/**
* gnutls_privkey_decrypt_data:
* @key: Holds the key
* @flags: zero for now
* @ciphertext: holds the data to be decrypted
* @plaintext: will contain the decrypted data, allocated with gnutls_malloc()
*
* This function will decrypt the given data using the algorithm
* supported by the private key.
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
* negative error value.
*
* Since: 2.12.0
**/
int
gnutls_privkey_decrypt_data(gnutls_privkey_t key,
unsigned int flags,
const gnutls_datum_t * ciphertext,
gnutls_datum_t * plaintext)
{
switch (key->type) {
#ifdef ENABLE_OPENPGP
case GNUTLS_PRIVKEY_OPENPGP:
return _gnutls_openpgp_privkey_decrypt_data(key->key.openpgp,
flags, ciphertext,
plaintext);
#endif
case GNUTLS_PRIVKEY_X509:
return _gnutls_pk_decrypt(key->pk_algorithm, plaintext,
ciphertext, &key->key.x509->params);
#ifdef ENABLE_PKCS11
case GNUTLS_PRIVKEY_PKCS11:
return _gnutls_pkcs11_privkey_decrypt_data(key->key.pkcs11,
flags,
ciphertext,
plaintext);
#endif
case GNUTLS_PRIVKEY_EXT:
if (key->key.ext.decrypt_func == NULL)
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
return key->key.ext.decrypt_func(key,
key->key.ext.userdata,
ciphertext, plaintext);
default:
gnutls_assert();
return GNUTLS_E_INVALID_REQUEST;
}
}
/*-
* _gnutls_openpgp_privkey_decrypt_data:
* @key: Holds the key
* @flags: (0) for now
* @ciphertext: holds the data to be decrypted
* @plaintext: will contain newly allocated plaintext
*
* This function will sign the given hash using the private key. You
* should use gnutls_openpgp_privkey_set_preferred_key_id() before
* calling this function to set the subkey to use.
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
* negative error value.
-*/
int
_gnutls_openpgp_privkey_decrypt_data (gnutls_openpgp_privkey_t key,
unsigned int flags,
const gnutls_datum_t * ciphertext,
gnutls_datum_t * plaintext)
{
int result, i;
gnutls_pk_params_st params;
int pk_algorithm;
uint8_t keyid[GNUTLS_OPENPGP_KEYID_SIZE];
char buf[2*GNUTLS_OPENPGP_KEYID_SIZE+1];
if (key == NULL)
{
gnutls_assert ();
return GNUTLS_E_INVALID_REQUEST;
}
result = gnutls_openpgp_privkey_get_preferred_key_id (key, keyid);
if (result == 0)
{
uint32_t kid[2];
KEYID_IMPORT (kid, keyid);
_gnutls_hard_log("Decrypting using PGP key ID %s\n", _gnutls_bin2hex(keyid, GNUTLS_OPENPGP_KEYID_SIZE, buf, sizeof(buf), NULL));
result = _gnutls_openpgp_privkey_get_mpis (key, kid, ¶ms);
i = gnutls_openpgp_privkey_get_subkey_idx (key, keyid);
pk_algorithm = gnutls_openpgp_privkey_get_subkey_pk_algorithm (key, i, NULL);
}
else
{
_gnutls_hard_log("Decrypting using master PGP key\n");
pk_algorithm = gnutls_openpgp_privkey_get_pk_algorithm (key, NULL);
result = _gnutls_openpgp_privkey_get_mpis (key, NULL, ¶ms);
}
if (result < 0)
{
gnutls_assert ();
return result;
}
result = _gnutls_pk_decrypt (pk_algorithm, plaintext, ciphertext, ¶ms);
gnutls_pk_params_clear(¶ms);
gnutls_pk_params_release(¶ms);
if (result < 0)
return gnutls_assert_val(result);
return 0;
}
/* Do PKCS-1 RSA decryption.
* params is modulus, public exp., private key
* Can decrypt block type 1 and type 2 packets.
*/
int
_gnutls_pkcs1_rsa_decrypt (gnutls_datum_t * plaintext,
const gnutls_datum_t * ciphertext,
mpi_t * params, unsigned params_len,
unsigned btype)
{
unsigned k, i;
int ret;
mpi_t c, res;
opaque *edata;
size_t esize, mod_bits;
mod_bits = _gnutls_mpi_get_nbits (params[0]);
k = mod_bits / 8;
if (mod_bits % 8 != 0)
k++;
esize = ciphertext->size;
if (esize != k)
{
gnutls_assert ();
return GNUTLS_E_PK_DECRYPTION_FAILED;
}
if (_gnutls_mpi_scan_nz (&c, ciphertext->data, &esize) != 0)
{
gnutls_assert ();
return GNUTLS_E_MPI_SCAN_FAILED;
}
/* we can use btype to see if the private key is
* available.
*/
if (btype == 2)
ret = _gnutls_pk_decrypt (GCRY_PK_RSA, &res, c, params, params_len);
else
{
ret = _gnutls_pk_encrypt (GCRY_PK_RSA, &res, c, params, params_len);
}
_gnutls_mpi_release (&c);
if (ret < 0)
{
gnutls_assert ();
return ret;
}
_gnutls_mpi_print (NULL, &esize, res);
edata = gnutls_alloca (esize + 1);
if (edata == NULL)
{
gnutls_assert ();
_gnutls_mpi_release (&res);
return GNUTLS_E_MEMORY_ERROR;
}
_gnutls_mpi_print (&edata[1], &esize, res);
_gnutls_mpi_release (&res);
/* EB = 00||BT||PS||00||D
* (use block type 'btype')
*
* From now on, return GNUTLS_E_DECRYPTION_FAILED on errors, to
* avoid attacks similar to the one described by Bleichenbacher in:
* "Chosen Ciphertext Attacks against Protocols Based on RSA
* Encryption Standard PKCS #1".
*/
edata[0] = 0;
esize++;
if (edata[0] != 0 || edata[1] != btype)
{
gnutls_assert ();
gnutls_afree (edata);
return GNUTLS_E_DECRYPTION_FAILED;
}
ret = GNUTLS_E_DECRYPTION_FAILED;
switch (btype)
{
case 2:
for (i = 2; i < esize; i++)
{
if (edata[i] == 0)
{
ret = 0;
break;
}
}
break;
case 1:
for (i = 2; i < esize; i++)
{
if (edata[i] == 0 && i > 2)
{
ret = 0;
break;
}
if (edata[i] != 0xff)
{
_gnutls_handshake_log ("PKCS #1 padding error");
/* PKCS #1 padding error. Don't use
GNUTLS_E_PKCS1_WRONG_PAD here. */
break;
}
}
break;
default:
gnutls_assert ();
gnutls_afree (edata);
break;
}
i++;
if (ret < 0)
{
gnutls_assert ();
gnutls_afree (edata);
return GNUTLS_E_DECRYPTION_FAILED;
}
if (_gnutls_sset_datum (plaintext, &edata[i], esize - i) < 0)
{
gnutls_assert ();
gnutls_afree (edata);
return GNUTLS_E_MEMORY_ERROR;
}
gnutls_afree (edata);
return 0;
}
/* Do PKCS-1 RSA decryption.
* params is modulus, public exp., private key
* Can decrypt block type 1 and type 2 packets.
*/
int
_gnutls_pkcs1_rsa_decrypt (gnutls_datum_t * plaintext,
const gnutls_datum_t * ciphertext,
bigint_t * params, unsigned params_len,
unsigned btype)
{
unsigned int k, i;
int ret;
size_t esize, mod_bits;
gnutls_pk_params_st pk_params;
for (i = 0; i < params_len; i++)
pk_params.params[i] = params[i];
pk_params.params_nr = params_len;
mod_bits = _gnutls_mpi_get_nbits (params[0]);
k = mod_bits / 8;
if (mod_bits % 8 != 0)
k++;
esize = ciphertext->size;
if (esize != k)
{
gnutls_assert ();
return GNUTLS_E_PK_DECRYPTION_FAILED;
}
/* we can use btype to see if the private key is
* available.
*/
if (btype == 2)
{
ret =
_gnutls_pk_decrypt (GNUTLS_PK_RSA, plaintext, ciphertext, &pk_params);
}
else
{
ret =
_gnutls_pk_encrypt (GNUTLS_PK_RSA, plaintext, ciphertext, &pk_params);
}
if (ret < 0)
{
gnutls_assert ();
return ret;
}
/* EB = 00||BT||PS||00||D
* (use block type 'btype')
*
* From now on, return GNUTLS_E_DECRYPTION_FAILED on errors, to
* avoid attacks similar to the one described by Bleichenbacher in:
* "Chosen Ciphertext Attacks against Protocols Based on RSA
* Encryption Standard PKCS #1".
*/
if (plaintext->data[0] != 0 || plaintext->data[1] != btype)
{
gnutls_assert ();
return GNUTLS_E_DECRYPTION_FAILED;
}
ret = GNUTLS_E_DECRYPTION_FAILED;
switch (btype)
{
case 2:
for (i = 2; i < plaintext->size; i++)
{
if (plaintext->data[i] == 0)
{
ret = 0;
break;
}
}
break;
case 1:
for (i = 2; i < plaintext->size; i++)
{
if (plaintext->data[i] == 0 && i > 2)
{
ret = 0;
break;
}
if (plaintext->data[i] != 0xff)
{
_gnutls_handshake_log ("PKCS #1 padding error");
_gnutls_free_datum (plaintext);
/* PKCS #1 padding error. Don't use
GNUTLS_E_PKCS1_WRONG_PAD here. */
break;
}
}
break;
default:
gnutls_assert ();
_gnutls_free_datum (plaintext);
break;
}
i++;
if (ret < 0)
{
gnutls_assert ();
_gnutls_free_datum (plaintext);
return GNUTLS_E_DECRYPTION_FAILED;
}
memmove (plaintext->data, &plaintext->data[i], esize - i);
plaintext->size = esize - i;
return 0;
}
int
proc_rsa_export_client_kx (gnutls_session_t session, uint8_t * data,
size_t _data_size)
{
gnutls_datum_t plaintext;
gnutls_datum_t ciphertext;
int ret, dsize;
gnutls_pk_params_st *params;
int randomize_key = 0;
ssize_t data_size = _data_size;
if (gnutls_protocol_get_version (session) == GNUTLS_SSL3)
{
/* SSL 3.0
*/
ciphertext.data = data;
ciphertext.size = data_size;
}
else
{
/* TLS 1.0
*/
DECR_LEN (data_size, 2);
ciphertext.data = &data[2];
dsize = _gnutls_read_uint16 (data);
if (dsize != data_size)
{
gnutls_assert ();
return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
}
ciphertext.size = dsize;
}
ret = _gnutls_get_private_rsa_params (session, ¶ms);
if (ret < 0)
{
gnutls_assert ();
return ret;
}
ret = _gnutls_pk_decrypt (GNUTLS_PK_RSA, &plaintext, &ciphertext, params);
if (ret < 0 || plaintext.size != GNUTLS_MASTER_SIZE)
{
/* In case decryption fails then don't inform
* the peer. Just use a random key. (in order to avoid
* attack against pkcs-1 formating).
*/
gnutls_assert ();
_gnutls_audit_log (session, "auth_rsa: Possible PKCS #1 format attack\n");
randomize_key = 1;
}
else
{
/* If the secret was properly formatted, then
* check the version number.
*/
if (_gnutls_get_adv_version_major (session) != plaintext.data[0]
|| _gnutls_get_adv_version_minor (session) != plaintext.data[1])
{
/* No error is returned here, if the version number check
* fails. We proceed normally.
* That is to defend against the attack described in the paper
* "Attacking RSA-based sessions in SSL/TLS" by Vlastimil Klima,
* Ondej Pokorny and Tomas Rosa.
*/
gnutls_assert ();
_gnutls_audit_log
(session, "auth_rsa: Possible PKCS #1 version check format attack\n");
}
}
if (randomize_key != 0)
{
session->key->key.size = GNUTLS_MASTER_SIZE;
session->key->key.data = gnutls_malloc (session->key->key.size);
if (session->key->key.data == NULL)
{
gnutls_assert ();
return GNUTLS_E_MEMORY_ERROR;
}
/* we do not need strong random numbers here.
*/
ret = _gnutls_rnd (GNUTLS_RND_NONCE, session->key->key.data,
session->key->key.size);
if (ret < 0)
{
gnutls_assert ();
return ret;
}
}
else
{
session->key->key.data = plaintext.data;
session->key->key.size = plaintext.size;
}
/* This is here to avoid the version check attack
* discussed above.
*/
session->key->key.data[0] = _gnutls_get_adv_version_major (session);
session->key->key.data[1] = _gnutls_get_adv_version_minor (session);
return 0;
}
static int pct_test(gnutls_pk_algorithm_t algo, const gnutls_pk_params_st* params)
{
int ret;
gnutls_datum_t sig = {NULL, 0};
const char const_data[20] = "onetwothreefourfive";
gnutls_datum_t ddata, tmp = {NULL,0};
char* gen_data = NULL;
if (algo == GNUTLS_PK_DSA || algo == GNUTLS_PK_EC) {
unsigned hash_len;
_gnutls_dsa_q_to_hash(algo, params, &hash_len);
gen_data = gnutls_malloc(hash_len);
gnutls_rnd(GNUTLS_RND_NONCE, gen_data, hash_len);
ddata.data = (void*)gen_data;
ddata.size = hash_len;
} else {
ddata.data = (void*)const_data;
ddata.size = sizeof(const_data);
}
switch (algo) {
case GNUTLS_PK_RSA:
ret = _gnutls_pk_encrypt(algo, &sig, &ddata, params);
if (ret < 0) {
ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);
goto cleanup;
}
if (ddata.size == sig.size && memcmp(ddata.data, sig.data, sig.size) == 0) {
ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);
gnutls_assert();
goto cleanup;
}
ret = _gnutls_pk_decrypt(algo, &tmp, &sig, params);
if (ret < 0) {
ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);
gnutls_assert();
goto cleanup;
}
if (tmp.size != ddata.size || memcmp(tmp.data, ddata.data, tmp.size) != 0) {
ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);
gnutls_assert();
goto cleanup;
}
free(sig.data);
sig.data = NULL;
/* Here we don't know the purpose of the key. Check both
* signing and encryption.
*/
case GNUTLS_PK_EC: /* we only do keys for ECDSA */
case GNUTLS_PK_DSA:
ret = _gnutls_pk_sign(algo, &sig, &ddata, params);
if (ret < 0) {
ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);
goto cleanup;
}
ret = _gnutls_pk_verify(algo, &ddata, &sig, params);
if (ret < 0) {
ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);
gnutls_assert();
goto cleanup;
}
break;
default:
ret = gnutls_assert_val(GNUTLS_E_UNKNOWN_PK_ALGORITHM);
goto cleanup;
}
ret = 0;
cleanup:
if (ret == GNUTLS_E_PK_GENERATION_ERROR) {
_gnutls_switch_lib_state(LIB_STATE_ERROR);
}
gnutls_free(gen_data);
gnutls_free(sig.data);
gnutls_free(tmp.data);
return ret;
}
