1 /*
2 * Copyright (C) 2002-2016 Free Software Foundation, Inc.
3 * Copyright (C) 2014-2016 Nikos Mavrogiannopoulos
4 * Copyright (C) 2015-2018 Red Hat, Inc.
5 *
6 * Author: Nikos Mavrogiannopoulos
7 *
8 * This file is part of GnuTLS.
9 *
10 * The GnuTLS is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU Lesser General Public License
12 * as published by the Free Software Foundation; either version 2.1 of
13 * the License, or (at your option) any later version.
14 *
15 * This library is distributed in the hope that it will be useful, but
16 * WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
18 * Lesser General Public License for more details.
19 *
20 * You should have received a copy of the GNU Lesser General Public License
21 * along with this program. If not, see <https://www.gnu.org/licenses/>
22 *
23 */
24
25 /* Functions to manipulate the session (gnutls_int.h), and some other stuff
26 * are included here. The file's name is traditionally gnutls_state even if the
27 * state has been renamed to session.
28 */
29
30 #include "gnutls_int.h"
31 #include "errors.h"
32 #include <auth.h>
33 #include <num.h>
34 #include <datum.h>
35 #include <db.h>
36 #include <record.h>
37 #include <handshake.h>
38 #include <dh.h>
39 #include <buffers.h>
40 #include <mbuffers.h>
41 #include <state.h>
42 #include <constate.h>
43 #include <auth/cert.h>
44 #include <auth/anon.h>
45 #include <auth/psk.h>
46 #include <algorithms.h>
47 #include <hello_ext.h>
48 #include <system.h>
49 #include <random.h>
50 #include <fips.h>
51 #include <intprops.h>
52 #include <gnutls/dtls.h>
53 #include "dtls.h"
54 #include "tls13/session_ticket.h"
55 #include "ext/cert_types.h"
56 #include "locks.h"
57 #include "kx.h"
58 #ifdef HAVE_VALGRIND_MEMCHECK_H
59 #include <valgrind/memcheck.h>
60 #endif
61
62 /* to be used by supplemental data support to disable TLS1.3
63 * when supplemental data have been globally registered */
64 unsigned _gnutls_disable_tls13 = 0;
65
66 /* These should really be static, but src/tests.c calls them. Make
67 them public functions? */
68 void
69 _gnutls_rsa_pms_set_version(gnutls_session_t session,
70 unsigned char major, unsigned char minor);
71
72 /**
73 * gnutls_cipher_get:
74 * @session: is a #gnutls_session_t type.
75 *
76 * Get the currently used cipher.
77 *
78 * Returns: the currently used cipher, a #gnutls_cipher_algorithm_t
79 * type.
80 **/
gnutls_cipher_get(gnutls_session_t session)81 gnutls_cipher_algorithm_t gnutls_cipher_get(gnutls_session_t session)
82 {
83 record_parameters_st *record_params;
84 int ret;
85
86 ret =
87 _gnutls_epoch_get(session, EPOCH_READ_CURRENT, &record_params);
88 if (ret < 0)
89 return gnutls_assert_val(GNUTLS_CIPHER_NULL);
90
91 return record_params->cipher->id;
92 }
93
94 /**
95 * gnutls_certificate_type_get:
96 * @session: is a #gnutls_session_t type.
97 *
98 * This function returns the type of the certificate that is negotiated
99 * for this side to send to the peer. The certificate type is by default
100 * X.509, unless an alternative certificate type is enabled by
101 * gnutls_init() and negotiated during the session.
102 *
103 * Resumed sessions will return the certificate type that was negotiated
104 * and used in the original session.
105 *
106 * As of version 3.6.4 it is recommended to use
107 * gnutls_certificate_type_get2() which is more fine-grained.
108 *
109 * Returns: the currently used #gnutls_certificate_type_t certificate
110 * type as negotiated for 'our' side of the connection.
111 **/
112 gnutls_certificate_type_t
gnutls_certificate_type_get(gnutls_session_t session)113 gnutls_certificate_type_get(gnutls_session_t session)
114 {
115 return gnutls_certificate_type_get2(session, GNUTLS_CTYPE_OURS);
116 }
117
118 /**
119 * gnutls_certificate_type_get2:
120 * @session: is a #gnutls_session_t type.
121 * @target: is a #gnutls_ctype_target_t type.
122 *
123 * This function returns the type of the certificate that a side
124 * is negotiated to use. The certificate type is by default X.509,
125 * unless an alternative certificate type is enabled by gnutls_init() and
126 * negotiated during the session.
127 *
128 * The @target parameter specifies whether to request the negotiated
129 * certificate type for the client (%GNUTLS_CTYPE_CLIENT),
130 * or for the server (%GNUTLS_CTYPE_SERVER). Additionally, in P2P mode
131 * connection set up where you don't know in advance who will be client
132 * and who will be server you can use the flag (%GNUTLS_CTYPE_OURS) and
133 * (%GNUTLS_CTYPE_PEERS) to retrieve the corresponding certificate types.
134 *
135 * Resumed sessions will return the certificate type that was negotiated
136 * and used in the original session. That is, this function can be used
137 * to reliably determine the type of the certificate returned by
138 * gnutls_certificate_get_peers().
139 *
140 * Returns: the currently used #gnutls_certificate_type_t certificate
141 * type for the client or the server.
142 *
143 * Since: 3.6.4
144 **/
145 gnutls_certificate_type_t
gnutls_certificate_type_get2(gnutls_session_t session,gnutls_ctype_target_t target)146 gnutls_certificate_type_get2(gnutls_session_t session,
147 gnutls_ctype_target_t target)
148 {
149 /* We want to inline this function so therefore
150 * we've defined it in gnutls_int.h */
151 return get_certificate_type(session, target);
152 }
153
154 /**
155 * gnutls_kx_get:
156 * @session: is a #gnutls_session_t type.
157 *
158 * Get the currently used key exchange algorithm.
159 *
160 * This function will return %GNUTLS_KX_ECDHE_RSA, or %GNUTLS_KX_DHE_RSA
161 * under TLS 1.3, to indicate an elliptic curve DH key exchange or
162 * a finite field one. The precise group used is available
163 * by calling gnutls_group_get() instead.
164 *
165 * Returns: the key exchange algorithm used in the last handshake, a
166 * #gnutls_kx_algorithm_t value.
167 **/
gnutls_kx_get(gnutls_session_t session)168 gnutls_kx_algorithm_t gnutls_kx_get(gnutls_session_t session)
169 {
170 if (session->security_parameters.cs == 0)
171 return 0;
172
173 if (session->security_parameters.cs->kx_algorithm == 0) { /* TLS 1.3 */
174 const version_entry_st *ver = get_version(session);
175 const gnutls_group_entry_st *group = get_group(session);
176
177 if (ver->tls13_sem) {
178 if (session->internals.hsk_flags & HSK_PSK_SELECTED) {
179 if (group) {
180 if (group->pk == GNUTLS_PK_DH)
181 return GNUTLS_KX_DHE_PSK;
182 else
183 return GNUTLS_KX_ECDHE_PSK;
184 } else {
185 return GNUTLS_KX_PSK;
186 }
187 } else if (group) {
188 if (group->pk == GNUTLS_PK_DH)
189 return GNUTLS_KX_DHE_RSA;
190 else
191 return GNUTLS_KX_ECDHE_RSA;
192 }
193 }
194 }
195
196 return session->security_parameters.cs->kx_algorithm;
197 }
198
199 /**
200 * gnutls_mac_get:
201 * @session: is a #gnutls_session_t type.
202 *
203 * Get the currently used MAC algorithm.
204 *
205 * Returns: the currently used mac algorithm, a
206 * #gnutls_mac_algorithm_t value.
207 **/
gnutls_mac_get(gnutls_session_t session)208 gnutls_mac_algorithm_t gnutls_mac_get(gnutls_session_t session)
209 {
210 record_parameters_st *record_params;
211 int ret;
212
213 ret =
214 _gnutls_epoch_get(session, EPOCH_READ_CURRENT, &record_params);
215 if (ret < 0)
216 return gnutls_assert_val(GNUTLS_MAC_NULL);
217
218 return record_params->mac->id;
219 }
220
221 /**
222 * gnutls_compression_get:
223 * @session: is a #gnutls_session_t type.
224 *
225 * Get the currently used compression algorithm.
226 *
227 * Returns: the currently used compression method, a
228 * #gnutls_compression_method_t value.
229 **/
230 gnutls_compression_method_t
gnutls_compression_get(gnutls_session_t session)231 gnutls_compression_get(gnutls_session_t session)
232 {
233 return GNUTLS_COMP_NULL;
234 }
235
236 /**
237 * gnutls_prf_hash_get:
238 * @session: is a #gnutls_session_t type.
239 *
240 * Get the currently used hash algorithm. In TLS 1.3, the hash
241 * algorithm is used for both the key derivation function and
242 * handshake message authentication code. In TLS 1.2, it matches the
243 * hash algorithm used for PRF.
244 *
245 * Returns: the currently used hash algorithm, a
246 * #gnutls_digest_algorithm_t value.
247 *
248 * Since: 3.6.13
249 **/
250 gnutls_digest_algorithm_t
gnutls_prf_hash_get(const gnutls_session_t session)251 gnutls_prf_hash_get(const gnutls_session_t session)
252 {
253 if (session->security_parameters.prf == NULL)
254 return gnutls_assert_val(GNUTLS_DIG_UNKNOWN);
255
256 if (session->security_parameters.prf->id >= GNUTLS_MAC_AEAD)
257 return gnutls_assert_val(GNUTLS_DIG_UNKNOWN);
258
259 return (gnutls_digest_algorithm_t)session->security_parameters.prf->id;
260 }
261
reset_binders(gnutls_session_t session)262 void reset_binders(gnutls_session_t session)
263 {
264 _gnutls_free_temp_key_datum(&session->key.binders[0].psk);
265 _gnutls_free_temp_key_datum(&session->key.binders[1].psk);
266 memset(session->key.binders, 0, sizeof(session->key.binders));
267 }
268
269 /* Check whether certificate credentials of type @cert_type are set
270 * for the current session.
271 */
_gnutls_has_cert_credentials(gnutls_session_t session,gnutls_certificate_type_t cert_type)272 static bool _gnutls_has_cert_credentials(gnutls_session_t session,
273 gnutls_certificate_type_t cert_type)
274 {
275 unsigned i;
276 unsigned cert_found = 0;
277 gnutls_certificate_credentials_t cred;
278
279 /* First, check for certificate credentials. If we have no certificate
280 * credentials set then we don't support certificates at all.
281 */
282 cred = (gnutls_certificate_credentials_t)
283 _gnutls_get_cred(session, GNUTLS_CRD_CERTIFICATE);
284
285 if (cred == NULL)
286 return false;
287
288 /* There are credentials initialized. Now check whether we can find
289 * pre-set certificates of the required type, but only if we don't
290 * use the callback functions.
291 */
292 if (cred->get_cert_callback3 == NULL) {
293 for (i = 0; i < cred->ncerts; i++) {
294 if (cred->certs[i].cert_list[0].type == cert_type) {
295 cert_found = 1;
296 break;
297 }
298 }
299
300 if (cert_found == 0) {
301 /* No matching certificate found. */
302 return false;
303 }
304 }
305
306 return true; // OK
307 }
308
309 /* Check if the given certificate type is supported.
310 * This means that it is enabled by the priority functions,
311 * and in some cases a matching certificate exists. A check for
312 * the latter can be toggled via the parameter @check_credentials.
313 */
314 int
_gnutls_session_cert_type_supported(gnutls_session_t session,gnutls_certificate_type_t cert_type,bool check_credentials,gnutls_ctype_target_t target)315 _gnutls_session_cert_type_supported(gnutls_session_t session,
316 gnutls_certificate_type_t cert_type,
317 bool check_credentials,
318 gnutls_ctype_target_t target)
319 {
320 unsigned i;
321 priority_st* ctype_priorities;
322
323 // Check whether this cert type is enabled by the application
324 if (!is_cert_type_enabled(session, cert_type))
325 return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE);
326
327 // Perform a credentials check if requested
328 if (check_credentials) {
329 if (!_gnutls_has_cert_credentials(session, cert_type))
330 return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE);
331 }
332
333 /* So far so good. We have the required credentials (if needed).
334 * Now check whether we are allowed to use them according to our
335 * priorities.
336 */
337 // Which certificate type should we query?
338 switch (target) {
339 case GNUTLS_CTYPE_CLIENT:
340 ctype_priorities =
341 &(session->internals.priorities->client_ctype);
342 break;
343 case GNUTLS_CTYPE_SERVER:
344 ctype_priorities =
345 &(session->internals.priorities->server_ctype);
346 break;
347 default:
348 return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
349 }
350
351 // No explicit priorities set, and default ctype is asked
352 if (ctype_priorities->num_priorities == 0
353 && cert_type == DEFAULT_CERT_TYPE)
354 return 0;
355
356 /* Now lets find out whether our cert type is in our priority
357 * list, i.e. set of allowed cert types.
358 */
359 for (i = 0; i < ctype_priorities->num_priorities; i++) {
360 if (ctype_priorities->priorities[i] == cert_type)
361 return 0;
362 }
363
364 return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE;
365 }
366
deinit_keys(gnutls_session_t session)367 static void deinit_keys(gnutls_session_t session)
368 {
369 const version_entry_st *vers = get_version(session);
370
371 if (vers == NULL)
372 return;
373
374 gnutls_pk_params_release(&session->key.kshare.ecdhx_params);
375 gnutls_pk_params_release(&session->key.kshare.ecdh_params);
376 gnutls_pk_params_release(&session->key.kshare.dh_params);
377
378 if (!vers->tls13_sem && session->key.binders[0].prf == NULL) {
379 gnutls_pk_params_release(&session->key.proto.tls12.ecdh.params);
380 gnutls_pk_params_release(&session->key.proto.tls12.dh.params);
381 zrelease_temp_mpi_key(&session->key.proto.tls12.ecdh.x);
382 zrelease_temp_mpi_key(&session->key.proto.tls12.ecdh.y);
383 _gnutls_free_temp_key_datum(&session->key.proto.tls12.ecdh.raw);
384
385 zrelease_temp_mpi_key(&session->key.proto.tls12.dh.client_Y);
386
387 /* SRP */
388 zrelease_temp_mpi_key(&session->key.proto.tls12.srp.srp_p);
389 zrelease_temp_mpi_key(&session->key.proto.tls12.srp.srp_g);
390 zrelease_temp_mpi_key(&session->key.proto.tls12.srp.srp_key);
391
392 zrelease_temp_mpi_key(&session->key.proto.tls12.srp.u);
393 zrelease_temp_mpi_key(&session->key.proto.tls12.srp.a);
394 zrelease_temp_mpi_key(&session->key.proto.tls12.srp.x);
395 zrelease_temp_mpi_key(&session->key.proto.tls12.srp.A);
396 zrelease_temp_mpi_key(&session->key.proto.tls12.srp.B);
397 zrelease_temp_mpi_key(&session->key.proto.tls12.srp.b);
398 } else {
399 gnutls_memset(session->key.proto.tls13.temp_secret, 0,
400 sizeof(session->key.proto.tls13.temp_secret));
401 }
402
403 reset_binders(session);
404 _gnutls_free_temp_key_datum(&session->key.key);
405 }
406
407 /* An internal version of _gnutls_handshake_internal_state_clear(),
408 * it will not attempt to deallocate, only initialize */
handshake_internal_state_clear1(gnutls_session_t session)409 static void handshake_internal_state_clear1(gnutls_session_t session)
410 {
411 /* by default no selected certificate */
412 session->internals.adv_version_major = 0;
413 session->internals.adv_version_minor = 0;
414 session->internals.direction = 0;
415
416 /* use out of band data for the last
417 * handshake messages received.
418 */
419 session->internals.last_handshake_in = -1;
420 session->internals.last_handshake_out = -1;
421
422 session->internals.resumable = RESUME_TRUE;
423
424 session->internals.handshake_suspicious_loops = 0;
425 session->internals.dtls.hsk_read_seq = 0;
426 session->internals.dtls.hsk_write_seq = 0;
427
428 session->internals.cand_ec_group = 0;
429 session->internals.cand_dh_group = 0;
430
431 session->internals.hrr_cs[0] = CS_INVALID_MAJOR;
432 session->internals.hrr_cs[1] = CS_INVALID_MINOR;
433 }
434
435 /* This function will clear all the variables in internals
436 * structure within the session, which depend on the current handshake.
437 * This is used to allow further handshakes.
438 */
_gnutls_handshake_internal_state_clear(gnutls_session_t session)439 void _gnutls_handshake_internal_state_clear(gnutls_session_t session)
440 {
441 handshake_internal_state_clear1(session);
442
443 _gnutls_handshake_hash_buffers_clear(session);
444 deinit_keys(session);
445
446 _gnutls_epoch_gc(session);
447
448 session->internals.handshake_abs_timeout.tv_sec = 0;
449 session->internals.handshake_abs_timeout.tv_nsec = 0;
450 session->internals.handshake_in_progress = 0;
451
452 session->internals.tfo.connect_addrlen = 0;
453 session->internals.tfo.connect_only = 0;
454 session->internals.early_data_received = 0;
455 }
456
457 /**
458 * gnutls_init:
459 * @session: is a pointer to a #gnutls_session_t type.
460 * @flags: indicate if this session is to be used for server or client.
461 *
462 * This function initializes the provided session. Every
463 * session must be initialized before use, and must be deinitialized
464 * after used by calling gnutls_deinit().
465 *
466 * @flags can be any combination of flags from %gnutls_init_flags_t.
467 *
468 * Note that since version 3.1.2 this function enables some common
469 * TLS extensions such as session tickets and OCSP certificate status
470 * request in client side by default. To prevent that use the %GNUTLS_NO_EXTENSIONS
471 * flag.
472 *
473 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
474 **/
gnutls_init(gnutls_session_t * session,unsigned int flags)475 int gnutls_init(gnutls_session_t * session, unsigned int flags)
476 {
477 int ret;
478
479 FAIL_IF_LIB_ERROR;
480
481 *session = gnutls_calloc(1, sizeof(struct gnutls_session_int));
482 if (*session == NULL)
483 return GNUTLS_E_MEMORY_ERROR;
484
485 ret = gnutls_mutex_init(&(*session)->internals.post_negotiation_lock);
486 if (ret < 0) {
487 gnutls_assert();
488 gnutls_free(*session);
489 return ret;
490 }
491
492 ret = gnutls_mutex_init(&(*session)->internals.epoch_lock);
493 if (ret < 0) {
494 gnutls_assert();
495 gnutls_mutex_deinit(&(*session)->internals.post_negotiation_lock);
496 gnutls_free(*session);
497 return ret;
498 }
499
500 ret = _gnutls_epoch_setup_next(*session, 1, NULL);
501 if (ret < 0) {
502 gnutls_mutex_deinit(&(*session)->internals.post_negotiation_lock);
503 gnutls_mutex_deinit(&(*session)->internals.epoch_lock);
504 gnutls_free(*session);
505 return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
506 }
507 _gnutls_epoch_bump(*session);
508
509 (*session)->security_parameters.entity =
510 (flags & GNUTLS_SERVER ? GNUTLS_SERVER : GNUTLS_CLIENT);
511
512 /* the default certificate type for TLS */
513 (*session)->security_parameters.client_ctype = DEFAULT_CERT_TYPE;
514 (*session)->security_parameters.server_ctype = DEFAULT_CERT_TYPE;
515
516 /* Initialize buffers */
517 _gnutls_buffer_init(&(*session)->internals.handshake_hash_buffer);
518 _gnutls_buffer_init(&(*session)->internals.post_handshake_hash_buffer);
519 _gnutls_buffer_init(&(*session)->internals.hb_remote_data);
520 _gnutls_buffer_init(&(*session)->internals.hb_local_data);
521 _gnutls_buffer_init(&(*session)->internals.record_presend_buffer);
522 _gnutls_buffer_init(&(*session)->internals.record_key_update_buffer);
523 _gnutls_buffer_init(&(*session)->internals.reauth_buffer);
524
525 _mbuffer_head_init(&(*session)->internals.record_buffer);
526 _mbuffer_head_init(&(*session)->internals.record_send_buffer);
527 _mbuffer_head_init(&(*session)->internals.record_recv_buffer);
528 _mbuffer_head_init(&(*session)->internals.early_data_recv_buffer);
529 _gnutls_buffer_init(&(*session)->internals.early_data_presend_buffer);
530
531 _mbuffer_head_init(&(*session)->internals.handshake_send_buffer);
532 _gnutls_handshake_recv_buffer_init(*session);
533
534 (*session)->internals.expire_time = DEFAULT_EXPIRE_TIME;
535
536 /* Ticket key rotation - set the default X to 3 times the ticket expire time */
537 (*session)->key.totp.last_result = 0;
538
539 gnutls_handshake_set_max_packet_length((*session),
540 MAX_HANDSHAKE_PACKET_SIZE);
541
542 /* set the socket pointers to -1;
543 */
544 (*session)->internals.transport_recv_ptr =
545 (gnutls_transport_ptr_t) - 1;
546 (*session)->internals.transport_send_ptr =
547 (gnutls_transport_ptr_t) - 1;
548
549 /* set the default maximum record size for TLS
550 */
551 (*session)->security_parameters.max_record_recv_size =
552 DEFAULT_MAX_RECORD_SIZE;
553 (*session)->security_parameters.max_record_send_size =
554 DEFAULT_MAX_RECORD_SIZE;
555 (*session)->security_parameters.max_user_record_recv_size =
556 DEFAULT_MAX_RECORD_SIZE;
557 (*session)->security_parameters.max_user_record_send_size =
558 DEFAULT_MAX_RECORD_SIZE;
559
560 /* set the default early data size for TLS
561 */
562 if ((*session)->security_parameters.entity == GNUTLS_SERVER) {
563 (*session)->security_parameters.max_early_data_size =
564 DEFAULT_MAX_EARLY_DATA_SIZE;
565 } else {
566 (*session)->security_parameters.max_early_data_size =
567 UINT32_MAX;
568 }
569
570 /* Everything else not initialized here is initialized as NULL
571 * or 0. This is why calloc is used. However, we want to
572 * ensure that certain portions of data are initialized at
573 * runtime before being used. Mark such regions with a
574 * valgrind client request as undefined.
575 */
576 #ifdef HAVE_VALGRIND_MEMCHECK_H
577 if (RUNNING_ON_VALGRIND) {
578 if (flags & GNUTLS_CLIENT)
579 VALGRIND_MAKE_MEM_UNDEFINED((*session)->security_parameters.client_random,
580 GNUTLS_RANDOM_SIZE);
581 if (flags & GNUTLS_SERVER) {
582 VALGRIND_MAKE_MEM_UNDEFINED((*session)->security_parameters.server_random,
583 GNUTLS_RANDOM_SIZE);
584 VALGRIND_MAKE_MEM_UNDEFINED((*session)->key.session_ticket_key,
585 TICKET_MASTER_KEY_SIZE);
586 }
587 }
588 #endif
589 handshake_internal_state_clear1(*session);
590
591 #ifdef HAVE_WRITEV
592 #ifdef MSG_NOSIGNAL
593 if (flags & GNUTLS_NO_SIGNAL)
594 gnutls_transport_set_vec_push_function(*session, system_writev_nosignal);
595 else
596 #endif
597 gnutls_transport_set_vec_push_function(*session, system_writev);
598 #else
599 gnutls_transport_set_push_function(*session, system_write);
600 #endif
601 (*session)->internals.pull_timeout_func = gnutls_system_recv_timeout;
602 (*session)->internals.pull_func = system_read;
603 (*session)->internals.errno_func = system_errno;
604
605 (*session)->internals.saved_username_size = -1;
606
607 /* heartbeat timeouts */
608 (*session)->internals.hb_retrans_timeout_ms = 1000;
609 (*session)->internals.hb_total_timeout_ms = 60000;
610
611 if (flags & GNUTLS_DATAGRAM) {
612 (*session)->internals.dtls.mtu = DTLS_DEFAULT_MTU;
613 (*session)->internals.transport = GNUTLS_DGRAM;
614
615 gnutls_dtls_set_timeouts(*session, DTLS_RETRANS_TIMEOUT, 60000);
616 } else {
617 (*session)->internals.transport = GNUTLS_STREAM;
618 }
619
620 /* Enable useful extensions */
621 if ((flags & GNUTLS_CLIENT) && !(flags & GNUTLS_NO_EXTENSIONS)) {
622 #ifdef ENABLE_OCSP
623 gnutls_ocsp_status_request_enable_client(*session, NULL, 0,
624 NULL);
625 #endif
626 }
627
628 /* session tickets in server side are enabled by setting a key */
629 if (flags & GNUTLS_SERVER)
630 flags |= GNUTLS_NO_TICKETS;
631
632 (*session)->internals.flags = flags;
633
634 if (_gnutls_disable_tls13 != 0)
635 (*session)->internals.flags |= INT_FLAG_NO_TLS13;
636
637 /* Install the default keylog function */
638 gnutls_session_set_keylog_function(*session, _gnutls_nss_keylog_func);
639
640 return 0;
641 }
642
643 /* returns RESUME_FALSE or RESUME_TRUE.
644 */
_gnutls_session_is_resumable(gnutls_session_t session)645 int _gnutls_session_is_resumable(gnutls_session_t session)
646 {
647 return session->internals.resumable;
648 }
649
650
651 /**
652 * gnutls_deinit:
653 * @session: is a #gnutls_session_t type.
654 *
655 * This function clears all buffers associated with the @session.
656 * This function will also remove session data from the session
657 * database if the session was terminated abnormally.
658 **/
gnutls_deinit(gnutls_session_t session)659 void gnutls_deinit(gnutls_session_t session)
660 {
661 unsigned int i;
662
663 if (session == NULL)
664 return;
665
666 /* remove auth info firstly */
667 _gnutls_free_auth_info(session);
668
669 _gnutls_handshake_internal_state_clear(session);
670 _gnutls_handshake_io_buffer_clear(session);
671 _gnutls_hello_ext_priv_deinit(session);
672
673 for (i = 0; i < MAX_EPOCH_INDEX; i++)
674 if (session->record_parameters[i] != NULL) {
675 _gnutls_epoch_free(session,
676 session->record_parameters[i]);
677 session->record_parameters[i] = NULL;
678 }
679
680 _gnutls_buffer_clear(&session->internals.handshake_hash_buffer);
681 _gnutls_buffer_clear(&session->internals.post_handshake_hash_buffer);
682 _gnutls_buffer_clear(&session->internals.hb_remote_data);
683 _gnutls_buffer_clear(&session->internals.hb_local_data);
684 _gnutls_buffer_clear(&session->internals.record_presend_buffer);
685 _gnutls_buffer_clear(&session->internals.record_key_update_buffer);
686 _gnutls_buffer_clear(&session->internals.reauth_buffer);
687
688 _mbuffer_head_clear(&session->internals.record_buffer);
689 _mbuffer_head_clear(&session->internals.record_recv_buffer);
690 _mbuffer_head_clear(&session->internals.record_send_buffer);
691
692 _mbuffer_head_clear(&session->internals.early_data_recv_buffer);
693 _gnutls_buffer_clear(&session->internals.early_data_presend_buffer);
694
695 _gnutls_free_datum(&session->internals.resumption_data);
696 _gnutls_free_datum(&session->internals.dtls.dcookie);
697
698 for (i = 0; i < session->internals.rexts_size; i++)
699 gnutls_free(session->internals.rexts[i].name);
700 gnutls_free(session->internals.rexts);
701 gnutls_free(session->internals.post_handshake_cr_context.data);
702
703 gnutls_free(session->internals.rsup);
704
705 gnutls_credentials_clear(session);
706 _gnutls_selected_certs_deinit(session);
707
708 /* destroy any session ticket we may have received */
709 _gnutls13_session_ticket_unset(session);
710
711 /* we rely on priorities' internal reference counting */
712 gnutls_priority_deinit(session->internals.priorities);
713
714 /* overwrite any temp TLS1.3 keys */
715 gnutls_memset(&session->key.proto, 0, sizeof(session->key.proto));
716
717 /* clear session ticket keys */
718 gnutls_memset(&session->key.session_ticket_key, 0,
719 TICKET_MASTER_KEY_SIZE);
720 gnutls_memset(&session->key.previous_ticket_key, 0,
721 TICKET_MASTER_KEY_SIZE);
722 gnutls_memset(&session->key.initial_stek, 0,
723 TICKET_MASTER_KEY_SIZE);
724
725 gnutls_mutex_deinit(&session->internals.post_negotiation_lock);
726 gnutls_mutex_deinit(&session->internals.epoch_lock);
727
728 gnutls_free(session);
729 }
730
_gnutls_dh_set_peer_public(gnutls_session_t session,bigint_t public)731 int _gnutls_dh_set_peer_public(gnutls_session_t session, bigint_t public)
732 {
733 dh_info_st *dh;
734 int ret;
735
736 switch (gnutls_auth_get_type(session)) {
737 case GNUTLS_CRD_ANON:
738 {
739 anon_auth_info_t info;
740 info = _gnutls_get_auth_info(session, GNUTLS_CRD_ANON);
741 if (info == NULL)
742 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
743
744 dh = &info->dh;
745 break;
746 }
747 case GNUTLS_CRD_PSK:
748 {
749 psk_auth_info_t info;
750 info = _gnutls_get_auth_info(session, GNUTLS_CRD_PSK);
751 if (info == NULL)
752 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
753
754 dh = &info->dh;
755 break;
756 }
757 case GNUTLS_CRD_CERTIFICATE:
758 {
759 cert_auth_info_t info;
760
761 info = _gnutls_get_auth_info(session, GNUTLS_CRD_CERTIFICATE);
762 if (info == NULL)
763 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
764
765 dh = &info->dh;
766 break;
767 }
768 default:
769 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
770 }
771
772 if (dh->public_key.data)
773 _gnutls_free_datum(&dh->public_key);
774
775 ret = _gnutls_mpi_dprint_lz(public, &dh->public_key);
776 if (ret < 0) {
777 gnutls_assert();
778 return ret;
779 }
780
781 return 0;
782 }
783
_gnutls_dh_set_secret_bits(gnutls_session_t session,unsigned bits)784 int _gnutls_dh_set_secret_bits(gnutls_session_t session, unsigned bits)
785 {
786 switch (gnutls_auth_get_type(session)) {
787 case GNUTLS_CRD_ANON:
788 {
789 anon_auth_info_t info;
790 info = _gnutls_get_auth_info(session, GNUTLS_CRD_ANON);
791 if (info == NULL)
792 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
793 info->dh.secret_bits = bits;
794 break;
795 }
796 case GNUTLS_CRD_PSK:
797 {
798 psk_auth_info_t info;
799 info = _gnutls_get_auth_info(session, GNUTLS_CRD_PSK);
800 if (info == NULL)
801 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
802 info->dh.secret_bits = bits;
803 break;
804 }
805 case GNUTLS_CRD_CERTIFICATE:
806 {
807 cert_auth_info_t info;
808
809 info = _gnutls_get_auth_info(session, GNUTLS_CRD_CERTIFICATE);
810 if (info == NULL)
811 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
812
813 info->dh.secret_bits = bits;
814 break;
815 default:
816 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
817 }
818 }
819
820 return 0;
821 }
822
823 /* Sets the prime and the generator in the auth info structure.
824 */
825 int
_gnutls_dh_save_group(gnutls_session_t session,bigint_t gen,bigint_t prime)826 _gnutls_dh_save_group(gnutls_session_t session, bigint_t gen,
827 bigint_t prime)
828 {
829 dh_info_st *dh;
830 int ret;
831
832 switch (gnutls_auth_get_type(session)) {
833 case GNUTLS_CRD_ANON:
834 {
835 anon_auth_info_t info;
836 info = _gnutls_get_auth_info(session, GNUTLS_CRD_ANON);
837 if (info == NULL)
838 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
839
840 dh = &info->dh;
841 break;
842 }
843 case GNUTLS_CRD_PSK:
844 {
845 psk_auth_info_t info;
846 info = _gnutls_get_auth_info(session, GNUTLS_CRD_PSK);
847 if (info == NULL)
848 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
849
850 dh = &info->dh;
851 break;
852 }
853 case GNUTLS_CRD_CERTIFICATE:
854 {
855 cert_auth_info_t info;
856
857 info = _gnutls_get_auth_info(session, GNUTLS_CRD_CERTIFICATE);
858 if (info == NULL)
859 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
860
861 dh = &info->dh;
862 break;
863 }
864 default:
865 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
866 }
867
868 if (dh->prime.data)
869 _gnutls_free_datum(&dh->prime);
870
871 if (dh->generator.data)
872 _gnutls_free_datum(&dh->generator);
873
874 /* prime
875 */
876 ret = _gnutls_mpi_dprint_lz(prime, &dh->prime);
877 if (ret < 0) {
878 gnutls_assert();
879 return ret;
880 }
881
882 /* generator
883 */
884 ret = _gnutls_mpi_dprint_lz(gen, &dh->generator);
885 if (ret < 0) {
886 gnutls_assert();
887 _gnutls_free_datum(&dh->prime);
888 return ret;
889 }
890
891 return 0;
892 }
893
894 /**
895 * gnutls_certificate_send_x509_rdn_sequence:
896 * @session: a #gnutls_session_t type.
897 * @status: is 0 or 1
898 *
899 * If status is non zero, this function will order gnutls not to send
900 * the rdnSequence in the certificate request message. That is the
901 * server will not advertise its trusted CAs to the peer. If status
902 * is zero then the default behaviour will take effect, which is to
903 * advertise the server's trusted CAs.
904 *
905 * This function has no effect in clients, and in authentication
906 * methods other than certificate with X.509 certificates.
907 **/
908 void
gnutls_certificate_send_x509_rdn_sequence(gnutls_session_t session,int status)909 gnutls_certificate_send_x509_rdn_sequence(gnutls_session_t session,
910 int status)
911 {
912 session->internals.ignore_rdn_sequence = status;
913 }
914
915 /*-
916 * _gnutls_record_set_default_version - Used to set the default version for the first record packet
917 * @session: is a #gnutls_session_t type.
918 * @major: is a tls major version
919 * @minor: is a tls minor version
920 *
921 * This function sets the default version that we will use in the first
922 * record packet (client hello). This function is only useful to people
923 * that know TLS internals and want to debug other implementations.
924 -*/
925 void
_gnutls_record_set_default_version(gnutls_session_t session,unsigned char major,unsigned char minor)926 _gnutls_record_set_default_version(gnutls_session_t session,
927 unsigned char major,
928 unsigned char minor)
929 {
930 session->internals.default_record_version[0] = major;
931 session->internals.default_record_version[1] = minor;
932 }
933
934 /*-
935 * _gnutls_hello_set_default_version - Used to set the default version for the first record packet
936 * @session: is a #gnutls_session_t type.
937 * @major: is a tls major version
938 * @minor: is a tls minor version
939 *
940 * This function sets the default version that we will use in the first
941 * record packet (client hello). This function is only useful to people
942 * that know TLS internals and want to debug other implementations.
943 -*/
944 void
_gnutls_hello_set_default_version(gnutls_session_t session,unsigned char major,unsigned char minor)945 _gnutls_hello_set_default_version(gnutls_session_t session,
946 unsigned char major,
947 unsigned char minor)
948 {
949 session->internals.default_hello_version[0] = major;
950 session->internals.default_hello_version[1] = minor;
951 }
952
953 /**
954 * gnutls_handshake_set_private_extensions:
955 * @session: is a #gnutls_session_t type.
956 * @allow: is an integer (0 or 1)
957 *
958 * This function will enable or disable the use of private cipher
959 * suites (the ones that start with 0xFF). By default or if @allow
960 * is 0 then these cipher suites will not be advertised nor used.
961 *
962 * Currently GnuTLS does not include such cipher-suites or
963 * compression algorithms.
964 *
965 * Enabling the private ciphersuites when talking to other than
966 * gnutls servers and clients may cause interoperability problems.
967 **/
968 void
gnutls_handshake_set_private_extensions(gnutls_session_t session,int allow)969 gnutls_handshake_set_private_extensions(gnutls_session_t session,
970 int allow)
971 {
972 /* we have no private extensions */
973 return;
974 }
975
976
977 /**
978 * gnutls_session_is_resumed:
979 * @session: is a #gnutls_session_t type.
980 *
981 * Checks whether session is resumed or not. This is functional
982 * for both server and client side.
983 *
984 * Returns: non zero if this session is resumed, or a zero if this is
985 * a new session.
986 **/
gnutls_session_is_resumed(gnutls_session_t session)987 int gnutls_session_is_resumed(gnutls_session_t session)
988 {
989 if (session->security_parameters.entity == GNUTLS_CLIENT) {
990 const version_entry_st *ver = get_version(session);
991 if (ver && ver->tls13_sem &&
992 session->internals.resumed != RESUME_FALSE)
993 return 1;
994
995 if (session->security_parameters.session_id_size > 0 &&
996 session->security_parameters.session_id_size ==
997 session->internals.resumed_security_parameters.
998 session_id_size
999 && memcmp(session->security_parameters.session_id,
1000 session->
1001 internals.resumed_security_parameters.
1002 session_id,
1003 session->security_parameters.
1004 session_id_size) == 0)
1005 return 1;
1006 } else {
1007 if (session->internals.resumed != RESUME_FALSE)
1008 return 1;
1009 }
1010
1011 return 0;
1012 }
1013
1014 /**
1015 * gnutls_session_resumption_requested:
1016 * @session: is a #gnutls_session_t type.
1017 *
1018 * Check whether the client has asked for session resumption.
1019 * This function is valid only on server side.
1020 *
1021 * Returns: non zero if session resumption was asked, or a zero if not.
1022 **/
gnutls_session_resumption_requested(gnutls_session_t session)1023 int gnutls_session_resumption_requested(gnutls_session_t session)
1024 {
1025 if (session->security_parameters.entity == GNUTLS_CLIENT) {
1026 return 0;
1027 } else {
1028 return session->internals.resumption_requested;
1029 }
1030 }
1031
1032 /*-
1033 * _gnutls_session_is_psk - Used to check whether this session uses PSK kx
1034 * @session: is a #gnutls_session_t type.
1035 *
1036 * This function will return non zero if this session uses a PSK key
1037 * exchange algorithm.
1038 -*/
_gnutls_session_is_psk(gnutls_session_t session)1039 int _gnutls_session_is_psk(gnutls_session_t session)
1040 {
1041 gnutls_kx_algorithm_t kx;
1042
1043 kx = session->security_parameters.cs->kx_algorithm;
1044 if (kx == GNUTLS_KX_PSK || kx == GNUTLS_KX_DHE_PSK
1045 || kx == GNUTLS_KX_RSA_PSK)
1046 return 1;
1047
1048 return 0;
1049 }
1050
1051 /*-
1052 * _gnutls_session_is_ecc - Used to check whether this session uses ECC kx
1053 * @session: is a #gnutls_session_t type.
1054 *
1055 * This function will return non zero if this session uses an elliptic
1056 * curves key exchange exchange algorithm.
1057 -*/
_gnutls_session_is_ecc(gnutls_session_t session)1058 int _gnutls_session_is_ecc(gnutls_session_t session)
1059 {
1060 gnutls_kx_algorithm_t kx;
1061
1062 /* We get the key exchange algorithm through the ciphersuite because
1063 * the negotiated key exchange might not have been set yet.
1064 */
1065 kx = session->security_parameters.cs->kx_algorithm;
1066
1067 return _gnutls_kx_is_ecc(kx);
1068 }
1069
1070 /**
1071 * gnutls_session_get_ptr:
1072 * @session: is a #gnutls_session_t type.
1073 *
1074 * Get user pointer for session. Useful in callbacks. This is the
1075 * pointer set with gnutls_session_set_ptr().
1076 *
1077 * Returns: the user given pointer from the session structure, or
1078 * %NULL if it was never set.
1079 **/
gnutls_session_get_ptr(gnutls_session_t session)1080 void *gnutls_session_get_ptr(gnutls_session_t session)
1081 {
1082 return session->internals.user_ptr;
1083 }
1084
1085 /**
1086 * gnutls_session_set_ptr:
1087 * @session: is a #gnutls_session_t type.
1088 * @ptr: is the user pointer
1089 *
1090 * This function will set (associate) the user given pointer @ptr to
1091 * the session structure. This pointer can be accessed with
1092 * gnutls_session_get_ptr().
1093 **/
gnutls_session_set_ptr(gnutls_session_t session,void * ptr)1094 void gnutls_session_set_ptr(gnutls_session_t session, void *ptr)
1095 {
1096 session->internals.user_ptr = ptr;
1097 }
1098
1099 /**
1100 * gnutls_session_set_verify_function:
1101 * @session: is a #gnutls_session_t type.
1102 * @func: is the callback function
1103 *
1104 * This function sets a callback to be called when peer's certificate
1105 * has been received in order to verify it on receipt rather than
1106 * doing after the handshake is completed. This overrides any callback
1107 * set using gnutls_certificate_set_verify_function().
1108 *
1109 * The callback's function prototype is:
1110 * int (*callback)(gnutls_session_t);
1111 *
1112 * If the callback function is provided then gnutls will call it, in the
1113 * handshake, just after the certificate message has been received.
1114 * To verify or obtain the certificate the gnutls_certificate_verify_peers2(),
1115 * gnutls_certificate_type_get(), gnutls_certificate_get_peers() functions
1116 * can be used.
1117 *
1118 * The callback function should return 0 for the handshake to continue
1119 * or non-zero to terminate.
1120 *
1121 * Since: 3.4.6
1122 **/
1123 void
gnutls_session_set_verify_function(gnutls_session_t session,gnutls_certificate_verify_function * func)1124 gnutls_session_set_verify_function
1125 (gnutls_session_t session,
1126 gnutls_certificate_verify_function * func)
1127 {
1128 session->internals.verify_callback = func;
1129 }
1130
1131 /**
1132 * gnutls_record_get_direction:
1133 * @session: is a #gnutls_session_t type.
1134 *
1135 * This function is useful to determine whether a GnuTLS function was interrupted
1136 * while sending or receiving, so that select() or poll() may be called appropriately.
1137 *
1138 * It provides information about the internals of the record
1139 * protocol and is only useful if a prior gnutls function call,
1140 * e.g. gnutls_handshake(), was interrupted and returned
1141 * %GNUTLS_E_INTERRUPTED or %GNUTLS_E_AGAIN. After such an interrupt
1142 * applications may call select() or poll() before restoring the
1143 * interrupted GnuTLS function.
1144 *
1145 * This function's output is unreliable if you are using the same
1146 * @session in different threads for sending and receiving.
1147 *
1148 * Returns: 0 if interrupted while trying to read data, or 1 while trying to write data.
1149 **/
gnutls_record_get_direction(gnutls_session_t session)1150 int gnutls_record_get_direction(gnutls_session_t session)
1151 {
1152 return session->internals.direction;
1153 }
1154
1155 /*-
1156 * _gnutls_rsa_pms_set_version - Sets a version to be used at the RSA PMS
1157 * @session: is a #gnutls_session_t type.
1158 * @major: is the major version to use
1159 * @minor: is the minor version to use
1160 *
1161 * This function will set the given version number to be used at the
1162 * RSA PMS secret. This is only useful to clients, which want to
1163 * test server's capabilities.
1164 -*/
1165 void
_gnutls_rsa_pms_set_version(gnutls_session_t session,unsigned char major,unsigned char minor)1166 _gnutls_rsa_pms_set_version(gnutls_session_t session,
1167 unsigned char major, unsigned char minor)
1168 {
1169 session->internals.rsa_pms_version[0] = major;
1170 session->internals.rsa_pms_version[1] = minor;
1171 }
1172
_gnutls_session_client_cert_type_set(gnutls_session_t session,gnutls_certificate_type_t ct)1173 void _gnutls_session_client_cert_type_set(gnutls_session_t session,
1174 gnutls_certificate_type_t ct)
1175 {
1176 _gnutls_handshake_log
1177 ("HSK[%p]: Selected client certificate type %s (%d)\n", session,
1178 gnutls_certificate_type_get_name(ct), ct);
1179 session->security_parameters.client_ctype = ct;
1180 }
1181
_gnutls_session_server_cert_type_set(gnutls_session_t session,gnutls_certificate_type_t ct)1182 void _gnutls_session_server_cert_type_set(gnutls_session_t session,
1183 gnutls_certificate_type_t ct)
1184 {
1185 _gnutls_handshake_log
1186 ("HSK[%p]: Selected server certificate type %s (%d)\n", session,
1187 gnutls_certificate_type_get_name(ct), ct);
1188 session->security_parameters.server_ctype = ct;
1189 }
1190
1191 /**
1192 * gnutls_handshake_set_post_client_hello_function:
1193 * @session: is a #gnutls_session_t type.
1194 * @func: is the function to be called
1195 *
1196 * This function will set a callback to be called after the client
1197 * hello has been received (callback valid in server side only). This
1198 * allows the server to adjust settings based on received extensions.
1199 *
1200 * Those settings could be ciphersuites, requesting certificate, or
1201 * anything else except for version negotiation (this is done before
1202 * the hello message is parsed).
1203 *
1204 * This callback must return 0 on success or a gnutls error code to
1205 * terminate the handshake.
1206 *
1207 * Since GnuTLS 3.3.5 the callback is
1208 * allowed to return %GNUTLS_E_AGAIN or %GNUTLS_E_INTERRUPTED to
1209 * put the handshake on hold. In that case gnutls_handshake()
1210 * will return %GNUTLS_E_INTERRUPTED and can be resumed when needed.
1211 *
1212 * Warning: You should not use this function to terminate the
1213 * handshake based on client input unless you know what you are
1214 * doing. Before the handshake is finished there is no way to know if
1215 * there is a man-in-the-middle attack being performed.
1216 **/
1217 void
gnutls_handshake_set_post_client_hello_function(gnutls_session_t session,gnutls_handshake_simple_hook_func func)1218 gnutls_handshake_set_post_client_hello_function(gnutls_session_t session,
1219 gnutls_handshake_simple_hook_func func)
1220 {
1221 session->internals.user_hello_func = func;
1222 }
1223
1224
1225 /**
1226 * gnutls_session_enable_compatibility_mode:
1227 * @session: is a #gnutls_session_t type.
1228 *
1229 * This function can be used to disable certain (security) features in
1230 * TLS in order to maintain maximum compatibility with buggy
1231 * clients. Because several trade-offs with security are enabled,
1232 * if required they will be reported through the audit subsystem.
1233 *
1234 * Normally only servers that require maximum compatibility with
1235 * everything out there, need to call this function.
1236 *
1237 * Note that this function must be called after any call to gnutls_priority
1238 * functions.
1239 *
1240 * Since: 2.1.4
1241 **/
gnutls_session_enable_compatibility_mode(gnutls_session_t session)1242 void gnutls_session_enable_compatibility_mode(gnutls_session_t session)
1243 {
1244 ENABLE_COMPAT(&session->internals);
1245 }
1246
1247 /**
1248 * gnutls_session_channel_binding:
1249 * @session: is a #gnutls_session_t type.
1250 * @cbtype: an #gnutls_channel_binding_t enumeration type
1251 * @cb: output buffer array with data
1252 *
1253 * Extract given channel binding data of the @cbtype (e.g.,
1254 * %GNUTLS_CB_TLS_UNIQUE) type.
1255 *
1256 * Returns: %GNUTLS_E_SUCCESS on success,
1257 * %GNUTLS_E_UNIMPLEMENTED_FEATURE if the @cbtype is unsupported,
1258 * %GNUTLS_E_CHANNEL_BINDING_NOT_AVAILABLE if the data is not
1259 * currently available, or an error code.
1260 *
1261 * Since: 2.12.0
1262 **/
1263 int
gnutls_session_channel_binding(gnutls_session_t session,gnutls_channel_binding_t cbtype,gnutls_datum_t * cb)1264 gnutls_session_channel_binding(gnutls_session_t session,
1265 gnutls_channel_binding_t cbtype,
1266 gnutls_datum_t * cb)
1267 {
1268 if (cbtype != GNUTLS_CB_TLS_UNIQUE)
1269 return GNUTLS_E_UNIMPLEMENTED_FEATURE;
1270
1271 if (!session->internals.initial_negotiation_completed)
1272 return GNUTLS_E_CHANNEL_BINDING_NOT_AVAILABLE;
1273
1274 cb->size = session->internals.cb_tls_unique_len;
1275 cb->data = gnutls_malloc(cb->size);
1276 if (cb->data == NULL)
1277 return GNUTLS_E_MEMORY_ERROR;
1278
1279 memcpy(cb->data, session->internals.cb_tls_unique, cb->size);
1280
1281 return 0;
1282 }
1283
1284 /**
1285 * gnutls_ecc_curve_get:
1286 * @session: is a #gnutls_session_t type.
1287 *
1288 * Returns the currently used elliptic curve for key exchange. Only valid
1289 * when using an elliptic curve ciphersuite.
1290 *
1291 * Returns: the currently used curve, a #gnutls_ecc_curve_t
1292 * type.
1293 *
1294 * Since: 3.0
1295 **/
gnutls_ecc_curve_get(gnutls_session_t session)1296 gnutls_ecc_curve_t gnutls_ecc_curve_get(gnutls_session_t session)
1297 {
1298 const gnutls_group_entry_st *e;
1299
1300 e = get_group(session);
1301 if (e == NULL || e->curve == 0)
1302 return 0;
1303 return e->curve;
1304 }
1305
1306 /**
1307 * gnutls_group_get:
1308 * @session: is a #gnutls_session_t type.
1309 *
1310 * Returns the currently used group for key exchange. Only valid
1311 * when using an elliptic curve or DH ciphersuite.
1312 *
1313 * Returns: the currently used group, a #gnutls_group_t
1314 * type.
1315 *
1316 * Since: 3.6.0
1317 **/
gnutls_group_get(gnutls_session_t session)1318 gnutls_group_t gnutls_group_get(gnutls_session_t session)
1319 {
1320 const gnutls_group_entry_st *e;
1321
1322 e = get_group(session);
1323 if (e == NULL)
1324 return 0;
1325 return e->id;
1326 }
1327
1328 /**
1329 * gnutls_protocol_get_version:
1330 * @session: is a #gnutls_session_t type.
1331 *
1332 * Get TLS version, a #gnutls_protocol_t value.
1333 *
1334 * Returns: The version of the currently used protocol.
1335 **/
gnutls_protocol_get_version(gnutls_session_t session)1336 gnutls_protocol_t gnutls_protocol_get_version(gnutls_session_t session)
1337 {
1338 return get_num_version(session);
1339 }
1340
1341 /**
1342 * gnutls_session_get_random:
1343 * @session: is a #gnutls_session_t type.
1344 * @client: the client part of the random
1345 * @server: the server part of the random
1346 *
1347 * This function returns pointers to the client and server
1348 * random fields used in the TLS handshake. The pointers are
1349 * not to be modified or deallocated.
1350 *
1351 * If a client random value has not yet been established, the output
1352 * will be garbage.
1353 *
1354 * Since: 3.0
1355 **/
1356 void
gnutls_session_get_random(gnutls_session_t session,gnutls_datum_t * client,gnutls_datum_t * server)1357 gnutls_session_get_random(gnutls_session_t session,
1358 gnutls_datum_t * client, gnutls_datum_t * server)
1359 {
1360 if (client) {
1361 client->data = session->security_parameters.client_random;
1362 client->size =
1363 sizeof(session->security_parameters.client_random);
1364 }
1365
1366 if (server) {
1367 server->data = session->security_parameters.server_random;
1368 server->size =
1369 sizeof(session->security_parameters.server_random);
1370 }
1371 }
1372
1373 /**
1374 * gnutls_session_get_master_secret:
1375 * @session: is a #gnutls_session_t type.
1376 * @secret: the session's master secret
1377 *
1378 * This function returns pointers to the master secret
1379 * used in the TLS session. The pointers are not to be modified or deallocated.
1380 *
1381 * This function is only applicable under TLS 1.2 or earlier versions.
1382 *
1383 * Since: 3.5.0
1384 **/
1385 void
gnutls_session_get_master_secret(gnutls_session_t session,gnutls_datum_t * secret)1386 gnutls_session_get_master_secret(gnutls_session_t session, gnutls_datum_t *secret)
1387 {
1388 secret->data = session->security_parameters.master_secret;
1389 secret->size = sizeof(session->security_parameters.master_secret);
1390 }
1391
timespec_sub_ms(struct timespec * a,struct timespec * b)1392 unsigned int timespec_sub_ms(struct timespec *a, struct timespec *b)
1393 {
1394 time_t dsecs;
1395
1396 dsecs = a->tv_sec - b->tv_sec;
1397 if (!INT_MULTIPLY_OVERFLOW(dsecs, 1000)) {
1398 return (dsecs*1000 + (a->tv_nsec - b->tv_nsec) / (1000 * 1000));
1399 } else {
1400 return UINT_MAX;
1401 }
1402 }
1403
1404 /**
1405 * gnutls_handshake_set_random:
1406 * @session: is a #gnutls_session_t type.
1407 * @random: a random value of 32-bytes
1408 *
1409 * This function will explicitly set the server or client hello
1410 * random value in the subsequent TLS handshake. The random value
1411 * should be a 32-byte value.
1412 *
1413 * Note that this function should not normally be used as gnutls
1414 * will select automatically a random value for the handshake.
1415 *
1416 * This function should not be used when resuming a session.
1417 *
1418 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
1419 *
1420 * Since 3.1.9
1421 **/
1422 int
gnutls_handshake_set_random(gnutls_session_t session,const gnutls_datum_t * random)1423 gnutls_handshake_set_random(gnutls_session_t session,
1424 const gnutls_datum_t * random)
1425 {
1426 if (random->size != GNUTLS_RANDOM_SIZE)
1427 return GNUTLS_E_INVALID_REQUEST;
1428
1429 session->internals.sc_random_set = 1;
1430 if (session->security_parameters.entity == GNUTLS_CLIENT)
1431 memcpy(session->internals.resumed_security_parameters.
1432 client_random, random->data, random->size);
1433 else
1434 memcpy(session->internals.resumed_security_parameters.
1435 server_random, random->data, random->size);
1436
1437 return 0;
1438 }
1439
1440 /**
1441 * gnutls_handshake_set_hook_function:
1442 * @session: is a #gnutls_session_t type
1443 * @htype: the %gnutls_handshake_description_t of the message to hook at
1444 * @when: %GNUTLS_HOOK_* depending on when the hook function should be called
1445 * @func: is the function to be called
1446 *
1447 * This function will set a callback to be called after or before the specified
1448 * handshake message has been received or generated. This is a
1449 * generalization of gnutls_handshake_set_post_client_hello_function().
1450 *
1451 * To call the hook function prior to the message being generated or processed
1452 * use %GNUTLS_HOOK_PRE as @when parameter, %GNUTLS_HOOK_POST to call
1453 * after, and %GNUTLS_HOOK_BOTH for both cases.
1454 *
1455 * This callback must return 0 on success or a gnutls error code to
1456 * terminate the handshake.
1457 *
1458 * To hook at all handshake messages use an @htype of %GNUTLS_HANDSHAKE_ANY.
1459 *
1460 * Warning: You should not use this function to terminate the
1461 * handshake based on client input unless you know what you are
1462 * doing. Before the handshake is finished there is no way to know if
1463 * there is a man-in-the-middle attack being performed.
1464 **/
1465 void
gnutls_handshake_set_hook_function(gnutls_session_t session,unsigned int htype,int when,gnutls_handshake_hook_func func)1466 gnutls_handshake_set_hook_function(gnutls_session_t session,
1467 unsigned int htype,
1468 int when,
1469 gnutls_handshake_hook_func func)
1470 {
1471 session->internals.h_hook = func;
1472 session->internals.h_type = htype;
1473 session->internals.h_post = when;
1474 }
1475
1476 /**
1477 * gnutls_record_get_state:
1478 * @session: is a #gnutls_session_t type
1479 * @read: if non-zero the read parameters are returned, otherwise the write
1480 * @mac_key: the key used for MAC (if a MAC is used)
1481 * @IV: the initialization vector or nonce used
1482 * @cipher_key: the cipher key
1483 * @seq_number: A 64-bit sequence number
1484 *
1485 * This function will return the parameters of the current record state.
1486 * These are only useful to be provided to an external off-loading device
1487 * or subsystem. The returned values should be considered constant
1488 * and valid for the lifetime of the session.
1489 *
1490 * In that case, to sync the state back you must call gnutls_record_set_state().
1491 *
1492 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
1493 *
1494 * Since 3.4.0
1495 **/
1496 int
gnutls_record_get_state(gnutls_session_t session,unsigned read,gnutls_datum_t * mac_key,gnutls_datum_t * IV,gnutls_datum_t * cipher_key,unsigned char seq_number[8])1497 gnutls_record_get_state(gnutls_session_t session,
1498 unsigned read,
1499 gnutls_datum_t *mac_key,
1500 gnutls_datum_t *IV,
1501 gnutls_datum_t *cipher_key,
1502 unsigned char seq_number[8])
1503 {
1504 record_parameters_st *record_params;
1505 record_state_st *record_state;
1506 unsigned int epoch;
1507 int ret;
1508
1509 if (read)
1510 epoch = EPOCH_READ_CURRENT;
1511 else
1512 epoch = EPOCH_WRITE_CURRENT;
1513
1514 ret = _gnutls_epoch_get(session, epoch, &record_params);
1515 if (ret < 0)
1516 return gnutls_assert_val(ret);
1517
1518 if (!record_params->initialized)
1519 return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
1520
1521 if (read)
1522 record_state = &record_params->read;
1523 else
1524 record_state = &record_params->write;
1525
1526 if (mac_key) {
1527 mac_key->data = record_state->mac_key;
1528 mac_key->size = record_state->mac_key_size;
1529 }
1530
1531 if (IV) {
1532 IV->data = record_state->iv;
1533 IV->size = record_state->iv_size;
1534 }
1535
1536 if (cipher_key) {
1537 cipher_key->data = record_state->key;
1538 cipher_key->size = record_state->key_size;
1539 }
1540
1541 if (seq_number)
1542 _gnutls_write_uint64(record_state->sequence_number, seq_number);
1543 return 0;
1544 }
1545
1546 /**
1547 * gnutls_record_set_state:
1548 * @session: is a #gnutls_session_t type
1549 * @read: if non-zero the read parameters are returned, otherwise the write
1550 * @seq_number: A 64-bit sequence number
1551 *
1552 * This function will set the sequence number in the current record state.
1553 * This function is useful if sending and receiving are offloaded from
1554 * gnutls. That is, if gnutls_record_get_state() was used.
1555 *
1556 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
1557 *
1558 * Since 3.4.0
1559 **/
1560 int
gnutls_record_set_state(gnutls_session_t session,unsigned read,const unsigned char seq_number[8])1561 gnutls_record_set_state(gnutls_session_t session,
1562 unsigned read,
1563 const unsigned char seq_number[8])
1564 {
1565 record_parameters_st *record_params;
1566 record_state_st *record_state;
1567 int epoch, ret;
1568
1569 if (read)
1570 epoch = EPOCH_READ_CURRENT;
1571 else
1572 epoch = EPOCH_WRITE_CURRENT;
1573
1574 ret = _gnutls_epoch_get(session, epoch, &record_params);
1575 if (ret < 0)
1576 return gnutls_assert_val(ret);
1577
1578 if (!record_params->initialized)
1579 return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
1580
1581 if (read)
1582 record_state = &record_params->read;
1583 else
1584 record_state = &record_params->write;
1585
1586 record_state->sequence_number = _gnutls_read_uint64(seq_number);
1587
1588 if (IS_DTLS(session)) {
1589 _dtls_reset_window(record_params);
1590 }
1591
1592 return 0;
1593 }
1594
1595 /**
1596 * gnutls_session_get_flags:
1597 * @session: is a #gnutls_session_t type.
1598 *
1599 * This function will return a series (ORed) of flags, applicable
1600 * for the current session.
1601 *
1602 * This replaces individual informational functions such as
1603 * gnutls_safe_renegotiation_status(), gnutls_session_ext_master_secret_status(),
1604 * etc.
1605 *
1606 * Returns: An ORed sequence of flags (see %gnutls_session_flags_t)
1607 *
1608 * Since: 3.5.0
1609 **/
gnutls_session_get_flags(gnutls_session_t session)1610 unsigned gnutls_session_get_flags(gnutls_session_t session)
1611 {
1612 unsigned flags = 0;
1613
1614 if (gnutls_safe_renegotiation_status(session))
1615 flags |= GNUTLS_SFLAGS_SAFE_RENEGOTIATION;
1616 if (gnutls_session_ext_master_secret_status(session))
1617 flags |= GNUTLS_SFLAGS_EXT_MASTER_SECRET;
1618 if (gnutls_session_etm_status(session))
1619 flags |= GNUTLS_SFLAGS_ETM;
1620 if (gnutls_heartbeat_allowed(session, GNUTLS_HB_LOCAL_ALLOWED_TO_SEND))
1621 flags |= GNUTLS_SFLAGS_HB_LOCAL_SEND;
1622 if (gnutls_heartbeat_allowed(session, GNUTLS_HB_PEER_ALLOWED_TO_SEND))
1623 flags |= GNUTLS_SFLAGS_HB_PEER_SEND;
1624 if (session->internals.hsk_flags & HSK_FALSE_START_USED)
1625 flags |= GNUTLS_SFLAGS_FALSE_START;
1626 if ((session->internals.hsk_flags & HSK_EARLY_START_USED) &&
1627 (session->internals.flags & GNUTLS_ENABLE_EARLY_START))
1628 flags |= GNUTLS_SFLAGS_EARLY_START;
1629 if (session->internals.hsk_flags & HSK_USED_FFDHE)
1630 flags |= GNUTLS_SFLAGS_RFC7919;
1631 if (session->internals.hsk_flags & HSK_TICKET_RECEIVED)
1632 flags |= GNUTLS_SFLAGS_SESSION_TICKET;
1633 if (session->security_parameters.post_handshake_auth)
1634 flags |= GNUTLS_SFLAGS_POST_HANDSHAKE_AUTH;
1635 if (session->internals.hsk_flags & HSK_EARLY_DATA_ACCEPTED)
1636 flags |= GNUTLS_SFLAGS_EARLY_DATA;
1637 if (session->internals.hsk_flags & HSK_OCSP_REQUESTED)
1638 flags |= GNUTLS_SFLAGS_CLI_REQUESTED_OCSP;
1639 if (session->internals.hsk_flags & HSK_CLIENT_OCSP_REQUESTED)
1640 flags |= GNUTLS_SFLAGS_SERV_REQUESTED_OCSP;
1641
1642 return flags;
1643 }
1644