42
48
const gnutls_datum_t * hash_concat,
43
49
gnutls_datum_t * signature);
51
/* While this is currently equal to the length of RSA/SHA512
52
* signature, it should also be sufficient for DSS signature and any
53
* other RSA signatures including one with the old MD5/SHA1-combined
56
#define MAX_SIG_SIZE 19 + MAX_HASH_SIZE
46
/* Generates a signature of all the previous sent packets in the
47
* handshake procedure. (20040227: now it works for SSL 3.0 as well)
58
/* Create a DER-encoded value as a opaque signature when RSA is used.
59
* See RFC 5246 DigitallySigned for the actual format.
50
_gnutls_tls_sign_hdata (gnutls_session_t session,
51
gnutls_cert * cert, gnutls_privkey * pkey,
62
_gnutls_rsa_encode_sig (gnutls_mac_algorithm_t algo,
63
const gnutls_datum_t * hash,
52
64
gnutls_datum_t * signature)
54
gnutls_datum_t dconcat;
59
gnutls_protocol_t ver = gnutls_protocol_get_version (session);
62
_gnutls_hash_copy (&td_sha, &session->internals.handshake_mac_handle_sha);
69
if (ver == GNUTLS_SSL3)
71
ret = _gnutls_generate_master (session, 1);
78
_gnutls_mac_deinit_ssl3_handshake (&td_sha, &concat[16],
79
session->security_parameters.
80
master_secret, GNUTLS_MASTER_SIZE);
83
_gnutls_hash_deinit (&td_sha, &concat[16]);
85
switch (cert->subject_pk_algorithm)
89
_gnutls_hash_copy (&td_md5,
90
&session->internals.handshake_mac_handle_md5);
97
if (ver == GNUTLS_SSL3)
98
_gnutls_mac_deinit_ssl3_handshake (&td_md5, concat,
99
session->security_parameters.
100
master_secret, GNUTLS_MASTER_SIZE);
102
_gnutls_hash_deinit (&td_md5, concat);
104
dconcat.data = concat;
108
dconcat.data = &concat[16];
114
return GNUTLS_E_INTERNAL_ERROR;
116
ret = _gnutls_tls_sign (session, cert, pkey, &dconcat, signature);
68
int result, signature_size;
70
oid = _gnutls_x509_mac_to_oid (algo);
74
return GNUTLS_E_UNKNOWN_HASH_ALGORITHM;
77
if ((result = asn1_create_element
78
(_gnutls_get_gnutls_asn (), "GNUTLS.DigestInfo", &di)) != ASN1_SUCCESS)
81
return _gnutls_asn2err (result);
84
if ((result = asn1_write_value (di, "digestAlgorithm.algorithm",
85
oid, strlen (oid))) != ASN1_SUCCESS)
88
asn1_delete_structure (&di);
89
return _gnutls_asn2err (result);
92
/* Use NULL parameters. */
93
if ((result = asn1_write_value (di, "digestAlgorithm.parameters",
94
ASN1_NULL, ASN1_NULL_SIZE)) != ASN1_SUCCESS)
97
asn1_delete_structure (&di);
98
return _gnutls_asn2err (result);
101
if ((result = asn1_write_value (di, "digest",
102
hash->data, hash->size)) != ASN1_SUCCESS)
105
asn1_delete_structure (&di);
106
return _gnutls_asn2err (result);
109
signature_size = signature->size;
110
result = asn1_der_coding (di, "", signature->data, &signature_size, NULL);
111
asn1_delete_structure (&di);
113
if (result != ASN1_SUCCESS)
116
return _gnutls_asn2err (result);
119
signature->size = signature_size;
126
126
/* Generates a signature of all the random data and the parameters.
127
127
* Used in DHE_* ciphersuites.
130
_gnutls_tls_sign_params (gnutls_session_t session, gnutls_cert * cert,
131
gnutls_privkey * pkey, gnutls_datum_t * params,
132
gnutls_datum_t * signature)
130
_gnutls_handshake_sign_data (gnutls_session_t session, gnutls_cert * cert,
131
gnutls_privkey * pkey, gnutls_datum_t * params,
132
gnutls_datum_t * signature,
133
gnutls_sign_algorithm_t * sign_algo)
134
135
gnutls_datum_t dconcat;
136
137
digest_hd_st td_sha;
138
opaque concat[MAX_SIG_SIZE];
138
139
gnutls_protocol_t ver = gnutls_protocol_get_version (session);
140
ret = _gnutls_hash_init (&td_sha, GNUTLS_MAC_SHA1);
140
gnutls_digest_algorithm_t hash_algo;
143
_gnutls_session_get_sign_algo (session, cert->subject_pk_algorithm,
145
if (*sign_algo == GNUTLS_SIGN_UNKNOWN)
148
return GNUTLS_E_UNKNOWN_PK_ALGORITHM;
151
ret = _gnutls_hash_init (&td_sha, hash_algo);
143
154
gnutls_assert ();
385
/* Generates a signature of all the random data and the parameters.
386
* Used in DHE_* ciphersuites.
389
_gnutls_handshake_verify_data (gnutls_session_t session, gnutls_cert * cert,
390
const gnutls_datum_t * params,
391
gnutls_datum_t * signature,
392
gnutls_sign_algorithm_t algo)
394
gnutls_datum_t dconcat;
398
opaque concat[MAX_SIG_SIZE];
399
gnutls_protocol_t ver = gnutls_protocol_get_version (session);
400
gnutls_digest_algorithm_t hash_algo = GNUTLS_DIG_SHA1;
402
ret = _gnutls_session_sign_algo_enabled (session, algo);
409
if (!_gnutls_version_has_selectable_prf (ver))
411
ret = _gnutls_hash_init (&td_md5, GNUTLS_MAC_MD5);
418
_gnutls_hash (&td_md5, session->security_parameters.client_random,
420
_gnutls_hash (&td_md5, session->security_parameters.server_random,
422
_gnutls_hash (&td_md5, params->data, params->size);
425
if (algo != GNUTLS_SIGN_UNKNOWN)
426
hash_algo = _gnutls_sign_get_hash_algorithm (algo);
428
ret = _gnutls_hash_init (&td_sha, hash_algo);
432
if (!_gnutls_version_has_selectable_prf (ver))
433
_gnutls_hash_deinit (&td_md5, NULL);
437
_gnutls_hash (&td_sha, session->security_parameters.client_random,
439
_gnutls_hash (&td_sha, session->security_parameters.server_random,
441
_gnutls_hash (&td_sha, params->data, params->size);
443
if (!_gnutls_version_has_selectable_prf (ver))
445
_gnutls_hash_deinit (&td_md5, concat);
446
_gnutls_hash_deinit (&td_sha, &concat[16]);
447
dconcat.data = concat;
454
_gnutls_hash_deinit (&td_sha, concat);
457
hash.size = _gnutls_hash_get_algo_len (hash_algo);
458
dconcat.data = concat;
459
dconcat.size = sizeof concat;
461
ret = _gnutls_rsa_encode_sig (hash_algo, &hash, &dconcat);
469
ret = _gnutls_verify_sig (cert, &dconcat, signature,
471
_gnutls_hash_get_algo_len (hash_algo),
472
_gnutls_sign_get_pk_algorithm (algo));
483
/* Client certificate verify calculations
486
/* this is _gnutls_handshake_verify_cert_vrfy for TLS 1.2
489
_gnutls_handshake_verify_cert_vrfy12 (gnutls_session_t session,
491
gnutls_datum_t * signature,
492
gnutls_sign_algorithm_t sign_algo)
495
opaque concat[MAX_SIG_SIZE];
497
gnutls_datum_t dconcat;
499
gnutls_sign_algorithm_t _sign_algo;
500
gnutls_digest_algorithm_t hash_algo;
501
digest_hd_st *handshake_td;
503
handshake_td = &session->internals.handshake_mac_handle.tls12.sha1;
504
hash_algo = handshake_td->algorithm;
506
_gnutls_x509_pk_to_sign (cert->subject_pk_algorithm, hash_algo);
508
if (_sign_algo != sign_algo)
510
handshake_td = &session->internals.handshake_mac_handle.tls12.sha256;
511
hash_algo = handshake_td->algorithm;
513
_gnutls_x509_pk_to_sign (cert->subject_pk_algorithm, hash_algo);
514
if (sign_algo != _sign_algo)
517
return GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM;
521
ret = _gnutls_hash_copy (&td, handshake_td);
525
return GNUTLS_E_HASH_FAILED;
528
_gnutls_hash_deinit (&td, concat);
531
hash.size = _gnutls_hash_get_algo_len (hash_algo);
533
dconcat.data = concat;
534
dconcat.size = sizeof concat;
536
ret = _gnutls_rsa_encode_sig (hash_algo, &hash, &dconcat);
544
_gnutls_verify_sig (cert, &dconcat, signature, 0,
545
cert->subject_pk_algorithm);
364
556
/* Verifies a TLS signature (like the one in the client certificate
365
557
* verify message).
368
_gnutls_verify_sig_hdata (gnutls_session_t session, gnutls_cert * cert,
369
gnutls_datum_t * signature)
560
_gnutls_handshake_verify_cert_vrfy (gnutls_session_t session,
562
gnutls_datum_t * signature,
563
gnutls_sign_algorithm_t sign_algo)
566
opaque concat[MAX_SIG_SIZE];
373
567
digest_hd_st td_md5;
374
568
digest_hd_st td_sha;
375
569
gnutls_datum_t dconcat;
376
570
gnutls_protocol_t ver = gnutls_protocol_get_version (session);
572
if (session->security_parameters.handshake_mac_handle_type ==
573
HANDSHAKE_MAC_TYPE_12)
575
return _gnutls_handshake_verify_cert_vrfy12 (session, cert, signature,
578
else if (session->security_parameters.handshake_mac_handle_type !=
579
HANDSHAKE_MAC_TYPE_10)
582
return GNUTLS_E_INTERNAL_ERROR;
379
_gnutls_hash_copy (&td_md5, &session->internals.handshake_mac_handle_md5);
586
_gnutls_hash_copy (&td_md5,
587
&session->internals.handshake_mac_handle.tls10.md5);
382
590
gnutls_assert ();
431
/* Generates a signature of all the random data and the parameters.
432
* Used in DHE_* ciphersuites.
644
/* the same as _gnutls_handshake_sign_cert_vrfy except that it is made for TLS 1.2
647
_gnutls_handshake_sign_cert_vrfy12 (gnutls_session_t session,
648
gnutls_cert * cert, gnutls_privkey * pkey,
649
gnutls_datum_t * signature)
651
gnutls_datum_t dconcat, hash;
653
opaque concat[MAX_SIG_SIZE];
655
gnutls_sign_algorithm_t sign_algo;
656
gnutls_digest_algorithm_t hash_algo;
657
digest_hd_st *handshake_td;
659
handshake_td = &session->internals.handshake_mac_handle.tls12.sha1;
660
hash_algo = handshake_td->algorithm;
661
sign_algo = _gnutls_x509_pk_to_sign (cert->subject_pk_algorithm, hash_algo);
663
/* The idea here is to try signing with the one of the algorithms
664
* that have been initiated at handshake (SHA1, SHA256). If they
665
* are not requested by peer... tough luck
667
ret = _gnutls_session_sign_algo_requested (session, sign_algo);
668
if (sign_algo == GNUTLS_SIGN_UNKNOWN || ret < 0)
670
handshake_td = &session->internals.handshake_mac_handle.tls12.sha256;
671
hash_algo = handshake_td->algorithm;
673
_gnutls_x509_pk_to_sign (cert->subject_pk_algorithm, hash_algo);
674
if (sign_algo == GNUTLS_SIGN_UNKNOWN)
677
return GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM;
680
ret = _gnutls_session_sign_algo_requested (session, sign_algo);
685
("Server did not allow either '%s' or '%s' for signing\n",
686
gnutls_mac_get_name (hash_algo),
687
gnutls_mac_get_name (session->internals.handshake_mac_handle.
688
tls12.sha1.algorithm));
693
_gnutls_x509_log ("sign handshake cert vrfy: picked %s with %s\n",
694
gnutls_sign_algorithm_get_name (sign_algo),
695
gnutls_mac_get_name (hash_algo));
697
ret = _gnutls_hash_copy (&td, handshake_td);
704
_gnutls_hash_deinit (&td, concat);
707
hash.size = _gnutls_hash_get_algo_len (hash_algo);
709
dconcat.data = concat;
710
dconcat.size = sizeof concat;
712
ret = _gnutls_rsa_encode_sig (hash_algo, &hash, &dconcat);
719
ret = _gnutls_tls_sign (session, cert, pkey, &dconcat, signature);
729
/* Generates a signature of all the previous sent packets in the
730
* handshake procedure.
731
* 20040227: now it works for SSL 3.0 as well
732
* 20091031: works for TLS 1.2 too!
734
* For TLS1.x, x<2 returns negative for failure and zero or unspecified for success.
735
* For TLS1.2 returns the signature algorithm used on success, or a negative value;
435
_gnutls_verify_sig_params (gnutls_session_t session, gnutls_cert * cert,
436
const gnutls_datum_t * params,
437
gnutls_datum_t * signature)
738
_gnutls_handshake_sign_cert_vrfy (gnutls_session_t session,
739
gnutls_cert * cert, gnutls_privkey * pkey,
740
gnutls_datum_t * signature)
439
742
gnutls_datum_t dconcat;
744
opaque concat[MAX_SIG_SIZE];
441
745
digest_hd_st td_md5;
442
746
digest_hd_st td_sha;
444
747
gnutls_protocol_t ver = gnutls_protocol_get_version (session);
446
if (ver < GNUTLS_TLS1_2)
448
ret = _gnutls_hash_init (&td_md5, GNUTLS_MAC_MD5);
455
_gnutls_hash (&td_md5, session->security_parameters.client_random,
457
_gnutls_hash (&td_md5, session->security_parameters.server_random,
459
_gnutls_hash (&td_md5, params->data, params->size);
462
ret = _gnutls_hash_init (&td_sha, GNUTLS_MAC_SHA1);
749
if (session->security_parameters.handshake_mac_handle_type ==
750
HANDSHAKE_MAC_TYPE_12)
752
return _gnutls_handshake_sign_cert_vrfy12 (session, cert, pkey,
755
else if (session->security_parameters.handshake_mac_handle_type !=
756
HANDSHAKE_MAC_TYPE_10)
759
return GNUTLS_E_INTERNAL_ERROR;
763
_gnutls_hash_copy (&td_sha,
764
&session->internals.handshake_mac_handle.tls10.sha);
465
767
gnutls_assert ();
466
if (ver < GNUTLS_TLS1_2)
467
_gnutls_hash_deinit (&td_md5, NULL);
471
_gnutls_hash (&td_sha, session->security_parameters.client_random,
473
_gnutls_hash (&td_sha, session->security_parameters.server_random,
475
_gnutls_hash (&td_sha, params->data, params->size);
477
if (ver < GNUTLS_TLS1_2)
479
_gnutls_hash_deinit (&td_md5, concat);
480
_gnutls_hash_deinit (&td_sha, &concat[16]);
771
if (ver == GNUTLS_SSL3)
773
ret = _gnutls_generate_master (session, 1);
780
_gnutls_mac_deinit_ssl3_handshake (&td_sha, &concat[16],
782
security_parameters.master_secret,
786
_gnutls_hash_deinit (&td_sha, &concat[16]);
788
switch (cert->subject_pk_algorithm)
792
_gnutls_hash_copy (&td_md5,
793
&session->internals.handshake_mac_handle.tls10.
801
if (ver == GNUTLS_SSL3)
802
_gnutls_mac_deinit_ssl3_handshake (&td_md5, concat,
804
security_parameters.master_secret,
807
_gnutls_hash_deinit (&td_md5, concat);
809
dconcat.data = concat;
481
810
dconcat.size = 36;
486
/* Use NULL parameters. */
488
"\x30\x21\x30\x09\x06\x05\x2b\x0e\x03\x02\x1a\x05\x00\x04\x14",
490
_gnutls_hash_deinit (&td_sha, &concat[15]);
493
/* No parameters field. */
495
"\x30\x1f\x30\x07\x06\x05\x2b\x0e\x03\x02\x1a\x04\x14", 13);
496
_gnutls_hash_deinit (&td_sha, &concat[13]);
501
dconcat.data = concat;
503
ret = _gnutls_verify_sig (cert, &dconcat, signature, dconcat.size - 20);
813
dconcat.data = &concat[16];
819
return GNUTLS_E_INTERNAL_ERROR;
821
ret = _gnutls_tls_sign (session, cert, pkey, &dconcat, signature);
506
824
gnutls_assert ();