2 * validator/val_secalgo.c - validator security algorithm functions.
4 * Copyright (c) 2012, NLnet Labs. All rights reserved.
6 * This software is open source.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * Redistributions of source code must retain the above copyright notice,
13 * this list of conditions and the following disclaimer.
15 * Redistributions in binary form must reproduce the above copyright notice,
16 * this list of conditions and the following disclaimer in the documentation
17 * and/or other materials provided with the distribution.
19 * Neither the name of the NLNET LABS nor the names of its contributors may
20 * be used to endorse or promote products derived from this software without
21 * specific prior written permission.
23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39 * This file contains helper functions for the validator module.
40 * These functions take raw data buffers, formatted for crypto verification,
41 * and do the library calls (for the crypto library in use).
44 /* packed_rrset on top to define enum types (forced by c99 standard) */
45 #include "util/data/packed_rrset.h"
46 #include "validator/val_secalgo.h"
47 #include "validator/val_nsec3.h"
49 #include "sldns/rrdef.h"
50 #include "sldns/keyraw.h"
51 #include "sldns/sbuffer.h"
53 #if !defined(HAVE_SSL) && !defined(HAVE_NSS) && !defined(HAVE_NETTLE)
54 #error "Need crypto library to do digital signature cryptography"
57 /* OpenSSL implementation */
59 #ifdef HAVE_OPENSSL_ERR_H
60 #include <openssl/err.h>
63 #ifdef HAVE_OPENSSL_RAND_H
64 #include <openssl/rand.h>
67 #ifdef HAVE_OPENSSL_CONF_H
68 #include <openssl/conf.h>
71 #ifdef HAVE_OPENSSL_ENGINE_H
72 #include <openssl/engine.h>
75 /** fake DSA support for unit tests */
78 /* return size of digest if supported, or 0 otherwise */
80 nsec3_hash_algo_size_supported(int id)
84 return SHA_DIGEST_LENGTH;
90 /* perform nsec3 hash. return false on failure */
92 secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
97 (void)SHA1(buf, len, res);
105 secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res)
107 (void)SHA256(buf, len, res);
111 * Return size of DS digest according to its hash algorithm.
112 * @param algo: DS digest algo.
113 * @return size in bytes of digest, or 0 if not supported.
116 ds_digest_size_supported(int algo)
121 return SHA_DIGEST_LENGTH;
123 #ifdef HAVE_EVP_SHA256
125 return SHA256_DIGEST_LENGTH;
129 /* we support GOST if it can be loaded */
130 (void)sldns_key_EVP_load_gost_id();
131 if(EVP_get_digestbyname("md_gost94"))
137 return SHA384_DIGEST_LENGTH;
145 /** Perform GOST hash */
147 do_gost94(unsigned char* data, size_t len, unsigned char* dest)
149 const EVP_MD* md = EVP_get_digestbyname("md_gost94");
152 return sldns_digest_evp(data, (unsigned int)len, dest, md);
157 secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
163 (void)SHA1(buf, len, res);
166 #ifdef HAVE_EVP_SHA256
168 (void)SHA256(buf, len, res);
173 if(do_gost94(buf, len, res))
179 (void)SHA384(buf, len, res);
183 verbose(VERB_QUERY, "unknown DS digest algorithm %d",
190 /** return true if DNSKEY algorithm id is supported */
192 dnskey_algo_id_is_supported(int id)
196 /* RFC 6725 deprecates RSAMD5 */
203 if(fake_dsa) return 1;
207 case LDNS_RSASHA1_NSEC3:
208 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
211 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
215 case LDNS_ECDSAP256SHA256:
216 case LDNS_ECDSAP384SHA384:
221 /* we support GOST if it can be loaded */
222 return sldns_key_EVP_load_gost_id();
230 * Output a libcrypto openssl error to the logfile.
231 * @param str: string to add to it.
232 * @param e: the error to output, error number from ERR_get_error().
235 log_crypto_error(const char* str, unsigned long e)
238 /* or use ERR_error_string if ERR_error_string_n is not avail TODO */
239 ERR_error_string_n(e, buf, sizeof(buf));
240 /* buf now contains */
241 /* error:[error code]:[library name]:[function name]:[reason string] */
242 log_err("%s crypto %s", str, buf);
247 * Setup DSA key digest in DER encoding ...
248 * @param sig: input is signature output alloced ptr (unless failure).
249 * caller must free alloced ptr if this routine returns true.
250 * @param len: input is initial siglen, output is output len.
251 * @return false on failure.
254 setup_dsa_sig(unsigned char** sig, unsigned int* len)
256 unsigned char* orig = *sig;
257 unsigned int origlen = *len;
262 /* extract the R and S field from the sig buffer */
263 if(origlen < 1 + 2*SHA_DIGEST_LENGTH)
267 (void) BN_bin2bn(orig + 1, SHA_DIGEST_LENGTH, R);
270 (void) BN_bin2bn(orig + 21, SHA_DIGEST_LENGTH, S);
271 dsasig = DSA_SIG_new();
272 if(!dsasig) return 0;
274 #ifdef HAVE_DSA_SIG_SET0
275 if(!DSA_SIG_set0(dsasig, R, S)) return 0;
281 newlen = i2d_DSA_SIG(dsasig, sig);
283 DSA_SIG_free(dsasig);
287 *len = (unsigned int)newlen;
288 DSA_SIG_free(dsasig);
295 * Setup the ECDSA signature in its encoding that the library wants.
296 * Converts from plain numbers to ASN formatted.
297 * @param sig: input is signature, output alloced ptr (unless failure).
298 * caller must free alloced ptr if this routine returns true.
299 * @param len: input is initial siglen, output is output len.
300 * @return false on failure.
303 setup_ecdsa_sig(unsigned char** sig, unsigned int* len)
305 /* convert from two BIGNUMs in the rdata buffer, to ASN notation.
306 * ASN preable: 30440220 <R 32bytefor256> 0220 <S 32bytefor256>
307 * the '20' is the length of that field (=bnsize).
308 i * the '44' is the total remaining length.
309 * if negative, start with leading zero.
310 * if starts with 00s, remove them from the number.
312 uint8_t pre[] = {0x30, 0x44, 0x02, 0x20};
314 uint8_t mid[] = {0x02, 0x20};
316 int raw_sig_len, r_high, s_high, r_rem=0, s_rem=0;
317 int bnsize = (int)((*len)/2);
318 unsigned char* d = *sig;
320 /* if too short or not even length, fails */
321 if(*len < 16 || bnsize*2 != (int)*len)
324 /* strip leading zeroes from r (but not last one) */
325 while(r_rem < bnsize-1 && d[r_rem] == 0)
327 /* strip leading zeroes from s (but not last one) */
328 while(s_rem < bnsize-1 && d[bnsize+s_rem] == 0)
331 r_high = ((d[0+r_rem]&0x80)?1:0);
332 s_high = ((d[bnsize+s_rem]&0x80)?1:0);
333 raw_sig_len = pre_len + r_high + bnsize - r_rem + mid_len +
334 s_high + bnsize - s_rem;
335 *sig = (unsigned char*)malloc((size_t)raw_sig_len);
340 p[1] = (uint8_t)(raw_sig_len-2);
342 p[3] = (uint8_t)(bnsize + r_high - r_rem);
348 memmove(p, d+r_rem, (size_t)bnsize-r_rem);
350 memmove(p, mid, (size_t)mid_len-1);
352 *p = (uint8_t)(bnsize + s_high - s_rem);
358 memmove(p, d+bnsize+s_rem, (size_t)bnsize-s_rem);
359 *len = (unsigned int)raw_sig_len;
362 #endif /* USE_ECDSA */
364 #ifdef USE_ECDSA_EVP_WORKAROUND
365 static EVP_MD ecdsa_evp_256_md;
366 static EVP_MD ecdsa_evp_384_md;
367 void ecdsa_evp_workaround_init(void)
369 /* openssl before 1.0.0 fixes RSA with the SHA256
370 * hash in EVP. We create one for ecdsa_sha256 */
371 ecdsa_evp_256_md = *EVP_sha256();
372 ecdsa_evp_256_md.required_pkey_type[0] = EVP_PKEY_EC;
373 ecdsa_evp_256_md.verify = (void*)ECDSA_verify;
375 ecdsa_evp_384_md = *EVP_sha384();
376 ecdsa_evp_384_md.required_pkey_type[0] = EVP_PKEY_EC;
377 ecdsa_evp_384_md.verify = (void*)ECDSA_verify;
379 #endif /* USE_ECDSA_EVP_WORKAROUND */
382 * Setup key and digest for verification. Adjust sig if necessary.
384 * @param algo: key algorithm
385 * @param evp_key: EVP PKEY public key to create.
386 * @param digest_type: digest type to use
387 * @param key: key to setup for.
388 * @param keylen: length of key.
389 * @return false on failure.
392 setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type,
393 unsigned char* key, size_t keylen)
404 *evp_key = EVP_PKEY_new();
406 log_err("verify: malloc failure in crypto");
409 dsa = sldns_key_buf2dsa_raw(key, keylen);
411 verbose(VERB_QUERY, "verify: "
412 "sldns_key_buf2dsa_raw failed");
415 if(EVP_PKEY_assign_DSA(*evp_key, dsa) == 0) {
416 verbose(VERB_QUERY, "verify: "
417 "EVP_PKEY_assign_DSA failed");
421 *digest_type = EVP_dss1();
423 *digest_type = EVP_sha1();
429 case LDNS_RSASHA1_NSEC3:
430 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
433 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
436 *evp_key = EVP_PKEY_new();
438 log_err("verify: malloc failure in crypto");
441 rsa = sldns_key_buf2rsa_raw(key, keylen);
443 verbose(VERB_QUERY, "verify: "
444 "sldns_key_buf2rsa_raw SHA failed");
447 if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) {
448 verbose(VERB_QUERY, "verify: "
449 "EVP_PKEY_assign_RSA SHA failed");
453 /* select SHA version */
454 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
455 if(algo == LDNS_RSASHA256)
456 *digest_type = EVP_sha256();
459 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
460 if(algo == LDNS_RSASHA512)
461 *digest_type = EVP_sha512();
464 *digest_type = EVP_sha1();
468 *evp_key = EVP_PKEY_new();
470 log_err("verify: malloc failure in crypto");
473 rsa = sldns_key_buf2rsa_raw(key, keylen);
475 verbose(VERB_QUERY, "verify: "
476 "sldns_key_buf2rsa_raw MD5 failed");
479 if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) {
480 verbose(VERB_QUERY, "verify: "
481 "EVP_PKEY_assign_RSA MD5 failed");
484 *digest_type = EVP_md5();
489 *evp_key = sldns_gost2pkey_raw(key, keylen);
491 verbose(VERB_QUERY, "verify: "
492 "sldns_gost2pkey_raw failed");
495 *digest_type = EVP_get_digestbyname("md_gost94");
497 verbose(VERB_QUERY, "verify: "
498 "EVP_getdigest md_gost94 failed");
504 case LDNS_ECDSAP256SHA256:
505 *evp_key = sldns_ecdsa2pkey_raw(key, keylen,
506 LDNS_ECDSAP256SHA256);
508 verbose(VERB_QUERY, "verify: "
509 "sldns_ecdsa2pkey_raw failed");
512 #ifdef USE_ECDSA_EVP_WORKAROUND
513 *digest_type = &ecdsa_evp_256_md;
515 *digest_type = EVP_sha256();
518 case LDNS_ECDSAP384SHA384:
519 *evp_key = sldns_ecdsa2pkey_raw(key, keylen,
520 LDNS_ECDSAP384SHA384);
522 verbose(VERB_QUERY, "verify: "
523 "sldns_ecdsa2pkey_raw failed");
526 #ifdef USE_ECDSA_EVP_WORKAROUND
527 *digest_type = &ecdsa_evp_384_md;
529 *digest_type = EVP_sha384();
532 #endif /* USE_ECDSA */
534 verbose(VERB_QUERY, "verify: unknown algorithm %d",
542 * Check a canonical sig+rrset and signature against a dnskey
543 * @param buf: buffer with data to verify, the first rrsig part and the
544 * canonicalized rrset.
545 * @param algo: DNSKEY algorithm.
546 * @param sigblock: signature rdata field from RRSIG
547 * @param sigblock_len: length of sigblock data.
548 * @param key: public key data from DNSKEY RR.
549 * @param keylen: length of keydata.
550 * @param reason: bogus reason in more detail.
551 * @return secure if verification succeeded, bogus on crypto failure,
552 * unchecked on format errors and alloc failures.
555 verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
556 unsigned int sigblock_len, unsigned char* key, unsigned int keylen,
559 const EVP_MD *digest_type;
561 int res, dofree = 0, docrypto_free = 0;
562 EVP_PKEY *evp_key = NULL;
565 if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) && fake_dsa)
566 return sec_status_secure;
569 if(!setup_key_digest(algo, &evp_key, &digest_type, key, keylen)) {
570 verbose(VERB_QUERY, "verify: failed to setup key");
571 *reason = "use of key for crypto failed";
572 EVP_PKEY_free(evp_key);
573 return sec_status_bogus;
576 /* if it is a DSA signature in bind format, convert to DER format */
577 if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) &&
578 sigblock_len == 1+2*SHA_DIGEST_LENGTH) {
579 if(!setup_dsa_sig(&sigblock, &sigblock_len)) {
580 verbose(VERB_QUERY, "verify: failed to setup DSA sig");
581 *reason = "use of key for DSA crypto failed";
582 EVP_PKEY_free(evp_key);
583 return sec_status_bogus;
588 #if defined(USE_ECDSA) && defined(USE_DSA)
592 if(algo == LDNS_ECDSAP256SHA256 || algo == LDNS_ECDSAP384SHA384) {
593 /* EVP uses ASN prefix on sig, which is not in the wire data */
594 if(!setup_ecdsa_sig(&sigblock, &sigblock_len)) {
595 verbose(VERB_QUERY, "verify: failed to setup ECDSA sig");
596 *reason = "use of signature for ECDSA crypto failed";
597 EVP_PKEY_free(evp_key);
598 return sec_status_bogus;
602 #endif /* USE_ECDSA */
604 /* do the signature cryptography work */
605 #ifdef HAVE_EVP_MD_CTX_NEW
606 ctx = EVP_MD_CTX_new();
608 ctx = (EVP_MD_CTX*)malloc(sizeof(*ctx));
609 if(ctx) EVP_MD_CTX_init(ctx);
612 log_err("EVP_MD_CTX_new: malloc failure");
613 EVP_PKEY_free(evp_key);
614 if(dofree) free(sigblock);
615 else if(docrypto_free) OPENSSL_free(sigblock);
616 return sec_status_unchecked;
618 if(EVP_VerifyInit(ctx, digest_type) == 0) {
619 verbose(VERB_QUERY, "verify: EVP_VerifyInit failed");
620 EVP_MD_CTX_destroy(ctx);
621 EVP_PKEY_free(evp_key);
622 if(dofree) free(sigblock);
623 else if(docrypto_free) OPENSSL_free(sigblock);
624 return sec_status_unchecked;
626 if(EVP_VerifyUpdate(ctx, (unsigned char*)sldns_buffer_begin(buf),
627 (unsigned int)sldns_buffer_limit(buf)) == 0) {
628 verbose(VERB_QUERY, "verify: EVP_VerifyUpdate failed");
629 EVP_MD_CTX_destroy(ctx);
630 EVP_PKEY_free(evp_key);
631 if(dofree) free(sigblock);
632 else if(docrypto_free) OPENSSL_free(sigblock);
633 return sec_status_unchecked;
636 res = EVP_VerifyFinal(ctx, sigblock, sigblock_len, evp_key);
637 #ifdef HAVE_EVP_MD_CTX_NEW
638 EVP_MD_CTX_destroy(ctx);
640 EVP_MD_CTX_cleanup(ctx);
643 EVP_PKEY_free(evp_key);
645 if(dofree) free(sigblock);
646 else if(docrypto_free) OPENSSL_free(sigblock);
649 return sec_status_secure;
650 } else if(res == 0) {
651 verbose(VERB_QUERY, "verify: signature mismatch");
652 *reason = "signature crypto failed";
653 return sec_status_bogus;
656 log_crypto_error("verify:", ERR_get_error());
657 return sec_status_unchecked;
660 /**************************************************/
661 #elif defined(HAVE_NSS)
662 /* libnss implementation */
668 #include "cryptohi.h"
672 /* return size of digest if supported, or 0 otherwise */
674 nsec3_hash_algo_size_supported(int id)
677 case NSEC3_HASH_SHA1:
684 /* perform nsec3 hash. return false on failure */
686 secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
690 case NSEC3_HASH_SHA1:
691 (void)HASH_HashBuf(HASH_AlgSHA1, res, buf, (unsigned long)len);
699 secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res)
701 (void)HASH_HashBuf(HASH_AlgSHA256, res, buf, (unsigned long)len);
705 ds_digest_size_supported(int algo)
713 return SHA256_LENGTH;
717 return SHA384_LENGTH;
719 /* GOST not supported in NSS */
727 secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
733 return HASH_HashBuf(HASH_AlgSHA1, res, buf, len)
735 #if defined(USE_SHA2)
737 return HASH_HashBuf(HASH_AlgSHA256, res, buf, len)
742 return HASH_HashBuf(HASH_AlgSHA384, res, buf, len)
747 verbose(VERB_QUERY, "unknown DS digest algorithm %d",
755 dnskey_algo_id_is_supported(int id)
760 /* RFC 6725 deprecates RSAMD5 */
767 case LDNS_RSASHA1_NSEC3:
776 case LDNS_ECDSAP256SHA256:
777 case LDNS_ECDSAP384SHA384:
778 return PK11_TokenExists(CKM_ECDSA);
786 /* return a new public key for NSS */
787 static SECKEYPublicKey* nss_key_create(KeyType ktype)
789 SECKEYPublicKey* key;
790 PLArenaPool* arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
792 log_err("out of memory, PORT_NewArena failed");
795 key = PORT_ArenaZNew(arena, SECKEYPublicKey);
797 log_err("out of memory, PORT_ArenaZNew failed");
798 PORT_FreeArena(arena, PR_FALSE);
802 key->keyType = ktype;
803 key->pkcs11Slot = NULL;
804 key->pkcs11ID = CK_INVALID_HANDLE;
808 static SECKEYPublicKey* nss_buf2ecdsa(unsigned char* key, size_t len, int algo)
811 SECItem pub = {siBuffer, NULL, 0};
812 SECItem params = {siBuffer, NULL, 0};
813 static unsigned char param256[] = {
814 /* OBJECTIDENTIFIER 1.2.840.10045.3.1.7 (P-256)
815 * {iso(1) member-body(2) us(840) ansi-x962(10045) curves(3) prime(1) prime256v1(7)} */
816 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07
818 static unsigned char param384[] = {
819 /* OBJECTIDENTIFIER 1.3.132.0.34 (P-384)
820 * {iso(1) identified-organization(3) certicom(132) curve(0) ansip384r1(34)} */
821 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22
823 unsigned char buf[256+2]; /* sufficient for 2*384/8+1 */
825 /* check length, which uncompressed must be 2 bignums */
826 if(algo == LDNS_ECDSAP256SHA256) {
827 if(len != 2*256/8) return NULL;
828 /* ECCurve_X9_62_PRIME_256V1 */
829 } else if(algo == LDNS_ECDSAP384SHA384) {
830 if(len != 2*384/8) return NULL;
831 /* ECCurve_X9_62_PRIME_384R1 */
834 buf[0] = 0x04; /* POINT_FORM_UNCOMPRESSED */
835 memmove(buf+1, key, len);
838 if(algo == LDNS_ECDSAP256SHA256) {
839 params.data = param256;
840 params.len = sizeof(param256);
842 params.data = param384;
843 params.len = sizeof(param384);
846 pk = nss_key_create(ecKey);
849 pk->u.ec.size = (len/2)*8;
850 if(SECITEM_CopyItem(pk->arena, &pk->u.ec.publicValue, &pub)) {
851 SECKEY_DestroyPublicKey(pk);
854 if(SECITEM_CopyItem(pk->arena, &pk->u.ec.DEREncodedParams, ¶ms)) {
855 SECKEY_DestroyPublicKey(pk);
862 static SECKEYPublicKey* nss_buf2dsa(unsigned char* key, size_t len)
868 SECItem Q = {siBuffer, NULL, 0};
869 SECItem P = {siBuffer, NULL, 0};
870 SECItem G = {siBuffer, NULL, 0};
871 SECItem Y = {siBuffer, NULL, 0};
876 length = (64 + T * 8);
882 if(len < (size_t)1 + SHA1_LENGTH + 3*length)
887 offset += SHA1_LENGTH;
901 pk = nss_key_create(dsaKey);
904 if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.prime, &P)) {
905 SECKEY_DestroyPublicKey(pk);
908 if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.subPrime, &Q)) {
909 SECKEY_DestroyPublicKey(pk);
912 if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.base, &G)) {
913 SECKEY_DestroyPublicKey(pk);
916 if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.publicValue, &Y)) {
917 SECKEY_DestroyPublicKey(pk);
923 static SECKEYPublicKey* nss_buf2rsa(unsigned char* key, size_t len)
929 SECItem modulus = {siBuffer, NULL, 0};
930 SECItem exponent = {siBuffer, NULL, 0};
936 /* the exponent is too large so it's places further */
937 memmove(&int16, key+1, 2);
945 /* key length at least one */
946 if(len < (size_t)offset + exp + 1)
949 exponent.data = key+offset;
952 modulus.data = key+offset;
953 modulus.len = (len - offset);
955 pk = nss_key_create(rsaKey);
958 if(SECITEM_CopyItem(pk->arena, &pk->u.rsa.modulus, &modulus)) {
959 SECKEY_DestroyPublicKey(pk);
962 if(SECITEM_CopyItem(pk->arena, &pk->u.rsa.publicExponent, &exponent)) {
963 SECKEY_DestroyPublicKey(pk);
970 * Setup key and digest for verification. Adjust sig if necessary.
972 * @param algo: key algorithm
973 * @param evp_key: EVP PKEY public key to create.
974 * @param digest_type: digest type to use
975 * @param key: key to setup for.
976 * @param keylen: length of key.
977 * @param prefix: if returned, the ASN prefix for the hashblob.
978 * @param prefixlen: length of the prefix.
979 * @return false on failure.
982 nss_setup_key_digest(int algo, SECKEYPublicKey** pubkey, HASH_HashType* htype,
983 unsigned char* key, size_t keylen, unsigned char** prefix,
988 /* hash prefix for md5, RFC2537 */
989 static unsigned char p_md5[] = {0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a,
990 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 0x04, 0x10};
991 /* hash prefix to prepend to hash output, from RFC3110 */
992 static unsigned char p_sha1[] = {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B,
993 0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14};
995 static unsigned char p_sha256[] = {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60,
996 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20};
997 static unsigned char p_sha512[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60,
998 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40};
1000 /* for future RSASHA384 ..
1001 static unsigned char p_sha384[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60,
1002 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30};
1008 case LDNS_DSA_NSEC3:
1009 *pubkey = nss_buf2dsa(key, keylen);
1011 log_err("verify: malloc failure in crypto");
1014 *htype = HASH_AlgSHA1;
1015 /* no prefix for DSA verification */
1019 case LDNS_RSASHA1_NSEC3:
1021 case LDNS_RSASHA256:
1024 case LDNS_RSASHA512:
1026 *pubkey = nss_buf2rsa(key, keylen);
1028 log_err("verify: malloc failure in crypto");
1031 /* select SHA version */
1033 if(algo == LDNS_RSASHA256) {
1034 *htype = HASH_AlgSHA256;
1036 *prefixlen = sizeof(p_sha256);
1040 if(algo == LDNS_RSASHA512) {
1041 *htype = HASH_AlgSHA512;
1043 *prefixlen = sizeof(p_sha512);
1047 *htype = HASH_AlgSHA1;
1049 *prefixlen = sizeof(p_sha1);
1054 *pubkey = nss_buf2rsa(key, keylen);
1056 log_err("verify: malloc failure in crypto");
1059 *htype = HASH_AlgMD5;
1061 *prefixlen = sizeof(p_md5);
1065 case LDNS_ECDSAP256SHA256:
1066 *pubkey = nss_buf2ecdsa(key, keylen,
1067 LDNS_ECDSAP256SHA256);
1069 log_err("verify: malloc failure in crypto");
1072 *htype = HASH_AlgSHA256;
1073 /* no prefix for DSA verification */
1075 case LDNS_ECDSAP384SHA384:
1076 *pubkey = nss_buf2ecdsa(key, keylen,
1077 LDNS_ECDSAP384SHA384);
1079 log_err("verify: malloc failure in crypto");
1082 *htype = HASH_AlgSHA384;
1083 /* no prefix for DSA verification */
1085 #endif /* USE_ECDSA */
1088 verbose(VERB_QUERY, "verify: unknown algorithm %d",
1096 * Check a canonical sig+rrset and signature against a dnskey
1097 * @param buf: buffer with data to verify, the first rrsig part and the
1098 * canonicalized rrset.
1099 * @param algo: DNSKEY algorithm.
1100 * @param sigblock: signature rdata field from RRSIG
1101 * @param sigblock_len: length of sigblock data.
1102 * @param key: public key data from DNSKEY RR.
1103 * @param keylen: length of keydata.
1104 * @param reason: bogus reason in more detail.
1105 * @return secure if verification succeeded, bogus on crypto failure,
1106 * unchecked on format errors and alloc failures.
1109 verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
1110 unsigned int sigblock_len, unsigned char* key, unsigned int keylen,
1114 /* large enough for the different hashes */
1115 unsigned char hash[HASH_LENGTH_MAX];
1116 unsigned char hash2[HASH_LENGTH_MAX*2];
1117 HASH_HashType htype = 0;
1118 SECKEYPublicKey* pubkey = NULL;
1119 SECItem secsig = {siBuffer, sigblock, sigblock_len};
1120 SECItem sechash = {siBuffer, hash, 0};
1122 unsigned char* prefix = NULL; /* prefix for hash, RFC3110, RFC5702 */
1123 size_t prefixlen = 0;
1126 if(!nss_setup_key_digest(algo, &pubkey, &htype, key, keylen,
1127 &prefix, &prefixlen)) {
1128 verbose(VERB_QUERY, "verify: failed to setup key");
1129 *reason = "use of key for crypto failed";
1130 SECKEY_DestroyPublicKey(pubkey);
1131 return sec_status_bogus;
1135 /* need to convert DSA, ECDSA signatures? */
1136 if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3)) {
1137 if(sigblock_len == 1+2*SHA1_LENGTH) {
1141 SECItem* p = DSAU_DecodeDerSig(&secsig);
1143 verbose(VERB_QUERY, "verify: failed DER decode");
1144 *reason = "signature DER decode failed";
1145 SECKEY_DestroyPublicKey(pubkey);
1146 return sec_status_bogus;
1148 if(SECITEM_CopyItem(pubkey->arena, &secsig, p)) {
1149 log_err("alloc failure in DER decode");
1150 SECKEY_DestroyPublicKey(pubkey);
1151 SECITEM_FreeItem(p, PR_TRUE);
1152 return sec_status_unchecked;
1154 SECITEM_FreeItem(p, PR_TRUE);
1157 #endif /* USE_DSA */
1159 /* do the signature cryptography work */
1161 sechash.len = HASH_ResultLen(htype);
1162 if(sechash.len > sizeof(hash)) {
1163 verbose(VERB_QUERY, "verify: hash too large for buffer");
1164 SECKEY_DestroyPublicKey(pubkey);
1165 return sec_status_unchecked;
1167 if(HASH_HashBuf(htype, hash, (unsigned char*)sldns_buffer_begin(buf),
1168 (unsigned int)sldns_buffer_limit(buf)) != SECSuccess) {
1169 verbose(VERB_QUERY, "verify: HASH_HashBuf failed");
1170 SECKEY_DestroyPublicKey(pubkey);
1171 return sec_status_unchecked;
1174 int hashlen = sechash.len;
1175 if(prefixlen+hashlen > sizeof(hash2)) {
1176 verbose(VERB_QUERY, "verify: hashprefix too large");
1177 SECKEY_DestroyPublicKey(pubkey);
1178 return sec_status_unchecked;
1180 sechash.data = hash2;
1181 sechash.len = prefixlen+hashlen;
1182 memcpy(sechash.data, prefix, prefixlen);
1183 memmove(sechash.data+prefixlen, hash, hashlen);
1186 /* verify the signature */
1187 res = PK11_Verify(pubkey, &secsig, &sechash, NULL /*wincx*/);
1188 SECKEY_DestroyPublicKey(pubkey);
1190 if(res == SECSuccess) {
1191 return sec_status_secure;
1193 err = PORT_GetError();
1194 if(err != SEC_ERROR_BAD_SIGNATURE) {
1195 /* failed to verify */
1196 verbose(VERB_QUERY, "verify: PK11_Verify failed: %s",
1197 PORT_ErrorToString(err));
1198 /* if it is not supported, like ECC is removed, we get,
1199 * SEC_ERROR_NO_MODULE */
1200 if(err == SEC_ERROR_NO_MODULE)
1201 return sec_status_unchecked;
1202 /* but other errors are commonly returned
1203 * for a bad signature from NSS. Thus we return bogus,
1205 *reason = "signature crypto failed";
1206 return sec_status_bogus;
1208 verbose(VERB_QUERY, "verify: signature mismatch: %s",
1209 PORT_ErrorToString(err));
1210 *reason = "signature crypto failed";
1211 return sec_status_bogus;
1214 #elif defined(HAVE_NETTLE)
1221 #ifdef HAVE_NETTLE_DSA_COMPAT_H
1222 #include "dsa-compat.h"
1227 #include "ecc-curve.h"
1231 _digest_nettle(int algo, uint8_t* buf, size_t len,
1235 case SHA1_DIGEST_SIZE:
1237 struct sha1_ctx ctx;
1239 sha1_update(&ctx, len, buf);
1240 sha1_digest(&ctx, SHA1_DIGEST_SIZE, res);
1243 case SHA256_DIGEST_SIZE:
1245 struct sha256_ctx ctx;
1247 sha256_update(&ctx, len, buf);
1248 sha256_digest(&ctx, SHA256_DIGEST_SIZE, res);
1251 case SHA384_DIGEST_SIZE:
1253 struct sha384_ctx ctx;
1255 sha384_update(&ctx, len, buf);
1256 sha384_digest(&ctx, SHA384_DIGEST_SIZE, res);
1259 case SHA512_DIGEST_SIZE:
1261 struct sha512_ctx ctx;
1263 sha512_update(&ctx, len, buf);
1264 sha512_digest(&ctx, SHA512_DIGEST_SIZE, res);
1273 /* return size of digest if supported, or 0 otherwise */
1275 nsec3_hash_algo_size_supported(int id)
1278 case NSEC3_HASH_SHA1:
1279 return SHA1_DIGEST_SIZE;
1285 /* perform nsec3 hash. return false on failure */
1287 secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
1291 case NSEC3_HASH_SHA1:
1292 return _digest_nettle(SHA1_DIGEST_SIZE, (uint8_t*)buf, len,
1300 secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res)
1302 _digest_nettle(SHA256_DIGEST_SIZE, (uint8_t*)buf, len, res);
1306 * Return size of DS digest according to its hash algorithm.
1307 * @param algo: DS digest algo.
1308 * @return size in bytes of digest, or 0 if not supported.
1311 ds_digest_size_supported(int algo)
1315 return SHA1_DIGEST_SIZE;
1318 return SHA256_DIGEST_SIZE;
1322 return SHA384_DIGEST_SIZE;
1324 /* GOST not supported */
1325 case LDNS_HASH_GOST:
1333 secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
1338 return _digest_nettle(SHA1_DIGEST_SIZE, buf, len, res);
1339 #if defined(USE_SHA2)
1341 return _digest_nettle(SHA256_DIGEST_SIZE, buf, len, res);
1345 return _digest_nettle(SHA384_DIGEST_SIZE, buf, len, res);
1348 case LDNS_HASH_GOST:
1350 verbose(VERB_QUERY, "unknown DS digest algorithm %d",
1358 dnskey_algo_id_is_supported(int id)
1360 /* uses libnettle */
1364 case LDNS_DSA_NSEC3:
1367 case LDNS_RSASHA1_NSEC3:
1369 case LDNS_RSASHA256:
1370 case LDNS_RSASHA512:
1373 case LDNS_ECDSAP256SHA256:
1374 case LDNS_ECDSAP384SHA384:
1377 case LDNS_RSAMD5: /* RFC 6725 deprecates RSAMD5 */
1386 _verify_nettle_dsa(sldns_buffer* buf, unsigned char* sigblock,
1387 unsigned int sigblock_len, unsigned char* key, unsigned int keylen)
1389 uint8_t digest[SHA1_DIGEST_SIZE];
1393 struct dsa_public_key pubkey;
1394 struct dsa_signature signature;
1395 unsigned int expected_len;
1397 /* Extract DSA signature from the record */
1398 nettle_dsa_signature_init(&signature);
1399 /* Signature length: 41 bytes - RFC 2536 sec. 3 */
1400 if(sigblock_len == 41) {
1401 if(key[0] != sigblock[0])
1402 return "invalid T value in DSA signature or pubkey";
1403 nettle_mpz_set_str_256_u(signature.r, 20, sigblock+1);
1404 nettle_mpz_set_str_256_u(signature.s, 20, sigblock+1+20);
1406 /* DER encoded, decode the ASN1 notated R and S bignums */
1407 /* SEQUENCE { r INTEGER, s INTEGER } */
1408 struct asn1_der_iterator i, seq;
1409 if(asn1_der_iterator_first(&i, sigblock_len,
1410 (uint8_t*)sigblock) != ASN1_ITERATOR_CONSTRUCTED
1411 || i.type != ASN1_SEQUENCE)
1412 return "malformed DER encoded DSA signature";
1413 /* decode this element of i using the seq iterator */
1414 if(asn1_der_decode_constructed(&i, &seq) !=
1415 ASN1_ITERATOR_PRIMITIVE || seq.type != ASN1_INTEGER)
1416 return "malformed DER encoded DSA signature";
1417 if(!asn1_der_get_bignum(&seq, signature.r, 20*8))
1418 return "malformed DER encoded DSA signature";
1419 if(asn1_der_iterator_next(&seq) != ASN1_ITERATOR_PRIMITIVE
1420 || seq.type != ASN1_INTEGER)
1421 return "malformed DER encoded DSA signature";
1422 if(!asn1_der_get_bignum(&seq, signature.s, 20*8))
1423 return "malformed DER encoded DSA signature";
1424 if(asn1_der_iterator_next(&i) != ASN1_ITERATOR_END)
1425 return "malformed DER encoded DSA signature";
1428 /* Validate T values constraints - RFC 2536 sec. 2 & sec. 3 */
1431 return "invalid T value in DSA pubkey";
1434 /* Pubkey minimum length: 21 bytes - RFC 2536 sec. 2 */
1436 return "DSA pubkey too short";
1439 expected_len = 1 + /* T */
1441 (64 + key_t*8) + /* P */
1442 (64 + key_t*8) + /* G */
1443 (64 + key_t*8); /* Y */
1444 if (keylen != expected_len ) {
1445 return "invalid DSA pubkey length";
1448 /* Extract DSA pubkey from the record */
1449 nettle_dsa_public_key_init(&pubkey);
1451 nettle_mpz_set_str_256_u(pubkey.q, 20, key+offset);
1453 nettle_mpz_set_str_256_u(pubkey.p, (64 + key_t*8), key+offset);
1454 offset += (64 + key_t*8);
1455 nettle_mpz_set_str_256_u(pubkey.g, (64 + key_t*8), key+offset);
1456 offset += (64 + key_t*8);
1457 nettle_mpz_set_str_256_u(pubkey.y, (64 + key_t*8), key+offset);
1459 /* Digest content of "buf" and verify its DSA signature in "sigblock"*/
1460 res = _digest_nettle(SHA1_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1461 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1462 res &= dsa_sha1_verify_digest(&pubkey, digest, &signature);
1464 /* Clear and return */
1465 nettle_dsa_signature_clear(&signature);
1466 nettle_dsa_public_key_clear(&pubkey);
1468 return "DSA signature verification failed";
1472 #endif /* USE_DSA */
1475 _verify_nettle_rsa(sldns_buffer* buf, unsigned int digest_size, char* sigblock,
1476 unsigned int sigblock_len, uint8_t* key, unsigned int keylen)
1478 uint16_t exp_len = 0;
1479 size_t exp_offset = 0, mod_offset = 0;
1480 struct rsa_public_key pubkey;
1484 /* RSA pubkey parsing as per RFC 3110 sec. 2 */
1486 return "null RSA key";
1493 /* 1-byte NUL + 2-bytes exponent length */
1495 return "incorrect RSA key length";
1497 exp_len = READ_UINT16(key+1);
1499 return "null RSA exponent length";
1502 /* Check that we are not over-running input length */
1503 if (keylen < exp_offset + exp_len + 1) {
1504 return "RSA key content shorter than expected";
1506 mod_offset = exp_offset + exp_len;
1507 nettle_rsa_public_key_init(&pubkey);
1508 pubkey.size = keylen - mod_offset;
1509 nettle_mpz_set_str_256_u(pubkey.e, exp_len, &key[exp_offset]);
1510 nettle_mpz_set_str_256_u(pubkey.n, pubkey.size, &key[mod_offset]);
1512 /* Digest content of "buf" and verify its RSA signature in "sigblock"*/
1513 nettle_mpz_init_set_str_256_u(signature, sigblock_len, (uint8_t*)sigblock);
1514 switch (digest_size) {
1515 case SHA1_DIGEST_SIZE:
1517 uint8_t digest[SHA1_DIGEST_SIZE];
1518 res = _digest_nettle(SHA1_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1519 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1520 res &= rsa_sha1_verify_digest(&pubkey, digest, signature);
1523 case SHA256_DIGEST_SIZE:
1525 uint8_t digest[SHA256_DIGEST_SIZE];
1526 res = _digest_nettle(SHA256_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1527 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1528 res &= rsa_sha256_verify_digest(&pubkey, digest, signature);
1531 case SHA512_DIGEST_SIZE:
1533 uint8_t digest[SHA512_DIGEST_SIZE];
1534 res = _digest_nettle(SHA512_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1535 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1536 res &= rsa_sha512_verify_digest(&pubkey, digest, signature);
1543 /* Clear and return */
1544 nettle_rsa_public_key_clear(&pubkey);
1545 mpz_clear(signature);
1547 return "RSA signature verification failed";
1555 _verify_nettle_ecdsa(sldns_buffer* buf, unsigned int digest_size, unsigned char* sigblock,
1556 unsigned int sigblock_len, unsigned char* key, unsigned int keylen)
1559 struct ecc_point pubkey;
1560 struct dsa_signature signature;
1562 /* Always matched strength, as per RFC 6605 sec. 1 */
1563 if (sigblock_len != 2*digest_size || keylen != 2*digest_size) {
1564 return "wrong ECDSA signature length";
1567 /* Parse ECDSA signature as per RFC 6605 sec. 4 */
1568 nettle_dsa_signature_init(&signature);
1569 switch (digest_size) {
1570 case SHA256_DIGEST_SIZE:
1572 uint8_t digest[SHA256_DIGEST_SIZE];
1574 nettle_ecc_point_init(&pubkey, &nettle_secp_256r1);
1575 nettle_mpz_init_set_str_256_u(x, SHA256_DIGEST_SIZE, key);
1576 nettle_mpz_init_set_str_256_u(y, SHA256_DIGEST_SIZE, key+SHA256_DIGEST_SIZE);
1577 nettle_mpz_set_str_256_u(signature.r, SHA256_DIGEST_SIZE, sigblock);
1578 nettle_mpz_set_str_256_u(signature.s, SHA256_DIGEST_SIZE, sigblock+SHA256_DIGEST_SIZE);
1579 res = _digest_nettle(SHA256_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1580 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1581 res &= nettle_ecc_point_set(&pubkey, x, y);
1582 res &= nettle_ecdsa_verify (&pubkey, SHA256_DIGEST_SIZE, digest, &signature);
1587 case SHA384_DIGEST_SIZE:
1589 uint8_t digest[SHA384_DIGEST_SIZE];
1591 nettle_ecc_point_init(&pubkey, &nettle_secp_384r1);
1592 nettle_mpz_init_set_str_256_u(x, SHA384_DIGEST_SIZE, key);
1593 nettle_mpz_init_set_str_256_u(y, SHA384_DIGEST_SIZE, key+SHA384_DIGEST_SIZE);
1594 nettle_mpz_set_str_256_u(signature.r, SHA384_DIGEST_SIZE, sigblock);
1595 nettle_mpz_set_str_256_u(signature.s, SHA384_DIGEST_SIZE, sigblock+SHA384_DIGEST_SIZE);
1596 res = _digest_nettle(SHA384_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1597 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1598 res &= nettle_ecc_point_set(&pubkey, x, y);
1599 res &= nettle_ecdsa_verify (&pubkey, SHA384_DIGEST_SIZE, digest, &signature);
1602 nettle_ecc_point_clear(&pubkey);
1606 return "unknown ECDSA algorithm";
1609 /* Clear and return */
1610 nettle_dsa_signature_clear(&signature);
1612 return "ECDSA signature verification failed";
1619 * Check a canonical sig+rrset and signature against a dnskey
1620 * @param buf: buffer with data to verify, the first rrsig part and the
1621 * canonicalized rrset.
1622 * @param algo: DNSKEY algorithm.
1623 * @param sigblock: signature rdata field from RRSIG
1624 * @param sigblock_len: length of sigblock data.
1625 * @param key: public key data from DNSKEY RR.
1626 * @param keylen: length of keydata.
1627 * @param reason: bogus reason in more detail.
1628 * @return secure if verification succeeded, bogus on crypto failure,
1629 * unchecked on format errors and alloc failures.
1632 verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
1633 unsigned int sigblock_len, unsigned char* key, unsigned int keylen,
1636 unsigned int digest_size = 0;
1638 if (sigblock_len == 0 || keylen == 0) {
1639 *reason = "null signature";
1640 return sec_status_bogus;
1646 case LDNS_DSA_NSEC3:
1647 *reason = _verify_nettle_dsa(buf, sigblock, sigblock_len, key, keylen);
1648 if (*reason != NULL)
1649 return sec_status_bogus;
1651 return sec_status_secure;
1652 #endif /* USE_DSA */
1655 case LDNS_RSASHA1_NSEC3:
1656 digest_size = (digest_size ? digest_size : SHA1_DIGEST_SIZE);
1658 case LDNS_RSASHA256:
1659 digest_size = (digest_size ? digest_size : SHA256_DIGEST_SIZE);
1660 case LDNS_RSASHA512:
1661 digest_size = (digest_size ? digest_size : SHA512_DIGEST_SIZE);
1664 *reason = _verify_nettle_rsa(buf, digest_size, (char*)sigblock,
1665 sigblock_len, key, keylen);
1666 if (*reason != NULL)
1667 return sec_status_bogus;
1669 return sec_status_secure;
1672 case LDNS_ECDSAP256SHA256:
1673 digest_size = (digest_size ? digest_size : SHA256_DIGEST_SIZE);
1674 case LDNS_ECDSAP384SHA384:
1675 digest_size = (digest_size ? digest_size : SHA384_DIGEST_SIZE);
1676 *reason = _verify_nettle_ecdsa(buf, digest_size, sigblock,
1677 sigblock_len, key, keylen);
1678 if (*reason != NULL)
1679 return sec_status_bogus;
1681 return sec_status_secure;
1686 *reason = "unable to verify signature, unknown algorithm";
1687 return sec_status_bogus;
1691 #endif /* HAVE_SSL or HAVE_NSS or HAVE_NETTLE */