source-git / gnutls

Clone
Source Code
GIT

Blame lib/auth/rsa.c

c8 c8s master
  1.   b97e568fddb0c347c225fc68303960b41a24f19f
  2.   lib
  3.   auth
  4.   rsa.c
Blob History Raw
Packit Service 4684c1 
/*
Packit Service 4684c1 
 * Copyright (C) 2000-2012 Free Software Foundation, Inc.
Packit Service 4684c1 
 *
Packit Service 4684c1 
 * Author: Nikos Mavrogiannopoulos
Packit Service 4684c1 
 *
Packit Service 4684c1 
 * This file is part of GnuTLS.
Packit Service 4684c1 
 *
Packit Service 4684c1 
 * The GnuTLS is free software; you can redistribute it and/or
Packit Service 4684c1 
 * modify it under the terms of the GNU Lesser General Public License
Packit Service 4684c1 
 * as published by the Free Software Foundation; either version 2.1 of
Packit Service 4684c1 
 * the License, or (at your option) any later version.
Packit Service 4684c1 
 *
Packit Service 4684c1 
 * This library is distributed in the hope that it will be useful, but
Packit Service 4684c1 
 * WITHOUT ANY WARRANTY; without even the implied warranty of
Packit Service 4684c1 
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
Packit Service 4684c1 
 * Lesser General Public License for more details.
Packit Service 4684c1 
 *
Packit Service 4684c1 
 * You should have received a copy of the GNU Lesser General Public License
Packit Service 4684c1 
 * along with this program.  If not, see <https://www.gnu.org/licenses/>
Packit Service 4684c1 
 *
Packit Service 4684c1 
 */
Packit Service 4684c1
Packit Service 4684c1 
/* This file contains the RSA key exchange part of the certificate
Packit Service 4684c1 
 * authentication.
Packit Service 4684c1 
 */
Packit Service 4684c1
Packit Service 4684c1 
#include "gnutls_int.h"
Packit Service 4684c1 
#include "auth.h"
Packit Service 4684c1 
#include "errors.h"
Packit Service 4684c1 
#include "dh.h"
Packit Service 4684c1 
#include "num.h"
Packit Service 4684c1 
#include "datum.h"
Packit Service 4684c1 
#include <auth/cert.h>
Packit Service 4684c1 
#include <pk.h>
Packit Service 4684c1 
#include <algorithms.h>
Packit Service 4684c1 
#include <global.h>
Packit Service 4684c1 
#include "debug.h"
Packit Service 4684c1 
#include <tls-sig.h>
Packit Service 4684c1 
#include <x509.h>
Packit Service 4684c1 
#include <random.h>
Packit Service 4684c1 
#include <mpi.h>
Packit Service 4684c1 
#include <abstract_int.h>
Packit Service 4684c1 
#include <auth/rsa_common.h>
Packit Service 4684c1
Packit Service 4684c1 
int _gnutls_gen_rsa_client_kx(gnutls_session_t, gnutls_buffer_st *);
Packit Service 4684c1 
static int proc_rsa_client_kx(gnutls_session_t, uint8_t *, size_t);
Packit Service 4684c1
Packit Service 4684c1 
const mod_auth_st rsa_auth_struct = {
Packit Service 4684c1 
	"RSA",
Packit Service 4684c1 
	_gnutls_gen_cert_server_crt,
Packit Service 4684c1 
	_gnutls_gen_cert_client_crt,
Packit Service 4684c1 
	NULL,			/* gen server kx */
Packit Service 4684c1 
	_gnutls_gen_rsa_client_kx,
Packit Service 4684c1 
	_gnutls_gen_cert_client_crt_vrfy,	/* gen client cert vrfy */
Packit Service 4684c1 
	_gnutls_gen_cert_server_cert_req,	/* server cert request */
Packit Service 4684c1
Packit Service 4684c1 
	_gnutls_proc_crt,
Packit Service 4684c1 
	_gnutls_proc_crt,
Packit Service 4684c1 
	NULL,			/* proc server kx */
Packit Service 4684c1 
	proc_rsa_client_kx,	/* proc client kx */
Packit Service 4684c1 
	_gnutls_proc_cert_client_crt_vrfy,	/* proc client cert vrfy */
Packit Service 4684c1 
	_gnutls_proc_cert_cert_req	/* proc server cert request */
Packit Service 4684c1 
};
Packit Service 4684c1
Packit Service 4684c1 
static
Packit Service 4684c1 
int check_key_usage_for_enc(gnutls_session_t session, unsigned key_usage)
Packit Service 4684c1 
{
Packit Service 4684c1 
	if (key_usage != 0) {
Packit Service 4684c1 
		if (!(key_usage & GNUTLS_KEY_KEY_ENCIPHERMENT) && !(key_usage & GNUTLS_KEY_KEY_AGREEMENT)) {
Packit Service 4684c1 
			gnutls_assert();
Packit Service 4684c1 
			if (session->internals.allow_key_usage_violation == 0) {
Packit Service 4684c1 
				_gnutls_audit_log(session,
Packit Service 4684c1 
					  "Peer's certificate does not allow encryption. Key usage violation detected.\n");
Packit Service 4684c1 
				return GNUTLS_E_KEY_USAGE_VIOLATION;
Packit Service 4684c1 
			} else {
Packit Service 4684c1 
				_gnutls_audit_log(session,
Packit Service 4684c1 
					  "Peer's certificate does not allow encryption. Key usage violation detected (ignored).\n");
Packit Service 4684c1 
			}
Packit Service 4684c1 
		}
Packit Service 4684c1 
	}
Packit Service 4684c1 
	return 0;
Packit Service 4684c1 
}
Packit Service 4684c1
Packit Service 4684c1 
/* This function reads the RSA parameters from peer's certificate;
Packit Service 4684c1 
 *
Packit Service 4684c1 
 * IMPORTANT:
Packit Service 4684c1 
 * Currently this function gets only called on the client side
Packit Service 4684c1 
 * during generation of the client kx msg. This function
Packit Service 4684c1 
 * retrieves the RSA params from the peer's certificate. That is in
Packit Service 4684c1 
 * this case the server's certificate. As of GNUTLS version 3.6.4 it is
Packit Service 4684c1 
 * possible to negotiate different certificate types for client and
Packit Service 4684c1 
 * server. Therefore the correct cert type needs to be retrieved to be
Packit Service 4684c1 
 * used for the _gnutls_get_auth_info_pcert call. If this
Packit Service 4684c1 
 * function is to be called on the server side in the future, extra
Packit Service 4684c1 
 * checks need to be build in order to retrieve the correct
Packit Service 4684c1 
 * certificate type.
Packit Service 4684c1 
 */
Packit Service 4684c1 
int
Packit Service 4684c1 
_gnutls_get_public_rsa_params(gnutls_session_t session,
Packit Service 4684c1 
			      gnutls_pk_params_st * params)
Packit Service 4684c1 
{
Packit Service 4684c1 
	int ret;
Packit Service 4684c1 
	cert_auth_info_t info;
Packit Service 4684c1 
	unsigned key_usage;
Packit Service 4684c1 
	gnutls_pcert_st peer_cert;
Packit Service 4684c1 
	gnutls_certificate_type_t cert_type;
Packit Service 4684c1
Packit Service 4684c1 
	assert(!IS_SERVER(session));
Packit Service 4684c1
Packit Service 4684c1 
	/* normal non export case */
Packit Service 4684c1
Packit Service 4684c1 
	info = _gnutls_get_auth_info(session, GNUTLS_CRD_CERTIFICATE);
Packit Service 4684c1
Packit Service 4684c1 
	if (info == NULL || info->ncerts == 0) {
Packit Service 4684c1 
		gnutls_assert();
Packit Service 4684c1 
		return GNUTLS_E_INTERNAL_ERROR;
Packit Service 4684c1 
	}
Packit Service 4684c1
Packit Service 4684c1 
	// Get the negotiated server certificate type
Packit Service 4684c1 
	cert_type = get_certificate_type(session, GNUTLS_CTYPE_SERVER);
Packit Service 4684c1
Packit Service 4684c1 
	ret = _gnutls_get_auth_info_pcert(&peer_cert, cert_type, info);
Packit Service 4684c1
Packit Service 4684c1 
	if (ret < 0) {
Packit Service 4684c1 
		gnutls_assert();
Packit Service 4684c1 
		return ret;
Packit Service 4684c1 
	}
Packit Service 4684c1
Packit Service 4684c1 
	gnutls_pubkey_get_key_usage(peer_cert.pubkey, &key_usage);
Packit Service 4684c1
Packit Service 4684c1 
	ret = check_key_usage_for_enc(session, key_usage);
Packit Service 4684c1 
	if (ret < 0) {
Packit Service 4684c1 
		gnutls_assert();
Packit Service 4684c1 
		goto cleanup2;
Packit Service 4684c1 
	}
Packit Service 4684c1
Packit Service 4684c1 
	gnutls_pk_params_init(params);
Packit Service 4684c1
Packit Service 4684c1 
	ret = _gnutls_pubkey_get_mpis(peer_cert.pubkey, params);
Packit Service 4684c1 
	if (ret < 0) {
Packit Service 4684c1 
		ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
Packit Service 4684c1 
		goto cleanup2;
Packit Service 4684c1 
	}
Packit Service 4684c1
Packit Service 4684c1 
	gnutls_pcert_deinit(&peer_cert);
Packit Service 4684c1 
	return 0;
Packit Service 4684c1
Packit Service 4684c1 
      cleanup2:
Packit Service 4684c1 
	gnutls_pcert_deinit(&peer_cert);
Packit Service 4684c1
Packit Service 4684c1 
	return ret;
Packit Service 4684c1 
}
Packit Service 4684c1
Packit Service 4684c1 
static int
Packit Service 4684c1 
proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
Packit Service 4684c1 
		   size_t _data_size)
Packit Service 4684c1 
{
Packit Service 4684c1 
	const char attack_error[] = "auth_rsa: Possible PKCS #1 attack\n";
Packit Service 4684c1 
	gnutls_datum_t ciphertext;
Packit Service 4684c1 
	int ret, dsize;
Packit Service 4684c1 
	ssize_t data_size = _data_size;
Packit Service 4684c1 
	volatile uint8_t ver_maj, ver_min;
Packit Service 4684c1 
	volatile uint8_t check_ver_min;
Packit Service 4684c1 
	volatile uint32_t ok;
Packit Service 4684c1
Packit Service 4684c1 
#ifdef ENABLE_SSL3
Packit Service 4684c1 
	if (get_num_version(session) == GNUTLS_SSL3) {
Packit Service 4684c1 
		/* SSL 3.0
Packit Service 4684c1 
		 */
Packit Service 4684c1 
		ciphertext.data = data;
Packit Service 4684c1 
		ciphertext.size = data_size;
Packit Service 4684c1 
	} else
Packit Service 4684c1 
#endif
Packit Service 4684c1 
	{
Packit Service 4684c1 
		/* TLS 1.0+
Packit Service 4684c1 
		 */
Packit Service 4684c1 
		DECR_LEN(data_size, 2);
Packit Service 4684c1 
		ciphertext.data = &data[2];
Packit Service 4684c1 
		dsize = _gnutls_read_uint16(data);
Packit Service 4684c1
Packit Service 4684c1 
		if (dsize != data_size) {
Packit Service 4684c1 
			gnutls_assert();
Packit Service 4684c1 
			return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
Packit Service 4684c1 
		}
Packit Service 4684c1 
		ciphertext.size = dsize;
Packit Service 4684c1 
	}
Packit Service 4684c1
Packit Service 4684c1 
	ver_maj = _gnutls_get_adv_version_major(session);
Packit Service 4684c1 
	ver_min = _gnutls_get_adv_version_minor(session);
Packit Service 4684c1 
	check_ver_min = (session->internals.allow_wrong_pms == 0);
Packit Service 4684c1
Packit Service 4684c1 
	session->key.key.data = gnutls_malloc(GNUTLS_MASTER_SIZE);
Packit Service 4684c1 
	if (session->key.key.data == NULL) {
Packit Service 4684c1 
		gnutls_assert();
Packit Service 4684c1 
		return GNUTLS_E_MEMORY_ERROR;
Packit Service 4684c1 
	}
Packit Service 4684c1 
	session->key.key.size = GNUTLS_MASTER_SIZE;
Packit Service 4684c1
Packit Service 4684c1 
	/* Fallback value when decryption fails. Needs to be unpredictable. */
Packit Service 4684c1 
	ret = gnutls_rnd(GNUTLS_RND_NONCE, session->key.key.data,
Packit Service 4684c1 
			 GNUTLS_MASTER_SIZE);
Packit Service 4684c1 
	if (ret < 0) {
Packit Service 4684c1 
		gnutls_free(session->key.key.data);
Packit Service 4684c1 
		session->key.key.size = 0;
Packit Service 4684c1 
		gnutls_assert();
Packit Service 4684c1 
		return ret;
Packit Service 4684c1 
	}
Packit Service 4684c1
Packit Service 4684c1 
	ret =
Packit Service 4684c1 
	    gnutls_privkey_decrypt_data2(session->internals.selected_key,
Packit Service 4684c1 
					 0, &ciphertext, session->key.key.data,
Packit Service 4684c1 
					 session->key.key.size);
Packit Service 4684c1 
	/* After this point, any conditional on failure that cause differences
Packit Service 4684c1 
	 * in execution may create a timing or cache access pattern side
Packit Service 4684c1 
	 * channel that can be used as an oracle, so treat very carefully */
Packit Service 4684c1
Packit Service 4684c1 
	/* Error handling logic:
Packit Service 4684c1 
	 * In case decryption fails then don't inform the peer. Just use the
Packit Service 4684c1 
	 * random key previously generated. (in order to avoid attack against
Packit Service 4684c1 
	 * pkcs-1 formatting).
Packit Service 4684c1 
	 *
Packit Service 4684c1 
	 * If we get version mismatches no error is returned either. We
Packit Service 4684c1 
	 * proceed normally. This is to defend against the attack described
Packit Service 4684c1 
	 * in the paper "Attacking RSA-based sessions in SSL/TLS" by
Packit Service 4684c1 
	 * Vlastimil Klima, Ondej Pokorny and Tomas Rosa.
Packit Service 4684c1 
	 */
Packit Service 4684c1
Packit Service 4684c1 
	/* ok is 0 in case of error and 1 in case of success. */
Packit Service 4684c1
Packit Service 4684c1 
	/* if ret < 0 */
Packit Service 4684c1 
	ok = CONSTCHECK_EQUAL(ret, 0);
Packit Service 4684c1 
	/* session->key.key.data[0] must equal ver_maj */
Packit Service 4684c1 
	ok &= CONSTCHECK_EQUAL(session->key.key.data[0], ver_maj);
Packit Service 4684c1 
	/* if check_ver_min then session->key.key.data[1] must equal ver_min */
Packit Service 4684c1 
	ok &= CONSTCHECK_NOT_EQUAL(check_ver_min, 0) &
Packit Service 4684c1 
	        CONSTCHECK_EQUAL(session->key.key.data[1], ver_min);
Packit Service 4684c1
Packit Service 4684c1 
	if (ok) {
Packit Service 4684c1 
		/* call logging function unconditionally so all branches are
Packit Service 4684c1 
		 * indistinguishable for timing and cache access when debug
Packit Service 4684c1 
		 * logging is disabled */
Packit Service 4684c1 
		_gnutls_no_log("%s", attack_error);
Packit Service 4684c1 
	} else {
Packit Service 4684c1 
		_gnutls_debug_log("%s", attack_error);
Packit Service 4684c1 
	}
Packit Service 4684c1
Packit Service 4684c1 
	/* This is here to avoid the version check attack
Packit Service 4684c1 
	 * discussed above.
Packit Service 4684c1 
	 */
Packit Service 4684c1 
	session->key.key.data[0] = ver_maj;
Packit Service 4684c1 
	session->key.key.data[1] = ver_min;
Packit Service 4684c1
Packit Service 4684c1 
	return 0;
Packit Service 4684c1 
}
Packit Service 4684c1
Packit Service 4684c1
Packit Service 4684c1
Packit Service 4684c1 
/* return RSA(random) using the peers public key
Packit Service 4684c1 
 */
Packit Service 4684c1 
int
Packit Service 4684c1 
_gnutls_gen_rsa_client_kx(gnutls_session_t session,
Packit Service 4684c1 
			  gnutls_buffer_st * data)
Packit Service 4684c1 
{
Packit Service 4684c1 
	cert_auth_info_t auth = session->key.auth_info;
Packit Service 4684c1 
	gnutls_datum_t sdata;	/* data to send */
Packit Service 4684c1 
	gnutls_pk_params_st params;
Packit Service 4684c1 
	int ret;
Packit Service 4684c1
Packit Service 4684c1 
	if (auth == NULL) {
Packit Service 4684c1 
		/* this shouldn't have happened. The proc_certificate
Packit Service 4684c1 
		 * function should have detected that.
Packit Service 4684c1 
		 */
Packit Service 4684c1 
		gnutls_assert();
Packit Service 4684c1 
		return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
Packit Service 4684c1 
	}
Packit Service 4684c1
Packit Service 4684c1 
	session->key.key.size = GNUTLS_MASTER_SIZE;
Packit Service 4684c1 
	session->key.key.data = gnutls_malloc(session->key.key.size);
Packit Service 4684c1
Packit Service 4684c1 
	if (session->key.key.data == NULL) {
Packit Service 4684c1 
		gnutls_assert();
Packit Service 4684c1 
		return GNUTLS_E_MEMORY_ERROR;
Packit Service 4684c1 
	}
Packit Service 4684c1
Packit Service 4684c1 
	ret = gnutls_rnd(GNUTLS_RND_RANDOM, session->key.key.data,
Packit Service 4684c1 
			  session->key.key.size);
Packit Service 4684c1 
	if (ret < 0) {
Packit Service 4684c1 
		gnutls_assert();
Packit Service 4684c1 
		return ret;
Packit Service 4684c1 
	}
Packit Service 4684c1
Packit Service 4684c1 
	if (session->internals.rsa_pms_version[0] == 0) {
Packit Service 4684c1 
		session->key.key.data[0] =
Packit Service 4684c1 
		    _gnutls_get_adv_version_major(session);
Packit Service 4684c1 
		session->key.key.data[1] =
Packit Service 4684c1 
		    _gnutls_get_adv_version_minor(session);
Packit Service 4684c1 
	} else {		/* use the version provided */
Packit Service 4684c1 
		session->key.key.data[0] =
Packit Service 4684c1 
		    session->internals.rsa_pms_version[0];
Packit Service 4684c1 
		session->key.key.data[1] =
Packit Service 4684c1 
		    session->internals.rsa_pms_version[1];
Packit Service 4684c1 
	}
Packit Service 4684c1
Packit Service 4684c1 
	/* move RSA parameters to key (session).
Packit Service 4684c1 
	 */
Packit Service 4684c1 
	if ((ret = _gnutls_get_public_rsa_params(session, &params)) < 0) {
Packit Service 4684c1 
		gnutls_assert();
Packit Service 4684c1 
		return ret;
Packit Service 4684c1 
	}
Packit Service 4684c1
Packit Service 4684c1 
	ret =
Packit Service 4684c1 
	    _gnutls_pk_encrypt(GNUTLS_PK_RSA, &sdata, &session->key.key,
Packit Service 4684c1 
			       &params);
Packit Service 4684c1
Packit Service 4684c1 
	gnutls_pk_params_release(&params);
Packit Service 4684c1
Packit Service 4684c1 
	if (ret < 0)
Packit Service 4684c1 
		return gnutls_assert_val(ret);
Packit Service 4684c1
Packit Service 4684c1
Packit Service 4684c1 
#ifdef ENABLE_SSL3
Packit Service 4684c1 
	if (get_num_version(session) == GNUTLS_SSL3) {
Packit Service 4684c1 
		/* SSL 3.0 */
Packit Service 4684c1 
		ret =
Packit Service 4684c1 
		    _gnutls_buffer_append_data(data, sdata.data,
Packit Service 4684c1 
					       sdata.size);
Packit Service 4684c1
Packit Service 4684c1 
		_gnutls_free_datum(&sdata);
Packit Service 4684c1 
		return ret;
Packit Service 4684c1 
	} else
Packit Service 4684c1 
#endif
Packit Service 4684c1 
	{		/* TLS 1.x */
Packit Service 4684c1 
		ret =
Packit Service 4684c1 
		    _gnutls_buffer_append_data_prefix(data, 16, sdata.data,
Packit Service 4684c1 
						      sdata.size);
Packit Service 4684c1
Packit Service 4684c1 
		_gnutls_free_datum(&sdata);
Packit Service 4684c1 
		return ret;
Packit Service 4684c1 
	}
Packit Service 4684c1 
}

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation