2 * Copyright (C) 2001, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free
3 * Software Foundation, Inc.
5 * Author: Nikos Mavrogiannopoulos
7 * This file is part of GnuTLS.
9 * The GnuTLS is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Lesser General Public License
11 * as published by the Free Software Foundation; either version 2.1 of
12 * the License, or (at your option) any later version.
14 * This library is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * Lesser General Public License for more details.
19 * You should have received a copy of the GNU Lesser General Public
20 * License along with this library; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
26 #include <gnutls_int.h>
27 #include <gnutls_errors.h>
29 #include <auth_cert.h>
30 #include <gnutls_algorithms.h>
31 #include <gnutls_cert.h>
32 #include <gnutls_datum.h>
33 #include <gnutls_mpi.h>
34 #include <gnutls_global.h>
35 #include <gnutls_pk.h>
37 #include <gnutls_buffers.h>
38 #include <gnutls_sig.h>
39 #include <gnutls_kx.h>
41 #include <ext_signature.h>
42 #include <gnutls_state.h>
43 #include <x509/common.h>
46 sign_tls_hash (gnutls_session_t session, gnutls_digest_algorithm_t hash_algo,
47 gnutls_cert * cert, gnutls_privkey_t pkey,
48 const gnutls_datum_t * hash_concat,
49 gnutls_datum_t * signature);
51 /* While this is currently equal to the length of RSA/SHA512
52 * signature, it should also be sufficient for DSS signature and any
53 * other RSA signatures including one with the old MD5/SHA1-combined
56 #define MAX_SIG_SIZE 19 + MAX_HASH_SIZE
58 /* Generates a signature of all the random data and the parameters.
59 * Used in DHE_* ciphersuites.
62 _gnutls_handshake_sign_data (gnutls_session_t session, gnutls_cert * cert,
63 gnutls_privkey_t pkey, gnutls_datum_t * params,
64 gnutls_datum_t * signature,
65 gnutls_sign_algorithm_t * sign_algo)
67 gnutls_datum_t dconcat;
70 opaque concat[MAX_SIG_SIZE];
71 gnutls_protocol_t ver = gnutls_protocol_get_version (session);
72 gnutls_digest_algorithm_t hash_algo;
75 _gnutls_session_get_sign_algo (session, cert);
76 if (*sign_algo == GNUTLS_SIGN_UNKNOWN)
79 return GNUTLS_E_UNKNOWN_PK_ALGORITHM;
82 hash_algo = _gnutls_sign_get_hash_algorithm (*sign_algo);
84 _gnutls_handshake_log ("HSK[%p]: signing handshake data: using %s\n",
85 session, gnutls_sign_algorithm_get_name (*sign_algo));
87 ret = _gnutls_hash_init (&td_sha, hash_algo);
94 _gnutls_hash (&td_sha, session->security_parameters.client_random,
96 _gnutls_hash (&td_sha, session->security_parameters.server_random,
98 _gnutls_hash (&td_sha, params->data, params->size);
100 switch (cert->subject_pk_algorithm)
103 if (!_gnutls_version_has_selectable_sighash (ver))
107 ret = _gnutls_hash_init (&td_md5, GNUTLS_MAC_MD5);
114 _gnutls_hash (&td_md5, session->security_parameters.client_random,
116 _gnutls_hash (&td_md5, session->security_parameters.server_random,
118 _gnutls_hash (&td_md5, params->data, params->size);
120 _gnutls_hash_deinit (&td_md5, concat);
121 _gnutls_hash_deinit (&td_sha, &concat[16]);
123 dconcat.data = concat;
129 _gnutls_hash_deinit (&td_sha, concat);
131 dconcat.data = concat;
132 dconcat.size = _gnutls_hash_get_algo_len (hash_algo);
136 _gnutls_hash_deinit (&td_sha, concat);
138 if ((hash_algo != GNUTLS_DIG_SHA1) && (hash_algo != GNUTLS_DIG_SHA224)
139 && (hash_algo != GNUTLS_DIG_SHA256))
142 return GNUTLS_E_INTERNAL_ERROR;
144 dconcat.data = concat;
145 dconcat.size = _gnutls_hash_get_algo_len (hash_algo);
150 _gnutls_hash_deinit (&td_sha, NULL);
151 return GNUTLS_E_INTERNAL_ERROR;
154 ret = sign_tls_hash (session, hash_algo, cert, pkey, &dconcat, signature);
165 /* This will create a PKCS1 or DSA signature, using the given parameters, and the
166 * given data. The output will be allocated and be put in signature.
169 _gnutls_soft_sign (gnutls_pk_algorithm_t algo, bigint_t * params,
170 int params_size, const gnutls_datum_t * data,
171 gnutls_datum_t * signature)
179 if ((ret = _gnutls_pkcs1_rsa_encrypt (signature, data, params,
180 params_size, 1)) < 0)
189 if ((ret = _gnutls_dsa_sign (signature, data, params, params_size)) < 0)
197 return GNUTLS_E_INTERNAL_ERROR;
204 /* This will create a PKCS1 or DSA signature, as defined in the TLS protocol.
205 * Cert is the certificate of the corresponding private key. It is only checked if
206 * it supports signing.
209 sign_tls_hash (gnutls_session_t session, gnutls_digest_algorithm_t hash_algo,
210 gnutls_cert * cert, gnutls_privkey_t pkey,
211 const gnutls_datum_t * hash_concat,
212 gnutls_datum_t * signature)
214 gnutls_protocol_t ver = gnutls_protocol_get_version (session);
216 /* If our certificate supports signing
221 if (cert->key_usage != 0)
222 if (!(cert->key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE))
225 return GNUTLS_E_KEY_USAGE_VIOLATION;
228 /* External signing. */
233 if (!session->internals.sign_func)
234 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
236 if (!_gnutls_version_has_selectable_sighash (ver))
237 return (*session->internals.sign_func)
238 (session, session->internals.sign_func_userdata,
239 cert->cert_type, &cert->raw, hash_concat, signature);
242 gnutls_datum_t digest;
244 ret = _gnutls_set_datum(&digest, hash_concat->data, hash_concat->size);
246 return gnutls_assert_val(ret);
248 ret = pk_prepare_hash (gnutls_privkey_get_pk_algorithm(pkey, NULL), hash_algo, &digest);
255 ret = (*session->internals.sign_func)
256 (session, session->internals.sign_func_userdata,
257 cert->cert_type, &cert->raw, &digest, signature);
259 gnutls_free(digest.data);
266 if (!_gnutls_version_has_selectable_sighash (ver))
267 return _gnutls_privkey_sign_hash (pkey, hash_concat, signature);
269 return gnutls_privkey_sign_hash (pkey, hash_algo, 0, hash_concat, signature);
273 verify_tls_hash (gnutls_protocol_t ver, gnutls_cert * cert,
274 const gnutls_datum_t * hash_concat,
275 gnutls_datum_t * signature, size_t sha1pos,
276 gnutls_pk_algorithm_t pk_algo)
279 gnutls_datum_t vdata;
281 if (cert == NULL || cert->version == 0)
282 { /* this is the only way to check
283 * if it is initialized
286 return GNUTLS_E_CERTIFICATE_ERROR;
289 /* If the certificate supports signing continue.
291 if (cert->key_usage != 0)
292 if (!(cert->key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE))
295 return GNUTLS_E_KEY_USAGE_VIOLATION;
298 if (pk_algo == GNUTLS_PK_UNKNOWN)
299 pk_algo = cert->subject_pk_algorithm;
304 vdata.data = hash_concat->data;
305 vdata.size = hash_concat->size;
307 /* verify signature */
308 if (!_gnutls_version_has_selectable_sighash (ver))
309 ret = _gnutls_rsa_verify (&vdata, signature, cert->params,
310 cert->params_size, 1);
312 ret = pubkey_verify_sig( NULL, &vdata, signature, pk_algo,
313 cert->params, cert->params_size);
324 vdata.data = &hash_concat->data[sha1pos];
325 vdata.size = hash_concat->size - sha1pos;
327 ret = pubkey_verify_sig( NULL, &vdata, signature, pk_algo,
328 cert->params, cert->params_size);
329 /* verify signature */
339 return GNUTLS_E_INTERNAL_ERROR;
348 /* Generates a signature of all the random data and the parameters.
349 * Used in DHE_* ciphersuites.
352 _gnutls_handshake_verify_data (gnutls_session_t session, gnutls_cert * cert,
353 const gnutls_datum_t * params,
354 gnutls_datum_t * signature,
355 gnutls_sign_algorithm_t algo)
357 gnutls_datum_t dconcat;
361 opaque concat[MAX_SIG_SIZE];
362 gnutls_protocol_t ver = gnutls_protocol_get_version (session);
363 gnutls_digest_algorithm_t hash_algo;
365 if (_gnutls_version_has_selectable_sighash (ver))
367 _gnutls_handshake_log ("HSK[%p]: verify handshake data: using %s\n",
368 session, gnutls_sign_algorithm_get_name (algo));
370 ret = cert_compatible_with_sig(cert, ver, algo);
372 return gnutls_assert_val(ret);
374 ret = _gnutls_session_sign_algo_enabled (session, algo);
376 return gnutls_assert_val(ret);
378 hash_algo = _gnutls_sign_get_hash_algorithm (algo);
382 ret = _gnutls_hash_init (&td_md5, GNUTLS_MAC_MD5);
389 _gnutls_hash (&td_md5, session->security_parameters.client_random,
391 _gnutls_hash (&td_md5, session->security_parameters.server_random,
393 _gnutls_hash (&td_md5, params->data, params->size);
395 hash_algo = GNUTLS_DIG_SHA1;
398 ret = _gnutls_hash_init (&td_sha, hash_algo);
402 if (!_gnutls_version_has_selectable_sighash (ver))
403 _gnutls_hash_deinit (&td_md5, NULL);
407 _gnutls_hash (&td_sha, session->security_parameters.client_random,
409 _gnutls_hash (&td_sha, session->security_parameters.server_random,
411 _gnutls_hash (&td_sha, params->data, params->size);
413 if (!_gnutls_version_has_selectable_sighash (ver))
415 _gnutls_hash_deinit (&td_md5, concat);
416 _gnutls_hash_deinit (&td_sha, &concat[16]);
417 dconcat.data = concat;
422 _gnutls_hash_deinit (&td_sha, concat);
424 dconcat.data = concat;
425 dconcat.size = _gnutls_hash_get_algo_len (hash_algo);
428 ret = verify_tls_hash (ver, cert, &dconcat, signature,
430 _gnutls_hash_get_algo_len (hash_algo),
431 _gnutls_sign_get_pk_algorithm (algo));
442 /* Client certificate verify calculations
445 /* this is _gnutls_handshake_verify_cert_vrfy for TLS 1.2
448 _gnutls_handshake_verify_cert_vrfy12 (gnutls_session_t session,
450 gnutls_datum_t * signature,
451 gnutls_sign_algorithm_t sign_algo)
454 opaque concat[MAX_SIG_SIZE];
456 gnutls_datum_t dconcat;
457 gnutls_sign_algorithm_t _sign_algo;
458 gnutls_digest_algorithm_t hash_algo;
459 digest_hd_st *handshake_td;
460 gnutls_protocol_t ver = gnutls_protocol_get_version (session);
462 handshake_td = &session->internals.handshake_mac_handle.tls12.sha1;
463 hash_algo = handshake_td->algorithm;
465 _gnutls_x509_pk_to_sign (cert->subject_pk_algorithm, hash_algo);
467 if (_sign_algo != sign_algo)
469 handshake_td = &session->internals.handshake_mac_handle.tls12.sha256;
470 hash_algo = handshake_td->algorithm;
472 _gnutls_x509_pk_to_sign (cert->subject_pk_algorithm, hash_algo);
473 if (sign_algo != _sign_algo)
476 return GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM;
480 ret = _gnutls_hash_copy (&td, handshake_td);
484 return GNUTLS_E_HASH_FAILED;
487 _gnutls_hash_deinit (&td, concat);
489 dconcat.data = concat;
490 dconcat.size = _gnutls_hash_get_algo_len (hash_algo);
493 verify_tls_hash (ver, cert, &dconcat, signature, 0,
494 cert->subject_pk_algorithm);
505 /* Verifies a TLS signature (like the one in the client certificate
509 _gnutls_handshake_verify_cert_vrfy (gnutls_session_t session,
511 gnutls_datum_t * signature,
512 gnutls_sign_algorithm_t sign_algo)
515 opaque concat[MAX_SIG_SIZE];
518 gnutls_datum_t dconcat;
519 gnutls_protocol_t ver = gnutls_protocol_get_version (session);
521 _gnutls_handshake_log ("HSK[%p]: verify cert vrfy: using %s\n",
522 session, gnutls_sign_algorithm_get_name (sign_algo));
524 if (session->security_parameters.handshake_mac_handle_type ==
525 HANDSHAKE_MAC_TYPE_12)
527 return _gnutls_handshake_verify_cert_vrfy12 (session, cert, signature,
530 else if (session->security_parameters.handshake_mac_handle_type !=
531 HANDSHAKE_MAC_TYPE_10)
534 return GNUTLS_E_INTERNAL_ERROR;
538 _gnutls_hash_copy (&td_md5,
539 &session->internals.handshake_mac_handle.tls10.md5);
547 _gnutls_hash_copy (&td_sha,
548 &session->internals.handshake_mac_handle.tls10.sha);
552 _gnutls_hash_deinit (&td_md5, NULL);
553 return GNUTLS_E_HASH_FAILED;
556 if (ver == GNUTLS_SSL3)
558 ret = _gnutls_generate_master (session, 1);
565 _gnutls_mac_deinit_ssl3_handshake (&td_md5, concat,
567 security_parameters.master_secret,
569 _gnutls_mac_deinit_ssl3_handshake (&td_sha, &concat[16],
571 security_parameters.master_secret,
576 _gnutls_hash_deinit (&td_md5, concat);
577 _gnutls_hash_deinit (&td_sha, &concat[16]);
580 dconcat.data = concat;
581 dconcat.size = 20 + 16; /* md5+ sha */
584 verify_tls_hash (ver, cert, &dconcat, signature, 16,
585 cert->subject_pk_algorithm);
596 /* the same as _gnutls_handshake_sign_cert_vrfy except that it is made for TLS 1.2
599 _gnutls_handshake_sign_cert_vrfy12 (gnutls_session_t session,
600 gnutls_cert * cert, gnutls_privkey_t pkey,
601 gnutls_datum_t * signature)
603 gnutls_datum_t dconcat;
605 opaque concat[MAX_SIG_SIZE];
607 gnutls_sign_algorithm_t sign_algo;
608 gnutls_digest_algorithm_t hash_algo;
609 digest_hd_st *handshake_td;
612 _gnutls_session_get_sign_algo (session, cert);
613 if (sign_algo == GNUTLS_SIGN_UNKNOWN)
616 return GNUTLS_E_UNKNOWN_PK_ALGORITHM;
619 hash_algo = _gnutls_sign_get_hash_algorithm (sign_algo);
621 _gnutls_debug_log ("sign handshake cert vrfy: picked %s with %s\n",
622 gnutls_sign_algorithm_get_name (sign_algo),
623 gnutls_mac_get_name (hash_algo));
625 if ((gnutls_mac_algorithm_t)hash_algo == session->internals.handshake_mac_handle.tls12.sha1.algorithm)
626 handshake_td = &session->internals.handshake_mac_handle.tls12.sha1;
627 else if ((gnutls_mac_algorithm_t)hash_algo == session->internals.handshake_mac_handle.tls12.sha256.algorithm)
628 handshake_td = &session->internals.handshake_mac_handle.tls12.sha256;
630 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); /* too bad we only support SHA1 and SHA256 */
632 ret = _gnutls_hash_copy (&td, handshake_td);
639 _gnutls_hash_deinit (&td, concat);
641 dconcat.data = concat;
642 dconcat.size = _gnutls_hash_get_algo_len (hash_algo);
644 ret = sign_tls_hash (session, hash_algo, cert, pkey, &dconcat, signature);
655 /* Generates a signature of all the previous sent packets in the
656 * handshake procedure.
657 * 20040227: now it works for SSL 3.0 as well
658 * 20091031: works for TLS 1.2 too!
660 * For TLS1.x, x<2 returns negative for failure and zero or unspecified for success.
661 * For TLS1.2 returns the signature algorithm used on success, or a negative value;
664 _gnutls_handshake_sign_cert_vrfy (gnutls_session_t session,
665 gnutls_cert * cert, gnutls_privkey_t pkey,
666 gnutls_datum_t * signature)
668 gnutls_datum_t dconcat;
670 opaque concat[MAX_SIG_SIZE];
673 gnutls_protocol_t ver = gnutls_protocol_get_version (session);
675 if (session->security_parameters.handshake_mac_handle_type ==
676 HANDSHAKE_MAC_TYPE_12)
678 return _gnutls_handshake_sign_cert_vrfy12 (session, cert, pkey,
681 else if (session->security_parameters.handshake_mac_handle_type !=
682 HANDSHAKE_MAC_TYPE_10)
685 return GNUTLS_E_INTERNAL_ERROR;
689 _gnutls_hash_copy (&td_sha,
690 &session->internals.handshake_mac_handle.tls10.sha);
697 if (ver == GNUTLS_SSL3)
699 ret = _gnutls_generate_master (session, 1);
706 _gnutls_mac_deinit_ssl3_handshake (&td_sha, &concat[16],
708 security_parameters.master_secret,
712 _gnutls_hash_deinit (&td_sha, &concat[16]);
714 switch (cert->subject_pk_algorithm)
718 _gnutls_hash_copy (&td_md5,
719 &session->internals.handshake_mac_handle.tls10.
727 if (ver == GNUTLS_SSL3)
728 _gnutls_mac_deinit_ssl3_handshake (&td_md5, concat,
730 security_parameters.master_secret,
733 _gnutls_hash_deinit (&td_md5, concat);
735 dconcat.data = concat;
739 /* ensure 1024 bit DSA keys are used */
740 hash_algo = _gnutls_dsa_q_to_hash (cert->params[1], NULL);
741 if (!_gnutls_version_has_selectable_sighash (ver) && hash_algo != GNUTLS_DIG_SHA1)
742 return gnutls_assert_val(GNUTLS_E_INCOMPAT_DSA_KEY_WITH_TLS_PROTOCOL);
744 dconcat.data = &concat[16];
749 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
751 ret = sign_tls_hash (session, GNUTLS_DIG_NULL, cert, pkey, &dconcat, signature);
761 pk_hash_data (gnutls_pk_algorithm_t pk, gnutls_digest_algorithm_t hash,
763 const gnutls_datum_t * data, gnutls_datum_t * digest)
767 digest->size = _gnutls_hash_get_algo_len (hash);
768 digest->data = gnutls_malloc (digest->size);
769 if (digest->data == NULL)
772 return GNUTLS_E_MEMORY_ERROR;
775 ret = _gnutls_hash_fast (hash, data->data, data->size, digest->data);
785 gnutls_free (digest->data);
789 /* Writes the digest information and the digest in a DER encoded
790 * structure. The digest info is allocated and stored into the info structure.
793 encode_ber_digest_info (gnutls_digest_algorithm_t hash,
794 const gnutls_datum_t * digest,
795 gnutls_datum_t * output)
797 ASN1_TYPE dinfo = ASN1_TYPE_EMPTY;
803 algo = _gnutls_x509_mac_to_oid ((gnutls_mac_algorithm_t) hash);
807 _gnutls_x509_log ("Hash algorithm: %d\n", hash);
808 return GNUTLS_E_UNKNOWN_PK_ALGORITHM;
811 if ((result = asn1_create_element (_gnutls_get_gnutls_asn (),
813 &dinfo)) != ASN1_SUCCESS)
816 return _gnutls_asn2err (result);
819 result = asn1_write_value (dinfo, "digestAlgorithm.algorithm", algo, 1);
820 if (result != ASN1_SUCCESS)
823 asn1_delete_structure (&dinfo);
824 return _gnutls_asn2err (result);
827 /* Write an ASN.1 NULL in the parameters field. This matches RFC
828 3279 and RFC 4055, although is arguable incorrect from a historic
829 perspective (see those documents for more information).
830 Regardless of what is correct, this appears to be what most
831 implementations do. */
832 result = asn1_write_value (dinfo, "digestAlgorithm.parameters",
833 ASN1_NULL, ASN1_NULL_SIZE);
834 if (result != ASN1_SUCCESS)
837 asn1_delete_structure (&dinfo);
838 return _gnutls_asn2err (result);
841 result = asn1_write_value (dinfo, "digest", digest->data, digest->size);
842 if (result != ASN1_SUCCESS)
845 asn1_delete_structure (&dinfo);
846 return _gnutls_asn2err (result);
850 asn1_der_coding (dinfo, "", NULL, &tmp_output_size, NULL);
852 tmp_output = gnutls_malloc (tmp_output_size);
853 if (output->data == NULL)
856 asn1_delete_structure (&dinfo);
857 return GNUTLS_E_MEMORY_ERROR;
860 result = asn1_der_coding (dinfo, "", tmp_output, &tmp_output_size, NULL);
861 if (result != ASN1_SUCCESS)
864 asn1_delete_structure (&dinfo);
865 return _gnutls_asn2err (result);
868 asn1_delete_structure (&dinfo);
870 output->size = tmp_output_size;
871 output->data = tmp_output;
877 * This function will do RSA PKCS #1 1.5 encoding
878 * on the given digest. The given digest must be allocated
879 * and will be freed if replacement is required.
882 pk_prepare_hash (gnutls_pk_algorithm_t pk,
883 gnutls_digest_algorithm_t hash, gnutls_datum_t * digest)
886 gnutls_datum old_digest = { digest->data, digest->size };
891 /* Encode the digest as a DigestInfo
893 if ((ret = encode_ber_digest_info (hash, &old_digest, digest)) != 0)
899 _gnutls_free_datum (&old_digest);
905 return GNUTLS_E_UNIMPLEMENTED_FEATURE;
projects / external / libgnutls26.git / blob