|
Packit |
aea12f |
/*
|
|
Packit |
aea12f |
* Copyright (C) 2005-2012 Free Software Foundation, Inc.
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
* Author: Nikos Mavrogiannopoulos
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
* This file is part of GnuTLS.
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
* The GnuTLS is free software; you can redistribute it and/or
|
|
Packit |
aea12f |
* modify it under the terms of the GNU Lesser General Public License
|
|
Packit |
aea12f |
* as published by the Free Software Foundation; either version 2.1 of
|
|
Packit |
aea12f |
* the License, or (at your option) any later version.
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
* This library is distributed in the hope that it will be useful, but
|
|
Packit |
aea12f |
* WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
Packit |
aea12f |
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
Packit |
aea12f |
* Lesser General Public License for more details.
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
* You should have received a copy of the GNU Lesser General Public License
|
|
Packit |
aea12f |
* along with this program. If not, see <https://www.gnu.org/licenses/>
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
*/
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
/* Functions for manipulating the PSK credentials. */
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
#include "gnutls_int.h"
|
|
Packit |
aea12f |
#include "errors.h"
|
|
Packit Service |
991b93 |
#include <str.h>
|
|
Packit |
aea12f |
#include <auth/psk.h>
|
|
Packit |
aea12f |
#include <state.h>
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
#ifdef ENABLE_PSK
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
#include <auth/psk_passwd.h>
|
|
Packit |
aea12f |
#include <num.h>
|
|
Packit |
aea12f |
#include <file.h>
|
|
Packit |
aea12f |
#include <datum.h>
|
|
Packit |
aea12f |
#include "debug.h"
|
|
Packit |
aea12f |
#include "dh.h"
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
/**
|
|
Packit |
aea12f |
* gnutls_psk_free_client_credentials:
|
|
Packit |
aea12f |
* @sc: is a #gnutls_psk_client_credentials_t type.
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
* Free a gnutls_psk_client_credentials_t structure.
|
|
Packit |
aea12f |
**/
|
|
Packit |
aea12f |
void gnutls_psk_free_client_credentials(gnutls_psk_client_credentials_t sc)
|
|
Packit |
aea12f |
{
|
|
Packit |
aea12f |
_gnutls_free_datum(&sc->username);
|
|
Packit |
aea12f |
_gnutls_free_datum(&sc->key);
|
|
Packit |
aea12f |
gnutls_free(sc);
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
/**
|
|
Packit |
aea12f |
* gnutls_psk_allocate_client_credentials:
|
|
Packit |
aea12f |
* @sc: is a pointer to a #gnutls_psk_server_credentials_t type.
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
* Allocate a gnutls_psk_client_credentials_t structure.
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise
|
|
Packit |
aea12f |
* an error code is returned.
|
|
Packit |
aea12f |
**/
|
|
Packit |
aea12f |
int
|
|
Packit |
aea12f |
gnutls_psk_allocate_client_credentials(gnutls_psk_client_credentials_t *
|
|
Packit |
aea12f |
sc)
|
|
Packit |
aea12f |
{
|
|
Packit |
aea12f |
*sc = gnutls_calloc(1, sizeof(psk_client_credentials_st));
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
if (*sc == NULL)
|
|
Packit |
aea12f |
return GNUTLS_E_MEMORY_ERROR;
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
/* TLS 1.3 - Default binder HMAC algorithm is SHA-256 */
|
|
Packit |
aea12f |
(*sc)->binder_algo = _gnutls_mac_to_entry(GNUTLS_MAC_SHA256);
|
|
Packit |
aea12f |
return 0;
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
/**
|
|
Packit |
aea12f |
* gnutls_psk_set_client_credentials:
|
|
Packit |
aea12f |
* @res: is a #gnutls_psk_client_credentials_t type.
|
|
Packit |
aea12f |
* @username: is the user's zero-terminated userid
|
|
Packit |
aea12f |
* @key: is the user's key
|
|
Packit |
aea12f |
* @flags: indicate the format of the key, either
|
|
Packit |
aea12f |
* %GNUTLS_PSK_KEY_RAW or %GNUTLS_PSK_KEY_HEX.
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
* This function sets the username and password, in a
|
|
Packit |
aea12f |
* gnutls_psk_client_credentials_t type. Those will be used in
|
|
Packit |
aea12f |
* PSK authentication. @username should be an ASCII string or UTF-8
|
|
Packit |
aea12f |
* string. In case of a UTF-8 string it is recommended to be following
|
|
Packit |
aea12f |
* the PRECIS framework for usernames (rfc8265). The key can be either
|
|
Packit |
aea12f |
* in raw byte format or in Hex format (without the 0x prefix).
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise
|
|
Packit |
aea12f |
* an error code is returned.
|
|
Packit |
aea12f |
**/
|
|
Packit |
aea12f |
int
|
|
Packit |
aea12f |
gnutls_psk_set_client_credentials(gnutls_psk_client_credentials_t res,
|
|
Packit |
aea12f |
const char *username,
|
|
Packit |
aea12f |
const gnutls_datum_t * key,
|
|
Packit |
aea12f |
gnutls_psk_key_flags flags)
|
|
Packit |
aea12f |
{
|
|
Packit Service |
991b93 |
gnutls_datum_t dat;
|
|
Packit Service |
991b93 |
|
|
Packit Service |
991b93 |
if (username == NULL)
|
|
Packit Service |
991b93 |
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
|
|
Packit Service |
991b93 |
|
|
Packit Service |
991b93 |
dat.data = (unsigned char *) username;
|
|
Packit Service |
991b93 |
dat.size = strlen(username);
|
|
Packit Service |
991b93 |
|
|
Packit Service |
991b93 |
return gnutls_psk_set_client_credentials2(res, &dat, key, flags);
|
|
Packit Service |
991b93 |
}
|
|
Packit Service |
991b93 |
|
|
Packit Service |
991b93 |
/**
|
|
Packit Service |
991b93 |
* gnutls_psk_set_client_credentials2:
|
|
Packit Service |
991b93 |
* @res: is a #gnutls_psk_client_credentials_t type.
|
|
Packit Service |
991b93 |
* @username: is the userid
|
|
Packit Service |
991b93 |
* @key: is the user's key
|
|
Packit Service |
991b93 |
* @flags: indicate the format of the key, either
|
|
Packit Service |
991b93 |
* %GNUTLS_PSK_KEY_RAW or %GNUTLS_PSK_KEY_HEX.
|
|
Packit Service |
991b93 |
*
|
|
Packit Service |
991b93 |
* This function is identical to gnutls_psk_set_client_credentials(),
|
|
Packit Service |
991b93 |
* except that it allows a non-null-terminated username to be introduced.
|
|
Packit Service |
991b93 |
*
|
|
Packit Service |
991b93 |
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise
|
|
Packit Service |
991b93 |
* an error code is returned.
|
|
Packit Service |
991b93 |
*/
|
|
Packit Service |
991b93 |
int
|
|
Packit Service |
991b93 |
gnutls_psk_set_client_credentials2(gnutls_psk_client_credentials_t res,
|
|
Packit Service |
991b93 |
const gnutls_datum_t *username,
|
|
Packit Service |
991b93 |
const gnutls_datum_t *key,
|
|
Packit Service |
991b93 |
gnutls_psk_key_flags flags)
|
|
Packit Service |
991b93 |
{
|
|
Packit |
aea12f |
int ret;
|
|
Packit |
aea12f |
|
|
Packit Service |
991b93 |
if (username == NULL || username->data == NULL || key == NULL || key->data == NULL) {
|
|
Packit |
aea12f |
gnutls_assert();
|
|
Packit |
aea12f |
return GNUTLS_E_INVALID_REQUEST;
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
ret =
|
|
Packit Service |
991b93 |
_gnutls_set_datum(&res->username, username->data, username->size);
|
|
Packit |
aea12f |
if (ret < 0)
|
|
Packit |
aea12f |
return ret;
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
if (flags == GNUTLS_PSK_KEY_RAW) {
|
|
Packit |
aea12f |
if (_gnutls_set_datum(&res->key, key->data, key->size) < 0) {
|
|
Packit |
aea12f |
gnutls_assert();
|
|
Packit |
aea12f |
ret = GNUTLS_E_MEMORY_ERROR;
|
|
Packit |
aea12f |
goto error;
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
} else { /* HEX key */
|
|
Packit |
aea12f |
size_t size;
|
|
Packit |
aea12f |
size = res->key.size = key->size / 2;
|
|
Packit |
aea12f |
res->key.data = gnutls_malloc(size);
|
|
Packit |
aea12f |
if (res->key.data == NULL) {
|
|
Packit |
aea12f |
gnutls_assert();
|
|
Packit |
aea12f |
ret = GNUTLS_E_MEMORY_ERROR;
|
|
Packit |
aea12f |
goto error;
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
ret =
|
|
Packit |
aea12f |
gnutls_hex_decode(key, (char *) res->key.data, &size);
|
|
Packit |
aea12f |
res->key.size = (unsigned int) size;
|
|
Packit |
aea12f |
if (ret < 0) {
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
gnutls_assert();
|
|
Packit |
aea12f |
goto error;
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
if (size < 4) {
|
|
Packit |
aea12f |
gnutls_assert();
|
|
Packit |
aea12f |
ret = GNUTLS_E_INVALID_REQUEST;
|
|
Packit |
aea12f |
goto error;
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
return 0;
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
error:
|
|
Packit |
aea12f |
_gnutls_free_datum(&res->username);
|
|
Packit |
aea12f |
_gnutls_free_datum(&res->key);
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
return ret;
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
/**
|
|
Packit |
aea12f |
* gnutls_psk_free_server_credentials:
|
|
Packit |
aea12f |
* @sc: is a #gnutls_psk_server_credentials_t type.
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
* Free a gnutls_psk_server_credentials_t structure.
|
|
Packit |
aea12f |
**/
|
|
Packit |
aea12f |
void gnutls_psk_free_server_credentials(gnutls_psk_server_credentials_t sc)
|
|
Packit |
aea12f |
{
|
|
Packit |
aea12f |
if (sc->deinit_dh_params) {
|
|
Packit |
aea12f |
gnutls_dh_params_deinit(sc->dh_params);
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
gnutls_free(sc->password_file);
|
|
Packit |
aea12f |
gnutls_free(sc->hint);
|
|
Packit |
aea12f |
gnutls_free(sc);
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
/**
|
|
Packit |
aea12f |
* gnutls_psk_allocate_server_credentials:
|
|
Packit |
aea12f |
* @sc: is a pointer to a #gnutls_psk_server_credentials_t type.
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
* Allocate a gnutls_psk_server_credentials_t structure.
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise
|
|
Packit |
aea12f |
* an error code is returned.
|
|
Packit |
aea12f |
**/
|
|
Packit |
aea12f |
int
|
|
Packit |
aea12f |
gnutls_psk_allocate_server_credentials(gnutls_psk_server_credentials_t *
|
|
Packit |
aea12f |
sc)
|
|
Packit |
aea12f |
{
|
|
Packit |
aea12f |
*sc = gnutls_calloc(1, sizeof(psk_server_cred_st));
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
if (*sc == NULL)
|
|
Packit |
aea12f |
return GNUTLS_E_MEMORY_ERROR;
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
/* TLS 1.3 - Default binder HMAC algorithm is SHA-256 */
|
|
Packit |
aea12f |
(*sc)->binder_algo = _gnutls_mac_to_entry(GNUTLS_MAC_SHA256);
|
|
Packit |
aea12f |
return 0;
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
/**
|
|
Packit |
aea12f |
* gnutls_psk_set_server_credentials_file:
|
|
Packit |
aea12f |
* @res: is a #gnutls_psk_server_credentials_t type.
|
|
Packit |
aea12f |
* @password_file: is the PSK password file (passwd.psk)
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
* This function sets the password file, in a
|
|
Packit |
aea12f |
* #gnutls_psk_server_credentials_t type. This password file
|
|
Packit |
aea12f |
* holds usernames and keys and will be used for PSK authentication.
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise
|
|
Packit |
aea12f |
* an error code is returned.
|
|
Packit |
aea12f |
**/
|
|
Packit |
aea12f |
int
|
|
Packit |
aea12f |
gnutls_psk_set_server_credentials_file(gnutls_psk_server_credentials_t
|
|
Packit |
aea12f |
res, const char *password_file)
|
|
Packit |
aea12f |
{
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
if (password_file == NULL) {
|
|
Packit |
aea12f |
gnutls_assert();
|
|
Packit |
aea12f |
return GNUTLS_E_INVALID_REQUEST;
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
/* Check if the files can be opened */
|
|
Packit |
aea12f |
if (_gnutls_file_exists(password_file) != 0) {
|
|
Packit |
aea12f |
gnutls_assert();
|
|
Packit |
aea12f |
return GNUTLS_E_FILE_ERROR;
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
res->password_file = gnutls_strdup(password_file);
|
|
Packit |
aea12f |
if (res->password_file == NULL) {
|
|
Packit |
aea12f |
gnutls_assert();
|
|
Packit |
aea12f |
return GNUTLS_E_MEMORY_ERROR;
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
return 0;
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
/**
|
|
Packit |
aea12f |
* gnutls_psk_set_server_credentials_hint:
|
|
Packit |
aea12f |
* @res: is a #gnutls_psk_server_credentials_t type.
|
|
Packit |
aea12f |
* @hint: is the PSK identity hint string
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
* This function sets the identity hint, in a
|
|
Packit |
aea12f |
* #gnutls_psk_server_credentials_t type. This hint is sent to
|
|
Packit |
aea12f |
* the client to help it chose a good PSK credential (i.e., username
|
|
Packit |
aea12f |
* and password).
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise
|
|
Packit |
aea12f |
* an error code is returned.
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
* Since: 2.4.0
|
|
Packit |
aea12f |
**/
|
|
Packit |
aea12f |
int
|
|
Packit |
aea12f |
gnutls_psk_set_server_credentials_hint(gnutls_psk_server_credentials_t res,
|
|
Packit |
aea12f |
const char *hint)
|
|
Packit |
aea12f |
{
|
|
Packit |
aea12f |
res->hint = gnutls_strdup(hint);
|
|
Packit |
aea12f |
if (res->hint == NULL) {
|
|
Packit |
aea12f |
gnutls_assert();
|
|
Packit |
aea12f |
return GNUTLS_E_MEMORY_ERROR;
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
return 0;
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit Service |
991b93 |
static int call_server_callback_legacy(gnutls_session_t session,
|
|
Packit Service |
991b93 |
const gnutls_datum_t *username,
|
|
Packit Service |
991b93 |
gnutls_datum_t *key)
|
|
Packit Service |
991b93 |
{
|
|
Packit Service |
991b93 |
gnutls_psk_server_credentials_t cred =
|
|
Packit Service |
991b93 |
(gnutls_psk_server_credentials_t)
|
|
Packit Service |
991b93 |
_gnutls_get_cred(session, GNUTLS_CRD_PSK);
|
|
Packit Service |
991b93 |
if (unlikely(cred == NULL))
|
|
Packit Service |
991b93 |
return gnutls_assert_val(-1);
|
|
Packit Service |
991b93 |
|
|
Packit Service |
991b93 |
return cred->pwd_callback_legacy(session, (const char *) username->data, key);
|
|
Packit Service |
991b93 |
}
|
|
Packit Service |
991b93 |
|
|
Packit |
aea12f |
/**
|
|
Packit |
aea12f |
* gnutls_psk_set_server_credentials_function:
|
|
Packit |
aea12f |
* @cred: is a #gnutls_psk_server_credentials_t type.
|
|
Packit |
aea12f |
* @func: is the callback function
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
* This function can be used to set a callback to retrieve the user's PSK credentials.
|
|
Packit |
aea12f |
* The callback's function form is:
|
|
Packit |
aea12f |
* int (*callback)(gnutls_session_t, const char* username,
|
|
Packit |
aea12f |
* gnutls_datum_t* key);
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
* @username contains the actual username.
|
|
Packit |
aea12f |
* The @key must be filled in using the gnutls_malloc().
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
* In case the callback returned a negative number then gnutls will
|
|
Packit |
aea12f |
* assume that the username does not exist.
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
* The callback function will only be called once per handshake. The
|
|
Packit |
aea12f |
* callback function should return 0 on success, while -1 indicates
|
|
Packit |
aea12f |
* an error.
|
|
Packit |
aea12f |
**/
|
|
Packit |
aea12f |
void
|
|
Packit |
aea12f |
gnutls_psk_set_server_credentials_function(gnutls_psk_server_credentials_t
|
|
Packit |
aea12f |
cred,
|
|
Packit |
aea12f |
gnutls_psk_server_credentials_function
|
|
Packit |
aea12f |
* func)
|
|
Packit |
aea12f |
{
|
|
Packit Service |
991b93 |
cred->pwd_callback_legacy = func;
|
|
Packit Service |
991b93 |
cred->pwd_callback = call_server_callback_legacy;
|
|
Packit Service |
991b93 |
}
|
|
Packit Service |
991b93 |
|
|
Packit Service |
991b93 |
/**
|
|
Packit Service |
991b93 |
* gnutls_psk_set_server_credentials_function2:
|
|
Packit Service |
991b93 |
* @cred: is a #gnutls_psk_server_credentials_t type.
|
|
Packit Service |
991b93 |
* @func: is the callback function
|
|
Packit Service |
991b93 |
*
|
|
Packit Service |
991b93 |
* This function can be used to set a callback to retrieve the user's PSK credentials.
|
|
Packit Service |
991b93 |
* The callback's function form is:
|
|
Packit Service |
991b93 |
* int (*callback)(gnutls_session_t, const gnutls_datum_t* username,
|
|
Packit Service |
991b93 |
* gnutls_datum_t* key);
|
|
Packit Service |
991b93 |
*
|
|
Packit Service |
991b93 |
* This callback function has the same semantics as that of gnutls_psk_set_server_credentials_function(),
|
|
Packit Service |
991b93 |
* but it allows non-string usernames to be used.
|
|
Packit Service |
991b93 |
*
|
|
Packit Service |
991b93 |
* @username contains the actual username.
|
|
Packit Service |
991b93 |
* The @key must be filled in using the gnutls_malloc().
|
|
Packit Service |
991b93 |
*
|
|
Packit Service |
991b93 |
* In case the callback returned a negative number then gnutls will
|
|
Packit Service |
991b93 |
* assume that the username does not exist.
|
|
Packit Service |
991b93 |
*
|
|
Packit Service |
991b93 |
* The callback function will only be called once per handshake. The
|
|
Packit Service |
991b93 |
* callback function should return 0 on success, while -1 indicates
|
|
Packit Service |
991b93 |
* an error.
|
|
Packit Service |
991b93 |
**/
|
|
Packit Service |
991b93 |
void
|
|
Packit Service |
991b93 |
gnutls_psk_set_server_credentials_function2(gnutls_psk_server_credentials_t cred,
|
|
Packit Service |
991b93 |
gnutls_psk_server_credentials_function2 func)
|
|
Packit Service |
991b93 |
{
|
|
Packit |
aea12f |
cred->pwd_callback = func;
|
|
Packit Service |
991b93 |
cred->pwd_callback_legacy = NULL;
|
|
Packit Service |
991b93 |
}
|
|
Packit Service |
991b93 |
|
|
Packit Service |
991b93 |
static int call_client_callback_legacy(gnutls_session_t session,
|
|
Packit Service |
991b93 |
gnutls_datum_t *username,
|
|
Packit Service |
991b93 |
gnutls_datum_t *key)
|
|
Packit Service |
991b93 |
{
|
|
Packit Service |
991b93 |
int ret;
|
|
Packit Service |
991b93 |
char *user_p;
|
|
Packit Service |
991b93 |
gnutls_psk_client_credentials_t cred =
|
|
Packit Service |
991b93 |
(gnutls_psk_client_credentials_t)
|
|
Packit Service |
991b93 |
_gnutls_get_cred(session, GNUTLS_CRD_PSK);
|
|
Packit Service |
991b93 |
if (unlikely(cred == NULL))
|
|
Packit Service |
991b93 |
return gnutls_assert_val(-1);
|
|
Packit Service |
991b93 |
|
|
Packit Service |
991b93 |
|
|
Packit Service |
991b93 |
ret = cred->get_function_legacy(session, &user_p, key);
|
|
Packit Service |
991b93 |
|
|
Packit Service |
991b93 |
if (ret)
|
|
Packit Service |
991b93 |
goto end;
|
|
Packit Service |
991b93 |
|
|
Packit Service |
991b93 |
username->data = (uint8_t *) user_p;
|
|
Packit Service |
991b93 |
username->size = strlen(user_p);
|
|
Packit Service |
991b93 |
|
|
Packit Service |
991b93 |
end:
|
|
Packit Service |
991b93 |
return ret;
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
/**
|
|
Packit |
aea12f |
* gnutls_psk_set_client_credentials_function:
|
|
Packit |
aea12f |
* @cred: is a #gnutls_psk_server_credentials_t type.
|
|
Packit |
aea12f |
* @func: is the callback function
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
* This function can be used to set a callback to retrieve the username and
|
|
Packit |
aea12f |
* password for client PSK authentication.
|
|
Packit |
aea12f |
* The callback's function form is:
|
|
Packit |
aea12f |
* int (*callback)(gnutls_session_t, char** username,
|
|
Packit |
aea12f |
* gnutls_datum_t* key);
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
* The @username and @key->data must be allocated using gnutls_malloc().
|
|
Packit |
aea12f |
* The @username should be an ASCII string or UTF-8
|
|
Packit |
aea12f |
* string. In case of a UTF-8 string it is recommended to be following
|
|
Packit |
aea12f |
* the PRECIS framework for usernames (rfc8265).
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
* The callback function will be called once per handshake.
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
* The callback function should return 0 on success.
|
|
Packit |
aea12f |
* -1 indicates an error.
|
|
Packit |
aea12f |
**/
|
|
Packit |
aea12f |
void
|
|
Packit |
aea12f |
gnutls_psk_set_client_credentials_function(gnutls_psk_client_credentials_t
|
|
Packit |
aea12f |
cred,
|
|
Packit |
aea12f |
gnutls_psk_client_credentials_function
|
|
Packit |
aea12f |
* func)
|
|
Packit |
aea12f |
{
|
|
Packit Service |
991b93 |
cred->get_function = call_client_callback_legacy;
|
|
Packit Service |
991b93 |
cred->get_function_legacy = func;
|
|
Packit Service |
991b93 |
}
|
|
Packit Service |
991b93 |
|
|
Packit Service |
991b93 |
/**
|
|
Packit Service |
991b93 |
* gnutls_psk_set_client_credentials_function2:
|
|
Packit Service |
991b93 |
* @cred: is a #gnutls_psk_server_credentials_t type.
|
|
Packit Service |
991b93 |
* @func: is the callback function
|
|
Packit Service |
991b93 |
*
|
|
Packit Service |
991b93 |
* This function can be used to set a callback to retrieve the username and
|
|
Packit Service |
991b93 |
* password for client PSK authentication.
|
|
Packit Service |
991b93 |
* The callback's function form is:
|
|
Packit Service |
991b93 |
* int (*callback)(gnutls_session_t, gnutls_datum_t* username,
|
|
Packit Service |
991b93 |
* gnutls_datum_t* key);
|
|
Packit Service |
991b93 |
*
|
|
Packit Service |
991b93 |
* This callback function has the same semantics as that of gnutls_psk_set_client_credentials_function(),
|
|
Packit Service |
991b93 |
* but it allows non-string usernames to be used.
|
|
Packit Service |
991b93 |
*
|
|
Packit Service |
991b93 |
* The @username and @key->data must be allocated using gnutls_malloc().
|
|
Packit Service |
991b93 |
* The @username should be an ASCII string or UTF-8
|
|
Packit Service |
991b93 |
* string. In case of a UTF-8 string it is recommended to be following
|
|
Packit Service |
991b93 |
* the PRECIS framework for usernames (rfc8265).
|
|
Packit Service |
991b93 |
*
|
|
Packit Service |
991b93 |
* The callback function will be called once per handshake.
|
|
Packit Service |
991b93 |
*
|
|
Packit Service |
991b93 |
* The callback function should return 0 on success.
|
|
Packit Service |
991b93 |
* -1 indicates an error.
|
|
Packit Service |
991b93 |
**/
|
|
Packit Service |
991b93 |
void
|
|
Packit Service |
991b93 |
gnutls_psk_set_client_credentials_function2(gnutls_psk_client_credentials_t cred,
|
|
Packit Service |
991b93 |
gnutls_psk_client_credentials_function2 *func)
|
|
Packit Service |
991b93 |
{
|
|
Packit |
aea12f |
cred->get_function = func;
|
|
Packit Service |
991b93 |
cred->get_function_legacy = NULL;
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
/**
|
|
Packit |
aea12f |
* gnutls_psk_server_get_username:
|
|
Packit |
aea12f |
* @session: is a gnutls session
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
* This should only be called in case of PSK authentication and in
|
|
Packit |
aea12f |
* case of a server.
|
|
Packit |
aea12f |
*
|
|
Packit Service |
991b93 |
* The returned pointer should be considered constant (do not free) and valid
|
|
Packit Service |
991b93 |
* for the lifetime of the session.
|
|
Packit Service |
991b93 |
*
|
|
Packit Service |
991b93 |
* This function will return %NULL if the username has embedded NULL bytes.
|
|
Packit Service |
991b93 |
* In that case, gnutls_psk_server_get_username2() should be used to retrieve the username.
|
|
Packit Service |
991b93 |
*
|
|
Packit Service |
991b93 |
* Returns: the username of the peer, or %NULL in case of an error,
|
|
Packit Service |
991b93 |
* or if the username has embedded NULLs.
|
|
Packit |
aea12f |
**/
|
|
Packit |
aea12f |
const char *gnutls_psk_server_get_username(gnutls_session_t session)
|
|
Packit |
aea12f |
{
|
|
Packit |
aea12f |
psk_auth_info_t info;
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
CHECK_AUTH_TYPE(GNUTLS_CRD_PSK, NULL);
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
info = _gnutls_get_auth_info(session, GNUTLS_CRD_PSK);
|
|
Packit |
aea12f |
if (info == NULL)
|
|
Packit |
aea12f |
return NULL;
|
|
Packit |
aea12f |
|
|
Packit Service |
991b93 |
if (info->username[0] != 0 && !_gnutls_has_embedded_null(info->username, info->username_len))
|
|
Packit |
aea12f |
return info->username;
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
return NULL;
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
/**
|
|
Packit Service |
991b93 |
* gnutls_psk_server_get_username2:
|
|
Packit Service |
991b93 |
* @session: is a gnutls session
|
|
Packit Service |
991b93 |
* @username: a datum that will be filled in by this function
|
|
Packit Service |
991b93 |
*
|
|
Packit Service |
991b93 |
* Return a pointer to the username of the peer in the supplied datum. Does not
|
|
Packit Service |
991b93 |
* need to be null-terminated.
|
|
Packit Service |
991b93 |
*
|
|
Packit Service |
991b93 |
* This should only be called in case of PSK authentication and in
|
|
Packit Service |
991b93 |
* case of a server.
|
|
Packit Service |
991b93 |
*
|
|
Packit Service |
991b93 |
* The returned pointer should be considered constant (do not free) and valid
|
|
Packit Service |
991b93 |
* for the lifetime of the session.
|
|
Packit Service |
991b93 |
*
|
|
Packit Service |
991b93 |
* Returns: %GNUTLS_E_SUCCESS, or a negative value in case of an error.
|
|
Packit Service |
991b93 |
**/
|
|
Packit Service |
991b93 |
int gnutls_psk_server_get_username2(gnutls_session_t session, gnutls_datum_t *username)
|
|
Packit Service |
991b93 |
{
|
|
Packit Service |
991b93 |
psk_auth_info_t info;
|
|
Packit Service |
991b93 |
|
|
Packit Service |
991b93 |
CHECK_AUTH_TYPE(GNUTLS_CRD_PSK, GNUTLS_E_INVALID_REQUEST);
|
|
Packit Service |
991b93 |
|
|
Packit Service |
991b93 |
info = _gnutls_get_auth_info(session, GNUTLS_CRD_PSK);
|
|
Packit Service |
991b93 |
if (info == NULL)
|
|
Packit Service |
991b93 |
return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
|
|
Packit Service |
991b93 |
|
|
Packit Service |
991b93 |
if (info->username_len > 0) {
|
|
Packit Service |
991b93 |
username->data = (unsigned char *) info->username;
|
|
Packit Service |
991b93 |
username->size = info->username_len;
|
|
Packit Service |
991b93 |
return 0;
|
|
Packit Service |
991b93 |
}
|
|
Packit Service |
991b93 |
|
|
Packit Service |
991b93 |
return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
|
|
Packit Service |
991b93 |
}
|
|
Packit Service |
991b93 |
|
|
Packit Service |
991b93 |
/**
|
|
Packit |
aea12f |
* gnutls_psk_client_get_hint:
|
|
Packit |
aea12f |
* @session: is a gnutls session
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
* The PSK identity hint may give the client help in deciding which
|
|
Packit |
aea12f |
* username to use. This should only be called in case of PSK
|
|
Packit |
aea12f |
* authentication and in case of a client.
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
* Note: there is no hint in TLS 1.3, so this function will return %NULL
|
|
Packit |
aea12f |
* if TLS 1.3 has been negotiated.
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
* Returns: the identity hint of the peer, or %NULL in case of an error or if TLS 1.3 is being used.
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
* Since: 2.4.0
|
|
Packit |
aea12f |
**/
|
|
Packit |
aea12f |
const char *gnutls_psk_client_get_hint(gnutls_session_t session)
|
|
Packit |
aea12f |
{
|
|
Packit |
aea12f |
psk_auth_info_t info;
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
CHECK_AUTH_TYPE(GNUTLS_CRD_PSK, NULL);
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
info = _gnutls_get_auth_info(session, GNUTLS_CRD_PSK);
|
|
Packit |
aea12f |
if (info == NULL)
|
|
Packit |
aea12f |
return NULL;
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
if (info->hint[0] != 0)
|
|
Packit |
aea12f |
return info->hint;
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
return NULL;
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
/**
|
|
Packit |
aea12f |
* gnutls_psk_set_server_dh_params:
|
|
Packit |
aea12f |
* @res: is a gnutls_psk_server_credentials_t type
|
|
Packit |
aea12f |
* @dh_params: is a structure that holds Diffie-Hellman parameters.
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
* This function will set the Diffie-Hellman parameters for an
|
|
Packit |
aea12f |
* anonymous server to use. These parameters will be used in
|
|
Packit |
aea12f |
* Diffie-Hellman exchange with PSK cipher suites.
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
* Deprecated: This function is unnecessary and discouraged on GnuTLS 3.6.0
|
|
Packit |
aea12f |
* or later. Since 3.6.0, DH parameters are negotiated
|
|
Packit |
aea12f |
* following RFC7919.
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
**/
|
|
Packit |
aea12f |
void
|
|
Packit |
aea12f |
gnutls_psk_set_server_dh_params(gnutls_psk_server_credentials_t res,
|
|
Packit |
aea12f |
gnutls_dh_params_t dh_params)
|
|
Packit |
aea12f |
{
|
|
Packit |
aea12f |
if (res->deinit_dh_params) {
|
|
Packit |
aea12f |
res->deinit_dh_params = 0;
|
|
Packit |
aea12f |
gnutls_dh_params_deinit(res->dh_params);
|
|
Packit |
aea12f |
res->dh_params = NULL;
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
res->dh_params = dh_params;
|
|
Packit |
aea12f |
res->dh_sec_param = gnutls_pk_bits_to_sec_param(GNUTLS_PK_DH, _gnutls_mpi_get_nbits(dh_params->params[0]));
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
/**
|
|
Packit |
aea12f |
* gnutls_psk_set_server_known_dh_params:
|
|
Packit |
aea12f |
* @res: is a gnutls_psk_server_credentials_t type
|
|
Packit |
aea12f |
* @sec_param: is an option of the %gnutls_sec_param_t enumeration
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
* This function will set the Diffie-Hellman parameters for a
|
|
Packit |
aea12f |
* PSK server to use. These parameters will be used in
|
|
Packit |
aea12f |
* Ephemeral Diffie-Hellman cipher suites and will be selected from
|
|
Packit |
aea12f |
* the FFDHE set of RFC7919 according to the security level provided.
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
* Deprecated: This function is unnecessary and discouraged on GnuTLS 3.6.0
|
|
Packit |
aea12f |
* or later. Since 3.6.0, DH parameters are negotiated
|
|
Packit |
aea12f |
* following RFC7919.
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
|
|
Packit |
aea12f |
* negative error value.
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
* Since: 3.5.6
|
|
Packit |
aea12f |
**/
|
|
Packit |
aea12f |
int
|
|
Packit |
aea12f |
gnutls_psk_set_server_known_dh_params(gnutls_psk_server_credentials_t res,
|
|
Packit |
aea12f |
gnutls_sec_param_t sec_param)
|
|
Packit |
aea12f |
{
|
|
Packit |
aea12f |
res->dh_sec_param = sec_param;
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
return 0;
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
/**
|
|
Packit |
aea12f |
* gnutls_psk_set_server_params_function:
|
|
Packit |
aea12f |
* @res: is a #gnutls_certificate_credentials_t type
|
|
Packit |
aea12f |
* @func: is the function to be called
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
* This function will set a callback in order for the server to get
|
|
Packit |
aea12f |
* the Diffie-Hellman parameters for PSK authentication. The callback
|
|
Packit |
aea12f |
* should return %GNUTLS_E_SUCCESS (0) on success.
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
* Deprecated: This function is unnecessary and discouraged on GnuTLS 3.6.0
|
|
Packit |
aea12f |
* or later. Since 3.6.0, DH parameters are negotiated
|
|
Packit |
aea12f |
* following RFC7919.
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
**/
|
|
Packit |
aea12f |
void
|
|
Packit |
aea12f |
gnutls_psk_set_server_params_function(gnutls_psk_server_credentials_t res,
|
|
Packit |
aea12f |
gnutls_params_function * func)
|
|
Packit |
aea12f |
{
|
|
Packit |
aea12f |
res->params_func = func;
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
/**
|
|
Packit |
aea12f |
* gnutls_psk_set_params_function:
|
|
Packit |
aea12f |
* @res: is a gnutls_psk_server_credentials_t type
|
|
Packit |
aea12f |
* @func: is the function to be called
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
* This function will set a callback in order for the server to get
|
|
Packit |
aea12f |
* the Diffie-Hellman or RSA parameters for PSK authentication. The
|
|
Packit |
aea12f |
* callback should return %GNUTLS_E_SUCCESS (0) on success.
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
* Deprecated: This function is unnecessary and discouraged on GnuTLS 3.6.0
|
|
Packit |
aea12f |
* or later. Since 3.6.0, DH parameters are negotiated
|
|
Packit |
aea12f |
* following RFC7919.
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
**/
|
|
Packit |
aea12f |
void
|
|
Packit |
aea12f |
gnutls_psk_set_params_function(gnutls_psk_server_credentials_t res,
|
|
Packit |
aea12f |
gnutls_params_function * func)
|
|
Packit |
aea12f |
{
|
|
Packit |
aea12f |
res->params_func = func;
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
#endif /* ENABLE_PSK */
|