static int
_gnutls_srp_gx(uint8_t * text, size_t textsize, uint8_t ** result,
bigint_t g, bigint_t prime)
{
bigint_t x, e = NULL;
size_t result_size;
int ret;
if (_gnutls_mpi_init_scan_nz(&x, text, textsize)) {
gnutls_assert();
return GNUTLS_E_MPI_SCAN_FAILED;
}
ret = _gnutls_mpi_init(&e);
if (ret < 0)
goto cleanup;
/* e = g^x mod prime (n) */
ret = _gnutls_mpi_powm(e, g, x, prime);
if (ret < 0)
goto cleanup;
ret = _gnutls_mpi_print(e, NULL, &result_size);
if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) {
*result = gnutls_malloc(result_size);
if ((*result) == NULL) {
ret = GNUTLS_E_MEMORY_ERROR;
goto cleanup;
}
ret = _gnutls_mpi_print(e, *result, &result_size);
if (ret < 0)
goto cleanup;
ret = result_size;
} else {
gnutls_assert();
ret = GNUTLS_E_MPI_PRINT_FAILED;
}
cleanup:
_gnutls_mpi_release(&e);
_gnutls_mpi_release(&x);
return ret;
}
/* Checks if a%n==0,+1,-1%n which is a fatal srp error.
* Returns a proper error code in that case, and 0 when
* all are ok.
*/
inline static int check_param_mod_n(bigint_t a, bigint_t n, int is_a)
{
int ret, err = 0;
bigint_t r;
ret = _gnutls_mpi_init(&r);
if (ret < 0)
return gnutls_assert_val(ret);
ret = _gnutls_mpi_modm(r, a, n);
if (ret < 0) {
_gnutls_mpi_release(&r);
return gnutls_assert_val(ret);
}
ret = _gnutls_mpi_cmp_ui(r, 0);
if (ret == 0)
err = 1;
if (is_a != 0) {
ret = _gnutls_mpi_cmp_ui(r, 1);
if (ret == 0)
err = 1;
ret = _gnutls_mpi_add_ui(r, r, 1);
if (ret < 0) {
_gnutls_mpi_release(&r);
return gnutls_assert_val(ret);
}
ret = _gnutls_mpi_cmp(r, n);
if (ret == 0)
err = 1;
}
_gnutls_mpi_release(&r);
if (err != 0) {
gnutls_assert();
return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
}
return 0;
}
static int
wrap_nettle_pk_fixup(gnutls_pk_algorithm_t algo,
gnutls_direction_t direction,
gnutls_pk_params_st * params)
{
int ret;
if (direction == GNUTLS_IMPORT && algo == GNUTLS_PK_RSA) {
/* do not trust the generated values. Some old private keys
* generated by us have mess on the values. Those were very
* old but it seemed some of the shipped example private
* keys were as old.
*/
if (params->params_nr < RSA_PRIVATE_PARAMS - 3)
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
if (params->params[RSA_COEF] == NULL) {
ret = _gnutls_mpi_init(¶ms->params[RSA_COEF]);
if (ret < 0)
return gnutls_assert_val(ret);
}
mpz_invert(TOMPZ(params->params[RSA_COEF]),
TOMPZ(params->params[RSA_PRIME2]),
TOMPZ(params->params[RSA_PRIME1]));
/* calculate exp1 [6] and exp2 [7] */
zrelease_mpi_key(¶ms->params[RSA_E1]);
zrelease_mpi_key(¶ms->params[RSA_E2]);
ret = calc_rsa_exp(params);
if (ret < 0)
return gnutls_assert_val(ret);
params->params_nr = RSA_PRIVATE_PARAMS;
}
return 0;
}
/* Decodes an DSA privateKey and params from a PKCS8 structure.
*/
static int
_decode_pkcs8_dsa_key(ASN1_TYPE pkcs8_asn, gnutls_x509_privkey_t pkey)
{
int ret;
gnutls_datum_t tmp = {NULL, 0};
gnutls_pk_params_init(&pkey->params);
ret = _gnutls_x509_read_value(pkcs8_asn, "privateKey", &tmp);
if (ret < 0) {
gnutls_assert();
goto error;
}
ret =
_gnutls_x509_read_der_int(tmp.data, tmp.size,
&pkey->params.params[4]);
_gnutls_free_key_datum(&tmp);
if (ret < 0) {
gnutls_assert();
goto error;
}
ret =
_gnutls_x509_read_value(pkcs8_asn,
"privateKeyAlgorithm.parameters",
&tmp);
if (ret < 0) {
gnutls_assert();
goto error;
}
ret =
_gnutls_x509_read_pubkey_params(GNUTLS_PK_DSA, tmp.data,
tmp.size, &pkey->params);
_gnutls_free_datum(&tmp);
if (ret < 0) {
gnutls_assert();
goto error;
}
if (_gnutls_mpi_cmp_ui(pkey->params.params[0], 0) == 0) {
gnutls_assert();
ret = GNUTLS_E_ILLEGAL_PARAMETER;
goto error;
}
/* the public key can be generated as g^x mod p */
ret = _gnutls_mpi_init(&pkey->params.params[3]);
if (ret < 0) {
gnutls_assert();
goto error;
}
ret = _gnutls_mpi_powm(pkey->params.params[3], pkey->params.params[2],
pkey->params.params[4], pkey->params.params[0]);
if (ret < 0) {
gnutls_assert();
goto error;
}
pkey->params.algo = GNUTLS_PK_DSA;
pkey->params.params_nr = DSA_PRIVATE_PARAMS;
ret =
_gnutls_asn1_encode_privkey(&pkey->key,
&pkey->params);
if (ret < 0) {
gnutls_assert();
goto error;
}
return 0;
error:
if (pkey->params.params_nr != DSA_PRIVATE_PARAMS)
_gnutls_mpi_release(&pkey->params.params[4]);
return ret;
}
/* Decodes a GOST privateKey from a PKCS8 structure.
*/
static int
_decode_pkcs8_gost_key(ASN1_TYPE pkcs8_asn, gnutls_x509_privkey_t pkey,
gnutls_pk_algorithm_t algo)
{
int ret;
gnutls_datum_t tmp;
unsigned char oid[3 * MAX_OID_SIZE]; /* GOST parameters can have 3 OIDs at most */
int len, result;
gnutls_pk_params_init(&pkey->params);
len = sizeof(oid);
result = asn1_read_value(pkcs8_asn, "privateKeyAlgorithm.parameters",
oid, &len);
if (result != ASN1_SUCCESS) {
gnutls_assert();
ret = GNUTLS_E_PARSING_ERROR;
goto error;
} else {
ret = _gnutls_x509_read_gost_params(oid, len, &pkey->params, algo);
if (ret < 0) {
gnutls_assert();
goto error;
}
}
/* Will be fixed later by pk_fixup */
ret = _gnutls_mpi_init(&pkey->params.params[GOST_X]);
if (ret < 0) {
gnutls_assert();
goto error;
}
pkey->params.params_nr++;
ret = _gnutls_mpi_init(&pkey->params.params[GOST_Y]);
if (ret < 0) {
gnutls_assert();
goto error;
}
pkey->params.params_nr++;
_gnutls_mpi_set_ui(pkey->params.params[GOST_X], 0);
_gnutls_mpi_set_ui(pkey->params.params[GOST_Y], 0);
ret = _gnutls_x509_read_value(pkcs8_asn, "privateKey", &tmp);
if (ret < 0) {
gnutls_assert();
goto error;
}
ret = _privkey_decode_gost_key(&tmp, pkey);
_gnutls_free_key_datum(&tmp);
if (ret < 0) {
gnutls_assert();
goto error;
}
pkey->params.algo = algo;
return 0;
error:
gnutls_pk_params_clear(&pkey->params);
gnutls_pk_params_release(&pkey->params);
return ret;
}
static int
wrap_nettle_pk_verify_priv_params(gnutls_pk_algorithm_t algo,
const gnutls_pk_params_st * params)
{
int ret;
switch (algo) {
case GNUTLS_PK_RSA:
{
bigint_t t1 = NULL, t2 = NULL;
if (params->params_nr != RSA_PRIVATE_PARAMS)
return
gnutls_assert_val
(GNUTLS_E_INVALID_REQUEST);
ret = _gnutls_mpi_init_multi(&t1, &t2, NULL);
if (ret < 0)
return
gnutls_assert_val(ret);
_gnutls_mpi_mulm(t1, params->params[RSA_PRIME1],
params->params[RSA_PRIME2],
params->params[RSA_MODULUS]);
if (_gnutls_mpi_cmp_ui(t1, 0) != 0) {
ret =
gnutls_assert_val
(GNUTLS_E_ILLEGAL_PARAMETER);
goto rsa_cleanup;
}
mpz_invert(TOMPZ(t1),
TOMPZ(params->params[RSA_PRIME2]),
TOMPZ(params->params[RSA_PRIME1]));
if (_gnutls_mpi_cmp(t1, params->params[RSA_COEF])
!= 0) {
ret =
gnutls_assert_val
(GNUTLS_E_ILLEGAL_PARAMETER);
goto rsa_cleanup;
}
/* [RSA_PRIME1] = d % p-1, [RSA_PRIME2] = d % q-1 */
_gnutls_mpi_sub_ui(t1, params->params[RSA_PRIME1],
1);
ret = _gnutls_mpi_modm(t2, params->params[RSA_PRIV], t1);
if (ret < 0) {
ret =
gnutls_assert_val
(GNUTLS_E_MEMORY_ERROR);
goto rsa_cleanup;
}
if (_gnutls_mpi_cmp(params->params[RSA_E1], t2) !=
0) {
ret =
gnutls_assert_val
(GNUTLS_E_ILLEGAL_PARAMETER);
goto rsa_cleanup;
}
_gnutls_mpi_sub_ui(t1, params->params[RSA_PRIME2],
1);
ret = _gnutls_mpi_modm(t2, params->params[RSA_PRIV], t1);
if (ret < 0) {
ret =
gnutls_assert_val
(GNUTLS_E_MEMORY_ERROR);
goto rsa_cleanup;
}
if (_gnutls_mpi_cmp(params->params[RSA_E2], t2) !=
0) {
ret =
gnutls_assert_val
(GNUTLS_E_ILLEGAL_PARAMETER);
goto rsa_cleanup;
}
ret = 0;
rsa_cleanup:
zrelease_mpi_key(&t1);
zrelease_mpi_key(&t2);
}
break;
case GNUTLS_PK_DSA:
{
bigint_t t1 = NULL;
if (params->params_nr != DSA_PRIVATE_PARAMS)
return
gnutls_assert_val
(GNUTLS_E_INVALID_REQUEST);
ret = _gnutls_mpi_init(&t1);
if (ret < 0)
return
gnutls_assert_val(ret);
ret = _gnutls_mpi_powm(t1, params->params[DSA_G],
params->params[DSA_X],
params->params[DSA_P]);
if (ret < 0) {
gnutls_assert();
goto dsa_cleanup;
}
if (_gnutls_mpi_cmp(t1, params->params[DSA_Y]) !=
0) {
ret =
gnutls_assert_val
(GNUTLS_E_ILLEGAL_PARAMETER);
goto dsa_cleanup;
}
ret = 0;
dsa_cleanup:
zrelease_mpi_key(&t1);
}
break;
case GNUTLS_PK_EC:
{
struct ecc_point r, pub;
struct ecc_scalar priv;
mpz_t x1, y1, x2, y2;
const struct ecc_curve *curve;
if (params->params_nr != ECC_PRIVATE_PARAMS)
return
gnutls_assert_val
(GNUTLS_E_INVALID_REQUEST);
curve = get_supported_curve(params->flags);
if (curve == NULL)
return
gnutls_assert_val
(GNUTLS_E_ECC_UNSUPPORTED_CURVE);
ret = _ecc_params_to_pubkey(params, &pub, curve);
if (ret < 0)
return gnutls_assert_val(ret);
ret = _ecc_params_to_privkey(params, &priv, curve);
if (ret < 0) {
ecc_point_clear(&pub);
return gnutls_assert_val(ret);
}
ecc_point_init(&r, curve);
/* verify that x,y lie on the curve */
ret =
ecc_point_set(&r, TOMPZ(params->params[ECC_X]),
TOMPZ(params->params[ECC_Y]));
if (ret == 0) {
ret =
gnutls_assert_val
(GNUTLS_E_ILLEGAL_PARAMETER);
goto ecc_cleanup;
}
ecc_point_clear(&r);
ecc_point_init(&r, curve);
ecc_point_mul_g(&r, &priv);
mpz_init(x1);
mpz_init(y1);
ecc_point_get(&r, x1, y1);
ecc_point_zclear(&r);
mpz_init(x2);
mpz_init(y2);
ecc_point_get(&pub, x2, y2);
/* verify that k*(Gx,Gy)=(x,y) */
if (mpz_cmp(x1, x2) != 0 || mpz_cmp(y1, y2) != 0) {
ret =
gnutls_assert_val
(GNUTLS_E_ILLEGAL_PARAMETER);
goto ecc_cleanup;
}
ret = 0;
ecc_cleanup:
ecc_scalar_zclear(&priv);
ecc_point_clear(&pub);
}
break;
default:
ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
}
return ret;
}
/* To generate a DH key either q must be set in the params or
* level should be set to the number of required bits.
*/
static int
wrap_nettle_pk_generate_keys(gnutls_pk_algorithm_t algo,
unsigned int level /*bits */ ,
gnutls_pk_params_st * params)
{
int ret;
unsigned int i;
switch (algo) {
case GNUTLS_PK_DSA:
#ifdef ENABLE_FIPS140
{
struct dsa_public_key pub;
struct dsa_private_key priv;
if (params->params[DSA_Q] == NULL)
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
_dsa_params_to_pubkey(params, &pub);
dsa_private_key_init(&priv);
mpz_init(pub.y);
ret =
dsa_generate_dss_keypair(&pub, &priv,
NULL, rnd_func,
NULL, NULL);
if (ret != 1) {
gnutls_assert();
ret = GNUTLS_E_PK_GENERATION_ERROR;
goto dsa_fail;
}
ret = _gnutls_mpi_init_multi(¶ms->params[DSA_Y], ¶ms->params[DSA_X], NULL);
if (ret < 0) {
gnutls_assert();
goto dsa_fail;
}
mpz_set(TOMPZ(params->params[DSA_Y]), pub.y);
mpz_set(TOMPZ(params->params[DSA_X]), priv.x);
params->params_nr += 2;
dsa_fail:
dsa_private_key_clear(&priv);
mpz_clear(pub.y);
if (ret < 0)
goto fail;
break;
}
#endif
case GNUTLS_PK_DH:
{
struct dsa_public_key pub;
mpz_t r;
mpz_t x, y;
int max_tries;
unsigned have_q = 0;
if (algo != params->algo)
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
_dsa_params_to_pubkey(params, &pub);
if (params->params[DSA_Q] != NULL)
have_q = 1;
/* This check is for the case !ENABLE_FIPS140 */
if (algo == GNUTLS_PK_DSA && have_q == 0)
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
mpz_init(r);
mpz_init(x);
mpz_init(y);
max_tries = 3;
do {
if (have_q) {
mpz_set(r, pub.q);
mpz_sub_ui(r, r, 2);
nettle_mpz_random(x, NULL, rnd_func, r);
mpz_add_ui(x, x, 1);
} else {
unsigned size = mpz_sizeinbase(pub.p, 2);
if (level == 0)
level = MIN(size, DH_EXPONENT_SIZE(size));
nettle_mpz_random_size(x, NULL, rnd_func, level);
if (level >= size)
mpz_mod(x, x, pub.p);
}
mpz_powm(y, pub.g, x, pub.p);
max_tries--;
if (max_tries <= 0) {
gnutls_assert();
ret = GNUTLS_E_RANDOM_FAILED;
goto dh_fail;
}
} while(mpz_cmp_ui(y, 1) == 0);
ret = _gnutls_mpi_init_multi(¶ms->params[DSA_Y], ¶ms->params[DSA_X], NULL);
if (ret < 0) {
gnutls_assert();
goto dh_fail;
}
mpz_set(TOMPZ(params->params[DSA_Y]), y);
mpz_set(TOMPZ(params->params[DSA_X]), x);
params->params_nr += 2;
ret = 0;
dh_fail:
mpz_clear(r);
mpz_clear(x);
mpz_clear(y);
if (ret < 0)
goto fail;
break;
}
case GNUTLS_PK_RSA:
{
struct rsa_public_key pub;
struct rsa_private_key priv;
rsa_public_key_init(&pub);
rsa_private_key_init(&priv);
mpz_set_ui(pub.e, 65537);
#ifdef ENABLE_FIPS140
ret =
rsa_generate_fips186_4_keypair(&pub, &priv, NULL,
rnd_func, NULL, NULL,
level);
#else
ret =
rsa_generate_keypair(&pub, &priv, NULL,
rnd_func, NULL, NULL,
level, 0);
#endif
if (ret != 1) {
gnutls_assert();
ret = GNUTLS_E_PK_GENERATION_ERROR;
goto rsa_fail;
}
params->params_nr = 0;
for (i = 0; i < RSA_PRIVATE_PARAMS; i++) {
ret = _gnutls_mpi_init(¶ms->params[i]);
if (ret < 0) {
gnutls_assert();
goto rsa_fail;
}
params->params_nr++;
}
mpz_set(TOMPZ(params->params[0]), pub.n);
mpz_set(TOMPZ(params->params[1]), pub.e);
mpz_set(TOMPZ(params->params[2]), priv.d);
mpz_set(TOMPZ(params->params[3]), priv.p);
mpz_set(TOMPZ(params->params[4]), priv.q);
mpz_set(TOMPZ(params->params[5]), priv.c);
mpz_set(TOMPZ(params->params[6]), priv.a);
mpz_set(TOMPZ(params->params[7]), priv.b);
ret = 0;
rsa_fail:
rsa_private_key_clear(&priv);
rsa_public_key_clear(&pub);
if (ret < 0)
goto fail;
break;
}
case GNUTLS_PK_EC:
{
struct ecc_scalar key;
struct ecc_point pub;
const struct ecc_curve *curve;
curve = get_supported_curve(level);
if (curve == NULL)
return
gnutls_assert_val
(GNUTLS_E_ECC_UNSUPPORTED_CURVE);
ecc_scalar_init(&key, curve);
ecc_point_init(&pub, curve);
ecdsa_generate_keypair(&pub, &key, NULL, rnd_func);
ret = _gnutls_mpi_init_multi(¶ms->params[ECC_X], ¶ms->params[ECC_Y],
¶ms->params[ECC_K], NULL);
if (ret < 0) {
gnutls_assert();
goto ecc_fail;
}
params->flags = level;
params->params_nr = ECC_PRIVATE_PARAMS;
ecc_point_get(&pub, TOMPZ(params->params[ECC_X]),
TOMPZ(params->params[ECC_Y]));
ecc_scalar_get(&key, TOMPZ(params->params[ECC_K]));
ret = 0;
ecc_fail:
ecc_point_clear(&pub);
ecc_scalar_clear(&key);
if (ret < 0)
goto fail;
break;
}
default:
gnutls_assert();
return GNUTLS_E_INVALID_REQUEST;
}
FAIL_IF_LIB_ERROR;
return 0;
fail:
for (i = 0; i < params->params_nr; i++) {
_gnutls_mpi_release(¶ms->params[i]);
}
params->params_nr = 0;
FAIL_IF_LIB_ERROR;
return ret;
}
