Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright (C) 2005-2012 Free Software Foundation, Inc. |
3 | | * |
4 | | * Author: Nikos Mavrogiannopoulos |
5 | | * |
6 | | * This file is part of GnuTLS. |
7 | | * |
8 | | * The GnuTLS is free software; you can redistribute it and/or |
9 | | * modify it under the terms of the GNU Lesser General Public License |
10 | | * as published by the Free Software Foundation; either version 2.1 of |
11 | | * the License, or (at your option) any later version. |
12 | | * |
13 | | * This library is distributed in the hope that it will be useful, but |
14 | | * WITHOUT ANY WARRANTY; without even the implied warranty of |
15 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
16 | | * Lesser General Public License for more details. |
17 | | * |
18 | | * You should have received a copy of the GNU Lesser General Public License |
19 | | * along with this program. If not, see <https://www.gnu.org/licenses/> |
20 | | * |
21 | | */ |
22 | | |
23 | | /* Functions for manipulating the PSK credentials. */ |
24 | | |
25 | | #include "gnutls_int.h" |
26 | | #include "errors.h" |
27 | | #include "str.h" |
28 | | #include "auth/psk.h" |
29 | | #include "state.h" |
30 | | |
31 | | #ifdef ENABLE_PSK |
32 | | |
33 | | #include "auth/psk_passwd.h" |
34 | | #include "num.h" |
35 | | #include "file.h" |
36 | | #include "datum.h" |
37 | | #include "debug.h" |
38 | | #include "dh.h" |
39 | | |
40 | | /** |
41 | | * gnutls_psk_free_client_credentials: |
42 | | * @sc: is a #gnutls_psk_client_credentials_t type. |
43 | | * |
44 | | * Free a gnutls_psk_client_credentials_t structure. |
45 | | **/ |
46 | | void gnutls_psk_free_client_credentials(gnutls_psk_client_credentials_t sc) |
47 | 0 | { |
48 | 0 | _gnutls_free_datum(&sc->username); |
49 | 0 | _gnutls_free_datum(&sc->key); |
50 | 0 | gnutls_free(sc); |
51 | 0 | } |
52 | | |
53 | | /** |
54 | | * gnutls_psk_allocate_client_credentials: |
55 | | * @sc: is a pointer to a #gnutls_psk_client_credentials_t type. |
56 | | * |
57 | | * Allocate a gnutls_psk_client_credentials_t structure. |
58 | | * |
59 | | * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise |
60 | | * an error code is returned. |
61 | | **/ |
62 | | int gnutls_psk_allocate_client_credentials(gnutls_psk_client_credentials_t *sc) |
63 | 0 | { |
64 | 0 | *sc = gnutls_calloc(1, sizeof(psk_client_credentials_st)); |
65 | |
|
66 | 0 | if (*sc == NULL) |
67 | 0 | return GNUTLS_E_MEMORY_ERROR; |
68 | | |
69 | | /* TLS 1.3 - Default binder HMAC algorithm is SHA-256 */ |
70 | 0 | (*sc)->binder_algo = _gnutls_mac_to_entry(GNUTLS_MAC_SHA256); |
71 | 0 | return 0; |
72 | 0 | } |
73 | | |
74 | | /** |
75 | | * gnutls_psk_set_client_credentials: |
76 | | * @res: is a #gnutls_psk_client_credentials_t type. |
77 | | * @username: is the user's zero-terminated userid |
78 | | * @key: is the user's key |
79 | | * @flags: indicate the format of the key, either |
80 | | * %GNUTLS_PSK_KEY_RAW or %GNUTLS_PSK_KEY_HEX. |
81 | | * |
82 | | * This function sets the username and password, in a |
83 | | * gnutls_psk_client_credentials_t type. Those will be used in |
84 | | * PSK authentication. @username should be an ASCII string or UTF-8 |
85 | | * string. In case of a UTF-8 string it is recommended to be following |
86 | | * the PRECIS framework for usernames (rfc8265). The key can be either |
87 | | * in raw byte format or in Hex format (without the 0x prefix). |
88 | | * |
89 | | * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise |
90 | | * an error code is returned. |
91 | | **/ |
92 | | int gnutls_psk_set_client_credentials(gnutls_psk_client_credentials_t res, |
93 | | const char *username, |
94 | | const gnutls_datum_t *key, |
95 | | gnutls_psk_key_flags flags) |
96 | 0 | { |
97 | 0 | gnutls_datum_t dat; |
98 | |
|
99 | 0 | if (username == NULL) |
100 | 0 | return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); |
101 | | |
102 | 0 | dat.data = (unsigned char *)username; |
103 | 0 | dat.size = strlen(username); |
104 | |
|
105 | 0 | return gnutls_psk_set_client_credentials2(res, &dat, key, flags); |
106 | 0 | } |
107 | | |
108 | | /** |
109 | | * gnutls_psk_set_client_credentials2: |
110 | | * @res: is a #gnutls_psk_client_credentials_t type. |
111 | | * @username: is the userid |
112 | | * @key: is the user's key |
113 | | * @flags: indicate the format of the key, either |
114 | | * %GNUTLS_PSK_KEY_RAW or %GNUTLS_PSK_KEY_HEX. |
115 | | * |
116 | | * This function is identical to gnutls_psk_set_client_credentials(), |
117 | | * except that it allows a non-null-terminated username to be introduced. |
118 | | * |
119 | | * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise |
120 | | * an error code is returned. |
121 | | */ |
122 | | int gnutls_psk_set_client_credentials2(gnutls_psk_client_credentials_t res, |
123 | | const gnutls_datum_t *username, |
124 | | const gnutls_datum_t *key, |
125 | | gnutls_psk_key_flags flags) |
126 | 0 | { |
127 | 0 | int ret; |
128 | |
|
129 | 0 | if (username == NULL || username->data == NULL || key == NULL || |
130 | 0 | key->data == NULL) { |
131 | 0 | gnutls_assert(); |
132 | 0 | return GNUTLS_E_INVALID_REQUEST; |
133 | 0 | } |
134 | | |
135 | 0 | ret = _gnutls_set_datum(&res->username, username->data, username->size); |
136 | 0 | if (ret < 0) |
137 | 0 | return ret; |
138 | | |
139 | 0 | if (flags == GNUTLS_PSK_KEY_RAW) { |
140 | 0 | if (_gnutls_set_datum(&res->key, key->data, key->size) < 0) { |
141 | 0 | gnutls_assert(); |
142 | 0 | ret = GNUTLS_E_MEMORY_ERROR; |
143 | 0 | goto error; |
144 | 0 | } |
145 | 0 | } else { /* HEX key */ |
146 | 0 | size_t size; |
147 | 0 | size = res->key.size = key->size / 2; |
148 | 0 | res->key.data = gnutls_malloc(size); |
149 | 0 | if (res->key.data == NULL) { |
150 | 0 | gnutls_assert(); |
151 | 0 | ret = GNUTLS_E_MEMORY_ERROR; |
152 | 0 | goto error; |
153 | 0 | } |
154 | | |
155 | 0 | ret = gnutls_hex_decode(key, (char *)res->key.data, &size); |
156 | 0 | res->key.size = (unsigned int)size; |
157 | 0 | if (ret < 0) { |
158 | 0 | gnutls_assert(); |
159 | 0 | goto error; |
160 | 0 | } |
161 | | |
162 | 0 | if (size < 4) { |
163 | 0 | gnutls_assert(); |
164 | 0 | ret = GNUTLS_E_INVALID_REQUEST; |
165 | 0 | goto error; |
166 | 0 | } |
167 | 0 | } |
168 | | |
169 | 0 | return 0; |
170 | | |
171 | 0 | error: |
172 | 0 | _gnutls_free_datum(&res->username); |
173 | 0 | _gnutls_free_datum(&res->key); |
174 | |
|
175 | 0 | return ret; |
176 | 0 | } |
177 | | |
178 | | /** |
179 | | * gnutls_psk_free_server_credentials: |
180 | | * @sc: is a #gnutls_psk_server_credentials_t type. |
181 | | * |
182 | | * Free a gnutls_psk_server_credentials_t structure. |
183 | | **/ |
184 | | void gnutls_psk_free_server_credentials(gnutls_psk_server_credentials_t sc) |
185 | 0 | { |
186 | 0 | if (sc->deinit_dh_params) { |
187 | 0 | gnutls_dh_params_deinit(sc->dh_params); |
188 | 0 | } |
189 | |
|
190 | 0 | gnutls_free(sc->password_file); |
191 | 0 | gnutls_free(sc->hint); |
192 | 0 | gnutls_free(sc); |
193 | 0 | } |
194 | | |
195 | | /** |
196 | | * gnutls_psk_allocate_server_credentials: |
197 | | * @sc: is a pointer to a #gnutls_psk_server_credentials_t type. |
198 | | * |
199 | | * Allocate a gnutls_psk_server_credentials_t structure. |
200 | | * |
201 | | * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise |
202 | | * an error code is returned. |
203 | | **/ |
204 | | int gnutls_psk_allocate_server_credentials(gnutls_psk_server_credentials_t *sc) |
205 | 0 | { |
206 | 0 | *sc = gnutls_calloc(1, sizeof(psk_server_cred_st)); |
207 | |
|
208 | 0 | if (*sc == NULL) |
209 | 0 | return GNUTLS_E_MEMORY_ERROR; |
210 | | |
211 | | /* TLS 1.3 - Default binder HMAC algorithm is SHA-256 */ |
212 | 0 | (*sc)->binder_algo = _gnutls_mac_to_entry(GNUTLS_MAC_SHA256); |
213 | 0 | return 0; |
214 | 0 | } |
215 | | |
216 | | /** |
217 | | * gnutls_psk_set_server_credentials_file: |
218 | | * @res: is a #gnutls_psk_server_credentials_t type. |
219 | | * @password_file: is the PSK password file (passwd.psk) |
220 | | * |
221 | | * This function sets the password file, in a |
222 | | * #gnutls_psk_server_credentials_t type. This password file |
223 | | * holds usernames and keys and will be used for PSK authentication. |
224 | | * |
225 | | * Each entry in the file consists of a username, followed by a colon |
226 | | * (':') and a hex-encoded key. If the username contains a colon or |
227 | | * any other special character, it can be hex-encoded preceded by a |
228 | | * '#'. |
229 | | * |
230 | | * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise |
231 | | * an error code is returned. |
232 | | **/ |
233 | | int gnutls_psk_set_server_credentials_file(gnutls_psk_server_credentials_t res, |
234 | | const char *password_file) |
235 | 0 | { |
236 | 0 | if (password_file == NULL) { |
237 | 0 | gnutls_assert(); |
238 | 0 | return GNUTLS_E_INVALID_REQUEST; |
239 | 0 | } |
240 | | |
241 | | /* Check if the files can be opened */ |
242 | 0 | if (_gnutls_file_exists(password_file) != 0) { |
243 | 0 | gnutls_assert(); |
244 | 0 | return GNUTLS_E_FILE_ERROR; |
245 | 0 | } |
246 | | |
247 | 0 | res->password_file = gnutls_strdup(password_file); |
248 | 0 | if (res->password_file == NULL) { |
249 | 0 | gnutls_assert(); |
250 | 0 | return GNUTLS_E_MEMORY_ERROR; |
251 | 0 | } |
252 | | |
253 | 0 | return 0; |
254 | 0 | } |
255 | | |
256 | | /** |
257 | | * gnutls_psk_set_server_credentials_hint: |
258 | | * @res: is a #gnutls_psk_server_credentials_t type. |
259 | | * @hint: is the PSK identity hint string |
260 | | * |
261 | | * This function sets the identity hint, in a |
262 | | * #gnutls_psk_server_credentials_t type. This hint is sent to |
263 | | * the client to help it chose a good PSK credential (i.e., username |
264 | | * and password). |
265 | | * |
266 | | * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise |
267 | | * an error code is returned. |
268 | | * |
269 | | * Since: 2.4.0 |
270 | | **/ |
271 | | int gnutls_psk_set_server_credentials_hint(gnutls_psk_server_credentials_t res, |
272 | | const char *hint) |
273 | 0 | { |
274 | 0 | res->hint = gnutls_strdup(hint); |
275 | 0 | if (res->hint == NULL) { |
276 | 0 | gnutls_assert(); |
277 | 0 | return GNUTLS_E_MEMORY_ERROR; |
278 | 0 | } |
279 | | |
280 | 0 | return 0; |
281 | 0 | } |
282 | | |
283 | | static int call_server_callback1(gnutls_session_t session, |
284 | | const gnutls_datum_t *username, |
285 | | gnutls_datum_t *key) |
286 | 0 | { |
287 | 0 | gnutls_psk_server_credentials_t cred = |
288 | 0 | (gnutls_psk_server_credentials_t)_gnutls_get_cred( |
289 | 0 | session, GNUTLS_CRD_PSK); |
290 | 0 | if (unlikely(cred == NULL)) |
291 | 0 | return gnutls_assert_val(-1); |
292 | | |
293 | 0 | return cred->pwd_callback1(session, (const char *)username->data, key); |
294 | 0 | } |
295 | | |
296 | | static int call_server_callback2(gnutls_session_t session, |
297 | | const gnutls_datum_t *username, |
298 | | gnutls_datum_t *key, |
299 | | gnutls_psk_key_flags *flags) |
300 | 0 | { |
301 | 0 | gnutls_psk_server_credentials_t cred; |
302 | 0 | int ret; |
303 | |
|
304 | 0 | cred = (gnutls_psk_server_credentials_t)_gnutls_get_cred( |
305 | 0 | session, GNUTLS_CRD_PSK); |
306 | 0 | if (unlikely(cred == NULL)) |
307 | 0 | return gnutls_assert_val(-1); |
308 | | |
309 | 0 | ret = cred->pwd_callback2(session, username, key); |
310 | 0 | if (ret >= 0) { |
311 | 0 | if (flags) { |
312 | 0 | *flags = 0; |
313 | 0 | } |
314 | 0 | } |
315 | 0 | return ret; |
316 | 0 | } |
317 | | |
318 | | /** |
319 | | * gnutls_psk_set_server_credentials_function: |
320 | | * @cred: is a #gnutls_psk_server_credentials_t type. |
321 | | * @func: is the callback function |
322 | | * |
323 | | * This function can be used to set a callback to retrieve the user's PSK credentials. |
324 | | * The callback's function form is: |
325 | | * int (*callback)(gnutls_session_t, const char* username, |
326 | | * gnutls_datum_t* key); |
327 | | * |
328 | | * @username contains the actual username. |
329 | | * The @key must be filled in using the gnutls_malloc(). |
330 | | * |
331 | | * In case the callback returned a negative number then gnutls will |
332 | | * assume that the username does not exist. |
333 | | * |
334 | | * The callback function will only be called once per handshake. The |
335 | | * callback function should return 0 on success, while -1 indicates |
336 | | * an error. |
337 | | **/ |
338 | | void gnutls_psk_set_server_credentials_function( |
339 | | gnutls_psk_server_credentials_t cred, |
340 | | gnutls_psk_server_credentials_function *func) |
341 | 0 | { |
342 | 0 | cred->pwd_callback1 = func; |
343 | 0 | cred->pwd_callback2 = call_server_callback1; |
344 | 0 | cred->pwd_callback = call_server_callback2; |
345 | 0 | } |
346 | | |
347 | | /** |
348 | | * gnutls_psk_set_server_credentials_function2: |
349 | | * @cred: is a #gnutls_psk_server_credentials_t type. |
350 | | * @func: is the callback function |
351 | | * |
352 | | * This function can be used to set a callback to retrieve the user's PSK credentials. |
353 | | * The callback's function form is: |
354 | | * int (*callback)(gnutls_session_t, const gnutls_datum_t* username, |
355 | | * gnutls_datum_t* key); |
356 | | * |
357 | | * This callback function has the same semantics as that of gnutls_psk_set_server_credentials_function(), |
358 | | * but it allows non-string usernames to be used. |
359 | | * |
360 | | * @username contains the actual username. |
361 | | * The @key must be filled in using the gnutls_malloc(). |
362 | | * |
363 | | * In case the callback returned a negative number then gnutls will |
364 | | * assume that the username does not exist. |
365 | | * |
366 | | * The callback function will only be called once per handshake. The |
367 | | * callback function should return 0 on success, while -1 indicates |
368 | | * an error. |
369 | | **/ |
370 | | void gnutls_psk_set_server_credentials_function2( |
371 | | gnutls_psk_server_credentials_t cred, |
372 | | gnutls_psk_server_credentials_function2 func) |
373 | 0 | { |
374 | 0 | cred->pwd_callback1 = NULL; |
375 | 0 | cred->pwd_callback2 = func; |
376 | 0 | cred->pwd_callback = call_server_callback2; |
377 | 0 | } |
378 | | |
379 | | /** |
380 | | * gnutls_psk_set_server_credentials_function3: |
381 | | * @cred: is a #gnutls_psk_server_credentials_t type. |
382 | | * @func: is the callback function |
383 | | * |
384 | | * This function can be used to set a callback to retrieve the user's PSK credentials. |
385 | | * The callback's function form is: |
386 | | * int (*callback)(gnutls_session_t, const gnutls_datum_t* username, |
387 | | * gnutls_datum_t* key, gnutls_psk_key_flags *flags); |
388 | | * |
389 | | * This callback function has the same semantics as that of |
390 | | * gnutls_psk_set_server_credentials_function2(), but it returns flags |
391 | | * associated with the key. The callback may import external PSK |
392 | | * using the method described in RFC 9258 by using |
393 | | * gnutls_psk_format_imported_identity(). |
394 | | * |
395 | | * @username contains the actual username. |
396 | | * The @key must be filled in using the gnutls_malloc(). |
397 | | * |
398 | | * In case the callback returned a negative number then gnutls will |
399 | | * assume that the username does not exist. |
400 | | * |
401 | | * The callback function will only be called once per handshake. The |
402 | | * callback function should return 0 on success, while -1 indicates |
403 | | * an error. |
404 | | **/ |
405 | | void gnutls_psk_set_server_credentials_function3( |
406 | | gnutls_psk_server_credentials_t cred, |
407 | | gnutls_psk_server_credentials_function3 func) |
408 | 0 | { |
409 | 0 | cred->pwd_callback1 = NULL; |
410 | 0 | cred->pwd_callback2 = NULL; |
411 | 0 | cred->pwd_callback = func; |
412 | 0 | } |
413 | | |
414 | | static int call_client_callback1(gnutls_session_t session, |
415 | | gnutls_datum_t *username, gnutls_datum_t *key) |
416 | 0 | { |
417 | 0 | gnutls_psk_client_credentials_t cred; |
418 | 0 | int ret; |
419 | 0 | char *user_p; |
420 | |
|
421 | 0 | cred = (gnutls_psk_client_credentials_t)_gnutls_get_cred( |
422 | 0 | session, GNUTLS_CRD_PSK); |
423 | 0 | if (unlikely(cred == NULL)) |
424 | 0 | return gnutls_assert_val(-1); |
425 | | |
426 | 0 | ret = cred->get_function1(session, &user_p, key); |
427 | 0 | if (ret >= 0) { |
428 | 0 | username->data = (uint8_t *)user_p; |
429 | 0 | username->size = strlen(user_p); |
430 | 0 | } |
431 | |
|
432 | 0 | return ret; |
433 | 0 | } |
434 | | |
435 | | static int call_client_callback2(gnutls_session_t session, |
436 | | gnutls_datum_t *username, gnutls_datum_t *key, |
437 | | gnutls_psk_key_flags *flags) |
438 | 0 | { |
439 | 0 | gnutls_psk_client_credentials_t cred; |
440 | 0 | int ret; |
441 | |
|
442 | 0 | cred = (gnutls_psk_client_credentials_t)_gnutls_get_cred( |
443 | 0 | session, GNUTLS_CRD_PSK); |
444 | 0 | if (unlikely(cred == NULL)) |
445 | 0 | return gnutls_assert_val(-1); |
446 | | |
447 | 0 | ret = cred->get_function2(session, username, key); |
448 | 0 | if (ret < 0) { |
449 | 0 | return ret; |
450 | 0 | } |
451 | | |
452 | 0 | if (flags) { |
453 | 0 | *flags = 0; |
454 | 0 | } |
455 | |
|
456 | 0 | return ret; |
457 | 0 | } |
458 | | |
459 | | /** |
460 | | * gnutls_psk_set_client_credentials_function: |
461 | | * @cred: is a #gnutls_psk_server_credentials_t type. |
462 | | * @func: is the callback function |
463 | | * |
464 | | * This function can be used to set a callback to retrieve the username and |
465 | | * password for client PSK authentication. |
466 | | * The callback's function form is: |
467 | | * int (*callback)(gnutls_session_t, char** username, |
468 | | * gnutls_datum_t* key); |
469 | | * |
470 | | * The @username and @key->data must be allocated using gnutls_malloc(). |
471 | | * The @username should be an ASCII string or UTF-8 |
472 | | * string. In case of a UTF-8 string it is recommended to be following |
473 | | * the PRECIS framework for usernames (rfc8265). |
474 | | * |
475 | | * The callback function will be called once per handshake. |
476 | | * |
477 | | * The callback function should return 0 on success. |
478 | | * -1 indicates an error. |
479 | | **/ |
480 | | void gnutls_psk_set_client_credentials_function( |
481 | | gnutls_psk_client_credentials_t cred, |
482 | | gnutls_psk_client_credentials_function *func) |
483 | 0 | { |
484 | 0 | cred->get_function1 = func; |
485 | 0 | cred->get_function2 = call_client_callback1; |
486 | 0 | cred->get_function = call_client_callback2; |
487 | 0 | } |
488 | | |
489 | | /** |
490 | | * gnutls_psk_set_client_credentials_function2: |
491 | | * @cred: is a #gnutls_psk_server_credentials_t type. |
492 | | * @func: is the callback function |
493 | | * |
494 | | * This function can be used to set a callback to retrieve the username and |
495 | | * password for client PSK authentication. |
496 | | * The callback's function form is: |
497 | | * int (*callback)(gnutls_session_t, gnutls_datum_t* username, |
498 | | * gnutls_datum_t* key); |
499 | | * |
500 | | * This callback function has the same semantics as that of gnutls_psk_set_client_credentials_function(), |
501 | | * but it allows non-string usernames to be used. |
502 | | * |
503 | | * The @username and @key->data must be allocated using gnutls_malloc(). |
504 | | * The @username should be an ASCII string or UTF-8 |
505 | | * string. In case of a UTF-8 string it is recommended to be following |
506 | | * the PRECIS framework for usernames (rfc8265). |
507 | | * |
508 | | * The callback function will be called once per handshake. |
509 | | * |
510 | | * The callback function should return 0 on success. |
511 | | * -1 indicates an error. |
512 | | **/ |
513 | | void gnutls_psk_set_client_credentials_function2( |
514 | | gnutls_psk_client_credentials_t cred, |
515 | | gnutls_psk_client_credentials_function2 *func) |
516 | 0 | { |
517 | 0 | cred->get_function1 = NULL; |
518 | 0 | cred->get_function2 = func; |
519 | 0 | cred->get_function = call_client_callback2; |
520 | 0 | } |
521 | | |
522 | | /** |
523 | | * gnutls_psk_set_client_credentials_function3: |
524 | | * @cred: is a #gnutls_psk_server_credentials_t type. |
525 | | * @func: is the callback function |
526 | | * |
527 | | * This function can be used to set a callback to retrieve the username and |
528 | | * password for client PSK authentication. |
529 | | * The callback's function form is: |
530 | | * int (*callback)(gnutls_session_t, gnutls_datum_t* username, |
531 | | * gnutls_datum_t* key, gnutls_datum_t* context, gnutls_psk_key_flags *flags); |
532 | | * |
533 | | * This callback function has the same semantics as that of |
534 | | * gnutls_psk_set_client_credentials_function2(), but it returns flags |
535 | | * associated with the key. The callback may import external PSK |
536 | | * using the method described in RFC 9258 by using |
537 | | * gnutls_psk_format_imported_identity(). |
538 | | * |
539 | | * The data field of @username, @key, and @context must be allocated |
540 | | * using gnutls_malloc(). The @username should be an ASCII string or |
541 | | * UTF-8 string. In case of a UTF-8 string it is recommended to be |
542 | | * following the PRECIS framework for usernames (rfc8265). |
543 | | * |
544 | | * The callback function will be called once per handshake. |
545 | | * |
546 | | * The callback function should return 0 on success. |
547 | | * -1 indicates an error. |
548 | | **/ |
549 | | void gnutls_psk_set_client_credentials_function3( |
550 | | gnutls_psk_client_credentials_t cred, |
551 | | gnutls_psk_client_credentials_function3 *func) |
552 | 0 | { |
553 | 0 | cred->get_function1 = NULL; |
554 | 0 | cred->get_function2 = NULL; |
555 | 0 | cred->get_function = func; |
556 | 0 | } |
557 | | |
558 | | /** |
559 | | * gnutls_psk_server_get_username: |
560 | | * @session: is a gnutls session |
561 | | * |
562 | | * This should only be called in case of PSK authentication and in |
563 | | * case of a server. |
564 | | * |
565 | | * The returned pointer should be considered constant (do not free) and valid |
566 | | * for the lifetime of the session. |
567 | | * |
568 | | * This function will return %NULL if the username has embedded NULL bytes. |
569 | | * In that case, gnutls_psk_server_get_username2() should be used to retrieve the username. |
570 | | * |
571 | | * Returns: the username of the peer, or %NULL in case of an error, |
572 | | * or if the username has embedded NULLs. |
573 | | **/ |
574 | | const char *gnutls_psk_server_get_username(gnutls_session_t session) |
575 | 0 | { |
576 | 0 | psk_auth_info_t info; |
577 | |
|
578 | 0 | CHECK_AUTH_TYPE(GNUTLS_CRD_PSK, NULL); |
579 | |
|
580 | 0 | info = _gnutls_get_auth_info(session, GNUTLS_CRD_PSK); |
581 | 0 | if (info == NULL) |
582 | 0 | return NULL; |
583 | | |
584 | 0 | if (info->username && !memchr(info->username, '\0', info->username_len)) |
585 | 0 | return info->username; |
586 | | |
587 | 0 | return NULL; |
588 | 0 | } |
589 | | |
590 | | /** |
591 | | * gnutls_psk_server_get_username2: |
592 | | * @session: is a gnutls session |
593 | | * @username: a datum that will be filled in by this function |
594 | | * |
595 | | * Return a pointer to the username of the peer in the supplied datum. Does not |
596 | | * need to be null-terminated. |
597 | | * |
598 | | * This should only be called in case of PSK authentication and in |
599 | | * case of a server. |
600 | | * |
601 | | * The returned pointer should be considered constant (do not free) and valid |
602 | | * for the lifetime of the session. |
603 | | * |
604 | | * Returns: %GNUTLS_E_SUCCESS, or a negative value in case of an error. |
605 | | **/ |
606 | | int gnutls_psk_server_get_username2(gnutls_session_t session, |
607 | | gnutls_datum_t *username) |
608 | 0 | { |
609 | 0 | psk_auth_info_t info; |
610 | |
|
611 | 0 | CHECK_AUTH_TYPE(GNUTLS_CRD_PSK, GNUTLS_E_INVALID_REQUEST); |
612 | |
|
613 | 0 | info = _gnutls_get_auth_info(session, GNUTLS_CRD_PSK); |
614 | 0 | if (info == NULL) |
615 | 0 | return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; |
616 | | |
617 | 0 | if (info->username_len > 0) { |
618 | 0 | username->data = (unsigned char *)info->username; |
619 | 0 | username->size = info->username_len; |
620 | 0 | return 0; |
621 | 0 | } |
622 | | |
623 | 0 | return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; |
624 | 0 | } |
625 | | |
626 | | /** |
627 | | * gnutls_psk_client_get_hint: |
628 | | * @session: is a gnutls session |
629 | | * |
630 | | * The PSK identity hint may give the client help in deciding which |
631 | | * username to use. This should only be called in case of PSK |
632 | | * authentication and in case of a client. |
633 | | * |
634 | | * Note: there is no hint in TLS 1.3, so this function will return %NULL |
635 | | * if TLS 1.3 has been negotiated. |
636 | | * |
637 | | * Returns: the identity hint of the peer, or %NULL in case of an error or if TLS 1.3 is being used. |
638 | | * |
639 | | * Since: 2.4.0 |
640 | | **/ |
641 | | const char *gnutls_psk_client_get_hint(gnutls_session_t session) |
642 | 0 | { |
643 | 0 | psk_auth_info_t info; |
644 | |
|
645 | 0 | CHECK_AUTH_TYPE(GNUTLS_CRD_PSK, NULL); |
646 | |
|
647 | 0 | info = _gnutls_get_auth_info(session, GNUTLS_CRD_PSK); |
648 | 0 | return info ? info->hint : NULL; |
649 | 0 | } |
650 | | |
651 | | /** |
652 | | * gnutls_psk_set_server_dh_params: |
653 | | * @res: is a gnutls_psk_server_credentials_t type |
654 | | * @dh_params: is a structure that holds Diffie-Hellman parameters. |
655 | | * |
656 | | * This function will set the Diffie-Hellman parameters for an |
657 | | * anonymous server to use. These parameters will be used in |
658 | | * Diffie-Hellman exchange with PSK cipher suites. |
659 | | * |
660 | | * Deprecated: This function is unnecessary and discouraged on GnuTLS 3.6.0 |
661 | | * or later. Since 3.6.0, DH parameters are negotiated |
662 | | * following RFC7919. |
663 | | * |
664 | | **/ |
665 | | void gnutls_psk_set_server_dh_params(gnutls_psk_server_credentials_t res, |
666 | | gnutls_dh_params_t dh_params) |
667 | 0 | { |
668 | 0 | if (res->deinit_dh_params) { |
669 | 0 | res->deinit_dh_params = 0; |
670 | 0 | gnutls_dh_params_deinit(res->dh_params); |
671 | 0 | res->dh_params = NULL; |
672 | 0 | } |
673 | |
|
674 | 0 | res->dh_params = dh_params; |
675 | 0 | res->dh_sec_param = gnutls_pk_bits_to_sec_param( |
676 | 0 | GNUTLS_PK_DH, _gnutls_mpi_get_nbits(dh_params->params[0])); |
677 | 0 | } |
678 | | |
679 | | /** |
680 | | * gnutls_psk_set_server_known_dh_params: |
681 | | * @res: is a gnutls_psk_server_credentials_t type |
682 | | * @sec_param: is an option of the %gnutls_sec_param_t enumeration |
683 | | * |
684 | | * This function will set the Diffie-Hellman parameters for a |
685 | | * PSK server to use. These parameters will be used in |
686 | | * Ephemeral Diffie-Hellman cipher suites and will be selected from |
687 | | * the FFDHE set of RFC7919 according to the security level provided. |
688 | | * |
689 | | * Deprecated: This function is unnecessary and discouraged on GnuTLS 3.6.0 |
690 | | * or later. Since 3.6.0, DH parameters are negotiated |
691 | | * following RFC7919. |
692 | | * |
693 | | * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a |
694 | | * negative error value. |
695 | | * |
696 | | * Since: 3.5.6 |
697 | | **/ |
698 | | int gnutls_psk_set_server_known_dh_params(gnutls_psk_server_credentials_t res, |
699 | | gnutls_sec_param_t sec_param) |
700 | 0 | { |
701 | 0 | res->dh_sec_param = sec_param; |
702 | |
|
703 | 0 | return 0; |
704 | 0 | } |
705 | | |
706 | | /** |
707 | | * gnutls_psk_set_server_params_function: |
708 | | * @res: is a #gnutls_certificate_credentials_t type |
709 | | * @func: is the function to be called |
710 | | * |
711 | | * This function will set a callback in order for the server to get |
712 | | * the Diffie-Hellman parameters for PSK authentication. The callback |
713 | | * should return %GNUTLS_E_SUCCESS (0) on success. |
714 | | * |
715 | | * Deprecated: This function is unnecessary and discouraged on GnuTLS 3.6.0 |
716 | | * or later. Since 3.6.0, DH parameters are negotiated |
717 | | * following RFC7919. |
718 | | * |
719 | | **/ |
720 | | void gnutls_psk_set_server_params_function(gnutls_psk_server_credentials_t res, |
721 | | gnutls_params_function *func) |
722 | 0 | { |
723 | 0 | res->params_func = func; |
724 | 0 | } |
725 | | |
726 | | /** |
727 | | * gnutls_psk_set_params_function: |
728 | | * @res: is a gnutls_psk_server_credentials_t type |
729 | | * @func: is the function to be called |
730 | | * |
731 | | * This function will set a callback in order for the server to get |
732 | | * the Diffie-Hellman or RSA parameters for PSK authentication. The |
733 | | * callback should return %GNUTLS_E_SUCCESS (0) on success. |
734 | | * |
735 | | * Deprecated: This function is unnecessary and discouraged on GnuTLS 3.6.0 |
736 | | * or later. Since 3.6.0, DH parameters are negotiated |
737 | | * following RFC7919. |
738 | | * |
739 | | **/ |
740 | | void gnutls_psk_set_params_function(gnutls_psk_server_credentials_t res, |
741 | | gnutls_params_function *func) |
742 | 0 | { |
743 | 0 | res->params_func = func; |
744 | 0 | } |
745 | | |
746 | | #endif /* ENABLE_PSK */ |