1 /* 2 * validator/val_secalgo.c - validator security algorithm functions. 3 * 4 * Copyright (c) 2012, NLnet Labs. All rights reserved. 5 * 6 * This software is open source. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * Redistributions of source code must retain the above copyright notice, 13 * this list of conditions and the following disclaimer. 14 * 15 * Redistributions in binary form must reproduce the above copyright notice, 16 * this list of conditions and the following disclaimer in the documentation 17 * and/or other materials provided with the distribution. 18 * 19 * Neither the name of the NLNET LABS nor the names of its contributors may 20 * be used to endorse or promote products derived from this software without 21 * specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36 /** 37 * \file 38 * 39 * This file contains helper functions for the validator module. 40 * These functions take raw data buffers, formatted for crypto verification, 41 * and do the library calls (for the crypto library in use). 42 */ 43 #include "config.h" 44 /* packed_rrset on top to define enum types (forced by c99 standard) */ 45 #include "util/data/packed_rrset.h" 46 #include "validator/val_secalgo.h" 47 #include "validator/val_nsec3.h" 48 #include "util/log.h" 49 #include "sldns/rrdef.h" 50 #include "sldns/keyraw.h" 51 #include "sldns/sbuffer.h" 52 53 #if !defined(HAVE_SSL) && !defined(HAVE_NSS) && !defined(HAVE_NETTLE) 54 #error "Need crypto library to do digital signature cryptography" 55 #endif 56 57 /** fake DSA support for unit tests */ 58 int fake_dsa = 0; 59 /** fake SHA1 support for unit tests */ 60 int fake_sha1 = 0; 61 62 /* OpenSSL implementation */ 63 #ifdef HAVE_SSL 64 #ifdef HAVE_OPENSSL_ERR_H 65 #include <openssl/err.h> 66 #endif 67 68 #ifdef HAVE_OPENSSL_RAND_H 69 #include <openssl/rand.h> 70 #endif 71 72 #ifdef HAVE_OPENSSL_CONF_H 73 #include <openssl/conf.h> 74 #endif 75 76 #ifdef HAVE_OPENSSL_ENGINE_H 77 #include <openssl/engine.h> 78 #endif 79 80 #if defined(HAVE_OPENSSL_DSA_H) && defined(USE_DSA) 81 #include <openssl/dsa.h> 82 #endif 83 84 /** 85 * Output a libcrypto openssl error to the logfile. 86 * @param str: string to add to it. 87 * @param e: the error to output, error number from ERR_get_error(). 88 */ 89 static void 90 log_crypto_error(const char* str, unsigned long e) 91 { 92 char buf[128]; 93 /* or use ERR_error_string if ERR_error_string_n is not avail TODO */ 94 ERR_error_string_n(e, buf, sizeof(buf)); 95 /* buf now contains */ 96 /* error:[error code]:[library name]:[function name]:[reason string] */ 97 log_err("%s crypto %s", str, buf); 98 } 99 100 /** 101 * Output a libcrypto openssl error to the logfile as a debug message. 102 * @param level: debug level to use in verbose() call 103 * @param str: string to add to it. 104 * @param e: the error to output, error number from ERR_get_error(). 105 */ 106 static void 107 log_crypto_verbose(enum verbosity_value level, const char* str, unsigned long e) 108 { 109 char buf[128]; 110 /* or use ERR_error_string if ERR_error_string_n is not avail TODO */ 111 ERR_error_string_n(e, buf, sizeof(buf)); 112 /* buf now contains */ 113 /* error:[error code]:[library name]:[function name]:[reason string] */ 114 verbose(level, "%s crypto %s", str, buf); 115 } 116 117 /* return size of digest if supported, or 0 otherwise */ 118 size_t 119 nsec3_hash_algo_size_supported(int id) 120 { 121 switch(id) { 122 case NSEC3_HASH_SHA1: 123 return SHA_DIGEST_LENGTH; 124 default: 125 return 0; 126 } 127 } 128 129 /* perform nsec3 hash. return false on failure */ 130 int 131 secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len, 132 unsigned char* res) 133 { 134 switch(algo) { 135 case NSEC3_HASH_SHA1: 136 #ifdef OPENSSL_FIPS 137 if(!sldns_digest_evp(buf, len, res, EVP_sha1())) 138 log_crypto_error("could not digest with EVP_sha1", 139 ERR_get_error()); 140 #else 141 (void)SHA1(buf, len, res); 142 #endif 143 return 1; 144 default: 145 return 0; 146 } 147 } 148 149 void 150 secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res) 151 { 152 #ifdef OPENSSL_FIPS 153 if(!sldns_digest_evp(buf, len, res, EVP_sha256())) 154 log_crypto_error("could not digest with EVP_sha256", 155 ERR_get_error()); 156 #else 157 (void)SHA256(buf, len, res); 158 #endif 159 } 160 161 /** hash structure for keeping track of running hashes */ 162 struct secalgo_hash { 163 /** the openssl message digest context */ 164 EVP_MD_CTX* ctx; 165 }; 166 167 /** create secalgo hash with hash type */ 168 static struct secalgo_hash* secalgo_hash_create_md(const EVP_MD* md) 169 { 170 struct secalgo_hash* h; 171 if(!md) 172 return NULL; 173 h = calloc(1, sizeof(*h)); 174 if(!h) 175 return NULL; 176 h->ctx = EVP_MD_CTX_create(); 177 if(!h->ctx) { 178 free(h); 179 return NULL; 180 } 181 if(!EVP_DigestInit_ex(h->ctx, md, NULL)) { 182 EVP_MD_CTX_destroy(h->ctx); 183 free(h); 184 return NULL; 185 } 186 return h; 187 } 188 189 struct secalgo_hash* secalgo_hash_create_sha384(void) 190 { 191 return secalgo_hash_create_md(EVP_sha384()); 192 } 193 194 struct secalgo_hash* secalgo_hash_create_sha512(void) 195 { 196 return secalgo_hash_create_md(EVP_sha512()); 197 } 198 199 int secalgo_hash_update(struct secalgo_hash* hash, uint8_t* data, size_t len) 200 { 201 return EVP_DigestUpdate(hash->ctx, (unsigned char*)data, 202 (unsigned int)len); 203 } 204 205 int secalgo_hash_final(struct secalgo_hash* hash, uint8_t* result, 206 size_t maxlen, size_t* resultlen) 207 { 208 if(EVP_MD_CTX_size(hash->ctx) > (int)maxlen) { 209 *resultlen = 0; 210 log_err("secalgo_hash_final: hash buffer too small"); 211 return 0; 212 } 213 *resultlen = EVP_MD_CTX_size(hash->ctx); 214 return EVP_DigestFinal_ex(hash->ctx, result, NULL); 215 } 216 217 void secalgo_hash_delete(struct secalgo_hash* hash) 218 { 219 if(!hash) return; 220 EVP_MD_CTX_destroy(hash->ctx); 221 free(hash); 222 } 223 224 /** 225 * Return size of DS digest according to its hash algorithm. 226 * @param algo: DS digest algo. 227 * @return size in bytes of digest, or 0 if not supported. 228 */ 229 size_t 230 ds_digest_size_supported(int algo) 231 { 232 switch(algo) { 233 case LDNS_SHA1: 234 #if defined(HAVE_EVP_SHA1) && defined(USE_SHA1) 235 #ifdef HAVE_EVP_DEFAULT_PROPERTIES_IS_FIPS_ENABLED 236 if (EVP_default_properties_is_fips_enabled(NULL)) 237 return 0; 238 #endif 239 return SHA_DIGEST_LENGTH; 240 #else 241 if(fake_sha1) return 20; 242 return 0; 243 #endif 244 #ifdef HAVE_EVP_SHA256 245 case LDNS_SHA256: 246 return SHA256_DIGEST_LENGTH; 247 #endif 248 #ifdef USE_GOST 249 case LDNS_HASH_GOST: 250 /* we support GOST if it can be loaded */ 251 (void)sldns_key_EVP_load_gost_id(); 252 if(EVP_get_digestbyname("md_gost94")) 253 return 32; 254 else return 0; 255 #endif 256 #ifdef USE_ECDSA 257 case LDNS_SHA384: 258 return SHA384_DIGEST_LENGTH; 259 #endif 260 default: break; 261 } 262 return 0; 263 } 264 265 #ifdef USE_GOST 266 /** Perform GOST hash */ 267 static int 268 do_gost94(unsigned char* data, size_t len, unsigned char* dest) 269 { 270 const EVP_MD* md = EVP_get_digestbyname("md_gost94"); 271 if(!md) 272 return 0; 273 return sldns_digest_evp(data, (unsigned int)len, dest, md); 274 } 275 #endif 276 277 int 278 secalgo_ds_digest(int algo, unsigned char* buf, size_t len, 279 unsigned char* res) 280 { 281 switch(algo) { 282 #if defined(HAVE_EVP_SHA1) && defined(USE_SHA1) 283 case LDNS_SHA1: 284 #ifdef OPENSSL_FIPS 285 if(!sldns_digest_evp(buf, len, res, EVP_sha1())) 286 log_crypto_error("could not digest with EVP_sha1", 287 ERR_get_error()); 288 #else 289 (void)SHA1(buf, len, res); 290 #endif 291 return 1; 292 #endif 293 #ifdef HAVE_EVP_SHA256 294 case LDNS_SHA256: 295 #ifdef OPENSSL_FIPS 296 if(!sldns_digest_evp(buf, len, res, EVP_sha256())) 297 log_crypto_error("could not digest with EVP_sha256", 298 ERR_get_error()); 299 #else 300 (void)SHA256(buf, len, res); 301 #endif 302 return 1; 303 #endif 304 #ifdef USE_GOST 305 case LDNS_HASH_GOST: 306 if(do_gost94(buf, len, res)) 307 return 1; 308 break; 309 #endif 310 #ifdef USE_ECDSA 311 case LDNS_SHA384: 312 #ifdef OPENSSL_FIPS 313 if(!sldns_digest_evp(buf, len, res, EVP_sha384())) 314 log_crypto_error("could not digest with EVP_sha384", 315 ERR_get_error()); 316 #else 317 (void)SHA384(buf, len, res); 318 #endif 319 return 1; 320 #endif 321 default: 322 verbose(VERB_QUERY, "unknown DS digest algorithm %d", 323 algo); 324 break; 325 } 326 return 0; 327 } 328 329 /** return true if DNSKEY algorithm id is supported */ 330 int 331 dnskey_algo_id_is_supported(int id) 332 { 333 switch(id) { 334 case LDNS_RSAMD5: 335 /* RFC 6725 deprecates RSAMD5 */ 336 return 0; 337 case LDNS_DSA: 338 case LDNS_DSA_NSEC3: 339 #if defined(USE_DSA) && defined(USE_SHA1) 340 return 1; 341 #else 342 if(fake_dsa || fake_sha1) return 1; 343 return 0; 344 #endif 345 346 case LDNS_RSASHA1: 347 case LDNS_RSASHA1_NSEC3: 348 #ifdef USE_SHA1 349 #ifdef HAVE_EVP_DEFAULT_PROPERTIES_IS_FIPS_ENABLED 350 return !EVP_default_properties_is_fips_enabled(NULL); 351 #else 352 return 1; 353 #endif 354 #else 355 if(fake_sha1) return 1; 356 return 0; 357 #endif 358 359 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2) 360 case LDNS_RSASHA256: 361 #endif 362 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2) 363 case LDNS_RSASHA512: 364 #endif 365 #ifdef USE_ECDSA 366 case LDNS_ECDSAP256SHA256: 367 case LDNS_ECDSAP384SHA384: 368 #endif 369 #if (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2)) || defined(USE_ECDSA) 370 return 1; 371 #endif 372 #ifdef USE_ED25519 373 case LDNS_ED25519: 374 #endif 375 #ifdef USE_ED448 376 case LDNS_ED448: 377 #endif 378 #if defined(USE_ED25519) || defined(USE_ED448) 379 #ifdef HAVE_EVP_DEFAULT_PROPERTIES_IS_FIPS_ENABLED 380 return !EVP_default_properties_is_fips_enabled(NULL); 381 #else 382 return 1; 383 #endif 384 #endif 385 386 #ifdef USE_GOST 387 case LDNS_ECC_GOST: 388 /* we support GOST if it can be loaded */ 389 return sldns_key_EVP_load_gost_id(); 390 #endif 391 default: 392 return 0; 393 } 394 } 395 396 #ifdef USE_DSA 397 /** 398 * Setup DSA key digest in DER encoding ... 399 * @param sig: input is signature output alloced ptr (unless failure). 400 * caller must free alloced ptr if this routine returns true. 401 * @param len: input is initial siglen, output is output len. 402 * @return false on failure. 403 */ 404 static int 405 setup_dsa_sig(unsigned char** sig, unsigned int* len) 406 { 407 unsigned char* orig = *sig; 408 unsigned int origlen = *len; 409 int newlen; 410 BIGNUM *R, *S; 411 DSA_SIG *dsasig; 412 413 /* extract the R and S field from the sig buffer */ 414 if(origlen < 1 + 2*SHA_DIGEST_LENGTH) 415 return 0; 416 R = BN_new(); 417 if(!R) return 0; 418 (void) BN_bin2bn(orig + 1, SHA_DIGEST_LENGTH, R); 419 S = BN_new(); 420 if(!S) return 0; 421 (void) BN_bin2bn(orig + 21, SHA_DIGEST_LENGTH, S); 422 dsasig = DSA_SIG_new(); 423 if(!dsasig) return 0; 424 425 #ifdef HAVE_DSA_SIG_SET0 426 if(!DSA_SIG_set0(dsasig, R, S)) return 0; 427 #else 428 # ifndef S_SPLINT_S 429 dsasig->r = R; 430 dsasig->s = S; 431 # endif /* S_SPLINT_S */ 432 #endif 433 *sig = NULL; 434 newlen = i2d_DSA_SIG(dsasig, sig); 435 if(newlen < 0) { 436 DSA_SIG_free(dsasig); 437 free(*sig); 438 return 0; 439 } 440 *len = (unsigned int)newlen; 441 DSA_SIG_free(dsasig); 442 return 1; 443 } 444 #endif /* USE_DSA */ 445 446 #ifdef USE_ECDSA 447 /** 448 * Setup the ECDSA signature in its encoding that the library wants. 449 * Converts from plain numbers to ASN formatted. 450 * @param sig: input is signature, output alloced ptr (unless failure). 451 * caller must free alloced ptr if this routine returns true. 452 * @param len: input is initial siglen, output is output len. 453 * @return false on failure. 454 */ 455 static int 456 setup_ecdsa_sig(unsigned char** sig, unsigned int* len) 457 { 458 /* convert from two BIGNUMs in the rdata buffer, to ASN notation. 459 * ASN preamble: 30440220 <R 32bytefor256> 0220 <S 32bytefor256> 460 * the '20' is the length of that field (=bnsize). 461 i * the '44' is the total remaining length. 462 * if negative, start with leading zero. 463 * if starts with 00s, remove them from the number. 464 */ 465 uint8_t pre[] = {0x30, 0x44, 0x02, 0x20}; 466 int pre_len = 4; 467 uint8_t mid[] = {0x02, 0x20}; 468 int mid_len = 2; 469 int raw_sig_len, r_high, s_high, r_rem=0, s_rem=0; 470 int bnsize = (int)((*len)/2); 471 unsigned char* d = *sig; 472 uint8_t* p; 473 /* if too short or not even length, fails */ 474 if(*len < 16 || bnsize*2 != (int)*len) 475 return 0; 476 477 /* strip leading zeroes from r (but not last one) */ 478 while(r_rem < bnsize-1 && d[r_rem] == 0) 479 r_rem++; 480 /* strip leading zeroes from s (but not last one) */ 481 while(s_rem < bnsize-1 && d[bnsize+s_rem] == 0) 482 s_rem++; 483 484 r_high = ((d[0+r_rem]&0x80)?1:0); 485 s_high = ((d[bnsize+s_rem]&0x80)?1:0); 486 raw_sig_len = pre_len + r_high + bnsize - r_rem + mid_len + 487 s_high + bnsize - s_rem; 488 *sig = (unsigned char*)malloc((size_t)raw_sig_len); 489 if(!*sig) 490 return 0; 491 p = (uint8_t*)*sig; 492 p[0] = pre[0]; 493 p[1] = (uint8_t)(raw_sig_len-2); 494 p[2] = pre[2]; 495 p[3] = (uint8_t)(bnsize + r_high - r_rem); 496 p += 4; 497 if(r_high) { 498 *p = 0; 499 p += 1; 500 } 501 memmove(p, d+r_rem, (size_t)bnsize-r_rem); 502 p += bnsize-r_rem; 503 memmove(p, mid, (size_t)mid_len-1); 504 p += mid_len-1; 505 *p = (uint8_t)(bnsize + s_high - s_rem); 506 p += 1; 507 if(s_high) { 508 *p = 0; 509 p += 1; 510 } 511 memmove(p, d+bnsize+s_rem, (size_t)bnsize-s_rem); 512 *len = (unsigned int)raw_sig_len; 513 return 1; 514 } 515 #endif /* USE_ECDSA */ 516 517 #ifdef USE_ECDSA_EVP_WORKAROUND 518 static EVP_MD ecdsa_evp_256_md; 519 static EVP_MD ecdsa_evp_384_md; 520 void ecdsa_evp_workaround_init(void) 521 { 522 /* openssl before 1.0.0 fixes RSA with the SHA256 523 * hash in EVP. We create one for ecdsa_sha256 */ 524 ecdsa_evp_256_md = *EVP_sha256(); 525 ecdsa_evp_256_md.required_pkey_type[0] = EVP_PKEY_EC; 526 ecdsa_evp_256_md.verify = (void*)ECDSA_verify; 527 528 ecdsa_evp_384_md = *EVP_sha384(); 529 ecdsa_evp_384_md.required_pkey_type[0] = EVP_PKEY_EC; 530 ecdsa_evp_384_md.verify = (void*)ECDSA_verify; 531 } 532 #endif /* USE_ECDSA_EVP_WORKAROUND */ 533 534 /** 535 * Setup key and digest for verification. Adjust sig if necessary. 536 * 537 * @param algo: key algorithm 538 * @param evp_key: EVP PKEY public key to create. 539 * @param digest_type: digest type to use 540 * @param key: key to setup for. 541 * @param keylen: length of key. 542 * @return false on failure. 543 */ 544 static int 545 setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type, 546 unsigned char* key, size_t keylen) 547 { 548 switch(algo) { 549 #if defined(USE_DSA) && defined(USE_SHA1) 550 case LDNS_DSA: 551 case LDNS_DSA_NSEC3: 552 *evp_key = sldns_key_dsa2pkey_raw(key, keylen); 553 if(!*evp_key) { 554 verbose(VERB_QUERY, "verify: sldns_key_dsa2pkey failed"); 555 return 0; 556 } 557 #ifdef HAVE_EVP_DSS1 558 *digest_type = EVP_dss1(); 559 #else 560 *digest_type = EVP_sha1(); 561 #endif 562 563 break; 564 #endif /* USE_DSA && USE_SHA1 */ 565 566 #if defined(USE_SHA1) || (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2)) 567 #ifdef USE_SHA1 568 case LDNS_RSASHA1: 569 case LDNS_RSASHA1_NSEC3: 570 #endif 571 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2) 572 case LDNS_RSASHA256: 573 #endif 574 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2) 575 case LDNS_RSASHA512: 576 #endif 577 *evp_key = sldns_key_rsa2pkey_raw(key, keylen); 578 if(!*evp_key) { 579 verbose(VERB_QUERY, "verify: sldns_key_rsa2pkey SHA failed"); 580 return 0; 581 } 582 583 /* select SHA version */ 584 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2) 585 if(algo == LDNS_RSASHA256) 586 *digest_type = EVP_sha256(); 587 else 588 #endif 589 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2) 590 if(algo == LDNS_RSASHA512) 591 *digest_type = EVP_sha512(); 592 else 593 #endif 594 #ifdef USE_SHA1 595 *digest_type = EVP_sha1(); 596 #else 597 { verbose(VERB_QUERY, "no digest available"); return 0; } 598 #endif 599 break; 600 #endif /* defined(USE_SHA1) || (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2)) */ 601 602 case LDNS_RSAMD5: 603 *evp_key = sldns_key_rsa2pkey_raw(key, keylen); 604 if(!*evp_key) { 605 verbose(VERB_QUERY, "verify: sldns_key_rsa2pkey MD5 failed"); 606 return 0; 607 } 608 *digest_type = EVP_md5(); 609 610 break; 611 #ifdef USE_GOST 612 case LDNS_ECC_GOST: 613 *evp_key = sldns_gost2pkey_raw(key, keylen); 614 if(!*evp_key) { 615 verbose(VERB_QUERY, "verify: " 616 "sldns_gost2pkey_raw failed"); 617 return 0; 618 } 619 *digest_type = EVP_get_digestbyname("md_gost94"); 620 if(!*digest_type) { 621 verbose(VERB_QUERY, "verify: " 622 "EVP_getdigest md_gost94 failed"); 623 return 0; 624 } 625 break; 626 #endif 627 #ifdef USE_ECDSA 628 case LDNS_ECDSAP256SHA256: 629 *evp_key = sldns_ecdsa2pkey_raw(key, keylen, 630 LDNS_ECDSAP256SHA256); 631 if(!*evp_key) { 632 verbose(VERB_QUERY, "verify: " 633 "sldns_ecdsa2pkey_raw failed"); 634 return 0; 635 } 636 #ifdef USE_ECDSA_EVP_WORKAROUND 637 *digest_type = &ecdsa_evp_256_md; 638 #else 639 *digest_type = EVP_sha256(); 640 #endif 641 break; 642 case LDNS_ECDSAP384SHA384: 643 *evp_key = sldns_ecdsa2pkey_raw(key, keylen, 644 LDNS_ECDSAP384SHA384); 645 if(!*evp_key) { 646 verbose(VERB_QUERY, "verify: " 647 "sldns_ecdsa2pkey_raw failed"); 648 return 0; 649 } 650 #ifdef USE_ECDSA_EVP_WORKAROUND 651 *digest_type = &ecdsa_evp_384_md; 652 #else 653 *digest_type = EVP_sha384(); 654 #endif 655 break; 656 #endif /* USE_ECDSA */ 657 #ifdef USE_ED25519 658 case LDNS_ED25519: 659 *evp_key = sldns_ed255192pkey_raw(key, keylen); 660 if(!*evp_key) { 661 verbose(VERB_QUERY, "verify: " 662 "sldns_ed255192pkey_raw failed"); 663 return 0; 664 } 665 *digest_type = NULL; 666 break; 667 #endif /* USE_ED25519 */ 668 #ifdef USE_ED448 669 case LDNS_ED448: 670 *evp_key = sldns_ed4482pkey_raw(key, keylen); 671 if(!*evp_key) { 672 verbose(VERB_QUERY, "verify: " 673 "sldns_ed4482pkey_raw failed"); 674 return 0; 675 } 676 *digest_type = NULL; 677 break; 678 #endif /* USE_ED448 */ 679 default: 680 verbose(VERB_QUERY, "verify: unknown algorithm %d", 681 algo); 682 return 0; 683 } 684 return 1; 685 } 686 687 static void 688 digest_ctx_free(EVP_MD_CTX* ctx, EVP_PKEY *evp_key, 689 unsigned char* sigblock, int dofree, int docrypto_free) 690 { 691 #ifdef HAVE_EVP_MD_CTX_NEW 692 EVP_MD_CTX_destroy(ctx); 693 #else 694 EVP_MD_CTX_cleanup(ctx); 695 free(ctx); 696 #endif 697 EVP_PKEY_free(evp_key); 698 if(dofree) free(sigblock); 699 else if(docrypto_free) OPENSSL_free(sigblock); 700 } 701 702 static enum sec_status 703 digest_error_status(const char *str) 704 { 705 unsigned long e = ERR_get_error(); 706 #ifdef EVP_R_INVALID_DIGEST 707 if (ERR_GET_LIB(e) == ERR_LIB_EVP && 708 ERR_GET_REASON(e) == EVP_R_INVALID_DIGEST) { 709 log_crypto_verbose(VERB_ALGO, str, e); 710 return sec_status_indeterminate; 711 } 712 #endif 713 log_crypto_verbose(VERB_QUERY, str, e); 714 return sec_status_unchecked; 715 } 716 717 /** 718 * Check a canonical sig+rrset and signature against a dnskey 719 * @param buf: buffer with data to verify, the first rrsig part and the 720 * canonicalized rrset. 721 * @param algo: DNSKEY algorithm. 722 * @param sigblock: signature rdata field from RRSIG 723 * @param sigblock_len: length of sigblock data. 724 * @param key: public key data from DNSKEY RR. 725 * @param keylen: length of keydata. 726 * @param reason: bogus reason in more detail. 727 * @return secure if verification succeeded, bogus on crypto failure, 728 * unchecked on format errors and alloc failures, indeterminate 729 * if digest is not supported by the crypto library (openssl3+ only). 730 */ 731 enum sec_status 732 verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock, 733 unsigned int sigblock_len, unsigned char* key, unsigned int keylen, 734 char** reason) 735 { 736 const EVP_MD *digest_type; 737 EVP_MD_CTX* ctx; 738 int res, dofree = 0, docrypto_free = 0; 739 EVP_PKEY *evp_key = NULL; 740 741 #ifndef USE_DSA 742 if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) &&(fake_dsa||fake_sha1)) 743 return sec_status_secure; 744 #endif 745 #ifndef USE_SHA1 746 if(fake_sha1 && (algo == LDNS_DSA || algo == LDNS_DSA_NSEC3 || algo == LDNS_RSASHA1 || algo == LDNS_RSASHA1_NSEC3)) 747 return sec_status_secure; 748 #endif 749 750 if(!setup_key_digest(algo, &evp_key, &digest_type, key, keylen)) { 751 verbose(VERB_QUERY, "verify: failed to setup key"); 752 *reason = "use of key for crypto failed"; 753 EVP_PKEY_free(evp_key); 754 return sec_status_bogus; 755 } 756 #ifdef USE_DSA 757 /* if it is a DSA signature in bind format, convert to DER format */ 758 if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) && 759 sigblock_len == 1+2*SHA_DIGEST_LENGTH) { 760 if(!setup_dsa_sig(&sigblock, &sigblock_len)) { 761 verbose(VERB_QUERY, "verify: failed to setup DSA sig"); 762 *reason = "use of key for DSA crypto failed"; 763 EVP_PKEY_free(evp_key); 764 return sec_status_bogus; 765 } 766 docrypto_free = 1; 767 } 768 #endif 769 #if defined(USE_ECDSA) && defined(USE_DSA) 770 else 771 #endif 772 #ifdef USE_ECDSA 773 if(algo == LDNS_ECDSAP256SHA256 || algo == LDNS_ECDSAP384SHA384) { 774 /* EVP uses ASN prefix on sig, which is not in the wire data */ 775 if(!setup_ecdsa_sig(&sigblock, &sigblock_len)) { 776 verbose(VERB_QUERY, "verify: failed to setup ECDSA sig"); 777 *reason = "use of signature for ECDSA crypto failed"; 778 EVP_PKEY_free(evp_key); 779 return sec_status_bogus; 780 } 781 dofree = 1; 782 } 783 #endif /* USE_ECDSA */ 784 785 /* do the signature cryptography work */ 786 #ifdef HAVE_EVP_MD_CTX_NEW 787 ctx = EVP_MD_CTX_new(); 788 #else 789 ctx = (EVP_MD_CTX*)malloc(sizeof(*ctx)); 790 if(ctx) EVP_MD_CTX_init(ctx); 791 #endif 792 if(!ctx) { 793 log_err("EVP_MD_CTX_new: malloc failure"); 794 EVP_PKEY_free(evp_key); 795 if(dofree) free(sigblock); 796 else if(docrypto_free) OPENSSL_free(sigblock); 797 return sec_status_unchecked; 798 } 799 #ifndef HAVE_EVP_DIGESTVERIFY 800 if(EVP_DigestInit(ctx, digest_type) == 0) { 801 enum sec_status sec; 802 sec = digest_error_status("verify: EVP_DigestInit failed"); 803 digest_ctx_free(ctx, evp_key, sigblock, 804 dofree, docrypto_free); 805 return sec; 806 } 807 if(EVP_DigestUpdate(ctx, (unsigned char*)sldns_buffer_begin(buf), 808 (unsigned int)sldns_buffer_limit(buf)) == 0) { 809 log_crypto_verbose(VERB_QUERY, "verify: EVP_DigestUpdate failed", 810 ERR_get_error()); 811 digest_ctx_free(ctx, evp_key, sigblock, 812 dofree, docrypto_free); 813 return sec_status_unchecked; 814 } 815 816 res = EVP_VerifyFinal(ctx, sigblock, sigblock_len, evp_key); 817 #else /* HAVE_EVP_DIGESTVERIFY */ 818 if(EVP_DigestVerifyInit(ctx, NULL, digest_type, NULL, evp_key) == 0) { 819 enum sec_status sec; 820 sec = digest_error_status("verify: EVP_DigestVerifyInit failed"); 821 digest_ctx_free(ctx, evp_key, sigblock, 822 dofree, docrypto_free); 823 return sec; 824 } 825 res = EVP_DigestVerify(ctx, sigblock, sigblock_len, 826 (unsigned char*)sldns_buffer_begin(buf), 827 sldns_buffer_limit(buf)); 828 #endif 829 digest_ctx_free(ctx, evp_key, sigblock, 830 dofree, docrypto_free); 831 832 if(res == 1) { 833 return sec_status_secure; 834 } else if(res == 0) { 835 verbose(VERB_QUERY, "verify: signature mismatch"); 836 *reason = "signature crypto failed"; 837 return sec_status_bogus; 838 } 839 840 log_crypto_error("verify:", ERR_get_error()); 841 return sec_status_unchecked; 842 } 843 844 /**************************************************/ 845 #elif defined(HAVE_NSS) 846 /* libnss implementation */ 847 /* nss3 */ 848 #include "sechash.h" 849 #include "pk11pub.h" 850 #include "keyhi.h" 851 #include "secerr.h" 852 #include "cryptohi.h" 853 /* nspr4 */ 854 #include "prerror.h" 855 856 /* return size of digest if supported, or 0 otherwise */ 857 size_t 858 nsec3_hash_algo_size_supported(int id) 859 { 860 switch(id) { 861 case NSEC3_HASH_SHA1: 862 return SHA1_LENGTH; 863 default: 864 return 0; 865 } 866 } 867 868 /* perform nsec3 hash. return false on failure */ 869 int 870 secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len, 871 unsigned char* res) 872 { 873 switch(algo) { 874 case NSEC3_HASH_SHA1: 875 (void)HASH_HashBuf(HASH_AlgSHA1, res, buf, (unsigned long)len); 876 return 1; 877 default: 878 return 0; 879 } 880 } 881 882 void 883 secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res) 884 { 885 (void)HASH_HashBuf(HASH_AlgSHA256, res, buf, (unsigned long)len); 886 } 887 888 /** the secalgo hash structure */ 889 struct secalgo_hash { 890 /** hash context */ 891 HASHContext* ctx; 892 }; 893 894 /** create hash struct of type */ 895 static struct secalgo_hash* secalgo_hash_create_type(HASH_HashType tp) 896 { 897 struct secalgo_hash* h = calloc(1, sizeof(*h)); 898 if(!h) 899 return NULL; 900 h->ctx = HASH_Create(tp); 901 if(!h->ctx) { 902 free(h); 903 return NULL; 904 } 905 return h; 906 } 907 908 struct secalgo_hash* secalgo_hash_create_sha384(void) 909 { 910 return secalgo_hash_create_type(HASH_AlgSHA384); 911 } 912 913 struct secalgo_hash* secalgo_hash_create_sha512(void) 914 { 915 return secalgo_hash_create_type(HASH_AlgSHA512); 916 } 917 918 int secalgo_hash_update(struct secalgo_hash* hash, uint8_t* data, size_t len) 919 { 920 HASH_Update(hash->ctx, (unsigned char*)data, (unsigned int)len); 921 return 1; 922 } 923 924 int secalgo_hash_final(struct secalgo_hash* hash, uint8_t* result, 925 size_t maxlen, size_t* resultlen) 926 { 927 unsigned int reslen = 0; 928 if(HASH_ResultLenContext(hash->ctx) > (unsigned int)maxlen) { 929 *resultlen = 0; 930 log_err("secalgo_hash_final: hash buffer too small"); 931 return 0; 932 } 933 HASH_End(hash->ctx, (unsigned char*)result, &reslen, 934 (unsigned int)maxlen); 935 *resultlen = (size_t)reslen; 936 return 1; 937 } 938 939 void secalgo_hash_delete(struct secalgo_hash* hash) 940 { 941 if(!hash) return; 942 HASH_Destroy(hash->ctx); 943 free(hash); 944 } 945 946 size_t 947 ds_digest_size_supported(int algo) 948 { 949 /* uses libNSS */ 950 switch(algo) { 951 #ifdef USE_SHA1 952 case LDNS_SHA1: 953 return SHA1_LENGTH; 954 #endif 955 #ifdef USE_SHA2 956 case LDNS_SHA256: 957 return SHA256_LENGTH; 958 #endif 959 #ifdef USE_ECDSA 960 case LDNS_SHA384: 961 return SHA384_LENGTH; 962 #endif 963 /* GOST not supported in NSS */ 964 case LDNS_HASH_GOST: 965 default: break; 966 } 967 return 0; 968 } 969 970 int 971 secalgo_ds_digest(int algo, unsigned char* buf, size_t len, 972 unsigned char* res) 973 { 974 /* uses libNSS */ 975 switch(algo) { 976 #ifdef USE_SHA1 977 case LDNS_SHA1: 978 return HASH_HashBuf(HASH_AlgSHA1, res, buf, len) 979 == SECSuccess; 980 #endif 981 #if defined(USE_SHA2) 982 case LDNS_SHA256: 983 return HASH_HashBuf(HASH_AlgSHA256, res, buf, len) 984 == SECSuccess; 985 #endif 986 #ifdef USE_ECDSA 987 case LDNS_SHA384: 988 return HASH_HashBuf(HASH_AlgSHA384, res, buf, len) 989 == SECSuccess; 990 #endif 991 case LDNS_HASH_GOST: 992 default: 993 verbose(VERB_QUERY, "unknown DS digest algorithm %d", 994 algo); 995 break; 996 } 997 return 0; 998 } 999 1000 int 1001 dnskey_algo_id_is_supported(int id) 1002 { 1003 /* uses libNSS */ 1004 switch(id) { 1005 case LDNS_RSAMD5: 1006 /* RFC 6725 deprecates RSAMD5 */ 1007 return 0; 1008 #if defined(USE_SHA1) || defined(USE_SHA2) 1009 #if defined(USE_DSA) && defined(USE_SHA1) 1010 case LDNS_DSA: 1011 case LDNS_DSA_NSEC3: 1012 #endif 1013 #ifdef USE_SHA1 1014 case LDNS_RSASHA1: 1015 case LDNS_RSASHA1_NSEC3: 1016 #endif 1017 #ifdef USE_SHA2 1018 case LDNS_RSASHA256: 1019 #endif 1020 #ifdef USE_SHA2 1021 case LDNS_RSASHA512: 1022 #endif 1023 return 1; 1024 #endif /* SHA1 or SHA2 */ 1025 1026 #ifdef USE_ECDSA 1027 case LDNS_ECDSAP256SHA256: 1028 case LDNS_ECDSAP384SHA384: 1029 return PK11_TokenExists(CKM_ECDSA); 1030 #endif 1031 case LDNS_ECC_GOST: 1032 default: 1033 return 0; 1034 } 1035 } 1036 1037 /* return a new public key for NSS */ 1038 static SECKEYPublicKey* nss_key_create(KeyType ktype) 1039 { 1040 SECKEYPublicKey* key; 1041 PLArenaPool* arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); 1042 if(!arena) { 1043 log_err("out of memory, PORT_NewArena failed"); 1044 return NULL; 1045 } 1046 key = PORT_ArenaZNew(arena, SECKEYPublicKey); 1047 if(!key) { 1048 log_err("out of memory, PORT_ArenaZNew failed"); 1049 PORT_FreeArena(arena, PR_FALSE); 1050 return NULL; 1051 } 1052 key->arena = arena; 1053 key->keyType = ktype; 1054 key->pkcs11Slot = NULL; 1055 key->pkcs11ID = CK_INVALID_HANDLE; 1056 return key; 1057 } 1058 1059 static SECKEYPublicKey* nss_buf2ecdsa(unsigned char* key, size_t len, int algo) 1060 { 1061 SECKEYPublicKey* pk; 1062 SECItem pub = {siBuffer, NULL, 0}; 1063 SECItem params = {siBuffer, NULL, 0}; 1064 static unsigned char param256[] = { 1065 /* OBJECTIDENTIFIER 1.2.840.10045.3.1.7 (P-256) 1066 * {iso(1) member-body(2) us(840) ansi-x962(10045) curves(3) prime(1) prime256v1(7)} */ 1067 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07 1068 }; 1069 static unsigned char param384[] = { 1070 /* OBJECTIDENTIFIER 1.3.132.0.34 (P-384) 1071 * {iso(1) identified-organization(3) certicom(132) curve(0) ansip384r1(34)} */ 1072 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22 1073 }; 1074 unsigned char buf[256+2]; /* sufficient for 2*384/8+1 */ 1075 1076 /* check length, which uncompressed must be 2 bignums */ 1077 if(algo == LDNS_ECDSAP256SHA256) { 1078 if(len != 2*256/8) return NULL; 1079 /* ECCurve_X9_62_PRIME_256V1 */ 1080 } else if(algo == LDNS_ECDSAP384SHA384) { 1081 if(len != 2*384/8) return NULL; 1082 /* ECCurve_X9_62_PRIME_384R1 */ 1083 } else return NULL; 1084 1085 buf[0] = 0x04; /* POINT_FORM_UNCOMPRESSED */ 1086 memmove(buf+1, key, len); 1087 pub.data = buf; 1088 pub.len = len+1; 1089 if(algo == LDNS_ECDSAP256SHA256) { 1090 params.data = param256; 1091 params.len = sizeof(param256); 1092 } else { 1093 params.data = param384; 1094 params.len = sizeof(param384); 1095 } 1096 1097 pk = nss_key_create(ecKey); 1098 if(!pk) 1099 return NULL; 1100 pk->u.ec.size = (len/2)*8; 1101 if(SECITEM_CopyItem(pk->arena, &pk->u.ec.publicValue, &pub)) { 1102 SECKEY_DestroyPublicKey(pk); 1103 return NULL; 1104 } 1105 if(SECITEM_CopyItem(pk->arena, &pk->u.ec.DEREncodedParams, ¶ms)) { 1106 SECKEY_DestroyPublicKey(pk); 1107 return NULL; 1108 } 1109 1110 return pk; 1111 } 1112 1113 #if defined(USE_DSA) && defined(USE_SHA1) 1114 static SECKEYPublicKey* nss_buf2dsa(unsigned char* key, size_t len) 1115 { 1116 SECKEYPublicKey* pk; 1117 uint8_t T; 1118 uint16_t length; 1119 uint16_t offset; 1120 SECItem Q = {siBuffer, NULL, 0}; 1121 SECItem P = {siBuffer, NULL, 0}; 1122 SECItem G = {siBuffer, NULL, 0}; 1123 SECItem Y = {siBuffer, NULL, 0}; 1124 1125 if(len == 0) 1126 return NULL; 1127 T = (uint8_t)key[0]; 1128 length = (64 + T * 8); 1129 offset = 1; 1130 1131 if (T > 8) { 1132 return NULL; 1133 } 1134 if(len < (size_t)1 + SHA1_LENGTH + 3*length) 1135 return NULL; 1136 1137 Q.data = key+offset; 1138 Q.len = SHA1_LENGTH; 1139 offset += SHA1_LENGTH; 1140 1141 P.data = key+offset; 1142 P.len = length; 1143 offset += length; 1144 1145 G.data = key+offset; 1146 G.len = length; 1147 offset += length; 1148 1149 Y.data = key+offset; 1150 Y.len = length; 1151 offset += length; 1152 1153 pk = nss_key_create(dsaKey); 1154 if(!pk) 1155 return NULL; 1156 if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.prime, &P)) { 1157 SECKEY_DestroyPublicKey(pk); 1158 return NULL; 1159 } 1160 if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.subPrime, &Q)) { 1161 SECKEY_DestroyPublicKey(pk); 1162 return NULL; 1163 } 1164 if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.base, &G)) { 1165 SECKEY_DestroyPublicKey(pk); 1166 return NULL; 1167 } 1168 if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.publicValue, &Y)) { 1169 SECKEY_DestroyPublicKey(pk); 1170 return NULL; 1171 } 1172 return pk; 1173 } 1174 #endif /* USE_DSA && USE_SHA1 */ 1175 1176 static SECKEYPublicKey* nss_buf2rsa(unsigned char* key, size_t len) 1177 { 1178 SECKEYPublicKey* pk; 1179 uint16_t exp; 1180 uint16_t offset; 1181 uint16_t int16; 1182 SECItem modulus = {siBuffer, NULL, 0}; 1183 SECItem exponent = {siBuffer, NULL, 0}; 1184 if(len == 0) 1185 return NULL; 1186 if(key[0] == 0) { 1187 if(len < 3) 1188 return NULL; 1189 /* the exponent is too large so it's places further */ 1190 memmove(&int16, key+1, 2); 1191 exp = ntohs(int16); 1192 offset = 3; 1193 } else { 1194 exp = key[0]; 1195 offset = 1; 1196 } 1197 1198 /* key length at least one */ 1199 if(len < (size_t)offset + exp + 1) 1200 return NULL; 1201 1202 exponent.data = key+offset; 1203 exponent.len = exp; 1204 offset += exp; 1205 modulus.data = key+offset; 1206 modulus.len = (len - offset); 1207 1208 pk = nss_key_create(rsaKey); 1209 if(!pk) 1210 return NULL; 1211 if(SECITEM_CopyItem(pk->arena, &pk->u.rsa.modulus, &modulus)) { 1212 SECKEY_DestroyPublicKey(pk); 1213 return NULL; 1214 } 1215 if(SECITEM_CopyItem(pk->arena, &pk->u.rsa.publicExponent, &exponent)) { 1216 SECKEY_DestroyPublicKey(pk); 1217 return NULL; 1218 } 1219 return pk; 1220 } 1221 1222 /** 1223 * Setup key and digest for verification. Adjust sig if necessary. 1224 * 1225 * @param algo: key algorithm 1226 * @param evp_key: EVP PKEY public key to create. 1227 * @param digest_type: digest type to use 1228 * @param key: key to setup for. 1229 * @param keylen: length of key. 1230 * @param prefix: if returned, the ASN prefix for the hashblob. 1231 * @param prefixlen: length of the prefix. 1232 * @return false on failure. 1233 */ 1234 static int 1235 nss_setup_key_digest(int algo, SECKEYPublicKey** pubkey, HASH_HashType* htype, 1236 unsigned char* key, size_t keylen, unsigned char** prefix, 1237 size_t* prefixlen) 1238 { 1239 /* uses libNSS */ 1240 1241 /* hash prefix for md5, RFC2537 */ 1242 static unsigned char p_md5[] = {0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a, 1243 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 0x04, 0x10}; 1244 /* hash prefix to prepend to hash output, from RFC3110 */ 1245 static unsigned char p_sha1[] = {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B, 1246 0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14}; 1247 /* from RFC5702 */ 1248 static unsigned char p_sha256[] = {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 1249 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20}; 1250 static unsigned char p_sha512[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 1251 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40}; 1252 /* from RFC6234 */ 1253 /* for future RSASHA384 .. 1254 static unsigned char p_sha384[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 1255 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30}; 1256 */ 1257 1258 switch(algo) { 1259 1260 #if defined(USE_SHA1) || defined(USE_SHA2) 1261 #if defined(USE_DSA) && defined(USE_SHA1) 1262 case LDNS_DSA: 1263 case LDNS_DSA_NSEC3: 1264 *pubkey = nss_buf2dsa(key, keylen); 1265 if(!*pubkey) { 1266 log_err("verify: malloc failure in crypto"); 1267 return 0; 1268 } 1269 *htype = HASH_AlgSHA1; 1270 /* no prefix for DSA verification */ 1271 break; 1272 #endif 1273 #ifdef USE_SHA1 1274 case LDNS_RSASHA1: 1275 case LDNS_RSASHA1_NSEC3: 1276 #endif 1277 #ifdef USE_SHA2 1278 case LDNS_RSASHA256: 1279 #endif 1280 #ifdef USE_SHA2 1281 case LDNS_RSASHA512: 1282 #endif 1283 *pubkey = nss_buf2rsa(key, keylen); 1284 if(!*pubkey) { 1285 log_err("verify: malloc failure in crypto"); 1286 return 0; 1287 } 1288 /* select SHA version */ 1289 #ifdef USE_SHA2 1290 if(algo == LDNS_RSASHA256) { 1291 *htype = HASH_AlgSHA256; 1292 *prefix = p_sha256; 1293 *prefixlen = sizeof(p_sha256); 1294 } else 1295 #endif 1296 #ifdef USE_SHA2 1297 if(algo == LDNS_RSASHA512) { 1298 *htype = HASH_AlgSHA512; 1299 *prefix = p_sha512; 1300 *prefixlen = sizeof(p_sha512); 1301 } else 1302 #endif 1303 #ifdef USE_SHA1 1304 { 1305 *htype = HASH_AlgSHA1; 1306 *prefix = p_sha1; 1307 *prefixlen = sizeof(p_sha1); 1308 } 1309 #else 1310 { 1311 verbose(VERB_QUERY, "verify: no digest algo"); 1312 return 0; 1313 } 1314 #endif 1315 1316 break; 1317 #endif /* SHA1 or SHA2 */ 1318 1319 case LDNS_RSAMD5: 1320 *pubkey = nss_buf2rsa(key, keylen); 1321 if(!*pubkey) { 1322 log_err("verify: malloc failure in crypto"); 1323 return 0; 1324 } 1325 *htype = HASH_AlgMD5; 1326 *prefix = p_md5; 1327 *prefixlen = sizeof(p_md5); 1328 1329 break; 1330 #ifdef USE_ECDSA 1331 case LDNS_ECDSAP256SHA256: 1332 *pubkey = nss_buf2ecdsa(key, keylen, 1333 LDNS_ECDSAP256SHA256); 1334 if(!*pubkey) { 1335 log_err("verify: malloc failure in crypto"); 1336 return 0; 1337 } 1338 *htype = HASH_AlgSHA256; 1339 /* no prefix for DSA verification */ 1340 break; 1341 case LDNS_ECDSAP384SHA384: 1342 *pubkey = nss_buf2ecdsa(key, keylen, 1343 LDNS_ECDSAP384SHA384); 1344 if(!*pubkey) { 1345 log_err("verify: malloc failure in crypto"); 1346 return 0; 1347 } 1348 *htype = HASH_AlgSHA384; 1349 /* no prefix for DSA verification */ 1350 break; 1351 #endif /* USE_ECDSA */ 1352 case LDNS_ECC_GOST: 1353 default: 1354 verbose(VERB_QUERY, "verify: unknown algorithm %d", 1355 algo); 1356 return 0; 1357 } 1358 return 1; 1359 } 1360 1361 /** 1362 * Check a canonical sig+rrset and signature against a dnskey 1363 * @param buf: buffer with data to verify, the first rrsig part and the 1364 * canonicalized rrset. 1365 * @param algo: DNSKEY algorithm. 1366 * @param sigblock: signature rdata field from RRSIG 1367 * @param sigblock_len: length of sigblock data. 1368 * @param key: public key data from DNSKEY RR. 1369 * @param keylen: length of keydata. 1370 * @param reason: bogus reason in more detail. 1371 * @return secure if verification succeeded, bogus on crypto failure, 1372 * unchecked on format errors and alloc failures. 1373 */ 1374 enum sec_status 1375 verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock, 1376 unsigned int sigblock_len, unsigned char* key, unsigned int keylen, 1377 char** reason) 1378 { 1379 /* uses libNSS */ 1380 /* large enough for the different hashes */ 1381 unsigned char hash[HASH_LENGTH_MAX]; 1382 unsigned char hash2[HASH_LENGTH_MAX*2]; 1383 HASH_HashType htype = 0; 1384 SECKEYPublicKey* pubkey = NULL; 1385 SECItem secsig = {siBuffer, sigblock, sigblock_len}; 1386 SECItem sechash = {siBuffer, hash, 0}; 1387 SECStatus res; 1388 unsigned char* prefix = NULL; /* prefix for hash, RFC3110, RFC5702 */ 1389 size_t prefixlen = 0; 1390 int err; 1391 1392 if(!nss_setup_key_digest(algo, &pubkey, &htype, key, keylen, 1393 &prefix, &prefixlen)) { 1394 verbose(VERB_QUERY, "verify: failed to setup key"); 1395 *reason = "use of key for crypto failed"; 1396 SECKEY_DestroyPublicKey(pubkey); 1397 return sec_status_bogus; 1398 } 1399 1400 #if defined(USE_DSA) && defined(USE_SHA1) 1401 /* need to convert DSA, ECDSA signatures? */ 1402 if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3)) { 1403 if(sigblock_len == 1+2*SHA1_LENGTH) { 1404 secsig.data ++; 1405 secsig.len --; 1406 } else { 1407 SECItem* p = DSAU_DecodeDerSig(&secsig); 1408 if(!p) { 1409 verbose(VERB_QUERY, "verify: failed DER decode"); 1410 *reason = "signature DER decode failed"; 1411 SECKEY_DestroyPublicKey(pubkey); 1412 return sec_status_bogus; 1413 } 1414 if(SECITEM_CopyItem(pubkey->arena, &secsig, p)) { 1415 log_err("alloc failure in DER decode"); 1416 SECKEY_DestroyPublicKey(pubkey); 1417 SECITEM_FreeItem(p, PR_TRUE); 1418 return sec_status_unchecked; 1419 } 1420 SECITEM_FreeItem(p, PR_TRUE); 1421 } 1422 } 1423 #endif /* USE_DSA */ 1424 1425 /* do the signature cryptography work */ 1426 /* hash the data */ 1427 sechash.len = HASH_ResultLen(htype); 1428 if(sechash.len > sizeof(hash)) { 1429 verbose(VERB_QUERY, "verify: hash too large for buffer"); 1430 SECKEY_DestroyPublicKey(pubkey); 1431 return sec_status_unchecked; 1432 } 1433 if(HASH_HashBuf(htype, hash, (unsigned char*)sldns_buffer_begin(buf), 1434 (unsigned int)sldns_buffer_limit(buf)) != SECSuccess) { 1435 verbose(VERB_QUERY, "verify: HASH_HashBuf failed"); 1436 SECKEY_DestroyPublicKey(pubkey); 1437 return sec_status_unchecked; 1438 } 1439 if(prefix) { 1440 int hashlen = sechash.len; 1441 if(prefixlen+hashlen > sizeof(hash2)) { 1442 verbose(VERB_QUERY, "verify: hashprefix too large"); 1443 SECKEY_DestroyPublicKey(pubkey); 1444 return sec_status_unchecked; 1445 } 1446 sechash.data = hash2; 1447 sechash.len = prefixlen+hashlen; 1448 memcpy(sechash.data, prefix, prefixlen); 1449 memmove(sechash.data+prefixlen, hash, hashlen); 1450 } 1451 1452 /* verify the signature */ 1453 res = PK11_Verify(pubkey, &secsig, &sechash, NULL /*wincx*/); 1454 SECKEY_DestroyPublicKey(pubkey); 1455 1456 if(res == SECSuccess) { 1457 return sec_status_secure; 1458 } 1459 err = PORT_GetError(); 1460 if(err != SEC_ERROR_BAD_SIGNATURE) { 1461 /* failed to verify */ 1462 verbose(VERB_QUERY, "verify: PK11_Verify failed: %s", 1463 PORT_ErrorToString(err)); 1464 /* if it is not supported, like ECC is removed, we get, 1465 * SEC_ERROR_NO_MODULE */ 1466 if(err == SEC_ERROR_NO_MODULE) 1467 return sec_status_unchecked; 1468 /* but other errors are commonly returned 1469 * for a bad signature from NSS. Thus we return bogus, 1470 * not unchecked */ 1471 *reason = "signature crypto failed"; 1472 return sec_status_bogus; 1473 } 1474 verbose(VERB_QUERY, "verify: signature mismatch: %s", 1475 PORT_ErrorToString(err)); 1476 *reason = "signature crypto failed"; 1477 return sec_status_bogus; 1478 } 1479 1480 #elif defined(HAVE_NETTLE) 1481 1482 #include "sha.h" 1483 #include "bignum.h" 1484 #include "macros.h" 1485 #include "rsa.h" 1486 #include "dsa.h" 1487 #ifdef HAVE_NETTLE_DSA_COMPAT_H 1488 #include "dsa-compat.h" 1489 #endif 1490 #include "asn1.h" 1491 #ifdef USE_ECDSA 1492 #include "ecdsa.h" 1493 #include "ecc-curve.h" 1494 #endif 1495 #ifdef HAVE_NETTLE_EDDSA_H 1496 #include "eddsa.h" 1497 #endif 1498 1499 static int 1500 _digest_nettle(int algo, uint8_t* buf, size_t len, 1501 unsigned char* res) 1502 { 1503 switch(algo) { 1504 case SHA1_DIGEST_SIZE: 1505 { 1506 struct sha1_ctx ctx; 1507 sha1_init(&ctx); 1508 sha1_update(&ctx, len, buf); 1509 sha1_digest(&ctx, SHA1_DIGEST_SIZE, res); 1510 return 1; 1511 } 1512 case SHA256_DIGEST_SIZE: 1513 { 1514 struct sha256_ctx ctx; 1515 sha256_init(&ctx); 1516 sha256_update(&ctx, len, buf); 1517 sha256_digest(&ctx, SHA256_DIGEST_SIZE, res); 1518 return 1; 1519 } 1520 case SHA384_DIGEST_SIZE: 1521 { 1522 struct sha384_ctx ctx; 1523 sha384_init(&ctx); 1524 sha384_update(&ctx, len, buf); 1525 sha384_digest(&ctx, SHA384_DIGEST_SIZE, res); 1526 return 1; 1527 } 1528 case SHA512_DIGEST_SIZE: 1529 { 1530 struct sha512_ctx ctx; 1531 sha512_init(&ctx); 1532 sha512_update(&ctx, len, buf); 1533 sha512_digest(&ctx, SHA512_DIGEST_SIZE, res); 1534 return 1; 1535 } 1536 default: 1537 break; 1538 } 1539 return 0; 1540 } 1541 1542 /* return size of digest if supported, or 0 otherwise */ 1543 size_t 1544 nsec3_hash_algo_size_supported(int id) 1545 { 1546 switch(id) { 1547 case NSEC3_HASH_SHA1: 1548 return SHA1_DIGEST_SIZE; 1549 default: 1550 return 0; 1551 } 1552 } 1553 1554 /* perform nsec3 hash. return false on failure */ 1555 int 1556 secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len, 1557 unsigned char* res) 1558 { 1559 switch(algo) { 1560 case NSEC3_HASH_SHA1: 1561 return _digest_nettle(SHA1_DIGEST_SIZE, (uint8_t*)buf, len, 1562 res); 1563 default: 1564 return 0; 1565 } 1566 } 1567 1568 void 1569 secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res) 1570 { 1571 _digest_nettle(SHA256_DIGEST_SIZE, (uint8_t*)buf, len, res); 1572 } 1573 1574 /** secalgo hash structure */ 1575 struct secalgo_hash { 1576 /** if it is 384 or 512 */ 1577 int active; 1578 /** context for sha384 */ 1579 struct sha384_ctx ctx384; 1580 /** context for sha512 */ 1581 struct sha512_ctx ctx512; 1582 }; 1583 1584 struct secalgo_hash* secalgo_hash_create_sha384(void) 1585 { 1586 struct secalgo_hash* h = calloc(1, sizeof(*h)); 1587 if(!h) 1588 return NULL; 1589 h->active = 384; 1590 sha384_init(&h->ctx384); 1591 return h; 1592 } 1593 1594 struct secalgo_hash* secalgo_hash_create_sha512(void) 1595 { 1596 struct secalgo_hash* h = calloc(1, sizeof(*h)); 1597 if(!h) 1598 return NULL; 1599 h->active = 512; 1600 sha512_init(&h->ctx512); 1601 return h; 1602 } 1603 1604 int secalgo_hash_update(struct secalgo_hash* hash, uint8_t* data, size_t len) 1605 { 1606 if(hash->active == 384) { 1607 sha384_update(&hash->ctx384, len, data); 1608 } else if(hash->active == 512) { 1609 sha512_update(&hash->ctx512, len, data); 1610 } else { 1611 return 0; 1612 } 1613 return 1; 1614 } 1615 1616 int secalgo_hash_final(struct secalgo_hash* hash, uint8_t* result, 1617 size_t maxlen, size_t* resultlen) 1618 { 1619 if(hash->active == 384) { 1620 if(SHA384_DIGEST_SIZE > maxlen) { 1621 *resultlen = 0; 1622 log_err("secalgo_hash_final: hash buffer too small"); 1623 return 0; 1624 } 1625 *resultlen = SHA384_DIGEST_SIZE; 1626 sha384_digest(&hash->ctx384, SHA384_DIGEST_SIZE, 1627 (unsigned char*)result); 1628 } else if(hash->active == 512) { 1629 if(SHA512_DIGEST_SIZE > maxlen) { 1630 *resultlen = 0; 1631 log_err("secalgo_hash_final: hash buffer too small"); 1632 return 0; 1633 } 1634 *resultlen = SHA512_DIGEST_SIZE; 1635 sha512_digest(&hash->ctx512, SHA512_DIGEST_SIZE, 1636 (unsigned char*)result); 1637 } else { 1638 *resultlen = 0; 1639 return 0; 1640 } 1641 return 1; 1642 } 1643 1644 void secalgo_hash_delete(struct secalgo_hash* hash) 1645 { 1646 if(!hash) return; 1647 free(hash); 1648 } 1649 1650 /** 1651 * Return size of DS digest according to its hash algorithm. 1652 * @param algo: DS digest algo. 1653 * @return size in bytes of digest, or 0 if not supported. 1654 */ 1655 size_t 1656 ds_digest_size_supported(int algo) 1657 { 1658 switch(algo) { 1659 case LDNS_SHA1: 1660 #ifdef USE_SHA1 1661 return SHA1_DIGEST_SIZE; 1662 #else 1663 if(fake_sha1) return 20; 1664 return 0; 1665 #endif 1666 #ifdef USE_SHA2 1667 case LDNS_SHA256: 1668 return SHA256_DIGEST_SIZE; 1669 #endif 1670 #ifdef USE_ECDSA 1671 case LDNS_SHA384: 1672 return SHA384_DIGEST_SIZE; 1673 #endif 1674 /* GOST not supported */ 1675 case LDNS_HASH_GOST: 1676 default: 1677 break; 1678 } 1679 return 0; 1680 } 1681 1682 int 1683 secalgo_ds_digest(int algo, unsigned char* buf, size_t len, 1684 unsigned char* res) 1685 { 1686 switch(algo) { 1687 #ifdef USE_SHA1 1688 case LDNS_SHA1: 1689 return _digest_nettle(SHA1_DIGEST_SIZE, buf, len, res); 1690 #endif 1691 #if defined(USE_SHA2) 1692 case LDNS_SHA256: 1693 return _digest_nettle(SHA256_DIGEST_SIZE, buf, len, res); 1694 #endif 1695 #ifdef USE_ECDSA 1696 case LDNS_SHA384: 1697 return _digest_nettle(SHA384_DIGEST_SIZE, buf, len, res); 1698 1699 #endif 1700 case LDNS_HASH_GOST: 1701 default: 1702 verbose(VERB_QUERY, "unknown DS digest algorithm %d", 1703 algo); 1704 break; 1705 } 1706 return 0; 1707 } 1708 1709 int 1710 dnskey_algo_id_is_supported(int id) 1711 { 1712 /* uses libnettle */ 1713 switch(id) { 1714 case LDNS_DSA: 1715 case LDNS_DSA_NSEC3: 1716 #if defined(USE_DSA) && defined(USE_SHA1) 1717 return 1; 1718 #else 1719 if(fake_dsa || fake_sha1) return 1; 1720 return 0; 1721 #endif 1722 case LDNS_RSASHA1: 1723 case LDNS_RSASHA1_NSEC3: 1724 #ifdef USE_SHA1 1725 return 1; 1726 #else 1727 if(fake_sha1) return 1; 1728 return 0; 1729 #endif 1730 #ifdef USE_SHA2 1731 case LDNS_RSASHA256: 1732 case LDNS_RSASHA512: 1733 #endif 1734 #ifdef USE_ECDSA 1735 case LDNS_ECDSAP256SHA256: 1736 case LDNS_ECDSAP384SHA384: 1737 #endif 1738 return 1; 1739 #ifdef USE_ED25519 1740 case LDNS_ED25519: 1741 return 1; 1742 #endif 1743 case LDNS_RSAMD5: /* RFC 6725 deprecates RSAMD5 */ 1744 case LDNS_ECC_GOST: 1745 default: 1746 return 0; 1747 } 1748 } 1749 1750 #if defined(USE_DSA) && defined(USE_SHA1) 1751 static char * 1752 _verify_nettle_dsa(sldns_buffer* buf, unsigned char* sigblock, 1753 unsigned int sigblock_len, unsigned char* key, unsigned int keylen) 1754 { 1755 uint8_t digest[SHA1_DIGEST_SIZE]; 1756 uint8_t key_t_value; 1757 int res = 0; 1758 size_t offset; 1759 struct dsa_public_key pubkey; 1760 struct dsa_signature signature; 1761 unsigned int expected_len; 1762 1763 /* Extract DSA signature from the record */ 1764 nettle_dsa_signature_init(&signature); 1765 /* Signature length: 41 bytes - RFC 2536 sec. 3 */ 1766 if(sigblock_len == 41) { 1767 if(key[0] != sigblock[0]) 1768 return "invalid T value in DSA signature or pubkey"; 1769 nettle_mpz_set_str_256_u(signature.r, 20, sigblock+1); 1770 nettle_mpz_set_str_256_u(signature.s, 20, sigblock+1+20); 1771 } else { 1772 /* DER encoded, decode the ASN1 notated R and S bignums */ 1773 /* SEQUENCE { r INTEGER, s INTEGER } */ 1774 struct asn1_der_iterator i, seq; 1775 if(asn1_der_iterator_first(&i, sigblock_len, 1776 (uint8_t*)sigblock) != ASN1_ITERATOR_CONSTRUCTED 1777 || i.type != ASN1_SEQUENCE) 1778 return "malformed DER encoded DSA signature"; 1779 /* decode this element of i using the seq iterator */ 1780 if(asn1_der_decode_constructed(&i, &seq) != 1781 ASN1_ITERATOR_PRIMITIVE || seq.type != ASN1_INTEGER) 1782 return "malformed DER encoded DSA signature"; 1783 if(!asn1_der_get_bignum(&seq, signature.r, 20*8)) 1784 return "malformed DER encoded DSA signature"; 1785 if(asn1_der_iterator_next(&seq) != ASN1_ITERATOR_PRIMITIVE 1786 || seq.type != ASN1_INTEGER) 1787 return "malformed DER encoded DSA signature"; 1788 if(!asn1_der_get_bignum(&seq, signature.s, 20*8)) 1789 return "malformed DER encoded DSA signature"; 1790 if(asn1_der_iterator_next(&i) != ASN1_ITERATOR_END) 1791 return "malformed DER encoded DSA signature"; 1792 } 1793 1794 /* Validate T values constraints - RFC 2536 sec. 2 & sec. 3 */ 1795 key_t_value = key[0]; 1796 if (key_t_value > 8) { 1797 return "invalid T value in DSA pubkey"; 1798 } 1799 1800 /* Pubkey minimum length: 21 bytes - RFC 2536 sec. 2 */ 1801 if (keylen < 21) { 1802 return "DSA pubkey too short"; 1803 } 1804 1805 expected_len = 1 + /* T */ 1806 20 + /* Q */ 1807 (64 + key_t_value*8) + /* P */ 1808 (64 + key_t_value*8) + /* G */ 1809 (64 + key_t_value*8); /* Y */ 1810 if (keylen != expected_len ) { 1811 return "invalid DSA pubkey length"; 1812 } 1813 1814 /* Extract DSA pubkey from the record */ 1815 nettle_dsa_public_key_init(&pubkey); 1816 offset = 1; 1817 nettle_mpz_set_str_256_u(pubkey.q, 20, key+offset); 1818 offset += 20; 1819 nettle_mpz_set_str_256_u(pubkey.p, (64 + key_t_value*8), key+offset); 1820 offset += (64 + key_t_value*8); 1821 nettle_mpz_set_str_256_u(pubkey.g, (64 + key_t_value*8), key+offset); 1822 offset += (64 + key_t_value*8); 1823 nettle_mpz_set_str_256_u(pubkey.y, (64 + key_t_value*8), key+offset); 1824 1825 /* Digest content of "buf" and verify its DSA signature in "sigblock"*/ 1826 res = _digest_nettle(SHA1_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), 1827 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); 1828 res &= dsa_sha1_verify_digest(&pubkey, digest, &signature); 1829 1830 /* Clear and return */ 1831 nettle_dsa_signature_clear(&signature); 1832 nettle_dsa_public_key_clear(&pubkey); 1833 if (!res) 1834 return "DSA signature verification failed"; 1835 else 1836 return NULL; 1837 } 1838 #endif /* USE_DSA */ 1839 1840 static char * 1841 _verify_nettle_rsa(sldns_buffer* buf, unsigned int digest_size, char* sigblock, 1842 unsigned int sigblock_len, uint8_t* key, unsigned int keylen) 1843 { 1844 uint16_t exp_len = 0; 1845 size_t exp_offset = 0, mod_offset = 0; 1846 struct rsa_public_key pubkey; 1847 mpz_t signature; 1848 int res = 0; 1849 1850 /* RSA pubkey parsing as per RFC 3110 sec. 2 */ 1851 if( keylen <= 1) { 1852 return "null RSA key"; 1853 } 1854 if (key[0] != 0) { 1855 /* 1-byte length */ 1856 exp_len = key[0]; 1857 exp_offset = 1; 1858 } else { 1859 /* 1-byte NUL + 2-bytes exponent length */ 1860 if (keylen < 3) { 1861 return "incorrect RSA key length"; 1862 } 1863 exp_len = READ_UINT16(key+1); 1864 if (exp_len == 0) 1865 return "null RSA exponent length"; 1866 exp_offset = 3; 1867 } 1868 /* Check that we are not over-running input length */ 1869 if (keylen < exp_offset + exp_len + 1) { 1870 return "RSA key content shorter than expected"; 1871 } 1872 mod_offset = exp_offset + exp_len; 1873 nettle_rsa_public_key_init(&pubkey); 1874 pubkey.size = keylen - mod_offset; 1875 nettle_mpz_set_str_256_u(pubkey.e, exp_len, &key[exp_offset]); 1876 nettle_mpz_set_str_256_u(pubkey.n, pubkey.size, &key[mod_offset]); 1877 1878 /* Digest content of "buf" and verify its RSA signature in "sigblock"*/ 1879 nettle_mpz_init_set_str_256_u(signature, sigblock_len, (uint8_t*)sigblock); 1880 switch (digest_size) { 1881 case SHA1_DIGEST_SIZE: 1882 { 1883 uint8_t digest[SHA1_DIGEST_SIZE]; 1884 res = _digest_nettle(SHA1_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), 1885 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); 1886 res &= rsa_sha1_verify_digest(&pubkey, digest, signature); 1887 break; 1888 } 1889 case SHA256_DIGEST_SIZE: 1890 { 1891 uint8_t digest[SHA256_DIGEST_SIZE]; 1892 res = _digest_nettle(SHA256_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), 1893 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); 1894 res &= rsa_sha256_verify_digest(&pubkey, digest, signature); 1895 break; 1896 } 1897 case SHA512_DIGEST_SIZE: 1898 { 1899 uint8_t digest[SHA512_DIGEST_SIZE]; 1900 res = _digest_nettle(SHA512_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), 1901 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); 1902 res &= rsa_sha512_verify_digest(&pubkey, digest, signature); 1903 break; 1904 } 1905 default: 1906 break; 1907 } 1908 1909 /* Clear and return */ 1910 nettle_rsa_public_key_clear(&pubkey); 1911 mpz_clear(signature); 1912 if (!res) { 1913 return "RSA signature verification failed"; 1914 } else { 1915 return NULL; 1916 } 1917 } 1918 1919 #ifdef USE_ECDSA 1920 static char * 1921 _verify_nettle_ecdsa(sldns_buffer* buf, unsigned int digest_size, unsigned char* sigblock, 1922 unsigned int sigblock_len, unsigned char* key, unsigned int keylen) 1923 { 1924 int res = 0; 1925 struct ecc_point pubkey; 1926 struct dsa_signature signature; 1927 1928 /* Always matched strength, as per RFC 6605 sec. 1 */ 1929 if (sigblock_len != 2*digest_size || keylen != 2*digest_size) { 1930 return "wrong ECDSA signature length"; 1931 } 1932 1933 /* Parse ECDSA signature as per RFC 6605 sec. 4 */ 1934 nettle_dsa_signature_init(&signature); 1935 switch (digest_size) { 1936 case SHA256_DIGEST_SIZE: 1937 { 1938 uint8_t digest[SHA256_DIGEST_SIZE]; 1939 mpz_t x, y; 1940 nettle_ecc_point_init(&pubkey, nettle_get_secp_256r1()); 1941 nettle_mpz_init_set_str_256_u(x, SHA256_DIGEST_SIZE, key); 1942 nettle_mpz_init_set_str_256_u(y, SHA256_DIGEST_SIZE, key+SHA256_DIGEST_SIZE); 1943 nettle_mpz_set_str_256_u(signature.r, SHA256_DIGEST_SIZE, sigblock); 1944 nettle_mpz_set_str_256_u(signature.s, SHA256_DIGEST_SIZE, sigblock+SHA256_DIGEST_SIZE); 1945 res = _digest_nettle(SHA256_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), 1946 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); 1947 res &= nettle_ecc_point_set(&pubkey, x, y); 1948 res &= nettle_ecdsa_verify (&pubkey, SHA256_DIGEST_SIZE, digest, &signature); 1949 mpz_clear(x); 1950 mpz_clear(y); 1951 nettle_ecc_point_clear(&pubkey); 1952 break; 1953 } 1954 case SHA384_DIGEST_SIZE: 1955 { 1956 uint8_t digest[SHA384_DIGEST_SIZE]; 1957 mpz_t x, y; 1958 nettle_ecc_point_init(&pubkey, nettle_get_secp_384r1()); 1959 nettle_mpz_init_set_str_256_u(x, SHA384_DIGEST_SIZE, key); 1960 nettle_mpz_init_set_str_256_u(y, SHA384_DIGEST_SIZE, key+SHA384_DIGEST_SIZE); 1961 nettle_mpz_set_str_256_u(signature.r, SHA384_DIGEST_SIZE, sigblock); 1962 nettle_mpz_set_str_256_u(signature.s, SHA384_DIGEST_SIZE, sigblock+SHA384_DIGEST_SIZE); 1963 res = _digest_nettle(SHA384_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), 1964 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); 1965 res &= nettle_ecc_point_set(&pubkey, x, y); 1966 res &= nettle_ecdsa_verify (&pubkey, SHA384_DIGEST_SIZE, digest, &signature); 1967 mpz_clear(x); 1968 mpz_clear(y); 1969 nettle_ecc_point_clear(&pubkey); 1970 break; 1971 } 1972 default: 1973 return "unknown ECDSA algorithm"; 1974 } 1975 1976 /* Clear and return */ 1977 nettle_dsa_signature_clear(&signature); 1978 if (!res) 1979 return "ECDSA signature verification failed"; 1980 else 1981 return NULL; 1982 } 1983 #endif 1984 1985 #ifdef USE_ED25519 1986 static char * 1987 _verify_nettle_ed25519(sldns_buffer* buf, unsigned char* sigblock, 1988 unsigned int sigblock_len, unsigned char* key, unsigned int keylen) 1989 { 1990 int res = 0; 1991 1992 if(sigblock_len != ED25519_SIGNATURE_SIZE) { 1993 return "wrong ED25519 signature length"; 1994 } 1995 if(keylen != ED25519_KEY_SIZE) { 1996 return "wrong ED25519 key length"; 1997 } 1998 1999 res = ed25519_sha512_verify((uint8_t*)key, sldns_buffer_limit(buf), 2000 sldns_buffer_begin(buf), (uint8_t*)sigblock); 2001 2002 if (!res) 2003 return "ED25519 signature verification failed"; 2004 else 2005 return NULL; 2006 } 2007 #endif 2008 2009 /** 2010 * Check a canonical sig+rrset and signature against a dnskey 2011 * @param buf: buffer with data to verify, the first rrsig part and the 2012 * canonicalized rrset. 2013 * @param algo: DNSKEY algorithm. 2014 * @param sigblock: signature rdata field from RRSIG 2015 * @param sigblock_len: length of sigblock data. 2016 * @param key: public key data from DNSKEY RR. 2017 * @param keylen: length of keydata. 2018 * @param reason: bogus reason in more detail. 2019 * @return secure if verification succeeded, bogus on crypto failure, 2020 * unchecked on format errors and alloc failures. 2021 */ 2022 enum sec_status 2023 verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock, 2024 unsigned int sigblock_len, unsigned char* key, unsigned int keylen, 2025 char** reason) 2026 { 2027 unsigned int digest_size = 0; 2028 2029 if (sigblock_len == 0 || keylen == 0) { 2030 *reason = "null signature"; 2031 return sec_status_bogus; 2032 } 2033 2034 #ifndef USE_DSA 2035 if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) &&(fake_dsa||fake_sha1)) 2036 return sec_status_secure; 2037 #endif 2038 #ifndef USE_SHA1 2039 if(fake_sha1 && (algo == LDNS_DSA || algo == LDNS_DSA_NSEC3 || algo == LDNS_RSASHA1 || algo == LDNS_RSASHA1_NSEC3)) 2040 return sec_status_secure; 2041 #endif 2042 2043 switch(algo) { 2044 #if defined(USE_DSA) && defined(USE_SHA1) 2045 case LDNS_DSA: 2046 case LDNS_DSA_NSEC3: 2047 *reason = _verify_nettle_dsa(buf, sigblock, sigblock_len, key, keylen); 2048 if (*reason != NULL) 2049 return sec_status_bogus; 2050 else 2051 return sec_status_secure; 2052 #endif /* USE_DSA */ 2053 2054 #ifdef USE_SHA1 2055 case LDNS_RSASHA1: 2056 case LDNS_RSASHA1_NSEC3: 2057 digest_size = (digest_size ? digest_size : SHA1_DIGEST_SIZE); 2058 #endif 2059 /* double fallthrough annotation to please gcc parser */ 2060 /* fallthrough */ 2061 #ifdef USE_SHA2 2062 /* fallthrough */ 2063 case LDNS_RSASHA256: 2064 digest_size = (digest_size ? digest_size : SHA256_DIGEST_SIZE); 2065 /* fallthrough */ 2066 case LDNS_RSASHA512: 2067 digest_size = (digest_size ? digest_size : SHA512_DIGEST_SIZE); 2068 2069 #endif 2070 *reason = _verify_nettle_rsa(buf, digest_size, (char*)sigblock, 2071 sigblock_len, key, keylen); 2072 if (*reason != NULL) 2073 return sec_status_bogus; 2074 else 2075 return sec_status_secure; 2076 2077 #ifdef USE_ECDSA 2078 case LDNS_ECDSAP256SHA256: 2079 digest_size = (digest_size ? digest_size : SHA256_DIGEST_SIZE); 2080 /* fallthrough */ 2081 case LDNS_ECDSAP384SHA384: 2082 digest_size = (digest_size ? digest_size : SHA384_DIGEST_SIZE); 2083 *reason = _verify_nettle_ecdsa(buf, digest_size, sigblock, 2084 sigblock_len, key, keylen); 2085 if (*reason != NULL) 2086 return sec_status_bogus; 2087 else 2088 return sec_status_secure; 2089 #endif 2090 #ifdef USE_ED25519 2091 case LDNS_ED25519: 2092 *reason = _verify_nettle_ed25519(buf, sigblock, sigblock_len, 2093 key, keylen); 2094 if (*reason != NULL) 2095 return sec_status_bogus; 2096 else 2097 return sec_status_secure; 2098 #endif 2099 case LDNS_RSAMD5: 2100 case LDNS_ECC_GOST: 2101 default: 2102 *reason = "unable to verify signature, unknown algorithm"; 2103 return sec_status_bogus; 2104 } 2105 } 2106 2107 #endif /* HAVE_SSL or HAVE_NSS or HAVE_NETTLE */ 2108