lib/auth_psk.c

   1 /*
   2  * Copyright (C) 2005, 2007 Free Software Foundation
   3  *
   4  * Author: Nikos Mavrogiannopoulos
   5  *
   6  * This file is part of GNUTLS.
   7  *
   8  * The GNUTLS library is free software; you can redistribute it and/or
   9  * modify it under the terms of the GNU Lesser General Public License
  10  * as published by the Free Software Foundation; either version 2.1 of
  11  * the License, or (at your option) any later version.
  12  *
  13  * This library is distributed in the hope that it will be useful, but
  14  * WITHOUT ANY WARRANTY; without even the implied warranty of
  15  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  16  * Lesser General Public License for more details.
  17  *
  18  * You should have received a copy of the GNU Lesser General Public
  19  * License along with this library; if not, write to the Free Software
  20  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
  21  * USA
  22  *
  23  */
  24
  25 #include <gnutls_int.h>
  26
  27 #ifdef ENABLE_PSK
  28
  29 #include "gnutls_errors.h"
  30 #include "gnutls_auth.h"
  31 #include "gnutls_auth_int.h"
  32 #include "debug.h"
  33 #include "gnutls_num.h"
  34 #include <auth_psk.h>
  35 #include <auth_psk_passwd.h>
  36 #include <gnutls_str.h>
  37 #include <gnutls_datum.h>
  38
  39 int _gnutls_gen_psk_client_kx (gnutls_session_t, opaque **);
  40
  41 int _gnutls_proc_psk_client_kx (gnutls_session_t, opaque *, size_t);
  42
  43 const mod_auth_st psk_auth_struct = {
  44   "PSK",
  45   NULL,
  46   NULL,
  47   NULL,
  48   _gnutls_gen_psk_client_kx,
  49   NULL,
  50   NULL,
  51
  52   NULL,
  53   NULL,                         /* certificate */
  54   NULL,
  55   _gnutls_proc_psk_client_kx,
  56   NULL,
  57   NULL
  58 };
  59
  60 /* Set the PSK premaster secret.
  61  */
  62 int
  63 _gnutls_set_psk_session_key (gnutls_session_t session,
  64                              gnutls_datum_t * dh_secret)
  65 {
  66   gnutls_datum_t pwd_psk = { NULL, 0 };
  67   gnutls_datum_t *ppsk;
  68   size_t dh_secret_size;
  69   int ret;
  70
  71   if (session->security_parameters.entity == GNUTLS_CLIENT)
  72     {
  73       gnutls_psk_client_credentials_t cred;
  74
  75       cred = (gnutls_psk_client_credentials_t)
  76         _gnutls_get_cred (session->key, GNUTLS_CRD_PSK, NULL);
  77
  78       if (cred == NULL)
  79         {
  80           gnutls_assert ();
  81           return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
  82         }
  83
  84       ppsk = &cred->key;
  85
  86     }
  87   else
  88     {                           /* SERVER side */
  89       psk_auth_info_t info;
  90
  91       info = _gnutls_get_auth_info (session);
  92
  93       /* find the key of this username
  94        */
  95       ret = _gnutls_psk_pwd_find_entry (session, info->username, &pwd_psk);
  96       if (ret < 0)
  97         {
  98           gnutls_assert ();
  99           return ret;
 100         }
 101       ppsk = &pwd_psk;
 102     }
 103
 104
 105   if (dh_secret == NULL)
 106     dh_secret_size = ppsk->size;
 107   else
 108     dh_secret_size = dh_secret->size;
 109
 110   /* set the session key
 111    */
 112   session->key->key.size = 4 + dh_secret_size + ppsk->size;
 113   session->key->key.data = gnutls_malloc (session->key->key.size);
 114   if (session->key->key.data == NULL)
 115     {
 116       gnutls_assert ();
 117       ret = GNUTLS_E_MEMORY_ERROR;
 118       goto error;
 119     }
 120
 121   /* format of the premaster secret:
 122    * (uint16_t) psk_size
 123    * psk_size bytes of zeros
 124    * (uint16_t) psk_size
 125    * the psk
 126    */
 127   _gnutls_write_uint16 (dh_secret_size, session->key->key.data);
 128   if (dh_secret == NULL)
 129     memset (&session->key->key.data[2], 0, dh_secret_size);
 130   else
 131     memcpy (&session->key->key.data[2], dh_secret->data, dh_secret->size);
 132   _gnutls_write_datum16 (&session->key->key.data[dh_secret_size + 2], *ppsk);
 133
 134   ret = 0;
 135
 136 error:
 137   _gnutls_free_datum (&pwd_psk);
 138   return ret;
 139 }
 140
 141
 142 /* Generates the PSK client key exchange
 143  *
 144  *
 145  * struct {
 146  *    select (KeyExchangeAlgorithm) {
 147  *       opaque psk_identity<0..2^16-1>;
 148  *    } exchange_keys;
 149  * } ClientKeyExchange;
 150  *
 151  */
 152 int
 153 _gnutls_gen_psk_client_kx (gnutls_session_t session, opaque ** data)
 154 {
 155   int ret;
 156   gnutls_psk_client_credentials_t cred;
 157
 158   cred = (gnutls_psk_client_credentials_t)
 159     _gnutls_get_cred (session->key, GNUTLS_CRD_PSK, NULL);
 160
 161   if (cred == NULL)
 162     {
 163       gnutls_assert ();
 164       return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
 165     }
 166
 167   if (cred->username.data == NULL || cred->key.data == NULL)
 168     {
 169       gnutls_assert ();
 170       return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
 171     }
 172
 173   ret = _gnutls_set_psk_session_key (session, NULL);
 174   if (ret < 0)
 175     {
 176       gnutls_assert ();
 177       return ret;
 178     }
 179
 180   (*data) = gnutls_malloc (2 + cred->username.size);
 181   if ((*data) == NULL)
 182     {
 183       gnutls_assert ();
 184       return GNUTLS_E_MEMORY_ERROR;
 185     }
 186
 187   _gnutls_write_datum16 (*data, cred->username);
 188
 189   return (cred->username.size + 2);
 190 }
 191
 192
 193 /* just read the username from the client key exchange.
 194  */
 195 int
 196 _gnutls_proc_psk_client_kx (gnutls_session_t session, opaque * data,
 197                             size_t _data_size)
 198 {
 199   ssize_t data_size = _data_size;
 200   int ret;
 201   gnutls_datum_t username;
 202   gnutls_psk_server_credentials_t cred;
 203   psk_auth_info_t info;
 204
 205   cred = (gnutls_psk_server_credentials_t)
 206     _gnutls_get_cred (session->key, GNUTLS_CRD_PSK, NULL);
 207
 208   if (cred == NULL)
 209     {
 210       gnutls_assert ();
 211       return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
 212     }
 213
 214   if ((ret =
 215        _gnutls_auth_info_set (session, GNUTLS_CRD_PSK,
 216                               sizeof (psk_auth_info_st), 1)) < 0)
 217     {
 218       gnutls_assert ();
 219       return ret;
 220     }
 221
 222   DECR_LEN (data_size, 2);
 223   username.size = _gnutls_read_uint16 (&data[0]);
 224
 225   DECR_LEN (data_size, username.size);
 226
 227   username.data = &data[2];
 228
 229
 230   /* copy the username to the auth info structures
 231    */
 232   info = _gnutls_get_auth_info (session);
 233
 234   if (username.size > MAX_SRP_USERNAME)
 235     {
 236       gnutls_assert ();
 237       return GNUTLS_E_ILLEGAL_SRP_USERNAME;
 238     }
 239
 240   memcpy (info->username, username.data, username.size);
 241   info->username[username.size] = 0;
 242
 243   ret = _gnutls_set_psk_session_key (session, NULL);
 244   if (ret < 0)
 245     {
 246       gnutls_assert ();
 247       goto error;
 248     }
 249
 250   ret = 0;
 251
 252 error:
 253   return ret;
 254 }
 255
 256
 257 #endif /* ENABLE_SRP */