2 * Copyright (C) 2000, 2001, 2004, 2005, 2006, 2008, 2010 Free Software
5 * Author: Nikos Mavrogiannopoulos
7 * This file is part of GnuTLS.
9 * The GnuTLS is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Lesser General Public License
11 * as published by the Free Software Foundation; either version 3 of
12 * the License, or (at your option) any later version.
14 * This library is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * Lesser General Public License for more details.
19 * You should have received a copy of the GNU Lesser General Public License
20 * along with this program. If not, see <http://www.gnu.org/licenses/>
24 /* This file contains functions which are wrappers for the key exchange
25 * part of TLS. They are called by the handshake functions (gnutls_handshake)
28 #include "gnutls_int.h"
29 #include "gnutls_handshake.h"
30 #include "gnutls_kx.h"
31 #include "gnutls_dh.h"
32 #include "gnutls_errors.h"
33 #include "algorithms.h"
35 #include "gnutls_mpi.h"
36 #include <gnutls_state.h>
37 #include <gnutls_datum.h>
38 #include <gnutls_rsa_export.h>
39 #include <gnutls_mbuffers.h>
41 /* This is a temporary function to be used before the generate_*
42 internal API is changed to use mbuffers. For now we don't avoid the
43 extra alloc + memcpy. */
45 send_handshake (gnutls_session_t session
, opaque
* data
, size_t size
,
46 gnutls_handshake_description_t type
)
50 if (data
== NULL
&& size
== 0)
51 return _gnutls_send_handshake (session
, NULL
, type
);
53 if (data
== NULL
&& size
> 0)
56 return GNUTLS_E_INVALID_REQUEST
;
59 bufel
= _gnutls_handshake_alloc(session
, size
, size
);
63 return GNUTLS_E_MEMORY_ERROR
;
66 _mbuffer_set_udata (bufel
, data
, size
);
68 return _gnutls_send_handshake (session
, bufel
, type
);
72 /* This file contains important thing for the TLS handshake procedure.
75 #define MASTER_SECRET "master secret"
76 #define MASTER_SECRET_SIZE (sizeof(MASTER_SECRET)-1)
77 static int generate_normal_master (gnutls_session_t session
, int);
80 _gnutls_generate_master (gnutls_session_t session
, int keep_premaster
)
82 if (session
->internals
.resumed
== RESUME_FALSE
)
83 return generate_normal_master (session
, keep_premaster
);
87 /* here we generate the TLS Master secret.
89 #define PREMASTER session->key->key
91 generate_normal_master (gnutls_session_t session
, int keep_premaster
)
96 _gnutls_hard_log ("INT: PREMASTER SECRET[%d]: %s\n", PREMASTER
.size
,
97 _gnutls_bin2hex (PREMASTER
.data
, PREMASTER
.size
, buf
,
99 _gnutls_hard_log ("INT: CLIENT RANDOM[%d]: %s\n", 32,
100 _gnutls_bin2hex (session
->
101 security_parameters
.client_random
, 32,
102 buf
, sizeof (buf
), NULL
));
103 _gnutls_hard_log ("INT: SERVER RANDOM[%d]: %s\n", 32,
104 _gnutls_bin2hex (session
->
105 security_parameters
.server_random
, 32,
106 buf
, sizeof (buf
), NULL
));
108 if (gnutls_protocol_get_version (session
) == GNUTLS_SSL3
)
110 opaque rnd
[2 * GNUTLS_RANDOM_SIZE
+ 1];
112 memcpy (rnd
, session
->security_parameters
.client_random
,
114 memcpy (&rnd
[GNUTLS_RANDOM_SIZE
],
115 session
->security_parameters
.server_random
, GNUTLS_RANDOM_SIZE
);
118 _gnutls_ssl3_generate_random (PREMASTER
.data
, PREMASTER
.size
,
119 rnd
, 2 * GNUTLS_RANDOM_SIZE
,
122 security_parameters
.master_secret
);
127 opaque rnd
[2 * GNUTLS_RANDOM_SIZE
+ 1];
129 memcpy (rnd
, session
->security_parameters
.client_random
,
131 memcpy (&rnd
[GNUTLS_RANDOM_SIZE
],
132 session
->security_parameters
.server_random
, GNUTLS_RANDOM_SIZE
);
135 _gnutls_PRF (session
, PREMASTER
.data
, PREMASTER
.size
,
136 MASTER_SECRET
, MASTER_SECRET_SIZE
,
137 rnd
, 2 * GNUTLS_RANDOM_SIZE
, GNUTLS_MASTER_SIZE
,
138 session
->security_parameters
.master_secret
);
142 _gnutls_free_datum (&PREMASTER
);
147 _gnutls_hard_log ("INT: MASTER SECRET: %s\n",
148 _gnutls_bin2hex (session
->
149 security_parameters
.master_secret
,
150 GNUTLS_MASTER_SIZE
, buf
, sizeof (buf
),
157 /* This is called when we want to receive the key exchange message of the
158 * server. It does nothing if this type of message is not required
159 * by the selected ciphersuite.
162 _gnutls_send_server_kx_message (gnutls_session_t session
, int again
)
164 gnutls_buffer_st data
;
167 if (session
->internals
.auth_struct
->gnutls_generate_server_kx
== NULL
)
170 _gnutls_buffer_init( &data
);
175 session
->internals
.auth_struct
->gnutls_generate_server_kx (session
,
178 if (ret
== GNUTLS_E_INT_RET_0
)
192 ret
= send_handshake (session
, data
.data
, data
.length
,
193 GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE
);
200 _gnutls_buffer_clear (&data
);
204 /* This function sends a certificate request message to the
208 _gnutls_send_server_certificate_request (gnutls_session_t session
, int again
)
210 gnutls_buffer_st data
;
213 if (session
->internals
.
214 auth_struct
->gnutls_generate_server_certificate_request
== NULL
)
217 if (session
->internals
.send_cert_req
<= 0)
220 _gnutls_buffer_init( &data
);
226 auth_struct
->gnutls_generate_server_certificate_request (session
,
236 ret
= send_handshake (session
, data
.data
, data
.length
,
237 GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST
);
244 _gnutls_buffer_clear (&data
);
249 /* This is the function for the client to send the key
253 _gnutls_send_client_kx_message (gnutls_session_t session
, int again
)
255 gnutls_buffer_st data
;
258 if (session
->internals
.auth_struct
->gnutls_generate_client_kx
== NULL
)
261 _gnutls_buffer_init( &data
);
266 session
->internals
.auth_struct
->gnutls_generate_client_kx (session
,
274 ret
= send_handshake (session
, data
.data
, data
.length
,
275 GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE
);
282 _gnutls_buffer_clear (&data
);
287 /* This is the function for the client to send the certificate
291 _gnutls_send_client_certificate_verify (gnutls_session_t session
, int again
)
293 gnutls_buffer_st data
;
296 /* This is a packet that is only sent by the client
298 if (session
->security_parameters
.entity
== GNUTLS_SERVER
)
301 /* if certificate verify is not needed just exit
303 if (session
->key
->certificate_requested
== 0)
307 if (session
->internals
.auth_struct
->gnutls_generate_client_cert_vrfy
==
311 return 0; /* this algorithm does not support cli_cert_vrfy
315 _gnutls_buffer_init( &data
);
321 auth_struct
->gnutls_generate_client_cert_vrfy (session
, &data
);
332 ret
= send_handshake (session
, data
.data
, data
.length
,
333 GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY
);
341 _gnutls_buffer_clear (&data
);
345 /* This is called when we want send our certificate
348 _gnutls_send_client_certificate (gnutls_session_t session
, int again
)
350 gnutls_buffer_st data
;
354 if (session
->key
->certificate_requested
== 0)
357 if (session
->internals
.auth_struct
->gnutls_generate_client_certificate
==
361 _gnutls_buffer_init( &data
);
365 if (gnutls_protocol_get_version (session
) != GNUTLS_SSL3
||
366 session
->internals
.selected_cert_list_length
> 0)
368 /* TLS 1.0 or SSL 3.0 with a valid certificate
372 auth_struct
->gnutls_generate_client_certificate (session
, &data
);
382 /* In the SSL 3.0 protocol we need to send a
383 * no certificate alert instead of an
386 if (gnutls_protocol_get_version (session
) == GNUTLS_SSL3
&&
387 session
->internals
.selected_cert_list_length
== 0)
390 gnutls_alert_send (session
, GNUTLS_AL_WARNING
,
391 GNUTLS_A_SSL3_NO_CERTIFICATE
);
395 { /* TLS 1.0 or SSL 3.0 with a valid certificate
397 ret
= send_handshake (session
, data
.data
, data
.length
,
398 GNUTLS_HANDSHAKE_CERTIFICATE_PKT
);
402 _gnutls_buffer_clear (&data
);
407 /* This is called when we want send our certificate
410 _gnutls_send_server_certificate (gnutls_session_t session
, int again
)
412 gnutls_buffer_st data
;
416 if (session
->internals
.auth_struct
->gnutls_generate_server_certificate
==
420 _gnutls_buffer_init( &data
);
426 auth_struct
->gnutls_generate_server_certificate (session
, &data
);
434 ret
= send_handshake (session
, data
.data
, data
.length
,
435 GNUTLS_HANDSHAKE_CERTIFICATE_PKT
);
442 _gnutls_buffer_clear (&data
);
448 _gnutls_recv_server_kx_message (gnutls_session_t session
)
450 gnutls_buffer_st buf
;
452 optional_t optflag
= MANDATORY_PACKET
;
454 if (session
->internals
.auth_struct
->gnutls_process_server_kx
!= NULL
)
457 /* EXCEPTION FOR RSA_EXPORT cipher suite
459 if (_gnutls_session_is_export (session
) != 0 &&
460 _gnutls_peers_cert_less_512 (session
) != 0)
466 /* Server key exchange packet is optional for PSK. */
467 if (_gnutls_session_is_psk (session
))
468 optflag
= OPTIONAL_PACKET
;
471 _gnutls_recv_handshake (session
,
472 GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE
,
481 session
->internals
.auth_struct
->gnutls_process_server_kx (session
,
484 _gnutls_buffer_clear(&buf
);
497 _gnutls_recv_server_certificate_request (gnutls_session_t session
)
499 gnutls_buffer_st buf
;
502 if (session
->internals
.
503 auth_struct
->gnutls_process_server_certificate_request
!= NULL
)
507 _gnutls_recv_handshake (session
,
508 GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST
,
509 OPTIONAL_PACKET
, &buf
);
513 if (ret
== 0 && buf
.length
== 0)
515 _gnutls_buffer_clear(&buf
);
516 return 0; /* ignored */
521 auth_struct
->gnutls_process_server_certificate_request (session
, buf
.data
,
523 _gnutls_buffer_clear (&buf
);
532 _gnutls_recv_client_kx_message (gnutls_session_t session
)
534 gnutls_buffer_st buf
;
538 /* Do key exchange only if the algorithm permits it */
539 if (session
->internals
.auth_struct
->gnutls_process_client_kx
!= NULL
)
543 _gnutls_recv_handshake (session
,
544 GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE
,
545 MANDATORY_PACKET
, &buf
);
550 session
->internals
.auth_struct
->gnutls_process_client_kx (session
,
553 _gnutls_buffer_clear (&buf
);
564 _gnutls_recv_client_certificate (gnutls_session_t session
)
566 gnutls_buffer_st buf
;
570 if (session
->internals
.auth_struct
->gnutls_process_client_certificate
==
574 /* if we have not requested a certificate then just return
576 if (session
->internals
.send_cert_req
== 0)
581 if (session
->internals
.send_cert_req
== GNUTLS_CERT_REQUIRE
)
582 optional
= MANDATORY_PACKET
;
584 optional
= OPTIONAL_PACKET
;
587 _gnutls_recv_handshake (session
, GNUTLS_HANDSHAKE_CERTIFICATE_PKT
,
592 /* Handle the case of old SSL3 clients who send
593 * a warning alert instead of an empty certificate to indicate
596 if (optional
== OPTIONAL_PACKET
&&
597 ret
== GNUTLS_E_WARNING_ALERT_RECEIVED
&&
598 gnutls_protocol_get_version (session
) == GNUTLS_SSL3
&&
599 gnutls_alert_get (session
) == GNUTLS_A_SSL3_NO_CERTIFICATE
)
602 /* SSL3 does not send an empty certificate,
603 * but this alert. So we just ignore it.
609 /* certificate was required
611 if ((ret
== GNUTLS_E_WARNING_ALERT_RECEIVED
612 || ret
== GNUTLS_E_FATAL_ALERT_RECEIVED
)
613 && optional
== MANDATORY_PACKET
)
616 return GNUTLS_E_NO_CERTIFICATE_FOUND
;
622 if (ret
== 0 && buf
.length
== 0 && optional
== OPTIONAL_PACKET
)
624 /* Client has not sent the certificate message.
625 * well I'm not sure we should accept this
634 auth_struct
->gnutls_process_client_certificate (session
, buf
.data
,
637 if (ret
< 0 && ret
!= GNUTLS_E_NO_CERTIFICATE_FOUND
)
643 /* ok we should expect a certificate verify message now
645 if (ret
== GNUTLS_E_NO_CERTIFICATE_FOUND
&& optional
== OPTIONAL_PACKET
)
648 session
->key
->certificate_requested
= 1;
651 _gnutls_buffer_clear(&buf
);
656 _gnutls_recv_server_certificate (gnutls_session_t session
)
658 gnutls_buffer_st buf
;
661 if (session
->internals
.auth_struct
->gnutls_process_server_certificate
!=
666 _gnutls_recv_handshake (session
,
667 GNUTLS_HANDSHAKE_CERTIFICATE_PKT
,
668 MANDATORY_PACKET
, &buf
);
677 auth_struct
->gnutls_process_server_certificate (session
, buf
.data
,
679 _gnutls_buffer_clear(&buf
);
691 /* Recv the client certificate verify. This packet may not
692 * arrive if the peer did not send us a certificate.
695 _gnutls_recv_client_certificate_verify_message (gnutls_session_t session
)
697 gnutls_buffer_st buf
;
701 if (session
->internals
.auth_struct
->gnutls_process_client_cert_vrfy
== NULL
)
704 if (session
->internals
.send_cert_req
== 0 ||
705 session
->key
->certificate_requested
== 0)
711 _gnutls_recv_handshake (session
,
712 GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY
,
713 OPTIONAL_PACKET
, &buf
);
717 if (ret
== 0 && buf
.length
== 0
718 && session
->internals
.send_cert_req
== GNUTLS_CERT_REQUIRE
)
720 /* certificate was required */
722 ret
= GNUTLS_E_NO_CERTIFICATE_FOUND
;
728 auth_struct
->gnutls_process_client_cert_vrfy (session
, buf
.data
,
732 _gnutls_buffer_clear(&buf
);