2 * Copyright (C) 2000, 2001, 2004, 2005, 2006, 2008 Free Software Foundation
4 * Author: Nikos Mavrogiannopoulos
6 * This file is part of GNUTLS.
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
25 /* This file contains functions which are wrappers for the key exchange
26 * part of TLS. They are called by the handshake functions (gnutls_handshake)
29 #include "gnutls_int.h"
30 #include "gnutls_handshake.h"
31 #include "gnutls_kx.h"
32 #include "gnutls_dh.h"
33 #include "gnutls_errors.h"
34 #include "gnutls_algorithms.h"
36 #include "gnutls_mpi.h"
37 #include <gnutls_state.h>
38 #include <gnutls_datum.h>
39 #include <gnutls_rsa_export.h>
41 /* This file contains important thing for the TLS handshake procedure.
44 #define MASTER_SECRET "master secret"
45 static int generate_normal_master (gnutls_session_t session
, int);
48 _gnutls_generate_master (gnutls_session_t session
, int keep_premaster
)
50 if (session
->internals
.resumed
== RESUME_FALSE
)
51 return generate_normal_master (session
, keep_premaster
);
55 /* here we generate the TLS Master secret.
57 #define PREMASTER session->key->key
59 generate_normal_master (gnutls_session_t session
, int keep_premaster
)
64 _gnutls_hard_log ("INT: PREMASTER SECRET[%d]: %s\n", PREMASTER
.size
,
65 _gnutls_bin2hex (PREMASTER
.data
, PREMASTER
.size
, buf
,
67 _gnutls_hard_log ("INT: CLIENT RANDOM[%d]: %s\n", 32,
68 _gnutls_bin2hex (session
->security_parameters
.
69 client_random
, 32, buf
, sizeof (buf
)));
70 _gnutls_hard_log ("INT: SERVER RANDOM[%d]: %s\n", 32,
71 _gnutls_bin2hex (session
->security_parameters
.
72 server_random
, 32, buf
, sizeof (buf
)));
74 if (gnutls_protocol_get_version (session
) == GNUTLS_SSL3
)
76 opaque rnd
[2 * GNUTLS_RANDOM_SIZE
+ 1];
78 memcpy (rnd
, session
->security_parameters
.client_random
,
80 memcpy (&rnd
[GNUTLS_RANDOM_SIZE
],
81 session
->security_parameters
.server_random
, GNUTLS_RANDOM_SIZE
);
84 _gnutls_ssl3_generate_random (PREMASTER
.data
, PREMASTER
.size
,
85 rnd
, 2 * GNUTLS_RANDOM_SIZE
,
87 session
->security_parameters
.
91 else if (session
->security_parameters
.extensions
.oprfi_client_len
> 0 &&
92 session
->security_parameters
.extensions
.oprfi_server_len
> 0)
95 size_t rndlen
= 2 * GNUTLS_RANDOM_SIZE
;
97 rndlen
+= session
->security_parameters
.extensions
.oprfi_client_len
;
98 rndlen
+= session
->security_parameters
.extensions
.oprfi_server_len
;
100 rnd
= gnutls_malloc (rndlen
+ 1);
104 return GNUTLS_E_MEMORY_ERROR
;
107 _gnutls_hard_log ("INT: CLIENT OPRFI[%d]: %s\n",
108 session
->security_parameters
.
109 extensions
.oprfi_server_len
,
110 _gnutls_bin2hex (session
->security_parameters
.
111 extensions
.oprfi_client
,
112 session
->security_parameters
.
113 extensions
.oprfi_client_len
, buf
,
115 _gnutls_hard_log ("INT: SERVER OPRFI[%d]: %s\n",
116 session
->security_parameters
.
117 extensions
.oprfi_server_len
,
118 _gnutls_bin2hex (session
->security_parameters
.
119 extensions
.oprfi_server
,
120 session
->security_parameters
.
121 extensions
.oprfi_server_len
, buf
,
124 memcpy (rnd
, session
->security_parameters
.client_random
,
126 memcpy (rnd
+ GNUTLS_RANDOM_SIZE
,
127 session
->security_parameters
.extensions
.oprfi_client
,
128 session
->security_parameters
.extensions
.oprfi_client_len
);
129 memcpy (rnd
+ GNUTLS_RANDOM_SIZE
+
130 session
->security_parameters
.extensions
.oprfi_client_len
,
131 session
->security_parameters
.server_random
, GNUTLS_RANDOM_SIZE
);
132 memcpy (rnd
+ GNUTLS_RANDOM_SIZE
+
133 session
->security_parameters
.extensions
.oprfi_client_len
+
135 session
->security_parameters
.extensions
.oprfi_server
,
136 session
->security_parameters
.extensions
.oprfi_server_len
);
138 ret
= _gnutls_PRF (session
, PREMASTER
.data
, PREMASTER
.size
,
139 MASTER_SECRET
, strlen (MASTER_SECRET
),
140 rnd
, rndlen
, GNUTLS_MASTER_SIZE
,
141 session
->security_parameters
.master_secret
);
147 opaque rnd
[2 * GNUTLS_RANDOM_SIZE
+ 1];
149 memcpy (rnd
, session
->security_parameters
.client_random
,
151 memcpy (&rnd
[GNUTLS_RANDOM_SIZE
],
152 session
->security_parameters
.server_random
, GNUTLS_RANDOM_SIZE
);
155 _gnutls_PRF (session
, PREMASTER
.data
, PREMASTER
.size
,
156 MASTER_SECRET
, strlen (MASTER_SECRET
),
157 rnd
, 2 * GNUTLS_RANDOM_SIZE
, GNUTLS_MASTER_SIZE
,
158 session
->security_parameters
.master_secret
);
161 /* TLS/IA inner secret is derived from the master secret. */
162 memcpy (session
->security_parameters
.inner_secret
,
163 session
->security_parameters
.master_secret
, GNUTLS_MASTER_SIZE
);
166 _gnutls_free_datum (&PREMASTER
);
171 _gnutls_hard_log ("INT: MASTER SECRET: %s\n",
172 _gnutls_bin2hex (session
->security_parameters
.
173 master_secret
, GNUTLS_MASTER_SIZE
, buf
,
180 /* This is called when we want to receive the key exchange message of the
181 * server. It does nothing if this type of message is not required
182 * by the selected ciphersuite.
185 _gnutls_send_server_kx_message (gnutls_session_t session
, int again
)
187 uint8_t *data
= NULL
;
191 if (session
->internals
.auth_struct
->gnutls_generate_server_kx
== NULL
)
200 session
->internals
.auth_struct
->gnutls_generate_server_kx (session
,
203 if (data_size
== GNUTLS_E_INT_RET_0
)
217 _gnutls_send_handshake (session
, data
, data_size
,
218 GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE
);
229 /* This function sends a certificate request message to the
233 _gnutls_send_server_certificate_request (gnutls_session_t session
, int again
)
235 uint8_t *data
= NULL
;
239 if (session
->internals
.auth_struct
->
240 gnutls_generate_server_certificate_request
== NULL
)
243 if (session
->internals
.send_cert_req
<= 0)
252 session
->internals
.auth_struct
->
253 gnutls_generate_server_certificate_request (session
, &data
);
262 _gnutls_send_handshake (session
, data
, data_size
,
263 GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST
);
275 /* This is the function for the client to send the key
279 _gnutls_send_client_kx_message (gnutls_session_t session
, int again
)
285 if (session
->internals
.auth_struct
->gnutls_generate_client_kx
== NULL
)
295 session
->internals
.auth_struct
->gnutls_generate_client_kx (session
,
304 _gnutls_send_handshake (session
, data
, data_size
,
305 GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE
);
318 /* This is the function for the client to send the certificate
322 _gnutls_send_client_certificate_verify (gnutls_session_t session
, int again
)
328 /* This is a packet that is only sent by the client
330 if (session
->security_parameters
.entity
== GNUTLS_SERVER
)
333 /* if certificate verify is not needed just exit
335 if (session
->key
->certificate_requested
== 0)
338 if (session
->internals
.auth_struct
->gnutls_generate_client_cert_vrfy
==
342 return 0; /* this algorithm does not support cli_cert_vrfy
352 session
->internals
.auth_struct
->
353 gnutls_generate_client_cert_vrfy (session
, &data
);
364 _gnutls_send_handshake (session
, data
,
365 data_size
, GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY
);
373 _gnutls_recv_server_kx_message (gnutls_session_t session
)
375 uint8_t *data
= NULL
;
378 Optional optflag
= MANDATORY_PACKET
;
380 if (session
->internals
.auth_struct
->gnutls_process_server_kx
!= NULL
)
383 /* EXCEPTION FOR RSA_EXPORT cipher suite
385 if (_gnutls_session_is_export (session
) != 0 &&
386 _gnutls_peers_cert_less_512 (session
) != 0)
392 /* Server key exchange packet is optional for PSK. */
393 if (_gnutls_session_is_psk (session
))
394 optflag
= OPTIONAL_PACKET
;
397 _gnutls_recv_handshake (session
, &data
,
399 GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE
,
408 session
->internals
.auth_struct
->gnutls_process_server_kx (session
,
424 _gnutls_recv_server_certificate_request (gnutls_session_t session
)
430 if (session
->internals
.auth_struct
->
431 gnutls_process_server_certificate_request
!= NULL
)
435 _gnutls_recv_handshake (session
, &data
,
437 GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST
,
442 if (ret
== 0 && datasize
== 0)
443 return 0; /* ignored */
446 session
->internals
.auth_struct
->
447 gnutls_process_server_certificate_request (session
, data
, datasize
);
457 _gnutls_recv_client_kx_message (gnutls_session_t session
)
464 /* Do key exchange only if the algorithm permits it */
465 if (session
->internals
.auth_struct
->gnutls_process_client_kx
!= NULL
)
469 _gnutls_recv_handshake (session
, &data
,
471 GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE
,
477 session
->internals
.auth_struct
->gnutls_process_client_kx (session
,
490 /* This is called when we want send our certificate
493 _gnutls_send_client_certificate (gnutls_session_t session
, int again
)
495 uint8_t *data
= NULL
;
500 if (session
->key
->certificate_requested
== 0)
503 if (session
->internals
.auth_struct
->gnutls_generate_client_certificate
==
512 if (gnutls_protocol_get_version (session
) != GNUTLS_SSL3
||
513 session
->internals
.selected_cert_list_length
> 0)
515 /* TLS 1.0 or SSL 3.0 with a valid certificate
518 session
->internals
.auth_struct
->
519 gnutls_generate_client_certificate (session
, &data
);
529 /* In the SSL 3.0 protocol we need to send a
530 * no certificate alert instead of an
533 if (gnutls_protocol_get_version (session
) == GNUTLS_SSL3
&&
534 session
->internals
.selected_cert_list_length
== 0)
537 gnutls_alert_send (session
, GNUTLS_AL_WARNING
,
538 GNUTLS_A_SSL3_NO_CERTIFICATE
);
542 { /* TLS 1.0 or SSL 3.0 with a valid certificate
545 _gnutls_send_handshake (session
, data
, data_size
,
546 GNUTLS_HANDSHAKE_CERTIFICATE_PKT
);
560 /* This is called when we want send our certificate
563 _gnutls_send_server_certificate (gnutls_session_t session
, int again
)
565 uint8_t *data
= NULL
;
570 if (session
->internals
.auth_struct
->gnutls_generate_server_certificate
==
580 session
->internals
.auth_struct
->
581 gnutls_generate_server_certificate (session
, &data
);
590 _gnutls_send_handshake (session
, data
, data_size
,
591 GNUTLS_HANDSHAKE_CERTIFICATE_PKT
);
605 _gnutls_recv_client_certificate (gnutls_session_t session
)
612 if (session
->internals
.auth_struct
->gnutls_process_client_certificate
!=
616 /* if we have not requested a certificate then just return
618 if (session
->internals
.send_cert_req
== 0)
623 if (session
->internals
.send_cert_req
== GNUTLS_CERT_REQUIRE
)
624 optional
= MANDATORY_PACKET
;
626 optional
= OPTIONAL_PACKET
;
629 _gnutls_recv_handshake (session
, &data
,
631 GNUTLS_HANDSHAKE_CERTIFICATE_PKT
, optional
);
635 /* Handle the case of old SSL3 clients who send
636 * a warning alert instead of an empty certificate to indicate
639 if (optional
== OPTIONAL_PACKET
&&
640 ret
== GNUTLS_E_WARNING_ALERT_RECEIVED
&&
641 gnutls_protocol_get_version (session
) == GNUTLS_SSL3
&&
642 gnutls_alert_get (session
) == GNUTLS_A_SSL3_NO_CERTIFICATE
)
645 /* SSL3 does not send an empty certificate,
646 * but this alert. So we just ignore it.
652 /* certificate was required
654 if ((ret
== GNUTLS_E_WARNING_ALERT_RECEIVED
655 || ret
== GNUTLS_E_FATAL_ALERT_RECEIVED
)
656 && optional
== MANDATORY_PACKET
)
659 return GNUTLS_E_NO_CERTIFICATE_FOUND
;
665 if (ret
== 0 && datasize
== 0 && optional
== OPTIONAL_PACKET
)
667 /* Client has not sent the certificate message.
668 * well I'm not sure we should accept this
675 session
->internals
.auth_struct
->
676 gnutls_process_client_certificate (session
, data
, datasize
);
679 if (ret
< 0 && ret
!= GNUTLS_E_NO_CERTIFICATE_FOUND
)
685 /* ok we should expect a certificate verify message now
687 if (ret
== GNUTLS_E_NO_CERTIFICATE_FOUND
&& optional
== OPTIONAL_PACKET
)
690 session
->key
->certificate_requested
= 1;
698 _gnutls_recv_server_certificate (gnutls_session_t session
)
704 if (session
->internals
.auth_struct
->gnutls_process_server_certificate
!=
709 _gnutls_recv_handshake (session
, &data
,
711 GNUTLS_HANDSHAKE_CERTIFICATE_PKT
,
720 session
->internals
.auth_struct
->
721 gnutls_process_server_certificate (session
, data
, datasize
);
734 /* Recv the client certificate verify. This packet may not
735 * arrive if the peer did not send us a certificate.
738 _gnutls_recv_client_certificate_verify_message (gnutls_session_t session
)
745 if (session
->internals
.auth_struct
->gnutls_process_client_cert_vrfy
!= NULL
)
748 if (session
->internals
.send_cert_req
== 0 ||
749 session
->key
->certificate_requested
== 0)
755 _gnutls_recv_handshake (session
, &data
,
757 GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY
,
762 if (ret
== 0 && datasize
== 0
763 && session
->internals
.send_cert_req
== GNUTLS_CERT_REQUIRE
)
765 /* certificate was required */
767 return GNUTLS_E_NO_CERTIFICATE_FOUND
;
771 session
->internals
.auth_struct
->
772 gnutls_process_client_cert_vrfy (session
, data
, datasize
);