/src/unbound/validator/val_secalgo.c
Line | Count | Source |
1 | | /* |
2 | | * validator/val_secalgo.c - validator security algorithm functions. |
3 | | * |
4 | | * Copyright (c) 2012, NLnet Labs. All rights reserved. |
5 | | * |
6 | | * This software is open source. |
7 | | * |
8 | | * Redistribution and use in source and binary forms, with or without |
9 | | * modification, are permitted provided that the following conditions |
10 | | * are met: |
11 | | * |
12 | | * Redistributions of source code must retain the above copyright notice, |
13 | | * this list of conditions and the following disclaimer. |
14 | | * |
15 | | * Redistributions in binary form must reproduce the above copyright notice, |
16 | | * this list of conditions and the following disclaimer in the documentation |
17 | | * and/or other materials provided with the distribution. |
18 | | * |
19 | | * Neither the name of the NLNET LABS nor the names of its contributors may |
20 | | * be used to endorse or promote products derived from this software without |
21 | | * specific prior written permission. |
22 | | * |
23 | | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS |
24 | | * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT |
25 | | * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR |
26 | | * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT |
27 | | * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
28 | | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED |
29 | | * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR |
30 | | * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF |
31 | | * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING |
32 | | * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS |
33 | | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
34 | | */ |
35 | | |
36 | | /** |
37 | | * \file |
38 | | * |
39 | | * This file contains helper functions for the validator module. |
40 | | * These functions take raw data buffers, formatted for crypto verification, |
41 | | * and do the library calls (for the crypto library in use). |
42 | | */ |
43 | | #include "config.h" |
44 | | /* packed_rrset on top to define enum types (forced by c99 standard) */ |
45 | | #include "util/data/packed_rrset.h" |
46 | | #include "validator/val_secalgo.h" |
47 | | #include "validator/val_nsec3.h" |
48 | | #include "util/log.h" |
49 | | #include "sldns/rrdef.h" |
50 | | #include "sldns/keyraw.h" |
51 | | #include "sldns/sbuffer.h" |
52 | | |
53 | | #if !defined(HAVE_SSL) && !defined(HAVE_NSS) && !defined(HAVE_NETTLE) |
54 | | #error "Need crypto library to do digital signature cryptography" |
55 | | #endif |
56 | | |
57 | | /** fake DSA support for unit tests */ |
58 | | int fake_dsa = 0; |
59 | | /** fake SHA1 support for unit tests */ |
60 | | int fake_sha1 = 0; |
61 | | |
62 | | /* OpenSSL implementation */ |
63 | | #ifdef HAVE_SSL |
64 | | #ifdef HAVE_OPENSSL_ERR_H |
65 | | #include <openssl/err.h> |
66 | | #endif |
67 | | |
68 | | #ifdef HAVE_OPENSSL_RAND_H |
69 | | #include <openssl/rand.h> |
70 | | #endif |
71 | | |
72 | | #ifdef HAVE_OPENSSL_CONF_H |
73 | | #include <openssl/conf.h> |
74 | | #endif |
75 | | |
76 | | #ifdef HAVE_OPENSSL_ENGINE_H |
77 | | #include <openssl/engine.h> |
78 | | #endif |
79 | | |
80 | | #if defined(HAVE_OPENSSL_DSA_H) && defined(USE_DSA) |
81 | | #include <openssl/dsa.h> |
82 | | #endif |
83 | | |
84 | | /** |
85 | | * Output a libcrypto openssl error to the logfile. |
86 | | * @param str: string to add to it. |
87 | | * @param e: the error to output, error number from ERR_get_error(). |
88 | | */ |
89 | | static void |
90 | | log_crypto_error(const char* str, unsigned long e) |
91 | 0 | { |
92 | 0 | char buf[128]; |
93 | | /* or use ERR_error_string if ERR_error_string_n is not avail TODO */ |
94 | 0 | ERR_error_string_n(e, buf, sizeof(buf)); |
95 | | /* buf now contains */ |
96 | | /* error:[error code]:[library name]:[function name]:[reason string] */ |
97 | 0 | log_err("%s crypto %s", str, buf); |
98 | 0 | } |
99 | | |
100 | | /** |
101 | | * Output a libcrypto openssl error to the logfile as a debug message. |
102 | | * @param level: debug level to use in verbose() call |
103 | | * @param str: string to add to it. |
104 | | * @param e: the error to output, error number from ERR_get_error(). |
105 | | */ |
106 | | static void |
107 | | log_crypto_verbose(enum verbosity_value level, const char* str, unsigned long e) |
108 | 0 | { |
109 | 0 | char buf[128]; |
110 | | /* or use ERR_error_string if ERR_error_string_n is not avail TODO */ |
111 | 0 | ERR_error_string_n(e, buf, sizeof(buf)); |
112 | | /* buf now contains */ |
113 | | /* error:[error code]:[library name]:[function name]:[reason string] */ |
114 | 0 | verbose(level, "%s crypto %s", str, buf); |
115 | 0 | } |
116 | | |
117 | | /* return size of digest if supported, or 0 otherwise */ |
118 | | size_t |
119 | | nsec3_hash_algo_size_supported(int id) |
120 | 0 | { |
121 | 0 | switch(id) { |
122 | 0 | case NSEC3_HASH_SHA1: |
123 | 0 | return SHA_DIGEST_LENGTH; |
124 | 0 | default: |
125 | 0 | return 0; |
126 | 0 | } |
127 | 0 | } |
128 | | |
129 | | /* perform nsec3 hash. return false on failure */ |
130 | | int |
131 | | secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len, |
132 | | unsigned char* res) |
133 | 0 | { |
134 | 0 | switch(algo) { |
135 | 0 | case NSEC3_HASH_SHA1: |
136 | | #ifdef OPENSSL_FIPS |
137 | | if(!sldns_digest_evp(buf, len, res, EVP_sha1())) |
138 | | log_crypto_error("could not digest with EVP_sha1", |
139 | | ERR_get_error()); |
140 | | #else |
141 | 0 | (void)SHA1(buf, len, res); |
142 | 0 | #endif |
143 | 0 | return 1; |
144 | 0 | default: |
145 | 0 | return 0; |
146 | 0 | } |
147 | 0 | } |
148 | | |
149 | | void |
150 | | secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res) |
151 | 0 | { |
152 | | #ifdef OPENSSL_FIPS |
153 | | if(!sldns_digest_evp(buf, len, res, EVP_sha256())) |
154 | | log_crypto_error("could not digest with EVP_sha256", |
155 | | ERR_get_error()); |
156 | | #else |
157 | 0 | (void)SHA256(buf, len, res); |
158 | 0 | #endif |
159 | 0 | } |
160 | | |
161 | | /** hash structure for keeping track of running hashes */ |
162 | | struct secalgo_hash { |
163 | | /** the openssl message digest context */ |
164 | | EVP_MD_CTX* ctx; |
165 | | }; |
166 | | |
167 | | /** create secalgo hash with hash type */ |
168 | | static struct secalgo_hash* secalgo_hash_create_md(const EVP_MD* md) |
169 | 0 | { |
170 | 0 | struct secalgo_hash* h; |
171 | 0 | if(!md) |
172 | 0 | return NULL; |
173 | 0 | h = calloc(1, sizeof(*h)); |
174 | 0 | if(!h) |
175 | 0 | return NULL; |
176 | 0 | h->ctx = EVP_MD_CTX_create(); |
177 | 0 | if(!h->ctx) { |
178 | 0 | free(h); |
179 | 0 | return NULL; |
180 | 0 | } |
181 | 0 | if(!EVP_DigestInit_ex(h->ctx, md, NULL)) { |
182 | 0 | EVP_MD_CTX_destroy(h->ctx); |
183 | 0 | free(h); |
184 | 0 | return NULL; |
185 | 0 | } |
186 | 0 | return h; |
187 | 0 | } |
188 | | |
189 | | struct secalgo_hash* secalgo_hash_create_sha384(void) |
190 | 0 | { |
191 | 0 | return secalgo_hash_create_md(EVP_sha384()); |
192 | 0 | } |
193 | | |
194 | | struct secalgo_hash* secalgo_hash_create_sha512(void) |
195 | 0 | { |
196 | 0 | return secalgo_hash_create_md(EVP_sha512()); |
197 | 0 | } |
198 | | |
199 | | int secalgo_hash_update(struct secalgo_hash* hash, uint8_t* data, size_t len) |
200 | 0 | { |
201 | 0 | return EVP_DigestUpdate(hash->ctx, (unsigned char*)data, |
202 | 0 | (unsigned int)len); |
203 | 0 | } |
204 | | |
205 | | int secalgo_hash_final(struct secalgo_hash* hash, uint8_t* result, |
206 | | size_t maxlen, size_t* resultlen) |
207 | 0 | { |
208 | 0 | if(EVP_MD_CTX_size(hash->ctx) > (int)maxlen) { |
209 | 0 | *resultlen = 0; |
210 | 0 | log_err("secalgo_hash_final: hash buffer too small"); |
211 | 0 | return 0; |
212 | 0 | } |
213 | 0 | *resultlen = EVP_MD_CTX_size(hash->ctx); |
214 | 0 | return EVP_DigestFinal_ex(hash->ctx, result, NULL); |
215 | 0 | } |
216 | | |
217 | | void secalgo_hash_delete(struct secalgo_hash* hash) |
218 | 0 | { |
219 | 0 | if(!hash) return; |
220 | 0 | EVP_MD_CTX_destroy(hash->ctx); |
221 | 0 | free(hash); |
222 | 0 | } |
223 | | |
224 | | /** |
225 | | * Return size of DS digest according to its hash algorithm. |
226 | | * @param algo: DS digest algo. |
227 | | * @return size in bytes of digest, or 0 if not supported. |
228 | | */ |
229 | | size_t |
230 | | ds_digest_size_supported(int algo) |
231 | 0 | { |
232 | 0 | switch(algo) { |
233 | 0 | case LDNS_SHA1: |
234 | 0 | #if defined(HAVE_EVP_SHA1) && defined(USE_SHA1) |
235 | | #ifdef HAVE_EVP_DEFAULT_PROPERTIES_IS_FIPS_ENABLED |
236 | | if (EVP_default_properties_is_fips_enabled(NULL)) |
237 | | return 0; |
238 | | #endif |
239 | 0 | return SHA_DIGEST_LENGTH; |
240 | | #else |
241 | | if(fake_sha1) return 20; |
242 | | return 0; |
243 | | #endif |
244 | 0 | #ifdef HAVE_EVP_SHA256 |
245 | 0 | case LDNS_SHA256: |
246 | 0 | return SHA256_DIGEST_LENGTH; |
247 | 0 | #endif |
248 | | #ifdef USE_GOST |
249 | | case LDNS_HASH_GOST: |
250 | | /* we support GOST if it can be loaded */ |
251 | | (void)sldns_key_EVP_load_gost_id(); |
252 | | if(EVP_get_digestbyname("md_gost94")) |
253 | | return 32; |
254 | | else return 0; |
255 | | #endif |
256 | 0 | #ifdef USE_ECDSA |
257 | 0 | case LDNS_SHA384: |
258 | 0 | return SHA384_DIGEST_LENGTH; |
259 | 0 | #endif |
260 | 0 | default: break; |
261 | 0 | } |
262 | 0 | return 0; |
263 | 0 | } |
264 | | |
265 | | #ifdef USE_GOST |
266 | | /** Perform GOST hash */ |
267 | | static int |
268 | | do_gost94(unsigned char* data, size_t len, unsigned char* dest) |
269 | | { |
270 | | const EVP_MD* md = EVP_get_digestbyname("md_gost94"); |
271 | | if(!md) |
272 | | return 0; |
273 | | return sldns_digest_evp(data, (unsigned int)len, dest, md); |
274 | | } |
275 | | #endif |
276 | | |
277 | | int |
278 | | secalgo_ds_digest(int algo, unsigned char* buf, size_t len, |
279 | | unsigned char* res) |
280 | 0 | { |
281 | 0 | switch(algo) { |
282 | 0 | #if defined(HAVE_EVP_SHA1) && defined(USE_SHA1) |
283 | 0 | case LDNS_SHA1: |
284 | | #ifdef OPENSSL_FIPS |
285 | | if(!sldns_digest_evp(buf, len, res, EVP_sha1())) |
286 | | log_crypto_error("could not digest with EVP_sha1", |
287 | | ERR_get_error()); |
288 | | #else |
289 | 0 | (void)SHA1(buf, len, res); |
290 | 0 | #endif |
291 | 0 | return 1; |
292 | 0 | #endif |
293 | 0 | #ifdef HAVE_EVP_SHA256 |
294 | 0 | case LDNS_SHA256: |
295 | | #ifdef OPENSSL_FIPS |
296 | | if(!sldns_digest_evp(buf, len, res, EVP_sha256())) |
297 | | log_crypto_error("could not digest with EVP_sha256", |
298 | | ERR_get_error()); |
299 | | #else |
300 | 0 | (void)SHA256(buf, len, res); |
301 | 0 | #endif |
302 | 0 | return 1; |
303 | 0 | #endif |
304 | | #ifdef USE_GOST |
305 | | case LDNS_HASH_GOST: |
306 | | if(do_gost94(buf, len, res)) |
307 | | return 1; |
308 | | break; |
309 | | #endif |
310 | 0 | #ifdef USE_ECDSA |
311 | 0 | case LDNS_SHA384: |
312 | | #ifdef OPENSSL_FIPS |
313 | | if(!sldns_digest_evp(buf, len, res, EVP_sha384())) |
314 | | log_crypto_error("could not digest with EVP_sha384", |
315 | | ERR_get_error()); |
316 | | #else |
317 | 0 | (void)SHA384(buf, len, res); |
318 | 0 | #endif |
319 | 0 | return 1; |
320 | 0 | #endif |
321 | 0 | default: |
322 | 0 | verbose(VERB_QUERY, "unknown DS digest algorithm %d", |
323 | 0 | algo); |
324 | 0 | break; |
325 | 0 | } |
326 | 0 | return 0; |
327 | 0 | } |
328 | | |
329 | | /** return true if DNSKEY algorithm id is supported */ |
330 | | int |
331 | | dnskey_algo_id_is_supported(int id) |
332 | 0 | { |
333 | 0 | switch(id) { |
334 | 0 | case LDNS_RSAMD5: |
335 | | /* RFC 6725 deprecates RSAMD5 */ |
336 | 0 | return 0; |
337 | 0 | case LDNS_DSA: |
338 | 0 | case LDNS_DSA_NSEC3: |
339 | | #if defined(USE_DSA) && defined(USE_SHA1) |
340 | | return 1; |
341 | | #else |
342 | 0 | if(fake_dsa || fake_sha1) return 1; |
343 | 0 | return 0; |
344 | 0 | #endif |
345 | | |
346 | 0 | case LDNS_RSASHA1: |
347 | 0 | case LDNS_RSASHA1_NSEC3: |
348 | 0 | #ifdef USE_SHA1 |
349 | | #ifdef HAVE_EVP_DEFAULT_PROPERTIES_IS_FIPS_ENABLED |
350 | | return !EVP_default_properties_is_fips_enabled(NULL); |
351 | | #else |
352 | 0 | return 1; |
353 | 0 | #endif |
354 | | #else |
355 | | if(fake_sha1) return 1; |
356 | | return 0; |
357 | | #endif |
358 | | |
359 | 0 | #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2) |
360 | 0 | case LDNS_RSASHA256: |
361 | 0 | #endif |
362 | 0 | #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2) |
363 | 0 | case LDNS_RSASHA512: |
364 | 0 | #endif |
365 | 0 | #ifdef USE_ECDSA |
366 | 0 | case LDNS_ECDSAP256SHA256: |
367 | 0 | case LDNS_ECDSAP384SHA384: |
368 | 0 | #endif |
369 | 0 | #if (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2)) || defined(USE_ECDSA) |
370 | 0 | return 1; |
371 | 0 | #endif |
372 | 0 | #ifdef USE_ED25519 |
373 | 0 | case LDNS_ED25519: |
374 | 0 | #endif |
375 | 0 | #ifdef USE_ED448 |
376 | 0 | case LDNS_ED448: |
377 | 0 | #endif |
378 | 0 | #if defined(USE_ED25519) || defined(USE_ED448) |
379 | | #ifdef HAVE_EVP_DEFAULT_PROPERTIES_IS_FIPS_ENABLED |
380 | | return !EVP_default_properties_is_fips_enabled(NULL); |
381 | | #else |
382 | 0 | return 1; |
383 | 0 | #endif |
384 | 0 | #endif |
385 | | |
386 | | #ifdef USE_GOST |
387 | | case LDNS_ECC_GOST: |
388 | | /* we support GOST if it can be loaded */ |
389 | | return sldns_key_EVP_load_gost_id(); |
390 | | #endif |
391 | 0 | default: |
392 | 0 | return 0; |
393 | 0 | } |
394 | 0 | } |
395 | | |
396 | | #ifdef USE_DSA |
397 | | /** |
398 | | * Setup DSA key digest in DER encoding ... |
399 | | * @param sig: input is signature output alloced ptr (unless failure). |
400 | | * caller must free alloced ptr if this routine returns true. |
401 | | * @param len: input is initial siglen, output is output len. |
402 | | * @return false on failure. |
403 | | */ |
404 | | static int |
405 | | setup_dsa_sig(unsigned char** sig, unsigned int* len) |
406 | | { |
407 | | unsigned char* orig = *sig; |
408 | | unsigned int origlen = *len; |
409 | | int newlen; |
410 | | BIGNUM *R, *S; |
411 | | DSA_SIG *dsasig; |
412 | | |
413 | | /* extract the R and S field from the sig buffer */ |
414 | | if(origlen < 1 + 2*SHA_DIGEST_LENGTH) |
415 | | return 0; |
416 | | R = BN_new(); |
417 | | if(!R) return 0; |
418 | | (void) BN_bin2bn(orig + 1, SHA_DIGEST_LENGTH, R); |
419 | | S = BN_new(); |
420 | | if(!S) return 0; |
421 | | (void) BN_bin2bn(orig + 21, SHA_DIGEST_LENGTH, S); |
422 | | dsasig = DSA_SIG_new(); |
423 | | if(!dsasig) return 0; |
424 | | |
425 | | #ifdef HAVE_DSA_SIG_SET0 |
426 | | if(!DSA_SIG_set0(dsasig, R, S)) { |
427 | | DSA_SIG_free(dsasig); |
428 | | return 0; |
429 | | } |
430 | | #else |
431 | | # ifndef S_SPLINT_S |
432 | | dsasig->r = R; |
433 | | dsasig->s = S; |
434 | | # endif /* S_SPLINT_S */ |
435 | | #endif |
436 | | *sig = NULL; |
437 | | newlen = i2d_DSA_SIG(dsasig, sig); |
438 | | if(newlen < 0) { |
439 | | DSA_SIG_free(dsasig); |
440 | | free(*sig); |
441 | | return 0; |
442 | | } |
443 | | *len = (unsigned int)newlen; |
444 | | DSA_SIG_free(dsasig); |
445 | | return 1; |
446 | | } |
447 | | #endif /* USE_DSA */ |
448 | | |
449 | | #ifdef USE_ECDSA |
450 | | /** |
451 | | * Setup the ECDSA signature in its encoding that the library wants. |
452 | | * Converts from plain numbers to ASN formatted. |
453 | | * @param sig: input is signature, output alloced ptr (unless failure). |
454 | | * caller must free alloced ptr if this routine returns true. |
455 | | * @param len: input is initial siglen, output is output len. |
456 | | * @return false on failure. |
457 | | */ |
458 | | static int |
459 | | setup_ecdsa_sig(unsigned char** sig, unsigned int* len) |
460 | 0 | { |
461 | | /* convert from two BIGNUMs in the rdata buffer, to ASN notation. |
462 | | * ASN preamble: 30440220 <R 32bytefor256> 0220 <S 32bytefor256> |
463 | | * the '20' is the length of that field (=bnsize). |
464 | | i * the '44' is the total remaining length. |
465 | | * if negative, start with leading zero. |
466 | | * if starts with 00s, remove them from the number. |
467 | | */ |
468 | 0 | uint8_t pre[] = {0x30, 0x44, 0x02, 0x20}; |
469 | 0 | int pre_len = 4; |
470 | 0 | uint8_t mid[] = {0x02, 0x20}; |
471 | 0 | int mid_len = 2; |
472 | 0 | int raw_sig_len, r_high, s_high, r_rem=0, s_rem=0; |
473 | 0 | int bnsize = (int)((*len)/2); |
474 | 0 | unsigned char* d = *sig; |
475 | 0 | uint8_t* p; |
476 | | /* if too short or not even length, fails */ |
477 | 0 | if(*len < 16 || bnsize*2 != (int)*len) |
478 | 0 | return 0; |
479 | | |
480 | | /* strip leading zeroes from r (but not last one) */ |
481 | 0 | while(r_rem < bnsize-1 && d[r_rem] == 0) |
482 | 0 | r_rem++; |
483 | | /* strip leading zeroes from s (but not last one) */ |
484 | 0 | while(s_rem < bnsize-1 && d[bnsize+s_rem] == 0) |
485 | 0 | s_rem++; |
486 | |
|
487 | 0 | r_high = ((d[0+r_rem]&0x80)?1:0); |
488 | 0 | s_high = ((d[bnsize+s_rem]&0x80)?1:0); |
489 | 0 | raw_sig_len = pre_len + r_high + bnsize - r_rem + mid_len + |
490 | 0 | s_high + bnsize - s_rem; |
491 | 0 | *sig = (unsigned char*)malloc((size_t)raw_sig_len); |
492 | 0 | if(!*sig) |
493 | 0 | return 0; |
494 | 0 | p = (uint8_t*)*sig; |
495 | 0 | p[0] = pre[0]; |
496 | 0 | p[1] = (uint8_t)(raw_sig_len-2); |
497 | 0 | p[2] = pre[2]; |
498 | 0 | p[3] = (uint8_t)(bnsize + r_high - r_rem); |
499 | 0 | p += 4; |
500 | 0 | if(r_high) { |
501 | 0 | *p = 0; |
502 | 0 | p += 1; |
503 | 0 | } |
504 | 0 | memmove(p, d+r_rem, (size_t)bnsize-r_rem); |
505 | 0 | p += bnsize-r_rem; |
506 | 0 | memmove(p, mid, (size_t)mid_len-1); |
507 | 0 | p += mid_len-1; |
508 | 0 | *p = (uint8_t)(bnsize + s_high - s_rem); |
509 | 0 | p += 1; |
510 | 0 | if(s_high) { |
511 | 0 | *p = 0; |
512 | 0 | p += 1; |
513 | 0 | } |
514 | 0 | memmove(p, d+bnsize+s_rem, (size_t)bnsize-s_rem); |
515 | 0 | *len = (unsigned int)raw_sig_len; |
516 | 0 | return 1; |
517 | 0 | } |
518 | | #endif /* USE_ECDSA */ |
519 | | |
520 | | #ifdef USE_ECDSA_EVP_WORKAROUND |
521 | | static EVP_MD ecdsa_evp_256_md; |
522 | | static EVP_MD ecdsa_evp_384_md; |
523 | | void ecdsa_evp_workaround_init(void) |
524 | | { |
525 | | /* openssl before 1.0.0 fixes RSA with the SHA256 |
526 | | * hash in EVP. We create one for ecdsa_sha256 */ |
527 | | ecdsa_evp_256_md = *EVP_sha256(); |
528 | | ecdsa_evp_256_md.required_pkey_type[0] = EVP_PKEY_EC; |
529 | | ecdsa_evp_256_md.verify = (void*)ECDSA_verify; |
530 | | |
531 | | ecdsa_evp_384_md = *EVP_sha384(); |
532 | | ecdsa_evp_384_md.required_pkey_type[0] = EVP_PKEY_EC; |
533 | | ecdsa_evp_384_md.verify = (void*)ECDSA_verify; |
534 | | } |
535 | | #endif /* USE_ECDSA_EVP_WORKAROUND */ |
536 | | |
537 | | /** |
538 | | * Setup key and digest for verification. Adjust sig if necessary. |
539 | | * |
540 | | * @param algo: key algorithm |
541 | | * @param evp_key: EVP PKEY public key to create. |
542 | | * @param digest_type: digest type to use |
543 | | * @param key: key to setup for. |
544 | | * @param keylen: length of key. |
545 | | * @return false on failure. |
546 | | */ |
547 | | static int |
548 | | setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type, |
549 | | unsigned char* key, size_t keylen) |
550 | 0 | { |
551 | 0 | switch(algo) { |
552 | | #if defined(USE_DSA) && defined(USE_SHA1) |
553 | | case LDNS_DSA: |
554 | | case LDNS_DSA_NSEC3: |
555 | | *evp_key = sldns_key_dsa2pkey_raw(key, keylen); |
556 | | if(!*evp_key) { |
557 | | verbose(VERB_QUERY, "verify: sldns_key_dsa2pkey failed"); |
558 | | return 0; |
559 | | } |
560 | | #ifdef HAVE_EVP_DSS1 |
561 | | *digest_type = EVP_dss1(); |
562 | | #else |
563 | | *digest_type = EVP_sha1(); |
564 | | #endif |
565 | | |
566 | | break; |
567 | | #endif /* USE_DSA && USE_SHA1 */ |
568 | | |
569 | 0 | #if defined(USE_SHA1) || (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2)) |
570 | 0 | #ifdef USE_SHA1 |
571 | 0 | case LDNS_RSASHA1: |
572 | 0 | case LDNS_RSASHA1_NSEC3: |
573 | 0 | #endif |
574 | 0 | #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2) |
575 | 0 | case LDNS_RSASHA256: |
576 | 0 | #endif |
577 | 0 | #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2) |
578 | 0 | case LDNS_RSASHA512: |
579 | 0 | #endif |
580 | 0 | *evp_key = sldns_key_rsa2pkey_raw(key, keylen); |
581 | 0 | if(!*evp_key) { |
582 | 0 | verbose(VERB_QUERY, "verify: sldns_key_rsa2pkey SHA failed"); |
583 | 0 | return 0; |
584 | 0 | } |
585 | | |
586 | | /* select SHA version */ |
587 | 0 | #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2) |
588 | 0 | if(algo == LDNS_RSASHA256) |
589 | 0 | *digest_type = EVP_sha256(); |
590 | 0 | else |
591 | 0 | #endif |
592 | 0 | #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2) |
593 | 0 | if(algo == LDNS_RSASHA512) |
594 | 0 | *digest_type = EVP_sha512(); |
595 | 0 | else |
596 | 0 | #endif |
597 | 0 | #ifdef USE_SHA1 |
598 | 0 | *digest_type = EVP_sha1(); |
599 | | #else |
600 | | { verbose(VERB_QUERY, "no digest available"); return 0; } |
601 | | #endif |
602 | 0 | break; |
603 | 0 | #endif /* defined(USE_SHA1) || (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2)) */ |
604 | | |
605 | 0 | case LDNS_RSAMD5: |
606 | 0 | *evp_key = sldns_key_rsa2pkey_raw(key, keylen); |
607 | 0 | if(!*evp_key) { |
608 | 0 | verbose(VERB_QUERY, "verify: sldns_key_rsa2pkey MD5 failed"); |
609 | 0 | return 0; |
610 | 0 | } |
611 | 0 | *digest_type = EVP_md5(); |
612 | |
|
613 | 0 | break; |
614 | | #ifdef USE_GOST |
615 | | case LDNS_ECC_GOST: |
616 | | *evp_key = sldns_gost2pkey_raw(key, keylen); |
617 | | if(!*evp_key) { |
618 | | verbose(VERB_QUERY, "verify: " |
619 | | "sldns_gost2pkey_raw failed"); |
620 | | return 0; |
621 | | } |
622 | | *digest_type = EVP_get_digestbyname("md_gost94"); |
623 | | if(!*digest_type) { |
624 | | verbose(VERB_QUERY, "verify: " |
625 | | "EVP_getdigest md_gost94 failed"); |
626 | | return 0; |
627 | | } |
628 | | break; |
629 | | #endif |
630 | 0 | #ifdef USE_ECDSA |
631 | 0 | case LDNS_ECDSAP256SHA256: |
632 | 0 | *evp_key = sldns_ecdsa2pkey_raw(key, keylen, |
633 | 0 | LDNS_ECDSAP256SHA256); |
634 | 0 | if(!*evp_key) { |
635 | 0 | verbose(VERB_QUERY, "verify: " |
636 | 0 | "sldns_ecdsa2pkey_raw failed"); |
637 | 0 | return 0; |
638 | 0 | } |
639 | | #ifdef USE_ECDSA_EVP_WORKAROUND |
640 | | *digest_type = &ecdsa_evp_256_md; |
641 | | #else |
642 | 0 | *digest_type = EVP_sha256(); |
643 | 0 | #endif |
644 | 0 | break; |
645 | 0 | case LDNS_ECDSAP384SHA384: |
646 | 0 | *evp_key = sldns_ecdsa2pkey_raw(key, keylen, |
647 | 0 | LDNS_ECDSAP384SHA384); |
648 | 0 | if(!*evp_key) { |
649 | 0 | verbose(VERB_QUERY, "verify: " |
650 | 0 | "sldns_ecdsa2pkey_raw failed"); |
651 | 0 | return 0; |
652 | 0 | } |
653 | | #ifdef USE_ECDSA_EVP_WORKAROUND |
654 | | *digest_type = &ecdsa_evp_384_md; |
655 | | #else |
656 | 0 | *digest_type = EVP_sha384(); |
657 | 0 | #endif |
658 | 0 | break; |
659 | 0 | #endif /* USE_ECDSA */ |
660 | 0 | #ifdef USE_ED25519 |
661 | 0 | case LDNS_ED25519: |
662 | 0 | *evp_key = sldns_ed255192pkey_raw(key, keylen); |
663 | 0 | if(!*evp_key) { |
664 | 0 | verbose(VERB_QUERY, "verify: " |
665 | 0 | "sldns_ed255192pkey_raw failed"); |
666 | 0 | return 0; |
667 | 0 | } |
668 | 0 | *digest_type = NULL; |
669 | 0 | break; |
670 | 0 | #endif /* USE_ED25519 */ |
671 | 0 | #ifdef USE_ED448 |
672 | 0 | case LDNS_ED448: |
673 | 0 | *evp_key = sldns_ed4482pkey_raw(key, keylen); |
674 | 0 | if(!*evp_key) { |
675 | 0 | verbose(VERB_QUERY, "verify: " |
676 | 0 | "sldns_ed4482pkey_raw failed"); |
677 | 0 | return 0; |
678 | 0 | } |
679 | 0 | *digest_type = NULL; |
680 | 0 | break; |
681 | 0 | #endif /* USE_ED448 */ |
682 | 0 | default: |
683 | 0 | verbose(VERB_QUERY, "verify: unknown algorithm %d", |
684 | 0 | algo); |
685 | 0 | return 0; |
686 | 0 | } |
687 | 0 | return 1; |
688 | 0 | } |
689 | | |
690 | | static void |
691 | | digest_ctx_free(EVP_MD_CTX* ctx, EVP_PKEY *evp_key, |
692 | | unsigned char* sigblock, int dofree, int docrypto_free) |
693 | 0 | { |
694 | 0 | #ifdef HAVE_EVP_MD_CTX_NEW |
695 | 0 | EVP_MD_CTX_destroy(ctx); |
696 | | #else |
697 | | EVP_MD_CTX_cleanup(ctx); |
698 | | free(ctx); |
699 | | #endif |
700 | 0 | EVP_PKEY_free(evp_key); |
701 | 0 | if(dofree) free(sigblock); |
702 | 0 | else if(docrypto_free) OPENSSL_free(sigblock); |
703 | 0 | } |
704 | | |
705 | | static enum sec_status |
706 | | digest_error_status(const char *str) |
707 | 0 | { |
708 | 0 | unsigned long e = ERR_get_error(); |
709 | 0 | #ifdef EVP_R_INVALID_DIGEST |
710 | 0 | if (ERR_GET_LIB(e) == ERR_LIB_EVP && |
711 | 0 | ERR_GET_REASON(e) == EVP_R_INVALID_DIGEST) { |
712 | 0 | log_crypto_verbose(VERB_ALGO, str, e); |
713 | 0 | return sec_status_indeterminate; |
714 | 0 | } |
715 | 0 | #endif |
716 | 0 | log_crypto_verbose(VERB_QUERY, str, e); |
717 | 0 | return sec_status_unchecked; |
718 | 0 | } |
719 | | |
720 | | /** |
721 | | * Check a canonical sig+rrset and signature against a dnskey |
722 | | * @param buf: buffer with data to verify, the first rrsig part and the |
723 | | * canonicalized rrset. |
724 | | * @param algo: DNSKEY algorithm. |
725 | | * @param sigblock: signature rdata field from RRSIG |
726 | | * @param sigblock_len: length of sigblock data. |
727 | | * @param key: public key data from DNSKEY RR. |
728 | | * @param keylen: length of keydata. |
729 | | * @param reason: bogus reason in more detail. |
730 | | * @return secure if verification succeeded, bogus on crypto failure, |
731 | | * unchecked on format errors and alloc failures, indeterminate |
732 | | * if digest is not supported by the crypto library (openssl3+ only). |
733 | | */ |
734 | | enum sec_status |
735 | | verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock, |
736 | | unsigned int sigblock_len, unsigned char* key, unsigned int keylen, |
737 | | char** reason) |
738 | 0 | { |
739 | 0 | const EVP_MD *digest_type; |
740 | 0 | EVP_MD_CTX* ctx; |
741 | 0 | int res, dofree = 0, docrypto_free = 0; |
742 | 0 | EVP_PKEY *evp_key = NULL; |
743 | |
|
744 | 0 | #ifndef USE_DSA |
745 | 0 | if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) &&(fake_dsa||fake_sha1)) |
746 | 0 | return sec_status_secure; |
747 | 0 | #endif |
748 | | #ifndef USE_SHA1 |
749 | | if(fake_sha1 && (algo == LDNS_DSA || algo == LDNS_DSA_NSEC3 || algo == LDNS_RSASHA1 || algo == LDNS_RSASHA1_NSEC3)) |
750 | | return sec_status_secure; |
751 | | #endif |
752 | | |
753 | 0 | if(!setup_key_digest(algo, &evp_key, &digest_type, key, keylen)) { |
754 | 0 | verbose(VERB_QUERY, "verify: failed to setup key"); |
755 | 0 | *reason = "use of key for crypto failed"; |
756 | 0 | EVP_PKEY_free(evp_key); |
757 | 0 | return sec_status_bogus; |
758 | 0 | } |
759 | | #ifdef USE_DSA |
760 | | /* if it is a DSA signature in bind format, convert to DER format */ |
761 | | if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) && |
762 | | sigblock_len == 1+2*SHA_DIGEST_LENGTH) { |
763 | | if(!setup_dsa_sig(&sigblock, &sigblock_len)) { |
764 | | verbose(VERB_QUERY, "verify: failed to setup DSA sig"); |
765 | | *reason = "use of key for DSA crypto failed"; |
766 | | EVP_PKEY_free(evp_key); |
767 | | return sec_status_bogus; |
768 | | } |
769 | | docrypto_free = 1; |
770 | | } |
771 | | #endif |
772 | | #if defined(USE_ECDSA) && defined(USE_DSA) |
773 | | else |
774 | | #endif |
775 | 0 | #ifdef USE_ECDSA |
776 | 0 | if(algo == LDNS_ECDSAP256SHA256 || algo == LDNS_ECDSAP384SHA384) { |
777 | | /* EVP uses ASN prefix on sig, which is not in the wire data */ |
778 | 0 | if(!setup_ecdsa_sig(&sigblock, &sigblock_len)) { |
779 | 0 | verbose(VERB_QUERY, "verify: failed to setup ECDSA sig"); |
780 | 0 | *reason = "use of signature for ECDSA crypto failed"; |
781 | 0 | EVP_PKEY_free(evp_key); |
782 | 0 | return sec_status_bogus; |
783 | 0 | } |
784 | 0 | dofree = 1; |
785 | 0 | } |
786 | 0 | #endif /* USE_ECDSA */ |
787 | | |
788 | | /* do the signature cryptography work */ |
789 | 0 | #ifdef HAVE_EVP_MD_CTX_NEW |
790 | 0 | ctx = EVP_MD_CTX_new(); |
791 | | #else |
792 | | ctx = (EVP_MD_CTX*)malloc(sizeof(*ctx)); |
793 | | if(ctx) EVP_MD_CTX_init(ctx); |
794 | | #endif |
795 | 0 | if(!ctx) { |
796 | 0 | log_err("EVP_MD_CTX_new: malloc failure"); |
797 | 0 | EVP_PKEY_free(evp_key); |
798 | 0 | if(dofree) free(sigblock); |
799 | 0 | else if(docrypto_free) OPENSSL_free(sigblock); |
800 | 0 | return sec_status_unchecked; |
801 | 0 | } |
802 | | #ifndef HAVE_EVP_DIGESTVERIFY |
803 | | if(EVP_DigestInit(ctx, digest_type) == 0) { |
804 | | enum sec_status sec; |
805 | | sec = digest_error_status("verify: EVP_DigestInit failed"); |
806 | | digest_ctx_free(ctx, evp_key, sigblock, |
807 | | dofree, docrypto_free); |
808 | | return sec; |
809 | | } |
810 | | if(EVP_DigestUpdate(ctx, (unsigned char*)sldns_buffer_begin(buf), |
811 | | (unsigned int)sldns_buffer_limit(buf)) == 0) { |
812 | | log_crypto_verbose(VERB_QUERY, "verify: EVP_DigestUpdate failed", |
813 | | ERR_get_error()); |
814 | | digest_ctx_free(ctx, evp_key, sigblock, |
815 | | dofree, docrypto_free); |
816 | | return sec_status_unchecked; |
817 | | } |
818 | | |
819 | | res = EVP_VerifyFinal(ctx, sigblock, sigblock_len, evp_key); |
820 | | #else /* HAVE_EVP_DIGESTVERIFY */ |
821 | 0 | if(EVP_DigestVerifyInit(ctx, NULL, digest_type, NULL, evp_key) == 0) { |
822 | 0 | enum sec_status sec; |
823 | 0 | sec = digest_error_status("verify: EVP_DigestVerifyInit failed"); |
824 | 0 | digest_ctx_free(ctx, evp_key, sigblock, |
825 | 0 | dofree, docrypto_free); |
826 | 0 | return sec; |
827 | 0 | } |
828 | 0 | res = EVP_DigestVerify(ctx, sigblock, sigblock_len, |
829 | 0 | (unsigned char*)sldns_buffer_begin(buf), |
830 | 0 | sldns_buffer_limit(buf)); |
831 | 0 | #endif |
832 | 0 | digest_ctx_free(ctx, evp_key, sigblock, |
833 | 0 | dofree, docrypto_free); |
834 | |
|
835 | 0 | if(res == 1) { |
836 | 0 | return sec_status_secure; |
837 | 0 | } else if(res == 0) { |
838 | 0 | verbose(VERB_QUERY, "verify: signature mismatch"); |
839 | 0 | *reason = "signature crypto failed"; |
840 | 0 | return sec_status_bogus; |
841 | 0 | } |
842 | | |
843 | 0 | log_crypto_error("verify:", ERR_get_error()); |
844 | 0 | return sec_status_unchecked; |
845 | 0 | } |
846 | | |
847 | | /**************************************************/ |
848 | | #elif defined(HAVE_NSS) |
849 | | /* libnss implementation */ |
850 | | /* nss3 */ |
851 | | #include "sechash.h" |
852 | | #include "pk11pub.h" |
853 | | #include "keyhi.h" |
854 | | #include "secerr.h" |
855 | | #include "cryptohi.h" |
856 | | /* nspr4 */ |
857 | | #include "prerror.h" |
858 | | |
859 | | /* return size of digest if supported, or 0 otherwise */ |
860 | | size_t |
861 | | nsec3_hash_algo_size_supported(int id) |
862 | | { |
863 | | switch(id) { |
864 | | case NSEC3_HASH_SHA1: |
865 | | return SHA1_LENGTH; |
866 | | default: |
867 | | return 0; |
868 | | } |
869 | | } |
870 | | |
871 | | /* perform nsec3 hash. return false on failure */ |
872 | | int |
873 | | secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len, |
874 | | unsigned char* res) |
875 | | { |
876 | | switch(algo) { |
877 | | case NSEC3_HASH_SHA1: |
878 | | (void)HASH_HashBuf(HASH_AlgSHA1, res, buf, (unsigned long)len); |
879 | | return 1; |
880 | | default: |
881 | | return 0; |
882 | | } |
883 | | } |
884 | | |
885 | | void |
886 | | secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res) |
887 | | { |
888 | | (void)HASH_HashBuf(HASH_AlgSHA256, res, buf, (unsigned long)len); |
889 | | } |
890 | | |
891 | | /** the secalgo hash structure */ |
892 | | struct secalgo_hash { |
893 | | /** hash context */ |
894 | | HASHContext* ctx; |
895 | | }; |
896 | | |
897 | | /** create hash struct of type */ |
898 | | static struct secalgo_hash* secalgo_hash_create_type(HASH_HashType tp) |
899 | | { |
900 | | struct secalgo_hash* h = calloc(1, sizeof(*h)); |
901 | | if(!h) |
902 | | return NULL; |
903 | | h->ctx = HASH_Create(tp); |
904 | | if(!h->ctx) { |
905 | | free(h); |
906 | | return NULL; |
907 | | } |
908 | | return h; |
909 | | } |
910 | | |
911 | | struct secalgo_hash* secalgo_hash_create_sha384(void) |
912 | | { |
913 | | return secalgo_hash_create_type(HASH_AlgSHA384); |
914 | | } |
915 | | |
916 | | struct secalgo_hash* secalgo_hash_create_sha512(void) |
917 | | { |
918 | | return secalgo_hash_create_type(HASH_AlgSHA512); |
919 | | } |
920 | | |
921 | | int secalgo_hash_update(struct secalgo_hash* hash, uint8_t* data, size_t len) |
922 | | { |
923 | | HASH_Update(hash->ctx, (unsigned char*)data, (unsigned int)len); |
924 | | return 1; |
925 | | } |
926 | | |
927 | | int secalgo_hash_final(struct secalgo_hash* hash, uint8_t* result, |
928 | | size_t maxlen, size_t* resultlen) |
929 | | { |
930 | | unsigned int reslen = 0; |
931 | | if(HASH_ResultLenContext(hash->ctx) > (unsigned int)maxlen) { |
932 | | *resultlen = 0; |
933 | | log_err("secalgo_hash_final: hash buffer too small"); |
934 | | return 0; |
935 | | } |
936 | | HASH_End(hash->ctx, (unsigned char*)result, &reslen, |
937 | | (unsigned int)maxlen); |
938 | | *resultlen = (size_t)reslen; |
939 | | return 1; |
940 | | } |
941 | | |
942 | | void secalgo_hash_delete(struct secalgo_hash* hash) |
943 | | { |
944 | | if(!hash) return; |
945 | | HASH_Destroy(hash->ctx); |
946 | | free(hash); |
947 | | } |
948 | | |
949 | | size_t |
950 | | ds_digest_size_supported(int algo) |
951 | | { |
952 | | /* uses libNSS */ |
953 | | switch(algo) { |
954 | | #ifdef USE_SHA1 |
955 | | case LDNS_SHA1: |
956 | | return SHA1_LENGTH; |
957 | | #endif |
958 | | #ifdef USE_SHA2 |
959 | | case LDNS_SHA256: |
960 | | return SHA256_LENGTH; |
961 | | #endif |
962 | | #ifdef USE_ECDSA |
963 | | case LDNS_SHA384: |
964 | | return SHA384_LENGTH; |
965 | | #endif |
966 | | /* GOST not supported in NSS */ |
967 | | case LDNS_HASH_GOST: |
968 | | default: break; |
969 | | } |
970 | | return 0; |
971 | | } |
972 | | |
973 | | int |
974 | | secalgo_ds_digest(int algo, unsigned char* buf, size_t len, |
975 | | unsigned char* res) |
976 | | { |
977 | | /* uses libNSS */ |
978 | | switch(algo) { |
979 | | #ifdef USE_SHA1 |
980 | | case LDNS_SHA1: |
981 | | return HASH_HashBuf(HASH_AlgSHA1, res, buf, len) |
982 | | == SECSuccess; |
983 | | #endif |
984 | | #if defined(USE_SHA2) |
985 | | case LDNS_SHA256: |
986 | | return HASH_HashBuf(HASH_AlgSHA256, res, buf, len) |
987 | | == SECSuccess; |
988 | | #endif |
989 | | #ifdef USE_ECDSA |
990 | | case LDNS_SHA384: |
991 | | return HASH_HashBuf(HASH_AlgSHA384, res, buf, len) |
992 | | == SECSuccess; |
993 | | #endif |
994 | | case LDNS_HASH_GOST: |
995 | | default: |
996 | | verbose(VERB_QUERY, "unknown DS digest algorithm %d", |
997 | | algo); |
998 | | break; |
999 | | } |
1000 | | return 0; |
1001 | | } |
1002 | | |
1003 | | int |
1004 | | dnskey_algo_id_is_supported(int id) |
1005 | | { |
1006 | | /* uses libNSS */ |
1007 | | switch(id) { |
1008 | | case LDNS_RSAMD5: |
1009 | | /* RFC 6725 deprecates RSAMD5 */ |
1010 | | return 0; |
1011 | | #if defined(USE_SHA1) || defined(USE_SHA2) |
1012 | | #if defined(USE_DSA) && defined(USE_SHA1) |
1013 | | case LDNS_DSA: |
1014 | | case LDNS_DSA_NSEC3: |
1015 | | #endif |
1016 | | #ifdef USE_SHA1 |
1017 | | case LDNS_RSASHA1: |
1018 | | case LDNS_RSASHA1_NSEC3: |
1019 | | #endif |
1020 | | #ifdef USE_SHA2 |
1021 | | case LDNS_RSASHA256: |
1022 | | #endif |
1023 | | #ifdef USE_SHA2 |
1024 | | case LDNS_RSASHA512: |
1025 | | #endif |
1026 | | return 1; |
1027 | | #endif /* SHA1 or SHA2 */ |
1028 | | |
1029 | | #ifdef USE_ECDSA |
1030 | | case LDNS_ECDSAP256SHA256: |
1031 | | case LDNS_ECDSAP384SHA384: |
1032 | | return PK11_TokenExists(CKM_ECDSA); |
1033 | | #endif |
1034 | | case LDNS_ECC_GOST: |
1035 | | default: |
1036 | | return 0; |
1037 | | } |
1038 | | } |
1039 | | |
1040 | | /* return a new public key for NSS */ |
1041 | | static SECKEYPublicKey* nss_key_create(KeyType ktype) |
1042 | | { |
1043 | | SECKEYPublicKey* key; |
1044 | | PLArenaPool* arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); |
1045 | | if(!arena) { |
1046 | | log_err("out of memory, PORT_NewArena failed"); |
1047 | | return NULL; |
1048 | | } |
1049 | | key = PORT_ArenaZNew(arena, SECKEYPublicKey); |
1050 | | if(!key) { |
1051 | | log_err("out of memory, PORT_ArenaZNew failed"); |
1052 | | PORT_FreeArena(arena, PR_FALSE); |
1053 | | return NULL; |
1054 | | } |
1055 | | key->arena = arena; |
1056 | | key->keyType = ktype; |
1057 | | key->pkcs11Slot = NULL; |
1058 | | key->pkcs11ID = CK_INVALID_HANDLE; |
1059 | | return key; |
1060 | | } |
1061 | | |
1062 | | static SECKEYPublicKey* nss_buf2ecdsa(unsigned char* key, size_t len, int algo) |
1063 | | { |
1064 | | SECKEYPublicKey* pk; |
1065 | | SECItem pub = {siBuffer, NULL, 0}; |
1066 | | SECItem params = {siBuffer, NULL, 0}; |
1067 | | static unsigned char param256[] = { |
1068 | | /* OBJECTIDENTIFIER 1.2.840.10045.3.1.7 (P-256) |
1069 | | * {iso(1) member-body(2) us(840) ansi-x962(10045) curves(3) prime(1) prime256v1(7)} */ |
1070 | | 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07 |
1071 | | }; |
1072 | | static unsigned char param384[] = { |
1073 | | /* OBJECTIDENTIFIER 1.3.132.0.34 (P-384) |
1074 | | * {iso(1) identified-organization(3) certicom(132) curve(0) ansip384r1(34)} */ |
1075 | | 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22 |
1076 | | }; |
1077 | | unsigned char buf[256+2]; /* sufficient for 2*384/8+1 */ |
1078 | | |
1079 | | /* check length, which uncompressed must be 2 bignums */ |
1080 | | if(algo == LDNS_ECDSAP256SHA256) { |
1081 | | if(len != 2*256/8) return NULL; |
1082 | | /* ECCurve_X9_62_PRIME_256V1 */ |
1083 | | } else if(algo == LDNS_ECDSAP384SHA384) { |
1084 | | if(len != 2*384/8) return NULL; |
1085 | | /* ECCurve_X9_62_PRIME_384R1 */ |
1086 | | } else return NULL; |
1087 | | |
1088 | | buf[0] = 0x04; /* POINT_FORM_UNCOMPRESSED */ |
1089 | | memmove(buf+1, key, len); |
1090 | | pub.data = buf; |
1091 | | pub.len = len+1; |
1092 | | if(algo == LDNS_ECDSAP256SHA256) { |
1093 | | params.data = param256; |
1094 | | params.len = sizeof(param256); |
1095 | | } else { |
1096 | | params.data = param384; |
1097 | | params.len = sizeof(param384); |
1098 | | } |
1099 | | |
1100 | | pk = nss_key_create(ecKey); |
1101 | | if(!pk) |
1102 | | return NULL; |
1103 | | pk->u.ec.size = (len/2)*8; |
1104 | | if(SECITEM_CopyItem(pk->arena, &pk->u.ec.publicValue, &pub)) { |
1105 | | SECKEY_DestroyPublicKey(pk); |
1106 | | return NULL; |
1107 | | } |
1108 | | if(SECITEM_CopyItem(pk->arena, &pk->u.ec.DEREncodedParams, ¶ms)) { |
1109 | | SECKEY_DestroyPublicKey(pk); |
1110 | | return NULL; |
1111 | | } |
1112 | | |
1113 | | return pk; |
1114 | | } |
1115 | | |
1116 | | #if defined(USE_DSA) && defined(USE_SHA1) |
1117 | | static SECKEYPublicKey* nss_buf2dsa(unsigned char* key, size_t len) |
1118 | | { |
1119 | | SECKEYPublicKey* pk; |
1120 | | uint8_t T; |
1121 | | uint16_t length; |
1122 | | uint16_t offset; |
1123 | | SECItem Q = {siBuffer, NULL, 0}; |
1124 | | SECItem P = {siBuffer, NULL, 0}; |
1125 | | SECItem G = {siBuffer, NULL, 0}; |
1126 | | SECItem Y = {siBuffer, NULL, 0}; |
1127 | | |
1128 | | if(len == 0) |
1129 | | return NULL; |
1130 | | T = (uint8_t)key[0]; |
1131 | | length = (64 + T * 8); |
1132 | | offset = 1; |
1133 | | |
1134 | | if (T > 8) { |
1135 | | return NULL; |
1136 | | } |
1137 | | if(len < (size_t)1 + SHA1_LENGTH + 3*length) |
1138 | | return NULL; |
1139 | | |
1140 | | Q.data = key+offset; |
1141 | | Q.len = SHA1_LENGTH; |
1142 | | offset += SHA1_LENGTH; |
1143 | | |
1144 | | P.data = key+offset; |
1145 | | P.len = length; |
1146 | | offset += length; |
1147 | | |
1148 | | G.data = key+offset; |
1149 | | G.len = length; |
1150 | | offset += length; |
1151 | | |
1152 | | Y.data = key+offset; |
1153 | | Y.len = length; |
1154 | | offset += length; |
1155 | | |
1156 | | pk = nss_key_create(dsaKey); |
1157 | | if(!pk) |
1158 | | return NULL; |
1159 | | if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.prime, &P)) { |
1160 | | SECKEY_DestroyPublicKey(pk); |
1161 | | return NULL; |
1162 | | } |
1163 | | if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.subPrime, &Q)) { |
1164 | | SECKEY_DestroyPublicKey(pk); |
1165 | | return NULL; |
1166 | | } |
1167 | | if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.base, &G)) { |
1168 | | SECKEY_DestroyPublicKey(pk); |
1169 | | return NULL; |
1170 | | } |
1171 | | if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.publicValue, &Y)) { |
1172 | | SECKEY_DestroyPublicKey(pk); |
1173 | | return NULL; |
1174 | | } |
1175 | | return pk; |
1176 | | } |
1177 | | #endif /* USE_DSA && USE_SHA1 */ |
1178 | | |
1179 | | static SECKEYPublicKey* nss_buf2rsa(unsigned char* key, size_t len) |
1180 | | { |
1181 | | SECKEYPublicKey* pk; |
1182 | | uint16_t exp; |
1183 | | uint16_t offset; |
1184 | | uint16_t int16; |
1185 | | SECItem modulus = {siBuffer, NULL, 0}; |
1186 | | SECItem exponent = {siBuffer, NULL, 0}; |
1187 | | if(len == 0) |
1188 | | return NULL; |
1189 | | if(key[0] == 0) { |
1190 | | if(len < 3) |
1191 | | return NULL; |
1192 | | /* the exponent is too large so it's places further */ |
1193 | | memmove(&int16, key+1, 2); |
1194 | | exp = ntohs(int16); |
1195 | | offset = 3; |
1196 | | } else { |
1197 | | exp = key[0]; |
1198 | | offset = 1; |
1199 | | } |
1200 | | |
1201 | | /* key length at least one */ |
1202 | | if(len < (size_t)offset + exp + 1) |
1203 | | return NULL; |
1204 | | |
1205 | | exponent.data = key+offset; |
1206 | | exponent.len = exp; |
1207 | | offset += exp; |
1208 | | modulus.data = key+offset; |
1209 | | modulus.len = (len - offset); |
1210 | | |
1211 | | pk = nss_key_create(rsaKey); |
1212 | | if(!pk) |
1213 | | return NULL; |
1214 | | if(SECITEM_CopyItem(pk->arena, &pk->u.rsa.modulus, &modulus)) { |
1215 | | SECKEY_DestroyPublicKey(pk); |
1216 | | return NULL; |
1217 | | } |
1218 | | if(SECITEM_CopyItem(pk->arena, &pk->u.rsa.publicExponent, &exponent)) { |
1219 | | SECKEY_DestroyPublicKey(pk); |
1220 | | return NULL; |
1221 | | } |
1222 | | return pk; |
1223 | | } |
1224 | | |
1225 | | /** |
1226 | | * Setup key and digest for verification. Adjust sig if necessary. |
1227 | | * |
1228 | | * @param algo: key algorithm |
1229 | | * @param evp_key: EVP PKEY public key to create. |
1230 | | * @param digest_type: digest type to use |
1231 | | * @param key: key to setup for. |
1232 | | * @param keylen: length of key. |
1233 | | * @param prefix: if returned, the ASN prefix for the hashblob. |
1234 | | * @param prefixlen: length of the prefix. |
1235 | | * @return false on failure. |
1236 | | */ |
1237 | | static int |
1238 | | nss_setup_key_digest(int algo, SECKEYPublicKey** pubkey, HASH_HashType* htype, |
1239 | | unsigned char* key, size_t keylen, unsigned char** prefix, |
1240 | | size_t* prefixlen) |
1241 | | { |
1242 | | /* uses libNSS */ |
1243 | | |
1244 | | /* hash prefix for md5, RFC2537 */ |
1245 | | static unsigned char p_md5[] = {0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a, |
1246 | | 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 0x04, 0x10}; |
1247 | | /* hash prefix to prepend to hash output, from RFC3110 */ |
1248 | | static unsigned char p_sha1[] = {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B, |
1249 | | 0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14}; |
1250 | | /* from RFC5702 */ |
1251 | | static unsigned char p_sha256[] = {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, |
1252 | | 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20}; |
1253 | | static unsigned char p_sha512[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, |
1254 | | 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40}; |
1255 | | /* from RFC6234 */ |
1256 | | /* for future RSASHA384 .. |
1257 | | static unsigned char p_sha384[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, |
1258 | | 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30}; |
1259 | | */ |
1260 | | |
1261 | | switch(algo) { |
1262 | | |
1263 | | #if defined(USE_SHA1) || defined(USE_SHA2) |
1264 | | #if defined(USE_DSA) && defined(USE_SHA1) |
1265 | | case LDNS_DSA: |
1266 | | case LDNS_DSA_NSEC3: |
1267 | | *pubkey = nss_buf2dsa(key, keylen); |
1268 | | if(!*pubkey) { |
1269 | | log_err("verify: malloc failure in crypto"); |
1270 | | return 0; |
1271 | | } |
1272 | | *htype = HASH_AlgSHA1; |
1273 | | /* no prefix for DSA verification */ |
1274 | | break; |
1275 | | #endif |
1276 | | #ifdef USE_SHA1 |
1277 | | case LDNS_RSASHA1: |
1278 | | case LDNS_RSASHA1_NSEC3: |
1279 | | #endif |
1280 | | #ifdef USE_SHA2 |
1281 | | case LDNS_RSASHA256: |
1282 | | #endif |
1283 | | #ifdef USE_SHA2 |
1284 | | case LDNS_RSASHA512: |
1285 | | #endif |
1286 | | *pubkey = nss_buf2rsa(key, keylen); |
1287 | | if(!*pubkey) { |
1288 | | log_err("verify: malloc failure in crypto"); |
1289 | | return 0; |
1290 | | } |
1291 | | /* select SHA version */ |
1292 | | #ifdef USE_SHA2 |
1293 | | if(algo == LDNS_RSASHA256) { |
1294 | | *htype = HASH_AlgSHA256; |
1295 | | *prefix = p_sha256; |
1296 | | *prefixlen = sizeof(p_sha256); |
1297 | | } else |
1298 | | #endif |
1299 | | #ifdef USE_SHA2 |
1300 | | if(algo == LDNS_RSASHA512) { |
1301 | | *htype = HASH_AlgSHA512; |
1302 | | *prefix = p_sha512; |
1303 | | *prefixlen = sizeof(p_sha512); |
1304 | | } else |
1305 | | #endif |
1306 | | #ifdef USE_SHA1 |
1307 | | { |
1308 | | *htype = HASH_AlgSHA1; |
1309 | | *prefix = p_sha1; |
1310 | | *prefixlen = sizeof(p_sha1); |
1311 | | } |
1312 | | #else |
1313 | | { |
1314 | | verbose(VERB_QUERY, "verify: no digest algo"); |
1315 | | return 0; |
1316 | | } |
1317 | | #endif |
1318 | | |
1319 | | break; |
1320 | | #endif /* SHA1 or SHA2 */ |
1321 | | |
1322 | | case LDNS_RSAMD5: |
1323 | | *pubkey = nss_buf2rsa(key, keylen); |
1324 | | if(!*pubkey) { |
1325 | | log_err("verify: malloc failure in crypto"); |
1326 | | return 0; |
1327 | | } |
1328 | | *htype = HASH_AlgMD5; |
1329 | | *prefix = p_md5; |
1330 | | *prefixlen = sizeof(p_md5); |
1331 | | |
1332 | | break; |
1333 | | #ifdef USE_ECDSA |
1334 | | case LDNS_ECDSAP256SHA256: |
1335 | | *pubkey = nss_buf2ecdsa(key, keylen, |
1336 | | LDNS_ECDSAP256SHA256); |
1337 | | if(!*pubkey) { |
1338 | | log_err("verify: malloc failure in crypto"); |
1339 | | return 0; |
1340 | | } |
1341 | | *htype = HASH_AlgSHA256; |
1342 | | /* no prefix for DSA verification */ |
1343 | | break; |
1344 | | case LDNS_ECDSAP384SHA384: |
1345 | | *pubkey = nss_buf2ecdsa(key, keylen, |
1346 | | LDNS_ECDSAP384SHA384); |
1347 | | if(!*pubkey) { |
1348 | | log_err("verify: malloc failure in crypto"); |
1349 | | return 0; |
1350 | | } |
1351 | | *htype = HASH_AlgSHA384; |
1352 | | /* no prefix for DSA verification */ |
1353 | | break; |
1354 | | #endif /* USE_ECDSA */ |
1355 | | case LDNS_ECC_GOST: |
1356 | | default: |
1357 | | verbose(VERB_QUERY, "verify: unknown algorithm %d", |
1358 | | algo); |
1359 | | return 0; |
1360 | | } |
1361 | | return 1; |
1362 | | } |
1363 | | |
1364 | | /** |
1365 | | * Check a canonical sig+rrset and signature against a dnskey |
1366 | | * @param buf: buffer with data to verify, the first rrsig part and the |
1367 | | * canonicalized rrset. |
1368 | | * @param algo: DNSKEY algorithm. |
1369 | | * @param sigblock: signature rdata field from RRSIG |
1370 | | * @param sigblock_len: length of sigblock data. |
1371 | | * @param key: public key data from DNSKEY RR. |
1372 | | * @param keylen: length of keydata. |
1373 | | * @param reason: bogus reason in more detail. |
1374 | | * @return secure if verification succeeded, bogus on crypto failure, |
1375 | | * unchecked on format errors and alloc failures. |
1376 | | */ |
1377 | | enum sec_status |
1378 | | verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock, |
1379 | | unsigned int sigblock_len, unsigned char* key, unsigned int keylen, |
1380 | | char** reason) |
1381 | | { |
1382 | | /* uses libNSS */ |
1383 | | /* large enough for the different hashes */ |
1384 | | unsigned char hash[HASH_LENGTH_MAX]; |
1385 | | unsigned char hash2[HASH_LENGTH_MAX*2]; |
1386 | | HASH_HashType htype = 0; |
1387 | | SECKEYPublicKey* pubkey = NULL; |
1388 | | SECItem secsig = {siBuffer, sigblock, sigblock_len}; |
1389 | | SECItem sechash = {siBuffer, hash, 0}; |
1390 | | SECStatus res; |
1391 | | unsigned char* prefix = NULL; /* prefix for hash, RFC3110, RFC5702 */ |
1392 | | size_t prefixlen = 0; |
1393 | | int err; |
1394 | | |
1395 | | if(!nss_setup_key_digest(algo, &pubkey, &htype, key, keylen, |
1396 | | &prefix, &prefixlen)) { |
1397 | | verbose(VERB_QUERY, "verify: failed to setup key"); |
1398 | | *reason = "use of key for crypto failed"; |
1399 | | SECKEY_DestroyPublicKey(pubkey); |
1400 | | return sec_status_bogus; |
1401 | | } |
1402 | | |
1403 | | #if defined(USE_DSA) && defined(USE_SHA1) |
1404 | | /* need to convert DSA, ECDSA signatures? */ |
1405 | | if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3)) { |
1406 | | if(sigblock_len == 1+2*SHA1_LENGTH) { |
1407 | | secsig.data ++; |
1408 | | secsig.len --; |
1409 | | } else { |
1410 | | SECItem* p = DSAU_DecodeDerSig(&secsig); |
1411 | | if(!p) { |
1412 | | verbose(VERB_QUERY, "verify: failed DER decode"); |
1413 | | *reason = "signature DER decode failed"; |
1414 | | SECKEY_DestroyPublicKey(pubkey); |
1415 | | return sec_status_bogus; |
1416 | | } |
1417 | | if(SECITEM_CopyItem(pubkey->arena, &secsig, p)) { |
1418 | | log_err("alloc failure in DER decode"); |
1419 | | SECKEY_DestroyPublicKey(pubkey); |
1420 | | SECITEM_FreeItem(p, PR_TRUE); |
1421 | | return sec_status_unchecked; |
1422 | | } |
1423 | | SECITEM_FreeItem(p, PR_TRUE); |
1424 | | } |
1425 | | } |
1426 | | #endif /* USE_DSA */ |
1427 | | |
1428 | | /* do the signature cryptography work */ |
1429 | | /* hash the data */ |
1430 | | sechash.len = HASH_ResultLen(htype); |
1431 | | if(sechash.len > sizeof(hash)) { |
1432 | | verbose(VERB_QUERY, "verify: hash too large for buffer"); |
1433 | | SECKEY_DestroyPublicKey(pubkey); |
1434 | | return sec_status_unchecked; |
1435 | | } |
1436 | | if(HASH_HashBuf(htype, hash, (unsigned char*)sldns_buffer_begin(buf), |
1437 | | (unsigned int)sldns_buffer_limit(buf)) != SECSuccess) { |
1438 | | verbose(VERB_QUERY, "verify: HASH_HashBuf failed"); |
1439 | | SECKEY_DestroyPublicKey(pubkey); |
1440 | | return sec_status_unchecked; |
1441 | | } |
1442 | | if(prefix) { |
1443 | | int hashlen = sechash.len; |
1444 | | if(prefixlen+hashlen > sizeof(hash2)) { |
1445 | | verbose(VERB_QUERY, "verify: hashprefix too large"); |
1446 | | SECKEY_DestroyPublicKey(pubkey); |
1447 | | return sec_status_unchecked; |
1448 | | } |
1449 | | sechash.data = hash2; |
1450 | | sechash.len = prefixlen+hashlen; |
1451 | | memcpy(sechash.data, prefix, prefixlen); |
1452 | | memmove(sechash.data+prefixlen, hash, hashlen); |
1453 | | } |
1454 | | |
1455 | | /* verify the signature */ |
1456 | | res = PK11_Verify(pubkey, &secsig, &sechash, NULL /*wincx*/); |
1457 | | SECKEY_DestroyPublicKey(pubkey); |
1458 | | |
1459 | | if(res == SECSuccess) { |
1460 | | return sec_status_secure; |
1461 | | } |
1462 | | err = PORT_GetError(); |
1463 | | if(err != SEC_ERROR_BAD_SIGNATURE) { |
1464 | | /* failed to verify */ |
1465 | | verbose(VERB_QUERY, "verify: PK11_Verify failed: %s", |
1466 | | PORT_ErrorToString(err)); |
1467 | | /* if it is not supported, like ECC is removed, we get, |
1468 | | * SEC_ERROR_NO_MODULE */ |
1469 | | if(err == SEC_ERROR_NO_MODULE) |
1470 | | return sec_status_unchecked; |
1471 | | /* but other errors are commonly returned |
1472 | | * for a bad signature from NSS. Thus we return bogus, |
1473 | | * not unchecked */ |
1474 | | *reason = "signature crypto failed"; |
1475 | | return sec_status_bogus; |
1476 | | } |
1477 | | verbose(VERB_QUERY, "verify: signature mismatch: %s", |
1478 | | PORT_ErrorToString(err)); |
1479 | | *reason = "signature crypto failed"; |
1480 | | return sec_status_bogus; |
1481 | | } |
1482 | | |
1483 | | #elif defined(HAVE_NETTLE) |
1484 | | |
1485 | | #include "sha.h" |
1486 | | #include "bignum.h" |
1487 | | #include "macros.h" |
1488 | | #include "rsa.h" |
1489 | | #include "dsa.h" |
1490 | | #ifdef HAVE_NETTLE_DSA_COMPAT_H |
1491 | | #include "dsa-compat.h" |
1492 | | #endif |
1493 | | #include "asn1.h" |
1494 | | #ifdef USE_ECDSA |
1495 | | #include "ecdsa.h" |
1496 | | #include "ecc-curve.h" |
1497 | | #endif |
1498 | | #ifdef HAVE_NETTLE_EDDSA_H |
1499 | | #include "eddsa.h" |
1500 | | #endif |
1501 | | |
1502 | | static int |
1503 | | _digest_nettle(int algo, uint8_t* buf, size_t len, |
1504 | | unsigned char* res) |
1505 | | { |
1506 | | switch(algo) { |
1507 | | case SHA1_DIGEST_SIZE: |
1508 | | { |
1509 | | struct sha1_ctx ctx; |
1510 | | sha1_init(&ctx); |
1511 | | sha1_update(&ctx, len, buf); |
1512 | | sha1_digest(&ctx, SHA1_DIGEST_SIZE, res); |
1513 | | return 1; |
1514 | | } |
1515 | | case SHA256_DIGEST_SIZE: |
1516 | | { |
1517 | | struct sha256_ctx ctx; |
1518 | | sha256_init(&ctx); |
1519 | | sha256_update(&ctx, len, buf); |
1520 | | sha256_digest(&ctx, SHA256_DIGEST_SIZE, res); |
1521 | | return 1; |
1522 | | } |
1523 | | case SHA384_DIGEST_SIZE: |
1524 | | { |
1525 | | struct sha384_ctx ctx; |
1526 | | sha384_init(&ctx); |
1527 | | sha384_update(&ctx, len, buf); |
1528 | | sha384_digest(&ctx, SHA384_DIGEST_SIZE, res); |
1529 | | return 1; |
1530 | | } |
1531 | | case SHA512_DIGEST_SIZE: |
1532 | | { |
1533 | | struct sha512_ctx ctx; |
1534 | | sha512_init(&ctx); |
1535 | | sha512_update(&ctx, len, buf); |
1536 | | sha512_digest(&ctx, SHA512_DIGEST_SIZE, res); |
1537 | | return 1; |
1538 | | } |
1539 | | default: |
1540 | | break; |
1541 | | } |
1542 | | return 0; |
1543 | | } |
1544 | | |
1545 | | /* return size of digest if supported, or 0 otherwise */ |
1546 | | size_t |
1547 | | nsec3_hash_algo_size_supported(int id) |
1548 | | { |
1549 | | switch(id) { |
1550 | | case NSEC3_HASH_SHA1: |
1551 | | return SHA1_DIGEST_SIZE; |
1552 | | default: |
1553 | | return 0; |
1554 | | } |
1555 | | } |
1556 | | |
1557 | | /* perform nsec3 hash. return false on failure */ |
1558 | | int |
1559 | | secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len, |
1560 | | unsigned char* res) |
1561 | | { |
1562 | | switch(algo) { |
1563 | | case NSEC3_HASH_SHA1: |
1564 | | return _digest_nettle(SHA1_DIGEST_SIZE, (uint8_t*)buf, len, |
1565 | | res); |
1566 | | default: |
1567 | | return 0; |
1568 | | } |
1569 | | } |
1570 | | |
1571 | | void |
1572 | | secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res) |
1573 | | { |
1574 | | _digest_nettle(SHA256_DIGEST_SIZE, (uint8_t*)buf, len, res); |
1575 | | } |
1576 | | |
1577 | | /** secalgo hash structure */ |
1578 | | struct secalgo_hash { |
1579 | | /** if it is 384 or 512 */ |
1580 | | int active; |
1581 | | /** context for sha384 */ |
1582 | | struct sha384_ctx ctx384; |
1583 | | /** context for sha512 */ |
1584 | | struct sha512_ctx ctx512; |
1585 | | }; |
1586 | | |
1587 | | struct secalgo_hash* secalgo_hash_create_sha384(void) |
1588 | | { |
1589 | | struct secalgo_hash* h = calloc(1, sizeof(*h)); |
1590 | | if(!h) |
1591 | | return NULL; |
1592 | | h->active = 384; |
1593 | | sha384_init(&h->ctx384); |
1594 | | return h; |
1595 | | } |
1596 | | |
1597 | | struct secalgo_hash* secalgo_hash_create_sha512(void) |
1598 | | { |
1599 | | struct secalgo_hash* h = calloc(1, sizeof(*h)); |
1600 | | if(!h) |
1601 | | return NULL; |
1602 | | h->active = 512; |
1603 | | sha512_init(&h->ctx512); |
1604 | | return h; |
1605 | | } |
1606 | | |
1607 | | int secalgo_hash_update(struct secalgo_hash* hash, uint8_t* data, size_t len) |
1608 | | { |
1609 | | if(hash->active == 384) { |
1610 | | sha384_update(&hash->ctx384, len, data); |
1611 | | } else if(hash->active == 512) { |
1612 | | sha512_update(&hash->ctx512, len, data); |
1613 | | } else { |
1614 | | return 0; |
1615 | | } |
1616 | | return 1; |
1617 | | } |
1618 | | |
1619 | | int secalgo_hash_final(struct secalgo_hash* hash, uint8_t* result, |
1620 | | size_t maxlen, size_t* resultlen) |
1621 | | { |
1622 | | if(hash->active == 384) { |
1623 | | if(SHA384_DIGEST_SIZE > maxlen) { |
1624 | | *resultlen = 0; |
1625 | | log_err("secalgo_hash_final: hash buffer too small"); |
1626 | | return 0; |
1627 | | } |
1628 | | *resultlen = SHA384_DIGEST_SIZE; |
1629 | | sha384_digest(&hash->ctx384, SHA384_DIGEST_SIZE, |
1630 | | (unsigned char*)result); |
1631 | | } else if(hash->active == 512) { |
1632 | | if(SHA512_DIGEST_SIZE > maxlen) { |
1633 | | *resultlen = 0; |
1634 | | log_err("secalgo_hash_final: hash buffer too small"); |
1635 | | return 0; |
1636 | | } |
1637 | | *resultlen = SHA512_DIGEST_SIZE; |
1638 | | sha512_digest(&hash->ctx512, SHA512_DIGEST_SIZE, |
1639 | | (unsigned char*)result); |
1640 | | } else { |
1641 | | *resultlen = 0; |
1642 | | return 0; |
1643 | | } |
1644 | | return 1; |
1645 | | } |
1646 | | |
1647 | | void secalgo_hash_delete(struct secalgo_hash* hash) |
1648 | | { |
1649 | | if(!hash) return; |
1650 | | free(hash); |
1651 | | } |
1652 | | |
1653 | | /** |
1654 | | * Return size of DS digest according to its hash algorithm. |
1655 | | * @param algo: DS digest algo. |
1656 | | * @return size in bytes of digest, or 0 if not supported. |
1657 | | */ |
1658 | | size_t |
1659 | | ds_digest_size_supported(int algo) |
1660 | | { |
1661 | | switch(algo) { |
1662 | | case LDNS_SHA1: |
1663 | | #ifdef USE_SHA1 |
1664 | | return SHA1_DIGEST_SIZE; |
1665 | | #else |
1666 | | if(fake_sha1) return 20; |
1667 | | return 0; |
1668 | | #endif |
1669 | | #ifdef USE_SHA2 |
1670 | | case LDNS_SHA256: |
1671 | | return SHA256_DIGEST_SIZE; |
1672 | | #endif |
1673 | | #ifdef USE_ECDSA |
1674 | | case LDNS_SHA384: |
1675 | | return SHA384_DIGEST_SIZE; |
1676 | | #endif |
1677 | | /* GOST not supported */ |
1678 | | case LDNS_HASH_GOST: |
1679 | | default: |
1680 | | break; |
1681 | | } |
1682 | | return 0; |
1683 | | } |
1684 | | |
1685 | | int |
1686 | | secalgo_ds_digest(int algo, unsigned char* buf, size_t len, |
1687 | | unsigned char* res) |
1688 | | { |
1689 | | switch(algo) { |
1690 | | #ifdef USE_SHA1 |
1691 | | case LDNS_SHA1: |
1692 | | return _digest_nettle(SHA1_DIGEST_SIZE, buf, len, res); |
1693 | | #endif |
1694 | | #if defined(USE_SHA2) |
1695 | | case LDNS_SHA256: |
1696 | | return _digest_nettle(SHA256_DIGEST_SIZE, buf, len, res); |
1697 | | #endif |
1698 | | #ifdef USE_ECDSA |
1699 | | case LDNS_SHA384: |
1700 | | return _digest_nettle(SHA384_DIGEST_SIZE, buf, len, res); |
1701 | | |
1702 | | #endif |
1703 | | case LDNS_HASH_GOST: |
1704 | | default: |
1705 | | verbose(VERB_QUERY, "unknown DS digest algorithm %d", |
1706 | | algo); |
1707 | | break; |
1708 | | } |
1709 | | return 0; |
1710 | | } |
1711 | | |
1712 | | int |
1713 | | dnskey_algo_id_is_supported(int id) |
1714 | | { |
1715 | | /* uses libnettle */ |
1716 | | switch(id) { |
1717 | | case LDNS_DSA: |
1718 | | case LDNS_DSA_NSEC3: |
1719 | | #if defined(USE_DSA) && defined(USE_SHA1) |
1720 | | return 1; |
1721 | | #else |
1722 | | if(fake_dsa || fake_sha1) return 1; |
1723 | | return 0; |
1724 | | #endif |
1725 | | case LDNS_RSASHA1: |
1726 | | case LDNS_RSASHA1_NSEC3: |
1727 | | #ifdef USE_SHA1 |
1728 | | return 1; |
1729 | | #else |
1730 | | if(fake_sha1) return 1; |
1731 | | return 0; |
1732 | | #endif |
1733 | | #ifdef USE_SHA2 |
1734 | | case LDNS_RSASHA256: |
1735 | | case LDNS_RSASHA512: |
1736 | | #endif |
1737 | | #ifdef USE_ECDSA |
1738 | | case LDNS_ECDSAP256SHA256: |
1739 | | case LDNS_ECDSAP384SHA384: |
1740 | | #endif |
1741 | | return 1; |
1742 | | #ifdef USE_ED25519 |
1743 | | case LDNS_ED25519: |
1744 | | return 1; |
1745 | | #endif |
1746 | | case LDNS_RSAMD5: /* RFC 6725 deprecates RSAMD5 */ |
1747 | | case LDNS_ECC_GOST: |
1748 | | default: |
1749 | | return 0; |
1750 | | } |
1751 | | } |
1752 | | |
1753 | | #if defined(USE_DSA) && defined(USE_SHA1) |
1754 | | static char * |
1755 | | _verify_nettle_dsa(sldns_buffer* buf, unsigned char* sigblock, |
1756 | | unsigned int sigblock_len, unsigned char* key, unsigned int keylen) |
1757 | | { |
1758 | | uint8_t digest[SHA1_DIGEST_SIZE]; |
1759 | | uint8_t key_t_value; |
1760 | | int res = 0; |
1761 | | size_t offset; |
1762 | | struct dsa_public_key pubkey; |
1763 | | struct dsa_signature signature; |
1764 | | unsigned int expected_len; |
1765 | | |
1766 | | /* Extract DSA signature from the record */ |
1767 | | nettle_dsa_signature_init(&signature); |
1768 | | /* Signature length: 41 bytes - RFC 2536 sec. 3 */ |
1769 | | if(sigblock_len == 41) { |
1770 | | if(key[0] != sigblock[0]) |
1771 | | return "invalid T value in DSA signature or pubkey"; |
1772 | | nettle_mpz_set_str_256_u(signature.r, 20, sigblock+1); |
1773 | | nettle_mpz_set_str_256_u(signature.s, 20, sigblock+1+20); |
1774 | | } else { |
1775 | | /* DER encoded, decode the ASN1 notated R and S bignums */ |
1776 | | /* SEQUENCE { r INTEGER, s INTEGER } */ |
1777 | | struct asn1_der_iterator i, seq; |
1778 | | if(asn1_der_iterator_first(&i, sigblock_len, |
1779 | | (uint8_t*)sigblock) != ASN1_ITERATOR_CONSTRUCTED |
1780 | | || i.type != ASN1_SEQUENCE) |
1781 | | return "malformed DER encoded DSA signature"; |
1782 | | /* decode this element of i using the seq iterator */ |
1783 | | if(asn1_der_decode_constructed(&i, &seq) != |
1784 | | ASN1_ITERATOR_PRIMITIVE || seq.type != ASN1_INTEGER) |
1785 | | return "malformed DER encoded DSA signature"; |
1786 | | if(!asn1_der_get_bignum(&seq, signature.r, 20*8)) |
1787 | | return "malformed DER encoded DSA signature"; |
1788 | | if(asn1_der_iterator_next(&seq) != ASN1_ITERATOR_PRIMITIVE |
1789 | | || seq.type != ASN1_INTEGER) |
1790 | | return "malformed DER encoded DSA signature"; |
1791 | | if(!asn1_der_get_bignum(&seq, signature.s, 20*8)) |
1792 | | return "malformed DER encoded DSA signature"; |
1793 | | if(asn1_der_iterator_next(&i) != ASN1_ITERATOR_END) |
1794 | | return "malformed DER encoded DSA signature"; |
1795 | | } |
1796 | | |
1797 | | /* Validate T values constraints - RFC 2536 sec. 2 & sec. 3 */ |
1798 | | key_t_value = key[0]; |
1799 | | if (key_t_value > 8) { |
1800 | | return "invalid T value in DSA pubkey"; |
1801 | | } |
1802 | | |
1803 | | /* Pubkey minimum length: 21 bytes - RFC 2536 sec. 2 */ |
1804 | | if (keylen < 21) { |
1805 | | return "DSA pubkey too short"; |
1806 | | } |
1807 | | |
1808 | | expected_len = 1 + /* T */ |
1809 | | 20 + /* Q */ |
1810 | | (64 + key_t_value*8) + /* P */ |
1811 | | (64 + key_t_value*8) + /* G */ |
1812 | | (64 + key_t_value*8); /* Y */ |
1813 | | if (keylen != expected_len ) { |
1814 | | return "invalid DSA pubkey length"; |
1815 | | } |
1816 | | |
1817 | | /* Extract DSA pubkey from the record */ |
1818 | | nettle_dsa_public_key_init(&pubkey); |
1819 | | offset = 1; |
1820 | | nettle_mpz_set_str_256_u(pubkey.q, 20, key+offset); |
1821 | | offset += 20; |
1822 | | nettle_mpz_set_str_256_u(pubkey.p, (64 + key_t_value*8), key+offset); |
1823 | | offset += (64 + key_t_value*8); |
1824 | | nettle_mpz_set_str_256_u(pubkey.g, (64 + key_t_value*8), key+offset); |
1825 | | offset += (64 + key_t_value*8); |
1826 | | nettle_mpz_set_str_256_u(pubkey.y, (64 + key_t_value*8), key+offset); |
1827 | | |
1828 | | /* Digest content of "buf" and verify its DSA signature in "sigblock"*/ |
1829 | | res = _digest_nettle(SHA1_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), |
1830 | | (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); |
1831 | | res &= dsa_sha1_verify_digest(&pubkey, digest, &signature); |
1832 | | |
1833 | | /* Clear and return */ |
1834 | | nettle_dsa_signature_clear(&signature); |
1835 | | nettle_dsa_public_key_clear(&pubkey); |
1836 | | if (!res) |
1837 | | return "DSA signature verification failed"; |
1838 | | else |
1839 | | return NULL; |
1840 | | } |
1841 | | #endif /* USE_DSA */ |
1842 | | |
1843 | | static char * |
1844 | | _verify_nettle_rsa(sldns_buffer* buf, unsigned int digest_size, char* sigblock, |
1845 | | unsigned int sigblock_len, uint8_t* key, unsigned int keylen) |
1846 | | { |
1847 | | uint16_t exp_len = 0; |
1848 | | size_t exp_offset = 0, mod_offset = 0; |
1849 | | struct rsa_public_key pubkey; |
1850 | | mpz_t signature; |
1851 | | int res = 0; |
1852 | | |
1853 | | /* RSA pubkey parsing as per RFC 3110 sec. 2 */ |
1854 | | if( keylen <= 1) { |
1855 | | return "null RSA key"; |
1856 | | } |
1857 | | if (key[0] != 0) { |
1858 | | /* 1-byte length */ |
1859 | | exp_len = key[0]; |
1860 | | exp_offset = 1; |
1861 | | } else { |
1862 | | /* 1-byte NUL + 2-bytes exponent length */ |
1863 | | if (keylen < 3) { |
1864 | | return "incorrect RSA key length"; |
1865 | | } |
1866 | | exp_len = READ_UINT16(key+1); |
1867 | | if (exp_len == 0) |
1868 | | return "null RSA exponent length"; |
1869 | | exp_offset = 3; |
1870 | | } |
1871 | | /* Check that we are not over-running input length */ |
1872 | | if (keylen < exp_offset + exp_len + 1) { |
1873 | | return "RSA key content shorter than expected"; |
1874 | | } |
1875 | | mod_offset = exp_offset + exp_len; |
1876 | | nettle_rsa_public_key_init(&pubkey); |
1877 | | pubkey.size = keylen - mod_offset; |
1878 | | nettle_mpz_set_str_256_u(pubkey.e, exp_len, &key[exp_offset]); |
1879 | | nettle_mpz_set_str_256_u(pubkey.n, pubkey.size, &key[mod_offset]); |
1880 | | |
1881 | | /* Digest content of "buf" and verify its RSA signature in "sigblock"*/ |
1882 | | nettle_mpz_init_set_str_256_u(signature, sigblock_len, (uint8_t*)sigblock); |
1883 | | switch (digest_size) { |
1884 | | case SHA1_DIGEST_SIZE: |
1885 | | { |
1886 | | uint8_t digest[SHA1_DIGEST_SIZE]; |
1887 | | res = _digest_nettle(SHA1_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), |
1888 | | (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); |
1889 | | res &= rsa_sha1_verify_digest(&pubkey, digest, signature); |
1890 | | break; |
1891 | | } |
1892 | | case SHA256_DIGEST_SIZE: |
1893 | | { |
1894 | | uint8_t digest[SHA256_DIGEST_SIZE]; |
1895 | | res = _digest_nettle(SHA256_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), |
1896 | | (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); |
1897 | | res &= rsa_sha256_verify_digest(&pubkey, digest, signature); |
1898 | | break; |
1899 | | } |
1900 | | case SHA512_DIGEST_SIZE: |
1901 | | { |
1902 | | uint8_t digest[SHA512_DIGEST_SIZE]; |
1903 | | res = _digest_nettle(SHA512_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), |
1904 | | (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); |
1905 | | res &= rsa_sha512_verify_digest(&pubkey, digest, signature); |
1906 | | break; |
1907 | | } |
1908 | | default: |
1909 | | break; |
1910 | | } |
1911 | | |
1912 | | /* Clear and return */ |
1913 | | nettle_rsa_public_key_clear(&pubkey); |
1914 | | mpz_clear(signature); |
1915 | | if (!res) { |
1916 | | return "RSA signature verification failed"; |
1917 | | } else { |
1918 | | return NULL; |
1919 | | } |
1920 | | } |
1921 | | |
1922 | | #ifdef USE_ECDSA |
1923 | | static char * |
1924 | | _verify_nettle_ecdsa(sldns_buffer* buf, unsigned int digest_size, unsigned char* sigblock, |
1925 | | unsigned int sigblock_len, unsigned char* key, unsigned int keylen) |
1926 | | { |
1927 | | int res = 0; |
1928 | | struct ecc_point pubkey; |
1929 | | struct dsa_signature signature; |
1930 | | |
1931 | | /* Always matched strength, as per RFC 6605 sec. 1 */ |
1932 | | if (sigblock_len != 2*digest_size || keylen != 2*digest_size) { |
1933 | | return "wrong ECDSA signature length"; |
1934 | | } |
1935 | | |
1936 | | /* Parse ECDSA signature as per RFC 6605 sec. 4 */ |
1937 | | nettle_dsa_signature_init(&signature); |
1938 | | switch (digest_size) { |
1939 | | case SHA256_DIGEST_SIZE: |
1940 | | { |
1941 | | uint8_t digest[SHA256_DIGEST_SIZE]; |
1942 | | mpz_t x, y; |
1943 | | nettle_ecc_point_init(&pubkey, nettle_get_secp_256r1()); |
1944 | | nettle_mpz_init_set_str_256_u(x, SHA256_DIGEST_SIZE, key); |
1945 | | nettle_mpz_init_set_str_256_u(y, SHA256_DIGEST_SIZE, key+SHA256_DIGEST_SIZE); |
1946 | | nettle_mpz_set_str_256_u(signature.r, SHA256_DIGEST_SIZE, sigblock); |
1947 | | nettle_mpz_set_str_256_u(signature.s, SHA256_DIGEST_SIZE, sigblock+SHA256_DIGEST_SIZE); |
1948 | | res = _digest_nettle(SHA256_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), |
1949 | | (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); |
1950 | | res &= nettle_ecc_point_set(&pubkey, x, y); |
1951 | | res &= nettle_ecdsa_verify (&pubkey, SHA256_DIGEST_SIZE, digest, &signature); |
1952 | | mpz_clear(x); |
1953 | | mpz_clear(y); |
1954 | | nettle_ecc_point_clear(&pubkey); |
1955 | | break; |
1956 | | } |
1957 | | case SHA384_DIGEST_SIZE: |
1958 | | { |
1959 | | uint8_t digest[SHA384_DIGEST_SIZE]; |
1960 | | mpz_t x, y; |
1961 | | nettle_ecc_point_init(&pubkey, nettle_get_secp_384r1()); |
1962 | | nettle_mpz_init_set_str_256_u(x, SHA384_DIGEST_SIZE, key); |
1963 | | nettle_mpz_init_set_str_256_u(y, SHA384_DIGEST_SIZE, key+SHA384_DIGEST_SIZE); |
1964 | | nettle_mpz_set_str_256_u(signature.r, SHA384_DIGEST_SIZE, sigblock); |
1965 | | nettle_mpz_set_str_256_u(signature.s, SHA384_DIGEST_SIZE, sigblock+SHA384_DIGEST_SIZE); |
1966 | | res = _digest_nettle(SHA384_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), |
1967 | | (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); |
1968 | | res &= nettle_ecc_point_set(&pubkey, x, y); |
1969 | | res &= nettle_ecdsa_verify (&pubkey, SHA384_DIGEST_SIZE, digest, &signature); |
1970 | | mpz_clear(x); |
1971 | | mpz_clear(y); |
1972 | | nettle_ecc_point_clear(&pubkey); |
1973 | | break; |
1974 | | } |
1975 | | default: |
1976 | | return "unknown ECDSA algorithm"; |
1977 | | } |
1978 | | |
1979 | | /* Clear and return */ |
1980 | | nettle_dsa_signature_clear(&signature); |
1981 | | if (!res) |
1982 | | return "ECDSA signature verification failed"; |
1983 | | else |
1984 | | return NULL; |
1985 | | } |
1986 | | #endif |
1987 | | |
1988 | | #ifdef USE_ED25519 |
1989 | | static char * |
1990 | | _verify_nettle_ed25519(sldns_buffer* buf, unsigned char* sigblock, |
1991 | | unsigned int sigblock_len, unsigned char* key, unsigned int keylen) |
1992 | | { |
1993 | | int res = 0; |
1994 | | |
1995 | | if(sigblock_len != ED25519_SIGNATURE_SIZE) { |
1996 | | return "wrong ED25519 signature length"; |
1997 | | } |
1998 | | if(keylen != ED25519_KEY_SIZE) { |
1999 | | return "wrong ED25519 key length"; |
2000 | | } |
2001 | | |
2002 | | res = ed25519_sha512_verify((uint8_t*)key, sldns_buffer_limit(buf), |
2003 | | sldns_buffer_begin(buf), (uint8_t*)sigblock); |
2004 | | |
2005 | | if (!res) |
2006 | | return "ED25519 signature verification failed"; |
2007 | | else |
2008 | | return NULL; |
2009 | | } |
2010 | | #endif |
2011 | | |
2012 | | /** |
2013 | | * Check a canonical sig+rrset and signature against a dnskey |
2014 | | * @param buf: buffer with data to verify, the first rrsig part and the |
2015 | | * canonicalized rrset. |
2016 | | * @param algo: DNSKEY algorithm. |
2017 | | * @param sigblock: signature rdata field from RRSIG |
2018 | | * @param sigblock_len: length of sigblock data. |
2019 | | * @param key: public key data from DNSKEY RR. |
2020 | | * @param keylen: length of keydata. |
2021 | | * @param reason: bogus reason in more detail. |
2022 | | * @return secure if verification succeeded, bogus on crypto failure, |
2023 | | * unchecked on format errors and alloc failures. |
2024 | | */ |
2025 | | enum sec_status |
2026 | | verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock, |
2027 | | unsigned int sigblock_len, unsigned char* key, unsigned int keylen, |
2028 | | char** reason) |
2029 | | { |
2030 | | unsigned int digest_size = 0; |
2031 | | |
2032 | | if (sigblock_len == 0 || keylen == 0) { |
2033 | | *reason = "null signature"; |
2034 | | return sec_status_bogus; |
2035 | | } |
2036 | | |
2037 | | #ifndef USE_DSA |
2038 | | if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) &&(fake_dsa||fake_sha1)) |
2039 | | return sec_status_secure; |
2040 | | #endif |
2041 | | #ifndef USE_SHA1 |
2042 | | if(fake_sha1 && (algo == LDNS_DSA || algo == LDNS_DSA_NSEC3 || algo == LDNS_RSASHA1 || algo == LDNS_RSASHA1_NSEC3)) |
2043 | | return sec_status_secure; |
2044 | | #endif |
2045 | | |
2046 | | switch(algo) { |
2047 | | #if defined(USE_DSA) && defined(USE_SHA1) |
2048 | | case LDNS_DSA: |
2049 | | case LDNS_DSA_NSEC3: |
2050 | | *reason = _verify_nettle_dsa(buf, sigblock, sigblock_len, key, keylen); |
2051 | | if (*reason != NULL) |
2052 | | return sec_status_bogus; |
2053 | | else |
2054 | | return sec_status_secure; |
2055 | | #endif /* USE_DSA */ |
2056 | | |
2057 | | #ifdef USE_SHA1 |
2058 | | case LDNS_RSASHA1: |
2059 | | case LDNS_RSASHA1_NSEC3: |
2060 | | digest_size = (digest_size ? digest_size : SHA1_DIGEST_SIZE); |
2061 | | #endif |
2062 | | /* double fallthrough annotation to please gcc parser */ |
2063 | | ATTR_FALLTHROUGH |
2064 | | /* fallthrough */ |
2065 | | #ifdef USE_SHA2 |
2066 | | /* fallthrough */ |
2067 | | case LDNS_RSASHA256: |
2068 | | digest_size = (digest_size ? digest_size : SHA256_DIGEST_SIZE); |
2069 | | ATTR_FALLTHROUGH |
2070 | | /* fallthrough */ |
2071 | | case LDNS_RSASHA512: |
2072 | | digest_size = (digest_size ? digest_size : SHA512_DIGEST_SIZE); |
2073 | | |
2074 | | #endif |
2075 | | *reason = _verify_nettle_rsa(buf, digest_size, (char*)sigblock, |
2076 | | sigblock_len, key, keylen); |
2077 | | if (*reason != NULL) |
2078 | | return sec_status_bogus; |
2079 | | else |
2080 | | return sec_status_secure; |
2081 | | |
2082 | | #ifdef USE_ECDSA |
2083 | | case LDNS_ECDSAP256SHA256: |
2084 | | digest_size = (digest_size ? digest_size : SHA256_DIGEST_SIZE); |
2085 | | ATTR_FALLTHROUGH |
2086 | | /* fallthrough */ |
2087 | | case LDNS_ECDSAP384SHA384: |
2088 | | digest_size = (digest_size ? digest_size : SHA384_DIGEST_SIZE); |
2089 | | *reason = _verify_nettle_ecdsa(buf, digest_size, sigblock, |
2090 | | sigblock_len, key, keylen); |
2091 | | if (*reason != NULL) |
2092 | | return sec_status_bogus; |
2093 | | else |
2094 | | return sec_status_secure; |
2095 | | #endif |
2096 | | #ifdef USE_ED25519 |
2097 | | case LDNS_ED25519: |
2098 | | *reason = _verify_nettle_ed25519(buf, sigblock, sigblock_len, |
2099 | | key, keylen); |
2100 | | if (*reason != NULL) |
2101 | | return sec_status_bogus; |
2102 | | else |
2103 | | return sec_status_secure; |
2104 | | #endif |
2105 | | case LDNS_RSAMD5: |
2106 | | case LDNS_ECC_GOST: |
2107 | | default: |
2108 | | *reason = "unable to verify signature, unknown algorithm"; |
2109 | | return sec_status_bogus; |
2110 | | } |
2111 | | } |
2112 | | |
2113 | | #endif /* HAVE_SSL or HAVE_NSS or HAVE_NETTLE */ |