/* Allocate and generate keys */
void
init_rsa_array(struct rsa_public_key **pub,struct rsa_private_key **priv)
{
int i = 0;
struct yarrow256_ctx yarrow;
const char *random_name = NULL;
for(i=0; i < aspathlen; i++) {
yarrow256_init(&yarrow, 0, NULL);
/* Read some data to seed the generator */
if (!test_simple_random(&yarrow, random_name)) {
die("init_rsa_array :: Initialization of randomness generator failed.\n");
}
pub[i] = (struct rsa_public_key * ) malloc (sizeof(struct rsa_public_key));
priv[i] = (struct rsa_private_key *) malloc (sizeof(struct rsa_private_key));
if(!priv[i] || !pub[i])
die("init_rsa_array :: i = %d %s\n",strerror(errno));
rsa_public_key_init(pub[i]);
rsa_private_key_init(priv[i]);
if (!rsa_generate_keypair (pub[i], priv[i],
(void *) &yarrow, (nettle_random_func *) yarrow256_random,
NULL, progress,KEYSIZE, ESIZE)) {
die("Key generation failed.\n");
}
}
return ;
}
/**
\ingroup HighLevel_KeyGenerate
\brief Creates a self-signed RSA keypair
\param numbits Modulus size
\param e Public Exponent
\param userid User ID
\return The new keypair or NULL
\note It is the caller's responsibility to call __ops_keydata_free(keydata)
\sa rsa_generate_keypair()
\sa __ops_keydata_free()
*/
__ops_key_t *
__ops_rsa_new_selfsign_key(const int numbits,
const unsigned long e,
uint8_t *userid,
const char *hashalg,
const char *cipher)
{
__ops_key_t *keydata;
keydata = __ops_keydata_new();
if (!rsa_generate_keypair(keydata, numbits, e, hashalg, cipher) ||
!__ops_add_selfsigned_userid(keydata, userid)) {
__ops_keydata_free(keydata);
return NULL;
}
return keydata;
}
int main(int argc, char *argv[])
{
// seed RNG (in a shitty way)
// !!proper seeding needed here!!
unsigned int rseed = time(NULL);
void *buf = &rseed;
RAND_seed(buf, 9);
/** Set 6 Challenge 41 **/
/** RSA unpadded msg oracle attack **/
rsa_unpadded_msg_oracle_attack_test();
/** Set 6 Challenge 42 **/
/** Bleichenbacher e=3 RSA attack **/
rsa_simple_pad_test();
rsa_key_t pik, puk;
unsigned int sign_len;
unsigned char *sign;
unsigned char *sign_hex;
pik.e = BN_new();
pik.n = BN_new();
puk.e = BN_new();
puk.n = BN_new();
rsa_generate_keypair(&puk, &pik, 512);
sign_len = rsa_sign(&sign, "hi mom", 6, &pik);
hex_encode(&sign_hex, sign, sign_len);
printf("[s6c2] RSA signature (%d bits): %s\n", sign_len*8, sign_hex);
if(rsa_sign_verify("hi mom", 6, sign, sign_len, &puk)) {
printf("[s6c2] RSA signature successfully verified!\n");
} else {
printf("[s6c2] RSA signature *NOT* verified!\n");
}
free(sign_hex);
unsigned char *forged_sign = NULL;
unsigned int forged_sign_len = 0;
forged_sign_len = rsa_sign_forge(&forged_sign, "hi mom", 6, &puk);
sign_len = hex_encode(&sign_hex, forged_sign, forged_sign_len);
printf("[s6c2] Forged RSA signature (%d bits): %s\n", sign_len*8, sign_hex);
if(rsa_sign_verify("hi mom", 6, forged_sign, forged_sign_len, &puk)) {
printf("[s6c2] Forged RSA signature successfully verified!\n");
} else {
printf("[s6c2] Forged RSA signature *NOT* verified!\n");
}
free(forged_sign);
free(sign_hex);
free(sign);
/** Set 6 Challenge 43 **/
/** DSA key recovery from nonce **/
unsigned char sha1sum[41];
unsigned char *test_msg = "For those that envy a MC it can be hazardous to your health\n\
So be friendly, a matter of life and death, just like a etch-a-sketch\n";
hash_sha1(sha1sum, test_msg, strlen(test_msg));
printf("[s6c3] sha1() = %s\n", sha1sum);
dsa_key_t dsa_puk;
dsa_key_t dsa_pik;
dsa_signature_t dsa_sign;
dsa_puk.g = BN_new();
dsa_puk.p = BN_new();
dsa_puk.q = BN_new();
dsa_puk.xy = BN_new();
dsa_pik.g = BN_new();
dsa_pik.p = BN_new();
dsa_pik.q = BN_new();
dsa_pik.xy = BN_new();
dsa_sign.r = BN_new();
dsa_sign.s = BN_new();
dsa_generate_keypair(&dsa_puk, &dsa_pik, 256);
dsa_sha1_sign(&dsa_sign, test_msg, strlen(test_msg), &dsa_pik);
if(dsa_sha1_sign_verify(test_msg, strlen(test_msg), &dsa_sign, &dsa_puk)) {
printf("[s6c3] DSA-SHA1 signature successfully verified!\n");
} else {
printf("[s6c3] DSA-SHA1 signature *NOT* verified!\n");
}
BN_hex2bn(&dsa_puk.xy, "84ad4719d044495496a3201c8ff484feb45b962e7302e56a392aee4\
bab3e4bdebf2955b4736012f21a08084056b19bcd7fee56048e004\
e44984e2f411788efdc837a0d2e5abb7b555039fd243ac01f0fb2ed\
1dec568280ce678e931868d23eb095fde9d3779191b8c0299d6e07b\
bb283e6633451e535c45513b2d33c99ea17");
BN_dec2bn(&dsa_sign.r, "548099063082341131477253921760299949438196259240");
BN_dec2bn(&dsa_sign.s, "857042759984254168557880549501802188789837994940");
// BN_print_fp(stdout, dsa_sign.s);
// printf("\n");
// BN_dec2bn(&dsa_puk.g, "60");
// BN_dec2bn(&dsa_puk.p, "283");
// BN_dec2bn(&dsa_puk.q, "47");
// BN_dec2bn(&dsa_puk.xy, "158");
//
// BN_dec2bn(&dsa_sign.r, "19");
// BN_dec2bn(&dsa_sign.s, "30");
if(dsa_calc_private_key_from_k_range(&dsa_pik, &dsa_sign, 65536, test_msg, strlen(test_msg), &dsa_puk)) {
unsigned char *dsa_pik_hex = BN_bn2hex(dsa_pik.xy);
unsigned int i;
// convert to lower case
for(i=0; i<strlen(dsa_pik_hex); i++) {
dsa_pik_hex[i] = tolower(dsa_pik_hex[i]);
}
printf("[s6c3] DSA private key: %s\n", dsa_pik_hex);
unsigned char dsa_pik_hex_sha1[SHA_DIGEST_LENGTH*2+1];
hash_sha1(dsa_pik_hex_sha1, dsa_pik_hex, strlen(dsa_pik_hex));
printf("[s6c3] SHA1(private key): %s\n", dsa_pik_hex_sha1);
OPENSSL_free(dsa_pik_hex);
} else {
printf("[s6c3] DSA private key *NOT* found!\n");
}
dsa_signature_free(&dsa_sign);
/** Set 6 Challenge 44 **/
/** DSA nonce recovery from **/
/** repeated nonce **/
dsa_signature_t sigs[11];
// input messages
unsigned char *msgs[] = {
"Listen for me, you better listen for me now. ",
"Listen for me, you better listen for me now. ",
"When me rockin' the microphone me rock on steady, ",
"Yes a Daddy me Snow me are de article dan. ",
"But in a in an' a out de dance em ",
"Aye say where you come from a, ",
"People em say ya come from Jamaica, ",
"But me born an' raised in the ghetto that I want yas to know, ",
"Pure black people mon is all I mon know. ",
"Yeah me shoes a an tear up an' now me toes is a show a ",
"Where me a born in are de one Toronto, so "
};
// signature r values for msgs
unsigned char *sig_r[] = {
"1105520928110492191417703162650245113664610474875",
"51241962016175933742870323080382366896234169532",
"228998983350752111397582948403934722619745721541",
"1099349585689717635654222811555852075108857446485",
"425320991325990345751346113277224109611205133736",
"486260321619055468276539425880393574698069264007",
"537050122560927032962561247064393639163940220795",
"826843595826780327326695197394862356805575316699",
"1105520928110492191417703162650245113664610474875",
"51241962016175933742870323080382366896234169532",
"228998983350752111397582948403934722619745721541"
};
// signature s values for msgs
unsigned char *sig_s[] = {
"1267396447369736888040262262183731677867615804316",
"29097472083055673620219739525237952924429516683",
"277954141006005142760672187124679727147013405915",
"1013310051748123261520038320957902085950122277350",
"203941148183364719753516612269608665183595279549",
"502033987625712840101435170279955665681605114553",
"1133410958677785175751131958546453870649059955513",
"559339368782867010304266546527989050544914568162",
"1021643638653719618255840562522049391608552714967",
"506591325247687166499867321330657300306462367256",
"458429062067186207052865988429747640462282138703"
};
unsigned int i, j;
int identical_nonce[11];
BIGNUM *k = BN_new();
// init
BN_hex2bn(&dsa_puk.xy, "2d026f4bf30195ede3a088da85e398ef869611d0f68f07\
13d51c9c1a3a26c95105d915e2d8cdf26d056b86b8a7b8\
5519b1c23cc3ecdc6062650462e3063bd179c2a6581519\
f674a61f1d89a1fff27171ebc1b93d4dc57bceb7ae2430\
f98a6a4d83d8279ee65d71c1203d2c96d65ebbf7cce9d3\
2971c3de5084cce04a2e147821");
for(i=0; i<11; i++) {
sigs[i].r = BN_new();
sigs[i].s = BN_new();
BN_dec2bn(&(sigs[i].r), sig_r[i]);
BN_dec2bn(&(sigs[i].s), sig_s[i]);
identical_nonce[i] = -1;
}
// build array containing info about reused nonces
for(i=0; i<10; i++) {
for(j=i+1; j<11; j++) {
if(!dsa_sign_nonce_cmp(&sigs[i], &sigs[j])) {
identical_nonce[i] = j;
break;
}
}
// printf("[s6c4] id[%02d] = %02d\n", i, identical_nonce[i]);
}
int success = 0;
for(i=0; i<11; i++) {
j = identical_nonce[i];
if(j >= 0) {
if((success=dsa_calc_private_key_from_reused_k(&dsa_pik, k, &sigs[i], &sigs[j], msgs[i], strlen(msgs[i]), msgs[j], strlen(msgs[j]), &dsa_puk))) {
break;
}
}
}
if(success) {
unsigned char *dsa_pik_hex = BN_bn2hex(dsa_pik.xy);
// convert to lower case
for(i=0; i<strlen(dsa_pik_hex); i++) {
dsa_pik_hex[i] = tolower(dsa_pik_hex[i]);
}
printf("[s6c4] k = ");
BN_print_fp(stdout, k);
printf("\n[s6c4] DSA private key: %s\n", dsa_pik_hex);
unsigned char dsa_pik_hex_sha1[SHA_DIGEST_LENGTH*2+1];
hash_sha1(dsa_pik_hex_sha1, dsa_pik_hex, strlen(dsa_pik_hex));
printf("[s6c4] SHA1(private key): %s\n", dsa_pik_hex_sha1);
OPENSSL_free(dsa_pik_hex);
} else {
printf("[s6c3] DSA private key *NOT* found!\n");
}
// free
for(i=0; i<11; i++) {
dsa_signature_free(&sigs[i]);
}
BN_free(k);
dsa_key_free(&dsa_puk);
dsa_key_free(&dsa_pik);
return 0;
}
static int
wrap_nettle_pk_generate_params (gnutls_pk_algorithm_t algo,
unsigned int level /*bits */ ,
gnutls_pk_params_st * params)
{
int ret;
unsigned int i, q_bits;
memset(params, 0, sizeof(*params));
switch (algo)
{
case GNUTLS_PK_DSA:
{
struct dsa_public_key pub;
struct dsa_private_key priv;
dsa_public_key_init (&pub);
dsa_private_key_init (&priv);
/* the best would be to use _gnutls_pk_bits_to_subgroup_bits()
* but we do NIST DSA here */
if (level <= 1024)
q_bits = 160;
else
q_bits = 256;
ret =
dsa_generate_keypair (&pub, &priv, NULL,
rnd_func, NULL, NULL, level, q_bits);
if (ret != 1)
{
gnutls_assert ();
ret = GNUTLS_E_INTERNAL_ERROR;
goto dsa_fail;
}
params->params_nr = 0;
for (i = 0; i < DSA_PRIVATE_PARAMS; i++)
{
params->params[i] = _gnutls_mpi_alloc_like (&pub.p);
if (params->params[i] == NULL)
{
ret = GNUTLS_E_MEMORY_ERROR;
goto dsa_fail;
}
params->params_nr++;
}
ret = 0;
_gnutls_mpi_set (params->params[0], pub.p);
_gnutls_mpi_set (params->params[1], pub.q);
_gnutls_mpi_set (params->params[2], pub.g);
_gnutls_mpi_set (params->params[3], pub.y);
_gnutls_mpi_set (params->params[4], priv.x);
dsa_fail:
dsa_private_key_clear (&priv);
dsa_public_key_clear (&pub);
if (ret < 0)
goto fail;
break;
}
case GNUTLS_PK_RSA:
{
struct rsa_public_key pub;
struct rsa_private_key priv;
rsa_public_key_init (&pub);
rsa_private_key_init (&priv);
_gnutls_mpi_set_ui (&pub.e, 65537);
ret =
rsa_generate_keypair (&pub, &priv, NULL,
rnd_func, NULL, NULL, level, 0);
if (ret != 1)
{
gnutls_assert ();
ret = GNUTLS_E_INTERNAL_ERROR;
goto rsa_fail;
}
params->params_nr = 0;
for (i = 0; i < RSA_PRIVATE_PARAMS; i++)
{
params->params[i] = _gnutls_mpi_alloc_like (&pub.n);
if (params->params[i] == NULL)
{
ret = GNUTLS_E_MEMORY_ERROR;
goto rsa_fail;
}
params->params_nr++;
}
ret = 0;
_gnutls_mpi_set (params->params[0], pub.n);
_gnutls_mpi_set (params->params[1], pub.e);
_gnutls_mpi_set (params->params[2], priv.d);
_gnutls_mpi_set (params->params[3], priv.p);
_gnutls_mpi_set (params->params[4], priv.q);
_gnutls_mpi_set (params->params[5], priv.c);
_gnutls_mpi_set (params->params[6], priv.a);
_gnutls_mpi_set (params->params[7], priv.b);
rsa_fail:
rsa_private_key_clear (&priv);
rsa_public_key_clear (&pub);
if (ret < 0)
goto fail;
break;
}
case GNUTLS_PK_EC:
{
ecc_key key;
ecc_set_type tls_ecc_set;
const gnutls_ecc_curve_entry_st *st;
st = _gnutls_ecc_curve_get_params(level);
if (st == NULL)
return gnutls_assert_val(GNUTLS_E_ECC_UNSUPPORTED_CURVE);
tls_ecc_set.size = st->size;
tls_ecc_set.prime = st->prime;
tls_ecc_set.order = st->order;
tls_ecc_set.Gx = st->Gx;
tls_ecc_set.Gy = st->Gy;
tls_ecc_set.A = st->A;
tls_ecc_set.B = st->B;
ret = ecc_make_key(NULL, rnd_func, &key, &tls_ecc_set, st->id);
if (ret != 0)
return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
params->params_nr = 0;
for (i = 0; i < ECC_PRIVATE_PARAMS; i++)
{
params->params[i] = _gnutls_mpi_alloc_like(&key.prime);
if (params->params[i] == NULL)
{
ret = GNUTLS_E_MEMORY_ERROR;
goto ecc_fail;
}
params->params_nr++;
}
params->flags = level;
mpz_set(TOMPZ(params->params[ECC_PRIME]), key.prime);
mpz_set(TOMPZ(params->params[ECC_ORDER]), key.order);
mpz_set(TOMPZ(params->params[ECC_A]), key.A);
mpz_set(TOMPZ(params->params[ECC_B]), key.B);
mpz_set(TOMPZ(params->params[ECC_GX]), key.Gx);
mpz_set(TOMPZ(params->params[ECC_GY]), key.Gy);
mpz_set(TOMPZ(params->params[ECC_X]), key.pubkey.x);
mpz_set(TOMPZ(params->params[ECC_Y]), key.pubkey.y);
mpz_set(TOMPZ(params->params[ECC_K]), key.k);
ecc_fail:
ecc_free(&key);
if (ret < 0)
goto fail;
break;
}
default:
gnutls_assert ();
return GNUTLS_E_INVALID_REQUEST;
}
return 0;
fail:
for (i = 0; i < params->params_nr; i++)
{
_gnutls_mpi_release (¶ms->params[i]);
}
params->params_nr = 0;
return ret;
}
static int
wrap_nettle_pk_generate_params(gnutls_pk_algorithm_t algo,
unsigned int level /*bits */ ,
gnutls_pk_params_st * params)
{
int ret;
unsigned int i, q_bits;
memset(params, 0, sizeof(*params));
switch (algo) {
case GNUTLS_PK_DSA:
{
struct dsa_public_key pub;
struct dsa_private_key priv;
dsa_public_key_init(&pub);
dsa_private_key_init(&priv);
/* the best would be to use _gnutls_pk_bits_to_subgroup_bits()
* but we do NIST DSA here */
if (level <= 1024)
q_bits = 160;
else
q_bits = 256;
ret =
dsa_generate_keypair(&pub, &priv, NULL,
rnd_func, NULL, NULL,
level, q_bits);
if (ret != 1) {
gnutls_assert();
ret = GNUTLS_E_INTERNAL_ERROR;
goto dsa_fail;
}
params->params_nr = 0;
for (i = 0; i < DSA_PRIVATE_PARAMS; i++) {
params->params[i] =
_gnutls_mpi_alloc_like(&pub.p);
if (params->params[i] == NULL) {
ret = GNUTLS_E_MEMORY_ERROR;
goto dsa_fail;
}
params->params_nr++;
}
ret = 0;
_gnutls_mpi_set(params->params[0], pub.p);
_gnutls_mpi_set(params->params[1], pub.q);
_gnutls_mpi_set(params->params[2], pub.g);
_gnutls_mpi_set(params->params[3], pub.y);
_gnutls_mpi_set(params->params[4], priv.x);
dsa_fail:
dsa_private_key_clear(&priv);
dsa_public_key_clear(&pub);
if (ret < 0)
goto fail;
break;
}
case GNUTLS_PK_RSA:
{
struct rsa_public_key pub;
struct rsa_private_key priv;
rsa_public_key_init(&pub);
rsa_private_key_init(&priv);
_gnutls_mpi_set_ui(&pub.e, 65537);
ret =
rsa_generate_keypair(&pub, &priv, NULL,
rnd_func, NULL, NULL,
level, 0);
if (ret != 1) {
gnutls_assert();
ret = GNUTLS_E_INTERNAL_ERROR;
goto rsa_fail;
}
params->params_nr = 0;
for (i = 0; i < RSA_PRIVATE_PARAMS; i++) {
params->params[i] =
_gnutls_mpi_alloc_like(&pub.n);
if (params->params[i] == NULL) {
ret = GNUTLS_E_MEMORY_ERROR;
goto rsa_fail;
}
params->params_nr++;
}
ret = 0;
_gnutls_mpi_set(params->params[0], pub.n);
_gnutls_mpi_set(params->params[1], pub.e);
_gnutls_mpi_set(params->params[2], priv.d);
_gnutls_mpi_set(params->params[3], priv.p);
_gnutls_mpi_set(params->params[4], priv.q);
_gnutls_mpi_set(params->params[5], priv.c);
_gnutls_mpi_set(params->params[6], priv.a);
_gnutls_mpi_set(params->params[7], priv.b);
rsa_fail:
rsa_private_key_clear(&priv);
rsa_public_key_clear(&pub);
if (ret < 0)
goto fail;
break;
}
case GNUTLS_PK_EC:
{
struct ecc_scalar key;
struct ecc_point pub;
const struct ecc_curve *curve;
curve = get_supported_curve(level);
if (curve == NULL)
return
gnutls_assert_val
(GNUTLS_E_ECC_UNSUPPORTED_CURVE);
ecc_scalar_init(&key, curve);
ecc_point_init(&pub, curve);
ecdsa_generate_keypair(&pub, &key, NULL, rnd_func);
params->params[ECC_X] = _gnutls_mpi_new(0);
params->params[ECC_Y] = _gnutls_mpi_new(0);
params->params[ECC_K] = _gnutls_mpi_new(0);
if (params->params[ECC_X] == NULL
|| params->params[ECC_Y] == NULL
|| params->params[ECC_K] == NULL) {
_gnutls_mpi_release(¶ms->
params[ECC_X]);
_gnutls_mpi_release(¶ms->
params[ECC_Y]);
_gnutls_mpi_release(¶ms->
params[ECC_K]);
goto ecc_cleanup;
}
params->flags = level;
params->params_nr = ECC_PRIVATE_PARAMS;
ecc_point_get(&pub, TOMPZ(params->params[ECC_X]),
TOMPZ(params->params[ECC_Y]));
ecc_scalar_get(&key, TOMPZ(params->params[ECC_K]));
ecc_cleanup:
ecc_point_clear(&pub);
ecc_scalar_clear(&key);
break;
}
default:
gnutls_assert();
return GNUTLS_E_INVALID_REQUEST;
}
return 0;
fail:
for (i = 0; i < params->params_nr; i++) {
_gnutls_mpi_release(¶ms->params[i]);
}
params->params_nr = 0;
return ret;
}
/* To generate a DH key either q must be set in the params or
* level should be set to the number of required bits.
*/
static int
wrap_nettle_pk_generate_keys(gnutls_pk_algorithm_t algo,
unsigned int level /*bits */ ,
gnutls_pk_params_st * params)
{
int ret;
unsigned int i;
switch (algo) {
case GNUTLS_PK_DSA:
#ifdef ENABLE_FIPS140
{
struct dsa_public_key pub;
struct dsa_private_key priv;
if (params->params[DSA_Q] == NULL)
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
_dsa_params_to_pubkey(params, &pub);
dsa_private_key_init(&priv);
mpz_init(pub.y);
ret =
dsa_generate_dss_keypair(&pub, &priv,
NULL, rnd_func,
NULL, NULL);
if (ret != 1) {
gnutls_assert();
ret = GNUTLS_E_PK_GENERATION_ERROR;
goto dsa_fail;
}
ret = _gnutls_mpi_init_multi(¶ms->params[DSA_Y], ¶ms->params[DSA_X], NULL);
if (ret < 0) {
gnutls_assert();
goto dsa_fail;
}
mpz_set(TOMPZ(params->params[DSA_Y]), pub.y);
mpz_set(TOMPZ(params->params[DSA_X]), priv.x);
params->params_nr += 2;
dsa_fail:
dsa_private_key_clear(&priv);
mpz_clear(pub.y);
if (ret < 0)
goto fail;
break;
}
#endif
case GNUTLS_PK_DH:
{
struct dsa_public_key pub;
mpz_t r;
mpz_t x, y;
int max_tries;
unsigned have_q = 0;
if (algo != params->algo)
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
_dsa_params_to_pubkey(params, &pub);
if (params->params[DSA_Q] != NULL)
have_q = 1;
/* This check is for the case !ENABLE_FIPS140 */
if (algo == GNUTLS_PK_DSA && have_q == 0)
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
mpz_init(r);
mpz_init(x);
mpz_init(y);
max_tries = 3;
do {
if (have_q) {
mpz_set(r, pub.q);
mpz_sub_ui(r, r, 2);
nettle_mpz_random(x, NULL, rnd_func, r);
mpz_add_ui(x, x, 1);
} else {
unsigned size = mpz_sizeinbase(pub.p, 2);
if (level == 0)
level = MIN(size, DH_EXPONENT_SIZE(size));
nettle_mpz_random_size(x, NULL, rnd_func, level);
if (level >= size)
mpz_mod(x, x, pub.p);
}
mpz_powm(y, pub.g, x, pub.p);
max_tries--;
if (max_tries <= 0) {
gnutls_assert();
ret = GNUTLS_E_RANDOM_FAILED;
goto dh_fail;
}
} while(mpz_cmp_ui(y, 1) == 0);
ret = _gnutls_mpi_init_multi(¶ms->params[DSA_Y], ¶ms->params[DSA_X], NULL);
if (ret < 0) {
gnutls_assert();
goto dh_fail;
}
mpz_set(TOMPZ(params->params[DSA_Y]), y);
mpz_set(TOMPZ(params->params[DSA_X]), x);
params->params_nr += 2;
ret = 0;
dh_fail:
mpz_clear(r);
mpz_clear(x);
mpz_clear(y);
if (ret < 0)
goto fail;
break;
}
case GNUTLS_PK_RSA:
{
struct rsa_public_key pub;
struct rsa_private_key priv;
rsa_public_key_init(&pub);
rsa_private_key_init(&priv);
mpz_set_ui(pub.e, 65537);
#ifdef ENABLE_FIPS140
ret =
rsa_generate_fips186_4_keypair(&pub, &priv, NULL,
rnd_func, NULL, NULL,
level);
#else
ret =
rsa_generate_keypair(&pub, &priv, NULL,
rnd_func, NULL, NULL,
level, 0);
#endif
if (ret != 1) {
gnutls_assert();
ret = GNUTLS_E_PK_GENERATION_ERROR;
goto rsa_fail;
}
params->params_nr = 0;
for (i = 0; i < RSA_PRIVATE_PARAMS; i++) {
ret = _gnutls_mpi_init(¶ms->params[i]);
if (ret < 0) {
gnutls_assert();
goto rsa_fail;
}
params->params_nr++;
}
mpz_set(TOMPZ(params->params[0]), pub.n);
mpz_set(TOMPZ(params->params[1]), pub.e);
mpz_set(TOMPZ(params->params[2]), priv.d);
mpz_set(TOMPZ(params->params[3]), priv.p);
mpz_set(TOMPZ(params->params[4]), priv.q);
mpz_set(TOMPZ(params->params[5]), priv.c);
mpz_set(TOMPZ(params->params[6]), priv.a);
mpz_set(TOMPZ(params->params[7]), priv.b);
ret = 0;
rsa_fail:
rsa_private_key_clear(&priv);
rsa_public_key_clear(&pub);
if (ret < 0)
goto fail;
break;
}
case GNUTLS_PK_EC:
{
struct ecc_scalar key;
struct ecc_point pub;
const struct ecc_curve *curve;
curve = get_supported_curve(level);
if (curve == NULL)
return
gnutls_assert_val
(GNUTLS_E_ECC_UNSUPPORTED_CURVE);
ecc_scalar_init(&key, curve);
ecc_point_init(&pub, curve);
ecdsa_generate_keypair(&pub, &key, NULL, rnd_func);
ret = _gnutls_mpi_init_multi(¶ms->params[ECC_X], ¶ms->params[ECC_Y],
¶ms->params[ECC_K], NULL);
if (ret < 0) {
gnutls_assert();
goto ecc_fail;
}
params->flags = level;
params->params_nr = ECC_PRIVATE_PARAMS;
ecc_point_get(&pub, TOMPZ(params->params[ECC_X]),
TOMPZ(params->params[ECC_Y]));
ecc_scalar_get(&key, TOMPZ(params->params[ECC_K]));
ret = 0;
ecc_fail:
ecc_point_clear(&pub);
ecc_scalar_clear(&key);
if (ret < 0)
goto fail;
break;
}
default:
gnutls_assert();
return GNUTLS_E_INVALID_REQUEST;
}
FAIL_IF_LIB_ERROR;
return 0;
fail:
for (i = 0; i < params->params_nr; i++) {
_gnutls_mpi_release(¶ms->params[i]);
}
params->params_nr = 0;
FAIL_IF_LIB_ERROR;
return ret;
}
int main(int argc, char *argv[])
{
/** SET 5 CHALLENGE 33 **/
/** DH KEY EXCHANGE **/
// small int
unsigned long a, A, b, B, s1, s2;
srand(time(NULL));
dh_generate_keypair_smallint(&a, &A);
dh_generate_keypair_smallint(&b, &B);
s1 = dh_generate_session_key_smallint(a, B);
s2 = dh_generate_session_key_smallint(b, A);
printf("[s5c1] *smallint* a = %ld, A = %ld, b = %ld, B = %ld, s = %ld ?= %ld\n", a, A, b, B, s1, s2);
// bigint
BIGNUM *p, *g;
BIGNUM *ba, *bA, *bb, *bB, *bs1, *bs2;
g = BN_new();
p = BN_new();
ba = BN_new();
bA = BN_new();
bb = BN_new();
bB = BN_new();
bs1 = BN_new();
bs2 = BN_new();
unsigned char c_s1[20], c_s2[20];
unsigned int i;
dh_init(p, g);
dh_generate_keypair(ba, bA, g, p);
dh_generate_keypair(bb, bB, g, p);
dh_generate_session_key(c_s1, bs1, ba, bB, p);
dh_generate_session_key(c_s2, bs2, bb, bA, p);
printf("[s5c1] *bignum* s1 = '");
// BN_print_fp(stdout, &bs1);
for(i=0; i<20; i++)
printf("%02x", c_s1[i]);
printf("'\n[s5c1] *bignum* s2 = '");
// BN_print_fp(stdout, &bs2);
for(i=0; i<20; i++)
printf("%02x", c_s2[i]);
printf("'\n");
BN_free(ba);
BN_free(bA);
BN_free(bb);
BN_free(bB);
BN_free(bs1);
BN_free(bs2);
/** SET 5 CHALLENGE 34 **/
/** DH-KE FIXED KEY MITM **/
unsigned char c_p[1024];
unsigned char c_g[1024];
unsigned char c_A[1024];
unsigned char c_B[1024];
ba = BN_new();
bA = BN_new();
// M -> B: p, g, p
printf("[s5c2] M -> B: p, g, p\n");
dhke_initiate(c_p, c_g, c_A, ba, bA, p, g);
// M -> A: p
printf("[s5c2] M -> A: p\n");
// dhke_initiate_reply(c_B, c_p, c_g, c_A, c_s2);
dhke_initiate_reply(c_B, c_p, c_g, c_p, c_s2);
// A -> B: cmsg, iv
// dhke_initiate_finalize(c_s1, c_B, &ba, &p);
dhke_initiate_finalize(c_s1, c_p, ba, p);
printf("[s5c2] *bignum* s1 = '");
for(i=0; i<20; i++)
printf("%02x", c_s1[i]);
printf("'\n[s5c2] *bignum* s2 = '");
for(i=0; i<20; i++)
printf("%02x", c_s2[i]);
printf("'\n");
unsigned char *plain_in = "YELLOW SUBMARINE";
unsigned char p_out[128];
unsigned char c_out[128];
unsigned char iv[16];
unsigned int c_len, p_len;
c_len = dhke_session_send(c_out, iv, plain_in, 16, c_s1);
printf("[s5c2] A -> B: cmsg = '");
for(i=0; i<c_len; i++) {
printf("%02x", c_out[i]);
}
printf("', iv\n");
// perform attack as M
unsigned char m_out[128];
// M performs decryption
dhke_attack_zero_session_key(m_out, c_out, c_len, iv);
printf("[s5c2] M decrypts msg='%s'\n", m_out);
// B performs decryption
p_len = dhke_session_recv(p_out, c_out, c_len, c_s2, iv);
printf("[s5c2] B recvd: msg = '%s'\n", p_out);
BN_free(ba);
BN_free(bA);
/** SET 5 CHALLENGE 35 **/
/** DH-KE MALICIOUS G MITM **/
memset(c_g, 0, 1024);
memset(c_p, 0, 1024);
memset(c_A, 0, 1024);
memset(c_B, 0, 1024);
memset(c_out, 0, 128);
memset(m_out, 0, 128);
BIGNUM *bn1, *g2;
ba = BN_new();
bA = BN_new();
bn1 = BN_new();
g2 = BN_new();
// prepare malicious g'
// g' = 0; --> perform dhke_attack_zero_session_key()
// printf("[s5c3] M sets g' = 0\n");
// BN_zero(&g2);
// g' = p --> perform dhke_attack_zero_session_key()
// printf("[s5c3] M sets g' = p\n");
// BN_copy(&g2, &p);
// g' = p-1
printf("[s5c3] M sets and distributes g' = p-1\n");
BN_one(bn1);
BN_sub(g2, p, bn1);
// M -> B: p, g', A'
printf("[s5c3] A -> B: A'\n");
dhke_initiate(c_p, c_g, c_A, ba, bA, p, g2);
// M -> A: B'
printf("[s5c3] B -> A: B'\n");
dhke_initiate_reply(c_B, c_p, c_g, c_A, c_s2);
// A -> B: cmsg, iv
dhke_initiate_finalize(c_s1, c_B, ba, p);
c_len = dhke_session_send(c_out, iv, plain_in, 16, c_s1);
printf("[s5c3] A -> B: cmsg = '");
for(i=0; i<c_len; i++) {
printf("%02x", c_out[i]);
}
printf("', iv\n");
// M performs decryption
// use for: g' = 0, g' = p
// dhke_attack_zero_session_key(m_out, c_out, c_len, iv);
// use for g' = p-1
dhke_attack_p_1_session_key(m_out, c_out, c_len, c_A, c_B, iv);
printf("[s5c3] M decrypts msg='%s'\n", m_out);
// B performs decryption
p_len = dhke_session_recv(p_out, c_out, c_len, c_s2, iv);
printf("[s5c3] B recvd: msg = '%s'\n", p_out);
BN_free(ba);
BN_free(bA);
BN_free(bn1);
BN_free(g2);
/** SET 5 CHALLENGE 36 **/
/** SECURE REMOTE PASSWORD **/
unsigned char srp_salt[9];
unsigned char *srp_pass = "******"; // 16
unsigned char str_hash[2*SHA256_DIGEST_LENGTH+1];
unsigned char hmac_s[SHA256_DIGEST_LENGTH];
unsigned int hmac_s_len;
unsigned char hmac_c[SHA256_DIGEST_LENGTH];
unsigned int hmac_c_len;
BIGNUM *v, *sS, *cS;
v = BN_new();
ba = BN_new();
bA = BN_new();
bb = BN_new();
bB = BN_new();
cS = BN_new();
sS = BN_new();
memset(srp_salt, 0, 9);
srp_server_init(srp_salt, v, bb, bB, srp_pass, g, p);
srp_client_init(ba, bA, g, p);
// printf("server calc S\n");
srp_server_calc_session_key(str_hash, sS, bA, bb, bB, v, p);
// printf("[s5c4] server: sha256(S) = %s\n", str_hash);
// calc HMAC_SHA256(&cS, salt)
hmac_s_len = sha256_secret_prefix_mac(hmac_s, str_hash, strlen(str_hash), srp_salt, strlen(srp_salt));
memset(str_hash, 0, 2*SHA256_DIGEST_LENGTH+1);
srp_client_calc_session_key(str_hash, cS, srp_salt, srp_pass, ba, bA, bB, g, p);
// printf("[s5c4] client: sha256(S) = %s\n", str_hash);
// calc HMAC_SHA256(&cS, salt)
hmac_c_len = sha256_secret_prefix_mac(hmac_c, str_hash, strlen(str_hash), srp_salt, strlen(srp_salt));
printf("[s5c4] server: HMAC(K,Salt) = ");
for(i=0; i<hmac_s_len; i++) {
printf("%02x", hmac_s[i]);
}
printf("\n");
printf("[s5c4] client: HMAC(K,Salt) = ");
for(i=0; i<hmac_c_len; i++) {
printf("%02x", hmac_c[i]);
}
printf("\n");
if((hmac_s_len == hmac_c_len) && !strncmp(hmac_s, hmac_c, hmac_s_len))
printf("[s5c4] server: Client HMAC-SHA256 successfully validated!\n");
else
printf("[s5c4] server: Client HMAC-SHA256 *NOT* validated!\n");
BN_free(v);
BN_free(ba);
BN_free(bA);
BN_free(bb);
BN_free(bB);
BN_free(cS);
BN_free(sS);
/** SET 5 CHALLENGE 37 **/
/** SRP MALICIOUS A ATTACK **/
// we're skipping the networking part here and just call the simulator
// functions from srp.c
ba = BN_new();
bA = BN_new();
bb = BN_new();
bB = BN_new();
sS = BN_new();
cS = BN_new();
v = BN_new();
srp_server_init(srp_salt, v, bb, bB, srp_pass, g, p);
srp_client_init(ba, bA, g, p);
// now modify A (bA) to be 0, N, c*N
// BN_zero(bA); // A = 0
BN_copy(bA, p); // A = N (doesn't matter if we use N, 2*N, c*N)
// send to server and let server do its calculations
srp_server_calc_session_key(str_hash, sS, bA, bb, bB, v, p);
// printf("[s5c5] server: sha256(S=0) = %s\n", str_hash);
// calc HMAC_SHA256(&cS, salt)
hmac_s_len = sha256_secret_prefix_mac(hmac_s, str_hash, strlen(str_hash), srp_salt, strlen(srp_salt));
// client now authenticates with HMAC_SHA256(K=SHA256(S=0), salt)
// K=SHA256(S=0)
srp_generate_salted_password_hash(cS, str_hash, "", "0");
// printf("[s5c5] client: sha256(S=0) = %s\n", str_hash);
// calc HMAC_SHA256(K, salt)
hmac_c_len = sha256_secret_prefix_mac(hmac_c, str_hash, strlen(str_hash), srp_salt, strlen(srp_salt));
printf("[s5c5] server: HMAC(K,Salt) = ");
for(i=0; i<hmac_s_len; i++) {
printf("%02x", hmac_s[i]);
}
printf("\n");
printf("[s5c5] client: HMAC(K,Salt) = ");
for(i=0; i<hmac_c_len; i++) {
printf("%02x", hmac_c[i]);
}
printf("\n");
if((hmac_s_len == hmac_c_len) && !strncmp(hmac_s, hmac_c, hmac_s_len))
printf("[s5c5] server: forged client HMAC-SHA256 successfully validated!\n");
else
printf("[s5c5] server: forged client HMAC-SHA256 *NOT* validated!\n");
BN_free(ba);
BN_free(bA);
BN_free(bb);
BN_free(bB);
BN_free(sS);
BN_free(cS);
BN_free(v);
/** SET 5 CHALLENGE 38 **/
/** SSRP OFFLINE DICTIONARY ATTACK **/
BIGNUM *u, *fb, *fB;
u = BN_new();
v = BN_new();
ba = BN_new();
bA = BN_new();
bb = BN_new();
bB = BN_new();
cS = BN_new();
sS = BN_new();
fb = BN_new();
fB = BN_new();
memset(srp_salt, 0, 9*sizeof(unsigned char));
ssrp_server_init(srp_salt, v, bb, bB, u, srp_pass, g, p);
ssrp_client_init(ba, bA, g, p);
ssrp_server_calc_session_key(str_hash, sS, bA, bb, u, v, p);
// printf("[s5c6] server: sha256(S=0) = %s\n", str_hash);
// calc HMAC_SHA256(&cS, salt)
hmac_s_len = sha256_secret_prefix_mac(hmac_s, str_hash, strlen(str_hash), srp_salt, strlen(srp_salt));
memset(str_hash, 0, 2*SHA256_DIGEST_LENGTH);
// original settings transmitted to client
// ssrp_client_calc_session_key(str_hash, cS, srp_salt, srp_pass, ba, bB, u, p);
// forged settings transmitted to client:
// u = 1, b = 1, B=g=2, salt=""
BN_one(u);
BN_one(fb);
BN_copy(fB, g);
ssrp_client_calc_session_key(str_hash, cS, "", srp_pass, ba, fB, u, p);
// printf("[s5c6] client: sha256(S) = %s\n", str_hash);
// calc HMAC_SHA256(&cS, salt)
hmac_c_len = sha256_secret_prefix_mac(hmac_c, str_hash, strlen(str_hash), "", 0);
// printf("[s5c6] server: HMAC(K,Salt) = ");
// for(i=0; i<hmac_s_len; i++) {
// printf("%02x", hmac_s[i]);
// }
// printf("\n");
printf("[s5c6] client: HMAC(K,\"\") = ");
for(i=0; i<hmac_c_len; i++) {
printf("%02x", hmac_c[i]);
}
printf("\n");
// perform offline dictionary attack
char pass[1024];
if(ssrp_dictionary_attack(pass, hmac_c, "dict.txt", bA, g, p)>0)
printf("[s5c6] Password cracked: '%s'\n", pass);
else
printf("[s5c6] Password not cracked!\n");
// if((hmac_s_len == hmac_c_len) && !strncmp(hmac_s, hmac_c, hmac_s_len))
// printf("[s5c6] server: Client HMAC-SHA256 successfully validated!\n");
// else
// printf("[s5c6] server: Client HMAC-SHA256 *NOT* validated!\n");
dh_clear(p, g);
BN_free(p);
BN_free(g);
BN_free(ba);
BN_free(bA);
BN_free(bb);
BN_free(bB);
BN_free(u);
BN_free(v);
BN_free(cS);
BN_free(sS);
BN_free(fb);
BN_free(fB);
/** SET 5 CHALLENGE 39 **/
/** RSA **/
BIO *out = NULL;
out = BIO_new(BIO_s_file());
BIO_set_fp(out, stdout, BIO_NOCLOSE);
egcd_test();
inv_mod_test();
// Testing RSA core functions
rsa_key_t puk;
rsa_key_t pik;
puk.e = BN_new();
puk.n = BN_new();
pik.e = BN_new();
pik.n = BN_new();
BIGNUM *BN_plain = BN_new();
BIGNUM *BN_crypt = BN_new();
BN_hex2bn(&BN_plain, "31337");
printf("[s5c7] BN_plain = ");
BN_print(out, BN_plain);
rsa_generate_keypair(&puk, &pik, 128);
rsa_bn_encrypt(BN_crypt, BN_plain, &puk);
printf("\n[s5c7] BN_crypt = ");
BN_print(out, BN_crypt);
rsa_bn_decrypt(BN_plain, BN_crypt, &pik);
printf("\n[s5c7] BN_plain'= ");
BN_print(out, BN_plain);
printf("\n");
BN_free(BN_plain);
BN_free(BN_crypt);
// test RSA 'wrapper' funcs
unsigned char *rsa_plain_in = "Hello RSA World!";
unsigned char *rsa_crypt = NULL;
unsigned int rsa_crypt_len = 0;
unsigned char *rsa_plain_out = NULL;
unsigned int rsa_plain_len;
rsa_crypt_len = rsa_encrypt(&rsa_crypt, rsa_plain_in, 16, &puk);
rsa_plain_len = rsa_decrypt(&rsa_plain_out, rsa_crypt, rsa_crypt_len, &pik);
//rsa_plain_out[rsa_plain_len-1] = 0;
printf("[s5c7] Encrypting '%s' using RSA...\n[s5c7] RSA crypted: '", rsa_plain_in);
for(i=0; i<rsa_crypt_len; i++) {
printf("%02x", rsa_crypt[i]);
}
printf("'\n[s5c7] RSA decrypted: '%s'\n", rsa_plain_out);
free(rsa_crypt);
free(rsa_plain_out);
/** SET 5 CHALLENGE 40 **/
/** RSA E=3 BROADCAST ATTACK (CRT) **/
// test chinese remainder theorem impl.
crt_test();
// test n-th root impl.
nthroot_test();
// let's do "the real thing"
rsa_broadcast_attack_test();
BN_free(puk.e);
BN_free(puk.n);
BN_free(pik.e);
BN_free(pik.n);
BIO_free(out);
return 0;
}
