| blob | 57dff81f577943ea421752648d37b23f9c2c0e77 |
1 /*
2 * Copyright (C) 2005, 2006, 2008, 2009, 2010 Free Software Foundation,
3 * Inc.
4 *
5 * Author: Simon Josefsson
6 *
7 * This file is part of GnuTLS-EXTRA.
8 *
9 * GnuTLS-extra is free software: you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation, either version 3 of the License, or
12 * (at your option) any later version.
13 *
14 * GnuTLS-extra is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License
20 * along with this program. If not, see <http://www.gnu.org/licenses/>.
21 */
28 #include <gnutls/extra.h>
29 #include <ext_inner_application.h>
31 #define CHECKSUM_SIZE 12
33 struct gnutls_ia_client_credentials_st
34 {
35 gnutls_ia_avp_func avp_func;
37 };
39 struct gnutls_ia_server_credentials_st
40 {
41 gnutls_ia_avp_func avp_func;
43 };
50 /*
51 * The TLS/IA packet is the InnerApplication token, described as
52 * follows in draft-funk-tls-inner-application-extension-01.txt:
53 *
54 * enum {
55 * application_payload(0), intermediate_phase_finished(1),
56 * final_phase_finished(2), (255)
57 * } InnerApplicationType;
58 *
59 * struct {
60 * InnerApplicationType msg_type;
61 * uint24 length;
62 * select (InnerApplicationType) {
63 * case application_payload: ApplicationPayload;
64 * case intermediate_phase_finished: IntermediatePhaseFinished;
65 * case final_phase_finished: FinalPhaseFinished;
66 * } body;
67 * } InnerApplication;
68 *
69 */
71 /* Send TLS/IA data. If data==NULL && sizeofdata==NULL, then the last
72 send was interrupted for some reason, and then we try to send it
73 again. Returns the number of bytes sent, or an error code. If
74 this return E_AGAIN and E_INTERRUPTED, call this function again
75 with data==NULL&&sizeofdata=0NULL until it returns successfully. */
76 static ssize_t
78 gnutls_ia_apptype_t msg_type,
80 {
83 ssize_t len;
86 {
90 {
93 }
98 }
100 len =
108 }
110 /* Receive TLS/IA data. Store received TLS/IA message type in
111 *MSG_TYPE, and the data in DATA of max SIZEOFDATA size. Return the
112 number of bytes read, or an error code. */
113 static ssize_t
117 {
118 ssize_t len;
124 {
127 }
133 {
136 }
139 {
140 /* XXX push back pkt to IA buffer? */
143 }
146 {
152 {
154 /* XXX Correct? */
156 }
157 }
160 }
162 /* Apply the TLS PRF using the TLS/IA inner secret as keying material,
163 where the seed is the client random concatenated with the server
164 random concatenated EXTRA of EXTRA_SIZE length (which can be NULL/0
165 respectively). LABEL and LABEL_SIZE is used as the label. The
166 result is placed in pre-allocated OUT of OUTSIZE length. */
167 static int
173 {
177 extension_priv_data_t epriv;
180 ret =
184 {
187 }
192 {
195 }
198 GNUTLS_RANDOM_SIZE);
204 GNUTLS_MASTER_SIZE,
210 }
212 /**
213 * gnutls_ia_permute_inner_secret:
214 * @session: is a #gnutls_session_t structure.
215 * @session_keys_size: Size of generated session keys (0 if none).
216 * @session_keys: Generated session keys, used to permute inner secret
217 * (NULL if none).
218 *
219 * Permute the inner secret using the generated session keys.
220 *
221 * This can be called in the TLS/IA AVP callback to mix any generated
222 * session keys with the TLS/IA inner secret.
223 *
224 * Return value: Return zero on success, or a negative error code.
225 **/
226 int
230 {
231 extension_priv_data_t epriv;
235 ret =
239 {
242 }
247 inner_permutation_label,
248 session_keys_size,
249 session_keys,
251 }
253 /**
254 * gnutls_ia_generate_challenge:
255 * @session: is a #gnutls_session_t structure.
256 * @buffer_size: size of output buffer.
257 * @buffer: pre-allocated buffer to contain @buffer_size bytes of output.
258 *
259 * Generate an application challenge that the client cannot control or
260 * predict, based on the TLS/IA inner secret.
261 *
262 * Return value: Returns 0 on success, or an negative error code.
263 **/
264 int
267 {
271 }
273 /**
274 * gnutls_ia_extract_inner_secret:
275 * @session: is a #gnutls_session_t structure.
276 * @buffer: pre-allocated buffer to hold 48 bytes of inner secret.
277 *
278 * Copy the 48 bytes large inner secret into the specified buffer
279 *
280 * This function is typically used after the TLS/IA handshake has
281 * concluded. The TLS/IA inner secret can be used as input to a PRF
282 * to derive session keys. Do not use the inner secret directly as a
283 * session key, because for a resumed session that does not include an
284 * application phase, the inner secret will be identical to the inner
285 * secret in the original session. It is important to include, for
286 * example, the client and server randomness when deriving a sesssion
287 * key from the inner secret.
288 **/
289 void
291 {
292 extension_priv_data_t epriv;
296 ret =
300 {
303 }
307 }
309 /**
310 * gnutls_ia_endphase_send:
311 * @session: is a #gnutls_session_t structure.
312 * @final_p: Set iff this should signal the final phase.
313 *
314 * Send a TLS/IA end phase message.
315 *
316 * In the client, this should only be used to acknowledge an end phase
317 * message sent by the server.
318 *
319 * In the server, this can be called instead of gnutls_ia_send() if
320 * the server wishes to end an application phase.
321 *
322 * Return value: Return 0 on success, or an error code.
323 **/
324 int
326 {
332 ssize_t len;
334 extension_priv_data_t epriv;
337 ret =
341 {
344 }
349 /* XXX specification unclear on seed. */
354 len = _gnutls_send_inner_application
359 /* XXX Instead of calling this function over and over...?
360 * while (len == GNUTLS_E_AGAIN || len == GNUTLS_E_INTERRUPTED)
361 * len = _gnutls_io_write_flush(session);
362 */
365 {
368 }
371 }
373 /**
374 * gnutls_ia_verify_endphase:
375 * @session: is a #gnutls_session_t structure.
376 * @checksum: 12-byte checksum data, received from gnutls_ia_recv().
377 *
378 * Verify TLS/IA end phase checksum data. If verification fails, the
379 * %GNUTLS_A_INNER_APPLICATION_VERIFICATION alert is sent to the other
380 * sie.
381 *
382 * This function is called when gnutls_ia_recv() return
383 * %GNUTLS_E_WARNING_IA_IPHF_RECEIVED or
384 * %GNUTLS_E_WARNING_IA_FPHF_RECEIVED.
385 *
386 * Return value: Return 0 on successful verification, or an error
387 * code. If the checksum verification of the end phase message fails,
388 * %GNUTLS_E_IA_VERIFY_FAILED is returned.
389 **/
390 int
392 {
399 extension_priv_data_t epriv;
402 ret =
406 {
409 }
413 GNUTLS_MASTER_SIZE,
417 {
420 }
423 {
425 GNUTLS_A_INNER_APPLICATION_VERIFICATION);
427 {
430 }
433 }
436 }
438 /**
439 * gnutls_ia_send:
440 * @session: is a #gnutls_session_t structure.
441 * @data: contains the data to send
442 * @sizeofdata: is the length of the data
443 *
444 * Send TLS/IA application payload data. This function has the
445 * similar semantics with send(). The only difference is that it
446 * accepts a GnuTLS session, and uses different error codes.
447 *
448 * The TLS/IA protocol is synchronous, so you cannot send more than
449 * one packet at a time. The client always send the first packet.
450 *
451 * To finish an application phase in the server, use
452 * gnutls_ia_endphase_send(). The client cannot end an application
453 * phase unilaterally; rather, a client is required to respond with an
454 * endphase of its own if gnutls_ia_recv indicates that the server has
455 * sent one.
456 *
457 * If the EINTR is returned by the internal push function (the default
458 * is send()} then %GNUTLS_E_INTERRUPTED will be returned. If
459 * %GNUTLS_E_INTERRUPTED or %GNUTLS_E_AGAIN is returned, you must call
460 * this function again, with the same parameters; alternatively you
461 * could provide a %NULL pointer for data, and 0 for size.
462 *
463 * Returns: The number of bytes sent, or a negative error code.
464 **/
465 ssize_t
467 {
468 ssize_t len;
471 GNUTLS_IA_APPLICATION_PAYLOAD,
475 }
477 /**
478 * gnutls_ia_recv:
479 * @session: is a #gnutls_session_t structure.
480 * @data: the buffer that the data will be read into, must hold >= 12 bytes.
481 * @sizeofdata: the number of requested bytes, must be >= 12.
482 *
483 * Receive TLS/IA data. This function has the similar semantics with
484 * recv(). The only difference is that it accepts a GnuTLS session,
485 * and uses different error codes.
486 *
487 * If the server attempt to finish an application phase, this function
488 * will return %GNUTLS_E_WARNING_IA_IPHF_RECEIVED or
489 * %GNUTLS_E_WARNING_IA_FPHF_RECEIVED. The caller should then invoke
490 * gnutls_ia_verify_endphase(), and if it runs the client side, also
491 * send an endphase message of its own using gnutls_ia_endphase_send.
492 *
493 * If EINTR is returned by the internal push function (the default is
494 * @code{recv()}) then GNUTLS_E_INTERRUPTED will be returned. If
495 * GNUTLS_E_INTERRUPTED or GNUTLS_E_AGAIN is returned, you must call
496 * this function again, with the same parameters; alternatively you
497 * could provide a NULL pointer for data, and 0 for size.
498 *
499 * Returns: The number of bytes received. A negative error code is
500 * returned in case of an error. The
501 * %GNUTLS_E_WARNING_IA_IPHF_RECEIVED and
502 * %GNUTLS_E_WARNING_IA_FPHF_RECEIVED errors are returned when an
503 * application phase finished message has been sent by the server.
504 **/
505 ssize_t
507 {
509 ssize_t len;
519 }
521 /* XXX rewrite the following two functions as state machines, to
522 handle EAGAIN/EINTERRUPTED? just add more problems to callers,
523 though. */
525 static int
527 {
531 ssize_t len;
540 {
547 {
550 GNUTLS_A_INNER_APPLICATION_FAILURE);
554 }
564 {
569 ret = gnutls_ia_endphase_send
573 }
576 {
580 }
589 }
592 }
594 static int
596 {
597 gnutls_ia_apptype_t msg_type;
598 ssize_t len;
607 do
608 {
615 {
619 }
634 {
637 GNUTLS_A_INNER_APPLICATION_FAILURE);
641 }
646 {
648 GNUTLS_IA_FINAL_PHASE_FINISHED);
651 }
652 else
653 {
658 }
659 }
663 }
665 /**
666 * gnutls_ia_handshake_p:
667 * @session: is a #gnutls_session_t structure.
668 *
669 * Predicate to be used after gnutls_handshake() to decide whether to
670 * invoke gnutls_ia_handshake(). Usable by both clients and servers.
671 *
672 * Return value: non-zero if TLS/IA handshake is expected, zero
673 * otherwise.
674 **/
675 int
677 {
678 extension_priv_data_t epriv;
682 ret =
686 {
689 }
692 /* Either local side or peer doesn't do TLS/IA: don't do IA */
697 /* Not resuming or we don't allow skipping on resumption locally: do IA */
702 /* If we're resuming and we and the peer both allow skipping on resumption:
703 * don't do IA */
706 }
709 /**
710 * gnutls_ia_handshake:
711 * @session: is a #gnutls_session_t structure.
712 *
713 * Perform a TLS/IA handshake. This should be called after
714 * gnutls_handshake() iff gnutls_ia_handshake_p().
715 *
716 * Returns: On success, %GNUTLS_E_SUCCESS (zero) is returned,
717 * otherwise an error code is returned.
718 **/
719 int
721 {
726 else
730 }
732 /**
733 * gnutls_ia_allocate_client_credentials:
734 * @sc: is a pointer to a #gnutls_ia_server_credentials_t structure.
735 *
736 * This structure is complex enough to manipulate directly thus this
737 * helper function is provided in order to allocate it.
738 *
739 * Adding this credential to a session will enable TLS/IA, and will
740 * require an Application Phase after the TLS handshake (if the server
741 * support TLS/IA). Use gnutls_ia_enable() to toggle the TLS/IA mode.
742 *
743 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise
744 * an error code is returned.
745 **/
746 int
748 {
755 }
757 /**
758 * gnutls_ia_free_client_credentials:
759 * @sc: is a #gnutls_ia_client_credentials_t structure.
760 *
761 * This structure is complex enough to manipulate directly thus this
762 * helper function is provided in order to free (deallocate) it.
763 *
764 **/
765 void
767 {
769 }
771 /**
772 * gnutls_ia_set_client_avp_function:
773 * @cred: is a #gnutls_ia_client_credentials_t structure.
774 * @avp_func: is the callback function
775 *
776 * Set the TLS/IA AVP callback handler used for the session.
777 *
778 * The AVP callback is called to process AVPs received from the
779 * server, and to get a new AVP to send to the server.
780 *
781 * The callback's function form is:
782 * int (*avp_func) (gnutls_session_t session, void *ptr,
783 * const char *last, size_t lastlen,
784 * char **next, size_t *nextlen);
785 *
786 * The @session parameter is the #gnutls_session_t structure
787 * corresponding to the current session. The @ptr parameter is the
788 * application hook pointer, set through
789 * gnutls_ia_set_client_avp_ptr(). The AVP received from the server
790 * is present in @last of @lastlen size, which will be %NULL on the
791 * first invocation. The newly allocated output AVP to send to the
792 * server should be placed in *@next of *@nextlen size.
793 *
794 * The callback may invoke gnutls_ia_permute_inner_secret() to mix any
795 * generated session keys with the TLS/IA inner secret.
796 *
797 * Return 0 (%GNUTLS_IA_APPLICATION_PAYLOAD) on success, or a negative
798 * error code to abort the TLS/IA handshake.
799 *
800 * Note that the callback must use allocate the @next parameter using
801 * gnutls_malloc(), because it is released via gnutls_free() by the
802 * TLS/IA handshake function.
803 *
804 **/
805 void
807 gnutls_ia_avp_func avp_func)
808 {
810 }
812 /**
813 * gnutls_ia_set_client_avp_ptr:
814 * @cred: is a #gnutls_ia_client_credentials_t structure.
815 * @ptr: is the pointer
816 *
817 * Sets the pointer that will be provided to the TLS/IA callback
818 * function as the first argument.
819 **/
820 void
822 {
824 }
826 /**
827 * gnutls_ia_get_client_avp_ptr:
828 * @cred: is a #gnutls_ia_client_credentials_t structure.
829 *
830 * Returns the pointer that will be provided to the TLS/IA callback
831 * function as the first argument.
832 *
833 * Returns: The client callback data pointer.
834 **/
837 {
839 }
841 /**
842 * gnutls_ia_allocate_server_credentials:
843 * @sc: is a pointer to a #gnutls_ia_server_credentials_t structure.
844 *
845 * This structure is complex enough to manipulate directly thus this
846 * helper function is provided in order to allocate it.
847 *
848 * Adding this credential to a session will enable TLS/IA, and will
849 * require an Application Phase after the TLS handshake (if the client
850 * support TLS/IA). Use gnutls_ia_enable() to toggle the TLS/IA mode.
851 *
852 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise
853 * an error code is returned.
854 **/
855 int
857 {
864 }
866 /**
867 * gnutls_ia_free_server_credentials:
868 * @sc: is a #gnutls_ia_server_credentials_t structure.
869 *
870 * This structure is complex enough to manipulate directly thus this
871 * helper function is provided in order to free (deallocate) it.
872 *
873 **/
874 void
876 {
878 }
880 /**
881 * gnutls_ia_set_server_credentials_function:
882 * @cred: is a #gnutls_ia_server_credentials_t structure.
883 * @func: is the callback function
884 *
885 * Set the TLS/IA AVP callback handler used for the session.
886 *
887 * The callback's function form is:
888 * int (*avp_func) (gnutls_session_t session, void *ptr,
889 * const char *last, size_t lastlen,
890 * char **next, size_t *nextlen);
891 *
892 * The @session parameter is the #gnutls_session_t structure
893 * corresponding to the current session. The @ptr parameter is the
894 * application hook pointer, set through
895 * gnutls_ia_set_server_avp_ptr(). The AVP received from the client
896 * is present in @last of @lastlen size. The newly allocated output
897 * AVP to send to the client should be placed in *@next of *@nextlen
898 * size.
899 *
900 * The AVP callback is called to process incoming AVPs from the
901 * client, and to get a new AVP to send to the client. It can also be
902 * used to instruct the TLS/IA handshake to do go into the
903 * Intermediate or Final phases. It return a negative error code, or
904 * a #gnutls_ia_apptype_t message type.
905 *
906 * The callback may invoke gnutls_ia_permute_inner_secret() to mix any
907 * generated session keys with the TLS/IA inner secret.
908 *
909 * Specifically, return %GNUTLS_IA_APPLICATION_PAYLOAD (0) to send
910 * another AVP to the client, return
911 * %GNUTLS_IA_INTERMEDIATE_PHASE_FINISHED (1) to indicate that an
912 * IntermediatePhaseFinished message should be sent, and return
913 * %GNUTLS_IA_FINAL_PHASE_FINISHED (2) to indicate that an
914 * FinalPhaseFinished message should be sent. In the last two cases,
915 * the contents of the @next and @nextlen parameter is not used.
916 *
917 * Note that the callback must use allocate the @next parameter using
918 * gnutls_malloc(), because it is released via gnutls_free() by the
919 * TLS/IA handshake function.
920 **/
921 void
923 gnutls_ia_avp_func avp_func)
924 {
926 }
928 /**
929 * gnutls_ia_set_server_avp_ptr:
930 * @cred: is a #gnutls_ia_client_credentials_t structure.
931 * @ptr: is the pointer
932 *
933 * Sets the pointer that will be provided to the TLS/IA callback
934 * function as the first argument.
935 **/
936 void
938 {
940 }
942 /**
943 * gnutls_ia_get_server_avp_ptr:
944 * @cred: is a #gnutls_ia_client_credentials_t structure.
945 *
946 * Returns the pointer that will be provided to the TLS/IA callback
947 * function as the first argument.
948 *
949 * Returns: The server callback data pointer.
950 **/
953 {
955 }
957 /**
958 * gnutls_ia_enable:
959 * @session: is a #gnutls_session_t structure.
960 * @allow_skip_on_resume: non-zero if local party allows one to skip the
961 * TLS/IA application phases for a resumed session.
962 *
963 * Specify whether we must advertise support for the TLS/IA extension
964 * during the handshake.
965 *
966 * At the client side, we always advertise TLS/IA if gnutls_ia_enable
967 * was called before the handshake; at the server side, we also
968 * require that the client has advertised that it wants to run TLS/IA
969 * before including the advertisement, as required by the protocol.
970 *
971 * Similarly, at the client side we always advertise that we allow
972 * TLS/IA to be skipped for resumed sessions if @allow_skip_on_resume
973 * is non-zero; at the server side, we also require that the session
974 * is indeed resumable and that the client has also advertised that it
975 * allows TLS/IA to be skipped for resumed sessions.
976 *
977 * After the TLS handshake, call gnutls_ia_handshake_p() to find out
978 * whether both parties agreed to do a TLS/IA handshake, before
979 * calling gnutls_ia_handshake() or one of the lower level gnutls_ia_*
980 * functions.
981 **/
982 void
984 {
985 extension_priv_data_t epriv;
990 {
993 }
1002 epriv);
1004 }