/* return RSA(random) using the peers public key
*/
int
_gnutls_gen_rsa_client_kx(gnutls_session_t session,
gnutls_buffer_st * data)
{
cert_auth_info_t auth = session->key.auth_info;
gnutls_datum_t sdata; /* data to send */
gnutls_pk_params_st params;
int ret;
if (auth == NULL) {
/* this shouldn't have happened. The proc_certificate
* function should have detected that.
*/
gnutls_assert();
return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
}
session->key.key.size = GNUTLS_MASTER_SIZE;
session->key.key.data = gnutls_malloc(session->key.key.size);
if (session->key.key.data == NULL) {
gnutls_assert();
return GNUTLS_E_MEMORY_ERROR;
}
ret = _gnutls_rnd(GNUTLS_RND_RANDOM, session->key.key.data,
session->key.key.size);
if (ret < 0) {
gnutls_assert();
return ret;
}
if (session->internals.rsa_pms_version[0] == 0) {
session->key.key.data[0] =
_gnutls_get_adv_version_major(session);
session->key.key.data[1] =
_gnutls_get_adv_version_minor(session);
} else { /* use the version provided */
session->key.key.data[0] =
session->internals.rsa_pms_version[0];
session->key.key.data[1] =
session->internals.rsa_pms_version[1];
}
/* move RSA parameters to key (session).
*/
if ((ret = _gnutls_get_public_rsa_params(session, ¶ms)) < 0) {
gnutls_assert();
return ret;
}
ret =
_gnutls_pk_encrypt(GNUTLS_PK_RSA, &sdata, &session->key.key,
¶ms);
gnutls_pk_params_release(¶ms);
if (ret < 0)
return gnutls_assert_val(ret);
if (get_num_version(session) == GNUTLS_SSL3) {
/* SSL 3.0 */
_gnutls_buffer_replace_data(data, &sdata);
return data->length;
} else { /* TLS 1 */
ret =
_gnutls_buffer_append_data_prefix(data, 16, sdata.data,
sdata.size);
_gnutls_free_datum(&sdata);
return ret;
}
}
static int
proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
size_t _data_size)
{
gnutls_datum_t plaintext;
gnutls_datum_t ciphertext;
int ret, dsize;
int use_rnd_key = 0;
ssize_t data_size = _data_size;
gnutls_datum_t rndkey = {NULL, 0};
if (get_num_version(session) == GNUTLS_SSL3) {
/* SSL 3.0
*/
ciphertext.data = data;
ciphertext.size = data_size;
} else {
/* TLS 1.0
*/
DECR_LEN(data_size, 2);
ciphertext.data = &data[2];
dsize = _gnutls_read_uint16(data);
if (dsize != data_size) {
gnutls_assert();
return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
}
ciphertext.size = dsize;
}
rndkey.size = GNUTLS_MASTER_SIZE;
rndkey.data = gnutls_malloc(rndkey.size);
if (rndkey.data == NULL) {
gnutls_assert();
return GNUTLS_E_MEMORY_ERROR;
}
/* we do not need strong random numbers here.
*/
ret = _gnutls_rnd(GNUTLS_RND_NONCE, rndkey.data,
rndkey.size);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
ret =
gnutls_privkey_decrypt_data(session->internals.selected_key, 0,
&ciphertext, &plaintext);
if (ret < 0 || plaintext.size != GNUTLS_MASTER_SIZE) {
/* In case decryption fails then don't inform
* the peer. Just use a random key. (in order to avoid
* attack against pkcs-1 formating).
*/
_gnutls_debug_log("auth_rsa: Possible PKCS #1 format attack\n");
use_rnd_key = 1;
} else {
/* If the secret was properly formatted, then
* check the version number.
*/
if (_gnutls_get_adv_version_major(session) !=
plaintext.data[0]
|| (session->internals.priorities.allow_wrong_pms == 0
&& _gnutls_get_adv_version_minor(session) !=
plaintext.data[1])) {
/* No error is returned here, if the version number check
* fails. We proceed normally.
* That is to defend against the attack described in the paper
* "Attacking RSA-based sessions in SSL/TLS" by Vlastimil Klima,
* Ondej Pokorny and Tomas Rosa.
*/
_gnutls_debug_log("auth_rsa: Possible PKCS #1 version check format attack\n");
}
}
if (use_rnd_key != 0) {
session->key.key.data = rndkey.data;
session->key.key.size = rndkey.size;
rndkey.data = NULL;
} else {
session->key.key.data = plaintext.data;
session->key.key.size = plaintext.size;
}
/* This is here to avoid the version check attack
* discussed above.
*/
session->key.key.data[0] = _gnutls_get_adv_version_major(session);
session->key.key.data[1] = _gnutls_get_adv_version_minor(session);
ret = 0;
cleanup:
gnutls_free(rndkey.data);
return ret;
}
/* Generate client key exchange message
*
*
* struct {
* select (KeyExchangeAlgorithm) {
* uint8_t psk_identity<0..2^16-1>;
* EncryptedPreMasterSecret;
* } exchange_keys;
* } ClientKeyExchange;
*/
static int
_gnutls_gen_rsa_psk_client_kx(gnutls_session_t session,
gnutls_buffer_st * data)
{
cert_auth_info_t auth = session->key.auth_info;
gnutls_datum_t sdata; /* data to send */
gnutls_pk_params_st params;
gnutls_psk_client_credentials_t cred;
gnutls_datum_t username, key;
int ret, free;
unsigned init_pos;
if (auth == NULL) {
/* this shouldn't have happened. The proc_certificate
* function should have detected that.
*/
gnutls_assert();
return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
}
gnutls_datum_t premaster_secret;
premaster_secret.size = GNUTLS_MASTER_SIZE;
premaster_secret.data =
gnutls_malloc(premaster_secret.size);
if (premaster_secret.data == NULL) {
gnutls_assert();
return GNUTLS_E_MEMORY_ERROR;
}
/* Generate random */
ret = gnutls_rnd(GNUTLS_RND_RANDOM, premaster_secret.data,
premaster_secret.size);
if (ret < 0) {
gnutls_assert();
return ret;
}
/* Set version */
if (session->internals.rsa_pms_version[0] == 0) {
premaster_secret.data[0] =
_gnutls_get_adv_version_major(session);
premaster_secret.data[1] =
_gnutls_get_adv_version_minor(session);
} else { /* use the version provided */
premaster_secret.data[0] =
session->internals.rsa_pms_version[0];
premaster_secret.data[1] =
session->internals.rsa_pms_version[1];
}
/* move RSA parameters to key (session).
*/
if ((ret = _gnutls_get_public_rsa_params(session, ¶ms)) < 0) {
gnutls_assert();
return ret;
}
/* Encrypt premaster secret */
if ((ret =
_gnutls_pk_encrypt(GNUTLS_PK_RSA, &sdata, &premaster_secret,
¶ms)) < 0) {
gnutls_assert();
return ret;
}
gnutls_pk_params_release(¶ms);
cred = (gnutls_psk_client_credentials_t)
_gnutls_get_cred(session, GNUTLS_CRD_PSK);
if (cred == NULL) {
gnutls_assert();
return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
}
ret = _gnutls_find_psk_key(session, cred, &username, &key, &free);
if (ret < 0)
return gnutls_assert_val(ret);
/* Here we set the PSK key */
ret = set_rsa_psk_session_key(session, &key, &premaster_secret);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
/* Create message for client key exchange
*
* struct {
* uint8_t psk_identity<0..2^16-1>;
* EncryptedPreMasterSecret;
* }
*/
init_pos = data->length;
/* Write psk_identity and EncryptedPreMasterSecret into data stream
*/
ret =
_gnutls_buffer_append_data_prefix(data, 16,
username.data,
username.size);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
ret =
_gnutls_buffer_append_data_prefix(data, 16, sdata.data,
sdata.size);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
ret = data->length - init_pos;
cleanup:
_gnutls_free_datum(&sdata);
_gnutls_free_temp_key_datum(&premaster_secret);
if (free) {
_gnutls_free_temp_key_datum(&key);
gnutls_free(username.data);
}
return ret;
}
/*
Process the client key exchange message
*/
static int
_gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
size_t _data_size)
{
gnutls_datum_t username;
psk_auth_info_t info;
gnutls_datum_t plaintext;
gnutls_datum_t ciphertext;
gnutls_datum_t pwd_psk = { NULL, 0 };
int ret, dsize;
int randomize_key = 0;
ssize_t data_size = _data_size;
gnutls_psk_server_credentials_t cred;
gnutls_datum_t premaster_secret = { NULL, 0 };
cred = (gnutls_psk_server_credentials_t)
_gnutls_get_cred(session, GNUTLS_CRD_PSK);
if (cred == NULL) {
gnutls_assert();
return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
}
ret = _gnutls_auth_info_init(session, GNUTLS_CRD_PSK,
sizeof(psk_auth_info_st), 1);
if (ret < 0) {
gnutls_assert();
return ret;
}
/*** 1. Extract user psk_identity ***/
DECR_LEN(data_size, 2);
username.size = _gnutls_read_uint16(&data[0]);
DECR_LEN(data_size, username.size);
username.data = &data[2];
/* copy the username to the auth info structures
*/
info = _gnutls_get_auth_info(session, GNUTLS_CRD_PSK);
if (info == NULL) {
gnutls_assert();
return GNUTLS_E_INTERNAL_ERROR;
}
if (username.size > MAX_USERNAME_SIZE) {
gnutls_assert();
return GNUTLS_E_ILLEGAL_SRP_USERNAME;
}
memcpy(info->username, username.data, username.size);
info->username[username.size] = 0;
/* Adjust data so it points to EncryptedPreMasterSecret */
data += username.size + 2;
/*** 2. Decrypt and extract EncryptedPreMasterSecret ***/
DECR_LEN(data_size, 2);
ciphertext.data = &data[2];
dsize = _gnutls_read_uint16(data);
if (dsize != data_size) {
gnutls_assert();
return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
}
ciphertext.size = dsize;
ret =
gnutls_privkey_decrypt_data(session->internals.selected_key, 0,
&ciphertext, &plaintext);
if (ret < 0 || plaintext.size != GNUTLS_MASTER_SIZE) {
/* In case decryption fails then don't inform
* the peer. Just use a random key. (in order to avoid
* attack against pkcs-1 formatting).
*/
gnutls_assert();
_gnutls_debug_log
("auth_rsa_psk: Possible PKCS #1 format attack\n");
if (ret >= 0) {
gnutls_free(plaintext.data);
}
randomize_key = 1;
} else {
/* If the secret was properly formatted, then
* check the version number.
*/
if (_gnutls_get_adv_version_major(session) !=
plaintext.data[0]
|| (session->internals.allow_wrong_pms == 0
&& _gnutls_get_adv_version_minor(session) !=
plaintext.data[1])) {
/* No error is returned here, if the version number check
* fails. We proceed normally.
* That is to defend against the attack described in the paper
* "Attacking RSA-based sessions in SSL/TLS" by Vlastimil Klima,
* Ondej Pokorny and Tomas Rosa.
*/
gnutls_assert();
_gnutls_debug_log
("auth_rsa: Possible PKCS #1 version check format attack\n");
}
}
if (randomize_key != 0) {
premaster_secret.size = GNUTLS_MASTER_SIZE;
premaster_secret.data =
gnutls_malloc(premaster_secret.size);
if (premaster_secret.data == NULL) {
gnutls_assert();
return GNUTLS_E_MEMORY_ERROR;
}
/* we do not need strong random numbers here.
*/
ret = gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data,
premaster_secret.size);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
} else {
premaster_secret.data = plaintext.data;
premaster_secret.size = plaintext.size;
}
/* This is here to avoid the version check attack
* discussed above.
*/
premaster_secret.data[0] = _gnutls_get_adv_version_major(session);
premaster_secret.data[1] = _gnutls_get_adv_version_minor(session);
/* find the key of this username
*/
ret =
_gnutls_psk_pwd_find_entry(session, info->username, &pwd_psk);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
ret =
set_rsa_psk_session_key(session, &pwd_psk, &premaster_secret);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
ret = 0;
cleanup:
_gnutls_free_key_datum(&pwd_psk);
_gnutls_free_temp_key_datum(&premaster_secret);
return ret;
}
int
proc_rsa_export_client_kx (gnutls_session_t session, opaque * data,
size_t _data_size)
{
gnutls_datum_t plaintext;
gnutls_datum_t ciphertext;
int ret, dsize;
bigint_t *params;
int params_len;
int randomize_key = 0;
ssize_t data_size = _data_size;
if (gnutls_protocol_get_version (session) == GNUTLS_SSL3)
{
/* SSL 3.0
*/
ciphertext.data = data;
ciphertext.size = data_size;
}
else
{
/* TLS 1.0
*/
DECR_LEN (data_size, 2);
ciphertext.data = &data[2];
dsize = _gnutls_read_uint16 (data);
if (dsize != data_size)
{
gnutls_assert ();
return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
}
ciphertext.size = dsize;
}
ret = _gnutls_get_private_rsa_params (session, ¶ms, ¶ms_len);
if (ret < 0)
{
gnutls_assert ();
return ret;
}
ret = _gnutls_pkcs1_rsa_decrypt (&plaintext, &ciphertext, params, params_len, 2); /* btype==2 */
if (ret < 0 || plaintext.size != GNUTLS_MASTER_SIZE)
{
/* In case decryption fails then don't inform
* the peer. Just use a random key. (in order to avoid
* attack against pkcs-1 formating).
*/
gnutls_assert ();
_gnutls_audit_log ("auth_rsa: Possible PKCS #1 format attack\n");
randomize_key = 1;
}
else
{
/* If the secret was properly formatted, then
* check the version number.
*/
if (_gnutls_get_adv_version_major (session) != plaintext.data[0]
|| _gnutls_get_adv_version_minor (session) != plaintext.data[1])
{
/* No error is returned here, if the version number check
* fails. We proceed normally.
* That is to defend against the attack described in the paper
* "Attacking RSA-based sessions in SSL/TLS" by Vlastimil Klima,
* Ondej Pokorny and Tomas Rosa.
*/
gnutls_assert ();
_gnutls_audit_log
("auth_rsa: Possible PKCS #1 version check format attack\n");
}
}
if (randomize_key != 0)
{
session->key->key.size = GNUTLS_MASTER_SIZE;
session->key->key.data = gnutls_malloc (session->key->key.size);
if (session->key->key.data == NULL)
{
gnutls_assert ();
return GNUTLS_E_MEMORY_ERROR;
}
/* we do not need strong random numbers here.
*/
ret = _gnutls_rnd (GNUTLS_RND_NONCE, session->key->key.data,
session->key->key.size);
if (ret < 0)
{
gnutls_assert ();
return ret;
}
}
else
{
session->key->key.data = plaintext.data;
session->key->key.size = plaintext.size;
}
/* This is here to avoid the version check attack
* discussed above.
*/
session->key->key.data[0] = _gnutls_get_adv_version_major (session);
session->key->key.data[1] = _gnutls_get_adv_version_minor (session);
return 0;
}
