search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
even more cleanups
[gnutls.git] / lib / gnutls_sig.c
bloba5e85bd5298d172da854d58346ab4cd882cbf497
1 /*
2 * Copyright (C) 2001-2012 Free Software Foundation, Inc.
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GnuTLS.
7 *
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
20 *
21 */
22
23 #include <gnutls_int.h>
24 #include <gnutls_errors.h>
25 #include <x509_b64.h>
26 #include <auth/cert.h>
27 #include <algorithms.h>
28 #include <gnutls_datum.h>
29 #include <gnutls_mpi.h>
30 #include <gnutls_global.h>
31 #include <gnutls_pk.h>
32 #include <debug.h>
33 #include <gnutls_buffers.h>
34 #include <gnutls_sig.h>
35 #include <gnutls_kx.h>
36 #include <libtasn1.h>
37 #include <ext/signature.h>
38 #include <gnutls_state.h>
39 #include <x509/common.h>
40 #include <abstract_int.h>
41
42 static int
43 sign_tls_hash (gnutls_session_t session, gnutls_digest_algorithm_t hash_algo,
44 gnutls_pcert_st* cert, gnutls_privkey_t pkey,
45 const gnutls_datum_t * hash_concat,
46 gnutls_datum_t * signature);
47
48 static int
49 encode_ber_digest_info (gnutls_digest_algorithm_t hash,
50 const gnutls_datum_t * digest,
51 gnutls_datum_t * output);
52
53 /* While this is currently equal to the length of RSA/SHA512
54 * signature, it should also be sufficient for DSS signature and any
55 * other RSA signatures including one with the old MD5/SHA1-combined
56 * format.
57 */
58 #define MAX_SIG_SIZE 19 + MAX_HASH_SIZE
59
60 /* Generates a signature of all the random data and the parameters.
61 * Used in DHE_* ciphersuites.
62 */
63 int
64 _gnutls_handshake_sign_data (gnutls_session_t session, gnutls_pcert_st* cert,
65 gnutls_privkey_t pkey, gnutls_datum_t * params,
66 gnutls_datum_t * signature,
67 gnutls_sign_algorithm_t * sign_algo)
68 {
69 gnutls_datum_t dconcat;
70 int ret;
71 digest_hd_st td_sha;
72 uint8_t concat[MAX_SIG_SIZE];
73 gnutls_protocol_t ver = gnutls_protocol_get_version (session);
74 gnutls_digest_algorithm_t hash_algo;
75
76 *sign_algo =
77 _gnutls_session_get_sign_algo (session, cert);
78 if (*sign_algo == GNUTLS_SIGN_UNKNOWN)
79 {
80 gnutls_assert ();
81 return GNUTLS_E_UNKNOWN_PK_ALGORITHM;
82 }
83
84 hash_algo = _gnutls_sign_get_hash_algorithm (*sign_algo);
85
86 _gnutls_handshake_log ("HSK[%p]: signing handshake data: using %s\n",
87 session, gnutls_sign_algorithm_get_name (*sign_algo));
88
89 ret = _gnutls_hash_init (&td_sha, hash_algo);
90 if (ret < 0)
91 {
92 gnutls_assert ();
93 return ret;
94 }
95
96 _gnutls_hash (&td_sha, session->security_parameters.client_random,
97 GNUTLS_RANDOM_SIZE);
98 _gnutls_hash (&td_sha, session->security_parameters.server_random,
99 GNUTLS_RANDOM_SIZE);
100 _gnutls_hash (&td_sha, params->data, params->size);
101
102 switch (gnutls_pubkey_get_pk_algorithm(cert->pubkey, NULL))
103 {
104 case GNUTLS_PK_RSA:
105 if (!_gnutls_version_has_selectable_sighash (ver))
106 {
107 digest_hd_st td_md5;
108
109 ret = _gnutls_hash_init (&td_md5, GNUTLS_MAC_MD5);
110 if (ret < 0)
111 {
112 gnutls_assert ();
113 return ret;
114 }
115
116 _gnutls_hash (&td_md5, session->security_parameters.client_random,
117 GNUTLS_RANDOM_SIZE);
118 _gnutls_hash (&td_md5, session->security_parameters.server_random,
119 GNUTLS_RANDOM_SIZE);
120 _gnutls_hash (&td_md5, params->data, params->size);
121
122 _gnutls_hash_deinit (&td_md5, concat);
123 _gnutls_hash_deinit (&td_sha, &concat[16]);
124
125 dconcat.data = concat;
126 dconcat.size = 36;
127 }
128 else
129 { /* TLS 1.2 way */
130
131 _gnutls_hash_deinit (&td_sha, concat);
132
133 dconcat.data = concat;
134 dconcat.size = _gnutls_hash_get_algo_len (hash_algo);
135 }
136 break;
137 case GNUTLS_PK_DSA:
138 case GNUTLS_PK_EC:
139 _gnutls_hash_deinit (&td_sha, concat);
140
141 if (!IS_SHA(hash_algo))
142 {
143 gnutls_assert ();
144 return GNUTLS_E_INTERNAL_ERROR;
145 }
146 dconcat.data = concat;
147 dconcat.size = _gnutls_hash_get_algo_len (hash_algo);
148 break;
149
150 default:
151 gnutls_assert ();
152 _gnutls_hash_deinit (&td_sha, NULL);
153 return GNUTLS_E_INTERNAL_ERROR;
154 }
155
156 ret = sign_tls_hash (session, hash_algo, cert, pkey, &dconcat, signature);
157 if (ret < 0)
158 {
159 gnutls_assert ();
160 }
161
162 return ret;
163
164 }
165
166
167 /* This will create a PKCS1 or DSA signature, using the given parameters, and the
168 * given data. The output will be allocated and be put in signature.
169 */
170 int
171 _gnutls_soft_sign (gnutls_pk_algorithm_t algo, gnutls_pk_params_st * params,
172 const gnutls_datum_t * data,
173 gnutls_datum_t * signature)
174 {
175 int ret;
176
177 switch (algo)
178 {
179 case GNUTLS_PK_RSA:
180 /* encrypt */
181 if ((ret = _gnutls_pkcs1_rsa_encrypt (signature, data, params, 1)) < 0)
182 {
183 gnutls_assert ();
184 return ret;
185 }
186
187 break;
188 default:
189 ret = _gnutls_pk_sign( algo, signature, data, params);
190 if (ret < 0)
191 {
192 gnutls_assert ();
193 return ret;
194 }
195 break;
196 }
197
198 return 0;
199 }
200
201 /* This will create a PKCS1 or DSA signature, as defined in the TLS protocol.
202 * Cert is the certificate of the corresponding private key. It is only checked if
203 * it supports signing.
204 */
205 static int
206 sign_tls_hash (gnutls_session_t session, gnutls_digest_algorithm_t hash_algo,
207 gnutls_pcert_st* cert, gnutls_privkey_t pkey,
208 const gnutls_datum_t * hash_concat,
209 gnutls_datum_t * signature)
210 {
211 gnutls_protocol_t ver = gnutls_protocol_get_version (session);
212 unsigned int key_usage = 0;
213 /* If our certificate supports signing
214 */
215
216 if (cert != NULL)
217 {
218 gnutls_pubkey_get_key_usage(cert->pubkey, &key_usage);
219
220 if (key_usage != 0)
221 if (!(key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE))
222 {
223 gnutls_assert ();
224 return GNUTLS_E_KEY_USAGE_VIOLATION;
225 }
226
227 /* External signing. Deprecated. To be removed. */
228 if (!pkey)
229 {
230 int ret;
231
232 if (!session->internals.sign_func)
233 return gnutls_assert_val(GNUTLS_E_INSUFFICIENT_CREDENTIALS);
234
235 if (!_gnutls_version_has_selectable_sighash (ver))
236 return (*session->internals.sign_func)
237 (session, session->internals.sign_func_userdata,
238 cert->type, &cert->cert, hash_concat, signature);
239 else
240 {
241 gnutls_datum_t digest;
242
243 ret = _gnutls_set_datum(&digest, hash_concat->data, hash_concat->size);
244 if (ret < 0)
245 return gnutls_assert_val(ret);
246
247 ret = pk_prepare_hash (gnutls_privkey_get_pk_algorithm(pkey, NULL), hash_algo, &digest);
248 if (ret < 0)
249 {
250 gnutls_assert ();
251 goto es_cleanup;
252 }
253
254 ret = (*session->internals.sign_func)
255 (session, session->internals.sign_func_userdata,
256 cert->type, &cert->cert, &digest, signature);
257 es_cleanup:
258 gnutls_free(digest.data);
259
260 return ret;
261 }
262 }
263 }
264
265 if (!_gnutls_version_has_selectable_sighash (ver))
266 return _gnutls_privkey_sign_hash (pkey, hash_concat, signature);
267 else
268 return gnutls_privkey_sign_hash (pkey, hash_algo, 0, hash_concat, signature);
269 }
270
271 static int
272 verify_tls_hash (gnutls_protocol_t ver, gnutls_pcert_st* cert,
273 const gnutls_datum_t * hash_concat,
274 gnutls_datum_t * signature, size_t sha1pos,
275 gnutls_pk_algorithm_t pk_algo)
276 {
277 int ret;
278 gnutls_datum_t vdata;
279 unsigned int key_usage = 0, flags;
280
281 if (cert == NULL)
282 {
283 gnutls_assert ();
284 return GNUTLS_E_CERTIFICATE_ERROR;
285 }
286
287 gnutls_pubkey_get_key_usage(cert->pubkey, &key_usage);
288
289 /* If the certificate supports signing continue.
290 */
291 if (key_usage != 0)
292 if (!(key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE))
293 {
294 gnutls_assert ();
295 return GNUTLS_E_KEY_USAGE_VIOLATION;
296 }
297
298 if (pk_algo == GNUTLS_PK_UNKNOWN)
299 pk_algo = gnutls_pubkey_get_pk_algorithm(cert->pubkey, NULL);
300 switch (pk_algo)
301 {
302 case GNUTLS_PK_RSA:
303
304 vdata.data = hash_concat->data;
305 vdata.size = hash_concat->size;
306
307 /* verify signature */
308 if (!_gnutls_version_has_selectable_sighash (ver))
309 flags = GNUTLS_PUBKEY_VERIFY_FLAG_TLS_RSA;
310 else
311 flags = 0;
312
313
314 break;
315 case GNUTLS_PK_DSA:
316 case GNUTLS_PK_EC:
317
318 vdata.data = &hash_concat->data[sha1pos];
319 vdata.size = hash_concat->size - sha1pos;
320
321 flags = 0;
322
323 break;
324 default:
325 gnutls_assert ();
326 return GNUTLS_E_INTERNAL_ERROR;
327 }
328
329 ret = gnutls_pubkey_verify_hash(cert->pubkey, flags, &vdata,
330 signature);
331
332 if (ret < 0)
333 return gnutls_assert_val(ret);
334
335
336 return 0;
337 }
338
339
340 /* Generates a signature of all the random data and the parameters.
341 * Used in DHE_* ciphersuites.
342 */
343 int
344 _gnutls_handshake_verify_data (gnutls_session_t session, gnutls_pcert_st* cert,
345 const gnutls_datum_t * params,
346 gnutls_datum_t * signature,
347 gnutls_sign_algorithm_t algo)
348 {
349 gnutls_datum_t dconcat;
350 int ret;
351 digest_hd_st td_md5;
352 digest_hd_st td_sha;
353 uint8_t concat[MAX_SIG_SIZE];
354 gnutls_protocol_t ver = gnutls_protocol_get_version (session);
355 gnutls_digest_algorithm_t hash_algo;
356
357 if (_gnutls_version_has_selectable_sighash (ver))
358 {
359 _gnutls_handshake_log ("HSK[%p]: verify handshake data: using %s\n",
360 session, gnutls_sign_algorithm_get_name (algo));
361
362 ret = _gnutls_pubkey_compatible_with_sig(cert->pubkey, ver, algo);
363 if (ret < 0)
364 return gnutls_assert_val(ret);
365
366 ret = _gnutls_session_sign_algo_enabled (session, algo);
367 if (ret < 0)
368 return gnutls_assert_val(ret);
369
370 hash_algo = _gnutls_sign_get_hash_algorithm (algo);
371 }
372 else
373 {
374 ret = _gnutls_hash_init (&td_md5, GNUTLS_MAC_MD5);
375 if (ret < 0)
376 {
377 gnutls_assert ();
378 return ret;
379 }
380
381 _gnutls_hash (&td_md5, session->security_parameters.client_random,
382 GNUTLS_RANDOM_SIZE);
383 _gnutls_hash (&td_md5, session->security_parameters.server_random,
384 GNUTLS_RANDOM_SIZE);
385 _gnutls_hash (&td_md5, params->data, params->size);
386
387 hash_algo = GNUTLS_DIG_SHA1;
388 }
389
390 ret = _gnutls_hash_init (&td_sha, hash_algo);
391 if (ret < 0)
392 {
393 gnutls_assert ();
394 if (!_gnutls_version_has_selectable_sighash (ver))
395 _gnutls_hash_deinit (&td_md5, NULL);
396 return ret;
397 }
398
399 _gnutls_hash (&td_sha, session->security_parameters.client_random,
400 GNUTLS_RANDOM_SIZE);
401 _gnutls_hash (&td_sha, session->security_parameters.server_random,
402 GNUTLS_RANDOM_SIZE);
403 _gnutls_hash (&td_sha, params->data, params->size);
404
405 if (!_gnutls_version_has_selectable_sighash (ver))
406 {
407 _gnutls_hash_deinit (&td_md5, concat);
408 _gnutls_hash_deinit (&td_sha, &concat[16]);
409 dconcat.data = concat;
410 dconcat.size = 36;
411 }
412 else
413 {
414 _gnutls_hash_deinit (&td_sha, concat);
415
416 dconcat.data = concat;
417 dconcat.size = _gnutls_hash_get_algo_len (hash_algo);
418 }
419
420 ret = verify_tls_hash (ver, cert, &dconcat, signature,
421 dconcat.size -
422 _gnutls_hash_get_algo_len (hash_algo),
423 _gnutls_sign_get_pk_algorithm (algo));
424 if (ret < 0)
425 {
426 gnutls_assert ();
427 return ret;
428 }
429
430 return ret;
431
432 }
433
434 /* Client certificate verify calculations
435 */
436
437 /* this is _gnutls_handshake_verify_crt_vrfy for TLS 1.2
438 */
439 static int
440 _gnutls_handshake_verify_crt_vrfy12 (gnutls_session_t session,
441 gnutls_pcert_st* cert,
442 gnutls_datum_t * signature,
443 gnutls_sign_algorithm_t sign_algo)
444 {
445 int ret;
446 uint8_t concat[MAX_HASH_SIZE];
447 gnutls_datum_t dconcat;
448 gnutls_digest_algorithm_t hash_algo;
449 gnutls_protocol_t ver = gnutls_protocol_get_version (session);
450 gnutls_pk_algorithm_t pk = gnutls_pubkey_get_pk_algorithm(cert->pubkey, NULL);
451
452 ret = _gnutls_session_sign_algo_enabled(session, sign_algo);
453 if (ret < 0)
454 return gnutls_assert_val(ret);
455
456 hash_algo = _gnutls_sign_get_hash_algorithm(sign_algo);
457
458 ret = _gnutls_hash_fast(hash_algo, session->internals.handshake_hash_buffer.data,
459 session->internals.handshake_hash_buffer_prev_len,
460 concat);
461 if (ret < 0)
462 return gnutls_assert_val(ret);
463
464 dconcat.data = concat;
465 dconcat.size = _gnutls_hash_get_algo_len (hash_algo);
466
467 ret =
468 verify_tls_hash (ver, cert, &dconcat, signature, 0, pk);
469 if (ret < 0)
470 {
471 gnutls_assert ();
472 return ret;
473 }
474
475 return ret;
476
477 }
478
479 /* Verifies a TLS signature (like the one in the client certificate
480 * verify message).
481 */
482 int
483 _gnutls_handshake_verify_crt_vrfy (gnutls_session_t session,
484 gnutls_pcert_st *cert,
485 gnutls_datum_t * signature,
486 gnutls_sign_algorithm_t sign_algo)
487 {
488 int ret;
489 uint8_t concat[MAX_SIG_SIZE];
490 digest_hd_st td_md5;
491 digest_hd_st td_sha;
492 gnutls_datum_t dconcat;
493 gnutls_protocol_t ver = gnutls_protocol_get_version (session);
494
495 _gnutls_handshake_log ("HSK[%p]: verify cert vrfy: using %s\n",
496 session, gnutls_sign_algorithm_get_name (sign_algo));
497
498
499 if (_gnutls_version_has_selectable_sighash(ver))
500 return _gnutls_handshake_verify_crt_vrfy12 (session, cert, signature,
501 sign_algo);
502
503 ret =
504 _gnutls_hash_init (&td_md5, GNUTLS_DIG_MD5);
505 if (ret < 0)
506 {
507 gnutls_assert ();
508 return ret;
509 }
510
511 ret =
512 _gnutls_hash_init (&td_sha, GNUTLS_DIG_SHA1);
513 if (ret < 0)
514 {
515 gnutls_assert ();
516 _gnutls_hash_deinit (&td_md5, NULL);
517 return GNUTLS_E_HASH_FAILED;
518 }
519
520 _gnutls_hash(&td_sha, session->internals.handshake_hash_buffer.data, session->internals.handshake_hash_buffer_prev_len);
521 _gnutls_hash(&td_md5, session->internals.handshake_hash_buffer.data, session->internals.handshake_hash_buffer_prev_len);
522
523 if (ver == GNUTLS_SSL3)
524 {
525 ret = _gnutls_generate_master (session, 1);
526 if (ret < 0)
527 {
528 _gnutls_hash_deinit (&td_md5, NULL);
529 _gnutls_hash_deinit (&td_sha, NULL);
530 return gnutls_assert_val(ret);
531 }
532
533 ret = _gnutls_mac_deinit_ssl3_handshake (&td_md5, concat,
534 session->
535 security_parameters.master_secret,
536 GNUTLS_MASTER_SIZE);
537 if (ret < 0)
538 {
539 _gnutls_hash_deinit (&td_sha, NULL);
540 return gnutls_assert_val(ret);
541 }
542
543 ret = _gnutls_mac_deinit_ssl3_handshake (&td_sha, &concat[16],
544 session->
545 security_parameters.master_secret,
546 GNUTLS_MASTER_SIZE);
547 if (ret < 0)
548 {
549 return gnutls_assert_val(ret);
550 }
551 }
552 else
553 {
554 _gnutls_hash_deinit (&td_md5, concat);
555 _gnutls_hash_deinit (&td_sha, &concat[16]);
556 }
557
558 dconcat.data = concat;
559 dconcat.size = 20 + 16; /* md5+ sha */
560
561 ret =
562 verify_tls_hash (ver, cert, &dconcat, signature, 16,
563 gnutls_pubkey_get_pk_algorithm(cert->pubkey, NULL));
564 if (ret < 0)
565 {
566 gnutls_assert ();
567 return ret;
568 }
569
570 return ret;
571
572 }
573
574 /* the same as _gnutls_handshake_sign_crt_vrfy except that it is made for TLS 1.2
575 */
576 static int
577 _gnutls_handshake_sign_crt_vrfy12 (gnutls_session_t session,
578 gnutls_pcert_st* cert, gnutls_privkey_t pkey,
579 gnutls_datum_t * signature)
580 {
581 gnutls_datum_t dconcat;
582 int ret;
583 uint8_t concat[MAX_SIG_SIZE];
584 gnutls_sign_algorithm_t sign_algo;
585 gnutls_digest_algorithm_t hash_algo;
586
587 sign_algo =
588 _gnutls_session_get_sign_algo (session, cert);
589 if (sign_algo == GNUTLS_SIGN_UNKNOWN)
590 {
591 gnutls_assert ();
592 return GNUTLS_E_UNKNOWN_PK_ALGORITHM;
593 }
594
595 hash_algo = _gnutls_sign_get_hash_algorithm (sign_algo);
596
597 _gnutls_debug_log ("sign handshake cert vrfy: picked %s with %s\n",
598 gnutls_sign_algorithm_get_name (sign_algo),
599 gnutls_mac_get_name (hash_algo));
600
601 ret = _gnutls_hash_fast (hash_algo, session->internals.handshake_hash_buffer.data,
602 session->internals.handshake_hash_buffer.length,
603 concat);
604 if (ret < 0)
605 return gnutls_assert_val(ret);
606
607 dconcat.data = concat;
608 dconcat.size = _gnutls_hash_get_algo_len (hash_algo);
609
610 ret = sign_tls_hash (session, hash_algo, cert, pkey, &dconcat, signature);
611 if (ret < 0)
612 {
613 gnutls_assert ();
614 return ret;
615 }
616
617 return sign_algo;
618 }
619
620
621 /* Generates a signature of all the previous sent packets in the
622 * handshake procedure.
623 * 20040227: now it works for SSL 3.0 as well
624 * 20091031: works for TLS 1.2 too!
625 *
626 * For TLS1.x, x<2 returns negative for failure and zero or unspecified for success.
627 * For TLS1.2 returns the signature algorithm used on success, or a negative error code;
628 */
629 int
630 _gnutls_handshake_sign_crt_vrfy (gnutls_session_t session,
631 gnutls_pcert_st* cert, gnutls_privkey_t pkey,
632 gnutls_datum_t * signature)
633 {
634 gnutls_datum_t dconcat;
635 int ret;
636 uint8_t concat[MAX_SIG_SIZE];
637 digest_hd_st td_md5;
638 digest_hd_st td_sha;
639 gnutls_protocol_t ver = gnutls_protocol_get_version (session);
640 gnutls_pk_algorithm_t pk = gnutls_pubkey_get_pk_algorithm(cert->pubkey, NULL);
641
642 if (_gnutls_version_has_selectable_sighash(ver))
643 return _gnutls_handshake_sign_crt_vrfy12 (session, cert, pkey,
644 signature);
645
646 ret =
647 _gnutls_hash_init (&td_sha, GNUTLS_DIG_SHA1);
648 if (ret < 0)
649 {
650 gnutls_assert ();
651 return ret;
652 }
653
654 _gnutls_hash(&td_sha, session->internals.handshake_hash_buffer.data, session->internals.handshake_hash_buffer.length);
655
656 if (ver == GNUTLS_SSL3)
657 {
658 ret = _gnutls_generate_master (session, 1);
659 if (ret < 0)
660 {
661 gnutls_assert ();
662 _gnutls_hash_deinit (&td_sha, NULL);
663 return ret;
664 }
665
666 ret = _gnutls_mac_deinit_ssl3_handshake (&td_sha, &concat[16],
667 session->
668 security_parameters.master_secret,
669 GNUTLS_MASTER_SIZE);
670 if (ret < 0)
671 return gnutls_assert_val(ret);
672 }
673 else
674 _gnutls_hash_deinit (&td_sha, &concat[16]);
675
676 /* ensure 1024 bit DSA keys are used */
677 ret = _gnutls_pubkey_compatible_with_sig(cert->pubkey, ver, GNUTLS_SIGN_UNKNOWN);
678 if (ret < 0)
679 return gnutls_assert_val(ret);
680
681 switch (pk)
682 {
683 case GNUTLS_PK_RSA:
684 ret =
685 _gnutls_hash_init (&td_md5, GNUTLS_DIG_MD5);
686 if (ret < 0)
687 return gnutls_assert_val(ret);
688
689 _gnutls_hash(&td_md5, session->internals.handshake_hash_buffer.data, session->internals.handshake_hash_buffer.length);
690
691 if (ver == GNUTLS_SSL3)
692 {
693 ret = _gnutls_mac_deinit_ssl3_handshake (&td_md5, concat,
694 session->
695 security_parameters.master_secret,
696 GNUTLS_MASTER_SIZE);
697 if (ret < 0)
698 return gnutls_assert_val(ret);
699 }
700 else
701 _gnutls_hash_deinit (&td_md5, concat);
702
703 dconcat.data = concat;
704 dconcat.size = 36;
705 break;
706 case GNUTLS_PK_DSA:
707 case GNUTLS_PK_EC:
708
709 dconcat.data = &concat[16];
710 dconcat.size = 20;
711 break;
712
713 default:
714 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
715 }
716 ret = sign_tls_hash (session, GNUTLS_DIG_NULL, cert, pkey, &dconcat, signature);
717 if (ret < 0)
718 {
719 gnutls_assert ();
720 }
721
722 return ret;
723 }
724
725 int
726 pk_hash_data (gnutls_pk_algorithm_t pk, gnutls_digest_algorithm_t hash,
727 gnutls_pk_params_st* params,
728 const gnutls_datum_t * data, gnutls_datum_t * digest)
729 {
730 int ret;
731
732 digest->size = _gnutls_hash_get_algo_len (hash);
733 digest->data = gnutls_malloc (digest->size);
734 if (digest->data == NULL)
735 {
736 gnutls_assert ();
737 return GNUTLS_E_MEMORY_ERROR;
738 }
739
740 ret = _gnutls_hash_fast (hash, data->data, data->size, digest->data);
741 if (ret < 0)
742 {
743 gnutls_assert ();
744 goto cleanup;
745 }
746
747 return 0;
748
749 cleanup:
750 gnutls_free (digest->data);
751 return ret;
752 }
753
754
755 /*
756 * This function will do RSA PKCS #1 1.5 encoding
757 * on the given digest. The given digest must be allocated
758 * and will be freed if replacement is required.
759 */
760 int
761 pk_prepare_hash (gnutls_pk_algorithm_t pk,
762 gnutls_digest_algorithm_t hash, gnutls_datum_t * digest)
763 {
764 int ret;
765 gnutls_datum_t old_digest = { digest->data, digest->size };
766
767 switch (pk)
768 {
769 case GNUTLS_PK_RSA:
770 /* Encode the digest as a DigestInfo
771 */
772 if ((ret = encode_ber_digest_info (hash, &old_digest, digest)) != 0)
773 {
774 gnutls_assert ();
775 return ret;
776 }
777
778 _gnutls_free_datum (&old_digest);
779 break;
780 case GNUTLS_PK_DSA:
781 case GNUTLS_PK_EC:
782 break;
783 default:
784 gnutls_assert ();
785 return GNUTLS_E_UNIMPLEMENTED_FEATURE;
786 }
787
788 return 0;
789 }
790
791 /* Reads the digest information.
792 * we use DER here, although we should use BER. It works fine
793 * anyway.
794 */
795 int
796 decode_ber_digest_info (const gnutls_datum_t * info,
797 gnutls_mac_algorithm_t * hash,
798 uint8_t * digest, unsigned int *digest_size)
799 {
800 ASN1_TYPE dinfo = ASN1_TYPE_EMPTY;
801 int result;
802 char str[1024];
803 int len;
804
805 if ((result = asn1_create_element (_gnutls_get_gnutls_asn (),
806 "GNUTLS.DigestInfo",
807 &dinfo)) != ASN1_SUCCESS)
808 {
809 gnutls_assert ();
810 return _gnutls_asn2err (result);
811 }
812
813 result = asn1_der_decoding (&dinfo, info->data, info->size, NULL);
814 if (result != ASN1_SUCCESS)
815 {
816 gnutls_assert ();
817 asn1_delete_structure (&dinfo);
818 return _gnutls_asn2err (result);
819 }
820
821 len = sizeof (str) - 1;
822 result = asn1_read_value (dinfo, "digestAlgorithm.algorithm", str, &len);
823 if (result != ASN1_SUCCESS)
824 {
825 gnutls_assert ();
826 asn1_delete_structure (&dinfo);
827 return _gnutls_asn2err (result);
828 }
829
830 *hash = _gnutls_x509_oid2mac_algorithm (str);
831
832 if (*hash == GNUTLS_MAC_UNKNOWN)
833 {
834
835 _gnutls_debug_log ("verify.c: HASH OID: %s\n", str);
836
837 gnutls_assert ();
838 asn1_delete_structure (&dinfo);
839 return GNUTLS_E_UNKNOWN_ALGORITHM;
840 }
841
842 len = sizeof (str) - 1;
843 result = asn1_read_value (dinfo, "digestAlgorithm.parameters", str, &len);
844 /* To avoid permitting garbage in the parameters field, either the
845 parameters field is not present, or it contains 0x05 0x00. */
846 if (!(result == ASN1_ELEMENT_NOT_FOUND ||
847 (result == ASN1_SUCCESS && len == ASN1_NULL_SIZE &&
848 memcmp (str, ASN1_NULL, ASN1_NULL_SIZE) == 0)))
849 {
850 gnutls_assert ();
851 asn1_delete_structure (&dinfo);
852 return GNUTLS_E_ASN1_GENERIC_ERROR;
853 }
854
855 len = *digest_size;
856 result = asn1_read_value (dinfo, "digest", digest, &len);
857
858 if (result != ASN1_SUCCESS)
859 {
860 gnutls_assert ();
861 *digest_size = len;
862 asn1_delete_structure (&dinfo);
863 return _gnutls_asn2err (result);
864 }
865
866 *digest_size = len;
867 asn1_delete_structure (&dinfo);
868
869 return 0;
870 }
871
872 /* Writes the digest information and the digest in a DER encoded
873 * structure. The digest info is allocated and stored into the info structure.
874 */
875 static int
876 encode_ber_digest_info (gnutls_digest_algorithm_t hash,
877 const gnutls_datum_t * digest,
878 gnutls_datum_t * output)
879 {
880 ASN1_TYPE dinfo = ASN1_TYPE_EMPTY;
881 int result;
882 const char *algo;
883 uint8_t *tmp_output;
884 int tmp_output_size;
885
886 algo = _gnutls_x509_mac_to_oid ((gnutls_mac_algorithm_t) hash);
887 if (algo == NULL)
888 {
889 gnutls_assert ();
890 _gnutls_debug_log ("Hash algorithm: %d has no OID\n", hash);
891 return GNUTLS_E_UNKNOWN_PK_ALGORITHM;
892 }
893
894 if ((result = asn1_create_element (_gnutls_get_gnutls_asn (),
895 "GNUTLS.DigestInfo",
896 &dinfo)) != ASN1_SUCCESS)
897 {
898 gnutls_assert ();
899 return _gnutls_asn2err (result);
900 }
901
902 result = asn1_write_value (dinfo, "digestAlgorithm.algorithm", algo, 1);
903 if (result != ASN1_SUCCESS)
904 {
905 gnutls_assert ();
906 asn1_delete_structure (&dinfo);
907 return _gnutls_asn2err (result);
908 }
909
910 /* Write an ASN.1 NULL in the parameters field. This matches RFC
911 3279 and RFC 4055, although is arguable incorrect from a historic
912 perspective (see those documents for more information).
913 Regardless of what is correct, this appears to be what most
914 implementations do. */
915 result = asn1_write_value (dinfo, "digestAlgorithm.parameters",
916 ASN1_NULL, ASN1_NULL_SIZE);
917 if (result != ASN1_SUCCESS)
918 {
919 gnutls_assert ();
920 asn1_delete_structure (&dinfo);
921 return _gnutls_asn2err (result);
922 }
923
924 result = asn1_write_value (dinfo, "digest", digest->data, digest->size);
925 if (result != ASN1_SUCCESS)
926 {
927 gnutls_assert ();
928 asn1_delete_structure (&dinfo);
929 return _gnutls_asn2err (result);
930 }
931
932 tmp_output_size = 0;
933 asn1_der_coding (dinfo, "", NULL, &tmp_output_size, NULL);
934
935 tmp_output = gnutls_malloc (tmp_output_size);
936 if (output->data == NULL)
937 {
938 gnutls_assert ();
939 asn1_delete_structure (&dinfo);
940 return GNUTLS_E_MEMORY_ERROR;
941 }
942
943 result = asn1_der_coding (dinfo, "", tmp_output, &tmp_output_size, NULL);
944 if (result != ASN1_SUCCESS)
945 {
946 gnutls_assert ();
947 asn1_delete_structure (&dinfo);
948 return _gnutls_asn2err (result);
949 }
950
951 asn1_delete_structure (&dinfo);
952
953 output->size = tmp_output_size;
954 output->data = tmp_output;
955
956 return 0;
957 }
Implementation of the SSL/TLS protocol