/* * Copyright (C) 2001-2014 Free Software Foundation, Inc. * Copyright (C) 2017 Red Hat, Inc. * * Author: Nikos Mavrogiannopoulos * * This file is part of GnuTLS. * * The GnuTLS is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public License * as published by the Free Software Foundation; either version 2.1 of * the License, or (at your option) any later version. * * This library is distributed in the hope that it will be useful, but * WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * Lesser General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see * */ /* This file contains the functions needed for RSA/DSA public key * encryption and signatures. */ #include "gnutls_int.h" #include #include #include "errors.h" #include #include #include #include "debug.h" #include #include #include #include /** * gnutls_encode_rs_value: * @sig_value: will hold a Dss-Sig-Value DER encoded structure * @r: must contain the r value * @s: must contain the s value * * This function will encode the provided r and s values, * into a Dss-Sig-Value structure, used for DSA and ECDSA * signatures. * * The output value should be deallocated using gnutls_free(). * * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise * an error code is returned. * * Since: 3.6.0 * **/ int gnutls_encode_rs_value(gnutls_datum_t * sig_value, const gnutls_datum_t * r, const gnutls_datum_t * s) { return _gnutls_encode_ber_rs_raw(sig_value, r, s); } /* same as gnutls_encode_rs_value(), but kept since it used * to be exported for FIPS140 CAVS testing. */ int _gnutls_encode_ber_rs_raw(gnutls_datum_t * sig_value, const gnutls_datum_t * r, const gnutls_datum_t * s) { ASN1_TYPE sig; int result, ret; uint8_t *tmp = NULL; if ((result = asn1_create_element(_gnutls_get_gnutls_asn(), "GNUTLS.DSASignatureValue", &sig)) != ASN1_SUCCESS) { gnutls_assert(); return _gnutls_asn2err(result); } if (s->data[0] >= 0x80 || r->data[0] >= 0x80) { tmp = gnutls_malloc(MAX(r->size, s->size)+1); if (tmp == NULL) { ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); goto cleanup; } } if (r->data[0] >= 0x80) { tmp[0] = 0; memcpy(&tmp[1], r->data, r->size); result = asn1_write_value(sig, "r", tmp, 1+r->size); } else { result = asn1_write_value(sig, "r", r->data, r->size); } if (result != ASN1_SUCCESS) { gnutls_assert(); ret = _gnutls_asn2err(result); goto cleanup; } if (s->data[0] >= 0x80) { tmp[0] = 0; memcpy(&tmp[1], s->data, s->size); result = asn1_write_value(sig, "s", tmp, 1+s->size); } else { result = asn1_write_value(sig, "s", s->data, s->size); } if (result != ASN1_SUCCESS) { gnutls_assert(); ret = _gnutls_asn2err(result); goto cleanup; } ret = _gnutls_x509_der_encode(sig, "", sig_value, 0); if (ret < 0) { gnutls_assert(); goto cleanup; } ret = 0; cleanup: gnutls_free(tmp); asn1_delete_structure(&sig); return ret; } int _gnutls_encode_ber_rs(gnutls_datum_t * sig_value, bigint_t r, bigint_t s) { ASN1_TYPE sig; int result; if ((result = asn1_create_element(_gnutls_get_gnutls_asn(), "GNUTLS.DSASignatureValue", &sig)) != ASN1_SUCCESS) { gnutls_assert(); return _gnutls_asn2err(result); } result = _gnutls_x509_write_int(sig, "r", r, 1); if (result < 0) { gnutls_assert(); asn1_delete_structure(&sig); return result; } result = _gnutls_x509_write_int(sig, "s", s, 1); if (result < 0) { gnutls_assert(); asn1_delete_structure(&sig); return result; } result = _gnutls_x509_der_encode(sig, "", sig_value, 0); asn1_delete_structure(&sig); if (result < 0) return gnutls_assert_val(result); return 0; } /* decodes the Dss-Sig-Value structure */ int _gnutls_decode_ber_rs(const gnutls_datum_t * sig_value, bigint_t * r, bigint_t * s) { ASN1_TYPE sig; int result; if ((result = asn1_create_element(_gnutls_get_gnutls_asn(), "GNUTLS.DSASignatureValue", &sig)) != ASN1_SUCCESS) { gnutls_assert(); return _gnutls_asn2err(result); } result = asn1_der_decoding(&sig, sig_value->data, sig_value->size, NULL); if (result != ASN1_SUCCESS) { gnutls_assert(); asn1_delete_structure(&sig); return _gnutls_asn2err(result); } result = _gnutls_x509_read_int(sig, "r", r); if (result < 0) { gnutls_assert(); asn1_delete_structure(&sig); return result; } result = _gnutls_x509_read_int(sig, "s", s); if (result < 0) { gnutls_assert(); _gnutls_mpi_release(r); asn1_delete_structure(&sig); return result; } asn1_delete_structure(&sig); return 0; } /** * gnutls_decode_rs_value: * @sig_value: holds a Dss-Sig-Value DER or BER encoded structure * @r: will contain the r value * @s: will contain the s value * * This function will decode the provided @sig_value, * into @r and @s elements. The Dss-Sig-Value is used for DSA and ECDSA * signatures. * * The output values may be padded with a zero byte to prevent them * from being interpreted as negative values. The value * should be deallocated using gnutls_free(). * * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise * an error code is returned. * * Since: 3.6.0 * **/ int gnutls_decode_rs_value(const gnutls_datum_t * sig_value, gnutls_datum_t *r, gnutls_datum_t *s) { return _gnutls_decode_ber_rs_raw(sig_value, r, s); } /* same as gnutls_decode_rs_value(), but kept since it used * to be exported for FIPS140 CAVS testing. */ int _gnutls_decode_ber_rs_raw(const gnutls_datum_t * sig_value, gnutls_datum_t *r, gnutls_datum_t *s) { ASN1_TYPE sig; int result; if ((result = asn1_create_element(_gnutls_get_gnutls_asn(), "GNUTLS.DSASignatureValue", &sig)) != ASN1_SUCCESS) { gnutls_assert(); return _gnutls_asn2err(result); } result = asn1_der_decoding(&sig, sig_value->data, sig_value->size, NULL); if (result != ASN1_SUCCESS) { gnutls_assert(); asn1_delete_structure(&sig); return _gnutls_asn2err(result); } result = _gnutls_x509_read_value(sig, "r", r); if (result < 0) { gnutls_assert(); asn1_delete_structure(&sig); return result; } result = _gnutls_x509_read_value(sig, "s", s); if (result < 0) { gnutls_assert(); gnutls_free(r->data); asn1_delete_structure(&sig); return result; } asn1_delete_structure(&sig); return 0; } /* some generic pk functions */ int _gnutls_pk_params_copy(gnutls_pk_params_st * dst, const gnutls_pk_params_st * src) { unsigned int i, j; dst->params_nr = 0; if (src == NULL || src->params_nr == 0) { gnutls_assert(); return GNUTLS_E_INVALID_REQUEST; } dst->flags = src->flags; dst->algo = src->algo; for (i = 0; i < src->params_nr; i++) { dst->params[i] = _gnutls_mpi_copy(src->params[i]); if (dst->params[i] == NULL) { goto fail; } dst->params_nr++; } if (_gnutls_set_datum(&dst->raw_priv, src->raw_priv.data, src->raw_priv.size) < 0) { gnutls_assert(); goto fail; } if (_gnutls_set_datum(&dst->raw_pub, src->raw_pub.data, src->raw_pub.size) < 0) { gnutls_assert(); goto fail; } if (src->seed_size) { dst->seed_size = src->seed_size; memcpy(dst->seed, src->seed, src->seed_size); } dst->palgo = src->palgo; memcpy(&dst->sign, &src->sign, sizeof(gnutls_x509_spki_st)); return 0; fail: for (j = 0; j < i; j++) _gnutls_mpi_release(&dst->params[j]); return GNUTLS_E_MEMORY_ERROR; } void gnutls_pk_params_init(gnutls_pk_params_st * p) { memset(p, 0, sizeof(gnutls_pk_params_st)); } void gnutls_pk_params_release(gnutls_pk_params_st * p) { unsigned int i; for (i = 0; i < p->params_nr; i++) { _gnutls_mpi_release(&p->params[i]); } gnutls_free(p->raw_priv.data); gnutls_free(p->raw_pub.data); p->raw_priv.data = NULL; p->raw_pub.data = NULL; p->params_nr = 0; } void gnutls_pk_params_clear(gnutls_pk_params_st * p) { unsigned int i; for (i = 0; i < p->params_nr; i++) { if (p->params[i] != NULL) _gnutls_mpi_clear(p->params[i]); } gnutls_memset(p->seed, 0, p->seed_size); p->seed_size = 0; if (p->raw_priv.data != NULL) { gnutls_memset(p->raw_priv.data, 0, p->raw_priv.size); p->raw_priv.size = 0; } } unsigned _gnutls_find_rsa_pss_salt_size(unsigned bits, const mac_entry_st *me, unsigned salt_size) { unsigned max_salt_size, digest_size; digest_size = _gnutls_hash_get_algo_len(me); max_salt_size = (bits + 7) / 8 - digest_size - 2; if (salt_size < digest_size) salt_size = digest_size; if (salt_size > max_salt_size) salt_size = max_salt_size; return salt_size; } /* Writes the digest information and the digest in a DER encoded * structure. The digest info is allocated and stored into the info structure. */ int encode_ber_digest_info(const mac_entry_st * e, const gnutls_datum_t * digest, gnutls_datum_t * output) { ASN1_TYPE dinfo = ASN1_TYPE_EMPTY; int result; const char *algo; uint8_t *tmp_output; int tmp_output_size; algo = _gnutls_x509_mac_to_oid(e); if (algo == NULL) { gnutls_assert(); _gnutls_debug_log("Hash algorithm: %d has no OID\n", e->id); return GNUTLS_E_UNKNOWN_PK_ALGORITHM; } if ((result = asn1_create_element(_gnutls_get_gnutls_asn(), "GNUTLS.DigestInfo", &dinfo)) != ASN1_SUCCESS) { gnutls_assert(); return _gnutls_asn2err(result); } result = asn1_write_value(dinfo, "digestAlgorithm.algorithm", algo, 1); if (result != ASN1_SUCCESS) { gnutls_assert(); asn1_delete_structure(&dinfo); return _gnutls_asn2err(result); } /* Write an ASN.1 NULL in the parameters field. This matches RFC 3279 and RFC 4055, although is arguable incorrect from a historic perspective (see those documents for more information). Regardless of what is correct, this appears to be what most implementations do. */ result = asn1_write_value(dinfo, "digestAlgorithm.parameters", ASN1_NULL, ASN1_NULL_SIZE); if (result != ASN1_SUCCESS) { gnutls_assert(); asn1_delete_structure(&dinfo); return _gnutls_asn2err(result); } result = asn1_write_value(dinfo, "digest", digest->data, digest->size); if (result != ASN1_SUCCESS) { gnutls_assert(); asn1_delete_structure(&dinfo); return _gnutls_asn2err(result); } tmp_output_size = 0; result = asn1_der_coding(dinfo, "", NULL, &tmp_output_size, NULL); if (result != ASN1_MEM_ERROR) { gnutls_assert(); asn1_delete_structure(&dinfo); return _gnutls_asn2err(result); } tmp_output = gnutls_malloc(tmp_output_size); if (tmp_output == NULL) { gnutls_assert(); asn1_delete_structure(&dinfo); return GNUTLS_E_MEMORY_ERROR; } result = asn1_der_coding(dinfo, "", tmp_output, &tmp_output_size, NULL); if (result != ASN1_SUCCESS) { gnutls_assert(); asn1_delete_structure(&dinfo); return _gnutls_asn2err(result); } asn1_delete_structure(&dinfo); output->size = tmp_output_size; output->data = tmp_output; return 0; } /** * gnutls_encode_ber_digest_info: * @info: an RSA BER encoded DigestInfo structure * @hash: the hash algorithm that was used to get the digest * @digest: must contain the digest data * @output: will contain the allocated DigestInfo BER encoded data * * This function will encode the provided digest data, and its * algorithm into an RSA PKCS#1 1.5 DigestInfo structure. * * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise * an error code is returned. * * Since: 3.5.0 * **/ int gnutls_encode_ber_digest_info(gnutls_digest_algorithm_t hash, const gnutls_datum_t * digest, gnutls_datum_t * output) { const mac_entry_st *e = hash_to_entry(hash); if (unlikely(e == NULL)) return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); return encode_ber_digest_info(e , digest, output); } /** * gnutls_decode_ber_digest_info: * @info: an RSA BER encoded DigestInfo structure * @hash: will contain the hash algorithm of the structure * @digest: will contain the hash output of the structure * @digest_size: will contain the hash size of the structure; initially must hold the maximum size of @digest * * This function will parse an RSA PKCS#1 1.5 DigestInfo structure * and report the hash algorithm used as well as the digest data. * * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise * an error code is returned. * * Since: 3.5.0 * **/ int gnutls_decode_ber_digest_info(const gnutls_datum_t * info, gnutls_digest_algorithm_t * hash, unsigned char * digest, unsigned int *digest_size) { ASN1_TYPE dinfo = ASN1_TYPE_EMPTY; int result; char str[MAX(MAX_OID_SIZE, MAX_HASH_SIZE)]; int len; if ((result = asn1_create_element(_gnutls_get_gnutls_asn(), "GNUTLS.DigestInfo", &dinfo)) != ASN1_SUCCESS) { gnutls_assert(); return _gnutls_asn2err(result); } result = asn1_der_decoding(&dinfo, info->data, info->size, NULL); if (result != ASN1_SUCCESS) { gnutls_assert(); asn1_delete_structure(&dinfo); return _gnutls_asn2err(result); } len = sizeof(str) - 1; result = asn1_read_value(dinfo, "digestAlgorithm.algorithm", str, &len); if (result != ASN1_SUCCESS) { gnutls_assert(); asn1_delete_structure(&dinfo); return _gnutls_asn2err(result); } *hash = gnutls_oid_to_digest(str); if (*hash == GNUTLS_DIG_UNKNOWN) { _gnutls_debug_log("verify.c: HASH OID: %s\n", str); gnutls_assert(); asn1_delete_structure(&dinfo); return GNUTLS_E_UNKNOWN_HASH_ALGORITHM; } len = sizeof(str) - 1; result = asn1_read_value(dinfo, "digestAlgorithm.parameters", str, &len); /* To avoid permitting garbage in the parameters field, either the parameters field is not present, or it contains 0x05 0x00. */ if (!(result == ASN1_ELEMENT_NOT_FOUND || (result == ASN1_SUCCESS && len == ASN1_NULL_SIZE && memcmp(str, ASN1_NULL, ASN1_NULL_SIZE) == 0))) { gnutls_assert(); asn1_delete_structure(&dinfo); return GNUTLS_E_ASN1_GENERIC_ERROR; } len = *digest_size; result = asn1_read_value(dinfo, "digest", digest, &len); if (result != ASN1_SUCCESS) { gnutls_assert(); *digest_size = len; asn1_delete_structure(&dinfo); return _gnutls_asn2err(result); } *digest_size = len; asn1_delete_structure(&dinfo); return 0; } int _gnutls_params_get_rsa_raw(const gnutls_pk_params_st* params, gnutls_datum_t * m, gnutls_datum_t * e, gnutls_datum_t * d, gnutls_datum_t * p, gnutls_datum_t * q, gnutls_datum_t * u, gnutls_datum_t * e1, gnutls_datum_t * e2, unsigned int flags) { int ret; mpi_dprint_func dprint = _gnutls_mpi_dprint_lz; if (flags & GNUTLS_EXPORT_FLAG_NO_LZ) dprint = _gnutls_mpi_dprint; if (params == NULL) { gnutls_assert(); return GNUTLS_E_INVALID_REQUEST; } if (!GNUTLS_PK_IS_RSA(params->algo)) { gnutls_assert(); return GNUTLS_E_INVALID_REQUEST; } if (m) { ret = dprint(params->params[0], m); if (ret < 0) { gnutls_assert(); goto error; } } /* E */ if (e) { ret = dprint(params->params[1], e); if (ret < 0) { gnutls_assert(); goto error; } } /* D */ if (d && params->params[2]) { ret = dprint(params->params[2], d); if (ret < 0) { gnutls_assert(); goto error; } } else if (d) { d->data = NULL; d->size = 0; } /* P */ if (p && params->params[3]) { ret = dprint(params->params[3], p); if (ret < 0) { gnutls_assert(); goto error; } } else if (p) { p->data = NULL; p->size = 0; } /* Q */ if (q && params->params[4]) { ret = dprint(params->params[4], q); if (ret < 0) { gnutls_assert(); goto error; } } else if (q) { q->data = NULL; q->size = 0; } /* U */ if (u && params->params[5]) { ret = dprint(params->params[5], u); if (ret < 0) { gnutls_assert(); goto error; } } else if (u) { u->data = NULL; u->size = 0; } /* E1 */ if (e1 && params->params[6]) { ret = dprint(params->params[6], e1); if (ret < 0) { gnutls_assert(); goto error; } } else if (e1) { e1->data = NULL; e1->size = 0; } /* E2 */ if (e2 && params->params[7]) { ret = dprint(params->params[7], e2); if (ret < 0) { gnutls_assert(); goto error; } } else if (e2) { e2->data = NULL; e2->size = 0; } return 0; error: _gnutls_free_datum(m); _gnutls_free_datum(d); _gnutls_free_datum(e); _gnutls_free_datum(e1); _gnutls_free_datum(e2); _gnutls_free_datum(p); _gnutls_free_datum(q); return ret; } int _gnutls_params_get_dsa_raw(const gnutls_pk_params_st* params, gnutls_datum_t * p, gnutls_datum_t * q, gnutls_datum_t * g, gnutls_datum_t * y, gnutls_datum_t * x, unsigned int flags) { int ret; mpi_dprint_func dprint = _gnutls_mpi_dprint_lz; if (flags & GNUTLS_EXPORT_FLAG_NO_LZ) dprint = _gnutls_mpi_dprint; if (params == NULL) { gnutls_assert(); return GNUTLS_E_INVALID_REQUEST; } if (params->algo != GNUTLS_PK_DSA) { gnutls_assert(); return GNUTLS_E_INVALID_REQUEST; } /* P */ if (p) { ret = dprint(params->params[0], p); if (ret < 0) { gnutls_assert(); return ret; } } /* Q */ if (q) { ret = dprint(params->params[1], q); if (ret < 0) { gnutls_assert(); _gnutls_free_datum(p); return ret; } } /* G */ if (g) { ret = dprint(params->params[2], g); if (ret < 0) { gnutls_assert(); _gnutls_free_datum(p); _gnutls_free_datum(q); return ret; } } /* Y */ if (y) { ret = dprint(params->params[3], y); if (ret < 0) { gnutls_assert(); _gnutls_free_datum(p); _gnutls_free_datum(g); _gnutls_free_datum(q); return ret; } } /* X */ if (x) { ret = dprint(params->params[4], x); if (ret < 0) { gnutls_assert(); _gnutls_free_datum(y); _gnutls_free_datum(p); _gnutls_free_datum(g); _gnutls_free_datum(q); return ret; } } return 0; } int _gnutls_params_get_ecc_raw(const gnutls_pk_params_st* params, gnutls_ecc_curve_t * curve, gnutls_datum_t * x, gnutls_datum_t * y, gnutls_datum_t * k, unsigned int flags) { int ret; mpi_dprint_func dprint = _gnutls_mpi_dprint_lz; if (flags & GNUTLS_EXPORT_FLAG_NO_LZ) dprint = _gnutls_mpi_dprint; if (params == NULL) { gnutls_assert(); return GNUTLS_E_INVALID_REQUEST; } if (curve) *curve = params->flags; /* X */ if (x) { ret = dprint(params->params[ECC_X], x); if (ret < 0) { gnutls_assert(); return ret; } } /* Y */ if (y) { ret = dprint(params->params[ECC_Y], y); if (ret < 0) { gnutls_assert(); _gnutls_free_datum(x); return ret; } } /* K */ if (k) { ret = dprint(params->params[ECC_K], k); if (ret < 0) { gnutls_assert(); _gnutls_free_datum(x); _gnutls_free_datum(y); return ret; } } return 0; } int pk_hash_data(gnutls_pk_algorithm_t pk, const mac_entry_st * hash, gnutls_pk_params_st * params, const gnutls_datum_t * data, gnutls_datum_t * digest) { int ret; digest->size = _gnutls_hash_get_algo_len(hash); digest->data = gnutls_malloc(digest->size); if (digest->data == NULL) { gnutls_assert(); return GNUTLS_E_MEMORY_ERROR; } ret = _gnutls_hash_fast((gnutls_digest_algorithm_t)hash->id, data->data, data->size, digest->data); if (ret < 0) { gnutls_assert(); goto cleanup; } return 0; cleanup: gnutls_free(digest->data); return ret; } /* * This function will do RSA PKCS #1 1.5 encoding * on the given digest. The given digest must be allocated * and will be freed if replacement is required. */ int pk_prepare_hash(gnutls_pk_algorithm_t pk, const mac_entry_st * hash, gnutls_datum_t * digest) { int ret; gnutls_datum_t old_digest = { digest->data, digest->size }; switch (pk) { case GNUTLS_PK_RSA: if (unlikely(hash == NULL)) return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); /* Encode the digest as a DigestInfo */ if ((ret = encode_ber_digest_info(hash, &old_digest, digest)) != 0) { gnutls_assert(); return ret; } _gnutls_free_datum(&old_digest); break; case GNUTLS_PK_RSA_PSS: case GNUTLS_PK_DSA: case GNUTLS_PK_EC: break; default: gnutls_assert(); return GNUTLS_E_UNIMPLEMENTED_FEATURE; } return 0; }