/* * validator/val_secalgo.c - validator security algorithm functions. * * Copyright (c) 2012, NLnet Labs. All rights reserved. * * This software is open source. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * Redistributions of source code must retain the above copyright notice, * this list of conditions and the following disclaimer. * * Redistributions in binary form must reproduce the above copyright notice, * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * * Neither the name of the NLNET LABS nor the names of its contributors may * be used to endorse or promote products derived from this software without * specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ /** * \file * * This file contains helper functions for the validator module. * These functions take raw data buffers, formatted for crypto verification, * and do the library calls (for the crypto library in use). */ #include "config.h" /* packed_rrset on top to define enum types (forced by c99 standard) */ #include "util/data/packed_rrset.h" #include "validator/val_secalgo.h" #include "validator/val_nsec3.h" #include "util/log.h" #include "sldns/rrdef.h" #include "sldns/keyraw.h" #include "sldns/sbuffer.h" #if !defined(HAVE_SSL) && !defined(HAVE_NSS) && !defined(HAVE_NETTLE) #error "Need crypto library to do digital signature cryptography" #endif /* OpenSSL implementation */ #ifdef HAVE_SSL #ifdef HAVE_OPENSSL_ERR_H #include #endif #ifdef HAVE_OPENSSL_RAND_H #include #endif #ifdef HAVE_OPENSSL_CONF_H #include #endif #ifdef HAVE_OPENSSL_ENGINE_H #include #endif /* return size of digest if supported, or 0 otherwise */ size_t nsec3_hash_algo_size_supported(int id) { switch(id) { case NSEC3_HASH_SHA1: return SHA_DIGEST_LENGTH; default: return 0; } } /* perform nsec3 hash. return false on failure */ int secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len, unsigned char* res) { switch(algo) { case NSEC3_HASH_SHA1: (void)SHA1(buf, len, res); return 1; default: return 0; } } /** * Return size of DS digest according to its hash algorithm. * @param algo: DS digest algo. * @return size in bytes of digest, or 0 if not supported. */ size_t ds_digest_size_supported(int algo) { switch(algo) { #ifdef HAVE_EVP_SHA1 case LDNS_SHA1: return SHA_DIGEST_LENGTH; #endif #ifdef HAVE_EVP_SHA256 case LDNS_SHA256: return SHA256_DIGEST_LENGTH; #endif #ifdef USE_GOST case LDNS_HASH_GOST: /* we support GOST if it can be loaded */ (void)sldns_key_EVP_load_gost_id(); if(EVP_get_digestbyname("md_gost94")) return 32; else return 0; #endif #ifdef USE_ECDSA case LDNS_SHA384: return SHA384_DIGEST_LENGTH; #endif default: break; } return 0; } #ifdef USE_GOST /** Perform GOST hash */ static int do_gost94(unsigned char* data, size_t len, unsigned char* dest) { const EVP_MD* md = EVP_get_digestbyname("md_gost94"); if(!md) return 0; return sldns_digest_evp(data, (unsigned int)len, dest, md); } #endif int secalgo_ds_digest(int algo, unsigned char* buf, size_t len, unsigned char* res) { switch(algo) { #ifdef HAVE_EVP_SHA1 case LDNS_SHA1: (void)SHA1(buf, len, res); return 1; #endif #ifdef HAVE_EVP_SHA256 case LDNS_SHA256: (void)SHA256(buf, len, res); return 1; #endif #ifdef USE_GOST case LDNS_HASH_GOST: if(do_gost94(buf, len, res)) return 1; break; #endif #ifdef USE_ECDSA case LDNS_SHA384: (void)SHA384(buf, len, res); return 1; #endif default: verbose(VERB_QUERY, "unknown DS digest algorithm %d", algo); break; } return 0; } /** return true if DNSKEY algorithm id is supported */ int dnskey_algo_id_is_supported(int id) { switch(id) { case LDNS_RSAMD5: /* RFC 6725 deprecates RSAMD5 */ return 0; case LDNS_DSA: case LDNS_DSA_NSEC3: case LDNS_RSASHA1: case LDNS_RSASHA1_NSEC3: #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2) case LDNS_RSASHA256: #endif #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2) case LDNS_RSASHA512: #endif #ifdef USE_ECDSA case LDNS_ECDSAP256SHA256: case LDNS_ECDSAP384SHA384: #endif return 1; #ifdef USE_GOST case LDNS_ECC_GOST: /* we support GOST if it can be loaded */ return sldns_key_EVP_load_gost_id(); #endif default: return 0; } } /** * Output a libcrypto openssl error to the logfile. * @param str: string to add to it. * @param e: the error to output, error number from ERR_get_error(). */ static void log_crypto_error(const char* str, unsigned long e) { char buf[128]; /* or use ERR_error_string if ERR_error_string_n is not avail TODO */ ERR_error_string_n(e, buf, sizeof(buf)); /* buf now contains */ /* error:[error code]:[library name]:[function name]:[reason string] */ log_err("%s crypto %s", str, buf); } /** * Setup DSA key digest in DER encoding ... * @param sig: input is signature output alloced ptr (unless failure). * caller must free alloced ptr if this routine returns true. * @param len: input is initial siglen, output is output len. * @return false on failure. */ static int setup_dsa_sig(unsigned char** sig, unsigned int* len) { unsigned char* orig = *sig; unsigned int origlen = *len; int newlen; BIGNUM *R, *S; DSA_SIG *dsasig; /* extract the R and S field from the sig buffer */ if(origlen < 1 + 2*SHA_DIGEST_LENGTH) return 0; R = BN_new(); if(!R) return 0; (void) BN_bin2bn(orig + 1, SHA_DIGEST_LENGTH, R); S = BN_new(); if(!S) return 0; (void) BN_bin2bn(orig + 21, SHA_DIGEST_LENGTH, S); dsasig = DSA_SIG_new(); if(!dsasig) return 0; dsasig->r = R; dsasig->s = S; *sig = NULL; newlen = i2d_DSA_SIG(dsasig, sig); if(newlen < 0) { DSA_SIG_free(dsasig); free(*sig); return 0; } *len = (unsigned int)newlen; DSA_SIG_free(dsasig); return 1; } #ifdef USE_ECDSA /** * Setup the ECDSA signature in its encoding that the library wants. * Converts from plain numbers to ASN formatted. * @param sig: input is signature, output alloced ptr (unless failure). * caller must free alloced ptr if this routine returns true. * @param len: input is initial siglen, output is output len. * @return false on failure. */ static int setup_ecdsa_sig(unsigned char** sig, unsigned int* len) { ECDSA_SIG* ecdsa_sig; int newlen; int bnsize = (int)((*len)/2); /* if too short or not even length, fails */ if(*len < 16 || bnsize*2 != (int)*len) return 0; /* use the raw data to parse two evenly long BIGNUMs, "r | s". */ ecdsa_sig = ECDSA_SIG_new(); if(!ecdsa_sig) return 0; ecdsa_sig->r = BN_bin2bn(*sig, bnsize, ecdsa_sig->r); ecdsa_sig->s = BN_bin2bn(*sig+bnsize, bnsize, ecdsa_sig->s); if(!ecdsa_sig->r || !ecdsa_sig->s) { ECDSA_SIG_free(ecdsa_sig); return 0; } /* spool it into ASN format */ *sig = NULL; newlen = i2d_ECDSA_SIG(ecdsa_sig, sig); if(newlen <= 0) { ECDSA_SIG_free(ecdsa_sig); free(*sig); return 0; } *len = (unsigned int)newlen; ECDSA_SIG_free(ecdsa_sig); return 1; } #endif /* USE_ECDSA */ /** * Setup key and digest for verification. Adjust sig if necessary. * * @param algo: key algorithm * @param evp_key: EVP PKEY public key to create. * @param digest_type: digest type to use * @param key: key to setup for. * @param keylen: length of key. * @return false on failure. */ static int setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type, unsigned char* key, size_t keylen) { DSA* dsa; RSA* rsa; switch(algo) { case LDNS_DSA: case LDNS_DSA_NSEC3: *evp_key = EVP_PKEY_new(); if(!*evp_key) { log_err("verify: malloc failure in crypto"); return 0; } dsa = sldns_key_buf2dsa_raw(key, keylen); if(!dsa) { verbose(VERB_QUERY, "verify: " "sldns_key_buf2dsa_raw failed"); return 0; } if(EVP_PKEY_assign_DSA(*evp_key, dsa) == 0) { verbose(VERB_QUERY, "verify: " "EVP_PKEY_assign_DSA failed"); return 0; } *digest_type = EVP_dss1(); break; case LDNS_RSASHA1: case LDNS_RSASHA1_NSEC3: #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2) case LDNS_RSASHA256: #endif #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2) case LDNS_RSASHA512: #endif *evp_key = EVP_PKEY_new(); if(!*evp_key) { log_err("verify: malloc failure in crypto"); return 0; } rsa = sldns_key_buf2rsa_raw(key, keylen); if(!rsa) { verbose(VERB_QUERY, "verify: " "sldns_key_buf2rsa_raw SHA failed"); return 0; } if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) { verbose(VERB_QUERY, "verify: " "EVP_PKEY_assign_RSA SHA failed"); return 0; } /* select SHA version */ #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2) if(algo == LDNS_RSASHA256) *digest_type = EVP_sha256(); else #endif #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2) if(algo == LDNS_RSASHA512) *digest_type = EVP_sha512(); else #endif *digest_type = EVP_sha1(); break; case LDNS_RSAMD5: *evp_key = EVP_PKEY_new(); if(!*evp_key) { log_err("verify: malloc failure in crypto"); return 0; } rsa = sldns_key_buf2rsa_raw(key, keylen); if(!rsa) { verbose(VERB_QUERY, "verify: " "sldns_key_buf2rsa_raw MD5 failed"); return 0; } if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) { verbose(VERB_QUERY, "verify: " "EVP_PKEY_assign_RSA MD5 failed"); return 0; } *digest_type = EVP_md5(); break; #ifdef USE_GOST case LDNS_ECC_GOST: *evp_key = sldns_gost2pkey_raw(key, keylen); if(!*evp_key) { verbose(VERB_QUERY, "verify: " "sldns_gost2pkey_raw failed"); return 0; } *digest_type = EVP_get_digestbyname("md_gost94"); if(!*digest_type) { verbose(VERB_QUERY, "verify: " "EVP_getdigest md_gost94 failed"); return 0; } break; #endif #ifdef USE_ECDSA case LDNS_ECDSAP256SHA256: *evp_key = sldns_ecdsa2pkey_raw(key, keylen, LDNS_ECDSAP256SHA256); if(!*evp_key) { verbose(VERB_QUERY, "verify: " "sldns_ecdsa2pkey_raw failed"); return 0; } #ifdef USE_ECDSA_EVP_WORKAROUND /* openssl before 1.0.0 fixes RSA with the SHA256 * hash in EVP. We create one for ecdsa_sha256 */ { static int md_ecdsa_256_done = 0; static EVP_MD md; if(!md_ecdsa_256_done) { EVP_MD m = *EVP_sha256(); md_ecdsa_256_done = 1; m.required_pkey_type[0] = (*evp_key)->type; m.verify = (void*)ECDSA_verify; md = m; } *digest_type = &md; } #else *digest_type = EVP_sha256(); #endif break; case LDNS_ECDSAP384SHA384: *evp_key = sldns_ecdsa2pkey_raw(key, keylen, LDNS_ECDSAP384SHA384); if(!*evp_key) { verbose(VERB_QUERY, "verify: " "sldns_ecdsa2pkey_raw failed"); return 0; } #ifdef USE_ECDSA_EVP_WORKAROUND /* openssl before 1.0.0 fixes RSA with the SHA384 * hash in EVP. We create one for ecdsa_sha384 */ { static int md_ecdsa_384_done = 0; static EVP_MD md; if(!md_ecdsa_384_done) { EVP_MD m = *EVP_sha384(); md_ecdsa_384_done = 1; m.required_pkey_type[0] = (*evp_key)->type; m.verify = (void*)ECDSA_verify; md = m; } *digest_type = &md; } #else *digest_type = EVP_sha384(); #endif break; #endif /* USE_ECDSA */ default: verbose(VERB_QUERY, "verify: unknown algorithm %d", algo); return 0; } return 1; } /** * Check a canonical sig+rrset and signature against a dnskey * @param buf: buffer with data to verify, the first rrsig part and the * canonicalized rrset. * @param algo: DNSKEY algorithm. * @param sigblock: signature rdata field from RRSIG * @param sigblock_len: length of sigblock data. * @param key: public key data from DNSKEY RR. * @param keylen: length of keydata. * @param reason: bogus reason in more detail. * @return secure if verification succeeded, bogus on crypto failure, * unchecked on format errors and alloc failures. */ enum sec_status verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock, unsigned int sigblock_len, unsigned char* key, unsigned int keylen, char** reason) { const EVP_MD *digest_type; EVP_MD_CTX ctx; int res, dofree = 0; EVP_PKEY *evp_key = NULL; if(!setup_key_digest(algo, &evp_key, &digest_type, key, keylen)) { verbose(VERB_QUERY, "verify: failed to setup key"); *reason = "use of key for crypto failed"; EVP_PKEY_free(evp_key); return sec_status_bogus; } /* if it is a DSA signature in bind format, convert to DER format */ if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) && sigblock_len == 1+2*SHA_DIGEST_LENGTH) { if(!setup_dsa_sig(&sigblock, &sigblock_len)) { verbose(VERB_QUERY, "verify: failed to setup DSA sig"); *reason = "use of key for DSA crypto failed"; EVP_PKEY_free(evp_key); return sec_status_bogus; } dofree = 1; } #ifdef USE_ECDSA else if(algo == LDNS_ECDSAP256SHA256 || algo == LDNS_ECDSAP384SHA384) { /* EVP uses ASN prefix on sig, which is not in the wire data */ if(!setup_ecdsa_sig(&sigblock, &sigblock_len)) { verbose(VERB_QUERY, "verify: failed to setup ECDSA sig"); *reason = "use of signature for ECDSA crypto failed"; EVP_PKEY_free(evp_key); return sec_status_bogus; } dofree = 1; } #endif /* USE_ECDSA */ /* do the signature cryptography work */ EVP_MD_CTX_init(&ctx); if(EVP_VerifyInit(&ctx, digest_type) == 0) { verbose(VERB_QUERY, "verify: EVP_VerifyInit failed"); EVP_PKEY_free(evp_key); if(dofree) free(sigblock); return sec_status_unchecked; } if(EVP_VerifyUpdate(&ctx, (unsigned char*)sldns_buffer_begin(buf), (unsigned int)sldns_buffer_limit(buf)) == 0) { verbose(VERB_QUERY, "verify: EVP_VerifyUpdate failed"); EVP_PKEY_free(evp_key); if(dofree) free(sigblock); return sec_status_unchecked; } res = EVP_VerifyFinal(&ctx, sigblock, sigblock_len, evp_key); if(EVP_MD_CTX_cleanup(&ctx) == 0) { verbose(VERB_QUERY, "verify: EVP_MD_CTX_cleanup failed"); EVP_PKEY_free(evp_key); if(dofree) free(sigblock); return sec_status_unchecked; } EVP_PKEY_free(evp_key); if(dofree) free(sigblock); if(res == 1) { return sec_status_secure; } else if(res == 0) { verbose(VERB_QUERY, "verify: signature mismatch"); *reason = "signature crypto failed"; return sec_status_bogus; } log_crypto_error("verify:", ERR_get_error()); return sec_status_unchecked; } /**************************************************/ #elif defined(HAVE_NSS) /* libnss implementation */ /* nss3 */ #include "sechash.h" #include "pk11pub.h" #include "keyhi.h" #include "secerr.h" #include "cryptohi.h" /* nspr4 */ #include "prerror.h" /* return size of digest if supported, or 0 otherwise */ size_t nsec3_hash_algo_size_supported(int id) { switch(id) { case NSEC3_HASH_SHA1: return SHA1_LENGTH; default: return 0; } } /* perform nsec3 hash. return false on failure */ int secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len, unsigned char* res) { switch(algo) { case NSEC3_HASH_SHA1: (void)HASH_HashBuf(HASH_AlgSHA1, res, buf, (unsigned long)len); return 1; default: return 0; } } size_t ds_digest_size_supported(int algo) { /* uses libNSS */ switch(algo) { case LDNS_SHA1: return SHA1_LENGTH; #ifdef USE_SHA2 case LDNS_SHA256: return SHA256_LENGTH; #endif #ifdef USE_ECDSA case LDNS_SHA384: return SHA384_LENGTH; #endif /* GOST not supported in NSS */ case LDNS_HASH_GOST: default: break; } return 0; } int secalgo_ds_digest(int algo, unsigned char* buf, size_t len, unsigned char* res) { /* uses libNSS */ switch(algo) { case LDNS_SHA1: return HASH_HashBuf(HASH_AlgSHA1, res, buf, len) == SECSuccess; #if defined(USE_SHA2) case LDNS_SHA256: return HASH_HashBuf(HASH_AlgSHA256, res, buf, len) == SECSuccess; #endif #ifdef USE_ECDSA case LDNS_SHA384: return HASH_HashBuf(HASH_AlgSHA384, res, buf, len) == SECSuccess; #endif case LDNS_HASH_GOST: default: verbose(VERB_QUERY, "unknown DS digest algorithm %d", algo); break; } return 0; } int dnskey_algo_id_is_supported(int id) { /* uses libNSS */ switch(id) { case LDNS_RSAMD5: /* RFC 6725 deprecates RSAMD5 */ return 0; case LDNS_DSA: case LDNS_DSA_NSEC3: case LDNS_RSASHA1: case LDNS_RSASHA1_NSEC3: #ifdef USE_SHA2 case LDNS_RSASHA256: #endif #ifdef USE_SHA2 case LDNS_RSASHA512: #endif return 1; #ifdef USE_ECDSA case LDNS_ECDSAP256SHA256: case LDNS_ECDSAP384SHA384: return PK11_TokenExists(CKM_ECDSA); #endif case LDNS_ECC_GOST: default: return 0; } } /* return a new public key for NSS */ static SECKEYPublicKey* nss_key_create(KeyType ktype) { SECKEYPublicKey* key; PLArenaPool* arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if(!arena) { log_err("out of memory, PORT_NewArena failed"); return NULL; } key = PORT_ArenaZNew(arena, SECKEYPublicKey); if(!key) { log_err("out of memory, PORT_ArenaZNew failed"); PORT_FreeArena(arena, PR_FALSE); return NULL; } key->arena = arena; key->keyType = ktype; key->pkcs11Slot = NULL; key->pkcs11ID = CK_INVALID_HANDLE; return key; } static SECKEYPublicKey* nss_buf2ecdsa(unsigned char* key, size_t len, int algo) { SECKEYPublicKey* pk; SECItem pub = {siBuffer, NULL, 0}; SECItem params = {siBuffer, NULL, 0}; static unsigned char param256[] = { /* OBJECTIDENTIFIER 1.2.840.10045.3.1.7 (P-256) * {iso(1) member-body(2) us(840) ansi-x962(10045) curves(3) prime(1) prime256v1(7)} */ 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07 }; static unsigned char param384[] = { /* OBJECTIDENTIFIER 1.3.132.0.34 (P-384) * {iso(1) identified-organization(3) certicom(132) curve(0) ansip384r1(34)} */ 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22 }; unsigned char buf[256+2]; /* sufficient for 2*384/8+1 */ /* check length, which uncompressed must be 2 bignums */ if(algo == LDNS_ECDSAP256SHA256) { if(len != 2*256/8) return NULL; /* ECCurve_X9_62_PRIME_256V1 */ } else if(algo == LDNS_ECDSAP384SHA384) { if(len != 2*384/8) return NULL; /* ECCurve_X9_62_PRIME_384R1 */ } else return NULL; buf[0] = 0x04; /* POINT_FORM_UNCOMPRESSED */ memmove(buf+1, key, len); pub.data = buf; pub.len = len+1; if(algo == LDNS_ECDSAP256SHA256) { params.data = param256; params.len = sizeof(param256); } else { params.data = param384; params.len = sizeof(param384); } pk = nss_key_create(ecKey); if(!pk) return NULL; pk->u.ec.size = (len/2)*8; if(SECITEM_CopyItem(pk->arena, &pk->u.ec.publicValue, &pub)) { SECKEY_DestroyPublicKey(pk); return NULL; } if(SECITEM_CopyItem(pk->arena, &pk->u.ec.DEREncodedParams, ¶ms)) { SECKEY_DestroyPublicKey(pk); return NULL; } return pk; } static SECKEYPublicKey* nss_buf2dsa(unsigned char* key, size_t len) { SECKEYPublicKey* pk; uint8_t T; uint16_t length; uint16_t offset; SECItem Q = {siBuffer, NULL, 0}; SECItem P = {siBuffer, NULL, 0}; SECItem G = {siBuffer, NULL, 0}; SECItem Y = {siBuffer, NULL, 0}; if(len == 0) return NULL; T = (uint8_t)key[0]; length = (64 + T * 8); offset = 1; if (T > 8) { return NULL; } if(len < (size_t)1 + SHA1_LENGTH + 3*length) return NULL; Q.data = key+offset; Q.len = SHA1_LENGTH; offset += SHA1_LENGTH; P.data = key+offset; P.len = length; offset += length; G.data = key+offset; G.len = length; offset += length; Y.data = key+offset; Y.len = length; offset += length; pk = nss_key_create(dsaKey); if(!pk) return NULL; if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.prime, &P)) { SECKEY_DestroyPublicKey(pk); return NULL; } if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.subPrime, &Q)) { SECKEY_DestroyPublicKey(pk); return NULL; } if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.base, &G)) { SECKEY_DestroyPublicKey(pk); return NULL; } if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.publicValue, &Y)) { SECKEY_DestroyPublicKey(pk); return NULL; } return pk; } static SECKEYPublicKey* nss_buf2rsa(unsigned char* key, size_t len) { SECKEYPublicKey* pk; uint16_t exp; uint16_t offset; uint16_t int16; SECItem modulus = {siBuffer, NULL, 0}; SECItem exponent = {siBuffer, NULL, 0}; if(len == 0) return NULL; if(key[0] == 0) { if(len < 3) return NULL; /* the exponent is too large so it's places further */ memmove(&int16, key+1, 2); exp = ntohs(int16); offset = 3; } else { exp = key[0]; offset = 1; } /* key length at least one */ if(len < (size_t)offset + exp + 1) return NULL; exponent.data = key+offset; exponent.len = exp; offset += exp; modulus.data = key+offset; modulus.len = (len - offset); pk = nss_key_create(rsaKey); if(!pk) return NULL; if(SECITEM_CopyItem(pk->arena, &pk->u.rsa.modulus, &modulus)) { SECKEY_DestroyPublicKey(pk); return NULL; } if(SECITEM_CopyItem(pk->arena, &pk->u.rsa.publicExponent, &exponent)) { SECKEY_DestroyPublicKey(pk); return NULL; } return pk; } /** * Setup key and digest for verification. Adjust sig if necessary. * * @param algo: key algorithm * @param evp_key: EVP PKEY public key to create. * @param digest_type: digest type to use * @param key: key to setup for. * @param keylen: length of key. * @param prefix: if returned, the ASN prefix for the hashblob. * @param prefixlen: length of the prefix. * @return false on failure. */ static int nss_setup_key_digest(int algo, SECKEYPublicKey** pubkey, HASH_HashType* htype, unsigned char* key, size_t keylen, unsigned char** prefix, size_t* prefixlen) { /* uses libNSS */ /* hash prefix for md5, RFC2537 */ static unsigned char p_md5[] = {0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 0x04, 0x10}; /* hash prefix to prepend to hash output, from RFC3110 */ static unsigned char p_sha1[] = {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B, 0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14}; /* from RFC5702 */ static unsigned char p_sha256[] = {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20}; static unsigned char p_sha512[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40}; /* from RFC6234 */ /* for future RSASHA384 .. static unsigned char p_sha384[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30}; */ switch(algo) { case LDNS_DSA: case LDNS_DSA_NSEC3: *pubkey = nss_buf2dsa(key, keylen); if(!*pubkey) { log_err("verify: malloc failure in crypto"); return 0; } *htype = HASH_AlgSHA1; /* no prefix for DSA verification */ break; case LDNS_RSASHA1: case LDNS_RSASHA1_NSEC3: #ifdef USE_SHA2 case LDNS_RSASHA256: #endif #ifdef USE_SHA2 case LDNS_RSASHA512: #endif *pubkey = nss_buf2rsa(key, keylen); if(!*pubkey) { log_err("verify: malloc failure in crypto"); return 0; } /* select SHA version */ #ifdef USE_SHA2 if(algo == LDNS_RSASHA256) { *htype = HASH_AlgSHA256; *prefix = p_sha256; *prefixlen = sizeof(p_sha256); } else #endif #ifdef USE_SHA2 if(algo == LDNS_RSASHA512) { *htype = HASH_AlgSHA512; *prefix = p_sha512; *prefixlen = sizeof(p_sha512); } else #endif { *htype = HASH_AlgSHA1; *prefix = p_sha1; *prefixlen = sizeof(p_sha1); } break; case LDNS_RSAMD5: *pubkey = nss_buf2rsa(key, keylen); if(!*pubkey) { log_err("verify: malloc failure in crypto"); return 0; } *htype = HASH_AlgMD5; *prefix = p_md5; *prefixlen = sizeof(p_md5); break; #ifdef USE_ECDSA case LDNS_ECDSAP256SHA256: *pubkey = nss_buf2ecdsa(key, keylen, LDNS_ECDSAP256SHA256); if(!*pubkey) { log_err("verify: malloc failure in crypto"); return 0; } *htype = HASH_AlgSHA256; /* no prefix for DSA verification */ break; case LDNS_ECDSAP384SHA384: *pubkey = nss_buf2ecdsa(key, keylen, LDNS_ECDSAP384SHA384); if(!*pubkey) { log_err("verify: malloc failure in crypto"); return 0; } *htype = HASH_AlgSHA384; /* no prefix for DSA verification */ break; #endif /* USE_ECDSA */ case LDNS_ECC_GOST: default: verbose(VERB_QUERY, "verify: unknown algorithm %d", algo); return 0; } return 1; } /** * Check a canonical sig+rrset and signature against a dnskey * @param buf: buffer with data to verify, the first rrsig part and the * canonicalized rrset. * @param algo: DNSKEY algorithm. * @param sigblock: signature rdata field from RRSIG * @param sigblock_len: length of sigblock data. * @param key: public key data from DNSKEY RR. * @param keylen: length of keydata. * @param reason: bogus reason in more detail. * @return secure if verification succeeded, bogus on crypto failure, * unchecked on format errors and alloc failures. */ enum sec_status verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock, unsigned int sigblock_len, unsigned char* key, unsigned int keylen, char** reason) { /* uses libNSS */ /* large enough for the different hashes */ unsigned char hash[HASH_LENGTH_MAX]; unsigned char hash2[HASH_LENGTH_MAX*2]; HASH_HashType htype = 0; SECKEYPublicKey* pubkey = NULL; SECItem secsig = {siBuffer, sigblock, sigblock_len}; SECItem sechash = {siBuffer, hash, 0}; SECStatus res; unsigned char* prefix = NULL; /* prefix for hash, RFC3110, RFC5702 */ size_t prefixlen = 0; int err; if(!nss_setup_key_digest(algo, &pubkey, &htype, key, keylen, &prefix, &prefixlen)) { verbose(VERB_QUERY, "verify: failed to setup key"); *reason = "use of key for crypto failed"; SECKEY_DestroyPublicKey(pubkey); return sec_status_bogus; } /* need to convert DSA, ECDSA signatures? */ if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3)) { if(sigblock_len == 1+2*SHA1_LENGTH) { secsig.data ++; secsig.len --; } else { SECItem* p = DSAU_DecodeDerSig(&secsig); if(!p) { verbose(VERB_QUERY, "verify: failed DER decode"); *reason = "signature DER decode failed"; SECKEY_DestroyPublicKey(pubkey); return sec_status_bogus; } if(SECITEM_CopyItem(pubkey->arena, &secsig, p)) { log_err("alloc failure in DER decode"); SECKEY_DestroyPublicKey(pubkey); SECITEM_FreeItem(p, PR_TRUE); return sec_status_unchecked; } SECITEM_FreeItem(p, PR_TRUE); } } /* do the signature cryptography work */ /* hash the data */ sechash.len = HASH_ResultLen(htype); if(sechash.len > sizeof(hash)) { verbose(VERB_QUERY, "verify: hash too large for buffer"); SECKEY_DestroyPublicKey(pubkey); return sec_status_unchecked; } if(HASH_HashBuf(htype, hash, (unsigned char*)sldns_buffer_begin(buf), (unsigned int)sldns_buffer_limit(buf)) != SECSuccess) { verbose(VERB_QUERY, "verify: HASH_HashBuf failed"); SECKEY_DestroyPublicKey(pubkey); return sec_status_unchecked; } if(prefix) { int hashlen = sechash.len; if(prefixlen+hashlen > sizeof(hash2)) { verbose(VERB_QUERY, "verify: hashprefix too large"); SECKEY_DestroyPublicKey(pubkey); return sec_status_unchecked; } sechash.data = hash2; sechash.len = prefixlen+hashlen; memcpy(sechash.data, prefix, prefixlen); memmove(sechash.data+prefixlen, hash, hashlen); } /* verify the signature */ res = PK11_Verify(pubkey, &secsig, &sechash, NULL /*wincx*/); SECKEY_DestroyPublicKey(pubkey); if(res == SECSuccess) { return sec_status_secure; } err = PORT_GetError(); if(err != SEC_ERROR_BAD_SIGNATURE) { /* failed to verify */ verbose(VERB_QUERY, "verify: PK11_Verify failed: %s", PORT_ErrorToString(err)); /* if it is not supported, like ECC is removed, we get, * SEC_ERROR_NO_MODULE */ if(err == SEC_ERROR_NO_MODULE) return sec_status_unchecked; /* but other errors are commonly returned * for a bad signature from NSS. Thus we return bogus, * not unchecked */ *reason = "signature crypto failed"; return sec_status_bogus; } verbose(VERB_QUERY, "verify: signature mismatch: %s", PORT_ErrorToString(err)); *reason = "signature crypto failed"; return sec_status_bogus; } #elif defined(HAVE_NETTLE) #include "sha.h" #include "bignum.h" #include "macros.h" #include "rsa.h" #include "dsa.h" #include "asn1.h" #ifdef USE_ECDSA #include "ecdsa.h" #include "ecc-curve.h" #endif static int _digest_nettle(int algo, uint8_t* buf, size_t len, unsigned char* res) { switch(algo) { case SHA1_DIGEST_SIZE: { struct sha1_ctx ctx; sha1_init(&ctx); sha1_update(&ctx, len, buf); sha1_digest(&ctx, SHA1_DIGEST_SIZE, res); return 1; } case SHA256_DIGEST_SIZE: { struct sha256_ctx ctx; sha256_init(&ctx); sha256_update(&ctx, len, buf); sha256_digest(&ctx, SHA256_DIGEST_SIZE, res); return 1; } case SHA384_DIGEST_SIZE: { struct sha384_ctx ctx; sha384_init(&ctx); sha384_update(&ctx, len, buf); sha384_digest(&ctx, SHA384_DIGEST_SIZE, res); return 1; } case SHA512_DIGEST_SIZE: { struct sha512_ctx ctx; sha512_init(&ctx); sha512_update(&ctx, len, buf); sha512_digest(&ctx, SHA512_DIGEST_SIZE, res); return 1; } default: break; } return 0; } /* return size of digest if supported, or 0 otherwise */ size_t nsec3_hash_algo_size_supported(int id) { switch(id) { case NSEC3_HASH_SHA1: return SHA1_DIGEST_SIZE; default: return 0; } } /* perform nsec3 hash. return false on failure */ int secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len, unsigned char* res) { switch(algo) { case NSEC3_HASH_SHA1: return _digest_nettle(SHA1_DIGEST_SIZE, (uint8_t*)buf, len, res); default: return 0; } } /** * Return size of DS digest according to its hash algorithm. * @param algo: DS digest algo. * @return size in bytes of digest, or 0 if not supported. */ size_t ds_digest_size_supported(int algo) { switch(algo) { case LDNS_SHA1: return SHA1_DIGEST_SIZE; #ifdef USE_SHA2 case LDNS_SHA256: return SHA256_DIGEST_SIZE; #endif #ifdef USE_ECDSA case LDNS_SHA384: return SHA384_DIGEST_SIZE; #endif /* GOST not supported */ case LDNS_HASH_GOST: default: break; } return 0; } int secalgo_ds_digest(int algo, unsigned char* buf, size_t len, unsigned char* res) { switch(algo) { case LDNS_SHA1: return _digest_nettle(SHA1_DIGEST_SIZE, buf, len, res); #if defined(USE_SHA2) case LDNS_SHA256: return _digest_nettle(SHA256_DIGEST_SIZE, buf, len, res); #endif #ifdef USE_ECDSA case LDNS_SHA384: return _digest_nettle(SHA384_DIGEST_SIZE, buf, len, res); #endif case LDNS_HASH_GOST: default: verbose(VERB_QUERY, "unknown DS digest algorithm %d", algo); break; } return 0; } int dnskey_algo_id_is_supported(int id) { /* uses libnettle */ switch(id) { case LDNS_DSA: case LDNS_DSA_NSEC3: case LDNS_RSASHA1: case LDNS_RSASHA1_NSEC3: #ifdef USE_SHA2 case LDNS_RSASHA256: case LDNS_RSASHA512: #endif #ifdef USE_ECDSA case LDNS_ECDSAP256SHA256: case LDNS_ECDSAP384SHA384: #endif return 1; case LDNS_RSAMD5: /* RFC 6725 deprecates RSAMD5 */ case LDNS_ECC_GOST: default: return 0; } } static char * _verify_nettle_dsa(sldns_buffer* buf, unsigned char* sigblock, unsigned int sigblock_len, unsigned char* key, unsigned int keylen) { uint8_t digest[SHA1_DIGEST_SIZE]; uint8_t key_t; int res = 0; size_t offset; struct dsa_public_key pubkey; struct dsa_signature signature; unsigned int expected_len; /* Extract DSA signature from the record */ nettle_dsa_signature_init(&signature); /* Signature length: 41 bytes - RFC 2536 sec. 3 */ if(sigblock_len == 41) { if(key[0] != sigblock[0]) return "invalid T value in DSA signature or pubkey"; nettle_mpz_set_str_256_u(signature.r, 20, sigblock+1); nettle_mpz_set_str_256_u(signature.s, 20, sigblock+1+20); } else { /* DER encoded, decode the ASN1 notated R and S bignums */ /* SEQUENCE { r INTEGER, s INTEGER } */ struct asn1_der_iterator i, seq; if(asn1_der_iterator_first(&i, sigblock_len, (uint8_t*)sigblock) != ASN1_ITERATOR_CONSTRUCTED || i.type != ASN1_SEQUENCE) return "malformed DER encoded DSA signature"; /* decode this element of i using the seq iterator */ if(asn1_der_decode_constructed(&i, &seq) != ASN1_ITERATOR_PRIMITIVE || seq.type != ASN1_INTEGER) return "malformed DER encoded DSA signature"; if(!asn1_der_get_bignum(&seq, signature.r, 20*8)) return "malformed DER encoded DSA signature"; if(asn1_der_iterator_next(&seq) != ASN1_ITERATOR_PRIMITIVE || seq.type != ASN1_INTEGER) return "malformed DER encoded DSA signature"; if(!asn1_der_get_bignum(&seq, signature.s, 20*8)) return "malformed DER encoded DSA signature"; if(asn1_der_iterator_next(&i) != ASN1_ITERATOR_END) return "malformed DER encoded DSA signature"; } /* Validate T values constraints - RFC 2536 sec. 2 & sec. 3 */ key_t = key[0]; if (key_t > 8) { return "invalid T value in DSA pubkey"; } /* Pubkey minimum length: 21 bytes - RFC 2536 sec. 2 */ if (keylen < 21) { return "DSA pubkey too short"; } expected_len = 1 + /* T */ 20 + /* Q */ (64 + key_t*8) + /* P */ (64 + key_t*8) + /* G */ (64 + key_t*8); /* Y */ if (keylen != expected_len ) { return "invalid DSA pubkey length"; } /* Extract DSA pubkey from the record */ nettle_dsa_public_key_init(&pubkey); offset = 1; nettle_mpz_set_str_256_u(pubkey.q, 20, key+offset); offset += 20; nettle_mpz_set_str_256_u(pubkey.p, (64 + key_t*8), key+offset); offset += (64 + key_t*8); nettle_mpz_set_str_256_u(pubkey.g, (64 + key_t*8), key+offset); offset += (64 + key_t*8); nettle_mpz_set_str_256_u(pubkey.y, (64 + key_t*8), key+offset); /* Digest content of "buf" and verify its DSA signature in "sigblock"*/ res = _digest_nettle(SHA1_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); res &= dsa_sha1_verify_digest(&pubkey, digest, &signature); /* Clear and return */ nettle_dsa_signature_clear(&signature); nettle_dsa_public_key_clear(&pubkey); if (!res) return "DSA signature verification failed"; else return NULL; } static char * _verify_nettle_rsa(sldns_buffer* buf, unsigned int digest_size, char* sigblock, unsigned int sigblock_len, uint8_t* key, unsigned int keylen) { uint16_t exp_len = 0; size_t exp_offset = 0, mod_offset = 0; struct rsa_public_key pubkey; mpz_t signature; int res = 0; /* RSA pubkey parsing as per RFC 3110 sec. 2 */ if( keylen <= 1) { return "null RSA key"; } if (key[0] != 0) { /* 1-byte length */ exp_len = key[0]; exp_offset = 1; } else { /* 1-byte NUL + 2-bytes exponent length */ if (keylen < 3) { return "incorrect RSA key length"; } exp_len = READ_UINT16(key+1); if (exp_len == 0) return "null RSA exponent length"; exp_offset = 3; } /* Check that we are not over-running input length */ if (keylen < exp_offset + exp_len + 1) { return "RSA key content shorter than expected"; } mod_offset = exp_offset + exp_len; nettle_rsa_public_key_init(&pubkey); pubkey.size = keylen - mod_offset; nettle_mpz_set_str_256_u(pubkey.e, exp_len, &key[exp_offset]); nettle_mpz_set_str_256_u(pubkey.n, pubkey.size, &key[mod_offset]); /* Digest content of "buf" and verify its RSA signature in "sigblock"*/ nettle_mpz_init_set_str_256_u(signature, sigblock_len, (uint8_t*)sigblock); switch (digest_size) { case SHA1_DIGEST_SIZE: { uint8_t digest[SHA1_DIGEST_SIZE]; res = _digest_nettle(SHA1_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); res &= rsa_sha1_verify_digest(&pubkey, digest, signature); break; } case SHA256_DIGEST_SIZE: { uint8_t digest[SHA256_DIGEST_SIZE]; res = _digest_nettle(SHA256_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); res &= rsa_sha256_verify_digest(&pubkey, digest, signature); break; } case SHA512_DIGEST_SIZE: { uint8_t digest[SHA512_DIGEST_SIZE]; res = _digest_nettle(SHA512_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); res &= rsa_sha512_verify_digest(&pubkey, digest, signature); break; } default: break; } /* Clear and return */ nettle_rsa_public_key_clear(&pubkey); mpz_clear(signature); if (!res) { return "RSA signature verification failed"; } else { return NULL; } } #ifdef USE_ECDSA static char * _verify_nettle_ecdsa(sldns_buffer* buf, unsigned int digest_size, unsigned char* sigblock, unsigned int sigblock_len, unsigned char* key, unsigned int keylen) { int res = 0; struct ecc_point pubkey; struct dsa_signature signature; /* Always matched strength, as per RFC 6605 sec. 1 */ if (sigblock_len != 2*digest_size || keylen != 2*digest_size) { return "wrong ECDSA signature length"; } /* Parse ECDSA signature as per RFC 6605 sec. 4 */ nettle_dsa_signature_init(&signature); switch (digest_size) { case SHA256_DIGEST_SIZE: { uint8_t digest[SHA256_DIGEST_SIZE]; mpz_t x, y; nettle_ecc_point_init(&pubkey, &nettle_secp_256r1); nettle_mpz_init_set_str_256_u(x, SHA256_DIGEST_SIZE, key); nettle_mpz_init_set_str_256_u(y, SHA256_DIGEST_SIZE, key+SHA256_DIGEST_SIZE); nettle_mpz_set_str_256_u(signature.r, SHA256_DIGEST_SIZE, sigblock); nettle_mpz_set_str_256_u(signature.s, SHA256_DIGEST_SIZE, sigblock+SHA256_DIGEST_SIZE); res = _digest_nettle(SHA256_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); res &= nettle_ecc_point_set(&pubkey, x, y); res &= nettle_ecdsa_verify (&pubkey, SHA256_DIGEST_SIZE, digest, &signature); mpz_clear(x); mpz_clear(y); break; } case SHA384_DIGEST_SIZE: { uint8_t digest[SHA384_DIGEST_SIZE]; mpz_t x, y; nettle_ecc_point_init(&pubkey, &nettle_secp_384r1); nettle_mpz_init_set_str_256_u(x, SHA384_DIGEST_SIZE, key); nettle_mpz_init_set_str_256_u(y, SHA384_DIGEST_SIZE, key+SHA384_DIGEST_SIZE); nettle_mpz_set_str_256_u(signature.r, SHA384_DIGEST_SIZE, sigblock); nettle_mpz_set_str_256_u(signature.s, SHA384_DIGEST_SIZE, sigblock+SHA384_DIGEST_SIZE); res = _digest_nettle(SHA384_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf), (unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest); res &= nettle_ecc_point_set(&pubkey, x, y); res &= nettle_ecdsa_verify (&pubkey, SHA384_DIGEST_SIZE, digest, &signature); mpz_clear(x); mpz_clear(y); nettle_ecc_point_clear(&pubkey); break; } default: return "unknown ECDSA algorithm"; } /* Clear and return */ nettle_dsa_signature_clear(&signature); if (!res) return "ECDSA signature verification failed"; else return NULL; } #endif /** * Check a canonical sig+rrset and signature against a dnskey * @param buf: buffer with data to verify, the first rrsig part and the * canonicalized rrset. * @param algo: DNSKEY algorithm. * @param sigblock: signature rdata field from RRSIG * @param sigblock_len: length of sigblock data. * @param key: public key data from DNSKEY RR. * @param keylen: length of keydata. * @param reason: bogus reason in more detail. * @return secure if verification succeeded, bogus on crypto failure, * unchecked on format errors and alloc failures. */ enum sec_status verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock, unsigned int sigblock_len, unsigned char* key, unsigned int keylen, char** reason) { unsigned int digest_size = 0; if (sigblock_len == 0 || keylen == 0) { *reason = "null signature"; return sec_status_bogus; } switch(algo) { case LDNS_DSA: case LDNS_DSA_NSEC3: *reason = _verify_nettle_dsa(buf, sigblock, sigblock_len, key, keylen); if (*reason != NULL) return sec_status_bogus; else return sec_status_secure; case LDNS_RSASHA1: case LDNS_RSASHA1_NSEC3: digest_size = (digest_size ? digest_size : SHA1_DIGEST_SIZE); #ifdef USE_SHA2 case LDNS_RSASHA256: digest_size = (digest_size ? digest_size : SHA256_DIGEST_SIZE); case LDNS_RSASHA512: digest_size = (digest_size ? digest_size : SHA512_DIGEST_SIZE); #endif *reason = _verify_nettle_rsa(buf, digest_size, (char*)sigblock, sigblock_len, key, keylen); if (*reason != NULL) return sec_status_bogus; else return sec_status_secure; #ifdef USE_ECDSA case LDNS_ECDSAP256SHA256: digest_size = (digest_size ? digest_size : SHA256_DIGEST_SIZE); case LDNS_ECDSAP384SHA384: digest_size = (digest_size ? digest_size : SHA384_DIGEST_SIZE); *reason = _verify_nettle_ecdsa(buf, digest_size, sigblock, sigblock_len, key, keylen); if (*reason != NULL) return sec_status_bogus; else return sec_status_secure; #endif case LDNS_RSAMD5: case LDNS_ECC_GOST: default: *reason = "unable to verify signature, unknown algorithm"; return sec_status_bogus; } } #endif /* HAVE_SSL or HAVE_NSS or HAVE_NETTLE */