|
Packit Service |
4684c1 |
/*
|
|
Packit Service |
4684c1 |
* Copyright (C) 2002-2016 Free Software Foundation, Inc.
|
|
Packit Service |
4684c1 |
* Copyright (C) 2014-2016 Nikos Mavrogiannopoulos
|
|
Packit Service |
4684c1 |
* Copyright (C) 2015-2018 Red Hat, Inc.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Author: Nikos Mavrogiannopoulos
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* This file is part of GnuTLS.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* The GnuTLS is free software; you can redistribute it and/or
|
|
Packit Service |
4684c1 |
* modify it under the terms of the GNU Lesser General Public License
|
|
Packit Service |
4684c1 |
* as published by the Free Software Foundation; either version 2.1 of
|
|
Packit Service |
4684c1 |
* the License, or (at your option) any later version.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* This library is distributed in the hope that it will be useful, but
|
|
Packit Service |
4684c1 |
* WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
Packit Service |
4684c1 |
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
Packit Service |
4684c1 |
* Lesser General Public License for more details.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* You should have received a copy of the GNU Lesser General Public License
|
|
Packit Service |
4684c1 |
* along with this program. If not, see <https://www.gnu.org/licenses/>
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
*/
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* Functions to manipulate the session (gnutls_int.h), and some other stuff
|
|
Packit Service |
4684c1 |
* are included here. The file's name is traditionally gnutls_state even if the
|
|
Packit Service |
4684c1 |
* state has been renamed to session.
|
|
Packit Service |
4684c1 |
*/
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
#include "gnutls_int.h"
|
|
Packit Service |
4684c1 |
#include "errors.h"
|
|
Packit Service |
4684c1 |
#include <auth.h>
|
|
Packit Service |
4684c1 |
#include <num.h>
|
|
Packit Service |
4684c1 |
#include <datum.h>
|
|
Packit Service |
4684c1 |
#include <db.h>
|
|
Packit Service |
4684c1 |
#include <record.h>
|
|
Packit Service |
4684c1 |
#include <handshake.h>
|
|
Packit Service |
4684c1 |
#include <dh.h>
|
|
Packit Service |
4684c1 |
#include <buffers.h>
|
|
Packit Service |
4684c1 |
#include <mbuffers.h>
|
|
Packit Service |
4684c1 |
#include <state.h>
|
|
Packit Service |
4684c1 |
#include <constate.h>
|
|
Packit Service |
4684c1 |
#include <auth/cert.h>
|
|
Packit Service |
4684c1 |
#include <auth/anon.h>
|
|
Packit Service |
4684c1 |
#include <auth/psk.h>
|
|
Packit Service |
4684c1 |
#include <algorithms.h>
|
|
Packit Service |
4684c1 |
#include <hello_ext.h>
|
|
Packit Service |
4684c1 |
#include <system.h>
|
|
Packit Service |
4684c1 |
#include <random.h>
|
|
Packit Service |
4684c1 |
#include <fips.h>
|
|
Packit Service |
4684c1 |
#include <intprops.h>
|
|
Packit Service |
4684c1 |
#include <gnutls/dtls.h>
|
|
Packit Service |
4684c1 |
#include "dtls.h"
|
|
Packit Service |
4684c1 |
#include "tls13/session_ticket.h"
|
|
Packit Service |
4684c1 |
#include "ext/cert_types.h"
|
|
Packit Service |
4684c1 |
#include "locks.h"
|
|
Packit Service |
4684c1 |
#include "kx.h"
|
|
Packit Service |
4684c1 |
#ifdef HAVE_VALGRIND_MEMCHECK_H
|
|
Packit Service |
4684c1 |
#include <valgrind/memcheck.h>
|
|
Packit Service |
4684c1 |
#endif
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* to be used by supplemental data support to disable TLS1.3
|
|
Packit Service |
4684c1 |
* when supplemental data have been globally registered */
|
|
Packit Service |
4684c1 |
unsigned _gnutls_disable_tls13 = 0;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* These should really be static, but src/tests.c calls them. Make
|
|
Packit Service |
4684c1 |
them public functions? */
|
|
Packit Service |
4684c1 |
void
|
|
Packit Service |
4684c1 |
_gnutls_rsa_pms_set_version(gnutls_session_t session,
|
|
Packit Service |
4684c1 |
unsigned char major, unsigned char minor);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_cipher_get:
|
|
Packit Service |
4684c1 |
* @session: is a #gnutls_session_t type.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Get the currently used cipher.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Returns: the currently used cipher, a #gnutls_cipher_algorithm_t
|
|
Packit Service |
4684c1 |
* type.
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
gnutls_cipher_algorithm_t gnutls_cipher_get(gnutls_session_t session)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
record_parameters_st *record_params;
|
|
Packit Service |
4684c1 |
int ret;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
ret =
|
|
Packit Service |
4684c1 |
_gnutls_epoch_get(session, EPOCH_READ_CURRENT, &record_params);
|
|
Packit Service |
4684c1 |
if (ret < 0)
|
|
Packit Service |
4684c1 |
return gnutls_assert_val(GNUTLS_CIPHER_NULL);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
return record_params->cipher->id;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_certificate_type_get:
|
|
Packit Service |
4684c1 |
* @session: is a #gnutls_session_t type.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* This function returns the type of the certificate that is negotiated
|
|
Packit Service |
4684c1 |
* for this side to send to the peer. The certificate type is by default
|
|
Packit Service |
4684c1 |
* X.509, unless an alternative certificate type is enabled by
|
|
Packit Service |
4684c1 |
* gnutls_init() and negotiated during the session.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Resumed sessions will return the certificate type that was negotiated
|
|
Packit Service |
4684c1 |
* and used in the original session.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* As of version 3.6.4 it is recommended to use
|
|
Packit Service |
4684c1 |
* gnutls_certificate_type_get2() which is more fine-grained.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Returns: the currently used #gnutls_certificate_type_t certificate
|
|
Packit Service |
4684c1 |
* type as negotiated for 'our' side of the connection.
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
gnutls_certificate_type_t
|
|
Packit Service |
4684c1 |
gnutls_certificate_type_get(gnutls_session_t session)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
return gnutls_certificate_type_get2(session, GNUTLS_CTYPE_OURS);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_certificate_type_get2:
|
|
Packit Service |
4684c1 |
* @session: is a #gnutls_session_t type.
|
|
Packit Service |
4684c1 |
* @target: is a #gnutls_ctype_target_t type.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* This function returns the type of the certificate that a side
|
|
Packit Service |
4684c1 |
* is negotiated to use. The certificate type is by default X.509,
|
|
Packit Service |
4684c1 |
* unless an alternative certificate type is enabled by gnutls_init() and
|
|
Packit Service |
4684c1 |
* negotiated during the session.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* The @target parameter specifies whether to request the negotiated
|
|
Packit Service |
4684c1 |
* certificate type for the client (%GNUTLS_CTYPE_CLIENT),
|
|
Packit Service |
4684c1 |
* or for the server (%GNUTLS_CTYPE_SERVER). Additionally, in P2P mode
|
|
Packit Service |
4684c1 |
* connection set up where you don't know in advance who will be client
|
|
Packit Service |
4684c1 |
* and who will be server you can use the flag (%GNUTLS_CTYPE_OURS) and
|
|
Packit Service |
4684c1 |
* (%GNUTLS_CTYPE_PEERS) to retrieve the corresponding certificate types.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Resumed sessions will return the certificate type that was negotiated
|
|
Packit Service |
4684c1 |
* and used in the original session. That is, this function can be used
|
|
Packit Service |
4684c1 |
* to reliably determine the type of the certificate returned by
|
|
Packit Service |
4684c1 |
* gnutls_certificate_get_peers().
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Returns: the currently used #gnutls_certificate_type_t certificate
|
|
Packit Service |
4684c1 |
* type for the client or the server.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Since: 3.6.4
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
gnutls_certificate_type_t
|
|
Packit Service |
4684c1 |
gnutls_certificate_type_get2(gnutls_session_t session,
|
|
Packit Service |
4684c1 |
gnutls_ctype_target_t target)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
/* We want to inline this function so therefore
|
|
Packit Service |
4684c1 |
* we've defined it in gnutls_int.h */
|
|
Packit Service |
4684c1 |
return get_certificate_type(session, target);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_kx_get:
|
|
Packit Service |
4684c1 |
* @session: is a #gnutls_session_t type.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Get the currently used key exchange algorithm.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* This function will return %GNUTLS_KX_ECDHE_RSA, or %GNUTLS_KX_DHE_RSA
|
|
Packit Service |
4684c1 |
* under TLS 1.3, to indicate an elliptic curve DH key exchange or
|
|
Packit Service |
4684c1 |
* a finite field one. The precise group used is available
|
|
Packit Service |
4684c1 |
* by calling gnutls_group_get() instead.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Returns: the key exchange algorithm used in the last handshake, a
|
|
Packit Service |
4684c1 |
* #gnutls_kx_algorithm_t value.
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
gnutls_kx_algorithm_t gnutls_kx_get(gnutls_session_t session)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
if (session->security_parameters.cs == 0)
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (session->security_parameters.cs->kx_algorithm == 0) { /* TLS 1.3 */
|
|
Packit Service |
4684c1 |
const version_entry_st *ver = get_version(session);
|
|
Packit Service |
4684c1 |
const gnutls_group_entry_st *group = get_group(session);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (ver->tls13_sem) {
|
|
Packit Service |
4684c1 |
if (session->internals.hsk_flags & HSK_PSK_SELECTED) {
|
|
Packit Service |
4684c1 |
if (group) {
|
|
Packit Service |
4684c1 |
if (group->pk == GNUTLS_PK_DH)
|
|
Packit Service |
4684c1 |
return GNUTLS_KX_DHE_PSK;
|
|
Packit Service |
4684c1 |
else
|
|
Packit Service |
4684c1 |
return GNUTLS_KX_ECDHE_PSK;
|
|
Packit Service |
4684c1 |
} else {
|
|
Packit Service |
4684c1 |
return GNUTLS_KX_PSK;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
} else if (group) {
|
|
Packit Service |
4684c1 |
if (group->pk == GNUTLS_PK_DH)
|
|
Packit Service |
4684c1 |
return GNUTLS_KX_DHE_RSA;
|
|
Packit Service |
4684c1 |
else
|
|
Packit Service |
4684c1 |
return GNUTLS_KX_ECDHE_RSA;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
return session->security_parameters.cs->kx_algorithm;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_mac_get:
|
|
Packit Service |
4684c1 |
* @session: is a #gnutls_session_t type.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Get the currently used MAC algorithm.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Returns: the currently used mac algorithm, a
|
|
Packit Service |
4684c1 |
* #gnutls_mac_algorithm_t value.
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
gnutls_mac_algorithm_t gnutls_mac_get(gnutls_session_t session)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
record_parameters_st *record_params;
|
|
Packit Service |
4684c1 |
int ret;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
ret =
|
|
Packit Service |
4684c1 |
_gnutls_epoch_get(session, EPOCH_READ_CURRENT, &record_params);
|
|
Packit Service |
4684c1 |
if (ret < 0)
|
|
Packit Service |
4684c1 |
return gnutls_assert_val(GNUTLS_MAC_NULL);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
return record_params->mac->id;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_compression_get:
|
|
Packit Service |
4684c1 |
* @session: is a #gnutls_session_t type.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Get the currently used compression algorithm.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Returns: the currently used compression method, a
|
|
Packit Service |
4684c1 |
* #gnutls_compression_method_t value.
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
gnutls_compression_method_t
|
|
Packit Service |
4684c1 |
gnutls_compression_get(gnutls_session_t session)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
return GNUTLS_COMP_NULL;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_prf_hash_get:
|
|
Packit Service |
4684c1 |
* @session: is a #gnutls_session_t type.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Get the currently used hash algorithm. In TLS 1.3, the hash
|
|
Packit Service |
4684c1 |
* algorithm is used for both the key derivation function and
|
|
Packit Service |
4684c1 |
* handshake message authentication code. In TLS 1.2, it matches the
|
|
Packit Service |
4684c1 |
* hash algorithm used for PRF.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Returns: the currently used hash algorithm, a
|
|
Packit Service |
4684c1 |
* #gnutls_digest_algorithm_t value.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Since: 3.6.13
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
gnutls_digest_algorithm_t
|
|
Packit Service |
4684c1 |
gnutls_prf_hash_get(const gnutls_session_t session)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
if (session->security_parameters.prf == NULL)
|
|
Packit Service |
4684c1 |
return gnutls_assert_val(GNUTLS_DIG_UNKNOWN);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (session->security_parameters.prf->id >= GNUTLS_MAC_AEAD)
|
|
Packit Service |
4684c1 |
return gnutls_assert_val(GNUTLS_DIG_UNKNOWN);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
return (gnutls_digest_algorithm_t)session->security_parameters.prf->id;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
void reset_binders(gnutls_session_t session)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
_gnutls_free_temp_key_datum(&session->key.binders[0].psk);
|
|
Packit Service |
4684c1 |
_gnutls_free_temp_key_datum(&session->key.binders[1].psk);
|
|
Packit Service |
4684c1 |
memset(session->key.binders, 0, sizeof(session->key.binders));
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* Check whether certificate credentials of type @cert_type are set
|
|
Packit Service |
4684c1 |
* for the current session.
|
|
Packit Service |
4684c1 |
*/
|
|
Packit Service |
4684c1 |
static bool _gnutls_has_cert_credentials(gnutls_session_t session,
|
|
Packit Service |
4684c1 |
gnutls_certificate_type_t cert_type)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
unsigned i;
|
|
Packit Service |
4684c1 |
unsigned cert_found = 0;
|
|
Packit Service |
4684c1 |
gnutls_certificate_credentials_t cred;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* First, check for certificate credentials. If we have no certificate
|
|
Packit Service |
4684c1 |
* credentials set then we don't support certificates at all.
|
|
Packit Service |
4684c1 |
*/
|
|
Packit Service |
4684c1 |
cred = (gnutls_certificate_credentials_t)
|
|
Packit Service |
4684c1 |
_gnutls_get_cred(session, GNUTLS_CRD_CERTIFICATE);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (cred == NULL)
|
|
Packit Service |
4684c1 |
return false;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* There are credentials initialized. Now check whether we can find
|
|
Packit Service |
4684c1 |
* pre-set certificates of the required type, but only if we don't
|
|
Packit Service |
4684c1 |
* use the callback functions.
|
|
Packit Service |
4684c1 |
*/
|
|
Packit Service |
4684c1 |
if (cred->get_cert_callback3 == NULL) {
|
|
Packit Service |
4684c1 |
for (i = 0; i < cred->ncerts; i++) {
|
|
Packit Service |
4684c1 |
if (cred->certs[i].cert_list[0].type == cert_type) {
|
|
Packit Service |
4684c1 |
cert_found = 1;
|
|
Packit Service |
4684c1 |
break;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (cert_found == 0) {
|
|
Packit Service |
4684c1 |
/* No matching certificate found. */
|
|
Packit Service |
4684c1 |
return false;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
return true; // OK
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* Check if the given certificate type is supported.
|
|
Packit Service |
4684c1 |
* This means that it is enabled by the priority functions,
|
|
Packit Service |
4684c1 |
* and in some cases a matching certificate exists. A check for
|
|
Packit Service |
4684c1 |
* the latter can be toggled via the parameter @check_credentials.
|
|
Packit Service |
4684c1 |
*/
|
|
Packit Service |
4684c1 |
int
|
|
Packit Service |
4684c1 |
_gnutls_session_cert_type_supported(gnutls_session_t session,
|
|
Packit Service |
4684c1 |
gnutls_certificate_type_t cert_type,
|
|
Packit Service |
4684c1 |
bool check_credentials,
|
|
Packit Service |
4684c1 |
gnutls_ctype_target_t target)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
unsigned i;
|
|
Packit Service |
4684c1 |
priority_st* ctype_priorities;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
// Check whether this cert type is enabled by the application
|
|
Packit Service |
4684c1 |
if (!is_cert_type_enabled(session, cert_type))
|
|
Packit Service |
4684c1 |
return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
// Perform a credentials check if requested
|
|
Packit Service |
4684c1 |
if (check_credentials) {
|
|
Packit Service |
4684c1 |
if (!_gnutls_has_cert_credentials(session, cert_type))
|
|
Packit Service |
4684c1 |
return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* So far so good. We have the required credentials (if needed).
|
|
Packit Service |
4684c1 |
* Now check whether we are allowed to use them according to our
|
|
Packit Service |
4684c1 |
* priorities.
|
|
Packit Service |
4684c1 |
*/
|
|
Packit Service |
4684c1 |
// Which certificate type should we query?
|
|
Packit Service |
4684c1 |
switch (target) {
|
|
Packit Service |
4684c1 |
case GNUTLS_CTYPE_CLIENT:
|
|
Packit Service |
4684c1 |
ctype_priorities =
|
|
Packit Service |
4684c1 |
&(session->internals.priorities->client_ctype);
|
|
Packit Service |
4684c1 |
break;
|
|
Packit Service |
4684c1 |
case GNUTLS_CTYPE_SERVER:
|
|
Packit Service |
4684c1 |
ctype_priorities =
|
|
Packit Service |
4684c1 |
&(session->internals.priorities->server_ctype);
|
|
Packit Service |
4684c1 |
break;
|
|
Packit Service |
4684c1 |
default:
|
|
Packit Service |
4684c1 |
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
// No explicit priorities set, and default ctype is asked
|
|
Packit Service |
4684c1 |
if (ctype_priorities->num_priorities == 0
|
|
Packit Service |
4684c1 |
&& cert_type == DEFAULT_CERT_TYPE)
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* Now lets find out whether our cert type is in our priority
|
|
Packit Service |
4684c1 |
* list, i.e. set of allowed cert types.
|
|
Packit Service |
4684c1 |
*/
|
|
Packit Service |
4684c1 |
for (i = 0; i < ctype_priorities->num_priorities; i++) {
|
|
Packit Service |
4684c1 |
if (ctype_priorities->priorities[i] == cert_type)
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static void deinit_keys(gnutls_session_t session)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
const version_entry_st *vers = get_version(session);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (vers == NULL)
|
|
Packit Service |
4684c1 |
return;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
gnutls_pk_params_release(&session->key.kshare.ecdhx_params);
|
|
Packit Service |
4684c1 |
gnutls_pk_params_release(&session->key.kshare.ecdh_params);
|
|
Packit Service |
4684c1 |
gnutls_pk_params_release(&session->key.kshare.dh_params);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (!vers->tls13_sem && session->key.binders[0].prf == NULL) {
|
|
Packit Service |
4684c1 |
gnutls_pk_params_release(&session->key.proto.tls12.ecdh.params);
|
|
Packit Service |
4684c1 |
gnutls_pk_params_release(&session->key.proto.tls12.dh.params);
|
|
Packit Service |
4684c1 |
zrelease_temp_mpi_key(&session->key.proto.tls12.ecdh.x);
|
|
Packit Service |
4684c1 |
zrelease_temp_mpi_key(&session->key.proto.tls12.ecdh.y);
|
|
Packit Service |
4684c1 |
_gnutls_free_temp_key_datum(&session->key.proto.tls12.ecdh.raw);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
zrelease_temp_mpi_key(&session->key.proto.tls12.dh.client_Y);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* SRP */
|
|
Packit Service |
4684c1 |
zrelease_temp_mpi_key(&session->key.proto.tls12.srp.srp_p);
|
|
Packit Service |
4684c1 |
zrelease_temp_mpi_key(&session->key.proto.tls12.srp.srp_g);
|
|
Packit Service |
4684c1 |
zrelease_temp_mpi_key(&session->key.proto.tls12.srp.srp_key);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
zrelease_temp_mpi_key(&session->key.proto.tls12.srp.u);
|
|
Packit Service |
4684c1 |
zrelease_temp_mpi_key(&session->key.proto.tls12.srp.a);
|
|
Packit Service |
4684c1 |
zrelease_temp_mpi_key(&session->key.proto.tls12.srp.x);
|
|
Packit Service |
4684c1 |
zrelease_temp_mpi_key(&session->key.proto.tls12.srp.A);
|
|
Packit Service |
4684c1 |
zrelease_temp_mpi_key(&session->key.proto.tls12.srp.B);
|
|
Packit Service |
4684c1 |
zrelease_temp_mpi_key(&session->key.proto.tls12.srp.b);
|
|
Packit Service |
4684c1 |
} else {
|
|
Packit Service |
4684c1 |
gnutls_memset(session->key.proto.tls13.temp_secret, 0,
|
|
Packit Service |
4684c1 |
sizeof(session->key.proto.tls13.temp_secret));
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
reset_binders(session);
|
|
Packit Service |
4684c1 |
_gnutls_free_temp_key_datum(&session->key.key);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* An internal version of _gnutls_handshake_internal_state_clear(),
|
|
Packit Service |
4684c1 |
* it will not attempt to deallocate, only initialize */
|
|
Packit Service |
4684c1 |
static void handshake_internal_state_clear1(gnutls_session_t session)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
/* by default no selected certificate */
|
|
Packit Service |
4684c1 |
session->internals.adv_version_major = 0;
|
|
Packit Service |
4684c1 |
session->internals.adv_version_minor = 0;
|
|
Packit Service |
4684c1 |
session->internals.direction = 0;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* use out of band data for the last
|
|
Packit Service |
4684c1 |
* handshake messages received.
|
|
Packit Service |
4684c1 |
*/
|
|
Packit Service |
4684c1 |
session->internals.last_handshake_in = -1;
|
|
Packit Service |
4684c1 |
session->internals.last_handshake_out = -1;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
session->internals.resumable = RESUME_TRUE;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
session->internals.handshake_suspicious_loops = 0;
|
|
Packit Service |
4684c1 |
session->internals.dtls.hsk_read_seq = 0;
|
|
Packit Service |
4684c1 |
session->internals.dtls.hsk_write_seq = 0;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
session->internals.cand_ec_group = 0;
|
|
Packit Service |
4684c1 |
session->internals.cand_dh_group = 0;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
session->internals.hrr_cs[0] = CS_INVALID_MAJOR;
|
|
Packit Service |
4684c1 |
session->internals.hrr_cs[1] = CS_INVALID_MINOR;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* This function will clear all the variables in internals
|
|
Packit Service |
4684c1 |
* structure within the session, which depend on the current handshake.
|
|
Packit Service |
4684c1 |
* This is used to allow further handshakes.
|
|
Packit Service |
4684c1 |
*/
|
|
Packit Service |
4684c1 |
void _gnutls_handshake_internal_state_clear(gnutls_session_t session)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
handshake_internal_state_clear1(session);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
_gnutls_handshake_hash_buffers_clear(session);
|
|
Packit Service |
4684c1 |
deinit_keys(session);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
_gnutls_epoch_gc(session);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
session->internals.handshake_abs_timeout.tv_sec = 0;
|
|
Packit Service |
4684c1 |
session->internals.handshake_abs_timeout.tv_nsec = 0;
|
|
Packit Service |
4684c1 |
session->internals.handshake_in_progress = 0;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
session->internals.tfo.connect_addrlen = 0;
|
|
Packit Service |
4684c1 |
session->internals.tfo.connect_only = 0;
|
|
Packit Service |
4684c1 |
session->internals.early_data_received = 0;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_init:
|
|
Packit Service |
4684c1 |
* @session: is a pointer to a #gnutls_session_t type.
|
|
Packit Service |
4684c1 |
* @flags: indicate if this session is to be used for server or client.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* This function initializes the provided session. Every
|
|
Packit Service |
4684c1 |
* session must be initialized before use, and must be deinitialized
|
|
Packit Service |
4684c1 |
* after used by calling gnutls_deinit().
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* @flags can be any combination of flags from %gnutls_init_flags_t.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Note that since version 3.1.2 this function enables some common
|
|
Packit Service |
4684c1 |
* TLS extensions such as session tickets and OCSP certificate status
|
|
Packit Service |
4684c1 |
* request in client side by default. To prevent that use the %GNUTLS_NO_EXTENSIONS
|
|
Packit Service |
4684c1 |
* flag.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Returns: %GNUTLS_E_SUCCESS on success, or an error code.
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
int gnutls_init(gnutls_session_t * session, unsigned int flags)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
int ret;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
FAIL_IF_LIB_ERROR;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
*session = gnutls_calloc(1, sizeof(struct gnutls_session_int));
|
|
Packit Service |
4684c1 |
if (*session == NULL)
|
|
Packit Service |
4684c1 |
return GNUTLS_E_MEMORY_ERROR;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
ret = gnutls_mutex_init(&(*session)->internals.post_negotiation_lock);
|
|
Packit Service |
4684c1 |
if (ret < 0) {
|
|
Packit Service |
4684c1 |
gnutls_assert();
|
|
Packit Service |
4684c1 |
gnutls_free(*session);
|
|
Packit Service |
4684c1 |
return ret;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
ret = gnutls_mutex_init(&(*session)->internals.epoch_lock);
|
|
Packit Service |
4684c1 |
if (ret < 0) {
|
|
Packit Service |
4684c1 |
gnutls_assert();
|
|
Packit Service |
4684c1 |
gnutls_mutex_deinit(&(*session)->internals.post_negotiation_lock);
|
|
Packit Service |
4684c1 |
gnutls_free(*session);
|
|
Packit Service |
4684c1 |
return ret;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
ret = _gnutls_epoch_setup_next(*session, 1, NULL);
|
|
Packit Service |
4684c1 |
if (ret < 0) {
|
|
Packit Service |
4684c1 |
gnutls_mutex_deinit(&(*session)->internals.post_negotiation_lock);
|
|
Packit Service |
4684c1 |
gnutls_mutex_deinit(&(*session)->internals.epoch_lock);
|
|
Packit Service |
4684c1 |
gnutls_free(*session);
|
|
Packit Service |
4684c1 |
return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
_gnutls_epoch_bump(*session);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
(*session)->security_parameters.entity =
|
|
Packit Service |
4684c1 |
(flags & GNUTLS_SERVER ? GNUTLS_SERVER : GNUTLS_CLIENT);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* the default certificate type for TLS */
|
|
Packit Service |
4684c1 |
(*session)->security_parameters.client_ctype = DEFAULT_CERT_TYPE;
|
|
Packit Service |
4684c1 |
(*session)->security_parameters.server_ctype = DEFAULT_CERT_TYPE;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* Initialize buffers */
|
|
Packit Service |
4684c1 |
_gnutls_buffer_init(&(*session)->internals.handshake_hash_buffer);
|
|
Packit Service |
4684c1 |
_gnutls_buffer_init(&(*session)->internals.post_handshake_hash_buffer);
|
|
Packit Service |
4684c1 |
_gnutls_buffer_init(&(*session)->internals.hb_remote_data);
|
|
Packit Service |
4684c1 |
_gnutls_buffer_init(&(*session)->internals.hb_local_data);
|
|
Packit Service |
4684c1 |
_gnutls_buffer_init(&(*session)->internals.record_presend_buffer);
|
|
Packit Service |
4684c1 |
_gnutls_buffer_init(&(*session)->internals.record_key_update_buffer);
|
|
Packit Service |
4684c1 |
_gnutls_buffer_init(&(*session)->internals.reauth_buffer);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
_mbuffer_head_init(&(*session)->internals.record_buffer);
|
|
Packit Service |
4684c1 |
_mbuffer_head_init(&(*session)->internals.record_send_buffer);
|
|
Packit Service |
4684c1 |
_mbuffer_head_init(&(*session)->internals.record_recv_buffer);
|
|
Packit Service |
4684c1 |
_mbuffer_head_init(&(*session)->internals.early_data_recv_buffer);
|
|
Packit Service |
4684c1 |
_gnutls_buffer_init(&(*session)->internals.early_data_presend_buffer);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
_mbuffer_head_init(&(*session)->internals.handshake_send_buffer);
|
|
Packit Service |
4684c1 |
_gnutls_handshake_recv_buffer_init(*session);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
(*session)->internals.expire_time = DEFAULT_EXPIRE_TIME;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* Ticket key rotation - set the default X to 3 times the ticket expire time */
|
|
Packit Service |
4684c1 |
(*session)->key.totp.last_result = 0;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
gnutls_handshake_set_max_packet_length((*session),
|
|
Packit Service |
4684c1 |
MAX_HANDSHAKE_PACKET_SIZE);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* set the socket pointers to -1;
|
|
Packit Service |
4684c1 |
*/
|
|
Packit Service |
4684c1 |
(*session)->internals.transport_recv_ptr =
|
|
Packit Service |
4684c1 |
(gnutls_transport_ptr_t) - 1;
|
|
Packit Service |
4684c1 |
(*session)->internals.transport_send_ptr =
|
|
Packit Service |
4684c1 |
(gnutls_transport_ptr_t) - 1;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* set the default maximum record size for TLS
|
|
Packit Service |
4684c1 |
*/
|
|
Packit Service |
4684c1 |
(*session)->security_parameters.max_record_recv_size =
|
|
Packit Service |
4684c1 |
DEFAULT_MAX_RECORD_SIZE;
|
|
Packit Service |
4684c1 |
(*session)->security_parameters.max_record_send_size =
|
|
Packit Service |
4684c1 |
DEFAULT_MAX_RECORD_SIZE;
|
|
Packit Service |
4684c1 |
(*session)->security_parameters.max_user_record_recv_size =
|
|
Packit Service |
4684c1 |
DEFAULT_MAX_RECORD_SIZE;
|
|
Packit Service |
4684c1 |
(*session)->security_parameters.max_user_record_send_size =
|
|
Packit Service |
4684c1 |
DEFAULT_MAX_RECORD_SIZE;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* set the default early data size for TLS
|
|
Packit Service |
4684c1 |
*/
|
|
Packit Service |
4684c1 |
if ((*session)->security_parameters.entity == GNUTLS_SERVER) {
|
|
Packit Service |
4684c1 |
(*session)->security_parameters.max_early_data_size =
|
|
Packit Service |
4684c1 |
DEFAULT_MAX_EARLY_DATA_SIZE;
|
|
Packit Service |
4684c1 |
} else {
|
|
Packit Service |
4684c1 |
(*session)->security_parameters.max_early_data_size =
|
|
Packit Service |
4684c1 |
UINT32_MAX;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* Everything else not initialized here is initialized as NULL
|
|
Packit Service |
4684c1 |
* or 0. This is why calloc is used. However, we want to
|
|
Packit Service |
4684c1 |
* ensure that certain portions of data are initialized at
|
|
Packit Service |
4684c1 |
* runtime before being used. Mark such regions with a
|
|
Packit Service |
4684c1 |
* valgrind client request as undefined.
|
|
Packit Service |
4684c1 |
*/
|
|
Packit Service |
4684c1 |
#ifdef HAVE_VALGRIND_MEMCHECK_H
|
|
Packit Service |
4684c1 |
if (RUNNING_ON_VALGRIND) {
|
|
Packit Service |
4684c1 |
if (flags & GNUTLS_CLIENT)
|
|
Packit Service |
4684c1 |
VALGRIND_MAKE_MEM_UNDEFINED((*session)->security_parameters.client_random,
|
|
Packit Service |
4684c1 |
GNUTLS_RANDOM_SIZE);
|
|
Packit Service |
4684c1 |
if (flags & GNUTLS_SERVER) {
|
|
Packit Service |
4684c1 |
VALGRIND_MAKE_MEM_UNDEFINED((*session)->security_parameters.server_random,
|
|
Packit Service |
4684c1 |
GNUTLS_RANDOM_SIZE);
|
|
Packit Service |
4684c1 |
VALGRIND_MAKE_MEM_UNDEFINED((*session)->key.session_ticket_key,
|
|
Packit Service |
4684c1 |
TICKET_MASTER_KEY_SIZE);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
#endif
|
|
Packit Service |
4684c1 |
handshake_internal_state_clear1(*session);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
#ifdef HAVE_WRITEV
|
|
Packit Service |
4684c1 |
#ifdef MSG_NOSIGNAL
|
|
Packit Service |
4684c1 |
if (flags & GNUTLS_NO_SIGNAL)
|
|
Packit Service |
4684c1 |
gnutls_transport_set_vec_push_function(*session, system_writev_nosignal);
|
|
Packit Service |
4684c1 |
else
|
|
Packit Service |
4684c1 |
#endif
|
|
Packit Service |
4684c1 |
gnutls_transport_set_vec_push_function(*session, system_writev);
|
|
Packit Service |
4684c1 |
#else
|
|
Packit Service |
4684c1 |
gnutls_transport_set_push_function(*session, system_write);
|
|
Packit Service |
4684c1 |
#endif
|
|
Packit Service |
4684c1 |
(*session)->internals.pull_timeout_func = gnutls_system_recv_timeout;
|
|
Packit Service |
4684c1 |
(*session)->internals.pull_func = system_read;
|
|
Packit Service |
4684c1 |
(*session)->internals.errno_func = system_errno;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
(*session)->internals.saved_username_size = -1;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* heartbeat timeouts */
|
|
Packit Service |
4684c1 |
(*session)->internals.hb_retrans_timeout_ms = 1000;
|
|
Packit Service |
4684c1 |
(*session)->internals.hb_total_timeout_ms = 60000;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (flags & GNUTLS_DATAGRAM) {
|
|
Packit Service |
4684c1 |
(*session)->internals.dtls.mtu = DTLS_DEFAULT_MTU;
|
|
Packit Service |
4684c1 |
(*session)->internals.transport = GNUTLS_DGRAM;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
gnutls_dtls_set_timeouts(*session, DTLS_RETRANS_TIMEOUT, 60000);
|
|
Packit Service |
4684c1 |
} else {
|
|
Packit Service |
4684c1 |
(*session)->internals.transport = GNUTLS_STREAM;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* Enable useful extensions */
|
|
Packit Service |
4684c1 |
if ((flags & GNUTLS_CLIENT) && !(flags & GNUTLS_NO_EXTENSIONS)) {
|
|
Packit Service |
4684c1 |
#ifdef ENABLE_OCSP
|
|
Packit Service |
4684c1 |
gnutls_ocsp_status_request_enable_client(*session, NULL, 0,
|
|
Packit Service |
4684c1 |
NULL);
|
|
Packit Service |
4684c1 |
#endif
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* session tickets in server side are enabled by setting a key */
|
|
Packit Service |
4684c1 |
if (flags & GNUTLS_SERVER)
|
|
Packit Service |
4684c1 |
flags |= GNUTLS_NO_TICKETS;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
(*session)->internals.flags = flags;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (_gnutls_disable_tls13 != 0)
|
|
Packit Service |
4684c1 |
(*session)->internals.flags |= INT_FLAG_NO_TLS13;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* Install the default keylog function */
|
|
Packit Service |
4684c1 |
gnutls_session_set_keylog_function(*session, _gnutls_nss_keylog_func);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* returns RESUME_FALSE or RESUME_TRUE.
|
|
Packit Service |
4684c1 |
*/
|
|
Packit Service |
4684c1 |
int _gnutls_session_is_resumable(gnutls_session_t session)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
return session->internals.resumable;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_deinit:
|
|
Packit Service |
4684c1 |
* @session: is a #gnutls_session_t type.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* This function clears all buffers associated with the @session.
|
|
Packit Service |
4684c1 |
* This function will also remove session data from the session
|
|
Packit Service |
4684c1 |
* database if the session was terminated abnormally.
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
void gnutls_deinit(gnutls_session_t session)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
unsigned int i;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (session == NULL)
|
|
Packit Service |
4684c1 |
return;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* remove auth info firstly */
|
|
Packit Service |
4684c1 |
_gnutls_free_auth_info(session);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
_gnutls_handshake_internal_state_clear(session);
|
|
Packit Service |
4684c1 |
_gnutls_handshake_io_buffer_clear(session);
|
|
Packit Service |
4684c1 |
_gnutls_hello_ext_priv_deinit(session);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
for (i = 0; i < MAX_EPOCH_INDEX; i++)
|
|
Packit Service |
4684c1 |
if (session->record_parameters[i] != NULL) {
|
|
Packit Service |
4684c1 |
_gnutls_epoch_free(session,
|
|
Packit Service |
4684c1 |
session->record_parameters[i]);
|
|
Packit Service |
4684c1 |
session->record_parameters[i] = NULL;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
_gnutls_buffer_clear(&session->internals.handshake_hash_buffer);
|
|
Packit Service |
4684c1 |
_gnutls_buffer_clear(&session->internals.post_handshake_hash_buffer);
|
|
Packit Service |
4684c1 |
_gnutls_buffer_clear(&session->internals.hb_remote_data);
|
|
Packit Service |
4684c1 |
_gnutls_buffer_clear(&session->internals.hb_local_data);
|
|
Packit Service |
4684c1 |
_gnutls_buffer_clear(&session->internals.record_presend_buffer);
|
|
Packit Service |
4684c1 |
_gnutls_buffer_clear(&session->internals.record_key_update_buffer);
|
|
Packit Service |
4684c1 |
_gnutls_buffer_clear(&session->internals.reauth_buffer);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
_mbuffer_head_clear(&session->internals.record_buffer);
|
|
Packit Service |
4684c1 |
_mbuffer_head_clear(&session->internals.record_recv_buffer);
|
|
Packit Service |
4684c1 |
_mbuffer_head_clear(&session->internals.record_send_buffer);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
_mbuffer_head_clear(&session->internals.early_data_recv_buffer);
|
|
Packit Service |
4684c1 |
_gnutls_buffer_clear(&session->internals.early_data_presend_buffer);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
_gnutls_free_datum(&session->internals.resumption_data);
|
|
Packit Service |
4684c1 |
_gnutls_free_datum(&session->internals.dtls.dcookie);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
for (i = 0; i < session->internals.rexts_size; i++)
|
|
Packit Service |
4684c1 |
gnutls_free(session->internals.rexts[i].name);
|
|
Packit Service |
4684c1 |
gnutls_free(session->internals.rexts);
|
|
Packit Service |
4684c1 |
gnutls_free(session->internals.post_handshake_cr_context.data);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
gnutls_free(session->internals.rsup);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
gnutls_credentials_clear(session);
|
|
Packit Service |
4684c1 |
_gnutls_selected_certs_deinit(session);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* destroy any session ticket we may have received */
|
|
Packit Service |
4684c1 |
_gnutls13_session_ticket_unset(session);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* we rely on priorities' internal reference counting */
|
|
Packit Service |
4684c1 |
gnutls_priority_deinit(session->internals.priorities);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* overwrite any temp TLS1.3 keys */
|
|
Packit Service |
4684c1 |
gnutls_memset(&session->key.proto, 0, sizeof(session->key.proto));
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
gnutls_mutex_deinit(&session->internals.post_negotiation_lock);
|
|
Packit Service |
4684c1 |
gnutls_mutex_deinit(&session->internals.epoch_lock);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
gnutls_free(session);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
int _gnutls_dh_set_peer_public(gnutls_session_t session, bigint_t public)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
dh_info_st *dh;
|
|
Packit Service |
4684c1 |
int ret;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
switch (gnutls_auth_get_type(session)) {
|
|
Packit Service |
4684c1 |
case GNUTLS_CRD_ANON:
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
anon_auth_info_t info;
|
|
Packit Service |
4684c1 |
info = _gnutls_get_auth_info(session, GNUTLS_CRD_ANON);
|
|
Packit Service |
4684c1 |
if (info == NULL)
|
|
Packit Service |
4684c1 |
return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
dh = &info->dh;
|
|
Packit Service |
4684c1 |
break;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
case GNUTLS_CRD_PSK:
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
psk_auth_info_t info;
|
|
Packit Service |
4684c1 |
info = _gnutls_get_auth_info(session, GNUTLS_CRD_PSK);
|
|
Packit Service |
4684c1 |
if (info == NULL)
|
|
Packit Service |
4684c1 |
return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
dh = &info->dh;
|
|
Packit Service |
4684c1 |
break;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
case GNUTLS_CRD_CERTIFICATE:
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
cert_auth_info_t info;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
info = _gnutls_get_auth_info(session, GNUTLS_CRD_CERTIFICATE);
|
|
Packit Service |
4684c1 |
if (info == NULL)
|
|
Packit Service |
4684c1 |
return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
dh = &info->dh;
|
|
Packit Service |
4684c1 |
break;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
default:
|
|
Packit Service |
4684c1 |
return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (dh->public_key.data)
|
|
Packit Service |
4684c1 |
_gnutls_free_datum(&dh->public_key);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
ret = _gnutls_mpi_dprint_lz(public, &dh->public_key);
|
|
Packit Service |
4684c1 |
if (ret < 0) {
|
|
Packit Service |
4684c1 |
gnutls_assert();
|
|
Packit Service |
4684c1 |
return ret;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
int _gnutls_dh_set_secret_bits(gnutls_session_t session, unsigned bits)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
switch (gnutls_auth_get_type(session)) {
|
|
Packit Service |
4684c1 |
case GNUTLS_CRD_ANON:
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
anon_auth_info_t info;
|
|
Packit Service |
4684c1 |
info = _gnutls_get_auth_info(session, GNUTLS_CRD_ANON);
|
|
Packit Service |
4684c1 |
if (info == NULL)
|
|
Packit Service |
4684c1 |
return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
|
|
Packit Service |
4684c1 |
info->dh.secret_bits = bits;
|
|
Packit Service |
4684c1 |
break;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
case GNUTLS_CRD_PSK:
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
psk_auth_info_t info;
|
|
Packit Service |
4684c1 |
info = _gnutls_get_auth_info(session, GNUTLS_CRD_PSK);
|
|
Packit Service |
4684c1 |
if (info == NULL)
|
|
Packit Service |
4684c1 |
return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
|
|
Packit Service |
4684c1 |
info->dh.secret_bits = bits;
|
|
Packit Service |
4684c1 |
break;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
case GNUTLS_CRD_CERTIFICATE:
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
cert_auth_info_t info;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
info = _gnutls_get_auth_info(session, GNUTLS_CRD_CERTIFICATE);
|
|
Packit Service |
4684c1 |
if (info == NULL)
|
|
Packit Service |
4684c1 |
return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
info->dh.secret_bits = bits;
|
|
Packit Service |
4684c1 |
break;
|
|
Packit Service |
4684c1 |
default:
|
|
Packit Service |
4684c1 |
return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* Sets the prime and the generator in the auth info structure.
|
|
Packit Service |
4684c1 |
*/
|
|
Packit Service |
4684c1 |
int
|
|
Packit Service |
4684c1 |
_gnutls_dh_save_group(gnutls_session_t session, bigint_t gen,
|
|
Packit Service |
4684c1 |
bigint_t prime)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
dh_info_st *dh;
|
|
Packit Service |
4684c1 |
int ret;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
switch (gnutls_auth_get_type(session)) {
|
|
Packit Service |
4684c1 |
case GNUTLS_CRD_ANON:
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
anon_auth_info_t info;
|
|
Packit Service |
4684c1 |
info = _gnutls_get_auth_info(session, GNUTLS_CRD_ANON);
|
|
Packit Service |
4684c1 |
if (info == NULL)
|
|
Packit Service |
4684c1 |
return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
dh = &info->dh;
|
|
Packit Service |
4684c1 |
break;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
case GNUTLS_CRD_PSK:
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
psk_auth_info_t info;
|
|
Packit Service |
4684c1 |
info = _gnutls_get_auth_info(session, GNUTLS_CRD_PSK);
|
|
Packit Service |
4684c1 |
if (info == NULL)
|
|
Packit Service |
4684c1 |
return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
dh = &info->dh;
|
|
Packit Service |
4684c1 |
break;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
case GNUTLS_CRD_CERTIFICATE:
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
cert_auth_info_t info;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
info = _gnutls_get_auth_info(session, GNUTLS_CRD_CERTIFICATE);
|
|
Packit Service |
4684c1 |
if (info == NULL)
|
|
Packit Service |
4684c1 |
return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
dh = &info->dh;
|
|
Packit Service |
4684c1 |
break;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
default:
|
|
Packit Service |
4684c1 |
return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (dh->prime.data)
|
|
Packit Service |
4684c1 |
_gnutls_free_datum(&dh->prime);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (dh->generator.data)
|
|
Packit Service |
4684c1 |
_gnutls_free_datum(&dh->generator);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* prime
|
|
Packit Service |
4684c1 |
*/
|
|
Packit Service |
4684c1 |
ret = _gnutls_mpi_dprint_lz(prime, &dh->prime);
|
|
Packit Service |
4684c1 |
if (ret < 0) {
|
|
Packit Service |
4684c1 |
gnutls_assert();
|
|
Packit Service |
4684c1 |
return ret;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* generator
|
|
Packit Service |
4684c1 |
*/
|
|
Packit Service |
4684c1 |
ret = _gnutls_mpi_dprint_lz(gen, &dh->generator);
|
|
Packit Service |
4684c1 |
if (ret < 0) {
|
|
Packit Service |
4684c1 |
gnutls_assert();
|
|
Packit Service |
4684c1 |
_gnutls_free_datum(&dh->prime);
|
|
Packit Service |
4684c1 |
return ret;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_certificate_send_x509_rdn_sequence:
|
|
Packit Service |
4684c1 |
* @session: a #gnutls_session_t type.
|
|
Packit Service |
4684c1 |
* @status: is 0 or 1
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* If status is non zero, this function will order gnutls not to send
|
|
Packit Service |
4684c1 |
* the rdnSequence in the certificate request message. That is the
|
|
Packit Service |
4684c1 |
* server will not advertise its trusted CAs to the peer. If status
|
|
Packit Service |
4684c1 |
* is zero then the default behaviour will take effect, which is to
|
|
Packit Service |
4684c1 |
* advertise the server's trusted CAs.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* This function has no effect in clients, and in authentication
|
|
Packit Service |
4684c1 |
* methods other than certificate with X.509 certificates.
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
void
|
|
Packit Service |
4684c1 |
gnutls_certificate_send_x509_rdn_sequence(gnutls_session_t session,
|
|
Packit Service |
4684c1 |
int status)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
session->internals.ignore_rdn_sequence = status;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/*-
|
|
Packit Service |
4684c1 |
* _gnutls_record_set_default_version - Used to set the default version for the first record packet
|
|
Packit Service |
4684c1 |
* @session: is a #gnutls_session_t type.
|
|
Packit Service |
4684c1 |
* @major: is a tls major version
|
|
Packit Service |
4684c1 |
* @minor: is a tls minor version
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* This function sets the default version that we will use in the first
|
|
Packit Service |
4684c1 |
* record packet (client hello). This function is only useful to people
|
|
Packit Service |
4684c1 |
* that know TLS internals and want to debug other implementations.
|
|
Packit Service |
4684c1 |
-*/
|
|
Packit Service |
4684c1 |
void
|
|
Packit Service |
4684c1 |
_gnutls_record_set_default_version(gnutls_session_t session,
|
|
Packit Service |
4684c1 |
unsigned char major,
|
|
Packit Service |
4684c1 |
unsigned char minor)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
session->internals.default_record_version[0] = major;
|
|
Packit Service |
4684c1 |
session->internals.default_record_version[1] = minor;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/*-
|
|
Packit Service |
4684c1 |
* _gnutls_hello_set_default_version - Used to set the default version for the first record packet
|
|
Packit Service |
4684c1 |
* @session: is a #gnutls_session_t type.
|
|
Packit Service |
4684c1 |
* @major: is a tls major version
|
|
Packit Service |
4684c1 |
* @minor: is a tls minor version
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* This function sets the default version that we will use in the first
|
|
Packit Service |
4684c1 |
* record packet (client hello). This function is only useful to people
|
|
Packit Service |
4684c1 |
* that know TLS internals and want to debug other implementations.
|
|
Packit Service |
4684c1 |
-*/
|
|
Packit Service |
4684c1 |
void
|
|
Packit Service |
4684c1 |
_gnutls_hello_set_default_version(gnutls_session_t session,
|
|
Packit Service |
4684c1 |
unsigned char major,
|
|
Packit Service |
4684c1 |
unsigned char minor)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
session->internals.default_hello_version[0] = major;
|
|
Packit Service |
4684c1 |
session->internals.default_hello_version[1] = minor;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_handshake_set_private_extensions:
|
|
Packit Service |
4684c1 |
* @session: is a #gnutls_session_t type.
|
|
Packit Service |
4684c1 |
* @allow: is an integer (0 or 1)
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* This function will enable or disable the use of private cipher
|
|
Packit Service |
4684c1 |
* suites (the ones that start with 0xFF). By default or if @allow
|
|
Packit Service |
4684c1 |
* is 0 then these cipher suites will not be advertised nor used.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Currently GnuTLS does not include such cipher-suites or
|
|
Packit Service |
4684c1 |
* compression algorithms.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Enabling the private ciphersuites when talking to other than
|
|
Packit Service |
4684c1 |
* gnutls servers and clients may cause interoperability problems.
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
void
|
|
Packit Service |
4684c1 |
gnutls_handshake_set_private_extensions(gnutls_session_t session,
|
|
Packit Service |
4684c1 |
int allow)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
/* we have no private extensions */
|
|
Packit Service |
4684c1 |
return;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_session_is_resumed:
|
|
Packit Service |
4684c1 |
* @session: is a #gnutls_session_t type.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Checks whether session is resumed or not. This is functional
|
|
Packit Service |
4684c1 |
* for both server and client side.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Returns: non zero if this session is resumed, or a zero if this is
|
|
Packit Service |
4684c1 |
* a new session.
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
int gnutls_session_is_resumed(gnutls_session_t session)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
if (session->security_parameters.entity == GNUTLS_CLIENT) {
|
|
Packit Service |
4684c1 |
const version_entry_st *ver = get_version(session);
|
|
Packit Service |
4684c1 |
if (ver && ver->tls13_sem &&
|
|
Packit Service |
4684c1 |
session->internals.resumed != RESUME_FALSE)
|
|
Packit Service |
4684c1 |
return 1;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (session->security_parameters.session_id_size > 0 &&
|
|
Packit Service |
4684c1 |
session->security_parameters.session_id_size ==
|
|
Packit Service |
4684c1 |
session->internals.resumed_security_parameters.
|
|
Packit Service |
4684c1 |
session_id_size
|
|
Packit Service |
4684c1 |
&& memcmp(session->security_parameters.session_id,
|
|
Packit Service |
4684c1 |
session->
|
|
Packit Service |
4684c1 |
internals.resumed_security_parameters.
|
|
Packit Service |
4684c1 |
session_id,
|
|
Packit Service |
4684c1 |
session->security_parameters.
|
|
Packit Service |
4684c1 |
session_id_size) == 0)
|
|
Packit Service |
4684c1 |
return 1;
|
|
Packit Service |
4684c1 |
} else {
|
|
Packit Service |
4684c1 |
if (session->internals.resumed != RESUME_FALSE)
|
|
Packit Service |
4684c1 |
return 1;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_session_resumption_requested:
|
|
Packit Service |
4684c1 |
* @session: is a #gnutls_session_t type.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Check whether the client has asked for session resumption.
|
|
Packit Service |
4684c1 |
* This function is valid only on server side.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Returns: non zero if session resumption was asked, or a zero if not.
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
int gnutls_session_resumption_requested(gnutls_session_t session)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
if (session->security_parameters.entity == GNUTLS_CLIENT) {
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
} else {
|
|
Packit Service |
4684c1 |
return session->internals.resumption_requested;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/*-
|
|
Packit Service |
4684c1 |
* _gnutls_session_is_psk - Used to check whether this session uses PSK kx
|
|
Packit Service |
4684c1 |
* @session: is a #gnutls_session_t type.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* This function will return non zero if this session uses a PSK key
|
|
Packit Service |
4684c1 |
* exchange algorithm.
|
|
Packit Service |
4684c1 |
-*/
|
|
Packit Service |
4684c1 |
int _gnutls_session_is_psk(gnutls_session_t session)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
gnutls_kx_algorithm_t kx;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
kx = session->security_parameters.cs->kx_algorithm;
|
|
Packit Service |
4684c1 |
if (kx == GNUTLS_KX_PSK || kx == GNUTLS_KX_DHE_PSK
|
|
Packit Service |
4684c1 |
|| kx == GNUTLS_KX_RSA_PSK)
|
|
Packit Service |
4684c1 |
return 1;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/*-
|
|
Packit Service |
4684c1 |
* _gnutls_session_is_ecc - Used to check whether this session uses ECC kx
|
|
Packit Service |
4684c1 |
* @session: is a #gnutls_session_t type.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* This function will return non zero if this session uses an elliptic
|
|
Packit Service |
4684c1 |
* curves key exchange exchange algorithm.
|
|
Packit Service |
4684c1 |
-*/
|
|
Packit Service |
4684c1 |
int _gnutls_session_is_ecc(gnutls_session_t session)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
gnutls_kx_algorithm_t kx;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* We get the key exchange algorithm through the ciphersuite because
|
|
Packit Service |
4684c1 |
* the negotiated key exchange might not have been set yet.
|
|
Packit Service |
4684c1 |
*/
|
|
Packit Service |
4684c1 |
kx = session->security_parameters.cs->kx_algorithm;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
return _gnutls_kx_is_ecc(kx);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_session_get_ptr:
|
|
Packit Service |
4684c1 |
* @session: is a #gnutls_session_t type.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Get user pointer for session. Useful in callbacks. This is the
|
|
Packit Service |
4684c1 |
* pointer set with gnutls_session_set_ptr().
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Returns: the user given pointer from the session structure, or
|
|
Packit Service |
4684c1 |
* %NULL if it was never set.
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
void *gnutls_session_get_ptr(gnutls_session_t session)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
return session->internals.user_ptr;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_session_set_ptr:
|
|
Packit Service |
4684c1 |
* @session: is a #gnutls_session_t type.
|
|
Packit Service |
4684c1 |
* @ptr: is the user pointer
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* This function will set (associate) the user given pointer @ptr to
|
|
Packit Service |
4684c1 |
* the session structure. This pointer can be accessed with
|
|
Packit Service |
4684c1 |
* gnutls_session_get_ptr().
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
void gnutls_session_set_ptr(gnutls_session_t session, void *ptr)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
session->internals.user_ptr = ptr;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_session_set_verify_function:
|
|
Packit Service |
4684c1 |
* @session: is a #gnutls_session_t type.
|
|
Packit Service |
4684c1 |
* @func: is the callback function
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* This function sets a callback to be called when peer's certificate
|
|
Packit Service |
4684c1 |
* has been received in order to verify it on receipt rather than
|
|
Packit Service |
4684c1 |
* doing after the handshake is completed. This overrides any callback
|
|
Packit Service |
4684c1 |
* set using gnutls_certificate_set_verify_function().
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* The callback's function prototype is:
|
|
Packit Service |
4684c1 |
* int (*callback)(gnutls_session_t);
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* If the callback function is provided then gnutls will call it, in the
|
|
Packit Service |
4684c1 |
* handshake, just after the certificate message has been received.
|
|
Packit Service |
4684c1 |
* To verify or obtain the certificate the gnutls_certificate_verify_peers2(),
|
|
Packit Service |
4684c1 |
* gnutls_certificate_type_get(), gnutls_certificate_get_peers() functions
|
|
Packit Service |
4684c1 |
* can be used.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* The callback function should return 0 for the handshake to continue
|
|
Packit Service |
4684c1 |
* or non-zero to terminate.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Since: 3.4.6
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
void
|
|
Packit Service |
4684c1 |
gnutls_session_set_verify_function
|
|
Packit Service |
4684c1 |
(gnutls_session_t session,
|
|
Packit Service |
4684c1 |
gnutls_certificate_verify_function * func)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
session->internals.verify_callback = func;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_record_get_direction:
|
|
Packit Service |
4684c1 |
* @session: is a #gnutls_session_t type.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* This function is useful to determine whether a GnuTLS function was interrupted
|
|
Packit Service |
4684c1 |
* while sending or receiving, so that select() or poll() may be called appropriately.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* It provides information about the internals of the record
|
|
Packit Service |
4684c1 |
* protocol and is only useful if a prior gnutls function call,
|
|
Packit Service |
4684c1 |
* e.g. gnutls_handshake(), was interrupted and returned
|
|
Packit Service |
4684c1 |
* %GNUTLS_E_INTERRUPTED or %GNUTLS_E_AGAIN. After such an interrupt
|
|
Packit Service |
4684c1 |
* applications may call select() or poll() before restoring the
|
|
Packit Service |
4684c1 |
* interrupted GnuTLS function.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* This function's output is unreliable if you are using the same
|
|
Packit Service |
4684c1 |
* @session in different threads for sending and receiving.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Returns: 0 if interrupted while trying to read data, or 1 while trying to write data.
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
int gnutls_record_get_direction(gnutls_session_t session)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
return session->internals.direction;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/*-
|
|
Packit Service |
4684c1 |
* _gnutls_rsa_pms_set_version - Sets a version to be used at the RSA PMS
|
|
Packit Service |
4684c1 |
* @session: is a #gnutls_session_t type.
|
|
Packit Service |
4684c1 |
* @major: is the major version to use
|
|
Packit Service |
4684c1 |
* @minor: is the minor version to use
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* This function will set the given version number to be used at the
|
|
Packit Service |
4684c1 |
* RSA PMS secret. This is only useful to clients, which want to
|
|
Packit Service |
4684c1 |
* test server's capabilities.
|
|
Packit Service |
4684c1 |
-*/
|
|
Packit Service |
4684c1 |
void
|
|
Packit Service |
4684c1 |
_gnutls_rsa_pms_set_version(gnutls_session_t session,
|
|
Packit Service |
4684c1 |
unsigned char major, unsigned char minor)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
session->internals.rsa_pms_version[0] = major;
|
|
Packit Service |
4684c1 |
session->internals.rsa_pms_version[1] = minor;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
void _gnutls_session_client_cert_type_set(gnutls_session_t session,
|
|
Packit Service |
4684c1 |
gnutls_certificate_type_t ct)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
_gnutls_handshake_log
|
|
Packit Service |
4684c1 |
("HSK[%p]: Selected client certificate type %s (%d)\n", session,
|
|
Packit Service |
4684c1 |
gnutls_certificate_type_get_name(ct), ct);
|
|
Packit Service |
4684c1 |
session->security_parameters.client_ctype = ct;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
void _gnutls_session_server_cert_type_set(gnutls_session_t session,
|
|
Packit Service |
4684c1 |
gnutls_certificate_type_t ct)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
_gnutls_handshake_log
|
|
Packit Service |
4684c1 |
("HSK[%p]: Selected server certificate type %s (%d)\n", session,
|
|
Packit Service |
4684c1 |
gnutls_certificate_type_get_name(ct), ct);
|
|
Packit Service |
4684c1 |
session->security_parameters.server_ctype = ct;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_handshake_set_post_client_hello_function:
|
|
Packit Service |
4684c1 |
* @session: is a #gnutls_session_t type.
|
|
Packit Service |
4684c1 |
* @func: is the function to be called
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* This function will set a callback to be called after the client
|
|
Packit Service |
4684c1 |
* hello has been received (callback valid in server side only). This
|
|
Packit Service |
4684c1 |
* allows the server to adjust settings based on received extensions.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Those settings could be ciphersuites, requesting certificate, or
|
|
Packit Service |
4684c1 |
* anything else except for version negotiation (this is done before
|
|
Packit Service |
4684c1 |
* the hello message is parsed).
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* This callback must return 0 on success or a gnutls error code to
|
|
Packit Service |
4684c1 |
* terminate the handshake.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Since GnuTLS 3.3.5 the callback is
|
|
Packit Service |
4684c1 |
* allowed to return %GNUTLS_E_AGAIN or %GNUTLS_E_INTERRUPTED to
|
|
Packit Service |
4684c1 |
* put the handshake on hold. In that case gnutls_handshake()
|
|
Packit Service |
4684c1 |
* will return %GNUTLS_E_INTERRUPTED and can be resumed when needed.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Warning: You should not use this function to terminate the
|
|
Packit Service |
4684c1 |
* handshake based on client input unless you know what you are
|
|
Packit Service |
4684c1 |
* doing. Before the handshake is finished there is no way to know if
|
|
Packit Service |
4684c1 |
* there is a man-in-the-middle attack being performed.
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
void
|
|
Packit Service |
4684c1 |
gnutls_handshake_set_post_client_hello_function(gnutls_session_t session,
|
|
Packit Service |
4684c1 |
gnutls_handshake_simple_hook_func func)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
session->internals.user_hello_func = func;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_session_enable_compatibility_mode:
|
|
Packit Service |
4684c1 |
* @session: is a #gnutls_session_t type.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* This function can be used to disable certain (security) features in
|
|
Packit Service |
4684c1 |
* TLS in order to maintain maximum compatibility with buggy
|
|
Packit Service |
4684c1 |
* clients. Because several trade-offs with security are enabled,
|
|
Packit Service |
4684c1 |
* if required they will be reported through the audit subsystem.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Normally only servers that require maximum compatibility with
|
|
Packit Service |
4684c1 |
* everything out there, need to call this function.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Note that this function must be called after any call to gnutls_priority
|
|
Packit Service |
4684c1 |
* functions.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Since: 2.1.4
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
void gnutls_session_enable_compatibility_mode(gnutls_session_t session)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
ENABLE_COMPAT(&session->internals);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_session_channel_binding:
|
|
Packit Service |
4684c1 |
* @session: is a #gnutls_session_t type.
|
|
Packit Service |
4684c1 |
* @cbtype: an #gnutls_channel_binding_t enumeration type
|
|
Packit Service |
4684c1 |
* @cb: output buffer array with data
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Extract given channel binding data of the @cbtype (e.g.,
|
|
Packit Service |
4684c1 |
* %GNUTLS_CB_TLS_UNIQUE) type.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Returns: %GNUTLS_E_SUCCESS on success,
|
|
Packit Service |
4684c1 |
* %GNUTLS_E_UNIMPLEMENTED_FEATURE if the @cbtype is unsupported,
|
|
Packit Service |
4684c1 |
* %GNUTLS_E_CHANNEL_BINDING_NOT_AVAILABLE if the data is not
|
|
Packit Service |
4684c1 |
* currently available, or an error code.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Since: 2.12.0
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
int
|
|
Packit Service |
4684c1 |
gnutls_session_channel_binding(gnutls_session_t session,
|
|
Packit Service |
4684c1 |
gnutls_channel_binding_t cbtype,
|
|
Packit Service |
4684c1 |
gnutls_datum_t * cb)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
if (cbtype != GNUTLS_CB_TLS_UNIQUE)
|
|
Packit Service |
4684c1 |
return GNUTLS_E_UNIMPLEMENTED_FEATURE;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (!session->internals.initial_negotiation_completed)
|
|
Packit Service |
4684c1 |
return GNUTLS_E_CHANNEL_BINDING_NOT_AVAILABLE;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
cb->size = session->internals.cb_tls_unique_len;
|
|
Packit Service |
4684c1 |
cb->data = gnutls_malloc(cb->size);
|
|
Packit Service |
4684c1 |
if (cb->data == NULL)
|
|
Packit Service |
4684c1 |
return GNUTLS_E_MEMORY_ERROR;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
memcpy(cb->data, session->internals.cb_tls_unique, cb->size);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_ecc_curve_get:
|
|
Packit Service |
4684c1 |
* @session: is a #gnutls_session_t type.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Returns the currently used elliptic curve for key exchange. Only valid
|
|
Packit Service |
4684c1 |
* when using an elliptic curve ciphersuite.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Returns: the currently used curve, a #gnutls_ecc_curve_t
|
|
Packit Service |
4684c1 |
* type.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Since: 3.0
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
gnutls_ecc_curve_t gnutls_ecc_curve_get(gnutls_session_t session)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
const gnutls_group_entry_st *e;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
e = get_group(session);
|
|
Packit Service |
4684c1 |
if (e == NULL || e->curve == 0)
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
return e->curve;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_group_get:
|
|
Packit Service |
4684c1 |
* @session: is a #gnutls_session_t type.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Returns the currently used group for key exchange. Only valid
|
|
Packit Service |
4684c1 |
* when using an elliptic curve or DH ciphersuite.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Returns: the currently used group, a #gnutls_group_t
|
|
Packit Service |
4684c1 |
* type.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Since: 3.6.0
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
gnutls_group_t gnutls_group_get(gnutls_session_t session)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
const gnutls_group_entry_st *e;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
e = get_group(session);
|
|
Packit Service |
4684c1 |
if (e == NULL)
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
return e->id;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_protocol_get_version:
|
|
Packit Service |
4684c1 |
* @session: is a #gnutls_session_t type.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Get TLS version, a #gnutls_protocol_t value.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Returns: The version of the currently used protocol.
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
gnutls_protocol_t gnutls_protocol_get_version(gnutls_session_t session)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
return get_num_version(session);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_session_get_random:
|
|
Packit Service |
4684c1 |
* @session: is a #gnutls_session_t type.
|
|
Packit Service |
4684c1 |
* @client: the client part of the random
|
|
Packit Service |
4684c1 |
* @server: the server part of the random
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* This function returns pointers to the client and server
|
|
Packit Service |
4684c1 |
* random fields used in the TLS handshake. The pointers are
|
|
Packit Service |
4684c1 |
* not to be modified or deallocated.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* If a client random value has not yet been established, the output
|
|
Packit Service |
4684c1 |
* will be garbage.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Since: 3.0
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
void
|
|
Packit Service |
4684c1 |
gnutls_session_get_random(gnutls_session_t session,
|
|
Packit Service |
4684c1 |
gnutls_datum_t * client, gnutls_datum_t * server)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
if (client) {
|
|
Packit Service |
4684c1 |
client->data = session->security_parameters.client_random;
|
|
Packit Service |
4684c1 |
client->size =
|
|
Packit Service |
4684c1 |
sizeof(session->security_parameters.client_random);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (server) {
|
|
Packit Service |
4684c1 |
server->data = session->security_parameters.server_random;
|
|
Packit Service |
4684c1 |
server->size =
|
|
Packit Service |
4684c1 |
sizeof(session->security_parameters.server_random);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_session_get_master_secret:
|
|
Packit Service |
4684c1 |
* @session: is a #gnutls_session_t type.
|
|
Packit Service |
4684c1 |
* @secret: the session's master secret
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* This function returns pointers to the master secret
|
|
Packit Service |
4684c1 |
* used in the TLS session. The pointers are not to be modified or deallocated.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* This function is only applicable under TLS 1.2 or earlier versions.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Since: 3.5.0
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
void
|
|
Packit Service |
4684c1 |
gnutls_session_get_master_secret(gnutls_session_t session, gnutls_datum_t *secret)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
secret->data = session->security_parameters.master_secret;
|
|
Packit Service |
4684c1 |
secret->size = sizeof(session->security_parameters.master_secret);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
unsigned int timespec_sub_ms(struct timespec *a, struct timespec *b)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
time_t dsecs;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
dsecs = a->tv_sec - b->tv_sec;
|
|
Packit Service |
4684c1 |
if (!INT_MULTIPLY_OVERFLOW(dsecs, 1000)) {
|
|
Packit Service |
4684c1 |
return (dsecs*1000 + (a->tv_nsec - b->tv_nsec) / (1000 * 1000));
|
|
Packit Service |
4684c1 |
} else {
|
|
Packit Service |
4684c1 |
return UINT_MAX;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_handshake_set_random:
|
|
Packit Service |
4684c1 |
* @session: is a #gnutls_session_t type.
|
|
Packit Service |
4684c1 |
* @random: a random value of 32-bytes
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* This function will explicitly set the server or client hello
|
|
Packit Service |
4684c1 |
* random value in the subsequent TLS handshake. The random value
|
|
Packit Service |
4684c1 |
* should be a 32-byte value.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Note that this function should not normally be used as gnutls
|
|
Packit Service |
4684c1 |
* will select automatically a random value for the handshake.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* This function should not be used when resuming a session.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Returns: %GNUTLS_E_SUCCESS on success, or an error code.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Since 3.1.9
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
int
|
|
Packit Service |
4684c1 |
gnutls_handshake_set_random(gnutls_session_t session,
|
|
Packit Service |
4684c1 |
const gnutls_datum_t * random)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
if (random->size != GNUTLS_RANDOM_SIZE)
|
|
Packit Service |
4684c1 |
return GNUTLS_E_INVALID_REQUEST;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
session->internals.sc_random_set = 1;
|
|
Packit Service |
4684c1 |
if (session->security_parameters.entity == GNUTLS_CLIENT)
|
|
Packit Service |
4684c1 |
memcpy(session->internals.resumed_security_parameters.
|
|
Packit Service |
4684c1 |
client_random, random->data, random->size);
|
|
Packit Service |
4684c1 |
else
|
|
Packit Service |
4684c1 |
memcpy(session->internals.resumed_security_parameters.
|
|
Packit Service |
4684c1 |
server_random, random->data, random->size);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_handshake_set_hook_function:
|
|
Packit Service |
4684c1 |
* @session: is a #gnutls_session_t type
|
|
Packit Service |
4684c1 |
* @htype: the %gnutls_handshake_description_t of the message to hook at
|
|
Packit Service |
4684c1 |
* @when: %GNUTLS_HOOK_* depending on when the hook function should be called
|
|
Packit Service |
4684c1 |
* @func: is the function to be called
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* This function will set a callback to be called after or before the specified
|
|
Packit Service |
4684c1 |
* handshake message has been received or generated. This is a
|
|
Packit Service |
4684c1 |
* generalization of gnutls_handshake_set_post_client_hello_function().
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* To call the hook function prior to the message being generated or processed
|
|
Packit Service |
4684c1 |
* use %GNUTLS_HOOK_PRE as @when parameter, %GNUTLS_HOOK_POST to call
|
|
Packit Service |
4684c1 |
* after, and %GNUTLS_HOOK_BOTH for both cases.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* This callback must return 0 on success or a gnutls error code to
|
|
Packit Service |
4684c1 |
* terminate the handshake.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* To hook at all handshake messages use an @htype of %GNUTLS_HANDSHAKE_ANY.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Warning: You should not use this function to terminate the
|
|
Packit Service |
4684c1 |
* handshake based on client input unless you know what you are
|
|
Packit Service |
4684c1 |
* doing. Before the handshake is finished there is no way to know if
|
|
Packit Service |
4684c1 |
* there is a man-in-the-middle attack being performed.
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
void
|
|
Packit Service |
4684c1 |
gnutls_handshake_set_hook_function(gnutls_session_t session,
|
|
Packit Service |
4684c1 |
unsigned int htype,
|
|
Packit Service |
4684c1 |
int when,
|
|
Packit Service |
4684c1 |
gnutls_handshake_hook_func func)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
session->internals.h_hook = func;
|
|
Packit Service |
4684c1 |
session->internals.h_type = htype;
|
|
Packit Service |
4684c1 |
session->internals.h_post = when;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_record_get_state:
|
|
Packit Service |
4684c1 |
* @session: is a #gnutls_session_t type
|
|
Packit Service |
4684c1 |
* @read: if non-zero the read parameters are returned, otherwise the write
|
|
Packit Service |
4684c1 |
* @mac_key: the key used for MAC (if a MAC is used)
|
|
Packit Service |
4684c1 |
* @IV: the initialization vector or nonce used
|
|
Packit Service |
4684c1 |
* @cipher_key: the cipher key
|
|
Packit Service |
4684c1 |
* @seq_number: A 64-bit sequence number
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* This function will return the parameters of the current record state.
|
|
Packit Service |
4684c1 |
* These are only useful to be provided to an external off-loading device
|
|
Packit Service |
4684c1 |
* or subsystem. The returned values should be considered constant
|
|
Packit Service |
4684c1 |
* and valid for the lifetime of the session.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* In that case, to sync the state back you must call gnutls_record_set_state().
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Returns: %GNUTLS_E_SUCCESS on success, or an error code.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Since 3.4.0
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
int
|
|
Packit Service |
4684c1 |
gnutls_record_get_state(gnutls_session_t session,
|
|
Packit Service |
4684c1 |
unsigned read,
|
|
Packit Service |
4684c1 |
gnutls_datum_t *mac_key,
|
|
Packit Service |
4684c1 |
gnutls_datum_t *IV,
|
|
Packit Service |
4684c1 |
gnutls_datum_t *cipher_key,
|
|
Packit Service |
4684c1 |
unsigned char seq_number[8])
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
record_parameters_st *record_params;
|
|
Packit Service |
4684c1 |
record_state_st *record_state;
|
|
Packit Service |
4684c1 |
unsigned int epoch;
|
|
Packit Service |
4684c1 |
int ret;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (read)
|
|
Packit Service |
4684c1 |
epoch = EPOCH_READ_CURRENT;
|
|
Packit Service |
4684c1 |
else
|
|
Packit Service |
4684c1 |
epoch = EPOCH_WRITE_CURRENT;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
ret = _gnutls_epoch_get(session, epoch, &record_params);
|
|
Packit Service |
4684c1 |
if (ret < 0)
|
|
Packit Service |
4684c1 |
return gnutls_assert_val(ret);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (!record_params->initialized)
|
|
Packit Service |
4684c1 |
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (read)
|
|
Packit Service |
4684c1 |
record_state = &record_params->read;
|
|
Packit Service |
4684c1 |
else
|
|
Packit Service |
4684c1 |
record_state = &record_params->write;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (mac_key) {
|
|
Packit Service |
4684c1 |
mac_key->data = record_state->mac_key;
|
|
Packit Service |
4684c1 |
mac_key->size = record_state->mac_key_size;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (IV) {
|
|
Packit Service |
4684c1 |
IV->data = record_state->iv;
|
|
Packit Service |
4684c1 |
IV->size = record_state->iv_size;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (cipher_key) {
|
|
Packit Service |
4684c1 |
cipher_key->data = record_state->key;
|
|
Packit Service |
4684c1 |
cipher_key->size = record_state->key_size;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (seq_number)
|
|
Packit Service |
4684c1 |
_gnutls_write_uint64(record_state->sequence_number, seq_number);
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_record_set_state:
|
|
Packit Service |
4684c1 |
* @session: is a #gnutls_session_t type
|
|
Packit Service |
4684c1 |
* @read: if non-zero the read parameters are returned, otherwise the write
|
|
Packit Service |
4684c1 |
* @seq_number: A 64-bit sequence number
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* This function will set the sequence number in the current record state.
|
|
Packit Service |
4684c1 |
* This function is useful if sending and receiving are offloaded from
|
|
Packit Service |
4684c1 |
* gnutls. That is, if gnutls_record_get_state() was used.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Returns: %GNUTLS_E_SUCCESS on success, or an error code.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Since 3.4.0
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
int
|
|
Packit Service |
4684c1 |
gnutls_record_set_state(gnutls_session_t session,
|
|
Packit Service |
4684c1 |
unsigned read,
|
|
Packit Service |
4684c1 |
const unsigned char seq_number[8])
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
record_parameters_st *record_params;
|
|
Packit Service |
4684c1 |
record_state_st *record_state;
|
|
Packit Service |
4684c1 |
int epoch, ret;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (read)
|
|
Packit Service |
4684c1 |
epoch = EPOCH_READ_CURRENT;
|
|
Packit Service |
4684c1 |
else
|
|
Packit Service |
4684c1 |
epoch = EPOCH_WRITE_CURRENT;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
ret = _gnutls_epoch_get(session, epoch, &record_params);
|
|
Packit Service |
4684c1 |
if (ret < 0)
|
|
Packit Service |
4684c1 |
return gnutls_assert_val(ret);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (!record_params->initialized)
|
|
Packit Service |
4684c1 |
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (read)
|
|
Packit Service |
4684c1 |
record_state = &record_params->read;
|
|
Packit Service |
4684c1 |
else
|
|
Packit Service |
4684c1 |
record_state = &record_params->write;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
record_state->sequence_number = _gnutls_read_uint64(seq_number);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (IS_DTLS(session)) {
|
|
Packit Service |
4684c1 |
_dtls_reset_window(record_params);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
return 0;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/**
|
|
Packit Service |
4684c1 |
* gnutls_session_get_flags:
|
|
Packit Service |
4684c1 |
* @session: is a #gnutls_session_t type.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* This function will return a series (ORed) of flags, applicable
|
|
Packit Service |
4684c1 |
* for the current session.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* This replaces individual informational functions such as
|
|
Packit Service |
4684c1 |
* gnutls_safe_renegotiation_status(), gnutls_session_ext_master_secret_status(),
|
|
Packit Service |
4684c1 |
* etc.
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Returns: An ORed sequence of flags (see %gnutls_session_flags_t)
|
|
Packit Service |
4684c1 |
*
|
|
Packit Service |
4684c1 |
* Since: 3.5.0
|
|
Packit Service |
4684c1 |
**/
|
|
Packit Service |
4684c1 |
unsigned gnutls_session_get_flags(gnutls_session_t session)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
unsigned flags = 0;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
if (gnutls_safe_renegotiation_status(session))
|
|
Packit Service |
4684c1 |
flags |= GNUTLS_SFLAGS_SAFE_RENEGOTIATION;
|
|
Packit Service |
4684c1 |
if (gnutls_session_ext_master_secret_status(session))
|
|
Packit Service |
4684c1 |
flags |= GNUTLS_SFLAGS_EXT_MASTER_SECRET;
|
|
Packit Service |
4684c1 |
if (gnutls_session_etm_status(session))
|
|
Packit Service |
4684c1 |
flags |= GNUTLS_SFLAGS_ETM;
|
|
Packit Service |
4684c1 |
if (gnutls_heartbeat_allowed(session, GNUTLS_HB_LOCAL_ALLOWED_TO_SEND))
|
|
Packit Service |
4684c1 |
flags |= GNUTLS_SFLAGS_HB_LOCAL_SEND;
|
|
Packit Service |
4684c1 |
if (gnutls_heartbeat_allowed(session, GNUTLS_HB_PEER_ALLOWED_TO_SEND))
|
|
Packit Service |
4684c1 |
flags |= GNUTLS_SFLAGS_HB_PEER_SEND;
|
|
Packit Service |
4684c1 |
if (session->internals.hsk_flags & HSK_FALSE_START_USED)
|
|
Packit Service |
4684c1 |
flags |= GNUTLS_SFLAGS_FALSE_START;
|
|
Packit Service |
4684c1 |
if ((session->internals.hsk_flags & HSK_EARLY_START_USED) &&
|
|
Packit Service |
4684c1 |
(session->internals.flags & GNUTLS_ENABLE_EARLY_START))
|
|
Packit Service |
4684c1 |
flags |= GNUTLS_SFLAGS_EARLY_START;
|
|
Packit Service |
4684c1 |
if (session->internals.hsk_flags & HSK_USED_FFDHE)
|
|
Packit Service |
4684c1 |
flags |= GNUTLS_SFLAGS_RFC7919;
|
|
Packit Service |
4684c1 |
if (session->internals.hsk_flags & HSK_TICKET_RECEIVED)
|
|
Packit Service |
4684c1 |
flags |= GNUTLS_SFLAGS_SESSION_TICKET;
|
|
Packit Service |
4684c1 |
if (session->security_parameters.post_handshake_auth)
|
|
Packit Service |
4684c1 |
flags |= GNUTLS_SFLAGS_POST_HANDSHAKE_AUTH;
|
|
Packit Service |
4684c1 |
if (session->internals.hsk_flags & HSK_EARLY_DATA_ACCEPTED)
|
|
Packit Service |
4684c1 |
flags |= GNUTLS_SFLAGS_EARLY_DATA;
|
|
Packit Service |
4684c1 |
if (session->internals.hsk_flags & HSK_OCSP_REQUESTED)
|
|
Packit Service |
4684c1 |
flags |= GNUTLS_SFLAGS_CLI_REQUESTED_OCSP;
|
|
Packit Service |
4684c1 |
if (session->internals.hsk_flags & HSK_CLIENT_OCSP_REQUESTED)
|
|
Packit Service |
4684c1 |
flags |= GNUTLS_SFLAGS_SERV_REQUESTED_OCSP;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
return flags;
|
|
Packit Service |
4684c1 |
}
|