/src/gnutls/lib/tls13-sig.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright (C) 2017-2019 Red Hat, Inc. |
3 | | * |
4 | | * Author: Nikos Mavrogiannopoulos |
5 | | * |
6 | | * This file is part of GnuTLS. |
7 | | * |
8 | | * The GnuTLS is free software; you can redistribute it and/or |
9 | | * modify it under the terms of the GNU Lesser General Public License |
10 | | * as published by the Free Software Foundation; either version 2.1 of |
11 | | * the License, or (at your option) any later version. |
12 | | * |
13 | | * This library is distributed in the hope that it will be useful, but |
14 | | * WITHOUT ANY WARRANTY; without even the implied warranty of |
15 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
16 | | * Lesser General Public License for more details. |
17 | | * |
18 | | * You should have received a copy of the GNU Lesser General Public License |
19 | | * along with this program. If not, see <https://www.gnu.org/licenses/> |
20 | | * |
21 | | */ |
22 | | |
23 | | #include "gnutls_int.h" |
24 | | #include "errors.h" |
25 | | #include "auth/cert.h" |
26 | | #include "algorithms.h" |
27 | | #include "ext/signature.h" |
28 | | #include "abstract_int.h" |
29 | | #include "tls13-sig.h" |
30 | | #include "tls-sig.h" |
31 | | #include "hash_int.h" |
32 | | |
33 | | #undef PREFIX_SIZE |
34 | 0 | #define PREFIX_SIZE 64 |
35 | | #if PREFIX_SIZE < MAX_HASH_SIZE |
36 | | /* we assume later that prefix is sufficient to store hash output */ |
37 | | #error Need to modify code |
38 | | #endif |
39 | | |
40 | | int _gnutls13_handshake_verify_data(gnutls_session_t session, |
41 | | unsigned verify_flags, |
42 | | gnutls_pcert_st *cert, |
43 | | const gnutls_datum_t *context, |
44 | | const gnutls_datum_t *signature, |
45 | | const gnutls_sign_entry_st *se) |
46 | 0 | { |
47 | 0 | int ret; |
48 | 0 | const version_entry_st *ver = get_version(session); |
49 | 0 | gnutls_buffer_st buf; |
50 | 0 | uint8_t prefix[PREFIX_SIZE]; |
51 | 0 | unsigned key_usage = 0; |
52 | 0 | gnutls_datum_t p; |
53 | |
|
54 | 0 | _gnutls_handshake_log( |
55 | 0 | "HSK[%p]: verifying TLS 1.3 handshake data using %s\n", session, |
56 | 0 | se->name); |
57 | |
|
58 | 0 | ret = _gnutls_pubkey_compatible_with_sig(session, cert->pubkey, ver, |
59 | 0 | se->id); |
60 | 0 | if (ret < 0) |
61 | 0 | return gnutls_assert_val(ret); |
62 | | |
63 | 0 | if (unlikely(sign_supports_cert_pk_algorithm( |
64 | 0 | se, cert->pubkey->params.algo) == 0)) { |
65 | 0 | _gnutls_handshake_log( |
66 | 0 | "HSK[%p]: certificate of %s cannot be combined with %s sig\n", |
67 | 0 | session, gnutls_pk_get_name(cert->pubkey->params.algo), |
68 | 0 | se->name); |
69 | 0 | return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); |
70 | 0 | } |
71 | | |
72 | 0 | ret = _gnutls_session_sign_algo_enabled(session, se->id); |
73 | 0 | if (ret < 0) |
74 | 0 | return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); |
75 | | |
76 | 0 | if ((se->flags & GNUTLS_SIGN_FLAG_TLS13_OK) == |
77 | 0 | 0) /* explicitly prohibited */ |
78 | 0 | return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); |
79 | | |
80 | 0 | gnutls_pubkey_get_key_usage(cert->pubkey, &key_usage); |
81 | |
|
82 | 0 | ret = _gnutls_check_key_usage_for_sig(session, key_usage, 0); |
83 | 0 | if (ret < 0) |
84 | 0 | return gnutls_assert_val(ret); |
85 | | |
86 | 0 | _gnutls_buffer_init(&buf); |
87 | |
|
88 | 0 | memset(prefix, 0x20, sizeof(prefix)); |
89 | 0 | ret = _gnutls_buffer_append_data(&buf, prefix, sizeof(prefix)); |
90 | 0 | if (ret < 0) { |
91 | 0 | gnutls_assert(); |
92 | 0 | goto cleanup; |
93 | 0 | } |
94 | | |
95 | 0 | ret = _gnutls_buffer_append_data(&buf, context->data, context->size); |
96 | 0 | if (ret < 0) { |
97 | 0 | gnutls_assert(); |
98 | 0 | goto cleanup; |
99 | 0 | } |
100 | | |
101 | 0 | ret = _gnutls_buffer_append_data(&buf, "\x00", 1); |
102 | 0 | if (ret < 0) { |
103 | 0 | gnutls_assert(); |
104 | 0 | goto cleanup; |
105 | 0 | } |
106 | | |
107 | 0 | ret = gnutls_hash_fast( |
108 | 0 | MAC_TO_DIG(session->security_parameters.prf->id), |
109 | 0 | session->internals.handshake_hash_buffer.data, |
110 | 0 | session->internals.handshake_hash_buffer_prev_len, prefix); |
111 | 0 | if (ret < 0) { |
112 | 0 | gnutls_assert(); |
113 | 0 | goto cleanup; |
114 | 0 | } |
115 | | |
116 | 0 | ret = _gnutls_buffer_append_data( |
117 | 0 | &buf, prefix, session->security_parameters.prf->output_size); |
118 | 0 | if (ret < 0) { |
119 | 0 | gnutls_assert(); |
120 | 0 | goto cleanup; |
121 | 0 | } |
122 | | |
123 | 0 | p.data = buf.data; |
124 | 0 | p.size = buf.length; |
125 | |
|
126 | 0 | verify_flags |= GNUTLS_VERIFY_RSA_PSS_FIXED_SALT_LENGTH; |
127 | 0 | ret = gnutls_pubkey_verify_data2(cert->pubkey, se->id, verify_flags, &p, |
128 | 0 | signature); |
129 | 0 | if (ret < 0) { |
130 | 0 | gnutls_assert(); |
131 | 0 | goto cleanup; |
132 | 0 | } |
133 | | |
134 | 0 | ret = 0; |
135 | 0 | cleanup: |
136 | 0 | _gnutls_buffer_clear(&buf); |
137 | |
|
138 | 0 | return ret; |
139 | 0 | } |
140 | | |
141 | | int _gnutls13_handshake_sign_data(gnutls_session_t session, |
142 | | gnutls_pcert_st *cert, gnutls_privkey_t pkey, |
143 | | const gnutls_datum_t *context, |
144 | | gnutls_datum_t *signature, |
145 | | const gnutls_sign_entry_st *se) |
146 | 0 | { |
147 | 0 | gnutls_datum_t p; |
148 | 0 | int ret; |
149 | 0 | gnutls_buffer_st buf; |
150 | 0 | uint8_t tmp[MAX_HASH_SIZE]; |
151 | |
|
152 | 0 | if (unlikely(se == NULL || |
153 | 0 | (se->flags & GNUTLS_SIGN_FLAG_TLS13_OK) == 0)) |
154 | 0 | return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); |
155 | | |
156 | 0 | if (unlikely(sign_supports_priv_pk_algorithm(se, pkey->pk_algorithm) == |
157 | 0 | 0)) |
158 | 0 | return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); |
159 | | |
160 | | /* when we reach here we know we have a signing certificate */ |
161 | 0 | _gnutls_handshake_log( |
162 | 0 | "HSK[%p]: signing TLS 1.3 handshake data: using %s and PRF: %s\n", |
163 | 0 | session, se->name, session->security_parameters.prf->name); |
164 | |
|
165 | 0 | _gnutls_buffer_init(&buf); |
166 | |
|
167 | 0 | ret = _gnutls_buffer_resize(&buf, PREFIX_SIZE); |
168 | 0 | if (ret < 0) { |
169 | 0 | gnutls_assert(); |
170 | 0 | goto cleanup; |
171 | 0 | } |
172 | | |
173 | 0 | memset(buf.data, 0x20, PREFIX_SIZE); |
174 | 0 | buf.length += PREFIX_SIZE; |
175 | |
|
176 | 0 | ret = _gnutls_buffer_append_data(&buf, context->data, context->size); |
177 | 0 | if (ret < 0) { |
178 | 0 | gnutls_assert(); |
179 | 0 | goto cleanup; |
180 | 0 | } |
181 | | |
182 | 0 | ret = _gnutls_buffer_append_data(&buf, "\x00", 1); |
183 | 0 | if (ret < 0) { |
184 | 0 | gnutls_assert(); |
185 | 0 | goto cleanup; |
186 | 0 | } |
187 | | |
188 | 0 | ret = gnutls_hash_fast(MAC_TO_DIG(session->security_parameters.prf->id), |
189 | 0 | session->internals.handshake_hash_buffer.data, |
190 | 0 | session->internals.handshake_hash_buffer.length, |
191 | 0 | tmp); |
192 | 0 | if (ret < 0) { |
193 | 0 | gnutls_assert(); |
194 | 0 | goto cleanup; |
195 | 0 | } |
196 | | |
197 | 0 | ret = _gnutls_buffer_append_data( |
198 | 0 | &buf, tmp, session->security_parameters.prf->output_size); |
199 | 0 | if (ret < 0) { |
200 | 0 | gnutls_assert(); |
201 | 0 | goto cleanup; |
202 | 0 | } |
203 | | |
204 | 0 | p.data = buf.data; |
205 | 0 | p.size = buf.length; |
206 | |
|
207 | 0 | ret = gnutls_privkey_sign_data2( |
208 | 0 | pkey, se->id, GNUTLS_PRIVKEY_FLAG_RSA_PSS_FIXED_SALT_LENGTH, &p, |
209 | 0 | signature); |
210 | 0 | if (ret < 0) { |
211 | 0 | gnutls_assert(); |
212 | 0 | goto cleanup; |
213 | 0 | } |
214 | | |
215 | 0 | ret = 0; |
216 | 0 | cleanup: |
217 | 0 | _gnutls_buffer_clear(&buf); |
218 | |
|
219 | 0 | return ret; |
220 | 0 | } |