1 /* 2 * validator/val_secalgo.c - validator security algorithm functions. 3 * 4 * Copyright (c) 2012, NLnet Labs. All rights reserved. 5 * 6 * This software is open source. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * Redistributions of source code must retain the above copyright notice, 13 * this list of conditions and the following disclaimer. 14 * 15 * Redistributions in binary form must reproduce the above copyright notice, 16 * this list of conditions and the following disclaimer in the documentation 17 * and/or other materials provided with the distribution. 18 * 19 * Neither the name of the NLNET LABS nor the names of its contributors may 20 * be used to endorse or promote products derived from this software without 21 * specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36 /** 37 * \file 38 * 39 * This file contains helper functions for the validator module. 40 * These functions take raw data buffers, formatted for crypto verification, 41 * and do the library calls (for the crypto library in use). 42 */ 43 #include "config.h" 44 /* packed_rrset on top to define enum types (forced by c99 standard) */ 45 #include "util/data/packed_rrset.h" 46 #include "validator/val_secalgo.h" 47 #include "validator/val_nsec3.h" 48 #include "util/log.h" 49 #include "sldns/rrdef.h" 50 #include "sldns/keyraw.h" 51 #include "sldns/sbuffer.h" 52 53 #if !defined(HAVE_SSL) && !defined(HAVE_NSS) && !defined(HAVE_NETTLE) 54 #error "Need crypto library to do digital signature cryptography" 55 #endif 56 57 /** fake DSA support for unit tests */ 58 int fake_dsa = 0; 59 /** fake SHA1 support for unit tests */ 60 int fake_sha1 = 0; 61 62 /* OpenSSL implementation */ 63 #ifdef HAVE_SSL 64 #ifdef HAVE_OPENSSL_ERR_H 65 #include <openssl/err.h> 66 #endif 67 68 #ifdef HAVE_OPENSSL_RAND_H 69 #include <openssl/rand.h> 70 #endif 71 72 #ifdef HAVE_OPENSSL_CONF_H 73 #include <openssl/conf.h> 74 #endif 75 76 #ifdef HAVE_OPENSSL_ENGINE_H 77 #include <openssl/engine.h> 78 #endif 79 80 /** 81 * Output a libcrypto openssl error to the logfile. 82 * @param str: string to add to it. 83 * @param e: the error to output, error number from ERR_get_error(). 84 */ 85 static void 86 log_crypto_error(const char* str, unsigned long e) 87 { 88 char buf[128]; 89 /* or use ERR_error_string if ERR_error_string_n is not avail TODO */ 90 ERR_error_string_n(e, buf, sizeof(buf)); 91 /* buf now contains */ 92 /* error:[error code]:[library name]:[function name]:[reason string] */ 93 log_err("%s crypto %s", str, buf); 94 } 95 96 /* return size of digest if supported, or 0 otherwise */ 97 size_t 98 nsec3_hash_algo_size_supported(int id) 99 { 100 switch(id) { 101 case NSEC3_HASH_SHA1: 102 return SHA_DIGEST_LENGTH; 103 default: 104 return 0; 105 } 106 } 107 108 /* perform nsec3 hash. return false on failure */ 109 int 110 secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len, 111 unsigned char* res) 112 { 113 switch(algo) { 114 case NSEC3_HASH_SHA1: 115 #ifdef OPENSSL_FIPS 116 if(!sldns_digest_evp(buf, len, res, EVP_sha1())) 117 log_crypto_error("could not digest with EVP_sha1", 118 ERR_get_error()); 119 #else 120 (void)SHA1(buf, len, res); 121 #endif 122 return 1; 123 default: 124 return 0; 125 } 126 } 127 128 void 129 secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res) 130 { 131 #ifdef OPENSSL_FIPS 132 if(!sldns_digest_evp(buf, len, res, EVP_sha256())) 133 log_crypto_error("could not digest with EVP_sha256", 134 ERR_get_error()); 135 #else 136 (void)SHA256(buf, len, res); 137 #endif 138 } 139 140 /** 141 * Return size of DS digest according to its hash algorithm. 142 * @param algo: DS digest algo. 143 * @return size in bytes of digest, or 0 if not supported. 144 */ 145 size_t 146 ds_digest_size_supported(int algo) 147 { 148 switch(algo) { 149 case LDNS_SHA1: 150 #if defined(HAVE_EVP_SHA1) && defined(USE_SHA1) 151 return SHA_DIGEST_LENGTH; 152 #else 153 if(fake_sha1) return 20; 154 return 0; 155 #endif 156 #ifdef HAVE_EVP_SHA256 157 case LDNS_SHA256: 158 return SHA256_DIGEST_LENGTH; 159 #endif 160 #ifdef USE_GOST 161 case LDNS_HASH_GOST: 162 /* we support GOST if it can be loaded */ 163 (void)sldns_key_EVP_load_gost_id(); 164 if(EVP_get_digestbyname("md_gost94")) 165 return 32; 166 else return 0; 167 #endif 168 #ifdef USE_ECDSA 169 case LDNS_SHA384: 170 return SHA384_DIGEST_LENGTH; 171 #endif 172 default: break; 173 } 174 return 0; 175 } 176 177 #ifdef USE_GOST 178 /** Perform GOST hash */ 179 static int 180 do_gost94(unsigned char* data, size_t len, unsigned char* dest) 181 { 182 const EVP_MD* md = EVP_get_digestbyname("md_gost94"); 183 if(!md) 184 return 0; 185 return sldns_digest_evp(data, (unsigned int)len, dest, md); 186 } 187 #endif 188 189 int 190 secalgo_ds_digest(int algo, unsigned char* buf, size_t len, 191 unsigned char* res) 192 { 193 switch(algo) { 194 #if defined(HAVE_EVP_SHA1) && defined(USE_SHA1) 195 case LDNS_SHA1: 196 #ifdef OPENSSL_FIPS 197 if(!sldns_digest_evp(buf, len, res, EVP_sha1())) 198 log_crypto_error("could not digest with EVP_sha1", 199 ERR_get_error()); 200 #else 201 (void)SHA1(buf, len, res); 202 #endif 203 return 1; 204 #endif 205 #ifdef HAVE_EVP_SHA256 206 case LDNS_SHA256: 207 #ifdef OPENSSL_FIPS 208 if(!sldns_digest_evp(buf, len, res, EVP_sha256())) 209 log_crypto_error("could not digest with EVP_sha256", 210 ERR_get_error()); 211 #else 212 (void)SHA256(buf, len, res); 213 #endif 214 return 1; 215 #endif 216 #ifdef USE_GOST 217 case LDNS_HASH_GOST: 218 if(do_gost94(buf, len, res)) 219 return 1; 220 break; 221 #endif 222 #ifdef USE_ECDSA 223 case LDNS_SHA384: 224 #ifdef OPENSSL_FIPS 225 if(!sldns_digest_evp(buf, len, res, EVP_sha384())) 226 log_crypto_error("could not digest with EVP_sha384", 227 ERR_get_error()); 228 #else 229 (void)SHA384(buf, len, res); 230 #endif 231 return 1; 232 #endif 233 default: 234 verbose(VERB_QUERY, "unknown DS digest algorithm %d", 235 algo); 236 break; 237 } 238 return 0; 239 } 240 241 /** return true if DNSKEY algorithm id is supported */ 242 int 243 dnskey_algo_id_is_supported(int id) 244 { 245 switch(id) { 246 case LDNS_RSAMD5: 247 /* RFC 6725 deprecates RSAMD5 */ 248 return 0; 249 case LDNS_DSA: 250 case LDNS_DSA_NSEC3: 251 #if defined(USE_DSA) && defined(USE_SHA1) 252 return 1; 253 #else 254 if(fake_dsa || fake_sha1) return 1; 255 return 0; 256 #endif 257 258 case LDNS_RSASHA1: 259 case LDNS_RSASHA1_NSEC3: 260 #ifdef USE_SHA1 261 return 1; 262 #else 263 if(fake_sha1) return 1; 264 return 0; 265 #endif 266 267 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2) 268 case LDNS_RSASHA256: 269 #endif 270 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2) 271 case LDNS_RSASHA512: 272 #endif 273 #ifdef USE_ECDSA 274 case LDNS_ECDSAP256SHA256: 275 case LDNS_ECDSAP384SHA384: 276 #endif 277 #ifdef USE_ED25519 278 case LDNS_ED25519: 279 #endif 280 #ifdef USE_ED448 281 case LDNS_ED448: 282 #endif 283 #if (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2)) || defined(USE_ECDSA) || defined(USE_ED25519) || defined(USE_ED448) 284 return 1; 285 #endif 286 287 #ifdef USE_GOST 288 case LDNS_ECC_GOST: 289 /* we support GOST if it can be loaded */ 290 return sldns_key_EVP_load_gost_id(); 291 #endif 292 default: 293 return 0; 294 } 295 } 296 297 #ifdef USE_DSA 298 /** 299 * Setup DSA key digest in DER encoding ... 300 * @param sig: input is signature output alloced ptr (unless failure). 301 * caller must free alloced ptr if this routine returns true. 302 * @param len: input is initial siglen, output is output len. 303 * @return false on failure. 304 */ 305 static int 306 setup_dsa_sig(unsigned char** sig, unsigned int* len) 307 { 308 unsigned char* orig = *sig; 309 unsigned int origlen = *len; 310 int newlen; 311 BIGNUM *R, *S; 312 DSA_SIG *dsasig; 313 314 /* extract the R and S field from the sig buffer */ 315 if(origlen < 1 + 2*SHA_DIGEST_LENGTH) 316 return 0; 317 R = BN_new(); 318 if(!R) return 0; 319 (void) BN_bin2bn(orig + 1, SHA_DIGEST_LENGTH, R); 320 S = BN_new(); 321 if(!S) return 0; 322 (void) BN_bin2bn(orig + 21, SHA_DIGEST_LENGTH, S); 323 dsasig = DSA_SIG_new(); 324 if(!dsasig) return 0; 325 326 #ifdef HAVE_DSA_SIG_SET0 327 if(!DSA_SIG_set0(dsasig, R, S)) return 0; 328 #else 329 # ifndef S_SPLINT_S 330 dsasig->r = R; 331 dsasig->s = S; 332 # endif /* S_SPLINT_S */ 333 #endif 334 *sig = NULL; 335 newlen = i2d_DSA_SIG(dsasig, sig); 336 if(newlen < 0) { 337 DSA_SIG_free(dsasig); 338 free(*sig); 339 return 0; 340 } 341 *len = (unsigned int)newlen; 342 DSA_SIG_free(dsasig); 343 return 1; 344 } 345 #endif /* USE_DSA */ 346 347 #ifdef USE_ECDSA 348 /** 349 * Setup the ECDSA signature in its encoding that the library wants. 350 * Converts from plain numbers to ASN formatted. 351 * @param sig: input is signature, output alloced ptr (unless failure). 352 * caller must free alloced ptr if this routine returns true. 353 * @param len: input is initial siglen, output is output len. 354 * @return false on failure. 355 */ 356 static int 357 setup_ecdsa_sig(unsigned char** sig, unsigned int* len) 358 { 359 /* convert from two BIGNUMs in the rdata buffer, to ASN notation. 360 * ASN preamble: 30440220 <R 32bytefor256> 0220 <S 32bytefor256> 361 * the '20' is the length of that field (=bnsize). 362 i * the '44' is the total remaining length. 363 * if negative, start with leading zero. 364 * if starts with 00s, remove them from the number. 365 */ 366 uint8_t pre[] = {0x30, 0x44, 0x02, 0x20}; 367 int pre_len = 4; 368 uint8_t mid[] = {0x02, 0x20}; 369 int mid_len = 2; 370 int raw_sig_len, r_high, s_high, r_rem=0, s_rem=0; 371 int bnsize = (int)((*len)/2); 372 unsigned char* d = *sig; 373 uint8_t* p; 374 /* if too short or not even length, fails */ 375 if(*len < 16 || bnsize*2 != (int)*len) 376 return 0; 377 378 /* strip leading zeroes from r (but not last one) */ 379 while(r_rem < bnsize-1 && d[r_rem] == 0) 380 r_rem++; 381 /* strip leading zeroes from s (but not last one) */ 382 while(s_rem < bnsize-1 && d[bnsize+s_rem] == 0) 383 s_rem++; 384 385 r_high = ((d[0+r_rem]&0x80)?1:0); 386 s_high = ((d[bnsize+s_rem]&0x80)?1:0); 387 raw_sig_len = pre_len + r_high + bnsize - r_rem + mid_len + 388 s_high + bnsize - s_rem; 389 *sig = (unsigned char*)malloc((size_t)raw_sig_len); 390 if(!*sig) 391 return 0; 392 p = (uint8_t*)*sig; 393 p[0] = pre[0]; 394 p[1] = (uint8_t)(raw_sig_len-2); 395 p[2] = pre[2]; 396 p[3] = (uint8_t)(bnsize + r_high - r_rem); 397 p += 4; 398 if(r_high) { 399 *p = 0; 400 p += 1; 401 } 402 memmove(p, d+r_rem, (size_t)bnsize-r_rem); 403 p += bnsize-r_rem; 404 memmove(p, mid, (size_t)mid_len-1); 405 p += mid_len-1; 406 *p = (uint8_t)(bnsize + s_high - s_rem); 407 p += 1; 408 if(s_high) { 409 *p = 0; 410 p += 1; 411 } 412 memmove(p, d+bnsize+s_rem, (size_t)bnsize-s_rem); 413 *len = (unsigned int)raw_sig_len; 414 return 1; 415 } 416 #endif /* USE_ECDSA */ 417 418 #ifdef USE_ECDSA_EVP_WORKAROUND 419 static EVP_MD ecdsa_evp_256_md; 420 static EVP_MD ecdsa_evp_384_md; 421 void ecdsa_evp_workaround_init(void) 422 { 423 /* openssl before 1.0.0 fixes RSA with the SHA256 424 * hash in EVP. We create one for ecdsa_sha256 */ 425 ecdsa_evp_256_md = *EVP_sha256(); 426 ecdsa_evp_256_md.required_pkey_type[0] = EVP_PKEY_EC; 427 ecdsa_evp_256_md.verify = (void*)ECDSA_verify; 428 429 ecdsa_evp_384_md = *EVP_sha384(); 430 ecdsa_evp_384_md.required_pkey_type[0] = EVP_PKEY_EC; 431 ecdsa_evp_384_md.verify = (void*)ECDSA_verify; 432 } 433 #endif /* USE_ECDSA_EVP_WORKAROUND */ 434 435 /** 436 * Setup key and digest for verification. Adjust sig if necessary. 437 * 438 * @param algo: key algorithm 439 * @param evp_key: EVP PKEY public key to create. 440 * @param digest_type: digest type to use 441 * @param key: key to setup for. 442 * @param keylen: length of key. 443 * @return false on failure. 444 */ 445 static int 446 setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type, 447 unsigned char* key, size_t keylen) 448 { 449 #if defined(USE_DSA) && defined(USE_SHA1) 450 DSA* dsa; 451 #endif 452 RSA* rsa; 453 454 switch(algo) { 455 #if defined(USE_DSA) && defined(USE_SHA1) 456 case LDNS_DSA: 457 case LDNS_DSA_NSEC3: 458 *evp_key = EVP_PKEY_new(); 459 if(!*evp_key) { 460 log_err("verify: malloc failure in crypto"); 461 return 0; 462 } 463 dsa = sldns_key_buf2dsa_raw(key, keylen); 464 if(!dsa) { 465 verbose(VERB_QUERY, "verify: " 466 "sldns_key_buf2dsa_raw failed"); 467 return 0; 468 } 469 if(EVP_PKEY_assign_DSA(*evp_key, dsa) == 0) { 470 verbose(VERB_QUERY, "verify: " 471 "EVP_PKEY_assign_DSA failed"); 472 return 0; 473 } 474 #ifdef HAVE_EVP_DSS1 475 *digest_type = EVP_dss1(); 476 #else 477 *digest_type = EVP_sha1(); 478 #endif 479 480 break; 481 #endif /* USE_DSA && USE_SHA1 */ 482 483 #if defined(USE_SHA1) || (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2)) 484 #ifdef USE_SHA1 485 case LDNS_RSASHA1: 486 case LDNS_RSASHA1_NSEC3: 487 #endif 488 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2) 489 case LDNS_RSASHA256: 490 #endif 491 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2) 492 case LDNS_RSASHA512: 493 #endif 494 *evp_key = EVP_PKEY_new(); 495 if(!*evp_key) { 496 log_err("verify: malloc failure in crypto"); 497 return 0; 498 } 499 rsa = sldns_key_buf2rsa_raw(key, keylen); 500 if(!rsa) { 501 verbose(VERB_QUERY, "verify: " 502 "sldns_key_buf2rsa_raw SHA failed"); 503 return 0; 504 } 505 if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) { 506 verbose(VERB_QUERY, "verify: " 507 "EVP_PKEY_assign_RSA SHA failed"); 508 return 0; 509 } 510 511 /* select SHA version */ 512 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2) 513 if(algo == LDNS_RSASHA256) 514 *digest_type = EVP_sha256(); 515 else 516 #endif 517 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2) 518 if(algo == LDNS_RSASHA512) 519 *digest_type = EVP_sha512(); 520 else 521 #endif 522 #ifdef USE_SHA1 523 *digest_type = EVP_sha1(); 524 #else 525 { verbose(VERB_QUERY, "no digest available"); return 0; } 526 #endif 527 break; 528 #endif /* defined(USE_SHA1) || (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2)) */ 529 530 case LDNS_RSAMD5: 531 *evp_key = EVP_PKEY_new(); 532 if(!*evp_key) { 533 log_err("verify: malloc failure in crypto"); 534 return 0; 535 } 536 rsa = sldns_key_buf2rsa_raw(key, keylen); 537 if(!rsa) { 538 verbose(VERB_QUERY, "verify: " 539 "sldns_key_buf2rsa_raw MD5 failed"); 540 return 0; 541 } 542 if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) { 543 verbose(VERB_QUERY, "verify: " 544 "EVP_PKEY_assign_RSA MD5 failed"); 545 return 0; 546 } 547 *digest_type = EVP_md5(); 548 549 break; 550 #ifdef USE_GOST 551 case LDNS_ECC_GOST: 552 *evp_key = sldns_gost2pkey_raw(key, keylen); 553 if(!*evp_key) { 554 verbose(VERB_QUERY, "verify: " 555 "sldns_gost2pkey_raw failed"); 556 return 0; 557 } 558 *digest_type = EVP_get_digestbyname("md_gost94"); 559 if(!*digest_type) { 560 verbose(VERB_QUERY, "verify: " 561 "EVP_getdigest md_gost94 failed"); 562 return 0; 563 } 564 break; 565 #endif 566 #ifdef USE_ECDSA 567 case LDNS_ECDSAP256SHA256: 568 *evp_key = sldns_ecdsa2pkey_raw(key, keylen, 569 LDNS_ECDSAP256SHA256); 570 if(!*evp_key) { 571 verbose(VERB_QUERY, "verify: " 572 "sldns_ecdsa2pkey_raw failed"); 573 return 0; 574 } 575 #ifdef USE_ECDSA_EVP_WORKAROUND 576 *digest_type = &ecdsa_evp_256_md; 577 #else 578 *digest_type = EVP_sha256(); 579 #endif 580 break; 581 case LDNS_ECDSAP384SHA384: 582 *evp_key = sldns_ecdsa2pkey_raw(key, keylen, 583 LDNS_ECDSAP384SHA384); 584 if(!*evp_key) { 585 verbose(VERB_QUERY, "verify: " 586 "sldns_ecdsa2pkey_raw failed"); 587 return 0; 588 } 589 #ifdef USE_ECDSA_EVP_WORKAROUND 590 *digest_type = &ecdsa_evp_384_md; 591 #else 592 *digest_type = EVP_sha384(); 593 #endif 594 break; 595 #endif /* USE_ECDSA */ 596 #ifdef USE_ED25519 597 case LDNS_ED25519: 598 *evp_key = sldns_ed255192pkey_raw(key, keylen); 599 if(!*evp_key) { 600 verbose(VERB_QUERY, "verify: " 601 "sldns_ed255192pkey_raw failed"); 602 return 0; 603 } 604 *digest_type = NULL; 605 break; 606 #endif /* USE_ED25519 */ 607 #ifdef USE_ED448 608 case LDNS_ED448: 609 *evp_key = sldns_ed4482pkey_raw(key, keylen); 610 if(!*evp_key) { 611 verbose(VERB_QUERY, "verify: " 612 "sldns_ed4482pkey_raw failed"); 613 return 0; 614 } 615 *digest_type = NULL; 616 break; 617 #endif /* USE_ED448 */ 618 default: 619 verbose(VERB_QUERY, "verify: unknown algorithm %d", 620 algo); 621 return 0; 622 } 623 return 1; 624 } 625 626 /** 627 * Check a canonical sig+rrset and signature against a dnskey 628 * @param buf: buffer with data to verify, the first rrsig part and the 629 * canonicalized rrset. 630 * @param algo: DNSKEY algorithm. 631 * @param sigblock: signature rdata field from RRSIG 632 * @param sigblock_len: length of sigblock data. 633 * @param key: public key data from DNSKEY RR. 634 * @param keylen: length of keydata. 635 * @param reason: bogus reason in more detail. 636 * @return secure if verification succeeded, bogus on crypto failure, 637 * unchecked on format errors and alloc failures. 638 */ 639 enum sec_status 640 verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock, 641 unsigned int sigblock_len, unsigned char* key, unsigned int keylen, 642 char** reason) 643 { 644 const EVP_MD *digest_type; 645 EVP_MD_CTX* ctx; 646 int res, dofree = 0, docrypto_free = 0; 647 EVP_PKEY *evp_key = NULL; 648 649 #ifndef USE_DSA 650 if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) &&(fake_dsa||fake_sha1)) 651 return sec_status_secure; 652 #endif 653 #ifndef USE_SHA1 654 if(fake_sha1 && (algo == LDNS_DSA || algo == LDNS_DSA_NSEC3 || algo == LDNS_RSASHA1 || algo == LDNS_RSASHA1_NSEC3)) 655 return sec_status_secure; 656 #endif 657 658 if(!setup_key_digest(algo, &evp_key, &digest_type, key, keylen)) { 659 verbose(VERB_QUERY, "verify: failed to setup key"); 660 *reason = "use of key for crypto failed"; 661 EVP_PKEY_free(evp_key); 662 return sec_status_bogus; 663 } 664 #ifdef USE_DSA 665 /* if it is a DSA signature in bind format, convert to DER format */ 666 if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) && 667 sigblock_len == 1+2*SHA_DIGEST_LENGTH) { 668 if(!setup_dsa_sig(&sigblock, &sigblock_len)) { 669 verbose(VERB_QUERY, "verify: failed to setup DSA sig"); 670 *reason = "use of key for DSA crypto failed"; 671 EVP_PKEY_free(evp_key); 672 return sec_status_bogus; 673 } 674 docrypto_free = 1; 675 } 676 #endif 677 #if defined(USE_ECDSA) && defined(USE_DSA) 678 else 679 #endif 680 #ifdef USE_ECDSA 681 if(algo == LDNS_ECDSAP256SHA256 || algo == LDNS_ECDSAP384SHA384) { 682 /* EVP uses ASN prefix on sig, which is not in the wire data */ 683 if(!setup_ecdsa_sig(&sigblock, &sigblock_len)) { 684 verbose(VERB_QUERY, "verify: failed to setup ECDSA sig"); 685 *reason = "use of signature for ECDSA crypto failed"; 686 EVP_PKEY_free(evp_key); 687 return sec_status_bogus; 688 } 689 dofree = 1; 690 } 691 #endif /* USE_ECDSA */ 692 693 /* do the signature cryptography work */ 694 #ifdef HAVE_EVP_MD_CTX_NEW 695 ctx = EVP_MD_CTX_new(); 696 #else 697 ctx = (EVP_MD_CTX*)malloc(sizeof(*ctx)); 698 if(ctx) EVP_MD_CTX_init(ctx); 699 #endif 700 if(!ctx) { 701 log_err("EVP_MD_CTX_new: malloc failure"); 702 EVP_PKEY_free(evp_key); 703 if(dofree) free(sigblock); 704 else if(docrypto_free) OPENSSL_free(sigblock); 705 return sec_status_unchecked; 706 } 707 #ifndef HAVE_EVP_DIGESTVERIFY 708 if(EVP_DigestInit(ctx, digest_type) == 0) { 709 verbose(VERB_QUERY, "verify: EVP_DigestInit failed"); 710 #ifdef HAVE_EVP_MD_CTX_NEW 711 EVP_MD_CTX_destroy(ctx); 712 #else 713 EVP_MD_CTX_cleanup(ctx); 714 free(ctx); 715 #endif 716 EVP_PKEY_free(evp_key); 717 if(dofree) free(sigblock); 718 else if(docrypto_free) OPENSSL_free(sigblock); 719 return sec_status_unchecked; 720 } 721 if(EVP_DigestUpdate(ctx, (unsigned char*)sldns_buffer_begin(buf), 722 (unsigned int)sldns_buffer_limit(buf)) == 0) { 723 verbose(VERB_QUERY, "verify: EVP_DigestUpdate failed"); 724 #ifdef HAVE_EVP_MD_CTX_NEW 725 EVP_MD_CTX_destroy(ctx); 726 #else 727 EVP_MD_CTX_cleanup(ctx); 728 free(ctx); 729 #endif 730 EVP_PKEY_free(evp_key); 731 if(dofree) free(sigblock); 732 else if(docrypto_free) OPENSSL_free(sigblock); 733 return sec_status_unchecked; 734 } 735 736 res = EVP_VerifyFinal(ctx, sigblock, sigblock_len, evp_key); 737 #else /* HAVE_EVP_DIGESTVERIFY */ 738 if(EVP_DigestVerifyInit(ctx, NULL, digest_type, NULL, evp_key) == 0) { 739 verbose(VERB_QUERY, "verify: EVP_DigestVerifyInit failed"); 740 #ifdef HAVE_EVP_MD_CTX_NEW 741 EVP_MD_CTX_destroy(ctx); 742 #else 743 EVP_MD_CTX_cleanup(ctx); 744 free(ctx); 745 #endif 746 EVP_PKEY_free(evp_key); 747 if(dofree) free(sigblock); 748 else if(docrypto_free) OPENSSL_free(sigblock); 749 return sec_status_unchecked; 750 } 751 res = EVP_DigestVerify(ctx, sigblock, sigblock_len, 752 (unsigned char*)sldns_buffer_begin(buf), 753 sldns_buffer_limit(buf)); 754 #endif 755 #ifdef HAVE_EVP_MD_CTX_NEW 756 EVP_MD_CTX_destroy(ctx); 757 #else 758 EVP_MD_CTX_cleanup(ctx); 759 free(ctx); 760 #endif 761 EVP_PKEY_free(evp_key); 762 763 if(dofree) free(sigblock); 764 else if(docrypto_free) OPENSSL_free(sigblock); 765 766 if(res == 1) { 767 return sec_status_secure; 768 } else if(res == 0) { 769 verbose(VERB_QUERY, "verify: signature mismatch"); 770 *reason = "signature crypto failed"; 771 return sec_status_bogus; 772 } 773 774 log_crypto_error("verify:", ERR_get_error()); 775 return sec_status_unchecked; 776 } 777 778 /**************************************************/ 779 #elif defined(HAVE_NSS) 780 /* libnss implementation */ 781 /* nss3 */ 782 #include "sechash.h" 783 #include "pk11pub.h" 784 #include "keyhi.h" 785 #include "secerr.h" 786 #include "cryptohi.h" 787 /* nspr4 */ 788 #include "prerror.h" 789 790 /* return size of digest if supported, or 0 otherwise */ 791 size_t 792 nsec3_hash_algo_size_supported(int id) 793 { 794 switch(id) { 795 case NSEC3_HASH_SHA1: 796 return SHA1_LENGTH; 797 default: 798 return 0; 799 } 800 } 801 802 /* perform nsec3 hash. return false on failure */ 803 int 804 secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len, 805 unsigned char* res) 806 { 807 switch(algo) { 808 case NSEC3_HASH_SHA1: 809 (void)HASH_HashBuf(HASH_AlgSHA1, res, buf, (unsigned long)len); 810 return 1; 811 default: 812 return 0; 813 } 814 } 815 816 void 817 secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res) 818 { 819 (void)HASH_HashBuf(HASH_AlgSHA256, res, buf, (unsigned long)len); 820 } 821 822 size_t 823 ds_digest_size_supported(int algo) 824 { 825 /* uses libNSS */ 826 switch(algo) { 827 #ifdef USE_SHA1 828 case LDNS_SHA1: 829 return SHA1_LENGTH; 830 #endif 831 #ifdef USE_SHA2 832 case LDNS_SHA256: 833 return SHA256_LENGTH; 834 #endif 835 #ifdef USE_ECDSA 836 case LDNS_SHA384: 837 return SHA384_LENGTH; 838 #endif 839 /* GOST not supported in NSS */ 840 case LDNS_HASH_GOST: 841 default: break; 842 } 843 return 0; 844 } 845 846 int 847 secalgo_ds_digest(int algo, unsigned char* buf, size_t len, 848 unsigned char* res) 849 { 850 /* uses libNSS */ 851 switch(algo) { 852 #ifdef USE_SHA1 853 case LDNS_SHA1: 854 return HASH_HashBuf(HASH_AlgSHA1, res, buf, len) 855 == SECSuccess; 856 #endif 857 #if defined(USE_SHA2) 858 case LDNS_SHA256: 859 return HASH_HashBuf(HASH_AlgSHA256, res, buf, len) 860 == SECSuccess; 861 #endif 862 #ifdef USE_ECDSA 863 case LDNS_SHA384: 864 return HASH_HashBuf(HASH_AlgSHA384, res, buf, len) 865 == SECSuccess; 866 #endif 867 case LDNS_HASH_GOST: 868 default: 869 verbose(VERB_QUERY, "unknown DS digest algorithm %d", 870 algo); 871 break; 872 } 873 return 0; 874 } 875 876 int 877 dnskey_algo_id_is_supported(int id) 878 { 879 /* uses libNSS */ 880 switch(id) { 881 case LDNS_RSAMD5: 882 /* RFC 6725 deprecates RSAMD5 */ 883 return 0; 884 #if defined(USE_SHA1) || defined(USE_SHA2) 885 #if defined(USE_DSA) && defined(USE_SHA1) 886 case LDNS_DSA: 887 case LDNS_DSA_NSEC3: 888 #endif 889 #ifdef USE_SHA1 890 case LDNS_RSASHA1: 891 case LDNS_RSASHA1_NSEC3: 892 #endif 893 #ifdef USE_SHA2 894 case LDNS_RSASHA256: 895 #endif 896 #ifdef USE_SHA2 897 case LDNS_RSASHA512: 898 #endif 899 return 1; 900 #endif /* SHA1 or SHA2 */ 901 902 #ifdef USE_ECDSA 903 case LDNS_ECDSAP256SHA256: 904 case LDNS_ECDSAP384SHA384: 905 return PK11_TokenExists(CKM_ECDSA); 906 #endif 907 case LDNS_ECC_GOST: 908 default: 909 return 0; 910 } 911 } 912 913 /* return a new public key for NSS */ 914 static SECKEYPublicKey* nss_key_create(KeyType ktype) 915 { 916 SECKEYPublicKey* key; 917 PLArenaPool* arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); 918 if(!arena) { 919 log_err("out of memory, PORT_NewArena failed"); 920 return NULL; 921 } 922 key = PORT_ArenaZNew(arena, SECKEYPublicKey); 923 if(!key) { 924 log_err("out of memory, PORT_ArenaZNew failed"); 925 PORT_FreeArena(arena, PR_FALSE); 926 return NULL; 927 } 928 key->arena = arena; 929 key->keyType = ktype; 930 key->pkcs11Slot = NULL; 931 key->pkcs11ID = CK_INVALID_HANDLE; 932 return key; 933 } 934 935 static SECKEYPublicKey* nss_buf2ecdsa(unsigned char* key, size_t len, int algo) 936 { 937 SECKEYPublicKey* pk; 938 SECItem pub = {siBuffer, NULL, 0}; 939 SECItem params = {siBuffer, NULL, 0}; 940 static unsigned char param256[] = { 941 /* OBJECTIDENTIFIER 1.2.840.10045.3.1.7 (P-256) 942 * {iso(1) member-body(2) us(840) ansi-x962(10045) curves(3) prime(1) prime256v1(7)} */ 943 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07 944 }; 945 static unsigned char param384[] = { 946 /* OBJECTIDENTIFIER 1.3.132.0.34 (P-384) 947 * {iso(1) identified-organization(3) certicom(132) curve(0) ansip384r1(34)} */ 948 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22 949 }; 950 unsigned char buf[256+2]; /* sufficient for 2*384/8+1 */ 951 952 /* check length, which uncompressed must be 2 bignums */ 953 if(algo == LDNS_ECDSAP256SHA256) { 954 if(len != 2*256/8) return NULL; 955 /* ECCurve_X9_62_PRIME_256V1 */ 956 } else if(algo == LDNS_ECDSAP384SHA384) { 957 if(len != 2*384/8) return NULL; 958 /* ECCurve_X9_62_PRIME_384R1 */ 959 } else return NULL; 960 961 buf[0] = 0x04; /* POINT_FORM_UNCOMPRESSED */ 962 memmove(buf+1, key, len); 963 pub.data = buf; 964 pub.len = len+1; 965 if(algo == LDNS_ECDSAP256SHA256) { 966 params.data = param256; 967 params.len = sizeof(param256); 968 } else { 969 params.data = param384; 970 params.len = sizeof(param384); 971 } 972 973 pk = nss_key_create(ecKey); 974 if(!pk) 975 return NULL; 976 pk->u.ec.size = (len/2)*8; 977 if(SECITEM_CopyItem(pk->arena, &pk->u.ec.publicValue, &pub)) { 978 SECKEY_DestroyPublicKey(pk); 979 return NULL; 980 } 981 if(SECITEM_CopyItem(pk->arena, &pk->u.ec.DEREncodedParams, ¶ms)) { 982 SECKEY_DestroyPublicKey(pk); 983 return NULL; 984 } 985 986 return pk; 987 } 988 989 static SECKEYPublicKey* nss_buf2dsa(unsigned char* key, size_t len) 990 { 991 SECKEYPublicKey* pk; 992 uint8_t T; 993 uint16_t length; 994 uint16_t offset; 995 SECItem Q = {siBuffer, NULL, 0}; 996 SECItem P = {siBuffer, NULL, 0}; 997 SECItem G = {siBuffer, NULL, 0}; 998 SECItem Y = {siBuffer, NULL, 0}; 999 1000 if(len == 0) 1001 return NULL; 1002 T = (uint8_t)key[0]; 1003 length = (64 + T * 8); 1004 offset = 1; 1005 1006 if (T > 8) { 1007 return NULL; 1008 } 1009 if(len < (size_t)1 + SHA1_LENGTH + 3*length) 1010 return NULL; 1011 1012 Q.data = key+offset; 1013 Q.len = SHA1_LENGTH; 1014 offset += SHA1_LENGTH; 1015 1016 P.data = key+offset; 1017 P.len = length; 1018 offset += length; 1019 1020 G.data = key+offset; 1021 G.len = length; 1022 offset += length; 1023 1024 Y.data = key+offset; 1025 Y.len = length; 1026 offset += length; 1027 1028 pk = nss_key_create(dsaKey); 1029 if(!pk) 1030 return NULL; 1031 if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.prime, &P)) { 1032 SECKEY_DestroyPublicKey(pk); 1033 return NULL; 1034 } 1035 if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.subPrime, &Q)) { 1036 SECKEY_DestroyPublicKey(pk); 1037 return NULL; 1038 } 1039 if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.base, &G)) { 1040 SECKEY_DestroyPublicKey(pk); 1041 return NULL; 1042 } 1043 if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.publicValue, &Y)) { 1044 SECKEY_DestroyPublicKey(pk); 1045 return NULL; 1046 } 1047 return pk; 1048 } 1049 1050 static SECKEYPublicKey* nss_buf2rsa(unsigned char* key, size_t len) 1051 { 1052 SECKEYPublicKey* pk; 1053 uint16_t exp; 1054 uint16_t offset; 1055 uint16_t int16; 1056 SECItem modulus = {siBuffer, NULL, 0}; 1057 SECItem exponent = {siBuffer, NULL, 0}; 1058 if(len == 0) 1059 return NULL; 1060 if(key[0] == 0) { 1061 if(len < 3) 1062 return NULL; 1063 /* the exponent is too large so it's places further */ 1064 memmove(&int16, key+1, 2); 1065 exp = ntohs(int16); 1066 offset = 3; 1067 } else { 1068 exp = key[0]; 1069 offset = 1; 1070 } 1071 1072 /* key length at least one */ 1073 if(len < (size_t)offset + exp + 1) 1074 return NULL; 1075 1076 exponent.data = key+offset; 1077 exponent.len = exp; 1078 offset += exp; 1079 modulus.data = key+offset; 1080 modulus.len = (len - offset); 1081 1082 pk = nss_key_create(rsaKey); 1083 if(!pk) 1084 return NULL; 1085 if(SECITEM_CopyItem(pk->arena, &pk->u.rsa.modulus, &modulus)) { 1086 SECKEY_DestroyPublicKey(pk); 1087 return NULL; 1088 } 1089 if(SECITEM_CopyItem(pk->arena, &pk->u.rsa.publicExponent, &exponent)) { 1090 SECKEY_DestroyPublicKey(pk); 1091 return NULL; 1092 } 1093 return pk; 1094 } 1095 1096 /** 1097 * Setup key and digest for verification. Adjust sig if necessary. 1098 * 1099 * @param algo: key algorithm 1100 * @param evp_key: EVP PKEY public key to create. 1101 * @param digest_type: digest type to use 1102 * @param key: key to setup for. 1103 * @param keylen: length of key. 1104 * @param prefix: if returned, the ASN prefix for the hashblob. 1105 * @param prefixlen: length of the prefix. 1106 * @return false on failure. 1107 */ 1108 static int 1109 nss_setup_key_digest(int algo, SECKEYPublicKey** pubkey, HASH_HashType* htype, 1110 unsigned char* key, size_t keylen, unsigned char** prefix, 1111 size_t* prefixlen) 1112 { 1113 /* uses libNSS */ 1114 1115 /* hash prefix for md5, RFC2537 */ 1116 static unsigned char p_md5[] = {0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a, 1117 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 0x04, 0x10}; 1118 /* hash prefix to prepend to hash output, from RFC3110 */ 1119 static unsigned char p_sha1[] = {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B, 1120 0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14}; 1121 /* from RFC5702 */ 1122 static unsigned char p_sha256[] = {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 1123 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20}; 1124 static unsigned char p_sha512[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 1125 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40}; 1126 /* from RFC6234 */ 1127 /* for future RSASHA384 .. 1128 static unsigned char p_sha384[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 1129 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30}; 1130 */ 1131 1132 switch(algo) { 1133 1134 #if defined(USE_SHA1) || defined(USE_SHA2) 1135 #if defined(USE_DSA) && defined(USE_SHA1) 1136 case LDNS_DSA: 1137 case LDNS_DSA_NSEC3: 1138 *pubkey = nss_buf2dsa(key, keylen); 1139 if(!*pubkey) { 1140 log_err("verify: malloc failure in crypto"); 1141 return 0; 1142 } 1143 *htype = HASH_AlgSHA1; 1144 /* no prefix for DSA verification */ 1145 break; 1146 #endif 1147 #ifdef USE_SHA1 1148 case LDNS_RSASHA1: 1149 case LDNS_RSASHA1_NSEC3: 1150 #endif 1151 #ifdef USE_SHA2 1152 case LDNS_RSASHA256: 1153 #endif 1154 #ifdef USE_SHA2 1155 case LDNS_RSASHA512: 1156 #endif 1157 *pubkey = nss_buf2rsa(key, keylen); 1158 if(!*pubkey) { 1159 log_err("verify: malloc failure in crypto"); 1160 return 0; 1161 } 1162 /* select SHA version */ 1163 #ifdef USE_SHA2 1164 if(algo == LDNS_RSASHA256) { 1165 *htype = HASH_AlgSHA256; 1166 *prefix = p_sha256; 1167 *prefixlen = sizeof(p_sha256); 1168 } else 1169 #endif 1170 #ifdef USE_SHA2 1171 if(algo == LDNS_RSASHA512) { 1172 *htype = HASH_AlgSHA512; 1173 *prefix = p_sha512; 1174 *prefixlen = sizeof(p_sha512); 1175 } else 1176 #endif 1177 #ifdef USE_SHA1 1178 { 1179 *htype = HASH_AlgSHA1; 1180 *prefix = p_sha1; 1181 *prefixlen = sizeof(p_sha1); 1182 } 1183 #else 1184 { 1185 verbose(VERB_QUERY, "verify: no digest algo"); 1186 return 0; 1187 } 1188 #endif 1189 1190 break; 1191 #endif /* SHA1 or SHA2 */ 1192 1193 case LDNS_RSAMD5: 1194 *pubkey = nss_buf2rsa(key, keylen); 1195 if(!*pubkey) { 1196 log_err("verify: malloc failure in crypto"); 1197 return 0; 1198 } 1199 *htype = HASH_AlgMD5; 1200 *prefix = p_md5; 1201 *prefixlen = sizeof(p_md5); 1202 1203 break; 1204 #ifdef USE_ECDSA 1205 case LDNS_ECDSAP256SHA256: 1206 *pubkey = nss_buf2ecdsa(key, keylen, 1207 LDNS_ECDSAP256SHA256); 1208 if(!*pubkey) { 1209 log_err("verify: malloc failure in crypto"); 1210 return 0; 1211 } 1212 *htype = HASH_AlgSHA256; 1213 /* no prefix for DSA verification */ 1214 break; 1215 case LDNS_ECDSAP384SHA384: 1216 *pubkey = nss_buf2ecdsa(key, keylen, 1217 LDNS_ECDSAP384SHA384); 1218 if(!*pubkey) { 1219 log_err("verify: malloc failure in crypto"); 1220 return 0; 1221 } 1222 *htype = HASH_AlgSHA384; 1223 /* no prefix for DSA verification */ 1224 break; 1225 #endif /* USE_ECDSA */ 1226 case LDNS_ECC_GOST: 1227 default: 1228 verbose(VERB_QUERY, "verify: unknown algorithm %d", 1229 algo); 1230 return 0; 1231 } 1232 return 1; 1233 } 1234 1235 /** 1236 * Check a canonical sig+rrset and signature against a dnskey 1237 * @param buf: buffer with data to verify, the first rrsig part and the 1238 * canonicalized rrset. 1239 * @param algo: DNSKEY algorithm. 1240 * @param sigblock: signature rdata field from RRSIG 1241 * @param sigblock_len: length of sigblock data. 1242 * @param key: public key data from DNSKEY RR. 1243 * @param keylen: length of keydata. 1244 * @param reason: bogus reason in more detail. 1245 * @return secure if verification succeeded, bogus on crypto failure, 1246 * unchecked on format errors and alloc failures. 1247 */ 1248 enum sec_status 1249 verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock, 1250 unsigned int sigblock_len, unsigned char* key, unsigned int keylen, 1251 char** reason) 1252 { 1253 /* uses libNSS */ 1254 /* large enough for the different hashes */ 1255 unsigned char hash[HASH_LENGTH_MAX]; 1256 unsigned char hash2[HASH_LENGTH_MAX*2]; 1257 HASH_HashType htype = 0; 1258 SECKEYPublicKey* pubkey = NULL; 1259 SECItem secsig = {siBuffer, sigblock, sigblock_len}; 1260 SECItem sechash = {siBuffer, hash, 0}; 1261 SECStatus res; 1262 unsigned char* prefix = NULL; /* prefix for hash, RFC3110, RFC5702 */ 1263 size_t prefixlen = 0; 1264 int err; 1265 1266 if(!nss_setup_key_digest(algo, &pubkey, &htype, key, keylen, 1267 &prefix, &prefixlen)) { 1268 verbose(VERB_QUERY, "verify: failed to setup key"); 1269 *reason = "use of key for crypto failed"; 1270 SECKEY_DestroyPublicKey(pubkey); 1271 return sec_status_bogus; 1272 } 1273 1274 #if defined(USE_DSA) && defined(USE_SHA1) 1275 /* need to convert DSA, ECDSA signatures? */ 1276 if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3)) { 1277 if(sigblock_len == 1+2*SHA1_LENGTH) { 1278 secsig.data ++; 1279 secsig.len --; 1280 } else { 1281 SECItem* p = DSAU_DecodeDerSig(&secsig); 1282 if(!p) { 1283 verbose(VERB_QUERY, "verify: failed DER decode"); 1284 *reason = "signature DER decode failed"; 1285 SECKEY_DestroyPublicKey(pubkey); 1286 return sec_status_bogus; 1287 } 1288 if(SECITEM_CopyItem(pubkey->arena, &secsig, p)) { 1289 log_err("alloc failure in DER decode"); 1290 SECKEY_DestroyPublicKey(pubkey); 1291 SECITEM_FreeItem(p, PR_TRUE); 1292 return sec_status_unchecked; 1293 } 1294 SECITEM_FreeItem(p, PR_TRUE); 1295 } 1296 } 1297 #endif /* USE_DSA */ 1298 1299 /* do the signature cryptography work */ 1300 /* hash the data */ 1301 sechash.len = HASH_ResultLen(htype); 1302 if(sechash.len > sizeof(hash)) { 1303 verbose(VERB_QUERY, "verify: hash too large for buffer"); 1304 SECKEY_DestroyPublicKey(pubkey); 1305 return sec_status_unchecked; 1306 } 1307 if(HASH_HashBuf(htype, hash, (unsigned char*)sldns_buffer_begin(buf), 1308 (unsigned int)sldns_buffer_limit(buf)) != SECSuccess) { 1309 verbose(VERB_QUERY, "verify: HASH_HashBuf failed"); 1310 SECKEY_DestroyPublicKey(pubkey); 1311 return sec_status_unchecked; 1312 } 1313 if(prefix) { 1314 int hashlen = sechash.len; 1315 if(prefixlen+hashlen > sizeof(hash2)) { 1316 verbose(VERB_QUERY, "verify: hashprefix too large"); 1317 SECKEY_DestroyPublicKey(pubkey); 1318 return sec_status_unchecked; 1319 } 1320 sechash.data = hash2; 1321 sechash.len = prefixlen+hashlen; 1322 memcpy(sechash.data, prefix, prefixlen); 1323 memmove(sechash.data+prefixlen, hash, hashlen); 1324 } 1325 1326 /* verify the signature */ 1327 res = PK11_Verify(pubkey, &secsig, &sechash, NULL /*wincx*/); 1328 SECKEY_DestroyPublicKey(pubkey); 1329 1330 if(res == SECSuccess) { 1331 return sec_status_secure; 1332 } 1333 err = PORT_GetError(); 1334 if(err != SEC_ERROR_BAD_SIGNATURE) { 1335 /* failed to verify */ 1336 verbose(VERB_QUERY, "verify: PK11_Verify failed: %s", 1337 PORT_ErrorToString(err)); 1338 /* if it is not supported, like ECC is removed, we get, 1339 * SEC_ERROR_NO_MODULE */ 1340 if(err == SEC_ERROR_NO_MODULE) 1341 return sec_status_unchecked; 1342 /* but other errors are commonly returned 1343 * for a bad signature from NSS. Thus we return bogus, 1344 * not unchecked */ 1345 *reason = "signature crypto failed"; 1346 return sec_status_bogus; 1347 } 1348 verbose(VERB_QUERY, "verify: signature mismatch: %s", 1349 PORT_ErrorToString(err)); 1350 *reason = "signature crypto failed"; 1351 return sec_status_bogus; 1352 } 1353 1354 #elif defined(HAVE_NETTLE) 1355 1356 #include "sha.h" 1357 #include "bignum.h" 1358 #include "macros.h" 1359 #include "rsa.h" 1360 #include "dsa.h" 1361 #ifdef HAVE_NETTLE_DSA_COMPAT_H 1362 #include "dsa-compat.h" 1363 #endif 1364 #include "asn1.h" 1365 #ifdef USE_ECDSA 1366 #include "ecdsa.h" 1367 #include "ecc-curve.h" 1368 #endif 1369 #ifdef HAVE_NETTLE_EDDSA_H 1370 #include "eddsa.h" 1371 #endif 1372 1373 static int 1374 _digest_nettle(int algo, uint8_t* buf, size_t len, 1375 unsigned char* res) 1376 { 1377 switch(algo) { 1378 case SHA1_DIGEST_SIZE: 1379 { 1380 struct sha1_ctx ctx; 1381 sha1_init(&ctx); 1382 sha1_update(&ctx, len, buf); 1383 sha1_digest(&ctx, SHA1_DIGEST_SIZE, res); 1384 return 1; 1385 } 1386 case SHA256_DIGEST_SIZE: 1387 { 1388 struct sha256_ctx ctx; 1389 sha256_init(&ctx); 1390 sha256_update(&ctx, len, buf); 1391 sha256_digest(&ctx, SHA256_DIGEST_SIZE, res); 1392 return 1; 1393 } 1394 case SHA384_DIGEST_SIZE: 1395 { 1396 struct sha384_ctx ctx; 1397 sha384_init(&ctx); 1398 sha384_update(&ctx, len, buf); 1399 sha384_digest(&ctx, SHA384_DIGEST_SIZE, res); 1400 return 1; 1401 } 1402 case SHA512_DIGEST_SIZE: 1403 { 1404 struct sha512_ctx ctx; 1405 sha512_init(&ctx); 1406 sha512_update(&ctx, len, buf); 1407 sha512_digest(&ctx, SHA512_DIGEST_SIZE, res); 1408 return 1; 1409 } 1410 default: 1411 break; 1412 } 1413 return 0; 1414 } 1415 1416 /* return size of digest if supported, or 0 otherwise */ 1417 size_t 1418 nsec3_hash_algo_size_supported(int id) 1419 { 1420 switch(id) { 1421 case NSEC3_HASH_SHA1: 1422 return SHA1_DIGEST_SIZE; 1423 default: 1424 return 0; 1425 } 1426 } 1427 1428 /* perform nsec3 hash. return false on failure */ 1429 int 1430 secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len, 1431 unsigned char* res) 1432 { 1433 switch(algo) { 1434 case NSEC3_HASH_SHA1: 1435 return _digest_nettle(SHA1_DIGEST_SIZE, (uint8_t*)buf, len, 1436 res); 1437 default: 1438 return 0; 1439 } 1440 } 1441 1442 void 1443 secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res) 1444 { 1445 _digest_nettle(SHA256_DIGEST_SIZE, (uint8_t*)buf, len, res); 1446 } 1447 1448 /** 1449 * Return size of DS digest according to its hash algorithm. 1450 * @param algo: DS digest algo. 1451 * @return size in bytes of digest, or 0 if not supported. 1452 */ 1453 size_t 1454 ds_digest_size_supported(int algo) 1455 { 1456 switch(algo) { 1457 case LDNS_SHA1: 1458 #ifdef USE_SHA1 1459 return SHA1_DIGEST_SIZE; 1460 #else 1461 if(fake_sha1) return 20; 1462 return 0; 1463 #endif 1464 #ifdef USE_SHA2 1465 case LDNS_SHA256: 1466 return SHA256_DIGEST_SIZE; 1467 #endif 1468 #ifdef USE_ECDSA 1469 case LDNS_SHA384: 1470 return SHA384_DIGEST_SIZE; 1471 #endif 1472 /* GOST not supported */ 1473 case LDNS_HASH_GOST: 1474 default: 1475 break; 1476 } 1477 return 0; 1478 } 1479 1480 int 1481 secalgo_ds_digest(int algo, unsigned char* buf, size_t len, 1482 unsigned char* res) 1483 { 1484 switch(algo) { 1485 #ifdef USE_SHA1 1486 case LDNS_SHA1: 1487 return _digest_nettle(SHA1_DIGEST_SIZE, buf, len, res); 1488 #endif 1489 #if defined(USE_SHA2) 1490 case LDNS_SHA256: 1491 return _digest_nettle(SHA256_DIGEST_SIZE, buf, len, res); 1492 #endif 1493 #ifdef USE_ECDSA 1494 case LDNS_SHA384: 1495 return _digest_nettle(SHA384_DIGEST_SIZE, buf, len, res); 1496 1497 #endif 1498 case LDNS_HASH_GOST: 1499 default: 1500 verbose(VERB_QUERY, "unknown DS digest algorithm %d", 1501 algo); 1502 break; 1503 } 1504 return 0; 1505 } 1506 1507 int 1508 dnskey_algo_id_is_supported(int id) 1509 { 1510 /* uses libnettle */ 1511 switch(id) { 1512 case LDNS_DSA: 1513 case LDNS_DSA_NSEC3: 1514 #if defined(USE_DSA) && defined(USE_SHA1) 1515 return 1; 1516 #else 1517 if(fake_dsa || fake_sha1) return 1; 1518 return 0; 1519 #endif 1520 case LDNS_RSASHA1: 1521 case LDNS_RSASHA1_NSEC3: 1522 #ifdef USE_SHA1 1523 return 1; 1524 #else 1525 if(fake_sha1) return 1; 1526 return 0; 1527 #endif 1528 #ifdef USE_SHA2 1529 case LDNS_RSASHA256: 1530 case LDNS_RSASHA512: 1531 #endif 1532 #ifdef USE_ECDSA 1533 case LDNS_ECDSAP256SHA256: 1534 case LDNS_ECDSAP384SHA384: 1535 #endif 1536 return 1; 1537 #ifdef USE_ED25519 1538 case LDNS_ED25519: 1539 return 1; 1540 #endif 1541 case LDNS_RSAMD5: /* RFC 6725 deprecates RSAMD5 */ 1542 case LDNS_ECC_GOST: 1543 default: 1544 return 0; 1545 } 1546 } 1547 1548 #if defined(USE_DSA) && defined(USE_SHA1) 1549 static char * 1550 _verify_nettle_dsa(sldns_buffer* buf, unsigned char* sigblock, 1551 unsigned int sigblock_len, unsigned char* key, unsigned int keylen) 1552 { 1553 uint8_t digest[SHA1_DIGEST_SIZE]; 1554 uint8_t key_t_value; 1555 int res = 0; 1556 size_t offset; 1557 struct dsa_public_key pubkey; 1558 struct dsa_signature signature; 1559 unsigned int expected_len; 1560 1561 /* Extract DSA signature from the record */ 1562 nettle_dsa_signature_init(&signature); 1563 /* Signature length: 41 bytes - RFC 2536 sec. 3 */ 1564 if(sigblock_len == 41) { 1565 if(key[0] != sigblock[0]) 1566 return "invalid T value in DSA signature or pubkey"; 1567 nettle_mpz_set_str_256_u(signature.r, 20, sigblock+1); 1568 nettle_mpz_set_str_256_u(signature.s, 20, sigblock+1+20); 1569 } else { 1570 /* DER encoded, decode the ASN1 notated R and S bignums */ 1571 /* SEQUENCE { r INTEGER, s INTEGER } */ 1572 struct asn1_der_iterator i, seq; 1573 if(asn1_der_iterator_first(&i, sigblock_len, 1574 (uint8_t*)sigblock) != ASN1_ITERATOR_CONSTRUCTED 1575 || i.type != ASN1_SEQUENCE) 1576 return "malformed DER encoded DSA signature"; 1577 /* decode this element of i using the seq iterator */ 1578 if(asn1_der_decode_constructed(&i, &seq) != 1579 ASN1_ITERATOR_PRIMITIVE || seq.type != ASN1_INTEGER) 1580 return "malformed DER encoded DSA signature"; 1581 if(!asn1_der_get_bignum(&seq, signature.r, 20*8)) 1582 return "malformed DER encoded DSA signature"; 1583 if(asn1_der_iterator_next(&seq) != ASN1_ITERATOR_PRIMITIVE 1584 || seq.type != ASN1_INTEGER) 1585 return "malformed DER encoded DSA signature"; 1586 if(!asn1_der_get_bignum(&seq, signature.s, 20*8)) 1587 return "malformed DER encoded DSA signature"; 1588 if(asn1_der_iterator_next(&i) != ASN1_ITERATOR_END) 1589 return "malformed DER encoded DSA signature"; 1590 } 1591 1592 /* Validate T values constraints - RFC 2536 sec. 2 & sec. 3 */ 1593 key_t_value = key[0]; 1594 if (key_t_value > 8) { 1595 return "invalid T value in DSA pubkey"; 1596 } 1597 1598 /* Pubkey minimum length: 21 bytes - RFC 2536 sec. 2 */ 1599 if (keylen < 21) { 1600 return "DSA pubkey too short"; 1601 } 1602 1603 expected_len = 1 + /* T */ 1604 20 + /* Q */ 1605 (64 + key_t_value*8) + /* P */ 1606 (64 + key_t_value*8) + /* G */ 1607 (64 + key_t_value*8); /* Y */ 1608 if (keylen != expected_len ) { 1609 return "invalid DSA pubkey length"; 1610 } 1611 1612 /* Extract DSA pubkey from the record */ 1613 nettle_dsa_public_key_init(&pubkey); 1614 offset = 1; 1615 nettle_mpz_set_str_256_u(pubkey.q, 20, key+offset); 1616 offset += 20; 1617 nettle_mpz_set_str_256_u(pubkey.p, (64 + key_t_value*8), key+offset); 1618 offset += (64 + key_t_value*8); 1619 nettle_mpz_set_str_256_u(pubkey.g, (64 + key_t_value*8), key+offset); 1620 offset += (64 + key_t_value*8); 1621 nettle_mpz_set_str_256_u(pubkey.y, (64 + key_t_value*8), key+offset); 1622 1623 /* Digest content of "buf" and verify its DSA signature in "sigblock"*/ 1624 res = _digest_nettle(SHA1_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), 1625 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); 1626 res &= dsa_sha1_verify_digest(&pubkey, digest, &signature); 1627 1628 /* Clear and return */ 1629 nettle_dsa_signature_clear(&signature); 1630 nettle_dsa_public_key_clear(&pubkey); 1631 if (!res) 1632 return "DSA signature verification failed"; 1633 else 1634 return NULL; 1635 } 1636 #endif /* USE_DSA */ 1637 1638 static char * 1639 _verify_nettle_rsa(sldns_buffer* buf, unsigned int digest_size, char* sigblock, 1640 unsigned int sigblock_len, uint8_t* key, unsigned int keylen) 1641 { 1642 uint16_t exp_len = 0; 1643 size_t exp_offset = 0, mod_offset = 0; 1644 struct rsa_public_key pubkey; 1645 mpz_t signature; 1646 int res = 0; 1647 1648 /* RSA pubkey parsing as per RFC 3110 sec. 2 */ 1649 if( keylen <= 1) { 1650 return "null RSA key"; 1651 } 1652 if (key[0] != 0) { 1653 /* 1-byte length */ 1654 exp_len = key[0]; 1655 exp_offset = 1; 1656 } else { 1657 /* 1-byte NUL + 2-bytes exponent length */ 1658 if (keylen < 3) { 1659 return "incorrect RSA key length"; 1660 } 1661 exp_len = READ_UINT16(key+1); 1662 if (exp_len == 0) 1663 return "null RSA exponent length"; 1664 exp_offset = 3; 1665 } 1666 /* Check that we are not over-running input length */ 1667 if (keylen < exp_offset + exp_len + 1) { 1668 return "RSA key content shorter than expected"; 1669 } 1670 mod_offset = exp_offset + exp_len; 1671 nettle_rsa_public_key_init(&pubkey); 1672 pubkey.size = keylen - mod_offset; 1673 nettle_mpz_set_str_256_u(pubkey.e, exp_len, &key[exp_offset]); 1674 nettle_mpz_set_str_256_u(pubkey.n, pubkey.size, &key[mod_offset]); 1675 1676 /* Digest content of "buf" and verify its RSA signature in "sigblock"*/ 1677 nettle_mpz_init_set_str_256_u(signature, sigblock_len, (uint8_t*)sigblock); 1678 switch (digest_size) { 1679 case SHA1_DIGEST_SIZE: 1680 { 1681 uint8_t digest[SHA1_DIGEST_SIZE]; 1682 res = _digest_nettle(SHA1_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), 1683 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); 1684 res &= rsa_sha1_verify_digest(&pubkey, digest, signature); 1685 break; 1686 } 1687 case SHA256_DIGEST_SIZE: 1688 { 1689 uint8_t digest[SHA256_DIGEST_SIZE]; 1690 res = _digest_nettle(SHA256_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), 1691 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); 1692 res &= rsa_sha256_verify_digest(&pubkey, digest, signature); 1693 break; 1694 } 1695 case SHA512_DIGEST_SIZE: 1696 { 1697 uint8_t digest[SHA512_DIGEST_SIZE]; 1698 res = _digest_nettle(SHA512_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), 1699 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); 1700 res &= rsa_sha512_verify_digest(&pubkey, digest, signature); 1701 break; 1702 } 1703 default: 1704 break; 1705 } 1706 1707 /* Clear and return */ 1708 nettle_rsa_public_key_clear(&pubkey); 1709 mpz_clear(signature); 1710 if (!res) { 1711 return "RSA signature verification failed"; 1712 } else { 1713 return NULL; 1714 } 1715 } 1716 1717 #ifdef USE_ECDSA 1718 static char * 1719 _verify_nettle_ecdsa(sldns_buffer* buf, unsigned int digest_size, unsigned char* sigblock, 1720 unsigned int sigblock_len, unsigned char* key, unsigned int keylen) 1721 { 1722 int res = 0; 1723 struct ecc_point pubkey; 1724 struct dsa_signature signature; 1725 1726 /* Always matched strength, as per RFC 6605 sec. 1 */ 1727 if (sigblock_len != 2*digest_size || keylen != 2*digest_size) { 1728 return "wrong ECDSA signature length"; 1729 } 1730 1731 /* Parse ECDSA signature as per RFC 6605 sec. 4 */ 1732 nettle_dsa_signature_init(&signature); 1733 switch (digest_size) { 1734 case SHA256_DIGEST_SIZE: 1735 { 1736 uint8_t digest[SHA256_DIGEST_SIZE]; 1737 mpz_t x, y; 1738 nettle_ecc_point_init(&pubkey, nettle_get_secp_256r1()); 1739 nettle_mpz_init_set_str_256_u(x, SHA256_DIGEST_SIZE, key); 1740 nettle_mpz_init_set_str_256_u(y, SHA256_DIGEST_SIZE, key+SHA256_DIGEST_SIZE); 1741 nettle_mpz_set_str_256_u(signature.r, SHA256_DIGEST_SIZE, sigblock); 1742 nettle_mpz_set_str_256_u(signature.s, SHA256_DIGEST_SIZE, sigblock+SHA256_DIGEST_SIZE); 1743 res = _digest_nettle(SHA256_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), 1744 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); 1745 res &= nettle_ecc_point_set(&pubkey, x, y); 1746 res &= nettle_ecdsa_verify (&pubkey, SHA256_DIGEST_SIZE, digest, &signature); 1747 mpz_clear(x); 1748 mpz_clear(y); 1749 break; 1750 } 1751 case SHA384_DIGEST_SIZE: 1752 { 1753 uint8_t digest[SHA384_DIGEST_SIZE]; 1754 mpz_t x, y; 1755 nettle_ecc_point_init(&pubkey, nettle_get_secp_384r1()); 1756 nettle_mpz_init_set_str_256_u(x, SHA384_DIGEST_SIZE, key); 1757 nettle_mpz_init_set_str_256_u(y, SHA384_DIGEST_SIZE, key+SHA384_DIGEST_SIZE); 1758 nettle_mpz_set_str_256_u(signature.r, SHA384_DIGEST_SIZE, sigblock); 1759 nettle_mpz_set_str_256_u(signature.s, SHA384_DIGEST_SIZE, sigblock+SHA384_DIGEST_SIZE); 1760 res = _digest_nettle(SHA384_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), 1761 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); 1762 res &= nettle_ecc_point_set(&pubkey, x, y); 1763 res &= nettle_ecdsa_verify (&pubkey, SHA384_DIGEST_SIZE, digest, &signature); 1764 mpz_clear(x); 1765 mpz_clear(y); 1766 nettle_ecc_point_clear(&pubkey); 1767 break; 1768 } 1769 default: 1770 return "unknown ECDSA algorithm"; 1771 } 1772 1773 /* Clear and return */ 1774 nettle_dsa_signature_clear(&signature); 1775 if (!res) 1776 return "ECDSA signature verification failed"; 1777 else 1778 return NULL; 1779 } 1780 #endif 1781 1782 #ifdef USE_ED25519 1783 static char * 1784 _verify_nettle_ed25519(sldns_buffer* buf, unsigned char* sigblock, 1785 unsigned int sigblock_len, unsigned char* key, unsigned int keylen) 1786 { 1787 int res = 0; 1788 1789 if(sigblock_len != ED25519_SIGNATURE_SIZE) { 1790 return "wrong ED25519 signature length"; 1791 } 1792 if(keylen != ED25519_KEY_SIZE) { 1793 return "wrong ED25519 key length"; 1794 } 1795 1796 res = ed25519_sha512_verify((uint8_t*)key, sldns_buffer_limit(buf), 1797 sldns_buffer_begin(buf), (uint8_t*)sigblock); 1798 1799 if (!res) 1800 return "ED25519 signature verification failed"; 1801 else 1802 return NULL; 1803 } 1804 #endif 1805 1806 /** 1807 * Check a canonical sig+rrset and signature against a dnskey 1808 * @param buf: buffer with data to verify, the first rrsig part and the 1809 * canonicalized rrset. 1810 * @param algo: DNSKEY algorithm. 1811 * @param sigblock: signature rdata field from RRSIG 1812 * @param sigblock_len: length of sigblock data. 1813 * @param key: public key data from DNSKEY RR. 1814 * @param keylen: length of keydata. 1815 * @param reason: bogus reason in more detail. 1816 * @return secure if verification succeeded, bogus on crypto failure, 1817 * unchecked on format errors and alloc failures. 1818 */ 1819 enum sec_status 1820 verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock, 1821 unsigned int sigblock_len, unsigned char* key, unsigned int keylen, 1822 char** reason) 1823 { 1824 unsigned int digest_size = 0; 1825 1826 if (sigblock_len == 0 || keylen == 0) { 1827 *reason = "null signature"; 1828 return sec_status_bogus; 1829 } 1830 1831 #ifndef USE_DSA 1832 if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) &&(fake_dsa||fake_sha1)) 1833 return sec_status_secure; 1834 #endif 1835 #ifndef USE_SHA1 1836 if(fake_sha1 && (algo == LDNS_DSA || algo == LDNS_DSA_NSEC3 || algo == LDNS_RSASHA1 || algo == LDNS_RSASHA1_NSEC3)) 1837 return sec_status_secure; 1838 #endif 1839 1840 switch(algo) { 1841 #if defined(USE_DSA) && defined(USE_SHA1) 1842 case LDNS_DSA: 1843 case LDNS_DSA_NSEC3: 1844 *reason = _verify_nettle_dsa(buf, sigblock, sigblock_len, key, keylen); 1845 if (*reason != NULL) 1846 return sec_status_bogus; 1847 else 1848 return sec_status_secure; 1849 #endif /* USE_DSA */ 1850 1851 #ifdef USE_SHA1 1852 case LDNS_RSASHA1: 1853 case LDNS_RSASHA1_NSEC3: 1854 digest_size = (digest_size ? digest_size : SHA1_DIGEST_SIZE); 1855 #endif 1856 /* double fallthrough annotation to please gcc parser */ 1857 /* fallthrough */ 1858 #ifdef USE_SHA2 1859 /* fallthrough */ 1860 case LDNS_RSASHA256: 1861 digest_size = (digest_size ? digest_size : SHA256_DIGEST_SIZE); 1862 /* fallthrough */ 1863 case LDNS_RSASHA512: 1864 digest_size = (digest_size ? digest_size : SHA512_DIGEST_SIZE); 1865 1866 #endif 1867 *reason = _verify_nettle_rsa(buf, digest_size, (char*)sigblock, 1868 sigblock_len, key, keylen); 1869 if (*reason != NULL) 1870 return sec_status_bogus; 1871 else 1872 return sec_status_secure; 1873 1874 #ifdef USE_ECDSA 1875 case LDNS_ECDSAP256SHA256: 1876 digest_size = (digest_size ? digest_size : SHA256_DIGEST_SIZE); 1877 /* fallthrough */ 1878 case LDNS_ECDSAP384SHA384: 1879 digest_size = (digest_size ? digest_size : SHA384_DIGEST_SIZE); 1880 *reason = _verify_nettle_ecdsa(buf, digest_size, sigblock, 1881 sigblock_len, key, keylen); 1882 if (*reason != NULL) 1883 return sec_status_bogus; 1884 else 1885 return sec_status_secure; 1886 #endif 1887 #ifdef USE_ED25519 1888 case LDNS_ED25519: 1889 *reason = _verify_nettle_ed25519(buf, sigblock, sigblock_len, 1890 key, keylen); 1891 if (*reason != NULL) 1892 return sec_status_bogus; 1893 else 1894 return sec_status_secure; 1895 #endif 1896 case LDNS_RSAMD5: 1897 case LDNS_ECC_GOST: 1898 default: 1899 *reason = "unable to verify signature, unknown algorithm"; 1900 return sec_status_bogus; 1901 } 1902 } 1903 1904 #endif /* HAVE_SSL or HAVE_NSS or HAVE_NETTLE */ 1905