lib/gnutls_kx.c

   1 /*
   2  * Copyright (C) 2000-2012 Free Software Foundation, Inc.
   3  *
   4  * Author: Nikos Mavrogiannopoulos
   5  *
   6  * This file is part of GnuTLS.
   7  *
   8  * The GnuTLS is free software; you can redistribute it and/or
   9  * modify it under the terms of the GNU Lesser General Public License
  10  * as published by the Free Software Foundation; either version 2.1 of
  11  * the License, or (at your option) any later version.
  12  *
  13  * This library is distributed in the hope that it will be useful, but
  14  * WITHOUT ANY WARRANTY; without even the implied warranty of
  15  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  16  * Lesser General Public License for more details.
  17  *
  18  * You should have received a copy of the GNU Lesser General Public License
  19  * along with this program.  If not, see <http://www.gnu.org/licenses/>
  20  *
  21  */
  22
  23 /* This file contains functions which are wrappers for the key exchange
  24  * part of TLS. They are called by the handshake functions (gnutls_handshake)
  25  */
  26
  27 #include "gnutls_int.h"
  28 #include "gnutls_handshake.h"
  29 #include "gnutls_kx.h"
  30 #include "gnutls_dh.h"
  31 #include "gnutls_errors.h"
  32 #include "algorithms.h"
  33 #include "debug.h"
  34 #include "gnutls_mpi.h"
  35 #include <gnutls_state.h>
  36 #include <gnutls_datum.h>
  37 #include <gnutls_mbuffers.h>
  38
  39 /* This is a temporary function to be used before the generate_*
  40    internal API is changed to use mbuffers. For now we don't avoid the
  41    extra alloc + memcpy. */
  42 static int
  43 send_handshake(gnutls_session_t session, uint8_t * data, size_t size,
  44                gnutls_handshake_description_t type)
  45 {
  46         mbuffer_st *bufel;
  47
  48         if (data == NULL && size == 0)
  49                 return _gnutls_send_handshake(session, NULL, type);
  50
  51         if (data == NULL && size > 0) {
  52                 gnutls_assert();
  53                 return GNUTLS_E_INVALID_REQUEST;
  54         }
  55
  56         bufel = _gnutls_handshake_alloc(session, size);
  57         if (bufel == NULL) {
  58                 gnutls_assert();
  59                 return GNUTLS_E_MEMORY_ERROR;
  60         }
  61
  62         _mbuffer_set_udata(bufel, data, size);
  63
  64         return _gnutls_send_handshake(session, bufel, type);
  65 }
  66
  67
  68 /* This file contains important thing for the TLS handshake procedure.
  69  */
  70
  71 #define MASTER_SECRET "master secret"
  72 #define MASTER_SECRET_SIZE (sizeof(MASTER_SECRET)-1)
  73 static int generate_normal_master(gnutls_session_t session,
  74                                   gnutls_datum_t *, int);
  75
  76 int _gnutls_generate_master(gnutls_session_t session, int keep_premaster)
  77 {
  78         if (session->internals.resumed == RESUME_FALSE)
  79                 return generate_normal_master(session, &session->key.key,
  80                                               keep_premaster);
  81         else if (session->internals.premaster_set) {
  82                 gnutls_datum_t premaster;
  83                 premaster.size =
  84                     sizeof(session->internals.resumed_security_parameters.
  85                            master_secret);
  86                 premaster.data =
  87                     session->internals.resumed_security_parameters.
  88                     master_secret;
  89                 return generate_normal_master(session, &premaster, 1);
  90         }
  91         return 0;
  92 }
  93
  94 /* here we generate the TLS Master secret.
  95  */
  96 static int
  97 generate_normal_master(gnutls_session_t session,
  98                        gnutls_datum_t * premaster, int keep_premaster)
  99 {
 100         int ret = 0;
 101         char buf[512];
 102
 103         _gnutls_hard_log("INT: PREMASTER SECRET[%d]: %s\n",
 104                          premaster->size, _gnutls_bin2hex(premaster->data,
 105                                                           premaster->size,
 106                                                           buf, sizeof(buf),
 107                                                           NULL));
 108         _gnutls_hard_log("INT: CLIENT RANDOM[%d]: %s\n", 32,
 109                          _gnutls_bin2hex(session->security_parameters.
 110                                          client_random, 32, buf,
 111                                          sizeof(buf), NULL));
 112         _gnutls_hard_log("INT: SERVER RANDOM[%d]: %s\n", 32,
 113                          _gnutls_bin2hex(session->security_parameters.
 114                                          server_random, 32, buf,
 115                                          sizeof(buf), NULL));
 116
 117         if (get_num_version(session) == GNUTLS_SSL3) {
 118                 uint8_t rnd[2 * GNUTLS_RANDOM_SIZE + 1];
 119
 120                 memcpy(rnd, session->security_parameters.client_random,
 121                        GNUTLS_RANDOM_SIZE);
 122                 memcpy(&rnd[GNUTLS_RANDOM_SIZE],
 123                        session->security_parameters.server_random,
 124                        GNUTLS_RANDOM_SIZE);
 125
 126                 ret =
 127                     _gnutls_ssl3_generate_random(premaster->data,
 128                                                  premaster->size, rnd,
 129                                                  2 * GNUTLS_RANDOM_SIZE,
 130                                                  GNUTLS_MASTER_SIZE,
 131                                                  session->security_parameters.
 132                                                  master_secret);
 133
 134         } else {
 135                 uint8_t rnd[2 * GNUTLS_RANDOM_SIZE + 1];
 136
 137                 memcpy(rnd, session->security_parameters.client_random,
 138                        GNUTLS_RANDOM_SIZE);
 139                 memcpy(&rnd[GNUTLS_RANDOM_SIZE],
 140                        session->security_parameters.server_random,
 141                        GNUTLS_RANDOM_SIZE);
 142
 143                 ret =
 144                     _gnutls_PRF(session, premaster->data, premaster->size,
 145                                 MASTER_SECRET, MASTER_SECRET_SIZE,
 146                                 rnd, 2 * GNUTLS_RANDOM_SIZE,
 147                                 GNUTLS_MASTER_SIZE,
 148                                 session->security_parameters.
 149                                 master_secret);
 150         }
 151
 152         if (!keep_premaster)
 153                 _gnutls_free_temp_key_datum(premaster);
 154
 155         if (ret < 0)
 156                 return ret;
 157
 158         _gnutls_hard_log("INT: MASTER SECRET: %s\n",
 159                          _gnutls_bin2hex(session->security_parameters.
 160                                          master_secret, GNUTLS_MASTER_SIZE,
 161                                          buf, sizeof(buf), NULL));
 162
 163         return ret;
 164 }
 165
 166
 167 /* This is called when we want to receive the key exchange message of the
 168  * server. It does nothing if this type of message is not required
 169  * by the selected ciphersuite.
 170  */
 171 int _gnutls_send_server_kx_message(gnutls_session_t session, int again)
 172 {
 173         gnutls_buffer_st data;
 174         int ret = 0;
 175
 176         if (session->internals.auth_struct->gnutls_generate_server_kx ==
 177             NULL)
 178                 return 0;
 179
 180         _gnutls_buffer_init(&data);
 181
 182         if (again == 0) {
 183                 ret =
 184                     session->internals.auth_struct->
 185                     gnutls_generate_server_kx(session, &data);
 186
 187                 if (ret == GNUTLS_E_INT_RET_0) {
 188                         gnutls_assert();
 189                         ret = 0;
 190                         goto cleanup;
 191                 }
 192
 193                 if (ret < 0) {
 194                         gnutls_assert();
 195                         goto cleanup;
 196                 }
 197         }
 198
 199         ret = send_handshake(session, data.data, data.length,
 200                              GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE);
 201         if (ret < 0) {
 202                 gnutls_assert();
 203         }
 204
 205       cleanup:
 206         _gnutls_buffer_clear(&data);
 207         return ret;
 208 }
 209
 210 /* This function sends a certificate request message to the
 211  * client.
 212  */
 213 int _gnutls_send_server_crt_request(gnutls_session_t session, int again)
 214 {
 215         gnutls_buffer_st data;
 216         int ret = 0;
 217
 218         if (session->internals.auth_struct->
 219             gnutls_generate_server_crt_request == NULL)
 220                 return 0;
 221
 222         if (session->internals.send_cert_req <= 0)
 223                 return 0;
 224
 225         _gnutls_buffer_init(&data);
 226
 227         if (again == 0) {
 228                 ret =
 229                     session->internals.auth_struct->
 230                     gnutls_generate_server_crt_request(session, &data);
 231
 232                 if (ret < 0) {
 233                         gnutls_assert();
 234                         goto cleanup;
 235                 }
 236         }
 237
 238         ret = send_handshake(session, data.data, data.length,
 239                              GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST);
 240         if (ret < 0) {
 241                 gnutls_assert();
 242         }
 243
 244       cleanup:
 245         _gnutls_buffer_clear(&data);
 246         return ret;
 247 }
 248
 249
 250 /* This is the function for the client to send the key
 251  * exchange message
 252  */
 253 int _gnutls_send_client_kx_message(gnutls_session_t session, int again)
 254 {
 255         gnutls_buffer_st data;
 256         int ret = 0;
 257
 258         if (session->internals.auth_struct->gnutls_generate_client_kx ==
 259             NULL)
 260                 return 0;
 261
 262         _gnutls_buffer_init(&data);
 263
 264         if (again == 0) {
 265                 ret =
 266                     session->internals.auth_struct->
 267                     gnutls_generate_client_kx(session, &data);
 268                 if (ret < 0) {
 269                         gnutls_assert();
 270                         goto cleanup;
 271                 }
 272         }
 273         ret = send_handshake(session, data.data, data.length,
 274                              GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE);
 275         if (ret < 0) {
 276                 gnutls_assert();
 277         }
 278
 279       cleanup:
 280         _gnutls_buffer_clear(&data);
 281         return ret;
 282 }
 283
 284
 285 /* This is the function for the client to send the certificate
 286  * verify message
 287  */
 288 int
 289 _gnutls_send_client_certificate_verify(gnutls_session_t session, int again)
 290 {
 291         gnutls_buffer_st data;
 292         int ret = 0;
 293
 294         /* This is a packet that is only sent by the client
 295          */
 296         if (session->security_parameters.entity == GNUTLS_SERVER)
 297                 return 0;
 298
 299         /* if certificate verify is not needed just exit
 300          */
 301         if (session->key.crt_requested == 0)
 302                 return 0;
 303
 304
 305         if (session->internals.auth_struct->
 306             gnutls_generate_client_crt_vrfy == NULL) {
 307                 gnutls_assert();
 308                 return 0;       /* this algorithm does not support cli_crt_vrfy
 309                                  */
 310         }
 311
 312         _gnutls_buffer_init(&data);
 313
 314         if (again == 0) {
 315                 ret =
 316                     session->internals.auth_struct->
 317                     gnutls_generate_client_crt_vrfy(session, &data);
 318                 if (ret < 0) {
 319                         gnutls_assert();
 320                         goto cleanup;
 321                 }
 322
 323                 if (ret == 0)
 324                         goto cleanup;
 325
 326         }
 327         ret = send_handshake(session, data.data, data.length,
 328                              GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY);
 329
 330         if (ret < 0) {
 331                 gnutls_assert();
 332         }
 333
 334       cleanup:
 335         _gnutls_buffer_clear(&data);
 336         return ret;
 337 }
 338
 339 /* This is called when we want send our certificate
 340  */
 341 int _gnutls_send_client_certificate(gnutls_session_t session, int again)
 342 {
 343         gnutls_buffer_st data;
 344         int ret = 0;
 345
 346
 347         if (session->key.crt_requested == 0)
 348                 return 0;
 349
 350         if (session->internals.auth_struct->
 351             gnutls_generate_client_certificate == NULL)
 352                 return 0;
 353
 354         _gnutls_buffer_init(&data);
 355
 356         if (again == 0) {
 357                 if (get_num_version(session) != GNUTLS_SSL3 ||
 358                     session->internals.selected_cert_list_length > 0) {
 359                         /* TLS 1.0 or SSL 3.0 with a valid certificate
 360                          */
 361                         ret =
 362                             session->internals.auth_struct->
 363                             gnutls_generate_client_certificate(session,
 364                                                                &data);
 365
 366                         if (ret < 0) {
 367                                 gnutls_assert();
 368                                 goto cleanup;
 369                         }
 370                 }
 371         }
 372
 373         /* In the SSL 3.0 protocol we need to send a
 374          * no certificate alert instead of an
 375          * empty certificate.
 376          */
 377         if (get_num_version(session) == GNUTLS_SSL3 &&
 378             session->internals.selected_cert_list_length == 0) {
 379                 ret =
 380                     gnutls_alert_send(session, GNUTLS_AL_WARNING,
 381                                       GNUTLS_A_SSL3_NO_CERTIFICATE);
 382
 383         } else {                /* TLS 1.0 or SSL 3.0 with a valid certificate
 384                                  */
 385                 ret = send_handshake(session, data.data, data.length,
 386                                      GNUTLS_HANDSHAKE_CERTIFICATE_PKT);
 387         }
 388
 389       cleanup:
 390         _gnutls_buffer_clear(&data);
 391         return ret;
 392 }
 393
 394
 395 /* This is called when we want send our certificate
 396  */
 397 int _gnutls_send_server_certificate(gnutls_session_t session, int again)
 398 {
 399         gnutls_buffer_st data;
 400         int ret = 0;
 401
 402
 403         if (session->internals.auth_struct->
 404             gnutls_generate_server_certificate == NULL)
 405                 return 0;
 406
 407         _gnutls_buffer_init(&data);
 408
 409         if (again == 0) {
 410                 ret =
 411                     session->internals.auth_struct->
 412                     gnutls_generate_server_certificate(session, &data);
 413
 414                 if (ret < 0) {
 415                         gnutls_assert();
 416                         goto cleanup;
 417                 }
 418         }
 419         ret = send_handshake(session, data.data, data.length,
 420                              GNUTLS_HANDSHAKE_CERTIFICATE_PKT);
 421         if (ret < 0) {
 422                 gnutls_assert();
 423         }
 424
 425       cleanup:
 426         _gnutls_buffer_clear(&data);
 427         return ret;
 428 }
 429
 430
 431 int _gnutls_recv_server_kx_message(gnutls_session_t session)
 432 {
 433         gnutls_buffer_st buf;
 434         int ret = 0;
 435         unsigned int optflag = 0;
 436
 437         if (session->internals.auth_struct->gnutls_process_server_kx !=
 438             NULL) {
 439                 /* Server key exchange packet is optional for PSK. */
 440                 if (_gnutls_session_is_psk(session))
 441                         optflag = 1;
 442
 443                 ret =
 444                     _gnutls_recv_handshake(session,
 445                                            GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE,
 446                                            optflag, &buf);
 447                 if (ret < 0) {
 448                         gnutls_assert();
 449                         return ret;
 450                 }
 451
 452                 ret =
 453                     session->internals.auth_struct->
 454                     gnutls_process_server_kx(session, buf.data,
 455                                              buf.length);
 456                 _gnutls_buffer_clear(&buf);
 457
 458                 if (ret < 0) {
 459                         gnutls_assert();
 460                         return ret;
 461                 }
 462
 463         }
 464         return ret;
 465 }
 466
 467 int _gnutls_recv_server_crt_request(gnutls_session_t session)
 468 {
 469         gnutls_buffer_st buf;
 470         int ret = 0;
 471
 472         if (session->internals.auth_struct->
 473             gnutls_process_server_crt_request != NULL) {
 474
 475                 ret =
 476                     _gnutls_recv_handshake(session,
 477                                            GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST,
 478                                            1, &buf);
 479                 if (ret < 0)
 480                         return ret;
 481
 482                 if (ret == 0 && buf.length == 0) {
 483                         _gnutls_buffer_clear(&buf);
 484                         return 0;       /* ignored */
 485                 }
 486
 487                 ret =
 488                     session->internals.auth_struct->
 489                     gnutls_process_server_crt_request(session, buf.data,
 490                                                       buf.length);
 491                 _gnutls_buffer_clear(&buf);
 492                 if (ret < 0)
 493                         return ret;
 494
 495         }
 496         return ret;
 497 }
 498
 499 int _gnutls_recv_client_kx_message(gnutls_session_t session)
 500 {
 501         gnutls_buffer_st buf;
 502         int ret = 0;
 503
 504
 505         /* Do key exchange only if the algorithm permits it */
 506         if (session->internals.auth_struct->gnutls_process_client_kx !=
 507             NULL) {
 508
 509                 ret =
 510                     _gnutls_recv_handshake(session,
 511                                            GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE,
 512                                            0, &buf);
 513                 if (ret < 0)
 514                         return ret;
 515
 516                 ret =
 517                     session->internals.auth_struct->
 518                     gnutls_process_client_kx(session, buf.data,
 519                                              buf.length);
 520                 _gnutls_buffer_clear(&buf);
 521                 if (ret < 0)
 522                         return ret;
 523
 524         }
 525
 526         return ret;
 527 }
 528
 529
 530 int _gnutls_recv_client_certificate(gnutls_session_t session)
 531 {
 532         gnutls_buffer_st buf;
 533         int ret = 0;
 534         int optional;
 535
 536         if (session->internals.auth_struct->
 537             gnutls_process_client_certificate == NULL)
 538                 return 0;
 539
 540         /* if we have not requested a certificate then just return
 541          */
 542         if (session->internals.send_cert_req == 0) {
 543                 return 0;
 544         }
 545
 546         if (session->internals.send_cert_req == GNUTLS_CERT_REQUIRE)
 547                 optional = 0;
 548         else
 549                 optional = 1;
 550
 551         ret =
 552             _gnutls_recv_handshake(session,
 553                                    GNUTLS_HANDSHAKE_CERTIFICATE_PKT,
 554                                    optional, &buf);
 555
 556         if (ret < 0) {
 557                 /* Handle the case of old SSL3 clients who send
 558                  * a warning alert instead of an empty certificate to indicate
 559                  * no certificate.
 560                  */
 561                 if (optional != 0 &&
 562                     ret == GNUTLS_E_WARNING_ALERT_RECEIVED &&
 563                     get_num_version(session) == GNUTLS_SSL3 &&
 564                     gnutls_alert_get(session) ==
 565                     GNUTLS_A_SSL3_NO_CERTIFICATE) {
 566
 567                         /* SSL3 does not send an empty certificate,
 568                          * but this alert. So we just ignore it.
 569                          */
 570                         gnutls_assert();
 571                         return 0;
 572                 }
 573
 574                 /* certificate was required
 575                  */
 576                 if ((ret == GNUTLS_E_WARNING_ALERT_RECEIVED
 577                      || ret == GNUTLS_E_FATAL_ALERT_RECEIVED)
 578                     && optional == 0) {
 579                         gnutls_assert();
 580                         return GNUTLS_E_NO_CERTIFICATE_FOUND;
 581                 }
 582
 583                 return ret;
 584         }
 585
 586         if (ret == 0 && buf.length == 0 && optional != 0) {
 587                 /* Client has not sent the certificate message.
 588                  * well I'm not sure we should accept this
 589                  * behaviour.
 590                  */
 591                 gnutls_assert();
 592                 ret = 0;
 593                 goto cleanup;
 594         }
 595         ret =
 596             session->internals.auth_struct->
 597             gnutls_process_client_certificate(session, buf.data,
 598                                               buf.length);
 599
 600         if (ret < 0 && ret != GNUTLS_E_NO_CERTIFICATE_FOUND) {
 601                 gnutls_assert();
 602                 goto cleanup;
 603         }
 604
 605         /* ok we should expect a certificate verify message now
 606          */
 607         if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND && optional != 0)
 608                 ret = 0;
 609         else
 610                 session->key.crt_requested = 1;
 611
 612       cleanup:
 613         _gnutls_buffer_clear(&buf);
 614         return ret;
 615 }
 616
 617 int _gnutls_recv_server_certificate(gnutls_session_t session)
 618 {
 619         gnutls_buffer_st buf;
 620         int ret = 0;
 621
 622         if (session->internals.auth_struct->
 623             gnutls_process_server_certificate != NULL) {
 624
 625                 ret =
 626                     _gnutls_recv_handshake(session,
 627                                            GNUTLS_HANDSHAKE_CERTIFICATE_PKT,
 628                                            0, &buf);
 629                 if (ret < 0) {
 630                         gnutls_assert();
 631                         return ret;
 632                 }
 633
 634                 ret =
 635                     session->internals.auth_struct->
 636                     gnutls_process_server_certificate(session, buf.data,
 637                                                       buf.length);
 638                 _gnutls_buffer_clear(&buf);
 639                 if (ret < 0) {
 640                         gnutls_assert();
 641                         return ret;
 642                 }
 643         }
 644
 645         return ret;
 646 }
 647
 648
 649 /* Recv the client certificate verify. This packet may not
 650  * arrive if the peer did not send us a certificate.
 651  */
 652 int
 653 _gnutls_recv_client_certificate_verify_message(gnutls_session_t session)
 654 {
 655         gnutls_buffer_st buf;
 656         int ret = 0;
 657
 658
 659         if (session->internals.auth_struct->
 660             gnutls_process_client_crt_vrfy == NULL)
 661                 return 0;
 662
 663         if (session->internals.send_cert_req == 0 ||
 664             session->key.crt_requested == 0) {
 665                 return 0;
 666         }
 667
 668         ret =
 669             _gnutls_recv_handshake(session,
 670                                    GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY,
 671                                    1, &buf);
 672         if (ret < 0)
 673                 return ret;
 674
 675         if (ret == 0 && buf.length == 0
 676             && session->internals.send_cert_req == GNUTLS_CERT_REQUIRE) {
 677                 /* certificate was required */
 678                 gnutls_assert();
 679                 ret = GNUTLS_E_NO_CERTIFICATE_FOUND;
 680                 goto cleanup;
 681         }
 682
 683         ret =
 684             session->internals.auth_struct->
 685             gnutls_process_client_crt_vrfy(session, buf.data, buf.length);
 686
 687       cleanup:
 688         _gnutls_buffer_clear(&buf);
 689         return ret;
 690 }