1/* 2 * validator/val_secalgo.c - validator security algorithm functions. 3 * 4 * Copyright (c) 2012, NLnet Labs. All rights reserved. 5 * 6 * This software is open source. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * Redistributions of source code must retain the above copyright notice, 13 * this list of conditions and the following disclaimer. 14 * 15 * Redistributions in binary form must reproduce the above copyright notice, 16 * this list of conditions and the following disclaimer in the documentation 17 * and/or other materials provided with the distribution. 18 * 19 * Neither the name of the NLNET LABS nor the names of its contributors may 20 * be used to endorse or promote products derived from this software without 21 * specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36/** 37 * \file 38 * 39 * This file contains helper functions for the validator module. 40 * These functions take raw data buffers, formatted for crypto verification, 41 * and do the library calls (for the crypto library in use). 42 */ 43#include "config.h" 44/* packed_rrset on top to define enum types (forced by c99 standard) */ 45#include "util/data/packed_rrset.h" 46#include "validator/val_secalgo.h" 47#include "validator/val_nsec3.h" 48#include "util/log.h" 49#include "sldns/rrdef.h" 50#include "sldns/keyraw.h" 51#include "sldns/sbuffer.h" 52 53#if !defined(HAVE_SSL) && !defined(HAVE_NSS) && !defined(HAVE_NETTLE) 54#error "Need crypto library to do digital signature cryptography" 55#endif 56 57/* OpenSSL implementation */ 58#ifdef HAVE_SSL 59#ifdef HAVE_OPENSSL_ERR_H 60#include <openssl/err.h> 61#endif 62 63#ifdef HAVE_OPENSSL_RAND_H 64#include <openssl/rand.h> 65#endif 66 67#ifdef HAVE_OPENSSL_CONF_H 68#include <openssl/conf.h> 69#endif 70 71#ifdef HAVE_OPENSSL_ENGINE_H 72#include <openssl/engine.h> 73#endif 74 75/* return size of digest if supported, or 0 otherwise */ 76size_t 77nsec3_hash_algo_size_supported(int id) 78{ 79 switch(id) { 80 case NSEC3_HASH_SHA1: 81 return SHA_DIGEST_LENGTH; 82 default: 83 return 0; 84 } 85} 86 87/* perform nsec3 hash. return false on failure */ 88int 89secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len, 90 unsigned char* res) 91{ 92 switch(algo) { 93 case NSEC3_HASH_SHA1: 94 (void)SHA1(buf, len, res); 95 return 1; 96 default: 97 return 0; 98 } 99} 100 101/** 102 * Return size of DS digest according to its hash algorithm. 103 * @param algo: DS digest algo. 104 * @return size in bytes of digest, or 0 if not supported. 105 */ 106size_t 107ds_digest_size_supported(int algo) 108{ 109 switch(algo) { 110#ifdef HAVE_EVP_SHA1 111 case LDNS_SHA1: 112 return SHA_DIGEST_LENGTH; 113#endif 114#ifdef HAVE_EVP_SHA256 115 case LDNS_SHA256: 116 return SHA256_DIGEST_LENGTH; 117#endif 118#ifdef USE_GOST 119 case LDNS_HASH_GOST: 120 if(EVP_get_digestbyname("md_gost94")) 121 return 32; 122 else return 0; 123#endif 124#ifdef USE_ECDSA 125 case LDNS_SHA384: 126 return SHA384_DIGEST_LENGTH; 127#endif 128 default: break; 129 } 130 return 0; 131} 132 133#ifdef USE_GOST 134/** Perform GOST hash */ 135static int 136do_gost94(unsigned char* data, size_t len, unsigned char* dest) 137{ 138 const EVP_MD* md = EVP_get_digestbyname("md_gost94"); 139 if(!md) 140 return 0; 141 return sldns_digest_evp(data, (unsigned int)len, dest, md); 142} 143#endif 144 145int 146secalgo_ds_digest(int algo, unsigned char* buf, size_t len, 147 unsigned char* res) 148{ 149 switch(algo) { 150#ifdef HAVE_EVP_SHA1 151 case LDNS_SHA1: 152 (void)SHA1(buf, len, res); 153 return 1; 154#endif 155#ifdef HAVE_EVP_SHA256 156 case LDNS_SHA256: 157 (void)SHA256(buf, len, res); 158 return 1; 159#endif 160#ifdef USE_GOST 161 case LDNS_HASH_GOST: 162 if(do_gost94(buf, len, res)) 163 return 1; 164 break; 165#endif 166#ifdef USE_ECDSA 167 case LDNS_SHA384: 168 (void)SHA384(buf, len, res); 169 return 1; 170#endif 171 default: 172 verbose(VERB_QUERY, "unknown DS digest algorithm %d", 173 algo); 174 break; 175 } 176 return 0; 177} 178 179/** return true if DNSKEY algorithm id is supported */ 180int 181dnskey_algo_id_is_supported(int id) 182{ 183 switch(id) { 184 case LDNS_RSAMD5: 185 /* RFC 6725 deprecates RSAMD5 */ 186 return 0; 187 case LDNS_DSA: 188 case LDNS_DSA_NSEC3: 189 case LDNS_RSASHA1: 190 case LDNS_RSASHA1_NSEC3: 191#if defined(HAVE_EVP_SHA256) && defined(USE_SHA2) 192 case LDNS_RSASHA256: 193#endif 194#if defined(HAVE_EVP_SHA512) && defined(USE_SHA2) 195 case LDNS_RSASHA512: 196#endif 197#ifdef USE_ECDSA 198 case LDNS_ECDSAP256SHA256: 199 case LDNS_ECDSAP384SHA384: 200#endif 201 return 1; 202#ifdef USE_GOST 203 case LDNS_ECC_GOST: 204 /* we support GOST if it can be loaded */ 205 return sldns_key_EVP_load_gost_id(); 206#endif 207 default: 208 return 0; 209 } 210} 211 212/** 213 * Output a libcrypto openssl error to the logfile. 214 * @param str: string to add to it. 215 * @param e: the error to output, error number from ERR_get_error(). 216 */ 217static void 218log_crypto_error(const char* str, unsigned long e) 219{ 220 char buf[128]; 221 /* or use ERR_error_string if ERR_error_string_n is not avail TODO */ 222 ERR_error_string_n(e, buf, sizeof(buf)); 223 /* buf now contains */ 224 /* error:[error code]:[library name]:[function name]:[reason string] */ 225 log_err("%s crypto %s", str, buf); 226} 227 228/** 229 * Setup DSA key digest in DER encoding ... 230 * @param sig: input is signature output alloced ptr (unless failure). 231 * caller must free alloced ptr if this routine returns true. 232 * @param len: input is initial siglen, output is output len. 233 * @return false on failure. 234 */ 235static int 236setup_dsa_sig(unsigned char** sig, unsigned int* len) 237{ 238 unsigned char* orig = *sig; 239 unsigned int origlen = *len; 240 int newlen; 241 BIGNUM *R, *S; 242 DSA_SIG *dsasig; 243 244 /* extract the R and S field from the sig buffer */ 245 if(origlen < 1 + 2*SHA_DIGEST_LENGTH) 246 return 0; 247 R = BN_new(); 248 if(!R) return 0; 249 (void) BN_bin2bn(orig + 1, SHA_DIGEST_LENGTH, R); 250 S = BN_new(); 251 if(!S) return 0; 252 (void) BN_bin2bn(orig + 21, SHA_DIGEST_LENGTH, S); 253 dsasig = DSA_SIG_new(); 254 if(!dsasig) return 0; 255 256 dsasig->r = R; 257 dsasig->s = S; 258 *sig = NULL; 259 newlen = i2d_DSA_SIG(dsasig, sig); 260 if(newlen < 0) { 261 DSA_SIG_free(dsasig); 262 free(*sig); 263 return 0; 264 } 265 *len = (unsigned int)newlen; 266 DSA_SIG_free(dsasig); 267 return 1; 268} 269 270#ifdef USE_ECDSA 271/** 272 * Setup the ECDSA signature in its encoding that the library wants. 273 * Converts from plain numbers to ASN formatted. 274 * @param sig: input is signature, output alloced ptr (unless failure). 275 * caller must free alloced ptr if this routine returns true. 276 * @param len: input is initial siglen, output is output len. 277 * @return false on failure. 278 */ 279static int 280setup_ecdsa_sig(unsigned char** sig, unsigned int* len) 281{ 282 ECDSA_SIG* ecdsa_sig; 283 int newlen; 284 int bnsize = (int)((*len)/2); 285 /* if too short or not even length, fails */ 286 if(*len < 16 || bnsize*2 != (int)*len) 287 return 0; 288 /* use the raw data to parse two evenly long BIGNUMs, "r | s". */ 289 ecdsa_sig = ECDSA_SIG_new(); 290 if(!ecdsa_sig) return 0; 291 ecdsa_sig->r = BN_bin2bn(*sig, bnsize, ecdsa_sig->r); 292 ecdsa_sig->s = BN_bin2bn(*sig+bnsize, bnsize, ecdsa_sig->s); 293 if(!ecdsa_sig->r || !ecdsa_sig->s) { 294 ECDSA_SIG_free(ecdsa_sig); 295 return 0; 296 } 297 298 /* spool it into ASN format */ 299 *sig = NULL; 300 newlen = i2d_ECDSA_SIG(ecdsa_sig, sig); 301 if(newlen <= 0) { 302 ECDSA_SIG_free(ecdsa_sig); 303 free(*sig); 304 return 0; 305 } 306 *len = (unsigned int)newlen; 307 ECDSA_SIG_free(ecdsa_sig); 308 return 1; 309} 310#endif /* USE_ECDSA */ 311 312/** 313 * Setup key and digest for verification. Adjust sig if necessary. 314 * 315 * @param algo: key algorithm 316 * @param evp_key: EVP PKEY public key to create. 317 * @param digest_type: digest type to use 318 * @param key: key to setup for. 319 * @param keylen: length of key. 320 * @return false on failure. 321 */ 322static int 323setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type, 324 unsigned char* key, size_t keylen) 325{ 326 DSA* dsa; 327 RSA* rsa; 328 329 switch(algo) { 330 case LDNS_DSA: 331 case LDNS_DSA_NSEC3: 332 *evp_key = EVP_PKEY_new(); 333 if(!*evp_key) { 334 log_err("verify: malloc failure in crypto"); 335 return 0; 336 } 337 dsa = sldns_key_buf2dsa_raw(key, keylen); 338 if(!dsa) { 339 verbose(VERB_QUERY, "verify: " 340 "sldns_key_buf2dsa_raw failed"); 341 return 0; 342 } 343 if(EVP_PKEY_assign_DSA(*evp_key, dsa) == 0) { 344 verbose(VERB_QUERY, "verify: " 345 "EVP_PKEY_assign_DSA failed"); 346 return 0; 347 } 348 *digest_type = EVP_dss1(); 349 350 break; 351 case LDNS_RSASHA1: 352 case LDNS_RSASHA1_NSEC3: 353#if defined(HAVE_EVP_SHA256) && defined(USE_SHA2) 354 case LDNS_RSASHA256: 355#endif 356#if defined(HAVE_EVP_SHA512) && defined(USE_SHA2) 357 case LDNS_RSASHA512: 358#endif 359 *evp_key = EVP_PKEY_new(); 360 if(!*evp_key) { 361 log_err("verify: malloc failure in crypto"); 362 return 0; 363 } 364 rsa = sldns_key_buf2rsa_raw(key, keylen); 365 if(!rsa) { 366 verbose(VERB_QUERY, "verify: " 367 "sldns_key_buf2rsa_raw SHA failed"); 368 return 0; 369 } 370 if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) { 371 verbose(VERB_QUERY, "verify: " 372 "EVP_PKEY_assign_RSA SHA failed"); 373 return 0; 374 } 375 376 /* select SHA version */ 377#if defined(HAVE_EVP_SHA256) && defined(USE_SHA2) 378 if(algo == LDNS_RSASHA256) 379 *digest_type = EVP_sha256(); 380 else 381#endif 382#if defined(HAVE_EVP_SHA512) && defined(USE_SHA2) 383 if(algo == LDNS_RSASHA512) 384 *digest_type = EVP_sha512(); 385 else 386#endif 387 *digest_type = EVP_sha1(); 388 389 break; 390 case LDNS_RSAMD5: 391 *evp_key = EVP_PKEY_new(); 392 if(!*evp_key) { 393 log_err("verify: malloc failure in crypto"); 394 return 0; 395 } 396 rsa = sldns_key_buf2rsa_raw(key, keylen); 397 if(!rsa) { 398 verbose(VERB_QUERY, "verify: " 399 "sldns_key_buf2rsa_raw MD5 failed"); 400 return 0; 401 } 402 if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) { 403 verbose(VERB_QUERY, "verify: " 404 "EVP_PKEY_assign_RSA MD5 failed"); 405 return 0; 406 } 407 *digest_type = EVP_md5(); 408 409 break; 410#ifdef USE_GOST 411 case LDNS_ECC_GOST: 412 *evp_key = sldns_gost2pkey_raw(key, keylen); 413 if(!*evp_key) { 414 verbose(VERB_QUERY, "verify: " 415 "sldns_gost2pkey_raw failed"); 416 return 0; 417 } 418 *digest_type = EVP_get_digestbyname("md_gost94"); 419 if(!*digest_type) { 420 verbose(VERB_QUERY, "verify: " 421 "EVP_getdigest md_gost94 failed"); 422 return 0; 423 } 424 break; 425#endif 426#ifdef USE_ECDSA 427 case LDNS_ECDSAP256SHA256: 428 *evp_key = sldns_ecdsa2pkey_raw(key, keylen, 429 LDNS_ECDSAP256SHA256); 430 if(!*evp_key) { 431 verbose(VERB_QUERY, "verify: " 432 "sldns_ecdsa2pkey_raw failed"); 433 return 0; 434 } 435#ifdef USE_ECDSA_EVP_WORKAROUND 436 /* openssl before 1.0.0 fixes RSA with the SHA256 437 * hash in EVP. We create one for ecdsa_sha256 */ 438 { 439 static int md_ecdsa_256_done = 0; 440 static EVP_MD md; 441 if(!md_ecdsa_256_done) { 442 EVP_MD m = *EVP_sha256(); 443 md_ecdsa_256_done = 1; 444 m.required_pkey_type[0] = (*evp_key)->type; 445 m.verify = (void*)ECDSA_verify; 446 md = m; 447 } 448 *digest_type = &md; 449 } 450#else 451 *digest_type = EVP_sha256(); 452#endif 453 break; 454 case LDNS_ECDSAP384SHA384: 455 *evp_key = sldns_ecdsa2pkey_raw(key, keylen, 456 LDNS_ECDSAP384SHA384); 457 if(!*evp_key) { 458 verbose(VERB_QUERY, "verify: " 459 "sldns_ecdsa2pkey_raw failed"); 460 return 0; 461 } 462#ifdef USE_ECDSA_EVP_WORKAROUND 463 /* openssl before 1.0.0 fixes RSA with the SHA384 464 * hash in EVP. We create one for ecdsa_sha384 */ 465 { 466 static int md_ecdsa_384_done = 0; 467 static EVP_MD md; 468 if(!md_ecdsa_384_done) { 469 EVP_MD m = *EVP_sha384(); 470 md_ecdsa_384_done = 1; 471 m.required_pkey_type[0] = (*evp_key)->type; 472 m.verify = (void*)ECDSA_verify; 473 md = m; 474 } 475 *digest_type = &md; 476 } 477#else 478 *digest_type = EVP_sha384(); 479#endif 480 break; 481#endif /* USE_ECDSA */ 482 default: 483 verbose(VERB_QUERY, "verify: unknown algorithm %d", 484 algo); 485 return 0; 486 } 487 return 1; 488} 489 490/** 491 * Check a canonical sig+rrset and signature against a dnskey 492 * @param buf: buffer with data to verify, the first rrsig part and the 493 * canonicalized rrset. 494 * @param algo: DNSKEY algorithm. 495 * @param sigblock: signature rdata field from RRSIG 496 * @param sigblock_len: length of sigblock data. 497 * @param key: public key data from DNSKEY RR. 498 * @param keylen: length of keydata. 499 * @param reason: bogus reason in more detail. 500 * @return secure if verification succeeded, bogus on crypto failure, 501 * unchecked on format errors and alloc failures. 502 */ 503enum sec_status 504verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock, 505 unsigned int sigblock_len, unsigned char* key, unsigned int keylen, 506 char** reason) 507{ 508 const EVP_MD *digest_type; 509 EVP_MD_CTX ctx; 510 int res, dofree = 0; 511 EVP_PKEY *evp_key = NULL; 512 513 if(!setup_key_digest(algo, &evp_key, &digest_type, key, keylen)) { 514 verbose(VERB_QUERY, "verify: failed to setup key"); 515 *reason = "use of key for crypto failed"; 516 EVP_PKEY_free(evp_key); 517 return sec_status_bogus; 518 } 519 /* if it is a DSA signature in bind format, convert to DER format */ 520 if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) && 521 sigblock_len == 1+2*SHA_DIGEST_LENGTH) { 522 if(!setup_dsa_sig(&sigblock, &sigblock_len)) { 523 verbose(VERB_QUERY, "verify: failed to setup DSA sig"); 524 *reason = "use of key for DSA crypto failed"; 525 EVP_PKEY_free(evp_key); 526 return sec_status_bogus; 527 } 528 dofree = 1; 529 } 530#ifdef USE_ECDSA 531 else if(algo == LDNS_ECDSAP256SHA256 || algo == LDNS_ECDSAP384SHA384) { 532 /* EVP uses ASN prefix on sig, which is not in the wire data */ 533 if(!setup_ecdsa_sig(&sigblock, &sigblock_len)) { 534 verbose(VERB_QUERY, "verify: failed to setup ECDSA sig"); 535 *reason = "use of signature for ECDSA crypto failed"; 536 EVP_PKEY_free(evp_key); 537 return sec_status_bogus; 538 } 539 dofree = 1; 540 } 541#endif /* USE_ECDSA */ 542 543 /* do the signature cryptography work */ 544 EVP_MD_CTX_init(&ctx); 545 if(EVP_VerifyInit(&ctx, digest_type) == 0) { 546 verbose(VERB_QUERY, "verify: EVP_VerifyInit failed"); 547 EVP_PKEY_free(evp_key); 548 if(dofree) free(sigblock); 549 return sec_status_unchecked; 550 } 551 if(EVP_VerifyUpdate(&ctx, (unsigned char*)sldns_buffer_begin(buf), 552 (unsigned int)sldns_buffer_limit(buf)) == 0) { 553 verbose(VERB_QUERY, "verify: EVP_VerifyUpdate failed"); 554 EVP_PKEY_free(evp_key); 555 if(dofree) free(sigblock); 556 return sec_status_unchecked; 557 } 558 559 res = EVP_VerifyFinal(&ctx, sigblock, sigblock_len, evp_key); 560 if(EVP_MD_CTX_cleanup(&ctx) == 0) { 561 verbose(VERB_QUERY, "verify: EVP_MD_CTX_cleanup failed"); 562 EVP_PKEY_free(evp_key); 563 if(dofree) free(sigblock); 564 return sec_status_unchecked; 565 } 566 EVP_PKEY_free(evp_key); 567 568 if(dofree) 569 free(sigblock); 570 571 if(res == 1) { 572 return sec_status_secure; 573 } else if(res == 0) { 574 verbose(VERB_QUERY, "verify: signature mismatch"); 575 *reason = "signature crypto failed"; 576 return sec_status_bogus; 577 } 578 579 log_crypto_error("verify:", ERR_get_error()); 580 return sec_status_unchecked; 581} 582 583/**************************************************/ 584#elif defined(HAVE_NSS) 585/* libnss implementation */ 586/* nss3 */ 587#include "sechash.h" 588#include "pk11pub.h" 589#include "keyhi.h" 590#include "secerr.h" 591#include "cryptohi.h" 592/* nspr4 */ 593#include "prerror.h" 594 595/* return size of digest if supported, or 0 otherwise */ 596size_t 597nsec3_hash_algo_size_supported(int id) 598{ 599 switch(id) { 600 case NSEC3_HASH_SHA1: 601 return SHA1_LENGTH; 602 default: 603 return 0; 604 } 605} 606 607/* perform nsec3 hash. return false on failure */ 608int 609secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len, 610 unsigned char* res) 611{ 612 switch(algo) { 613 case NSEC3_HASH_SHA1: 614 (void)HASH_HashBuf(HASH_AlgSHA1, res, buf, (unsigned long)len); 615 return 1; 616 default: 617 return 0; 618 } 619} 620 621size_t 622ds_digest_size_supported(int algo) 623{ 624 /* uses libNSS */ 625 switch(algo) { 626 case LDNS_SHA1: 627 return SHA1_LENGTH; 628#ifdef USE_SHA2 629 case LDNS_SHA256: 630 return SHA256_LENGTH; 631#endif 632#ifdef USE_ECDSA 633 case LDNS_SHA384: 634 return SHA384_LENGTH; 635#endif 636 /* GOST not supported in NSS */ 637 case LDNS_HASH_GOST: 638 default: break; 639 } 640 return 0; 641} 642 643int 644secalgo_ds_digest(int algo, unsigned char* buf, size_t len, 645 unsigned char* res) 646{ 647 /* uses libNSS */ 648 switch(algo) { 649 case LDNS_SHA1: 650 return HASH_HashBuf(HASH_AlgSHA1, res, buf, len) 651 == SECSuccess; 652#if defined(USE_SHA2) 653 case LDNS_SHA256: 654 return HASH_HashBuf(HASH_AlgSHA256, res, buf, len) 655 == SECSuccess; 656#endif 657#ifdef USE_ECDSA 658 case LDNS_SHA384: 659 return HASH_HashBuf(HASH_AlgSHA384, res, buf, len) 660 == SECSuccess; 661#endif 662 case LDNS_HASH_GOST: 663 default: 664 verbose(VERB_QUERY, "unknown DS digest algorithm %d", 665 algo); 666 break; 667 } 668 return 0; 669} 670 671int 672dnskey_algo_id_is_supported(int id) 673{ 674 /* uses libNSS */ 675 switch(id) { 676 case LDNS_RSAMD5: 677 /* RFC 6725 deprecates RSAMD5 */ 678 return 0; 679 case LDNS_DSA: 680 case LDNS_DSA_NSEC3: 681 case LDNS_RSASHA1: 682 case LDNS_RSASHA1_NSEC3: 683#ifdef USE_SHA2 684 case LDNS_RSASHA256: 685#endif 686#ifdef USE_SHA2 687 case LDNS_RSASHA512: 688#endif 689 return 1; 690#ifdef USE_ECDSA 691 case LDNS_ECDSAP256SHA256: 692 case LDNS_ECDSAP384SHA384: 693 return PK11_TokenExists(CKM_ECDSA); 694#endif 695 case LDNS_ECC_GOST: 696 default: 697 return 0; 698 } 699} 700 701/* return a new public key for NSS */ 702static SECKEYPublicKey* nss_key_create(KeyType ktype) 703{ 704 SECKEYPublicKey* key; 705 PLArenaPool* arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); 706 if(!arena) { 707 log_err("out of memory, PORT_NewArena failed"); 708 return NULL; 709 } 710 key = PORT_ArenaZNew(arena, SECKEYPublicKey); 711 if(!key) { 712 log_err("out of memory, PORT_ArenaZNew failed"); 713 PORT_FreeArena(arena, PR_FALSE); 714 return NULL; 715 } 716 key->arena = arena; 717 key->keyType = ktype; 718 key->pkcs11Slot = NULL; 719 key->pkcs11ID = CK_INVALID_HANDLE; 720 return key; 721} 722 723static SECKEYPublicKey* nss_buf2ecdsa(unsigned char* key, size_t len, int algo) 724{ 725 SECKEYPublicKey* pk; 726 SECItem pub = {siBuffer, NULL, 0}; 727 SECItem params = {siBuffer, NULL, 0}; 728 static unsigned char param256[] = { 729 /* OBJECTIDENTIFIER 1.2.840.10045.3.1.7 (P-256) 730 * {iso(1) member-body(2) us(840) ansi-x962(10045) curves(3) prime(1) prime256v1(7)} */ 731 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07 732 }; 733 static unsigned char param384[] = { 734 /* OBJECTIDENTIFIER 1.3.132.0.34 (P-384) 735 * {iso(1) identified-organization(3) certicom(132) curve(0) ansip384r1(34)} */ 736 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22 737 }; 738 unsigned char buf[256+2]; /* sufficient for 2*384/8+1 */ 739 740 /* check length, which uncompressed must be 2 bignums */ 741 if(algo == LDNS_ECDSAP256SHA256) { 742 if(len != 2*256/8) return NULL; 743 /* ECCurve_X9_62_PRIME_256V1 */ 744 } else if(algo == LDNS_ECDSAP384SHA384) { 745 if(len != 2*384/8) return NULL; 746 /* ECCurve_X9_62_PRIME_384R1 */ 747 } else return NULL; 748 749 buf[0] = 0x04; /* POINT_FORM_UNCOMPRESSED */ 750 memmove(buf+1, key, len); 751 pub.data = buf; 752 pub.len = len+1; 753 if(algo == LDNS_ECDSAP256SHA256) { 754 params.data = param256; 755 params.len = sizeof(param256); 756 } else { 757 params.data = param384; 758 params.len = sizeof(param384); 759 } 760 761 pk = nss_key_create(ecKey); 762 if(!pk) 763 return NULL; 764 pk->u.ec.size = (len/2)*8; 765 if(SECITEM_CopyItem(pk->arena, &pk->u.ec.publicValue, &pub)) { 766 SECKEY_DestroyPublicKey(pk); 767 return NULL; 768 } 769 if(SECITEM_CopyItem(pk->arena, &pk->u.ec.DEREncodedParams, ¶ms)) { 770 SECKEY_DestroyPublicKey(pk); 771 return NULL; 772 } 773 774 return pk; 775} 776 777static SECKEYPublicKey* nss_buf2dsa(unsigned char* key, size_t len) 778{ 779 SECKEYPublicKey* pk; 780 uint8_t T; 781 uint16_t length; 782 uint16_t offset; 783 SECItem Q = {siBuffer, NULL, 0}; 784 SECItem P = {siBuffer, NULL, 0}; 785 SECItem G = {siBuffer, NULL, 0}; 786 SECItem Y = {siBuffer, NULL, 0}; 787 788 if(len == 0) 789 return NULL; 790 T = (uint8_t)key[0]; 791 length = (64 + T * 8); 792 offset = 1; 793 794 if (T > 8) { 795 return NULL; 796 } 797 if(len < (size_t)1 + SHA1_LENGTH + 3*length) 798 return NULL; 799 800 Q.data = key+offset; 801 Q.len = SHA1_LENGTH; 802 offset += SHA1_LENGTH; 803 804 P.data = key+offset; 805 P.len = length; 806 offset += length; 807 808 G.data = key+offset; 809 G.len = length; 810 offset += length; 811 812 Y.data = key+offset; 813 Y.len = length; 814 offset += length; 815 816 pk = nss_key_create(dsaKey); 817 if(!pk) 818 return NULL; 819 if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.prime, &P)) { 820 SECKEY_DestroyPublicKey(pk); 821 return NULL; 822 } 823 if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.subPrime, &Q)) { 824 SECKEY_DestroyPublicKey(pk); 825 return NULL; 826 } 827 if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.base, &G)) { 828 SECKEY_DestroyPublicKey(pk); 829 return NULL; 830 } 831 if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.publicValue, &Y)) { 832 SECKEY_DestroyPublicKey(pk); 833 return NULL; 834 } 835 return pk; 836} 837 838static SECKEYPublicKey* nss_buf2rsa(unsigned char* key, size_t len) 839{ 840 SECKEYPublicKey* pk; 841 uint16_t exp; 842 uint16_t offset; 843 uint16_t int16; 844 SECItem modulus = {siBuffer, NULL, 0}; 845 SECItem exponent = {siBuffer, NULL, 0}; 846 if(len == 0) 847 return NULL; 848 if(key[0] == 0) { 849 if(len < 3) 850 return NULL; 851 /* the exponent is too large so it's places further */ 852 memmove(&int16, key+1, 2); 853 exp = ntohs(int16); 854 offset = 3; 855 } else { 856 exp = key[0]; 857 offset = 1; 858 } 859 860 /* key length at least one */ 861 if(len < (size_t)offset + exp + 1) 862 return NULL; 863 864 exponent.data = key+offset; 865 exponent.len = exp; 866 offset += exp; 867 modulus.data = key+offset; 868 modulus.len = (len - offset); 869 870 pk = nss_key_create(rsaKey); 871 if(!pk) 872 return NULL; 873 if(SECITEM_CopyItem(pk->arena, &pk->u.rsa.modulus, &modulus)) { 874 SECKEY_DestroyPublicKey(pk); 875 return NULL; 876 } 877 if(SECITEM_CopyItem(pk->arena, &pk->u.rsa.publicExponent, &exponent)) { 878 SECKEY_DestroyPublicKey(pk); 879 return NULL; 880 } 881 return pk; 882} 883 884/** 885 * Setup key and digest for verification. Adjust sig if necessary. 886 * 887 * @param algo: key algorithm 888 * @param evp_key: EVP PKEY public key to create. 889 * @param digest_type: digest type to use 890 * @param key: key to setup for. 891 * @param keylen: length of key. 892 * @param prefix: if returned, the ASN prefix for the hashblob. 893 * @param prefixlen: length of the prefix. 894 * @return false on failure. 895 */ 896static int 897nss_setup_key_digest(int algo, SECKEYPublicKey** pubkey, HASH_HashType* htype, 898 unsigned char* key, size_t keylen, unsigned char** prefix, 899 size_t* prefixlen) 900{ 901 /* uses libNSS */ 902 903 /* hash prefix for md5, RFC2537 */ 904 static unsigned char p_md5[] = {0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a, 905 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 0x04, 0x10}; 906 /* hash prefix to prepend to hash output, from RFC3110 */ 907 static unsigned char p_sha1[] = {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B, 908 0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14}; 909 /* from RFC5702 */ 910 static unsigned char p_sha256[] = {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 911 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20}; 912 static unsigned char p_sha512[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 913 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40}; 914 /* from RFC6234 */ 915 /* for future RSASHA384 .. 916 static unsigned char p_sha384[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 917 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30}; 918 */ 919 920 switch(algo) { 921 case LDNS_DSA: 922 case LDNS_DSA_NSEC3: 923 *pubkey = nss_buf2dsa(key, keylen); 924 if(!*pubkey) { 925 log_err("verify: malloc failure in crypto"); 926 return 0; 927 } 928 *htype = HASH_AlgSHA1; 929 /* no prefix for DSA verification */ 930 break; 931 case LDNS_RSASHA1: 932 case LDNS_RSASHA1_NSEC3: 933#ifdef USE_SHA2 934 case LDNS_RSASHA256: 935#endif 936#ifdef USE_SHA2 937 case LDNS_RSASHA512: 938#endif 939 *pubkey = nss_buf2rsa(key, keylen); 940 if(!*pubkey) { 941 log_err("verify: malloc failure in crypto"); 942 return 0; 943 } 944 /* select SHA version */ 945#ifdef USE_SHA2 946 if(algo == LDNS_RSASHA256) { 947 *htype = HASH_AlgSHA256; 948 *prefix = p_sha256; 949 *prefixlen = sizeof(p_sha256); 950 } else 951#endif 952#ifdef USE_SHA2 953 if(algo == LDNS_RSASHA512) { 954 *htype = HASH_AlgSHA512; 955 *prefix = p_sha512; 956 *prefixlen = sizeof(p_sha512); 957 } else 958#endif 959 { 960 *htype = HASH_AlgSHA1; 961 *prefix = p_sha1; 962 *prefixlen = sizeof(p_sha1); 963 } 964 965 break; 966 case LDNS_RSAMD5: 967 *pubkey = nss_buf2rsa(key, keylen); 968 if(!*pubkey) { 969 log_err("verify: malloc failure in crypto"); 970 return 0; 971 } 972 *htype = HASH_AlgMD5; 973 *prefix = p_md5; 974 *prefixlen = sizeof(p_md5); 975 976 break; 977#ifdef USE_ECDSA 978 case LDNS_ECDSAP256SHA256: 979 *pubkey = nss_buf2ecdsa(key, keylen, 980 LDNS_ECDSAP256SHA256); 981 if(!*pubkey) { 982 log_err("verify: malloc failure in crypto"); 983 return 0; 984 } 985 *htype = HASH_AlgSHA256; 986 /* no prefix for DSA verification */ 987 break; 988 case LDNS_ECDSAP384SHA384: 989 *pubkey = nss_buf2ecdsa(key, keylen, 990 LDNS_ECDSAP384SHA384); 991 if(!*pubkey) { 992 log_err("verify: malloc failure in crypto"); 993 return 0; 994 } 995 *htype = HASH_AlgSHA384; 996 /* no prefix for DSA verification */ 997 break; 998#endif /* USE_ECDSA */ 999 case LDNS_ECC_GOST: 1000 default: 1001 verbose(VERB_QUERY, "verify: unknown algorithm %d", 1002 algo); 1003 return 0; 1004 } 1005 return 1; 1006} 1007 1008/** 1009 * Check a canonical sig+rrset and signature against a dnskey 1010 * @param buf: buffer with data to verify, the first rrsig part and the 1011 * canonicalized rrset. 1012 * @param algo: DNSKEY algorithm. 1013 * @param sigblock: signature rdata field from RRSIG 1014 * @param sigblock_len: length of sigblock data. 1015 * @param key: public key data from DNSKEY RR. 1016 * @param keylen: length of keydata. 1017 * @param reason: bogus reason in more detail. 1018 * @return secure if verification succeeded, bogus on crypto failure, 1019 * unchecked on format errors and alloc failures. 1020 */ 1021enum sec_status 1022verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock, 1023 unsigned int sigblock_len, unsigned char* key, unsigned int keylen, 1024 char** reason) 1025{ 1026 /* uses libNSS */ 1027 /* large enough for the different hashes */ 1028 unsigned char hash[HASH_LENGTH_MAX]; 1029 unsigned char hash2[HASH_LENGTH_MAX*2]; 1030 HASH_HashType htype = 0; 1031 SECKEYPublicKey* pubkey = NULL; 1032 SECItem secsig = {siBuffer, sigblock, sigblock_len}; 1033 SECItem sechash = {siBuffer, hash, 0}; 1034 SECStatus res; 1035 unsigned char* prefix = NULL; /* prefix for hash, RFC3110, RFC5702 */ 1036 size_t prefixlen = 0; 1037 int err; 1038 1039 if(!nss_setup_key_digest(algo, &pubkey, &htype, key, keylen, 1040 &prefix, &prefixlen)) { 1041 verbose(VERB_QUERY, "verify: failed to setup key"); 1042 *reason = "use of key for crypto failed"; 1043 SECKEY_DestroyPublicKey(pubkey); 1044 return sec_status_bogus; 1045 } 1046 1047 /* need to convert DSA, ECDSA signatures? */ 1048 if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3)) { 1049 if(sigblock_len == 1+2*SHA1_LENGTH) { 1050 secsig.data ++; 1051 secsig.len --; 1052 } else { 1053 SECItem* p = DSAU_DecodeDerSig(&secsig); 1054 if(!p) { 1055 verbose(VERB_QUERY, "verify: failed DER decode"); 1056 *reason = "signature DER decode failed"; 1057 SECKEY_DestroyPublicKey(pubkey); 1058 return sec_status_bogus; 1059 } 1060 if(SECITEM_CopyItem(pubkey->arena, &secsig, p)) { 1061 log_err("alloc failure in DER decode"); 1062 SECKEY_DestroyPublicKey(pubkey); 1063 SECITEM_FreeItem(p, PR_TRUE); 1064 return sec_status_unchecked; 1065 } 1066 SECITEM_FreeItem(p, PR_TRUE); 1067 } 1068 } 1069 1070 /* do the signature cryptography work */ 1071 /* hash the data */ 1072 sechash.len = HASH_ResultLen(htype); 1073 if(sechash.len > sizeof(hash)) { 1074 verbose(VERB_QUERY, "verify: hash too large for buffer"); 1075 SECKEY_DestroyPublicKey(pubkey); 1076 return sec_status_unchecked; 1077 } 1078 if(HASH_HashBuf(htype, hash, (unsigned char*)sldns_buffer_begin(buf), 1079 (unsigned int)sldns_buffer_limit(buf)) != SECSuccess) { 1080 verbose(VERB_QUERY, "verify: HASH_HashBuf failed"); 1081 SECKEY_DestroyPublicKey(pubkey); 1082 return sec_status_unchecked; 1083 } 1084 if(prefix) { 1085 int hashlen = sechash.len; 1086 if(prefixlen+hashlen > sizeof(hash2)) { 1087 verbose(VERB_QUERY, "verify: hashprefix too large"); 1088 SECKEY_DestroyPublicKey(pubkey); 1089 return sec_status_unchecked; 1090 } 1091 sechash.data = hash2; 1092 sechash.len = prefixlen+hashlen; 1093 memcpy(sechash.data, prefix, prefixlen); 1094 memmove(sechash.data+prefixlen, hash, hashlen); 1095 } 1096 1097 /* verify the signature */ 1098 res = PK11_Verify(pubkey, &secsig, &sechash, NULL /*wincx*/); 1099 SECKEY_DestroyPublicKey(pubkey); 1100 1101 if(res == SECSuccess) { 1102 return sec_status_secure; 1103 } 1104 err = PORT_GetError(); 1105 if(err != SEC_ERROR_BAD_SIGNATURE) { 1106 /* failed to verify */ 1107 verbose(VERB_QUERY, "verify: PK11_Verify failed: %s", 1108 PORT_ErrorToString(err)); 1109 /* if it is not supported, like ECC is removed, we get, 1110 * SEC_ERROR_NO_MODULE */ 1111 if(err == SEC_ERROR_NO_MODULE) 1112 return sec_status_unchecked; 1113 /* but other errors are commonly returned 1114 * for a bad signature from NSS. Thus we return bogus, 1115 * not unchecked */ 1116 *reason = "signature crypto failed"; 1117 return sec_status_bogus; 1118 } 1119 verbose(VERB_QUERY, "verify: signature mismatch: %s", 1120 PORT_ErrorToString(err)); 1121 *reason = "signature crypto failed"; 1122 return sec_status_bogus; 1123} 1124 1125#elif defined(HAVE_NETTLE) 1126 1127#include "sha.h" 1128#include "bignum.h" 1129#include "macros.h" 1130#include "rsa.h" 1131#include "dsa.h" 1132#include "asn1.h" 1133#ifdef USE_ECDSA 1134#include "ecdsa.h" 1135#include "ecc-curve.h" 1136#endif 1137 1138static int 1139_digest_nettle(int algo, uint8_t* buf, size_t len, 1140 unsigned char* res) 1141{ 1142 switch(algo) { 1143 case SHA1_DIGEST_SIZE: 1144 { 1145 struct sha1_ctx ctx; 1146 sha1_init(&ctx); 1147 sha1_update(&ctx, len, buf); 1148 sha1_digest(&ctx, SHA1_DIGEST_SIZE, res); 1149 return 1; 1150 } 1151 case SHA256_DIGEST_SIZE: 1152 { 1153 struct sha256_ctx ctx; 1154 sha256_init(&ctx); 1155 sha256_update(&ctx, len, buf); 1156 sha256_digest(&ctx, SHA256_DIGEST_SIZE, res); 1157 return 1; 1158 } 1159 case SHA384_DIGEST_SIZE: 1160 { 1161 struct sha384_ctx ctx; 1162 sha384_init(&ctx); 1163 sha384_update(&ctx, len, buf); 1164 sha384_digest(&ctx, SHA384_DIGEST_SIZE, res); 1165 return 1; 1166 } 1167 case SHA512_DIGEST_SIZE: 1168 { 1169 struct sha512_ctx ctx; 1170 sha512_init(&ctx); 1171 sha512_update(&ctx, len, buf); 1172 sha512_digest(&ctx, SHA512_DIGEST_SIZE, res); 1173 return 1; 1174 } 1175 default: 1176 break; 1177 } 1178 return 0; 1179} 1180 1181/* return size of digest if supported, or 0 otherwise */ 1182size_t 1183nsec3_hash_algo_size_supported(int id) 1184{ 1185 switch(id) { 1186 case NSEC3_HASH_SHA1: 1187 return SHA1_DIGEST_SIZE; 1188 default: 1189 return 0; 1190 } 1191} 1192 1193/* perform nsec3 hash. return false on failure */ 1194int 1195secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len, 1196 unsigned char* res) 1197{ 1198 switch(algo) { 1199 case NSEC3_HASH_SHA1: 1200 return _digest_nettle(SHA1_DIGEST_SIZE, (uint8_t*)buf, len, 1201 res); 1202 default: 1203 return 0; 1204 } 1205} 1206 1207/** 1208 * Return size of DS digest according to its hash algorithm. 1209 * @param algo: DS digest algo. 1210 * @return size in bytes of digest, or 0 if not supported. 1211 */ 1212size_t 1213ds_digest_size_supported(int algo) 1214{ 1215 switch(algo) { 1216 case LDNS_SHA1: 1217 return SHA1_DIGEST_SIZE; 1218#ifdef USE_SHA2 1219 case LDNS_SHA256: 1220 return SHA256_DIGEST_SIZE; 1221#endif 1222#ifdef USE_ECDSA 1223 case LDNS_SHA384: 1224 return SHA384_DIGEST_SIZE; 1225#endif 1226 /* GOST not supported */ 1227 case LDNS_HASH_GOST: 1228 default: 1229 break; 1230 } 1231 return 0; 1232} 1233 1234int 1235secalgo_ds_digest(int algo, unsigned char* buf, size_t len, 1236 unsigned char* res) 1237{ 1238 switch(algo) { 1239 case LDNS_SHA1: 1240 return _digest_nettle(SHA1_DIGEST_SIZE, buf, len, res); 1241#if defined(USE_SHA2) 1242 case LDNS_SHA256: 1243 return _digest_nettle(SHA256_DIGEST_SIZE, buf, len, res); 1244#endif 1245#ifdef USE_ECDSA 1246 case LDNS_SHA384: 1247 return _digest_nettle(SHA384_DIGEST_SIZE, buf, len, res); 1248 1249#endif 1250 case LDNS_HASH_GOST: 1251 default: 1252 verbose(VERB_QUERY, "unknown DS digest algorithm %d", 1253 algo); 1254 break; 1255 } 1256 return 0; 1257} 1258 1259int 1260dnskey_algo_id_is_supported(int id) 1261{ 1262 /* uses libnettle */ 1263 switch(id) { 1264 case LDNS_DSA: 1265 case LDNS_DSA_NSEC3: 1266 case LDNS_RSASHA1: 1267 case LDNS_RSASHA1_NSEC3: 1268#ifdef USE_SHA2 1269 case LDNS_RSASHA256: 1270 case LDNS_RSASHA512: 1271#endif 1272#ifdef USE_ECDSA 1273 case LDNS_ECDSAP256SHA256: 1274 case LDNS_ECDSAP384SHA384: 1275#endif 1276 return 1; 1277 case LDNS_RSAMD5: /* RFC 6725 deprecates RSAMD5 */ 1278 case LDNS_ECC_GOST: 1279 default: 1280 return 0; 1281 } 1282} 1283 1284static char * 1285_verify_nettle_dsa(sldns_buffer* buf, unsigned char* sigblock, 1286 unsigned int sigblock_len, unsigned char* key, unsigned int keylen) 1287{ 1288 uint8_t digest[SHA1_DIGEST_SIZE]; 1289 uint8_t key_t; 1290 int res = 0; 1291 size_t offset; 1292 struct dsa_public_key pubkey; 1293 struct dsa_signature signature; 1294 unsigned int expected_len; 1295 1296 /* Extract DSA signature from the record */ 1297 nettle_dsa_signature_init(&signature); 1298 /* Signature length: 41 bytes - RFC 2536 sec. 3 */ 1299 if(sigblock_len == 41) { 1300 if(key[0] != sigblock[0]) 1301 return "invalid T value in DSA signature or pubkey"; 1302 nettle_mpz_set_str_256_u(signature.r, 20, sigblock+1); 1303 nettle_mpz_set_str_256_u(signature.s, 20, sigblock+1+20); 1304 } else { 1305 /* DER encoded, decode the ASN1 notated R and S bignums */ 1306 /* SEQUENCE { r INTEGER, s INTEGER } */ 1307 struct asn1_der_iterator i, seq; 1308 if(asn1_der_iterator_first(&i, sigblock_len, 1309 (uint8_t*)sigblock) != ASN1_ITERATOR_CONSTRUCTED 1310 || i.type != ASN1_SEQUENCE) 1311 return "malformed DER encoded DSA signature"; 1312 /* decode this element of i using the seq iterator */ 1313 if(asn1_der_decode_constructed(&i, &seq) != 1314 ASN1_ITERATOR_PRIMITIVE || seq.type != ASN1_INTEGER) 1315 return "malformed DER encoded DSA signature"; 1316 if(!asn1_der_get_bignum(&seq, signature.r, 20*8)) 1317 return "malformed DER encoded DSA signature"; 1318 if(asn1_der_iterator_next(&seq) != ASN1_ITERATOR_PRIMITIVE 1319 || seq.type != ASN1_INTEGER) 1320 return "malformed DER encoded DSA signature"; 1321 if(!asn1_der_get_bignum(&seq, signature.s, 20*8)) 1322 return "malformed DER encoded DSA signature"; 1323 if(asn1_der_iterator_next(&i) != ASN1_ITERATOR_END) 1324 return "malformed DER encoded DSA signature"; 1325 } 1326 1327 /* Validate T values constraints - RFC 2536 sec. 2 & sec. 3 */ 1328 key_t = key[0]; 1329 if (key_t > 8) { 1330 return "invalid T value in DSA pubkey"; 1331 } 1332 1333 /* Pubkey minimum length: 21 bytes - RFC 2536 sec. 2 */ 1334 if (keylen < 21) { 1335 return "DSA pubkey too short"; 1336 } 1337 1338 expected_len = 1 + /* T */ 1339 20 + /* Q */ 1340 (64 + key_t*8) + /* P */ 1341 (64 + key_t*8) + /* G */ 1342 (64 + key_t*8); /* Y */ 1343 if (keylen != expected_len ) { 1344 return "invalid DSA pubkey length"; 1345 } 1346 1347 /* Extract DSA pubkey from the record */ 1348 nettle_dsa_public_key_init(&pubkey); 1349 offset = 1; 1350 nettle_mpz_set_str_256_u(pubkey.q, 20, key+offset); 1351 offset += 20; 1352 nettle_mpz_set_str_256_u(pubkey.p, (64 + key_t*8), key+offset); 1353 offset += (64 + key_t*8); 1354 nettle_mpz_set_str_256_u(pubkey.g, (64 + key_t*8), key+offset); 1355 offset += (64 + key_t*8); 1356 nettle_mpz_set_str_256_u(pubkey.y, (64 + key_t*8), key+offset); 1357 1358 /* Digest content of "buf" and verify its DSA signature in "sigblock"*/ 1359 res = _digest_nettle(SHA1_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), 1360 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); 1361 res &= dsa_sha1_verify_digest(&pubkey, digest, &signature); 1362 1363 /* Clear and return */ 1364 nettle_dsa_signature_clear(&signature); 1365 nettle_dsa_public_key_clear(&pubkey); 1366 if (!res) 1367 return "DSA signature verification failed"; 1368 else 1369 return NULL; 1370} 1371 1372static char * 1373_verify_nettle_rsa(sldns_buffer* buf, unsigned int digest_size, char* sigblock, 1374 unsigned int sigblock_len, uint8_t* key, unsigned int keylen) 1375{ 1376 uint16_t exp_len = 0; 1377 size_t exp_offset = 0, mod_offset = 0; 1378 struct rsa_public_key pubkey; 1379 mpz_t signature; 1380 int res = 0; 1381 1382 /* RSA pubkey parsing as per RFC 3110 sec. 2 */ 1383 if( keylen <= 1) { 1384 return "null RSA key"; 1385 } 1386 if (key[0] != 0) { 1387 /* 1-byte length */ 1388 exp_len = key[0]; 1389 exp_offset = 1; 1390 } else { 1391 /* 1-byte NUL + 2-bytes exponent length */ 1392 if (keylen < 3) { 1393 return "incorrect RSA key length"; 1394 } 1395 exp_len = READ_UINT16(key+1); 1396 if (exp_len == 0) 1397 return "null RSA exponent length"; 1398 exp_offset = 3; 1399 } 1400 /* Check that we are not over-running input length */ 1401 if (keylen < exp_offset + exp_len + 1) { 1402 return "RSA key content shorter than expected"; 1403 } 1404 mod_offset = exp_offset + exp_len; 1405 nettle_rsa_public_key_init(&pubkey); 1406 pubkey.size = keylen - mod_offset; 1407 nettle_mpz_set_str_256_u(pubkey.e, exp_len, &key[exp_offset]); 1408 nettle_mpz_set_str_256_u(pubkey.n, pubkey.size, &key[mod_offset]); 1409 1410 /* Digest content of "buf" and verify its RSA signature in "sigblock"*/ 1411 nettle_mpz_init_set_str_256_u(signature, sigblock_len, (uint8_t*)sigblock); 1412 switch (digest_size) { 1413 case SHA1_DIGEST_SIZE: 1414 { 1415 uint8_t digest[SHA1_DIGEST_SIZE]; 1416 res = _digest_nettle(SHA1_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), 1417 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); 1418 res &= rsa_sha1_verify_digest(&pubkey, digest, signature); 1419 break; 1420 } 1421 case SHA256_DIGEST_SIZE: 1422 { 1423 uint8_t digest[SHA256_DIGEST_SIZE]; 1424 res = _digest_nettle(SHA256_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), 1425 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); 1426 res &= rsa_sha256_verify_digest(&pubkey, digest, signature); 1427 break; 1428 } 1429 case SHA512_DIGEST_SIZE: 1430 { 1431 uint8_t digest[SHA512_DIGEST_SIZE]; 1432 res = _digest_nettle(SHA512_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), 1433 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); 1434 res &= rsa_sha512_verify_digest(&pubkey, digest, signature); 1435 break; 1436 } 1437 default: 1438 break; 1439 } 1440 1441 /* Clear and return */ 1442 nettle_rsa_public_key_clear(&pubkey); 1443 mpz_clear(signature); 1444 if (!res) { 1445 return "RSA signature verification failed"; 1446 } else { 1447 return NULL; 1448 } 1449} 1450 1451#ifdef USE_ECDSA 1452static char * 1453_verify_nettle_ecdsa(sldns_buffer* buf, unsigned int digest_size, unsigned char* sigblock, 1454 unsigned int sigblock_len, unsigned char* key, unsigned int keylen) 1455{ 1456 int res = 0; 1457 struct ecc_point pubkey; 1458 struct dsa_signature signature; 1459 1460 /* Always matched strength, as per RFC 6605 sec. 1 */ 1461 if (sigblock_len != 2*digest_size || keylen != 2*digest_size) { 1462 return "wrong ECDSA signature length"; 1463 } 1464 1465 /* Parse ECDSA signature as per RFC 6605 sec. 4 */ 1466 nettle_dsa_signature_init(&signature); 1467 switch (digest_size) { 1468 case SHA256_DIGEST_SIZE: 1469 { 1470 uint8_t digest[SHA256_DIGEST_SIZE]; 1471 mpz_t x, y; 1472 nettle_ecc_point_init(&pubkey, &nettle_secp_256r1); 1473 nettle_mpz_init_set_str_256_u(x, SHA256_DIGEST_SIZE, key); 1474 nettle_mpz_init_set_str_256_u(y, SHA256_DIGEST_SIZE, key+SHA256_DIGEST_SIZE); 1475 nettle_mpz_set_str_256_u(signature.r, SHA256_DIGEST_SIZE, sigblock); 1476 nettle_mpz_set_str_256_u(signature.s, SHA256_DIGEST_SIZE, sigblock+SHA256_DIGEST_SIZE); 1477 res = _digest_nettle(SHA256_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), 1478 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); 1479 res &= nettle_ecc_point_set(&pubkey, x, y); 1480 res &= nettle_ecdsa_verify (&pubkey, SHA256_DIGEST_SIZE, digest, &signature); 1481 mpz_clear(x); 1482 mpz_clear(y); 1483 break; 1484 } 1485 case SHA384_DIGEST_SIZE: 1486 { 1487 uint8_t digest[SHA384_DIGEST_SIZE]; 1488 mpz_t x, y; 1489 nettle_ecc_point_init(&pubkey, &nettle_secp_384r1); 1490 nettle_mpz_init_set_str_256_u(x, SHA384_DIGEST_SIZE, key); 1491 nettle_mpz_init_set_str_256_u(y, SHA384_DIGEST_SIZE, key+SHA384_DIGEST_SIZE); 1492 nettle_mpz_set_str_256_u(signature.r, SHA384_DIGEST_SIZE, sigblock); 1493 nettle_mpz_set_str_256_u(signature.s, SHA384_DIGEST_SIZE, sigblock+SHA384_DIGEST_SIZE); 1494 res = _digest_nettle(SHA384_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), 1495 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); 1496 res &= nettle_ecc_point_set(&pubkey, x, y); 1497 res &= nettle_ecdsa_verify (&pubkey, SHA384_DIGEST_SIZE, digest, &signature); 1498 mpz_clear(x); 1499 mpz_clear(y); 1500 nettle_ecc_point_clear(&pubkey); 1501 break; 1502 } 1503 default: 1504 return "unknown ECDSA algorithm"; 1505 } 1506 1507 /* Clear and return */ 1508 nettle_dsa_signature_clear(&signature); 1509 if (!res) 1510 return "ECDSA signature verification failed"; 1511 else 1512 return NULL; 1513} 1514#endif 1515 1516/** 1517 * Check a canonical sig+rrset and signature against a dnskey 1518 * @param buf: buffer with data to verify, the first rrsig part and the 1519 * canonicalized rrset. 1520 * @param algo: DNSKEY algorithm. 1521 * @param sigblock: signature rdata field from RRSIG 1522 * @param sigblock_len: length of sigblock data. 1523 * @param key: public key data from DNSKEY RR. 1524 * @param keylen: length of keydata. 1525 * @param reason: bogus reason in more detail. 1526 * @return secure if verification succeeded, bogus on crypto failure, 1527 * unchecked on format errors and alloc failures. 1528 */ 1529enum sec_status 1530verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock, 1531 unsigned int sigblock_len, unsigned char* key, unsigned int keylen, 1532 char** reason) 1533{ 1534 unsigned int digest_size = 0; 1535 1536 if (sigblock_len == 0 || keylen == 0) { 1537 *reason = "null signature"; 1538 return sec_status_bogus; 1539 } 1540 1541 switch(algo) { 1542 case LDNS_DSA: 1543 case LDNS_DSA_NSEC3: 1544 *reason = _verify_nettle_dsa(buf, sigblock, sigblock_len, key, keylen); 1545 if (*reason != NULL) 1546 return sec_status_bogus; 1547 else 1548 return sec_status_secure; 1549 1550 case LDNS_RSASHA1: 1551 case LDNS_RSASHA1_NSEC3: 1552 digest_size = (digest_size ? digest_size : SHA1_DIGEST_SIZE); 1553#ifdef USE_SHA2 1554 case LDNS_RSASHA256: 1555 digest_size = (digest_size ? digest_size : SHA256_DIGEST_SIZE); 1556 case LDNS_RSASHA512: 1557 digest_size = (digest_size ? digest_size : SHA512_DIGEST_SIZE); 1558 1559#endif 1560 *reason = _verify_nettle_rsa(buf, digest_size, (char*)sigblock, 1561 sigblock_len, key, keylen); 1562 if (*reason != NULL) 1563 return sec_status_bogus; 1564 else 1565 return sec_status_secure; 1566 1567#ifdef USE_ECDSA 1568 case LDNS_ECDSAP256SHA256: 1569 digest_size = (digest_size ? digest_size : SHA256_DIGEST_SIZE); 1570 case LDNS_ECDSAP384SHA384: 1571 digest_size = (digest_size ? digest_size : SHA384_DIGEST_SIZE); 1572 *reason = _verify_nettle_ecdsa(buf, digest_size, sigblock, 1573 sigblock_len, key, keylen); 1574 if (*reason != NULL) 1575 return sec_status_bogus; 1576 else 1577 return sec_status_secure; 1578#endif 1579 case LDNS_RSAMD5: 1580 case LDNS_ECC_GOST: 1581 default: 1582 *reason = "unable to verify signature, unknown algorithm"; 1583 return sec_status_bogus; 1584 } 1585} 1586 1587#endif /* HAVE_SSL or HAVE_NSS or HAVE_NETTLE */ 1588