2 * Copyright (C) 2000-2012 Free Software Foundation, Inc.
4 * Author: Nikos Mavrogiannopoulos
6 * This file is part of GnuTLS.
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
23 /* This file contains functions which are wrappers for the key exchange
24 * part of TLS. They are called by the handshake functions (gnutls_handshake)
27 #include "gnutls_int.h"
28 #include "gnutls_handshake.h"
29 #include "gnutls_kx.h"
30 #include "gnutls_dh.h"
31 #include "gnutls_errors.h"
32 #include "algorithms.h"
34 #include "gnutls_mpi.h"
35 #include <gnutls_state.h>
36 #include <gnutls_datum.h>
37 #include <gnutls_mbuffers.h>
39 /* This is a temporary function to be used before the generate_*
40 internal API is changed to use mbuffers. For now we don't avoid the
41 extra alloc + memcpy. */
43 send_handshake(gnutls_session_t session, uint8_t * data, size_t size,
44 gnutls_handshake_description_t type)
48 if (data == NULL && size == 0)
49 return _gnutls_send_handshake(session, NULL, type);
51 if (data == NULL && size > 0) {
53 return GNUTLS_E_INVALID_REQUEST;
56 bufel = _gnutls_handshake_alloc(session, size);
59 return GNUTLS_E_MEMORY_ERROR;
62 _mbuffer_set_udata(bufel, data, size);
64 return _gnutls_send_handshake(session, bufel, type);
68 /* This file contains important thing for the TLS handshake procedure.
71 #define MASTER_SECRET "master secret"
72 #define MASTER_SECRET_SIZE (sizeof(MASTER_SECRET)-1)
73 static int generate_normal_master(gnutls_session_t session,
74 gnutls_datum_t *, int);
76 int _gnutls_generate_master(gnutls_session_t session, int keep_premaster)
78 if (session->internals.resumed == RESUME_FALSE)
79 return generate_normal_master(session, &session->key.key,
81 else if (session->internals.premaster_set) {
82 gnutls_datum_t premaster;
84 sizeof(session->internals.resumed_security_parameters.
87 session->internals.resumed_security_parameters.
89 return generate_normal_master(session, &premaster, 1);
94 /* here we generate the TLS Master secret.
97 generate_normal_master(gnutls_session_t session,
98 gnutls_datum_t * premaster, int keep_premaster)
103 _gnutls_hard_log("INT: PREMASTER SECRET[%d]: %s\n",
104 premaster->size, _gnutls_bin2hex(premaster->data,
108 _gnutls_hard_log("INT: CLIENT RANDOM[%d]: %s\n", 32,
109 _gnutls_bin2hex(session->security_parameters.
110 client_random, 32, buf,
112 _gnutls_hard_log("INT: SERVER RANDOM[%d]: %s\n", 32,
113 _gnutls_bin2hex(session->security_parameters.
114 server_random, 32, buf,
117 if (get_num_version(session) == GNUTLS_SSL3) {
118 uint8_t rnd[2 * GNUTLS_RANDOM_SIZE + 1];
120 memcpy(rnd, session->security_parameters.client_random,
122 memcpy(&rnd[GNUTLS_RANDOM_SIZE],
123 session->security_parameters.server_random,
127 _gnutls_ssl3_generate_random(premaster->data,
128 premaster->size, rnd,
129 2 * GNUTLS_RANDOM_SIZE,
131 session->security_parameters.
135 uint8_t rnd[2 * GNUTLS_RANDOM_SIZE + 1];
137 memcpy(rnd, session->security_parameters.client_random,
139 memcpy(&rnd[GNUTLS_RANDOM_SIZE],
140 session->security_parameters.server_random,
144 _gnutls_PRF(session, premaster->data, premaster->size,
145 MASTER_SECRET, MASTER_SECRET_SIZE,
146 rnd, 2 * GNUTLS_RANDOM_SIZE,
148 session->security_parameters.
153 _gnutls_free_temp_key_datum(premaster);
158 _gnutls_hard_log("INT: MASTER SECRET: %s\n",
159 _gnutls_bin2hex(session->security_parameters.
160 master_secret, GNUTLS_MASTER_SIZE,
161 buf, sizeof(buf), NULL));
167 /* This is called when we want to receive the key exchange message of the
168 * server. It does nothing if this type of message is not required
169 * by the selected ciphersuite.
171 int _gnutls_send_server_kx_message(gnutls_session_t session, int again)
173 gnutls_buffer_st data;
176 if (session->internals.auth_struct->gnutls_generate_server_kx ==
180 _gnutls_buffer_init(&data);
184 session->internals.auth_struct->
185 gnutls_generate_server_kx(session, &data);
187 if (ret == GNUTLS_E_INT_RET_0) {
199 ret = send_handshake(session, data.data, data.length,
200 GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE);
206 _gnutls_buffer_clear(&data);
210 /* This function sends a certificate request message to the
213 int _gnutls_send_server_crt_request(gnutls_session_t session, int again)
215 gnutls_buffer_st data;
218 if (session->internals.auth_struct->
219 gnutls_generate_server_crt_request == NULL)
222 if (session->internals.send_cert_req <= 0)
225 _gnutls_buffer_init(&data);
229 session->internals.auth_struct->
230 gnutls_generate_server_crt_request(session, &data);
238 ret = send_handshake(session, data.data, data.length,
239 GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST);
245 _gnutls_buffer_clear(&data);
250 /* This is the function for the client to send the key
253 int _gnutls_send_client_kx_message(gnutls_session_t session, int again)
255 gnutls_buffer_st data;
258 if (session->internals.auth_struct->gnutls_generate_client_kx ==
262 _gnutls_buffer_init(&data);
266 session->internals.auth_struct->
267 gnutls_generate_client_kx(session, &data);
273 ret = send_handshake(session, data.data, data.length,
274 GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE);
280 _gnutls_buffer_clear(&data);
285 /* This is the function for the client to send the certificate
289 _gnutls_send_client_certificate_verify(gnutls_session_t session, int again)
291 gnutls_buffer_st data;
294 /* This is a packet that is only sent by the client
296 if (session->security_parameters.entity == GNUTLS_SERVER)
299 /* if certificate verify is not needed just exit
301 if (session->key.crt_requested == 0)
305 if (session->internals.auth_struct->
306 gnutls_generate_client_crt_vrfy == NULL) {
308 return 0; /* this algorithm does not support cli_crt_vrfy
312 _gnutls_buffer_init(&data);
316 session->internals.auth_struct->
317 gnutls_generate_client_crt_vrfy(session, &data);
327 ret = send_handshake(session, data.data, data.length,
328 GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY);
335 _gnutls_buffer_clear(&data);
339 /* This is called when we want send our certificate
341 int _gnutls_send_client_certificate(gnutls_session_t session, int again)
343 gnutls_buffer_st data;
347 if (session->key.crt_requested == 0)
350 if (session->internals.auth_struct->
351 gnutls_generate_client_certificate == NULL)
354 _gnutls_buffer_init(&data);
357 if (get_num_version(session) != GNUTLS_SSL3 ||
358 session->internals.selected_cert_list_length > 0) {
359 /* TLS 1.0 or SSL 3.0 with a valid certificate
362 session->internals.auth_struct->
363 gnutls_generate_client_certificate(session,
373 /* In the SSL 3.0 protocol we need to send a
374 * no certificate alert instead of an
377 if (get_num_version(session) == GNUTLS_SSL3 &&
378 session->internals.selected_cert_list_length == 0) {
380 gnutls_alert_send(session, GNUTLS_AL_WARNING,
381 GNUTLS_A_SSL3_NO_CERTIFICATE);
383 } else { /* TLS 1.0 or SSL 3.0 with a valid certificate
385 ret = send_handshake(session, data.data, data.length,
386 GNUTLS_HANDSHAKE_CERTIFICATE_PKT);
390 _gnutls_buffer_clear(&data);
395 /* This is called when we want send our certificate
397 int _gnutls_send_server_certificate(gnutls_session_t session, int again)
399 gnutls_buffer_st data;
403 if (session->internals.auth_struct->
404 gnutls_generate_server_certificate == NULL)
407 _gnutls_buffer_init(&data);
411 session->internals.auth_struct->
412 gnutls_generate_server_certificate(session, &data);
419 ret = send_handshake(session, data.data, data.length,
420 GNUTLS_HANDSHAKE_CERTIFICATE_PKT);
426 _gnutls_buffer_clear(&data);
431 int _gnutls_recv_server_kx_message(gnutls_session_t session)
433 gnutls_buffer_st buf;
435 unsigned int optflag = 0;
437 if (session->internals.auth_struct->gnutls_process_server_kx !=
439 /* Server key exchange packet is optional for PSK. */
440 if (_gnutls_session_is_psk(session))
444 _gnutls_recv_handshake(session,
445 GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE,
453 session->internals.auth_struct->
454 gnutls_process_server_kx(session, buf.data,
456 _gnutls_buffer_clear(&buf);
467 int _gnutls_recv_server_crt_request(gnutls_session_t session)
469 gnutls_buffer_st buf;
472 if (session->internals.auth_struct->
473 gnutls_process_server_crt_request != NULL) {
476 _gnutls_recv_handshake(session,
477 GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST,
482 if (ret == 0 && buf.length == 0) {
483 _gnutls_buffer_clear(&buf);
484 return 0; /* ignored */
488 session->internals.auth_struct->
489 gnutls_process_server_crt_request(session, buf.data,
491 _gnutls_buffer_clear(&buf);
499 int _gnutls_recv_client_kx_message(gnutls_session_t session)
501 gnutls_buffer_st buf;
505 /* Do key exchange only if the algorithm permits it */
506 if (session->internals.auth_struct->gnutls_process_client_kx !=
510 _gnutls_recv_handshake(session,
511 GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE,
517 session->internals.auth_struct->
518 gnutls_process_client_kx(session, buf.data,
520 _gnutls_buffer_clear(&buf);
530 int _gnutls_recv_client_certificate(gnutls_session_t session)
532 gnutls_buffer_st buf;
536 if (session->internals.auth_struct->
537 gnutls_process_client_certificate == NULL)
540 /* if we have not requested a certificate then just return
542 if (session->internals.send_cert_req == 0) {
546 if (session->internals.send_cert_req == GNUTLS_CERT_REQUIRE)
552 _gnutls_recv_handshake(session,
553 GNUTLS_HANDSHAKE_CERTIFICATE_PKT,
557 /* Handle the case of old SSL3 clients who send
558 * a warning alert instead of an empty certificate to indicate
562 ret == GNUTLS_E_WARNING_ALERT_RECEIVED &&
563 get_num_version(session) == GNUTLS_SSL3 &&
564 gnutls_alert_get(session) ==
565 GNUTLS_A_SSL3_NO_CERTIFICATE) {
567 /* SSL3 does not send an empty certificate,
568 * but this alert. So we just ignore it.
574 /* certificate was required
576 if ((ret == GNUTLS_E_WARNING_ALERT_RECEIVED
577 || ret == GNUTLS_E_FATAL_ALERT_RECEIVED)
580 return GNUTLS_E_NO_CERTIFICATE_FOUND;
586 if (ret == 0 && buf.length == 0 && optional != 0) {
587 /* Client has not sent the certificate message.
588 * well I'm not sure we should accept this
596 session->internals.auth_struct->
597 gnutls_process_client_certificate(session, buf.data,
600 if (ret < 0 && ret != GNUTLS_E_NO_CERTIFICATE_FOUND) {
605 /* ok we should expect a certificate verify message now
607 if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND && optional != 0)
610 session->key.crt_requested = 1;
613 _gnutls_buffer_clear(&buf);
617 int _gnutls_recv_server_certificate(gnutls_session_t session)
619 gnutls_buffer_st buf;
622 if (session->internals.auth_struct->
623 gnutls_process_server_certificate != NULL) {
626 _gnutls_recv_handshake(session,
627 GNUTLS_HANDSHAKE_CERTIFICATE_PKT,
635 session->internals.auth_struct->
636 gnutls_process_server_certificate(session, buf.data,
638 _gnutls_buffer_clear(&buf);
649 /* Recv the client certificate verify. This packet may not
650 * arrive if the peer did not send us a certificate.
653 _gnutls_recv_client_certificate_verify_message(gnutls_session_t session)
655 gnutls_buffer_st buf;
659 if (session->internals.auth_struct->
660 gnutls_process_client_crt_vrfy == NULL)
663 if (session->internals.send_cert_req == 0 ||
664 session->key.crt_requested == 0) {
669 _gnutls_recv_handshake(session,
670 GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY,
675 if (ret == 0 && buf.length == 0
676 && session->internals.send_cert_req == GNUTLS_CERT_REQUIRE) {
677 /* certificate was required */
679 ret = GNUTLS_E_NO_CERTIFICATE_FOUND;
684 session->internals.auth_struct->
685 gnutls_process_client_crt_vrfy(session, buf.data, buf.length);
688 _gnutls_buffer_clear(&buf);