/* Checks if a%n==0,+1,-1%n which is a fatal srp error.
* Returns a proper error code in that case, and 0 when
* all are ok.
*/
inline static int check_param_mod_n(bigint_t a, bigint_t n, int is_a)
{
int ret, err = 0;
bigint_t r;
ret = _gnutls_mpi_init(&r);
if (ret < 0)
return gnutls_assert_val(ret);
ret = _gnutls_mpi_modm(r, a, n);
if (ret < 0) {
_gnutls_mpi_release(&r);
return gnutls_assert_val(ret);
}
ret = _gnutls_mpi_cmp_ui(r, 0);
if (ret == 0)
err = 1;
if (is_a != 0) {
ret = _gnutls_mpi_cmp_ui(r, 1);
if (ret == 0)
err = 1;
ret = _gnutls_mpi_add_ui(r, r, 1);
if (ret < 0) {
_gnutls_mpi_release(&r);
return gnutls_assert_val(ret);
}
ret = _gnutls_mpi_cmp(r, n);
if (ret == 0)
err = 1;
}
_gnutls_mpi_release(&r);
if (err != 0) {
gnutls_assert();
return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
}
return 0;
}
/* ID should be:
* 3 for MAC
* 2 for IV
* 1 for encryption key
*
* Note that this function produces different key for the
* NULL password, and for the password with zero length.
*/
int
_gnutls_pkcs12_string_to_key(const mac_entry_st * me,
unsigned int id, const uint8_t * salt,
unsigned int salt_size, unsigned int iter,
const char *pw, unsigned int req_keylen,
uint8_t * keybuf)
{
int rc;
unsigned int i, j;
digest_hd_st md;
bigint_t num_b1 = NULL, num_ij = NULL;
bigint_t mpi512 = NULL;
unsigned int pwlen;
uint8_t hash[MAX_HASH_SIZE], buf_b[64], buf_i[MAX_PASS_LEN * 2 + 64], *p;
uint8_t d[64];
size_t cur_keylen;
size_t n, m, p_size, i_size;
unsigned mac_len;
const uint8_t buf_512[] = /* 2^64 */
{ 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00
};
cur_keylen = 0;
if (pw == NULL)
pwlen = 0;
else
pwlen = strlen(pw);
if (pwlen > MAX_PASS_LEN) {
gnutls_assert();
return GNUTLS_E_INVALID_REQUEST;
}
if ((rc = _pkcs12_check_pass(pw, pwlen)) < 0) {
gnutls_assert();
return rc;
}
rc = _gnutls_mpi_init_scan(&mpi512, buf_512, sizeof(buf_512));
if (rc < 0) {
gnutls_assert();
return rc;
}
/* Store salt and password in BUF_I */
p_size = ((pwlen / 64) * 64) + 64;
if (p_size > sizeof(buf_i) - 64)
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
p = buf_i;
for (i = 0; i < 64; i++)
*p++ = salt[i % salt_size];
if (pw) {
for (i = j = 0; i < p_size; i += 2) {
*p++ = 0;
*p++ = pw[j];
if (++j > pwlen) /* Note, that we include the trailing (0) */
j = 0;
}
} else
memset(p, 0, p_size);
i_size = 64 + p_size;
mac_len = _gnutls_mac_get_algo_len(me);
for (;;) {
rc = _gnutls_hash_init(&md, me);
if (rc < 0) {
gnutls_assert();
goto cleanup;
}
memset(d, id & 0xff, 64);
_gnutls_hash(&md, d, 64);
_gnutls_hash(&md, buf_i, pw ? i_size : 64);
_gnutls_hash_deinit(&md, hash);
for (i = 1; i < iter; i++) {
rc = _gnutls_hash_fast(me->id, hash, mac_len,
hash);
if (rc < 0) {
gnutls_assert();
goto cleanup;
}
}
for (i = 0; i < mac_len && cur_keylen < req_keylen; i++)
keybuf[cur_keylen++] = hash[i];
if (cur_keylen == req_keylen) {
rc = 0; /* ready */
goto cleanup;
}
/* need more bytes. */
for (i = 0; i < 64; i++)
buf_b[i] = hash[i % mac_len];
n = 64;
rc = _gnutls_mpi_init_scan(&num_b1, buf_b, n);
if (rc < 0) {
gnutls_assert();
goto cleanup;
}
rc = _gnutls_mpi_add_ui(num_b1, num_b1, 1);
if (rc < 0) {
gnutls_assert();
goto cleanup;
}
for (i = 0; i < 128; i += 64) {
n = 64;
rc = _gnutls_mpi_init_scan(&num_ij, buf_i + i, n);
if (rc < 0) {
gnutls_assert();
goto cleanup;
}
rc = _gnutls_mpi_addm(num_ij, num_ij, num_b1, mpi512);
if (rc < 0) {
gnutls_assert();
goto cleanup;
}
n = 64;
#ifndef PKCS12_BROKEN_KEYGEN
m = (_gnutls_mpi_get_nbits(num_ij) + 7) / 8;
#else
m = n;
#endif
memset(buf_i + i, 0, n - m);
rc = _gnutls_mpi_print(num_ij, buf_i + i + n - m,
&n);
if (rc < 0) {
gnutls_assert();
goto cleanup;
}
_gnutls_mpi_release(&num_ij);
}
}
cleanup:
_gnutls_mpi_release(&num_ij);
_gnutls_mpi_release(&num_b1);
_gnutls_mpi_release(&mpi512);
return rc;
}
/* Check if N is a prime and G a generator of the
* group. This is check only done if N is big enough.
* Otherwise only the included parameters must be used.
*/
static int
group_check_g_n (mpi_t g, mpi_t n)
{
mpi_t q = NULL, two = NULL, w = NULL;
int ret;
if (_gnutls_mpi_get_nbits (n) < 2048)
{
gnutls_assert ();
return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
}
/* N must be of the form N=2q+1
* where q is also a prime.
*/
if (_gnutls_prime_check (n, 0) != 0)
{
_gnutls_dump_mpi ("no prime N: ", n);
gnutls_assert ();
return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
}
two = _gnutls_mpi_new (4);
if (two == NULL)
{
gnutls_assert ();
return GNUTLS_E_MEMORY_ERROR;
}
q = _gnutls_mpi_alloc_like (n);
if (q == NULL)
{
gnutls_assert ();
ret = GNUTLS_E_MEMORY_ERROR;
goto error;
}
/* q = n-1
*/
_gnutls_mpi_sub_ui (q, n, 1);
/* q = q/2, remember that q is divisible by 2 (prime - 1)
*/
_gnutls_mpi_set_ui (two, 2);
_gnutls_mpi_div (q, NULL, q, two, 0);
if (_gnutls_prime_check (q, 0) != 0)
{
/* N was not on the form N=2q+1, where q = prime
*/
_gnutls_dump_mpi ("no prime Q: ", q);
gnutls_assert ();
return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
}
/* We also check whether g is a generator,
*/
/* check if g < q < N
*/
if (_gnutls_mpi_cmp (g, q) >= 0)
{
gnutls_assert ();
ret = GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
goto error;
}
w = _gnutls_mpi_alloc_like (q);
if (w == NULL)
{
gnutls_assert ();
ret = GNUTLS_E_MEMORY_ERROR;
goto error;
}
/* check if g^q mod N == N-1
* w = g^q mod N
*/
_gnutls_mpi_powm (w, g, q, n);
/* w++
*/
_gnutls_mpi_add_ui (w, w, 1);
if (_gnutls_mpi_cmp (w, n) != 0)
{
gnutls_assert ();
ret = GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
goto error;
}
ret = 0;
error:
_gnutls_mpi_release (&q);
_gnutls_mpi_release (&two);
_gnutls_mpi_release (&w);
return ret;
}
/* Check if N is a prime and G a generator of the
* group. This check is only done if N is big enough.
* Otherwise only the included parameters must be used.
*/
static int
group_check_g_n(gnutls_session_t session, bigint_t g, bigint_t n)
{
bigint_t q = NULL, two = NULL, w = NULL;
int ret;
if (_gnutls_mpi_get_nbits(n) < (session->internals.srp_prime_bits
? session->internals.srp_prime_bits
: 2048)) {
gnutls_assert();
return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
}
/* N must be of the form N=2q+1
* where q is also a prime.
*/
if (_gnutls_prime_check(n) != 0) {
_gnutls_mpi_log("no prime N: ", n);
gnutls_assert();
return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
}
ret = _gnutls_mpi_init_multi(&two, &q, &w, NULL);
if (ret < 0) {
gnutls_assert();
return ret;
}
/* q = n-1
*/
ret = _gnutls_mpi_sub_ui(q, n, 1);
if (ret < 0) {
gnutls_assert();
goto error;
}
/* q = q/2, remember that q is divisible by 2 (prime - 1)
*/
ret = _gnutls_mpi_set_ui(two, 2);
if (ret < 0) {
gnutls_assert();
goto error;
}
ret = _gnutls_mpi_div(q, q, two);
if (ret < 0) {
gnutls_assert();
goto error;
}
if (_gnutls_prime_check(q) != 0) {
/* N was not on the form N=2q+1, where q = prime
*/
_gnutls_mpi_log("no prime Q: ", q);
gnutls_assert();
ret = GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
goto error;
}
/* We also check whether g is a generator,
*/
/* check if g < q < N
*/
if (_gnutls_mpi_cmp(g, q) >= 0) {
gnutls_assert();
ret = GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
goto error;
}
/* check if g^q mod N == N-1
* w = g^q mod N
*/
ret = _gnutls_mpi_powm(w, g, q, n);
if (ret < 0) {
gnutls_assert();
goto error;
}
/* w++
*/
ret = _gnutls_mpi_add_ui(w, w, 1);
if (ret < 0) {
gnutls_assert();
goto error;
}
if (_gnutls_mpi_cmp(w, n) != 0) {
gnutls_assert();
ret = GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
goto error;
}
ret = 0;
error:
_gnutls_mpi_release(&q);
_gnutls_mpi_release(&two);
_gnutls_mpi_release(&w);
return ret;
}
/* ID should be:
* 3 for MAC
* 2 for IV
* 1 for encryption key
*/
int
_gnutls_pkcs12_string_to_key (unsigned int id, const opaque * salt,
unsigned int salt_size, unsigned int iter,
const char *pw, unsigned int req_keylen,
opaque * keybuf)
{
int rc;
unsigned int i, j;
digest_hd_st md;
bigint_t num_b1 = NULL, num_ij = NULL;
bigint_t mpi512 = NULL;
unsigned int pwlen;
opaque hash[20], buf_b[64], buf_i[128], *p;
size_t cur_keylen;
size_t n;
const opaque buf_512[] = /* 2^64 */
{ 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};
cur_keylen = 0;
if (pw == NULL)
pwlen = 0;
else
pwlen = strlen (pw);
if (pwlen > 63 / 2)
{
gnutls_assert ();
return GNUTLS_E_INVALID_REQUEST;
}
if ((rc = _pkcs12_check_pass (pw, pwlen)) < 0)
{
gnutls_assert ();
return rc;
}
rc = _gnutls_mpi_scan (&mpi512, buf_512, sizeof (buf_512));
if (rc < 0)
{
gnutls_assert ();
return rc;
}
/* Store salt and password in BUF_I */
p = buf_i;
for (i = 0; i < 64; i++)
*p++ = salt[i % salt_size];
if (pw)
{
for (i = j = 0; i < 64; i += 2)
{
*p++ = 0;
*p++ = pw[j];
if (++j > pwlen) /* Note, that we include the trailing zero */
j = 0;
}
}
else
memset (p, 0, 64);
for (;;)
{
rc = _gnutls_hash_init (&md, GNUTLS_MAC_SHA1);
if (rc < 0)
{
gnutls_assert ();
goto cleanup;
}
for (i = 0; i < 64; i++)
{
unsigned char lid = id & 0xFF;
_gnutls_hash (&md, &lid, 1);
}
_gnutls_hash (&md, buf_i, pw ? 128 : 64);
_gnutls_hash_deinit (&md, hash);
for (i = 1; i < iter; i++)
{
rc = _gnutls_hash_init (&md, GNUTLS_MAC_SHA1);
if (rc < 0)
{
gnutls_assert ();
goto cleanup;
}
_gnutls_hash (&md, hash, 20);
_gnutls_hash_deinit (&md, hash);
}
for (i = 0; i < 20 && cur_keylen < req_keylen; i++)
keybuf[cur_keylen++] = hash[i];
if (cur_keylen == req_keylen)
{
rc = 0; /* ready */
goto cleanup;
}
/* need more bytes. */
for (i = 0; i < 64; i++)
buf_b[i] = hash[i % 20];
n = 64;
rc = _gnutls_mpi_scan (&num_b1, buf_b, n);
if (rc < 0)
{
gnutls_assert ();
goto cleanup;
}
_gnutls_mpi_add_ui (num_b1, num_b1, 1);
for (i = 0; i < 128; i += 64)
{
n = 64;
rc = _gnutls_mpi_scan (&num_ij, buf_i + i, n);
if (rc < 0)
{
gnutls_assert ();
goto cleanup;
}
_gnutls_mpi_addm (num_ij, num_ij, num_b1, mpi512);
n = 64;
rc = _gnutls_mpi_print (num_ij, buf_i + i, &n);
if (rc < 0)
{
gnutls_assert ();
goto cleanup;
}
_gnutls_mpi_release (&num_ij);
}
}
cleanup:
_gnutls_mpi_release (&num_ij);
_gnutls_mpi_release (&num_b1);
_gnutls_mpi_release (&mpi512);
return rc;
}
/* This is used for DH or ECDH key derivation. In DH for example
* it is given the peers Y and our x, and calculates Y^x
*/
static int _wrap_nettle_pk_derive(gnutls_pk_algorithm_t algo,
gnutls_datum_t * out,
const gnutls_pk_params_st * priv,
const gnutls_pk_params_st * pub)
{
int ret;
switch (algo) {
case GNUTLS_PK_DH: {
bigint_t f, x, prime;
bigint_t k = NULL, ff = NULL;
unsigned int bits;
f = pub->params[DH_Y];
x = priv->params[DH_X];
prime = priv->params[DH_P];
ret = _gnutls_mpi_init_multi(&k, &ff, NULL);
if (ret < 0)
return gnutls_assert_val(ret);
ret = _gnutls_mpi_modm(ff, f, prime);
if (ret < 0) {
gnutls_assert();
goto dh_cleanup;
}
ret = _gnutls_mpi_add_ui(ff, ff, 1);
if (ret < 0) {
gnutls_assert();
goto dh_cleanup;
}
/* check if f==0,1,p-1.
* or (ff=f+1) equivalently ff==1,2,p */
if ((_gnutls_mpi_cmp_ui(ff, 2) == 0)
|| (_gnutls_mpi_cmp_ui(ff, 1) == 0)
|| (_gnutls_mpi_cmp(ff, prime) == 0)) {
gnutls_assert();
ret = GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
goto dh_cleanup;
}
/* prevent denial of service */
bits = _gnutls_mpi_get_nbits(prime);
if (bits == 0 || bits > MAX_DH_BITS) {
gnutls_assert();
ret = GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
goto dh_cleanup;
}
ret = _gnutls_mpi_powm(k, f, x, prime);
if (ret < 0) {
gnutls_assert();
goto dh_cleanup;
}
ret = _gnutls_mpi_dprint(k, out);
if (ret < 0) {
gnutls_assert();
goto dh_cleanup;
}
ret = 0;
dh_cleanup:
_gnutls_mpi_release(&ff);
zrelease_temp_mpi_key(&k);
if (ret < 0)
goto cleanup;
break;
}
case GNUTLS_PK_EC:
{
struct ecc_scalar ecc_priv;
struct ecc_point ecc_pub;
const struct ecc_curve *curve;
out->data = NULL;
curve = get_supported_curve(priv->flags);
if (curve == NULL)
return
gnutls_assert_val
(GNUTLS_E_ECC_UNSUPPORTED_CURVE);
ret = _ecc_params_to_pubkey(pub, &ecc_pub, curve);
if (ret < 0)
return gnutls_assert_val(ret);
ret =
_ecc_params_to_privkey(priv, &ecc_priv, curve);
if (ret < 0) {
ecc_point_clear(&ecc_pub);
return gnutls_assert_val(ret);
}
out->size = gnutls_ecc_curve_get_size(priv->flags);
/*ecc_size(curve)*sizeof(mp_limb_t); */
out->data = gnutls_malloc(out->size);
if (out->data == NULL) {
ret =
gnutls_assert_val
(GNUTLS_E_MEMORY_ERROR);
goto ecc_cleanup;
}
ecc_shared_secret(&ecc_priv, &ecc_pub, out->data,
out->size);
ecc_cleanup:
ecc_point_clear(&ecc_pub);
ecc_scalar_zclear(&ecc_priv);
if (ret < 0)
goto cleanup;
break;
}
default:
gnutls_assert();
ret = GNUTLS_E_INTERNAL_ERROR;
goto cleanup;
}
ret = 0;
cleanup:
return ret;
}