search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Corrected initialization of key when generating request. Reported by Petr Pisar.
[gnutls.git] / lib / gnutls_pk.c
blob337204b2eae4794943e825da39a7cfea723be78b
1 /*
2 * Copyright (C) 2001, 2002, 2003, 2004, 2005, 2006, 2008, 2009, 2010
3 * Free Software Foundation, Inc.
4 *
5 * Author: Nikos Mavrogiannopoulos
6 *
7 * This file is part of GnuTLS.
8 *
9 * The GnuTLS is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Lesser General Public License
11 * as published by the Free Software Foundation; either version 2.1 of
12 * the License, or (at your option) any later version.
13 *
14 * This library is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * Lesser General Public License for more details.
18 *
19 * You should have received a copy of the GNU Lesser General Public
20 * License along with this library; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
22 * USA
23 *
24 */
25
26 /* This file contains the functions needed for RSA/DSA public key
27 * encryption and signatures.
28 */
29
30 #include <gnutls_int.h>
31 #include <gnutls_mpi.h>
32 #include <gnutls_pk.h>
33 #include <gnutls_errors.h>
34 #include <gnutls_datum.h>
35 #include <gnutls_global.h>
36 #include <gnutls_num.h>
37 #include "debug.h"
38 #include <x509/x509_int.h>
39 #include <x509/common.h>
40 #include <random.h>
41
42 /* Do PKCS-1 RSA encryption.
43 * params is modulus, public exp.
44 */
45 int
46 _gnutls_pkcs1_rsa_encrypt (gnutls_datum_t * ciphertext,
47 const gnutls_datum_t * plaintext,
48 bigint_t * params, unsigned params_len,
49 unsigned btype)
50 {
51 unsigned int i, pad;
52 int ret;
53 opaque *edata, *ps;
54 size_t k, psize;
55 size_t mod_bits;
56 gnutls_pk_params_st pk_params;
57 gnutls_datum_t to_encrypt, encrypted;
58
59 for (i = 0; i < params_len; i++)
60 pk_params.params[i] = params[i];
61 pk_params.params_nr = params_len;
62
63 mod_bits = _gnutls_mpi_get_nbits (params[0]);
64 k = mod_bits / 8;
65 if (mod_bits % 8 != 0)
66 k++;
67
68 if (plaintext->size > k - 11)
69 {
70 gnutls_assert ();
71 return GNUTLS_E_PK_ENCRYPTION_FAILED;
72 }
73
74 edata = gnutls_malloc (k);
75 if (edata == NULL)
76 {
77 gnutls_assert ();
78 return GNUTLS_E_MEMORY_ERROR;
79 }
80
81 /* EB = 00||BT||PS||00||D
82 * (use block type 'btype')
83 */
84
85 edata[0] = 0;
86 edata[1] = btype;
87 psize = k - 3 - plaintext->size;
88
89 ps = &edata[2];
90 switch (btype)
91 {
92 case 2:
93 /* using public key */
94 if (params_len < RSA_PUBLIC_PARAMS)
95 {
96 gnutls_assert ();
97 gnutls_free (edata);
98 return GNUTLS_E_INTERNAL_ERROR;
99 }
100
101 ret = _gnutls_rnd (GNUTLS_RND_RANDOM, ps, psize);
102 if (ret < 0)
103 {
104 gnutls_assert ();
105 gnutls_free (edata);
106 return ret;
107 }
108 for (i = 0; i < psize; i++)
109 while (ps[i] == 0)
110 {
111 ret = _gnutls_rnd (GNUTLS_RND_RANDOM, &ps[i], 1);
112 if (ret < 0)
113 {
114 gnutls_assert ();
115 gnutls_free (edata);
116 return ret;
117 }
118 }
119 break;
120 case 1:
121 /* using private key */
122
123 if (params_len < RSA_PRIVATE_PARAMS)
124 {
125 gnutls_assert ();
126 gnutls_free (edata);
127 return GNUTLS_E_INTERNAL_ERROR;
128 }
129
130 for (i = 0; i < psize; i++)
131 ps[i] = 0xff;
132 break;
133 default:
134 gnutls_assert ();
135 gnutls_free (edata);
136 return GNUTLS_E_INTERNAL_ERROR;
137 }
138
139 ps[psize] = 0;
140 memcpy (&ps[psize + 1], plaintext->data, plaintext->size);
141
142 to_encrypt.data = edata;
143 to_encrypt.size = k;
144
145 if (btype == 2) /* encrypt */
146 ret =
147 _gnutls_pk_encrypt (GNUTLS_PK_RSA, &encrypted, &to_encrypt, &pk_params);
148 else /* sign */
149 ret =
150 _gnutls_pk_sign (GNUTLS_PK_RSA, &encrypted, &to_encrypt, &pk_params);
151
152 gnutls_free (edata);
153
154 if (ret < 0)
155 {
156 gnutls_assert ();
157 return ret;
158 }
159
160 psize = encrypted.size;
161 if (psize < k)
162 {
163 /* padding psize */
164 pad = k - psize;
165 psize = k;
166 }
167 else if (psize == k)
168 {
169 /* pad = 0;
170 * no need to do anything else
171 */
172 ciphertext->data = encrypted.data;
173 ciphertext->size = encrypted.size;
174 return 0;
175 }
176 else
177 { /* psize > k !!! */
178 /* This is an impossible situation */
179 gnutls_assert ();
180 _gnutls_free_datum (&encrypted);
181 return GNUTLS_E_INTERNAL_ERROR;
182 }
183
184 ciphertext->data = gnutls_malloc (psize);
185 if (ciphertext->data == NULL)
186 {
187 gnutls_assert ();
188 _gnutls_free_datum (&encrypted);
189 return GNUTLS_E_MEMORY_ERROR;
190 }
191
192 memcpy (&ciphertext->data[pad], encrypted.data, encrypted.size);
193 for (i = 0; i < pad; i++)
194 ciphertext->data[i] = 0;
195
196 ciphertext->size = k;
197
198 _gnutls_free_datum (&encrypted);
199
200 return 0;
201 }
202
203
204 /* Do PKCS-1 RSA decryption.
205 * params is modulus, public exp., private key
206 * Can decrypt block type 1 and type 2 packets.
207 */
208 int
209 _gnutls_pkcs1_rsa_decrypt (gnutls_datum_t * plaintext,
210 const gnutls_datum_t * ciphertext,
211 bigint_t * params, unsigned params_len,
212 unsigned btype)
213 {
214 unsigned int k, i;
215 int ret;
216 size_t esize, mod_bits;
217 gnutls_pk_params_st pk_params;
218
219 for (i = 0; i < params_len; i++)
220 pk_params.params[i] = params[i];
221 pk_params.params_nr = params_len;
222
223 mod_bits = _gnutls_mpi_get_nbits (params[0]);
224 k = mod_bits / 8;
225 if (mod_bits % 8 != 0)
226 k++;
227
228 esize = ciphertext->size;
229
230 if (esize != k)
231 {
232 gnutls_assert ();
233 return GNUTLS_E_PK_DECRYPTION_FAILED;
234 }
235
236 /* we can use btype to see if the private key is
237 * available.
238 */
239 if (btype == 2)
240 {
241 ret =
242 _gnutls_pk_decrypt (GNUTLS_PK_RSA, plaintext, ciphertext, &pk_params);
243 }
244 else
245 {
246 ret =
247 _gnutls_pk_encrypt (GNUTLS_PK_RSA, plaintext, ciphertext, &pk_params);
248 }
249
250 if (ret < 0)
251 {
252 gnutls_assert ();
253 return ret;
254 }
255
256 /* EB = 00||BT||PS||00||D
257 * (use block type 'btype')
258 *
259 * From now on, return GNUTLS_E_DECRYPTION_FAILED on errors, to
260 * avoid attacks similar to the one described by Bleichenbacher in:
261 * "Chosen Ciphertext Attacks against Protocols Based on RSA
262 * Encryption Standard PKCS #1".
263 */
264 if (plaintext->data[0] != 0 || plaintext->data[1] != btype)
265 {
266 gnutls_assert ();
267 return GNUTLS_E_DECRYPTION_FAILED;
268 }
269
270 ret = GNUTLS_E_DECRYPTION_FAILED;
271 switch (btype)
272 {
273 case 2:
274 for (i = 2; i < plaintext->size; i++)
275 {
276 if (plaintext->data[i] == 0)
277 {
278 ret = 0;
279 break;
280 }
281 }
282 break;
283 case 1:
284 for (i = 2; i < plaintext->size; i++)
285 {
286 if (plaintext->data[i] == 0 && i > 2)
287 {
288 ret = 0;
289 break;
290 }
291 if (plaintext->data[i] != 0xff)
292 {
293 _gnutls_handshake_log ("PKCS #1 padding error");
294 _gnutls_free_datum (plaintext);
295 /* PKCS #1 padding error. Don't use
296 GNUTLS_E_PKCS1_WRONG_PAD here. */
297 break;
298 }
299 }
300 break;
301 default:
302 gnutls_assert ();
303 _gnutls_free_datum (plaintext);
304 break;
305 }
306 i++;
307
308 if (ret < 0)
309 {
310 gnutls_assert ();
311 _gnutls_free_datum (plaintext);
312 return GNUTLS_E_DECRYPTION_FAILED;
313 }
314
315 memmove (plaintext->data, &plaintext->data[i], esize - i);
316 plaintext->size = esize - i;
317
318 return 0;
319 }
320
321
322 int
323 _gnutls_rsa_verify (const gnutls_datum_t * vdata,
324 const gnutls_datum_t * ciphertext, bigint_t * params,
325 int params_len, int btype)
326 {
327
328 gnutls_datum_t plain;
329 int ret;
330
331 /* decrypt signature */
332 if ((ret =
333 _gnutls_pkcs1_rsa_decrypt (&plain, ciphertext, params, params_len,
334 btype)) < 0)
335 {
336 gnutls_assert ();
337 return ret;
338 }
339
340 if (plain.size != vdata->size)
341 {
342 gnutls_assert ();
343 _gnutls_free_datum (&plain);
344 return GNUTLS_E_PK_SIG_VERIFY_FAILED;
345 }
346
347 if (memcmp (plain.data, vdata->data, plain.size) != 0)
348 {
349 gnutls_assert ();
350 _gnutls_free_datum (&plain);
351 return GNUTLS_E_PK_SIG_VERIFY_FAILED;
352 }
353
354 _gnutls_free_datum (&plain);
355
356 return 0; /* ok */
357 }
358
359 /* encodes the Dss-Sig-Value structure
360 */
361 int
362 _gnutls_encode_ber_rs (gnutls_datum_t * sig_value, bigint_t r, bigint_t s)
363 {
364 ASN1_TYPE sig;
365 int result;
366
367 if ((result =
368 asn1_create_element (_gnutls_get_gnutls_asn (),
369 "GNUTLS.DSASignatureValue",
370 &sig)) != ASN1_SUCCESS)
371 {
372 gnutls_assert ();
373 return _gnutls_asn2err (result);
374 }
375
376 result = _gnutls_x509_write_int (sig, "r", r, 1);
377 if (result < 0)
378 {
379 gnutls_assert ();
380 asn1_delete_structure (&sig);
381 return result;
382 }
383
384 result = _gnutls_x509_write_int (sig, "s", s, 1);
385 if (result < 0)
386 {
387 gnutls_assert ();
388 asn1_delete_structure (&sig);
389 return result;
390 }
391
392 result = _gnutls_x509_der_encode (sig, "", sig_value, 0);
393
394 asn1_delete_structure (&sig);
395
396 if (result < 0)
397 {
398 gnutls_assert ();
399 return result;
400 }
401
402 return 0;
403 }
404
405
406 /* Do DSA signature calculation. params is p, q, g, y, x in that order.
407 */
408 int
409 _gnutls_dsa_sign (gnutls_datum_t * signature,
410 const gnutls_datum_t * hash, bigint_t * params,
411 unsigned int params_len)
412 {
413 int ret;
414 size_t i;
415 size_t k;
416 gnutls_pk_params_st pk_params;
417
418 for (i = 0; i < params_len; i++)
419 pk_params.params[i] = params[i];
420 pk_params.params_nr = params_len;
421
422 k = hash->size;
423 if (k < 20)
424 { /* SHA1 or better only */
425 gnutls_assert ();
426 return GNUTLS_E_PK_SIGN_FAILED;
427 }
428
429 ret = _gnutls_pk_sign (GNUTLS_PK_DSA, signature, hash, &pk_params);
430 /* rs[0], rs[1] now hold r,s */
431
432 if (ret < 0)
433 {
434 gnutls_assert ();
435 return ret;
436 }
437
438 return 0;
439 }
440
441 /* decodes the Dss-Sig-Value structure
442 */
443 int
444 _gnutls_decode_ber_rs (const gnutls_datum_t * sig_value, bigint_t * r,
445 bigint_t * s)
446 {
447 ASN1_TYPE sig;
448 int result;
449
450 if ((result =
451 asn1_create_element (_gnutls_get_gnutls_asn (),
452 "GNUTLS.DSASignatureValue",
453 &sig)) != ASN1_SUCCESS)
454 {
455 gnutls_assert ();
456 return _gnutls_asn2err (result);
457 }
458
459 result = asn1_der_decoding (&sig, sig_value->data, sig_value->size, NULL);
460 if (result != ASN1_SUCCESS)
461 {
462 gnutls_assert ();
463 asn1_delete_structure (&sig);
464 return _gnutls_asn2err (result);
465 }
466
467 result = _gnutls_x509_read_int (sig, "r", r);
468 if (result < 0)
469 {
470 gnutls_assert ();
471 asn1_delete_structure (&sig);
472 return result;
473 }
474
475 result = _gnutls_x509_read_int (sig, "s", s);
476 if (result < 0)
477 {
478 gnutls_assert ();
479 _gnutls_mpi_release (s);
480 asn1_delete_structure (&sig);
481 return result;
482 }
483
484 asn1_delete_structure (&sig);
485
486 return 0;
487 }
488
489 /* params is p, q, g, y in that order
490 */
491 int
492 _gnutls_dsa_verify (const gnutls_datum_t * vdata,
493 const gnutls_datum_t * sig_value, bigint_t * params,
494 int params_len)
495 {
496
497 int ret, i;
498 gnutls_pk_params_st pk_params;
499
500 for (i = 0; i < params_len; i++)
501 pk_params.params[i] = params[i];
502 pk_params.params_nr = params_len;
503
504 if (vdata->size < 20)
505 { /* SHA1 or better only */
506 gnutls_assert ();
507 return GNUTLS_E_PK_SIG_VERIFY_FAILED;
508 }
509
510 /* decrypt signature */
511 ret = _gnutls_pk_verify (GNUTLS_PK_DSA, vdata, sig_value, &pk_params);
512
513 if (ret < 0)
514 {
515 gnutls_assert ();
516 return ret;
517 }
518
519 return 0; /* ok */
520 }
521
522 /* some generic pk functions */
523 static int
524 _generate_params (int algo, bigint_t * resarr, unsigned int *resarr_len,
525 int bits)
526 {
527 gnutls_pk_params_st params;
528 int ret;
529 unsigned int i;
530
531 ret = _gnutls_pk_ops.generate (algo, bits, &params);
532
533 if (ret < 0)
534 {
535 gnutls_assert ();
536 return ret;
537 }
538
539 if (resarr && resarr_len && *resarr_len >= params.params_nr)
540 {
541 *resarr_len = params.params_nr;
542 for (i = 0; i < params.params_nr; i++)
543 resarr[i] = params.params[i];
544 }
545 else
546 {
547 gnutls_assert ();
548 return GNUTLS_E_INVALID_REQUEST;
549 }
550 return 0;
551 }
552
553
554
555 int
556 _gnutls_rsa_generate_params (bigint_t * resarr, unsigned int *resarr_len,
557 int bits)
558 {
559 return _generate_params (GNUTLS_PK_RSA, resarr, resarr_len, bits);
560 }
561
562 int
563 _gnutls_dsa_generate_params (bigint_t * resarr, unsigned int *resarr_len,
564 int bits)
565 {
566 return _generate_params (GNUTLS_PK_DSA, resarr, resarr_len, bits);
567 }
568
569 int
570 _gnutls_pk_params_copy (gnutls_pk_params_st * dst, bigint_t * params,
571 int params_len)
572 {
573 int i, j;
574 dst->params_nr = 0;
575
576 if (params_len == 0 || params == NULL)
577 {
578 gnutls_assert ();
579 return GNUTLS_E_INVALID_REQUEST;
580 }
581
582 for (i = 0; i < params_len; i++)
583 {
584 dst->params[i] = _gnutls_mpi_set (NULL, params[i]);
585 if (dst->params[i] == NULL)
586 {
587 for (j = 0; j < i; j++)
588 _gnutls_mpi_release (&dst->params[j]);
589 return GNUTLS_E_MEMORY_ERROR;
590 }
591 dst->params_nr++;
592 }
593
594 return 0;
595 }
596
597 void
598 gnutls_pk_params_init (gnutls_pk_params_st * p)
599 {
600 memset (p, 0, sizeof (gnutls_pk_params_st));
601 }
602
603 void
604 gnutls_pk_params_release (gnutls_pk_params_st * p)
605 {
606 unsigned int i;
607 for (i = 0; i < p->params_nr; i++)
608 {
609 _gnutls_mpi_release (&p->params[i]);
610 }
611 }
612
613 int
614 _gnutls_calc_rsa_exp (bigint_t * params, unsigned int params_size)
615 {
616 bigint_t tmp = _gnutls_mpi_alloc_like (params[0]);
617
618 if (params_size < RSA_PRIVATE_PARAMS - 2)
619 {
620 gnutls_assert ();
621 return GNUTLS_E_INTERNAL_ERROR;
622 }
623
624 if (tmp == NULL)
625 {
626 gnutls_assert ();
627 return GNUTLS_E_MEMORY_ERROR;
628 }
629
630 /* [6] = d % p-1, [7] = d % q-1 */
631 _gnutls_mpi_sub_ui (tmp, params[3], 1);
632 params[6] = _gnutls_mpi_mod (params[2] /*d */ , tmp);
633
634 _gnutls_mpi_sub_ui (tmp, params[4], 1);
635 params[7] = _gnutls_mpi_mod (params[2] /*d */ , tmp);
636
637 _gnutls_mpi_release (&tmp);
638
639 if (params[7] == NULL || params[6] == NULL)
640 {
641 gnutls_assert ();
642 return GNUTLS_E_MEMORY_ERROR;
643 }
644
645 return 0;
646 }
647
648 int
649 _gnutls_pk_get_hash_algorithm (gnutls_pk_algorithm_t pk, bigint_t * params,
650 int params_size,
651 gnutls_digest_algorithm_t * dig,
652 unsigned int *mand)
653 {
654 if (mand)
655 {
656 if (pk == GNUTLS_PK_DSA)
657 *mand = 1;
658 else
659 *mand = 0;
660 }
661
662 return _gnutls_x509_verify_algorithm ((gnutls_mac_algorithm_t *) dig,
663 NULL, pk, params, params_size);
664
665 }
Implementation of the SSL/TLS protocol