2
* Copyright (C) 2001, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free
3
* Software Foundation, Inc.
5
* Author: Nikos Mavrogiannopoulos
7
* This file is part of GnuTLS.
9
* The GnuTLS is free software; you can redistribute it and/or
10
* modify it under the terms of the GNU Lesser General Public License
11
* as published by the Free Software Foundation; either version 2.1 of
12
* the License, or (at your option) any later version.
14
* This library is distributed in the hope that it will be useful, but
15
* WITHOUT ANY WARRANTY; without even the implied warranty of
16
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17
* Lesser General Public License for more details.
19
* You should have received a copy of the GNU Lesser General Public
20
* License along with this library; if not, write to the Free Software
21
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
26
#include <gnutls_int.h>
27
#include <gnutls_errors.h>
29
#include <auth_cert.h>
30
#include <gnutls_algorithms.h>
31
#include <gnutls_cert.h>
32
#include <gnutls_datum.h>
33
#include <gnutls_mpi.h>
34
#include <gnutls_global.h>
35
#include <gnutls_pk.h>
37
#include <gnutls_buffers.h>
38
#include <gnutls_sig.h>
39
#include <gnutls_kx.h>
41
#include <ext_signature.h>
42
#include <gnutls_state.h>
43
#include <x509/common.h>
46
sign_tls_hash (gnutls_session_t session, gnutls_digest_algorithm_t hash_algo,
47
gnutls_cert * cert, gnutls_privkey_t pkey,
48
const gnutls_datum_t * hash_concat,
49
gnutls_datum_t * signature);
51
/* While this is currently equal to the length of RSA/SHA512
52
* signature, it should also be sufficient for DSS signature and any
53
* other RSA signatures including one with the old MD5/SHA1-combined
56
#define MAX_SIG_SIZE 19 + MAX_HASH_SIZE
58
/* Generates a signature of all the random data and the parameters.
59
* Used in DHE_* ciphersuites.
62
_gnutls_handshake_sign_data (gnutls_session_t session, gnutls_cert * cert,
63
gnutls_privkey_t pkey, gnutls_datum_t * params,
64
gnutls_datum_t * signature,
65
gnutls_sign_algorithm_t * sign_algo)
67
gnutls_datum_t dconcat;
70
opaque concat[MAX_SIG_SIZE];
71
gnutls_protocol_t ver = gnutls_protocol_get_version (session);
72
gnutls_digest_algorithm_t hash_algo;
75
_gnutls_session_get_sign_algo (session, cert);
76
if (*sign_algo == GNUTLS_SIGN_UNKNOWN)
79
return GNUTLS_E_UNKNOWN_PK_ALGORITHM;
82
hash_algo = _gnutls_sign_get_hash_algorithm (*sign_algo);
84
_gnutls_handshake_log ("HSK[%p]: signing handshake data: using %s\n",
85
session, gnutls_sign_algorithm_get_name (*sign_algo));
87
ret = _gnutls_hash_init (&td_sha, hash_algo);
94
_gnutls_hash (&td_sha, session->security_parameters.client_random,
96
_gnutls_hash (&td_sha, session->security_parameters.server_random,
98
_gnutls_hash (&td_sha, params->data, params->size);
100
switch (cert->subject_pk_algorithm)
103
if (!_gnutls_version_has_selectable_sighash (ver))
107
ret = _gnutls_hash_init (&td_md5, GNUTLS_MAC_MD5);
114
_gnutls_hash (&td_md5, session->security_parameters.client_random,
116
_gnutls_hash (&td_md5, session->security_parameters.server_random,
118
_gnutls_hash (&td_md5, params->data, params->size);
120
_gnutls_hash_deinit (&td_md5, concat);
121
_gnutls_hash_deinit (&td_sha, &concat[16]);
123
dconcat.data = concat;
129
_gnutls_hash_deinit (&td_sha, concat);
131
dconcat.data = concat;
132
dconcat.size = _gnutls_hash_get_algo_len (hash_algo);
136
_gnutls_hash_deinit (&td_sha, concat);
138
if ((hash_algo != GNUTLS_DIG_SHA1) && (hash_algo != GNUTLS_DIG_SHA224)
139
&& (hash_algo != GNUTLS_DIG_SHA256))
142
return GNUTLS_E_INTERNAL_ERROR;
144
dconcat.data = concat;
145
dconcat.size = _gnutls_hash_get_algo_len (hash_algo);
150
_gnutls_hash_deinit (&td_sha, NULL);
151
return GNUTLS_E_INTERNAL_ERROR;
154
ret = sign_tls_hash (session, hash_algo, cert, pkey, &dconcat, signature);
165
/* This will create a PKCS1 or DSA signature, using the given parameters, and the
166
* given data. The output will be allocated and be put in signature.
169
_gnutls_soft_sign (gnutls_pk_algorithm_t algo, bigint_t * params,
170
int params_size, const gnutls_datum_t * data,
171
gnutls_datum_t * signature)
179
if ((ret = _gnutls_pkcs1_rsa_encrypt (signature, data, params,
180
params_size, 1)) < 0)
189
if ((ret = _gnutls_dsa_sign (signature, data, params, params_size)) < 0)
197
return GNUTLS_E_INTERNAL_ERROR;
204
/* This will create a PKCS1 or DSA signature, as defined in the TLS protocol.
205
* Cert is the certificate of the corresponding private key. It is only checked if
206
* it supports signing.
209
sign_tls_hash (gnutls_session_t session, gnutls_digest_algorithm_t hash_algo,
210
gnutls_cert * cert, gnutls_privkey_t pkey,
211
const gnutls_datum_t * hash_concat,
212
gnutls_datum_t * signature)
214
gnutls_protocol_t ver = gnutls_protocol_get_version (session);
216
/* If our certificate supports signing
221
if (cert->key_usage != 0)
222
if (!(cert->key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE))
225
return GNUTLS_E_KEY_USAGE_VIOLATION;
228
/* External signing. */
233
if (!session->internals.sign_func)
234
return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
236
if (!_gnutls_version_has_selectable_sighash (ver))
237
return (*session->internals.sign_func)
238
(session, session->internals.sign_func_userdata,
239
cert->cert_type, &cert->raw, hash_concat, signature);
242
gnutls_datum_t digest;
244
ret = _gnutls_set_datum(&digest, hash_concat->data, hash_concat->size);
246
return gnutls_assert_val(ret);
248
ret = pk_prepare_hash (gnutls_privkey_get_pk_algorithm(pkey, NULL), hash_algo, &digest);
255
ret = (*session->internals.sign_func)
256
(session, session->internals.sign_func_userdata,
257
cert->cert_type, &cert->raw, &digest, signature);
259
gnutls_free(digest.data);
266
if (!_gnutls_version_has_selectable_sighash (ver))
267
return _gnutls_privkey_sign_hash (pkey, hash_concat, signature);
269
return gnutls_privkey_sign_hash (pkey, hash_algo, 0, hash_concat, signature);
273
verify_tls_hash (gnutls_protocol_t ver, gnutls_cert * cert,
274
const gnutls_datum_t * hash_concat,
275
gnutls_datum_t * signature, size_t sha1pos,
276
gnutls_pk_algorithm_t pk_algo)
279
gnutls_datum_t vdata;
281
if (cert == NULL || cert->version == 0)
282
{ /* this is the only way to check
283
* if it is initialized
286
return GNUTLS_E_CERTIFICATE_ERROR;
289
/* If the certificate supports signing continue.
291
if (cert->key_usage != 0)
292
if (!(cert->key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE))
295
return GNUTLS_E_KEY_USAGE_VIOLATION;
298
if (pk_algo == GNUTLS_PK_UNKNOWN)
299
pk_algo = cert->subject_pk_algorithm;
304
vdata.data = hash_concat->data;
305
vdata.size = hash_concat->size;
307
/* verify signature */
308
if (!_gnutls_version_has_selectable_sighash (ver))
309
ret = _gnutls_rsa_verify (&vdata, signature, cert->params,
310
cert->params_size, 1);
312
ret = pubkey_verify_sig( NULL, &vdata, signature, pk_algo,
313
cert->params, cert->params_size);
324
vdata.data = &hash_concat->data[sha1pos];
325
vdata.size = hash_concat->size - sha1pos;
327
ret = pubkey_verify_sig( NULL, &vdata, signature, pk_algo,
328
cert->params, cert->params_size);
329
/* verify signature */
339
return GNUTLS_E_INTERNAL_ERROR;
348
/* Generates a signature of all the random data and the parameters.
349
* Used in DHE_* ciphersuites.
352
_gnutls_handshake_verify_data (gnutls_session_t session, gnutls_cert * cert,
353
const gnutls_datum_t * params,
354
gnutls_datum_t * signature,
355
gnutls_sign_algorithm_t algo)
357
gnutls_datum_t dconcat;
361
opaque concat[MAX_SIG_SIZE];
362
gnutls_protocol_t ver = gnutls_protocol_get_version (session);
363
gnutls_digest_algorithm_t hash_algo;
365
if (_gnutls_version_has_selectable_sighash (ver))
367
_gnutls_handshake_log ("HSK[%p]: verify handshake data: using %s\n",
368
session, gnutls_sign_algorithm_get_name (algo));
370
ret = cert_compatible_with_sig(cert, ver, algo);
372
return gnutls_assert_val(ret);
374
ret = _gnutls_session_sign_algo_enabled (session, algo);
376
return gnutls_assert_val(ret);
378
hash_algo = _gnutls_sign_get_hash_algorithm (algo);
382
ret = _gnutls_hash_init (&td_md5, GNUTLS_MAC_MD5);
389
_gnutls_hash (&td_md5, session->security_parameters.client_random,
391
_gnutls_hash (&td_md5, session->security_parameters.server_random,
393
_gnutls_hash (&td_md5, params->data, params->size);
395
hash_algo = GNUTLS_DIG_SHA1;
398
ret = _gnutls_hash_init (&td_sha, hash_algo);
402
if (!_gnutls_version_has_selectable_sighash (ver))
403
_gnutls_hash_deinit (&td_md5, NULL);
407
_gnutls_hash (&td_sha, session->security_parameters.client_random,
409
_gnutls_hash (&td_sha, session->security_parameters.server_random,
411
_gnutls_hash (&td_sha, params->data, params->size);
413
if (!_gnutls_version_has_selectable_sighash (ver))
415
_gnutls_hash_deinit (&td_md5, concat);
416
_gnutls_hash_deinit (&td_sha, &concat[16]);
417
dconcat.data = concat;
422
_gnutls_hash_deinit (&td_sha, concat);
424
dconcat.data = concat;
425
dconcat.size = _gnutls_hash_get_algo_len (hash_algo);
428
ret = verify_tls_hash (ver, cert, &dconcat, signature,
430
_gnutls_hash_get_algo_len (hash_algo),
431
_gnutls_sign_get_pk_algorithm (algo));
442
/* Client certificate verify calculations
445
/* this is _gnutls_handshake_verify_cert_vrfy for TLS 1.2
448
_gnutls_handshake_verify_cert_vrfy12 (gnutls_session_t session,
450
gnutls_datum_t * signature,
451
gnutls_sign_algorithm_t sign_algo)
454
opaque concat[MAX_SIG_SIZE];
456
gnutls_datum_t dconcat;
457
gnutls_sign_algorithm_t _sign_algo;
458
gnutls_digest_algorithm_t hash_algo;
459
digest_hd_st *handshake_td;
460
gnutls_protocol_t ver = gnutls_protocol_get_version (session);
462
handshake_td = &session->internals.handshake_mac_handle.tls12.sha1;
463
hash_algo = handshake_td->algorithm;
465
_gnutls_x509_pk_to_sign (cert->subject_pk_algorithm, hash_algo);
467
if (_sign_algo != sign_algo)
469
handshake_td = &session->internals.handshake_mac_handle.tls12.sha256;
470
hash_algo = handshake_td->algorithm;
472
_gnutls_x509_pk_to_sign (cert->subject_pk_algorithm, hash_algo);
473
if (sign_algo != _sign_algo)
476
return GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM;
480
ret = _gnutls_hash_copy (&td, handshake_td);
484
return GNUTLS_E_HASH_FAILED;
487
_gnutls_hash_deinit (&td, concat);
489
dconcat.data = concat;
490
dconcat.size = _gnutls_hash_get_algo_len (hash_algo);
493
verify_tls_hash (ver, cert, &dconcat, signature, 0,
494
cert->subject_pk_algorithm);
505
/* Verifies a TLS signature (like the one in the client certificate
509
_gnutls_handshake_verify_cert_vrfy (gnutls_session_t session,
511
gnutls_datum_t * signature,
512
gnutls_sign_algorithm_t sign_algo)
515
opaque concat[MAX_SIG_SIZE];
518
gnutls_datum_t dconcat;
519
gnutls_protocol_t ver = gnutls_protocol_get_version (session);
521
_gnutls_handshake_log ("HSK[%p]: verify cert vrfy: using %s\n",
522
session, gnutls_sign_algorithm_get_name (sign_algo));
524
if (session->security_parameters.handshake_mac_handle_type ==
525
HANDSHAKE_MAC_TYPE_12)
527
return _gnutls_handshake_verify_cert_vrfy12 (session, cert, signature,
530
else if (session->security_parameters.handshake_mac_handle_type !=
531
HANDSHAKE_MAC_TYPE_10)
534
return GNUTLS_E_INTERNAL_ERROR;
538
_gnutls_hash_copy (&td_md5,
539
&session->internals.handshake_mac_handle.tls10.md5);
547
_gnutls_hash_copy (&td_sha,
548
&session->internals.handshake_mac_handle.tls10.sha);
552
_gnutls_hash_deinit (&td_md5, NULL);
553
return GNUTLS_E_HASH_FAILED;
556
if (ver == GNUTLS_SSL3)
558
ret = _gnutls_generate_master (session, 1);
565
_gnutls_mac_deinit_ssl3_handshake (&td_md5, concat,
567
security_parameters.master_secret,
569
_gnutls_mac_deinit_ssl3_handshake (&td_sha, &concat[16],
571
security_parameters.master_secret,
576
_gnutls_hash_deinit (&td_md5, concat);
577
_gnutls_hash_deinit (&td_sha, &concat[16]);
580
dconcat.data = concat;
581
dconcat.size = 20 + 16; /* md5+ sha */
584
verify_tls_hash (ver, cert, &dconcat, signature, 16,
585
cert->subject_pk_algorithm);
596
/* the same as _gnutls_handshake_sign_cert_vrfy except that it is made for TLS 1.2
599
_gnutls_handshake_sign_cert_vrfy12 (gnutls_session_t session,
600
gnutls_cert * cert, gnutls_privkey_t pkey,
601
gnutls_datum_t * signature)
603
gnutls_datum_t dconcat;
605
opaque concat[MAX_SIG_SIZE];
607
gnutls_sign_algorithm_t sign_algo;
608
gnutls_digest_algorithm_t hash_algo;
609
digest_hd_st *handshake_td;
612
_gnutls_session_get_sign_algo (session, cert);
613
if (sign_algo == GNUTLS_SIGN_UNKNOWN)
616
return GNUTLS_E_UNKNOWN_PK_ALGORITHM;
619
hash_algo = _gnutls_sign_get_hash_algorithm (sign_algo);
621
_gnutls_debug_log ("sign handshake cert vrfy: picked %s with %s\n",
622
gnutls_sign_algorithm_get_name (sign_algo),
623
gnutls_mac_get_name (hash_algo));
625
if ((gnutls_mac_algorithm_t)hash_algo == session->internals.handshake_mac_handle.tls12.sha1.algorithm)
626
handshake_td = &session->internals.handshake_mac_handle.tls12.sha1;
627
else if ((gnutls_mac_algorithm_t)hash_algo == session->internals.handshake_mac_handle.tls12.sha256.algorithm)
628
handshake_td = &session->internals.handshake_mac_handle.tls12.sha256;
630
return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); /* too bad we only support SHA1 and SHA256 */
632
ret = _gnutls_hash_copy (&td, handshake_td);
639
_gnutls_hash_deinit (&td, concat);
641
dconcat.data = concat;
642
dconcat.size = _gnutls_hash_get_algo_len (hash_algo);
644
ret = sign_tls_hash (session, hash_algo, cert, pkey, &dconcat, signature);
655
/* Generates a signature of all the previous sent packets in the
656
* handshake procedure.
657
* 20040227: now it works for SSL 3.0 as well
658
* 20091031: works for TLS 1.2 too!
660
* For TLS1.x, x<2 returns negative for failure and zero or unspecified for success.
661
* For TLS1.2 returns the signature algorithm used on success, or a negative value;
664
_gnutls_handshake_sign_cert_vrfy (gnutls_session_t session,
665
gnutls_cert * cert, gnutls_privkey_t pkey,
666
gnutls_datum_t * signature)
668
gnutls_datum_t dconcat;
670
opaque concat[MAX_SIG_SIZE];
673
gnutls_protocol_t ver = gnutls_protocol_get_version (session);
675
if (session->security_parameters.handshake_mac_handle_type ==
676
HANDSHAKE_MAC_TYPE_12)
678
return _gnutls_handshake_sign_cert_vrfy12 (session, cert, pkey,
681
else if (session->security_parameters.handshake_mac_handle_type !=
682
HANDSHAKE_MAC_TYPE_10)
685
return GNUTLS_E_INTERNAL_ERROR;
689
_gnutls_hash_copy (&td_sha,
690
&session->internals.handshake_mac_handle.tls10.sha);
697
if (ver == GNUTLS_SSL3)
699
ret = _gnutls_generate_master (session, 1);
706
_gnutls_mac_deinit_ssl3_handshake (&td_sha, &concat[16],
708
security_parameters.master_secret,
712
_gnutls_hash_deinit (&td_sha, &concat[16]);
714
switch (cert->subject_pk_algorithm)
718
_gnutls_hash_copy (&td_md5,
719
&session->internals.handshake_mac_handle.tls10.
727
if (ver == GNUTLS_SSL3)
728
_gnutls_mac_deinit_ssl3_handshake (&td_md5, concat,
730
security_parameters.master_secret,
733
_gnutls_hash_deinit (&td_md5, concat);
735
dconcat.data = concat;
739
/* ensure 1024 bit DSA keys are used */
740
hash_algo = _gnutls_dsa_q_to_hash (cert->params[1], NULL);
741
if (!_gnutls_version_has_selectable_sighash (ver) && hash_algo != GNUTLS_DIG_SHA1)
742
return gnutls_assert_val(GNUTLS_E_INCOMPAT_DSA_KEY_WITH_TLS_PROTOCOL);
744
dconcat.data = &concat[16];
749
return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
751
ret = sign_tls_hash (session, GNUTLS_DIG_NULL, cert, pkey, &dconcat, signature);
761
pk_hash_data (gnutls_pk_algorithm_t pk, gnutls_digest_algorithm_t hash,
763
const gnutls_datum_t * data, gnutls_datum_t * digest)
767
digest->size = _gnutls_hash_get_algo_len (hash);
768
digest->data = gnutls_malloc (digest->size);
769
if (digest->data == NULL)
772
return GNUTLS_E_MEMORY_ERROR;
775
ret = _gnutls_hash_fast (hash, data->data, data->size, digest->data);
785
gnutls_free (digest->data);
789
/* Writes the digest information and the digest in a DER encoded
790
* structure. The digest info is allocated and stored into the info structure.
793
encode_ber_digest_info (gnutls_digest_algorithm_t hash,
794
const gnutls_datum_t * digest,
795
gnutls_datum_t * output)
797
ASN1_TYPE dinfo = ASN1_TYPE_EMPTY;
803
algo = _gnutls_x509_mac_to_oid ((gnutls_mac_algorithm_t) hash);
807
_gnutls_x509_log ("Hash algorithm: %d\n", hash);
808
return GNUTLS_E_UNKNOWN_PK_ALGORITHM;
811
if ((result = asn1_create_element (_gnutls_get_gnutls_asn (),
813
&dinfo)) != ASN1_SUCCESS)
816
return _gnutls_asn2err (result);
819
result = asn1_write_value (dinfo, "digestAlgorithm.algorithm", algo, 1);
820
if (result != ASN1_SUCCESS)
823
asn1_delete_structure (&dinfo);
824
return _gnutls_asn2err (result);
827
/* Write an ASN.1 NULL in the parameters field. This matches RFC
828
3279 and RFC 4055, although is arguable incorrect from a historic
829
perspective (see those documents for more information).
830
Regardless of what is correct, this appears to be what most
831
implementations do. */
832
result = asn1_write_value (dinfo, "digestAlgorithm.parameters",
833
ASN1_NULL, ASN1_NULL_SIZE);
834
if (result != ASN1_SUCCESS)
837
asn1_delete_structure (&dinfo);
838
return _gnutls_asn2err (result);
841
result = asn1_write_value (dinfo, "digest", digest->data, digest->size);
842
if (result != ASN1_SUCCESS)
845
asn1_delete_structure (&dinfo);
846
return _gnutls_asn2err (result);
850
asn1_der_coding (dinfo, "", NULL, &tmp_output_size, NULL);
852
tmp_output = gnutls_malloc (tmp_output_size);
853
if (output->data == NULL)
856
asn1_delete_structure (&dinfo);
857
return GNUTLS_E_MEMORY_ERROR;
860
result = asn1_der_coding (dinfo, "", tmp_output, &tmp_output_size, NULL);
861
if (result != ASN1_SUCCESS)
864
asn1_delete_structure (&dinfo);
865
return _gnutls_asn2err (result);
868
asn1_delete_structure (&dinfo);
870
output->size = tmp_output_size;
871
output->data = tmp_output;
877
* This function will do RSA PKCS #1 1.5 encoding
878
* on the given digest. The given digest must be allocated
879
* and will be freed if replacement is required.
882
pk_prepare_hash (gnutls_pk_algorithm_t pk,
883
gnutls_digest_algorithm_t hash, gnutls_datum_t * digest)
886
gnutls_datum old_digest = { digest->data, digest->size };
891
/* Encode the digest as a DigestInfo
893
if ((ret = encode_ber_digest_info (hash, &old_digest, digest)) != 0)
899
_gnutls_free_datum (&old_digest);
905
return GNUTLS_E_UNIMPLEMENTED_FEATURE;