lib/auth_rsa.c

   1 /*
   2  * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2007 Free Software Foundation
   3  *
   4  * Author: Nikos Mavrogiannopoulos
   5  *
   6  * This file is part of GNUTLS.
   7  *
   8  * The GNUTLS library is free software; you can redistribute it and/or
   9  * modify it under the terms of the GNU Lesser General Public License
  10  * as published by the Free Software Foundation; either version 2.1 of
  11  * the License, or (at your option) any later version.
  12  *
  13  * This library is distributed in the hope that it will be useful, but
  14  * WITHOUT ANY WARRANTY; without even the implied warranty of
  15  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  16  * Lesser General Public License for more details.
  17  *
  18  * You should have received a copy of the GNU Lesser General Public
  19  * License along with this library; if not, write to the Free Software
  20  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
  21  * USA
  22  *
  23  */
  24
  25 /* This file contains the RSA key exchange part of the certificate
  26  * authentication.
  27  */
  28
  29 #include "gnutls_int.h"
  30 #include "gnutls_auth_int.h"
  31 #include "gnutls_errors.h"
  32 #include "gnutls_dh.h"
  33 #include "gnutls_num.h"
  34 #include "libtasn1.h"
  35 #include "gnutls_datum.h"
  36 #include "auth_cert.h"
  37 #include <gnutls_pk.h>
  38 #include <gnutls_algorithms.h>
  39 #include <gnutls_global.h>
  40 #include "debug.h"
  41 #include <gnutls_sig.h>
  42 #include <gnutls_x509.h>
  43 #include <random.h>
  44
  45 int _gnutls_gen_rsa_client_kx (gnutls_session_t, opaque **);
  46 int _gnutls_proc_rsa_client_kx (gnutls_session_t, opaque *, size_t);
  47
  48 const mod_auth_st rsa_auth_struct = {
  49   "RSA",
  50   _gnutls_gen_cert_server_certificate,
  51   _gnutls_gen_cert_client_certificate,
  52   NULL,                         /* gen server kx */
  53   _gnutls_gen_rsa_client_kx,
  54   _gnutls_gen_cert_client_cert_vrfy,    /* gen client cert vrfy */
  55   _gnutls_gen_cert_server_cert_req,     /* server cert request */
  56
  57   _gnutls_proc_cert_server_certificate,
  58   _gnutls_proc_cert_client_certificate,
  59   NULL,                         /* proc server kx */
  60   _gnutls_proc_rsa_client_kx,   /* proc client kx */
  61   _gnutls_proc_cert_client_cert_vrfy,   /* proc client cert vrfy */
  62   _gnutls_proc_cert_cert_req    /* proc server cert request */
  63 };
  64
  65 /* This function reads the RSA parameters from peer's certificate;
  66  */
  67 int
  68 _gnutls_get_public_rsa_params (gnutls_session_t session,
  69                                mpi_t params[MAX_PUBLIC_PARAMS_SIZE],
  70                                int *params_len)
  71 {
  72   int ret;
  73   cert_auth_info_t info;
  74   gnutls_cert peer_cert;
  75   int i;
  76
  77   /* normal non export case */
  78
  79   info = _gnutls_get_auth_info (session);
  80
  81   if (info == NULL || info->ncerts == 0)
  82     {
  83       gnutls_assert ();
  84       return GNUTLS_E_INTERNAL_ERROR;
  85     }
  86
  87   ret =
  88     _gnutls_get_auth_info_gcert (&peer_cert,
  89                                session->security_parameters.cert_type,
  90                                info, CERT_ONLY_PUBKEY | CERT_NO_COPY);
  91
  92   if (ret < 0)
  93     {
  94       gnutls_assert ();
  95       return ret;
  96     }
  97
  98
  99   /* EXPORT case: */
 100   if (_gnutls_cipher_suite_get_kx_algo
 101       (&session->security_parameters.current_cipher_suite)
 102       == GNUTLS_KX_RSA_EXPORT
 103       && _gnutls_mpi_get_nbits (peer_cert.params[0]) > 512)
 104     {
 105
 106       _gnutls_gcert_deinit (&peer_cert);
 107
 108       if (session->key->rsa[0] == NULL || session->key->rsa[1] == NULL)
 109         {
 110           gnutls_assert ();
 111           return GNUTLS_E_INTERNAL_ERROR;
 112         }
 113
 114       if (*params_len < 2)
 115         {
 116           gnutls_assert ();
 117           return GNUTLS_E_INTERNAL_ERROR;
 118         }
 119       *params_len = 2;
 120       for (i = 0; i < *params_len; i++)
 121         {
 122           params[i] = _gnutls_mpi_copy (session->key->rsa[i]);
 123         }
 124
 125       return 0;
 126     }
 127
 128   /* end of export case */
 129
 130   if (*params_len < peer_cert.params_size)
 131     {
 132       gnutls_assert ();
 133       return GNUTLS_E_INTERNAL_ERROR;
 134     }
 135   *params_len = peer_cert.params_size;
 136
 137   for (i = 0; i < *params_len; i++)
 138     {
 139       params[i] = _gnutls_mpi_copy (peer_cert.params[i]);
 140     }
 141   _gnutls_gcert_deinit (&peer_cert);
 142
 143   return 0;
 144 }
 145
 146 /* This function reads the RSA parameters from the private key
 147  */
 148 int
 149 _gnutls_get_private_rsa_params (gnutls_session_t session,
 150                                 mpi_t ** params, int *params_size)
 151 {
 152   int bits;
 153   gnutls_certificate_credentials_t cred;
 154   gnutls_rsa_params_t rsa_params;
 155
 156   cred = (gnutls_certificate_credentials_t)
 157     _gnutls_get_cred (session->key, GNUTLS_CRD_CERTIFICATE, NULL);
 158   if (cred == NULL)
 159     {
 160       gnutls_assert ();
 161       return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
 162     }
 163
 164   if (session->internals.selected_cert_list == NULL)
 165     {
 166       gnutls_assert ();
 167       return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
 168     }
 169
 170   bits =
 171     _gnutls_mpi_get_nbits (session->internals.selected_cert_list[0].
 172                            params[0]);
 173
 174   if (_gnutls_cipher_suite_get_kx_algo
 175       (&session->security_parameters.current_cipher_suite)
 176       == GNUTLS_KX_RSA_EXPORT && bits > 512)
 177     {
 178
 179       rsa_params =
 180         _gnutls_certificate_get_rsa_params (cred->rsa_params,
 181                                             cred->params_func, session);
 182       /* EXPORT case: */
 183       if (rsa_params == NULL)
 184         {
 185           gnutls_assert ();
 186           return GNUTLS_E_NO_TEMPORARY_RSA_PARAMS;
 187         }
 188
 189       /* In the export case, we do use temporary RSA params
 190        * of 512 bits size. The params in the certificate are
 191        * used to sign this temporary stuff.
 192        */
 193       *params_size = RSA_PRIVATE_PARAMS;
 194       *params = rsa_params->params;
 195
 196       return 0;
 197     }
 198
 199   /* non export cipher suites. */
 200
 201   *params_size = session->internals.selected_key->params_size;
 202   *params = session->internals.selected_key->params;
 203
 204   return 0;
 205 }
 206
 207 int
 208 _gnutls_proc_rsa_client_kx (gnutls_session_t session, opaque * data,
 209                             size_t _data_size)
 210 {
 211   gnutls_datum_t plaintext;
 212   gnutls_datum_t ciphertext;
 213   int ret, dsize;
 214   mpi_t *params;
 215   int params_len;
 216   int randomize_key = 0;
 217   ssize_t data_size = _data_size;
 218
 219   if (gnutls_protocol_get_version (session) == GNUTLS_SSL3)
 220     {
 221       /* SSL 3.0
 222        */
 223       ciphertext.data = data;
 224       ciphertext.size = data_size;
 225     }
 226   else
 227     {
 228       /* TLS 1.0
 229        */
 230       DECR_LEN (data_size, 2);
 231       ciphertext.data = &data[2];
 232       dsize = _gnutls_read_uint16 (data);
 233
 234       if (dsize != data_size)
 235         {
 236           gnutls_assert ();
 237           return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
 238         }
 239       ciphertext.size = dsize;
 240     }
 241
 242   ret = _gnutls_get_private_rsa_params (session, &params, &params_len);
 243   if (ret < 0)
 244     {
 245       gnutls_assert ();
 246       return ret;
 247     }
 248
 249   ret = _gnutls_pkcs1_rsa_decrypt (&plaintext, &ciphertext, params, params_len, 2);     /* btype==2 */
 250
 251   if (ret < 0 || plaintext.size != TLS_MASTER_SIZE)
 252     {
 253       /* In case decryption fails then don't inform
 254        * the peer. Just use a random key. (in order to avoid
 255        * attack against pkcs-1 formating).
 256        */
 257       gnutls_assert ();
 258       _gnutls_x509_log ("auth_rsa: Possible PKCS #1 format attack\n");
 259       randomize_key = 1;
 260     }
 261   else
 262     {
 263       /* If the secret was properly formatted, then
 264        * check the version number.
 265        */
 266       if (_gnutls_get_adv_version_major (session) != plaintext.data[0]
 267           || _gnutls_get_adv_version_minor (session) != plaintext.data[1])
 268         {
 269           /* No error is returned here, if the version number check
 270            * fails. We proceed normally.
 271            * That is to defend against the attack described in the paper
 272            * "Attacking RSA-based sessions in SSL/TLS" by Vlastimil Klima,
 273            * Ondej Pokorny and Tomas Rosa.
 274            */
 275           gnutls_assert ();
 276           _gnutls_x509_log
 277             ("auth_rsa: Possible PKCS #1 version check format attack\n");
 278         }
 279     }
 280
 281   if (randomize_key != 0)
 282     {
 283       session->key->key.size = TLS_MASTER_SIZE;
 284       session->key->key.data = gnutls_malloc (session->key->key.size);
 285       if (session->key->key.data == NULL)
 286         {
 287           gnutls_assert ();
 288           return GNUTLS_E_MEMORY_ERROR;
 289         }
 290
 291       /* we do not need strong random numbers here.
 292        */
 293       ret = _gnutls_rnd (RND_NONCE, session->key->key.data, session->key->key.size);
 294       if (ret < 0)
 295         {
 296           gnutls_assert ();
 297           return ret;
 298         }
 299
 300     }
 301   else
 302     {
 303       session->key->key.data = plaintext.data;
 304       session->key->key.size = plaintext.size;
 305     }
 306
 307   /* This is here to avoid the version check attack
 308    * discussed above.
 309    */
 310   session->key->key.data[0] = _gnutls_get_adv_version_major (session);
 311   session->key->key.data[1] = _gnutls_get_adv_version_minor (session);
 312
 313   return 0;
 314 }
 315
 316
 317
 318 /* return RSA(random) using the peers public key
 319  */
 320 int
 321 _gnutls_gen_rsa_client_kx (gnutls_session_t session, opaque ** data)
 322 {
 323   cert_auth_info_t auth = session->key->auth_info;
 324   gnutls_datum_t sdata;         /* data to send */
 325   mpi_t params[MAX_PUBLIC_PARAMS_SIZE];
 326   int params_len = MAX_PUBLIC_PARAMS_SIZE;
 327   int ret, i;
 328   gnutls_protocol_t ver;
 329
 330   if (auth == NULL)
 331     {
 332       /* this shouldn't have happened. The proc_certificate
 333        * function should have detected that.
 334        */
 335       gnutls_assert ();
 336       return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
 337     }
 338
 339   session->key->key.size = TLS_MASTER_SIZE;
 340   session->key->key.data = gnutls_secure_malloc (session->key->key.size);
 341
 342   if (session->key->key.data == NULL)
 343     {
 344       gnutls_assert ();
 345       return GNUTLS_E_MEMORY_ERROR;
 346     }
 347
 348   ret = _gnutls_rnd( RND_RANDOM, session->key->key.data, session->key->key.size);
 349   if ( ret < 0)
 350     {
 351       gnutls_assert ();
 352       return ret;
 353     }
 354
 355   ver = _gnutls_get_adv_version (session);
 356
 357   if (session->internals.rsa_pms_version[0] == 0)
 358     {
 359       session->key->key.data[0] = _gnutls_version_get_major (ver);
 360       session->key->key.data[1] = _gnutls_version_get_minor (ver);
 361     }
 362   else
 363     {                           /* use the version provided */
 364       session->key->key.data[0] = session->internals.rsa_pms_version[0];
 365       session->key->key.data[1] = session->internals.rsa_pms_version[1];
 366     }
 367
 368   /* move RSA parameters to key (session).
 369    */
 370   if ((ret =
 371        _gnutls_get_public_rsa_params (session, params, &params_len)) < 0)
 372     {
 373       gnutls_assert ();
 374       return ret;
 375     }
 376
 377   if ((ret =
 378        _gnutls_pkcs1_rsa_encrypt (&sdata, &session->key->key,
 379                                   params, params_len, 2)) < 0)
 380     {
 381       gnutls_assert ();
 382       return ret;
 383     }
 384
 385   for (i = 0; i < params_len; i++)
 386     _gnutls_mpi_release (&params[i]);
 387
 388   if (gnutls_protocol_get_version (session) == GNUTLS_SSL3)
 389     {
 390       /* SSL 3.0 */
 391       *data = sdata.data;
 392       return sdata.size;
 393     }
 394   else
 395     {                           /* TLS 1 */
 396       *data = gnutls_malloc (sdata.size + 2);
 397       if (*data == NULL)
 398         {
 399           _gnutls_free_datum (&sdata);
 400           return GNUTLS_E_MEMORY_ERROR;
 401         }
 402       _gnutls_write_datum16 (*data, sdata);
 403       ret = sdata.size + 2;
 404       _gnutls_free_datum (&sdata);
 405       return ret;
 406     }
 407
 408 }