1 /* 2 * validator/val_secalgo.c - validator security algorithm functions. 3 * 4 * Copyright (c) 2012, NLnet Labs. All rights reserved. 5 * 6 * This software is open source. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * Redistributions of source code must retain the above copyright notice, 13 * this list of conditions and the following disclaimer. 14 * 15 * Redistributions in binary form must reproduce the above copyright notice, 16 * this list of conditions and the following disclaimer in the documentation 17 * and/or other materials provided with the distribution. 18 * 19 * Neither the name of the NLNET LABS nor the names of its contributors may 20 * be used to endorse or promote products derived from this software without 21 * specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36 /** 37 * \file 38 * 39 * This file contains helper functions for the validator module. 40 * These functions take raw data buffers, formatted for crypto verification, 41 * and do the library calls (for the crypto library in use). 42 */ 43 #include "config.h" 44 /* packed_rrset on top to define enum types (forced by c99 standard) */ 45 #include "util/data/packed_rrset.h" 46 #include "validator/val_secalgo.h" 47 #include "validator/val_nsec3.h" 48 #include "util/log.h" 49 #include "sldns/rrdef.h" 50 #include "sldns/keyraw.h" 51 #include "sldns/sbuffer.h" 52 53 #if !defined(HAVE_SSL) && !defined(HAVE_NSS) && !defined(HAVE_NETTLE) 54 #error "Need crypto library to do digital signature cryptography" 55 #endif 56 57 /* OpenSSL implementation */ 58 #ifdef HAVE_SSL 59 #ifdef HAVE_OPENSSL_ERR_H 60 #include <openssl/err.h> 61 #endif 62 63 #ifdef HAVE_OPENSSL_RAND_H 64 #include <openssl/rand.h> 65 #endif 66 67 #ifdef HAVE_OPENSSL_CONF_H 68 #include <openssl/conf.h> 69 #endif 70 71 #ifdef HAVE_OPENSSL_ENGINE_H 72 #include <openssl/engine.h> 73 #endif 74 75 /** fake DSA support for unit tests */ 76 int fake_dsa = 0; 77 /** fake SHA1 support for unit tests */ 78 int fake_sha1 = 0; 79 80 /* return size of digest if supported, or 0 otherwise */ 81 size_t 82 nsec3_hash_algo_size_supported(int id) 83 { 84 switch(id) { 85 case NSEC3_HASH_SHA1: 86 return SHA_DIGEST_LENGTH; 87 default: 88 return 0; 89 } 90 } 91 92 /* perform nsec3 hash. return false on failure */ 93 int 94 secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len, 95 unsigned char* res) 96 { 97 switch(algo) { 98 case NSEC3_HASH_SHA1: 99 (void)SHA1(buf, len, res); 100 return 1; 101 default: 102 return 0; 103 } 104 } 105 106 void 107 secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res) 108 { 109 (void)SHA256(buf, len, res); 110 } 111 112 /** 113 * Return size of DS digest according to its hash algorithm. 114 * @param algo: DS digest algo. 115 * @return size in bytes of digest, or 0 if not supported. 116 */ 117 size_t 118 ds_digest_size_supported(int algo) 119 { 120 switch(algo) { 121 case LDNS_SHA1: 122 #if defined(HAVE_EVP_SHA1) && defined(USE_SHA1) 123 return SHA_DIGEST_LENGTH; 124 #else 125 if(fake_sha1) return 20; 126 return 0; 127 #endif 128 #ifdef HAVE_EVP_SHA256 129 case LDNS_SHA256: 130 return SHA256_DIGEST_LENGTH; 131 #endif 132 #ifdef USE_GOST 133 case LDNS_HASH_GOST: 134 /* we support GOST if it can be loaded */ 135 (void)sldns_key_EVP_load_gost_id(); 136 if(EVP_get_digestbyname("md_gost94")) 137 return 32; 138 else return 0; 139 #endif 140 #ifdef USE_ECDSA 141 case LDNS_SHA384: 142 return SHA384_DIGEST_LENGTH; 143 #endif 144 default: break; 145 } 146 return 0; 147 } 148 149 #ifdef USE_GOST 150 /** Perform GOST hash */ 151 static int 152 do_gost94(unsigned char* data, size_t len, unsigned char* dest) 153 { 154 const EVP_MD* md = EVP_get_digestbyname("md_gost94"); 155 if(!md) 156 return 0; 157 return sldns_digest_evp(data, (unsigned int)len, dest, md); 158 } 159 #endif 160 161 int 162 secalgo_ds_digest(int algo, unsigned char* buf, size_t len, 163 unsigned char* res) 164 { 165 switch(algo) { 166 #if defined(HAVE_EVP_SHA1) && defined(USE_SHA1) 167 case LDNS_SHA1: 168 (void)SHA1(buf, len, res); 169 return 1; 170 #endif 171 #ifdef HAVE_EVP_SHA256 172 case LDNS_SHA256: 173 (void)SHA256(buf, len, res); 174 return 1; 175 #endif 176 #ifdef USE_GOST 177 case LDNS_HASH_GOST: 178 if(do_gost94(buf, len, res)) 179 return 1; 180 break; 181 #endif 182 #ifdef USE_ECDSA 183 case LDNS_SHA384: 184 (void)SHA384(buf, len, res); 185 return 1; 186 #endif 187 default: 188 verbose(VERB_QUERY, "unknown DS digest algorithm %d", 189 algo); 190 break; 191 } 192 return 0; 193 } 194 195 /** return true if DNSKEY algorithm id is supported */ 196 int 197 dnskey_algo_id_is_supported(int id) 198 { 199 switch(id) { 200 case LDNS_RSAMD5: 201 /* RFC 6725 deprecates RSAMD5 */ 202 return 0; 203 case LDNS_DSA: 204 case LDNS_DSA_NSEC3: 205 #if defined(USE_DSA) && defined(USE_SHA1) 206 return 1; 207 #else 208 if(fake_dsa || fake_sha1) return 1; 209 return 0; 210 #endif 211 212 case LDNS_RSASHA1: 213 case LDNS_RSASHA1_NSEC3: 214 #ifdef USE_SHA1 215 return 1; 216 #else 217 if(fake_sha1) return 1; 218 return 0; 219 #endif 220 221 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2) 222 case LDNS_RSASHA256: 223 #endif 224 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2) 225 case LDNS_RSASHA512: 226 #endif 227 #ifdef USE_ECDSA 228 case LDNS_ECDSAP256SHA256: 229 case LDNS_ECDSAP384SHA384: 230 #endif 231 #ifdef USE_ED25519 232 case LDNS_ED25519: 233 #endif 234 #if (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2)) || defined(USE_ECDSA) 235 return 1; 236 #endif 237 238 #ifdef USE_GOST 239 case LDNS_ECC_GOST: 240 /* we support GOST if it can be loaded */ 241 return sldns_key_EVP_load_gost_id(); 242 #endif 243 default: 244 return 0; 245 } 246 } 247 248 /** 249 * Output a libcrypto openssl error to the logfile. 250 * @param str: string to add to it. 251 * @param e: the error to output, error number from ERR_get_error(). 252 */ 253 static void 254 log_crypto_error(const char* str, unsigned long e) 255 { 256 char buf[128]; 257 /* or use ERR_error_string if ERR_error_string_n is not avail TODO */ 258 ERR_error_string_n(e, buf, sizeof(buf)); 259 /* buf now contains */ 260 /* error:[error code]:[library name]:[function name]:[reason string] */ 261 log_err("%s crypto %s", str, buf); 262 } 263 264 #ifdef USE_DSA 265 /** 266 * Setup DSA key digest in DER encoding ... 267 * @param sig: input is signature output alloced ptr (unless failure). 268 * caller must free alloced ptr if this routine returns true. 269 * @param len: input is initial siglen, output is output len. 270 * @return false on failure. 271 */ 272 static int 273 setup_dsa_sig(unsigned char** sig, unsigned int* len) 274 { 275 unsigned char* orig = *sig; 276 unsigned int origlen = *len; 277 int newlen; 278 BIGNUM *R, *S; 279 DSA_SIG *dsasig; 280 281 /* extract the R and S field from the sig buffer */ 282 if(origlen < 1 + 2*SHA_DIGEST_LENGTH) 283 return 0; 284 R = BN_new(); 285 if(!R) return 0; 286 (void) BN_bin2bn(orig + 1, SHA_DIGEST_LENGTH, R); 287 S = BN_new(); 288 if(!S) return 0; 289 (void) BN_bin2bn(orig + 21, SHA_DIGEST_LENGTH, S); 290 dsasig = DSA_SIG_new(); 291 if(!dsasig) return 0; 292 293 #ifdef HAVE_DSA_SIG_SET0 294 if(!DSA_SIG_set0(dsasig, R, S)) return 0; 295 #else 296 dsasig->r = R; 297 dsasig->s = S; 298 #endif 299 *sig = NULL; 300 newlen = i2d_DSA_SIG(dsasig, sig); 301 if(newlen < 0) { 302 DSA_SIG_free(dsasig); 303 free(*sig); 304 return 0; 305 } 306 *len = (unsigned int)newlen; 307 DSA_SIG_free(dsasig); 308 return 1; 309 } 310 #endif /* USE_DSA */ 311 312 #ifdef USE_ECDSA 313 /** 314 * Setup the ECDSA signature in its encoding that the library wants. 315 * Converts from plain numbers to ASN formatted. 316 * @param sig: input is signature, output alloced ptr (unless failure). 317 * caller must free alloced ptr if this routine returns true. 318 * @param len: input is initial siglen, output is output len. 319 * @return false on failure. 320 */ 321 static int 322 setup_ecdsa_sig(unsigned char** sig, unsigned int* len) 323 { 324 /* convert from two BIGNUMs in the rdata buffer, to ASN notation. 325 * ASN preable: 30440220 <R 32bytefor256> 0220 <S 32bytefor256> 326 * the '20' is the length of that field (=bnsize). 327 i * the '44' is the total remaining length. 328 * if negative, start with leading zero. 329 * if starts with 00s, remove them from the number. 330 */ 331 uint8_t pre[] = {0x30, 0x44, 0x02, 0x20}; 332 int pre_len = 4; 333 uint8_t mid[] = {0x02, 0x20}; 334 int mid_len = 2; 335 int raw_sig_len, r_high, s_high, r_rem=0, s_rem=0; 336 int bnsize = (int)((*len)/2); 337 unsigned char* d = *sig; 338 uint8_t* p; 339 /* if too short or not even length, fails */ 340 if(*len < 16 || bnsize*2 != (int)*len) 341 return 0; 342 343 /* strip leading zeroes from r (but not last one) */ 344 while(r_rem < bnsize-1 && d[r_rem] == 0) 345 r_rem++; 346 /* strip leading zeroes from s (but not last one) */ 347 while(s_rem < bnsize-1 && d[bnsize+s_rem] == 0) 348 s_rem++; 349 350 r_high = ((d[0+r_rem]&0x80)?1:0); 351 s_high = ((d[bnsize+s_rem]&0x80)?1:0); 352 raw_sig_len = pre_len + r_high + bnsize - r_rem + mid_len + 353 s_high + bnsize - s_rem; 354 *sig = (unsigned char*)malloc((size_t)raw_sig_len); 355 if(!*sig) 356 return 0; 357 p = (uint8_t*)*sig; 358 p[0] = pre[0]; 359 p[1] = (uint8_t)(raw_sig_len-2); 360 p[2] = pre[2]; 361 p[3] = (uint8_t)(bnsize + r_high - r_rem); 362 p += 4; 363 if(r_high) { 364 *p = 0; 365 p += 1; 366 } 367 memmove(p, d+r_rem, (size_t)bnsize-r_rem); 368 p += bnsize-r_rem; 369 memmove(p, mid, (size_t)mid_len-1); 370 p += mid_len-1; 371 *p = (uint8_t)(bnsize + s_high - s_rem); 372 p += 1; 373 if(s_high) { 374 *p = 0; 375 p += 1; 376 } 377 memmove(p, d+bnsize+s_rem, (size_t)bnsize-s_rem); 378 *len = (unsigned int)raw_sig_len; 379 return 1; 380 } 381 #endif /* USE_ECDSA */ 382 383 #ifdef USE_ECDSA_EVP_WORKAROUND 384 static EVP_MD ecdsa_evp_256_md; 385 static EVP_MD ecdsa_evp_384_md; 386 void ecdsa_evp_workaround_init(void) 387 { 388 /* openssl before 1.0.0 fixes RSA with the SHA256 389 * hash in EVP. We create one for ecdsa_sha256 */ 390 ecdsa_evp_256_md = *EVP_sha256(); 391 ecdsa_evp_256_md.required_pkey_type[0] = EVP_PKEY_EC; 392 ecdsa_evp_256_md.verify = (void*)ECDSA_verify; 393 394 ecdsa_evp_384_md = *EVP_sha384(); 395 ecdsa_evp_384_md.required_pkey_type[0] = EVP_PKEY_EC; 396 ecdsa_evp_384_md.verify = (void*)ECDSA_verify; 397 } 398 #endif /* USE_ECDSA_EVP_WORKAROUND */ 399 400 /** 401 * Setup key and digest for verification. Adjust sig if necessary. 402 * 403 * @param algo: key algorithm 404 * @param evp_key: EVP PKEY public key to create. 405 * @param digest_type: digest type to use 406 * @param key: key to setup for. 407 * @param keylen: length of key. 408 * @return false on failure. 409 */ 410 static int 411 setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type, 412 unsigned char* key, size_t keylen) 413 { 414 #if defined(USE_DSA) && defined(USE_SHA1) 415 DSA* dsa; 416 #endif 417 RSA* rsa; 418 419 switch(algo) { 420 #if defined(USE_DSA) && defined(USE_SHA1) 421 case LDNS_DSA: 422 case LDNS_DSA_NSEC3: 423 *evp_key = EVP_PKEY_new(); 424 if(!*evp_key) { 425 log_err("verify: malloc failure in crypto"); 426 return 0; 427 } 428 dsa = sldns_key_buf2dsa_raw(key, keylen); 429 if(!dsa) { 430 verbose(VERB_QUERY, "verify: " 431 "sldns_key_buf2dsa_raw failed"); 432 return 0; 433 } 434 if(EVP_PKEY_assign_DSA(*evp_key, dsa) == 0) { 435 verbose(VERB_QUERY, "verify: " 436 "EVP_PKEY_assign_DSA failed"); 437 return 0; 438 } 439 #ifdef HAVE_EVP_DSS1 440 *digest_type = EVP_dss1(); 441 #else 442 *digest_type = EVP_sha1(); 443 #endif 444 445 break; 446 #endif /* USE_DSA && USE_SHA1 */ 447 448 #if defined(USE_SHA1) || (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2)) 449 #ifdef USE_SHA1 450 case LDNS_RSASHA1: 451 case LDNS_RSASHA1_NSEC3: 452 #endif 453 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2) 454 case LDNS_RSASHA256: 455 #endif 456 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2) 457 case LDNS_RSASHA512: 458 #endif 459 *evp_key = EVP_PKEY_new(); 460 if(!*evp_key) { 461 log_err("verify: malloc failure in crypto"); 462 return 0; 463 } 464 rsa = sldns_key_buf2rsa_raw(key, keylen); 465 if(!rsa) { 466 verbose(VERB_QUERY, "verify: " 467 "sldns_key_buf2rsa_raw SHA failed"); 468 return 0; 469 } 470 if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) { 471 verbose(VERB_QUERY, "verify: " 472 "EVP_PKEY_assign_RSA SHA failed"); 473 return 0; 474 } 475 476 /* select SHA version */ 477 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2) 478 if(algo == LDNS_RSASHA256) 479 *digest_type = EVP_sha256(); 480 else 481 #endif 482 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2) 483 if(algo == LDNS_RSASHA512) 484 *digest_type = EVP_sha512(); 485 else 486 #endif 487 #ifdef USE_SHA1 488 *digest_type = EVP_sha1(); 489 #else 490 { verbose(VERB_QUERY, "no digest available"); return 0; } 491 #endif 492 break; 493 #endif /* defined(USE_SHA1) || (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2)) */ 494 495 case LDNS_RSAMD5: 496 *evp_key = EVP_PKEY_new(); 497 if(!*evp_key) { 498 log_err("verify: malloc failure in crypto"); 499 return 0; 500 } 501 rsa = sldns_key_buf2rsa_raw(key, keylen); 502 if(!rsa) { 503 verbose(VERB_QUERY, "verify: " 504 "sldns_key_buf2rsa_raw MD5 failed"); 505 return 0; 506 } 507 if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) { 508 verbose(VERB_QUERY, "verify: " 509 "EVP_PKEY_assign_RSA MD5 failed"); 510 return 0; 511 } 512 *digest_type = EVP_md5(); 513 514 break; 515 #ifdef USE_GOST 516 case LDNS_ECC_GOST: 517 *evp_key = sldns_gost2pkey_raw(key, keylen); 518 if(!*evp_key) { 519 verbose(VERB_QUERY, "verify: " 520 "sldns_gost2pkey_raw failed"); 521 return 0; 522 } 523 *digest_type = EVP_get_digestbyname("md_gost94"); 524 if(!*digest_type) { 525 verbose(VERB_QUERY, "verify: " 526 "EVP_getdigest md_gost94 failed"); 527 return 0; 528 } 529 break; 530 #endif 531 #ifdef USE_ECDSA 532 case LDNS_ECDSAP256SHA256: 533 *evp_key = sldns_ecdsa2pkey_raw(key, keylen, 534 LDNS_ECDSAP256SHA256); 535 if(!*evp_key) { 536 verbose(VERB_QUERY, "verify: " 537 "sldns_ecdsa2pkey_raw failed"); 538 return 0; 539 } 540 #ifdef USE_ECDSA_EVP_WORKAROUND 541 *digest_type = &ecdsa_evp_256_md; 542 #else 543 *digest_type = EVP_sha256(); 544 #endif 545 break; 546 case LDNS_ECDSAP384SHA384: 547 *evp_key = sldns_ecdsa2pkey_raw(key, keylen, 548 LDNS_ECDSAP384SHA384); 549 if(!*evp_key) { 550 verbose(VERB_QUERY, "verify: " 551 "sldns_ecdsa2pkey_raw failed"); 552 return 0; 553 } 554 #ifdef USE_ECDSA_EVP_WORKAROUND 555 *digest_type = &ecdsa_evp_384_md; 556 #else 557 *digest_type = EVP_sha384(); 558 #endif 559 break; 560 #endif /* USE_ECDSA */ 561 #ifdef USE_ED25519 562 case LDNS_ED25519: 563 *evp_key = sldns_ed255192pkey_raw(key, keylen); 564 if(!*evp_key) { 565 verbose(VERB_QUERY, "verify: " 566 "sldns_ed255192pkey_raw failed"); 567 return 0; 568 } 569 *digest_type = NULL; 570 break; 571 #endif /* USE_ED25519 */ 572 default: 573 verbose(VERB_QUERY, "verify: unknown algorithm %d", 574 algo); 575 return 0; 576 } 577 return 1; 578 } 579 580 /** 581 * Check a canonical sig+rrset and signature against a dnskey 582 * @param buf: buffer with data to verify, the first rrsig part and the 583 * canonicalized rrset. 584 * @param algo: DNSKEY algorithm. 585 * @param sigblock: signature rdata field from RRSIG 586 * @param sigblock_len: length of sigblock data. 587 * @param key: public key data from DNSKEY RR. 588 * @param keylen: length of keydata. 589 * @param reason: bogus reason in more detail. 590 * @return secure if verification succeeded, bogus on crypto failure, 591 * unchecked on format errors and alloc failures. 592 */ 593 enum sec_status 594 verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock, 595 unsigned int sigblock_len, unsigned char* key, unsigned int keylen, 596 char** reason) 597 { 598 const EVP_MD *digest_type; 599 EVP_MD_CTX* ctx; 600 int res, dofree = 0, docrypto_free = 0; 601 EVP_PKEY *evp_key = NULL; 602 603 #ifndef USE_DSA 604 if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) &&(fake_dsa||fake_sha1)) 605 return sec_status_secure; 606 #endif 607 #ifndef USE_SHA1 608 if(fake_sha1 && (algo == LDNS_DSA || algo == LDNS_DSA_NSEC3 || algo == LDNS_RSASHA1 || algo == LDNS_RSASHA1_NSEC3)) 609 return sec_status_secure; 610 #endif 611 612 if(!setup_key_digest(algo, &evp_key, &digest_type, key, keylen)) { 613 verbose(VERB_QUERY, "verify: failed to setup key"); 614 *reason = "use of key for crypto failed"; 615 EVP_PKEY_free(evp_key); 616 return sec_status_bogus; 617 } 618 #ifdef USE_DSA 619 /* if it is a DSA signature in bind format, convert to DER format */ 620 if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) && 621 sigblock_len == 1+2*SHA_DIGEST_LENGTH) { 622 if(!setup_dsa_sig(&sigblock, &sigblock_len)) { 623 verbose(VERB_QUERY, "verify: failed to setup DSA sig"); 624 *reason = "use of key for DSA crypto failed"; 625 EVP_PKEY_free(evp_key); 626 return sec_status_bogus; 627 } 628 docrypto_free = 1; 629 } 630 #endif 631 #if defined(USE_ECDSA) && defined(USE_DSA) 632 else 633 #endif 634 #ifdef USE_ECDSA 635 if(algo == LDNS_ECDSAP256SHA256 || algo == LDNS_ECDSAP384SHA384) { 636 /* EVP uses ASN prefix on sig, which is not in the wire data */ 637 if(!setup_ecdsa_sig(&sigblock, &sigblock_len)) { 638 verbose(VERB_QUERY, "verify: failed to setup ECDSA sig"); 639 *reason = "use of signature for ECDSA crypto failed"; 640 EVP_PKEY_free(evp_key); 641 return sec_status_bogus; 642 } 643 dofree = 1; 644 } 645 #endif /* USE_ECDSA */ 646 647 /* do the signature cryptography work */ 648 #ifdef HAVE_EVP_MD_CTX_NEW 649 ctx = EVP_MD_CTX_new(); 650 #else 651 ctx = (EVP_MD_CTX*)malloc(sizeof(*ctx)); 652 if(ctx) EVP_MD_CTX_init(ctx); 653 #endif 654 if(!ctx) { 655 log_err("EVP_MD_CTX_new: malloc failure"); 656 EVP_PKEY_free(evp_key); 657 if(dofree) free(sigblock); 658 else if(docrypto_free) OPENSSL_free(sigblock); 659 return sec_status_unchecked; 660 } 661 #ifndef HAVE_EVP_DIGESTVERIFY 662 if(EVP_DigestInit(ctx, digest_type) == 0) { 663 verbose(VERB_QUERY, "verify: EVP_DigestInit failed"); 664 #ifdef HAVE_EVP_MD_CTX_NEW 665 EVP_MD_CTX_destroy(ctx); 666 #else 667 EVP_MD_CTX_cleanup(ctx); 668 free(ctx); 669 #endif 670 EVP_PKEY_free(evp_key); 671 if(dofree) free(sigblock); 672 else if(docrypto_free) OPENSSL_free(sigblock); 673 return sec_status_unchecked; 674 } 675 if(EVP_DigestUpdate(ctx, (unsigned char*)sldns_buffer_begin(buf), 676 (unsigned int)sldns_buffer_limit(buf)) == 0) { 677 verbose(VERB_QUERY, "verify: EVP_DigestUpdate failed"); 678 #ifdef HAVE_EVP_MD_CTX_NEW 679 EVP_MD_CTX_destroy(ctx); 680 #else 681 EVP_MD_CTX_cleanup(ctx); 682 free(ctx); 683 #endif 684 EVP_PKEY_free(evp_key); 685 if(dofree) free(sigblock); 686 else if(docrypto_free) OPENSSL_free(sigblock); 687 return sec_status_unchecked; 688 } 689 690 res = EVP_VerifyFinal(ctx, sigblock, sigblock_len, evp_key); 691 #else /* HAVE_EVP_DIGESTVERIFY */ 692 if(EVP_DigestVerifyInit(ctx, NULL, digest_type, NULL, evp_key) == 0) { 693 verbose(VERB_QUERY, "verify: EVP_DigestVerifyInit failed"); 694 #ifdef HAVE_EVP_MD_CTX_NEW 695 EVP_MD_CTX_destroy(ctx); 696 #else 697 EVP_MD_CTX_cleanup(ctx); 698 free(ctx); 699 #endif 700 EVP_PKEY_free(evp_key); 701 if(dofree) free(sigblock); 702 else if(docrypto_free) OPENSSL_free(sigblock); 703 return sec_status_unchecked; 704 } 705 res = EVP_DigestVerify(ctx, sigblock, sigblock_len, 706 (unsigned char*)sldns_buffer_begin(buf), 707 sldns_buffer_limit(buf)); 708 #endif 709 #ifdef HAVE_EVP_MD_CTX_NEW 710 EVP_MD_CTX_destroy(ctx); 711 #else 712 EVP_MD_CTX_cleanup(ctx); 713 free(ctx); 714 #endif 715 EVP_PKEY_free(evp_key); 716 717 if(dofree) free(sigblock); 718 else if(docrypto_free) OPENSSL_free(sigblock); 719 720 if(res == 1) { 721 return sec_status_secure; 722 } else if(res == 0) { 723 verbose(VERB_QUERY, "verify: signature mismatch"); 724 *reason = "signature crypto failed"; 725 return sec_status_bogus; 726 } 727 728 log_crypto_error("verify:", ERR_get_error()); 729 return sec_status_unchecked; 730 } 731 732 /**************************************************/ 733 #elif defined(HAVE_NSS) 734 /* libnss implementation */ 735 /* nss3 */ 736 #include "sechash.h" 737 #include "pk11pub.h" 738 #include "keyhi.h" 739 #include "secerr.h" 740 #include "cryptohi.h" 741 /* nspr4 */ 742 #include "prerror.h" 743 744 /* return size of digest if supported, or 0 otherwise */ 745 size_t 746 nsec3_hash_algo_size_supported(int id) 747 { 748 switch(id) { 749 case NSEC3_HASH_SHA1: 750 return SHA1_LENGTH; 751 default: 752 return 0; 753 } 754 } 755 756 /* perform nsec3 hash. return false on failure */ 757 int 758 secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len, 759 unsigned char* res) 760 { 761 switch(algo) { 762 case NSEC3_HASH_SHA1: 763 (void)HASH_HashBuf(HASH_AlgSHA1, res, buf, (unsigned long)len); 764 return 1; 765 default: 766 return 0; 767 } 768 } 769 770 void 771 secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res) 772 { 773 (void)HASH_HashBuf(HASH_AlgSHA256, res, buf, (unsigned long)len); 774 } 775 776 size_t 777 ds_digest_size_supported(int algo) 778 { 779 /* uses libNSS */ 780 switch(algo) { 781 #ifdef USE_SHA1 782 case LDNS_SHA1: 783 return SHA1_LENGTH; 784 #endif 785 #ifdef USE_SHA2 786 case LDNS_SHA256: 787 return SHA256_LENGTH; 788 #endif 789 #ifdef USE_ECDSA 790 case LDNS_SHA384: 791 return SHA384_LENGTH; 792 #endif 793 /* GOST not supported in NSS */ 794 case LDNS_HASH_GOST: 795 default: break; 796 } 797 return 0; 798 } 799 800 int 801 secalgo_ds_digest(int algo, unsigned char* buf, size_t len, 802 unsigned char* res) 803 { 804 /* uses libNSS */ 805 switch(algo) { 806 #ifdef USE_SHA1 807 case LDNS_SHA1: 808 return HASH_HashBuf(HASH_AlgSHA1, res, buf, len) 809 == SECSuccess; 810 #endif 811 #if defined(USE_SHA2) 812 case LDNS_SHA256: 813 return HASH_HashBuf(HASH_AlgSHA256, res, buf, len) 814 == SECSuccess; 815 #endif 816 #ifdef USE_ECDSA 817 case LDNS_SHA384: 818 return HASH_HashBuf(HASH_AlgSHA384, res, buf, len) 819 == SECSuccess; 820 #endif 821 case LDNS_HASH_GOST: 822 default: 823 verbose(VERB_QUERY, "unknown DS digest algorithm %d", 824 algo); 825 break; 826 } 827 return 0; 828 } 829 830 int 831 dnskey_algo_id_is_supported(int id) 832 { 833 /* uses libNSS */ 834 switch(id) { 835 case LDNS_RSAMD5: 836 /* RFC 6725 deprecates RSAMD5 */ 837 return 0; 838 #if defined(USE_SHA1) || defined(USE_SHA2) 839 #if defined(USE_DSA) && defined(USE_SHA1) 840 case LDNS_DSA: 841 case LDNS_DSA_NSEC3: 842 #endif 843 #ifdef USE_SHA1 844 case LDNS_RSASHA1: 845 case LDNS_RSASHA1_NSEC3: 846 #endif 847 #ifdef USE_SHA2 848 case LDNS_RSASHA256: 849 #endif 850 #ifdef USE_SHA2 851 case LDNS_RSASHA512: 852 #endif 853 return 1; 854 #endif /* SHA1 or SHA2 */ 855 856 #ifdef USE_ECDSA 857 case LDNS_ECDSAP256SHA256: 858 case LDNS_ECDSAP384SHA384: 859 return PK11_TokenExists(CKM_ECDSA); 860 #endif 861 case LDNS_ECC_GOST: 862 default: 863 return 0; 864 } 865 } 866 867 /* return a new public key for NSS */ 868 static SECKEYPublicKey* nss_key_create(KeyType ktype) 869 { 870 SECKEYPublicKey* key; 871 PLArenaPool* arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); 872 if(!arena) { 873 log_err("out of memory, PORT_NewArena failed"); 874 return NULL; 875 } 876 key = PORT_ArenaZNew(arena, SECKEYPublicKey); 877 if(!key) { 878 log_err("out of memory, PORT_ArenaZNew failed"); 879 PORT_FreeArena(arena, PR_FALSE); 880 return NULL; 881 } 882 key->arena = arena; 883 key->keyType = ktype; 884 key->pkcs11Slot = NULL; 885 key->pkcs11ID = CK_INVALID_HANDLE; 886 return key; 887 } 888 889 static SECKEYPublicKey* nss_buf2ecdsa(unsigned char* key, size_t len, int algo) 890 { 891 SECKEYPublicKey* pk; 892 SECItem pub = {siBuffer, NULL, 0}; 893 SECItem params = {siBuffer, NULL, 0}; 894 static unsigned char param256[] = { 895 /* OBJECTIDENTIFIER 1.2.840.10045.3.1.7 (P-256) 896 * {iso(1) member-body(2) us(840) ansi-x962(10045) curves(3) prime(1) prime256v1(7)} */ 897 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07 898 }; 899 static unsigned char param384[] = { 900 /* OBJECTIDENTIFIER 1.3.132.0.34 (P-384) 901 * {iso(1) identified-organization(3) certicom(132) curve(0) ansip384r1(34)} */ 902 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22 903 }; 904 unsigned char buf[256+2]; /* sufficient for 2*384/8+1 */ 905 906 /* check length, which uncompressed must be 2 bignums */ 907 if(algo == LDNS_ECDSAP256SHA256) { 908 if(len != 2*256/8) return NULL; 909 /* ECCurve_X9_62_PRIME_256V1 */ 910 } else if(algo == LDNS_ECDSAP384SHA384) { 911 if(len != 2*384/8) return NULL; 912 /* ECCurve_X9_62_PRIME_384R1 */ 913 } else return NULL; 914 915 buf[0] = 0x04; /* POINT_FORM_UNCOMPRESSED */ 916 memmove(buf+1, key, len); 917 pub.data = buf; 918 pub.len = len+1; 919 if(algo == LDNS_ECDSAP256SHA256) { 920 params.data = param256; 921 params.len = sizeof(param256); 922 } else { 923 params.data = param384; 924 params.len = sizeof(param384); 925 } 926 927 pk = nss_key_create(ecKey); 928 if(!pk) 929 return NULL; 930 pk->u.ec.size = (len/2)*8; 931 if(SECITEM_CopyItem(pk->arena, &pk->u.ec.publicValue, &pub)) { 932 SECKEY_DestroyPublicKey(pk); 933 return NULL; 934 } 935 if(SECITEM_CopyItem(pk->arena, &pk->u.ec.DEREncodedParams, ¶ms)) { 936 SECKEY_DestroyPublicKey(pk); 937 return NULL; 938 } 939 940 return pk; 941 } 942 943 static SECKEYPublicKey* nss_buf2dsa(unsigned char* key, size_t len) 944 { 945 SECKEYPublicKey* pk; 946 uint8_t T; 947 uint16_t length; 948 uint16_t offset; 949 SECItem Q = {siBuffer, NULL, 0}; 950 SECItem P = {siBuffer, NULL, 0}; 951 SECItem G = {siBuffer, NULL, 0}; 952 SECItem Y = {siBuffer, NULL, 0}; 953 954 if(len == 0) 955 return NULL; 956 T = (uint8_t)key[0]; 957 length = (64 + T * 8); 958 offset = 1; 959 960 if (T > 8) { 961 return NULL; 962 } 963 if(len < (size_t)1 + SHA1_LENGTH + 3*length) 964 return NULL; 965 966 Q.data = key+offset; 967 Q.len = SHA1_LENGTH; 968 offset += SHA1_LENGTH; 969 970 P.data = key+offset; 971 P.len = length; 972 offset += length; 973 974 G.data = key+offset; 975 G.len = length; 976 offset += length; 977 978 Y.data = key+offset; 979 Y.len = length; 980 offset += length; 981 982 pk = nss_key_create(dsaKey); 983 if(!pk) 984 return NULL; 985 if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.prime, &P)) { 986 SECKEY_DestroyPublicKey(pk); 987 return NULL; 988 } 989 if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.subPrime, &Q)) { 990 SECKEY_DestroyPublicKey(pk); 991 return NULL; 992 } 993 if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.base, &G)) { 994 SECKEY_DestroyPublicKey(pk); 995 return NULL; 996 } 997 if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.publicValue, &Y)) { 998 SECKEY_DestroyPublicKey(pk); 999 return NULL; 1000 } 1001 return pk; 1002 } 1003 1004 static SECKEYPublicKey* nss_buf2rsa(unsigned char* key, size_t len) 1005 { 1006 SECKEYPublicKey* pk; 1007 uint16_t exp; 1008 uint16_t offset; 1009 uint16_t int16; 1010 SECItem modulus = {siBuffer, NULL, 0}; 1011 SECItem exponent = {siBuffer, NULL, 0}; 1012 if(len == 0) 1013 return NULL; 1014 if(key[0] == 0) { 1015 if(len < 3) 1016 return NULL; 1017 /* the exponent is too large so it's places further */ 1018 memmove(&int16, key+1, 2); 1019 exp = ntohs(int16); 1020 offset = 3; 1021 } else { 1022 exp = key[0]; 1023 offset = 1; 1024 } 1025 1026 /* key length at least one */ 1027 if(len < (size_t)offset + exp + 1) 1028 return NULL; 1029 1030 exponent.data = key+offset; 1031 exponent.len = exp; 1032 offset += exp; 1033 modulus.data = key+offset; 1034 modulus.len = (len - offset); 1035 1036 pk = nss_key_create(rsaKey); 1037 if(!pk) 1038 return NULL; 1039 if(SECITEM_CopyItem(pk->arena, &pk->u.rsa.modulus, &modulus)) { 1040 SECKEY_DestroyPublicKey(pk); 1041 return NULL; 1042 } 1043 if(SECITEM_CopyItem(pk->arena, &pk->u.rsa.publicExponent, &exponent)) { 1044 SECKEY_DestroyPublicKey(pk); 1045 return NULL; 1046 } 1047 return pk; 1048 } 1049 1050 /** 1051 * Setup key and digest for verification. Adjust sig if necessary. 1052 * 1053 * @param algo: key algorithm 1054 * @param evp_key: EVP PKEY public key to create. 1055 * @param digest_type: digest type to use 1056 * @param key: key to setup for. 1057 * @param keylen: length of key. 1058 * @param prefix: if returned, the ASN prefix for the hashblob. 1059 * @param prefixlen: length of the prefix. 1060 * @return false on failure. 1061 */ 1062 static int 1063 nss_setup_key_digest(int algo, SECKEYPublicKey** pubkey, HASH_HashType* htype, 1064 unsigned char* key, size_t keylen, unsigned char** prefix, 1065 size_t* prefixlen) 1066 { 1067 /* uses libNSS */ 1068 1069 /* hash prefix for md5, RFC2537 */ 1070 static unsigned char p_md5[] = {0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a, 1071 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 0x04, 0x10}; 1072 /* hash prefix to prepend to hash output, from RFC3110 */ 1073 static unsigned char p_sha1[] = {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B, 1074 0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14}; 1075 /* from RFC5702 */ 1076 static unsigned char p_sha256[] = {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 1077 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20}; 1078 static unsigned char p_sha512[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 1079 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40}; 1080 /* from RFC6234 */ 1081 /* for future RSASHA384 .. 1082 static unsigned char p_sha384[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 1083 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30}; 1084 */ 1085 1086 switch(algo) { 1087 1088 #if defined(USE_SHA1) || defined(USE_SHA2) 1089 #if defined(USE_DSA) && defined(USE_SHA1) 1090 case LDNS_DSA: 1091 case LDNS_DSA_NSEC3: 1092 *pubkey = nss_buf2dsa(key, keylen); 1093 if(!*pubkey) { 1094 log_err("verify: malloc failure in crypto"); 1095 return 0; 1096 } 1097 *htype = HASH_AlgSHA1; 1098 /* no prefix for DSA verification */ 1099 break; 1100 #endif 1101 #ifdef USE_SHA1 1102 case LDNS_RSASHA1: 1103 case LDNS_RSASHA1_NSEC3: 1104 #endif 1105 #ifdef USE_SHA2 1106 case LDNS_RSASHA256: 1107 #endif 1108 #ifdef USE_SHA2 1109 case LDNS_RSASHA512: 1110 #endif 1111 *pubkey = nss_buf2rsa(key, keylen); 1112 if(!*pubkey) { 1113 log_err("verify: malloc failure in crypto"); 1114 return 0; 1115 } 1116 /* select SHA version */ 1117 #ifdef USE_SHA2 1118 if(algo == LDNS_RSASHA256) { 1119 *htype = HASH_AlgSHA256; 1120 *prefix = p_sha256; 1121 *prefixlen = sizeof(p_sha256); 1122 } else 1123 #endif 1124 #ifdef USE_SHA2 1125 if(algo == LDNS_RSASHA512) { 1126 *htype = HASH_AlgSHA512; 1127 *prefix = p_sha512; 1128 *prefixlen = sizeof(p_sha512); 1129 } else 1130 #endif 1131 #ifdef USE_SHA1 1132 { 1133 *htype = HASH_AlgSHA1; 1134 *prefix = p_sha1; 1135 *prefixlen = sizeof(p_sha1); 1136 } 1137 #else 1138 { 1139 verbose(VERB_QUERY, "verify: no digest algo"); 1140 return 0; 1141 } 1142 #endif 1143 1144 break; 1145 #endif /* SHA1 or SHA2 */ 1146 1147 case LDNS_RSAMD5: 1148 *pubkey = nss_buf2rsa(key, keylen); 1149 if(!*pubkey) { 1150 log_err("verify: malloc failure in crypto"); 1151 return 0; 1152 } 1153 *htype = HASH_AlgMD5; 1154 *prefix = p_md5; 1155 *prefixlen = sizeof(p_md5); 1156 1157 break; 1158 #ifdef USE_ECDSA 1159 case LDNS_ECDSAP256SHA256: 1160 *pubkey = nss_buf2ecdsa(key, keylen, 1161 LDNS_ECDSAP256SHA256); 1162 if(!*pubkey) { 1163 log_err("verify: malloc failure in crypto"); 1164 return 0; 1165 } 1166 *htype = HASH_AlgSHA256; 1167 /* no prefix for DSA verification */ 1168 break; 1169 case LDNS_ECDSAP384SHA384: 1170 *pubkey = nss_buf2ecdsa(key, keylen, 1171 LDNS_ECDSAP384SHA384); 1172 if(!*pubkey) { 1173 log_err("verify: malloc failure in crypto"); 1174 return 0; 1175 } 1176 *htype = HASH_AlgSHA384; 1177 /* no prefix for DSA verification */ 1178 break; 1179 #endif /* USE_ECDSA */ 1180 case LDNS_ECC_GOST: 1181 default: 1182 verbose(VERB_QUERY, "verify: unknown algorithm %d", 1183 algo); 1184 return 0; 1185 } 1186 return 1; 1187 } 1188 1189 /** 1190 * Check a canonical sig+rrset and signature against a dnskey 1191 * @param buf: buffer with data to verify, the first rrsig part and the 1192 * canonicalized rrset. 1193 * @param algo: DNSKEY algorithm. 1194 * @param sigblock: signature rdata field from RRSIG 1195 * @param sigblock_len: length of sigblock data. 1196 * @param key: public key data from DNSKEY RR. 1197 * @param keylen: length of keydata. 1198 * @param reason: bogus reason in more detail. 1199 * @return secure if verification succeeded, bogus on crypto failure, 1200 * unchecked on format errors and alloc failures. 1201 */ 1202 enum sec_status 1203 verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock, 1204 unsigned int sigblock_len, unsigned char* key, unsigned int keylen, 1205 char** reason) 1206 { 1207 /* uses libNSS */ 1208 /* large enough for the different hashes */ 1209 unsigned char hash[HASH_LENGTH_MAX]; 1210 unsigned char hash2[HASH_LENGTH_MAX*2]; 1211 HASH_HashType htype = 0; 1212 SECKEYPublicKey* pubkey = NULL; 1213 SECItem secsig = {siBuffer, sigblock, sigblock_len}; 1214 SECItem sechash = {siBuffer, hash, 0}; 1215 SECStatus res; 1216 unsigned char* prefix = NULL; /* prefix for hash, RFC3110, RFC5702 */ 1217 size_t prefixlen = 0; 1218 int err; 1219 1220 if(!nss_setup_key_digest(algo, &pubkey, &htype, key, keylen, 1221 &prefix, &prefixlen)) { 1222 verbose(VERB_QUERY, "verify: failed to setup key"); 1223 *reason = "use of key for crypto failed"; 1224 SECKEY_DestroyPublicKey(pubkey); 1225 return sec_status_bogus; 1226 } 1227 1228 #if defined(USE_DSA) && defined(USE_SHA1) 1229 /* need to convert DSA, ECDSA signatures? */ 1230 if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3)) { 1231 if(sigblock_len == 1+2*SHA1_LENGTH) { 1232 secsig.data ++; 1233 secsig.len --; 1234 } else { 1235 SECItem* p = DSAU_DecodeDerSig(&secsig); 1236 if(!p) { 1237 verbose(VERB_QUERY, "verify: failed DER decode"); 1238 *reason = "signature DER decode failed"; 1239 SECKEY_DestroyPublicKey(pubkey); 1240 return sec_status_bogus; 1241 } 1242 if(SECITEM_CopyItem(pubkey->arena, &secsig, p)) { 1243 log_err("alloc failure in DER decode"); 1244 SECKEY_DestroyPublicKey(pubkey); 1245 SECITEM_FreeItem(p, PR_TRUE); 1246 return sec_status_unchecked; 1247 } 1248 SECITEM_FreeItem(p, PR_TRUE); 1249 } 1250 } 1251 #endif /* USE_DSA */ 1252 1253 /* do the signature cryptography work */ 1254 /* hash the data */ 1255 sechash.len = HASH_ResultLen(htype); 1256 if(sechash.len > sizeof(hash)) { 1257 verbose(VERB_QUERY, "verify: hash too large for buffer"); 1258 SECKEY_DestroyPublicKey(pubkey); 1259 return sec_status_unchecked; 1260 } 1261 if(HASH_HashBuf(htype, hash, (unsigned char*)sldns_buffer_begin(buf), 1262 (unsigned int)sldns_buffer_limit(buf)) != SECSuccess) { 1263 verbose(VERB_QUERY, "verify: HASH_HashBuf failed"); 1264 SECKEY_DestroyPublicKey(pubkey); 1265 return sec_status_unchecked; 1266 } 1267 if(prefix) { 1268 int hashlen = sechash.len; 1269 if(prefixlen+hashlen > sizeof(hash2)) { 1270 verbose(VERB_QUERY, "verify: hashprefix too large"); 1271 SECKEY_DestroyPublicKey(pubkey); 1272 return sec_status_unchecked; 1273 } 1274 sechash.data = hash2; 1275 sechash.len = prefixlen+hashlen; 1276 memcpy(sechash.data, prefix, prefixlen); 1277 memmove(sechash.data+prefixlen, hash, hashlen); 1278 } 1279 1280 /* verify the signature */ 1281 res = PK11_Verify(pubkey, &secsig, &sechash, NULL /*wincx*/); 1282 SECKEY_DestroyPublicKey(pubkey); 1283 1284 if(res == SECSuccess) { 1285 return sec_status_secure; 1286 } 1287 err = PORT_GetError(); 1288 if(err != SEC_ERROR_BAD_SIGNATURE) { 1289 /* failed to verify */ 1290 verbose(VERB_QUERY, "verify: PK11_Verify failed: %s", 1291 PORT_ErrorToString(err)); 1292 /* if it is not supported, like ECC is removed, we get, 1293 * SEC_ERROR_NO_MODULE */ 1294 if(err == SEC_ERROR_NO_MODULE) 1295 return sec_status_unchecked; 1296 /* but other errors are commonly returned 1297 * for a bad signature from NSS. Thus we return bogus, 1298 * not unchecked */ 1299 *reason = "signature crypto failed"; 1300 return sec_status_bogus; 1301 } 1302 verbose(VERB_QUERY, "verify: signature mismatch: %s", 1303 PORT_ErrorToString(err)); 1304 *reason = "signature crypto failed"; 1305 return sec_status_bogus; 1306 } 1307 1308 #elif defined(HAVE_NETTLE) 1309 1310 #include "sha.h" 1311 #include "bignum.h" 1312 #include "macros.h" 1313 #include "rsa.h" 1314 #include "dsa.h" 1315 #ifdef HAVE_NETTLE_DSA_COMPAT_H 1316 #include "dsa-compat.h" 1317 #endif 1318 #include "asn1.h" 1319 #ifdef USE_ECDSA 1320 #include "ecdsa.h" 1321 #include "ecc-curve.h" 1322 #endif 1323 #ifdef HAVE_NETTLE_EDDSA_H 1324 #include "eddsa.h" 1325 #endif 1326 1327 static int 1328 _digest_nettle(int algo, uint8_t* buf, size_t len, 1329 unsigned char* res) 1330 { 1331 switch(algo) { 1332 case SHA1_DIGEST_SIZE: 1333 { 1334 struct sha1_ctx ctx; 1335 sha1_init(&ctx); 1336 sha1_update(&ctx, len, buf); 1337 sha1_digest(&ctx, SHA1_DIGEST_SIZE, res); 1338 return 1; 1339 } 1340 case SHA256_DIGEST_SIZE: 1341 { 1342 struct sha256_ctx ctx; 1343 sha256_init(&ctx); 1344 sha256_update(&ctx, len, buf); 1345 sha256_digest(&ctx, SHA256_DIGEST_SIZE, res); 1346 return 1; 1347 } 1348 case SHA384_DIGEST_SIZE: 1349 { 1350 struct sha384_ctx ctx; 1351 sha384_init(&ctx); 1352 sha384_update(&ctx, len, buf); 1353 sha384_digest(&ctx, SHA384_DIGEST_SIZE, res); 1354 return 1; 1355 } 1356 case SHA512_DIGEST_SIZE: 1357 { 1358 struct sha512_ctx ctx; 1359 sha512_init(&ctx); 1360 sha512_update(&ctx, len, buf); 1361 sha512_digest(&ctx, SHA512_DIGEST_SIZE, res); 1362 return 1; 1363 } 1364 default: 1365 break; 1366 } 1367 return 0; 1368 } 1369 1370 /* return size of digest if supported, or 0 otherwise */ 1371 size_t 1372 nsec3_hash_algo_size_supported(int id) 1373 { 1374 switch(id) { 1375 case NSEC3_HASH_SHA1: 1376 return SHA1_DIGEST_SIZE; 1377 default: 1378 return 0; 1379 } 1380 } 1381 1382 /* perform nsec3 hash. return false on failure */ 1383 int 1384 secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len, 1385 unsigned char* res) 1386 { 1387 switch(algo) { 1388 case NSEC3_HASH_SHA1: 1389 return _digest_nettle(SHA1_DIGEST_SIZE, (uint8_t*)buf, len, 1390 res); 1391 default: 1392 return 0; 1393 } 1394 } 1395 1396 void 1397 secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res) 1398 { 1399 _digest_nettle(SHA256_DIGEST_SIZE, (uint8_t*)buf, len, res); 1400 } 1401 1402 /** 1403 * Return size of DS digest according to its hash algorithm. 1404 * @param algo: DS digest algo. 1405 * @return size in bytes of digest, or 0 if not supported. 1406 */ 1407 size_t 1408 ds_digest_size_supported(int algo) 1409 { 1410 switch(algo) { 1411 case LDNS_SHA1: 1412 #ifdef USE_SHA1 1413 return SHA1_DIGEST_SIZE; 1414 #else 1415 if(fake_sha1) return 20; 1416 return 0; 1417 #endif 1418 #ifdef USE_SHA2 1419 case LDNS_SHA256: 1420 return SHA256_DIGEST_SIZE; 1421 #endif 1422 #ifdef USE_ECDSA 1423 case LDNS_SHA384: 1424 return SHA384_DIGEST_SIZE; 1425 #endif 1426 /* GOST not supported */ 1427 case LDNS_HASH_GOST: 1428 default: 1429 break; 1430 } 1431 return 0; 1432 } 1433 1434 int 1435 secalgo_ds_digest(int algo, unsigned char* buf, size_t len, 1436 unsigned char* res) 1437 { 1438 switch(algo) { 1439 #ifdef USE_SHA1 1440 case LDNS_SHA1: 1441 return _digest_nettle(SHA1_DIGEST_SIZE, buf, len, res); 1442 #endif 1443 #if defined(USE_SHA2) 1444 case LDNS_SHA256: 1445 return _digest_nettle(SHA256_DIGEST_SIZE, buf, len, res); 1446 #endif 1447 #ifdef USE_ECDSA 1448 case LDNS_SHA384: 1449 return _digest_nettle(SHA384_DIGEST_SIZE, buf, len, res); 1450 1451 #endif 1452 case LDNS_HASH_GOST: 1453 default: 1454 verbose(VERB_QUERY, "unknown DS digest algorithm %d", 1455 algo); 1456 break; 1457 } 1458 return 0; 1459 } 1460 1461 int 1462 dnskey_algo_id_is_supported(int id) 1463 { 1464 /* uses libnettle */ 1465 switch(id) { 1466 #if defined(USE_DSA) && defined(USE_SHA1) 1467 case LDNS_DSA: 1468 case LDNS_DSA_NSEC3: 1469 #endif 1470 #ifdef USE_SHA1 1471 case LDNS_RSASHA1: 1472 case LDNS_RSASHA1_NSEC3: 1473 #endif 1474 #ifdef USE_SHA2 1475 case LDNS_RSASHA256: 1476 case LDNS_RSASHA512: 1477 #endif 1478 #ifdef USE_ECDSA 1479 case LDNS_ECDSAP256SHA256: 1480 case LDNS_ECDSAP384SHA384: 1481 #endif 1482 return 1; 1483 #ifdef USE_ED25519 1484 case LDNS_ED25519: 1485 return 1; 1486 #endif 1487 case LDNS_RSAMD5: /* RFC 6725 deprecates RSAMD5 */ 1488 case LDNS_ECC_GOST: 1489 default: 1490 return 0; 1491 } 1492 } 1493 1494 #if defined(USE_DSA) && defined(USE_SHA1) 1495 static char * 1496 _verify_nettle_dsa(sldns_buffer* buf, unsigned char* sigblock, 1497 unsigned int sigblock_len, unsigned char* key, unsigned int keylen) 1498 { 1499 uint8_t digest[SHA1_DIGEST_SIZE]; 1500 uint8_t key_t_value; 1501 int res = 0; 1502 size_t offset; 1503 struct dsa_public_key pubkey; 1504 struct dsa_signature signature; 1505 unsigned int expected_len; 1506 1507 /* Extract DSA signature from the record */ 1508 nettle_dsa_signature_init(&signature); 1509 /* Signature length: 41 bytes - RFC 2536 sec. 3 */ 1510 if(sigblock_len == 41) { 1511 if(key[0] != sigblock[0]) 1512 return "invalid T value in DSA signature or pubkey"; 1513 nettle_mpz_set_str_256_u(signature.r, 20, sigblock+1); 1514 nettle_mpz_set_str_256_u(signature.s, 20, sigblock+1+20); 1515 } else { 1516 /* DER encoded, decode the ASN1 notated R and S bignums */ 1517 /* SEQUENCE { r INTEGER, s INTEGER } */ 1518 struct asn1_der_iterator i, seq; 1519 if(asn1_der_iterator_first(&i, sigblock_len, 1520 (uint8_t*)sigblock) != ASN1_ITERATOR_CONSTRUCTED 1521 || i.type != ASN1_SEQUENCE) 1522 return "malformed DER encoded DSA signature"; 1523 /* decode this element of i using the seq iterator */ 1524 if(asn1_der_decode_constructed(&i, &seq) != 1525 ASN1_ITERATOR_PRIMITIVE || seq.type != ASN1_INTEGER) 1526 return "malformed DER encoded DSA signature"; 1527 if(!asn1_der_get_bignum(&seq, signature.r, 20*8)) 1528 return "malformed DER encoded DSA signature"; 1529 if(asn1_der_iterator_next(&seq) != ASN1_ITERATOR_PRIMITIVE 1530 || seq.type != ASN1_INTEGER) 1531 return "malformed DER encoded DSA signature"; 1532 if(!asn1_der_get_bignum(&seq, signature.s, 20*8)) 1533 return "malformed DER encoded DSA signature"; 1534 if(asn1_der_iterator_next(&i) != ASN1_ITERATOR_END) 1535 return "malformed DER encoded DSA signature"; 1536 } 1537 1538 /* Validate T values constraints - RFC 2536 sec. 2 & sec. 3 */ 1539 key_t_value = key[0]; 1540 if (key_t_value > 8) { 1541 return "invalid T value in DSA pubkey"; 1542 } 1543 1544 /* Pubkey minimum length: 21 bytes - RFC 2536 sec. 2 */ 1545 if (keylen < 21) { 1546 return "DSA pubkey too short"; 1547 } 1548 1549 expected_len = 1 + /* T */ 1550 20 + /* Q */ 1551 (64 + key_t_value*8) + /* P */ 1552 (64 + key_t_value*8) + /* G */ 1553 (64 + key_t_value*8); /* Y */ 1554 if (keylen != expected_len ) { 1555 return "invalid DSA pubkey length"; 1556 } 1557 1558 /* Extract DSA pubkey from the record */ 1559 nettle_dsa_public_key_init(&pubkey); 1560 offset = 1; 1561 nettle_mpz_set_str_256_u(pubkey.q, 20, key+offset); 1562 offset += 20; 1563 nettle_mpz_set_str_256_u(pubkey.p, (64 + key_t_value*8), key+offset); 1564 offset += (64 + key_t_value*8); 1565 nettle_mpz_set_str_256_u(pubkey.g, (64 + key_t_value*8), key+offset); 1566 offset += (64 + key_t_value*8); 1567 nettle_mpz_set_str_256_u(pubkey.y, (64 + key_t_value*8), key+offset); 1568 1569 /* Digest content of "buf" and verify its DSA signature in "sigblock"*/ 1570 res = _digest_nettle(SHA1_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), 1571 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); 1572 res &= dsa_sha1_verify_digest(&pubkey, digest, &signature); 1573 1574 /* Clear and return */ 1575 nettle_dsa_signature_clear(&signature); 1576 nettle_dsa_public_key_clear(&pubkey); 1577 if (!res) 1578 return "DSA signature verification failed"; 1579 else 1580 return NULL; 1581 } 1582 #endif /* USE_DSA */ 1583 1584 static char * 1585 _verify_nettle_rsa(sldns_buffer* buf, unsigned int digest_size, char* sigblock, 1586 unsigned int sigblock_len, uint8_t* key, unsigned int keylen) 1587 { 1588 uint16_t exp_len = 0; 1589 size_t exp_offset = 0, mod_offset = 0; 1590 struct rsa_public_key pubkey; 1591 mpz_t signature; 1592 int res = 0; 1593 1594 /* RSA pubkey parsing as per RFC 3110 sec. 2 */ 1595 if( keylen <= 1) { 1596 return "null RSA key"; 1597 } 1598 if (key[0] != 0) { 1599 /* 1-byte length */ 1600 exp_len = key[0]; 1601 exp_offset = 1; 1602 } else { 1603 /* 1-byte NUL + 2-bytes exponent length */ 1604 if (keylen < 3) { 1605 return "incorrect RSA key length"; 1606 } 1607 exp_len = READ_UINT16(key+1); 1608 if (exp_len == 0) 1609 return "null RSA exponent length"; 1610 exp_offset = 3; 1611 } 1612 /* Check that we are not over-running input length */ 1613 if (keylen < exp_offset + exp_len + 1) { 1614 return "RSA key content shorter than expected"; 1615 } 1616 mod_offset = exp_offset + exp_len; 1617 nettle_rsa_public_key_init(&pubkey); 1618 pubkey.size = keylen - mod_offset; 1619 nettle_mpz_set_str_256_u(pubkey.e, exp_len, &key[exp_offset]); 1620 nettle_mpz_set_str_256_u(pubkey.n, pubkey.size, &key[mod_offset]); 1621 1622 /* Digest content of "buf" and verify its RSA signature in "sigblock"*/ 1623 nettle_mpz_init_set_str_256_u(signature, sigblock_len, (uint8_t*)sigblock); 1624 switch (digest_size) { 1625 case SHA1_DIGEST_SIZE: 1626 { 1627 uint8_t digest[SHA1_DIGEST_SIZE]; 1628 res = _digest_nettle(SHA1_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), 1629 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); 1630 res &= rsa_sha1_verify_digest(&pubkey, digest, signature); 1631 break; 1632 } 1633 case SHA256_DIGEST_SIZE: 1634 { 1635 uint8_t digest[SHA256_DIGEST_SIZE]; 1636 res = _digest_nettle(SHA256_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), 1637 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); 1638 res &= rsa_sha256_verify_digest(&pubkey, digest, signature); 1639 break; 1640 } 1641 case SHA512_DIGEST_SIZE: 1642 { 1643 uint8_t digest[SHA512_DIGEST_SIZE]; 1644 res = _digest_nettle(SHA512_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), 1645 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); 1646 res &= rsa_sha512_verify_digest(&pubkey, digest, signature); 1647 break; 1648 } 1649 default: 1650 break; 1651 } 1652 1653 /* Clear and return */ 1654 nettle_rsa_public_key_clear(&pubkey); 1655 mpz_clear(signature); 1656 if (!res) { 1657 return "RSA signature verification failed"; 1658 } else { 1659 return NULL; 1660 } 1661 } 1662 1663 #ifdef USE_ECDSA 1664 static char * 1665 _verify_nettle_ecdsa(sldns_buffer* buf, unsigned int digest_size, unsigned char* sigblock, 1666 unsigned int sigblock_len, unsigned char* key, unsigned int keylen) 1667 { 1668 int res = 0; 1669 struct ecc_point pubkey; 1670 struct dsa_signature signature; 1671 1672 /* Always matched strength, as per RFC 6605 sec. 1 */ 1673 if (sigblock_len != 2*digest_size || keylen != 2*digest_size) { 1674 return "wrong ECDSA signature length"; 1675 } 1676 1677 /* Parse ECDSA signature as per RFC 6605 sec. 4 */ 1678 nettle_dsa_signature_init(&signature); 1679 switch (digest_size) { 1680 case SHA256_DIGEST_SIZE: 1681 { 1682 uint8_t digest[SHA256_DIGEST_SIZE]; 1683 mpz_t x, y; 1684 nettle_ecc_point_init(&pubkey, &nettle_secp_256r1); 1685 nettle_mpz_init_set_str_256_u(x, SHA256_DIGEST_SIZE, key); 1686 nettle_mpz_init_set_str_256_u(y, SHA256_DIGEST_SIZE, key+SHA256_DIGEST_SIZE); 1687 nettle_mpz_set_str_256_u(signature.r, SHA256_DIGEST_SIZE, sigblock); 1688 nettle_mpz_set_str_256_u(signature.s, SHA256_DIGEST_SIZE, sigblock+SHA256_DIGEST_SIZE); 1689 res = _digest_nettle(SHA256_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), 1690 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); 1691 res &= nettle_ecc_point_set(&pubkey, x, y); 1692 res &= nettle_ecdsa_verify (&pubkey, SHA256_DIGEST_SIZE, digest, &signature); 1693 mpz_clear(x); 1694 mpz_clear(y); 1695 break; 1696 } 1697 case SHA384_DIGEST_SIZE: 1698 { 1699 uint8_t digest[SHA384_DIGEST_SIZE]; 1700 mpz_t x, y; 1701 nettle_ecc_point_init(&pubkey, &nettle_secp_384r1); 1702 nettle_mpz_init_set_str_256_u(x, SHA384_DIGEST_SIZE, key); 1703 nettle_mpz_init_set_str_256_u(y, SHA384_DIGEST_SIZE, key+SHA384_DIGEST_SIZE); 1704 nettle_mpz_set_str_256_u(signature.r, SHA384_DIGEST_SIZE, sigblock); 1705 nettle_mpz_set_str_256_u(signature.s, SHA384_DIGEST_SIZE, sigblock+SHA384_DIGEST_SIZE); 1706 res = _digest_nettle(SHA384_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), 1707 (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); 1708 res &= nettle_ecc_point_set(&pubkey, x, y); 1709 res &= nettle_ecdsa_verify (&pubkey, SHA384_DIGEST_SIZE, digest, &signature); 1710 mpz_clear(x); 1711 mpz_clear(y); 1712 nettle_ecc_point_clear(&pubkey); 1713 break; 1714 } 1715 default: 1716 return "unknown ECDSA algorithm"; 1717 } 1718 1719 /* Clear and return */ 1720 nettle_dsa_signature_clear(&signature); 1721 if (!res) 1722 return "ECDSA signature verification failed"; 1723 else 1724 return NULL; 1725 } 1726 #endif 1727 1728 #ifdef USE_ED25519 1729 static char * 1730 _verify_nettle_ed25519(sldns_buffer* buf, unsigned char* sigblock, 1731 unsigned int sigblock_len, unsigned char* key, unsigned int keylen) 1732 { 1733 int res = 0; 1734 1735 if(sigblock_len != ED25519_SIGNATURE_SIZE) { 1736 return "wrong ED25519 signature length"; 1737 } 1738 if(keylen != ED25519_KEY_SIZE) { 1739 return "wrong ED25519 key length"; 1740 } 1741 1742 res = ed25519_sha512_verify((uint8_t*)key, sldns_buffer_limit(buf), 1743 sldns_buffer_begin(buf), (uint8_t*)sigblock); 1744 1745 if (!res) 1746 return "ED25519 signature verification failed"; 1747 else 1748 return NULL; 1749 } 1750 #endif 1751 1752 /** 1753 * Check a canonical sig+rrset and signature against a dnskey 1754 * @param buf: buffer with data to verify, the first rrsig part and the 1755 * canonicalized rrset. 1756 * @param algo: DNSKEY algorithm. 1757 * @param sigblock: signature rdata field from RRSIG 1758 * @param sigblock_len: length of sigblock data. 1759 * @param key: public key data from DNSKEY RR. 1760 * @param keylen: length of keydata. 1761 * @param reason: bogus reason in more detail. 1762 * @return secure if verification succeeded, bogus on crypto failure, 1763 * unchecked on format errors and alloc failures. 1764 */ 1765 enum sec_status 1766 verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock, 1767 unsigned int sigblock_len, unsigned char* key, unsigned int keylen, 1768 char** reason) 1769 { 1770 unsigned int digest_size = 0; 1771 1772 if (sigblock_len == 0 || keylen == 0) { 1773 *reason = "null signature"; 1774 return sec_status_bogus; 1775 } 1776 1777 switch(algo) { 1778 #if defined(USE_DSA) && defined(USE_SHA1) 1779 case LDNS_DSA: 1780 case LDNS_DSA_NSEC3: 1781 *reason = _verify_nettle_dsa(buf, sigblock, sigblock_len, key, keylen); 1782 if (*reason != NULL) 1783 return sec_status_bogus; 1784 else 1785 return sec_status_secure; 1786 #endif /* USE_DSA */ 1787 1788 #ifdef USE_SHA1 1789 case LDNS_RSASHA1: 1790 case LDNS_RSASHA1_NSEC3: 1791 digest_size = (digest_size ? digest_size : SHA1_DIGEST_SIZE); 1792 #endif 1793 /* double fallthrough annotation to please gcc parser */ 1794 /* fallthrough */ 1795 #ifdef USE_SHA2 1796 /* fallthrough */ 1797 case LDNS_RSASHA256: 1798 digest_size = (digest_size ? digest_size : SHA256_DIGEST_SIZE); 1799 /* fallthrough */ 1800 case LDNS_RSASHA512: 1801 digest_size = (digest_size ? digest_size : SHA512_DIGEST_SIZE); 1802 1803 #endif 1804 *reason = _verify_nettle_rsa(buf, digest_size, (char*)sigblock, 1805 sigblock_len, key, keylen); 1806 if (*reason != NULL) 1807 return sec_status_bogus; 1808 else 1809 return sec_status_secure; 1810 1811 #ifdef USE_ECDSA 1812 case LDNS_ECDSAP256SHA256: 1813 digest_size = (digest_size ? digest_size : SHA256_DIGEST_SIZE); 1814 /* fallthrough */ 1815 case LDNS_ECDSAP384SHA384: 1816 digest_size = (digest_size ? digest_size : SHA384_DIGEST_SIZE); 1817 *reason = _verify_nettle_ecdsa(buf, digest_size, sigblock, 1818 sigblock_len, key, keylen); 1819 if (*reason != NULL) 1820 return sec_status_bogus; 1821 else 1822 return sec_status_secure; 1823 #endif 1824 #ifdef USE_ED25519 1825 case LDNS_ED25519: 1826 *reason = _verify_nettle_ed25519(buf, sigblock, sigblock_len, 1827 key, keylen); 1828 if (*reason != NULL) 1829 return sec_status_bogus; 1830 else 1831 return sec_status_secure; 1832 #endif 1833 case LDNS_RSAMD5: 1834 case LDNS_ECC_GOST: 1835 default: 1836 *reason = "unable to verify signature, unknown algorithm"; 1837 return sec_status_bogus; 1838 } 1839 } 1840 1841 #endif /* HAVE_SSL or HAVE_NSS or HAVE_NETTLE */ 1842