/src/gnutls/lib/auth/rsa.c

Source (jump to first uncovered line)
/*
 * Copyright (C) 2000-2012 Free Software Foundation, Inc.
 *
 * Author: Nikos Mavrogiannopoulos
 *
 * This file is part of GnuTLS.
 *
 * The GnuTLS is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public License
 * as published by the Free Software Foundation; either version 2.1 of
 * the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program.  If not, see <https://www.gnu.org/licenses/>
 *
 */

/* This file contains the RSA key exchange part of the certificate
 * authentication.
 */

#include "gnutls_int.h"
#include "auth.h"
#include "errors.h"
#include "dh.h"
#include "num.h"
#include "datum.h"
#include "auth/cert.h"
#include "pk.h"
#include "algorithms.h"
#include "global.h"
#include "debug.h"
#include "tls-sig.h"
#include "x509.h"
#include "random.h"
#include "mpi.h"
#include "abstract_int.h"
#include "auth/rsa_common.h"

int _gnutls_gen_rsa_client_kx(gnutls_session_t, gnutls_buffer_st *);
static int proc_rsa_client_kx(gnutls_session_t, uint8_t *, size_t);

const mod_auth_st rsa_auth_struct = {
  "RSA",
  _gnutls_gen_cert_server_crt,
  _gnutls_gen_cert_client_crt,
  NULL, /* gen server kx */
  _gnutls_gen_rsa_client_kx,
  _gnutls_gen_cert_client_crt_vrfy, /* gen client cert vrfy */
  _gnutls_gen_cert_server_cert_req, /* server cert request */

  _gnutls_proc_crt,
  _gnutls_proc_crt,
  NULL, /* proc server kx */
  proc_rsa_client_kx, /* proc client kx */
  _gnutls_proc_cert_client_crt_vrfy, /* proc client cert vrfy */
  _gnutls_proc_cert_cert_req /* proc server cert request */
};

static int check_key_usage_for_enc(gnutls_session_t session, unsigned key_usage)
{
  if (key_usage != 0) {
    if (!(key_usage & GNUTLS_KEY_KEY_ENCIPHERMENT) &&
        !(key_usage & GNUTLS_KEY_KEY_AGREEMENT)) {
      gnutls_assert();
      if (session->internals.allow_key_usage_violation == 0) {
        _gnutls_audit_log(
          session,
          "Peer's certificate does not allow encryption. Key usage violation detected.\n");
        return GNUTLS_E_KEY_USAGE_VIOLATION;
      } else {
        _gnutls_audit_log(
          session,
          "Peer's certificate does not allow encryption. Key usage violation detected (ignored).\n");
      }
    }
  }
  return 0;
}

/* This function reads the RSA parameters from peer's certificate;
 *
 * IMPORTANT:
 * Currently this function gets only called on the client side
 * during generation of the client kx msg. This function
 * retrieves the RSA params from the peer's certificate. That is in
 * this case the server's certificate. As of GNUTLS version 3.6.4 it is
 * possible to negotiate different certificate types for client and
 * server. Therefore the correct cert type needs to be retrieved to be
 * used for the _gnutls_get_auth_info_pcert call. If this
 * function is to be called on the server side in the future, extra
 * checks need to be build in order to retrieve the correct
 * certificate type.
 */
int _gnutls_get_public_rsa_params(gnutls_session_t session,
          gnutls_pk_params_st *params)
{
  int ret;
  cert_auth_info_t info;
  unsigned key_usage;
  gnutls_pcert_st peer_cert;
  gnutls_certificate_type_t cert_type;

  assert(!IS_SERVER(session));

  /* normal non export case */

  info = _gnutls_get_auth_info(session, GNUTLS_CRD_CERTIFICATE);

  if (info == NULL || info->ncerts == 0) {
    gnutls_assert();
    return GNUTLS_E_INTERNAL_ERROR;
  }
  // Get the negotiated server certificate type
  cert_type = get_certificate_type(session, GNUTLS_CTYPE_SERVER);

  ret = _gnutls_get_auth_info_pcert(&peer_cert, cert_type, info);

  if (ret < 0) {
    gnutls_assert();
    return ret;
  }

  gnutls_pubkey_get_key_usage(peer_cert.pubkey, &key_usage);

  ret = check_key_usage_for_enc(session, key_usage);
  if (ret < 0) {
    gnutls_assert();
    goto cleanup2;
  }

  gnutls_pk_params_init(params);

  ret = _gnutls_pubkey_get_mpis(peer_cert.pubkey, params);
  if (ret < 0) {
    ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
    goto cleanup2;
  }

  gnutls_pcert_deinit(&peer_cert);
  return 0;

cleanup2:
  gnutls_pcert_deinit(&peer_cert);

  return ret;
}

static int proc_rsa_client_kx(gnutls_session_t session, uint8_t *data,
            size_t _data_size)
{
  gnutls_datum_t ciphertext;
  int ret, dsize;
  ssize_t data_size = _data_size;
  volatile uint8_t ver_maj, ver_min;

#ifdef ENABLE_SSL3
  if (get_num_version(session) == GNUTLS_SSL3) {
    /* SSL 3.0 
     */
    ciphertext.data = data;
    ciphertext.size = data_size;
  } else
#endif
  {
    /* TLS 1.0+
     */
    DECR_LEN(data_size, 2);
    ciphertext.data = &data[2];
    dsize = _gnutls_read_uint16(data);

    if (dsize != data_size) {
      gnutls_assert();
      return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
    }
    ciphertext.size = dsize;
  }

  ver_maj = _gnutls_get_adv_version_major(session);
  ver_min = _gnutls_get_adv_version_minor(session);

  session->key.key.data = gnutls_malloc(GNUTLS_MASTER_SIZE);
  if (session->key.key.data == NULL) {
    gnutls_assert();
    return GNUTLS_E_MEMORY_ERROR;
  }
  session->key.key.size = GNUTLS_MASTER_SIZE;

  /* Fallback value when decryption fails. Needs to be unpredictable. */
  ret = gnutls_rnd(GNUTLS_RND_NONCE, session->key.key.data,
       GNUTLS_MASTER_SIZE);
  if (ret < 0) {
    gnutls_free(session->key.key.data);
    session->key.key.size = 0;
    gnutls_assert();
    return ret;
  }

  gnutls_privkey_decrypt_data2(session->internals.selected_key, 0,
             &ciphertext, session->key.key.data,
             session->key.key.size);
  /* After this point, any conditional on failure that cause differences
   * in execution may create a timing or cache access pattern side
   * channel that can be used as an oracle, so tread carefully */

  /* Error handling logic:
   * In case decryption fails then don't inform the peer. Just use the
   * random key previously generated. (in order to avoid attack against
   * pkcs-1 formatting).
   *
   * If we get version mismatches no error is returned either. We
   * proceed normally. This is to defend against the attack described
   * in the paper "Attacking RSA-based sessions in SSL/TLS" by
   * Vlastimil Klima, Ondej Pokorny and Tomas Rosa.
   */

  /* This is here to avoid the version check attack
   * discussed above.
   */
  session->key.key.data[0] = ver_maj;
  session->key.key.data[1] = ver_min;

  return 0;
}

/* return RSA(random) using the peers public key 
 */
int _gnutls_gen_rsa_client_kx(gnutls_session_t session, gnutls_buffer_st *data)
{
  cert_auth_info_t auth = session->key.auth_info;
  gnutls_datum_t sdata; /* data to send */
  gnutls_pk_params_st params;
  int ret;

  if (auth == NULL) {
    /* this shouldn't have happened. The proc_certificate
     * function should have detected that.
     */
    gnutls_assert();
    return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
  }

  session->key.key.size = GNUTLS_MASTER_SIZE;
  session->key.key.data = gnutls_malloc(session->key.key.size);

  if (session->key.key.data == NULL) {
    gnutls_assert();
    return GNUTLS_E_MEMORY_ERROR;
  }

  ret = gnutls_rnd(GNUTLS_RND_RANDOM, session->key.key.data,
       session->key.key.size);
  if (ret < 0) {
    gnutls_assert();
    return ret;
  }

  if (session->internals.rsa_pms_version[0] == 0) {
    session->key.key.data[0] =
      _gnutls_get_adv_version_major(session);
    session->key.key.data[1] =
      _gnutls_get_adv_version_minor(session);
  } else { /* use the version provided */
    session->key.key.data[0] =
      session->internals.rsa_pms_version[0];
    session->key.key.data[1] =
      session->internals.rsa_pms_version[1];
  }

  /* move RSA parameters to key (session).
   */
  if ((ret = _gnutls_get_public_rsa_params(session, &params)) < 0) {
    gnutls_assert();
    return ret;
  }

  ret = _gnutls_pk_encrypt(GNUTLS_PK_RSA, &sdata, &session->key.key,
         &params);

  gnutls_pk_params_release(&params);

  if (ret < 0)
    return gnutls_assert_val(ret);

#ifdef ENABLE_SSL3
  if (get_num_version(session) == GNUTLS_SSL3) {
    /* SSL 3.0 */
    ret = _gnutls_buffer_append_data(data, sdata.data, sdata.size);

    _gnutls_free_datum(&sdata);
    return ret;
  } else
#endif
  { /* TLS 1.x */
    ret = _gnutls_buffer_append_data_prefix(data, 16, sdata.data,
              sdata.size);

    _gnutls_free_datum(&sdata);
    return ret;
  }
}

Coverage Report

Created: 2025-03-06 06:58

Line	Count	Source (jump to first uncovered line)
1		/*
2		* Copyright (C) 2000-2012 Free Software Foundation, Inc.
3		*
4		* Author: Nikos Mavrogiannopoulos
5		*
6		* This file is part of GnuTLS.
7		*
8		* The GnuTLS is free software; you can redistribute it and/or
9		* modify it under the terms of the GNU Lesser General Public License
10		* as published by the Free Software Foundation; either version 2.1 of
11		* the License, or (at your option) any later version.
12		*
13		* This library is distributed in the hope that it will be useful, but
14		* WITHOUT ANY WARRANTY; without even the implied warranty of
15		* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16		* Lesser General Public License for more details.
17		*
18		* You should have received a copy of the GNU Lesser General Public License
19		* along with this program. If not, see <https://www.gnu.org/licenses/>
20		*
21		*/
22
23		/* This file contains the RSA key exchange part of the certificate
24		* authentication.
25		*/
26
27		#include "gnutls_int.h"
28		#include "auth.h"
29		#include "errors.h"
30		#include "dh.h"
31		#include "num.h"
32		#include "datum.h"
33		#include "auth/cert.h"
34		#include "pk.h"
35		#include "algorithms.h"
36		#include "global.h"
37		#include "debug.h"
38		#include "tls-sig.h"
39		#include "x509.h"
40		#include "random.h"
41		#include "mpi.h"
42		#include "abstract_int.h"
43		#include "auth/rsa_common.h"
44
45		int _gnutls_gen_rsa_client_kx(gnutls_session_t, gnutls_buffer_st *);
46		static int proc_rsa_client_kx(gnutls_session_t, uint8_t *, size_t);
47
48		const mod_auth_st rsa_auth_struct = {
49		"RSA",
50		_gnutls_gen_cert_server_crt,
51		_gnutls_gen_cert_client_crt,
52		NULL, /* gen server kx */
53		_gnutls_gen_rsa_client_kx,
54		_gnutls_gen_cert_client_crt_vrfy, /* gen client cert vrfy */
55		_gnutls_gen_cert_server_cert_req, /* server cert request */
56
57		_gnutls_proc_crt,
58		_gnutls_proc_crt,
59		NULL, /* proc server kx */
60		proc_rsa_client_kx, /* proc client kx */
61		_gnutls_proc_cert_client_crt_vrfy, /* proc client cert vrfy */
62		_gnutls_proc_cert_cert_req /* proc server cert request */
63		};
64
65		static int check_key_usage_for_enc(gnutls_session_t session, unsigned key_usage)
66	0	{
67	0	if (key_usage != 0) {
68	0	if (!(key_usage & GNUTLS_KEY_KEY_ENCIPHERMENT) &&
69	0	!(key_usage & GNUTLS_KEY_KEY_AGREEMENT)) {
70	0	gnutls_assert();
71	0	if (session->internals.allow_key_usage_violation == 0) {
72	0	_gnutls_audit_log(
73	0	session,
74	0	"Peer's certificate does not allow encryption. Key usage violation detected.\n");
75	0	return GNUTLS_E_KEY_USAGE_VIOLATION;
76	0	} else {
77	0	_gnutls_audit_log(
78	0	session,
79	0	"Peer's certificate does not allow encryption. Key usage violation detected (ignored).\n");
80	0	}
81	0	}
82	0	}
83	0	return 0;
84	0	}
85
86		/* This function reads the RSA parameters from peer's certificate;
87		*
88		* IMPORTANT:
89		* Currently this function gets only called on the client side
90		* during generation of the client kx msg. This function
91		* retrieves the RSA params from the peer's certificate. That is in
92		* this case the server's certificate. As of GNUTLS version 3.6.4 it is
93		* possible to negotiate different certificate types for client and
94		* server. Therefore the correct cert type needs to be retrieved to be
95		* used for the _gnutls_get_auth_info_pcert call. If this
96		* function is to be called on the server side in the future, extra
97		* checks need to be build in order to retrieve the correct
98		* certificate type.
99		*/
100		int _gnutls_get_public_rsa_params(gnutls_session_t session,
101		gnutls_pk_params_st *params)
102	0	{
103	0	int ret;
104	0	cert_auth_info_t info;
105	0	unsigned key_usage;
106	0	gnutls_pcert_st peer_cert;
107	0	gnutls_certificate_type_t cert_type;
108
109	0	assert(!IS_SERVER(session));
110
111		/* normal non export case */
112
113	0	info = _gnutls_get_auth_info(session, GNUTLS_CRD_CERTIFICATE);
114
115	0	if (info == NULL \|\| info->ncerts == 0) {
116	0	gnutls_assert();
117	0	return GNUTLS_E_INTERNAL_ERROR;
118	0	}
119		// Get the negotiated server certificate type
120	0	cert_type = get_certificate_type(session, GNUTLS_CTYPE_SERVER);
121
122	0	ret = _gnutls_get_auth_info_pcert(&peer_cert, cert_type, info);
123
124	0	if (ret < 0) {
125	0	gnutls_assert();
126	0	return ret;
127	0	}
128
129	0	gnutls_pubkey_get_key_usage(peer_cert.pubkey, &key_usage);
130
131	0	ret = check_key_usage_for_enc(session, key_usage);
132	0	if (ret < 0) {
133	0	gnutls_assert();
134	0	goto cleanup2;
135	0	}
136
137	0	gnutls_pk_params_init(params);
138
139	0	ret = _gnutls_pubkey_get_mpis(peer_cert.pubkey, params);
140	0	if (ret < 0) {
141	0	ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
142	0	goto cleanup2;
143	0	}
144
145	0	gnutls_pcert_deinit(&peer_cert);
146	0	return 0;
147
148	0	cleanup2:
149	0	gnutls_pcert_deinit(&peer_cert);
150
151	0	return ret;
152	0	}
153
154		static int proc_rsa_client_kx(gnutls_session_t session, uint8_t *data,
155		size_t _data_size)
156	0	{
157	0	gnutls_datum_t ciphertext;
158	0	int ret, dsize;
159	0	ssize_t data_size = _data_size;
160	0	volatile uint8_t ver_maj, ver_min;
161
162		#ifdef ENABLE_SSL3
163		if (get_num_version(session) == GNUTLS_SSL3) {
164		/* SSL 3.0
165		*/
166		ciphertext.data = data;
167		ciphertext.size = data_size;
168		} else
169		#endif
170	0	{
171		/* TLS 1.0+
172		*/
173	0	DECR_LEN(data_size, 2);
174	0	ciphertext.data = &data[2];
175	0	dsize = _gnutls_read_uint16(data);
176
177	0	if (dsize != data_size) {
178	0	gnutls_assert();
179	0	return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
180	0	}
181	0	ciphertext.size = dsize;
182	0	}
183
184	0	ver_maj = _gnutls_get_adv_version_major(session);
185	0	ver_min = _gnutls_get_adv_version_minor(session);
186
187	0	session->key.key.data = gnutls_malloc(GNUTLS_MASTER_SIZE);
188	0	if (session->key.key.data == NULL) {
189	0	gnutls_assert();
190	0	return GNUTLS_E_MEMORY_ERROR;
191	0	}
192	0	session->key.key.size = GNUTLS_MASTER_SIZE;
193
194		/* Fallback value when decryption fails. Needs to be unpredictable. */
195	0	ret = gnutls_rnd(GNUTLS_RND_NONCE, session->key.key.data,
196	0	GNUTLS_MASTER_SIZE);
197	0	if (ret < 0) {
198	0	gnutls_free(session->key.key.data);
199	0	session->key.key.size = 0;
200	0	gnutls_assert();
201	0	return ret;
202	0	}
203
204	0	gnutls_privkey_decrypt_data2(session->internals.selected_key, 0,
205	0	&ciphertext, session->key.key.data,
206	0	session->key.key.size);
207		/* After this point, any conditional on failure that cause differences
208		* in execution may create a timing or cache access pattern side
209		* channel that can be used as an oracle, so tread carefully */
210
211		/* Error handling logic:
212		* In case decryption fails then don't inform the peer. Just use the
213		* random key previously generated. (in order to avoid attack against
214		* pkcs-1 formatting).
215		*
216		* If we get version mismatches no error is returned either. We
217		* proceed normally. This is to defend against the attack described
218		* in the paper "Attacking RSA-based sessions in SSL/TLS" by
219		* Vlastimil Klima, Ondej Pokorny and Tomas Rosa.
220		*/
221
222		/* This is here to avoid the version check attack
223		* discussed above.
224		*/
225	0	session->key.key.data[0] = ver_maj;
226	0	session->key.key.data[1] = ver_min;
227
228	0	return 0;
229	0	}
230
231		/* return RSA(random) using the peers public key
232		*/
233		int _gnutls_gen_rsa_client_kx(gnutls_session_t session, gnutls_buffer_st *data)
234	0	{
235	0	cert_auth_info_t auth = session->key.auth_info;
236	0	gnutls_datum_t sdata; /* data to send */
237	0	gnutls_pk_params_st params;
238	0	int ret;
239
240	0	if (auth == NULL) {
241		/* this shouldn't have happened. The proc_certificate
242		* function should have detected that.
243		*/
244	0	gnutls_assert();
245	0	return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
246	0	}
247
248	0	session->key.key.size = GNUTLS_MASTER_SIZE;
249	0	session->key.key.data = gnutls_malloc(session->key.key.size);
250
251	0	if (session->key.key.data == NULL) {
252	0	gnutls_assert();
253	0	return GNUTLS_E_MEMORY_ERROR;
254	0	}
255
256	0	ret = gnutls_rnd(GNUTLS_RND_RANDOM, session->key.key.data,
257	0	session->key.key.size);
258	0	if (ret < 0) {
259	0	gnutls_assert();
260	0	return ret;
261	0	}
262
263	0	if (session->internals.rsa_pms_version[0] == 0) {
264	0	session->key.key.data[0] =
265	0	_gnutls_get_adv_version_major(session);
266	0	session->key.key.data[1] =
267	0	_gnutls_get_adv_version_minor(session);
268	0	} else { /* use the version provided */
269	0	session->key.key.data[0] =
270	0	session->internals.rsa_pms_version[0];
271	0	session->key.key.data[1] =
272	0	session->internals.rsa_pms_version[1];
273	0	}
274
275		/* move RSA parameters to key (session).
276		*/
277	0	if ((ret = _gnutls_get_public_rsa_params(session, &params)) < 0) {
278	0	gnutls_assert();
279	0	return ret;
280	0	}
281
282	0	ret = _gnutls_pk_encrypt(GNUTLS_PK_RSA, &sdata, &session->key.key,
283	0	&params);
284
285	0	gnutls_pk_params_release(&params);
286
287	0	if (ret < 0)
288	0	return gnutls_assert_val(ret);
289
290		#ifdef ENABLE_SSL3
291		if (get_num_version(session) == GNUTLS_SSL3) {
292		/* SSL 3.0 */
293		ret = _gnutls_buffer_append_data(data, sdata.data, sdata.size);
294
295		_gnutls_free_datum(&sdata);
296		return ret;
297		} else
298		#endif
299	0	{ /* TLS 1.x */
300	0	ret = _gnutls_buffer_append_data_prefix(data, 16, sdata.data,
301	0	sdata.size);
302
303	0	_gnutls_free_datum(&sdata);
304	0	return ret;
305	0	}
306	0	}