/*

 * Copyright (C) 2009-2012 Free Software Foundation, Inc.

 *

 * Author: Steve Dispensa (<dispensa@phonefactor.com>)

 *

 * This file is part of GnuTLS.

 *

 * The GnuTLS is free software; you can redistribute it and/or

 * modify it under the terms of the GNU Lesser General Public License

 * as published by the Free Software Foundation; either version 2.1 of

 * the License, or (at your option) any later version.

 *

 * This library is distributed in the hope that it will be useful, but

 * WITHOUT ANY WARRANTY; without even the implied warranty of

 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

 * Lesser General Public License for more details.

 *

 * You should have received a copy of the GNU Lesser General Public License

 * along with this program.  If not, see <https://www.gnu.org/licenses/>

 *

 */

#include "gnutls_int.h"

#include <ext/safe_renegotiation.h>

#include "errors.h"

static int _gnutls_sr_recv_params(gnutls_session_t state,

				  const uint8_t * data, size_t data_size);

static int _gnutls_sr_send_params(gnutls_session_t state,

				  gnutls_buffer_st *);

static void _gnutls_sr_deinit_data(gnutls_ext_priv_data_t priv);

const hello_ext_entry_st ext_mod_sr = {

	.name = "Safe Renegotiation",

	.tls_id = 65281,

	.gid = GNUTLS_EXTENSION_SAFE_RENEGOTIATION,

	.validity = GNUTLS_EXT_FLAG_TLS | GNUTLS_EXT_FLAG_DTLS | GNUTLS_EXT_FLAG_CLIENT_HELLO |

		    GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO,

	.client_parse_point = GNUTLS_EXT_MANDATORY,

	.server_parse_point = GNUTLS_EXT_MANDATORY,

	.recv_func = _gnutls_sr_recv_params,

	.send_func = _gnutls_sr_send_params,

	.pack_func = NULL,

	.unpack_func = NULL,

	.deinit_func = _gnutls_sr_deinit_data,

	.cannot_be_overriden = 1

};

int

_gnutls_ext_sr_finished(gnutls_session_t session, void *vdata,

			size_t vdata_size, int dir)

{

	int ret;

	sr_ext_st *priv;

	gnutls_ext_priv_data_t epriv;

	if (session->internals.priorities->sr == SR_DISABLED ||

	    session->internals.priorities->no_extensions) {

		return 0;

	}

	ret = _gnutls_hello_ext_get_priv(session,

					   GNUTLS_EXTENSION_SAFE_RENEGOTIATION,

					   &epriv);

	if (ret < 0) {

		gnutls_assert();

		/* if a client didn't advertise safe renegotiation, we treat

		 * it as disabled. */

		if (session->security_parameters.entity == GNUTLS_SERVER)

			return 0;

		return ret;

	}

	priv = epriv;

	/* Save data for safe renegotiation. 

	 */

	if (vdata_size > MAX_VERIFY_DATA_SIZE) {

		gnutls_assert();

		return GNUTLS_E_INTERNAL_ERROR;

	}

	if ((session->security_parameters.entity == GNUTLS_CLIENT

	     && dir == 0)

	    || (session->security_parameters.entity == GNUTLS_SERVER

		&& dir == 1)) {

		priv->client_verify_data_len = vdata_size;

		memcpy(priv->client_verify_data, vdata, vdata_size);

	} else {

		priv->server_verify_data_len = vdata_size;

		memcpy(priv->server_verify_data, vdata, vdata_size);

	}

	return 0;

}

int _gnutls_ext_sr_verify(gnutls_session_t session)

{

	int ret;

	sr_ext_st *priv = NULL;

	gnutls_ext_priv_data_t epriv;

	if (session->internals.priorities->sr == SR_DISABLED) {

		gnutls_assert();

		return 0;

	}

	ret = _gnutls_hello_ext_get_priv(session,

					   GNUTLS_EXTENSION_SAFE_RENEGOTIATION,

					   &epriv);

	if (ret >= 0)

		priv = epriv;

	/* Safe renegotiation */

	if (priv && priv->safe_renegotiation_received) {

		if ((priv->ri_extension_data_len <

		     priv->client_verify_data_len)

		    ||

		    (memcmp

		     (priv->ri_extension_data, priv->client_verify_data,

		      priv->client_verify_data_len))) {

			gnutls_assert();

			_gnutls_handshake_log

			    ("HSK[%p]: Safe renegotiation failed [1]\n",

			     session);

			return GNUTLS_E_SAFE_RENEGOTIATION_FAILED;

		}

		if (session->security_parameters.entity == GNUTLS_CLIENT) {

			if ((priv->ri_extension_data_len !=

			     priv->client_verify_data_len +

			     priv->server_verify_data_len)

			    || memcmp(priv->ri_extension_data +

				      priv->client_verify_data_len,

				      priv->server_verify_data,

				      priv->server_verify_data_len) != 0) {

				gnutls_assert();

				_gnutls_handshake_log

				    ("HSK[%p]: Safe renegotiation failed [2]\n",

				     session);

				return GNUTLS_E_SAFE_RENEGOTIATION_FAILED;

			}

		} else {	/* Make sure there are 0 extra bytes */

			if (priv->ri_extension_data_len !=

			    priv->client_verify_data_len) {

				gnutls_assert();

				_gnutls_handshake_log

				    ("HSK[%p]: Safe renegotiation failed [3]\n",

				     session);

				return GNUTLS_E_SAFE_RENEGOTIATION_FAILED;

			}

		}

		_gnutls_handshake_log

		    ("HSK[%p]: Safe renegotiation succeeded\n", session);

	} else {		/* safe renegotiation not received... */

		if (priv && priv->connection_using_safe_renegotiation) {

			gnutls_assert();

			_gnutls_handshake_log

			    ("HSK[%p]: Peer previously asked for safe renegotiation\n",

			     session);

			return GNUTLS_E_SAFE_RENEGOTIATION_FAILED;

		}

		/* Clients can't tell if it's an initial negotiation */

		if (session->internals.initial_negotiation_completed) {

			if (session->internals.priorities->sr < SR_PARTIAL) {

				_gnutls_handshake_log

				    ("HSK[%p]: Allowing unsafe (re)negotiation\n",

				     session);

			} else {

				gnutls_assert();

				_gnutls_handshake_log

				    ("HSK[%p]: Denying unsafe (re)negotiation\n",

				     session);

				return

				    GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED;

			}

		} else {

			if (session->internals.priorities->sr < SR_SAFE) {

				_gnutls_handshake_log

				    ("HSK[%p]: Allowing unsafe initial negotiation\n",

				     session);

			} else {

				gnutls_assert();

				_gnutls_handshake_log

				    ("HSK[%p]: Denying unsafe initial negotiation\n",

				     session);

				return GNUTLS_E_SAFE_RENEGOTIATION_FAILED;

			}

		}

	}

	return 0;

}

/* if a server received the special ciphersuite.

 */

int _gnutls_ext_sr_recv_cs(gnutls_session_t session)

{

	int ret, set = 0;

	sr_ext_st *priv;

	gnutls_ext_priv_data_t epriv;

	ret = _gnutls_hello_ext_get_priv(session,

					   GNUTLS_EXTENSION_SAFE_RENEGOTIATION,

					   &epriv);

	if (ret < 0) {

		set = 1;

	}

	if (set != 0) {

		priv = gnutls_calloc(1, sizeof(*priv));

		if (priv == NULL) {

			gnutls_assert();

			return GNUTLS_E_MEMORY_ERROR;

		}

		epriv = priv;

	} else

		priv = epriv;

	priv->safe_renegotiation_received = 1;

	priv->connection_using_safe_renegotiation = 1;

	_gnutls_hello_ext_save_sr(session);

	if (set != 0)

		_gnutls_hello_ext_set_priv(session,

					     GNUTLS_EXTENSION_SAFE_RENEGOTIATION,

					     epriv);

	return 0;

}

int _gnutls_ext_sr_send_cs(gnutls_session_t session)

{

	int ret, set = 0;

	sr_ext_st *priv;

	gnutls_ext_priv_data_t epriv;

	ret = _gnutls_hello_ext_get_priv(session,

					   GNUTLS_EXTENSION_SAFE_RENEGOTIATION,

					   &epriv);

	if (ret < 0) {

		set = 1;

	}

	if (set != 0) {

		priv = gnutls_calloc(1, sizeof(*priv));

		if (priv == NULL) {

			gnutls_assert();

			return GNUTLS_E_MEMORY_ERROR;

		}

		epriv = priv;

	}

	if (set != 0)

		_gnutls_hello_ext_set_priv(session,

					     GNUTLS_EXTENSION_SAFE_RENEGOTIATION,

					     epriv);

	return 0;

}

static int

_gnutls_sr_recv_params(gnutls_session_t session,

		       const uint8_t * data, size_t data_size)

{

	unsigned int len;

	sr_ext_st *priv;

	gnutls_ext_priv_data_t epriv;

	int set = 0, ret;

	if (data_size == 0)

		return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);

	len = data[0];

	DECR_LEN(data_size,

		 len + 1 /* count the first byte and payload */ );

	if (session->internals.priorities->sr == SR_DISABLED) {

		gnutls_assert();

		return 0;

	}

	ret = _gnutls_hello_ext_get_priv(session,

					   GNUTLS_EXTENSION_SAFE_RENEGOTIATION,

					   &epriv);

	if (ret < 0

	    && session->security_parameters.entity == GNUTLS_SERVER) {

		set = 1;

	} else if (ret < 0) {

		gnutls_assert();

		return ret;

	}

	if (set != 0) {

		priv = gnutls_calloc(1, sizeof(*priv));

		if (priv == NULL) {

			gnutls_assert();

			return GNUTLS_E_MEMORY_ERROR;

		}

		epriv = priv;

		_gnutls_hello_ext_set_priv(session,

					     GNUTLS_EXTENSION_SAFE_RENEGOTIATION,

					     epriv);

	} else {

		priv = epriv;

	}

	/* It is not legal to receive this extension on a renegotiation and

	 * not receive it on the initial negotiation.

	 */

	if (session->internals.initial_negotiation_completed != 0 &&

	    priv->connection_using_safe_renegotiation == 0) {

		gnutls_assert();

		return GNUTLS_E_SAFE_RENEGOTIATION_FAILED;

	}

	if (len > sizeof(priv->ri_extension_data)) {

		gnutls_assert();

		return GNUTLS_E_SAFE_RENEGOTIATION_FAILED;

	}

	if (len > 0)

		memcpy(priv->ri_extension_data, &data[1], len);

	priv->ri_extension_data_len = len;

	/* "safe renegotiation received" means on *this* handshake; "connection using

	 * safe renegotiation" means that the initial hello received on the connection

	 * indicated safe renegotiation.

	 */

	priv->safe_renegotiation_received = 1;

	priv->connection_using_safe_renegotiation = 1;

	return 0;

}

static int

_gnutls_sr_send_params(gnutls_session_t session,

		       gnutls_buffer_st * extdata)

{

	/* The format of this extension is a one-byte length of verify data followed

	 * by the verify data itself. Note that the length byte does not include

	 * itself; IOW, empty verify data is represented as a length of 0. That means

	 * the minimum extension is one byte: 0x00.

	 */

	sr_ext_st *priv;

	int ret, set = 0, len;

	gnutls_ext_priv_data_t epriv;

	size_t init_length = extdata->length;

	if (session->internals.priorities->sr == SR_DISABLED) {

		gnutls_assert();

		return 0;

	}

	ret = _gnutls_hello_ext_get_priv(session,

					   GNUTLS_EXTENSION_SAFE_RENEGOTIATION,

					   &epriv);

	if (ret < 0) {

		set = 1;

	}

	if (set != 0) {

		priv = gnutls_calloc(1, sizeof(*priv));

		if (priv == NULL) {

			gnutls_assert();

			return GNUTLS_E_MEMORY_ERROR;

		}

		epriv = priv;

		_gnutls_hello_ext_set_priv(session,

					     GNUTLS_EXTENSION_SAFE_RENEGOTIATION,

					     epriv);

	} else

		priv = epriv;

	/* Always offer the extension if we're a client */

	if (priv->connection_using_safe_renegotiation ||

	    session->security_parameters.entity == GNUTLS_CLIENT) {

		len = priv->client_verify_data_len;

		if (session->security_parameters.entity == GNUTLS_SERVER)

			len += priv->server_verify_data_len;

		ret = _gnutls_buffer_append_prefix(extdata, 8, len);

		if (ret < 0)

			return gnutls_assert_val(ret);

		ret =

		    _gnutls_buffer_append_data(extdata,

					       priv->client_verify_data,

					       priv->

					       client_verify_data_len);

		if (ret < 0)

			return gnutls_assert_val(ret);

		if (session->security_parameters.entity == GNUTLS_SERVER) {

			ret =

			    _gnutls_buffer_append_data(extdata,

						       priv->

						       server_verify_data,

						       priv->

						       server_verify_data_len);

			if (ret < 0)

				return gnutls_assert_val(ret);

		}

	} else

		return 0;

	return extdata->length - init_length;

}

static void _gnutls_sr_deinit_data(gnutls_ext_priv_data_t priv)

{

	gnutls_free(priv);

}

/**

 * gnutls_safe_renegotiation_status:

 * @session: is a #gnutls_session_t type.

 *

 * Can be used to check whether safe renegotiation is being used

 * in the current session.

 *

 * Returns: 0 when safe renegotiation is not used and non (0) when

 *   safe renegotiation is used.

 *

 * Since: 2.10.0

 **/

unsigned gnutls_safe_renegotiation_status(gnutls_session_t session)

{

	int ret;

	sr_ext_st *priv;

	gnutls_ext_priv_data_t epriv;

	ret = _gnutls_hello_ext_get_priv(session,

					   GNUTLS_EXTENSION_SAFE_RENEGOTIATION,

					   &epriv);

	if (ret < 0) {

		gnutls_assert();

		return 0;

	}

	priv = epriv;

	return priv->connection_using_safe_renegotiation;

}