search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Add.
[gnutls.git] / lib / gnutls_kx.c
blob950366d52fd1cc77f79fdc929b1495d0e4dd31cf
1 /*
2 * Copyright (C) 2000, 2001, 2004, 2005, 2006, 2008 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25 /* This file contains functions which are wrappers for the key exchange
26 * part of TLS. They are called by the handshake functions (gnutls_handshake)
27 */
28
29 #include "gnutls_int.h"
30 #include "gnutls_handshake.h"
31 #include "gnutls_kx.h"
32 #include "gnutls_dh.h"
33 #include "gnutls_errors.h"
34 #include "gnutls_algorithms.h"
35 #include "debug.h"
36 #include "gnutls_mpi.h"
37 #include <gnutls_state.h>
38 #include <gnutls_datum.h>
39 #include <gnutls_rsa_export.h>
40
41 /* This file contains important thing for the TLS handshake procedure.
42 */
43
44 #define MASTER_SECRET "master secret"
45 static int generate_normal_master (gnutls_session_t session, int);
46
47 int
48 _gnutls_generate_master (gnutls_session_t session, int keep_premaster)
49 {
50 if (session->internals.resumed == RESUME_FALSE)
51 return generate_normal_master (session, keep_premaster);
52 return 0;
53 }
54
55 /* here we generate the TLS Master secret.
56 */
57 #define PREMASTER session->key->key
58 static int
59 generate_normal_master (gnutls_session_t session, int keep_premaster)
60 {
61 int ret = 0;
62 char buf[512];
63
64 _gnutls_hard_log ("INT: PREMASTER SECRET[%d]: %s\n", PREMASTER.size,
65 _gnutls_bin2hex (PREMASTER.data, PREMASTER.size, buf,
66 sizeof (buf)));
67 _gnutls_hard_log ("INT: CLIENT RANDOM[%d]: %s\n", 32,
68 _gnutls_bin2hex (session->security_parameters.
69 client_random, 32, buf, sizeof (buf)));
70 _gnutls_hard_log ("INT: SERVER RANDOM[%d]: %s\n", 32,
71 _gnutls_bin2hex (session->security_parameters.
72 server_random, 32, buf, sizeof (buf)));
73
74 if (gnutls_protocol_get_version (session) == GNUTLS_SSL3)
75 {
76 opaque rnd[2 * TLS_RANDOM_SIZE + 1];
77
78 memcpy (rnd, session->security_parameters.client_random, TLS_RANDOM_SIZE);
79 memcpy (&rnd[TLS_RANDOM_SIZE],
80 session->security_parameters.server_random, TLS_RANDOM_SIZE);
81
82 ret =
83 _gnutls_ssl3_generate_random (PREMASTER.data, PREMASTER.size,
84 rnd, 2 * TLS_RANDOM_SIZE,
85 TLS_MASTER_SIZE,
86 session->security_parameters.
87 master_secret);
88
89 }
90 else if (session->security_parameters.extensions.oprfi_client_len > 0 &&
91 session->security_parameters.extensions.oprfi_server_len > 0)
92 {
93 opaque *rnd;
94 size_t rndlen = 2 * TLS_RANDOM_SIZE;
95
96 rndlen += session->security_parameters.extensions.oprfi_client_len;
97 rndlen += session->security_parameters.extensions.oprfi_server_len;
98
99 rnd = gnutls_malloc (rndlen + 1);
100 if (!rnd)
101 {
102 gnutls_assert ();
103 return GNUTLS_E_MEMORY_ERROR;
104 }
105
106 _gnutls_hard_log ("INT: CLIENT OPRFI[%d]: %s\n",
107 session->security_parameters.
108 extensions.oprfi_server_len,
109 _gnutls_bin2hex (session->security_parameters.
110 extensions.oprfi_client,
111 session->security_parameters.
112 extensions.oprfi_client_len,
113 buf, sizeof (buf)));
114 _gnutls_hard_log ("INT: SERVER OPRFI[%d]: %s\n",
115 session->security_parameters.
116 extensions.oprfi_server_len,
117 _gnutls_bin2hex (session->security_parameters.
118 extensions.oprfi_server,
119 session->security_parameters.
120 extensions.oprfi_server_len,
121 buf, sizeof (buf)));
122
123 memcpy (rnd, session->security_parameters.client_random,
124 TLS_RANDOM_SIZE);
125 memcpy (rnd + TLS_RANDOM_SIZE,
126 session->security_parameters.extensions.oprfi_client,
127 session->security_parameters.extensions.oprfi_client_len);
128 memcpy (rnd + TLS_RANDOM_SIZE +
129 session->security_parameters.extensions.oprfi_client_len,
130 session->security_parameters.server_random,
131 TLS_RANDOM_SIZE);
132 memcpy (rnd + TLS_RANDOM_SIZE +
133 session->security_parameters.extensions.oprfi_client_len +
134 TLS_RANDOM_SIZE,
135 session->security_parameters.extensions.oprfi_server,
136 session->security_parameters.extensions.oprfi_server_len);
137
138 ret = _gnutls_PRF (session, PREMASTER.data, PREMASTER.size,
139 MASTER_SECRET, strlen (MASTER_SECRET),
140 rnd, rndlen, TLS_MASTER_SIZE,
141 session->security_parameters.master_secret);
142
143 gnutls_free (rnd);
144 }
145 else
146 {
147 opaque rnd[2 * TLS_RANDOM_SIZE + 1];
148
149 memcpy (rnd, session->security_parameters.client_random, TLS_RANDOM_SIZE);
150 memcpy (&rnd[TLS_RANDOM_SIZE],
151 session->security_parameters.server_random, TLS_RANDOM_SIZE);
152
153 ret =
154 _gnutls_PRF (session, PREMASTER.data, PREMASTER.size,
155 MASTER_SECRET, strlen (MASTER_SECRET),
156 rnd, 2 * TLS_RANDOM_SIZE, TLS_MASTER_SIZE,
157 session->security_parameters.master_secret);
158 }
159
160 /* TLS/IA inner secret is derived from the master secret. */
161 memcpy (session->security_parameters.inner_secret,
162 session->security_parameters.master_secret, TLS_MASTER_SIZE);
163
164 if (!keep_premaster)
165 _gnutls_free_datum (&PREMASTER);
166
167 if (ret < 0)
168 return ret;
169
170 _gnutls_hard_log ("INT: MASTER SECRET: %s\n",
171 _gnutls_bin2hex (session->security_parameters.
172 master_secret, TLS_MASTER_SIZE, buf,
173 sizeof (buf)));
174
175 return ret;
176 }
177
178
179 /* This is called when we want to receive the key exchange message of the
180 * server. It does nothing if this type of message is not required
181 * by the selected ciphersuite.
182 */
183 int
184 _gnutls_send_server_kx_message (gnutls_session_t session, int again)
185 {
186 uint8_t *data = NULL;
187 int data_size = 0;
188 int ret = 0;
189
190 if (session->internals.auth_struct->gnutls_generate_server_kx == NULL)
191 return 0;
192
193 data = NULL;
194 data_size = 0;
195
196 if (again == 0)
197 {
198 data_size =
199 session->internals.auth_struct->
200 gnutls_generate_server_kx (session, &data);
201
202 if (data_size == GNUTLS_E_INT_RET_0)
203 {
204 gnutls_assert ();
205 return 0;
206 }
207
208 if (data_size < 0)
209 {
210 gnutls_assert ();
211 return data_size;
212 }
213 }
214
215 ret =
216 _gnutls_send_handshake (session, data, data_size,
217 GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE);
218 gnutls_free (data);
219
220 if (ret < 0)
221 {
222 gnutls_assert ();
223 return ret;
224 }
225 return data_size;
226 }
227
228 /* This function sends a certificate request message to the
229 * client.
230 */
231 int
232 _gnutls_send_server_certificate_request (gnutls_session_t session, int again)
233 {
234 uint8_t *data = NULL;
235 int data_size = 0;
236 int ret = 0;
237
238 if (session->internals.auth_struct->
239 gnutls_generate_server_certificate_request == NULL)
240 return 0;
241
242 if (session->internals.send_cert_req <= 0)
243 return 0;
244
245 data = NULL;
246 data_size = 0;
247
248 if (again == 0)
249 {
250 data_size =
251 session->internals.auth_struct->
252 gnutls_generate_server_certificate_request (session, &data);
253
254 if (data_size < 0)
255 {
256 gnutls_assert ();
257 return data_size;
258 }
259 }
260 ret =
261 _gnutls_send_handshake (session, data, data_size,
262 GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST);
263 gnutls_free (data);
264
265 if (ret < 0)
266 {
267 gnutls_assert ();
268 return ret;
269 }
270 return data_size;
271 }
272
273
274 /* This is the function for the client to send the key
275 * exchange message
276 */
277 int
278 _gnutls_send_client_kx_message (gnutls_session_t session, int again)
279 {
280 uint8_t *data;
281 int data_size;
282 int ret = 0;
283
284 if (session->internals.auth_struct->gnutls_generate_client_kx == NULL)
285 return 0;
286
287
288 data = NULL;
289 data_size = 0;
290
291 if (again == 0)
292 {
293 data_size =
294 session->internals.auth_struct->
295 gnutls_generate_client_kx (session, &data);
296 if (data_size < 0)
297 {
298 gnutls_assert ();
299 return data_size;
300 }
301 }
302 ret =
303 _gnutls_send_handshake (session, data, data_size,
304 GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE);
305 gnutls_free (data);
306
307 if (ret < 0)
308 {
309 gnutls_assert ();
310 return ret;
311 }
312
313 return ret;
314 }
315
316
317 /* This is the function for the client to send the certificate
318 * verify message
319 */
320 int
321 _gnutls_send_client_certificate_verify (gnutls_session_t session, int again)
322 {
323 uint8_t *data;
324 int ret = 0;
325 int data_size;
326
327 /* This is a packet that is only sent by the client
328 */
329 if (session->security_parameters.entity == GNUTLS_SERVER)
330 return 0;
331
332 /* if certificate verify is not needed just exit
333 */
334 if (session->key->certificate_requested == 0)
335 return 0;
336
337 if (session->internals.auth_struct->gnutls_generate_client_cert_vrfy ==
338 NULL)
339 {
340 gnutls_assert ();
341 return 0; /* this algorithm does not support cli_cert_vrfy
342 */
343 }
344
345 data = NULL;
346 data_size = 0;
347
348 if (again == 0)
349 {
350 data_size =
351 session->internals.auth_struct->
352 gnutls_generate_client_cert_vrfy (session, &data);
353 if (data_size < 0)
354 {
355 gnutls_assert ();
356 return data_size;
357 }
358 if (data_size == 0)
359 return 0;
360
361 }
362 ret =
363 _gnutls_send_handshake (session, data,
364 data_size, GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY);
365 gnutls_free (data);
366
367 return ret;
368 }
369
370
371 int
372 _gnutls_recv_server_kx_message (gnutls_session_t session)
373 {
374 uint8_t *data = NULL;
375 int datasize;
376 int ret = 0;
377 Optional optflag = MANDATORY_PACKET;
378
379 if (session->internals.auth_struct->gnutls_process_server_kx != NULL)
380 {
381
382 /* EXCEPTION FOR RSA_EXPORT cipher suite
383 */
384 if (_gnutls_session_is_export (session) != 0 &&
385 _gnutls_peers_cert_less_512 (session) != 0)
386 {
387 gnutls_assert ();
388 return 0;
389 }
390
391 /* Server key exchange packet is optional for PSK. */
392 if (_gnutls_session_is_psk (session))
393 optflag = OPTIONAL_PACKET;
394
395 ret =
396 _gnutls_recv_handshake (session, &data,
397 &datasize,
398 GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE,
399 optflag);
400 if (ret < 0)
401 {
402 gnutls_assert ();
403 return ret;
404 }
405
406 ret =
407 session->internals.auth_struct->
408 gnutls_process_server_kx (session, data, datasize);
409 gnutls_free (data);
410
411 if (ret < 0)
412 {
413 gnutls_assert ();
414 return ret;
415 }
416
417 }
418 return ret;
419 }
420
421 int
422 _gnutls_recv_server_certificate_request (gnutls_session_t session)
423 {
424 uint8_t *data;
425 int datasize;
426 int ret = 0;
427
428 if (session->internals.auth_struct->
429 gnutls_process_server_certificate_request != NULL)
430 {
431
432 ret =
433 _gnutls_recv_handshake (session, &data,
434 &datasize,
435 GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST,
436 OPTIONAL_PACKET);
437 if (ret < 0)
438 return ret;
439
440 if (ret == 0 && datasize == 0)
441 return 0; /* ignored */
442
443 ret =
444 session->internals.auth_struct->
445 gnutls_process_server_certificate_request (session, data, datasize);
446 gnutls_free (data);
447 if (ret < 0)
448 return ret;
449
450 }
451 return ret;
452 }
453
454 int
455 _gnutls_recv_client_kx_message (gnutls_session_t session)
456 {
457 uint8_t *data;
458 int datasize;
459 int ret = 0;
460
461
462 /* Do key exchange only if the algorithm permits it */
463 if (session->internals.auth_struct->gnutls_process_client_kx != NULL)
464 {
465
466 ret =
467 _gnutls_recv_handshake (session, &data,
468 &datasize,
469 GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE,
470 MANDATORY_PACKET);
471 if (ret < 0)
472 return ret;
473
474 ret =
475 session->internals.auth_struct->
476 gnutls_process_client_kx (session, data, datasize);
477 gnutls_free (data);
478 if (ret < 0)
479 return ret;
480
481 }
482
483 return ret;
484 }
485
486
487 /* This is called when we want send our certificate
488 */
489 int
490 _gnutls_send_client_certificate (gnutls_session_t session, int again)
491 {
492 uint8_t *data = NULL;
493 int data_size = 0;
494 int ret = 0;
495
496
497 if (session->key->certificate_requested == 0)
498 return 0;
499
500 if (session->internals.auth_struct->
501 gnutls_generate_client_certificate == NULL)
502 return 0;
503
504 data = NULL;
505 data_size = 0;
506
507 if (again == 0)
508 {
509 if (gnutls_protocol_get_version (session) != GNUTLS_SSL3 ||
510 session->internals.selected_cert_list_length > 0)
511 {
512 /* TLS 1.0 or SSL 3.0 with a valid certificate
513 */
514 data_size =
515 session->internals.auth_struct->
516 gnutls_generate_client_certificate (session, &data);
517
518 if (data_size < 0)
519 {
520 gnutls_assert ();
521 return data_size;
522 }
523 }
524 }
525
526 /* In the SSL 3.0 protocol we need to send a
527 * no certificate alert instead of an
528 * empty certificate.
529 */
530 if (gnutls_protocol_get_version (session) == GNUTLS_SSL3 &&
531 session->internals.selected_cert_list_length == 0)
532 {
533 ret =
534 gnutls_alert_send (session, GNUTLS_AL_WARNING,
535 GNUTLS_A_SSL3_NO_CERTIFICATE);
536
537 }
538 else
539 { /* TLS 1.0 or SSL 3.0 with a valid certificate
540 */
541 ret =
542 _gnutls_send_handshake (session, data, data_size,
543 GNUTLS_HANDSHAKE_CERTIFICATE_PKT);
544 gnutls_free (data);
545 }
546
547 if (ret < 0)
548 {
549 gnutls_assert ();
550 return ret;
551 }
552
553 return data_size;
554 }
555
556
557 /* This is called when we want send our certificate
558 */
559 int
560 _gnutls_send_server_certificate (gnutls_session_t session, int again)
561 {
562 uint8_t *data = NULL;
563 int data_size = 0;
564 int ret = 0;
565
566
567 if (session->internals.auth_struct->
568 gnutls_generate_server_certificate == NULL)
569 return 0;
570
571 data = NULL;
572 data_size = 0;
573
574 if (again == 0)
575 {
576 data_size =
577 session->internals.auth_struct->
578 gnutls_generate_server_certificate (session, &data);
579
580 if (data_size < 0)
581 {
582 gnutls_assert ();
583 return data_size;
584 }
585 }
586 ret =
587 _gnutls_send_handshake (session, data, data_size,
588 GNUTLS_HANDSHAKE_CERTIFICATE_PKT);
589 gnutls_free (data);
590
591 if (ret < 0)
592 {
593 gnutls_assert ();
594 return ret;
595 }
596
597 return data_size;
598 }
599
600
601 int
602 _gnutls_recv_client_certificate (gnutls_session_t session)
603 {
604 int datasize;
605 opaque *data;
606 int ret = 0;
607 int optional;
608
609 if (session->internals.auth_struct->
610 gnutls_process_client_certificate != NULL)
611 {
612
613 /* if we have not requested a certificate then just return
614 */
615 if (session->internals.send_cert_req == 0)
616 {
617 return 0;
618 }
619
620 if (session->internals.send_cert_req == GNUTLS_CERT_REQUIRE)
621 optional = MANDATORY_PACKET;
622 else
623 optional = OPTIONAL_PACKET;
624
625 ret =
626 _gnutls_recv_handshake (session, &data,
627 &datasize,
628 GNUTLS_HANDSHAKE_CERTIFICATE_PKT, optional);
629
630 if (ret < 0)
631 {
632 /* Handle the case of old SSL3 clients who send
633 * a warning alert instead of an empty certificate to indicate
634 * no certificate.
635 */
636 if (optional == OPTIONAL_PACKET &&
637 ret == GNUTLS_E_WARNING_ALERT_RECEIVED &&
638 gnutls_protocol_get_version (session) == GNUTLS_SSL3 &&
639 gnutls_alert_get (session) == GNUTLS_A_SSL3_NO_CERTIFICATE)
640 {
641
642 /* SSL3 does not send an empty certificate,
643 * but this alert. So we just ignore it.
644 */
645 gnutls_assert ();
646 return 0;
647 }
648
649 /* certificate was required
650 */
651 if ((ret == GNUTLS_E_WARNING_ALERT_RECEIVED
652 || ret == GNUTLS_E_FATAL_ALERT_RECEIVED)
653 && optional == MANDATORY_PACKET)
654 {
655 gnutls_assert ();
656 return GNUTLS_E_NO_CERTIFICATE_FOUND;
657 }
658
659 return ret;
660 }
661
662 if (ret == 0 && datasize == 0 && optional == OPTIONAL_PACKET)
663 {
664 /* Client has not sent the certificate message.
665 * well I'm not sure we should accept this
666 * behaviour.
667 */
668 gnutls_assert ();
669 return 0;
670 }
671 ret =
672 session->internals.auth_struct->
673 gnutls_process_client_certificate (session, data, datasize);
674
675 gnutls_free (data);
676 if (ret < 0 && ret != GNUTLS_E_NO_CERTIFICATE_FOUND)
677 {
678 gnutls_assert ();
679 return ret;
680 }
681
682 /* ok we should expect a certificate verify message now
683 */
684 if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND && optional == OPTIONAL_PACKET)
685 ret = 0;
686 else
687 session->key->certificate_requested = 1;
688
689 }
690
691 return ret;
692 }
693
694 int
695 _gnutls_recv_server_certificate (gnutls_session_t session)
696 {
697 int datasize;
698 opaque *data;
699 int ret = 0;
700
701 if (session->internals.auth_struct->
702 gnutls_process_server_certificate != NULL)
703 {
704
705 ret =
706 _gnutls_recv_handshake (session, &data,
707 &datasize,
708 GNUTLS_HANDSHAKE_CERTIFICATE_PKT,
709 MANDATORY_PACKET);
710 if (ret < 0)
711 {
712 gnutls_assert ();
713 return ret;
714 }
715
716 ret =
717 session->internals.auth_struct->
718 gnutls_process_server_certificate (session, data, datasize);
719 gnutls_free (data);
720 if (ret < 0)
721 {
722 gnutls_assert ();
723 return ret;
724 }
725 }
726
727 return ret;
728 }
729
730
731 /* Recv the client certificate verify. This packet may not
732 * arrive if the peer did not send us a certificate.
733 */
734 int
735 _gnutls_recv_client_certificate_verify_message (gnutls_session_t session)
736 {
737 uint8_t *data;
738 int datasize;
739 int ret = 0;
740
741
742 if (session->internals.auth_struct->gnutls_process_client_cert_vrfy != NULL)
743 {
744
745 if (session->internals.send_cert_req == 0 ||
746 session->key->certificate_requested == 0)
747 {
748 return 0;
749 }
750
751 ret =
752 _gnutls_recv_handshake (session, &data,
753 &datasize,
754 GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY,
755 OPTIONAL_PACKET);
756 if (ret < 0)
757 return ret;
758
759 if (ret == 0 && datasize == 0
760 && session->internals.send_cert_req == GNUTLS_CERT_REQUIRE)
761 {
762 /* certificate was required */
763 gnutls_assert ();
764 return GNUTLS_E_NO_CERTIFICATE_FOUND;
765 }
766
767 ret =
768 session->internals.auth_struct->
769 gnutls_process_client_cert_vrfy (session, data, datasize);
770 gnutls_free (data);
771 if (ret < 0)
772 return ret;
773
774 }
775
776 return ret;
777 }
Implementation of the SSL/TLS protocol