/src/gnutls/lib/auth/rsa_psk.c

Source (jump to first uncovered line)
/*
 * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2007, 2009, 2010
 * Free Software Foundation, Inc.
 *
 * Copyright (C) 2011
 * Bardenheuer GmbH, Munich and Bundesdruckerei GmbH, Berlin
 *
 * Copyright (C) 2013 Frank Morgner
 * Copyright (C) 2013 Nikos Mavrogiannopoulos
 *
 * This file is part of GnuTLS.
 *
 * The GnuTLS is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public License
 * as published by the Free Software Foundation; either version 2.1 of
 * the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library.  If not, see <https://www.gnu.org/licenses/>.
 *
 */

#include "gnutls_int.h"

#ifdef ENABLE_PSK

# include "auth.h"
# include "dh.h"
# include "errors.h"
# include "mpi.h"
# include "num.h"
# include "gnutls_int.h"
# include "pk.h"
# include "random.h"
# include <abstract_int.h>
# include <algorithms.h>
# include <auth/dh_common.h>
# include <auth/psk.h>
# include <auth/psk_passwd.h>
# include <auth/rsa_common.h>
# include <cert.h>
# include <datum.h>
# include <state.h>

static int _gnutls_gen_rsa_psk_client_kx(gnutls_session_t session,
           gnutls_buffer_st * data);
static int _gnutls_proc_rsa_psk_client_kx(gnutls_session_t, uint8_t *, size_t);
static int
_gnutls_proc_rsa_psk_server_kx(gnutls_session_t session, uint8_t * data,
             size_t _data_size);

const mod_auth_st rsa_psk_auth_struct = {
  "RSA PSK",
  _gnutls_gen_cert_server_crt,
  NULL,     /* generate_client_certificate */
  _gnutls_gen_psk_server_kx,
  _gnutls_gen_rsa_psk_client_kx,
  NULL,     /* generate_client_cert_vrfy */
  NULL,     /* generate_server_certificate_request */
  _gnutls_proc_crt,
  NULL,     /* process_client_certificate */
  _gnutls_proc_rsa_psk_server_kx,
  _gnutls_proc_rsa_psk_client_kx,
  NULL,     /* process_client_cert_vrfy */
  NULL      /* process_server_certificate_reuqest */
};

/* Set the PSK premaster secret.
 */
static int
set_rsa_psk_session_key(gnutls_session_t session,
      gnutls_datum_t * ppsk, gnutls_datum_t * rsa_secret)
{
  unsigned char *p;
  size_t rsa_secret_size;
  int ret;

  rsa_secret_size = rsa_secret->size;

  /* set the session key
   */
  session->key.key.size = 2 + rsa_secret_size + 2 + ppsk->size;
  session->key.key.data = gnutls_malloc(session->key.key.size);
  if (session->key.key.data == NULL) {
    gnutls_assert();
    ret = GNUTLS_E_MEMORY_ERROR;
    goto error;
  }

  /* format of the premaster secret:
   * (uint16_t) other_secret size (48)
   * other_secret: 2 byte version + 46 byte random
   * (uint16_t) psk_size
   * the psk
   */
  _gnutls_write_uint16(rsa_secret_size, session->key.key.data);
  memcpy(&session->key.key.data[2], rsa_secret->data, rsa_secret->size);
  p = &session->key.key.data[rsa_secret_size + 2];
  _gnutls_write_uint16(ppsk->size, p);
  if (ppsk->data != NULL)
    memcpy(p + 2, ppsk->data, ppsk->size);

  ret = 0;

 error:
  return ret;
}

/* Generate client key exchange message
 *
 *
 * struct {
 *    select (KeyExchangeAlgorithm) {
 *       uint8_t psk_identity<0..2^16-1>;
 *       EncryptedPreMasterSecret;
 *    } exchange_keys;
 * } ClientKeyExchange;
 */
static int
_gnutls_gen_rsa_psk_client_kx(gnutls_session_t session, gnutls_buffer_st * data)
{
  cert_auth_info_t auth = session->key.auth_info;
  gnutls_datum_t sdata; /* data to send */
  gnutls_pk_params_st params;
  gnutls_psk_client_credentials_t cred;
  gnutls_datum_t username, key;
  int ret, free;
  unsigned init_pos;

  if (auth == NULL) {
    /* this shouldn't have happened. The proc_certificate
     * function should have detected that.
     */
    gnutls_assert();
    return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
  }

  gnutls_datum_t premaster_secret;
  premaster_secret.size = GNUTLS_MASTER_SIZE;
  premaster_secret.data = gnutls_malloc(premaster_secret.size);

  if (premaster_secret.data == NULL) {
    gnutls_assert();
    return GNUTLS_E_MEMORY_ERROR;
  }

  /* Generate random */
  ret = gnutls_rnd(GNUTLS_RND_RANDOM, premaster_secret.data,
       premaster_secret.size);
  if (ret < 0) {
    gnutls_assert();
    return ret;
  }

  /* Set version */
  if (session->internals.rsa_pms_version[0] == 0) {
    premaster_secret.data[0] =
        _gnutls_get_adv_version_major(session);
    premaster_secret.data[1] =
        _gnutls_get_adv_version_minor(session);
  } else {   /* use the version provided */
    premaster_secret.data[0] =
        session->internals.rsa_pms_version[0];
    premaster_secret.data[1] =
        session->internals.rsa_pms_version[1];
  }

  /* move RSA parameters to key (session).
   */
  if ((ret = _gnutls_get_public_rsa_params(session, &params)) < 0) {
    gnutls_assert();
    return ret;
  }

  /* Encrypt premaster secret */
  if ((ret =
       _gnutls_pk_encrypt(GNUTLS_PK_RSA, &sdata, &premaster_secret,
        &params)) < 0) {
    gnutls_assert();
    return ret;
  }

  gnutls_pk_params_release(&params);

  cred = (gnutls_psk_client_credentials_t)
      _gnutls_get_cred(session, GNUTLS_CRD_PSK);

  if (cred == NULL) {
    gnutls_assert();
    return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
  }

  ret = _gnutls_find_psk_key(session, cred, &username, &key, &free);
  if (ret < 0)
    return gnutls_assert_val(ret);

  /* Here we set the PSK key */
  ret = set_rsa_psk_session_key(session, &key, &premaster_secret);
  if (ret < 0) {
    gnutls_assert();
    goto cleanup;
  }

  /* Create message for client key exchange
   *
   * struct {
   *   uint8_t psk_identity<0..2^16-1>;
   *   EncryptedPreMasterSecret;
   * }
   */

  init_pos = data->length;

  /* Write psk_identity and EncryptedPreMasterSecret into data stream
   */
  ret =
      _gnutls_buffer_append_data_prefix(data, 16,
                username.data, username.size);
  if (ret < 0) {
    gnutls_assert();
    goto cleanup;
  }

  ret =
      _gnutls_buffer_append_data_prefix(data, 16, sdata.data, sdata.size);
  if (ret < 0) {
    gnutls_assert();
    goto cleanup;
  }

  ret = data->length - init_pos;

 cleanup:
  _gnutls_free_datum(&sdata);
  _gnutls_free_temp_key_datum(&premaster_secret);
  if (free) {
    _gnutls_free_temp_key_datum(&key);
    gnutls_free(username.data);
  }

  return ret;
}

/*
  Process the client key exchange message
*/
static int
_gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
             size_t _data_size)
{
  gnutls_datum_t username;
  psk_auth_info_t info;
  gnutls_datum_t plaintext;
  gnutls_datum_t ciphertext;
  gnutls_datum_t pwd_psk = { NULL, 0 };
  int ret, dsize;
  int randomize_key = 0;
  ssize_t data_size = _data_size;
  gnutls_psk_server_credentials_t cred;
  gnutls_datum_t premaster_secret = { NULL, 0 };

  cred = (gnutls_psk_server_credentials_t)
      _gnutls_get_cred(session, GNUTLS_CRD_PSK);

  if (cred == NULL) {
    gnutls_assert();
    return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
  }

  ret = _gnutls_auth_info_init(session, GNUTLS_CRD_PSK,
             sizeof(psk_auth_info_st), 1);
  if (ret < 0) {
    gnutls_assert();
    return ret;
  }

  /*** 1. Extract user psk_identity ***/

  DECR_LEN(data_size, 2);
  username.size = _gnutls_read_uint16(&data[0]);

  DECR_LEN(data_size, username.size);

  username.data = &data[2];

  /* copy the username to the auth info structures
   */
  info = _gnutls_get_auth_info(session, GNUTLS_CRD_PSK);
  if (info == NULL) {
    gnutls_assert();
    return GNUTLS_E_INTERNAL_ERROR;
  }

  if (username.size > MAX_USERNAME_SIZE) {
    gnutls_assert();
    return GNUTLS_E_ILLEGAL_SRP_USERNAME;
  }

  ret = _gnutls_copy_psk_username(info, username);
  if (ret < 0)
    gnutls_assert_val(ret);

  /* Adjust data so it points to EncryptedPreMasterSecret */
  data += username.size + 2;

  /*** 2. Decrypt and extract EncryptedPreMasterSecret ***/

  DECR_LEN(data_size, 2);
  ciphertext.data = &data[2];
  dsize = _gnutls_read_uint16(data);

  if (dsize != data_size) {
    gnutls_assert();
    return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
  }
  ciphertext.size = dsize;

  ret =
      gnutls_privkey_decrypt_data(session->internals.selected_key, 0,
          &ciphertext, &plaintext);
  if (ret < 0 || plaintext.size != GNUTLS_MASTER_SIZE) {
    /* In case decryption fails then don't inform
     * the peer. Just use a random key. (in order to avoid
     * attack against pkcs-1 formatting).
     */
    gnutls_assert();
    _gnutls_debug_log
        ("auth_rsa_psk: Possible PKCS #1 format attack\n");
    if (ret >= 0) {
      gnutls_free(plaintext.data);
    }
    randomize_key = 1;
  } else {
    /* If the secret was properly formatted, then
     * check the version number.
     */
    if (_gnutls_get_adv_version_major(session) != plaintext.data[0]
        || (session->internals.allow_wrong_pms == 0
      && _gnutls_get_adv_version_minor(session) !=
      plaintext.data[1])) {
      /* No error is returned here, if the version number check
       * fails. We proceed normally.
       * That is to defend against the attack described in the paper
       * "Attacking RSA-based sessions in SSL/TLS" by Vlastimil Klima,
       * Ondej Pokorny and Tomas Rosa.
       */
      gnutls_assert();
      _gnutls_debug_log
          ("auth_rsa: Possible PKCS #1 version check format attack\n");
    }
  }

  if (randomize_key != 0) {
    premaster_secret.size = GNUTLS_MASTER_SIZE;
    premaster_secret.data = gnutls_malloc(premaster_secret.size);
    if (premaster_secret.data == NULL) {
      gnutls_assert();
      return GNUTLS_E_MEMORY_ERROR;
    }

    /* we do not need strong random numbers here.
     */
    ret = gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data,
         premaster_secret.size);
    if (ret < 0) {
      gnutls_assert();
      goto cleanup;
    }
  } else {
    premaster_secret.data = plaintext.data;
    premaster_secret.size = plaintext.size;
  }

  /* This is here to avoid the version check attack
   * discussed above.
   */

  premaster_secret.data[0] = _gnutls_get_adv_version_major(session);
  premaster_secret.data[1] = _gnutls_get_adv_version_minor(session);

  /* find the key of this username
   */
  ret =
      _gnutls_psk_pwd_find_entry(session, info->username,
               strlen(info->username), &pwd_psk);
  if (ret < 0) {
    gnutls_assert();
    goto cleanup;
  }

  ret = set_rsa_psk_session_key(session, &pwd_psk, &premaster_secret);
  if (ret < 0) {
    gnutls_assert();
    goto cleanup;
  }

  ret = 0;
 cleanup:
  _gnutls_free_key_datum(&pwd_psk);
  _gnutls_free_temp_key_datum(&premaster_secret);

  return ret;
}

static int
_gnutls_proc_rsa_psk_server_kx(gnutls_session_t session, uint8_t * data,
             size_t _data_size)
{
  /* In RSA-PSK the key is calculated elsewhere.
   * Moreover, since we only keep a single auth info structure, we cannot
   * store the hint (as we store certificate auth info).
   * Ideally we need to handle that by multiple auth info
   * structures or something similar.
   */

  return 0;
}

#endif        /* ENABLE_PSK */

Coverage Report

Created: 2023-03-26 08:33

Line	Count	Source (jump to first uncovered line)
1		/*
2		* Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2007, 2009, 2010
3		* Free Software Foundation, Inc.
4		*
5		* Copyright (C) 2011
6		* Bardenheuer GmbH, Munich and Bundesdruckerei GmbH, Berlin
7		*
8		* Copyright (C) 2013 Frank Morgner
9		* Copyright (C) 2013 Nikos Mavrogiannopoulos
10		*
11		* This file is part of GnuTLS.
12		*
13		* The GnuTLS is free software; you can redistribute it and/or
14		* modify it under the terms of the GNU Lesser General Public License
15		* as published by the Free Software Foundation; either version 2.1 of
16		* the License, or (at your option) any later version.
17		*
18		* This library is distributed in the hope that it will be useful, but
19		* WITHOUT ANY WARRANTY; without even the implied warranty of
20		* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
21		* Lesser General Public License for more details.
22		*
23		* You should have received a copy of the GNU Lesser General Public
24		* License along with this library. If not, see <https://www.gnu.org/licenses/>.
25		*
26		*/
27
28		#include "gnutls_int.h"
29
30		#ifdef ENABLE_PSK
31
32		# include "auth.h"
33		# include "dh.h"
34		# include "errors.h"
35		# include "mpi.h"
36		# include "num.h"
37		# include "gnutls_int.h"
38		# include "pk.h"
39		# include "random.h"
40		# include <abstract_int.h>
41		# include <algorithms.h>
42		# include <auth/dh_common.h>
43		# include <auth/psk.h>
44		# include <auth/psk_passwd.h>
45		# include <auth/rsa_common.h>
46		# include <cert.h>
47		# include <datum.h>
48		# include <state.h>
49
50		static int _gnutls_gen_rsa_psk_client_kx(gnutls_session_t session,
51		gnutls_buffer_st * data);
52		static int _gnutls_proc_rsa_psk_client_kx(gnutls_session_t, uint8_t *, size_t);
53		static int
54		_gnutls_proc_rsa_psk_server_kx(gnutls_session_t session, uint8_t * data,
55		size_t _data_size);
56
57		const mod_auth_st rsa_psk_auth_struct = {
58		"RSA PSK",
59		_gnutls_gen_cert_server_crt,
60		NULL, /* generate_client_certificate */
61		_gnutls_gen_psk_server_kx,
62		_gnutls_gen_rsa_psk_client_kx,
63		NULL, /* generate_client_cert_vrfy */
64		NULL, /* generate_server_certificate_request */
65		_gnutls_proc_crt,
66		NULL, /* process_client_certificate */
67		_gnutls_proc_rsa_psk_server_kx,
68		_gnutls_proc_rsa_psk_client_kx,
69		NULL, /* process_client_cert_vrfy */
70		NULL /* process_server_certificate_reuqest */
71		};
72
73		/* Set the PSK premaster secret.
74		*/
75		static int
76		set_rsa_psk_session_key(gnutls_session_t session,
77		gnutls_datum_t * ppsk, gnutls_datum_t * rsa_secret)
78	0	{
79	0	unsigned char *p;
80	0	size_t rsa_secret_size;
81	0	int ret;
82
83	0	rsa_secret_size = rsa_secret->size;
84
85		/* set the session key
86		*/
87	0	session->key.key.size = 2 + rsa_secret_size + 2 + ppsk->size;
88	0	session->key.key.data = gnutls_malloc(session->key.key.size);
89	0	if (session->key.key.data == NULL) {
90	0	gnutls_assert();
91	0	ret = GNUTLS_E_MEMORY_ERROR;
92	0	goto error;
93	0	}
94
95		/* format of the premaster secret:
96		* (uint16_t) other_secret size (48)
97		* other_secret: 2 byte version + 46 byte random
98		* (uint16_t) psk_size
99		* the psk
100		*/
101	0	_gnutls_write_uint16(rsa_secret_size, session->key.key.data);
102	0	memcpy(&session->key.key.data[2], rsa_secret->data, rsa_secret->size);
103	0	p = &session->key.key.data[rsa_secret_size + 2];
104	0	_gnutls_write_uint16(ppsk->size, p);
105	0	if (ppsk->data != NULL)
106	0	memcpy(p + 2, ppsk->data, ppsk->size);
107
108	0	ret = 0;
109
110	0	error:
111	0	return ret;
112	0	}
113
114		/* Generate client key exchange message
115		*
116		*
117		* struct {
118		* select (KeyExchangeAlgorithm) {
119		* uint8_t psk_identity<0..2^16-1>;
120		* EncryptedPreMasterSecret;
121		* } exchange_keys;
122		* } ClientKeyExchange;
123		*/
124		static int
125		_gnutls_gen_rsa_psk_client_kx(gnutls_session_t session, gnutls_buffer_st * data)
126	0	{
127	0	cert_auth_info_t auth = session->key.auth_info;
128	0	gnutls_datum_t sdata; /* data to send */
129	0	gnutls_pk_params_st params;
130	0	gnutls_psk_client_credentials_t cred;
131	0	gnutls_datum_t username, key;
132	0	int ret, free;
133	0	unsigned init_pos;
134
135	0	if (auth == NULL) {
136		/* this shouldn't have happened. The proc_certificate
137		* function should have detected that.
138		*/
139	0	gnutls_assert();
140	0	return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
141	0	}
142
143	0	gnutls_datum_t premaster_secret;
144	0	premaster_secret.size = GNUTLS_MASTER_SIZE;
145	0	premaster_secret.data = gnutls_malloc(premaster_secret.size);
146
147	0	if (premaster_secret.data == NULL) {
148	0	gnutls_assert();
149	0	return GNUTLS_E_MEMORY_ERROR;
150	0	}
151
152		/* Generate random */
153	0	ret = gnutls_rnd(GNUTLS_RND_RANDOM, premaster_secret.data,
154	0	premaster_secret.size);
155	0	if (ret < 0) {
156	0	gnutls_assert();
157	0	return ret;
158	0	}
159
160		/* Set version */
161	0	if (session->internals.rsa_pms_version[0] == 0) {
162	0	premaster_secret.data[0] =
163	0	_gnutls_get_adv_version_major(session);
164	0	premaster_secret.data[1] =
165	0	_gnutls_get_adv_version_minor(session);
166	0	} else { /* use the version provided */
167	0	premaster_secret.data[0] =
168	0	session->internals.rsa_pms_version[0];
169	0	premaster_secret.data[1] =
170	0	session->internals.rsa_pms_version[1];
171	0	}
172
173		/* move RSA parameters to key (session).
174		*/
175	0	if ((ret = _gnutls_get_public_rsa_params(session, &params)) < 0) {
176	0	gnutls_assert();
177	0	return ret;
178	0	}
179
180		/* Encrypt premaster secret */
181	0	if ((ret =
182	0	_gnutls_pk_encrypt(GNUTLS_PK_RSA, &sdata, &premaster_secret,
183	0	&params)) < 0) {
184	0	gnutls_assert();
185	0	return ret;
186	0	}
187
188	0	gnutls_pk_params_release(&params);
189
190	0	cred = (gnutls_psk_client_credentials_t)
191	0	_gnutls_get_cred(session, GNUTLS_CRD_PSK);
192
193	0	if (cred == NULL) {
194	0	gnutls_assert();
195	0	return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
196	0	}
197
198	0	ret = _gnutls_find_psk_key(session, cred, &username, &key, &free);
199	0	if (ret < 0)
200	0	return gnutls_assert_val(ret);
201
202		/* Here we set the PSK key */
203	0	ret = set_rsa_psk_session_key(session, &key, &premaster_secret);
204	0	if (ret < 0) {
205	0	gnutls_assert();
206	0	goto cleanup;
207	0	}
208
209		/* Create message for client key exchange
210		*
211		* struct {
212		* uint8_t psk_identity<0..2^16-1>;
213		* EncryptedPreMasterSecret;
214		* }
215		*/
216
217	0	init_pos = data->length;
218
219		/* Write psk_identity and EncryptedPreMasterSecret into data stream
220		*/
221	0	ret =
222	0	_gnutls_buffer_append_data_prefix(data, 16,
223	0	username.data, username.size);
224	0	if (ret < 0) {
225	0	gnutls_assert();
226	0	goto cleanup;
227	0	}
228
229	0	ret =
230	0	_gnutls_buffer_append_data_prefix(data, 16, sdata.data, sdata.size);
231	0	if (ret < 0) {
232	0	gnutls_assert();
233	0	goto cleanup;
234	0	}
235
236	0	ret = data->length - init_pos;
237
238	0	cleanup:
239	0	_gnutls_free_datum(&sdata);
240	0	_gnutls_free_temp_key_datum(&premaster_secret);
241	0	if (free) {
242	0	_gnutls_free_temp_key_datum(&key);
243	0	gnutls_free(username.data);
244	0	}
245
246	0	return ret;
247	0	}
248
249		/*
250		Process the client key exchange message
251		*/
252		static int
253		_gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
254		size_t _data_size)
255	0	{
256	0	gnutls_datum_t username;
257	0	psk_auth_info_t info;
258	0	gnutls_datum_t plaintext;
259	0	gnutls_datum_t ciphertext;
260	0	gnutls_datum_t pwd_psk = { NULL, 0 };
261	0	int ret, dsize;
262	0	int randomize_key = 0;
263	0	ssize_t data_size = _data_size;
264	0	gnutls_psk_server_credentials_t cred;
265	0	gnutls_datum_t premaster_secret = { NULL, 0 };
266
267	0	cred = (gnutls_psk_server_credentials_t)
268	0	_gnutls_get_cred(session, GNUTLS_CRD_PSK);
269
270	0	if (cred == NULL) {
271	0	gnutls_assert();
272	0	return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
273	0	}
274
275	0	ret = _gnutls_auth_info_init(session, GNUTLS_CRD_PSK,
276	0	sizeof(psk_auth_info_st), 1);
277	0	if (ret < 0) {
278	0	gnutls_assert();
279	0	return ret;
280	0	}
281
282		/* 1. Extract user psk_identity */
283
284	0	DECR_LEN(data_size, 2);
285	0	username.size = _gnutls_read_uint16(&data[0]);
286
287	0	DECR_LEN(data_size, username.size);
288
289	0	username.data = &data[2];
290
291		/* copy the username to the auth info structures
292		*/
293	0	info = _gnutls_get_auth_info(session, GNUTLS_CRD_PSK);
294	0	if (info == NULL) {
295	0	gnutls_assert();
296	0	return GNUTLS_E_INTERNAL_ERROR;
297	0	}
298
299	0	if (username.size > MAX_USERNAME_SIZE) {
300	0	gnutls_assert();
301	0	return GNUTLS_E_ILLEGAL_SRP_USERNAME;
302	0	}
303
304	0	ret = _gnutls_copy_psk_username(info, username);
305	0	if (ret < 0)
306	0	gnutls_assert_val(ret);
307
308		/* Adjust data so it points to EncryptedPreMasterSecret */
309	0	data += username.size + 2;
310
311		/* 2. Decrypt and extract EncryptedPreMasterSecret */
312
313	0	DECR_LEN(data_size, 2);
314	0	ciphertext.data = &data[2];
315	0	dsize = _gnutls_read_uint16(data);
316
317	0	if (dsize != data_size) {
318	0	gnutls_assert();
319	0	return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
320	0	}
321	0	ciphertext.size = dsize;
322
323	0	ret =
324	0	gnutls_privkey_decrypt_data(session->internals.selected_key, 0,
325	0	&ciphertext, &plaintext);
326	0	if (ret < 0 \|\| plaintext.size != GNUTLS_MASTER_SIZE) {
327		/* In case decryption fails then don't inform
328		* the peer. Just use a random key. (in order to avoid
329		* attack against pkcs-1 formatting).
330		*/
331	0	gnutls_assert();
332	0	_gnutls_debug_log
333	0	("auth_rsa_psk: Possible PKCS #1 format attack\n");
334	0	if (ret >= 0) {
335	0	gnutls_free(plaintext.data);
336	0	}
337	0	randomize_key = 1;
338	0	} else {
339		/* If the secret was properly formatted, then
340		* check the version number.
341		*/
342	0	if (_gnutls_get_adv_version_major(session) != plaintext.data[0]
343	0	\|\| (session->internals.allow_wrong_pms == 0
344	0	&& _gnutls_get_adv_version_minor(session) !=
345	0	plaintext.data[1])) {
346		/* No error is returned here, if the version number check
347		* fails. We proceed normally.
348		* That is to defend against the attack described in the paper
349		* "Attacking RSA-based sessions in SSL/TLS" by Vlastimil Klima,
350		* Ondej Pokorny and Tomas Rosa.
351		*/
352	0	gnutls_assert();
353	0	_gnutls_debug_log
354	0	("auth_rsa: Possible PKCS #1 version check format attack\n");
355	0	}
356	0	}
357
358	0	if (randomize_key != 0) {
359	0	premaster_secret.size = GNUTLS_MASTER_SIZE;
360	0	premaster_secret.data = gnutls_malloc(premaster_secret.size);
361	0	if (premaster_secret.data == NULL) {
362	0	gnutls_assert();
363	0	return GNUTLS_E_MEMORY_ERROR;
364	0	}
365
366		/* we do not need strong random numbers here.
367		*/
368	0	ret = gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data,
369	0	premaster_secret.size);
370	0	if (ret < 0) {
371	0	gnutls_assert();
372	0	goto cleanup;
373	0	}
374	0	} else {
375	0	premaster_secret.data = plaintext.data;
376	0	premaster_secret.size = plaintext.size;
377	0	}
378
379		/* This is here to avoid the version check attack
380		* discussed above.
381		*/
382
383	0	premaster_secret.data[0] = _gnutls_get_adv_version_major(session);
384	0	premaster_secret.data[1] = _gnutls_get_adv_version_minor(session);
385
386		/* find the key of this username
387		*/
388	0	ret =
389	0	_gnutls_psk_pwd_find_entry(session, info->username,
390	0	strlen(info->username), &pwd_psk);
391	0	if (ret < 0) {
392	0	gnutls_assert();
393	0	goto cleanup;
394	0	}
395
396	0	ret = set_rsa_psk_session_key(session, &pwd_psk, &premaster_secret);
397	0	if (ret < 0) {
398	0	gnutls_assert();
399	0	goto cleanup;
400	0	}
401
402	0	ret = 0;
403	0	cleanup:
404	0	_gnutls_free_key_datum(&pwd_psk);
405	0	_gnutls_free_temp_key_datum(&premaster_secret);
406
407	0	return ret;
408	0	}
409
410		static int
411		_gnutls_proc_rsa_psk_server_kx(gnutls_session_t session, uint8_t * data,
412		size_t _data_size)
413	0	{
414		/* In RSA-PSK the key is calculated elsewhere.
415		* Moreover, since we only keep a single auth info structure, we cannot
416		* store the hint (as we store certificate auth info).
417		* Ideally we need to handle that by multiple auth info
418		* structures or something similar.
419		*/
420
421	0	return 0;
422	0	}
423
424		#endif /* ENABLE_PSK */