 | max = _gnutls_version_max(session); |
306 | 0 | if (max == NULL) |
307 | 0 | return gnutls_assert_val(GNUTLS_E_NO_CIPHER_SUITES); |
308 | | |
309 | 0 | _gnutls_memory_mark_defined(session->security_parameters.server_random, |
310 | 0 | GNUTLS_RANDOM_SIZE); |
311 | |
|
312 | 0 | if (!IS_DTLS(session) && max->id >= GNUTLS_TLS1_3 && |
313 | 0 | version <= GNUTLS_TLS1_2) { |
314 | 0 | if (version == GNUTLS_TLS1_2) { |
315 | 0 | memcpy(&session->security_parameters |
316 | 0 | .server_random[GNUTLS_RANDOM_SIZE - 8], |
317 | 0 | "\x44\x4F\x57\x4E\x47\x52\x44\x01", 8); |
318 | 0 | } else { |
319 | 0 | memcpy(&session->security_parameters |
320 | 0 | .server_random[GNUTLS_RANDOM_SIZE - 8], |
321 | 0 | "\x44\x4F\x57\x4E\x47\x52\x44\x00", 8); |
322 | 0 | } |
323 | 0 | ret = gnutls_rnd(GNUTLS_RND_NONCE, |
324 | 0 | session->security_parameters.server_random, |
325 | 0 | GNUTLS_RANDOM_SIZE - 8); |
326 | |
|
327 | 0 | } else { |
328 | 0 | ret = gnutls_rnd(GNUTLS_RND_NONCE, |
329 | 0 | session->security_parameters.server_random, |
330 | 0 | GNUTLS_RANDOM_SIZE); |
331 | 0 | } |
332 | |
|
333 | 0 | if (ret < 0) { |
334 | 0 | gnutls_assert(); |
335 | 0 | _gnutls_memory_mark_undefined( |
336 | 0 | session->security_parameters.server_random, |
337 | 0 | GNUTLS_RANDOM_SIZE); |
338 | 0 | return ret; |
339 | 0 | } |
340 | | |
341 | 0 | return 0; |
342 | 0 | } |
343 | | |
344 | | #ifdef ENABLE_SSL3 |
345 | | /* Calculate The SSL3 Finished message |
346 | | */ |
347 | | #define SSL3_CLIENT_MSG "CLNT" |
348 | | #define SSL3_SERVER_MSG "SRVR" |
349 | | #define SSL_MSG_LEN 4 |
350 | | static int _gnutls_ssl3_finished(gnutls_session_t session, int type, |
351 | | uint8_t *ret, int sending) |
352 | | { |
353 | | digest_hd_st td_md5; |
354 | | digest_hd_st td_sha; |
355 | | const char *mesg; |
356 | | int rc, len; |
357 | | |
358 | | if (sending) |
359 | | len = session->internals.handshake_hash_buffer.length; |
360 | | else |
361 | | len = session->internals.handshake_hash_buffer_prev_len; |
362 | | |
363 | | rc = _gnutls_hash_init(&td_sha, hash_to_entry(GNUTLS_DIG_SHA1)); |
364 | | if (rc < 0) |
365 | | return gnutls_assert_val(rc); |
366 | | |
367 | | rc = _gnutls_hash_init(&td_md5, hash_to_entry(GNUTLS_DIG_MD5)); |
368 | | if (rc < 0) { |
369 | | _gnutls_hash_deinit(&td_sha, NULL); |
370 | | return gnutls_assert_val(rc); |
371 | | } |
372 | | |
373 | | _gnutls_hash(&td_sha, session->internals.handshake_hash_buffer.data, |
374 | | len); |
375 | | _gnutls_hash(&td_md5, session->internals.handshake_hash_buffer.data, |
376 | | len); |
377 | | |
378 | | if (type == GNUTLS_SERVER) |
379 | | mesg = SSL3_SERVER_MSG; |
380 | | else |
381 | | mesg = SSL3_CLIENT_MSG; |
382 | | |
383 | | _gnutls_hash(&td_md5, mesg, SSL_MSG_LEN); |
384 | | _gnutls_hash(&td_sha, mesg, SSL_MSG_LEN); |
385 | | |
386 | | rc = _gnutls_mac_deinit_ssl3_handshake( |
387 | | &td_md5, ret, session->security_parameters.master_secret, |
388 | | GNUTLS_MASTER_SIZE); |
389 | | if (rc < 0) { |
390 | | _gnutls_hash_deinit(&td_md5, NULL); |
391 | | _gnutls_hash_deinit(&td_sha, NULL); |
392 | | return gnutls_assert_val(rc); |
393 | | } |
394 | | |
395 | | rc = _gnutls_mac_deinit_ssl3_handshake( |
396 | | &td_sha, &ret[16], session->security_parameters.master_secret, |
397 | | GNUTLS_MASTER_SIZE); |
398 | | if (rc < 0) { |
399 | | _gnutls_hash_deinit(&td_sha, NULL); |
400 | | return gnutls_assert_val(rc); |
401 | | } |
402 | | |
403 | | return 0; |
404 | | } |
405 | | #endif |
406 | | |
407 | | /* Hash the handshake messages as required by TLS 1.0 |
408 | | */ |
409 | 0 | #define SERVER_MSG "server finished" |
410 | 0 | #define CLIENT_MSG "client finished" |
411 | 0 | #define TLS_MSG_LEN 15 |
412 | | static int _gnutls_finished(gnutls_session_t session, int type, void *ret, |
413 | | int sending) |
414 | 0 | { |
415 | 0 | const int siz = TLS_MSG_LEN; |
416 | 0 | uint8_t concat[MAX_HASH_SIZE]; |
417 | 0 | size_t hash_len; |
418 | 0 | const char *mesg; |
419 | 0 | int rc, len, algorithm; |
420 | |
|
421 | 0 | if (sending) |
422 | 0 | len = session->internals.handshake_hash_buffer.length; |
423 | 0 | else |
424 | 0 | len = session->internals.handshake_hash_buffer_prev_len; |
425 | |
|
426 | 0 | algorithm = session->security_parameters.prf->id; |
427 | 0 | rc = _gnutls_hash_fast(algorithm, |
428 | 0 | session->internals.handshake_hash_buffer.data, |
429 | 0 | len, concat); |
430 | 0 | if (rc < 0) |
431 | 0 | return gnutls_assert_val(rc); |
432 | | |
433 | 0 | hash_len = session->security_parameters.prf->output_size; |
434 | |
|
435 | 0 | if (type == GNUTLS_SERVER) { |
436 | 0 | mesg = SERVER_MSG; |
437 | 0 | } else { |
438 | 0 | mesg = CLIENT_MSG; |
439 | 0 | } |
440 | |
|
441 | 0 | _gnutls_memory_mark_defined(session->security_parameters.master_secret, |
442 | 0 | GNUTLS_MASTER_SIZE); |
443 | 0 | rc = _gnutls_PRF(session, session->security_parameters.master_secret, |
444 | 0 | GNUTLS_MASTER_SIZE, mesg, siz, concat, hash_len, 12, |
445 | 0 | ret); |
446 | 0 | if (rc < 0) { |
447 | 0 | _gnutls_memory_mark_undefined( |
448 | 0 | session->security_parameters.master_secret, |
449 | 0 | GNUTLS_MASTER_SIZE); |
450 | 0 | } |
451 | 0 | return rc; |
452 | 0 | } |
453 | | |
454 | | /* returns the 0 on success or a negative error code. |
455 | | */ |
456 | | int _gnutls_negotiate_version(gnutls_session_t session, uint8_t major, |
457 | | uint8_t minor, unsigned allow_tls13) |
458 | 0 | { |
459 | 0 | const version_entry_st *vers; |
460 | 0 | const version_entry_st *aversion = nversion_to_entry(major, minor); |
461 | | |
462 | | /* if we do not support that version, unless that version is TLS 1.2; |
463 | | * TLS 1.2 is handled separately because it is always advertised under TLS 1.3 or later */ |
464 | 0 | if (aversion == NULL || |
465 | 0 | _gnutls_nversion_is_supported(session, major, minor) == 0) { |
466 | 0 | if (aversion && aversion->id == GNUTLS_TLS1_2) { |
467 | 0 | vers = _gnutls_version_max(session); |
468 | 0 | if (unlikely(vers == NULL)) |
469 | 0 | return gnutls_assert_val( |
470 | 0 | GNUTLS_E_NO_CIPHER_SUITES); |
471 | | |
472 | 0 | if (vers->id >= GNUTLS_TLS1_2) { |
473 | 0 | session->security_parameters.pversion = |
474 | 0 | aversion; |
475 | 0 | return 0; |
476 | 0 | } |
477 | 0 | } |
478 | | |
479 | | /* if we get an unknown/unsupported version, then fail if the version we |
480 | | * got is too low to be supported */ |
481 | 0 | if (!_gnutls_version_is_too_high(session, major, minor)) |
482 | 0 | return gnutls_assert_val( |
483 | 0 | GNUTLS_E_UNSUPPORTED_VERSION_PACKET); |
484 | | |
485 | | /* If he requested something we do not support |
486 | | * then we send him the highest we support. |
487 | | */ |
488 | 0 | vers = _gnutls_legacy_version_max(session); |
489 | 0 | if (vers == NULL) { |
490 | | /* this check is not really needed. |
491 | | */ |
492 | 0 | gnutls_assert(); |
493 | 0 | return GNUTLS_E_UNKNOWN_CIPHER_SUITE; |
494 | 0 | } |
495 | | |
496 | 0 | session->security_parameters.pversion = vers; |
497 | |
|
498 | 0 | return 0; |
499 | 0 | } else { |
500 | 0 | session->security_parameters.pversion = aversion; |
501 | | |
502 | | /* we do not allow TLS1.3 negotiation using this mechanism */ |
503 | 0 | if (aversion->tls13_sem && !allow_tls13) { |
504 | 0 | vers = _gnutls_legacy_version_max(session); |
505 | 0 | session->security_parameters.pversion = vers; |
506 | 0 | } |
507 | |
|
508 | 0 | return 0; |
509 | 0 | } |
510 | 0 | } |
511 | | |
512 | | /* This function returns: |
513 | | * - zero on success |
514 | | * - GNUTLS_E_INT_RET_0 if GNUTLS_E_AGAIN || GNUTLS_E_INTERRUPTED were returned by the callback |
515 | | * - a negative error code on other error |
516 | | */ |
517 | | int _gnutls_user_hello_func(gnutls_session_t session, uint8_t major, |
518 | | uint8_t minor) |
519 | 0 | { |
520 | 0 | int ret, sret = 0; |
521 | 0 | const version_entry_st *vers, *old_vers; |
522 | 0 | const version_entry_st *new_max; |
523 | |
|
524 | 0 | if (session->internals.user_hello_func != NULL) { |
525 | 0 | ret = session->internals.user_hello_func(session); |
526 | |
|
527 | 0 | if (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED) { |
528 | 0 | gnutls_assert(); |
529 | 0 | sret = GNUTLS_E_INT_RET_0; |
530 | 0 | } else if (ret < 0) { |
531 | 0 | gnutls_assert(); |
532 | 0 | return ret; |
533 | 0 | } |
534 | | |
535 | | /* This callback is often used to switch the priority string of the |
536 | | * server, and that includes switching version which we have already |
537 | | * negotiated; note that this doesn't apply when resuming as the version |
538 | | * negotiation is already complete. */ |
539 | 0 | if (!session->internals.resumed) { |
540 | 0 | new_max = _gnutls_version_max(session); |
541 | 0 | old_vers = get_version(session); |
542 | |
|
543 | 0 | if (!old_vers->tls13_sem || |
544 | 0 | (new_max && !new_max->tls13_sem)) { |
545 | | #if GNUTLS_TLS_VERSION_MAX != GNUTLS_TLS1_3 |
546 | | #error "Need to update the following logic" |
547 | | #endif |
548 | | /* Here we need to renegotiate the version since the callee might |
549 | | * have disabled some TLS versions. This logic does not cope for |
550 | | * protocols later than TLS1.3 if they have the tls13_sem set */ |
551 | 0 | ret = _gnutls_negotiate_version(session, major, |
552 | 0 | minor, 0); |
553 | 0 | if (ret < 0) |
554 | 0 | return gnutls_assert_val(ret); |
555 | | |
556 | 0 | vers = get_version(session); |
557 | 0 | if (old_vers != vers) { |
558 | | /* at this point we need to regenerate the random value to |
559 | | * avoid the peer detecting this session as a rollback |
560 | | * attempt. */ |
561 | 0 | ret = _gnutls_gen_server_random( |
562 | 0 | session, vers->id); |
563 | 0 | if (ret < 0) |
564 | 0 | return gnutls_assert_val(ret); |
565 | 0 | } |
566 | 0 | } |
567 | 0 | } |
568 | 0 | } |
569 | 0 | return sret; |
570 | 0 | } |
571 | | |
572 | | /* Associates the right credential types for the session, and |
573 | | * performs sanity checks. */ |
574 | | static int set_auth_types(gnutls_session_t session) |
575 | 0 | { |
576 | 0 | const version_entry_st *ver = get_version(session); |
577 | 0 | gnutls_kx_algorithm_t kx; |
578 | | |
579 | | /* sanity check: |
580 | | * we see TLS1.3 negotiated but no key share was sent */ |
581 | 0 | if (ver->tls13_sem) { |
582 | 0 | if (unlikely(!(session->internals.hsk_flags & |
583 | 0 | HSK_PSK_KE_MODE_PSK) && |
584 | 0 | !(session->internals.hsk_flags & |
585 | 0 | HSK_KEY_SHARE_RECEIVED))) { |
586 | 0 | return gnutls_assert_val(GNUTLS_E_MISSING_EXTENSION); |
587 | 0 | } |
588 | | |
589 | | /* Under TLS1.3 this returns a KX which matches the negotiated |
590 | | * groups from the key shares; if we are resuming then the KX seen |
591 | | * here doesn't match the original session. */ |
592 | 0 | if (!session->internals.resumed) |
593 | 0 | kx = gnutls_kx_get(session); |
594 | 0 | else |
595 | 0 | kx = GNUTLS_KX_UNKNOWN; |
596 | 0 | } else { |
597 | | /* TLS1.2 or earlier, kx is associated with ciphersuite */ |
598 | 0 | kx = session->security_parameters.cs->kx_algorithm; |
599 | 0 | } |
600 | | |
601 | 0 | if (kx != GNUTLS_KX_UNKNOWN) { |
602 | 0 | session->security_parameters.server_auth_type = |
603 | 0 | _gnutls_map_kx_get_cred(kx, 1); |
604 | 0 | session->security_parameters.client_auth_type = |
605 | 0 | _gnutls_map_kx_get_cred(kx, 0); |
606 | 0 | } else if (unlikely(!session->internals.resumed)) { |
607 | | /* Here we can only arrive if something we received |
608 | | * prevented the session from completing. */ |
609 | 0 | return gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER); |
610 | 0 | } |
611 | | |
612 | 0 | return 0; |
613 | 0 | } |
614 | | |
615 | | /* Read a client hello packet. |
616 | | * A client hello must be a known version client hello |
617 | | * or version 2.0 client hello (only for compatibility |
618 | | * since SSL version 2.0 is not supported). |
619 | | */ |
620 | | static int read_client_hello(gnutls_session_t session, uint8_t *data, |
621 | | int datalen) |
622 | 0 | { |
623 | 0 | uint8_t session_id_len; |
624 | 0 | int pos = 0, ret; |
625 | 0 | uint16_t suite_size, comp_size; |
626 | 0 | int ext_size; |
627 | 0 | int neg_version, sret = 0; |
628 | 0 | int len = datalen; |
629 | 0 | uint8_t major, minor; |
630 | 0 | uint8_t *suite_ptr, *comp_ptr, *session_id, *ext_ptr; |
631 | 0 | const version_entry_st *vers; |
632 | |
|
633 | 0 | DECR_LEN(len, 2); |
634 | 0 | _gnutls_handshake_log("HSK[%p]: Client's version: %d.%d\n", session, |
635 | 0 | data[pos], data[pos + 1]); |
636 | |
|
637 | 0 | major = data[pos]; |
638 | 0 | minor = data[pos + 1]; |
639 | |
|
640 | 0 | set_adv_version(session, major, minor); |
641 | |
|
642 | 0 | ret = _gnutls_negotiate_version(session, major, minor, 0); |
643 | 0 | if (ret < 0) |
644 | 0 | return gnutls_assert_val(ret); |
645 | | |
646 | 0 | vers = get_version(session); |
647 | 0 | if (vers == NULL) |
648 | 0 | return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET); |
649 | | |
650 | 0 | neg_version = vers->id; |
651 | |
|
652 | 0 | pos += 2; |
653 | | |
654 | | /* Read client random value. |
655 | | */ |
656 | 0 | DECR_LEN(len, GNUTLS_RANDOM_SIZE); |
657 | 0 | _gnutls_set_client_random(session, &data[pos]); |
658 | |
|
659 | 0 | pos += GNUTLS_RANDOM_SIZE; |
660 | |
|
661 | 0 | ret = _gnutls_gen_server_random(session, neg_version); |
662 | 0 | if (ret < 0) |
663 | 0 | return gnutls_assert_val(ret); |
664 | | |
665 | 0 | session->security_parameters.timestamp = gnutls_time(NULL); |
666 | |
|
667 | 0 | DECR_LEN(len, 1); |
668 | 0 | session_id_len = data[pos++]; |
669 | | |
670 | | /* RESUME SESSION |
671 | | */ |
672 | 0 | if (session_id_len > GNUTLS_MAX_SESSION_ID_SIZE) { |
673 | 0 | gnutls_assert(); |
674 | 0 | return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; |
675 | 0 | } |
676 | 0 | DECR_LEN(len, session_id_len); |
677 | 0 | session_id = &data[pos]; |
678 | 0 | pos += session_id_len; |
679 | |
|
680 | 0 | if (IS_DTLS(session)) { |
681 | 0 | int cookie_size; |
682 | |
|
683 | 0 | DECR_LEN(len, 1); |
684 | 0 | cookie_size = data[pos++]; |
685 | 0 | DECR_LEN(len, cookie_size); |
686 | 0 | pos += cookie_size; |
687 | 0 | } |
688 | | |
689 | | /* move forward to extensions and store other vals */ |
690 | 0 | DECR_LEN(len, 2); |
691 | 0 | suite_size = _gnutls_read_uint16(&data[pos]); |
692 | 0 | pos += 2; |
693 | |
|
694 | 0 | if (suite_size == 0 || (suite_size % 2) != 0) |
695 | 0 | return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); |
696 | | |
697 | 0 | suite_ptr = &data[pos]; |
698 | 0 | DECR_LEN(len, suite_size); |
699 | 0 | pos += suite_size; |
700 | |
|
701 | 0 | DECR_LEN(len, 1); |
702 | 0 | comp_size = data[pos++]; /* the number of compression methods */ |
703 | |
|
704 | 0 | if (comp_size == 0) |
705 | 0 | return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); |
706 | | |
707 | 0 | comp_ptr = &data[pos]; |
708 | 0 | DECR_LEN(len, comp_size); |
709 | 0 | pos += comp_size; |
710 | |
|
711 | 0 | ext_ptr = &data[pos]; |
712 | 0 | ext_size = len; |
713 | | |
714 | | /* Parse only the mandatory to read extensions for resumption |
715 | | * and version negotiation. We don't want to parse any other |
716 | | * extensions since we don't want new extension values to override |
717 | | * the resumed ones. */ |
718 | 0 | ret = _gnutls_parse_hello_extensions(session, |
719 | 0 | GNUTLS_EXT_FLAG_CLIENT_HELLO, |
720 | 0 | GNUTLS_EXT_VERSION_NEG, ext_ptr, |
721 | 0 | ext_size); |
722 | 0 | if (ret < 0) |
723 | 0 | return gnutls_assert_val(ret); |
724 | | |
725 | 0 | ret = _gnutls_parse_hello_extensions(session, |
726 | 0 | GNUTLS_EXT_FLAG_CLIENT_HELLO, |
727 | 0 | GNUTLS_EXT_MANDATORY, ext_ptr, |
728 | 0 | ext_size); |
729 | 0 | if (ret < 0) |
730 | 0 | return gnutls_assert_val(ret); |
731 | | |
732 | 0 | vers = get_version(session); |
733 | 0 | if (unlikely(vers == NULL)) |
734 | 0 | return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET); |
735 | | |
736 | 0 | if (!vers->tls13_sem) { |
737 | 0 | ret = _gnutls_server_restore_session(session, session_id, |
738 | 0 | session_id_len); |
739 | |
|
740 | 0 | if (session_id_len > 0) |
741 | 0 | session->internals.resumption_requested = 1; |
742 | |
|
743 | 0 | if (ret == 0) { /* resumed using default TLS resumption! */ |
744 | 0 | ret = _gnutls_server_select_suite(session, suite_ptr, |
745 | 0 | suite_size, 1); |
746 | 0 | if (ret < 0) |
747 | 0 | return gnutls_assert_val(ret); |
748 | | |
749 | 0 | ret = tls12_resume_copy_required_vals(session, 0); |
750 | 0 | if (ret < 0) |
751 | 0 | return gnutls_assert_val(ret); |
752 | | |
753 | 0 | session->internals.resumed = true; |
754 | |
|
755 | 0 | return _gnutls_user_hello_func(session, major, minor); |
756 | 0 | } else { |
757 | 0 | ret = _gnutls_generate_session_id( |
758 | 0 | session->security_parameters.session_id, |
759 | 0 | &session->security_parameters.session_id_size); |
760 | 0 | if (ret < 0) |
761 | 0 | return gnutls_assert_val(ret); |
762 | | |
763 | 0 | session->internals.resumed = false; |
764 | 0 | } |
765 | 0 | } else { /* TLS1.3 */ |
766 | | /* we echo client's session ID - length was checked previously */ |
767 | 0 | assert(session_id_len <= GNUTLS_MAX_SESSION_ID_SIZE); |
768 | 0 | if (session_id_len > 0) |
769 | 0 | memcpy(session->security_parameters.session_id, |
770 | 0 | session_id, session_id_len); |
771 | 0 | session->security_parameters.session_id_size = session_id_len; |
772 | 0 | } |
773 | | |
774 | | /* Parse the extensions (if any) |
775 | | * |
776 | | * Unconditionally try to parse extensions; safe renegotiation uses them in |
777 | | * sslv3 and higher, even though sslv3 doesn't officially support them. |
778 | | */ |
779 | 0 | ret = _gnutls_parse_hello_extensions(session, |
780 | 0 | GNUTLS_EXT_FLAG_CLIENT_HELLO, |
781 | 0 | GNUTLS_EXT_APPLICATION, ext_ptr, |
782 | 0 | ext_size); |
783 | | /* len is the rest of the parsed length */ |
784 | 0 | if (ret < 0) { |
785 | 0 | gnutls_assert(); |
786 | 0 | return ret; |
787 | 0 | } |
788 | | |
789 | | /* we cache this error code */ |
790 | 0 | sret = _gnutls_user_hello_func(session, major, minor); |
791 | 0 | if (sret < 0 && sret != GNUTLS_E_INT_RET_0) { |
792 | 0 | gnutls_assert(); |
793 | 0 | return sret; |
794 | 0 | } |
795 | | |
796 | | /* Session tickets are parsed in this point */ |
797 | 0 | ret = _gnutls_parse_hello_extensions(session, |
798 | 0 | GNUTLS_EXT_FLAG_CLIENT_HELLO, |
799 | 0 | GNUTLS_EXT_TLS, ext_ptr, ext_size); |
800 | 0 | if (ret < 0) { |
801 | 0 | gnutls_assert(); |
802 | 0 | return ret; |
803 | 0 | } |
804 | | |
805 | 0 | if (session->internals.hsk_flags & HSK_EARLY_DATA_ACCEPTED) { |
806 | 0 | const cipher_entry_st *ce; |
807 | 0 | const mac_entry_st *me; |
808 | 0 | record_parameters_st *params; |
809 | |
|
810 | 0 | ce = cipher_to_entry( |
811 | 0 | session->internals.resumed_security_parameters.cs |
812 | 0 | ->block_algorithm); |
813 | 0 | me = mac_to_entry(session->internals.resumed_security_parameters |
814 | 0 | .cs->mac_algorithm); |
815 | |
|
816 | 0 | ret = _gnutls_epoch_get(session, EPOCH_NEXT, ¶ms); |
817 | 0 | if (ret < 0) { |
818 | 0 | return gnutls_assert_val(ret); |
819 | 0 | } |
820 | | |
821 | 0 | params->cipher = ce; |
822 | 0 | params->mac = me; |
823 | |
|
824 | 0 | ret = _tls13_read_connection_state_init(session, STAGE_EARLY); |
825 | 0 | if (ret < 0) { |
826 | 0 | return gnutls_assert_val(ret); |
827 | 0 | } |
828 | | |
829 | 0 | _gnutls_epoch_bump(session); |
830 | 0 | ret = _gnutls_epoch_dup(session, EPOCH_READ_CURRENT); |
831 | 0 | if (ret < 0) { |
832 | 0 | return gnutls_assert_val(ret); |
833 | 0 | } |
834 | 0 | } |
835 | | |
836 | | /* resumed by session_ticket extension */ |
837 | 0 | if (!vers->tls13_sem && session->internals.resumed) { |
838 | 0 | session->internals.resumed_security_parameters |
839 | 0 | .max_record_recv_size = |
840 | 0 | session->security_parameters.max_record_recv_size; |
841 | 0 | session->internals.resumed_security_parameters |
842 | 0 | .max_record_send_size = |
843 | 0 | session->security_parameters.max_record_send_size; |
844 | |
|
845 | 0 | ret = _gnutls_server_select_suite(session, suite_ptr, |
846 | 0 | suite_size, 1); |
847 | 0 | if (ret < 0) |
848 | 0 | return gnutls_assert_val(ret); |
849 | | |
850 | 0 | ret = tls12_resume_copy_required_vals(session, 1); |
851 | 0 | if (ret < 0) |
852 | 0 | return gnutls_assert_val(ret); |
853 | | |
854 | | /* to indicate to the client that the current session is resumed */ |
855 | 0 | memcpy(session->security_parameters.session_id, session_id, |
856 | 0 | session_id_len); |
857 | 0 | session->security_parameters.session_id_size = session_id_len; |
858 | |
|
859 | 0 | return 0; |
860 | 0 | } |
861 | | |
862 | | /* select an appropriate cipher suite (as well as certificate) |
863 | | */ |
864 | 0 | ret = _gnutls_server_select_suite(session, suite_ptr, suite_size, 0); |
865 | 0 | if (ret < 0) { |
866 | 0 | gnutls_assert(); |
867 | 0 | return ret; |
868 | 0 | } |
869 | | |
870 | | /* Only at this point we know the version we are actually going to use |
871 | | * ("supported_versions" extension is parsed, user_hello_func is called, |
872 | | * legacy version negotiation is done). */ |
873 | 0 | vers = get_version(session); |
874 | 0 | if (unlikely(vers == NULL)) |
875 | 0 | return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET); |
876 | | |
877 | 0 | if (_gnutls_version_priority(session, vers->id) < 0) |
878 | 0 | return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET); |
879 | | |
880 | | /* check if EMS is required */ |
881 | 0 | if (!vers->tls13_sem && vers->id != GNUTLS_SSL3 && |
882 | 0 | vers->id != GNUTLS_DTLS0_9 && |
883 | 0 | session->internals.priorities->force_ext_master_secret == |
884 | 0 | EMS_REQUIRE && |
885 | 0 | !session->security_parameters.ext_master_secret) { |
886 | 0 | return gnutls_assert_val(GNUTLS_E_INSUFFICIENT_SECURITY); |
887 | 0 | } |
888 | | |
889 | 0 | _gnutls_handshake_log("HSK[%p]: Selected version %s\n", session, |
890 | 0 | vers->name); |
891 | | |
892 | | /* select appropriate compression method */ |
893 | 0 | ret = check_if_null_comp_present(session, comp_ptr, comp_size); |
894 | 0 | if (ret < 0) { |
895 | 0 | gnutls_assert(); |
896 | 0 | return ret; |
897 | 0 | } |
898 | | |
899 | | /* call extensions that are intended to be parsed after the ciphersuite/cert |
900 | | * are known. */ |
901 | 0 | ret = _gnutls_parse_hello_extensions(session, |
902 | 0 | GNUTLS_EXT_FLAG_CLIENT_HELLO, |
903 | 0 | _GNUTLS_EXT_TLS_POST_CS, ext_ptr, |
904 | 0 | ext_size); |
905 | 0 | if (ret < 0) { |
906 | 0 | gnutls_assert(); |
907 | 0 | return ret; |
908 | 0 | } |
909 | | |
910 | | /* Calculate TLS 1.3 Early Secret */ |
911 | 0 | if (session->security_parameters.pversion->tls13_sem && |
912 | 0 | !(session->internals.hsk_flags & HSK_PSK_SELECTED)) { |
913 | 0 | ret = _tls13_init_secret(session, NULL, 0); |
914 | 0 | if (ret < 0) |
915 | 0 | return gnutls_assert_val(ret); |
916 | 0 | } |
917 | | |
918 | 0 | ret = set_auth_types(session); |
919 | 0 | if (ret < 0) { |
920 | 0 | gnutls_assert(); |
921 | 0 | return ret; |
922 | 0 | } |
923 | | |
924 | 0 | return sret; |
925 | 0 | } |
926 | | |
927 | | /* This is to be called after sending CHANGE CIPHER SPEC packet |
928 | | * and initializing encryption. This is the first encrypted message |
929 | | * we send. |
930 | | */ |
931 | | int _gnutls_send_finished(gnutls_session_t session, int again) |
932 | 0 | { |
933 | 0 | mbuffer_st *bufel; |
934 | 0 | uint8_t *data; |
935 | 0 | int ret; |
936 | 0 | size_t vdata_size = 0; |
937 | 0 | const version_entry_st *vers; |
938 | |
|
939 | 0 | if (again == 0) { |
940 | 0 | bufel = _gnutls_handshake_alloc(session, MAX_VERIFY_DATA_SIZE); |
941 | 0 | if (bufel == NULL) { |
942 | 0 | gnutls_assert(); |
943 | 0 | return GNUTLS_E_MEMORY_ERROR; |
944 | 0 | } |
945 | 0 | data = _mbuffer_get_udata_ptr(bufel); |
946 | |
|
947 | 0 | vers = get_version(session); |
948 | 0 | if (unlikely(vers == NULL)) |
949 | 0 | return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); |
950 | | |
951 | | #ifdef ENABLE_SSL3 |
952 | | if (vers->id == GNUTLS_SSL3) { |
953 | | ret = _gnutls_ssl3_finished( |
954 | | session, session->security_parameters.entity, |
955 | | data, 1); |
956 | | _mbuffer_set_udata_size(bufel, 36); |
957 | | } else { /* TLS 1.0+ */ |
958 | | #endif |
959 | 0 | ret = _gnutls_finished( |
960 | 0 | session, session->security_parameters.entity, |
961 | 0 | data, 1); |
962 | 0 | _mbuffer_set_udata_size(bufel, 12); |
963 | | #ifdef ENABLE_SSL3 |
964 | | } |
965 | | #endif |
966 | |
|
967 | 0 | if (ret < 0) { |
968 | 0 | gnutls_assert(); |
969 | 0 | return ret; |
970 | 0 | } |
971 | | |
972 | 0 | vdata_size = _mbuffer_get_udata_size(bufel); |
973 | |
|
974 | 0 | ret = _gnutls_ext_sr_finished(session, data, vdata_size, 0); |
975 | 0 | if (ret < 0) { |
976 | 0 | gnutls_assert(); |
977 | 0 | return ret; |
978 | 0 | } |
979 | | |
980 | 0 | if ((!session->internals.resumed && |
981 | 0 | session->security_parameters.entity == GNUTLS_CLIENT) || |
982 | 0 | (session->internals.resumed && |
983 | 0 | session->security_parameters.entity == GNUTLS_SERVER)) { |
984 | | /* if we are a client not resuming - or we are a server resuming */ |
985 | 0 | _gnutls_handshake_log( |
986 | 0 | "HSK[%p]: recording tls-unique CB (send)\n", |
987 | 0 | session); |
988 | 0 | memcpy(session->internals.cb_tls_unique, data, |
989 | 0 | vdata_size); |
990 | 0 | session->internals.cb_tls_unique_len = vdata_size; |
991 | 0 | } |
992 | |
|
993 | 0 | ret = _gnutls_send_handshake(session, bufel, |
994 | 0 | GNUTLS_HANDSHAKE_FINISHED); |
995 | 0 | } else { |
996 | 0 | ret = _gnutls_send_handshake(session, NULL, |
997 | 0 | GNUTLS_HANDSHAKE_FINISHED); |
998 | 0 | } |
999 | | |
1000 | 0 | return ret; |
1001 | 0 | } |
1002 | | |
1003 | | /* This is to be called after sending our finished message. If everything |
1004 | | * went fine we have negotiated a secure connection |
1005 | | */ |
1006 | | int _gnutls_recv_finished(gnutls_session_t session) |
1007 | 0 | { |
1008 | 0 | uint8_t data[MAX_VERIFY_DATA_SIZE], *vrfy; |
1009 | 0 | gnutls_buffer_st buf; |
1010 | 0 | int data_size; |
1011 | 0 | int ret; |
1012 | 0 | int vrfy_size; |
1013 | 0 | const version_entry_st *vers = get_version(session); |
1014 | |
|
1015 | 0 | if (unlikely(vers == NULL)) |
1016 | 0 | return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); |
1017 | | |
1018 | 0 | ret = _gnutls_recv_handshake(session, GNUTLS_HANDSHAKE_FINISHED, 0, |
1019 | 0 | &buf); |
1020 | 0 | if (ret < 0) { |
1021 | 0 | gnutls_assert(); |
1022 | 0 | return ret; |
1023 | 0 | } |
1024 | | |
1025 | 0 | vrfy = buf.data; |
1026 | 0 | vrfy_size = buf.length; |
1027 | |
|
1028 | | #ifdef ENABLE_SSL3 |
1029 | | if (vers->id == GNUTLS_SSL3) |
1030 | | data_size = 36; |
1031 | | else |
1032 | | #endif |
1033 | 0 | data_size = 12; |
1034 | |
|
1035 | 0 | if (vrfy_size != data_size) { |
1036 | 0 | gnutls_assert(); |
1037 | 0 | ret = GNUTLS_E_ERROR_IN_FINISHED_PACKET; |
1038 | 0 | goto cleanup; |
1039 | 0 | } |
1040 | | |
1041 | | #ifdef ENABLE_SSL3 |
1042 | | if (vers->id == GNUTLS_SSL3) { |
1043 | | ret = _gnutls_ssl3_finished( |
1044 | | session, (session->security_parameters.entity + 1) % 2, |
1045 | | data, 0); |
1046 | | } else /* TLS 1.0+ */ |
1047 | | #endif |
1048 | 0 | ret = _gnutls_finished( |
1049 | 0 | session, (session->security_parameters.entity + 1) % 2, |
1050 | 0 | data, 0); |
1051 | |
|
1052 | 0 | if (ret < 0) { |
1053 | 0 | gnutls_assert(); |
1054 | 0 | goto cleanup; |
1055 | 0 | } |
1056 | | |
1057 | | #if defined(FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION) |
1058 | | /* When fuzzying allow to proceed without verifying the handshake |
1059 | | * consistency */ |
1060 | | (void)vrfy; |
1061 | | #warning This is unsafe for production builds |
1062 | | |
1063 | | #else |
1064 | 0 | if (memcmp(vrfy, data, data_size) != 0) { |
1065 | 0 | gnutls_assert(); |
1066 | 0 | ret = GNUTLS_E_ERROR_IN_FINISHED_PACKET; |
1067 | 0 | goto cleanup; |
1068 | 0 | } |
1069 | 0 | #endif |
1070 | | |
1071 | 0 | ret = _gnutls_ext_sr_finished(session, data, data_size, 1); |
1072 | 0 | if (ret < 0) { |
1073 | 0 | gnutls_assert(); |
1074 | 0 | goto cleanup; |
1075 | 0 | } |
1076 | | |
1077 | 0 | if ((session->internals.resumed && |
1078 | 0 | session->security_parameters.entity == GNUTLS_CLIENT) || |
1079 | 0 | (!session->internals.resumed && |
1080 | 0 | session->security_parameters.entity == GNUTLS_SERVER)) { |
1081 | | /* if we are a client resuming - or we are a server not resuming */ |
1082 | 0 | _gnutls_handshake_log( |
1083 | 0 | "HSK[%p]: recording tls-unique CB (recv)\n", session); |
1084 | 0 | memcpy(session->internals.cb_tls_unique, data, data_size); |
1085 | 0 | session->internals.cb_tls_unique_len = data_size; |
1086 | 0 | } |
1087 | |
|
1088 | 0 | cleanup: |
1089 | 0 | _gnutls_buffer_clear(&buf); |
1090 | |
|
1091 | 0 | return ret; |
1092 | 0 | } |
1093 | | |
1094 | | /* This selects the best supported ciphersuite from the given ones. Then |
1095 | | * it adds the suite to the session and performs some checks. |
1096 | | * |
1097 | | * When @scsv_only is non-zero only the available SCSVs are parsed |
1098 | | * and acted upon. |
1099 | | */ |
1100 | | int _gnutls_server_select_suite(gnutls_session_t session, uint8_t *data, |
1101 | | unsigned int datalen, unsigned scsv_only) |
1102 | 0 | { |
1103 | 0 | int ret; |
1104 | 0 | unsigned int i; |
1105 | 0 | ciphersuite_list_st peer_clist; |
1106 | 0 | const gnutls_cipher_suite_entry_st *selected; |
1107 | 0 | gnutls_kx_algorithm_t kx; |
1108 | 0 | int retval; |
1109 | 0 | const version_entry_st *vers = get_version(session); |
1110 | |
|
1111 | 0 | peer_clist.size = 0; |
1112 | |
|
1113 | 0 | for (i = 0; i < datalen; i += 2) { |
1114 | | /* we support the TLS renegotiation SCSV, even if we are |
1115 | | * not under SSL 3.0, because openssl sends this SCSV |
1116 | | * on resumption unconditionally. */ |
1117 | | /* TLS_RENEGO_PROTECTION_REQUEST = { 0x00, 0xff } */ |
1118 | 0 | if (session->internals.priorities->sr != SR_DISABLED && |
1119 | 0 | data[i] == GNUTLS_RENEGO_PROTECTION_REQUEST_MAJOR && |
1120 | 0 | data[i + 1] == GNUTLS_RENEGO_PROTECTION_REQUEST_MINOR) { |
1121 | 0 | _gnutls_handshake_log( |
1122 | 0 | "HSK[%p]: Received safe renegotiation CS\n", |
1123 | 0 | session); |
1124 | 0 | retval = _gnutls_ext_sr_recv_cs(session); |
1125 | 0 | if (retval < 0) { |
1126 | 0 | gnutls_assert(); |
1127 | 0 | return retval; |
1128 | 0 | } |
1129 | 0 | } |
1130 | | |
1131 | | /* TLS_FALLBACK_SCSV */ |
1132 | 0 | if (data[i] == GNUTLS_FALLBACK_SCSV_MAJOR && |
1133 | 0 | data[i + 1] == GNUTLS_FALLBACK_SCSV_MINOR) { |
1134 | 0 | const version_entry_st *max = |
1135 | 0 | _gnutls_version_max(session); |
1136 | |
|
1137 | 0 | _gnutls_handshake_log("HSK[%p]: Received fallback CS\n", |
1138 | 0 | session); |
1139 | |
|
1140 | 0 | if (vers != max) |
1141 | 0 | return gnutls_assert_val( |
1142 | 0 | GNUTLS_E_INAPPROPRIATE_FALLBACK); |
1143 | 0 | } else if (!scsv_only) { |
1144 | 0 | if (peer_clist.size < MAX_CIPHERSUITE_SIZE) { |
1145 | 0 | peer_clist.entry[peer_clist.size] = |
1146 | 0 | ciphersuite_to_entry(&data[i]); |
1147 | 0 | if (peer_clist.entry[peer_clist.size] != NULL) |
1148 | 0 | peer_clist.size++; |
1149 | 0 | } |
1150 | 0 | } |
1151 | 0 | } |
1152 | | |
1153 | 0 | if (scsv_only) |
1154 | 0 | return 0; |
1155 | | |
1156 | 0 | ret = _gnutls_figure_common_ciphersuite(session, &peer_clist, |
1157 | 0 | &selected); |
1158 | 0 | if (ret < 0) { |
1159 | 0 | return gnutls_assert_val(ret); |
1160 | 0 | } |
1161 | | |
1162 | 0 | _gnutls_handshake_log("HSK[%p]: Selected cipher suite: %s\n", session, |
1163 | 0 | selected->name); |
1164 | |
|
1165 | 0 | ret = _gnutls_set_cipher_suite2(session, selected); |
1166 | 0 | if (ret < 0) { |
1167 | 0 | gnutls_assert(); |
1168 | 0 | return ret; |
1169 | 0 | } |
1170 | | |
1171 | 0 | if (!vers->tls13_sem) { |
1172 | | /* check if the credentials (username, public key etc.) are ok |
1173 | | */ |
1174 | 0 | kx = selected->kx_algorithm; |
1175 | 0 | if (_gnutls_get_kx_cred(session, kx) == NULL) { |
1176 | 0 | gnutls_assert(); |
1177 | 0 | return GNUTLS_E_INSUFFICIENT_CREDENTIALS; |
1178 | 0 | } |
1179 | | |
1180 | | /* set the mod_auth_st to the appropriate struct |
1181 | | * according to the KX algorithm. This is needed since all the |
1182 | | * handshake functions are read from there; |
1183 | | */ |
1184 | 0 | session->internals.auth_struct = _gnutls_kx_auth_struct(kx); |
1185 | 0 | if (session->internals.auth_struct == NULL) { |
1186 | 0 | _gnutls_handshake_log( |
1187 | 0 | "HSK[%p]: Cannot find the appropriate handler for the KX algorithm\n", |
1188 | 0 | session); |
1189 | 0 | gnutls_assert(); |
1190 | 0 | return GNUTLS_E_INTERNAL_ERROR; |
1191 | 0 | } |
1192 | 0 | } |
1193 | | |
1194 | 0 | return 0; |
1195 | 0 | } |
1196 | | |
1197 | | /* This checks whether the null compression method is present. |
1198 | | */ |
1199 | | static int check_if_null_comp_present(gnutls_session_t session, uint8_t *data, |
1200 | | int datalen) |
1201 | 0 | { |
1202 | 0 | int j; |
1203 | |
|
1204 | 0 | for (j = 0; j < datalen; j++) { |
1205 | 0 | if (data[j] == 0) |
1206 | 0 | return 0; |
1207 | 0 | } |
1208 | | |
1209 | | /* we were not able to find a the NULL compression |
1210 | | * algorithm |
1211 | | */ |
1212 | 0 | gnutls_assert(); |
1213 | 0 | return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM; |
1214 | 0 | } |
1215 | | |
1216 | | /* This function sends an empty handshake packet. (like hello request). |
1217 | | * If the previous _gnutls_send_empty_handshake() returned |
1218 | | * GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED, then it must be called again |
1219 | | * (until it returns ok), with NULL parameters. |
1220 | | */ |
1221 | | static int _gnutls_send_empty_handshake(gnutls_session_t session, |
1222 | | gnutls_handshake_description_t type, |
1223 | | int again) |
1224 | 0 | { |
1225 | 0 | mbuffer_st *bufel; |
1226 | |
|
1227 | 0 | if (again == 0) { |
1228 | 0 | bufel = _gnutls_handshake_alloc(session, 0); |
1229 | 0 | if (bufel == NULL) { |
1230 | 0 | gnutls_assert(); |
1231 | 0 | return GNUTLS_E_MEMORY_ERROR; |
1232 | 0 | } |
1233 | 0 | } else |
1234 | 0 | bufel = NULL; |
1235 | | |
1236 | 0 | return _gnutls_send_handshake(session, bufel, type); |
1237 | 0 | } |
1238 | | |
1239 | | int _gnutls_call_hook_func(gnutls_session_t session, |
1240 | | gnutls_handshake_description_t type, int post, |
1241 | | unsigned incoming, const uint8_t *data, |
1242 | | unsigned data_size) |
1243 | 0 | { |
1244 | 0 | gnutls_datum_t msg = { (void *)data, data_size }; |
1245 | |
|
1246 | 0 | if (session->internals.h_hook != NULL) { |
1247 | 0 | if ((session->internals.h_type == type || |
1248 | 0 | session->internals.h_type == GNUTLS_HANDSHAKE_ANY) && |
1249 | 0 | (session->internals.h_post == post || |
1250 | 0 | session->internals.h_post == GNUTLS_HOOK_BOTH)) { |
1251 | | /* internal API for testing: when we are expected to |
1252 | | * wait for GNUTLS_HANDSHAKE_CHANGE_CIPHER_SPEC, we |
1253 | | * do so, but not when doing for all messages. The |
1254 | | * reason is that change cipher specs are not handshake |
1255 | | * messages, and we don't support waiting for them |
1256 | | * consistently (only sending is tracked, not receiving). |
1257 | | */ |
1258 | 0 | if (type == GNUTLS_HANDSHAKE_CHANGE_CIPHER_SPEC && |
1259 | 0 | session->internals.h_type != |
1260 | 0 | GNUTLS_HANDSHAKE_CHANGE_CIPHER_SPEC) |
1261 | 0 | return 0; |
1262 | | |
1263 | 0 | return session->internals.h_hook(session, type, post, |
1264 | 0 | incoming, &msg); |
1265 | 0 | } |
1266 | 0 | } |
1267 | 0 | return 0; |
1268 | 0 | } |
1269 | | |
1270 | | /* Note that the "New session ticket" handshake packet behaves differently under |
1271 | | * TLS 1.2 or 1.3. In 1.2 it is included in the handshake process, while in 1.3 |
1272 | | * it is sent asynchronously */ |
1273 | | #define IS_ASYNC(t, v) \ |
1274 | 0 | (t == GNUTLS_HANDSHAKE_HELLO_REQUEST || \ |
1275 | 0 | t == GNUTLS_HANDSHAKE_KEY_UPDATE || \ |
1276 | 0 | (t == GNUTLS_HANDSHAKE_NEW_SESSION_TICKET && v->tls13_sem)) |
1277 | | |
1278 | | int _gnutls_send_handshake(gnutls_session_t session, mbuffer_st *bufel, |
1279 | | gnutls_handshake_description_t type) |
1280 | 0 | { |
1281 | 0 | return _gnutls_send_handshake2(session, bufel, type, 0); |
1282 | 0 | } |
1283 | | |
1284 | | /* This function sends a handshake message of type 'type' containing the |
1285 | | * data specified here. If the previous _gnutls_send_handshake() returned |
1286 | | * GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED, then it must be called again |
1287 | | * (until it returns ok), with NULL parameters. |
1288 | | */ |
1289 | | int _gnutls_send_handshake2(gnutls_session_t session, mbuffer_st *bufel, |
1290 | | gnutls_handshake_description_t type, |
1291 | | unsigned queue_only) |
1292 | 0 | { |
1293 | 0 | int ret; |
1294 | 0 | uint8_t *data; |
1295 | 0 | uint32_t datasize, i_datasize; |
1296 | 0 | int pos = 0; |
1297 | 0 | const version_entry_st *vers = get_version(session); |
1298 | |
|
1299 | 0 | if (bufel == NULL) { |
1300 | | /* we are resuming a previously interrupted |
1301 | | * send. |
1302 | | */ |
1303 | 0 | ret = _gnutls_handshake_io_write_flush(session); |
1304 | 0 | return ret; |
1305 | 0 | } |
1306 | | |
1307 | | /* first run */ |
1308 | 0 | data = _mbuffer_get_uhead_ptr(bufel); |
1309 | 0 | i_datasize = _mbuffer_get_udata_size(bufel); |
1310 | 0 | datasize = i_datasize + _mbuffer_get_uhead_size(bufel); |
1311 | |
|
1312 | 0 | data[pos++] = (uint8_t)REAL_HSK_TYPE(type); |
1313 | 0 | _gnutls_write_uint24(_mbuffer_get_udata_size(bufel), &data[pos]); |
1314 | 0 | pos += 3; |
1315 | | |
1316 | | /* Add DTLS handshake fragment headers. The message will be |
1317 | | * fragmented later by the fragmentation sub-layer. All fields must |
1318 | | * be set properly for HMAC. The HMAC requires we pretend that the |
1319 | | * message was sent in a single fragment. */ |
1320 | 0 | if (IS_DTLS(session)) { |
1321 | 0 | _gnutls_write_uint16(session->internals.dtls.hsk_write_seq++, |
1322 | 0 | &data[pos]); |
1323 | 0 | pos += 2; |
1324 | | |
1325 | | /* Fragment offset */ |
1326 | 0 | _gnutls_write_uint24(0, &data[pos]); |
1327 | 0 | pos += 3; |
1328 | | |
1329 | | /* Fragment length */ |
1330 | 0 | _gnutls_write_uint24(i_datasize, &data[pos]); |
1331 | | /* pos += 3; */ |
1332 | 0 | } |
1333 | |
|
1334 | 0 | _gnutls_handshake_log("HSK[%p]: %s was queued [%ld bytes]\n", session, |
1335 | 0 | _gnutls_handshake2str(type), (long)datasize); |
1336 | | |
1337 | | /* Here we keep the handshake messages in order to hash them... |
1338 | | */ |
1339 | 0 | if (!IS_ASYNC(type, vers)) { |
1340 | 0 | if ((ret = handshake_hash_add_sent(session, type, data, |
1341 | 0 | datasize)) < 0) { |
1342 | 0 | gnutls_assert(); |
1343 | 0 | _mbuffer_xfree(&bufel); |
1344 | 0 | return ret; |
1345 | 0 | } |
1346 | | /* If we are sending a PSK, generate early secrets here. |
1347 | | * This cannot be done in pre_shared_key.c, because it |
1348 | | * relies on transcript hash of a Client Hello. */ |
1349 | 0 | if (type == GNUTLS_HANDSHAKE_CLIENT_HELLO && |
1350 | 0 | session->key.binders[0].prf != NULL) { |
1351 | 0 | ret = _gnutls_generate_early_secrets_for_psk(session); |
1352 | 0 | if (ret < 0) { |
1353 | 0 | gnutls_assert(); |
1354 | 0 | _mbuffer_xfree(&bufel); |
1355 | 0 | return ret; |
1356 | 0 | } |
1357 | 0 | } |
1358 | 0 | } |
1359 | | |
1360 | 0 | ret = _gnutls_call_hook_func(session, type, GNUTLS_HOOK_PRE, 0, |
1361 | 0 | _mbuffer_get_udata_ptr(bufel), |
1362 | 0 | _mbuffer_get_udata_size(bufel)); |
1363 | 0 | if (ret < 0) { |
1364 | 0 | gnutls_assert(); |
1365 | 0 | _mbuffer_xfree(&bufel); |
1366 | 0 | return ret; |
1367 | 0 | } |
1368 | | |
1369 | 0 | session->internals.last_handshake_out = type; |
1370 | |
|
1371 | 0 | ret = _gnutls_handshake_io_cache_int(session, type, bufel); |
1372 | 0 | if (ret < 0) { |
1373 | 0 | _mbuffer_xfree(&bufel); |
1374 | 0 | gnutls_assert(); |
1375 | 0 | return ret; |
1376 | 0 | } |
1377 | | |
1378 | 0 | ret = _gnutls_call_hook_func(session, type, GNUTLS_HOOK_POST, 0, |
1379 | 0 | _mbuffer_get_udata_ptr(bufel), |
1380 | 0 | _mbuffer_get_udata_size(bufel)); |
1381 | 0 | if (ret < 0) { |
1382 | 0 | gnutls_assert(); |
1383 | 0 | return ret; |
1384 | 0 | } |
1385 | | |
1386 | 0 | if (queue_only) |
1387 | 0 | return 0; |
1388 | | |
1389 | | /* Decide when to cache and when to send */ |
1390 | 0 | if (vers && vers->tls13_sem) { |
1391 | 0 | if (session->internals.initial_negotiation_completed) { |
1392 | | /* we are under TLS1.3 in a re-authentication phase. |
1393 | | * we don't attempt to cache any messages */ |
1394 | 0 | goto force_send; |
1395 | 0 | } |
1396 | | |
1397 | | /* The messages which are followed by another are not sent by default |
1398 | | * but are cached instead */ |
1399 | 0 | switch (type) { |
1400 | 0 | case GNUTLS_HANDSHAKE_SERVER_HELLO: /* always followed by something */ |
1401 | 0 | case GNUTLS_HANDSHAKE_ENCRYPTED_EXTENSIONS: /* followed by finished or cert */ |
1402 | 0 | case GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST: /* followed by certificate */ |
1403 | 0 | case GNUTLS_HANDSHAKE_CERTIFICATE_PKT: /* this one is followed by cert verify */ |
1404 | 0 | case GNUTLS_HANDSHAKE_COMPRESSED_CERTIFICATE_PKT: /* as above */ |
1405 | 0 | case GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY: /* followed by finished */ |
1406 | 0 | ret = 0; /* cache */ |
1407 | 0 | break; |
1408 | 0 | default: |
1409 | | /* send this and any cached messages */ |
1410 | 0 | goto force_send; |
1411 | 0 | } |
1412 | 0 | } else { |
1413 | | /* The messages which are followed by another are not sent by default |
1414 | | * but are cached instead */ |
1415 | 0 | switch (type) { |
1416 | 0 | case GNUTLS_HANDSHAKE_CERTIFICATE_PKT: /* this one is followed by ServerHelloDone |
1417 | | * or ClientKeyExchange always. |
1418 | | */ |
1419 | 0 | case GNUTLS_HANDSHAKE_COMPRESSED_CERTIFICATE_PKT: /* as above */ |
1420 | 0 | case GNUTLS_HANDSHAKE_CERTIFICATE_STATUS: |
1421 | 0 | case GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE: /* as above */ |
1422 | 0 | case GNUTLS_HANDSHAKE_SERVER_HELLO: /* as above */ |
1423 | 0 | case GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST: /* as above */ |
1424 | 0 | case GNUTLS_HANDSHAKE_NEW_SESSION_TICKET: /* followed by ChangeCipherSpec */ |
1425 | | |
1426 | | /* now for client Certificate, ClientKeyExchange and |
1427 | | * CertificateVerify are always followed by ChangeCipherSpec |
1428 | | */ |
1429 | 0 | case GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY: |
1430 | 0 | case GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE: |
1431 | 0 | ret = 0; |
1432 | 0 | break; |
1433 | 0 | default: |
1434 | | /* send this and any cached messages */ |
1435 | 0 | goto force_send; |
1436 | 0 | } |
1437 | 0 | } |
1438 | | |
1439 | 0 | return ret; |
1440 | | |
1441 | 0 | force_send: |
1442 | 0 | return _gnutls_handshake_io_write_flush(session); |
1443 | 0 | } |
1444 | | |
1445 | | #define CHECK_SIZE(ll) \ |
1446 | 0 | if ((session->internals.max_handshake_data_buffer_size > 0) && \ |
1447 | 0 | (((ll) + session->internals.handshake_hash_buffer.length) > \ |
1448 | 0 | session->internals.max_handshake_data_buffer_size)) { \ |
1449 | 0 | _gnutls_debug_log( \ |
1450 | 0 | "Handshake buffer length is %u (max: %u)\n", \ |
1451 | 0 | (unsigned)((ll) + \ |
1452 | 0 | session->internals.handshake_hash_buffer \ |
1453 | 0 | .length), \ |
1454 | 0 | (unsigned)session->internals \ |
1455 | 0 | .max_handshake_data_buffer_size); \ |
1456 | 0 | return gnutls_assert_val(GNUTLS_E_HANDSHAKE_TOO_LARGE); \ |
1457 | 0 | } |
1458 | | |
1459 | | /* This function add the handshake headers and the |
1460 | | * handshake data to the handshake hash buffers. Needed |
1461 | | * for the finished messages calculations. |
1462 | | */ |
1463 | | static int handshake_hash_add_recvd(gnutls_session_t session, |
1464 | | gnutls_handshake_description_t recv_type, |
1465 | | uint8_t *header, uint16_t header_size, |
1466 | | uint8_t *dataptr, uint32_t datalen) |
1467 | 0 | { |
1468 | 0 | int ret; |
1469 | 0 | const version_entry_st *vers = get_version(session); |
1470 | |
|
1471 | 0 | if (unlikely(vers == NULL)) |
1472 | 0 | return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); |
1473 | | |
1474 | 0 | if ((vers->id != GNUTLS_DTLS0_9 && |
1475 | 0 | recv_type == GNUTLS_HANDSHAKE_HELLO_VERIFY_REQUEST) || |
1476 | 0 | IS_ASYNC(recv_type, vers)) |
1477 | 0 | return 0; |
1478 | | |
1479 | 0 | CHECK_SIZE(header_size + datalen); |
1480 | |
|
1481 | 0 | session->internals.handshake_hash_buffer_prev_len = |
1482 | 0 | session->internals.handshake_hash_buffer.length; |
1483 | |
|
1484 | 0 | if (vers->id != GNUTLS_DTLS0_9) { |
1485 | 0 | ret = _gnutls_buffer_append_data( |
1486 | 0 | &session->internals.handshake_hash_buffer, header, |
1487 | 0 | header_size); |
1488 | 0 | if (ret < 0) |
1489 | 0 | return gnutls_assert_val(ret); |
1490 | 0 | } |
1491 | 0 | if (datalen > 0) { |
1492 | 0 | ret = _gnutls_buffer_append_data( |
1493 | 0 | &session->internals.handshake_hash_buffer, dataptr, |
1494 | 0 | datalen); |
1495 | 0 | if (ret < 0) |
1496 | 0 | return gnutls_assert_val(ret); |
1497 | 0 | } |
1498 | | |
1499 | | /* save the size until client KX. That is because the TLS |
1500 | | * session hash is calculated up to this message. |
1501 | | */ |
1502 | 0 | if (recv_type == GNUTLS_HANDSHAKE_CLIENT_HELLO) |
1503 | 0 | session->internals.handshake_hash_buffer_client_hello_len = |
1504 | 0 | session->internals.handshake_hash_buffer.length; |
1505 | 0 | if (recv_type == GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE) |
1506 | 0 | session->internals.handshake_hash_buffer_client_kx_len = |
1507 | 0 | session->internals.handshake_hash_buffer.length; |
1508 | 0 | if (recv_type == GNUTLS_HANDSHAKE_FINISHED && |
1509 | 0 | session->security_parameters.entity == GNUTLS_CLIENT) |
1510 | 0 | session->internals.handshake_hash_buffer_server_finished_len = |
1511 | 0 | session->internals.handshake_hash_buffer.length; |
1512 | 0 | if (recv_type == GNUTLS_HANDSHAKE_FINISHED && |
1513 | 0 | session->security_parameters.entity == GNUTLS_SERVER) |
1514 | 0 | session->internals.handshake_hash_buffer_client_finished_len = |
1515 | 0 | session->internals.handshake_hash_buffer.length; |
1516 | |
|
1517 | 0 | return 0; |
1518 | 0 | } |
1519 | | |
1520 | | /* This function will store the handshake message we sent. |
1521 | | */ |
1522 | | static int handshake_hash_add_sent(gnutls_session_t session, |
1523 | | gnutls_handshake_description_t type, |
1524 | | uint8_t *dataptr, uint32_t datalen) |
1525 | 0 | { |
1526 | 0 | int ret; |
1527 | 0 | const version_entry_st *vers = get_version(session); |
1528 | |
|
1529 | 0 | if (unlikely(vers == NULL)) |
1530 | 0 | return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); |
1531 | | |
1532 | 0 | if (IS_ASYNC(type, vers)) |
1533 | 0 | return 0; |
1534 | | |
1535 | 0 | CHECK_SIZE(datalen); |
1536 | |
|
1537 | 0 | if (vers->id == GNUTLS_DTLS0_9) { |
1538 | | /* Old DTLS doesn't include the header in the MAC */ |
1539 | 0 | if (datalen < 12) { |
1540 | 0 | gnutls_assert(); |
1541 | 0 | return GNUTLS_E_INTERNAL_ERROR; |
1542 | 0 | } |
1543 | 0 | dataptr += 12; |
1544 | 0 | datalen -= 12; |
1545 | |
|
1546 | 0 | if (datalen == 0) |
1547 | 0 | return 0; |
1548 | 0 | } |
1549 | | |
1550 | 0 | ret = _gnutls_buffer_append_data( |
1551 | 0 | &session->internals.handshake_hash_buffer, dataptr, datalen); |
1552 | 0 | if (ret < 0) |
1553 | 0 | return gnutls_assert_val(ret); |
1554 | | |
1555 | 0 | if (type == GNUTLS_HANDSHAKE_CLIENT_HELLO) |
1556 | 0 | session->internals.handshake_hash_buffer_client_hello_len = |
1557 | 0 | session->internals.handshake_hash_buffer.length; |
1558 | 0 | if (type == GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE) |
1559 | 0 | session->internals.handshake_hash_buffer_client_kx_len = |
1560 | 0 | session->internals.handshake_hash_buffer.length; |
1561 | 0 | if (type == GNUTLS_HANDSHAKE_FINISHED && |
1562 | 0 | session->security_parameters.entity == GNUTLS_SERVER) |
1563 | 0 | session->internals.handshake_hash_buffer_server_finished_len = |
1564 | 0 | session->internals.handshake_hash_buffer.length; |
1565 | 0 | if (type == GNUTLS_HANDSHAKE_FINISHED && |
1566 | 0 | session->security_parameters.entity == GNUTLS_CLIENT) |
1567 | 0 | session->internals.handshake_hash_buffer_client_finished_len = |
1568 | 0 | session->internals.handshake_hash_buffer.length; |
1569 | |
|
1570 | 0 | return 0; |
1571 | 0 | } |
1572 | | |
1573 | | /* This function will receive handshake messages of the given types, |
1574 | | * and will pass the message to the right place in order to be processed. |
1575 | | * E.g. for the SERVER_HELLO message (if it is expected), it will be |
1576 | | * passed to _gnutls_recv_hello(). |
1577 | | */ |
1578 | | int _gnutls_recv_handshake(gnutls_session_t session, |
1579 | | gnutls_handshake_description_t type, |
1580 | | unsigned int optional, gnutls_buffer_st *buf) |
1581 | 0 | { |
1582 | 0 | int ret, ret2; |
1583 | 0 | handshake_buffer_st hsk; |
1584 | |
|
1585 | 0 | ret = _gnutls_handshake_io_recv_int(session, type, &hsk, optional); |
1586 | 0 | if (ret < 0) { |
1587 | 0 | if (optional != 0 && |
1588 | 0 | ret == GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET) { |
1589 | 0 | if (buf) |
1590 | 0 | _gnutls_buffer_init(buf); |
1591 | 0 | return 0; |
1592 | 0 | } |
1593 | | |
1594 | 0 | return gnutls_assert_val_fatal(ret); |
1595 | 0 | } |
1596 | 0 | session->internals.last_handshake_in = hsk.htype; |
1597 | |
|
1598 | 0 | ret = _gnutls_call_hook_func(session, hsk.htype, GNUTLS_HOOK_PRE, 1, |
1599 | 0 | hsk.data.data, hsk.data.length); |
1600 | 0 | if (ret < 0) { |
1601 | 0 | gnutls_assert(); |
1602 | 0 | goto cleanup; |
1603 | 0 | } |
1604 | | |
1605 | 0 | ret = handshake_hash_add_recvd(session, hsk.rtype, hsk.header, |
1606 | 0 | hsk.header_size, hsk.data.data, |
1607 | 0 | hsk.data.length); |
1608 | 0 | if (ret < 0) { |
1609 | 0 | gnutls_assert(); |
1610 | 0 | goto cleanup; |
1611 | 0 | } |
1612 | | |
1613 | 0 | switch (hsk.htype) { |
1614 | 0 | case GNUTLS_HANDSHAKE_CLIENT_HELLO_V2: |
1615 | 0 | case GNUTLS_HANDSHAKE_CLIENT_HELLO: |
1616 | 0 | if (!(IS_SERVER(session))) { |
1617 | 0 | ret = gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET); |
1618 | 0 | goto cleanup; |
1619 | 0 | } |
1620 | | |
1621 | 0 | #ifdef ENABLE_SSL2 |
1622 | 0 | if (hsk.htype == GNUTLS_HANDSHAKE_CLIENT_HELLO_V2) |
1623 | 0 | ret = _gnutls_read_client_hello_v2( |
1624 | 0 | session, hsk.data.data, hsk.data.length); |
1625 | 0 | else |
1626 | 0 | #endif |
1627 | 0 | { |
1628 | | /* Reference the full ClientHello in case an extension needs it */ |
1629 | 0 | ret = _gnutls_ext_set_full_client_hello(session, &hsk); |
1630 | 0 | if (ret < 0) { |
1631 | 0 | gnutls_assert(); |
1632 | 0 | goto cleanup; |
1633 | 0 | } |
1634 | | |
1635 | 0 | ret = read_client_hello(session, hsk.data.data, |
1636 | 0 | hsk.data.length); |
1637 | 0 | } |
1638 | | |
1639 | 0 | if (ret < 0) { |
1640 | 0 | gnutls_assert(); |
1641 | 0 | goto cleanup; |
1642 | 0 | } |
1643 | | |
1644 | 0 | break; |
1645 | | |
1646 | 0 | case GNUTLS_HANDSHAKE_SERVER_HELLO: |
1647 | 0 | if (IS_SERVER(session)) { |
1648 | 0 | ret = gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET); |
1649 | 0 | goto cleanup; |
1650 | 0 | } |
1651 | | |
1652 | 0 | ret = read_server_hello(session, hsk.data.data, |
1653 | 0 | hsk.data.length); |
1654 | |
|
1655 | 0 | if (ret < 0) { |
1656 | 0 | gnutls_assert(); |
1657 | 0 | goto cleanup; |
1658 | 0 | } |
1659 | | |
1660 | 0 | break; |
1661 | 0 | case GNUTLS_HANDSHAKE_HELLO_VERIFY_REQUEST: |
1662 | 0 | if (IS_SERVER(session)) { |
1663 | 0 | ret = gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET); |
1664 | 0 | goto cleanup; |
1665 | 0 | } |
1666 | | |
1667 | 0 | ret = recv_hello_verify_request(session, hsk.data.data, |
1668 | 0 | hsk.data.length); |
1669 | 0 | if (ret < 0) { |
1670 | 0 | gnutls_assert(); |
1671 | 0 | goto cleanup; |
1672 | 0 | } else { |
1673 | | /* Signal our caller we have received a verification cookie |
1674 | | and ClientHello needs to be sent again. */ |
1675 | 0 | ret = 1; |
1676 | 0 | } |
1677 | | |
1678 | 0 | break; |
1679 | 0 | case GNUTLS_HANDSHAKE_HELLO_RETRY_REQUEST: { |
1680 | | /* hash buffer synth message is generated during hello retry parsing */ |
1681 | 0 | gnutls_datum_t hrr = { hsk.data.data, hsk.data.length }; |
1682 | |
|
1683 | 0 | if (IS_SERVER(session)) { |
1684 | 0 | ret = gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET); |
1685 | 0 | goto cleanup; |
1686 | 0 | } |
1687 | | |
1688 | 0 | ret = _gnutls13_recv_hello_retry_request(session, &hsk.data); |
1689 | 0 | if (ret < 0) { |
1690 | 0 | gnutls_assert(); |
1691 | 0 | goto cleanup; |
1692 | 0 | } else { |
1693 | | /* during hello retry parsing, we reset handshake hash buffer, |
1694 | | * re-add this message */ |
1695 | 0 | ret = handshake_hash_add_recvd(session, hsk.htype, |
1696 | 0 | hsk.header, |
1697 | 0 | hsk.header_size, |
1698 | 0 | hrr.data, hrr.size); |
1699 | 0 | if (ret < 0) { |
1700 | 0 | gnutls_assert(); |
1701 | 0 | goto cleanup; |
1702 | 0 | } |
1703 | | |
1704 | | /* Signal our caller we have received a retry request |
1705 | | and ClientHello needs to be sent again. */ |
1706 | 0 | ret = 1; |
1707 | 0 | } |
1708 | | |
1709 | 0 | break; |
1710 | 0 | } |
1711 | 0 | case GNUTLS_HANDSHAKE_SERVER_HELLO_DONE: |
1712 | 0 | if (hsk.data.length == 0) |
1713 | 0 | ret = 0; |
1714 | 0 | else { |
1715 | 0 | gnutls_assert(); |
1716 | 0 | ret = GNUTLS_E_UNEXPECTED_PACKET_LENGTH; |
1717 | 0 | goto cleanup; |
1718 | 0 | } |
1719 | 0 | break; |
1720 | 0 | case GNUTLS_HANDSHAKE_CERTIFICATE_PKT: |
1721 | 0 | case GNUTLS_HANDSHAKE_COMPRESSED_CERTIFICATE_PKT: |
1722 | 0 | case GNUTLS_HANDSHAKE_CERTIFICATE_STATUS: |
1723 | 0 | case GNUTLS_HANDSHAKE_FINISHED: |
1724 | 0 | case GNUTLS_HANDSHAKE_ENCRYPTED_EXTENSIONS: |
1725 | 0 | case GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE: |
1726 | 0 | case GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE: |
1727 | 0 | case GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST: |
1728 | 0 | case GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY: |
1729 | 0 | case GNUTLS_HANDSHAKE_SUPPLEMENTAL: |
1730 | 0 | case GNUTLS_HANDSHAKE_NEW_SESSION_TICKET: |
1731 | 0 | case GNUTLS_HANDSHAKE_END_OF_EARLY_DATA: |
1732 | 0 | ret = hsk.data.length; |
1733 | 0 | break; |
1734 | 0 | default: |
1735 | 0 | gnutls_assert(); |
1736 | | /* we shouldn't actually arrive here in any case . |
1737 | | * unexpected messages should be caught after _gnutls_handshake_io_recv_int() |
1738 | | */ |
1739 | 0 | ret = GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET; |
1740 | 0 | goto cleanup; |
1741 | 0 | } |
1742 | | |
1743 | 0 | ret2 = _gnutls_call_hook_func(session, hsk.htype, GNUTLS_HOOK_POST, 1, |
1744 | 0 | hsk.data.data, hsk.data.length); |
1745 | 0 | if (ret2 < 0) { |
1746 | 0 | ret = ret2; |
1747 | 0 | gnutls_assert(); |
1748 | 0 | goto cleanup; |
1749 | 0 | } |
1750 | | |
1751 | 0 | if (buf) { |
1752 | 0 | *buf = hsk.data; |
1753 | 0 | return ret; |
1754 | 0 | } |
1755 | | |
1756 | 0 | cleanup: |
1757 | 0 | _gnutls_handshake_buffer_clear(&hsk); |
1758 | 0 | return ret; |
1759 | 0 | } |
1760 | | |
1761 | | /* This function checks if the given cipher suite is supported, and sets it |
1762 | | * to the session; |
1763 | | */ |
1764 | | static int set_client_ciphersuite(gnutls_session_t session, uint8_t suite[2]) |
1765 | 0 | { |
1766 | 0 | unsigned j; |
1767 | 0 | int ret; |
1768 | 0 | const gnutls_cipher_suite_entry_st *selected = NULL; |
1769 | 0 | const version_entry_st *vers = get_version(session); |
1770 | 0 | gnutls_kx_algorithm_t kx; |
1771 | |
|
1772 | 0 | for (j = 0; j < session->internals.priorities->cs.size; j++) { |
1773 | 0 | if (suite[0] == |
1774 | 0 | session->internals.priorities->cs.entry[j]->id[0] && |
1775 | 0 | suite[1] == |
1776 | 0 | session->internals.priorities->cs.entry[j]->id[1]) { |
1777 | 0 | selected = session->internals.priorities->cs.entry[j]; |
1778 | 0 | break; |
1779 | 0 | } |
1780 | 0 | } |
1781 | |
|
1782 | 0 | if (!selected) { |
1783 | 0 | gnutls_assert(); |
1784 | 0 | _gnutls_handshake_log( |
1785 | 0 | "HSK[%p]: unsupported cipher suite %.2X.%.2X was negotiated\n", |
1786 | 0 | session, (unsigned int)suite[0], |
1787 | 0 | (unsigned int)suite[1]); |
1788 | 0 | return GNUTLS_E_UNKNOWN_CIPHER_SUITE; |
1789 | 0 | } |
1790 | | |
1791 | 0 | ret = _gnutls_set_cipher_suite2(session, selected); |
1792 | 0 | if (ret < 0) |
1793 | 0 | return gnutls_assert_val(ret); |
1794 | | |
1795 | 0 | _gnutls_handshake_log("HSK[%p]: Selected cipher suite: %s\n", session, |
1796 | 0 | selected->name); |
1797 | | |
1798 | | /* check if the credentials (username, public key etc.) are ok. |
1799 | | * Actually checks if they exist. |
1800 | | */ |
1801 | 0 | if (!vers->tls13_sem) { |
1802 | 0 | kx = selected->kx_algorithm; |
1803 | |
|
1804 | 0 | if (!session->internals.premaster_set && |
1805 | 0 | _gnutls_get_kx_cred(session, kx) == NULL) { |
1806 | 0 | gnutls_assert(); |
1807 | 0 | return GNUTLS_E_INSUFFICIENT_CREDENTIALS; |
1808 | 0 | } |
1809 | | |
1810 | | /* set the mod_auth_st to the appropriate struct |
1811 | | * according to the KX algorithm. This is needed since all the |
1812 | | * handshake functions are read from there; |
1813 | | */ |
1814 | 0 | session->internals.auth_struct = _gnutls_kx_auth_struct(kx); |
1815 | |
|
1816 | 0 | if (session->internals.auth_struct == NULL) { |
1817 | 0 | _gnutls_handshake_log( |
1818 | 0 | "HSK[%p]: Cannot find the appropriate handler for the KX algorithm\n", |
1819 | 0 | session); |
1820 | 0 | gnutls_assert(); |
1821 | 0 | return GNUTLS_E_INTERNAL_ERROR; |
1822 | 0 | } |
1823 | 0 | } else { |
1824 | 0 | if (session->internals.hsk_flags & HSK_PSK_SELECTED) { |
1825 | 0 | if (session->key.binders[0].prf->id != selected->prf) { |
1826 | 0 | _gnutls_handshake_log( |
1827 | 0 | "HSK[%p]: PRF of ciphersuite differs with the PSK identity (cs: %s, id: %s)\n", |
1828 | 0 | session, selected->name, |
1829 | 0 | session->key.binders[0].prf->name); |
1830 | 0 | gnutls_assert(); |
1831 | 0 | return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; |
1832 | 0 | } |
1833 | 0 | } |
1834 | 0 | } |
1835 | | |
1836 | 0 | return 0; |
1837 | 0 | } |
1838 | | |
1839 | | /* This function returns 0 if we are resuming a session or -1 otherwise. |
1840 | | * This also sets the variables in the session. Used only while reading a server |
1841 | | * hello. Only applicable to TLS1.2 or earlier. |
1842 | | */ |
1843 | | static int client_check_if_resuming(gnutls_session_t session, |
1844 | | uint8_t *session_id, int session_id_len) |
1845 | 0 | { |
1846 | 0 | char buf[2 * GNUTLS_MAX_SESSION_ID_SIZE + 1]; |
1847 | 0 | int ret; |
1848 | |
|
1849 | 0 | _gnutls_handshake_log("HSK[%p]: SessionID length: %d\n", session, |
1850 | 0 | session_id_len); |
1851 | 0 | _gnutls_handshake_log("HSK[%p]: SessionID: %s\n", session, |
1852 | 0 | _gnutls_bin2hex(session_id, session_id_len, buf, |
1853 | 0 | sizeof(buf), NULL)); |
1854 | |
|
1855 | 0 | if ((session->internals.resumption_requested != 0 || |
1856 | 0 | session->internals.premaster_set != 0) && |
1857 | 0 | session_id_len > 0 && |
1858 | 0 | session->internals.resumed_security_parameters.session_id_size == |
1859 | 0 | session_id_len && |
1860 | 0 | memcmp(session_id, |
1861 | 0 | session->internals.resumed_security_parameters.session_id, |
1862 | 0 | session_id_len) == 0) { |
1863 | | /* resume session */ |
1864 | 0 | memcpy(session->internals.resumed_security_parameters |
1865 | 0 | .server_random, |
1866 | 0 | session->security_parameters.server_random, |
1867 | 0 | GNUTLS_RANDOM_SIZE); |
1868 | 0 | memcpy(session->internals.resumed_security_parameters |
1869 | 0 | .client_random, |
1870 | 0 | session->security_parameters.client_random, |
1871 | 0 | GNUTLS_RANDOM_SIZE); |
1872 | |
|
1873 | 0 | ret = _gnutls_set_cipher_suite2( |
1874 | 0 | session, |
1875 | 0 | session->internals.resumed_security_parameters.cs); |
1876 | 0 | if (ret < 0) { |
1877 | 0 | gnutls_assert(); |
1878 | 0 | goto no_resume; |
1879 | 0 | } |
1880 | | |
1881 | 0 | session->internals.resumed = true; /* we are resuming */ |
1882 | |
|
1883 | 0 | return 0; |
1884 | 0 | } else { |
1885 | 0 | no_resume: |
1886 | | /* keep the new session id */ |
1887 | 0 | session->internals.resumed = false; /* we are not resuming */ |
1888 | 0 | return -1; |
1889 | 0 | } |
1890 | 0 | } |
1891 | | |
1892 | | /* This function reads and parses the server hello handshake message. |
1893 | | * This function also restores resumed parameters if we are resuming a |
1894 | | * session. |
1895 | | */ |
1896 | | static int read_server_hello(gnutls_session_t session, uint8_t *data, |
1897 | | int datalen) |
1898 | 0 | { |
1899 | 0 | uint8_t session_id_len = 0; |
1900 | 0 | uint8_t *session_id; |
1901 | 0 | uint8_t *cs_pos, *comp_pos, *srandom_pos; |
1902 | 0 | uint8_t major, minor; |
1903 | 0 | int pos = 0; |
1904 | 0 | int ret; |
1905 | 0 | int len = datalen; |
1906 | 0 | unsigned ext_parse_flag = 0; |
1907 | 0 | const version_entry_st *vers, *saved_vers; |
1908 | |
|
1909 | 0 | if (datalen < GNUTLS_RANDOM_SIZE + 2) { |
1910 | 0 | gnutls_assert(); |
1911 | 0 | return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; |
1912 | 0 | } |
1913 | | |
1914 | 0 | _gnutls_handshake_log("HSK[%p]: Server's version: %d.%d\n", session, |
1915 | 0 | data[pos], data[pos + 1]); |
1916 | |
|
1917 | 0 | DECR_LEN(len, 2); |
1918 | 0 | major = data[pos]; |
1919 | 0 | minor = data[pos + 1]; |
1920 | |
|
1921 | 0 | saved_vers = get_version( |
1922 | 0 | session); /* will be non-null if HRR has been received */ |
1923 | |
|
1924 | 0 | vers = nversion_to_entry(major, minor); |
1925 | 0 | if (unlikely(vers == NULL)) |
1926 | 0 | return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET); |
1927 | | |
1928 | 0 | if (vers->tls13_sem) /* that shouldn't have been negotiated here */ |
1929 | 0 | return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET); |
1930 | | |
1931 | 0 | if (_gnutls_set_current_version(session, vers->id) < 0) |
1932 | 0 | return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET); |
1933 | | |
1934 | 0 | pos += 2; |
1935 | |
|
1936 | 0 | DECR_LEN(len, GNUTLS_RANDOM_SIZE); |
1937 | 0 | srandom_pos = &data[pos]; |
1938 | 0 | pos += GNUTLS_RANDOM_SIZE; |
1939 | | |
1940 | | /* Read session ID |
1941 | | */ |
1942 | 0 | DECR_LEN(len, 1); |
1943 | 0 | session_id_len = data[pos++]; |
1944 | |
|
1945 | 0 | if (len < session_id_len || |
1946 | 0 | session_id_len > GNUTLS_MAX_SESSION_ID_SIZE) { |
1947 | 0 | gnutls_assert(); |
1948 | 0 | return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; |
1949 | 0 | } |
1950 | 0 | DECR_LEN(len, session_id_len); |
1951 | 0 | session_id = &data[pos]; |
1952 | 0 | pos += session_id_len; |
1953 | |
|
1954 | 0 | DECR_LEN(len, 2); |
1955 | 0 | cs_pos = &data[pos]; |
1956 | 0 | pos += 2; |
1957 | | |
1958 | | /* move to compression |
1959 | | */ |
1960 | 0 | DECR_LEN(len, 1); |
1961 | 0 | comp_pos = &data[pos]; |
1962 | 0 | pos++; |
1963 | | |
1964 | | /* parse extensions to figure version */ |
1965 | 0 | ret = _gnutls_parse_hello_extensions( |
1966 | 0 | session, |
1967 | 0 | GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO | |
1968 | 0 | GNUTLS_EXT_FLAG_TLS13_SERVER_HELLO, |
1969 | 0 | GNUTLS_EXT_VERSION_NEG, &data[pos], len); |
1970 | 0 | if (ret < 0) |
1971 | 0 | return gnutls_assert_val(ret); |
1972 | | |
1973 | 0 | vers = get_version(session); |
1974 | 0 | if (unlikely(vers == NULL)) |
1975 | 0 | return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET); |
1976 | 0 | if (vers->tls13_sem) { |
1977 | 0 | if (major != 0x03 || minor != 0x03) |
1978 | 0 | return gnutls_assert_val( |
1979 | 0 | GNUTLS_E_UNSUPPORTED_VERSION_PACKET); |
1980 | 0 | } |
1981 | | |
1982 | 0 | if (_gnutls_nversion_is_supported(session, vers->major, vers->minor) == |
1983 | 0 | 0) |
1984 | 0 | return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET); |
1985 | | |
1986 | | /* set server random - done after final version is selected */ |
1987 | 0 | ret = _gnutls_set_server_random(session, vers, srandom_pos); |
1988 | 0 | if (ret < 0) |
1989 | 0 | return gnutls_assert_val(ret); |
1990 | | |
1991 | | /* reset keys and binders if we are not using TLS 1.3 */ |
1992 | 0 | if (!vers->tls13_sem) { |
1993 | 0 | gnutls_memset(&session->key.proto.tls13, 0, |
1994 | 0 | sizeof(session->key.proto.tls13)); |
1995 | 0 | reset_binders(session); |
1996 | 0 | } |
1997 | | |
1998 | | /* check if we are resuming and set the appropriate |
1999 | | * values; |
2000 | | */ |
2001 | 0 | if (!vers->tls13_sem && client_check_if_resuming(session, session_id, |
2002 | 0 | session_id_len) == 0) { |
2003 | 0 | ret = _gnutls_parse_hello_extensions( |
2004 | 0 | session, GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO, |
2005 | 0 | GNUTLS_EXT_MANDATORY, &data[pos], len); |
2006 | 0 | if (ret < 0) |
2007 | 0 | return gnutls_assert_val(ret); |
2008 | | |
2009 | 0 | return 0; |
2010 | 0 | } else { |
2011 | 0 | session->security_parameters.session_id_size = session_id_len; |
2012 | 0 | if (session_id_len > 0) |
2013 | 0 | memcpy(session->security_parameters.session_id, |
2014 | 0 | session_id, session_id_len); |
2015 | 0 | } |
2016 | | |
2017 | | /* Check if the given cipher suite is supported and copy |
2018 | | * it to the session. |
2019 | | */ |
2020 | 0 | ret = set_client_ciphersuite(session, cs_pos); |
2021 | 0 | if (ret < 0) { |
2022 | 0 | gnutls_assert(); |
2023 | 0 | return ret; |
2024 | 0 | } |
2025 | | |
2026 | 0 | if (session->internals.hsk_flags & HSK_HRR_RECEIVED) { |
2027 | | /* check if ciphersuite matches */ |
2028 | 0 | if (memcmp(cs_pos, session->internals.hrr_cs, 2) != 0) |
2029 | 0 | return gnutls_assert_val( |
2030 | 0 | GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); |
2031 | | |
2032 | | /* check if HRR version matches this version */ |
2033 | 0 | if (vers != saved_vers) |
2034 | 0 | return gnutls_assert_val( |
2035 | 0 | GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); |
2036 | 0 | } |
2037 | | |
2038 | 0 | if (*comp_pos != 0) |
2039 | 0 | return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); |
2040 | | |
2041 | 0 | if (vers->tls13_sem) |
2042 | 0 | ext_parse_flag |= GNUTLS_EXT_FLAG_TLS13_SERVER_HELLO; |
2043 | 0 | else |
2044 | 0 | ext_parse_flag |= GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO; |
2045 | | |
2046 | | /* Parse extensions in order. |
2047 | | */ |
2048 | 0 | ret = _gnutls_parse_hello_extensions( |
2049 | 0 | session, ext_parse_flag, GNUTLS_EXT_MANDATORY, &data[pos], len); |
2050 | 0 | if (ret < 0) |
2051 | 0 | return gnutls_assert_val(ret); |
2052 | | |
2053 | 0 | if (!vers->tls13_sem) { |
2054 | | /* check if EtM is required */ |
2055 | 0 | if (session->internals.priorities->force_etm && |
2056 | 0 | !session->security_parameters.etm) { |
2057 | 0 | const cipher_entry_st *cipher = |
2058 | 0 | cipher_to_entry(session->security_parameters.cs |
2059 | 0 | ->block_algorithm); |
2060 | 0 | if (_gnutls_cipher_type(cipher) == CIPHER_BLOCK) |
2061 | 0 | return gnutls_assert_val( |
2062 | 0 | GNUTLS_E_UNWANTED_ALGORITHM); |
2063 | 0 | } |
2064 | | |
2065 | | /* check if EMS is required */ |
2066 | 0 | if (vers->id != GNUTLS_SSL3 && vers->id != GNUTLS_DTLS0_9 && |
2067 | 0 | session->internals.priorities->force_ext_master_secret == |
2068 | 0 | EMS_REQUIRE && |
2069 | 0 | !session->security_parameters.ext_master_secret) { |
2070 | 0 | return gnutls_assert_val( |
2071 | 0 | GNUTLS_E_INSUFFICIENT_SECURITY); |
2072 | 0 | } |
2073 | 0 | } |
2074 | | |
2075 | 0 | ret = _gnutls_parse_hello_extensions(session, ext_parse_flag, |
2076 | 0 | GNUTLS_EXT_APPLICATION, &data[pos], |
2077 | 0 | len); |
2078 | 0 | if (ret < 0) |
2079 | 0 | return gnutls_assert_val(ret); |
2080 | | |
2081 | 0 | ret = _gnutls_parse_hello_extensions(session, ext_parse_flag, |
2082 | 0 | GNUTLS_EXT_TLS, &data[pos], len); |
2083 | 0 | if (ret < 0) |
2084 | 0 | return gnutls_assert_val(ret); |
2085 | | |
2086 | 0 | ret = _gnutls_parse_hello_extensions(session, ext_parse_flag, |
2087 | 0 | _GNUTLS_EXT_TLS_POST_CS, |
2088 | 0 | &data[pos], len); |
2089 | 0 | if (ret < 0) |
2090 | 0 | return gnutls_assert_val(ret); |
2091 | | |
2092 | | /* Calculate TLS 1.3 Early Secret */ |
2093 | 0 | if (vers->tls13_sem && |
2094 | 0 | !(session->internals.hsk_flags & HSK_PSK_SELECTED)) { |
2095 | 0 | ret = _tls13_init_secret(session, NULL, 0); |
2096 | 0 | if (ret < 0) |
2097 | 0 | return gnutls_assert_val(ret); |
2098 | 0 | } |
2099 | | |
2100 | 0 | ret = set_auth_types(session); |
2101 | 0 | if (ret < 0) |
2102 | 0 | return gnutls_assert_val(ret); |
2103 | | |
2104 | 0 | session->internals.hsk_flags |= HSK_SERVER_HELLO_RECEIVED; |
2105 | |
|
2106 | 0 | return 0; |
2107 | 0 | } |
2108 | | |
2109 | | /* This function copies the appropriate compression methods, to a locally allocated buffer |
2110 | | * Needed in hello messages. Returns the new data length. |
2111 | | */ |
2112 | | static int append_null_comp(gnutls_session_t session, gnutls_buffer_st *cdata) |
2113 | 0 | { |
2114 | 0 | uint8_t compression_methods[2] = { 0x01, 0x00 }; |
2115 | 0 | size_t init_length = cdata->length; |
2116 | 0 | int ret; |
2117 | |
|
2118 | 0 | ret = _gnutls_buffer_append_data(cdata, compression_methods, 2); |
2119 | 0 | if (ret < 0) |
2120 | 0 | return gnutls_assert_val(ret); |
2121 | | |
2122 | 0 | ret = cdata->length - init_length; |
2123 | |
|
2124 | 0 | return ret; |
2125 | 0 | } |
2126 | | |
2127 | | /* This function sends the client hello handshake message. |
2128 | | */ |
2129 | | static int send_client_hello(gnutls_session_t session, int again) |
2130 | 0 | { |
2131 | 0 | mbuffer_st *bufel = NULL; |
2132 | 0 | int type; |
2133 | 0 | int ret = 0; |
2134 | 0 | const version_entry_st *hver, *min_ver, *max_ver; |
2135 | 0 | uint8_t tver[2]; |
2136 | 0 | gnutls_buffer_st extdata; |
2137 | 0 | bool rehandshake = false; |
2138 | 0 | bool resuming = false; |
2139 | 0 | unsigned add_sr_scsv = 0; |
2140 | 0 | uint8_t *session_id = |
2141 | 0 | session->internals.resumed_security_parameters.session_id; |
2142 | 0 | uint8_t session_id_len = |
2143 | 0 | session->internals.resumed_security_parameters.session_id_size; |
2144 | |
|
2145 | 0 | if (again == 0) { |
2146 | | /* note that rehandshake is different than resuming |
2147 | | */ |
2148 | 0 | if (session->internals.initial_negotiation_completed) |
2149 | 0 | rehandshake = true; |
2150 | |
|
2151 | 0 | ret = _gnutls_buffer_init_handshake_mbuffer(&extdata); |
2152 | 0 | if (ret < 0) |
2153 | 0 | return gnutls_assert_val(ret); |
2154 | | |
2155 | | /* if we are resuming a session then we set the |
2156 | | * version number to the previously established. |
2157 | | */ |
2158 | 0 | if (session->internals.resumption_requested == 0 && |
2159 | 0 | session->internals.premaster_set == 0) { |
2160 | 0 | if (rehandshake) /* already negotiated version thus version_max == negotiated version */ |
2161 | 0 | hver = get_version(session); |
2162 | 0 | else /* new handshake. just get the max */ |
2163 | 0 | hver = _gnutls_legacy_version_max(session); |
2164 | 0 | } else { |
2165 | | /* we are resuming a session */ |
2166 | 0 | resuming = true; |
2167 | |
|
2168 | 0 | hver = session->internals.resumed_security_parameters |
2169 | 0 | .pversion; |
2170 | |
|
2171 | 0 | if (hver && hver->tls13_sem) |
2172 | 0 | hver = _gnutls_legacy_version_max(session); |
2173 | 0 | } |
2174 | |
|
2175 | 0 | if (hver == NULL) { |
2176 | 0 | gnutls_assert(); |
2177 | 0 | if (session->internals.flags & INT_FLAG_NO_TLS13) |
2178 | 0 | ret = GNUTLS_E_INSUFFICIENT_CREDENTIALS; |
2179 | 0 | else |
2180 | 0 | ret = GNUTLS_E_NO_PRIORITIES_WERE_SET; |
2181 | 0 | goto cleanup; |
2182 | 0 | } |
2183 | | |
2184 | 0 | if (unlikely(session->internals.default_hello_version[0] != |
2185 | 0 | 0)) { |
2186 | 0 | tver[0] = session->internals.default_hello_version[0]; |
2187 | 0 | tver[1] = session->internals.default_hello_version[1]; |
2188 | 0 | } else { |
2189 | 0 | tver[0] = hver->major; |
2190 | 0 | tver[1] = hver->minor; |
2191 | 0 | } |
2192 | 0 | ret = _gnutls_buffer_append_data(&extdata, tver, 2); |
2193 | 0 | if (ret < 0) { |
2194 | 0 | gnutls_assert(); |
2195 | 0 | goto cleanup; |
2196 | 0 | } |
2197 | 0 | _gnutls_handshake_log("HSK[%p]: Adv. version: %u.%u\n", session, |
2198 | 0 | (unsigned)tver[0], (unsigned)tver[1]); |
2199 | |
|
2200 | 0 | min_ver = _gnutls_version_lowest(session); |
2201 | 0 | max_ver = _gnutls_version_max(session); |
2202 | 0 | if (min_ver == NULL || max_ver == NULL) { |
2203 | 0 | gnutls_assert(); |
2204 | 0 | ret = GNUTLS_E_NO_PRIORITIES_WERE_SET; |
2205 | 0 | goto cleanup; |
2206 | 0 | } |
2207 | | |
2208 | | /* if we are replying to an HRR the version is already negotiated */ |
2209 | 0 | if (!(session->internals.hsk_flags & HSK_HRR_RECEIVED) || |
2210 | 0 | !get_version(session)) { |
2211 | | /* Set the version we advertised as maximum |
2212 | | * (RSA uses it). */ |
2213 | 0 | set_adv_version(session, hver->major, hver->minor); |
2214 | 0 | if (_gnutls_set_current_version(session, hver->id) < |
2215 | 0 | 0) { |
2216 | 0 | ret = gnutls_assert_val( |
2217 | 0 | GNUTLS_E_UNSUPPORTED_VERSION_PACKET); |
2218 | 0 | goto cleanup; |
2219 | 0 | } |
2220 | 0 | } |
2221 | | |
2222 | 0 | if (session->internals.priorities->min_record_version != 0) { |
2223 | | /* Advertise the lowest supported (SSL 3.0) record packet |
2224 | | * version in record packets during the handshake. |
2225 | | * That is to avoid confusing implementations |
2226 | | * that do not support TLS 1.2 and don't know |
2227 | | * how 3,3 version of record packets look like. |
2228 | | */ |
2229 | 0 | set_default_version(session, min_ver); |
2230 | 0 | } else { |
2231 | 0 | set_default_version(session, hver); |
2232 | 0 | } |
2233 | | |
2234 | | /* In order to know when this session was initiated. |
2235 | | */ |
2236 | 0 | session->security_parameters.timestamp = gnutls_time(NULL); |
2237 | | |
2238 | | /* Generate random data |
2239 | | */ |
2240 | 0 | if (!(session->internals.hsk_flags & HSK_HRR_RECEIVED) && |
2241 | 0 | !(IS_DTLS(session) && |
2242 | 0 | session->internals.dtls.hsk_hello_verify_requests != 0)) { |
2243 | 0 | ret = _gnutls_gen_client_random(session); |
2244 | 0 | if (ret < 0) { |
2245 | 0 | gnutls_assert(); |
2246 | 0 | goto cleanup; |
2247 | 0 | } |
2248 | 0 | } |
2249 | | |
2250 | 0 | ret = _gnutls_buffer_append_data( |
2251 | 0 | &extdata, session->security_parameters.client_random, |
2252 | 0 | GNUTLS_RANDOM_SIZE); |
2253 | 0 | if (ret < 0) { |
2254 | 0 | gnutls_assert(); |
2255 | 0 | goto cleanup; |
2256 | 0 | } |
2257 | | |
2258 | 0 | #ifdef TLS13_APPENDIX_D4 |
2259 | 0 | if (max_ver->tls13_sem && |
2260 | 0 | session->internals.priorities->tls13_compat_mode && |
2261 | 0 | !resuming) { |
2262 | 0 | if (!(session->internals.hsk_flags & |
2263 | 0 | HSK_HRR_RECEIVED)) { |
2264 | | /* Under TLS1.3 we generate a random session ID to make |
2265 | | * the TLS1.3 session look like a resumed TLS1.2 session */ |
2266 | 0 | ret = _gnutls_generate_session_id( |
2267 | 0 | session->security_parameters.session_id, |
2268 | 0 | &session->security_parameters |
2269 | 0 | .session_id_size); |
2270 | 0 | if (ret < 0) { |
2271 | 0 | gnutls_assert(); |
2272 | 0 | goto cleanup; |
2273 | 0 | } |
2274 | 0 | } |
2275 | 0 | session_id = session->security_parameters.session_id; |
2276 | 0 | session_id_len = |
2277 | 0 | session->security_parameters.session_id_size; |
2278 | 0 | } |
2279 | 0 | #endif |
2280 | | |
2281 | | /* Copy the Session ID - if any |
2282 | | */ |
2283 | 0 | ret = _gnutls_buffer_append_data_prefix(&extdata, 8, session_id, |
2284 | 0 | session_id_len); |
2285 | 0 | if (ret < 0) { |
2286 | 0 | gnutls_assert(); |
2287 | 0 | goto cleanup; |
2288 | 0 | } |
2289 | | |
2290 | | /* Copy the DTLS cookie |
2291 | | */ |
2292 | 0 | if (IS_DTLS(session)) { |
2293 | 0 | ret = _gnutls_buffer_append_data_prefix( |
2294 | 0 | &extdata, 8, |
2295 | 0 | session->internals.dtls.dcookie.data, |
2296 | 0 | session->internals.dtls.dcookie.size); |
2297 | 0 | if (ret < 0) { |
2298 | 0 | gnutls_assert(); |
2299 | 0 | goto cleanup; |
2300 | 0 | } |
2301 | 0 | _gnutls_free_datum(&session->internals.dtls.dcookie); |
2302 | 0 | } |
2303 | | |
2304 | | /* Copy the ciphersuites. |
2305 | | */ |
2306 | | #ifdef ENABLE_SSL3 |
2307 | | /* If using SSLv3 Send TLS_RENEGO_PROTECTION_REQUEST SCSV for MITM |
2308 | | * prevention on initial negotiation (but not renegotiation; that's |
2309 | | * handled with the RI extension below). |
2310 | | */ |
2311 | | if (!session->internals.initial_negotiation_completed && |
2312 | | session->security_parameters.entity == GNUTLS_CLIENT && |
2313 | | (hver->id == GNUTLS_SSL3 && |
2314 | | session->internals.priorities->no_extensions != 0)) { |
2315 | | add_sr_scsv = 1; |
2316 | | } |
2317 | | #endif |
2318 | 0 | ret = _gnutls_get_client_ciphersuites(session, &extdata, |
2319 | 0 | min_ver, add_sr_scsv); |
2320 | 0 | if (ret < 0) { |
2321 | 0 | gnutls_assert(); |
2322 | 0 | goto cleanup; |
2323 | 0 | } |
2324 | | |
2325 | | /* Copy the compression methods. |
2326 | | */ |
2327 | 0 | ret = append_null_comp(session, &extdata); |
2328 | 0 | if (ret < 0) { |
2329 | 0 | gnutls_assert(); |
2330 | 0 | goto cleanup; |
2331 | 0 | } |
2332 | | |
2333 | | /* Generate and copy TLS extensions. |
2334 | | */ |
2335 | 0 | if (session->internals.priorities->no_extensions == 0) { |
2336 | 0 | if (_gnutls_version_has_extensions(hver)) { |
2337 | 0 | type = GNUTLS_EXT_ANY; |
2338 | 0 | } else { |
2339 | 0 | type = GNUTLS_EXT_MANDATORY; |
2340 | 0 | } |
2341 | |
|
2342 | 0 | ret = _gnutls_gen_hello_extensions( |
2343 | 0 | session, &extdata, GNUTLS_EXT_FLAG_CLIENT_HELLO, |
2344 | 0 | type); |
2345 | 0 | if (ret < 0) { |
2346 | 0 | gnutls_assert(); |
2347 | 0 | goto cleanup; |
2348 | 0 | } |
2349 | 0 | } |
2350 | | |
2351 | 0 | bufel = _gnutls_buffer_to_mbuffer(&extdata); |
2352 | 0 | } |
2353 | | |
2354 | 0 | ret = _gnutls_send_handshake(session, bufel, |
2355 | 0 | GNUTLS_HANDSHAKE_CLIENT_HELLO); |
2356 | |
|
2357 | 0 | if (session->internals.hsk_flags & HSK_EARLY_DATA_IN_FLIGHT) { |
2358 | 0 | const cipher_entry_st *ce; |
2359 | 0 | const mac_entry_st *me; |
2360 | 0 | record_parameters_st *params; |
2361 | |
|
2362 | 0 | ce = cipher_to_entry( |
2363 | 0 | session->internals.resumed_security_parameters.cs |
2364 | 0 | ->block_algorithm); |
2365 | 0 | me = mac_to_entry(session->internals.resumed_security_parameters |
2366 | 0 | .cs->mac_algorithm); |
2367 | |
|
2368 | 0 | ret = _gnutls_epoch_get(session, EPOCH_NEXT, ¶ms); |
2369 | 0 | if (ret < 0) { |
2370 | 0 | return gnutls_assert_val(ret); |
2371 | 0 | } |
2372 | | |
2373 | 0 | params->cipher = ce; |
2374 | 0 | params->mac = me; |
2375 | |
|
2376 | 0 | ret = _tls13_write_connection_state_init(session, STAGE_EARLY); |
2377 | 0 | if (ret < 0) { |
2378 | 0 | return gnutls_assert_val(ret); |
2379 | 0 | } |
2380 | | |
2381 | 0 | _gnutls_epoch_bump(session); |
2382 | 0 | ret = _gnutls_epoch_dup(session, EPOCH_WRITE_CURRENT); |
2383 | 0 | if (ret < 0) { |
2384 | 0 | return gnutls_assert_val(ret); |
2385 | 0 | } |
2386 | | |
2387 | 0 | ret = _gnutls13_send_early_data(session); |
2388 | 0 | if (ret < 0) { |
2389 | 0 | return gnutls_assert_val(ret); |
2390 | 0 | } |
2391 | 0 | } |
2392 | | |
2393 | 0 | return ret; |
2394 | | |
2395 | 0 | cleanup: |
2396 | 0 | _gnutls_buffer_clear(&extdata); |
2397 | 0 | return ret; |
2398 | 0 | } |
2399 | | |
2400 | | int _gnutls_send_server_hello(gnutls_session_t session, int again) |
2401 | 0 | { |
2402 | 0 | mbuffer_st *bufel = NULL; |
2403 | 0 | gnutls_buffer_st buf; |
2404 | 0 | int ret; |
2405 | 0 | uint8_t session_id_len = session->security_parameters.session_id_size; |
2406 | 0 | char tmpbuf[2 * GNUTLS_MAX_SESSION_ID_SIZE + 1]; |
2407 | 0 | const version_entry_st *vers; |
2408 | 0 | uint8_t vbytes[2]; |
2409 | 0 | unsigned extflag = 0; |
2410 | 0 | gnutls_ext_parse_type_t etype; |
2411 | |
|
2412 | 0 | _gnutls_buffer_init(&buf); |
2413 | |
|
2414 | 0 | if (again == 0) { |
2415 | 0 | vers = get_version(session); |
2416 | 0 | if (unlikely(vers == NULL || |
2417 | 0 | session->security_parameters.cs == NULL)) |
2418 | 0 | return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); |
2419 | | |
2420 | 0 | if (vers->tls13_sem) { |
2421 | 0 | vbytes[0] = 0x03; /* TLS1.2 */ |
2422 | 0 | vbytes[1] = 0x03; |
2423 | 0 | extflag |= GNUTLS_EXT_FLAG_TLS13_SERVER_HELLO; |
2424 | 0 | } else { |
2425 | 0 | vbytes[0] = vers->major; |
2426 | 0 | vbytes[1] = vers->minor; |
2427 | 0 | extflag |= GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO; |
2428 | 0 | } |
2429 | |
|
2430 | 0 | ret = _gnutls_buffer_init_handshake_mbuffer(&buf); |
2431 | 0 | if (ret < 0) { |
2432 | 0 | gnutls_assert(); |
2433 | 0 | goto fail; |
2434 | 0 | } |
2435 | | |
2436 | 0 | ret = _gnutls_buffer_append_data(&buf, vbytes, 2); |
2437 | 0 | if (ret < 0) { |
2438 | 0 | gnutls_assert(); |
2439 | 0 | goto fail; |
2440 | 0 | } |
2441 | | |
2442 | 0 | ret = _gnutls_buffer_append_data( |
2443 | 0 | &buf, session->security_parameters.server_random, |
2444 | 0 | GNUTLS_RANDOM_SIZE); |
2445 | 0 | if (ret < 0) { |
2446 | 0 | gnutls_assert(); |
2447 | 0 | goto fail; |
2448 | 0 | } |
2449 | | |
2450 | 0 | ret = _gnutls_buffer_append_data_prefix( |
2451 | 0 | &buf, 8, session->security_parameters.session_id, |
2452 | 0 | session_id_len); |
2453 | 0 | if (ret < 0) { |
2454 | 0 | gnutls_assert(); |
2455 | 0 | goto fail; |
2456 | 0 | } |
2457 | | |
2458 | 0 | _gnutls_handshake_log( |
2459 | 0 | "HSK[%p]: SessionID: %s\n", session, |
2460 | 0 | _gnutls_bin2hex(session->security_parameters.session_id, |
2461 | 0 | session_id_len, tmpbuf, sizeof(tmpbuf), |
2462 | 0 | NULL)); |
2463 | |
|
2464 | 0 | ret = _gnutls_buffer_append_data( |
2465 | 0 | &buf, session->security_parameters.cs->id, 2); |
2466 | 0 | if (ret < 0) { |
2467 | 0 | gnutls_assert(); |
2468 | 0 | goto fail; |
2469 | 0 | } |
2470 | | |
2471 | | /* compression */ |
2472 | 0 | ret = _gnutls_buffer_append_prefix(&buf, 8, 0); |
2473 | 0 | if (ret < 0) { |
2474 | 0 | gnutls_assert(); |
2475 | 0 | goto fail; |
2476 | 0 | } |
2477 | | |
2478 | 0 | if (!vers->tls13_sem && session->internals.resumed) |
2479 | 0 | etype = GNUTLS_EXT_MANDATORY; |
2480 | 0 | else |
2481 | 0 | etype = GNUTLS_EXT_ANY; |
2482 | 0 | ret = _gnutls_gen_hello_extensions(session, &buf, extflag, |
2483 | 0 | etype); |
2484 | 0 | if (ret < 0) { |
2485 | 0 | gnutls_assert(); |
2486 | 0 | goto fail; |
2487 | 0 | } |
2488 | | |
2489 | 0 | if (vers->tls13_sem) { |
2490 | | /* Under TLS1.3, the session ID is used for different purposes than |
2491 | | * the TLS1.0 session ID. Ensure that there is an internally set |
2492 | | * value which the server will see on the original and resumed sessions */ |
2493 | 0 | ret = _gnutls_generate_session_id( |
2494 | 0 | session->security_parameters.session_id, |
2495 | 0 | &session->security_parameters.session_id_size); |
2496 | 0 | if (ret < 0) { |
2497 | 0 | gnutls_assert(); |
2498 | 0 | goto fail; |
2499 | 0 | } |
2500 | 0 | } |
2501 | | |
2502 | 0 | bufel = _gnutls_buffer_to_mbuffer(&buf); |
2503 | 0 | } |
2504 | | |
2505 | 0 | ret = _gnutls_send_handshake(session, bufel, |
2506 | 0 | GNUTLS_HANDSHAKE_SERVER_HELLO); |
2507 | |
|
2508 | 0 | fail: |
2509 | 0 | _gnutls_buffer_clear(&buf); |
2510 | 0 | return ret; |
2511 | 0 | } |
2512 | | |
2513 | | static int recv_hello_verify_request(gnutls_session_t session, uint8_t *data, |
2514 | | int datalen) |
2515 | 0 | { |
2516 | 0 | ssize_t len = datalen; |
2517 | 0 | size_t pos = 0; |
2518 | 0 | uint8_t cookie_len; |
2519 | 0 | unsigned int nb_verifs; |
2520 | 0 | int ret; |
2521 | |
|
2522 | 0 | if (!IS_DTLS(session)) { |
2523 | 0 | gnutls_assert(); |
2524 | 0 | return GNUTLS_E_UNEXPECTED_PACKET; |
2525 | 0 | } |
2526 | | |
2527 | 0 | nb_verifs = ++session->internals.dtls.hsk_hello_verify_requests; |
2528 | 0 | if (nb_verifs >= MAX_HANDSHAKE_HELLO_VERIFY_REQUESTS) { |
2529 | | /* The server is either buggy, malicious or changing cookie |
2530 | | secrets _way_ too fast. */ |
2531 | 0 | gnutls_assert(); |
2532 | 0 | return GNUTLS_E_UNEXPECTED_PACKET; |
2533 | 0 | } |
2534 | | |
2535 | 0 | DECR_LEN(len, 2); |
2536 | 0 | pos += 2; |
2537 | |
|
2538 | 0 | DECR_LEN(len, 1); |
2539 | 0 | cookie_len = data[pos]; |
2540 | 0 | pos++; |
2541 | |
|
2542 | 0 | if (cookie_len > DTLS_MAX_COOKIE_SIZE) { |
2543 | 0 | gnutls_assert(); |
2544 | 0 | return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; |
2545 | 0 | } |
2546 | | |
2547 | 0 | DECR_LEN(len, cookie_len); |
2548 | | |
2549 | 0 | gnutls_free(session->internals.dtls.dcookie.data); |
2550 | 0 | ret = _gnutls_set_datum(&session->internals.dtls.dcookie, &data[pos], |
2551 | 0 | cookie_len); |
2552 | 0 | if (ret < 0) |
2553 | 0 | return gnutls_assert_val(ret); |
2554 | | |
2555 | 0 | if (len != 0) { |
2556 | 0 | gnutls_assert(); |
2557 | 0 | return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; |
2558 | 0 | } |
2559 | | |
2560 | | /* reset handshake hash buffers */ |
2561 | 0 | handshake_hash_buffer_reset(session); |
2562 | | /* reset extensions used in previous hello */ |
2563 | 0 | session->internals.used_exts = 0; |
2564 | |
|
2565 | 0 | return 0; |
2566 | 0 | } |
2567 | | |
2568 | | /* The packets in gnutls_handshake (it's more broad than original TLS handshake) |
2569 | | * |
2570 | | * Client Server |
2571 | | * |
2572 | | * ClientHello --------> |
2573 | | * <-------- ServerHello |
2574 | | * |
2575 | | * Certificate* |
2576 | | * ServerKeyExchange* |
2577 | | * <-------- CertificateRequest* |
2578 | | * |
2579 | | * <-------- ServerHelloDone |
2580 | | * Certificate* |
2581 | | * ClientKeyExchange |
2582 | | * CertificateVerify* |
2583 | | * [ChangeCipherSpec] |
2584 | | * Finished --------> |
2585 | | * NewSessionTicket |
2586 | | * [ChangeCipherSpec] |
2587 | | * <-------- Finished |
2588 | | * |
2589 | | * (*): means optional packet. |
2590 | | */ |
2591 | | |
2592 | | /* Handshake when resumming session: |
2593 | | * Client Server |
2594 | | * |
2595 | | * ClientHello --------> |
2596 | | * ServerHello |
2597 | | * [ChangeCipherSpec] |
2598 | | * <-------- Finished |
2599 | | * [ChangeCipherSpec] |
2600 | | * Finished --------> |
2601 | | * |
2602 | | */ |
2603 | | |
2604 | | /** |
2605 | | * gnutls_rehandshake: |
2606 | | * @session: is a #gnutls_session_t type. |
2607 | | * |
2608 | | * This function can only be called in server side, and |
2609 | | * instructs a TLS 1.2 or earlier client to renegotiate |
2610 | | * parameters (perform a handshake), by sending a |
2611 | | * hello request message. |
2612 | | * |
2613 | | * If this function succeeds, the calling application |
2614 | | * should call gnutls_record_recv() until %GNUTLS_E_REHANDSHAKE |
2615 | | * is returned to clear any pending data. If the %GNUTLS_E_REHANDSHAKE |
2616 | | * error code is not seen, then the handshake request was |
2617 | | * not followed by the peer (the TLS protocol does not require |
2618 | | * the client to do, and such compliance should be handled |
2619 | | * by the application protocol). |
2620 | | * |
2621 | | * Once the %GNUTLS_E_REHANDSHAKE error code is seen, the |
2622 | | * calling application should proceed to calling |
2623 | | * gnutls_handshake() to negotiate the new |
2624 | | * parameters. |
2625 | | * |
2626 | | * If the client does not wish to renegotiate parameters he |
2627 | | * may reply with an alert message, and in that case the return code seen |
2628 | | * by subsequent gnutls_record_recv() will be |
2629 | | * %GNUTLS_E_WARNING_ALERT_RECEIVED with the specific alert being |
2630 | | * %GNUTLS_A_NO_RENEGOTIATION. A client may also choose to ignore |
2631 | | * this request. |
2632 | | * |
2633 | | * Under TLS 1.3 this function is equivalent to gnutls_session_key_update() |
2634 | | * with the %GNUTLS_KU_PEER flag. In that case subsequent calls to |
2635 | | * gnutls_record_recv() will not return %GNUTLS_E_REHANDSHAKE, and |
2636 | | * calls to gnutls_handshake() in server side are a no-op. |
2637 | | * |
2638 | | * This function always fails with %GNUTLS_E_INVALID_REQUEST when |
2639 | | * called in client side. |
2640 | | * |
2641 | | * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code. |
2642 | | **/ |
2643 | | int gnutls_rehandshake(gnutls_session_t session) |
2644 | 0 | { |
2645 | 0 | int ret; |
2646 | 0 | const version_entry_st *vers = get_version(session); |
2647 | | |
2648 | | /* only server sends that handshake packet */ |
2649 | 0 | if (session->security_parameters.entity == GNUTLS_CLIENT) |
2650 | 0 | return GNUTLS_E_INVALID_REQUEST; |
2651 | | |
2652 | 0 | if (vers->tls13_sem) { |
2653 | 0 | return gnutls_session_key_update(session, GNUTLS_KU_PEER); |
2654 | 0 | } |
2655 | | |
2656 | 0 | _dtls_async_timer_delete(session); |
2657 | |
|
2658 | 0 | ret = _gnutls_send_empty_handshake( |
2659 | 0 | session, GNUTLS_HANDSHAKE_HELLO_REQUEST, AGAIN(STATE50)); |
2660 | 0 | STATE = STATE50; |
2661 | |
|
2662 | 0 | if (ret < 0) { |
2663 | 0 | gnutls_assert(); |
2664 | 0 | return ret; |
2665 | 0 | } |
2666 | 0 | STATE = STATE0; |
2667 | |
|
2668 | 0 | return 0; |
2669 | 0 | } |
2670 | | |
2671 | | /* This function checks whether the error code should be treated fatal |
2672 | | * or not, and also does the necessary state transition. In |
2673 | | * particular, in the case of a rehandshake abort it resets the |
2674 | | * handshake's internal state. |
2675 | | */ |
2676 | | inline static int _gnutls_abort_handshake(gnutls_session_t session, int ret) |
2677 | 0 | { |
2678 | 0 | switch (ret) { |
2679 | 0 | case GNUTLS_E_WARNING_ALERT_RECEIVED: |
2680 | 0 | if (gnutls_alert_get(session) == GNUTLS_A_NO_RENEGOTIATION) { |
2681 | | /* The server always toleretes a "no_renegotiation" alert. */ |
2682 | 0 | if (session->security_parameters.entity == |
2683 | 0 | GNUTLS_SERVER) { |
2684 | 0 | STATE = STATE0; |
2685 | 0 | return ret; |
2686 | 0 | } |
2687 | | |
2688 | | /* The client should tolerete a "no_renegotiation" alert only if: |
2689 | | * - the initial handshake has completed, or |
2690 | | * - a Server Hello is not yet received |
2691 | | */ |
2692 | 0 | if (session->internals.initial_negotiation_completed || |
2693 | 0 | !(session->internals.hsk_flags & |
2694 | 0 | HSK_SERVER_HELLO_RECEIVED)) { |
2695 | 0 | STATE = STATE0; |
2696 | 0 | return ret; |
2697 | 0 | } |
2698 | | |
2699 | 0 | return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET); |
2700 | 0 | } |
2701 | 0 | return ret; |
2702 | 0 | case GNUTLS_E_GOT_APPLICATION_DATA: |
2703 | 0 | STATE = STATE0; |
2704 | 0 | return ret; |
2705 | 0 | default: |
2706 | 0 | return ret; |
2707 | 0 | } |
2708 | 0 | } |
2709 | | |
2710 | | static int _gnutls_send_supplemental(gnutls_session_t session, int again) |
2711 | 0 | { |
2712 | 0 | mbuffer_st *bufel = NULL; |
2713 | 0 | int ret = 0; |
2714 | |
|
2715 | 0 | _gnutls_debug_log("EXT[%p]: Sending supplemental data\n", session); |
2716 | |
|
2717 | 0 | if (!again) { |
2718 | 0 | gnutls_buffer_st buf; |
2719 | 0 | ret = _gnutls_buffer_init_handshake_mbuffer(&buf); |
2720 | 0 | if (ret < 0) |
2721 | 0 | return gnutls_assert_val(ret); |
2722 | | |
2723 | 0 | ret = _gnutls_gen_supplemental(session, &buf); |
2724 | 0 | if (ret < 0) { |
2725 | 0 | gnutls_assert(); |
2726 | 0 | _gnutls_buffer_clear(&buf); |
2727 | 0 | return ret; |
2728 | 0 | } |
2729 | | |
2730 | 0 | bufel = _gnutls_buffer_to_mbuffer(&buf); |
2731 | 0 | } |
2732 | | |
2733 | 0 | return _gnutls_send_handshake(session, bufel, |
2734 | 0 | GNUTLS_HANDSHAKE_SUPPLEMENTAL); |
2735 | 0 | } |
2736 | | |
2737 | | static int _gnutls_recv_supplemental(gnutls_session_t session) |
2738 | 0 | { |
2739 | 0 | gnutls_buffer_st buf; |
2740 | 0 | int ret; |
2741 | |
|
2742 | 0 | _gnutls_debug_log("EXT[%p]: Expecting supplemental data\n", session); |
2743 | |
|
2744 | 0 | ret = _gnutls_recv_handshake(session, GNUTLS_HANDSHAKE_SUPPLEMENTAL, 1, |
2745 | 0 | &buf); |
2746 | 0 | if (ret < 0) { |
2747 | 0 | gnutls_assert(); |
2748 | 0 | return ret; |
2749 | 0 | } |
2750 | | |
2751 | 0 | ret = _gnutls_parse_supplemental(session, buf.data, buf.length); |
2752 | 0 | if (ret < 0) { |
2753 | 0 | gnutls_assert(); |
2754 | 0 | goto cleanup; |
2755 | 0 | } |
2756 | | |
2757 | 0 | cleanup: |
2758 | 0 | _gnutls_buffer_clear(&buf); |
2759 | |
|
2760 | 0 | return ret; |
2761 | 0 | } |
2762 | | |
2763 | | /** |
2764 | | * gnutls_handshake: |
2765 | | * @session: is a #gnutls_session_t type. |
2766 | | * |
2767 | | * This function performs the handshake of the TLS/SSL protocol, and |
2768 | | * initializes the TLS session parameters. |
2769 | | * |
2770 | | * The non-fatal errors expected by this function are: |
2771 | | * %GNUTLS_E_INTERRUPTED, %GNUTLS_E_AGAIN, |
2772 | | * %GNUTLS_E_WARNING_ALERT_RECEIVED. When this function is called |
2773 | | * for re-handshake under TLS 1.2 or earlier, the non-fatal error code |
2774 | | * %GNUTLS_E_GOT_APPLICATION_DATA may also be returned. |
2775 | | * |
2776 | | * The former two interrupt the handshake procedure due to the transport |
2777 | | * layer being interrupted, and the latter because of a "warning" alert that |
2778 | | * was sent by the peer (it is always a good idea to check any |
2779 | | * received alerts). On these non-fatal errors call this function again, |
2780 | | * until it returns 0; cf. gnutls_record_get_direction() and |
2781 | | * gnutls_error_is_fatal(). In DTLS sessions the non-fatal error |
2782 | | * %GNUTLS_E_LARGE_PACKET is also possible, and indicates that |
2783 | | * the MTU should be adjusted. |
2784 | | * |
2785 | | * When this function is called by a server after a rehandshake request |
2786 | | * under TLS 1.2 or earlier the %GNUTLS_E_GOT_APPLICATION_DATA error code indicates |
2787 | | * that some data were pending prior to peer initiating the handshake. |
2788 | | * Under TLS 1.3 this function when called after a successful handshake, is a no-op |
2789 | | * and always succeeds in server side; in client side this function is |
2790 | | * equivalent to gnutls_session_key_update() with %GNUTLS_KU_PEER flag. |
2791 | | * |
2792 | | * This function handles both full and abbreviated TLS handshakes (resumption). |
2793 | | * For abbreviated handshakes, in client side, the gnutls_session_set_data() |
2794 | | * should be called prior to this function to set parameters from a previous session. |
2795 | | * In server side, resumption is handled by either setting a DB back-end, or setting |
2796 | | * up keys for session tickets. |
2797 | | * |
2798 | | * Returns: %GNUTLS_E_SUCCESS on a successful handshake, otherwise a negative error code. |
2799 | | **/ |
2800 | | int gnutls_handshake(gnutls_session_t session) |
2801 | 0 | { |
2802 | 0 | const version_entry_st *vers = get_version(session); |
2803 | 0 | int ret; |
2804 | |
|
2805 | 0 | if (unlikely(session->internals.initial_negotiation_completed)) { |
2806 | 0 | if (vers->tls13_sem) { |
2807 | 0 | if (session->security_parameters.entity == |
2808 | 0 | GNUTLS_CLIENT) { |
2809 | 0 | return gnutls_session_key_update( |
2810 | 0 | session, GNUTLS_KU_PEER); |
2811 | 0 | } else { |
2812 | | /* This is a no-op for a server under TLS 1.3, as |
2813 | | * a server has already called gnutls_rehandshake() |
2814 | | * which performed a key update. |
2815 | | */ |
2816 | 0 | return 0; |
2817 | 0 | } |
2818 | 0 | } |
2819 | 0 | } |
2820 | | |
2821 | 0 | if (STATE == STATE0) { |
2822 | 0 | unsigned int tmo_ms; |
2823 | 0 | struct timespec *end; |
2824 | 0 | struct timespec *start; |
2825 | | |
2826 | | /* first call */ |
2827 | 0 | if (session->internals.priorities == NULL || |
2828 | 0 | session->internals.priorities->cs.size == 0) |
2829 | 0 | return gnutls_assert_val( |
2830 | 0 | GNUTLS_E_NO_PRIORITIES_WERE_SET); |
2831 | | |
2832 | 0 | ret = _gnutls_epoch_setup_next(session, 0, NULL); |
2833 | 0 | if (ret < 0) |
2834 | 0 | return gnutls_assert_val(ret); |
2835 | | |
2836 | 0 | session->internals.used_exts = 0; |
2837 | 0 | session->internals.hsk_flags = 0; |
2838 | 0 | session->internals.handshake_in_progress = 1; |
2839 | 0 | session->internals.vc_status = -1; |
2840 | 0 | gnutls_gettime(&session->internals.handshake_start_time); |
2841 | |
|
2842 | 0 | tmo_ms = session->internals.handshake_timeout_ms; |
2843 | 0 | end = &session->internals.handshake_abs_timeout; |
2844 | 0 | start = &session->internals.handshake_start_time; |
2845 | |
|
2846 | 0 | if (tmo_ms && end->tv_sec == 0 && end->tv_nsec == 0) { |
2847 | 0 | end->tv_sec = start->tv_sec + |
2848 | 0 | (start->tv_nsec + tmo_ms * 1000000LL) / |
2849 | 0 | 1000000000LL; |
2850 | 0 | end->tv_nsec = (start->tv_nsec + tmo_ms * 1000000LL) % |
2851 | 0 | 1000000000LL; |
2852 | 0 | } |
2853 | |
|
2854 | | #ifdef ENABLE_KTLS |
2855 | | if (_gnutls_config_is_ktls_enabled()) { |
2856 | | if ((session->internals.pull_func && |
2857 | | session->internals.pull_func != system_read) || |
2858 | | session->internals.push_func) { |
2859 | | _gnutls_audit_log( |
2860 | | session, "Not enabling KTLS with " |
2861 | | "custom pull/push function\n"); |
2862 | | } else { |
2863 | | _gnutls_ktls_enable(session); |
2864 | | } |
2865 | | } |
2866 | | #endif |
2867 | 0 | } |
2868 | | |
2869 | 0 | if (session->internals.recv_state == RECV_STATE_FALSE_START) { |
2870 | 0 | session_invalidate(session); |
2871 | 0 | return gnutls_assert_val(GNUTLS_E_HANDSHAKE_DURING_FALSE_START); |
2872 | 0 | } |
2873 | | |
2874 | 0 | if (session->security_parameters.entity == GNUTLS_CLIENT) { |
2875 | 0 | do { |
2876 | 0 | ret = handshake_client(session); |
2877 | 0 | } while (ret == 1); |
2878 | 0 | } else { |
2879 | 0 | ret = handshake_server(session); |
2880 | 0 | } |
2881 | |
|
2882 | 0 | if (ret < 0) { |
2883 | 0 | return _gnutls_abort_handshake(session, ret); |
2884 | 0 | } |
2885 | | |
2886 | | /* clear handshake buffer */ |
2887 | 0 | if (session->internals.recv_state != RECV_STATE_FALSE_START && |
2888 | 0 | session->internals.recv_state != RECV_STATE_EARLY_START) { |
2889 | 0 | _gnutls_handshake_hash_buffers_clear(session); |
2890 | |
|
2891 | 0 | if (IS_DTLS(session) == 0) { |
2892 | 0 | _gnutls_handshake_io_buffer_clear(session); |
2893 | 0 | } else { |
2894 | 0 | _dtls_async_timer_init(session); |
2895 | 0 | } |
2896 | |
|
2897 | 0 | _gnutls_handshake_internal_state_clear(session); |
2898 | |
|
2899 | 0 | _gnutls_buffer_clear(&session->internals.record_presend_buffer); |
2900 | |
|
2901 | 0 | _gnutls_epoch_bump(session); |
2902 | 0 | } |
2903 | | |
2904 | | /* Give an estimation of the round-trip under TLS1.3, used by gnutls_session_get_data2() */ |
2905 | 0 | if (!IS_SERVER(session) && vers->tls13_sem) { |
2906 | 0 | struct timespec handshake_finish_time; |
2907 | 0 | gnutls_gettime(&handshake_finish_time); |
2908 | |
|
2909 | 0 | if (!(session->internals.hsk_flags & HSK_HRR_RECEIVED)) { |
2910 | 0 | session->internals.ertt = |
2911 | 0 | timespec_sub_ms( |
2912 | 0 | &handshake_finish_time, |
2913 | 0 | &session->internals |
2914 | 0 | .handshake_start_time) / |
2915 | 0 | 2; |
2916 | 0 | } else { |
2917 | 0 | session->internals.ertt = |
2918 | 0 | timespec_sub_ms( |
2919 | 0 | &handshake_finish_time, |
2920 | 0 | &session->internals |
2921 | 0 | .handshake_start_time) / |
2922 | 0 | 4; |
2923 | 0 | } |
2924 | 0 | } |
2925 | |
|
2926 | | #ifdef ENABLE_KTLS |
2927 | | if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_DUPLEX)) { |
2928 | | ret = _gnutls_ktls_set_keys(session, GNUTLS_KTLS_DUPLEX); |
2929 | | if (ret < 0) { |
2930 | | /* no need to invalidate the session as keys were not set */ |
2931 | | session->internals.ktls_enabled = 0; |
2932 | | _gnutls_audit_log( |
2933 | | session, |
2934 | | "disabling KTLS: failed to set keys\n"); |
2935 | | } |
2936 | | } |
2937 | | #endif |
2938 | |
|
2939 | 0 | return 0; |
2940 | 0 | } |
2941 | | |
2942 | | /** |
2943 | | * gnutls_handshake_set_timeout: |
2944 | | * @session: is a #gnutls_session_t type. |
2945 | | * @ms: is a timeout value in milliseconds |
2946 | | * |
2947 | | * This function sets the timeout for the TLS handshake process |
2948 | | * to the provided value. Use an @ms value of zero to disable |
2949 | | * timeout, or %GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT for a reasonable |
2950 | | * default value. For the DTLS protocol, the more detailed |
2951 | | * gnutls_dtls_set_timeouts() is provided. |
2952 | | * |
2953 | | * This function requires to set a pull timeout callback. See |
2954 | | * gnutls_transport_set_pull_timeout_function(). |
2955 | | * |
2956 | | * Since: 3.1.0 |
2957 | | **/ |
2958 | | void gnutls_handshake_set_timeout(gnutls_session_t session, unsigned int ms) |
2959 | 0 | { |
2960 | 0 | if (ms == GNUTLS_INDEFINITE_TIMEOUT) { |
2961 | 0 | session->internals.handshake_timeout_ms = 0; |
2962 | 0 | return; |
2963 | 0 | } |
2964 | | |
2965 | 0 | if (ms == GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT) |
2966 | 0 | ms = DEFAULT_HANDSHAKE_TIMEOUT_MS; |
2967 | |
|
2968 | 0 | if (IS_DTLS(session)) { |
2969 | 0 | gnutls_dtls_set_timeouts(session, DTLS_RETRANS_TIMEOUT, ms); |
2970 | 0 | return; |
2971 | 0 | } |
2972 | | |
2973 | 0 | session->internals.handshake_timeout_ms = ms; |
2974 | 0 | } |
2975 | | |
2976 | | /* Runs the certificate verification callback. |
2977 | | * side is the side that we verify the certificate |
2978 | | * from (either GNUTLS_CLIENT or GNUTLS_SERVER). |
2979 | | */ |
2980 | | int _gnutls_run_verify_callback(gnutls_session_t session, unsigned int side) |
2981 | 0 | { |
2982 | 0 | gnutls_certificate_credentials_t cred; |
2983 | 0 | int ret, type; |
2984 | |
|
2985 | 0 | if (session->internals.hsk_flags & HSK_PSK_SELECTED) |
2986 | 0 | return 0; |
2987 | | |
2988 | 0 | cred = (gnutls_certificate_credentials_t)_gnutls_get_cred( |
2989 | 0 | session, GNUTLS_CRD_CERTIFICATE); |
2990 | |
|
2991 | 0 | if (side == GNUTLS_CLIENT) |
2992 | 0 | type = gnutls_auth_server_get_type(session); |
2993 | 0 | else |
2994 | 0 | type = gnutls_auth_client_get_type(session); |
2995 | |
|
2996 | 0 | if (type != GNUTLS_CRD_CERTIFICATE) |
2997 | 0 | return 0; |
2998 | | |
2999 | | /* verify whether the certificate of the peer remained the same |
3000 | | * as with any previous handshakes */ |
3001 | 0 | if (cred != NULL) { |
3002 | 0 | ret = _gnutls_check_if_cert_hash_is_same(session, cred); |
3003 | 0 | if (ret < 0) { |
3004 | 0 | return gnutls_assert_val(ret); |
3005 | 0 | } |
3006 | 0 | } |
3007 | | |
3008 | 0 | if (cred != NULL && |
3009 | 0 | (cred->verify_callback != NULL || |
3010 | 0 | session->internals.verify_callback != NULL) && |
3011 | 0 | (session->security_parameters.entity == GNUTLS_CLIENT || |
3012 | 0 | session->internals.send_cert_req != GNUTLS_CERT_IGNORE)) { |
3013 | 0 | if (session->internals.verify_callback) |
3014 | 0 | ret = session->internals.verify_callback(session); |
3015 | 0 | else |
3016 | 0 | ret = cred->verify_callback(session); |
3017 | 0 | if (ret < -1) |
3018 | 0 | return gnutls_assert_val(ret); |
3019 | 0 | else if (ret != 0) |
3020 | 0 | return gnutls_assert_val(GNUTLS_E_CERTIFICATE_ERROR); |
3021 | 0 | } |
3022 | | |
3023 | 0 | return 0; |
3024 | 0 | } |
3025 | | |
3026 | | static bool can_send_false_start(gnutls_session_t session) |
3027 | 0 | { |
3028 | 0 | const version_entry_st *vers; |
3029 | |
|
3030 | 0 | vers = get_version(session); |
3031 | 0 | if (unlikely(vers == NULL || !vers->false_start)) |
3032 | 0 | return 0; |
3033 | | |
3034 | 0 | if (session->internals.selected_cert_list != NULL) |
3035 | 0 | return 0; |
3036 | | |
3037 | 0 | if (!_gnutls_kx_allows_false_start(session)) |
3038 | 0 | return 0; |
3039 | | |
3040 | 0 | return 1; |
3041 | 0 | } |
3042 | | |
3043 | | /* |
3044 | | * handshake_client |
3045 | | * This function performs the client side of the handshake of the TLS/SSL protocol. |
3046 | | */ |
3047 | | static int handshake_client(gnutls_session_t session) |
3048 | 0 | { |
3049 | 0 | int ret = 0; |
3050 | 0 | const version_entry_st *ver; |
3051 | |
|
3052 | 0 | reset: |
3053 | 0 | if (STATE >= STATE99) |
3054 | 0 | return _gnutls13_handshake_client(session); |
3055 | | |
3056 | 0 | switch (STATE) { |
3057 | 0 | case STATE0: |
3058 | 0 | case STATE1: |
3059 | 0 | ret = send_client_hello(session, AGAIN(STATE1)); |
3060 | 0 | STATE = STATE1; |
3061 | 0 | IMED_RET("send hello", ret, 1); |
3062 | 0 | FALLTHROUGH; |
3063 | 0 | case STATE2: |
3064 | 0 | if (IS_DTLS(session)) { |
3065 | 0 | ret = _gnutls_recv_handshake( |
3066 | 0 | session, GNUTLS_HANDSHAKE_HELLO_VERIFY_REQUEST, |
3067 | 0 | 1, NULL); |
3068 | 0 | STATE = STATE2; |
3069 | 0 | IMED_RET("recv hello verify", ret, 1); |
3070 | | |
3071 | 0 | if (ret == 1) { |
3072 | 0 | STATE = STATE0; |
3073 | 0 | return 1; |
3074 | 0 | } |
3075 | 0 | } else { |
3076 | 0 | ret = _gnutls_recv_handshake( |
3077 | 0 | session, GNUTLS_HANDSHAKE_HELLO_RETRY_REQUEST, |
3078 | 0 | 1, NULL); |
3079 | 0 | STATE = STATE2; |
3080 | 0 | IMED_RET("recv hello retry", ret, 1); |
3081 | | |
3082 | 0 | if (ret == 1) { |
3083 | 0 | STATE = STATE0; |
3084 | 0 | return 1; |
3085 | 0 | } |
3086 | 0 | } |
3087 | 0 | FALLTHROUGH; |
3088 | 0 | case STATE3: |
3089 | | /* receive the server hello */ |
3090 | 0 | ret = _gnutls_recv_handshake( |
3091 | 0 | session, GNUTLS_HANDSHAKE_SERVER_HELLO, 0, NULL); |
3092 | 0 | STATE = STATE3; |
3093 | 0 | IMED_RET("recv hello", ret, 1); |
3094 | 0 | FALLTHROUGH; |
3095 | 0 | case STATE4: |
3096 | 0 | ver = get_version(session); |
3097 | 0 | if (ver->tls13_sem) { /* TLS 1.3 state machine */ |
3098 | 0 | STATE = STATE99; |
3099 | 0 | goto reset; |
3100 | 0 | } |
3101 | | |
3102 | 0 | ret = _gnutls_ext_sr_verify(session); |
3103 | 0 | STATE = STATE4; |
3104 | 0 | IMED_RET_FATAL("recv hello", ret, 0); |
3105 | 0 | FALLTHROUGH; |
3106 | 0 | case STATE5: |
3107 | 0 | if (session->security_parameters.do_recv_supplemental) { |
3108 | 0 | ret = _gnutls_recv_supplemental(session); |
3109 | 0 | STATE = STATE5; |
3110 | 0 | IMED_RET("recv supplemental", ret, 1); |
3111 | 0 | } |
3112 | 0 | FALLTHROUGH; |
3113 | 0 | case STATE6: |
3114 | | /* RECV CERTIFICATE */ |
3115 | 0 | if (!session->internals.resumed) /* if we are not resuming */ |
3116 | 0 | ret = _gnutls_recv_server_certificate(session); |
3117 | 0 | STATE = STATE6; |
3118 | 0 | IMED_RET("recv server certificate", ret, 1); |
3119 | 0 | FALLTHROUGH; |
3120 | 0 | case STATE7: |
3121 | 0 | #ifdef ENABLE_OCSP |
3122 | | /* RECV CERTIFICATE STATUS */ |
3123 | 0 | if (!session->internals.resumed) /* if we are not resuming */ |
3124 | 0 | ret = _gnutls_recv_server_certificate_status(session); |
3125 | 0 | STATE = STATE7; |
3126 | 0 | IMED_RET("recv server certificate", ret, 1); |
3127 | 0 | #endif |
3128 | 0 | FALLTHROUGH; |
3129 | 0 | case STATE8: |
3130 | 0 | ret = _gnutls_run_verify_callback(session, GNUTLS_CLIENT); |
3131 | 0 | STATE = STATE8; |
3132 | 0 | if (ret < 0) |
3133 | 0 | return gnutls_assert_val(ret); |
3134 | |
|
3135 | 0 | FALLTHROUGH; |
3136 | 0 | case STATE9: |
3137 | | /* receive the server key exchange */ |
3138 | 0 | if (!session->internals.resumed) /* if we are not resuming */ |
3139 | 0 | ret = _gnutls_recv_server_kx_message(session); |
3140 | 0 | STATE = STATE9; |
3141 | 0 | IMED_RET("recv server kx message", ret, 1); |
3142 | 0 | FALLTHROUGH; |
3143 | 0 | case STATE10: |
3144 | | /* receive the server certificate request - if any |
3145 | | */ |
3146 | |
|
3147 | 0 | if (!session->internals.resumed) /* if we are not resuming */ |
3148 | 0 | ret = _gnutls_recv_server_crt_request(session); |
3149 | 0 | STATE = STATE10; |
3150 | 0 | IMED_RET("recv server certificate request message", ret, 1); |
3151 | 0 | FALLTHROUGH; |
3152 | 0 | case STATE11: |
3153 | | /* receive the server hello done */ |
3154 | 0 | if (!session->internals.resumed) /* if we are not resuming */ |
3155 | 0 | ret = _gnutls_recv_handshake( |
3156 | 0 | session, GNUTLS_HANDSHAKE_SERVER_HELLO_DONE, 0, |
3157 | 0 | NULL); |
3158 | 0 | STATE = STATE11; |
3159 | 0 | IMED_RET("recv server hello done", ret, 1); |
3160 | 0 | FALLTHROUGH; |
3161 | 0 | case STATE12: |
3162 | 0 | if (session->security_parameters.do_send_supplemental) { |
3163 | 0 | ret = _gnutls_send_supplemental(session, |
3164 | 0 | AGAIN(STATE12)); |
3165 | 0 | STATE = STATE12; |
3166 | 0 | IMED_RET("send supplemental", ret, 0); |
3167 | 0 | } |
3168 | 0 | FALLTHROUGH; |
3169 | 0 | case STATE13: |
3170 | | /* send our certificate - if any and if requested |
3171 | | */ |
3172 | 0 | if (!session->internals.resumed) /* if we are not resuming */ |
3173 | 0 | ret = _gnutls_send_client_certificate(session, |
3174 | 0 | AGAIN(STATE13)); |
3175 | 0 | STATE = STATE13; |
3176 | 0 | IMED_RET("send client certificate", ret, 0); |
3177 | 0 | FALLTHROUGH; |
3178 | 0 | case STATE14: |
3179 | 0 | if (!session->internals.resumed) /* if we are not resuming */ |
3180 | 0 | ret = _gnutls_send_client_kx_message(session, |
3181 | 0 | AGAIN(STATE14)); |
3182 | 0 | STATE = STATE14; |
3183 | 0 | IMED_RET("send client kx", ret, 0); |
3184 | 0 | FALLTHROUGH; |
3185 | 0 | case STATE15: |
3186 | | /* send client certificate verify */ |
3187 | 0 | if (!session->internals.resumed) /* if we are not resuming */ |
3188 | 0 | ret = _gnutls_send_client_certificate_verify( |
3189 | 0 | session, AGAIN(STATE15)); |
3190 | 0 | STATE = STATE15; |
3191 | 0 | IMED_RET("send client certificate verify", ret, 1); |
3192 | 0 | FALLTHROUGH; |
3193 | 0 | case STATE16: |
3194 | 0 | STATE = STATE16; |
3195 | 0 | if (!session->internals.resumed) { |
3196 | 0 | ret = send_handshake_final(session, true); |
3197 | 0 | IMED_RET("send handshake final 2", ret, 1); |
3198 | 0 | } else { |
3199 | 0 | ret = _gnutls_recv_new_session_ticket(session); |
3200 | 0 | IMED_RET("recv handshake new session ticket", ret, 1); |
3201 | 0 | } |
3202 | 0 | FALLTHROUGH; |
3203 | 0 | case STATE17: |
3204 | 0 | STATE = STATE17; |
3205 | 0 | if (!session->internals.resumed && |
3206 | 0 | (session->internals.flags & GNUTLS_ENABLE_FALSE_START) && |
3207 | 0 | can_send_false_start(session)) { |
3208 | 0 | session->internals.hsk_flags |= HSK_FALSE_START_USED; |
3209 | 0 | session->internals.recv_state = RECV_STATE_FALSE_START; |
3210 | | /* complete this phase of the handshake. We |
3211 | | * should be called again by gnutls_record_recv() |
3212 | | */ |
3213 | 0 | STATE = STATE18; |
3214 | 0 | gnutls_assert(); |
3215 | |
|
3216 | 0 | return 0; |
3217 | 0 | } |
3218 | 0 | FALLTHROUGH; |
3219 | 0 | case STATE18: |
3220 | 0 | STATE = STATE18; |
3221 | |
|
3222 | 0 | if (!session->internals.resumed) { |
3223 | 0 | ret = _gnutls_recv_new_session_ticket(session); |
3224 | 0 | IMED_RET("recv handshake new session ticket", ret, 1); |
3225 | 0 | } else { |
3226 | 0 | ret = recv_handshake_final(session, true); |
3227 | 0 | IMED_RET("recv handshake final", ret, 1); |
3228 | 0 | } |
3229 | 0 | FALLTHROUGH; |
3230 | 0 | case STATE19: |
3231 | 0 | STATE = STATE19; |
3232 | 0 | if (!session->internals.resumed) { |
3233 | 0 | ret = recv_handshake_final(session, false); |
3234 | 0 | IMED_RET("recv handshake final 2", ret, 1); |
3235 | 0 | } else { |
3236 | 0 | ret = send_handshake_final(session, false); |
3237 | 0 | IMED_RET("send handshake final", ret, 1); |
3238 | 0 | } |
3239 | | |
3240 | 0 | STATE = STATE0; |
3241 | 0 | FALLTHROUGH; |
3242 | 0 | default: |
3243 | 0 | break; |
3244 | 0 | } |
3245 | | |
3246 | | /* explicitly reset any false start flags */ |
3247 | 0 | gnutls_mutex_lock(&session->internals.post_negotiation_lock); |
3248 | 0 | session->internals.initial_negotiation_completed = 1; |
3249 | 0 | session->internals.recv_state = RECV_STATE_0; |
3250 | 0 | gnutls_mutex_unlock(&session->internals.post_negotiation_lock); |
3251 | |
|
3252 | 0 | return 0; |
3253 | 0 | } |
3254 | | |
3255 | | /* This function is to be called if the handshake was successfully |
3256 | | * completed. This sends a Change Cipher Spec packet to the peer. |
3257 | | */ |
3258 | | ssize_t _gnutls_send_change_cipher_spec(gnutls_session_t session, int again) |
3259 | 0 | { |
3260 | 0 | uint8_t *data; |
3261 | 0 | mbuffer_st *bufel; |
3262 | 0 | int ret; |
3263 | 0 | const version_entry_st *vers; |
3264 | |
|
3265 | 0 | if (again == 0) { |
3266 | 0 | bufel = _gnutls_handshake_alloc(session, |
3267 | 0 | 3); /* max for DTLS0.9 */ |
3268 | 0 | if (bufel == NULL) |
3269 | 0 | return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); |
3270 | | |
3271 | 0 | vers = get_version(session); |
3272 | 0 | if (unlikely(vers == NULL)) |
3273 | 0 | return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); |
3274 | | |
3275 | 0 | if (vers->id == GNUTLS_DTLS0_9) |
3276 | 0 | _mbuffer_set_uhead_size(bufel, 3); |
3277 | 0 | else |
3278 | 0 | _mbuffer_set_uhead_size(bufel, 1); |
3279 | 0 | _mbuffer_set_udata_size(bufel, 0); |
3280 | |
|
3281 | 0 | data = _mbuffer_get_uhead_ptr(bufel); |
3282 | |
|
3283 | 0 | data[0] = 1; |
3284 | 0 | if (vers->id == GNUTLS_DTLS0_9) { |
3285 | 0 | _gnutls_write_uint16( |
3286 | 0 | session->internals.dtls.hsk_write_seq, |
3287 | 0 | &data[1]); |
3288 | 0 | session->internals.dtls.hsk_write_seq++; |
3289 | 0 | } |
3290 | |
|
3291 | 0 | ret = _gnutls_call_hook_func( |
3292 | 0 | session, GNUTLS_HANDSHAKE_CHANGE_CIPHER_SPEC, |
3293 | 0 | GNUTLS_HOOK_PRE, 0, data, 1); |
3294 | 0 | if (ret < 0) { |
3295 | 0 | _mbuffer_xfree(&bufel); |
3296 | 0 | return gnutls_assert_val(ret); |
3297 | 0 | } |
3298 | | |
3299 | 0 | ret = _gnutls_handshake_io_cache_int( |
3300 | 0 | session, GNUTLS_HANDSHAKE_CHANGE_CIPHER_SPEC, bufel); |
3301 | 0 | if (ret < 0) { |
3302 | 0 | _mbuffer_xfree(&bufel); |
3303 | 0 | return gnutls_assert_val(ret); |
3304 | 0 | } |
3305 | | |
3306 | 0 | ret = _gnutls_call_hook_func( |
3307 | 0 | session, GNUTLS_HANDSHAKE_CHANGE_CIPHER_SPEC, |
3308 | 0 | GNUTLS_HOOK_POST, 0, data, 1); |
3309 | 0 | if (ret < 0) { |
3310 | 0 | return gnutls_assert_val(ret); |
3311 | 0 | } |
3312 | | |
3313 | | /* under TLS 1.3, CCS may be immediately followed by |
3314 | | * receiving ClientHello thus cannot be cached */ |
3315 | 0 | if (vers->tls13_sem) { |
3316 | 0 | ret = _gnutls_handshake_io_write_flush(session); |
3317 | 0 | if (ret < 0) |
3318 | 0 | return gnutls_assert_val(ret); |
3319 | 0 | } |
3320 | | |
3321 | 0 | _gnutls_handshake_log("REC[%p]: Sent ChangeCipherSpec\n", |
3322 | 0 | session); |
3323 | 0 | } |
3324 | | |
3325 | 0 | return 0; |
3326 | 0 | } |
3327 | | |
3328 | | /* This function sends the final handshake packets and initializes connection |
3329 | | */ |
3330 | | static int send_handshake_final(gnutls_session_t session, int init) |
3331 | 0 | { |
3332 | 0 | int ret = 0; |
3333 | | |
3334 | | /* Send the CHANGE CIPHER SPEC PACKET */ |
3335 | |
|
3336 | 0 | switch (FINAL_STATE) { |
3337 | 0 | case STATE0: |
3338 | 0 | case STATE1: |
3339 | 0 | ret = _gnutls_send_change_cipher_spec(session, FAGAIN(STATE1)); |
3340 | 0 | FINAL_STATE = STATE0; |
3341 | |
|
3342 | 0 | if (ret < 0) { |
3343 | 0 | gnutls_assert(); |
3344 | 0 | return ret; |
3345 | 0 | } |
3346 | | /* Initialize the connection session (start encryption) - in case of client |
3347 | | */ |
3348 | 0 | if (init) { |
3349 | 0 | ret = _gnutls_connection_state_init(session); |
3350 | 0 | if (ret < 0) { |
3351 | 0 | gnutls_assert(); |
3352 | 0 | return ret; |
3353 | 0 | } |
3354 | 0 | } |
3355 | | |
3356 | 0 | ret = _gnutls_write_connection_state_init(session); |
3357 | 0 | if (ret < 0) { |
3358 | 0 | gnutls_assert(); |
3359 | 0 | return ret; |
3360 | 0 | } |
3361 | |
|
3362 | 0 | FALLTHROUGH; |
3363 | 0 | case STATE2: |
3364 | | /* send the finished message */ |
3365 | 0 | ret = _gnutls_send_finished(session, FAGAIN(STATE2)); |
3366 | 0 | FINAL_STATE = STATE2; |
3367 | 0 | if (ret < 0) { |
3368 | 0 | gnutls_assert(); |
3369 | 0 | return ret; |
3370 | 0 | } |
3371 | | |
3372 | 0 | FINAL_STATE = STATE0; |
3373 | 0 | FALLTHROUGH; |
3374 | 0 | default: |
3375 | 0 | break; |
3376 | 0 | } |
3377 | | |
3378 | 0 | return 0; |
3379 | 0 | } |
3380 | | |
3381 | | /* This function receives the final handshake packets |
3382 | | * And executes the appropriate function to initialize the |
3383 | | * read session. |
3384 | | */ |
3385 | | static int recv_handshake_final(gnutls_session_t session, int init) |
3386 | 0 | { |
3387 | 0 | int ret = 0; |
3388 | 0 | uint8_t ccs[3]; |
3389 | 0 | unsigned int ccs_len = 1; |
3390 | 0 | unsigned int tleft; |
3391 | 0 | const version_entry_st *vers; |
3392 | |
|
3393 | 0 | ret = handshake_remaining_time(session); |
3394 | 0 | if (ret < 0) |
3395 | 0 | return gnutls_assert_val(ret); |
3396 | 0 | tleft = ret; |
3397 | |
|
3398 | 0 | switch (FINAL_STATE) { |
3399 | 0 | case STATE0: |
3400 | 0 | case STATE30: |
3401 | 0 | FINAL_STATE = STATE30; |
3402 | | |
3403 | | /* This is the last flight and peer cannot be sure |
3404 | | * we have received it unless we notify him. So we |
3405 | | * wait for a message and retransmit if needed. */ |
3406 | 0 | if (IS_DTLS(session) && !_dtls_is_async(session) && |
3407 | 0 | (gnutls_record_check_pending(session) + |
3408 | 0 | record_check_unprocessed(session)) == 0) { |
3409 | 0 | ret = _dtls_wait_and_retransmit(session); |
3410 | 0 | if (ret < 0) |
3411 | 0 | return gnutls_assert_val(ret); |
3412 | 0 | } |
3413 | | |
3414 | 0 | vers = get_version(session); |
3415 | 0 | if (unlikely(vers == NULL)) |
3416 | 0 | return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); |
3417 | | |
3418 | 0 | if (vers->id == GNUTLS_DTLS0_9) |
3419 | 0 | ccs_len = 3; |
3420 | |
|
3421 | 0 | ret = _gnutls_recv_int(session, GNUTLS_CHANGE_CIPHER_SPEC, ccs, |
3422 | 0 | ccs_len, NULL, tleft); |
3423 | 0 | if (ret <= 0) { |
3424 | 0 | gnutls_assert(); |
3425 | 0 | return (ret < 0) ? ret : GNUTLS_E_UNEXPECTED_PACKET; |
3426 | 0 | } |
3427 | | |
3428 | 0 | if (vers->id == GNUTLS_DTLS0_9) |
3429 | 0 | session->internals.dtls.hsk_read_seq++; |
3430 | | |
3431 | | /* Initialize the connection session (start encryption) - in case of server */ |
3432 | 0 | if (init) { |
3433 | 0 | ret = _gnutls_connection_state_init(session); |
3434 | 0 | if (ret < 0) { |
3435 | 0 | gnutls_assert(); |
3436 | 0 | return ret; |
3437 | 0 | } |
3438 | 0 | } |
3439 | | |
3440 | 0 | ret = _gnutls_read_connection_state_init(session); |
3441 | 0 | if (ret < 0) { |
3442 | 0 | gnutls_assert(); |
3443 | 0 | return ret; |
3444 | 0 | } |
3445 | 0 | FALLTHROUGH; |
3446 | 0 | case STATE31: |
3447 | 0 | FINAL_STATE = STATE31; |
3448 | |
|
3449 | 0 | if (IS_DTLS(session) && !_dtls_is_async(session) && |
3450 | 0 | (gnutls_record_check_pending(session) + |
3451 | 0 | record_check_unprocessed(session)) == 0) { |
3452 | 0 | ret = _dtls_wait_and_retransmit(session); |
3453 | 0 | if (ret < 0) |
3454 | 0 | return gnutls_assert_val(ret); |
3455 | 0 | } |
3456 | | |
3457 | 0 | ret = _gnutls_recv_finished(session); |
3458 | 0 | if (ret < 0) { |
3459 | 0 | gnutls_assert(); |
3460 | 0 | return ret; |
3461 | 0 | } |
3462 | 0 | FINAL_STATE = STATE0; |
3463 | 0 | FALLTHROUGH; |
3464 | 0 | default: |
3465 | 0 | break; |
3466 | 0 | } |
3467 | | |
3468 | 0 | return 0; |
3469 | 0 | } |
3470 | | |
3471 | | /* |
3472 | | * handshake_server |
3473 | | * This function does the server stuff of the handshake protocol. |
3474 | | */ |
3475 | | static int handshake_server(gnutls_session_t session) |
3476 | 0 | { |
3477 | 0 | int ret = 0; |
3478 | 0 | const version_entry_st *ver; |
3479 | |
|
3480 | 0 | reset: |
3481 | |
|
3482 | 0 | if (STATE >= STATE90) |
3483 | 0 | return _gnutls13_handshake_server(session); |
3484 | | |
3485 | 0 | switch (STATE) { |
3486 | 0 | case STATE0: |
3487 | 0 | case STATE1: |
3488 | 0 | ret = _gnutls_recv_handshake( |
3489 | 0 | session, GNUTLS_HANDSHAKE_CLIENT_HELLO, 0, NULL); |
3490 | 0 | if (ret == GNUTLS_E_INT_RET_0) { |
3491 | | /* this is triggered by post_client_hello, and instructs the |
3492 | | * handshake to proceed but be put on hold */ |
3493 | 0 | ret = GNUTLS_E_INTERRUPTED; |
3494 | 0 | STATE = STATE2; /* hello already parsed -> move on */ |
3495 | 0 | } else { |
3496 | 0 | STATE = STATE1; |
3497 | 0 | } |
3498 | |
|
3499 | 0 | if (ret == GNUTLS_E_NO_COMMON_KEY_SHARE) { |
3500 | 0 | STATE = STATE90; |
3501 | 0 | session->internals.hsk_flags |= HSK_HRR_SENT; |
3502 | 0 | goto reset; |
3503 | 0 | } |
3504 | | |
3505 | 0 | IMED_RET("recv hello", ret, 1); |
3506 | 0 | FALLTHROUGH; |
3507 | 0 | case STATE2: |
3508 | |
|
3509 | 0 | ret = _gnutls_ext_sr_verify(session); |
3510 | 0 | STATE = STATE2; |
3511 | 0 | IMED_RET_FATAL("recv hello", ret, 0); |
3512 | 0 | FALLTHROUGH; |
3513 | 0 | case STATE3: |
3514 | 0 | ret = _gnutls_send_server_hello(session, AGAIN(STATE3)); |
3515 | 0 | STATE = STATE3; |
3516 | 0 | IMED_RET("send hello", ret, 1); |
3517 | | |
3518 | 0 | ver = get_version(session); |
3519 | 0 | if (ver->tls13_sem) { /* TLS 1.3 state machine */ |
3520 | 0 | STATE = STATE99; |
3521 | 0 | goto reset; |
3522 | 0 | } |
3523 | |
|
3524 | 0 | FALLTHROUGH; |
3525 | 0 | case STATE4: |
3526 | 0 | if (session->security_parameters.do_send_supplemental) { |
3527 | 0 | ret = _gnutls_send_supplemental(session, AGAIN(STATE4)); |
3528 | 0 | STATE = STATE4; |
3529 | 0 | IMED_RET("send supplemental data", ret, 0); |
3530 | 0 | } |
3531 | | /* SEND CERTIFICATE + KEYEXCHANGE + CERTIFICATE_REQUEST */ |
3532 | 0 | FALLTHROUGH; |
3533 | 0 | case STATE5: |
3534 | | /* NOTE: these should not be send if we are resuming */ |
3535 | |
|
3536 | 0 | if (!session->internals.resumed) |
3537 | 0 | ret = _gnutls_send_server_certificate(session, |
3538 | 0 | AGAIN(STATE5)); |
3539 | 0 | STATE = STATE5; |
3540 | 0 | IMED_RET("send server certificate", ret, 0); |
3541 | 0 | FALLTHROUGH; |
3542 | 0 | case STATE6: |
3543 | 0 | #ifdef ENABLE_OCSP |
3544 | 0 | if (!session->internals.resumed) |
3545 | 0 | ret = _gnutls_send_server_certificate_status( |
3546 | 0 | session, AGAIN(STATE6)); |
3547 | 0 | STATE = STATE6; |
3548 | 0 | IMED_RET("send server certificate status", ret, 0); |
3549 | 0 | #endif |
3550 | 0 | FALLTHROUGH; |
3551 | 0 | case STATE7: |
3552 | | /* send server key exchange (A) */ |
3553 | 0 | if (!session->internals.resumed) |
3554 | 0 | ret = _gnutls_send_server_kx_message(session, |
3555 | 0 | AGAIN(STATE7)); |
3556 | 0 | STATE = STATE7; |
3557 | 0 | IMED_RET("send server kx", ret, 0); |
3558 | 0 | FALLTHROUGH; |
3559 | 0 | case STATE8: |
3560 | | /* Send certificate request - if requested to */ |
3561 | 0 | if (!session->internals.resumed) |
3562 | 0 | ret = _gnutls_send_server_crt_request(session, |
3563 | 0 | AGAIN(STATE8)); |
3564 | 0 | STATE = STATE8; |
3565 | 0 | IMED_RET("send server cert request", ret, 0); |
3566 | 0 | FALLTHROUGH; |
3567 | 0 | case STATE9: |
3568 | | /* send the server hello done */ |
3569 | 0 | if (!session->internals.resumed) /* if we are not resuming */ |
3570 | 0 | ret = _gnutls_send_empty_handshake( |
3571 | 0 | session, GNUTLS_HANDSHAKE_SERVER_HELLO_DONE, |
3572 | 0 | AGAIN(STATE9)); |
3573 | 0 | STATE = STATE9; |
3574 | 0 | IMED_RET("send server hello done", ret, 1); |
3575 | 0 | FALLTHROUGH; |
3576 | 0 | case STATE10: |
3577 | 0 | if (session->security_parameters.do_recv_supplemental) { |
3578 | 0 | ret = _gnutls_recv_supplemental(session); |
3579 | 0 | STATE = STATE10; |
3580 | 0 | IMED_RET("recv client supplemental", ret, 1); |
3581 | 0 | } |
3582 | | /* RECV CERTIFICATE + KEYEXCHANGE + CERTIFICATE_VERIFY */ |
3583 | 0 | FALLTHROUGH; |
3584 | 0 | case STATE11: |
3585 | | /* receive the client certificate message */ |
3586 | 0 | if (!session->internals.resumed) /* if we are not resuming */ |
3587 | 0 | ret = _gnutls_recv_client_certificate(session); |
3588 | 0 | STATE = STATE11; |
3589 | 0 | IMED_RET("recv client certificate", ret, 1); |
3590 | 0 | FALLTHROUGH; |
3591 | 0 | case STATE12: |
3592 | 0 | ret = _gnutls_run_verify_callback(session, GNUTLS_SERVER); |
3593 | 0 | STATE = STATE12; |
3594 | 0 | if (ret < 0) |
3595 | 0 | return gnutls_assert_val(ret); |
3596 | 0 | FALLTHROUGH; |
3597 | 0 | case STATE13: |
3598 | | /* receive the client key exchange message */ |
3599 | 0 | if (!session->internals.resumed) /* if we are not resuming */ |
3600 | 0 | ret = _gnutls_recv_client_kx_message(session); |
3601 | 0 | STATE = STATE13; |
3602 | 0 | IMED_RET("recv client kx", ret, 1); |
3603 | 0 | FALLTHROUGH; |
3604 | 0 | case STATE14: |
3605 | | /* receive the client certificate verify message */ |
3606 | 0 | if (!session->internals.resumed) /* if we are not resuming */ |
3607 | 0 | ret = _gnutls_recv_client_certificate_verify_message( |
3608 | 0 | session); |
3609 | 0 | STATE = STATE14; |
3610 | 0 | IMED_RET("recv client certificate verify", ret, 1); |
3611 | 0 | FALLTHROUGH; |
3612 | 0 | case STATE15: |
3613 | 0 | STATE = STATE15; |
3614 | 0 | if (!session->internals.resumed) { /* if we are not resuming */ |
3615 | 0 | ret = recv_handshake_final(session, true); |
3616 | 0 | IMED_RET("recv handshake final", ret, 1); |
3617 | 0 | } else { |
3618 | 0 | ret = send_handshake_final(session, true); |
3619 | 0 | IMED_RET("send handshake final 2", ret, 1); |
3620 | 0 | } |
3621 | 0 | FALLTHROUGH; |
3622 | 0 | case STATE16: |
3623 | 0 | ret = _gnutls_send_new_session_ticket(session, AGAIN(STATE16)); |
3624 | 0 | STATE = STATE16; |
3625 | 0 | IMED_RET("send handshake new session ticket", ret, 0); |
3626 | 0 | FALLTHROUGH; |
3627 | 0 | case STATE17: |
3628 | 0 | STATE = STATE17; |
3629 | 0 | if (!session->internals.resumed) { /* if we are not resuming */ |
3630 | 0 | ret = send_handshake_final(session, false); |
3631 | 0 | IMED_RET("send handshake final", ret, 1); |
3632 | | |
3633 | 0 | if (session->security_parameters.entity == |
3634 | 0 | GNUTLS_SERVER && |
3635 | 0 | !(session->internals.hsk_flags & |
3636 | 0 | HSK_TLS12_TICKET_SENT)) { |
3637 | | /* if no ticket, save session data */ |
3638 | 0 | _gnutls_server_register_current_session( |
3639 | 0 | session); |
3640 | 0 | } |
3641 | 0 | } else { |
3642 | 0 | ret = recv_handshake_final(session, false); |
3643 | 0 | IMED_RET("recv handshake final 2", ret, 1); |
3644 | 0 | } |
3645 | | |
3646 | 0 | STATE = STATE0; |
3647 | 0 | FALLTHROUGH; |
3648 | 0 | default: |
3649 | 0 | break; |
3650 | 0 | } |
3651 | | |
3652 | | /* no lock of post_negotiation_lock is required here as this is not run |
3653 | | * after handshake */ |
3654 | 0 | session->internals.initial_negotiation_completed = 1; |
3655 | |
|
3656 | 0 | return _gnutls_check_id_for_change(session); |
3657 | 0 | } |
3658 | | |
3659 | | int _gnutls_generate_session_id(uint8_t *session_id, uint8_t *len) |
3660 | 0 | { |
3661 | 0 | int ret; |
3662 | |
|
3663 | 0 | *len = GNUTLS_DEF_SESSION_ID_SIZE; |
3664 | |
|
3665 | 0 | ret = gnutls_rnd(GNUTLS_RND_NONCE, session_id, |
3666 | 0 | GNUTLS_DEF_SESSION_ID_SIZE); |
3667 | 0 | if (ret < 0) { |
3668 | 0 | gnutls_assert(); |
3669 | 0 | return ret; |
3670 | 0 | } |
3671 | | |
3672 | 0 | return 0; |
3673 | 0 | } |
3674 | | |
3675 | | /** |
3676 | | * gnutls_handshake_set_max_packet_length: |
3677 | | * @session: is a #gnutls_session_t type. |
3678 | | * @max: is the maximum number. |
3679 | | * |
3680 | | * This function will set the maximum size of all handshake messages. |
3681 | | * Handshakes over this size are rejected with |
3682 | | * %GNUTLS_E_HANDSHAKE_TOO_LARGE error code. The default value is |
3683 | | * 128kb which is typically large enough. Set this to 0 if you do not |
3684 | | * want to set an upper limit. |
3685 | | * |
3686 | | * The reason for restricting the handshake message sizes are to |
3687 | | * limit Denial of Service attacks. |
3688 | | * |
3689 | | * Note that the maximum handshake size was increased to 128kb |
3690 | | * from 48kb in GnuTLS 3.5.5. |
3691 | | **/ |
3692 | | void gnutls_handshake_set_max_packet_length(gnutls_session_t session, |
3693 | | size_t max) |
3694 | 0 | { |
3695 | 0 | session->internals.max_handshake_data_buffer_size = max; |
3696 | 0 | } |
3697 | | |
3698 | | /** |
3699 | | * gnutls_handshake_get_last_in: |
3700 | | * @session: is a #gnutls_session_t type. |
3701 | | * |
3702 | | * This function is only useful to check where the last performed |
3703 | | * handshake failed. If the previous handshake succeed or was not |
3704 | | * performed at all then no meaningful value will be returned. |
3705 | | * |
3706 | | * Check %gnutls_handshake_description_t in gnutls.h for the |
3707 | | * available handshake descriptions. |
3708 | | * |
3709 | | * Returns: the last handshake message type received, a |
3710 | | * %gnutls_handshake_description_t. |
3711 | | **/ |
3712 | | gnutls_handshake_description_t |
3713 | | gnutls_handshake_get_last_in(gnutls_session_t session) |
3714 | 0 | { |
3715 | 0 | return session->internals.last_handshake_in; |
3716 | 0 | } |
3717 | | |
3718 | | /** |
3719 | | * gnutls_handshake_get_last_out: |
3720 | | * @session: is a #gnutls_session_t type. |
3721 | | * |
3722 | | * This function is only useful to check where the last performed |
3723 | | * handshake failed. If the previous handshake succeed or was not |
3724 | | * performed at all then no meaningful value will be returned. |
3725 | | * |
3726 | | * Check %gnutls_handshake_description_t in gnutls.h for the |
3727 | | * available handshake descriptions. |
3728 | | * |
3729 | | * Returns: the last handshake message type sent, a |
3730 | | * %gnutls_handshake_description_t. |
3731 | | **/ |
3732 | | gnutls_handshake_description_t |
3733 | | gnutls_handshake_get_last_out(gnutls_session_t session) |
3734 | 0 | { |
3735 | 0 | return session->internals.last_handshake_out; |
3736 | 0 | } |
3737 | | |
3738 | | /* This returns the session hash as in draft-ietf-tls-session-hash-02. |
3739 | | */ |
3740 | | int _gnutls_handshake_get_session_hash(gnutls_session_t session, |
3741 | | gnutls_datum_t *shash) |
3742 | 0 | { |
3743 | 0 | const version_entry_st *ver = get_version(session); |
3744 | 0 | int ret; |
3745 | 0 | uint8_t concat[2 * MAX_HASH_SIZE]; |
3746 | |
|
3747 | 0 | if (unlikely(ver == NULL)) |
3748 | 0 | return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); |
3749 | | |
3750 | 0 | if (session->internals.handshake_hash_buffer_client_kx_len == 0 || |
3751 | 0 | (session->internals.handshake_hash_buffer.length < |
3752 | 0 | session->internals.handshake_hash_buffer_client_kx_len)) { |
3753 | 0 | return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); |
3754 | 0 | } |
3755 | | |
3756 | 0 | ret = _gnutls_hash_fast( |
3757 | 0 | (gnutls_digest_algorithm_t)session->security_parameters.prf->id, |
3758 | 0 | session->internals.handshake_hash_buffer.data, |
3759 | 0 | session->internals.handshake_hash_buffer_client_kx_len, concat); |
3760 | 0 | if (ret < 0) |
3761 | 0 | return gnutls_assert_val(ret); |
3762 | | |
3763 | 0 | return _gnutls_set_datum(shash, concat, |
3764 | 0 | session->security_parameters.prf->output_size); |
3765 | 0 | } |