val_secalgo.c revision 356345
1/* 2 * validator/val_secalgo.c - validator security algorithm functions. 3 * 4 * Copyright (c) 2012, NLnet Labs. All rights reserved. 5 * 6 * This software is open source. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * Redistributions of source code must retain the above copyright notice, 13 * this list of conditions and the following disclaimer. 14 * 15 * Redistributions in binary form must reproduce the above copyright notice, 16 * this list of conditions and the following disclaimer in the documentation 17 * and/or other materials provided with the distribution. 18 * 19 * Neither the name of the NLNET LABS nor the names of its contributors may 20 * be used to endorse or promote products derived from this software without 21 * specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36/** 37 * \file 38 * 39 * This file contains helper functions for the validator module. 40 * These functions take raw data buffers, formatted for crypto verification, 41 * and do the library calls (for the crypto library in use). 42 */ 43#include "config.h" 44/* packed_rrset on top to define enum types (forced by c99 standard) */ 45#include "util/data/packed_rrset.h" 46#include "validator/val_secalgo.h" 47#include "validator/val_nsec3.h" 48#include "util/log.h" 49#include "sldns/rrdef.h" 50#include "sldns/keyraw.h" 51#include "sldns/sbuffer.h" 52 53#if !defined(HAVE_SSL) && !defined(HAVE_NSS) && !defined(HAVE_NETTLE) 54#error "Need crypto library to do digital signature cryptography" 55#endif 56 57/* OpenSSL implementation */ 58#ifdef HAVE_SSL 59#ifdef HAVE_OPENSSL_ERR_H 60#include <openssl/err.h> 61#endif 62 63#ifdef HAVE_OPENSSL_RAND_H 64#include <openssl/rand.h> 65#endif 66 67#ifdef HAVE_OPENSSL_CONF_H 68#include <openssl/conf.h> 69#endif 70 71#ifdef HAVE_OPENSSL_ENGINE_H 72#include <openssl/engine.h> 73#endif 74 75/** fake DSA support for unit tests */ 76int fake_dsa = 0; 77/** fake SHA1 support for unit tests */ 78int fake_sha1 = 0; 79 80/** 81 * Output a libcrypto openssl error to the logfile. 82 * @param str: string to add to it. 83 * @param e: the error to output, error number from ERR_get_error(). 84 */ 85static void 86log_crypto_error(const char* str, unsigned long e) 87{ 88 char buf[128]; 89 /* or use ERR_error_string if ERR_error_string_n is not avail TODO */ 90 ERR_error_string_n(e, buf, sizeof(buf)); 91 /* buf now contains */ 92 /* error:[error code]:[library name]:[function name]:[reason string] */ 93 log_err("%s crypto %s", str, buf); 94} 95 96/* return size of digest if supported, or 0 otherwise */ 97size_t 98nsec3_hash_algo_size_supported(int id) 99{ 100 switch(id) { 101 case NSEC3_HASH_SHA1: 102 return SHA_DIGEST_LENGTH; 103 default: 104 return 0; 105 } 106} 107 108/* perform nsec3 hash. return false on failure */ 109int 110secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len, 111 unsigned char* res) 112{ 113 switch(algo) { 114 case NSEC3_HASH_SHA1: 115#ifdef OPENSSL_FIPS 116 if(!sldns_digest_evp(buf, len, res, EVP_sha1())) 117 log_crypto_error("could not digest with EVP_sha1", 118 ERR_get_error()); 119#else 120 (void)SHA1(buf, len, res); 121#endif 122 return 1; 123 default: 124 return 0; 125 } 126} 127 128void 129secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res) 130{ 131#ifdef OPENSSL_FIPS 132 if(!sldns_digest_evp(buf, len, res, EVP_sha256())) 133 log_crypto_error("could not digest with EVP_sha256", 134 ERR_get_error()); 135#else 136 (void)SHA256(buf, len, res); 137#endif 138} 139 140/** 141 * Return size of DS digest according to its hash algorithm. 142 * @param algo: DS digest algo. 143 * @return size in bytes of digest, or 0 if not supported. 144 */ 145size_t 146ds_digest_size_supported(int algo) 147{ 148 switch(algo) { 149 case LDNS_SHA1: 150#if defined(HAVE_EVP_SHA1) && defined(USE_SHA1) 151 return SHA_DIGEST_LENGTH; 152#else 153 if(fake_sha1) return 20; 154 return 0; 155#endif 156#ifdef HAVE_EVP_SHA256 157 case LDNS_SHA256: 158 return SHA256_DIGEST_LENGTH; 159#endif 160#ifdef USE_GOST 161 case LDNS_HASH_GOST: 162 /* we support GOST if it can be loaded */ 163 (void)sldns_key_EVP_load_gost_id(); 164 if(EVP_get_digestbyname("md_gost94")) 165 return 32; 166 else return 0; 167#endif 168#ifdef USE_ECDSA 169 case LDNS_SHA384: 170 return SHA384_DIGEST_LENGTH; 171#endif 172 default: break; 173 } 174 return 0; 175} 176 177#ifdef USE_GOST 178/** Perform GOST hash */ 179static int 180do_gost94(unsigned char* data, size_t len, unsigned char* dest) 181{ 182 const EVP_MD* md = EVP_get_digestbyname("md_gost94"); 183 if(!md) 184 return 0; 185 return sldns_digest_evp(data, (unsigned int)len, dest, md); 186} 187#endif 188 189int 190secalgo_ds_digest(int algo, unsigned char* buf, size_t len, 191 unsigned char* res) 192{ 193 switch(algo) { 194#if defined(HAVE_EVP_SHA1) && defined(USE_SHA1) 195 case LDNS_SHA1: 196#ifdef OPENSSL_FIPS 197 if(!sldns_digest_evp(buf, len, res, EVP_sha1())) 198 log_crypto_error("could not digest with EVP_sha1", 199 ERR_get_error()); 200#else 201 (void)SHA1(buf, len, res); 202#endif 203 return 1; 204#endif 205#ifdef HAVE_EVP_SHA256 206 case LDNS_SHA256: 207#ifdef OPENSSL_FIPS 208 if(!sldns_digest_evp(buf, len, res, EVP_sha256())) 209 log_crypto_error("could not digest with EVP_sha256", 210 ERR_get_error()); 211#else 212 (void)SHA256(buf, len, res); 213#endif 214 return 1; 215#endif 216#ifdef USE_GOST 217 case LDNS_HASH_GOST: 218 if(do_gost94(buf, len, res)) 219 return 1; 220 break; 221#endif 222#ifdef USE_ECDSA 223 case LDNS_SHA384: 224#ifdef OPENSSL_FIPS 225 if(!sldns_digest_evp(buf, len, res, EVP_sha384())) 226 log_crypto_error("could not digest with EVP_sha384", 227 ERR_get_error()); 228#else 229 (void)SHA384(buf, len, res); 230#endif 231 return 1; 232#endif 233 default: 234 verbose(VERB_QUERY, "unknown DS digest algorithm %d", 235 algo); 236 break; 237 } 238 return 0; 239} 240 241/** return true if DNSKEY algorithm id is supported */ 242int 243dnskey_algo_id_is_supported(int id) 244{ 245 switch(id) { 246 case LDNS_RSAMD5: 247 /* RFC 6725 deprecates RSAMD5 */ 248 return 0; 249 case LDNS_DSA: 250 case LDNS_DSA_NSEC3: 251#if defined(USE_DSA) && defined(USE_SHA1) 252 return 1; 253#else 254 if(fake_dsa || fake_sha1) return 1; 255 return 0; 256#endif 257 258 case LDNS_RSASHA1: 259 case LDNS_RSASHA1_NSEC3: 260#ifdef USE_SHA1 261 return 1; 262#else 263 if(fake_sha1) return 1; 264 return 0; 265#endif 266 267#if defined(HAVE_EVP_SHA256) && defined(USE_SHA2) 268 case LDNS_RSASHA256: 269#endif 270#if defined(HAVE_EVP_SHA512) && defined(USE_SHA2) 271 case LDNS_RSASHA512: 272#endif 273#ifdef USE_ECDSA 274 case LDNS_ECDSAP256SHA256: 275 case LDNS_ECDSAP384SHA384: 276#endif 277#ifdef USE_ED25519 278 case LDNS_ED25519: 279#endif 280#ifdef USE_ED448 281 case LDNS_ED448: 282#endif 283#if (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2)) || defined(USE_ECDSA) || defined(USE_ED25519) || defined(USE_ED448) 284 return 1; 285#endif 286 287#ifdef USE_GOST 288 case LDNS_ECC_GOST: 289 /* we support GOST if it can be loaded */ 290 return sldns_key_EVP_load_gost_id(); 291#endif 292 default: 293 return 0; 294 } 295} 296 297#ifdef USE_DSA 298/** 299 * Setup DSA key digest in DER encoding ... 300 * @param sig: input is signature output alloced ptr (unless failure). 301 * caller must free alloced ptr if this routine returns true. 302 * @param len: input is initial siglen, output is output len. 303 * @return false on failure. 304 */ 305static int 306setup_dsa_sig(unsigned char** sig, unsigned int* len) 307{ 308 unsigned char* orig = *sig; 309 unsigned int origlen = *len; 310 int newlen; 311 BIGNUM *R, *S; 312 DSA_SIG *dsasig; 313 314 /* extract the R and S field from the sig buffer */ 315 if(origlen < 1 + 2*SHA_DIGEST_LENGTH) 316 return 0; 317 R = BN_new(); 318 if(!R) return 0; 319 (void) BN_bin2bn(orig + 1, SHA_DIGEST_LENGTH, R); 320 S = BN_new(); 321 if(!S) return 0; 322 (void) BN_bin2bn(orig + 21, SHA_DIGEST_LENGTH, S); 323 dsasig = DSA_SIG_new(); 324 if(!dsasig) return 0; 325 326#ifdef HAVE_DSA_SIG_SET0 327 if(!DSA_SIG_set0(dsasig, R, S)) return 0; 328#else 329# ifndef S_SPLINT_S 330 dsasig->r = R; 331 dsasig->s = S; 332# endif /* S_SPLINT_S */ 333#endif 334 *sig = NULL; 335 newlen = i2d_DSA_SIG(dsasig, sig); 336 if(newlen < 0) { 337 DSA_SIG_free(dsasig); 338 free(*sig); 339 return 0; 340 } 341 *len = (unsigned int)newlen; 342 DSA_SIG_free(dsasig); 343 return 1; 344} 345#endif /* USE_DSA */ 346 347#ifdef USE_ECDSA 348/** 349 * Setup the ECDSA signature in its encoding that the library wants. 350 * Converts from plain numbers to ASN formatted. 351 * @param sig: input is signature, output alloced ptr (unless failure). 352 * caller must free alloced ptr if this routine returns true. 353 * @param len: input is initial siglen, output is output len. 354 * @return false on failure. 355 */ 356static int 357setup_ecdsa_sig(unsigned char** sig, unsigned int* len) 358{ 359 /* convert from two BIGNUMs in the rdata buffer, to ASN notation. 360 * ASN preamble: 30440220 <R 32bytefor256> 0220 <S 32bytefor256> 361 * the '20' is the length of that field (=bnsize). 362i * the '44' is the total remaining length. 363 * if negative, start with leading zero. 364 * if starts with 00s, remove them from the number. 365 */ 366 uint8_t pre[] = {0x30, 0x44, 0x02, 0x20}; 367 int pre_len = 4; 368 uint8_t mid[] = {0x02, 0x20}; 369 int mid_len = 2; 370 int raw_sig_len, r_high, s_high, r_rem=0, s_rem=0; 371 int bnsize = (int)((*len)/2); 372 unsigned char* d = *sig; 373 uint8_t* p; 374 /* if too short or not even length, fails */ 375 if(*len < 16 || bnsize*2 != (int)*len) 376 return 0; 377 378 /* strip leading zeroes from r (but not last one) */ 379 while(r_rem < bnsize-1 && d[r_rem] == 0) 380 r_rem++; 381 /* strip leading zeroes from s (but not last one) */ 382 while(s_rem < bnsize-1 && d[bnsize+s_rem] == 0) 383 s_rem++; 384 385 r_high = ((d[0+r_rem]&0x80)?1:0); 386 s_high = ((d[bnsize+s_rem]&0x80)?1:0); 387 raw_sig_len = pre_len + r_high + bnsize - r_rem + mid_len + 388 s_high + bnsize - s_rem; 389 *sig = (unsigned char*)malloc((size_t)raw_sig_len); 390 if(!*sig) 391 return 0; 392 p = (uint8_t*)*sig; 393 p[0] = pre[0]; 394 p[1] = (uint8_t)(raw_sig_len-2); 395 p[2] = pre[2]; 396 p[3] = (uint8_t)(bnsize + r_high - r_rem); 397 p += 4; 398 if(r_high) { 399 *p = 0; 400 p += 1; 401 } 402 memmove(p, d+r_rem, (size_t)bnsize-r_rem); 403 p += bnsize-r_rem; 404 memmove(p, mid, (size_t)mid_len-1); 405 p += mid_len-1; 406 *p = (uint8_t)(bnsize + s_high - s_rem); 407 p += 1; 408 if(s_high) { 409 *p = 0; 410 p += 1; 411 } 412 memmove(p, d+bnsize+s_rem, (size_t)bnsize-s_rem); 413 *len = (unsigned int)raw_sig_len; 414 return 1; 415} 416#endif /* USE_ECDSA */ 417 418#ifdef USE_ECDSA_EVP_WORKAROUND 419static EVP_MD ecdsa_evp_256_md; 420static EVP_MD ecdsa_evp_384_md; 421void ecdsa_evp_workaround_init(void) 422{ 423 /* openssl before 1.0.0 fixes RSA with the SHA256 424 * hash in EVP. We create one for ecdsa_sha256 */ 425 ecdsa_evp_256_md = *EVP_sha256(); 426 ecdsa_evp_256_md.required_pkey_type[0] = EVP_PKEY_EC; 427 ecdsa_evp_256_md.verify = (void*)ECDSA_verify; 428 429 ecdsa_evp_384_md = *EVP_sha384(); 430 ecdsa_evp_384_md.required_pkey_type[0] = EVP_PKEY_EC; 431 ecdsa_evp_384_md.verify = (void*)ECDSA_verify; 432} 433#endif /* USE_ECDSA_EVP_WORKAROUND */ 434 435/** 436 * Setup key and digest for verification. Adjust sig if necessary. 437 * 438 * @param algo: key algorithm 439 * @param evp_key: EVP PKEY public key to create. 440 * @param digest_type: digest type to use 441 * @param key: key to setup for. 442 * @param keylen: length of key. 443 * @return false on failure. 444 */ 445static int 446setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type, 447 unsigned char* key, size_t keylen) 448{ 449#if defined(USE_DSA) && defined(USE_SHA1) 450 DSA* dsa; 451#endif 452 RSA* rsa; 453 454 switch(algo) { 455#if defined(USE_DSA) && defined(USE_SHA1) 456 case LDNS_DSA: 457 case LDNS_DSA_NSEC3: 458 *evp_key = EVP_PKEY_new(); 459 if(!*evp_key) { 460 log_err("verify: malloc failure in crypto"); 461 return 0; 462 } 463 dsa = sldns_key_buf2dsa_raw(key, keylen); 464 if(!dsa) { 465 verbose(VERB_QUERY, "verify: " 466 "sldns_key_buf2dsa_raw failed"); 467 return 0; 468 } 469 if(EVP_PKEY_assign_DSA(*evp_key, dsa) == 0) { 470 verbose(VERB_QUERY, "verify: " 471 "EVP_PKEY_assign_DSA failed"); 472 return 0; 473 } 474#ifdef HAVE_EVP_DSS1 475 *digest_type = EVP_dss1(); 476#else 477 *digest_type = EVP_sha1(); 478#endif 479 480 break; 481#endif /* USE_DSA && USE_SHA1 */ 482 483#if defined(USE_SHA1) || (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2)) 484#ifdef USE_SHA1 485 case LDNS_RSASHA1: 486 case LDNS_RSASHA1_NSEC3: 487#endif 488#if defined(HAVE_EVP_SHA256) && defined(USE_SHA2) 489 case LDNS_RSASHA256: 490#endif 491#if defined(HAVE_EVP_SHA512) && defined(USE_SHA2) 492 case LDNS_RSASHA512: 493#endif 494 *evp_key = EVP_PKEY_new(); 495 if(!*evp_key) { 496 log_err("verify: malloc failure in crypto"); 497 return 0; 498 } 499 rsa = sldns_key_buf2rsa_raw(key, keylen); 500 if(!rsa) { 501 verbose(VERB_QUERY, "verify: " 502 "sldns_key_buf2rsa_raw SHA failed"); 503 return 0; 504 } 505 if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) { 506 verbose(VERB_QUERY, "verify: " 507 "EVP_PKEY_assign_RSA SHA failed"); 508 return 0; 509 } 510 511 /* select SHA version */ 512#if defined(HAVE_EVP_SHA256) && defined(USE_SHA2) 513 if(algo == LDNS_RSASHA256) 514 *digest_type = EVP_sha256(); 515 else 516#endif 517#if defined(HAVE_EVP_SHA512) && defined(USE_SHA2) 518 if(algo == LDNS_RSASHA512) 519 *digest_type = EVP_sha512(); 520 else 521#endif 522#ifdef USE_SHA1 523 *digest_type = EVP_sha1(); 524#else 525 { verbose(VERB_QUERY, "no digest available"); return 0; } 526#endif 527 break; 528#endif /* defined(USE_SHA1) || (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2)) */ 529 530 case LDNS_RSAMD5: 531 *evp_key = EVP_PKEY_new(); 532 if(!*evp_key) { 533 log_err("verify: malloc failure in crypto"); 534 return 0; 535 } 536 rsa = sldns_key_buf2rsa_raw(key, keylen); 537 if(!rsa) { 538 verbose(VERB_QUERY, "verify: " 539 "sldns_key_buf2rsa_raw MD5 failed"); 540 return 0; 541 } 542 if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) { 543 verbose(VERB_QUERY, "verify: " 544 "EVP_PKEY_assign_RSA MD5 failed"); 545 return 0; 546 } 547 *digest_type = EVP_md5(); 548 549 break; 550#ifdef USE_GOST 551 case LDNS_ECC_GOST: 552 *evp_key = sldns_gost2pkey_raw(key, keylen); 553 if(!*evp_key) { 554 verbose(VERB_QUERY, "verify: " 555 "sldns_gost2pkey_raw failed"); 556 return 0; 557 } 558 *digest_type = EVP_get_digestbyname("md_gost94"); 559 if(!*digest_type) { 560 verbose(VERB_QUERY, "verify: " 561 "EVP_getdigest md_gost94 failed"); 562 return 0; 563 } 564 break; 565#endif 566#ifdef USE_ECDSA 567 case LDNS_ECDSAP256SHA256: 568 *evp_key = sldns_ecdsa2pkey_raw(key, keylen, 569 LDNS_ECDSAP256SHA256); 570 if(!*evp_key) { 571 verbose(VERB_QUERY, "verify: " 572 "sldns_ecdsa2pkey_raw failed"); 573 return 0; 574 } 575#ifdef USE_ECDSA_EVP_WORKAROUND 576 *digest_type = &ecdsa_evp_256_md; 577#else 578 *digest_type = EVP_sha256(); 579#endif 580 break; 581 case LDNS_ECDSAP384SHA384: 582 *evp_key = sldns_ecdsa2pkey_raw(key, keylen, 583 LDNS_ECDSAP384SHA384); 584 if(!*evp_key) { 585 verbose(VERB_QUERY, "verify: " 586 "sldns_ecdsa2pkey_raw failed"); 587 return 0; 588 } 589#ifdef USE_ECDSA_EVP_WORKAROUND 590 *digest_type = &ecdsa_evp_384_md; 591#else 592 *digest_type = EVP_sha384(); 593#endif 594 break; 595#endif /* USE_ECDSA */ 596#ifdef USE_ED25519 597 case LDNS_ED25519: 598 *evp_key = sldns_ed255192pkey_raw(key, keylen); 599 if(!*evp_key) { 600 verbose(VERB_QUERY, "verify: " 601 "sldns_ed255192pkey_raw failed"); 602 return 0; 603 } 604 *digest_type = NULL; 605 break; 606#endif /* USE_ED25519 */ 607#ifdef USE_ED448 608 case LDNS_ED448: 609 *evp_key = sldns_ed4482pkey_raw(key, keylen); 610 if(!*evp_key) { 611 verbose(VERB_QUERY, "verify: " 612 "sldns_ed4482pkey_raw failed"); 613 return 0; 614 } 615 *digest_type = NULL; 616 break; 617#endif /* USE_ED448 */ 618 default: 619 verbose(VERB_QUERY, "verify: unknown algorithm %d", 620 algo); 621 return 0; 622 } 623 return 1; 624} 625 626/** 627 * Check a canonical sig+rrset and signature against a dnskey 628 * @param buf: buffer with data to verify, the first rrsig part and the 629 * canonicalized rrset. 630 * @param algo: DNSKEY algorithm. 631 * @param sigblock: signature rdata field from RRSIG 632 * @param sigblock_len: length of sigblock data. 633 * @param key: public key data from DNSKEY RR. 634 * @param keylen: length of keydata. 635 * @param reason: bogus reason in more detail. 636 * @return secure if verification succeeded, bogus on crypto failure, 637 * unchecked on format errors and alloc failures. 638 */ 639enum sec_status 640verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock, 641 unsigned int sigblock_len, unsigned char* key, unsigned int keylen, 642 char** reason) 643{ 644 const EVP_MD *digest_type; 645 EVP_MD_CTX* ctx; 646 int res, dofree = 0, docrypto_free = 0; 647 EVP_PKEY *evp_key = NULL; 648 649#ifndef USE_DSA 650 if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) &&(fake_dsa||fake_sha1)) 651 return sec_status_secure; 652#endif 653#ifndef USE_SHA1 654 if(fake_sha1 && (algo == LDNS_DSA || algo == LDNS_DSA_NSEC3 || algo == LDNS_RSASHA1 || algo == LDNS_RSASHA1_NSEC3)) 655 return sec_status_secure; 656#endif 657 658 if(!setup_key_digest(algo, &evp_key, &digest_type, key, keylen)) { 659 verbose(VERB_QUERY, "verify: failed to setup key"); 660 *reason = "use of key for crypto failed"; 661 EVP_PKEY_free(evp_key); 662 return sec_status_bogus; 663 } 664#ifdef USE_DSA 665 /* if it is a DSA signature in bind format, convert to DER format */ 666 if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) && 667 sigblock_len == 1+2*SHA_DIGEST_LENGTH) { 668 if(!setup_dsa_sig(&sigblock, &sigblock_len)) { 669 verbose(VERB_QUERY, "verify: failed to setup DSA sig"); 670 *reason = "use of key for DSA crypto failed"; 671 EVP_PKEY_free(evp_key); 672 return sec_status_bogus; 673 } 674 docrypto_free = 1; 675 } 676#endif 677#if defined(USE_ECDSA) && defined(USE_DSA) 678 else 679#endif 680#ifdef USE_ECDSA 681 if(algo == LDNS_ECDSAP256SHA256 || algo == LDNS_ECDSAP384SHA384) { 682 /* EVP uses ASN prefix on sig, which is not in the wire data */ 683 if(!setup_ecdsa_sig(&sigblock, &sigblock_len)) { 684 verbose(VERB_QUERY, "verify: failed to setup ECDSA sig"); 685 *reason = "use of signature for ECDSA crypto failed"; 686 EVP_PKEY_free(evp_key); 687 return sec_status_bogus; 688 } 689 dofree = 1; 690 } 691#endif /* USE_ECDSA */ 692 693 /* do the signature cryptography work */ 694#ifdef HAVE_EVP_MD_CTX_NEW 695 ctx = EVP_MD_CTX_new(); 696#else 697 ctx = (EVP_MD_CTX*)malloc(sizeof(*ctx)); 698 if(ctx) EVP_MD_CTX_init(ctx); 699#endif 700 if(!ctx) { 701 log_err("EVP_MD_CTX_new: malloc failure"); 702 EVP_PKEY_free(evp_key); 703 if(dofree) free(sigblock); 704 else if(docrypto_free) OPENSSL_free(sigblock); 705 return sec_status_unchecked; 706 } 707#ifndef HAVE_EVP_DIGESTVERIFY 708 if(EVP_DigestInit(ctx, digest_type) == 0) { 709 verbose(VERB_QUERY, "verify: EVP_DigestInit failed"); 710#ifdef HAVE_EVP_MD_CTX_NEW 711 EVP_MD_CTX_destroy(ctx); 712#else 713 EVP_MD_CTX_cleanup(ctx); 714 free(ctx); 715#endif 716 EVP_PKEY_free(evp_key); 717 if(dofree) free(sigblock); 718 else if(docrypto_free) OPENSSL_free(sigblock); 719 return sec_status_unchecked; 720 } 721 if(EVP_DigestUpdate(ctx, (unsigned char*)sldns_buffer_begin(buf), 722 (unsigned int)sldns_buffer_limit(buf)) == 0) { 723 verbose(VERB_QUERY, "verify: EVP_DigestUpdate failed"); 724#ifdef HAVE_EVP_MD_CTX_NEW 725 EVP_MD_CTX_destroy(ctx); 726#else 727 EVP_MD_CTX_cleanup(ctx); 728 free(ctx); 729#endif 730 EVP_PKEY_free(evp_key); 731 if(dofree) free(sigblock); 732 else if(docrypto_free) OPENSSL_free(sigblock); 733 return sec_status_unchecked; 734 } 735 736 res = EVP_VerifyFinal(ctx, sigblock, sigblock_len, evp_key); 737#else /* HAVE_EVP_DIGESTVERIFY */ 738 if(EVP_DigestVerifyInit(ctx, NULL, digest_type, NULL, evp_key) == 0) { 739 verbose(VERB_QUERY, "verify: EVP_DigestVerifyInit failed"); 740#ifdef HAVE_EVP_MD_CTX_NEW 741 EVP_MD_CTX_destroy(ctx); 742#else 743 EVP_MD_CTX_cleanup(ctx); 744 free(ctx); 745#endif 746 EVP_PKEY_free(evp_key); 747 if(dofree) free(sigblock); 748 else if(docrypto_free) OPENSSL_free(sigblock); 749 return sec_status_unchecked; 750 } 751 res = EVP_DigestVerify(ctx, sigblock, sigblock_len, 752 (unsigned char*)sldns_buffer_begin(buf), 753 sldns_buffer_limit(buf)); 754#endif 755#ifdef HAVE_EVP_MD_CTX_NEW 756 EVP_MD_CTX_destroy(ctx); 757#else 758 EVP_MD_CTX_cleanup(ctx); 759 free(ctx); 760#endif 761 EVP_PKEY_free(evp_key); 762 763 if(dofree) free(sigblock); 764 else if(docrypto_free) OPENSSL_free(sigblock); 765 766 if(res == 1) { 767 return sec_status_secure; 768 } else if(res == 0) { 769 verbose(VERB_QUERY, "verify: signature mismatch"); 770 *reason = "signature crypto failed"; 771 return sec_status_bogus; 772 } 773 774 log_crypto_error("verify:", ERR_get_error()); 775 return sec_status_unchecked; 776} 777 778/**************************************************/ 779#elif defined(HAVE_NSS) 780/* libnss implementation */ 781/* nss3 */ 782#include "sechash.h" 783#include "pk11pub.h" 784#include "keyhi.h" 785#include "secerr.h" 786#include "cryptohi.h" 787/* nspr4 */ 788#include "prerror.h" 789 790/* return size of digest if supported, or 0 otherwise */ 791size_t 792nsec3_hash_algo_size_supported(int id) 793{ 794 switch(id) { 795 case NSEC3_HASH_SHA1: 796 return SHA1_LENGTH; 797 default: 798 return 0; 799 } 800} 801 802/* perform nsec3 hash. return false on failure */ 803int 804secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len, 805 unsigned char* res) 806{ 807 switch(algo) { 808 case NSEC3_HASH_SHA1: 809 (void)HASH_HashBuf(HASH_AlgSHA1, res, buf, (unsigned long)len); 810 return 1; 811 default: 812 return 0; 813 } 814} 815 816void 817secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res) 818{ 819 (void)HASH_HashBuf(HASH_AlgSHA256, res, buf, (unsigned long)len); 820} 821 822size_t 823ds_digest_size_supported(int algo) 824{ 825 /* uses libNSS */ 826 switch(algo) { 827#ifdef USE_SHA1 828 case LDNS_SHA1: 829 return SHA1_LENGTH; 830#endif 831#ifdef USE_SHA2 832 case LDNS_SHA256: 833 return SHA256_LENGTH; 834#endif 835#ifdef USE_ECDSA 836 case LDNS_SHA384: 837 return SHA384_LENGTH; 838#endif 839 /* GOST not supported in NSS */ 840 case LDNS_HASH_GOST: 841 default: break; 842 } 843 return 0; 844} 845 846int 847secalgo_ds_digest(int algo, unsigned char* buf, size_t len, 848 unsigned char* res) 849{ 850 /* uses libNSS */ 851 switch(algo) { 852#ifdef USE_SHA1 853 case LDNS_SHA1: 854 return HASH_HashBuf(HASH_AlgSHA1, res, buf, len) 855 == SECSuccess; 856#endif 857#if defined(USE_SHA2) 858 case LDNS_SHA256: 859 return HASH_HashBuf(HASH_AlgSHA256, res, buf, len) 860 == SECSuccess; 861#endif 862#ifdef USE_ECDSA 863 case LDNS_SHA384: 864 return HASH_HashBuf(HASH_AlgSHA384, res, buf, len) 865 == SECSuccess; 866#endif 867 case LDNS_HASH_GOST: 868 default: 869 verbose(VERB_QUERY, "unknown DS digest algorithm %d", 870 algo); 871 break; 872 } 873 return 0; 874} 875 876int 877dnskey_algo_id_is_supported(int id) 878{ 879 /* uses libNSS */ 880 switch(id) { 881 case LDNS_RSAMD5: 882 /* RFC 6725 deprecates RSAMD5 */ 883 return 0; 884#if defined(USE_SHA1) || defined(USE_SHA2) 885#if defined(USE_DSA) && defined(USE_SHA1) 886 case LDNS_DSA: 887 case LDNS_DSA_NSEC3: 888#endif 889#ifdef USE_SHA1 890 case LDNS_RSASHA1: 891 case LDNS_RSASHA1_NSEC3: 892#endif 893#ifdef USE_SHA2 894 case LDNS_RSASHA256: 895#endif 896#ifdef USE_SHA2 897 case LDNS_RSASHA512: 898#endif 899 return 1; 900#endif /* SHA1 or SHA2 */ 901 902#ifdef USE_ECDSA 903 case LDNS_ECDSAP256SHA256: 904 case LDNS_ECDSAP384SHA384: 905 return PK11_TokenExists(CKM_ECDSA); 906#endif 907 case LDNS_ECC_GOST: 908 default: 909 return 0; 910 } 911} 912 913/* return a new public key for NSS */ 914static SECKEYPublicKey* nss_key_create(KeyType ktype) 915{ 916 SECKEYPublicKey* key; 917 PLArenaPool* arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); 918 if(!arena) { 919 log_err("out of memory, PORT_NewArena failed"); 920 return NULL; 921 } 922 key = PORT_ArenaZNew(arena, SECKEYPublicKey); 923 if(!key) { 924 log_err("out of memory, PORT_ArenaZNew failed"); 925 PORT_FreeArena(arena, PR_FALSE); 926 return NULL; 927 } 928 key->arena = arena; 929 key->keyType = ktype; 930 key->pkcs11Slot = NULL; 931 key->pkcs11ID = CK_INVALID_HANDLE; 932 return key; 933} 934 935static SECKEYPublicKey* nss_buf2ecdsa(unsigned char* key, size_t len, int algo) 936{ 937 SECKEYPublicKey* pk; 938 SECItem pub = {siBuffer, NULL, 0}; 939 SECItem params = {siBuffer, NULL, 0}; 940 static unsigned char param256[] = { 941 /* OBJECTIDENTIFIER 1.2.840.10045.3.1.7 (P-256) 942 * {iso(1) member-body(2) us(840) ansi-x962(10045) curves(3) prime(1) prime256v1(7)} */ 943 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07 944 }; 945 static unsigned char param384[] = { 946 /* OBJECTIDENTIFIER 1.3.132.0.34 (P-384) 947 * {iso(1) identified-organization(3) certicom(132) curve(0) ansip384r1(34)} */ 948 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22 949 }; 950 unsigned char buf[256+2]; /* sufficient for 2*384/8+1 */ 951 952 /* check length, which uncompressed must be 2 bignums */ 953 if(algo == LDNS_ECDSAP256SHA256) { 954 if(len != 2*256/8) return NULL; 955 /* ECCurve_X9_62_PRIME_256V1 */ 956 } else if(algo == LDNS_ECDSAP384SHA384) { 957 if(len != 2*384/8) return NULL; 958 /* ECCurve_X9_62_PRIME_384R1 */ 959 } else return NULL; 960 961 buf[0] = 0x04; /* POINT_FORM_UNCOMPRESSED */ 962 memmove(buf+1, key, len); 963 pub.data = buf; 964 pub.len = len+1; 965 if(algo == LDNS_ECDSAP256SHA256) { 966 params.data = param256; 967 params.len = sizeof(param256); 968 } else { 969 params.data = param384; 970 params.len = sizeof(param384); 971 } 972 973 pk = nss_key_create(ecKey); 974 if(!pk) 975 return NULL; 976 pk->u.ec.size = (len/2)*8; 977 if(SECITEM_CopyItem(pk->arena, &pk->u.ec.publicValue, &pub)) { 978 SECKEY_DestroyPublicKey(pk); 979 return NULL; 980 } 981 if(SECITEM_CopyItem(pk->arena, &pk->u.ec.DEREncodedParams, ¶ms)) { 982 SECKEY_DestroyPublicKey(pk); 983 return NULL; 984 } 985 986 return pk; 987} 988 989static SECKEYPublicKey* nss_buf2dsa(unsigned char* key, size_t len) 990{ 991 SECKEYPublicKey* pk; 992 uint8_t T; 993 uint16_t length; 994 uint16_t offset; 995 SECItem Q = {siBuffer, NULL, 0}; 996 SECItem P = {siBuffer, NULL, 0}; 997 SECItem G = {siBuffer, NULL, 0}; 998 SECItem Y = {siBuffer, NULL, 0}; 999 1000 if(len == 0) 1001 return NULL; 1002 T = (uint8_t)key[0]; 1003 length = (64 + T * 8); 1004 offset = 1; 1005 1006 if (T > 8) { 1007 return NULL; 1008 } 1009 if(len < (size_t)1 + SHA1_LENGTH + 3*length) 1010 return NULL; 1011 1012 Q.data = key+offset; 1013 Q.len = SHA1_LENGTH; 1014 offset += SHA1_LENGTH; 1015 1016 P.data = key+offset; 1017 P.len = length; 1018 offset += length; 1019 1020 G.data = key+offset; 1021 G.len = length; 1022 offset += length; 1023 1024 Y.data = key+offset; 1025 Y.len = length; 1026 offset += length; 1027 1028 pk = nss_key_create(dsaKey); 1029 if(!pk) 1030 return NULL; 1031 if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.prime, &P)) { 1032 SECKEY_DestroyPublicKey(pk); 1033 return NULL; 1034 } 1035 if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.subPrime, &Q)) { 1036 SECKEY_DestroyPublicKey(pk); 1037 return NULL; 1038 } 1039 if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.base, &G)) { 1040 SECKEY_DestroyPublicKey(pk); 1041 return NULL; 1042 } 1043 if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.publicValue, &Y)) { 1044 SECKEY_DestroyPublicKey(pk); 1045 return NULL; 1046 } 1047 return pk; 1048} 1049 1050static SECKEYPublicKey* nss_buf2rsa(unsigned char* key, size_t len) 1051{ 1052 SECKEYPublicKey* pk; 1053 uint16_t exp; 1054 uint16_t offset; 1055 uint16_t int16; 1056 SECItem modulus = {siBuffer, NULL, 0}; 1057 SECItem exponent = {siBuffer, NULL, 0}; 1058 if(len == 0) 1059 return NULL; 1060 if(key[0] == 0) { 1061 if(len < 3) 1062 return NULL; 1063 /* the exponent is too large so it's places further */ 1064 memmove(&int16, key+1, 2); 1065 exp = ntohs(int16); 1066 offset = 3; 1067 } else { 1068 exp = key[0]; 1069 offset = 1; 1070 } 1071 1072 /* key length at least one */ 1073 if(len < (size_t)offset + exp + 1) 1074 return NULL; 1075 1076 exponent.data = key+offset; 1077 exponent.len = exp; 1078 offset += exp; 1079 modulus.data = key+offset; 1080 modulus.len = (len - offset); 1081 1082 pk = nss_key_create(rsaKey); 1083 if(!pk) 1084 return NULL; 1085 if(SECITEM_CopyItem(pk->arena, &pk->u.rsa.modulus, &modulus)) { 1086 SECKEY_DestroyPublicKey(pk); 1087 return NULL; 1088 } 1089 if(SECITEM_CopyItem(pk->arena, &pk->u.rsa.publicExponent, &exponent)) { 1090 SECKEY_DestroyPublicKey(pk); 1091 return NULL; 1092 } 1093 return pk; 1094} 1095 1096/** 1097 * Setup key and digest for verification. Adjust sig if necessary. 1098 * 1099 * @param algo: key algorithm 1100 * @param evp_key: EVP PKEY public key to create. 1101 * @param digest_type: digest type to use 1102 * @param key: key to setup for. 1103 * @param keylen: length of key. 1104 * @param prefix: if returned, the ASN prefix for the hashblob. 1105 * @param prefixlen: length of the prefix. 1106 * @return false on failure. 1107 */ 1108static int 1109nss_setup_key_digest(int algo, SECKEYPublicKey** pubkey, HASH_HashType* htype, 1110 unsigned char* key, size_t keylen, unsigned char** prefix, 1111 size_t* prefixlen) 1112{ 1113 /* uses libNSS */ 1114 1115 /* hash prefix for md5, RFC2537 */ 1116 static unsigned char p_md5[] = {0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a, 1117 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 0x04, 0x10}; 1118 /* hash prefix to prepend to hash output, from RFC3110 */ 1119 static unsigned char p_sha1[] = {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B, 1120 0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14}; 1121 /* from RFC5702 */ 1122 static unsigned char p_sha256[] = {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 1123 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20}; 1124 static unsigned char p_sha512[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 1125 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40}; 1126 /* from RFC6234 */ 1127 /* for future RSASHA384 .. 1128 static unsigned char p_sha384[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 1129 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30}; 1130 */ 1131 1132 switch(algo) { 1133 1134#if defined(USE_SHA1) || defined(USE_SHA2) 1135#if defined(USE_DSA) && defined(USE_SHA1) 1136 case LDNS_DSA: 1137 case LDNS_DSA_NSEC3: 1138 *pubkey = nss_buf2dsa(key, keylen); 1139 if(!*pubkey) { 1140 log_err("verify: malloc failure in crypto"); 1141 return 0; 1142 } 1143 *htype = HASH_AlgSHA1; 1144 /* no prefix for DSA verification */ 1145 break; 1146#endif 1147#ifdef USE_SHA1 1148 case LDNS_RSASHA1: 1149 case LDNS_RSASHA1_NSEC3: 1150#endif 1151#ifdef USE_SHA2 1152 case LDNS_RSASHA256: 1153#endif 1154#ifdef USE_SHA2 1155 case LDNS_RSASHA512: 1156#endif 1157 *pubkey = nss_buf2rsa(key, keylen); 1158 if(!*pubkey) { 1159 log_err("verify: malloc failure in crypto"); 1160 return 0; 1161 } 1162 /* select SHA version */ 1163#ifdef USE_SHA2 1164 if(algo == LDNS_RSASHA256) { 1165 *htype = HASH_AlgSHA256; 1166 *prefix = p_sha256; 1167 *prefixlen = sizeof(p_sha256); 1168 } else 1169#endif 1170#ifdef USE_SHA2 1171 if(algo == LDNS_RSASHA512) { 1172 *htype = HASH_AlgSHA512; 1173 *prefix = p_sha512; 1174 *prefixlen = sizeof(p_sha512); 1175 } else 1176#endif 1177#ifdef USE_SHA1 1178 { 1179 *htype = HASH_AlgSHA1; 1180 *prefix = p_sha1; 1181 *prefixlen = sizeof(p_sha1); 1182 } 1183#else 1184 { 1185 verbose(VERB_QUERY, "verify: no digest algo"); 1186 return 0; 1187 } 1188#endif 1189 1190 break; 1191#endif /* SHA1 or SHA2 */ 1192 1193 case LDNS_RSAMD5: 1194 *pubkey = nss_buf2rsa(key, keylen); 1195 if(!*pubkey) { 1196 log_err("verify: malloc failure in crypto"); 1197 return 0; 1198 } 1199 *htype = HASH_AlgMD5; 1200 *prefix = p_md5; 1201 *prefixlen = sizeof(p_md5); 1202 1203 break; 1204#ifdef USE_ECDSA 1205 case LDNS_ECDSAP256SHA256: 1206 *pubkey = nss_buf2ecdsa(key, keylen, 1207 LDNS_ECDSAP256SHA256); 1208 if(!*pubkey) { 1209 log_err("verify: malloc failure in crypto"); 1210 return 0; 1211 } 1212 *htype = HASH_AlgSHA256; 1213 /* no prefix for DSA verification */ 1214 break; 1215 case LDNS_ECDSAP384SHA384: 1216 *pubkey = nss_buf2ecdsa(key, keylen, 1217 LDNS_ECDSAP384SHA384); 1218 if(!*pubkey) { 1219 log_err("verify: malloc failure in crypto"); 1220 return 0; 1221 } 1222 *htype = HASH_AlgSHA384; 1223 /* no prefix for DSA verification */ 1224 break; 1225#endif /* USE_ECDSA */ 1226 case LDNS_ECC_GOST: 1227 default: 1228 verbose(VERB_QUERY, "verify: unknown algorithm %d", 1229 algo); 1230 return 0; 1231 } 1232 return 1; 1233} 1234 1235/** 1236 * Check a canonical sig+rrset and signature against a dnskey 1237 * @param buf: buffer with data to verify, the first rrsig part and the 1238 * canonicalized rrset. 1239 * @param algo: DNSKEY algorithm. 1240 * @param sigblock: signature rdata field from RRSIG 1241 * @param sigblock_len: length of sigblock data. 1242 * @param key: public key data from DNSKEY RR. 1243 * @param keylen: length of keydata. 1244 * @param reason: bogus reason in more detail. 1245 * @return secure if verification succeeded, bogus on crypto failure, 1246 * unchecked on format errors and alloc failures. 1247 */ 1248enum sec_status 1249verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock, 1250 unsigned int sigblock_len, unsigned char* key, unsigned int keylen, 1251 char** reason) 1252{ 1253 /* uses libNSS */ 1254 /* large enough for the different hashes */ 1255 unsigned char hash[HASH_LENGTH_MAX]; 1256 unsigned char hash2[HASH_LENGTH_MAX*2]; 1257 HASH_HashType htype = 0; 1258 SECKEYPublicKey* pubkey = NULL; 1259 SECItem secsig = {siBuffer, sigblock, sigblock_len}; 1260 SECItem sechash = {siBuffer, hash, 0}; 1261 SECStatus res; 1262 unsigned char* prefix = NULL; /* prefix for hash, RFC3110, RFC5702 */ 1263 size_t prefixlen = 0; 1264 int err; 1265 1266 if(!nss_setup_key_digest(algo, &pubkey, &htype, key, keylen, 1267 &prefix, &prefixlen)) { 1268 verbose(VERB_QUERY, "verify: failed to setup key"); 1269 *reason = "use of key for crypto failed"; 1270 SECKEY_DestroyPublicKey(pubkey); 1271 return sec_status_bogus; 1272 } 1273 1274#if defined(USE_DSA) && defined(USE_SHA1) 1275 /* need to convert DSA, ECDSA signatures? */ 1276 if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3)) { 1277 if(sigblock_len == 1+2*SHA1_LENGTH) { 1278 secsig.data ++; 1279 secsig.len --; 1280 } else { 1281 SECItem* p = DSAU_DecodeDerSig(&secsig); 1282 if(!p) { 1283 verbose(VERB_QUERY, "verify: failed DER decode"); 1284 *reason = "signature DER decode failed"; 1285 SECKEY_DestroyPublicKey(pubkey); 1286 return sec_status_bogus; 1287 } 1288 if(SECITEM_CopyItem(pubkey->arena, &secsig, p)) { 1289 log_err("alloc failure in DER decode"); 1290 SECKEY_DestroyPublicKey(pubkey); 1291 SECITEM_FreeItem(p, PR_TRUE); 1292 return sec_status_unchecked; 1293 } 1294 SECITEM_FreeItem(p, PR_TRUE); 1295 } 1296 } 1297#endif /* USE_DSA */ 1298 1299 /* do the signature cryptography work */ 1300 /* hash the data */ 1301 sechash.len = HASH_ResultLen(htype); 1302 if(sechash.len > sizeof(hash)) { 1303 verbose(VERB_QUERY, "verify: hash too large for buffer"); 1304 SECKEY_DestroyPublicKey(pubkey); 1305 return sec_status_unchecked; 1306 } 1307 if(HASH_HashBuf(htype, hash, (unsigned char*)sldns_buffer_begin(buf), 1308 (unsigned int)sldns_buffer_limit(buf)) != SECSuccess) { 1309 verbose(VERB_QUERY, "verify: HASH_HashBuf failed"); 1310 SECKEY_DestroyPublicKey(pubkey); 1311 return sec_status_unchecked; 1312 } 1313 if(prefix) { 1314 int hashlen = sechash.len; 1315 if(prefixlen+hashlen > sizeof(hash2)) { 1316 verbose(VERB_QUERY, "verify: hashprefix too large"); 1317 SECKEY_DestroyPublicKey(pubkey); 1318 return sec_status_unchecked; 1319 } 1320 sechash.data = hash2; 1321 sechash.len = prefixlen+hashlen; 1322 memcpy(sechash.data, prefix, prefixlen); 1323 memmove(sechash.data+prefixlen, hash, hashlen); 1324 } 1325 1326 /* verify the signature */ 1327 res = PK11_Verify(pubkey, &secsig, &sechash, NULL /*wincx*/); 1328 SECKEY_DestroyPublicKey(pubkey); 1329 1330 if(res == SECSuccess) { 1331 return sec_status_secure; 1332 } 1333 err = PORT_GetError(); 1334 if(err != SEC_ERROR_BAD_SIGNATURE) { 1335 /* failed to verify */ 1336 verbose(VERB_QUERY, "verify: PK11_Verify failed: %s", 1337 PORT_ErrorToString(err)); 1338 /* if it is not supported, like ECC is removed, we get, 1339 * SEC_ERROR_NO_MODULE */ 1340 if(err == SEC_ERROR_NO_MODULE) 1341 return sec_status_unchecked; 1342 /* but other errors are commonly returned 1343 * for a bad signature from NSS. Thus we return bogus, 1344 * not unchecked */ 1345 *reason = "signature crypto failed"; 1346 return sec_status_bogus; 1347 } 1348 verbose(VERB_QUERY, "verify: signature mismatch: %s", 1349 PORT_ErrorToString(err)); 1350 *reason = "signature crypto failed"; 1351 return sec_status_bogus; 1352} 1353 1354#elif defined(HAVE_NETTLE) 1355 1356#include "sha.h" 1357#include "bignum.h" 1358#include "macros.h" 1359#include "rsa.h" 1360#include "dsa.h" 1361#ifdef HAVE_NETTLE_DSA_COMPAT_H 1362#include "dsa-compat.h" 1363#endif 1364#include "asn1.h" 1365#ifdef USE_ECDSA 1366#include "ecdsa.h" 1367#include "ecc-curve.h" 1368#endif 1369#ifdef HAVE_NETTLE_EDDSA_H 1370#include "eddsa.h" 1371#endif 1372 1373static int 1374_digest_nettle(int algo, uint8_t* buf, size_t len, 1375 unsigned char* res) 1376{ 1377 switch(algo) { 1378 case SHA1_DIGEST_SIZE: 1379 { 1380 struct sha1_ctx ctx; 1381 sha1_init(&ctx); 1382 sha1_update(&ctx, len, buf); 1383 sha1_digest(&ctx, SHA1_DIGEST_SIZE, res); 1384 return 1; 1385 } 1386 case SHA256_DIGEST_SIZE: 1387 { 1388 struct sha256_ctx ctx; 1389 sha256_init(&ctx); 1390 sha256_update(&ctx, len, buf); 1391 sha256_digest(&ctx, SHA256_DIGEST_SIZE, res); 1392 return 1; 1393 } 1394 case SHA384_DIGEST_SIZE: 1395 { 1396 struct sha384_ctx ctx; 1397 sha384_init(&ctx); 1398 sha384_update(&ctx, len, buf); 1399 sha384_digest(&ctx, SHA384_DIGEST_SIZE, res); 1400 return 1; 1401 } 1402 case SHA512_DIGEST_SIZE: 1403 { 1404 struct sha512_ctx ctx; 1405 sha512_init(&ctx); 1406 sha512_update(&ctx, len, buf); 1407 sha512_digest(&ctx, SHA512_DIGEST_SIZE, res); 1408 return 1; 1409 } 1410 default: 1411 break; 1412 } 1413 return 0; 1414} 1415 1416/* return size of digest if supported, or 0 otherwise */ 1417size_t 1418nsec3_hash_algo_size_supported(int id) 1419{ 1420 switch(id) { 1421 case NSEC3_HASH_SHA1: 1422 return SHA1_DIGEST_SIZE; 1423 default: 1424 return 0; 1425 } 1426} 1427 1428/* perform nsec3 hash. return false on failure */ 1429int 1430secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len, 1431 unsigned char* res) 1432{ 1433 switch(algo) { 1434 case NSEC3_HASH_SHA1: 1435 return _digest_nettle(SHA1_DIGEST_SIZE, (uint8_t*)buf, len, 1436 res); 1437 default: 1438 return 0; 1439 } 1440} 1441 1442void 1443secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res) 1444{ 1445 _digest_nettle(SHA256_DIGEST_SIZE, (uint8_t*)buf, len, res); 1446} 1447 1448/** 1449 * Return size of DS digest according to its hash algorithm. 1450 * @param algo: DS digest algo. 1451 * @return size in bytes of digest, or 0 if not supported. 1452 */ 1453size_t 1454ds_digest_size_supported(int algo) 1455{ 1456 switch(algo) { 1457 case LDNS_SHA1: 1458#ifdef USE_SHA1 1459 return SHA1_DIGEST_SIZE; 1460#else 1461 if(fake_sha1) return 20; 1462 return 0; 1463#endif 1464#ifdef USE_SHA2 1465 case LDNS_SHA256: 1466 return SHA256_DIGEST_SIZE; 1467#endif 1468#ifdef USE_ECDSA 1469 case LDNS_SHA384: 1470 return SHA384_DIGEST_SIZE; 1471#endif 1472 /* GOST not supported */ 1473 case LDNS_HASH_GOST: 1474 default: 1475 break; 1476 } 1477 return 0; 1478} 1479 1480int 1481secalgo_ds_digest(int algo, unsigned char* buf, size_t len, 1482 unsigned char* res) 1483{ 1484 switch(algo) { 1485#ifdef USE_SHA1 1486 case LDNS_SHA1: 1487 return _digest_nettle(SHA1_DIGEST_SIZE, buf, len, res); 1488#endif 1489#if defined(USE_SHA2) 1490 case LDNS_SHA256: 1491 return _digest_nettle(SHA256_DIGEST_SIZE, buf, len, res); 1492#endif 1493#ifdef USE_ECDSA 1494 case LDNS_SHA384: 1495 return _digest_nettle(SHA384_DIGEST_SIZE, buf, len, res); 1496 1497#endif 1498 case LDNS_HASH_GOST: 1499 default: 1500 verbose(VERB_QUERY, "unknown DS digest algorithm %d", 1501 algo); 1502 break; 1503 } 1504 return 0; 1505} 1506 1507int 1508dnskey_algo_id_is_supported(int id) 1509{ 1510 /* uses libnettle */ 1511 switch(id) { 1512#if defined(USE_DSA) && defined(USE_SHA1) 1513 case LDNS_DSA: 1514 case LDNS_DSA_NSEC3: 1515#endif 1516#ifdef USE_SHA1 1517 case LDNS_RSASHA1: 1518 case LDNS_RSASHA1_NSEC3: 1519#endif 1520#ifdef USE_SHA2 1521 case LDNS_RSASHA256: 1522 case LDNS_RSASHA512: 1523#endif 1524#ifdef USE_ECDSA 1525 case LDNS_ECDSAP256SHA256: 1526 case LDNS_ECDSAP384SHA384: 1527#endif 1528 return 1; 1529#ifdef USE_ED25519 1530 case LDNS_ED25519: 1531 return 1; 1532#endif 1533 case LDNS_RSAMD5: /* RFC 6725 deprecates RSAMD5 */ 1534 case LDNS_ECC_GOST: 1535 default: 1536 return 0; 1537 } 1538} 1539 1540#if defined(USE_DSA) && defined(USE_SHA1) 1541static char * 1542_verify_nettle_dsa(sldns_buffer* buf, unsigned char* sigblock, 1543 unsigned int sigblock_len, unsigned char* key, unsigned int keylen) 1544{ 1545 uint8_t digest[SHA1_DIGEST_SIZE]; 1546 uint8_t key_t_value; 1547 int res = 0; 1548 size_t offset; 1549 struct dsa_public_key pubkey; 1550 struct dsa_signature signature; 1551 unsigned int expected_len; 1552 1553 /* Extract DSA signature from the record */ 1554 nettle_dsa_signature_init(&signature); 1555 /* Signature length: 41 bytes - RFC 2536 sec. 3 */ 1556 if(sigblock_len == 41) { 1557 if(key[0] != sigblock[0]) 1558 return "invalid T value in DSA signature or pubkey"; 1559 nettle_mpz_set_str_256_u(signature.r, 20, sigblock+1); 1560 nettle_mpz_set_str_256_u(signature.s, 20, sigblock+1+20); 1561 } else { 1562 /* DER encoded, decode the ASN1 notated R and S bignums */ 1563 /* SEQUENCE { r INTEGER, s INTEGER } */ 1564 struct asn1_der_iterator i, seq; 1565 if(asn1_der_iterator_first(&i, sigblock_len, 1566 (uint8_t*)sigblock) != ASN1_ITERATOR_CONSTRUCTED 1567 || i.type != ASN1_SEQUENCE) 1568 return "malformed DER encoded DSA signature"; 1569 /* decode this element of i using the seq iterator */ 1570 if(asn1_der_decode_constructed(&i, &seq) != 1571 ASN1_ITERATOR_PRIMITIVE || seq.type != ASN1_INTEGER) 1572 return "malformed DER encoded DSA signature"; 1573 if(!asn1_der_get_bignum(&seq, signature.r, 20*8)) 1574 return "malformed DER encoded DSA signature"; 1575 if(asn1_der_iterator_next(&seq) != ASN1_ITERATOR_PRIMITIVE 1576 || seq.type != ASN1_INTEGER) 1577 return "malformed DER encoded DSA signature"; 1578 if(!asn1_der_get_bignum(&seq, signature.s, 20*8)) 1579 return "malformed DER encoded DSA signature"; 1580 if(asn1_der_iterator_next(&i) != ASN1_ITERATOR_END) 1581 return "malformed DER encoded DSA signature"; 1582 } 1583 1584 /* Validate T values constraints - RFC 2536 sec. 2 & sec. 3 */ 1585 key_t_value = key[0]; 1586 if (key_t_value > 8) { 1587 return "invalid T value in DSA pubkey"; 1588 } 1589 1590 /* Pubkey minimum length: 21 bytes - RFC 2536 sec. 2 */ 1591 if (keylen < 21) { 1592 return "DSA pubkey too short"; 1593 } 1594 1595 expected_len = 1 + /* T */ 1596 20 + /* Q */ 1597 (64 + key_t_value*8) + /* P */ 1598 (64 + key_t_value*8) + /* G */ 1599 (64 + key_t_value*8); /* Y */ 1600 if (keylen != expected_len ) { 1601 return "invalid DSA pubkey length"; 1602 } 1603 1604 /* Extract DSA pubkey from the record */ 1605 nettle_dsa_public_key_init(&pubkey); 1606 offset = 1; 1607 nettle_mpz_set_str_256_u(pubkey.q, 20, key+offset); 1608 offset += 20; 1609 nettle_mpz_set_str_256_u(pubkey.p, (64 + key_t_value*8), key+offset); 1610 offset += (64 + key_t_value*8); 1611 nettle_mpz_set_str_256_u(pubkey.g, (64 + key_t_value*8), key+offset); 1612 offset += (64 + key_t_value*8); 1613 nettle_mpz_set_str_256_u(pubkey.y, (64 + key_t_value*8), key+offset); 1614 1615 /* Digest content of "buf" and verify its DSA signature in "sigblock"*/ 1616 res = _digest_nettle(SHA1_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), 1617 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); 1618 res &= dsa_sha1_verify_digest(&pubkey, digest, &signature); 1619 1620 /* Clear and return */ 1621 nettle_dsa_signature_clear(&signature); 1622 nettle_dsa_public_key_clear(&pubkey); 1623 if (!res) 1624 return "DSA signature verification failed"; 1625 else 1626 return NULL; 1627} 1628#endif /* USE_DSA */ 1629 1630static char * 1631_verify_nettle_rsa(sldns_buffer* buf, unsigned int digest_size, char* sigblock, 1632 unsigned int sigblock_len, uint8_t* key, unsigned int keylen) 1633{ 1634 uint16_t exp_len = 0; 1635 size_t exp_offset = 0, mod_offset = 0; 1636 struct rsa_public_key pubkey; 1637 mpz_t signature; 1638 int res = 0; 1639 1640 /* RSA pubkey parsing as per RFC 3110 sec. 2 */ 1641 if( keylen <= 1) { 1642 return "null RSA key"; 1643 } 1644 if (key[0] != 0) { 1645 /* 1-byte length */ 1646 exp_len = key[0]; 1647 exp_offset = 1; 1648 } else { 1649 /* 1-byte NUL + 2-bytes exponent length */ 1650 if (keylen < 3) { 1651 return "incorrect RSA key length"; 1652 } 1653 exp_len = READ_UINT16(key+1); 1654 if (exp_len == 0) 1655 return "null RSA exponent length"; 1656 exp_offset = 3; 1657 } 1658 /* Check that we are not over-running input length */ 1659 if (keylen < exp_offset + exp_len + 1) { 1660 return "RSA key content shorter than expected"; 1661 } 1662 mod_offset = exp_offset + exp_len; 1663 nettle_rsa_public_key_init(&pubkey); 1664 pubkey.size = keylen - mod_offset; 1665 nettle_mpz_set_str_256_u(pubkey.e, exp_len, &key[exp_offset]); 1666 nettle_mpz_set_str_256_u(pubkey.n, pubkey.size, &key[mod_offset]); 1667 1668 /* Digest content of "buf" and verify its RSA signature in "sigblock"*/ 1669 nettle_mpz_init_set_str_256_u(signature, sigblock_len, (uint8_t*)sigblock); 1670 switch (digest_size) { 1671 case SHA1_DIGEST_SIZE: 1672 { 1673 uint8_t digest[SHA1_DIGEST_SIZE]; 1674 res = _digest_nettle(SHA1_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), 1675 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); 1676 res &= rsa_sha1_verify_digest(&pubkey, digest, signature); 1677 break; 1678 } 1679 case SHA256_DIGEST_SIZE: 1680 { 1681 uint8_t digest[SHA256_DIGEST_SIZE]; 1682 res = _digest_nettle(SHA256_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), 1683 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); 1684 res &= rsa_sha256_verify_digest(&pubkey, digest, signature); 1685 break; 1686 } 1687 case SHA512_DIGEST_SIZE: 1688 { 1689 uint8_t digest[SHA512_DIGEST_SIZE]; 1690 res = _digest_nettle(SHA512_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), 1691 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); 1692 res &= rsa_sha512_verify_digest(&pubkey, digest, signature); 1693 break; 1694 } 1695 default: 1696 break; 1697 } 1698 1699 /* Clear and return */ 1700 nettle_rsa_public_key_clear(&pubkey); 1701 mpz_clear(signature); 1702 if (!res) { 1703 return "RSA signature verification failed"; 1704 } else { 1705 return NULL; 1706 } 1707} 1708 1709#ifdef USE_ECDSA 1710static char * 1711_verify_nettle_ecdsa(sldns_buffer* buf, unsigned int digest_size, unsigned char* sigblock, 1712 unsigned int sigblock_len, unsigned char* key, unsigned int keylen) 1713{ 1714 int res = 0; 1715 struct ecc_point pubkey; 1716 struct dsa_signature signature; 1717 1718 /* Always matched strength, as per RFC 6605 sec. 1 */ 1719 if (sigblock_len != 2*digest_size || keylen != 2*digest_size) { 1720 return "wrong ECDSA signature length"; 1721 } 1722 1723 /* Parse ECDSA signature as per RFC 6605 sec. 4 */ 1724 nettle_dsa_signature_init(&signature); 1725 switch (digest_size) { 1726 case SHA256_DIGEST_SIZE: 1727 { 1728 uint8_t digest[SHA256_DIGEST_SIZE]; 1729 mpz_t x, y; 1730 nettle_ecc_point_init(&pubkey, nettle_get_secp_256r1()); 1731 nettle_mpz_init_set_str_256_u(x, SHA256_DIGEST_SIZE, key); 1732 nettle_mpz_init_set_str_256_u(y, SHA256_DIGEST_SIZE, key+SHA256_DIGEST_SIZE); 1733 nettle_mpz_set_str_256_u(signature.r, SHA256_DIGEST_SIZE, sigblock); 1734 nettle_mpz_set_str_256_u(signature.s, SHA256_DIGEST_SIZE, sigblock+SHA256_DIGEST_SIZE); 1735 res = _digest_nettle(SHA256_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), 1736 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); 1737 res &= nettle_ecc_point_set(&pubkey, x, y); 1738 res &= nettle_ecdsa_verify (&pubkey, SHA256_DIGEST_SIZE, digest, &signature); 1739 mpz_clear(x); 1740 mpz_clear(y); 1741 break; 1742 } 1743 case SHA384_DIGEST_SIZE: 1744 { 1745 uint8_t digest[SHA384_DIGEST_SIZE]; 1746 mpz_t x, y; 1747 nettle_ecc_point_init(&pubkey, nettle_get_secp_384r1()); 1748 nettle_mpz_init_set_str_256_u(x, SHA384_DIGEST_SIZE, key); 1749 nettle_mpz_init_set_str_256_u(y, SHA384_DIGEST_SIZE, key+SHA384_DIGEST_SIZE); 1750 nettle_mpz_set_str_256_u(signature.r, SHA384_DIGEST_SIZE, sigblock); 1751 nettle_mpz_set_str_256_u(signature.s, SHA384_DIGEST_SIZE, sigblock+SHA384_DIGEST_SIZE); 1752 res = _digest_nettle(SHA384_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), 1753 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); 1754 res &= nettle_ecc_point_set(&pubkey, x, y); 1755 res &= nettle_ecdsa_verify (&pubkey, SHA384_DIGEST_SIZE, digest, &signature); 1756 mpz_clear(x); 1757 mpz_clear(y); 1758 nettle_ecc_point_clear(&pubkey); 1759 break; 1760 } 1761 default: 1762 return "unknown ECDSA algorithm"; 1763 } 1764 1765 /* Clear and return */ 1766 nettle_dsa_signature_clear(&signature); 1767 if (!res) 1768 return "ECDSA signature verification failed"; 1769 else 1770 return NULL; 1771} 1772#endif 1773 1774#ifdef USE_ED25519 1775static char * 1776_verify_nettle_ed25519(sldns_buffer* buf, unsigned char* sigblock, 1777 unsigned int sigblock_len, unsigned char* key, unsigned int keylen) 1778{ 1779 int res = 0; 1780 1781 if(sigblock_len != ED25519_SIGNATURE_SIZE) { 1782 return "wrong ED25519 signature length"; 1783 } 1784 if(keylen != ED25519_KEY_SIZE) { 1785 return "wrong ED25519 key length"; 1786 } 1787 1788 res = ed25519_sha512_verify((uint8_t*)key, sldns_buffer_limit(buf), 1789 sldns_buffer_begin(buf), (uint8_t*)sigblock); 1790 1791 if (!res) 1792 return "ED25519 signature verification failed"; 1793 else 1794 return NULL; 1795} 1796#endif 1797 1798/** 1799 * Check a canonical sig+rrset and signature against a dnskey 1800 * @param buf: buffer with data to verify, the first rrsig part and the 1801 * canonicalized rrset. 1802 * @param algo: DNSKEY algorithm. 1803 * @param sigblock: signature rdata field from RRSIG 1804 * @param sigblock_len: length of sigblock data. 1805 * @param key: public key data from DNSKEY RR. 1806 * @param keylen: length of keydata. 1807 * @param reason: bogus reason in more detail. 1808 * @return secure if verification succeeded, bogus on crypto failure, 1809 * unchecked on format errors and alloc failures. 1810 */ 1811enum sec_status 1812verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock, 1813 unsigned int sigblock_len, unsigned char* key, unsigned int keylen, 1814 char** reason) 1815{ 1816 unsigned int digest_size = 0; 1817 1818 if (sigblock_len == 0 || keylen == 0) { 1819 *reason = "null signature"; 1820 return sec_status_bogus; 1821 } 1822 1823 switch(algo) { 1824#if defined(USE_DSA) && defined(USE_SHA1) 1825 case LDNS_DSA: 1826 case LDNS_DSA_NSEC3: 1827 *reason = _verify_nettle_dsa(buf, sigblock, sigblock_len, key, keylen); 1828 if (*reason != NULL) 1829 return sec_status_bogus; 1830 else 1831 return sec_status_secure; 1832#endif /* USE_DSA */ 1833 1834#ifdef USE_SHA1 1835 case LDNS_RSASHA1: 1836 case LDNS_RSASHA1_NSEC3: 1837 digest_size = (digest_size ? digest_size : SHA1_DIGEST_SIZE); 1838#endif 1839 /* double fallthrough annotation to please gcc parser */ 1840 /* fallthrough */ 1841#ifdef USE_SHA2 1842 /* fallthrough */ 1843 case LDNS_RSASHA256: 1844 digest_size = (digest_size ? digest_size : SHA256_DIGEST_SIZE); 1845 /* fallthrough */ 1846 case LDNS_RSASHA512: 1847 digest_size = (digest_size ? digest_size : SHA512_DIGEST_SIZE); 1848 1849#endif 1850 *reason = _verify_nettle_rsa(buf, digest_size, (char*)sigblock, 1851 sigblock_len, key, keylen); 1852 if (*reason != NULL) 1853 return sec_status_bogus; 1854 else 1855 return sec_status_secure; 1856 1857#ifdef USE_ECDSA 1858 case LDNS_ECDSAP256SHA256: 1859 digest_size = (digest_size ? digest_size : SHA256_DIGEST_SIZE); 1860 /* fallthrough */ 1861 case LDNS_ECDSAP384SHA384: 1862 digest_size = (digest_size ? digest_size : SHA384_DIGEST_SIZE); 1863 *reason = _verify_nettle_ecdsa(buf, digest_size, sigblock, 1864 sigblock_len, key, keylen); 1865 if (*reason != NULL) 1866 return sec_status_bogus; 1867 else 1868 return sec_status_secure; 1869#endif 1870#ifdef USE_ED25519 1871 case LDNS_ED25519: 1872 *reason = _verify_nettle_ed25519(buf, sigblock, sigblock_len, 1873 key, keylen); 1874 if (*reason != NULL) 1875 return sec_status_bogus; 1876 else 1877 return sec_status_secure; 1878#endif 1879 case LDNS_RSAMD5: 1880 case LDNS_ECC_GOST: 1881 default: 1882 *reason = "unable to verify signature, unknown algorithm"; 1883 return sec_status_bogus; 1884 } 1885} 1886 1887#endif /* HAVE_SSL or HAVE_NSS or HAVE_NETTLE */ 1888