1 /* 2 * validator/val_secalgo.c - validator security algorithm functions. 3 * 4 * Copyright (c) 2012, NLnet Labs. All rights reserved. 5 * 6 * This software is open source. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * Redistributions of source code must retain the above copyright notice, 13 * this list of conditions and the following disclaimer. 14 * 15 * Redistributions in binary form must reproduce the above copyright notice, 16 * this list of conditions and the following disclaimer in the documentation 17 * and/or other materials provided with the distribution. 18 * 19 * Neither the name of the NLNET LABS nor the names of its contributors may 20 * be used to endorse or promote products derived from this software without 21 * specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36 /** 37 * \file 38 * 39 * This file contains helper functions for the validator module. 40 * These functions take raw data buffers, formatted for crypto verification, 41 * and do the library calls (for the crypto library in use). 42 */ 43 #include "config.h" 44 #include "validator/val_secalgo.h" 45 #include "util/data/packed_rrset.h" 46 #include "util/log.h" 47 #include "ldns/rrdef.h" 48 #include "ldns/keyraw.h" 49 #include "ldns/sbuffer.h" 50 51 #if !defined(HAVE_SSL) && !defined(HAVE_NSS) 52 #error "Need crypto library to do digital signature cryptography" 53 #endif 54 55 /* OpenSSL implementation */ 56 #ifdef HAVE_SSL 57 #ifdef HAVE_OPENSSL_ERR_H 58 #include <openssl/err.h> 59 #endif 60 61 #ifdef HAVE_OPENSSL_RAND_H 62 #include <openssl/rand.h> 63 #endif 64 65 #ifdef HAVE_OPENSSL_CONF_H 66 #include <openssl/conf.h> 67 #endif 68 69 #ifdef HAVE_OPENSSL_ENGINE_H 70 #include <openssl/engine.h> 71 #endif 72 73 /** 74 * Return size of DS digest according to its hash algorithm. 75 * @param algo: DS digest algo. 76 * @return size in bytes of digest, or 0 if not supported. 77 */ 78 size_t 79 ds_digest_size_supported(int algo) 80 { 81 switch(algo) { 82 #ifdef HAVE_EVP_SHA1 83 case LDNS_SHA1: 84 return SHA_DIGEST_LENGTH; 85 #endif 86 #ifdef HAVE_EVP_SHA256 87 case LDNS_SHA256: 88 return SHA256_DIGEST_LENGTH; 89 #endif 90 #ifdef USE_GOST 91 case LDNS_HASH_GOST: 92 if(EVP_get_digestbyname("md_gost94")) 93 return 32; 94 else return 0; 95 #endif 96 #ifdef USE_ECDSA 97 case LDNS_SHA384: 98 return SHA384_DIGEST_LENGTH; 99 #endif 100 default: break; 101 } 102 return 0; 103 } 104 105 #ifdef USE_GOST 106 /** Perform GOST hash */ 107 static int 108 do_gost94(unsigned char* data, size_t len, unsigned char* dest) 109 { 110 const EVP_MD* md = EVP_get_digestbyname("md_gost94"); 111 if(!md) 112 return 0; 113 return sldns_digest_evp(data, (unsigned int)len, dest, md); 114 } 115 #endif 116 117 int 118 secalgo_ds_digest(int algo, unsigned char* buf, size_t len, 119 unsigned char* res) 120 { 121 switch(algo) { 122 #ifdef HAVE_EVP_SHA1 123 case LDNS_SHA1: 124 (void)SHA1(buf, len, res); 125 return 1; 126 #endif 127 #ifdef HAVE_EVP_SHA256 128 case LDNS_SHA256: 129 (void)SHA256(buf, len, res); 130 return 1; 131 #endif 132 #ifdef USE_GOST 133 case LDNS_HASH_GOST: 134 if(do_gost94(buf, len, res)) 135 return 1; 136 break; 137 #endif 138 #ifdef USE_ECDSA 139 case LDNS_SHA384: 140 (void)SHA384(buf, len, res); 141 return 1; 142 #endif 143 default: 144 verbose(VERB_QUERY, "unknown DS digest algorithm %d", 145 algo); 146 break; 147 } 148 return 0; 149 } 150 151 /** return true if DNSKEY algorithm id is supported */ 152 int 153 dnskey_algo_id_is_supported(int id) 154 { 155 switch(id) { 156 case LDNS_RSAMD5: 157 /* RFC 6725 deprecates RSAMD5 */ 158 return 0; 159 case LDNS_DSA: 160 case LDNS_DSA_NSEC3: 161 case LDNS_RSASHA1: 162 case LDNS_RSASHA1_NSEC3: 163 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2) 164 case LDNS_RSASHA256: 165 #endif 166 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2) 167 case LDNS_RSASHA512: 168 #endif 169 #ifdef USE_ECDSA 170 case LDNS_ECDSAP256SHA256: 171 case LDNS_ECDSAP384SHA384: 172 #endif 173 return 1; 174 #ifdef USE_GOST 175 case LDNS_ECC_GOST: 176 /* we support GOST if it can be loaded */ 177 return sldns_key_EVP_load_gost_id(); 178 #endif 179 default: 180 return 0; 181 } 182 } 183 184 /** 185 * Output a libcrypto openssl error to the logfile. 186 * @param str: string to add to it. 187 * @param e: the error to output, error number from ERR_get_error(). 188 */ 189 static void 190 log_crypto_error(const char* str, unsigned long e) 191 { 192 char buf[128]; 193 /* or use ERR_error_string if ERR_error_string_n is not avail TODO */ 194 ERR_error_string_n(e, buf, sizeof(buf)); 195 /* buf now contains */ 196 /* error:[error code]:[library name]:[function name]:[reason string] */ 197 log_err("%s crypto %s", str, buf); 198 } 199 200 /** 201 * Setup DSA key digest in DER encoding ... 202 * @param sig: input is signature output alloced ptr (unless failure). 203 * caller must free alloced ptr if this routine returns true. 204 * @param len: input is initial siglen, output is output len. 205 * @return false on failure. 206 */ 207 static int 208 setup_dsa_sig(unsigned char** sig, unsigned int* len) 209 { 210 unsigned char* orig = *sig; 211 unsigned int origlen = *len; 212 int newlen; 213 BIGNUM *R, *S; 214 DSA_SIG *dsasig; 215 216 /* extract the R and S field from the sig buffer */ 217 if(origlen < 1 + 2*SHA_DIGEST_LENGTH) 218 return 0; 219 R = BN_new(); 220 if(!R) return 0; 221 (void) BN_bin2bn(orig + 1, SHA_DIGEST_LENGTH, R); 222 S = BN_new(); 223 if(!S) return 0; 224 (void) BN_bin2bn(orig + 21, SHA_DIGEST_LENGTH, S); 225 dsasig = DSA_SIG_new(); 226 if(!dsasig) return 0; 227 228 dsasig->r = R; 229 dsasig->s = S; 230 *sig = NULL; 231 newlen = i2d_DSA_SIG(dsasig, sig); 232 if(newlen < 0) { 233 DSA_SIG_free(dsasig); 234 free(*sig); 235 return 0; 236 } 237 *len = (unsigned int)newlen; 238 DSA_SIG_free(dsasig); 239 return 1; 240 } 241 242 #ifdef USE_ECDSA 243 /** 244 * Setup the ECDSA signature in its encoding that the library wants. 245 * Converts from plain numbers to ASN formatted. 246 * @param sig: input is signature, output alloced ptr (unless failure). 247 * caller must free alloced ptr if this routine returns true. 248 * @param len: input is initial siglen, output is output len. 249 * @return false on failure. 250 */ 251 static int 252 setup_ecdsa_sig(unsigned char** sig, unsigned int* len) 253 { 254 ECDSA_SIG* ecdsa_sig; 255 int newlen; 256 int bnsize = (int)((*len)/2); 257 /* if too short or not even length, fails */ 258 if(*len < 16 || bnsize*2 != (int)*len) 259 return 0; 260 /* use the raw data to parse two evenly long BIGNUMs, "r | s". */ 261 ecdsa_sig = ECDSA_SIG_new(); 262 if(!ecdsa_sig) return 0; 263 ecdsa_sig->r = BN_bin2bn(*sig, bnsize, ecdsa_sig->r); 264 ecdsa_sig->s = BN_bin2bn(*sig+bnsize, bnsize, ecdsa_sig->s); 265 if(!ecdsa_sig->r || !ecdsa_sig->s) { 266 ECDSA_SIG_free(ecdsa_sig); 267 return 0; 268 } 269 270 /* spool it into ASN format */ 271 *sig = NULL; 272 newlen = i2d_ECDSA_SIG(ecdsa_sig, sig); 273 if(newlen <= 0) { 274 ECDSA_SIG_free(ecdsa_sig); 275 free(*sig); 276 return 0; 277 } 278 *len = (unsigned int)newlen; 279 ECDSA_SIG_free(ecdsa_sig); 280 return 1; 281 } 282 #endif /* USE_ECDSA */ 283 284 /** 285 * Setup key and digest for verification. Adjust sig if necessary. 286 * 287 * @param algo: key algorithm 288 * @param evp_key: EVP PKEY public key to create. 289 * @param digest_type: digest type to use 290 * @param key: key to setup for. 291 * @param keylen: length of key. 292 * @return false on failure. 293 */ 294 static int 295 setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type, 296 unsigned char* key, size_t keylen) 297 { 298 DSA* dsa; 299 RSA* rsa; 300 301 switch(algo) { 302 case LDNS_DSA: 303 case LDNS_DSA_NSEC3: 304 *evp_key = EVP_PKEY_new(); 305 if(!*evp_key) { 306 log_err("verify: malloc failure in crypto"); 307 return 0; 308 } 309 dsa = sldns_key_buf2dsa_raw(key, keylen); 310 if(!dsa) { 311 verbose(VERB_QUERY, "verify: " 312 "sldns_key_buf2dsa_raw failed"); 313 return 0; 314 } 315 if(EVP_PKEY_assign_DSA(*evp_key, dsa) == 0) { 316 verbose(VERB_QUERY, "verify: " 317 "EVP_PKEY_assign_DSA failed"); 318 return 0; 319 } 320 *digest_type = EVP_dss1(); 321 322 break; 323 case LDNS_RSASHA1: 324 case LDNS_RSASHA1_NSEC3: 325 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2) 326 case LDNS_RSASHA256: 327 #endif 328 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2) 329 case LDNS_RSASHA512: 330 #endif 331 *evp_key = EVP_PKEY_new(); 332 if(!*evp_key) { 333 log_err("verify: malloc failure in crypto"); 334 return 0; 335 } 336 rsa = sldns_key_buf2rsa_raw(key, keylen); 337 if(!rsa) { 338 verbose(VERB_QUERY, "verify: " 339 "sldns_key_buf2rsa_raw SHA failed"); 340 return 0; 341 } 342 if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) { 343 verbose(VERB_QUERY, "verify: " 344 "EVP_PKEY_assign_RSA SHA failed"); 345 return 0; 346 } 347 348 /* select SHA version */ 349 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2) 350 if(algo == LDNS_RSASHA256) 351 *digest_type = EVP_sha256(); 352 else 353 #endif 354 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2) 355 if(algo == LDNS_RSASHA512) 356 *digest_type = EVP_sha512(); 357 else 358 #endif 359 *digest_type = EVP_sha1(); 360 361 break; 362 case LDNS_RSAMD5: 363 *evp_key = EVP_PKEY_new(); 364 if(!*evp_key) { 365 log_err("verify: malloc failure in crypto"); 366 return 0; 367 } 368 rsa = sldns_key_buf2rsa_raw(key, keylen); 369 if(!rsa) { 370 verbose(VERB_QUERY, "verify: " 371 "sldns_key_buf2rsa_raw MD5 failed"); 372 return 0; 373 } 374 if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) { 375 verbose(VERB_QUERY, "verify: " 376 "EVP_PKEY_assign_RSA MD5 failed"); 377 return 0; 378 } 379 *digest_type = EVP_md5(); 380 381 break; 382 #ifdef USE_GOST 383 case LDNS_ECC_GOST: 384 *evp_key = sldns_gost2pkey_raw(key, keylen); 385 if(!*evp_key) { 386 verbose(VERB_QUERY, "verify: " 387 "sldns_gost2pkey_raw failed"); 388 return 0; 389 } 390 *digest_type = EVP_get_digestbyname("md_gost94"); 391 if(!*digest_type) { 392 verbose(VERB_QUERY, "verify: " 393 "EVP_getdigest md_gost94 failed"); 394 return 0; 395 } 396 break; 397 #endif 398 #ifdef USE_ECDSA 399 case LDNS_ECDSAP256SHA256: 400 *evp_key = sldns_ecdsa2pkey_raw(key, keylen, 401 LDNS_ECDSAP256SHA256); 402 if(!*evp_key) { 403 verbose(VERB_QUERY, "verify: " 404 "sldns_ecdsa2pkey_raw failed"); 405 return 0; 406 } 407 #ifdef USE_ECDSA_EVP_WORKAROUND 408 /* openssl before 1.0.0 fixes RSA with the SHA256 409 * hash in EVP. We create one for ecdsa_sha256 */ 410 { 411 static int md_ecdsa_256_done = 0; 412 static EVP_MD md; 413 if(!md_ecdsa_256_done) { 414 EVP_MD m = *EVP_sha256(); 415 md_ecdsa_256_done = 1; 416 m.required_pkey_type[0] = (*evp_key)->type; 417 m.verify = (void*)ECDSA_verify; 418 md = m; 419 } 420 *digest_type = &md; 421 } 422 #else 423 *digest_type = EVP_sha256(); 424 #endif 425 break; 426 case LDNS_ECDSAP384SHA384: 427 *evp_key = sldns_ecdsa2pkey_raw(key, keylen, 428 LDNS_ECDSAP384SHA384); 429 if(!*evp_key) { 430 verbose(VERB_QUERY, "verify: " 431 "sldns_ecdsa2pkey_raw failed"); 432 return 0; 433 } 434 #ifdef USE_ECDSA_EVP_WORKAROUND 435 /* openssl before 1.0.0 fixes RSA with the SHA384 436 * hash in EVP. We create one for ecdsa_sha384 */ 437 { 438 static int md_ecdsa_384_done = 0; 439 static EVP_MD md; 440 if(!md_ecdsa_384_done) { 441 EVP_MD m = *EVP_sha384(); 442 md_ecdsa_384_done = 1; 443 m.required_pkey_type[0] = (*evp_key)->type; 444 m.verify = (void*)ECDSA_verify; 445 md = m; 446 } 447 *digest_type = &md; 448 } 449 #else 450 *digest_type = EVP_sha384(); 451 #endif 452 break; 453 #endif /* USE_ECDSA */ 454 default: 455 verbose(VERB_QUERY, "verify: unknown algorithm %d", 456 algo); 457 return 0; 458 } 459 return 1; 460 } 461 462 /** 463 * Check a canonical sig+rrset and signature against a dnskey 464 * @param buf: buffer with data to verify, the first rrsig part and the 465 * canonicalized rrset. 466 * @param algo: DNSKEY algorithm. 467 * @param sigblock: signature rdata field from RRSIG 468 * @param sigblock_len: length of sigblock data. 469 * @param key: public key data from DNSKEY RR. 470 * @param keylen: length of keydata. 471 * @param reason: bogus reason in more detail. 472 * @return secure if verification succeeded, bogus on crypto failure, 473 * unchecked on format errors and alloc failures. 474 */ 475 enum sec_status 476 verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock, 477 unsigned int sigblock_len, unsigned char* key, unsigned int keylen, 478 char** reason) 479 { 480 const EVP_MD *digest_type; 481 EVP_MD_CTX ctx; 482 int res, dofree = 0; 483 EVP_PKEY *evp_key = NULL; 484 485 if(!setup_key_digest(algo, &evp_key, &digest_type, key, keylen)) { 486 verbose(VERB_QUERY, "verify: failed to setup key"); 487 *reason = "use of key for crypto failed"; 488 EVP_PKEY_free(evp_key); 489 return sec_status_bogus; 490 } 491 /* if it is a DSA signature in bind format, convert to DER format */ 492 if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) && 493 sigblock_len == 1+2*SHA_DIGEST_LENGTH) { 494 if(!setup_dsa_sig(&sigblock, &sigblock_len)) { 495 verbose(VERB_QUERY, "verify: failed to setup DSA sig"); 496 *reason = "use of key for DSA crypto failed"; 497 EVP_PKEY_free(evp_key); 498 return sec_status_bogus; 499 } 500 dofree = 1; 501 } 502 #ifdef USE_ECDSA 503 else if(algo == LDNS_ECDSAP256SHA256 || algo == LDNS_ECDSAP384SHA384) { 504 /* EVP uses ASN prefix on sig, which is not in the wire data */ 505 if(!setup_ecdsa_sig(&sigblock, &sigblock_len)) { 506 verbose(VERB_QUERY, "verify: failed to setup ECDSA sig"); 507 *reason = "use of signature for ECDSA crypto failed"; 508 EVP_PKEY_free(evp_key); 509 return sec_status_bogus; 510 } 511 dofree = 1; 512 } 513 #endif /* USE_ECDSA */ 514 515 /* do the signature cryptography work */ 516 EVP_MD_CTX_init(&ctx); 517 if(EVP_VerifyInit(&ctx, digest_type) == 0) { 518 verbose(VERB_QUERY, "verify: EVP_VerifyInit failed"); 519 EVP_PKEY_free(evp_key); 520 if(dofree) free(sigblock); 521 return sec_status_unchecked; 522 } 523 if(EVP_VerifyUpdate(&ctx, (unsigned char*)sldns_buffer_begin(buf), 524 (unsigned int)sldns_buffer_limit(buf)) == 0) { 525 verbose(VERB_QUERY, "verify: EVP_VerifyUpdate failed"); 526 EVP_PKEY_free(evp_key); 527 if(dofree) free(sigblock); 528 return sec_status_unchecked; 529 } 530 531 res = EVP_VerifyFinal(&ctx, sigblock, sigblock_len, evp_key); 532 if(EVP_MD_CTX_cleanup(&ctx) == 0) { 533 verbose(VERB_QUERY, "verify: EVP_MD_CTX_cleanup failed"); 534 EVP_PKEY_free(evp_key); 535 if(dofree) free(sigblock); 536 return sec_status_unchecked; 537 } 538 EVP_PKEY_free(evp_key); 539 540 if(dofree) 541 free(sigblock); 542 543 if(res == 1) { 544 return sec_status_secure; 545 } else if(res == 0) { 546 verbose(VERB_QUERY, "verify: signature mismatch"); 547 *reason = "signature crypto failed"; 548 return sec_status_bogus; 549 } 550 551 log_crypto_error("verify:", ERR_get_error()); 552 return sec_status_unchecked; 553 } 554 555 /**************************************************/ 556 #elif defined(HAVE_NSS) 557 /* libnss implementation */ 558 /* nss3 */ 559 #include "sechash.h" 560 #include "pk11pub.h" 561 #include "keyhi.h" 562 #include "secerr.h" 563 #include "cryptohi.h" 564 /* nspr4 */ 565 #include "prerror.h" 566 567 size_t 568 ds_digest_size_supported(int algo) 569 { 570 /* uses libNSS */ 571 switch(algo) { 572 case LDNS_SHA1: 573 return SHA1_LENGTH; 574 #ifdef USE_SHA2 575 case LDNS_SHA256: 576 return SHA256_LENGTH; 577 #endif 578 #ifdef USE_ECDSA 579 case LDNS_SHA384: 580 return SHA384_LENGTH; 581 #endif 582 /* GOST not supported in NSS */ 583 case LDNS_HASH_GOST: 584 default: break; 585 } 586 return 0; 587 } 588 589 int 590 secalgo_ds_digest(int algo, unsigned char* buf, size_t len, 591 unsigned char* res) 592 { 593 /* uses libNSS */ 594 switch(algo) { 595 case LDNS_SHA1: 596 return HASH_HashBuf(HASH_AlgSHA1, res, buf, len) 597 == SECSuccess; 598 #if defined(USE_SHA2) 599 case LDNS_SHA256: 600 return HASH_HashBuf(HASH_AlgSHA256, res, buf, len) 601 == SECSuccess; 602 #endif 603 #ifdef USE_ECDSA 604 case LDNS_SHA384: 605 return HASH_HashBuf(HASH_AlgSHA384, res, buf, len) 606 == SECSuccess; 607 #endif 608 case LDNS_HASH_GOST: 609 default: 610 verbose(VERB_QUERY, "unknown DS digest algorithm %d", 611 algo); 612 break; 613 } 614 return 0; 615 } 616 617 int 618 dnskey_algo_id_is_supported(int id) 619 { 620 /* uses libNSS */ 621 switch(id) { 622 case LDNS_RSAMD5: 623 /* RFC 6725 deprecates RSAMD5 */ 624 return 0; 625 case LDNS_DSA: 626 case LDNS_DSA_NSEC3: 627 case LDNS_RSASHA1: 628 case LDNS_RSASHA1_NSEC3: 629 #ifdef USE_SHA2 630 case LDNS_RSASHA256: 631 #endif 632 #ifdef USE_SHA2 633 case LDNS_RSASHA512: 634 #endif 635 return 1; 636 #ifdef USE_ECDSA 637 case LDNS_ECDSAP256SHA256: 638 case LDNS_ECDSAP384SHA384: 639 return PK11_TokenExists(CKM_ECDSA); 640 #endif 641 case LDNS_ECC_GOST: 642 default: 643 return 0; 644 } 645 } 646 647 /* return a new public key for NSS */ 648 static SECKEYPublicKey* nss_key_create(KeyType ktype) 649 { 650 SECKEYPublicKey* key; 651 PLArenaPool* arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); 652 if(!arena) { 653 log_err("out of memory, PORT_NewArena failed"); 654 return NULL; 655 } 656 key = PORT_ArenaZNew(arena, SECKEYPublicKey); 657 if(!key) { 658 log_err("out of memory, PORT_ArenaZNew failed"); 659 PORT_FreeArena(arena, PR_FALSE); 660 return NULL; 661 } 662 key->arena = arena; 663 key->keyType = ktype; 664 key->pkcs11Slot = NULL; 665 key->pkcs11ID = CK_INVALID_HANDLE; 666 return key; 667 } 668 669 static SECKEYPublicKey* nss_buf2ecdsa(unsigned char* key, size_t len, int algo) 670 { 671 SECKEYPublicKey* pk; 672 SECItem pub = {siBuffer, NULL, 0}; 673 SECItem params = {siBuffer, NULL, 0}; 674 static unsigned char param256[] = { 675 /* OBJECTIDENTIFIER 1.2.840.10045.3.1.7 (P-256) 676 * {iso(1) member-body(2) us(840) ansi-x962(10045) curves(3) prime(1) prime256v1(7)} */ 677 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07 678 }; 679 static unsigned char param384[] = { 680 /* OBJECTIDENTIFIER 1.3.132.0.34 (P-384) 681 * {iso(1) identified-organization(3) certicom(132) curve(0) ansip384r1(34)} */ 682 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22 683 }; 684 unsigned char buf[256+2]; /* sufficient for 2*384/8+1 */ 685 686 /* check length, which uncompressed must be 2 bignums */ 687 if(algo == LDNS_ECDSAP256SHA256) { 688 if(len != 2*256/8) return NULL; 689 /* ECCurve_X9_62_PRIME_256V1 */ 690 } else if(algo == LDNS_ECDSAP384SHA384) { 691 if(len != 2*384/8) return NULL; 692 /* ECCurve_X9_62_PRIME_384R1 */ 693 } else return NULL; 694 695 buf[0] = 0x04; /* POINT_FORM_UNCOMPRESSED */ 696 memmove(buf+1, key, len); 697 pub.data = buf; 698 pub.len = len+1; 699 if(algo == LDNS_ECDSAP256SHA256) { 700 params.data = param256; 701 params.len = sizeof(param256); 702 } else { 703 params.data = param384; 704 params.len = sizeof(param384); 705 } 706 707 pk = nss_key_create(ecKey); 708 if(!pk) 709 return NULL; 710 pk->u.ec.size = (len/2)*8; 711 if(SECITEM_CopyItem(pk->arena, &pk->u.ec.publicValue, &pub)) { 712 SECKEY_DestroyPublicKey(pk); 713 return NULL; 714 } 715 if(SECITEM_CopyItem(pk->arena, &pk->u.ec.DEREncodedParams, ¶ms)) { 716 SECKEY_DestroyPublicKey(pk); 717 return NULL; 718 } 719 720 return pk; 721 } 722 723 static SECKEYPublicKey* nss_buf2dsa(unsigned char* key, size_t len) 724 { 725 SECKEYPublicKey* pk; 726 uint8_t T; 727 uint16_t length; 728 uint16_t offset; 729 SECItem Q = {siBuffer, NULL, 0}; 730 SECItem P = {siBuffer, NULL, 0}; 731 SECItem G = {siBuffer, NULL, 0}; 732 SECItem Y = {siBuffer, NULL, 0}; 733 734 if(len == 0) 735 return NULL; 736 T = (uint8_t)key[0]; 737 length = (64 + T * 8); 738 offset = 1; 739 740 if (T > 8) { 741 return NULL; 742 } 743 if(len < (size_t)1 + SHA1_LENGTH + 3*length) 744 return NULL; 745 746 Q.data = key+offset; 747 Q.len = SHA1_LENGTH; 748 offset += SHA1_LENGTH; 749 750 P.data = key+offset; 751 P.len = length; 752 offset += length; 753 754 G.data = key+offset; 755 G.len = length; 756 offset += length; 757 758 Y.data = key+offset; 759 Y.len = length; 760 offset += length; 761 762 pk = nss_key_create(dsaKey); 763 if(!pk) 764 return NULL; 765 if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.prime, &P)) { 766 SECKEY_DestroyPublicKey(pk); 767 return NULL; 768 } 769 if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.subPrime, &Q)) { 770 SECKEY_DestroyPublicKey(pk); 771 return NULL; 772 } 773 if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.base, &G)) { 774 SECKEY_DestroyPublicKey(pk); 775 return NULL; 776 } 777 if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.publicValue, &Y)) { 778 SECKEY_DestroyPublicKey(pk); 779 return NULL; 780 } 781 return pk; 782 } 783 784 static SECKEYPublicKey* nss_buf2rsa(unsigned char* key, size_t len) 785 { 786 SECKEYPublicKey* pk; 787 uint16_t exp; 788 uint16_t offset; 789 uint16_t int16; 790 SECItem modulus = {siBuffer, NULL, 0}; 791 SECItem exponent = {siBuffer, NULL, 0}; 792 if(len == 0) 793 return NULL; 794 if(key[0] == 0) { 795 if(len < 3) 796 return NULL; 797 /* the exponent is too large so it's places further */ 798 memmove(&int16, key+1, 2); 799 exp = ntohs(int16); 800 offset = 3; 801 } else { 802 exp = key[0]; 803 offset = 1; 804 } 805 806 /* key length at least one */ 807 if(len < (size_t)offset + exp + 1) 808 return NULL; 809 810 exponent.data = key+offset; 811 exponent.len = exp; 812 offset += exp; 813 modulus.data = key+offset; 814 modulus.len = (len - offset); 815 816 pk = nss_key_create(rsaKey); 817 if(!pk) 818 return NULL; 819 if(SECITEM_CopyItem(pk->arena, &pk->u.rsa.modulus, &modulus)) { 820 SECKEY_DestroyPublicKey(pk); 821 return NULL; 822 } 823 if(SECITEM_CopyItem(pk->arena, &pk->u.rsa.publicExponent, &exponent)) { 824 SECKEY_DestroyPublicKey(pk); 825 return NULL; 826 } 827 return pk; 828 } 829 830 /** 831 * Setup key and digest for verification. Adjust sig if necessary. 832 * 833 * @param algo: key algorithm 834 * @param evp_key: EVP PKEY public key to create. 835 * @param digest_type: digest type to use 836 * @param key: key to setup for. 837 * @param keylen: length of key. 838 * @param prefix: if returned, the ASN prefix for the hashblob. 839 * @param prefixlen: length of the prefix. 840 * @return false on failure. 841 */ 842 static int 843 nss_setup_key_digest(int algo, SECKEYPublicKey** pubkey, HASH_HashType* htype, 844 unsigned char* key, size_t keylen, unsigned char** prefix, 845 size_t* prefixlen) 846 { 847 /* uses libNSS */ 848 849 /* hash prefix for md5, RFC2537 */ 850 static unsigned char p_md5[] = {0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a, 851 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 0x04, 0x10}; 852 /* hash prefix to prepend to hash output, from RFC3110 */ 853 static unsigned char p_sha1[] = {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B, 854 0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14}; 855 /* from RFC5702 */ 856 static unsigned char p_sha256[] = {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 857 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20}; 858 static unsigned char p_sha512[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 859 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40}; 860 /* from RFC6234 */ 861 /* for future RSASHA384 .. 862 static unsigned char p_sha384[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 863 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30}; 864 */ 865 866 switch(algo) { 867 case LDNS_DSA: 868 case LDNS_DSA_NSEC3: 869 *pubkey = nss_buf2dsa(key, keylen); 870 if(!*pubkey) { 871 log_err("verify: malloc failure in crypto"); 872 return 0; 873 } 874 *htype = HASH_AlgSHA1; 875 /* no prefix for DSA verification */ 876 break; 877 case LDNS_RSASHA1: 878 case LDNS_RSASHA1_NSEC3: 879 #ifdef USE_SHA2 880 case LDNS_RSASHA256: 881 #endif 882 #ifdef USE_SHA2 883 case LDNS_RSASHA512: 884 #endif 885 *pubkey = nss_buf2rsa(key, keylen); 886 if(!*pubkey) { 887 log_err("verify: malloc failure in crypto"); 888 return 0; 889 } 890 /* select SHA version */ 891 #ifdef USE_SHA2 892 if(algo == LDNS_RSASHA256) { 893 *htype = HASH_AlgSHA256; 894 *prefix = p_sha256; 895 *prefixlen = sizeof(p_sha256); 896 } else 897 #endif 898 #ifdef USE_SHA2 899 if(algo == LDNS_RSASHA512) { 900 *htype = HASH_AlgSHA512; 901 *prefix = p_sha512; 902 *prefixlen = sizeof(p_sha512); 903 } else 904 #endif 905 { 906 *htype = HASH_AlgSHA1; 907 *prefix = p_sha1; 908 *prefixlen = sizeof(p_sha1); 909 } 910 911 break; 912 case LDNS_RSAMD5: 913 *pubkey = nss_buf2rsa(key, keylen); 914 if(!*pubkey) { 915 log_err("verify: malloc failure in crypto"); 916 return 0; 917 } 918 *htype = HASH_AlgMD5; 919 *prefix = p_md5; 920 *prefixlen = sizeof(p_md5); 921 922 break; 923 #ifdef USE_ECDSA 924 case LDNS_ECDSAP256SHA256: 925 *pubkey = nss_buf2ecdsa(key, keylen, 926 LDNS_ECDSAP256SHA256); 927 if(!*pubkey) { 928 log_err("verify: malloc failure in crypto"); 929 return 0; 930 } 931 *htype = HASH_AlgSHA256; 932 /* no prefix for DSA verification */ 933 break; 934 case LDNS_ECDSAP384SHA384: 935 *pubkey = nss_buf2ecdsa(key, keylen, 936 LDNS_ECDSAP384SHA384); 937 if(!*pubkey) { 938 log_err("verify: malloc failure in crypto"); 939 return 0; 940 } 941 *htype = HASH_AlgSHA384; 942 /* no prefix for DSA verification */ 943 break; 944 #endif /* USE_ECDSA */ 945 case LDNS_ECC_GOST: 946 default: 947 verbose(VERB_QUERY, "verify: unknown algorithm %d", 948 algo); 949 return 0; 950 } 951 return 1; 952 } 953 954 /** 955 * Check a canonical sig+rrset and signature against a dnskey 956 * @param buf: buffer with data to verify, the first rrsig part and the 957 * canonicalized rrset. 958 * @param algo: DNSKEY algorithm. 959 * @param sigblock: signature rdata field from RRSIG 960 * @param sigblock_len: length of sigblock data. 961 * @param key: public key data from DNSKEY RR. 962 * @param keylen: length of keydata. 963 * @param reason: bogus reason in more detail. 964 * @return secure if verification succeeded, bogus on crypto failure, 965 * unchecked on format errors and alloc failures. 966 */ 967 enum sec_status 968 verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock, 969 unsigned int sigblock_len, unsigned char* key, unsigned int keylen, 970 char** reason) 971 { 972 /* uses libNSS */ 973 /* large enough for the different hashes */ 974 unsigned char hash[HASH_LENGTH_MAX]; 975 unsigned char hash2[HASH_LENGTH_MAX*2]; 976 HASH_HashType htype = 0; 977 SECKEYPublicKey* pubkey = NULL; 978 SECItem secsig = {siBuffer, sigblock, sigblock_len}; 979 SECItem sechash = {siBuffer, hash, 0}; 980 SECStatus res; 981 unsigned char* prefix = NULL; /* prefix for hash, RFC3110, RFC5702 */ 982 size_t prefixlen = 0; 983 int err; 984 985 if(!nss_setup_key_digest(algo, &pubkey, &htype, key, keylen, 986 &prefix, &prefixlen)) { 987 verbose(VERB_QUERY, "verify: failed to setup key"); 988 *reason = "use of key for crypto failed"; 989 SECKEY_DestroyPublicKey(pubkey); 990 return sec_status_bogus; 991 } 992 993 /* need to convert DSA, ECDSA signatures? */ 994 if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3)) { 995 if(sigblock_len == 1+2*SHA1_LENGTH) { 996 secsig.data ++; 997 secsig.len --; 998 } else { 999 SECItem* p = DSAU_DecodeDerSig(&secsig); 1000 if(!p) { 1001 verbose(VERB_QUERY, "verify: failed DER decode"); 1002 *reason = "signature DER decode failed"; 1003 SECKEY_DestroyPublicKey(pubkey); 1004 return sec_status_bogus; 1005 } 1006 if(SECITEM_CopyItem(pubkey->arena, &secsig, p)) { 1007 log_err("alloc failure in DER decode"); 1008 SECKEY_DestroyPublicKey(pubkey); 1009 SECITEM_FreeItem(p, PR_TRUE); 1010 return sec_status_unchecked; 1011 } 1012 SECITEM_FreeItem(p, PR_TRUE); 1013 } 1014 } 1015 1016 /* do the signature cryptography work */ 1017 /* hash the data */ 1018 sechash.len = HASH_ResultLen(htype); 1019 if(sechash.len > sizeof(hash)) { 1020 verbose(VERB_QUERY, "verify: hash too large for buffer"); 1021 SECKEY_DestroyPublicKey(pubkey); 1022 return sec_status_unchecked; 1023 } 1024 if(HASH_HashBuf(htype, hash, (unsigned char*)sldns_buffer_begin(buf), 1025 (unsigned int)sldns_buffer_limit(buf)) != SECSuccess) { 1026 verbose(VERB_QUERY, "verify: HASH_HashBuf failed"); 1027 SECKEY_DestroyPublicKey(pubkey); 1028 return sec_status_unchecked; 1029 } 1030 if(prefix) { 1031 int hashlen = sechash.len; 1032 if(prefixlen+hashlen > sizeof(hash2)) { 1033 verbose(VERB_QUERY, "verify: hashprefix too large"); 1034 SECKEY_DestroyPublicKey(pubkey); 1035 return sec_status_unchecked; 1036 } 1037 sechash.data = hash2; 1038 sechash.len = prefixlen+hashlen; 1039 memcpy(sechash.data, prefix, prefixlen); 1040 memmove(sechash.data+prefixlen, hash, hashlen); 1041 } 1042 1043 /* verify the signature */ 1044 res = PK11_Verify(pubkey, &secsig, &sechash, NULL /*wincx*/); 1045 SECKEY_DestroyPublicKey(pubkey); 1046 1047 if(res == SECSuccess) { 1048 return sec_status_secure; 1049 } 1050 err = PORT_GetError(); 1051 if(err != SEC_ERROR_BAD_SIGNATURE) { 1052 /* failed to verify */ 1053 verbose(VERB_QUERY, "verify: PK11_Verify failed: %s", 1054 PORT_ErrorToString(err)); 1055 /* if it is not supported, like ECC is removed, we get, 1056 * SEC_ERROR_NO_MODULE */ 1057 if(err == SEC_ERROR_NO_MODULE) 1058 return sec_status_unchecked; 1059 /* but other errors are commonly returned 1060 * for a bad signature from NSS. Thus we return bogus, 1061 * not unchecked */ 1062 *reason = "signature crypto failed"; 1063 return sec_status_bogus; 1064 } 1065 verbose(VERB_QUERY, "verify: signature mismatch: %s", 1066 PORT_ErrorToString(err)); 1067 *reason = "signature crypto failed"; 1068 return sec_status_bogus; 1069 } 1070 1071 1072 #endif /* HAVE_SSL or HAVE_NSS */ 1073