search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
gnutls_certificate_set_x509_simple_pkcs12_file() now imports certificate chain if...
[gnutls.git] / lib / nettle / pk.c
blob41a0fb1af1fafc629f34f3fba3757b3b06c896f9
1 /*
2 * Copyright (C) 2010-2012 Free Software Foundation, Inc.
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
20 *
21 */
22
23 /* This file contains the functions needed for RSA/DSA public key
24 * encryption and signatures.
25 */
26
27 #include <gnutls_int.h>
28 #include <gnutls_mpi.h>
29 #include <gnutls_pk.h>
30 #include <gnutls_errors.h>
31 #include <gnutls_datum.h>
32 #include <gnutls_global.h>
33 #include <gnutls_sig.h>
34 #include <gnutls_num.h>
35 #include <x509/x509_int.h>
36 #include <x509/common.h>
37 #include <random.h>
38 #include <gnutls_pk.h>
39 #include <nettle/dsa.h>
40 #include <nettle/rsa.h>
41 #include <random.h>
42 #include <gnutls/crypto.h>
43 #include "ecc.h"
44
45 #define TOMPZ(x) (*((mpz_t*)(x)))
46
47 static inline int is_supported_curve(int curve);
48
49 static void
50 rnd_func (void *_ctx, unsigned length, uint8_t * data)
51 {
52 _gnutls_rnd (GNUTLS_RND_RANDOM, data, length);
53 }
54
55 static void
56 _dsa_params_to_pubkey (const gnutls_pk_params_st * pk_params,
57 struct dsa_public_key *pub)
58 {
59 memcpy (&pub->p, pk_params->params[0], sizeof (mpz_t));
60 memcpy (&pub->q, pk_params->params[1], sizeof (mpz_t));
61 memcpy (&pub->g, pk_params->params[2], sizeof (mpz_t));
62 memcpy (&pub->y, pk_params->params[3], sizeof (mpz_t));
63 }
64
65 static void
66 _dsa_params_to_privkey (const gnutls_pk_params_st * pk_params,
67 struct dsa_private_key *pub)
68 {
69 memcpy (&pub->x, pk_params->params[4], sizeof (mpz_t));
70 }
71
72 static void
73 _rsa_params_to_privkey (const gnutls_pk_params_st * pk_params,
74 struct rsa_private_key *priv)
75 {
76 memcpy (&priv->d, pk_params->params[2], sizeof (mpz_t));
77 memcpy (&priv->p, pk_params->params[3], sizeof (mpz_t));
78 memcpy (&priv->q, pk_params->params[4], sizeof (mpz_t));
79 memcpy (&priv->c, pk_params->params[5], sizeof (mpz_t));
80 memcpy (&priv->a, pk_params->params[6], sizeof (mpz_t));
81 memcpy (&priv->b, pk_params->params[7], sizeof (mpz_t));
82 priv->size = nettle_mpz_sizeinbase_256_u(TOMPZ(pk_params->params[RSA_MODULUS]));
83 }
84
85 static void
86 _rsa_params_to_pubkey (const gnutls_pk_params_st * pk_params,
87 struct rsa_public_key *pub)
88 {
89 memcpy (&pub->n, pk_params->params[RSA_MODULUS], sizeof (mpz_t));
90 memcpy (&pub->e, pk_params->params[RSA_PUB], sizeof (mpz_t));
91 pub->size = nettle_mpz_sizeinbase_256_u(pub->n);
92 }
93
94 static void
95 _ecc_params_to_privkey(const gnutls_pk_params_st * pk_params,
96 ecc_key * priv)
97 {
98 priv->type = PK_PRIVATE;
99 memcpy(&priv->prime, pk_params->params[ECC_PRIME], sizeof(mpz_t));
100 memcpy(&priv->order, pk_params->params[ECC_ORDER], sizeof(mpz_t));
101 memcpy(&priv->A, pk_params->params[ECC_A], sizeof(mpz_t));
102 memcpy(&priv->B, pk_params->params[ECC_B], sizeof(mpz_t));
103 memcpy(&priv->Gx, pk_params->params[ECC_GX], sizeof(mpz_t));
104 memcpy(&priv->Gy, pk_params->params[ECC_GY], sizeof(mpz_t));
105 memcpy(&priv->pubkey.x, pk_params->params[ECC_X], sizeof(mpz_t));
106 memcpy(&priv->pubkey.y, pk_params->params[ECC_Y], sizeof(mpz_t));
107 memcpy(&priv->k, pk_params->params[ECC_K], sizeof(mpz_t));
108 mpz_init_set_ui(priv->pubkey.z, 1);
109 }
110
111 static void _ecc_params_clear(ecc_key * key)
112 {
113 mpz_clear(key->pubkey.z);
114 }
115
116 static void
117 _ecc_params_to_pubkey(const gnutls_pk_params_st * pk_params,
118 ecc_key * pub)
119 {
120 pub->type = PK_PUBLIC;
121 memcpy(&pub->prime, pk_params->params[ECC_PRIME], sizeof(mpz_t));
122 memcpy(&pub->order, pk_params->params[ECC_ORDER], sizeof(mpz_t));
123 memcpy(&pub->A, pk_params->params[ECC_A], sizeof(mpz_t));
124 memcpy(&pub->B, pk_params->params[ECC_B], sizeof(mpz_t));
125 memcpy(&pub->Gx, pk_params->params[ECC_GX], sizeof(mpz_t));
126 memcpy(&pub->Gy, pk_params->params[ECC_GY], sizeof(mpz_t));
127 memcpy(&pub->pubkey.x, pk_params->params[ECC_X], sizeof(mpz_t));
128 memcpy(&pub->pubkey.y, pk_params->params[ECC_Y], sizeof(mpz_t));
129 mpz_init_set_ui(pub->pubkey.z, 1);
130 }
131
132 static int _wrap_nettle_pk_derive(gnutls_pk_algorithm_t algo, gnutls_datum_t * out,
133 const gnutls_pk_params_st * priv,
134 const gnutls_pk_params_st * pub)
135 {
136 int ret;
137
138 switch (algo)
139 {
140 case GNUTLS_PK_EC:
141 {
142 ecc_key ecc_pub, ecc_priv;
143 int curve = priv->flags;
144 unsigned long sz;
145
146 out->data = NULL;
147
148 if (is_supported_curve(curve) == 0)
149 return gnutls_assert_val(GNUTLS_E_ECC_UNSUPPORTED_CURVE);
150
151 _ecc_params_to_pubkey(pub, &ecc_pub);
152 _ecc_params_to_privkey(priv, &ecc_priv);
153
154 if (ecc_projective_check_point(&ecc_pub.pubkey, pub->params[ECC_B], pub->params[ECC_PRIME]) != 0)
155 {
156 ret = gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
157 goto ecc_cleanup;
158 }
159
160 sz = ECC_BUF_SIZE;
161 out->data = gnutls_malloc(sz);
162 if (out->data == NULL)
163 {
164 ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
165 goto ecc_cleanup;
166 }
167
168 ret = ecc_shared_secret(&ecc_priv, &ecc_pub, out->data, &sz);
169 if (ret != 0)
170 ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
171
172 ecc_cleanup:
173 _ecc_params_clear(&ecc_pub);
174 _ecc_params_clear(&ecc_priv);
175
176 if (ret < 0)
177 {
178 gnutls_free(out->data);
179 return ret;
180 }
181
182 out->size = sz;
183 break;
184 }
185 default:
186 gnutls_assert ();
187 ret = GNUTLS_E_INTERNAL_ERROR;
188 goto cleanup;
189 }
190
191 ret = 0;
192
193 cleanup:
194
195 return ret;
196 }
197
198 static int
199 _wrap_nettle_pk_encrypt (gnutls_pk_algorithm_t algo,
200 gnutls_datum_t * ciphertext,
201 const gnutls_datum_t * plaintext,
202 const gnutls_pk_params_st * pk_params)
203 {
204 int ret;
205 mpz_t p;
206
207 mpz_init(p);
208
209 switch (algo)
210 {
211 case GNUTLS_PK_RSA:
212 {
213 struct rsa_public_key pub;
214
215 _rsa_params_to_pubkey (pk_params, &pub);
216
217 ret = rsa_encrypt(&pub, NULL, rnd_func, plaintext->size, plaintext->data, p);
218 if (ret == 0)
219 {
220 ret = gnutls_assert_val(GNUTLS_E_ENCRYPTION_FAILED);
221 goto cleanup;
222 }
223
224 ret = _gnutls_mpi_dprint_size (p, ciphertext, plaintext->size);
225 if (ret < 0)
226 {
227 gnutls_assert ();
228 goto cleanup;
229 }
230
231 break;
232 }
233 default:
234 gnutls_assert ();
235 ret = GNUTLS_E_INTERNAL_ERROR;
236 goto cleanup;
237 }
238
239 ret = 0;
240
241 cleanup:
242
243 mpz_clear(p);
244 return ret;
245 }
246
247 static int
248 _wrap_nettle_pk_decrypt (gnutls_pk_algorithm_t algo,
249 gnutls_datum_t * plaintext,
250 const gnutls_datum_t * ciphertext,
251 const gnutls_pk_params_st * pk_params)
252 {
253 int ret;
254
255 plaintext->data = NULL;
256
257 /* make a sexp from pkey */
258 switch (algo)
259 {
260 case GNUTLS_PK_RSA:
261 {
262 struct rsa_private_key priv;
263 struct rsa_public_key pub;
264 unsigned length;
265 bigint_t c;
266
267 _rsa_params_to_privkey (pk_params, &priv);
268 _rsa_params_to_pubkey (pk_params, &pub);
269
270 if (_gnutls_mpi_scan_nz (&c, ciphertext->data, ciphertext->size) != 0)
271 {
272 ret = gnutls_assert_val(GNUTLS_E_MPI_SCAN_FAILED);
273 goto cleanup;
274 }
275
276 length = pub.size;
277 plaintext->data = gnutls_malloc(length);
278 if (plaintext->data == NULL)
279 {
280 ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
281 goto cleanup;
282 }
283
284 ret = rsa_decrypt_tr(&pub, &priv, NULL, rnd_func, &length, plaintext->data,
285 TOMPZ(c));
286 _gnutls_mpi_release (&c);
287 plaintext->size = length;
288
289 if (ret == 0)
290 {
291 ret = gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
292 goto cleanup;
293 }
294
295 break;
296 }
297 default:
298 gnutls_assert ();
299 ret = GNUTLS_E_INTERNAL_ERROR;
300 goto cleanup;
301 }
302
303 ret = 0;
304
305 cleanup:
306 if (ret < 0)
307 gnutls_free(plaintext->data);
308
309 return ret;
310 }
311
312 /* in case of DSA puts into data, r,s
313 */
314 static int
315 _wrap_nettle_pk_sign (gnutls_pk_algorithm_t algo,
316 gnutls_datum_t * signature,
317 const gnutls_datum_t * vdata,
318 const gnutls_pk_params_st * pk_params)
319 {
320 int ret;
321 unsigned int hash;
322 unsigned int hash_len;
323
324 switch (algo)
325 {
326 case GNUTLS_PK_EC: /* we do ECDSA */
327 {
328 ecc_key priv;
329 struct dsa_signature sig;
330
331 _ecc_params_to_privkey(pk_params, &priv);
332
333 dsa_signature_init (&sig);
334
335 hash = _gnutls_dsa_q_to_hash (algo, pk_params, &hash_len);
336 if (hash_len > vdata->size)
337 {
338 gnutls_assert ();
339 _gnutls_debug_log("Security level of algorithm requires hash %s(%d) or better\n", gnutls_mac_get_name(hash), hash_len);
340 hash_len = vdata->size;
341 }
342
343 ret = ecc_sign_hash(vdata->data, hash_len,
344 &sig, NULL, rnd_func, &priv);
345 if (ret != 0)
346 {
347 gnutls_assert ();
348 ret = GNUTLS_E_PK_SIGN_FAILED;
349 goto ecdsa_fail;
350 }
351
352 ret = _gnutls_encode_ber_rs (signature, &sig.r, &sig.s);
353
354 ecdsa_fail:
355 dsa_signature_clear (&sig);
356 _ecc_params_clear( &priv);
357
358 if (ret < 0)
359 {
360 gnutls_assert ();
361 goto cleanup;
362 }
363 break;
364 }
365 case GNUTLS_PK_DSA:
366 {
367 struct dsa_public_key pub;
368 struct dsa_private_key priv;
369 struct dsa_signature sig;
370
371 memset(&priv, 0, sizeof(priv));
372 memset(&pub, 0, sizeof(pub));
373 _dsa_params_to_pubkey (pk_params, &pub);
374 _dsa_params_to_privkey (pk_params, &priv);
375
376 dsa_signature_init (&sig);
377
378 hash = _gnutls_dsa_q_to_hash (algo, pk_params, &hash_len);
379 if (hash_len > vdata->size)
380 {
381 gnutls_assert ();
382 _gnutls_debug_log("Security level of algorithm requires hash %s(%d) or better\n", gnutls_mac_get_name(hash), hash_len);
383 hash_len = vdata->size;
384 }
385
386 ret =
387 _dsa_sign (&pub, &priv, NULL, rnd_func,
388 hash_len, vdata->data, &sig);
389 if (ret == 0)
390 {
391 gnutls_assert ();
392 ret = GNUTLS_E_PK_SIGN_FAILED;
393 goto dsa_fail;
394 }
395
396 ret = _gnutls_encode_ber_rs (signature, &sig.r, &sig.s);
397
398 dsa_fail:
399 dsa_signature_clear (&sig);
400
401 if (ret < 0)
402 {
403 gnutls_assert ();
404 goto cleanup;
405 }
406 break;
407 }
408 case GNUTLS_PK_RSA:
409 {
410 struct rsa_private_key priv;
411 struct rsa_public_key pub;
412 mpz_t s;
413
414 _rsa_params_to_privkey (pk_params, &priv);
415 _rsa_params_to_pubkey (pk_params, &pub);
416
417 mpz_init(s);
418
419 ret = rsa_pkcs1_sign_tr(&pub, &priv, NULL, rnd_func,
420 vdata->size, vdata->data, s);
421 if (ret == 0)
422 {
423 gnutls_assert();
424 ret = GNUTLS_E_PK_SIGN_FAILED;
425 goto rsa_fail;
426 }
427
428 ret = _gnutls_mpi_dprint (s, signature);
429
430 rsa_fail:
431 mpz_clear(s);
432
433 if (ret < 0)
434 {
435 gnutls_assert ();
436 goto cleanup;
437 }
438
439 break;
440 }
441 default:
442 gnutls_assert ();
443 ret = GNUTLS_E_INTERNAL_ERROR;
444 goto cleanup;
445 }
446
447 ret = 0;
448
449 cleanup:
450
451 return ret;
452 }
453
454 static int
455 _wrap_nettle_pk_verify (gnutls_pk_algorithm_t algo,
456 const gnutls_datum_t * vdata,
457 const gnutls_datum_t * signature,
458 const gnutls_pk_params_st * pk_params)
459 {
460 int ret;
461 unsigned int hash_len;
462 bigint_t tmp[2] = { NULL, NULL };
463
464 switch (algo)
465 {
466 case GNUTLS_PK_EC: /* ECDSA */
467 {
468 ecc_key pub;
469 struct dsa_signature sig;
470 int stat;
471
472 ret = _gnutls_decode_ber_rs (signature, &tmp[0], &tmp[1]);
473 if (ret < 0)
474 {
475 gnutls_assert ();
476 goto cleanup;
477 }
478
479 _ecc_params_to_pubkey(pk_params, &pub);
480 memcpy (&sig.r, tmp[0], sizeof (sig.r));
481 memcpy (&sig.s, tmp[1], sizeof (sig.s));
482
483 _gnutls_dsa_q_to_hash (algo, pk_params, &hash_len);
484 if (hash_len > vdata->size)
485 hash_len = vdata->size;
486
487 ret = ecc_verify_hash(&sig, vdata->data, hash_len, &stat, &pub);
488 if (ret != 0 || stat != 1)
489 {
490 gnutls_assert();
491 ret = GNUTLS_E_PK_SIG_VERIFY_FAILED;
492 }
493 else
494 ret = 0;
495
496 _gnutls_mpi_release (&tmp[0]);
497 _gnutls_mpi_release (&tmp[1]);
498 _ecc_params_clear( &pub);
499 break;
500 }
501 case GNUTLS_PK_DSA:
502 {
503 struct dsa_public_key pub;
504 struct dsa_signature sig;
505
506 ret = _gnutls_decode_ber_rs (signature, &tmp[0], &tmp[1]);
507 if (ret < 0)
508 {
509 gnutls_assert ();
510 goto cleanup;
511 }
512 memset(&pub, 0, sizeof(pub));
513 _dsa_params_to_pubkey (pk_params, &pub);
514 memcpy (&sig.r, tmp[0], sizeof (sig.r));
515 memcpy (&sig.s, tmp[1], sizeof (sig.s));
516
517 _gnutls_dsa_q_to_hash (algo, pk_params, &hash_len);
518 if (hash_len > vdata->size)
519 hash_len = vdata->size;
520
521 ret = _dsa_verify (&pub, hash_len, vdata->data, &sig);
522 if (ret == 0)
523 {
524 gnutls_assert();
525 ret = GNUTLS_E_PK_SIG_VERIFY_FAILED;
526 }
527 else
528 ret = 0;
529
530 _gnutls_mpi_release (&tmp[0]);
531 _gnutls_mpi_release (&tmp[1]);
532 break;
533 }
534 case GNUTLS_PK_RSA:
535 {
536 struct rsa_public_key pub;
537
538 _rsa_params_to_pubkey (pk_params, &pub);
539
540 ret = _gnutls_mpi_scan_nz (&tmp[0], signature->data, signature->size);
541 if (ret < 0)
542 {
543 gnutls_assert ();
544 goto cleanup;
545 }
546
547 ret = rsa_pkcs1_verify (&pub, vdata->size, vdata->data, TOMPZ(tmp[0]));
548 if (ret == 0)
549 ret = gnutls_assert_val(GNUTLS_E_PK_SIG_VERIFY_FAILED);
550 else ret = 0;
551
552 _gnutls_mpi_release (&tmp[0]);
553 break;
554 }
555 default:
556 gnutls_assert ();
557 ret = GNUTLS_E_INTERNAL_ERROR;
558 goto cleanup;
559 }
560
561 cleanup:
562
563 return ret;
564 }
565
566 static inline int is_supported_curve(int curve)
567 {
568 if (gnutls_ecc_curve_get_name(curve) != NULL)
569 return 1;
570 else
571 return 0;
572 }
573
574
575 static int
576 wrap_nettle_pk_generate_params (gnutls_pk_algorithm_t algo,
577 unsigned int level /*bits */ ,
578 gnutls_pk_params_st * params)
579 {
580 int ret;
581 unsigned int i, q_bits;
582
583 memset(params, 0, sizeof(*params));
584
585 switch (algo)
586 {
587
588 case GNUTLS_PK_DSA:
589 {
590 struct dsa_public_key pub;
591 struct dsa_private_key priv;
592
593 dsa_public_key_init (&pub);
594 dsa_private_key_init (&priv);
595
596 /* the best would be to use _gnutls_pk_bits_to_subgroup_bits()
597 * but we do NIST DSA here */
598 if (level <= 1024)
599 q_bits = 160;
600 else
601 q_bits = 256;
602
603 ret =
604 dsa_generate_keypair (&pub, &priv, NULL,
605 rnd_func, NULL, NULL, level, q_bits);
606 if (ret != 1)
607 {
608 gnutls_assert ();
609 ret = GNUTLS_E_INTERNAL_ERROR;
610 goto dsa_fail;
611 }
612
613 params->params_nr = 0;
614 for (i = 0; i < DSA_PRIVATE_PARAMS; i++)
615 {
616 params->params[i] = _gnutls_mpi_alloc_like (&pub.p);
617 if (params->params[i] == NULL)
618 {
619 ret = GNUTLS_E_MEMORY_ERROR;
620 goto dsa_fail;
621 }
622 params->params_nr++;
623 }
624
625 ret = 0;
626 _gnutls_mpi_set (params->params[0], pub.p);
627 _gnutls_mpi_set (params->params[1], pub.q);
628 _gnutls_mpi_set (params->params[2], pub.g);
629 _gnutls_mpi_set (params->params[3], pub.y);
630 _gnutls_mpi_set (params->params[4], priv.x);
631
632 dsa_fail:
633 dsa_private_key_clear (&priv);
634 dsa_public_key_clear (&pub);
635
636 if (ret < 0)
637 goto fail;
638
639 break;
640 }
641 case GNUTLS_PK_RSA:
642 {
643 struct rsa_public_key pub;
644 struct rsa_private_key priv;
645
646 rsa_public_key_init (&pub);
647 rsa_private_key_init (&priv);
648
649 _gnutls_mpi_set_ui (&pub.e, 65537);
650
651 ret =
652 rsa_generate_keypair (&pub, &priv, NULL,
653 rnd_func, NULL, NULL, level, 0);
654 if (ret != 1)
655 {
656 gnutls_assert ();
657 ret = GNUTLS_E_INTERNAL_ERROR;
658 goto rsa_fail;
659 }
660
661 params->params_nr = 0;
662 for (i = 0; i < RSA_PRIVATE_PARAMS; i++)
663 {
664 params->params[i] = _gnutls_mpi_alloc_like (&pub.n);
665 if (params->params[i] == NULL)
666 {
667 ret = GNUTLS_E_MEMORY_ERROR;
668 goto rsa_fail;
669 }
670 params->params_nr++;
671
672 }
673
674 ret = 0;
675
676 _gnutls_mpi_set (params->params[0], pub.n);
677 _gnutls_mpi_set (params->params[1], pub.e);
678 _gnutls_mpi_set (params->params[2], priv.d);
679 _gnutls_mpi_set (params->params[3], priv.p);
680 _gnutls_mpi_set (params->params[4], priv.q);
681 _gnutls_mpi_set (params->params[5], priv.c);
682 _gnutls_mpi_set (params->params[6], priv.a);
683 _gnutls_mpi_set (params->params[7], priv.b);
684
685 rsa_fail:
686 rsa_private_key_clear (&priv);
687 rsa_public_key_clear (&pub);
688
689 if (ret < 0)
690 goto fail;
691
692 break;
693 }
694 case GNUTLS_PK_EC:
695 {
696 ecc_key key;
697 ecc_set_type tls_ecc_set;
698 const gnutls_ecc_curve_entry_st *st;
699
700 st = _gnutls_ecc_curve_get_params(level);
701 if (st == NULL)
702 return gnutls_assert_val(GNUTLS_E_ECC_UNSUPPORTED_CURVE);
703
704 tls_ecc_set.size = st->size;
705 tls_ecc_set.prime = st->prime;
706 tls_ecc_set.order = st->order;
707 tls_ecc_set.Gx = st->Gx;
708 tls_ecc_set.Gy = st->Gy;
709 tls_ecc_set.A = st->A;
710 tls_ecc_set.B = st->B;
711
712 ret = ecc_make_key(NULL, rnd_func, &key, &tls_ecc_set);
713 if (ret != 0)
714 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
715
716 params->params_nr = 0;
717 for (i = 0; i < ECC_PRIVATE_PARAMS; i++)
718 {
719 params->params[i] = _gnutls_mpi_alloc_like(&key.prime);
720 if (params->params[i] == NULL)
721 {
722 ret = GNUTLS_E_MEMORY_ERROR;
723 goto ecc_fail;
724 }
725 params->params_nr++;
726 }
727 params->flags = level;
728
729 mpz_set(TOMPZ(params->params[ECC_PRIME]), key.prime);
730 mpz_set(TOMPZ(params->params[ECC_ORDER]), key.order);
731 mpz_set(TOMPZ(params->params[ECC_A]), key.A);
732 mpz_set(TOMPZ(params->params[ECC_B]), key.B);
733 mpz_set(TOMPZ(params->params[ECC_GX]), key.Gx);
734 mpz_set(TOMPZ(params->params[ECC_GY]), key.Gy);
735 mpz_set(TOMPZ(params->params[ECC_X]), key.pubkey.x);
736 mpz_set(TOMPZ(params->params[ECC_Y]), key.pubkey.y);
737 mpz_set(TOMPZ(params->params[ECC_K]), key.k);
738
739 ecc_fail:
740 ecc_free(&key);
741
742 if (ret < 0)
743 goto fail;
744
745 break;
746 }
747 default:
748 gnutls_assert ();
749 return GNUTLS_E_INVALID_REQUEST;
750 }
751
752 return 0;
753
754 fail:
755
756 for (i = 0; i < params->params_nr; i++)
757 {
758 _gnutls_mpi_release (&params->params[i]);
759 }
760 params->params_nr = 0;
761
762 return ret;
763 }
764
765 static int
766 wrap_nettle_pk_verify_params (gnutls_pk_algorithm_t algo,
767 const gnutls_pk_params_st * params)
768 {
769 int ret;
770
771 switch (algo)
772 {
773 case GNUTLS_PK_RSA:
774 {
775 bigint_t t1 = NULL, t2 = NULL;
776
777 if (params->params_nr != RSA_PRIVATE_PARAMS)
778 return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
779
780 t1 = _gnutls_mpi_new (256);
781 if (t1 == NULL)
782 return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
783
784 _gnutls_mpi_mulm (t1, params->params[RSA_PRIME1], params->params[RSA_PRIME2], params->params[RSA_MODULUS]);
785 if (_gnutls_mpi_cmp_ui(t1, 0) != 0)
786 {
787 ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
788 goto rsa_cleanup;
789 }
790
791 mpz_invert (TOMPZ(t1), TOMPZ (params->params[RSA_PRIME2]), TOMPZ (params->params[RSA_PRIME1]));
792 if (_gnutls_mpi_cmp(t1, params->params[RSA_COEF]) != 0)
793 {
794 ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
795 goto rsa_cleanup;
796 }
797
798 /* [RSA_PRIME1] = d % p-1, [RSA_PRIME2] = d % q-1 */
799 _gnutls_mpi_sub_ui (t1, params->params[RSA_PRIME1], 1);
800 t2 = _gnutls_mpi_mod (params->params[RSA_PRIV], t1);
801 if (t2 == NULL)
802 {
803 ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
804 goto rsa_cleanup;
805 }
806
807 if (_gnutls_mpi_cmp(params->params[RSA_E1], t2) != 0)
808 {
809 ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
810 goto rsa_cleanup;
811 }
812
813 _gnutls_mpi_sub_ui (t1, params->params[RSA_PRIME2], 1);
814 _gnutls_mpi_release(&t2);
815
816 t2 = _gnutls_mpi_mod (params->params[RSA_PRIV], t1);
817 if (t2 == NULL)
818 {
819 ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
820 goto rsa_cleanup;
821 }
822
823 if (_gnutls_mpi_cmp(params->params[RSA_E2], t2) != 0)
824 {
825 ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
826 goto rsa_cleanup;
827 }
828
829 ret = 0;
830
831 rsa_cleanup:
832 _gnutls_mpi_release(&t1);
833 _gnutls_mpi_release(&t2);
834 }
835
836 break;
837 case GNUTLS_PK_DSA:
838 {
839 bigint_t t1 = NULL;
840
841 if (params->params_nr != DSA_PRIVATE_PARAMS)
842 return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
843
844 t1 = _gnutls_mpi_new (256);
845 if (t1 == NULL)
846 return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
847
848 _gnutls_mpi_powm (t1, params->params[DSA_G], params->params[DSA_X], params->params[DSA_P]);
849
850 if (_gnutls_mpi_cmp(t1, params->params[DSA_Y]) != 0)
851 {
852 ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
853 goto dsa_cleanup;
854 }
855
856 ret = 0;
857
858 dsa_cleanup:
859 _gnutls_mpi_release(&t1);
860 }
861
862 break;
863 case GNUTLS_PK_EC:
864 {
865 int curve = params->flags;
866 ecc_key ecc_priv;
867 ecc_point *R;
868 ecc_point zero;
869
870 if (params->params_nr != ECC_PRIVATE_PARAMS)
871 return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
872
873 if (is_supported_curve(curve) == 0)
874 return gnutls_assert_val(GNUTLS_E_ECC_UNSUPPORTED_CURVE);
875
876 _ecc_params_to_privkey(params, &ecc_priv);
877 R = ecc_new_point();
878
879 /* verify that x,y lie on the curve */
880 ret = ecc_projective_check_point(&ecc_priv.pubkey, TOMPZ(params->params[ECC_B]), params->params[ECC_PRIME]);
881 if (ret != 0)
882 {
883 ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
884 goto ecc_cleanup;
885 }
886
887 memcpy(&zero.x, ecc_priv.Gx, sizeof(mpz_t));
888 memcpy(&zero.y, ecc_priv.Gy, sizeof(mpz_t));
889 memcpy(&zero.z, ecc_priv.pubkey.z, sizeof(mpz_t)); /* z = 1 */
890
891 /* verify that k*(Gx,Gy)=(x,y) */
892 ret = ecc_mulmod(ecc_priv.k, &zero, R, TOMPZ(params->params[ECC_A]), TOMPZ(params->params[ECC_PRIME]), 1);
893 if (ret != 0)
894 {
895 ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
896 goto ecc_cleanup;
897 }
898
899 if (mpz_cmp(ecc_priv.pubkey.x, R->x) != 0 || mpz_cmp(ecc_priv.pubkey.y, R->y) != 0)
900 {
901 ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
902 goto ecc_cleanup;
903 }
904
905 ret = 0;
906
907 ecc_cleanup:
908 _ecc_params_clear(&ecc_priv);
909 ecc_del_point(R);
910 }
911 break;
912 default:
913 ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
914 }
915
916 return ret;
917 }
918
919 static int calc_rsa_exp (gnutls_pk_params_st* params)
920 {
921 bigint_t tmp = _gnutls_mpi_alloc_like (params->params[0]);
922
923 if (params->params_nr < RSA_PRIVATE_PARAMS - 2)
924 {
925 gnutls_assert ();
926 return GNUTLS_E_INTERNAL_ERROR;
927 }
928
929 if (tmp == NULL)
930 {
931 gnutls_assert ();
932 return GNUTLS_E_MEMORY_ERROR;
933 }
934
935 /* [6] = d % p-1, [7] = d % q-1 */
936 _gnutls_mpi_sub_ui (tmp, params->params[3], 1);
937 params->params[6] = _gnutls_mpi_mod (params->params[2] /*d */ , tmp);
938
939 _gnutls_mpi_sub_ui (tmp, params->params[4], 1);
940 params->params[7] = _gnutls_mpi_mod (params->params[2] /*d */ , tmp);
941
942 _gnutls_mpi_release (&tmp);
943
944 if (params->params[7] == NULL || params->params[6] == NULL)
945 {
946 gnutls_assert ();
947 return GNUTLS_E_MEMORY_ERROR;
948 }
949
950 return 0;
951 }
952
953
954 static int
955 wrap_nettle_pk_fixup (gnutls_pk_algorithm_t algo,
956 gnutls_direction_t direction,
957 gnutls_pk_params_st * params)
958 {
959 int result;
960
961 if (direction == GNUTLS_IMPORT && algo == GNUTLS_PK_RSA)
962 {
963 /* do not trust the generated values. Some old private keys
964 * generated by us have mess on the values. Those were very
965 * old but it seemed some of the shipped example private
966 * keys were as old.
967 */
968 mpz_invert (TOMPZ (params->params[RSA_COEF]),
969 TOMPZ (params->params[RSA_PRIME2]), TOMPZ (params->params[RSA_PRIME1]));
970
971 /* calculate exp1 [6] and exp2 [7] */
972 _gnutls_mpi_release (&params->params[RSA_E1]);
973 _gnutls_mpi_release (&params->params[RSA_E2]);
974
975 result = calc_rsa_exp (params);
976 if (result < 0)
977 {
978 gnutls_assert ();
979 return result;
980 }
981 params->params_nr = RSA_PRIVATE_PARAMS;
982 }
983
984 return 0;
985 }
986
987 static int
988 extract_digest_info(const struct rsa_public_key *key,
989 unsigned *length, uint8_t *digest_info,
990 const mpz_t signature)
991 {
992 unsigned i;
993 int ret;
994 mpz_t m;
995 uint8_t *em;
996
997 if (key->size == 0 || *length < key->size)
998 return 0;
999
1000 em = gnutls_malloc(key->size);
1001 if (em == NULL)
1002 return 0;
1003
1004 mpz_init (m);
1005
1006 mpz_powm(m, signature, key->e, key->n);
1007
1008 nettle_mpz_get_str_256(key->size, em, m);
1009 mpz_clear(m);
1010
1011 if (em[0] != 0 || em[1] != 1)
1012 {
1013 ret = 0;
1014 goto cleanup;
1015 }
1016
1017 for (i = 2; i < key->size; i++)
1018 {
1019 if (em[i] == 0 && i > 2)
1020 break;
1021
1022 if (em[i] != 0xff)
1023 {
1024 ret = 0;
1025 goto cleanup;
1026 }
1027 }
1028
1029 i++;
1030 memcpy(digest_info, &em[i], key->size-i);
1031 *length = key->size-i;
1032
1033 ret = 1;
1034 cleanup:
1035 gnutls_free(em);
1036
1037 return ret;
1038 }
1039
1040 /* Given a signature and parameters, it should return
1041 * the hash algorithm used in the signature. This is a kludge
1042 * but until we deprecate gnutls_pubkey_get_verify_algorithm()
1043 * we depend on it.
1044 */
1045 static int wrap_nettle_hash_algorithm (gnutls_pk_algorithm_t pk,
1046 const gnutls_datum_t * sig, gnutls_pk_params_st * issuer_params,
1047 gnutls_digest_algorithm_t* hash_algo)
1048 {
1049 uint8_t digest[MAX_HASH_SIZE];
1050 uint8_t digest_info[MAX_HASH_SIZE*3];
1051 gnutls_datum_t di;
1052 unsigned digest_size;
1053 mpz_t s;
1054 struct rsa_public_key pub;
1055 int ret;
1056
1057 mpz_init(s);
1058
1059 switch (pk)
1060 {
1061 case GNUTLS_PK_DSA:
1062 case GNUTLS_PK_EC:
1063
1064 if (hash_algo)
1065 *hash_algo = _gnutls_dsa_q_to_hash (pk, issuer_params, NULL);
1066
1067 ret = 0;
1068 break;
1069 case GNUTLS_PK_RSA:
1070 if (sig == NULL)
1071 { /* return a sensible algorithm */
1072 if (hash_algo)
1073 *hash_algo = GNUTLS_DIG_SHA256;
1074 return 0;
1075 }
1076
1077 _rsa_params_to_pubkey (issuer_params, &pub);
1078
1079 digest_size = sizeof(digest);
1080
1081 nettle_mpz_set_str_256_u(s, sig->size, sig->data);
1082
1083 digest_size = sizeof (digest_info);
1084 ret = extract_digest_info( &pub, &digest_size, digest_info, s);
1085 if (ret == 0)
1086 {
1087 ret = GNUTLS_E_PK_SIG_VERIFY_FAILED;
1088 gnutls_assert ();
1089 goto cleanup;
1090 }
1091
1092 di.data = digest_info;
1093 di.size = digest_size;
1094
1095 digest_size = sizeof(digest);
1096 if ((ret =
1097 decode_ber_digest_info (&di, hash_algo, digest,
1098 &digest_size)) < 0)
1099 {
1100 gnutls_assert ();
1101 goto cleanup;
1102 }
1103
1104 if (digest_size != _gnutls_hash_get_algo_len (*hash_algo))
1105 {
1106 gnutls_assert ();
1107 ret = GNUTLS_E_PK_SIG_VERIFY_FAILED;
1108 goto cleanup;
1109 }
1110
1111 ret = 0;
1112 break;
1113
1114 default:
1115 gnutls_assert ();
1116 ret = GNUTLS_E_INTERNAL_ERROR;
1117 }
1118
1119 cleanup:
1120 mpz_clear(s);
1121 return ret;
1122
1123 }
1124
1125
1126 int crypto_pk_prio = INT_MAX;
1127
1128 gnutls_crypto_pk_st _gnutls_pk_ops = {
1129 .hash_algorithm = wrap_nettle_hash_algorithm,
1130 .encrypt = _wrap_nettle_pk_encrypt,
1131 .decrypt = _wrap_nettle_pk_decrypt,
1132 .sign = _wrap_nettle_pk_sign,
1133 .verify = _wrap_nettle_pk_verify,
1134 .verify_params = wrap_nettle_pk_verify_params,
1135 .generate = wrap_nettle_pk_generate_params,
1136 .pk_fixup_private_params = wrap_nettle_pk_fixup,
1137 .derive = _wrap_nettle_pk_derive,
1138 };
Implementation of the SSL/TLS protocol