|
Packit |
aea12f |
/*
|
|
Packit |
aea12f |
* Copyright (C) 2011-2012 Free Software Foundation, Inc.
|
|
Packit |
aea12f |
* Copyright (C) 2017 Red Hat, Inc.
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
* Author: Nikos Mavrogiannopoulos
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
* This file is part of GnuTLS.
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
* The GnuTLS is free software; you can redistribute it and/or
|
|
Packit |
aea12f |
* modify it under the terms of the GNU Lesser General Public License
|
|
Packit |
aea12f |
* as published by the Free Software Foundation; either version 2.1 of
|
|
Packit |
aea12f |
* the License, or (at your option) any later version.
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
* This library is distributed in the hope that it will be useful, but
|
|
Packit |
aea12f |
* WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
Packit |
aea12f |
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
Packit |
aea12f |
* Lesser General Public License for more details.
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
* You should have received a copy of the GNU Lesser General Public License
|
|
Packit |
aea12f |
* along with this program. If not, see <https://www.gnu.org/licenses/>
|
|
Packit |
aea12f |
*
|
|
Packit |
aea12f |
*/
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
/* This file contains common stuff in Ephemeral Diffie-Hellman (DHE)
|
|
Packit |
aea12f |
* and Anonymous DH key exchange(DHA). These are used in the handshake
|
|
Packit |
aea12f |
* procedure of the certificate and anoymous authentication.
|
|
Packit |
aea12f |
*/
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
#include "gnutls_int.h"
|
|
Packit |
aea12f |
#include "auth.h"
|
|
Packit |
aea12f |
#include "errors.h"
|
|
Packit |
aea12f |
#include "dh.h"
|
|
Packit |
aea12f |
#include "num.h"
|
|
Packit |
aea12f |
#include "tls-sig.h"
|
|
Packit |
aea12f |
#include <state.h>
|
|
Packit |
aea12f |
#include <datum.h>
|
|
Packit |
aea12f |
#include <x509.h>
|
|
Packit |
aea12f |
#include <auth/ecdhe.h>
|
|
Packit |
aea12f |
#include <ecc.h>
|
|
Packit |
aea12f |
#include <ext/supported_groups.h>
|
|
Packit |
aea12f |
#include <algorithms.h>
|
|
Packit |
aea12f |
#include <auth/psk.h>
|
|
Packit |
aea12f |
#include <auth/cert.h>
|
|
Packit |
aea12f |
#include <pk.h>
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
static int gen_ecdhe_server_kx(gnutls_session_t, gnutls_buffer_st *);
|
|
Packit |
aea12f |
static int
|
|
Packit |
aea12f |
proc_ecdhe_server_kx(gnutls_session_t session,
|
|
Packit |
aea12f |
uint8_t * data, size_t _data_size);
|
|
Packit |
aea12f |
static int
|
|
Packit |
aea12f |
proc_ecdhe_client_kx(gnutls_session_t session,
|
|
Packit |
aea12f |
uint8_t * data, size_t _data_size);
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
#if defined(ENABLE_ECDHE)
|
|
Packit |
aea12f |
const mod_auth_st ecdhe_ecdsa_auth_struct = {
|
|
Packit |
aea12f |
"ECDHE_ECDSA",
|
|
Packit |
aea12f |
_gnutls_gen_cert_server_crt,
|
|
Packit |
aea12f |
_gnutls_gen_cert_client_crt,
|
|
Packit |
aea12f |
gen_ecdhe_server_kx,
|
|
Packit |
aea12f |
_gnutls_gen_ecdh_common_client_kx, /* This is the only difference */
|
|
Packit |
aea12f |
_gnutls_gen_cert_client_crt_vrfy,
|
|
Packit |
aea12f |
_gnutls_gen_cert_server_cert_req,
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
_gnutls_proc_crt,
|
|
Packit |
aea12f |
_gnutls_proc_crt,
|
|
Packit |
aea12f |
proc_ecdhe_server_kx,
|
|
Packit |
aea12f |
proc_ecdhe_client_kx,
|
|
Packit |
aea12f |
_gnutls_proc_cert_client_crt_vrfy,
|
|
Packit |
aea12f |
_gnutls_proc_cert_cert_req
|
|
Packit |
aea12f |
};
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
const mod_auth_st ecdhe_rsa_auth_struct = {
|
|
Packit |
aea12f |
"ECDHE_RSA",
|
|
Packit |
aea12f |
_gnutls_gen_cert_server_crt,
|
|
Packit |
aea12f |
_gnutls_gen_cert_client_crt,
|
|
Packit |
aea12f |
gen_ecdhe_server_kx,
|
|
Packit |
aea12f |
_gnutls_gen_ecdh_common_client_kx, /* This is the only difference */
|
|
Packit |
aea12f |
_gnutls_gen_cert_client_crt_vrfy,
|
|
Packit |
aea12f |
_gnutls_gen_cert_server_cert_req,
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
_gnutls_proc_crt,
|
|
Packit |
aea12f |
_gnutls_proc_crt,
|
|
Packit |
aea12f |
proc_ecdhe_server_kx,
|
|
Packit |
aea12f |
proc_ecdhe_client_kx,
|
|
Packit |
aea12f |
_gnutls_proc_cert_client_crt_vrfy,
|
|
Packit |
aea12f |
_gnutls_proc_cert_cert_req
|
|
Packit |
aea12f |
};
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
static int calc_ecdh_key(gnutls_session_t session,
|
|
Packit |
aea12f |
gnutls_datum_t * psk_key,
|
|
Packit |
aea12f |
const gnutls_ecc_curve_entry_st *ecurve)
|
|
Packit |
aea12f |
{
|
|
Packit |
aea12f |
gnutls_pk_params_st pub;
|
|
Packit |
aea12f |
int ret;
|
|
Packit |
aea12f |
gnutls_datum_t tmp_dh_key;
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
gnutls_pk_params_init(&pub;;
|
|
Packit |
aea12f |
pub.params[ECC_X] = session->key.proto.tls12.ecdh.x;
|
|
Packit |
aea12f |
pub.params[ECC_Y] = session->key.proto.tls12.ecdh.y;
|
|
Packit |
aea12f |
pub.raw_pub.data = session->key.proto.tls12.ecdh.raw.data;
|
|
Packit |
aea12f |
pub.raw_pub.size = session->key.proto.tls12.ecdh.raw.size;
|
|
Packit |
aea12f |
pub.curve = ecurve->id;
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
ret =
|
|
Packit |
aea12f |
_gnutls_pk_derive(ecurve->pk, &tmp_dh_key,
|
|
Packit |
aea12f |
&session->key.proto.tls12.ecdh.params, &pub;;
|
|
Packit |
aea12f |
if (ret < 0) {
|
|
Packit |
aea12f |
ret = gnutls_assert_val(ret);
|
|
Packit |
aea12f |
goto cleanup;
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
if (psk_key == NULL) {
|
|
Packit |
aea12f |
memcpy(&session->key.key, &tmp_dh_key, sizeof(gnutls_datum_t));
|
|
Packit |
aea12f |
tmp_dh_key.data = NULL; /* no longer needed */
|
|
Packit |
aea12f |
} else {
|
|
Packit |
aea12f |
ret =
|
|
Packit |
aea12f |
_gnutls_set_psk_session_key(session, psk_key,
|
|
Packit |
aea12f |
&tmp_dh_key);
|
|
Packit |
aea12f |
_gnutls_free_temp_key_datum(&tmp_dh_key);
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
if (ret < 0) {
|
|
Packit |
aea12f |
ret = gnutls_assert_val(ret);
|
|
Packit |
aea12f |
goto cleanup;
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
ret = 0;
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
cleanup:
|
|
Packit |
aea12f |
/* no longer needed */
|
|
Packit |
aea12f |
_gnutls_mpi_release(&session->key.proto.tls12.ecdh.x);
|
|
Packit |
aea12f |
_gnutls_mpi_release(&session->key.proto.tls12.ecdh.y);
|
|
Packit |
aea12f |
_gnutls_free_datum(&session->key.proto.tls12.ecdh.raw);
|
|
Packit |
aea12f |
gnutls_pk_params_release(&session->key.proto.tls12.ecdh.params);
|
|
Packit |
aea12f |
return ret;
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
int _gnutls_proc_ecdh_common_client_kx(gnutls_session_t session,
|
|
Packit |
aea12f |
uint8_t * data, size_t _data_size,
|
|
Packit |
aea12f |
const struct gnutls_group_entry_st *group,
|
|
Packit |
aea12f |
gnutls_datum_t * psk_key)
|
|
Packit |
aea12f |
{
|
|
Packit |
aea12f |
ssize_t data_size = _data_size;
|
|
Packit |
aea12f |
int ret, i = 0;
|
|
Packit |
aea12f |
unsigned point_size;
|
|
Packit |
aea12f |
const gnutls_ecc_curve_entry_st *ecurve;
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
if (group == NULL)
|
|
Packit |
aea12f |
return gnutls_assert_val(GNUTLS_E_ECC_NO_SUPPORTED_CURVES);
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
ecurve = _gnutls_ecc_curve_get_params(group->curve);
|
|
Packit |
aea12f |
if (ecurve == NULL)
|
|
Packit |
aea12f |
return gnutls_assert_val(GNUTLS_E_ECC_NO_SUPPORTED_CURVES);
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
DECR_LEN(data_size, 1);
|
|
Packit |
aea12f |
point_size = data[i];
|
|
Packit |
aea12f |
i += 1;
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
if (point_size == 0) {
|
|
Packit |
aea12f |
ret = gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
|
|
Packit |
aea12f |
goto cleanup;
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
DECR_LEN(data_size, point_size);
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
if (ecurve->pk == GNUTLS_PK_EC) {
|
|
Packit |
aea12f |
ret =
|
|
Packit |
aea12f |
_gnutls_ecc_ansi_x962_import(&data[i], point_size,
|
|
Packit |
aea12f |
&session->key.proto.tls12.ecdh.x,
|
|
Packit |
aea12f |
&session->key.proto.tls12.ecdh.y);
|
|
Packit |
aea12f |
if (ret < 0) {
|
|
Packit |
aea12f |
gnutls_assert();
|
|
Packit |
aea12f |
goto cleanup;
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
} else if (ecurve->pk == GNUTLS_PK_ECDH_X25519) {
|
|
Packit |
aea12f |
if (ecurve->size != point_size)
|
|
Packit |
aea12f |
return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
ret = _gnutls_set_datum(&session->key.proto.tls12.ecdh.raw,
|
|
Packit |
aea12f |
&data[i], point_size);
|
|
Packit |
aea12f |
if (ret < 0) {
|
|
Packit |
aea12f |
gnutls_assert();
|
|
Packit |
aea12f |
goto cleanup;
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
/* RFC7748 requires to mask the MSB in the final byte */
|
|
Packit |
aea12f |
if (ecurve->id == GNUTLS_ECC_CURVE_X25519) {
|
|
Packit |
aea12f |
session->key.proto.tls12.ecdh.raw.data[point_size-1] &= 0x7f;
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
} else {
|
|
Packit |
aea12f |
return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
if (data_size != 0)
|
|
Packit |
aea12f |
return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
/* generate pre-shared key */
|
|
Packit |
aea12f |
ret = calc_ecdh_key(session, psk_key, ecurve);
|
|
Packit |
aea12f |
if (ret < 0) {
|
|
Packit |
aea12f |
gnutls_assert();
|
|
Packit |
aea12f |
goto cleanup;
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
cleanup:
|
|
Packit |
aea12f |
gnutls_pk_params_clear(&session->key.proto.tls12.ecdh.params);
|
|
Packit |
aea12f |
return ret;
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
static int
|
|
Packit |
aea12f |
proc_ecdhe_client_kx(gnutls_session_t session,
|
|
Packit |
aea12f |
uint8_t * data, size_t _data_size)
|
|
Packit |
aea12f |
{
|
|
Packit |
aea12f |
gnutls_certificate_credentials_t cred;
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
cred = (gnutls_certificate_credentials_t)
|
|
Packit |
aea12f |
_gnutls_get_cred(session, GNUTLS_CRD_CERTIFICATE);
|
|
Packit |
aea12f |
if (cred == NULL) {
|
|
Packit |
aea12f |
gnutls_assert();
|
|
Packit |
aea12f |
return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
return _gnutls_proc_ecdh_common_client_kx(session, data,
|
|
Packit |
aea12f |
_data_size,
|
|
Packit |
aea12f |
get_group
|
|
Packit |
aea12f |
(session), NULL);
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
int
|
|
Packit |
aea12f |
_gnutls_gen_ecdh_common_client_kx(gnutls_session_t session,
|
|
Packit |
aea12f |
gnutls_buffer_st * data)
|
|
Packit |
aea12f |
{
|
|
Packit |
aea12f |
return _gnutls_gen_ecdh_common_client_kx_int(session, data, NULL);
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
int
|
|
Packit |
aea12f |
_gnutls_gen_ecdh_common_client_kx_int(gnutls_session_t session,
|
|
Packit |
aea12f |
gnutls_buffer_st * data,
|
|
Packit |
aea12f |
gnutls_datum_t * psk_key)
|
|
Packit |
aea12f |
{
|
|
Packit |
aea12f |
int ret;
|
|
Packit |
aea12f |
gnutls_datum_t out;
|
|
Packit |
aea12f |
const gnutls_group_entry_st *group = get_group(session);
|
|
Packit |
aea12f |
const gnutls_ecc_curve_entry_st *ecurve;
|
|
Packit |
aea12f |
int pk;
|
|
Packit |
aea12f |
unsigned init_pos = data->length;
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
if (group == NULL)
|
|
Packit |
aea12f |
return gnutls_assert_val(GNUTLS_E_ECC_NO_SUPPORTED_CURVES);
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
ecurve = _gnutls_ecc_curve_get_params(group->curve);
|
|
Packit |
aea12f |
if (ecurve == NULL)
|
|
Packit |
aea12f |
return gnutls_assert_val(GNUTLS_E_ECC_NO_SUPPORTED_CURVES);
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
pk = ecurve->pk;
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
/* generate temporal key */
|
|
Packit |
aea12f |
ret =
|
|
Packit |
aea12f |
_gnutls_pk_generate_keys(pk, ecurve->id,
|
|
Packit |
aea12f |
&session->key.proto.tls12.ecdh.params, 1);
|
|
Packit |
aea12f |
if (ret < 0)
|
|
Packit |
aea12f |
return gnutls_assert_val(ret);
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
if (pk == GNUTLS_PK_EC) {
|
|
Packit |
aea12f |
ret =
|
|
Packit |
aea12f |
_gnutls_ecc_ansi_x962_export(ecurve->id,
|
|
Packit |
aea12f |
session->key.proto.tls12.ecdh.params.
|
|
Packit |
aea12f |
params[ECC_X] /* x */ ,
|
|
Packit |
aea12f |
session->key.proto.tls12.ecdh.params.
|
|
Packit |
aea12f |
params[ECC_Y] /* y */ , &out;;
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
if (ret < 0) {
|
|
Packit |
aea12f |
gnutls_assert();
|
|
Packit |
aea12f |
goto cleanup;
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
ret =
|
|
Packit |
aea12f |
_gnutls_buffer_append_data_prefix(data, 8, out.data, out.size);
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
_gnutls_free_datum(&out;;
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
if (ret < 0) {
|
|
Packit |
aea12f |
gnutls_assert();
|
|
Packit |
aea12f |
goto cleanup;
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
} else if (pk == GNUTLS_PK_ECDH_X25519) {
|
|
Packit |
aea12f |
ret =
|
|
Packit |
aea12f |
_gnutls_buffer_append_data_prefix(data, 8,
|
|
Packit |
aea12f |
session->key.proto.tls12.ecdh.params.raw_pub.data,
|
|
Packit |
aea12f |
session->key.proto.tls12.ecdh.params.raw_pub.size);
|
|
Packit |
aea12f |
if (ret < 0) {
|
|
Packit |
aea12f |
gnutls_assert();
|
|
Packit |
aea12f |
goto cleanup;
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
/* generate pre-shared key */
|
|
Packit |
aea12f |
ret = calc_ecdh_key(session, psk_key, ecurve);
|
|
Packit |
aea12f |
if (ret < 0) {
|
|
Packit |
aea12f |
gnutls_assert();
|
|
Packit |
aea12f |
goto cleanup;
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
ret = data->length - init_pos;
|
|
Packit |
aea12f |
cleanup:
|
|
Packit |
aea12f |
gnutls_pk_params_clear(&session->key.proto.tls12.ecdh.params);
|
|
Packit |
aea12f |
return ret;
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
static int
|
|
Packit |
aea12f |
proc_ecdhe_server_kx(gnutls_session_t session,
|
|
Packit |
aea12f |
uint8_t * data, size_t _data_size)
|
|
Packit |
aea12f |
{
|
|
Packit |
aea12f |
int ret;
|
|
Packit |
aea12f |
gnutls_datum_t vparams;
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
ret =
|
|
Packit |
aea12f |
_gnutls_proc_ecdh_common_server_kx(session, data, _data_size);
|
|
Packit |
aea12f |
if (ret < 0)
|
|
Packit |
aea12f |
return gnutls_assert_val(ret);
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
vparams.data = data;
|
|
Packit |
aea12f |
vparams.size = ret;
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
return _gnutls_proc_dhe_signature(session, data + ret,
|
|
Packit |
aea12f |
_data_size - ret, &vparams);
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
int
|
|
Packit |
aea12f |
_gnutls_proc_ecdh_common_server_kx(gnutls_session_t session,
|
|
Packit |
aea12f |
uint8_t * data, size_t _data_size)
|
|
Packit |
aea12f |
{
|
|
Packit |
aea12f |
int i, ret;
|
|
Packit |
aea12f |
unsigned point_size;
|
|
Packit |
aea12f |
const gnutls_group_entry_st *group;
|
|
Packit |
aea12f |
ssize_t data_size = _data_size;
|
|
Packit |
aea12f |
const gnutls_ecc_curve_entry_st *ecurve;
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
/* just in case we are resuming a session */
|
|
Packit |
aea12f |
gnutls_pk_params_release(&session->key.proto.tls12.ecdh.params);
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
gnutls_pk_params_init(&session->key.proto.tls12.ecdh.params);
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
i = 0;
|
|
Packit |
aea12f |
DECR_LEN(data_size, 1);
|
|
Packit |
aea12f |
if (data[i++] != 3)
|
|
Packit |
aea12f |
return gnutls_assert_val(GNUTLS_E_ECC_NO_SUPPORTED_CURVES);
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
DECR_LEN(data_size, 2);
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
group = _gnutls_tls_id_to_group(_gnutls_read_uint16(&data[i]));
|
|
Packit |
aea12f |
if (group == NULL || group->curve == 0) {
|
|
Packit |
aea12f |
_gnutls_debug_log("received unknown curve %u.%u\n", (unsigned)data[i], (unsigned)data[i+1]);
|
|
Packit |
aea12f |
return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
|
|
Packit |
aea12f |
} else {
|
|
Packit |
aea12f |
_gnutls_debug_log("received curve %s\n", group->name);
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
i += 2;
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
ret = _gnutls_session_supports_group(session, group->id);
|
|
Packit |
aea12f |
if (ret < 0)
|
|
Packit |
aea12f |
return gnutls_assert_val(ret);
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
ecurve = _gnutls_ecc_curve_get_params(group->curve);
|
|
Packit |
aea12f |
if (ecurve == NULL) {
|
|
Packit |
aea12f |
return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
_gnutls_session_group_set(session, group);
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
DECR_LEN(data_size, 1);
|
|
Packit |
aea12f |
point_size = data[i];
|
|
Packit |
aea12f |
i++;
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
DECR_LEN(data_size, point_size);
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
if (ecurve->pk == GNUTLS_PK_EC) {
|
|
Packit |
aea12f |
ret =
|
|
Packit |
aea12f |
_gnutls_ecc_ansi_x962_import(&data[i], point_size,
|
|
Packit |
aea12f |
&session->key.proto.tls12.ecdh.x,
|
|
Packit |
aea12f |
&session->key.proto.tls12.ecdh.y);
|
|
Packit |
aea12f |
if (ret < 0)
|
|
Packit |
aea12f |
return gnutls_assert_val(ret);
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
} else if (ecurve->pk == GNUTLS_PK_ECDH_X25519) {
|
|
Packit |
aea12f |
if (ecurve->size != point_size)
|
|
Packit |
aea12f |
return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
ret = _gnutls_set_datum(&session->key.proto.tls12.ecdh.raw,
|
|
Packit |
aea12f |
&data[i], point_size);
|
|
Packit |
aea12f |
if (ret < 0)
|
|
Packit |
aea12f |
return gnutls_assert_val(ret);
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
/* RFC7748 requires to mask the MSB in the final byte */
|
|
Packit |
aea12f |
if (ecurve->id == GNUTLS_ECC_CURVE_X25519) {
|
|
Packit |
aea12f |
session->key.proto.tls12.ecdh.raw.data[point_size-1] &= 0x7f;
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
} else {
|
|
Packit |
aea12f |
return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
i += point_size;
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
return i;
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
/* If the psk flag is set, then an empty psk_identity_hint will
|
|
Packit |
aea12f |
* be inserted */
|
|
Packit |
aea12f |
int _gnutls_ecdh_common_print_server_kx(gnutls_session_t session,
|
|
Packit |
aea12f |
gnutls_buffer_st * data,
|
|
Packit |
aea12f |
const gnutls_group_entry_st *group)
|
|
Packit |
aea12f |
{
|
|
Packit |
aea12f |
uint8_t p;
|
|
Packit |
aea12f |
int ret;
|
|
Packit |
aea12f |
gnutls_datum_t out;
|
|
Packit |
aea12f |
unsigned init_pos = data->length;
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
if (group == NULL || group->curve == 0)
|
|
Packit |
aea12f |
return gnutls_assert_val(GNUTLS_E_ECC_NO_SUPPORTED_CURVES);
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
/* just in case we are resuming a session */
|
|
Packit |
aea12f |
gnutls_pk_params_release(&session->key.proto.tls12.ecdh.params);
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
gnutls_pk_params_init(&session->key.proto.tls12.ecdh.params);
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
/* curve type */
|
|
Packit |
aea12f |
p = 3;
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
ret = _gnutls_buffer_append_data(data, &p, 1);
|
|
Packit |
aea12f |
if (ret < 0)
|
|
Packit |
aea12f |
return gnutls_assert_val(ret);
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
ret =
|
|
Packit |
aea12f |
_gnutls_buffer_append_prefix(data, 16,
|
|
Packit |
aea12f |
group->tls_id);
|
|
Packit |
aea12f |
if (ret < 0)
|
|
Packit |
aea12f |
return gnutls_assert_val(ret);
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
/* generate temporal key */
|
|
Packit |
aea12f |
ret =
|
|
Packit |
aea12f |
_gnutls_pk_generate_keys(group->pk, group->curve,
|
|
Packit |
aea12f |
&session->key.proto.tls12.ecdh.params, 1);
|
|
Packit |
aea12f |
if (ret < 0)
|
|
Packit |
aea12f |
return gnutls_assert_val(ret);
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
if (group->pk == GNUTLS_PK_EC) {
|
|
Packit |
aea12f |
ret =
|
|
Packit |
aea12f |
_gnutls_ecc_ansi_x962_export(group->curve,
|
|
Packit |
aea12f |
session->key.proto.tls12.ecdh.params.
|
|
Packit |
aea12f |
params[ECC_X] /* x */ ,
|
|
Packit |
aea12f |
session->key.proto.tls12.ecdh.params.
|
|
Packit |
aea12f |
params[ECC_Y] /* y */ , &out;;
|
|
Packit |
aea12f |
if (ret < 0)
|
|
Packit |
aea12f |
return gnutls_assert_val(ret);
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
ret =
|
|
Packit |
aea12f |
_gnutls_buffer_append_data_prefix(data, 8, out.data, out.size);
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
_gnutls_free_datum(&out;;
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
if (ret < 0)
|
|
Packit |
aea12f |
return gnutls_assert_val(ret);
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
} else if (group->pk == GNUTLS_PK_ECDH_X25519) {
|
|
Packit |
aea12f |
ret =
|
|
Packit |
aea12f |
_gnutls_buffer_append_data_prefix(data, 8,
|
|
Packit |
aea12f |
session->key.proto.tls12.ecdh.params.raw_pub.data,
|
|
Packit |
aea12f |
session->key.proto.tls12.ecdh.params.raw_pub.size);
|
|
Packit |
aea12f |
if (ret < 0)
|
|
Packit |
aea12f |
return gnutls_assert_val(ret);
|
|
Packit |
aea12f |
} else {
|
|
Packit |
aea12f |
return gnutls_assert_val(GNUTLS_E_ECC_NO_SUPPORTED_CURVES);
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
return data->length - init_pos;
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
static int
|
|
Packit |
aea12f |
gen_ecdhe_server_kx(gnutls_session_t session, gnutls_buffer_st * data)
|
|
Packit |
aea12f |
{
|
|
Packit |
aea12f |
int ret = 0;
|
|
Packit |
aea12f |
gnutls_certificate_credentials_t cred;
|
|
Packit |
aea12f |
unsigned sig_pos;
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
cred = (gnutls_certificate_credentials_t)
|
|
Packit |
aea12f |
_gnutls_get_cred(session, GNUTLS_CRD_CERTIFICATE);
|
|
Packit |
aea12f |
if (cred == NULL) {
|
|
Packit |
aea12f |
gnutls_assert();
|
|
Packit |
aea12f |
return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
if ((ret = _gnutls_auth_info_init(session, GNUTLS_CRD_CERTIFICATE,
|
|
Packit |
aea12f |
sizeof(cert_auth_info_st),
|
|
Packit |
aea12f |
1)) < 0) {
|
|
Packit |
aea12f |
gnutls_assert();
|
|
Packit |
aea12f |
return ret;
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
sig_pos = data->length;
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
ret =
|
|
Packit |
aea12f |
_gnutls_ecdh_common_print_server_kx(session, data,
|
|
Packit |
aea12f |
get_group
|
|
Packit |
aea12f |
(session));
|
|
Packit |
aea12f |
if (ret < 0) {
|
|
Packit |
aea12f |
gnutls_assert();
|
|
Packit |
aea12f |
return ret;
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
/* Generate the signature. */
|
|
Packit |
aea12f |
return _gnutls_gen_dhe_signature(session, data, &data->data[sig_pos],
|
|
Packit |
aea12f |
data->length-sig_pos);
|
|
Packit |
aea12f |
}
|
|
Packit |
aea12f |
|
|
Packit |
aea12f |
#endif
|