/*
* Copyright (C) 2011-2012 Free Software Foundation, Inc.
* Copyright (C) 2016 Dmitry Eremin-Solenikov
*
* This file is part of GnuTLS.
*
* The GnuTLS is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public License
* as published by the Free Software Foundation; either version 2.1 of
* the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>
*/
/*
* This is split from main TLS key exchange, because it might be useful in
* future for S/MIME support. For the definition of the algorithm see RFC 4357,
* section 5.2.
*/
#include "gnutls_int.h"
#include "vko.h"
#include "pk.h"
#include "common.h"
static int
_gnutls_gost_vko_key(gnutls_pk_params_st *pub,
gnutls_pk_params_st *priv,
gnutls_datum_t *ukm,
gnutls_digest_algorithm_t digalg,
gnutls_datum_t *kek)
{
gnutls_datum_t tmp_vko_key;
int ret;
ret = _gnutls_pk_derive_nonce(pub->algo, &tmp_vko_key,
priv, pub, ukm);
if (ret < 0)
return gnutls_assert_val(ret);
kek->size = gnutls_hash_get_len(digalg);
kek->data = gnutls_malloc(kek->size);
if (kek->data == NULL) {
gnutls_assert();
ret = GNUTLS_E_MEMORY_ERROR;
goto cleanup;
}
ret = gnutls_hash_fast(digalg, tmp_vko_key.data, tmp_vko_key.size, kek->data);
if (ret < 0) {
gnutls_assert();
_gnutls_free_datum(kek);
goto cleanup;
}
ret = 0;
cleanup:
_gnutls_free_temp_key_datum(&tmp_vko_key);
return ret;
}
static const gnutls_datum_t zero_data = { NULL, 0 };
int
_gnutls_gost_keytrans_encrypt(gnutls_pk_params_st *pub,
gnutls_pk_params_st *priv,
gnutls_datum_t *cek,
gnutls_datum_t *ukm,
gnutls_datum_t *out)
{
int ret;
gnutls_datum_t kek;
gnutls_datum_t enc, imit;
gnutls_digest_algorithm_t digalg;
ASN1_TYPE kx;
if (pub->algo == GNUTLS_PK_GOST_01)
digalg = GNUTLS_DIG_GOSTR_94;
else
digalg = GNUTLS_DIG_STREEBOG_256;
ret = _gnutls_gost_vko_key(pub, priv, ukm, digalg, &kek);
if (ret < 0) {
gnutls_assert();
return ret;
}
ret = _gnutls_gost_key_wrap(pub->gost_params, &kek, ukm, cek,
&enc, &imit);
_gnutls_free_key_datum(&kek);
if (ret < 0) {
gnutls_assert();
return ret;
}
ret = asn1_create_element(_gnutls_get_gnutls_asn(),
"GNUTLS.GostR3410-KeyTransport",
&kx);
if (ret != ASN1_SUCCESS) {
gnutls_assert();
ret = _gnutls_asn2err(ret);
_gnutls_free_datum(&enc);
_gnutls_free_datum(&imit);
return ret;
}
ret = _gnutls_x509_write_value(kx, "transportParameters.ukm", ukm);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
ret = _gnutls_x509_encode_and_copy_PKI_params(kx,
"transportParameters.ephemeralPublicKey",
priv);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
if ((ret = asn1_write_value(kx, "transportParameters.encryptionParamSet",
gnutls_gost_paramset_get_oid(pub->gost_params),
1)) != ASN1_SUCCESS) {
gnutls_assert();
ret = _gnutls_asn2err(ret);
goto cleanup;
}
ret = _gnutls_x509_write_value(kx, "sessionEncryptedKey.encryptedKey", &enc);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
ret = _gnutls_x509_write_value(kx, "sessionEncryptedKey.maskKey", &zero_data);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
ret = _gnutls_x509_write_value(kx, "sessionEncryptedKey.macKey", &imit);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
ret = _gnutls_x509_der_encode(kx, "", out, 0);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
ret = 0;
cleanup:
asn1_delete_structure(&kx);
_gnutls_free_datum(&enc);
_gnutls_free_datum(&imit);
return ret;
}
int
_gnutls_gost_keytrans_decrypt(gnutls_pk_params_st *priv,
gnutls_datum_t *cek,
gnutls_datum_t *ukm,
gnutls_datum_t *out)
{
int ret;
ASN1_TYPE kx;
gnutls_pk_params_st pub;
gnutls_datum_t kek;
gnutls_datum_t ukm2, enc, imit;
char oid[MAX_OID_SIZE];
int oid_size;
gnutls_digest_algorithm_t digalg;
if ((ret = asn1_create_element(_gnutls_get_gnutls_asn(),
"GNUTLS.GostR3410-KeyTransport",
&kx)) != ASN1_SUCCESS) {
gnutls_assert();
ret = _gnutls_asn2err(ret);
return ret;
}
ret = _asn1_strict_der_decode(&kx, cek->data, cek->size, NULL);
if (ret != ASN1_SUCCESS) {
gnutls_assert();
ret = _gnutls_asn2err(ret);
asn1_delete_structure(&kx);
return ret;
}
ret = _gnutls_get_asn_mpis(kx,
"transportParameters.ephemeralPublicKey",
&pub);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
if (pub.algo != priv->algo ||
pub.gost_params != priv->gost_params ||
pub.curve != priv->curve) {
gnutls_assert();
ret = GNUTLS_E_ILLEGAL_PARAMETER;
goto cleanup;
}
oid_size = sizeof(oid);
ret = asn1_read_value(kx, "transportParameters.encryptionParamSet", oid, &oid_size);
if (ret != ASN1_SUCCESS) {
gnutls_assert();
ret = _gnutls_asn2err(ret);
goto cleanup;
}
if (gnutls_oid_to_gost_paramset(oid) != priv->gost_params) {
gnutls_assert();
ret = GNUTLS_E_ASN1_DER_ERROR;
goto cleanup;
}
ret = _gnutls_x509_read_value(kx, "transportParameters.ukm", &ukm2);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
/* Kind of strange design. For TLS UKM is calculated as a hash of
* client and server random. At the same time UKM is transmitted as a
* part of KeyTransport structure. At this point we have to compare
* them to check that they are equal. This does not result in an oracle
* of any kind as all values are transmitted in cleartext. Returning
* that this point won't give any information to the attacker.
*/
if (ukm2.size != ukm->size || memcmp(ukm2.data, ukm->data, ukm->size) != 0) {
gnutls_assert();
_gnutls_free_datum(&ukm2);
ret = GNUTLS_E_DECRYPTION_FAILED;
goto cleanup;
}
_gnutls_free_datum(&ukm2);
ret = _gnutls_x509_read_value(kx, "sessionEncryptedKey.encryptedKey",
&enc);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
ret = _gnutls_x509_read_value(kx, "sessionEncryptedKey.macKey",
&imit);
if (ret < 0) {
gnutls_assert();
_gnutls_free_datum(&enc);
goto cleanup;
}
if (pub.algo == GNUTLS_PK_GOST_01)
digalg = GNUTLS_DIG_GOSTR_94;
else
digalg = GNUTLS_DIG_STREEBOG_256;
ret = _gnutls_gost_vko_key(&pub, priv, ukm, digalg, &kek);
if (ret < 0) {
gnutls_assert();
goto cleanup2;
}
ret = _gnutls_gost_key_unwrap(pub.gost_params, &kek, ukm,
&enc, &imit, out);
_gnutls_free_key_datum(&kek);
if (ret < 0) {
gnutls_assert();
goto cleanup2;
}
ret = 0;
cleanup2:
_gnutls_free_datum(&imit);
_gnutls_free_datum(&enc);
cleanup:
gnutls_pk_params_release(&pub);
asn1_delete_structure(&kx);
return ret;
}