search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Added gnutls-dane.pc.
[gnutls.git] / lib / gnutls_kx.c
blob9654a5e578892408d7d5d0bcac0e294b4546b424
1 /*
2 * Copyright (C) 2000-2012 Free Software Foundation, Inc.
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GnuTLS.
7 *
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
20 *
21 */
22
23 /* This file contains functions which are wrappers for the key exchange
24 * part of TLS. They are called by the handshake functions (gnutls_handshake)
25 */
26
27 #include "gnutls_int.h"
28 #include "gnutls_handshake.h"
29 #include "gnutls_kx.h"
30 #include "gnutls_dh.h"
31 #include "gnutls_errors.h"
32 #include "algorithms.h"
33 #include "debug.h"
34 #include "gnutls_mpi.h"
35 #include <gnutls_state.h>
36 #include <gnutls_datum.h>
37 #include <gnutls_rsa_export.h>
38 #include <gnutls_mbuffers.h>
39
40 /* This is a temporary function to be used before the generate_*
41 internal API is changed to use mbuffers. For now we don't avoid the
42 extra alloc + memcpy. */
43 static inline int
44 send_handshake (gnutls_session_t session, uint8_t * data, size_t size,
45 gnutls_handshake_description_t type)
46 {
47 mbuffer_st *bufel;
48
49 if (data == NULL && size == 0)
50 return _gnutls_send_handshake (session, NULL, type);
51
52 if (data == NULL && size > 0)
53 {
54 gnutls_assert ();
55 return GNUTLS_E_INVALID_REQUEST;
56 }
57
58 bufel = _gnutls_handshake_alloc(session, size, size);
59 if (bufel == NULL)
60 {
61 gnutls_assert ();
62 return GNUTLS_E_MEMORY_ERROR;
63 }
64
65 _mbuffer_set_udata (bufel, data, size);
66
67 return _gnutls_send_handshake (session, bufel, type);
68 }
69
70
71 /* This file contains important thing for the TLS handshake procedure.
72 */
73
74 #define MASTER_SECRET "master secret"
75 #define MASTER_SECRET_SIZE (sizeof(MASTER_SECRET)-1)
76 static int generate_normal_master (gnutls_session_t session, gnutls_datum_t*, int);
77
78 int
79 _gnutls_generate_master (gnutls_session_t session, int keep_premaster)
80 {
81 if (session->internals.resumed == RESUME_FALSE)
82 return generate_normal_master (session, &session->key.key, keep_premaster);
83 else if (session->internals.premaster_set)
84 {
85 gnutls_datum_t premaster;
86 premaster.size = sizeof(session->internals.resumed_security_parameters.master_secret);
87 premaster.data = session->internals.resumed_security_parameters.master_secret;
88 return generate_normal_master(session, &premaster, 1);
89 }
90 return 0;
91 }
92
93 /* here we generate the TLS Master secret.
94 */
95 static int
96 generate_normal_master (gnutls_session_t session, gnutls_datum_t *premaster,
97 int keep_premaster)
98 {
99 int ret = 0;
100 char buf[512];
101
102 _gnutls_hard_log ("INT: PREMASTER SECRET[%d]: %s\n", premaster->size,
103 _gnutls_bin2hex (premaster->data, premaster->size, buf,
104 sizeof (buf), NULL));
105 _gnutls_hard_log ("INT: CLIENT RANDOM[%d]: %s\n", 32,
106 _gnutls_bin2hex (session->
107 security_parameters.client_random, 32,
108 buf, sizeof (buf), NULL));
109 _gnutls_hard_log ("INT: SERVER RANDOM[%d]: %s\n", 32,
110 _gnutls_bin2hex (session->
111 security_parameters.server_random, 32,
112 buf, sizeof (buf), NULL));
113
114 if (gnutls_protocol_get_version (session) == GNUTLS_SSL3)
115 {
116 uint8_t rnd[2 * GNUTLS_RANDOM_SIZE + 1];
117
118 memcpy (rnd, session->security_parameters.client_random,
119 GNUTLS_RANDOM_SIZE);
120 memcpy (&rnd[GNUTLS_RANDOM_SIZE],
121 session->security_parameters.server_random, GNUTLS_RANDOM_SIZE);
122
123 ret =
124 _gnutls_ssl3_generate_random (premaster->data, premaster->size,
125 rnd, 2 * GNUTLS_RANDOM_SIZE,
126 GNUTLS_MASTER_SIZE,
127 session->
128 security_parameters.master_secret);
129
130 }
131 else
132 {
133 uint8_t rnd[2 * GNUTLS_RANDOM_SIZE + 1];
134
135 memcpy (rnd, session->security_parameters.client_random,
136 GNUTLS_RANDOM_SIZE);
137 memcpy (&rnd[GNUTLS_RANDOM_SIZE],
138 session->security_parameters.server_random, GNUTLS_RANDOM_SIZE);
139
140 ret =
141 _gnutls_PRF (session, premaster->data, premaster->size,
142 MASTER_SECRET, MASTER_SECRET_SIZE,
143 rnd, 2 * GNUTLS_RANDOM_SIZE, GNUTLS_MASTER_SIZE,
144 session->security_parameters.master_secret);
145 }
146
147 if (!keep_premaster)
148 _gnutls_free_datum (premaster);
149
150 if (ret < 0)
151 return ret;
152
153 _gnutls_hard_log ("INT: MASTER SECRET: %s\n",
154 _gnutls_bin2hex (session->
155 security_parameters.master_secret,
156 GNUTLS_MASTER_SIZE, buf, sizeof (buf),
157 NULL));
158
159 return ret;
160 }
161
162
163 /* This is called when we want to receive the key exchange message of the
164 * server. It does nothing if this type of message is not required
165 * by the selected ciphersuite.
166 */
167 int
168 _gnutls_send_server_kx_message (gnutls_session_t session, int again)
169 {
170 gnutls_buffer_st data;
171 int ret = 0;
172
173 if (session->internals.auth_struct->gnutls_generate_server_kx == NULL)
174 return 0;
175
176 _gnutls_buffer_init( &data);
177
178 if (again == 0)
179 {
180 ret =
181 session->internals.auth_struct->gnutls_generate_server_kx (session,
182 &data);
183
184 if (ret == GNUTLS_E_INT_RET_0)
185 {
186 gnutls_assert ();
187 ret = 0;
188 goto cleanup;
189 }
190
191 if (ret < 0)
192 {
193 gnutls_assert ();
194 goto cleanup;
195 }
196 }
197
198 ret = send_handshake (session, data.data, data.length,
199 GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE);
200 if (ret < 0)
201 {
202 gnutls_assert ();
203 }
204
205 cleanup:
206 _gnutls_buffer_clear (&data);
207 return ret;
208 }
209
210 /* This function sends a certificate request message to the
211 * client.
212 */
213 int
214 _gnutls_send_server_crt_request (gnutls_session_t session, int again)
215 {
216 gnutls_buffer_st data;
217 int ret = 0;
218
219 if (session->internals.
220 auth_struct->gnutls_generate_server_crt_request == NULL)
221 return 0;
222
223 if (session->internals.send_cert_req <= 0)
224 return 0;
225
226 _gnutls_buffer_init( &data);
227
228 if (again == 0)
229 {
230 ret =
231 session->internals.
232 auth_struct->gnutls_generate_server_crt_request (session,
233 &data);
234
235 if (ret < 0)
236 {
237 gnutls_assert ();
238 goto cleanup;
239 }
240 }
241
242 ret = send_handshake (session, data.data, data.length,
243 GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST);
244 if (ret < 0)
245 {
246 gnutls_assert ();
247 }
248
249 cleanup:
250 _gnutls_buffer_clear (&data);
251 return ret;
252 }
253
254
255 /* This is the function for the client to send the key
256 * exchange message
257 */
258 int
259 _gnutls_send_client_kx_message (gnutls_session_t session, int again)
260 {
261 gnutls_buffer_st data;
262 int ret = 0;
263
264 if (session->internals.auth_struct->gnutls_generate_client_kx == NULL)
265 return 0;
266
267 _gnutls_buffer_init( &data);
268
269 if (again == 0)
270 {
271 ret =
272 session->internals.auth_struct->gnutls_generate_client_kx (session,
273 &data);
274 if (ret < 0)
275 {
276 gnutls_assert();
277 goto cleanup;
278 }
279 }
280 ret = send_handshake (session, data.data, data.length,
281 GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE);
282 if (ret < 0)
283 {
284 gnutls_assert ();
285 }
286
287 cleanup:
288 _gnutls_buffer_clear (&data);
289 return ret;
290 }
291
292
293 /* This is the function for the client to send the certificate
294 * verify message
295 */
296 int
297 _gnutls_send_client_certificate_verify (gnutls_session_t session, int again)
298 {
299 gnutls_buffer_st data;
300 int ret = 0;
301
302 /* This is a packet that is only sent by the client
303 */
304 if (session->security_parameters.entity == GNUTLS_SERVER)
305 return 0;
306
307 /* if certificate verify is not needed just exit
308 */
309 if (session->key.crt_requested == 0)
310 return 0;
311
312
313 if (session->internals.auth_struct->gnutls_generate_client_crt_vrfy ==
314 NULL)
315 {
316 gnutls_assert ();
317 return 0; /* this algorithm does not support cli_crt_vrfy
318 */
319 }
320
321 _gnutls_buffer_init( &data);
322
323 if (again == 0)
324 {
325 ret =
326 session->internals.
327 auth_struct->gnutls_generate_client_crt_vrfy (session, &data);
328 if (ret < 0)
329 {
330 gnutls_assert();
331 goto cleanup;
332 }
333
334 if (ret == 0)
335 goto cleanup;
336
337 }
338 ret = send_handshake (session, data.data, data.length,
339 GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY);
340
341 if (ret < 0)
342 {
343 gnutls_assert ();
344 }
345
346 cleanup:
347 _gnutls_buffer_clear (&data);
348 return ret;
349 }
350
351 /* This is called when we want send our certificate
352 */
353 int
354 _gnutls_send_client_certificate (gnutls_session_t session, int again)
355 {
356 gnutls_buffer_st data;
357 int ret = 0;
358
359
360 if (session->key.crt_requested == 0)
361 return 0;
362
363 if (session->internals.auth_struct->gnutls_generate_client_certificate ==
364 NULL)
365 return 0;
366
367 _gnutls_buffer_init( &data);
368
369 if (again == 0)
370 {
371 if (gnutls_protocol_get_version (session) != GNUTLS_SSL3 ||
372 session->internals.selected_cert_list_length > 0)
373 {
374 /* TLS 1.0 or SSL 3.0 with a valid certificate
375 */
376 ret =
377 session->internals.
378 auth_struct->gnutls_generate_client_certificate (session, &data);
379
380 if (ret < 0)
381 {
382 gnutls_assert();
383 goto cleanup;
384 }
385 }
386 }
387
388 /* In the SSL 3.0 protocol we need to send a
389 * no certificate alert instead of an
390 * empty certificate.
391 */
392 if (gnutls_protocol_get_version (session) == GNUTLS_SSL3 &&
393 session->internals.selected_cert_list_length == 0)
394 {
395 ret =
396 gnutls_alert_send (session, GNUTLS_AL_WARNING,
397 GNUTLS_A_SSL3_NO_CERTIFICATE);
398
399 }
400 else
401 { /* TLS 1.0 or SSL 3.0 with a valid certificate
402 */
403 ret = send_handshake (session, data.data, data.length,
404 GNUTLS_HANDSHAKE_CERTIFICATE_PKT);
405 }
406
407 cleanup:
408 _gnutls_buffer_clear (&data);
409 return ret;
410 }
411
412
413 /* This is called when we want send our certificate
414 */
415 int
416 _gnutls_send_server_certificate (gnutls_session_t session, int again)
417 {
418 gnutls_buffer_st data;
419 int ret = 0;
420
421
422 if (session->internals.auth_struct->gnutls_generate_server_certificate ==
423 NULL)
424 return 0;
425
426 _gnutls_buffer_init( &data);
427
428 if (again == 0)
429 {
430 ret =
431 session->internals.
432 auth_struct->gnutls_generate_server_certificate (session, &data);
433
434 if (ret < 0)
435 {
436 gnutls_assert();
437 goto cleanup;
438 }
439 }
440 ret = send_handshake (session, data.data, data.length,
441 GNUTLS_HANDSHAKE_CERTIFICATE_PKT);
442 if (ret < 0)
443 {
444 gnutls_assert ();
445 }
446
447 cleanup:
448 _gnutls_buffer_clear (&data);
449 return ret;
450 }
451
452
453 int
454 _gnutls_recv_server_kx_message (gnutls_session_t session)
455 {
456 gnutls_buffer_st buf;
457 int ret = 0;
458 unsigned int optflag = 0;
459
460 if (session->internals.auth_struct->gnutls_process_server_kx != NULL)
461 {
462
463 /* EXCEPTION FOR RSA_EXPORT cipher suite
464 */
465 if (_gnutls_session_is_export (session) != 0 &&
466 _gnutls_peers_cert_less_512 (session) != 0)
467 {
468 gnutls_assert ();
469 return 0;
470 }
471
472 /* Server key exchange packet is optional for PSK. */
473 if (_gnutls_session_is_psk (session))
474 optflag = 1;
475
476 ret =
477 _gnutls_recv_handshake (session,
478 GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE,
479 optflag, &buf);
480 if (ret < 0)
481 {
482 gnutls_assert ();
483 return ret;
484 }
485
486 ret =
487 session->internals.auth_struct->gnutls_process_server_kx (session,
488 buf.data,
489 buf.length);
490 _gnutls_buffer_clear(&buf);
491
492 if (ret < 0)
493 {
494 gnutls_assert ();
495 return ret;
496 }
497
498 }
499 return ret;
500 }
501
502 int
503 _gnutls_recv_server_crt_request (gnutls_session_t session)
504 {
505 gnutls_buffer_st buf;
506 int ret = 0;
507
508 if (session->internals.
509 auth_struct->gnutls_process_server_crt_request != NULL)
510 {
511
512 ret =
513 _gnutls_recv_handshake (session,
514 GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST,
515 1, &buf);
516 if (ret < 0)
517 return ret;
518
519 if (ret == 0 && buf.length == 0)
520 {
521 _gnutls_buffer_clear(&buf);
522 return 0; /* ignored */
523 }
524
525 ret =
526 session->internals.
527 auth_struct->gnutls_process_server_crt_request (session, buf.data,
528 buf.length);
529 _gnutls_buffer_clear (&buf);
530 if (ret < 0)
531 return ret;
532
533 }
534 return ret;
535 }
536
537 int
538 _gnutls_recv_client_kx_message (gnutls_session_t session)
539 {
540 gnutls_buffer_st buf;
541 int ret = 0;
542
543
544 /* Do key exchange only if the algorithm permits it */
545 if (session->internals.auth_struct->gnutls_process_client_kx != NULL)
546 {
547
548 ret =
549 _gnutls_recv_handshake (session,
550 GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE,
551 0, &buf);
552 if (ret < 0)
553 return ret;
554
555 ret =
556 session->internals.auth_struct->gnutls_process_client_kx (session,
557 buf.data,
558 buf.length);
559 _gnutls_buffer_clear (&buf);
560 if (ret < 0)
561 return ret;
562
563 }
564
565 return ret;
566 }
567
568
569 int
570 _gnutls_recv_client_certificate (gnutls_session_t session)
571 {
572 gnutls_buffer_st buf;
573 int ret = 0;
574 int optional;
575
576 if (session->internals.auth_struct->gnutls_process_client_certificate ==
577 NULL)
578 return 0;
579
580 /* if we have not requested a certificate then just return
581 */
582 if (session->internals.send_cert_req == 0)
583 {
584 return 0;
585 }
586
587 if (session->internals.send_cert_req == GNUTLS_CERT_REQUIRE)
588 optional = 0;
589 else
590 optional = 1;
591
592 ret =
593 _gnutls_recv_handshake (session, GNUTLS_HANDSHAKE_CERTIFICATE_PKT,
594 optional, &buf);
595
596 if (ret < 0)
597 {
598 /* Handle the case of old SSL3 clients who send
599 * a warning alert instead of an empty certificate to indicate
600 * no certificate.
601 */
602 if (optional != 0 &&
603 ret == GNUTLS_E_WARNING_ALERT_RECEIVED &&
604 gnutls_protocol_get_version (session) == GNUTLS_SSL3 &&
605 gnutls_alert_get (session) == GNUTLS_A_SSL3_NO_CERTIFICATE)
606 {
607
608 /* SSL3 does not send an empty certificate,
609 * but this alert. So we just ignore it.
610 */
611 gnutls_assert ();
612 return 0;
613 }
614
615 /* certificate was required
616 */
617 if ((ret == GNUTLS_E_WARNING_ALERT_RECEIVED
618 || ret == GNUTLS_E_FATAL_ALERT_RECEIVED)
619 && optional == 0)
620 {
621 gnutls_assert ();
622 return GNUTLS_E_NO_CERTIFICATE_FOUND;
623 }
624
625 return ret;
626 }
627
628 if (ret == 0 && buf.length == 0 && optional != 0)
629 {
630 /* Client has not sent the certificate message.
631 * well I'm not sure we should accept this
632 * behaviour.
633 */
634 gnutls_assert ();
635 ret = 0;
636 goto cleanup;
637 }
638 ret =
639 session->internals.
640 auth_struct->gnutls_process_client_certificate (session, buf.data,
641 buf.length);
642
643 if (ret < 0 && ret != GNUTLS_E_NO_CERTIFICATE_FOUND)
644 {
645 gnutls_assert ();
646 goto cleanup;
647 }
648
649 /* ok we should expect a certificate verify message now
650 */
651 if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND && optional != 0)
652 ret = 0;
653 else
654 session->key.crt_requested = 1;
655
656 cleanup:
657 _gnutls_buffer_clear(&buf);
658 return ret;
659 }
660
661 int
662 _gnutls_recv_server_certificate (gnutls_session_t session)
663 {
664 gnutls_buffer_st buf;
665 int ret = 0;
666
667 if (session->internals.auth_struct->gnutls_process_server_certificate !=
668 NULL)
669 {
670
671 ret =
672 _gnutls_recv_handshake (session,
673 GNUTLS_HANDSHAKE_CERTIFICATE_PKT,
674 0, &buf);
675 if (ret < 0)
676 {
677 gnutls_assert ();
678 return ret;
679 }
680
681 ret =
682 session->internals.
683 auth_struct->gnutls_process_server_certificate (session, buf.data,
684 buf.length);
685 _gnutls_buffer_clear(&buf);
686 if (ret < 0)
687 {
688 gnutls_assert ();
689 return ret;
690 }
691 }
692
693 return ret;
694 }
695
696
697 /* Recv the client certificate verify. This packet may not
698 * arrive if the peer did not send us a certificate.
699 */
700 int
701 _gnutls_recv_client_certificate_verify_message (gnutls_session_t session)
702 {
703 gnutls_buffer_st buf;
704 int ret = 0;
705
706
707 if (session->internals.auth_struct->gnutls_process_client_crt_vrfy == NULL)
708 return 0;
709
710 if (session->internals.send_cert_req == 0 ||
711 session->key.crt_requested == 0)
712 {
713 return 0;
714 }
715
716 ret =
717 _gnutls_recv_handshake (session,
718 GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY,
719 1, &buf);
720 if (ret < 0)
721 return ret;
722
723 if (ret == 0 && buf.length == 0
724 && session->internals.send_cert_req == GNUTLS_CERT_REQUIRE)
725 {
726 /* certificate was required */
727 gnutls_assert ();
728 ret = GNUTLS_E_NO_CERTIFICATE_FOUND;
729 goto cleanup;
730 }
731
732 ret =
733 session->internals.
734 auth_struct->gnutls_process_client_crt_vrfy (session, buf.data,
735 buf.length);
736
737 cleanup:
738 _gnutls_buffer_clear(&buf);
739 return ret;
740 }
Implementation of the SSL/TLS protocol