2 * Copyright (C) 2001-2012 Free Software Foundation, Inc.
4 * Author: Nikos Mavrogiannopoulos
6 * This file is part of GnuTLS.
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
23 #include "gnutls_int.h"
24 #include "gnutls_errors.h"
25 #include "gnutls_auth.h"
26 #include "gnutls_auth.h"
27 #include "algorithms.h"
28 #include <auth/cert.h>
30 #include <auth/anon.h>
31 #include <gnutls_datum.h>
33 /* The functions here are used in order for authentication algorithms
34 * to be able to retrieve the needed credentials eg public and private
39 * gnutls_credentials_clear:
40 * @session: is a #gnutls_session_t structure.
42 * Clears all the credentials previously set in this session.
45 gnutls_credentials_clear (gnutls_session_t session
)
47 if (session
->key
.cred
)
48 { /* beginning of the list */
49 auth_cred_st
*ccred
, *ncred
;
50 ccred
= session
->key
.cred
;
57 session
->key
.cred
= NULL
;
62 * This creates a linked list of the form:
63 * { algorithm, credentials, pointer to next }
66 * gnutls_credentials_set:
67 * @session: is a #gnutls_session_t structure.
68 * @type: is the type of the credentials
69 * @cred: is a pointer to a structure.
71 * Sets the needed credentials for the specified type. Eg username,
72 * password - or public and private keys etc. The @cred parameter is
73 * a structure that depends on the specified type and on the current
74 * session (client or server).
76 * In order to minimize memory usage, and share credentials between
77 * several threads gnutls keeps a pointer to cred, and not the whole
78 * cred structure. Thus you will have to keep the structure allocated
79 * until you call gnutls_deinit().
81 * For %GNUTLS_CRD_ANON, @cred should be
82 * #gnutls_anon_client_credentials_t in case of a client. In case of
83 * a server it should be #gnutls_anon_server_credentials_t.
85 * For %GNUTLS_CRD_SRP, @cred should be #gnutls_srp_client_credentials_t
86 * in case of a client, and #gnutls_srp_server_credentials_t, in case
89 * For %GNUTLS_CRD_CERTIFICATE, @cred should be
90 * #gnutls_certificate_credentials_t.
92 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
93 * otherwise a negative error code is returned.
96 gnutls_credentials_set (gnutls_session_t session
,
97 gnutls_credentials_type_t type
, void *cred
)
99 auth_cred_st
*ccred
= NULL
, *pcred
= NULL
;
102 if (session
->key
.cred
== NULL
)
103 { /* beginning of the list */
105 session
->key
.cred
= gnutls_malloc (sizeof (auth_cred_st
));
106 if (session
->key
.cred
== NULL
)
107 return GNUTLS_E_MEMORY_ERROR
;
109 /* copy credentials locally */
110 session
->key
.cred
->credentials
= cred
;
112 session
->key
.cred
->next
= NULL
;
113 session
->key
.cred
->algorithm
= type
;
117 ccred
= session
->key
.cred
;
118 while (ccred
!= NULL
)
120 if (ccred
->algorithm
== type
)
128 /* After this, pcred is not null.
133 pcred
->next
= gnutls_malloc (sizeof (auth_cred_st
));
134 if (pcred
->next
== NULL
)
135 return GNUTLS_E_MEMORY_ERROR
;
139 /* copy credentials locally */
140 ccred
->credentials
= cred
;
143 ccred
->algorithm
= type
;
146 { /* modify existing entry */
147 ccred
->credentials
= cred
;
155 * gnutls_auth_get_type:
156 * @session: is a #gnutls_session_t structure.
158 * Returns type of credentials for the current authentication schema.
159 * The returned information is to be used to distinguish the function used
160 * to access authentication data.
162 * Eg. for CERTIFICATE ciphersuites (key exchange algorithms:
163 * %GNUTLS_KX_RSA, %GNUTLS_KX_DHE_RSA), the same function are to be
164 * used to access the authentication data.
166 * Returns: The type of credentials for the current authentication
167 * schema, a #gnutls_credentials_type_t type.
169 gnutls_credentials_type_t
170 gnutls_auth_get_type (gnutls_session_t session
)
172 /* This is not the credentials we must set, but the authentication data
173 * we get by the peer, so it should be reversed.
175 int server
= session
->security_parameters
.entity
== GNUTLS_SERVER
? 0 : 1;
178 _gnutls_map_kx_get_cred (_gnutls_cipher_suite_get_kx_algo
180 security_parameters
.cipher_suite
),
185 * gnutls_auth_server_get_type:
186 * @session: is a #gnutls_session_t structure.
188 * Returns the type of credentials that were used for server authentication.
189 * The returned information is to be used to distinguish the function used
190 * to access authentication data.
192 * Returns: The type of credentials for the server authentication
193 * schema, a #gnutls_credentials_type_t type.
195 gnutls_credentials_type_t
196 gnutls_auth_server_get_type (gnutls_session_t session
)
199 _gnutls_map_kx_get_cred (_gnutls_cipher_suite_get_kx_algo
201 security_parameters
.cipher_suite
), 1);
205 * gnutls_auth_client_get_type:
206 * @session: is a #gnutls_session_t structure.
208 * Returns the type of credentials that were used for client authentication.
209 * The returned information is to be used to distinguish the function used
210 * to access authentication data.
212 * Returns: The type of credentials for the client authentication
213 * schema, a #gnutls_credentials_type_t type.
215 gnutls_credentials_type_t
216 gnutls_auth_client_get_type (gnutls_session_t session
)
219 _gnutls_map_kx_get_cred (_gnutls_cipher_suite_get_kx_algo
221 security_parameters
.cipher_suite
), 0);
226 * This returns a pointer to the linked list. Don't
230 _gnutls_get_kx_cred (gnutls_session_t session
,
231 gnutls_kx_algorithm_t algo
, int *err
)
233 int server
= session
->security_parameters
.entity
== GNUTLS_SERVER
? 1 : 0;
235 return _gnutls_get_cred (session
,
236 _gnutls_map_kx_get_cred (algo
, server
), err
);
240 _gnutls_get_cred (gnutls_session_t session
, gnutls_credentials_type_t type
, int *err
)
242 const void *retval
= NULL
;
245 gnutls_key_st
* key
= &session
->key
;
248 while (ccred
!= NULL
)
250 if (ccred
->algorithm
== type
)
260 retval
= ccred
->credentials
;
269 * _gnutls_get_auth_info - Returns a pointer to authentication information.
270 * @session: is a #gnutls_session_t structure.
272 * This function must be called after a successful gnutls_handshake().
273 * Returns a pointer to authentication information. That information
274 * is data obtained by the handshake protocol, the key exchange algorithm,
275 * and the TLS extensions messages.
277 * In case of GNUTLS_CRD_ANON returns a type of &anon_(server/client)_auth_info_t;
278 * In case of GNUTLS_CRD_CERTIFICATE returns a type of &cert_auth_info_t;
279 * In case of GNUTLS_CRD_SRP returns a type of &srp_(server/client)_auth_info_t;
282 _gnutls_get_auth_info (gnutls_session_t session
)
284 return session
->key
.auth_info
;
288 * _gnutls_free_auth_info - Frees the auth info structure
289 * @session: is a #gnutls_session_t structure.
291 * This function frees the auth info structure and sets it to
292 * null. It must be called since some structures contain malloced
296 _gnutls_free_auth_info (gnutls_session_t session
)
299 rsa_info_st
*rsa_info
;
307 switch (session
->key
.auth_info_type
)
311 case GNUTLS_CRD_ANON
:
313 anon_auth_info_t info
= _gnutls_get_auth_info (session
);
319 _gnutls_free_dh_info (dh_info
);
324 psk_auth_info_t info
= _gnutls_get_auth_info (session
);
330 _gnutls_free_dh_info (dh_info
);
333 case GNUTLS_CRD_CERTIFICATE
:
336 cert_auth_info_t info
= _gnutls_get_auth_info (session
);
342 rsa_info
= &info
->rsa_export
;
343 for (i
= 0; i
< info
->ncerts
; i
++)
345 _gnutls_free_datum (&info
->raw_certificate_list
[i
]);
348 gnutls_free (info
->raw_certificate_list
);
349 info
->raw_certificate_list
= NULL
;
352 _gnutls_free_dh_info (dh_info
);
353 _gnutls_free_rsa_info (rsa_info
);
363 gnutls_free (session
->key
.auth_info
);
364 session
->key
.auth_info
= NULL
;
365 session
->key
.auth_info_size
= 0;
366 session
->key
.auth_info_type
= 0;
370 /* This function will set the auth info structure in the key
372 * If allow change is !=0 then this will allow changing the auth
373 * info structure to a different type.
376 _gnutls_auth_info_set (gnutls_session_t session
,
377 gnutls_credentials_type_t type
, int size
,
380 if (session
->key
.auth_info
== NULL
)
382 session
->key
.auth_info
= gnutls_calloc (1, size
);
383 if (session
->key
.auth_info
== NULL
)
386 return GNUTLS_E_MEMORY_ERROR
;
388 session
->key
.auth_info_type
= type
;
389 session
->key
.auth_info_size
= size
;
393 if (allow_change
== 0)
395 /* If the credentials for the current authentication scheme,
396 * are not the one we want to set, then it's an error.
397 * This may happen if a rehandshake is performed an the
398 * ciphersuite which is negotiated has different authentication
401 if (gnutls_auth_get_type (session
) != session
->key
.auth_info_type
)
404 return GNUTLS_E_INVALID_REQUEST
;
409 /* The new behaviour: Here we reallocate the auth info structure
410 * in order to be able to negotiate different authentication
411 * types. Ie. perform an auth_anon and then authenticate again using a
412 * certificate (in order to prevent revealing the certificate's contents,
413 * to passive eavesdropers.
415 if (gnutls_auth_get_type (session
) != session
->key
.auth_info_type
)
418 _gnutls_free_auth_info (session
);
420 session
->key
.auth_info
= calloc (1, size
);
421 if (session
->key
.auth_info
== NULL
)
424 return GNUTLS_E_MEMORY_ERROR
;
427 session
->key
.auth_info_type
= type
;
428 session
->key
.auth_info_size
= size
;