validator/val_secalgo.c

   1 /*
   2  * validator/val_secalgo.c - validator security algorithm functions.
   3  *
   4  * Copyright (c) 2012, NLnet Labs. All rights reserved.
   5  *
   6  * This software is open source.
   7  *
   8  * Redistribution and use in source and binary forms, with or without
   9  * modification, are permitted provided that the following conditions
  10  * are met:
  11  *
  12  * Redistributions of source code must retain the above copyright notice,
  13  * this list of conditions and the following disclaimer.
  14  *
  15  * Redistributions in binary form must reproduce the above copyright notice,
  16  * this list of conditions and the following disclaimer in the documentation
  17  * and/or other materials provided with the distribution.
  18  *
  19  * Neither the name of the NLNET LABS nor the names of its contributors may
  20  * be used to endorse or promote products derived from this software without
  21  * specific prior written permission.
  22  *
  23  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
  24  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
  25  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
  26  * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
  27  * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  28  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
  29  * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
  30  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
  31  * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
  32  * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
  33  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  34  */
  35
  36 /**
  37  * \file
  38  *
  39  * This file contains helper functions for the validator module.
  40  * These functions take raw data buffers, formatted for crypto verification,
  41  * and do the library calls (for the crypto library in use).
  42  */
  43 #include "config.h"
  44 /* packed_rrset on top to define enum types (forced by c99 standard) */
  45 #include "util/data/packed_rrset.h"
  46 #include "validator/val_secalgo.h"
  47 #include "validator/val_nsec3.h"
  48 #include "util/log.h"
  49 #include "sldns/rrdef.h"
  50 #include "sldns/keyraw.h"
  51 #include "sldns/sbuffer.h"
  52
  53 #if !defined(HAVE_SSL) && !defined(HAVE_NSS) && !defined(HAVE_NETTLE)
  54 #error "Need crypto library to do digital signature cryptography"
  55 #endif
  56
  57 /* OpenSSL implementation */
  58 #ifdef HAVE_SSL
  59 #ifdef HAVE_OPENSSL_ERR_H
  60 #include <openssl/err.h>
  61 #endif
  62
  63 #ifdef HAVE_OPENSSL_RAND_H
  64 #include <openssl/rand.h>
  65 #endif
  66
  67 #ifdef HAVE_OPENSSL_CONF_H
  68 #include <openssl/conf.h>
  69 #endif
  70
  71 #ifdef HAVE_OPENSSL_ENGINE_H
  72 #include <openssl/engine.h>
  73 #endif
  74
  75 /** fake DSA support for unit tests */
  76 int fake_dsa = 0;
  77 /** fake SHA1 support for unit tests */
  78 int fake_sha1 = 0;
  79
  80 /* return size of digest if supported, or 0 otherwise */
  81 size_t
  82 nsec3_hash_algo_size_supported(int id)
  83 {
  84         switch(id) {
  85         case NSEC3_HASH_SHA1:
  86                 return SHA_DIGEST_LENGTH;
  87         default:
  88                 return 0;
  89         }
  90 }
  91
  92 /* perform nsec3 hash. return false on failure */
  93 int
  94 secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
  95         unsigned char* res)
  96 {
  97         switch(algo) {
  98         case NSEC3_HASH_SHA1:
  99                 (void)SHA1(buf, len, res);
 100                 return 1;
 101         default:
 102                 return 0;
 103         }
 104 }
 105
 106 void
 107 secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res)
 108 {
 109         (void)SHA256(buf, len, res);
 110 }
 111
 112 /**
 113  * Return size of DS digest according to its hash algorithm.
 114  * @param algo: DS digest algo.
 115  * @return size in bytes of digest, or 0 if not supported.
 116  */
 117 size_t
 118 ds_digest_size_supported(int algo)
 119 {
 120         switch(algo) {
 121                 case LDNS_SHA1:
 122 #if defined(HAVE_EVP_SHA1) && defined(USE_SHA1)
 123                         return SHA_DIGEST_LENGTH;
 124 #else
 125                         if(fake_sha1) return 20;
 126                         return 0;
 127 #endif
 128 #ifdef HAVE_EVP_SHA256
 129                 case LDNS_SHA256:
 130                         return SHA256_DIGEST_LENGTH;
 131 #endif
 132 #ifdef USE_GOST
 133                 case LDNS_HASH_GOST:
 134                         /* we support GOST if it can be loaded */
 135                         (void)sldns_key_EVP_load_gost_id();
 136                         if(EVP_get_digestbyname("md_gost94"))
 137                                 return 32;
 138                         else    return 0;
 139 #endif
 140 #ifdef USE_ECDSA
 141                 case LDNS_SHA384:
 142                         return SHA384_DIGEST_LENGTH;
 143 #endif
 144                 default: break;
 145         }
 146         return 0;
 147 }
 148
 149 #ifdef USE_GOST
 150 /** Perform GOST hash */
 151 static int
 152 do_gost94(unsigned char* data, size_t len, unsigned char* dest)
 153 {
 154         const EVP_MD* md = EVP_get_digestbyname("md_gost94");
 155         if(!md)
 156                 return 0;
 157         return sldns_digest_evp(data, (unsigned int)len, dest, md);
 158 }
 159 #endif
 160
 161 int
 162 secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
 163         unsigned char* res)
 164 {
 165         switch(algo) {
 166 #if defined(HAVE_EVP_SHA1) && defined(USE_SHA1)
 167                 case LDNS_SHA1:
 168                         (void)SHA1(buf, len, res);
 169                         return 1;
 170 #endif
 171 #ifdef HAVE_EVP_SHA256
 172                 case LDNS_SHA256:
 173                         (void)SHA256(buf, len, res);
 174                         return 1;
 175 #endif
 176 #ifdef USE_GOST
 177                 case LDNS_HASH_GOST:
 178                         if(do_gost94(buf, len, res))
 179                                 return 1;
 180                         break;
 181 #endif
 182 #ifdef USE_ECDSA
 183                 case LDNS_SHA384:
 184                         (void)SHA384(buf, len, res);
 185                         return 1;
 186 #endif
 187                 default:
 188                         verbose(VERB_QUERY, "unknown DS digest algorithm %d",
 189                                 algo);
 190                         break;
 191         }
 192         return 0;
 193 }
 194
 195 /** return true if DNSKEY algorithm id is supported */
 196 int
 197 dnskey_algo_id_is_supported(int id)
 198 {
 199         switch(id) {
 200         case LDNS_RSAMD5:
 201                 /* RFC 6725 deprecates RSAMD5 */
 202                 return 0;
 203         case LDNS_DSA:
 204         case LDNS_DSA_NSEC3:
 205 #if defined(USE_DSA) && defined(USE_SHA1)
 206                 return 1;
 207 #else
 208                 if(fake_dsa || fake_sha1) return 1;
 209                 return 0;
 210 #endif
 211
 212         case LDNS_RSASHA1:
 213         case LDNS_RSASHA1_NSEC3:
 214 #ifdef USE_SHA1
 215                 return 1;
 216 #else
 217                 if(fake_sha1) return 1;
 218                 return 0;
 219 #endif
 220
 221 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
 222         case LDNS_RSASHA256:
 223 #endif
 224 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
 225         case LDNS_RSASHA512:
 226 #endif
 227 #ifdef USE_ECDSA
 228         case LDNS_ECDSAP256SHA256:
 229         case LDNS_ECDSAP384SHA384:
 230 #endif
 231 #if (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2)) || defined(USE_ECDSA)
 232                 return 1;
 233 #endif
 234
 235 #ifdef USE_GOST
 236         case LDNS_ECC_GOST:
 237                 /* we support GOST if it can be loaded */
 238                 return sldns_key_EVP_load_gost_id();
 239 #endif
 240         default:
 241                 return 0;
 242         }
 243 }
 244
 245 /**
 246  * Output a libcrypto openssl error to the logfile.
 247  * @param str: string to add to it.
 248  * @param e: the error to output, error number from ERR_get_error().
 249  */
 250 static void
 251 log_crypto_error(const char* str, unsigned long e)
 252 {
 253         char buf[128];
 254         /* or use ERR_error_string if ERR_error_string_n is not avail TODO */
 255         ERR_error_string_n(e, buf, sizeof(buf));
 256         /* buf now contains */
 257         /* error:[error code]:[library name]:[function name]:[reason string] */
 258         log_err("%s crypto %s", str, buf);
 259 }
 260
 261 #ifdef USE_DSA
 262 /**
 263  * Setup DSA key digest in DER encoding ...
 264  * @param sig: input is signature output alloced ptr (unless failure).
 265  *      caller must free alloced ptr if this routine returns true.
 266  * @param len: input is initial siglen, output is output len.
 267  * @return false on failure.
 268  */
 269 static int
 270 setup_dsa_sig(unsigned char** sig, unsigned int* len)
 271 {
 272         unsigned char* orig = *sig;
 273         unsigned int origlen = *len;
 274         int newlen;
 275         BIGNUM *R, *S;
 276         DSA_SIG *dsasig;
 277
 278         /* extract the R and S field from the sig buffer */
 279         if(origlen < 1 + 2*SHA_DIGEST_LENGTH)
 280                 return 0;
 281         R = BN_new();
 282         if(!R) return 0;
 283         (void) BN_bin2bn(orig + 1, SHA_DIGEST_LENGTH, R);
 284         S = BN_new();
 285         if(!S) return 0;
 286         (void) BN_bin2bn(orig + 21, SHA_DIGEST_LENGTH, S);
 287         dsasig = DSA_SIG_new();
 288         if(!dsasig) return 0;
 289
 290 #ifdef HAVE_DSA_SIG_SET0
 291         if(!DSA_SIG_set0(dsasig, R, S)) return 0;
 292 #else
 293         dsasig->r = R;
 294         dsasig->s = S;
 295 #endif
 296         *sig = NULL;
 297         newlen = i2d_DSA_SIG(dsasig, sig);
 298         if(newlen < 0) {
 299                 DSA_SIG_free(dsasig);
 300                 free(*sig);
 301                 return 0;
 302         }
 303         *len = (unsigned int)newlen;
 304         DSA_SIG_free(dsasig);
 305         return 1;
 306 }
 307 #endif /* USE_DSA */
 308
 309 #ifdef USE_ECDSA
 310 /**
 311  * Setup the ECDSA signature in its encoding that the library wants.
 312  * Converts from plain numbers to ASN formatted.
 313  * @param sig: input is signature, output alloced ptr (unless failure).
 314  *      caller must free alloced ptr if this routine returns true.
 315  * @param len: input is initial siglen, output is output len.
 316  * @return false on failure.
 317  */
 318 static int
 319 setup_ecdsa_sig(unsigned char** sig, unsigned int* len)
 320 {
 321         /* convert from two BIGNUMs in the rdata buffer, to ASN notation.
 322          * ASN preable:  30440220 <R 32bytefor256> 0220 <S 32bytefor256>
 323          * the '20' is the length of that field (=bnsize).
 324 i        * the '44' is the total remaining length.
 325          * if negative, start with leading zero.
 326          * if starts with 00s, remove them from the number.
 327          */
 328         uint8_t pre[] = {0x30, 0x44, 0x02, 0x20};
 329         int pre_len = 4;
 330         uint8_t mid[] = {0x02, 0x20};
 331         int mid_len = 2;
 332         int raw_sig_len, r_high, s_high, r_rem=0, s_rem=0;
 333         int bnsize = (int)((*len)/2);
 334         unsigned char* d = *sig;
 335         uint8_t* p;
 336         /* if too short or not even length, fails */
 337         if(*len < 16 || bnsize*2 != (int)*len)
 338                 return 0;
 339
 340         /* strip leading zeroes from r (but not last one) */
 341         while(r_rem < bnsize-1 && d[r_rem] == 0)
 342                 r_rem++;
 343         /* strip leading zeroes from s (but not last one) */
 344         while(s_rem < bnsize-1 && d[bnsize+s_rem] == 0)
 345                 s_rem++;
 346
 347         r_high = ((d[0+r_rem]&0x80)?1:0);
 348         s_high = ((d[bnsize+s_rem]&0x80)?1:0);
 349         raw_sig_len = pre_len + r_high + bnsize - r_rem + mid_len +
 350                 s_high + bnsize - s_rem;
 351         *sig = (unsigned char*)malloc((size_t)raw_sig_len);
 352         if(!*sig)
 353                 return 0;
 354         p = (uint8_t*)*sig;
 355         p[0] = pre[0];
 356         p[1] = (uint8_t)(raw_sig_len-2);
 357         p[2] = pre[2];
 358         p[3] = (uint8_t)(bnsize + r_high - r_rem);
 359         p += 4;
 360         if(r_high) {
 361                 *p = 0;
 362                 p += 1;
 363         }
 364         memmove(p, d+r_rem, (size_t)bnsize-r_rem);
 365         p += bnsize-r_rem;
 366         memmove(p, mid, (size_t)mid_len-1);
 367         p += mid_len-1;
 368         *p = (uint8_t)(bnsize + s_high - s_rem);
 369         p += 1;
 370         if(s_high) {
 371                 *p = 0;
 372                 p += 1;
 373         }
 374         memmove(p, d+bnsize+s_rem, (size_t)bnsize-s_rem);
 375         *len = (unsigned int)raw_sig_len;
 376         return 1;
 377 }
 378 #endif /* USE_ECDSA */
 379
 380 #ifdef USE_ECDSA_EVP_WORKAROUND
 381 static EVP_MD ecdsa_evp_256_md;
 382 static EVP_MD ecdsa_evp_384_md;
 383 void ecdsa_evp_workaround_init(void)
 384 {
 385         /* openssl before 1.0.0 fixes RSA with the SHA256
 386          * hash in EVP.  We create one for ecdsa_sha256 */
 387         ecdsa_evp_256_md = *EVP_sha256();
 388         ecdsa_evp_256_md.required_pkey_type[0] = EVP_PKEY_EC;
 389         ecdsa_evp_256_md.verify = (void*)ECDSA_verify;
 390
 391         ecdsa_evp_384_md = *EVP_sha384();
 392         ecdsa_evp_384_md.required_pkey_type[0] = EVP_PKEY_EC;
 393         ecdsa_evp_384_md.verify = (void*)ECDSA_verify;
 394 }
 395 #endif /* USE_ECDSA_EVP_WORKAROUND */
 396
 397 /**
 398  * Setup key and digest for verification. Adjust sig if necessary.
 399  *
 400  * @param algo: key algorithm
 401  * @param evp_key: EVP PKEY public key to create.
 402  * @param digest_type: digest type to use
 403  * @param key: key to setup for.
 404  * @param keylen: length of key.
 405  * @return false on failure.
 406  */
 407 static int
 408 setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type,
 409         unsigned char* key, size_t keylen)
 410 {
 411 #if defined(USE_DSA) && defined(USE_SHA1)
 412         DSA* dsa;
 413 #endif
 414         RSA* rsa;
 415
 416         switch(algo) {
 417 #if defined(USE_DSA) && defined(USE_SHA1)
 418                 case LDNS_DSA:
 419                 case LDNS_DSA_NSEC3:
 420                         *evp_key = EVP_PKEY_new();
 421                         if(!*evp_key) {
 422                                 log_err("verify: malloc failure in crypto");
 423                                 return 0;
 424                         }
 425                         dsa = sldns_key_buf2dsa_raw(key, keylen);
 426                         if(!dsa) {
 427                                 verbose(VERB_QUERY, "verify: "
 428                                         "sldns_key_buf2dsa_raw failed");
 429                                 return 0;
 430                         }
 431                         if(EVP_PKEY_assign_DSA(*evp_key, dsa) == 0) {
 432                                 verbose(VERB_QUERY, "verify: "
 433                                         "EVP_PKEY_assign_DSA failed");
 434                                 return 0;
 435                         }
 436 #ifdef HAVE_EVP_DSS1
 437                         *digest_type = EVP_dss1();
 438 #else
 439                         *digest_type = EVP_sha1();
 440 #endif
 441
 442                         break;
 443 #endif /* USE_DSA && USE_SHA1 */
 444
 445 #if defined(USE_SHA1) || (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2))
 446 #ifdef USE_SHA1
 447                 case LDNS_RSASHA1:
 448                 case LDNS_RSASHA1_NSEC3:
 449 #endif
 450 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
 451                 case LDNS_RSASHA256:
 452 #endif
 453 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
 454                 case LDNS_RSASHA512:
 455 #endif
 456                         *evp_key = EVP_PKEY_new();
 457                         if(!*evp_key) {
 458                                 log_err("verify: malloc failure in crypto");
 459                                 return 0;
 460                         }
 461                         rsa = sldns_key_buf2rsa_raw(key, keylen);
 462                         if(!rsa) {
 463                                 verbose(VERB_QUERY, "verify: "
 464                                         "sldns_key_buf2rsa_raw SHA failed");
 465                                 return 0;
 466                         }
 467                         if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) {
 468                                 verbose(VERB_QUERY, "verify: "
 469                                         "EVP_PKEY_assign_RSA SHA failed");
 470                                 return 0;
 471                         }
 472
 473                         /* select SHA version */
 474 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
 475                         if(algo == LDNS_RSASHA256)
 476                                 *digest_type = EVP_sha256();
 477                         else
 478 #endif
 479 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
 480                                 if(algo == LDNS_RSASHA512)
 481                                 *digest_type = EVP_sha512();
 482                         else
 483 #endif
 484 #ifdef USE_SHA1
 485                                 *digest_type = EVP_sha1();
 486 #else
 487                                 { verbose(VERB_QUERY, "no digest available"); return 0; }
 488 #endif
 489                         break;
 490 #endif /* defined(USE_SHA1) || (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2)) */
 491
 492                 case LDNS_RSAMD5:
 493                         *evp_key = EVP_PKEY_new();
 494                         if(!*evp_key) {
 495                                 log_err("verify: malloc failure in crypto");
 496                                 return 0;
 497                         }
 498                         rsa = sldns_key_buf2rsa_raw(key, keylen);
 499                         if(!rsa) {
 500                                 verbose(VERB_QUERY, "verify: "
 501                                         "sldns_key_buf2rsa_raw MD5 failed");
 502                                 return 0;
 503                         }
 504                         if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) {
 505                                 verbose(VERB_QUERY, "verify: "
 506                                         "EVP_PKEY_assign_RSA MD5 failed");
 507                                 return 0;
 508                         }
 509                         *digest_type = EVP_md5();
 510
 511                         break;
 512 #ifdef USE_GOST
 513                 case LDNS_ECC_GOST:
 514                         *evp_key = sldns_gost2pkey_raw(key, keylen);
 515                         if(!*evp_key) {
 516                                 verbose(VERB_QUERY, "verify: "
 517                                         "sldns_gost2pkey_raw failed");
 518                                 return 0;
 519                         }
 520                         *digest_type = EVP_get_digestbyname("md_gost94");
 521                         if(!*digest_type) {
 522                                 verbose(VERB_QUERY, "verify: "
 523                                         "EVP_getdigest md_gost94 failed");
 524                                 return 0;
 525                         }
 526                         break;
 527 #endif
 528 #ifdef USE_ECDSA
 529                 case LDNS_ECDSAP256SHA256:
 530                         *evp_key = sldns_ecdsa2pkey_raw(key, keylen,
 531                                 LDNS_ECDSAP256SHA256);
 532                         if(!*evp_key) {
 533                                 verbose(VERB_QUERY, "verify: "
 534                                         "sldns_ecdsa2pkey_raw failed");
 535                                 return 0;
 536                         }
 537 #ifdef USE_ECDSA_EVP_WORKAROUND
 538                         *digest_type = &ecdsa_evp_256_md;
 539 #else
 540                         *digest_type = EVP_sha256();
 541 #endif
 542                         break;
 543                 case LDNS_ECDSAP384SHA384:
 544                         *evp_key = sldns_ecdsa2pkey_raw(key, keylen,
 545                                 LDNS_ECDSAP384SHA384);
 546                         if(!*evp_key) {
 547                                 verbose(VERB_QUERY, "verify: "
 548                                         "sldns_ecdsa2pkey_raw failed");
 549                                 return 0;
 550                         }
 551 #ifdef USE_ECDSA_EVP_WORKAROUND
 552                         *digest_type = &ecdsa_evp_384_md;
 553 #else
 554                         *digest_type = EVP_sha384();
 555 #endif
 556                         break;
 557 #endif /* USE_ECDSA */
 558                 default:
 559                         verbose(VERB_QUERY, "verify: unknown algorithm %d",
 560                                 algo);
 561                         return 0;
 562         }
 563         return 1;
 564 }
 565
 566 /**
 567  * Check a canonical sig+rrset and signature against a dnskey
 568  * @param buf: buffer with data to verify, the first rrsig part and the
 569  *      canonicalized rrset.
 570  * @param algo: DNSKEY algorithm.
 571  * @param sigblock: signature rdata field from RRSIG
 572  * @param sigblock_len: length of sigblock data.
 573  * @param key: public key data from DNSKEY RR.
 574  * @param keylen: length of keydata.
 575  * @param reason: bogus reason in more detail.
 576  * @return secure if verification succeeded, bogus on crypto failure,
 577  *      unchecked on format errors and alloc failures.
 578  */
 579 enum sec_status
 580 verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
 581         unsigned int sigblock_len, unsigned char* key, unsigned int keylen,
 582         char** reason)
 583 {
 584         const EVP_MD *digest_type;
 585         EVP_MD_CTX* ctx;
 586         int res, dofree = 0, docrypto_free = 0;
 587         EVP_PKEY *evp_key = NULL;
 588
 589 #ifndef USE_DSA
 590         if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) &&(fake_dsa||fake_sha1))
 591                 return sec_status_secure;
 592 #endif
 593 #ifndef USE_SHA1
 594         if(fake_sha1 && (algo == LDNS_DSA || algo == LDNS_DSA_NSEC3 || algo == LDNS_RSASHA1 || algo == LDNS_RSASHA1_NSEC3))
 595                 return sec_status_secure;
 596 #endif
 597
 598         if(!setup_key_digest(algo, &evp_key, &digest_type, key, keylen)) {
 599                 verbose(VERB_QUERY, "verify: failed to setup key");
 600                 *reason = "use of key for crypto failed";
 601                 EVP_PKEY_free(evp_key);
 602                 return sec_status_bogus;
 603         }
 604 #ifdef USE_DSA
 605         /* if it is a DSA signature in bind format, convert to DER format */
 606         if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) &&
 607                 sigblock_len == 1+2*SHA_DIGEST_LENGTH) {
 608                 if(!setup_dsa_sig(&sigblock, &sigblock_len)) {
 609                         verbose(VERB_QUERY, "verify: failed to setup DSA sig");
 610                         *reason = "use of key for DSA crypto failed";
 611                         EVP_PKEY_free(evp_key);
 612                         return sec_status_bogus;
 613                 }
 614                 docrypto_free = 1;
 615         }
 616 #endif
 617 #if defined(USE_ECDSA) && defined(USE_DSA)
 618         else
 619 #endif
 620 #ifdef USE_ECDSA
 621         if(algo == LDNS_ECDSAP256SHA256 || algo == LDNS_ECDSAP384SHA384) {
 622                 /* EVP uses ASN prefix on sig, which is not in the wire data */
 623                 if(!setup_ecdsa_sig(&sigblock, &sigblock_len)) {
 624                         verbose(VERB_QUERY, "verify: failed to setup ECDSA sig");
 625                         *reason = "use of signature for ECDSA crypto failed";
 626                         EVP_PKEY_free(evp_key);
 627                         return sec_status_bogus;
 628                 }
 629                 dofree = 1;
 630         }
 631 #endif /* USE_ECDSA */
 632
 633         /* do the signature cryptography work */
 634 #ifdef HAVE_EVP_MD_CTX_NEW
 635         ctx = EVP_MD_CTX_new();
 636 #else
 637         ctx = (EVP_MD_CTX*)malloc(sizeof(*ctx));
 638         if(ctx) EVP_MD_CTX_init(ctx);
 639 #endif
 640         if(!ctx) {
 641                 log_err("EVP_MD_CTX_new: malloc failure");
 642                 EVP_PKEY_free(evp_key);
 643                 if(dofree) free(sigblock);
 644                 else if(docrypto_free) OPENSSL_free(sigblock);
 645                 return sec_status_unchecked;
 646         }
 647         if(EVP_VerifyInit(ctx, digest_type) == 0) {
 648                 verbose(VERB_QUERY, "verify: EVP_VerifyInit failed");
 649                 EVP_MD_CTX_destroy(ctx);
 650                 EVP_PKEY_free(evp_key);
 651                 if(dofree) free(sigblock);
 652                 else if(docrypto_free) OPENSSL_free(sigblock);
 653                 return sec_status_unchecked;
 654         }
 655         if(EVP_VerifyUpdate(ctx, (unsigned char*)sldns_buffer_begin(buf),
 656                 (unsigned int)sldns_buffer_limit(buf)) == 0) {
 657                 verbose(VERB_QUERY, "verify: EVP_VerifyUpdate failed");
 658                 EVP_MD_CTX_destroy(ctx);
 659                 EVP_PKEY_free(evp_key);
 660                 if(dofree) free(sigblock);
 661                 else if(docrypto_free) OPENSSL_free(sigblock);
 662                 return sec_status_unchecked;
 663         }
 664
 665         res = EVP_VerifyFinal(ctx, sigblock, sigblock_len, evp_key);
 666 #ifdef HAVE_EVP_MD_CTX_NEW
 667         EVP_MD_CTX_destroy(ctx);
 668 #else
 669         EVP_MD_CTX_cleanup(ctx);
 670         free(ctx);
 671 #endif
 672         EVP_PKEY_free(evp_key);
 673
 674         if(dofree) free(sigblock);
 675         else if(docrypto_free) OPENSSL_free(sigblock);
 676
 677         if(res == 1) {
 678                 return sec_status_secure;
 679         } else if(res == 0) {
 680                 verbose(VERB_QUERY, "verify: signature mismatch");
 681                 *reason = "signature crypto failed";
 682                 return sec_status_bogus;
 683         }
 684
 685         log_crypto_error("verify:", ERR_get_error());
 686         return sec_status_unchecked;
 687 }
 688
 689 /**************************************************/
 690 #elif defined(HAVE_NSS)
 691 /* libnss implementation */
 692 /* nss3 */
 693 #include "sechash.h"
 694 #include "pk11pub.h"
 695 #include "keyhi.h"
 696 #include "secerr.h"
 697 #include "cryptohi.h"
 698 /* nspr4 */
 699 #include "prerror.h"
 700
 701 /* return size of digest if supported, or 0 otherwise */
 702 size_t
 703 nsec3_hash_algo_size_supported(int id)
 704 {
 705         switch(id) {
 706         case NSEC3_HASH_SHA1:
 707                 return SHA1_LENGTH;
 708         default:
 709                 return 0;
 710         }
 711 }
 712
 713 /* perform nsec3 hash. return false on failure */
 714 int
 715 secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
 716         unsigned char* res)
 717 {
 718         switch(algo) {
 719         case NSEC3_HASH_SHA1:
 720                 (void)HASH_HashBuf(HASH_AlgSHA1, res, buf, (unsigned long)len);
 721                 return 1;
 722         default:
 723                 return 0;
 724         }
 725 }
 726
 727 void
 728 secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res)
 729 {
 730         (void)HASH_HashBuf(HASH_AlgSHA256, res, buf, (unsigned long)len);
 731 }
 732
 733 size_t
 734 ds_digest_size_supported(int algo)
 735 {
 736         /* uses libNSS */
 737         switch(algo) {
 738 #ifdef USE_SHA1
 739                 case LDNS_SHA1:
 740                         return SHA1_LENGTH;
 741 #endif
 742 #ifdef USE_SHA2
 743                 case LDNS_SHA256:
 744                         return SHA256_LENGTH;
 745 #endif
 746 #ifdef USE_ECDSA
 747                 case LDNS_SHA384:
 748                         return SHA384_LENGTH;
 749 #endif
 750                 /* GOST not supported in NSS */
 751                 case LDNS_HASH_GOST:
 752                 default: break;
 753         }
 754         return 0;
 755 }
 756
 757 int
 758 secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
 759         unsigned char* res)
 760 {
 761         /* uses libNSS */
 762         switch(algo) {
 763 #ifdef USE_SHA1
 764                 case LDNS_SHA1:
 765                         return HASH_HashBuf(HASH_AlgSHA1, res, buf, len)
 766                                 == SECSuccess;
 767 #endif
 768 #if defined(USE_SHA2)
 769                 case LDNS_SHA256:
 770                         return HASH_HashBuf(HASH_AlgSHA256, res, buf, len)
 771                                 == SECSuccess;
 772 #endif
 773 #ifdef USE_ECDSA
 774                 case LDNS_SHA384:
 775                         return HASH_HashBuf(HASH_AlgSHA384, res, buf, len)
 776                                 == SECSuccess;
 777 #endif
 778                 case LDNS_HASH_GOST:
 779                 default:
 780                         verbose(VERB_QUERY, "unknown DS digest algorithm %d",
 781                                 algo);
 782                         break;
 783         }
 784         return 0;
 785 }
 786
 787 int
 788 dnskey_algo_id_is_supported(int id)
 789 {
 790         /* uses libNSS */
 791         switch(id) {
 792         case LDNS_RSAMD5:
 793                 /* RFC 6725 deprecates RSAMD5 */
 794                 return 0;
 795 #if defined(USE_SHA1) || defined(USE_SHA2)
 796 #if defined(USE_DSA) && defined(USE_SHA1)
 797         case LDNS_DSA:
 798         case LDNS_DSA_NSEC3:
 799 #endif
 800 #ifdef USE_SHA1
 801         case LDNS_RSASHA1:
 802         case LDNS_RSASHA1_NSEC3:
 803 #endif
 804 #ifdef USE_SHA2
 805         case LDNS_RSASHA256:
 806 #endif
 807 #ifdef USE_SHA2
 808         case LDNS_RSASHA512:
 809 #endif
 810                 return 1;
 811 #endif /* SHA1 or SHA2 */
 812
 813 #ifdef USE_ECDSA
 814         case LDNS_ECDSAP256SHA256:
 815         case LDNS_ECDSAP384SHA384:
 816                 return PK11_TokenExists(CKM_ECDSA);
 817 #endif
 818         case LDNS_ECC_GOST:
 819         default:
 820                 return 0;
 821         }
 822 }
 823
 824 /* return a new public key for NSS */
 825 static SECKEYPublicKey* nss_key_create(KeyType ktype)
 826 {
 827         SECKEYPublicKey* key;
 828         PLArenaPool* arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
 829         if(!arena) {
 830                 log_err("out of memory, PORT_NewArena failed");
 831                 return NULL;
 832         }
 833         key = PORT_ArenaZNew(arena, SECKEYPublicKey);
 834         if(!key) {
 835                 log_err("out of memory, PORT_ArenaZNew failed");
 836                 PORT_FreeArena(arena, PR_FALSE);
 837                 return NULL;
 838         }
 839         key->arena = arena;
 840         key->keyType = ktype;
 841         key->pkcs11Slot = NULL;
 842         key->pkcs11ID = CK_INVALID_HANDLE;
 843         return key;
 844 }
 845
 846 static SECKEYPublicKey* nss_buf2ecdsa(unsigned char* key, size_t len, int algo)
 847 {
 848         SECKEYPublicKey* pk;
 849         SECItem pub = {siBuffer, NULL, 0};
 850         SECItem params = {siBuffer, NULL, 0};
 851         static unsigned char param256[] = {
 852                 /* OBJECTIDENTIFIER 1.2.840.10045.3.1.7 (P-256)
 853                  * {iso(1) member-body(2) us(840) ansi-x962(10045) curves(3) prime(1) prime256v1(7)} */
 854                 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07
 855         };
 856         static unsigned char param384[] = {
 857                 /* OBJECTIDENTIFIER 1.3.132.0.34 (P-384)
 858                  * {iso(1) identified-organization(3) certicom(132) curve(0) ansip384r1(34)} */
 859                 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22
 860         };
 861         unsigned char buf[256+2]; /* sufficient for 2*384/8+1 */
 862
 863         /* check length, which uncompressed must be 2 bignums */
 864         if(algo == LDNS_ECDSAP256SHA256) {
 865                 if(len != 2*256/8) return NULL;
 866                 /* ECCurve_X9_62_PRIME_256V1 */
 867         } else if(algo == LDNS_ECDSAP384SHA384) {
 868                 if(len != 2*384/8) return NULL;
 869                 /* ECCurve_X9_62_PRIME_384R1 */
 870         } else    return NULL;
 871
 872         buf[0] = 0x04; /* POINT_FORM_UNCOMPRESSED */
 873         memmove(buf+1, key, len);
 874         pub.data = buf;
 875         pub.len = len+1;
 876         if(algo == LDNS_ECDSAP256SHA256) {
 877                 params.data = param256;
 878                 params.len = sizeof(param256);
 879         } else {
 880                 params.data = param384;
 881                 params.len = sizeof(param384);
 882         }
 883
 884         pk = nss_key_create(ecKey);
 885         if(!pk)
 886                 return NULL;
 887         pk->u.ec.size = (len/2)*8;
 888         if(SECITEM_CopyItem(pk->arena, &pk->u.ec.publicValue, &pub)) {
 889                 SECKEY_DestroyPublicKey(pk);
 890                 return NULL;
 891         }
 892         if(SECITEM_CopyItem(pk->arena, &pk->u.ec.DEREncodedParams, &params)) {
 893                 SECKEY_DestroyPublicKey(pk);
 894                 return NULL;
 895         }
 896
 897         return pk;
 898 }
 899
 900 static SECKEYPublicKey* nss_buf2dsa(unsigned char* key, size_t len)
 901 {
 902         SECKEYPublicKey* pk;
 903         uint8_t T;
 904         uint16_t length;
 905         uint16_t offset;
 906         SECItem Q = {siBuffer, NULL, 0};
 907         SECItem P = {siBuffer, NULL, 0};
 908         SECItem G = {siBuffer, NULL, 0};
 909         SECItem Y = {siBuffer, NULL, 0};
 910
 911         if(len == 0)
 912                 return NULL;
 913         T = (uint8_t)key[0];
 914         length = (64 + T * 8);
 915         offset = 1;
 916
 917         if (T > 8) {
 918                 return NULL;
 919         }
 920         if(len < (size_t)1 + SHA1_LENGTH + 3*length)
 921                 return NULL;
 922
 923         Q.data = key+offset;
 924         Q.len = SHA1_LENGTH;
 925         offset += SHA1_LENGTH;
 926
 927         P.data = key+offset;
 928         P.len = length;
 929         offset += length;
 930
 931         G.data = key+offset;
 932         G.len = length;
 933         offset += length;
 934
 935         Y.data = key+offset;
 936         Y.len = length;
 937         offset += length;
 938
 939         pk = nss_key_create(dsaKey);
 940         if(!pk)
 941                 return NULL;
 942         if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.prime, &P)) {
 943                 SECKEY_DestroyPublicKey(pk);
 944                 return NULL;
 945         }
 946         if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.subPrime, &Q)) {
 947                 SECKEY_DestroyPublicKey(pk);
 948                 return NULL;
 949         }
 950         if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.base, &G)) {
 951                 SECKEY_DestroyPublicKey(pk);
 952                 return NULL;
 953         }
 954         if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.publicValue, &Y)) {
 955                 SECKEY_DestroyPublicKey(pk);
 956                 return NULL;
 957         }
 958         return pk;
 959 }
 960
 961 static SECKEYPublicKey* nss_buf2rsa(unsigned char* key, size_t len)
 962 {
 963         SECKEYPublicKey* pk;
 964         uint16_t exp;
 965         uint16_t offset;
 966         uint16_t int16;
 967         SECItem modulus = {siBuffer, NULL, 0};
 968         SECItem exponent = {siBuffer, NULL, 0};
 969         if(len == 0)
 970                 return NULL;
 971         if(key[0] == 0) {
 972                 if(len < 3)
 973                         return NULL;
 974                 /* the exponent is too large so it's places further */
 975                 memmove(&int16, key+1, 2);
 976                 exp = ntohs(int16);
 977                 offset = 3;
 978         } else {
 979                 exp = key[0];
 980                 offset = 1;
 981         }
 982
 983         /* key length at least one */
 984         if(len < (size_t)offset + exp + 1)
 985                 return NULL;
 986
 987         exponent.data = key+offset;
 988         exponent.len = exp;
 989         offset += exp;
 990         modulus.data = key+offset;
 991         modulus.len = (len - offset);
 992
 993         pk = nss_key_create(rsaKey);
 994         if(!pk)
 995                 return NULL;
 996         if(SECITEM_CopyItem(pk->arena, &pk->u.rsa.modulus, &modulus)) {
 997                 SECKEY_DestroyPublicKey(pk);
 998                 return NULL;
 999         }
1000         if(SECITEM_CopyItem(pk->arena, &pk->u.rsa.publicExponent, &exponent)) {
1001                 SECKEY_DestroyPublicKey(pk);
1002                 return NULL;
1003         }
1004         return pk;
1005 }
1006
1007 /**
1008  * Setup key and digest for verification. Adjust sig if necessary.
1009  *
1010  * @param algo: key algorithm
1011  * @param evp_key: EVP PKEY public key to create.
1012  * @param digest_type: digest type to use
1013  * @param key: key to setup for.
1014  * @param keylen: length of key.
1015  * @param prefix: if returned, the ASN prefix for the hashblob.
1016  * @param prefixlen: length of the prefix.
1017  * @return false on failure.
1018  */
1019 static int
1020 nss_setup_key_digest(int algo, SECKEYPublicKey** pubkey, HASH_HashType* htype,
1021         unsigned char* key, size_t keylen, unsigned char** prefix,
1022         size_t* prefixlen)
1023 {
1024         /* uses libNSS */
1025
1026         /* hash prefix for md5, RFC2537 */
1027         static unsigned char p_md5[] = {0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a,
1028         0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 0x04, 0x10};
1029         /* hash prefix to prepend to hash output, from RFC3110 */
1030         static unsigned char p_sha1[] = {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B,
1031                 0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14};
1032         /* from RFC5702 */
1033         static unsigned char p_sha256[] = {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60,
1034         0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20};
1035         static unsigned char p_sha512[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60,
1036         0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40};
1037         /* from RFC6234 */
1038         /* for future RSASHA384 ..
1039         static unsigned char p_sha384[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60,
1040         0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30};
1041         */
1042
1043         switch(algo) {
1044
1045 #if defined(USE_SHA1) || defined(USE_SHA2)
1046 #if defined(USE_DSA) && defined(USE_SHA1)
1047                 case LDNS_DSA:
1048                 case LDNS_DSA_NSEC3:
1049                         *pubkey = nss_buf2dsa(key, keylen);
1050                         if(!*pubkey) {
1051                                 log_err("verify: malloc failure in crypto");
1052                                 return 0;
1053                         }
1054                         *htype = HASH_AlgSHA1;
1055                         /* no prefix for DSA verification */
1056                         break;
1057 #endif
1058 #ifdef USE_SHA1
1059                 case LDNS_RSASHA1:
1060                 case LDNS_RSASHA1_NSEC3:
1061 #endif
1062 #ifdef USE_SHA2
1063                 case LDNS_RSASHA256:
1064 #endif
1065 #ifdef USE_SHA2
1066                 case LDNS_RSASHA512:
1067 #endif
1068                         *pubkey = nss_buf2rsa(key, keylen);
1069                         if(!*pubkey) {
1070                                 log_err("verify: malloc failure in crypto");
1071                                 return 0;
1072                         }
1073                         /* select SHA version */
1074 #ifdef USE_SHA2
1075                         if(algo == LDNS_RSASHA256) {
1076                                 *htype = HASH_AlgSHA256;
1077                                 *prefix = p_sha256;
1078                                 *prefixlen = sizeof(p_sha256);
1079                         } else
1080 #endif
1081 #ifdef USE_SHA2
1082                                 if(algo == LDNS_RSASHA512) {
1083                                 *htype = HASH_AlgSHA512;
1084                                 *prefix = p_sha512;
1085                                 *prefixlen = sizeof(p_sha512);
1086                         } else
1087 #endif
1088 #ifdef USE_SHA1
1089                         {
1090                                 *htype = HASH_AlgSHA1;
1091                                 *prefix = p_sha1;
1092                                 *prefixlen = sizeof(p_sha1);
1093                         }
1094 #else
1095                         {
1096                                 verbose(VERB_QUERY, "verify: no digest algo");
1097                                 return 0;
1098                         }
1099 #endif
1100
1101                         break;
1102 #endif /* SHA1 or SHA2 */
1103
1104                 case LDNS_RSAMD5:
1105                         *pubkey = nss_buf2rsa(key, keylen);
1106                         if(!*pubkey) {
1107                                 log_err("verify: malloc failure in crypto");
1108                                 return 0;
1109                         }
1110                         *htype = HASH_AlgMD5;
1111                         *prefix = p_md5;
1112                         *prefixlen = sizeof(p_md5);
1113
1114                         break;
1115 #ifdef USE_ECDSA
1116                 case LDNS_ECDSAP256SHA256:
1117                         *pubkey = nss_buf2ecdsa(key, keylen,
1118                                 LDNS_ECDSAP256SHA256);
1119                         if(!*pubkey) {
1120                                 log_err("verify: malloc failure in crypto");
1121                                 return 0;
1122                         }
1123                         *htype = HASH_AlgSHA256;
1124                         /* no prefix for DSA verification */
1125                         break;
1126                 case LDNS_ECDSAP384SHA384:
1127                         *pubkey = nss_buf2ecdsa(key, keylen,
1128                                 LDNS_ECDSAP384SHA384);
1129                         if(!*pubkey) {
1130                                 log_err("verify: malloc failure in crypto");
1131                                 return 0;
1132                         }
1133                         *htype = HASH_AlgSHA384;
1134                         /* no prefix for DSA verification */
1135                         break;
1136 #endif /* USE_ECDSA */
1137                 case LDNS_ECC_GOST:
1138                 default:
1139                         verbose(VERB_QUERY, "verify: unknown algorithm %d",
1140                                 algo);
1141                         return 0;
1142         }
1143         return 1;
1144 }
1145
1146 /**
1147  * Check a canonical sig+rrset and signature against a dnskey
1148  * @param buf: buffer with data to verify, the first rrsig part and the
1149  *      canonicalized rrset.
1150  * @param algo: DNSKEY algorithm.
1151  * @param sigblock: signature rdata field from RRSIG
1152  * @param sigblock_len: length of sigblock data.
1153  * @param key: public key data from DNSKEY RR.
1154  * @param keylen: length of keydata.
1155  * @param reason: bogus reason in more detail.
1156  * @return secure if verification succeeded, bogus on crypto failure,
1157  *      unchecked on format errors and alloc failures.
1158  */
1159 enum sec_status
1160 verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
1161         unsigned int sigblock_len, unsigned char* key, unsigned int keylen,
1162         char** reason)
1163 {
1164         /* uses libNSS */
1165         /* large enough for the different hashes */
1166         unsigned char hash[HASH_LENGTH_MAX];
1167         unsigned char hash2[HASH_LENGTH_MAX*2];
1168         HASH_HashType htype = 0;
1169         SECKEYPublicKey* pubkey = NULL;
1170         SECItem secsig = {siBuffer, sigblock, sigblock_len};
1171         SECItem sechash = {siBuffer, hash, 0};
1172         SECStatus res;
1173         unsigned char* prefix = NULL; /* prefix for hash, RFC3110, RFC5702 */
1174         size_t prefixlen = 0;
1175         int err;
1176
1177         if(!nss_setup_key_digest(algo, &pubkey, &htype, key, keylen,
1178                 &prefix, &prefixlen)) {
1179                 verbose(VERB_QUERY, "verify: failed to setup key");
1180                 *reason = "use of key for crypto failed";
1181                 SECKEY_DestroyPublicKey(pubkey);
1182                 return sec_status_bogus;
1183         }
1184
1185 #if defined(USE_DSA) && defined(USE_SHA1)
1186         /* need to convert DSA, ECDSA signatures? */
1187         if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3)) {
1188                 if(sigblock_len == 1+2*SHA1_LENGTH) {
1189                         secsig.data ++;
1190                         secsig.len --;
1191                 } else {
1192                         SECItem* p = DSAU_DecodeDerSig(&secsig);
1193                         if(!p) {
1194                                 verbose(VERB_QUERY, "verify: failed DER decode");
1195                                 *reason = "signature DER decode failed";
1196                                 SECKEY_DestroyPublicKey(pubkey);
1197                                 return sec_status_bogus;
1198                         }
1199                         if(SECITEM_CopyItem(pubkey->arena, &secsig, p)) {
1200                                 log_err("alloc failure in DER decode");
1201                                 SECKEY_DestroyPublicKey(pubkey);
1202                                 SECITEM_FreeItem(p, PR_TRUE);
1203                                 return sec_status_unchecked;
1204                         }
1205                         SECITEM_FreeItem(p, PR_TRUE);
1206                 }
1207         }
1208 #endif /* USE_DSA */
1209
1210         /* do the signature cryptography work */
1211         /* hash the data */
1212         sechash.len = HASH_ResultLen(htype);
1213         if(sechash.len > sizeof(hash)) {
1214                 verbose(VERB_QUERY, "verify: hash too large for buffer");
1215                 SECKEY_DestroyPublicKey(pubkey);
1216                 return sec_status_unchecked;
1217         }
1218         if(HASH_HashBuf(htype, hash, (unsigned char*)sldns_buffer_begin(buf),
1219                 (unsigned int)sldns_buffer_limit(buf)) != SECSuccess) {
1220                 verbose(VERB_QUERY, "verify: HASH_HashBuf failed");
1221                 SECKEY_DestroyPublicKey(pubkey);
1222                 return sec_status_unchecked;
1223         }
1224         if(prefix) {
1225                 int hashlen = sechash.len;
1226                 if(prefixlen+hashlen > sizeof(hash2)) {
1227                         verbose(VERB_QUERY, "verify: hashprefix too large");
1228                         SECKEY_DestroyPublicKey(pubkey);
1229                         return sec_status_unchecked;
1230                 }
1231                 sechash.data = hash2;
1232                 sechash.len = prefixlen+hashlen;
1233                 memcpy(sechash.data, prefix, prefixlen);
1234                 memmove(sechash.data+prefixlen, hash, hashlen);
1235         }
1236
1237         /* verify the signature */
1238         res = PK11_Verify(pubkey, &secsig, &sechash, NULL /*wincx*/);
1239         SECKEY_DestroyPublicKey(pubkey);
1240
1241         if(res == SECSuccess) {
1242                 return sec_status_secure;
1243         }
1244         err = PORT_GetError();
1245         if(err != SEC_ERROR_BAD_SIGNATURE) {
1246                 /* failed to verify */
1247                 verbose(VERB_QUERY, "verify: PK11_Verify failed: %s",
1248                         PORT_ErrorToString(err));
1249                 /* if it is not supported, like ECC is removed, we get,
1250                  * SEC_ERROR_NO_MODULE */
1251                 if(err == SEC_ERROR_NO_MODULE)
1252                         return sec_status_unchecked;
1253                 /* but other errors are commonly returned
1254                  * for a bad signature from NSS.  Thus we return bogus,
1255                  * not unchecked */
1256                 *reason = "signature crypto failed";
1257                 return sec_status_bogus;
1258         }
1259         verbose(VERB_QUERY, "verify: signature mismatch: %s",
1260                 PORT_ErrorToString(err));
1261         *reason = "signature crypto failed";
1262         return sec_status_bogus;
1263 }
1264
1265 #elif defined(HAVE_NETTLE)
1266
1267 #include "sha.h"
1268 #include "bignum.h"
1269 #include "macros.h"
1270 #include "rsa.h"
1271 #include "dsa.h"
1272 #ifdef HAVE_NETTLE_DSA_COMPAT_H
1273 #include "dsa-compat.h"
1274 #endif
1275 #include "asn1.h"
1276 #ifdef USE_ECDSA
1277 #include "ecdsa.h"
1278 #include "ecc-curve.h"
1279 #endif
1280
1281 static int
1282 _digest_nettle(int algo, uint8_t* buf, size_t len,
1283         unsigned char* res)
1284 {
1285         switch(algo) {
1286                 case SHA1_DIGEST_SIZE:
1287                 {
1288                         struct sha1_ctx ctx;
1289                         sha1_init(&ctx);
1290                         sha1_update(&ctx, len, buf);
1291                         sha1_digest(&ctx, SHA1_DIGEST_SIZE, res);
1292                         return 1;
1293                 }
1294                 case SHA256_DIGEST_SIZE:
1295                 {
1296                         struct sha256_ctx ctx;
1297                         sha256_init(&ctx);
1298                         sha256_update(&ctx, len, buf);
1299                         sha256_digest(&ctx, SHA256_DIGEST_SIZE, res);
1300                         return 1;
1301                 }
1302                 case SHA384_DIGEST_SIZE:
1303                 {
1304                         struct sha384_ctx ctx;
1305                         sha384_init(&ctx);
1306                         sha384_update(&ctx, len, buf);
1307                         sha384_digest(&ctx, SHA384_DIGEST_SIZE, res);
1308                         return 1;
1309                 }
1310                 case SHA512_DIGEST_SIZE:
1311                 {
1312                         struct sha512_ctx ctx;
1313                         sha512_init(&ctx);
1314                         sha512_update(&ctx, len, buf);
1315                         sha512_digest(&ctx, SHA512_DIGEST_SIZE, res);
1316                         return 1;
1317                 }
1318                 default:
1319                         break;
1320         }
1321         return 0;
1322 }
1323
1324 /* return size of digest if supported, or 0 otherwise */
1325 size_t
1326 nsec3_hash_algo_size_supported(int id)
1327 {
1328         switch(id) {
1329         case NSEC3_HASH_SHA1:
1330                 return SHA1_DIGEST_SIZE;
1331         default:
1332                 return 0;
1333         }
1334 }
1335
1336 /* perform nsec3 hash. return false on failure */
1337 int
1338 secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
1339         unsigned char* res)
1340 {
1341         switch(algo) {
1342         case NSEC3_HASH_SHA1:
1343                 return _digest_nettle(SHA1_DIGEST_SIZE, (uint8_t*)buf, len,
1344                         res);
1345         default:
1346                 return 0;
1347         }
1348 }
1349
1350 void
1351 secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res)
1352 {
1353         _digest_nettle(SHA256_DIGEST_SIZE, (uint8_t*)buf, len, res);
1354 }
1355
1356 /**
1357  * Return size of DS digest according to its hash algorithm.
1358  * @param algo: DS digest algo.
1359  * @return size in bytes of digest, or 0 if not supported.
1360  */
1361 size_t
1362 ds_digest_size_supported(int algo)
1363 {
1364         switch(algo) {
1365                 case LDNS_SHA1:
1366 #ifdef USE_SHA1
1367                         return SHA1_DIGEST_SIZE;
1368 #else
1369                         if(fake_sha1) return 20;
1370                         return 0;
1371 #endif
1372 #ifdef USE_SHA2
1373                 case LDNS_SHA256:
1374                         return SHA256_DIGEST_SIZE;
1375 #endif
1376 #ifdef USE_ECDSA
1377                 case LDNS_SHA384:
1378                         return SHA384_DIGEST_SIZE;
1379 #endif
1380                 /* GOST not supported */
1381                 case LDNS_HASH_GOST:
1382                 default:
1383                         break;
1384         }
1385         return 0;
1386 }
1387
1388 int
1389 secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
1390         unsigned char* res)
1391 {
1392         switch(algo) {
1393 #ifdef USE_SHA1
1394                 case LDNS_SHA1:
1395                         return _digest_nettle(SHA1_DIGEST_SIZE, buf, len, res);
1396 #endif
1397 #if defined(USE_SHA2)
1398                 case LDNS_SHA256:
1399                         return _digest_nettle(SHA256_DIGEST_SIZE, buf, len, res);
1400 #endif
1401 #ifdef USE_ECDSA
1402                 case LDNS_SHA384:
1403                         return _digest_nettle(SHA384_DIGEST_SIZE, buf, len, res);
1404
1405 #endif
1406                 case LDNS_HASH_GOST:
1407                 default:
1408                         verbose(VERB_QUERY, "unknown DS digest algorithm %d",
1409                                 algo);
1410                         break;
1411         }
1412         return 0;
1413 }
1414
1415 int
1416 dnskey_algo_id_is_supported(int id)
1417 {
1418         /* uses libnettle */
1419         switch(id) {
1420 #if defined(USE_DSA) && defined(USE_SHA1)
1421         case LDNS_DSA:
1422         case LDNS_DSA_NSEC3:
1423 #endif
1424 #ifdef USE_SHA1
1425         case LDNS_RSASHA1:
1426         case LDNS_RSASHA1_NSEC3:
1427 #endif
1428 #ifdef USE_SHA2
1429         case LDNS_RSASHA256:
1430         case LDNS_RSASHA512:
1431 #endif
1432 #ifdef USE_ECDSA
1433         case LDNS_ECDSAP256SHA256:
1434         case LDNS_ECDSAP384SHA384:
1435 #endif
1436                 return 1;
1437         case LDNS_RSAMD5: /* RFC 6725 deprecates RSAMD5 */
1438         case LDNS_ECC_GOST:
1439         default:
1440                 return 0;
1441         }
1442 }
1443
1444 #if defined(USE_DSA) && defined(USE_SHA1)
1445 static char *
1446 _verify_nettle_dsa(sldns_buffer* buf, unsigned char* sigblock,
1447         unsigned int sigblock_len, unsigned char* key, unsigned int keylen)
1448 {
1449         uint8_t digest[SHA1_DIGEST_SIZE];
1450         uint8_t key_t_value;
1451         int res = 0;
1452         size_t offset;
1453         struct dsa_public_key pubkey;
1454         struct dsa_signature signature;
1455         unsigned int expected_len;
1456
1457         /* Extract DSA signature from the record */
1458         nettle_dsa_signature_init(&signature);
1459         /* Signature length: 41 bytes - RFC 2536 sec. 3 */
1460         if(sigblock_len == 41) {
1461                 if(key[0] != sigblock[0])
1462                         return "invalid T value in DSA signature or pubkey";
1463                 nettle_mpz_set_str_256_u(signature.r, 20, sigblock+1);
1464                 nettle_mpz_set_str_256_u(signature.s, 20, sigblock+1+20);
1465         } else {
1466                 /* DER encoded, decode the ASN1 notated R and S bignums */
1467                 /* SEQUENCE { r INTEGER, s INTEGER } */
1468                 struct asn1_der_iterator i, seq;
1469                 if(asn1_der_iterator_first(&i, sigblock_len,
1470                         (uint8_t*)sigblock) != ASN1_ITERATOR_CONSTRUCTED
1471                         || i.type != ASN1_SEQUENCE)
1472                         return "malformed DER encoded DSA signature";
1473                 /* decode this element of i using the seq iterator */
1474                 if(asn1_der_decode_constructed(&i, &seq) !=
1475                         ASN1_ITERATOR_PRIMITIVE || seq.type != ASN1_INTEGER)
1476                         return "malformed DER encoded DSA signature";
1477                 if(!asn1_der_get_bignum(&seq, signature.r, 20*8))
1478                         return "malformed DER encoded DSA signature";
1479                 if(asn1_der_iterator_next(&seq) != ASN1_ITERATOR_PRIMITIVE
1480                         || seq.type != ASN1_INTEGER)
1481                         return "malformed DER encoded DSA signature";
1482                 if(!asn1_der_get_bignum(&seq, signature.s, 20*8))
1483                         return "malformed DER encoded DSA signature";
1484                 if(asn1_der_iterator_next(&i) != ASN1_ITERATOR_END)
1485                         return "malformed DER encoded DSA signature";
1486         }
1487
1488         /* Validate T values constraints - RFC 2536 sec. 2 & sec. 3 */
1489         key_t_value = key[0];
1490         if (key_t_value > 8) {
1491                 return "invalid T value in DSA pubkey";
1492         }
1493
1494         /* Pubkey minimum length: 21 bytes - RFC 2536 sec. 2 */
1495         if (keylen < 21) {
1496                 return "DSA pubkey too short";
1497         }
1498
1499         expected_len =   1 +            /* T */
1500                         20 +            /* Q */
1501                        (64 + key_t_value*8) +   /* P */
1502                        (64 + key_t_value*8) +   /* G */
1503                        (64 + key_t_value*8);    /* Y */
1504         if (keylen != expected_len ) {
1505                 return "invalid DSA pubkey length";
1506         }
1507
1508         /* Extract DSA pubkey from the record */
1509         nettle_dsa_public_key_init(&pubkey);
1510         offset = 1;
1511         nettle_mpz_set_str_256_u(pubkey.q, 20, key+offset);
1512         offset += 20;
1513         nettle_mpz_set_str_256_u(pubkey.p, (64 + key_t_value*8), key+offset);
1514         offset += (64 + key_t_value*8);
1515         nettle_mpz_set_str_256_u(pubkey.g, (64 + key_t_value*8), key+offset);
1516         offset += (64 + key_t_value*8);
1517         nettle_mpz_set_str_256_u(pubkey.y, (64 + key_t_value*8), key+offset);
1518
1519         /* Digest content of "buf" and verify its DSA signature in "sigblock"*/
1520         res = _digest_nettle(SHA1_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1521                                                 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1522         res &= dsa_sha1_verify_digest(&pubkey, digest, &signature);
1523
1524         /* Clear and return */
1525         nettle_dsa_signature_clear(&signature);
1526         nettle_dsa_public_key_clear(&pubkey);
1527         if (!res)
1528                 return "DSA signature verification failed";
1529         else
1530                 return NULL;
1531 }
1532 #endif /* USE_DSA */
1533
1534 static char *
1535 _verify_nettle_rsa(sldns_buffer* buf, unsigned int digest_size, char* sigblock,
1536         unsigned int sigblock_len, uint8_t* key, unsigned int keylen)
1537 {
1538         uint16_t exp_len = 0;
1539         size_t exp_offset = 0, mod_offset = 0;
1540         struct rsa_public_key pubkey;
1541         mpz_t signature;
1542         int res = 0;
1543
1544         /* RSA pubkey parsing as per RFC 3110 sec. 2 */
1545         if( keylen <= 1) {
1546                 return "null RSA key";
1547         }
1548         if (key[0] != 0) {
1549                 /* 1-byte length */
1550                 exp_len = key[0];
1551                 exp_offset = 1;
1552         } else {
1553                 /* 1-byte NUL + 2-bytes exponent length */
1554                 if (keylen < 3) {
1555                         return "incorrect RSA key length";
1556                 }
1557                 exp_len = READ_UINT16(key+1);
1558                 if (exp_len == 0)
1559                         return "null RSA exponent length";
1560                 exp_offset = 3;
1561         }
1562         /* Check that we are not over-running input length */
1563         if (keylen < exp_offset + exp_len + 1) {
1564                 return "RSA key content shorter than expected";
1565         }
1566         mod_offset = exp_offset + exp_len;
1567         nettle_rsa_public_key_init(&pubkey);
1568         pubkey.size = keylen - mod_offset;
1569         nettle_mpz_set_str_256_u(pubkey.e, exp_len, &key[exp_offset]);
1570         nettle_mpz_set_str_256_u(pubkey.n, pubkey.size, &key[mod_offset]);
1571
1572         /* Digest content of "buf" and verify its RSA signature in "sigblock"*/
1573         nettle_mpz_init_set_str_256_u(signature, sigblock_len, (uint8_t*)sigblock);
1574         switch (digest_size) {
1575                 case SHA1_DIGEST_SIZE:
1576                 {
1577                         uint8_t digest[SHA1_DIGEST_SIZE];
1578                         res = _digest_nettle(SHA1_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1579                                                 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1580                         res &= rsa_sha1_verify_digest(&pubkey, digest, signature);
1581                         break;
1582                 }
1583                 case SHA256_DIGEST_SIZE:
1584                 {
1585                         uint8_t digest[SHA256_DIGEST_SIZE];
1586                         res = _digest_nettle(SHA256_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1587                                                 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1588                         res &= rsa_sha256_verify_digest(&pubkey, digest, signature);
1589                         break;
1590                 }
1591                 case SHA512_DIGEST_SIZE:
1592                 {
1593                         uint8_t digest[SHA512_DIGEST_SIZE];
1594                         res = _digest_nettle(SHA512_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1595                                                 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1596                         res &= rsa_sha512_verify_digest(&pubkey, digest, signature);
1597                         break;
1598                 }
1599                 default:
1600                         break;
1601         }
1602
1603         /* Clear and return */
1604         nettle_rsa_public_key_clear(&pubkey);
1605         mpz_clear(signature);
1606         if (!res) {
1607                 return "RSA signature verification failed";
1608         } else {
1609                 return NULL;
1610         }
1611 }
1612
1613 #ifdef USE_ECDSA
1614 static char *
1615 _verify_nettle_ecdsa(sldns_buffer* buf, unsigned int digest_size, unsigned char* sigblock,
1616         unsigned int sigblock_len, unsigned char* key, unsigned int keylen)
1617 {
1618         int res = 0;
1619         struct ecc_point pubkey;
1620         struct dsa_signature signature;
1621
1622         /* Always matched strength, as per RFC 6605 sec. 1 */
1623         if (sigblock_len != 2*digest_size || keylen != 2*digest_size) {
1624                 return "wrong ECDSA signature length";
1625         }
1626
1627         /* Parse ECDSA signature as per RFC 6605 sec. 4 */
1628         nettle_dsa_signature_init(&signature);
1629         switch (digest_size) {
1630                 case SHA256_DIGEST_SIZE:
1631                 {
1632                         uint8_t digest[SHA256_DIGEST_SIZE];
1633                         mpz_t x, y;
1634                         nettle_ecc_point_init(&pubkey, &nettle_secp_256r1);
1635                         nettle_mpz_init_set_str_256_u(x, SHA256_DIGEST_SIZE, key);
1636                         nettle_mpz_init_set_str_256_u(y, SHA256_DIGEST_SIZE, key+SHA256_DIGEST_SIZE);
1637                         nettle_mpz_set_str_256_u(signature.r, SHA256_DIGEST_SIZE, sigblock);
1638                         nettle_mpz_set_str_256_u(signature.s, SHA256_DIGEST_SIZE, sigblock+SHA256_DIGEST_SIZE);
1639                         res = _digest_nettle(SHA256_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1640                                                 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1641                         res &= nettle_ecc_point_set(&pubkey, x, y);
1642                         res &= nettle_ecdsa_verify (&pubkey, SHA256_DIGEST_SIZE, digest, &signature);
1643                         mpz_clear(x);
1644                         mpz_clear(y);
1645                         break;
1646                 }
1647                 case SHA384_DIGEST_SIZE:
1648                 {
1649                         uint8_t digest[SHA384_DIGEST_SIZE];
1650                         mpz_t x, y;
1651                         nettle_ecc_point_init(&pubkey, &nettle_secp_384r1);
1652                         nettle_mpz_init_set_str_256_u(x, SHA384_DIGEST_SIZE, key);
1653                         nettle_mpz_init_set_str_256_u(y, SHA384_DIGEST_SIZE, key+SHA384_DIGEST_SIZE);
1654                         nettle_mpz_set_str_256_u(signature.r, SHA384_DIGEST_SIZE, sigblock);
1655                         nettle_mpz_set_str_256_u(signature.s, SHA384_DIGEST_SIZE, sigblock+SHA384_DIGEST_SIZE);
1656                         res = _digest_nettle(SHA384_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1657                                                 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1658                         res &= nettle_ecc_point_set(&pubkey, x, y);
1659                         res &= nettle_ecdsa_verify (&pubkey, SHA384_DIGEST_SIZE, digest, &signature);
1660                         mpz_clear(x);
1661                         mpz_clear(y);
1662                         nettle_ecc_point_clear(&pubkey);
1663                         break;
1664                 }
1665                 default:
1666                         return "unknown ECDSA algorithm";
1667         }
1668
1669         /* Clear and return */
1670         nettle_dsa_signature_clear(&signature);
1671         if (!res)
1672                 return "ECDSA signature verification failed";
1673         else
1674                 return NULL;
1675 }
1676 #endif
1677
1678 /**
1679  * Check a canonical sig+rrset and signature against a dnskey
1680  * @param buf: buffer with data to verify, the first rrsig part and the
1681  *      canonicalized rrset.
1682  * @param algo: DNSKEY algorithm.
1683  * @param sigblock: signature rdata field from RRSIG
1684  * @param sigblock_len: length of sigblock data.
1685  * @param key: public key data from DNSKEY RR.
1686  * @param keylen: length of keydata.
1687  * @param reason: bogus reason in more detail.
1688  * @return secure if verification succeeded, bogus on crypto failure,
1689  *      unchecked on format errors and alloc failures.
1690  */
1691 enum sec_status
1692 verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
1693         unsigned int sigblock_len, unsigned char* key, unsigned int keylen,
1694         char** reason)
1695 {
1696         unsigned int digest_size = 0;
1697
1698         if (sigblock_len == 0 || keylen == 0) {
1699                 *reason = "null signature";
1700                 return sec_status_bogus;
1701         }
1702
1703         switch(algo) {
1704 #if defined(USE_DSA) && defined(USE_SHA1)
1705         case LDNS_DSA:
1706         case LDNS_DSA_NSEC3:
1707                 *reason = _verify_nettle_dsa(buf, sigblock, sigblock_len, key, keylen);
1708                 if (*reason != NULL)
1709                         return sec_status_bogus;
1710                 else
1711                         return sec_status_secure;
1712 #endif /* USE_DSA */
1713
1714 #ifdef USE_SHA1
1715         case LDNS_RSASHA1:
1716         case LDNS_RSASHA1_NSEC3:
1717                 digest_size = (digest_size ? digest_size : SHA1_DIGEST_SIZE);
1718 #endif
1719 #ifdef USE_SHA2
1720         case LDNS_RSASHA256:
1721                 digest_size = (digest_size ? digest_size : SHA256_DIGEST_SIZE);
1722         case LDNS_RSASHA512:
1723                 digest_size = (digest_size ? digest_size : SHA512_DIGEST_SIZE);
1724
1725 #endif
1726                 *reason = _verify_nettle_rsa(buf, digest_size, (char*)sigblock,
1727                                                 sigblock_len, key, keylen);
1728                 if (*reason != NULL)
1729                         return sec_status_bogus;
1730                 else
1731                         return sec_status_secure;
1732
1733 #ifdef USE_ECDSA
1734         case LDNS_ECDSAP256SHA256:
1735                 digest_size = (digest_size ? digest_size : SHA256_DIGEST_SIZE);
1736         case LDNS_ECDSAP384SHA384:
1737                 digest_size = (digest_size ? digest_size : SHA384_DIGEST_SIZE);
1738                 *reason = _verify_nettle_ecdsa(buf, digest_size, sigblock,
1739                                                 sigblock_len, key, keylen);
1740                 if (*reason != NULL)
1741                         return sec_status_bogus;
1742                 else
1743                         return sec_status_secure;
1744 #endif
1745         case LDNS_RSAMD5:
1746         case LDNS_ECC_GOST:
1747         default:
1748                 *reason = "unable to verify signature, unknown algorithm";
1749                 return sec_status_bogus;
1750         }
1751 }
1752
1753 #endif /* HAVE_SSL or HAVE_NSS or HAVE_NETTLE */