/src/gnutls/lib/auth/rsa_psk.c

Source (jump to first uncovered line)
/*
 * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2007, 2009, 2010
 * Free Software Foundation, Inc.
 *
 * Copyright (C) 2011
 * Bardenheuer GmbH, Munich and Bundesdruckerei GmbH, Berlin
 *
 * Copyright (C) 2013 Frank Morgner
 * Copyright (C) 2013 Nikos Mavrogiannopoulos
 *
 * This file is part of GnuTLS.
 *
 * The GnuTLS is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public License
 * as published by the Free Software Foundation; either version 2.1 of
 * the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library.  If not, see <https://www.gnu.org/licenses/>.
 *
 */

#include "gnutls_int.h"

#ifdef ENABLE_PSK

#include "auth.h"
#include "dh.h"
#include "errors.h"
#include "mpi.h"
#include "num.h"
#include "gnutls_int.h"
#include "pk.h"
#include "random.h"
#include "abstract_int.h"
#include "algorithms.h"
#include "auth/dh_common.h"
#include "auth/psk.h"
#include "auth/psk_passwd.h"
#include "auth/rsa_common.h"
#include "cert.h"
#include "datum.h"
#include "state.h"

static int _gnutls_gen_rsa_psk_client_kx(gnutls_session_t session,
           gnutls_buffer_st *data);
static int _gnutls_proc_rsa_psk_client_kx(gnutls_session_t, uint8_t *, size_t);
static int _gnutls_proc_rsa_psk_server_kx(gnutls_session_t session,
            uint8_t *data, size_t _data_size);

const mod_auth_st rsa_psk_auth_struct = {
  "RSA PSK",
  _gnutls_gen_cert_server_crt,
  NULL, /* generate_client_certificate */
  _gnutls_gen_psk_server_kx,
  _gnutls_gen_rsa_psk_client_kx,
  NULL, /* generate_client_cert_vrfy */
  NULL, /* generate_server_certificate_request */
  _gnutls_proc_crt,
  NULL, /* process_client_certificate */
  _gnutls_proc_rsa_psk_server_kx,
  _gnutls_proc_rsa_psk_client_kx,
  NULL, /* process_client_cert_vrfy */
  NULL /* process_server_certificate_reuqest */
};

/* Set the PSK premaster secret.
 */
static int set_rsa_psk_session_key(gnutls_session_t session,
           gnutls_datum_t *ppsk,
           gnutls_datum_t *rsa_secret)
{
  unsigned char *p;
  size_t rsa_secret_size;
  int ret;

  rsa_secret_size = rsa_secret->size;

  /* set the session key
   */
  session->key.key.size = 2 + rsa_secret_size + 2 + ppsk->size;
  session->key.key.data = gnutls_malloc(session->key.key.size);
  if (session->key.key.data == NULL) {
    gnutls_assert();
    ret = GNUTLS_E_MEMORY_ERROR;
    goto error;
  }

  /* format of the premaster secret:
   * (uint16_t) other_secret size (48)
   * other_secret: 2 byte version + 46 byte random
   * (uint16_t) psk_size
   * the psk
   */
  _gnutls_write_uint16(rsa_secret_size, session->key.key.data);
  memcpy(&session->key.key.data[2], rsa_secret->data, rsa_secret->size);
  p = &session->key.key.data[rsa_secret_size + 2];
  _gnutls_write_uint16(ppsk->size, p);
  if (ppsk->data != NULL)
    memcpy(p + 2, ppsk->data, ppsk->size);

  ret = 0;

error:
  return ret;
}

/* Generate client key exchange message
 *
 *
 * struct {
 *    select (KeyExchangeAlgorithm) {
 *       uint8_t psk_identity<0..2^16-1>;
 *       EncryptedPreMasterSecret;
 *    } exchange_keys;
 * } ClientKeyExchange;
 */
static int _gnutls_gen_rsa_psk_client_kx(gnutls_session_t session,
           gnutls_buffer_st *data)
{
  cert_auth_info_t auth = session->key.auth_info;
  gnutls_datum_t sdata; /* data to send */
  gnutls_pk_params_st params;
  gnutls_psk_client_credentials_t cred;
  gnutls_datum_t username, key;
  int ret, free;
  unsigned init_pos;

  if (auth == NULL) {
    /* this shouldn't have happened. The proc_certificate
     * function should have detected that.
     */
    gnutls_assert();
    return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
  }

  gnutls_datum_t premaster_secret;
  premaster_secret.size = GNUTLS_MASTER_SIZE;
  premaster_secret.data = gnutls_malloc(premaster_secret.size);

  if (premaster_secret.data == NULL) {
    gnutls_assert();
    return GNUTLS_E_MEMORY_ERROR;
  }

  /* Generate random */
  ret = gnutls_rnd(GNUTLS_RND_RANDOM, premaster_secret.data,
       premaster_secret.size);
  if (ret < 0) {
    gnutls_assert();
    return ret;
  }

  /* Set version */
  if (session->internals.rsa_pms_version[0] == 0) {
    premaster_secret.data[0] =
      _gnutls_get_adv_version_major(session);
    premaster_secret.data[1] =
      _gnutls_get_adv_version_minor(session);
  } else { /* use the version provided */
    premaster_secret.data[0] =
      session->internals.rsa_pms_version[0];
    premaster_secret.data[1] =
      session->internals.rsa_pms_version[1];
  }

  /* move RSA parameters to key (session).
   */
  if ((ret = _gnutls_get_public_rsa_params(session, &params)) < 0) {
    gnutls_assert();
    return ret;
  }

  /* Encrypt premaster secret */
  if ((ret = _gnutls_pk_encrypt(GNUTLS_PK_RSA, &sdata, &premaster_secret,
              &params)) < 0) {
    gnutls_assert();
    return ret;
  }

  gnutls_pk_params_release(&params);

  cred = (gnutls_psk_client_credentials_t)_gnutls_get_cred(
    session, GNUTLS_CRD_PSK);

  if (cred == NULL) {
    gnutls_assert();
    return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
  }

  ret = _gnutls_find_psk_key(session, cred, &username, &key, NULL, &free);
  if (ret < 0)
    return gnutls_assert_val(ret);

  /* Here we set the PSK key */
  ret = set_rsa_psk_session_key(session, &key, &premaster_secret);
  if (ret < 0) {
    gnutls_assert();
    goto cleanup;
  }

  /* Create message for client key exchange
   *
   * struct {
   *   uint8_t psk_identity<0..2^16-1>;
   *   EncryptedPreMasterSecret;
   * }
   */

  init_pos = data->length;

  /* Write psk_identity and EncryptedPreMasterSecret into data stream
   */
  ret = _gnutls_buffer_append_data_prefix(data, 16, username.data,
            username.size);
  if (ret < 0) {
    gnutls_assert();
    goto cleanup;
  }

  ret = _gnutls_buffer_append_data_prefix(data, 16, sdata.data,
            sdata.size);
  if (ret < 0) {
    gnutls_assert();
    goto cleanup;
  }

  ret = data->length - init_pos;

cleanup:
  _gnutls_free_datum(&sdata);
  _gnutls_free_temp_key_datum(&premaster_secret);
  if (free) {
    _gnutls_free_temp_key_datum(&key);
    gnutls_free(username.data);
  }

  return ret;
}

/*
  Process the client key exchange message
*/
static int _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session,
            uint8_t *data, size_t _data_size)
{
  gnutls_datum_t username;
  psk_auth_info_t info;
  gnutls_datum_t ciphertext;
  gnutls_datum_t pwd_psk = { NULL, 0 };
  int ret, dsize;
  ssize_t data_size = _data_size;
  gnutls_psk_server_credentials_t cred;
  volatile uint8_t ver_maj, ver_min;

  cred = (gnutls_psk_server_credentials_t)_gnutls_get_cred(
    session, GNUTLS_CRD_PSK);

  if (cred == NULL) {
    gnutls_assert();
    return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
  }

  ret = _gnutls_auth_info_init(session, GNUTLS_CRD_PSK,
             sizeof(psk_auth_info_st), 1);
  if (ret < 0) {
    gnutls_assert();
    return ret;
  }

  /*** 1. Extract user psk_identity ***/

  DECR_LEN(data_size, 2);
  username.size = _gnutls_read_uint16(&data[0]);

  DECR_LEN(data_size, username.size);

  username.data = &data[2];

  /* copy the username to the auth info structures
   */
  info = _gnutls_get_auth_info(session, GNUTLS_CRD_PSK);
  if (info == NULL) {
    gnutls_assert();
    return GNUTLS_E_INTERNAL_ERROR;
  }

  if (username.size > MAX_USERNAME_SIZE) {
    gnutls_assert();
    return GNUTLS_E_ILLEGAL_SRP_USERNAME;
  }

  ret = _gnutls_copy_psk_username(info, username);
  if (ret < 0)
    gnutls_assert_val(ret);

  /* Adjust data so it points to EncryptedPreMasterSecret */
  data += username.size + 2;

  /*** 2. Decrypt and extract EncryptedPreMasterSecret ***/

  DECR_LEN(data_size, 2);
  ciphertext.data = &data[2];
  dsize = _gnutls_read_uint16(data);

  if (dsize != data_size) {
    gnutls_assert();
    return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
  }
  ciphertext.size = dsize;

  ver_maj = _gnutls_get_adv_version_major(session);
  ver_min = _gnutls_get_adv_version_minor(session);

  /* Find the key of this username. A random value will be
   * filled in if the key is not found.
   */
  ret = _gnutls_psk_pwd_find_entry(session, info->username,
           strlen(info->username), &pwd_psk,
           NULL);
  if (ret < 0)
    return gnutls_assert_val(ret);

  /* Allocate memory for premaster secret, and fill in the
   * fields except the decryption result.
   */
  session->key.key.size = 2 + GNUTLS_MASTER_SIZE + 2 + pwd_psk.size;
  session->key.key.data = gnutls_malloc(session->key.key.size);
  if (session->key.key.data == NULL) {
    gnutls_assert();
    _gnutls_free_key_datum(&pwd_psk);
    /* No need to zeroize, as the secret is not copied in yet */
    _gnutls_free_datum(&session->key.key);
    return GNUTLS_E_MEMORY_ERROR;
  }

  /* Fallback value when decryption fails. Needs to be unpredictable. */
  ret = gnutls_rnd(GNUTLS_RND_NONCE, session->key.key.data + 2,
       GNUTLS_MASTER_SIZE);
  if (ret < 0) {
    gnutls_assert();
    _gnutls_free_key_datum(&pwd_psk);
    /* No need to zeroize, as the secret is not copied in yet */
    _gnutls_free_datum(&session->key.key);
    return ret;
  }

  _gnutls_write_uint16(GNUTLS_MASTER_SIZE, session->key.key.data);
  _gnutls_write_uint16(pwd_psk.size,
           &session->key.key.data[2 + GNUTLS_MASTER_SIZE]);
  memcpy(&session->key.key.data[2 + GNUTLS_MASTER_SIZE + 2], pwd_psk.data,
         pwd_psk.size);
  _gnutls_free_key_datum(&pwd_psk);

  gnutls_privkey_decrypt_data2(session->internals.selected_key, 0,
             &ciphertext, session->key.key.data + 2,
             GNUTLS_MASTER_SIZE);
  /* After this point, any conditional on failure that cause differences
   * in execution may create a timing or cache access pattern side
   * channel that can be used as an oracle, so tread carefully */

  /* Error handling logic:
   * In case decryption fails then don't inform the peer. Just use the
   * random key previously generated. (in order to avoid attack against
   * pkcs-1 formatting).
   *
   * If we get version mismatches no error is returned either. We
   * proceed normally. This is to defend against the attack described
   * in the paper "Attacking RSA-based sessions in SSL/TLS" by
   * Vlastimil Klima, Ondej Pokorny and Tomas Rosa.
   */

  /* This is here to avoid the version check attack
   * discussed above.
   */
  session->key.key.data[2] = ver_maj;
  session->key.key.data[3] = ver_min;

  return 0;
}

static int _gnutls_proc_rsa_psk_server_kx(gnutls_session_t session,
            uint8_t *data, size_t _data_size)
{
  /* In RSA-PSK the key is calculated elsewhere.
   * Moreover, since we only keep a single auth info structure, we cannot
   * store the hint (as we store certificate auth info).
   * Ideally we need to handle that by multiple auth info
   * structures or something similar.
   */

  return 0;
}

#endif /* ENABLE_PSK */

Coverage Report

Created: 2025-03-18 06:55

Line	Count	Source (jump to first uncovered line)
1		/*
2		* Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2007, 2009, 2010
3		* Free Software Foundation, Inc.
4		*
5		* Copyright (C) 2011
6		* Bardenheuer GmbH, Munich and Bundesdruckerei GmbH, Berlin
7		*
8		* Copyright (C) 2013 Frank Morgner
9		* Copyright (C) 2013 Nikos Mavrogiannopoulos
10		*
11		* This file is part of GnuTLS.
12		*
13		* The GnuTLS is free software; you can redistribute it and/or
14		* modify it under the terms of the GNU Lesser General Public License
15		* as published by the Free Software Foundation; either version 2.1 of
16		* the License, or (at your option) any later version.
17		*
18		* This library is distributed in the hope that it will be useful, but
19		* WITHOUT ANY WARRANTY; without even the implied warranty of
20		* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
21		* Lesser General Public License for more details.
22		*
23		* You should have received a copy of the GNU Lesser General Public
24		* License along with this library. If not, see <https://www.gnu.org/licenses/>.
25		*
26		*/
27
28		#include "gnutls_int.h"
29
30		#ifdef ENABLE_PSK
31
32		#include "auth.h"
33		#include "dh.h"
34		#include "errors.h"
35		#include "mpi.h"
36		#include "num.h"
37		#include "gnutls_int.h"
38		#include "pk.h"
39		#include "random.h"
40		#include "abstract_int.h"
41		#include "algorithms.h"
42		#include "auth/dh_common.h"
43		#include "auth/psk.h"
44		#include "auth/psk_passwd.h"
45		#include "auth/rsa_common.h"
46		#include "cert.h"
47		#include "datum.h"
48		#include "state.h"
49
50		static int _gnutls_gen_rsa_psk_client_kx(gnutls_session_t session,
51		gnutls_buffer_st *data);
52		static int _gnutls_proc_rsa_psk_client_kx(gnutls_session_t, uint8_t *, size_t);
53		static int _gnutls_proc_rsa_psk_server_kx(gnutls_session_t session,
54		uint8_t *data, size_t _data_size);
55
56		const mod_auth_st rsa_psk_auth_struct = {
57		"RSA PSK",
58		_gnutls_gen_cert_server_crt,
59		NULL, /* generate_client_certificate */
60		_gnutls_gen_psk_server_kx,
61		_gnutls_gen_rsa_psk_client_kx,
62		NULL, /* generate_client_cert_vrfy */
63		NULL, /* generate_server_certificate_request */
64		_gnutls_proc_crt,
65		NULL, /* process_client_certificate */
66		_gnutls_proc_rsa_psk_server_kx,
67		_gnutls_proc_rsa_psk_client_kx,
68		NULL, /* process_client_cert_vrfy */
69		NULL /* process_server_certificate_reuqest */
70		};
71
72		/* Set the PSK premaster secret.
73		*/
74		static int set_rsa_psk_session_key(gnutls_session_t session,
75		gnutls_datum_t *ppsk,
76		gnutls_datum_t *rsa_secret)
77	0	{
78	0	unsigned char *p;
79	0	size_t rsa_secret_size;
80	0	int ret;
81
82	0	rsa_secret_size = rsa_secret->size;
83
84		/* set the session key
85		*/
86	0	session->key.key.size = 2 + rsa_secret_size + 2 + ppsk->size;
87	0	session->key.key.data = gnutls_malloc(session->key.key.size);
88	0	if (session->key.key.data == NULL) {
89	0	gnutls_assert();
90	0	ret = GNUTLS_E_MEMORY_ERROR;
91	0	goto error;
92	0	}
93
94		/* format of the premaster secret:
95		* (uint16_t) other_secret size (48)
96		* other_secret: 2 byte version + 46 byte random
97		* (uint16_t) psk_size
98		* the psk
99		*/
100	0	_gnutls_write_uint16(rsa_secret_size, session->key.key.data);
101	0	memcpy(&session->key.key.data[2], rsa_secret->data, rsa_secret->size);
102	0	p = &session->key.key.data[rsa_secret_size + 2];
103	0	_gnutls_write_uint16(ppsk->size, p);
104	0	if (ppsk->data != NULL)
105	0	memcpy(p + 2, ppsk->data, ppsk->size);
106
107	0	ret = 0;
108
109	0	error:
110	0	return ret;
111	0	}
112
113		/* Generate client key exchange message
114		*
115		*
116		* struct {
117		* select (KeyExchangeAlgorithm) {
118		* uint8_t psk_identity<0..2^16-1>;
119		* EncryptedPreMasterSecret;
120		* } exchange_keys;
121		* } ClientKeyExchange;
122		*/
123		static int _gnutls_gen_rsa_psk_client_kx(gnutls_session_t session,
124		gnutls_buffer_st *data)
125	0	{
126	0	cert_auth_info_t auth = session->key.auth_info;
127	0	gnutls_datum_t sdata; /* data to send */
128	0	gnutls_pk_params_st params;
129	0	gnutls_psk_client_credentials_t cred;
130	0	gnutls_datum_t username, key;
131	0	int ret, free;
132	0	unsigned init_pos;
133
134	0	if (auth == NULL) {
135		/* this shouldn't have happened. The proc_certificate
136		* function should have detected that.
137		*/
138	0	gnutls_assert();
139	0	return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
140	0	}
141
142	0	gnutls_datum_t premaster_secret;
143	0	premaster_secret.size = GNUTLS_MASTER_SIZE;
144	0	premaster_secret.data = gnutls_malloc(premaster_secret.size);
145
146	0	if (premaster_secret.data == NULL) {
147	0	gnutls_assert();
148	0	return GNUTLS_E_MEMORY_ERROR;
149	0	}
150
151		/* Generate random */
152	0	ret = gnutls_rnd(GNUTLS_RND_RANDOM, premaster_secret.data,
153	0	premaster_secret.size);
154	0	if (ret < 0) {
155	0	gnutls_assert();
156	0	return ret;
157	0	}
158
159		/* Set version */
160	0	if (session->internals.rsa_pms_version[0] == 0) {
161	0	premaster_secret.data[0] =
162	0	_gnutls_get_adv_version_major(session);
163	0	premaster_secret.data[1] =
164	0	_gnutls_get_adv_version_minor(session);
165	0	} else { /* use the version provided */
166	0	premaster_secret.data[0] =
167	0	session->internals.rsa_pms_version[0];
168	0	premaster_secret.data[1] =
169	0	session->internals.rsa_pms_version[1];
170	0	}
171
172		/* move RSA parameters to key (session).
173		*/
174	0	if ((ret = _gnutls_get_public_rsa_params(session, &params)) < 0) {
175	0	gnutls_assert();
176	0	return ret;
177	0	}
178
179		/* Encrypt premaster secret */
180	0	if ((ret = _gnutls_pk_encrypt(GNUTLS_PK_RSA, &sdata, &premaster_secret,
181	0	&params)) < 0) {
182	0	gnutls_assert();
183	0	return ret;
184	0	}
185
186	0	gnutls_pk_params_release(&params);
187
188	0	cred = (gnutls_psk_client_credentials_t)_gnutls_get_cred(
189	0	session, GNUTLS_CRD_PSK);
190
191	0	if (cred == NULL) {
192	0	gnutls_assert();
193	0	return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
194	0	}
195
196	0	ret = _gnutls_find_psk_key(session, cred, &username, &key, NULL, &free);
197	0	if (ret < 0)
198	0	return gnutls_assert_val(ret);
199
200		/* Here we set the PSK key */
201	0	ret = set_rsa_psk_session_key(session, &key, &premaster_secret);
202	0	if (ret < 0) {
203	0	gnutls_assert();
204	0	goto cleanup;
205	0	}
206
207		/* Create message for client key exchange
208		*
209		* struct {
210		* uint8_t psk_identity<0..2^16-1>;
211		* EncryptedPreMasterSecret;
212		* }
213		*/
214
215	0	init_pos = data->length;
216
217		/* Write psk_identity and EncryptedPreMasterSecret into data stream
218		*/
219	0	ret = _gnutls_buffer_append_data_prefix(data, 16, username.data,
220	0	username.size);
221	0	if (ret < 0) {
222	0	gnutls_assert();
223	0	goto cleanup;
224	0	}
225
226	0	ret = _gnutls_buffer_append_data_prefix(data, 16, sdata.data,
227	0	sdata.size);
228	0	if (ret < 0) {
229	0	gnutls_assert();
230	0	goto cleanup;
231	0	}
232
233	0	ret = data->length - init_pos;
234
235	0	cleanup:
236	0	_gnutls_free_datum(&sdata);
237	0	_gnutls_free_temp_key_datum(&premaster_secret);
238	0	if (free) {
239	0	_gnutls_free_temp_key_datum(&key);
240	0	gnutls_free(username.data);
241	0	}
242
243	0	return ret;
244	0	}
245
246		/*
247		Process the client key exchange message
248		*/
249		static int _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session,
250		uint8_t *data, size_t _data_size)
251	0	{
252	0	gnutls_datum_t username;
253	0	psk_auth_info_t info;
254	0	gnutls_datum_t ciphertext;
255	0	gnutls_datum_t pwd_psk = { NULL, 0 };
256	0	int ret, dsize;
257	0	ssize_t data_size = _data_size;
258	0	gnutls_psk_server_credentials_t cred;
259	0	volatile uint8_t ver_maj, ver_min;
260
261	0	cred = (gnutls_psk_server_credentials_t)_gnutls_get_cred(
262	0	session, GNUTLS_CRD_PSK);
263
264	0	if (cred == NULL) {
265	0	gnutls_assert();
266	0	return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
267	0	}
268
269	0	ret = _gnutls_auth_info_init(session, GNUTLS_CRD_PSK,
270	0	sizeof(psk_auth_info_st), 1);
271	0	if (ret < 0) {
272	0	gnutls_assert();
273	0	return ret;
274	0	}
275
276		/* 1. Extract user psk_identity */
277
278	0	DECR_LEN(data_size, 2);
279	0	username.size = _gnutls_read_uint16(&data[0]);
280
281	0	DECR_LEN(data_size, username.size);
282
283	0	username.data = &data[2];
284
285		/* copy the username to the auth info structures
286		*/
287	0	info = _gnutls_get_auth_info(session, GNUTLS_CRD_PSK);
288	0	if (info == NULL) {
289	0	gnutls_assert();
290	0	return GNUTLS_E_INTERNAL_ERROR;
291	0	}
292
293	0	if (username.size > MAX_USERNAME_SIZE) {
294	0	gnutls_assert();
295	0	return GNUTLS_E_ILLEGAL_SRP_USERNAME;
296	0	}
297
298	0	ret = _gnutls_copy_psk_username(info, username);
299	0	if (ret < 0)
300	0	gnutls_assert_val(ret);
301
302		/* Adjust data so it points to EncryptedPreMasterSecret */
303	0	data += username.size + 2;
304
305		/* 2. Decrypt and extract EncryptedPreMasterSecret */
306
307	0	DECR_LEN(data_size, 2);
308	0	ciphertext.data = &data[2];
309	0	dsize = _gnutls_read_uint16(data);
310
311	0	if (dsize != data_size) {
312	0	gnutls_assert();
313	0	return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
314	0	}
315	0	ciphertext.size = dsize;
316
317	0	ver_maj = _gnutls_get_adv_version_major(session);
318	0	ver_min = _gnutls_get_adv_version_minor(session);
319
320		/* Find the key of this username. A random value will be
321		* filled in if the key is not found.
322		*/
323	0	ret = _gnutls_psk_pwd_find_entry(session, info->username,
324	0	strlen(info->username), &pwd_psk,
325	0	NULL);
326	0	if (ret < 0)
327	0	return gnutls_assert_val(ret);
328
329		/* Allocate memory for premaster secret, and fill in the
330		* fields except the decryption result.
331		*/
332	0	session->key.key.size = 2 + GNUTLS_MASTER_SIZE + 2 + pwd_psk.size;
333	0	session->key.key.data = gnutls_malloc(session->key.key.size);
334	0	if (session->key.key.data == NULL) {
335	0	gnutls_assert();
336	0	_gnutls_free_key_datum(&pwd_psk);
337		/* No need to zeroize, as the secret is not copied in yet */
338	0	_gnutls_free_datum(&session->key.key);
339	0	return GNUTLS_E_MEMORY_ERROR;
340	0	}
341
342		/* Fallback value when decryption fails. Needs to be unpredictable. */
343	0	ret = gnutls_rnd(GNUTLS_RND_NONCE, session->key.key.data + 2,
344	0	GNUTLS_MASTER_SIZE);
345	0	if (ret < 0) {
346	0	gnutls_assert();
347	0	_gnutls_free_key_datum(&pwd_psk);
348		/* No need to zeroize, as the secret is not copied in yet */
349	0	_gnutls_free_datum(&session->key.key);
350	0	return ret;
351	0	}
352
353	0	_gnutls_write_uint16(GNUTLS_MASTER_SIZE, session->key.key.data);
354	0	_gnutls_write_uint16(pwd_psk.size,
355	0	&session->key.key.data[2 + GNUTLS_MASTER_SIZE]);
356	0	memcpy(&session->key.key.data[2 + GNUTLS_MASTER_SIZE + 2], pwd_psk.data,
357	0	pwd_psk.size);
358	0	_gnutls_free_key_datum(&pwd_psk);
359
360	0	gnutls_privkey_decrypt_data2(session->internals.selected_key, 0,
361	0	&ciphertext, session->key.key.data + 2,
362	0	GNUTLS_MASTER_SIZE);
363		/* After this point, any conditional on failure that cause differences
364		* in execution may create a timing or cache access pattern side
365		* channel that can be used as an oracle, so tread carefully */
366
367		/* Error handling logic:
368		* In case decryption fails then don't inform the peer. Just use the
369		* random key previously generated. (in order to avoid attack against
370		* pkcs-1 formatting).
371		*
372		* If we get version mismatches no error is returned either. We
373		* proceed normally. This is to defend against the attack described
374		* in the paper "Attacking RSA-based sessions in SSL/TLS" by
375		* Vlastimil Klima, Ondej Pokorny and Tomas Rosa.
376		*/
377
378		/* This is here to avoid the version check attack
379		* discussed above.
380		*/
381	0	session->key.key.data[2] = ver_maj;
382	0	session->key.key.data[3] = ver_min;
383
384	0	return 0;
385	0	}
386
387		static int _gnutls_proc_rsa_psk_server_kx(gnutls_session_t session,
388		uint8_t *data, size_t _data_size)
389	0	{
390		/* In RSA-PSK the key is calculated elsewhere.
391		* Moreover, since we only keep a single auth info structure, we cannot
392		* store the hint (as we store certificate auth info).
393		* Ideally we need to handle that by multiple auth info
394		* structures or something similar.
395		*/
396
397	0	return 0;
398	0	}
399
400		#endif /* ENABLE_PSK */