Commit 8df27691 authored by Manuel Pégourié-Gonnard's avatar Manuel Pégourié-Gonnard
Browse files

Introduce pk_sign() and use it in ssl

parent 583b6084
......@@ -129,6 +129,13 @@ typedef struct
const unsigned char *hash, size_t hash_len,
const unsigned char *sig, size_t sig_len );
/** Make signature */
int (*sign_func)( void *ctx, md_type_t md_alg,
const unsigned char *hash, size_t hash_len,
unsigned char *sig, size_t *sig_len,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng );
/** Allocate a new context */
void * (*ctx_alloc_func)( void );
......@@ -218,6 +225,25 @@ int pk_verify( pk_context *ctx, md_type_t md_alg,
const unsigned char *hash, size_t hash_len,
const unsigned char *sig, size_t sig_len );
/**
* \brief Make signature
*
* \param ctx PK context to use
* \param md_alg Hash algorithm used
* \param hash Hash of the message to sign
* \param hash_len Hash length
* \param sig Place to write the signature
* \param sig_len Number of bytes written
* \param f_rng RNG function
* \param p_rng RNG parameter
*
* \return 0 on success, or a specific error code.
*/
int pk_sign( pk_context *ctx, md_type_t md_alg,
const unsigned char *hash, size_t hash_len,
unsigned char *sig, size_t *sig_len,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
/**
* \brief Export debug information
*
......
......@@ -580,6 +580,7 @@ struct _ssl_context
*/
pk_context *pk_key; /*!< own private key */
#if defined(POLARSSL_RSA_C)
int rsa_use_alt; /*<! flag for alt (temporary) */
void *rsa_key; /*!< own RSA private key */
rsa_decrypt_func rsa_decrypt; /*!< function for RSA decrypt*/
rsa_sign_func rsa_sign; /*!< function for RSA sign */
......
......@@ -130,11 +130,28 @@ int pk_verify( pk_context *ctx, md_type_t md_alg,
if( ctx->pk_info->verify_func == NULL )
return( POLARSSL_ERR_PK_TYPE_MISMATCH );
return( ctx->pk_info->verify_func( ctx->pk_ctx, md_alg,
hash, hash_len,
return( ctx->pk_info->verify_func( ctx->pk_ctx, md_alg, hash, hash_len,
sig, sig_len ) );
}
/*
* Make a signature
*/
int pk_sign( pk_context *ctx, md_type_t md_alg,
const unsigned char *hash, size_t hash_len,
unsigned char *sig, size_t *sig_len,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
{
if( ctx == NULL || ctx->pk_info == NULL )
return( POLARSSL_ERR_PK_BAD_INPUT_DATA );
if( ctx->pk_info->sign_func == NULL )
return( POLARSSL_ERR_PK_TYPE_MISMATCH );
return( ctx->pk_info->sign_func( ctx->pk_ctx, md_alg, hash, hash_len,
sig, sig_len, f_rng, p_rng ) );
}
/*
* Get key size in bits
*/
......
......@@ -69,6 +69,17 @@ static int rsa_verify_wrap( void *ctx, md_type_t md_alg,
RSA_PUBLIC, md_alg, hash_len, hash, sig ) );
}
static int rsa_sign_wrap( void *ctx, md_type_t md_alg,
const unsigned char *hash, size_t hash_len,
unsigned char *sig, size_t *sig_len,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
{
*sig_len = ((rsa_context *) ctx)->len;
return( rsa_pkcs1_sign( (rsa_context *) ctx, f_rng, p_rng, RSA_PRIVATE,
md_alg, hash_len, hash, sig ) );
}
static void *rsa_alloc_wrap( void )
{
void *ctx = polarssl_malloc( sizeof( rsa_context ) );
......@@ -104,6 +115,7 @@ const pk_info_t rsa_info = {
rsa_get_size,
rsa_can_do,
rsa_verify_wrap,
rsa_sign_wrap,
rsa_alloc_wrap,
rsa_free_wrap,
rsa_debug,
......@@ -127,11 +139,16 @@ static size_t eckey_get_size( const void *ctx )
}
#if defined(POLARSSL_ECDSA_C)
/* Forward declaration */
/* Forward declarations */
static int ecdsa_verify_wrap( void *ctx, md_type_t md_alg,
const unsigned char *hash, size_t hash_len,
const unsigned char *sig, size_t sig_len );
static int ecdsa_sign_wrap( void *ctx, md_type_t md_alg,
const unsigned char *hash, size_t hash_len,
unsigned char *sig, size_t *sig_len,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
static int eckey_verify_wrap( void *ctx, md_type_t md_alg,
const unsigned char *hash, size_t hash_len,
const unsigned char *sig, size_t sig_len )
......@@ -148,6 +165,26 @@ static int eckey_verify_wrap( void *ctx, md_type_t md_alg,
return( ret );
}
static int eckey_sign_wrap( void *ctx, md_type_t md_alg,
const unsigned char *hash, size_t hash_len,
unsigned char *sig, size_t *sig_len,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
{
int ret;
ecdsa_context ecdsa;
ecdsa_init( &ecdsa );
if( ( ret = ecdsa_from_keypair( &ecdsa, ctx ) ) == 0 )
ret = ecdsa_sign_wrap( &ecdsa, md_alg, hash, hash_len, sig, sig_len,
f_rng, p_rng );
ecdsa_free( &ecdsa );
return( ret );
}
#endif /* POLARSSL_ECDSA_C */
static void *eckey_alloc_wrap( void )
......@@ -180,8 +217,10 @@ const pk_info_t eckey_info = {
eckey_can_do,
#if defined(POLARSSL_ECDSA_C)
eckey_verify_wrap,
eckey_sign_wrap,
#else
NULL,
NULL,
#endif
eckey_alloc_wrap,
eckey_free_wrap,
......@@ -203,6 +242,7 @@ const pk_info_t eckeydh_info = {
eckey_get_size, /* Same underlying key structure */
eckeydh_can_do,
NULL,
NULL,
eckey_alloc_wrap, /* Same underlying key structure */
eckey_free_wrap, /* Same underlying key structure */
eckey_debug, /* Same underlying key structure */
......@@ -225,6 +265,17 @@ static int ecdsa_verify_wrap( void *ctx, md_type_t md_alg,
hash, hash_len, sig, sig_len ) );
}
static int ecdsa_sign_wrap( void *ctx, md_type_t md_alg,
const unsigned char *hash, size_t hash_len,
unsigned char *sig, size_t *sig_len,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
{
((void) md_alg);
return( ecdsa_write_signature( (ecdsa_context *) ctx,
hash, hash_len, sig, sig_len, f_rng, p_rng ) );
}
static void *ecdsa_alloc_wrap( void )
{
void *ctx = polarssl_malloc( sizeof( ecdsa_context ) );
......@@ -247,6 +298,7 @@ const pk_info_t ecdsa_info = {
eckey_get_size, /* Compatible key structures */
ecdsa_can_do,
ecdsa_verify_wrap,
ecdsa_sign_wrap,
ecdsa_alloc_wrap,
ecdsa_free_wrap,
eckey_debug, /* Compatible key structures */
......
......@@ -2044,40 +2044,42 @@ static int ssl_write_certificate_verify( ssl_context *ssl )
if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
ssl->out_msg[5] = SSL_SIG_RSA;
if( ( ret = ssl->rsa_sign( ssl->rsa_key, ssl->f_rng, ssl->p_rng,
RSA_PRIVATE, md_alg,
hashlen, hash, ssl->out_msg + 6 + offset ) ) != 0 )
if( ssl->rsa_use_alt )
{
SSL_DEBUG_RET( 1, "pkcs1_sign", ret );
return( ret );
}
if( ( ret = ssl->rsa_sign( ssl->rsa_key, ssl->f_rng, ssl->p_rng,
RSA_PRIVATE, md_alg,
hashlen, hash, ssl->out_msg + 6 + offset ) ) != 0 )
{
SSL_DEBUG_RET( 1, "rsa_sign", ret );
return( ret );
}
n = ssl->rsa_key_len ( ssl->rsa_key );
n = ssl->rsa_key_len ( ssl->rsa_key );
}
else
{
if( ( ret = pk_sign( ssl->pk_key, md_alg, hash, hashlen,
ssl->out_msg + 6 + offset, &n,
ssl->f_rng, ssl->p_rng ) ) != 0 )
{
SSL_DEBUG_RET( 1, "pk_sign", ret );
return( ret );
}
}
}
else
#endif /* POLARSSL_RSA_C */
#if defined(POLARSSL_ECDSA_C)
if( pk_can_do( ssl->pk_key, POLARSSL_PK_ECDSA ) )
{
ecdsa_context ecdsa;
if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
ssl->out_msg[5] = SSL_SIG_ECDSA;
ecdsa_init( &ecdsa );
if( ( ret = ecdsa_from_keypair( &ecdsa, ssl->pk_key->pk_ctx ) ) == 0 )
{
ret = ecdsa_write_signature( &ecdsa, hash, hashlen,
ssl->out_msg + 6 + offset, &n,
ssl->f_rng, ssl->p_rng );
}
ecdsa_free( &ecdsa );
if( ret != 0 )
if( ( ret = pk_sign( ssl->pk_key, md_alg, hash, hashlen,
ssl->out_msg + 6 + offset, &n,
ssl->f_rng, ssl->p_rng ) ) != 0 )
{
SSL_DEBUG_RET( 1, "ecdsa_sign", ret );
SSL_DEBUG_RET( 1, "pk_sign", ret );
return( ret );
}
}
......
......@@ -2080,22 +2080,34 @@ static int ssl_write_server_key_exchange( ssl_context *ssl )
n += 2;
}
if( ( ret = ssl->rsa_sign( ssl->rsa_key, ssl->f_rng, ssl->p_rng,
RSA_PRIVATE, md_alg, hashlen, hash, p + 2 ) ) != 0 )
if( ssl->rsa_use_alt )
{
SSL_DEBUG_RET( 1, "rsa_sign", ret );
return( ret );
}
if( ( ret = ssl->rsa_sign( ssl->rsa_key, ssl->f_rng,
ssl->p_rng, RSA_PRIVATE, md_alg, hashlen,
hash, p + 2 ) ) != 0 )
{
SSL_DEBUG_RET( 1, "rsa_sign", ret );
return( ret );
}
signature_len = ssl->rsa_key_len( ssl->rsa_key );
signature_len = ssl->rsa_key_len( ssl->rsa_key );
}
else
{
if( ( ret = pk_sign( ssl->pk_key, md_alg, hash, hashlen,
p + 2 , &signature_len,
ssl->f_rng, ssl->p_rng ) ) != 0 )
{
SSL_DEBUG_RET( 1, "pk_sign", ret );
return( ret );
}
}
}
else
#endif /* POLARSSL_RSA_C */
#if defined(POLARSSL_ECDSA_C)
if( pk_can_do( ssl->pk_key, POLARSSL_PK_ECDSA ) )
{
ecdsa_context ecdsa;
if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
{
*(p++) = ssl->handshake->sig_alg;
......@@ -2104,21 +2116,11 @@ static int ssl_write_server_key_exchange( ssl_context *ssl )
n += 2;
}
ecdsa_init( &ecdsa );
ret = ecdsa_from_keypair( &ecdsa, ssl->pk_key->pk_ctx );
if( ret == 0 )
{
ret = ecdsa_write_signature( &ecdsa, hash, hashlen,
p + 2, &signature_len,
ssl->f_rng, ssl->p_rng );
}
ecdsa_free( &ecdsa );
if( ret != 0 )
if( ( ret = pk_sign( ssl->pk_key, md_alg, hash, hashlen,
p + 2 , &signature_len,
ssl->f_rng, ssl->p_rng ) ) != 0 )
{
SSL_DEBUG_RET( 1, "ecdsa_sign", ret );
SSL_DEBUG_RET( 1, "pk_sign", ret );
return( ret );
}
}
......
......@@ -3169,6 +3169,7 @@ void ssl_set_own_cert_alt_rsa( ssl_context *ssl, x509_cert *own_cert,
rsa_key_len_func rsa_key_len )
{
ssl->own_cert = own_cert;
ssl->rsa_use_alt = 1;
ssl->rsa_key = rsa_key;
ssl->rsa_decrypt = rsa_decrypt;
ssl->rsa_sign = rsa_sign;
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment