1 /* 2 * validator/val_secalgo.c - validator security algorithm functions. 3 * 4 * Copyright (c) 2012, NLnet Labs. All rights reserved. 5 * 6 * This software is open source. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * Redistributions of source code must retain the above copyright notice, 13 * this list of conditions and the following disclaimer. 14 * 15 * Redistributions in binary form must reproduce the above copyright notice, 16 * this list of conditions and the following disclaimer in the documentation 17 * and/or other materials provided with the distribution. 18 * 19 * Neither the name of the NLNET LABS nor the names of its contributors may 20 * be used to endorse or promote products derived from this software without 21 * specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36 /** 37 * \file 38 * 39 * This file contains helper functions for the validator module. 40 * These functions take raw data buffers, formatted for crypto verification, 41 * and do the library calls (for the crypto library in use). 42 */ 43 #include "config.h" 44 /* packed_rrset on top to define enum types (forced by c99 standard) */ 45 #include "util/data/packed_rrset.h" 46 #include "validator/val_secalgo.h" 47 #include "validator/val_nsec3.h" 48 #include "util/log.h" 49 #include "sldns/rrdef.h" 50 #include "sldns/keyraw.h" 51 #include "sldns/sbuffer.h" 52 53 #if !defined(HAVE_SSL) && !defined(HAVE_NSS) && !defined(HAVE_NETTLE) 54 #error "Need crypto library to do digital signature cryptography" 55 #endif 56 57 /* OpenSSL implementation */ 58 #ifdef HAVE_SSL 59 #ifdef HAVE_OPENSSL_ERR_H 60 #include <openssl/err.h> 61 #endif 62 63 #ifdef HAVE_OPENSSL_RAND_H 64 #include <openssl/rand.h> 65 #endif 66 67 #ifdef HAVE_OPENSSL_CONF_H 68 #include <openssl/conf.h> 69 #endif 70 71 #ifdef HAVE_OPENSSL_ENGINE_H 72 #include <openssl/engine.h> 73 #endif 74 75 /** fake DSA support for unit tests */ 76 int fake_dsa = 0; 77 /** fake SHA1 support for unit tests */ 78 int fake_sha1 = 0; 79 80 /* return size of digest if supported, or 0 otherwise */ 81 size_t 82 nsec3_hash_algo_size_supported(int id) 83 { 84 switch(id) { 85 case NSEC3_HASH_SHA1: 86 return SHA_DIGEST_LENGTH; 87 default: 88 return 0; 89 } 90 } 91 92 /* perform nsec3 hash. return false on failure */ 93 int 94 secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len, 95 unsigned char* res) 96 { 97 switch(algo) { 98 case NSEC3_HASH_SHA1: 99 (void)SHA1(buf, len, res); 100 return 1; 101 default: 102 return 0; 103 } 104 } 105 106 void 107 secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res) 108 { 109 (void)SHA256(buf, len, res); 110 } 111 112 /** 113 * Return size of DS digest according to its hash algorithm. 114 * @param algo: DS digest algo. 115 * @return size in bytes of digest, or 0 if not supported. 116 */ 117 size_t 118 ds_digest_size_supported(int algo) 119 { 120 switch(algo) { 121 case LDNS_SHA1: 122 #if defined(HAVE_EVP_SHA1) && defined(USE_SHA1) 123 return SHA_DIGEST_LENGTH; 124 #else 125 if(fake_sha1) return 20; 126 return 0; 127 #endif 128 #ifdef HAVE_EVP_SHA256 129 case LDNS_SHA256: 130 return SHA256_DIGEST_LENGTH; 131 #endif 132 #ifdef USE_GOST 133 case LDNS_HASH_GOST: 134 /* we support GOST if it can be loaded */ 135 (void)sldns_key_EVP_load_gost_id(); 136 if(EVP_get_digestbyname("md_gost94")) 137 return 32; 138 else return 0; 139 #endif 140 #ifdef USE_ECDSA 141 case LDNS_SHA384: 142 return SHA384_DIGEST_LENGTH; 143 #endif 144 default: break; 145 } 146 return 0; 147 } 148 149 #ifdef USE_GOST 150 /** Perform GOST hash */ 151 static int 152 do_gost94(unsigned char* data, size_t len, unsigned char* dest) 153 { 154 const EVP_MD* md = EVP_get_digestbyname("md_gost94"); 155 if(!md) 156 return 0; 157 return sldns_digest_evp(data, (unsigned int)len, dest, md); 158 } 159 #endif 160 161 int 162 secalgo_ds_digest(int algo, unsigned char* buf, size_t len, 163 unsigned char* res) 164 { 165 switch(algo) { 166 #if defined(HAVE_EVP_SHA1) && defined(USE_SHA1) 167 case LDNS_SHA1: 168 (void)SHA1(buf, len, res); 169 return 1; 170 #endif 171 #ifdef HAVE_EVP_SHA256 172 case LDNS_SHA256: 173 (void)SHA256(buf, len, res); 174 return 1; 175 #endif 176 #ifdef USE_GOST 177 case LDNS_HASH_GOST: 178 if(do_gost94(buf, len, res)) 179 return 1; 180 break; 181 #endif 182 #ifdef USE_ECDSA 183 case LDNS_SHA384: 184 (void)SHA384(buf, len, res); 185 return 1; 186 #endif 187 default: 188 verbose(VERB_QUERY, "unknown DS digest algorithm %d", 189 algo); 190 break; 191 } 192 return 0; 193 } 194 195 /** return true if DNSKEY algorithm id is supported */ 196 int 197 dnskey_algo_id_is_supported(int id) 198 { 199 switch(id) { 200 case LDNS_RSAMD5: 201 /* RFC 6725 deprecates RSAMD5 */ 202 return 0; 203 case LDNS_DSA: 204 case LDNS_DSA_NSEC3: 205 #if defined(USE_DSA) && defined(USE_SHA1) 206 return 1; 207 #else 208 if(fake_dsa || fake_sha1) return 1; 209 return 0; 210 #endif 211 212 case LDNS_RSASHA1: 213 case LDNS_RSASHA1_NSEC3: 214 #ifdef USE_SHA1 215 return 1; 216 #else 217 if(fake_sha1) return 1; 218 return 0; 219 #endif 220 221 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2) 222 case LDNS_RSASHA256: 223 #endif 224 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2) 225 case LDNS_RSASHA512: 226 #endif 227 #ifdef USE_ECDSA 228 case LDNS_ECDSAP256SHA256: 229 case LDNS_ECDSAP384SHA384: 230 #endif 231 #ifdef USE_ED25519 232 case LDNS_ED25519: 233 #endif 234 #ifdef USE_ED448 235 case LDNS_ED448: 236 #endif 237 #if (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2)) || defined(USE_ECDSA) || defined(USE_ED25519) || defined(USE_ED448) 238 return 1; 239 #endif 240 241 #ifdef USE_GOST 242 case LDNS_ECC_GOST: 243 /* we support GOST if it can be loaded */ 244 return sldns_key_EVP_load_gost_id(); 245 #endif 246 default: 247 return 0; 248 } 249 } 250 251 /** 252 * Output a libcrypto openssl error to the logfile. 253 * @param str: string to add to it. 254 * @param e: the error to output, error number from ERR_get_error(). 255 */ 256 static void 257 log_crypto_error(const char* str, unsigned long e) 258 { 259 char buf[128]; 260 /* or use ERR_error_string if ERR_error_string_n is not avail TODO */ 261 ERR_error_string_n(e, buf, sizeof(buf)); 262 /* buf now contains */ 263 /* error:[error code]:[library name]:[function name]:[reason string] */ 264 log_err("%s crypto %s", str, buf); 265 } 266 267 #ifdef USE_DSA 268 /** 269 * Setup DSA key digest in DER encoding ... 270 * @param sig: input is signature output alloced ptr (unless failure). 271 * caller must free alloced ptr if this routine returns true. 272 * @param len: input is initial siglen, output is output len. 273 * @return false on failure. 274 */ 275 static int 276 setup_dsa_sig(unsigned char** sig, unsigned int* len) 277 { 278 unsigned char* orig = *sig; 279 unsigned int origlen = *len; 280 int newlen; 281 BIGNUM *R, *S; 282 DSA_SIG *dsasig; 283 284 /* extract the R and S field from the sig buffer */ 285 if(origlen < 1 + 2*SHA_DIGEST_LENGTH) 286 return 0; 287 R = BN_new(); 288 if(!R) return 0; 289 (void) BN_bin2bn(orig + 1, SHA_DIGEST_LENGTH, R); 290 S = BN_new(); 291 if(!S) return 0; 292 (void) BN_bin2bn(orig + 21, SHA_DIGEST_LENGTH, S); 293 dsasig = DSA_SIG_new(); 294 if(!dsasig) return 0; 295 296 #ifdef HAVE_DSA_SIG_SET0 297 if(!DSA_SIG_set0(dsasig, R, S)) return 0; 298 #else 299 dsasig->r = R; 300 dsasig->s = S; 301 #endif 302 *sig = NULL; 303 newlen = i2d_DSA_SIG(dsasig, sig); 304 if(newlen < 0) { 305 DSA_SIG_free(dsasig); 306 free(*sig); 307 return 0; 308 } 309 *len = (unsigned int)newlen; 310 DSA_SIG_free(dsasig); 311 return 1; 312 } 313 #endif /* USE_DSA */ 314 315 #ifdef USE_ECDSA 316 /** 317 * Setup the ECDSA signature in its encoding that the library wants. 318 * Converts from plain numbers to ASN formatted. 319 * @param sig: input is signature, output alloced ptr (unless failure). 320 * caller must free alloced ptr if this routine returns true. 321 * @param len: input is initial siglen, output is output len. 322 * @return false on failure. 323 */ 324 static int 325 setup_ecdsa_sig(unsigned char** sig, unsigned int* len) 326 { 327 /* convert from two BIGNUMs in the rdata buffer, to ASN notation. 328 * ASN preamble: 30440220 <R 32bytefor256> 0220 <S 32bytefor256> 329 * the '20' is the length of that field (=bnsize). 330 i * the '44' is the total remaining length. 331 * if negative, start with leading zero. 332 * if starts with 00s, remove them from the number. 333 */ 334 uint8_t pre[] = {0x30, 0x44, 0x02, 0x20}; 335 int pre_len = 4; 336 uint8_t mid[] = {0x02, 0x20}; 337 int mid_len = 2; 338 int raw_sig_len, r_high, s_high, r_rem=0, s_rem=0; 339 int bnsize = (int)((*len)/2); 340 unsigned char* d = *sig; 341 uint8_t* p; 342 /* if too short or not even length, fails */ 343 if(*len < 16 || bnsize*2 != (int)*len) 344 return 0; 345 346 /* strip leading zeroes from r (but not last one) */ 347 while(r_rem < bnsize-1 && d[r_rem] == 0) 348 r_rem++; 349 /* strip leading zeroes from s (but not last one) */ 350 while(s_rem < bnsize-1 && d[bnsize+s_rem] == 0) 351 s_rem++; 352 353 r_high = ((d[0+r_rem]&0x80)?1:0); 354 s_high = ((d[bnsize+s_rem]&0x80)?1:0); 355 raw_sig_len = pre_len + r_high + bnsize - r_rem + mid_len + 356 s_high + bnsize - s_rem; 357 *sig = (unsigned char*)malloc((size_t)raw_sig_len); 358 if(!*sig) 359 return 0; 360 p = (uint8_t*)*sig; 361 p[0] = pre[0]; 362 p[1] = (uint8_t)(raw_sig_len-2); 363 p[2] = pre[2]; 364 p[3] = (uint8_t)(bnsize + r_high - r_rem); 365 p += 4; 366 if(r_high) { 367 *p = 0; 368 p += 1; 369 } 370 memmove(p, d+r_rem, (size_t)bnsize-r_rem); 371 p += bnsize-r_rem; 372 memmove(p, mid, (size_t)mid_len-1); 373 p += mid_len-1; 374 *p = (uint8_t)(bnsize + s_high - s_rem); 375 p += 1; 376 if(s_high) { 377 *p = 0; 378 p += 1; 379 } 380 memmove(p, d+bnsize+s_rem, (size_t)bnsize-s_rem); 381 *len = (unsigned int)raw_sig_len; 382 return 1; 383 } 384 #endif /* USE_ECDSA */ 385 386 #ifdef USE_ECDSA_EVP_WORKAROUND 387 static EVP_MD ecdsa_evp_256_md; 388 static EVP_MD ecdsa_evp_384_md; 389 void ecdsa_evp_workaround_init(void) 390 { 391 /* openssl before 1.0.0 fixes RSA with the SHA256 392 * hash in EVP. We create one for ecdsa_sha256 */ 393 ecdsa_evp_256_md = *EVP_sha256(); 394 ecdsa_evp_256_md.required_pkey_type[0] = EVP_PKEY_EC; 395 ecdsa_evp_256_md.verify = (void*)ECDSA_verify; 396 397 ecdsa_evp_384_md = *EVP_sha384(); 398 ecdsa_evp_384_md.required_pkey_type[0] = EVP_PKEY_EC; 399 ecdsa_evp_384_md.verify = (void*)ECDSA_verify; 400 } 401 #endif /* USE_ECDSA_EVP_WORKAROUND */ 402 403 /** 404 * Setup key and digest for verification. Adjust sig if necessary. 405 * 406 * @param algo: key algorithm 407 * @param evp_key: EVP PKEY public key to create. 408 * @param digest_type: digest type to use 409 * @param key: key to setup for. 410 * @param keylen: length of key. 411 * @return false on failure. 412 */ 413 static int 414 setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type, 415 unsigned char* key, size_t keylen) 416 { 417 #if defined(USE_DSA) && defined(USE_SHA1) 418 DSA* dsa; 419 #endif 420 RSA* rsa; 421 422 switch(algo) { 423 #if defined(USE_DSA) && defined(USE_SHA1) 424 case LDNS_DSA: 425 case LDNS_DSA_NSEC3: 426 *evp_key = EVP_PKEY_new(); 427 if(!*evp_key) { 428 log_err("verify: malloc failure in crypto"); 429 return 0; 430 } 431 dsa = sldns_key_buf2dsa_raw(key, keylen); 432 if(!dsa) { 433 verbose(VERB_QUERY, "verify: " 434 "sldns_key_buf2dsa_raw failed"); 435 return 0; 436 } 437 if(EVP_PKEY_assign_DSA(*evp_key, dsa) == 0) { 438 verbose(VERB_QUERY, "verify: " 439 "EVP_PKEY_assign_DSA failed"); 440 return 0; 441 } 442 #ifdef HAVE_EVP_DSS1 443 *digest_type = EVP_dss1(); 444 #else 445 *digest_type = EVP_sha1(); 446 #endif 447 448 break; 449 #endif /* USE_DSA && USE_SHA1 */ 450 451 #if defined(USE_SHA1) || (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2)) 452 #ifdef USE_SHA1 453 case LDNS_RSASHA1: 454 case LDNS_RSASHA1_NSEC3: 455 #endif 456 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2) 457 case LDNS_RSASHA256: 458 #endif 459 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2) 460 case LDNS_RSASHA512: 461 #endif 462 *evp_key = EVP_PKEY_new(); 463 if(!*evp_key) { 464 log_err("verify: malloc failure in crypto"); 465 return 0; 466 } 467 rsa = sldns_key_buf2rsa_raw(key, keylen); 468 if(!rsa) { 469 verbose(VERB_QUERY, "verify: " 470 "sldns_key_buf2rsa_raw SHA failed"); 471 return 0; 472 } 473 if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) { 474 verbose(VERB_QUERY, "verify: " 475 "EVP_PKEY_assign_RSA SHA failed"); 476 return 0; 477 } 478 479 /* select SHA version */ 480 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2) 481 if(algo == LDNS_RSASHA256) 482 *digest_type = EVP_sha256(); 483 else 484 #endif 485 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2) 486 if(algo == LDNS_RSASHA512) 487 *digest_type = EVP_sha512(); 488 else 489 #endif 490 #ifdef USE_SHA1 491 *digest_type = EVP_sha1(); 492 #else 493 { verbose(VERB_QUERY, "no digest available"); return 0; } 494 #endif 495 break; 496 #endif /* defined(USE_SHA1) || (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2)) */ 497 498 case LDNS_RSAMD5: 499 *evp_key = EVP_PKEY_new(); 500 if(!*evp_key) { 501 log_err("verify: malloc failure in crypto"); 502 return 0; 503 } 504 rsa = sldns_key_buf2rsa_raw(key, keylen); 505 if(!rsa) { 506 verbose(VERB_QUERY, "verify: " 507 "sldns_key_buf2rsa_raw MD5 failed"); 508 return 0; 509 } 510 if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) { 511 verbose(VERB_QUERY, "verify: " 512 "EVP_PKEY_assign_RSA MD5 failed"); 513 return 0; 514 } 515 *digest_type = EVP_md5(); 516 517 break; 518 #ifdef USE_GOST 519 case LDNS_ECC_GOST: 520 *evp_key = sldns_gost2pkey_raw(key, keylen); 521 if(!*evp_key) { 522 verbose(VERB_QUERY, "verify: " 523 "sldns_gost2pkey_raw failed"); 524 return 0; 525 } 526 *digest_type = EVP_get_digestbyname("md_gost94"); 527 if(!*digest_type) { 528 verbose(VERB_QUERY, "verify: " 529 "EVP_getdigest md_gost94 failed"); 530 return 0; 531 } 532 break; 533 #endif 534 #ifdef USE_ECDSA 535 case LDNS_ECDSAP256SHA256: 536 *evp_key = sldns_ecdsa2pkey_raw(key, keylen, 537 LDNS_ECDSAP256SHA256); 538 if(!*evp_key) { 539 verbose(VERB_QUERY, "verify: " 540 "sldns_ecdsa2pkey_raw failed"); 541 return 0; 542 } 543 #ifdef USE_ECDSA_EVP_WORKAROUND 544 *digest_type = &ecdsa_evp_256_md; 545 #else 546 *digest_type = EVP_sha256(); 547 #endif 548 break; 549 case LDNS_ECDSAP384SHA384: 550 *evp_key = sldns_ecdsa2pkey_raw(key, keylen, 551 LDNS_ECDSAP384SHA384); 552 if(!*evp_key) { 553 verbose(VERB_QUERY, "verify: " 554 "sldns_ecdsa2pkey_raw failed"); 555 return 0; 556 } 557 #ifdef USE_ECDSA_EVP_WORKAROUND 558 *digest_type = &ecdsa_evp_384_md; 559 #else 560 *digest_type = EVP_sha384(); 561 #endif 562 break; 563 #endif /* USE_ECDSA */ 564 #ifdef USE_ED25519 565 case LDNS_ED25519: 566 *evp_key = sldns_ed255192pkey_raw(key, keylen); 567 if(!*evp_key) { 568 verbose(VERB_QUERY, "verify: " 569 "sldns_ed255192pkey_raw failed"); 570 return 0; 571 } 572 *digest_type = NULL; 573 break; 574 #endif /* USE_ED25519 */ 575 #ifdef USE_ED448 576 case LDNS_ED448: 577 *evp_key = sldns_ed4482pkey_raw(key, keylen); 578 if(!*evp_key) { 579 verbose(VERB_QUERY, "verify: " 580 "sldns_ed4482pkey_raw failed"); 581 return 0; 582 } 583 *digest_type = NULL; 584 break; 585 #endif /* USE_ED448 */ 586 default: 587 verbose(VERB_QUERY, "verify: unknown algorithm %d", 588 algo); 589 return 0; 590 } 591 return 1; 592 } 593 594 /** 595 * Check a canonical sig+rrset and signature against a dnskey 596 * @param buf: buffer with data to verify, the first rrsig part and the 597 * canonicalized rrset. 598 * @param algo: DNSKEY algorithm. 599 * @param sigblock: signature rdata field from RRSIG 600 * @param sigblock_len: length of sigblock data. 601 * @param key: public key data from DNSKEY RR. 602 * @param keylen: length of keydata. 603 * @param reason: bogus reason in more detail. 604 * @return secure if verification succeeded, bogus on crypto failure, 605 * unchecked on format errors and alloc failures. 606 */ 607 enum sec_status 608 verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock, 609 unsigned int sigblock_len, unsigned char* key, unsigned int keylen, 610 char** reason) 611 { 612 const EVP_MD *digest_type; 613 EVP_MD_CTX* ctx; 614 int res, dofree = 0, docrypto_free = 0; 615 EVP_PKEY *evp_key = NULL; 616 617 #ifndef USE_DSA 618 if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) &&(fake_dsa||fake_sha1)) 619 return sec_status_secure; 620 #endif 621 #ifndef USE_SHA1 622 if(fake_sha1 && (algo == LDNS_DSA || algo == LDNS_DSA_NSEC3 || algo == LDNS_RSASHA1 || algo == LDNS_RSASHA1_NSEC3)) 623 return sec_status_secure; 624 #endif 625 626 if(!setup_key_digest(algo, &evp_key, &digest_type, key, keylen)) { 627 verbose(VERB_QUERY, "verify: failed to setup key"); 628 *reason = "use of key for crypto failed"; 629 EVP_PKEY_free(evp_key); 630 return sec_status_bogus; 631 } 632 #ifdef USE_DSA 633 /* if it is a DSA signature in bind format, convert to DER format */ 634 if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) && 635 sigblock_len == 1+2*SHA_DIGEST_LENGTH) { 636 if(!setup_dsa_sig(&sigblock, &sigblock_len)) { 637 verbose(VERB_QUERY, "verify: failed to setup DSA sig"); 638 *reason = "use of key for DSA crypto failed"; 639 EVP_PKEY_free(evp_key); 640 return sec_status_bogus; 641 } 642 docrypto_free = 1; 643 } 644 #endif 645 #if defined(USE_ECDSA) && defined(USE_DSA) 646 else 647 #endif 648 #ifdef USE_ECDSA 649 if(algo == LDNS_ECDSAP256SHA256 || algo == LDNS_ECDSAP384SHA384) { 650 /* EVP uses ASN prefix on sig, which is not in the wire data */ 651 if(!setup_ecdsa_sig(&sigblock, &sigblock_len)) { 652 verbose(VERB_QUERY, "verify: failed to setup ECDSA sig"); 653 *reason = "use of signature for ECDSA crypto failed"; 654 EVP_PKEY_free(evp_key); 655 return sec_status_bogus; 656 } 657 dofree = 1; 658 } 659 #endif /* USE_ECDSA */ 660 661 /* do the signature cryptography work */ 662 #ifdef HAVE_EVP_MD_CTX_NEW 663 ctx = EVP_MD_CTX_new(); 664 #else 665 ctx = (EVP_MD_CTX*)malloc(sizeof(*ctx)); 666 if(ctx) EVP_MD_CTX_init(ctx); 667 #endif 668 if(!ctx) { 669 log_err("EVP_MD_CTX_new: malloc failure"); 670 EVP_PKEY_free(evp_key); 671 if(dofree) free(sigblock); 672 else if(docrypto_free) OPENSSL_free(sigblock); 673 return sec_status_unchecked; 674 } 675 #ifndef HAVE_EVP_DIGESTVERIFY 676 if(EVP_DigestInit(ctx, digest_type) == 0) { 677 verbose(VERB_QUERY, "verify: EVP_DigestInit failed"); 678 #ifdef HAVE_EVP_MD_CTX_NEW 679 EVP_MD_CTX_destroy(ctx); 680 #else 681 EVP_MD_CTX_cleanup(ctx); 682 free(ctx); 683 #endif 684 EVP_PKEY_free(evp_key); 685 if(dofree) free(sigblock); 686 else if(docrypto_free) OPENSSL_free(sigblock); 687 return sec_status_unchecked; 688 } 689 if(EVP_DigestUpdate(ctx, (unsigned char*)sldns_buffer_begin(buf), 690 (unsigned int)sldns_buffer_limit(buf)) == 0) { 691 verbose(VERB_QUERY, "verify: EVP_DigestUpdate failed"); 692 #ifdef HAVE_EVP_MD_CTX_NEW 693 EVP_MD_CTX_destroy(ctx); 694 #else 695 EVP_MD_CTX_cleanup(ctx); 696 free(ctx); 697 #endif 698 EVP_PKEY_free(evp_key); 699 if(dofree) free(sigblock); 700 else if(docrypto_free) OPENSSL_free(sigblock); 701 return sec_status_unchecked; 702 } 703 704 res = EVP_VerifyFinal(ctx, sigblock, sigblock_len, evp_key); 705 #else /* HAVE_EVP_DIGESTVERIFY */ 706 if(EVP_DigestVerifyInit(ctx, NULL, digest_type, NULL, evp_key) == 0) { 707 verbose(VERB_QUERY, "verify: EVP_DigestVerifyInit failed"); 708 #ifdef HAVE_EVP_MD_CTX_NEW 709 EVP_MD_CTX_destroy(ctx); 710 #else 711 EVP_MD_CTX_cleanup(ctx); 712 free(ctx); 713 #endif 714 EVP_PKEY_free(evp_key); 715 if(dofree) free(sigblock); 716 else if(docrypto_free) OPENSSL_free(sigblock); 717 return sec_status_unchecked; 718 } 719 res = EVP_DigestVerify(ctx, sigblock, sigblock_len, 720 (unsigned char*)sldns_buffer_begin(buf), 721 sldns_buffer_limit(buf)); 722 #endif 723 #ifdef HAVE_EVP_MD_CTX_NEW 724 EVP_MD_CTX_destroy(ctx); 725 #else 726 EVP_MD_CTX_cleanup(ctx); 727 free(ctx); 728 #endif 729 EVP_PKEY_free(evp_key); 730 731 if(dofree) free(sigblock); 732 else if(docrypto_free) OPENSSL_free(sigblock); 733 734 if(res == 1) { 735 return sec_status_secure; 736 } else if(res == 0) { 737 verbose(VERB_QUERY, "verify: signature mismatch"); 738 *reason = "signature crypto failed"; 739 return sec_status_bogus; 740 } 741 742 log_crypto_error("verify:", ERR_get_error()); 743 return sec_status_unchecked; 744 } 745 746 /**************************************************/ 747 #elif defined(HAVE_NSS) 748 /* libnss implementation */ 749 /* nss3 */ 750 #include "sechash.h" 751 #include "pk11pub.h" 752 #include "keyhi.h" 753 #include "secerr.h" 754 #include "cryptohi.h" 755 /* nspr4 */ 756 #include "prerror.h" 757 758 /* return size of digest if supported, or 0 otherwise */ 759 size_t 760 nsec3_hash_algo_size_supported(int id) 761 { 762 switch(id) { 763 case NSEC3_HASH_SHA1: 764 return SHA1_LENGTH; 765 default: 766 return 0; 767 } 768 } 769 770 /* perform nsec3 hash. return false on failure */ 771 int 772 secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len, 773 unsigned char* res) 774 { 775 switch(algo) { 776 case NSEC3_HASH_SHA1: 777 (void)HASH_HashBuf(HASH_AlgSHA1, res, buf, (unsigned long)len); 778 return 1; 779 default: 780 return 0; 781 } 782 } 783 784 void 785 secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res) 786 { 787 (void)HASH_HashBuf(HASH_AlgSHA256, res, buf, (unsigned long)len); 788 } 789 790 size_t 791 ds_digest_size_supported(int algo) 792 { 793 /* uses libNSS */ 794 switch(algo) { 795 #ifdef USE_SHA1 796 case LDNS_SHA1: 797 return SHA1_LENGTH; 798 #endif 799 #ifdef USE_SHA2 800 case LDNS_SHA256: 801 return SHA256_LENGTH; 802 #endif 803 #ifdef USE_ECDSA 804 case LDNS_SHA384: 805 return SHA384_LENGTH; 806 #endif 807 /* GOST not supported in NSS */ 808 case LDNS_HASH_GOST: 809 default: break; 810 } 811 return 0; 812 } 813 814 int 815 secalgo_ds_digest(int algo, unsigned char* buf, size_t len, 816 unsigned char* res) 817 { 818 /* uses libNSS */ 819 switch(algo) { 820 #ifdef USE_SHA1 821 case LDNS_SHA1: 822 return HASH_HashBuf(HASH_AlgSHA1, res, buf, len) 823 == SECSuccess; 824 #endif 825 #if defined(USE_SHA2) 826 case LDNS_SHA256: 827 return HASH_HashBuf(HASH_AlgSHA256, res, buf, len) 828 == SECSuccess; 829 #endif 830 #ifdef USE_ECDSA 831 case LDNS_SHA384: 832 return HASH_HashBuf(HASH_AlgSHA384, res, buf, len) 833 == SECSuccess; 834 #endif 835 case LDNS_HASH_GOST: 836 default: 837 verbose(VERB_QUERY, "unknown DS digest algorithm %d", 838 algo); 839 break; 840 } 841 return 0; 842 } 843 844 int 845 dnskey_algo_id_is_supported(int id) 846 { 847 /* uses libNSS */ 848 switch(id) { 849 case LDNS_RSAMD5: 850 /* RFC 6725 deprecates RSAMD5 */ 851 return 0; 852 #if defined(USE_SHA1) || defined(USE_SHA2) 853 #if defined(USE_DSA) && defined(USE_SHA1) 854 case LDNS_DSA: 855 case LDNS_DSA_NSEC3: 856 #endif 857 #ifdef USE_SHA1 858 case LDNS_RSASHA1: 859 case LDNS_RSASHA1_NSEC3: 860 #endif 861 #ifdef USE_SHA2 862 case LDNS_RSASHA256: 863 #endif 864 #ifdef USE_SHA2 865 case LDNS_RSASHA512: 866 #endif 867 return 1; 868 #endif /* SHA1 or SHA2 */ 869 870 #ifdef USE_ECDSA 871 case LDNS_ECDSAP256SHA256: 872 case LDNS_ECDSAP384SHA384: 873 return PK11_TokenExists(CKM_ECDSA); 874 #endif 875 case LDNS_ECC_GOST: 876 default: 877 return 0; 878 } 879 } 880 881 /* return a new public key for NSS */ 882 static SECKEYPublicKey* nss_key_create(KeyType ktype) 883 { 884 SECKEYPublicKey* key; 885 PLArenaPool* arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); 886 if(!arena) { 887 log_err("out of memory, PORT_NewArena failed"); 888 return NULL; 889 } 890 key = PORT_ArenaZNew(arena, SECKEYPublicKey); 891 if(!key) { 892 log_err("out of memory, PORT_ArenaZNew failed"); 893 PORT_FreeArena(arena, PR_FALSE); 894 return NULL; 895 } 896 key->arena = arena; 897 key->keyType = ktype; 898 key->pkcs11Slot = NULL; 899 key->pkcs11ID = CK_INVALID_HANDLE; 900 return key; 901 } 902 903 static SECKEYPublicKey* nss_buf2ecdsa(unsigned char* key, size_t len, int algo) 904 { 905 SECKEYPublicKey* pk; 906 SECItem pub = {siBuffer, NULL, 0}; 907 SECItem params = {siBuffer, NULL, 0}; 908 static unsigned char param256[] = { 909 /* OBJECTIDENTIFIER 1.2.840.10045.3.1.7 (P-256) 910 * {iso(1) member-body(2) us(840) ansi-x962(10045) curves(3) prime(1) prime256v1(7)} */ 911 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07 912 }; 913 static unsigned char param384[] = { 914 /* OBJECTIDENTIFIER 1.3.132.0.34 (P-384) 915 * {iso(1) identified-organization(3) certicom(132) curve(0) ansip384r1(34)} */ 916 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22 917 }; 918 unsigned char buf[256+2]; /* sufficient for 2*384/8+1 */ 919 920 /* check length, which uncompressed must be 2 bignums */ 921 if(algo == LDNS_ECDSAP256SHA256) { 922 if(len != 2*256/8) return NULL; 923 /* ECCurve_X9_62_PRIME_256V1 */ 924 } else if(algo == LDNS_ECDSAP384SHA384) { 925 if(len != 2*384/8) return NULL; 926 /* ECCurve_X9_62_PRIME_384R1 */ 927 } else return NULL; 928 929 buf[0] = 0x04; /* POINT_FORM_UNCOMPRESSED */ 930 memmove(buf+1, key, len); 931 pub.data = buf; 932 pub.len = len+1; 933 if(algo == LDNS_ECDSAP256SHA256) { 934 params.data = param256; 935 params.len = sizeof(param256); 936 } else { 937 params.data = param384; 938 params.len = sizeof(param384); 939 } 940 941 pk = nss_key_create(ecKey); 942 if(!pk) 943 return NULL; 944 pk->u.ec.size = (len/2)*8; 945 if(SECITEM_CopyItem(pk->arena, &pk->u.ec.publicValue, &pub)) { 946 SECKEY_DestroyPublicKey(pk); 947 return NULL; 948 } 949 if(SECITEM_CopyItem(pk->arena, &pk->u.ec.DEREncodedParams, ¶ms)) { 950 SECKEY_DestroyPublicKey(pk); 951 return NULL; 952 } 953 954 return pk; 955 } 956 957 static SECKEYPublicKey* nss_buf2dsa(unsigned char* key, size_t len) 958 { 959 SECKEYPublicKey* pk; 960 uint8_t T; 961 uint16_t length; 962 uint16_t offset; 963 SECItem Q = {siBuffer, NULL, 0}; 964 SECItem P = {siBuffer, NULL, 0}; 965 SECItem G = {siBuffer, NULL, 0}; 966 SECItem Y = {siBuffer, NULL, 0}; 967 968 if(len == 0) 969 return NULL; 970 T = (uint8_t)key[0]; 971 length = (64 + T * 8); 972 offset = 1; 973 974 if (T > 8) { 975 return NULL; 976 } 977 if(len < (size_t)1 + SHA1_LENGTH + 3*length) 978 return NULL; 979 980 Q.data = key+offset; 981 Q.len = SHA1_LENGTH; 982 offset += SHA1_LENGTH; 983 984 P.data = key+offset; 985 P.len = length; 986 offset += length; 987 988 G.data = key+offset; 989 G.len = length; 990 offset += length; 991 992 Y.data = key+offset; 993 Y.len = length; 994 offset += length; 995 996 pk = nss_key_create(dsaKey); 997 if(!pk) 998 return NULL; 999 if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.prime, &P)) { 1000 SECKEY_DestroyPublicKey(pk); 1001 return NULL; 1002 } 1003 if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.subPrime, &Q)) { 1004 SECKEY_DestroyPublicKey(pk); 1005 return NULL; 1006 } 1007 if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.base, &G)) { 1008 SECKEY_DestroyPublicKey(pk); 1009 return NULL; 1010 } 1011 if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.publicValue, &Y)) { 1012 SECKEY_DestroyPublicKey(pk); 1013 return NULL; 1014 } 1015 return pk; 1016 } 1017 1018 static SECKEYPublicKey* nss_buf2rsa(unsigned char* key, size_t len) 1019 { 1020 SECKEYPublicKey* pk; 1021 uint16_t exp; 1022 uint16_t offset; 1023 uint16_t int16; 1024 SECItem modulus = {siBuffer, NULL, 0}; 1025 SECItem exponent = {siBuffer, NULL, 0}; 1026 if(len == 0) 1027 return NULL; 1028 if(key[0] == 0) { 1029 if(len < 3) 1030 return NULL; 1031 /* the exponent is too large so it's places further */ 1032 memmove(&int16, key+1, 2); 1033 exp = ntohs(int16); 1034 offset = 3; 1035 } else { 1036 exp = key[0]; 1037 offset = 1; 1038 } 1039 1040 /* key length at least one */ 1041 if(len < (size_t)offset + exp + 1) 1042 return NULL; 1043 1044 exponent.data = key+offset; 1045 exponent.len = exp; 1046 offset += exp; 1047 modulus.data = key+offset; 1048 modulus.len = (len - offset); 1049 1050 pk = nss_key_create(rsaKey); 1051 if(!pk) 1052 return NULL; 1053 if(SECITEM_CopyItem(pk->arena, &pk->u.rsa.modulus, &modulus)) { 1054 SECKEY_DestroyPublicKey(pk); 1055 return NULL; 1056 } 1057 if(SECITEM_CopyItem(pk->arena, &pk->u.rsa.publicExponent, &exponent)) { 1058 SECKEY_DestroyPublicKey(pk); 1059 return NULL; 1060 } 1061 return pk; 1062 } 1063 1064 /** 1065 * Setup key and digest for verification. Adjust sig if necessary. 1066 * 1067 * @param algo: key algorithm 1068 * @param evp_key: EVP PKEY public key to create. 1069 * @param digest_type: digest type to use 1070 * @param key: key to setup for. 1071 * @param keylen: length of key. 1072 * @param prefix: if returned, the ASN prefix for the hashblob. 1073 * @param prefixlen: length of the prefix. 1074 * @return false on failure. 1075 */ 1076 static int 1077 nss_setup_key_digest(int algo, SECKEYPublicKey** pubkey, HASH_HashType* htype, 1078 unsigned char* key, size_t keylen, unsigned char** prefix, 1079 size_t* prefixlen) 1080 { 1081 /* uses libNSS */ 1082 1083 /* hash prefix for md5, RFC2537 */ 1084 static unsigned char p_md5[] = {0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a, 1085 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 0x04, 0x10}; 1086 /* hash prefix to prepend to hash output, from RFC3110 */ 1087 static unsigned char p_sha1[] = {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B, 1088 0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14}; 1089 /* from RFC5702 */ 1090 static unsigned char p_sha256[] = {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 1091 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20}; 1092 static unsigned char p_sha512[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 1093 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40}; 1094 /* from RFC6234 */ 1095 /* for future RSASHA384 .. 1096 static unsigned char p_sha384[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 1097 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30}; 1098 */ 1099 1100 switch(algo) { 1101 1102 #if defined(USE_SHA1) || defined(USE_SHA2) 1103 #if defined(USE_DSA) && defined(USE_SHA1) 1104 case LDNS_DSA: 1105 case LDNS_DSA_NSEC3: 1106 *pubkey = nss_buf2dsa(key, keylen); 1107 if(!*pubkey) { 1108 log_err("verify: malloc failure in crypto"); 1109 return 0; 1110 } 1111 *htype = HASH_AlgSHA1; 1112 /* no prefix for DSA verification */ 1113 break; 1114 #endif 1115 #ifdef USE_SHA1 1116 case LDNS_RSASHA1: 1117 case LDNS_RSASHA1_NSEC3: 1118 #endif 1119 #ifdef USE_SHA2 1120 case LDNS_RSASHA256: 1121 #endif 1122 #ifdef USE_SHA2 1123 case LDNS_RSASHA512: 1124 #endif 1125 *pubkey = nss_buf2rsa(key, keylen); 1126 if(!*pubkey) { 1127 log_err("verify: malloc failure in crypto"); 1128 return 0; 1129 } 1130 /* select SHA version */ 1131 #ifdef USE_SHA2 1132 if(algo == LDNS_RSASHA256) { 1133 *htype = HASH_AlgSHA256; 1134 *prefix = p_sha256; 1135 *prefixlen = sizeof(p_sha256); 1136 } else 1137 #endif 1138 #ifdef USE_SHA2 1139 if(algo == LDNS_RSASHA512) { 1140 *htype = HASH_AlgSHA512; 1141 *prefix = p_sha512; 1142 *prefixlen = sizeof(p_sha512); 1143 } else 1144 #endif 1145 #ifdef USE_SHA1 1146 { 1147 *htype = HASH_AlgSHA1; 1148 *prefix = p_sha1; 1149 *prefixlen = sizeof(p_sha1); 1150 } 1151 #else 1152 { 1153 verbose(VERB_QUERY, "verify: no digest algo"); 1154 return 0; 1155 } 1156 #endif 1157 1158 break; 1159 #endif /* SHA1 or SHA2 */ 1160 1161 case LDNS_RSAMD5: 1162 *pubkey = nss_buf2rsa(key, keylen); 1163 if(!*pubkey) { 1164 log_err("verify: malloc failure in crypto"); 1165 return 0; 1166 } 1167 *htype = HASH_AlgMD5; 1168 *prefix = p_md5; 1169 *prefixlen = sizeof(p_md5); 1170 1171 break; 1172 #ifdef USE_ECDSA 1173 case LDNS_ECDSAP256SHA256: 1174 *pubkey = nss_buf2ecdsa(key, keylen, 1175 LDNS_ECDSAP256SHA256); 1176 if(!*pubkey) { 1177 log_err("verify: malloc failure in crypto"); 1178 return 0; 1179 } 1180 *htype = HASH_AlgSHA256; 1181 /* no prefix for DSA verification */ 1182 break; 1183 case LDNS_ECDSAP384SHA384: 1184 *pubkey = nss_buf2ecdsa(key, keylen, 1185 LDNS_ECDSAP384SHA384); 1186 if(!*pubkey) { 1187 log_err("verify: malloc failure in crypto"); 1188 return 0; 1189 } 1190 *htype = HASH_AlgSHA384; 1191 /* no prefix for DSA verification */ 1192 break; 1193 #endif /* USE_ECDSA */ 1194 case LDNS_ECC_GOST: 1195 default: 1196 verbose(VERB_QUERY, "verify: unknown algorithm %d", 1197 algo); 1198 return 0; 1199 } 1200 return 1; 1201 } 1202 1203 /** 1204 * Check a canonical sig+rrset and signature against a dnskey 1205 * @param buf: buffer with data to verify, the first rrsig part and the 1206 * canonicalized rrset. 1207 * @param algo: DNSKEY algorithm. 1208 * @param sigblock: signature rdata field from RRSIG 1209 * @param sigblock_len: length of sigblock data. 1210 * @param key: public key data from DNSKEY RR. 1211 * @param keylen: length of keydata. 1212 * @param reason: bogus reason in more detail. 1213 * @return secure if verification succeeded, bogus on crypto failure, 1214 * unchecked on format errors and alloc failures. 1215 */ 1216 enum sec_status 1217 verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock, 1218 unsigned int sigblock_len, unsigned char* key, unsigned int keylen, 1219 char** reason) 1220 { 1221 /* uses libNSS */ 1222 /* large enough for the different hashes */ 1223 unsigned char hash[HASH_LENGTH_MAX]; 1224 unsigned char hash2[HASH_LENGTH_MAX*2]; 1225 HASH_HashType htype = 0; 1226 SECKEYPublicKey* pubkey = NULL; 1227 SECItem secsig = {siBuffer, sigblock, sigblock_len}; 1228 SECItem sechash = {siBuffer, hash, 0}; 1229 SECStatus res; 1230 unsigned char* prefix = NULL; /* prefix for hash, RFC3110, RFC5702 */ 1231 size_t prefixlen = 0; 1232 int err; 1233 1234 if(!nss_setup_key_digest(algo, &pubkey, &htype, key, keylen, 1235 &prefix, &prefixlen)) { 1236 verbose(VERB_QUERY, "verify: failed to setup key"); 1237 *reason = "use of key for crypto failed"; 1238 SECKEY_DestroyPublicKey(pubkey); 1239 return sec_status_bogus; 1240 } 1241 1242 #if defined(USE_DSA) && defined(USE_SHA1) 1243 /* need to convert DSA, ECDSA signatures? */ 1244 if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3)) { 1245 if(sigblock_len == 1+2*SHA1_LENGTH) { 1246 secsig.data ++; 1247 secsig.len --; 1248 } else { 1249 SECItem* p = DSAU_DecodeDerSig(&secsig); 1250 if(!p) { 1251 verbose(VERB_QUERY, "verify: failed DER decode"); 1252 *reason = "signature DER decode failed"; 1253 SECKEY_DestroyPublicKey(pubkey); 1254 return sec_status_bogus; 1255 } 1256 if(SECITEM_CopyItem(pubkey->arena, &secsig, p)) { 1257 log_err("alloc failure in DER decode"); 1258 SECKEY_DestroyPublicKey(pubkey); 1259 SECITEM_FreeItem(p, PR_TRUE); 1260 return sec_status_unchecked; 1261 } 1262 SECITEM_FreeItem(p, PR_TRUE); 1263 } 1264 } 1265 #endif /* USE_DSA */ 1266 1267 /* do the signature cryptography work */ 1268 /* hash the data */ 1269 sechash.len = HASH_ResultLen(htype); 1270 if(sechash.len > sizeof(hash)) { 1271 verbose(VERB_QUERY, "verify: hash too large for buffer"); 1272 SECKEY_DestroyPublicKey(pubkey); 1273 return sec_status_unchecked; 1274 } 1275 if(HASH_HashBuf(htype, hash, (unsigned char*)sldns_buffer_begin(buf), 1276 (unsigned int)sldns_buffer_limit(buf)) != SECSuccess) { 1277 verbose(VERB_QUERY, "verify: HASH_HashBuf failed"); 1278 SECKEY_DestroyPublicKey(pubkey); 1279 return sec_status_unchecked; 1280 } 1281 if(prefix) { 1282 int hashlen = sechash.len; 1283 if(prefixlen+hashlen > sizeof(hash2)) { 1284 verbose(VERB_QUERY, "verify: hashprefix too large"); 1285 SECKEY_DestroyPublicKey(pubkey); 1286 return sec_status_unchecked; 1287 } 1288 sechash.data = hash2; 1289 sechash.len = prefixlen+hashlen; 1290 memcpy(sechash.data, prefix, prefixlen); 1291 memmove(sechash.data+prefixlen, hash, hashlen); 1292 } 1293 1294 /* verify the signature */ 1295 res = PK11_Verify(pubkey, &secsig, &sechash, NULL /*wincx*/); 1296 SECKEY_DestroyPublicKey(pubkey); 1297 1298 if(res == SECSuccess) { 1299 return sec_status_secure; 1300 } 1301 err = PORT_GetError(); 1302 if(err != SEC_ERROR_BAD_SIGNATURE) { 1303 /* failed to verify */ 1304 verbose(VERB_QUERY, "verify: PK11_Verify failed: %s", 1305 PORT_ErrorToString(err)); 1306 /* if it is not supported, like ECC is removed, we get, 1307 * SEC_ERROR_NO_MODULE */ 1308 if(err == SEC_ERROR_NO_MODULE) 1309 return sec_status_unchecked; 1310 /* but other errors are commonly returned 1311 * for a bad signature from NSS. Thus we return bogus, 1312 * not unchecked */ 1313 *reason = "signature crypto failed"; 1314 return sec_status_bogus; 1315 } 1316 verbose(VERB_QUERY, "verify: signature mismatch: %s", 1317 PORT_ErrorToString(err)); 1318 *reason = "signature crypto failed"; 1319 return sec_status_bogus; 1320 } 1321 1322 #elif defined(HAVE_NETTLE) 1323 1324 #include "sha.h" 1325 #include "bignum.h" 1326 #include "macros.h" 1327 #include "rsa.h" 1328 #include "dsa.h" 1329 #ifdef HAVE_NETTLE_DSA_COMPAT_H 1330 #include "dsa-compat.h" 1331 #endif 1332 #include "asn1.h" 1333 #ifdef USE_ECDSA 1334 #include "ecdsa.h" 1335 #include "ecc-curve.h" 1336 #endif 1337 #ifdef HAVE_NETTLE_EDDSA_H 1338 #include "eddsa.h" 1339 #endif 1340 1341 static int 1342 _digest_nettle(int algo, uint8_t* buf, size_t len, 1343 unsigned char* res) 1344 { 1345 switch(algo) { 1346 case SHA1_DIGEST_SIZE: 1347 { 1348 struct sha1_ctx ctx; 1349 sha1_init(&ctx); 1350 sha1_update(&ctx, len, buf); 1351 sha1_digest(&ctx, SHA1_DIGEST_SIZE, res); 1352 return 1; 1353 } 1354 case SHA256_DIGEST_SIZE: 1355 { 1356 struct sha256_ctx ctx; 1357 sha256_init(&ctx); 1358 sha256_update(&ctx, len, buf); 1359 sha256_digest(&ctx, SHA256_DIGEST_SIZE, res); 1360 return 1; 1361 } 1362 case SHA384_DIGEST_SIZE: 1363 { 1364 struct sha384_ctx ctx; 1365 sha384_init(&ctx); 1366 sha384_update(&ctx, len, buf); 1367 sha384_digest(&ctx, SHA384_DIGEST_SIZE, res); 1368 return 1; 1369 } 1370 case SHA512_DIGEST_SIZE: 1371 { 1372 struct sha512_ctx ctx; 1373 sha512_init(&ctx); 1374 sha512_update(&ctx, len, buf); 1375 sha512_digest(&ctx, SHA512_DIGEST_SIZE, res); 1376 return 1; 1377 } 1378 default: 1379 break; 1380 } 1381 return 0; 1382 } 1383 1384 /* return size of digest if supported, or 0 otherwise */ 1385 size_t 1386 nsec3_hash_algo_size_supported(int id) 1387 { 1388 switch(id) { 1389 case NSEC3_HASH_SHA1: 1390 return SHA1_DIGEST_SIZE; 1391 default: 1392 return 0; 1393 } 1394 } 1395 1396 /* perform nsec3 hash. return false on failure */ 1397 int 1398 secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len, 1399 unsigned char* res) 1400 { 1401 switch(algo) { 1402 case NSEC3_HASH_SHA1: 1403 return _digest_nettle(SHA1_DIGEST_SIZE, (uint8_t*)buf, len, 1404 res); 1405 default: 1406 return 0; 1407 } 1408 } 1409 1410 void 1411 secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res) 1412 { 1413 _digest_nettle(SHA256_DIGEST_SIZE, (uint8_t*)buf, len, res); 1414 } 1415 1416 /** 1417 * Return size of DS digest according to its hash algorithm. 1418 * @param algo: DS digest algo. 1419 * @return size in bytes of digest, or 0 if not supported. 1420 */ 1421 size_t 1422 ds_digest_size_supported(int algo) 1423 { 1424 switch(algo) { 1425 case LDNS_SHA1: 1426 #ifdef USE_SHA1 1427 return SHA1_DIGEST_SIZE; 1428 #else 1429 if(fake_sha1) return 20; 1430 return 0; 1431 #endif 1432 #ifdef USE_SHA2 1433 case LDNS_SHA256: 1434 return SHA256_DIGEST_SIZE; 1435 #endif 1436 #ifdef USE_ECDSA 1437 case LDNS_SHA384: 1438 return SHA384_DIGEST_SIZE; 1439 #endif 1440 /* GOST not supported */ 1441 case LDNS_HASH_GOST: 1442 default: 1443 break; 1444 } 1445 return 0; 1446 } 1447 1448 int 1449 secalgo_ds_digest(int algo, unsigned char* buf, size_t len, 1450 unsigned char* res) 1451 { 1452 switch(algo) { 1453 #ifdef USE_SHA1 1454 case LDNS_SHA1: 1455 return _digest_nettle(SHA1_DIGEST_SIZE, buf, len, res); 1456 #endif 1457 #if defined(USE_SHA2) 1458 case LDNS_SHA256: 1459 return _digest_nettle(SHA256_DIGEST_SIZE, buf, len, res); 1460 #endif 1461 #ifdef USE_ECDSA 1462 case LDNS_SHA384: 1463 return _digest_nettle(SHA384_DIGEST_SIZE, buf, len, res); 1464 1465 #endif 1466 case LDNS_HASH_GOST: 1467 default: 1468 verbose(VERB_QUERY, "unknown DS digest algorithm %d", 1469 algo); 1470 break; 1471 } 1472 return 0; 1473 } 1474 1475 int 1476 dnskey_algo_id_is_supported(int id) 1477 { 1478 /* uses libnettle */ 1479 switch(id) { 1480 #if defined(USE_DSA) && defined(USE_SHA1) 1481 case LDNS_DSA: 1482 case LDNS_DSA_NSEC3: 1483 #endif 1484 #ifdef USE_SHA1 1485 case LDNS_RSASHA1: 1486 case LDNS_RSASHA1_NSEC3: 1487 #endif 1488 #ifdef USE_SHA2 1489 case LDNS_RSASHA256: 1490 case LDNS_RSASHA512: 1491 #endif 1492 #ifdef USE_ECDSA 1493 case LDNS_ECDSAP256SHA256: 1494 case LDNS_ECDSAP384SHA384: 1495 #endif 1496 return 1; 1497 #ifdef USE_ED25519 1498 case LDNS_ED25519: 1499 return 1; 1500 #endif 1501 case LDNS_RSAMD5: /* RFC 6725 deprecates RSAMD5 */ 1502 case LDNS_ECC_GOST: 1503 default: 1504 return 0; 1505 } 1506 } 1507 1508 #if defined(USE_DSA) && defined(USE_SHA1) 1509 static char * 1510 _verify_nettle_dsa(sldns_buffer* buf, unsigned char* sigblock, 1511 unsigned int sigblock_len, unsigned char* key, unsigned int keylen) 1512 { 1513 uint8_t digest[SHA1_DIGEST_SIZE]; 1514 uint8_t key_t_value; 1515 int res = 0; 1516 size_t offset; 1517 struct dsa_public_key pubkey; 1518 struct dsa_signature signature; 1519 unsigned int expected_len; 1520 1521 /* Extract DSA signature from the record */ 1522 nettle_dsa_signature_init(&signature); 1523 /* Signature length: 41 bytes - RFC 2536 sec. 3 */ 1524 if(sigblock_len == 41) { 1525 if(key[0] != sigblock[0]) 1526 return "invalid T value in DSA signature or pubkey"; 1527 nettle_mpz_set_str_256_u(signature.r, 20, sigblock+1); 1528 nettle_mpz_set_str_256_u(signature.s, 20, sigblock+1+20); 1529 } else { 1530 /* DER encoded, decode the ASN1 notated R and S bignums */ 1531 /* SEQUENCE { r INTEGER, s INTEGER } */ 1532 struct asn1_der_iterator i, seq; 1533 if(asn1_der_iterator_first(&i, sigblock_len, 1534 (uint8_t*)sigblock) != ASN1_ITERATOR_CONSTRUCTED 1535 || i.type != ASN1_SEQUENCE) 1536 return "malformed DER encoded DSA signature"; 1537 /* decode this element of i using the seq iterator */ 1538 if(asn1_der_decode_constructed(&i, &seq) != 1539 ASN1_ITERATOR_PRIMITIVE || seq.type != ASN1_INTEGER) 1540 return "malformed DER encoded DSA signature"; 1541 if(!asn1_der_get_bignum(&seq, signature.r, 20*8)) 1542 return "malformed DER encoded DSA signature"; 1543 if(asn1_der_iterator_next(&seq) != ASN1_ITERATOR_PRIMITIVE 1544 || seq.type != ASN1_INTEGER) 1545 return "malformed DER encoded DSA signature"; 1546 if(!asn1_der_get_bignum(&seq, signature.s, 20*8)) 1547 return "malformed DER encoded DSA signature"; 1548 if(asn1_der_iterator_next(&i) != ASN1_ITERATOR_END) 1549 return "malformed DER encoded DSA signature"; 1550 } 1551 1552 /* Validate T values constraints - RFC 2536 sec. 2 & sec. 3 */ 1553 key_t_value = key[0]; 1554 if (key_t_value > 8) { 1555 return "invalid T value in DSA pubkey"; 1556 } 1557 1558 /* Pubkey minimum length: 21 bytes - RFC 2536 sec. 2 */ 1559 if (keylen < 21) { 1560 return "DSA pubkey too short"; 1561 } 1562 1563 expected_len = 1 + /* T */ 1564 20 + /* Q */ 1565 (64 + key_t_value*8) + /* P */ 1566 (64 + key_t_value*8) + /* G */ 1567 (64 + key_t_value*8); /* Y */ 1568 if (keylen != expected_len ) { 1569 return "invalid DSA pubkey length"; 1570 } 1571 1572 /* Extract DSA pubkey from the record */ 1573 nettle_dsa_public_key_init(&pubkey); 1574 offset = 1; 1575 nettle_mpz_set_str_256_u(pubkey.q, 20, key+offset); 1576 offset += 20; 1577 nettle_mpz_set_str_256_u(pubkey.p, (64 + key_t_value*8), key+offset); 1578 offset += (64 + key_t_value*8); 1579 nettle_mpz_set_str_256_u(pubkey.g, (64 + key_t_value*8), key+offset); 1580 offset += (64 + key_t_value*8); 1581 nettle_mpz_set_str_256_u(pubkey.y, (64 + key_t_value*8), key+offset); 1582 1583 /* Digest content of "buf" and verify its DSA signature in "sigblock"*/ 1584 res = _digest_nettle(SHA1_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), 1585 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); 1586 res &= dsa_sha1_verify_digest(&pubkey, digest, &signature); 1587 1588 /* Clear and return */ 1589 nettle_dsa_signature_clear(&signature); 1590 nettle_dsa_public_key_clear(&pubkey); 1591 if (!res) 1592 return "DSA signature verification failed"; 1593 else 1594 return NULL; 1595 } 1596 #endif /* USE_DSA */ 1597 1598 static char * 1599 _verify_nettle_rsa(sldns_buffer* buf, unsigned int digest_size, char* sigblock, 1600 unsigned int sigblock_len, uint8_t* key, unsigned int keylen) 1601 { 1602 uint16_t exp_len = 0; 1603 size_t exp_offset = 0, mod_offset = 0; 1604 struct rsa_public_key pubkey; 1605 mpz_t signature; 1606 int res = 0; 1607 1608 /* RSA pubkey parsing as per RFC 3110 sec. 2 */ 1609 if( keylen <= 1) { 1610 return "null RSA key"; 1611 } 1612 if (key[0] != 0) { 1613 /* 1-byte length */ 1614 exp_len = key[0]; 1615 exp_offset = 1; 1616 } else { 1617 /* 1-byte NUL + 2-bytes exponent length */ 1618 if (keylen < 3) { 1619 return "incorrect RSA key length"; 1620 } 1621 exp_len = READ_UINT16(key+1); 1622 if (exp_len == 0) 1623 return "null RSA exponent length"; 1624 exp_offset = 3; 1625 } 1626 /* Check that we are not over-running input length */ 1627 if (keylen < exp_offset + exp_len + 1) { 1628 return "RSA key content shorter than expected"; 1629 } 1630 mod_offset = exp_offset + exp_len; 1631 nettle_rsa_public_key_init(&pubkey); 1632 pubkey.size = keylen - mod_offset; 1633 nettle_mpz_set_str_256_u(pubkey.e, exp_len, &key[exp_offset]); 1634 nettle_mpz_set_str_256_u(pubkey.n, pubkey.size, &key[mod_offset]); 1635 1636 /* Digest content of "buf" and verify its RSA signature in "sigblock"*/ 1637 nettle_mpz_init_set_str_256_u(signature, sigblock_len, (uint8_t*)sigblock); 1638 switch (digest_size) { 1639 case SHA1_DIGEST_SIZE: 1640 { 1641 uint8_t digest[SHA1_DIGEST_SIZE]; 1642 res = _digest_nettle(SHA1_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), 1643 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); 1644 res &= rsa_sha1_verify_digest(&pubkey, digest, signature); 1645 break; 1646 } 1647 case SHA256_DIGEST_SIZE: 1648 { 1649 uint8_t digest[SHA256_DIGEST_SIZE]; 1650 res = _digest_nettle(SHA256_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), 1651 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); 1652 res &= rsa_sha256_verify_digest(&pubkey, digest, signature); 1653 break; 1654 } 1655 case SHA512_DIGEST_SIZE: 1656 { 1657 uint8_t digest[SHA512_DIGEST_SIZE]; 1658 res = _digest_nettle(SHA512_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), 1659 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); 1660 res &= rsa_sha512_verify_digest(&pubkey, digest, signature); 1661 break; 1662 } 1663 default: 1664 break; 1665 } 1666 1667 /* Clear and return */ 1668 nettle_rsa_public_key_clear(&pubkey); 1669 mpz_clear(signature); 1670 if (!res) { 1671 return "RSA signature verification failed"; 1672 } else { 1673 return NULL; 1674 } 1675 } 1676 1677 #ifdef USE_ECDSA 1678 static char * 1679 _verify_nettle_ecdsa(sldns_buffer* buf, unsigned int digest_size, unsigned char* sigblock, 1680 unsigned int sigblock_len, unsigned char* key, unsigned int keylen) 1681 { 1682 int res = 0; 1683 struct ecc_point pubkey; 1684 struct dsa_signature signature; 1685 1686 /* Always matched strength, as per RFC 6605 sec. 1 */ 1687 if (sigblock_len != 2*digest_size || keylen != 2*digest_size) { 1688 return "wrong ECDSA signature length"; 1689 } 1690 1691 /* Parse ECDSA signature as per RFC 6605 sec. 4 */ 1692 nettle_dsa_signature_init(&signature); 1693 switch (digest_size) { 1694 case SHA256_DIGEST_SIZE: 1695 { 1696 uint8_t digest[SHA256_DIGEST_SIZE]; 1697 mpz_t x, y; 1698 nettle_ecc_point_init(&pubkey, &nettle_secp_256r1); 1699 nettle_mpz_init_set_str_256_u(x, SHA256_DIGEST_SIZE, key); 1700 nettle_mpz_init_set_str_256_u(y, SHA256_DIGEST_SIZE, key+SHA256_DIGEST_SIZE); 1701 nettle_mpz_set_str_256_u(signature.r, SHA256_DIGEST_SIZE, sigblock); 1702 nettle_mpz_set_str_256_u(signature.s, SHA256_DIGEST_SIZE, sigblock+SHA256_DIGEST_SIZE); 1703 res = _digest_nettle(SHA256_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), 1704 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); 1705 res &= nettle_ecc_point_set(&pubkey, x, y); 1706 res &= nettle_ecdsa_verify (&pubkey, SHA256_DIGEST_SIZE, digest, &signature); 1707 mpz_clear(x); 1708 mpz_clear(y); 1709 break; 1710 } 1711 case SHA384_DIGEST_SIZE: 1712 { 1713 uint8_t digest[SHA384_DIGEST_SIZE]; 1714 mpz_t x, y; 1715 nettle_ecc_point_init(&pubkey, &nettle_secp_384r1); 1716 nettle_mpz_init_set_str_256_u(x, SHA384_DIGEST_SIZE, key); 1717 nettle_mpz_init_set_str_256_u(y, SHA384_DIGEST_SIZE, key+SHA384_DIGEST_SIZE); 1718 nettle_mpz_set_str_256_u(signature.r, SHA384_DIGEST_SIZE, sigblock); 1719 nettle_mpz_set_str_256_u(signature.s, SHA384_DIGEST_SIZE, sigblock+SHA384_DIGEST_SIZE); 1720 res = _digest_nettle(SHA384_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), 1721 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); 1722 res &= nettle_ecc_point_set(&pubkey, x, y); 1723 res &= nettle_ecdsa_verify (&pubkey, SHA384_DIGEST_SIZE, digest, &signature); 1724 mpz_clear(x); 1725 mpz_clear(y); 1726 nettle_ecc_point_clear(&pubkey); 1727 break; 1728 } 1729 default: 1730 return "unknown ECDSA algorithm"; 1731 } 1732 1733 /* Clear and return */ 1734 nettle_dsa_signature_clear(&signature); 1735 if (!res) 1736 return "ECDSA signature verification failed"; 1737 else 1738 return NULL; 1739 } 1740 #endif 1741 1742 #ifdef USE_ED25519 1743 static char * 1744 _verify_nettle_ed25519(sldns_buffer* buf, unsigned char* sigblock, 1745 unsigned int sigblock_len, unsigned char* key, unsigned int keylen) 1746 { 1747 int res = 0; 1748 1749 if(sigblock_len != ED25519_SIGNATURE_SIZE) { 1750 return "wrong ED25519 signature length"; 1751 } 1752 if(keylen != ED25519_KEY_SIZE) { 1753 return "wrong ED25519 key length"; 1754 } 1755 1756 res = ed25519_sha512_verify((uint8_t*)key, sldns_buffer_limit(buf), 1757 sldns_buffer_begin(buf), (uint8_t*)sigblock); 1758 1759 if (!res) 1760 return "ED25519 signature verification failed"; 1761 else 1762 return NULL; 1763 } 1764 #endif 1765 1766 /** 1767 * Check a canonical sig+rrset and signature against a dnskey 1768 * @param buf: buffer with data to verify, the first rrsig part and the 1769 * canonicalized rrset. 1770 * @param algo: DNSKEY algorithm. 1771 * @param sigblock: signature rdata field from RRSIG 1772 * @param sigblock_len: length of sigblock data. 1773 * @param key: public key data from DNSKEY RR. 1774 * @param keylen: length of keydata. 1775 * @param reason: bogus reason in more detail. 1776 * @return secure if verification succeeded, bogus on crypto failure, 1777 * unchecked on format errors and alloc failures. 1778 */ 1779 enum sec_status 1780 verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock, 1781 unsigned int sigblock_len, unsigned char* key, unsigned int keylen, 1782 char** reason) 1783 { 1784 unsigned int digest_size = 0; 1785 1786 if (sigblock_len == 0 || keylen == 0) { 1787 *reason = "null signature"; 1788 return sec_status_bogus; 1789 } 1790 1791 switch(algo) { 1792 #if defined(USE_DSA) && defined(USE_SHA1) 1793 case LDNS_DSA: 1794 case LDNS_DSA_NSEC3: 1795 *reason = _verify_nettle_dsa(buf, sigblock, sigblock_len, key, keylen); 1796 if (*reason != NULL) 1797 return sec_status_bogus; 1798 else 1799 return sec_status_secure; 1800 #endif /* USE_DSA */ 1801 1802 #ifdef USE_SHA1 1803 case LDNS_RSASHA1: 1804 case LDNS_RSASHA1_NSEC3: 1805 digest_size = (digest_size ? digest_size : SHA1_DIGEST_SIZE); 1806 #endif 1807 /* double fallthrough annotation to please gcc parser */ 1808 /* fallthrough */ 1809 #ifdef USE_SHA2 1810 /* fallthrough */ 1811 case LDNS_RSASHA256: 1812 digest_size = (digest_size ? digest_size : SHA256_DIGEST_SIZE); 1813 /* fallthrough */ 1814 case LDNS_RSASHA512: 1815 digest_size = (digest_size ? digest_size : SHA512_DIGEST_SIZE); 1816 1817 #endif 1818 *reason = _verify_nettle_rsa(buf, digest_size, (char*)sigblock, 1819 sigblock_len, key, keylen); 1820 if (*reason != NULL) 1821 return sec_status_bogus; 1822 else 1823 return sec_status_secure; 1824 1825 #ifdef USE_ECDSA 1826 case LDNS_ECDSAP256SHA256: 1827 digest_size = (digest_size ? digest_size : SHA256_DIGEST_SIZE); 1828 /* fallthrough */ 1829 case LDNS_ECDSAP384SHA384: 1830 digest_size = (digest_size ? digest_size : SHA384_DIGEST_SIZE); 1831 *reason = _verify_nettle_ecdsa(buf, digest_size, sigblock, 1832 sigblock_len, key, keylen); 1833 if (*reason != NULL) 1834 return sec_status_bogus; 1835 else 1836 return sec_status_secure; 1837 #endif 1838 #ifdef USE_ED25519 1839 case LDNS_ED25519: 1840 *reason = _verify_nettle_ed25519(buf, sigblock, sigblock_len, 1841 key, keylen); 1842 if (*reason != NULL) 1843 return sec_status_bogus; 1844 else 1845 return sec_status_secure; 1846 #endif 1847 case LDNS_RSAMD5: 1848 case LDNS_ECC_GOST: 1849 default: 1850 *reason = "unable to verify signature, unknown algorithm"; 1851 return sec_status_bogus; 1852 } 1853 } 1854 1855 #endif /* HAVE_SSL or HAVE_NSS or HAVE_NETTLE */ 1856