1 /* 2 * validator/val_secalgo.c - validator security algorithm functions. 3 * 4 * Copyright (c) 2012, NLnet Labs. All rights reserved. 5 * 6 * This software is open source. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * Redistributions of source code must retain the above copyright notice, 13 * this list of conditions and the following disclaimer. 14 * 15 * Redistributions in binary form must reproduce the above copyright notice, 16 * this list of conditions and the following disclaimer in the documentation 17 * and/or other materials provided with the distribution. 18 * 19 * Neither the name of the NLNET LABS nor the names of its contributors may 20 * be used to endorse or promote products derived from this software without 21 * specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36 /** 37 * \file 38 * 39 * This file contains helper functions for the validator module. 40 * These functions take raw data buffers, formatted for crypto verification, 41 * and do the library calls (for the crypto library in use). 42 */ 43 #include "config.h" 44 /* packed_rrset on top to define enum types (forced by c99 standard) */ 45 #include "util/data/packed_rrset.h" 46 #include "validator/val_secalgo.h" 47 #include "validator/val_nsec3.h" 48 #include "util/log.h" 49 #include "sldns/rrdef.h" 50 #include "sldns/keyraw.h" 51 #include "sldns/sbuffer.h" 52 53 #if !defined(HAVE_SSL) && !defined(HAVE_NSS) && !defined(HAVE_NETTLE) 54 #error "Need crypto library to do digital signature cryptography" 55 #endif 56 57 /* OpenSSL implementation */ 58 #ifdef HAVE_SSL 59 #ifdef HAVE_OPENSSL_ERR_H 60 #include <openssl/err.h> 61 #endif 62 63 #ifdef HAVE_OPENSSL_RAND_H 64 #include <openssl/rand.h> 65 #endif 66 67 #ifdef HAVE_OPENSSL_CONF_H 68 #include <openssl/conf.h> 69 #endif 70 71 #ifdef HAVE_OPENSSL_ENGINE_H 72 #include <openssl/engine.h> 73 #endif 74 75 /* return size of digest if supported, or 0 otherwise */ 76 size_t 77 nsec3_hash_algo_size_supported(int id) 78 { 79 switch(id) { 80 case NSEC3_HASH_SHA1: 81 return SHA_DIGEST_LENGTH; 82 default: 83 return 0; 84 } 85 } 86 87 /* perform nsec3 hash. return false on failure */ 88 int 89 secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len, 90 unsigned char* res) 91 { 92 switch(algo) { 93 case NSEC3_HASH_SHA1: 94 (void)SHA1(buf, len, res); 95 return 1; 96 default: 97 return 0; 98 } 99 } 100 101 void 102 secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res) 103 { 104 (void)SHA256(buf, len, res); 105 } 106 107 /** 108 * Return size of DS digest according to its hash algorithm. 109 * @param algo: DS digest algo. 110 * @return size in bytes of digest, or 0 if not supported. 111 */ 112 size_t 113 ds_digest_size_supported(int algo) 114 { 115 switch(algo) { 116 #ifdef HAVE_EVP_SHA1 117 case LDNS_SHA1: 118 return SHA_DIGEST_LENGTH; 119 #endif 120 #ifdef HAVE_EVP_SHA256 121 case LDNS_SHA256: 122 return SHA256_DIGEST_LENGTH; 123 #endif 124 #ifdef USE_GOST 125 case LDNS_HASH_GOST: 126 /* we support GOST if it can be loaded */ 127 (void)sldns_key_EVP_load_gost_id(); 128 if(EVP_get_digestbyname("md_gost94")) 129 return 32; 130 else return 0; 131 #endif 132 #ifdef USE_ECDSA 133 case LDNS_SHA384: 134 return SHA384_DIGEST_LENGTH; 135 #endif 136 default: break; 137 } 138 return 0; 139 } 140 141 #ifdef USE_GOST 142 /** Perform GOST hash */ 143 static int 144 do_gost94(unsigned char* data, size_t len, unsigned char* dest) 145 { 146 const EVP_MD* md = EVP_get_digestbyname("md_gost94"); 147 if(!md) 148 return 0; 149 return sldns_digest_evp(data, (unsigned int)len, dest, md); 150 } 151 #endif 152 153 int 154 secalgo_ds_digest(int algo, unsigned char* buf, size_t len, 155 unsigned char* res) 156 { 157 switch(algo) { 158 #ifdef HAVE_EVP_SHA1 159 case LDNS_SHA1: 160 (void)SHA1(buf, len, res); 161 return 1; 162 #endif 163 #ifdef HAVE_EVP_SHA256 164 case LDNS_SHA256: 165 (void)SHA256(buf, len, res); 166 return 1; 167 #endif 168 #ifdef USE_GOST 169 case LDNS_HASH_GOST: 170 if(do_gost94(buf, len, res)) 171 return 1; 172 break; 173 #endif 174 #ifdef USE_ECDSA 175 case LDNS_SHA384: 176 (void)SHA384(buf, len, res); 177 return 1; 178 #endif 179 default: 180 verbose(VERB_QUERY, "unknown DS digest algorithm %d", 181 algo); 182 break; 183 } 184 return 0; 185 } 186 187 /** return true if DNSKEY algorithm id is supported */ 188 int 189 dnskey_algo_id_is_supported(int id) 190 { 191 switch(id) { 192 case LDNS_RSAMD5: 193 /* RFC 6725 deprecates RSAMD5 */ 194 return 0; 195 #ifdef USE_DSA 196 case LDNS_DSA: 197 case LDNS_DSA_NSEC3: 198 #endif 199 case LDNS_RSASHA1: 200 case LDNS_RSASHA1_NSEC3: 201 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2) 202 case LDNS_RSASHA256: 203 #endif 204 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2) 205 case LDNS_RSASHA512: 206 #endif 207 #ifdef USE_ECDSA 208 case LDNS_ECDSAP256SHA256: 209 case LDNS_ECDSAP384SHA384: 210 #endif 211 return 1; 212 #ifdef USE_GOST 213 case LDNS_ECC_GOST: 214 /* we support GOST if it can be loaded */ 215 return sldns_key_EVP_load_gost_id(); 216 #endif 217 default: 218 return 0; 219 } 220 } 221 222 /** 223 * Output a libcrypto openssl error to the logfile. 224 * @param str: string to add to it. 225 * @param e: the error to output, error number from ERR_get_error(). 226 */ 227 static void 228 log_crypto_error(const char* str, unsigned long e) 229 { 230 char buf[128]; 231 /* or use ERR_error_string if ERR_error_string_n is not avail TODO */ 232 ERR_error_string_n(e, buf, sizeof(buf)); 233 /* buf now contains */ 234 /* error:[error code]:[library name]:[function name]:[reason string] */ 235 log_err("%s crypto %s", str, buf); 236 } 237 238 #ifdef USE_DSA 239 /** 240 * Setup DSA key digest in DER encoding ... 241 * @param sig: input is signature output alloced ptr (unless failure). 242 * caller must free alloced ptr if this routine returns true. 243 * @param len: input is initial siglen, output is output len. 244 * @return false on failure. 245 */ 246 static int 247 setup_dsa_sig(unsigned char** sig, unsigned int* len) 248 { 249 unsigned char* orig = *sig; 250 unsigned int origlen = *len; 251 int newlen; 252 BIGNUM *R, *S; 253 DSA_SIG *dsasig; 254 255 /* extract the R and S field from the sig buffer */ 256 if(origlen < 1 + 2*SHA_DIGEST_LENGTH) 257 return 0; 258 R = BN_new(); 259 if(!R) return 0; 260 (void) BN_bin2bn(orig + 1, SHA_DIGEST_LENGTH, R); 261 S = BN_new(); 262 if(!S) return 0; 263 (void) BN_bin2bn(orig + 21, SHA_DIGEST_LENGTH, S); 264 dsasig = DSA_SIG_new(); 265 if(!dsasig) return 0; 266 267 dsasig->r = R; 268 dsasig->s = S; 269 *sig = NULL; 270 newlen = i2d_DSA_SIG(dsasig, sig); 271 if(newlen < 0) { 272 DSA_SIG_free(dsasig); 273 free(*sig); 274 return 0; 275 } 276 *len = (unsigned int)newlen; 277 DSA_SIG_free(dsasig); 278 return 1; 279 } 280 #endif /* USE_DSA */ 281 282 #ifdef USE_ECDSA 283 /** 284 * Setup the ECDSA signature in its encoding that the library wants. 285 * Converts from plain numbers to ASN formatted. 286 * @param sig: input is signature, output alloced ptr (unless failure). 287 * caller must free alloced ptr if this routine returns true. 288 * @param len: input is initial siglen, output is output len. 289 * @return false on failure. 290 */ 291 static int 292 setup_ecdsa_sig(unsigned char** sig, unsigned int* len) 293 { 294 /* convert from two BIGNUMs in the rdata buffer, to ASN notation. 295 * ASN preable: 30440220 <R 32bytefor256> 0220 <S 32bytefor256> 296 * the '20' is the length of that field (=bnsize). 297 i * the '44' is the total remaining length. 298 * if negative, start with leading zero. 299 * if starts with 00s, remove them from the number. 300 */ 301 uint8_t pre[] = {0x30, 0x44, 0x02, 0x20}; 302 int pre_len = 4; 303 uint8_t mid[] = {0x02, 0x20}; 304 int mid_len = 2; 305 int raw_sig_len, r_high, s_high, r_rem=0, s_rem=0; 306 int bnsize = (int)((*len)/2); 307 unsigned char* d = *sig; 308 uint8_t* p; 309 /* if too short or not even length, fails */ 310 if(*len < 16 || bnsize*2 != (int)*len) 311 return 0; 312 313 /* strip leading zeroes from r (but not last one) */ 314 while(r_rem < bnsize-1 && d[r_rem] == 0) 315 r_rem++; 316 /* strip leading zeroes from s (but not last one) */ 317 while(s_rem < bnsize-1 && d[bnsize+s_rem] == 0) 318 s_rem++; 319 320 r_high = ((d[0+r_rem]&0x80)?1:0); 321 s_high = ((d[bnsize+s_rem]&0x80)?1:0); 322 raw_sig_len = pre_len + r_high + bnsize - r_rem + mid_len + 323 s_high + bnsize - s_rem; 324 *sig = (unsigned char*)malloc((size_t)raw_sig_len); 325 if(!*sig) 326 return 0; 327 p = (uint8_t*)*sig; 328 p[0] = pre[0]; 329 p[1] = (uint8_t)(raw_sig_len-2); 330 p[2] = pre[2]; 331 p[3] = (uint8_t)(bnsize + r_high - r_rem); 332 p += 4; 333 if(r_high) { 334 *p = 0; 335 p += 1; 336 } 337 memmove(p, d+r_rem, (size_t)bnsize-r_rem); 338 p += bnsize-r_rem; 339 memmove(p, mid, (size_t)mid_len-1); 340 p += mid_len-1; 341 *p = (uint8_t)(bnsize + s_high - s_rem); 342 p += 1; 343 if(s_high) { 344 *p = 0; 345 p += 1; 346 } 347 memmove(p, d+bnsize+s_rem, (size_t)bnsize-s_rem); 348 *len = (unsigned int)raw_sig_len; 349 return 1; 350 } 351 #endif /* USE_ECDSA */ 352 353 /** 354 * Setup key and digest for verification. Adjust sig if necessary. 355 * 356 * @param algo: key algorithm 357 * @param evp_key: EVP PKEY public key to create. 358 * @param digest_type: digest type to use 359 * @param key: key to setup for. 360 * @param keylen: length of key. 361 * @return false on failure. 362 */ 363 static int 364 setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type, 365 unsigned char* key, size_t keylen) 366 { 367 #ifdef USE_DSA 368 DSA* dsa; 369 #endif 370 RSA* rsa; 371 372 switch(algo) { 373 #ifdef USE_DSA 374 case LDNS_DSA: 375 case LDNS_DSA_NSEC3: 376 *evp_key = EVP_PKEY_new(); 377 if(!*evp_key) { 378 log_err("verify: malloc failure in crypto"); 379 return 0; 380 } 381 dsa = sldns_key_buf2dsa_raw(key, keylen); 382 if(!dsa) { 383 verbose(VERB_QUERY, "verify: " 384 "sldns_key_buf2dsa_raw failed"); 385 return 0; 386 } 387 if(EVP_PKEY_assign_DSA(*evp_key, dsa) == 0) { 388 verbose(VERB_QUERY, "verify: " 389 "EVP_PKEY_assign_DSA failed"); 390 return 0; 391 } 392 *digest_type = EVP_dss1(); 393 394 break; 395 #endif /* USE_DSA */ 396 case LDNS_RSASHA1: 397 case LDNS_RSASHA1_NSEC3: 398 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2) 399 case LDNS_RSASHA256: 400 #endif 401 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2) 402 case LDNS_RSASHA512: 403 #endif 404 *evp_key = EVP_PKEY_new(); 405 if(!*evp_key) { 406 log_err("verify: malloc failure in crypto"); 407 return 0; 408 } 409 rsa = sldns_key_buf2rsa_raw(key, keylen); 410 if(!rsa) { 411 verbose(VERB_QUERY, "verify: " 412 "sldns_key_buf2rsa_raw SHA failed"); 413 return 0; 414 } 415 if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) { 416 verbose(VERB_QUERY, "verify: " 417 "EVP_PKEY_assign_RSA SHA failed"); 418 return 0; 419 } 420 421 /* select SHA version */ 422 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2) 423 if(algo == LDNS_RSASHA256) 424 *digest_type = EVP_sha256(); 425 else 426 #endif 427 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2) 428 if(algo == LDNS_RSASHA512) 429 *digest_type = EVP_sha512(); 430 else 431 #endif 432 *digest_type = EVP_sha1(); 433 434 break; 435 case LDNS_RSAMD5: 436 *evp_key = EVP_PKEY_new(); 437 if(!*evp_key) { 438 log_err("verify: malloc failure in crypto"); 439 return 0; 440 } 441 rsa = sldns_key_buf2rsa_raw(key, keylen); 442 if(!rsa) { 443 verbose(VERB_QUERY, "verify: " 444 "sldns_key_buf2rsa_raw MD5 failed"); 445 return 0; 446 } 447 if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) { 448 verbose(VERB_QUERY, "verify: " 449 "EVP_PKEY_assign_RSA MD5 failed"); 450 return 0; 451 } 452 *digest_type = EVP_md5(); 453 454 break; 455 #ifdef USE_GOST 456 case LDNS_ECC_GOST: 457 *evp_key = sldns_gost2pkey_raw(key, keylen); 458 if(!*evp_key) { 459 verbose(VERB_QUERY, "verify: " 460 "sldns_gost2pkey_raw failed"); 461 return 0; 462 } 463 *digest_type = EVP_get_digestbyname("md_gost94"); 464 if(!*digest_type) { 465 verbose(VERB_QUERY, "verify: " 466 "EVP_getdigest md_gost94 failed"); 467 return 0; 468 } 469 break; 470 #endif 471 #ifdef USE_ECDSA 472 case LDNS_ECDSAP256SHA256: 473 *evp_key = sldns_ecdsa2pkey_raw(key, keylen, 474 LDNS_ECDSAP256SHA256); 475 if(!*evp_key) { 476 verbose(VERB_QUERY, "verify: " 477 "sldns_ecdsa2pkey_raw failed"); 478 return 0; 479 } 480 #ifdef USE_ECDSA_EVP_WORKAROUND 481 /* openssl before 1.0.0 fixes RSA with the SHA256 482 * hash in EVP. We create one for ecdsa_sha256 */ 483 { 484 static int md_ecdsa_256_done = 0; 485 static EVP_MD md; 486 if(!md_ecdsa_256_done) { 487 EVP_MD m = *EVP_sha256(); 488 md_ecdsa_256_done = 1; 489 m.required_pkey_type[0] = (*evp_key)->type; 490 m.verify = (void*)ECDSA_verify; 491 md = m; 492 } 493 *digest_type = &md; 494 } 495 #else 496 *digest_type = EVP_sha256(); 497 #endif 498 break; 499 case LDNS_ECDSAP384SHA384: 500 *evp_key = sldns_ecdsa2pkey_raw(key, keylen, 501 LDNS_ECDSAP384SHA384); 502 if(!*evp_key) { 503 verbose(VERB_QUERY, "verify: " 504 "sldns_ecdsa2pkey_raw failed"); 505 return 0; 506 } 507 #ifdef USE_ECDSA_EVP_WORKAROUND 508 /* openssl before 1.0.0 fixes RSA with the SHA384 509 * hash in EVP. We create one for ecdsa_sha384 */ 510 { 511 static int md_ecdsa_384_done = 0; 512 static EVP_MD md; 513 if(!md_ecdsa_384_done) { 514 EVP_MD m = *EVP_sha384(); 515 md_ecdsa_384_done = 1; 516 m.required_pkey_type[0] = (*evp_key)->type; 517 m.verify = (void*)ECDSA_verify; 518 md = m; 519 } 520 *digest_type = &md; 521 } 522 #else 523 *digest_type = EVP_sha384(); 524 #endif 525 break; 526 #endif /* USE_ECDSA */ 527 default: 528 verbose(VERB_QUERY, "verify: unknown algorithm %d", 529 algo); 530 return 0; 531 } 532 return 1; 533 } 534 535 /** 536 * Check a canonical sig+rrset and signature against a dnskey 537 * @param buf: buffer with data to verify, the first rrsig part and the 538 * canonicalized rrset. 539 * @param algo: DNSKEY algorithm. 540 * @param sigblock: signature rdata field from RRSIG 541 * @param sigblock_len: length of sigblock data. 542 * @param key: public key data from DNSKEY RR. 543 * @param keylen: length of keydata. 544 * @param reason: bogus reason in more detail. 545 * @return secure if verification succeeded, bogus on crypto failure, 546 * unchecked on format errors and alloc failures. 547 */ 548 enum sec_status 549 verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock, 550 unsigned int sigblock_len, unsigned char* key, unsigned int keylen, 551 char** reason) 552 { 553 const EVP_MD *digest_type; 554 EVP_MD_CTX* ctx; 555 int res, dofree = 0, docrypto_free = 0; 556 EVP_PKEY *evp_key = NULL; 557 558 if(!setup_key_digest(algo, &evp_key, &digest_type, key, keylen)) { 559 verbose(VERB_QUERY, "verify: failed to setup key"); 560 *reason = "use of key for crypto failed"; 561 EVP_PKEY_free(evp_key); 562 return sec_status_bogus; 563 } 564 #ifdef USE_DSA 565 /* if it is a DSA signature in bind format, convert to DER format */ 566 if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) && 567 sigblock_len == 1+2*SHA_DIGEST_LENGTH) { 568 if(!setup_dsa_sig(&sigblock, &sigblock_len)) { 569 verbose(VERB_QUERY, "verify: failed to setup DSA sig"); 570 *reason = "use of key for DSA crypto failed"; 571 EVP_PKEY_free(evp_key); 572 return sec_status_bogus; 573 } 574 docrypto_free = 1; 575 } 576 #endif 577 #if defined(USE_ECDSA) && defined(USE_DSA) 578 else 579 #endif 580 #ifdef USE_ECDSA 581 if(algo == LDNS_ECDSAP256SHA256 || algo == LDNS_ECDSAP384SHA384) { 582 /* EVP uses ASN prefix on sig, which is not in the wire data */ 583 if(!setup_ecdsa_sig(&sigblock, &sigblock_len)) { 584 verbose(VERB_QUERY, "verify: failed to setup ECDSA sig"); 585 *reason = "use of signature for ECDSA crypto failed"; 586 EVP_PKEY_free(evp_key); 587 return sec_status_bogus; 588 } 589 dofree = 1; 590 } 591 #endif /* USE_ECDSA */ 592 593 /* do the signature cryptography work */ 594 #ifdef HAVE_EVP_MD_CTX_NEW 595 ctx = EVP_MD_CTX_new(); 596 #else 597 ctx = (EVP_MD_CTX*)malloc(sizeof(*ctx)); 598 if(ctx) EVP_MD_CTX_init(ctx); 599 #endif 600 if(!ctx) { 601 log_err("EVP_MD_CTX_new: malloc failure"); 602 EVP_PKEY_free(evp_key); 603 if(dofree) free(sigblock); 604 else if(docrypto_free) CRYPTO_free(sigblock); 605 return sec_status_unchecked; 606 } 607 if(EVP_VerifyInit(ctx, digest_type) == 0) { 608 verbose(VERB_QUERY, "verify: EVP_VerifyInit failed"); 609 EVP_MD_CTX_destroy(ctx); 610 EVP_PKEY_free(evp_key); 611 if(dofree) free(sigblock); 612 else if(docrypto_free) CRYPTO_free(sigblock); 613 return sec_status_unchecked; 614 } 615 if(EVP_VerifyUpdate(ctx, (unsigned char*)sldns_buffer_begin(buf), 616 (unsigned int)sldns_buffer_limit(buf)) == 0) { 617 verbose(VERB_QUERY, "verify: EVP_VerifyUpdate failed"); 618 EVP_MD_CTX_destroy(ctx); 619 EVP_PKEY_free(evp_key); 620 if(dofree) free(sigblock); 621 else if(docrypto_free) CRYPTO_free(sigblock); 622 return sec_status_unchecked; 623 } 624 625 res = EVP_VerifyFinal(ctx, sigblock, sigblock_len, evp_key); 626 #ifdef HAVE_EVP_MD_CTX_NEW 627 EVP_MD_CTX_destroy(ctx); 628 #else 629 EVP_MD_CTX_cleanup(ctx); 630 free(ctx); 631 #endif 632 EVP_PKEY_free(evp_key); 633 634 if(dofree) free(sigblock); 635 else if(docrypto_free) CRYPTO_free(sigblock); 636 637 if(res == 1) { 638 return sec_status_secure; 639 } else if(res == 0) { 640 verbose(VERB_QUERY, "verify: signature mismatch"); 641 *reason = "signature crypto failed"; 642 return sec_status_bogus; 643 } 644 645 log_crypto_error("verify:", ERR_get_error()); 646 return sec_status_unchecked; 647 } 648 649 /**************************************************/ 650 #elif defined(HAVE_NSS) 651 /* libnss implementation */ 652 /* nss3 */ 653 #include "sechash.h" 654 #include "pk11pub.h" 655 #include "keyhi.h" 656 #include "secerr.h" 657 #include "cryptohi.h" 658 /* nspr4 */ 659 #include "prerror.h" 660 661 /* return size of digest if supported, or 0 otherwise */ 662 size_t 663 nsec3_hash_algo_size_supported(int id) 664 { 665 switch(id) { 666 case NSEC3_HASH_SHA1: 667 return SHA1_LENGTH; 668 default: 669 return 0; 670 } 671 } 672 673 /* perform nsec3 hash. return false on failure */ 674 int 675 secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len, 676 unsigned char* res) 677 { 678 switch(algo) { 679 case NSEC3_HASH_SHA1: 680 (void)HASH_HashBuf(HASH_AlgSHA1, res, buf, (unsigned long)len); 681 return 1; 682 default: 683 return 0; 684 } 685 } 686 687 void 688 secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res) 689 { 690 (void)HASH_HashBuf(HASH_AlgSHA256, res, buf, (unsigned long)len); 691 } 692 693 size_t 694 ds_digest_size_supported(int algo) 695 { 696 /* uses libNSS */ 697 switch(algo) { 698 case LDNS_SHA1: 699 return SHA1_LENGTH; 700 #ifdef USE_SHA2 701 case LDNS_SHA256: 702 return SHA256_LENGTH; 703 #endif 704 #ifdef USE_ECDSA 705 case LDNS_SHA384: 706 return SHA384_LENGTH; 707 #endif 708 /* GOST not supported in NSS */ 709 case LDNS_HASH_GOST: 710 default: break; 711 } 712 return 0; 713 } 714 715 int 716 secalgo_ds_digest(int algo, unsigned char* buf, size_t len, 717 unsigned char* res) 718 { 719 /* uses libNSS */ 720 switch(algo) { 721 case LDNS_SHA1: 722 return HASH_HashBuf(HASH_AlgSHA1, res, buf, len) 723 == SECSuccess; 724 #if defined(USE_SHA2) 725 case LDNS_SHA256: 726 return HASH_HashBuf(HASH_AlgSHA256, res, buf, len) 727 == SECSuccess; 728 #endif 729 #ifdef USE_ECDSA 730 case LDNS_SHA384: 731 return HASH_HashBuf(HASH_AlgSHA384, res, buf, len) 732 == SECSuccess; 733 #endif 734 case LDNS_HASH_GOST: 735 default: 736 verbose(VERB_QUERY, "unknown DS digest algorithm %d", 737 algo); 738 break; 739 } 740 return 0; 741 } 742 743 int 744 dnskey_algo_id_is_supported(int id) 745 { 746 /* uses libNSS */ 747 switch(id) { 748 case LDNS_RSAMD5: 749 /* RFC 6725 deprecates RSAMD5 */ 750 return 0; 751 #ifdef USE_DSA 752 case LDNS_DSA: 753 case LDNS_DSA_NSEC3: 754 #endif 755 case LDNS_RSASHA1: 756 case LDNS_RSASHA1_NSEC3: 757 #ifdef USE_SHA2 758 case LDNS_RSASHA256: 759 #endif 760 #ifdef USE_SHA2 761 case LDNS_RSASHA512: 762 #endif 763 return 1; 764 #ifdef USE_ECDSA 765 case LDNS_ECDSAP256SHA256: 766 case LDNS_ECDSAP384SHA384: 767 return PK11_TokenExists(CKM_ECDSA); 768 #endif 769 case LDNS_ECC_GOST: 770 default: 771 return 0; 772 } 773 } 774 775 /* return a new public key for NSS */ 776 static SECKEYPublicKey* nss_key_create(KeyType ktype) 777 { 778 SECKEYPublicKey* key; 779 PLArenaPool* arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); 780 if(!arena) { 781 log_err("out of memory, PORT_NewArena failed"); 782 return NULL; 783 } 784 key = PORT_ArenaZNew(arena, SECKEYPublicKey); 785 if(!key) { 786 log_err("out of memory, PORT_ArenaZNew failed"); 787 PORT_FreeArena(arena, PR_FALSE); 788 return NULL; 789 } 790 key->arena = arena; 791 key->keyType = ktype; 792 key->pkcs11Slot = NULL; 793 key->pkcs11ID = CK_INVALID_HANDLE; 794 return key; 795 } 796 797 static SECKEYPublicKey* nss_buf2ecdsa(unsigned char* key, size_t len, int algo) 798 { 799 SECKEYPublicKey* pk; 800 SECItem pub = {siBuffer, NULL, 0}; 801 SECItem params = {siBuffer, NULL, 0}; 802 static unsigned char param256[] = { 803 /* OBJECTIDENTIFIER 1.2.840.10045.3.1.7 (P-256) 804 * {iso(1) member-body(2) us(840) ansi-x962(10045) curves(3) prime(1) prime256v1(7)} */ 805 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07 806 }; 807 static unsigned char param384[] = { 808 /* OBJECTIDENTIFIER 1.3.132.0.34 (P-384) 809 * {iso(1) identified-organization(3) certicom(132) curve(0) ansip384r1(34)} */ 810 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22 811 }; 812 unsigned char buf[256+2]; /* sufficient for 2*384/8+1 */ 813 814 /* check length, which uncompressed must be 2 bignums */ 815 if(algo == LDNS_ECDSAP256SHA256) { 816 if(len != 2*256/8) return NULL; 817 /* ECCurve_X9_62_PRIME_256V1 */ 818 } else if(algo == LDNS_ECDSAP384SHA384) { 819 if(len != 2*384/8) return NULL; 820 /* ECCurve_X9_62_PRIME_384R1 */ 821 } else return NULL; 822 823 buf[0] = 0x04; /* POINT_FORM_UNCOMPRESSED */ 824 memmove(buf+1, key, len); 825 pub.data = buf; 826 pub.len = len+1; 827 if(algo == LDNS_ECDSAP256SHA256) { 828 params.data = param256; 829 params.len = sizeof(param256); 830 } else { 831 params.data = param384; 832 params.len = sizeof(param384); 833 } 834 835 pk = nss_key_create(ecKey); 836 if(!pk) 837 return NULL; 838 pk->u.ec.size = (len/2)*8; 839 if(SECITEM_CopyItem(pk->arena, &pk->u.ec.publicValue, &pub)) { 840 SECKEY_DestroyPublicKey(pk); 841 return NULL; 842 } 843 if(SECITEM_CopyItem(pk->arena, &pk->u.ec.DEREncodedParams, ¶ms)) { 844 SECKEY_DestroyPublicKey(pk); 845 return NULL; 846 } 847 848 return pk; 849 } 850 851 static SECKEYPublicKey* nss_buf2dsa(unsigned char* key, size_t len) 852 { 853 SECKEYPublicKey* pk; 854 uint8_t T; 855 uint16_t length; 856 uint16_t offset; 857 SECItem Q = {siBuffer, NULL, 0}; 858 SECItem P = {siBuffer, NULL, 0}; 859 SECItem G = {siBuffer, NULL, 0}; 860 SECItem Y = {siBuffer, NULL, 0}; 861 862 if(len == 0) 863 return NULL; 864 T = (uint8_t)key[0]; 865 length = (64 + T * 8); 866 offset = 1; 867 868 if (T > 8) { 869 return NULL; 870 } 871 if(len < (size_t)1 + SHA1_LENGTH + 3*length) 872 return NULL; 873 874 Q.data = key+offset; 875 Q.len = SHA1_LENGTH; 876 offset += SHA1_LENGTH; 877 878 P.data = key+offset; 879 P.len = length; 880 offset += length; 881 882 G.data = key+offset; 883 G.len = length; 884 offset += length; 885 886 Y.data = key+offset; 887 Y.len = length; 888 offset += length; 889 890 pk = nss_key_create(dsaKey); 891 if(!pk) 892 return NULL; 893 if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.prime, &P)) { 894 SECKEY_DestroyPublicKey(pk); 895 return NULL; 896 } 897 if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.subPrime, &Q)) { 898 SECKEY_DestroyPublicKey(pk); 899 return NULL; 900 } 901 if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.base, &G)) { 902 SECKEY_DestroyPublicKey(pk); 903 return NULL; 904 } 905 if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.publicValue, &Y)) { 906 SECKEY_DestroyPublicKey(pk); 907 return NULL; 908 } 909 return pk; 910 } 911 912 static SECKEYPublicKey* nss_buf2rsa(unsigned char* key, size_t len) 913 { 914 SECKEYPublicKey* pk; 915 uint16_t exp; 916 uint16_t offset; 917 uint16_t int16; 918 SECItem modulus = {siBuffer, NULL, 0}; 919 SECItem exponent = {siBuffer, NULL, 0}; 920 if(len == 0) 921 return NULL; 922 if(key[0] == 0) { 923 if(len < 3) 924 return NULL; 925 /* the exponent is too large so it's places further */ 926 memmove(&int16, key+1, 2); 927 exp = ntohs(int16); 928 offset = 3; 929 } else { 930 exp = key[0]; 931 offset = 1; 932 } 933 934 /* key length at least one */ 935 if(len < (size_t)offset + exp + 1) 936 return NULL; 937 938 exponent.data = key+offset; 939 exponent.len = exp; 940 offset += exp; 941 modulus.data = key+offset; 942 modulus.len = (len - offset); 943 944 pk = nss_key_create(rsaKey); 945 if(!pk) 946 return NULL; 947 if(SECITEM_CopyItem(pk->arena, &pk->u.rsa.modulus, &modulus)) { 948 SECKEY_DestroyPublicKey(pk); 949 return NULL; 950 } 951 if(SECITEM_CopyItem(pk->arena, &pk->u.rsa.publicExponent, &exponent)) { 952 SECKEY_DestroyPublicKey(pk); 953 return NULL; 954 } 955 return pk; 956 } 957 958 /** 959 * Setup key and digest for verification. Adjust sig if necessary. 960 * 961 * @param algo: key algorithm 962 * @param evp_key: EVP PKEY public key to create. 963 * @param digest_type: digest type to use 964 * @param key: key to setup for. 965 * @param keylen: length of key. 966 * @param prefix: if returned, the ASN prefix for the hashblob. 967 * @param prefixlen: length of the prefix. 968 * @return false on failure. 969 */ 970 static int 971 nss_setup_key_digest(int algo, SECKEYPublicKey** pubkey, HASH_HashType* htype, 972 unsigned char* key, size_t keylen, unsigned char** prefix, 973 size_t* prefixlen) 974 { 975 /* uses libNSS */ 976 977 /* hash prefix for md5, RFC2537 */ 978 static unsigned char p_md5[] = {0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a, 979 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 0x04, 0x10}; 980 /* hash prefix to prepend to hash output, from RFC3110 */ 981 static unsigned char p_sha1[] = {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B, 982 0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14}; 983 /* from RFC5702 */ 984 static unsigned char p_sha256[] = {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 985 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20}; 986 static unsigned char p_sha512[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 987 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40}; 988 /* from RFC6234 */ 989 /* for future RSASHA384 .. 990 static unsigned char p_sha384[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 991 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30}; 992 */ 993 994 switch(algo) { 995 #ifdef USE_DSA 996 case LDNS_DSA: 997 case LDNS_DSA_NSEC3: 998 *pubkey = nss_buf2dsa(key, keylen); 999 if(!*pubkey) { 1000 log_err("verify: malloc failure in crypto"); 1001 return 0; 1002 } 1003 *htype = HASH_AlgSHA1; 1004 /* no prefix for DSA verification */ 1005 break; 1006 #endif 1007 case LDNS_RSASHA1: 1008 case LDNS_RSASHA1_NSEC3: 1009 #ifdef USE_SHA2 1010 case LDNS_RSASHA256: 1011 #endif 1012 #ifdef USE_SHA2 1013 case LDNS_RSASHA512: 1014 #endif 1015 *pubkey = nss_buf2rsa(key, keylen); 1016 if(!*pubkey) { 1017 log_err("verify: malloc failure in crypto"); 1018 return 0; 1019 } 1020 /* select SHA version */ 1021 #ifdef USE_SHA2 1022 if(algo == LDNS_RSASHA256) { 1023 *htype = HASH_AlgSHA256; 1024 *prefix = p_sha256; 1025 *prefixlen = sizeof(p_sha256); 1026 } else 1027 #endif 1028 #ifdef USE_SHA2 1029 if(algo == LDNS_RSASHA512) { 1030 *htype = HASH_AlgSHA512; 1031 *prefix = p_sha512; 1032 *prefixlen = sizeof(p_sha512); 1033 } else 1034 #endif 1035 { 1036 *htype = HASH_AlgSHA1; 1037 *prefix = p_sha1; 1038 *prefixlen = sizeof(p_sha1); 1039 } 1040 1041 break; 1042 case LDNS_RSAMD5: 1043 *pubkey = nss_buf2rsa(key, keylen); 1044 if(!*pubkey) { 1045 log_err("verify: malloc failure in crypto"); 1046 return 0; 1047 } 1048 *htype = HASH_AlgMD5; 1049 *prefix = p_md5; 1050 *prefixlen = sizeof(p_md5); 1051 1052 break; 1053 #ifdef USE_ECDSA 1054 case LDNS_ECDSAP256SHA256: 1055 *pubkey = nss_buf2ecdsa(key, keylen, 1056 LDNS_ECDSAP256SHA256); 1057 if(!*pubkey) { 1058 log_err("verify: malloc failure in crypto"); 1059 return 0; 1060 } 1061 *htype = HASH_AlgSHA256; 1062 /* no prefix for DSA verification */ 1063 break; 1064 case LDNS_ECDSAP384SHA384: 1065 *pubkey = nss_buf2ecdsa(key, keylen, 1066 LDNS_ECDSAP384SHA384); 1067 if(!*pubkey) { 1068 log_err("verify: malloc failure in crypto"); 1069 return 0; 1070 } 1071 *htype = HASH_AlgSHA384; 1072 /* no prefix for DSA verification */ 1073 break; 1074 #endif /* USE_ECDSA */ 1075 case LDNS_ECC_GOST: 1076 default: 1077 verbose(VERB_QUERY, "verify: unknown algorithm %d", 1078 algo); 1079 return 0; 1080 } 1081 return 1; 1082 } 1083 1084 /** 1085 * Check a canonical sig+rrset and signature against a dnskey 1086 * @param buf: buffer with data to verify, the first rrsig part and the 1087 * canonicalized rrset. 1088 * @param algo: DNSKEY algorithm. 1089 * @param sigblock: signature rdata field from RRSIG 1090 * @param sigblock_len: length of sigblock data. 1091 * @param key: public key data from DNSKEY RR. 1092 * @param keylen: length of keydata. 1093 * @param reason: bogus reason in more detail. 1094 * @return secure if verification succeeded, bogus on crypto failure, 1095 * unchecked on format errors and alloc failures. 1096 */ 1097 enum sec_status 1098 verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock, 1099 unsigned int sigblock_len, unsigned char* key, unsigned int keylen, 1100 char** reason) 1101 { 1102 /* uses libNSS */ 1103 /* large enough for the different hashes */ 1104 unsigned char hash[HASH_LENGTH_MAX]; 1105 unsigned char hash2[HASH_LENGTH_MAX*2]; 1106 HASH_HashType htype = 0; 1107 SECKEYPublicKey* pubkey = NULL; 1108 SECItem secsig = {siBuffer, sigblock, sigblock_len}; 1109 SECItem sechash = {siBuffer, hash, 0}; 1110 SECStatus res; 1111 unsigned char* prefix = NULL; /* prefix for hash, RFC3110, RFC5702 */ 1112 size_t prefixlen = 0; 1113 int err; 1114 1115 if(!nss_setup_key_digest(algo, &pubkey, &htype, key, keylen, 1116 &prefix, &prefixlen)) { 1117 verbose(VERB_QUERY, "verify: failed to setup key"); 1118 *reason = "use of key for crypto failed"; 1119 SECKEY_DestroyPublicKey(pubkey); 1120 return sec_status_bogus; 1121 } 1122 1123 #ifdef USE_DSA 1124 /* need to convert DSA, ECDSA signatures? */ 1125 if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3)) { 1126 if(sigblock_len == 1+2*SHA1_LENGTH) { 1127 secsig.data ++; 1128 secsig.len --; 1129 } else { 1130 SECItem* p = DSAU_DecodeDerSig(&secsig); 1131 if(!p) { 1132 verbose(VERB_QUERY, "verify: failed DER decode"); 1133 *reason = "signature DER decode failed"; 1134 SECKEY_DestroyPublicKey(pubkey); 1135 return sec_status_bogus; 1136 } 1137 if(SECITEM_CopyItem(pubkey->arena, &secsig, p)) { 1138 log_err("alloc failure in DER decode"); 1139 SECKEY_DestroyPublicKey(pubkey); 1140 SECITEM_FreeItem(p, PR_TRUE); 1141 return sec_status_unchecked; 1142 } 1143 SECITEM_FreeItem(p, PR_TRUE); 1144 } 1145 } 1146 #endif /* USE_DSA */ 1147 1148 /* do the signature cryptography work */ 1149 /* hash the data */ 1150 sechash.len = HASH_ResultLen(htype); 1151 if(sechash.len > sizeof(hash)) { 1152 verbose(VERB_QUERY, "verify: hash too large for buffer"); 1153 SECKEY_DestroyPublicKey(pubkey); 1154 return sec_status_unchecked; 1155 } 1156 if(HASH_HashBuf(htype, hash, (unsigned char*)sldns_buffer_begin(buf), 1157 (unsigned int)sldns_buffer_limit(buf)) != SECSuccess) { 1158 verbose(VERB_QUERY, "verify: HASH_HashBuf failed"); 1159 SECKEY_DestroyPublicKey(pubkey); 1160 return sec_status_unchecked; 1161 } 1162 if(prefix) { 1163 int hashlen = sechash.len; 1164 if(prefixlen+hashlen > sizeof(hash2)) { 1165 verbose(VERB_QUERY, "verify: hashprefix too large"); 1166 SECKEY_DestroyPublicKey(pubkey); 1167 return sec_status_unchecked; 1168 } 1169 sechash.data = hash2; 1170 sechash.len = prefixlen+hashlen; 1171 memcpy(sechash.data, prefix, prefixlen); 1172 memmove(sechash.data+prefixlen, hash, hashlen); 1173 } 1174 1175 /* verify the signature */ 1176 res = PK11_Verify(pubkey, &secsig, &sechash, NULL /*wincx*/); 1177 SECKEY_DestroyPublicKey(pubkey); 1178 1179 if(res == SECSuccess) { 1180 return sec_status_secure; 1181 } 1182 err = PORT_GetError(); 1183 if(err != SEC_ERROR_BAD_SIGNATURE) { 1184 /* failed to verify */ 1185 verbose(VERB_QUERY, "verify: PK11_Verify failed: %s", 1186 PORT_ErrorToString(err)); 1187 /* if it is not supported, like ECC is removed, we get, 1188 * SEC_ERROR_NO_MODULE */ 1189 if(err == SEC_ERROR_NO_MODULE) 1190 return sec_status_unchecked; 1191 /* but other errors are commonly returned 1192 * for a bad signature from NSS. Thus we return bogus, 1193 * not unchecked */ 1194 *reason = "signature crypto failed"; 1195 return sec_status_bogus; 1196 } 1197 verbose(VERB_QUERY, "verify: signature mismatch: %s", 1198 PORT_ErrorToString(err)); 1199 *reason = "signature crypto failed"; 1200 return sec_status_bogus; 1201 } 1202 1203 #elif defined(HAVE_NETTLE) 1204 1205 #include "sha.h" 1206 #include "bignum.h" 1207 #include "macros.h" 1208 #include "rsa.h" 1209 #include "dsa.h" 1210 #include "asn1.h" 1211 #ifdef USE_ECDSA 1212 #include "ecdsa.h" 1213 #include "ecc-curve.h" 1214 #endif 1215 1216 static int 1217 _digest_nettle(int algo, uint8_t* buf, size_t len, 1218 unsigned char* res) 1219 { 1220 switch(algo) { 1221 case SHA1_DIGEST_SIZE: 1222 { 1223 struct sha1_ctx ctx; 1224 sha1_init(&ctx); 1225 sha1_update(&ctx, len, buf); 1226 sha1_digest(&ctx, SHA1_DIGEST_SIZE, res); 1227 return 1; 1228 } 1229 case SHA256_DIGEST_SIZE: 1230 { 1231 struct sha256_ctx ctx; 1232 sha256_init(&ctx); 1233 sha256_update(&ctx, len, buf); 1234 sha256_digest(&ctx, SHA256_DIGEST_SIZE, res); 1235 return 1; 1236 } 1237 case SHA384_DIGEST_SIZE: 1238 { 1239 struct sha384_ctx ctx; 1240 sha384_init(&ctx); 1241 sha384_update(&ctx, len, buf); 1242 sha384_digest(&ctx, SHA384_DIGEST_SIZE, res); 1243 return 1; 1244 } 1245 case SHA512_DIGEST_SIZE: 1246 { 1247 struct sha512_ctx ctx; 1248 sha512_init(&ctx); 1249 sha512_update(&ctx, len, buf); 1250 sha512_digest(&ctx, SHA512_DIGEST_SIZE, res); 1251 return 1; 1252 } 1253 default: 1254 break; 1255 } 1256 return 0; 1257 } 1258 1259 /* return size of digest if supported, or 0 otherwise */ 1260 size_t 1261 nsec3_hash_algo_size_supported(int id) 1262 { 1263 switch(id) { 1264 case NSEC3_HASH_SHA1: 1265 return SHA1_DIGEST_SIZE; 1266 default: 1267 return 0; 1268 } 1269 } 1270 1271 /* perform nsec3 hash. return false on failure */ 1272 int 1273 secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len, 1274 unsigned char* res) 1275 { 1276 switch(algo) { 1277 case NSEC3_HASH_SHA1: 1278 return _digest_nettle(SHA1_DIGEST_SIZE, (uint8_t*)buf, len, 1279 res); 1280 default: 1281 return 0; 1282 } 1283 } 1284 1285 void 1286 secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res) 1287 { 1288 _digest_nettle(SHA256_DIGEST_SIZE, (uint8_t*)buf, len, res); 1289 } 1290 1291 /** 1292 * Return size of DS digest according to its hash algorithm. 1293 * @param algo: DS digest algo. 1294 * @return size in bytes of digest, or 0 if not supported. 1295 */ 1296 size_t 1297 ds_digest_size_supported(int algo) 1298 { 1299 switch(algo) { 1300 case LDNS_SHA1: 1301 return SHA1_DIGEST_SIZE; 1302 #ifdef USE_SHA2 1303 case LDNS_SHA256: 1304 return SHA256_DIGEST_SIZE; 1305 #endif 1306 #ifdef USE_ECDSA 1307 case LDNS_SHA384: 1308 return SHA384_DIGEST_SIZE; 1309 #endif 1310 /* GOST not supported */ 1311 case LDNS_HASH_GOST: 1312 default: 1313 break; 1314 } 1315 return 0; 1316 } 1317 1318 int 1319 secalgo_ds_digest(int algo, unsigned char* buf, size_t len, 1320 unsigned char* res) 1321 { 1322 switch(algo) { 1323 case LDNS_SHA1: 1324 return _digest_nettle(SHA1_DIGEST_SIZE, buf, len, res); 1325 #if defined(USE_SHA2) 1326 case LDNS_SHA256: 1327 return _digest_nettle(SHA256_DIGEST_SIZE, buf, len, res); 1328 #endif 1329 #ifdef USE_ECDSA 1330 case LDNS_SHA384: 1331 return _digest_nettle(SHA384_DIGEST_SIZE, buf, len, res); 1332 1333 #endif 1334 case LDNS_HASH_GOST: 1335 default: 1336 verbose(VERB_QUERY, "unknown DS digest algorithm %d", 1337 algo); 1338 break; 1339 } 1340 return 0; 1341 } 1342 1343 int 1344 dnskey_algo_id_is_supported(int id) 1345 { 1346 /* uses libnettle */ 1347 switch(id) { 1348 #ifdef USE_DSA 1349 case LDNS_DSA: 1350 case LDNS_DSA_NSEC3: 1351 #endif 1352 case LDNS_RSASHA1: 1353 case LDNS_RSASHA1_NSEC3: 1354 #ifdef USE_SHA2 1355 case LDNS_RSASHA256: 1356 case LDNS_RSASHA512: 1357 #endif 1358 #ifdef USE_ECDSA 1359 case LDNS_ECDSAP256SHA256: 1360 case LDNS_ECDSAP384SHA384: 1361 #endif 1362 return 1; 1363 case LDNS_RSAMD5: /* RFC 6725 deprecates RSAMD5 */ 1364 case LDNS_ECC_GOST: 1365 default: 1366 return 0; 1367 } 1368 } 1369 1370 static char * 1371 _verify_nettle_dsa(sldns_buffer* buf, unsigned char* sigblock, 1372 unsigned int sigblock_len, unsigned char* key, unsigned int keylen) 1373 { 1374 uint8_t digest[SHA1_DIGEST_SIZE]; 1375 uint8_t key_t; 1376 int res = 0; 1377 size_t offset; 1378 struct dsa_public_key pubkey; 1379 struct dsa_signature signature; 1380 unsigned int expected_len; 1381 1382 /* Extract DSA signature from the record */ 1383 nettle_dsa_signature_init(&signature); 1384 /* Signature length: 41 bytes - RFC 2536 sec. 3 */ 1385 if(sigblock_len == 41) { 1386 if(key[0] != sigblock[0]) 1387 return "invalid T value in DSA signature or pubkey"; 1388 nettle_mpz_set_str_256_u(signature.r, 20, sigblock+1); 1389 nettle_mpz_set_str_256_u(signature.s, 20, sigblock+1+20); 1390 } else { 1391 /* DER encoded, decode the ASN1 notated R and S bignums */ 1392 /* SEQUENCE { r INTEGER, s INTEGER } */ 1393 struct asn1_der_iterator i, seq; 1394 if(asn1_der_iterator_first(&i, sigblock_len, 1395 (uint8_t*)sigblock) != ASN1_ITERATOR_CONSTRUCTED 1396 || i.type != ASN1_SEQUENCE) 1397 return "malformed DER encoded DSA signature"; 1398 /* decode this element of i using the seq iterator */ 1399 if(asn1_der_decode_constructed(&i, &seq) != 1400 ASN1_ITERATOR_PRIMITIVE || seq.type != ASN1_INTEGER) 1401 return "malformed DER encoded DSA signature"; 1402 if(!asn1_der_get_bignum(&seq, signature.r, 20*8)) 1403 return "malformed DER encoded DSA signature"; 1404 if(asn1_der_iterator_next(&seq) != ASN1_ITERATOR_PRIMITIVE 1405 || seq.type != ASN1_INTEGER) 1406 return "malformed DER encoded DSA signature"; 1407 if(!asn1_der_get_bignum(&seq, signature.s, 20*8)) 1408 return "malformed DER encoded DSA signature"; 1409 if(asn1_der_iterator_next(&i) != ASN1_ITERATOR_END) 1410 return "malformed DER encoded DSA signature"; 1411 } 1412 1413 /* Validate T values constraints - RFC 2536 sec. 2 & sec. 3 */ 1414 key_t = key[0]; 1415 if (key_t > 8) { 1416 return "invalid T value in DSA pubkey"; 1417 } 1418 1419 /* Pubkey minimum length: 21 bytes - RFC 2536 sec. 2 */ 1420 if (keylen < 21) { 1421 return "DSA pubkey too short"; 1422 } 1423 1424 expected_len = 1 + /* T */ 1425 20 + /* Q */ 1426 (64 + key_t*8) + /* P */ 1427 (64 + key_t*8) + /* G */ 1428 (64 + key_t*8); /* Y */ 1429 if (keylen != expected_len ) { 1430 return "invalid DSA pubkey length"; 1431 } 1432 1433 /* Extract DSA pubkey from the record */ 1434 nettle_dsa_public_key_init(&pubkey); 1435 offset = 1; 1436 nettle_mpz_set_str_256_u(pubkey.q, 20, key+offset); 1437 offset += 20; 1438 nettle_mpz_set_str_256_u(pubkey.p, (64 + key_t*8), key+offset); 1439 offset += (64 + key_t*8); 1440 nettle_mpz_set_str_256_u(pubkey.g, (64 + key_t*8), key+offset); 1441 offset += (64 + key_t*8); 1442 nettle_mpz_set_str_256_u(pubkey.y, (64 + key_t*8), key+offset); 1443 1444 /* Digest content of "buf" and verify its DSA signature in "sigblock"*/ 1445 res = _digest_nettle(SHA1_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), 1446 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); 1447 res &= dsa_sha1_verify_digest(&pubkey, digest, &signature); 1448 1449 /* Clear and return */ 1450 nettle_dsa_signature_clear(&signature); 1451 nettle_dsa_public_key_clear(&pubkey); 1452 if (!res) 1453 return "DSA signature verification failed"; 1454 else 1455 return NULL; 1456 } 1457 1458 static char * 1459 _verify_nettle_rsa(sldns_buffer* buf, unsigned int digest_size, char* sigblock, 1460 unsigned int sigblock_len, uint8_t* key, unsigned int keylen) 1461 { 1462 uint16_t exp_len = 0; 1463 size_t exp_offset = 0, mod_offset = 0; 1464 struct rsa_public_key pubkey; 1465 mpz_t signature; 1466 int res = 0; 1467 1468 /* RSA pubkey parsing as per RFC 3110 sec. 2 */ 1469 if( keylen <= 1) { 1470 return "null RSA key"; 1471 } 1472 if (key[0] != 0) { 1473 /* 1-byte length */ 1474 exp_len = key[0]; 1475 exp_offset = 1; 1476 } else { 1477 /* 1-byte NUL + 2-bytes exponent length */ 1478 if (keylen < 3) { 1479 return "incorrect RSA key length"; 1480 } 1481 exp_len = READ_UINT16(key+1); 1482 if (exp_len == 0) 1483 return "null RSA exponent length"; 1484 exp_offset = 3; 1485 } 1486 /* Check that we are not over-running input length */ 1487 if (keylen < exp_offset + exp_len + 1) { 1488 return "RSA key content shorter than expected"; 1489 } 1490 mod_offset = exp_offset + exp_len; 1491 nettle_rsa_public_key_init(&pubkey); 1492 pubkey.size = keylen - mod_offset; 1493 nettle_mpz_set_str_256_u(pubkey.e, exp_len, &key[exp_offset]); 1494 nettle_mpz_set_str_256_u(pubkey.n, pubkey.size, &key[mod_offset]); 1495 1496 /* Digest content of "buf" and verify its RSA signature in "sigblock"*/ 1497 nettle_mpz_init_set_str_256_u(signature, sigblock_len, (uint8_t*)sigblock); 1498 switch (digest_size) { 1499 case SHA1_DIGEST_SIZE: 1500 { 1501 uint8_t digest[SHA1_DIGEST_SIZE]; 1502 res = _digest_nettle(SHA1_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), 1503 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); 1504 res &= rsa_sha1_verify_digest(&pubkey, digest, signature); 1505 break; 1506 } 1507 case SHA256_DIGEST_SIZE: 1508 { 1509 uint8_t digest[SHA256_DIGEST_SIZE]; 1510 res = _digest_nettle(SHA256_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), 1511 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); 1512 res &= rsa_sha256_verify_digest(&pubkey, digest, signature); 1513 break; 1514 } 1515 case SHA512_DIGEST_SIZE: 1516 { 1517 uint8_t digest[SHA512_DIGEST_SIZE]; 1518 res = _digest_nettle(SHA512_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), 1519 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); 1520 res &= rsa_sha512_verify_digest(&pubkey, digest, signature); 1521 break; 1522 } 1523 default: 1524 break; 1525 } 1526 1527 /* Clear and return */ 1528 nettle_rsa_public_key_clear(&pubkey); 1529 mpz_clear(signature); 1530 if (!res) { 1531 return "RSA signature verification failed"; 1532 } else { 1533 return NULL; 1534 } 1535 } 1536 1537 #ifdef USE_ECDSA 1538 static char * 1539 _verify_nettle_ecdsa(sldns_buffer* buf, unsigned int digest_size, unsigned char* sigblock, 1540 unsigned int sigblock_len, unsigned char* key, unsigned int keylen) 1541 { 1542 int res = 0; 1543 struct ecc_point pubkey; 1544 struct dsa_signature signature; 1545 1546 /* Always matched strength, as per RFC 6605 sec. 1 */ 1547 if (sigblock_len != 2*digest_size || keylen != 2*digest_size) { 1548 return "wrong ECDSA signature length"; 1549 } 1550 1551 /* Parse ECDSA signature as per RFC 6605 sec. 4 */ 1552 nettle_dsa_signature_init(&signature); 1553 switch (digest_size) { 1554 case SHA256_DIGEST_SIZE: 1555 { 1556 uint8_t digest[SHA256_DIGEST_SIZE]; 1557 mpz_t x, y; 1558 nettle_ecc_point_init(&pubkey, &nettle_secp_256r1); 1559 nettle_mpz_init_set_str_256_u(x, SHA256_DIGEST_SIZE, key); 1560 nettle_mpz_init_set_str_256_u(y, SHA256_DIGEST_SIZE, key+SHA256_DIGEST_SIZE); 1561 nettle_mpz_set_str_256_u(signature.r, SHA256_DIGEST_SIZE, sigblock); 1562 nettle_mpz_set_str_256_u(signature.s, SHA256_DIGEST_SIZE, sigblock+SHA256_DIGEST_SIZE); 1563 res = _digest_nettle(SHA256_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), 1564 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); 1565 res &= nettle_ecc_point_set(&pubkey, x, y); 1566 res &= nettle_ecdsa_verify (&pubkey, SHA256_DIGEST_SIZE, digest, &signature); 1567 mpz_clear(x); 1568 mpz_clear(y); 1569 break; 1570 } 1571 case SHA384_DIGEST_SIZE: 1572 { 1573 uint8_t digest[SHA384_DIGEST_SIZE]; 1574 mpz_t x, y; 1575 nettle_ecc_point_init(&pubkey, &nettle_secp_384r1); 1576 nettle_mpz_init_set_str_256_u(x, SHA384_DIGEST_SIZE, key); 1577 nettle_mpz_init_set_str_256_u(y, SHA384_DIGEST_SIZE, key+SHA384_DIGEST_SIZE); 1578 nettle_mpz_set_str_256_u(signature.r, SHA384_DIGEST_SIZE, sigblock); 1579 nettle_mpz_set_str_256_u(signature.s, SHA384_DIGEST_SIZE, sigblock+SHA384_DIGEST_SIZE); 1580 res = _digest_nettle(SHA384_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), 1581 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); 1582 res &= nettle_ecc_point_set(&pubkey, x, y); 1583 res &= nettle_ecdsa_verify (&pubkey, SHA384_DIGEST_SIZE, digest, &signature); 1584 mpz_clear(x); 1585 mpz_clear(y); 1586 nettle_ecc_point_clear(&pubkey); 1587 break; 1588 } 1589 default: 1590 return "unknown ECDSA algorithm"; 1591 } 1592 1593 /* Clear and return */ 1594 nettle_dsa_signature_clear(&signature); 1595 if (!res) 1596 return "ECDSA signature verification failed"; 1597 else 1598 return NULL; 1599 } 1600 #endif 1601 1602 /** 1603 * Check a canonical sig+rrset and signature against a dnskey 1604 * @param buf: buffer with data to verify, the first rrsig part and the 1605 * canonicalized rrset. 1606 * @param algo: DNSKEY algorithm. 1607 * @param sigblock: signature rdata field from RRSIG 1608 * @param sigblock_len: length of sigblock data. 1609 * @param key: public key data from DNSKEY RR. 1610 * @param keylen: length of keydata. 1611 * @param reason: bogus reason in more detail. 1612 * @return secure if verification succeeded, bogus on crypto failure, 1613 * unchecked on format errors and alloc failures. 1614 */ 1615 enum sec_status 1616 verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock, 1617 unsigned int sigblock_len, unsigned char* key, unsigned int keylen, 1618 char** reason) 1619 { 1620 unsigned int digest_size = 0; 1621 1622 if (sigblock_len == 0 || keylen == 0) { 1623 *reason = "null signature"; 1624 return sec_status_bogus; 1625 } 1626 1627 switch(algo) { 1628 #ifdef USE_DSA 1629 case LDNS_DSA: 1630 case LDNS_DSA_NSEC3: 1631 *reason = _verify_nettle_dsa(buf, sigblock, sigblock_len, key, keylen); 1632 if (*reason != NULL) 1633 return sec_status_bogus; 1634 else 1635 return sec_status_secure; 1636 #endif /* USE_DSA */ 1637 1638 case LDNS_RSASHA1: 1639 case LDNS_RSASHA1_NSEC3: 1640 digest_size = (digest_size ? digest_size : SHA1_DIGEST_SIZE); 1641 #ifdef USE_SHA2 1642 case LDNS_RSASHA256: 1643 digest_size = (digest_size ? digest_size : SHA256_DIGEST_SIZE); 1644 case LDNS_RSASHA512: 1645 digest_size = (digest_size ? digest_size : SHA512_DIGEST_SIZE); 1646 1647 #endif 1648 *reason = _verify_nettle_rsa(buf, digest_size, (char*)sigblock, 1649 sigblock_len, key, keylen); 1650 if (*reason != NULL) 1651 return sec_status_bogus; 1652 else 1653 return sec_status_secure; 1654 1655 #ifdef USE_ECDSA 1656 case LDNS_ECDSAP256SHA256: 1657 digest_size = (digest_size ? digest_size : SHA256_DIGEST_SIZE); 1658 case LDNS_ECDSAP384SHA384: 1659 digest_size = (digest_size ? digest_size : SHA384_DIGEST_SIZE); 1660 *reason = _verify_nettle_ecdsa(buf, digest_size, sigblock, 1661 sigblock_len, key, keylen); 1662 if (*reason != NULL) 1663 return sec_status_bogus; 1664 else 1665 return sec_status_secure; 1666 #endif 1667 case LDNS_RSAMD5: 1668 case LDNS_ECC_GOST: 1669 default: 1670 *reason = "unable to verify signature, unknown algorithm"; 1671 return sec_status_bogus; 1672 } 1673 } 1674 1675 #endif /* HAVE_SSL or HAVE_NSS or HAVE_NETTLE */ 1676