search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
documented updates
[gnutls.git] / lib / auth / psk.c
blob858f2f9978b60c5a65efe0a9975b480b2bc8eb08
1 /*
2 * Copyright (C) 2005-2012 Free Software Foundation, Inc.
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GnuTLS.
7 *
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
20 *
21 */
22
23 #include <gnutls_int.h>
24
25 #ifdef ENABLE_PSK
26
27 #include "gnutls_errors.h"
28 #include "gnutls_auth.h"
29 #include "gnutls_auth.h"
30 #include "debug.h"
31 #include "gnutls_num.h"
32 #include <auth/psk.h>
33 #include <auth/psk_passwd.h>
34 #include <gnutls_str.h>
35 #include <gnutls_datum.h>
36
37 int _gnutls_gen_psk_server_kx (gnutls_session_t session, gnutls_buffer_st* data);
38 int _gnutls_gen_psk_client_kx (gnutls_session_t, gnutls_buffer_st*);
39
40 int _gnutls_proc_psk_client_kx (gnutls_session_t, uint8_t *, size_t);
41
42 int _gnutls_proc_psk_server_kx (gnutls_session_t session, uint8_t * data,
43 size_t _data_size);
44
45 const mod_auth_st psk_auth_struct = {
46 "PSK",
47 NULL,
48 NULL,
49 _gnutls_gen_psk_server_kx,
50 _gnutls_gen_psk_client_kx,
51 NULL,
52 NULL,
53
54 NULL,
55 NULL, /* certificate */
56 _gnutls_proc_psk_server_kx,
57 _gnutls_proc_psk_client_kx,
58 NULL,
59 NULL
60 };
61
62 /* Set the PSK premaster secret.
63 */
64 int
65 _gnutls_set_psk_session_key (gnutls_session_t session,
66 gnutls_datum_t * ppsk /* key */,
67 gnutls_datum_t * dh_secret)
68 {
69 gnutls_datum_t pwd_psk = { NULL, 0 };
70 size_t dh_secret_size;
71 uint8_t * p;
72 int ret;
73
74 if (dh_secret == NULL)
75 dh_secret_size = ppsk->size;
76 else
77 dh_secret_size = dh_secret->size;
78
79 /* set the session key
80 */
81 session->key->key.size = 4 + dh_secret_size + ppsk->size;
82 session->key->key.data = gnutls_malloc (session->key->key.size);
83 if (session->key->key.data == NULL)
84 {
85 gnutls_assert ();
86 ret = GNUTLS_E_MEMORY_ERROR;
87 goto error;
88 }
89
90 /* format of the premaster secret:
91 * (uint16_t) psk_size
92 * psk_size bytes of (0)s
93 * (uint16_t) psk_size
94 * the psk
95 */
96 p = session->key->key.data;
97 _gnutls_write_uint16 (dh_secret_size, p);
98 p+=2;
99 if (dh_secret == NULL)
100 memset (p, 0, dh_secret_size);
101 else
102 memcpy (p, dh_secret->data, dh_secret->size);
103
104 p += dh_secret_size;
105 _gnutls_write_uint16 (ppsk->size, p);
106 if (ppsk->data != NULL)
107 memcpy (p+2, ppsk->data, ppsk->size);
108
109 ret = 0;
110
111 error:
112 _gnutls_free_datum (&pwd_psk);
113 return ret;
114 }
115
116 /* returns the username and they key for the PSK session.
117 * Free is non (0) if they have to be freed.
118 */
119 int _gnutls_find_psk_key( gnutls_session_t session, gnutls_psk_client_credentials_t cred,
120 gnutls_datum_t * username, gnutls_datum_t* key, int* free)
121 {
122 char* user_p;
123 int ret;
124
125 *free = 0;
126
127 if (cred->username.data != NULL && cred->key.data != NULL)
128 {
129 username->data = cred->username.data;
130 username->size = cred->username.size;
131 key->data = cred->key.data;
132 key->size = cred->key.size;
133 }
134 else if (cred->get_function != NULL)
135 {
136 ret = cred->get_function (session, &user_p, key);
137 if (ret)
138 return gnutls_assert_val(ret);
139
140 username->data = (uint8_t*)user_p;
141 username->size = strlen(user_p);
142
143 *free = 1;
144 }
145 else
146 return gnutls_assert_val(GNUTLS_E_INSUFFICIENT_CREDENTIALS);
147
148 return 0;
149 }
150
151
152 /* Generates the PSK client key exchange
153 *
154 *
155 * struct {
156 * select (KeyExchangeAlgorithm) {
157 * uint8_t psk_identity<0..2^16-1>;
158 * } exchange_keys;
159 * } ClientKeyExchange;
160 *
161 */
162 int
163 _gnutls_gen_psk_client_kx (gnutls_session_t session, gnutls_buffer_st* data)
164 {
165 int ret, free;
166 gnutls_datum_t username;
167 gnutls_datum_t key;
168 gnutls_psk_client_credentials_t cred;
169
170 cred = (gnutls_psk_client_credentials_t)
171 _gnutls_get_cred (session->key, GNUTLS_CRD_PSK, NULL);
172
173 if (cred == NULL)
174 {
175 gnutls_assert ();
176 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
177 }
178
179 ret = _gnutls_find_psk_key( session, cred, &username, &key, &free);
180 if (ret < 0)
181 return gnutls_assert_val(ret);
182
183 ret = _gnutls_set_psk_session_key (session, &key, NULL);
184 if (ret < 0)
185 {
186 gnutls_assert();
187 goto cleanup;
188 }
189
190 ret = _gnutls_buffer_append_data_prefix(data, 16, username.data, username.size);
191 if (ret < 0)
192 {
193 gnutls_assert();
194 }
195
196 cleanup:
197 if (free)
198 {
199 gnutls_free(username.data);
200 gnutls_free(key.data);
201 }
202
203 return ret;
204 }
205
206
207 /* just read the username from the client key exchange.
208 */
209 int
210 _gnutls_proc_psk_client_kx (gnutls_session_t session, uint8_t * data,
211 size_t _data_size)
212 {
213 ssize_t data_size = _data_size;
214 int ret;
215 gnutls_datum_t username, psk_key;
216 gnutls_psk_server_credentials_t cred;
217 psk_auth_info_t info;
218
219 cred = (gnutls_psk_server_credentials_t)
220 _gnutls_get_cred (session->key, GNUTLS_CRD_PSK, NULL);
221
222 if (cred == NULL)
223 {
224 gnutls_assert ();
225 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
226 }
227
228 if ((ret =
229 _gnutls_auth_info_set (session, GNUTLS_CRD_PSK,
230 sizeof (psk_auth_info_st), 1)) < 0)
231 {
232 gnutls_assert ();
233 return ret;
234 }
235
236 DECR_LEN (data_size, 2);
237 username.size = _gnutls_read_uint16 (&data[0]);
238
239 DECR_LEN (data_size, username.size);
240
241 username.data = &data[2];
242
243
244 /* copy the username to the auth info structures
245 */
246 info = _gnutls_get_auth_info (session);
247
248 if (username.size > MAX_USERNAME_SIZE)
249 {
250 gnutls_assert ();
251 return GNUTLS_E_ILLEGAL_SRP_USERNAME;
252 }
253
254 memcpy (info->username, username.data, username.size);
255 info->username[username.size] = 0;
256
257 ret = _gnutls_psk_pwd_find_entry(session, info->username, &psk_key);
258 if (ret < 0)
259 return gnutls_assert_val(ret);
260
261 ret = _gnutls_set_psk_session_key (session, &psk_key, NULL);
262 if (ret < 0)
263 {
264 gnutls_assert ();
265 goto error;
266 }
267
268 ret = 0;
269
270 error:
271 _gnutls_free_datum(&psk_key);
272
273 return ret;
274 }
275
276
277 /* Generates the PSK server key exchange
278 *
279 * struct {
280 * select (KeyExchangeAlgorithm) {
281 * // other cases for rsa, diffie_hellman, etc.
282 * case psk: // NEW
283 * uint8_t psk_identity_hint<0..2^16-1>;
284 * };
285 * } ServerKeyExchange;
286 *
287 */
288 int
289 _gnutls_gen_psk_server_kx (gnutls_session_t session, gnutls_buffer_st* data)
290 {
291 gnutls_psk_server_credentials_t cred;
292 gnutls_datum_t hint;
293
294 cred = (gnutls_psk_server_credentials_t)
295 _gnutls_get_cred (session->key, GNUTLS_CRD_PSK, NULL);
296
297 if (cred == NULL)
298 {
299 gnutls_assert ();
300 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
301 }
302
303 /* Abort sending this message if there is no PSK identity hint. */
304 if (cred->hint == NULL)
305 {
306 gnutls_assert ();
307 return GNUTLS_E_INT_RET_0;
308 }
309
310 hint.data = (uint8_t*)cred->hint;
311 hint.size = strlen (cred->hint);
312
313 return _gnutls_buffer_append_data_prefix(data, 16, hint.data, hint.size);
314 }
315
316
317 /* just read the hint from the server key exchange.
318 */
319 int
320 _gnutls_proc_psk_server_kx (gnutls_session_t session, uint8_t * data,
321 size_t _data_size)
322 {
323 ssize_t data_size = _data_size;
324 int ret;
325 gnutls_datum_t hint;
326 gnutls_psk_client_credentials_t cred;
327 psk_auth_info_t info;
328
329 cred = (gnutls_psk_client_credentials_t)
330 _gnutls_get_cred (session->key, GNUTLS_CRD_PSK, NULL);
331
332 if (cred == NULL)
333 {
334 gnutls_assert ();
335 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
336 }
337
338 if ((ret =
339 _gnutls_auth_info_set (session, GNUTLS_CRD_PSK,
340 sizeof (psk_auth_info_st), 1)) < 0)
341 {
342 gnutls_assert ();
343 return ret;
344 }
345
346 DECR_LENGTH_RET (data_size, 2, 0);
347 hint.size = _gnutls_read_uint16 (&data[0]);
348
349 DECR_LEN (data_size, hint.size);
350
351 hint.data = &data[2];
352
353 /* copy the hint to the auth info structures
354 */
355 info = _gnutls_get_auth_info (session);
356
357 if (hint.size > MAX_USERNAME_SIZE)
358 {
359 gnutls_assert ();
360 return GNUTLS_E_ILLEGAL_SRP_USERNAME;
361 }
362
363 memcpy (info->hint, hint.data, hint.size);
364 info->hint[hint.size] = 0;
365
366 ret = _gnutls_set_psk_session_key (session, &cred->key, NULL);
367 if (ret < 0)
368 {
369 gnutls_assert ();
370 goto error;
371 }
372
373 ret = 0;
374
375 error:
376 return ret;
377 }
378
379 #endif /* ENABLE_PSK */
Implementation of the SSL/TLS protocol