Line data Source code
1 : /*
2 : * Copyright (C) 2000-2016 Free Software Foundation, Inc.
3 : * Copyright (C) 2015-2018 Red Hat, Inc.
4 : *
5 : * Author: Nikos Mavrogiannopoulos
6 : *
7 : * This file is part of GnuTLS.
8 : *
9 : * The GnuTLS is free software; you can redistribute it and/or
10 : * modify it under the terms of the GNU Lesser General Public License
11 : * as published by the Free Software Foundation; either version 2.1 of
12 : * the License, or (at your option) any later version.
13 : *
14 : * This library is distributed in the hope that it will be useful, but
15 : * WITHOUT ANY WARRANTY; without even the implied warranty of
16 : * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 : * Lesser General Public License for more details.
18 : *
19 : * You should have received a copy of the GNU Lesser General Public License
20 : * along with this program. If not, see <https://www.gnu.org/licenses/>
21 : *
22 : */
23 :
24 : /* Functions that relate to the TLS handshake procedure.
25 : */
26 :
27 : #include "gnutls_int.h"
28 : #include "errors.h"
29 : #include "dh.h"
30 : #include "debug.h"
31 : #include "algorithms.h"
32 : #include "cipher.h"
33 : #include "buffers.h"
34 : #include "mbuffers.h"
35 : #include "kx.h"
36 : #include "handshake.h"
37 : #include "num.h"
38 : #include "hash_int.h"
39 : #include "db.h"
40 : #include "hello_ext.h"
41 : #include "supplemental.h"
42 : #include "auth.h"
43 : #include "sslv2_compat.h"
44 : #include <auth/cert.h>
45 : #include "constate.h"
46 : #include <record.h>
47 : #include <state.h>
48 : #include <ext/pre_shared_key.h>
49 : #include <ext/srp.h>
50 : #include <ext/session_ticket.h>
51 : #include <ext/status_request.h>
52 : #include <ext/safe_renegotiation.h>
53 : #include <auth/anon.h> /* for gnutls_anon_server_credentials_t */
54 : #include <auth/psk.h> /* for gnutls_psk_server_credentials_t */
55 : #include <random.h>
56 : #include <dtls.h>
57 : #include "secrets.h"
58 : #include "tls13/session_ticket.h"
59 : #include "locks.h"
60 : #ifdef HAVE_VALGRIND_MEMCHECK_H
61 : #include <valgrind/memcheck.h>
62 : #endif
63 :
64 : #define TRUE 1
65 : #define FALSE 0
66 :
67 : static int check_if_null_comp_present(gnutls_session_t session,
68 : uint8_t * data, int datalen);
69 : static int handshake_client(gnutls_session_t session);
70 : static int handshake_server(gnutls_session_t session);
71 :
72 : static int
73 : read_server_hello(gnutls_session_t session,
74 : uint8_t * data, int datalen);
75 :
76 : static int
77 : recv_handshake_final(gnutls_session_t session, int init);
78 : static int
79 : send_handshake_final(gnutls_session_t session, int init);
80 :
81 : /* Empties but does not free the buffer
82 : */
83 : inline static void
84 60745 : handshake_hash_buffer_reset(gnutls_session_t session)
85 : {
86 60745 : _gnutls_buffers_log("BUF[HSK]: Emptied buffer\n");
87 :
88 60745 : session->internals.handshake_hash_buffer_client_hello_len = 0;
89 60745 : session->internals.handshake_hash_buffer_client_kx_len = 0;
90 60745 : session->internals.handshake_hash_buffer_server_finished_len = 0;
91 60745 : session->internals.handshake_hash_buffer_client_finished_len = 0;
92 60745 : session->internals.handshake_hash_buffer_prev_len = 0;
93 60745 : session->internals.handshake_hash_buffer.length = 0;
94 60745 : session->internals.full_client_hello.length = 0;
95 60745 : return;
96 : }
97 :
98 : static int
99 : handshake_hash_add_recvd(gnutls_session_t session,
100 : gnutls_handshake_description_t recv_type,
101 : uint8_t * header, uint16_t header_size,
102 : uint8_t * dataptr, uint32_t datalen);
103 :
104 : static int
105 : handshake_hash_add_sent(gnutls_session_t session,
106 : gnutls_handshake_description_t type,
107 : uint8_t * dataptr, uint32_t datalen);
108 :
109 : static int
110 : recv_hello_verify_request(gnutls_session_t session,
111 : uint8_t * data, int datalen);
112 :
113 :
114 : /* Clears the handshake hash buffers and handles.
115 : */
116 60475 : void _gnutls_handshake_hash_buffers_clear(gnutls_session_t session)
117 : {
118 60475 : handshake_hash_buffer_reset(session);
119 60475 : _gnutls_buffer_clear(&session->internals.handshake_hash_buffer);
120 60475 : _gnutls_buffer_clear(&session->internals.full_client_hello);
121 60475 : }
122 :
123 : /* Replace handshake message buffer, with the special synthetic message
124 : * needed by TLS1.3 when HRR is sent. */
125 243 : int _gnutls13_handshake_hash_buffers_synth(gnutls_session_t session,
126 : const mac_entry_st *prf,
127 : unsigned client)
128 : {
129 243 : int ret;
130 243 : uint8_t hdata[4+MAX_HASH_SIZE];
131 243 : size_t length;
132 :
133 243 : if (client)
134 24 : length = session->internals.handshake_hash_buffer_prev_len;
135 : else
136 219 : length = session->internals.handshake_hash_buffer.length;
137 :
138 : /* calculate hash */
139 243 : hdata[0] = 254;
140 243 : _gnutls_write_uint24(prf->output_size, &hdata[1]);
141 :
142 486 : ret = gnutls_hash_fast((gnutls_digest_algorithm_t)prf->id,
143 243 : session->internals.handshake_hash_buffer.data,
144 : length, hdata+4);
145 243 : if (ret < 0)
146 0 : return gnutls_assert_val(ret);
147 :
148 243 : handshake_hash_buffer_reset(session);
149 :
150 243 : ret =
151 486 : _gnutls_buffer_append_data(&session->internals.
152 : handshake_hash_buffer,
153 243 : hdata, prf->output_size+4);
154 243 : if (ret < 0)
155 0 : return gnutls_assert_val(ret);
156 :
157 243 : _gnutls_buffers_log("BUF[HSK]: Replaced handshake buffer with synth message (%d bytes)\n",
158 : prf->output_size+4);
159 :
160 : return 0;
161 : }
162 :
163 : /* this will copy the required values for resuming to
164 : * internals, and to security_parameters.
165 : * this will keep as less data to security_parameters.
166 : */
167 782 : static int tls12_resume_copy_required_vals(gnutls_session_t session, unsigned ticket)
168 : {
169 782 : int ret;
170 :
171 : /* get the new random values */
172 782 : memcpy(session->internals.resumed_security_parameters.
173 782 : server_random, session->security_parameters.server_random,
174 : GNUTLS_RANDOM_SIZE);
175 782 : memcpy(session->internals.resumed_security_parameters.
176 782 : client_random, session->security_parameters.client_random,
177 : GNUTLS_RANDOM_SIZE);
178 :
179 : /* keep the ciphersuite and compression
180 : * That is because the client must see these in our
181 : * hello message.
182 : */
183 1564 : ret = _gnutls_set_cipher_suite2(session,
184 : session->internals.
185 782 : resumed_security_parameters.
186 : cs);
187 782 : if (ret < 0)
188 0 : return gnutls_assert_val(ret);
189 :
190 : /* or write_compression_algorithm
191 : * they are the same
192 : */
193 :
194 782 : session->security_parameters.entity =
195 782 : session->internals.resumed_security_parameters.entity;
196 :
197 782 : if (session->internals.resumed_security_parameters.pversion ==
198 : NULL)
199 0 : return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
200 :
201 1564 : if (_gnutls_set_current_version(session,
202 : session->internals.
203 782 : resumed_security_parameters.pversion->
204 : id) < 0)
205 0 : return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
206 :
207 782 : session->security_parameters.client_ctype =
208 782 : session->internals.resumed_security_parameters.client_ctype;
209 782 : session->security_parameters.server_ctype =
210 782 : session->internals.resumed_security_parameters.server_ctype;
211 :
212 782 : if (!ticket) {
213 487 : memcpy(session->security_parameters.session_id,
214 487 : session->internals.resumed_security_parameters.session_id,
215 : sizeof(session->security_parameters.session_id));
216 487 : session->security_parameters.session_id_size =
217 487 : session->internals.resumed_security_parameters.session_id_size;
218 : }
219 :
220 : return 0;
221 : }
222 :
223 19134 : void _gnutls_set_client_random(gnutls_session_t session, uint8_t * rnd)
224 : {
225 19134 : memcpy(session->security_parameters.client_random, rnd,
226 : GNUTLS_RANDOM_SIZE);
227 19134 : }
228 :
229 : static
230 3696 : int _gnutls_gen_client_random(gnutls_session_t session)
231 : {
232 3696 : int ret;
233 :
234 : /* no random given, we generate. */
235 3696 : if (session->internals.sc_random_set != 0) {
236 8 : memcpy(session->security_parameters.client_random,
237 : session->internals.
238 8 : resumed_security_parameters.client_random,
239 : GNUTLS_RANDOM_SIZE);
240 : } else {
241 7376 : ret = gnutls_rnd(GNUTLS_RND_NONCE,
242 3688 : session->security_parameters.client_random,
243 : GNUTLS_RANDOM_SIZE);
244 3688 : if (ret < 0)
245 0 : return gnutls_assert_val(ret);
246 : }
247 :
248 : #ifdef HAVE_VALGRIND_MEMCHECK_H
249 : if (RUNNING_ON_VALGRIND)
250 : VALGRIND_MAKE_MEM_DEFINED(session->security_parameters.client_random,
251 : GNUTLS_RANDOM_SIZE);
252 : #endif
253 :
254 : return 0;
255 : }
256 :
257 : static
258 2969 : int _gnutls_set_server_random(gnutls_session_t session, const version_entry_st *vers, uint8_t * rnd)
259 : {
260 2969 : const version_entry_st *max;
261 :
262 2969 : memcpy(session->security_parameters.server_random, rnd,
263 : GNUTLS_RANDOM_SIZE);
264 :
265 : /* check whether the server random value is set according to
266 : * to TLS 1.3. p4.1.3 requirements */
267 2969 : if (!IS_DTLS(session) && vers->id <= GNUTLS_TLS1_2 && have_creds_for_tls13(session)) {
268 :
269 1874 : max = _gnutls_version_max(session);
270 1874 : if (max->id <= GNUTLS_TLS1_2)
271 : return 0;
272 :
273 814 : if (vers->id == GNUTLS_TLS1_2 &&
274 702 : memcmp(&session->security_parameters.server_random[GNUTLS_RANDOM_SIZE-8],
275 : "\x44\x4F\x57\x4E\x47\x52\x44\x01", 8) == 0) {
276 :
277 2 : _gnutls_audit_log(session,
278 : "Detected downgrade to TLS 1.2 from TLS 1.3\n");
279 2 : return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
280 812 : } else if (vers->id <= GNUTLS_TLS1_1 &&
281 112 : memcmp(&session->security_parameters.server_random[GNUTLS_RANDOM_SIZE-8],
282 : "\x44\x4F\x57\x4E\x47\x52\x44\x00", 8) == 0) {
283 :
284 1 : _gnutls_audit_log(session,
285 : "Detected downgrade to TLS 1.1 or earlier from TLS 1.3\n");
286 1 : return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
287 : }
288 : }
289 :
290 : return 0;
291 : }
292 :
293 25262 : int _gnutls_gen_server_random(gnutls_session_t session, int version)
294 : {
295 25262 : int ret;
296 25262 : const version_entry_st *max;
297 :
298 25262 : if (session->internals.sc_random_set != 0) {
299 12 : memcpy(session->security_parameters.server_random,
300 : session->internals.
301 12 : resumed_security_parameters.server_random,
302 : GNUTLS_RANDOM_SIZE);
303 12 : return 0;
304 : }
305 :
306 25250 : max = _gnutls_version_max(session);
307 25250 : if (max == NULL)
308 0 : return gnutls_assert_val(GNUTLS_E_NO_CIPHER_SUITES);
309 :
310 25250 : if (!IS_DTLS(session) && max->id >= GNUTLS_TLS1_3 &&
311 : version <= GNUTLS_TLS1_2) {
312 13262 : if (version == GNUTLS_TLS1_2) {
313 11454 : memcpy(&session->security_parameters.server_random[GNUTLS_RANDOM_SIZE-8],
314 : "\x44\x4F\x57\x4E\x47\x52\x44\x01", 8);
315 : } else {
316 1808 : memcpy(&session->security_parameters.server_random[GNUTLS_RANDOM_SIZE-8],
317 : "\x44\x4F\x57\x4E\x47\x52\x44\x00", 8);
318 : }
319 13262 : ret =
320 13262 : gnutls_rnd(GNUTLS_RND_NONCE, session->security_parameters.server_random, GNUTLS_RANDOM_SIZE-8);
321 :
322 : } else {
323 11988 : ret =
324 11988 : gnutls_rnd(GNUTLS_RND_NONCE, session->security_parameters.server_random, GNUTLS_RANDOM_SIZE);
325 : }
326 :
327 25250 : if (ret < 0) {
328 0 : gnutls_assert();
329 0 : return ret;
330 : }
331 :
332 : #ifdef HAVE_VALGRIND_MEMCHECK_H
333 : if (RUNNING_ON_VALGRIND)
334 : VALGRIND_MAKE_MEM_DEFINED(session->security_parameters.server_random,
335 : GNUTLS_RANDOM_SIZE);
336 : #endif
337 :
338 : return 0;
339 : }
340 :
341 : #ifdef ENABLE_SSL3
342 : /* Calculate The SSL3 Finished message
343 : */
344 : #define SSL3_CLIENT_MSG "CLNT"
345 : #define SSL3_SERVER_MSG "SRVR"
346 : #define SSL_MSG_LEN 4
347 : static int
348 : _gnutls_ssl3_finished(gnutls_session_t session, int type, uint8_t * ret,
349 : int sending)
350 : {
351 : digest_hd_st td_md5;
352 : digest_hd_st td_sha;
353 : const char *mesg;
354 : int rc, len;
355 :
356 : if (sending)
357 : len = session->internals.handshake_hash_buffer.length;
358 : else
359 : len = session->internals.handshake_hash_buffer_prev_len;
360 :
361 : rc = _gnutls_hash_init(&td_sha, hash_to_entry(GNUTLS_DIG_SHA1));
362 : if (rc < 0)
363 : return gnutls_assert_val(rc);
364 :
365 : rc = _gnutls_hash_init(&td_md5, hash_to_entry(GNUTLS_DIG_MD5));
366 : if (rc < 0) {
367 : _gnutls_hash_deinit(&td_sha, NULL);
368 : return gnutls_assert_val(rc);
369 : }
370 :
371 : _gnutls_hash(&td_sha,
372 : session->internals.handshake_hash_buffer.data, len);
373 : _gnutls_hash(&td_md5,
374 : session->internals.handshake_hash_buffer.data, len);
375 :
376 : if (type == GNUTLS_SERVER)
377 : mesg = SSL3_SERVER_MSG;
378 : else
379 : mesg = SSL3_CLIENT_MSG;
380 :
381 : _gnutls_hash(&td_md5, mesg, SSL_MSG_LEN);
382 : _gnutls_hash(&td_sha, mesg, SSL_MSG_LEN);
383 :
384 : rc = _gnutls_mac_deinit_ssl3_handshake(&td_md5, ret,
385 : session->security_parameters.
386 : master_secret,
387 : GNUTLS_MASTER_SIZE);
388 : if (rc < 0) {
389 : _gnutls_hash_deinit(&td_md5, NULL);
390 : _gnutls_hash_deinit(&td_sha, NULL);
391 : return gnutls_assert_val(rc);
392 : }
393 :
394 : rc = _gnutls_mac_deinit_ssl3_handshake(&td_sha, &ret[16],
395 : session->security_parameters.
396 : master_secret,
397 : GNUTLS_MASTER_SIZE);
398 : if (rc < 0) {
399 : _gnutls_hash_deinit(&td_sha, NULL);
400 : return gnutls_assert_val(rc);
401 : }
402 :
403 : return 0;
404 : }
405 : #endif
406 :
407 : /* Hash the handshake messages as required by TLS 1.0
408 : */
409 : #define SERVER_MSG "server finished"
410 : #define CLIENT_MSG "client finished"
411 : #define TLS_MSG_LEN 15
412 : static int
413 17823 : _gnutls_finished(gnutls_session_t session, int type, void *ret,
414 : int sending)
415 : {
416 17823 : const int siz = TLS_MSG_LEN;
417 17823 : uint8_t concat[MAX_HASH_SIZE];
418 17823 : size_t hash_len;
419 17823 : const char *mesg;
420 17823 : int rc, len, algorithm;
421 :
422 17823 : if (sending)
423 8980 : len = session->internals.handshake_hash_buffer.length;
424 : else
425 8843 : len = session->internals.handshake_hash_buffer_prev_len;
426 :
427 17823 : algorithm = session->security_parameters.prf->id;
428 35646 : rc = _gnutls_hash_fast(algorithm,
429 : session->internals.
430 17823 : handshake_hash_buffer.data, len,
431 : concat);
432 17823 : if (rc < 0)
433 0 : return gnutls_assert_val(rc);
434 :
435 17823 : hash_len = session->security_parameters.prf->output_size;
436 :
437 17823 : if (type == GNUTLS_SERVER) {
438 : mesg = SERVER_MSG;
439 : } else {
440 8987 : mesg = CLIENT_MSG;
441 : }
442 :
443 17823 : return _gnutls_PRF(session,
444 17823 : session->security_parameters.master_secret,
445 : GNUTLS_MASTER_SIZE, mesg, siz, concat, hash_len,
446 : 12, ret);
447 : }
448 :
449 :
450 : /* returns the 0 on success or a negative error code.
451 : */
452 : int
453 20099 : _gnutls_negotiate_version(gnutls_session_t session,
454 : uint8_t major, uint8_t minor, unsigned allow_tls13)
455 : {
456 20099 : const version_entry_st *vers;
457 20099 : const version_entry_st *aversion = nversion_to_entry(major, minor);
458 :
459 : /* if we do not support that version, unless that version is TLS 1.2;
460 : * TLS 1.2 is handled separately because it is always advertized under TLS 1.3 or later */
461 39532 : if (aversion == NULL ||
462 19433 : _gnutls_nversion_is_supported(session, major, minor) == 0) {
463 :
464 2557 : if (aversion && aversion->id == GNUTLS_TLS1_2) {
465 1851 : vers = _gnutls_version_max(session);
466 1851 : if (unlikely(vers == NULL))
467 2 : return gnutls_assert_val(GNUTLS_E_NO_CIPHER_SUITES);
468 :
469 1849 : if (vers->id >= GNUTLS_TLS1_2) {
470 1830 : session->security_parameters.pversion = aversion;
471 1830 : return 0;
472 : }
473 : }
474 :
475 : /* if we get an unknown/unsupported version, then fail if the version we
476 : * got is too low to be supported */
477 725 : if (!_gnutls_version_is_too_high(session, major, minor))
478 116 : return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
479 :
480 : /* If he requested something we do not support
481 : * then we send him the highest we support.
482 : */
483 654 : vers = _gnutls_legacy_version_max(session);
484 654 : if (vers == NULL) {
485 : /* this check is not really needed.
486 : */
487 0 : gnutls_assert();
488 0 : return GNUTLS_E_UNKNOWN_CIPHER_SUITE;
489 : }
490 :
491 654 : session->security_parameters.pversion = vers;
492 :
493 654 : return 0;
494 : } else {
495 17542 : session->security_parameters.pversion = aversion;
496 :
497 : /* we do not allow TLS1.3 negotiation using this mechanism */
498 17542 : if (aversion->tls13_sem && !allow_tls13) {
499 11 : vers = _gnutls_legacy_version_max(session);
500 11 : session->security_parameters.pversion = vers;
501 : }
502 :
503 17542 : return 0;
504 : }
505 : }
506 :
507 : /* This function returns:
508 : * - zero on success
509 : * - GNUTLS_E_INT_RET_0 if GNUTLS_E_AGAIN || GNUTLS_E_INTERRUPTED were returned by the callback
510 : * - a negative error code on other error
511 : */
512 : int
513 18178 : _gnutls_user_hello_func(gnutls_session_t session,
514 : uint8_t major, uint8_t minor)
515 : {
516 18178 : int ret, sret = 0;
517 18178 : const version_entry_st *vers, *old_vers;
518 18178 : const version_entry_st *new_max;
519 :
520 18178 : if (session->internals.user_hello_func != NULL) {
521 226 : ret = session->internals.user_hello_func(session);
522 :
523 226 : if (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED) {
524 3 : gnutls_assert();
525 : sret = GNUTLS_E_INT_RET_0;
526 223 : } else if (ret < 0) {
527 2 : gnutls_assert();
528 2 : return ret;
529 : }
530 :
531 : /* This callback is often used to switch the priority string of the
532 : * server, and that includes switching version which we have already
533 : * negotiated; note that this doesn't apply when resuming as the version
534 : * negotiation is already complete. */
535 224 : if (session->internals.resumed != RESUME_TRUE) {
536 115 : new_max = _gnutls_version_max(session);
537 115 : old_vers = get_version(session);
538 :
539 115 : if (!old_vers->tls13_sem || (new_max && !new_max->tls13_sem)) {
540 : #if GNUTLS_TLS_VERSION_MAX != GNUTLS_TLS1_3
541 : # error "Need to update the following logic"
542 : #endif
543 : /* Here we need to renegotiate the version since the callee might
544 : * have disabled some TLS versions. This logic does not cope for
545 : * protocols later than TLS1.3 if they have the tls13_sem set */
546 63 : ret = _gnutls_negotiate_version(session, major, minor, 0);
547 63 : if (ret < 0)
548 0 : return gnutls_assert_val(ret);
549 :
550 63 : vers = get_version(session);
551 63 : if (old_vers != vers) {
552 : /* at this point we need to regenerate the random value to
553 : * avoid the peer detecting this session as a rollback
554 : * attempt. */
555 1 : ret = _gnutls_gen_server_random(session, vers->id);
556 1 : if (ret < 0)
557 0 : return gnutls_assert_val(ret);
558 : }
559 : }
560 : }
561 : }
562 : return sret;
563 : }
564 :
565 : /* Associates the right credential types for the session, and
566 : * performs sanity checks. */
567 17323 : static int set_auth_types(gnutls_session_t session)
568 : {
569 17323 : const version_entry_st *ver = get_version(session);
570 17323 : gnutls_kx_algorithm_t kx;
571 :
572 : /* sanity check:
573 : * we see TLS1.3 negotiated but no key share was sent */
574 17323 : if (ver->tls13_sem) {
575 5756 : if (unlikely(!(session->internals.hsk_flags & HSK_PSK_KE_MODE_PSK) &&
576 : !(session->internals.hsk_flags & HSK_KEY_SHARE_RECEIVED))) {
577 55 : return gnutls_assert_val(GNUTLS_E_MISSING_EXTENSION);
578 : }
579 :
580 : /* Under TLS1.3 this returns a KX which matches the negotiated
581 : * groups from the key shares; if we are resuming then the KX seen
582 : * here doesn't match the original session. */
583 5702 : if (session->internals.resumed == RESUME_FALSE)
584 5477 : kx = gnutls_kx_get(session);
585 : else
586 : kx = GNUTLS_KX_UNKNOWN;
587 : } else {
588 : /* TLS1.2 or earlier, kx is associated with ciphersuite */
589 11567 : kx = session->security_parameters.cs->kx_algorithm;
590 : }
591 :
592 17044 : if (kx != GNUTLS_KX_UNKNOWN) {
593 17044 : session->security_parameters.server_auth_type = _gnutls_map_kx_get_cred(kx, 1);
594 17044 : session->security_parameters.client_auth_type = _gnutls_map_kx_get_cred(kx, 0);
595 225 : } else if (unlikely(session->internals.resumed == RESUME_FALSE)) {
596 : /* Here we can only arrive if something we received
597 : * prevented the session from completing. */
598 0 : return gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
599 : }
600 :
601 : return 0;
602 : }
603 :
604 : /* Read a client hello packet.
605 : * A client hello must be a known version client hello
606 : * or version 2.0 client hello (only for compatibility
607 : * since SSL version 2.0 is not supported).
608 : */
609 : static int
610 18659 : read_client_hello(gnutls_session_t session, uint8_t * data,
611 : int datalen)
612 : {
613 18659 : uint8_t session_id_len;
614 18659 : int pos = 0, ret;
615 18659 : uint16_t suite_size, comp_size;
616 18659 : int ext_size;
617 18659 : int neg_version, sret = 0;
618 18659 : int len = datalen;
619 18659 : uint8_t major, minor;
620 18659 : uint8_t *suite_ptr, *comp_ptr, *session_id, *ext_ptr;
621 18659 : const version_entry_st *vers;
622 :
623 18659 : DECR_LEN(len, 2);
624 18653 : _gnutls_handshake_log("HSK[%p]: Client's version: %d.%d\n",
625 : session, data[pos], data[pos + 1]);
626 :
627 18653 : major = data[pos];
628 18653 : minor = data[pos+1];
629 :
630 18653 : set_adv_version(session, major, minor);
631 :
632 18653 : ret = _gnutls_negotiate_version(session, major, minor, 0);
633 18653 : if (ret < 0)
634 44 : return gnutls_assert_val(ret);
635 :
636 18619 : vers = get_version(session);
637 18619 : if (vers == NULL)
638 0 : return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
639 :
640 18619 : neg_version = vers->id;
641 :
642 18619 : pos += 2;
643 :
644 : /* Read client random value.
645 : */
646 18619 : DECR_LEN(len, GNUTLS_RANDOM_SIZE);
647 18613 : _gnutls_set_client_random(session, &data[pos]);
648 :
649 18613 : pos += GNUTLS_RANDOM_SIZE;
650 :
651 18613 : ret = _gnutls_gen_server_random(session, neg_version);
652 18613 : if (ret < 0)
653 0 : return gnutls_assert_val(ret);
654 :
655 18613 : session->security_parameters.timestamp = gnutls_time(NULL);
656 :
657 18613 : DECR_LEN(len, 1);
658 18610 : session_id_len = data[pos++];
659 :
660 : /* RESUME SESSION
661 : */
662 18610 : if (session_id_len > GNUTLS_MAX_SESSION_ID_SIZE) {
663 6 : gnutls_assert();
664 6 : return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
665 : }
666 18604 : DECR_LEN(len, session_id_len);
667 18601 : session_id = &data[pos];
668 18601 : pos += session_id_len;
669 :
670 18601 : if (IS_DTLS(session)) {
671 303 : int cookie_size;
672 :
673 303 : DECR_LEN(len, 1);
674 303 : cookie_size = data[pos++];
675 303 : DECR_LEN(len, cookie_size);
676 303 : pos += cookie_size;
677 : }
678 :
679 : /* move forward to extensions and store other vals */
680 18601 : DECR_LEN(len, 2);
681 18596 : suite_size = _gnutls_read_uint16(&data[pos]);
682 18596 : pos += 2;
683 :
684 18596 : if (suite_size == 0 || (suite_size % 2) != 0)
685 35 : return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
686 :
687 18577 : suite_ptr = &data[pos];
688 18577 : DECR_LEN(len, suite_size);
689 18552 : pos += suite_size;
690 :
691 18552 : DECR_LEN(len, 1);
692 18548 : comp_size = data[pos++]; /* the number of compression methods */
693 :
694 18548 : if (comp_size == 0)
695 3 : return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
696 :
697 18545 : comp_ptr = &data[pos];
698 18545 : DECR_LEN(len, comp_size);
699 18540 : pos += comp_size;
700 :
701 18540 : ext_ptr = &data[pos];
702 18540 : ext_size = len;
703 :
704 : /* Parse only the mandatory to read extensions for resumption
705 : * and version negotiation. We don't want to parse any other
706 : * extensions since we don't want new extension values to override
707 : * the resumed ones. */
708 18540 : ret =
709 18540 : _gnutls_parse_hello_extensions(session, GNUTLS_EXT_FLAG_CLIENT_HELLO,
710 : GNUTLS_EXT_VERSION_NEG,
711 : ext_ptr, ext_size);
712 18540 : if (ret < 0)
713 726 : return gnutls_assert_val(ret);
714 :
715 18107 : ret =
716 18107 : _gnutls_parse_hello_extensions(session, GNUTLS_EXT_FLAG_CLIENT_HELLO,
717 : GNUTLS_EXT_MANDATORY,
718 : ext_ptr, ext_size);
719 18107 : if (ret < 0)
720 644 : return gnutls_assert_val(ret);
721 :
722 17502 : vers = get_version(session);
723 17502 : if (unlikely(vers == NULL))
724 0 : return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
725 :
726 17502 : if (!vers->tls13_sem) {
727 11403 : ret =
728 11403 : _gnutls_server_restore_session(session, session_id,
729 : session_id_len);
730 :
731 11403 : if (session_id_len > 0)
732 1771 : session->internals.resumption_requested = 1;
733 :
734 11403 : if (ret == 0) { /* resumed using default TLS resumption! */
735 487 : ret = _gnutls_server_select_suite(session, suite_ptr, suite_size, 1);
736 487 : if (ret < 0)
737 0 : return gnutls_assert_val(ret);
738 :
739 487 : ret = tls12_resume_copy_required_vals(session, 0);
740 487 : if (ret < 0)
741 0 : return gnutls_assert_val(ret);
742 :
743 487 : session->internals.resumed = RESUME_TRUE;
744 :
745 487 : return _gnutls_user_hello_func(session, major, minor);
746 : } else {
747 10916 : ret = _gnutls_generate_session_id(session->security_parameters.
748 : session_id,
749 : &session->security_parameters.
750 : session_id_size);
751 10916 : if (ret < 0)
752 0 : return gnutls_assert_val(ret);
753 :
754 10916 : session->internals.resumed = RESUME_FALSE;
755 : }
756 : } else { /* TLS1.3 */
757 : /* we echo client's session ID - length was checked previously */
758 6099 : assert(session_id_len <= GNUTLS_MAX_SESSION_ID_SIZE);
759 6099 : if (session_id_len > 0)
760 3333 : memcpy(session->security_parameters.session_id, session_id, session_id_len);
761 6099 : session->security_parameters.session_id_size = session_id_len;
762 : }
763 :
764 : /* Parse the extensions (if any)
765 : *
766 : * Unconditionally try to parse extensions; safe renegotiation uses them in
767 : * sslv3 and higher, even though sslv3 doesn't officially support them.
768 : */
769 17015 : ret = _gnutls_parse_hello_extensions(session, GNUTLS_EXT_FLAG_CLIENT_HELLO,
770 : GNUTLS_EXT_APPLICATION,
771 : ext_ptr, ext_size);
772 : /* len is the rest of the parsed length */
773 17015 : if (ret < 0) {
774 3 : gnutls_assert();
775 3 : return ret;
776 : }
777 :
778 : /* we cache this error code */
779 17012 : sret = _gnutls_user_hello_func(session, major, minor);
780 17012 : if (sret < 0 && sret != GNUTLS_E_INT_RET_0) {
781 2 : gnutls_assert();
782 2 : return sret;
783 : }
784 :
785 : /* Session tickets are parsed in this point */
786 17010 : ret =
787 17010 : _gnutls_parse_hello_extensions(session, GNUTLS_EXT_FLAG_CLIENT_HELLO,
788 : GNUTLS_EXT_TLS, ext_ptr, ext_size);
789 17010 : if (ret < 0) {
790 833 : gnutls_assert();
791 833 : return ret;
792 : }
793 :
794 : /* resumed by session_ticket extension */
795 16177 : if (!vers->tls13_sem && session->internals.resumed != RESUME_FALSE) {
796 295 : session->internals.resumed_security_parameters.
797 295 : max_record_recv_size =
798 295 : session->security_parameters.max_record_recv_size;
799 295 : session->internals.resumed_security_parameters.
800 295 : max_record_send_size =
801 295 : session->security_parameters.max_record_send_size;
802 :
803 295 : ret = _gnutls_server_select_suite(session, suite_ptr, suite_size, 1);
804 295 : if (ret < 0)
805 0 : return gnutls_assert_val(ret);
806 :
807 295 : ret = tls12_resume_copy_required_vals(session, 1);
808 295 : if (ret < 0)
809 0 : return gnutls_assert_val(ret);
810 :
811 : /* to indicate to the client that the current session is resumed */
812 295 : memcpy(session->security_parameters.session_id, session_id, session_id_len);
813 295 : session->security_parameters.session_id_size = session_id_len;
814 :
815 295 : return 0;
816 : }
817 :
818 : /* select an appropriate cipher suite (as well as certificate)
819 : */
820 15882 : ret = _gnutls_server_select_suite(session, suite_ptr, suite_size, 0);
821 15882 : if (ret < 0) {
822 836 : gnutls_assert();
823 836 : return ret;
824 : }
825 :
826 : /* Only at this point we know the version we are actually going to use
827 : * ("supported_versions" extension is parsed, user_hello_func is called,
828 : * legacy version negotiation is done). */
829 15046 : vers = get_version(session);
830 15046 : if (unlikely(vers == NULL))
831 0 : return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
832 :
833 15046 : if (_gnutls_version_priority(session, vers->id) < 0)
834 1 : return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
835 :
836 15045 : _gnutls_handshake_log("HSK[%p]: Selected version %s\n", session, vers->name);
837 :
838 : /* select appropriate compression method */
839 15045 : ret =
840 15045 : check_if_null_comp_present(session, comp_ptr,
841 : comp_size);
842 15045 : if (ret < 0) {
843 17 : gnutls_assert();
844 17 : return ret;
845 : }
846 :
847 : /* call extensions that are intended to be parsed after the ciphersuite/cert
848 : * are known. */
849 15028 : ret =
850 15028 : _gnutls_parse_hello_extensions(session, GNUTLS_EXT_FLAG_CLIENT_HELLO,
851 : _GNUTLS_EXT_TLS_POST_CS, ext_ptr, ext_size);
852 15028 : if (ret < 0) {
853 360 : gnutls_assert();
854 360 : return ret;
855 : }
856 :
857 : /* Calculate TLS 1.3 Early Secret */
858 14668 : if (session->security_parameters.pversion->tls13_sem &&
859 5158 : !(session->internals.hsk_flags & HSK_PSK_SELECTED)) {
860 3698 : ret = _tls13_init_secret(session, NULL, 0);
861 3698 : if (ret < 0)
862 0 : return gnutls_assert_val(ret);
863 : }
864 :
865 14668 : ret = set_auth_types(session);
866 14668 : if (ret < 0) {
867 54 : gnutls_assert();
868 54 : return ret;
869 : }
870 :
871 : return sret;
872 : }
873 :
874 : /* This is to be called after sending CHANGE CIPHER SPEC packet
875 : * and initializing encryption. This is the first encrypted message
876 : * we send.
877 : */
878 9015 : int _gnutls_send_finished(gnutls_session_t session, int again)
879 : {
880 9015 : mbuffer_st *bufel;
881 9015 : uint8_t *data;
882 9015 : int ret;
883 9015 : size_t vdata_size = 0;
884 9015 : const version_entry_st *vers;
885 :
886 9015 : if (again == 0) {
887 8980 : bufel =
888 8980 : _gnutls_handshake_alloc(session,
889 : MAX_VERIFY_DATA_SIZE);
890 8980 : if (bufel == NULL) {
891 0 : gnutls_assert();
892 0 : return GNUTLS_E_MEMORY_ERROR;
893 : }
894 8980 : data = _mbuffer_get_udata_ptr(bufel);
895 :
896 8980 : vers = get_version(session);
897 8980 : if (unlikely(vers == NULL))
898 0 : return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
899 :
900 : #ifdef ENABLE_SSL3
901 : if (vers->id == GNUTLS_SSL3) {
902 : ret =
903 : _gnutls_ssl3_finished(session,
904 : session->
905 : security_parameters.
906 : entity, data, 1);
907 : _mbuffer_set_udata_size(bufel, 36);
908 : } else { /* TLS 1.0+ */
909 : #endif
910 17960 : ret = _gnutls_finished(session,
911 : session->
912 8980 : security_parameters.entity,
913 : data, 1);
914 8980 : _mbuffer_set_udata_size(bufel, 12);
915 : #ifdef ENABLE_SSL3
916 : }
917 : #endif
918 :
919 8980 : if (ret < 0) {
920 0 : gnutls_assert();
921 0 : return ret;
922 : }
923 :
924 8980 : vdata_size = _mbuffer_get_udata_size(bufel);
925 :
926 8980 : ret =
927 8980 : _gnutls_ext_sr_finished(session, data, vdata_size, 0);
928 8980 : if (ret < 0) {
929 0 : gnutls_assert();
930 0 : return ret;
931 : }
932 :
933 8980 : if ((session->internals.resumed == RESUME_FALSE
934 8084 : && session->security_parameters.entity ==
935 : GNUTLS_CLIENT)
936 7510 : || (session->internals.resumed != RESUME_FALSE
937 896 : && session->security_parameters.entity ==
938 : GNUTLS_SERVER)) {
939 : /* if we are a client not resuming - or we are a server resuming */
940 2252 : _gnutls_handshake_log
941 : ("HSK[%p]: recording tls-unique CB (send)\n",
942 : session);
943 2252 : memcpy(session->internals.cb_tls_unique, data,
944 : vdata_size);
945 2252 : session->internals.cb_tls_unique_len = vdata_size;
946 : }
947 :
948 8980 : ret =
949 8980 : _gnutls_send_handshake(session, bufel,
950 : GNUTLS_HANDSHAKE_FINISHED);
951 : } else {
952 35 : ret =
953 35 : _gnutls_send_handshake(session, NULL,
954 : GNUTLS_HANDSHAKE_FINISHED);
955 : }
956 :
957 : return ret;
958 : }
959 :
960 : /* This is to be called after sending our finished message. If everything
961 : * went fine we have negotiated a secure connection
962 : */
963 9348 : int _gnutls_recv_finished(gnutls_session_t session)
964 : {
965 9348 : uint8_t data[MAX_VERIFY_DATA_SIZE], *vrfy;
966 9348 : gnutls_buffer_st buf;
967 9348 : int data_size;
968 9348 : int ret;
969 9348 : int vrfy_size;
970 9348 : const version_entry_st *vers = get_version(session);
971 :
972 9348 : if (unlikely(vers == NULL))
973 0 : return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
974 :
975 9348 : ret =
976 9348 : _gnutls_recv_handshake(session, GNUTLS_HANDSHAKE_FINISHED,
977 : 0, &buf);
978 9348 : if (ret < 0) {
979 503 : gnutls_assert();
980 503 : return ret;
981 : }
982 :
983 8845 : vrfy = buf.data;
984 8845 : vrfy_size = buf.length;
985 :
986 : #ifdef ENABLE_SSL3
987 : if (vers->id == GNUTLS_SSL3)
988 : data_size = 36;
989 : else
990 : #endif
991 8845 : data_size = 12;
992 :
993 8845 : if (vrfy_size != data_size) {
994 2 : gnutls_assert();
995 2 : ret = GNUTLS_E_ERROR_IN_FINISHED_PACKET;
996 2 : goto cleanup;
997 : }
998 :
999 : #ifdef ENABLE_SSL3
1000 : if (vers->id == GNUTLS_SSL3) {
1001 : ret =
1002 : _gnutls_ssl3_finished(session,
1003 : (session->security_parameters.
1004 : entity + 1) % 2, data, 0);
1005 : } else /* TLS 1.0+ */
1006 : #endif
1007 8843 : ret =
1008 17686 : _gnutls_finished(session,
1009 8843 : (session->security_parameters.entity +
1010 8843 : 1) % 2, data, 0);
1011 :
1012 8843 : if (ret < 0) {
1013 0 : gnutls_assert();
1014 0 : goto cleanup;
1015 : }
1016 :
1017 : #if defined(FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION)
1018 : /* When fuzzying allow to proceed without verifying the handshake
1019 : * consistency */
1020 : (void) vrfy;
1021 : # warning This is unsafe for production builds
1022 :
1023 : #else
1024 8843 : if (memcmp(vrfy, data, data_size) != 0) {
1025 8 : gnutls_assert();
1026 8 : ret = GNUTLS_E_ERROR_IN_FINISHED_PACKET;
1027 8 : goto cleanup;
1028 : }
1029 : #endif
1030 :
1031 8835 : ret = _gnutls_ext_sr_finished(session, data, data_size, 1);
1032 8835 : if (ret < 0) {
1033 0 : gnutls_assert();
1034 0 : goto cleanup;
1035 : }
1036 :
1037 8835 : if ((session->internals.resumed != RESUME_FALSE
1038 895 : && session->security_parameters.entity == GNUTLS_CLIENT)
1039 8721 : || (session->internals.resumed == RESUME_FALSE
1040 7940 : && session->security_parameters.entity == GNUTLS_SERVER)) {
1041 : /* if we are a client resuming - or we are a server not resuming */
1042 6728 : _gnutls_handshake_log
1043 : ("HSK[%p]: recording tls-unique CB (recv)\n", session);
1044 6728 : memcpy(session->internals.cb_tls_unique, data, data_size);
1045 6728 : session->internals.cb_tls_unique_len = data_size;
1046 : }
1047 :
1048 :
1049 2107 : cleanup:
1050 8845 : _gnutls_buffer_clear(&buf);
1051 :
1052 8845 : return ret;
1053 : }
1054 :
1055 : /* This selects the best supported ciphersuite from the given ones. Then
1056 : * it adds the suite to the session and performs some checks.
1057 : *
1058 : * When @scsv_only is non-zero only the available SCSVs are parsed
1059 : * and acted upon.
1060 : */
1061 : int
1062 17337 : _gnutls_server_select_suite(gnutls_session_t session, uint8_t * data,
1063 : unsigned int datalen, unsigned scsv_only)
1064 : {
1065 17337 : int ret;
1066 17337 : unsigned int i;
1067 17337 : ciphersuite_list_st peer_clist;
1068 17337 : const gnutls_cipher_suite_entry_st *selected;
1069 17337 : gnutls_kx_algorithm_t kx;
1070 17337 : int retval;
1071 17337 : const version_entry_st *vers = get_version(session);
1072 :
1073 17337 : peer_clist.size = 0;
1074 :
1075 229347 : for (i = 0; i < datalen; i += 2) {
1076 : /* we support the TLS renegotiation SCSV, even if we are
1077 : * not under SSL 3.0, because openssl sends this SCSV
1078 : * on resumption unconditionally. */
1079 : /* TLS_RENEGO_PROTECTION_REQUEST = { 0x00, 0xff } */
1080 212044 : if (session->internals.priorities->sr != SR_DISABLED &&
1081 211251 : data[i] == GNUTLS_RENEGO_PROTECTION_REQUEST_MAJOR &&
1082 54702 : data[i + 1] == GNUTLS_RENEGO_PROTECTION_REQUEST_MINOR) {
1083 8399 : _gnutls_handshake_log
1084 : ("HSK[%p]: Received safe renegotiation CS\n",
1085 : session);
1086 8399 : retval = _gnutls_ext_sr_recv_cs(session);
1087 8399 : if (retval < 0) {
1088 0 : gnutls_assert();
1089 0 : return retval;
1090 : }
1091 : }
1092 :
1093 : /* TLS_FALLBACK_SCSV */
1094 212044 : if (data[i] == GNUTLS_FALLBACK_SCSV_MAJOR &&
1095 2098 : data[i + 1] == GNUTLS_FALLBACK_SCSV_MINOR) {
1096 1160 : const version_entry_st *max = _gnutls_version_max(session);
1097 :
1098 1160 : _gnutls_handshake_log
1099 : ("HSK[%p]: Received fallback CS\n",
1100 : session);
1101 :
1102 1160 : if (vers != max)
1103 53 : return gnutls_assert_val(GNUTLS_E_INAPPROPRIATE_FALLBACK);
1104 210884 : } else if (!scsv_only) {
1105 203489 : if (peer_clist.size < MAX_CIPHERSUITE_SIZE) {
1106 203239 : peer_clist.entry[peer_clist.size] = ciphersuite_to_entry(&data[i]);
1107 203239 : if (peer_clist.entry[peer_clist.size] != NULL)
1108 97754 : peer_clist.size++;
1109 : }
1110 : }
1111 : }
1112 :
1113 17303 : if (scsv_only)
1114 : return 0;
1115 :
1116 16521 : ret = _gnutls_figure_common_ciphersuite(session, &peer_clist, &selected);
1117 16521 : if (ret < 0) {
1118 1094 : return gnutls_assert_val(ret);
1119 : }
1120 :
1121 15608 : _gnutls_handshake_log
1122 : ("HSK[%p]: Selected cipher suite: %s\n", session, selected->name);
1123 :
1124 15608 : ret = _gnutls_set_cipher_suite2(session, selected);
1125 15608 : if (ret < 0) {
1126 1 : gnutls_assert();
1127 1 : return ret;
1128 : }
1129 :
1130 15607 : if (!vers->tls13_sem) {
1131 : /* check if the credentials (username, public key etc.) are ok
1132 : */
1133 10142 : kx = selected->kx_algorithm;
1134 10142 : if (_gnutls_get_kx_cred(session, kx) == NULL) {
1135 31 : gnutls_assert();
1136 31 : return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
1137 : }
1138 :
1139 : /* set the mod_auth_st to the appropriate struct
1140 : * according to the KX algorithm. This is needed since all the
1141 : * handshake functions are read from there;
1142 : */
1143 10111 : session->internals.auth_struct = _gnutls_kx_auth_struct(kx);
1144 10111 : if (session->internals.auth_struct == NULL) {
1145 0 : _gnutls_handshake_log
1146 : ("HSK[%p]: Cannot find the appropriate handler for the KX algorithm\n",
1147 : session);
1148 0 : gnutls_assert();
1149 0 : return GNUTLS_E_INTERNAL_ERROR;
1150 : }
1151 : }
1152 :
1153 : return 0;
1154 :
1155 : }
1156 :
1157 :
1158 : /* This checks whether the null compression method is present.
1159 : */
1160 : static int
1161 15045 : check_if_null_comp_present(gnutls_session_t session,
1162 : uint8_t * data, int datalen)
1163 : {
1164 15045 : int j;
1165 :
1166 16677 : for (j = 0; j < datalen; j++) {
1167 16660 : if (data[j] == 0)
1168 : return 0;
1169 : }
1170 :
1171 : /* we were not able to find a the NULL compression
1172 : * algorithm
1173 : */
1174 17 : gnutls_assert();
1175 : return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM;
1176 :
1177 : }
1178 :
1179 : /* This function sends an empty handshake packet. (like hello request).
1180 : * If the previous _gnutls_send_empty_handshake() returned
1181 : * GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED, then it must be called again
1182 : * (until it returns ok), with NULL parameters.
1183 : */
1184 : static int
1185 6989030 : _gnutls_send_empty_handshake(gnutls_session_t session,
1186 : gnutls_handshake_description_t type,
1187 : int again)
1188 : {
1189 6989030 : mbuffer_st *bufel;
1190 :
1191 6989030 : if (again == 0) {
1192 10028 : bufel = _gnutls_handshake_alloc(session, 0);
1193 10028 : if (bufel == NULL) {
1194 0 : gnutls_assert();
1195 0 : return GNUTLS_E_MEMORY_ERROR;
1196 : }
1197 : } else
1198 : bufel = NULL;
1199 :
1200 6989030 : return _gnutls_send_handshake(session, bufel, type);
1201 : }
1202 :
1203 302371 : int _gnutls_call_hook_func(gnutls_session_t session,
1204 : gnutls_handshake_description_t type,
1205 : int post, unsigned incoming,
1206 : const uint8_t *data, unsigned data_size)
1207 : {
1208 302371 : gnutls_datum_t msg = {(void*)data, data_size};
1209 :
1210 302371 : if (session->internals.h_hook != NULL) {
1211 3618 : if ((session->internals.h_type == type
1212 3422 : || session->internals.h_type == GNUTLS_HANDSHAKE_ANY)
1213 1914 : && (session->internals.h_post == post
1214 1486 : || session->internals.h_post == GNUTLS_HOOK_BOTH)) {
1215 :
1216 : /* internal API for testing: when we are expected to
1217 : * wait for GNUTLS_HANDSHAKE_CHANGE_CIPHER_SPEC, we
1218 : * do so, but not when doing for all messages. The
1219 : * reason is that change cipher specs are not handshake
1220 : * messages, and we don't support waiting for them
1221 : * consistently (only sending is tracked, not receiving).
1222 : */
1223 1486 : if (type == GNUTLS_HANDSHAKE_CHANGE_CIPHER_SPEC &&
1224 : session->internals.h_type != GNUTLS_HANDSHAKE_CHANGE_CIPHER_SPEC)
1225 : return 0;
1226 :
1227 1342 : return session->internals.h_hook(session, type,
1228 : post, incoming, &msg);
1229 : }
1230 : }
1231 : return 0;
1232 : }
1233 :
1234 : /* Note that the "New session ticket" handshake packet behaves differently under
1235 : * TLS 1.2 or 1.3. In 1.2 it is included in the handshake process, while in 1.3
1236 : * it is sent asynchronously */
1237 : #define IS_ASYNC(t, v) \
1238 : (t == GNUTLS_HANDSHAKE_HELLO_REQUEST || t == GNUTLS_HANDSHAKE_KEY_UPDATE || \
1239 : (t == GNUTLS_HANDSHAKE_NEW_SESSION_TICKET && v->tls13_sem))
1240 :
1241 : int
1242 74912000 : _gnutls_send_handshake(gnutls_session_t session, mbuffer_st * bufel,
1243 : gnutls_handshake_description_t type)
1244 : {
1245 74912000 : return _gnutls_send_handshake2(session, bufel, type, 0);
1246 : }
1247 :
1248 : /* This function sends a handshake message of type 'type' containing the
1249 : * data specified here. If the previous _gnutls_send_handshake() returned
1250 : * GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED, then it must be called again
1251 : * (until it returns ok), with NULL parameters.
1252 : */
1253 : int
1254 74918800 : _gnutls_send_handshake2(gnutls_session_t session, mbuffer_st * bufel,
1255 : gnutls_handshake_description_t type, unsigned queue_only)
1256 : {
1257 74918800 : int ret;
1258 74918800 : uint8_t *data;
1259 74918800 : uint32_t datasize, i_datasize;
1260 74918800 : int pos = 0;
1261 74918800 : const version_entry_st *vers = get_version(session);
1262 :
1263 74918800 : if (bufel == NULL) {
1264 : /* we are resuming a previously interrupted
1265 : * send.
1266 : */
1267 74836000 : ret = _gnutls_handshake_io_write_flush(session);
1268 74836000 : return ret;
1269 :
1270 : }
1271 :
1272 : /* first run */
1273 82803 : data = _mbuffer_get_uhead_ptr(bufel);
1274 82803 : i_datasize = _mbuffer_get_udata_size(bufel);
1275 82803 : datasize = i_datasize + _mbuffer_get_uhead_size(bufel);
1276 :
1277 82803 : data[pos++] = (uint8_t) REAL_HSK_TYPE(type);
1278 82803 : _gnutls_write_uint24(_mbuffer_get_udata_size(bufel), &data[pos]);
1279 82803 : pos += 3;
1280 :
1281 : /* Add DTLS handshake fragment headers. The message will be
1282 : * fragmented later by the fragmentation sub-layer. All fields must
1283 : * be set properly for HMAC. The HMAC requires we pretend that the
1284 : * message was sent in a single fragment. */
1285 82803 : if (IS_DTLS(session)) {
1286 2382 : _gnutls_write_uint16(session->internals.dtls.
1287 2382 : hsk_write_seq++, &data[pos]);
1288 2382 : pos += 2;
1289 :
1290 : /* Fragment offset */
1291 2382 : _gnutls_write_uint24(0, &data[pos]);
1292 2382 : pos += 3;
1293 :
1294 : /* Fragment length */
1295 2382 : _gnutls_write_uint24(i_datasize, &data[pos]);
1296 : /* pos += 3; */
1297 : }
1298 :
1299 127092 : _gnutls_handshake_log("HSK[%p]: %s was queued [%ld bytes]\n",
1300 : session, _gnutls_handshake2str(type),
1301 : (long) datasize);
1302 :
1303 : /* Here we keep the handshake messages in order to hash them...
1304 : */
1305 82803 : if (!IS_ASYNC(type, vers)) {
1306 151686 : if ((ret =
1307 75843 : handshake_hash_add_sent(session, type, data,
1308 : datasize)) < 0) {
1309 0 : gnutls_assert();
1310 0 : _mbuffer_xfree(&bufel);
1311 0 : return ret;
1312 : }
1313 : /* If we are sending a PSK, generate early secrets here.
1314 : * This cannot be done in pre_shared_key.c, because it
1315 : * relies on transcript hash of a Client Hello. */
1316 75843 : if (type == GNUTLS_HANDSHAKE_CLIENT_HELLO &&
1317 3747 : session->key.binders[0].prf != NULL) {
1318 506 : ret = _gnutls_generate_early_secrets_for_psk(session);
1319 506 : if (ret < 0) {
1320 0 : gnutls_assert();
1321 0 : _mbuffer_xfree(&bufel);
1322 0 : return ret;
1323 : }
1324 : }
1325 : }
1326 :
1327 165606 : ret = _gnutls_call_hook_func(session, type, GNUTLS_HOOK_PRE, 0,
1328 82803 : _mbuffer_get_udata_ptr(bufel), _mbuffer_get_udata_size(bufel));
1329 82803 : if (ret < 0) {
1330 0 : gnutls_assert();
1331 0 : _mbuffer_xfree(&bufel);
1332 0 : return ret;
1333 : }
1334 :
1335 82803 : session->internals.last_handshake_out = type;
1336 :
1337 82803 : ret = _gnutls_handshake_io_cache_int(session, type, bufel);
1338 82803 : if (ret < 0) {
1339 0 : _mbuffer_xfree(&bufel);
1340 0 : gnutls_assert();
1341 0 : return ret;
1342 : }
1343 :
1344 165606 : ret = _gnutls_call_hook_func(session, type, GNUTLS_HOOK_POST, 0,
1345 82803 : _mbuffer_get_udata_ptr(bufel), _mbuffer_get_udata_size(bufel));
1346 82803 : if (ret < 0) {
1347 14 : gnutls_assert();
1348 14 : return ret;
1349 : }
1350 :
1351 82789 : if (queue_only)
1352 : return 0;
1353 :
1354 : /* Decide when to cache and when to send */
1355 75934 : if (vers && vers->tls13_sem) {
1356 :
1357 23683 : if (session->internals.initial_negotiation_completed) {
1358 : /* we are under TLS1.3 in a re-authentication phase.
1359 : * we don't attempt to cache any messages */
1360 80 : goto force_send;
1361 : }
1362 :
1363 : /* The messages which are followed by another are not sent by default
1364 : * but are cached instead */
1365 23603 : switch (type) {
1366 : case GNUTLS_HANDSHAKE_SERVER_HELLO: /* always followed by something */
1367 : case GNUTLS_HANDSHAKE_ENCRYPTED_EXTENSIONS: /* followed by finished or cert */
1368 : case GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST: /* followed by certificate */
1369 : case GNUTLS_HANDSHAKE_CERTIFICATE_PKT: /* this one is followed by cert verify */
1370 : case GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY: /* followed by finished */
1371 : ret = 0; /* cache */
1372 : break;
1373 5749 : default:
1374 : /* send this and any cached messages */
1375 5749 : goto force_send;
1376 : }
1377 : } else {
1378 : /* The messages which are followed by another are not sent by default
1379 : * but are cached instead */
1380 52251 : switch (type) {
1381 : case GNUTLS_HANDSHAKE_CERTIFICATE_PKT: /* this one is followed by ServerHelloDone
1382 : * or ClientKeyExchange always.
1383 : */
1384 : case GNUTLS_HANDSHAKE_CERTIFICATE_STATUS:
1385 : case GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE: /* as above */
1386 : case GNUTLS_HANDSHAKE_SERVER_HELLO: /* as above */
1387 : case GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST: /* as above */
1388 : case GNUTLS_HANDSHAKE_NEW_SESSION_TICKET: /* followed by ChangeCipherSpec */
1389 :
1390 : /* now for client Certificate, ClientKeyExchange and
1391 : * CertificateVerify are always followed by ChangeCipherSpec
1392 : */
1393 : case GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY:
1394 : case GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE:
1395 : ret = 0;
1396 : break;
1397 22761 : default:
1398 : /* send this and any cached messages */
1399 22761 : goto force_send;
1400 : }
1401 : }
1402 :
1403 : return ret;
1404 :
1405 28590 : force_send:
1406 28590 : return _gnutls_handshake_io_write_flush(session);
1407 : }
1408 :
1409 : #define CHECK_SIZE(ll) \
1410 : if ((session->internals.max_handshake_data_buffer_size > 0) && \
1411 : (((ll) + session->internals.handshake_hash_buffer.length) > \
1412 : session->internals.max_handshake_data_buffer_size)) { \
1413 : _gnutls_debug_log("Handshake buffer length is %u (max: %u)\n", (unsigned)((ll) + session->internals.handshake_hash_buffer.length), (unsigned)session->internals.max_handshake_data_buffer_size); \
1414 : return gnutls_assert_val(GNUTLS_E_HANDSHAKE_TOO_LARGE); \
1415 : }
1416 :
1417 :
1418 : /* This function add the handshake headers and the
1419 : * handshake data to the handshake hash buffers. Needed
1420 : * for the finished messages calculations.
1421 : */
1422 : static int
1423 55256 : handshake_hash_add_recvd(gnutls_session_t session,
1424 : gnutls_handshake_description_t recv_type,
1425 : uint8_t * header, uint16_t header_size,
1426 : uint8_t * dataptr, uint32_t datalen)
1427 : {
1428 55256 : int ret;
1429 55256 : const version_entry_st *vers = get_version(session);
1430 :
1431 55256 : if (unlikely(vers == NULL))
1432 0 : return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
1433 :
1434 55256 : if ((vers->id != GNUTLS_DTLS0_9 &&
1435 55229 : recv_type == GNUTLS_HANDSHAKE_HELLO_VERIFY_REQUEST) ||
1436 55229 : IS_ASYNC(recv_type, vers))
1437 : return 0;
1438 :
1439 55230 : CHECK_SIZE(header_size + datalen);
1440 :
1441 55222 : session->internals.handshake_hash_buffer_prev_len =
1442 55222 : session->internals.handshake_hash_buffer.length;
1443 :
1444 55222 : if (vers->id != GNUTLS_DTLS0_9) {
1445 55205 : ret =
1446 55205 : _gnutls_buffer_append_data(&session->internals.
1447 : handshake_hash_buffer,
1448 : header, header_size);
1449 55205 : if (ret < 0)
1450 0 : return gnutls_assert_val(ret);
1451 : }
1452 55222 : if (datalen > 0) {
1453 53710 : ret =
1454 53710 : _gnutls_buffer_append_data(&session->internals.
1455 : handshake_hash_buffer,
1456 : dataptr, datalen);
1457 53710 : if (ret < 0)
1458 0 : return gnutls_assert_val(ret);
1459 : }
1460 :
1461 : /* save the size until client KX. That is because the TLS
1462 : * session hash is calculated up to this message.
1463 : */
1464 55222 : if (recv_type == GNUTLS_HANDSHAKE_CLIENT_HELLO)
1465 18659 : session->internals.handshake_hash_buffer_client_hello_len =
1466 18659 : session->internals.handshake_hash_buffer.length;
1467 55222 : if (recv_type == GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE)
1468 7762 : session->internals.handshake_hash_buffer_client_kx_len =
1469 7762 : session->internals.handshake_hash_buffer.length;
1470 55222 : if (recv_type == GNUTLS_HANDSHAKE_FINISHED && session->security_parameters.entity == GNUTLS_CLIENT)
1471 2009 : session->internals.handshake_hash_buffer_server_finished_len =
1472 2009 : session->internals.handshake_hash_buffer.length;
1473 55222 : if (recv_type == GNUTLS_HANDSHAKE_FINISHED && session->security_parameters.entity == GNUTLS_SERVER)
1474 12423 : session->internals.handshake_hash_buffer_client_finished_len =
1475 12423 : session->internals.handshake_hash_buffer.length;
1476 :
1477 : return 0;
1478 : }
1479 :
1480 : /* This function will store the handshake message we sent.
1481 : */
1482 : static int
1483 75843 : handshake_hash_add_sent(gnutls_session_t session,
1484 : gnutls_handshake_description_t type,
1485 : uint8_t * dataptr, uint32_t datalen)
1486 : {
1487 75843 : int ret;
1488 75843 : const version_entry_st *vers = get_version(session);
1489 :
1490 75843 : if (unlikely(vers == NULL))
1491 0 : return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
1492 :
1493 75843 : if (IS_ASYNC(type, vers))
1494 : return 0;
1495 :
1496 75843 : CHECK_SIZE(datalen);
1497 :
1498 75843 : if (vers->id == GNUTLS_DTLS0_9) {
1499 : /* Old DTLS doesn't include the header in the MAC */
1500 17 : if (datalen < 12) {
1501 0 : gnutls_assert();
1502 0 : return GNUTLS_E_INTERNAL_ERROR;
1503 : }
1504 17 : dataptr += 12;
1505 17 : datalen -= 12;
1506 :
1507 17 : if (datalen == 0)
1508 : return 0;
1509 : }
1510 :
1511 75842 : ret =
1512 75842 : _gnutls_buffer_append_data(&session->internals.
1513 : handshake_hash_buffer,
1514 : dataptr, datalen);
1515 75842 : if (ret < 0)
1516 0 : return gnutls_assert_val(ret);
1517 :
1518 75842 : if (type == GNUTLS_HANDSHAKE_CLIENT_HELLO)
1519 3747 : session->internals.handshake_hash_buffer_client_hello_len =
1520 3747 : session->internals.handshake_hash_buffer.length;
1521 75842 : if (type == GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE)
1522 1473 : session->internals.handshake_hash_buffer_client_kx_len =
1523 1473 : session->internals.handshake_hash_buffer.length;
1524 75842 : if (type == GNUTLS_HANDSHAKE_FINISHED && session->security_parameters.entity == GNUTLS_SERVER)
1525 12486 : session->internals.handshake_hash_buffer_server_finished_len =
1526 12486 : session->internals.handshake_hash_buffer.length;
1527 75842 : if (type == GNUTLS_HANDSHAKE_FINISHED && session->security_parameters.entity == GNUTLS_CLIENT)
1528 2154 : session->internals.handshake_hash_buffer_client_finished_len =
1529 2154 : session->internals.handshake_hash_buffer.length;
1530 :
1531 : return 0;
1532 : }
1533 :
1534 : /* This function will receive handshake messages of the given types,
1535 : * and will pass the message to the right place in order to be processed.
1536 : * E.g. for the SERVER_HELLO message (if it is expected), it will be
1537 : * passed to _gnutls_recv_hello().
1538 : */
1539 : int
1540 19836700 : _gnutls_recv_handshake(gnutls_session_t session,
1541 : gnutls_handshake_description_t type,
1542 : unsigned int optional, gnutls_buffer_st * buf)
1543 : {
1544 19836700 : int ret, ret2;
1545 19836700 : handshake_buffer_st hsk;
1546 :
1547 19836700 : ret = _gnutls_handshake_io_recv_int(session, type, &hsk, optional);
1548 19836700 : if (ret < 0) {
1549 19781400 : if (optional != 0
1550 19781400 : && ret == GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET) {
1551 4236 : if (buf)
1552 1072 : _gnutls_buffer_init(buf);
1553 4236 : return 0;
1554 : }
1555 :
1556 19780400 : return gnutls_assert_val_fatal(ret);
1557 : }
1558 55232 : session->internals.last_handshake_in = hsk.htype;
1559 :
1560 55232 : ret = _gnutls_call_hook_func(session, hsk.htype, GNUTLS_HOOK_PRE, 1, hsk.data.data, hsk.data.length);
1561 55232 : if (ret < 0) {
1562 0 : gnutls_assert();
1563 0 : goto cleanup;
1564 : }
1565 :
1566 110464 : ret = handshake_hash_add_recvd(session, hsk.rtype,
1567 55232 : hsk.header, hsk.header_size,
1568 : hsk.data.data,
1569 55232 : hsk.data.length);
1570 55232 : if (ret < 0) {
1571 7 : gnutls_assert();
1572 7 : goto cleanup;
1573 : }
1574 :
1575 55225 : switch (hsk.htype) {
1576 19394 : case GNUTLS_HANDSHAKE_CLIENT_HELLO_V2:
1577 : case GNUTLS_HANDSHAKE_CLIENT_HELLO:
1578 19394 : if (!(IS_SERVER(session))) {
1579 0 : ret = gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET);
1580 0 : goto cleanup;
1581 : }
1582 :
1583 : #ifdef ENABLE_SSL2
1584 19394 : if (hsk.htype == GNUTLS_HANDSHAKE_CLIENT_HELLO_V2)
1585 735 : ret =
1586 735 : _gnutls_read_client_hello_v2(session,
1587 : hsk.data.data,
1588 735 : hsk.data.length);
1589 : else
1590 : #endif
1591 : {
1592 : /* Reference the full ClientHello in case an extension needs it */
1593 18659 : ret = _gnutls_ext_set_full_client_hello(session, &hsk);
1594 18659 : if (ret < 0)
1595 0 : return gnutls_assert_val(ret);
1596 :
1597 18659 : ret = read_client_hello(session, hsk.data.data,
1598 18659 : hsk.data.length);
1599 : }
1600 :
1601 19394 : if (ret < 0) {
1602 3483 : gnutls_assert();
1603 3483 : goto cleanup;
1604 : }
1605 :
1606 : break;
1607 :
1608 3093 : case GNUTLS_HANDSHAKE_SERVER_HELLO:
1609 3093 : if (IS_SERVER(session)) {
1610 0 : ret = gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET);
1611 0 : goto cleanup;
1612 : }
1613 :
1614 6186 : ret = read_server_hello(session, hsk.data.data,
1615 3093 : hsk.data.length);
1616 :
1617 3093 : if (ret < 0) {
1618 324 : gnutls_assert();
1619 324 : goto cleanup;
1620 : }
1621 :
1622 : break;
1623 27 : case GNUTLS_HANDSHAKE_HELLO_VERIFY_REQUEST:
1624 27 : if (IS_SERVER(session)) {
1625 0 : ret = gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET);
1626 0 : goto cleanup;
1627 : }
1628 :
1629 27 : ret =
1630 54 : recv_hello_verify_request(session,
1631 : hsk.data.data,
1632 27 : hsk.data.length);
1633 27 : if (ret < 0) {
1634 0 : gnutls_assert();
1635 0 : goto cleanup;
1636 : } else {
1637 : /* Signal our caller we have received a verification cookie
1638 : and ClientHello needs to be sent again. */
1639 : ret = 1;
1640 : }
1641 :
1642 : break;
1643 24 : case GNUTLS_HANDSHAKE_HELLO_RETRY_REQUEST: {
1644 : /* hash buffer synth message is generated during hello retry parsing */
1645 24 : gnutls_datum_t hrr = {hsk.data.data, hsk.data.length};
1646 :
1647 24 : if (IS_SERVER(session)) {
1648 0 : ret = gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET);
1649 0 : goto cleanup;
1650 : }
1651 :
1652 24 : ret =
1653 24 : _gnutls13_recv_hello_retry_request(session,
1654 : &hsk.data);
1655 24 : if (ret < 0) {
1656 0 : gnutls_assert();
1657 0 : goto cleanup;
1658 : } else {
1659 : /* during hello retry parsing, we reset handshake hash buffer,
1660 : * re-add this message */
1661 48 : ret = handshake_hash_add_recvd(session, hsk.htype,
1662 24 : hsk.header, hsk.header_size,
1663 : hrr.data,
1664 : hrr.size);
1665 24 : if (ret < 0) {
1666 0 : gnutls_assert();
1667 0 : goto cleanup;
1668 : }
1669 :
1670 : /* Signal our caller we have received a retry request
1671 : and ClientHello needs to be sent again. */
1672 51415 : ret = 1;
1673 : }
1674 :
1675 : break;
1676 : }
1677 1483 : case GNUTLS_HANDSHAKE_SERVER_HELLO_DONE:
1678 1483 : if (hsk.data.length == 0)
1679 : ret = 0;
1680 : else {
1681 3 : gnutls_assert();
1682 3 : ret = GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
1683 3 : goto cleanup;
1684 : }
1685 : break;
1686 31204 : case GNUTLS_HANDSHAKE_CERTIFICATE_PKT:
1687 : case GNUTLS_HANDSHAKE_CERTIFICATE_STATUS:
1688 : case GNUTLS_HANDSHAKE_FINISHED:
1689 : case GNUTLS_HANDSHAKE_ENCRYPTED_EXTENSIONS:
1690 : case GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE:
1691 : case GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE:
1692 : case GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST:
1693 : case GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY:
1694 : case GNUTLS_HANDSHAKE_SUPPLEMENTAL:
1695 : case GNUTLS_HANDSHAKE_NEW_SESSION_TICKET:
1696 : case GNUTLS_HANDSHAKE_END_OF_EARLY_DATA:
1697 31204 : ret = hsk.data.length;
1698 31204 : break;
1699 0 : default:
1700 0 : gnutls_assert();
1701 : /* we shouldn't actually arrive here in any case .
1702 : * unexpected messages should be caught after _gnutls_handshake_io_recv_int()
1703 : */
1704 0 : ret = GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET;
1705 0 : goto cleanup;
1706 : }
1707 :
1708 51415 : ret2 = _gnutls_call_hook_func(session, hsk.htype, GNUTLS_HOOK_POST, 1, hsk.data.data, hsk.data.length);
1709 51415 : if (ret2 < 0) {
1710 0 : ret = ret2;
1711 0 : gnutls_assert();
1712 0 : goto cleanup;
1713 : }
1714 :
1715 51415 : if (buf) {
1716 31204 : *buf = hsk.data;
1717 31204 : return ret;
1718 : }
1719 :
1720 20211 : cleanup:
1721 24028 : _gnutls_handshake_buffer_clear(&hsk);
1722 24028 : return ret;
1723 : }
1724 :
1725 : /* This function checks if the given cipher suite is supported, and sets it
1726 : * to the session;
1727 : */
1728 : static int
1729 2852 : set_client_ciphersuite(gnutls_session_t session, uint8_t suite[2])
1730 : {
1731 2852 : unsigned j;
1732 2852 : int ret;
1733 2852 : const gnutls_cipher_suite_entry_st *selected = NULL;
1734 2852 : const version_entry_st *vers = get_version(session);
1735 2852 : gnutls_kx_algorithm_t kx;
1736 :
1737 24444 : for (j = 0; j < session->internals.priorities->cs.size; j++) {
1738 24368 : if (suite[0] == session->internals.priorities->cs.entry[j]->id[0] &&
1739 9211 : suite[1] == session->internals.priorities->cs.entry[j]->id[1]) {
1740 : selected = session->internals.priorities->cs.entry[j];
1741 : break;
1742 : }
1743 : }
1744 :
1745 2852 : if (!selected) {
1746 76 : gnutls_assert();
1747 76 : _gnutls_handshake_log
1748 : ("HSK[%p]: unsupported cipher suite %.2X.%.2X was negotiated\n",
1749 : session, (unsigned int) suite[0],
1750 : (unsigned int) suite[1]);
1751 76 : return GNUTLS_E_UNKNOWN_CIPHER_SUITE;
1752 : }
1753 :
1754 2776 : ret = _gnutls_set_cipher_suite2(session, selected);
1755 2776 : if (ret < 0)
1756 0 : return gnutls_assert_val(ret);
1757 :
1758 2776 : _gnutls_handshake_log("HSK[%p]: Selected cipher suite: %s\n",
1759 : session,
1760 : selected->name);
1761 :
1762 : /* check if the credentials (username, public key etc.) are ok.
1763 : * Actually checks if they exist.
1764 : */
1765 2776 : if (!vers->tls13_sem) {
1766 2176 : kx = selected->kx_algorithm;
1767 :
1768 4352 : if (!session->internals.premaster_set &&
1769 2176 : _gnutls_get_kx_cred
1770 : (session, kx) == NULL) {
1771 2 : gnutls_assert();
1772 2 : return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
1773 : }
1774 :
1775 : /* set the mod_auth_st to the appropriate struct
1776 : * according to the KX algorithm. This is needed since all the
1777 : * handshake functions are read from there;
1778 : */
1779 4348 : session->internals.auth_struct =
1780 2174 : _gnutls_kx_auth_struct(kx);
1781 :
1782 2174 : if (session->internals.auth_struct == NULL) {
1783 0 : _gnutls_handshake_log
1784 : ("HSK[%p]: Cannot find the appropriate handler for the KX algorithm\n",
1785 : session);
1786 0 : gnutls_assert();
1787 0 : return GNUTLS_E_INTERNAL_ERROR;
1788 : }
1789 : } else {
1790 600 : if (session->internals.hsk_flags & HSK_PSK_SELECTED) {
1791 0 : if (session->key.binders[0].prf->id != selected->prf) {
1792 0 : _gnutls_handshake_log
1793 : ("HSK[%p]: PRF of ciphersuite differs with the PSK identity (cs: %s, id: %s)\n",
1794 : session, selected->name, session->key.binders[0].prf->name);
1795 0 : gnutls_assert();
1796 0 : return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
1797 : }
1798 : }
1799 : }
1800 :
1801 : return 0;
1802 : }
1803 :
1804 : /* This function returns 0 if we are resuming a session or -1 otherwise.
1805 : * This also sets the variables in the session. Used only while reading a server
1806 : * hello. Only applicable to TLS1.2 or earlier.
1807 : */
1808 : static int
1809 2366 : client_check_if_resuming(gnutls_session_t session,
1810 : uint8_t * session_id, int session_id_len)
1811 : {
1812 2366 : char buf[2 * GNUTLS_MAX_SESSION_ID_SIZE + 1];
1813 2366 : int ret;
1814 :
1815 2366 : _gnutls_handshake_log("HSK[%p]: SessionID length: %d\n", session,
1816 : session_id_len);
1817 2366 : _gnutls_handshake_log("HSK[%p]: SessionID: %s\n", session,
1818 : _gnutls_bin2hex(session_id, session_id_len,
1819 : buf, sizeof(buf), NULL));
1820 :
1821 2366 : if ((session->internals.resumption_requested != 0 ||
1822 2366 : session->internals.premaster_set != 0) &&
1823 172 : session_id_len > 0 &&
1824 172 : session->internals.resumed_security_parameters.
1825 : session_id_size == session_id_len
1826 172 : && memcmp(session_id,
1827 172 : session->internals.resumed_security_parameters.
1828 : session_id, session_id_len) == 0) {
1829 : /* resume session */
1830 114 : memcpy(session->internals.resumed_security_parameters.
1831 : server_random,
1832 114 : session->security_parameters.server_random,
1833 : GNUTLS_RANDOM_SIZE);
1834 114 : memcpy(session->internals.resumed_security_parameters.
1835 : client_random,
1836 114 : session->security_parameters.client_random,
1837 : GNUTLS_RANDOM_SIZE);
1838 :
1839 228 : ret = _gnutls_set_cipher_suite2
1840 : (session,
1841 114 : session->internals.resumed_security_parameters.
1842 : cs);
1843 114 : if (ret < 0) {
1844 0 : gnutls_assert();
1845 0 : goto no_resume;
1846 : }
1847 :
1848 114 : session->internals.resumed = RESUME_TRUE; /* we are resuming */
1849 :
1850 114 : return 0;
1851 : } else {
1852 2252 : no_resume:
1853 : /* keep the new session id */
1854 2252 : session->internals.resumed = RESUME_FALSE; /* we are not resuming */
1855 2252 : return -1;
1856 : }
1857 : }
1858 :
1859 :
1860 : /* This function reads and parses the server hello handshake message.
1861 : * This function also restores resumed parameters if we are resuming a
1862 : * session.
1863 : */
1864 : static int
1865 3093 : read_server_hello(gnutls_session_t session,
1866 : uint8_t * data, int datalen)
1867 : {
1868 3093 : uint8_t session_id_len = 0;
1869 3093 : uint8_t *session_id;
1870 3093 : uint8_t *cs_pos, *comp_pos, *srandom_pos;
1871 3093 : uint8_t major, minor;
1872 3093 : int pos = 0;
1873 3093 : int ret;
1874 3093 : int len = datalen;
1875 3093 : unsigned ext_parse_flag = 0;
1876 3093 : const version_entry_st *vers, *saved_vers;
1877 :
1878 3093 : if (datalen < GNUTLS_RANDOM_SIZE+2) {
1879 3 : gnutls_assert();
1880 3 : return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
1881 : }
1882 :
1883 3090 : _gnutls_handshake_log("HSK[%p]: Server's version: %d.%d\n",
1884 : session, data[pos], data[pos + 1]);
1885 :
1886 3090 : DECR_LEN(len, 2);
1887 3090 : major = data[pos];
1888 3090 : minor = data[pos+1];
1889 :
1890 3090 : saved_vers = get_version(session); /* will be non-null if HRR has been received */
1891 :
1892 3090 : vers = nversion_to_entry(major, minor);
1893 3090 : if (unlikely(vers == NULL))
1894 25 : return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
1895 :
1896 3065 : if (vers->tls13_sem) /* that shouldn't have been negotiated here */
1897 1 : return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
1898 :
1899 3064 : if (_gnutls_set_current_version(session, vers->id) < 0)
1900 0 : return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
1901 :
1902 3064 : pos += 2;
1903 :
1904 3064 : DECR_LEN(len, GNUTLS_RANDOM_SIZE);
1905 3064 : srandom_pos = &data[pos];
1906 3064 : pos += GNUTLS_RANDOM_SIZE;
1907 :
1908 : /* Read session ID
1909 : */
1910 3064 : DECR_LEN(len, 1);
1911 3061 : session_id_len = data[pos++];
1912 :
1913 3061 : if (len < session_id_len || session_id_len > GNUTLS_MAX_SESSION_ID_SIZE) {
1914 5 : gnutls_assert();
1915 5 : return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
1916 : }
1917 3056 : DECR_LEN(len, session_id_len);
1918 3056 : session_id = &data[pos];
1919 3056 : pos += session_id_len;
1920 :
1921 3056 : DECR_LEN(len, 2);
1922 3053 : cs_pos = &data[pos];
1923 3053 : pos += 2;
1924 :
1925 : /* move to compression
1926 : */
1927 3053 : DECR_LEN(len, 1);
1928 3049 : comp_pos = &data[pos];
1929 3049 : pos++;
1930 :
1931 : /* parse extensions to figure version */
1932 3049 : ret =
1933 6098 : _gnutls_parse_hello_extensions(session, GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO|
1934 : GNUTLS_EXT_FLAG_TLS13_SERVER_HELLO,
1935 : GNUTLS_EXT_VERSION_NEG,
1936 3049 : &data[pos], len);
1937 3049 : if (ret < 0)
1938 77 : return gnutls_assert_val(ret);
1939 :
1940 2972 : vers = get_version(session);
1941 2972 : if (unlikely(vers == NULL))
1942 0 : return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
1943 2972 : if (vers->tls13_sem) {
1944 600 : if (major != 0x03 || minor != 0x03)
1945 0 : return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
1946 : }
1947 :
1948 2972 : if (_gnutls_nversion_is_supported(session, vers->major, vers->minor) == 0)
1949 3 : return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
1950 :
1951 : /* set server random - done after final version is selected */
1952 2969 : ret = _gnutls_set_server_random(session, vers, srandom_pos);
1953 2969 : if (ret < 0)
1954 3 : return gnutls_assert_val(ret);
1955 :
1956 : /* reset keys and binders if we are not using TLS 1.3 */
1957 2966 : if (!vers->tls13_sem) {
1958 2366 : gnutls_memset(&session->key.proto.tls13, 0,
1959 : sizeof(session->key.proto.tls13));
1960 2366 : reset_binders(session);
1961 : }
1962 :
1963 : /* check if we are resuming and set the appropriate
1964 : * values;
1965 : */
1966 5332 : if (!vers->tls13_sem &&
1967 2366 : client_check_if_resuming(session, session_id, session_id_len) == 0) {
1968 114 : ret =
1969 114 : _gnutls_parse_hello_extensions(session, GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO,
1970 : GNUTLS_EXT_MANDATORY,
1971 : &data[pos], len);
1972 114 : if (ret < 0)
1973 0 : return gnutls_assert_val(ret);
1974 :
1975 : return 0;
1976 : } else {
1977 2852 : session->security_parameters.session_id_size = session_id_len;
1978 2852 : if (session_id_len > 0)
1979 1670 : memcpy(session->security_parameters.session_id, session_id,
1980 : session_id_len);
1981 : }
1982 :
1983 : /* Check if the given cipher suite is supported and copy
1984 : * it to the session.
1985 : */
1986 2852 : ret = set_client_ciphersuite(session, cs_pos);
1987 2852 : if (ret < 0) {
1988 78 : gnutls_assert();
1989 78 : return ret;
1990 : }
1991 :
1992 2774 : if (session->internals.hsk_flags & HSK_HRR_RECEIVED) {
1993 : /* check if ciphersuite matches */
1994 24 : if (memcmp(cs_pos, session->internals.hrr_cs, 2) != 0)
1995 0 : return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
1996 :
1997 : /* check if HRR version matches this version */
1998 24 : if (vers != saved_vers)
1999 0 : return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
2000 : }
2001 :
2002 2774 : if (*comp_pos != 0)
2003 85 : return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
2004 :
2005 2689 : if (vers->tls13_sem)
2006 : ext_parse_flag |= GNUTLS_EXT_FLAG_TLS13_SERVER_HELLO;
2007 : else
2008 2089 : ext_parse_flag |= GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO;
2009 :
2010 : /* Parse extensions in order.
2011 : */
2012 2689 : ret =
2013 2689 : _gnutls_parse_hello_extensions(session,
2014 : ext_parse_flag,
2015 : GNUTLS_EXT_MANDATORY,
2016 : &data[pos], len);
2017 2689 : if (ret < 0)
2018 8 : return gnutls_assert_val(ret);
2019 :
2020 : /* check if EtM is required */
2021 2681 : if (!vers->tls13_sem && session->internals.priorities->force_etm && !session->security_parameters.etm) {
2022 2 : const cipher_entry_st *cipher = cipher_to_entry(session->security_parameters.cs->block_algorithm);
2023 2 : if (_gnutls_cipher_type(cipher) == CIPHER_BLOCK)
2024 1 : return gnutls_assert_val(GNUTLS_E_UNWANTED_ALGORITHM);
2025 : }
2026 :
2027 :
2028 2680 : ret =
2029 2680 : _gnutls_parse_hello_extensions(session,
2030 : ext_parse_flag,
2031 : GNUTLS_EXT_APPLICATION,
2032 : &data[pos], len);
2033 2680 : if (ret < 0)
2034 2 : return gnutls_assert_val(ret);
2035 :
2036 2678 : ret =
2037 2678 : _gnutls_parse_hello_extensions(session,
2038 : ext_parse_flag,
2039 : GNUTLS_EXT_TLS,
2040 : &data[pos], len);
2041 2678 : if (ret < 0)
2042 18 : return gnutls_assert_val(ret);
2043 :
2044 2660 : ret =
2045 2660 : _gnutls_parse_hello_extensions(session,
2046 : ext_parse_flag,
2047 : _GNUTLS_EXT_TLS_POST_CS,
2048 : &data[pos], len);
2049 2660 : if (ret < 0)
2050 5 : return gnutls_assert_val(ret);
2051 :
2052 : /* Calculate TLS 1.3 Early Secret */
2053 2655 : if (vers->tls13_sem &&
2054 598 : !(session->internals.hsk_flags & HSK_PSK_SELECTED)) {
2055 478 : ret = _tls13_init_secret(session, NULL, 0);
2056 478 : if (ret < 0)
2057 0 : return gnutls_assert_val(ret);
2058 : }
2059 :
2060 2655 : ret = set_auth_types(session);
2061 2655 : if (ret < 0)
2062 0 : return gnutls_assert_val(ret);
2063 :
2064 2655 : session->internals.hsk_flags |= HSK_SERVER_HELLO_RECEIVED;
2065 :
2066 2655 : return 0;
2067 : }
2068 :
2069 : /* This function copies the appropriate compression methods, to a locally allocated buffer
2070 : * Needed in hello messages. Returns the new data length.
2071 : */
2072 : static int
2073 3747 : append_null_comp(gnutls_session_t session,
2074 : gnutls_buffer_st * cdata)
2075 : {
2076 3747 : uint8_t compression_methods[2] = {0x01, 0x00};
2077 3747 : size_t init_length = cdata->length;
2078 3747 : int ret;
2079 :
2080 3747 : ret =
2081 3747 : _gnutls_buffer_append_data(cdata, compression_methods, 2);
2082 3747 : if (ret < 0)
2083 0 : return gnutls_assert_val(ret);
2084 :
2085 3747 : ret = cdata->length - init_length;
2086 :
2087 3747 : return ret;
2088 : }
2089 :
2090 : /* This function sends the client hello handshake message.
2091 : */
2092 12413400 : static int send_client_hello(gnutls_session_t session, int again)
2093 : {
2094 12413400 : mbuffer_st *bufel = NULL;
2095 12413400 : int type;
2096 12413400 : int ret = 0;
2097 12413400 : const version_entry_st *hver, *min_ver, *max_ver;
2098 12413400 : uint8_t tver[2];
2099 12413400 : gnutls_buffer_st extdata;
2100 12413400 : int rehandshake = 0;
2101 12413400 : unsigned add_sr_scsv = 0;
2102 12413400 : uint8_t session_id_len =
2103 : session->internals.resumed_security_parameters.session_id_size;
2104 :
2105 :
2106 12413400 : if (again == 0) {
2107 : /* note that rehandshake is different than resuming
2108 : */
2109 3749 : if (session->internals.initial_negotiation_completed)
2110 89 : rehandshake = 1;
2111 :
2112 7178 : ret = _gnutls_buffer_init_handshake_mbuffer(&extdata);
2113 3749 : if (ret < 0)
2114 0 : return gnutls_assert_val(ret);
2115 :
2116 : /* if we are resuming a session then we set the
2117 : * version number to the previously established.
2118 : */
2119 3749 : if (session->internals.resumption_requested == 0 &&
2120 3524 : session->internals.premaster_set == 0) {
2121 3517 : if (rehandshake) /* already negotiated version thus version_max == negotiated version */
2122 89 : hver = get_version(session);
2123 : else /* new handshake. just get the max */
2124 3428 : hver = _gnutls_legacy_version_max(session);
2125 : } else {
2126 : /* we are resuming a session */
2127 232 : hver =
2128 : session->internals.resumed_security_parameters.
2129 : pversion;
2130 :
2131 232 : if (hver && hver->tls13_sem)
2132 60 : hver = _gnutls_legacy_version_max(session);
2133 : }
2134 :
2135 3749 : if (hver == NULL) {
2136 2 : gnutls_assert();
2137 2 : if (session->internals.flags & INT_FLAG_NO_TLS13)
2138 : ret = GNUTLS_E_INSUFFICIENT_CREDENTIALS;
2139 : else
2140 0 : ret = GNUTLS_E_NO_PRIORITIES_WERE_SET;
2141 2 : goto cleanup;
2142 : }
2143 :
2144 3747 : if (unlikely(session->internals.default_hello_version[0] != 0)) {
2145 15 : tver[0] = session->internals.default_hello_version[0];
2146 15 : tver[1] = session->internals.default_hello_version[1];
2147 : } else {
2148 3732 : tver[0] = hver->major;
2149 3732 : tver[1] = hver->minor;
2150 : }
2151 3747 : ret = _gnutls_buffer_append_data(&extdata, tver, 2);
2152 3747 : if (ret < 0) {
2153 0 : gnutls_assert();
2154 0 : goto cleanup;
2155 : }
2156 3747 : _gnutls_handshake_log("HSK[%p]: Adv. version: %u.%u\n", session,
2157 : (unsigned)tver[0], (unsigned)tver[1]);
2158 :
2159 3747 : min_ver = _gnutls_version_lowest(session);
2160 3747 : max_ver = _gnutls_version_max(session);
2161 3747 : if (min_ver == NULL || max_ver == NULL) {
2162 0 : gnutls_assert();
2163 0 : ret = GNUTLS_E_NO_PRIORITIES_WERE_SET;
2164 0 : goto cleanup;
2165 : }
2166 :
2167 : /* if we are replying to an HRR the version is already negotiated */
2168 3747 : if (!(session->internals.hsk_flags & HSK_HRR_RECEIVED) || !get_version(session)) {
2169 : /* Set the version we advertized as maximum
2170 : * (RSA uses it). */
2171 3723 : set_adv_version(session, hver->major, hver->minor);
2172 3723 : if (_gnutls_set_current_version(session, hver->id) < 0) {
2173 0 : ret = gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
2174 0 : goto cleanup;
2175 : }
2176 : }
2177 :
2178 3747 : if (session->internals.priorities->min_record_version != 0) {
2179 : /* Advertise the lowest supported (SSL 3.0) record packet
2180 : * version in record packets during the handshake.
2181 : * That is to avoid confusing implementations
2182 : * that do not support TLS 1.2 and don't know
2183 : * how 3,3 version of record packets look like.
2184 : */
2185 3746 : set_default_version(session, min_ver);
2186 : } else {
2187 1 : set_default_version(session, hver);
2188 : }
2189 :
2190 : /* In order to know when this session was initiated.
2191 : */
2192 3747 : session->security_parameters.timestamp = gnutls_time(NULL);
2193 :
2194 : /* Generate random data
2195 : */
2196 3747 : if (!(session->internals.hsk_flags & HSK_HRR_RECEIVED) &&
2197 3723 : !(IS_DTLS(session) && session->internals.dtls.hsk_hello_verify_requests != 0)) {
2198 3696 : ret = _gnutls_gen_client_random(session);
2199 3696 : if (ret < 0) {
2200 0 : gnutls_assert();
2201 0 : goto cleanup;
2202 : }
2203 :
2204 : }
2205 :
2206 7494 : ret = _gnutls_buffer_append_data(&extdata,
2207 3747 : session->security_parameters.client_random,
2208 : GNUTLS_RANDOM_SIZE);
2209 3747 : if (ret < 0) {
2210 0 : gnutls_assert();
2211 0 : goto cleanup;
2212 : }
2213 :
2214 : #ifdef TLS13_APPENDIX_D4
2215 3747 : if (max_ver->tls13_sem &&
2216 1863 : session->security_parameters.session_id_size == 0) {
2217 :
2218 : /* Under TLS1.3 we generate a random session ID to make
2219 : * the TLS1.3 session look like a resumed TLS1.2 session */
2220 1811 : ret = _gnutls_generate_session_id(session->security_parameters.
2221 : session_id,
2222 : &session->security_parameters.
2223 : session_id_size);
2224 1811 : if (ret < 0) {
2225 0 : gnutls_assert();
2226 0 : goto cleanup;
2227 : }
2228 : }
2229 : #endif
2230 :
2231 : /* Copy the Session ID - if any
2232 : */
2233 7494 : ret = _gnutls_buffer_append_data_prefix(&extdata, 8,
2234 3747 : session->internals.resumed_security_parameters.session_id,
2235 : session_id_len);
2236 3747 : if (ret < 0) {
2237 0 : gnutls_assert();
2238 0 : goto cleanup;
2239 : }
2240 :
2241 : /* Copy the DTLS cookie
2242 : */
2243 3747 : if (IS_DTLS(session)) {
2244 640 : ret = _gnutls_buffer_append_data_prefix(&extdata, 8,
2245 320 : session->internals.dtls.dcookie.data,
2246 320 : session->internals.dtls.dcookie.size);
2247 320 : if (ret < 0) {
2248 0 : gnutls_assert();
2249 0 : goto cleanup;
2250 : }
2251 320 : _gnutls_free_datum(&session->internals.dtls.dcookie);
2252 : }
2253 :
2254 : /* Copy the ciphersuites.
2255 : */
2256 : #ifdef ENABLE_SSL3
2257 : /* If using SSLv3 Send TLS_RENEGO_PROTECTION_REQUEST SCSV for MITM
2258 : * prevention on initial negotiation (but not renegotiation; that's
2259 : * handled with the RI extension below).
2260 : */
2261 : if (!session->internals.initial_negotiation_completed &&
2262 : session->security_parameters.entity == GNUTLS_CLIENT &&
2263 : (hver->id == GNUTLS_SSL3 &&
2264 : session->internals.priorities->no_extensions != 0)) {
2265 : add_sr_scsv = 1;
2266 : }
2267 : #endif
2268 3747 : ret = _gnutls_get_client_ciphersuites(session, &extdata, min_ver, add_sr_scsv);
2269 3747 : if (ret < 0) {
2270 0 : gnutls_assert();
2271 0 : goto cleanup;
2272 : }
2273 :
2274 : /* Copy the compression methods.
2275 : */
2276 3747 : ret = append_null_comp(session, &extdata);
2277 3747 : if (ret < 0) {
2278 0 : gnutls_assert();
2279 0 : goto cleanup;
2280 : }
2281 :
2282 : /* Generate and copy TLS extensions.
2283 : */
2284 3747 : if (session->internals.priorities->no_extensions == 0) {
2285 3742 : if (_gnutls_version_has_extensions(hver)) {
2286 : type = GNUTLS_EXT_ANY;
2287 : } else {
2288 0 : type = GNUTLS_EXT_MANDATORY;
2289 : }
2290 :
2291 3742 : ret =
2292 3742 : _gnutls_gen_hello_extensions(session, &extdata,
2293 : GNUTLS_EXT_FLAG_CLIENT_HELLO,
2294 : type);
2295 3742 : if (ret < 0) {
2296 0 : gnutls_assert();
2297 0 : goto cleanup;
2298 : }
2299 : }
2300 :
2301 3747 : bufel = _gnutls_buffer_to_mbuffer(&extdata);
2302 : }
2303 :
2304 12413300 : ret = _gnutls_send_handshake(session, bufel,
2305 : GNUTLS_HANDSHAKE_CLIENT_HELLO);
2306 :
2307 12413300 : return ret;
2308 :
2309 2 : cleanup:
2310 2 : _gnutls_buffer_clear(&extdata);
2311 2 : return ret;
2312 : }
2313 :
2314 15916 : int _gnutls_send_server_hello(gnutls_session_t session, int again)
2315 : {
2316 15916 : mbuffer_st *bufel = NULL;
2317 15916 : gnutls_buffer_st buf;
2318 15916 : int ret;
2319 15916 : uint8_t session_id_len =
2320 : session->security_parameters.session_id_size;
2321 15916 : char tmpbuf[2 * GNUTLS_MAX_SESSION_ID_SIZE + 1];
2322 15916 : const version_entry_st *vers;
2323 15916 : uint8_t vbytes[2];
2324 15916 : unsigned extflag = 0;
2325 15916 : gnutls_ext_parse_type_t etype;
2326 :
2327 15916 : _gnutls_buffer_init(&buf);
2328 :
2329 15916 : if (again == 0) {
2330 15905 : vers = get_version(session);
2331 15905 : if (unlikely(vers == NULL || session->security_parameters.cs == NULL))
2332 0 : return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
2333 :
2334 15905 : if (vers->tls13_sem) {
2335 5104 : vbytes[0] = 0x03; /* TLS1.2 */
2336 5104 : vbytes[1] = 0x03;
2337 5104 : extflag |= GNUTLS_EXT_FLAG_TLS13_SERVER_HELLO;
2338 : } else {
2339 10801 : vbytes[0] = vers->major;
2340 10801 : vbytes[1] = vers->minor;
2341 10801 : extflag |= GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO;
2342 : }
2343 :
2344 31507 : ret = _gnutls_buffer_init_handshake_mbuffer(&buf);
2345 15905 : if (ret < 0) {
2346 0 : gnutls_assert();
2347 0 : goto fail;
2348 : }
2349 :
2350 15905 : ret = _gnutls_buffer_append_data(&buf, vbytes, 2);
2351 15905 : if (ret < 0) {
2352 0 : gnutls_assert();
2353 0 : goto fail;
2354 : }
2355 :
2356 31810 : ret = _gnutls_buffer_append_data(&buf,
2357 15905 : session->security_parameters.server_random,
2358 : GNUTLS_RANDOM_SIZE);
2359 15905 : if (ret < 0) {
2360 0 : gnutls_assert();
2361 0 : goto fail;
2362 : }
2363 :
2364 31810 : ret = _gnutls_buffer_append_data_prefix(&buf, 8,
2365 15905 : session->security_parameters.session_id,
2366 : session_id_len);
2367 15905 : if (ret < 0) {
2368 0 : gnutls_assert();
2369 0 : goto fail;
2370 : }
2371 :
2372 15905 : _gnutls_handshake_log("HSK[%p]: SessionID: %s\n", session,
2373 : _gnutls_bin2hex(session->
2374 : security_parameters.session_id,
2375 : session_id_len, tmpbuf,
2376 : sizeof(tmpbuf), NULL));
2377 :
2378 31810 : ret = _gnutls_buffer_append_data(&buf,
2379 15905 : session->security_parameters.cs->id,
2380 : 2);
2381 15905 : if (ret < 0) {
2382 0 : gnutls_assert();
2383 0 : goto fail;
2384 : }
2385 :
2386 : /* compression */
2387 15905 : ret = _gnutls_buffer_append_prefix(&buf, 8, 0);
2388 15905 : if (ret < 0) {
2389 0 : gnutls_assert();
2390 0 : goto fail;
2391 : }
2392 :
2393 15905 : if (!vers->tls13_sem && session->internals.resumed != RESUME_FALSE)
2394 : etype = GNUTLS_EXT_MANDATORY;
2395 : else
2396 15123 : etype = GNUTLS_EXT_ANY;
2397 15905 : ret =
2398 15905 : _gnutls_gen_hello_extensions(session, &buf, extflag, etype);
2399 15905 : if (ret < 0) {
2400 0 : gnutls_assert();
2401 0 : goto fail;
2402 : }
2403 :
2404 15905 : if (vers->tls13_sem) {
2405 : /* Under TLS1.3, the session ID is used for different purposes than
2406 : * the TLS1.0 session ID. Ensure that there is an internally set
2407 : * value which the server will see on the original and resumed sessions */
2408 5104 : ret = _gnutls_generate_session_id(session->security_parameters.
2409 : session_id,
2410 : &session->security_parameters.
2411 : session_id_size);
2412 5104 : if (ret < 0) {
2413 0 : gnutls_assert();
2414 0 : goto fail;
2415 : }
2416 : }
2417 :
2418 15905 : bufel = _gnutls_buffer_to_mbuffer(&buf);
2419 : }
2420 :
2421 15916 : ret =
2422 15916 : _gnutls_send_handshake(session, bufel,
2423 : GNUTLS_HANDSHAKE_SERVER_HELLO);
2424 :
2425 15916 : fail:
2426 15916 : _gnutls_buffer_clear(&buf);
2427 15916 : return ret;
2428 : }
2429 :
2430 : static int
2431 27 : recv_hello_verify_request(gnutls_session_t session,
2432 : uint8_t * data, int datalen)
2433 : {
2434 27 : ssize_t len = datalen;
2435 27 : size_t pos = 0;
2436 27 : uint8_t cookie_len;
2437 27 : unsigned int nb_verifs;
2438 27 : int ret;
2439 :
2440 27 : if (!IS_DTLS(session)) {
2441 0 : gnutls_assert();
2442 0 : return GNUTLS_E_UNEXPECTED_PACKET;
2443 : }
2444 :
2445 27 : nb_verifs = ++session->internals.dtls.hsk_hello_verify_requests;
2446 27 : if (nb_verifs >= MAX_HANDSHAKE_HELLO_VERIFY_REQUESTS) {
2447 : /* The server is either buggy, malicious or changing cookie
2448 : secrets _way_ too fast. */
2449 0 : gnutls_assert();
2450 0 : return GNUTLS_E_UNEXPECTED_PACKET;
2451 : }
2452 :
2453 27 : DECR_LEN(len, 2);
2454 27 : pos += 2;
2455 :
2456 27 : DECR_LEN(len, 1);
2457 27 : cookie_len = data[pos];
2458 27 : pos++;
2459 :
2460 27 : if (cookie_len > DTLS_MAX_COOKIE_SIZE) {
2461 0 : gnutls_assert();
2462 0 : return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
2463 : }
2464 :
2465 27 : DECR_LEN(len, cookie_len);
2466 :
2467 27 : gnutls_free(session->internals.dtls.dcookie.data);
2468 27 : ret = _gnutls_set_datum(&session->internals.dtls.dcookie, &data[pos], cookie_len);
2469 27 : if (ret < 0)
2470 0 : return gnutls_assert_val(ret);
2471 :
2472 27 : if (len != 0) {
2473 0 : gnutls_assert();
2474 0 : return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
2475 : }
2476 :
2477 : /* reset handshake hash buffers */
2478 27 : handshake_hash_buffer_reset(session);
2479 : /* reset extensions used in previous hello */
2480 27 : session->internals.used_exts = 0;
2481 :
2482 27 : return 0;
2483 : }
2484 :
2485 : /* The packets in gnutls_handshake (it's more broad than original TLS handshake)
2486 : *
2487 : * Client Server
2488 : *
2489 : * ClientHello -------->
2490 : * <-------- ServerHello
2491 : *
2492 : * Certificate*
2493 : * ServerKeyExchange*
2494 : * <-------- CertificateRequest*
2495 : *
2496 : * <-------- ServerHelloDone
2497 : * Certificate*
2498 : * ClientKeyExchange
2499 : * CertificateVerify*
2500 : * [ChangeCipherSpec]
2501 : * Finished -------->
2502 : * NewSessionTicket
2503 : * [ChangeCipherSpec]
2504 : * <-------- Finished
2505 : *
2506 : * (*): means optional packet.
2507 : */
2508 :
2509 : /* Handshake when resumming session:
2510 : * Client Server
2511 : *
2512 : * ClientHello -------->
2513 : * ServerHello
2514 : * [ChangeCipherSpec]
2515 : * <-------- Finished
2516 : * [ChangeCipherSpec]
2517 : * Finished -------->
2518 : *
2519 : */
2520 :
2521 : /**
2522 : * gnutls_rehandshake:
2523 : * @session: is a #gnutls_session_t type.
2524 : *
2525 : * This function can only be called in server side, and
2526 : * instructs a TLS 1.2 or earlier client to renegotiate
2527 : * parameters (perform a handshake), by sending a
2528 : * hello request message.
2529 : *
2530 : * If this function succeeds, the calling application
2531 : * should call gnutls_record_recv() until %GNUTLS_E_REHANDSHAKE
2532 : * is returned to clear any pending data. If the %GNUTLS_E_REHANDSHAKE
2533 : * error code is not seen, then the handshake request was
2534 : * not followed by the peer (the TLS protocol does not require
2535 : * the client to do, and such compliance should be handled
2536 : * by the application protocol).
2537 : *
2538 : * Once the %GNUTLS_E_REHANDSHAKE error code is seen, the
2539 : * calling application should proceed to calling
2540 : * gnutls_handshake() to negotiate the new
2541 : * parameters.
2542 : *
2543 : * If the client does not wish to renegotiate parameters he
2544 : * may reply with an alert message, and in that case the return code seen
2545 : * by subsequent gnutls_record_recv() will be
2546 : * %GNUTLS_E_WARNING_ALERT_RECEIVED with the specific alert being
2547 : * %GNUTLS_A_NO_RENEGOTIATION. A client may also choose to ignore
2548 : * this request.
2549 : *
2550 : * Under TLS 1.3 this function is equivalent to gnutls_session_key_update()
2551 : * with the %GNUTLS_KU_PEER flag. In that case subsequent calls to
2552 : * gnutls_record_recv() will not return %GNUTLS_E_REHANDSHAKE, and
2553 : * calls to gnutls_handshake() in server side are a no-op.
2554 : *
2555 : * This function always fails with %GNUTLS_E_INVALID_REQUEST when
2556 : * called in client side.
2557 : *
2558 : * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
2559 : **/
2560 59 : int gnutls_rehandshake(gnutls_session_t session)
2561 : {
2562 59 : int ret;
2563 59 : const version_entry_st *vers = get_version(session);
2564 :
2565 : /* only server sends that handshake packet */
2566 59 : if (session->security_parameters.entity == GNUTLS_CLIENT)
2567 : return GNUTLS_E_INVALID_REQUEST;
2568 :
2569 59 : if (vers->tls13_sem) {
2570 5 : return gnutls_session_key_update(session, GNUTLS_KU_PEER);
2571 : }
2572 :
2573 54 : _dtls_async_timer_delete(session);
2574 :
2575 54 : ret =
2576 108 : _gnutls_send_empty_handshake(session,
2577 : GNUTLS_HANDSHAKE_HELLO_REQUEST,
2578 54 : AGAIN(STATE50));
2579 54 : STATE = STATE50;
2580 :
2581 54 : if (ret < 0) {
2582 0 : gnutls_assert();
2583 0 : return ret;
2584 : }
2585 54 : STATE = STATE0;
2586 :
2587 54 : return 0;
2588 : }
2589 :
2590 : /* This function checks whether the error code should be treated fatal
2591 : * or not, and also does the necessary state transition. In
2592 : * particular, in the case of a rehandshake abort it resets the
2593 : * handshake's internal state.
2594 : */
2595 : inline static int
2596 39691700 : _gnutls_abort_handshake(gnutls_session_t session, int ret)
2597 : {
2598 39691700 : switch (ret) {
2599 1504 : case GNUTLS_E_WARNING_ALERT_RECEIVED:
2600 1504 : if (gnutls_alert_get(session) == GNUTLS_A_NO_RENEGOTIATION) {
2601 : /* The server always toleretes a "no_renegotiation" alert. */
2602 59 : if (session->security_parameters.entity == GNUTLS_SERVER) {
2603 16 : STATE = STATE0;
2604 16 : return ret;
2605 : }
2606 :
2607 : /* The client should tolerete a "no_renegotiation" alert only if:
2608 : * - the initial handshake has completed, or
2609 : * - a Server Hello is not yet received
2610 : */
2611 43 : if (session->internals.initial_negotiation_completed ||
2612 43 : !(session->internals.hsk_flags & HSK_SERVER_HELLO_RECEIVED)) {
2613 35 : STATE = STATE0;
2614 35 : return ret;
2615 : }
2616 :
2617 8 : return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET);
2618 : }
2619 : return ret;
2620 5 : case GNUTLS_E_GOT_APPLICATION_DATA:
2621 5 : STATE = STATE0;
2622 5 : return ret;
2623 : default:
2624 : return ret;
2625 : }
2626 : }
2627 :
2628 :
2629 30 : static int _gnutls_send_supplemental(gnutls_session_t session, int again)
2630 : {
2631 30 : mbuffer_st *bufel = NULL;
2632 30 : int ret = 0;
2633 :
2634 30 : _gnutls_debug_log("EXT[%p]: Sending supplemental data\n", session);
2635 :
2636 30 : if (!again) {
2637 30 : gnutls_buffer_st buf;
2638 60 : ret = _gnutls_buffer_init_handshake_mbuffer(&buf);
2639 30 : if (ret < 0)
2640 0 : return gnutls_assert_val(ret);
2641 :
2642 30 : ret = _gnutls_gen_supplemental(session, &buf);
2643 30 : if (ret < 0) {
2644 0 : gnutls_assert();
2645 0 : _gnutls_buffer_clear(&buf);
2646 0 : return ret;
2647 : }
2648 :
2649 30 : bufel = _gnutls_buffer_to_mbuffer(&buf);
2650 : }
2651 :
2652 30 : return _gnutls_send_handshake(session, bufel,
2653 : GNUTLS_HANDSHAKE_SUPPLEMENTAL);
2654 : }
2655 :
2656 30 : static int _gnutls_recv_supplemental(gnutls_session_t session)
2657 : {
2658 30 : gnutls_buffer_st buf;
2659 30 : int ret;
2660 :
2661 30 : _gnutls_debug_log("EXT[%p]: Expecting supplemental data\n",
2662 : session);
2663 :
2664 30 : ret =
2665 30 : _gnutls_recv_handshake(session, GNUTLS_HANDSHAKE_SUPPLEMENTAL,
2666 : 1, &buf);
2667 30 : if (ret < 0) {
2668 0 : gnutls_assert();
2669 0 : return ret;
2670 : }
2671 :
2672 30 : ret = _gnutls_parse_supplemental(session, buf.data, buf.length);
2673 30 : if (ret < 0) {
2674 0 : gnutls_assert();
2675 0 : goto cleanup;
2676 : }
2677 :
2678 30 : cleanup:
2679 30 : _gnutls_buffer_clear(&buf);
2680 :
2681 30 : return ret;
2682 : }
2683 :
2684 : /**
2685 : * gnutls_handshake:
2686 : * @session: is a #gnutls_session_t type.
2687 : *
2688 : * This function performs the handshake of the TLS/SSL protocol, and
2689 : * initializes the TLS session parameters.
2690 : *
2691 : * The non-fatal errors expected by this function are:
2692 : * %GNUTLS_E_INTERRUPTED, %GNUTLS_E_AGAIN,
2693 : * %GNUTLS_E_WARNING_ALERT_RECEIVED. When this function is called
2694 : * for re-handshake under TLS 1.2 or earlier, the non-fatal error code
2695 : * %GNUTLS_E_GOT_APPLICATION_DATA may also be returned.
2696 : *
2697 : * The former two interrupt the handshake procedure due to the transport
2698 : * layer being interrupted, and the latter because of a "warning" alert that
2699 : * was sent by the peer (it is always a good idea to check any
2700 : * received alerts). On these non-fatal errors call this function again,
2701 : * until it returns 0; cf. gnutls_record_get_direction() and
2702 : * gnutls_error_is_fatal(). In DTLS sessions the non-fatal error
2703 : * %GNUTLS_E_LARGE_PACKET is also possible, and indicates that
2704 : * the MTU should be adjusted.
2705 : *
2706 : * When this function is called by a server after a rehandshake request
2707 : * under TLS 1.2 or earlier the %GNUTLS_E_GOT_APPLICATION_DATA error code indicates
2708 : * that some data were pending prior to peer initiating the handshake.
2709 : * Under TLS 1.3 this function when called after a successful handshake, is a no-op
2710 : * and always succeeds in server side; in client side this function is
2711 : * equivalent to gnutls_session_key_update() with %GNUTLS_KU_PEER flag.
2712 : *
2713 : * This function handles both full and abbreviated TLS handshakes (resumption).
2714 : * For abbreviated handshakes, in client side, the gnutls_session_set_data()
2715 : * should be called prior to this function to set parameters from a previous session.
2716 : * In server side, resumption is handled by either setting a DB back-end, or setting
2717 : * up keys for session tickets.
2718 : *
2719 : * Returns: %GNUTLS_E_SUCCESS on a successful handshake, otherwise a negative error code.
2720 : **/
2721 39706200 : int gnutls_handshake(gnutls_session_t session)
2722 : {
2723 39706200 : const version_entry_st *vers = get_version(session);
2724 39706200 : int ret;
2725 :
2726 39706200 : if (unlikely(session->internals.initial_negotiation_completed)) {
2727 379 : if (vers->tls13_sem) {
2728 6 : if (session->security_parameters.entity == GNUTLS_CLIENT) {
2729 1 : return gnutls_session_key_update(session, GNUTLS_KU_PEER);
2730 : } else {
2731 : /* This is a no-op for a server under TLS 1.3, as
2732 : * a server has already called gnutls_rehandshake()
2733 : * which performed a key update.
2734 : */
2735 : return 0;
2736 : }
2737 : }
2738 : }
2739 :
2740 39706200 : if (STATE == STATE0) {
2741 23318 : unsigned int tmo_ms;
2742 23318 : struct timespec *end;
2743 23318 : struct timespec *start;
2744 :
2745 : /* first call */
2746 23318 : if (session->internals.priorities == NULL ||
2747 23318 : session->internals.priorities->cs.size == 0)
2748 0 : return gnutls_assert_val(GNUTLS_E_NO_PRIORITIES_WERE_SET);
2749 :
2750 23318 : ret =
2751 23318 : _gnutls_epoch_setup_next(session, 0, NULL);
2752 23318 : if (ret < 0)
2753 0 : return gnutls_assert_val(ret);
2754 :
2755 23318 : session->internals.used_exts = 0;
2756 23318 : session->internals.hsk_flags = 0;
2757 23318 : session->internals.handshake_in_progress = 1;
2758 23318 : session->internals.vc_status = -1;
2759 23318 : gnutls_gettime(&session->internals.handshake_start_time);
2760 :
2761 23318 : tmo_ms = session->internals.handshake_timeout_ms;
2762 23318 : end = &session->internals.handshake_abs_timeout;
2763 23318 : start = &session->internals.handshake_start_time;
2764 :
2765 23318 : if (tmo_ms && end->tv_sec == 0 && end->tv_nsec == 0) {
2766 13576 : end->tv_sec =
2767 13576 : start->tv_sec + (start->tv_nsec + tmo_ms * 1000000LL) / 1000000000LL;
2768 13576 : end->tv_nsec =
2769 13576 : (start->tv_nsec + tmo_ms * 1000000LL) % 1000000000LL;
2770 : }
2771 : }
2772 :
2773 39706200 : if (session->internals.recv_state == RECV_STATE_FALSE_START) {
2774 8 : session_invalidate(session);
2775 8 : return gnutls_assert_val(GNUTLS_E_HANDSHAKE_DURING_FALSE_START);
2776 : }
2777 :
2778 39706200 : if (session->security_parameters.entity == GNUTLS_CLIENT) {
2779 20681500 : do {
2780 20681500 : ret = handshake_client(session);
2781 20681500 : } while (ret == 1);
2782 : } else {
2783 19024700 : ret = handshake_server(session);
2784 : }
2785 :
2786 39706200 : if (ret < 0) {
2787 39691700 : return _gnutls_abort_handshake(session, ret);
2788 : }
2789 :
2790 : /* clear handshake buffer */
2791 14444 : if (session->internals.recv_state != RECV_STATE_FALSE_START &&
2792 : session->internals.recv_state != RECV_STATE_EARLY_START) {
2793 :
2794 14389 : _gnutls_handshake_hash_buffers_clear(session);
2795 :
2796 14389 : if (IS_DTLS(session) == 0) {
2797 13802 : _gnutls_handshake_io_buffer_clear(session);
2798 : } else {
2799 587 : _dtls_async_timer_init(session);
2800 : }
2801 :
2802 14389 : _gnutls_handshake_internal_state_clear(session);
2803 :
2804 14389 : _gnutls_buffer_clear(&session->internals.record_presend_buffer);
2805 :
2806 14389 : _gnutls_epoch_bump(session);
2807 : }
2808 :
2809 : /* Give an estimation of the round-trip under TLS1.3, used by gnutls_session_get_data2() */
2810 14444 : if (!IS_SERVER(session) && vers->tls13_sem) {
2811 366 : struct timespec handshake_finish_time;
2812 366 : gnutls_gettime(&handshake_finish_time);
2813 :
2814 366 : if (!(session->internals.hsk_flags & HSK_HRR_RECEIVED)) {
2815 342 : session->internals.ertt = timespec_sub_ms(&handshake_finish_time, &session->internals.handshake_start_time)/2;
2816 : } else {
2817 24 : session->internals.ertt = timespec_sub_ms(&handshake_finish_time, &session->internals.handshake_start_time)/4;
2818 : }
2819 : }
2820 :
2821 : return 0;
2822 : }
2823 :
2824 : /**
2825 : * gnutls_handshake_set_timeout:
2826 : * @session: is a #gnutls_session_t type.
2827 : * @ms: is a timeout value in milliseconds
2828 : *
2829 : * This function sets the timeout for the TLS handshake process
2830 : * to the provided value. Use an @ms value of zero to disable
2831 : * timeout, or %GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT for a reasonable
2832 : * default value. For the DTLS protocol, the more detailed
2833 : * gnutls_dtls_set_timeouts() is provided.
2834 : *
2835 : * This function requires to set a pull timeout callback. See
2836 : * gnutls_transport_set_pull_timeout_function().
2837 : *
2838 : * Since: 3.1.0
2839 : **/
2840 : void
2841 13509 : gnutls_handshake_set_timeout(gnutls_session_t session, unsigned int ms)
2842 : {
2843 13509 : if (ms == GNUTLS_INDEFINITE_TIMEOUT) {
2844 0 : session->internals.handshake_timeout_ms = 0;
2845 0 : return;
2846 : }
2847 :
2848 13509 : if (ms == GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT)
2849 10926 : ms = DEFAULT_HANDSHAKE_TIMEOUT_MS;
2850 :
2851 13509 : if (IS_DTLS(session)) {
2852 578 : gnutls_dtls_set_timeouts(session, DTLS_RETRANS_TIMEOUT, ms);
2853 578 : return;
2854 : }
2855 :
2856 12931 : session->internals.handshake_timeout_ms = ms;
2857 : }
2858 :
2859 : /* Runs the certificate verification callback.
2860 : * side is the side that we verify the certificate
2861 : * from (either GNUTLS_CLIENT or GNUTLS_SERVER).
2862 : */
2863 16513 : int _gnutls_run_verify_callback(gnutls_session_t session, unsigned int side)
2864 : {
2865 16513 : gnutls_certificate_credentials_t cred;
2866 16513 : int ret, type;
2867 :
2868 16513 : if (session->internals.hsk_flags & HSK_PSK_SELECTED)
2869 : return 0;
2870 :
2871 14929 : cred =
2872 14929 : (gnutls_certificate_credentials_t) _gnutls_get_cred(session,
2873 : GNUTLS_CRD_CERTIFICATE);
2874 :
2875 14929 : if (side == GNUTLS_CLIENT)
2876 5845 : type = gnutls_auth_server_get_type(session);
2877 : else
2878 9084 : type = gnutls_auth_client_get_type(session);
2879 :
2880 14929 : if (type != GNUTLS_CRD_CERTIFICATE)
2881 : return 0;
2882 :
2883 : /* verify whether the certificate of the peer remained the same
2884 : * as with any previous handshakes */
2885 10167 : if (cred != NULL) {
2886 10167 : ret = _gnutls_check_if_cert_hash_is_same(session, cred);
2887 10167 : if (ret < 0) {
2888 2 : return gnutls_assert_val(ret);
2889 : }
2890 : }
2891 :
2892 10165 : if (cred != NULL &&
2893 10165 : (cred->verify_callback != NULL || session->internals.verify_callback != NULL) &&
2894 6935 : (session->security_parameters.entity == GNUTLS_CLIENT ||
2895 6665 : session->internals.send_cert_req != GNUTLS_CERT_IGNORE)) {
2896 1282 : if (session->internals.verify_callback)
2897 21 : ret = session->internals.verify_callback(session);
2898 : else
2899 1261 : ret = cred->verify_callback(session);
2900 1282 : if (ret < -1)
2901 8 : return gnutls_assert_val(ret);
2902 1274 : else if (ret != 0)
2903 22 : return gnutls_assert_val(GNUTLS_E_CERTIFICATE_ERROR);
2904 : }
2905 :
2906 : return 0;
2907 : }
2908 :
2909 61 : static bool can_send_false_start(gnutls_session_t session)
2910 : {
2911 61 : const version_entry_st *vers;
2912 :
2913 61 : vers = get_version(session);
2914 61 : if (unlikely(vers == NULL || !vers->false_start))
2915 : return 0;
2916 :
2917 61 : if (session->internals.selected_cert_list != NULL)
2918 : return 0;
2919 :
2920 61 : if (!_gnutls_kx_allows_false_start(session))
2921 18 : return 0;
2922 :
2923 : return 1;
2924 : }
2925 :
2926 : /*
2927 : * handshake_client
2928 : * This function performs the client side of the handshake of the TLS/SSL protocol.
2929 : */
2930 20681500 : static int handshake_client(gnutls_session_t session)
2931 : {
2932 20681500 : int ret = 0;
2933 20682100 : const version_entry_st *ver;
2934 :
2935 20682100 : reset:
2936 20682100 : if (STATE >= STATE99)
2937 750 : return _gnutls13_handshake_client(session);
2938 :
2939 20681400 : switch (STATE) {
2940 12413400 : case STATE0:
2941 : case STATE1:
2942 12413400 : ret = send_client_hello(session, AGAIN(STATE1));
2943 12413400 : STATE = STATE1;
2944 12413400 : IMED_RET("send hello", ret, 1);
2945 750952 : FALLTHROUGH;
2946 : case STATE2:
2947 750952 : if (IS_DTLS(session)) {
2948 348 : ret =
2949 348 : _gnutls_recv_handshake(session,
2950 : GNUTLS_HANDSHAKE_HELLO_VERIFY_REQUEST,
2951 : 1, NULL);
2952 348 : STATE = STATE2;
2953 348 : IMED_RET("recv hello verify", ret, 1);
2954 :
2955 317 : if (ret == 1) {
2956 27 : STATE = STATE0;
2957 27 : return 1;
2958 : }
2959 : } else {
2960 750604 : ret =
2961 750604 : _gnutls_recv_handshake(session,
2962 : GNUTLS_HANDSHAKE_HELLO_RETRY_REQUEST,
2963 : 1, NULL);
2964 750604 : STATE = STATE2;
2965 750604 : IMED_RET("recv hello retry", ret, 1);
2966 :
2967 2898 : if (ret == 1) {
2968 24 : STATE = STATE0;
2969 24 : return 1;
2970 : }
2971 : }
2972 3164 : FALLTHROUGH;
2973 : case STATE3:
2974 : /* receive the server hello */
2975 3164 : ret =
2976 3164 : _gnutls_recv_handshake(session,
2977 : GNUTLS_HANDSHAKE_SERVER_HELLO,
2978 : 0, NULL);
2979 3164 : STATE = STATE3;
2980 3164 : IMED_RET("recv hello", ret, 1);
2981 2769 : FALLTHROUGH;
2982 : case STATE4:
2983 2769 : ver = get_version(session);
2984 2769 : if (ver->tls13_sem) { /* TLS 1.3 state machine */
2985 598 : STATE = STATE99;
2986 598 : goto reset;
2987 : }
2988 :
2989 2171 : ret = _gnutls_ext_sr_verify(session);
2990 2171 : STATE = STATE4;
2991 2171 : IMED_RET_FATAL("recv hello", ret, 0);
2992 2164 : FALLTHROUGH;
2993 : case STATE5:
2994 2164 : if (session->security_parameters.do_recv_supplemental) {
2995 6 : ret = _gnutls_recv_supplemental(session);
2996 6 : STATE = STATE5;
2997 6 : IMED_RET("recv supplemental", ret, 1);
2998 : }
2999 3221 : FALLTHROUGH;
3000 : case STATE6:
3001 : /* RECV CERTIFICATE */
3002 3221 : if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
3003 3107 : ret = _gnutls_recv_server_certificate(session);
3004 3221 : STATE = STATE6;
3005 3221 : IMED_RET("recv server certificate", ret, 1);
3006 3634 : FALLTHROUGH;
3007 : case STATE7:
3008 : #ifdef ENABLE_OCSP
3009 : /* RECV CERTIFICATE STATUS */
3010 3634 : if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
3011 3520 : ret =
3012 3520 : _gnutls_recv_server_certificate_status
3013 : (session);
3014 3634 : STATE = STATE7;
3015 3634 : IMED_RET("recv server certificate", ret, 1);
3016 : #endif
3017 1805 : FALLTHROUGH;
3018 : case STATE8:
3019 1805 : ret = _gnutls_run_verify_callback(session, GNUTLS_CLIENT);
3020 1805 : STATE = STATE8;
3021 1805 : if (ret < 0)
3022 6 : return gnutls_assert_val(ret);
3023 :
3024 6981550 : FALLTHROUGH;
3025 : case STATE9:
3026 : /* receive the server key exchange */
3027 6981550 : if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
3028 6981440 : ret = _gnutls_recv_server_kx_message(session);
3029 6981550 : STATE = STATE9;
3030 6981550 : IMED_RET("recv server kx message", ret, 1);
3031 1935 : FALLTHROUGH;
3032 : case STATE10:
3033 : /* receive the server certificate request - if any
3034 : */
3035 :
3036 1935 : if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
3037 1821 : ret = _gnutls_recv_server_crt_request(session);
3038 1935 : STATE = STATE10;
3039 1935 : IMED_RET("recv server certificate request message", ret,
3040 : 1);
3041 4075 : FALLTHROUGH;
3042 : case STATE11:
3043 : /* receive the server hello done */
3044 4075 : if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
3045 3961 : ret =
3046 3961 : _gnutls_recv_handshake(session,
3047 : GNUTLS_HANDSHAKE_SERVER_HELLO_DONE,
3048 : 0, NULL);
3049 4075 : STATE = STATE11;
3050 4075 : IMED_RET("recv server hello done", ret, 1);
3051 1594 : FALLTHROUGH;
3052 : case STATE12:
3053 1594 : if (session->security_parameters.do_send_supplemental) {
3054 6 : ret =
3055 12 : _gnutls_send_supplemental(session,
3056 6 : AGAIN(STATE12));
3057 6 : STATE = STATE12;
3058 6 : IMED_RET("send supplemental", ret, 0);
3059 : }
3060 1594 : FALLTHROUGH;
3061 : case STATE13:
3062 : /* send our certificate - if any and if requested
3063 : */
3064 1594 : if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
3065 1480 : ret =
3066 1480 : _gnutls_send_client_certificate(session,
3067 1480 : AGAIN
3068 : (STATE13));
3069 1594 : STATE = STATE13;
3070 1594 : IMED_RET("send client certificate", ret, 0);
3071 1594 : FALLTHROUGH;
3072 : case STATE14:
3073 1594 : if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
3074 1480 : ret =
3075 1480 : _gnutls_send_client_kx_message(session,
3076 1480 : AGAIN(STATE14));
3077 1594 : STATE = STATE14;
3078 1594 : IMED_RET("send client kx", ret, 0);
3079 1587 : FALLTHROUGH;
3080 : case STATE15:
3081 : /* send client certificate verify */
3082 1587 : if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
3083 1473 : ret =
3084 1473 : _gnutls_send_client_certificate_verify(session,
3085 1473 : AGAIN
3086 : (STATE15));
3087 1587 : STATE = STATE15;
3088 1587 : IMED_RET("send client certificate verify", ret, 1);
3089 1619 : FALLTHROUGH;
3090 : case STATE16:
3091 1619 : STATE = STATE16;
3092 1619 : if (session->internals.resumed == RESUME_FALSE) {
3093 1505 : ret = send_handshake_final(session, TRUE);
3094 1505 : IMED_RET("send handshake final 2", ret, 1);
3095 : } else {
3096 114 : ret = _gnutls_recv_new_session_ticket(session);
3097 114 : IMED_RET("recv handshake new session ticket", ret,
3098 : 1);
3099 : }
3100 1582 : FALLTHROUGH;
3101 : case STATE17:
3102 1582 : STATE = STATE17;
3103 1582 : if (session->internals.resumed == RESUME_FALSE && (session->internals.flags & GNUTLS_ENABLE_FALSE_START) && can_send_false_start(session)) {
3104 43 : session->internals.hsk_flags |= HSK_FALSE_START_USED;
3105 43 : session->internals.recv_state = RECV_STATE_FALSE_START;
3106 : /* complete this phase of the handshake. We
3107 : * should be called again by gnutls_record_recv()
3108 : */
3109 43 : STATE = STATE18;
3110 43 : gnutls_assert();
3111 :
3112 43 : return 0;
3113 : }
3114 4304 : FALLTHROUGH;
3115 : case STATE18:
3116 4304 : STATE = STATE18;
3117 :
3118 4304 : if (session->internals.resumed == RESUME_FALSE) {
3119 4159 : ret = _gnutls_recv_new_session_ticket(session);
3120 4159 : IMED_RET("recv handshake new session ticket", ret,
3121 : 1);
3122 : } else {
3123 145 : ret = recv_handshake_final(session, TRUE);
3124 145 : IMED_RET("recv handshake final", ret, 1);
3125 : }
3126 534205 : FALLTHROUGH;
3127 : case STATE19:
3128 534205 : STATE = STATE19;
3129 534205 : if (session->internals.resumed == RESUME_FALSE) {
3130 534091 : ret = recv_handshake_final(session, FALSE);
3131 534091 : IMED_RET("recv handshake final 2", ret, 1);
3132 : } else {
3133 114 : ret = send_handshake_final(session, FALSE);
3134 114 : IMED_RET("send handshake final", ret, 1);
3135 : }
3136 :
3137 1440 : STATE = STATE0;
3138 1440 : FALLTHROUGH;
3139 : default:
3140 1440 : break;
3141 : }
3142 :
3143 : /* explicitly reset any false start flags */
3144 1440 : gnutls_mutex_lock(&session->internals.post_negotiation_lock);
3145 1440 : session->internals.initial_negotiation_completed = 1;
3146 1440 : session->internals.recv_state = RECV_STATE_0;
3147 1440 : gnutls_mutex_unlock(&session->internals.post_negotiation_lock);
3148 :
3149 1440 : return 0;
3150 : }
3151 :
3152 :
3153 :
3154 : /* This function is to be called if the handshake was successfully
3155 : * completed. This sends a Change Cipher Spec packet to the peer.
3156 : */
3157 14683 : ssize_t _gnutls_send_change_cipher_spec(gnutls_session_t session, int again)
3158 : {
3159 14683 : uint8_t *data;
3160 14683 : mbuffer_st *bufel;
3161 14683 : int ret;
3162 14683 : const version_entry_st *vers;
3163 :
3164 14683 : if (again == 0) {
3165 14679 : bufel = _gnutls_handshake_alloc(session, 3); /* max for DTLS0.9 */
3166 14679 : if (bufel == NULL)
3167 0 : return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
3168 :
3169 14679 : vers = get_version(session);
3170 14679 : if (unlikely(vers == NULL))
3171 0 : return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
3172 :
3173 14679 : if (vers->id == GNUTLS_DTLS0_9)
3174 7 : _mbuffer_set_uhead_size(bufel, 3);
3175 : else
3176 14672 : _mbuffer_set_uhead_size(bufel, 1);
3177 14679 : _mbuffer_set_udata_size(bufel, 0);
3178 :
3179 14679 : data = _mbuffer_get_uhead_ptr(bufel);
3180 :
3181 14679 : data[0] = 1;
3182 14679 : if (vers->id == GNUTLS_DTLS0_9) {
3183 7 : _gnutls_write_uint16(session->internals.dtls.
3184 : hsk_write_seq, &data[1]);
3185 7 : session->internals.dtls.hsk_write_seq++;
3186 : }
3187 :
3188 14679 : ret = _gnutls_call_hook_func(session, GNUTLS_HANDSHAKE_CHANGE_CIPHER_SPEC, GNUTLS_HOOK_PRE, 0,
3189 : data, 1);
3190 14679 : if (ret < 0) {
3191 0 : _mbuffer_xfree(&bufel);
3192 0 : return gnutls_assert_val(ret);
3193 : }
3194 :
3195 14679 : ret =
3196 14679 : _gnutls_handshake_io_cache_int(session,
3197 : GNUTLS_HANDSHAKE_CHANGE_CIPHER_SPEC,
3198 : bufel);
3199 14679 : if (ret < 0) {
3200 0 : _mbuffer_xfree(&bufel);
3201 0 : return gnutls_assert_val(ret);
3202 : }
3203 :
3204 14679 : ret = _gnutls_call_hook_func(session, GNUTLS_HANDSHAKE_CHANGE_CIPHER_SPEC, GNUTLS_HOOK_POST, 0,
3205 : data, 1);
3206 14679 : if (ret < 0) {
3207 0 : return gnutls_assert_val(ret);
3208 : }
3209 :
3210 : /* under TLS 1.3, CCS may be immediately followed by
3211 : * receiving ClientHello thus cannot be cached */
3212 14679 : if (vers->tls13_sem) {
3213 5699 : ret = _gnutls_handshake_io_write_flush(session);
3214 5699 : if (ret < 0)
3215 4 : return gnutls_assert_val(ret);
3216 : }
3217 :
3218 14675 : _gnutls_handshake_log("REC[%p]: Sent ChangeCipherSpec\n",
3219 : session);
3220 : }
3221 :
3222 : return 0;
3223 : }
3224 :
3225 : /* This function sends the final handshake packets and initializes connection
3226 : */
3227 9015 : static int send_handshake_final(gnutls_session_t session, int init)
3228 : {
3229 9015 : int ret = 0;
3230 :
3231 : /* Send the CHANGE CIPHER SPEC PACKET */
3232 :
3233 9015 : switch (FINAL_STATE) {
3234 8980 : case STATE0:
3235 : case STATE1:
3236 8980 : ret = _gnutls_send_change_cipher_spec(session, FAGAIN(STATE1));
3237 8980 : FINAL_STATE = STATE0;
3238 :
3239 8980 : if (ret < 0) {
3240 0 : gnutls_assert();
3241 0 : return ret;
3242 : }
3243 : /* Initialize the connection session (start encryption) - in case of client
3244 : */
3245 8980 : if (init == TRUE) {
3246 2252 : ret = _gnutls_connection_state_init(session);
3247 2252 : if (ret < 0) {
3248 0 : gnutls_assert();
3249 0 : return ret;
3250 : }
3251 : }
3252 :
3253 8980 : ret = _gnutls_write_connection_state_init(session);
3254 8980 : if (ret < 0) {
3255 0 : gnutls_assert();
3256 0 : return ret;
3257 : }
3258 :
3259 9015 : FALLTHROUGH;
3260 : case STATE2:
3261 : /* send the finished message */
3262 9015 : ret = _gnutls_send_finished(session, FAGAIN(STATE2));
3263 9015 : FINAL_STATE = STATE2;
3264 9015 : if (ret < 0) {
3265 37 : gnutls_assert();
3266 37 : return ret;
3267 : }
3268 :
3269 8978 : FINAL_STATE = STATE0;
3270 : FALLTHROUGH;
3271 : default:
3272 : break;
3273 : }
3274 :
3275 : return 0;
3276 : }
3277 :
3278 : /* This function receives the final handshake packets
3279 : * And executes the appropriate function to initialize the
3280 : * read session.
3281 : */
3282 542428 : static int recv_handshake_final(gnutls_session_t session, int init)
3283 : {
3284 542428 : int ret = 0;
3285 542428 : uint8_t ccs[3];
3286 542428 : unsigned int ccs_len = 1;
3287 542428 : unsigned int tleft;
3288 542428 : const version_entry_st *vers;
3289 :
3290 542428 : ret = handshake_remaining_time(session);
3291 542428 : if (ret < 0)
3292 0 : return gnutls_assert_val(ret);
3293 542428 : tleft = ret;
3294 :
3295 542428 : switch (FINAL_STATE) {
3296 542340 : case STATE0:
3297 : case STATE30:
3298 542340 : FINAL_STATE = STATE30;
3299 :
3300 : /* This is the last flight and peer cannot be sure
3301 : * we have received it unless we notify him. So we
3302 : * wait for a message and retransmit if needed. */
3303 542340 : if (IS_DTLS(session) && !_dtls_is_async(session) &&
3304 518003 : (gnutls_record_check_pending(session) +
3305 518003 : record_check_unprocessed(session)) == 0) {
3306 517944 : ret = _dtls_wait_and_retransmit(session);
3307 517944 : if (ret < 0)
3308 208 : return gnutls_assert_val(ret);
3309 : }
3310 :
3311 542132 : vers = get_version(session);
3312 542132 : if (unlikely(vers == NULL))
3313 0 : return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
3314 :
3315 542132 : if (vers->id == GNUTLS_DTLS0_9)
3316 7 : ccs_len = 3;
3317 :
3318 1084260 : ret =
3319 542132 : _gnutls_recv_int(session, GNUTLS_CHANGE_CIPHER_SPEC,
3320 : ccs, ccs_len, NULL, tleft);
3321 542132 : if (ret <= 0) {
3322 532842 : gnutls_assert();
3323 532842 : return (ret<0)?ret:GNUTLS_E_UNEXPECTED_PACKET;
3324 : }
3325 :
3326 9290 : if (vers->id == GNUTLS_DTLS0_9)
3327 7 : session->internals.dtls.hsk_read_seq++;
3328 :
3329 : /* Initialize the connection session (start encryption) - in case of server */
3330 9290 : if (init == TRUE) {
3331 7159 : ret = _gnutls_connection_state_init(session);
3332 7159 : if (ret < 0) {
3333 0 : gnutls_assert();
3334 0 : return ret;
3335 : }
3336 : }
3337 :
3338 9290 : ret = _gnutls_read_connection_state_init(session);
3339 9290 : if (ret < 0) {
3340 0 : gnutls_assert();
3341 0 : return ret;
3342 : }
3343 9378 : FALLTHROUGH;
3344 : case STATE31:
3345 9378 : FINAL_STATE = STATE31;
3346 :
3347 9378 : if (IS_DTLS(session) && !_dtls_is_async(session) &&
3348 337 : (gnutls_record_check_pending(session) +
3349 337 : record_check_unprocessed(session)) == 0) {
3350 88 : ret = _dtls_wait_and_retransmit(session);
3351 88 : if (ret < 0)
3352 30 : return gnutls_assert_val(ret);
3353 : }
3354 :
3355 9348 : ret = _gnutls_recv_finished(session);
3356 9348 : if (ret < 0) {
3357 513 : gnutls_assert();
3358 513 : return ret;
3359 : }
3360 8835 : FINAL_STATE = STATE0;
3361 : FALLTHROUGH;
3362 : default:
3363 : break;
3364 : }
3365 :
3366 : return 0;
3367 : }
3368 :
3369 : /*
3370 : * handshake_server
3371 : * This function does the server stuff of the handshake protocol.
3372 : */
3373 19024700 : static int handshake_server(gnutls_session_t session)
3374 : {
3375 19024700 : int ret = 0;
3376 19030000 : const version_entry_st *ver;
3377 :
3378 5257 : reset:
3379 :
3380 19030000 : if (STATE >= STATE90)
3381 5549 : return _gnutls13_handshake_server(session);
3382 :
3383 19024400 : switch (STATE) {
3384 12042200 : case STATE0:
3385 : case STATE1:
3386 12042200 : ret =
3387 12042200 : _gnutls_recv_handshake(session,
3388 : GNUTLS_HANDSHAKE_CLIENT_HELLO,
3389 : 0, NULL);
3390 12042200 : if (ret == GNUTLS_E_INT_RET_0) {
3391 : /* this is triggered by post_client_hello, and instructs the
3392 : * handshake to proceed but be put on hold */
3393 3 : ret = GNUTLS_E_INTERRUPTED;
3394 3 : STATE = STATE2; /* hello already parsed -> move on */
3395 : } else {
3396 12042200 : STATE = STATE1;
3397 : }
3398 :
3399 12042200 : if (ret == GNUTLS_E_NO_COMMON_KEY_SHARE) {
3400 219 : STATE = STATE90;
3401 219 : session->internals.hsk_flags |= HSK_HRR_SENT;
3402 219 : goto reset;
3403 : }
3404 :
3405 12042000 : IMED_RET("recv hello", ret, 1);
3406 15851 : FALLTHROUGH;
3407 : case STATE2:
3408 :
3409 15851 : ret = _gnutls_ext_sr_verify(session);
3410 15851 : STATE = STATE2;
3411 15851 : IMED_RET_FATAL("recv hello", ret, 0);
3412 15853 : FALLTHROUGH;
3413 : case STATE3:
3414 15853 : ret = _gnutls_send_server_hello(session, AGAIN(STATE3));
3415 15853 : STATE = STATE3;
3416 15853 : IMED_RET("send hello", ret, 1);
3417 :
3418 15839 : ver = get_version(session);
3419 15839 : if (ver->tls13_sem) { /* TLS 1.3 state machine */
3420 5038 : STATE = STATE99;
3421 5038 : goto reset;
3422 : }
3423 :
3424 10801 : FALLTHROUGH;
3425 : case STATE4:
3426 10801 : if (session->security_parameters.do_send_supplemental) {
3427 24 : ret =
3428 48 : _gnutls_send_supplemental(session,
3429 24 : AGAIN(STATE4));
3430 24 : STATE = STATE4;
3431 24 : IMED_RET("send supplemental data", ret, 0);
3432 : }
3433 : /* SEND CERTIFICATE + KEYEXCHANGE + CERTIFICATE_REQUEST */
3434 10801 : FALLTHROUGH;
3435 : case STATE5:
3436 : /* NOTE: these should not be send if we are resuming */
3437 :
3438 10801 : if (session->internals.resumed == RESUME_FALSE)
3439 10019 : ret =
3440 10019 : _gnutls_send_server_certificate(session,
3441 10019 : AGAIN(STATE5));
3442 10801 : STATE = STATE5;
3443 10801 : IMED_RET("send server certificate", ret, 0);
3444 10801 : FALLTHROUGH;
3445 : case STATE6:
3446 : #ifdef ENABLE_OCSP
3447 10801 : if (session->internals.resumed == RESUME_FALSE)
3448 10019 : ret =
3449 10019 : _gnutls_send_server_certificate_status(session,
3450 10019 : AGAIN
3451 : (STATE6));
3452 10801 : STATE = STATE6;
3453 10801 : IMED_RET("send server certificate status", ret, 0);
3454 : #endif
3455 10801 : FALLTHROUGH;
3456 : case STATE7:
3457 : /* send server key exchange (A) */
3458 10801 : if (session->internals.resumed == RESUME_FALSE)
3459 10019 : ret =
3460 10019 : _gnutls_send_server_kx_message(session,
3461 10019 : AGAIN(STATE7));
3462 10801 : STATE = STATE7;
3463 10801 : IMED_RET("send server kx", ret, 0);
3464 10756 : FALLTHROUGH;
3465 : case STATE8:
3466 : /* Send certificate request - if requested to */
3467 10756 : if (session->internals.resumed == RESUME_FALSE)
3468 9974 : ret =
3469 9974 : _gnutls_send_server_crt_request(session,
3470 9974 : AGAIN(STATE8));
3471 10756 : STATE = STATE8;
3472 10756 : IMED_RET("send server cert request", ret, 0);
3473 6989760 : FALLTHROUGH;
3474 : case STATE9:
3475 : /* send the server hello done */
3476 6989760 : if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
3477 6988980 : ret =
3478 6988980 : _gnutls_send_empty_handshake(session,
3479 : GNUTLS_HANDSHAKE_SERVER_HELLO_DONE,
3480 6988980 : AGAIN(STATE9));
3481 6989760 : STATE = STATE9;
3482 6989760 : IMED_RET("send server hello done", ret, 1);
3483 10755 : FALLTHROUGH;
3484 : case STATE10:
3485 10755 : if (session->security_parameters.do_recv_supplemental) {
3486 24 : ret = _gnutls_recv_supplemental(session);
3487 24 : STATE = STATE10;
3488 24 : IMED_RET("recv client supplemental", ret, 1);
3489 : }
3490 : /* RECV CERTIFICATE + KEYEXCHANGE + CERTIFICATE_VERIFY */
3491 10827 : FALLTHROUGH;
3492 : case STATE11:
3493 : /* receive the client certificate message */
3494 10827 : if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
3495 10045 : ret = _gnutls_recv_client_certificate(session);
3496 10827 : STATE = STATE11;
3497 10827 : IMED_RET("recv client certificate", ret, 1);
3498 9084 : FALLTHROUGH;
3499 : case STATE12:
3500 9084 : ret = _gnutls_run_verify_callback(session, GNUTLS_SERVER);
3501 9084 : STATE = STATE12;
3502 9084 : if (ret < 0)
3503 2 : return gnutls_assert_val(ret);
3504 11901 : FALLTHROUGH;
3505 : case STATE13:
3506 : /* receive the client key exchange message */
3507 11901 : if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
3508 11119 : ret = _gnutls_recv_client_kx_message(session);
3509 11901 : STATE = STATE13;
3510 11901 : IMED_RET("recv client kx", ret, 1);
3511 8384 : FALLTHROUGH;
3512 : case STATE14:
3513 : /* receive the client certificate verify message */
3514 8384 : if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
3515 7602 : ret =
3516 7602 : _gnutls_recv_client_certificate_verify_message
3517 : (session);
3518 8384 : STATE = STATE14;
3519 8384 : IMED_RET("recv client certificate verify", ret, 1);
3520 8125 : FALLTHROUGH;
3521 : case STATE15:
3522 8125 : STATE = STATE15;
3523 8125 : if (session->internals.resumed == RESUME_FALSE) { /* if we are not resuming */
3524 7343 : ret = recv_handshake_final(session, TRUE);
3525 7343 : IMED_RET("recv handshake final", ret, 1);
3526 : } else {
3527 782 : ret = send_handshake_final(session, TRUE);
3528 782 : IMED_RET("send handshake final 2", ret, 1);
3529 : }
3530 7396 : FALLTHROUGH;
3531 : case STATE16:
3532 7396 : ret =
3533 14792 : _gnutls_send_new_session_ticket(session,
3534 7396 : AGAIN(STATE16));
3535 7396 : STATE = STATE16;
3536 7396 : IMED_RET("send handshake new session ticket", ret, 0);
3537 7463 : FALLTHROUGH;
3538 : case STATE17:
3539 7463 : STATE = STATE17;
3540 7463 : if (session->internals.resumed == RESUME_FALSE) { /* if we are not resuming */
3541 6614 : ret = send_handshake_final(session, FALSE);
3542 6614 : IMED_RET("send handshake final", ret, 1);
3543 :
3544 6614 : if (session->security_parameters.entity ==
3545 : GNUTLS_SERVER
3546 6614 : && !(session->internals.hsk_flags & HSK_TLS12_TICKET_SENT)) {
3547 : /* if no ticket, save session data */
3548 5820 : _gnutls_server_register_current_session
3549 : (session);
3550 : }
3551 : } else {
3552 849 : ret = recv_handshake_final(session, FALSE);
3553 849 : IMED_RET("recv handshake final 2", ret, 1);
3554 : }
3555 :
3556 7395 : STATE = STATE0;
3557 7395 : FALLTHROUGH;
3558 : default:
3559 7395 : break;
3560 : }
3561 :
3562 : /* no lock of post_negotiation_lock is required here as this is not run
3563 : * after handshake */
3564 7395 : session->internals.initial_negotiation_completed = 1;
3565 :
3566 7395 : return _gnutls_check_id_for_change(session);
3567 : }
3568 :
3569 19520 : int _gnutls_generate_session_id(uint8_t * session_id, uint8_t *len)
3570 : {
3571 19520 : int ret;
3572 :
3573 19520 : *len = GNUTLS_DEF_SESSION_ID_SIZE;
3574 :
3575 19520 : ret =
3576 19520 : gnutls_rnd(GNUTLS_RND_NONCE, session_id,
3577 : GNUTLS_DEF_SESSION_ID_SIZE);
3578 19520 : if (ret < 0) {
3579 0 : gnutls_assert();
3580 0 : return ret;
3581 : }
3582 :
3583 : return 0;
3584 : }
3585 :
3586 :
3587 : /**
3588 : * gnutls_handshake_set_max_packet_length:
3589 : * @session: is a #gnutls_session_t type.
3590 : * @max: is the maximum number.
3591 : *
3592 : * This function will set the maximum size of all handshake messages.
3593 : * Handshakes over this size are rejected with
3594 : * %GNUTLS_E_HANDSHAKE_TOO_LARGE error code. The default value is
3595 : * 128kb which is typically large enough. Set this to 0 if you do not
3596 : * want to set an upper limit.
3597 : *
3598 : * The reason for restricting the handshake message sizes are to
3599 : * limit Denial of Service attacks.
3600 : *
3601 : * Note that the maximum handshake size was increased to 128kb
3602 : * from 48kb in GnuTLS 3.5.5.
3603 : **/
3604 : void
3605 23098 : gnutls_handshake_set_max_packet_length(gnutls_session_t session,
3606 : size_t max)
3607 : {
3608 23098 : session->internals.max_handshake_data_buffer_size = max;
3609 23098 : }
3610 :
3611 : /**
3612 : * gnutls_handshake_get_last_in:
3613 : * @session: is a #gnutls_session_t type.
3614 : *
3615 : * This function is only useful to check where the last performed
3616 : * handshake failed. If the previous handshake succeed or was not
3617 : * performed at all then no meaningful value will be returned.
3618 : *
3619 : * Check %gnutls_handshake_description_t in gnutls.h for the
3620 : * available handshake descriptions.
3621 : *
3622 : * Returns: the last handshake message type received, a
3623 : * %gnutls_handshake_description_t.
3624 : **/
3625 : gnutls_handshake_description_t
3626 7 : gnutls_handshake_get_last_in(gnutls_session_t session)
3627 : {
3628 7 : return session->internals.last_handshake_in;
3629 : }
3630 :
3631 : /**
3632 : * gnutls_handshake_get_last_out:
3633 : * @session: is a #gnutls_session_t type.
3634 : *
3635 : * This function is only useful to check where the last performed
3636 : * handshake failed. If the previous handshake succeed or was not
3637 : * performed at all then no meaningful value will be returned.
3638 : *
3639 : * Check %gnutls_handshake_description_t in gnutls.h for the
3640 : * available handshake descriptions.
3641 : *
3642 : * Returns: the last handshake message type sent, a
3643 : * %gnutls_handshake_description_t.
3644 : **/
3645 : gnutls_handshake_description_t
3646 9 : gnutls_handshake_get_last_out(gnutls_session_t session)
3647 : {
3648 9 : return session->internals.last_handshake_out;
3649 : }
3650 :
3651 : /* This returns the session hash as in draft-ietf-tls-session-hash-02.
3652 : */
3653 5150 : int _gnutls_handshake_get_session_hash(gnutls_session_t session, gnutls_datum_t *shash)
3654 : {
3655 5150 : const version_entry_st *ver = get_version(session);
3656 5150 : int ret;
3657 5150 : uint8_t concat[2*MAX_HASH_SIZE];
3658 :
3659 5150 : if (unlikely(ver == NULL))
3660 0 : return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
3661 :
3662 5150 : if (session->internals.handshake_hash_buffer_client_kx_len == 0 ||
3663 5150 : (session->internals.handshake_hash_buffer.length <
3664 5150 : session->internals.handshake_hash_buffer_client_kx_len)) {
3665 0 : return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
3666 : }
3667 :
3668 5150 : ret =
3669 10300 : _gnutls_hash_fast((gnutls_digest_algorithm_t)session->security_parameters.prf->id,
3670 5150 : session->internals.handshake_hash_buffer.
3671 : data,
3672 : session->internals.handshake_hash_buffer_client_kx_len,
3673 : concat);
3674 5150 : if (ret < 0)
3675 0 : return gnutls_assert_val(ret);
3676 :
3677 5150 : return _gnutls_set_datum(shash, concat, session->security_parameters.prf->output_size);
3678 : }
|