Line data Source code
1 : /*
2 : * Copyright (C) 2000-2012 Free Software Foundation, Inc.
3 : *
4 : * Author: Nikos Mavrogiannopoulos
5 : *
6 : * This file is part of GnuTLS.
7 : *
8 : * The GnuTLS is free software; you can redistribute it and/or
9 : * modify it under the terms of the GNU Lesser General Public License
10 : * as published by the Free Software Foundation; either version 2.1 of
11 : * the License, or (at your option) any later version.
12 : *
13 : * This library is distributed in the hope that it will be useful, but
14 : * WITHOUT ANY WARRANTY; without even the implied warranty of
15 : * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 : * Lesser General Public License for more details.
17 : *
18 : * You should have received a copy of the GNU Lesser General Public License
19 : * along with this program. If not, see <https://www.gnu.org/licenses/>
20 : *
21 : */
22 :
23 : /* This file contains the RSA key exchange part of the certificate
24 : * authentication.
25 : */
26 :
27 : #include "gnutls_int.h"
28 : #include "auth.h"
29 : #include "errors.h"
30 : #include "dh.h"
31 : #include "num.h"
32 : #include "datum.h"
33 : #include <auth/cert.h>
34 : #include <pk.h>
35 : #include <algorithms.h>
36 : #include <global.h>
37 : #include "debug.h"
38 : #include <tls-sig.h>
39 : #include <x509.h>
40 : #include <random.h>
41 : #include <mpi.h>
42 : #include <abstract_int.h>
43 : #include <auth/rsa_common.h>
44 :
45 : int _gnutls_gen_rsa_client_kx(gnutls_session_t, gnutls_buffer_st *);
46 : static int proc_rsa_client_kx(gnutls_session_t, uint8_t *, size_t);
47 :
48 : const mod_auth_st rsa_auth_struct = {
49 : "RSA",
50 : _gnutls_gen_cert_server_crt,
51 : _gnutls_gen_cert_client_crt,
52 : NULL, /* gen server kx */
53 : _gnutls_gen_rsa_client_kx,
54 : _gnutls_gen_cert_client_crt_vrfy, /* gen client cert vrfy */
55 : _gnutls_gen_cert_server_cert_req, /* server cert request */
56 :
57 : _gnutls_proc_crt,
58 : _gnutls_proc_crt,
59 : NULL, /* proc server kx */
60 : proc_rsa_client_kx, /* proc client kx */
61 : _gnutls_proc_cert_client_crt_vrfy, /* proc client cert vrfy */
62 : _gnutls_proc_cert_cert_req /* proc server cert request */
63 : };
64 :
65 : static
66 229 : int check_key_usage_for_enc(gnutls_session_t session, unsigned key_usage)
67 : {
68 229 : if (key_usage != 0) {
69 204 : if (!(key_usage & GNUTLS_KEY_KEY_ENCIPHERMENT) && !(key_usage & GNUTLS_KEY_KEY_AGREEMENT)) {
70 1 : gnutls_assert();
71 1 : if (session->internals.allow_key_usage_violation == 0) {
72 1 : _gnutls_audit_log(session,
73 : "Peer's certificate does not allow encryption. Key usage violation detected.\n");
74 1 : return GNUTLS_E_KEY_USAGE_VIOLATION;
75 : } else {
76 0 : _gnutls_audit_log(session,
77 : "Peer's certificate does not allow encryption. Key usage violation detected (ignored).\n");
78 : }
79 : }
80 : }
81 : return 0;
82 : }
83 :
84 : /* This function reads the RSA parameters from peer's certificate;
85 : *
86 : * IMPORTANT:
87 : * Currently this function gets only called on the client side
88 : * during generation of the client kx msg. This function
89 : * retrieves the RSA params from the peer's certificate. That is in
90 : * this case the server's certificate. As of GNUTLS version 3.6.4 it is
91 : * possible to negotiate different certificate types for client and
92 : * server. Therefore the correct cert type needs to be retrieved to be
93 : * used for the _gnutls_get_auth_info_pcert call. If this
94 : * function is to be called on the server side in the future, extra
95 : * checks need to be build in order to retrieve the correct
96 : * certificate type.
97 : */
98 : int
99 229 : _gnutls_get_public_rsa_params(gnutls_session_t session,
100 : gnutls_pk_params_st * params)
101 : {
102 229 : int ret;
103 229 : cert_auth_info_t info;
104 229 : unsigned key_usage;
105 229 : gnutls_pcert_st peer_cert;
106 229 : gnutls_certificate_type_t cert_type;
107 :
108 229 : assert(!IS_SERVER(session));
109 :
110 : /* normal non export case */
111 :
112 229 : info = _gnutls_get_auth_info(session, GNUTLS_CRD_CERTIFICATE);
113 :
114 229 : if (info == NULL || info->ncerts == 0) {
115 0 : gnutls_assert();
116 0 : return GNUTLS_E_INTERNAL_ERROR;
117 : }
118 :
119 : // Get the negotiated server certificate type
120 229 : cert_type = get_certificate_type(session, GNUTLS_CTYPE_SERVER);
121 :
122 229 : ret = _gnutls_get_auth_info_pcert(&peer_cert, cert_type, info);
123 :
124 229 : if (ret < 0) {
125 0 : gnutls_assert();
126 0 : return ret;
127 : }
128 :
129 229 : gnutls_pubkey_get_key_usage(peer_cert.pubkey, &key_usage);
130 :
131 229 : ret = check_key_usage_for_enc(session, key_usage);
132 229 : if (ret < 0) {
133 1 : gnutls_assert();
134 1 : goto cleanup2;
135 : }
136 :
137 228 : gnutls_pk_params_init(params);
138 :
139 228 : ret = _gnutls_pubkey_get_mpis(peer_cert.pubkey, params);
140 228 : if (ret < 0) {
141 0 : ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
142 0 : goto cleanup2;
143 : }
144 :
145 228 : gnutls_pcert_deinit(&peer_cert);
146 228 : return 0;
147 :
148 1 : cleanup2:
149 1 : gnutls_pcert_deinit(&peer_cert);
150 :
151 1 : return ret;
152 : }
153 :
154 : static int
155 1860 : proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
156 : size_t _data_size)
157 : {
158 1860 : const char attack_error[] = "auth_rsa: Possible PKCS #1 attack\n";
159 1860 : gnutls_datum_t ciphertext;
160 1860 : int ret, dsize;
161 1860 : ssize_t data_size = _data_size;
162 1860 : volatile uint8_t ver_maj, ver_min;
163 1860 : volatile uint8_t check_ver_min;
164 1860 : volatile uint32_t ok;
165 :
166 : #ifdef ENABLE_SSL3
167 : if (get_num_version(session) == GNUTLS_SSL3) {
168 : /* SSL 3.0
169 : */
170 : ciphertext.data = data;
171 : ciphertext.size = data_size;
172 : } else
173 : #endif
174 : {
175 : /* TLS 1.0+
176 : */
177 1860 : DECR_LEN(data_size, 2);
178 1859 : ciphertext.data = &data[2];
179 1859 : dsize = _gnutls_read_uint16(data);
180 :
181 1859 : if (dsize != data_size) {
182 3 : gnutls_assert();
183 3 : return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
184 : }
185 1856 : ciphertext.size = dsize;
186 : }
187 :
188 1856 : ver_maj = _gnutls_get_adv_version_major(session);
189 1856 : ver_min = _gnutls_get_adv_version_minor(session);
190 1856 : check_ver_min = (session->internals.allow_wrong_pms == 0);
191 :
192 1856 : session->key.key.data = gnutls_malloc(GNUTLS_MASTER_SIZE);
193 1856 : if (session->key.key.data == NULL) {
194 0 : gnutls_assert();
195 0 : return GNUTLS_E_MEMORY_ERROR;
196 : }
197 1856 : session->key.key.size = GNUTLS_MASTER_SIZE;
198 :
199 : /* Fallback value when decryption fails. Needs to be unpredictable. */
200 1856 : ret = gnutls_rnd(GNUTLS_RND_NONCE, session->key.key.data,
201 : GNUTLS_MASTER_SIZE);
202 1856 : if (ret < 0) {
203 0 : gnutls_free(session->key.key.data);
204 0 : session->key.key.size = 0;
205 0 : gnutls_assert();
206 0 : return ret;
207 : }
208 :
209 1856 : ret =
210 3712 : gnutls_privkey_decrypt_data2(session->internals.selected_key,
211 : 0, &ciphertext, session->key.key.data,
212 1856 : session->key.key.size);
213 : /* After this point, any conditional on failure that cause differences
214 : * in execution may create a timing or cache access pattern side
215 : * channel that can be used as an oracle, so treat very carefully */
216 :
217 : /* Error handling logic:
218 : * In case decryption fails then don't inform the peer. Just use the
219 : * random key previously generated. (in order to avoid attack against
220 : * pkcs-1 formatting).
221 : *
222 : * If we get version mismatches no error is returned either. We
223 : * proceed normally. This is to defend against the attack described
224 : * in the paper "Attacking RSA-based sessions in SSL/TLS" by
225 : * Vlastimil Klima, Ondej Pokorny and Tomas Rosa.
226 : */
227 :
228 : /* ok is 0 in case of error and 1 in case of success. */
229 :
230 : /* if ret < 0 */
231 1856 : ok = CONSTCHECK_EQUAL(ret, 0);
232 : /* session->key.key.data[0] must equal ver_maj */
233 1856 : ok &= CONSTCHECK_EQUAL(session->key.key.data[0], ver_maj);
234 : /* if check_ver_min then session->key.key.data[1] must equal ver_min */
235 1856 : ok &= CONSTCHECK_NOT_EQUAL(check_ver_min, 0) &
236 1856 : CONSTCHECK_EQUAL(session->key.key.data[1], ver_min);
237 :
238 1856 : if (ok) {
239 : /* call logging function unconditionally so all branches are
240 : * indistinguishable for timing and cache access when debug
241 : * logging is disabled */
242 1822 : _gnutls_no_log("%s", attack_error);
243 : } else {
244 34 : _gnutls_debug_log("%s", attack_error);
245 : }
246 :
247 : /* This is here to avoid the version check attack
248 : * discussed above.
249 : */
250 1856 : session->key.key.data[0] = ver_maj;
251 1856 : session->key.key.data[1] = ver_min;
252 :
253 1856 : return 0;
254 : }
255 :
256 :
257 :
258 : /* return RSA(random) using the peers public key
259 : */
260 : int
261 219 : _gnutls_gen_rsa_client_kx(gnutls_session_t session,
262 : gnutls_buffer_st * data)
263 : {
264 219 : cert_auth_info_t auth = session->key.auth_info;
265 219 : gnutls_datum_t sdata; /* data to send */
266 219 : gnutls_pk_params_st params;
267 219 : int ret;
268 :
269 219 : if (auth == NULL) {
270 : /* this shouldn't have happened. The proc_certificate
271 : * function should have detected that.
272 : */
273 0 : gnutls_assert();
274 0 : return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
275 : }
276 :
277 219 : session->key.key.size = GNUTLS_MASTER_SIZE;
278 219 : session->key.key.data = gnutls_malloc(session->key.key.size);
279 :
280 219 : if (session->key.key.data == NULL) {
281 0 : gnutls_assert();
282 0 : return GNUTLS_E_MEMORY_ERROR;
283 : }
284 :
285 438 : ret = gnutls_rnd(GNUTLS_RND_RANDOM, session->key.key.data,
286 219 : session->key.key.size);
287 219 : if (ret < 0) {
288 0 : gnutls_assert();
289 0 : return ret;
290 : }
291 :
292 219 : if (session->internals.rsa_pms_version[0] == 0) {
293 216 : session->key.key.data[0] =
294 216 : _gnutls_get_adv_version_major(session);
295 216 : session->key.key.data[1] =
296 216 : _gnutls_get_adv_version_minor(session);
297 : } else { /* use the version provided */
298 3 : session->key.key.data[0] =
299 : session->internals.rsa_pms_version[0];
300 3 : session->key.key.data[1] =
301 3 : session->internals.rsa_pms_version[1];
302 : }
303 :
304 : /* move RSA parameters to key (session).
305 : */
306 219 : if ((ret = _gnutls_get_public_rsa_params(session, ¶ms)) < 0) {
307 1 : gnutls_assert();
308 1 : return ret;
309 : }
310 :
311 218 : ret =
312 218 : _gnutls_pk_encrypt(GNUTLS_PK_RSA, &sdata, &session->key.key,
313 : ¶ms);
314 :
315 218 : gnutls_pk_params_release(¶ms);
316 :
317 218 : if (ret < 0)
318 0 : return gnutls_assert_val(ret);
319 :
320 :
321 : #ifdef ENABLE_SSL3
322 : if (get_num_version(session) == GNUTLS_SSL3) {
323 : /* SSL 3.0 */
324 : ret =
325 : _gnutls_buffer_append_data(data, sdata.data,
326 : sdata.size);
327 :
328 : _gnutls_free_datum(&sdata);
329 : return ret;
330 : } else
331 : #endif
332 : { /* TLS 1.x */
333 218 : ret =
334 436 : _gnutls_buffer_append_data_prefix(data, 16, sdata.data,
335 218 : sdata.size);
336 :
337 218 : _gnutls_free_datum(&sdata);
338 218 : return ret;
339 : }
340 : }
|