search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
updated makefiles
[gnutls.git] / lib / gnutls_pk.c
blob738f1accf2ce4a341ff17b4c456641b56c6831ba
1 /*
2 * Copyright (C) 2001-2012 Free Software Foundation, Inc.
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GnuTLS.
7 *
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
20 *
21 */
22
23 /* This file contains the functions needed for RSA/DSA public key
24 * encryption and signatures.
25 */
26
27 #include <gnutls_int.h>
28 #include <gnutls_mpi.h>
29 #include <gnutls_pk.h>
30 #include <gnutls_errors.h>
31 #include <gnutls_datum.h>
32 #include <gnutls_global.h>
33 #include <gnutls_num.h>
34 #include "debug.h"
35 #include <x509/x509_int.h>
36 #include <x509/common.h>
37 #include <random.h>
38
39 /* Do PKCS-1 RSA encryption.
40 * params is modulus, public exp.
41 */
42 int
43 _gnutls_pkcs1_rsa_encrypt (gnutls_datum_t * ciphertext,
44 const gnutls_datum_t * plaintext,
45 gnutls_pk_params_st * params,
46 unsigned btype)
47 {
48 unsigned int i, pad;
49 int ret;
50 uint8_t *edata, *ps;
51 size_t k, psize;
52 size_t mod_bits;
53 gnutls_datum_t to_encrypt, encrypted;
54
55 mod_bits = _gnutls_mpi_get_nbits (params->params[0]);
56 k = mod_bits / 8;
57 if (mod_bits % 8 != 0)
58 k++;
59
60 if (plaintext->size > k - 11)
61 {
62 gnutls_assert ();
63 return GNUTLS_E_PK_ENCRYPTION_FAILED;
64 }
65
66 edata = gnutls_malloc (k);
67 if (edata == NULL)
68 {
69 gnutls_assert ();
70 return GNUTLS_E_MEMORY_ERROR;
71 }
72
73 /* EB = 00||BT||PS||00||D
74 * (use block type 'btype')
75 */
76
77 edata[0] = 0;
78 edata[1] = btype;
79 psize = k - 3 - plaintext->size;
80
81 ps = &edata[2];
82 switch (btype)
83 {
84 case 2:
85 /* using public key */
86 if (params->params_nr < RSA_PUBLIC_PARAMS)
87 {
88 gnutls_assert ();
89 gnutls_free (edata);
90 return GNUTLS_E_INTERNAL_ERROR;
91 }
92
93 ret = _gnutls_rnd (GNUTLS_RND_RANDOM, ps, psize);
94 if (ret < 0)
95 {
96 gnutls_assert ();
97 gnutls_free (edata);
98 return ret;
99 }
100 for (i = 0; i < psize; i++)
101 while (ps[i] == 0)
102 {
103 ret = _gnutls_rnd (GNUTLS_RND_RANDOM, &ps[i], 1);
104 if (ret < 0)
105 {
106 gnutls_assert ();
107 gnutls_free (edata);
108 return ret;
109 }
110 }
111 break;
112 case 1:
113 /* using private key */
114
115 if (params->params_nr < RSA_PRIVATE_PARAMS)
116 {
117 gnutls_assert ();
118 gnutls_free (edata);
119 return GNUTLS_E_INTERNAL_ERROR;
120 }
121
122 for (i = 0; i < psize; i++)
123 ps[i] = 0xff;
124 break;
125 default:
126 gnutls_assert ();
127 gnutls_free (edata);
128 return GNUTLS_E_INTERNAL_ERROR;
129 }
130
131 ps[psize] = 0;
132 memcpy (&ps[psize + 1], plaintext->data, plaintext->size);
133
134 to_encrypt.data = edata;
135 to_encrypt.size = k;
136
137 if (btype == 2) /* encrypt */
138 ret =
139 _gnutls_pk_encrypt (GNUTLS_PK_RSA, &encrypted, &to_encrypt, params);
140 else /* sign */
141 ret =
142 _gnutls_pk_sign (GNUTLS_PK_RSA, &encrypted, &to_encrypt, params);
143
144 gnutls_free (edata);
145
146 if (ret < 0)
147 {
148 gnutls_assert ();
149 return ret;
150 }
151
152 psize = encrypted.size;
153 if (psize < k)
154 {
155 /* padding psize */
156 pad = k - psize;
157 psize = k;
158 }
159 else if (psize == k)
160 {
161 /* pad = 0;
162 * no need to do anything else
163 */
164 ciphertext->data = encrypted.data;
165 ciphertext->size = encrypted.size;
166 return 0;
167 }
168 else
169 { /* psize > k !!! */
170 /* This is an impossible situation */
171 gnutls_assert ();
172 _gnutls_free_datum (&encrypted);
173 return GNUTLS_E_INTERNAL_ERROR;
174 }
175
176 ciphertext->data = gnutls_malloc (psize);
177 if (ciphertext->data == NULL)
178 {
179 gnutls_assert ();
180 ret = GNUTLS_E_MEMORY_ERROR;
181 goto cleanup;
182 }
183
184 memcpy (&ciphertext->data[pad], encrypted.data, encrypted.size);
185 for (i = 0; i < pad; i++)
186 ciphertext->data[i] = 0;
187
188 ciphertext->size = k;
189
190 ret = 0;
191
192 cleanup:
193 _gnutls_free_datum (&encrypted);
194
195 return ret;
196 }
197
198
199 /* Do PKCS-1 RSA decryption.
200 * params is modulus, public exp., private key
201 * Can decrypt block type 1 and type 2 packets.
202 */
203 int
204 _gnutls_pkcs1_rsa_decrypt (gnutls_datum_t * plaintext,
205 const gnutls_datum_t * ciphertext,
206 gnutls_pk_params_st* params,
207 unsigned btype)
208 {
209 unsigned int k, i;
210 int ret;
211 size_t esize, mod_bits;
212
213 mod_bits = _gnutls_mpi_get_nbits (params->params[0]);
214 k = mod_bits / 8;
215 if (mod_bits % 8 != 0)
216 k++;
217
218 esize = ciphertext->size;
219
220 if (esize != k)
221 {
222 gnutls_assert ();
223 return GNUTLS_E_PK_DECRYPTION_FAILED;
224 }
225
226 /* we can use btype to see if the private key is
227 * available.
228 */
229 if (btype == 2)
230 {
231 ret =
232 _gnutls_pk_decrypt (GNUTLS_PK_RSA, plaintext, ciphertext, params);
233 }
234 else
235 {
236 ret =
237 _gnutls_pk_encrypt (GNUTLS_PK_RSA, plaintext, ciphertext, params);
238 }
239
240 if (ret < 0)
241 {
242 gnutls_assert ();
243 return ret;
244 }
245
246 /* EB = 00||BT||PS||00||D
247 * (use block type 'btype')
248 *
249 * From now on, return GNUTLS_E_DECRYPTION_FAILED on errors, to
250 * avoid attacks similar to the one described by Bleichenbacher in:
251 * "Chosen Ciphertext Attacks against Protocols Based on RSA
252 * Encryption Standard PKCS #1".
253 */
254 if (plaintext->data[0] != 0 || plaintext->data[1] != btype)
255 {
256 gnutls_assert ();
257 _gnutls_free_datum (plaintext);
258 return GNUTLS_E_DECRYPTION_FAILED;
259 }
260
261 ret = GNUTLS_E_DECRYPTION_FAILED;
262 switch (btype)
263 {
264 case 2:
265 for (i = 2; i < plaintext->size; i++)
266 {
267 if (plaintext->data[i] == 0)
268 {
269 ret = 0;
270 break;
271 }
272 }
273 break;
274 case 1:
275 for (i = 2; i < plaintext->size; i++)
276 {
277 if (plaintext->data[i] == 0 && i > 2)
278 {
279 ret = 0;
280 break;
281 }
282 if (plaintext->data[i] != 0xff)
283 {
284 _gnutls_handshake_log ("PKCS #1 padding error");
285 _gnutls_free_datum (plaintext);
286 /* PKCS #1 padding error. Don't use
287 GNUTLS_E_PKCS1_WRONG_PAD here. */
288 break;
289 }
290 }
291 break;
292 default:
293 gnutls_assert ();
294 _gnutls_free_datum (plaintext);
295 break;
296 }
297
298 if (ret < 0)
299 {
300 gnutls_assert ();
301 _gnutls_free_datum (plaintext);
302 return GNUTLS_E_DECRYPTION_FAILED;
303 }
304
305 i++;
306 memmove (plaintext->data, &plaintext->data[i], esize - i);
307 plaintext->size = esize - i;
308
309 return 0;
310 }
311
312
313 int
314 _gnutls_rsa_verify (const gnutls_datum_t * vdata,
315 const gnutls_datum_t * ciphertext,
316 gnutls_pk_params_st * params,
317 int btype)
318 {
319
320 gnutls_datum_t plain;
321 int ret;
322
323 /* decrypt signature */
324 if ((ret =
325 _gnutls_pkcs1_rsa_decrypt (&plain, ciphertext, params,
326 btype)) < 0)
327 {
328 gnutls_assert ();
329 return ret;
330 }
331
332 if (plain.size != vdata->size)
333 {
334 gnutls_assert ();
335 _gnutls_free_datum (&plain);
336 return GNUTLS_E_PK_SIG_VERIFY_FAILED;
337 }
338
339 if (memcmp (plain.data, vdata->data, plain.size) != 0)
340 {
341 gnutls_assert ();
342 _gnutls_free_datum (&plain);
343 return GNUTLS_E_PK_SIG_VERIFY_FAILED;
344 }
345
346 _gnutls_free_datum (&plain);
347
348 return 0; /* ok */
349 }
350
351 /* encodes the Dss-Sig-Value structure
352 */
353 int
354 _gnutls_encode_ber_rs (gnutls_datum_t * sig_value, bigint_t r, bigint_t s)
355 {
356 ASN1_TYPE sig;
357 int result;
358
359 if ((result =
360 asn1_create_element (_gnutls_get_gnutls_asn (),
361 "GNUTLS.DSASignatureValue",
362 &sig)) != ASN1_SUCCESS)
363 {
364 gnutls_assert ();
365 return _gnutls_asn2err (result);
366 }
367
368 result = _gnutls_x509_write_int (sig, "r", r, 1);
369 if (result < 0)
370 {
371 gnutls_assert ();
372 asn1_delete_structure (&sig);
373 return result;
374 }
375
376 result = _gnutls_x509_write_int (sig, "s", s, 1);
377 if (result < 0)
378 {
379 gnutls_assert ();
380 asn1_delete_structure (&sig);
381 return result;
382 }
383
384 result = _gnutls_x509_der_encode (sig, "", sig_value, 0);
385
386 asn1_delete_structure (&sig);
387
388 if (result < 0)
389 {
390 gnutls_assert ();
391 return result;
392 }
393
394 return 0;
395 }
396
397
398 /* decodes the Dss-Sig-Value structure
399 */
400 int
401 _gnutls_decode_ber_rs (const gnutls_datum_t * sig_value, bigint_t * r,
402 bigint_t * s)
403 {
404 ASN1_TYPE sig;
405 int result;
406
407 if ((result =
408 asn1_create_element (_gnutls_get_gnutls_asn (),
409 "GNUTLS.DSASignatureValue",
410 &sig)) != ASN1_SUCCESS)
411 {
412 gnutls_assert ();
413 return _gnutls_asn2err (result);
414 }
415
416 result = asn1_der_decoding (&sig, sig_value->data, sig_value->size, NULL);
417 if (result != ASN1_SUCCESS)
418 {
419 gnutls_assert ();
420 asn1_delete_structure (&sig);
421 return _gnutls_asn2err (result);
422 }
423
424 result = _gnutls_x509_read_int (sig, "r", r);
425 if (result < 0)
426 {
427 gnutls_assert ();
428 asn1_delete_structure (&sig);
429 return result;
430 }
431
432 result = _gnutls_x509_read_int (sig, "s", s);
433 if (result < 0)
434 {
435 gnutls_assert ();
436 _gnutls_mpi_release (s);
437 asn1_delete_structure (&sig);
438 return result;
439 }
440
441 asn1_delete_structure (&sig);
442
443 return 0;
444 }
445
446 /* some generic pk functions */
447
448 int _gnutls_pk_params_copy (gnutls_pk_params_st * dst, const gnutls_pk_params_st * src)
449 {
450 unsigned int i, j;
451 dst->params_nr = 0;
452
453 if (src == NULL || src->params_nr == 0)
454 {
455 gnutls_assert ();
456 return GNUTLS_E_INVALID_REQUEST;
457 }
458
459 for (i = 0; i < src->params_nr; i++)
460 {
461 dst->params[i] = _gnutls_mpi_set (NULL, src->params[i]);
462 if (dst->params[i] == NULL)
463 {
464 for (j = 0; j < i; j++)
465 _gnutls_mpi_release (&dst->params[j]);
466 return GNUTLS_E_MEMORY_ERROR;
467 }
468 dst->params_nr++;
469 }
470
471 return 0;
472 }
473
474 void
475 gnutls_pk_params_init (gnutls_pk_params_st * p)
476 {
477 memset (p, 0, sizeof (gnutls_pk_params_st));
478 }
479
480 void
481 gnutls_pk_params_release (gnutls_pk_params_st * p)
482 {
483 unsigned int i;
484 for (i = 0; i < p->params_nr; i++)
485 {
486 _gnutls_mpi_release (&p->params[i]);
487 }
488 p->params_nr = 0;
489 }
490
491 int
492 _gnutls_pk_get_hash_algorithm (gnutls_pk_algorithm_t pk,
493 gnutls_pk_params_st* params,
494 gnutls_digest_algorithm_t * dig,
495 unsigned int *mand)
496 {
497 if (mand)
498 {
499 if (pk == GNUTLS_PK_DSA)
500 *mand = 1;
501 else
502 *mand = 0;
503 }
504
505 return _gnutls_x509_verify_algorithm (dig,
506 NULL, pk, params);
507
508 }
Implementation of the SSL/TLS protocol