diff options
author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2013-08-31 17:04:12 +0300 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2013-08-31 17:04:12 +0300 |
commit | 9b3273f6bf9674d63f1ee85155630e8fc2707dd0 (patch) | |
tree | a1042e7b36226d2fa26332276a39b36df584a048 | |
parent | f9ee722a969f250169bb1db84b9cfe98a037cba1 (diff) | |
download | gnutls-9b3273f6bf9674d63f1ee85155630e8fc2707dd0.tar.gz |
Improvements in RSA-PSK.
-rw-r--r-- | lib/auth/rsa_psk.c | 127 | ||||
-rw-r--r-- | lib/gnutls_int.h | 2 | ||||
-rw-r--r-- | lib/gnutls_state.c | 3 |
3 files changed, 39 insertions, 93 deletions
diff --git a/lib/auth/rsa_psk.c b/lib/auth/rsa_psk.c index f02bbac983..e372ee9a79 100644 --- a/lib/auth/rsa_psk.c +++ b/lib/auth/rsa_psk.c @@ -74,46 +74,12 @@ const mod_auth_st rsa_psk_auth_struct = { */ static int set_rsa_psk_session_key (gnutls_session_t session, - gnutls_datum_t * rsa_secret) + gnutls_datum_t *ppsk, gnutls_datum_t * rsa_secret) { - gnutls_datum_t pwd_psk = { NULL, 0 }; - gnutls_datum_t *ppsk; unsigned char *p; size_t rsa_secret_size; int ret; - if (session->security_parameters.entity == GNUTLS_CLIENT) - { - gnutls_psk_client_credentials_t cred; - - cred = (gnutls_psk_client_credentials_t) - _gnutls_get_cred (session, GNUTLS_CRD_PSK, NULL); - - if (cred == NULL) - { - gnutls_assert (); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; - } - - ppsk = &cred->key; - - } - else - { /* SERVER side */ - psk_auth_info_t info; - - info = _gnutls_get_auth_info (session); - - /* find the key of this username - */ - ret = _gnutls_psk_pwd_find_entry (session, info->username, &pwd_psk); - if (ret < 0) - { - gnutls_assert (); - return ret; - } - ppsk = &pwd_psk; - } rsa_secret_size = rsa_secret->size; @@ -144,7 +110,6 @@ set_rsa_psk_session_key (gnutls_session_t session, ret = 0; error: - _gnutls_free_datum (&pwd_psk); return ret; } @@ -166,7 +131,8 @@ _gnutls_gen_rsa_psk_client_kx (gnutls_session_t session, gnutls_datum_t sdata; /* data to send */ gnutls_pk_params_st params; gnutls_psk_client_credentials_t cred; - int ret; + gnutls_datum_t username, key; + int ret, free; if (auth == NULL) { @@ -236,51 +202,16 @@ _gnutls_gen_rsa_psk_client_kx (gnutls_session_t session, return GNUTLS_E_INSUFFICIENT_CREDENTIALS; } - /* TODO: Bei dhe_psk wird keine PSK aufgerufen, wenn die Parameter - leer sind. Die Funktion wird an dieser Stelle dann abgebrochen. - Können diese womöglich an anderer Stelle übergeben werden? */ - if (cred->username.data == NULL && cred->key.data == NULL && - cred->get_function != NULL) - { - char *username; - gnutls_datum_t key; - - ret = cred->get_function (session, &username, &key); - if (ret) - { - gnutls_assert (); - return ret; - } - - ret = _gnutls_set_datum (&cred->username, username, strlen (username)); - gnutls_free (username); - if (ret < 0) - { - gnutls_assert (); - _gnutls_free_datum (&key); - return ret; - } - - ret = _gnutls_set_datum (&cred->key, key.data, key.size); - _gnutls_free_datum (&key); - if (ret < 0) - { - gnutls_assert (); - return GNUTLS_E_MEMORY_ERROR; - } - } - else if (cred->username.data == NULL || cred->key.data == NULL) - { - gnutls_assert (); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; - } + ret = _gnutls_find_psk_key( session, cred, &username, &key, &free); + if (ret < 0) + return gnutls_assert_val(ret); /* Here we set the PSK key */ - ret = set_rsa_psk_session_key (session, &premaster_secret); + ret = set_rsa_psk_session_key (session, &key, &premaster_secret); if (ret < 0) { gnutls_assert (); - return ret; + goto cleanup; } /* Create message for client key exchange @@ -297,19 +228,27 @@ _gnutls_gen_rsa_psk_client_kx (gnutls_session_t session, cred->username.size); if (ret < 0) { - _gnutls_free_datum (&sdata); - return GNUTLS_E_MEMORY_ERROR; + gnutls_assert(); + goto cleanup; } ret = _gnutls_buffer_append_data_prefix (data, 16, sdata.data, sdata.size); if (ret < 0) { - _gnutls_free_datum (&sdata); - return GNUTLS_E_MEMORY_ERROR; + gnutls_assert(); + goto cleanup; } + ret = 0; + +cleanup: _gnutls_free_datum (&sdata); _gnutls_free_datum (&premaster_secret); + if (free) + { + gnutls_free(key.data); + gnutls_free(username.data); + } return data->length; } @@ -325,11 +264,12 @@ _gnutls_proc_rsa_psk_client_kx (gnutls_session_t session, uint8_t * data, psk_auth_info_t info; gnutls_datum_t plaintext; gnutls_datum_t ciphertext; + gnutls_datum_t pwd_psk = {NULL, 0}; int ret, dsize; int randomize_key = 0; ssize_t data_size = _data_size; gnutls_psk_server_credentials_t cred; - gnutls_datum_t premaster_secret; + gnutls_datum_t premaster_secret = {NULL, 0}; cred = (gnutls_psk_server_credentials_t) _gnutls_get_cred (session, GNUTLS_CRD_PSK, NULL); @@ -373,7 +313,6 @@ _gnutls_proc_rsa_psk_client_kx (gnutls_session_t session, uint8_t * data, /* Adjust data so it points to EncryptedPreMasterSecret */ data += username.size + 2; - /*** 2. Decrypt and extract EncryptedPreMasterSecret ***/ DECR_LEN (data_size, 2); @@ -438,7 +377,7 @@ _gnutls_proc_rsa_psk_client_kx (gnutls_session_t session, uint8_t * data, if (ret < 0) { gnutls_assert (); - return ret; + goto cleanup; } } else @@ -454,16 +393,28 @@ _gnutls_proc_rsa_psk_client_kx (gnutls_session_t session, uint8_t * data, premaster_secret.data[0] = _gnutls_get_adv_version_major (session); premaster_secret.data[1] = _gnutls_get_adv_version_minor (session); - ret = set_rsa_psk_session_key (session, &premaster_secret); - _gnutls_free_datum (&premaster_secret); + /* find the key of this username + */ + ret = _gnutls_psk_pwd_find_entry (session, info->username, &pwd_psk); + if (ret < 0) + { + gnutls_assert(); + goto cleanup; + } + ret = set_rsa_psk_session_key (session, &pwd_psk, &premaster_secret); if (ret < 0) { gnutls_assert (); - return ret; + goto cleanup; } - return 0; + ret = 0; +cleanup: + _gnutls_free_datum (&pwd_psk); + _gnutls_free_datum (&premaster_secret); + + return ret; } #endif /* ENABLE_PSK */ diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h index eaccdbaaf5..bffa3e41d7 100644 --- a/lib/gnutls_int.h +++ b/lib/gnutls_int.h @@ -703,8 +703,6 @@ typedef struct { gnutls_dh_params_t dh_params; int free_dh_params; - gnutls_rsa_params_t rsa_params; - int free_rsa_params; } internal_params_st; /* DTLS session state diff --git a/lib/gnutls_state.c b/lib/gnutls_state.c index 8ce1649a6e..5cccbd49bd 100644 --- a/lib/gnutls_state.c +++ b/lib/gnutls_state.c @@ -233,9 +233,6 @@ deinit_internal_params (gnutls_session_t session) gnutls_dh_params_deinit (session->internals.params.dh_params); #endif - if (session->internals.params.free_rsa_params) - gnutls_rsa_params_deinit (session->internals.params.rsa_params); - _gnutls_handshake_hash_buffers_clear (session); memset (&session->internals.params, 0, sizeof (session->internals.params)); |