2 * validator/val_secalgo.c - validator security algorithm functions.
4 * Copyright (c) 2012, NLnet Labs. All rights reserved.
6 * This software is open source.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * Redistributions of source code must retain the above copyright notice,
13 * this list of conditions and the following disclaimer.
15 * Redistributions in binary form must reproduce the above copyright notice,
16 * this list of conditions and the following disclaimer in the documentation
17 * and/or other materials provided with the distribution.
19 * Neither the name of the NLNET LABS nor the names of its contributors may
20 * be used to endorse or promote products derived from this software without
21 * specific prior written permission.
23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39 * This file contains helper functions for the validator module.
40 * These functions take raw data buffers, formatted for crypto verification,
41 * and do the library calls (for the crypto library in use).
44 /* packed_rrset on top to define enum types (forced by c99 standard) */
45 #include "util/data/packed_rrset.h"
46 #include "validator/val_secalgo.h"
47 #include "validator/val_nsec3.h"
49 #include "sldns/rrdef.h"
50 #include "sldns/keyraw.h"
51 #include "sldns/sbuffer.h"
53 #if !defined(HAVE_SSL) && !defined(HAVE_NSS) && !defined(HAVE_NETTLE)
54 #error "Need crypto library to do digital signature cryptography"
57 /* OpenSSL implementation */
59 #ifdef HAVE_OPENSSL_ERR_H
60 #include <openssl/err.h>
63 #ifdef HAVE_OPENSSL_RAND_H
64 #include <openssl/rand.h>
67 #ifdef HAVE_OPENSSL_CONF_H
68 #include <openssl/conf.h>
71 #ifdef HAVE_OPENSSL_ENGINE_H
72 #include <openssl/engine.h>
75 /* return size of digest if supported, or 0 otherwise */
77 nsec3_hash_algo_size_supported(int id)
81 return SHA_DIGEST_LENGTH;
87 /* perform nsec3 hash. return false on failure */
89 secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
94 (void)SHA1(buf, len, res);
102 * Return size of DS digest according to its hash algorithm.
103 * @param algo: DS digest algo.
104 * @return size in bytes of digest, or 0 if not supported.
107 ds_digest_size_supported(int algo)
112 return SHA_DIGEST_LENGTH;
114 #ifdef HAVE_EVP_SHA256
116 return SHA256_DIGEST_LENGTH;
120 if(EVP_get_digestbyname("md_gost94"))
126 return SHA384_DIGEST_LENGTH;
134 /** Perform GOST hash */
136 do_gost94(unsigned char* data, size_t len, unsigned char* dest)
138 const EVP_MD* md = EVP_get_digestbyname("md_gost94");
141 return sldns_digest_evp(data, (unsigned int)len, dest, md);
146 secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
152 (void)SHA1(buf, len, res);
155 #ifdef HAVE_EVP_SHA256
157 (void)SHA256(buf, len, res);
162 if(do_gost94(buf, len, res))
168 (void)SHA384(buf, len, res);
172 verbose(VERB_QUERY, "unknown DS digest algorithm %d",
179 /** return true if DNSKEY algorithm id is supported */
181 dnskey_algo_id_is_supported(int id)
185 /* RFC 6725 deprecates RSAMD5 */
190 case LDNS_RSASHA1_NSEC3:
191 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
194 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
198 case LDNS_ECDSAP256SHA256:
199 case LDNS_ECDSAP384SHA384:
204 /* we support GOST if it can be loaded */
205 return sldns_key_EVP_load_gost_id();
213 * Output a libcrypto openssl error to the logfile.
214 * @param str: string to add to it.
215 * @param e: the error to output, error number from ERR_get_error().
218 log_crypto_error(const char* str, unsigned long e)
221 /* or use ERR_error_string if ERR_error_string_n is not avail TODO */
222 ERR_error_string_n(e, buf, sizeof(buf));
223 /* buf now contains */
224 /* error:[error code]:[library name]:[function name]:[reason string] */
225 log_err("%s crypto %s", str, buf);
229 * Setup DSA key digest in DER encoding ...
230 * @param sig: input is signature output alloced ptr (unless failure).
231 * caller must free alloced ptr if this routine returns true.
232 * @param len: input is initial siglen, output is output len.
233 * @return false on failure.
236 setup_dsa_sig(unsigned char** sig, unsigned int* len)
238 unsigned char* orig = *sig;
239 unsigned int origlen = *len;
244 /* extract the R and S field from the sig buffer */
245 if(origlen < 1 + 2*SHA_DIGEST_LENGTH)
249 (void) BN_bin2bn(orig + 1, SHA_DIGEST_LENGTH, R);
252 (void) BN_bin2bn(orig + 21, SHA_DIGEST_LENGTH, S);
253 dsasig = DSA_SIG_new();
254 if(!dsasig) return 0;
259 newlen = i2d_DSA_SIG(dsasig, sig);
261 DSA_SIG_free(dsasig);
265 *len = (unsigned int)newlen;
266 DSA_SIG_free(dsasig);
272 * Setup the ECDSA signature in its encoding that the library wants.
273 * Converts from plain numbers to ASN formatted.
274 * @param sig: input is signature, output alloced ptr (unless failure).
275 * caller must free alloced ptr if this routine returns true.
276 * @param len: input is initial siglen, output is output len.
277 * @return false on failure.
280 setup_ecdsa_sig(unsigned char** sig, unsigned int* len)
282 ECDSA_SIG* ecdsa_sig;
284 int bnsize = (int)((*len)/2);
285 /* if too short or not even length, fails */
286 if(*len < 16 || bnsize*2 != (int)*len)
288 /* use the raw data to parse two evenly long BIGNUMs, "r | s". */
289 ecdsa_sig = ECDSA_SIG_new();
290 if(!ecdsa_sig) return 0;
291 ecdsa_sig->r = BN_bin2bn(*sig, bnsize, ecdsa_sig->r);
292 ecdsa_sig->s = BN_bin2bn(*sig+bnsize, bnsize, ecdsa_sig->s);
293 if(!ecdsa_sig->r || !ecdsa_sig->s) {
294 ECDSA_SIG_free(ecdsa_sig);
298 /* spool it into ASN format */
300 newlen = i2d_ECDSA_SIG(ecdsa_sig, sig);
302 ECDSA_SIG_free(ecdsa_sig);
306 *len = (unsigned int)newlen;
307 ECDSA_SIG_free(ecdsa_sig);
310 #endif /* USE_ECDSA */
313 * Setup key and digest for verification. Adjust sig if necessary.
315 * @param algo: key algorithm
316 * @param evp_key: EVP PKEY public key to create.
317 * @param digest_type: digest type to use
318 * @param key: key to setup for.
319 * @param keylen: length of key.
320 * @return false on failure.
323 setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type,
324 unsigned char* key, size_t keylen)
332 *evp_key = EVP_PKEY_new();
334 log_err("verify: malloc failure in crypto");
337 dsa = sldns_key_buf2dsa_raw(key, keylen);
339 verbose(VERB_QUERY, "verify: "
340 "sldns_key_buf2dsa_raw failed");
343 if(EVP_PKEY_assign_DSA(*evp_key, dsa) == 0) {
344 verbose(VERB_QUERY, "verify: "
345 "EVP_PKEY_assign_DSA failed");
348 *digest_type = EVP_dss1();
352 case LDNS_RSASHA1_NSEC3:
353 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
356 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
359 *evp_key = EVP_PKEY_new();
361 log_err("verify: malloc failure in crypto");
364 rsa = sldns_key_buf2rsa_raw(key, keylen);
366 verbose(VERB_QUERY, "verify: "
367 "sldns_key_buf2rsa_raw SHA failed");
370 if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) {
371 verbose(VERB_QUERY, "verify: "
372 "EVP_PKEY_assign_RSA SHA failed");
376 /* select SHA version */
377 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
378 if(algo == LDNS_RSASHA256)
379 *digest_type = EVP_sha256();
382 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
383 if(algo == LDNS_RSASHA512)
384 *digest_type = EVP_sha512();
387 *digest_type = EVP_sha1();
391 *evp_key = EVP_PKEY_new();
393 log_err("verify: malloc failure in crypto");
396 rsa = sldns_key_buf2rsa_raw(key, keylen);
398 verbose(VERB_QUERY, "verify: "
399 "sldns_key_buf2rsa_raw MD5 failed");
402 if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) {
403 verbose(VERB_QUERY, "verify: "
404 "EVP_PKEY_assign_RSA MD5 failed");
407 *digest_type = EVP_md5();
412 *evp_key = sldns_gost2pkey_raw(key, keylen);
414 verbose(VERB_QUERY, "verify: "
415 "sldns_gost2pkey_raw failed");
418 *digest_type = EVP_get_digestbyname("md_gost94");
420 verbose(VERB_QUERY, "verify: "
421 "EVP_getdigest md_gost94 failed");
427 case LDNS_ECDSAP256SHA256:
428 *evp_key = sldns_ecdsa2pkey_raw(key, keylen,
429 LDNS_ECDSAP256SHA256);
431 verbose(VERB_QUERY, "verify: "
432 "sldns_ecdsa2pkey_raw failed");
435 #ifdef USE_ECDSA_EVP_WORKAROUND
436 /* openssl before 1.0.0 fixes RSA with the SHA256
437 * hash in EVP. We create one for ecdsa_sha256 */
439 static int md_ecdsa_256_done = 0;
441 if(!md_ecdsa_256_done) {
442 EVP_MD m = *EVP_sha256();
443 md_ecdsa_256_done = 1;
444 m.required_pkey_type[0] = (*evp_key)->type;
445 m.verify = (void*)ECDSA_verify;
451 *digest_type = EVP_sha256();
454 case LDNS_ECDSAP384SHA384:
455 *evp_key = sldns_ecdsa2pkey_raw(key, keylen,
456 LDNS_ECDSAP384SHA384);
458 verbose(VERB_QUERY, "verify: "
459 "sldns_ecdsa2pkey_raw failed");
462 #ifdef USE_ECDSA_EVP_WORKAROUND
463 /* openssl before 1.0.0 fixes RSA with the SHA384
464 * hash in EVP. We create one for ecdsa_sha384 */
466 static int md_ecdsa_384_done = 0;
468 if(!md_ecdsa_384_done) {
469 EVP_MD m = *EVP_sha384();
470 md_ecdsa_384_done = 1;
471 m.required_pkey_type[0] = (*evp_key)->type;
472 m.verify = (void*)ECDSA_verify;
478 *digest_type = EVP_sha384();
481 #endif /* USE_ECDSA */
483 verbose(VERB_QUERY, "verify: unknown algorithm %d",
491 * Check a canonical sig+rrset and signature against a dnskey
492 * @param buf: buffer with data to verify, the first rrsig part and the
493 * canonicalized rrset.
494 * @param algo: DNSKEY algorithm.
495 * @param sigblock: signature rdata field from RRSIG
496 * @param sigblock_len: length of sigblock data.
497 * @param key: public key data from DNSKEY RR.
498 * @param keylen: length of keydata.
499 * @param reason: bogus reason in more detail.
500 * @return secure if verification succeeded, bogus on crypto failure,
501 * unchecked on format errors and alloc failures.
504 verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
505 unsigned int sigblock_len, unsigned char* key, unsigned int keylen,
508 const EVP_MD *digest_type;
511 EVP_PKEY *evp_key = NULL;
513 if(!setup_key_digest(algo, &evp_key, &digest_type, key, keylen)) {
514 verbose(VERB_QUERY, "verify: failed to setup key");
515 *reason = "use of key for crypto failed";
516 EVP_PKEY_free(evp_key);
517 return sec_status_bogus;
519 /* if it is a DSA signature in bind format, convert to DER format */
520 if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) &&
521 sigblock_len == 1+2*SHA_DIGEST_LENGTH) {
522 if(!setup_dsa_sig(&sigblock, &sigblock_len)) {
523 verbose(VERB_QUERY, "verify: failed to setup DSA sig");
524 *reason = "use of key for DSA crypto failed";
525 EVP_PKEY_free(evp_key);
526 return sec_status_bogus;
531 else if(algo == LDNS_ECDSAP256SHA256 || algo == LDNS_ECDSAP384SHA384) {
532 /* EVP uses ASN prefix on sig, which is not in the wire data */
533 if(!setup_ecdsa_sig(&sigblock, &sigblock_len)) {
534 verbose(VERB_QUERY, "verify: failed to setup ECDSA sig");
535 *reason = "use of signature for ECDSA crypto failed";
536 EVP_PKEY_free(evp_key);
537 return sec_status_bogus;
541 #endif /* USE_ECDSA */
543 /* do the signature cryptography work */
544 EVP_MD_CTX_init(&ctx);
545 if(EVP_VerifyInit(&ctx, digest_type) == 0) {
546 verbose(VERB_QUERY, "verify: EVP_VerifyInit failed");
547 EVP_PKEY_free(evp_key);
548 if(dofree) free(sigblock);
549 return sec_status_unchecked;
551 if(EVP_VerifyUpdate(&ctx, (unsigned char*)sldns_buffer_begin(buf),
552 (unsigned int)sldns_buffer_limit(buf)) == 0) {
553 verbose(VERB_QUERY, "verify: EVP_VerifyUpdate failed");
554 EVP_PKEY_free(evp_key);
555 if(dofree) free(sigblock);
556 return sec_status_unchecked;
559 res = EVP_VerifyFinal(&ctx, sigblock, sigblock_len, evp_key);
560 if(EVP_MD_CTX_cleanup(&ctx) == 0) {
561 verbose(VERB_QUERY, "verify: EVP_MD_CTX_cleanup failed");
562 EVP_PKEY_free(evp_key);
563 if(dofree) free(sigblock);
564 return sec_status_unchecked;
566 EVP_PKEY_free(evp_key);
572 return sec_status_secure;
573 } else if(res == 0) {
574 verbose(VERB_QUERY, "verify: signature mismatch");
575 *reason = "signature crypto failed";
576 return sec_status_bogus;
579 log_crypto_error("verify:", ERR_get_error());
580 return sec_status_unchecked;
583 /**************************************************/
584 #elif defined(HAVE_NSS)
585 /* libnss implementation */
591 #include "cryptohi.h"
595 /* return size of digest if supported, or 0 otherwise */
597 nsec3_hash_algo_size_supported(int id)
600 case NSEC3_HASH_SHA1:
607 /* perform nsec3 hash. return false on failure */
609 secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
613 case NSEC3_HASH_SHA1:
614 (void)HASH_HashBuf(HASH_AlgSHA1, res, buf, (unsigned long)len);
622 ds_digest_size_supported(int algo)
630 return SHA256_LENGTH;
634 return SHA384_LENGTH;
636 /* GOST not supported in NSS */
644 secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
650 return HASH_HashBuf(HASH_AlgSHA1, res, buf, len)
652 #if defined(USE_SHA2)
654 return HASH_HashBuf(HASH_AlgSHA256, res, buf, len)
659 return HASH_HashBuf(HASH_AlgSHA384, res, buf, len)
664 verbose(VERB_QUERY, "unknown DS digest algorithm %d",
672 dnskey_algo_id_is_supported(int id)
677 /* RFC 6725 deprecates RSAMD5 */
682 case LDNS_RSASHA1_NSEC3:
691 case LDNS_ECDSAP256SHA256:
692 case LDNS_ECDSAP384SHA384:
693 return PK11_TokenExists(CKM_ECDSA);
701 /* return a new public key for NSS */
702 static SECKEYPublicKey* nss_key_create(KeyType ktype)
704 SECKEYPublicKey* key;
705 PLArenaPool* arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
707 log_err("out of memory, PORT_NewArena failed");
710 key = PORT_ArenaZNew(arena, SECKEYPublicKey);
712 log_err("out of memory, PORT_ArenaZNew failed");
713 PORT_FreeArena(arena, PR_FALSE);
717 key->keyType = ktype;
718 key->pkcs11Slot = NULL;
719 key->pkcs11ID = CK_INVALID_HANDLE;
723 static SECKEYPublicKey* nss_buf2ecdsa(unsigned char* key, size_t len, int algo)
726 SECItem pub = {siBuffer, NULL, 0};
727 SECItem params = {siBuffer, NULL, 0};
728 static unsigned char param256[] = {
729 /* OBJECTIDENTIFIER 1.2.840.10045.3.1.7 (P-256)
730 * {iso(1) member-body(2) us(840) ansi-x962(10045) curves(3) prime(1) prime256v1(7)} */
731 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07
733 static unsigned char param384[] = {
734 /* OBJECTIDENTIFIER 1.3.132.0.34 (P-384)
735 * {iso(1) identified-organization(3) certicom(132) curve(0) ansip384r1(34)} */
736 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22
738 unsigned char buf[256+2]; /* sufficient for 2*384/8+1 */
740 /* check length, which uncompressed must be 2 bignums */
741 if(algo == LDNS_ECDSAP256SHA256) {
742 if(len != 2*256/8) return NULL;
743 /* ECCurve_X9_62_PRIME_256V1 */
744 } else if(algo == LDNS_ECDSAP384SHA384) {
745 if(len != 2*384/8) return NULL;
746 /* ECCurve_X9_62_PRIME_384R1 */
749 buf[0] = 0x04; /* POINT_FORM_UNCOMPRESSED */
750 memmove(buf+1, key, len);
753 if(algo == LDNS_ECDSAP256SHA256) {
754 params.data = param256;
755 params.len = sizeof(param256);
757 params.data = param384;
758 params.len = sizeof(param384);
761 pk = nss_key_create(ecKey);
764 pk->u.ec.size = (len/2)*8;
765 if(SECITEM_CopyItem(pk->arena, &pk->u.ec.publicValue, &pub)) {
766 SECKEY_DestroyPublicKey(pk);
769 if(SECITEM_CopyItem(pk->arena, &pk->u.ec.DEREncodedParams, ¶ms)) {
770 SECKEY_DestroyPublicKey(pk);
777 static SECKEYPublicKey* nss_buf2dsa(unsigned char* key, size_t len)
783 SECItem Q = {siBuffer, NULL, 0};
784 SECItem P = {siBuffer, NULL, 0};
785 SECItem G = {siBuffer, NULL, 0};
786 SECItem Y = {siBuffer, NULL, 0};
791 length = (64 + T * 8);
797 if(len < (size_t)1 + SHA1_LENGTH + 3*length)
802 offset += SHA1_LENGTH;
816 pk = nss_key_create(dsaKey);
819 if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.prime, &P)) {
820 SECKEY_DestroyPublicKey(pk);
823 if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.subPrime, &Q)) {
824 SECKEY_DestroyPublicKey(pk);
827 if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.base, &G)) {
828 SECKEY_DestroyPublicKey(pk);
831 if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.publicValue, &Y)) {
832 SECKEY_DestroyPublicKey(pk);
838 static SECKEYPublicKey* nss_buf2rsa(unsigned char* key, size_t len)
844 SECItem modulus = {siBuffer, NULL, 0};
845 SECItem exponent = {siBuffer, NULL, 0};
851 /* the exponent is too large so it's places further */
852 memmove(&int16, key+1, 2);
860 /* key length at least one */
861 if(len < (size_t)offset + exp + 1)
864 exponent.data = key+offset;
867 modulus.data = key+offset;
868 modulus.len = (len - offset);
870 pk = nss_key_create(rsaKey);
873 if(SECITEM_CopyItem(pk->arena, &pk->u.rsa.modulus, &modulus)) {
874 SECKEY_DestroyPublicKey(pk);
877 if(SECITEM_CopyItem(pk->arena, &pk->u.rsa.publicExponent, &exponent)) {
878 SECKEY_DestroyPublicKey(pk);
885 * Setup key and digest for verification. Adjust sig if necessary.
887 * @param algo: key algorithm
888 * @param evp_key: EVP PKEY public key to create.
889 * @param digest_type: digest type to use
890 * @param key: key to setup for.
891 * @param keylen: length of key.
892 * @param prefix: if returned, the ASN prefix for the hashblob.
893 * @param prefixlen: length of the prefix.
894 * @return false on failure.
897 nss_setup_key_digest(int algo, SECKEYPublicKey** pubkey, HASH_HashType* htype,
898 unsigned char* key, size_t keylen, unsigned char** prefix,
903 /* hash prefix for md5, RFC2537 */
904 static unsigned char p_md5[] = {0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a,
905 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 0x04, 0x10};
906 /* hash prefix to prepend to hash output, from RFC3110 */
907 static unsigned char p_sha1[] = {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B,
908 0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14};
910 static unsigned char p_sha256[] = {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60,
911 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20};
912 static unsigned char p_sha512[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60,
913 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40};
915 /* for future RSASHA384 ..
916 static unsigned char p_sha384[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60,
917 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30};
923 *pubkey = nss_buf2dsa(key, keylen);
925 log_err("verify: malloc failure in crypto");
928 *htype = HASH_AlgSHA1;
929 /* no prefix for DSA verification */
932 case LDNS_RSASHA1_NSEC3:
939 *pubkey = nss_buf2rsa(key, keylen);
941 log_err("verify: malloc failure in crypto");
944 /* select SHA version */
946 if(algo == LDNS_RSASHA256) {
947 *htype = HASH_AlgSHA256;
949 *prefixlen = sizeof(p_sha256);
953 if(algo == LDNS_RSASHA512) {
954 *htype = HASH_AlgSHA512;
956 *prefixlen = sizeof(p_sha512);
960 *htype = HASH_AlgSHA1;
962 *prefixlen = sizeof(p_sha1);
967 *pubkey = nss_buf2rsa(key, keylen);
969 log_err("verify: malloc failure in crypto");
972 *htype = HASH_AlgMD5;
974 *prefixlen = sizeof(p_md5);
978 case LDNS_ECDSAP256SHA256:
979 *pubkey = nss_buf2ecdsa(key, keylen,
980 LDNS_ECDSAP256SHA256);
982 log_err("verify: malloc failure in crypto");
985 *htype = HASH_AlgSHA256;
986 /* no prefix for DSA verification */
988 case LDNS_ECDSAP384SHA384:
989 *pubkey = nss_buf2ecdsa(key, keylen,
990 LDNS_ECDSAP384SHA384);
992 log_err("verify: malloc failure in crypto");
995 *htype = HASH_AlgSHA384;
996 /* no prefix for DSA verification */
998 #endif /* USE_ECDSA */
1001 verbose(VERB_QUERY, "verify: unknown algorithm %d",
1009 * Check a canonical sig+rrset and signature against a dnskey
1010 * @param buf: buffer with data to verify, the first rrsig part and the
1011 * canonicalized rrset.
1012 * @param algo: DNSKEY algorithm.
1013 * @param sigblock: signature rdata field from RRSIG
1014 * @param sigblock_len: length of sigblock data.
1015 * @param key: public key data from DNSKEY RR.
1016 * @param keylen: length of keydata.
1017 * @param reason: bogus reason in more detail.
1018 * @return secure if verification succeeded, bogus on crypto failure,
1019 * unchecked on format errors and alloc failures.
1022 verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
1023 unsigned int sigblock_len, unsigned char* key, unsigned int keylen,
1027 /* large enough for the different hashes */
1028 unsigned char hash[HASH_LENGTH_MAX];
1029 unsigned char hash2[HASH_LENGTH_MAX*2];
1030 HASH_HashType htype = 0;
1031 SECKEYPublicKey* pubkey = NULL;
1032 SECItem secsig = {siBuffer, sigblock, sigblock_len};
1033 SECItem sechash = {siBuffer, hash, 0};
1035 unsigned char* prefix = NULL; /* prefix for hash, RFC3110, RFC5702 */
1036 size_t prefixlen = 0;
1039 if(!nss_setup_key_digest(algo, &pubkey, &htype, key, keylen,
1040 &prefix, &prefixlen)) {
1041 verbose(VERB_QUERY, "verify: failed to setup key");
1042 *reason = "use of key for crypto failed";
1043 SECKEY_DestroyPublicKey(pubkey);
1044 return sec_status_bogus;
1047 /* need to convert DSA, ECDSA signatures? */
1048 if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3)) {
1049 if(sigblock_len == 1+2*SHA1_LENGTH) {
1053 SECItem* p = DSAU_DecodeDerSig(&secsig);
1055 verbose(VERB_QUERY, "verify: failed DER decode");
1056 *reason = "signature DER decode failed";
1057 SECKEY_DestroyPublicKey(pubkey);
1058 return sec_status_bogus;
1060 if(SECITEM_CopyItem(pubkey->arena, &secsig, p)) {
1061 log_err("alloc failure in DER decode");
1062 SECKEY_DestroyPublicKey(pubkey);
1063 SECITEM_FreeItem(p, PR_TRUE);
1064 return sec_status_unchecked;
1066 SECITEM_FreeItem(p, PR_TRUE);
1070 /* do the signature cryptography work */
1072 sechash.len = HASH_ResultLen(htype);
1073 if(sechash.len > sizeof(hash)) {
1074 verbose(VERB_QUERY, "verify: hash too large for buffer");
1075 SECKEY_DestroyPublicKey(pubkey);
1076 return sec_status_unchecked;
1078 if(HASH_HashBuf(htype, hash, (unsigned char*)sldns_buffer_begin(buf),
1079 (unsigned int)sldns_buffer_limit(buf)) != SECSuccess) {
1080 verbose(VERB_QUERY, "verify: HASH_HashBuf failed");
1081 SECKEY_DestroyPublicKey(pubkey);
1082 return sec_status_unchecked;
1085 int hashlen = sechash.len;
1086 if(prefixlen+hashlen > sizeof(hash2)) {
1087 verbose(VERB_QUERY, "verify: hashprefix too large");
1088 SECKEY_DestroyPublicKey(pubkey);
1089 return sec_status_unchecked;
1091 sechash.data = hash2;
1092 sechash.len = prefixlen+hashlen;
1093 memcpy(sechash.data, prefix, prefixlen);
1094 memmove(sechash.data+prefixlen, hash, hashlen);
1097 /* verify the signature */
1098 res = PK11_Verify(pubkey, &secsig, &sechash, NULL /*wincx*/);
1099 SECKEY_DestroyPublicKey(pubkey);
1101 if(res == SECSuccess) {
1102 return sec_status_secure;
1104 err = PORT_GetError();
1105 if(err != SEC_ERROR_BAD_SIGNATURE) {
1106 /* failed to verify */
1107 verbose(VERB_QUERY, "verify: PK11_Verify failed: %s",
1108 PORT_ErrorToString(err));
1109 /* if it is not supported, like ECC is removed, we get,
1110 * SEC_ERROR_NO_MODULE */
1111 if(err == SEC_ERROR_NO_MODULE)
1112 return sec_status_unchecked;
1113 /* but other errors are commonly returned
1114 * for a bad signature from NSS. Thus we return bogus,
1116 *reason = "signature crypto failed";
1117 return sec_status_bogus;
1119 verbose(VERB_QUERY, "verify: signature mismatch: %s",
1120 PORT_ErrorToString(err));
1121 *reason = "signature crypto failed";
1122 return sec_status_bogus;
1125 #elif defined(HAVE_NETTLE)
1135 #include "ecc-curve.h"
1139 _digest_nettle(int algo, uint8_t* buf, size_t len,
1143 case SHA1_DIGEST_SIZE:
1145 struct sha1_ctx ctx;
1147 sha1_update(&ctx, len, buf);
1148 sha1_digest(&ctx, SHA1_DIGEST_SIZE, res);
1151 case SHA256_DIGEST_SIZE:
1153 struct sha256_ctx ctx;
1155 sha256_update(&ctx, len, buf);
1156 sha256_digest(&ctx, SHA256_DIGEST_SIZE, res);
1159 case SHA384_DIGEST_SIZE:
1161 struct sha384_ctx ctx;
1163 sha384_update(&ctx, len, buf);
1164 sha384_digest(&ctx, SHA384_DIGEST_SIZE, res);
1167 case SHA512_DIGEST_SIZE:
1169 struct sha512_ctx ctx;
1171 sha512_update(&ctx, len, buf);
1172 sha512_digest(&ctx, SHA512_DIGEST_SIZE, res);
1181 /* return size of digest if supported, or 0 otherwise */
1183 nsec3_hash_algo_size_supported(int id)
1186 case NSEC3_HASH_SHA1:
1187 return SHA1_DIGEST_SIZE;
1193 /* perform nsec3 hash. return false on failure */
1195 secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
1199 case NSEC3_HASH_SHA1:
1200 return _digest_nettle(SHA1_DIGEST_SIZE, (uint8_t*)buf, len,
1208 * Return size of DS digest according to its hash algorithm.
1209 * @param algo: DS digest algo.
1210 * @return size in bytes of digest, or 0 if not supported.
1213 ds_digest_size_supported(int algo)
1217 return SHA1_DIGEST_SIZE;
1220 return SHA256_DIGEST_SIZE;
1224 return SHA384_DIGEST_SIZE;
1226 /* GOST not supported */
1227 case LDNS_HASH_GOST:
1235 secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
1240 return _digest_nettle(SHA1_DIGEST_SIZE, buf, len, res);
1241 #if defined(USE_SHA2)
1243 return _digest_nettle(SHA256_DIGEST_SIZE, buf, len, res);
1247 return _digest_nettle(SHA384_DIGEST_SIZE, buf, len, res);
1250 case LDNS_HASH_GOST:
1252 verbose(VERB_QUERY, "unknown DS digest algorithm %d",
1260 dnskey_algo_id_is_supported(int id)
1262 /* uses libnettle */
1265 case LDNS_DSA_NSEC3:
1267 case LDNS_RSASHA1_NSEC3:
1269 case LDNS_RSASHA256:
1270 case LDNS_RSASHA512:
1273 case LDNS_ECDSAP256SHA256:
1274 case LDNS_ECDSAP384SHA384:
1277 case LDNS_RSAMD5: /* RFC 6725 deprecates RSAMD5 */
1285 _verify_nettle_dsa(sldns_buffer* buf, unsigned char* sigblock,
1286 unsigned int sigblock_len, unsigned char* key, unsigned int keylen)
1288 uint8_t digest[SHA1_DIGEST_SIZE];
1292 struct dsa_public_key pubkey;
1293 struct dsa_signature signature;
1294 unsigned int expected_len;
1296 /* Extract DSA signature from the record */
1297 nettle_dsa_signature_init(&signature);
1298 /* Signature length: 41 bytes - RFC 2536 sec. 3 */
1299 if(sigblock_len == 41) {
1300 if(key[0] != sigblock[0])
1301 return "invalid T value in DSA signature or pubkey";
1302 nettle_mpz_set_str_256_u(signature.r, 20, sigblock+1);
1303 nettle_mpz_set_str_256_u(signature.s, 20, sigblock+1+20);
1305 /* DER encoded, decode the ASN1 notated R and S bignums */
1306 /* SEQUENCE { r INTEGER, s INTEGER } */
1307 struct asn1_der_iterator i, seq;
1308 if(asn1_der_iterator_first(&i, sigblock_len,
1309 (uint8_t*)sigblock) != ASN1_ITERATOR_CONSTRUCTED
1310 || i.type != ASN1_SEQUENCE)
1311 return "malformed DER encoded DSA signature";
1312 /* decode this element of i using the seq iterator */
1313 if(asn1_der_decode_constructed(&i, &seq) !=
1314 ASN1_ITERATOR_PRIMITIVE || seq.type != ASN1_INTEGER)
1315 return "malformed DER encoded DSA signature";
1316 if(!asn1_der_get_bignum(&seq, signature.r, 20*8))
1317 return "malformed DER encoded DSA signature";
1318 if(asn1_der_iterator_next(&seq) != ASN1_ITERATOR_PRIMITIVE
1319 || seq.type != ASN1_INTEGER)
1320 return "malformed DER encoded DSA signature";
1321 if(!asn1_der_get_bignum(&seq, signature.s, 20*8))
1322 return "malformed DER encoded DSA signature";
1323 if(asn1_der_iterator_next(&i) != ASN1_ITERATOR_END)
1324 return "malformed DER encoded DSA signature";
1327 /* Validate T values constraints - RFC 2536 sec. 2 & sec. 3 */
1330 return "invalid T value in DSA pubkey";
1333 /* Pubkey minimum length: 21 bytes - RFC 2536 sec. 2 */
1335 return "DSA pubkey too short";
1338 expected_len = 1 + /* T */
1340 (64 + key_t*8) + /* P */
1341 (64 + key_t*8) + /* G */
1342 (64 + key_t*8); /* Y */
1343 if (keylen != expected_len ) {
1344 return "invalid DSA pubkey length";
1347 /* Extract DSA pubkey from the record */
1348 nettle_dsa_public_key_init(&pubkey);
1350 nettle_mpz_set_str_256_u(pubkey.q, 20, key+offset);
1352 nettle_mpz_set_str_256_u(pubkey.p, (64 + key_t*8), key+offset);
1353 offset += (64 + key_t*8);
1354 nettle_mpz_set_str_256_u(pubkey.g, (64 + key_t*8), key+offset);
1355 offset += (64 + key_t*8);
1356 nettle_mpz_set_str_256_u(pubkey.y, (64 + key_t*8), key+offset);
1358 /* Digest content of "buf" and verify its DSA signature in "sigblock"*/
1359 res = _digest_nettle(SHA1_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1360 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1361 res &= dsa_sha1_verify_digest(&pubkey, digest, &signature);
1363 /* Clear and return */
1364 nettle_dsa_signature_clear(&signature);
1365 nettle_dsa_public_key_clear(&pubkey);
1367 return "DSA signature verification failed";
1373 _verify_nettle_rsa(sldns_buffer* buf, unsigned int digest_size, char* sigblock,
1374 unsigned int sigblock_len, uint8_t* key, unsigned int keylen)
1376 uint16_t exp_len = 0;
1377 size_t exp_offset = 0, mod_offset = 0;
1378 struct rsa_public_key pubkey;
1382 /* RSA pubkey parsing as per RFC 3110 sec. 2 */
1384 return "null RSA key";
1391 /* 1-byte NUL + 2-bytes exponent length */
1393 return "incorrect RSA key length";
1395 exp_len = READ_UINT16(key+1);
1397 return "null RSA exponent length";
1400 /* Check that we are not over-running input length */
1401 if (keylen < exp_offset + exp_len + 1) {
1402 return "RSA key content shorter than expected";
1404 mod_offset = exp_offset + exp_len;
1405 nettle_rsa_public_key_init(&pubkey);
1406 pubkey.size = keylen - mod_offset;
1407 nettle_mpz_set_str_256_u(pubkey.e, exp_len, &key[exp_offset]);
1408 nettle_mpz_set_str_256_u(pubkey.n, pubkey.size, &key[mod_offset]);
1410 /* Digest content of "buf" and verify its RSA signature in "sigblock"*/
1411 nettle_mpz_init_set_str_256_u(signature, sigblock_len, (uint8_t*)sigblock);
1412 switch (digest_size) {
1413 case SHA1_DIGEST_SIZE:
1415 uint8_t digest[SHA1_DIGEST_SIZE];
1416 res = _digest_nettle(SHA1_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1417 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1418 res &= rsa_sha1_verify_digest(&pubkey, digest, signature);
1421 case SHA256_DIGEST_SIZE:
1423 uint8_t digest[SHA256_DIGEST_SIZE];
1424 res = _digest_nettle(SHA256_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1425 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1426 res &= rsa_sha256_verify_digest(&pubkey, digest, signature);
1429 case SHA512_DIGEST_SIZE:
1431 uint8_t digest[SHA512_DIGEST_SIZE];
1432 res = _digest_nettle(SHA512_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1433 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1434 res &= rsa_sha512_verify_digest(&pubkey, digest, signature);
1441 /* Clear and return */
1442 nettle_rsa_public_key_clear(&pubkey);
1443 mpz_clear(signature);
1445 return "RSA signature verification failed";
1453 _verify_nettle_ecdsa(sldns_buffer* buf, unsigned int digest_size, unsigned char* sigblock,
1454 unsigned int sigblock_len, unsigned char* key, unsigned int keylen)
1457 struct ecc_point pubkey;
1458 struct dsa_signature signature;
1460 /* Always matched strength, as per RFC 6605 sec. 1 */
1461 if (sigblock_len != 2*digest_size || keylen != 2*digest_size) {
1462 return "wrong ECDSA signature length";
1465 /* Parse ECDSA signature as per RFC 6605 sec. 4 */
1466 nettle_dsa_signature_init(&signature);
1467 switch (digest_size) {
1468 case SHA256_DIGEST_SIZE:
1470 uint8_t digest[SHA256_DIGEST_SIZE];
1472 nettle_ecc_point_init(&pubkey, &nettle_secp_256r1);
1473 nettle_mpz_init_set_str_256_u(x, SHA256_DIGEST_SIZE, key);
1474 nettle_mpz_init_set_str_256_u(y, SHA256_DIGEST_SIZE, key+SHA256_DIGEST_SIZE);
1475 nettle_mpz_set_str_256_u(signature.r, SHA256_DIGEST_SIZE, sigblock);
1476 nettle_mpz_set_str_256_u(signature.s, SHA256_DIGEST_SIZE, sigblock+SHA256_DIGEST_SIZE);
1477 res = _digest_nettle(SHA256_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1478 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1479 res &= nettle_ecc_point_set(&pubkey, x, y);
1480 res &= nettle_ecdsa_verify (&pubkey, SHA256_DIGEST_SIZE, digest, &signature);
1485 case SHA384_DIGEST_SIZE:
1487 uint8_t digest[SHA384_DIGEST_SIZE];
1489 nettle_ecc_point_init(&pubkey, &nettle_secp_384r1);
1490 nettle_mpz_init_set_str_256_u(x, SHA384_DIGEST_SIZE, key);
1491 nettle_mpz_init_set_str_256_u(y, SHA384_DIGEST_SIZE, key+SHA384_DIGEST_SIZE);
1492 nettle_mpz_set_str_256_u(signature.r, SHA384_DIGEST_SIZE, sigblock);
1493 nettle_mpz_set_str_256_u(signature.s, SHA384_DIGEST_SIZE, sigblock+SHA384_DIGEST_SIZE);
1494 res = _digest_nettle(SHA384_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1495 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1496 res &= nettle_ecc_point_set(&pubkey, x, y);
1497 res &= nettle_ecdsa_verify (&pubkey, SHA384_DIGEST_SIZE, digest, &signature);
1500 nettle_ecc_point_clear(&pubkey);
1504 return "unknown ECDSA algorithm";
1507 /* Clear and return */
1508 nettle_dsa_signature_clear(&signature);
1510 return "ECDSA signature verification failed";
1517 * Check a canonical sig+rrset and signature against a dnskey
1518 * @param buf: buffer with data to verify, the first rrsig part and the
1519 * canonicalized rrset.
1520 * @param algo: DNSKEY algorithm.
1521 * @param sigblock: signature rdata field from RRSIG
1522 * @param sigblock_len: length of sigblock data.
1523 * @param key: public key data from DNSKEY RR.
1524 * @param keylen: length of keydata.
1525 * @param reason: bogus reason in more detail.
1526 * @return secure if verification succeeded, bogus on crypto failure,
1527 * unchecked on format errors and alloc failures.
1530 verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
1531 unsigned int sigblock_len, unsigned char* key, unsigned int keylen,
1534 unsigned int digest_size = 0;
1536 if (sigblock_len == 0 || keylen == 0) {
1537 *reason = "null signature";
1538 return sec_status_bogus;
1543 case LDNS_DSA_NSEC3:
1544 *reason = _verify_nettle_dsa(buf, sigblock, sigblock_len, key, keylen);
1545 if (*reason != NULL)
1546 return sec_status_bogus;
1548 return sec_status_secure;
1551 case LDNS_RSASHA1_NSEC3:
1552 digest_size = (digest_size ? digest_size : SHA1_DIGEST_SIZE);
1554 case LDNS_RSASHA256:
1555 digest_size = (digest_size ? digest_size : SHA256_DIGEST_SIZE);
1556 case LDNS_RSASHA512:
1557 digest_size = (digest_size ? digest_size : SHA512_DIGEST_SIZE);
1560 *reason = _verify_nettle_rsa(buf, digest_size, (char*)sigblock,
1561 sigblock_len, key, keylen);
1562 if (*reason != NULL)
1563 return sec_status_bogus;
1565 return sec_status_secure;
1568 case LDNS_ECDSAP256SHA256:
1569 digest_size = (digest_size ? digest_size : SHA256_DIGEST_SIZE);
1570 case LDNS_ECDSAP384SHA384:
1571 digest_size = (digest_size ? digest_size : SHA384_DIGEST_SIZE);
1572 *reason = _verify_nettle_ecdsa(buf, digest_size, sigblock,
1573 sigblock_len, key, keylen);
1574 if (*reason != NULL)
1575 return sec_status_bogus;
1577 return sec_status_secure;
1582 *reason = "unable to verify signature, unknown algorithm";
1583 return sec_status_bogus;
1587 #endif /* HAVE_SSL or HAVE_NSS or HAVE_NETTLE */