2 * Copyright (C) 2001-2012 Free Software Foundation, Inc.
4 * Author: Nikos Mavrogiannopoulos
6 * This file is part of GnuTLS.
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
23 #include <gnutls_int.h>
24 #include <gnutls_errors.h>
26 #include <auth/cert.h>
27 #include <algorithms.h>
28 #include <gnutls_datum.h>
29 #include <gnutls_mpi.h>
30 #include <gnutls_global.h>
31 #include <gnutls_pk.h>
33 #include <gnutls_buffers.h>
34 #include <gnutls_sig.h>
35 #include <gnutls_kx.h>
37 #include <ext/signature.h>
38 #include <gnutls_state.h>
39 #include <x509/common.h>
40 #include <abstract_int.h>
43 sign_tls_hash(gnutls_session_t session, const mac_entry_st * hash_algo,
44 gnutls_pcert_st * cert, gnutls_privkey_t pkey,
45 const gnutls_datum_t * hash_concat,
46 gnutls_datum_t * signature);
49 /* While this is currently equal to the length of RSA/SHA512
50 * signature, it should also be sufficient for DSS signature and any
51 * other RSA signatures including one with the old MD5/SHA1-combined
54 #define MAX_SIG_SIZE 19 + MAX_HASH_SIZE
56 /* Generates a signature of all the random data and the parameters.
57 * Used in DHE_* ciphersuites.
60 _gnutls_handshake_sign_data(gnutls_session_t session,
61 gnutls_pcert_st * cert, gnutls_privkey_t pkey,
62 gnutls_datum_t * params,
63 gnutls_datum_t * signature,
64 gnutls_sign_algorithm_t * sign_algo)
66 gnutls_datum_t dconcat;
69 uint8_t concat[MAX_SIG_SIZE];
70 const version_entry_st *ver = get_version(session);
71 const mac_entry_st *hash_algo;
73 *sign_algo = _gnutls_session_get_sign_algo(session, cert);
74 if (*sign_algo == GNUTLS_SIGN_UNKNOWN) {
76 return GNUTLS_E_UNKNOWN_PK_ALGORITHM;
79 gnutls_sign_algorithm_set_server(session, *sign_algo);
82 hash_to_entry(gnutls_sign_get_hash_algorithm(*sign_algo));
83 if (hash_algo == NULL)
84 return gnutls_assert_val(GNUTLS_E_UNKNOWN_HASH_ALGORITHM);
87 ("HSK[%p]: signing handshake data: using %s\n", session,
88 gnutls_sign_algorithm_get_name(*sign_algo));
90 ret = _gnutls_hash_init(&td_sha, hash_algo);
96 _gnutls_hash(&td_sha, session->security_parameters.client_random,
98 _gnutls_hash(&td_sha, session->security_parameters.server_random,
100 _gnutls_hash(&td_sha, params->data, params->size);
102 switch (gnutls_privkey_get_pk_algorithm(pkey, NULL)) {
104 if (!_gnutls_version_has_selectable_sighash(ver)) {
108 _gnutls_hash_init(&td_md5,
116 _gnutls_hash(&td_md5,
117 session->security_parameters.
118 client_random, GNUTLS_RANDOM_SIZE);
119 _gnutls_hash(&td_md5,
120 session->security_parameters.
121 server_random, GNUTLS_RANDOM_SIZE);
122 _gnutls_hash(&td_md5, params->data, params->size);
124 _gnutls_hash_deinit(&td_md5, concat);
125 _gnutls_hash_deinit(&td_sha, &concat[16]);
127 dconcat.data = concat;
129 } else { /* TLS 1.2 way */
131 _gnutls_hash_deinit(&td_sha, concat);
133 dconcat.data = concat;
135 _gnutls_hash_get_algo_len(hash_algo);
140 _gnutls_hash_deinit(&td_sha, concat);
142 if (!IS_SHA((gnutls_digest_algorithm_t)hash_algo->id)) {
144 return GNUTLS_E_INTERNAL_ERROR;
146 dconcat.data = concat;
147 dconcat.size = _gnutls_hash_get_algo_len(hash_algo);
152 _gnutls_hash_deinit(&td_sha, NULL);
153 return GNUTLS_E_INTERNAL_ERROR;
157 sign_tls_hash(session, hash_algo, cert, pkey, &dconcat,
167 /* This will create a PKCS1 or DSA signature, as defined in the TLS protocol.
168 * Cert is the certificate of the corresponding private key. It is only checked if
169 * it supports signing.
172 sign_tls_hash(gnutls_session_t session, const mac_entry_st * hash_algo,
173 gnutls_pcert_st * cert, gnutls_privkey_t pkey,
174 const gnutls_datum_t * hash_concat,
175 gnutls_datum_t * signature)
177 const version_entry_st *ver = get_version(session);
178 unsigned int key_usage = 0;
180 /* If our certificate supports signing
183 gnutls_pubkey_get_key_usage(cert->pubkey, &key_usage);
186 if (!(key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE)) {
188 _gnutls_audit_log(session,
189 "Peer's certificate does not allow digital signatures. Key usage violation detected (ignored).\n");
192 /* External signing. Deprecated. To be removed. */
196 if (!session->internals.sign_func)
199 (GNUTLS_E_INSUFFICIENT_CREDENTIALS);
201 if (!_gnutls_version_has_selectable_sighash(ver))
202 return (*session->internals.sign_func)
204 session->internals.sign_func_userdata,
205 cert->type, &cert->cert, hash_concat,
208 gnutls_datum_t digest;
211 _gnutls_set_datum(&digest,
215 return gnutls_assert_val(ret);
219 (gnutls_pubkey_get_pk_algorithm
220 (cert->pubkey, NULL), hash_algo,
227 ret = (*session->internals.sign_func)
229 session->internals.sign_func_userdata,
230 cert->type, &cert->cert, &digest,
233 gnutls_free(digest.data);
240 if (!_gnutls_version_has_selectable_sighash(ver))
241 return gnutls_privkey_sign_raw_data(pkey, 0, hash_concat,
244 return gnutls_privkey_sign_hash(pkey,
245 (gnutls_digest_algorithm_t)hash_algo->id,
246 0, hash_concat, signature);
250 verify_tls_hash(gnutls_session_t session,
251 const version_entry_st * ver, gnutls_pcert_st * cert,
252 const gnutls_datum_t * hash_concat,
253 gnutls_datum_t * signature, size_t sha1pos,
254 gnutls_sign_algorithm_t sign_algo,
255 gnutls_pk_algorithm_t pk_algo)
258 gnutls_datum_t vdata;
259 unsigned int key_usage = 0, flags;
263 return GNUTLS_E_CERTIFICATE_ERROR;
266 gnutls_pubkey_get_key_usage(cert->pubkey, &key_usage);
268 /* If the certificate supports signing continue.
271 if (!(key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE)) {
273 _gnutls_audit_log(session,
274 "Peer's certificate does not allow digital signatures. Key usage violation detected (ignored).\n");
277 if (pk_algo == GNUTLS_PK_UNKNOWN)
279 gnutls_pubkey_get_pk_algorithm(cert->pubkey, NULL);
283 vdata.data = hash_concat->data;
284 vdata.size = hash_concat->size;
286 /* verify signature */
287 if (!_gnutls_version_has_selectable_sighash(ver))
288 flags = GNUTLS_PUBKEY_VERIFY_FLAG_TLS_RSA;
294 vdata.data = &hash_concat->data[sha1pos];
295 vdata.size = hash_concat->size - sha1pos;
302 return GNUTLS_E_INTERNAL_ERROR;
305 if (session->security_parameters.entity == GNUTLS_CLIENT)
306 gnutls_sign_algorithm_set_server(session, sign_algo);
308 ret = gnutls_pubkey_verify_hash2(cert->pubkey, sign_algo, flags,
312 return gnutls_assert_val(ret);
319 /* Generates a signature of all the random data and the parameters.
320 * Used in DHE_* ciphersuites.
323 _gnutls_handshake_verify_data(gnutls_session_t session,
324 gnutls_pcert_st * cert,
325 const gnutls_datum_t * params,
326 gnutls_datum_t * signature,
327 gnutls_sign_algorithm_t sign_algo)
329 gnutls_datum_t dconcat;
333 uint8_t concat[MAX_SIG_SIZE];
334 const version_entry_st *ver = get_version(session);
335 gnutls_digest_algorithm_t hash_algo;
336 const mac_entry_st *me;
338 if (_gnutls_version_has_selectable_sighash(ver)) {
339 _gnutls_handshake_log
340 ("HSK[%p]: verify handshake data: using %s\n", session,
341 gnutls_sign_algorithm_get_name(sign_algo));
344 _gnutls_pubkey_compatible_with_sig(session,
348 return gnutls_assert_val(ret);
351 _gnutls_session_sign_algo_enabled(session, sign_algo);
353 return gnutls_assert_val(ret);
355 hash_algo = gnutls_sign_get_hash_algorithm(sign_algo);
356 me = hash_to_entry(hash_algo);
358 me = hash_to_entry(GNUTLS_DIG_MD5);
359 ret = _gnutls_hash_init(&td_md5, me);
365 _gnutls_hash(&td_md5,
366 session->security_parameters.client_random,
368 _gnutls_hash(&td_md5,
369 session->security_parameters.server_random,
371 _gnutls_hash(&td_md5, params->data, params->size);
373 me = hash_to_entry(GNUTLS_DIG_SHA1);
376 ret = _gnutls_hash_init(&td_sha, me);
379 if (!_gnutls_version_has_selectable_sighash(ver))
380 _gnutls_hash_deinit(&td_md5, NULL);
384 _gnutls_hash(&td_sha, session->security_parameters.client_random,
386 _gnutls_hash(&td_sha, session->security_parameters.server_random,
388 _gnutls_hash(&td_sha, params->data, params->size);
390 if (!_gnutls_version_has_selectable_sighash(ver)) {
391 _gnutls_hash_deinit(&td_md5, concat);
392 _gnutls_hash_deinit(&td_sha, &concat[16]);
393 dconcat.data = concat;
396 _gnutls_hash_deinit(&td_sha, concat);
398 dconcat.data = concat;
399 dconcat.size = _gnutls_hash_get_algo_len(me);
402 ret = verify_tls_hash(session, ver, cert, &dconcat, signature,
403 dconcat.size - _gnutls_hash_get_algo_len(me),
405 gnutls_sign_get_pk_algorithm(sign_algo));
415 /* Client certificate verify calculations
418 /* this is _gnutls_handshake_verify_crt_vrfy for TLS 1.2
421 _gnutls_handshake_verify_crt_vrfy12(gnutls_session_t session,
422 gnutls_pcert_st * cert,
423 gnutls_datum_t * signature,
424 gnutls_sign_algorithm_t sign_algo)
427 uint8_t concat[MAX_HASH_SIZE];
428 gnutls_datum_t dconcat;
429 const version_entry_st *ver = get_version(session);
430 gnutls_pk_algorithm_t pk =
431 gnutls_pubkey_get_pk_algorithm(cert->pubkey, NULL);
432 const mac_entry_st *me;
434 ret = _gnutls_session_sign_algo_enabled(session, sign_algo);
436 return gnutls_assert_val(ret);
438 gnutls_sign_algorithm_set_client(session, sign_algo);
440 me = hash_to_entry(gnutls_sign_get_hash_algorithm(sign_algo));
443 _gnutls_hash_fast((gnutls_digest_algorithm_t)me->id,
444 session->internals.handshake_hash_buffer.
447 handshake_hash_buffer_prev_len, concat);
449 return gnutls_assert_val(ret);
451 dconcat.data = concat;
452 dconcat.size = _gnutls_hash_get_algo_len(me);
455 verify_tls_hash(session, ver, cert, &dconcat, signature, 0,
466 /* Verifies a TLS signature (like the one in the client certificate
470 _gnutls_handshake_verify_crt_vrfy(gnutls_session_t session,
471 gnutls_pcert_st * cert,
472 gnutls_datum_t * signature,
473 gnutls_sign_algorithm_t sign_algo)
476 uint8_t concat[MAX_SIG_SIZE];
479 gnutls_datum_t dconcat;
480 const version_entry_st *ver = get_version(session);
482 _gnutls_handshake_log("HSK[%p]: verify cert vrfy: using %s\n",
484 gnutls_sign_algorithm_get_name(sign_algo));
486 if (unlikely(ver == NULL))
487 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
489 if (_gnutls_version_has_selectable_sighash(ver))
490 return _gnutls_handshake_verify_crt_vrfy12(session, cert,
494 ret = _gnutls_hash_init(&td_md5, hash_to_entry(GNUTLS_DIG_MD5));
500 ret = _gnutls_hash_init(&td_sha, hash_to_entry(GNUTLS_DIG_SHA1));
503 _gnutls_hash_deinit(&td_md5, NULL);
504 return GNUTLS_E_HASH_FAILED;
507 _gnutls_hash(&td_sha,
508 session->internals.handshake_hash_buffer.data,
509 session->internals.handshake_hash_buffer_prev_len);
510 _gnutls_hash(&td_md5,
511 session->internals.handshake_hash_buffer.data,
512 session->internals.handshake_hash_buffer_prev_len);
514 if (ver->id == GNUTLS_SSL3) {
515 ret = _gnutls_generate_master(session, 1);
517 _gnutls_hash_deinit(&td_md5, NULL);
518 _gnutls_hash_deinit(&td_sha, NULL);
519 return gnutls_assert_val(ret);
522 ret = _gnutls_mac_deinit_ssl3_handshake(&td_md5, concat,
523 session->security_parameters.
527 _gnutls_hash_deinit(&td_sha, NULL);
528 return gnutls_assert_val(ret);
532 _gnutls_mac_deinit_ssl3_handshake(&td_sha, &concat[16],
533 session->security_parameters.
537 return gnutls_assert_val(ret);
540 _gnutls_hash_deinit(&td_md5, concat);
541 _gnutls_hash_deinit(&td_sha, &concat[16]);
544 dconcat.data = concat;
545 dconcat.size = 20 + 16; /* md5+ sha */
548 verify_tls_hash(session, ver, cert, &dconcat, signature, 16,
550 gnutls_pubkey_get_pk_algorithm(cert->pubkey,
560 /* the same as _gnutls_handshake_sign_crt_vrfy except that it is made for TLS 1.2
563 _gnutls_handshake_sign_crt_vrfy12(gnutls_session_t session,
564 gnutls_pcert_st * cert,
565 gnutls_privkey_t pkey,
566 gnutls_datum_t * signature)
568 gnutls_datum_t dconcat;
570 uint8_t concat[MAX_SIG_SIZE];
571 gnutls_sign_algorithm_t sign_algo;
572 const mac_entry_st *me;
574 sign_algo = _gnutls_session_get_sign_algo(session, cert);
575 if (sign_algo == GNUTLS_SIGN_UNKNOWN) {
577 return GNUTLS_E_UNKNOWN_PK_ALGORITHM;
580 gnutls_sign_algorithm_set_client(session, sign_algo);
582 me = hash_to_entry(gnutls_sign_get_hash_algorithm(sign_algo));
584 _gnutls_debug_log("sign handshake cert vrfy: picked %s with %s\n",
585 gnutls_sign_algorithm_get_name(sign_algo),
586 _gnutls_mac_get_name(me));
589 _gnutls_hash_fast((gnutls_digest_algorithm_t)me->id,
590 session->internals.handshake_hash_buffer.
592 session->internals.handshake_hash_buffer.
595 return gnutls_assert_val(ret);
597 dconcat.data = concat;
598 dconcat.size = _gnutls_hash_get_algo_len(me);
600 ret = sign_tls_hash(session, me, cert, pkey, &dconcat, signature);
610 /* Generates a signature of all the previous sent packets in the
611 * handshake procedure.
612 * 20040227: now it works for SSL 3.0 as well
613 * 20091031: works for TLS 1.2 too!
615 * For TLS1.x, x<2 returns negative for failure and zero or unspecified for success.
616 * For TLS1.2 returns the signature algorithm used on success, or a negative error code;
619 _gnutls_handshake_sign_crt_vrfy(gnutls_session_t session,
620 gnutls_pcert_st * cert,
621 gnutls_privkey_t pkey,
622 gnutls_datum_t * signature)
624 gnutls_datum_t dconcat;
626 uint8_t concat[MAX_SIG_SIZE];
629 const version_entry_st *ver = get_version(session);
630 gnutls_pk_algorithm_t pk =
631 gnutls_privkey_get_pk_algorithm(pkey, NULL);
633 if (unlikely(ver == NULL))
634 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
636 if (_gnutls_version_has_selectable_sighash(ver))
637 return _gnutls_handshake_sign_crt_vrfy12(session, cert,
640 ret = _gnutls_hash_init(&td_sha, hash_to_entry(GNUTLS_DIG_SHA1));
646 _gnutls_hash(&td_sha,
647 session->internals.handshake_hash_buffer.data,
648 session->internals.handshake_hash_buffer.length);
650 if (ver->id == GNUTLS_SSL3) {
651 ret = _gnutls_generate_master(session, 1);
654 _gnutls_hash_deinit(&td_sha, NULL);
659 _gnutls_mac_deinit_ssl3_handshake(&td_sha, &concat[16],
660 session->security_parameters.
664 return gnutls_assert_val(ret);
666 _gnutls_hash_deinit(&td_sha, &concat[16]);
668 /* ensure 1024 bit DSA keys are used */
670 _gnutls_pubkey_compatible_with_sig(session, cert->pubkey, ver,
671 GNUTLS_SIGN_UNKNOWN);
673 return gnutls_assert_val(ret);
678 _gnutls_hash_init(&td_md5,
679 hash_to_entry(GNUTLS_DIG_MD5));
681 return gnutls_assert_val(ret);
683 _gnutls_hash(&td_md5,
684 session->internals.handshake_hash_buffer.data,
685 session->internals.handshake_hash_buffer.
688 if (ver->id == GNUTLS_SSL3) {
690 _gnutls_mac_deinit_ssl3_handshake(&td_md5,
692 session->security_parameters.
696 return gnutls_assert_val(ret);
698 _gnutls_hash_deinit(&td_md5, concat);
700 dconcat.data = concat;
706 dconcat.data = &concat[16];
711 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
714 sign_tls_hash(session, NULL, cert, pkey, &dconcat, signature);
723 pk_hash_data(gnutls_pk_algorithm_t pk, const mac_entry_st * hash,
724 gnutls_pk_params_st * params,
725 const gnutls_datum_t * data, gnutls_datum_t * digest)
729 digest->size = _gnutls_hash_get_algo_len(hash);
730 digest->data = gnutls_malloc(digest->size);
731 if (digest->data == NULL) {
733 return GNUTLS_E_MEMORY_ERROR;
737 _gnutls_hash_fast((gnutls_digest_algorithm_t)hash->id, data->data, data->size,
747 gnutls_free(digest->data);
753 * This function will do RSA PKCS #1 1.5 encoding
754 * on the given digest. The given digest must be allocated
755 * and will be freed if replacement is required.
758 pk_prepare_hash(gnutls_pk_algorithm_t pk,
759 const mac_entry_st * hash, gnutls_datum_t * digest)
762 gnutls_datum_t old_digest = { digest->data, digest->size };
766 if (unlikely(hash == NULL))
767 return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
768 /* Encode the digest as a DigestInfo
771 encode_ber_digest_info(hash, &old_digest,
777 _gnutls_free_datum(&old_digest);
784 return GNUTLS_E_UNIMPLEMENTED_FEATURE;