1 /* 2 * validator/val_secalgo.c - validator security algorithm functions. 3 * 4 * Copyright (c) 2012, NLnet Labs. All rights reserved. 5 * 6 * This software is open source. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * Redistributions of source code must retain the above copyright notice, 13 * this list of conditions and the following disclaimer. 14 * 15 * Redistributions in binary form must reproduce the above copyright notice, 16 * this list of conditions and the following disclaimer in the documentation 17 * and/or other materials provided with the distribution. 18 * 19 * Neither the name of the NLNET LABS nor the names of its contributors may 20 * be used to endorse or promote products derived from this software without 21 * specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36 /** 37 * \file 38 * 39 * This file contains helper functions for the validator module. 40 * These functions take raw data buffers, formatted for crypto verification, 41 * and do the library calls (for the crypto library in use). 42 */ 43 #include "config.h" 44 /* packed_rrset on top to define enum types (forced by c99 standard) */ 45 #include "util/data/packed_rrset.h" 46 #include "validator/val_secalgo.h" 47 #include "validator/val_nsec3.h" 48 #include "util/log.h" 49 #include "sldns/rrdef.h" 50 #include "sldns/keyraw.h" 51 #include "sldns/sbuffer.h" 52 53 #if !defined(HAVE_SSL) && !defined(HAVE_NSS) && !defined(HAVE_NETTLE) 54 #error "Need crypto library to do digital signature cryptography" 55 #endif 56 57 /** fake DSA support for unit tests */ 58 int fake_dsa = 0; 59 /** fake SHA1 support for unit tests */ 60 int fake_sha1 = 0; 61 62 /* OpenSSL implementation */ 63 #ifdef HAVE_SSL 64 #ifdef HAVE_OPENSSL_ERR_H 65 #include <openssl/err.h> 66 #endif 67 68 #ifdef HAVE_OPENSSL_RAND_H 69 #include <openssl/rand.h> 70 #endif 71 72 #ifdef HAVE_OPENSSL_CONF_H 73 #include <openssl/conf.h> 74 #endif 75 76 #ifdef HAVE_OPENSSL_ENGINE_H 77 #include <openssl/engine.h> 78 #endif 79 80 #if defined(HAVE_OPENSSL_DSA_H) && defined(USE_DSA) 81 #include <openssl/dsa.h> 82 #endif 83 84 /** 85 * Output a libcrypto openssl error to the logfile. 86 * @param str: string to add to it. 87 * @param e: the error to output, error number from ERR_get_error(). 88 */ 89 static void 90 log_crypto_error(const char* str, unsigned long e) 91 { 92 char buf[128]; 93 /* or use ERR_error_string if ERR_error_string_n is not avail TODO */ 94 ERR_error_string_n(e, buf, sizeof(buf)); 95 /* buf now contains */ 96 /* error:[error code]:[library name]:[function name]:[reason string] */ 97 log_err("%s crypto %s", str, buf); 98 } 99 100 /* return size of digest if supported, or 0 otherwise */ 101 size_t 102 nsec3_hash_algo_size_supported(int id) 103 { 104 switch(id) { 105 case NSEC3_HASH_SHA1: 106 return SHA_DIGEST_LENGTH; 107 default: 108 return 0; 109 } 110 } 111 112 /* perform nsec3 hash. return false on failure */ 113 int 114 secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len, 115 unsigned char* res) 116 { 117 switch(algo) { 118 case NSEC3_HASH_SHA1: 119 #ifdef OPENSSL_FIPS 120 if(!sldns_digest_evp(buf, len, res, EVP_sha1())) 121 log_crypto_error("could not digest with EVP_sha1", 122 ERR_get_error()); 123 #else 124 (void)SHA1(buf, len, res); 125 #endif 126 return 1; 127 default: 128 return 0; 129 } 130 } 131 132 void 133 secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res) 134 { 135 #ifdef OPENSSL_FIPS 136 if(!sldns_digest_evp(buf, len, res, EVP_sha256())) 137 log_crypto_error("could not digest with EVP_sha256", 138 ERR_get_error()); 139 #else 140 (void)SHA256(buf, len, res); 141 #endif 142 } 143 144 /** hash structure for keeping track of running hashes */ 145 struct secalgo_hash { 146 /** the openssl message digest context */ 147 EVP_MD_CTX* ctx; 148 }; 149 150 /** create secalgo hash with hash type */ 151 static struct secalgo_hash* secalgo_hash_create_md(const EVP_MD* md) 152 { 153 struct secalgo_hash* h; 154 if(!md) 155 return NULL; 156 h = calloc(1, sizeof(*h)); 157 if(!h) 158 return NULL; 159 h->ctx = EVP_MD_CTX_create(); 160 if(!h->ctx) { 161 free(h); 162 return NULL; 163 } 164 if(!EVP_DigestInit_ex(h->ctx, md, NULL)) { 165 EVP_MD_CTX_destroy(h->ctx); 166 free(h); 167 return NULL; 168 } 169 return h; 170 } 171 172 struct secalgo_hash* secalgo_hash_create_sha384(void) 173 { 174 return secalgo_hash_create_md(EVP_sha384()); 175 } 176 177 struct secalgo_hash* secalgo_hash_create_sha512(void) 178 { 179 return secalgo_hash_create_md(EVP_sha512()); 180 } 181 182 int secalgo_hash_update(struct secalgo_hash* hash, uint8_t* data, size_t len) 183 { 184 return EVP_DigestUpdate(hash->ctx, (unsigned char*)data, 185 (unsigned int)len); 186 } 187 188 int secalgo_hash_final(struct secalgo_hash* hash, uint8_t* result, 189 size_t maxlen, size_t* resultlen) 190 { 191 if(EVP_MD_CTX_size(hash->ctx) > (int)maxlen) { 192 *resultlen = 0; 193 log_err("secalgo_hash_final: hash buffer too small"); 194 return 0; 195 } 196 *resultlen = EVP_MD_CTX_size(hash->ctx); 197 return EVP_DigestFinal_ex(hash->ctx, result, NULL); 198 } 199 200 void secalgo_hash_delete(struct secalgo_hash* hash) 201 { 202 if(!hash) return; 203 EVP_MD_CTX_destroy(hash->ctx); 204 free(hash); 205 } 206 207 /** 208 * Return size of DS digest according to its hash algorithm. 209 * @param algo: DS digest algo. 210 * @return size in bytes of digest, or 0 if not supported. 211 */ 212 size_t 213 ds_digest_size_supported(int algo) 214 { 215 switch(algo) { 216 case LDNS_SHA1: 217 #if defined(HAVE_EVP_SHA1) && defined(USE_SHA1) 218 return SHA_DIGEST_LENGTH; 219 #else 220 if(fake_sha1) return 20; 221 return 0; 222 #endif 223 #ifdef HAVE_EVP_SHA256 224 case LDNS_SHA256: 225 return SHA256_DIGEST_LENGTH; 226 #endif 227 #ifdef USE_GOST 228 case LDNS_HASH_GOST: 229 /* we support GOST if it can be loaded */ 230 (void)sldns_key_EVP_load_gost_id(); 231 if(EVP_get_digestbyname("md_gost94")) 232 return 32; 233 else return 0; 234 #endif 235 #ifdef USE_ECDSA 236 case LDNS_SHA384: 237 return SHA384_DIGEST_LENGTH; 238 #endif 239 default: break; 240 } 241 return 0; 242 } 243 244 #ifdef USE_GOST 245 /** Perform GOST hash */ 246 static int 247 do_gost94(unsigned char* data, size_t len, unsigned char* dest) 248 { 249 const EVP_MD* md = EVP_get_digestbyname("md_gost94"); 250 if(!md) 251 return 0; 252 return sldns_digest_evp(data, (unsigned int)len, dest, md); 253 } 254 #endif 255 256 int 257 secalgo_ds_digest(int algo, unsigned char* buf, size_t len, 258 unsigned char* res) 259 { 260 switch(algo) { 261 #if defined(HAVE_EVP_SHA1) && defined(USE_SHA1) 262 case LDNS_SHA1: 263 #ifdef OPENSSL_FIPS 264 if(!sldns_digest_evp(buf, len, res, EVP_sha1())) 265 log_crypto_error("could not digest with EVP_sha1", 266 ERR_get_error()); 267 #else 268 (void)SHA1(buf, len, res); 269 #endif 270 return 1; 271 #endif 272 #ifdef HAVE_EVP_SHA256 273 case LDNS_SHA256: 274 #ifdef OPENSSL_FIPS 275 if(!sldns_digest_evp(buf, len, res, EVP_sha256())) 276 log_crypto_error("could not digest with EVP_sha256", 277 ERR_get_error()); 278 #else 279 (void)SHA256(buf, len, res); 280 #endif 281 return 1; 282 #endif 283 #ifdef USE_GOST 284 case LDNS_HASH_GOST: 285 if(do_gost94(buf, len, res)) 286 return 1; 287 break; 288 #endif 289 #ifdef USE_ECDSA 290 case LDNS_SHA384: 291 #ifdef OPENSSL_FIPS 292 if(!sldns_digest_evp(buf, len, res, EVP_sha384())) 293 log_crypto_error("could not digest with EVP_sha384", 294 ERR_get_error()); 295 #else 296 (void)SHA384(buf, len, res); 297 #endif 298 return 1; 299 #endif 300 default: 301 verbose(VERB_QUERY, "unknown DS digest algorithm %d", 302 algo); 303 break; 304 } 305 return 0; 306 } 307 308 /** return true if DNSKEY algorithm id is supported */ 309 int 310 dnskey_algo_id_is_supported(int id) 311 { 312 switch(id) { 313 case LDNS_RSAMD5: 314 /* RFC 6725 deprecates RSAMD5 */ 315 return 0; 316 case LDNS_DSA: 317 case LDNS_DSA_NSEC3: 318 #if defined(USE_DSA) && defined(USE_SHA1) 319 return 1; 320 #else 321 if(fake_dsa || fake_sha1) return 1; 322 return 0; 323 #endif 324 325 case LDNS_RSASHA1: 326 case LDNS_RSASHA1_NSEC3: 327 #ifdef USE_SHA1 328 return 1; 329 #else 330 if(fake_sha1) return 1; 331 return 0; 332 #endif 333 334 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2) 335 case LDNS_RSASHA256: 336 #endif 337 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2) 338 case LDNS_RSASHA512: 339 #endif 340 #ifdef USE_ECDSA 341 case LDNS_ECDSAP256SHA256: 342 case LDNS_ECDSAP384SHA384: 343 #endif 344 #ifdef USE_ED25519 345 case LDNS_ED25519: 346 #endif 347 #ifdef USE_ED448 348 case LDNS_ED448: 349 #endif 350 #if (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2)) || defined(USE_ECDSA) || defined(USE_ED25519) || defined(USE_ED448) 351 return 1; 352 #endif 353 354 #ifdef USE_GOST 355 case LDNS_ECC_GOST: 356 /* we support GOST if it can be loaded */ 357 return sldns_key_EVP_load_gost_id(); 358 #endif 359 default: 360 return 0; 361 } 362 } 363 364 #ifdef USE_DSA 365 /** 366 * Setup DSA key digest in DER encoding ... 367 * @param sig: input is signature output alloced ptr (unless failure). 368 * caller must free alloced ptr if this routine returns true. 369 * @param len: input is initial siglen, output is output len. 370 * @return false on failure. 371 */ 372 static int 373 setup_dsa_sig(unsigned char** sig, unsigned int* len) 374 { 375 unsigned char* orig = *sig; 376 unsigned int origlen = *len; 377 int newlen; 378 BIGNUM *R, *S; 379 DSA_SIG *dsasig; 380 381 /* extract the R and S field from the sig buffer */ 382 if(origlen < 1 + 2*SHA_DIGEST_LENGTH) 383 return 0; 384 R = BN_new(); 385 if(!R) return 0; 386 (void) BN_bin2bn(orig + 1, SHA_DIGEST_LENGTH, R); 387 S = BN_new(); 388 if(!S) return 0; 389 (void) BN_bin2bn(orig + 21, SHA_DIGEST_LENGTH, S); 390 dsasig = DSA_SIG_new(); 391 if(!dsasig) return 0; 392 393 #ifdef HAVE_DSA_SIG_SET0 394 if(!DSA_SIG_set0(dsasig, R, S)) return 0; 395 #else 396 # ifndef S_SPLINT_S 397 dsasig->r = R; 398 dsasig->s = S; 399 # endif /* S_SPLINT_S */ 400 #endif 401 *sig = NULL; 402 newlen = i2d_DSA_SIG(dsasig, sig); 403 if(newlen < 0) { 404 DSA_SIG_free(dsasig); 405 free(*sig); 406 return 0; 407 } 408 *len = (unsigned int)newlen; 409 DSA_SIG_free(dsasig); 410 return 1; 411 } 412 #endif /* USE_DSA */ 413 414 #ifdef USE_ECDSA 415 /** 416 * Setup the ECDSA signature in its encoding that the library wants. 417 * Converts from plain numbers to ASN formatted. 418 * @param sig: input is signature, output alloced ptr (unless failure). 419 * caller must free alloced ptr if this routine returns true. 420 * @param len: input is initial siglen, output is output len. 421 * @return false on failure. 422 */ 423 static int 424 setup_ecdsa_sig(unsigned char** sig, unsigned int* len) 425 { 426 /* convert from two BIGNUMs in the rdata buffer, to ASN notation. 427 * ASN preamble: 30440220 <R 32bytefor256> 0220 <S 32bytefor256> 428 * the '20' is the length of that field (=bnsize). 429 i * the '44' is the total remaining length. 430 * if negative, start with leading zero. 431 * if starts with 00s, remove them from the number. 432 */ 433 uint8_t pre[] = {0x30, 0x44, 0x02, 0x20}; 434 int pre_len = 4; 435 uint8_t mid[] = {0x02, 0x20}; 436 int mid_len = 2; 437 int raw_sig_len, r_high, s_high, r_rem=0, s_rem=0; 438 int bnsize = (int)((*len)/2); 439 unsigned char* d = *sig; 440 uint8_t* p; 441 /* if too short or not even length, fails */ 442 if(*len < 16 || bnsize*2 != (int)*len) 443 return 0; 444 445 /* strip leading zeroes from r (but not last one) */ 446 while(r_rem < bnsize-1 && d[r_rem] == 0) 447 r_rem++; 448 /* strip leading zeroes from s (but not last one) */ 449 while(s_rem < bnsize-1 && d[bnsize+s_rem] == 0) 450 s_rem++; 451 452 r_high = ((d[0+r_rem]&0x80)?1:0); 453 s_high = ((d[bnsize+s_rem]&0x80)?1:0); 454 raw_sig_len = pre_len + r_high + bnsize - r_rem + mid_len + 455 s_high + bnsize - s_rem; 456 *sig = (unsigned char*)malloc((size_t)raw_sig_len); 457 if(!*sig) 458 return 0; 459 p = (uint8_t*)*sig; 460 p[0] = pre[0]; 461 p[1] = (uint8_t)(raw_sig_len-2); 462 p[2] = pre[2]; 463 p[3] = (uint8_t)(bnsize + r_high - r_rem); 464 p += 4; 465 if(r_high) { 466 *p = 0; 467 p += 1; 468 } 469 memmove(p, d+r_rem, (size_t)bnsize-r_rem); 470 p += bnsize-r_rem; 471 memmove(p, mid, (size_t)mid_len-1); 472 p += mid_len-1; 473 *p = (uint8_t)(bnsize + s_high - s_rem); 474 p += 1; 475 if(s_high) { 476 *p = 0; 477 p += 1; 478 } 479 memmove(p, d+bnsize+s_rem, (size_t)bnsize-s_rem); 480 *len = (unsigned int)raw_sig_len; 481 return 1; 482 } 483 #endif /* USE_ECDSA */ 484 485 #ifdef USE_ECDSA_EVP_WORKAROUND 486 static EVP_MD ecdsa_evp_256_md; 487 static EVP_MD ecdsa_evp_384_md; 488 void ecdsa_evp_workaround_init(void) 489 { 490 /* openssl before 1.0.0 fixes RSA with the SHA256 491 * hash in EVP. We create one for ecdsa_sha256 */ 492 ecdsa_evp_256_md = *EVP_sha256(); 493 ecdsa_evp_256_md.required_pkey_type[0] = EVP_PKEY_EC; 494 ecdsa_evp_256_md.verify = (void*)ECDSA_verify; 495 496 ecdsa_evp_384_md = *EVP_sha384(); 497 ecdsa_evp_384_md.required_pkey_type[0] = EVP_PKEY_EC; 498 ecdsa_evp_384_md.verify = (void*)ECDSA_verify; 499 } 500 #endif /* USE_ECDSA_EVP_WORKAROUND */ 501 502 /** 503 * Setup key and digest for verification. Adjust sig if necessary. 504 * 505 * @param algo: key algorithm 506 * @param evp_key: EVP PKEY public key to create. 507 * @param digest_type: digest type to use 508 * @param key: key to setup for. 509 * @param keylen: length of key. 510 * @return false on failure. 511 */ 512 static int 513 setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type, 514 unsigned char* key, size_t keylen) 515 { 516 switch(algo) { 517 #if defined(USE_DSA) && defined(USE_SHA1) 518 case LDNS_DSA: 519 case LDNS_DSA_NSEC3: 520 *evp_key = sldns_key_dsa2pkey_raw(key, keylen); 521 if(!*evp_key) { 522 verbose(VERB_QUERY, "verify: sldns_key_dsa2pkey failed"); 523 return 0; 524 } 525 #ifdef HAVE_EVP_DSS1 526 *digest_type = EVP_dss1(); 527 #else 528 *digest_type = EVP_sha1(); 529 #endif 530 531 break; 532 #endif /* USE_DSA && USE_SHA1 */ 533 534 #if defined(USE_SHA1) || (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2)) 535 #ifdef USE_SHA1 536 case LDNS_RSASHA1: 537 case LDNS_RSASHA1_NSEC3: 538 #endif 539 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2) 540 case LDNS_RSASHA256: 541 #endif 542 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2) 543 case LDNS_RSASHA512: 544 #endif 545 *evp_key = sldns_key_rsa2pkey_raw(key, keylen); 546 if(!*evp_key) { 547 verbose(VERB_QUERY, "verify: sldns_key_rsa2pkey SHA failed"); 548 return 0; 549 } 550 551 /* select SHA version */ 552 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2) 553 if(algo == LDNS_RSASHA256) 554 *digest_type = EVP_sha256(); 555 else 556 #endif 557 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2) 558 if(algo == LDNS_RSASHA512) 559 *digest_type = EVP_sha512(); 560 else 561 #endif 562 #ifdef USE_SHA1 563 *digest_type = EVP_sha1(); 564 #else 565 { verbose(VERB_QUERY, "no digest available"); return 0; } 566 #endif 567 break; 568 #endif /* defined(USE_SHA1) || (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2)) */ 569 570 case LDNS_RSAMD5: 571 *evp_key = sldns_key_rsa2pkey_raw(key, keylen); 572 if(!*evp_key) { 573 verbose(VERB_QUERY, "verify: sldns_key_rsa2pkey MD5 failed"); 574 return 0; 575 } 576 *digest_type = EVP_md5(); 577 578 break; 579 #ifdef USE_GOST 580 case LDNS_ECC_GOST: 581 *evp_key = sldns_gost2pkey_raw(key, keylen); 582 if(!*evp_key) { 583 verbose(VERB_QUERY, "verify: " 584 "sldns_gost2pkey_raw failed"); 585 return 0; 586 } 587 *digest_type = EVP_get_digestbyname("md_gost94"); 588 if(!*digest_type) { 589 verbose(VERB_QUERY, "verify: " 590 "EVP_getdigest md_gost94 failed"); 591 return 0; 592 } 593 break; 594 #endif 595 #ifdef USE_ECDSA 596 case LDNS_ECDSAP256SHA256: 597 *evp_key = sldns_ecdsa2pkey_raw(key, keylen, 598 LDNS_ECDSAP256SHA256); 599 if(!*evp_key) { 600 verbose(VERB_QUERY, "verify: " 601 "sldns_ecdsa2pkey_raw failed"); 602 return 0; 603 } 604 #ifdef USE_ECDSA_EVP_WORKAROUND 605 *digest_type = &ecdsa_evp_256_md; 606 #else 607 *digest_type = EVP_sha256(); 608 #endif 609 break; 610 case LDNS_ECDSAP384SHA384: 611 *evp_key = sldns_ecdsa2pkey_raw(key, keylen, 612 LDNS_ECDSAP384SHA384); 613 if(!*evp_key) { 614 verbose(VERB_QUERY, "verify: " 615 "sldns_ecdsa2pkey_raw failed"); 616 return 0; 617 } 618 #ifdef USE_ECDSA_EVP_WORKAROUND 619 *digest_type = &ecdsa_evp_384_md; 620 #else 621 *digest_type = EVP_sha384(); 622 #endif 623 break; 624 #endif /* USE_ECDSA */ 625 #ifdef USE_ED25519 626 case LDNS_ED25519: 627 *evp_key = sldns_ed255192pkey_raw(key, keylen); 628 if(!*evp_key) { 629 verbose(VERB_QUERY, "verify: " 630 "sldns_ed255192pkey_raw failed"); 631 return 0; 632 } 633 *digest_type = NULL; 634 break; 635 #endif /* USE_ED25519 */ 636 #ifdef USE_ED448 637 case LDNS_ED448: 638 *evp_key = sldns_ed4482pkey_raw(key, keylen); 639 if(!*evp_key) { 640 verbose(VERB_QUERY, "verify: " 641 "sldns_ed4482pkey_raw failed"); 642 return 0; 643 } 644 *digest_type = NULL; 645 break; 646 #endif /* USE_ED448 */ 647 default: 648 verbose(VERB_QUERY, "verify: unknown algorithm %d", 649 algo); 650 return 0; 651 } 652 return 1; 653 } 654 655 /** 656 * Check a canonical sig+rrset and signature against a dnskey 657 * @param buf: buffer with data to verify, the first rrsig part and the 658 * canonicalized rrset. 659 * @param algo: DNSKEY algorithm. 660 * @param sigblock: signature rdata field from RRSIG 661 * @param sigblock_len: length of sigblock data. 662 * @param key: public key data from DNSKEY RR. 663 * @param keylen: length of keydata. 664 * @param reason: bogus reason in more detail. 665 * @return secure if verification succeeded, bogus on crypto failure, 666 * unchecked on format errors and alloc failures. 667 */ 668 enum sec_status 669 verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock, 670 unsigned int sigblock_len, unsigned char* key, unsigned int keylen, 671 char** reason) 672 { 673 const EVP_MD *digest_type; 674 EVP_MD_CTX* ctx; 675 int res, dofree = 0, docrypto_free = 0; 676 EVP_PKEY *evp_key = NULL; 677 678 #ifndef USE_DSA 679 if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) &&(fake_dsa||fake_sha1)) 680 return sec_status_secure; 681 #endif 682 #ifndef USE_SHA1 683 if(fake_sha1 && (algo == LDNS_DSA || algo == LDNS_DSA_NSEC3 || algo == LDNS_RSASHA1 || algo == LDNS_RSASHA1_NSEC3)) 684 return sec_status_secure; 685 #endif 686 687 if(!setup_key_digest(algo, &evp_key, &digest_type, key, keylen)) { 688 verbose(VERB_QUERY, "verify: failed to setup key"); 689 *reason = "use of key for crypto failed"; 690 EVP_PKEY_free(evp_key); 691 return sec_status_bogus; 692 } 693 #ifdef USE_DSA 694 /* if it is a DSA signature in bind format, convert to DER format */ 695 if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) && 696 sigblock_len == 1+2*SHA_DIGEST_LENGTH) { 697 if(!setup_dsa_sig(&sigblock, &sigblock_len)) { 698 verbose(VERB_QUERY, "verify: failed to setup DSA sig"); 699 *reason = "use of key for DSA crypto failed"; 700 EVP_PKEY_free(evp_key); 701 return sec_status_bogus; 702 } 703 docrypto_free = 1; 704 } 705 #endif 706 #if defined(USE_ECDSA) && defined(USE_DSA) 707 else 708 #endif 709 #ifdef USE_ECDSA 710 if(algo == LDNS_ECDSAP256SHA256 || algo == LDNS_ECDSAP384SHA384) { 711 /* EVP uses ASN prefix on sig, which is not in the wire data */ 712 if(!setup_ecdsa_sig(&sigblock, &sigblock_len)) { 713 verbose(VERB_QUERY, "verify: failed to setup ECDSA sig"); 714 *reason = "use of signature for ECDSA crypto failed"; 715 EVP_PKEY_free(evp_key); 716 return sec_status_bogus; 717 } 718 dofree = 1; 719 } 720 #endif /* USE_ECDSA */ 721 722 /* do the signature cryptography work */ 723 #ifdef HAVE_EVP_MD_CTX_NEW 724 ctx = EVP_MD_CTX_new(); 725 #else 726 ctx = (EVP_MD_CTX*)malloc(sizeof(*ctx)); 727 if(ctx) EVP_MD_CTX_init(ctx); 728 #endif 729 if(!ctx) { 730 log_err("EVP_MD_CTX_new: malloc failure"); 731 EVP_PKEY_free(evp_key); 732 if(dofree) free(sigblock); 733 else if(docrypto_free) OPENSSL_free(sigblock); 734 return sec_status_unchecked; 735 } 736 #ifndef HAVE_EVP_DIGESTVERIFY 737 if(EVP_DigestInit(ctx, digest_type) == 0) { 738 verbose(VERB_QUERY, "verify: EVP_DigestInit failed"); 739 #ifdef HAVE_EVP_MD_CTX_NEW 740 EVP_MD_CTX_destroy(ctx); 741 #else 742 EVP_MD_CTX_cleanup(ctx); 743 free(ctx); 744 #endif 745 EVP_PKEY_free(evp_key); 746 if(dofree) free(sigblock); 747 else if(docrypto_free) OPENSSL_free(sigblock); 748 return sec_status_unchecked; 749 } 750 if(EVP_DigestUpdate(ctx, (unsigned char*)sldns_buffer_begin(buf), 751 (unsigned int)sldns_buffer_limit(buf)) == 0) { 752 verbose(VERB_QUERY, "verify: EVP_DigestUpdate failed"); 753 #ifdef HAVE_EVP_MD_CTX_NEW 754 EVP_MD_CTX_destroy(ctx); 755 #else 756 EVP_MD_CTX_cleanup(ctx); 757 free(ctx); 758 #endif 759 EVP_PKEY_free(evp_key); 760 if(dofree) free(sigblock); 761 else if(docrypto_free) OPENSSL_free(sigblock); 762 return sec_status_unchecked; 763 } 764 765 res = EVP_VerifyFinal(ctx, sigblock, sigblock_len, evp_key); 766 #else /* HAVE_EVP_DIGESTVERIFY */ 767 if(EVP_DigestVerifyInit(ctx, NULL, digest_type, NULL, evp_key) == 0) { 768 verbose(VERB_QUERY, "verify: EVP_DigestVerifyInit failed"); 769 #ifdef HAVE_EVP_MD_CTX_NEW 770 EVP_MD_CTX_destroy(ctx); 771 #else 772 EVP_MD_CTX_cleanup(ctx); 773 free(ctx); 774 #endif 775 EVP_PKEY_free(evp_key); 776 if(dofree) free(sigblock); 777 else if(docrypto_free) OPENSSL_free(sigblock); 778 return sec_status_unchecked; 779 } 780 res = EVP_DigestVerify(ctx, sigblock, sigblock_len, 781 (unsigned char*)sldns_buffer_begin(buf), 782 sldns_buffer_limit(buf)); 783 #endif 784 #ifdef HAVE_EVP_MD_CTX_NEW 785 EVP_MD_CTX_destroy(ctx); 786 #else 787 EVP_MD_CTX_cleanup(ctx); 788 free(ctx); 789 #endif 790 EVP_PKEY_free(evp_key); 791 792 if(dofree) free(sigblock); 793 else if(docrypto_free) OPENSSL_free(sigblock); 794 795 if(res == 1) { 796 return sec_status_secure; 797 } else if(res == 0) { 798 verbose(VERB_QUERY, "verify: signature mismatch"); 799 *reason = "signature crypto failed"; 800 return sec_status_bogus; 801 } 802 803 log_crypto_error("verify:", ERR_get_error()); 804 return sec_status_unchecked; 805 } 806 807 /**************************************************/ 808 #elif defined(HAVE_NSS) 809 /* libnss implementation */ 810 /* nss3 */ 811 #include "sechash.h" 812 #include "pk11pub.h" 813 #include "keyhi.h" 814 #include "secerr.h" 815 #include "cryptohi.h" 816 /* nspr4 */ 817 #include "prerror.h" 818 819 /* return size of digest if supported, or 0 otherwise */ 820 size_t 821 nsec3_hash_algo_size_supported(int id) 822 { 823 switch(id) { 824 case NSEC3_HASH_SHA1: 825 return SHA1_LENGTH; 826 default: 827 return 0; 828 } 829 } 830 831 /* perform nsec3 hash. return false on failure */ 832 int 833 secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len, 834 unsigned char* res) 835 { 836 switch(algo) { 837 case NSEC3_HASH_SHA1: 838 (void)HASH_HashBuf(HASH_AlgSHA1, res, buf, (unsigned long)len); 839 return 1; 840 default: 841 return 0; 842 } 843 } 844 845 void 846 secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res) 847 { 848 (void)HASH_HashBuf(HASH_AlgSHA256, res, buf, (unsigned long)len); 849 } 850 851 /** the secalgo hash structure */ 852 struct secalgo_hash { 853 /** hash context */ 854 HASHContext* ctx; 855 }; 856 857 /** create hash struct of type */ 858 static struct secalgo_hash* secalgo_hash_create_type(HASH_HashType tp) 859 { 860 struct secalgo_hash* h = calloc(1, sizeof(*h)); 861 if(!h) 862 return NULL; 863 h->ctx = HASH_Create(tp); 864 if(!h->ctx) { 865 free(h); 866 return NULL; 867 } 868 return h; 869 } 870 871 struct secalgo_hash* secalgo_hash_create_sha384(void) 872 { 873 return secalgo_hash_create_type(HASH_AlgSHA384); 874 } 875 876 struct secalgo_hash* secalgo_hash_create_sha512(void) 877 { 878 return secalgo_hash_create_type(HASH_AlgSHA512); 879 } 880 881 int secalgo_hash_update(struct secalgo_hash* hash, uint8_t* data, size_t len) 882 { 883 HASH_Update(hash->ctx, (unsigned char*)data, (unsigned int)len); 884 return 1; 885 } 886 887 int secalgo_hash_final(struct secalgo_hash* hash, uint8_t* result, 888 size_t maxlen, size_t* resultlen) 889 { 890 unsigned int reslen = 0; 891 if(HASH_ResultLenContext(hash->ctx) > (unsigned int)maxlen) { 892 *resultlen = 0; 893 log_err("secalgo_hash_final: hash buffer too small"); 894 return 0; 895 } 896 HASH_End(hash->ctx, (unsigned char*)result, &reslen, 897 (unsigned int)maxlen); 898 *resultlen = (size_t)reslen; 899 return 1; 900 } 901 902 void secalgo_hash_delete(struct secalgo_hash* hash) 903 { 904 if(!hash) return; 905 HASH_Destroy(hash->ctx); 906 free(hash); 907 } 908 909 size_t 910 ds_digest_size_supported(int algo) 911 { 912 /* uses libNSS */ 913 switch(algo) { 914 #ifdef USE_SHA1 915 case LDNS_SHA1: 916 return SHA1_LENGTH; 917 #endif 918 #ifdef USE_SHA2 919 case LDNS_SHA256: 920 return SHA256_LENGTH; 921 #endif 922 #ifdef USE_ECDSA 923 case LDNS_SHA384: 924 return SHA384_LENGTH; 925 #endif 926 /* GOST not supported in NSS */ 927 case LDNS_HASH_GOST: 928 default: break; 929 } 930 return 0; 931 } 932 933 int 934 secalgo_ds_digest(int algo, unsigned char* buf, size_t len, 935 unsigned char* res) 936 { 937 /* uses libNSS */ 938 switch(algo) { 939 #ifdef USE_SHA1 940 case LDNS_SHA1: 941 return HASH_HashBuf(HASH_AlgSHA1, res, buf, len) 942 == SECSuccess; 943 #endif 944 #if defined(USE_SHA2) 945 case LDNS_SHA256: 946 return HASH_HashBuf(HASH_AlgSHA256, res, buf, len) 947 == SECSuccess; 948 #endif 949 #ifdef USE_ECDSA 950 case LDNS_SHA384: 951 return HASH_HashBuf(HASH_AlgSHA384, res, buf, len) 952 == SECSuccess; 953 #endif 954 case LDNS_HASH_GOST: 955 default: 956 verbose(VERB_QUERY, "unknown DS digest algorithm %d", 957 algo); 958 break; 959 } 960 return 0; 961 } 962 963 int 964 dnskey_algo_id_is_supported(int id) 965 { 966 /* uses libNSS */ 967 switch(id) { 968 case LDNS_RSAMD5: 969 /* RFC 6725 deprecates RSAMD5 */ 970 return 0; 971 #if defined(USE_SHA1) || defined(USE_SHA2) 972 #if defined(USE_DSA) && defined(USE_SHA1) 973 case LDNS_DSA: 974 case LDNS_DSA_NSEC3: 975 #endif 976 #ifdef USE_SHA1 977 case LDNS_RSASHA1: 978 case LDNS_RSASHA1_NSEC3: 979 #endif 980 #ifdef USE_SHA2 981 case LDNS_RSASHA256: 982 #endif 983 #ifdef USE_SHA2 984 case LDNS_RSASHA512: 985 #endif 986 return 1; 987 #endif /* SHA1 or SHA2 */ 988 989 #ifdef USE_ECDSA 990 case LDNS_ECDSAP256SHA256: 991 case LDNS_ECDSAP384SHA384: 992 return PK11_TokenExists(CKM_ECDSA); 993 #endif 994 case LDNS_ECC_GOST: 995 default: 996 return 0; 997 } 998 } 999 1000 /* return a new public key for NSS */ 1001 static SECKEYPublicKey* nss_key_create(KeyType ktype) 1002 { 1003 SECKEYPublicKey* key; 1004 PLArenaPool* arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); 1005 if(!arena) { 1006 log_err("out of memory, PORT_NewArena failed"); 1007 return NULL; 1008 } 1009 key = PORT_ArenaZNew(arena, SECKEYPublicKey); 1010 if(!key) { 1011 log_err("out of memory, PORT_ArenaZNew failed"); 1012 PORT_FreeArena(arena, PR_FALSE); 1013 return NULL; 1014 } 1015 key->arena = arena; 1016 key->keyType = ktype; 1017 key->pkcs11Slot = NULL; 1018 key->pkcs11ID = CK_INVALID_HANDLE; 1019 return key; 1020 } 1021 1022 static SECKEYPublicKey* nss_buf2ecdsa(unsigned char* key, size_t len, int algo) 1023 { 1024 SECKEYPublicKey* pk; 1025 SECItem pub = {siBuffer, NULL, 0}; 1026 SECItem params = {siBuffer, NULL, 0}; 1027 static unsigned char param256[] = { 1028 /* OBJECTIDENTIFIER 1.2.840.10045.3.1.7 (P-256) 1029 * {iso(1) member-body(2) us(840) ansi-x962(10045) curves(3) prime(1) prime256v1(7)} */ 1030 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07 1031 }; 1032 static unsigned char param384[] = { 1033 /* OBJECTIDENTIFIER 1.3.132.0.34 (P-384) 1034 * {iso(1) identified-organization(3) certicom(132) curve(0) ansip384r1(34)} */ 1035 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22 1036 }; 1037 unsigned char buf[256+2]; /* sufficient for 2*384/8+1 */ 1038 1039 /* check length, which uncompressed must be 2 bignums */ 1040 if(algo == LDNS_ECDSAP256SHA256) { 1041 if(len != 2*256/8) return NULL; 1042 /* ECCurve_X9_62_PRIME_256V1 */ 1043 } else if(algo == LDNS_ECDSAP384SHA384) { 1044 if(len != 2*384/8) return NULL; 1045 /* ECCurve_X9_62_PRIME_384R1 */ 1046 } else return NULL; 1047 1048 buf[0] = 0x04; /* POINT_FORM_UNCOMPRESSED */ 1049 memmove(buf+1, key, len); 1050 pub.data = buf; 1051 pub.len = len+1; 1052 if(algo == LDNS_ECDSAP256SHA256) { 1053 params.data = param256; 1054 params.len = sizeof(param256); 1055 } else { 1056 params.data = param384; 1057 params.len = sizeof(param384); 1058 } 1059 1060 pk = nss_key_create(ecKey); 1061 if(!pk) 1062 return NULL; 1063 pk->u.ec.size = (len/2)*8; 1064 if(SECITEM_CopyItem(pk->arena, &pk->u.ec.publicValue, &pub)) { 1065 SECKEY_DestroyPublicKey(pk); 1066 return NULL; 1067 } 1068 if(SECITEM_CopyItem(pk->arena, &pk->u.ec.DEREncodedParams, ¶ms)) { 1069 SECKEY_DestroyPublicKey(pk); 1070 return NULL; 1071 } 1072 1073 return pk; 1074 } 1075 1076 #if defined(USE_DSA) && defined(USE_SHA1) 1077 static SECKEYPublicKey* nss_buf2dsa(unsigned char* key, size_t len) 1078 { 1079 SECKEYPublicKey* pk; 1080 uint8_t T; 1081 uint16_t length; 1082 uint16_t offset; 1083 SECItem Q = {siBuffer, NULL, 0}; 1084 SECItem P = {siBuffer, NULL, 0}; 1085 SECItem G = {siBuffer, NULL, 0}; 1086 SECItem Y = {siBuffer, NULL, 0}; 1087 1088 if(len == 0) 1089 return NULL; 1090 T = (uint8_t)key[0]; 1091 length = (64 + T * 8); 1092 offset = 1; 1093 1094 if (T > 8) { 1095 return NULL; 1096 } 1097 if(len < (size_t)1 + SHA1_LENGTH + 3*length) 1098 return NULL; 1099 1100 Q.data = key+offset; 1101 Q.len = SHA1_LENGTH; 1102 offset += SHA1_LENGTH; 1103 1104 P.data = key+offset; 1105 P.len = length; 1106 offset += length; 1107 1108 G.data = key+offset; 1109 G.len = length; 1110 offset += length; 1111 1112 Y.data = key+offset; 1113 Y.len = length; 1114 offset += length; 1115 1116 pk = nss_key_create(dsaKey); 1117 if(!pk) 1118 return NULL; 1119 if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.prime, &P)) { 1120 SECKEY_DestroyPublicKey(pk); 1121 return NULL; 1122 } 1123 if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.subPrime, &Q)) { 1124 SECKEY_DestroyPublicKey(pk); 1125 return NULL; 1126 } 1127 if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.base, &G)) { 1128 SECKEY_DestroyPublicKey(pk); 1129 return NULL; 1130 } 1131 if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.publicValue, &Y)) { 1132 SECKEY_DestroyPublicKey(pk); 1133 return NULL; 1134 } 1135 return pk; 1136 } 1137 #endif /* USE_DSA && USE_SHA1 */ 1138 1139 static SECKEYPublicKey* nss_buf2rsa(unsigned char* key, size_t len) 1140 { 1141 SECKEYPublicKey* pk; 1142 uint16_t exp; 1143 uint16_t offset; 1144 uint16_t int16; 1145 SECItem modulus = {siBuffer, NULL, 0}; 1146 SECItem exponent = {siBuffer, NULL, 0}; 1147 if(len == 0) 1148 return NULL; 1149 if(key[0] == 0) { 1150 if(len < 3) 1151 return NULL; 1152 /* the exponent is too large so it's places further */ 1153 memmove(&int16, key+1, 2); 1154 exp = ntohs(int16); 1155 offset = 3; 1156 } else { 1157 exp = key[0]; 1158 offset = 1; 1159 } 1160 1161 /* key length at least one */ 1162 if(len < (size_t)offset + exp + 1) 1163 return NULL; 1164 1165 exponent.data = key+offset; 1166 exponent.len = exp; 1167 offset += exp; 1168 modulus.data = key+offset; 1169 modulus.len = (len - offset); 1170 1171 pk = nss_key_create(rsaKey); 1172 if(!pk) 1173 return NULL; 1174 if(SECITEM_CopyItem(pk->arena, &pk->u.rsa.modulus, &modulus)) { 1175 SECKEY_DestroyPublicKey(pk); 1176 return NULL; 1177 } 1178 if(SECITEM_CopyItem(pk->arena, &pk->u.rsa.publicExponent, &exponent)) { 1179 SECKEY_DestroyPublicKey(pk); 1180 return NULL; 1181 } 1182 return pk; 1183 } 1184 1185 /** 1186 * Setup key and digest for verification. Adjust sig if necessary. 1187 * 1188 * @param algo: key algorithm 1189 * @param evp_key: EVP PKEY public key to create. 1190 * @param digest_type: digest type to use 1191 * @param key: key to setup for. 1192 * @param keylen: length of key. 1193 * @param prefix: if returned, the ASN prefix for the hashblob. 1194 * @param prefixlen: length of the prefix. 1195 * @return false on failure. 1196 */ 1197 static int 1198 nss_setup_key_digest(int algo, SECKEYPublicKey** pubkey, HASH_HashType* htype, 1199 unsigned char* key, size_t keylen, unsigned char** prefix, 1200 size_t* prefixlen) 1201 { 1202 /* uses libNSS */ 1203 1204 /* hash prefix for md5, RFC2537 */ 1205 static unsigned char p_md5[] = {0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a, 1206 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 0x04, 0x10}; 1207 /* hash prefix to prepend to hash output, from RFC3110 */ 1208 static unsigned char p_sha1[] = {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B, 1209 0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14}; 1210 /* from RFC5702 */ 1211 static unsigned char p_sha256[] = {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 1212 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20}; 1213 static unsigned char p_sha512[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 1214 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40}; 1215 /* from RFC6234 */ 1216 /* for future RSASHA384 .. 1217 static unsigned char p_sha384[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 1218 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30}; 1219 */ 1220 1221 switch(algo) { 1222 1223 #if defined(USE_SHA1) || defined(USE_SHA2) 1224 #if defined(USE_DSA) && defined(USE_SHA1) 1225 case LDNS_DSA: 1226 case LDNS_DSA_NSEC3: 1227 *pubkey = nss_buf2dsa(key, keylen); 1228 if(!*pubkey) { 1229 log_err("verify: malloc failure in crypto"); 1230 return 0; 1231 } 1232 *htype = HASH_AlgSHA1; 1233 /* no prefix for DSA verification */ 1234 break; 1235 #endif 1236 #ifdef USE_SHA1 1237 case LDNS_RSASHA1: 1238 case LDNS_RSASHA1_NSEC3: 1239 #endif 1240 #ifdef USE_SHA2 1241 case LDNS_RSASHA256: 1242 #endif 1243 #ifdef USE_SHA2 1244 case LDNS_RSASHA512: 1245 #endif 1246 *pubkey = nss_buf2rsa(key, keylen); 1247 if(!*pubkey) { 1248 log_err("verify: malloc failure in crypto"); 1249 return 0; 1250 } 1251 /* select SHA version */ 1252 #ifdef USE_SHA2 1253 if(algo == LDNS_RSASHA256) { 1254 *htype = HASH_AlgSHA256; 1255 *prefix = p_sha256; 1256 *prefixlen = sizeof(p_sha256); 1257 } else 1258 #endif 1259 #ifdef USE_SHA2 1260 if(algo == LDNS_RSASHA512) { 1261 *htype = HASH_AlgSHA512; 1262 *prefix = p_sha512; 1263 *prefixlen = sizeof(p_sha512); 1264 } else 1265 #endif 1266 #ifdef USE_SHA1 1267 { 1268 *htype = HASH_AlgSHA1; 1269 *prefix = p_sha1; 1270 *prefixlen = sizeof(p_sha1); 1271 } 1272 #else 1273 { 1274 verbose(VERB_QUERY, "verify: no digest algo"); 1275 return 0; 1276 } 1277 #endif 1278 1279 break; 1280 #endif /* SHA1 or SHA2 */ 1281 1282 case LDNS_RSAMD5: 1283 *pubkey = nss_buf2rsa(key, keylen); 1284 if(!*pubkey) { 1285 log_err("verify: malloc failure in crypto"); 1286 return 0; 1287 } 1288 *htype = HASH_AlgMD5; 1289 *prefix = p_md5; 1290 *prefixlen = sizeof(p_md5); 1291 1292 break; 1293 #ifdef USE_ECDSA 1294 case LDNS_ECDSAP256SHA256: 1295 *pubkey = nss_buf2ecdsa(key, keylen, 1296 LDNS_ECDSAP256SHA256); 1297 if(!*pubkey) { 1298 log_err("verify: malloc failure in crypto"); 1299 return 0; 1300 } 1301 *htype = HASH_AlgSHA256; 1302 /* no prefix for DSA verification */ 1303 break; 1304 case LDNS_ECDSAP384SHA384: 1305 *pubkey = nss_buf2ecdsa(key, keylen, 1306 LDNS_ECDSAP384SHA384); 1307 if(!*pubkey) { 1308 log_err("verify: malloc failure in crypto"); 1309 return 0; 1310 } 1311 *htype = HASH_AlgSHA384; 1312 /* no prefix for DSA verification */ 1313 break; 1314 #endif /* USE_ECDSA */ 1315 case LDNS_ECC_GOST: 1316 default: 1317 verbose(VERB_QUERY, "verify: unknown algorithm %d", 1318 algo); 1319 return 0; 1320 } 1321 return 1; 1322 } 1323 1324 /** 1325 * Check a canonical sig+rrset and signature against a dnskey 1326 * @param buf: buffer with data to verify, the first rrsig part and the 1327 * canonicalized rrset. 1328 * @param algo: DNSKEY algorithm. 1329 * @param sigblock: signature rdata field from RRSIG 1330 * @param sigblock_len: length of sigblock data. 1331 * @param key: public key data from DNSKEY RR. 1332 * @param keylen: length of keydata. 1333 * @param reason: bogus reason in more detail. 1334 * @return secure if verification succeeded, bogus on crypto failure, 1335 * unchecked on format errors and alloc failures. 1336 */ 1337 enum sec_status 1338 verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock, 1339 unsigned int sigblock_len, unsigned char* key, unsigned int keylen, 1340 char** reason) 1341 { 1342 /* uses libNSS */ 1343 /* large enough for the different hashes */ 1344 unsigned char hash[HASH_LENGTH_MAX]; 1345 unsigned char hash2[HASH_LENGTH_MAX*2]; 1346 HASH_HashType htype = 0; 1347 SECKEYPublicKey* pubkey = NULL; 1348 SECItem secsig = {siBuffer, sigblock, sigblock_len}; 1349 SECItem sechash = {siBuffer, hash, 0}; 1350 SECStatus res; 1351 unsigned char* prefix = NULL; /* prefix for hash, RFC3110, RFC5702 */ 1352 size_t prefixlen = 0; 1353 int err; 1354 1355 if(!nss_setup_key_digest(algo, &pubkey, &htype, key, keylen, 1356 &prefix, &prefixlen)) { 1357 verbose(VERB_QUERY, "verify: failed to setup key"); 1358 *reason = "use of key for crypto failed"; 1359 SECKEY_DestroyPublicKey(pubkey); 1360 return sec_status_bogus; 1361 } 1362 1363 #if defined(USE_DSA) && defined(USE_SHA1) 1364 /* need to convert DSA, ECDSA signatures? */ 1365 if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3)) { 1366 if(sigblock_len == 1+2*SHA1_LENGTH) { 1367 secsig.data ++; 1368 secsig.len --; 1369 } else { 1370 SECItem* p = DSAU_DecodeDerSig(&secsig); 1371 if(!p) { 1372 verbose(VERB_QUERY, "verify: failed DER decode"); 1373 *reason = "signature DER decode failed"; 1374 SECKEY_DestroyPublicKey(pubkey); 1375 return sec_status_bogus; 1376 } 1377 if(SECITEM_CopyItem(pubkey->arena, &secsig, p)) { 1378 log_err("alloc failure in DER decode"); 1379 SECKEY_DestroyPublicKey(pubkey); 1380 SECITEM_FreeItem(p, PR_TRUE); 1381 return sec_status_unchecked; 1382 } 1383 SECITEM_FreeItem(p, PR_TRUE); 1384 } 1385 } 1386 #endif /* USE_DSA */ 1387 1388 /* do the signature cryptography work */ 1389 /* hash the data */ 1390 sechash.len = HASH_ResultLen(htype); 1391 if(sechash.len > sizeof(hash)) { 1392 verbose(VERB_QUERY, "verify: hash too large for buffer"); 1393 SECKEY_DestroyPublicKey(pubkey); 1394 return sec_status_unchecked; 1395 } 1396 if(HASH_HashBuf(htype, hash, (unsigned char*)sldns_buffer_begin(buf), 1397 (unsigned int)sldns_buffer_limit(buf)) != SECSuccess) { 1398 verbose(VERB_QUERY, "verify: HASH_HashBuf failed"); 1399 SECKEY_DestroyPublicKey(pubkey); 1400 return sec_status_unchecked; 1401 } 1402 if(prefix) { 1403 int hashlen = sechash.len; 1404 if(prefixlen+hashlen > sizeof(hash2)) { 1405 verbose(VERB_QUERY, "verify: hashprefix too large"); 1406 SECKEY_DestroyPublicKey(pubkey); 1407 return sec_status_unchecked; 1408 } 1409 sechash.data = hash2; 1410 sechash.len = prefixlen+hashlen; 1411 memcpy(sechash.data, prefix, prefixlen); 1412 memmove(sechash.data+prefixlen, hash, hashlen); 1413 } 1414 1415 /* verify the signature */ 1416 res = PK11_Verify(pubkey, &secsig, &sechash, NULL /*wincx*/); 1417 SECKEY_DestroyPublicKey(pubkey); 1418 1419 if(res == SECSuccess) { 1420 return sec_status_secure; 1421 } 1422 err = PORT_GetError(); 1423 if(err != SEC_ERROR_BAD_SIGNATURE) { 1424 /* failed to verify */ 1425 verbose(VERB_QUERY, "verify: PK11_Verify failed: %s", 1426 PORT_ErrorToString(err)); 1427 /* if it is not supported, like ECC is removed, we get, 1428 * SEC_ERROR_NO_MODULE */ 1429 if(err == SEC_ERROR_NO_MODULE) 1430 return sec_status_unchecked; 1431 /* but other errors are commonly returned 1432 * for a bad signature from NSS. Thus we return bogus, 1433 * not unchecked */ 1434 *reason = "signature crypto failed"; 1435 return sec_status_bogus; 1436 } 1437 verbose(VERB_QUERY, "verify: signature mismatch: %s", 1438 PORT_ErrorToString(err)); 1439 *reason = "signature crypto failed"; 1440 return sec_status_bogus; 1441 } 1442 1443 #elif defined(HAVE_NETTLE) 1444 1445 #include "sha.h" 1446 #include "bignum.h" 1447 #include "macros.h" 1448 #include "rsa.h" 1449 #include "dsa.h" 1450 #ifdef HAVE_NETTLE_DSA_COMPAT_H 1451 #include "dsa-compat.h" 1452 #endif 1453 #include "asn1.h" 1454 #ifdef USE_ECDSA 1455 #include "ecdsa.h" 1456 #include "ecc-curve.h" 1457 #endif 1458 #ifdef HAVE_NETTLE_EDDSA_H 1459 #include "eddsa.h" 1460 #endif 1461 1462 static int 1463 _digest_nettle(int algo, uint8_t* buf, size_t len, 1464 unsigned char* res) 1465 { 1466 switch(algo) { 1467 case SHA1_DIGEST_SIZE: 1468 { 1469 struct sha1_ctx ctx; 1470 sha1_init(&ctx); 1471 sha1_update(&ctx, len, buf); 1472 sha1_digest(&ctx, SHA1_DIGEST_SIZE, res); 1473 return 1; 1474 } 1475 case SHA256_DIGEST_SIZE: 1476 { 1477 struct sha256_ctx ctx; 1478 sha256_init(&ctx); 1479 sha256_update(&ctx, len, buf); 1480 sha256_digest(&ctx, SHA256_DIGEST_SIZE, res); 1481 return 1; 1482 } 1483 case SHA384_DIGEST_SIZE: 1484 { 1485 struct sha384_ctx ctx; 1486 sha384_init(&ctx); 1487 sha384_update(&ctx, len, buf); 1488 sha384_digest(&ctx, SHA384_DIGEST_SIZE, res); 1489 return 1; 1490 } 1491 case SHA512_DIGEST_SIZE: 1492 { 1493 struct sha512_ctx ctx; 1494 sha512_init(&ctx); 1495 sha512_update(&ctx, len, buf); 1496 sha512_digest(&ctx, SHA512_DIGEST_SIZE, res); 1497 return 1; 1498 } 1499 default: 1500 break; 1501 } 1502 return 0; 1503 } 1504 1505 /* return size of digest if supported, or 0 otherwise */ 1506 size_t 1507 nsec3_hash_algo_size_supported(int id) 1508 { 1509 switch(id) { 1510 case NSEC3_HASH_SHA1: 1511 return SHA1_DIGEST_SIZE; 1512 default: 1513 return 0; 1514 } 1515 } 1516 1517 /* perform nsec3 hash. return false on failure */ 1518 int 1519 secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len, 1520 unsigned char* res) 1521 { 1522 switch(algo) { 1523 case NSEC3_HASH_SHA1: 1524 return _digest_nettle(SHA1_DIGEST_SIZE, (uint8_t*)buf, len, 1525 res); 1526 default: 1527 return 0; 1528 } 1529 } 1530 1531 void 1532 secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res) 1533 { 1534 _digest_nettle(SHA256_DIGEST_SIZE, (uint8_t*)buf, len, res); 1535 } 1536 1537 /** secalgo hash structure */ 1538 struct secalgo_hash { 1539 /** if it is 384 or 512 */ 1540 int active; 1541 /** context for sha384 */ 1542 struct sha384_ctx ctx384; 1543 /** context for sha512 */ 1544 struct sha512_ctx ctx512; 1545 }; 1546 1547 struct secalgo_hash* secalgo_hash_create_sha384(void) 1548 { 1549 struct secalgo_hash* h = calloc(1, sizeof(*h)); 1550 if(!h) 1551 return NULL; 1552 h->active = 384; 1553 sha384_init(&h->ctx384); 1554 return h; 1555 } 1556 1557 struct secalgo_hash* secalgo_hash_create_sha512(void) 1558 { 1559 struct secalgo_hash* h = calloc(1, sizeof(*h)); 1560 if(!h) 1561 return NULL; 1562 h->active = 512; 1563 sha512_init(&h->ctx512); 1564 return h; 1565 } 1566 1567 int secalgo_hash_update(struct secalgo_hash* hash, uint8_t* data, size_t len) 1568 { 1569 if(hash->active == 384) { 1570 sha384_update(&hash->ctx384, len, data); 1571 } else if(hash->active == 512) { 1572 sha512_update(&hash->ctx512, len, data); 1573 } else { 1574 return 0; 1575 } 1576 return 1; 1577 } 1578 1579 int secalgo_hash_final(struct secalgo_hash* hash, uint8_t* result, 1580 size_t maxlen, size_t* resultlen) 1581 { 1582 if(hash->active == 384) { 1583 if(SHA384_DIGEST_SIZE > maxlen) { 1584 *resultlen = 0; 1585 log_err("secalgo_hash_final: hash buffer too small"); 1586 return 0; 1587 } 1588 *resultlen = SHA384_DIGEST_SIZE; 1589 sha384_digest(&hash->ctx384, SHA384_DIGEST_SIZE, 1590 (unsigned char*)result); 1591 } else if(hash->active == 512) { 1592 if(SHA512_DIGEST_SIZE > maxlen) { 1593 *resultlen = 0; 1594 log_err("secalgo_hash_final: hash buffer too small"); 1595 return 0; 1596 } 1597 *resultlen = SHA512_DIGEST_SIZE; 1598 sha512_digest(&hash->ctx512, SHA512_DIGEST_SIZE, 1599 (unsigned char*)result); 1600 } else { 1601 *resultlen = 0; 1602 return 0; 1603 } 1604 return 1; 1605 } 1606 1607 void secalgo_hash_delete(struct secalgo_hash* hash) 1608 { 1609 if(!hash) return; 1610 free(hash); 1611 } 1612 1613 /** 1614 * Return size of DS digest according to its hash algorithm. 1615 * @param algo: DS digest algo. 1616 * @return size in bytes of digest, or 0 if not supported. 1617 */ 1618 size_t 1619 ds_digest_size_supported(int algo) 1620 { 1621 switch(algo) { 1622 case LDNS_SHA1: 1623 #ifdef USE_SHA1 1624 return SHA1_DIGEST_SIZE; 1625 #else 1626 if(fake_sha1) return 20; 1627 return 0; 1628 #endif 1629 #ifdef USE_SHA2 1630 case LDNS_SHA256: 1631 return SHA256_DIGEST_SIZE; 1632 #endif 1633 #ifdef USE_ECDSA 1634 case LDNS_SHA384: 1635 return SHA384_DIGEST_SIZE; 1636 #endif 1637 /* GOST not supported */ 1638 case LDNS_HASH_GOST: 1639 default: 1640 break; 1641 } 1642 return 0; 1643 } 1644 1645 int 1646 secalgo_ds_digest(int algo, unsigned char* buf, size_t len, 1647 unsigned char* res) 1648 { 1649 switch(algo) { 1650 #ifdef USE_SHA1 1651 case LDNS_SHA1: 1652 return _digest_nettle(SHA1_DIGEST_SIZE, buf, len, res); 1653 #endif 1654 #if defined(USE_SHA2) 1655 case LDNS_SHA256: 1656 return _digest_nettle(SHA256_DIGEST_SIZE, buf, len, res); 1657 #endif 1658 #ifdef USE_ECDSA 1659 case LDNS_SHA384: 1660 return _digest_nettle(SHA384_DIGEST_SIZE, buf, len, res); 1661 1662 #endif 1663 case LDNS_HASH_GOST: 1664 default: 1665 verbose(VERB_QUERY, "unknown DS digest algorithm %d", 1666 algo); 1667 break; 1668 } 1669 return 0; 1670 } 1671 1672 int 1673 dnskey_algo_id_is_supported(int id) 1674 { 1675 /* uses libnettle */ 1676 switch(id) { 1677 case LDNS_DSA: 1678 case LDNS_DSA_NSEC3: 1679 #if defined(USE_DSA) && defined(USE_SHA1) 1680 return 1; 1681 #else 1682 if(fake_dsa || fake_sha1) return 1; 1683 return 0; 1684 #endif 1685 case LDNS_RSASHA1: 1686 case LDNS_RSASHA1_NSEC3: 1687 #ifdef USE_SHA1 1688 return 1; 1689 #else 1690 if(fake_sha1) return 1; 1691 return 0; 1692 #endif 1693 #ifdef USE_SHA2 1694 case LDNS_RSASHA256: 1695 case LDNS_RSASHA512: 1696 #endif 1697 #ifdef USE_ECDSA 1698 case LDNS_ECDSAP256SHA256: 1699 case LDNS_ECDSAP384SHA384: 1700 #endif 1701 return 1; 1702 #ifdef USE_ED25519 1703 case LDNS_ED25519: 1704 return 1; 1705 #endif 1706 case LDNS_RSAMD5: /* RFC 6725 deprecates RSAMD5 */ 1707 case LDNS_ECC_GOST: 1708 default: 1709 return 0; 1710 } 1711 } 1712 1713 #if defined(USE_DSA) && defined(USE_SHA1) 1714 static char * 1715 _verify_nettle_dsa(sldns_buffer* buf, unsigned char* sigblock, 1716 unsigned int sigblock_len, unsigned char* key, unsigned int keylen) 1717 { 1718 uint8_t digest[SHA1_DIGEST_SIZE]; 1719 uint8_t key_t_value; 1720 int res = 0; 1721 size_t offset; 1722 struct dsa_public_key pubkey; 1723 struct dsa_signature signature; 1724 unsigned int expected_len; 1725 1726 /* Extract DSA signature from the record */ 1727 nettle_dsa_signature_init(&signature); 1728 /* Signature length: 41 bytes - RFC 2536 sec. 3 */ 1729 if(sigblock_len == 41) { 1730 if(key[0] != sigblock[0]) 1731 return "invalid T value in DSA signature or pubkey"; 1732 nettle_mpz_set_str_256_u(signature.r, 20, sigblock+1); 1733 nettle_mpz_set_str_256_u(signature.s, 20, sigblock+1+20); 1734 } else { 1735 /* DER encoded, decode the ASN1 notated R and S bignums */ 1736 /* SEQUENCE { r INTEGER, s INTEGER } */ 1737 struct asn1_der_iterator i, seq; 1738 if(asn1_der_iterator_first(&i, sigblock_len, 1739 (uint8_t*)sigblock) != ASN1_ITERATOR_CONSTRUCTED 1740 || i.type != ASN1_SEQUENCE) 1741 return "malformed DER encoded DSA signature"; 1742 /* decode this element of i using the seq iterator */ 1743 if(asn1_der_decode_constructed(&i, &seq) != 1744 ASN1_ITERATOR_PRIMITIVE || seq.type != ASN1_INTEGER) 1745 return "malformed DER encoded DSA signature"; 1746 if(!asn1_der_get_bignum(&seq, signature.r, 20*8)) 1747 return "malformed DER encoded DSA signature"; 1748 if(asn1_der_iterator_next(&seq) != ASN1_ITERATOR_PRIMITIVE 1749 || seq.type != ASN1_INTEGER) 1750 return "malformed DER encoded DSA signature"; 1751 if(!asn1_der_get_bignum(&seq, signature.s, 20*8)) 1752 return "malformed DER encoded DSA signature"; 1753 if(asn1_der_iterator_next(&i) != ASN1_ITERATOR_END) 1754 return "malformed DER encoded DSA signature"; 1755 } 1756 1757 /* Validate T values constraints - RFC 2536 sec. 2 & sec. 3 */ 1758 key_t_value = key[0]; 1759 if (key_t_value > 8) { 1760 return "invalid T value in DSA pubkey"; 1761 } 1762 1763 /* Pubkey minimum length: 21 bytes - RFC 2536 sec. 2 */ 1764 if (keylen < 21) { 1765 return "DSA pubkey too short"; 1766 } 1767 1768 expected_len = 1 + /* T */ 1769 20 + /* Q */ 1770 (64 + key_t_value*8) + /* P */ 1771 (64 + key_t_value*8) + /* G */ 1772 (64 + key_t_value*8); /* Y */ 1773 if (keylen != expected_len ) { 1774 return "invalid DSA pubkey length"; 1775 } 1776 1777 /* Extract DSA pubkey from the record */ 1778 nettle_dsa_public_key_init(&pubkey); 1779 offset = 1; 1780 nettle_mpz_set_str_256_u(pubkey.q, 20, key+offset); 1781 offset += 20; 1782 nettle_mpz_set_str_256_u(pubkey.p, (64 + key_t_value*8), key+offset); 1783 offset += (64 + key_t_value*8); 1784 nettle_mpz_set_str_256_u(pubkey.g, (64 + key_t_value*8), key+offset); 1785 offset += (64 + key_t_value*8); 1786 nettle_mpz_set_str_256_u(pubkey.y, (64 + key_t_value*8), key+offset); 1787 1788 /* Digest content of "buf" and verify its DSA signature in "sigblock"*/ 1789 res = _digest_nettle(SHA1_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), 1790 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); 1791 res &= dsa_sha1_verify_digest(&pubkey, digest, &signature); 1792 1793 /* Clear and return */ 1794 nettle_dsa_signature_clear(&signature); 1795 nettle_dsa_public_key_clear(&pubkey); 1796 if (!res) 1797 return "DSA signature verification failed"; 1798 else 1799 return NULL; 1800 } 1801 #endif /* USE_DSA */ 1802 1803 static char * 1804 _verify_nettle_rsa(sldns_buffer* buf, unsigned int digest_size, char* sigblock, 1805 unsigned int sigblock_len, uint8_t* key, unsigned int keylen) 1806 { 1807 uint16_t exp_len = 0; 1808 size_t exp_offset = 0, mod_offset = 0; 1809 struct rsa_public_key pubkey; 1810 mpz_t signature; 1811 int res = 0; 1812 1813 /* RSA pubkey parsing as per RFC 3110 sec. 2 */ 1814 if( keylen <= 1) { 1815 return "null RSA key"; 1816 } 1817 if (key[0] != 0) { 1818 /* 1-byte length */ 1819 exp_len = key[0]; 1820 exp_offset = 1; 1821 } else { 1822 /* 1-byte NUL + 2-bytes exponent length */ 1823 if (keylen < 3) { 1824 return "incorrect RSA key length"; 1825 } 1826 exp_len = READ_UINT16(key+1); 1827 if (exp_len == 0) 1828 return "null RSA exponent length"; 1829 exp_offset = 3; 1830 } 1831 /* Check that we are not over-running input length */ 1832 if (keylen < exp_offset + exp_len + 1) { 1833 return "RSA key content shorter than expected"; 1834 } 1835 mod_offset = exp_offset + exp_len; 1836 nettle_rsa_public_key_init(&pubkey); 1837 pubkey.size = keylen - mod_offset; 1838 nettle_mpz_set_str_256_u(pubkey.e, exp_len, &key[exp_offset]); 1839 nettle_mpz_set_str_256_u(pubkey.n, pubkey.size, &key[mod_offset]); 1840 1841 /* Digest content of "buf" and verify its RSA signature in "sigblock"*/ 1842 nettle_mpz_init_set_str_256_u(signature, sigblock_len, (uint8_t*)sigblock); 1843 switch (digest_size) { 1844 case SHA1_DIGEST_SIZE: 1845 { 1846 uint8_t digest[SHA1_DIGEST_SIZE]; 1847 res = _digest_nettle(SHA1_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), 1848 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); 1849 res &= rsa_sha1_verify_digest(&pubkey, digest, signature); 1850 break; 1851 } 1852 case SHA256_DIGEST_SIZE: 1853 { 1854 uint8_t digest[SHA256_DIGEST_SIZE]; 1855 res = _digest_nettle(SHA256_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), 1856 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); 1857 res &= rsa_sha256_verify_digest(&pubkey, digest, signature); 1858 break; 1859 } 1860 case SHA512_DIGEST_SIZE: 1861 { 1862 uint8_t digest[SHA512_DIGEST_SIZE]; 1863 res = _digest_nettle(SHA512_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), 1864 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); 1865 res &= rsa_sha512_verify_digest(&pubkey, digest, signature); 1866 break; 1867 } 1868 default: 1869 break; 1870 } 1871 1872 /* Clear and return */ 1873 nettle_rsa_public_key_clear(&pubkey); 1874 mpz_clear(signature); 1875 if (!res) { 1876 return "RSA signature verification failed"; 1877 } else { 1878 return NULL; 1879 } 1880 } 1881 1882 #ifdef USE_ECDSA 1883 static char * 1884 _verify_nettle_ecdsa(sldns_buffer* buf, unsigned int digest_size, unsigned char* sigblock, 1885 unsigned int sigblock_len, unsigned char* key, unsigned int keylen) 1886 { 1887 int res = 0; 1888 struct ecc_point pubkey; 1889 struct dsa_signature signature; 1890 1891 /* Always matched strength, as per RFC 6605 sec. 1 */ 1892 if (sigblock_len != 2*digest_size || keylen != 2*digest_size) { 1893 return "wrong ECDSA signature length"; 1894 } 1895 1896 /* Parse ECDSA signature as per RFC 6605 sec. 4 */ 1897 nettle_dsa_signature_init(&signature); 1898 switch (digest_size) { 1899 case SHA256_DIGEST_SIZE: 1900 { 1901 uint8_t digest[SHA256_DIGEST_SIZE]; 1902 mpz_t x, y; 1903 nettle_ecc_point_init(&pubkey, nettle_get_secp_256r1()); 1904 nettle_mpz_init_set_str_256_u(x, SHA256_DIGEST_SIZE, key); 1905 nettle_mpz_init_set_str_256_u(y, SHA256_DIGEST_SIZE, key+SHA256_DIGEST_SIZE); 1906 nettle_mpz_set_str_256_u(signature.r, SHA256_DIGEST_SIZE, sigblock); 1907 nettle_mpz_set_str_256_u(signature.s, SHA256_DIGEST_SIZE, sigblock+SHA256_DIGEST_SIZE); 1908 res = _digest_nettle(SHA256_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), 1909 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); 1910 res &= nettle_ecc_point_set(&pubkey, x, y); 1911 res &= nettle_ecdsa_verify (&pubkey, SHA256_DIGEST_SIZE, digest, &signature); 1912 mpz_clear(x); 1913 mpz_clear(y); 1914 nettle_ecc_point_clear(&pubkey); 1915 break; 1916 } 1917 case SHA384_DIGEST_SIZE: 1918 { 1919 uint8_t digest[SHA384_DIGEST_SIZE]; 1920 mpz_t x, y; 1921 nettle_ecc_point_init(&pubkey, nettle_get_secp_384r1()); 1922 nettle_mpz_init_set_str_256_u(x, SHA384_DIGEST_SIZE, key); 1923 nettle_mpz_init_set_str_256_u(y, SHA384_DIGEST_SIZE, key+SHA384_DIGEST_SIZE); 1924 nettle_mpz_set_str_256_u(signature.r, SHA384_DIGEST_SIZE, sigblock); 1925 nettle_mpz_set_str_256_u(signature.s, SHA384_DIGEST_SIZE, sigblock+SHA384_DIGEST_SIZE); 1926 res = _digest_nettle(SHA384_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), 1927 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); 1928 res &= nettle_ecc_point_set(&pubkey, x, y); 1929 res &= nettle_ecdsa_verify (&pubkey, SHA384_DIGEST_SIZE, digest, &signature); 1930 mpz_clear(x); 1931 mpz_clear(y); 1932 nettle_ecc_point_clear(&pubkey); 1933 break; 1934 } 1935 default: 1936 return "unknown ECDSA algorithm"; 1937 } 1938 1939 /* Clear and return */ 1940 nettle_dsa_signature_clear(&signature); 1941 if (!res) 1942 return "ECDSA signature verification failed"; 1943 else 1944 return NULL; 1945 } 1946 #endif 1947 1948 #ifdef USE_ED25519 1949 static char * 1950 _verify_nettle_ed25519(sldns_buffer* buf, unsigned char* sigblock, 1951 unsigned int sigblock_len, unsigned char* key, unsigned int keylen) 1952 { 1953 int res = 0; 1954 1955 if(sigblock_len != ED25519_SIGNATURE_SIZE) { 1956 return "wrong ED25519 signature length"; 1957 } 1958 if(keylen != ED25519_KEY_SIZE) { 1959 return "wrong ED25519 key length"; 1960 } 1961 1962 res = ed25519_sha512_verify((uint8_t*)key, sldns_buffer_limit(buf), 1963 sldns_buffer_begin(buf), (uint8_t*)sigblock); 1964 1965 if (!res) 1966 return "ED25519 signature verification failed"; 1967 else 1968 return NULL; 1969 } 1970 #endif 1971 1972 /** 1973 * Check a canonical sig+rrset and signature against a dnskey 1974 * @param buf: buffer with data to verify, the first rrsig part and the 1975 * canonicalized rrset. 1976 * @param algo: DNSKEY algorithm. 1977 * @param sigblock: signature rdata field from RRSIG 1978 * @param sigblock_len: length of sigblock data. 1979 * @param key: public key data from DNSKEY RR. 1980 * @param keylen: length of keydata. 1981 * @param reason: bogus reason in more detail. 1982 * @return secure if verification succeeded, bogus on crypto failure, 1983 * unchecked on format errors and alloc failures. 1984 */ 1985 enum sec_status 1986 verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock, 1987 unsigned int sigblock_len, unsigned char* key, unsigned int keylen, 1988 char** reason) 1989 { 1990 unsigned int digest_size = 0; 1991 1992 if (sigblock_len == 0 || keylen == 0) { 1993 *reason = "null signature"; 1994 return sec_status_bogus; 1995 } 1996 1997 #ifndef USE_DSA 1998 if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) &&(fake_dsa||fake_sha1)) 1999 return sec_status_secure; 2000 #endif 2001 #ifndef USE_SHA1 2002 if(fake_sha1 && (algo == LDNS_DSA || algo == LDNS_DSA_NSEC3 || algo == LDNS_RSASHA1 || algo == LDNS_RSASHA1_NSEC3)) 2003 return sec_status_secure; 2004 #endif 2005 2006 switch(algo) { 2007 #if defined(USE_DSA) && defined(USE_SHA1) 2008 case LDNS_DSA: 2009 case LDNS_DSA_NSEC3: 2010 *reason = _verify_nettle_dsa(buf, sigblock, sigblock_len, key, keylen); 2011 if (*reason != NULL) 2012 return sec_status_bogus; 2013 else 2014 return sec_status_secure; 2015 #endif /* USE_DSA */ 2016 2017 #ifdef USE_SHA1 2018 case LDNS_RSASHA1: 2019 case LDNS_RSASHA1_NSEC3: 2020 digest_size = (digest_size ? digest_size : SHA1_DIGEST_SIZE); 2021 #endif 2022 /* double fallthrough annotation to please gcc parser */ 2023 /* fallthrough */ 2024 #ifdef USE_SHA2 2025 /* fallthrough */ 2026 case LDNS_RSASHA256: 2027 digest_size = (digest_size ? digest_size : SHA256_DIGEST_SIZE); 2028 /* fallthrough */ 2029 case LDNS_RSASHA512: 2030 digest_size = (digest_size ? digest_size : SHA512_DIGEST_SIZE); 2031 2032 #endif 2033 *reason = _verify_nettle_rsa(buf, digest_size, (char*)sigblock, 2034 sigblock_len, key, keylen); 2035 if (*reason != NULL) 2036 return sec_status_bogus; 2037 else 2038 return sec_status_secure; 2039 2040 #ifdef USE_ECDSA 2041 case LDNS_ECDSAP256SHA256: 2042 digest_size = (digest_size ? digest_size : SHA256_DIGEST_SIZE); 2043 /* fallthrough */ 2044 case LDNS_ECDSAP384SHA384: 2045 digest_size = (digest_size ? digest_size : SHA384_DIGEST_SIZE); 2046 *reason = _verify_nettle_ecdsa(buf, digest_size, sigblock, 2047 sigblock_len, key, keylen); 2048 if (*reason != NULL) 2049 return sec_status_bogus; 2050 else 2051 return sec_status_secure; 2052 #endif 2053 #ifdef USE_ED25519 2054 case LDNS_ED25519: 2055 *reason = _verify_nettle_ed25519(buf, sigblock, sigblock_len, 2056 key, keylen); 2057 if (*reason != NULL) 2058 return sec_status_bogus; 2059 else 2060 return sec_status_secure; 2061 #endif 2062 case LDNS_RSAMD5: 2063 case LDNS_ECC_GOST: 2064 default: 2065 *reason = "unable to verify signature, unknown algorithm"; 2066 return sec_status_bogus; 2067 } 2068 } 2069 2070 #endif /* HAVE_SSL or HAVE_NSS or HAVE_NETTLE */ 2071