aboutsummaryrefslogtreecommitdiff
path: root/external/unbound/validator/val_secalgo.c
diff options
context:
space:
mode:
authorRiccardo Spagni <ric@spagni.net>2014-10-05 23:44:31 +0200
committerRiccardo Spagni <ric@spagni.net>2014-10-05 23:44:31 +0200
commit9ef094b356b4da7542c3cab898dac7e135b76903 (patch)
tree99b5876712b0b1551fc042fe75447b998e4b0fc1 /external/unbound/validator/val_secalgo.c
parentsplit mnemonic printout over 3 lines (diff)
downloadmonero-9ef094b356b4da7542c3cab898dac7e135b76903.tar.xz
added unbound to external deps
Diffstat (limited to 'external/unbound/validator/val_secalgo.c')
-rw-r--r--external/unbound/validator/val_secalgo.c1072
1 files changed, 1072 insertions, 0 deletions
diff --git a/external/unbound/validator/val_secalgo.c b/external/unbound/validator/val_secalgo.c
new file mode 100644
index 000000000..d89675f83
--- /dev/null
+++ b/external/unbound/validator/val_secalgo.c
@@ -0,0 +1,1072 @@
+/*
+ * validator/val_secalgo.c - validator security algorithm functions.
+ *
+ * Copyright (c) 2012, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/**
+ * \file
+ *
+ * This file contains helper functions for the validator module.
+ * These functions take raw data buffers, formatted for crypto verification,
+ * and do the library calls (for the crypto library in use).
+ */
+#include "config.h"
+#include "validator/val_secalgo.h"
+#include "util/data/packed_rrset.h"
+#include "util/log.h"
+#include "ldns/rrdef.h"
+#include "ldns/keyraw.h"
+#include "ldns/sbuffer.h"
+
+#if !defined(HAVE_SSL) && !defined(HAVE_NSS)
+#error "Need crypto library to do digital signature cryptography"
+#endif
+
+/* OpenSSL implementation */
+#ifdef HAVE_SSL
+#ifdef HAVE_OPENSSL_ERR_H
+#include <openssl/err.h>
+#endif
+
+#ifdef HAVE_OPENSSL_RAND_H
+#include <openssl/rand.h>
+#endif
+
+#ifdef HAVE_OPENSSL_CONF_H
+#include <openssl/conf.h>
+#endif
+
+#ifdef HAVE_OPENSSL_ENGINE_H
+#include <openssl/engine.h>
+#endif
+
+/**
+ * Return size of DS digest according to its hash algorithm.
+ * @param algo: DS digest algo.
+ * @return size in bytes of digest, or 0 if not supported.
+ */
+size_t
+ds_digest_size_supported(int algo)
+{
+ switch(algo) {
+#ifdef HAVE_EVP_SHA1
+ case LDNS_SHA1:
+ return SHA_DIGEST_LENGTH;
+#endif
+#ifdef HAVE_EVP_SHA256
+ case LDNS_SHA256:
+ return SHA256_DIGEST_LENGTH;
+#endif
+#ifdef USE_GOST
+ case LDNS_HASH_GOST:
+ if(EVP_get_digestbyname("md_gost94"))
+ return 32;
+ else return 0;
+#endif
+#ifdef USE_ECDSA
+ case LDNS_SHA384:
+ return SHA384_DIGEST_LENGTH;
+#endif
+ default: break;
+ }
+ return 0;
+}
+
+#ifdef USE_GOST
+/** Perform GOST hash */
+static int
+do_gost94(unsigned char* data, size_t len, unsigned char* dest)
+{
+ const EVP_MD* md = EVP_get_digestbyname("md_gost94");
+ if(!md)
+ return 0;
+ return sldns_digest_evp(data, (unsigned int)len, dest, md);
+}
+#endif
+
+int
+secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
+ unsigned char* res)
+{
+ switch(algo) {
+#ifdef HAVE_EVP_SHA1
+ case LDNS_SHA1:
+ (void)SHA1(buf, len, res);
+ return 1;
+#endif
+#ifdef HAVE_EVP_SHA256
+ case LDNS_SHA256:
+ (void)SHA256(buf, len, res);
+ return 1;
+#endif
+#ifdef USE_GOST
+ case LDNS_HASH_GOST:
+ if(do_gost94(buf, len, res))
+ return 1;
+ break;
+#endif
+#ifdef USE_ECDSA
+ case LDNS_SHA384:
+ (void)SHA384(buf, len, res);
+ return 1;
+#endif
+ default:
+ verbose(VERB_QUERY, "unknown DS digest algorithm %d",
+ algo);
+ break;
+ }
+ return 0;
+}
+
+/** return true if DNSKEY algorithm id is supported */
+int
+dnskey_algo_id_is_supported(int id)
+{
+ switch(id) {
+ case LDNS_RSAMD5:
+ /* RFC 6725 deprecates RSAMD5 */
+ return 0;
+ case LDNS_DSA:
+ case LDNS_DSA_NSEC3:
+ case LDNS_RSASHA1:
+ case LDNS_RSASHA1_NSEC3:
+#if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
+ case LDNS_RSASHA256:
+#endif
+#if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
+ case LDNS_RSASHA512:
+#endif
+#ifdef USE_ECDSA
+ case LDNS_ECDSAP256SHA256:
+ case LDNS_ECDSAP384SHA384:
+#endif
+ return 1;
+#ifdef USE_GOST
+ case LDNS_ECC_GOST:
+ /* we support GOST if it can be loaded */
+ return sldns_key_EVP_load_gost_id();
+#endif
+ default:
+ return 0;
+ }
+}
+
+/**
+ * Output a libcrypto openssl error to the logfile.
+ * @param str: string to add to it.
+ * @param e: the error to output, error number from ERR_get_error().
+ */
+static void
+log_crypto_error(const char* str, unsigned long e)
+{
+ char buf[128];
+ /* or use ERR_error_string if ERR_error_string_n is not avail TODO */
+ ERR_error_string_n(e, buf, sizeof(buf));
+ /* buf now contains */
+ /* error:[error code]:[library name]:[function name]:[reason string] */
+ log_err("%s crypto %s", str, buf);
+}
+
+/**
+ * Setup DSA key digest in DER encoding ...
+ * @param sig: input is signature output alloced ptr (unless failure).
+ * caller must free alloced ptr if this routine returns true.
+ * @param len: input is initial siglen, output is output len.
+ * @return false on failure.
+ */
+static int
+setup_dsa_sig(unsigned char** sig, unsigned int* len)
+{
+ unsigned char* orig = *sig;
+ unsigned int origlen = *len;
+ int newlen;
+ BIGNUM *R, *S;
+ DSA_SIG *dsasig;
+
+ /* extract the R and S field from the sig buffer */
+ if(origlen < 1 + 2*SHA_DIGEST_LENGTH)
+ return 0;
+ R = BN_new();
+ if(!R) return 0;
+ (void) BN_bin2bn(orig + 1, SHA_DIGEST_LENGTH, R);
+ S = BN_new();
+ if(!S) return 0;
+ (void) BN_bin2bn(orig + 21, SHA_DIGEST_LENGTH, S);
+ dsasig = DSA_SIG_new();
+ if(!dsasig) return 0;
+
+ dsasig->r = R;
+ dsasig->s = S;
+ *sig = NULL;
+ newlen = i2d_DSA_SIG(dsasig, sig);
+ if(newlen < 0) {
+ DSA_SIG_free(dsasig);
+ free(*sig);
+ return 0;
+ }
+ *len = (unsigned int)newlen;
+ DSA_SIG_free(dsasig);
+ return 1;
+}
+
+#ifdef USE_ECDSA
+/**
+ * Setup the ECDSA signature in its encoding that the library wants.
+ * Converts from plain numbers to ASN formatted.
+ * @param sig: input is signature, output alloced ptr (unless failure).
+ * caller must free alloced ptr if this routine returns true.
+ * @param len: input is initial siglen, output is output len.
+ * @return false on failure.
+ */
+static int
+setup_ecdsa_sig(unsigned char** sig, unsigned int* len)
+{
+ ECDSA_SIG* ecdsa_sig;
+ int newlen;
+ int bnsize = (int)((*len)/2);
+ /* if too short or not even length, fails */
+ if(*len < 16 || bnsize*2 != (int)*len)
+ return 0;
+ /* use the raw data to parse two evenly long BIGNUMs, "r | s". */
+ ecdsa_sig = ECDSA_SIG_new();
+ if(!ecdsa_sig) return 0;
+ ecdsa_sig->r = BN_bin2bn(*sig, bnsize, ecdsa_sig->r);
+ ecdsa_sig->s = BN_bin2bn(*sig+bnsize, bnsize, ecdsa_sig->s);
+ if(!ecdsa_sig->r || !ecdsa_sig->s) {
+ ECDSA_SIG_free(ecdsa_sig);
+ return 0;
+ }
+
+ /* spool it into ASN format */
+ *sig = NULL;
+ newlen = i2d_ECDSA_SIG(ecdsa_sig, sig);
+ if(newlen <= 0) {
+ ECDSA_SIG_free(ecdsa_sig);
+ free(*sig);
+ return 0;
+ }
+ *len = (unsigned int)newlen;
+ ECDSA_SIG_free(ecdsa_sig);
+ return 1;
+}
+#endif /* USE_ECDSA */
+
+/**
+ * Setup key and digest for verification. Adjust sig if necessary.
+ *
+ * @param algo: key algorithm
+ * @param evp_key: EVP PKEY public key to create.
+ * @param digest_type: digest type to use
+ * @param key: key to setup for.
+ * @param keylen: length of key.
+ * @return false on failure.
+ */
+static int
+setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type,
+ unsigned char* key, size_t keylen)
+{
+ DSA* dsa;
+ RSA* rsa;
+
+ switch(algo) {
+ case LDNS_DSA:
+ case LDNS_DSA_NSEC3:
+ *evp_key = EVP_PKEY_new();
+ if(!*evp_key) {
+ log_err("verify: malloc failure in crypto");
+ return 0;
+ }
+ dsa = sldns_key_buf2dsa_raw(key, keylen);
+ if(!dsa) {
+ verbose(VERB_QUERY, "verify: "
+ "sldns_key_buf2dsa_raw failed");
+ return 0;
+ }
+ if(EVP_PKEY_assign_DSA(*evp_key, dsa) == 0) {
+ verbose(VERB_QUERY, "verify: "
+ "EVP_PKEY_assign_DSA failed");
+ return 0;
+ }
+ *digest_type = EVP_dss1();
+
+ break;
+ case LDNS_RSASHA1:
+ case LDNS_RSASHA1_NSEC3:
+#if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
+ case LDNS_RSASHA256:
+#endif
+#if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
+ case LDNS_RSASHA512:
+#endif
+ *evp_key = EVP_PKEY_new();
+ if(!*evp_key) {
+ log_err("verify: malloc failure in crypto");
+ return 0;
+ }
+ rsa = sldns_key_buf2rsa_raw(key, keylen);
+ if(!rsa) {
+ verbose(VERB_QUERY, "verify: "
+ "sldns_key_buf2rsa_raw SHA failed");
+ return 0;
+ }
+ if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) {
+ verbose(VERB_QUERY, "verify: "
+ "EVP_PKEY_assign_RSA SHA failed");
+ return 0;
+ }
+
+ /* select SHA version */
+#if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
+ if(algo == LDNS_RSASHA256)
+ *digest_type = EVP_sha256();
+ else
+#endif
+#if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
+ if(algo == LDNS_RSASHA512)
+ *digest_type = EVP_sha512();
+ else
+#endif
+ *digest_type = EVP_sha1();
+
+ break;
+ case LDNS_RSAMD5:
+ *evp_key = EVP_PKEY_new();
+ if(!*evp_key) {
+ log_err("verify: malloc failure in crypto");
+ return 0;
+ }
+ rsa = sldns_key_buf2rsa_raw(key, keylen);
+ if(!rsa) {
+ verbose(VERB_QUERY, "verify: "
+ "sldns_key_buf2rsa_raw MD5 failed");
+ return 0;
+ }
+ if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) {
+ verbose(VERB_QUERY, "verify: "
+ "EVP_PKEY_assign_RSA MD5 failed");
+ return 0;
+ }
+ *digest_type = EVP_md5();
+
+ break;
+#ifdef USE_GOST
+ case LDNS_ECC_GOST:
+ *evp_key = sldns_gost2pkey_raw(key, keylen);
+ if(!*evp_key) {
+ verbose(VERB_QUERY, "verify: "
+ "sldns_gost2pkey_raw failed");
+ return 0;
+ }
+ *digest_type = EVP_get_digestbyname("md_gost94");
+ if(!*digest_type) {
+ verbose(VERB_QUERY, "verify: "
+ "EVP_getdigest md_gost94 failed");
+ return 0;
+ }
+ break;
+#endif
+#ifdef USE_ECDSA
+ case LDNS_ECDSAP256SHA256:
+ *evp_key = sldns_ecdsa2pkey_raw(key, keylen,
+ LDNS_ECDSAP256SHA256);
+ if(!*evp_key) {
+ verbose(VERB_QUERY, "verify: "
+ "sldns_ecdsa2pkey_raw failed");
+ return 0;
+ }
+#ifdef USE_ECDSA_EVP_WORKAROUND
+ /* openssl before 1.0.0 fixes RSA with the SHA256
+ * hash in EVP. We create one for ecdsa_sha256 */
+ {
+ static int md_ecdsa_256_done = 0;
+ static EVP_MD md;
+ if(!md_ecdsa_256_done) {
+ EVP_MD m = *EVP_sha256();
+ md_ecdsa_256_done = 1;
+ m.required_pkey_type[0] = (*evp_key)->type;
+ m.verify = (void*)ECDSA_verify;
+ md = m;
+ }
+ *digest_type = &md;
+ }
+#else
+ *digest_type = EVP_sha256();
+#endif
+ break;
+ case LDNS_ECDSAP384SHA384:
+ *evp_key = sldns_ecdsa2pkey_raw(key, keylen,
+ LDNS_ECDSAP384SHA384);
+ if(!*evp_key) {
+ verbose(VERB_QUERY, "verify: "
+ "sldns_ecdsa2pkey_raw failed");
+ return 0;
+ }
+#ifdef USE_ECDSA_EVP_WORKAROUND
+ /* openssl before 1.0.0 fixes RSA with the SHA384
+ * hash in EVP. We create one for ecdsa_sha384 */
+ {
+ static int md_ecdsa_384_done = 0;
+ static EVP_MD md;
+ if(!md_ecdsa_384_done) {
+ EVP_MD m = *EVP_sha384();
+ md_ecdsa_384_done = 1;
+ m.required_pkey_type[0] = (*evp_key)->type;
+ m.verify = (void*)ECDSA_verify;
+ md = m;
+ }
+ *digest_type = &md;
+ }
+#else
+ *digest_type = EVP_sha384();
+#endif
+ break;
+#endif /* USE_ECDSA */
+ default:
+ verbose(VERB_QUERY, "verify: unknown algorithm %d",
+ algo);
+ return 0;
+ }
+ return 1;
+}
+
+/**
+ * Check a canonical sig+rrset and signature against a dnskey
+ * @param buf: buffer with data to verify, the first rrsig part and the
+ * canonicalized rrset.
+ * @param algo: DNSKEY algorithm.
+ * @param sigblock: signature rdata field from RRSIG
+ * @param sigblock_len: length of sigblock data.
+ * @param key: public key data from DNSKEY RR.
+ * @param keylen: length of keydata.
+ * @param reason: bogus reason in more detail.
+ * @return secure if verification succeeded, bogus on crypto failure,
+ * unchecked on format errors and alloc failures.
+ */
+enum sec_status
+verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
+ unsigned int sigblock_len, unsigned char* key, unsigned int keylen,
+ char** reason)
+{
+ const EVP_MD *digest_type;
+ EVP_MD_CTX ctx;
+ int res, dofree = 0;
+ EVP_PKEY *evp_key = NULL;
+
+ if(!setup_key_digest(algo, &evp_key, &digest_type, key, keylen)) {
+ verbose(VERB_QUERY, "verify: failed to setup key");
+ *reason = "use of key for crypto failed";
+ EVP_PKEY_free(evp_key);
+ return sec_status_bogus;
+ }
+ /* if it is a DSA signature in bind format, convert to DER format */
+ if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) &&
+ sigblock_len == 1+2*SHA_DIGEST_LENGTH) {
+ if(!setup_dsa_sig(&sigblock, &sigblock_len)) {
+ verbose(VERB_QUERY, "verify: failed to setup DSA sig");
+ *reason = "use of key for DSA crypto failed";
+ EVP_PKEY_free(evp_key);
+ return sec_status_bogus;
+ }
+ dofree = 1;
+ }
+#ifdef USE_ECDSA
+ else if(algo == LDNS_ECDSAP256SHA256 || algo == LDNS_ECDSAP384SHA384) {
+ /* EVP uses ASN prefix on sig, which is not in the wire data */
+ if(!setup_ecdsa_sig(&sigblock, &sigblock_len)) {
+ verbose(VERB_QUERY, "verify: failed to setup ECDSA sig");
+ *reason = "use of signature for ECDSA crypto failed";
+ EVP_PKEY_free(evp_key);
+ return sec_status_bogus;
+ }
+ dofree = 1;
+ }
+#endif /* USE_ECDSA */
+
+ /* do the signature cryptography work */
+ EVP_MD_CTX_init(&ctx);
+ if(EVP_VerifyInit(&ctx, digest_type) == 0) {
+ verbose(VERB_QUERY, "verify: EVP_VerifyInit failed");
+ EVP_PKEY_free(evp_key);
+ if(dofree) free(sigblock);
+ return sec_status_unchecked;
+ }
+ if(EVP_VerifyUpdate(&ctx, (unsigned char*)sldns_buffer_begin(buf),
+ (unsigned int)sldns_buffer_limit(buf)) == 0) {
+ verbose(VERB_QUERY, "verify: EVP_VerifyUpdate failed");
+ EVP_PKEY_free(evp_key);
+ if(dofree) free(sigblock);
+ return sec_status_unchecked;
+ }
+
+ res = EVP_VerifyFinal(&ctx, sigblock, sigblock_len, evp_key);
+ if(EVP_MD_CTX_cleanup(&ctx) == 0) {
+ verbose(VERB_QUERY, "verify: EVP_MD_CTX_cleanup failed");
+ EVP_PKEY_free(evp_key);
+ if(dofree) free(sigblock);
+ return sec_status_unchecked;
+ }
+ EVP_PKEY_free(evp_key);
+
+ if(dofree)
+ free(sigblock);
+
+ if(res == 1) {
+ return sec_status_secure;
+ } else if(res == 0) {
+ verbose(VERB_QUERY, "verify: signature mismatch");
+ *reason = "signature crypto failed";
+ return sec_status_bogus;
+ }
+
+ log_crypto_error("verify:", ERR_get_error());
+ return sec_status_unchecked;
+}
+
+/**************************************************/
+#elif defined(HAVE_NSS)
+/* libnss implementation */
+/* nss3 */
+#include "sechash.h"
+#include "pk11pub.h"
+#include "keyhi.h"
+#include "secerr.h"
+#include "cryptohi.h"
+/* nspr4 */
+#include "prerror.h"
+
+size_t
+ds_digest_size_supported(int algo)
+{
+ /* uses libNSS */
+ switch(algo) {
+ case LDNS_SHA1:
+ return SHA1_LENGTH;
+#ifdef USE_SHA2
+ case LDNS_SHA256:
+ return SHA256_LENGTH;
+#endif
+#ifdef USE_ECDSA
+ case LDNS_SHA384:
+ return SHA384_LENGTH;
+#endif
+ /* GOST not supported in NSS */
+ case LDNS_HASH_GOST:
+ default: break;
+ }
+ return 0;
+}
+
+int
+secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
+ unsigned char* res)
+{
+ /* uses libNSS */
+ switch(algo) {
+ case LDNS_SHA1:
+ return HASH_HashBuf(HASH_AlgSHA1, res, buf, len)
+ == SECSuccess;
+#if defined(USE_SHA2)
+ case LDNS_SHA256:
+ return HASH_HashBuf(HASH_AlgSHA256, res, buf, len)
+ == SECSuccess;
+#endif
+#ifdef USE_ECDSA
+ case LDNS_SHA384:
+ return HASH_HashBuf(HASH_AlgSHA384, res, buf, len)
+ == SECSuccess;
+#endif
+ case LDNS_HASH_GOST:
+ default:
+ verbose(VERB_QUERY, "unknown DS digest algorithm %d",
+ algo);
+ break;
+ }
+ return 0;
+}
+
+int
+dnskey_algo_id_is_supported(int id)
+{
+ /* uses libNSS */
+ switch(id) {
+ case LDNS_RSAMD5:
+ /* RFC 6725 deprecates RSAMD5 */
+ return 0;
+ case LDNS_DSA:
+ case LDNS_DSA_NSEC3:
+ case LDNS_RSASHA1:
+ case LDNS_RSASHA1_NSEC3:
+#ifdef USE_SHA2
+ case LDNS_RSASHA256:
+#endif
+#ifdef USE_SHA2
+ case LDNS_RSASHA512:
+#endif
+ return 1;
+#ifdef USE_ECDSA
+ case LDNS_ECDSAP256SHA256:
+ case LDNS_ECDSAP384SHA384:
+ return PK11_TokenExists(CKM_ECDSA);
+#endif
+ case LDNS_ECC_GOST:
+ default:
+ return 0;
+ }
+}
+
+/* return a new public key for NSS */
+static SECKEYPublicKey* nss_key_create(KeyType ktype)
+{
+ SECKEYPublicKey* key;
+ PLArenaPool* arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if(!arena) {
+ log_err("out of memory, PORT_NewArena failed");
+ return NULL;
+ }
+ key = PORT_ArenaZNew(arena, SECKEYPublicKey);
+ if(!key) {
+ log_err("out of memory, PORT_ArenaZNew failed");
+ PORT_FreeArena(arena, PR_FALSE);
+ return NULL;
+ }
+ key->arena = arena;
+ key->keyType = ktype;
+ key->pkcs11Slot = NULL;
+ key->pkcs11ID = CK_INVALID_HANDLE;
+ return key;
+}
+
+static SECKEYPublicKey* nss_buf2ecdsa(unsigned char* key, size_t len, int algo)
+{
+ SECKEYPublicKey* pk;
+ SECItem pub = {siBuffer, NULL, 0};
+ SECItem params = {siBuffer, NULL, 0};
+ static unsigned char param256[] = {
+ /* OBJECTIDENTIFIER 1.2.840.10045.3.1.7 (P-256)
+ * {iso(1) member-body(2) us(840) ansi-x962(10045) curves(3) prime(1) prime256v1(7)} */
+ 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07
+ };
+ static unsigned char param384[] = {
+ /* OBJECTIDENTIFIER 1.3.132.0.34 (P-384)
+ * {iso(1) identified-organization(3) certicom(132) curve(0) ansip384r1(34)} */
+ 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22
+ };
+ unsigned char buf[256+2]; /* sufficient for 2*384/8+1 */
+
+ /* check length, which uncompressed must be 2 bignums */
+ if(algo == LDNS_ECDSAP256SHA256) {
+ if(len != 2*256/8) return NULL;
+ /* ECCurve_X9_62_PRIME_256V1 */
+ } else if(algo == LDNS_ECDSAP384SHA384) {
+ if(len != 2*384/8) return NULL;
+ /* ECCurve_X9_62_PRIME_384R1 */
+ } else return NULL;
+
+ buf[0] = 0x04; /* POINT_FORM_UNCOMPRESSED */
+ memmove(buf+1, key, len);
+ pub.data = buf;
+ pub.len = len+1;
+ if(algo == LDNS_ECDSAP256SHA256) {
+ params.data = param256;
+ params.len = sizeof(param256);
+ } else {
+ params.data = param384;
+ params.len = sizeof(param384);
+ }
+
+ pk = nss_key_create(ecKey);
+ if(!pk)
+ return NULL;
+ pk->u.ec.size = (len/2)*8;
+ if(SECITEM_CopyItem(pk->arena, &pk->u.ec.publicValue, &pub)) {
+ SECKEY_DestroyPublicKey(pk);
+ return NULL;
+ }
+ if(SECITEM_CopyItem(pk->arena, &pk->u.ec.DEREncodedParams, &params)) {
+ SECKEY_DestroyPublicKey(pk);
+ return NULL;
+ }
+
+ return pk;
+}
+
+static SECKEYPublicKey* nss_buf2dsa(unsigned char* key, size_t len)
+{
+ SECKEYPublicKey* pk;
+ uint8_t T;
+ uint16_t length;
+ uint16_t offset;
+ SECItem Q = {siBuffer, NULL, 0};
+ SECItem P = {siBuffer, NULL, 0};
+ SECItem G = {siBuffer, NULL, 0};
+ SECItem Y = {siBuffer, NULL, 0};
+
+ if(len == 0)
+ return NULL;
+ T = (uint8_t)key[0];
+ length = (64 + T * 8);
+ offset = 1;
+
+ if (T > 8) {
+ return NULL;
+ }
+ if(len < (size_t)1 + SHA1_LENGTH + 3*length)
+ return NULL;
+
+ Q.data = key+offset;
+ Q.len = SHA1_LENGTH;
+ offset += SHA1_LENGTH;
+
+ P.data = key+offset;
+ P.len = length;
+ offset += length;
+
+ G.data = key+offset;
+ G.len = length;
+ offset += length;
+
+ Y.data = key+offset;
+ Y.len = length;
+ offset += length;
+
+ pk = nss_key_create(dsaKey);
+ if(!pk)
+ return NULL;
+ if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.prime, &P)) {
+ SECKEY_DestroyPublicKey(pk);
+ return NULL;
+ }
+ if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.subPrime, &Q)) {
+ SECKEY_DestroyPublicKey(pk);
+ return NULL;
+ }
+ if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.base, &G)) {
+ SECKEY_DestroyPublicKey(pk);
+ return NULL;
+ }
+ if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.publicValue, &Y)) {
+ SECKEY_DestroyPublicKey(pk);
+ return NULL;
+ }
+ return pk;
+}
+
+static SECKEYPublicKey* nss_buf2rsa(unsigned char* key, size_t len)
+{
+ SECKEYPublicKey* pk;
+ uint16_t exp;
+ uint16_t offset;
+ uint16_t int16;
+ SECItem modulus = {siBuffer, NULL, 0};
+ SECItem exponent = {siBuffer, NULL, 0};
+ if(len == 0)
+ return NULL;
+ if(key[0] == 0) {
+ if(len < 3)
+ return NULL;
+ /* the exponent is too large so it's places further */
+ memmove(&int16, key+1, 2);
+ exp = ntohs(int16);
+ offset = 3;
+ } else {
+ exp = key[0];
+ offset = 1;
+ }
+
+ /* key length at least one */
+ if(len < (size_t)offset + exp + 1)
+ return NULL;
+
+ exponent.data = key+offset;
+ exponent.len = exp;
+ offset += exp;
+ modulus.data = key+offset;
+ modulus.len = (len - offset);
+
+ pk = nss_key_create(rsaKey);
+ if(!pk)
+ return NULL;
+ if(SECITEM_CopyItem(pk->arena, &pk->u.rsa.modulus, &modulus)) {
+ SECKEY_DestroyPublicKey(pk);
+ return NULL;
+ }
+ if(SECITEM_CopyItem(pk->arena, &pk->u.rsa.publicExponent, &exponent)) {
+ SECKEY_DestroyPublicKey(pk);
+ return NULL;
+ }
+ return pk;
+}
+
+/**
+ * Setup key and digest for verification. Adjust sig if necessary.
+ *
+ * @param algo: key algorithm
+ * @param evp_key: EVP PKEY public key to create.
+ * @param digest_type: digest type to use
+ * @param key: key to setup for.
+ * @param keylen: length of key.
+ * @param prefix: if returned, the ASN prefix for the hashblob.
+ * @param prefixlen: length of the prefix.
+ * @return false on failure.
+ */
+static int
+nss_setup_key_digest(int algo, SECKEYPublicKey** pubkey, HASH_HashType* htype,
+ unsigned char* key, size_t keylen, unsigned char** prefix,
+ size_t* prefixlen)
+{
+ /* uses libNSS */
+
+ /* hash prefix for md5, RFC2537 */
+ static unsigned char p_md5[] = {0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a,
+ 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 0x04, 0x10};
+ /* hash prefix to prepend to hash output, from RFC3110 */
+ static unsigned char p_sha1[] = {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B,
+ 0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14};
+ /* from RFC5702 */
+ static unsigned char p_sha256[] = {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60,
+ 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20};
+ static unsigned char p_sha512[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60,
+ 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40};
+ /* from RFC6234 */
+ /* for future RSASHA384 ..
+ static unsigned char p_sha384[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60,
+ 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30};
+ */
+
+ switch(algo) {
+ case LDNS_DSA:
+ case LDNS_DSA_NSEC3:
+ *pubkey = nss_buf2dsa(key, keylen);
+ if(!*pubkey) {
+ log_err("verify: malloc failure in crypto");
+ return 0;
+ }
+ *htype = HASH_AlgSHA1;
+ /* no prefix for DSA verification */
+ break;
+ case LDNS_RSASHA1:
+ case LDNS_RSASHA1_NSEC3:
+#ifdef USE_SHA2
+ case LDNS_RSASHA256:
+#endif
+#ifdef USE_SHA2
+ case LDNS_RSASHA512:
+#endif
+ *pubkey = nss_buf2rsa(key, keylen);
+ if(!*pubkey) {
+ log_err("verify: malloc failure in crypto");
+ return 0;
+ }
+ /* select SHA version */
+#ifdef USE_SHA2
+ if(algo == LDNS_RSASHA256) {
+ *htype = HASH_AlgSHA256;
+ *prefix = p_sha256;
+ *prefixlen = sizeof(p_sha256);
+ } else
+#endif
+#ifdef USE_SHA2
+ if(algo == LDNS_RSASHA512) {
+ *htype = HASH_AlgSHA512;
+ *prefix = p_sha512;
+ *prefixlen = sizeof(p_sha512);
+ } else
+#endif
+ {
+ *htype = HASH_AlgSHA1;
+ *prefix = p_sha1;
+ *prefixlen = sizeof(p_sha1);
+ }
+
+ break;
+ case LDNS_RSAMD5:
+ *pubkey = nss_buf2rsa(key, keylen);
+ if(!*pubkey) {
+ log_err("verify: malloc failure in crypto");
+ return 0;
+ }
+ *htype = HASH_AlgMD5;
+ *prefix = p_md5;
+ *prefixlen = sizeof(p_md5);
+
+ break;
+#ifdef USE_ECDSA
+ case LDNS_ECDSAP256SHA256:
+ *pubkey = nss_buf2ecdsa(key, keylen,
+ LDNS_ECDSAP256SHA256);
+ if(!*pubkey) {
+ log_err("verify: malloc failure in crypto");
+ return 0;
+ }
+ *htype = HASH_AlgSHA256;
+ /* no prefix for DSA verification */
+ break;
+ case LDNS_ECDSAP384SHA384:
+ *pubkey = nss_buf2ecdsa(key, keylen,
+ LDNS_ECDSAP384SHA384);
+ if(!*pubkey) {
+ log_err("verify: malloc failure in crypto");
+ return 0;
+ }
+ *htype = HASH_AlgSHA384;
+ /* no prefix for DSA verification */
+ break;
+#endif /* USE_ECDSA */
+ case LDNS_ECC_GOST:
+ default:
+ verbose(VERB_QUERY, "verify: unknown algorithm %d",
+ algo);
+ return 0;
+ }
+ return 1;
+}
+
+/**
+ * Check a canonical sig+rrset and signature against a dnskey
+ * @param buf: buffer with data to verify, the first rrsig part and the
+ * canonicalized rrset.
+ * @param algo: DNSKEY algorithm.
+ * @param sigblock: signature rdata field from RRSIG
+ * @param sigblock_len: length of sigblock data.
+ * @param key: public key data from DNSKEY RR.
+ * @param keylen: length of keydata.
+ * @param reason: bogus reason in more detail.
+ * @return secure if verification succeeded, bogus on crypto failure,
+ * unchecked on format errors and alloc failures.
+ */
+enum sec_status
+verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
+ unsigned int sigblock_len, unsigned char* key, unsigned int keylen,
+ char** reason)
+{
+ /* uses libNSS */
+ /* large enough for the different hashes */
+ unsigned char hash[HASH_LENGTH_MAX];
+ unsigned char hash2[HASH_LENGTH_MAX*2];
+ HASH_HashType htype = 0;
+ SECKEYPublicKey* pubkey = NULL;
+ SECItem secsig = {siBuffer, sigblock, sigblock_len};
+ SECItem sechash = {siBuffer, hash, 0};
+ SECStatus res;
+ unsigned char* prefix = NULL; /* prefix for hash, RFC3110, RFC5702 */
+ size_t prefixlen = 0;
+ int err;
+
+ if(!nss_setup_key_digest(algo, &pubkey, &htype, key, keylen,
+ &prefix, &prefixlen)) {
+ verbose(VERB_QUERY, "verify: failed to setup key");
+ *reason = "use of key for crypto failed";
+ SECKEY_DestroyPublicKey(pubkey);
+ return sec_status_bogus;
+ }
+
+ /* need to convert DSA, ECDSA signatures? */
+ if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3)) {
+ if(sigblock_len == 1+2*SHA1_LENGTH) {
+ secsig.data ++;
+ secsig.len --;
+ } else {
+ SECItem* p = DSAU_DecodeDerSig(&secsig);
+ if(!p) {
+ verbose(VERB_QUERY, "verify: failed DER decode");
+ *reason = "signature DER decode failed";
+ SECKEY_DestroyPublicKey(pubkey);
+ return sec_status_bogus;
+ }
+ if(SECITEM_CopyItem(pubkey->arena, &secsig, p)) {
+ log_err("alloc failure in DER decode");
+ SECKEY_DestroyPublicKey(pubkey);
+ SECITEM_FreeItem(p, PR_TRUE);
+ return sec_status_unchecked;
+ }
+ SECITEM_FreeItem(p, PR_TRUE);
+ }
+ }
+
+ /* do the signature cryptography work */
+ /* hash the data */
+ sechash.len = HASH_ResultLen(htype);
+ if(sechash.len > sizeof(hash)) {
+ verbose(VERB_QUERY, "verify: hash too large for buffer");
+ SECKEY_DestroyPublicKey(pubkey);
+ return sec_status_unchecked;
+ }
+ if(HASH_HashBuf(htype, hash, (unsigned char*)sldns_buffer_begin(buf),
+ (unsigned int)sldns_buffer_limit(buf)) != SECSuccess) {
+ verbose(VERB_QUERY, "verify: HASH_HashBuf failed");
+ SECKEY_DestroyPublicKey(pubkey);
+ return sec_status_unchecked;
+ }
+ if(prefix) {
+ int hashlen = sechash.len;
+ if(prefixlen+hashlen > sizeof(hash2)) {
+ verbose(VERB_QUERY, "verify: hashprefix too large");
+ SECKEY_DestroyPublicKey(pubkey);
+ return sec_status_unchecked;
+ }
+ sechash.data = hash2;
+ sechash.len = prefixlen+hashlen;
+ memcpy(sechash.data, prefix, prefixlen);
+ memmove(sechash.data+prefixlen, hash, hashlen);
+ }
+
+ /* verify the signature */
+ res = PK11_Verify(pubkey, &secsig, &sechash, NULL /*wincx*/);
+ SECKEY_DestroyPublicKey(pubkey);
+
+ if(res == SECSuccess) {
+ return sec_status_secure;
+ }
+ err = PORT_GetError();
+ if(err != SEC_ERROR_BAD_SIGNATURE) {
+ /* failed to verify */
+ verbose(VERB_QUERY, "verify: PK11_Verify failed: %s",
+ PORT_ErrorToString(err));
+ /* if it is not supported, like ECC is removed, we get,
+ * SEC_ERROR_NO_MODULE */
+ if(err == SEC_ERROR_NO_MODULE)
+ return sec_status_unchecked;
+ /* but other errors are commonly returned
+ * for a bad signature from NSS. Thus we return bogus,
+ * not unchecked */
+ *reason = "signature crypto failed";
+ return sec_status_bogus;
+ }
+ verbose(VERB_QUERY, "verify: signature mismatch: %s",
+ PORT_ErrorToString(err));
+ *reason = "signature crypto failed";
+ return sec_status_bogus;
+}
+
+
+#endif /* HAVE_SSL or HAVE_NSS */