doc update
[gnutls.git] / lib / gnutls_kx.c
blob0cebd385f23b35d9fc5ceb9203bf0a437d18b6e9
1 /*
2 * Copyright (C) 2000-2012 Free Software Foundation, Inc.
4 * Author: Nikos Mavrogiannopoulos
6 * This file is part of GnuTLS.
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
23 /* This file contains functions which are wrappers for the key exchange
24 * part of TLS. They are called by the handshake functions (gnutls_handshake)
27 #include "gnutls_int.h"
28 #include "gnutls_handshake.h"
29 #include "gnutls_kx.h"
30 #include "gnutls_dh.h"
31 #include "gnutls_errors.h"
32 #include "algorithms.h"
33 #include "debug.h"
34 #include "gnutls_mpi.h"
35 #include <gnutls_state.h>
36 #include <gnutls_datum.h>
37 #include <gnutls_rsa_export.h>
38 #include <gnutls_mbuffers.h>
40 /* This is a temporary function to be used before the generate_*
41 internal API is changed to use mbuffers. For now we don't avoid the
42 extra alloc + memcpy. */
43 static inline int
44 send_handshake (gnutls_session_t session, uint8_t * data, size_t size,
45 gnutls_handshake_description_t type)
47 mbuffer_st *bufel;
49 if (data == NULL && size == 0)
50 return _gnutls_send_handshake (session, NULL, type);
52 if (data == NULL && size > 0)
54 gnutls_assert ();
55 return GNUTLS_E_INVALID_REQUEST;
58 bufel = _gnutls_handshake_alloc(session, size, size);
59 if (bufel == NULL)
61 gnutls_assert ();
62 return GNUTLS_E_MEMORY_ERROR;
65 _mbuffer_set_udata (bufel, data, size);
67 return _gnutls_send_handshake (session, bufel, type);
71 /* This file contains important thing for the TLS handshake procedure.
74 #define MASTER_SECRET "master secret"
75 #define MASTER_SECRET_SIZE (sizeof(MASTER_SECRET)-1)
76 static int generate_normal_master (gnutls_session_t session, gnutls_datum_t*, int);
78 int
79 _gnutls_generate_master (gnutls_session_t session, int keep_premaster)
81 if (session->internals.resumed == RESUME_FALSE)
82 return generate_normal_master (session, &session->key->key, keep_premaster);
83 else if (session->internals.premaster_set)
85 gnutls_datum_t premaster;
86 premaster.size = sizeof(session->internals.resumed_security_parameters.master_secret);
87 premaster.data = session->internals.resumed_security_parameters.master_secret;
88 return generate_normal_master(session, &premaster, 1);
90 return 0;
93 /* here we generate the TLS Master secret.
95 static int
96 generate_normal_master (gnutls_session_t session, gnutls_datum_t *premaster,
97 int keep_premaster)
99 int ret = 0;
100 char buf[512];
102 _gnutls_hard_log ("INT: PREMASTER SECRET[%d]: %s\n", premaster->size,
103 _gnutls_bin2hex (premaster->data, premaster->size, buf,
104 sizeof (buf), NULL));
105 _gnutls_hard_log ("INT: CLIENT RANDOM[%d]: %s\n", 32,
106 _gnutls_bin2hex (session->
107 security_parameters.client_random, 32,
108 buf, sizeof (buf), NULL));
109 _gnutls_hard_log ("INT: SERVER RANDOM[%d]: %s\n", 32,
110 _gnutls_bin2hex (session->
111 security_parameters.server_random, 32,
112 buf, sizeof (buf), NULL));
114 if (gnutls_protocol_get_version (session) == GNUTLS_SSL3)
116 uint8_t rnd[2 * GNUTLS_RANDOM_SIZE + 1];
118 memcpy (rnd, session->security_parameters.client_random,
119 GNUTLS_RANDOM_SIZE);
120 memcpy (&rnd[GNUTLS_RANDOM_SIZE],
121 session->security_parameters.server_random, GNUTLS_RANDOM_SIZE);
123 ret =
124 _gnutls_ssl3_generate_random (premaster->data, premaster->size,
125 rnd, 2 * GNUTLS_RANDOM_SIZE,
126 GNUTLS_MASTER_SIZE,
127 session->
128 security_parameters.master_secret);
131 else
133 uint8_t rnd[2 * GNUTLS_RANDOM_SIZE + 1];
135 memcpy (rnd, session->security_parameters.client_random,
136 GNUTLS_RANDOM_SIZE);
137 memcpy (&rnd[GNUTLS_RANDOM_SIZE],
138 session->security_parameters.server_random, GNUTLS_RANDOM_SIZE);
140 ret =
141 _gnutls_PRF (session, premaster->data, premaster->size,
142 MASTER_SECRET, MASTER_SECRET_SIZE,
143 rnd, 2 * GNUTLS_RANDOM_SIZE, GNUTLS_MASTER_SIZE,
144 session->security_parameters.master_secret);
147 if (!keep_premaster)
148 _gnutls_free_datum (premaster);
150 if (ret < 0)
151 return ret;
153 _gnutls_hard_log ("INT: MASTER SECRET: %s\n",
154 _gnutls_bin2hex (session->
155 security_parameters.master_secret,
156 GNUTLS_MASTER_SIZE, buf, sizeof (buf),
157 NULL));
159 return ret;
163 /* This is called when we want to receive the key exchange message of the
164 * server. It does nothing if this type of message is not required
165 * by the selected ciphersuite.
168 _gnutls_send_server_kx_message (gnutls_session_t session, int again)
170 gnutls_buffer_st data;
171 int ret = 0;
173 if (session->internals.auth_struct->gnutls_generate_server_kx == NULL)
174 return 0;
176 _gnutls_buffer_init( &data);
178 if (again == 0)
180 ret =
181 session->internals.auth_struct->gnutls_generate_server_kx (session,
182 &data);
184 if (ret == GNUTLS_E_INT_RET_0)
186 gnutls_assert ();
187 ret = 0;
188 goto cleanup;
191 if (ret < 0)
193 gnutls_assert ();
194 goto cleanup;
198 ret = send_handshake (session, data.data, data.length,
199 GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE);
200 if (ret < 0)
202 gnutls_assert ();
205 cleanup:
206 _gnutls_buffer_clear (&data);
207 return ret;
210 /* This function sends a certificate request message to the
211 * client.
214 _gnutls_send_server_crt_request (gnutls_session_t session, int again)
216 gnutls_buffer_st data;
217 int ret = 0;
219 if (session->internals.
220 auth_struct->gnutls_generate_server_crt_request == NULL)
221 return 0;
223 if (session->internals.send_cert_req <= 0)
224 return 0;
226 _gnutls_buffer_init( &data);
228 if (again == 0)
230 ret =
231 session->internals.
232 auth_struct->gnutls_generate_server_crt_request (session,
233 &data);
235 if (ret < 0)
237 gnutls_assert ();
238 goto cleanup;
242 ret = send_handshake (session, data.data, data.length,
243 GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST);
244 if (ret < 0)
246 gnutls_assert ();
249 cleanup:
250 _gnutls_buffer_clear (&data);
251 return ret;
255 /* This is the function for the client to send the key
256 * exchange message
259 _gnutls_send_client_kx_message (gnutls_session_t session, int again)
261 gnutls_buffer_st data;
262 int ret = 0;
264 if (session->internals.auth_struct->gnutls_generate_client_kx == NULL)
265 return 0;
267 _gnutls_buffer_init( &data);
269 if (again == 0)
271 ret =
272 session->internals.auth_struct->gnutls_generate_client_kx (session,
273 &data);
274 if (ret < 0)
276 gnutls_assert();
277 goto cleanup;
280 ret = send_handshake (session, data.data, data.length,
281 GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE);
282 if (ret < 0)
284 gnutls_assert ();
287 cleanup:
288 _gnutls_buffer_clear (&data);
289 return ret;
293 /* This is the function for the client to send the certificate
294 * verify message
297 _gnutls_send_client_certificate_verify (gnutls_session_t session, int again)
299 gnutls_buffer_st data;
300 int ret = 0;
302 /* This is a packet that is only sent by the client
304 if (session->security_parameters.entity == GNUTLS_SERVER)
305 return 0;
307 /* if certificate verify is not needed just exit
309 if (session->key->crt_requested == 0)
310 return 0;
313 if (session->internals.auth_struct->gnutls_generate_client_crt_vrfy ==
314 NULL)
316 gnutls_assert ();
317 return 0; /* this algorithm does not support cli_crt_vrfy
321 _gnutls_buffer_init( &data);
323 if (again == 0)
325 ret =
326 session->internals.
327 auth_struct->gnutls_generate_client_crt_vrfy (session, &data);
328 if (ret < 0)
330 gnutls_assert();
331 goto cleanup;
334 if (ret == 0)
335 goto cleanup;
338 ret = send_handshake (session, data.data, data.length,
339 GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY);
341 if (ret < 0)
343 gnutls_assert ();
346 cleanup:
347 _gnutls_buffer_clear (&data);
348 return ret;
351 /* This is called when we want send our certificate
354 _gnutls_send_client_certificate (gnutls_session_t session, int again)
356 gnutls_buffer_st data;
357 int ret = 0;
360 if (session->key->crt_requested == 0)
361 return 0;
363 if (session->internals.auth_struct->gnutls_generate_client_certificate ==
364 NULL)
365 return 0;
367 _gnutls_buffer_init( &data);
369 if (again == 0)
371 if (gnutls_protocol_get_version (session) != GNUTLS_SSL3 ||
372 session->internals.selected_cert_list_length > 0)
374 /* TLS 1.0 or SSL 3.0 with a valid certificate
376 ret =
377 session->internals.
378 auth_struct->gnutls_generate_client_certificate (session, &data);
380 if (ret < 0)
382 gnutls_assert();
383 goto cleanup;
388 /* In the SSL 3.0 protocol we need to send a
389 * no certificate alert instead of an
390 * empty certificate.
392 if (gnutls_protocol_get_version (session) == GNUTLS_SSL3 &&
393 session->internals.selected_cert_list_length == 0)
395 ret =
396 gnutls_alert_send (session, GNUTLS_AL_WARNING,
397 GNUTLS_A_SSL3_NO_CERTIFICATE);
400 else
401 { /* TLS 1.0 or SSL 3.0 with a valid certificate
403 ret = send_handshake (session, data.data, data.length,
404 GNUTLS_HANDSHAKE_CERTIFICATE_PKT);
407 cleanup:
408 _gnutls_buffer_clear (&data);
409 return ret;
413 /* This is called when we want send our certificate
416 _gnutls_send_server_certificate (gnutls_session_t session, int again)
418 gnutls_buffer_st data;
419 int ret = 0;
422 if (session->internals.auth_struct->gnutls_generate_server_certificate ==
423 NULL)
424 return 0;
426 _gnutls_buffer_init( &data);
428 if (again == 0)
430 ret =
431 session->internals.
432 auth_struct->gnutls_generate_server_certificate (session, &data);
434 if (ret < 0)
436 gnutls_assert();
437 goto cleanup;
440 ret = send_handshake (session, data.data, data.length,
441 GNUTLS_HANDSHAKE_CERTIFICATE_PKT);
442 if (ret < 0)
444 gnutls_assert ();
447 cleanup:
448 _gnutls_buffer_clear (&data);
449 return ret;
454 _gnutls_recv_server_kx_message (gnutls_session_t session)
456 gnutls_buffer_st buf;
457 int ret = 0;
458 unsigned int optflag = 0;
460 if (session->internals.auth_struct->gnutls_process_server_kx != NULL)
463 /* EXCEPTION FOR RSA_EXPORT cipher suite
465 if (_gnutls_session_is_export (session) != 0 &&
466 _gnutls_peers_cert_less_512 (session) != 0)
468 gnutls_assert ();
469 return 0;
472 /* Server key exchange packet is optional for PSK. */
473 if (_gnutls_session_is_psk (session))
474 optflag = 1;
476 ret =
477 _gnutls_recv_handshake (session,
478 GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE,
479 optflag, &buf);
480 if (ret < 0)
482 gnutls_assert ();
483 return ret;
486 ret =
487 session->internals.auth_struct->gnutls_process_server_kx (session,
488 buf.data,
489 buf.length);
490 _gnutls_buffer_clear(&buf);
492 if (ret < 0)
494 gnutls_assert ();
495 return ret;
499 return ret;
503 _gnutls_recv_server_crt_request (gnutls_session_t session)
505 gnutls_buffer_st buf;
506 int ret = 0;
508 if (session->internals.
509 auth_struct->gnutls_process_server_crt_request != NULL)
512 ret =
513 _gnutls_recv_handshake (session,
514 GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST,
515 1, &buf);
516 if (ret < 0)
517 return ret;
519 if (ret == 0 && buf.length == 0)
521 _gnutls_buffer_clear(&buf);
522 return 0; /* ignored */
525 ret =
526 session->internals.
527 auth_struct->gnutls_process_server_crt_request (session, buf.data,
528 buf.length);
529 _gnutls_buffer_clear (&buf);
530 if (ret < 0)
531 return ret;
534 return ret;
538 _gnutls_recv_client_kx_message (gnutls_session_t session)
540 gnutls_buffer_st buf;
541 int ret = 0;
544 /* Do key exchange only if the algorithm permits it */
545 if (session->internals.auth_struct->gnutls_process_client_kx != NULL)
548 ret =
549 _gnutls_recv_handshake (session,
550 GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE,
551 0, &buf);
552 if (ret < 0)
553 return ret;
555 ret =
556 session->internals.auth_struct->gnutls_process_client_kx (session,
557 buf.data,
558 buf.length);
559 _gnutls_buffer_clear (&buf);
560 if (ret < 0)
561 return ret;
565 return ret;
570 _gnutls_recv_client_certificate (gnutls_session_t session)
572 gnutls_buffer_st buf;
573 int ret = 0;
574 int optional;
576 if (session->internals.auth_struct->gnutls_process_client_certificate ==
577 NULL)
578 return 0;
580 /* if we have not requested a certificate then just return
582 if (session->internals.send_cert_req == 0)
584 return 0;
587 if (session->internals.send_cert_req == GNUTLS_CERT_REQUIRE)
588 optional = 0;
589 else
590 optional = 1;
592 ret =
593 _gnutls_recv_handshake (session, GNUTLS_HANDSHAKE_CERTIFICATE_PKT,
594 optional, &buf);
596 if (ret < 0)
598 /* Handle the case of old SSL3 clients who send
599 * a warning alert instead of an empty certificate to indicate
600 * no certificate.
602 if (optional != 0 &&
603 ret == GNUTLS_E_WARNING_ALERT_RECEIVED &&
604 gnutls_protocol_get_version (session) == GNUTLS_SSL3 &&
605 gnutls_alert_get (session) == GNUTLS_A_SSL3_NO_CERTIFICATE)
608 /* SSL3 does not send an empty certificate,
609 * but this alert. So we just ignore it.
611 gnutls_assert ();
612 return 0;
615 /* certificate was required
617 if ((ret == GNUTLS_E_WARNING_ALERT_RECEIVED
618 || ret == GNUTLS_E_FATAL_ALERT_RECEIVED)
619 && optional == 0)
621 gnutls_assert ();
622 return GNUTLS_E_NO_CERTIFICATE_FOUND;
625 return ret;
628 if (ret == 0 && buf.length == 0 && optional != 0)
630 /* Client has not sent the certificate message.
631 * well I'm not sure we should accept this
632 * behaviour.
634 gnutls_assert ();
635 ret = 0;
636 goto cleanup;
638 ret =
639 session->internals.
640 auth_struct->gnutls_process_client_certificate (session, buf.data,
641 buf.length);
643 if (ret < 0 && ret != GNUTLS_E_NO_CERTIFICATE_FOUND)
645 gnutls_assert ();
646 goto cleanup;
649 /* ok we should expect a certificate verify message now
651 if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND && optional != 0)
652 ret = 0;
653 else
654 session->key->crt_requested = 1;
656 cleanup:
657 _gnutls_buffer_clear(&buf);
658 return ret;
662 _gnutls_recv_server_certificate (gnutls_session_t session)
664 gnutls_buffer_st buf;
665 int ret = 0;
667 if (session->internals.auth_struct->gnutls_process_server_certificate !=
668 NULL)
671 ret =
672 _gnutls_recv_handshake (session,
673 GNUTLS_HANDSHAKE_CERTIFICATE_PKT,
674 0, &buf);
675 if (ret < 0)
677 gnutls_assert ();
678 return ret;
681 ret =
682 session->internals.
683 auth_struct->gnutls_process_server_certificate (session, buf.data,
684 buf.length);
685 _gnutls_buffer_clear(&buf);
686 if (ret < 0)
688 gnutls_assert ();
689 return ret;
693 return ret;
697 /* Recv the client certificate verify. This packet may not
698 * arrive if the peer did not send us a certificate.
701 _gnutls_recv_client_certificate_verify_message (gnutls_session_t session)
703 gnutls_buffer_st buf;
704 int ret = 0;
707 if (session->internals.auth_struct->gnutls_process_client_crt_vrfy == NULL)
708 return 0;
710 if (session->internals.send_cert_req == 0 ||
711 session->key->crt_requested == 0)
713 return 0;
716 ret =
717 _gnutls_recv_handshake (session,
718 GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY,
719 1, &buf);
720 if (ret < 0)
721 return ret;
723 if (ret == 0 && buf.length == 0
724 && session->internals.send_cert_req == GNUTLS_CERT_REQUIRE)
726 /* certificate was required */
727 gnutls_assert ();
728 ret = GNUTLS_E_NO_CERTIFICATE_FOUND;
729 goto cleanup;
732 ret =
733 session->internals.
734 auth_struct->gnutls_process_client_crt_vrfy (session, buf.data,
735 buf.length);
737 cleanup:
738 _gnutls_buffer_clear(&buf);
739 return ret;