2 * Copyright (C) 2001, 2002, 2003, 2004, 2005, 2006, 2008, 2009, 2010
3 * Free Software Foundation, Inc.
5 * Author: Nikos Mavrogiannopoulos
7 * This file is part of GnuTLS.
9 * The GnuTLS is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Lesser General Public License
11 * as published by the Free Software Foundation; either version 2.1 of
12 * the License, or (at your option) any later version.
14 * This library is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * Lesser General Public License for more details.
19 * You should have received a copy of the GNU Lesser General Public
20 * License along with this library; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
26 /* This file contains the functions needed for RSA/DSA public key
27 * encryption and signatures.
30 #include <gnutls_int.h>
31 #include <gnutls_mpi.h>
32 #include <gnutls_pk.h>
33 #include <gnutls_errors.h>
34 #include <gnutls_datum.h>
35 #include <gnutls_global.h>
36 #include <gnutls_num.h>
38 #include <x509/x509_int.h>
39 #include <x509/common.h>
42 /* Do PKCS-1 RSA encryption.
43 * params is modulus, public exp.
46 _gnutls_pkcs1_rsa_encrypt (gnutls_datum_t * ciphertext,
47 const gnutls_datum_t * plaintext,
48 bigint_t * params, unsigned params_len,
56 gnutls_pk_params_st pk_params;
57 gnutls_datum_t to_encrypt, encrypted;
59 for (i = 0; i < params_len; i++)
60 pk_params.params[i] = params[i];
61 pk_params.params_nr = params_len;
63 mod_bits = _gnutls_mpi_get_nbits (params[0]);
65 if (mod_bits % 8 != 0)
68 if (plaintext->size > k - 11)
71 return GNUTLS_E_PK_ENCRYPTION_FAILED;
74 edata = gnutls_malloc (k);
78 return GNUTLS_E_MEMORY_ERROR;
81 /* EB = 00||BT||PS||00||D
82 * (use block type 'btype')
87 psize = k - 3 - plaintext->size;
93 /* using public key */
94 if (params_len < RSA_PUBLIC_PARAMS)
98 return GNUTLS_E_INTERNAL_ERROR;
101 ret = _gnutls_rnd (GNUTLS_RND_RANDOM, ps, psize);
108 for (i = 0; i < psize; i++)
111 ret = _gnutls_rnd (GNUTLS_RND_RANDOM, &ps[i], 1);
121 /* using private key */
123 if (params_len < RSA_PRIVATE_PARAMS)
127 return GNUTLS_E_INTERNAL_ERROR;
130 for (i = 0; i < psize; i++)
136 return GNUTLS_E_INTERNAL_ERROR;
140 memcpy (&ps[psize + 1], plaintext->data, plaintext->size);
142 to_encrypt.data = edata;
145 if (btype == 2) /* encrypt */
147 _gnutls_pk_encrypt (GNUTLS_PK_RSA, &encrypted, &to_encrypt, &pk_params);
150 _gnutls_pk_sign (GNUTLS_PK_RSA, &encrypted, &to_encrypt, &pk_params);
160 psize = encrypted.size;
170 * no need to do anything else
172 ciphertext->data = encrypted.data;
173 ciphertext->size = encrypted.size;
177 { /* psize > k !!! */
178 /* This is an impossible situation */
180 _gnutls_free_datum (&encrypted);
181 return GNUTLS_E_INTERNAL_ERROR;
184 ciphertext->data = gnutls_malloc (psize);
185 if (ciphertext->data == NULL)
188 _gnutls_free_datum (&encrypted);
189 return GNUTLS_E_MEMORY_ERROR;
192 memcpy (&ciphertext->data[pad], encrypted.data, encrypted.size);
193 for (i = 0; i < pad; i++)
194 ciphertext->data[i] = 0;
196 ciphertext->size = k;
198 _gnutls_free_datum (&encrypted);
204 /* Do PKCS-1 RSA decryption.
205 * params is modulus, public exp., private key
206 * Can decrypt block type 1 and type 2 packets.
209 _gnutls_pkcs1_rsa_decrypt (gnutls_datum_t * plaintext,
210 const gnutls_datum_t * ciphertext,
211 bigint_t * params, unsigned params_len,
216 size_t esize, mod_bits;
217 gnutls_pk_params_st pk_params;
219 if (params_len > GNUTLS_MAX_PK_PARAMS)
220 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
222 for (i = 0; i < params_len; i++)
223 pk_params.params[i] = params[i];
224 pk_params.params_nr = params_len;
226 mod_bits = _gnutls_mpi_get_nbits (params[0]);
228 if (mod_bits % 8 != 0)
231 esize = ciphertext->size;
236 return GNUTLS_E_PK_DECRYPTION_FAILED;
239 /* we can use btype to see if the private key is
245 _gnutls_pk_decrypt (GNUTLS_PK_RSA, plaintext, ciphertext, &pk_params);
250 _gnutls_pk_encrypt (GNUTLS_PK_RSA, plaintext, ciphertext, &pk_params);
259 /* EB = 00||BT||PS||00||D
260 * (use block type 'btype')
262 * From now on, return GNUTLS_E_DECRYPTION_FAILED on errors, to
263 * avoid attacks similar to the one described by Bleichenbacher in:
264 * "Chosen Ciphertext Attacks against Protocols Based on RSA
265 * Encryption Standard PKCS #1".
267 if (plaintext->data[0] != 0 || plaintext->data[1] != btype)
270 return GNUTLS_E_DECRYPTION_FAILED;
273 ret = GNUTLS_E_DECRYPTION_FAILED;
277 for (i = 2; i < plaintext->size; i++)
279 if (plaintext->data[i] == 0)
287 for (i = 2; i < plaintext->size; i++)
289 if (plaintext->data[i] == 0 && i > 2)
294 if (plaintext->data[i] != 0xff)
296 _gnutls_handshake_log ("PKCS #1 padding error");
297 _gnutls_free_datum (plaintext);
298 /* PKCS #1 padding error. Don't use
299 GNUTLS_E_PKCS1_WRONG_PAD here. */
306 _gnutls_free_datum (plaintext);
314 _gnutls_free_datum (plaintext);
315 return GNUTLS_E_DECRYPTION_FAILED;
318 memmove (plaintext->data, &plaintext->data[i], esize - i);
319 plaintext->size = esize - i;
326 _gnutls_rsa_verify (const gnutls_datum_t * vdata,
327 const gnutls_datum_t * ciphertext, bigint_t * params,
328 int params_len, int btype)
331 gnutls_datum_t plain;
334 /* decrypt signature */
336 _gnutls_pkcs1_rsa_decrypt (&plain, ciphertext, params, params_len,
343 if (plain.size != vdata->size)
346 _gnutls_free_datum (&plain);
347 return GNUTLS_E_PK_SIG_VERIFY_FAILED;
350 if (memcmp (plain.data, vdata->data, plain.size) != 0)
353 _gnutls_free_datum (&plain);
354 return GNUTLS_E_PK_SIG_VERIFY_FAILED;
357 _gnutls_free_datum (&plain);
362 /* encodes the Dss-Sig-Value structure
365 _gnutls_encode_ber_rs (gnutls_datum_t * sig_value, bigint_t r, bigint_t s)
371 asn1_create_element (_gnutls_get_gnutls_asn (),
372 "GNUTLS.DSASignatureValue",
373 &sig)) != ASN1_SUCCESS)
376 return _gnutls_asn2err (result);
379 result = _gnutls_x509_write_int (sig, "r", r, 1);
383 asn1_delete_structure (&sig);
387 result = _gnutls_x509_write_int (sig, "s", s, 1);
391 asn1_delete_structure (&sig);
395 result = _gnutls_x509_der_encode (sig, "", sig_value, 0);
397 asn1_delete_structure (&sig);
409 /* Do DSA signature calculation. params is p, q, g, y, x in that order.
412 _gnutls_dsa_sign (gnutls_datum_t * signature,
413 const gnutls_datum_t * hash, bigint_t * params,
414 unsigned int params_len)
419 gnutls_pk_params_st pk_params;
421 for (i = 0; i < params_len; i++)
422 pk_params.params[i] = params[i];
423 pk_params.params_nr = params_len;
427 { /* SHA1 or better only */
429 return GNUTLS_E_PK_SIGN_FAILED;
432 ret = _gnutls_pk_sign (GNUTLS_PK_DSA, signature, hash, &pk_params);
433 /* rs[0], rs[1] now hold r,s */
444 /* decodes the Dss-Sig-Value structure
447 _gnutls_decode_ber_rs (const gnutls_datum_t * sig_value, bigint_t * r,
454 asn1_create_element (_gnutls_get_gnutls_asn (),
455 "GNUTLS.DSASignatureValue",
456 &sig)) != ASN1_SUCCESS)
459 return _gnutls_asn2err (result);
462 result = asn1_der_decoding (&sig, sig_value->data, sig_value->size, NULL);
463 if (result != ASN1_SUCCESS)
466 asn1_delete_structure (&sig);
467 return _gnutls_asn2err (result);
470 result = _gnutls_x509_read_int (sig, "r", r);
474 asn1_delete_structure (&sig);
478 result = _gnutls_x509_read_int (sig, "s", s);
482 _gnutls_mpi_release (s);
483 asn1_delete_structure (&sig);
487 asn1_delete_structure (&sig);
492 /* params is p, q, g, y in that order
495 _gnutls_dsa_verify (const gnutls_datum_t * vdata,
496 const gnutls_datum_t * sig_value, bigint_t * params,
501 gnutls_pk_params_st pk_params;
503 for (i = 0; i < params_len; i++)
504 pk_params.params[i] = params[i];
505 pk_params.params_nr = params_len;
507 if (vdata->size < 20)
508 { /* SHA1 or better only */
510 return GNUTLS_E_PK_SIG_VERIFY_FAILED;
513 /* decrypt signature */
514 ret = _gnutls_pk_verify (GNUTLS_PK_DSA, vdata, sig_value, &pk_params);
525 /* some generic pk functions */
527 _generate_params (int algo, bigint_t * resarr, unsigned int *resarr_len,
530 gnutls_pk_params_st params;
534 ret = _gnutls_pk_ops.generate (algo, bits, ¶ms);
542 if (resarr && resarr_len && *resarr_len >= params.params_nr)
544 *resarr_len = params.params_nr;
545 for (i = 0; i < params.params_nr; i++)
546 resarr[i] = params.params[i];
550 gnutls_pk_params_release(¶ms);
552 return GNUTLS_E_INVALID_REQUEST;
560 _gnutls_rsa_generate_params (bigint_t * resarr, unsigned int *resarr_len,
563 return _generate_params (GNUTLS_PK_RSA, resarr, resarr_len, bits);
567 _gnutls_dsa_generate_params (bigint_t * resarr, unsigned int *resarr_len,
570 return _generate_params (GNUTLS_PK_DSA, resarr, resarr_len, bits);
574 _gnutls_pk_params_copy (gnutls_pk_params_st * dst, bigint_t * params,
580 if (params_len == 0 || params == NULL)
583 return GNUTLS_E_INVALID_REQUEST;
586 for (i = 0; i < params_len; i++)
588 dst->params[i] = _gnutls_mpi_set (NULL, params[i]);
589 if (dst->params[i] == NULL)
591 for (j = 0; j < i; j++)
592 _gnutls_mpi_release (&dst->params[j]);
593 return GNUTLS_E_MEMORY_ERROR;
602 gnutls_pk_params_init (gnutls_pk_params_st * p)
604 memset (p, 0, sizeof (gnutls_pk_params_st));
608 gnutls_pk_params_release (gnutls_pk_params_st * p)
611 for (i = 0; i < p->params_nr; i++)
613 _gnutls_mpi_release (&p->params[i]);
618 _gnutls_calc_rsa_exp (bigint_t * params, unsigned int params_size)
620 bigint_t tmp = _gnutls_mpi_alloc_like (params[0]);
622 if (params_size < RSA_PRIVATE_PARAMS - 2)
625 return GNUTLS_E_INTERNAL_ERROR;
631 return GNUTLS_E_MEMORY_ERROR;
634 /* [6] = d % p-1, [7] = d % q-1 */
635 _gnutls_mpi_sub_ui (tmp, params[3], 1);
636 params[6] = _gnutls_mpi_mod (params[2] /*d */ , tmp);
638 _gnutls_mpi_sub_ui (tmp, params[4], 1);
639 params[7] = _gnutls_mpi_mod (params[2] /*d */ , tmp);
641 _gnutls_mpi_release (&tmp);
643 if (params[7] == NULL || params[6] == NULL)
646 return GNUTLS_E_MEMORY_ERROR;
653 _gnutls_pk_get_hash_algorithm (gnutls_pk_algorithm_t pk, bigint_t * params,
655 gnutls_digest_algorithm_t * dig,
660 if (pk == GNUTLS_PK_DSA)
666 return _gnutls_x509_verify_algorithm ((gnutls_mac_algorithm_t *) dig,
667 NULL, pk, params, params_size);