1/*
2 * validator/val_secalgo.c - validator security algorithm functions.
3 *
4 * Copyright (c) 2012, NLnet Labs. All rights reserved.
5 *
6 * This software is open source.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * Redistributions of source code must retain the above copyright notice,
13 * this list of conditions and the following disclaimer.
14 *
15 * Redistributions in binary form must reproduce the above copyright notice,
16 * this list of conditions and the following disclaimer in the documentation
17 * and/or other materials provided with the distribution.
18 *
19 * Neither the name of the NLNET LABS nor the names of its contributors may
20 * be used to endorse or promote products derived from this software without
21 * specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34 */
35
36/**
37 * \file
38 *
39 * This file contains helper functions for the validator module.
40 * These functions take raw data buffers, formatted for crypto verification,
41 * and do the library calls (for the crypto library in use).
42 */
43#include "config.h"
44/* packed_rrset on top to define enum types (forced by c99 standard) */
45#include "util/data/packed_rrset.h"
46#include "validator/val_secalgo.h"
| 1/*
2 * validator/val_secalgo.c - validator security algorithm functions.
3 *
4 * Copyright (c) 2012, NLnet Labs. All rights reserved.
5 *
6 * This software is open source.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * Redistributions of source code must retain the above copyright notice,
13 * this list of conditions and the following disclaimer.
14 *
15 * Redistributions in binary form must reproduce the above copyright notice,
16 * this list of conditions and the following disclaimer in the documentation
17 * and/or other materials provided with the distribution.
18 *
19 * Neither the name of the NLNET LABS nor the names of its contributors may
20 * be used to endorse or promote products derived from this software without
21 * specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34 */
35
36/**
37 * \file
38 *
39 * This file contains helper functions for the validator module.
40 * These functions take raw data buffers, formatted for crypto verification,
41 * and do the library calls (for the crypto library in use).
42 */
43#include "config.h"
44/* packed_rrset on top to define enum types (forced by c99 standard) */
45#include "util/data/packed_rrset.h"
46#include "validator/val_secalgo.h"
|
| 47#include "validator/val_nsec3.h"
|
47#include "util/log.h"
48#include "sldns/rrdef.h"
49#include "sldns/keyraw.h"
50#include "sldns/sbuffer.h"
51
| 48#include "util/log.h"
49#include "sldns/rrdef.h"
50#include "sldns/keyraw.h"
51#include "sldns/sbuffer.h"
52
|
52#if !defined(HAVE_SSL) && !defined(HAVE_NSS)
| 53#if !defined(HAVE_SSL) && !defined(HAVE_NSS) && !defined(HAVE_NETTLE)
|
53#error "Need crypto library to do digital signature cryptography"
54#endif
55
56/* OpenSSL implementation */
57#ifdef HAVE_SSL
58#ifdef HAVE_OPENSSL_ERR_H
59#include <openssl/err.h>
60#endif
61
62#ifdef HAVE_OPENSSL_RAND_H
63#include <openssl/rand.h>
64#endif
65
66#ifdef HAVE_OPENSSL_CONF_H
67#include <openssl/conf.h>
68#endif
69
70#ifdef HAVE_OPENSSL_ENGINE_H
71#include <openssl/engine.h>
72#endif
73
| 54#error "Need crypto library to do digital signature cryptography"
55#endif
56
57/* OpenSSL implementation */
58#ifdef HAVE_SSL
59#ifdef HAVE_OPENSSL_ERR_H
60#include <openssl/err.h>
61#endif
62
63#ifdef HAVE_OPENSSL_RAND_H
64#include <openssl/rand.h>
65#endif
66
67#ifdef HAVE_OPENSSL_CONF_H
68#include <openssl/conf.h>
69#endif
70
71#ifdef HAVE_OPENSSL_ENGINE_H
72#include <openssl/engine.h>
73#endif
74
|
| 75/* return size of digest if supported, or 0 otherwise */
76size_t
77nsec3_hash_algo_size_supported(int id)
78{
79 switch(id) {
80 case NSEC3_HASH_SHA1:
81 return SHA_DIGEST_LENGTH;
82 default:
83 return 0;
84 }
85}
86
87/* perform nsec3 hash. return false on failure */
88int
89secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
90 unsigned char* res)
91{
92 switch(algo) {
93 case NSEC3_HASH_SHA1:
94 (void)SHA1(buf, len, res);
95 return 1;
96 default:
97 return 0;
98 }
99}
100
|
74/**
75 * Return size of DS digest according to its hash algorithm.
76 * @param algo: DS digest algo.
| 101/**
102 * Return size of DS digest according to its hash algorithm.
103 * @param algo: DS digest algo.
|
77 * @return size in bytes of digest, or 0 if not supported.
| 104 * @return size in bytes of digest, or 0 if not supported.
|
78 */
79size_t
80ds_digest_size_supported(int algo)
81{
82 switch(algo) {
83#ifdef HAVE_EVP_SHA1
84 case LDNS_SHA1:
85 return SHA_DIGEST_LENGTH;
86#endif
87#ifdef HAVE_EVP_SHA256
88 case LDNS_SHA256:
89 return SHA256_DIGEST_LENGTH;
90#endif
91#ifdef USE_GOST
92 case LDNS_HASH_GOST:
93 if(EVP_get_digestbyname("md_gost94"))
94 return 32;
95 else return 0;
96#endif
97#ifdef USE_ECDSA
98 case LDNS_SHA384:
99 return SHA384_DIGEST_LENGTH;
100#endif
101 default: break;
102 }
103 return 0;
104}
105
106#ifdef USE_GOST
107/** Perform GOST hash */
108static int
109do_gost94(unsigned char* data, size_t len, unsigned char* dest)
110{
111 const EVP_MD* md = EVP_get_digestbyname("md_gost94");
112 if(!md)
113 return 0;
114 return sldns_digest_evp(data, (unsigned int)len, dest, md);
115}
116#endif
117
118int
119secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
120 unsigned char* res)
121{
122 switch(algo) {
123#ifdef HAVE_EVP_SHA1
124 case LDNS_SHA1:
125 (void)SHA1(buf, len, res);
126 return 1;
127#endif
128#ifdef HAVE_EVP_SHA256
129 case LDNS_SHA256:
130 (void)SHA256(buf, len, res);
131 return 1;
132#endif
133#ifdef USE_GOST
134 case LDNS_HASH_GOST:
135 if(do_gost94(buf, len, res))
136 return 1;
137 break;
138#endif
139#ifdef USE_ECDSA
140 case LDNS_SHA384:
141 (void)SHA384(buf, len, res);
142 return 1;
143#endif
144 default:
145 verbose(VERB_QUERY, "unknown DS digest algorithm %d",
146 algo);
147 break;
148 }
149 return 0;
150}
151
152/** return true if DNSKEY algorithm id is supported */
153int
154dnskey_algo_id_is_supported(int id)
155{
156 switch(id) {
157 case LDNS_RSAMD5:
158 /* RFC 6725 deprecates RSAMD5 */
159 return 0;
160 case LDNS_DSA:
161 case LDNS_DSA_NSEC3:
162 case LDNS_RSASHA1:
163 case LDNS_RSASHA1_NSEC3:
164#if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
165 case LDNS_RSASHA256:
166#endif
167#if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
168 case LDNS_RSASHA512:
169#endif
170#ifdef USE_ECDSA
171 case LDNS_ECDSAP256SHA256:
172 case LDNS_ECDSAP384SHA384:
173#endif
174 return 1;
175#ifdef USE_GOST
176 case LDNS_ECC_GOST:
177 /* we support GOST if it can be loaded */
178 return sldns_key_EVP_load_gost_id();
179#endif
180 default:
181 return 0;
182 }
183}
184
185/**
186 * Output a libcrypto openssl error to the logfile.
187 * @param str: string to add to it.
188 * @param e: the error to output, error number from ERR_get_error().
189 */
190static void
191log_crypto_error(const char* str, unsigned long e)
192{
193 char buf[128];
194 /* or use ERR_error_string if ERR_error_string_n is not avail TODO */
195 ERR_error_string_n(e, buf, sizeof(buf));
196 /* buf now contains */
197 /* error:[error code]:[library name]:[function name]:[reason string] */
198 log_err("%s crypto %s", str, buf);
199}
200
201/**
202 * Setup DSA key digest in DER encoding ...
203 * @param sig: input is signature output alloced ptr (unless failure).
204 * caller must free alloced ptr if this routine returns true.
205 * @param len: input is initial siglen, output is output len.
206 * @return false on failure.
207 */
208static int
209setup_dsa_sig(unsigned char** sig, unsigned int* len)
210{
211 unsigned char* orig = *sig;
212 unsigned int origlen = *len;
213 int newlen;
214 BIGNUM *R, *S;
215 DSA_SIG *dsasig;
216
217 /* extract the R and S field from the sig buffer */
218 if(origlen < 1 + 2*SHA_DIGEST_LENGTH)
219 return 0;
220 R = BN_new();
221 if(!R) return 0;
222 (void) BN_bin2bn(orig + 1, SHA_DIGEST_LENGTH, R);
223 S = BN_new();
224 if(!S) return 0;
225 (void) BN_bin2bn(orig + 21, SHA_DIGEST_LENGTH, S);
226 dsasig = DSA_SIG_new();
227 if(!dsasig) return 0;
228
229 dsasig->r = R;
230 dsasig->s = S;
231 *sig = NULL;
232 newlen = i2d_DSA_SIG(dsasig, sig);
233 if(newlen < 0) {
234 DSA_SIG_free(dsasig);
235 free(*sig);
236 return 0;
237 }
238 *len = (unsigned int)newlen;
239 DSA_SIG_free(dsasig);
240 return 1;
241}
242
243#ifdef USE_ECDSA
244/**
245 * Setup the ECDSA signature in its encoding that the library wants.
246 * Converts from plain numbers to ASN formatted.
247 * @param sig: input is signature, output alloced ptr (unless failure).
248 * caller must free alloced ptr if this routine returns true.
249 * @param len: input is initial siglen, output is output len.
250 * @return false on failure.
251 */
252static int
253setup_ecdsa_sig(unsigned char** sig, unsigned int* len)
254{
255 ECDSA_SIG* ecdsa_sig;
256 int newlen;
257 int bnsize = (int)((*len)/2);
258 /* if too short or not even length, fails */
259 if(*len < 16 || bnsize*2 != (int)*len)
260 return 0;
261 /* use the raw data to parse two evenly long BIGNUMs, "r | s". */
262 ecdsa_sig = ECDSA_SIG_new();
263 if(!ecdsa_sig) return 0;
264 ecdsa_sig->r = BN_bin2bn(*sig, bnsize, ecdsa_sig->r);
265 ecdsa_sig->s = BN_bin2bn(*sig+bnsize, bnsize, ecdsa_sig->s);
266 if(!ecdsa_sig->r || !ecdsa_sig->s) {
267 ECDSA_SIG_free(ecdsa_sig);
268 return 0;
269 }
270
271 /* spool it into ASN format */
272 *sig = NULL;
273 newlen = i2d_ECDSA_SIG(ecdsa_sig, sig);
274 if(newlen <= 0) {
275 ECDSA_SIG_free(ecdsa_sig);
276 free(*sig);
277 return 0;
278 }
279 *len = (unsigned int)newlen;
280 ECDSA_SIG_free(ecdsa_sig);
281 return 1;
282}
283#endif /* USE_ECDSA */
284
285/**
286 * Setup key and digest for verification. Adjust sig if necessary.
287 *
288 * @param algo: key algorithm
289 * @param evp_key: EVP PKEY public key to create.
290 * @param digest_type: digest type to use
291 * @param key: key to setup for.
292 * @param keylen: length of key.
293 * @return false on failure.
294 */
295static int
296setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type,
297 unsigned char* key, size_t keylen)
298{
299 DSA* dsa;
300 RSA* rsa;
301
302 switch(algo) {
303 case LDNS_DSA:
304 case LDNS_DSA_NSEC3:
305 *evp_key = EVP_PKEY_new();
306 if(!*evp_key) {
307 log_err("verify: malloc failure in crypto");
308 return 0;
309 }
310 dsa = sldns_key_buf2dsa_raw(key, keylen);
311 if(!dsa) {
312 verbose(VERB_QUERY, "verify: "
313 "sldns_key_buf2dsa_raw failed");
314 return 0;
315 }
316 if(EVP_PKEY_assign_DSA(*evp_key, dsa) == 0) {
317 verbose(VERB_QUERY, "verify: "
318 "EVP_PKEY_assign_DSA failed");
319 return 0;
320 }
321 *digest_type = EVP_dss1();
322
323 break;
324 case LDNS_RSASHA1:
325 case LDNS_RSASHA1_NSEC3:
326#if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
327 case LDNS_RSASHA256:
328#endif
329#if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
330 case LDNS_RSASHA512:
331#endif
332 *evp_key = EVP_PKEY_new();
333 if(!*evp_key) {
334 log_err("verify: malloc failure in crypto");
335 return 0;
336 }
337 rsa = sldns_key_buf2rsa_raw(key, keylen);
338 if(!rsa) {
339 verbose(VERB_QUERY, "verify: "
340 "sldns_key_buf2rsa_raw SHA failed");
341 return 0;
342 }
343 if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) {
344 verbose(VERB_QUERY, "verify: "
345 "EVP_PKEY_assign_RSA SHA failed");
346 return 0;
347 }
348
349 /* select SHA version */
350#if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
351 if(algo == LDNS_RSASHA256)
352 *digest_type = EVP_sha256();
353 else
354#endif
355#if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
356 if(algo == LDNS_RSASHA512)
357 *digest_type = EVP_sha512();
358 else
359#endif
360 *digest_type = EVP_sha1();
361
362 break;
363 case LDNS_RSAMD5:
364 *evp_key = EVP_PKEY_new();
365 if(!*evp_key) {
366 log_err("verify: malloc failure in crypto");
367 return 0;
368 }
369 rsa = sldns_key_buf2rsa_raw(key, keylen);
370 if(!rsa) {
371 verbose(VERB_QUERY, "verify: "
372 "sldns_key_buf2rsa_raw MD5 failed");
373 return 0;
374 }
375 if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) {
376 verbose(VERB_QUERY, "verify: "
377 "EVP_PKEY_assign_RSA MD5 failed");
378 return 0;
379 }
380 *digest_type = EVP_md5();
381
382 break;
383#ifdef USE_GOST
384 case LDNS_ECC_GOST:
385 *evp_key = sldns_gost2pkey_raw(key, keylen);
386 if(!*evp_key) {
387 verbose(VERB_QUERY, "verify: "
388 "sldns_gost2pkey_raw failed");
389 return 0;
390 }
391 *digest_type = EVP_get_digestbyname("md_gost94");
392 if(!*digest_type) {
393 verbose(VERB_QUERY, "verify: "
394 "EVP_getdigest md_gost94 failed");
395 return 0;
396 }
397 break;
398#endif
399#ifdef USE_ECDSA
400 case LDNS_ECDSAP256SHA256:
401 *evp_key = sldns_ecdsa2pkey_raw(key, keylen,
402 LDNS_ECDSAP256SHA256);
403 if(!*evp_key) {
404 verbose(VERB_QUERY, "verify: "
405 "sldns_ecdsa2pkey_raw failed");
406 return 0;
407 }
408#ifdef USE_ECDSA_EVP_WORKAROUND
409 /* openssl before 1.0.0 fixes RSA with the SHA256
410 * hash in EVP. We create one for ecdsa_sha256 */
411 {
412 static int md_ecdsa_256_done = 0;
413 static EVP_MD md;
414 if(!md_ecdsa_256_done) {
415 EVP_MD m = *EVP_sha256();
416 md_ecdsa_256_done = 1;
417 m.required_pkey_type[0] = (*evp_key)->type;
418 m.verify = (void*)ECDSA_verify;
419 md = m;
420 }
421 *digest_type = &md;
422 }
423#else
424 *digest_type = EVP_sha256();
425#endif
426 break;
427 case LDNS_ECDSAP384SHA384:
428 *evp_key = sldns_ecdsa2pkey_raw(key, keylen,
429 LDNS_ECDSAP384SHA384);
430 if(!*evp_key) {
431 verbose(VERB_QUERY, "verify: "
432 "sldns_ecdsa2pkey_raw failed");
433 return 0;
434 }
435#ifdef USE_ECDSA_EVP_WORKAROUND
436 /* openssl before 1.0.0 fixes RSA with the SHA384
437 * hash in EVP. We create one for ecdsa_sha384 */
438 {
439 static int md_ecdsa_384_done = 0;
440 static EVP_MD md;
441 if(!md_ecdsa_384_done) {
442 EVP_MD m = *EVP_sha384();
443 md_ecdsa_384_done = 1;
444 m.required_pkey_type[0] = (*evp_key)->type;
445 m.verify = (void*)ECDSA_verify;
446 md = m;
447 }
448 *digest_type = &md;
449 }
450#else
451 *digest_type = EVP_sha384();
452#endif
453 break;
454#endif /* USE_ECDSA */
455 default:
456 verbose(VERB_QUERY, "verify: unknown algorithm %d",
457 algo);
458 return 0;
459 }
460 return 1;
461}
462
463/**
464 * Check a canonical sig+rrset and signature against a dnskey
465 * @param buf: buffer with data to verify, the first rrsig part and the
466 * canonicalized rrset.
467 * @param algo: DNSKEY algorithm.
468 * @param sigblock: signature rdata field from RRSIG
469 * @param sigblock_len: length of sigblock data.
470 * @param key: public key data from DNSKEY RR.
471 * @param keylen: length of keydata.
472 * @param reason: bogus reason in more detail.
473 * @return secure if verification succeeded, bogus on crypto failure,
474 * unchecked on format errors and alloc failures.
475 */
476enum sec_status
477verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
478 unsigned int sigblock_len, unsigned char* key, unsigned int keylen,
479 char** reason)
480{
481 const EVP_MD *digest_type;
482 EVP_MD_CTX ctx;
483 int res, dofree = 0;
484 EVP_PKEY *evp_key = NULL;
485
486 if(!setup_key_digest(algo, &evp_key, &digest_type, key, keylen)) {
487 verbose(VERB_QUERY, "verify: failed to setup key");
488 *reason = "use of key for crypto failed";
489 EVP_PKEY_free(evp_key);
490 return sec_status_bogus;
491 }
492 /* if it is a DSA signature in bind format, convert to DER format */
493 if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) &&
494 sigblock_len == 1+2*SHA_DIGEST_LENGTH) {
495 if(!setup_dsa_sig(&sigblock, &sigblock_len)) {
496 verbose(VERB_QUERY, "verify: failed to setup DSA sig");
497 *reason = "use of key for DSA crypto failed";
498 EVP_PKEY_free(evp_key);
499 return sec_status_bogus;
500 }
501 dofree = 1;
502 }
503#ifdef USE_ECDSA
504 else if(algo == LDNS_ECDSAP256SHA256 || algo == LDNS_ECDSAP384SHA384) {
505 /* EVP uses ASN prefix on sig, which is not in the wire data */
506 if(!setup_ecdsa_sig(&sigblock, &sigblock_len)) {
507 verbose(VERB_QUERY, "verify: failed to setup ECDSA sig");
508 *reason = "use of signature for ECDSA crypto failed";
509 EVP_PKEY_free(evp_key);
510 return sec_status_bogus;
511 }
512 dofree = 1;
513 }
514#endif /* USE_ECDSA */
515
516 /* do the signature cryptography work */
517 EVP_MD_CTX_init(&ctx);
518 if(EVP_VerifyInit(&ctx, digest_type) == 0) {
519 verbose(VERB_QUERY, "verify: EVP_VerifyInit failed");
520 EVP_PKEY_free(evp_key);
521 if(dofree) free(sigblock);
522 return sec_status_unchecked;
523 }
524 if(EVP_VerifyUpdate(&ctx, (unsigned char*)sldns_buffer_begin(buf),
525 (unsigned int)sldns_buffer_limit(buf)) == 0) {
526 verbose(VERB_QUERY, "verify: EVP_VerifyUpdate failed");
527 EVP_PKEY_free(evp_key);
528 if(dofree) free(sigblock);
529 return sec_status_unchecked;
530 }
531
532 res = EVP_VerifyFinal(&ctx, sigblock, sigblock_len, evp_key);
533 if(EVP_MD_CTX_cleanup(&ctx) == 0) {
534 verbose(VERB_QUERY, "verify: EVP_MD_CTX_cleanup failed");
535 EVP_PKEY_free(evp_key);
536 if(dofree) free(sigblock);
537 return sec_status_unchecked;
538 }
539 EVP_PKEY_free(evp_key);
540
541 if(dofree)
542 free(sigblock);
543
544 if(res == 1) {
545 return sec_status_secure;
546 } else if(res == 0) {
547 verbose(VERB_QUERY, "verify: signature mismatch");
548 *reason = "signature crypto failed";
549 return sec_status_bogus;
550 }
551
552 log_crypto_error("verify:", ERR_get_error());
553 return sec_status_unchecked;
554}
555
556/**************************************************/
557#elif defined(HAVE_NSS)
558/* libnss implementation */
559/* nss3 */
560#include "sechash.h"
561#include "pk11pub.h"
562#include "keyhi.h"
563#include "secerr.h"
564#include "cryptohi.h"
565/* nspr4 */
566#include "prerror.h"
567
| 105 */
106size_t
107ds_digest_size_supported(int algo)
108{
109 switch(algo) {
110#ifdef HAVE_EVP_SHA1
111 case LDNS_SHA1:
112 return SHA_DIGEST_LENGTH;
113#endif
114#ifdef HAVE_EVP_SHA256
115 case LDNS_SHA256:
116 return SHA256_DIGEST_LENGTH;
117#endif
118#ifdef USE_GOST
119 case LDNS_HASH_GOST:
120 if(EVP_get_digestbyname("md_gost94"))
121 return 32;
122 else return 0;
123#endif
124#ifdef USE_ECDSA
125 case LDNS_SHA384:
126 return SHA384_DIGEST_LENGTH;
127#endif
128 default: break;
129 }
130 return 0;
131}
132
133#ifdef USE_GOST
134/** Perform GOST hash */
135static int
136do_gost94(unsigned char* data, size_t len, unsigned char* dest)
137{
138 const EVP_MD* md = EVP_get_digestbyname("md_gost94");
139 if(!md)
140 return 0;
141 return sldns_digest_evp(data, (unsigned int)len, dest, md);
142}
143#endif
144
145int
146secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
147 unsigned char* res)
148{
149 switch(algo) {
150#ifdef HAVE_EVP_SHA1
151 case LDNS_SHA1:
152 (void)SHA1(buf, len, res);
153 return 1;
154#endif
155#ifdef HAVE_EVP_SHA256
156 case LDNS_SHA256:
157 (void)SHA256(buf, len, res);
158 return 1;
159#endif
160#ifdef USE_GOST
161 case LDNS_HASH_GOST:
162 if(do_gost94(buf, len, res))
163 return 1;
164 break;
165#endif
166#ifdef USE_ECDSA
167 case LDNS_SHA384:
168 (void)SHA384(buf, len, res);
169 return 1;
170#endif
171 default:
172 verbose(VERB_QUERY, "unknown DS digest algorithm %d",
173 algo);
174 break;
175 }
176 return 0;
177}
178
179/** return true if DNSKEY algorithm id is supported */
180int
181dnskey_algo_id_is_supported(int id)
182{
183 switch(id) {
184 case LDNS_RSAMD5:
185 /* RFC 6725 deprecates RSAMD5 */
186 return 0;
187 case LDNS_DSA:
188 case LDNS_DSA_NSEC3:
189 case LDNS_RSASHA1:
190 case LDNS_RSASHA1_NSEC3:
191#if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
192 case LDNS_RSASHA256:
193#endif
194#if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
195 case LDNS_RSASHA512:
196#endif
197#ifdef USE_ECDSA
198 case LDNS_ECDSAP256SHA256:
199 case LDNS_ECDSAP384SHA384:
200#endif
201 return 1;
202#ifdef USE_GOST
203 case LDNS_ECC_GOST:
204 /* we support GOST if it can be loaded */
205 return sldns_key_EVP_load_gost_id();
206#endif
207 default:
208 return 0;
209 }
210}
211
212/**
213 * Output a libcrypto openssl error to the logfile.
214 * @param str: string to add to it.
215 * @param e: the error to output, error number from ERR_get_error().
216 */
217static void
218log_crypto_error(const char* str, unsigned long e)
219{
220 char buf[128];
221 /* or use ERR_error_string if ERR_error_string_n is not avail TODO */
222 ERR_error_string_n(e, buf, sizeof(buf));
223 /* buf now contains */
224 /* error:[error code]:[library name]:[function name]:[reason string] */
225 log_err("%s crypto %s", str, buf);
226}
227
228/**
229 * Setup DSA key digest in DER encoding ...
230 * @param sig: input is signature output alloced ptr (unless failure).
231 * caller must free alloced ptr if this routine returns true.
232 * @param len: input is initial siglen, output is output len.
233 * @return false on failure.
234 */
235static int
236setup_dsa_sig(unsigned char** sig, unsigned int* len)
237{
238 unsigned char* orig = *sig;
239 unsigned int origlen = *len;
240 int newlen;
241 BIGNUM *R, *S;
242 DSA_SIG *dsasig;
243
244 /* extract the R and S field from the sig buffer */
245 if(origlen < 1 + 2*SHA_DIGEST_LENGTH)
246 return 0;
247 R = BN_new();
248 if(!R) return 0;
249 (void) BN_bin2bn(orig + 1, SHA_DIGEST_LENGTH, R);
250 S = BN_new();
251 if(!S) return 0;
252 (void) BN_bin2bn(orig + 21, SHA_DIGEST_LENGTH, S);
253 dsasig = DSA_SIG_new();
254 if(!dsasig) return 0;
255
256 dsasig->r = R;
257 dsasig->s = S;
258 *sig = NULL;
259 newlen = i2d_DSA_SIG(dsasig, sig);
260 if(newlen < 0) {
261 DSA_SIG_free(dsasig);
262 free(*sig);
263 return 0;
264 }
265 *len = (unsigned int)newlen;
266 DSA_SIG_free(dsasig);
267 return 1;
268}
269
270#ifdef USE_ECDSA
271/**
272 * Setup the ECDSA signature in its encoding that the library wants.
273 * Converts from plain numbers to ASN formatted.
274 * @param sig: input is signature, output alloced ptr (unless failure).
275 * caller must free alloced ptr if this routine returns true.
276 * @param len: input is initial siglen, output is output len.
277 * @return false on failure.
278 */
279static int
280setup_ecdsa_sig(unsigned char** sig, unsigned int* len)
281{
282 ECDSA_SIG* ecdsa_sig;
283 int newlen;
284 int bnsize = (int)((*len)/2);
285 /* if too short or not even length, fails */
286 if(*len < 16 || bnsize*2 != (int)*len)
287 return 0;
288 /* use the raw data to parse two evenly long BIGNUMs, "r | s". */
289 ecdsa_sig = ECDSA_SIG_new();
290 if(!ecdsa_sig) return 0;
291 ecdsa_sig->r = BN_bin2bn(*sig, bnsize, ecdsa_sig->r);
292 ecdsa_sig->s = BN_bin2bn(*sig+bnsize, bnsize, ecdsa_sig->s);
293 if(!ecdsa_sig->r || !ecdsa_sig->s) {
294 ECDSA_SIG_free(ecdsa_sig);
295 return 0;
296 }
297
298 /* spool it into ASN format */
299 *sig = NULL;
300 newlen = i2d_ECDSA_SIG(ecdsa_sig, sig);
301 if(newlen <= 0) {
302 ECDSA_SIG_free(ecdsa_sig);
303 free(*sig);
304 return 0;
305 }
306 *len = (unsigned int)newlen;
307 ECDSA_SIG_free(ecdsa_sig);
308 return 1;
309}
310#endif /* USE_ECDSA */
311
312/**
313 * Setup key and digest for verification. Adjust sig if necessary.
314 *
315 * @param algo: key algorithm
316 * @param evp_key: EVP PKEY public key to create.
317 * @param digest_type: digest type to use
318 * @param key: key to setup for.
319 * @param keylen: length of key.
320 * @return false on failure.
321 */
322static int
323setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type,
324 unsigned char* key, size_t keylen)
325{
326 DSA* dsa;
327 RSA* rsa;
328
329 switch(algo) {
330 case LDNS_DSA:
331 case LDNS_DSA_NSEC3:
332 *evp_key = EVP_PKEY_new();
333 if(!*evp_key) {
334 log_err("verify: malloc failure in crypto");
335 return 0;
336 }
337 dsa = sldns_key_buf2dsa_raw(key, keylen);
338 if(!dsa) {
339 verbose(VERB_QUERY, "verify: "
340 "sldns_key_buf2dsa_raw failed");
341 return 0;
342 }
343 if(EVP_PKEY_assign_DSA(*evp_key, dsa) == 0) {
344 verbose(VERB_QUERY, "verify: "
345 "EVP_PKEY_assign_DSA failed");
346 return 0;
347 }
348 *digest_type = EVP_dss1();
349
350 break;
351 case LDNS_RSASHA1:
352 case LDNS_RSASHA1_NSEC3:
353#if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
354 case LDNS_RSASHA256:
355#endif
356#if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
357 case LDNS_RSASHA512:
358#endif
359 *evp_key = EVP_PKEY_new();
360 if(!*evp_key) {
361 log_err("verify: malloc failure in crypto");
362 return 0;
363 }
364 rsa = sldns_key_buf2rsa_raw(key, keylen);
365 if(!rsa) {
366 verbose(VERB_QUERY, "verify: "
367 "sldns_key_buf2rsa_raw SHA failed");
368 return 0;
369 }
370 if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) {
371 verbose(VERB_QUERY, "verify: "
372 "EVP_PKEY_assign_RSA SHA failed");
373 return 0;
374 }
375
376 /* select SHA version */
377#if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
378 if(algo == LDNS_RSASHA256)
379 *digest_type = EVP_sha256();
380 else
381#endif
382#if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
383 if(algo == LDNS_RSASHA512)
384 *digest_type = EVP_sha512();
385 else
386#endif
387 *digest_type = EVP_sha1();
388
389 break;
390 case LDNS_RSAMD5:
391 *evp_key = EVP_PKEY_new();
392 if(!*evp_key) {
393 log_err("verify: malloc failure in crypto");
394 return 0;
395 }
396 rsa = sldns_key_buf2rsa_raw(key, keylen);
397 if(!rsa) {
398 verbose(VERB_QUERY, "verify: "
399 "sldns_key_buf2rsa_raw MD5 failed");
400 return 0;
401 }
402 if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) {
403 verbose(VERB_QUERY, "verify: "
404 "EVP_PKEY_assign_RSA MD5 failed");
405 return 0;
406 }
407 *digest_type = EVP_md5();
408
409 break;
410#ifdef USE_GOST
411 case LDNS_ECC_GOST:
412 *evp_key = sldns_gost2pkey_raw(key, keylen);
413 if(!*evp_key) {
414 verbose(VERB_QUERY, "verify: "
415 "sldns_gost2pkey_raw failed");
416 return 0;
417 }
418 *digest_type = EVP_get_digestbyname("md_gost94");
419 if(!*digest_type) {
420 verbose(VERB_QUERY, "verify: "
421 "EVP_getdigest md_gost94 failed");
422 return 0;
423 }
424 break;
425#endif
426#ifdef USE_ECDSA
427 case LDNS_ECDSAP256SHA256:
428 *evp_key = sldns_ecdsa2pkey_raw(key, keylen,
429 LDNS_ECDSAP256SHA256);
430 if(!*evp_key) {
431 verbose(VERB_QUERY, "verify: "
432 "sldns_ecdsa2pkey_raw failed");
433 return 0;
434 }
435#ifdef USE_ECDSA_EVP_WORKAROUND
436 /* openssl before 1.0.0 fixes RSA with the SHA256
437 * hash in EVP. We create one for ecdsa_sha256 */
438 {
439 static int md_ecdsa_256_done = 0;
440 static EVP_MD md;
441 if(!md_ecdsa_256_done) {
442 EVP_MD m = *EVP_sha256();
443 md_ecdsa_256_done = 1;
444 m.required_pkey_type[0] = (*evp_key)->type;
445 m.verify = (void*)ECDSA_verify;
446 md = m;
447 }
448 *digest_type = &md;
449 }
450#else
451 *digest_type = EVP_sha256();
452#endif
453 break;
454 case LDNS_ECDSAP384SHA384:
455 *evp_key = sldns_ecdsa2pkey_raw(key, keylen,
456 LDNS_ECDSAP384SHA384);
457 if(!*evp_key) {
458 verbose(VERB_QUERY, "verify: "
459 "sldns_ecdsa2pkey_raw failed");
460 return 0;
461 }
462#ifdef USE_ECDSA_EVP_WORKAROUND
463 /* openssl before 1.0.0 fixes RSA with the SHA384
464 * hash in EVP. We create one for ecdsa_sha384 */
465 {
466 static int md_ecdsa_384_done = 0;
467 static EVP_MD md;
468 if(!md_ecdsa_384_done) {
469 EVP_MD m = *EVP_sha384();
470 md_ecdsa_384_done = 1;
471 m.required_pkey_type[0] = (*evp_key)->type;
472 m.verify = (void*)ECDSA_verify;
473 md = m;
474 }
475 *digest_type = &md;
476 }
477#else
478 *digest_type = EVP_sha384();
479#endif
480 break;
481#endif /* USE_ECDSA */
482 default:
483 verbose(VERB_QUERY, "verify: unknown algorithm %d",
484 algo);
485 return 0;
486 }
487 return 1;
488}
489
490/**
491 * Check a canonical sig+rrset and signature against a dnskey
492 * @param buf: buffer with data to verify, the first rrsig part and the
493 * canonicalized rrset.
494 * @param algo: DNSKEY algorithm.
495 * @param sigblock: signature rdata field from RRSIG
496 * @param sigblock_len: length of sigblock data.
497 * @param key: public key data from DNSKEY RR.
498 * @param keylen: length of keydata.
499 * @param reason: bogus reason in more detail.
500 * @return secure if verification succeeded, bogus on crypto failure,
501 * unchecked on format errors and alloc failures.
502 */
503enum sec_status
504verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
505 unsigned int sigblock_len, unsigned char* key, unsigned int keylen,
506 char** reason)
507{
508 const EVP_MD *digest_type;
509 EVP_MD_CTX ctx;
510 int res, dofree = 0;
511 EVP_PKEY *evp_key = NULL;
512
513 if(!setup_key_digest(algo, &evp_key, &digest_type, key, keylen)) {
514 verbose(VERB_QUERY, "verify: failed to setup key");
515 *reason = "use of key for crypto failed";
516 EVP_PKEY_free(evp_key);
517 return sec_status_bogus;
518 }
519 /* if it is a DSA signature in bind format, convert to DER format */
520 if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) &&
521 sigblock_len == 1+2*SHA_DIGEST_LENGTH) {
522 if(!setup_dsa_sig(&sigblock, &sigblock_len)) {
523 verbose(VERB_QUERY, "verify: failed to setup DSA sig");
524 *reason = "use of key for DSA crypto failed";
525 EVP_PKEY_free(evp_key);
526 return sec_status_bogus;
527 }
528 dofree = 1;
529 }
530#ifdef USE_ECDSA
531 else if(algo == LDNS_ECDSAP256SHA256 || algo == LDNS_ECDSAP384SHA384) {
532 /* EVP uses ASN prefix on sig, which is not in the wire data */
533 if(!setup_ecdsa_sig(&sigblock, &sigblock_len)) {
534 verbose(VERB_QUERY, "verify: failed to setup ECDSA sig");
535 *reason = "use of signature for ECDSA crypto failed";
536 EVP_PKEY_free(evp_key);
537 return sec_status_bogus;
538 }
539 dofree = 1;
540 }
541#endif /* USE_ECDSA */
542
543 /* do the signature cryptography work */
544 EVP_MD_CTX_init(&ctx);
545 if(EVP_VerifyInit(&ctx, digest_type) == 0) {
546 verbose(VERB_QUERY, "verify: EVP_VerifyInit failed");
547 EVP_PKEY_free(evp_key);
548 if(dofree) free(sigblock);
549 return sec_status_unchecked;
550 }
551 if(EVP_VerifyUpdate(&ctx, (unsigned char*)sldns_buffer_begin(buf),
552 (unsigned int)sldns_buffer_limit(buf)) == 0) {
553 verbose(VERB_QUERY, "verify: EVP_VerifyUpdate failed");
554 EVP_PKEY_free(evp_key);
555 if(dofree) free(sigblock);
556 return sec_status_unchecked;
557 }
558
559 res = EVP_VerifyFinal(&ctx, sigblock, sigblock_len, evp_key);
560 if(EVP_MD_CTX_cleanup(&ctx) == 0) {
561 verbose(VERB_QUERY, "verify: EVP_MD_CTX_cleanup failed");
562 EVP_PKEY_free(evp_key);
563 if(dofree) free(sigblock);
564 return sec_status_unchecked;
565 }
566 EVP_PKEY_free(evp_key);
567
568 if(dofree)
569 free(sigblock);
570
571 if(res == 1) {
572 return sec_status_secure;
573 } else if(res == 0) {
574 verbose(VERB_QUERY, "verify: signature mismatch");
575 *reason = "signature crypto failed";
576 return sec_status_bogus;
577 }
578
579 log_crypto_error("verify:", ERR_get_error());
580 return sec_status_unchecked;
581}
582
583/**************************************************/
584#elif defined(HAVE_NSS)
585/* libnss implementation */
586/* nss3 */
587#include "sechash.h"
588#include "pk11pub.h"
589#include "keyhi.h"
590#include "secerr.h"
591#include "cryptohi.h"
592/* nspr4 */
593#include "prerror.h"
594
|
| 595/* return size of digest if supported, or 0 otherwise */
|
568size_t
| 596size_t
|
| 597nsec3_hash_algo_size_supported(int id)
598{
599 switch(id) {
600 case NSEC3_HASH_SHA1:
601 return SHA1_LENGTH;
602 default:
603 return 0;
604 }
605}
606
607/* perform nsec3 hash. return false on failure */
608int
609secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
610 unsigned char* res)
611{
612 switch(algo) {
613 case NSEC3_HASH_SHA1:
614 (void)HASH_HashBuf(HASH_AlgSHA1, res, buf, (unsigned long)len);
615 return 1;
616 default:
617 return 0;
618 }
619}
620
621size_t
|
569ds_digest_size_supported(int algo)
570{
571 /* uses libNSS */
572 switch(algo) {
573 case LDNS_SHA1:
574 return SHA1_LENGTH;
575#ifdef USE_SHA2
576 case LDNS_SHA256:
577 return SHA256_LENGTH;
578#endif
579#ifdef USE_ECDSA
580 case LDNS_SHA384:
581 return SHA384_LENGTH;
582#endif
583 /* GOST not supported in NSS */
584 case LDNS_HASH_GOST:
585 default: break;
586 }
587 return 0;
588}
589
590int
591secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
592 unsigned char* res)
593{
594 /* uses libNSS */
595 switch(algo) {
596 case LDNS_SHA1:
597 return HASH_HashBuf(HASH_AlgSHA1, res, buf, len)
598 == SECSuccess;
599#if defined(USE_SHA2)
600 case LDNS_SHA256:
601 return HASH_HashBuf(HASH_AlgSHA256, res, buf, len)
602 == SECSuccess;
603#endif
604#ifdef USE_ECDSA
605 case LDNS_SHA384:
606 return HASH_HashBuf(HASH_AlgSHA384, res, buf, len)
607 == SECSuccess;
608#endif
609 case LDNS_HASH_GOST:
610 default:
611 verbose(VERB_QUERY, "unknown DS digest algorithm %d",
612 algo);
613 break;
614 }
615 return 0;
616}
617
618int
619dnskey_algo_id_is_supported(int id)
620{
621 /* uses libNSS */
622 switch(id) {
623 case LDNS_RSAMD5:
624 /* RFC 6725 deprecates RSAMD5 */
625 return 0;
626 case LDNS_DSA:
627 case LDNS_DSA_NSEC3:
628 case LDNS_RSASHA1:
629 case LDNS_RSASHA1_NSEC3:
630#ifdef USE_SHA2
631 case LDNS_RSASHA256:
632#endif
633#ifdef USE_SHA2
634 case LDNS_RSASHA512:
635#endif
636 return 1;
637#ifdef USE_ECDSA
638 case LDNS_ECDSAP256SHA256:
639 case LDNS_ECDSAP384SHA384:
640 return PK11_TokenExists(CKM_ECDSA);
641#endif
642 case LDNS_ECC_GOST:
643 default:
644 return 0;
645 }
646}
647
648/* return a new public key for NSS */
649static SECKEYPublicKey* nss_key_create(KeyType ktype)
650{
651 SECKEYPublicKey* key;
652 PLArenaPool* arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
653 if(!arena) {
654 log_err("out of memory, PORT_NewArena failed");
655 return NULL;
656 }
657 key = PORT_ArenaZNew(arena, SECKEYPublicKey);
658 if(!key) {
659 log_err("out of memory, PORT_ArenaZNew failed");
660 PORT_FreeArena(arena, PR_FALSE);
661 return NULL;
662 }
663 key->arena = arena;
664 key->keyType = ktype;
665 key->pkcs11Slot = NULL;
666 key->pkcs11ID = CK_INVALID_HANDLE;
667 return key;
668}
669
670static SECKEYPublicKey* nss_buf2ecdsa(unsigned char* key, size_t len, int algo)
671{
672 SECKEYPublicKey* pk;
673 SECItem pub = {siBuffer, NULL, 0};
674 SECItem params = {siBuffer, NULL, 0};
675 static unsigned char param256[] = {
676 /* OBJECTIDENTIFIER 1.2.840.10045.3.1.7 (P-256)
677 * {iso(1) member-body(2) us(840) ansi-x962(10045) curves(3) prime(1) prime256v1(7)} */
678 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07
679 };
680 static unsigned char param384[] = {
681 /* OBJECTIDENTIFIER 1.3.132.0.34 (P-384)
682 * {iso(1) identified-organization(3) certicom(132) curve(0) ansip384r1(34)} */
683 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22
684 };
685 unsigned char buf[256+2]; /* sufficient for 2*384/8+1 */
686
687 /* check length, which uncompressed must be 2 bignums */
688 if(algo == LDNS_ECDSAP256SHA256) {
689 if(len != 2*256/8) return NULL;
690 /* ECCurve_X9_62_PRIME_256V1 */
691 } else if(algo == LDNS_ECDSAP384SHA384) {
692 if(len != 2*384/8) return NULL;
693 /* ECCurve_X9_62_PRIME_384R1 */
694 } else return NULL;
695
696 buf[0] = 0x04; /* POINT_FORM_UNCOMPRESSED */
697 memmove(buf+1, key, len);
698 pub.data = buf;
699 pub.len = len+1;
700 if(algo == LDNS_ECDSAP256SHA256) {
701 params.data = param256;
702 params.len = sizeof(param256);
703 } else {
704 params.data = param384;
705 params.len = sizeof(param384);
706 }
707
708 pk = nss_key_create(ecKey);
709 if(!pk)
710 return NULL;
711 pk->u.ec.size = (len/2)*8;
712 if(SECITEM_CopyItem(pk->arena, &pk->u.ec.publicValue, &pub)) {
713 SECKEY_DestroyPublicKey(pk);
714 return NULL;
715 }
716 if(SECITEM_CopyItem(pk->arena, &pk->u.ec.DEREncodedParams, ¶ms)) {
717 SECKEY_DestroyPublicKey(pk);
718 return NULL;
719 }
720
721 return pk;
722}
723
724static SECKEYPublicKey* nss_buf2dsa(unsigned char* key, size_t len)
725{
726 SECKEYPublicKey* pk;
727 uint8_t T;
728 uint16_t length;
729 uint16_t offset;
730 SECItem Q = {siBuffer, NULL, 0};
731 SECItem P = {siBuffer, NULL, 0};
732 SECItem G = {siBuffer, NULL, 0};
733 SECItem Y = {siBuffer, NULL, 0};
734
735 if(len == 0)
736 return NULL;
737 T = (uint8_t)key[0];
738 length = (64 + T * 8);
739 offset = 1;
740
741 if (T > 8) {
742 return NULL;
743 }
744 if(len < (size_t)1 + SHA1_LENGTH + 3*length)
745 return NULL;
746
747 Q.data = key+offset;
748 Q.len = SHA1_LENGTH;
749 offset += SHA1_LENGTH;
750
751 P.data = key+offset;
752 P.len = length;
753 offset += length;
754
755 G.data = key+offset;
756 G.len = length;
757 offset += length;
758
759 Y.data = key+offset;
760 Y.len = length;
761 offset += length;
762
763 pk = nss_key_create(dsaKey);
764 if(!pk)
765 return NULL;
766 if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.prime, &P)) {
767 SECKEY_DestroyPublicKey(pk);
768 return NULL;
769 }
770 if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.subPrime, &Q)) {
771 SECKEY_DestroyPublicKey(pk);
772 return NULL;
773 }
774 if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.base, &G)) {
775 SECKEY_DestroyPublicKey(pk);
776 return NULL;
777 }
778 if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.publicValue, &Y)) {
779 SECKEY_DestroyPublicKey(pk);
780 return NULL;
781 }
782 return pk;
783}
784
785static SECKEYPublicKey* nss_buf2rsa(unsigned char* key, size_t len)
786{
787 SECKEYPublicKey* pk;
788 uint16_t exp;
789 uint16_t offset;
790 uint16_t int16;
791 SECItem modulus = {siBuffer, NULL, 0};
792 SECItem exponent = {siBuffer, NULL, 0};
793 if(len == 0)
794 return NULL;
795 if(key[0] == 0) {
796 if(len < 3)
797 return NULL;
798 /* the exponent is too large so it's places further */
799 memmove(&int16, key+1, 2);
800 exp = ntohs(int16);
801 offset = 3;
802 } else {
803 exp = key[0];
804 offset = 1;
805 }
806
807 /* key length at least one */
808 if(len < (size_t)offset + exp + 1)
809 return NULL;
810
811 exponent.data = key+offset;
812 exponent.len = exp;
813 offset += exp;
814 modulus.data = key+offset;
815 modulus.len = (len - offset);
816
817 pk = nss_key_create(rsaKey);
818 if(!pk)
819 return NULL;
820 if(SECITEM_CopyItem(pk->arena, &pk->u.rsa.modulus, &modulus)) {
821 SECKEY_DestroyPublicKey(pk);
822 return NULL;
823 }
824 if(SECITEM_CopyItem(pk->arena, &pk->u.rsa.publicExponent, &exponent)) {
825 SECKEY_DestroyPublicKey(pk);
826 return NULL;
827 }
828 return pk;
829}
830
831/**
832 * Setup key and digest for verification. Adjust sig if necessary.
833 *
834 * @param algo: key algorithm
835 * @param evp_key: EVP PKEY public key to create.
836 * @param digest_type: digest type to use
837 * @param key: key to setup for.
838 * @param keylen: length of key.
839 * @param prefix: if returned, the ASN prefix for the hashblob.
840 * @param prefixlen: length of the prefix.
841 * @return false on failure.
842 */
843static int
844nss_setup_key_digest(int algo, SECKEYPublicKey** pubkey, HASH_HashType* htype,
845 unsigned char* key, size_t keylen, unsigned char** prefix,
846 size_t* prefixlen)
847{
848 /* uses libNSS */
849
850 /* hash prefix for md5, RFC2537 */
851 static unsigned char p_md5[] = {0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a,
852 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 0x04, 0x10};
853 /* hash prefix to prepend to hash output, from RFC3110 */
854 static unsigned char p_sha1[] = {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B,
855 0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14};
856 /* from RFC5702 */
857 static unsigned char p_sha256[] = {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60,
858 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20};
859 static unsigned char p_sha512[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60,
860 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40};
861 /* from RFC6234 */
862 /* for future RSASHA384 ..
863 static unsigned char p_sha384[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60,
864 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30};
865 */
866
867 switch(algo) {
868 case LDNS_DSA:
869 case LDNS_DSA_NSEC3:
870 *pubkey = nss_buf2dsa(key, keylen);
871 if(!*pubkey) {
872 log_err("verify: malloc failure in crypto");
873 return 0;
874 }
875 *htype = HASH_AlgSHA1;
876 /* no prefix for DSA verification */
877 break;
878 case LDNS_RSASHA1:
879 case LDNS_RSASHA1_NSEC3:
880#ifdef USE_SHA2
881 case LDNS_RSASHA256:
882#endif
883#ifdef USE_SHA2
884 case LDNS_RSASHA512:
885#endif
886 *pubkey = nss_buf2rsa(key, keylen);
887 if(!*pubkey) {
888 log_err("verify: malloc failure in crypto");
889 return 0;
890 }
891 /* select SHA version */
892#ifdef USE_SHA2
893 if(algo == LDNS_RSASHA256) {
894 *htype = HASH_AlgSHA256;
895 *prefix = p_sha256;
896 *prefixlen = sizeof(p_sha256);
897 } else
898#endif
899#ifdef USE_SHA2
900 if(algo == LDNS_RSASHA512) {
901 *htype = HASH_AlgSHA512;
902 *prefix = p_sha512;
903 *prefixlen = sizeof(p_sha512);
904 } else
905#endif
906 {
907 *htype = HASH_AlgSHA1;
908 *prefix = p_sha1;
909 *prefixlen = sizeof(p_sha1);
910 }
911
912 break;
913 case LDNS_RSAMD5:
914 *pubkey = nss_buf2rsa(key, keylen);
915 if(!*pubkey) {
916 log_err("verify: malloc failure in crypto");
917 return 0;
918 }
919 *htype = HASH_AlgMD5;
920 *prefix = p_md5;
921 *prefixlen = sizeof(p_md5);
922
923 break;
924#ifdef USE_ECDSA
925 case LDNS_ECDSAP256SHA256:
926 *pubkey = nss_buf2ecdsa(key, keylen,
927 LDNS_ECDSAP256SHA256);
928 if(!*pubkey) {
929 log_err("verify: malloc failure in crypto");
930 return 0;
931 }
932 *htype = HASH_AlgSHA256;
933 /* no prefix for DSA verification */
934 break;
935 case LDNS_ECDSAP384SHA384:
936 *pubkey = nss_buf2ecdsa(key, keylen,
937 LDNS_ECDSAP384SHA384);
938 if(!*pubkey) {
939 log_err("verify: malloc failure in crypto");
940 return 0;
941 }
942 *htype = HASH_AlgSHA384;
943 /* no prefix for DSA verification */
944 break;
945#endif /* USE_ECDSA */
946 case LDNS_ECC_GOST:
947 default:
948 verbose(VERB_QUERY, "verify: unknown algorithm %d",
949 algo);
950 return 0;
951 }
952 return 1;
953}
954
955/**
956 * Check a canonical sig+rrset and signature against a dnskey
957 * @param buf: buffer with data to verify, the first rrsig part and the
958 * canonicalized rrset.
959 * @param algo: DNSKEY algorithm.
960 * @param sigblock: signature rdata field from RRSIG
961 * @param sigblock_len: length of sigblock data.
962 * @param key: public key data from DNSKEY RR.
963 * @param keylen: length of keydata.
964 * @param reason: bogus reason in more detail.
965 * @return secure if verification succeeded, bogus on crypto failure,
966 * unchecked on format errors and alloc failures.
967 */
968enum sec_status
969verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
970 unsigned int sigblock_len, unsigned char* key, unsigned int keylen,
971 char** reason)
972{
973 /* uses libNSS */
974 /* large enough for the different hashes */
975 unsigned char hash[HASH_LENGTH_MAX];
976 unsigned char hash2[HASH_LENGTH_MAX*2];
977 HASH_HashType htype = 0;
978 SECKEYPublicKey* pubkey = NULL;
979 SECItem secsig = {siBuffer, sigblock, sigblock_len};
980 SECItem sechash = {siBuffer, hash, 0};
981 SECStatus res;
982 unsigned char* prefix = NULL; /* prefix for hash, RFC3110, RFC5702 */
983 size_t prefixlen = 0;
984 int err;
985
986 if(!nss_setup_key_digest(algo, &pubkey, &htype, key, keylen,
987 &prefix, &prefixlen)) {
988 verbose(VERB_QUERY, "verify: failed to setup key");
989 *reason = "use of key for crypto failed";
990 SECKEY_DestroyPublicKey(pubkey);
991 return sec_status_bogus;
992 }
993
994 /* need to convert DSA, ECDSA signatures? */
995 if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3)) {
996 if(sigblock_len == 1+2*SHA1_LENGTH) {
997 secsig.data ++;
998 secsig.len --;
999 } else {
1000 SECItem* p = DSAU_DecodeDerSig(&secsig);
1001 if(!p) {
1002 verbose(VERB_QUERY, "verify: failed DER decode");
1003 *reason = "signature DER decode failed";
1004 SECKEY_DestroyPublicKey(pubkey);
1005 return sec_status_bogus;
1006 }
1007 if(SECITEM_CopyItem(pubkey->arena, &secsig, p)) {
1008 log_err("alloc failure in DER decode");
1009 SECKEY_DestroyPublicKey(pubkey);
1010 SECITEM_FreeItem(p, PR_TRUE);
1011 return sec_status_unchecked;
1012 }
1013 SECITEM_FreeItem(p, PR_TRUE);
1014 }
1015 }
1016
1017 /* do the signature cryptography work */
1018 /* hash the data */
1019 sechash.len = HASH_ResultLen(htype);
1020 if(sechash.len > sizeof(hash)) {
1021 verbose(VERB_QUERY, "verify: hash too large for buffer");
1022 SECKEY_DestroyPublicKey(pubkey);
1023 return sec_status_unchecked;
1024 }
1025 if(HASH_HashBuf(htype, hash, (unsigned char*)sldns_buffer_begin(buf),
1026 (unsigned int)sldns_buffer_limit(buf)) != SECSuccess) {
1027 verbose(VERB_QUERY, "verify: HASH_HashBuf failed");
1028 SECKEY_DestroyPublicKey(pubkey);
1029 return sec_status_unchecked;
1030 }
1031 if(prefix) {
1032 int hashlen = sechash.len;
1033 if(prefixlen+hashlen > sizeof(hash2)) {
1034 verbose(VERB_QUERY, "verify: hashprefix too large");
1035 SECKEY_DestroyPublicKey(pubkey);
1036 return sec_status_unchecked;
1037 }
1038 sechash.data = hash2;
1039 sechash.len = prefixlen+hashlen;
1040 memcpy(sechash.data, prefix, prefixlen);
1041 memmove(sechash.data+prefixlen, hash, hashlen);
1042 }
1043
1044 /* verify the signature */
1045 res = PK11_Verify(pubkey, &secsig, &sechash, NULL /*wincx*/);
1046 SECKEY_DestroyPublicKey(pubkey);
1047
1048 if(res == SECSuccess) {
1049 return sec_status_secure;
1050 }
1051 err = PORT_GetError();
1052 if(err != SEC_ERROR_BAD_SIGNATURE) {
1053 /* failed to verify */
1054 verbose(VERB_QUERY, "verify: PK11_Verify failed: %s",
1055 PORT_ErrorToString(err));
1056 /* if it is not supported, like ECC is removed, we get,
1057 * SEC_ERROR_NO_MODULE */
1058 if(err == SEC_ERROR_NO_MODULE)
1059 return sec_status_unchecked;
1060 /* but other errors are commonly returned
1061 * for a bad signature from NSS. Thus we return bogus,
1062 * not unchecked */
1063 *reason = "signature crypto failed";
1064 return sec_status_bogus;
1065 }
1066 verbose(VERB_QUERY, "verify: signature mismatch: %s",
1067 PORT_ErrorToString(err));
1068 *reason = "signature crypto failed";
1069 return sec_status_bogus;
1070}
1071
| 622ds_digest_size_supported(int algo)
623{
624 /* uses libNSS */
625 switch(algo) {
626 case LDNS_SHA1:
627 return SHA1_LENGTH;
628#ifdef USE_SHA2
629 case LDNS_SHA256:
630 return SHA256_LENGTH;
631#endif
632#ifdef USE_ECDSA
633 case LDNS_SHA384:
634 return SHA384_LENGTH;
635#endif
636 /* GOST not supported in NSS */
637 case LDNS_HASH_GOST:
638 default: break;
639 }
640 return 0;
641}
642
643int
644secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
645 unsigned char* res)
646{
647 /* uses libNSS */
648 switch(algo) {
649 case LDNS_SHA1:
650 return HASH_HashBuf(HASH_AlgSHA1, res, buf, len)
651 == SECSuccess;
652#if defined(USE_SHA2)
653 case LDNS_SHA256:
654 return HASH_HashBuf(HASH_AlgSHA256, res, buf, len)
655 == SECSuccess;
656#endif
657#ifdef USE_ECDSA
658 case LDNS_SHA384:
659 return HASH_HashBuf(HASH_AlgSHA384, res, buf, len)
660 == SECSuccess;
661#endif
662 case LDNS_HASH_GOST:
663 default:
664 verbose(VERB_QUERY, "unknown DS digest algorithm %d",
665 algo);
666 break;
667 }
668 return 0;
669}
670
671int
672dnskey_algo_id_is_supported(int id)
673{
674 /* uses libNSS */
675 switch(id) {
676 case LDNS_RSAMD5:
677 /* RFC 6725 deprecates RSAMD5 */
678 return 0;
679 case LDNS_DSA:
680 case LDNS_DSA_NSEC3:
681 case LDNS_RSASHA1:
682 case LDNS_RSASHA1_NSEC3:
683#ifdef USE_SHA2
684 case LDNS_RSASHA256:
685#endif
686#ifdef USE_SHA2
687 case LDNS_RSASHA512:
688#endif
689 return 1;
690#ifdef USE_ECDSA
691 case LDNS_ECDSAP256SHA256:
692 case LDNS_ECDSAP384SHA384:
693 return PK11_TokenExists(CKM_ECDSA);
694#endif
695 case LDNS_ECC_GOST:
696 default:
697 return 0;
698 }
699}
700
701/* return a new public key for NSS */
702static SECKEYPublicKey* nss_key_create(KeyType ktype)
703{
704 SECKEYPublicKey* key;
705 PLArenaPool* arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
706 if(!arena) {
707 log_err("out of memory, PORT_NewArena failed");
708 return NULL;
709 }
710 key = PORT_ArenaZNew(arena, SECKEYPublicKey);
711 if(!key) {
712 log_err("out of memory, PORT_ArenaZNew failed");
713 PORT_FreeArena(arena, PR_FALSE);
714 return NULL;
715 }
716 key->arena = arena;
717 key->keyType = ktype;
718 key->pkcs11Slot = NULL;
719 key->pkcs11ID = CK_INVALID_HANDLE;
720 return key;
721}
722
723static SECKEYPublicKey* nss_buf2ecdsa(unsigned char* key, size_t len, int algo)
724{
725 SECKEYPublicKey* pk;
726 SECItem pub = {siBuffer, NULL, 0};
727 SECItem params = {siBuffer, NULL, 0};
728 static unsigned char param256[] = {
729 /* OBJECTIDENTIFIER 1.2.840.10045.3.1.7 (P-256)
730 * {iso(1) member-body(2) us(840) ansi-x962(10045) curves(3) prime(1) prime256v1(7)} */
731 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07
732 };
733 static unsigned char param384[] = {
734 /* OBJECTIDENTIFIER 1.3.132.0.34 (P-384)
735 * {iso(1) identified-organization(3) certicom(132) curve(0) ansip384r1(34)} */
736 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22
737 };
738 unsigned char buf[256+2]; /* sufficient for 2*384/8+1 */
739
740 /* check length, which uncompressed must be 2 bignums */
741 if(algo == LDNS_ECDSAP256SHA256) {
742 if(len != 2*256/8) return NULL;
743 /* ECCurve_X9_62_PRIME_256V1 */
744 } else if(algo == LDNS_ECDSAP384SHA384) {
745 if(len != 2*384/8) return NULL;
746 /* ECCurve_X9_62_PRIME_384R1 */
747 } else return NULL;
748
749 buf[0] = 0x04; /* POINT_FORM_UNCOMPRESSED */
750 memmove(buf+1, key, len);
751 pub.data = buf;
752 pub.len = len+1;
753 if(algo == LDNS_ECDSAP256SHA256) {
754 params.data = param256;
755 params.len = sizeof(param256);
756 } else {
757 params.data = param384;
758 params.len = sizeof(param384);
759 }
760
761 pk = nss_key_create(ecKey);
762 if(!pk)
763 return NULL;
764 pk->u.ec.size = (len/2)*8;
765 if(SECITEM_CopyItem(pk->arena, &pk->u.ec.publicValue, &pub)) {
766 SECKEY_DestroyPublicKey(pk);
767 return NULL;
768 }
769 if(SECITEM_CopyItem(pk->arena, &pk->u.ec.DEREncodedParams, ¶ms)) {
770 SECKEY_DestroyPublicKey(pk);
771 return NULL;
772 }
773
774 return pk;
775}
776
777static SECKEYPublicKey* nss_buf2dsa(unsigned char* key, size_t len)
778{
779 SECKEYPublicKey* pk;
780 uint8_t T;
781 uint16_t length;
782 uint16_t offset;
783 SECItem Q = {siBuffer, NULL, 0};
784 SECItem P = {siBuffer, NULL, 0};
785 SECItem G = {siBuffer, NULL, 0};
786 SECItem Y = {siBuffer, NULL, 0};
787
788 if(len == 0)
789 return NULL;
790 T = (uint8_t)key[0];
791 length = (64 + T * 8);
792 offset = 1;
793
794 if (T > 8) {
795 return NULL;
796 }
797 if(len < (size_t)1 + SHA1_LENGTH + 3*length)
798 return NULL;
799
800 Q.data = key+offset;
801 Q.len = SHA1_LENGTH;
802 offset += SHA1_LENGTH;
803
804 P.data = key+offset;
805 P.len = length;
806 offset += length;
807
808 G.data = key+offset;
809 G.len = length;
810 offset += length;
811
812 Y.data = key+offset;
813 Y.len = length;
814 offset += length;
815
816 pk = nss_key_create(dsaKey);
817 if(!pk)
818 return NULL;
819 if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.prime, &P)) {
820 SECKEY_DestroyPublicKey(pk);
821 return NULL;
822 }
823 if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.subPrime, &Q)) {
824 SECKEY_DestroyPublicKey(pk);
825 return NULL;
826 }
827 if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.base, &G)) {
828 SECKEY_DestroyPublicKey(pk);
829 return NULL;
830 }
831 if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.publicValue, &Y)) {
832 SECKEY_DestroyPublicKey(pk);
833 return NULL;
834 }
835 return pk;
836}
837
838static SECKEYPublicKey* nss_buf2rsa(unsigned char* key, size_t len)
839{
840 SECKEYPublicKey* pk;
841 uint16_t exp;
842 uint16_t offset;
843 uint16_t int16;
844 SECItem modulus = {siBuffer, NULL, 0};
845 SECItem exponent = {siBuffer, NULL, 0};
846 if(len == 0)
847 return NULL;
848 if(key[0] == 0) {
849 if(len < 3)
850 return NULL;
851 /* the exponent is too large so it's places further */
852 memmove(&int16, key+1, 2);
853 exp = ntohs(int16);
854 offset = 3;
855 } else {
856 exp = key[0];
857 offset = 1;
858 }
859
860 /* key length at least one */
861 if(len < (size_t)offset + exp + 1)
862 return NULL;
863
864 exponent.data = key+offset;
865 exponent.len = exp;
866 offset += exp;
867 modulus.data = key+offset;
868 modulus.len = (len - offset);
869
870 pk = nss_key_create(rsaKey);
871 if(!pk)
872 return NULL;
873 if(SECITEM_CopyItem(pk->arena, &pk->u.rsa.modulus, &modulus)) {
874 SECKEY_DestroyPublicKey(pk);
875 return NULL;
876 }
877 if(SECITEM_CopyItem(pk->arena, &pk->u.rsa.publicExponent, &exponent)) {
878 SECKEY_DestroyPublicKey(pk);
879 return NULL;
880 }
881 return pk;
882}
883
884/**
885 * Setup key and digest for verification. Adjust sig if necessary.
886 *
887 * @param algo: key algorithm
888 * @param evp_key: EVP PKEY public key to create.
889 * @param digest_type: digest type to use
890 * @param key: key to setup for.
891 * @param keylen: length of key.
892 * @param prefix: if returned, the ASN prefix for the hashblob.
893 * @param prefixlen: length of the prefix.
894 * @return false on failure.
895 */
896static int
897nss_setup_key_digest(int algo, SECKEYPublicKey** pubkey, HASH_HashType* htype,
898 unsigned char* key, size_t keylen, unsigned char** prefix,
899 size_t* prefixlen)
900{
901 /* uses libNSS */
902
903 /* hash prefix for md5, RFC2537 */
904 static unsigned char p_md5[] = {0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a,
905 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 0x04, 0x10};
906 /* hash prefix to prepend to hash output, from RFC3110 */
907 static unsigned char p_sha1[] = {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B,
908 0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14};
909 /* from RFC5702 */
910 static unsigned char p_sha256[] = {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60,
911 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20};
912 static unsigned char p_sha512[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60,
913 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40};
914 /* from RFC6234 */
915 /* for future RSASHA384 ..
916 static unsigned char p_sha384[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60,
917 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30};
918 */
919
920 switch(algo) {
921 case LDNS_DSA:
922 case LDNS_DSA_NSEC3:
923 *pubkey = nss_buf2dsa(key, keylen);
924 if(!*pubkey) {
925 log_err("verify: malloc failure in crypto");
926 return 0;
927 }
928 *htype = HASH_AlgSHA1;
929 /* no prefix for DSA verification */
930 break;
931 case LDNS_RSASHA1:
932 case LDNS_RSASHA1_NSEC3:
933#ifdef USE_SHA2
934 case LDNS_RSASHA256:
935#endif
936#ifdef USE_SHA2
937 case LDNS_RSASHA512:
938#endif
939 *pubkey = nss_buf2rsa(key, keylen);
940 if(!*pubkey) {
941 log_err("verify: malloc failure in crypto");
942 return 0;
943 }
944 /* select SHA version */
945#ifdef USE_SHA2
946 if(algo == LDNS_RSASHA256) {
947 *htype = HASH_AlgSHA256;
948 *prefix = p_sha256;
949 *prefixlen = sizeof(p_sha256);
950 } else
951#endif
952#ifdef USE_SHA2
953 if(algo == LDNS_RSASHA512) {
954 *htype = HASH_AlgSHA512;
955 *prefix = p_sha512;
956 *prefixlen = sizeof(p_sha512);
957 } else
958#endif
959 {
960 *htype = HASH_AlgSHA1;
961 *prefix = p_sha1;
962 *prefixlen = sizeof(p_sha1);
963 }
964
965 break;
966 case LDNS_RSAMD5:
967 *pubkey = nss_buf2rsa(key, keylen);
968 if(!*pubkey) {
969 log_err("verify: malloc failure in crypto");
970 return 0;
971 }
972 *htype = HASH_AlgMD5;
973 *prefix = p_md5;
974 *prefixlen = sizeof(p_md5);
975
976 break;
977#ifdef USE_ECDSA
978 case LDNS_ECDSAP256SHA256:
979 *pubkey = nss_buf2ecdsa(key, keylen,
980 LDNS_ECDSAP256SHA256);
981 if(!*pubkey) {
982 log_err("verify: malloc failure in crypto");
983 return 0;
984 }
985 *htype = HASH_AlgSHA256;
986 /* no prefix for DSA verification */
987 break;
988 case LDNS_ECDSAP384SHA384:
989 *pubkey = nss_buf2ecdsa(key, keylen,
990 LDNS_ECDSAP384SHA384);
991 if(!*pubkey) {
992 log_err("verify: malloc failure in crypto");
993 return 0;
994 }
995 *htype = HASH_AlgSHA384;
996 /* no prefix for DSA verification */
997 break;
998#endif /* USE_ECDSA */
999 case LDNS_ECC_GOST:
1000 default:
1001 verbose(VERB_QUERY, "verify: unknown algorithm %d",
1002 algo);
1003 return 0;
1004 }
1005 return 1;
1006}
1007
1008/**
1009 * Check a canonical sig+rrset and signature against a dnskey
1010 * @param buf: buffer with data to verify, the first rrsig part and the
1011 * canonicalized rrset.
1012 * @param algo: DNSKEY algorithm.
1013 * @param sigblock: signature rdata field from RRSIG
1014 * @param sigblock_len: length of sigblock data.
1015 * @param key: public key data from DNSKEY RR.
1016 * @param keylen: length of keydata.
1017 * @param reason: bogus reason in more detail.
1018 * @return secure if verification succeeded, bogus on crypto failure,
1019 * unchecked on format errors and alloc failures.
1020 */
1021enum sec_status
1022verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
1023 unsigned int sigblock_len, unsigned char* key, unsigned int keylen,
1024 char** reason)
1025{
1026 /* uses libNSS */
1027 /* large enough for the different hashes */
1028 unsigned char hash[HASH_LENGTH_MAX];
1029 unsigned char hash2[HASH_LENGTH_MAX*2];
1030 HASH_HashType htype = 0;
1031 SECKEYPublicKey* pubkey = NULL;
1032 SECItem secsig = {siBuffer, sigblock, sigblock_len};
1033 SECItem sechash = {siBuffer, hash, 0};
1034 SECStatus res;
1035 unsigned char* prefix = NULL; /* prefix for hash, RFC3110, RFC5702 */
1036 size_t prefixlen = 0;
1037 int err;
1038
1039 if(!nss_setup_key_digest(algo, &pubkey, &htype, key, keylen,
1040 &prefix, &prefixlen)) {
1041 verbose(VERB_QUERY, "verify: failed to setup key");
1042 *reason = "use of key for crypto failed";
1043 SECKEY_DestroyPublicKey(pubkey);
1044 return sec_status_bogus;
1045 }
1046
1047 /* need to convert DSA, ECDSA signatures? */
1048 if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3)) {
1049 if(sigblock_len == 1+2*SHA1_LENGTH) {
1050 secsig.data ++;
1051 secsig.len --;
1052 } else {
1053 SECItem* p = DSAU_DecodeDerSig(&secsig);
1054 if(!p) {
1055 verbose(VERB_QUERY, "verify: failed DER decode");
1056 *reason = "signature DER decode failed";
1057 SECKEY_DestroyPublicKey(pubkey);
1058 return sec_status_bogus;
1059 }
1060 if(SECITEM_CopyItem(pubkey->arena, &secsig, p)) {
1061 log_err("alloc failure in DER decode");
1062 SECKEY_DestroyPublicKey(pubkey);
1063 SECITEM_FreeItem(p, PR_TRUE);
1064 return sec_status_unchecked;
1065 }
1066 SECITEM_FreeItem(p, PR_TRUE);
1067 }
1068 }
1069
1070 /* do the signature cryptography work */
1071 /* hash the data */
1072 sechash.len = HASH_ResultLen(htype);
1073 if(sechash.len > sizeof(hash)) {
1074 verbose(VERB_QUERY, "verify: hash too large for buffer");
1075 SECKEY_DestroyPublicKey(pubkey);
1076 return sec_status_unchecked;
1077 }
1078 if(HASH_HashBuf(htype, hash, (unsigned char*)sldns_buffer_begin(buf),
1079 (unsigned int)sldns_buffer_limit(buf)) != SECSuccess) {
1080 verbose(VERB_QUERY, "verify: HASH_HashBuf failed");
1081 SECKEY_DestroyPublicKey(pubkey);
1082 return sec_status_unchecked;
1083 }
1084 if(prefix) {
1085 int hashlen = sechash.len;
1086 if(prefixlen+hashlen > sizeof(hash2)) {
1087 verbose(VERB_QUERY, "verify: hashprefix too large");
1088 SECKEY_DestroyPublicKey(pubkey);
1089 return sec_status_unchecked;
1090 }
1091 sechash.data = hash2;
1092 sechash.len = prefixlen+hashlen;
1093 memcpy(sechash.data, prefix, prefixlen);
1094 memmove(sechash.data+prefixlen, hash, hashlen);
1095 }
1096
1097 /* verify the signature */
1098 res = PK11_Verify(pubkey, &secsig, &sechash, NULL /*wincx*/);
1099 SECKEY_DestroyPublicKey(pubkey);
1100
1101 if(res == SECSuccess) {
1102 return sec_status_secure;
1103 }
1104 err = PORT_GetError();
1105 if(err != SEC_ERROR_BAD_SIGNATURE) {
1106 /* failed to verify */
1107 verbose(VERB_QUERY, "verify: PK11_Verify failed: %s",
1108 PORT_ErrorToString(err));
1109 /* if it is not supported, like ECC is removed, we get,
1110 * SEC_ERROR_NO_MODULE */
1111 if(err == SEC_ERROR_NO_MODULE)
1112 return sec_status_unchecked;
1113 /* but other errors are commonly returned
1114 * for a bad signature from NSS. Thus we return bogus,
1115 * not unchecked */
1116 *reason = "signature crypto failed";
1117 return sec_status_bogus;
1118 }
1119 verbose(VERB_QUERY, "verify: signature mismatch: %s",
1120 PORT_ErrorToString(err));
1121 *reason = "signature crypto failed";
1122 return sec_status_bogus;
1123}
1124
|
| 1125#elif defined(HAVE_NETTLE)
|
1072
| 1126
|
1073#endif /* HAVE_SSL or HAVE_NSS */
| 1127#include "sha.h"
1128#include "bignum.h"
1129#include "macros.h"
1130#include "rsa.h"
1131#include "dsa.h"
1132#include "asn1.h"
1133#ifdef USE_ECDSA
1134#include "ecdsa.h"
1135#include "ecc-curve.h"
1136#endif
1137
1138static int
1139_digest_nettle(int algo, uint8_t* buf, size_t len,
1140 unsigned char* res)
1141{
1142 switch(algo) {
1143 case SHA1_DIGEST_SIZE:
1144 {
1145 struct sha1_ctx ctx;
1146 sha1_init(&ctx);
1147 sha1_update(&ctx, len, buf);
1148 sha1_digest(&ctx, SHA1_DIGEST_SIZE, res);
1149 return 1;
1150 }
1151 case SHA256_DIGEST_SIZE:
1152 {
1153 struct sha256_ctx ctx;
1154 sha256_init(&ctx);
1155 sha256_update(&ctx, len, buf);
1156 sha256_digest(&ctx, SHA256_DIGEST_SIZE, res);
1157 return 1;
1158 }
1159 case SHA384_DIGEST_SIZE:
1160 {
1161 struct sha384_ctx ctx;
1162 sha384_init(&ctx);
1163 sha384_update(&ctx, len, buf);
1164 sha384_digest(&ctx, SHA384_DIGEST_SIZE, res);
1165 return 1;
1166 }
1167 case SHA512_DIGEST_SIZE:
1168 {
1169 struct sha512_ctx ctx;
1170 sha512_init(&ctx);
1171 sha512_update(&ctx, len, buf);
1172 sha512_digest(&ctx, SHA512_DIGEST_SIZE, res);
1173 return 1;
1174 }
1175 default:
1176 break;
1177 }
1178 return 0;
1179}
1180
1181/* return size of digest if supported, or 0 otherwise */
1182size_t
1183nsec3_hash_algo_size_supported(int id)
1184{
1185 switch(id) {
1186 case NSEC3_HASH_SHA1:
1187 return SHA1_DIGEST_SIZE;
1188 default:
1189 return 0;
1190 }
1191}
1192
1193/* perform nsec3 hash. return false on failure */
1194int
1195secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
1196 unsigned char* res)
1197{
1198 switch(algo) {
1199 case NSEC3_HASH_SHA1:
1200 return _digest_nettle(SHA1_DIGEST_SIZE, (uint8_t*)buf, len,
1201 res);
1202 default:
1203 return 0;
1204 }
1205}
1206
1207/**
1208 * Return size of DS digest according to its hash algorithm.
1209 * @param algo: DS digest algo.
1210 * @return size in bytes of digest, or 0 if not supported.
1211 */
1212size_t
1213ds_digest_size_supported(int algo)
1214{
1215 switch(algo) {
1216 case LDNS_SHA1:
1217 return SHA1_DIGEST_SIZE;
1218#ifdef USE_SHA2
1219 case LDNS_SHA256:
1220 return SHA256_DIGEST_SIZE;
1221#endif
1222#ifdef USE_ECDSA
1223 case LDNS_SHA384:
1224 return SHA384_DIGEST_SIZE;
1225#endif
1226 /* GOST not supported */
1227 case LDNS_HASH_GOST:
1228 default:
1229 break;
1230 }
1231 return 0;
1232}
1233
1234int
1235secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
1236 unsigned char* res)
1237{
1238 switch(algo) {
1239 case LDNS_SHA1:
1240 return _digest_nettle(SHA1_DIGEST_SIZE, buf, len, res);
1241#if defined(USE_SHA2)
1242 case LDNS_SHA256:
1243 return _digest_nettle(SHA256_DIGEST_SIZE, buf, len, res);
1244#endif
1245#ifdef USE_ECDSA
1246 case LDNS_SHA384:
1247 return _digest_nettle(SHA384_DIGEST_SIZE, buf, len, res);
1248
1249#endif
1250 case LDNS_HASH_GOST:
1251 default:
1252 verbose(VERB_QUERY, "unknown DS digest algorithm %d",
1253 algo);
1254 break;
1255 }
1256 return 0;
1257}
1258
1259int
1260dnskey_algo_id_is_supported(int id)
1261{
1262 /* uses libnettle */
1263 switch(id) {
1264 case LDNS_DSA:
1265 case LDNS_DSA_NSEC3:
1266 case LDNS_RSASHA1:
1267 case LDNS_RSASHA1_NSEC3:
1268#ifdef USE_SHA2
1269 case LDNS_RSASHA256:
1270 case LDNS_RSASHA512:
1271#endif
1272#ifdef USE_ECDSA
1273 case LDNS_ECDSAP256SHA256:
1274 case LDNS_ECDSAP384SHA384:
1275#endif
1276 return 1;
1277 case LDNS_RSAMD5: /* RFC 6725 deprecates RSAMD5 */
1278 case LDNS_ECC_GOST:
1279 default:
1280 return 0;
1281 }
1282}
1283
1284static char *
1285_verify_nettle_dsa(sldns_buffer* buf, unsigned char* sigblock,
1286 unsigned int sigblock_len, unsigned char* key, unsigned int keylen)
1287{
1288 uint8_t digest[SHA1_DIGEST_SIZE];
1289 uint8_t key_t;
1290 int res = 0;
1291 size_t offset;
1292 struct dsa_public_key pubkey;
1293 struct dsa_signature signature;
1294 unsigned int expected_len;
1295
1296 /* Extract DSA signature from the record */
1297 nettle_dsa_signature_init(&signature);
1298 /* Signature length: 41 bytes - RFC 2536 sec. 3 */
1299 if(sigblock_len == 41) {
1300 if(key[0] != sigblock[0])
1301 return "invalid T value in DSA signature or pubkey";
1302 nettle_mpz_set_str_256_u(signature.r, 20, sigblock+1);
1303 nettle_mpz_set_str_256_u(signature.s, 20, sigblock+1+20);
1304 } else {
1305 /* DER encoded, decode the ASN1 notated R and S bignums */
1306 /* SEQUENCE { r INTEGER, s INTEGER } */
1307 struct asn1_der_iterator i, seq;
1308 if(asn1_der_iterator_first(&i, sigblock_len,
1309 (uint8_t*)sigblock) != ASN1_ITERATOR_CONSTRUCTED
1310 || i.type != ASN1_SEQUENCE)
1311 return "malformed DER encoded DSA signature";
1312 /* decode this element of i using the seq iterator */
1313 if(asn1_der_decode_constructed(&i, &seq) !=
1314 ASN1_ITERATOR_PRIMITIVE || seq.type != ASN1_INTEGER)
1315 return "malformed DER encoded DSA signature";
1316 if(!asn1_der_get_bignum(&seq, signature.r, 20*8))
1317 return "malformed DER encoded DSA signature";
1318 if(asn1_der_iterator_next(&seq) != ASN1_ITERATOR_PRIMITIVE
1319 || seq.type != ASN1_INTEGER)
1320 return "malformed DER encoded DSA signature";
1321 if(!asn1_der_get_bignum(&seq, signature.s, 20*8))
1322 return "malformed DER encoded DSA signature";
1323 if(asn1_der_iterator_next(&i) != ASN1_ITERATOR_END)
1324 return "malformed DER encoded DSA signature";
1325 }
1326
1327 /* Validate T values constraints - RFC 2536 sec. 2 & sec. 3 */
1328 key_t = key[0];
1329 if (key_t > 8) {
1330 return "invalid T value in DSA pubkey";
1331 }
1332
1333 /* Pubkey minimum length: 21 bytes - RFC 2536 sec. 2 */
1334 if (keylen < 21) {
1335 return "DSA pubkey too short";
1336 }
1337
1338 expected_len = 1 + /* T */
1339 20 + /* Q */
1340 (64 + key_t*8) + /* P */
1341 (64 + key_t*8) + /* G */
1342 (64 + key_t*8); /* Y */
1343 if (keylen != expected_len ) {
1344 return "invalid DSA pubkey length";
1345 }
1346
1347 /* Extract DSA pubkey from the record */
1348 nettle_dsa_public_key_init(&pubkey);
1349 offset = 1;
1350 nettle_mpz_set_str_256_u(pubkey.q, 20, key+offset);
1351 offset += 20;
1352 nettle_mpz_set_str_256_u(pubkey.p, (64 + key_t*8), key+offset);
1353 offset += (64 + key_t*8);
1354 nettle_mpz_set_str_256_u(pubkey.g, (64 + key_t*8), key+offset);
1355 offset += (64 + key_t*8);
1356 nettle_mpz_set_str_256_u(pubkey.y, (64 + key_t*8), key+offset);
1357
1358 /* Digest content of "buf" and verify its DSA signature in "sigblock"*/
1359 res = _digest_nettle(SHA1_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1360 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1361 res &= dsa_sha1_verify_digest(&pubkey, digest, &signature);
1362
1363 /* Clear and return */
1364 nettle_dsa_signature_clear(&signature);
1365 nettle_dsa_public_key_clear(&pubkey);
1366 if (!res)
1367 return "DSA signature verification failed";
1368 else
1369 return NULL;
1370}
1371
1372static char *
1373_verify_nettle_rsa(sldns_buffer* buf, unsigned int digest_size, char* sigblock,
1374 unsigned int sigblock_len, uint8_t* key, unsigned int keylen)
1375{
1376 uint16_t exp_len = 0;
1377 size_t exp_offset = 0, mod_offset = 0;
1378 struct rsa_public_key pubkey;
1379 mpz_t signature;
1380 int res = 0;
1381
1382 /* RSA pubkey parsing as per RFC 3110 sec. 2 */
1383 if( keylen <= 1) {
1384 return "null RSA key";
1385 }
1386 if (key[0] != 0) {
1387 /* 1-byte length */
1388 exp_len = key[0];
1389 exp_offset = 1;
1390 } else {
1391 /* 1-byte NUL + 2-bytes exponent length */
1392 if (keylen < 3) {
1393 return "incorrect RSA key length";
1394 }
1395 exp_len = READ_UINT16(key+1);
1396 if (exp_len == 0)
1397 return "null RSA exponent length";
1398 exp_offset = 3;
1399 }
1400 /* Check that we are not over-running input length */
1401 if (keylen < exp_offset + exp_len + 1) {
1402 return "RSA key content shorter than expected";
1403 }
1404 mod_offset = exp_offset + exp_len;
1405 nettle_rsa_public_key_init(&pubkey);
1406 pubkey.size = keylen - mod_offset;
1407 nettle_mpz_set_str_256_u(pubkey.e, exp_len, &key[exp_offset]);
1408 nettle_mpz_set_str_256_u(pubkey.n, pubkey.size, &key[mod_offset]);
1409
1410 /* Digest content of "buf" and verify its RSA signature in "sigblock"*/
1411 nettle_mpz_init_set_str_256_u(signature, sigblock_len, (uint8_t*)sigblock);
1412 switch (digest_size) {
1413 case SHA1_DIGEST_SIZE:
1414 {
1415 uint8_t digest[SHA1_DIGEST_SIZE];
1416 res = _digest_nettle(SHA1_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1417 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1418 res &= rsa_sha1_verify_digest(&pubkey, digest, signature);
1419 break;
1420 }
1421 case SHA256_DIGEST_SIZE:
1422 {
1423 uint8_t digest[SHA256_DIGEST_SIZE];
1424 res = _digest_nettle(SHA256_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1425 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1426 res &= rsa_sha256_verify_digest(&pubkey, digest, signature);
1427 break;
1428 }
1429 case SHA512_DIGEST_SIZE:
1430 {
1431 uint8_t digest[SHA512_DIGEST_SIZE];
1432 res = _digest_nettle(SHA512_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1433 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1434 res &= rsa_sha512_verify_digest(&pubkey, digest, signature);
1435 break;
1436 }
1437 default:
1438 break;
1439 }
1440
1441 /* Clear and return */
1442 nettle_rsa_public_key_clear(&pubkey);
1443 mpz_clear(signature);
1444 if (!res) {
1445 return "RSA signature verification failed";
1446 } else {
1447 return NULL;
1448 }
1449}
1450
1451#ifdef USE_ECDSA
1452static char *
1453_verify_nettle_ecdsa(sldns_buffer* buf, unsigned int digest_size, unsigned char* sigblock,
1454 unsigned int sigblock_len, unsigned char* key, unsigned int keylen)
1455{
1456 int res = 0;
1457 struct ecc_point pubkey;
1458 struct dsa_signature signature;
1459
1460 /* Always matched strength, as per RFC 6605 sec. 1 */
1461 if (sigblock_len != 2*digest_size || keylen != 2*digest_size) {
1462 return "wrong ECDSA signature length";
1463 }
1464
1465 /* Parse ECDSA signature as per RFC 6605 sec. 4 */
1466 nettle_dsa_signature_init(&signature);
1467 switch (digest_size) {
1468 case SHA256_DIGEST_SIZE:
1469 {
1470 uint8_t digest[SHA256_DIGEST_SIZE];
1471 mpz_t x, y;
1472 nettle_ecc_point_init(&pubkey, &nettle_secp_256r1);
1473 nettle_mpz_init_set_str_256_u(x, SHA256_DIGEST_SIZE, key);
1474 nettle_mpz_init_set_str_256_u(y, SHA256_DIGEST_SIZE, key+SHA256_DIGEST_SIZE);
1475 nettle_mpz_set_str_256_u(signature.r, SHA256_DIGEST_SIZE, sigblock);
1476 nettle_mpz_set_str_256_u(signature.s, SHA256_DIGEST_SIZE, sigblock+SHA256_DIGEST_SIZE);
1477 res = _digest_nettle(SHA256_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1478 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1479 res &= nettle_ecc_point_set(&pubkey, x, y);
1480 res &= nettle_ecdsa_verify (&pubkey, SHA256_DIGEST_SIZE, digest, &signature);
1481 mpz_clear(x);
1482 mpz_clear(y);
1483 break;
1484 }
1485 case SHA384_DIGEST_SIZE:
1486 {
1487 uint8_t digest[SHA384_DIGEST_SIZE];
1488 mpz_t x, y;
1489 nettle_ecc_point_init(&pubkey, &nettle_secp_384r1);
1490 nettle_mpz_init_set_str_256_u(x, SHA384_DIGEST_SIZE, key);
1491 nettle_mpz_init_set_str_256_u(y, SHA384_DIGEST_SIZE, key+SHA384_DIGEST_SIZE);
1492 nettle_mpz_set_str_256_u(signature.r, SHA384_DIGEST_SIZE, sigblock);
1493 nettle_mpz_set_str_256_u(signature.s, SHA384_DIGEST_SIZE, sigblock+SHA384_DIGEST_SIZE);
1494 res = _digest_nettle(SHA384_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1495 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1496 res &= nettle_ecc_point_set(&pubkey, x, y);
1497 res &= nettle_ecdsa_verify (&pubkey, SHA384_DIGEST_SIZE, digest, &signature);
1498 mpz_clear(x);
1499 mpz_clear(y);
1500 nettle_ecc_point_clear(&pubkey);
1501 break;
1502 }
1503 default:
1504 return "unknown ECDSA algorithm";
1505 }
1506
1507 /* Clear and return */
1508 nettle_dsa_signature_clear(&signature);
1509 if (!res)
1510 return "ECDSA signature verification failed";
1511 else
1512 return NULL;
1513}
1514#endif
1515
1516/**
1517 * Check a canonical sig+rrset and signature against a dnskey
1518 * @param buf: buffer with data to verify, the first rrsig part and the
1519 * canonicalized rrset.
1520 * @param algo: DNSKEY algorithm.
1521 * @param sigblock: signature rdata field from RRSIG
1522 * @param sigblock_len: length of sigblock data.
1523 * @param key: public key data from DNSKEY RR.
1524 * @param keylen: length of keydata.
1525 * @param reason: bogus reason in more detail.
1526 * @return secure if verification succeeded, bogus on crypto failure,
1527 * unchecked on format errors and alloc failures.
1528 */
1529enum sec_status
1530verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
1531 unsigned int sigblock_len, unsigned char* key, unsigned int keylen,
1532 char** reason)
1533{
1534 unsigned int digest_size = 0;
1535
1536 if (sigblock_len == 0 || keylen == 0) {
1537 *reason = "null signature";
1538 return sec_status_bogus;
1539 }
1540
1541 switch(algo) {
1542 case LDNS_DSA:
1543 case LDNS_DSA_NSEC3:
1544 *reason = _verify_nettle_dsa(buf, sigblock, sigblock_len, key, keylen);
1545 if (*reason != NULL)
1546 return sec_status_bogus;
1547 else
1548 return sec_status_secure;
1549
1550 case LDNS_RSASHA1:
1551 case LDNS_RSASHA1_NSEC3:
1552 digest_size = (digest_size ? digest_size : SHA1_DIGEST_SIZE);
1553#ifdef USE_SHA2
1554 case LDNS_RSASHA256:
1555 digest_size = (digest_size ? digest_size : SHA256_DIGEST_SIZE);
1556 case LDNS_RSASHA512:
1557 digest_size = (digest_size ? digest_size : SHA512_DIGEST_SIZE);
1558
1559#endif
1560 *reason = _verify_nettle_rsa(buf, digest_size, (char*)sigblock,
1561 sigblock_len, key, keylen);
1562 if (*reason != NULL)
1563 return sec_status_bogus;
1564 else
1565 return sec_status_secure;
1566
1567#ifdef USE_ECDSA
1568 case LDNS_ECDSAP256SHA256:
1569 digest_size = (digest_size ? digest_size : SHA256_DIGEST_SIZE);
1570 case LDNS_ECDSAP384SHA384:
1571 digest_size = (digest_size ? digest_size : SHA384_DIGEST_SIZE);
1572 *reason = _verify_nettle_ecdsa(buf, digest_size, sigblock,
1573 sigblock_len, key, keylen);
1574 if (*reason != NULL)
1575 return sec_status_bogus;
1576 else
1577 return sec_status_secure;
1578#endif
1579 case LDNS_RSAMD5:
1580 case LDNS_ECC_GOST:
1581 default:
1582 *reason = "unable to verify signature, unknown algorithm";
1583 return sec_status_bogus;
1584 }
1585}
1586
1587#endif /* HAVE_SSL or HAVE_NSS or HAVE_NETTLE */
|
| |