LCOV - code coverage report
Current view: top level - builds/gnutls/coverage/gnutls-git/lib - gnutls_int.h (source / functions) Hit Total Coverage
Test: GnuTLS-3.6.14 Code Coverage Lines: 37 38 97.4 %
Date: 2020-10-30 04:50:48 Functions: 1 1 100.0 %
Legend: Lines: hit not hit

          Line data    Source code
       1             : /*
       2             :  * Copyright (C) 2000-2016 Free Software Foundation, Inc.
       3             :  * Copyright (C) 2015-2018 Red Hat, Inc.
       4             :  *
       5             :  * Author: Nikos Mavrogiannopoulos
       6             :  *
       7             :  * This file is part of GnuTLS.
       8             :  *
       9             :  * The GnuTLS is free software; you can redistribute it and/or
      10             :  * modify it under the terms of the GNU Lesser General Public License
      11             :  * as published by the Free Software Foundation; either version 2.1 of
      12             :  * the License, or (at your option) any later version.
      13             :  *
      14             :  * This library is distributed in the hope that it will be useful, but
      15             :  * WITHOUT ANY WARRANTY; without even the implied warranty of
      16             :  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
      17             :  * Lesser General Public License for more details.
      18             :  *
      19             :  * You should have received a copy of the GNU Lesser General Public License
      20             :  * along with this program.  If not, see <https://www.gnu.org/licenses/>
      21             :  *
      22             :  */
      23             : 
      24             : #ifndef GNUTLS_LIB_GNUTLS_INT_H
      25             : #define GNUTLS_LIB_GNUTLS_INT_H
      26             : 
      27             : #ifdef HAVE_CONFIG_H
      28             : #include <config.h>
      29             : #endif
      30             : 
      31             : #include <stddef.h>
      32             : #include <string.h>
      33             : #include <stdlib.h>
      34             : #include <stdio.h>
      35             : #include <ctype.h>
      36             : #include <limits.h>
      37             : #include <stdint.h>
      38             : #include <stdbool.h>
      39             : #include <assert.h>
      40             : 
      41             : #ifdef NO_SSIZE_T
      42             : #define HAVE_SSIZE_T
      43             : typedef int ssize_t;
      44             : #endif
      45             : 
      46             : #include <sys/types.h>
      47             : #include <unistd.h>
      48             : #include <sys/stat.h>
      49             : #if HAVE_SYS_SOCKET_H
      50             : #include <sys/socket.h>
      51             : #elif HAVE_WS2TCPIP_H
      52             : #include <ws2tcpip.h>
      53             : #endif
      54             : #include <time.h>
      55             : 
      56             : #include <nettle/memxor.h>
      57             : 
      58             : #include "attribute.h"
      59             : 
      60             : #define ENABLE_ALIGN16
      61             : 
      62             : #ifdef __clang_major
      63             : # define _GNUTLS_CLANG_VERSION (__clang_major__ * 10000 + __clang_minor__ * 100 + __clang_patchlevel__)
      64             : #else
      65             : # define _GNUTLS_CLANG_VERSION 0
      66             : #endif
      67             : 
      68             : /* clang also defines __GNUC__. It promotes a GCC version of 4.2.1. */
      69             : #ifdef __GNUC__
      70             : # define _GNUTLS_GCC_VERSION (__GNUC__ * 10000 + __GNUC_MINOR__ * 100 + __GNUC_PATCHLEVEL__)
      71             : #endif
      72             : 
      73             : #if _GNUTLS_GCC_VERSION >= 30100
      74             : # define likely(x)      __builtin_expect((x), 1)
      75             : # define unlikely(x)    __builtin_expect((x), 0)
      76             : #else
      77             : # define likely
      78             : # define unlikely
      79             : #endif
      80             : 
      81             : #include <gnutls/gnutls.h>
      82             : #include <gnutls/dtls.h>
      83             : #include <gnutls/abstract.h>
      84             : #include <gnutls/socket.h>
      85             : #include <system.h>
      86             : 
      87             : /* in case we compile with system headers taking priority, we
      88             :  * make sure that some new attributes are still available.
      89             :  */
      90             : #ifndef __GNUTLS_CONST__
      91             : # define __GNUTLS_CONST__
      92             : #endif
      93             : 
      94             : /* The size of a handshake message should not
      95             :  * be larger than this value.
      96             :  */
      97             : #define MAX_HANDSHAKE_PACKET_SIZE 128*1024
      98             : 
      99             : #define GNUTLS_DEF_SESSION_ID_SIZE 32
     100             : 
     101             : /* The maximum digest size of hash algorithms.
     102             :  */
     103             : #define MAX_FILENAME 512
     104             : #define MAX_HASH_SIZE 64
     105             : 
     106             : #define MAX_MAC_KEY_SIZE 64
     107             : 
     108             : #define MAX_CIPHER_BLOCK_SIZE 64 /* CHACHA20 */
     109             : #define MAX_CIPHER_KEY_SIZE 32
     110             : 
     111             : #define MAX_CIPHER_IV_SIZE 16
     112             : 
     113             : #define MAX_USERNAME_SIZE 128
     114             : #define MAX_SERVER_NAME_SIZE 256
     115             : 
     116             : #define AEAD_EXPLICIT_DATA_SIZE 8
     117             : #define AEAD_IMPLICIT_DATA_SIZE 4
     118             : 
     119             : #define GNUTLS_MASTER_SIZE 48
     120             : #define GNUTLS_RANDOM_SIZE 32
     121             : 
     122             : /* Under TLS1.3 a hello retry request is sent as server hello */
     123             : #define REAL_HSK_TYPE(t) ((t)==GNUTLS_HANDSHAKE_HELLO_RETRY_REQUEST?GNUTLS_HANDSHAKE_SERVER_HELLO:t)
     124             : 
     125             : /* DTLS */
     126             : #define DTLS_RETRANS_TIMEOUT 1000
     127             : 
     128             : /* TLS Extensions */
     129             : /* we can receive up to MAX_EXT_TYPES extensions.
     130             :  */
     131             : #define MAX_EXT_TYPES 64
     132             : 
     133             : /* TLS-internal extension (will be parsed after a ciphersuite is selected).
     134             :  * This amends the gnutls_ext_parse_type_t. Not exported yet to allow more refining
     135             :  * prior to finalizing an API. */
     136             : #define _GNUTLS_EXT_TLS_POST_CS 177
     137             : 
     138             : /* expire time for resuming sessions */
     139             : #define DEFAULT_EXPIRE_TIME 21600
     140             : #define STEK_ROTATION_PERIOD_PRODUCT 3
     141             : #define DEFAULT_HANDSHAKE_TIMEOUT_MS 40*1000
     142             : 
     143             : /* The EC group to be used when the extension
     144             :  * supported groups/curves is not present */
     145             : #define DEFAULT_EC_GROUP GNUTLS_GROUP_SECP256R1
     146             : 
     147             : typedef enum transport_t {
     148             :         GNUTLS_STREAM,
     149             :         GNUTLS_DGRAM
     150             : } transport_t;
     151             : 
     152             : /* The TLS 1.3 stage of handshake */
     153             : typedef enum hs_stage_t {
     154             :         STAGE_HS,
     155             :         STAGE_APP,
     156             :         STAGE_UPD_OURS,
     157             :         STAGE_UPD_PEERS,
     158             :         STAGE_EARLY
     159             : } hs_stage_t;
     160             : 
     161             : typedef enum record_send_state_t {
     162             :         RECORD_SEND_NORMAL = 0,
     163             :         RECORD_SEND_CORKED, /* corked and transition to NORMAL afterwards */
     164             :         RECORD_SEND_CORKED_TO_KU, /* corked but must transition to RECORD_SEND_KEY_UPDATE_1 */
     165             :         RECORD_SEND_KEY_UPDATE_1,
     166             :         RECORD_SEND_KEY_UPDATE_2,
     167             :         RECORD_SEND_KEY_UPDATE_3
     168             : } record_send_state_t;
     169             : 
     170             : /* The mode check occurs a lot throughout GnuTLS and can be replaced by
     171             :  * the following shorter macro. Also easier to update one macro
     172             :  * in the future when the internal structure changes than all the conditionals
     173             :  * itself.
     174             :  */
     175             : #define IS_SERVER(session) (session->security_parameters.entity == GNUTLS_SERVER)
     176             : 
     177             : /* To check whether we have a DTLS session */
     178             : #define IS_DTLS(session) (session->internals.transport == GNUTLS_DGRAM)
     179             : 
     180             : /* the maximum size of encrypted packets */
     181             : #define DEFAULT_MAX_RECORD_SIZE 16384
     182             : #define DEFAULT_MAX_EARLY_DATA_SIZE 16384
     183             : #define TLS_RECORD_HEADER_SIZE 5
     184             : #define DTLS_RECORD_HEADER_SIZE (TLS_RECORD_HEADER_SIZE+8)
     185             : #define RECORD_HEADER_SIZE(session) (IS_DTLS(session) ? DTLS_RECORD_HEADER_SIZE : TLS_RECORD_HEADER_SIZE)
     186             : #define MAX_RECORD_HEADER_SIZE DTLS_RECORD_HEADER_SIZE
     187             : 
     188             : #define MIN_RECORD_SIZE 512
     189             : #define MIN_RECORD_SIZE_SMALL 64
     190             : 
     191             : /* The following macro is used to calculate the overhead when sending.
     192             :  * when receiving we use a different way as there are implementations that
     193             :  * store more data than allowed.
     194             :  */
     195             : #define MAX_RECORD_SEND_OVERHEAD(session) (MAX_CIPHER_BLOCK_SIZE/*iv*/+MAX_PAD_SIZE+MAX_HASH_SIZE/*MAC*/)
     196             : #define MAX_RECORD_SEND_SIZE(session) (IS_DTLS(session)? \
     197             :         (MIN((size_t)gnutls_dtls_get_mtu(session), (size_t)session->security_parameters.max_record_send_size+MAX_RECORD_SEND_OVERHEAD(session))): \
     198             :         ((size_t)session->security_parameters.max_record_send_size+MAX_RECORD_SEND_OVERHEAD(session)))
     199             : #define MAX_PAD_SIZE 255
     200             : #define EXTRA_COMP_SIZE 2048
     201             : 
     202             : #define TLS_HANDSHAKE_HEADER_SIZE 4
     203             : #define DTLS_HANDSHAKE_HEADER_SIZE (TLS_HANDSHAKE_HEADER_SIZE+8)
     204             : #define HANDSHAKE_HEADER_SIZE(session) (IS_DTLS(session) ? DTLS_HANDSHAKE_HEADER_SIZE : TLS_HANDSHAKE_HEADER_SIZE)
     205             : #define MAX_HANDSHAKE_HEADER_SIZE DTLS_HANDSHAKE_HEADER_SIZE
     206             : 
     207             : /* Maximum seed size for provable parameters */
     208             : #define MAX_PVP_SEED_SIZE 256
     209             : 
     210             : /* This is the maximum handshake message size we send without
     211             :    fragmentation. This currently ignores record layer overhead. */
     212             : #define DTLS_DEFAULT_MTU 1200
     213             : 
     214             : /* the maximum size of the DTLS cookie */
     215             : #define DTLS_MAX_COOKIE_SIZE 32
     216             : 
     217             : /* The maximum number of HELLO_VERIFY_REQUEST messages the client
     218             :    processes before aborting. */
     219             : #define MAX_HANDSHAKE_HELLO_VERIFY_REQUESTS 5
     220             : 
     221             : #define MAX_PK_PARAM_SIZE 2048
     222             : 
     223             : /* defaults for verification functions
     224             :  */
     225             : #define DEFAULT_MAX_VERIFY_DEPTH 16
     226             : #define DEFAULT_MAX_VERIFY_BITS (MAX_PK_PARAM_SIZE*8)
     227             : #define MAX_VERIFY_DEPTH 4096
     228             : 
     229             : #include <mem.h>
     230             : 
     231             : #define MEMSUB(x,y) ((ssize_t)((ptrdiff_t)x-(ptrdiff_t)y))
     232             : 
     233             : #define DECR_LEN(len, x) DECR_LENGTH_RET(len, x, GNUTLS_E_UNEXPECTED_PACKET_LENGTH)
     234             : #define DECR_LEN_FINAL(len, x) do { \
     235             :         if (len != x) \
     236             :                 return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); \
     237             :         else \
     238             :                 len = 0; \
     239             :         } while (0)
     240             : #define DECR_LENGTH_RET(len, x, RET) DECR_LENGTH_COM(len, x, return RET)
     241             : #define DECR_LENGTH_COM(len, x, COM) do { if (len<x) {gnutls_assert(); COM;} else len-=x; } while (0)
     242             : 
     243             : #define GNUTLS_POINTER_TO_INT(_) ((int) GNUTLS_POINTER_TO_INT_CAST (_))
     244             : #define GNUTLS_INT_TO_POINTER(_) ((void*) GNUTLS_POINTER_TO_INT_CAST (_))
     245             : 
     246             : #define GNUTLS_KX_INVALID (-1)
     247             : 
     248             : #include <mpi.h>
     249             : 
     250             : typedef enum handshake_state_t { STATE0 = 0, STATE1, STATE2,
     251             :         STATE3, STATE4, STATE5, STATE6, STATE7, STATE8,
     252             :         STATE9, STATE10, STATE11, STATE12, STATE13, STATE14,
     253             :         STATE15, STATE16, STATE17, STATE18, STATE19,
     254             :         STATE20 = 20, STATE21, STATE22,
     255             :         STATE30 = 30, STATE31, STATE40 = 40, STATE41, STATE50 = 50,
     256             :         STATE90=90, STATE91, STATE92, STATE93, STATE94, STATE99=99,
     257             :         STATE100=100, STATE101, STATE102, STATE103, STATE104,
     258             :         STATE105, STATE106, STATE107, STATE108, STATE109, STATE110,
     259             :         STATE111, STATE112, STATE113, STATE114, STATE115,
     260             :         STATE150 /* key update */
     261             : } handshake_state_t;
     262             : 
     263             : typedef enum bye_state_t {
     264             :         BYE_STATE0 = 0, BYE_STATE1, BYE_STATE2
     265             : } bye_state_t;
     266             : 
     267             : typedef enum send_ticket_state_t {
     268             :         TICKET_STATE0 = 0, TICKET_STATE1
     269             : } send_ticket_state_t;
     270             : 
     271             : typedef enum reauth_state_t {
     272             :         REAUTH_STATE0 = 0, REAUTH_STATE1, REAUTH_STATE2, REAUTH_STATE3,
     273             :         REAUTH_STATE4, REAUTH_STATE5
     274             : } reauth_state_t;
     275             : 
     276             : #define TICKET_STATE session->internals.ticket_state
     277             : #define BYE_STATE session->internals.bye_state
     278             : #define REAUTH_STATE session->internals.reauth_state
     279             : 
     280             : typedef enum heartbeat_state_t {
     281             :         SHB_SEND1 = 0,
     282             :         SHB_SEND2,
     283             :         SHB_RECV
     284             : } heartbeat_state_t;
     285             : 
     286             : typedef enum recv_state_t {
     287             :         RECV_STATE_0 = 0,
     288             :         RECV_STATE_DTLS_RETRANSMIT,
     289             :         /* client-side false start state */
     290             :         RECV_STATE_FALSE_START_HANDLING, /* we are calling gnutls_handshake() within record_recv() */
     291             :         RECV_STATE_FALSE_START, /* gnutls_record_recv() should complete the handshake */
     292             :         /* async handshake msg state */
     293             :         RECV_STATE_ASYNC_HANDSHAKE, /* an incomplete async handshake message was seen */
     294             :         /* server-side early start under TLS1.3; enabled when no client cert is received */
     295             :         RECV_STATE_EARLY_START_HANDLING, /* we are calling gnutls_handshake() within record_recv() */
     296             :         RECV_STATE_EARLY_START, /* gnutls_record_recv() should complete the handshake */
     297             :         RECV_STATE_REHANDSHAKE, /* gnutls_record_recv() should complete any incoming re-handshake requests */
     298             :         RECV_STATE_REAUTH /* gnutls_record_recv() should complete any incoming reauthentication requests */
     299             : } recv_state_t;
     300             : 
     301             : #include "str.h"
     302             : 
     303             : /* This is the maximum number of algorithms (ciphers or macs etc).
     304             :  * keep it synced with GNUTLS_MAX_ALGORITHM_NUM in gnutls.h
     305             :  */
     306             : #define MAX_ALGOS GNUTLS_MAX_ALGORITHM_NUM
     307             : 
     308             : /* IDs are allocated in a way that all values fit in 64-bit integer as (1<<val) */
     309             : typedef enum extensions_t {
     310             :         GNUTLS_EXTENSION_INVALID = 0xffff,
     311             :         GNUTLS_EXTENSION_STATUS_REQUEST = 0,
     312             :         GNUTLS_EXTENSION_CERT_TYPE,
     313             :         GNUTLS_EXTENSION_CLIENT_CERT_TYPE,
     314             :         GNUTLS_EXTENSION_SERVER_CERT_TYPE,
     315             :         GNUTLS_EXTENSION_SUPPORTED_GROUPS,
     316             :         GNUTLS_EXTENSION_SUPPORTED_EC_POINT_FORMATS,
     317             :         GNUTLS_EXTENSION_SRP,
     318             :         GNUTLS_EXTENSION_SIGNATURE_ALGORITHMS,
     319             :         GNUTLS_EXTENSION_SRTP,
     320             :         GNUTLS_EXTENSION_HEARTBEAT,
     321             :         GNUTLS_EXTENSION_ALPN,
     322             :         GNUTLS_EXTENSION_ETM,
     323             :         GNUTLS_EXTENSION_EXT_MASTER_SECRET,
     324             :         GNUTLS_EXTENSION_SESSION_TICKET,
     325             :         GNUTLS_EXTENSION_KEY_SHARE,
     326             :         GNUTLS_EXTENSION_SUPPORTED_VERSIONS,
     327             :         GNUTLS_EXTENSION_POST_HANDSHAKE,
     328             :         GNUTLS_EXTENSION_SAFE_RENEGOTIATION,
     329             :         GNUTLS_EXTENSION_SERVER_NAME,
     330             :         GNUTLS_EXTENSION_COOKIE,
     331             :         GNUTLS_EXTENSION_EARLY_DATA,
     332             :         GNUTLS_EXTENSION_PSK_KE_MODES,
     333             :         GNUTLS_EXTENSION_RECORD_SIZE_LIMIT,
     334             :         GNUTLS_EXTENSION_MAX_RECORD_SIZE,
     335             :         /*
     336             :          * pre_shared_key and dumbfw must always be the last extensions,
     337             :          * in that order */
     338             :         GNUTLS_EXTENSION_DUMBFW,
     339             :         GNUTLS_EXTENSION_PRE_SHARED_KEY,
     340             :         GNUTLS_EXTENSION_MAX /* not real extension - used for iterators */
     341             : } extensions_t;
     342             : 
     343             : #define GNUTLS_EXTENSION_MAX_VALUE 63
     344             : #define ext_track_t uint64_t
     345             : 
     346             : #include <verify.h>
     347             : 
     348             : verify(GNUTLS_EXTENSION_MAX < GNUTLS_EXTENSION_MAX_VALUE);
     349             : verify(GNUTLS_EXTENSION_MAX < MAX_EXT_TYPES);
     350             : 
     351             : /* we must provide at least 16 extensions for users to register;
     352             :  * increase GNUTLS_EXTENSION_MAX_VALUE, MAX_EXT_TYPES and used_exts
     353             :  * type if this fails
     354             :  */
     355             : verify(GNUTLS_EXTENSION_MAX_VALUE - GNUTLS_EXTENSION_MAX >= 16);
     356             : 
     357             : /* The 'verify' symbol from <verify.h> is used extensively in the
     358             :  * code; undef it to avoid clash
     359             :  */
     360             : #undef verify
     361             : 
     362             : typedef enum { CIPHER_STREAM, CIPHER_BLOCK, CIPHER_AEAD } cipher_type_t;
     363             : 
     364             : #define RESUME_TRUE 1
     365             : #define RESUME_FALSE 0
     366             : 
     367             : /* Record Protocol */
     368             : typedef enum content_type_t {
     369             :         GNUTLS_CHANGE_CIPHER_SPEC = 20, GNUTLS_ALERT,
     370             :         GNUTLS_HANDSHAKE, GNUTLS_APPLICATION_DATA,
     371             :         GNUTLS_HEARTBEAT
     372             : } content_type_t;
     373             : 
     374             : 
     375             : #define GNUTLS_PK_ANY (gnutls_pk_algorithm_t)-1
     376             : #define GNUTLS_PK_NONE (gnutls_pk_algorithm_t)-2
     377             : 
     378             : #define GNUTLS_PK_IS_RSA(pk) ((pk) == GNUTLS_PK_RSA || (pk) == GNUTLS_PK_RSA_PSS)
     379             : 
     380             : /* Message buffers (mbuffers) structures */
     381             : 
     382             : /* this is actually the maximum number of distinct handshake
     383             :  * messages that can arrive in a single flight
     384             :  */
     385             : #define MAX_HANDSHAKE_MSGS 6
     386             : typedef struct {
     387             :         /* Handshake layer type and sequence of message */
     388             :         gnutls_handshake_description_t htype;
     389             : 
     390             :         /* The "real" type received; that is, it does not distinguish
     391             :          * HRR from server hello, while htype does */
     392             :         gnutls_handshake_description_t rtype;
     393             :         uint32_t length;
     394             : 
     395             :         /* valid in DTLS */
     396             :         uint16_t sequence;
     397             : 
     398             :         /* indicate whether that message is complete.
     399             :          * complete means start_offset == 0 and end_offset == length
     400             :          */
     401             :         uint32_t start_offset;
     402             :         uint32_t end_offset;
     403             : 
     404             :         uint8_t header[MAX_HANDSHAKE_HEADER_SIZE];
     405             :         int header_size;
     406             : 
     407             :         gnutls_buffer_st data;
     408             : } handshake_buffer_st;
     409             : 
     410             : typedef struct mbuffer_st {
     411             :         /* when used in mbuffer_head_st */
     412             :         struct mbuffer_st *next;
     413             :         struct mbuffer_st *prev;
     414             : 
     415             :         /* msg->size - mark = number of bytes left to process in this
     416             :            message. Mark should only be non-zero when this buffer is the
     417             :            head of the queue. */
     418             :         size_t mark;
     419             : 
     420             : 
     421             :         /* the data */
     422             :         gnutls_datum_t msg;
     423             :         size_t maximum_size;
     424             : 
     425             :         /* used during fill in, to separate header from data
     426             :          * body. */
     427             :         unsigned int uhead_mark;
     428             : 
     429             :         /* Filled in by record layer on recv:
     430             :          * type, record_sequence
     431             :          */
     432             : 
     433             :         /* record layer content type */
     434             :         content_type_t type;
     435             : 
     436             :         /* record layer sequence */
     437             :         uint64_t record_sequence;
     438             : 
     439             :         /* Filled in by handshake layer on send:
     440             :          * type, epoch, htype, handshake_sequence
     441             :          */
     442             : 
     443             :         /* Record layer epoch of message */
     444             :         uint16_t epoch;
     445             : 
     446             :         /* Handshake layer type and sequence of message */
     447             :         gnutls_handshake_description_t htype;
     448             :         uint16_t handshake_sequence;
     449             : } mbuffer_st;
     450             : 
     451             : typedef struct mbuffer_head_st {
     452             :         mbuffer_st *head;
     453             :         mbuffer_st *tail;
     454             : 
     455             :         unsigned int length;
     456             :         size_t byte_length;
     457             : } mbuffer_head_st;
     458             : 
     459             : /* Store & Retrieve functions defines:
     460             :  */
     461             : 
     462             : typedef struct auth_cred_st {
     463             :         gnutls_credentials_type_t algorithm;
     464             : 
     465             :         /* the type of credentials depends on algorithm
     466             :          */
     467             :         void *credentials;
     468             :         struct auth_cred_st *next;
     469             : } auth_cred_st;
     470             : 
     471             : /* session ticket definitions */
     472             : #define TICKET_MASTER_KEY_SIZE (TICKET_KEY_NAME_SIZE+TICKET_CIPHER_KEY_SIZE+TICKET_MAC_SECRET_SIZE)
     473             : #define TICKET_KEY_NAME_SIZE 16
     474             : #define TICKET_CIPHER_KEY_SIZE 32
     475             : #define TICKET_MAC_SECRET_SIZE 16
     476             : 
     477             : /* These are restricted by TICKET_CIPHER_KEY_SIZE and TICKET_MAC_SECRET_SIZE */
     478             : #define TICKET_CIPHER GNUTLS_CIPHER_AES_256_CBC
     479             : #define TICKET_IV_SIZE 16
     480             : #define TICKET_BLOCK_SIZE 16
     481             : 
     482             : #define TICKET_MAC_ALGO GNUTLS_MAC_SHA1
     483             : #define TICKET_MAC_SIZE 20 /* HMAC-SHA1 */
     484             : 
     485             : struct ticket_st {
     486             :         uint8_t key_name[TICKET_KEY_NAME_SIZE];
     487             :         uint8_t IV[TICKET_IV_SIZE];
     488             :         uint8_t *encrypted_state;
     489             :         uint16_t encrypted_state_len;
     490             :         uint8_t mac[TICKET_MAC_SIZE];
     491             : };
     492             : 
     493             : struct binder_data_st {
     494             :         const struct mac_entry_st *prf; /* non-null if this struct is set */
     495             :         gnutls_datum_t psk;
     496             : 
     497             :         /* 0-based index of the selected PSK.
     498             :          * This only applies if the HSK_PSK_SELECTED flag is set in internals.hsk_flags,
     499             :          * which signals a PSK has indeed been selected. */
     500             :         uint8_t idx;
     501             :         uint8_t resumption; /* whether it is a resumption binder */
     502             : };
     503             : 
     504             : typedef void (* gnutls_stek_rotation_callback_t) (const gnutls_datum_t *prev_key,
     505             :                                                 const gnutls_datum_t *new_key,
     506             :                                                 uint64_t t);
     507             : 
     508             : struct gnutls_key_st {
     509             :         struct { /* These are kept outside the TLS1.3 union as they are
     510             :                   * negotiated via extension, even before protocol is negotiated */
     511             :                 gnutls_pk_params_st ecdh_params;
     512             :                 gnutls_pk_params_st ecdhx_params;
     513             :                 gnutls_pk_params_st dh_params;
     514             :         } kshare;
     515             : 
     516             :         /* The union contents depend on the negotiated protocol.
     517             :          * It should not contain any values which are allocated
     518             :          * prior to protocol negotiation, as it would be impossible
     519             :          * to deinitialize.
     520             :          */
     521             :         union {
     522             :                 struct {
     523             :                         /* the current (depending on state) secret, can be
     524             :                          * early_secret, client_early_traffic_secret, ... */
     525             :                         uint8_t temp_secret[MAX_HASH_SIZE];
     526             :                         unsigned temp_secret_size; /* depends on negotiated PRF size */
     527             :                         uint8_t e_ckey[MAX_HASH_SIZE]; /* client_early_traffic_secret */
     528             :                         uint8_t hs_ckey[MAX_HASH_SIZE]; /* client_hs_traffic_secret */
     529             :                         uint8_t hs_skey[MAX_HASH_SIZE]; /* server_hs_traffic_secret */
     530             :                         uint8_t ap_ckey[MAX_HASH_SIZE]; /* client_ap_traffic_secret */
     531             :                         uint8_t ap_skey[MAX_HASH_SIZE]; /* server_ap_traffic_secret */
     532             :                         uint8_t ap_expkey[MAX_HASH_SIZE]; /* {early_,}exporter_master_secret */
     533             :                         uint8_t ap_rms[MAX_HASH_SIZE]; /* resumption_master_secret */
     534             :                 } tls13; /* tls1.3 */
     535             : 
     536             :                 /* Follow the SSL3.0 and TLS1.2 key exchanges */
     537             :                 struct {
     538             :                         /* For ECDH KX */
     539             :                         struct {
     540             :                                 gnutls_pk_params_st params; /* private part */
     541             :                                 /* public part */
     542             :                                 bigint_t x;
     543             :                                 bigint_t y;
     544             :                                 gnutls_datum_t raw; /* public key used in ECDHX (point) */
     545             :                         } ecdh;
     546             : 
     547             :                         /* For DH KX */
     548             :                         struct {
     549             :                                 gnutls_pk_params_st params;
     550             :                                 bigint_t client_Y;
     551             :                         } dh;
     552             : 
     553             :                         /* for SRP KX */
     554             :                         struct {
     555             :                                 bigint_t srp_key;
     556             :                                 bigint_t srp_g;
     557             :                                 bigint_t srp_p;
     558             :                                 bigint_t A;
     559             :                                 bigint_t B;
     560             :                                 bigint_t u;
     561             :                                 bigint_t b;
     562             :                                 bigint_t a;
     563             :                                 bigint_t x;
     564             :                         } srp;
     565             :                 } tls12; /* from ssl3.0 to tls12 */
     566             :         } proto;
     567             : 
     568             :         /* binders / pre-shared keys in use; temporary storage.
     569             :          * On client side it will hold data for the resumption and external
     570             :          * PSKs After server hello is received the selected binder is set on 0 position
     571             :          * and HSK_PSK_SELECTED is set.
     572             :          *
     573             :          * On server side the first value is populated with
     574             :          * the selected PSK data if HSK_PSK_SELECTED flag is set. */
     575             :         struct binder_data_st binders[2];
     576             : 
     577             :         /* TLS pre-master key; applies to 1.2 and 1.3 */
     578             :         gnutls_datum_t key;
     579             : 
     580             :         uint8_t
     581             :                 /* The key to encrypt and decrypt session tickets */
     582             :                 session_ticket_key[TICKET_MASTER_KEY_SIZE],
     583             :                 /* Static buffer for the previous key, whenever we need it */
     584             :                 previous_ticket_key[TICKET_MASTER_KEY_SIZE],
     585             :                 /* Initial key supplied by the caller */
     586             :                 initial_stek[TICKET_MASTER_KEY_SIZE];
     587             : 
     588             :         /* this is used to hold the peers authentication data
     589             :          */
     590             :         /* auth_info_t structures SHOULD NOT contain malloced
     591             :          * elements. Check gnutls_session_pack.c, and gnutls_auth.c.
     592             :          * Remember that this should be calloced!
     593             :          */
     594             :         void *auth_info;
     595             :         gnutls_credentials_type_t auth_info_type;
     596             :         int auth_info_size;     /* needed in order to store to db for restoring
     597             :                                  */
     598             :         auth_cred_st *cred;     /* used to specify keys/certificates etc */
     599             : 
     600             :         struct {
     601             :                 uint64_t last_result;
     602             :                 uint8_t was_rotated;
     603             :                 gnutls_stek_rotation_callback_t cb;
     604             :         } totp;
     605             : };
     606             : 
     607             : typedef struct gnutls_key_st gnutls_key_st;
     608             : 
     609             : struct pin_info_st {
     610             :         gnutls_pin_callback_t cb;
     611             :         void *data;
     612             : };
     613             : 
     614             : struct record_state_st;
     615             : typedef struct record_state_st record_state_st;
     616             : 
     617             : struct record_parameters_st;
     618             : typedef struct record_parameters_st record_parameters_st;
     619             : 
     620             : #define GNUTLS_CIPHER_FLAG_ONLY_AEAD    (1 << 0) /* When set, this cipher is only available through the new AEAD API */
     621             : #define GNUTLS_CIPHER_FLAG_XOR_NONCE    (1 << 1) /* In this TLS AEAD cipher xor the implicit_iv with the nonce */
     622             : #define GNUTLS_CIPHER_FLAG_NO_REKEY     (1 << 2) /* whether this tls1.3 cipher doesn't need to rekey after 2^24 messages */
     623             : 
     624             : /* cipher and mac parameters */
     625             : typedef struct cipher_entry_st {
     626             :         const char *name;
     627             :         gnutls_cipher_algorithm_t id;
     628             :         uint16_t blocksize;
     629             :         uint16_t keysize;
     630             :         cipher_type_t type;
     631             :         uint16_t implicit_iv;   /* the size of implicit IV - the IV generated but not sent */
     632             :         uint16_t explicit_iv;   /* the size of explicit IV - the IV stored in record */
     633             :         uint16_t cipher_iv;     /* the size of IV needed by the cipher */
     634             :         uint16_t tagsize;
     635             :         unsigned flags;
     636             : } cipher_entry_st;
     637             : 
     638             : typedef struct gnutls_cipher_suite_entry_st {
     639             :         const char *name;
     640             :         const uint8_t id[2];
     641             :         gnutls_cipher_algorithm_t block_algorithm;
     642             :         gnutls_kx_algorithm_t kx_algorithm;
     643             :         gnutls_mac_algorithm_t mac_algorithm;
     644             :         gnutls_protocol_t min_version;  /* this cipher suite is supported
     645             :                                          * from 'version' and above;
     646             :                                          */
     647             :         gnutls_protocol_t max_version;  /* this cipher suite is not supported
     648             :                                          * after 'version' and above;
     649             :                                          */
     650             :         gnutls_protocol_t min_dtls_version;     /* DTLS min version */
     651             :         gnutls_protocol_t max_dtls_version;     /* DTLS max version */
     652             :         gnutls_mac_algorithm_t prf;
     653             : } gnutls_cipher_suite_entry_st;
     654             : 
     655             : 
     656             : typedef struct gnutls_group_entry_st {
     657             :         const char *name;
     658             :         gnutls_group_t id;
     659             :         const gnutls_datum_t *prime;
     660             :         const gnutls_datum_t *q;
     661             :         const gnutls_datum_t *generator;
     662             :         const unsigned *q_bits;
     663             :         gnutls_ecc_curve_t curve;
     664             :         gnutls_pk_algorithm_t pk;
     665             :         unsigned tls_id;                /* The RFC4492 namedCurve ID or TLS 1.3 group ID */
     666             : } gnutls_group_entry_st;
     667             : 
     668             : #define GNUTLS_MAC_FLAG_PREIMAGE_INSECURE       1  /* if this algorithm should not be trusted for pre-image attacks */
     669             : #define GNUTLS_MAC_FLAG_CONTINUOUS_MAC          (1 << 1) /* if this MAC should be used in a 'continuous' way in TLS */
     670             : /* This structure is used both for MACs and digests
     671             :  */
     672             : typedef struct mac_entry_st {
     673             :         const char *name;
     674             :         const char *oid;        /* OID of the hash - if it is a hash */
     675             :         const char *mac_oid;    /* OID of the MAC algorithm - if it is a MAC */
     676             :         gnutls_mac_algorithm_t id;
     677             :         unsigned output_size;
     678             :         unsigned key_size;
     679             :         unsigned nonce_size;
     680             :         unsigned placeholder;   /* if set, then not a real MAC */
     681             :         unsigned block_size;    /* internal block size for HMAC */
     682             :         unsigned flags;
     683             : } mac_entry_st;
     684             : 
     685             : typedef struct {
     686             :         const char *name;
     687             :         gnutls_protocol_t id;   /* gnutls internal version number */
     688             :         unsigned age;           /* internal ordering by protocol age */
     689             :         uint8_t major;          /* defined by the protocol */
     690             :         uint8_t minor;          /* defined by the protocol */
     691             :         transport_t transport;  /* Type of transport, stream or datagram */
     692             :         bool supported; /* 0 not supported, > 0 is supported */
     693             :         bool explicit_iv;
     694             :         bool extensions;        /* whether it supports extensions */
     695             :         bool selectable_sighash;        /* whether signatures can be selected */
     696             :         bool selectable_prf;    /* whether the PRF is ciphersuite-defined */
     697             : 
     698             :         /* if SSL3 is disabled this flag indicates that this protocol is a placeholder,
     699             :          * otherwise it prevents this protocol from being set as record version */
     700             :         bool obsolete;
     701             :         bool tls13_sem;         /* The TLS 1.3 handshake semantics */
     702             :         bool false_start;       /* That version can be used with false start */
     703             :         bool only_extension;    /* negotiated only with an extension */
     704             :         bool post_handshake_auth;       /* Supports the TLS 1.3 post handshake auth */
     705             :         bool key_shares;        /* TLS 1.3 key share key exchange */
     706             :         bool multi_ocsp;        /* TLS 1.3 multiple OCSP responses */
     707             :         /*
     708             :          * TLS versions modify the semantics of signature algorithms. This number
     709             :          * is there to distinguish signature algorithms semantics between versions
     710             :          * (maps to sign_algorithm_st->tls_sem)
     711             :          */
     712             :         uint8_t tls_sig_sem;
     713             : } version_entry_st;
     714             : 
     715             : 
     716             : /* STATE (cont) */
     717             : 
     718             : #include <hash_int.h>
     719             : #include <cipher_int.h>
     720             : 
     721             : typedef struct {
     722             :         uint8_t id[2]; /* used to be (in TLS 1.2) hash algorithm , PK algorithm */
     723             :         uint8_t tls_sem; /* should match the protocol version's tls_sig_sem. */
     724             : } sign_algorithm_st;
     725             : 
     726             : /* This structure holds parameters got from TLS extension
     727             :  * mechanism. (some extensions may hold parameters in auth_info_t
     728             :  * structures also - see SRP).
     729             :  */
     730             : 
     731             : #define MAX_VERIFY_DATA_SIZE 36 /* in SSL 3.0, 12 in TLS 1.0 */
     732             : 
     733             : /* auth_info_t structures now MAY contain malloced
     734             :  * elements.
     735             :  */
     736             : 
     737             : /* This structure and auth_info_t, are stored in the resume database,
     738             :  * and are restored, in case of resume.
     739             :  * Holds all the required parameters to resume the current
     740             :  * session.
     741             :  */
     742             : 
     743             : /* Note that the security parameters structure is set up after the
     744             :  * handshake has finished. The only value you may depend on while
     745             :  * the handshake is in progress is the cipher suite value.
     746             :  */
     747             : typedef struct {
     748             :         unsigned int entity;    /* GNUTLS_SERVER or GNUTLS_CLIENT */
     749             : 
     750             :         /* The epoch used to read and write */
     751             :         uint16_t epoch_read;
     752             :         uint16_t epoch_write;
     753             : 
     754             :         /* The epoch that the next handshake will initialize. */
     755             :         uint16_t epoch_next;
     756             : 
     757             :         /* The epoch at index 0 of record_parameters. */
     758             :         uint16_t epoch_min;
     759             : 
     760             :         /* this is the ciphersuite we are going to use
     761             :          * moved here from internals in order to be restored
     762             :          * on resume;
     763             :          */
     764             :         const struct gnutls_cipher_suite_entry_st *cs;
     765             : 
     766             :         /* This is kept outside the ciphersuite entry as on certain
     767             :          * TLS versions we need a separate PRF MAC, i.e., MD5_SHA1. */
     768             :         const mac_entry_st *prf;
     769             : 
     770             :         uint8_t master_secret[GNUTLS_MASTER_SIZE];
     771             :         uint8_t client_random[GNUTLS_RANDOM_SIZE];
     772             :         uint8_t server_random[GNUTLS_RANDOM_SIZE];
     773             :         uint8_t session_id[GNUTLS_MAX_SESSION_ID_SIZE];
     774             :         uint8_t session_id_size;
     775             :         time_t timestamp;
     776             : 
     777             :         /* whether client has agreed in post handshake auth - only set on server side */
     778             :         uint8_t post_handshake_auth;
     779             : 
     780             :         /* The maximum amount of plaintext sent in a record,
     781             :          * negotiated with the peer.
     782             :          */
     783             :         uint16_t max_record_send_size;
     784             :         uint16_t max_record_recv_size;
     785             : 
     786             :         /* The maximum amount of plaintext sent in a record, set by
     787             :          * the programmer.
     788             :          */
     789             :         uint16_t max_user_record_send_size;
     790             :         uint16_t max_user_record_recv_size;
     791             : 
     792             :         /* The maximum amount of early data */
     793             :         uint32_t max_early_data_size;
     794             : 
     795             :         /* holds the negotiated certificate types */
     796             :         gnutls_certificate_type_t client_ctype;
     797             :         gnutls_certificate_type_t server_ctype;
     798             : 
     799             :         /* The selected (after server hello EC or DH group */
     800             :         const gnutls_group_entry_st *grp;
     801             : 
     802             :         /* Holds the signature algorithm that will be used in this session,
     803             :          * selected by the server at the time of Ciphersuite/certificate
     804             :          * selection - see select_sign_algorithm() */
     805             :         gnutls_sign_algorithm_t server_sign_algo;
     806             : 
     807             :         /* Holds the signature algorithm used in this session - If any */
     808             :         gnutls_sign_algorithm_t client_sign_algo;
     809             : 
     810             :         /* Whether the master secret negotiation will be according to
     811             :          * draft-ietf-tls-session-hash-01
     812             :          */
     813             :         uint8_t ext_master_secret;
     814             :         /* encrypt-then-mac -> rfc7366 */
     815             :         uint8_t etm;
     816             : 
     817             :         uint8_t client_auth_type; /* gnutls_credentials_type_t */
     818             :         uint8_t server_auth_type;
     819             : 
     820             :         /* Note: if you add anything in Security_Parameters struct, then
     821             :          * also modify CPY_COMMON in constate.c, and session_pack.c,
     822             :          * in order to save it in the session storage.
     823             :          */
     824             : 
     825             :         /* Used by extensions that enable supplemental data: Which ones
     826             :          * do that? Do they belong in security parameters?
     827             :          */
     828             :         int do_recv_supplemental, do_send_supplemental;
     829             :         const version_entry_st *pversion;
     830             : } security_parameters_st;
     831             : 
     832             : typedef struct api_aead_cipher_hd_st {
     833             :         cipher_hd_st ctx_enc;
     834             : } api_aead_cipher_hd_st;
     835             : 
     836             : struct record_state_st {
     837             :         /* mac keys can be as long as the hash size */
     838             :         uint8_t mac_key[MAX_HASH_SIZE];
     839             :         unsigned mac_key_size;
     840             : 
     841             :         uint8_t iv[MAX_CIPHER_IV_SIZE];
     842             :         unsigned iv_size;
     843             : 
     844             :         uint8_t key[MAX_CIPHER_KEY_SIZE];
     845             :         unsigned key_size;
     846             : 
     847             :         union {
     848             :                 auth_cipher_hd_st tls12;
     849             :                 api_aead_cipher_hd_st aead;
     850             :         } ctx;
     851             :         unsigned aead_tag_size;
     852             :         unsigned is_aead;
     853             :         uint64_t sequence_number;
     854             : };
     855             : 
     856             : 
     857             : /* These are used to resolve relative epochs. These values are just
     858             :    outside the 16 bit range to prevent off-by-one errors. An absolute
     859             :    epoch may be referred to by its numeric id in the range
     860             :    0x0000-0xffff. */
     861             : #define EPOCH_READ_CURRENT  70000
     862             : #define EPOCH_WRITE_CURRENT 70001
     863             : #define EPOCH_NEXT        70002
     864             : 
     865             : struct record_parameters_st {
     866             :         uint16_t epoch;
     867             :         int initialized;
     868             : 
     869             :         const cipher_entry_st *cipher;
     870             :         bool etm;
     871             :         const mac_entry_st *mac;
     872             : 
     873             :         /* for DTLS sliding window */
     874             :         uint64_t dtls_sw_next; /* The end point (next expected packet) of the sliding window without epoch */
     875             :         uint64_t dtls_sw_bits;
     876             :         unsigned dtls_sw_have_recv; /* whether at least a packet has been received */
     877             : 
     878             :         record_state_st read;
     879             :         record_state_st write;
     880             : 
     881             :         /* Whether this state is in use, i.e., if there is
     882             :            a pending handshake message waiting to be encrypted
     883             :            under this epoch's parameters.
     884             :          */
     885             :         int usage_cnt;
     886             : };
     887             : 
     888             : typedef struct {
     889             :         unsigned int priorities[MAX_ALGOS];
     890             :         unsigned int num_priorities;
     891             : } priority_st;
     892             : 
     893             : typedef enum {
     894             :         SR_DISABLED,
     895             :         SR_UNSAFE,
     896             :         SR_PARTIAL,
     897             :         SR_SAFE
     898             : } safe_renegotiation_t;
     899             : 
     900             : #define MAX_CIPHERSUITE_SIZE 256
     901             : 
     902             : typedef struct ciphersuite_list_st {
     903             :         const gnutls_cipher_suite_entry_st *entry[MAX_CIPHERSUITE_SIZE];
     904             :         unsigned int size;
     905             : } ciphersuite_list_st;
     906             : 
     907             : typedef struct group_list_st {
     908             :         const gnutls_group_entry_st *entry[MAX_ALGOS];
     909             :         unsigned int size;
     910             :         bool have_ffdhe;
     911             : } group_list_st;
     912             : 
     913             : typedef struct sign_algo_list_st {
     914             :         const struct gnutls_sign_entry_st *entry[MAX_ALGOS];
     915             :         unsigned int size;
     916             : } sign_algo_list_st;
     917             : 
     918             : #include "atomic.h"
     919             : 
     920             : /* For the external api */
     921             : struct gnutls_priority_st {
     922             :         priority_st protocol;
     923             :         priority_st client_ctype;
     924             :         priority_st server_ctype;
     925             : 
     926             :         /* The following are not necessary to be stored in
     927             :          * the structure; however they are required by the
     928             :          * external APIs: gnutls_priority_*_list() */
     929             :         priority_st _cipher;
     930             :         priority_st _mac;
     931             :         priority_st _kx;
     932             :         priority_st _sign_algo;
     933             :         priority_st _supported_ecc;
     934             : 
     935             :         /* the supported groups */
     936             :         group_list_st groups;
     937             : 
     938             :         /* the supported signature algorithms */
     939             :         sign_algo_list_st sigalg;
     940             : 
     941             :         /* the supported ciphersuites */
     942             :         ciphersuite_list_st cs;
     943             : 
     944             :         /* to disable record padding */
     945             :         bool no_extensions;
     946             : 
     947             : 
     948             :         safe_renegotiation_t sr;
     949             :         bool min_record_version;
     950             :         bool server_precedence;
     951             :         bool allow_server_key_usage_violation; /* for test suite purposes only */
     952             :         bool no_tickets;
     953             :         bool have_cbc;
     954             :         bool have_psk;
     955             :         bool force_etm;
     956             :         unsigned int additional_verify_flags;
     957             : 
     958             :         /* TLS_FALLBACK_SCSV */
     959             :         bool fallback;
     960             : 
     961             :         /* The session's expected security level.
     962             :          * Will be used to determine the minimum DH bits,
     963             :          * (or the acceptable certificate security level).
     964             :          */
     965             :         gnutls_sec_param_t level;
     966             : 
     967             :         /* these should be accessed from
     968             :          * session->internals.VAR names */
     969             :         bool _allow_large_records;
     970             :         bool _allow_small_records;
     971             :         bool _no_etm;
     972             :         bool _no_ext_master_secret;
     973             :         bool _allow_key_usage_violation;
     974             :         bool _allow_wrong_pms;
     975             :         bool _dumbfw;
     976             :         unsigned int _dh_prime_bits;    /* old (deprecated) variable */
     977             : 
     978             :         DEF_ATOMIC_INT(usage_cnt);
     979             : };
     980             : 
     981             : /* Allow around 50KB of length-hiding padding
     982             :  * when using legacy padding,
     983             :  * or around 3.2MB when using new padding. */
     984             : #define DEFAULT_MAX_EMPTY_RECORDS 200
     985             : 
     986             : #define ENABLE_COMPAT(x) \
     987             :               (x)->allow_large_records = 1; \
     988             :               (x)->allow_small_records = 1; \
     989             :               (x)->no_etm = 1; \
     990             :               (x)->no_ext_master_secret = 1; \
     991             :               (x)->allow_key_usage_violation = 1; \
     992             :               (x)->allow_wrong_pms = 1; \
     993             :               (x)->dumbfw = 1
     994             : 
     995             : #define ENABLE_PRIO_COMPAT(x) \
     996             :               (x)->_allow_large_records = 1; \
     997             :               (x)->_allow_small_records = 1; \
     998             :               (x)->_no_etm = 1; \
     999             :               (x)->_no_ext_master_secret = 1; \
    1000             :               (x)->_allow_key_usage_violation = 1; \
    1001             :               (x)->_allow_wrong_pms = 1; \
    1002             :               (x)->_dumbfw = 1
    1003             : 
    1004             : /* DH and RSA parameters types.
    1005             :  */
    1006             : typedef struct gnutls_dh_params_int {
    1007             :         /* [0] is the prime, [1] is the generator, [2] is Q if available.
    1008             :          */
    1009             :         bigint_t params[3];
    1010             :         int q_bits;             /* length of q in bits. If zero then length is unknown.
    1011             :                                  */
    1012             : } dh_params_st;
    1013             : 
    1014             : /* TLS 1.3 session ticket
    1015             :  */
    1016             : typedef struct {
    1017             :         struct timespec arrival_time;
    1018             :         struct timespec creation_time;
    1019             :         uint32_t lifetime;
    1020             :         uint32_t age_add;
    1021             :         uint8_t nonce[255];
    1022             :         size_t nonce_size;
    1023             :         const mac_entry_st *prf;
    1024             :         uint8_t resumption_master_secret[MAX_HASH_SIZE];
    1025             :         gnutls_datum_t ticket;
    1026             : } tls13_ticket_st;
    1027             : 
    1028             : /* DTLS session state
    1029             :  */
    1030             : typedef struct {
    1031             :         /* HelloVerifyRequest DOS prevention cookie */
    1032             :         gnutls_datum_t dcookie;
    1033             : 
    1034             :         /* For DTLS handshake fragmentation and reassembly. */
    1035             :         uint16_t hsk_write_seq;
    1036             :         /* the sequence number of the expected packet */
    1037             :         unsigned int hsk_read_seq;
    1038             :         uint16_t mtu;
    1039             : 
    1040             :         /* a flight transmission is in process */
    1041             :         bool flight_init;
    1042             :         /* whether this is the last flight in the protocol  */
    1043             :         bool last_flight;
    1044             : 
    1045             :         /* the retransmission timeout in milliseconds */
    1046             :         unsigned int retrans_timeout_ms;
    1047             : 
    1048             :         unsigned int hsk_hello_verify_requests;
    1049             : 
    1050             :         /* The actual retrans_timeout for the next message (e.g. doubled or so)
    1051             :          */
    1052             :         unsigned int actual_retrans_timeout_ms;
    1053             : 
    1054             :         /* timers to handle async handshake after gnutls_handshake()
    1055             :          * has terminated. Required to handle retransmissions.
    1056             :          */
    1057             :         time_t async_term;
    1058             : 
    1059             :         /* last retransmission triggered by record layer */
    1060             :         struct timespec last_retransmit;
    1061             :         unsigned int packets_dropped;
    1062             : } dtls_st;
    1063             : 
    1064             : typedef struct tfo_st {
    1065             :         int fd;
    1066             :         int flags;
    1067             :         bool connect_only; /* a previous sendmsg() failed, attempting connect() */
    1068             :         struct sockaddr_storage connect_addr;
    1069             :         socklen_t connect_addrlen;
    1070             : } tfo_st;
    1071             : 
    1072             : typedef struct {
    1073             :         /* holds all the parsed data received by the record layer */
    1074             :         mbuffer_head_st record_buffer;
    1075             : 
    1076             :         int handshake_hash_buffer_prev_len;     /* keeps the length of handshake_hash_buffer, excluding
    1077             :                                                  * the last received message */
    1078             :         unsigned handshake_hash_buffer_client_hello_len; /* if non-zero it is the length of data until the client hello message */
    1079             :         unsigned handshake_hash_buffer_client_kx_len;/* if non-zero it is the length of data until the
    1080             :                                                  * the client key exchange message */
    1081             :         unsigned handshake_hash_buffer_server_finished_len;/* if non-zero it is the length of data until the
    1082             :                                                  * the server finished message */
    1083             :         unsigned handshake_hash_buffer_client_finished_len;/* if non-zero it is the length of data until the
    1084             :                                                  * the client finished message */
    1085             :         gnutls_buffer_st handshake_hash_buffer; /* used to keep the last received handshake
    1086             :                                                  * message */
    1087             : 
    1088             :         bool resumable; /* TRUE or FALSE - if we can resume that session */
    1089             : 
    1090             :         send_ticket_state_t ticket_state; /* used by gnutls_session_ticket_send() */
    1091             :         bye_state_t bye_state; /* used by gnutls_bye() */
    1092             :         reauth_state_t reauth_state; /* used by gnutls_reauth() */
    1093             : 
    1094             :         handshake_state_t handshake_final_state;
    1095             :         handshake_state_t handshake_state;      /* holds
    1096             :                                                  * a number which indicates where
    1097             :                                                  * the handshake procedure has been
    1098             :                                                  * interrupted. If it is 0 then
    1099             :                                                  * no interruption has happened.
    1100             :                                                  */
    1101             : 
    1102             :         bool invalid_connection;        /* true or FALSE - if this session is valid */
    1103             : 
    1104             :         bool may_not_read;      /* if it's 0 then we can read/write, otherwise it's forbidden to read/write
    1105             :                                  */
    1106             :         bool may_not_write;
    1107             :         bool read_eof;          /* non-zero if we have received a closure alert. */
    1108             : 
    1109             :         int last_alert;         /* last alert received */
    1110             : 
    1111             :         /* The last handshake messages sent or received.
    1112             :          */
    1113             :         int last_handshake_in;
    1114             :         int last_handshake_out;
    1115             : 
    1116             :         /* priorities */
    1117             :         struct gnutls_priority_st *priorities;
    1118             : 
    1119             :         /* variables directly set when setting the priorities above, or
    1120             :          * when overriding them */
    1121             :         bool allow_large_records;
    1122             :         bool allow_small_records;
    1123             :         bool no_etm;
    1124             :         bool no_ext_master_secret;
    1125             :         bool allow_key_usage_violation;
    1126             :         bool allow_wrong_pms;
    1127             :         bool dumbfw;
    1128             : 
    1129             :         /* old (deprecated) variable. This is used for both srp_prime_bits
    1130             :          * and dh_prime_bits as they don't overlap */
    1131             :         /* For SRP: minimum bits to allow for SRP
    1132             :          * use gnutls_srp_set_prime_bits() to adjust it.
    1133             :          */
    1134             :         uint16_t dh_prime_bits; /* srp_prime_bits */
    1135             : 
    1136             :         /* resumed session */
    1137             :         bool resumed;   /* RESUME_TRUE or FALSE - if we are resuming a session */
    1138             : 
    1139             :         /* server side: non-zero if resumption was requested by client
    1140             :          * client side: non-zero if we set resumption parameters */
    1141             :         bool resumption_requested;
    1142             :         security_parameters_st resumed_security_parameters;
    1143             :         gnutls_datum_t resumption_data; /* copy of input to gnutls_session_set_data() */
    1144             : 
    1145             :         /* These buffers are used in the handshake
    1146             :          * protocol only. freed using _gnutls_handshake_io_buffer_clear();
    1147             :          */
    1148             :         mbuffer_head_st handshake_send_buffer;
    1149             :         mbuffer_head_st handshake_header_recv_buffer;
    1150             :         handshake_buffer_st handshake_recv_buffer[MAX_HANDSHAKE_MSGS];
    1151             :         int handshake_recv_buffer_size;
    1152             : 
    1153             :         /* this buffer holds a record packet -mostly used for
    1154             :          * non blocking IO.
    1155             :          */
    1156             :         mbuffer_head_st record_recv_buffer;     /* buffer holding the unparsed record that is currently
    1157             :                                                  * being received */
    1158             :         mbuffer_head_st record_send_buffer;     /* holds cached data
    1159             :                                                  * for the gnutls_io_write_buffered()
    1160             :                                                  * function.
    1161             :                                                  */
    1162             :         size_t record_send_buffer_user_size;    /* holds the
    1163             :                                                  * size of the user specified data to
    1164             :                                                  * send.
    1165             :                                                  */
    1166             : 
    1167             :         mbuffer_head_st early_data_recv_buffer;
    1168             :         gnutls_buffer_st early_data_presend_buffer;
    1169             : 
    1170             :         record_send_state_t rsend_state;
    1171             :         /* buffer used temporarily during key update */
    1172             :         gnutls_buffer_st record_key_update_buffer;
    1173             :         gnutls_buffer_st record_presend_buffer; /* holds cached data
    1174             :                                                  * for the gnutls_record_send()
    1175             :                                                  * function.
    1176             :                                                  */
    1177             : 
    1178             :         /* buffer used temporarily during TLS1.3 reauthentication */
    1179             :         gnutls_buffer_st reauth_buffer;
    1180             : 
    1181             :         time_t expire_time;     /* after expire_time seconds this session will expire */
    1182             :         const struct mod_auth_st_int *auth_struct;      /* used in handshake packets and KX algorithms */
    1183             : 
    1184             :         /* this is the highest version available
    1185             :          * to the peer. (advertized version).
    1186             :          * This is obtained by the Handshake Client Hello
    1187             :          * message. (some implementations read the Record version)
    1188             :          */
    1189             :         uint8_t adv_version_major;
    1190             :         uint8_t adv_version_minor;
    1191             : 
    1192             :         /* if this is non zero a certificate request message
    1193             :          * will be sent to the client. - only if the ciphersuite
    1194             :          * supports it. In server side it contains GNUTLS_CERT_REQUIRE
    1195             :          * or similar.
    1196             :          */
    1197             :         gnutls_certificate_request_t send_cert_req;
    1198             : 
    1199             :         size_t max_handshake_data_buffer_size;
    1200             : 
    1201             :         /* PUSH & PULL functions.
    1202             :          */
    1203             :         gnutls_pull_timeout_func pull_timeout_func;
    1204             :         gnutls_pull_func pull_func;
    1205             :         gnutls_push_func push_func;
    1206             :         gnutls_vec_push_func vec_push_func;
    1207             :         gnutls_errno_func errno_func;
    1208             :         /* Holds the first argument of PUSH and PULL
    1209             :          * functions;
    1210             :          */
    1211             :         gnutls_transport_ptr_t transport_recv_ptr;
    1212             :         gnutls_transport_ptr_t transport_send_ptr;
    1213             : 
    1214             :         /* STORE & RETRIEVE functions. Only used if other
    1215             :          * backend than gdbm is used.
    1216             :          */
    1217             :         gnutls_db_store_func db_store_func;
    1218             :         gnutls_db_retr_func db_retrieve_func;
    1219             :         gnutls_db_remove_func db_remove_func;
    1220             :         void *db_ptr;
    1221             : 
    1222             :         /* post client hello callback (server side only)
    1223             :          */
    1224             :         gnutls_handshake_post_client_hello_func user_hello_func;
    1225             :         /* handshake hook function */
    1226             :         gnutls_handshake_hook_func h_hook;
    1227             :         unsigned int h_type;    /* the hooked type */
    1228             :         int16_t h_post;         /* whether post-generation/receive */
    1229             : 
    1230             :         gnutls_keylog_func keylog_func;
    1231             : 
    1232             :         /* holds the selected certificate and key.
    1233             :          * use _gnutls_selected_certs_deinit() and _gnutls_selected_certs_set()
    1234             :          * to change them.
    1235             :          */
    1236             :         gnutls_pcert_st *selected_cert_list;
    1237             :         uint16_t selected_cert_list_length;
    1238             :         struct gnutls_privkey_st *selected_key;
    1239             : 
    1240             :         /* new callbacks such as gnutls_certificate_retrieve_function3
    1241             :          * set the selected_ocsp datum values. The older OCSP callback-based
    1242             :          * functions, set the ocsp_func. The former takes precedence when
    1243             :          * set.
    1244             :          */
    1245             :         gnutls_ocsp_data_st *selected_ocsp;
    1246             :         uint16_t selected_ocsp_length;
    1247             :         gnutls_status_request_ocsp_func selected_ocsp_func;
    1248             :         void *selected_ocsp_func_ptr;
    1249             :         bool selected_need_free;
    1250             : 
    1251             : 
    1252             :         /* This holds the default version that our first
    1253             :          * record packet will have. */
    1254             :         uint8_t default_record_version[2];
    1255             :         uint8_t default_hello_version[2];
    1256             : 
    1257             :         void *user_ptr;
    1258             : 
    1259             :         /* Holds 0 if the last called function was interrupted while
    1260             :          * receiving, and non zero otherwise.
    1261             :          */
    1262             :         bool direction;
    1263             : 
    1264             :         /* If non zero the server will not advertise the CA's he
    1265             :          * trusts (do not send an RDN sequence).
    1266             :          */
    1267             :         bool ignore_rdn_sequence;
    1268             : 
    1269             :         /* This is used to set an arbitrary version in the RSA
    1270             :          * PMS secret. Can be used by clients to test whether the
    1271             :          * server checks that version. (** only used in gnutls-cli-debug)
    1272             :          */
    1273             :         uint8_t rsa_pms_version[2];
    1274             : 
    1275             :         /* To avoid using global variables, and especially on Windows where
    1276             :          * the application may use a different errno variable than GnuTLS,
    1277             :          * it is possible to use gnutls_transport_set_errno to set a
    1278             :          * session-specific errno variable in the user-replaceable push/pull
    1279             :          * functions.  This value is used by the send/recv functions.  (The
    1280             :          * strange name of this variable is because 'errno' is typically
    1281             :          * #define'd.)
    1282             :          */
    1283             :         int errnum;
    1284             : 
    1285             :         /* A handshake process has been completed */
    1286             :         bool initial_negotiation_completed;
    1287             :         void *post_negotiation_lock; /* protects access to the variable above
    1288             :                                       * in the cases where negotiation is incomplete
    1289             :                                       * after gnutls_handshake() - early/false start */
    1290             : 
    1291             :         /* The type of transport protocol; stream or datagram */
    1292             :         transport_t transport;
    1293             : 
    1294             :         /* DTLS session state */
    1295             :         dtls_st dtls;
    1296             :         /* Protect from infinite loops due to GNUTLS_E_LARGE_PACKET non-handling
    1297             :          * or due to multiple alerts being received. */
    1298             :         unsigned handshake_suspicious_loops;
    1299             :         /* should be non-zero when a handshake is in progress */
    1300             :         bool handshake_in_progress;
    1301             : 
    1302             :         /* if set it means that the master key was set using
    1303             :          * gnutls_session_set_master() rather than being negotiated. */
    1304             :         bool premaster_set;
    1305             : 
    1306             :         unsigned int cb_tls_unique_len;
    1307             :         unsigned char cb_tls_unique[MAX_VERIFY_DATA_SIZE];
    1308             : 
    1309             :         /* starting time of current handshake */
    1310             :         struct timespec handshake_start_time;
    1311             : 
    1312             :         /* expected end time of current handshake (start+timeout);
    1313             :          * this is only filled if a handshake_time_ms is set. */
    1314             :         struct timespec handshake_abs_timeout;
    1315             : 
    1316             :         /* An estimation of round-trip time under TLS1.3; populated in client side only */
    1317             :         unsigned ertt;
    1318             : 
    1319             :         unsigned int handshake_timeout_ms;      /* timeout in milliseconds */
    1320             :         unsigned int record_timeout_ms; /* timeout in milliseconds */
    1321             : 
    1322             :         /* saved context of post handshake certificate request. In
    1323             :          * client side is what we received in server's certificate request;
    1324             :          * in server side is what we sent to client. */
    1325             :         gnutls_datum_t post_handshake_cr_context;
    1326             :         /* it is a copy of the handshake hash buffer if post handshake is used */
    1327             :         gnutls_buffer_st post_handshake_hash_buffer;
    1328             : 
    1329             : /* When either of PSK or DHE-PSK is received */
    1330             : #define HSK_PSK_KE_MODES_RECEIVED (HSK_PSK_KE_MODE_PSK|HSK_PSK_KE_MODE_DHE_PSK|HSK_PSK_KE_MODE_INVALID)
    1331             : 
    1332             : #define HSK_CRT_VRFY_EXPECTED 1
    1333             : #define HSK_CRT_ASKED (1<<2)
    1334             : #define HSK_HRR_SENT (1<<3)
    1335             : #define HSK_HRR_RECEIVED (1<<4)
    1336             : #define HSK_CRT_REQ_SENT (1<<5)
    1337             : #define HSK_KEY_UPDATE_ASKED (1<<7) /* flag is not used during handshake */
    1338             : #define HSK_FALSE_START_USED (1<<8) /* TLS1.2 only */
    1339             : #define HSK_HAVE_FFDHE (1<<9) /* whether the peer has advertized at least an FFDHE group */
    1340             : #define HSK_USED_FFDHE (1<<10) /* whether ffdhe was actually negotiated and used */
    1341             : #define HSK_PSK_KE_MODES_SENT (1<<11)
    1342             : #define HSK_PSK_KE_MODE_PSK (1<<12) /* client: whether PSK without DH is allowed,
    1343             :                                      * server: whether PSK without DH is selected. */
    1344             : #define HSK_PSK_KE_MODE_INVALID (1<<13) /* server: no compatible PSK modes were seen */
    1345             : #define HSK_PSK_KE_MODE_DHE_PSK (1<<14) /* server: whether PSK with DH is selected
    1346             :                                          * client: whether PSK with DH is allowed
    1347             :                                          */
    1348             : #define HSK_PSK_SELECTED (1<<15) /* server: whether PSK was selected, either for resumption or not;
    1349             :                                   *         on resumption session->internals.resumed will be set as well.
    1350             :                                   * client: the same */
    1351             : #define HSK_KEY_SHARE_SENT (1<<16) /* server: key share was sent to client */
    1352             : #define HSK_KEY_SHARE_RECEIVED (1<<17) /* client: key share was received
    1353             :                                         * server: key share was received and accepted */
    1354             : #define HSK_TLS13_TICKET_SENT (1<<18) /* client: sent a ticket under TLS1.3;
    1355             :                                          * server: a ticket was sent to client.
    1356             :                                          */
    1357             : #define HSK_TLS12_TICKET_SENT (1<<19) /* client: sent a ticket under TLS1.2;
    1358             :                                        * server: a ticket was sent to client.
    1359             :                                        */
    1360             : #define HSK_TICKET_RECEIVED (1<<20) /* client: a session ticket was received */
    1361             : #define HSK_EARLY_START_USED (1<<21)
    1362             : #define HSK_EARLY_DATA_IN_FLIGHT (1<<22) /* client: sent early_data extension in ClientHello
    1363             :                                           * server: early_data extension was seen in ClientHello
    1364             :                                           */
    1365             : #define HSK_EARLY_DATA_ACCEPTED (1<<23) /* client: early_data extension was seen in EncryptedExtensions
    1366             :                                          * server: intend to process early data
    1367             :                                          */
    1368             : #define HSK_RECORD_SIZE_LIMIT_NEGOTIATED (1<<24)
    1369             : #define HSK_RECORD_SIZE_LIMIT_SENT (1<<25) /* record_size_limit extension was sent */
    1370             : #define HSK_RECORD_SIZE_LIMIT_RECEIVED (1<<26) /* server: record_size_limit extension was seen but not accepted yet */
    1371             : #define HSK_OCSP_REQUESTED (1<<27) /* server: client requested OCSP stapling */
    1372             : #define HSK_CLIENT_OCSP_REQUESTED (1<<28) /* client: server requested OCSP stapling */
    1373             : #define HSK_SERVER_HELLO_RECEIVED (1<<29) /* client: Server Hello message has been received */
    1374             : 
    1375             :         /* The hsk_flags are for use within the ongoing handshake;
    1376             :          * they are reset to zero prior to handshake start by gnutls_handshake. */
    1377             :         unsigned hsk_flags;
    1378             :         struct timespec last_key_update;
    1379             :         unsigned key_update_count;
    1380             :         /* Read-only pointer to the full ClientHello message */
    1381             :         gnutls_buffer_st full_client_hello;
    1382             :         /* The offset at which extensions start in the ClientHello buffer */
    1383             :         int extensions_offset;
    1384             : 
    1385             :         gnutls_buffer_st hb_local_data;
    1386             :         gnutls_buffer_st hb_remote_data;
    1387             :         struct timespec hb_ping_start;  /* timestamp: when first HeartBeat ping was sent */
    1388             :         struct timespec hb_ping_sent;   /* timestamp: when last HeartBeat ping was sent */
    1389             :         unsigned int hb_actual_retrans_timeout_ms;      /* current timeout, in milliseconds */
    1390             :         unsigned int hb_retrans_timeout_ms;     /* the default timeout, in milliseconds */
    1391             :         unsigned int hb_total_timeout_ms;       /* the total timeout, in milliseconds */
    1392             : 
    1393             :         bool ocsp_check_ok;     /* will be zero if the OCSP response TLS extension
    1394             :                                          * check failed (OCSP was old/unrelated or so). */
    1395             : 
    1396             :         heartbeat_state_t hb_state;     /* for ping */
    1397             : 
    1398             :         recv_state_t recv_state;        /* state of the receive function */
    1399             : 
    1400             :         /* if set, server and client random were set by the application */
    1401             :         bool sc_random_set;
    1402             : 
    1403             : #define INT_FLAG_NO_TLS13 (1LL<<60)
    1404             :         uint64_t flags; /* the flags in gnutls_init() and GNUTLS_INT_FLAGS */
    1405             : 
    1406             :         /* a verify callback to override the verify callback from the credentials
    1407             :          * structure */
    1408             :         gnutls_certificate_verify_function *verify_callback;
    1409             :         gnutls_typed_vdata_st *vc_data;
    1410             :         gnutls_typed_vdata_st vc_sdata;
    1411             :         unsigned vc_elements;
    1412             :         unsigned vc_status;
    1413             :         unsigned int additional_verify_flags; /* may be set by priorities or the vc functions */
    1414             : 
    1415             :         /* we append the verify flags because these can be set,
    1416             :          * either by this function or by gnutls_session_set_verify_cert().
    1417             :          * However, we ensure that a single profile is set. */
    1418             : #define ADD_PROFILE_VFLAGS(session, vflags) do { \
    1419             :         if ((session->internals.additional_verify_flags & GNUTLS_VFLAGS_PROFILE_MASK) && \
    1420             :             (vflags & GNUTLS_VFLAGS_PROFILE_MASK)) \
    1421             :                 session->internals.additional_verify_flags &= ~GNUTLS_VFLAGS_PROFILE_MASK; \
    1422             :         session->internals.additional_verify_flags |= vflags; \
    1423             :         } while(0)
    1424             : 
    1425             :         /* the SHA256 hash of the peer's certificate */
    1426             :         uint8_t cert_hash[32];
    1427             :         bool cert_hash_set;
    1428             : 
    1429             :         /* The saved username from PSK or SRP auth */
    1430             :         char saved_username[MAX_USERNAME_SIZE+1];
    1431             :         int saved_username_size;
    1432             : 
    1433             :         /* Needed for TCP Fast Open (TFO), set by gnutls_transport_set_fastopen() */
    1434             :         tfo_st tfo;
    1435             : 
    1436             :         struct gnutls_supplemental_entry_st *rsup;
    1437             :         unsigned rsup_size;
    1438             : 
    1439             :         struct hello_ext_entry_st *rexts;
    1440             :         unsigned rexts_size;
    1441             : 
    1442             :         struct { /* ext_data[id] contains data for extension_t id */
    1443             :                 gnutls_ext_priv_data_t priv;
    1444             :                 gnutls_ext_priv_data_t resumed_priv;
    1445             :                 uint8_t set;
    1446             :                 uint8_t resumed_set;
    1447             :         } ext_data[MAX_EXT_TYPES];
    1448             : 
    1449             :         /* In case of a client holds the extensions we sent to the peer;
    1450             :          * otherwise the extensions we received from the client. This is
    1451             :          * an OR of (1<<extensions_t values).
    1452             :          */
    1453             :         ext_track_t used_exts;
    1454             : 
    1455             :         gnutls_ext_flags_t ext_msg; /* accessed through _gnutls_ext_get/set_msg() */
    1456             : 
    1457             :         /* this is not the negotiated max_record_recv_size, but the actual maximum
    1458             :          * receive size */
    1459             :         unsigned max_recv_size;
    1460             : 
    1461             :         /* candidate groups to be selected for security params groups, they are
    1462             :          * prioritized in isolation under TLS1.2 */
    1463             :         const gnutls_group_entry_st *cand_ec_group;
    1464             :         const gnutls_group_entry_st *cand_dh_group;
    1465             :         /* used under TLS1.3+ */
    1466             :         const gnutls_group_entry_st *cand_group;
    1467             : 
    1468             :         /* the ciphersuite received in HRR */
    1469             :         uint8_t hrr_cs[2];
    1470             : 
    1471             :         /* this is only used under TLS1.2 or earlier */
    1472             :         int session_ticket_renew;
    1473             : 
    1474             :         tls13_ticket_st tls13_ticket;
    1475             : 
    1476             :         /* the amount of early data received so far */
    1477             :         uint32_t early_data_received;
    1478             : 
    1479             :         /* anti-replay measure for 0-RTT mode */
    1480             :         gnutls_anti_replay_t anti_replay;
    1481             : 
    1482             :         /* Protects _gnutls_epoch_gc() from _gnutls_epoch_get(); these may be
    1483             :          * called in parallel when false start is used and false start is used. */
    1484             :         void *epoch_lock;
    1485             : 
    1486             :         /* If you add anything here, check _gnutls_handshake_internal_state_clear().
    1487             :          */
    1488             : } internals_st;
    1489             : 
    1490             : /* Maximum number of epochs we keep around. */
    1491             : #define MAX_EPOCH_INDEX 4
    1492             : 
    1493             : #define reset_cand_groups(session) \
    1494             :         session->internals.cand_ec_group = session->internals.cand_dh_group = \
    1495             :                 session->internals.cand_group = NULL
    1496             : 
    1497             : struct gnutls_session_int {
    1498             :         security_parameters_st security_parameters;
    1499             :         record_parameters_st *record_parameters[MAX_EPOCH_INDEX];
    1500             :         internals_st internals;
    1501             :         gnutls_key_st key;
    1502             : };
    1503             : 
    1504             : 
    1505             : /* functions
    1506             :  */
    1507             : void _gnutls_free_auth_info(gnutls_session_t session);
    1508             : 
    1509             : /* These two macros return the advertised TLS version of
    1510             :  * the peer.
    1511             :  */
    1512             : #define _gnutls_get_adv_version_major(session) \
    1513             :         session->internals.adv_version_major
    1514             : 
    1515             : #define _gnutls_get_adv_version_minor(session) \
    1516             :         session->internals.adv_version_minor
    1517             : 
    1518             : #define set_adv_version(session, major, minor) \
    1519             :         session->internals.adv_version_major = major; \
    1520             :         session->internals.adv_version_minor = minor
    1521             : 
    1522             : int _gnutls_is_secure_mem_null(const void *);
    1523             : 
    1524   220741840 : inline static const version_entry_st *get_version(gnutls_session_t session)
    1525             : {
    1526   220741840 :         return session->security_parameters.pversion;
    1527             : }
    1528             : 
    1529       14962 : inline static unsigned get_num_version(gnutls_session_t session)
    1530             : {
    1531       14962 :         if (likely(session->security_parameters.pversion != NULL))
    1532       14962 :                 return session->security_parameters.pversion->id;
    1533             :         else
    1534             :                 return GNUTLS_VERSION_UNKNOWN;
    1535             : }
    1536             : 
    1537             : void _gnutls_priority_update_fips(void);
    1538             : void _gnutls_priority_update_non_aesni(void);
    1539             : extern unsigned _gnutls_disable_tls13;
    1540             : 
    1541             : #define timespec_sub_ms _gnutls_timespec_sub_ms
    1542             : unsigned int
    1543             : /* returns a-b in ms */
    1544             :  timespec_sub_ms(struct timespec *a, struct timespec *b);
    1545             : 
    1546          80 : inline static int _gnutls_timespec_cmp(struct timespec *a, struct timespec *b) {
    1547          80 :         if (a->tv_sec < b->tv_sec)
    1548             :                 return -1;
    1549          79 :         if (a->tv_sec > b->tv_sec)
    1550             :                 return 1;
    1551          76 :         if (a->tv_nsec < b->tv_nsec)
    1552             :                 return -1;
    1553          65 :         if (a->tv_nsec > b->tv_nsec)
    1554          22 :                 return 1;
    1555             :         return 0;
    1556             : }
    1557             : 
    1558             : #include <algorithms.h>
    1559       30646 : inline static int _gnutls_set_current_version(gnutls_session_t s, unsigned v)
    1560             : {
    1561       30646 :         s->security_parameters.pversion = version_to_entry(v);
    1562       30646 :         if (s->security_parameters.pversion == NULL) {
    1563           0 :                 return GNUTLS_E_UNSUPPORTED_VERSION_PACKET;
    1564             :         }
    1565             :         return 0;
    1566             : }
    1567             : 
    1568             : /* Returns the maximum amount of the plaintext to be sent, considering
    1569             :  * both user-specified/negotiated maximum values.
    1570             :  */
    1571     2515020 : inline static size_t max_record_send_size(gnutls_session_t session,
    1572             :                                           record_parameters_st *
    1573             :                                           record_params)
    1574             : {
    1575     2515020 :         size_t max;
    1576             : 
    1577     2515020 :         max = MIN(session->security_parameters.max_record_send_size,
    1578             :                   session->security_parameters.max_user_record_send_size);
    1579             : 
    1580     2515020 :         if (IS_DTLS(session))
    1581       10018 :                 max = MIN(gnutls_dtls_get_data_mtu(session), max);
    1582             : 
    1583     2515020 :         return max;
    1584             : }
    1585             : 
    1586             : /* Returns the during the handshake negotiated certificate type(s).
    1587             :  * See state.c for the full function documentation.
    1588             :  *
    1589             :  * This function is made static inline for optimization reasons.
    1590             :  */
    1591             : inline static gnutls_certificate_type_t
    1592       51256 : get_certificate_type(gnutls_session_t session,
    1593             :                      gnutls_ctype_target_t target)
    1594             : {
    1595       51256 :         switch (target) {
    1596        7260 :                 case GNUTLS_CTYPE_CLIENT:
    1597        7738 :                         return session->security_parameters.client_ctype;
    1598       37888 :                         break;
    1599       23354 :                 case GNUTLS_CTYPE_SERVER:
    1600       37888 :                         return session->security_parameters.server_ctype;
    1601         961 :                         break;
    1602         961 :                 case GNUTLS_CTYPE_OURS:
    1603         961 :                         if (IS_SERVER(session)) {
    1604         482 :                                 return session->security_parameters.server_ctype;
    1605             :                         } else {
    1606         479 :                                 return session->security_parameters.client_ctype;
    1607             :                         }
    1608       11026 :                         break;
    1609       11026 :                 case GNUTLS_CTYPE_PEERS:
    1610       11026 :                         if (IS_SERVER(session)) {
    1611        8374 :                                 return session->security_parameters.client_ctype;
    1612             :                         } else {
    1613        2652 :                                 return session->security_parameters.server_ctype;
    1614             :                         }
    1615             :                         break;
    1616             :                 default:        // Illegal parameter passed
    1617             :                         return GNUTLS_CRT_UNKNOWN;
    1618             :         }
    1619             : }
    1620             : 
    1621             : /* Macros to aide constant time/mem checks */
    1622             : #define CONSTCHECK_NOT_EQUAL(a, b) ((-((uint32_t)(a) ^ (uint32_t)(b))) >> 31)
    1623             : #define CONSTCHECK_EQUAL(a, b) (1U - CONSTCHECK_NOT_EQUAL(a, b))
    1624             : 
    1625             : extern unsigned int _gnutls_global_version;
    1626             : 
    1627             : #endif /* GNUTLS_LIB_GNUTLS_INT_H */

Generated by: LCOV version 1.14