2 * validator/val_secalgo.c - validator security algorithm functions.
4 * Copyright (c) 2012, NLnet Labs. All rights reserved.
6 * This software is open source.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * Redistributions of source code must retain the above copyright notice,
13 * this list of conditions and the following disclaimer.
15 * Redistributions in binary form must reproduce the above copyright notice,
16 * this list of conditions and the following disclaimer in the documentation
17 * and/or other materials provided with the distribution.
19 * Neither the name of the NLNET LABS nor the names of its contributors may
20 * be used to endorse or promote products derived from this software without
21 * specific prior written permission.
23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39 * This file contains helper functions for the validator module.
40 * These functions take raw data buffers, formatted for crypto verification,
41 * and do the library calls (for the crypto library in use).
44 /* packed_rrset on top to define enum types (forced by c99 standard) */
45 #include "util/data/packed_rrset.h"
46 #include "validator/val_secalgo.h"
47 #include "validator/val_nsec3.h"
49 #include "sldns/rrdef.h"
50 #include "sldns/keyraw.h"
51 #include "sldns/sbuffer.h"
53 #if !defined(HAVE_SSL) && !defined(HAVE_NSS) && !defined(HAVE_NETTLE)
54 #error "Need crypto library to do digital signature cryptography"
57 /* OpenSSL implementation */
59 #ifdef HAVE_OPENSSL_ERR_H
60 #include <openssl/err.h>
63 #ifdef HAVE_OPENSSL_RAND_H
64 #include <openssl/rand.h>
67 #ifdef HAVE_OPENSSL_CONF_H
68 #include <openssl/conf.h>
71 #ifdef HAVE_OPENSSL_ENGINE_H
72 #include <openssl/engine.h>
75 /** fake DSA support for unit tests */
77 /** fake SHA1 support for unit tests */
80 /* return size of digest if supported, or 0 otherwise */
82 nsec3_hash_algo_size_supported(int id)
86 return SHA_DIGEST_LENGTH;
92 /* perform nsec3 hash. return false on failure */
94 secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
99 (void)SHA1(buf, len, res);
107 secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res)
109 (void)SHA256(buf, len, res);
113 * Return size of DS digest according to its hash algorithm.
114 * @param algo: DS digest algo.
115 * @return size in bytes of digest, or 0 if not supported.
118 ds_digest_size_supported(int algo)
122 #if defined(HAVE_EVP_SHA1) && defined(USE_SHA1)
123 return SHA_DIGEST_LENGTH;
125 if(fake_sha1) return 20;
128 #ifdef HAVE_EVP_SHA256
130 return SHA256_DIGEST_LENGTH;
134 /* we support GOST if it can be loaded */
135 (void)sldns_key_EVP_load_gost_id();
136 if(EVP_get_digestbyname("md_gost94"))
142 return SHA384_DIGEST_LENGTH;
150 /** Perform GOST hash */
152 do_gost94(unsigned char* data, size_t len, unsigned char* dest)
154 const EVP_MD* md = EVP_get_digestbyname("md_gost94");
157 return sldns_digest_evp(data, (unsigned int)len, dest, md);
162 secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
166 #if defined(HAVE_EVP_SHA1) && defined(USE_SHA1)
168 (void)SHA1(buf, len, res);
171 #ifdef HAVE_EVP_SHA256
173 (void)SHA256(buf, len, res);
178 if(do_gost94(buf, len, res))
184 (void)SHA384(buf, len, res);
188 verbose(VERB_QUERY, "unknown DS digest algorithm %d",
195 /** return true if DNSKEY algorithm id is supported */
197 dnskey_algo_id_is_supported(int id)
201 /* RFC 6725 deprecates RSAMD5 */
205 #if defined(USE_DSA) && defined(USE_SHA1)
208 if(fake_dsa || fake_sha1) return 1;
213 case LDNS_RSASHA1_NSEC3:
217 if(fake_sha1) return 1;
221 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
224 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
228 case LDNS_ECDSAP256SHA256:
229 case LDNS_ECDSAP384SHA384:
234 #if (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2)) || defined(USE_ECDSA)
240 /* we support GOST if it can be loaded */
241 return sldns_key_EVP_load_gost_id();
249 * Output a libcrypto openssl error to the logfile.
250 * @param str: string to add to it.
251 * @param e: the error to output, error number from ERR_get_error().
254 log_crypto_error(const char* str, unsigned long e)
257 /* or use ERR_error_string if ERR_error_string_n is not avail TODO */
258 ERR_error_string_n(e, buf, sizeof(buf));
259 /* buf now contains */
260 /* error:[error code]:[library name]:[function name]:[reason string] */
261 log_err("%s crypto %s", str, buf);
266 * Setup DSA key digest in DER encoding ...
267 * @param sig: input is signature output alloced ptr (unless failure).
268 * caller must free alloced ptr if this routine returns true.
269 * @param len: input is initial siglen, output is output len.
270 * @return false on failure.
273 setup_dsa_sig(unsigned char** sig, unsigned int* len)
275 unsigned char* orig = *sig;
276 unsigned int origlen = *len;
281 /* extract the R and S field from the sig buffer */
282 if(origlen < 1 + 2*SHA_DIGEST_LENGTH)
286 (void) BN_bin2bn(orig + 1, SHA_DIGEST_LENGTH, R);
289 (void) BN_bin2bn(orig + 21, SHA_DIGEST_LENGTH, S);
290 dsasig = DSA_SIG_new();
291 if(!dsasig) return 0;
293 #ifdef HAVE_DSA_SIG_SET0
294 if(!DSA_SIG_set0(dsasig, R, S)) return 0;
300 newlen = i2d_DSA_SIG(dsasig, sig);
302 DSA_SIG_free(dsasig);
306 *len = (unsigned int)newlen;
307 DSA_SIG_free(dsasig);
314 * Setup the ECDSA signature in its encoding that the library wants.
315 * Converts from plain numbers to ASN formatted.
316 * @param sig: input is signature, output alloced ptr (unless failure).
317 * caller must free alloced ptr if this routine returns true.
318 * @param len: input is initial siglen, output is output len.
319 * @return false on failure.
322 setup_ecdsa_sig(unsigned char** sig, unsigned int* len)
324 /* convert from two BIGNUMs in the rdata buffer, to ASN notation.
325 * ASN preable: 30440220 <R 32bytefor256> 0220 <S 32bytefor256>
326 * the '20' is the length of that field (=bnsize).
327 i * the '44' is the total remaining length.
328 * if negative, start with leading zero.
329 * if starts with 00s, remove them from the number.
331 uint8_t pre[] = {0x30, 0x44, 0x02, 0x20};
333 uint8_t mid[] = {0x02, 0x20};
335 int raw_sig_len, r_high, s_high, r_rem=0, s_rem=0;
336 int bnsize = (int)((*len)/2);
337 unsigned char* d = *sig;
339 /* if too short or not even length, fails */
340 if(*len < 16 || bnsize*2 != (int)*len)
343 /* strip leading zeroes from r (but not last one) */
344 while(r_rem < bnsize-1 && d[r_rem] == 0)
346 /* strip leading zeroes from s (but not last one) */
347 while(s_rem < bnsize-1 && d[bnsize+s_rem] == 0)
350 r_high = ((d[0+r_rem]&0x80)?1:0);
351 s_high = ((d[bnsize+s_rem]&0x80)?1:0);
352 raw_sig_len = pre_len + r_high + bnsize - r_rem + mid_len +
353 s_high + bnsize - s_rem;
354 *sig = (unsigned char*)malloc((size_t)raw_sig_len);
359 p[1] = (uint8_t)(raw_sig_len-2);
361 p[3] = (uint8_t)(bnsize + r_high - r_rem);
367 memmove(p, d+r_rem, (size_t)bnsize-r_rem);
369 memmove(p, mid, (size_t)mid_len-1);
371 *p = (uint8_t)(bnsize + s_high - s_rem);
377 memmove(p, d+bnsize+s_rem, (size_t)bnsize-s_rem);
378 *len = (unsigned int)raw_sig_len;
381 #endif /* USE_ECDSA */
383 #ifdef USE_ECDSA_EVP_WORKAROUND
384 static EVP_MD ecdsa_evp_256_md;
385 static EVP_MD ecdsa_evp_384_md;
386 void ecdsa_evp_workaround_init(void)
388 /* openssl before 1.0.0 fixes RSA with the SHA256
389 * hash in EVP. We create one for ecdsa_sha256 */
390 ecdsa_evp_256_md = *EVP_sha256();
391 ecdsa_evp_256_md.required_pkey_type[0] = EVP_PKEY_EC;
392 ecdsa_evp_256_md.verify = (void*)ECDSA_verify;
394 ecdsa_evp_384_md = *EVP_sha384();
395 ecdsa_evp_384_md.required_pkey_type[0] = EVP_PKEY_EC;
396 ecdsa_evp_384_md.verify = (void*)ECDSA_verify;
398 #endif /* USE_ECDSA_EVP_WORKAROUND */
401 * Setup key and digest for verification. Adjust sig if necessary.
403 * @param algo: key algorithm
404 * @param evp_key: EVP PKEY public key to create.
405 * @param digest_type: digest type to use
406 * @param key: key to setup for.
407 * @param keylen: length of key.
408 * @return false on failure.
411 setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type,
412 unsigned char* key, size_t keylen)
414 #if defined(USE_DSA) && defined(USE_SHA1)
420 #if defined(USE_DSA) && defined(USE_SHA1)
423 *evp_key = EVP_PKEY_new();
425 log_err("verify: malloc failure in crypto");
428 dsa = sldns_key_buf2dsa_raw(key, keylen);
430 verbose(VERB_QUERY, "verify: "
431 "sldns_key_buf2dsa_raw failed");
434 if(EVP_PKEY_assign_DSA(*evp_key, dsa) == 0) {
435 verbose(VERB_QUERY, "verify: "
436 "EVP_PKEY_assign_DSA failed");
440 *digest_type = EVP_dss1();
442 *digest_type = EVP_sha1();
446 #endif /* USE_DSA && USE_SHA1 */
448 #if defined(USE_SHA1) || (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2))
451 case LDNS_RSASHA1_NSEC3:
453 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
456 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
459 *evp_key = EVP_PKEY_new();
461 log_err("verify: malloc failure in crypto");
464 rsa = sldns_key_buf2rsa_raw(key, keylen);
466 verbose(VERB_QUERY, "verify: "
467 "sldns_key_buf2rsa_raw SHA failed");
470 if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) {
471 verbose(VERB_QUERY, "verify: "
472 "EVP_PKEY_assign_RSA SHA failed");
476 /* select SHA version */
477 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
478 if(algo == LDNS_RSASHA256)
479 *digest_type = EVP_sha256();
482 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
483 if(algo == LDNS_RSASHA512)
484 *digest_type = EVP_sha512();
488 *digest_type = EVP_sha1();
490 { verbose(VERB_QUERY, "no digest available"); return 0; }
493 #endif /* defined(USE_SHA1) || (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2)) */
496 *evp_key = EVP_PKEY_new();
498 log_err("verify: malloc failure in crypto");
501 rsa = sldns_key_buf2rsa_raw(key, keylen);
503 verbose(VERB_QUERY, "verify: "
504 "sldns_key_buf2rsa_raw MD5 failed");
507 if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) {
508 verbose(VERB_QUERY, "verify: "
509 "EVP_PKEY_assign_RSA MD5 failed");
512 *digest_type = EVP_md5();
517 *evp_key = sldns_gost2pkey_raw(key, keylen);
519 verbose(VERB_QUERY, "verify: "
520 "sldns_gost2pkey_raw failed");
523 *digest_type = EVP_get_digestbyname("md_gost94");
525 verbose(VERB_QUERY, "verify: "
526 "EVP_getdigest md_gost94 failed");
532 case LDNS_ECDSAP256SHA256:
533 *evp_key = sldns_ecdsa2pkey_raw(key, keylen,
534 LDNS_ECDSAP256SHA256);
536 verbose(VERB_QUERY, "verify: "
537 "sldns_ecdsa2pkey_raw failed");
540 #ifdef USE_ECDSA_EVP_WORKAROUND
541 *digest_type = &ecdsa_evp_256_md;
543 *digest_type = EVP_sha256();
546 case LDNS_ECDSAP384SHA384:
547 *evp_key = sldns_ecdsa2pkey_raw(key, keylen,
548 LDNS_ECDSAP384SHA384);
550 verbose(VERB_QUERY, "verify: "
551 "sldns_ecdsa2pkey_raw failed");
554 #ifdef USE_ECDSA_EVP_WORKAROUND
555 *digest_type = &ecdsa_evp_384_md;
557 *digest_type = EVP_sha384();
560 #endif /* USE_ECDSA */
563 *evp_key = sldns_ed255192pkey_raw(key, keylen);
565 verbose(VERB_QUERY, "verify: "
566 "sldns_ed255192pkey_raw failed");
571 #endif /* USE_ED25519 */
573 verbose(VERB_QUERY, "verify: unknown algorithm %d",
581 * Check a canonical sig+rrset and signature against a dnskey
582 * @param buf: buffer with data to verify, the first rrsig part and the
583 * canonicalized rrset.
584 * @param algo: DNSKEY algorithm.
585 * @param sigblock: signature rdata field from RRSIG
586 * @param sigblock_len: length of sigblock data.
587 * @param key: public key data from DNSKEY RR.
588 * @param keylen: length of keydata.
589 * @param reason: bogus reason in more detail.
590 * @return secure if verification succeeded, bogus on crypto failure,
591 * unchecked on format errors and alloc failures.
594 verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
595 unsigned int sigblock_len, unsigned char* key, unsigned int keylen,
598 const EVP_MD *digest_type;
600 int res, dofree = 0, docrypto_free = 0;
601 EVP_PKEY *evp_key = NULL;
604 if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) &&(fake_dsa||fake_sha1))
605 return sec_status_secure;
608 if(fake_sha1 && (algo == LDNS_DSA || algo == LDNS_DSA_NSEC3 || algo == LDNS_RSASHA1 || algo == LDNS_RSASHA1_NSEC3))
609 return sec_status_secure;
612 if(!setup_key_digest(algo, &evp_key, &digest_type, key, keylen)) {
613 verbose(VERB_QUERY, "verify: failed to setup key");
614 *reason = "use of key for crypto failed";
615 EVP_PKEY_free(evp_key);
616 return sec_status_bogus;
619 /* if it is a DSA signature in bind format, convert to DER format */
620 if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) &&
621 sigblock_len == 1+2*SHA_DIGEST_LENGTH) {
622 if(!setup_dsa_sig(&sigblock, &sigblock_len)) {
623 verbose(VERB_QUERY, "verify: failed to setup DSA sig");
624 *reason = "use of key for DSA crypto failed";
625 EVP_PKEY_free(evp_key);
626 return sec_status_bogus;
631 #if defined(USE_ECDSA) && defined(USE_DSA)
635 if(algo == LDNS_ECDSAP256SHA256 || algo == LDNS_ECDSAP384SHA384) {
636 /* EVP uses ASN prefix on sig, which is not in the wire data */
637 if(!setup_ecdsa_sig(&sigblock, &sigblock_len)) {
638 verbose(VERB_QUERY, "verify: failed to setup ECDSA sig");
639 *reason = "use of signature for ECDSA crypto failed";
640 EVP_PKEY_free(evp_key);
641 return sec_status_bogus;
645 #endif /* USE_ECDSA */
647 /* do the signature cryptography work */
648 #ifdef HAVE_EVP_MD_CTX_NEW
649 ctx = EVP_MD_CTX_new();
651 ctx = (EVP_MD_CTX*)malloc(sizeof(*ctx));
652 if(ctx) EVP_MD_CTX_init(ctx);
655 log_err("EVP_MD_CTX_new: malloc failure");
656 EVP_PKEY_free(evp_key);
657 if(dofree) free(sigblock);
658 else if(docrypto_free) OPENSSL_free(sigblock);
659 return sec_status_unchecked;
661 #ifndef HAVE_EVP_DIGESTVERIFY
662 if(EVP_DigestInit(ctx, digest_type) == 0) {
663 verbose(VERB_QUERY, "verify: EVP_DigestInit failed");
664 #ifdef HAVE_EVP_MD_CTX_NEW
665 EVP_MD_CTX_destroy(ctx);
667 EVP_MD_CTX_cleanup(ctx);
670 EVP_PKEY_free(evp_key);
671 if(dofree) free(sigblock);
672 else if(docrypto_free) OPENSSL_free(sigblock);
673 return sec_status_unchecked;
675 if(EVP_DigestUpdate(ctx, (unsigned char*)sldns_buffer_begin(buf),
676 (unsigned int)sldns_buffer_limit(buf)) == 0) {
677 verbose(VERB_QUERY, "verify: EVP_DigestUpdate failed");
678 #ifdef HAVE_EVP_MD_CTX_NEW
679 EVP_MD_CTX_destroy(ctx);
681 EVP_MD_CTX_cleanup(ctx);
684 EVP_PKEY_free(evp_key);
685 if(dofree) free(sigblock);
686 else if(docrypto_free) OPENSSL_free(sigblock);
687 return sec_status_unchecked;
690 res = EVP_VerifyFinal(ctx, sigblock, sigblock_len, evp_key);
691 #else /* HAVE_EVP_DIGESTVERIFY */
692 if(EVP_DigestVerifyInit(ctx, NULL, digest_type, NULL, evp_key) == 0) {
693 verbose(VERB_QUERY, "verify: EVP_DigestVerifyInit failed");
694 #ifdef HAVE_EVP_MD_CTX_NEW
695 EVP_MD_CTX_destroy(ctx);
697 EVP_MD_CTX_cleanup(ctx);
700 EVP_PKEY_free(evp_key);
701 if(dofree) free(sigblock);
702 else if(docrypto_free) OPENSSL_free(sigblock);
703 return sec_status_unchecked;
705 res = EVP_DigestVerify(ctx, sigblock, sigblock_len,
706 (unsigned char*)sldns_buffer_begin(buf),
707 sldns_buffer_limit(buf));
709 #ifdef HAVE_EVP_MD_CTX_NEW
710 EVP_MD_CTX_destroy(ctx);
712 EVP_MD_CTX_cleanup(ctx);
715 EVP_PKEY_free(evp_key);
717 if(dofree) free(sigblock);
718 else if(docrypto_free) OPENSSL_free(sigblock);
721 return sec_status_secure;
722 } else if(res == 0) {
723 verbose(VERB_QUERY, "verify: signature mismatch");
724 *reason = "signature crypto failed";
725 return sec_status_bogus;
728 log_crypto_error("verify:", ERR_get_error());
729 return sec_status_unchecked;
732 /**************************************************/
733 #elif defined(HAVE_NSS)
734 /* libnss implementation */
740 #include "cryptohi.h"
744 /* return size of digest if supported, or 0 otherwise */
746 nsec3_hash_algo_size_supported(int id)
749 case NSEC3_HASH_SHA1:
756 /* perform nsec3 hash. return false on failure */
758 secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
762 case NSEC3_HASH_SHA1:
763 (void)HASH_HashBuf(HASH_AlgSHA1, res, buf, (unsigned long)len);
771 secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res)
773 (void)HASH_HashBuf(HASH_AlgSHA256, res, buf, (unsigned long)len);
777 ds_digest_size_supported(int algo)
787 return SHA256_LENGTH;
791 return SHA384_LENGTH;
793 /* GOST not supported in NSS */
801 secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
808 return HASH_HashBuf(HASH_AlgSHA1, res, buf, len)
811 #if defined(USE_SHA2)
813 return HASH_HashBuf(HASH_AlgSHA256, res, buf, len)
818 return HASH_HashBuf(HASH_AlgSHA384, res, buf, len)
823 verbose(VERB_QUERY, "unknown DS digest algorithm %d",
831 dnskey_algo_id_is_supported(int id)
836 /* RFC 6725 deprecates RSAMD5 */
838 #if defined(USE_SHA1) || defined(USE_SHA2)
839 #if defined(USE_DSA) && defined(USE_SHA1)
845 case LDNS_RSASHA1_NSEC3:
854 #endif /* SHA1 or SHA2 */
857 case LDNS_ECDSAP256SHA256:
858 case LDNS_ECDSAP384SHA384:
859 return PK11_TokenExists(CKM_ECDSA);
867 /* return a new public key for NSS */
868 static SECKEYPublicKey* nss_key_create(KeyType ktype)
870 SECKEYPublicKey* key;
871 PLArenaPool* arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
873 log_err("out of memory, PORT_NewArena failed");
876 key = PORT_ArenaZNew(arena, SECKEYPublicKey);
878 log_err("out of memory, PORT_ArenaZNew failed");
879 PORT_FreeArena(arena, PR_FALSE);
883 key->keyType = ktype;
884 key->pkcs11Slot = NULL;
885 key->pkcs11ID = CK_INVALID_HANDLE;
889 static SECKEYPublicKey* nss_buf2ecdsa(unsigned char* key, size_t len, int algo)
892 SECItem pub = {siBuffer, NULL, 0};
893 SECItem params = {siBuffer, NULL, 0};
894 static unsigned char param256[] = {
895 /* OBJECTIDENTIFIER 1.2.840.10045.3.1.7 (P-256)
896 * {iso(1) member-body(2) us(840) ansi-x962(10045) curves(3) prime(1) prime256v1(7)} */
897 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07
899 static unsigned char param384[] = {
900 /* OBJECTIDENTIFIER 1.3.132.0.34 (P-384)
901 * {iso(1) identified-organization(3) certicom(132) curve(0) ansip384r1(34)} */
902 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22
904 unsigned char buf[256+2]; /* sufficient for 2*384/8+1 */
906 /* check length, which uncompressed must be 2 bignums */
907 if(algo == LDNS_ECDSAP256SHA256) {
908 if(len != 2*256/8) return NULL;
909 /* ECCurve_X9_62_PRIME_256V1 */
910 } else if(algo == LDNS_ECDSAP384SHA384) {
911 if(len != 2*384/8) return NULL;
912 /* ECCurve_X9_62_PRIME_384R1 */
915 buf[0] = 0x04; /* POINT_FORM_UNCOMPRESSED */
916 memmove(buf+1, key, len);
919 if(algo == LDNS_ECDSAP256SHA256) {
920 params.data = param256;
921 params.len = sizeof(param256);
923 params.data = param384;
924 params.len = sizeof(param384);
927 pk = nss_key_create(ecKey);
930 pk->u.ec.size = (len/2)*8;
931 if(SECITEM_CopyItem(pk->arena, &pk->u.ec.publicValue, &pub)) {
932 SECKEY_DestroyPublicKey(pk);
935 if(SECITEM_CopyItem(pk->arena, &pk->u.ec.DEREncodedParams, ¶ms)) {
936 SECKEY_DestroyPublicKey(pk);
943 static SECKEYPublicKey* nss_buf2dsa(unsigned char* key, size_t len)
949 SECItem Q = {siBuffer, NULL, 0};
950 SECItem P = {siBuffer, NULL, 0};
951 SECItem G = {siBuffer, NULL, 0};
952 SECItem Y = {siBuffer, NULL, 0};
957 length = (64 + T * 8);
963 if(len < (size_t)1 + SHA1_LENGTH + 3*length)
968 offset += SHA1_LENGTH;
982 pk = nss_key_create(dsaKey);
985 if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.prime, &P)) {
986 SECKEY_DestroyPublicKey(pk);
989 if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.subPrime, &Q)) {
990 SECKEY_DestroyPublicKey(pk);
993 if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.base, &G)) {
994 SECKEY_DestroyPublicKey(pk);
997 if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.publicValue, &Y)) {
998 SECKEY_DestroyPublicKey(pk);
1004 static SECKEYPublicKey* nss_buf2rsa(unsigned char* key, size_t len)
1006 SECKEYPublicKey* pk;
1010 SECItem modulus = {siBuffer, NULL, 0};
1011 SECItem exponent = {siBuffer, NULL, 0};
1017 /* the exponent is too large so it's places further */
1018 memmove(&int16, key+1, 2);
1026 /* key length at least one */
1027 if(len < (size_t)offset + exp + 1)
1030 exponent.data = key+offset;
1033 modulus.data = key+offset;
1034 modulus.len = (len - offset);
1036 pk = nss_key_create(rsaKey);
1039 if(SECITEM_CopyItem(pk->arena, &pk->u.rsa.modulus, &modulus)) {
1040 SECKEY_DestroyPublicKey(pk);
1043 if(SECITEM_CopyItem(pk->arena, &pk->u.rsa.publicExponent, &exponent)) {
1044 SECKEY_DestroyPublicKey(pk);
1051 * Setup key and digest for verification. Adjust sig if necessary.
1053 * @param algo: key algorithm
1054 * @param evp_key: EVP PKEY public key to create.
1055 * @param digest_type: digest type to use
1056 * @param key: key to setup for.
1057 * @param keylen: length of key.
1058 * @param prefix: if returned, the ASN prefix for the hashblob.
1059 * @param prefixlen: length of the prefix.
1060 * @return false on failure.
1063 nss_setup_key_digest(int algo, SECKEYPublicKey** pubkey, HASH_HashType* htype,
1064 unsigned char* key, size_t keylen, unsigned char** prefix,
1069 /* hash prefix for md5, RFC2537 */
1070 static unsigned char p_md5[] = {0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a,
1071 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 0x04, 0x10};
1072 /* hash prefix to prepend to hash output, from RFC3110 */
1073 static unsigned char p_sha1[] = {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B,
1074 0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14};
1076 static unsigned char p_sha256[] = {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60,
1077 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20};
1078 static unsigned char p_sha512[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60,
1079 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40};
1081 /* for future RSASHA384 ..
1082 static unsigned char p_sha384[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60,
1083 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30};
1088 #if defined(USE_SHA1) || defined(USE_SHA2)
1089 #if defined(USE_DSA) && defined(USE_SHA1)
1091 case LDNS_DSA_NSEC3:
1092 *pubkey = nss_buf2dsa(key, keylen);
1094 log_err("verify: malloc failure in crypto");
1097 *htype = HASH_AlgSHA1;
1098 /* no prefix for DSA verification */
1103 case LDNS_RSASHA1_NSEC3:
1106 case LDNS_RSASHA256:
1109 case LDNS_RSASHA512:
1111 *pubkey = nss_buf2rsa(key, keylen);
1113 log_err("verify: malloc failure in crypto");
1116 /* select SHA version */
1118 if(algo == LDNS_RSASHA256) {
1119 *htype = HASH_AlgSHA256;
1121 *prefixlen = sizeof(p_sha256);
1125 if(algo == LDNS_RSASHA512) {
1126 *htype = HASH_AlgSHA512;
1128 *prefixlen = sizeof(p_sha512);
1133 *htype = HASH_AlgSHA1;
1135 *prefixlen = sizeof(p_sha1);
1139 verbose(VERB_QUERY, "verify: no digest algo");
1145 #endif /* SHA1 or SHA2 */
1148 *pubkey = nss_buf2rsa(key, keylen);
1150 log_err("verify: malloc failure in crypto");
1153 *htype = HASH_AlgMD5;
1155 *prefixlen = sizeof(p_md5);
1159 case LDNS_ECDSAP256SHA256:
1160 *pubkey = nss_buf2ecdsa(key, keylen,
1161 LDNS_ECDSAP256SHA256);
1163 log_err("verify: malloc failure in crypto");
1166 *htype = HASH_AlgSHA256;
1167 /* no prefix for DSA verification */
1169 case LDNS_ECDSAP384SHA384:
1170 *pubkey = nss_buf2ecdsa(key, keylen,
1171 LDNS_ECDSAP384SHA384);
1173 log_err("verify: malloc failure in crypto");
1176 *htype = HASH_AlgSHA384;
1177 /* no prefix for DSA verification */
1179 #endif /* USE_ECDSA */
1182 verbose(VERB_QUERY, "verify: unknown algorithm %d",
1190 * Check a canonical sig+rrset and signature against a dnskey
1191 * @param buf: buffer with data to verify, the first rrsig part and the
1192 * canonicalized rrset.
1193 * @param algo: DNSKEY algorithm.
1194 * @param sigblock: signature rdata field from RRSIG
1195 * @param sigblock_len: length of sigblock data.
1196 * @param key: public key data from DNSKEY RR.
1197 * @param keylen: length of keydata.
1198 * @param reason: bogus reason in more detail.
1199 * @return secure if verification succeeded, bogus on crypto failure,
1200 * unchecked on format errors and alloc failures.
1203 verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
1204 unsigned int sigblock_len, unsigned char* key, unsigned int keylen,
1208 /* large enough for the different hashes */
1209 unsigned char hash[HASH_LENGTH_MAX];
1210 unsigned char hash2[HASH_LENGTH_MAX*2];
1211 HASH_HashType htype = 0;
1212 SECKEYPublicKey* pubkey = NULL;
1213 SECItem secsig = {siBuffer, sigblock, sigblock_len};
1214 SECItem sechash = {siBuffer, hash, 0};
1216 unsigned char* prefix = NULL; /* prefix for hash, RFC3110, RFC5702 */
1217 size_t prefixlen = 0;
1220 if(!nss_setup_key_digest(algo, &pubkey, &htype, key, keylen,
1221 &prefix, &prefixlen)) {
1222 verbose(VERB_QUERY, "verify: failed to setup key");
1223 *reason = "use of key for crypto failed";
1224 SECKEY_DestroyPublicKey(pubkey);
1225 return sec_status_bogus;
1228 #if defined(USE_DSA) && defined(USE_SHA1)
1229 /* need to convert DSA, ECDSA signatures? */
1230 if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3)) {
1231 if(sigblock_len == 1+2*SHA1_LENGTH) {
1235 SECItem* p = DSAU_DecodeDerSig(&secsig);
1237 verbose(VERB_QUERY, "verify: failed DER decode");
1238 *reason = "signature DER decode failed";
1239 SECKEY_DestroyPublicKey(pubkey);
1240 return sec_status_bogus;
1242 if(SECITEM_CopyItem(pubkey->arena, &secsig, p)) {
1243 log_err("alloc failure in DER decode");
1244 SECKEY_DestroyPublicKey(pubkey);
1245 SECITEM_FreeItem(p, PR_TRUE);
1246 return sec_status_unchecked;
1248 SECITEM_FreeItem(p, PR_TRUE);
1251 #endif /* USE_DSA */
1253 /* do the signature cryptography work */
1255 sechash.len = HASH_ResultLen(htype);
1256 if(sechash.len > sizeof(hash)) {
1257 verbose(VERB_QUERY, "verify: hash too large for buffer");
1258 SECKEY_DestroyPublicKey(pubkey);
1259 return sec_status_unchecked;
1261 if(HASH_HashBuf(htype, hash, (unsigned char*)sldns_buffer_begin(buf),
1262 (unsigned int)sldns_buffer_limit(buf)) != SECSuccess) {
1263 verbose(VERB_QUERY, "verify: HASH_HashBuf failed");
1264 SECKEY_DestroyPublicKey(pubkey);
1265 return sec_status_unchecked;
1268 int hashlen = sechash.len;
1269 if(prefixlen+hashlen > sizeof(hash2)) {
1270 verbose(VERB_QUERY, "verify: hashprefix too large");
1271 SECKEY_DestroyPublicKey(pubkey);
1272 return sec_status_unchecked;
1274 sechash.data = hash2;
1275 sechash.len = prefixlen+hashlen;
1276 memcpy(sechash.data, prefix, prefixlen);
1277 memmove(sechash.data+prefixlen, hash, hashlen);
1280 /* verify the signature */
1281 res = PK11_Verify(pubkey, &secsig, &sechash, NULL /*wincx*/);
1282 SECKEY_DestroyPublicKey(pubkey);
1284 if(res == SECSuccess) {
1285 return sec_status_secure;
1287 err = PORT_GetError();
1288 if(err != SEC_ERROR_BAD_SIGNATURE) {
1289 /* failed to verify */
1290 verbose(VERB_QUERY, "verify: PK11_Verify failed: %s",
1291 PORT_ErrorToString(err));
1292 /* if it is not supported, like ECC is removed, we get,
1293 * SEC_ERROR_NO_MODULE */
1294 if(err == SEC_ERROR_NO_MODULE)
1295 return sec_status_unchecked;
1296 /* but other errors are commonly returned
1297 * for a bad signature from NSS. Thus we return bogus,
1299 *reason = "signature crypto failed";
1300 return sec_status_bogus;
1302 verbose(VERB_QUERY, "verify: signature mismatch: %s",
1303 PORT_ErrorToString(err));
1304 *reason = "signature crypto failed";
1305 return sec_status_bogus;
1308 #elif defined(HAVE_NETTLE)
1315 #ifdef HAVE_NETTLE_DSA_COMPAT_H
1316 #include "dsa-compat.h"
1321 #include "ecc-curve.h"
1325 _digest_nettle(int algo, uint8_t* buf, size_t len,
1329 case SHA1_DIGEST_SIZE:
1331 struct sha1_ctx ctx;
1333 sha1_update(&ctx, len, buf);
1334 sha1_digest(&ctx, SHA1_DIGEST_SIZE, res);
1337 case SHA256_DIGEST_SIZE:
1339 struct sha256_ctx ctx;
1341 sha256_update(&ctx, len, buf);
1342 sha256_digest(&ctx, SHA256_DIGEST_SIZE, res);
1345 case SHA384_DIGEST_SIZE:
1347 struct sha384_ctx ctx;
1349 sha384_update(&ctx, len, buf);
1350 sha384_digest(&ctx, SHA384_DIGEST_SIZE, res);
1353 case SHA512_DIGEST_SIZE:
1355 struct sha512_ctx ctx;
1357 sha512_update(&ctx, len, buf);
1358 sha512_digest(&ctx, SHA512_DIGEST_SIZE, res);
1367 /* return size of digest if supported, or 0 otherwise */
1369 nsec3_hash_algo_size_supported(int id)
1372 case NSEC3_HASH_SHA1:
1373 return SHA1_DIGEST_SIZE;
1379 /* perform nsec3 hash. return false on failure */
1381 secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
1385 case NSEC3_HASH_SHA1:
1386 return _digest_nettle(SHA1_DIGEST_SIZE, (uint8_t*)buf, len,
1394 secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res)
1396 _digest_nettle(SHA256_DIGEST_SIZE, (uint8_t*)buf, len, res);
1400 * Return size of DS digest according to its hash algorithm.
1401 * @param algo: DS digest algo.
1402 * @return size in bytes of digest, or 0 if not supported.
1405 ds_digest_size_supported(int algo)
1410 return SHA1_DIGEST_SIZE;
1412 if(fake_sha1) return 20;
1417 return SHA256_DIGEST_SIZE;
1421 return SHA384_DIGEST_SIZE;
1423 /* GOST not supported */
1424 case LDNS_HASH_GOST:
1432 secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
1438 return _digest_nettle(SHA1_DIGEST_SIZE, buf, len, res);
1440 #if defined(USE_SHA2)
1442 return _digest_nettle(SHA256_DIGEST_SIZE, buf, len, res);
1446 return _digest_nettle(SHA384_DIGEST_SIZE, buf, len, res);
1449 case LDNS_HASH_GOST:
1451 verbose(VERB_QUERY, "unknown DS digest algorithm %d",
1459 dnskey_algo_id_is_supported(int id)
1461 /* uses libnettle */
1463 #if defined(USE_DSA) && defined(USE_SHA1)
1465 case LDNS_DSA_NSEC3:
1469 case LDNS_RSASHA1_NSEC3:
1472 case LDNS_RSASHA256:
1473 case LDNS_RSASHA512:
1476 case LDNS_ECDSAP256SHA256:
1477 case LDNS_ECDSAP384SHA384:
1480 case LDNS_RSAMD5: /* RFC 6725 deprecates RSAMD5 */
1487 #if defined(USE_DSA) && defined(USE_SHA1)
1489 _verify_nettle_dsa(sldns_buffer* buf, unsigned char* sigblock,
1490 unsigned int sigblock_len, unsigned char* key, unsigned int keylen)
1492 uint8_t digest[SHA1_DIGEST_SIZE];
1493 uint8_t key_t_value;
1496 struct dsa_public_key pubkey;
1497 struct dsa_signature signature;
1498 unsigned int expected_len;
1500 /* Extract DSA signature from the record */
1501 nettle_dsa_signature_init(&signature);
1502 /* Signature length: 41 bytes - RFC 2536 sec. 3 */
1503 if(sigblock_len == 41) {
1504 if(key[0] != sigblock[0])
1505 return "invalid T value in DSA signature or pubkey";
1506 nettle_mpz_set_str_256_u(signature.r, 20, sigblock+1);
1507 nettle_mpz_set_str_256_u(signature.s, 20, sigblock+1+20);
1509 /* DER encoded, decode the ASN1 notated R and S bignums */
1510 /* SEQUENCE { r INTEGER, s INTEGER } */
1511 struct asn1_der_iterator i, seq;
1512 if(asn1_der_iterator_first(&i, sigblock_len,
1513 (uint8_t*)sigblock) != ASN1_ITERATOR_CONSTRUCTED
1514 || i.type != ASN1_SEQUENCE)
1515 return "malformed DER encoded DSA signature";
1516 /* decode this element of i using the seq iterator */
1517 if(asn1_der_decode_constructed(&i, &seq) !=
1518 ASN1_ITERATOR_PRIMITIVE || seq.type != ASN1_INTEGER)
1519 return "malformed DER encoded DSA signature";
1520 if(!asn1_der_get_bignum(&seq, signature.r, 20*8))
1521 return "malformed DER encoded DSA signature";
1522 if(asn1_der_iterator_next(&seq) != ASN1_ITERATOR_PRIMITIVE
1523 || seq.type != ASN1_INTEGER)
1524 return "malformed DER encoded DSA signature";
1525 if(!asn1_der_get_bignum(&seq, signature.s, 20*8))
1526 return "malformed DER encoded DSA signature";
1527 if(asn1_der_iterator_next(&i) != ASN1_ITERATOR_END)
1528 return "malformed DER encoded DSA signature";
1531 /* Validate T values constraints - RFC 2536 sec. 2 & sec. 3 */
1532 key_t_value = key[0];
1533 if (key_t_value > 8) {
1534 return "invalid T value in DSA pubkey";
1537 /* Pubkey minimum length: 21 bytes - RFC 2536 sec. 2 */
1539 return "DSA pubkey too short";
1542 expected_len = 1 + /* T */
1544 (64 + key_t_value*8) + /* P */
1545 (64 + key_t_value*8) + /* G */
1546 (64 + key_t_value*8); /* Y */
1547 if (keylen != expected_len ) {
1548 return "invalid DSA pubkey length";
1551 /* Extract DSA pubkey from the record */
1552 nettle_dsa_public_key_init(&pubkey);
1554 nettle_mpz_set_str_256_u(pubkey.q, 20, key+offset);
1556 nettle_mpz_set_str_256_u(pubkey.p, (64 + key_t_value*8), key+offset);
1557 offset += (64 + key_t_value*8);
1558 nettle_mpz_set_str_256_u(pubkey.g, (64 + key_t_value*8), key+offset);
1559 offset += (64 + key_t_value*8);
1560 nettle_mpz_set_str_256_u(pubkey.y, (64 + key_t_value*8), key+offset);
1562 /* Digest content of "buf" and verify its DSA signature in "sigblock"*/
1563 res = _digest_nettle(SHA1_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1564 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1565 res &= dsa_sha1_verify_digest(&pubkey, digest, &signature);
1567 /* Clear and return */
1568 nettle_dsa_signature_clear(&signature);
1569 nettle_dsa_public_key_clear(&pubkey);
1571 return "DSA signature verification failed";
1575 #endif /* USE_DSA */
1578 _verify_nettle_rsa(sldns_buffer* buf, unsigned int digest_size, char* sigblock,
1579 unsigned int sigblock_len, uint8_t* key, unsigned int keylen)
1581 uint16_t exp_len = 0;
1582 size_t exp_offset = 0, mod_offset = 0;
1583 struct rsa_public_key pubkey;
1587 /* RSA pubkey parsing as per RFC 3110 sec. 2 */
1589 return "null RSA key";
1596 /* 1-byte NUL + 2-bytes exponent length */
1598 return "incorrect RSA key length";
1600 exp_len = READ_UINT16(key+1);
1602 return "null RSA exponent length";
1605 /* Check that we are not over-running input length */
1606 if (keylen < exp_offset + exp_len + 1) {
1607 return "RSA key content shorter than expected";
1609 mod_offset = exp_offset + exp_len;
1610 nettle_rsa_public_key_init(&pubkey);
1611 pubkey.size = keylen - mod_offset;
1612 nettle_mpz_set_str_256_u(pubkey.e, exp_len, &key[exp_offset]);
1613 nettle_mpz_set_str_256_u(pubkey.n, pubkey.size, &key[mod_offset]);
1615 /* Digest content of "buf" and verify its RSA signature in "sigblock"*/
1616 nettle_mpz_init_set_str_256_u(signature, sigblock_len, (uint8_t*)sigblock);
1617 switch (digest_size) {
1618 case SHA1_DIGEST_SIZE:
1620 uint8_t digest[SHA1_DIGEST_SIZE];
1621 res = _digest_nettle(SHA1_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1622 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1623 res &= rsa_sha1_verify_digest(&pubkey, digest, signature);
1626 case SHA256_DIGEST_SIZE:
1628 uint8_t digest[SHA256_DIGEST_SIZE];
1629 res = _digest_nettle(SHA256_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1630 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1631 res &= rsa_sha256_verify_digest(&pubkey, digest, signature);
1634 case SHA512_DIGEST_SIZE:
1636 uint8_t digest[SHA512_DIGEST_SIZE];
1637 res = _digest_nettle(SHA512_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1638 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1639 res &= rsa_sha512_verify_digest(&pubkey, digest, signature);
1646 /* Clear and return */
1647 nettle_rsa_public_key_clear(&pubkey);
1648 mpz_clear(signature);
1650 return "RSA signature verification failed";
1658 _verify_nettle_ecdsa(sldns_buffer* buf, unsigned int digest_size, unsigned char* sigblock,
1659 unsigned int sigblock_len, unsigned char* key, unsigned int keylen)
1662 struct ecc_point pubkey;
1663 struct dsa_signature signature;
1665 /* Always matched strength, as per RFC 6605 sec. 1 */
1666 if (sigblock_len != 2*digest_size || keylen != 2*digest_size) {
1667 return "wrong ECDSA signature length";
1670 /* Parse ECDSA signature as per RFC 6605 sec. 4 */
1671 nettle_dsa_signature_init(&signature);
1672 switch (digest_size) {
1673 case SHA256_DIGEST_SIZE:
1675 uint8_t digest[SHA256_DIGEST_SIZE];
1677 nettle_ecc_point_init(&pubkey, &nettle_secp_256r1);
1678 nettle_mpz_init_set_str_256_u(x, SHA256_DIGEST_SIZE, key);
1679 nettle_mpz_init_set_str_256_u(y, SHA256_DIGEST_SIZE, key+SHA256_DIGEST_SIZE);
1680 nettle_mpz_set_str_256_u(signature.r, SHA256_DIGEST_SIZE, sigblock);
1681 nettle_mpz_set_str_256_u(signature.s, SHA256_DIGEST_SIZE, sigblock+SHA256_DIGEST_SIZE);
1682 res = _digest_nettle(SHA256_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1683 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1684 res &= nettle_ecc_point_set(&pubkey, x, y);
1685 res &= nettle_ecdsa_verify (&pubkey, SHA256_DIGEST_SIZE, digest, &signature);
1690 case SHA384_DIGEST_SIZE:
1692 uint8_t digest[SHA384_DIGEST_SIZE];
1694 nettle_ecc_point_init(&pubkey, &nettle_secp_384r1);
1695 nettle_mpz_init_set_str_256_u(x, SHA384_DIGEST_SIZE, key);
1696 nettle_mpz_init_set_str_256_u(y, SHA384_DIGEST_SIZE, key+SHA384_DIGEST_SIZE);
1697 nettle_mpz_set_str_256_u(signature.r, SHA384_DIGEST_SIZE, sigblock);
1698 nettle_mpz_set_str_256_u(signature.s, SHA384_DIGEST_SIZE, sigblock+SHA384_DIGEST_SIZE);
1699 res = _digest_nettle(SHA384_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1700 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1701 res &= nettle_ecc_point_set(&pubkey, x, y);
1702 res &= nettle_ecdsa_verify (&pubkey, SHA384_DIGEST_SIZE, digest, &signature);
1705 nettle_ecc_point_clear(&pubkey);
1709 return "unknown ECDSA algorithm";
1712 /* Clear and return */
1713 nettle_dsa_signature_clear(&signature);
1715 return "ECDSA signature verification failed";
1722 * Check a canonical sig+rrset and signature against a dnskey
1723 * @param buf: buffer with data to verify, the first rrsig part and the
1724 * canonicalized rrset.
1725 * @param algo: DNSKEY algorithm.
1726 * @param sigblock: signature rdata field from RRSIG
1727 * @param sigblock_len: length of sigblock data.
1728 * @param key: public key data from DNSKEY RR.
1729 * @param keylen: length of keydata.
1730 * @param reason: bogus reason in more detail.
1731 * @return secure if verification succeeded, bogus on crypto failure,
1732 * unchecked on format errors and alloc failures.
1735 verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
1736 unsigned int sigblock_len, unsigned char* key, unsigned int keylen,
1739 unsigned int digest_size = 0;
1741 if (sigblock_len == 0 || keylen == 0) {
1742 *reason = "null signature";
1743 return sec_status_bogus;
1747 #if defined(USE_DSA) && defined(USE_SHA1)
1749 case LDNS_DSA_NSEC3:
1750 *reason = _verify_nettle_dsa(buf, sigblock, sigblock_len, key, keylen);
1751 if (*reason != NULL)
1752 return sec_status_bogus;
1754 return sec_status_secure;
1755 #endif /* USE_DSA */
1759 case LDNS_RSASHA1_NSEC3:
1760 digest_size = (digest_size ? digest_size : SHA1_DIGEST_SIZE);
1763 case LDNS_RSASHA256:
1764 digest_size = (digest_size ? digest_size : SHA256_DIGEST_SIZE);
1765 case LDNS_RSASHA512:
1766 digest_size = (digest_size ? digest_size : SHA512_DIGEST_SIZE);
1769 *reason = _verify_nettle_rsa(buf, digest_size, (char*)sigblock,
1770 sigblock_len, key, keylen);
1771 if (*reason != NULL)
1772 return sec_status_bogus;
1774 return sec_status_secure;
1777 case LDNS_ECDSAP256SHA256:
1778 digest_size = (digest_size ? digest_size : SHA256_DIGEST_SIZE);
1779 case LDNS_ECDSAP384SHA384:
1780 digest_size = (digest_size ? digest_size : SHA384_DIGEST_SIZE);
1781 *reason = _verify_nettle_ecdsa(buf, digest_size, sigblock,
1782 sigblock_len, key, keylen);
1783 if (*reason != NULL)
1784 return sec_status_bogus;
1786 return sec_status_secure;
1791 *reason = "unable to verify signature, unknown algorithm";
1792 return sec_status_bogus;
1796 #endif /* HAVE_SSL or HAVE_NSS or HAVE_NETTLE */