Coverage Report

Created: 2023-03-26 07:33

/src/gnutls/lib/handshake.c
Line
Count
Source (jump to first uncovered line)
1
/*
2
 * Copyright (C) 2000-2016 Free Software Foundation, Inc.
3
 * Copyright (C) 2015-2018 Red Hat, Inc.
4
 *
5
 * Author: Nikos Mavrogiannopoulos
6
 *
7
 * This file is part of GnuTLS.
8
 *
9
 * The GnuTLS is free software; you can redistribute it and/or
10
 * modify it under the terms of the GNU Lesser General Public License
11
 * as published by the Free Software Foundation; either version 2.1 of
12
 * the License, or (at your option) any later version.
13
 *
14
 * This library is distributed in the hope that it will be useful, but
15
 * WITHOUT ANY WARRANTY; without even the implied warranty of
16
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
17
 * Lesser General Public License for more details.
18
 *
19
 * You should have received a copy of the GNU Lesser General Public License
20
 * along with this program.  If not, see <https://www.gnu.org/licenses/>
21
 *
22
 */
23
24
/* Functions that relate to the TLS handshake procedure.
25
 */
26
27
#include "gnutls_int.h"
28
#include "errors.h"
29
#include "dh.h"
30
#include "debug.h"
31
#include "algorithms.h"
32
#include "cipher.h"
33
#include "buffers.h"
34
#include "mbuffers.h"
35
#include "kx.h"
36
#include "handshake.h"
37
#include "num.h"
38
#include "hash_int.h"
39
#include "db.h"
40
#include "hello_ext.h"
41
#include "supplemental.h"
42
#include "auth.h"
43
#include "sslv2_compat.h"
44
#include <auth/cert.h>
45
#include "constate.h"
46
#include <record.h>
47
#include <state.h>
48
#include <ext/pre_shared_key.h>
49
#include <ext/srp.h>
50
#include <ext/session_ticket.h>
51
#include <ext/status_request.h>
52
#include <ext/safe_renegotiation.h>
53
#include <auth/anon.h>    /* for gnutls_anon_server_credentials_t */
54
#include <auth/psk.h>   /* for gnutls_psk_server_credentials_t */
55
#include <random.h>
56
#include <dtls.h>
57
#include "secrets.h"
58
#include "tls13/early_data.h"
59
#include "tls13/session_ticket.h"
60
#include "locks.h"
61
#include "system/ktls.h"
62
63
static int check_if_null_comp_present(gnutls_session_t session,
64
              uint8_t * data, int datalen);
65
static int handshake_client(gnutls_session_t session);
66
static int handshake_server(gnutls_session_t session);
67
68
static int
69
read_server_hello(gnutls_session_t session, uint8_t * data, int datalen);
70
71
static int recv_handshake_final(gnutls_session_t session, int init);
72
static int send_handshake_final(gnutls_session_t session, int init);
73
74
/* Empties but does not free the buffer
75
 */
76
inline static void handshake_hash_buffer_reset(gnutls_session_t session)
77
0
{
78
0
  _gnutls_buffers_log("BUF[HSK]: Emptied buffer\n");
79
80
0
  session->internals.handshake_hash_buffer_client_hello_len = 0;
81
0
  session->internals.handshake_hash_buffer_client_kx_len = 0;
82
0
  session->internals.handshake_hash_buffer_server_finished_len = 0;
83
0
  session->internals.handshake_hash_buffer_client_finished_len = 0;
84
0
  session->internals.handshake_hash_buffer_prev_len = 0;
85
0
  session->internals.handshake_hash_buffer.length = 0;
86
0
  session->internals.full_client_hello.length = 0;
87
0
  return;
88
0
}
89
90
static int
91
handshake_hash_add_recvd(gnutls_session_t session,
92
       gnutls_handshake_description_t recv_type,
93
       uint8_t * header, uint16_t header_size,
94
       uint8_t * dataptr, uint32_t datalen);
95
96
static int
97
handshake_hash_add_sent(gnutls_session_t session,
98
      gnutls_handshake_description_t type,
99
      uint8_t * dataptr, uint32_t datalen);
100
101
static int
102
recv_hello_verify_request(gnutls_session_t session,
103
        uint8_t * data, int datalen);
104
105
/* Clears the handshake hash buffers and handles.
106
 */
107
void _gnutls_handshake_hash_buffers_clear(gnutls_session_t session)
108
0
{
109
0
  handshake_hash_buffer_reset(session);
110
0
  _gnutls_buffer_clear(&session->internals.handshake_hash_buffer);
111
0
  _gnutls_buffer_clear(&session->internals.full_client_hello);
112
0
}
113
114
/* Replace handshake message buffer, with the special synthetic message
115
 * needed by TLS1.3 when HRR is sent. */
116
int _gnutls13_handshake_hash_buffers_synth(gnutls_session_t session,
117
             const mac_entry_st * prf,
118
             unsigned client)
119
0
{
120
0
  int ret;
121
0
  uint8_t hdata[4 + MAX_HASH_SIZE];
122
0
  size_t length;
123
124
0
  if (client)
125
0
    length = session->internals.handshake_hash_buffer_prev_len;
126
0
  else
127
0
    length = session->internals.handshake_hash_buffer.length;
128
129
  /* calculate hash */
130
0
  hdata[0] = 254;
131
0
  _gnutls_write_uint24(prf->output_size, &hdata[1]);
132
133
0
  ret = gnutls_hash_fast((gnutls_digest_algorithm_t) prf->id,
134
0
             session->internals.handshake_hash_buffer.data,
135
0
             length, hdata + 4);
136
0
  if (ret < 0)
137
0
    return gnutls_assert_val(ret);
138
139
0
  handshake_hash_buffer_reset(session);
140
141
0
  ret =
142
0
      _gnutls_buffer_append_data(&session->internals.
143
0
               handshake_hash_buffer, hdata,
144
0
               prf->output_size + 4);
145
0
  if (ret < 0)
146
0
    return gnutls_assert_val(ret);
147
148
0
  _gnutls_buffers_log
149
0
      ("BUF[HSK]: Replaced handshake buffer with synth message (%d bytes)\n",
150
0
       prf->output_size + 4);
151
152
0
  return 0;
153
0
}
154
155
/* this will copy the required values for resuming to
156
 * internals, and to security_parameters.
157
 * this will keep as less data to security_parameters.
158
 */
159
static int tls12_resume_copy_required_vals(gnutls_session_t session,
160
             unsigned ticket)
161
0
{
162
0
  int ret;
163
164
  /* get the new random values */
165
0
  memcpy(session->internals.resumed_security_parameters.server_random,
166
0
         session->security_parameters.server_random, GNUTLS_RANDOM_SIZE);
167
0
  memcpy(session->internals.resumed_security_parameters.client_random,
168
0
         session->security_parameters.client_random, GNUTLS_RANDOM_SIZE);
169
170
  /* keep the ciphersuite and compression
171
   * That is because the client must see these in our
172
   * hello message.
173
   */
174
0
  ret = _gnutls_set_cipher_suite2(session,
175
0
          session->internals.
176
0
          resumed_security_parameters.cs);
177
0
  if (ret < 0)
178
0
    return gnutls_assert_val(ret);
179
180
  /* or write_compression_algorithm
181
   * they are the same
182
   */
183
184
0
  session->security_parameters.entity =
185
0
      session->internals.resumed_security_parameters.entity;
186
187
0
  if (session->internals.resumed_security_parameters.pversion == NULL)
188
0
    return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
189
190
0
  if (_gnutls_set_current_version(session,
191
0
          session->internals.
192
0
          resumed_security_parameters.pversion->
193
0
          id) < 0)
194
0
    return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
195
196
0
  session->security_parameters.client_ctype =
197
0
      session->internals.resumed_security_parameters.client_ctype;
198
0
  session->security_parameters.server_ctype =
199
0
      session->internals.resumed_security_parameters.server_ctype;
200
201
0
  if (!ticket) {
202
0
    memcpy(session->security_parameters.session_id,
203
0
           session->internals.
204
0
           resumed_security_parameters.session_id,
205
0
           sizeof(session->security_parameters.session_id));
206
0
    session->security_parameters.session_id_size =
207
0
        session->internals.
208
0
        resumed_security_parameters.session_id_size;
209
0
  }
210
211
0
  return 0;
212
0
}
213
214
void _gnutls_set_client_random(gnutls_session_t session, uint8_t * rnd)
215
0
{
216
0
  _gnutls_memory_mark_defined(session->security_parameters.client_random,
217
0
            GNUTLS_RANDOM_SIZE);
218
0
  memcpy(session->security_parameters.client_random, rnd,
219
0
         GNUTLS_RANDOM_SIZE);
220
0
}
221
222
static
223
int _gnutls_gen_client_random(gnutls_session_t session)
224
0
{
225
0
  int ret;
226
227
  /* no random given, we generate. */
228
0
  if (session->internals.sc_random_set != 0) {
229
0
    _gnutls_memory_mark_defined(session->
230
0
              security_parameters.client_random,
231
0
              GNUTLS_RANDOM_SIZE);
232
0
    memcpy(session->security_parameters.client_random,
233
0
           session->internals.
234
0
           resumed_security_parameters.client_random,
235
0
           GNUTLS_RANDOM_SIZE);
236
0
  } else {
237
0
    _gnutls_memory_mark_defined(session->
238
0
              security_parameters.client_random,
239
0
              GNUTLS_RANDOM_SIZE);
240
0
    ret =
241
0
        gnutls_rnd(GNUTLS_RND_NONCE,
242
0
             session->security_parameters.client_random,
243
0
             GNUTLS_RANDOM_SIZE);
244
0
    if (ret < 0) {
245
0
      _gnutls_memory_mark_undefined
246
0
          (session->security_parameters.client_random,
247
0
           GNUTLS_RANDOM_SIZE);
248
0
      return gnutls_assert_val(ret);
249
0
    }
250
0
  }
251
252
0
  return 0;
253
0
}
254
255
static
256
int _gnutls_set_server_random(gnutls_session_t session,
257
            const version_entry_st * vers, uint8_t * rnd)
258
0
{
259
0
  const version_entry_st *max;
260
261
0
  _gnutls_memory_mark_defined(session->security_parameters.server_random,
262
0
            GNUTLS_RANDOM_SIZE);
263
0
  memcpy(session->security_parameters.server_random, rnd,
264
0
         GNUTLS_RANDOM_SIZE);
265
266
  /* check whether the server random value is set according to
267
   * to TLS 1.3. p4.1.3 requirements */
268
0
  if (!IS_DTLS(session) && vers->id <= GNUTLS_TLS1_2
269
0
      && have_creds_for_tls13(session)) {
270
271
0
    max = _gnutls_version_max(session);
272
0
    if (max->id <= GNUTLS_TLS1_2)
273
0
      return 0;
274
275
0
    if (vers->id == GNUTLS_TLS1_2 &&
276
0
        memcmp(&session->
277
0
         security_parameters.server_random[GNUTLS_RANDOM_SIZE
278
0
                   - 8],
279
0
         "\x44\x4F\x57\x4E\x47\x52\x44\x01", 8) == 0) {
280
281
0
      _gnutls_audit_log(session,
282
0
            "Detected downgrade to TLS 1.2 from TLS 1.3\n");
283
0
      return
284
0
          gnutls_assert_val
285
0
          (GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
286
0
    } else if (vers->id <= GNUTLS_TLS1_1
287
0
         && memcmp(&session->security_parameters.server_random
288
0
             [GNUTLS_RANDOM_SIZE - 8],
289
0
             "\x44\x4F\x57\x4E\x47\x52\x44\x00",
290
0
             8) == 0) {
291
292
0
      _gnutls_audit_log(session,
293
0
            "Detected downgrade to TLS 1.1 or earlier from TLS 1.3\n");
294
0
      return
295
0
          gnutls_assert_val
296
0
          (GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
297
0
    }
298
0
  }
299
300
0
  return 0;
301
0
}
302
303
int _gnutls_gen_server_random(gnutls_session_t session, int version)
304
0
{
305
0
  int ret;
306
0
  const version_entry_st *max;
307
308
0
  if (session->internals.sc_random_set != 0) {
309
0
    _gnutls_memory_mark_defined(session->
310
0
              security_parameters.server_random,
311
0
              GNUTLS_RANDOM_SIZE);
312
0
    memcpy(session->security_parameters.server_random,
313
0
           session->internals.
314
0
           resumed_security_parameters.server_random,
315
0
           GNUTLS_RANDOM_SIZE);
316
0
    return 0;
317
0
  }
318
319
0
  max = _gnutls_version_max(session);
320
0
  if (max == NULL)
321
0
    return gnutls_assert_val(GNUTLS_E_NO_CIPHER_SUITES);
322
323
0
  _gnutls_memory_mark_defined(session->security_parameters.server_random,
324
0
            GNUTLS_RANDOM_SIZE);
325
326
0
  if (!IS_DTLS(session) && max->id >= GNUTLS_TLS1_3 &&
327
0
      version <= GNUTLS_TLS1_2) {
328
0
    if (version == GNUTLS_TLS1_2) {
329
0
      memcpy(&session->security_parameters.server_random
330
0
             [GNUTLS_RANDOM_SIZE - 8],
331
0
             "\x44\x4F\x57\x4E\x47\x52\x44\x01", 8);
332
0
    } else {
333
0
      memcpy(&session->security_parameters.server_random
334
0
             [GNUTLS_RANDOM_SIZE - 8],
335
0
             "\x44\x4F\x57\x4E\x47\x52\x44\x00", 8);
336
0
    }
337
0
    ret =
338
0
        gnutls_rnd(GNUTLS_RND_NONCE,
339
0
             session->security_parameters.server_random,
340
0
             GNUTLS_RANDOM_SIZE - 8);
341
342
0
  } else {
343
0
    ret =
344
0
        gnutls_rnd(GNUTLS_RND_NONCE,
345
0
             session->security_parameters.server_random,
346
0
             GNUTLS_RANDOM_SIZE);
347
0
  }
348
349
0
  if (ret < 0) {
350
0
    gnutls_assert();
351
0
    _gnutls_memory_mark_undefined(session->
352
0
                security_parameters.server_random,
353
0
                GNUTLS_RANDOM_SIZE);
354
0
    return ret;
355
0
  }
356
357
0
  return 0;
358
0
}
359
360
#ifdef ENABLE_SSL3
361
/* Calculate The SSL3 Finished message
362
 */
363
# define SSL3_CLIENT_MSG "CLNT"
364
# define SSL3_SERVER_MSG "SRVR"
365
# define SSL_MSG_LEN 4
366
static int
367
_gnutls_ssl3_finished(gnutls_session_t session, int type, uint8_t * ret,
368
          int sending)
369
{
370
  digest_hd_st td_md5;
371
  digest_hd_st td_sha;
372
  const char *mesg;
373
  int rc, len;
374
375
  if (sending)
376
    len = session->internals.handshake_hash_buffer.length;
377
  else
378
    len = session->internals.handshake_hash_buffer_prev_len;
379
380
  rc = _gnutls_hash_init(&td_sha, hash_to_entry(GNUTLS_DIG_SHA1));
381
  if (rc < 0)
382
    return gnutls_assert_val(rc);
383
384
  rc = _gnutls_hash_init(&td_md5, hash_to_entry(GNUTLS_DIG_MD5));
385
  if (rc < 0) {
386
    _gnutls_hash_deinit(&td_sha, NULL);
387
    return gnutls_assert_val(rc);
388
  }
389
390
  _gnutls_hash(&td_sha,
391
         session->internals.handshake_hash_buffer.data, len);
392
  _gnutls_hash(&td_md5,
393
         session->internals.handshake_hash_buffer.data, len);
394
395
  if (type == GNUTLS_SERVER)
396
    mesg = SSL3_SERVER_MSG;
397
  else
398
    mesg = SSL3_CLIENT_MSG;
399
400
  _gnutls_hash(&td_md5, mesg, SSL_MSG_LEN);
401
  _gnutls_hash(&td_sha, mesg, SSL_MSG_LEN);
402
403
  rc = _gnutls_mac_deinit_ssl3_handshake(&td_md5, ret,
404
                 session->security_parameters.
405
                 master_secret,
406
                 GNUTLS_MASTER_SIZE);
407
  if (rc < 0) {
408
    _gnutls_hash_deinit(&td_md5, NULL);
409
    _gnutls_hash_deinit(&td_sha, NULL);
410
    return gnutls_assert_val(rc);
411
  }
412
413
  rc = _gnutls_mac_deinit_ssl3_handshake(&td_sha, &ret[16],
414
                 session->security_parameters.
415
                 master_secret,
416
                 GNUTLS_MASTER_SIZE);
417
  if (rc < 0) {
418
    _gnutls_hash_deinit(&td_sha, NULL);
419
    return gnutls_assert_val(rc);
420
  }
421
422
  return 0;
423
}
424
#endif
425
426
/* Hash the handshake messages as required by TLS 1.0
427
 */
428
0
#define SERVER_MSG "server finished"
429
0
#define CLIENT_MSG "client finished"
430
0
#define TLS_MSG_LEN 15
431
static int
432
_gnutls_finished(gnutls_session_t session, int type, void *ret, int sending)
433
0
{
434
0
  const int siz = TLS_MSG_LEN;
435
0
  uint8_t concat[MAX_HASH_SIZE];
436
0
  size_t hash_len;
437
0
  const char *mesg;
438
0
  int rc, len, algorithm;
439
440
0
  if (sending)
441
0
    len = session->internals.handshake_hash_buffer.length;
442
0
  else
443
0
    len = session->internals.handshake_hash_buffer_prev_len;
444
445
0
  algorithm = session->security_parameters.prf->id;
446
0
  rc = _gnutls_hash_fast(algorithm,
447
0
             session->internals.handshake_hash_buffer.data,
448
0
             len, concat);
449
0
  if (rc < 0)
450
0
    return gnutls_assert_val(rc);
451
452
0
  hash_len = session->security_parameters.prf->output_size;
453
454
0
  if (type == GNUTLS_SERVER) {
455
0
    mesg = SERVER_MSG;
456
0
  } else {
457
0
    mesg = CLIENT_MSG;
458
0
  }
459
460
0
  _gnutls_memory_mark_defined(session->security_parameters.master_secret,
461
0
            GNUTLS_MASTER_SIZE);
462
0
  rc = _gnutls_PRF(session,
463
0
       session->security_parameters.master_secret,
464
0
       GNUTLS_MASTER_SIZE, mesg, siz, concat, hash_len,
465
0
       12, ret);
466
0
  if (rc < 0) {
467
0
    _gnutls_memory_mark_undefined(session->
468
0
                security_parameters.master_secret,
469
0
                GNUTLS_MASTER_SIZE);
470
0
  }
471
0
  return rc;
472
0
}
473
474
/* returns the 0 on success or a negative error code.
475
 */
476
int
477
_gnutls_negotiate_version(gnutls_session_t session,
478
        uint8_t major, uint8_t minor, unsigned allow_tls13)
479
0
{
480
0
  const version_entry_st *vers;
481
0
  const version_entry_st *aversion = nversion_to_entry(major, minor);
482
483
  /* if we do not support that version, unless that version is TLS 1.2;
484
   * TLS 1.2 is handled separately because it is always advertized under TLS 1.3 or later */
485
0
  if (aversion == NULL ||
486
0
      _gnutls_nversion_is_supported(session, major, minor) == 0) {
487
488
0
    if (aversion && aversion->id == GNUTLS_TLS1_2) {
489
0
      vers = _gnutls_version_max(session);
490
0
      if (unlikely(vers == NULL))
491
0
        return
492
0
            gnutls_assert_val
493
0
            (GNUTLS_E_NO_CIPHER_SUITES);
494
495
0
      if (vers->id >= GNUTLS_TLS1_2) {
496
0
        session->security_parameters.pversion =
497
0
            aversion;
498
0
        return 0;
499
0
      }
500
0
    }
501
502
    /* if we get an unknown/unsupported version, then fail if the version we
503
     * got is too low to be supported */
504
0
    if (!_gnutls_version_is_too_high(session, major, minor))
505
0
      return
506
0
          gnutls_assert_val
507
0
          (GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
508
509
    /* If he requested something we do not support
510
     * then we send him the highest we support.
511
     */
512
0
    vers = _gnutls_legacy_version_max(session);
513
0
    if (vers == NULL) {
514
      /* this check is not really needed.
515
       */
516
0
      gnutls_assert();
517
0
      return GNUTLS_E_UNKNOWN_CIPHER_SUITE;
518
0
    }
519
520
0
    session->security_parameters.pversion = vers;
521
522
0
    return 0;
523
0
  } else {
524
0
    session->security_parameters.pversion = aversion;
525
526
    /* we do not allow TLS1.3 negotiation using this mechanism */
527
0
    if (aversion->tls13_sem && !allow_tls13) {
528
0
      vers = _gnutls_legacy_version_max(session);
529
0
      session->security_parameters.pversion = vers;
530
0
    }
531
532
0
    return 0;
533
0
  }
534
0
}
535
536
/* This function returns:
537
 *  - zero on success
538
 *  - GNUTLS_E_INT_RET_0 if GNUTLS_E_AGAIN || GNUTLS_E_INTERRUPTED were returned by the callback
539
 *  - a negative error code on other error
540
 */
541
int
542
_gnutls_user_hello_func(gnutls_session_t session, uint8_t major, uint8_t minor)
543
0
{
544
0
  int ret, sret = 0;
545
0
  const version_entry_st *vers, *old_vers;
546
0
  const version_entry_st *new_max;
547
548
0
  if (session->internals.user_hello_func != NULL) {
549
0
    ret = session->internals.user_hello_func(session);
550
551
0
    if (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED) {
552
0
      gnutls_assert();
553
0
      sret = GNUTLS_E_INT_RET_0;
554
0
    } else if (ret < 0) {
555
0
      gnutls_assert();
556
0
      return ret;
557
0
    }
558
559
    /* This callback is often used to switch the priority string of the
560
     * server, and that includes switching version which we have already
561
     * negotiated; note that this doesn't apply when resuming as the version
562
     * negotiation is already complete. */
563
0
    if (!session->internals.resumed) {
564
0
      new_max = _gnutls_version_max(session);
565
0
      old_vers = get_version(session);
566
567
0
      if (!old_vers->tls13_sem
568
0
          || (new_max && !new_max->tls13_sem)) {
569
#if GNUTLS_TLS_VERSION_MAX != GNUTLS_TLS1_3
570
# error "Need to update the following logic"
571
#endif
572
        /* Here we need to renegotiate the version since the callee might
573
         * have disabled some TLS versions. This logic does not cope for
574
         * protocols later than TLS1.3 if they have the tls13_sem set */
575
0
        ret =
576
0
            _gnutls_negotiate_version(session, major,
577
0
                    minor, 0);
578
0
        if (ret < 0)
579
0
          return gnutls_assert_val(ret);
580
581
0
        vers = get_version(session);
582
0
        if (old_vers != vers) {
583
          /* at this point we need to regenerate the random value to
584
           * avoid the peer detecting this session as a rollback
585
           * attempt. */
586
0
          ret =
587
0
              _gnutls_gen_server_random(session,
588
0
                      vers->id);
589
0
          if (ret < 0)
590
0
            return gnutls_assert_val(ret);
591
0
        }
592
0
      }
593
0
    }
594
0
  }
595
0
  return sret;
596
0
}
597
598
/* Associates the right credential types for the session, and
599
 * performs sanity checks. */
600
static int set_auth_types(gnutls_session_t session)
601
0
{
602
0
  const version_entry_st *ver = get_version(session);
603
0
  gnutls_kx_algorithm_t kx;
604
605
  /* sanity check:
606
   * we see TLS1.3 negotiated but no key share was sent */
607
0
  if (ver->tls13_sem) {
608
0
    if (unlikely
609
0
        (!(session->internals.hsk_flags & HSK_PSK_KE_MODE_PSK)
610
0
         && !(session->
611
0
        internals.hsk_flags & HSK_KEY_SHARE_RECEIVED))) {
612
0
      return gnutls_assert_val(GNUTLS_E_MISSING_EXTENSION);
613
0
    }
614
615
    /* Under TLS1.3 this returns a KX which matches the negotiated
616
     * groups from the key shares; if we are resuming then the KX seen
617
     * here doesn't match the original session. */
618
0
    if (!session->internals.resumed)
619
0
      kx = gnutls_kx_get(session);
620
0
    else
621
0
      kx = GNUTLS_KX_UNKNOWN;
622
0
  } else {
623
    /* TLS1.2 or earlier, kx is associated with ciphersuite */
624
0
    kx = session->security_parameters.cs->kx_algorithm;
625
0
  }
626
627
0
  if (kx != GNUTLS_KX_UNKNOWN) {
628
0
    session->security_parameters.server_auth_type =
629
0
        _gnutls_map_kx_get_cred(kx, 1);
630
0
    session->security_parameters.client_auth_type =
631
0
        _gnutls_map_kx_get_cred(kx, 0);
632
0
  } else if (unlikely(!session->internals.resumed)) {
633
    /* Here we can only arrive if something we received
634
     * prevented the session from completing. */
635
0
    return gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
636
0
  }
637
638
0
  return 0;
639
0
}
640
641
/* Read a client hello packet.
642
 * A client hello must be a known version client hello
643
 * or version 2.0 client hello (only for compatibility
644
 * since SSL version 2.0 is not supported).
645
 */
646
static int
647
read_client_hello(gnutls_session_t session, uint8_t * data, int datalen)
648
0
{
649
0
  uint8_t session_id_len;
650
0
  int pos = 0, ret;
651
0
  uint16_t suite_size, comp_size;
652
0
  int ext_size;
653
0
  int neg_version, sret = 0;
654
0
  int len = datalen;
655
0
  uint8_t major, minor;
656
0
  uint8_t *suite_ptr, *comp_ptr, *session_id, *ext_ptr;
657
0
  const version_entry_st *vers;
658
659
0
  DECR_LEN(len, 2);
660
0
  _gnutls_handshake_log("HSK[%p]: Client's version: %d.%d\n",
661
0
            session, data[pos], data[pos + 1]);
662
663
0
  major = data[pos];
664
0
  minor = data[pos + 1];
665
666
0
  set_adv_version(session, major, minor);
667
668
0
  ret = _gnutls_negotiate_version(session, major, minor, 0);
669
0
  if (ret < 0)
670
0
    return gnutls_assert_val(ret);
671
672
0
  vers = get_version(session);
673
0
  if (vers == NULL)
674
0
    return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
675
676
0
  neg_version = vers->id;
677
678
0
  pos += 2;
679
680
  /* Read client random value.
681
   */
682
0
  DECR_LEN(len, GNUTLS_RANDOM_SIZE);
683
0
  _gnutls_set_client_random(session, &data[pos]);
684
685
0
  pos += GNUTLS_RANDOM_SIZE;
686
687
0
  ret = _gnutls_gen_server_random(session, neg_version);
688
0
  if (ret < 0)
689
0
    return gnutls_assert_val(ret);
690
691
0
  session->security_parameters.timestamp = gnutls_time(NULL);
692
693
0
  DECR_LEN(len, 1);
694
0
  session_id_len = data[pos++];
695
696
  /* RESUME SESSION
697
   */
698
0
  if (session_id_len > GNUTLS_MAX_SESSION_ID_SIZE) {
699
0
    gnutls_assert();
700
0
    return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
701
0
  }
702
0
  DECR_LEN(len, session_id_len);
703
0
  session_id = &data[pos];
704
0
  pos += session_id_len;
705
706
0
  if (IS_DTLS(session)) {
707
0
    int cookie_size;
708
709
0
    DECR_LEN(len, 1);
710
0
    cookie_size = data[pos++];
711
0
    DECR_LEN(len, cookie_size);
712
0
    pos += cookie_size;
713
0
  }
714
715
  /* move forward to extensions and store other vals */
716
0
  DECR_LEN(len, 2);
717
0
  suite_size = _gnutls_read_uint16(&data[pos]);
718
0
  pos += 2;
719
720
0
  if (suite_size == 0 || (suite_size % 2) != 0)
721
0
    return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
722
723
0
  suite_ptr = &data[pos];
724
0
  DECR_LEN(len, suite_size);
725
0
  pos += suite_size;
726
727
0
  DECR_LEN(len, 1);
728
0
  comp_size = data[pos++];  /* the number of compression methods */
729
730
0
  if (comp_size == 0)
731
0
    return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
732
733
0
  comp_ptr = &data[pos];
734
0
  DECR_LEN(len, comp_size);
735
0
  pos += comp_size;
736
737
0
  ext_ptr = &data[pos];
738
0
  ext_size = len;
739
740
  /* Parse only the mandatory to read extensions for resumption
741
   * and version negotiation. We don't want to parse any other
742
   * extensions since  we don't want new extension values to override
743
   * the resumed ones. */
744
0
  ret =
745
0
      _gnutls_parse_hello_extensions(session,
746
0
             GNUTLS_EXT_FLAG_CLIENT_HELLO,
747
0
             GNUTLS_EXT_VERSION_NEG, ext_ptr,
748
0
             ext_size);
749
0
  if (ret < 0)
750
0
    return gnutls_assert_val(ret);
751
752
0
  ret =
753
0
      _gnutls_parse_hello_extensions(session,
754
0
             GNUTLS_EXT_FLAG_CLIENT_HELLO,
755
0
             GNUTLS_EXT_MANDATORY, ext_ptr,
756
0
             ext_size);
757
0
  if (ret < 0)
758
0
    return gnutls_assert_val(ret);
759
760
0
  vers = get_version(session);
761
0
  if (unlikely(vers == NULL))
762
0
    return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
763
764
0
  if (!vers->tls13_sem) {
765
0
    ret =
766
0
        _gnutls_server_restore_session(session, session_id,
767
0
               session_id_len);
768
769
0
    if (session_id_len > 0)
770
0
      session->internals.resumption_requested = 1;
771
772
0
    if (ret == 0) { /* resumed using default TLS resumption! */
773
0
      ret =
774
0
          _gnutls_server_select_suite(session, suite_ptr,
775
0
              suite_size, 1);
776
0
      if (ret < 0)
777
0
        return gnutls_assert_val(ret);
778
779
0
      ret = tls12_resume_copy_required_vals(session, 0);
780
0
      if (ret < 0)
781
0
        return gnutls_assert_val(ret);
782
783
0
      session->internals.resumed = true;
784
785
0
      return _gnutls_user_hello_func(session, major, minor);
786
0
    } else {
787
0
      ret =
788
0
          _gnutls_generate_session_id
789
0
          (session->security_parameters.session_id,
790
0
           &session->security_parameters.session_id_size);
791
0
      if (ret < 0)
792
0
        return gnutls_assert_val(ret);
793
794
0
      session->internals.resumed = false;
795
0
    }
796
0
  } else {   /* TLS1.3 */
797
    /* we echo client's session ID - length was checked previously */
798
0
    assert(session_id_len <= GNUTLS_MAX_SESSION_ID_SIZE);
799
0
    if (session_id_len > 0)
800
0
      memcpy(session->security_parameters.session_id,
801
0
             session_id, session_id_len);
802
0
    session->security_parameters.session_id_size = session_id_len;
803
0
  }
804
805
  /* Parse the extensions (if any)
806
   *
807
   * Unconditionally try to parse extensions; safe renegotiation uses them in
808
   * sslv3 and higher, even though sslv3 doesn't officially support them.
809
   */
810
0
  ret =
811
0
      _gnutls_parse_hello_extensions(session,
812
0
             GNUTLS_EXT_FLAG_CLIENT_HELLO,
813
0
             GNUTLS_EXT_APPLICATION, ext_ptr,
814
0
             ext_size);
815
  /* len is the rest of the parsed length */
816
0
  if (ret < 0) {
817
0
    gnutls_assert();
818
0
    return ret;
819
0
  }
820
821
  /* we cache this error code */
822
0
  sret = _gnutls_user_hello_func(session, major, minor);
823
0
  if (sret < 0 && sret != GNUTLS_E_INT_RET_0) {
824
0
    gnutls_assert();
825
0
    return sret;
826
0
  }
827
828
  /* Session tickets are parsed in this point */
829
0
  ret =
830
0
      _gnutls_parse_hello_extensions(session,
831
0
             GNUTLS_EXT_FLAG_CLIENT_HELLO,
832
0
             GNUTLS_EXT_TLS, ext_ptr, ext_size);
833
0
  if (ret < 0) {
834
0
    gnutls_assert();
835
0
    return ret;
836
0
  }
837
838
0
  if (session->internals.hsk_flags & HSK_EARLY_DATA_ACCEPTED) {
839
0
    const cipher_entry_st *ce;
840
0
    const mac_entry_st *me;
841
0
    record_parameters_st *params;
842
843
0
    ce = cipher_to_entry(session->internals.
844
0
             resumed_security_parameters.
845
0
             cs->block_algorithm);
846
0
    me = mac_to_entry(session->internals.
847
0
          resumed_security_parameters.
848
0
          cs->mac_algorithm);
849
850
0
    ret = _gnutls_epoch_get(session, EPOCH_NEXT, &params);
851
0
    if (ret < 0) {
852
0
      return gnutls_assert_val(ret);
853
0
    }
854
855
0
    params->cipher = ce;
856
0
    params->mac = me;
857
858
0
    ret = _tls13_read_connection_state_init(session, STAGE_EARLY);
859
0
    if (ret < 0) {
860
0
      return gnutls_assert_val(ret);
861
0
    }
862
863
0
    _gnutls_epoch_bump(session);
864
0
    ret = _gnutls_epoch_dup(session, EPOCH_READ_CURRENT);
865
0
    if (ret < 0) {
866
0
      return gnutls_assert_val(ret);
867
0
    }
868
0
  }
869
870
  /* resumed by session_ticket extension */
871
0
  if (!vers->tls13_sem && session->internals.resumed) {
872
0
    session->internals.resumed_security_parameters.
873
0
        max_record_recv_size =
874
0
        session->security_parameters.max_record_recv_size;
875
0
    session->internals.resumed_security_parameters.
876
0
        max_record_send_size =
877
0
        session->security_parameters.max_record_send_size;
878
879
0
    ret =
880
0
        _gnutls_server_select_suite(session, suite_ptr, suite_size,
881
0
            1);
882
0
    if (ret < 0)
883
0
      return gnutls_assert_val(ret);
884
885
0
    ret = tls12_resume_copy_required_vals(session, 1);
886
0
    if (ret < 0)
887
0
      return gnutls_assert_val(ret);
888
889
    /* to indicate to the client that the current session is resumed */
890
0
    memcpy(session->security_parameters.session_id, session_id,
891
0
           session_id_len);
892
0
    session->security_parameters.session_id_size = session_id_len;
893
894
0
    return 0;
895
0
  }
896
897
  /* select an appropriate cipher suite (as well as certificate)
898
   */
899
0
  ret = _gnutls_server_select_suite(session, suite_ptr, suite_size, 0);
900
0
  if (ret < 0) {
901
0
    gnutls_assert();
902
0
    return ret;
903
0
  }
904
905
  /* Only at this point we know the version we are actually going to use
906
   * ("supported_versions" extension is parsed, user_hello_func is called,
907
   * legacy version negotiation is done). */
908
0
  vers = get_version(session);
909
0
  if (unlikely(vers == NULL))
910
0
    return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
911
912
0
  if (_gnutls_version_priority(session, vers->id) < 0)
913
0
    return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
914
915
  /* check if EMS is required */
916
0
  if (!vers->tls13_sem &&
917
0
      vers->id != GNUTLS_SSL3 && vers->id != GNUTLS_DTLS0_9 &&
918
0
      session->internals.priorities->force_ext_master_secret &&
919
0
      !session->security_parameters.ext_master_secret) {
920
0
    return gnutls_assert_val(GNUTLS_E_INSUFFICIENT_SECURITY);
921
0
  }
922
923
0
  _gnutls_handshake_log("HSK[%p]: Selected version %s\n", session,
924
0
            vers->name);
925
926
  /* select appropriate compression method */
927
0
  ret = check_if_null_comp_present(session, comp_ptr, comp_size);
928
0
  if (ret < 0) {
929
0
    gnutls_assert();
930
0
    return ret;
931
0
  }
932
933
  /* call extensions that are intended to be parsed after the ciphersuite/cert
934
   * are known. */
935
0
  ret =
936
0
      _gnutls_parse_hello_extensions(session,
937
0
             GNUTLS_EXT_FLAG_CLIENT_HELLO,
938
0
             _GNUTLS_EXT_TLS_POST_CS, ext_ptr,
939
0
             ext_size);
940
0
  if (ret < 0) {
941
0
    gnutls_assert();
942
0
    return ret;
943
0
  }
944
945
  /* Calculate TLS 1.3 Early Secret */
946
0
  if (session->security_parameters.pversion->tls13_sem &&
947
0
      !(session->internals.hsk_flags & HSK_PSK_SELECTED)) {
948
0
    ret = _tls13_init_secret(session, NULL, 0);
949
0
    if (ret < 0)
950
0
      return gnutls_assert_val(ret);
951
0
  }
952
953
0
  ret = set_auth_types(session);
954
0
  if (ret < 0) {
955
0
    gnutls_assert();
956
0
    return ret;
957
0
  }
958
959
0
  return sret;
960
0
}
961
962
/* This is to be called after sending CHANGE CIPHER SPEC packet
963
 * and initializing encryption. This is the first encrypted message
964
 * we send.
965
 */
966
int _gnutls_send_finished(gnutls_session_t session, int again)
967
0
{
968
0
  mbuffer_st *bufel;
969
0
  uint8_t *data;
970
0
  int ret;
971
0
  size_t vdata_size = 0;
972
0
  const version_entry_st *vers;
973
974
0
  if (again == 0) {
975
0
    bufel = _gnutls_handshake_alloc(session, MAX_VERIFY_DATA_SIZE);
976
0
    if (bufel == NULL) {
977
0
      gnutls_assert();
978
0
      return GNUTLS_E_MEMORY_ERROR;
979
0
    }
980
0
    data = _mbuffer_get_udata_ptr(bufel);
981
982
0
    vers = get_version(session);
983
0
    if (unlikely(vers == NULL))
984
0
      return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
985
986
#ifdef ENABLE_SSL3
987
    if (vers->id == GNUTLS_SSL3) {
988
      ret =
989
          _gnutls_ssl3_finished(session,
990
              session->security_parameters.
991
              entity, data, 1);
992
      _mbuffer_set_udata_size(bufel, 36);
993
    } else {  /* TLS 1.0+ */
994
#endif
995
0
      ret = _gnutls_finished(session,
996
0
                 session->
997
0
                 security_parameters.entity, data,
998
0
                 1);
999
0
      _mbuffer_set_udata_size(bufel, 12);
1000
#ifdef ENABLE_SSL3
1001
    }
1002
#endif
1003
1004
0
    if (ret < 0) {
1005
0
      gnutls_assert();
1006
0
      return ret;
1007
0
    }
1008
1009
0
    vdata_size = _mbuffer_get_udata_size(bufel);
1010
1011
0
    ret = _gnutls_ext_sr_finished(session, data, vdata_size, 0);
1012
0
    if (ret < 0) {
1013
0
      gnutls_assert();
1014
0
      return ret;
1015
0
    }
1016
1017
0
    if ((!session->internals.resumed
1018
0
         && session->security_parameters.entity == GNUTLS_CLIENT)
1019
0
        || (session->internals.resumed
1020
0
      && session->security_parameters.entity ==
1021
0
      GNUTLS_SERVER)) {
1022
      /* if we are a client not resuming - or we are a server resuming */
1023
0
      _gnutls_handshake_log
1024
0
          ("HSK[%p]: recording tls-unique CB (send)\n",
1025
0
           session);
1026
0
      memcpy(session->internals.cb_tls_unique, data,
1027
0
             vdata_size);
1028
0
      session->internals.cb_tls_unique_len = vdata_size;
1029
0
    }
1030
1031
0
    ret =
1032
0
        _gnutls_send_handshake(session, bufel,
1033
0
             GNUTLS_HANDSHAKE_FINISHED);
1034
0
  } else {
1035
0
    ret =
1036
0
        _gnutls_send_handshake(session, NULL,
1037
0
             GNUTLS_HANDSHAKE_FINISHED);
1038
0
  }
1039
1040
0
  return ret;
1041
0
}
1042
1043
/* This is to be called after sending our finished message. If everything
1044
 * went fine we have negotiated a secure connection
1045
 */
1046
int _gnutls_recv_finished(gnutls_session_t session)
1047
0
{
1048
0
  uint8_t data[MAX_VERIFY_DATA_SIZE], *vrfy;
1049
0
  gnutls_buffer_st buf;
1050
0
  int data_size;
1051
0
  int ret;
1052
0
  int vrfy_size;
1053
0
  const version_entry_st *vers = get_version(session);
1054
1055
0
  if (unlikely(vers == NULL))
1056
0
    return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
1057
1058
0
  ret =
1059
0
      _gnutls_recv_handshake(session, GNUTLS_HANDSHAKE_FINISHED, 0, &buf);
1060
0
  if (ret < 0) {
1061
0
    gnutls_assert();
1062
0
    return ret;
1063
0
  }
1064
1065
0
  vrfy = buf.data;
1066
0
  vrfy_size = buf.length;
1067
1068
#ifdef ENABLE_SSL3
1069
  if (vers->id == GNUTLS_SSL3)
1070
    data_size = 36;
1071
  else
1072
#endif
1073
0
    data_size = 12;
1074
1075
0
  if (vrfy_size != data_size) {
1076
0
    gnutls_assert();
1077
0
    ret = GNUTLS_E_ERROR_IN_FINISHED_PACKET;
1078
0
    goto cleanup;
1079
0
  }
1080
1081
#ifdef ENABLE_SSL3
1082
  if (vers->id == GNUTLS_SSL3) {
1083
    ret =
1084
        _gnutls_ssl3_finished(session,
1085
            (session->security_parameters.entity +
1086
             1) % 2, data, 0);
1087
  } else      /* TLS 1.0+ */
1088
#endif
1089
0
    ret =
1090
0
        _gnutls_finished(session,
1091
0
             (session->security_parameters.entity +
1092
0
              1) % 2, data, 0);
1093
1094
0
  if (ret < 0) {
1095
0
    gnutls_assert();
1096
0
    goto cleanup;
1097
0
  }
1098
1099
#if defined(FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION)
1100
  /* When fuzzying allow to proceed without verifying the handshake
1101
   * consistency */
1102
  (void)vrfy;
1103
# warning This is unsafe for production builds
1104
1105
#else
1106
0
  if (memcmp(vrfy, data, data_size) != 0) {
1107
0
    gnutls_assert();
1108
0
    ret = GNUTLS_E_ERROR_IN_FINISHED_PACKET;
1109
0
    goto cleanup;
1110
0
  }
1111
0
#endif
1112
1113
0
  ret = _gnutls_ext_sr_finished(session, data, data_size, 1);
1114
0
  if (ret < 0) {
1115
0
    gnutls_assert();
1116
0
    goto cleanup;
1117
0
  }
1118
1119
0
  if ((session->internals.resumed
1120
0
       && session->security_parameters.entity == GNUTLS_CLIENT)
1121
0
      || (!session->internals.resumed
1122
0
    && session->security_parameters.entity == GNUTLS_SERVER)) {
1123
    /* if we are a client resuming - or we are a server not resuming */
1124
0
    _gnutls_handshake_log
1125
0
        ("HSK[%p]: recording tls-unique CB (recv)\n", session);
1126
0
    memcpy(session->internals.cb_tls_unique, data, data_size);
1127
0
    session->internals.cb_tls_unique_len = data_size;
1128
0
  }
1129
1130
0
 cleanup:
1131
0
  _gnutls_buffer_clear(&buf);
1132
1133
0
  return ret;
1134
0
}
1135
1136
/* This selects the best supported ciphersuite from the given ones. Then
1137
 * it adds the suite to the session and performs some checks.
1138
 *
1139
 * When @scsv_only is non-zero only the available SCSVs are parsed
1140
 * and acted upon.
1141
 */
1142
int
1143
_gnutls_server_select_suite(gnutls_session_t session, uint8_t * data,
1144
          unsigned int datalen, unsigned scsv_only)
1145
0
{
1146
0
  int ret;
1147
0
  unsigned int i;
1148
0
  ciphersuite_list_st peer_clist;
1149
0
  const gnutls_cipher_suite_entry_st *selected;
1150
0
  gnutls_kx_algorithm_t kx;
1151
0
  int retval;
1152
0
  const version_entry_st *vers = get_version(session);
1153
1154
0
  peer_clist.size = 0;
1155
1156
0
  for (i = 0; i < datalen; i += 2) {
1157
    /* we support the TLS renegotiation SCSV, even if we are
1158
     * not under SSL 3.0, because openssl sends this SCSV
1159
     * on resumption unconditionally. */
1160
    /* TLS_RENEGO_PROTECTION_REQUEST = { 0x00, 0xff } */
1161
0
    if (session->internals.priorities->sr != SR_DISABLED &&
1162
0
        data[i] == GNUTLS_RENEGO_PROTECTION_REQUEST_MAJOR &&
1163
0
        data[i + 1] == GNUTLS_RENEGO_PROTECTION_REQUEST_MINOR) {
1164
0
      _gnutls_handshake_log
1165
0
          ("HSK[%p]: Received safe renegotiation CS\n",
1166
0
           session);
1167
0
      retval = _gnutls_ext_sr_recv_cs(session);
1168
0
      if (retval < 0) {
1169
0
        gnutls_assert();
1170
0
        return retval;
1171
0
      }
1172
0
    }
1173
1174
    /* TLS_FALLBACK_SCSV */
1175
0
    if (data[i] == GNUTLS_FALLBACK_SCSV_MAJOR &&
1176
0
        data[i + 1] == GNUTLS_FALLBACK_SCSV_MINOR) {
1177
0
      const version_entry_st *max =
1178
0
          _gnutls_version_max(session);
1179
1180
0
      _gnutls_handshake_log
1181
0
          ("HSK[%p]: Received fallback CS\n", session);
1182
1183
0
      if (vers != max)
1184
0
        return
1185
0
            gnutls_assert_val
1186
0
            (GNUTLS_E_INAPPROPRIATE_FALLBACK);
1187
0
    } else if (!scsv_only) {
1188
0
      if (peer_clist.size < MAX_CIPHERSUITE_SIZE) {
1189
0
        peer_clist.entry[peer_clist.size] =
1190
0
            ciphersuite_to_entry(&data[i]);
1191
0
        if (peer_clist.entry[peer_clist.size] != NULL)
1192
0
          peer_clist.size++;
1193
0
      }
1194
0
    }
1195
0
  }
1196
1197
0
  if (scsv_only)
1198
0
    return 0;
1199
1200
0
  ret =
1201
0
      _gnutls_figure_common_ciphersuite(session, &peer_clist, &selected);
1202
0
  if (ret < 0) {
1203
0
    return gnutls_assert_val(ret);
1204
0
  }
1205
1206
0
  _gnutls_handshake_log
1207
0
      ("HSK[%p]: Selected cipher suite: %s\n", session, selected->name);
1208
1209
0
  ret = _gnutls_set_cipher_suite2(session, selected);
1210
0
  if (ret < 0) {
1211
0
    gnutls_assert();
1212
0
    return ret;
1213
0
  }
1214
1215
0
  if (!vers->tls13_sem) {
1216
    /* check if the credentials (username, public key etc.) are ok
1217
     */
1218
0
    kx = selected->kx_algorithm;
1219
0
    if (_gnutls_get_kx_cred(session, kx) == NULL) {
1220
0
      gnutls_assert();
1221
0
      return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
1222
0
    }
1223
1224
    /* set the mod_auth_st to the appropriate struct
1225
     * according to the KX algorithm. This is needed since all the
1226
     * handshake functions are read from there;
1227
     */
1228
0
    session->internals.auth_struct = _gnutls_kx_auth_struct(kx);
1229
0
    if (session->internals.auth_struct == NULL) {
1230
0
      _gnutls_handshake_log
1231
0
          ("HSK[%p]: Cannot find the appropriate handler for the KX algorithm\n",
1232
0
           session);
1233
0
      gnutls_assert();
1234
0
      return GNUTLS_E_INTERNAL_ERROR;
1235
0
    }
1236
0
  }
1237
1238
0
  return 0;
1239
1240
0
}
1241
1242
/* This checks whether the null compression method is present.
1243
 */
1244
static int
1245
check_if_null_comp_present(gnutls_session_t session,
1246
         uint8_t * data, int datalen)
1247
0
{
1248
0
  int j;
1249
1250
0
  for (j = 0; j < datalen; j++) {
1251
0
    if (data[j] == 0)
1252
0
      return 0;
1253
0
  }
1254
1255
  /* we were not able to find a the NULL compression
1256
   * algorithm
1257
   */
1258
0
  gnutls_assert();
1259
0
  return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM;
1260
1261
0
}
1262
1263
/* This function sends an empty handshake packet. (like hello request).
1264
 * If the previous _gnutls_send_empty_handshake() returned
1265
 * GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED, then it must be called again
1266
 * (until it returns ok), with NULL parameters.
1267
 */
1268
static int
1269
_gnutls_send_empty_handshake(gnutls_session_t session,
1270
           gnutls_handshake_description_t type, int again)
1271
0
{
1272
0
  mbuffer_st *bufel;
1273
1274
0
  if (again == 0) {
1275
0
    bufel = _gnutls_handshake_alloc(session, 0);
1276
0
    if (bufel == NULL) {
1277
0
      gnutls_assert();
1278
0
      return GNUTLS_E_MEMORY_ERROR;
1279
0
    }
1280
0
  } else
1281
0
    bufel = NULL;
1282
1283
0
  return _gnutls_send_handshake(session, bufel, type);
1284
0
}
1285
1286
int _gnutls_call_hook_func(gnutls_session_t session,
1287
         gnutls_handshake_description_t type,
1288
         int post, unsigned incoming,
1289
         const uint8_t * data, unsigned data_size)
1290
0
{
1291
0
  gnutls_datum_t msg = { (void *)data, data_size };
1292
1293
0
  if (session->internals.h_hook != NULL) {
1294
0
    if ((session->internals.h_type == type
1295
0
         || session->internals.h_type == GNUTLS_HANDSHAKE_ANY)
1296
0
        && (session->internals.h_post == post
1297
0
      || session->internals.h_post == GNUTLS_HOOK_BOTH)) {
1298
1299
      /* internal API for testing: when we are expected to
1300
       * wait for GNUTLS_HANDSHAKE_CHANGE_CIPHER_SPEC, we
1301
       * do so, but not when doing for all messages. The
1302
       * reason is that change cipher specs are not handshake
1303
       * messages, and we don't support waiting for them
1304
       * consistently (only sending is tracked, not receiving).
1305
       */
1306
0
      if (type == GNUTLS_HANDSHAKE_CHANGE_CIPHER_SPEC &&
1307
0
          session->internals.h_type !=
1308
0
          GNUTLS_HANDSHAKE_CHANGE_CIPHER_SPEC)
1309
0
        return 0;
1310
1311
0
      return session->internals.h_hook(session, type,
1312
0
               post, incoming, &msg);
1313
0
    }
1314
0
  }
1315
0
  return 0;
1316
0
}
1317
1318
/* Note that the "New session ticket" handshake packet behaves differently under
1319
 * TLS 1.2 or 1.3. In 1.2 it is included in the handshake process, while in 1.3
1320
 * it is sent asynchronously */
1321
#define IS_ASYNC(t, v) \
1322
0
  (t == GNUTLS_HANDSHAKE_HELLO_REQUEST || t == GNUTLS_HANDSHAKE_KEY_UPDATE || \
1323
0
   (t == GNUTLS_HANDSHAKE_NEW_SESSION_TICKET && v->tls13_sem))
1324
1325
int
1326
_gnutls_send_handshake(gnutls_session_t session, mbuffer_st * bufel,
1327
           gnutls_handshake_description_t type)
1328
0
{
1329
0
  return _gnutls_send_handshake2(session, bufel, type, 0);
1330
0
}
1331
1332
/* This function sends a handshake message of type 'type' containing the
1333
 * data specified here. If the previous _gnutls_send_handshake() returned
1334
 * GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED, then it must be called again
1335
 * (until it returns ok), with NULL parameters.
1336
 */
1337
int
1338
_gnutls_send_handshake2(gnutls_session_t session, mbuffer_st * bufel,
1339
      gnutls_handshake_description_t type,
1340
      unsigned queue_only)
1341
0
{
1342
0
  int ret;
1343
0
  uint8_t *data;
1344
0
  uint32_t datasize, i_datasize;
1345
0
  int pos = 0;
1346
0
  const version_entry_st *vers = get_version(session);
1347
1348
0
  if (bufel == NULL) {
1349
    /* we are resuming a previously interrupted
1350
     * send.
1351
     */
1352
0
    ret = _gnutls_handshake_io_write_flush(session);
1353
0
    return ret;
1354
1355
0
  }
1356
1357
  /* first run */
1358
0
  data = _mbuffer_get_uhead_ptr(bufel);
1359
0
  i_datasize = _mbuffer_get_udata_size(bufel);
1360
0
  datasize = i_datasize + _mbuffer_get_uhead_size(bufel);
1361
1362
0
  data[pos++] = (uint8_t) REAL_HSK_TYPE(type);
1363
0
  _gnutls_write_uint24(_mbuffer_get_udata_size(bufel), &data[pos]);
1364
0
  pos += 3;
1365
1366
  /* Add DTLS handshake fragment headers.  The message will be
1367
   * fragmented later by the fragmentation sub-layer. All fields must
1368
   * be set properly for HMAC. The HMAC requires we pretend that the
1369
   * message was sent in a single fragment. */
1370
0
  if (IS_DTLS(session)) {
1371
0
    _gnutls_write_uint16(session->internals.dtls.hsk_write_seq++,
1372
0
             &data[pos]);
1373
0
    pos += 2;
1374
1375
    /* Fragment offset */
1376
0
    _gnutls_write_uint24(0, &data[pos]);
1377
0
    pos += 3;
1378
1379
    /* Fragment length */
1380
0
    _gnutls_write_uint24(i_datasize, &data[pos]);
1381
    /* pos += 3; */
1382
0
  }
1383
1384
0
  _gnutls_handshake_log("HSK[%p]: %s was queued [%ld bytes]\n",
1385
0
            session, _gnutls_handshake2str(type),
1386
0
            (long)datasize);
1387
1388
  /* Here we keep the handshake messages in order to hash them...
1389
   */
1390
0
  if (!IS_ASYNC(type, vers)) {
1391
0
    if ((ret =
1392
0
         handshake_hash_add_sent(session, type, data,
1393
0
               datasize)) < 0) {
1394
0
      gnutls_assert();
1395
0
      _mbuffer_xfree(&bufel);
1396
0
      return ret;
1397
0
    }
1398
    /* If we are sending a PSK, generate early secrets here.
1399
     * This cannot be done in pre_shared_key.c, because it
1400
     * relies on transcript hash of a Client Hello. */
1401
0
    if (type == GNUTLS_HANDSHAKE_CLIENT_HELLO &&
1402
0
        session->key.binders[0].prf != NULL) {
1403
0
      ret = _gnutls_generate_early_secrets_for_psk(session);
1404
0
      if (ret < 0) {
1405
0
        gnutls_assert();
1406
0
        _mbuffer_xfree(&bufel);
1407
0
        return ret;
1408
0
      }
1409
0
    }
1410
0
  }
1411
1412
0
  ret = _gnutls_call_hook_func(session, type, GNUTLS_HOOK_PRE, 0,
1413
0
             _mbuffer_get_udata_ptr(bufel),
1414
0
             _mbuffer_get_udata_size(bufel));
1415
0
  if (ret < 0) {
1416
0
    gnutls_assert();
1417
0
    _mbuffer_xfree(&bufel);
1418
0
    return ret;
1419
0
  }
1420
1421
0
  session->internals.last_handshake_out = type;
1422
1423
0
  ret = _gnutls_handshake_io_cache_int(session, type, bufel);
1424
0
  if (ret < 0) {
1425
0
    _mbuffer_xfree(&bufel);
1426
0
    gnutls_assert();
1427
0
    return ret;
1428
0
  }
1429
1430
0
  ret = _gnutls_call_hook_func(session, type, GNUTLS_HOOK_POST, 0,
1431
0
             _mbuffer_get_udata_ptr(bufel),
1432
0
             _mbuffer_get_udata_size(bufel));
1433
0
  if (ret < 0) {
1434
0
    gnutls_assert();
1435
0
    return ret;
1436
0
  }
1437
1438
0
  if (queue_only)
1439
0
    return 0;
1440
1441
  /* Decide when to cache and when to send */
1442
0
  if (vers && vers->tls13_sem) {
1443
1444
0
    if (session->internals.initial_negotiation_completed) {
1445
      /* we are under TLS1.3 in a re-authentication phase.
1446
       * we don't attempt to cache any messages */
1447
0
      goto force_send;
1448
0
    }
1449
1450
    /* The messages which are followed by another are not sent by default
1451
     * but are cached instead */
1452
0
    switch (type) {
1453
0
    case GNUTLS_HANDSHAKE_SERVER_HELLO: /* always followed by something */
1454
0
    case GNUTLS_HANDSHAKE_ENCRYPTED_EXTENSIONS: /* followed by finished or cert */
1455
0
    case GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST:  /* followed by certificate */
1456
0
    case GNUTLS_HANDSHAKE_CERTIFICATE_PKT:  /* this one is followed by cert verify */
1457
0
    case GNUTLS_HANDSHAKE_COMPRESSED_CERTIFICATE_PKT: /* as above */
1458
0
    case GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY: /* followed by finished */
1459
0
      ret = 0;  /* cache */
1460
0
      break;
1461
0
    default:
1462
      /* send this and any cached messages */
1463
0
      goto force_send;
1464
0
    }
1465
0
  } else {
1466
    /* The messages which are followed by another are not sent by default
1467
     * but are cached instead */
1468
0
    switch (type) {
1469
0
    case GNUTLS_HANDSHAKE_CERTIFICATE_PKT:  /* this one is followed by ServerHelloDone
1470
               * or ClientKeyExchange always.
1471
               */
1472
0
    case GNUTLS_HANDSHAKE_COMPRESSED_CERTIFICATE_PKT: /* as above */
1473
0
    case GNUTLS_HANDSHAKE_CERTIFICATE_STATUS:
1474
0
    case GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE:  /* as above */
1475
0
    case GNUTLS_HANDSHAKE_SERVER_HELLO: /* as above */
1476
0
    case GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST:  /* as above */
1477
0
    case GNUTLS_HANDSHAKE_NEW_SESSION_TICKET: /* followed by ChangeCipherSpec */
1478
1479
      /* now for client Certificate, ClientKeyExchange and
1480
       * CertificateVerify are always followed by ChangeCipherSpec
1481
       */
1482
0
    case GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY:
1483
0
    case GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE:
1484
0
      ret = 0;
1485
0
      break;
1486
0
    default:
1487
      /* send this and any cached messages */
1488
0
      goto force_send;
1489
0
    }
1490
0
  }
1491
1492
0
  return ret;
1493
1494
0
 force_send:
1495
0
  return _gnutls_handshake_io_write_flush(session);
1496
0
}
1497
1498
#define CHECK_SIZE(ll) \
1499
0
  if ((session->internals.max_handshake_data_buffer_size > 0) && \
1500
0
      (((ll) + session->internals.handshake_hash_buffer.length) > \
1501
0
       session->internals.max_handshake_data_buffer_size)) { \
1502
0
    _gnutls_debug_log("Handshake buffer length is %u (max: %u)\n", (unsigned)((ll) + session->internals.handshake_hash_buffer.length), (unsigned)session->internals.max_handshake_data_buffer_size); \
1503
0
    return gnutls_assert_val(GNUTLS_E_HANDSHAKE_TOO_LARGE); \
1504
0
    }
1505
1506
/* This function add the handshake headers and the
1507
 * handshake data to the handshake hash buffers. Needed
1508
 * for the finished messages calculations.
1509
 */
1510
static int
1511
handshake_hash_add_recvd(gnutls_session_t session,
1512
       gnutls_handshake_description_t recv_type,
1513
       uint8_t * header, uint16_t header_size,
1514
       uint8_t * dataptr, uint32_t datalen)
1515
0
{
1516
0
  int ret;
1517
0
  const version_entry_st *vers = get_version(session);
1518
1519
0
  if (unlikely(vers == NULL))
1520
0
    return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
1521
1522
0
  if ((vers->id != GNUTLS_DTLS0_9 &&
1523
0
       recv_type == GNUTLS_HANDSHAKE_HELLO_VERIFY_REQUEST) ||
1524
0
      IS_ASYNC(recv_type, vers))
1525
0
    return 0;
1526
1527
0
  CHECK_SIZE(header_size + datalen);
1528
1529
0
  session->internals.handshake_hash_buffer_prev_len =
1530
0
      session->internals.handshake_hash_buffer.length;
1531
1532
0
  if (vers->id != GNUTLS_DTLS0_9) {
1533
0
    ret =
1534
0
        _gnutls_buffer_append_data(&session->internals.
1535
0
                 handshake_hash_buffer, header,
1536
0
                 header_size);
1537
0
    if (ret < 0)
1538
0
      return gnutls_assert_val(ret);
1539
0
  }
1540
0
  if (datalen > 0) {
1541
0
    ret =
1542
0
        _gnutls_buffer_append_data(&session->internals.
1543
0
                 handshake_hash_buffer, dataptr,
1544
0
                 datalen);
1545
0
    if (ret < 0)
1546
0
      return gnutls_assert_val(ret);
1547
0
  }
1548
1549
  /* save the size until client KX. That is because the TLS
1550
   * session hash is calculated up to this message.
1551
   */
1552
0
  if (recv_type == GNUTLS_HANDSHAKE_CLIENT_HELLO)
1553
0
    session->internals.handshake_hash_buffer_client_hello_len =
1554
0
        session->internals.handshake_hash_buffer.length;
1555
0
  if (recv_type == GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE)
1556
0
    session->internals.handshake_hash_buffer_client_kx_len =
1557
0
        session->internals.handshake_hash_buffer.length;
1558
0
  if (recv_type == GNUTLS_HANDSHAKE_FINISHED
1559
0
      && session->security_parameters.entity == GNUTLS_CLIENT)
1560
0
    session->internals.handshake_hash_buffer_server_finished_len =
1561
0
        session->internals.handshake_hash_buffer.length;
1562
0
  if (recv_type == GNUTLS_HANDSHAKE_FINISHED
1563
0
      && session->security_parameters.entity == GNUTLS_SERVER)
1564
0
    session->internals.handshake_hash_buffer_client_finished_len =
1565
0
        session->internals.handshake_hash_buffer.length;
1566
1567
0
  return 0;
1568
0
}
1569
1570
/* This function will store the handshake message we sent.
1571
 */
1572
static int
1573
handshake_hash_add_sent(gnutls_session_t session,
1574
      gnutls_handshake_description_t type,
1575
      uint8_t * dataptr, uint32_t datalen)
1576
0
{
1577
0
  int ret;
1578
0
  const version_entry_st *vers = get_version(session);
1579
1580
0
  if (unlikely(vers == NULL))
1581
0
    return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
1582
1583
0
  if (IS_ASYNC(type, vers))
1584
0
    return 0;
1585
1586
0
  CHECK_SIZE(datalen);
1587
1588
0
  if (vers->id == GNUTLS_DTLS0_9) {
1589
    /* Old DTLS doesn't include the header in the MAC */
1590
0
    if (datalen < 12) {
1591
0
      gnutls_assert();
1592
0
      return GNUTLS_E_INTERNAL_ERROR;
1593
0
    }
1594
0
    dataptr += 12;
1595
0
    datalen -= 12;
1596
1597
0
    if (datalen == 0)
1598
0
      return 0;
1599
0
  }
1600
1601
0
  ret =
1602
0
      _gnutls_buffer_append_data(&session->internals.
1603
0
               handshake_hash_buffer, dataptr, datalen);
1604
0
  if (ret < 0)
1605
0
    return gnutls_assert_val(ret);
1606
1607
0
  if (type == GNUTLS_HANDSHAKE_CLIENT_HELLO)
1608
0
    session->internals.handshake_hash_buffer_client_hello_len =
1609
0
        session->internals.handshake_hash_buffer.length;
1610
0
  if (type == GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE)
1611
0
    session->internals.handshake_hash_buffer_client_kx_len =
1612
0
        session->internals.handshake_hash_buffer.length;
1613
0
  if (type == GNUTLS_HANDSHAKE_FINISHED
1614
0
      && session->security_parameters.entity == GNUTLS_SERVER)
1615
0
    session->internals.handshake_hash_buffer_server_finished_len =
1616
0
        session->internals.handshake_hash_buffer.length;
1617
0
  if (type == GNUTLS_HANDSHAKE_FINISHED
1618
0
      && session->security_parameters.entity == GNUTLS_CLIENT)
1619
0
    session->internals.handshake_hash_buffer_client_finished_len =
1620
0
        session->internals.handshake_hash_buffer.length;
1621
1622
0
  return 0;
1623
0
}
1624
1625
/* This function will receive handshake messages of the given types,
1626
 * and will pass the message to the right place in order to be processed.
1627
 * E.g. for the SERVER_HELLO message (if it is expected), it will be
1628
 * passed to _gnutls_recv_hello().
1629
 */
1630
int
1631
_gnutls_recv_handshake(gnutls_session_t session,
1632
           gnutls_handshake_description_t type,
1633
           unsigned int optional, gnutls_buffer_st * buf)
1634
0
{
1635
0
  int ret, ret2;
1636
0
  handshake_buffer_st hsk;
1637
1638
0
  ret = _gnutls_handshake_io_recv_int(session, type, &hsk, optional);
1639
0
  if (ret < 0) {
1640
0
    if (optional != 0
1641
0
        && ret == GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET) {
1642
0
      if (buf)
1643
0
        _gnutls_buffer_init(buf);
1644
0
      return 0;
1645
0
    }
1646
1647
0
    return gnutls_assert_val_fatal(ret);
1648
0
  }
1649
0
  session->internals.last_handshake_in = hsk.htype;
1650
1651
0
  ret =
1652
0
      _gnutls_call_hook_func(session, hsk.htype, GNUTLS_HOOK_PRE, 1,
1653
0
           hsk.data.data, hsk.data.length);
1654
0
  if (ret < 0) {
1655
0
    gnutls_assert();
1656
0
    goto cleanup;
1657
0
  }
1658
1659
0
  ret = handshake_hash_add_recvd(session, hsk.rtype,
1660
0
               hsk.header, hsk.header_size,
1661
0
               hsk.data.data, hsk.data.length);
1662
0
  if (ret < 0) {
1663
0
    gnutls_assert();
1664
0
    goto cleanup;
1665
0
  }
1666
1667
0
  switch (hsk.htype) {
1668
0
  case GNUTLS_HANDSHAKE_CLIENT_HELLO_V2:
1669
0
  case GNUTLS_HANDSHAKE_CLIENT_HELLO:
1670
0
    if (!(IS_SERVER(session))) {
1671
0
      ret = gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET);
1672
0
      goto cleanup;
1673
0
    }
1674
1675
0
#ifdef ENABLE_SSL2
1676
0
    if (hsk.htype == GNUTLS_HANDSHAKE_CLIENT_HELLO_V2)
1677
0
      ret =
1678
0
          _gnutls_read_client_hello_v2(session,
1679
0
               hsk.data.data,
1680
0
               hsk.data.length);
1681
0
    else
1682
0
#endif
1683
0
    {
1684
      /* Reference the full ClientHello in case an extension needs it */
1685
0
      ret = _gnutls_ext_set_full_client_hello(session, &hsk);
1686
0
      if (ret < 0)
1687
0
        return gnutls_assert_val(ret);
1688
1689
0
      ret = read_client_hello(session, hsk.data.data,
1690
0
            hsk.data.length);
1691
0
    }
1692
1693
0
    if (ret < 0) {
1694
0
      gnutls_assert();
1695
0
      goto cleanup;
1696
0
    }
1697
1698
0
    break;
1699
1700
0
  case GNUTLS_HANDSHAKE_SERVER_HELLO:
1701
0
    if (IS_SERVER(session)) {
1702
0
      ret = gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET);
1703
0
      goto cleanup;
1704
0
    }
1705
1706
0
    ret = read_server_hello(session, hsk.data.data,
1707
0
          hsk.data.length);
1708
1709
0
    if (ret < 0) {
1710
0
      gnutls_assert();
1711
0
      goto cleanup;
1712
0
    }
1713
1714
0
    break;
1715
0
  case GNUTLS_HANDSHAKE_HELLO_VERIFY_REQUEST:
1716
0
    if (IS_SERVER(session)) {
1717
0
      ret = gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET);
1718
0
      goto cleanup;
1719
0
    }
1720
1721
0
    ret =
1722
0
        recv_hello_verify_request(session,
1723
0
                hsk.data.data, hsk.data.length);
1724
0
    if (ret < 0) {
1725
0
      gnutls_assert();
1726
0
      goto cleanup;
1727
0
    } else {
1728
      /* Signal our caller we have received a verification cookie
1729
         and ClientHello needs to be sent again. */
1730
0
      ret = 1;
1731
0
    }
1732
1733
0
    break;
1734
0
  case GNUTLS_HANDSHAKE_HELLO_RETRY_REQUEST:{
1735
      /* hash buffer synth message is generated during hello retry parsing */
1736
0
      gnutls_datum_t hrr = { hsk.data.data, hsk.data.length };
1737
1738
0
      if (IS_SERVER(session)) {
1739
0
        ret =
1740
0
            gnutls_assert_val
1741
0
            (GNUTLS_E_UNEXPECTED_PACKET);
1742
0
        goto cleanup;
1743
0
      }
1744
1745
0
      ret =
1746
0
          _gnutls13_recv_hello_retry_request(session,
1747
0
                     &hsk.data);
1748
0
      if (ret < 0) {
1749
0
        gnutls_assert();
1750
0
        goto cleanup;
1751
0
      } else {
1752
        /* during hello retry parsing, we reset handshake hash buffer,
1753
         * re-add this message */
1754
0
        ret =
1755
0
            handshake_hash_add_recvd(session, hsk.htype,
1756
0
                   hsk.header,
1757
0
                   hsk.header_size,
1758
0
                   hrr.data,
1759
0
                   hrr.size);
1760
0
        if (ret < 0) {
1761
0
          gnutls_assert();
1762
0
          goto cleanup;
1763
0
        }
1764
1765
        /* Signal our caller we have received a retry request
1766
           and ClientHello needs to be sent again. */
1767
0
        ret = 1;
1768
0
      }
1769
1770
0
      break;
1771
0
    }
1772
0
  case GNUTLS_HANDSHAKE_SERVER_HELLO_DONE:
1773
0
    if (hsk.data.length == 0)
1774
0
      ret = 0;
1775
0
    else {
1776
0
      gnutls_assert();
1777
0
      ret = GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
1778
0
      goto cleanup;
1779
0
    }
1780
0
    break;
1781
0
  case GNUTLS_HANDSHAKE_CERTIFICATE_PKT:
1782
0
  case GNUTLS_HANDSHAKE_COMPRESSED_CERTIFICATE_PKT:
1783
0
  case GNUTLS_HANDSHAKE_CERTIFICATE_STATUS:
1784
0
  case GNUTLS_HANDSHAKE_FINISHED:
1785
0
  case GNUTLS_HANDSHAKE_ENCRYPTED_EXTENSIONS:
1786
0
  case GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE:
1787
0
  case GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE:
1788
0
  case GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST:
1789
0
  case GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY:
1790
0
  case GNUTLS_HANDSHAKE_SUPPLEMENTAL:
1791
0
  case GNUTLS_HANDSHAKE_NEW_SESSION_TICKET:
1792
0
  case GNUTLS_HANDSHAKE_END_OF_EARLY_DATA:
1793
0
    ret = hsk.data.length;
1794
0
    break;
1795
0
  default:
1796
0
    gnutls_assert();
1797
    /* we shouldn't actually arrive here in any case .
1798
     * unexpected messages should be caught after _gnutls_handshake_io_recv_int()
1799
     */
1800
0
    ret = GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET;
1801
0
    goto cleanup;
1802
0
  }
1803
1804
0
  ret2 =
1805
0
      _gnutls_call_hook_func(session, hsk.htype, GNUTLS_HOOK_POST, 1,
1806
0
           hsk.data.data, hsk.data.length);
1807
0
  if (ret2 < 0) {
1808
0
    ret = ret2;
1809
0
    gnutls_assert();
1810
0
    goto cleanup;
1811
0
  }
1812
1813
0
  if (buf) {
1814
0
    *buf = hsk.data;
1815
0
    return ret;
1816
0
  }
1817
1818
0
 cleanup:
1819
0
  _gnutls_handshake_buffer_clear(&hsk);
1820
0
  return ret;
1821
0
}
1822
1823
/* This function checks if the given cipher suite is supported, and sets it
1824
 * to the session;
1825
 */
1826
static int set_client_ciphersuite(gnutls_session_t session, uint8_t suite[2])
1827
0
{
1828
0
  unsigned j;
1829
0
  int ret;
1830
0
  const gnutls_cipher_suite_entry_st *selected = NULL;
1831
0
  const version_entry_st *vers = get_version(session);
1832
0
  gnutls_kx_algorithm_t kx;
1833
1834
0
  for (j = 0; j < session->internals.priorities->cs.size; j++) {
1835
0
    if (suite[0] ==
1836
0
        session->internals.priorities->cs.entry[j]->id[0]
1837
0
        && suite[1] ==
1838
0
        session->internals.priorities->cs.entry[j]->id[1]) {
1839
0
      selected = session->internals.priorities->cs.entry[j];
1840
0
      break;
1841
0
    }
1842
0
  }
1843
1844
0
  if (!selected) {
1845
0
    gnutls_assert();
1846
0
    _gnutls_handshake_log
1847
0
        ("HSK[%p]: unsupported cipher suite %.2X.%.2X was negotiated\n",
1848
0
         session, (unsigned int)suite[0], (unsigned int)suite[1]);
1849
0
    return GNUTLS_E_UNKNOWN_CIPHER_SUITE;
1850
0
  }
1851
1852
0
  ret = _gnutls_set_cipher_suite2(session, selected);
1853
0
  if (ret < 0)
1854
0
    return gnutls_assert_val(ret);
1855
1856
0
  _gnutls_handshake_log("HSK[%p]: Selected cipher suite: %s\n",
1857
0
            session, selected->name);
1858
1859
  /* check if the credentials (username, public key etc.) are ok.
1860
   * Actually checks if they exist.
1861
   */
1862
0
  if (!vers->tls13_sem) {
1863
0
    kx = selected->kx_algorithm;
1864
1865
0
    if (!session->internals.premaster_set &&
1866
0
        _gnutls_get_kx_cred(session, kx) == NULL) {
1867
0
      gnutls_assert();
1868
0
      return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
1869
0
    }
1870
1871
    /* set the mod_auth_st to the appropriate struct
1872
     * according to the KX algorithm. This is needed since all the
1873
     * handshake functions are read from there;
1874
     */
1875
0
    session->internals.auth_struct = _gnutls_kx_auth_struct(kx);
1876
1877
0
    if (session->internals.auth_struct == NULL) {
1878
0
      _gnutls_handshake_log
1879
0
          ("HSK[%p]: Cannot find the appropriate handler for the KX algorithm\n",
1880
0
           session);
1881
0
      gnutls_assert();
1882
0
      return GNUTLS_E_INTERNAL_ERROR;
1883
0
    }
1884
0
  } else {
1885
0
    if (session->internals.hsk_flags & HSK_PSK_SELECTED) {
1886
0
      if (session->key.binders[0].prf->id != selected->prf) {
1887
0
        _gnutls_handshake_log
1888
0
            ("HSK[%p]: PRF of ciphersuite differs with the PSK identity (cs: %s, id: %s)\n",
1889
0
             session, selected->name,
1890
0
             session->key.binders[0].prf->name);
1891
0
        gnutls_assert();
1892
0
        return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
1893
0
      }
1894
0
    }
1895
0
  }
1896
1897
0
  return 0;
1898
0
}
1899
1900
/* This function returns 0 if we are resuming a session or -1 otherwise.
1901
 * This also sets the variables in the session. Used only while reading a server
1902
 * hello. Only applicable to TLS1.2 or earlier.
1903
 */
1904
static int
1905
client_check_if_resuming(gnutls_session_t session,
1906
       uint8_t * session_id, int session_id_len)
1907
0
{
1908
0
  char buf[2 * GNUTLS_MAX_SESSION_ID_SIZE + 1];
1909
0
  int ret;
1910
1911
0
  _gnutls_handshake_log("HSK[%p]: SessionID length: %d\n", session,
1912
0
            session_id_len);
1913
0
  _gnutls_handshake_log("HSK[%p]: SessionID: %s\n", session,
1914
0
            _gnutls_bin2hex(session_id, session_id_len,
1915
0
                buf, sizeof(buf), NULL));
1916
1917
0
  if ((session->internals.resumption_requested != 0 ||
1918
0
       session->internals.premaster_set != 0) &&
1919
0
      session_id_len > 0 &&
1920
0
      session->internals.resumed_security_parameters.session_id_size ==
1921
0
      session_id_len
1922
0
      && memcmp(session_id,
1923
0
          session->internals.resumed_security_parameters.session_id,
1924
0
          session_id_len) == 0) {
1925
    /* resume session */
1926
0
    memcpy(session->internals.resumed_security_parameters.
1927
0
           server_random,
1928
0
           session->security_parameters.server_random,
1929
0
           GNUTLS_RANDOM_SIZE);
1930
0
    memcpy(session->internals.resumed_security_parameters.
1931
0
           client_random,
1932
0
           session->security_parameters.client_random,
1933
0
           GNUTLS_RANDOM_SIZE);
1934
1935
0
    ret = _gnutls_set_cipher_suite2
1936
0
        (session,
1937
0
         session->internals.resumed_security_parameters.cs);
1938
0
    if (ret < 0) {
1939
0
      gnutls_assert();
1940
0
      goto no_resume;
1941
0
    }
1942
1943
0
    session->internals.resumed = true;  /* we are resuming */
1944
1945
0
    return 0;
1946
0
  } else {
1947
0
 no_resume:
1948
    /* keep the new session id */
1949
0
    session->internals.resumed = false; /* we are not resuming */
1950
0
    return -1;
1951
0
  }
1952
0
}
1953
1954
/* This function reads and parses the server hello handshake message.
1955
 * This function also restores resumed parameters if we are resuming a
1956
 * session.
1957
 */
1958
static int
1959
read_server_hello(gnutls_session_t session, uint8_t * data, int datalen)
1960
0
{
1961
0
  uint8_t session_id_len = 0;
1962
0
  uint8_t *session_id;
1963
0
  uint8_t *cs_pos, *comp_pos, *srandom_pos;
1964
0
  uint8_t major, minor;
1965
0
  int pos = 0;
1966
0
  int ret;
1967
0
  int len = datalen;
1968
0
  unsigned ext_parse_flag = 0;
1969
0
  const version_entry_st *vers, *saved_vers;
1970
1971
0
  if (datalen < GNUTLS_RANDOM_SIZE + 2) {
1972
0
    gnutls_assert();
1973
0
    return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
1974
0
  }
1975
1976
0
  _gnutls_handshake_log("HSK[%p]: Server's version: %d.%d\n",
1977
0
            session, data[pos], data[pos + 1]);
1978
1979
0
  DECR_LEN(len, 2);
1980
0
  major = data[pos];
1981
0
  minor = data[pos + 1];
1982
1983
0
  saved_vers = get_version(session);  /* will be non-null if HRR has been received */
1984
1985
0
  vers = nversion_to_entry(major, minor);
1986
0
  if (unlikely(vers == NULL))
1987
0
    return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
1988
1989
0
  if (vers->tls13_sem) /* that shouldn't have been negotiated here */
1990
0
    return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
1991
1992
0
  if (_gnutls_set_current_version(session, vers->id) < 0)
1993
0
    return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
1994
1995
0
  pos += 2;
1996
1997
0
  DECR_LEN(len, GNUTLS_RANDOM_SIZE);
1998
0
  srandom_pos = &data[pos];
1999
0
  pos += GNUTLS_RANDOM_SIZE;
2000
2001
  /* Read session ID
2002
   */
2003
0
  DECR_LEN(len, 1);
2004
0
  session_id_len = data[pos++];
2005
2006
0
  if (len < session_id_len || session_id_len > GNUTLS_MAX_SESSION_ID_SIZE) {
2007
0
    gnutls_assert();
2008
0
    return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
2009
0
  }
2010
0
  DECR_LEN(len, session_id_len);
2011
0
  session_id = &data[pos];
2012
0
  pos += session_id_len;
2013
2014
0
  DECR_LEN(len, 2);
2015
0
  cs_pos = &data[pos];
2016
0
  pos += 2;
2017
2018
  /* move to compression
2019
   */
2020
0
  DECR_LEN(len, 1);
2021
0
  comp_pos = &data[pos];
2022
0
  pos++;
2023
2024
  /* parse extensions to figure version */
2025
0
  ret =
2026
0
      _gnutls_parse_hello_extensions(session,
2027
0
             GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO |
2028
0
             GNUTLS_EXT_FLAG_TLS13_SERVER_HELLO,
2029
0
             GNUTLS_EXT_VERSION_NEG, &data[pos],
2030
0
             len);
2031
0
  if (ret < 0)
2032
0
    return gnutls_assert_val(ret);
2033
2034
0
  vers = get_version(session);
2035
0
  if (unlikely(vers == NULL))
2036
0
    return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
2037
0
  if (vers->tls13_sem) {
2038
0
    if (major != 0x03 || minor != 0x03)
2039
0
      return
2040
0
          gnutls_assert_val
2041
0
          (GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
2042
0
  }
2043
2044
0
  if (_gnutls_nversion_is_supported(session, vers->major, vers->minor) ==
2045
0
      0)
2046
0
    return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
2047
2048
  /* set server random - done after final version is selected */
2049
0
  ret = _gnutls_set_server_random(session, vers, srandom_pos);
2050
0
  if (ret < 0)
2051
0
    return gnutls_assert_val(ret);
2052
2053
  /* reset keys and binders if we are not using TLS 1.3 */
2054
0
  if (!vers->tls13_sem) {
2055
0
    gnutls_memset(&session->key.proto.tls13, 0,
2056
0
            sizeof(session->key.proto.tls13));
2057
0
    reset_binders(session);
2058
0
  }
2059
2060
  /* check if we are resuming and set the appropriate
2061
   * values;
2062
   */
2063
0
  if (!vers->tls13_sem &&
2064
0
      client_check_if_resuming(session, session_id,
2065
0
             session_id_len) == 0) {
2066
0
    ret =
2067
0
        _gnutls_parse_hello_extensions(session,
2068
0
               GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO,
2069
0
               GNUTLS_EXT_MANDATORY,
2070
0
               &data[pos], len);
2071
0
    if (ret < 0)
2072
0
      return gnutls_assert_val(ret);
2073
2074
0
    return 0;
2075
0
  } else {
2076
0
    session->security_parameters.session_id_size = session_id_len;
2077
0
    if (session_id_len > 0)
2078
0
      memcpy(session->security_parameters.session_id,
2079
0
             session_id, session_id_len);
2080
0
  }
2081
2082
  /* Check if the given cipher suite is supported and copy
2083
   * it to the session.
2084
   */
2085
0
  ret = set_client_ciphersuite(session, cs_pos);
2086
0
  if (ret < 0) {
2087
0
    gnutls_assert();
2088
0
    return ret;
2089
0
  }
2090
2091
0
  if (session->internals.hsk_flags & HSK_HRR_RECEIVED) {
2092
    /* check if ciphersuite matches */
2093
0
    if (memcmp(cs_pos, session->internals.hrr_cs, 2) != 0)
2094
0
      return
2095
0
          gnutls_assert_val
2096
0
          (GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
2097
2098
    /* check if HRR version matches this version */
2099
0
    if (vers != saved_vers)
2100
0
      return
2101
0
          gnutls_assert_val
2102
0
          (GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
2103
0
  }
2104
2105
0
  if (*comp_pos != 0)
2106
0
    return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
2107
2108
0
  if (vers->tls13_sem)
2109
0
    ext_parse_flag |= GNUTLS_EXT_FLAG_TLS13_SERVER_HELLO;
2110
0
  else
2111
0
    ext_parse_flag |= GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO;
2112
2113
  /* Parse extensions in order.
2114
   */
2115
0
  ret =
2116
0
      _gnutls_parse_hello_extensions(session,
2117
0
             ext_parse_flag,
2118
0
             GNUTLS_EXT_MANDATORY,
2119
0
             &data[pos], len);
2120
0
  if (ret < 0)
2121
0
    return gnutls_assert_val(ret);
2122
2123
0
  if (!vers->tls13_sem) {
2124
    /* check if EtM is required */
2125
0
    if (session->internals.priorities->force_etm &&
2126
0
        !session->security_parameters.etm) {
2127
0
      const cipher_entry_st *cipher =
2128
0
          cipher_to_entry(session->security_parameters.
2129
0
              cs->block_algorithm);
2130
0
      if (_gnutls_cipher_type(cipher) == CIPHER_BLOCK)
2131
0
        return
2132
0
            gnutls_assert_val
2133
0
            (GNUTLS_E_UNWANTED_ALGORITHM);
2134
0
    }
2135
2136
    /* check if EMS is required */
2137
0
    if (vers->id != GNUTLS_SSL3 && vers->id != GNUTLS_DTLS0_9 &&
2138
0
        session->internals.priorities->force_ext_master_secret &&
2139
0
        !session->security_parameters.ext_master_secret) {
2140
0
      return
2141
0
          gnutls_assert_val(GNUTLS_E_INSUFFICIENT_SECURITY);
2142
0
    }
2143
0
  }
2144
2145
0
  ret =
2146
0
      _gnutls_parse_hello_extensions(session,
2147
0
             ext_parse_flag,
2148
0
             GNUTLS_EXT_APPLICATION,
2149
0
             &data[pos], len);
2150
0
  if (ret < 0)
2151
0
    return gnutls_assert_val(ret);
2152
2153
0
  ret =
2154
0
      _gnutls_parse_hello_extensions(session,
2155
0
             ext_parse_flag,
2156
0
             GNUTLS_EXT_TLS, &data[pos], len);
2157
0
  if (ret < 0)
2158
0
    return gnutls_assert_val(ret);
2159
2160
0
  ret =
2161
0
      _gnutls_parse_hello_extensions(session,
2162
0
             ext_parse_flag,
2163
0
             _GNUTLS_EXT_TLS_POST_CS,
2164
0
             &data[pos], len);
2165
0
  if (ret < 0)
2166
0
    return gnutls_assert_val(ret);
2167
2168
  /* Calculate TLS 1.3 Early Secret */
2169
0
  if (vers->tls13_sem &&
2170
0
      !(session->internals.hsk_flags & HSK_PSK_SELECTED)) {
2171
0
    ret = _tls13_init_secret(session, NULL, 0);
2172
0
    if (ret < 0)
2173
0
      return gnutls_assert_val(ret);
2174
0
  }
2175
2176
0
  ret = set_auth_types(session);
2177
0
  if (ret < 0)
2178
0
    return gnutls_assert_val(ret);
2179
2180
0
  session->internals.hsk_flags |= HSK_SERVER_HELLO_RECEIVED;
2181
2182
0
  return 0;
2183
0
}
2184
2185
/* This function copies the appropriate compression methods, to a locally allocated buffer
2186
 * Needed in hello messages. Returns the new data length.
2187
 */
2188
static int append_null_comp(gnutls_session_t session, gnutls_buffer_st * cdata)
2189
0
{
2190
0
  uint8_t compression_methods[2] = { 0x01, 0x00 };
2191
0
  size_t init_length = cdata->length;
2192
0
  int ret;
2193
2194
0
  ret = _gnutls_buffer_append_data(cdata, compression_methods, 2);
2195
0
  if (ret < 0)
2196
0
    return gnutls_assert_val(ret);
2197
2198
0
  ret = cdata->length - init_length;
2199
2200
0
  return ret;
2201
0
}
2202
2203
/* This function sends the client hello handshake message.
2204
 */
2205
static int send_client_hello(gnutls_session_t session, int again)
2206
0
{
2207
0
  mbuffer_st *bufel = NULL;
2208
0
  int type;
2209
0
  int ret = 0;
2210
0
  const version_entry_st *hver, *min_ver, *max_ver;
2211
0
  uint8_t tver[2];
2212
0
  gnutls_buffer_st extdata;
2213
0
  bool rehandshake = false;
2214
0
  bool resuming = false;
2215
0
  unsigned add_sr_scsv = 0;
2216
0
  uint8_t *session_id =
2217
0
      session->internals.resumed_security_parameters.session_id;
2218
0
  uint8_t session_id_len =
2219
0
      session->internals.resumed_security_parameters.session_id_size;
2220
2221
0
  if (again == 0) {
2222
    /* note that rehandshake is different than resuming
2223
     */
2224
0
    if (session->internals.initial_negotiation_completed)
2225
0
      rehandshake = true;
2226
2227
0
    ret = _gnutls_buffer_init_handshake_mbuffer(&extdata);
2228
0
    if (ret < 0)
2229
0
      return gnutls_assert_val(ret);
2230
2231
    /* if we are resuming a session then we set the
2232
     * version number to the previously established.
2233
     */
2234
0
    if (session->internals.resumption_requested == 0 &&
2235
0
        session->internals.premaster_set == 0) {
2236
0
      if (rehandshake) /* already negotiated version thus version_max == negotiated version */
2237
0
        hver = get_version(session);
2238
0
      else  /* new handshake. just get the max */
2239
0
        hver = _gnutls_legacy_version_max(session);
2240
0
    } else {
2241
      /* we are resuming a session */
2242
0
      resuming = true;
2243
2244
0
      hver =
2245
0
          session->internals.resumed_security_parameters.
2246
0
          pversion;
2247
2248
0
      if (hver && hver->tls13_sem)
2249
0
        hver = _gnutls_legacy_version_max(session);
2250
0
    }
2251
2252
0
    if (hver == NULL) {
2253
0
      gnutls_assert();
2254
0
      if (session->internals.flags & INT_FLAG_NO_TLS13)
2255
0
        ret = GNUTLS_E_INSUFFICIENT_CREDENTIALS;
2256
0
      else
2257
0
        ret = GNUTLS_E_NO_PRIORITIES_WERE_SET;
2258
0
      goto cleanup;
2259
0
    }
2260
2261
0
    if (unlikely(session->internals.default_hello_version[0] != 0)) {
2262
0
      tver[0] = session->internals.default_hello_version[0];
2263
0
      tver[1] = session->internals.default_hello_version[1];
2264
0
    } else {
2265
0
      tver[0] = hver->major;
2266
0
      tver[1] = hver->minor;
2267
0
    }
2268
0
    ret = _gnutls_buffer_append_data(&extdata, tver, 2);
2269
0
    if (ret < 0) {
2270
0
      gnutls_assert();
2271
0
      goto cleanup;
2272
0
    }
2273
0
    _gnutls_handshake_log("HSK[%p]: Adv. version: %u.%u\n", session,
2274
0
              (unsigned)tver[0], (unsigned)tver[1]);
2275
2276
0
    min_ver = _gnutls_version_lowest(session);
2277
0
    max_ver = _gnutls_version_max(session);
2278
0
    if (min_ver == NULL || max_ver == NULL) {
2279
0
      gnutls_assert();
2280
0
      ret = GNUTLS_E_NO_PRIORITIES_WERE_SET;
2281
0
      goto cleanup;
2282
0
    }
2283
2284
    /* if we are replying to an HRR the version is already negotiated */
2285
0
    if (!(session->internals.hsk_flags & HSK_HRR_RECEIVED)
2286
0
        || !get_version(session)) {
2287
      /* Set the version we advertized as maximum
2288
       * (RSA uses it). */
2289
0
      set_adv_version(session, hver->major, hver->minor);
2290
0
      if (_gnutls_set_current_version(session, hver->id) < 0) {
2291
0
        ret =
2292
0
            gnutls_assert_val
2293
0
            (GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
2294
0
        goto cleanup;
2295
0
      }
2296
0
    }
2297
2298
0
    if (session->internals.priorities->min_record_version != 0) {
2299
      /* Advertise the lowest supported (SSL 3.0) record packet
2300
       * version in record packets during the handshake.
2301
       * That is to avoid confusing implementations
2302
       * that do not support TLS 1.2 and don't know
2303
       * how 3,3 version of record packets look like.
2304
       */
2305
0
      set_default_version(session, min_ver);
2306
0
    } else {
2307
0
      set_default_version(session, hver);
2308
0
    }
2309
2310
    /* In order to know when this session was initiated.
2311
     */
2312
0
    session->security_parameters.timestamp = gnutls_time(NULL);
2313
2314
    /* Generate random data
2315
     */
2316
0
    if (!(session->internals.hsk_flags & HSK_HRR_RECEIVED) &&
2317
0
        !(IS_DTLS(session)
2318
0
          && session->internals.dtls.hsk_hello_verify_requests !=
2319
0
          0)) {
2320
0
      ret = _gnutls_gen_client_random(session);
2321
0
      if (ret < 0) {
2322
0
        gnutls_assert();
2323
0
        goto cleanup;
2324
0
      }
2325
2326
0
    }
2327
2328
0
    ret = _gnutls_buffer_append_data(&extdata,
2329
0
             session->
2330
0
             security_parameters.client_random,
2331
0
             GNUTLS_RANDOM_SIZE);
2332
0
    if (ret < 0) {
2333
0
      gnutls_assert();
2334
0
      goto cleanup;
2335
0
    }
2336
2337
0
#ifdef TLS13_APPENDIX_D4
2338
0
    if (max_ver->tls13_sem &&
2339
0
        session->internals.priorities->tls13_compat_mode &&
2340
0
        !resuming) {
2341
0
      if (!(session->internals.hsk_flags & HSK_HRR_RECEIVED)) {
2342
        /* Under TLS1.3 we generate a random session ID to make
2343
         * the TLS1.3 session look like a resumed TLS1.2 session */
2344
0
        ret =
2345
0
            _gnutls_generate_session_id
2346
0
            (session->security_parameters.session_id,
2347
0
             &session->security_parameters.
2348
0
             session_id_size);
2349
0
        if (ret < 0) {
2350
0
          gnutls_assert();
2351
0
          goto cleanup;
2352
0
        }
2353
0
      }
2354
0
      session_id = session->security_parameters.session_id;
2355
0
      session_id_len =
2356
0
          session->security_parameters.session_id_size;
2357
0
    }
2358
0
#endif
2359
2360
    /* Copy the Session ID - if any
2361
     */
2362
0
    ret = _gnutls_buffer_append_data_prefix(&extdata, 8,
2363
0
              session_id,
2364
0
              session_id_len);
2365
0
    if (ret < 0) {
2366
0
      gnutls_assert();
2367
0
      goto cleanup;
2368
0
    }
2369
2370
    /* Copy the DTLS cookie
2371
     */
2372
0
    if (IS_DTLS(session)) {
2373
0
      ret = _gnutls_buffer_append_data_prefix(&extdata, 8,
2374
0
                session->internals.
2375
0
                dtls.dcookie.
2376
0
                data,
2377
0
                session->internals.
2378
0
                dtls.dcookie.
2379
0
                size);
2380
0
      if (ret < 0) {
2381
0
        gnutls_assert();
2382
0
        goto cleanup;
2383
0
      }
2384
0
      _gnutls_free_datum(&session->internals.dtls.dcookie);
2385
0
    }
2386
2387
    /* Copy the ciphersuites.
2388
     */
2389
#ifdef ENABLE_SSL3
2390
    /* If using SSLv3 Send TLS_RENEGO_PROTECTION_REQUEST SCSV for MITM
2391
     * prevention on initial negotiation (but not renegotiation; that's
2392
     * handled with the RI extension below).
2393
     */
2394
    if (!session->internals.initial_negotiation_completed &&
2395
        session->security_parameters.entity == GNUTLS_CLIENT &&
2396
        (hver->id == GNUTLS_SSL3 &&
2397
         session->internals.priorities->no_extensions != 0)) {
2398
      add_sr_scsv = 1;
2399
    }
2400
#endif
2401
0
    ret =
2402
0
        _gnutls_get_client_ciphersuites(session, &extdata, min_ver,
2403
0
                add_sr_scsv);
2404
0
    if (ret < 0) {
2405
0
      gnutls_assert();
2406
0
      goto cleanup;
2407
0
    }
2408
2409
    /* Copy the compression methods.
2410
     */
2411
0
    ret = append_null_comp(session, &extdata);
2412
0
    if (ret < 0) {
2413
0
      gnutls_assert();
2414
0
      goto cleanup;
2415
0
    }
2416
2417
    /* Generate and copy TLS extensions.
2418
     */
2419
0
    if (session->internals.priorities->no_extensions == 0) {
2420
0
      if (_gnutls_version_has_extensions(hver)) {
2421
0
        type = GNUTLS_EXT_ANY;
2422
0
      } else {
2423
0
        type = GNUTLS_EXT_MANDATORY;
2424
0
      }
2425
2426
0
      ret =
2427
0
          _gnutls_gen_hello_extensions(session, &extdata,
2428
0
               GNUTLS_EXT_FLAG_CLIENT_HELLO,
2429
0
               type);
2430
0
      if (ret < 0) {
2431
0
        gnutls_assert();
2432
0
        goto cleanup;
2433
0
      }
2434
0
    }
2435
2436
0
    bufel = _gnutls_buffer_to_mbuffer(&extdata);
2437
0
  }
2438
2439
0
  ret = _gnutls_send_handshake(session, bufel,
2440
0
             GNUTLS_HANDSHAKE_CLIENT_HELLO);
2441
2442
0
  if (session->internals.hsk_flags & HSK_EARLY_DATA_IN_FLIGHT) {
2443
0
    const cipher_entry_st *ce;
2444
0
    const mac_entry_st *me;
2445
0
    record_parameters_st *params;
2446
2447
0
    ce = cipher_to_entry(session->internals.
2448
0
             resumed_security_parameters.
2449
0
             cs->block_algorithm);
2450
0
    me = mac_to_entry(session->internals.
2451
0
          resumed_security_parameters.
2452
0
          cs->mac_algorithm);
2453
2454
0
    ret = _gnutls_epoch_get(session, EPOCH_NEXT, &params);
2455
0
    if (ret < 0) {
2456
0
      return gnutls_assert_val(ret);
2457
0
    }
2458
2459
0
    params->cipher = ce;
2460
0
    params->mac = me;
2461
2462
0
    ret = _tls13_write_connection_state_init(session, STAGE_EARLY);
2463
0
    if (ret < 0) {
2464
0
      return gnutls_assert_val(ret);
2465
0
    }
2466
2467
0
    _gnutls_epoch_bump(session);
2468
0
    ret = _gnutls_epoch_dup(session, EPOCH_WRITE_CURRENT);
2469
0
    if (ret < 0) {
2470
0
      return gnutls_assert_val(ret);
2471
0
    }
2472
2473
0
    ret = _gnutls13_send_early_data(session);
2474
0
    if (ret < 0) {
2475
0
      return gnutls_assert_val(ret);
2476
0
    }
2477
0
  }
2478
2479
0
  return ret;
2480
2481
0
 cleanup:
2482
0
  _gnutls_buffer_clear(&extdata);
2483
0
  return ret;
2484
0
}
2485
2486
int _gnutls_send_server_hello(gnutls_session_t session, int again)
2487
0
{
2488
0
  mbuffer_st *bufel = NULL;
2489
0
  gnutls_buffer_st buf;
2490
0
  int ret;
2491
0
  uint8_t session_id_len = session->security_parameters.session_id_size;
2492
0
  char tmpbuf[2 * GNUTLS_MAX_SESSION_ID_SIZE + 1];
2493
0
  const version_entry_st *vers;
2494
0
  uint8_t vbytes[2];
2495
0
  unsigned extflag = 0;
2496
0
  gnutls_ext_parse_type_t etype;
2497
2498
0
  _gnutls_buffer_init(&buf);
2499
2500
0
  if (again == 0) {
2501
0
    vers = get_version(session);
2502
0
    if (unlikely
2503
0
        (vers == NULL || session->security_parameters.cs == NULL))
2504
0
      return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
2505
2506
0
    if (vers->tls13_sem) {
2507
0
      vbytes[0] = 0x03; /* TLS1.2 */
2508
0
      vbytes[1] = 0x03;
2509
0
      extflag |= GNUTLS_EXT_FLAG_TLS13_SERVER_HELLO;
2510
0
    } else {
2511
0
      vbytes[0] = vers->major;
2512
0
      vbytes[1] = vers->minor;
2513
0
      extflag |= GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO;
2514
0
    }
2515
2516
0
    ret = _gnutls_buffer_init_handshake_mbuffer(&buf);
2517
0
    if (ret < 0) {
2518
0
      gnutls_assert();
2519
0
      goto fail;
2520
0
    }
2521
2522
0
    ret = _gnutls_buffer_append_data(&buf, vbytes, 2);
2523
0
    if (ret < 0) {
2524
0
      gnutls_assert();
2525
0
      goto fail;
2526
0
    }
2527
2528
0
    ret = _gnutls_buffer_append_data(&buf,
2529
0
             session->
2530
0
             security_parameters.server_random,
2531
0
             GNUTLS_RANDOM_SIZE);
2532
0
    if (ret < 0) {
2533
0
      gnutls_assert();
2534
0
      goto fail;
2535
0
    }
2536
2537
0
    ret = _gnutls_buffer_append_data_prefix(&buf, 8,
2538
0
              session->security_parameters.session_id,
2539
0
              session_id_len);
2540
0
    if (ret < 0) {
2541
0
      gnutls_assert();
2542
0
      goto fail;
2543
0
    }
2544
2545
0
    _gnutls_handshake_log("HSK[%p]: SessionID: %s\n", session,
2546
0
              _gnutls_bin2hex
2547
0
              (session->security_parameters.session_id,
2548
0
               session_id_len, tmpbuf, sizeof(tmpbuf),
2549
0
               NULL));
2550
2551
0
    ret = _gnutls_buffer_append_data(&buf,
2552
0
             session->
2553
0
             security_parameters.cs->id, 2);
2554
0
    if (ret < 0) {
2555
0
      gnutls_assert();
2556
0
      goto fail;
2557
0
    }
2558
2559
    /* compression */
2560
0
    ret = _gnutls_buffer_append_prefix(&buf, 8, 0);
2561
0
    if (ret < 0) {
2562
0
      gnutls_assert();
2563
0
      goto fail;
2564
0
    }
2565
2566
0
    if (!vers->tls13_sem && session->internals.resumed)
2567
0
      etype = GNUTLS_EXT_MANDATORY;
2568
0
    else
2569
0
      etype = GNUTLS_EXT_ANY;
2570
0
    ret =
2571
0
        _gnutls_gen_hello_extensions(session, &buf, extflag, etype);
2572
0
    if (ret < 0) {
2573
0
      gnutls_assert();
2574
0
      goto fail;
2575
0
    }
2576
2577
0
    if (vers->tls13_sem) {
2578
      /* Under TLS1.3, the session ID is used for different purposes than
2579
       * the TLS1.0 session ID. Ensure that there is an internally set
2580
       * value which the server will see on the original and resumed sessions */
2581
0
      ret =
2582
0
          _gnutls_generate_session_id
2583
0
          (session->security_parameters.session_id,
2584
0
           &session->security_parameters.session_id_size);
2585
0
      if (ret < 0) {
2586
0
        gnutls_assert();
2587
0
        goto fail;
2588
0
      }
2589
0
    }
2590
2591
0
    bufel = _gnutls_buffer_to_mbuffer(&buf);
2592
0
  }
2593
2594
0
  ret =
2595
0
      _gnutls_send_handshake(session, bufel,
2596
0
           GNUTLS_HANDSHAKE_SERVER_HELLO);
2597
2598
0
 fail:
2599
0
  _gnutls_buffer_clear(&buf);
2600
0
  return ret;
2601
0
}
2602
2603
static int
2604
recv_hello_verify_request(gnutls_session_t session, uint8_t * data, int datalen)
2605
0
{
2606
0
  ssize_t len = datalen;
2607
0
  size_t pos = 0;
2608
0
  uint8_t cookie_len;
2609
0
  unsigned int nb_verifs;
2610
0
  int ret;
2611
2612
0
  if (!IS_DTLS(session)) {
2613
0
    gnutls_assert();
2614
0
    return GNUTLS_E_UNEXPECTED_PACKET;
2615
0
  }
2616
2617
0
  nb_verifs = ++session->internals.dtls.hsk_hello_verify_requests;
2618
0
  if (nb_verifs >= MAX_HANDSHAKE_HELLO_VERIFY_REQUESTS) {
2619
    /* The server is either buggy, malicious or changing cookie
2620
       secrets _way_ too fast. */
2621
0
    gnutls_assert();
2622
0
    return GNUTLS_E_UNEXPECTED_PACKET;
2623
0
  }
2624
2625
0
  DECR_LEN(len, 2);
2626
0
  pos += 2;
2627
2628
0
  DECR_LEN(len, 1);
2629
0
  cookie_len = data[pos];
2630
0
  pos++;
2631
2632
0
  if (cookie_len > DTLS_MAX_COOKIE_SIZE) {
2633
0
    gnutls_assert();
2634
0
    return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
2635
0
  }
2636
2637
0
  DECR_LEN(len, cookie_len);
2638
2639
0
  gnutls_free(session->internals.dtls.dcookie.data);
2640
0
  ret =
2641
0
      _gnutls_set_datum(&session->internals.dtls.dcookie, &data[pos],
2642
0
            cookie_len);
2643
0
  if (ret < 0)
2644
0
    return gnutls_assert_val(ret);
2645
2646
0
  if (len != 0) {
2647
0
    gnutls_assert();
2648
0
    return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
2649
0
  }
2650
2651
  /* reset handshake hash buffers */
2652
0
  handshake_hash_buffer_reset(session);
2653
  /* reset extensions used in previous hello */
2654
0
  session->internals.used_exts = 0;
2655
2656
0
  return 0;
2657
0
}
2658
2659
/* The packets in gnutls_handshake (it's more broad than original TLS handshake)
2660
 *
2661
 *     Client                Server
2662
 *
2663
 *     ClientHello      -------->
2664
 *          <--------  ServerHello
2665
 *
2666
 *                Certificate*
2667
 *                ServerKeyExchange*
2668
 *          <--------   CertificateRequest*
2669
 *
2670
 *          <--------      ServerHelloDone
2671
 *     Certificate*
2672
 *     ClientKeyExchange
2673
 *     CertificateVerify*
2674
 *     [ChangeCipherSpec]
2675
 *     Finished        -------->
2676
 *            NewSessionTicket
2677
 *                [ChangeCipherSpec]
2678
 *          <--------      Finished
2679
 *
2680
 * (*): means optional packet.
2681
 */
2682
2683
/* Handshake when resumming session:
2684
 *      Client            Server
2685
 *
2686
 *      ClientHello      -------->
2687
 *                  ServerHello
2688
 *                 [ChangeCipherSpec]
2689
 *           <--------       Finished
2690
 *     [ChangeCipherSpec]
2691
 *     Finished         -------->
2692
 *
2693
 */
2694
2695
/**
2696
 * gnutls_rehandshake:
2697
 * @session: is a #gnutls_session_t type.
2698
 *
2699
 * This function can only be called in server side, and
2700
 * instructs a TLS 1.2 or earlier client to renegotiate
2701
 * parameters (perform a handshake), by sending a
2702
 * hello request message.
2703
 *
2704
 * If this function succeeds, the calling application
2705
 * should call gnutls_record_recv() until %GNUTLS_E_REHANDSHAKE
2706
 * is returned to clear any pending data. If the %GNUTLS_E_REHANDSHAKE
2707
 * error code is not seen, then the handshake request was
2708
 * not followed by the peer (the TLS protocol does not require
2709
 * the client to do, and such compliance should be handled
2710
 * by the application protocol).
2711
 *
2712
 * Once the %GNUTLS_E_REHANDSHAKE error code is seen, the
2713
 * calling application should proceed to calling
2714
 * gnutls_handshake() to negotiate the new
2715
 * parameters.
2716
 *
2717
 * If the client does not wish to renegotiate parameters he
2718
 * may reply with an alert message, and in that case the return code seen
2719
 * by subsequent gnutls_record_recv() will be
2720
 * %GNUTLS_E_WARNING_ALERT_RECEIVED with the specific alert being
2721
 * %GNUTLS_A_NO_RENEGOTIATION.  A client may also choose to ignore
2722
 * this request.
2723
 *
2724
 * Under TLS 1.3 this function is equivalent to gnutls_session_key_update()
2725
 * with the %GNUTLS_KU_PEER flag. In that case subsequent calls to
2726
 * gnutls_record_recv() will not return %GNUTLS_E_REHANDSHAKE, and
2727
 * calls to gnutls_handshake() in server side are a no-op.
2728
 *
2729
 * This function always fails with %GNUTLS_E_INVALID_REQUEST when
2730
 * called in client side.
2731
 *
2732
 * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
2733
 **/
2734
int gnutls_rehandshake(gnutls_session_t session)
2735
0
{
2736
0
  int ret;
2737
0
  const version_entry_st *vers = get_version(session);
2738
2739
  /* only server sends that handshake packet */
2740
0
  if (session->security_parameters.entity == GNUTLS_CLIENT)
2741
0
    return GNUTLS_E_INVALID_REQUEST;
2742
2743
0
  if (vers->tls13_sem) {
2744
0
    return gnutls_session_key_update(session, GNUTLS_KU_PEER);
2745
0
  }
2746
2747
0
  _dtls_async_timer_delete(session);
2748
2749
0
  ret =
2750
0
      _gnutls_send_empty_handshake(session,
2751
0
           GNUTLS_HANDSHAKE_HELLO_REQUEST,
2752
0
           AGAIN(STATE50));
2753
0
  STATE = STATE50;
2754
2755
0
  if (ret < 0) {
2756
0
    gnutls_assert();
2757
0
    return ret;
2758
0
  }
2759
0
  STATE = STATE0;
2760
2761
0
  return 0;
2762
0
}
2763
2764
/* This function checks whether the error code should be treated fatal
2765
 * or not, and also does the necessary state transition.  In
2766
 * particular, in the case of a rehandshake abort it resets the
2767
 * handshake's internal state.
2768
 */
2769
inline static int _gnutls_abort_handshake(gnutls_session_t session, int ret)
2770
0
{
2771
0
  switch (ret) {
2772
0
  case GNUTLS_E_WARNING_ALERT_RECEIVED:
2773
0
    if (gnutls_alert_get(session) == GNUTLS_A_NO_RENEGOTIATION) {
2774
      /* The server always toleretes a "no_renegotiation" alert. */
2775
0
      if (session->security_parameters.entity ==
2776
0
          GNUTLS_SERVER) {
2777
0
        STATE = STATE0;
2778
0
        return ret;
2779
0
      }
2780
2781
      /* The client should tolerete a "no_renegotiation" alert only if:
2782
       * - the initial handshake has completed, or
2783
       * - a Server Hello is not yet received
2784
       */
2785
0
      if (session->internals.initial_negotiation_completed ||
2786
0
          !(session->
2787
0
            internals.hsk_flags & HSK_SERVER_HELLO_RECEIVED))
2788
0
      {
2789
0
        STATE = STATE0;
2790
0
        return ret;
2791
0
      }
2792
2793
0
      return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET);
2794
0
    }
2795
0
    return ret;
2796
0
  case GNUTLS_E_GOT_APPLICATION_DATA:
2797
0
    STATE = STATE0;
2798
0
    return ret;
2799
0
  default:
2800
0
    return ret;
2801
0
  }
2802
0
}
2803
2804
static int _gnutls_send_supplemental(gnutls_session_t session, int again)
2805
0
{
2806
0
  mbuffer_st *bufel = NULL;
2807
0
  int ret = 0;
2808
2809
0
  _gnutls_debug_log("EXT[%p]: Sending supplemental data\n", session);
2810
2811
0
  if (!again) {
2812
0
    gnutls_buffer_st buf;
2813
0
    ret = _gnutls_buffer_init_handshake_mbuffer(&buf);
2814
0
    if (ret < 0)
2815
0
      return gnutls_assert_val(ret);
2816
2817
0
    ret = _gnutls_gen_supplemental(session, &buf);
2818
0
    if (ret < 0) {
2819
0
      gnutls_assert();
2820
0
      _gnutls_buffer_clear(&buf);
2821
0
      return ret;
2822
0
    }
2823
2824
0
    bufel = _gnutls_buffer_to_mbuffer(&buf);
2825
0
  }
2826
2827
0
  return _gnutls_send_handshake(session, bufel,
2828
0
              GNUTLS_HANDSHAKE_SUPPLEMENTAL);
2829
0
}
2830
2831
static int _gnutls_recv_supplemental(gnutls_session_t session)
2832
0
{
2833
0
  gnutls_buffer_st buf;
2834
0
  int ret;
2835
2836
0
  _gnutls_debug_log("EXT[%p]: Expecting supplemental data\n", session);
2837
2838
0
  ret =
2839
0
      _gnutls_recv_handshake(session, GNUTLS_HANDSHAKE_SUPPLEMENTAL,
2840
0
           1, &buf);
2841
0
  if (ret < 0) {
2842
0
    gnutls_assert();
2843
0
    return ret;
2844
0
  }
2845
2846
0
  ret = _gnutls_parse_supplemental(session, buf.data, buf.length);
2847
0
  if (ret < 0) {
2848
0
    gnutls_assert();
2849
0
    goto cleanup;
2850
0
  }
2851
2852
0
 cleanup:
2853
0
  _gnutls_buffer_clear(&buf);
2854
2855
0
  return ret;
2856
0
}
2857
2858
/**
2859
 * gnutls_handshake:
2860
 * @session: is a #gnutls_session_t type.
2861
 *
2862
 * This function performs the handshake of the TLS/SSL protocol, and
2863
 * initializes the TLS session parameters.
2864
 *
2865
 * The non-fatal errors expected by this function are:
2866
 * %GNUTLS_E_INTERRUPTED, %GNUTLS_E_AGAIN,
2867
 * %GNUTLS_E_WARNING_ALERT_RECEIVED. When this function is called
2868
 * for re-handshake under TLS 1.2 or earlier, the non-fatal error code
2869
 * %GNUTLS_E_GOT_APPLICATION_DATA may also be returned.
2870
 *
2871
 * The former two interrupt the handshake procedure due to the transport
2872
 * layer being interrupted, and the latter because of a "warning" alert that
2873
 * was sent by the peer (it is always a good idea to check any
2874
 * received alerts). On these non-fatal errors call this function again,
2875
 * until it returns 0; cf.  gnutls_record_get_direction() and
2876
 * gnutls_error_is_fatal(). In DTLS sessions the non-fatal error
2877
 * %GNUTLS_E_LARGE_PACKET is also possible, and indicates that
2878
 * the MTU should be adjusted.
2879
 *
2880
 * When this function is called by a server after a rehandshake request
2881
 * under TLS 1.2 or earlier the %GNUTLS_E_GOT_APPLICATION_DATA error code indicates
2882
 * that some data were pending prior to peer initiating the handshake.
2883
 * Under TLS 1.3 this function when called after a successful handshake, is a no-op
2884
 * and always succeeds in server side; in client side this function is
2885
 * equivalent to gnutls_session_key_update() with %GNUTLS_KU_PEER flag.
2886
 *
2887
 * This function handles both full and abbreviated TLS handshakes (resumption).
2888
 * For abbreviated handshakes, in client side, the gnutls_session_set_data()
2889
 * should be called prior to this function to set parameters from a previous session.
2890
 * In server side, resumption is handled by either setting a DB back-end, or setting
2891
 * up keys for session tickets.
2892
 *
2893
 * Returns: %GNUTLS_E_SUCCESS on a successful handshake, otherwise a negative error code.
2894
 **/
2895
int gnutls_handshake(gnutls_session_t session)
2896
0
{
2897
0
  const version_entry_st *vers = get_version(session);
2898
0
  int ret;
2899
2900
0
  if (unlikely(session->internals.initial_negotiation_completed)) {
2901
0
    if (vers->tls13_sem) {
2902
0
      if (session->security_parameters.entity ==
2903
0
          GNUTLS_CLIENT) {
2904
0
        return gnutls_session_key_update(session,
2905
0
                 GNUTLS_KU_PEER);
2906
0
      } else {
2907
        /* This is a no-op for a server under TLS 1.3, as
2908
         * a server has already called gnutls_rehandshake()
2909
         * which performed a key update.
2910
         */
2911
0
        return 0;
2912
0
      }
2913
0
    }
2914
0
  }
2915
2916
0
  if (STATE == STATE0) {
2917
0
    unsigned int tmo_ms;
2918
0
    struct timespec *end;
2919
0
    struct timespec *start;
2920
2921
    /* first call */
2922
0
    if (session->internals.priorities == NULL ||
2923
0
        session->internals.priorities->cs.size == 0)
2924
0
      return
2925
0
          gnutls_assert_val(GNUTLS_E_NO_PRIORITIES_WERE_SET);
2926
2927
0
    ret = _gnutls_epoch_setup_next(session, 0, NULL);
2928
0
    if (ret < 0)
2929
0
      return gnutls_assert_val(ret);
2930
2931
0
    session->internals.used_exts = 0;
2932
0
    session->internals.hsk_flags = 0;
2933
0
    session->internals.handshake_in_progress = 1;
2934
0
    session->internals.vc_status = -1;
2935
0
    gnutls_gettime(&session->internals.handshake_start_time);
2936
2937
0
    tmo_ms = session->internals.handshake_timeout_ms;
2938
0
    end = &session->internals.handshake_abs_timeout;
2939
0
    start = &session->internals.handshake_start_time;
2940
2941
0
    if (tmo_ms && end->tv_sec == 0 && end->tv_nsec == 0) {
2942
0
      end->tv_sec =
2943
0
          start->tv_sec + (start->tv_nsec +
2944
0
               tmo_ms * 1000000LL) / 1000000000LL;
2945
0
      end->tv_nsec =
2946
0
          (start->tv_nsec +
2947
0
           tmo_ms * 1000000LL) % 1000000000LL;
2948
0
    }
2949
2950
#ifdef ENABLE_KTLS
2951
    if (_gnutls_config_is_ktls_enabled()) {
2952
      if ((session->internals.pull_func &&
2953
           session->internals.pull_func != system_read) ||
2954
          session->internals.push_func) {
2955
        _gnutls_audit_log(session,
2956
              "Not enabling KTLS with "
2957
              "custom pull/push function\n");
2958
      } else {
2959
        _gnutls_ktls_enable(session);
2960
      }
2961
    }
2962
#endif
2963
0
  }
2964
2965
0
  if (session->internals.recv_state == RECV_STATE_FALSE_START) {
2966
0
    session_invalidate(session);
2967
0
    return gnutls_assert_val(GNUTLS_E_HANDSHAKE_DURING_FALSE_START);
2968
0
  }
2969
2970
0
  if (session->security_parameters.entity == GNUTLS_CLIENT) {
2971
0
    do {
2972
0
      ret = handshake_client(session);
2973
0
    } while (ret == 1);
2974
0
  } else {
2975
0
    ret = handshake_server(session);
2976
0
  }
2977
2978
0
  if (ret < 0) {
2979
0
    return _gnutls_abort_handshake(session, ret);
2980
0
  }
2981
2982
  /* clear handshake buffer */
2983
0
  if (session->internals.recv_state != RECV_STATE_FALSE_START &&
2984
0
      session->internals.recv_state != RECV_STATE_EARLY_START) {
2985
2986
0
    _gnutls_handshake_hash_buffers_clear(session);
2987
2988
0
    if (IS_DTLS(session) == 0) {
2989
0
      _gnutls_handshake_io_buffer_clear(session);
2990
0
    } else {
2991
0
      _dtls_async_timer_init(session);
2992
0
    }
2993
2994
0
    _gnutls_handshake_internal_state_clear(session);
2995
2996
0
    _gnutls_buffer_clear(&session->internals.record_presend_buffer);
2997
2998
0
    _gnutls_epoch_bump(session);
2999
0
  }
3000
3001
  /* Give an estimation of the round-trip under TLS1.3, used by gnutls_session_get_data2() */
3002
0
  if (!IS_SERVER(session) && vers->tls13_sem) {
3003
0
    struct timespec handshake_finish_time;
3004
0
    gnutls_gettime(&handshake_finish_time);
3005
3006
0
    if (!(session->internals.hsk_flags & HSK_HRR_RECEIVED)) {
3007
0
      session->internals.ertt =
3008
0
          timespec_sub_ms(&handshake_finish_time,
3009
0
              &session->
3010
0
              internals.handshake_start_time) / 2;
3011
0
    } else {
3012
0
      session->internals.ertt =
3013
0
          timespec_sub_ms(&handshake_finish_time,
3014
0
              &session->
3015
0
              internals.handshake_start_time) / 4;
3016
0
    }
3017
0
  }
3018
3019
#ifdef ENABLE_KTLS
3020
  if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_DUPLEX)) {
3021
    ret = _gnutls_ktls_set_keys(session, GNUTLS_KTLS_DUPLEX);
3022
    if (ret < 0) {
3023
      /* no need to invalidate the session as keys were not set */
3024
      session->internals.ktls_enabled = 0;
3025
      _gnutls_audit_log(session,
3026
            "disabling KTLS: failed to set keys\n");
3027
    }
3028
  }
3029
#endif
3030
3031
0
  return 0;
3032
0
}
3033
3034
/**
3035
 * gnutls_handshake_set_timeout:
3036
 * @session: is a #gnutls_session_t type.
3037
 * @ms: is a timeout value in milliseconds
3038
 *
3039
 * This function sets the timeout for the TLS handshake process
3040
 * to the provided value. Use an @ms value of zero to disable
3041
 * timeout, or %GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT for a reasonable
3042
 * default value. For the DTLS protocol, the more detailed
3043
 * gnutls_dtls_set_timeouts() is provided.
3044
 *
3045
 * This function requires to set a pull timeout callback. See
3046
 * gnutls_transport_set_pull_timeout_function().
3047
 *
3048
 * Since: 3.1.0
3049
 **/
3050
void gnutls_handshake_set_timeout(gnutls_session_t session, unsigned int ms)
3051
0
{
3052
0
  if (ms == GNUTLS_INDEFINITE_TIMEOUT) {
3053
0
    session->internals.handshake_timeout_ms = 0;
3054
0
    return;
3055
0
  }
3056
3057
0
  if (ms == GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT)
3058
0
    ms = DEFAULT_HANDSHAKE_TIMEOUT_MS;
3059
3060
0
  if (IS_DTLS(session)) {
3061
0
    gnutls_dtls_set_timeouts(session, DTLS_RETRANS_TIMEOUT, ms);
3062
0
    return;
3063
0
  }
3064
3065
0
  session->internals.handshake_timeout_ms = ms;
3066
0
}
3067
3068
/* Runs the certificate verification callback.
3069
 * side is the side that we verify the certificate
3070
 * from (either GNUTLS_CLIENT or GNUTLS_SERVER).
3071
 */
3072
int _gnutls_run_verify_callback(gnutls_session_t session, unsigned int side)
3073
0
{
3074
0
  gnutls_certificate_credentials_t cred;
3075
0
  int ret, type;
3076
3077
0
  if (session->internals.hsk_flags & HSK_PSK_SELECTED)
3078
0
    return 0;
3079
3080
0
  cred =
3081
0
      (gnutls_certificate_credentials_t) _gnutls_get_cred(session,
3082
0
                GNUTLS_CRD_CERTIFICATE);
3083
3084
0
  if (side == GNUTLS_CLIENT)
3085
0
    type = gnutls_auth_server_get_type(session);
3086
0
  else
3087
0
    type = gnutls_auth_client_get_type(session);
3088
3089
0
  if (type != GNUTLS_CRD_CERTIFICATE)
3090
0
    return 0;
3091
3092
  /* verify whether the certificate of the peer remained the same
3093
   * as with any previous handshakes */
3094
0
  if (cred != NULL) {
3095
0
    ret = _gnutls_check_if_cert_hash_is_same(session, cred);
3096
0
    if (ret < 0) {
3097
0
      return gnutls_assert_val(ret);
3098
0
    }
3099
0
  }
3100
3101
0
  if (cred != NULL &&
3102
0
      (cred->verify_callback != NULL
3103
0
       || session->internals.verify_callback != NULL)
3104
0
      && (session->security_parameters.entity == GNUTLS_CLIENT
3105
0
    || session->internals.send_cert_req != GNUTLS_CERT_IGNORE)) {
3106
0
    if (session->internals.verify_callback)
3107
0
      ret = session->internals.verify_callback(session);
3108
0
    else
3109
0
      ret = cred->verify_callback(session);
3110
0
    if (ret < -1)
3111
0
      return gnutls_assert_val(ret);
3112
0
    else if (ret != 0)
3113
0
      return gnutls_assert_val(GNUTLS_E_CERTIFICATE_ERROR);
3114
0
  }
3115
3116
0
  return 0;
3117
0
}
3118
3119
static bool can_send_false_start(gnutls_session_t session)
3120
0
{
3121
0
  const version_entry_st *vers;
3122
3123
0
  vers = get_version(session);
3124
0
  if (unlikely(vers == NULL || !vers->false_start))
3125
0
    return 0;
3126
3127
0
  if (session->internals.selected_cert_list != NULL)
3128
0
    return 0;
3129
3130
0
  if (!_gnutls_kx_allows_false_start(session))
3131
0
    return 0;
3132
3133
0
  return 1;
3134
0
}
3135
3136
/*
3137
 * handshake_client
3138
 * This function performs the client side of the handshake of the TLS/SSL protocol.
3139
 */
3140
static int handshake_client(gnutls_session_t session)
3141
0
{
3142
0
  int ret = 0;
3143
0
  const version_entry_st *ver;
3144
3145
0
 reset:
3146
0
  if (STATE >= STATE99)
3147
0
    return _gnutls13_handshake_client(session);
3148
3149
0
  switch (STATE) {
3150
0
  case STATE0:
3151
0
  case STATE1:
3152
0
    ret = send_client_hello(session, AGAIN(STATE1));
3153
0
    STATE = STATE1;
3154
0
    IMED_RET("send hello", ret, 1);
3155
0
    FALLTHROUGH;
3156
0
  case STATE2:
3157
0
    if (IS_DTLS(session)) {
3158
0
      ret =
3159
0
          _gnutls_recv_handshake(session,
3160
0
               GNUTLS_HANDSHAKE_HELLO_VERIFY_REQUEST,
3161
0
               1, NULL);
3162
0
      STATE = STATE2;
3163
0
      IMED_RET("recv hello verify", ret, 1);
3164
3165
0
      if (ret == 1) {
3166
0
        STATE = STATE0;
3167
0
        return 1;
3168
0
      }
3169
0
    } else {
3170
0
      ret =
3171
0
          _gnutls_recv_handshake(session,
3172
0
               GNUTLS_HANDSHAKE_HELLO_RETRY_REQUEST,
3173
0
               1, NULL);
3174
0
      STATE = STATE2;
3175
0
      IMED_RET("recv hello retry", ret, 1);
3176
3177
0
      if (ret == 1) {
3178
0
        STATE = STATE0;
3179
0
        return 1;
3180
0
      }
3181
0
    }
3182
0
    FALLTHROUGH;
3183
0
  case STATE3:
3184
    /* receive the server hello */
3185
0
    ret =
3186
0
        _gnutls_recv_handshake(session,
3187
0
             GNUTLS_HANDSHAKE_SERVER_HELLO,
3188
0
             0, NULL);
3189
0
    STATE = STATE3;
3190
0
    IMED_RET("recv hello", ret, 1);
3191
0
    FALLTHROUGH;
3192
0
  case STATE4:
3193
0
    ver = get_version(session);
3194
0
    if (ver->tls13_sem) { /* TLS 1.3 state machine */
3195
0
      STATE = STATE99;
3196
0
      goto reset;
3197
0
    }
3198
3199
0
    ret = _gnutls_ext_sr_verify(session);
3200
0
    STATE = STATE4;
3201
0
    IMED_RET_FATAL("recv hello", ret, 0);
3202
0
    FALLTHROUGH;
3203
0
  case STATE5:
3204
0
    if (session->security_parameters.do_recv_supplemental) {
3205
0
      ret = _gnutls_recv_supplemental(session);
3206
0
      STATE = STATE5;
3207
0
      IMED_RET("recv supplemental", ret, 1);
3208
0
    }
3209
0
    FALLTHROUGH;
3210
0
  case STATE6:
3211
    /* RECV CERTIFICATE */
3212
0
    if (!session->internals.resumed) /* if we are not resuming */
3213
0
      ret = _gnutls_recv_server_certificate(session);
3214
0
    STATE = STATE6;
3215
0
    IMED_RET("recv server certificate", ret, 1);
3216
0
    FALLTHROUGH;
3217
0
  case STATE7:
3218
0
#ifdef ENABLE_OCSP
3219
    /* RECV CERTIFICATE STATUS */
3220
0
    if (!session->internals.resumed) /* if we are not resuming */
3221
0
      ret = _gnutls_recv_server_certificate_status(session);
3222
0
    STATE = STATE7;
3223
0
    IMED_RET("recv server certificate", ret, 1);
3224
0
#endif
3225
0
    FALLTHROUGH;
3226
0
  case STATE8:
3227
0
    ret = _gnutls_run_verify_callback(session, GNUTLS_CLIENT);
3228
0
    STATE = STATE8;
3229
0
    if (ret < 0)
3230
0
      return gnutls_assert_val(ret);
3231
3232
0
    FALLTHROUGH;
3233
0
  case STATE9:
3234
    /* receive the server key exchange */
3235
0
    if (!session->internals.resumed) /* if we are not resuming */
3236
0
      ret = _gnutls_recv_server_kx_message(session);
3237
0
    STATE = STATE9;
3238
0
    IMED_RET("recv server kx message", ret, 1);
3239
0
    FALLTHROUGH;
3240
0
  case STATE10:
3241
    /* receive the server certificate request - if any
3242
     */
3243
3244
0
    if (!session->internals.resumed) /* if we are not resuming */
3245
0
      ret = _gnutls_recv_server_crt_request(session);
3246
0
    STATE = STATE10;
3247
0
    IMED_RET("recv server certificate request message", ret, 1);
3248
0
    FALLTHROUGH;
3249
0
  case STATE11:
3250
    /* receive the server hello done */
3251
0
    if (!session->internals.resumed) /* if we are not resuming */
3252
0
      ret =
3253
0
          _gnutls_recv_handshake(session,
3254
0
               GNUTLS_HANDSHAKE_SERVER_HELLO_DONE,
3255
0
               0, NULL);
3256
0
    STATE = STATE11;
3257
0
    IMED_RET("recv server hello done", ret, 1);
3258
0
    FALLTHROUGH;
3259
0
  case STATE12:
3260
0
    if (session->security_parameters.do_send_supplemental) {
3261
0
      ret =
3262
0
          _gnutls_send_supplemental(session, AGAIN(STATE12));
3263
0
      STATE = STATE12;
3264
0
      IMED_RET("send supplemental", ret, 0);
3265
0
    }
3266
0
    FALLTHROUGH;
3267
0
  case STATE13:
3268
    /* send our certificate - if any and if requested
3269
     */
3270
0
    if (!session->internals.resumed) /* if we are not resuming */
3271
0
      ret =
3272
0
          _gnutls_send_client_certificate(session,
3273
0
                  AGAIN(STATE13));
3274
0
    STATE = STATE13;
3275
0
    IMED_RET("send client certificate", ret, 0);
3276
0
    FALLTHROUGH;
3277
0
  case STATE14:
3278
0
    if (!session->internals.resumed) /* if we are not resuming */
3279
0
      ret =
3280
0
          _gnutls_send_client_kx_message(session,
3281
0
                 AGAIN(STATE14));
3282
0
    STATE = STATE14;
3283
0
    IMED_RET("send client kx", ret, 0);
3284
0
    FALLTHROUGH;
3285
0
  case STATE15:
3286
    /* send client certificate verify */
3287
0
    if (!session->internals.resumed) /* if we are not resuming */
3288
0
      ret =
3289
0
          _gnutls_send_client_certificate_verify(session,
3290
0
                   AGAIN
3291
0
                   (STATE15));
3292
0
    STATE = STATE15;
3293
0
    IMED_RET("send client certificate verify", ret, 1);
3294
0
    FALLTHROUGH;
3295
0
  case STATE16:
3296
0
    STATE = STATE16;
3297
0
    if (!session->internals.resumed) {
3298
0
      ret = send_handshake_final(session, true);
3299
0
      IMED_RET("send handshake final 2", ret, 1);
3300
0
    } else {
3301
0
      ret = _gnutls_recv_new_session_ticket(session);
3302
0
      IMED_RET("recv handshake new session ticket", ret, 1);
3303
0
    }
3304
0
    FALLTHROUGH;
3305
0
  case STATE17:
3306
0
    STATE = STATE17;
3307
0
    if (!session->internals.resumed
3308
0
        && (session->internals.flags & GNUTLS_ENABLE_FALSE_START)
3309
0
        && can_send_false_start(session)) {
3310
0
      session->internals.hsk_flags |= HSK_FALSE_START_USED;
3311
0
      session->internals.recv_state = RECV_STATE_FALSE_START;
3312
      /* complete this phase of the handshake. We
3313
       * should be called again by gnutls_record_recv()
3314
       */
3315
0
      STATE = STATE18;
3316
0
      gnutls_assert();
3317
3318
0
      return 0;
3319
0
    }
3320
0
    FALLTHROUGH;
3321
0
  case STATE18:
3322
0
    STATE = STATE18;
3323
3324
0
    if (!session->internals.resumed) {
3325
0
      ret = _gnutls_recv_new_session_ticket(session);
3326
0
      IMED_RET("recv handshake new session ticket", ret, 1);
3327
0
    } else {
3328
0
      ret = recv_handshake_final(session, true);
3329
0
      IMED_RET("recv handshake final", ret, 1);
3330
0
    }
3331
0
    FALLTHROUGH;
3332
0
  case STATE19:
3333
0
    STATE = STATE19;
3334
0
    if (!session->internals.resumed) {
3335
0
      ret = recv_handshake_final(session, false);
3336
0
      IMED_RET("recv handshake final 2", ret, 1);
3337
0
    } else {
3338
0
      ret = send_handshake_final(session, false);
3339
0
      IMED_RET("send handshake final", ret, 1);
3340
0
    }
3341
3342
0
    STATE = STATE0;
3343
0
    FALLTHROUGH;
3344
0
  default:
3345
0
    break;
3346
0
  }
3347
3348
  /* explicitly reset any false start flags */
3349
0
  gnutls_mutex_lock(&session->internals.post_negotiation_lock);
3350
0
  session->internals.initial_negotiation_completed = 1;
3351
0
  session->internals.recv_state = RECV_STATE_0;
3352
0
  gnutls_mutex_unlock(&session->internals.post_negotiation_lock);
3353
3354
0
  return 0;
3355
0
}
3356
3357
/* This function is to be called if the handshake was successfully
3358
 * completed. This sends a Change Cipher Spec packet to the peer.
3359
 */
3360
ssize_t _gnutls_send_change_cipher_spec(gnutls_session_t session, int again)
3361
0
{
3362
0
  uint8_t *data;
3363
0
  mbuffer_st *bufel;
3364
0
  int ret;
3365
0
  const version_entry_st *vers;
3366
3367
0
  if (again == 0) {
3368
0
    bufel = _gnutls_handshake_alloc(session, 3);  /* max for DTLS0.9 */
3369
0
    if (bufel == NULL)
3370
0
      return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
3371
3372
0
    vers = get_version(session);
3373
0
    if (unlikely(vers == NULL))
3374
0
      return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
3375
3376
0
    if (vers->id == GNUTLS_DTLS0_9)
3377
0
      _mbuffer_set_uhead_size(bufel, 3);
3378
0
    else
3379
0
      _mbuffer_set_uhead_size(bufel, 1);
3380
0
    _mbuffer_set_udata_size(bufel, 0);
3381
3382
0
    data = _mbuffer_get_uhead_ptr(bufel);
3383
3384
0
    data[0] = 1;
3385
0
    if (vers->id == GNUTLS_DTLS0_9) {
3386
0
      _gnutls_write_uint16(session->internals.dtls.
3387
0
               hsk_write_seq, &data[1]);
3388
0
      session->internals.dtls.hsk_write_seq++;
3389
0
    }
3390
3391
0
    ret =
3392
0
        _gnutls_call_hook_func(session,
3393
0
             GNUTLS_HANDSHAKE_CHANGE_CIPHER_SPEC,
3394
0
             GNUTLS_HOOK_PRE, 0, data, 1);
3395
0
    if (ret < 0) {
3396
0
      _mbuffer_xfree(&bufel);
3397
0
      return gnutls_assert_val(ret);
3398
0
    }
3399
3400
0
    ret =
3401
0
        _gnutls_handshake_io_cache_int(session,
3402
0
               GNUTLS_HANDSHAKE_CHANGE_CIPHER_SPEC,
3403
0
               bufel);
3404
0
    if (ret < 0) {
3405
0
      _mbuffer_xfree(&bufel);
3406
0
      return gnutls_assert_val(ret);
3407
0
    }
3408
3409
0
    ret =
3410
0
        _gnutls_call_hook_func(session,
3411
0
             GNUTLS_HANDSHAKE_CHANGE_CIPHER_SPEC,
3412
0
             GNUTLS_HOOK_POST, 0, data, 1);
3413
0
    if (ret < 0) {
3414
0
      return gnutls_assert_val(ret);
3415
0
    }
3416
3417
    /* under TLS 1.3, CCS may be immediately followed by
3418
     * receiving ClientHello thus cannot be cached */
3419
0
    if (vers->tls13_sem) {
3420
0
      ret = _gnutls_handshake_io_write_flush(session);
3421
0
      if (ret < 0)
3422
0
        return gnutls_assert_val(ret);
3423
0
    }
3424
3425
0
    _gnutls_handshake_log("REC[%p]: Sent ChangeCipherSpec\n",
3426
0
              session);
3427
0
  }
3428
3429
0
  return 0;
3430
0
}
3431
3432
/* This function sends the final handshake packets and initializes connection
3433
 */
3434
static int send_handshake_final(gnutls_session_t session, int init)
3435
0
{
3436
0
  int ret = 0;
3437
3438
  /* Send the CHANGE CIPHER SPEC PACKET */
3439
3440
0
  switch (FINAL_STATE) {
3441
0
  case STATE0:
3442
0
  case STATE1:
3443
0
    ret = _gnutls_send_change_cipher_spec(session, FAGAIN(STATE1));
3444
0
    FINAL_STATE = STATE0;
3445
3446
0
    if (ret < 0) {
3447
0
      gnutls_assert();
3448
0
      return ret;
3449
0
    }
3450
    /* Initialize the connection session (start encryption) - in case of client
3451
     */
3452
0
    if (init) {
3453
0
      ret = _gnutls_connection_state_init(session);
3454
0
      if (ret < 0) {
3455
0
        gnutls_assert();
3456
0
        return ret;
3457
0
      }
3458
0
    }
3459
3460
0
    ret = _gnutls_write_connection_state_init(session);
3461
0
    if (ret < 0) {
3462
0
      gnutls_assert();
3463
0
      return ret;
3464
0
    }
3465
3466
0
    FALLTHROUGH;
3467
0
  case STATE2:
3468
    /* send the finished message */
3469
0
    ret = _gnutls_send_finished(session, FAGAIN(STATE2));
3470
0
    FINAL_STATE = STATE2;
3471
0
    if (ret < 0) {
3472
0
      gnutls_assert();
3473
0
      return ret;
3474
0
    }
3475
3476
0
    FINAL_STATE = STATE0;
3477
0
    FALLTHROUGH;
3478
0
  default:
3479
0
    break;
3480
0
  }
3481
3482
0
  return 0;
3483
0
}
3484
3485
/* This function receives the final handshake packets
3486
 * And executes the appropriate function to initialize the
3487
 * read session.
3488
 */
3489
static int recv_handshake_final(gnutls_session_t session, int init)
3490
0
{
3491
0
  int ret = 0;
3492
0
  uint8_t ccs[3];
3493
0
  unsigned int ccs_len = 1;
3494
0
  unsigned int tleft;
3495
0
  const version_entry_st *vers;
3496
3497
0
  ret = handshake_remaining_time(session);
3498
0
  if (ret < 0)
3499
0
    return gnutls_assert_val(ret);
3500
0
  tleft = ret;
3501
3502
0
  switch (FINAL_STATE) {
3503
0
  case STATE0:
3504
0
  case STATE30:
3505
0
    FINAL_STATE = STATE30;
3506
3507
    /* This is the last flight and peer cannot be sure
3508
     * we have received it unless we notify him. So we
3509
     * wait for a message and retransmit if needed. */
3510
0
    if (IS_DTLS(session) && !_dtls_is_async(session) &&
3511
0
        (gnutls_record_check_pending(session) +
3512
0
         record_check_unprocessed(session)) == 0) {
3513
0
      ret = _dtls_wait_and_retransmit(session);
3514
0
      if (ret < 0)
3515
0
        return gnutls_assert_val(ret);
3516
0
    }
3517
3518
0
    vers = get_version(session);
3519
0
    if (unlikely(vers == NULL))
3520
0
      return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
3521
3522
0
    if (vers->id == GNUTLS_DTLS0_9)
3523
0
      ccs_len = 3;
3524
3525
0
    ret =
3526
0
        _gnutls_recv_int(session, GNUTLS_CHANGE_CIPHER_SPEC,
3527
0
             ccs, ccs_len, NULL, tleft);
3528
0
    if (ret <= 0) {
3529
0
      gnutls_assert();
3530
0
      return (ret < 0) ? ret : GNUTLS_E_UNEXPECTED_PACKET;
3531
0
    }
3532
3533
0
    if (vers->id == GNUTLS_DTLS0_9)
3534
0
      session->internals.dtls.hsk_read_seq++;
3535
3536
    /* Initialize the connection session (start encryption) - in case of server */
3537
0
    if (init) {
3538
0
      ret = _gnutls_connection_state_init(session);
3539
0
      if (ret < 0) {
3540
0
        gnutls_assert();
3541
0
        return ret;
3542
0
      }
3543
0
    }
3544
3545
0
    ret = _gnutls_read_connection_state_init(session);
3546
0
    if (ret < 0) {
3547
0
      gnutls_assert();
3548
0
      return ret;
3549
0
    }
3550
0
    FALLTHROUGH;
3551
0
  case STATE31:
3552
0
    FINAL_STATE = STATE31;
3553
3554
0
    if (IS_DTLS(session) && !_dtls_is_async(session) &&
3555
0
        (gnutls_record_check_pending(session) +
3556
0
         record_check_unprocessed(session)) == 0) {
3557
0
      ret = _dtls_wait_and_retransmit(session);
3558
0
      if (ret < 0)
3559
0
        return gnutls_assert_val(ret);
3560
0
    }
3561
3562
0
    ret = _gnutls_recv_finished(session);
3563
0
    if (ret < 0) {
3564
0
      gnutls_assert();
3565
0
      return ret;
3566
0
    }
3567
0
    FINAL_STATE = STATE0;
3568
0
    FALLTHROUGH;
3569
0
  default:
3570
0
    break;
3571
0
  }
3572
3573
0
  return 0;
3574
0
}
3575
3576
/*
3577
 * handshake_server
3578
 * This function does the server stuff of the handshake protocol.
3579
 */
3580
static int handshake_server(gnutls_session_t session)
3581
0
{
3582
0
  int ret = 0;
3583
0
  const version_entry_st *ver;
3584
3585
0
 reset:
3586
3587
0
  if (STATE >= STATE90)
3588
0
    return _gnutls13_handshake_server(session);
3589
3590
0
  switch (STATE) {
3591
0
  case STATE0:
3592
0
  case STATE1:
3593
0
    ret =
3594
0
        _gnutls_recv_handshake(session,
3595
0
             GNUTLS_HANDSHAKE_CLIENT_HELLO,
3596
0
             0, NULL);
3597
0
    if (ret == GNUTLS_E_INT_RET_0) {
3598
      /* this is triggered by post_client_hello, and instructs the
3599
       * handshake to proceed but be put on hold */
3600
0
      ret = GNUTLS_E_INTERRUPTED;
3601
0
      STATE = STATE2;  /* hello already parsed -> move on */
3602
0
    } else {
3603
0
      STATE = STATE1;
3604
0
    }
3605
3606
0
    if (ret == GNUTLS_E_NO_COMMON_KEY_SHARE) {
3607
0
      STATE = STATE90;
3608
0
      session->internals.hsk_flags |= HSK_HRR_SENT;
3609
0
      goto reset;
3610
0
    }
3611
3612
0
    IMED_RET("recv hello", ret, 1);
3613
0
    FALLTHROUGH;
3614
0
  case STATE2:
3615
3616
0
    ret = _gnutls_ext_sr_verify(session);
3617
0
    STATE = STATE2;
3618
0
    IMED_RET_FATAL("recv hello", ret, 0);
3619
0
    FALLTHROUGH;
3620
0
  case STATE3:
3621
0
    ret = _gnutls_send_server_hello(session, AGAIN(STATE3));
3622
0
    STATE = STATE3;
3623
0
    IMED_RET("send hello", ret, 1);
3624
3625
0
    ver = get_version(session);
3626
0
    if (ver->tls13_sem) { /* TLS 1.3 state machine */
3627
0
      STATE = STATE99;
3628
0
      goto reset;
3629
0
    }
3630
3631
0
    FALLTHROUGH;
3632
0
  case STATE4:
3633
0
    if (session->security_parameters.do_send_supplemental) {
3634
0
      ret = _gnutls_send_supplemental(session, AGAIN(STATE4));
3635
0
      STATE = STATE4;
3636
0
      IMED_RET("send supplemental data", ret, 0);
3637
0
    }
3638
    /* SEND CERTIFICATE + KEYEXCHANGE + CERTIFICATE_REQUEST */
3639
0
    FALLTHROUGH;
3640
0
  case STATE5:
3641
    /* NOTE: these should not be send if we are resuming */
3642
3643
0
    if (!session->internals.resumed)
3644
0
      ret =
3645
0
          _gnutls_send_server_certificate(session,
3646
0
                  AGAIN(STATE5));
3647
0
    STATE = STATE5;
3648
0
    IMED_RET("send server certificate", ret, 0);
3649
0
    FALLTHROUGH;
3650
0
  case STATE6:
3651
0
#ifdef ENABLE_OCSP
3652
0
    if (!session->internals.resumed)
3653
0
      ret =
3654
0
          _gnutls_send_server_certificate_status(session,
3655
0
                   AGAIN
3656
0
                   (STATE6));
3657
0
    STATE = STATE6;
3658
0
    IMED_RET("send server certificate status", ret, 0);
3659
0
#endif
3660
0
    FALLTHROUGH;
3661
0
  case STATE7:
3662
    /* send server key exchange (A) */
3663
0
    if (!session->internals.resumed)
3664
0
      ret =
3665
0
          _gnutls_send_server_kx_message(session,
3666
0
                 AGAIN(STATE7));
3667
0
    STATE = STATE7;
3668
0
    IMED_RET("send server kx", ret, 0);
3669
0
    FALLTHROUGH;
3670
0
  case STATE8:
3671
    /* Send certificate request - if requested to */
3672
0
    if (!session->internals.resumed)
3673
0
      ret =
3674
0
          _gnutls_send_server_crt_request(session,
3675
0
                  AGAIN(STATE8));
3676
0
    STATE = STATE8;
3677
0
    IMED_RET("send server cert request", ret, 0);
3678
0
    FALLTHROUGH;
3679
0
  case STATE9:
3680
    /* send the server hello done */
3681
0
    if (!session->internals.resumed) /* if we are not resuming */
3682
0
      ret =
3683
0
          _gnutls_send_empty_handshake(session,
3684
0
               GNUTLS_HANDSHAKE_SERVER_HELLO_DONE,
3685
0
               AGAIN(STATE9));
3686
0
    STATE = STATE9;
3687
0
    IMED_RET("send server hello done", ret, 1);
3688
0
    FALLTHROUGH;
3689
0
  case STATE10:
3690
0
    if (session->security_parameters.do_recv_supplemental) {
3691
0
      ret = _gnutls_recv_supplemental(session);
3692
0
      STATE = STATE10;
3693
0
      IMED_RET("recv client supplemental", ret, 1);
3694
0
    }
3695
    /* RECV CERTIFICATE + KEYEXCHANGE + CERTIFICATE_VERIFY */
3696
0
    FALLTHROUGH;
3697
0
  case STATE11:
3698
    /* receive the client certificate message */
3699
0
    if (!session->internals.resumed) /* if we are not resuming */
3700
0
      ret = _gnutls_recv_client_certificate(session);
3701
0
    STATE = STATE11;
3702
0
    IMED_RET("recv client certificate", ret, 1);
3703
0
    FALLTHROUGH;
3704
0
  case STATE12:
3705
0
    ret = _gnutls_run_verify_callback(session, GNUTLS_SERVER);
3706
0
    STATE = STATE12;
3707
0
    if (ret < 0)
3708
0
      return gnutls_assert_val(ret);
3709
0
    FALLTHROUGH;
3710
0
  case STATE13:
3711
    /* receive the client key exchange message */
3712
0
    if (!session->internals.resumed) /* if we are not resuming */
3713
0
      ret = _gnutls_recv_client_kx_message(session);
3714
0
    STATE = STATE13;
3715
0
    IMED_RET("recv client kx", ret, 1);
3716
0
    FALLTHROUGH;
3717
0
  case STATE14:
3718
    /* receive the client certificate verify message */
3719
0
    if (!session->internals.resumed) /* if we are not resuming */
3720
0
      ret =
3721
0
          _gnutls_recv_client_certificate_verify_message
3722
0
          (session);
3723
0
    STATE = STATE14;
3724
0
    IMED_RET("recv client certificate verify", ret, 1);
3725
0
    FALLTHROUGH;
3726
0
  case STATE15:
3727
0
    STATE = STATE15;
3728
0
    if (!session->internals.resumed) { /* if we are not resuming */
3729
0
      ret = recv_handshake_final(session, true);
3730
0
      IMED_RET("recv handshake final", ret, 1);
3731
0
    } else {
3732
0
      ret = send_handshake_final(session, true);
3733
0
      IMED_RET("send handshake final 2", ret, 1);
3734
0
    }
3735
0
    FALLTHROUGH;
3736
0
  case STATE16:
3737
0
    ret = _gnutls_send_new_session_ticket(session, AGAIN(STATE16));
3738
0
    STATE = STATE16;
3739
0
    IMED_RET("send handshake new session ticket", ret, 0);
3740
0
    FALLTHROUGH;
3741
0
  case STATE17:
3742
0
    STATE = STATE17;
3743
0
    if (!session->internals.resumed) { /* if we are not resuming */
3744
0
      ret = send_handshake_final(session, false);
3745
0
      IMED_RET("send handshake final", ret, 1);
3746
3747
0
      if (session->security_parameters.entity ==
3748
0
          GNUTLS_SERVER
3749
0
          && !(session->
3750
0
         internals.hsk_flags & HSK_TLS12_TICKET_SENT)) {
3751
        /* if no ticket, save session data */
3752
0
        _gnutls_server_register_current_session
3753
0
            (session);
3754
0
      }
3755
0
    } else {
3756
0
      ret = recv_handshake_final(session, false);
3757
0
      IMED_RET("recv handshake final 2", ret, 1);
3758
0
    }
3759
3760
0
    STATE = STATE0;
3761
0
    FALLTHROUGH;
3762
0
  default:
3763
0
    break;
3764
0
  }
3765
3766
  /* no lock of post_negotiation_lock is required here as this is not run
3767
   * after handshake */
3768
0
  session->internals.initial_negotiation_completed = 1;
3769
3770
0
  return _gnutls_check_id_for_change(session);
3771
0
}
3772
3773
int _gnutls_generate_session_id(uint8_t * session_id, uint8_t * len)
3774
0
{
3775
0
  int ret;
3776
3777
0
  *len = GNUTLS_DEF_SESSION_ID_SIZE;
3778
3779
0
  ret =
3780
0
      gnutls_rnd(GNUTLS_RND_NONCE, session_id,
3781
0
           GNUTLS_DEF_SESSION_ID_SIZE);
3782
0
  if (ret < 0) {
3783
0
    gnutls_assert();
3784
0
    return ret;
3785
0
  }
3786
3787
0
  return 0;
3788
0
}
3789
3790
/**
3791
 * gnutls_handshake_set_max_packet_length:
3792
 * @session: is a #gnutls_session_t type.
3793
 * @max: is the maximum number.
3794
 *
3795
 * This function will set the maximum size of all handshake messages.
3796
 * Handshakes over this size are rejected with
3797
 * %GNUTLS_E_HANDSHAKE_TOO_LARGE error code.  The default value is
3798
 * 128kb which is typically large enough.  Set this to 0 if you do not
3799
 * want to set an upper limit.
3800
 *
3801
 * The reason for restricting the handshake message sizes are to
3802
 * limit Denial of Service attacks.
3803
 *
3804
 * Note that the maximum handshake size was increased to 128kb
3805
 * from 48kb in GnuTLS 3.5.5.
3806
 **/
3807
void
3808
gnutls_handshake_set_max_packet_length(gnutls_session_t session, size_t max)
3809
0
{
3810
0
  session->internals.max_handshake_data_buffer_size = max;
3811
0
}
3812
3813
/**
3814
 * gnutls_handshake_get_last_in:
3815
 * @session: is a #gnutls_session_t type.
3816
 *
3817
 * This function is only useful to check where the last performed
3818
 * handshake failed.  If the previous handshake succeed or was not
3819
 * performed at all then no meaningful value will be returned.
3820
 *
3821
 * Check %gnutls_handshake_description_t in gnutls.h for the
3822
 * available handshake descriptions.
3823
 *
3824
 * Returns: the last handshake message type received, a
3825
 * %gnutls_handshake_description_t.
3826
 **/
3827
gnutls_handshake_description_t
3828
gnutls_handshake_get_last_in(gnutls_session_t session)
3829
0
{
3830
0
  return session->internals.last_handshake_in;
3831
0
}
3832
3833
/**
3834
 * gnutls_handshake_get_last_out:
3835
 * @session: is a #gnutls_session_t type.
3836
 *
3837
 * This function is only useful to check where the last performed
3838
 * handshake failed.  If the previous handshake succeed or was not
3839
 * performed at all then no meaningful value will be returned.
3840
 *
3841
 * Check %gnutls_handshake_description_t in gnutls.h for the
3842
 * available handshake descriptions.
3843
 *
3844
 * Returns: the last handshake message type sent, a
3845
 * %gnutls_handshake_description_t.
3846
 **/
3847
gnutls_handshake_description_t
3848
gnutls_handshake_get_last_out(gnutls_session_t session)
3849
0
{
3850
0
  return session->internals.last_handshake_out;
3851
0
}
3852
3853
/* This returns the session hash as in draft-ietf-tls-session-hash-02.
3854
 */
3855
int _gnutls_handshake_get_session_hash(gnutls_session_t session,
3856
               gnutls_datum_t * shash)
3857
0
{
3858
0
  const version_entry_st *ver = get_version(session);
3859
0
  int ret;
3860
0
  uint8_t concat[2 * MAX_HASH_SIZE];
3861
3862
0
  if (unlikely(ver == NULL))
3863
0
    return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
3864
3865
0
  if (session->internals.handshake_hash_buffer_client_kx_len == 0 ||
3866
0
      (session->internals.handshake_hash_buffer.length <
3867
0
       session->internals.handshake_hash_buffer_client_kx_len)) {
3868
0
    return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
3869
0
  }
3870
3871
0
  ret = _gnutls_hash_fast((gnutls_digest_algorithm_t)
3872
0
        session->security_parameters.prf->id,
3873
0
        session->internals.handshake_hash_buffer.data,
3874
0
        session->
3875
0
        internals.handshake_hash_buffer_client_kx_len,
3876
0
        concat);
3877
0
  if (ret < 0)
3878
0
    return gnutls_assert_val(ret);
3879
3880
0
  return _gnutls_set_datum(shash, concat,
3881
0
         session->security_parameters.prf->output_size);
3882
0
}