lib/gnutls_pk.c

   1 /*
   2  * Copyright (C) 2001, 2002, 2003, 2004, 2005, 2006, 2008, 2009 Free Software Foundation
   3  *
   4  * Author: Nikos Mavrogiannopoulos
   5  *
   6  * This file is part of GNUTLS.
   7  *
   8  * The GNUTLS library is free software; you can redistribute it and/or
   9  * modify it under the terms of the GNU Lesser General Public License
  10  * as published by the Free Software Foundation; either version 2.1 of
  11  * the License, or (at your option) any later version.
  12  *
  13  * This library is distributed in the hope that it will be useful, but
  14  * WITHOUT ANY WARRANTY; without even the implied warranty of
  15  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  16  * Lesser General Public License for more details.
  17  *
  18  * You should have received a copy of the GNU Lesser General Public
  19  * License along with this library; if not, write to the Free Software
  20  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
  21  * USA
  22  *
  23  */
  24
  25 /* This file contains the functions needed for RSA/DSA public key
  26  * encryption and signatures.
  27  */
  28
  29 #include <gnutls_int.h>
  30 #include <gnutls_mpi.h>
  31 #include <gnutls_pk.h>
  32 #include <gnutls_errors.h>
  33 #include <gnutls_datum.h>
  34 #include <gnutls_global.h>
  35 #include <gnutls_num.h>
  36 #include "debug.h"
  37 #include <x509/x509_int.h>
  38 #include <x509/common.h>
  39 #include <random.h>
  40
  41 /* Do PKCS-1 RSA encryption.
  42  * params is modulus, public exp.
  43  */
  44 int
  45 _gnutls_pkcs1_rsa_encrypt (gnutls_datum_t * ciphertext,
  46                            const gnutls_datum_t * plaintext,
  47                            bigint_t * params, unsigned params_len,
  48                            unsigned btype)
  49 {
  50   unsigned int i, pad;
  51   int ret;
  52   opaque *edata, *ps;
  53   size_t k, psize;
  54   size_t mod_bits;
  55   gnutls_pk_params_st pk_params;
  56   gnutls_datum_t to_encrypt, encrypted;
  57
  58   for (i = 0; i < params_len; i++)
  59     pk_params.params[i] = params[i];
  60   pk_params.params_nr = params_len;
  61
  62   mod_bits = _gnutls_mpi_get_nbits (params[0]);
  63   k = mod_bits / 8;
  64   if (mod_bits % 8 != 0)
  65     k++;
  66
  67   if (plaintext->size > k - 11)
  68     {
  69       gnutls_assert ();
  70       return GNUTLS_E_PK_ENCRYPTION_FAILED;
  71     }
  72
  73   edata = gnutls_malloc (k);
  74   if (edata == NULL)
  75     {
  76       gnutls_assert ();
  77       return GNUTLS_E_MEMORY_ERROR;
  78     }
  79
  80   /* EB = 00||BT||PS||00||D
  81    * (use block type 'btype')
  82    */
  83
  84   edata[0] = 0;
  85   edata[1] = btype;
  86   psize = k - 3 - plaintext->size;
  87
  88   ps = &edata[2];
  89   switch (btype)
  90     {
  91     case 2:
  92       /* using public key */
  93       if (params_len < RSA_PUBLIC_PARAMS)
  94         {
  95           gnutls_assert ();
  96           gnutls_free (edata);
  97           return GNUTLS_E_INTERNAL_ERROR;
  98         }
  99
 100       ret = _gnutls_rnd (GNUTLS_RND_RANDOM, ps, psize);
 101       if (ret < 0)
 102         {
 103           gnutls_assert ();
 104           gnutls_free (edata);
 105           return ret;
 106         }
 107       for (i = 0; i < psize; i++)
 108         while (ps[i] == 0)
 109           {
 110             ret = _gnutls_rnd (GNUTLS_RND_RANDOM, &ps[i], 1);
 111             if (ret < 0)
 112               {
 113                 gnutls_assert ();
 114                 gnutls_free (edata);
 115                 return ret;
 116               }
 117           }
 118       break;
 119     case 1:
 120       /* using private key */
 121
 122       if (params_len < RSA_PRIVATE_PARAMS)
 123         {
 124           gnutls_assert ();
 125           gnutls_free (edata);
 126           return GNUTLS_E_INTERNAL_ERROR;
 127         }
 128
 129       for (i = 0; i < psize; i++)
 130         ps[i] = 0xff;
 131       break;
 132     default:
 133       gnutls_assert ();
 134       gnutls_free (edata);
 135       return GNUTLS_E_INTERNAL_ERROR;
 136     }
 137
 138   ps[psize] = 0;
 139   memcpy (&ps[psize + 1], plaintext->data, plaintext->size);
 140
 141   to_encrypt.data = edata;
 142   to_encrypt.size = k;
 143
 144   if (btype == 2)               /* encrypt */
 145     ret =
 146       _gnutls_pk_encrypt (GNUTLS_PK_RSA, &encrypted, &to_encrypt, &pk_params);
 147   else                          /* sign */
 148     ret =
 149       _gnutls_pk_sign (GNUTLS_PK_RSA, &encrypted, &to_encrypt, &pk_params);
 150
 151   gnutls_free (edata);
 152
 153   if (ret < 0)
 154     {
 155       gnutls_assert ();
 156       return ret;
 157     }
 158
 159   psize = encrypted.size;
 160   if (psize < k)
 161     {
 162       /* padding psize */
 163       pad = k - psize;
 164       psize = k;
 165     }
 166   else if (psize == k)
 167     {
 168       /* pad = 0;
 169        * no need to do anything else
 170        */
 171       ciphertext->data = encrypted.data;
 172       ciphertext->size = encrypted.size;
 173       return 0;
 174     }
 175   else
 176     {                           /* psize > k !!! */
 177       /* This is an impossible situation */
 178       gnutls_assert ();
 179       _gnutls_free_datum (&encrypted);
 180       return GNUTLS_E_INTERNAL_ERROR;
 181     }
 182
 183   ciphertext->data = gnutls_malloc (psize);
 184   if (ciphertext->data == NULL)
 185     {
 186       gnutls_assert ();
 187       _gnutls_free_datum (&encrypted);
 188       return GNUTLS_E_MEMORY_ERROR;
 189     }
 190
 191   memcpy (&ciphertext->data[pad], encrypted.data, encrypted.size);
 192   for (i = 0; i < pad; i++)
 193     ciphertext->data[i] = 0;
 194
 195   ciphertext->size = k;
 196
 197   _gnutls_free_datum (&encrypted);
 198
 199   return 0;
 200 }
 201
 202
 203 /* Do PKCS-1 RSA decryption.
 204  * params is modulus, public exp., private key
 205  * Can decrypt block type 1 and type 2 packets.
 206  */
 207 int
 208 _gnutls_pkcs1_rsa_decrypt (gnutls_datum_t * plaintext,
 209                            const gnutls_datum_t * ciphertext,
 210                            bigint_t * params, unsigned params_len,
 211                            unsigned btype)
 212 {
 213   unsigned int k, i;
 214   int ret;
 215   size_t esize, mod_bits;
 216   gnutls_pk_params_st pk_params;
 217
 218   for (i = 0; i < params_len; i++)
 219     pk_params.params[i] = params[i];
 220   pk_params.params_nr = params_len;
 221
 222   mod_bits = _gnutls_mpi_get_nbits (params[0]);
 223   k = mod_bits / 8;
 224   if (mod_bits % 8 != 0)
 225     k++;
 226
 227   esize = ciphertext->size;
 228
 229   if (esize != k)
 230     {
 231       gnutls_assert ();
 232       return GNUTLS_E_PK_DECRYPTION_FAILED;
 233     }
 234
 235   /* we can use btype to see if the private key is
 236    * available.
 237    */
 238   if (btype == 2)
 239     {
 240       ret =
 241         _gnutls_pk_decrypt (GNUTLS_PK_RSA, plaintext, ciphertext, &pk_params);
 242     }
 243   else
 244     {
 245       ret =
 246         _gnutls_pk_encrypt (GNUTLS_PK_RSA, plaintext, ciphertext, &pk_params);
 247     }
 248
 249   if (ret < 0)
 250     {
 251       gnutls_assert ();
 252       return ret;
 253     }
 254
 255   /* EB = 00||BT||PS||00||D
 256    * (use block type 'btype')
 257    *
 258    * From now on, return GNUTLS_E_DECRYPTION_FAILED on errors, to
 259    * avoid attacks similar to the one described by Bleichenbacher in:
 260    * "Chosen Ciphertext Attacks against Protocols Based on RSA
 261    * Encryption Standard PKCS #1".
 262    */
 263   if (plaintext->data[0] != 0 || plaintext->data[1] != btype)
 264     {
 265       gnutls_assert ();
 266       return GNUTLS_E_DECRYPTION_FAILED;
 267     }
 268
 269   ret = GNUTLS_E_DECRYPTION_FAILED;
 270   switch (btype)
 271     {
 272     case 2:
 273       for (i = 2; i < plaintext->size; i++)
 274         {
 275           if (plaintext->data[i] == 0)
 276             {
 277               ret = 0;
 278               break;
 279             }
 280         }
 281       break;
 282     case 1:
 283       for (i = 2; i < plaintext->size; i++)
 284         {
 285           if (plaintext->data[i] == 0 && i > 2)
 286             {
 287               ret = 0;
 288               break;
 289             }
 290           if (plaintext->data[i] != 0xff)
 291             {
 292               _gnutls_handshake_log ("PKCS #1 padding error");
 293               _gnutls_free_datum (plaintext);
 294               /* PKCS #1 padding error.  Don't use
 295                  GNUTLS_E_PKCS1_WRONG_PAD here.  */
 296               break;
 297             }
 298         }
 299       break;
 300     default:
 301       gnutls_assert ();
 302       _gnutls_free_datum (plaintext);
 303       break;
 304     }
 305   i++;
 306
 307   if (ret < 0)
 308     {
 309       gnutls_assert ();
 310       _gnutls_free_datum (plaintext);
 311       return GNUTLS_E_DECRYPTION_FAILED;
 312     }
 313
 314   memmove (plaintext->data, &plaintext->data[i], esize - i);
 315   plaintext->size = esize - i;
 316
 317   return 0;
 318 }
 319
 320
 321 int
 322 _gnutls_rsa_verify (const gnutls_datum_t * vdata,
 323                     const gnutls_datum_t * ciphertext, bigint_t * params,
 324                     int params_len, int btype)
 325 {
 326
 327   gnutls_datum_t plain;
 328   int ret;
 329
 330   /* decrypt signature */
 331   if ((ret =
 332        _gnutls_pkcs1_rsa_decrypt (&plain, ciphertext, params, params_len,
 333                                   btype)) < 0)
 334     {
 335       gnutls_assert ();
 336       return ret;
 337     }
 338
 339   if (plain.size != vdata->size)
 340     {
 341       gnutls_assert ();
 342       _gnutls_free_datum (&plain);
 343       return GNUTLS_E_PK_SIG_VERIFY_FAILED;
 344     }
 345
 346   if (memcmp (plain.data, vdata->data, plain.size) != 0)
 347     {
 348       gnutls_assert ();
 349       _gnutls_free_datum (&plain);
 350       return GNUTLS_E_PK_SIG_VERIFY_FAILED;
 351     }
 352
 353   _gnutls_free_datum (&plain);
 354
 355   return 0;                     /* ok */
 356 }
 357
 358 /* encodes the Dss-Sig-Value structure
 359  */
 360 int
 361 _gnutls_encode_ber_rs (gnutls_datum_t * sig_value, bigint_t r, bigint_t s)
 362 {
 363   ASN1_TYPE sig;
 364   int result;
 365
 366   if ((result =
 367        asn1_create_element (_gnutls_get_gnutls_asn (),
 368                             "GNUTLS.DSASignatureValue",
 369                             &sig)) != ASN1_SUCCESS)
 370     {
 371       gnutls_assert ();
 372       return _gnutls_asn2err (result);
 373     }
 374
 375   result = _gnutls_x509_write_int (sig, "r", r, 1);
 376   if (result < 0)
 377     {
 378       gnutls_assert ();
 379       asn1_delete_structure (&sig);
 380       return result;
 381     }
 382
 383   result = _gnutls_x509_write_int (sig, "s", s, 1);
 384   if (result < 0)
 385     {
 386       gnutls_assert ();
 387       asn1_delete_structure (&sig);
 388       return result;
 389     }
 390
 391   result = _gnutls_x509_der_encode (sig, "", sig_value, 0);
 392
 393   asn1_delete_structure (&sig);
 394
 395   if (result < 0)
 396     {
 397       gnutls_assert ();
 398       return result;
 399     }
 400
 401   return 0;
 402 }
 403
 404
 405 /* Do DSA signature calculation. params is p, q, g, y, x in that order.
 406  */
 407 int
 408 _gnutls_dsa_sign (gnutls_datum_t * signature,
 409                   const gnutls_datum_t * hash, bigint_t * params,
 410                   unsigned int params_len)
 411 {
 412   int ret;
 413   size_t i;
 414   size_t k;
 415   gnutls_pk_params_st pk_params;
 416
 417   for (i = 0; i < params_len; i++)
 418     pk_params.params[i] = params[i];
 419   pk_params.params_nr = params_len;
 420
 421   k = hash->size;
 422   if (k < 20)
 423     {                           /* SHA1 or better only */
 424       gnutls_assert ();
 425       return GNUTLS_E_PK_SIGN_FAILED;
 426     }
 427
 428   ret = _gnutls_pk_sign (GNUTLS_PK_DSA, signature, hash, &pk_params);
 429   /* rs[0], rs[1] now hold r,s */
 430
 431   if (ret < 0)
 432     {
 433       gnutls_assert ();
 434       return ret;
 435     }
 436
 437   return 0;
 438 }
 439
 440 /* decodes the Dss-Sig-Value structure
 441  */
 442 int
 443 _gnutls_decode_ber_rs (const gnutls_datum_t * sig_value, bigint_t * r,
 444                        bigint_t * s)
 445 {
 446   ASN1_TYPE sig;
 447   int result;
 448
 449   if ((result =
 450        asn1_create_element (_gnutls_get_gnutls_asn (),
 451                             "GNUTLS.DSASignatureValue",
 452                             &sig)) != ASN1_SUCCESS)
 453     {
 454       gnutls_assert ();
 455       return _gnutls_asn2err (result);
 456     }
 457
 458   result = asn1_der_decoding (&sig, sig_value->data, sig_value->size, NULL);
 459   if (result != ASN1_SUCCESS)
 460     {
 461       gnutls_assert ();
 462       asn1_delete_structure (&sig);
 463       return _gnutls_asn2err (result);
 464     }
 465
 466   result = _gnutls_x509_read_int (sig, "r", r);
 467   if (result < 0)
 468     {
 469       gnutls_assert ();
 470       asn1_delete_structure (&sig);
 471       return result;
 472     }
 473
 474   result = _gnutls_x509_read_int (sig, "s", s);
 475   if (result < 0)
 476     {
 477       gnutls_assert ();
 478       _gnutls_mpi_release (s);
 479       asn1_delete_structure (&sig);
 480       return result;
 481     }
 482
 483   asn1_delete_structure (&sig);
 484
 485   return 0;
 486 }
 487
 488 /* params is p, q, g, y in that order
 489  */
 490 int
 491 _gnutls_dsa_verify (const gnutls_datum_t * vdata,
 492                     const gnutls_datum_t * sig_value, bigint_t * params,
 493                     int params_len)
 494 {
 495
 496   int ret, i;
 497   gnutls_pk_params_st pk_params;
 498
 499   for (i = 0; i < params_len; i++)
 500     pk_params.params[i] = params[i];
 501   pk_params.params_nr = params_len;
 502
 503   if (vdata->size > 20)
 504     {                           /* SHA1 or better only */
 505       gnutls_assert ();
 506       return GNUTLS_E_PK_SIG_VERIFY_FAILED;
 507     }
 508
 509   /* decrypt signature */
 510   ret = _gnutls_pk_verify (GNUTLS_PK_DSA, vdata, sig_value, &pk_params);
 511
 512   if (ret < 0)
 513     {
 514       gnutls_assert ();
 515       return ret;
 516     }
 517
 518   return 0;                     /* ok */
 519 }
 520
 521 /* some generic pk functions */
 522 static int
 523 _generate_params (int algo, bigint_t * resarr, unsigned int *resarr_len,
 524                   int bits)
 525 {
 526   gnutls_pk_params_st params;
 527   int ret;
 528   unsigned int i;
 529
 530   ret = _gnutls_pk_ops.generate (algo, bits, &params);
 531
 532   if (ret < 0)
 533     {
 534       gnutls_assert ();
 535       return ret;
 536     }
 537
 538   if (resarr && resarr_len && *resarr_len >= params.params_nr)
 539     {
 540       *resarr_len = params.params_nr;
 541       for (i = 0; i < params.params_nr; i++)
 542         resarr[i] = params.params[i];
 543     }
 544   else
 545     {
 546       gnutls_assert ();
 547       return GNUTLS_E_INVALID_REQUEST;
 548     }
 549   return 0;
 550 }
 551
 552
 553
 554 int
 555 _gnutls_rsa_generate_params (bigint_t * resarr, unsigned int *resarr_len,
 556                              int bits)
 557 {
 558   return _generate_params (GNUTLS_PK_RSA, resarr, resarr_len, bits);
 559 }
 560
 561 int
 562 _gnutls_dsa_generate_params (bigint_t * resarr, unsigned int *resarr_len,
 563                              int bits)
 564 {
 565   return _generate_params (GNUTLS_PK_DSA, resarr, resarr_len, bits);
 566 }
 567
 568 int
 569 _gnutls_pk_params_copy (gnutls_pk_params_st * dst, bigint_t * params,
 570                         int params_len)
 571 {
 572   int i, j;
 573   dst->params_nr = 0;
 574
 575   if (params_len == 0 || params == NULL)
 576     {
 577       gnutls_assert ();
 578       return GNUTLS_E_INVALID_REQUEST;
 579     }
 580
 581   for (i = 0; i < params_len; i++)
 582     {
 583       dst->params[i] = _gnutls_mpi_set (NULL, params[i]);
 584       if (dst->params[i] == NULL)
 585         {
 586           for (j = 0; j < i; j++)
 587             _gnutls_mpi_release (&dst->params[j]);
 588           return GNUTLS_E_MEMORY_ERROR;
 589         }
 590       dst->params_nr++;
 591     }
 592
 593   return 0;
 594 }
 595
 596 void
 597 gnutls_pk_params_init (gnutls_pk_params_st * p)
 598 {
 599   memset (p, 0, sizeof (gnutls_pk_params_st));
 600 }
 601
 602 void
 603 gnutls_pk_params_release (gnutls_pk_params_st * p)
 604 {
 605   unsigned int i;
 606   for (i = 0; i < p->params_nr; i++)
 607     {
 608       _gnutls_mpi_release (&p->params[i]);
 609     }
 610 }