-rw-r--r-- | lib/nettle/pk.c | 66 | ||||
-rw-r--r-- | lib/privkey_raw.c | 2 | ||||
-rw-r--r-- | lib/x509/privkey.c | 14 | ||||
-rwxr-xr-x | tests/cert-reencoding.sh | 3 | ||||
-rw-r--r-- | tests/key-import-export.c | 32 | ||||
-rwxr-xr-x | tests/ocsp-tests/ocsp-must-staple-connection | 3 | ||||
-rwxr-xr-x | tests/ocsp-tests/ocsp-tls-connection | 3 | ||||
-rw-r--r-- | tests/scripts/common.sh | 6 | ||||
-rwxr-xr-x | tests/suite/testcompat-tls13-openssl.sh | 3 |
9 files changed, 104 insertions, 28 deletions
diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c index e9a380857c..0c91aac493 100644 --- a/lib/nettle/pk.c +++ b/lib/nettle/pk.c @@ -146,12 +146,12 @@ static void _rsa_params_to_privkey(const gnutls_pk_params_st * pk_params, struct rsa_private_key *priv) { - memcpy(priv->d, pk_params->params[2], SIZEOF_MPZT); - memcpy(priv->p, pk_params->params[3], SIZEOF_MPZT); - memcpy(priv->q, pk_params->params[4], SIZEOF_MPZT); - memcpy(priv->c, pk_params->params[5], SIZEOF_MPZT); - memcpy(priv->a, pk_params->params[6], SIZEOF_MPZT); - memcpy(priv->b, pk_params->params[7], SIZEOF_MPZT); + memcpy(priv->d, pk_params->params[RSA_PRIV], SIZEOF_MPZT); + memcpy(priv->p, pk_params->params[RSA_PRIME1], SIZEOF_MPZT); + memcpy(priv->q, pk_params->params[RSA_PRIME2], SIZEOF_MPZT); + memcpy(priv->c, pk_params->params[RSA_COEF], SIZEOF_MPZT); + memcpy(priv->a, pk_params->params[RSA_E1], SIZEOF_MPZT); + memcpy(priv->b, pk_params->params[RSA_E2], SIZEOF_MPZT); /* we do not rsa_private_key_prepare() because it involves a multiplication. * we call it once when we import the parameters */ priv->size = @@ -2511,14 +2511,14 @@ wrap_nettle_pk_generate_keys(gnutls_pk_algorithm_t algo, params->params_nr++; } - mpz_set(TOMPZ(params->params[0]), pub.n); - mpz_set(TOMPZ(params->params[1]), pub.e); - mpz_set(TOMPZ(params->params[2]), priv.d); - mpz_set(TOMPZ(params->params[3]), priv.p); - mpz_set(TOMPZ(params->params[4]), priv.q); - mpz_set(TOMPZ(params->params[5]), priv.c); - mpz_set(TOMPZ(params->params[6]), priv.a); - mpz_set(TOMPZ(params->params[7]), priv.b); + mpz_set(TOMPZ(params->params[RSA_MODULUS]), pub.n); + mpz_set(TOMPZ(params->params[RSA_PUB]), pub.e); + mpz_set(TOMPZ(params->params[RSA_PRIV]), priv.d); + mpz_set(TOMPZ(params->params[RSA_PRIME1]), priv.p); + mpz_set(TOMPZ(params->params[RSA_PRIME2]), priv.q); + mpz_set(TOMPZ(params->params[RSA_COEF]), priv.c); + mpz_set(TOMPZ(params->params[RSA_E1]), priv.a); + mpz_set(TOMPZ(params->params[RSA_E2]), priv.b); ret = 0; 
@@ -3306,6 +3306,37 @@ fail: return ret; } +static int calc_rsa_priv(gnutls_pk_params_st * params) +{ + bigint_t lcm, p1, q1; + int ret; + + params->params[RSA_PRIV] = NULL; + + ret = _gnutls_mpi_init_multi(¶ms->params[RSA_PRIV], &lcm, &p1, &q1, NULL); + if (ret < 0) + return gnutls_assert_val(ret); + + /* lcm(p - 1, q - 1) */ + mpz_sub_ui(p1, params->params[RSA_PRIME1], 1); + mpz_sub_ui(q1, params->params[RSA_PRIME2], 1); + mpz_lcm(lcm, p1, q1); + + zrelease_mpi_key(&p1); + zrelease_mpi_key(&q1); + + /* d = e^{-1} (mod lcm) */ + ret = mpz_invert(params->params[RSA_PRIV], params->params[RSA_PUB], lcm); + + zrelease_mpi_key(&lcm); + + if (ret == 0) { + zrelease_mpi_key(¶ms->params[RSA_PRIV]); + return GNUTLS_E_INVALID_REQUEST; + } + + return 0; +} static int wrap_nettle_pk_fixup(gnutls_pk_algorithm_t algo, @@ -3320,6 +3351,13 @@ wrap_nettle_pk_fixup(gnutls_pk_algorithm_t algo, if (algo == GNUTLS_PK_RSA) { struct rsa_private_key priv; + if (params->params[RSA_PRIV] == NULL) { + ret = calc_rsa_priv(params); + if (ret < 0) + return gnutls_assert_val(ret); + params->params_nr++; + } + /* do not trust the generated values. Some old private keys * generated by us have mess on the values. Those were very * old but it seemed some of the shipped example private diff --git a/lib/privkey_raw.c b/lib/privkey_raw.c index 5f1dc8c26c..27327fc6d1 100644 --- a/lib/privkey_raw.c +++ b/lib/privkey_raw.c @@ -324,7 +324,7 @@ gnutls_privkey_export_gost_raw2(gnutls_privkey_t key, * @key: The structure to store the parsed key * @m: holds the modulus * @e: holds the public exponent - * @d: holds the private exponent + * @d: holds the private exponent (optional) * @p: holds the first prime (p) * @q: holds the second prime (q) * @u: holds the coefficient (optional) diff --git a/lib/x509/privkey.c b/lib/x509/privkey.c index f35575be9a..bb86e02ac8 100644 --- a/lib/x509/privkey.c +++ b/lib/x509/privkey.c 
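Review bot: calc_rsa_priv() hands the caller-supplied e, p and q to GMP without validating them. Nothing in this hunk checks that params[RSA_PUB], params[RSA_PRIME1] and params[RSA_PRIME2] are set, and a prime equal to 1 makes p - 1 zero, so lcm is zero and mpz_invert() runs with a zero modulus, which the GMP manual leaves undefined. The caller in wrap_nettle_pk_fixup tests only `params->params[RSA_PRIV] == NULL`, and any sanity checks later in that function lie outside the hunk, so I would reject absent or degenerate inputs at the top of calc_rsa_priv, before anything is allocated. The function also passes bigint_t values straight to mpz_* where the rest of the file goes through TOMPZ(); using the macro here keeps the file consistent.

```c
static int calc_rsa_priv(gnutls_pk_params_st * params)
{
	bigint_t lcm, p1, q1;
	int ret;

	/* d is derived from caller-supplied e, p and q: reject absent or
	 * degenerate values before they reach GMP */
	if (params->params[RSA_PUB] == NULL ||
	    params->params[RSA_PRIME1] == NULL ||
	    params->params[RSA_PRIME2] == NULL)
		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);

	/* p - 1 or q - 1 equal to zero would make the lcm, and so the
	 * modulus passed to mpz_invert(), zero */
	if (mpz_cmp_ui(TOMPZ(params->params[RSA_PRIME1]), 1) <= 0 ||
	    mpz_cmp_ui(TOMPZ(params->params[RSA_PRIME2]), 1) <= 0)
		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);

	/* … unchanged: init_multi, lcm(p - 1, q - 1), mpz_invert, release … */
```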
@@ -887,13 +887,15 @@ gnutls_x509_privkey_import_rsa_raw2(gnutls_x509_privkey_t key, } key->params.params_nr++; - siz = d->size; - if (_gnutls_mpi_init_scan_nz(&key->params.params[RSA_PRIV], d->data, siz)) { - gnutls_assert(); - ret = GNUTLS_E_MPI_SCAN_FAILED; - goto cleanup; + if (d) { + siz = d->size; + if (_gnutls_mpi_init_scan_nz(&key->params.params[RSA_PRIV], d->data, siz)) { + gnutls_assert(); + ret = GNUTLS_E_MPI_SCAN_FAILED; + goto cleanup; + } + key->params.params_nr++; } - key->params.params_nr++; siz = p->size; if (_gnutls_mpi_init_scan_nz(&key->params.params[RSA_PRIME1], p->data, siz)) { diff --git a/tests/cert-reencoding.sh b/tests/cert-reencoding.sh index 240d336778..3469c42d22 100755 --- a/tests/cert-reencoding.sh +++ b/tests/cert-reencoding.sh @@ -24,7 +24,8 @@ srcdir="${srcdir:-.}" CERTTOOL="${CERTTOOL:-../src/certtool${EXEEXT}}" OCSPTOOL="${OCSPTOOL:-../src/ocsptool${EXEEXT}}" -GNUTLS_SERV="${GNUTLS_SERV:-../src/gnutls-serv${EXEEXT}}" +GNUTLS_SERV="${SERV:-../src/gnutls-serv${EXEEXT}}" +unset SERV GNUTLS_CLI="${GNUTLS_CLI:-../src/gnutls-cli${EXEEXT}}" DIFF="${DIFF:-diff}" SERVER_CERT_FILE="cert.$$.pem.tmp" diff --git a/tests/key-import-export.c b/tests/key-import-export.c index e28b21a4f2..fc6c25e6a7 100644 --- a/tests/key-import-export.c +++ b/tests/key-import-export.c 
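Review bot: When d is omitted, params_nr stops describing which slots are filled, because the `if (d)` branch skips the increment while p is still written to params[RSA_PRIME1], so the count runs one below the highest index in use. If the `cleanup` path (outside this hunk, as is the rest of gnutls_x509_privkey_import_rsa_raw2) clears and releases by iterating up to params_nr, a failure while scanning a later field would leave the last secret value written neither zeroized nor freed; this needs confirming against the release helpers. The `params->params_nr++` added to wrap_nettle_pk_fixup in lib/nettle/pk.c restores the count only once d has been derived. I would at least document the invariant at the branch, e.g. `/* d may be absent: slot RSA_PRIV stays NULL until the pk fixup derives it, and params_nr is one short until then */`, and make the error path clear every RSA slot rather than rely on the count.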
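Review bot: The server binary is now taken from `SERV` only, so a `GNUTLS_SERV` set in the environment, which the removed line honoured, is silently ignored. If any harness or developer workflow still exports GNUTLS_SERV, keeping it as a fallback avoids testing a different binary than intended: `GNUTLS_SERV="${SERV:-${GNUTLS_SERV:-../src/gnutls-serv${EXEEXT}}}"`. The same applies to the identical change in tests/ocsp-tests/ocsp-must-staple-connection and tests/ocsp-tests/ocsp-tls-connection. tests/suite/testcompat-tls13-openssl.sh adds the same assignment without the `unset SERV` the other three have, which deserves a one-line comment if the difference is intentional.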
@@ -367,6 +367,38 @@ int check_privkey_import_export(void) gnutls_privkey_deinit(key); } + /* Optional private exponent */ + ret = gnutls_privkey_init(&key); + if (ret < 0) + fail("error\n"); + + ret = gnutls_privkey_import_rsa_raw(key, &_rsa_m, &_rsa_e, NULL, &_rsa_p, &_rsa_q, NULL, NULL, NULL); + if (ret < 0) + fail("error\n"); + + ret = gnutls_privkey_export_rsa_raw2(key, &m, &e, &d, &p, &q, &u, &e1, &e2, 0); + if (ret < 0) + fail("error\n"); + + CMP("m", &m, rsa_m); + CMP("e", &e, rsa_e); + CMP("d", &d, rsa_d); + CMP("p", &p, rsa_p); + CMP("q", &q, rsa_q); + CMP("u", &u, rsa_u); + CMP("e1", &e1, rsa_e1); + CMP("e2", &e2, rsa_e2); + gnutls_free(m.data); + gnutls_free(e.data); + gnutls_free(d.data); + gnutls_free(p.data); + gnutls_free(q.data); + gnutls_free(u.data); + gnutls_free(e1.data); + gnutls_free(e2.data); + + gnutls_privkey_deinit(key); + ret = gnutls_privkey_init(&key); if (ret < 0) fail("error\n"); diff --git a/tests/ocsp-tests/ocsp-must-staple-connection b/tests/ocsp-tests/ocsp-must-staple-connection index 55d718ddf0..7da31765ed 100755 --- a/tests/ocsp-tests/ocsp-must-staple-connection +++ b/tests/ocsp-tests/ocsp-must-staple-connection @@ -21,7 +21,8 @@ srcdir="${srcdir:-.}" CERTTOOL="${CERTTOOL:-../src/certtool${EXEEXT}}" OCSPTOOL="${OCSPTOOL:-../src/ocsptool${EXEEXT}}" -GNUTLS_SERV="${GNUTLS_SERV:-../src/gnutls-serv${EXEEXT}}" +GNUTLS_SERV="${SERV:-../src/gnutls-serv${EXEEXT}}" +unset SERV GNUTLS_CLI="${GNUTLS_CLI:-../src/gnutls-cli${EXEEXT}}" DIFF="${DIFF:-diff}" TEMPLATE_FILE="ms-out.$$.tmpl.tmp" diff --git a/tests/ocsp-tests/ocsp-tls-connection b/tests/ocsp-tests/ocsp-tls-connection index 870f4ff78b..fba9a6eb1c 100755 --- a/tests/ocsp-tests/ocsp-tls-connection +++ b/tests/ocsp-tests/ocsp-tls-connection 
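Review bot: The new case covers only the successful derivation of d; the rejection branch added in calc_rsa_priv (`GNUTLS_E_INVALID_REQUEST` when e has no inverse) is never exercised. I would add a second import with d set to NULL and an e that shares a factor with p - 1, and assert that the import, or the first use of the key, returns a negative code. The three `fail("error\n")` calls are also indistinguishable in a test log; naming the failing step, e.g. `fail("import without d failed: %s\n", gnutls_strerror(ret));`, makes a regression here much quicker to locate. check_privkey_import_export starts and ends outside the hunk.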
@@ -24,7 +24,8 @@ srcdir="${srcdir:-.}" CERTTOOL="${CERTTOOL:-../src/certtool${EXEEXT}}" OCSPTOOL="${OCSPTOOL:-../src/ocsptool${EXEEXT}}" -GNUTLS_SERV="${GNUTLS_SERV:-../src/gnutls-serv${EXEEXT}}" +GNUTLS_SERV="${SERV:-../src/gnutls-serv${EXEEXT}}" +unset SERV GNUTLS_CLI="${GNUTLS_CLI:-../src/gnutls-cli${EXEEXT}}" DIFF="${DIFF:-diff}" TEMPLATE_FILE="out.$$.tmpl.tmp" diff --git a/tests/scripts/common.sh b/tests/scripts/common.sh index 6ae19fa586..3229510385 100644 --- a/tests/scripts/common.sh +++ b/tests/scripts/common.sh @@ -165,7 +165,7 @@ launch_server() { shift wait_for_free_port ${PORT} - ${SERV} ${DEBUG} -p "${PORT}" $* >${LOGFILE-/dev/null} & + ${SERV} ${DEBUG} -p "${PORT}" "$@" >${LOGFILE-/dev/null} & } launch_pkcs11_server() { @@ -176,7 +176,7 @@ launch_pkcs11_server() { wait_for_free_port ${PORT} - ${VALGRIND} ${SERV} ${PROVIDER} ${DEBUG} -p "${PORT}" $* & + ${VALGRIND} ${SERV} ${PROVIDER} ${DEBUG} -p "${PORT}" "$@" & } launch_bare_server() { @@ -184,7 +184,7 @@ launch_bare_server() { shift wait_for_free_port ${PORT} - ${SERV} $* >${LOGFILE-/dev/null} & + ${SERV} "$@" >${LOGFILE-/dev/null} & } wait_server() { diff --git a/tests/suite/testcompat-tls13-openssl.sh b/tests/suite/testcompat-tls13-openssl.sh index bc198a02b6..1090a47763 100755 --- a/tests/suite/testcompat-tls13-openssl.sh +++ b/tests/suite/testcompat-tls13-openssl.sh @@ -32,6 +32,7 @@ abs_top_srcdir="${abs_top_srcdir:-$(pwd)/../../}" srcdir="${srcdir:-.}" +GNUTLS_SERV="${SERV:-../../src/gnutls-serv${EXEEXT}}" CLI="${CLI:-../../src/gnutls-cli${EXEEXT}}" unset RETCODE @@ -309,7 +310,7 @@ echo_cmd "${PREFIX}" echo_cmd "${PREFIX}###############################################" echo_cmd "${PREFIX}# Server mode tests (gnutls server-openssl cli#" echo_cmd "${PREFIX}###############################################" -SERV="../../src/gnutls-serv${EXEEXT} -q" +SERV="${GNUTLS_SERV} -q" # Note that openssl s_client does not return error code on failure |
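Review bot: The switch to `"$@"` in tests/scripts/common.sh fixes argument splitting, but the redirect target on the same line is still unquoted in launch_server and launch_bare_server, so a LOGFILE containing whitespace or glob characters would still misbehave; `>"${LOGFILE-/dev/null}"` closes that. `wait_for_free_port ${PORT}` has the same unquoted expansion. `${SERV}` has to stay unquoted because callers put options into it (testcompat-tls13-openssl.sh sets `SERV="${GNUTLS_SERV} -q"`), and a short comment above launch_server saying so would stop someone quoting it later. All three function bodies begin outside their hunks.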