1 /*
2 * Copyright (C) 2000-2016 Free Software Foundation, Inc.
3 * Copyright (C) 2015-2018 Red Hat, Inc.
4 *
5 * Author: Nikos Mavrogiannopoulos
6 *
7 * This file is part of GnuTLS.
8 *
9 * The GnuTLS is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Lesser General Public License
11 * as published by the Free Software Foundation; either version 2.1 of
12 * the License, or (at your option) any later version.
13 *
14 * This library is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * Lesser General Public License for more details.
18 *
19 * You should have received a copy of the GNU Lesser General Public License
20 * along with this program. If not, see <https://www.gnu.org/licenses/>
21 *
22 */
23
24 /* Functions that relate to the TLS handshake procedure.
25 */
26
27 #include "gnutls_int.h"
28 #include "errors.h"
29 #include "dh.h"
30 #include "debug.h"
31 #include "algorithms.h"
32 #include "cipher.h"
33 #include "buffers.h"
34 #include "mbuffers.h"
35 #include "kx.h"
36 #include "handshake.h"
37 #include "num.h"
38 #include "hash_int.h"
39 #include "db.h"
40 #include "hello_ext.h"
41 #include "supplemental.h"
42 #include "auth.h"
43 #include "sslv2_compat.h"
44 #include <auth/cert.h>
45 #include "constate.h"
46 #include <record.h>
47 #include <state.h>
48 #include <ext/pre_shared_key.h>
49 #include <ext/srp.h>
50 #include <ext/session_ticket.h>
51 #include <ext/status_request.h>
52 #include <ext/safe_renegotiation.h>
53 #include <auth/anon.h> /* for gnutls_anon_server_credentials_t */
54 #include <auth/psk.h> /* for gnutls_psk_server_credentials_t */
55 #include <random.h>
56 #include <dtls.h>
57 #include "secrets.h"
58 #include "tls13/session_ticket.h"
59 #include "locks.h"
60 #ifdef HAVE_VALGRIND_MEMCHECK_H
61 #include <valgrind/memcheck.h>
62 #endif
63
64 #define TRUE 1
65 #define FALSE 0
66
67 static int check_if_null_comp_present(gnutls_session_t session,
68 uint8_t * data, int datalen);
69 static int handshake_client(gnutls_session_t session);
70 static int handshake_server(gnutls_session_t session);
71
72 static int
73 read_server_hello(gnutls_session_t session,
74 uint8_t * data, int datalen);
75
76 static int
77 recv_handshake_final(gnutls_session_t session, int init);
78 static int
79 send_handshake_final(gnutls_session_t session, int init);
80
81 /* Empties but does not free the buffer
82 */
83 inline static void
handshake_hash_buffer_reset(gnutls_session_t session)84 handshake_hash_buffer_reset(gnutls_session_t session)
85 {
86 _gnutls_buffers_log("BUF[HSK]: Emptied buffer\n");
87
88 session->internals.handshake_hash_buffer_client_hello_len = 0;
89 session->internals.handshake_hash_buffer_client_kx_len = 0;
90 session->internals.handshake_hash_buffer_server_finished_len = 0;
91 session->internals.handshake_hash_buffer_client_finished_len = 0;
92 session->internals.handshake_hash_buffer_prev_len = 0;
93 session->internals.handshake_hash_buffer.length = 0;
94 session->internals.full_client_hello.length = 0;
95 return;
96 }
97
98 static int
99 handshake_hash_add_recvd(gnutls_session_t session,
100 gnutls_handshake_description_t recv_type,
101 uint8_t * header, uint16_t header_size,
102 uint8_t * dataptr, uint32_t datalen);
103
104 static int
105 handshake_hash_add_sent(gnutls_session_t session,
106 gnutls_handshake_description_t type,
107 uint8_t * dataptr, uint32_t datalen);
108
109 static int
110 recv_hello_verify_request(gnutls_session_t session,
111 uint8_t * data, int datalen);
112
113
114 /* Clears the handshake hash buffers and handles.
115 */
_gnutls_handshake_hash_buffers_clear(gnutls_session_t session)116 void _gnutls_handshake_hash_buffers_clear(gnutls_session_t session)
117 {
118 handshake_hash_buffer_reset(session);
119 _gnutls_buffer_clear(&session->internals.handshake_hash_buffer);
120 _gnutls_buffer_clear(&session->internals.full_client_hello);
121 }
122
123 /* Replace handshake message buffer, with the special synthetic message
124 * needed by TLS1.3 when HRR is sent. */
_gnutls13_handshake_hash_buffers_synth(gnutls_session_t session,const mac_entry_st * prf,unsigned client)125 int _gnutls13_handshake_hash_buffers_synth(gnutls_session_t session,
126 const mac_entry_st *prf,
127 unsigned client)
128 {
129 int ret;
130 uint8_t hdata[4+MAX_HASH_SIZE];
131 size_t length;
132
133 if (client)
134 length = session->internals.handshake_hash_buffer_prev_len;
135 else
136 length = session->internals.handshake_hash_buffer.length;
137
138 /* calculate hash */
139 hdata[0] = 254;
140 _gnutls_write_uint24(prf->output_size, &hdata[1]);
141
142 ret = gnutls_hash_fast((gnutls_digest_algorithm_t)prf->id,
143 session->internals.handshake_hash_buffer.data,
144 length, hdata+4);
145 if (ret < 0)
146 return gnutls_assert_val(ret);
147
148 handshake_hash_buffer_reset(session);
149
150 ret =
151 _gnutls_buffer_append_data(&session->internals.
152 handshake_hash_buffer,
153 hdata, prf->output_size+4);
154 if (ret < 0)
155 return gnutls_assert_val(ret);
156
157 _gnutls_buffers_log("BUF[HSK]: Replaced handshake buffer with synth message (%d bytes)\n",
158 prf->output_size+4);
159
160 return 0;
161 }
162
163 /* this will copy the required values for resuming to
164 * internals, and to security_parameters.
165 * this will keep as less data to security_parameters.
166 */
tls12_resume_copy_required_vals(gnutls_session_t session,unsigned ticket)167 static int tls12_resume_copy_required_vals(gnutls_session_t session, unsigned ticket)
168 {
169 int ret;
170
171 /* get the new random values */
172 memcpy(session->internals.resumed_security_parameters.
173 server_random, session->security_parameters.server_random,
174 GNUTLS_RANDOM_SIZE);
175 memcpy(session->internals.resumed_security_parameters.
176 client_random, session->security_parameters.client_random,
177 GNUTLS_RANDOM_SIZE);
178
179 /* keep the ciphersuite and compression
180 * That is because the client must see these in our
181 * hello message.
182 */
183 ret = _gnutls_set_cipher_suite2(session,
184 session->internals.
185 resumed_security_parameters.
186 cs);
187 if (ret < 0)
188 return gnutls_assert_val(ret);
189
190 /* or write_compression_algorithm
191 * they are the same
192 */
193
194 session->security_parameters.entity =
195 session->internals.resumed_security_parameters.entity;
196
197 if (session->internals.resumed_security_parameters.pversion ==
198 NULL)
199 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
200
201 if (_gnutls_set_current_version(session,
202 session->internals.
203 resumed_security_parameters.pversion->
204 id) < 0)
205 return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
206
207 session->security_parameters.client_ctype =
208 session->internals.resumed_security_parameters.client_ctype;
209 session->security_parameters.server_ctype =
210 session->internals.resumed_security_parameters.server_ctype;
211
212 if (!ticket) {
213 memcpy(session->security_parameters.session_id,
214 session->internals.resumed_security_parameters.session_id,
215 sizeof(session->security_parameters.session_id));
216 session->security_parameters.session_id_size =
217 session->internals.resumed_security_parameters.session_id_size;
218 }
219
220 return 0;
221 }
222
_gnutls_set_client_random(gnutls_session_t session,uint8_t * rnd)223 void _gnutls_set_client_random(gnutls_session_t session, uint8_t * rnd)
224 {
225 memcpy(session->security_parameters.client_random, rnd,
226 GNUTLS_RANDOM_SIZE);
227 }
228
229 static
_gnutls_gen_client_random(gnutls_session_t session)230 int _gnutls_gen_client_random(gnutls_session_t session)
231 {
232 int ret;
233
234 /* no random given, we generate. */
235 if (session->internals.sc_random_set != 0) {
236 memcpy(session->security_parameters.client_random,
237 session->internals.
238 resumed_security_parameters.client_random,
239 GNUTLS_RANDOM_SIZE);
240 } else {
241 ret = gnutls_rnd(GNUTLS_RND_NONCE,
242 session->security_parameters.client_random,
243 GNUTLS_RANDOM_SIZE);
244 if (ret < 0)
245 return gnutls_assert_val(ret);
246 }
247
248 #ifdef HAVE_VALGRIND_MEMCHECK_H
249 if (RUNNING_ON_VALGRIND)
250 VALGRIND_MAKE_MEM_DEFINED(session->security_parameters.client_random,
251 GNUTLS_RANDOM_SIZE);
252 #endif
253
254 return 0;
255 }
256
257 static
_gnutls_set_server_random(gnutls_session_t session,const version_entry_st * vers,uint8_t * rnd)258 int _gnutls_set_server_random(gnutls_session_t session, const version_entry_st *vers, uint8_t * rnd)
259 {
260 const version_entry_st *max;
261
262 memcpy(session->security_parameters.server_random, rnd,
263 GNUTLS_RANDOM_SIZE);
264
265 /* check whether the server random value is set according to
266 * to TLS 1.3. p4.1.3 requirements */
267 if (!IS_DTLS(session) && vers->id <= GNUTLS_TLS1_2 && have_creds_for_tls13(session)) {
268
269 max = _gnutls_version_max(session);
270 if (max->id <= GNUTLS_TLS1_2)
271 return 0;
272
273 if (vers->id == GNUTLS_TLS1_2 &&
274 memcmp(&session->security_parameters.server_random[GNUTLS_RANDOM_SIZE-8],
275 "\x44\x4F\x57\x4E\x47\x52\x44\x01", 8) == 0) {
276
277 _gnutls_audit_log(session,
278 "Detected downgrade to TLS 1.2 from TLS 1.3\n");
279 return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
280 } else if (vers->id <= GNUTLS_TLS1_1 &&
281 memcmp(&session->security_parameters.server_random[GNUTLS_RANDOM_SIZE-8],
282 "\x44\x4F\x57\x4E\x47\x52\x44\x00", 8) == 0) {
283
284 _gnutls_audit_log(session,
285 "Detected downgrade to TLS 1.1 or earlier from TLS 1.3\n");
286 return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
287 }
288 }
289
290 return 0;
291 }
292
_gnutls_gen_server_random(gnutls_session_t session,int version)293 int _gnutls_gen_server_random(gnutls_session_t session, int version)
294 {
295 int ret;
296 const version_entry_st *max;
297
298 if (session->internals.sc_random_set != 0) {
299 memcpy(session->security_parameters.server_random,
300 session->internals.
301 resumed_security_parameters.server_random,
302 GNUTLS_RANDOM_SIZE);
303 return 0;
304 }
305
306 max = _gnutls_version_max(session);
307 if (max == NULL)
308 return gnutls_assert_val(GNUTLS_E_NO_CIPHER_SUITES);
309
310 if (!IS_DTLS(session) && max->id >= GNUTLS_TLS1_3 &&
311 version <= GNUTLS_TLS1_2) {
312 if (version == GNUTLS_TLS1_2) {
313 memcpy(&session->security_parameters.server_random[GNUTLS_RANDOM_SIZE-8],
314 "\x44\x4F\x57\x4E\x47\x52\x44\x01", 8);
315 } else {
316 memcpy(&session->security_parameters.server_random[GNUTLS_RANDOM_SIZE-8],
317 "\x44\x4F\x57\x4E\x47\x52\x44\x00", 8);
318 }
319 ret =
320 gnutls_rnd(GNUTLS_RND_NONCE, session->security_parameters.server_random, GNUTLS_RANDOM_SIZE-8);
321
322 } else {
323 ret =
324 gnutls_rnd(GNUTLS_RND_NONCE, session->security_parameters.server_random, GNUTLS_RANDOM_SIZE);
325 }
326
327 if (ret < 0) {
328 gnutls_assert();
329 return ret;
330 }
331
332 #ifdef HAVE_VALGRIND_MEMCHECK_H
333 if (RUNNING_ON_VALGRIND)
334 VALGRIND_MAKE_MEM_DEFINED(session->security_parameters.server_random,
335 GNUTLS_RANDOM_SIZE);
336 #endif
337
338 return 0;
339 }
340
341 #ifdef ENABLE_SSL3
342 /* Calculate The SSL3 Finished message
343 */
344 #define SSL3_CLIENT_MSG "CLNT"
345 #define SSL3_SERVER_MSG "SRVR"
346 #define SSL_MSG_LEN 4
347 static int
_gnutls_ssl3_finished(gnutls_session_t session,int type,uint8_t * ret,int sending)348 _gnutls_ssl3_finished(gnutls_session_t session, int type, uint8_t * ret,
349 int sending)
350 {
351 digest_hd_st td_md5;
352 digest_hd_st td_sha;
353 const char *mesg;
354 int rc, len;
355
356 if (sending)
357 len = session->internals.handshake_hash_buffer.length;
358 else
359 len = session->internals.handshake_hash_buffer_prev_len;
360
361 rc = _gnutls_hash_init(&td_sha, hash_to_entry(GNUTLS_DIG_SHA1));
362 if (rc < 0)
363 return gnutls_assert_val(rc);
364
365 rc = _gnutls_hash_init(&td_md5, hash_to_entry(GNUTLS_DIG_MD5));
366 if (rc < 0) {
367 _gnutls_hash_deinit(&td_sha, NULL);
368 return gnutls_assert_val(rc);
369 }
370
371 _gnutls_hash(&td_sha,
372 session->internals.handshake_hash_buffer.data, len);
373 _gnutls_hash(&td_md5,
374 session->internals.handshake_hash_buffer.data, len);
375
376 if (type == GNUTLS_SERVER)
377 mesg = SSL3_SERVER_MSG;
378 else
379 mesg = SSL3_CLIENT_MSG;
380
381 _gnutls_hash(&td_md5, mesg, SSL_MSG_LEN);
382 _gnutls_hash(&td_sha, mesg, SSL_MSG_LEN);
383
384 rc = _gnutls_mac_deinit_ssl3_handshake(&td_md5, ret,
385 session->security_parameters.
386 master_secret,
387 GNUTLS_MASTER_SIZE);
388 if (rc < 0) {
389 _gnutls_hash_deinit(&td_md5, NULL);
390 _gnutls_hash_deinit(&td_sha, NULL);
391 return gnutls_assert_val(rc);
392 }
393
394 rc = _gnutls_mac_deinit_ssl3_handshake(&td_sha, &ret[16],
395 session->security_parameters.
396 master_secret,
397 GNUTLS_MASTER_SIZE);
398 if (rc < 0) {
399 _gnutls_hash_deinit(&td_sha, NULL);
400 return gnutls_assert_val(rc);
401 }
402
403 return 0;
404 }
405 #endif
406
407 /* Hash the handshake messages as required by TLS 1.0
408 */
409 #define SERVER_MSG "server finished"
410 #define CLIENT_MSG "client finished"
411 #define TLS_MSG_LEN 15
412 static int
_gnutls_finished(gnutls_session_t session,int type,void * ret,int sending)413 _gnutls_finished(gnutls_session_t session, int type, void *ret,
414 int sending)
415 {
416 const int siz = TLS_MSG_LEN;
417 uint8_t concat[MAX_HASH_SIZE];
418 size_t hash_len;
419 const char *mesg;
420 int rc, len, algorithm;
421
422 if (sending)
423 len = session->internals.handshake_hash_buffer.length;
424 else
425 len = session->internals.handshake_hash_buffer_prev_len;
426
427 algorithm = session->security_parameters.prf->id;
428 rc = _gnutls_hash_fast(algorithm,
429 session->internals.
430 handshake_hash_buffer.data, len,
431 concat);
432 if (rc < 0)
433 return gnutls_assert_val(rc);
434
435 hash_len = session->security_parameters.prf->output_size;
436
437 if (type == GNUTLS_SERVER) {
438 mesg = SERVER_MSG;
439 } else {
440 mesg = CLIENT_MSG;
441 }
442
443 return _gnutls_PRF(session,
444 session->security_parameters.master_secret,
445 GNUTLS_MASTER_SIZE, mesg, siz, concat, hash_len,
446 12, ret);
447 }
448
449
450 /* returns the 0 on success or a negative error code.
451 */
452 int
_gnutls_negotiate_version(gnutls_session_t session,uint8_t major,uint8_t minor,unsigned allow_tls13)453 _gnutls_negotiate_version(gnutls_session_t session,
454 uint8_t major, uint8_t minor, unsigned allow_tls13)
455 {
456 const version_entry_st *vers;
457 const version_entry_st *aversion = nversion_to_entry(major, minor);
458
459 /* if we do not support that version, unless that version is TLS 1.2;
460 * TLS 1.2 is handled separately because it is always advertized under TLS 1.3 or later */
461 if (aversion == NULL ||
462 _gnutls_nversion_is_supported(session, major, minor) == 0) {
463
464 if (aversion && aversion->id == GNUTLS_TLS1_2) {
465 vers = _gnutls_version_max(session);
466 if (unlikely(vers == NULL))
467 return gnutls_assert_val(GNUTLS_E_NO_CIPHER_SUITES);
468
469 if (vers->id >= GNUTLS_TLS1_2) {
470 session->security_parameters.pversion = aversion;
471 return 0;
472 }
473 }
474
475 /* if we get an unknown/unsupported version, then fail if the version we
476 * got is too low to be supported */
477 if (!_gnutls_version_is_too_high(session, major, minor))
478 return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
479
480 /* If he requested something we do not support
481 * then we send him the highest we support.
482 */
483 vers = _gnutls_legacy_version_max(session);
484 if (vers == NULL) {
485 /* this check is not really needed.
486 */
487 gnutls_assert();
488 return GNUTLS_E_UNKNOWN_CIPHER_SUITE;
489 }
490
491 session->security_parameters.pversion = vers;
492
493 return 0;
494 } else {
495 session->security_parameters.pversion = aversion;
496
497 /* we do not allow TLS1.3 negotiation using this mechanism */
498 if (aversion->tls13_sem && !allow_tls13) {
499 vers = _gnutls_legacy_version_max(session);
500 session->security_parameters.pversion = vers;
501 }
502
503 return 0;
504 }
505 }
506
507 /* This function returns:
508 * - zero on success
509 * - GNUTLS_E_INT_RET_0 if GNUTLS_E_AGAIN || GNUTLS_E_INTERRUPTED were returned by the callback
510 * - a negative error code on other error
511 */
512 int
_gnutls_user_hello_func(gnutls_session_t session,uint8_t major,uint8_t minor)513 _gnutls_user_hello_func(gnutls_session_t session,
514 uint8_t major, uint8_t minor)
515 {
516 int ret, sret = 0;
517 const version_entry_st *vers, *old_vers;
518 const version_entry_st *new_max;
519
520 if (session->internals.user_hello_func != NULL) {
521 ret = session->internals.user_hello_func(session);
522
523 if (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED) {
524 gnutls_assert();
525 sret = GNUTLS_E_INT_RET_0;
526 } else if (ret < 0) {
527 gnutls_assert();
528 return ret;
529 }
530
531 /* This callback is often used to switch the priority string of the
532 * server, and that includes switching version which we have already
533 * negotiated; note that this doesn't apply when resuming as the version
534 * negotiation is already complete. */
535 if (session->internals.resumed != RESUME_TRUE) {
536 new_max = _gnutls_version_max(session);
537 old_vers = get_version(session);
538
539 if (!old_vers->tls13_sem || (new_max && !new_max->tls13_sem)) {
540 #if GNUTLS_TLS_VERSION_MAX != GNUTLS_TLS1_3
541 # error "Need to update the following logic"
542 #endif
543 /* Here we need to renegotiate the version since the callee might
544 * have disabled some TLS versions. This logic does not cope for
545 * protocols later than TLS1.3 if they have the tls13_sem set */
546 ret = _gnutls_negotiate_version(session, major, minor, 0);
547 if (ret < 0)
548 return gnutls_assert_val(ret);
549
550 vers = get_version(session);
551 if (old_vers != vers) {
552 /* at this point we need to regenerate the random value to
553 * avoid the peer detecting this session as a rollback
554 * attempt. */
555 ret = _gnutls_gen_server_random(session, vers->id);
556 if (ret < 0)
557 return gnutls_assert_val(ret);
558 }
559 }
560 }
561 }
562 return sret;
563 }
564
565 /* Associates the right credential types for the session, and
566 * performs sanity checks. */
set_auth_types(gnutls_session_t session)567 static int set_auth_types(gnutls_session_t session)
568 {
569 const version_entry_st *ver = get_version(session);
570 gnutls_kx_algorithm_t kx;
571
572 /* sanity check:
573 * we see TLS1.3 negotiated but no key share was sent */
574 if (ver->tls13_sem) {
575 if (unlikely(!(session->internals.hsk_flags & HSK_PSK_KE_MODE_PSK) &&
576 !(session->internals.hsk_flags & HSK_KEY_SHARE_RECEIVED))) {
577 return gnutls_assert_val(GNUTLS_E_MISSING_EXTENSION);
578 }
579
580 /* Under TLS1.3 this returns a KX which matches the negotiated
581 * groups from the key shares; if we are resuming then the KX seen
582 * here doesn't match the original session. */
583 if (session->internals.resumed == RESUME_FALSE)
584 kx = gnutls_kx_get(session);
585 else
586 kx = GNUTLS_KX_UNKNOWN;
587 } else {
588 /* TLS1.2 or earlier, kx is associated with ciphersuite */
589 kx = session->security_parameters.cs->kx_algorithm;
590 }
591
592 if (kx != GNUTLS_KX_UNKNOWN) {
593 session->security_parameters.server_auth_type = _gnutls_map_kx_get_cred(kx, 1);
594 session->security_parameters.client_auth_type = _gnutls_map_kx_get_cred(kx, 0);
595 } else if (unlikely(session->internals.resumed == RESUME_FALSE)) {
596 /* Here we can only arrive if something we received
597 * prevented the session from completing. */
598 return gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
599 }
600
601 return 0;
602 }
603
604 /* Read a client hello packet.
605 * A client hello must be a known version client hello
606 * or version 2.0 client hello (only for compatibility
607 * since SSL version 2.0 is not supported).
608 */
609 static int
read_client_hello(gnutls_session_t session,uint8_t * data,int datalen)610 read_client_hello(gnutls_session_t session, uint8_t * data,
611 int datalen)
612 {
613 uint8_t session_id_len;
614 int pos = 0, ret;
615 uint16_t suite_size, comp_size;
616 int ext_size;
617 int neg_version, sret = 0;
618 int len = datalen;
619 uint8_t major, minor;
620 uint8_t *suite_ptr, *comp_ptr, *session_id, *ext_ptr;
621 const version_entry_st *vers;
622
623 DECR_LEN(len, 2);
624 _gnutls_handshake_log("HSK[%p]: Client's version: %d.%d\n",
625 session, data[pos], data[pos + 1]);
626
627 major = data[pos];
628 minor = data[pos+1];
629
630 set_adv_version(session, major, minor);
631
632 ret = _gnutls_negotiate_version(session, major, minor, 0);
633 if (ret < 0)
634 return gnutls_assert_val(ret);
635
636 vers = get_version(session);
637 if (vers == NULL)
638 return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
639
640 neg_version = vers->id;
641
642 pos += 2;
643
644 /* Read client random value.
645 */
646 DECR_LEN(len, GNUTLS_RANDOM_SIZE);
647 _gnutls_set_client_random(session, &data[pos]);
648
649 pos += GNUTLS_RANDOM_SIZE;
650
651 ret = _gnutls_gen_server_random(session, neg_version);
652 if (ret < 0)
653 return gnutls_assert_val(ret);
654
655 session->security_parameters.timestamp = gnutls_time(NULL);
656
657 DECR_LEN(len, 1);
658 session_id_len = data[pos++];
659
660 /* RESUME SESSION
661 */
662 if (session_id_len > GNUTLS_MAX_SESSION_ID_SIZE) {
663 gnutls_assert();
664 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
665 }
666 DECR_LEN(len, session_id_len);
667 session_id = &data[pos];
668 pos += session_id_len;
669
670 if (IS_DTLS(session)) {
671 int cookie_size;
672
673 DECR_LEN(len, 1);
674 cookie_size = data[pos++];
675 DECR_LEN(len, cookie_size);
676 pos += cookie_size;
677 }
678
679 /* move forward to extensions and store other vals */
680 DECR_LEN(len, 2);
681 suite_size = _gnutls_read_uint16(&data[pos]);
682 pos += 2;
683
684 if (suite_size == 0 || (suite_size % 2) != 0)
685 return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
686
687 suite_ptr = &data[pos];
688 DECR_LEN(len, suite_size);
689 pos += suite_size;
690
691 DECR_LEN(len, 1);
692 comp_size = data[pos++]; /* the number of compression methods */
693
694 if (comp_size == 0)
695 return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
696
697 comp_ptr = &data[pos];
698 DECR_LEN(len, comp_size);
699 pos += comp_size;
700
701 ext_ptr = &data[pos];
702 ext_size = len;
703
704 /* Parse only the mandatory to read extensions for resumption
705 * and version negotiation. We don't want to parse any other
706 * extensions since we don't want new extension values to override
707 * the resumed ones. */
708 ret =
709 _gnutls_parse_hello_extensions(session, GNUTLS_EXT_FLAG_CLIENT_HELLO,
710 GNUTLS_EXT_VERSION_NEG,
711 ext_ptr, ext_size);
712 if (ret < 0)
713 return gnutls_assert_val(ret);
714
715 ret =
716 _gnutls_parse_hello_extensions(session, GNUTLS_EXT_FLAG_CLIENT_HELLO,
717 GNUTLS_EXT_MANDATORY,
718 ext_ptr, ext_size);
719 if (ret < 0)
720 return gnutls_assert_val(ret);
721
722 vers = get_version(session);
723 if (unlikely(vers == NULL))
724 return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
725
726 if (!vers->tls13_sem) {
727 ret =
728 _gnutls_server_restore_session(session, session_id,
729 session_id_len);
730
731 if (session_id_len > 0)
732 session->internals.resumption_requested = 1;
733
734 if (ret == 0) { /* resumed using default TLS resumption! */
735 ret = _gnutls_server_select_suite(session, suite_ptr, suite_size, 1);
736 if (ret < 0)
737 return gnutls_assert_val(ret);
738
739 ret = tls12_resume_copy_required_vals(session, 0);
740 if (ret < 0)
741 return gnutls_assert_val(ret);
742
743 session->internals.resumed = RESUME_TRUE;
744
745 return _gnutls_user_hello_func(session, major, minor);
746 } else {
747 ret = _gnutls_generate_session_id(session->security_parameters.
748 session_id,
749 &session->security_parameters.
750 session_id_size);
751 if (ret < 0)
752 return gnutls_assert_val(ret);
753
754 session->internals.resumed = RESUME_FALSE;
755 }
756 } else { /* TLS1.3 */
757 /* we echo client's session ID - length was checked previously */
758 assert(session_id_len <= GNUTLS_MAX_SESSION_ID_SIZE);
759 if (session_id_len > 0)
760 memcpy(session->security_parameters.session_id, session_id, session_id_len);
761 session->security_parameters.session_id_size = session_id_len;
762 }
763
764 /* Parse the extensions (if any)
765 *
766 * Unconditionally try to parse extensions; safe renegotiation uses them in
767 * sslv3 and higher, even though sslv3 doesn't officially support them.
768 */
769 ret = _gnutls_parse_hello_extensions(session, GNUTLS_EXT_FLAG_CLIENT_HELLO,
770 GNUTLS_EXT_APPLICATION,
771 ext_ptr, ext_size);
772 /* len is the rest of the parsed length */
773 if (ret < 0) {
774 gnutls_assert();
775 return ret;
776 }
777
778 /* we cache this error code */
779 sret = _gnutls_user_hello_func(session, major, minor);
780 if (sret < 0 && sret != GNUTLS_E_INT_RET_0) {
781 gnutls_assert();
782 return sret;
783 }
784
785 /* Session tickets are parsed in this point */
786 ret =
787 _gnutls_parse_hello_extensions(session, GNUTLS_EXT_FLAG_CLIENT_HELLO,
788 GNUTLS_EXT_TLS, ext_ptr, ext_size);
789 if (ret < 0) {
790 gnutls_assert();
791 return ret;
792 }
793
794 /* resumed by session_ticket extension */
795 if (!vers->tls13_sem && session->internals.resumed != RESUME_FALSE) {
796 session->internals.resumed_security_parameters.
797 max_record_recv_size =
798 session->security_parameters.max_record_recv_size;
799 session->internals.resumed_security_parameters.
800 max_record_send_size =
801 session->security_parameters.max_record_send_size;
802
803 ret = _gnutls_server_select_suite(session, suite_ptr, suite_size, 1);
804 if (ret < 0)
805 return gnutls_assert_val(ret);
806
807 ret = tls12_resume_copy_required_vals(session, 1);
808 if (ret < 0)
809 return gnutls_assert_val(ret);
810
811 /* to indicate to the client that the current session is resumed */
812 memcpy(session->security_parameters.session_id, session_id, session_id_len);
813 session->security_parameters.session_id_size = session_id_len;
814
815 return 0;
816 }
817
818 /* select an appropriate cipher suite (as well as certificate)
819 */
820 ret = _gnutls_server_select_suite(session, suite_ptr, suite_size, 0);
821 if (ret < 0) {
822 gnutls_assert();
823 return ret;
824 }
825
826 /* Only at this point we know the version we are actually going to use
827 * ("supported_versions" extension is parsed, user_hello_func is called,
828 * legacy version negotiation is done). */
829 vers = get_version(session);
830 if (unlikely(vers == NULL))
831 return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
832
833 if (_gnutls_version_priority(session, vers->id) < 0)
834 return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
835
836 _gnutls_handshake_log("HSK[%p]: Selected version %s\n", session, vers->name);
837
838 /* select appropriate compression method */
839 ret =
840 check_if_null_comp_present(session, comp_ptr,
841 comp_size);
842 if (ret < 0) {
843 gnutls_assert();
844 return ret;
845 }
846
847 /* call extensions that are intended to be parsed after the ciphersuite/cert
848 * are known. */
849 ret =
850 _gnutls_parse_hello_extensions(session, GNUTLS_EXT_FLAG_CLIENT_HELLO,
851 _GNUTLS_EXT_TLS_POST_CS, ext_ptr, ext_size);
852 if (ret < 0) {
853 gnutls_assert();
854 return ret;
855 }
856
857 /* Calculate TLS 1.3 Early Secret */
858 if (session->security_parameters.pversion->tls13_sem &&
859 !(session->internals.hsk_flags & HSK_PSK_SELECTED)) {
860 ret = _tls13_init_secret(session, NULL, 0);
861 if (ret < 0)
862 return gnutls_assert_val(ret);
863 }
864
865 ret = set_auth_types(session);
866 if (ret < 0) {
867 gnutls_assert();
868 return ret;
869 }
870
871 return sret;
872 }
873
874 /* This is to be called after sending CHANGE CIPHER SPEC packet
875 * and initializing encryption. This is the first encrypted message
876 * we send.
877 */
_gnutls_send_finished(gnutls_session_t session,int again)878 int _gnutls_send_finished(gnutls_session_t session, int again)
879 {
880 mbuffer_st *bufel;
881 uint8_t *data;
882 int ret;
883 size_t vdata_size = 0;
884 const version_entry_st *vers;
885
886 if (again == 0) {
887 bufel =
888 _gnutls_handshake_alloc(session,
889 MAX_VERIFY_DATA_SIZE);
890 if (bufel == NULL) {
891 gnutls_assert();
892 return GNUTLS_E_MEMORY_ERROR;
893 }
894 data = _mbuffer_get_udata_ptr(bufel);
895
896 vers = get_version(session);
897 if (unlikely(vers == NULL))
898 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
899
900 #ifdef ENABLE_SSL3
901 if (vers->id == GNUTLS_SSL3) {
902 ret =
903 _gnutls_ssl3_finished(session,
904 session->
905 security_parameters.
906 entity, data, 1);
907 _mbuffer_set_udata_size(bufel, 36);
908 } else { /* TLS 1.0+ */
909 #endif
910 ret = _gnutls_finished(session,
911 session->
912 security_parameters.entity,
913 data, 1);
914 _mbuffer_set_udata_size(bufel, 12);
915 #ifdef ENABLE_SSL3
916 }
917 #endif
918
919 if (ret < 0) {
920 gnutls_assert();
921 return ret;
922 }
923
924 vdata_size = _mbuffer_get_udata_size(bufel);
925
926 ret =
927 _gnutls_ext_sr_finished(session, data, vdata_size, 0);
928 if (ret < 0) {
929 gnutls_assert();
930 return ret;
931 }
932
933 if ((session->internals.resumed == RESUME_FALSE
934 && session->security_parameters.entity ==
935 GNUTLS_CLIENT)
936 || (session->internals.resumed != RESUME_FALSE
937 && session->security_parameters.entity ==
938 GNUTLS_SERVER)) {
939 /* if we are a client not resuming - or we are a server resuming */
940 _gnutls_handshake_log
941 ("HSK[%p]: recording tls-unique CB (send)\n",
942 session);
943 memcpy(session->internals.cb_tls_unique, data,
944 vdata_size);
945 session->internals.cb_tls_unique_len = vdata_size;
946 }
947
948 ret =
949 _gnutls_send_handshake(session, bufel,
950 GNUTLS_HANDSHAKE_FINISHED);
951 } else {
952 ret =
953 _gnutls_send_handshake(session, NULL,
954 GNUTLS_HANDSHAKE_FINISHED);
955 }
956
957 return ret;
958 }
959
960 /* This is to be called after sending our finished message. If everything
961 * went fine we have negotiated a secure connection
962 */
_gnutls_recv_finished(gnutls_session_t session)963 int _gnutls_recv_finished(gnutls_session_t session)
964 {
965 uint8_t data[MAX_VERIFY_DATA_SIZE], *vrfy;
966 gnutls_buffer_st buf;
967 int data_size;
968 int ret;
969 int vrfy_size;
970 const version_entry_st *vers = get_version(session);
971
972 if (unlikely(vers == NULL))
973 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
974
975 ret =
976 _gnutls_recv_handshake(session, GNUTLS_HANDSHAKE_FINISHED,
977 0, &buf);
978 if (ret < 0) {
979 gnutls_assert();
980 return ret;
981 }
982
983 vrfy = buf.data;
984 vrfy_size = buf.length;
985
986 #ifdef ENABLE_SSL3
987 if (vers->id == GNUTLS_SSL3)
988 data_size = 36;
989 else
990 #endif
991 data_size = 12;
992
993 if (vrfy_size != data_size) {
994 gnutls_assert();
995 ret = GNUTLS_E_ERROR_IN_FINISHED_PACKET;
996 goto cleanup;
997 }
998
999 #ifdef ENABLE_SSL3
1000 if (vers->id == GNUTLS_SSL3) {
1001 ret =
1002 _gnutls_ssl3_finished(session,
1003 (session->security_parameters.
1004 entity + 1) % 2, data, 0);
1005 } else /* TLS 1.0+ */
1006 #endif
1007 ret =
1008 _gnutls_finished(session,
1009 (session->security_parameters.entity +
1010 1) % 2, data, 0);
1011
1012 if (ret < 0) {
1013 gnutls_assert();
1014 goto cleanup;
1015 }
1016
1017 #if defined(FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION)
1018 /* When fuzzying allow to proceed without verifying the handshake
1019 * consistency */
1020 (void) vrfy;
1021 # warning This is unsafe for production builds
1022
1023 #else
1024 if (memcmp(vrfy, data, data_size) != 0) {
1025 gnutls_assert();
1026 ret = GNUTLS_E_ERROR_IN_FINISHED_PACKET;
1027 goto cleanup;
1028 }
1029 #endif
1030
1031 ret = _gnutls_ext_sr_finished(session, data, data_size, 1);
1032 if (ret < 0) {
1033 gnutls_assert();
1034 goto cleanup;
1035 }
1036
1037 if ((session->internals.resumed != RESUME_FALSE
1038 && session->security_parameters.entity == GNUTLS_CLIENT)
1039 || (session->internals.resumed == RESUME_FALSE
1040 && session->security_parameters.entity == GNUTLS_SERVER)) {
1041 /* if we are a client resuming - or we are a server not resuming */
1042 _gnutls_handshake_log
1043 ("HSK[%p]: recording tls-unique CB (recv)\n", session);
1044 memcpy(session->internals.cb_tls_unique, data, data_size);
1045 session->internals.cb_tls_unique_len = data_size;
1046 }
1047
1048
1049 cleanup:
1050 _gnutls_buffer_clear(&buf);
1051
1052 return ret;
1053 }
1054
1055 /* This selects the best supported ciphersuite from the given ones. Then
1056 * it adds the suite to the session and performs some checks.
1057 *
1058 * When @scsv_only is non-zero only the available SCSVs are parsed
1059 * and acted upon.
1060 */
1061 int
_gnutls_server_select_suite(gnutls_session_t session,uint8_t * data,unsigned int datalen,unsigned scsv_only)1062 _gnutls_server_select_suite(gnutls_session_t session, uint8_t * data,
1063 unsigned int datalen, unsigned scsv_only)
1064 {
1065 int ret;
1066 unsigned int i;
1067 ciphersuite_list_st peer_clist;
1068 const gnutls_cipher_suite_entry_st *selected;
1069 gnutls_kx_algorithm_t kx;
1070 int retval;
1071 const version_entry_st *vers = get_version(session);
1072
1073 peer_clist.size = 0;
1074
1075 for (i = 0; i < datalen; i += 2) {
1076 /* we support the TLS renegotiation SCSV, even if we are
1077 * not under SSL 3.0, because openssl sends this SCSV
1078 * on resumption unconditionally. */
1079 /* TLS_RENEGO_PROTECTION_REQUEST = { 0x00, 0xff } */
1080 if (session->internals.priorities->sr != SR_DISABLED &&
1081 data[i] == GNUTLS_RENEGO_PROTECTION_REQUEST_MAJOR &&
1082 data[i + 1] == GNUTLS_RENEGO_PROTECTION_REQUEST_MINOR) {
1083 _gnutls_handshake_log
1084 ("HSK[%p]: Received safe renegotiation CS\n",
1085 session);
1086 retval = _gnutls_ext_sr_recv_cs(session);
1087 if (retval < 0) {
1088 gnutls_assert();
1089 return retval;
1090 }
1091 }
1092
1093 /* TLS_FALLBACK_SCSV */
1094 if (data[i] == GNUTLS_FALLBACK_SCSV_MAJOR &&
1095 data[i + 1] == GNUTLS_FALLBACK_SCSV_MINOR) {
1096 const version_entry_st *max = _gnutls_version_max(session);
1097
1098 _gnutls_handshake_log
1099 ("HSK[%p]: Received fallback CS\n",
1100 session);
1101
1102 if (vers != max)
1103 return gnutls_assert_val(GNUTLS_E_INAPPROPRIATE_FALLBACK);
1104 } else if (!scsv_only) {
1105 if (peer_clist.size < MAX_CIPHERSUITE_SIZE) {
1106 peer_clist.entry[peer_clist.size] = ciphersuite_to_entry(&data[i]);
1107 if (peer_clist.entry[peer_clist.size] != NULL)
1108 peer_clist.size++;
1109 }
1110 }
1111 }
1112
1113 if (scsv_only)
1114 return 0;
1115
1116 ret = _gnutls_figure_common_ciphersuite(session, &peer_clist, &selected);
1117 if (ret < 0) {
1118 return gnutls_assert_val(ret);
1119 }
1120
1121 _gnutls_handshake_log
1122 ("HSK[%p]: Selected cipher suite: %s\n", session, selected->name);
1123
1124 ret = _gnutls_set_cipher_suite2(session, selected);
1125 if (ret < 0) {
1126 gnutls_assert();
1127 return ret;
1128 }
1129
1130 if (!vers->tls13_sem) {
1131 /* check if the credentials (username, public key etc.) are ok
1132 */
1133 kx = selected->kx_algorithm;
1134 if (_gnutls_get_kx_cred(session, kx) == NULL) {
1135 gnutls_assert();
1136 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
1137 }
1138
1139 /* set the mod_auth_st to the appropriate struct
1140 * according to the KX algorithm. This is needed since all the
1141 * handshake functions are read from there;
1142 */
1143 session->internals.auth_struct = _gnutls_kx_auth_struct(kx);
1144 if (session->internals.auth_struct == NULL) {
1145 _gnutls_handshake_log
1146 ("HSK[%p]: Cannot find the appropriate handler for the KX algorithm\n",
1147 session);
1148 gnutls_assert();
1149 return GNUTLS_E_INTERNAL_ERROR;
1150 }
1151 }
1152
1153 return 0;
1154
1155 }
1156
1157
1158 /* This checks whether the null compression method is present.
1159 */
1160 static int
check_if_null_comp_present(gnutls_session_t session,uint8_t * data,int datalen)1161 check_if_null_comp_present(gnutls_session_t session,
1162 uint8_t * data, int datalen)
1163 {
1164 int j;
1165
1166 for (j = 0; j < datalen; j++) {
1167 if (data[j] == 0)
1168 return 0;
1169 }
1170
1171 /* we were not able to find a the NULL compression
1172 * algorithm
1173 */
1174 gnutls_assert();
1175 return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM;
1176
1177 }
1178
1179 /* This function sends an empty handshake packet. (like hello request).
1180 * If the previous _gnutls_send_empty_handshake() returned
1181 * GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED, then it must be called again
1182 * (until it returns ok), with NULL parameters.
1183 */
1184 static int
_gnutls_send_empty_handshake(gnutls_session_t session,gnutls_handshake_description_t type,int again)1185 _gnutls_send_empty_handshake(gnutls_session_t session,
1186 gnutls_handshake_description_t type,
1187 int again)
1188 {
1189 mbuffer_st *bufel;
1190
1191 if (again == 0) {
1192 bufel = _gnutls_handshake_alloc(session, 0);
1193 if (bufel == NULL) {
1194 gnutls_assert();
1195 return GNUTLS_E_MEMORY_ERROR;
1196 }
1197 } else
1198 bufel = NULL;
1199
1200 return _gnutls_send_handshake(session, bufel, type);
1201 }
1202
_gnutls_call_hook_func(gnutls_session_t session,gnutls_handshake_description_t type,int post,unsigned incoming,const uint8_t * data,unsigned data_size)1203 int _gnutls_call_hook_func(gnutls_session_t session,
1204 gnutls_handshake_description_t type,
1205 int post, unsigned incoming,
1206 const uint8_t *data, unsigned data_size)
1207 {
1208 gnutls_datum_t msg = {(void*)data, data_size};
1209
1210 if (session->internals.h_hook != NULL) {
1211 if ((session->internals.h_type == type
1212 || session->internals.h_type == GNUTLS_HANDSHAKE_ANY)
1213 && (session->internals.h_post == post
1214 || session->internals.h_post == GNUTLS_HOOK_BOTH)) {
1215
1216 /* internal API for testing: when we are expected to
1217 * wait for GNUTLS_HANDSHAKE_CHANGE_CIPHER_SPEC, we
1218 * do so, but not when doing for all messages. The
1219 * reason is that change cipher specs are not handshake
1220 * messages, and we don't support waiting for them
1221 * consistently (only sending is tracked, not receiving).
1222 */
1223 if (type == GNUTLS_HANDSHAKE_CHANGE_CIPHER_SPEC &&
1224 session->internals.h_type != GNUTLS_HANDSHAKE_CHANGE_CIPHER_SPEC)
1225 return 0;
1226
1227 return session->internals.h_hook(session, type,
1228 post, incoming, &msg);
1229 }
1230 }
1231 return 0;
1232 }
1233
1234 /* Note that the "New session ticket" handshake packet behaves differently under
1235 * TLS 1.2 or 1.3. In 1.2 it is included in the handshake process, while in 1.3
1236 * it is sent asynchronously */
1237 #define IS_ASYNC(t, v) \
1238 (t == GNUTLS_HANDSHAKE_HELLO_REQUEST || t == GNUTLS_HANDSHAKE_KEY_UPDATE || \
1239 (t == GNUTLS_HANDSHAKE_NEW_SESSION_TICKET && v->tls13_sem))
1240
1241 int
_gnutls_send_handshake(gnutls_session_t session,mbuffer_st * bufel,gnutls_handshake_description_t type)1242 _gnutls_send_handshake(gnutls_session_t session, mbuffer_st * bufel,
1243 gnutls_handshake_description_t type)
1244 {
1245 return _gnutls_send_handshake2(session, bufel, type, 0);
1246 }
1247
1248 /* This function sends a handshake message of type 'type' containing the
1249 * data specified here. If the previous _gnutls_send_handshake() returned
1250 * GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED, then it must be called again
1251 * (until it returns ok), with NULL parameters.
1252 */
1253 int
_gnutls_send_handshake2(gnutls_session_t session,mbuffer_st * bufel,gnutls_handshake_description_t type,unsigned queue_only)1254 _gnutls_send_handshake2(gnutls_session_t session, mbuffer_st * bufel,
1255 gnutls_handshake_description_t type, unsigned queue_only)
1256 {
1257 int ret;
1258 uint8_t *data;
1259 uint32_t datasize, i_datasize;
1260 int pos = 0;
1261 const version_entry_st *vers = get_version(session);
1262
1263 if (bufel == NULL) {
1264 /* we are resuming a previously interrupted
1265 * send.
1266 */
1267 ret = _gnutls_handshake_io_write_flush(session);
1268 return ret;
1269
1270 }
1271
1272 /* first run */
1273 data = _mbuffer_get_uhead_ptr(bufel);
1274 i_datasize = _mbuffer_get_udata_size(bufel);
1275 datasize = i_datasize + _mbuffer_get_uhead_size(bufel);
1276
1277 data[pos++] = (uint8_t) REAL_HSK_TYPE(type);
1278 _gnutls_write_uint24(_mbuffer_get_udata_size(bufel), &data[pos]);
1279 pos += 3;
1280
1281 /* Add DTLS handshake fragment headers. The message will be
1282 * fragmented later by the fragmentation sub-layer. All fields must
1283 * be set properly for HMAC. The HMAC requires we pretend that the
1284 * message was sent in a single fragment. */
1285 if (IS_DTLS(session)) {
1286 _gnutls_write_uint16(session->internals.dtls.
1287 hsk_write_seq++, &data[pos]);
1288 pos += 2;
1289
1290 /* Fragment offset */
1291 _gnutls_write_uint24(0, &data[pos]);
1292 pos += 3;
1293
1294 /* Fragment length */
1295 _gnutls_write_uint24(i_datasize, &data[pos]);
1296 /* pos += 3; */
1297 }
1298
1299 _gnutls_handshake_log("HSK[%p]: %s was queued [%ld bytes]\n",
1300 session, _gnutls_handshake2str(type),
1301 (long) datasize);
1302
1303 /* Here we keep the handshake messages in order to hash them...
1304 */
1305 if (!IS_ASYNC(type, vers)) {
1306 if ((ret =
1307 handshake_hash_add_sent(session, type, data,
1308 datasize)) < 0) {
1309 gnutls_assert();
1310 _mbuffer_xfree(&bufel);
1311 return ret;
1312 }
1313 /* If we are sending a PSK, generate early secrets here.
1314 * This cannot be done in pre_shared_key.c, because it
1315 * relies on transcript hash of a Client Hello. */
1316 if (type == GNUTLS_HANDSHAKE_CLIENT_HELLO &&
1317 session->key.binders[0].prf != NULL) {
1318 ret = _gnutls_generate_early_secrets_for_psk(session);
1319 if (ret < 0) {
1320 gnutls_assert();
1321 _mbuffer_xfree(&bufel);
1322 return ret;
1323 }
1324 }
1325 }
1326
1327 ret = _gnutls_call_hook_func(session, type, GNUTLS_HOOK_PRE, 0,
1328 _mbuffer_get_udata_ptr(bufel), _mbuffer_get_udata_size(bufel));
1329 if (ret < 0) {
1330 gnutls_assert();
1331 _mbuffer_xfree(&bufel);
1332 return ret;
1333 }
1334
1335 session->internals.last_handshake_out = type;
1336
1337 ret = _gnutls_handshake_io_cache_int(session, type, bufel);
1338 if (ret < 0) {
1339 _mbuffer_xfree(&bufel);
1340 gnutls_assert();
1341 return ret;
1342 }
1343
1344 ret = _gnutls_call_hook_func(session, type, GNUTLS_HOOK_POST, 0,
1345 _mbuffer_get_udata_ptr(bufel), _mbuffer_get_udata_size(bufel));
1346 if (ret < 0) {
1347 gnutls_assert();
1348 return ret;
1349 }
1350
1351 if (queue_only)
1352 return 0;
1353
1354 /* Decide when to cache and when to send */
1355 if (vers && vers->tls13_sem) {
1356
1357 if (session->internals.initial_negotiation_completed) {
1358 /* we are under TLS1.3 in a re-authentication phase.
1359 * we don't attempt to cache any messages */
1360 goto force_send;
1361 }
1362
1363 /* The messages which are followed by another are not sent by default
1364 * but are cached instead */
1365 switch (type) {
1366 case GNUTLS_HANDSHAKE_SERVER_HELLO: /* always followed by something */
1367 case GNUTLS_HANDSHAKE_ENCRYPTED_EXTENSIONS: /* followed by finished or cert */
1368 case GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST: /* followed by certificate */
1369 case GNUTLS_HANDSHAKE_CERTIFICATE_PKT: /* this one is followed by cert verify */
1370 case GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY: /* followed by finished */
1371 ret = 0; /* cache */
1372 break;
1373 default:
1374 /* send this and any cached messages */
1375 goto force_send;
1376 }
1377 } else {
1378 /* The messages which are followed by another are not sent by default
1379 * but are cached instead */
1380 switch (type) {
1381 case GNUTLS_HANDSHAKE_CERTIFICATE_PKT: /* this one is followed by ServerHelloDone
1382 * or ClientKeyExchange always.
1383 */
1384 case GNUTLS_HANDSHAKE_CERTIFICATE_STATUS:
1385 case GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE: /* as above */
1386 case GNUTLS_HANDSHAKE_SERVER_HELLO: /* as above */
1387 case GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST: /* as above */
1388 case GNUTLS_HANDSHAKE_NEW_SESSION_TICKET: /* followed by ChangeCipherSpec */
1389
1390 /* now for client Certificate, ClientKeyExchange and
1391 * CertificateVerify are always followed by ChangeCipherSpec
1392 */
1393 case GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY:
1394 case GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE:
1395 ret = 0;
1396 break;
1397 default:
1398 /* send this and any cached messages */
1399 goto force_send;
1400 }
1401 }
1402
1403 return ret;
1404
1405 force_send:
1406 return _gnutls_handshake_io_write_flush(session);
1407 }
1408
1409 #define CHECK_SIZE(ll) \
1410 if ((session->internals.max_handshake_data_buffer_size > 0) && \
1411 (((ll) + session->internals.handshake_hash_buffer.length) > \
1412 session->internals.max_handshake_data_buffer_size)) { \
1413 _gnutls_debug_log("Handshake buffer length is %u (max: %u)\n", (unsigned)((ll) + session->internals.handshake_hash_buffer.length), (unsigned)session->internals.max_handshake_data_buffer_size); \
1414 return gnutls_assert_val(GNUTLS_E_HANDSHAKE_TOO_LARGE); \
1415 }
1416
1417
1418 /* This function add the handshake headers and the
1419 * handshake data to the handshake hash buffers. Needed
1420 * for the finished messages calculations.
1421 */
1422 static int
handshake_hash_add_recvd(gnutls_session_t session,gnutls_handshake_description_t recv_type,uint8_t * header,uint16_t header_size,uint8_t * dataptr,uint32_t datalen)1423 handshake_hash_add_recvd(gnutls_session_t session,
1424 gnutls_handshake_description_t recv_type,
1425 uint8_t * header, uint16_t header_size,
1426 uint8_t * dataptr, uint32_t datalen)
1427 {
1428 int ret;
1429 const version_entry_st *vers = get_version(session);
1430
1431 if (unlikely(vers == NULL))
1432 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
1433
1434 if ((vers->id != GNUTLS_DTLS0_9 &&
1435 recv_type == GNUTLS_HANDSHAKE_HELLO_VERIFY_REQUEST) ||
1436 IS_ASYNC(recv_type, vers))
1437 return 0;
1438
1439 CHECK_SIZE(header_size + datalen);
1440
1441 session->internals.handshake_hash_buffer_prev_len =
1442 session->internals.handshake_hash_buffer.length;
1443
1444 if (vers->id != GNUTLS_DTLS0_9) {
1445 ret =
1446 _gnutls_buffer_append_data(&session->internals.
1447 handshake_hash_buffer,
1448 header, header_size);
1449 if (ret < 0)
1450 return gnutls_assert_val(ret);
1451 }
1452 if (datalen > 0) {
1453 ret =
1454 _gnutls_buffer_append_data(&session->internals.
1455 handshake_hash_buffer,
1456 dataptr, datalen);
1457 if (ret < 0)
1458 return gnutls_assert_val(ret);
1459 }
1460
1461 /* save the size until client KX. That is because the TLS
1462 * session hash is calculated up to this message.
1463 */
1464 if (recv_type == GNUTLS_HANDSHAKE_CLIENT_HELLO)
1465 session->internals.handshake_hash_buffer_client_hello_len =
1466 session->internals.handshake_hash_buffer.length;
1467 if (recv_type == GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE)
1468 session->internals.handshake_hash_buffer_client_kx_len =
1469 session->internals.handshake_hash_buffer.length;
1470 if (recv_type == GNUTLS_HANDSHAKE_FINISHED && session->security_parameters.entity == GNUTLS_CLIENT)
1471 session->internals.handshake_hash_buffer_server_finished_len =
1472 session->internals.handshake_hash_buffer.length;
1473 if (recv_type == GNUTLS_HANDSHAKE_FINISHED && session->security_parameters.entity == GNUTLS_SERVER)
1474 session->internals.handshake_hash_buffer_client_finished_len =
1475 session->internals.handshake_hash_buffer.length;
1476
1477 return 0;
1478 }
1479
1480 /* This function will store the handshake message we sent.
1481 */
1482 static int
handshake_hash_add_sent(gnutls_session_t session,gnutls_handshake_description_t type,uint8_t * dataptr,uint32_t datalen)1483 handshake_hash_add_sent(gnutls_session_t session,
1484 gnutls_handshake_description_t type,
1485 uint8_t * dataptr, uint32_t datalen)
1486 {
1487 int ret;
1488 const version_entry_st *vers = get_version(session);
1489
1490 if (unlikely(vers == NULL))
1491 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
1492
1493 if (IS_ASYNC(type, vers))
1494 return 0;
1495
1496 CHECK_SIZE(datalen);
1497
1498 if (vers->id == GNUTLS_DTLS0_9) {
1499 /* Old DTLS doesn't include the header in the MAC */
1500 if (datalen < 12) {
1501 gnutls_assert();
1502 return GNUTLS_E_INTERNAL_ERROR;
1503 }
1504 dataptr += 12;
1505 datalen -= 12;
1506
1507 if (datalen == 0)
1508 return 0;
1509 }
1510
1511 ret =
1512 _gnutls_buffer_append_data(&session->internals.
1513 handshake_hash_buffer,
1514 dataptr, datalen);
1515 if (ret < 0)
1516 return gnutls_assert_val(ret);
1517
1518 if (type == GNUTLS_HANDSHAKE_CLIENT_HELLO)
1519 session->internals.handshake_hash_buffer_client_hello_len =
1520 session->internals.handshake_hash_buffer.length;
1521 if (type == GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE)
1522 session->internals.handshake_hash_buffer_client_kx_len =
1523 session->internals.handshake_hash_buffer.length;
1524 if (type == GNUTLS_HANDSHAKE_FINISHED && session->security_parameters.entity == GNUTLS_SERVER)
1525 session->internals.handshake_hash_buffer_server_finished_len =
1526 session->internals.handshake_hash_buffer.length;
1527 if (type == GNUTLS_HANDSHAKE_FINISHED && session->security_parameters.entity == GNUTLS_CLIENT)
1528 session->internals.handshake_hash_buffer_client_finished_len =
1529 session->internals.handshake_hash_buffer.length;
1530
1531 return 0;
1532 }
1533
1534 /* This function will receive handshake messages of the given types,
1535 * and will pass the message to the right place in order to be processed.
1536 * E.g. for the SERVER_HELLO message (if it is expected), it will be
1537 * passed to _gnutls_recv_hello().
1538 */
1539 int
_gnutls_recv_handshake(gnutls_session_t session,gnutls_handshake_description_t type,unsigned int optional,gnutls_buffer_st * buf)1540 _gnutls_recv_handshake(gnutls_session_t session,
1541 gnutls_handshake_description_t type,
1542 unsigned int optional, gnutls_buffer_st * buf)
1543 {
1544 int ret, ret2;
1545 handshake_buffer_st hsk;
1546
1547 ret = _gnutls_handshake_io_recv_int(session, type, &hsk, optional);
1548 if (ret < 0) {
1549 if (optional != 0
1550 && ret == GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET) {
1551 if (buf)
1552 _gnutls_buffer_init(buf);
1553 return 0;
1554 }
1555
1556 return gnutls_assert_val_fatal(ret);
1557 }
1558 session->internals.last_handshake_in = hsk.htype;
1559
1560 ret = _gnutls_call_hook_func(session, hsk.htype, GNUTLS_HOOK_PRE, 1, hsk.data.data, hsk.data.length);
1561 if (ret < 0) {
1562 gnutls_assert();
1563 goto cleanup;
1564 }
1565
1566 ret = handshake_hash_add_recvd(session, hsk.rtype,
1567 hsk.header, hsk.header_size,
1568 hsk.data.data,
1569 hsk.data.length);
1570 if (ret < 0) {
1571 gnutls_assert();
1572 goto cleanup;
1573 }
1574
1575 switch (hsk.htype) {
1576 case GNUTLS_HANDSHAKE_CLIENT_HELLO_V2:
1577 case GNUTLS_HANDSHAKE_CLIENT_HELLO:
1578 if (!(IS_SERVER(session))) {
1579 ret = gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET);
1580 goto cleanup;
1581 }
1582
1583 #ifdef ENABLE_SSL2
1584 if (hsk.htype == GNUTLS_HANDSHAKE_CLIENT_HELLO_V2)
1585 ret =
1586 _gnutls_read_client_hello_v2(session,
1587 hsk.data.data,
1588 hsk.data.length);
1589 else
1590 #endif
1591 {
1592 /* Reference the full ClientHello in case an extension needs it */
1593 ret = _gnutls_ext_set_full_client_hello(session, &hsk);
1594 if (ret < 0)
1595 return gnutls_assert_val(ret);
1596
1597 ret = read_client_hello(session, hsk.data.data,
1598 hsk.data.length);
1599 }
1600
1601 if (ret < 0) {
1602 gnutls_assert();
1603 goto cleanup;
1604 }
1605
1606 break;
1607
1608 case GNUTLS_HANDSHAKE_SERVER_HELLO:
1609 if (IS_SERVER(session)) {
1610 ret = gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET);
1611 goto cleanup;
1612 }
1613
1614 ret = read_server_hello(session, hsk.data.data,
1615 hsk.data.length);
1616
1617 if (ret < 0) {
1618 gnutls_assert();
1619 goto cleanup;
1620 }
1621
1622 break;
1623 case GNUTLS_HANDSHAKE_HELLO_VERIFY_REQUEST:
1624 if (IS_SERVER(session)) {
1625 ret = gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET);
1626 goto cleanup;
1627 }
1628
1629 ret =
1630 recv_hello_verify_request(session,
1631 hsk.data.data,
1632 hsk.data.length);
1633 if (ret < 0) {
1634 gnutls_assert();
1635 goto cleanup;
1636 } else {
1637 /* Signal our caller we have received a verification cookie
1638 and ClientHello needs to be sent again. */
1639 ret = 1;
1640 }
1641
1642 break;
1643 case GNUTLS_HANDSHAKE_HELLO_RETRY_REQUEST: {
1644 /* hash buffer synth message is generated during hello retry parsing */
1645 gnutls_datum_t hrr = {hsk.data.data, hsk.data.length};
1646
1647 if (IS_SERVER(session)) {
1648 ret = gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET);
1649 goto cleanup;
1650 }
1651
1652 ret =
1653 _gnutls13_recv_hello_retry_request(session,
1654 &hsk.data);
1655 if (ret < 0) {
1656 gnutls_assert();
1657 goto cleanup;
1658 } else {
1659 /* during hello retry parsing, we reset handshake hash buffer,
1660 * re-add this message */
1661 ret = handshake_hash_add_recvd(session, hsk.htype,
1662 hsk.header, hsk.header_size,
1663 hrr.data,
1664 hrr.size);
1665 if (ret < 0) {
1666 gnutls_assert();
1667 goto cleanup;
1668 }
1669
1670 /* Signal our caller we have received a retry request
1671 and ClientHello needs to be sent again. */
1672 ret = 1;
1673 }
1674
1675 break;
1676 }
1677 case GNUTLS_HANDSHAKE_SERVER_HELLO_DONE:
1678 if (hsk.data.length == 0)
1679 ret = 0;
1680 else {
1681 gnutls_assert();
1682 ret = GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
1683 goto cleanup;
1684 }
1685 break;
1686 case GNUTLS_HANDSHAKE_CERTIFICATE_PKT:
1687 case GNUTLS_HANDSHAKE_CERTIFICATE_STATUS:
1688 case GNUTLS_HANDSHAKE_FINISHED:
1689 case GNUTLS_HANDSHAKE_ENCRYPTED_EXTENSIONS:
1690 case GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE:
1691 case GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE:
1692 case GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST:
1693 case GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY:
1694 case GNUTLS_HANDSHAKE_SUPPLEMENTAL:
1695 case GNUTLS_HANDSHAKE_NEW_SESSION_TICKET:
1696 case GNUTLS_HANDSHAKE_END_OF_EARLY_DATA:
1697 ret = hsk.data.length;
1698 break;
1699 default:
1700 gnutls_assert();
1701 /* we shouldn't actually arrive here in any case .
1702 * unexpected messages should be caught after _gnutls_handshake_io_recv_int()
1703 */
1704 ret = GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET;
1705 goto cleanup;
1706 }
1707
1708 ret2 = _gnutls_call_hook_func(session, hsk.htype, GNUTLS_HOOK_POST, 1, hsk.data.data, hsk.data.length);
1709 if (ret2 < 0) {
1710 ret = ret2;
1711 gnutls_assert();
1712 goto cleanup;
1713 }
1714
1715 if (buf) {
1716 *buf = hsk.data;
1717 return ret;
1718 }
1719
1720 cleanup:
1721 _gnutls_handshake_buffer_clear(&hsk);
1722 return ret;
1723 }
1724
1725 /* This function checks if the given cipher suite is supported, and sets it
1726 * to the session;
1727 */
1728 static int
set_client_ciphersuite(gnutls_session_t session,uint8_t suite[2])1729 set_client_ciphersuite(gnutls_session_t session, uint8_t suite[2])
1730 {
1731 unsigned j;
1732 int ret;
1733 const gnutls_cipher_suite_entry_st *selected = NULL;
1734 const version_entry_st *vers = get_version(session);
1735 gnutls_kx_algorithm_t kx;
1736
1737 for (j = 0; j < session->internals.priorities->cs.size; j++) {
1738 if (suite[0] == session->internals.priorities->cs.entry[j]->id[0] &&
1739 suite[1] == session->internals.priorities->cs.entry[j]->id[1]) {
1740 selected = session->internals.priorities->cs.entry[j];
1741 break;
1742 }
1743 }
1744
1745 if (!selected) {
1746 gnutls_assert();
1747 _gnutls_handshake_log
1748 ("HSK[%p]: unsupported cipher suite %.2X.%.2X was negotiated\n",
1749 session, (unsigned int) suite[0],
1750 (unsigned int) suite[1]);
1751 return GNUTLS_E_UNKNOWN_CIPHER_SUITE;
1752 }
1753
1754 ret = _gnutls_set_cipher_suite2(session, selected);
1755 if (ret < 0)
1756 return gnutls_assert_val(ret);
1757
1758 _gnutls_handshake_log("HSK[%p]: Selected cipher suite: %s\n",
1759 session,
1760 selected->name);
1761
1762 /* check if the credentials (username, public key etc.) are ok.
1763 * Actually checks if they exist.
1764 */
1765 if (!vers->tls13_sem) {
1766 kx = selected->kx_algorithm;
1767
1768 if (!session->internals.premaster_set &&
1769 _gnutls_get_kx_cred
1770 (session, kx) == NULL) {
1771 gnutls_assert();
1772 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
1773 }
1774
1775 /* set the mod_auth_st to the appropriate struct
1776 * according to the KX algorithm. This is needed since all the
1777 * handshake functions are read from there;
1778 */
1779 session->internals.auth_struct =
1780 _gnutls_kx_auth_struct(kx);
1781
1782 if (session->internals.auth_struct == NULL) {
1783 _gnutls_handshake_log
1784 ("HSK[%p]: Cannot find the appropriate handler for the KX algorithm\n",
1785 session);
1786 gnutls_assert();
1787 return GNUTLS_E_INTERNAL_ERROR;
1788 }
1789 } else {
1790 if (session->internals.hsk_flags & HSK_PSK_SELECTED) {
1791 if (session->key.binders[0].prf->id != selected->prf) {
1792 _gnutls_handshake_log
1793 ("HSK[%p]: PRF of ciphersuite differs with the PSK identity (cs: %s, id: %s)\n",
1794 session, selected->name, session->key.binders[0].prf->name);
1795 gnutls_assert();
1796 return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
1797 }
1798 }
1799 }
1800
1801 return 0;
1802 }
1803
1804 /* This function returns 0 if we are resuming a session or -1 otherwise.
1805 * This also sets the variables in the session. Used only while reading a server
1806 * hello. Only applicable to TLS1.2 or earlier.
1807 */
1808 static int
client_check_if_resuming(gnutls_session_t session,uint8_t * session_id,int session_id_len)1809 client_check_if_resuming(gnutls_session_t session,
1810 uint8_t * session_id, int session_id_len)
1811 {
1812 char buf[2 * GNUTLS_MAX_SESSION_ID_SIZE + 1];
1813 int ret;
1814
1815 _gnutls_handshake_log("HSK[%p]: SessionID length: %d\n", session,
1816 session_id_len);
1817 _gnutls_handshake_log("HSK[%p]: SessionID: %s\n", session,
1818 _gnutls_bin2hex(session_id, session_id_len,
1819 buf, sizeof(buf), NULL));
1820
1821 if ((session->internals.resumption_requested != 0 ||
1822 session->internals.premaster_set != 0) &&
1823 session_id_len > 0 &&
1824 session->internals.resumed_security_parameters.
1825 session_id_size == session_id_len
1826 && memcmp(session_id,
1827 session->internals.resumed_security_parameters.
1828 session_id, session_id_len) == 0) {
1829 /* resume session */
1830 memcpy(session->internals.resumed_security_parameters.
1831 server_random,
1832 session->security_parameters.server_random,
1833 GNUTLS_RANDOM_SIZE);
1834 memcpy(session->internals.resumed_security_parameters.
1835 client_random,
1836 session->security_parameters.client_random,
1837 GNUTLS_RANDOM_SIZE);
1838
1839 ret = _gnutls_set_cipher_suite2
1840 (session,
1841 session->internals.resumed_security_parameters.
1842 cs);
1843 if (ret < 0) {
1844 gnutls_assert();
1845 goto no_resume;
1846 }
1847
1848 session->internals.resumed = RESUME_TRUE; /* we are resuming */
1849
1850 return 0;
1851 } else {
1852 no_resume:
1853 /* keep the new session id */
1854 session->internals.resumed = RESUME_FALSE; /* we are not resuming */
1855 return -1;
1856 }
1857 }
1858
1859
1860 /* This function reads and parses the server hello handshake message.
1861 * This function also restores resumed parameters if we are resuming a
1862 * session.
1863 */
1864 static int
read_server_hello(gnutls_session_t session,uint8_t * data,int datalen)1865 read_server_hello(gnutls_session_t session,
1866 uint8_t * data, int datalen)
1867 {
1868 uint8_t session_id_len = 0;
1869 uint8_t *session_id;
1870 uint8_t *cs_pos, *comp_pos, *srandom_pos;
1871 uint8_t major, minor;
1872 int pos = 0;
1873 int ret;
1874 int len = datalen;
1875 unsigned ext_parse_flag = 0;
1876 const version_entry_st *vers, *saved_vers;
1877
1878 if (datalen < GNUTLS_RANDOM_SIZE+2) {
1879 gnutls_assert();
1880 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
1881 }
1882
1883 _gnutls_handshake_log("HSK[%p]: Server's version: %d.%d\n",
1884 session, data[pos], data[pos + 1]);
1885
1886 DECR_LEN(len, 2);
1887 major = data[pos];
1888 minor = data[pos+1];
1889
1890 saved_vers = get_version(session); /* will be non-null if HRR has been received */
1891
1892 vers = nversion_to_entry(major, minor);
1893 if (unlikely(vers == NULL))
1894 return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
1895
1896 if (vers->tls13_sem) /* that shouldn't have been negotiated here */
1897 return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
1898
1899 if (_gnutls_set_current_version(session, vers->id) < 0)
1900 return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
1901
1902 pos += 2;
1903
1904 DECR_LEN(len, GNUTLS_RANDOM_SIZE);
1905 srandom_pos = &data[pos];
1906 pos += GNUTLS_RANDOM_SIZE;
1907
1908 /* Read session ID
1909 */
1910 DECR_LEN(len, 1);
1911 session_id_len = data[pos++];
1912
1913 if (len < session_id_len || session_id_len > GNUTLS_MAX_SESSION_ID_SIZE) {
1914 gnutls_assert();
1915 return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
1916 }
1917 DECR_LEN(len, session_id_len);
1918 session_id = &data[pos];
1919 pos += session_id_len;
1920
1921 DECR_LEN(len, 2);
1922 cs_pos = &data[pos];
1923 pos += 2;
1924
1925 /* move to compression
1926 */
1927 DECR_LEN(len, 1);
1928 comp_pos = &data[pos];
1929 pos++;
1930
1931 /* parse extensions to figure version */
1932 ret =
1933 _gnutls_parse_hello_extensions(session, GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO|
1934 GNUTLS_EXT_FLAG_TLS13_SERVER_HELLO,
1935 GNUTLS_EXT_VERSION_NEG,
1936 &data[pos], len);
1937 if (ret < 0)
1938 return gnutls_assert_val(ret);
1939
1940 vers = get_version(session);
1941 if (unlikely(vers == NULL))
1942 return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
1943 if (vers->tls13_sem) {
1944 if (major != 0x03 || minor != 0x03)
1945 return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
1946 }
1947
1948 if (_gnutls_nversion_is_supported(session, vers->major, vers->minor) == 0)
1949 return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
1950
1951 /* set server random - done after final version is selected */
1952 ret = _gnutls_set_server_random(session, vers, srandom_pos);
1953 if (ret < 0)
1954 return gnutls_assert_val(ret);
1955
1956 /* reset keys and binders if we are not using TLS 1.3 */
1957 if (!vers->tls13_sem) {
1958 gnutls_memset(&session->key.proto.tls13, 0,
1959 sizeof(session->key.proto.tls13));
1960 reset_binders(session);
1961 }
1962
1963 /* check if we are resuming and set the appropriate
1964 * values;
1965 */
1966 if (!vers->tls13_sem &&
1967 client_check_if_resuming(session, session_id, session_id_len) == 0) {
1968 ret =
1969 _gnutls_parse_hello_extensions(session, GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO,
1970 GNUTLS_EXT_MANDATORY,
1971 &data[pos], len);
1972 if (ret < 0)
1973 return gnutls_assert_val(ret);
1974
1975 return 0;
1976 } else {
1977 session->security_parameters.session_id_size = session_id_len;
1978 if (session_id_len > 0)
1979 memcpy(session->security_parameters.session_id, session_id,
1980 session_id_len);
1981 }
1982
1983 /* Check if the given cipher suite is supported and copy
1984 * it to the session.
1985 */
1986 ret = set_client_ciphersuite(session, cs_pos);
1987 if (ret < 0) {
1988 gnutls_assert();
1989 return ret;
1990 }
1991
1992 if (session->internals.hsk_flags & HSK_HRR_RECEIVED) {
1993 /* check if ciphersuite matches */
1994 if (memcmp(cs_pos, session->internals.hrr_cs, 2) != 0)
1995 return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
1996
1997 /* check if HRR version matches this version */
1998 if (vers != saved_vers)
1999 return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
2000 }
2001
2002 if (*comp_pos != 0)
2003 return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
2004
2005 if (vers->tls13_sem)
2006 ext_parse_flag |= GNUTLS_EXT_FLAG_TLS13_SERVER_HELLO;
2007 else
2008 ext_parse_flag |= GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO;
2009
2010 /* Parse extensions in order.
2011 */
2012 ret =
2013 _gnutls_parse_hello_extensions(session,
2014 ext_parse_flag,
2015 GNUTLS_EXT_MANDATORY,
2016 &data[pos], len);
2017 if (ret < 0)
2018 return gnutls_assert_val(ret);
2019
2020 /* check if EtM is required */
2021 if (!vers->tls13_sem && session->internals.priorities->force_etm && !session->security_parameters.etm) {
2022 const cipher_entry_st *cipher = cipher_to_entry(session->security_parameters.cs->block_algorithm);
2023 if (_gnutls_cipher_type(cipher) == CIPHER_BLOCK)
2024 return gnutls_assert_val(GNUTLS_E_UNWANTED_ALGORITHM);
2025 }
2026
2027
2028 ret =
2029 _gnutls_parse_hello_extensions(session,
2030 ext_parse_flag,
2031 GNUTLS_EXT_APPLICATION,
2032 &data[pos], len);
2033 if (ret < 0)
2034 return gnutls_assert_val(ret);
2035
2036 ret =
2037 _gnutls_parse_hello_extensions(session,
2038 ext_parse_flag,
2039 GNUTLS_EXT_TLS,
2040 &data[pos], len);
2041 if (ret < 0)
2042 return gnutls_assert_val(ret);
2043
2044 ret =
2045 _gnutls_parse_hello_extensions(session,
2046 ext_parse_flag,
2047 _GNUTLS_EXT_TLS_POST_CS,
2048 &data[pos], len);
2049 if (ret < 0)
2050 return gnutls_assert_val(ret);
2051
2052 /* Calculate TLS 1.3 Early Secret */
2053 if (vers->tls13_sem &&
2054 !(session->internals.hsk_flags & HSK_PSK_SELECTED)) {
2055 ret = _tls13_init_secret(session, NULL, 0);
2056 if (ret < 0)
2057 return gnutls_assert_val(ret);
2058 }
2059
2060 ret = set_auth_types(session);
2061 if (ret < 0)
2062 return gnutls_assert_val(ret);
2063
2064 session->internals.hsk_flags |= HSK_SERVER_HELLO_RECEIVED;
2065
2066 return 0;
2067 }
2068
2069 /* This function copies the appropriate compression methods, to a locally allocated buffer
2070 * Needed in hello messages. Returns the new data length.
2071 */
2072 static int
append_null_comp(gnutls_session_t session,gnutls_buffer_st * cdata)2073 append_null_comp(gnutls_session_t session,
2074 gnutls_buffer_st * cdata)
2075 {
2076 uint8_t compression_methods[2] = {0x01, 0x00};
2077 size_t init_length = cdata->length;
2078 int ret;
2079
2080 ret =
2081 _gnutls_buffer_append_data(cdata, compression_methods, 2);
2082 if (ret < 0)
2083 return gnutls_assert_val(ret);
2084
2085 ret = cdata->length - init_length;
2086
2087 return ret;
2088 }
2089
2090 /* This function sends the client hello handshake message.
2091 */
send_client_hello(gnutls_session_t session,int again)2092 static int send_client_hello(gnutls_session_t session, int again)
2093 {
2094 mbuffer_st *bufel = NULL;
2095 int type;
2096 int ret = 0;
2097 const version_entry_st *hver, *min_ver, *max_ver;
2098 uint8_t tver[2];
2099 gnutls_buffer_st extdata;
2100 int rehandshake = 0;
2101 unsigned add_sr_scsv = 0;
2102 uint8_t session_id_len =
2103 session->internals.resumed_security_parameters.session_id_size;
2104
2105
2106 if (again == 0) {
2107 /* note that rehandshake is different than resuming
2108 */
2109 if (session->internals.initial_negotiation_completed)
2110 rehandshake = 1;
2111
2112 ret = _gnutls_buffer_init_handshake_mbuffer(&extdata);
2113 if (ret < 0)
2114 return gnutls_assert_val(ret);
2115
2116 /* if we are resuming a session then we set the
2117 * version number to the previously established.
2118 */
2119 if (session->internals.resumption_requested == 0 &&
2120 session->internals.premaster_set == 0) {
2121 if (rehandshake) /* already negotiated version thus version_max == negotiated version */
2122 hver = get_version(session);
2123 else /* new handshake. just get the max */
2124 hver = _gnutls_legacy_version_max(session);
2125 } else {
2126 /* we are resuming a session */
2127 hver =
2128 session->internals.resumed_security_parameters.
2129 pversion;
2130
2131 if (hver && hver->tls13_sem)
2132 hver = _gnutls_legacy_version_max(session);
2133 }
2134
2135 if (hver == NULL) {
2136 gnutls_assert();
2137 if (session->internals.flags & INT_FLAG_NO_TLS13)
2138 ret = GNUTLS_E_INSUFFICIENT_CREDENTIALS;
2139 else
2140 ret = GNUTLS_E_NO_PRIORITIES_WERE_SET;
2141 goto cleanup;
2142 }
2143
2144 if (unlikely(session->internals.default_hello_version[0] != 0)) {
2145 tver[0] = session->internals.default_hello_version[0];
2146 tver[1] = session->internals.default_hello_version[1];
2147 } else {
2148 tver[0] = hver->major;
2149 tver[1] = hver->minor;
2150 }
2151 ret = _gnutls_buffer_append_data(&extdata, tver, 2);
2152 if (ret < 0) {
2153 gnutls_assert();
2154 goto cleanup;
2155 }
2156 _gnutls_handshake_log("HSK[%p]: Adv. version: %u.%u\n", session,
2157 (unsigned)tver[0], (unsigned)tver[1]);
2158
2159 min_ver = _gnutls_version_lowest(session);
2160 max_ver = _gnutls_version_max(session);
2161 if (min_ver == NULL || max_ver == NULL) {
2162 gnutls_assert();
2163 ret = GNUTLS_E_NO_PRIORITIES_WERE_SET;
2164 goto cleanup;
2165 }
2166
2167 /* if we are replying to an HRR the version is already negotiated */
2168 if (!(session->internals.hsk_flags & HSK_HRR_RECEIVED) || !get_version(session)) {
2169 /* Set the version we advertized as maximum
2170 * (RSA uses it). */
2171 set_adv_version(session, hver->major, hver->minor);
2172 if (_gnutls_set_current_version(session, hver->id) < 0) {
2173 ret = gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
2174 goto cleanup;
2175 }
2176 }
2177
2178 if (session->internals.priorities->min_record_version != 0) {
2179 /* Advertise the lowest supported (SSL 3.0) record packet
2180 * version in record packets during the handshake.
2181 * That is to avoid confusing implementations
2182 * that do not support TLS 1.2 and don't know
2183 * how 3,3 version of record packets look like.
2184 */
2185 set_default_version(session, min_ver);
2186 } else {
2187 set_default_version(session, hver);
2188 }
2189
2190 /* In order to know when this session was initiated.
2191 */
2192 session->security_parameters.timestamp = gnutls_time(NULL);
2193
2194 /* Generate random data
2195 */
2196 if (!(session->internals.hsk_flags & HSK_HRR_RECEIVED) &&
2197 !(IS_DTLS(session) && session->internals.dtls.hsk_hello_verify_requests != 0)) {
2198 ret = _gnutls_gen_client_random(session);
2199 if (ret < 0) {
2200 gnutls_assert();
2201 goto cleanup;
2202 }
2203
2204 }
2205
2206 ret = _gnutls_buffer_append_data(&extdata,
2207 session->security_parameters.client_random,
2208 GNUTLS_RANDOM_SIZE);
2209 if (ret < 0) {
2210 gnutls_assert();
2211 goto cleanup;
2212 }
2213
2214 #ifdef TLS13_APPENDIX_D4
2215 if (max_ver->tls13_sem &&
2216 session->security_parameters.session_id_size == 0) {
2217
2218 /* Under TLS1.3 we generate a random session ID to make
2219 * the TLS1.3 session look like a resumed TLS1.2 session */
2220 ret = _gnutls_generate_session_id(session->security_parameters.
2221 session_id,
2222 &session->security_parameters.
2223 session_id_size);
2224 if (ret < 0) {
2225 gnutls_assert();
2226 goto cleanup;
2227 }
2228 }
2229 #endif
2230
2231 /* Copy the Session ID - if any
2232 */
2233 ret = _gnutls_buffer_append_data_prefix(&extdata, 8,
2234 session->internals.resumed_security_parameters.session_id,
2235 session_id_len);
2236 if (ret < 0) {
2237 gnutls_assert();
2238 goto cleanup;
2239 }
2240
2241 /* Copy the DTLS cookie
2242 */
2243 if (IS_DTLS(session)) {
2244 ret = _gnutls_buffer_append_data_prefix(&extdata, 8,
2245 session->internals.dtls.dcookie.data,
2246 session->internals.dtls.dcookie.size);
2247 if (ret < 0) {
2248 gnutls_assert();
2249 goto cleanup;
2250 }
2251 _gnutls_free_datum(&session->internals.dtls.dcookie);
2252 }
2253
2254 /* Copy the ciphersuites.
2255 */
2256 #ifdef ENABLE_SSL3
2257 /* If using SSLv3 Send TLS_RENEGO_PROTECTION_REQUEST SCSV for MITM
2258 * prevention on initial negotiation (but not renegotiation; that's
2259 * handled with the RI extension below).
2260 */
2261 if (!session->internals.initial_negotiation_completed &&
2262 session->security_parameters.entity == GNUTLS_CLIENT &&
2263 (hver->id == GNUTLS_SSL3 &&
2264 session->internals.priorities->no_extensions != 0)) {
2265 add_sr_scsv = 1;
2266 }
2267 #endif
2268 ret = _gnutls_get_client_ciphersuites(session, &extdata, min_ver, add_sr_scsv);
2269 if (ret < 0) {
2270 gnutls_assert();
2271 goto cleanup;
2272 }
2273
2274 /* Copy the compression methods.
2275 */
2276 ret = append_null_comp(session, &extdata);
2277 if (ret < 0) {
2278 gnutls_assert();
2279 goto cleanup;
2280 }
2281
2282 /* Generate and copy TLS extensions.
2283 */
2284 if (session->internals.priorities->no_extensions == 0) {
2285 if (_gnutls_version_has_extensions(hver)) {
2286 type = GNUTLS_EXT_ANY;
2287 } else {
2288 type = GNUTLS_EXT_MANDATORY;
2289 }
2290
2291 ret =
2292 _gnutls_gen_hello_extensions(session, &extdata,
2293 GNUTLS_EXT_FLAG_CLIENT_HELLO,
2294 type);
2295 if (ret < 0) {
2296 gnutls_assert();
2297 goto cleanup;
2298 }
2299 }
2300
2301 bufel = _gnutls_buffer_to_mbuffer(&extdata);
2302 }
2303
2304 ret = _gnutls_send_handshake(session, bufel,
2305 GNUTLS_HANDSHAKE_CLIENT_HELLO);
2306
2307 return ret;
2308
2309 cleanup:
2310 _gnutls_buffer_clear(&extdata);
2311 return ret;
2312 }
2313
_gnutls_send_server_hello(gnutls_session_t session,int again)2314 int _gnutls_send_server_hello(gnutls_session_t session, int again)
2315 {
2316 mbuffer_st *bufel = NULL;
2317 gnutls_buffer_st buf;
2318 int ret;
2319 uint8_t session_id_len =
2320 session->security_parameters.session_id_size;
2321 char tmpbuf[2 * GNUTLS_MAX_SESSION_ID_SIZE + 1];
2322 const version_entry_st *vers;
2323 uint8_t vbytes[2];
2324 unsigned extflag = 0;
2325 gnutls_ext_parse_type_t etype;
2326
2327 _gnutls_buffer_init(&buf);
2328
2329 if (again == 0) {
2330 vers = get_version(session);
2331 if (unlikely(vers == NULL || session->security_parameters.cs == NULL))
2332 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
2333
2334 if (vers->tls13_sem) {
2335 vbytes[0] = 0x03; /* TLS1.2 */
2336 vbytes[1] = 0x03;
2337 extflag |= GNUTLS_EXT_FLAG_TLS13_SERVER_HELLO;
2338 } else {
2339 vbytes[0] = vers->major;
2340 vbytes[1] = vers->minor;
2341 extflag |= GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO;
2342 }
2343
2344 ret = _gnutls_buffer_init_handshake_mbuffer(&buf);
2345 if (ret < 0) {
2346 gnutls_assert();
2347 goto fail;
2348 }
2349
2350 ret = _gnutls_buffer_append_data(&buf, vbytes, 2);
2351 if (ret < 0) {
2352 gnutls_assert();
2353 goto fail;
2354 }
2355
2356 ret = _gnutls_buffer_append_data(&buf,
2357 session->security_parameters.server_random,
2358 GNUTLS_RANDOM_SIZE);
2359 if (ret < 0) {
2360 gnutls_assert();
2361 goto fail;
2362 }
2363
2364 ret = _gnutls_buffer_append_data_prefix(&buf, 8,
2365 session->security_parameters.session_id,
2366 session_id_len);
2367 if (ret < 0) {
2368 gnutls_assert();
2369 goto fail;
2370 }
2371
2372 _gnutls_handshake_log("HSK[%p]: SessionID: %s\n", session,
2373 _gnutls_bin2hex(session->
2374 security_parameters.session_id,
2375 session_id_len, tmpbuf,
2376 sizeof(tmpbuf), NULL));
2377
2378 ret = _gnutls_buffer_append_data(&buf,
2379 session->security_parameters.cs->id,
2380 2);
2381 if (ret < 0) {
2382 gnutls_assert();
2383 goto fail;
2384 }
2385
2386 /* compression */
2387 ret = _gnutls_buffer_append_prefix(&buf, 8, 0);
2388 if (ret < 0) {
2389 gnutls_assert();
2390 goto fail;
2391 }
2392
2393 if (!vers->tls13_sem && session->internals.resumed != RESUME_FALSE)
2394 etype = GNUTLS_EXT_MANDATORY;
2395 else
2396 etype = GNUTLS_EXT_ANY;
2397 ret =
2398 _gnutls_gen_hello_extensions(session, &buf, extflag, etype);
2399 if (ret < 0) {
2400 gnutls_assert();
2401 goto fail;
2402 }
2403
2404 if (vers->tls13_sem) {
2405 /* Under TLS1.3, the session ID is used for different purposes than
2406 * the TLS1.0 session ID. Ensure that there is an internally set
2407 * value which the server will see on the original and resumed sessions */
2408 ret = _gnutls_generate_session_id(session->security_parameters.
2409 session_id,
2410 &session->security_parameters.
2411 session_id_size);
2412 if (ret < 0) {
2413 gnutls_assert();
2414 goto fail;
2415 }
2416 }
2417
2418 bufel = _gnutls_buffer_to_mbuffer(&buf);
2419 }
2420
2421 ret =
2422 _gnutls_send_handshake(session, bufel,
2423 GNUTLS_HANDSHAKE_SERVER_HELLO);
2424
2425 fail:
2426 _gnutls_buffer_clear(&buf);
2427 return ret;
2428 }
2429
2430 static int
recv_hello_verify_request(gnutls_session_t session,uint8_t * data,int datalen)2431 recv_hello_verify_request(gnutls_session_t session,
2432 uint8_t * data, int datalen)
2433 {
2434 ssize_t len = datalen;
2435 size_t pos = 0;
2436 uint8_t cookie_len;
2437 unsigned int nb_verifs;
2438 int ret;
2439
2440 if (!IS_DTLS(session)) {
2441 gnutls_assert();
2442 return GNUTLS_E_UNEXPECTED_PACKET;
2443 }
2444
2445 nb_verifs = ++session->internals.dtls.hsk_hello_verify_requests;
2446 if (nb_verifs >= MAX_HANDSHAKE_HELLO_VERIFY_REQUESTS) {
2447 /* The server is either buggy, malicious or changing cookie
2448 secrets _way_ too fast. */
2449 gnutls_assert();
2450 return GNUTLS_E_UNEXPECTED_PACKET;
2451 }
2452
2453 DECR_LEN(len, 2);
2454 pos += 2;
2455
2456 DECR_LEN(len, 1);
2457 cookie_len = data[pos];
2458 pos++;
2459
2460 if (cookie_len > DTLS_MAX_COOKIE_SIZE) {
2461 gnutls_assert();
2462 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
2463 }
2464
2465 DECR_LEN(len, cookie_len);
2466
2467 gnutls_free(session->internals.dtls.dcookie.data);
2468 ret = _gnutls_set_datum(&session->internals.dtls.dcookie, &data[pos], cookie_len);
2469 if (ret < 0)
2470 return gnutls_assert_val(ret);
2471
2472 if (len != 0) {
2473 gnutls_assert();
2474 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
2475 }
2476
2477 /* reset handshake hash buffers */
2478 handshake_hash_buffer_reset(session);
2479 /* reset extensions used in previous hello */
2480 session->internals.used_exts = 0;
2481
2482 return 0;
2483 }
2484
2485 /* The packets in gnutls_handshake (it's more broad than original TLS handshake)
2486 *
2487 * Client Server
2488 *
2489 * ClientHello -------->
2490 * <-------- ServerHello
2491 *
2492 * Certificate*
2493 * ServerKeyExchange*
2494 * <-------- CertificateRequest*
2495 *
2496 * <-------- ServerHelloDone
2497 * Certificate*
2498 * ClientKeyExchange
2499 * CertificateVerify*
2500 * [ChangeCipherSpec]
2501 * Finished -------->
2502 * NewSessionTicket
2503 * [ChangeCipherSpec]
2504 * <-------- Finished
2505 *
2506 * (*): means optional packet.
2507 */
2508
2509 /* Handshake when resumming session:
2510 * Client Server
2511 *
2512 * ClientHello -------->
2513 * ServerHello
2514 * [ChangeCipherSpec]
2515 * <-------- Finished
2516 * [ChangeCipherSpec]
2517 * Finished -------->
2518 *
2519 */
2520
2521 /**
2522 * gnutls_rehandshake:
2523 * @session: is a #gnutls_session_t type.
2524 *
2525 * This function can only be called in server side, and
2526 * instructs a TLS 1.2 or earlier client to renegotiate
2527 * parameters (perform a handshake), by sending a
2528 * hello request message.
2529 *
2530 * If this function succeeds, the calling application
2531 * should call gnutls_record_recv() until %GNUTLS_E_REHANDSHAKE
2532 * is returned to clear any pending data. If the %GNUTLS_E_REHANDSHAKE
2533 * error code is not seen, then the handshake request was
2534 * not followed by the peer (the TLS protocol does not require
2535 * the client to do, and such compliance should be handled
2536 * by the application protocol).
2537 *
2538 * Once the %GNUTLS_E_REHANDSHAKE error code is seen, the
2539 * calling application should proceed to calling
2540 * gnutls_handshake() to negotiate the new
2541 * parameters.
2542 *
2543 * If the client does not wish to renegotiate parameters he
2544 * may reply with an alert message, and in that case the return code seen
2545 * by subsequent gnutls_record_recv() will be
2546 * %GNUTLS_E_WARNING_ALERT_RECEIVED with the specific alert being
2547 * %GNUTLS_A_NO_RENEGOTIATION. A client may also choose to ignore
2548 * this request.
2549 *
2550 * Under TLS 1.3 this function is equivalent to gnutls_session_key_update()
2551 * with the %GNUTLS_KU_PEER flag. In that case subsequent calls to
2552 * gnutls_record_recv() will not return %GNUTLS_E_REHANDSHAKE, and
2553 * calls to gnutls_handshake() in server side are a no-op.
2554 *
2555 * This function always fails with %GNUTLS_E_INVALID_REQUEST when
2556 * called in client side.
2557 *
2558 * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
2559 **/
gnutls_rehandshake(gnutls_session_t session)2560 int gnutls_rehandshake(gnutls_session_t session)
2561 {
2562 int ret;
2563 const version_entry_st *vers = get_version(session);
2564
2565 /* only server sends that handshake packet */
2566 if (session->security_parameters.entity == GNUTLS_CLIENT)
2567 return GNUTLS_E_INVALID_REQUEST;
2568
2569 if (vers->tls13_sem) {
2570 return gnutls_session_key_update(session, GNUTLS_KU_PEER);
2571 }
2572
2573 _dtls_async_timer_delete(session);
2574
2575 ret =
2576 _gnutls_send_empty_handshake(session,
2577 GNUTLS_HANDSHAKE_HELLO_REQUEST,
2578 AGAIN(STATE50));
2579 STATE = STATE50;
2580
2581 if (ret < 0) {
2582 gnutls_assert();
2583 return ret;
2584 }
2585 STATE = STATE0;
2586
2587 return 0;
2588 }
2589
2590 /* This function checks whether the error code should be treated fatal
2591 * or not, and also does the necessary state transition. In
2592 * particular, in the case of a rehandshake abort it resets the
2593 * handshake's internal state.
2594 */
2595 inline static int
_gnutls_abort_handshake(gnutls_session_t session,int ret)2596 _gnutls_abort_handshake(gnutls_session_t session, int ret)
2597 {
2598 switch (ret) {
2599 case GNUTLS_E_WARNING_ALERT_RECEIVED:
2600 if (gnutls_alert_get(session) == GNUTLS_A_NO_RENEGOTIATION) {
2601 /* The server always toleretes a "no_renegotiation" alert. */
2602 if (session->security_parameters.entity == GNUTLS_SERVER) {
2603 STATE = STATE0;
2604 return ret;
2605 }
2606
2607 /* The client should tolerete a "no_renegotiation" alert only if:
2608 * - the initial handshake has completed, or
2609 * - a Server Hello is not yet received
2610 */
2611 if (session->internals.initial_negotiation_completed ||
2612 !(session->internals.hsk_flags & HSK_SERVER_HELLO_RECEIVED)) {
2613 STATE = STATE0;
2614 return ret;
2615 }
2616
2617 return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET);
2618 }
2619 return ret;
2620 case GNUTLS_E_GOT_APPLICATION_DATA:
2621 STATE = STATE0;
2622 return ret;
2623 default:
2624 return ret;
2625 }
2626 }
2627
2628
_gnutls_send_supplemental(gnutls_session_t session,int again)2629 static int _gnutls_send_supplemental(gnutls_session_t session, int again)
2630 {
2631 mbuffer_st *bufel = NULL;
2632 int ret = 0;
2633
2634 _gnutls_debug_log("EXT[%p]: Sending supplemental data\n", session);
2635
2636 if (!again) {
2637 gnutls_buffer_st buf;
2638 ret = _gnutls_buffer_init_handshake_mbuffer(&buf);
2639 if (ret < 0)
2640 return gnutls_assert_val(ret);
2641
2642 ret = _gnutls_gen_supplemental(session, &buf);
2643 if (ret < 0) {
2644 gnutls_assert();
2645 _gnutls_buffer_clear(&buf);
2646 return ret;
2647 }
2648
2649 bufel = _gnutls_buffer_to_mbuffer(&buf);
2650 }
2651
2652 return _gnutls_send_handshake(session, bufel,
2653 GNUTLS_HANDSHAKE_SUPPLEMENTAL);
2654 }
2655
_gnutls_recv_supplemental(gnutls_session_t session)2656 static int _gnutls_recv_supplemental(gnutls_session_t session)
2657 {
2658 gnutls_buffer_st buf;
2659 int ret;
2660
2661 _gnutls_debug_log("EXT[%p]: Expecting supplemental data\n",
2662 session);
2663
2664 ret =
2665 _gnutls_recv_handshake(session, GNUTLS_HANDSHAKE_SUPPLEMENTAL,
2666 1, &buf);
2667 if (ret < 0) {
2668 gnutls_assert();
2669 return ret;
2670 }
2671
2672 ret = _gnutls_parse_supplemental(session, buf.data, buf.length);
2673 if (ret < 0) {
2674 gnutls_assert();
2675 goto cleanup;
2676 }
2677
2678 cleanup:
2679 _gnutls_buffer_clear(&buf);
2680
2681 return ret;
2682 }
2683
2684 /**
2685 * gnutls_handshake:
2686 * @session: is a #gnutls_session_t type.
2687 *
2688 * This function performs the handshake of the TLS/SSL protocol, and
2689 * initializes the TLS session parameters.
2690 *
2691 * The non-fatal errors expected by this function are:
2692 * %GNUTLS_E_INTERRUPTED, %GNUTLS_E_AGAIN,
2693 * %GNUTLS_E_WARNING_ALERT_RECEIVED. When this function is called
2694 * for re-handshake under TLS 1.2 or earlier, the non-fatal error code
2695 * %GNUTLS_E_GOT_APPLICATION_DATA may also be returned.
2696 *
2697 * The former two interrupt the handshake procedure due to the transport
2698 * layer being interrupted, and the latter because of a "warning" alert that
2699 * was sent by the peer (it is always a good idea to check any
2700 * received alerts). On these non-fatal errors call this function again,
2701 * until it returns 0; cf. gnutls_record_get_direction() and
2702 * gnutls_error_is_fatal(). In DTLS sessions the non-fatal error
2703 * %GNUTLS_E_LARGE_PACKET is also possible, and indicates that
2704 * the MTU should be adjusted.
2705 *
2706 * When this function is called by a server after a rehandshake request
2707 * under TLS 1.2 or earlier the %GNUTLS_E_GOT_APPLICATION_DATA error code indicates
2708 * that some data were pending prior to peer initiating the handshake.
2709 * Under TLS 1.3 this function when called after a successful handshake, is a no-op
2710 * and always succeeds in server side; in client side this function is
2711 * equivalent to gnutls_session_key_update() with %GNUTLS_KU_PEER flag.
2712 *
2713 * This function handles both full and abbreviated TLS handshakes (resumption).
2714 * For abbreviated handshakes, in client side, the gnutls_session_set_data()
2715 * should be called prior to this function to set parameters from a previous session.
2716 * In server side, resumption is handled by either setting a DB back-end, or setting
2717 * up keys for session tickets.
2718 *
2719 * Returns: %GNUTLS_E_SUCCESS on a successful handshake, otherwise a negative error code.
2720 **/
gnutls_handshake(gnutls_session_t session)2721 int gnutls_handshake(gnutls_session_t session)
2722 {
2723 const version_entry_st *vers = get_version(session);
2724 int ret;
2725
2726 if (unlikely(session->internals.initial_negotiation_completed)) {
2727 if (vers->tls13_sem) {
2728 if (session->security_parameters.entity == GNUTLS_CLIENT) {
2729 return gnutls_session_key_update(session, GNUTLS_KU_PEER);
2730 } else {
2731 /* This is a no-op for a server under TLS 1.3, as
2732 * a server has already called gnutls_rehandshake()
2733 * which performed a key update.
2734 */
2735 return 0;
2736 }
2737 }
2738 }
2739
2740 if (STATE == STATE0) {
2741 unsigned int tmo_ms;
2742 struct timespec *end;
2743 struct timespec *start;
2744
2745 /* first call */
2746 if (session->internals.priorities == NULL ||
2747 session->internals.priorities->cs.size == 0)
2748 return gnutls_assert_val(GNUTLS_E_NO_PRIORITIES_WERE_SET);
2749
2750 ret =
2751 _gnutls_epoch_setup_next(session, 0, NULL);
2752 if (ret < 0)
2753 return gnutls_assert_val(ret);
2754
2755 session->internals.used_exts = 0;
2756 session->internals.hsk_flags = 0;
2757 session->internals.handshake_in_progress = 1;
2758 session->internals.vc_status = -1;
2759 gnutls_gettime(&session->internals.handshake_start_time);
2760
2761 tmo_ms = session->internals.handshake_timeout_ms;
2762 end = &session->internals.handshake_abs_timeout;
2763 start = &session->internals.handshake_start_time;
2764
2765 if (tmo_ms && end->tv_sec == 0 && end->tv_nsec == 0) {
2766 end->tv_sec =
2767 start->tv_sec + (start->tv_nsec + tmo_ms * 1000000LL) / 1000000000LL;
2768 end->tv_nsec =
2769 (start->tv_nsec + tmo_ms * 1000000LL) % 1000000000LL;
2770 }
2771 }
2772
2773 if (session->internals.recv_state == RECV_STATE_FALSE_START) {
2774 session_invalidate(session);
2775 return gnutls_assert_val(GNUTLS_E_HANDSHAKE_DURING_FALSE_START);
2776 }
2777
2778 if (session->security_parameters.entity == GNUTLS_CLIENT) {
2779 do {
2780 ret = handshake_client(session);
2781 } while (ret == 1);
2782 } else {
2783 ret = handshake_server(session);
2784 }
2785
2786 if (ret < 0) {
2787 return _gnutls_abort_handshake(session, ret);
2788 }
2789
2790 /* clear handshake buffer */
2791 if (session->internals.recv_state != RECV_STATE_FALSE_START &&
2792 session->internals.recv_state != RECV_STATE_EARLY_START) {
2793
2794 _gnutls_handshake_hash_buffers_clear(session);
2795
2796 if (IS_DTLS(session) == 0) {
2797 _gnutls_handshake_io_buffer_clear(session);
2798 } else {
2799 _dtls_async_timer_init(session);
2800 }
2801
2802 _gnutls_handshake_internal_state_clear(session);
2803
2804 _gnutls_buffer_clear(&session->internals.record_presend_buffer);
2805
2806 _gnutls_epoch_bump(session);
2807 }
2808
2809 /* Give an estimation of the round-trip under TLS1.3, used by gnutls_session_get_data2() */
2810 if (!IS_SERVER(session) && vers->tls13_sem) {
2811 struct timespec handshake_finish_time;
2812 gnutls_gettime(&handshake_finish_time);
2813
2814 if (!(session->internals.hsk_flags & HSK_HRR_RECEIVED)) {
2815 session->internals.ertt = timespec_sub_ms(&handshake_finish_time, &session->internals.handshake_start_time)/2;
2816 } else {
2817 session->internals.ertt = timespec_sub_ms(&handshake_finish_time, &session->internals.handshake_start_time)/4;
2818 }
2819 }
2820
2821 return 0;
2822 }
2823
2824 /**
2825 * gnutls_handshake_set_timeout:
2826 * @session: is a #gnutls_session_t type.
2827 * @ms: is a timeout value in milliseconds
2828 *
2829 * This function sets the timeout for the TLS handshake process
2830 * to the provided value. Use an @ms value of zero to disable
2831 * timeout, or %GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT for a reasonable
2832 * default value. For the DTLS protocol, the more detailed
2833 * gnutls_dtls_set_timeouts() is provided.
2834 *
2835 * This function requires to set a pull timeout callback. See
2836 * gnutls_transport_set_pull_timeout_function().
2837 *
2838 * Since: 3.1.0
2839 **/
2840 void
gnutls_handshake_set_timeout(gnutls_session_t session,unsigned int ms)2841 gnutls_handshake_set_timeout(gnutls_session_t session, unsigned int ms)
2842 {
2843 if (ms == GNUTLS_INDEFINITE_TIMEOUT) {
2844 session->internals.handshake_timeout_ms = 0;
2845 return;
2846 }
2847
2848 if (ms == GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT)
2849 ms = DEFAULT_HANDSHAKE_TIMEOUT_MS;
2850
2851 if (IS_DTLS(session)) {
2852 gnutls_dtls_set_timeouts(session, DTLS_RETRANS_TIMEOUT, ms);
2853 return;
2854 }
2855
2856 session->internals.handshake_timeout_ms = ms;
2857 }
2858
2859 /* Runs the certificate verification callback.
2860 * side is the side that we verify the certificate
2861 * from (either GNUTLS_CLIENT or GNUTLS_SERVER).
2862 */
_gnutls_run_verify_callback(gnutls_session_t session,unsigned int side)2863 int _gnutls_run_verify_callback(gnutls_session_t session, unsigned int side)
2864 {
2865 gnutls_certificate_credentials_t cred;
2866 int ret, type;
2867
2868 if (session->internals.hsk_flags & HSK_PSK_SELECTED)
2869 return 0;
2870
2871 cred =
2872 (gnutls_certificate_credentials_t) _gnutls_get_cred(session,
2873 GNUTLS_CRD_CERTIFICATE);
2874
2875 if (side == GNUTLS_CLIENT)
2876 type = gnutls_auth_server_get_type(session);
2877 else
2878 type = gnutls_auth_client_get_type(session);
2879
2880 if (type != GNUTLS_CRD_CERTIFICATE)
2881 return 0;
2882
2883 /* verify whether the certificate of the peer remained the same
2884 * as with any previous handshakes */
2885 if (cred != NULL) {
2886 ret = _gnutls_check_if_cert_hash_is_same(session, cred);
2887 if (ret < 0) {
2888 return gnutls_assert_val(ret);
2889 }
2890 }
2891
2892 if (cred != NULL &&
2893 (cred->verify_callback != NULL || session->internals.verify_callback != NULL) &&
2894 (session->security_parameters.entity == GNUTLS_CLIENT ||
2895 session->internals.send_cert_req != GNUTLS_CERT_IGNORE)) {
2896 if (session->internals.verify_callback)
2897 ret = session->internals.verify_callback(session);
2898 else
2899 ret = cred->verify_callback(session);
2900 if (ret < -1)
2901 return gnutls_assert_val(ret);
2902 else if (ret != 0)
2903 return gnutls_assert_val(GNUTLS_E_CERTIFICATE_ERROR);
2904 }
2905
2906 return 0;
2907 }
2908
can_send_false_start(gnutls_session_t session)2909 static bool can_send_false_start(gnutls_session_t session)
2910 {
2911 const version_entry_st *vers;
2912
2913 vers = get_version(session);
2914 if (unlikely(vers == NULL || !vers->false_start))
2915 return 0;
2916
2917 if (session->internals.selected_cert_list != NULL)
2918 return 0;
2919
2920 if (!_gnutls_kx_allows_false_start(session))
2921 return 0;
2922
2923 return 1;
2924 }
2925
2926 /*
2927 * handshake_client
2928 * This function performs the client side of the handshake of the TLS/SSL protocol.
2929 */
handshake_client(gnutls_session_t session)2930 static int handshake_client(gnutls_session_t session)
2931 {
2932 int ret = 0;
2933 const version_entry_st *ver;
2934
2935 reset:
2936 if (STATE >= STATE99)
2937 return _gnutls13_handshake_client(session);
2938
2939 switch (STATE) {
2940 case STATE0:
2941 case STATE1:
2942 ret = send_client_hello(session, AGAIN(STATE1));
2943 STATE = STATE1;
2944 IMED_RET("send hello", ret, 1);
2945 FALLTHROUGH;
2946 case STATE2:
2947 if (IS_DTLS(session)) {
2948 ret =
2949 _gnutls_recv_handshake(session,
2950 GNUTLS_HANDSHAKE_HELLO_VERIFY_REQUEST,
2951 1, NULL);
2952 STATE = STATE2;
2953 IMED_RET("recv hello verify", ret, 1);
2954
2955 if (ret == 1) {
2956 STATE = STATE0;
2957 return 1;
2958 }
2959 } else {
2960 ret =
2961 _gnutls_recv_handshake(session,
2962 GNUTLS_HANDSHAKE_HELLO_RETRY_REQUEST,
2963 1, NULL);
2964 STATE = STATE2;
2965 IMED_RET("recv hello retry", ret, 1);
2966
2967 if (ret == 1) {
2968 STATE = STATE0;
2969 return 1;
2970 }
2971 }
2972 FALLTHROUGH;
2973 case STATE3:
2974 /* receive the server hello */
2975 ret =
2976 _gnutls_recv_handshake(session,
2977 GNUTLS_HANDSHAKE_SERVER_HELLO,
2978 0, NULL);
2979 STATE = STATE3;
2980 IMED_RET("recv hello", ret, 1);
2981 FALLTHROUGH;
2982 case STATE4:
2983 ver = get_version(session);
2984 if (ver->tls13_sem) { /* TLS 1.3 state machine */
2985 STATE = STATE99;
2986 goto reset;
2987 }
2988
2989 ret = _gnutls_ext_sr_verify(session);
2990 STATE = STATE4;
2991 IMED_RET_FATAL("recv hello", ret, 0);
2992 FALLTHROUGH;
2993 case STATE5:
2994 if (session->security_parameters.do_recv_supplemental) {
2995 ret = _gnutls_recv_supplemental(session);
2996 STATE = STATE5;
2997 IMED_RET("recv supplemental", ret, 1);
2998 }
2999 FALLTHROUGH;
3000 case STATE6:
3001 /* RECV CERTIFICATE */
3002 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
3003 ret = _gnutls_recv_server_certificate(session);
3004 STATE = STATE6;
3005 IMED_RET("recv server certificate", ret, 1);
3006 FALLTHROUGH;
3007 case STATE7:
3008 #ifdef ENABLE_OCSP
3009 /* RECV CERTIFICATE STATUS */
3010 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
3011 ret =
3012 _gnutls_recv_server_certificate_status
3013 (session);
3014 STATE = STATE7;
3015 IMED_RET("recv server certificate", ret, 1);
3016 #endif
3017 FALLTHROUGH;
3018 case STATE8:
3019 ret = _gnutls_run_verify_callback(session, GNUTLS_CLIENT);
3020 STATE = STATE8;
3021 if (ret < 0)
3022 return gnutls_assert_val(ret);
3023
3024 FALLTHROUGH;
3025 case STATE9:
3026 /* receive the server key exchange */
3027 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
3028 ret = _gnutls_recv_server_kx_message(session);
3029 STATE = STATE9;
3030 IMED_RET("recv server kx message", ret, 1);
3031 FALLTHROUGH;
3032 case STATE10:
3033 /* receive the server certificate request - if any
3034 */
3035
3036 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
3037 ret = _gnutls_recv_server_crt_request(session);
3038 STATE = STATE10;
3039 IMED_RET("recv server certificate request message", ret,
3040 1);
3041 FALLTHROUGH;
3042 case STATE11:
3043 /* receive the server hello done */
3044 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
3045 ret =
3046 _gnutls_recv_handshake(session,
3047 GNUTLS_HANDSHAKE_SERVER_HELLO_DONE,
3048 0, NULL);
3049 STATE = STATE11;
3050 IMED_RET("recv server hello done", ret, 1);
3051 FALLTHROUGH;
3052 case STATE12:
3053 if (session->security_parameters.do_send_supplemental) {
3054 ret =
3055 _gnutls_send_supplemental(session,
3056 AGAIN(STATE12));
3057 STATE = STATE12;
3058 IMED_RET("send supplemental", ret, 0);
3059 }
3060 FALLTHROUGH;
3061 case STATE13:
3062 /* send our certificate - if any and if requested
3063 */
3064 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
3065 ret =
3066 _gnutls_send_client_certificate(session,
3067 AGAIN
3068 (STATE13));
3069 STATE = STATE13;
3070 IMED_RET("send client certificate", ret, 0);
3071 FALLTHROUGH;
3072 case STATE14:
3073 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
3074 ret =
3075 _gnutls_send_client_kx_message(session,
3076 AGAIN(STATE14));
3077 STATE = STATE14;
3078 IMED_RET("send client kx", ret, 0);
3079 FALLTHROUGH;
3080 case STATE15:
3081 /* send client certificate verify */
3082 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
3083 ret =
3084 _gnutls_send_client_certificate_verify(session,
3085 AGAIN
3086 (STATE15));
3087 STATE = STATE15;
3088 IMED_RET("send client certificate verify", ret, 1);
3089 FALLTHROUGH;
3090 case STATE16:
3091 STATE = STATE16;
3092 if (session->internals.resumed == RESUME_FALSE) {
3093 ret = send_handshake_final(session, TRUE);
3094 IMED_RET("send handshake final 2", ret, 1);
3095 } else {
3096 ret = _gnutls_recv_new_session_ticket(session);
3097 IMED_RET("recv handshake new session ticket", ret,
3098 1);
3099 }
3100 FALLTHROUGH;
3101 case STATE17:
3102 STATE = STATE17;
3103 if (session->internals.resumed == RESUME_FALSE && (session->internals.flags & GNUTLS_ENABLE_FALSE_START) && can_send_false_start(session)) {
3104 session->internals.hsk_flags |= HSK_FALSE_START_USED;
3105 session->internals.recv_state = RECV_STATE_FALSE_START;
3106 /* complete this phase of the handshake. We
3107 * should be called again by gnutls_record_recv()
3108 */
3109 STATE = STATE18;
3110 gnutls_assert();
3111
3112 return 0;
3113 }
3114 FALLTHROUGH;
3115 case STATE18:
3116 STATE = STATE18;
3117
3118 if (session->internals.resumed == RESUME_FALSE) {
3119 ret = _gnutls_recv_new_session_ticket(session);
3120 IMED_RET("recv handshake new session ticket", ret,
3121 1);
3122 } else {
3123 ret = recv_handshake_final(session, TRUE);
3124 IMED_RET("recv handshake final", ret, 1);
3125 }
3126 FALLTHROUGH;
3127 case STATE19:
3128 STATE = STATE19;
3129 if (session->internals.resumed == RESUME_FALSE) {
3130 ret = recv_handshake_final(session, FALSE);
3131 IMED_RET("recv handshake final 2", ret, 1);
3132 } else {
3133 ret = send_handshake_final(session, FALSE);
3134 IMED_RET("send handshake final", ret, 1);
3135 }
3136
3137 STATE = STATE0;
3138 FALLTHROUGH;
3139 default:
3140 break;
3141 }
3142
3143 /* explicitly reset any false start flags */
3144 gnutls_mutex_lock(&session->internals.post_negotiation_lock);
3145 session->internals.initial_negotiation_completed = 1;
3146 session->internals.recv_state = RECV_STATE_0;
3147 gnutls_mutex_unlock(&session->internals.post_negotiation_lock);
3148
3149 return 0;
3150 }
3151
3152
3153
3154 /* This function is to be called if the handshake was successfully
3155 * completed. This sends a Change Cipher Spec packet to the peer.
3156 */
_gnutls_send_change_cipher_spec(gnutls_session_t session,int again)3157 ssize_t _gnutls_send_change_cipher_spec(gnutls_session_t session, int again)
3158 {
3159 uint8_t *data;
3160 mbuffer_st *bufel;
3161 int ret;
3162 const version_entry_st *vers;
3163
3164 if (again == 0) {
3165 bufel = _gnutls_handshake_alloc(session, 3); /* max for DTLS0.9 */
3166 if (bufel == NULL)
3167 return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
3168
3169 vers = get_version(session);
3170 if (unlikely(vers == NULL))
3171 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
3172
3173 if (vers->id == GNUTLS_DTLS0_9)
3174 _mbuffer_set_uhead_size(bufel, 3);
3175 else
3176 _mbuffer_set_uhead_size(bufel, 1);
3177 _mbuffer_set_udata_size(bufel, 0);
3178
3179 data = _mbuffer_get_uhead_ptr(bufel);
3180
3181 data[0] = 1;
3182 if (vers->id == GNUTLS_DTLS0_9) {
3183 _gnutls_write_uint16(session->internals.dtls.
3184 hsk_write_seq, &data[1]);
3185 session->internals.dtls.hsk_write_seq++;
3186 }
3187
3188 ret = _gnutls_call_hook_func(session, GNUTLS_HANDSHAKE_CHANGE_CIPHER_SPEC, GNUTLS_HOOK_PRE, 0,
3189 data, 1);
3190 if (ret < 0) {
3191 _mbuffer_xfree(&bufel);
3192 return gnutls_assert_val(ret);
3193 }
3194
3195 ret =
3196 _gnutls_handshake_io_cache_int(session,
3197 GNUTLS_HANDSHAKE_CHANGE_CIPHER_SPEC,
3198 bufel);
3199 if (ret < 0) {
3200 _mbuffer_xfree(&bufel);
3201 return gnutls_assert_val(ret);
3202 }
3203
3204 ret = _gnutls_call_hook_func(session, GNUTLS_HANDSHAKE_CHANGE_CIPHER_SPEC, GNUTLS_HOOK_POST, 0,
3205 data, 1);
3206 if (ret < 0) {
3207 return gnutls_assert_val(ret);
3208 }
3209
3210 /* under TLS 1.3, CCS may be immediately followed by
3211 * receiving ClientHello thus cannot be cached */
3212 if (vers->tls13_sem) {
3213 ret = _gnutls_handshake_io_write_flush(session);
3214 if (ret < 0)
3215 return gnutls_assert_val(ret);
3216 }
3217
3218 _gnutls_handshake_log("REC[%p]: Sent ChangeCipherSpec\n",
3219 session);
3220 }
3221
3222 return 0;
3223 }
3224
3225 /* This function sends the final handshake packets and initializes connection
3226 */
send_handshake_final(gnutls_session_t session,int init)3227 static int send_handshake_final(gnutls_session_t session, int init)
3228 {
3229 int ret = 0;
3230
3231 /* Send the CHANGE CIPHER SPEC PACKET */
3232
3233 switch (FINAL_STATE) {
3234 case STATE0:
3235 case STATE1:
3236 ret = _gnutls_send_change_cipher_spec(session, FAGAIN(STATE1));
3237 FINAL_STATE = STATE0;
3238
3239 if (ret < 0) {
3240 gnutls_assert();
3241 return ret;
3242 }
3243 /* Initialize the connection session (start encryption) - in case of client
3244 */
3245 if (init == TRUE) {
3246 ret = _gnutls_connection_state_init(session);
3247 if (ret < 0) {
3248 gnutls_assert();
3249 return ret;
3250 }
3251 }
3252
3253 ret = _gnutls_write_connection_state_init(session);
3254 if (ret < 0) {
3255 gnutls_assert();
3256 return ret;
3257 }
3258
3259 FALLTHROUGH;
3260 case STATE2:
3261 /* send the finished message */
3262 ret = _gnutls_send_finished(session, FAGAIN(STATE2));
3263 FINAL_STATE = STATE2;
3264 if (ret < 0) {
3265 gnutls_assert();
3266 return ret;
3267 }
3268
3269 FINAL_STATE = STATE0;
3270 FALLTHROUGH;
3271 default:
3272 break;
3273 }
3274
3275 return 0;
3276 }
3277
3278 /* This function receives the final handshake packets
3279 * And executes the appropriate function to initialize the
3280 * read session.
3281 */
recv_handshake_final(gnutls_session_t session,int init)3282 static int recv_handshake_final(gnutls_session_t session, int init)
3283 {
3284 int ret = 0;
3285 uint8_t ccs[3];
3286 unsigned int ccs_len = 1;
3287 unsigned int tleft;
3288 const version_entry_st *vers;
3289
3290 ret = handshake_remaining_time(session);
3291 if (ret < 0)
3292 return gnutls_assert_val(ret);
3293 tleft = ret;
3294
3295 switch (FINAL_STATE) {
3296 case STATE0:
3297 case STATE30:
3298 FINAL_STATE = STATE30;
3299
3300 /* This is the last flight and peer cannot be sure
3301 * we have received it unless we notify him. So we
3302 * wait for a message and retransmit if needed. */
3303 if (IS_DTLS(session) && !_dtls_is_async(session) &&
3304 (gnutls_record_check_pending(session) +
3305 record_check_unprocessed(session)) == 0) {
3306 ret = _dtls_wait_and_retransmit(session);
3307 if (ret < 0)
3308 return gnutls_assert_val(ret);
3309 }
3310
3311 vers = get_version(session);
3312 if (unlikely(vers == NULL))
3313 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
3314
3315 if (vers->id == GNUTLS_DTLS0_9)
3316 ccs_len = 3;
3317
3318 ret =
3319 _gnutls_recv_int(session, GNUTLS_CHANGE_CIPHER_SPEC,
3320 ccs, ccs_len, NULL, tleft);
3321 if (ret <= 0) {
3322 gnutls_assert();
3323 return (ret<0)?ret:GNUTLS_E_UNEXPECTED_PACKET;
3324 }
3325
3326 if (vers->id == GNUTLS_DTLS0_9)
3327 session->internals.dtls.hsk_read_seq++;
3328
3329 /* Initialize the connection session (start encryption) - in case of server */
3330 if (init == TRUE) {
3331 ret = _gnutls_connection_state_init(session);
3332 if (ret < 0) {
3333 gnutls_assert();
3334 return ret;
3335 }
3336 }
3337
3338 ret = _gnutls_read_connection_state_init(session);
3339 if (ret < 0) {
3340 gnutls_assert();
3341 return ret;
3342 }
3343 FALLTHROUGH;
3344 case STATE31:
3345 FINAL_STATE = STATE31;
3346
3347 if (IS_DTLS(session) && !_dtls_is_async(session) &&
3348 (gnutls_record_check_pending(session) +
3349 record_check_unprocessed(session)) == 0) {
3350 ret = _dtls_wait_and_retransmit(session);
3351 if (ret < 0)
3352 return gnutls_assert_val(ret);
3353 }
3354
3355 ret = _gnutls_recv_finished(session);
3356 if (ret < 0) {
3357 gnutls_assert();
3358 return ret;
3359 }
3360 FINAL_STATE = STATE0;
3361 FALLTHROUGH;
3362 default:
3363 break;
3364 }
3365
3366 return 0;
3367 }
3368
3369 /*
3370 * handshake_server
3371 * This function does the server stuff of the handshake protocol.
3372 */
handshake_server(gnutls_session_t session)3373 static int handshake_server(gnutls_session_t session)
3374 {
3375 int ret = 0;
3376 const version_entry_st *ver;
3377
3378 reset:
3379
3380 if (STATE >= STATE90)
3381 return _gnutls13_handshake_server(session);
3382
3383 switch (STATE) {
3384 case STATE0:
3385 case STATE1:
3386 ret =
3387 _gnutls_recv_handshake(session,
3388 GNUTLS_HANDSHAKE_CLIENT_HELLO,
3389 0, NULL);
3390 if (ret == GNUTLS_E_INT_RET_0) {
3391 /* this is triggered by post_client_hello, and instructs the
3392 * handshake to proceed but be put on hold */
3393 ret = GNUTLS_E_INTERRUPTED;
3394 STATE = STATE2; /* hello already parsed -> move on */
3395 } else {
3396 STATE = STATE1;
3397 }
3398
3399 if (ret == GNUTLS_E_NO_COMMON_KEY_SHARE) {
3400 STATE = STATE90;
3401 session->internals.hsk_flags |= HSK_HRR_SENT;
3402 goto reset;
3403 }
3404
3405 IMED_RET("recv hello", ret, 1);
3406 FALLTHROUGH;
3407 case STATE2:
3408
3409 ret = _gnutls_ext_sr_verify(session);
3410 STATE = STATE2;
3411 IMED_RET_FATAL("recv hello", ret, 0);
3412 FALLTHROUGH;
3413 case STATE3:
3414 ret = _gnutls_send_server_hello(session, AGAIN(STATE3));
3415 STATE = STATE3;
3416 IMED_RET("send hello", ret, 1);
3417
3418 ver = get_version(session);
3419 if (ver->tls13_sem) { /* TLS 1.3 state machine */
3420 STATE = STATE99;
3421 goto reset;
3422 }
3423
3424 FALLTHROUGH;
3425 case STATE4:
3426 if (session->security_parameters.do_send_supplemental) {
3427 ret =
3428 _gnutls_send_supplemental(session,
3429 AGAIN(STATE4));
3430 STATE = STATE4;
3431 IMED_RET("send supplemental data", ret, 0);
3432 }
3433 /* SEND CERTIFICATE + KEYEXCHANGE + CERTIFICATE_REQUEST */
3434 FALLTHROUGH;
3435 case STATE5:
3436 /* NOTE: these should not be send if we are resuming */
3437
3438 if (session->internals.resumed == RESUME_FALSE)
3439 ret =
3440 _gnutls_send_server_certificate(session,
3441 AGAIN(STATE5));
3442 STATE = STATE5;
3443 IMED_RET("send server certificate", ret, 0);
3444 FALLTHROUGH;
3445 case STATE6:
3446 #ifdef ENABLE_OCSP
3447 if (session->internals.resumed == RESUME_FALSE)
3448 ret =
3449 _gnutls_send_server_certificate_status(session,
3450 AGAIN
3451 (STATE6));
3452 STATE = STATE6;
3453 IMED_RET("send server certificate status", ret, 0);
3454 #endif
3455 FALLTHROUGH;
3456 case STATE7:
3457 /* send server key exchange (A) */
3458 if (session->internals.resumed == RESUME_FALSE)
3459 ret =
3460 _gnutls_send_server_kx_message(session,
3461 AGAIN(STATE7));
3462 STATE = STATE7;
3463 IMED_RET("send server kx", ret, 0);
3464 FALLTHROUGH;
3465 case STATE8:
3466 /* Send certificate request - if requested to */
3467 if (session->internals.resumed == RESUME_FALSE)
3468 ret =
3469 _gnutls_send_server_crt_request(session,
3470 AGAIN(STATE8));
3471 STATE = STATE8;
3472 IMED_RET("send server cert request", ret, 0);
3473 FALLTHROUGH;
3474 case STATE9:
3475 /* send the server hello done */
3476 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
3477 ret =
3478 _gnutls_send_empty_handshake(session,
3479 GNUTLS_HANDSHAKE_SERVER_HELLO_DONE,
3480 AGAIN(STATE9));
3481 STATE = STATE9;
3482 IMED_RET("send server hello done", ret, 1);
3483 FALLTHROUGH;
3484 case STATE10:
3485 if (session->security_parameters.do_recv_supplemental) {
3486 ret = _gnutls_recv_supplemental(session);
3487 STATE = STATE10;
3488 IMED_RET("recv client supplemental", ret, 1);
3489 }
3490 /* RECV CERTIFICATE + KEYEXCHANGE + CERTIFICATE_VERIFY */
3491 FALLTHROUGH;
3492 case STATE11:
3493 /* receive the client certificate message */
3494 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
3495 ret = _gnutls_recv_client_certificate(session);
3496 STATE = STATE11;
3497 IMED_RET("recv client certificate", ret, 1);
3498 FALLTHROUGH;
3499 case STATE12:
3500 ret = _gnutls_run_verify_callback(session, GNUTLS_SERVER);
3501 STATE = STATE12;
3502 if (ret < 0)
3503 return gnutls_assert_val(ret);
3504 FALLTHROUGH;
3505 case STATE13:
3506 /* receive the client key exchange message */
3507 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
3508 ret = _gnutls_recv_client_kx_message(session);
3509 STATE = STATE13;
3510 IMED_RET("recv client kx", ret, 1);
3511 FALLTHROUGH;
3512 case STATE14:
3513 /* receive the client certificate verify message */
3514 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
3515 ret =
3516 _gnutls_recv_client_certificate_verify_message
3517 (session);
3518 STATE = STATE14;
3519 IMED_RET("recv client certificate verify", ret, 1);
3520 FALLTHROUGH;
3521 case STATE15:
3522 STATE = STATE15;
3523 if (session->internals.resumed == RESUME_FALSE) { /* if we are not resuming */
3524 ret = recv_handshake_final(session, TRUE);
3525 IMED_RET("recv handshake final", ret, 1);
3526 } else {
3527 ret = send_handshake_final(session, TRUE);
3528 IMED_RET("send handshake final 2", ret, 1);
3529 }
3530 FALLTHROUGH;
3531 case STATE16:
3532 ret =
3533 _gnutls_send_new_session_ticket(session,
3534 AGAIN(STATE16));
3535 STATE = STATE16;
3536 IMED_RET("send handshake new session ticket", ret, 0);
3537 FALLTHROUGH;
3538 case STATE17:
3539 STATE = STATE17;
3540 if (session->internals.resumed == RESUME_FALSE) { /* if we are not resuming */
3541 ret = send_handshake_final(session, FALSE);
3542 IMED_RET("send handshake final", ret, 1);
3543
3544 if (session->security_parameters.entity ==
3545 GNUTLS_SERVER
3546 && !(session->internals.hsk_flags & HSK_TLS12_TICKET_SENT)) {
3547 /* if no ticket, save session data */
3548 _gnutls_server_register_current_session
3549 (session);
3550 }
3551 } else {
3552 ret = recv_handshake_final(session, FALSE);
3553 IMED_RET("recv handshake final 2", ret, 1);
3554 }
3555
3556 STATE = STATE0;
3557 FALLTHROUGH;
3558 default:
3559 break;
3560 }
3561
3562 /* no lock of post_negotiation_lock is required here as this is not run
3563 * after handshake */
3564 session->internals.initial_negotiation_completed = 1;
3565
3566 return _gnutls_check_id_for_change(session);
3567 }
3568
_gnutls_generate_session_id(uint8_t * session_id,uint8_t * len)3569 int _gnutls_generate_session_id(uint8_t * session_id, uint8_t *len)
3570 {
3571 int ret;
3572
3573 *len = GNUTLS_DEF_SESSION_ID_SIZE;
3574
3575 ret =
3576 gnutls_rnd(GNUTLS_RND_NONCE, session_id,
3577 GNUTLS_DEF_SESSION_ID_SIZE);
3578 if (ret < 0) {
3579 gnutls_assert();
3580 return ret;
3581 }
3582
3583 return 0;
3584 }
3585
3586
3587 /**
3588 * gnutls_handshake_set_max_packet_length:
3589 * @session: is a #gnutls_session_t type.
3590 * @max: is the maximum number.
3591 *
3592 * This function will set the maximum size of all handshake messages.
3593 * Handshakes over this size are rejected with
3594 * %GNUTLS_E_HANDSHAKE_TOO_LARGE error code. The default value is
3595 * 128kb which is typically large enough. Set this to 0 if you do not
3596 * want to set an upper limit.
3597 *
3598 * The reason for restricting the handshake message sizes are to
3599 * limit Denial of Service attacks.
3600 *
3601 * Note that the maximum handshake size was increased to 128kb
3602 * from 48kb in GnuTLS 3.5.5.
3603 **/
3604 void
gnutls_handshake_set_max_packet_length(gnutls_session_t session,size_t max)3605 gnutls_handshake_set_max_packet_length(gnutls_session_t session,
3606 size_t max)
3607 {
3608 session->internals.max_handshake_data_buffer_size = max;
3609 }
3610
3611 /**
3612 * gnutls_handshake_get_last_in:
3613 * @session: is a #gnutls_session_t type.
3614 *
3615 * This function is only useful to check where the last performed
3616 * handshake failed. If the previous handshake succeed or was not
3617 * performed at all then no meaningful value will be returned.
3618 *
3619 * Check %gnutls_handshake_description_t in gnutls.h for the
3620 * available handshake descriptions.
3621 *
3622 * Returns: the last handshake message type received, a
3623 * %gnutls_handshake_description_t.
3624 **/
3625 gnutls_handshake_description_t
gnutls_handshake_get_last_in(gnutls_session_t session)3626 gnutls_handshake_get_last_in(gnutls_session_t session)
3627 {
3628 return session->internals.last_handshake_in;
3629 }
3630
3631 /**
3632 * gnutls_handshake_get_last_out:
3633 * @session: is a #gnutls_session_t type.
3634 *
3635 * This function is only useful to check where the last performed
3636 * handshake failed. If the previous handshake succeed or was not
3637 * performed at all then no meaningful value will be returned.
3638 *
3639 * Check %gnutls_handshake_description_t in gnutls.h for the
3640 * available handshake descriptions.
3641 *
3642 * Returns: the last handshake message type sent, a
3643 * %gnutls_handshake_description_t.
3644 **/
3645 gnutls_handshake_description_t
gnutls_handshake_get_last_out(gnutls_session_t session)3646 gnutls_handshake_get_last_out(gnutls_session_t session)
3647 {
3648 return session->internals.last_handshake_out;
3649 }
3650
3651 /* This returns the session hash as in draft-ietf-tls-session-hash-02.
3652 */
_gnutls_handshake_get_session_hash(gnutls_session_t session,gnutls_datum_t * shash)3653 int _gnutls_handshake_get_session_hash(gnutls_session_t session, gnutls_datum_t *shash)
3654 {
3655 const version_entry_st *ver = get_version(session);
3656 int ret;
3657 uint8_t concat[2*MAX_HASH_SIZE];
3658
3659 if (unlikely(ver == NULL))
3660 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
3661
3662 if (session->internals.handshake_hash_buffer_client_kx_len == 0 ||
3663 (session->internals.handshake_hash_buffer.length <
3664 session->internals.handshake_hash_buffer_client_kx_len)) {
3665 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
3666 }
3667
3668 ret =
3669 _gnutls_hash_fast((gnutls_digest_algorithm_t)session->security_parameters.prf->id,
3670 session->internals.handshake_hash_buffer.
3671 data,
3672 session->internals.handshake_hash_buffer_client_kx_len,
3673 concat);
3674 if (ret < 0)
3675 return gnutls_assert_val(ret);
3676
3677 return _gnutls_set_datum(shash, concat, session->security_parameters.prf->output_size);
3678 }
3679