summaryrefslogtreecommitdiffstats
path: root/lib/handshake.c
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--lib/handshake.c3788
1 files changed, 3788 insertions, 0 deletions
diff --git a/lib/handshake.c b/lib/handshake.c
new file mode 100644
index 0000000..21edc5e
--- /dev/null
+++ b/lib/handshake.c
@@ -0,0 +1,3788 @@
+/*
+ * Copyright (C) 2000-2016 Free Software Foundation, Inc.
+ * Copyright (C) 2015-2018 Red Hat, Inc.
+ *
+ * Author: Nikos Mavrogiannopoulos
+ *
+ * This file is part of GnuTLS.
+ *
+ * The GnuTLS is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public License
+ * as published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>
+ *
+ */
+
+/* Functions that relate to the TLS handshake procedure.
+ */
+
+#include "gnutls_int.h"
+#include "errors.h"
+#include "dh.h"
+#include "debug.h"
+#include "algorithms.h"
+#include "cipher.h"
+#include "buffers.h"
+#include "mbuffers.h"
+#include "kx.h"
+#include "handshake.h"
+#include "num.h"
+#include "hash_int.h"
+#include "db.h"
+#include "hello_ext.h"
+#include "supplemental.h"
+#include "auth.h"
+#include "sslv2_compat.h"
+#include <auth/cert.h>
+#include "constate.h"
+#include <record.h>
+#include <state.h>
+#include <ext/pre_shared_key.h>
+#include <ext/srp.h>
+#include <ext/session_ticket.h>
+#include <ext/status_request.h>
+#include <ext/safe_renegotiation.h>
+#include <auth/anon.h> /* for gnutls_anon_server_credentials_t */
+#include <auth/psk.h> /* for gnutls_psk_server_credentials_t */
+#include <random.h>
+#include <dtls.h>
+#include "secrets.h"
+#include "tls13/early_data.h"
+#include "tls13/session_ticket.h"
+#include "locks.h"
+#include "system/ktls.h"
+
+
+static int check_if_null_comp_present(gnutls_session_t session,
+ uint8_t * data, int datalen);
+static int handshake_client(gnutls_session_t session);
+static int handshake_server(gnutls_session_t session);
+
+static int
+read_server_hello(gnutls_session_t session,
+ uint8_t * data, int datalen);
+
+static int
+recv_handshake_final(gnutls_session_t session, int init);
+static int
+send_handshake_final(gnutls_session_t session, int init);
+
+/* Empties but does not free the buffer
+ */
+inline static void
+handshake_hash_buffer_reset(gnutls_session_t session)
+{
+ _gnutls_buffers_log("BUF[HSK]: Emptied buffer\n");
+
+ session->internals.handshake_hash_buffer_client_hello_len = 0;
+ session->internals.handshake_hash_buffer_client_kx_len = 0;
+ session->internals.handshake_hash_buffer_server_finished_len = 0;
+ session->internals.handshake_hash_buffer_client_finished_len = 0;
+ session->internals.handshake_hash_buffer_prev_len = 0;
+ session->internals.handshake_hash_buffer.length = 0;
+ session->internals.full_client_hello.length = 0;
+ return;
+}
+
+static int
+handshake_hash_add_recvd(gnutls_session_t session,
+ gnutls_handshake_description_t recv_type,
+ uint8_t * header, uint16_t header_size,
+ uint8_t * dataptr, uint32_t datalen);
+
+static int
+handshake_hash_add_sent(gnutls_session_t session,
+ gnutls_handshake_description_t type,
+ uint8_t * dataptr, uint32_t datalen);
+
+static int
+recv_hello_verify_request(gnutls_session_t session,
+ uint8_t * data, int datalen);
+
+
+/* Clears the handshake hash buffers and handles.
+ */
+void _gnutls_handshake_hash_buffers_clear(gnutls_session_t session)
+{
+ handshake_hash_buffer_reset(session);
+ _gnutls_buffer_clear(&session->internals.handshake_hash_buffer);
+ _gnutls_buffer_clear(&session->internals.full_client_hello);
+}
+
+/* Replace handshake message buffer, with the special synthetic message
+ * needed by TLS1.3 when HRR is sent. */
+int _gnutls13_handshake_hash_buffers_synth(gnutls_session_t session,
+ const mac_entry_st *prf,
+ unsigned client)
+{
+ int ret;
+ uint8_t hdata[4+MAX_HASH_SIZE];
+ size_t length;
+
+ if (client)
+ length = session->internals.handshake_hash_buffer_prev_len;
+ else
+ length = session->internals.handshake_hash_buffer.length;
+
+ /* calculate hash */
+ hdata[0] = 254;
+ _gnutls_write_uint24(prf->output_size, &hdata[1]);
+
+ ret = gnutls_hash_fast((gnutls_digest_algorithm_t)prf->id,
+ session->internals.handshake_hash_buffer.data,
+ length, hdata+4);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ handshake_hash_buffer_reset(session);
+
+ ret =
+ _gnutls_buffer_append_data(&session->internals.
+ handshake_hash_buffer,
+ hdata, prf->output_size+4);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ _gnutls_buffers_log("BUF[HSK]: Replaced handshake buffer with synth message (%d bytes)\n",
+ prf->output_size+4);
+
+ return 0;
+}
+
+/* this will copy the required values for resuming to
+ * internals, and to security_parameters.
+ * this will keep as less data to security_parameters.
+ */
+static int tls12_resume_copy_required_vals(gnutls_session_t session, unsigned ticket)
+{
+ int ret;
+
+ /* get the new random values */
+ memcpy(session->internals.resumed_security_parameters.
+ server_random, session->security_parameters.server_random,
+ GNUTLS_RANDOM_SIZE);
+ memcpy(session->internals.resumed_security_parameters.
+ client_random, session->security_parameters.client_random,
+ GNUTLS_RANDOM_SIZE);
+
+ /* keep the ciphersuite and compression
+ * That is because the client must see these in our
+ * hello message.
+ */
+ ret = _gnutls_set_cipher_suite2(session,
+ session->internals.
+ resumed_security_parameters.
+ cs);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ /* or write_compression_algorithm
+ * they are the same
+ */
+
+ session->security_parameters.entity =
+ session->internals.resumed_security_parameters.entity;
+
+ if (session->internals.resumed_security_parameters.pversion ==
+ NULL)
+ return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
+
+ if (_gnutls_set_current_version(session,
+ session->internals.
+ resumed_security_parameters.pversion->
+ id) < 0)
+ return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
+
+ session->security_parameters.client_ctype =
+ session->internals.resumed_security_parameters.client_ctype;
+ session->security_parameters.server_ctype =
+ session->internals.resumed_security_parameters.server_ctype;
+
+ if (!ticket) {
+ memcpy(session->security_parameters.session_id,
+ session->internals.resumed_security_parameters.session_id,
+ sizeof(session->security_parameters.session_id));
+ session->security_parameters.session_id_size =
+ session->internals.resumed_security_parameters.session_id_size;
+ }
+
+ return 0;
+}
+
+void _gnutls_set_client_random(gnutls_session_t session, uint8_t * rnd)
+{
+ _gnutls_memory_mark_defined(session->security_parameters.client_random,
+ GNUTLS_RANDOM_SIZE);
+ memcpy(session->security_parameters.client_random, rnd,
+ GNUTLS_RANDOM_SIZE);
+}
+
+static
+int _gnutls_gen_client_random(gnutls_session_t session)
+{
+ int ret;
+
+ /* no random given, we generate. */
+ if (session->internals.sc_random_set != 0) {
+ _gnutls_memory_mark_defined(session->security_parameters.client_random,
+ GNUTLS_RANDOM_SIZE);
+ memcpy(session->security_parameters.client_random,
+ session->internals.
+ resumed_security_parameters.client_random,
+ GNUTLS_RANDOM_SIZE);
+ } else {
+ _gnutls_memory_mark_defined(session->security_parameters.client_random,
+ GNUTLS_RANDOM_SIZE);
+ ret = gnutls_rnd(GNUTLS_RND_NONCE,
+ session->security_parameters.client_random,
+ GNUTLS_RANDOM_SIZE);
+ if (ret < 0) {
+ _gnutls_memory_mark_undefined(session->security_parameters.client_random,
+ GNUTLS_RANDOM_SIZE);
+ return gnutls_assert_val(ret);
+ }
+ }
+
+ return 0;
+}
+
+static
+int _gnutls_set_server_random(gnutls_session_t session, const version_entry_st *vers, uint8_t * rnd)
+{
+ const version_entry_st *max;
+
+ _gnutls_memory_mark_defined(session->security_parameters.server_random,
+ GNUTLS_RANDOM_SIZE);
+ memcpy(session->security_parameters.server_random, rnd,
+ GNUTLS_RANDOM_SIZE);
+
+ /* check whether the server random value is set according to
+ * to TLS 1.3. p4.1.3 requirements */
+ if (!IS_DTLS(session) && vers->id <= GNUTLS_TLS1_2 && have_creds_for_tls13(session)) {
+
+ max = _gnutls_version_max(session);
+ if (max->id <= GNUTLS_TLS1_2)
+ return 0;
+
+ if (vers->id == GNUTLS_TLS1_2 &&
+ memcmp(&session->security_parameters.server_random[GNUTLS_RANDOM_SIZE-8],
+ "\x44\x4F\x57\x4E\x47\x52\x44\x01", 8) == 0) {
+
+ _gnutls_audit_log(session,
+ "Detected downgrade to TLS 1.2 from TLS 1.3\n");
+ return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
+ } else if (vers->id <= GNUTLS_TLS1_1 &&
+ memcmp(&session->security_parameters.server_random[GNUTLS_RANDOM_SIZE-8],
+ "\x44\x4F\x57\x4E\x47\x52\x44\x00", 8) == 0) {
+
+ _gnutls_audit_log(session,
+ "Detected downgrade to TLS 1.1 or earlier from TLS 1.3\n");
+ return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
+ }
+ }
+
+ return 0;
+}
+
+int _gnutls_gen_server_random(gnutls_session_t session, int version)
+{
+ int ret;
+ const version_entry_st *max;
+
+ if (session->internals.sc_random_set != 0) {
+ _gnutls_memory_mark_defined(session->security_parameters.server_random,
+ GNUTLS_RANDOM_SIZE);
+ memcpy(session->security_parameters.server_random,
+ session->internals.
+ resumed_security_parameters.server_random,
+ GNUTLS_RANDOM_SIZE);
+ return 0;
+ }
+
+ max = _gnutls_version_max(session);
+ if (max == NULL)
+ return gnutls_assert_val(GNUTLS_E_NO_CIPHER_SUITES);
+
+ _gnutls_memory_mark_defined(session->security_parameters.server_random,
+ GNUTLS_RANDOM_SIZE);
+
+ if (!IS_DTLS(session) && max->id >= GNUTLS_TLS1_3 &&
+ version <= GNUTLS_TLS1_2) {
+ if (version == GNUTLS_TLS1_2) {
+ memcpy(&session->security_parameters.server_random[GNUTLS_RANDOM_SIZE-8],
+ "\x44\x4F\x57\x4E\x47\x52\x44\x01", 8);
+ } else {
+ memcpy(&session->security_parameters.server_random[GNUTLS_RANDOM_SIZE-8],
+ "\x44\x4F\x57\x4E\x47\x52\x44\x00", 8);
+ }
+ ret =
+ gnutls_rnd(GNUTLS_RND_NONCE, session->security_parameters.server_random, GNUTLS_RANDOM_SIZE-8);
+
+ } else {
+ ret =
+ gnutls_rnd(GNUTLS_RND_NONCE, session->security_parameters.server_random, GNUTLS_RANDOM_SIZE);
+ }
+
+ if (ret < 0) {
+ gnutls_assert();
+ _gnutls_memory_mark_undefined(session->security_parameters.server_random,
+ GNUTLS_RANDOM_SIZE);
+ return ret;
+ }
+
+ return 0;
+}
+
+#ifdef ENABLE_SSL3
+/* Calculate The SSL3 Finished message
+ */
+#define SSL3_CLIENT_MSG "CLNT"
+#define SSL3_SERVER_MSG "SRVR"
+#define SSL_MSG_LEN 4
+static int
+_gnutls_ssl3_finished(gnutls_session_t session, int type, uint8_t * ret,
+ int sending)
+{
+ digest_hd_st td_md5;
+ digest_hd_st td_sha;
+ const char *mesg;
+ int rc, len;
+
+ if (sending)
+ len = session->internals.handshake_hash_buffer.length;
+ else
+ len = session->internals.handshake_hash_buffer_prev_len;
+
+ rc = _gnutls_hash_init(&td_sha, hash_to_entry(GNUTLS_DIG_SHA1));
+ if (rc < 0)
+ return gnutls_assert_val(rc);
+
+ rc = _gnutls_hash_init(&td_md5, hash_to_entry(GNUTLS_DIG_MD5));
+ if (rc < 0) {
+ _gnutls_hash_deinit(&td_sha, NULL);
+ return gnutls_assert_val(rc);
+ }
+
+ _gnutls_hash(&td_sha,
+ session->internals.handshake_hash_buffer.data, len);
+ _gnutls_hash(&td_md5,
+ session->internals.handshake_hash_buffer.data, len);
+
+ if (type == GNUTLS_SERVER)
+ mesg = SSL3_SERVER_MSG;
+ else
+ mesg = SSL3_CLIENT_MSG;
+
+ _gnutls_hash(&td_md5, mesg, SSL_MSG_LEN);
+ _gnutls_hash(&td_sha, mesg, SSL_MSG_LEN);
+
+ rc = _gnutls_mac_deinit_ssl3_handshake(&td_md5, ret,
+ session->security_parameters.
+ master_secret,
+ GNUTLS_MASTER_SIZE);
+ if (rc < 0) {
+ _gnutls_hash_deinit(&td_md5, NULL);
+ _gnutls_hash_deinit(&td_sha, NULL);
+ return gnutls_assert_val(rc);
+ }
+
+ rc = _gnutls_mac_deinit_ssl3_handshake(&td_sha, &ret[16],
+ session->security_parameters.
+ master_secret,
+ GNUTLS_MASTER_SIZE);
+ if (rc < 0) {
+ _gnutls_hash_deinit(&td_sha, NULL);
+ return gnutls_assert_val(rc);
+ }
+
+ return 0;
+}
+#endif
+
+/* Hash the handshake messages as required by TLS 1.0
+ */
+#define SERVER_MSG "server finished"
+#define CLIENT_MSG "client finished"
+#define TLS_MSG_LEN 15
+static int
+_gnutls_finished(gnutls_session_t session, int type, void *ret,
+ int sending)
+{
+ const int siz = TLS_MSG_LEN;
+ uint8_t concat[MAX_HASH_SIZE];
+ size_t hash_len;
+ const char *mesg;
+ int rc, len, algorithm;
+
+ if (sending)
+ len = session->internals.handshake_hash_buffer.length;
+ else
+ len = session->internals.handshake_hash_buffer_prev_len;
+
+ algorithm = session->security_parameters.prf->id;
+ rc = _gnutls_hash_fast(algorithm,
+ session->internals.
+ handshake_hash_buffer.data, len,
+ concat);
+ if (rc < 0)
+ return gnutls_assert_val(rc);
+
+ hash_len = session->security_parameters.prf->output_size;
+
+ if (type == GNUTLS_SERVER) {
+ mesg = SERVER_MSG;
+ } else {
+ mesg = CLIENT_MSG;
+ }
+
+ _gnutls_memory_mark_defined(session->security_parameters.master_secret,
+ GNUTLS_MASTER_SIZE);
+ rc = _gnutls_PRF(session,
+ session->security_parameters.master_secret,
+ GNUTLS_MASTER_SIZE, mesg, siz, concat, hash_len,
+ 12, ret);
+ if (rc < 0) {
+ _gnutls_memory_mark_undefined(session->security_parameters.master_secret,
+ GNUTLS_MASTER_SIZE);
+ }
+ return rc;
+}
+
+
+/* returns the 0 on success or a negative error code.
+ */
+int
+_gnutls_negotiate_version(gnutls_session_t session,
+ uint8_t major, uint8_t minor, unsigned allow_tls13)
+{
+ const version_entry_st *vers;
+ const version_entry_st *aversion = nversion_to_entry(major, minor);
+
+ /* if we do not support that version, unless that version is TLS 1.2;
+ * TLS 1.2 is handled separately because it is always advertized under TLS 1.3 or later */
+ if (aversion == NULL ||
+ _gnutls_nversion_is_supported(session, major, minor) == 0) {
+
+ if (aversion && aversion->id == GNUTLS_TLS1_2) {
+ vers = _gnutls_version_max(session);
+ if (unlikely(vers == NULL))
+ return gnutls_assert_val(GNUTLS_E_NO_CIPHER_SUITES);
+
+ if (vers->id >= GNUTLS_TLS1_2) {
+ session->security_parameters.pversion = aversion;
+ return 0;
+ }
+ }
+
+ /* if we get an unknown/unsupported version, then fail if the version we
+ * got is too low to be supported */
+ if (!_gnutls_version_is_too_high(session, major, minor))
+ return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
+
+ /* If he requested something we do not support
+ * then we send him the highest we support.
+ */
+ vers = _gnutls_legacy_version_max(session);
+ if (vers == NULL) {
+ /* this check is not really needed.
+ */
+ gnutls_assert();
+ return GNUTLS_E_UNKNOWN_CIPHER_SUITE;
+ }
+
+ session->security_parameters.pversion = vers;
+
+ return 0;
+ } else {
+ session->security_parameters.pversion = aversion;
+
+ /* we do not allow TLS1.3 negotiation using this mechanism */
+ if (aversion->tls13_sem && !allow_tls13) {
+ vers = _gnutls_legacy_version_max(session);
+ session->security_parameters.pversion = vers;
+ }
+
+ return 0;
+ }
+}
+
+/* This function returns:
+ * - zero on success
+ * - GNUTLS_E_INT_RET_0 if GNUTLS_E_AGAIN || GNUTLS_E_INTERRUPTED were returned by the callback
+ * - a negative error code on other error
+ */
+int
+_gnutls_user_hello_func(gnutls_session_t session,
+ uint8_t major, uint8_t minor)
+{
+ int ret, sret = 0;
+ const version_entry_st *vers, *old_vers;
+ const version_entry_st *new_max;
+
+ if (session->internals.user_hello_func != NULL) {
+ ret = session->internals.user_hello_func(session);
+
+ if (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED) {
+ gnutls_assert();
+ sret = GNUTLS_E_INT_RET_0;
+ } else if (ret < 0) {
+ gnutls_assert();
+ return ret;
+ }
+
+ /* This callback is often used to switch the priority string of the
+ * server, and that includes switching version which we have already
+ * negotiated; note that this doesn't apply when resuming as the version
+ * negotiation is already complete. */
+ if (!session->internals.resumed) {
+ new_max = _gnutls_version_max(session);
+ old_vers = get_version(session);
+
+ if (!old_vers->tls13_sem || (new_max && !new_max->tls13_sem)) {
+#if GNUTLS_TLS_VERSION_MAX != GNUTLS_TLS1_3
+# error "Need to update the following logic"
+#endif
+ /* Here we need to renegotiate the version since the callee might
+ * have disabled some TLS versions. This logic does not cope for
+ * protocols later than TLS1.3 if they have the tls13_sem set */
+ ret = _gnutls_negotiate_version(session, major, minor, 0);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ vers = get_version(session);
+ if (old_vers != vers) {
+ /* at this point we need to regenerate the random value to
+ * avoid the peer detecting this session as a rollback
+ * attempt. */
+ ret = _gnutls_gen_server_random(session, vers->id);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+ }
+ }
+ }
+ }
+ return sret;
+}
+
+/* Associates the right credential types for the session, and
+ * performs sanity checks. */
+static int set_auth_types(gnutls_session_t session)
+{
+ const version_entry_st *ver = get_version(session);
+ gnutls_kx_algorithm_t kx;
+
+ /* sanity check:
+ * we see TLS1.3 negotiated but no key share was sent */
+ if (ver->tls13_sem) {
+ if (unlikely(!(session->internals.hsk_flags & HSK_PSK_KE_MODE_PSK) &&
+ !(session->internals.hsk_flags & HSK_KEY_SHARE_RECEIVED))) {
+ return gnutls_assert_val(GNUTLS_E_MISSING_EXTENSION);
+ }
+
+ /* Under TLS1.3 this returns a KX which matches the negotiated
+ * groups from the key shares; if we are resuming then the KX seen
+ * here doesn't match the original session. */
+ if (!session->internals.resumed)
+ kx = gnutls_kx_get(session);
+ else
+ kx = GNUTLS_KX_UNKNOWN;
+ } else {
+ /* TLS1.2 or earlier, kx is associated with ciphersuite */
+ kx = session->security_parameters.cs->kx_algorithm;
+ }
+
+ if (kx != GNUTLS_KX_UNKNOWN) {
+ session->security_parameters.server_auth_type = _gnutls_map_kx_get_cred(kx, 1);
+ session->security_parameters.client_auth_type = _gnutls_map_kx_get_cred(kx, 0);
+ } else if (unlikely(!session->internals.resumed)) {
+ /* Here we can only arrive if something we received
+ * prevented the session from completing. */
+ return gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
+ }
+
+ return 0;
+}
+
+/* Read a client hello packet.
+ * A client hello must be a known version client hello
+ * or version 2.0 client hello (only for compatibility
+ * since SSL version 2.0 is not supported).
+ */
+static int
+read_client_hello(gnutls_session_t session, uint8_t * data,
+ int datalen)
+{
+ uint8_t session_id_len;
+ int pos = 0, ret;
+ uint16_t suite_size, comp_size;
+ int ext_size;
+ int neg_version, sret = 0;
+ int len = datalen;
+ uint8_t major, minor;
+ uint8_t *suite_ptr, *comp_ptr, *session_id, *ext_ptr;
+ const version_entry_st *vers;
+
+ DECR_LEN(len, 2);
+ _gnutls_handshake_log("HSK[%p]: Client's version: %d.%d\n",
+ session, data[pos], data[pos + 1]);
+
+ major = data[pos];
+ minor = data[pos+1];
+
+ set_adv_version(session, major, minor);
+
+ ret = _gnutls_negotiate_version(session, major, minor, 0);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ vers = get_version(session);
+ if (vers == NULL)
+ return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
+
+ neg_version = vers->id;
+
+ pos += 2;
+
+ /* Read client random value.
+ */
+ DECR_LEN(len, GNUTLS_RANDOM_SIZE);
+ _gnutls_set_client_random(session, &data[pos]);
+
+ pos += GNUTLS_RANDOM_SIZE;
+
+ ret = _gnutls_gen_server_random(session, neg_version);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ session->security_parameters.timestamp = gnutls_time(NULL);
+
+ DECR_LEN(len, 1);
+ session_id_len = data[pos++];
+
+ /* RESUME SESSION
+ */
+ if (session_id_len > GNUTLS_MAX_SESSION_ID_SIZE) {
+ gnutls_assert();
+ return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
+ }
+ DECR_LEN(len, session_id_len);
+ session_id = &data[pos];
+ pos += session_id_len;
+
+ if (IS_DTLS(session)) {
+ int cookie_size;
+
+ DECR_LEN(len, 1);
+ cookie_size = data[pos++];
+ DECR_LEN(len, cookie_size);
+ pos += cookie_size;
+ }
+
+ /* move forward to extensions and store other vals */
+ DECR_LEN(len, 2);
+ suite_size = _gnutls_read_uint16(&data[pos]);
+ pos += 2;
+
+ if (suite_size == 0 || (suite_size % 2) != 0)
+ return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
+
+ suite_ptr = &data[pos];
+ DECR_LEN(len, suite_size);
+ pos += suite_size;
+
+ DECR_LEN(len, 1);
+ comp_size = data[pos++]; /* the number of compression methods */
+
+ if (comp_size == 0)
+ return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
+
+ comp_ptr = &data[pos];
+ DECR_LEN(len, comp_size);
+ pos += comp_size;
+
+ ext_ptr = &data[pos];
+ ext_size = len;
+
+ /* Parse only the mandatory to read extensions for resumption
+ * and version negotiation. We don't want to parse any other
+ * extensions since we don't want new extension values to override
+ * the resumed ones. */
+ ret =
+ _gnutls_parse_hello_extensions(session, GNUTLS_EXT_FLAG_CLIENT_HELLO,
+ GNUTLS_EXT_VERSION_NEG,
+ ext_ptr, ext_size);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ ret =
+ _gnutls_parse_hello_extensions(session, GNUTLS_EXT_FLAG_CLIENT_HELLO,
+ GNUTLS_EXT_MANDATORY,
+ ext_ptr, ext_size);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ vers = get_version(session);
+ if (unlikely(vers == NULL))
+ return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
+
+ if (!vers->tls13_sem) {
+ ret =
+ _gnutls_server_restore_session(session, session_id,
+ session_id_len);
+
+ if (session_id_len > 0)
+ session->internals.resumption_requested = 1;
+
+ if (ret == 0) { /* resumed using default TLS resumption! */
+ ret = _gnutls_server_select_suite(session, suite_ptr, suite_size, 1);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ ret = tls12_resume_copy_required_vals(session, 0);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ session->internals.resumed = true;
+
+ return _gnutls_user_hello_func(session, major, minor);
+ } else {
+ ret = _gnutls_generate_session_id(session->security_parameters.
+ session_id,
+ &session->security_parameters.
+ session_id_size);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ session->internals.resumed = false;
+ }
+ } else { /* TLS1.3 */
+ /* we echo client's session ID - length was checked previously */
+ assert(session_id_len <= GNUTLS_MAX_SESSION_ID_SIZE);
+ if (session_id_len > 0)
+ memcpy(session->security_parameters.session_id, session_id, session_id_len);
+ session->security_parameters.session_id_size = session_id_len;
+ }
+
+ /* Parse the extensions (if any)
+ *
+ * Unconditionally try to parse extensions; safe renegotiation uses them in
+ * sslv3 and higher, even though sslv3 doesn't officially support them.
+ */
+ ret = _gnutls_parse_hello_extensions(session, GNUTLS_EXT_FLAG_CLIENT_HELLO,
+ GNUTLS_EXT_APPLICATION,
+ ext_ptr, ext_size);
+ /* len is the rest of the parsed length */
+ if (ret < 0) {
+ gnutls_assert();
+ return ret;
+ }
+
+ /* we cache this error code */
+ sret = _gnutls_user_hello_func(session, major, minor);
+ if (sret < 0 && sret != GNUTLS_E_INT_RET_0) {
+ gnutls_assert();
+ return sret;
+ }
+
+ /* Session tickets are parsed in this point */
+ ret =
+ _gnutls_parse_hello_extensions(session, GNUTLS_EXT_FLAG_CLIENT_HELLO,
+ GNUTLS_EXT_TLS, ext_ptr, ext_size);
+ if (ret < 0) {
+ gnutls_assert();
+ return ret;
+ }
+
+ if (session->internals.hsk_flags & HSK_EARLY_DATA_ACCEPTED) {
+ const cipher_entry_st *ce;
+ const mac_entry_st *me;
+ record_parameters_st *params;
+
+ ce = cipher_to_entry(session->internals.
+ resumed_security_parameters.
+ cs->block_algorithm);
+ me = mac_to_entry(session->internals.
+ resumed_security_parameters.
+ cs->mac_algorithm);
+
+ ret = _gnutls_epoch_get(session, EPOCH_NEXT, &params);
+ if (ret < 0) {
+ return gnutls_assert_val(ret);
+ }
+
+ params->cipher = ce;
+ params->mac = me;
+
+ ret = _tls13_read_connection_state_init(session, STAGE_EARLY);
+ if (ret < 0) {
+ return gnutls_assert_val(ret);
+ }
+
+ _gnutls_epoch_bump(session);
+ ret = _gnutls_epoch_dup(session, EPOCH_READ_CURRENT);
+ if (ret < 0) {
+ return gnutls_assert_val(ret);
+ }
+ }
+
+ /* resumed by session_ticket extension */
+ if (!vers->tls13_sem && session->internals.resumed) {
+ session->internals.resumed_security_parameters.
+ max_record_recv_size =
+ session->security_parameters.max_record_recv_size;
+ session->internals.resumed_security_parameters.
+ max_record_send_size =
+ session->security_parameters.max_record_send_size;
+
+ ret = _gnutls_server_select_suite(session, suite_ptr, suite_size, 1);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ ret = tls12_resume_copy_required_vals(session, 1);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ /* to indicate to the client that the current session is resumed */
+ memcpy(session->security_parameters.session_id, session_id, session_id_len);
+ session->security_parameters.session_id_size = session_id_len;
+
+ return 0;
+ }
+
+ /* select an appropriate cipher suite (as well as certificate)
+ */
+ ret = _gnutls_server_select_suite(session, suite_ptr, suite_size, 0);
+ if (ret < 0) {
+ gnutls_assert();
+ return ret;
+ }
+
+ /* Only at this point we know the version we are actually going to use
+ * ("supported_versions" extension is parsed, user_hello_func is called,
+ * legacy version negotiation is done). */
+ vers = get_version(session);
+ if (unlikely(vers == NULL))
+ return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
+
+ if (_gnutls_version_priority(session, vers->id) < 0)
+ return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
+
+ _gnutls_handshake_log("HSK[%p]: Selected version %s\n", session, vers->name);
+
+ /* select appropriate compression method */
+ ret =
+ check_if_null_comp_present(session, comp_ptr,
+ comp_size);
+ if (ret < 0) {
+ gnutls_assert();
+ return ret;
+ }
+
+ /* call extensions that are intended to be parsed after the ciphersuite/cert
+ * are known. */
+ ret =
+ _gnutls_parse_hello_extensions(session, GNUTLS_EXT_FLAG_CLIENT_HELLO,
+ _GNUTLS_EXT_TLS_POST_CS, ext_ptr, ext_size);
+ if (ret < 0) {
+ gnutls_assert();
+ return ret;
+ }
+
+ /* Calculate TLS 1.3 Early Secret */
+ if (session->security_parameters.pversion->tls13_sem &&
+ !(session->internals.hsk_flags & HSK_PSK_SELECTED)) {
+ ret = _tls13_init_secret(session, NULL, 0);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+ }
+
+ ret = set_auth_types(session);
+ if (ret < 0) {
+ gnutls_assert();
+ return ret;
+ }
+
+ return sret;
+}
+
+/* This is to be called after sending CHANGE CIPHER SPEC packet
+ * and initializing encryption. This is the first encrypted message
+ * we send.
+ */
+int _gnutls_send_finished(gnutls_session_t session, int again)
+{
+ mbuffer_st *bufel;
+ uint8_t *data;
+ int ret;
+ size_t vdata_size = 0;
+ const version_entry_st *vers;
+
+ if (again == 0) {
+ bufel =
+ _gnutls_handshake_alloc(session,
+ MAX_VERIFY_DATA_SIZE);
+ if (bufel == NULL) {
+ gnutls_assert();
+ return GNUTLS_E_MEMORY_ERROR;
+ }
+ data = _mbuffer_get_udata_ptr(bufel);
+
+ vers = get_version(session);
+ if (unlikely(vers == NULL))
+ return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
+
+#ifdef ENABLE_SSL3
+ if (vers->id == GNUTLS_SSL3) {
+ ret =
+ _gnutls_ssl3_finished(session,
+ session->
+ security_parameters.
+ entity, data, 1);
+ _mbuffer_set_udata_size(bufel, 36);
+ } else { /* TLS 1.0+ */
+#endif
+ ret = _gnutls_finished(session,
+ session->
+ security_parameters.entity,
+ data, 1);
+ _mbuffer_set_udata_size(bufel, 12);
+#ifdef ENABLE_SSL3
+ }
+#endif
+
+ if (ret < 0) {
+ gnutls_assert();
+ return ret;
+ }
+
+ vdata_size = _mbuffer_get_udata_size(bufel);
+
+ ret =
+ _gnutls_ext_sr_finished(session, data, vdata_size, 0);
+ if (ret < 0) {
+ gnutls_assert();
+ return ret;
+ }
+
+ if ((!session->internals.resumed
+ && session->security_parameters.entity ==
+ GNUTLS_CLIENT)
+ || (session->internals.resumed
+ && session->security_parameters.entity ==
+ GNUTLS_SERVER)) {
+ /* if we are a client not resuming - or we are a server resuming */
+ _gnutls_handshake_log
+ ("HSK[%p]: recording tls-unique CB (send)\n",
+ session);
+ memcpy(session->internals.cb_tls_unique, data,
+ vdata_size);
+ session->internals.cb_tls_unique_len = vdata_size;
+ }
+
+ ret =
+ _gnutls_send_handshake(session, bufel,
+ GNUTLS_HANDSHAKE_FINISHED);
+ } else {
+ ret =
+ _gnutls_send_handshake(session, NULL,
+ GNUTLS_HANDSHAKE_FINISHED);
+ }
+
+ return ret;
+}
+
+/* This is to be called after sending our finished message. If everything
+ * went fine we have negotiated a secure connection
+ */
+int _gnutls_recv_finished(gnutls_session_t session)
+{
+ uint8_t data[MAX_VERIFY_DATA_SIZE], *vrfy;
+ gnutls_buffer_st buf;
+ int data_size;
+ int ret;
+ int vrfy_size;
+ const version_entry_st *vers = get_version(session);
+
+ if (unlikely(vers == NULL))
+ return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
+
+ ret =
+ _gnutls_recv_handshake(session, GNUTLS_HANDSHAKE_FINISHED,
+ 0, &buf);
+ if (ret < 0) {
+ gnutls_assert();
+ return ret;
+ }
+
+ vrfy = buf.data;
+ vrfy_size = buf.length;
+
+#ifdef ENABLE_SSL3
+ if (vers->id == GNUTLS_SSL3)
+ data_size = 36;
+ else
+#endif
+ data_size = 12;
+
+ if (vrfy_size != data_size) {
+ gnutls_assert();
+ ret = GNUTLS_E_ERROR_IN_FINISHED_PACKET;
+ goto cleanup;
+ }
+
+#ifdef ENABLE_SSL3
+ if (vers->id == GNUTLS_SSL3) {
+ ret =
+ _gnutls_ssl3_finished(session,
+ (session->security_parameters.
+ entity + 1) % 2, data, 0);
+ } else /* TLS 1.0+ */
+#endif
+ ret =
+ _gnutls_finished(session,
+ (session->security_parameters.entity +
+ 1) % 2, data, 0);
+
+ if (ret < 0) {
+ gnutls_assert();
+ goto cleanup;
+ }
+
+#if defined(FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION)
+ /* When fuzzying allow to proceed without verifying the handshake
+ * consistency */
+ (void) vrfy;
+# warning This is unsafe for production builds
+
+#else
+ if (memcmp(vrfy, data, data_size) != 0) {
+ gnutls_assert();
+ ret = GNUTLS_E_ERROR_IN_FINISHED_PACKET;
+ goto cleanup;
+ }
+#endif
+
+ ret = _gnutls_ext_sr_finished(session, data, data_size, 1);
+ if (ret < 0) {
+ gnutls_assert();
+ goto cleanup;
+ }
+
+ if ((session->internals.resumed
+ && session->security_parameters.entity == GNUTLS_CLIENT)
+ || (!session->internals.resumed
+ && session->security_parameters.entity == GNUTLS_SERVER)) {
+ /* if we are a client resuming - or we are a server not resuming */
+ _gnutls_handshake_log
+ ("HSK[%p]: recording tls-unique CB (recv)\n", session);
+ memcpy(session->internals.cb_tls_unique, data, data_size);
+ session->internals.cb_tls_unique_len = data_size;
+ }
+
+
+ cleanup:
+ _gnutls_buffer_clear(&buf);
+
+ return ret;
+}
+
+/* This selects the best supported ciphersuite from the given ones. Then
+ * it adds the suite to the session and performs some checks.
+ *
+ * When @scsv_only is non-zero only the available SCSVs are parsed
+ * and acted upon.
+ */
+int
+_gnutls_server_select_suite(gnutls_session_t session, uint8_t * data,
+ unsigned int datalen, unsigned scsv_only)
+{
+ int ret;
+ unsigned int i;
+ ciphersuite_list_st peer_clist;
+ const gnutls_cipher_suite_entry_st *selected;
+ gnutls_kx_algorithm_t kx;
+ int retval;
+ const version_entry_st *vers = get_version(session);
+
+ peer_clist.size = 0;
+
+ for (i = 0; i < datalen; i += 2) {
+ /* we support the TLS renegotiation SCSV, even if we are
+ * not under SSL 3.0, because openssl sends this SCSV
+ * on resumption unconditionally. */
+ /* TLS_RENEGO_PROTECTION_REQUEST = { 0x00, 0xff } */
+ if (session->internals.priorities->sr != SR_DISABLED &&
+ data[i] == GNUTLS_RENEGO_PROTECTION_REQUEST_MAJOR &&
+ data[i + 1] == GNUTLS_RENEGO_PROTECTION_REQUEST_MINOR) {
+ _gnutls_handshake_log
+ ("HSK[%p]: Received safe renegotiation CS\n",
+ session);
+ retval = _gnutls_ext_sr_recv_cs(session);
+ if (retval < 0) {
+ gnutls_assert();
+ return retval;
+ }
+ }
+
+ /* TLS_FALLBACK_SCSV */
+ if (data[i] == GNUTLS_FALLBACK_SCSV_MAJOR &&
+ data[i + 1] == GNUTLS_FALLBACK_SCSV_MINOR) {
+ const version_entry_st *max = _gnutls_version_max(session);
+
+ _gnutls_handshake_log
+ ("HSK[%p]: Received fallback CS\n",
+ session);
+
+ if (vers != max)
+ return gnutls_assert_val(GNUTLS_E_INAPPROPRIATE_FALLBACK);
+ } else if (!scsv_only) {
+ if (peer_clist.size < MAX_CIPHERSUITE_SIZE) {
+ peer_clist.entry[peer_clist.size] = ciphersuite_to_entry(&data[i]);
+ if (peer_clist.entry[peer_clist.size] != NULL)
+ peer_clist.size++;
+ }
+ }
+ }
+
+ if (scsv_only)
+ return 0;
+
+ ret = _gnutls_figure_common_ciphersuite(session, &peer_clist, &selected);
+ if (ret < 0) {
+ return gnutls_assert_val(ret);
+ }
+
+ _gnutls_handshake_log
+ ("HSK[%p]: Selected cipher suite: %s\n", session, selected->name);
+
+ ret = _gnutls_set_cipher_suite2(session, selected);
+ if (ret < 0) {
+ gnutls_assert();
+ return ret;
+ }
+
+ if (!vers->tls13_sem) {
+ /* check if the credentials (username, public key etc.) are ok
+ */
+ kx = selected->kx_algorithm;
+ if (_gnutls_get_kx_cred(session, kx) == NULL) {
+ gnutls_assert();
+ return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
+ }
+
+ /* set the mod_auth_st to the appropriate struct
+ * according to the KX algorithm. This is needed since all the
+ * handshake functions are read from there;
+ */
+ session->internals.auth_struct = _gnutls_kx_auth_struct(kx);
+ if (session->internals.auth_struct == NULL) {
+ _gnutls_handshake_log
+ ("HSK[%p]: Cannot find the appropriate handler for the KX algorithm\n",
+ session);
+ gnutls_assert();
+ return GNUTLS_E_INTERNAL_ERROR;
+ }
+ }
+
+ return 0;
+
+}
+
+
+/* This checks whether the null compression method is present.
+ */
+static int
+check_if_null_comp_present(gnutls_session_t session,
+ uint8_t * data, int datalen)
+{
+ int j;
+
+ for (j = 0; j < datalen; j++) {
+ if (data[j] == 0)
+ return 0;
+ }
+
+ /* we were not able to find a the NULL compression
+ * algorithm
+ */
+ gnutls_assert();
+ return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM;
+
+}
+
+/* This function sends an empty handshake packet. (like hello request).
+ * If the previous _gnutls_send_empty_handshake() returned
+ * GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED, then it must be called again
+ * (until it returns ok), with NULL parameters.
+ */
+static int
+_gnutls_send_empty_handshake(gnutls_session_t session,
+ gnutls_handshake_description_t type,
+ int again)
+{
+ mbuffer_st *bufel;
+
+ if (again == 0) {
+ bufel = _gnutls_handshake_alloc(session, 0);
+ if (bufel == NULL) {
+ gnutls_assert();
+ return GNUTLS_E_MEMORY_ERROR;
+ }
+ } else
+ bufel = NULL;
+
+ return _gnutls_send_handshake(session, bufel, type);
+}
+
+int _gnutls_call_hook_func(gnutls_session_t session,
+ gnutls_handshake_description_t type,
+ int post, unsigned incoming,
+ const uint8_t *data, unsigned data_size)
+{
+ gnutls_datum_t msg = {(void*)data, data_size};
+
+ if (session->internals.h_hook != NULL) {
+ if ((session->internals.h_type == type
+ || session->internals.h_type == GNUTLS_HANDSHAKE_ANY)
+ && (session->internals.h_post == post
+ || session->internals.h_post == GNUTLS_HOOK_BOTH)) {
+
+ /* internal API for testing: when we are expected to
+ * wait for GNUTLS_HANDSHAKE_CHANGE_CIPHER_SPEC, we
+ * do so, but not when doing for all messages. The
+ * reason is that change cipher specs are not handshake
+ * messages, and we don't support waiting for them
+ * consistently (only sending is tracked, not receiving).
+ */
+ if (type == GNUTLS_HANDSHAKE_CHANGE_CIPHER_SPEC &&
+ session->internals.h_type != GNUTLS_HANDSHAKE_CHANGE_CIPHER_SPEC)
+ return 0;
+
+ return session->internals.h_hook(session, type,
+ post, incoming, &msg);
+ }
+ }
+ return 0;
+}
+
+/* Note that the "New session ticket" handshake packet behaves differently under
+ * TLS 1.2 or 1.3. In 1.2 it is included in the handshake process, while in 1.3
+ * it is sent asynchronously */
+#define IS_ASYNC(t, v) \
+ (t == GNUTLS_HANDSHAKE_HELLO_REQUEST || t == GNUTLS_HANDSHAKE_KEY_UPDATE || \
+ (t == GNUTLS_HANDSHAKE_NEW_SESSION_TICKET && v->tls13_sem))
+
+int
+_gnutls_send_handshake(gnutls_session_t session, mbuffer_st * bufel,
+ gnutls_handshake_description_t type)
+{
+ return _gnutls_send_handshake2(session, bufel, type, 0);
+}
+
+/* This function sends a handshake message of type 'type' containing the
+ * data specified here. If the previous _gnutls_send_handshake() returned
+ * GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED, then it must be called again
+ * (until it returns ok), with NULL parameters.
+ */
+int
+_gnutls_send_handshake2(gnutls_session_t session, mbuffer_st * bufel,
+ gnutls_handshake_description_t type, unsigned queue_only)
+{
+ int ret;
+ uint8_t *data;
+ uint32_t datasize, i_datasize;
+ int pos = 0;
+ const version_entry_st *vers = get_version(session);
+
+ if (bufel == NULL) {
+ /* we are resuming a previously interrupted
+ * send.
+ */
+ ret = _gnutls_handshake_io_write_flush(session);
+ return ret;
+
+ }
+
+ /* first run */
+ data = _mbuffer_get_uhead_ptr(bufel);
+ i_datasize = _mbuffer_get_udata_size(bufel);
+ datasize = i_datasize + _mbuffer_get_uhead_size(bufel);
+
+ data[pos++] = (uint8_t) REAL_HSK_TYPE(type);
+ _gnutls_write_uint24(_mbuffer_get_udata_size(bufel), &data[pos]);
+ pos += 3;
+
+ /* Add DTLS handshake fragment headers. The message will be
+ * fragmented later by the fragmentation sub-layer. All fields must
+ * be set properly for HMAC. The HMAC requires we pretend that the
+ * message was sent in a single fragment. */
+ if (IS_DTLS(session)) {
+ _gnutls_write_uint16(session->internals.dtls.
+ hsk_write_seq++, &data[pos]);
+ pos += 2;
+
+ /* Fragment offset */
+ _gnutls_write_uint24(0, &data[pos]);
+ pos += 3;
+
+ /* Fragment length */
+ _gnutls_write_uint24(i_datasize, &data[pos]);
+ /* pos += 3; */
+ }
+
+ _gnutls_handshake_log("HSK[%p]: %s was queued [%ld bytes]\n",
+ session, _gnutls_handshake2str(type),
+ (long) datasize);
+
+ /* Here we keep the handshake messages in order to hash them...
+ */
+ if (!IS_ASYNC(type, vers)) {
+ if ((ret =
+ handshake_hash_add_sent(session, type, data,
+ datasize)) < 0) {
+ gnutls_assert();
+ _mbuffer_xfree(&bufel);
+ return ret;
+ }
+ /* If we are sending a PSK, generate early secrets here.
+ * This cannot be done in pre_shared_key.c, because it
+ * relies on transcript hash of a Client Hello. */
+ if (type == GNUTLS_HANDSHAKE_CLIENT_HELLO &&
+ session->key.binders[0].prf != NULL) {
+ ret = _gnutls_generate_early_secrets_for_psk(session);
+ if (ret < 0) {
+ gnutls_assert();
+ _mbuffer_xfree(&bufel);
+ return ret;
+ }
+ }
+ }
+
+ ret = _gnutls_call_hook_func(session, type, GNUTLS_HOOK_PRE, 0,
+ _mbuffer_get_udata_ptr(bufel), _mbuffer_get_udata_size(bufel));
+ if (ret < 0) {
+ gnutls_assert();
+ _mbuffer_xfree(&bufel);
+ return ret;
+ }
+
+ session->internals.last_handshake_out = type;
+
+ ret = _gnutls_handshake_io_cache_int(session, type, bufel);
+ if (ret < 0) {
+ _mbuffer_xfree(&bufel);
+ gnutls_assert();
+ return ret;
+ }
+
+ ret = _gnutls_call_hook_func(session, type, GNUTLS_HOOK_POST, 0,
+ _mbuffer_get_udata_ptr(bufel), _mbuffer_get_udata_size(bufel));
+ if (ret < 0) {
+ gnutls_assert();
+ return ret;
+ }
+
+ if (queue_only)
+ return 0;
+
+ /* Decide when to cache and when to send */
+ if (vers && vers->tls13_sem) {
+
+ if (session->internals.initial_negotiation_completed) {
+ /* we are under TLS1.3 in a re-authentication phase.
+ * we don't attempt to cache any messages */
+ goto force_send;
+ }
+
+ /* The messages which are followed by another are not sent by default
+ * but are cached instead */
+ switch (type) {
+ case GNUTLS_HANDSHAKE_SERVER_HELLO: /* always followed by something */
+ case GNUTLS_HANDSHAKE_ENCRYPTED_EXTENSIONS: /* followed by finished or cert */
+ case GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST: /* followed by certificate */
+ case GNUTLS_HANDSHAKE_CERTIFICATE_PKT: /* this one is followed by cert verify */
+ case GNUTLS_HANDSHAKE_COMPRESSED_CERTIFICATE_PKT: /* as above */
+ case GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY: /* followed by finished */
+ ret = 0; /* cache */
+ break;
+ default:
+ /* send this and any cached messages */
+ goto force_send;
+ }
+ } else {
+ /* The messages which are followed by another are not sent by default
+ * but are cached instead */
+ switch (type) {
+ case GNUTLS_HANDSHAKE_CERTIFICATE_PKT: /* this one is followed by ServerHelloDone
+ * or ClientKeyExchange always.
+ */
+ case GNUTLS_HANDSHAKE_COMPRESSED_CERTIFICATE_PKT: /* as above */
+ case GNUTLS_HANDSHAKE_CERTIFICATE_STATUS:
+ case GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE: /* as above */
+ case GNUTLS_HANDSHAKE_SERVER_HELLO: /* as above */
+ case GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST: /* as above */
+ case GNUTLS_HANDSHAKE_NEW_SESSION_TICKET: /* followed by ChangeCipherSpec */
+
+ /* now for client Certificate, ClientKeyExchange and
+ * CertificateVerify are always followed by ChangeCipherSpec
+ */
+ case GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY:
+ case GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE:
+ ret = 0;
+ break;
+ default:
+ /* send this and any cached messages */
+ goto force_send;
+ }
+ }
+
+ return ret;
+
+ force_send:
+ return _gnutls_handshake_io_write_flush(session);
+}
+
+#define CHECK_SIZE(ll) \
+ if ((session->internals.max_handshake_data_buffer_size > 0) && \
+ (((ll) + session->internals.handshake_hash_buffer.length) > \
+ session->internals.max_handshake_data_buffer_size)) { \
+ _gnutls_debug_log("Handshake buffer length is %u (max: %u)\n", (unsigned)((ll) + session->internals.handshake_hash_buffer.length), (unsigned)session->internals.max_handshake_data_buffer_size); \
+ return gnutls_assert_val(GNUTLS_E_HANDSHAKE_TOO_LARGE); \
+ }
+
+
+/* This function add the handshake headers and the
+ * handshake data to the handshake hash buffers. Needed
+ * for the finished messages calculations.
+ */
+static int
+handshake_hash_add_recvd(gnutls_session_t session,
+ gnutls_handshake_description_t recv_type,
+ uint8_t * header, uint16_t header_size,
+ uint8_t * dataptr, uint32_t datalen)
+{
+ int ret;
+ const version_entry_st *vers = get_version(session);
+
+ if (unlikely(vers == NULL))
+ return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
+
+ if ((vers->id != GNUTLS_DTLS0_9 &&
+ recv_type == GNUTLS_HANDSHAKE_HELLO_VERIFY_REQUEST) ||
+ IS_ASYNC(recv_type, vers))
+ return 0;
+
+ CHECK_SIZE(header_size + datalen);
+
+ session->internals.handshake_hash_buffer_prev_len =
+ session->internals.handshake_hash_buffer.length;
+
+ if (vers->id != GNUTLS_DTLS0_9) {
+ ret =
+ _gnutls_buffer_append_data(&session->internals.
+ handshake_hash_buffer,
+ header, header_size);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+ }
+ if (datalen > 0) {
+ ret =
+ _gnutls_buffer_append_data(&session->internals.
+ handshake_hash_buffer,
+ dataptr, datalen);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+ }
+
+ /* save the size until client KX. That is because the TLS
+ * session hash is calculated up to this message.
+ */
+ if (recv_type == GNUTLS_HANDSHAKE_CLIENT_HELLO)
+ session->internals.handshake_hash_buffer_client_hello_len =
+ session->internals.handshake_hash_buffer.length;
+ if (recv_type == GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE)
+ session->internals.handshake_hash_buffer_client_kx_len =
+ session->internals.handshake_hash_buffer.length;
+ if (recv_type == GNUTLS_HANDSHAKE_FINISHED && session->security_parameters.entity == GNUTLS_CLIENT)
+ session->internals.handshake_hash_buffer_server_finished_len =
+ session->internals.handshake_hash_buffer.length;
+ if (recv_type == GNUTLS_HANDSHAKE_FINISHED && session->security_parameters.entity == GNUTLS_SERVER)
+ session->internals.handshake_hash_buffer_client_finished_len =
+ session->internals.handshake_hash_buffer.length;
+
+ return 0;
+}
+
+/* This function will store the handshake message we sent.
+ */
+static int
+handshake_hash_add_sent(gnutls_session_t session,
+ gnutls_handshake_description_t type,
+ uint8_t * dataptr, uint32_t datalen)
+{
+ int ret;
+ const version_entry_st *vers = get_version(session);
+
+ if (unlikely(vers == NULL))
+ return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
+
+ if (IS_ASYNC(type, vers))
+ return 0;
+
+ CHECK_SIZE(datalen);
+
+ if (vers->id == GNUTLS_DTLS0_9) {
+ /* Old DTLS doesn't include the header in the MAC */
+ if (datalen < 12) {
+ gnutls_assert();
+ return GNUTLS_E_INTERNAL_ERROR;
+ }
+ dataptr += 12;
+ datalen -= 12;
+
+ if (datalen == 0)
+ return 0;
+ }
+
+ ret =
+ _gnutls_buffer_append_data(&session->internals.
+ handshake_hash_buffer,
+ dataptr, datalen);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ if (type == GNUTLS_HANDSHAKE_CLIENT_HELLO)
+ session->internals.handshake_hash_buffer_client_hello_len =
+ session->internals.handshake_hash_buffer.length;
+ if (type == GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE)
+ session->internals.handshake_hash_buffer_client_kx_len =
+ session->internals.handshake_hash_buffer.length;
+ if (type == GNUTLS_HANDSHAKE_FINISHED && session->security_parameters.entity == GNUTLS_SERVER)
+ session->internals.handshake_hash_buffer_server_finished_len =
+ session->internals.handshake_hash_buffer.length;
+ if (type == GNUTLS_HANDSHAKE_FINISHED && session->security_parameters.entity == GNUTLS_CLIENT)
+ session->internals.handshake_hash_buffer_client_finished_len =
+ session->internals.handshake_hash_buffer.length;
+
+ return 0;
+}
+
+/* This function will receive handshake messages of the given types,
+ * and will pass the message to the right place in order to be processed.
+ * E.g. for the SERVER_HELLO message (if it is expected), it will be
+ * passed to _gnutls_recv_hello().
+ */
+int
+_gnutls_recv_handshake(gnutls_session_t session,
+ gnutls_handshake_description_t type,
+ unsigned int optional, gnutls_buffer_st * buf)
+{
+ int ret, ret2;
+ handshake_buffer_st hsk;
+
+ ret = _gnutls_handshake_io_recv_int(session, type, &hsk, optional);
+ if (ret < 0) {
+ if (optional != 0
+ && ret == GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET) {
+ if (buf)
+ _gnutls_buffer_init(buf);
+ return 0;
+ }
+
+ return gnutls_assert_val_fatal(ret);
+ }
+ session->internals.last_handshake_in = hsk.htype;
+
+ ret = _gnutls_call_hook_func(session, hsk.htype, GNUTLS_HOOK_PRE, 1, hsk.data.data, hsk.data.length);
+ if (ret < 0) {
+ gnutls_assert();
+ goto cleanup;
+ }
+
+ ret = handshake_hash_add_recvd(session, hsk.rtype,
+ hsk.header, hsk.header_size,
+ hsk.data.data,
+ hsk.data.length);
+ if (ret < 0) {
+ gnutls_assert();
+ goto cleanup;
+ }
+
+ switch (hsk.htype) {
+ case GNUTLS_HANDSHAKE_CLIENT_HELLO_V2:
+ case GNUTLS_HANDSHAKE_CLIENT_HELLO:
+ if (!(IS_SERVER(session))) {
+ ret = gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET);
+ goto cleanup;
+ }
+
+#ifdef ENABLE_SSL2
+ if (hsk.htype == GNUTLS_HANDSHAKE_CLIENT_HELLO_V2)
+ ret =
+ _gnutls_read_client_hello_v2(session,
+ hsk.data.data,
+ hsk.data.length);
+ else
+#endif
+ {
+ /* Reference the full ClientHello in case an extension needs it */
+ ret = _gnutls_ext_set_full_client_hello(session, &hsk);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ ret = read_client_hello(session, hsk.data.data,
+ hsk.data.length);
+ }
+
+ if (ret < 0) {
+ gnutls_assert();
+ goto cleanup;
+ }
+
+ break;
+
+ case GNUTLS_HANDSHAKE_SERVER_HELLO:
+ if (IS_SERVER(session)) {
+ ret = gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET);
+ goto cleanup;
+ }
+
+ ret = read_server_hello(session, hsk.data.data,
+ hsk.data.length);
+
+ if (ret < 0) {
+ gnutls_assert();
+ goto cleanup;
+ }
+
+ break;
+ case GNUTLS_HANDSHAKE_HELLO_VERIFY_REQUEST:
+ if (IS_SERVER(session)) {
+ ret = gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET);
+ goto cleanup;
+ }
+
+ ret =
+ recv_hello_verify_request(session,
+ hsk.data.data,
+ hsk.data.length);
+ if (ret < 0) {
+ gnutls_assert();
+ goto cleanup;
+ } else {
+ /* Signal our caller we have received a verification cookie
+ and ClientHello needs to be sent again. */
+ ret = 1;
+ }
+
+ break;
+ case GNUTLS_HANDSHAKE_HELLO_RETRY_REQUEST: {
+ /* hash buffer synth message is generated during hello retry parsing */
+ gnutls_datum_t hrr = {hsk.data.data, hsk.data.length};
+
+ if (IS_SERVER(session)) {
+ ret = gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET);
+ goto cleanup;
+ }
+
+ ret =
+ _gnutls13_recv_hello_retry_request(session,
+ &hsk.data);
+ if (ret < 0) {
+ gnutls_assert();
+ goto cleanup;
+ } else {
+ /* during hello retry parsing, we reset handshake hash buffer,
+ * re-add this message */
+ ret = handshake_hash_add_recvd(session, hsk.htype,
+ hsk.header, hsk.header_size,
+ hrr.data,
+ hrr.size);
+ if (ret < 0) {
+ gnutls_assert();
+ goto cleanup;
+ }
+
+ /* Signal our caller we have received a retry request
+ and ClientHello needs to be sent again. */
+ ret = 1;
+ }
+
+ break;
+ }
+ case GNUTLS_HANDSHAKE_SERVER_HELLO_DONE:
+ if (hsk.data.length == 0)
+ ret = 0;
+ else {
+ gnutls_assert();
+ ret = GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
+ goto cleanup;
+ }
+ break;
+ case GNUTLS_HANDSHAKE_CERTIFICATE_PKT:
+ case GNUTLS_HANDSHAKE_COMPRESSED_CERTIFICATE_PKT:
+ case GNUTLS_HANDSHAKE_CERTIFICATE_STATUS:
+ case GNUTLS_HANDSHAKE_FINISHED:
+ case GNUTLS_HANDSHAKE_ENCRYPTED_EXTENSIONS:
+ case GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE:
+ case GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE:
+ case GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST:
+ case GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY:
+ case GNUTLS_HANDSHAKE_SUPPLEMENTAL:
+ case GNUTLS_HANDSHAKE_NEW_SESSION_TICKET:
+ case GNUTLS_HANDSHAKE_END_OF_EARLY_DATA:
+ ret = hsk.data.length;
+ break;
+ default:
+ gnutls_assert();
+ /* we shouldn't actually arrive here in any case .
+ * unexpected messages should be caught after _gnutls_handshake_io_recv_int()
+ */
+ ret = GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET;
+ goto cleanup;
+ }
+
+ ret2 = _gnutls_call_hook_func(session, hsk.htype, GNUTLS_HOOK_POST, 1, hsk.data.data, hsk.data.length);
+ if (ret2 < 0) {
+ ret = ret2;
+ gnutls_assert();
+ goto cleanup;
+ }
+
+ if (buf) {
+ *buf = hsk.data;
+ return ret;
+ }
+
+ cleanup:
+ _gnutls_handshake_buffer_clear(&hsk);
+ return ret;
+}
+
+/* This function checks if the given cipher suite is supported, and sets it
+ * to the session;
+ */
+static int
+set_client_ciphersuite(gnutls_session_t session, uint8_t suite[2])
+{
+ unsigned j;
+ int ret;
+ const gnutls_cipher_suite_entry_st *selected = NULL;
+ const version_entry_st *vers = get_version(session);
+ gnutls_kx_algorithm_t kx;
+
+ for (j = 0; j < session->internals.priorities->cs.size; j++) {
+ if (suite[0] == session->internals.priorities->cs.entry[j]->id[0] &&
+ suite[1] == session->internals.priorities->cs.entry[j]->id[1]) {
+ selected = session->internals.priorities->cs.entry[j];
+ break;
+ }
+ }
+
+ if (!selected) {
+ gnutls_assert();
+ _gnutls_handshake_log
+ ("HSK[%p]: unsupported cipher suite %.2X.%.2X was negotiated\n",
+ session, (unsigned int) suite[0],
+ (unsigned int) suite[1]);
+ return GNUTLS_E_UNKNOWN_CIPHER_SUITE;
+ }
+
+ ret = _gnutls_set_cipher_suite2(session, selected);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ _gnutls_handshake_log("HSK[%p]: Selected cipher suite: %s\n",
+ session,
+ selected->name);
+
+ /* check if the credentials (username, public key etc.) are ok.
+ * Actually checks if they exist.
+ */
+ if (!vers->tls13_sem) {
+ kx = selected->kx_algorithm;
+
+ if (!session->internals.premaster_set &&
+ _gnutls_get_kx_cred
+ (session, kx) == NULL) {
+ gnutls_assert();
+ return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
+ }
+
+ /* set the mod_auth_st to the appropriate struct
+ * according to the KX algorithm. This is needed since all the
+ * handshake functions are read from there;
+ */
+ session->internals.auth_struct =
+ _gnutls_kx_auth_struct(kx);
+
+ if (session->internals.auth_struct == NULL) {
+ _gnutls_handshake_log
+ ("HSK[%p]: Cannot find the appropriate handler for the KX algorithm\n",
+ session);
+ gnutls_assert();
+ return GNUTLS_E_INTERNAL_ERROR;
+ }
+ } else {
+ if (session->internals.hsk_flags & HSK_PSK_SELECTED) {
+ if (session->key.binders[0].prf->id != selected->prf) {
+ _gnutls_handshake_log
+ ("HSK[%p]: PRF of ciphersuite differs with the PSK identity (cs: %s, id: %s)\n",
+ session, selected->name, session->key.binders[0].prf->name);
+ gnutls_assert();
+ return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
+ }
+ }
+ }
+
+ return 0;
+}
+
+/* This function returns 0 if we are resuming a session or -1 otherwise.
+ * This also sets the variables in the session. Used only while reading a server
+ * hello. Only applicable to TLS1.2 or earlier.
+ */
+static int
+client_check_if_resuming(gnutls_session_t session,
+ uint8_t * session_id, int session_id_len)
+{
+ char buf[2 * GNUTLS_MAX_SESSION_ID_SIZE + 1];
+ int ret;
+
+ _gnutls_handshake_log("HSK[%p]: SessionID length: %d\n", session,
+ session_id_len);
+ _gnutls_handshake_log("HSK[%p]: SessionID: %s\n", session,
+ _gnutls_bin2hex(session_id, session_id_len,
+ buf, sizeof(buf), NULL));
+
+ if ((session->internals.resumption_requested != 0 ||
+ session->internals.premaster_set != 0) &&
+ session_id_len > 0 &&
+ session->internals.resumed_security_parameters.
+ session_id_size == session_id_len
+ && memcmp(session_id,
+ session->internals.resumed_security_parameters.
+ session_id, session_id_len) == 0) {
+ /* resume session */
+ memcpy(session->internals.resumed_security_parameters.
+ server_random,
+ session->security_parameters.server_random,
+ GNUTLS_RANDOM_SIZE);
+ memcpy(session->internals.resumed_security_parameters.
+ client_random,
+ session->security_parameters.client_random,
+ GNUTLS_RANDOM_SIZE);
+
+ ret = _gnutls_set_cipher_suite2
+ (session,
+ session->internals.resumed_security_parameters.
+ cs);
+ if (ret < 0) {
+ gnutls_assert();
+ goto no_resume;
+ }
+
+ session->internals.resumed = true; /* we are resuming */
+
+ return 0;
+ } else {
+no_resume:
+ /* keep the new session id */
+ session->internals.resumed = false; /* we are not resuming */
+ return -1;
+ }
+}
+
+
+/* This function reads and parses the server hello handshake message.
+ * This function also restores resumed parameters if we are resuming a
+ * session.
+ */
+static int
+read_server_hello(gnutls_session_t session,
+ uint8_t * data, int datalen)
+{
+ uint8_t session_id_len = 0;
+ uint8_t *session_id;
+ uint8_t *cs_pos, *comp_pos, *srandom_pos;
+ uint8_t major, minor;
+ int pos = 0;
+ int ret;
+ int len = datalen;
+ unsigned ext_parse_flag = 0;
+ const version_entry_st *vers, *saved_vers;
+
+ if (datalen < GNUTLS_RANDOM_SIZE+2) {
+ gnutls_assert();
+ return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
+ }
+
+ _gnutls_handshake_log("HSK[%p]: Server's version: %d.%d\n",
+ session, data[pos], data[pos + 1]);
+
+ DECR_LEN(len, 2);
+ major = data[pos];
+ minor = data[pos+1];
+
+ saved_vers = get_version(session); /* will be non-null if HRR has been received */
+
+ vers = nversion_to_entry(major, minor);
+ if (unlikely(vers == NULL))
+ return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
+
+ if (vers->tls13_sem) /* that shouldn't have been negotiated here */
+ return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
+
+ if (_gnutls_set_current_version(session, vers->id) < 0)
+ return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
+
+ pos += 2;
+
+ DECR_LEN(len, GNUTLS_RANDOM_SIZE);
+ srandom_pos = &data[pos];
+ pos += GNUTLS_RANDOM_SIZE;
+
+ /* Read session ID
+ */
+ DECR_LEN(len, 1);
+ session_id_len = data[pos++];
+
+ if (len < session_id_len || session_id_len > GNUTLS_MAX_SESSION_ID_SIZE) {
+ gnutls_assert();
+ return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
+ }
+ DECR_LEN(len, session_id_len);
+ session_id = &data[pos];
+ pos += session_id_len;
+
+ DECR_LEN(len, 2);
+ cs_pos = &data[pos];
+ pos += 2;
+
+ /* move to compression
+ */
+ DECR_LEN(len, 1);
+ comp_pos = &data[pos];
+ pos++;
+
+ /* parse extensions to figure version */
+ ret =
+ _gnutls_parse_hello_extensions(session, GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO|
+ GNUTLS_EXT_FLAG_TLS13_SERVER_HELLO,
+ GNUTLS_EXT_VERSION_NEG,
+ &data[pos], len);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ vers = get_version(session);
+ if (unlikely(vers == NULL))
+ return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
+ if (vers->tls13_sem) {
+ if (major != 0x03 || minor != 0x03)
+ return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
+ }
+
+ if (_gnutls_nversion_is_supported(session, vers->major, vers->minor) == 0)
+ return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
+
+ /* set server random - done after final version is selected */
+ ret = _gnutls_set_server_random(session, vers, srandom_pos);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ /* reset keys and binders if we are not using TLS 1.3 */
+ if (!vers->tls13_sem) {
+ gnutls_memset(&session->key.proto.tls13, 0,
+ sizeof(session->key.proto.tls13));
+ reset_binders(session);
+ }
+
+ /* check if we are resuming and set the appropriate
+ * values;
+ */
+ if (!vers->tls13_sem &&
+ client_check_if_resuming(session, session_id, session_id_len) == 0) {
+ ret =
+ _gnutls_parse_hello_extensions(session, GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO,
+ GNUTLS_EXT_MANDATORY,
+ &data[pos], len);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ return 0;
+ } else {
+ session->security_parameters.session_id_size = session_id_len;
+ if (session_id_len > 0)
+ memcpy(session->security_parameters.session_id, session_id,
+ session_id_len);
+ }
+
+ /* Check if the given cipher suite is supported and copy
+ * it to the session.
+ */
+ ret = set_client_ciphersuite(session, cs_pos);
+ if (ret < 0) {
+ gnutls_assert();
+ return ret;
+ }
+
+ if (session->internals.hsk_flags & HSK_HRR_RECEIVED) {
+ /* check if ciphersuite matches */
+ if (memcmp(cs_pos, session->internals.hrr_cs, 2) != 0)
+ return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
+
+ /* check if HRR version matches this version */
+ if (vers != saved_vers)
+ return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
+ }
+
+ if (*comp_pos != 0)
+ return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
+
+ if (vers->tls13_sem)
+ ext_parse_flag |= GNUTLS_EXT_FLAG_TLS13_SERVER_HELLO;
+ else
+ ext_parse_flag |= GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO;
+
+ /* Parse extensions in order.
+ */
+ ret =
+ _gnutls_parse_hello_extensions(session,
+ ext_parse_flag,
+ GNUTLS_EXT_MANDATORY,
+ &data[pos], len);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ /* check if EtM is required */
+ if (!vers->tls13_sem && session->internals.priorities->force_etm && !session->security_parameters.etm) {
+ const cipher_entry_st *cipher = cipher_to_entry(session->security_parameters.cs->block_algorithm);
+ if (_gnutls_cipher_type(cipher) == CIPHER_BLOCK)
+ return gnutls_assert_val(GNUTLS_E_UNWANTED_ALGORITHM);
+ }
+
+
+ ret =
+ _gnutls_parse_hello_extensions(session,
+ ext_parse_flag,
+ GNUTLS_EXT_APPLICATION,
+ &data[pos], len);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ ret =
+ _gnutls_parse_hello_extensions(session,
+ ext_parse_flag,
+ GNUTLS_EXT_TLS,
+ &data[pos], len);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ ret =
+ _gnutls_parse_hello_extensions(session,
+ ext_parse_flag,
+ _GNUTLS_EXT_TLS_POST_CS,
+ &data[pos], len);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ /* Calculate TLS 1.3 Early Secret */
+ if (vers->tls13_sem &&
+ !(session->internals.hsk_flags & HSK_PSK_SELECTED)) {
+ ret = _tls13_init_secret(session, NULL, 0);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+ }
+
+ ret = set_auth_types(session);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ session->internals.hsk_flags |= HSK_SERVER_HELLO_RECEIVED;
+
+ return 0;
+}
+
+/* This function copies the appropriate compression methods, to a locally allocated buffer
+ * Needed in hello messages. Returns the new data length.
+ */
+static int
+append_null_comp(gnutls_session_t session,
+ gnutls_buffer_st * cdata)
+{
+ uint8_t compression_methods[2] = {0x01, 0x00};
+ size_t init_length = cdata->length;
+ int ret;
+
+ ret =
+ _gnutls_buffer_append_data(cdata, compression_methods, 2);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ ret = cdata->length - init_length;
+
+ return ret;
+}
+
+/* This function sends the client hello handshake message.
+ */
+static int send_client_hello(gnutls_session_t session, int again)
+{
+ mbuffer_st *bufel = NULL;
+ int type;
+ int ret = 0;
+ const version_entry_st *hver, *min_ver, *max_ver;
+ uint8_t tver[2];
+ gnutls_buffer_st extdata;
+ bool rehandshake = false;
+ bool resuming = false;
+ unsigned add_sr_scsv = 0;
+ uint8_t *session_id =
+ session->internals.resumed_security_parameters.session_id;
+ uint8_t session_id_len =
+ session->internals.resumed_security_parameters.session_id_size;
+
+ if (again == 0) {
+ /* note that rehandshake is different than resuming
+ */
+ if (session->internals.initial_negotiation_completed)
+ rehandshake = true;
+
+ ret = _gnutls_buffer_init_handshake_mbuffer(&extdata);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ /* if we are resuming a session then we set the
+ * version number to the previously established.
+ */
+ if (session->internals.resumption_requested == 0 &&
+ session->internals.premaster_set == 0) {
+ if (rehandshake) /* already negotiated version thus version_max == negotiated version */
+ hver = get_version(session);
+ else /* new handshake. just get the max */
+ hver = _gnutls_legacy_version_max(session);
+ } else {
+ /* we are resuming a session */
+ resuming = true;
+
+ hver =
+ session->internals.resumed_security_parameters.
+ pversion;
+
+ if (hver && hver->tls13_sem)
+ hver = _gnutls_legacy_version_max(session);
+ }
+
+ if (hver == NULL) {
+ gnutls_assert();
+ if (session->internals.flags & INT_FLAG_NO_TLS13)
+ ret = GNUTLS_E_INSUFFICIENT_CREDENTIALS;
+ else
+ ret = GNUTLS_E_NO_PRIORITIES_WERE_SET;
+ goto cleanup;
+ }
+
+ if (unlikely(session->internals.default_hello_version[0] != 0)) {
+ tver[0] = session->internals.default_hello_version[0];
+ tver[1] = session->internals.default_hello_version[1];
+ } else {
+ tver[0] = hver->major;
+ tver[1] = hver->minor;
+ }
+ ret = _gnutls_buffer_append_data(&extdata, tver, 2);
+ if (ret < 0) {
+ gnutls_assert();
+ goto cleanup;
+ }
+ _gnutls_handshake_log("HSK[%p]: Adv. version: %u.%u\n", session,
+ (unsigned)tver[0], (unsigned)tver[1]);
+
+ min_ver = _gnutls_version_lowest(session);
+ max_ver = _gnutls_version_max(session);
+ if (min_ver == NULL || max_ver == NULL) {
+ gnutls_assert();
+ ret = GNUTLS_E_NO_PRIORITIES_WERE_SET;
+ goto cleanup;
+ }
+
+ /* if we are replying to an HRR the version is already negotiated */
+ if (!(session->internals.hsk_flags & HSK_HRR_RECEIVED) || !get_version(session)) {
+ /* Set the version we advertized as maximum
+ * (RSA uses it). */
+ set_adv_version(session, hver->major, hver->minor);
+ if (_gnutls_set_current_version(session, hver->id) < 0) {
+ ret = gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
+ goto cleanup;
+ }
+ }
+
+ if (session->internals.priorities->min_record_version != 0) {
+ /* Advertise the lowest supported (SSL 3.0) record packet
+ * version in record packets during the handshake.
+ * That is to avoid confusing implementations
+ * that do not support TLS 1.2 and don't know
+ * how 3,3 version of record packets look like.
+ */
+ set_default_version(session, min_ver);
+ } else {
+ set_default_version(session, hver);
+ }
+
+ /* In order to know when this session was initiated.
+ */
+ session->security_parameters.timestamp = gnutls_time(NULL);
+
+ /* Generate random data
+ */
+ if (!(session->internals.hsk_flags & HSK_HRR_RECEIVED) &&
+ !(IS_DTLS(session) && session->internals.dtls.hsk_hello_verify_requests != 0)) {
+ ret = _gnutls_gen_client_random(session);
+ if (ret < 0) {
+ gnutls_assert();
+ goto cleanup;
+ }
+
+ }
+
+ ret = _gnutls_buffer_append_data(&extdata,
+ session->security_parameters.client_random,
+ GNUTLS_RANDOM_SIZE);
+ if (ret < 0) {
+ gnutls_assert();
+ goto cleanup;
+ }
+
+#ifdef TLS13_APPENDIX_D4
+ if (max_ver->tls13_sem &&
+ session->internals.priorities->tls13_compat_mode &&
+ !resuming) {
+ if (!(session->internals.hsk_flags & HSK_HRR_RECEIVED)) {
+ /* Under TLS1.3 we generate a random session ID to make
+ * the TLS1.3 session look like a resumed TLS1.2 session */
+ ret = _gnutls_generate_session_id(session->security_parameters.
+ session_id,
+ &session->security_parameters.
+ session_id_size);
+ if (ret < 0) {
+ gnutls_assert();
+ goto cleanup;
+ }
+ }
+ session_id = session->security_parameters.session_id;
+ session_id_len = session->security_parameters.session_id_size;
+ }
+#endif
+
+ /* Copy the Session ID - if any
+ */
+ ret = _gnutls_buffer_append_data_prefix(&extdata, 8,
+ session_id,
+ session_id_len);
+ if (ret < 0) {
+ gnutls_assert();
+ goto cleanup;
+ }
+
+ /* Copy the DTLS cookie
+ */
+ if (IS_DTLS(session)) {
+ ret = _gnutls_buffer_append_data_prefix(&extdata, 8,
+ session->internals.dtls.dcookie.data,
+ session->internals.dtls.dcookie.size);
+ if (ret < 0) {
+ gnutls_assert();
+ goto cleanup;
+ }
+ _gnutls_free_datum(&session->internals.dtls.dcookie);
+ }
+
+ /* Copy the ciphersuites.
+ */
+#ifdef ENABLE_SSL3
+ /* If using SSLv3 Send TLS_RENEGO_PROTECTION_REQUEST SCSV for MITM
+ * prevention on initial negotiation (but not renegotiation; that's
+ * handled with the RI extension below).
+ */
+ if (!session->internals.initial_negotiation_completed &&
+ session->security_parameters.entity == GNUTLS_CLIENT &&
+ (hver->id == GNUTLS_SSL3 &&
+ session->internals.priorities->no_extensions != 0)) {
+ add_sr_scsv = 1;
+ }
+#endif
+ ret = _gnutls_get_client_ciphersuites(session, &extdata, min_ver, add_sr_scsv);
+ if (ret < 0) {
+ gnutls_assert();
+ goto cleanup;
+ }
+
+ /* Copy the compression methods.
+ */
+ ret = append_null_comp(session, &extdata);
+ if (ret < 0) {
+ gnutls_assert();
+ goto cleanup;
+ }
+
+ /* Generate and copy TLS extensions.
+ */
+ if (session->internals.priorities->no_extensions == 0) {
+ if (_gnutls_version_has_extensions(hver)) {
+ type = GNUTLS_EXT_ANY;
+ } else {
+ type = GNUTLS_EXT_MANDATORY;
+ }
+
+ ret =
+ _gnutls_gen_hello_extensions(session, &extdata,
+ GNUTLS_EXT_FLAG_CLIENT_HELLO,
+ type);
+ if (ret < 0) {
+ gnutls_assert();
+ goto cleanup;
+ }
+ }
+
+ bufel = _gnutls_buffer_to_mbuffer(&extdata);
+ }
+
+ ret = _gnutls_send_handshake(session, bufel,
+ GNUTLS_HANDSHAKE_CLIENT_HELLO);
+
+ if (session->internals.hsk_flags & HSK_EARLY_DATA_IN_FLIGHT) {
+ const cipher_entry_st *ce;
+ const mac_entry_st *me;
+ record_parameters_st *params;
+
+ ce = cipher_to_entry(session->internals.
+ resumed_security_parameters.
+ cs->block_algorithm);
+ me = mac_to_entry(session->internals.
+ resumed_security_parameters.
+ cs->mac_algorithm);
+
+ ret = _gnutls_epoch_get(session, EPOCH_NEXT, &params);
+ if (ret < 0) {
+ return gnutls_assert_val(ret);
+ }
+
+ params->cipher = ce;
+ params->mac = me;
+
+ ret = _tls13_write_connection_state_init(session, STAGE_EARLY);
+ if (ret < 0) {
+ return gnutls_assert_val(ret);
+ }
+
+ _gnutls_epoch_bump(session);
+ ret = _gnutls_epoch_dup(session, EPOCH_WRITE_CURRENT);
+ if (ret < 0) {
+ return gnutls_assert_val(ret);
+ }
+
+ ret = _gnutls13_send_early_data(session);
+ if (ret < 0) {
+ return gnutls_assert_val(ret);
+ }
+ }
+
+ return ret;
+
+ cleanup:
+ _gnutls_buffer_clear(&extdata);
+ return ret;
+}
+
+int _gnutls_send_server_hello(gnutls_session_t session, int again)
+{
+ mbuffer_st *bufel = NULL;
+ gnutls_buffer_st buf;
+ int ret;
+ uint8_t session_id_len =
+ session->security_parameters.session_id_size;
+ char tmpbuf[2 * GNUTLS_MAX_SESSION_ID_SIZE + 1];
+ const version_entry_st *vers;
+ uint8_t vbytes[2];
+ unsigned extflag = 0;
+ gnutls_ext_parse_type_t etype;
+
+ _gnutls_buffer_init(&buf);
+
+ if (again == 0) {
+ vers = get_version(session);
+ if (unlikely(vers == NULL || session->security_parameters.cs == NULL))
+ return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
+
+ if (vers->tls13_sem) {
+ vbytes[0] = 0x03; /* TLS1.2 */
+ vbytes[1] = 0x03;
+ extflag |= GNUTLS_EXT_FLAG_TLS13_SERVER_HELLO;
+ } else {
+ vbytes[0] = vers->major;
+ vbytes[1] = vers->minor;
+ extflag |= GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO;
+ }
+
+ ret = _gnutls_buffer_init_handshake_mbuffer(&buf);
+ if (ret < 0) {
+ gnutls_assert();
+ goto fail;
+ }
+
+ ret = _gnutls_buffer_append_data(&buf, vbytes, 2);
+ if (ret < 0) {
+ gnutls_assert();
+ goto fail;
+ }
+
+ ret = _gnutls_buffer_append_data(&buf,
+ session->security_parameters.server_random,
+ GNUTLS_RANDOM_SIZE);
+ if (ret < 0) {
+ gnutls_assert();
+ goto fail;
+ }
+
+ ret = _gnutls_buffer_append_data_prefix(&buf, 8,
+ session->security_parameters.session_id,
+ session_id_len);
+ if (ret < 0) {
+ gnutls_assert();
+ goto fail;
+ }
+
+ _gnutls_handshake_log("HSK[%p]: SessionID: %s\n", session,
+ _gnutls_bin2hex(session->
+ security_parameters.session_id,
+ session_id_len, tmpbuf,
+ sizeof(tmpbuf), NULL));
+
+ ret = _gnutls_buffer_append_data(&buf,
+ session->security_parameters.cs->id,
+ 2);
+ if (ret < 0) {
+ gnutls_assert();
+ goto fail;
+ }
+
+ /* compression */
+ ret = _gnutls_buffer_append_prefix(&buf, 8, 0);
+ if (ret < 0) {
+ gnutls_assert();
+ goto fail;
+ }
+
+ if (!vers->tls13_sem && session->internals.resumed)
+ etype = GNUTLS_EXT_MANDATORY;
+ else
+ etype = GNUTLS_EXT_ANY;
+ ret =
+ _gnutls_gen_hello_extensions(session, &buf, extflag, etype);
+ if (ret < 0) {
+ gnutls_assert();
+ goto fail;
+ }
+
+ if (vers->tls13_sem) {
+ /* Under TLS1.3, the session ID is used for different purposes than
+ * the TLS1.0 session ID. Ensure that there is an internally set
+ * value which the server will see on the original and resumed sessions */
+ ret = _gnutls_generate_session_id(session->security_parameters.
+ session_id,
+ &session->security_parameters.
+ session_id_size);
+ if (ret < 0) {
+ gnutls_assert();
+ goto fail;
+ }
+ }
+
+ bufel = _gnutls_buffer_to_mbuffer(&buf);
+ }
+
+ ret =
+ _gnutls_send_handshake(session, bufel,
+ GNUTLS_HANDSHAKE_SERVER_HELLO);
+
+fail:
+ _gnutls_buffer_clear(&buf);
+ return ret;
+}
+
+static int
+recv_hello_verify_request(gnutls_session_t session,
+ uint8_t * data, int datalen)
+{
+ ssize_t len = datalen;
+ size_t pos = 0;
+ uint8_t cookie_len;
+ unsigned int nb_verifs;
+ int ret;
+
+ if (!IS_DTLS(session)) {
+ gnutls_assert();
+ return GNUTLS_E_UNEXPECTED_PACKET;
+ }
+
+ nb_verifs = ++session->internals.dtls.hsk_hello_verify_requests;
+ if (nb_verifs >= MAX_HANDSHAKE_HELLO_VERIFY_REQUESTS) {
+ /* The server is either buggy, malicious or changing cookie
+ secrets _way_ too fast. */
+ gnutls_assert();
+ return GNUTLS_E_UNEXPECTED_PACKET;
+ }
+
+ DECR_LEN(len, 2);
+ pos += 2;
+
+ DECR_LEN(len, 1);
+ cookie_len = data[pos];
+ pos++;
+
+ if (cookie_len > DTLS_MAX_COOKIE_SIZE) {
+ gnutls_assert();
+ return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
+ }
+
+ DECR_LEN(len, cookie_len);
+
+ gnutls_free(session->internals.dtls.dcookie.data);
+ ret = _gnutls_set_datum(&session->internals.dtls.dcookie, &data[pos], cookie_len);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ if (len != 0) {
+ gnutls_assert();
+ return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
+ }
+
+ /* reset handshake hash buffers */
+ handshake_hash_buffer_reset(session);
+ /* reset extensions used in previous hello */
+ session->internals.used_exts = 0;
+
+ return 0;
+}
+
+/* The packets in gnutls_handshake (it's more broad than original TLS handshake)
+ *
+ * Client Server
+ *
+ * ClientHello -------->
+ * <-------- ServerHello
+ *
+ * Certificate*
+ * ServerKeyExchange*
+ * <-------- CertificateRequest*
+ *
+ * <-------- ServerHelloDone
+ * Certificate*
+ * ClientKeyExchange
+ * CertificateVerify*
+ * [ChangeCipherSpec]
+ * Finished -------->
+ * NewSessionTicket
+ * [ChangeCipherSpec]
+ * <-------- Finished
+ *
+ * (*): means optional packet.
+ */
+
+/* Handshake when resumming session:
+ * Client Server
+ *
+ * ClientHello -------->
+ * ServerHello
+ * [ChangeCipherSpec]
+ * <-------- Finished
+ * [ChangeCipherSpec]
+ * Finished -------->
+ *
+ */
+
+/**
+ * gnutls_rehandshake:
+ * @session: is a #gnutls_session_t type.
+ *
+ * This function can only be called in server side, and
+ * instructs a TLS 1.2 or earlier client to renegotiate
+ * parameters (perform a handshake), by sending a
+ * hello request message.
+ *
+ * If this function succeeds, the calling application
+ * should call gnutls_record_recv() until %GNUTLS_E_REHANDSHAKE
+ * is returned to clear any pending data. If the %GNUTLS_E_REHANDSHAKE
+ * error code is not seen, then the handshake request was
+ * not followed by the peer (the TLS protocol does not require
+ * the client to do, and such compliance should be handled
+ * by the application protocol).
+ *
+ * Once the %GNUTLS_E_REHANDSHAKE error code is seen, the
+ * calling application should proceed to calling
+ * gnutls_handshake() to negotiate the new
+ * parameters.
+ *
+ * If the client does not wish to renegotiate parameters he
+ * may reply with an alert message, and in that case the return code seen
+ * by subsequent gnutls_record_recv() will be
+ * %GNUTLS_E_WARNING_ALERT_RECEIVED with the specific alert being
+ * %GNUTLS_A_NO_RENEGOTIATION. A client may also choose to ignore
+ * this request.
+ *
+ * Under TLS 1.3 this function is equivalent to gnutls_session_key_update()
+ * with the %GNUTLS_KU_PEER flag. In that case subsequent calls to
+ * gnutls_record_recv() will not return %GNUTLS_E_REHANDSHAKE, and
+ * calls to gnutls_handshake() in server side are a no-op.
+ *
+ * This function always fails with %GNUTLS_E_INVALID_REQUEST when
+ * called in client side.
+ *
+ * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
+ **/
+int gnutls_rehandshake(gnutls_session_t session)
+{
+ int ret;
+ const version_entry_st *vers = get_version(session);
+
+ /* only server sends that handshake packet */
+ if (session->security_parameters.entity == GNUTLS_CLIENT)
+ return GNUTLS_E_INVALID_REQUEST;
+
+ if (vers->tls13_sem) {
+ return gnutls_session_key_update(session, GNUTLS_KU_PEER);
+ }
+
+ _dtls_async_timer_delete(session);
+
+ ret =
+ _gnutls_send_empty_handshake(session,
+ GNUTLS_HANDSHAKE_HELLO_REQUEST,
+ AGAIN(STATE50));
+ STATE = STATE50;
+
+ if (ret < 0) {
+ gnutls_assert();
+ return ret;
+ }
+ STATE = STATE0;
+
+ return 0;
+}
+
+/* This function checks whether the error code should be treated fatal
+ * or not, and also does the necessary state transition. In
+ * particular, in the case of a rehandshake abort it resets the
+ * handshake's internal state.
+ */
+inline static int
+_gnutls_abort_handshake(gnutls_session_t session, int ret)
+{
+ switch (ret) {
+ case GNUTLS_E_WARNING_ALERT_RECEIVED:
+ if (gnutls_alert_get(session) == GNUTLS_A_NO_RENEGOTIATION) {
+ /* The server always toleretes a "no_renegotiation" alert. */
+ if (session->security_parameters.entity == GNUTLS_SERVER) {
+ STATE = STATE0;
+ return ret;
+ }
+
+ /* The client should tolerete a "no_renegotiation" alert only if:
+ * - the initial handshake has completed, or
+ * - a Server Hello is not yet received
+ */
+ if (session->internals.initial_negotiation_completed ||
+ !(session->internals.hsk_flags & HSK_SERVER_HELLO_RECEIVED)) {
+ STATE = STATE0;
+ return ret;
+ }
+
+ return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET);
+ }
+ return ret;
+ case GNUTLS_E_GOT_APPLICATION_DATA:
+ STATE = STATE0;
+ return ret;
+ default:
+ return ret;
+ }
+}
+
+
+static int _gnutls_send_supplemental(gnutls_session_t session, int again)
+{
+ mbuffer_st *bufel = NULL;
+ int ret = 0;
+
+ _gnutls_debug_log("EXT[%p]: Sending supplemental data\n", session);
+
+ if (!again) {
+ gnutls_buffer_st buf;
+ ret = _gnutls_buffer_init_handshake_mbuffer(&buf);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ ret = _gnutls_gen_supplemental(session, &buf);
+ if (ret < 0) {
+ gnutls_assert();
+ _gnutls_buffer_clear(&buf);
+ return ret;
+ }
+
+ bufel = _gnutls_buffer_to_mbuffer(&buf);
+ }
+
+ return _gnutls_send_handshake(session, bufel,
+ GNUTLS_HANDSHAKE_SUPPLEMENTAL);
+}
+
+static int _gnutls_recv_supplemental(gnutls_session_t session)
+{
+ gnutls_buffer_st buf;
+ int ret;
+
+ _gnutls_debug_log("EXT[%p]: Expecting supplemental data\n",
+ session);
+
+ ret =
+ _gnutls_recv_handshake(session, GNUTLS_HANDSHAKE_SUPPLEMENTAL,
+ 1, &buf);
+ if (ret < 0) {
+ gnutls_assert();
+ return ret;
+ }
+
+ ret = _gnutls_parse_supplemental(session, buf.data, buf.length);
+ if (ret < 0) {
+ gnutls_assert();
+ goto cleanup;
+ }
+
+ cleanup:
+ _gnutls_buffer_clear(&buf);
+
+ return ret;
+}
+
+/**
+ * gnutls_handshake:
+ * @session: is a #gnutls_session_t type.
+ *
+ * This function performs the handshake of the TLS/SSL protocol, and
+ * initializes the TLS session parameters.
+ *
+ * The non-fatal errors expected by this function are:
+ * %GNUTLS_E_INTERRUPTED, %GNUTLS_E_AGAIN,
+ * %GNUTLS_E_WARNING_ALERT_RECEIVED. When this function is called
+ * for re-handshake under TLS 1.2 or earlier, the non-fatal error code
+ * %GNUTLS_E_GOT_APPLICATION_DATA may also be returned.
+ *
+ * The former two interrupt the handshake procedure due to the transport
+ * layer being interrupted, and the latter because of a "warning" alert that
+ * was sent by the peer (it is always a good idea to check any
+ * received alerts). On these non-fatal errors call this function again,
+ * until it returns 0; cf. gnutls_record_get_direction() and
+ * gnutls_error_is_fatal(). In DTLS sessions the non-fatal error
+ * %GNUTLS_E_LARGE_PACKET is also possible, and indicates that
+ * the MTU should be adjusted.
+ *
+ * When this function is called by a server after a rehandshake request
+ * under TLS 1.2 or earlier the %GNUTLS_E_GOT_APPLICATION_DATA error code indicates
+ * that some data were pending prior to peer initiating the handshake.
+ * Under TLS 1.3 this function when called after a successful handshake, is a no-op
+ * and always succeeds in server side; in client side this function is
+ * equivalent to gnutls_session_key_update() with %GNUTLS_KU_PEER flag.
+ *
+ * This function handles both full and abbreviated TLS handshakes (resumption).
+ * For abbreviated handshakes, in client side, the gnutls_session_set_data()
+ * should be called prior to this function to set parameters from a previous session.
+ * In server side, resumption is handled by either setting a DB back-end, or setting
+ * up keys for session tickets.
+ *
+ * Returns: %GNUTLS_E_SUCCESS on a successful handshake, otherwise a negative error code.
+ **/
+int gnutls_handshake(gnutls_session_t session)
+{
+ const version_entry_st *vers = get_version(session);
+ int ret;
+
+ if (unlikely(session->internals.initial_negotiation_completed)) {
+ if (vers->tls13_sem) {
+ if (session->security_parameters.entity == GNUTLS_CLIENT) {
+ return gnutls_session_key_update(session, GNUTLS_KU_PEER);
+ } else {
+ /* This is a no-op for a server under TLS 1.3, as
+ * a server has already called gnutls_rehandshake()
+ * which performed a key update.
+ */
+ return 0;
+ }
+ }
+ }
+
+ if (STATE == STATE0) {
+ unsigned int tmo_ms;
+ struct timespec *end;
+ struct timespec *start;
+
+ /* first call */
+ if (session->internals.priorities == NULL ||
+ session->internals.priorities->cs.size == 0)
+ return gnutls_assert_val(GNUTLS_E_NO_PRIORITIES_WERE_SET);
+
+ ret =
+ _gnutls_epoch_setup_next(session, 0, NULL);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ session->internals.used_exts = 0;
+ session->internals.hsk_flags = 0;
+ session->internals.handshake_in_progress = 1;
+ session->internals.vc_status = -1;
+ gnutls_gettime(&session->internals.handshake_start_time);
+
+ tmo_ms = session->internals.handshake_timeout_ms;
+ end = &session->internals.handshake_abs_timeout;
+ start = &session->internals.handshake_start_time;
+
+ if (tmo_ms && end->tv_sec == 0 && end->tv_nsec == 0) {
+ end->tv_sec =
+ start->tv_sec + (start->tv_nsec + tmo_ms * 1000000LL) / 1000000000LL;
+ end->tv_nsec =
+ (start->tv_nsec + tmo_ms * 1000000LL) % 1000000000LL;
+ }
+
+#ifdef ENABLE_KTLS
+ if (_gnutls_config_is_ktls_enabled()) {
+ if ((session->internals.pull_func &&
+ session->internals.pull_func != system_read) ||
+ session->internals.push_func) {
+ _gnutls_audit_log(session,
+ "Not enabling KTLS with "
+ "custom pull/push function\n");
+ } else {
+ _gnutls_ktls_enable(session);
+ }
+ }
+#endif
+ }
+
+ if (session->internals.recv_state == RECV_STATE_FALSE_START) {
+ session_invalidate(session);
+ return gnutls_assert_val(GNUTLS_E_HANDSHAKE_DURING_FALSE_START);
+ }
+
+ if (session->security_parameters.entity == GNUTLS_CLIENT) {
+ do {
+ ret = handshake_client(session);
+ } while (ret == 1);
+ } else {
+ ret = handshake_server(session);
+ }
+
+ if (ret < 0) {
+ return _gnutls_abort_handshake(session, ret);
+ }
+
+ /* clear handshake buffer */
+ if (session->internals.recv_state != RECV_STATE_FALSE_START &&
+ session->internals.recv_state != RECV_STATE_EARLY_START) {
+
+ _gnutls_handshake_hash_buffers_clear(session);
+
+ if (IS_DTLS(session) == 0) {
+ _gnutls_handshake_io_buffer_clear(session);
+ } else {
+ _dtls_async_timer_init(session);
+ }
+
+ _gnutls_handshake_internal_state_clear(session);
+
+ _gnutls_buffer_clear(&session->internals.record_presend_buffer);
+
+ _gnutls_epoch_bump(session);
+ }
+
+ /* Give an estimation of the round-trip under TLS1.3, used by gnutls_session_get_data2() */
+ if (!IS_SERVER(session) && vers->tls13_sem) {
+ struct timespec handshake_finish_time;
+ gnutls_gettime(&handshake_finish_time);
+
+ if (!(session->internals.hsk_flags & HSK_HRR_RECEIVED)) {
+ session->internals.ertt = timespec_sub_ms(&handshake_finish_time, &session->internals.handshake_start_time)/2;
+ } else {
+ session->internals.ertt = timespec_sub_ms(&handshake_finish_time, &session->internals.handshake_start_time)/4;
+ }
+ }
+
+#ifdef ENABLE_KTLS
+ if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_DUPLEX)) {
+ _gnutls_ktls_set_keys(session);
+ }
+#endif
+
+ return 0;
+}
+
+/**
+ * gnutls_handshake_set_timeout:
+ * @session: is a #gnutls_session_t type.
+ * @ms: is a timeout value in milliseconds
+ *
+ * This function sets the timeout for the TLS handshake process
+ * to the provided value. Use an @ms value of zero to disable
+ * timeout, or %GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT for a reasonable
+ * default value. For the DTLS protocol, the more detailed
+ * gnutls_dtls_set_timeouts() is provided.
+ *
+ * This function requires to set a pull timeout callback. See
+ * gnutls_transport_set_pull_timeout_function().
+ *
+ * Since: 3.1.0
+ **/
+void
+gnutls_handshake_set_timeout(gnutls_session_t session, unsigned int ms)
+{
+ if (ms == GNUTLS_INDEFINITE_TIMEOUT) {
+ session->internals.handshake_timeout_ms = 0;
+ return;
+ }
+
+ if (ms == GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT)
+ ms = DEFAULT_HANDSHAKE_TIMEOUT_MS;
+
+ if (IS_DTLS(session)) {
+ gnutls_dtls_set_timeouts(session, DTLS_RETRANS_TIMEOUT, ms);
+ return;
+ }
+
+ session->internals.handshake_timeout_ms = ms;
+}
+
+/* Runs the certificate verification callback.
+ * side is the side that we verify the certificate
+ * from (either GNUTLS_CLIENT or GNUTLS_SERVER).
+ */
+int _gnutls_run_verify_callback(gnutls_session_t session, unsigned int side)
+{
+ gnutls_certificate_credentials_t cred;
+ int ret, type;
+
+ if (session->internals.hsk_flags & HSK_PSK_SELECTED)
+ return 0;
+
+ cred =
+ (gnutls_certificate_credentials_t) _gnutls_get_cred(session,
+ GNUTLS_CRD_CERTIFICATE);
+
+ if (side == GNUTLS_CLIENT)
+ type = gnutls_auth_server_get_type(session);
+ else
+ type = gnutls_auth_client_get_type(session);
+
+ if (type != GNUTLS_CRD_CERTIFICATE)
+ return 0;
+
+ /* verify whether the certificate of the peer remained the same
+ * as with any previous handshakes */
+ if (cred != NULL) {
+ ret = _gnutls_check_if_cert_hash_is_same(session, cred);
+ if (ret < 0) {
+ return gnutls_assert_val(ret);
+ }
+ }
+
+ if (cred != NULL &&
+ (cred->verify_callback != NULL || session->internals.verify_callback != NULL) &&
+ (session->security_parameters.entity == GNUTLS_CLIENT ||
+ session->internals.send_cert_req != GNUTLS_CERT_IGNORE)) {
+ if (session->internals.verify_callback)
+ ret = session->internals.verify_callback(session);
+ else
+ ret = cred->verify_callback(session);
+ if (ret < -1)
+ return gnutls_assert_val(ret);
+ else if (ret != 0)
+ return gnutls_assert_val(GNUTLS_E_CERTIFICATE_ERROR);
+ }
+
+ return 0;
+}
+
+static bool can_send_false_start(gnutls_session_t session)
+{
+ const version_entry_st *vers;
+
+ vers = get_version(session);
+ if (unlikely(vers == NULL || !vers->false_start))
+ return 0;
+
+ if (session->internals.selected_cert_list != NULL)
+ return 0;
+
+ if (!_gnutls_kx_allows_false_start(session))
+ return 0;
+
+ return 1;
+}
+
+/*
+ * handshake_client
+ * This function performs the client side of the handshake of the TLS/SSL protocol.
+ */
+static int handshake_client(gnutls_session_t session)
+{
+ int ret = 0;
+ const version_entry_st *ver;
+
+ reset:
+ if (STATE >= STATE99)
+ return _gnutls13_handshake_client(session);
+
+ switch (STATE) {
+ case STATE0:
+ case STATE1:
+ ret = send_client_hello(session, AGAIN(STATE1));
+ STATE = STATE1;
+ IMED_RET("send hello", ret, 1);
+ FALLTHROUGH;
+ case STATE2:
+ if (IS_DTLS(session)) {
+ ret =
+ _gnutls_recv_handshake(session,
+ GNUTLS_HANDSHAKE_HELLO_VERIFY_REQUEST,
+ 1, NULL);
+ STATE = STATE2;
+ IMED_RET("recv hello verify", ret, 1);
+
+ if (ret == 1) {
+ STATE = STATE0;
+ return 1;
+ }
+ } else {
+ ret =
+ _gnutls_recv_handshake(session,
+ GNUTLS_HANDSHAKE_HELLO_RETRY_REQUEST,
+ 1, NULL);
+ STATE = STATE2;
+ IMED_RET("recv hello retry", ret, 1);
+
+ if (ret == 1) {
+ STATE = STATE0;
+ return 1;
+ }
+ }
+ FALLTHROUGH;
+ case STATE3:
+ /* receive the server hello */
+ ret =
+ _gnutls_recv_handshake(session,
+ GNUTLS_HANDSHAKE_SERVER_HELLO,
+ 0, NULL);
+ STATE = STATE3;
+ IMED_RET("recv hello", ret, 1);
+ FALLTHROUGH;
+ case STATE4:
+ ver = get_version(session);
+ if (ver->tls13_sem) { /* TLS 1.3 state machine */
+ STATE = STATE99;
+ goto reset;
+ }
+
+ ret = _gnutls_ext_sr_verify(session);
+ STATE = STATE4;
+ IMED_RET_FATAL("recv hello", ret, 0);
+ FALLTHROUGH;
+ case STATE5:
+ if (session->security_parameters.do_recv_supplemental) {
+ ret = _gnutls_recv_supplemental(session);
+ STATE = STATE5;
+ IMED_RET("recv supplemental", ret, 1);
+ }
+ FALLTHROUGH;
+ case STATE6:
+ /* RECV CERTIFICATE */
+ if (!session->internals.resumed) /* if we are not resuming */
+ ret = _gnutls_recv_server_certificate(session);
+ STATE = STATE6;
+ IMED_RET("recv server certificate", ret, 1);
+ FALLTHROUGH;
+ case STATE7:
+#ifdef ENABLE_OCSP
+ /* RECV CERTIFICATE STATUS */
+ if (!session->internals.resumed) /* if we are not resuming */
+ ret =
+ _gnutls_recv_server_certificate_status
+ (session);
+ STATE = STATE7;
+ IMED_RET("recv server certificate", ret, 1);
+#endif
+ FALLTHROUGH;
+ case STATE8:
+ ret = _gnutls_run_verify_callback(session, GNUTLS_CLIENT);
+ STATE = STATE8;
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ FALLTHROUGH;
+ case STATE9:
+ /* receive the server key exchange */
+ if (!session->internals.resumed) /* if we are not resuming */
+ ret = _gnutls_recv_server_kx_message(session);
+ STATE = STATE9;
+ IMED_RET("recv server kx message", ret, 1);
+ FALLTHROUGH;
+ case STATE10:
+ /* receive the server certificate request - if any
+ */
+
+ if (!session->internals.resumed) /* if we are not resuming */
+ ret = _gnutls_recv_server_crt_request(session);
+ STATE = STATE10;
+ IMED_RET("recv server certificate request message", ret,
+ 1);
+ FALLTHROUGH;
+ case STATE11:
+ /* receive the server hello done */
+ if (!session->internals.resumed) /* if we are not resuming */
+ ret =
+ _gnutls_recv_handshake(session,
+ GNUTLS_HANDSHAKE_SERVER_HELLO_DONE,
+ 0, NULL);
+ STATE = STATE11;
+ IMED_RET("recv server hello done", ret, 1);
+ FALLTHROUGH;
+ case STATE12:
+ if (session->security_parameters.do_send_supplemental) {
+ ret =
+ _gnutls_send_supplemental(session,
+ AGAIN(STATE12));
+ STATE = STATE12;
+ IMED_RET("send supplemental", ret, 0);
+ }
+ FALLTHROUGH;
+ case STATE13:
+ /* send our certificate - if any and if requested
+ */
+ if (!session->internals.resumed) /* if we are not resuming */
+ ret =
+ _gnutls_send_client_certificate(session,
+ AGAIN
+ (STATE13));
+ STATE = STATE13;
+ IMED_RET("send client certificate", ret, 0);
+ FALLTHROUGH;
+ case STATE14:
+ if (!session->internals.resumed) /* if we are not resuming */
+ ret =
+ _gnutls_send_client_kx_message(session,
+ AGAIN(STATE14));
+ STATE = STATE14;
+ IMED_RET("send client kx", ret, 0);
+ FALLTHROUGH;
+ case STATE15:
+ /* send client certificate verify */
+ if (!session->internals.resumed) /* if we are not resuming */
+ ret =
+ _gnutls_send_client_certificate_verify(session,
+ AGAIN
+ (STATE15));
+ STATE = STATE15;
+ IMED_RET("send client certificate verify", ret, 1);
+ FALLTHROUGH;
+ case STATE16:
+ STATE = STATE16;
+ if (!session->internals.resumed) {
+ ret = send_handshake_final(session, true);
+ IMED_RET("send handshake final 2", ret, 1);
+ } else {
+ ret = _gnutls_recv_new_session_ticket(session);
+ IMED_RET("recv handshake new session ticket", ret,
+ 1);
+ }
+ FALLTHROUGH;
+ case STATE17:
+ STATE = STATE17;
+ if (!session->internals.resumed && (session->internals.flags & GNUTLS_ENABLE_FALSE_START) && can_send_false_start(session)) {
+ session->internals.hsk_flags |= HSK_FALSE_START_USED;
+ session->internals.recv_state = RECV_STATE_FALSE_START;
+ /* complete this phase of the handshake. We
+ * should be called again by gnutls_record_recv()
+ */
+ STATE = STATE18;
+ gnutls_assert();
+
+ return 0;
+ }
+ FALLTHROUGH;
+ case STATE18:
+ STATE = STATE18;
+
+ if (!session->internals.resumed) {
+ ret = _gnutls_recv_new_session_ticket(session);
+ IMED_RET("recv handshake new session ticket", ret,
+ 1);
+ } else {
+ ret = recv_handshake_final(session, true);
+ IMED_RET("recv handshake final", ret, 1);
+ }
+ FALLTHROUGH;
+ case STATE19:
+ STATE = STATE19;
+ if (!session->internals.resumed) {
+ ret = recv_handshake_final(session, false);
+ IMED_RET("recv handshake final 2", ret, 1);
+ } else {
+ ret = send_handshake_final(session, false);
+ IMED_RET("send handshake final", ret, 1);
+ }
+
+ STATE = STATE0;
+ FALLTHROUGH;
+ default:
+ break;
+ }
+
+ /* explicitly reset any false start flags */
+ gnutls_mutex_lock(&session->internals.post_negotiation_lock);
+ session->internals.initial_negotiation_completed = 1;
+ session->internals.recv_state = RECV_STATE_0;
+ gnutls_mutex_unlock(&session->internals.post_negotiation_lock);
+
+ return 0;
+}
+
+
+
+/* This function is to be called if the handshake was successfully
+ * completed. This sends a Change Cipher Spec packet to the peer.
+ */
+ssize_t _gnutls_send_change_cipher_spec(gnutls_session_t session, int again)
+{
+ uint8_t *data;
+ mbuffer_st *bufel;
+ int ret;
+ const version_entry_st *vers;
+
+ if (again == 0) {
+ bufel = _gnutls_handshake_alloc(session, 3); /* max for DTLS0.9 */
+ if (bufel == NULL)
+ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+
+ vers = get_version(session);
+ if (unlikely(vers == NULL))
+ return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
+
+ if (vers->id == GNUTLS_DTLS0_9)
+ _mbuffer_set_uhead_size(bufel, 3);
+ else
+ _mbuffer_set_uhead_size(bufel, 1);
+ _mbuffer_set_udata_size(bufel, 0);
+
+ data = _mbuffer_get_uhead_ptr(bufel);
+
+ data[0] = 1;
+ if (vers->id == GNUTLS_DTLS0_9) {
+ _gnutls_write_uint16(session->internals.dtls.
+ hsk_write_seq, &data[1]);
+ session->internals.dtls.hsk_write_seq++;
+ }
+
+ ret = _gnutls_call_hook_func(session, GNUTLS_HANDSHAKE_CHANGE_CIPHER_SPEC, GNUTLS_HOOK_PRE, 0,
+ data, 1);
+ if (ret < 0) {
+ _mbuffer_xfree(&bufel);
+ return gnutls_assert_val(ret);
+ }
+
+ ret =
+ _gnutls_handshake_io_cache_int(session,
+ GNUTLS_HANDSHAKE_CHANGE_CIPHER_SPEC,
+ bufel);
+ if (ret < 0) {
+ _mbuffer_xfree(&bufel);
+ return gnutls_assert_val(ret);
+ }
+
+ ret = _gnutls_call_hook_func(session, GNUTLS_HANDSHAKE_CHANGE_CIPHER_SPEC, GNUTLS_HOOK_POST, 0,
+ data, 1);
+ if (ret < 0) {
+ return gnutls_assert_val(ret);
+ }
+
+ /* under TLS 1.3, CCS may be immediately followed by
+ * receiving ClientHello thus cannot be cached */
+ if (vers->tls13_sem) {
+ ret = _gnutls_handshake_io_write_flush(session);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+ }
+
+ _gnutls_handshake_log("REC[%p]: Sent ChangeCipherSpec\n",
+ session);
+ }
+
+ return 0;
+}
+
+/* This function sends the final handshake packets and initializes connection
+ */
+static int send_handshake_final(gnutls_session_t session, int init)
+{
+ int ret = 0;
+
+ /* Send the CHANGE CIPHER SPEC PACKET */
+
+ switch (FINAL_STATE) {
+ case STATE0:
+ case STATE1:
+ ret = _gnutls_send_change_cipher_spec(session, FAGAIN(STATE1));
+ FINAL_STATE = STATE0;
+
+ if (ret < 0) {
+ gnutls_assert();
+ return ret;
+ }
+ /* Initialize the connection session (start encryption) - in case of client
+ */
+ if (init) {
+ ret = _gnutls_connection_state_init(session);
+ if (ret < 0) {
+ gnutls_assert();
+ return ret;
+ }
+ }
+
+ ret = _gnutls_write_connection_state_init(session);
+ if (ret < 0) {
+ gnutls_assert();
+ return ret;
+ }
+
+ FALLTHROUGH;
+ case STATE2:
+ /* send the finished message */
+ ret = _gnutls_send_finished(session, FAGAIN(STATE2));
+ FINAL_STATE = STATE2;
+ if (ret < 0) {
+ gnutls_assert();
+ return ret;
+ }
+
+ FINAL_STATE = STATE0;
+ FALLTHROUGH;
+ default:
+ break;
+ }
+
+ return 0;
+}
+
+/* This function receives the final handshake packets
+ * And executes the appropriate function to initialize the
+ * read session.
+ */
+static int recv_handshake_final(gnutls_session_t session, int init)
+{
+ int ret = 0;
+ uint8_t ccs[3];
+ unsigned int ccs_len = 1;
+ unsigned int tleft;
+ const version_entry_st *vers;
+
+ ret = handshake_remaining_time(session);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+ tleft = ret;
+
+ switch (FINAL_STATE) {
+ case STATE0:
+ case STATE30:
+ FINAL_STATE = STATE30;
+
+ /* This is the last flight and peer cannot be sure
+ * we have received it unless we notify him. So we
+ * wait for a message and retransmit if needed. */
+ if (IS_DTLS(session) && !_dtls_is_async(session) &&
+ (gnutls_record_check_pending(session) +
+ record_check_unprocessed(session)) == 0) {
+ ret = _dtls_wait_and_retransmit(session);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+ }
+
+ vers = get_version(session);
+ if (unlikely(vers == NULL))
+ return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
+
+ if (vers->id == GNUTLS_DTLS0_9)
+ ccs_len = 3;
+
+ ret =
+ _gnutls_recv_int(session, GNUTLS_CHANGE_CIPHER_SPEC,
+ ccs, ccs_len, NULL, tleft);
+ if (ret <= 0) {
+ gnutls_assert();
+ return (ret<0)?ret:GNUTLS_E_UNEXPECTED_PACKET;
+ }
+
+ if (vers->id == GNUTLS_DTLS0_9)
+ session->internals.dtls.hsk_read_seq++;
+
+ /* Initialize the connection session (start encryption) - in case of server */
+ if (init) {
+ ret = _gnutls_connection_state_init(session);
+ if (ret < 0) {
+ gnutls_assert();
+ return ret;
+ }
+ }
+
+ ret = _gnutls_read_connection_state_init(session);
+ if (ret < 0) {
+ gnutls_assert();
+ return ret;
+ }
+ FALLTHROUGH;
+ case STATE31:
+ FINAL_STATE = STATE31;
+
+ if (IS_DTLS(session) && !_dtls_is_async(session) &&
+ (gnutls_record_check_pending(session) +
+ record_check_unprocessed(session)) == 0) {
+ ret = _dtls_wait_and_retransmit(session);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+ }
+
+ ret = _gnutls_recv_finished(session);
+ if (ret < 0) {
+ gnutls_assert();
+ return ret;
+ }
+ FINAL_STATE = STATE0;
+ FALLTHROUGH;
+ default:
+ break;
+ }
+
+ return 0;
+}
+
+/*
+ * handshake_server
+ * This function does the server stuff of the handshake protocol.
+ */
+static int handshake_server(gnutls_session_t session)
+{
+ int ret = 0;
+ const version_entry_st *ver;
+
+ reset:
+
+ if (STATE >= STATE90)
+ return _gnutls13_handshake_server(session);
+
+ switch (STATE) {
+ case STATE0:
+ case STATE1:
+ ret =
+ _gnutls_recv_handshake(session,
+ GNUTLS_HANDSHAKE_CLIENT_HELLO,
+ 0, NULL);
+ if (ret == GNUTLS_E_INT_RET_0) {
+ /* this is triggered by post_client_hello, and instructs the
+ * handshake to proceed but be put on hold */
+ ret = GNUTLS_E_INTERRUPTED;
+ STATE = STATE2; /* hello already parsed -> move on */
+ } else {
+ STATE = STATE1;
+ }
+
+ if (ret == GNUTLS_E_NO_COMMON_KEY_SHARE) {
+ STATE = STATE90;
+ session->internals.hsk_flags |= HSK_HRR_SENT;
+ goto reset;
+ }
+
+ IMED_RET("recv hello", ret, 1);
+ FALLTHROUGH;
+ case STATE2:
+
+ ret = _gnutls_ext_sr_verify(session);
+ STATE = STATE2;
+ IMED_RET_FATAL("recv hello", ret, 0);
+ FALLTHROUGH;
+ case STATE3:
+ ret = _gnutls_send_server_hello(session, AGAIN(STATE3));
+ STATE = STATE3;
+ IMED_RET("send hello", ret, 1);
+
+ ver = get_version(session);
+ if (ver->tls13_sem) { /* TLS 1.3 state machine */
+ STATE = STATE99;
+ goto reset;
+ }
+
+ FALLTHROUGH;
+ case STATE4:
+ if (session->security_parameters.do_send_supplemental) {
+ ret =
+ _gnutls_send_supplemental(session,
+ AGAIN(STATE4));
+ STATE = STATE4;
+ IMED_RET("send supplemental data", ret, 0);
+ }
+ /* SEND CERTIFICATE + KEYEXCHANGE + CERTIFICATE_REQUEST */
+ FALLTHROUGH;
+ case STATE5:
+ /* NOTE: these should not be send if we are resuming */
+
+ if (!session->internals.resumed)
+ ret =
+ _gnutls_send_server_certificate(session,
+ AGAIN(STATE5));
+ STATE = STATE5;
+ IMED_RET("send server certificate", ret, 0);
+ FALLTHROUGH;
+ case STATE6:
+#ifdef ENABLE_OCSP
+ if (!session->internals.resumed)
+ ret =
+ _gnutls_send_server_certificate_status(session,
+ AGAIN
+ (STATE6));
+ STATE = STATE6;
+ IMED_RET("send server certificate status", ret, 0);
+#endif
+ FALLTHROUGH;
+ case STATE7:
+ /* send server key exchange (A) */
+ if (!session->internals.resumed)
+ ret =
+ _gnutls_send_server_kx_message(session,
+ AGAIN(STATE7));
+ STATE = STATE7;
+ IMED_RET("send server kx", ret, 0);
+ FALLTHROUGH;
+ case STATE8:
+ /* Send certificate request - if requested to */
+ if (!session->internals.resumed)
+ ret =
+ _gnutls_send_server_crt_request(session,
+ AGAIN(STATE8));
+ STATE = STATE8;
+ IMED_RET("send server cert request", ret, 0);
+ FALLTHROUGH;
+ case STATE9:
+ /* send the server hello done */
+ if (!session->internals.resumed) /* if we are not resuming */
+ ret =
+ _gnutls_send_empty_handshake(session,
+ GNUTLS_HANDSHAKE_SERVER_HELLO_DONE,
+ AGAIN(STATE9));
+ STATE = STATE9;
+ IMED_RET("send server hello done", ret, 1);
+ FALLTHROUGH;
+ case STATE10:
+ if (session->security_parameters.do_recv_supplemental) {
+ ret = _gnutls_recv_supplemental(session);
+ STATE = STATE10;
+ IMED_RET("recv client supplemental", ret, 1);
+ }
+ /* RECV CERTIFICATE + KEYEXCHANGE + CERTIFICATE_VERIFY */
+ FALLTHROUGH;
+ case STATE11:
+ /* receive the client certificate message */
+ if (!session->internals.resumed) /* if we are not resuming */
+ ret = _gnutls_recv_client_certificate(session);
+ STATE = STATE11;
+ IMED_RET("recv client certificate", ret, 1);
+ FALLTHROUGH;
+ case STATE12:
+ ret = _gnutls_run_verify_callback(session, GNUTLS_SERVER);
+ STATE = STATE12;
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+ FALLTHROUGH;
+ case STATE13:
+ /* receive the client key exchange message */
+ if (!session->internals.resumed) /* if we are not resuming */
+ ret = _gnutls_recv_client_kx_message(session);
+ STATE = STATE13;
+ IMED_RET("recv client kx", ret, 1);
+ FALLTHROUGH;
+ case STATE14:
+ /* receive the client certificate verify message */
+ if (!session->internals.resumed) /* if we are not resuming */
+ ret =
+ _gnutls_recv_client_certificate_verify_message
+ (session);
+ STATE = STATE14;
+ IMED_RET("recv client certificate verify", ret, 1);
+ FALLTHROUGH;
+ case STATE15:
+ STATE = STATE15;
+ if (!session->internals.resumed) { /* if we are not resuming */
+ ret = recv_handshake_final(session, true);
+ IMED_RET("recv handshake final", ret, 1);
+ } else {
+ ret = send_handshake_final(session, true);
+ IMED_RET("send handshake final 2", ret, 1);
+ }
+ FALLTHROUGH;
+ case STATE16:
+ ret =
+ _gnutls_send_new_session_ticket(session,
+ AGAIN(STATE16));
+ STATE = STATE16;
+ IMED_RET("send handshake new session ticket", ret, 0);
+ FALLTHROUGH;
+ case STATE17:
+ STATE = STATE17;
+ if (!session->internals.resumed) { /* if we are not resuming */
+ ret = send_handshake_final(session, false);
+ IMED_RET("send handshake final", ret, 1);
+
+ if (session->security_parameters.entity ==
+ GNUTLS_SERVER
+ && !(session->internals.hsk_flags & HSK_TLS12_TICKET_SENT)) {
+ /* if no ticket, save session data */
+ _gnutls_server_register_current_session
+ (session);
+ }
+ } else {
+ ret = recv_handshake_final(session, false);
+ IMED_RET("recv handshake final 2", ret, 1);
+ }
+
+ STATE = STATE0;
+ FALLTHROUGH;
+ default:
+ break;
+ }
+
+ /* no lock of post_negotiation_lock is required here as this is not run
+ * after handshake */
+ session->internals.initial_negotiation_completed = 1;
+
+ return _gnutls_check_id_for_change(session);
+}
+
+int _gnutls_generate_session_id(uint8_t * session_id, uint8_t *len)
+{
+ int ret;
+
+ *len = GNUTLS_DEF_SESSION_ID_SIZE;
+
+ ret =
+ gnutls_rnd(GNUTLS_RND_NONCE, session_id,
+ GNUTLS_DEF_SESSION_ID_SIZE);
+ if (ret < 0) {
+ gnutls_assert();
+ return ret;
+ }
+
+ return 0;
+}
+
+
+/**
+ * gnutls_handshake_set_max_packet_length:
+ * @session: is a #gnutls_session_t type.
+ * @max: is the maximum number.
+ *
+ * This function will set the maximum size of all handshake messages.
+ * Handshakes over this size are rejected with
+ * %GNUTLS_E_HANDSHAKE_TOO_LARGE error code. The default value is
+ * 128kb which is typically large enough. Set this to 0 if you do not
+ * want to set an upper limit.
+ *
+ * The reason for restricting the handshake message sizes are to
+ * limit Denial of Service attacks.
+ *
+ * Note that the maximum handshake size was increased to 128kb
+ * from 48kb in GnuTLS 3.5.5.
+ **/
+void
+gnutls_handshake_set_max_packet_length(gnutls_session_t session,
+ size_t max)
+{
+ session->internals.max_handshake_data_buffer_size = max;
+}
+
+/**
+ * gnutls_handshake_get_last_in:
+ * @session: is a #gnutls_session_t type.
+ *
+ * This function is only useful to check where the last performed
+ * handshake failed. If the previous handshake succeed or was not
+ * performed at all then no meaningful value will be returned.
+ *
+ * Check %gnutls_handshake_description_t in gnutls.h for the
+ * available handshake descriptions.
+ *
+ * Returns: the last handshake message type received, a
+ * %gnutls_handshake_description_t.
+ **/
+gnutls_handshake_description_t
+gnutls_handshake_get_last_in(gnutls_session_t session)
+{
+ return session->internals.last_handshake_in;
+}
+
+/**
+ * gnutls_handshake_get_last_out:
+ * @session: is a #gnutls_session_t type.
+ *
+ * This function is only useful to check where the last performed
+ * handshake failed. If the previous handshake succeed or was not
+ * performed at all then no meaningful value will be returned.
+ *
+ * Check %gnutls_handshake_description_t in gnutls.h for the
+ * available handshake descriptions.
+ *
+ * Returns: the last handshake message type sent, a
+ * %gnutls_handshake_description_t.
+ **/
+gnutls_handshake_description_t
+gnutls_handshake_get_last_out(gnutls_session_t session)
+{
+ return session->internals.last_handshake_out;
+}
+
+/* This returns the session hash as in draft-ietf-tls-session-hash-02.
+ */
+int _gnutls_handshake_get_session_hash(gnutls_session_t session, gnutls_datum_t *shash)
+{
+ const version_entry_st *ver = get_version(session);
+ int ret;
+ uint8_t concat[2*MAX_HASH_SIZE];
+
+ if (unlikely(ver == NULL))
+ return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
+
+ if (session->internals.handshake_hash_buffer_client_kx_len == 0 ||
+ (session->internals.handshake_hash_buffer.length <
+ session->internals.handshake_hash_buffer_client_kx_len)) {
+ return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
+ }
+
+ ret =
+ _gnutls_hash_fast((gnutls_digest_algorithm_t)session->security_parameters.prf->id,
+ session->internals.handshake_hash_buffer.
+ data,
+ session->internals.handshake_hash_buffer_client_kx_len,
+ concat);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ return _gnutls_set_datum(shash, concat, session->security_parameters.prf->output_size);
+}