lib/auth/dh_common.c

   1 /*
   2  * Copyright (C) 2002-2012 Free Software Foundation, Inc.
   3  *
   4  * Author: Nikos Mavrogiannopoulos
   5  *
   6  * This file is part of GnuTLS.
   7  *
   8  * The GnuTLS is free software; you can redistribute it and/or
   9  * modify it under the terms of the GNU Lesser General Public License
  10  * as published by the Free Software Foundation; either version 3 of
  11  * the License, or (at your option) any later version.
  12  *
  13  * This library is distributed in the hope that it will be useful, but
  14  * WITHOUT ANY WARRANTY; without even the implied warranty of
  15  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  16  * Lesser General Public License for more details.
  17  *
  18  * You should have received a copy of the GNU Lesser General Public License
  19  * along with this program.  If not, see <http://www.gnu.org/licenses/>
  20  *
  21  */
  22
  23 /* This file contains common stuff in Ephemeral Diffie-Hellman (DHE)
  24  * and Anonymous DH key exchange(DHA). These are used in the handshake
  25  * procedure of the certificate and anoymous authentication.
  26  */
  27
  28 #include "gnutls_int.h"
  29 #include "gnutls_auth.h"
  30 #include "gnutls_errors.h"
  31 #include "gnutls_dh.h"
  32 #include "gnutls_num.h"
  33 #include "gnutls_sig.h"
  34 #include <gnutls_datum.h>
  35 #include <gnutls_x509.h>
  36 #include <gnutls_state.h>
  37 #include <auth/dh_common.h>
  38 #include <algorithms.h>
  39 #include <auth/psk.h>
  40
  41 /* Frees the dh_info_st structure.
  42  */
  43 void
  44 _gnutls_free_dh_info (dh_info_st * dh)
  45 {
  46   dh->secret_bits = 0;
  47   _gnutls_free_datum (&dh->prime);
  48   _gnutls_free_datum (&dh->generator);
  49   _gnutls_free_datum (&dh->public_key);
  50 }
  51
  52 int
  53 _gnutls_proc_dh_common_client_kx (gnutls_session_t session,
  54                                   uint8_t * data, size_t _data_size,
  55                                   bigint_t g, bigint_t p,
  56                                   gnutls_datum_t* psk_key)
  57 {
  58   uint16_t n_Y;
  59   size_t _n_Y;
  60   int ret;
  61   ssize_t data_size = _data_size;
  62
  63
  64   DECR_LEN (data_size, 2);
  65   n_Y = _gnutls_read_uint16 (&data[0]);
  66   _n_Y = n_Y;
  67
  68   DECR_LEN (data_size, n_Y);
  69   if (_gnutls_mpi_scan_nz (&session->key->client_Y, &data[2], _n_Y))
  70     {
  71       gnutls_assert ();
  72       return GNUTLS_E_MPI_SCAN_FAILED;
  73     }
  74
  75   _gnutls_dh_set_peer_public (session, session->key->client_Y);
  76
  77   session->key->KEY =
  78     gnutls_calc_dh_key (session->key->client_Y, session->key->dh_secret, p);
  79
  80   if (session->key->KEY == NULL)
  81     {
  82       gnutls_assert ();
  83       return GNUTLS_E_MEMORY_ERROR;
  84     }
  85
  86   _gnutls_mpi_release (&session->key->client_Y);
  87   _gnutls_mpi_release (&session->key->dh_secret);
  88
  89
  90   if (psk_key == NULL)
  91     {
  92       ret = _gnutls_mpi_dprint (session->key->KEY, &session->key->key);
  93     }
  94   else                          /* In DHE_PSK the key is set differently */
  95     {
  96       gnutls_datum_t tmp_dh_key;
  97       ret = _gnutls_mpi_dprint (session->key->KEY, &tmp_dh_key);
  98       if (ret < 0)
  99         {
 100           gnutls_assert ();
 101           return ret;
 102         }
 103
 104       ret = _gnutls_set_psk_session_key (session, psk_key, &tmp_dh_key);
 105       _gnutls_free_datum (&tmp_dh_key);
 106
 107     }
 108
 109   _gnutls_mpi_release (&session->key->KEY);
 110
 111   if (ret < 0)
 112     {
 113       return ret;
 114     }
 115
 116   return 0;
 117 }
 118
 119 int _gnutls_gen_dh_common_client_kx (gnutls_session_t session, gnutls_buffer_st* data)
 120 {
 121   return _gnutls_gen_dh_common_client_kx_int(session, data, NULL);
 122 }
 123
 124 int
 125 _gnutls_gen_dh_common_client_kx_int (gnutls_session_t session, gnutls_buffer_st* data, gnutls_datum_t* pskkey)
 126 {
 127   bigint_t x = NULL, X = NULL;
 128   int ret;
 129
 130   X = gnutls_calc_dh_secret (&x, session->key->client_g,
 131                              session->key->client_p, 0);
 132   if (X == NULL || x == NULL)
 133     {
 134       gnutls_assert ();
 135       ret = GNUTLS_E_MEMORY_ERROR;
 136       goto error;
 137     }
 138
 139   _gnutls_dh_set_secret_bits (session, _gnutls_mpi_get_nbits (x));
 140
 141   ret = _gnutls_buffer_append_mpi( data, 16, X, 0);
 142   if (ret < 0)
 143     {
 144       gnutls_assert();
 145       goto error;
 146     }
 147
 148   /* calculate the key after calculating the message */
 149   session->key->KEY =
 150     gnutls_calc_dh_key (session->key->client_Y, x, session->key->client_p);
 151
 152   if (session->key->KEY == NULL)
 153     {
 154       gnutls_assert ();
 155       ret = GNUTLS_E_MEMORY_ERROR;
 156       goto error;
 157     }
 158
 159   /* THESE SHOULD BE DISCARDED */
 160   _gnutls_mpi_release (&session->key->client_Y);
 161   _gnutls_mpi_release (&session->key->client_p);
 162   _gnutls_mpi_release (&session->key->client_g);
 163
 164   if (_gnutls_cipher_suite_get_kx_algo
 165       (session->security_parameters.cipher_suite)
 166       != GNUTLS_KX_DHE_PSK)
 167     {
 168       ret = _gnutls_mpi_dprint (session->key->KEY, &session->key->key);
 169     }
 170   else                          /* In DHE_PSK the key is set differently */
 171     {
 172       gnutls_datum_t tmp_dh_key;
 173
 174       ret = _gnutls_mpi_dprint (session->key->KEY, &tmp_dh_key);
 175       if (ret < 0)
 176         {
 177           gnutls_assert ();
 178           goto error;
 179         }
 180
 181       ret = _gnutls_set_psk_session_key (session, pskkey, &tmp_dh_key);
 182       _gnutls_free_datum (&tmp_dh_key);
 183     }
 184
 185   _gnutls_mpi_release (&session->key->KEY);
 186
 187   if (ret < 0)
 188     {
 189       gnutls_assert ();
 190       goto error;
 191     }
 192
 193   ret = data->length;
 194
 195 error:
 196   _gnutls_mpi_release (&x);
 197   _gnutls_mpi_release (&X);
 198   return ret;
 199 }
 200
 201 /* Returns the bytes parsed */
 202 int
 203 _gnutls_proc_dh_common_server_kx (gnutls_session_t session,
 204                                   uint8_t * data, size_t _data_size)
 205 {
 206   uint16_t n_Y, n_g, n_p;
 207   size_t _n_Y, _n_g, _n_p;
 208   uint8_t *data_p;
 209   uint8_t *data_g;
 210   uint8_t *data_Y;
 211   int i, bits, ret;
 212   ssize_t data_size = _data_size;
 213
 214   i = 0;
 215
 216   DECR_LEN (data_size, 2);
 217   n_p = _gnutls_read_uint16 (&data[i]);
 218   i += 2;
 219
 220   DECR_LEN (data_size, n_p);
 221   data_p = &data[i];
 222   i += n_p;
 223
 224   DECR_LEN (data_size, 2);
 225   n_g = _gnutls_read_uint16 (&data[i]);
 226   i += 2;
 227
 228   DECR_LEN (data_size, n_g);
 229   data_g = &data[i];
 230   i += n_g;
 231
 232   DECR_LEN (data_size, 2);
 233   n_Y = _gnutls_read_uint16 (&data[i]);
 234   i += 2;
 235
 236   DECR_LEN (data_size, n_Y);
 237   data_Y = &data[i];
 238   i += n_Y;
 239
 240   _n_Y = n_Y;
 241   _n_g = n_g;
 242   _n_p = n_p;
 243
 244   if (_gnutls_mpi_scan_nz (&session->key->client_Y, data_Y, _n_Y) != 0)
 245     {
 246       gnutls_assert ();
 247       return GNUTLS_E_MPI_SCAN_FAILED;
 248     }
 249
 250   if (_gnutls_mpi_scan_nz (&session->key->client_g, data_g, _n_g) != 0)
 251     {
 252       gnutls_assert ();
 253       return GNUTLS_E_MPI_SCAN_FAILED;
 254     }
 255   if (_gnutls_mpi_scan_nz (&session->key->client_p, data_p, _n_p) != 0)
 256     {
 257       gnutls_assert ();
 258       return GNUTLS_E_MPI_SCAN_FAILED;
 259     }
 260
 261   bits = _gnutls_dh_get_allowed_prime_bits (session);
 262   if (bits < 0)
 263     {
 264       gnutls_assert ();
 265       return bits;
 266     }
 267
 268   if (_gnutls_mpi_get_nbits (session->key->client_p) < (size_t) bits)
 269     {
 270       /* the prime used by the peer is not acceptable
 271        */
 272       gnutls_assert ();
 273       return GNUTLS_E_DH_PRIME_UNACCEPTABLE;
 274     }
 275
 276   _gnutls_dh_set_group (session, session->key->client_g,
 277                         session->key->client_p);
 278   _gnutls_dh_set_peer_public (session, session->key->client_Y);
 279
 280   ret = n_Y + n_p + n_g + 6;
 281
 282   return ret;
 283 }
 284
 285 int
 286 _gnutls_dh_common_print_server_kx (gnutls_session_t session,
 287                                    bigint_t g, bigint_t p, unsigned int q_bits,
 288                                    gnutls_buffer_st* data)
 289 {
 290   bigint_t x, Y;
 291   int ret;
 292
 293   /* Y=g^x mod p */
 294   Y = gnutls_calc_dh_secret (&x, g, p, q_bits);
 295   if (Y == NULL || x == NULL)
 296     {
 297       gnutls_assert ();
 298       return GNUTLS_E_MEMORY_ERROR;
 299     }
 300
 301   session->key->dh_secret = x;
 302   _gnutls_dh_set_secret_bits (session, _gnutls_mpi_get_nbits (x));
 303
 304   ret = _gnutls_buffer_append_mpi(data, 16, p, 0);
 305   if (ret < 0)
 306     {
 307       ret = gnutls_assert_val(ret);
 308       goto cleanup;
 309     }
 310
 311   ret = _gnutls_buffer_append_mpi(data, 16, g, 0);
 312   if (ret < 0)
 313     {
 314       ret = gnutls_assert_val(ret);
 315       goto cleanup;
 316     }
 317
 318   ret = _gnutls_buffer_append_mpi(data, 16, Y, 0);
 319   if (ret < 0)
 320     {
 321       ret = gnutls_assert_val(ret);
 322       goto cleanup;
 323     }
 324
 325 cleanup:
 326   _gnutls_mpi_release (&Y);
 327
 328   return data->length;
 329 }