1 /* 2 * validator/val_secalgo.c - validator security algorithm functions. 3 * 4 * Copyright (c) 2012, NLnet Labs. All rights reserved. 5 * 6 * This software is open source. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * Redistributions of source code must retain the above copyright notice, 13 * this list of conditions and the following disclaimer. 14 * 15 * Redistributions in binary form must reproduce the above copyright notice, 16 * this list of conditions and the following disclaimer in the documentation 17 * and/or other materials provided with the distribution. 18 * 19 * Neither the name of the NLNET LABS nor the names of its contributors may 20 * be used to endorse or promote products derived from this software without 21 * specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36 /** 37 * \file 38 * 39 * This file contains helper functions for the validator module. 40 * These functions take raw data buffers, formatted for crypto verification, 41 * and do the library calls (for the crypto library in use). 42 */ 43 #include "config.h" 44 /* packed_rrset on top to define enum types (forced by c99 standard) */ 45 #include "util/data/packed_rrset.h" 46 #include "validator/val_secalgo.h" 47 #include "validator/val_nsec3.h" 48 #include "util/log.h" 49 #include "sldns/rrdef.h" 50 #include "sldns/keyraw.h" 51 #include "sldns/sbuffer.h" 52 53 #if !defined(HAVE_SSL) && !defined(HAVE_NSS) && !defined(HAVE_NETTLE) 54 #error "Need crypto library to do digital signature cryptography" 55 #endif 56 57 /* OpenSSL implementation */ 58 #ifdef HAVE_SSL 59 #ifdef HAVE_OPENSSL_ERR_H 60 #include <openssl/err.h> 61 #endif 62 63 #ifdef HAVE_OPENSSL_RAND_H 64 #include <openssl/rand.h> 65 #endif 66 67 #ifdef HAVE_OPENSSL_CONF_H 68 #include <openssl/conf.h> 69 #endif 70 71 #ifdef HAVE_OPENSSL_ENGINE_H 72 #include <openssl/engine.h> 73 #endif 74 75 /* return size of digest if supported, or 0 otherwise */ 76 size_t 77 nsec3_hash_algo_size_supported(int id) 78 { 79 switch(id) { 80 case NSEC3_HASH_SHA1: 81 return SHA_DIGEST_LENGTH; 82 default: 83 return 0; 84 } 85 } 86 87 /* perform nsec3 hash. return false on failure */ 88 int 89 secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len, 90 unsigned char* res) 91 { 92 switch(algo) { 93 case NSEC3_HASH_SHA1: 94 (void)SHA1(buf, len, res); 95 return 1; 96 default: 97 return 0; 98 } 99 } 100 101 /** 102 * Return size of DS digest according to its hash algorithm. 103 * @param algo: DS digest algo. 104 * @return size in bytes of digest, or 0 if not supported. 105 */ 106 size_t 107 ds_digest_size_supported(int algo) 108 { 109 switch(algo) { 110 #ifdef HAVE_EVP_SHA1 111 case LDNS_SHA1: 112 return SHA_DIGEST_LENGTH; 113 #endif 114 #ifdef HAVE_EVP_SHA256 115 case LDNS_SHA256: 116 return SHA256_DIGEST_LENGTH; 117 #endif 118 #ifdef USE_GOST 119 case LDNS_HASH_GOST: 120 /* we support GOST if it can be loaded */ 121 (void)sldns_key_EVP_load_gost_id(); 122 if(EVP_get_digestbyname("md_gost94")) 123 return 32; 124 else return 0; 125 #endif 126 #ifdef USE_ECDSA 127 case LDNS_SHA384: 128 return SHA384_DIGEST_LENGTH; 129 #endif 130 default: break; 131 } 132 return 0; 133 } 134 135 #ifdef USE_GOST 136 /** Perform GOST hash */ 137 static int 138 do_gost94(unsigned char* data, size_t len, unsigned char* dest) 139 { 140 const EVP_MD* md = EVP_get_digestbyname("md_gost94"); 141 if(!md) 142 return 0; 143 return sldns_digest_evp(data, (unsigned int)len, dest, md); 144 } 145 #endif 146 147 int 148 secalgo_ds_digest(int algo, unsigned char* buf, size_t len, 149 unsigned char* res) 150 { 151 switch(algo) { 152 #ifdef HAVE_EVP_SHA1 153 case LDNS_SHA1: 154 (void)SHA1(buf, len, res); 155 return 1; 156 #endif 157 #ifdef HAVE_EVP_SHA256 158 case LDNS_SHA256: 159 (void)SHA256(buf, len, res); 160 return 1; 161 #endif 162 #ifdef USE_GOST 163 case LDNS_HASH_GOST: 164 if(do_gost94(buf, len, res)) 165 return 1; 166 break; 167 #endif 168 #ifdef USE_ECDSA 169 case LDNS_SHA384: 170 (void)SHA384(buf, len, res); 171 return 1; 172 #endif 173 default: 174 verbose(VERB_QUERY, "unknown DS digest algorithm %d", 175 algo); 176 break; 177 } 178 return 0; 179 } 180 181 /** return true if DNSKEY algorithm id is supported */ 182 int 183 dnskey_algo_id_is_supported(int id) 184 { 185 switch(id) { 186 case LDNS_RSAMD5: 187 /* RFC 6725 deprecates RSAMD5 */ 188 return 0; 189 case LDNS_DSA: 190 case LDNS_DSA_NSEC3: 191 case LDNS_RSASHA1: 192 case LDNS_RSASHA1_NSEC3: 193 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2) 194 case LDNS_RSASHA256: 195 #endif 196 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2) 197 case LDNS_RSASHA512: 198 #endif 199 #ifdef USE_ECDSA 200 case LDNS_ECDSAP256SHA256: 201 case LDNS_ECDSAP384SHA384: 202 #endif 203 return 1; 204 #ifdef USE_GOST 205 case LDNS_ECC_GOST: 206 /* we support GOST if it can be loaded */ 207 return sldns_key_EVP_load_gost_id(); 208 #endif 209 default: 210 return 0; 211 } 212 } 213 214 /** 215 * Output a libcrypto openssl error to the logfile. 216 * @param str: string to add to it. 217 * @param e: the error to output, error number from ERR_get_error(). 218 */ 219 static void 220 log_crypto_error(const char* str, unsigned long e) 221 { 222 char buf[128]; 223 /* or use ERR_error_string if ERR_error_string_n is not avail TODO */ 224 ERR_error_string_n(e, buf, sizeof(buf)); 225 /* buf now contains */ 226 /* error:[error code]:[library name]:[function name]:[reason string] */ 227 log_err("%s crypto %s", str, buf); 228 } 229 230 /** 231 * Setup DSA key digest in DER encoding ... 232 * @param sig: input is signature output alloced ptr (unless failure). 233 * caller must free alloced ptr if this routine returns true. 234 * @param len: input is initial siglen, output is output len. 235 * @return false on failure. 236 */ 237 static int 238 setup_dsa_sig(unsigned char** sig, unsigned int* len) 239 { 240 unsigned char* orig = *sig; 241 unsigned int origlen = *len; 242 int newlen; 243 BIGNUM *R, *S; 244 DSA_SIG *dsasig; 245 246 /* extract the R and S field from the sig buffer */ 247 if(origlen < 1 + 2*SHA_DIGEST_LENGTH) 248 return 0; 249 R = BN_new(); 250 if(!R) return 0; 251 (void) BN_bin2bn(orig + 1, SHA_DIGEST_LENGTH, R); 252 S = BN_new(); 253 if(!S) return 0; 254 (void) BN_bin2bn(orig + 21, SHA_DIGEST_LENGTH, S); 255 dsasig = DSA_SIG_new(); 256 if(!dsasig) return 0; 257 258 dsasig->r = R; 259 dsasig->s = S; 260 *sig = NULL; 261 newlen = i2d_DSA_SIG(dsasig, sig); 262 if(newlen < 0) { 263 DSA_SIG_free(dsasig); 264 free(*sig); 265 return 0; 266 } 267 *len = (unsigned int)newlen; 268 DSA_SIG_free(dsasig); 269 return 1; 270 } 271 272 #ifdef USE_ECDSA 273 /** 274 * Setup the ECDSA signature in its encoding that the library wants. 275 * Converts from plain numbers to ASN formatted. 276 * @param sig: input is signature, output alloced ptr (unless failure). 277 * caller must free alloced ptr if this routine returns true. 278 * @param len: input is initial siglen, output is output len. 279 * @return false on failure. 280 */ 281 static int 282 setup_ecdsa_sig(unsigned char** sig, unsigned int* len) 283 { 284 ECDSA_SIG* ecdsa_sig; 285 int newlen; 286 int bnsize = (int)((*len)/2); 287 /* if too short or not even length, fails */ 288 if(*len < 16 || bnsize*2 != (int)*len) 289 return 0; 290 /* use the raw data to parse two evenly long BIGNUMs, "r | s". */ 291 ecdsa_sig = ECDSA_SIG_new(); 292 if(!ecdsa_sig) return 0; 293 ecdsa_sig->r = BN_bin2bn(*sig, bnsize, ecdsa_sig->r); 294 ecdsa_sig->s = BN_bin2bn(*sig+bnsize, bnsize, ecdsa_sig->s); 295 if(!ecdsa_sig->r || !ecdsa_sig->s) { 296 ECDSA_SIG_free(ecdsa_sig); 297 return 0; 298 } 299 300 /* spool it into ASN format */ 301 *sig = NULL; 302 newlen = i2d_ECDSA_SIG(ecdsa_sig, sig); 303 if(newlen <= 0) { 304 ECDSA_SIG_free(ecdsa_sig); 305 free(*sig); 306 return 0; 307 } 308 *len = (unsigned int)newlen; 309 ECDSA_SIG_free(ecdsa_sig); 310 return 1; 311 } 312 #endif /* USE_ECDSA */ 313 314 /** 315 * Setup key and digest for verification. Adjust sig if necessary. 316 * 317 * @param algo: key algorithm 318 * @param evp_key: EVP PKEY public key to create. 319 * @param digest_type: digest type to use 320 * @param key: key to setup for. 321 * @param keylen: length of key. 322 * @return false on failure. 323 */ 324 static int 325 setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type, 326 unsigned char* key, size_t keylen) 327 { 328 DSA* dsa; 329 RSA* rsa; 330 331 switch(algo) { 332 case LDNS_DSA: 333 case LDNS_DSA_NSEC3: 334 *evp_key = EVP_PKEY_new(); 335 if(!*evp_key) { 336 log_err("verify: malloc failure in crypto"); 337 return 0; 338 } 339 dsa = sldns_key_buf2dsa_raw(key, keylen); 340 if(!dsa) { 341 verbose(VERB_QUERY, "verify: " 342 "sldns_key_buf2dsa_raw failed"); 343 return 0; 344 } 345 if(EVP_PKEY_assign_DSA(*evp_key, dsa) == 0) { 346 verbose(VERB_QUERY, "verify: " 347 "EVP_PKEY_assign_DSA failed"); 348 return 0; 349 } 350 *digest_type = EVP_dss1(); 351 352 break; 353 case LDNS_RSASHA1: 354 case LDNS_RSASHA1_NSEC3: 355 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2) 356 case LDNS_RSASHA256: 357 #endif 358 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2) 359 case LDNS_RSASHA512: 360 #endif 361 *evp_key = EVP_PKEY_new(); 362 if(!*evp_key) { 363 log_err("verify: malloc failure in crypto"); 364 return 0; 365 } 366 rsa = sldns_key_buf2rsa_raw(key, keylen); 367 if(!rsa) { 368 verbose(VERB_QUERY, "verify: " 369 "sldns_key_buf2rsa_raw SHA failed"); 370 return 0; 371 } 372 if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) { 373 verbose(VERB_QUERY, "verify: " 374 "EVP_PKEY_assign_RSA SHA failed"); 375 return 0; 376 } 377 378 /* select SHA version */ 379 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2) 380 if(algo == LDNS_RSASHA256) 381 *digest_type = EVP_sha256(); 382 else 383 #endif 384 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2) 385 if(algo == LDNS_RSASHA512) 386 *digest_type = EVP_sha512(); 387 else 388 #endif 389 *digest_type = EVP_sha1(); 390 391 break; 392 case LDNS_RSAMD5: 393 *evp_key = EVP_PKEY_new(); 394 if(!*evp_key) { 395 log_err("verify: malloc failure in crypto"); 396 return 0; 397 } 398 rsa = sldns_key_buf2rsa_raw(key, keylen); 399 if(!rsa) { 400 verbose(VERB_QUERY, "verify: " 401 "sldns_key_buf2rsa_raw MD5 failed"); 402 return 0; 403 } 404 if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) { 405 verbose(VERB_QUERY, "verify: " 406 "EVP_PKEY_assign_RSA MD5 failed"); 407 return 0; 408 } 409 *digest_type = EVP_md5(); 410 411 break; 412 #ifdef USE_GOST 413 case LDNS_ECC_GOST: 414 *evp_key = sldns_gost2pkey_raw(key, keylen); 415 if(!*evp_key) { 416 verbose(VERB_QUERY, "verify: " 417 "sldns_gost2pkey_raw failed"); 418 return 0; 419 } 420 *digest_type = EVP_get_digestbyname("md_gost94"); 421 if(!*digest_type) { 422 verbose(VERB_QUERY, "verify: " 423 "EVP_getdigest md_gost94 failed"); 424 return 0; 425 } 426 break; 427 #endif 428 #ifdef USE_ECDSA 429 case LDNS_ECDSAP256SHA256: 430 *evp_key = sldns_ecdsa2pkey_raw(key, keylen, 431 LDNS_ECDSAP256SHA256); 432 if(!*evp_key) { 433 verbose(VERB_QUERY, "verify: " 434 "sldns_ecdsa2pkey_raw failed"); 435 return 0; 436 } 437 #ifdef USE_ECDSA_EVP_WORKAROUND 438 /* openssl before 1.0.0 fixes RSA with the SHA256 439 * hash in EVP. We create one for ecdsa_sha256 */ 440 { 441 static int md_ecdsa_256_done = 0; 442 static EVP_MD md; 443 if(!md_ecdsa_256_done) { 444 EVP_MD m = *EVP_sha256(); 445 md_ecdsa_256_done = 1; 446 m.required_pkey_type[0] = (*evp_key)->type; 447 m.verify = (void*)ECDSA_verify; 448 md = m; 449 } 450 *digest_type = &md; 451 } 452 #else 453 *digest_type = EVP_sha256(); 454 #endif 455 break; 456 case LDNS_ECDSAP384SHA384: 457 *evp_key = sldns_ecdsa2pkey_raw(key, keylen, 458 LDNS_ECDSAP384SHA384); 459 if(!*evp_key) { 460 verbose(VERB_QUERY, "verify: " 461 "sldns_ecdsa2pkey_raw failed"); 462 return 0; 463 } 464 #ifdef USE_ECDSA_EVP_WORKAROUND 465 /* openssl before 1.0.0 fixes RSA with the SHA384 466 * hash in EVP. We create one for ecdsa_sha384 */ 467 { 468 static int md_ecdsa_384_done = 0; 469 static EVP_MD md; 470 if(!md_ecdsa_384_done) { 471 EVP_MD m = *EVP_sha384(); 472 md_ecdsa_384_done = 1; 473 m.required_pkey_type[0] = (*evp_key)->type; 474 m.verify = (void*)ECDSA_verify; 475 md = m; 476 } 477 *digest_type = &md; 478 } 479 #else 480 *digest_type = EVP_sha384(); 481 #endif 482 break; 483 #endif /* USE_ECDSA */ 484 default: 485 verbose(VERB_QUERY, "verify: unknown algorithm %d", 486 algo); 487 return 0; 488 } 489 return 1; 490 } 491 492 /** 493 * Check a canonical sig+rrset and signature against a dnskey 494 * @param buf: buffer with data to verify, the first rrsig part and the 495 * canonicalized rrset. 496 * @param algo: DNSKEY algorithm. 497 * @param sigblock: signature rdata field from RRSIG 498 * @param sigblock_len: length of sigblock data. 499 * @param key: public key data from DNSKEY RR. 500 * @param keylen: length of keydata. 501 * @param reason: bogus reason in more detail. 502 * @return secure if verification succeeded, bogus on crypto failure, 503 * unchecked on format errors and alloc failures. 504 */ 505 enum sec_status 506 verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock, 507 unsigned int sigblock_len, unsigned char* key, unsigned int keylen, 508 char** reason) 509 { 510 const EVP_MD *digest_type; 511 EVP_MD_CTX ctx; 512 int res, dofree = 0; 513 EVP_PKEY *evp_key = NULL; 514 515 if(!setup_key_digest(algo, &evp_key, &digest_type, key, keylen)) { 516 verbose(VERB_QUERY, "verify: failed to setup key"); 517 *reason = "use of key for crypto failed"; 518 EVP_PKEY_free(evp_key); 519 return sec_status_bogus; 520 } 521 /* if it is a DSA signature in bind format, convert to DER format */ 522 if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) && 523 sigblock_len == 1+2*SHA_DIGEST_LENGTH) { 524 if(!setup_dsa_sig(&sigblock, &sigblock_len)) { 525 verbose(VERB_QUERY, "verify: failed to setup DSA sig"); 526 *reason = "use of key for DSA crypto failed"; 527 EVP_PKEY_free(evp_key); 528 return sec_status_bogus; 529 } 530 dofree = 1; 531 } 532 #ifdef USE_ECDSA 533 else if(algo == LDNS_ECDSAP256SHA256 || algo == LDNS_ECDSAP384SHA384) { 534 /* EVP uses ASN prefix on sig, which is not in the wire data */ 535 if(!setup_ecdsa_sig(&sigblock, &sigblock_len)) { 536 verbose(VERB_QUERY, "verify: failed to setup ECDSA sig"); 537 *reason = "use of signature for ECDSA crypto failed"; 538 EVP_PKEY_free(evp_key); 539 return sec_status_bogus; 540 } 541 dofree = 1; 542 } 543 #endif /* USE_ECDSA */ 544 545 /* do the signature cryptography work */ 546 EVP_MD_CTX_init(&ctx); 547 if(EVP_VerifyInit(&ctx, digest_type) == 0) { 548 verbose(VERB_QUERY, "verify: EVP_VerifyInit failed"); 549 EVP_PKEY_free(evp_key); 550 if(dofree) free(sigblock); 551 return sec_status_unchecked; 552 } 553 if(EVP_VerifyUpdate(&ctx, (unsigned char*)sldns_buffer_begin(buf), 554 (unsigned int)sldns_buffer_limit(buf)) == 0) { 555 verbose(VERB_QUERY, "verify: EVP_VerifyUpdate failed"); 556 EVP_PKEY_free(evp_key); 557 if(dofree) free(sigblock); 558 return sec_status_unchecked; 559 } 560 561 res = EVP_VerifyFinal(&ctx, sigblock, sigblock_len, evp_key); 562 if(EVP_MD_CTX_cleanup(&ctx) == 0) { 563 verbose(VERB_QUERY, "verify: EVP_MD_CTX_cleanup failed"); 564 EVP_PKEY_free(evp_key); 565 if(dofree) free(sigblock); 566 return sec_status_unchecked; 567 } 568 EVP_PKEY_free(evp_key); 569 570 if(dofree) 571 free(sigblock); 572 573 if(res == 1) { 574 return sec_status_secure; 575 } else if(res == 0) { 576 verbose(VERB_QUERY, "verify: signature mismatch"); 577 *reason = "signature crypto failed"; 578 return sec_status_bogus; 579 } 580 581 log_crypto_error("verify:", ERR_get_error()); 582 return sec_status_unchecked; 583 } 584 585 /**************************************************/ 586 #elif defined(HAVE_NSS) 587 /* libnss implementation */ 588 /* nss3 */ 589 #include "sechash.h" 590 #include "pk11pub.h" 591 #include "keyhi.h" 592 #include "secerr.h" 593 #include "cryptohi.h" 594 /* nspr4 */ 595 #include "prerror.h" 596 597 /* return size of digest if supported, or 0 otherwise */ 598 size_t 599 nsec3_hash_algo_size_supported(int id) 600 { 601 switch(id) { 602 case NSEC3_HASH_SHA1: 603 return SHA1_LENGTH; 604 default: 605 return 0; 606 } 607 } 608 609 /* perform nsec3 hash. return false on failure */ 610 int 611 secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len, 612 unsigned char* res) 613 { 614 switch(algo) { 615 case NSEC3_HASH_SHA1: 616 (void)HASH_HashBuf(HASH_AlgSHA1, res, buf, (unsigned long)len); 617 return 1; 618 default: 619 return 0; 620 } 621 } 622 623 size_t 624 ds_digest_size_supported(int algo) 625 { 626 /* uses libNSS */ 627 switch(algo) { 628 case LDNS_SHA1: 629 return SHA1_LENGTH; 630 #ifdef USE_SHA2 631 case LDNS_SHA256: 632 return SHA256_LENGTH; 633 #endif 634 #ifdef USE_ECDSA 635 case LDNS_SHA384: 636 return SHA384_LENGTH; 637 #endif 638 /* GOST not supported in NSS */ 639 case LDNS_HASH_GOST: 640 default: break; 641 } 642 return 0; 643 } 644 645 int 646 secalgo_ds_digest(int algo, unsigned char* buf, size_t len, 647 unsigned char* res) 648 { 649 /* uses libNSS */ 650 switch(algo) { 651 case LDNS_SHA1: 652 return HASH_HashBuf(HASH_AlgSHA1, res, buf, len) 653 == SECSuccess; 654 #if defined(USE_SHA2) 655 case LDNS_SHA256: 656 return HASH_HashBuf(HASH_AlgSHA256, res, buf, len) 657 == SECSuccess; 658 #endif 659 #ifdef USE_ECDSA 660 case LDNS_SHA384: 661 return HASH_HashBuf(HASH_AlgSHA384, res, buf, len) 662 == SECSuccess; 663 #endif 664 case LDNS_HASH_GOST: 665 default: 666 verbose(VERB_QUERY, "unknown DS digest algorithm %d", 667 algo); 668 break; 669 } 670 return 0; 671 } 672 673 int 674 dnskey_algo_id_is_supported(int id) 675 { 676 /* uses libNSS */ 677 switch(id) { 678 case LDNS_RSAMD5: 679 /* RFC 6725 deprecates RSAMD5 */ 680 return 0; 681 case LDNS_DSA: 682 case LDNS_DSA_NSEC3: 683 case LDNS_RSASHA1: 684 case LDNS_RSASHA1_NSEC3: 685 #ifdef USE_SHA2 686 case LDNS_RSASHA256: 687 #endif 688 #ifdef USE_SHA2 689 case LDNS_RSASHA512: 690 #endif 691 return 1; 692 #ifdef USE_ECDSA 693 case LDNS_ECDSAP256SHA256: 694 case LDNS_ECDSAP384SHA384: 695 return PK11_TokenExists(CKM_ECDSA); 696 #endif 697 case LDNS_ECC_GOST: 698 default: 699 return 0; 700 } 701 } 702 703 /* return a new public key for NSS */ 704 static SECKEYPublicKey* nss_key_create(KeyType ktype) 705 { 706 SECKEYPublicKey* key; 707 PLArenaPool* arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); 708 if(!arena) { 709 log_err("out of memory, PORT_NewArena failed"); 710 return NULL; 711 } 712 key = PORT_ArenaZNew(arena, SECKEYPublicKey); 713 if(!key) { 714 log_err("out of memory, PORT_ArenaZNew failed"); 715 PORT_FreeArena(arena, PR_FALSE); 716 return NULL; 717 } 718 key->arena = arena; 719 key->keyType = ktype; 720 key->pkcs11Slot = NULL; 721 key->pkcs11ID = CK_INVALID_HANDLE; 722 return key; 723 } 724 725 static SECKEYPublicKey* nss_buf2ecdsa(unsigned char* key, size_t len, int algo) 726 { 727 SECKEYPublicKey* pk; 728 SECItem pub = {siBuffer, NULL, 0}; 729 SECItem params = {siBuffer, NULL, 0}; 730 static unsigned char param256[] = { 731 /* OBJECTIDENTIFIER 1.2.840.10045.3.1.7 (P-256) 732 * {iso(1) member-body(2) us(840) ansi-x962(10045) curves(3) prime(1) prime256v1(7)} */ 733 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07 734 }; 735 static unsigned char param384[] = { 736 /* OBJECTIDENTIFIER 1.3.132.0.34 (P-384) 737 * {iso(1) identified-organization(3) certicom(132) curve(0) ansip384r1(34)} */ 738 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22 739 }; 740 unsigned char buf[256+2]; /* sufficient for 2*384/8+1 */ 741 742 /* check length, which uncompressed must be 2 bignums */ 743 if(algo == LDNS_ECDSAP256SHA256) { 744 if(len != 2*256/8) return NULL; 745 /* ECCurve_X9_62_PRIME_256V1 */ 746 } else if(algo == LDNS_ECDSAP384SHA384) { 747 if(len != 2*384/8) return NULL; 748 /* ECCurve_X9_62_PRIME_384R1 */ 749 } else return NULL; 750 751 buf[0] = 0x04; /* POINT_FORM_UNCOMPRESSED */ 752 memmove(buf+1, key, len); 753 pub.data = buf; 754 pub.len = len+1; 755 if(algo == LDNS_ECDSAP256SHA256) { 756 params.data = param256; 757 params.len = sizeof(param256); 758 } else { 759 params.data = param384; 760 params.len = sizeof(param384); 761 } 762 763 pk = nss_key_create(ecKey); 764 if(!pk) 765 return NULL; 766 pk->u.ec.size = (len/2)*8; 767 if(SECITEM_CopyItem(pk->arena, &pk->u.ec.publicValue, &pub)) { 768 SECKEY_DestroyPublicKey(pk); 769 return NULL; 770 } 771 if(SECITEM_CopyItem(pk->arena, &pk->u.ec.DEREncodedParams, ¶ms)) { 772 SECKEY_DestroyPublicKey(pk); 773 return NULL; 774 } 775 776 return pk; 777 } 778 779 static SECKEYPublicKey* nss_buf2dsa(unsigned char* key, size_t len) 780 { 781 SECKEYPublicKey* pk; 782 uint8_t T; 783 uint16_t length; 784 uint16_t offset; 785 SECItem Q = {siBuffer, NULL, 0}; 786 SECItem P = {siBuffer, NULL, 0}; 787 SECItem G = {siBuffer, NULL, 0}; 788 SECItem Y = {siBuffer, NULL, 0}; 789 790 if(len == 0) 791 return NULL; 792 T = (uint8_t)key[0]; 793 length = (64 + T * 8); 794 offset = 1; 795 796 if (T > 8) { 797 return NULL; 798 } 799 if(len < (size_t)1 + SHA1_LENGTH + 3*length) 800 return NULL; 801 802 Q.data = key+offset; 803 Q.len = SHA1_LENGTH; 804 offset += SHA1_LENGTH; 805 806 P.data = key+offset; 807 P.len = length; 808 offset += length; 809 810 G.data = key+offset; 811 G.len = length; 812 offset += length; 813 814 Y.data = key+offset; 815 Y.len = length; 816 offset += length; 817 818 pk = nss_key_create(dsaKey); 819 if(!pk) 820 return NULL; 821 if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.prime, &P)) { 822 SECKEY_DestroyPublicKey(pk); 823 return NULL; 824 } 825 if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.subPrime, &Q)) { 826 SECKEY_DestroyPublicKey(pk); 827 return NULL; 828 } 829 if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.base, &G)) { 830 SECKEY_DestroyPublicKey(pk); 831 return NULL; 832 } 833 if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.publicValue, &Y)) { 834 SECKEY_DestroyPublicKey(pk); 835 return NULL; 836 } 837 return pk; 838 } 839 840 static SECKEYPublicKey* nss_buf2rsa(unsigned char* key, size_t len) 841 { 842 SECKEYPublicKey* pk; 843 uint16_t exp; 844 uint16_t offset; 845 uint16_t int16; 846 SECItem modulus = {siBuffer, NULL, 0}; 847 SECItem exponent = {siBuffer, NULL, 0}; 848 if(len == 0) 849 return NULL; 850 if(key[0] == 0) { 851 if(len < 3) 852 return NULL; 853 /* the exponent is too large so it's places further */ 854 memmove(&int16, key+1, 2); 855 exp = ntohs(int16); 856 offset = 3; 857 } else { 858 exp = key[0]; 859 offset = 1; 860 } 861 862 /* key length at least one */ 863 if(len < (size_t)offset + exp + 1) 864 return NULL; 865 866 exponent.data = key+offset; 867 exponent.len = exp; 868 offset += exp; 869 modulus.data = key+offset; 870 modulus.len = (len - offset); 871 872 pk = nss_key_create(rsaKey); 873 if(!pk) 874 return NULL; 875 if(SECITEM_CopyItem(pk->arena, &pk->u.rsa.modulus, &modulus)) { 876 SECKEY_DestroyPublicKey(pk); 877 return NULL; 878 } 879 if(SECITEM_CopyItem(pk->arena, &pk->u.rsa.publicExponent, &exponent)) { 880 SECKEY_DestroyPublicKey(pk); 881 return NULL; 882 } 883 return pk; 884 } 885 886 /** 887 * Setup key and digest for verification. Adjust sig if necessary. 888 * 889 * @param algo: key algorithm 890 * @param evp_key: EVP PKEY public key to create. 891 * @param digest_type: digest type to use 892 * @param key: key to setup for. 893 * @param keylen: length of key. 894 * @param prefix: if returned, the ASN prefix for the hashblob. 895 * @param prefixlen: length of the prefix. 896 * @return false on failure. 897 */ 898 static int 899 nss_setup_key_digest(int algo, SECKEYPublicKey** pubkey, HASH_HashType* htype, 900 unsigned char* key, size_t keylen, unsigned char** prefix, 901 size_t* prefixlen) 902 { 903 /* uses libNSS */ 904 905 /* hash prefix for md5, RFC2537 */ 906 static unsigned char p_md5[] = {0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a, 907 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 0x04, 0x10}; 908 /* hash prefix to prepend to hash output, from RFC3110 */ 909 static unsigned char p_sha1[] = {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B, 910 0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14}; 911 /* from RFC5702 */ 912 static unsigned char p_sha256[] = {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 913 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20}; 914 static unsigned char p_sha512[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 915 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40}; 916 /* from RFC6234 */ 917 /* for future RSASHA384 .. 918 static unsigned char p_sha384[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 919 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30}; 920 */ 921 922 switch(algo) { 923 case LDNS_DSA: 924 case LDNS_DSA_NSEC3: 925 *pubkey = nss_buf2dsa(key, keylen); 926 if(!*pubkey) { 927 log_err("verify: malloc failure in crypto"); 928 return 0; 929 } 930 *htype = HASH_AlgSHA1; 931 /* no prefix for DSA verification */ 932 break; 933 case LDNS_RSASHA1: 934 case LDNS_RSASHA1_NSEC3: 935 #ifdef USE_SHA2 936 case LDNS_RSASHA256: 937 #endif 938 #ifdef USE_SHA2 939 case LDNS_RSASHA512: 940 #endif 941 *pubkey = nss_buf2rsa(key, keylen); 942 if(!*pubkey) { 943 log_err("verify: malloc failure in crypto"); 944 return 0; 945 } 946 /* select SHA version */ 947 #ifdef USE_SHA2 948 if(algo == LDNS_RSASHA256) { 949 *htype = HASH_AlgSHA256; 950 *prefix = p_sha256; 951 *prefixlen = sizeof(p_sha256); 952 } else 953 #endif 954 #ifdef USE_SHA2 955 if(algo == LDNS_RSASHA512) { 956 *htype = HASH_AlgSHA512; 957 *prefix = p_sha512; 958 *prefixlen = sizeof(p_sha512); 959 } else 960 #endif 961 { 962 *htype = HASH_AlgSHA1; 963 *prefix = p_sha1; 964 *prefixlen = sizeof(p_sha1); 965 } 966 967 break; 968 case LDNS_RSAMD5: 969 *pubkey = nss_buf2rsa(key, keylen); 970 if(!*pubkey) { 971 log_err("verify: malloc failure in crypto"); 972 return 0; 973 } 974 *htype = HASH_AlgMD5; 975 *prefix = p_md5; 976 *prefixlen = sizeof(p_md5); 977 978 break; 979 #ifdef USE_ECDSA 980 case LDNS_ECDSAP256SHA256: 981 *pubkey = nss_buf2ecdsa(key, keylen, 982 LDNS_ECDSAP256SHA256); 983 if(!*pubkey) { 984 log_err("verify: malloc failure in crypto"); 985 return 0; 986 } 987 *htype = HASH_AlgSHA256; 988 /* no prefix for DSA verification */ 989 break; 990 case LDNS_ECDSAP384SHA384: 991 *pubkey = nss_buf2ecdsa(key, keylen, 992 LDNS_ECDSAP384SHA384); 993 if(!*pubkey) { 994 log_err("verify: malloc failure in crypto"); 995 return 0; 996 } 997 *htype = HASH_AlgSHA384; 998 /* no prefix for DSA verification */ 999 break; 1000 #endif /* USE_ECDSA */ 1001 case LDNS_ECC_GOST: 1002 default: 1003 verbose(VERB_QUERY, "verify: unknown algorithm %d", 1004 algo); 1005 return 0; 1006 } 1007 return 1; 1008 } 1009 1010 /** 1011 * Check a canonical sig+rrset and signature against a dnskey 1012 * @param buf: buffer with data to verify, the first rrsig part and the 1013 * canonicalized rrset. 1014 * @param algo: DNSKEY algorithm. 1015 * @param sigblock: signature rdata field from RRSIG 1016 * @param sigblock_len: length of sigblock data. 1017 * @param key: public key data from DNSKEY RR. 1018 * @param keylen: length of keydata. 1019 * @param reason: bogus reason in more detail. 1020 * @return secure if verification succeeded, bogus on crypto failure, 1021 * unchecked on format errors and alloc failures. 1022 */ 1023 enum sec_status 1024 verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock, 1025 unsigned int sigblock_len, unsigned char* key, unsigned int keylen, 1026 char** reason) 1027 { 1028 /* uses libNSS */ 1029 /* large enough for the different hashes */ 1030 unsigned char hash[HASH_LENGTH_MAX]; 1031 unsigned char hash2[HASH_LENGTH_MAX*2]; 1032 HASH_HashType htype = 0; 1033 SECKEYPublicKey* pubkey = NULL; 1034 SECItem secsig = {siBuffer, sigblock, sigblock_len}; 1035 SECItem sechash = {siBuffer, hash, 0}; 1036 SECStatus res; 1037 unsigned char* prefix = NULL; /* prefix for hash, RFC3110, RFC5702 */ 1038 size_t prefixlen = 0; 1039 int err; 1040 1041 if(!nss_setup_key_digest(algo, &pubkey, &htype, key, keylen, 1042 &prefix, &prefixlen)) { 1043 verbose(VERB_QUERY, "verify: failed to setup key"); 1044 *reason = "use of key for crypto failed"; 1045 SECKEY_DestroyPublicKey(pubkey); 1046 return sec_status_bogus; 1047 } 1048 1049 /* need to convert DSA, ECDSA signatures? */ 1050 if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3)) { 1051 if(sigblock_len == 1+2*SHA1_LENGTH) { 1052 secsig.data ++; 1053 secsig.len --; 1054 } else { 1055 SECItem* p = DSAU_DecodeDerSig(&secsig); 1056 if(!p) { 1057 verbose(VERB_QUERY, "verify: failed DER decode"); 1058 *reason = "signature DER decode failed"; 1059 SECKEY_DestroyPublicKey(pubkey); 1060 return sec_status_bogus; 1061 } 1062 if(SECITEM_CopyItem(pubkey->arena, &secsig, p)) { 1063 log_err("alloc failure in DER decode"); 1064 SECKEY_DestroyPublicKey(pubkey); 1065 SECITEM_FreeItem(p, PR_TRUE); 1066 return sec_status_unchecked; 1067 } 1068 SECITEM_FreeItem(p, PR_TRUE); 1069 } 1070 } 1071 1072 /* do the signature cryptography work */ 1073 /* hash the data */ 1074 sechash.len = HASH_ResultLen(htype); 1075 if(sechash.len > sizeof(hash)) { 1076 verbose(VERB_QUERY, "verify: hash too large for buffer"); 1077 SECKEY_DestroyPublicKey(pubkey); 1078 return sec_status_unchecked; 1079 } 1080 if(HASH_HashBuf(htype, hash, (unsigned char*)sldns_buffer_begin(buf), 1081 (unsigned int)sldns_buffer_limit(buf)) != SECSuccess) { 1082 verbose(VERB_QUERY, "verify: HASH_HashBuf failed"); 1083 SECKEY_DestroyPublicKey(pubkey); 1084 return sec_status_unchecked; 1085 } 1086 if(prefix) { 1087 int hashlen = sechash.len; 1088 if(prefixlen+hashlen > sizeof(hash2)) { 1089 verbose(VERB_QUERY, "verify: hashprefix too large"); 1090 SECKEY_DestroyPublicKey(pubkey); 1091 return sec_status_unchecked; 1092 } 1093 sechash.data = hash2; 1094 sechash.len = prefixlen+hashlen; 1095 memcpy(sechash.data, prefix, prefixlen); 1096 memmove(sechash.data+prefixlen, hash, hashlen); 1097 } 1098 1099 /* verify the signature */ 1100 res = PK11_Verify(pubkey, &secsig, &sechash, NULL /*wincx*/); 1101 SECKEY_DestroyPublicKey(pubkey); 1102 1103 if(res == SECSuccess) { 1104 return sec_status_secure; 1105 } 1106 err = PORT_GetError(); 1107 if(err != SEC_ERROR_BAD_SIGNATURE) { 1108 /* failed to verify */ 1109 verbose(VERB_QUERY, "verify: PK11_Verify failed: %s", 1110 PORT_ErrorToString(err)); 1111 /* if it is not supported, like ECC is removed, we get, 1112 * SEC_ERROR_NO_MODULE */ 1113 if(err == SEC_ERROR_NO_MODULE) 1114 return sec_status_unchecked; 1115 /* but other errors are commonly returned 1116 * for a bad signature from NSS. Thus we return bogus, 1117 * not unchecked */ 1118 *reason = "signature crypto failed"; 1119 return sec_status_bogus; 1120 } 1121 verbose(VERB_QUERY, "verify: signature mismatch: %s", 1122 PORT_ErrorToString(err)); 1123 *reason = "signature crypto failed"; 1124 return sec_status_bogus; 1125 } 1126 1127 #elif defined(HAVE_NETTLE) 1128 1129 #include "sha.h" 1130 #include "bignum.h" 1131 #include "macros.h" 1132 #include "rsa.h" 1133 #include "dsa.h" 1134 #include "asn1.h" 1135 #ifdef USE_ECDSA 1136 #include "ecdsa.h" 1137 #include "ecc-curve.h" 1138 #endif 1139 1140 static int 1141 _digest_nettle(int algo, uint8_t* buf, size_t len, 1142 unsigned char* res) 1143 { 1144 switch(algo) { 1145 case SHA1_DIGEST_SIZE: 1146 { 1147 struct sha1_ctx ctx; 1148 sha1_init(&ctx); 1149 sha1_update(&ctx, len, buf); 1150 sha1_digest(&ctx, SHA1_DIGEST_SIZE, res); 1151 return 1; 1152 } 1153 case SHA256_DIGEST_SIZE: 1154 { 1155 struct sha256_ctx ctx; 1156 sha256_init(&ctx); 1157 sha256_update(&ctx, len, buf); 1158 sha256_digest(&ctx, SHA256_DIGEST_SIZE, res); 1159 return 1; 1160 } 1161 case SHA384_DIGEST_SIZE: 1162 { 1163 struct sha384_ctx ctx; 1164 sha384_init(&ctx); 1165 sha384_update(&ctx, len, buf); 1166 sha384_digest(&ctx, SHA384_DIGEST_SIZE, res); 1167 return 1; 1168 } 1169 case SHA512_DIGEST_SIZE: 1170 { 1171 struct sha512_ctx ctx; 1172 sha512_init(&ctx); 1173 sha512_update(&ctx, len, buf); 1174 sha512_digest(&ctx, SHA512_DIGEST_SIZE, res); 1175 return 1; 1176 } 1177 default: 1178 break; 1179 } 1180 return 0; 1181 } 1182 1183 /* return size of digest if supported, or 0 otherwise */ 1184 size_t 1185 nsec3_hash_algo_size_supported(int id) 1186 { 1187 switch(id) { 1188 case NSEC3_HASH_SHA1: 1189 return SHA1_DIGEST_SIZE; 1190 default: 1191 return 0; 1192 } 1193 } 1194 1195 /* perform nsec3 hash. return false on failure */ 1196 int 1197 secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len, 1198 unsigned char* res) 1199 { 1200 switch(algo) { 1201 case NSEC3_HASH_SHA1: 1202 return _digest_nettle(SHA1_DIGEST_SIZE, (uint8_t*)buf, len, 1203 res); 1204 default: 1205 return 0; 1206 } 1207 } 1208 1209 /** 1210 * Return size of DS digest according to its hash algorithm. 1211 * @param algo: DS digest algo. 1212 * @return size in bytes of digest, or 0 if not supported. 1213 */ 1214 size_t 1215 ds_digest_size_supported(int algo) 1216 { 1217 switch(algo) { 1218 case LDNS_SHA1: 1219 return SHA1_DIGEST_SIZE; 1220 #ifdef USE_SHA2 1221 case LDNS_SHA256: 1222 return SHA256_DIGEST_SIZE; 1223 #endif 1224 #ifdef USE_ECDSA 1225 case LDNS_SHA384: 1226 return SHA384_DIGEST_SIZE; 1227 #endif 1228 /* GOST not supported */ 1229 case LDNS_HASH_GOST: 1230 default: 1231 break; 1232 } 1233 return 0; 1234 } 1235 1236 int 1237 secalgo_ds_digest(int algo, unsigned char* buf, size_t len, 1238 unsigned char* res) 1239 { 1240 switch(algo) { 1241 case LDNS_SHA1: 1242 return _digest_nettle(SHA1_DIGEST_SIZE, buf, len, res); 1243 #if defined(USE_SHA2) 1244 case LDNS_SHA256: 1245 return _digest_nettle(SHA256_DIGEST_SIZE, buf, len, res); 1246 #endif 1247 #ifdef USE_ECDSA 1248 case LDNS_SHA384: 1249 return _digest_nettle(SHA384_DIGEST_SIZE, buf, len, res); 1250 1251 #endif 1252 case LDNS_HASH_GOST: 1253 default: 1254 verbose(VERB_QUERY, "unknown DS digest algorithm %d", 1255 algo); 1256 break; 1257 } 1258 return 0; 1259 } 1260 1261 int 1262 dnskey_algo_id_is_supported(int id) 1263 { 1264 /* uses libnettle */ 1265 switch(id) { 1266 case LDNS_DSA: 1267 case LDNS_DSA_NSEC3: 1268 case LDNS_RSASHA1: 1269 case LDNS_RSASHA1_NSEC3: 1270 #ifdef USE_SHA2 1271 case LDNS_RSASHA256: 1272 case LDNS_RSASHA512: 1273 #endif 1274 #ifdef USE_ECDSA 1275 case LDNS_ECDSAP256SHA256: 1276 case LDNS_ECDSAP384SHA384: 1277 #endif 1278 return 1; 1279 case LDNS_RSAMD5: /* RFC 6725 deprecates RSAMD5 */ 1280 case LDNS_ECC_GOST: 1281 default: 1282 return 0; 1283 } 1284 } 1285 1286 static char * 1287 _verify_nettle_dsa(sldns_buffer* buf, unsigned char* sigblock, 1288 unsigned int sigblock_len, unsigned char* key, unsigned int keylen) 1289 { 1290 uint8_t digest[SHA1_DIGEST_SIZE]; 1291 uint8_t key_t; 1292 int res = 0; 1293 size_t offset; 1294 struct dsa_public_key pubkey; 1295 struct dsa_signature signature; 1296 unsigned int expected_len; 1297 1298 /* Extract DSA signature from the record */ 1299 nettle_dsa_signature_init(&signature); 1300 /* Signature length: 41 bytes - RFC 2536 sec. 3 */ 1301 if(sigblock_len == 41) { 1302 if(key[0] != sigblock[0]) 1303 return "invalid T value in DSA signature or pubkey"; 1304 nettle_mpz_set_str_256_u(signature.r, 20, sigblock+1); 1305 nettle_mpz_set_str_256_u(signature.s, 20, sigblock+1+20); 1306 } else { 1307 /* DER encoded, decode the ASN1 notated R and S bignums */ 1308 /* SEQUENCE { r INTEGER, s INTEGER } */ 1309 struct asn1_der_iterator i, seq; 1310 if(asn1_der_iterator_first(&i, sigblock_len, 1311 (uint8_t*)sigblock) != ASN1_ITERATOR_CONSTRUCTED 1312 || i.type != ASN1_SEQUENCE) 1313 return "malformed DER encoded DSA signature"; 1314 /* decode this element of i using the seq iterator */ 1315 if(asn1_der_decode_constructed(&i, &seq) != 1316 ASN1_ITERATOR_PRIMITIVE || seq.type != ASN1_INTEGER) 1317 return "malformed DER encoded DSA signature"; 1318 if(!asn1_der_get_bignum(&seq, signature.r, 20*8)) 1319 return "malformed DER encoded DSA signature"; 1320 if(asn1_der_iterator_next(&seq) != ASN1_ITERATOR_PRIMITIVE 1321 || seq.type != ASN1_INTEGER) 1322 return "malformed DER encoded DSA signature"; 1323 if(!asn1_der_get_bignum(&seq, signature.s, 20*8)) 1324 return "malformed DER encoded DSA signature"; 1325 if(asn1_der_iterator_next(&i) != ASN1_ITERATOR_END) 1326 return "malformed DER encoded DSA signature"; 1327 } 1328 1329 /* Validate T values constraints - RFC 2536 sec. 2 & sec. 3 */ 1330 key_t = key[0]; 1331 if (key_t > 8) { 1332 return "invalid T value in DSA pubkey"; 1333 } 1334 1335 /* Pubkey minimum length: 21 bytes - RFC 2536 sec. 2 */ 1336 if (keylen < 21) { 1337 return "DSA pubkey too short"; 1338 } 1339 1340 expected_len = 1 + /* T */ 1341 20 + /* Q */ 1342 (64 + key_t*8) + /* P */ 1343 (64 + key_t*8) + /* G */ 1344 (64 + key_t*8); /* Y */ 1345 if (keylen != expected_len ) { 1346 return "invalid DSA pubkey length"; 1347 } 1348 1349 /* Extract DSA pubkey from the record */ 1350 nettle_dsa_public_key_init(&pubkey); 1351 offset = 1; 1352 nettle_mpz_set_str_256_u(pubkey.q, 20, key+offset); 1353 offset += 20; 1354 nettle_mpz_set_str_256_u(pubkey.p, (64 + key_t*8), key+offset); 1355 offset += (64 + key_t*8); 1356 nettle_mpz_set_str_256_u(pubkey.g, (64 + key_t*8), key+offset); 1357 offset += (64 + key_t*8); 1358 nettle_mpz_set_str_256_u(pubkey.y, (64 + key_t*8), key+offset); 1359 1360 /* Digest content of "buf" and verify its DSA signature in "sigblock"*/ 1361 res = _digest_nettle(SHA1_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), 1362 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); 1363 res &= dsa_sha1_verify_digest(&pubkey, digest, &signature); 1364 1365 /* Clear and return */ 1366 nettle_dsa_signature_clear(&signature); 1367 nettle_dsa_public_key_clear(&pubkey); 1368 if (!res) 1369 return "DSA signature verification failed"; 1370 else 1371 return NULL; 1372 } 1373 1374 static char * 1375 _verify_nettle_rsa(sldns_buffer* buf, unsigned int digest_size, char* sigblock, 1376 unsigned int sigblock_len, uint8_t* key, unsigned int keylen) 1377 { 1378 uint16_t exp_len = 0; 1379 size_t exp_offset = 0, mod_offset = 0; 1380 struct rsa_public_key pubkey; 1381 mpz_t signature; 1382 int res = 0; 1383 1384 /* RSA pubkey parsing as per RFC 3110 sec. 2 */ 1385 if( keylen <= 1) { 1386 return "null RSA key"; 1387 } 1388 if (key[0] != 0) { 1389 /* 1-byte length */ 1390 exp_len = key[0]; 1391 exp_offset = 1; 1392 } else { 1393 /* 1-byte NUL + 2-bytes exponent length */ 1394 if (keylen < 3) { 1395 return "incorrect RSA key length"; 1396 } 1397 exp_len = READ_UINT16(key+1); 1398 if (exp_len == 0) 1399 return "null RSA exponent length"; 1400 exp_offset = 3; 1401 } 1402 /* Check that we are not over-running input length */ 1403 if (keylen < exp_offset + exp_len + 1) { 1404 return "RSA key content shorter than expected"; 1405 } 1406 mod_offset = exp_offset + exp_len; 1407 nettle_rsa_public_key_init(&pubkey); 1408 pubkey.size = keylen - mod_offset; 1409 nettle_mpz_set_str_256_u(pubkey.e, exp_len, &key[exp_offset]); 1410 nettle_mpz_set_str_256_u(pubkey.n, pubkey.size, &key[mod_offset]); 1411 1412 /* Digest content of "buf" and verify its RSA signature in "sigblock"*/ 1413 nettle_mpz_init_set_str_256_u(signature, sigblock_len, (uint8_t*)sigblock); 1414 switch (digest_size) { 1415 case SHA1_DIGEST_SIZE: 1416 { 1417 uint8_t digest[SHA1_DIGEST_SIZE]; 1418 res = _digest_nettle(SHA1_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), 1419 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); 1420 res &= rsa_sha1_verify_digest(&pubkey, digest, signature); 1421 break; 1422 } 1423 case SHA256_DIGEST_SIZE: 1424 { 1425 uint8_t digest[SHA256_DIGEST_SIZE]; 1426 res = _digest_nettle(SHA256_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), 1427 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); 1428 res &= rsa_sha256_verify_digest(&pubkey, digest, signature); 1429 break; 1430 } 1431 case SHA512_DIGEST_SIZE: 1432 { 1433 uint8_t digest[SHA512_DIGEST_SIZE]; 1434 res = _digest_nettle(SHA512_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), 1435 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); 1436 res &= rsa_sha512_verify_digest(&pubkey, digest, signature); 1437 break; 1438 } 1439 default: 1440 break; 1441 } 1442 1443 /* Clear and return */ 1444 nettle_rsa_public_key_clear(&pubkey); 1445 mpz_clear(signature); 1446 if (!res) { 1447 return "RSA signature verification failed"; 1448 } else { 1449 return NULL; 1450 } 1451 } 1452 1453 #ifdef USE_ECDSA 1454 static char * 1455 _verify_nettle_ecdsa(sldns_buffer* buf, unsigned int digest_size, unsigned char* sigblock, 1456 unsigned int sigblock_len, unsigned char* key, unsigned int keylen) 1457 { 1458 int res = 0; 1459 struct ecc_point pubkey; 1460 struct dsa_signature signature; 1461 1462 /* Always matched strength, as per RFC 6605 sec. 1 */ 1463 if (sigblock_len != 2*digest_size || keylen != 2*digest_size) { 1464 return "wrong ECDSA signature length"; 1465 } 1466 1467 /* Parse ECDSA signature as per RFC 6605 sec. 4 */ 1468 nettle_dsa_signature_init(&signature); 1469 switch (digest_size) { 1470 case SHA256_DIGEST_SIZE: 1471 { 1472 uint8_t digest[SHA256_DIGEST_SIZE]; 1473 mpz_t x, y; 1474 nettle_ecc_point_init(&pubkey, &nettle_secp_256r1); 1475 nettle_mpz_init_set_str_256_u(x, SHA256_DIGEST_SIZE, key); 1476 nettle_mpz_init_set_str_256_u(y, SHA256_DIGEST_SIZE, key+SHA256_DIGEST_SIZE); 1477 nettle_mpz_set_str_256_u(signature.r, SHA256_DIGEST_SIZE, sigblock); 1478 nettle_mpz_set_str_256_u(signature.s, SHA256_DIGEST_SIZE, sigblock+SHA256_DIGEST_SIZE); 1479 res = _digest_nettle(SHA256_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), 1480 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); 1481 res &= nettle_ecc_point_set(&pubkey, x, y); 1482 res &= nettle_ecdsa_verify (&pubkey, SHA256_DIGEST_SIZE, digest, &signature); 1483 mpz_clear(x); 1484 mpz_clear(y); 1485 break; 1486 } 1487 case SHA384_DIGEST_SIZE: 1488 { 1489 uint8_t digest[SHA384_DIGEST_SIZE]; 1490 mpz_t x, y; 1491 nettle_ecc_point_init(&pubkey, &nettle_secp_384r1); 1492 nettle_mpz_init_set_str_256_u(x, SHA384_DIGEST_SIZE, key); 1493 nettle_mpz_init_set_str_256_u(y, SHA384_DIGEST_SIZE, key+SHA384_DIGEST_SIZE); 1494 nettle_mpz_set_str_256_u(signature.r, SHA384_DIGEST_SIZE, sigblock); 1495 nettle_mpz_set_str_256_u(signature.s, SHA384_DIGEST_SIZE, sigblock+SHA384_DIGEST_SIZE); 1496 res = _digest_nettle(SHA384_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), 1497 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); 1498 res &= nettle_ecc_point_set(&pubkey, x, y); 1499 res &= nettle_ecdsa_verify (&pubkey, SHA384_DIGEST_SIZE, digest, &signature); 1500 mpz_clear(x); 1501 mpz_clear(y); 1502 nettle_ecc_point_clear(&pubkey); 1503 break; 1504 } 1505 default: 1506 return "unknown ECDSA algorithm"; 1507 } 1508 1509 /* Clear and return */ 1510 nettle_dsa_signature_clear(&signature); 1511 if (!res) 1512 return "ECDSA signature verification failed"; 1513 else 1514 return NULL; 1515 } 1516 #endif 1517 1518 /** 1519 * Check a canonical sig+rrset and signature against a dnskey 1520 * @param buf: buffer with data to verify, the first rrsig part and the 1521 * canonicalized rrset. 1522 * @param algo: DNSKEY algorithm. 1523 * @param sigblock: signature rdata field from RRSIG 1524 * @param sigblock_len: length of sigblock data. 1525 * @param key: public key data from DNSKEY RR. 1526 * @param keylen: length of keydata. 1527 * @param reason: bogus reason in more detail. 1528 * @return secure if verification succeeded, bogus on crypto failure, 1529 * unchecked on format errors and alloc failures. 1530 */ 1531 enum sec_status 1532 verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock, 1533 unsigned int sigblock_len, unsigned char* key, unsigned int keylen, 1534 char** reason) 1535 { 1536 unsigned int digest_size = 0; 1537 1538 if (sigblock_len == 0 || keylen == 0) { 1539 *reason = "null signature"; 1540 return sec_status_bogus; 1541 } 1542 1543 switch(algo) { 1544 case LDNS_DSA: 1545 case LDNS_DSA_NSEC3: 1546 *reason = _verify_nettle_dsa(buf, sigblock, sigblock_len, key, keylen); 1547 if (*reason != NULL) 1548 return sec_status_bogus; 1549 else 1550 return sec_status_secure; 1551 1552 case LDNS_RSASHA1: 1553 case LDNS_RSASHA1_NSEC3: 1554 digest_size = (digest_size ? digest_size : SHA1_DIGEST_SIZE); 1555 #ifdef USE_SHA2 1556 case LDNS_RSASHA256: 1557 digest_size = (digest_size ? digest_size : SHA256_DIGEST_SIZE); 1558 case LDNS_RSASHA512: 1559 digest_size = (digest_size ? digest_size : SHA512_DIGEST_SIZE); 1560 1561 #endif 1562 *reason = _verify_nettle_rsa(buf, digest_size, (char*)sigblock, 1563 sigblock_len, key, keylen); 1564 if (*reason != NULL) 1565 return sec_status_bogus; 1566 else 1567 return sec_status_secure; 1568 1569 #ifdef USE_ECDSA 1570 case LDNS_ECDSAP256SHA256: 1571 digest_size = (digest_size ? digest_size : SHA256_DIGEST_SIZE); 1572 case LDNS_ECDSAP384SHA384: 1573 digest_size = (digest_size ? digest_size : SHA384_DIGEST_SIZE); 1574 *reason = _verify_nettle_ecdsa(buf, digest_size, sigblock, 1575 sigblock_len, key, keylen); 1576 if (*reason != NULL) 1577 return sec_status_bogus; 1578 else 1579 return sec_status_secure; 1580 #endif 1581 case LDNS_RSAMD5: 1582 case LDNS_ECC_GOST: 1583 default: 1584 *reason = "unable to verify signature, unknown algorithm"; 1585 return sec_status_bogus; 1586 } 1587 } 1588 1589 #endif /* HAVE_SSL or HAVE_NSS or HAVE_NETTLE */ 1590