search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Add `gnutls/dtls.h' to the distribution.
[gnutls.git] / lib / gnutls_kx.c
blob7c390f0ec1909aa98cf2abbcf97a050c21fe4949
1 /*
2 * Copyright (C) 2000, 2001, 2004, 2005, 2006, 2008, 2010 Free Software
3 * Foundation, Inc.
4 *
5 * Author: Nikos Mavrogiannopoulos
6 *
7 * This file is part of GnuTLS.
8 *
9 * The GnuTLS is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Lesser General Public License
11 * as published by the Free Software Foundation; either version 2.1 of
12 * the License, or (at your option) any later version.
13 *
14 * This library is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * Lesser General Public License for more details.
18 *
19 * You should have received a copy of the GNU Lesser General Public
20 * License along with this library; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
22 * USA
23 *
24 */
25
26 /* This file contains functions which are wrappers for the key exchange
27 * part of TLS. They are called by the handshake functions (gnutls_handshake)
28 */
29
30 #include "gnutls_int.h"
31 #include "gnutls_handshake.h"
32 #include "gnutls_kx.h"
33 #include "gnutls_dh.h"
34 #include "gnutls_errors.h"
35 #include "gnutls_algorithms.h"
36 #include "debug.h"
37 #include "gnutls_mpi.h"
38 #include <gnutls_state.h>
39 #include <gnutls_datum.h>
40 #include <gnutls_rsa_export.h>
41 #include <gnutls_mbuffers.h>
42
43 /* This is a temporary function to be used before the generate_*
44 internal API is changed to use mbuffers. For now we don't avoid the
45 extra alloc + memcpy. */
46 static inline int
47 send_handshake (gnutls_session_t session, opaque * data, size_t size,
48 gnutls_handshake_description_t type)
49 {
50 mbuffer_st *bufel;
51
52 if (data == NULL && size == 0)
53 return _gnutls_send_handshake (session, NULL, type);
54
55 if (data == NULL && size > 0)
56 {
57 gnutls_assert ();
58 return GNUTLS_E_INVALID_REQUEST;
59 }
60
61 bufel = _gnutls_handshake_alloc(session, size, size);
62 if (bufel == NULL)
63 {
64 gnutls_assert ();
65 return GNUTLS_E_MEMORY_ERROR;
66 }
67
68 _mbuffer_set_udata (bufel, data, size);
69
70 return _gnutls_send_handshake (session, bufel, type);
71 }
72
73
74 /* This file contains important thing for the TLS handshake procedure.
75 */
76
77 #define MASTER_SECRET "master secret"
78 #define MASTER_SECRET_SIZE (sizeof(MASTER_SECRET)-1)
79 static int generate_normal_master (gnutls_session_t session, int);
80
81 int
82 _gnutls_generate_master (gnutls_session_t session, int keep_premaster)
83 {
84 if (session->internals.resumed == RESUME_FALSE)
85 return generate_normal_master (session, keep_premaster);
86 return 0;
87 }
88
89 /* here we generate the TLS Master secret.
90 */
91 #define PREMASTER session->key->key
92 static int
93 generate_normal_master (gnutls_session_t session, int keep_premaster)
94 {
95 int ret = 0;
96 char buf[512];
97
98 _gnutls_hard_log ("INT: PREMASTER SECRET[%d]: %s\n", PREMASTER.size,
99 _gnutls_bin2hex (PREMASTER.data, PREMASTER.size, buf,
100 sizeof (buf), NULL));
101 _gnutls_hard_log ("INT: CLIENT RANDOM[%d]: %s\n", 32,
102 _gnutls_bin2hex (session->
103 security_parameters.client_random, 32,
104 buf, sizeof (buf), NULL));
105 _gnutls_hard_log ("INT: SERVER RANDOM[%d]: %s\n", 32,
106 _gnutls_bin2hex (session->
107 security_parameters.server_random, 32,
108 buf, sizeof (buf), NULL));
109
110 if (gnutls_protocol_get_version (session) == GNUTLS_SSL3)
111 {
112 opaque rnd[2 * GNUTLS_RANDOM_SIZE + 1];
113
114 memcpy (rnd, session->security_parameters.client_random,
115 GNUTLS_RANDOM_SIZE);
116 memcpy (&rnd[GNUTLS_RANDOM_SIZE],
117 session->security_parameters.server_random, GNUTLS_RANDOM_SIZE);
118
119 ret =
120 _gnutls_ssl3_generate_random (PREMASTER.data, PREMASTER.size,
121 rnd, 2 * GNUTLS_RANDOM_SIZE,
122 GNUTLS_MASTER_SIZE,
123 session->
124 security_parameters.master_secret);
125
126 }
127 else
128 {
129 opaque rnd[2 * GNUTLS_RANDOM_SIZE + 1];
130
131 memcpy (rnd, session->security_parameters.client_random,
132 GNUTLS_RANDOM_SIZE);
133 memcpy (&rnd[GNUTLS_RANDOM_SIZE],
134 session->security_parameters.server_random, GNUTLS_RANDOM_SIZE);
135
136 ret =
137 _gnutls_PRF (session, PREMASTER.data, PREMASTER.size,
138 MASTER_SECRET, MASTER_SECRET_SIZE,
139 rnd, 2 * GNUTLS_RANDOM_SIZE, GNUTLS_MASTER_SIZE,
140 session->security_parameters.master_secret);
141 }
142
143 if (!keep_premaster)
144 _gnutls_free_datum (&PREMASTER);
145
146 if (ret < 0)
147 return ret;
148
149 _gnutls_hard_log ("INT: MASTER SECRET: %s\n",
150 _gnutls_bin2hex (session->
151 security_parameters.master_secret,
152 GNUTLS_MASTER_SIZE, buf, sizeof (buf),
153 NULL));
154
155 return ret;
156 }
157
158
159 /* This is called when we want to receive the key exchange message of the
160 * server. It does nothing if this type of message is not required
161 * by the selected ciphersuite.
162 */
163 int
164 _gnutls_send_server_kx_message (gnutls_session_t session, int again)
165 {
166 gnutls_buffer_st data;
167 int ret = 0;
168
169 if (session->internals.auth_struct->gnutls_generate_server_kx == NULL)
170 return 0;
171
172 _gnutls_buffer_init( &data);
173
174 if (again == 0)
175 {
176 ret =
177 session->internals.auth_struct->gnutls_generate_server_kx (session,
178 &data);
179
180 if (ret == GNUTLS_E_INT_RET_0)
181 {
182 gnutls_assert ();
183 ret = 0;
184 goto cleanup;
185 }
186
187 if (ret < 0)
188 {
189 gnutls_assert ();
190 goto cleanup;
191 }
192 }
193
194 ret = send_handshake (session, data.data, data.length,
195 GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE);
196 if (ret < 0)
197 {
198 gnutls_assert ();
199 }
200
201 cleanup:
202 _gnutls_buffer_clear (&data);
203 return ret;
204 }
205
206 /* This function sends a certificate request message to the
207 * client.
208 */
209 int
210 _gnutls_send_server_certificate_request (gnutls_session_t session, int again)
211 {
212 gnutls_buffer_st data;
213 int ret = 0;
214
215 if (session->internals.
216 auth_struct->gnutls_generate_server_certificate_request == NULL)
217 return 0;
218
219 if (session->internals.send_cert_req <= 0)
220 return 0;
221
222 _gnutls_buffer_init( &data);
223
224 if (again == 0)
225 {
226 ret =
227 session->internals.
228 auth_struct->gnutls_generate_server_certificate_request (session,
229 &data);
230
231 if (ret < 0)
232 {
233 gnutls_assert ();
234 goto cleanup;
235 }
236 }
237
238 ret = send_handshake (session, data.data, data.length,
239 GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST);
240 if (ret < 0)
241 {
242 gnutls_assert ();
243 }
244
245 cleanup:
246 _gnutls_buffer_clear (&data);
247 return ret;
248 }
249
250
251 /* This is the function for the client to send the key
252 * exchange message
253 */
254 int
255 _gnutls_send_client_kx_message (gnutls_session_t session, int again)
256 {
257 gnutls_buffer_st data;
258 int ret = 0;
259
260 if (session->internals.auth_struct->gnutls_generate_client_kx == NULL)
261 return 0;
262
263 _gnutls_buffer_init( &data);
264
265 if (again == 0)
266 {
267 ret =
268 session->internals.auth_struct->gnutls_generate_client_kx (session,
269 &data);
270 if (ret < 0)
271 {
272 gnutls_assert();
273 goto cleanup;
274 }
275 }
276 ret = send_handshake (session, data.data, data.length,
277 GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE);
278 if (ret < 0)
279 {
280 gnutls_assert ();
281 }
282
283 cleanup:
284 _gnutls_buffer_clear (&data);
285 return ret;
286 }
287
288
289 /* This is the function for the client to send the certificate
290 * verify message
291 */
292 int
293 _gnutls_send_client_certificate_verify (gnutls_session_t session, int again)
294 {
295 gnutls_buffer_st data;
296 int ret = 0;
297
298 /* This is a packet that is only sent by the client
299 */
300 if (session->security_parameters.entity == GNUTLS_SERVER)
301 return 0;
302
303 /* if certificate verify is not needed just exit
304 */
305 if (session->key->certificate_requested == 0)
306 return 0;
307
308
309 if (session->internals.auth_struct->gnutls_generate_client_cert_vrfy ==
310 NULL)
311 {
312 gnutls_assert ();
313 return 0; /* this algorithm does not support cli_cert_vrfy
314 */
315 }
316
317 _gnutls_buffer_init( &data);
318
319 if (again == 0)
320 {
321 ret =
322 session->internals.
323 auth_struct->gnutls_generate_client_cert_vrfy (session, &data);
324 if (ret < 0)
325 {
326 gnutls_assert();
327 goto cleanup;
328 }
329
330 if (ret == 0)
331 goto cleanup;
332
333 }
334 ret = send_handshake (session, data.data, data.length,
335 GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY);
336
337 if (ret < 0)
338 {
339 gnutls_assert ();
340 }
341
342 cleanup:
343 _gnutls_buffer_clear (&data);
344 return ret;
345 }
346
347 /* This is called when we want send our certificate
348 */
349 int
350 _gnutls_send_client_certificate (gnutls_session_t session, int again)
351 {
352 gnutls_buffer_st data;
353 int ret = 0;
354
355
356 if (session->key->certificate_requested == 0)
357 return 0;
358
359 if (session->internals.auth_struct->gnutls_generate_client_certificate ==
360 NULL)
361 return 0;
362
363 _gnutls_buffer_init( &data);
364
365 if (again == 0)
366 {
367 if (gnutls_protocol_get_version (session) != GNUTLS_SSL3 ||
368 session->internals.selected_cert_list_length > 0)
369 {
370 /* TLS 1.0 or SSL 3.0 with a valid certificate
371 */
372 ret =
373 session->internals.
374 auth_struct->gnutls_generate_client_certificate (session, &data);
375
376 if (ret < 0)
377 {
378 gnutls_assert();
379 goto cleanup;
380 }
381 }
382 }
383
384 /* In the SSL 3.0 protocol we need to send a
385 * no certificate alert instead of an
386 * empty certificate.
387 */
388 if (gnutls_protocol_get_version (session) == GNUTLS_SSL3 &&
389 session->internals.selected_cert_list_length == 0)
390 {
391 ret =
392 gnutls_alert_send (session, GNUTLS_AL_WARNING,
393 GNUTLS_A_SSL3_NO_CERTIFICATE);
394
395 }
396 else
397 { /* TLS 1.0 or SSL 3.0 with a valid certificate
398 */
399 ret = send_handshake (session, data.data, data.length,
400 GNUTLS_HANDSHAKE_CERTIFICATE_PKT);
401 }
402
403 cleanup:
404 _gnutls_buffer_clear (&data);
405 return ret;
406 }
407
408
409 /* This is called when we want send our certificate
410 */
411 int
412 _gnutls_send_server_certificate (gnutls_session_t session, int again)
413 {
414 gnutls_buffer_st data;
415 int ret = 0;
416
417
418 if (session->internals.auth_struct->gnutls_generate_server_certificate ==
419 NULL)
420 return 0;
421
422 _gnutls_buffer_init( &data);
423
424 if (again == 0)
425 {
426 ret =
427 session->internals.
428 auth_struct->gnutls_generate_server_certificate (session, &data);
429
430 if (ret < 0)
431 {
432 gnutls_assert();
433 goto cleanup;
434 }
435 }
436 ret = send_handshake (session, data.data, data.length,
437 GNUTLS_HANDSHAKE_CERTIFICATE_PKT);
438 if (ret < 0)
439 {
440 gnutls_assert ();
441 }
442
443 cleanup:
444 _gnutls_buffer_clear (&data);
445 return ret;
446 }
447
448
449 int
450 _gnutls_recv_server_kx_message (gnutls_session_t session)
451 {
452 uint8_t *data = NULL;
453 int datasize;
454 int ret = 0;
455 optional_t optflag = MANDATORY_PACKET;
456
457 if (session->internals.auth_struct->gnutls_process_server_kx != NULL)
458 {
459
460 /* EXCEPTION FOR RSA_EXPORT cipher suite
461 */
462 if (_gnutls_session_is_export (session) != 0 &&
463 _gnutls_peers_cert_less_512 (session) != 0)
464 {
465 gnutls_assert ();
466 return 0;
467 }
468
469 /* Server key exchange packet is optional for PSK. */
470 if (_gnutls_session_is_psk (session))
471 optflag = OPTIONAL_PACKET;
472
473 ret =
474 _gnutls_recv_handshake (session, &data,
475 &datasize,
476 GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE,
477 optflag);
478 if (ret < 0)
479 {
480 gnutls_assert ();
481 return ret;
482 }
483
484 ret =
485 session->internals.auth_struct->gnutls_process_server_kx (session,
486 data,
487 datasize);
488 gnutls_free (data);
489
490 if (ret < 0)
491 {
492 gnutls_assert ();
493 return ret;
494 }
495
496 }
497 return ret;
498 }
499
500 int
501 _gnutls_recv_server_certificate_request (gnutls_session_t session)
502 {
503 uint8_t *data;
504 int datasize;
505 int ret = 0;
506
507 if (session->internals.
508 auth_struct->gnutls_process_server_certificate_request != NULL)
509 {
510
511 ret =
512 _gnutls_recv_handshake (session, &data,
513 &datasize,
514 GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST,
515 OPTIONAL_PACKET);
516 if (ret < 0)
517 return ret;
518
519 if (ret == 0 && datasize == 0)
520 return 0; /* ignored */
521
522 ret =
523 session->internals.
524 auth_struct->gnutls_process_server_certificate_request (session, data,
525 datasize);
526 gnutls_free (data);
527 if (ret < 0)
528 return ret;
529
530 }
531 return ret;
532 }
533
534 int
535 _gnutls_recv_client_kx_message (gnutls_session_t session)
536 {
537 uint8_t *data;
538 int datasize;
539 int ret = 0;
540
541
542 /* Do key exchange only if the algorithm permits it */
543 if (session->internals.auth_struct->gnutls_process_client_kx != NULL)
544 {
545
546 ret =
547 _gnutls_recv_handshake (session, &data,
548 &datasize,
549 GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE,
550 MANDATORY_PACKET);
551 if (ret < 0)
552 return ret;
553
554 ret =
555 session->internals.auth_struct->gnutls_process_client_kx (session,
556 data,
557 datasize);
558 gnutls_free (data);
559 if (ret < 0)
560 return ret;
561
562 }
563
564 return ret;
565 }
566
567
568
569
570 int
571 _gnutls_recv_client_certificate (gnutls_session_t session)
572 {
573 int datasize;
574 opaque *data;
575 int ret = 0;
576 int optional;
577
578 if (session->internals.auth_struct->gnutls_process_client_certificate !=
579 NULL)
580 {
581
582 /* if we have not requested a certificate then just return
583 */
584 if (session->internals.send_cert_req == 0)
585 {
586 return 0;
587 }
588
589 if (session->internals.send_cert_req == GNUTLS_CERT_REQUIRE)
590 optional = MANDATORY_PACKET;
591 else
592 optional = OPTIONAL_PACKET;
593
594 ret =
595 _gnutls_recv_handshake (session, &data,
596 &datasize,
597 GNUTLS_HANDSHAKE_CERTIFICATE_PKT, optional);
598
599 if (ret < 0)
600 {
601 /* Handle the case of old SSL3 clients who send
602 * a warning alert instead of an empty certificate to indicate
603 * no certificate.
604 */
605 if (optional == OPTIONAL_PACKET &&
606 ret == GNUTLS_E_WARNING_ALERT_RECEIVED &&
607 gnutls_protocol_get_version (session) == GNUTLS_SSL3 &&
608 gnutls_alert_get (session) == GNUTLS_A_SSL3_NO_CERTIFICATE)
609 {
610
611 /* SSL3 does not send an empty certificate,
612 * but this alert. So we just ignore it.
613 */
614 gnutls_assert ();
615 return 0;
616 }
617
618 /* certificate was required
619 */
620 if ((ret == GNUTLS_E_WARNING_ALERT_RECEIVED
621 || ret == GNUTLS_E_FATAL_ALERT_RECEIVED)
622 && optional == MANDATORY_PACKET)
623 {
624 gnutls_assert ();
625 return GNUTLS_E_NO_CERTIFICATE_FOUND;
626 }
627
628 return ret;
629 }
630
631 if (ret == 0 && datasize == 0 && optional == OPTIONAL_PACKET)
632 {
633 /* Client has not sent the certificate message.
634 * well I'm not sure we should accept this
635 * behaviour.
636 */
637 gnutls_assert ();
638 return 0;
639 }
640 ret =
641 session->internals.
642 auth_struct->gnutls_process_client_certificate (session, data,
643 datasize);
644
645 gnutls_free (data);
646 if (ret < 0 && ret != GNUTLS_E_NO_CERTIFICATE_FOUND)
647 {
648 gnutls_assert ();
649 return ret;
650 }
651
652 /* ok we should expect a certificate verify message now
653 */
654 if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND && optional == OPTIONAL_PACKET)
655 ret = 0;
656 else
657 session->key->certificate_requested = 1;
658
659 }
660
661 return ret;
662 }
663
664 int
665 _gnutls_recv_server_certificate (gnutls_session_t session)
666 {
667 int datasize;
668 opaque *data;
669 int ret = 0;
670
671 if (session->internals.auth_struct->gnutls_process_server_certificate !=
672 NULL)
673 {
674
675 ret =
676 _gnutls_recv_handshake (session, &data,
677 &datasize,
678 GNUTLS_HANDSHAKE_CERTIFICATE_PKT,
679 MANDATORY_PACKET);
680 if (ret < 0)
681 {
682 gnutls_assert ();
683 return ret;
684 }
685
686 ret =
687 session->internals.
688 auth_struct->gnutls_process_server_certificate (session, data,
689 datasize);
690 gnutls_free (data);
691 if (ret < 0)
692 {
693 gnutls_assert ();
694 return ret;
695 }
696 }
697
698 return ret;
699 }
700
701
702 /* Recv the client certificate verify. This packet may not
703 * arrive if the peer did not send us a certificate.
704 */
705 int
706 _gnutls_recv_client_certificate_verify_message (gnutls_session_t session)
707 {
708 uint8_t *data;
709 int datasize;
710 int ret = 0;
711
712
713 if (session->internals.auth_struct->gnutls_process_client_cert_vrfy != NULL)
714 {
715
716 if (session->internals.send_cert_req == 0 ||
717 session->key->certificate_requested == 0)
718 {
719 return 0;
720 }
721
722 ret =
723 _gnutls_recv_handshake (session, &data,
724 &datasize,
725 GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY,
726 OPTIONAL_PACKET);
727 if (ret < 0)
728 return ret;
729
730 if (ret == 0 && datasize == 0
731 && session->internals.send_cert_req == GNUTLS_CERT_REQUIRE)
732 {
733 /* certificate was required */
734 gnutls_assert ();
735 return GNUTLS_E_NO_CERTIFICATE_FOUND;
736 }
737
738 ret =
739 session->internals.
740 auth_struct->gnutls_process_client_cert_vrfy (session, data,
741 datasize);
742 gnutls_free (data);
743 if (ret < 0)
744 return ret;
745
746 }
747
748 return ret;
749 }
Implementation of the SSL/TLS protocol