lib/gnutls_kx.c

   1 /*
   2  * Copyright (C) 2000, 2001, 2004, 2005, 2006, 2008, 2010 Free Software
   3  * Foundation, Inc.
   4  *
   5  * Author: Nikos Mavrogiannopoulos
   6  *
   7  * This file is part of GnuTLS.
   8  *
   9  * The GnuTLS is free software; you can redistribute it and/or
  10  * modify it under the terms of the GNU Lesser General Public License
  11  * as published by the Free Software Foundation; either version 3 of
  12  * the License, or (at your option) any later version.
  13  *
  14  * This library is distributed in the hope that it will be useful, but
  15  * WITHOUT ANY WARRANTY; without even the implied warranty of
  16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  17  * Lesser General Public License for more details.
  18  *
  19  * You should have received a copy of the GNU Lesser General Public License
  20  * along with this program.  If not, see <http://www.gnu.org/licenses/>
  21  *
  22  */
  23
  24 /* This file contains functions which are wrappers for the key exchange
  25  * part of TLS. They are called by the handshake functions (gnutls_handshake)
  26  */
  27
  28 #include "gnutls_int.h"
  29 #include "gnutls_handshake.h"
  30 #include "gnutls_kx.h"
  31 #include "gnutls_dh.h"
  32 #include "gnutls_errors.h"
  33 #include "algorithms.h"
  34 #include "debug.h"
  35 #include "gnutls_mpi.h"
  36 #include <gnutls_state.h>
  37 #include <gnutls_datum.h>
  38 #include <gnutls_rsa_export.h>
  39 #include <gnutls_mbuffers.h>
  40
  41 /* This is a temporary function to be used before the generate_*
  42    internal API is changed to use mbuffers. For now we don't avoid the
  43    extra alloc + memcpy. */
  44 static inline int
  45 send_handshake (gnutls_session_t session, opaque * data, size_t size,
  46                 gnutls_handshake_description_t type)
  47 {
  48   mbuffer_st *bufel;
  49
  50   if (data == NULL && size == 0)
  51     return _gnutls_send_handshake (session, NULL, type);
  52
  53   if (data == NULL && size > 0)
  54     {
  55       gnutls_assert ();
  56       return GNUTLS_E_INVALID_REQUEST;
  57     }
  58
  59   bufel = _gnutls_handshake_alloc(session, size, size);
  60   if (bufel == NULL)
  61     {
  62       gnutls_assert ();
  63       return GNUTLS_E_MEMORY_ERROR;
  64     }
  65
  66   _mbuffer_set_udata (bufel, data, size);
  67
  68   return _gnutls_send_handshake (session, bufel, type);
  69 }
  70
  71
  72 /* This file contains important thing for the TLS handshake procedure.
  73  */
  74
  75 #define MASTER_SECRET "master secret"
  76 #define MASTER_SECRET_SIZE (sizeof(MASTER_SECRET)-1)
  77 static int generate_normal_master (gnutls_session_t session, int);
  78
  79 int
  80 _gnutls_generate_master (gnutls_session_t session, int keep_premaster)
  81 {
  82   if (session->internals.resumed == RESUME_FALSE)
  83     return generate_normal_master (session, keep_premaster);
  84   return 0;
  85 }
  86
  87 /* here we generate the TLS Master secret.
  88  */
  89 #define PREMASTER session->key->key
  90 static int
  91 generate_normal_master (gnutls_session_t session, int keep_premaster)
  92 {
  93   int ret = 0;
  94   char buf[512];
  95
  96   _gnutls_hard_log ("INT: PREMASTER SECRET[%d]: %s\n", PREMASTER.size,
  97                     _gnutls_bin2hex (PREMASTER.data, PREMASTER.size, buf,
  98                                      sizeof (buf), NULL));
  99   _gnutls_hard_log ("INT: CLIENT RANDOM[%d]: %s\n", 32,
 100                     _gnutls_bin2hex (session->
 101                                      security_parameters.client_random, 32,
 102                                      buf, sizeof (buf), NULL));
 103   _gnutls_hard_log ("INT: SERVER RANDOM[%d]: %s\n", 32,
 104                     _gnutls_bin2hex (session->
 105                                      security_parameters.server_random, 32,
 106                                      buf, sizeof (buf), NULL));
 107
 108   if (gnutls_protocol_get_version (session) == GNUTLS_SSL3)
 109     {
 110       opaque rnd[2 * GNUTLS_RANDOM_SIZE + 1];
 111
 112       memcpy (rnd, session->security_parameters.client_random,
 113               GNUTLS_RANDOM_SIZE);
 114       memcpy (&rnd[GNUTLS_RANDOM_SIZE],
 115               session->security_parameters.server_random, GNUTLS_RANDOM_SIZE);
 116
 117       ret =
 118         _gnutls_ssl3_generate_random (PREMASTER.data, PREMASTER.size,
 119                                       rnd, 2 * GNUTLS_RANDOM_SIZE,
 120                                       GNUTLS_MASTER_SIZE,
 121                                       session->
 122                                       security_parameters.master_secret);
 123
 124     }
 125   else
 126     {
 127       opaque rnd[2 * GNUTLS_RANDOM_SIZE + 1];
 128
 129       memcpy (rnd, session->security_parameters.client_random,
 130               GNUTLS_RANDOM_SIZE);
 131       memcpy (&rnd[GNUTLS_RANDOM_SIZE],
 132               session->security_parameters.server_random, GNUTLS_RANDOM_SIZE);
 133
 134       ret =
 135         _gnutls_PRF (session, PREMASTER.data, PREMASTER.size,
 136                      MASTER_SECRET, MASTER_SECRET_SIZE,
 137                      rnd, 2 * GNUTLS_RANDOM_SIZE, GNUTLS_MASTER_SIZE,
 138                      session->security_parameters.master_secret);
 139     }
 140
 141   if (!keep_premaster)
 142     _gnutls_free_datum (&PREMASTER);
 143
 144   if (ret < 0)
 145     return ret;
 146
 147   _gnutls_hard_log ("INT: MASTER SECRET: %s\n",
 148                     _gnutls_bin2hex (session->
 149                                      security_parameters.master_secret,
 150                                      GNUTLS_MASTER_SIZE, buf, sizeof (buf),
 151                                      NULL));
 152
 153   return ret;
 154 }
 155
 156
 157 /* This is called when we want to receive the key exchange message of the
 158  * server. It does nothing if this type of message is not required
 159  * by the selected ciphersuite.
 160  */
 161 int
 162 _gnutls_send_server_kx_message (gnutls_session_t session, int again)
 163 {
 164   gnutls_buffer_st data;
 165   int ret = 0;
 166
 167   if (session->internals.auth_struct->gnutls_generate_server_kx == NULL)
 168     return 0;
 169
 170   _gnutls_buffer_init( &data);
 171
 172   if (again == 0)
 173     {
 174       ret =
 175         session->internals.auth_struct->gnutls_generate_server_kx (session,
 176                                                                    &data);
 177
 178       if (ret == GNUTLS_E_INT_RET_0)
 179         {
 180           gnutls_assert ();
 181           ret = 0;
 182           goto cleanup;
 183         }
 184
 185       if (ret < 0)
 186         {
 187           gnutls_assert ();
 188           goto cleanup;
 189         }
 190     }
 191
 192   ret = send_handshake (session, data.data, data.length,
 193                         GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE);
 194   if (ret < 0)
 195     {
 196       gnutls_assert ();
 197     }
 198
 199 cleanup:
 200   _gnutls_buffer_clear (&data);
 201   return ret;
 202 }
 203
 204 /* This function sends a certificate request message to the
 205  * client.
 206  */
 207 int
 208 _gnutls_send_server_certificate_request (gnutls_session_t session, int again)
 209 {
 210   gnutls_buffer_st data;
 211   int ret = 0;
 212
 213   if (session->internals.
 214       auth_struct->gnutls_generate_server_certificate_request == NULL)
 215     return 0;
 216
 217   if (session->internals.send_cert_req <= 0)
 218     return 0;
 219
 220   _gnutls_buffer_init( &data);
 221
 222   if (again == 0)
 223     {
 224       ret =
 225         session->internals.
 226         auth_struct->gnutls_generate_server_certificate_request (session,
 227                                                                  &data);
 228
 229       if (ret < 0)
 230         {
 231           gnutls_assert ();
 232           goto cleanup;
 233         }
 234     }
 235
 236   ret = send_handshake (session, data.data, data.length,
 237                         GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST);
 238   if (ret < 0)
 239     {
 240       gnutls_assert ();
 241     }
 242
 243 cleanup:
 244   _gnutls_buffer_clear (&data);
 245   return ret;
 246 }
 247
 248
 249 /* This is the function for the client to send the key
 250  * exchange message
 251  */
 252 int
 253 _gnutls_send_client_kx_message (gnutls_session_t session, int again)
 254 {
 255   gnutls_buffer_st data;
 256   int ret = 0;
 257
 258   if (session->internals.auth_struct->gnutls_generate_client_kx == NULL)
 259     return 0;
 260
 261   _gnutls_buffer_init( &data);
 262
 263   if (again == 0)
 264     {
 265       ret =
 266         session->internals.auth_struct->gnutls_generate_client_kx (session,
 267                                                                    &data);
 268       if (ret < 0)
 269         {
 270           gnutls_assert();
 271           goto cleanup;
 272         }
 273     }
 274   ret = send_handshake (session, data.data, data.length,
 275                         GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE);
 276   if (ret < 0)
 277     {
 278       gnutls_assert ();
 279     }
 280
 281 cleanup:
 282   _gnutls_buffer_clear (&data);
 283   return ret;
 284 }
 285
 286
 287 /* This is the function for the client to send the certificate
 288  * verify message
 289  */
 290 int
 291 _gnutls_send_client_certificate_verify (gnutls_session_t session, int again)
 292 {
 293   gnutls_buffer_st data;
 294   int ret = 0;
 295
 296   /* This is a packet that is only sent by the client
 297    */
 298   if (session->security_parameters.entity == GNUTLS_SERVER)
 299     return 0;
 300
 301   /* if certificate verify is not needed just exit
 302    */
 303   if (session->key->certificate_requested == 0)
 304     return 0;
 305
 306
 307   if (session->internals.auth_struct->gnutls_generate_client_cert_vrfy ==
 308       NULL)
 309     {
 310       gnutls_assert ();
 311       return 0;                 /* this algorithm does not support cli_cert_vrfy
 312                                  */
 313     }
 314
 315   _gnutls_buffer_init( &data);
 316
 317   if (again == 0)
 318     {
 319       ret =
 320         session->internals.
 321         auth_struct->gnutls_generate_client_cert_vrfy (session, &data);
 322       if (ret < 0)
 323         {
 324           gnutls_assert();
 325           goto cleanup;
 326         }
 327
 328       if (ret == 0)
 329           goto cleanup;
 330
 331     }
 332   ret = send_handshake (session, data.data, data.length,
 333                         GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY);
 334
 335   if (ret < 0)
 336     {
 337       gnutls_assert ();
 338     }
 339
 340 cleanup:
 341   _gnutls_buffer_clear (&data);
 342   return ret;
 343 }
 344
 345 /* This is called when we want send our certificate
 346  */
 347 int
 348 _gnutls_send_client_certificate (gnutls_session_t session, int again)
 349 {
 350   gnutls_buffer_st data;
 351   int ret = 0;
 352
 353
 354   if (session->key->certificate_requested == 0)
 355     return 0;
 356
 357   if (session->internals.auth_struct->gnutls_generate_client_certificate ==
 358       NULL)
 359     return 0;
 360
 361   _gnutls_buffer_init( &data);
 362
 363   if (again == 0)
 364     {
 365       if (gnutls_protocol_get_version (session) != GNUTLS_SSL3 ||
 366           session->internals.selected_cert_list_length > 0)
 367         {
 368           /* TLS 1.0 or SSL 3.0 with a valid certificate
 369            */
 370           ret =
 371             session->internals.
 372             auth_struct->gnutls_generate_client_certificate (session, &data);
 373
 374           if (ret < 0)
 375             {
 376               gnutls_assert();
 377               goto cleanup;
 378             }
 379         }
 380     }
 381
 382   /* In the SSL 3.0 protocol we need to send a
 383    * no certificate alert instead of an
 384    * empty certificate.
 385    */
 386   if (gnutls_protocol_get_version (session) == GNUTLS_SSL3 &&
 387       session->internals.selected_cert_list_length == 0)
 388     {
 389       ret =
 390         gnutls_alert_send (session, GNUTLS_AL_WARNING,
 391                            GNUTLS_A_SSL3_NO_CERTIFICATE);
 392
 393     }
 394   else
 395     {                           /* TLS 1.0 or SSL 3.0 with a valid certificate
 396                                  */
 397       ret = send_handshake (session, data.data, data.length,
 398                             GNUTLS_HANDSHAKE_CERTIFICATE_PKT);
 399     }
 400
 401 cleanup:
 402   _gnutls_buffer_clear (&data);
 403   return ret;
 404 }
 405
 406
 407 /* This is called when we want send our certificate
 408  */
 409 int
 410 _gnutls_send_server_certificate (gnutls_session_t session, int again)
 411 {
 412   gnutls_buffer_st data;
 413   int ret = 0;
 414
 415
 416   if (session->internals.auth_struct->gnutls_generate_server_certificate ==
 417       NULL)
 418     return 0;
 419
 420   _gnutls_buffer_init( &data);
 421
 422   if (again == 0)
 423     {
 424       ret =
 425         session->internals.
 426         auth_struct->gnutls_generate_server_certificate (session, &data);
 427
 428         if (ret < 0)
 429           {
 430             gnutls_assert();
 431             goto cleanup;
 432           }
 433     }
 434   ret = send_handshake (session, data.data, data.length,
 435                         GNUTLS_HANDSHAKE_CERTIFICATE_PKT);
 436   if (ret < 0)
 437     {
 438       gnutls_assert ();
 439     }
 440
 441 cleanup:
 442   _gnutls_buffer_clear (&data);
 443   return ret;
 444 }
 445
 446
 447 int
 448 _gnutls_recv_server_kx_message (gnutls_session_t session)
 449 {
 450   gnutls_buffer_st buf;
 451   int ret = 0;
 452   optional_t optflag = MANDATORY_PACKET;
 453
 454   if (session->internals.auth_struct->gnutls_process_server_kx != NULL)
 455     {
 456
 457       /* EXCEPTION FOR RSA_EXPORT cipher suite
 458        */
 459       if (_gnutls_session_is_export (session) != 0 &&
 460           _gnutls_peers_cert_less_512 (session) != 0)
 461         {
 462           gnutls_assert ();
 463           return 0;
 464         }
 465
 466       /* Server key exchange packet is optional for PSK. */
 467       if (_gnutls_session_is_psk (session))
 468         optflag = OPTIONAL_PACKET;
 469
 470       ret =
 471         _gnutls_recv_handshake (session,
 472                                 GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE,
 473                                 optflag, &buf);
 474       if (ret < 0)
 475         {
 476           gnutls_assert ();
 477           return ret;
 478         }
 479
 480       ret =
 481         session->internals.auth_struct->gnutls_process_server_kx (session,
 482                                                                   buf.data,
 483                                                                   buf.length);
 484       _gnutls_buffer_clear(&buf);
 485
 486       if (ret < 0)
 487         {
 488           gnutls_assert ();
 489           return ret;
 490         }
 491
 492     }
 493   return ret;
 494 }
 495
 496 int
 497 _gnutls_recv_server_certificate_request (gnutls_session_t session)
 498 {
 499   gnutls_buffer_st buf;
 500   int ret = 0;
 501
 502   if (session->internals.
 503       auth_struct->gnutls_process_server_certificate_request != NULL)
 504     {
 505
 506       ret =
 507         _gnutls_recv_handshake (session,
 508                                 GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST,
 509                                 OPTIONAL_PACKET, &buf);
 510       if (ret < 0)
 511         return ret;
 512
 513       if (ret == 0 && buf.length == 0)
 514         {
 515           _gnutls_buffer_clear(&buf);
 516           return 0;               /* ignored */
 517         }
 518
 519       ret =
 520         session->internals.
 521         auth_struct->gnutls_process_server_certificate_request (session, buf.data,
 522                                                                 buf.length);
 523       _gnutls_buffer_clear (&buf);
 524       if (ret < 0)
 525         return ret;
 526
 527     }
 528   return ret;
 529 }
 530
 531 int
 532 _gnutls_recv_client_kx_message (gnutls_session_t session)
 533 {
 534   gnutls_buffer_st buf;
 535   int ret = 0;
 536
 537
 538   /* Do key exchange only if the algorithm permits it */
 539   if (session->internals.auth_struct->gnutls_process_client_kx != NULL)
 540     {
 541
 542       ret =
 543         _gnutls_recv_handshake (session,
 544                                 GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE,
 545                                 MANDATORY_PACKET, &buf);
 546       if (ret < 0)
 547         return ret;
 548
 549       ret =
 550         session->internals.auth_struct->gnutls_process_client_kx (session,
 551                                                                   buf.data,
 552                                                                   buf.length);
 553       _gnutls_buffer_clear (&buf);
 554       if (ret < 0)
 555         return ret;
 556
 557     }
 558
 559   return ret;
 560 }
 561
 562
 563 int
 564 _gnutls_recv_client_certificate (gnutls_session_t session)
 565 {
 566   gnutls_buffer_st buf;
 567   int ret = 0;
 568   int optional;
 569
 570   if (session->internals.auth_struct->gnutls_process_client_certificate ==
 571       NULL)
 572     return 0;
 573
 574   /* if we have not requested a certificate then just return
 575    */
 576   if (session->internals.send_cert_req == 0)
 577     {
 578       return 0;
 579     }
 580
 581   if (session->internals.send_cert_req == GNUTLS_CERT_REQUIRE)
 582     optional = MANDATORY_PACKET;
 583   else
 584     optional = OPTIONAL_PACKET;
 585
 586   ret =
 587     _gnutls_recv_handshake (session, GNUTLS_HANDSHAKE_CERTIFICATE_PKT,
 588       optional, &buf);
 589
 590   if (ret < 0)
 591     {
 592       /* Handle the case of old SSL3 clients who send
 593        * a warning alert instead of an empty certificate to indicate
 594        * no certificate.
 595        */
 596       if (optional == OPTIONAL_PACKET &&
 597           ret == GNUTLS_E_WARNING_ALERT_RECEIVED &&
 598           gnutls_protocol_get_version (session) == GNUTLS_SSL3 &&
 599           gnutls_alert_get (session) == GNUTLS_A_SSL3_NO_CERTIFICATE)
 600         {
 601
 602           /* SSL3 does not send an empty certificate,
 603            * but this alert. So we just ignore it.
 604            */
 605           gnutls_assert ();
 606           return 0;
 607         }
 608
 609       /* certificate was required
 610        */
 611       if ((ret == GNUTLS_E_WARNING_ALERT_RECEIVED
 612            || ret == GNUTLS_E_FATAL_ALERT_RECEIVED)
 613           && optional == MANDATORY_PACKET)
 614         {
 615           gnutls_assert ();
 616           return GNUTLS_E_NO_CERTIFICATE_FOUND;
 617         }
 618
 619       return ret;
 620     }
 621
 622   if (ret == 0 && buf.length == 0 && optional == OPTIONAL_PACKET)
 623     {
 624       /* Client has not sent the certificate message.
 625        * well I'm not sure we should accept this
 626        * behaviour.
 627        */
 628       gnutls_assert ();
 629       ret = 0;
 630       goto cleanup;
 631     }
 632   ret =
 633     session->internals.
 634     auth_struct->gnutls_process_client_certificate (session, buf.data,
 635                                                     buf.length);
 636
 637   if (ret < 0 && ret != GNUTLS_E_NO_CERTIFICATE_FOUND)
 638     {
 639       gnutls_assert ();
 640       goto cleanup;
 641     }
 642
 643   /* ok we should expect a certificate verify message now
 644    */
 645   if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND && optional == OPTIONAL_PACKET)
 646     ret = 0;
 647   else
 648     session->key->certificate_requested = 1;
 649
 650 cleanup:
 651   _gnutls_buffer_clear(&buf);
 652   return ret;
 653 }
 654
 655 int
 656 _gnutls_recv_server_certificate (gnutls_session_t session)
 657 {
 658   gnutls_buffer_st buf;
 659   int ret = 0;
 660
 661   if (session->internals.auth_struct->gnutls_process_server_certificate !=
 662       NULL)
 663     {
 664
 665       ret =
 666         _gnutls_recv_handshake (session,
 667                                 GNUTLS_HANDSHAKE_CERTIFICATE_PKT,
 668                                 MANDATORY_PACKET, &buf);
 669       if (ret < 0)
 670         {
 671           gnutls_assert ();
 672           return ret;
 673         }
 674
 675       ret =
 676         session->internals.
 677         auth_struct->gnutls_process_server_certificate (session, buf.data,
 678                                                         buf.length);
 679       _gnutls_buffer_clear(&buf);
 680       if (ret < 0)
 681         {
 682           gnutls_assert ();
 683           return ret;
 684         }
 685     }
 686
 687   return ret;
 688 }
 689
 690
 691 /* Recv the client certificate verify. This packet may not
 692  * arrive if the peer did not send us a certificate.
 693  */
 694 int
 695 _gnutls_recv_client_certificate_verify_message (gnutls_session_t session)
 696 {
 697   gnutls_buffer_st buf;
 698   int ret = 0;
 699
 700
 701   if (session->internals.auth_struct->gnutls_process_client_cert_vrfy == NULL)
 702     return 0;
 703
 704   if (session->internals.send_cert_req == 0 ||
 705       session->key->certificate_requested == 0)
 706     {
 707       return 0;
 708     }
 709
 710   ret =
 711     _gnutls_recv_handshake (session,
 712                             GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY,
 713                             OPTIONAL_PACKET, &buf);
 714   if (ret < 0)
 715     return ret;
 716
 717   if (ret == 0 && buf.length == 0
 718       && session->internals.send_cert_req == GNUTLS_CERT_REQUIRE)
 719     {
 720       /* certificate was required */
 721       gnutls_assert ();
 722       ret = GNUTLS_E_NO_CERTIFICATE_FOUND;
 723       goto cleanup;
 724     }
 725
 726   ret =
 727     session->internals.
 728     auth_struct->gnutls_process_client_cert_vrfy (session, buf.data,
 729                                                   buf.length);
 730
 731 cleanup:
 732   _gnutls_buffer_clear(&buf);
 733   return ret;
 734 }