2 * Copyright (C) 2001-2012 Free Software Foundation, Inc.
4 * Author: Nikos Mavrogiannopoulos
6 * This file is part of GnuTLS.
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
23 #include <gnutls_int.h>
24 #include <gnutls_errors.h>
26 #include <auth/cert.h>
27 #include <algorithms.h>
28 #include <gnutls_datum.h>
29 #include <gnutls_mpi.h>
30 #include <gnutls_global.h>
31 #include <gnutls_pk.h>
33 #include <gnutls_buffers.h>
34 #include <gnutls_sig.h>
35 #include <gnutls_kx.h>
37 #include <ext/signature.h>
38 #include <gnutls_state.h>
39 #include <x509/common.h>
40 #include <abstract_int.h>
43 sign_tls_hash(gnutls_session_t session, const mac_entry_st * hash_algo,
44 gnutls_pcert_st * cert, gnutls_privkey_t pkey,
45 const gnutls_datum_t * hash_concat,
46 gnutls_datum_t * signature);
49 /* While this is currently equal to the length of RSA/SHA512
50 * signature, it should also be sufficient for DSS signature and any
51 * other RSA signatures including one with the old MD5/SHA1-combined
54 #define MAX_SIG_SIZE 19 + MAX_HASH_SIZE
56 /* Generates a signature of all the random data and the parameters.
57 * Used in DHE_* ciphersuites.
60 _gnutls_handshake_sign_data(gnutls_session_t session,
61 gnutls_pcert_st * cert, gnutls_privkey_t pkey,
62 gnutls_datum_t * params,
63 gnutls_datum_t * signature,
64 gnutls_sign_algorithm_t * sign_algo)
66 gnutls_datum_t dconcat;
69 uint8_t concat[MAX_SIG_SIZE];
70 const version_entry_st *ver = get_version(session);
71 const mac_entry_st *hash_algo;
73 *sign_algo = _gnutls_session_get_sign_algo(session, cert);
74 if (*sign_algo == GNUTLS_SIGN_UNKNOWN) {
76 return GNUTLS_E_UNKNOWN_PK_ALGORITHM;
79 gnutls_sign_algorithm_set_server(session, *sign_algo);
82 hash_to_entry(gnutls_sign_get_hash_algorithm(*sign_algo));
83 if (hash_algo == NULL)
84 return gnutls_assert_val(GNUTLS_E_UNKNOWN_HASH_ALGORITHM);
87 ("HSK[%p]: signing handshake data: using %s\n", session,
88 gnutls_sign_algorithm_get_name(*sign_algo));
90 ret = _gnutls_hash_init(&td_sha, hash_algo);
96 _gnutls_hash(&td_sha, session->security_parameters.client_random,
98 _gnutls_hash(&td_sha, session->security_parameters.server_random,
100 _gnutls_hash(&td_sha, params->data, params->size);
102 switch (gnutls_privkey_get_pk_algorithm(pkey, NULL)) {
104 if (!_gnutls_version_has_selectable_sighash(ver)) {
108 _gnutls_hash_init(&td_md5,
116 _gnutls_hash(&td_md5,
117 session->security_parameters.
118 client_random, GNUTLS_RANDOM_SIZE);
119 _gnutls_hash(&td_md5,
120 session->security_parameters.
121 server_random, GNUTLS_RANDOM_SIZE);
122 _gnutls_hash(&td_md5, params->data, params->size);
124 _gnutls_hash_deinit(&td_md5, concat);
125 _gnutls_hash_deinit(&td_sha, &concat[16]);
127 dconcat.data = concat;
129 } else { /* TLS 1.2 way */
131 _gnutls_hash_deinit(&td_sha, concat);
133 dconcat.data = concat;
135 _gnutls_hash_get_algo_len(hash_algo);
140 _gnutls_hash_deinit(&td_sha, concat);
142 if (!IS_SHA((gnutls_digest_algorithm_t)hash_algo->id)) {
144 return GNUTLS_E_INTERNAL_ERROR;
146 dconcat.data = concat;
147 dconcat.size = _gnutls_hash_get_algo_len(hash_algo);
152 _gnutls_hash_deinit(&td_sha, NULL);
153 return GNUTLS_E_INTERNAL_ERROR;
157 sign_tls_hash(session, hash_algo, cert, pkey, &dconcat,
167 /* This will create a PKCS1 or DSA signature, as defined in the TLS protocol.
168 * Cert is the certificate of the corresponding private key. It is only checked if
169 * it supports signing.
172 sign_tls_hash(gnutls_session_t session, const mac_entry_st * hash_algo,
173 gnutls_pcert_st * cert, gnutls_privkey_t pkey,
174 const gnutls_datum_t * hash_concat,
175 gnutls_datum_t * signature)
177 const version_entry_st *ver = get_version(session);
178 unsigned int key_usage = 0;
180 /* If our certificate supports signing
183 gnutls_pubkey_get_key_usage(cert->pubkey, &key_usage);
186 if (!(key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE)) {
188 _gnutls_audit_log(session,
189 "Peer's certificate does not allow digital signatures. Key usage violation detected (ignored).\n");
192 /* External signing. Deprecated. To be removed. */
196 if (!session->internals.sign_func)
199 (GNUTLS_E_INSUFFICIENT_CREDENTIALS);
201 if (!_gnutls_version_has_selectable_sighash(ver))
202 return (*session->internals.sign_func)
204 session->internals.sign_func_userdata,
205 cert->type, &cert->cert, hash_concat,
208 gnutls_datum_t digest;
211 _gnutls_set_datum(&digest,
215 return gnutls_assert_val(ret);
219 (gnutls_pubkey_get_pk_algorithm
220 (cert->pubkey, NULL), hash_algo,
227 ret = (*session->internals.sign_func)
229 session->internals.sign_func_userdata,
230 cert->type, &cert->cert, &digest,
233 gnutls_free(digest.data);
240 if (!_gnutls_version_has_selectable_sighash(ver))
241 return gnutls_privkey_sign_raw_data(pkey, 0, hash_concat,
244 return gnutls_privkey_sign_hash(pkey,
245 (gnutls_digest_algorithm_t)hash_algo->id,
246 0, hash_concat, signature);
250 verify_tls_hash(gnutls_session_t session,
251 const version_entry_st * ver, gnutls_pcert_st * cert,
252 const gnutls_datum_t * hash_concat,
253 gnutls_datum_t * signature, size_t sha1pos,
254 gnutls_sign_algorithm_t sign_algo,
255 gnutls_pk_algorithm_t pk_algo)
258 gnutls_datum_t vdata;
259 unsigned int key_usage = 0, flags;
263 return GNUTLS_E_CERTIFICATE_ERROR;
266 gnutls_pubkey_get_key_usage(cert->pubkey, &key_usage);
268 /* If the certificate supports signing continue.
271 if (!(key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE)) {
273 _gnutls_audit_log(session,
274 "Peer's certificate does not allow digital signatures. Key usage violation detected (ignored).\n");
277 if (pk_algo == GNUTLS_PK_UNKNOWN)
279 gnutls_pubkey_get_pk_algorithm(cert->pubkey, NULL);
283 vdata.data = hash_concat->data;
284 vdata.size = hash_concat->size;
286 /* verify signature */
287 if (!_gnutls_version_has_selectable_sighash(ver))
288 flags = GNUTLS_PUBKEY_VERIFY_FLAG_TLS_RSA;
294 vdata.data = &hash_concat->data[sha1pos];
295 vdata.size = hash_concat->size - sha1pos;
302 return GNUTLS_E_INTERNAL_ERROR;
305 gnutls_sign_algorithm_set_server(session, sign_algo);
307 ret = gnutls_pubkey_verify_hash2(cert->pubkey, sign_algo, flags,
311 return gnutls_assert_val(ret);
318 /* Generates a signature of all the random data and the parameters.
319 * Used in DHE_* ciphersuites.
322 _gnutls_handshake_verify_data(gnutls_session_t session,
323 gnutls_pcert_st * cert,
324 const gnutls_datum_t * params,
325 gnutls_datum_t * signature,
326 gnutls_sign_algorithm_t sign_algo)
328 gnutls_datum_t dconcat;
332 uint8_t concat[MAX_SIG_SIZE];
333 const version_entry_st *ver = get_version(session);
334 gnutls_digest_algorithm_t hash_algo;
335 const mac_entry_st *me;
337 if (_gnutls_version_has_selectable_sighash(ver)) {
338 _gnutls_handshake_log
339 ("HSK[%p]: verify handshake data: using %s\n", session,
340 gnutls_sign_algorithm_get_name(sign_algo));
343 _gnutls_pubkey_compatible_with_sig(session,
347 return gnutls_assert_val(ret);
350 _gnutls_session_sign_algo_enabled(session, sign_algo);
352 return gnutls_assert_val(ret);
354 hash_algo = gnutls_sign_get_hash_algorithm(sign_algo);
355 me = hash_to_entry(hash_algo);
357 me = hash_to_entry(GNUTLS_DIG_MD5);
358 ret = _gnutls_hash_init(&td_md5, me);
364 _gnutls_hash(&td_md5,
365 session->security_parameters.client_random,
367 _gnutls_hash(&td_md5,
368 session->security_parameters.server_random,
370 _gnutls_hash(&td_md5, params->data, params->size);
372 me = hash_to_entry(GNUTLS_DIG_SHA1);
375 ret = _gnutls_hash_init(&td_sha, me);
378 if (!_gnutls_version_has_selectable_sighash(ver))
379 _gnutls_hash_deinit(&td_md5, NULL);
383 _gnutls_hash(&td_sha, session->security_parameters.client_random,
385 _gnutls_hash(&td_sha, session->security_parameters.server_random,
387 _gnutls_hash(&td_sha, params->data, params->size);
389 if (!_gnutls_version_has_selectable_sighash(ver)) {
390 _gnutls_hash_deinit(&td_md5, concat);
391 _gnutls_hash_deinit(&td_sha, &concat[16]);
392 dconcat.data = concat;
395 _gnutls_hash_deinit(&td_sha, concat);
397 dconcat.data = concat;
398 dconcat.size = _gnutls_hash_get_algo_len(me);
401 ret = verify_tls_hash(session, ver, cert, &dconcat, signature,
402 dconcat.size - _gnutls_hash_get_algo_len(me),
404 gnutls_sign_get_pk_algorithm(sign_algo));
414 /* Client certificate verify calculations
417 /* this is _gnutls_handshake_verify_crt_vrfy for TLS 1.2
420 _gnutls_handshake_verify_crt_vrfy12(gnutls_session_t session,
421 gnutls_pcert_st * cert,
422 gnutls_datum_t * signature,
423 gnutls_sign_algorithm_t sign_algo)
426 uint8_t concat[MAX_HASH_SIZE];
427 gnutls_datum_t dconcat;
428 const version_entry_st *ver = get_version(session);
429 gnutls_pk_algorithm_t pk =
430 gnutls_pubkey_get_pk_algorithm(cert->pubkey, NULL);
431 const mac_entry_st *me;
433 ret = _gnutls_session_sign_algo_enabled(session, sign_algo);
435 return gnutls_assert_val(ret);
437 gnutls_sign_algorithm_set_client(session, sign_algo);
439 me = hash_to_entry(gnutls_sign_get_hash_algorithm(sign_algo));
442 _gnutls_hash_fast((gnutls_digest_algorithm_t)me->id,
443 session->internals.handshake_hash_buffer.
446 handshake_hash_buffer_prev_len, concat);
448 return gnutls_assert_val(ret);
450 dconcat.data = concat;
451 dconcat.size = _gnutls_hash_get_algo_len(me);
454 verify_tls_hash(session, ver, cert, &dconcat, signature, 0,
465 /* Verifies a TLS signature (like the one in the client certificate
469 _gnutls_handshake_verify_crt_vrfy(gnutls_session_t session,
470 gnutls_pcert_st * cert,
471 gnutls_datum_t * signature,
472 gnutls_sign_algorithm_t sign_algo)
475 uint8_t concat[MAX_SIG_SIZE];
478 gnutls_datum_t dconcat;
479 const version_entry_st *ver = get_version(session);
481 _gnutls_handshake_log("HSK[%p]: verify cert vrfy: using %s\n",
483 gnutls_sign_algorithm_get_name(sign_algo));
485 if (unlikely(ver == NULL))
486 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
488 if (_gnutls_version_has_selectable_sighash(ver))
489 return _gnutls_handshake_verify_crt_vrfy12(session, cert,
493 ret = _gnutls_hash_init(&td_md5, hash_to_entry(GNUTLS_DIG_MD5));
499 ret = _gnutls_hash_init(&td_sha, hash_to_entry(GNUTLS_DIG_SHA1));
502 _gnutls_hash_deinit(&td_md5, NULL);
503 return GNUTLS_E_HASH_FAILED;
506 _gnutls_hash(&td_sha,
507 session->internals.handshake_hash_buffer.data,
508 session->internals.handshake_hash_buffer_prev_len);
509 _gnutls_hash(&td_md5,
510 session->internals.handshake_hash_buffer.data,
511 session->internals.handshake_hash_buffer_prev_len);
513 if (ver->id == GNUTLS_SSL3) {
514 ret = _gnutls_generate_master(session, 1);
516 _gnutls_hash_deinit(&td_md5, NULL);
517 _gnutls_hash_deinit(&td_sha, NULL);
518 return gnutls_assert_val(ret);
521 ret = _gnutls_mac_deinit_ssl3_handshake(&td_md5, concat,
522 session->security_parameters.
526 _gnutls_hash_deinit(&td_sha, NULL);
527 return gnutls_assert_val(ret);
531 _gnutls_mac_deinit_ssl3_handshake(&td_sha, &concat[16],
532 session->security_parameters.
536 return gnutls_assert_val(ret);
539 _gnutls_hash_deinit(&td_md5, concat);
540 _gnutls_hash_deinit(&td_sha, &concat[16]);
543 dconcat.data = concat;
544 dconcat.size = 20 + 16; /* md5+ sha */
547 verify_tls_hash(session, ver, cert, &dconcat, signature, 16,
549 gnutls_pubkey_get_pk_algorithm(cert->pubkey,
559 /* the same as _gnutls_handshake_sign_crt_vrfy except that it is made for TLS 1.2
562 _gnutls_handshake_sign_crt_vrfy12(gnutls_session_t session,
563 gnutls_pcert_st * cert,
564 gnutls_privkey_t pkey,
565 gnutls_datum_t * signature)
567 gnutls_datum_t dconcat;
569 uint8_t concat[MAX_SIG_SIZE];
570 gnutls_sign_algorithm_t sign_algo;
571 const mac_entry_st *me;
573 sign_algo = _gnutls_session_get_sign_algo(session, cert);
574 if (sign_algo == GNUTLS_SIGN_UNKNOWN) {
576 return GNUTLS_E_UNKNOWN_PK_ALGORITHM;
579 gnutls_sign_algorithm_set_client(session, sign_algo);
581 me = hash_to_entry(gnutls_sign_get_hash_algorithm(sign_algo));
583 _gnutls_debug_log("sign handshake cert vrfy: picked %s with %s\n",
584 gnutls_sign_algorithm_get_name(sign_algo),
585 _gnutls_mac_get_name(me));
588 _gnutls_hash_fast((gnutls_digest_algorithm_t)me->id,
589 session->internals.handshake_hash_buffer.
591 session->internals.handshake_hash_buffer.
594 return gnutls_assert_val(ret);
596 dconcat.data = concat;
597 dconcat.size = _gnutls_hash_get_algo_len(me);
599 ret = sign_tls_hash(session, me, cert, pkey, &dconcat, signature);
609 /* Generates a signature of all the previous sent packets in the
610 * handshake procedure.
611 * 20040227: now it works for SSL 3.0 as well
612 * 20091031: works for TLS 1.2 too!
614 * For TLS1.x, x<2 returns negative for failure and zero or unspecified for success.
615 * For TLS1.2 returns the signature algorithm used on success, or a negative error code;
618 _gnutls_handshake_sign_crt_vrfy(gnutls_session_t session,
619 gnutls_pcert_st * cert,
620 gnutls_privkey_t pkey,
621 gnutls_datum_t * signature)
623 gnutls_datum_t dconcat;
625 uint8_t concat[MAX_SIG_SIZE];
628 const version_entry_st *ver = get_version(session);
629 gnutls_pk_algorithm_t pk =
630 gnutls_privkey_get_pk_algorithm(pkey, NULL);
632 if (unlikely(ver == NULL))
633 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
635 if (_gnutls_version_has_selectable_sighash(ver))
636 return _gnutls_handshake_sign_crt_vrfy12(session, cert,
639 ret = _gnutls_hash_init(&td_sha, hash_to_entry(GNUTLS_DIG_SHA1));
645 _gnutls_hash(&td_sha,
646 session->internals.handshake_hash_buffer.data,
647 session->internals.handshake_hash_buffer.length);
649 if (ver->id == GNUTLS_SSL3) {
650 ret = _gnutls_generate_master(session, 1);
653 _gnutls_hash_deinit(&td_sha, NULL);
658 _gnutls_mac_deinit_ssl3_handshake(&td_sha, &concat[16],
659 session->security_parameters.
663 return gnutls_assert_val(ret);
665 _gnutls_hash_deinit(&td_sha, &concat[16]);
667 /* ensure 1024 bit DSA keys are used */
669 _gnutls_pubkey_compatible_with_sig(session, cert->pubkey, ver,
670 GNUTLS_SIGN_UNKNOWN);
672 return gnutls_assert_val(ret);
677 _gnutls_hash_init(&td_md5,
678 hash_to_entry(GNUTLS_DIG_MD5));
680 return gnutls_assert_val(ret);
682 _gnutls_hash(&td_md5,
683 session->internals.handshake_hash_buffer.data,
684 session->internals.handshake_hash_buffer.
687 if (ver->id == GNUTLS_SSL3) {
689 _gnutls_mac_deinit_ssl3_handshake(&td_md5,
691 session->security_parameters.
695 return gnutls_assert_val(ret);
697 _gnutls_hash_deinit(&td_md5, concat);
699 dconcat.data = concat;
705 dconcat.data = &concat[16];
710 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
713 sign_tls_hash(session, NULL, cert, pkey, &dconcat, signature);
722 pk_hash_data(gnutls_pk_algorithm_t pk, const mac_entry_st * hash,
723 gnutls_pk_params_st * params,
724 const gnutls_datum_t * data, gnutls_datum_t * digest)
728 digest->size = _gnutls_hash_get_algo_len(hash);
729 digest->data = gnutls_malloc(digest->size);
730 if (digest->data == NULL) {
732 return GNUTLS_E_MEMORY_ERROR;
736 _gnutls_hash_fast((gnutls_digest_algorithm_t)hash->id, data->data, data->size,
746 gnutls_free(digest->data);
752 * This function will do RSA PKCS #1 1.5 encoding
753 * on the given digest. The given digest must be allocated
754 * and will be freed if replacement is required.
757 pk_prepare_hash(gnutls_pk_algorithm_t pk,
758 const mac_entry_st * hash, gnutls_datum_t * digest)
761 gnutls_datum_t old_digest = { digest->data, digest->size };
765 if (unlikely(hash == NULL))
766 return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
767 /* Encode the digest as a DigestInfo
770 encode_ber_digest_info(hash, &old_digest,
776 _gnutls_free_datum(&old_digest);
783 return GNUTLS_E_UNIMPLEMENTED_FEATURE;