]> git.saurik.com Git - apple/network_cmds.git/blob - unbound/validator/val_secalgo.c
projects / apple / network_cmds.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
network_cmds-480.tar.gz
[apple/network_cmds.git] / unbound / validator / val_secalgo.c
1 /*
2 * validator/val_secalgo.c - validator security algorithm functions.
3 *
4 * Copyright (c) 2012, NLnet Labs. All rights reserved.
5 *
6 * This software is open source.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * Redistributions of source code must retain the above copyright notice,
13 * this list of conditions and the following disclaimer.
14 *
15 * Redistributions in binary form must reproduce the above copyright notice,
16 * this list of conditions and the following disclaimer in the documentation
17 * and/or other materials provided with the distribution.
18 *
19 * Neither the name of the NLNET LABS nor the names of its contributors may
20 * be used to endorse or promote products derived from this software without
21 * specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34 */
35
36 /**
37 * \file
38 *
39 * This file contains helper functions for the validator module.
40 * These functions take raw data buffers, formatted for crypto verification,
41 * and do the library calls (for the crypto library in use).
42 */
43 #include "config.h"
44 #include "validator/val_secalgo.h"
45 #include "util/data/packed_rrset.h"
46 #include "util/log.h"
47 #include "ldns/rrdef.h"
48 #include "ldns/keyraw.h"
49 #include "ldns/sbuffer.h"
50
51 #if !defined(HAVE_SSL) && !defined(HAVE_NSS)
52 #error "Need crypto library to do digital signature cryptography"
53 #endif
54
55 /* OpenSSL implementation */
56 #ifdef HAVE_SSL
57 #ifdef HAVE_OPENSSL_ERR_H
58 #include <openssl/err.h>
59 #endif
60
61 #ifdef HAVE_OPENSSL_RAND_H
62 #include <openssl/rand.h>
63 #endif
64
65 #ifdef HAVE_OPENSSL_CONF_H
66 #include <openssl/conf.h>
67 #endif
68
69 #ifdef HAVE_OPENSSL_ENGINE_H
70 #include <openssl/engine.h>
71 #endif
72
73 /**
74 * Return size of DS digest according to its hash algorithm.
75 * @param algo: DS digest algo.
76 * @return size in bytes of digest, or 0 if not supported.
77 */
78 size_t
79 ds_digest_size_supported(int algo)
80 {
81 switch(algo) {
82 #ifdef HAVE_EVP_SHA1
83 case LDNS_SHA1:
84 return SHA_DIGEST_LENGTH;
85 #endif
86 #ifdef HAVE_EVP_SHA256
87 case LDNS_SHA256:
88 return SHA256_DIGEST_LENGTH;
89 #endif
90 #ifdef USE_GOST
91 case LDNS_HASH_GOST:
92 if(EVP_get_digestbyname("md_gost94"))
93 return 32;
94 else return 0;
95 #endif
96 #ifdef USE_ECDSA
97 case LDNS_SHA384:
98 return SHA384_DIGEST_LENGTH;
99 #endif
100 default: break;
101 }
102 return 0;
103 }
104
105 #ifdef USE_GOST
106 /** Perform GOST hash */
107 static int
108 do_gost94(unsigned char* data, size_t len, unsigned char* dest)
109 {
110 const EVP_MD* md = EVP_get_digestbyname("md_gost94");
111 if(!md)
112 return 0;
113 return sldns_digest_evp(data, (unsigned int)len, dest, md);
114 }
115 #endif
116
117 int
118 secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
119 unsigned char* res)
120 {
121 switch(algo) {
122 #ifdef HAVE_EVP_SHA1
123 case LDNS_SHA1:
124 (void)SHA1(buf, len, res);
125 return 1;
126 #endif
127 #ifdef HAVE_EVP_SHA256
128 case LDNS_SHA256:
129 (void)SHA256(buf, len, res);
130 return 1;
131 #endif
132 #ifdef USE_GOST
133 case LDNS_HASH_GOST:
134 if(do_gost94(buf, len, res))
135 return 1;
136 break;
137 #endif
138 #ifdef USE_ECDSA
139 case LDNS_SHA384:
140 (void)SHA384(buf, len, res);
141 return 1;
142 #endif
143 default:
144 verbose(VERB_QUERY, "unknown DS digest algorithm %d",
145 algo);
146 break;
147 }
148 return 0;
149 }
150
151 /** return true if DNSKEY algorithm id is supported */
152 int
153 dnskey_algo_id_is_supported(int id)
154 {
155 switch(id) {
156 case LDNS_RSAMD5:
157 /* RFC 6725 deprecates RSAMD5 */
158 return 0;
159 case LDNS_DSA:
160 case LDNS_DSA_NSEC3:
161 case LDNS_RSASHA1:
162 case LDNS_RSASHA1_NSEC3:
163 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
164 case LDNS_RSASHA256:
165 #endif
166 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
167 case LDNS_RSASHA512:
168 #endif
169 #ifdef USE_ECDSA
170 case LDNS_ECDSAP256SHA256:
171 case LDNS_ECDSAP384SHA384:
172 #endif
173 return 1;
174 #ifdef USE_GOST
175 case LDNS_ECC_GOST:
176 /* we support GOST if it can be loaded */
177 return sldns_key_EVP_load_gost_id();
178 #endif
179 default:
180 return 0;
181 }
182 }
183
184 /**
185 * Output a libcrypto openssl error to the logfile.
186 * @param str: string to add to it.
187 * @param e: the error to output, error number from ERR_get_error().
188 */
189 static void
190 log_crypto_error(const char* str, unsigned long e)
191 {
192 char buf[128];
193 /* or use ERR_error_string if ERR_error_string_n is not avail TODO */
194 ERR_error_string_n(e, buf, sizeof(buf));
195 /* buf now contains */
196 /* error:[error code]:[library name]:[function name]:[reason string] */
197 log_err("%s crypto %s", str, buf);
198 }
199
200 /**
201 * Setup DSA key digest in DER encoding ...
202 * @param sig: input is signature output alloced ptr (unless failure).
203 * caller must free alloced ptr if this routine returns true.
204 * @param len: input is initial siglen, output is output len.
205 * @return false on failure.
206 */
207 static int
208 setup_dsa_sig(unsigned char** sig, unsigned int* len)
209 {
210 unsigned char* orig = *sig;
211 unsigned int origlen = *len;
212 int newlen;
213 BIGNUM *R, *S;
214 DSA_SIG *dsasig;
215
216 /* extract the R and S field from the sig buffer */
217 if(origlen < 1 + 2*SHA_DIGEST_LENGTH)
218 return 0;
219 R = BN_new();
220 if(!R) return 0;
221 (void) BN_bin2bn(orig + 1, SHA_DIGEST_LENGTH, R);
222 S = BN_new();
223 if(!S) return 0;
224 (void) BN_bin2bn(orig + 21, SHA_DIGEST_LENGTH, S);
225 dsasig = DSA_SIG_new();
226 if(!dsasig) return 0;
227
228 dsasig->r = R;
229 dsasig->s = S;
230 *sig = NULL;
231 newlen = i2d_DSA_SIG(dsasig, sig);
232 if(newlen < 0) {
233 DSA_SIG_free(dsasig);
234 free(*sig);
235 return 0;
236 }
237 *len = (unsigned int)newlen;
238 DSA_SIG_free(dsasig);
239 return 1;
240 }
241
242 #ifdef USE_ECDSA
243 /**
244 * Setup the ECDSA signature in its encoding that the library wants.
245 * Converts from plain numbers to ASN formatted.
246 * @param sig: input is signature, output alloced ptr (unless failure).
247 * caller must free alloced ptr if this routine returns true.
248 * @param len: input is initial siglen, output is output len.
249 * @return false on failure.
250 */
251 static int
252 setup_ecdsa_sig(unsigned char** sig, unsigned int* len)
253 {
254 ECDSA_SIG* ecdsa_sig;
255 int newlen;
256 int bnsize = (int)((*len)/2);
257 /* if too short or not even length, fails */
258 if(*len < 16 || bnsize*2 != (int)*len)
259 return 0;
260 /* use the raw data to parse two evenly long BIGNUMs, "r | s". */
261 ecdsa_sig = ECDSA_SIG_new();
262 if(!ecdsa_sig) return 0;
263 ecdsa_sig->r = BN_bin2bn(*sig, bnsize, ecdsa_sig->r);
264 ecdsa_sig->s = BN_bin2bn(*sig+bnsize, bnsize, ecdsa_sig->s);
265 if(!ecdsa_sig->r || !ecdsa_sig->s) {
266 ECDSA_SIG_free(ecdsa_sig);
267 return 0;
268 }
269
270 /* spool it into ASN format */
271 *sig = NULL;
272 newlen = i2d_ECDSA_SIG(ecdsa_sig, sig);
273 if(newlen <= 0) {
274 ECDSA_SIG_free(ecdsa_sig);
275 free(*sig);
276 return 0;
277 }
278 *len = (unsigned int)newlen;
279 ECDSA_SIG_free(ecdsa_sig);
280 return 1;
281 }
282 #endif /* USE_ECDSA */
283
284 /**
285 * Setup key and digest for verification. Adjust sig if necessary.
286 *
287 * @param algo: key algorithm
288 * @param evp_key: EVP PKEY public key to create.
289 * @param digest_type: digest type to use
290 * @param key: key to setup for.
291 * @param keylen: length of key.
292 * @return false on failure.
293 */
294 static int
295 setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type,
296 unsigned char* key, size_t keylen)
297 {
298 DSA* dsa;
299 RSA* rsa;
300
301 switch(algo) {
302 case LDNS_DSA:
303 case LDNS_DSA_NSEC3:
304 *evp_key = EVP_PKEY_new();
305 if(!*evp_key) {
306 log_err("verify: malloc failure in crypto");
307 return 0;
308 }
309 dsa = sldns_key_buf2dsa_raw(key, keylen);
310 if(!dsa) {
311 verbose(VERB_QUERY, "verify: "
312 "sldns_key_buf2dsa_raw failed");
313 return 0;
314 }
315 if(EVP_PKEY_assign_DSA(*evp_key, dsa) == 0) {
316 verbose(VERB_QUERY, "verify: "
317 "EVP_PKEY_assign_DSA failed");
318 return 0;
319 }
320 *digest_type = EVP_dss1();
321
322 break;
323 case LDNS_RSASHA1:
324 case LDNS_RSASHA1_NSEC3:
325 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
326 case LDNS_RSASHA256:
327 #endif
328 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
329 case LDNS_RSASHA512:
330 #endif
331 *evp_key = EVP_PKEY_new();
332 if(!*evp_key) {
333 log_err("verify: malloc failure in crypto");
334 return 0;
335 }
336 rsa = sldns_key_buf2rsa_raw(key, keylen);
337 if(!rsa) {
338 verbose(VERB_QUERY, "verify: "
339 "sldns_key_buf2rsa_raw SHA failed");
340 return 0;
341 }
342 if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) {
343 verbose(VERB_QUERY, "verify: "
344 "EVP_PKEY_assign_RSA SHA failed");
345 return 0;
346 }
347
348 /* select SHA version */
349 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
350 if(algo == LDNS_RSASHA256)
351 *digest_type = EVP_sha256();
352 else
353 #endif
354 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
355 if(algo == LDNS_RSASHA512)
356 *digest_type = EVP_sha512();
357 else
358 #endif
359 *digest_type = EVP_sha1();
360
361 break;
362 case LDNS_RSAMD5:
363 *evp_key = EVP_PKEY_new();
364 if(!*evp_key) {
365 log_err("verify: malloc failure in crypto");
366 return 0;
367 }
368 rsa = sldns_key_buf2rsa_raw(key, keylen);
369 if(!rsa) {
370 verbose(VERB_QUERY, "verify: "
371 "sldns_key_buf2rsa_raw MD5 failed");
372 return 0;
373 }
374 if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) {
375 verbose(VERB_QUERY, "verify: "
376 "EVP_PKEY_assign_RSA MD5 failed");
377 return 0;
378 }
379 *digest_type = EVP_md5();
380
381 break;
382 #ifdef USE_GOST
383 case LDNS_ECC_GOST:
384 *evp_key = sldns_gost2pkey_raw(key, keylen);
385 if(!*evp_key) {
386 verbose(VERB_QUERY, "verify: "
387 "sldns_gost2pkey_raw failed");
388 return 0;
389 }
390 *digest_type = EVP_get_digestbyname("md_gost94");
391 if(!*digest_type) {
392 verbose(VERB_QUERY, "verify: "
393 "EVP_getdigest md_gost94 failed");
394 return 0;
395 }
396 break;
397 #endif
398 #ifdef USE_ECDSA
399 case LDNS_ECDSAP256SHA256:
400 *evp_key = sldns_ecdsa2pkey_raw(key, keylen,
401 LDNS_ECDSAP256SHA256);
402 if(!*evp_key) {
403 verbose(VERB_QUERY, "verify: "
404 "sldns_ecdsa2pkey_raw failed");
405 return 0;
406 }
407 #ifdef USE_ECDSA_EVP_WORKAROUND
408 /* openssl before 1.0.0 fixes RSA with the SHA256
409 * hash in EVP. We create one for ecdsa_sha256 */
410 {
411 static int md_ecdsa_256_done = 0;
412 static EVP_MD md;
413 if(!md_ecdsa_256_done) {
414 EVP_MD m = *EVP_sha256();
415 md_ecdsa_256_done = 1;
416 m.required_pkey_type[0] = (*evp_key)->type;
417 m.verify = (void*)ECDSA_verify;
418 md = m;
419 }
420 *digest_type = &md;
421 }
422 #else
423 *digest_type = EVP_sha256();
424 #endif
425 break;
426 case LDNS_ECDSAP384SHA384:
427 *evp_key = sldns_ecdsa2pkey_raw(key, keylen,
428 LDNS_ECDSAP384SHA384);
429 if(!*evp_key) {
430 verbose(VERB_QUERY, "verify: "
431 "sldns_ecdsa2pkey_raw failed");
432 return 0;
433 }
434 #ifdef USE_ECDSA_EVP_WORKAROUND
435 /* openssl before 1.0.0 fixes RSA with the SHA384
436 * hash in EVP. We create one for ecdsa_sha384 */
437 {
438 static int md_ecdsa_384_done = 0;
439 static EVP_MD md;
440 if(!md_ecdsa_384_done) {
441 EVP_MD m = *EVP_sha384();
442 md_ecdsa_384_done = 1;
443 m.required_pkey_type[0] = (*evp_key)->type;
444 m.verify = (void*)ECDSA_verify;
445 md = m;
446 }
447 *digest_type = &md;
448 }
449 #else
450 *digest_type = EVP_sha384();
451 #endif
452 break;
453 #endif /* USE_ECDSA */
454 default:
455 verbose(VERB_QUERY, "verify: unknown algorithm %d",
456 algo);
457 return 0;
458 }
459 return 1;
460 }
461
462 /**
463 * Check a canonical sig+rrset and signature against a dnskey
464 * @param buf: buffer with data to verify, the first rrsig part and the
465 * canonicalized rrset.
466 * @param algo: DNSKEY algorithm.
467 * @param sigblock: signature rdata field from RRSIG
468 * @param sigblock_len: length of sigblock data.
469 * @param key: public key data from DNSKEY RR.
470 * @param keylen: length of keydata.
471 * @param reason: bogus reason in more detail.
472 * @return secure if verification succeeded, bogus on crypto failure,
473 * unchecked on format errors and alloc failures.
474 */
475 enum sec_status
476 verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
477 unsigned int sigblock_len, unsigned char* key, unsigned int keylen,
478 char** reason)
479 {
480 const EVP_MD *digest_type;
481 EVP_MD_CTX ctx;
482 int res, dofree = 0;
483 EVP_PKEY *evp_key = NULL;
484
485 if(!setup_key_digest(algo, &evp_key, &digest_type, key, keylen)) {
486 verbose(VERB_QUERY, "verify: failed to setup key");
487 *reason = "use of key for crypto failed";
488 EVP_PKEY_free(evp_key);
489 return sec_status_bogus;
490 }
491 /* if it is a DSA signature in bind format, convert to DER format */
492 if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) &&
493 sigblock_len == 1+2*SHA_DIGEST_LENGTH) {
494 if(!setup_dsa_sig(&sigblock, &sigblock_len)) {
495 verbose(VERB_QUERY, "verify: failed to setup DSA sig");
496 *reason = "use of key for DSA crypto failed";
497 EVP_PKEY_free(evp_key);
498 return sec_status_bogus;
499 }
500 dofree = 1;
501 }
502 #ifdef USE_ECDSA
503 else if(algo == LDNS_ECDSAP256SHA256 || algo == LDNS_ECDSAP384SHA384) {
504 /* EVP uses ASN prefix on sig, which is not in the wire data */
505 if(!setup_ecdsa_sig(&sigblock, &sigblock_len)) {
506 verbose(VERB_QUERY, "verify: failed to setup ECDSA sig");
507 *reason = "use of signature for ECDSA crypto failed";
508 EVP_PKEY_free(evp_key);
509 return sec_status_bogus;
510 }
511 dofree = 1;
512 }
513 #endif /* USE_ECDSA */
514
515 /* do the signature cryptography work */
516 EVP_MD_CTX_init(&ctx);
517 if(EVP_VerifyInit(&ctx, digest_type) == 0) {
518 verbose(VERB_QUERY, "verify: EVP_VerifyInit failed");
519 EVP_PKEY_free(evp_key);
520 if(dofree) free(sigblock);
521 return sec_status_unchecked;
522 }
523 if(EVP_VerifyUpdate(&ctx, (unsigned char*)sldns_buffer_begin(buf),
524 (unsigned int)sldns_buffer_limit(buf)) == 0) {
525 verbose(VERB_QUERY, "verify: EVP_VerifyUpdate failed");
526 EVP_PKEY_free(evp_key);
527 if(dofree) free(sigblock);
528 return sec_status_unchecked;
529 }
530
531 res = EVP_VerifyFinal(&ctx, sigblock, sigblock_len, evp_key);
532 if(EVP_MD_CTX_cleanup(&ctx) == 0) {
533 verbose(VERB_QUERY, "verify: EVP_MD_CTX_cleanup failed");
534 EVP_PKEY_free(evp_key);
535 if(dofree) free(sigblock);
536 return sec_status_unchecked;
537 }
538 EVP_PKEY_free(evp_key);
539
540 if(dofree)
541 free(sigblock);
542
543 if(res == 1) {
544 return sec_status_secure;
545 } else if(res == 0) {
546 verbose(VERB_QUERY, "verify: signature mismatch");
547 *reason = "signature crypto failed";
548 return sec_status_bogus;
549 }
550
551 log_crypto_error("verify:", ERR_get_error());
552 return sec_status_unchecked;
553 }
554
555 /**************************************************/
556 #elif defined(HAVE_NSS)
557 /* libnss implementation */
558 /* nss3 */
559 #include "sechash.h"
560 #include "pk11pub.h"
561 #include "keyhi.h"
562 #include "secerr.h"
563 #include "cryptohi.h"
564 /* nspr4 */
565 #include "prerror.h"
566
567 size_t
568 ds_digest_size_supported(int algo)
569 {
570 /* uses libNSS */
571 switch(algo) {
572 case LDNS_SHA1:
573 return SHA1_LENGTH;
574 #ifdef USE_SHA2
575 case LDNS_SHA256:
576 return SHA256_LENGTH;
577 #endif
578 #ifdef USE_ECDSA
579 case LDNS_SHA384:
580 return SHA384_LENGTH;
581 #endif
582 /* GOST not supported in NSS */
583 case LDNS_HASH_GOST:
584 default: break;
585 }
586 return 0;
587 }
588
589 int
590 secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
591 unsigned char* res)
592 {
593 /* uses libNSS */
594 switch(algo) {
595 case LDNS_SHA1:
596 return HASH_HashBuf(HASH_AlgSHA1, res, buf, len)
597 == SECSuccess;
598 #if defined(USE_SHA2)
599 case LDNS_SHA256:
600 return HASH_HashBuf(HASH_AlgSHA256, res, buf, len)
601 == SECSuccess;
602 #endif
603 #ifdef USE_ECDSA
604 case LDNS_SHA384:
605 return HASH_HashBuf(HASH_AlgSHA384, res, buf, len)
606 == SECSuccess;
607 #endif
608 case LDNS_HASH_GOST:
609 default:
610 verbose(VERB_QUERY, "unknown DS digest algorithm %d",
611 algo);
612 break;
613 }
614 return 0;
615 }
616
617 int
618 dnskey_algo_id_is_supported(int id)
619 {
620 /* uses libNSS */
621 switch(id) {
622 case LDNS_RSAMD5:
623 /* RFC 6725 deprecates RSAMD5 */
624 return 0;
625 case LDNS_DSA:
626 case LDNS_DSA_NSEC3:
627 case LDNS_RSASHA1:
628 case LDNS_RSASHA1_NSEC3:
629 #ifdef USE_SHA2
630 case LDNS_RSASHA256:
631 #endif
632 #ifdef USE_SHA2
633 case LDNS_RSASHA512:
634 #endif
635 return 1;
636 #ifdef USE_ECDSA
637 case LDNS_ECDSAP256SHA256:
638 case LDNS_ECDSAP384SHA384:
639 return PK11_TokenExists(CKM_ECDSA);
640 #endif
641 case LDNS_ECC_GOST:
642 default:
643 return 0;
644 }
645 }
646
647 /* return a new public key for NSS */
648 static SECKEYPublicKey* nss_key_create(KeyType ktype)
649 {
650 SECKEYPublicKey* key;
651 PLArenaPool* arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
652 if(!arena) {
653 log_err("out of memory, PORT_NewArena failed");
654 return NULL;
655 }
656 key = PORT_ArenaZNew(arena, SECKEYPublicKey);
657 if(!key) {
658 log_err("out of memory, PORT_ArenaZNew failed");
659 PORT_FreeArena(arena, PR_FALSE);
660 return NULL;
661 }
662 key->arena = arena;
663 key->keyType = ktype;
664 key->pkcs11Slot = NULL;
665 key->pkcs11ID = CK_INVALID_HANDLE;
666 return key;
667 }
668
669 static SECKEYPublicKey* nss_buf2ecdsa(unsigned char* key, size_t len, int algo)
670 {
671 SECKEYPublicKey* pk;
672 SECItem pub = {siBuffer, NULL, 0};
673 SECItem params = {siBuffer, NULL, 0};
674 static unsigned char param256[] = {
675 /* OBJECTIDENTIFIER 1.2.840.10045.3.1.7 (P-256)
676 * {iso(1) member-body(2) us(840) ansi-x962(10045) curves(3) prime(1) prime256v1(7)} */
677 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07
678 };
679 static unsigned char param384[] = {
680 /* OBJECTIDENTIFIER 1.3.132.0.34 (P-384)
681 * {iso(1) identified-organization(3) certicom(132) curve(0) ansip384r1(34)} */
682 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22
683 };
684 unsigned char buf[256+2]; /* sufficient for 2*384/8+1 */
685
686 /* check length, which uncompressed must be 2 bignums */
687 if(algo == LDNS_ECDSAP256SHA256) {
688 if(len != 2*256/8) return NULL;
689 /* ECCurve_X9_62_PRIME_256V1 */
690 } else if(algo == LDNS_ECDSAP384SHA384) {
691 if(len != 2*384/8) return NULL;
692 /* ECCurve_X9_62_PRIME_384R1 */
693 } else return NULL;
694
695 buf[0] = 0x04; /* POINT_FORM_UNCOMPRESSED */
696 memmove(buf+1, key, len);
697 pub.data = buf;
698 pub.len = len+1;
699 if(algo == LDNS_ECDSAP256SHA256) {
700 params.data = param256;
701 params.len = sizeof(param256);
702 } else {
703 params.data = param384;
704 params.len = sizeof(param384);
705 }
706
707 pk = nss_key_create(ecKey);
708 if(!pk)
709 return NULL;
710 pk->u.ec.size = (len/2)*8;
711 if(SECITEM_CopyItem(pk->arena, &pk->u.ec.publicValue, &pub)) {
712 SECKEY_DestroyPublicKey(pk);
713 return NULL;
714 }
715 if(SECITEM_CopyItem(pk->arena, &pk->u.ec.DEREncodedParams, &params)) {
716 SECKEY_DestroyPublicKey(pk);
717 return NULL;
718 }
719
720 return pk;
721 }
722
723 static SECKEYPublicKey* nss_buf2dsa(unsigned char* key, size_t len)
724 {
725 SECKEYPublicKey* pk;
726 uint8_t T;
727 uint16_t length;
728 uint16_t offset;
729 SECItem Q = {siBuffer, NULL, 0};
730 SECItem P = {siBuffer, NULL, 0};
731 SECItem G = {siBuffer, NULL, 0};
732 SECItem Y = {siBuffer, NULL, 0};
733
734 if(len == 0)
735 return NULL;
736 T = (uint8_t)key[0];
737 length = (64 + T * 8);
738 offset = 1;
739
740 if (T > 8) {
741 return NULL;
742 }
743 if(len < (size_t)1 + SHA1_LENGTH + 3*length)
744 return NULL;
745
746 Q.data = key+offset;
747 Q.len = SHA1_LENGTH;
748 offset += SHA1_LENGTH;
749
750 P.data = key+offset;
751 P.len = length;
752 offset += length;
753
754 G.data = key+offset;
755 G.len = length;
756 offset += length;
757
758 Y.data = key+offset;
759 Y.len = length;
760 offset += length;
761
762 pk = nss_key_create(dsaKey);
763 if(!pk)
764 return NULL;
765 if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.prime, &P)) {
766 SECKEY_DestroyPublicKey(pk);
767 return NULL;
768 }
769 if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.subPrime, &Q)) {
770 SECKEY_DestroyPublicKey(pk);
771 return NULL;
772 }
773 if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.base, &G)) {
774 SECKEY_DestroyPublicKey(pk);
775 return NULL;
776 }
777 if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.publicValue, &Y)) {
778 SECKEY_DestroyPublicKey(pk);
779 return NULL;
780 }
781 return pk;
782 }
783
784 static SECKEYPublicKey* nss_buf2rsa(unsigned char* key, size_t len)
785 {
786 SECKEYPublicKey* pk;
787 uint16_t exp;
788 uint16_t offset;
789 uint16_t int16;
790 SECItem modulus = {siBuffer, NULL, 0};
791 SECItem exponent = {siBuffer, NULL, 0};
792 if(len == 0)
793 return NULL;
794 if(key[0] == 0) {
795 if(len < 3)
796 return NULL;
797 /* the exponent is too large so it's places further */
798 memmove(&int16, key+1, 2);
799 exp = ntohs(int16);
800 offset = 3;
801 } else {
802 exp = key[0];
803 offset = 1;
804 }
805
806 /* key length at least one */
807 if(len < (size_t)offset + exp + 1)
808 return NULL;
809
810 exponent.data = key+offset;
811 exponent.len = exp;
812 offset += exp;
813 modulus.data = key+offset;
814 modulus.len = (len - offset);
815
816 pk = nss_key_create(rsaKey);
817 if(!pk)
818 return NULL;
819 if(SECITEM_CopyItem(pk->arena, &pk->u.rsa.modulus, &modulus)) {
820 SECKEY_DestroyPublicKey(pk);
821 return NULL;
822 }
823 if(SECITEM_CopyItem(pk->arena, &pk->u.rsa.publicExponent, &exponent)) {
824 SECKEY_DestroyPublicKey(pk);
825 return NULL;
826 }
827 return pk;
828 }
829
830 /**
831 * Setup key and digest for verification. Adjust sig if necessary.
832 *
833 * @param algo: key algorithm
834 * @param evp_key: EVP PKEY public key to create.
835 * @param digest_type: digest type to use
836 * @param key: key to setup for.
837 * @param keylen: length of key.
838 * @param prefix: if returned, the ASN prefix for the hashblob.
839 * @param prefixlen: length of the prefix.
840 * @return false on failure.
841 */
842 static int
843 nss_setup_key_digest(int algo, SECKEYPublicKey** pubkey, HASH_HashType* htype,
844 unsigned char* key, size_t keylen, unsigned char** prefix,
845 size_t* prefixlen)
846 {
847 /* uses libNSS */
848
849 /* hash prefix for md5, RFC2537 */
850 static unsigned char p_md5[] = {0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a,
851 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 0x04, 0x10};
852 /* hash prefix to prepend to hash output, from RFC3110 */
853 static unsigned char p_sha1[] = {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B,
854 0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14};
855 /* from RFC5702 */
856 static unsigned char p_sha256[] = {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60,
857 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20};
858 static unsigned char p_sha512[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60,
859 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40};
860 /* from RFC6234 */
861 /* for future RSASHA384 ..
862 static unsigned char p_sha384[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60,
863 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30};
864 */
865
866 switch(algo) {
867 case LDNS_DSA:
868 case LDNS_DSA_NSEC3:
869 *pubkey = nss_buf2dsa(key, keylen);
870 if(!*pubkey) {
871 log_err("verify: malloc failure in crypto");
872 return 0;
873 }
874 *htype = HASH_AlgSHA1;
875 /* no prefix for DSA verification */
876 break;
877 case LDNS_RSASHA1:
878 case LDNS_RSASHA1_NSEC3:
879 #ifdef USE_SHA2
880 case LDNS_RSASHA256:
881 #endif
882 #ifdef USE_SHA2
883 case LDNS_RSASHA512:
884 #endif
885 *pubkey = nss_buf2rsa(key, keylen);
886 if(!*pubkey) {
887 log_err("verify: malloc failure in crypto");
888 return 0;
889 }
890 /* select SHA version */
891 #ifdef USE_SHA2
892 if(algo == LDNS_RSASHA256) {
893 *htype = HASH_AlgSHA256;
894 *prefix = p_sha256;
895 *prefixlen = sizeof(p_sha256);
896 } else
897 #endif
898 #ifdef USE_SHA2
899 if(algo == LDNS_RSASHA512) {
900 *htype = HASH_AlgSHA512;
901 *prefix = p_sha512;
902 *prefixlen = sizeof(p_sha512);
903 } else
904 #endif
905 {
906 *htype = HASH_AlgSHA1;
907 *prefix = p_sha1;
908 *prefixlen = sizeof(p_sha1);
909 }
910
911 break;
912 case LDNS_RSAMD5:
913 *pubkey = nss_buf2rsa(key, keylen);
914 if(!*pubkey) {
915 log_err("verify: malloc failure in crypto");
916 return 0;
917 }
918 *htype = HASH_AlgMD5;
919 *prefix = p_md5;
920 *prefixlen = sizeof(p_md5);
921
922 break;
923 #ifdef USE_ECDSA
924 case LDNS_ECDSAP256SHA256:
925 *pubkey = nss_buf2ecdsa(key, keylen,
926 LDNS_ECDSAP256SHA256);
927 if(!*pubkey) {
928 log_err("verify: malloc failure in crypto");
929 return 0;
930 }
931 *htype = HASH_AlgSHA256;
932 /* no prefix for DSA verification */
933 break;
934 case LDNS_ECDSAP384SHA384:
935 *pubkey = nss_buf2ecdsa(key, keylen,
936 LDNS_ECDSAP384SHA384);
937 if(!*pubkey) {
938 log_err("verify: malloc failure in crypto");
939 return 0;
940 }
941 *htype = HASH_AlgSHA384;
942 /* no prefix for DSA verification */
943 break;
944 #endif /* USE_ECDSA */
945 case LDNS_ECC_GOST:
946 default:
947 verbose(VERB_QUERY, "verify: unknown algorithm %d",
948 algo);
949 return 0;
950 }
951 return 1;
952 }
953
954 /**
955 * Check a canonical sig+rrset and signature against a dnskey
956 * @param buf: buffer with data to verify, the first rrsig part and the
957 * canonicalized rrset.
958 * @param algo: DNSKEY algorithm.
959 * @param sigblock: signature rdata field from RRSIG
960 * @param sigblock_len: length of sigblock data.
961 * @param key: public key data from DNSKEY RR.
962 * @param keylen: length of keydata.
963 * @param reason: bogus reason in more detail.
964 * @return secure if verification succeeded, bogus on crypto failure,
965 * unchecked on format errors and alloc failures.
966 */
967 enum sec_status
968 verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
969 unsigned int sigblock_len, unsigned char* key, unsigned int keylen,
970 char** reason)
971 {
972 /* uses libNSS */
973 /* large enough for the different hashes */
974 unsigned char hash[HASH_LENGTH_MAX];
975 unsigned char hash2[HASH_LENGTH_MAX*2];
976 HASH_HashType htype = 0;
977 SECKEYPublicKey* pubkey = NULL;
978 SECItem secsig = {siBuffer, sigblock, sigblock_len};
979 SECItem sechash = {siBuffer, hash, 0};
980 SECStatus res;
981 unsigned char* prefix = NULL; /* prefix for hash, RFC3110, RFC5702 */
982 size_t prefixlen = 0;
983 int err;
984
985 if(!nss_setup_key_digest(algo, &pubkey, &htype, key, keylen,
986 &prefix, &prefixlen)) {
987 verbose(VERB_QUERY, "verify: failed to setup key");
988 *reason = "use of key for crypto failed";
989 SECKEY_DestroyPublicKey(pubkey);
990 return sec_status_bogus;
991 }
992
993 /* need to convert DSA, ECDSA signatures? */
994 if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3)) {
995 if(sigblock_len == 1+2*SHA1_LENGTH) {
996 secsig.data ++;
997 secsig.len --;
998 } else {
999 SECItem* p = DSAU_DecodeDerSig(&secsig);
1000 if(!p) {
1001 verbose(VERB_QUERY, "verify: failed DER decode");
1002 *reason = "signature DER decode failed";
1003 SECKEY_DestroyPublicKey(pubkey);
1004 return sec_status_bogus;
1005 }
1006 if(SECITEM_CopyItem(pubkey->arena, &secsig, p)) {
1007 log_err("alloc failure in DER decode");
1008 SECKEY_DestroyPublicKey(pubkey);
1009 SECITEM_FreeItem(p, PR_TRUE);
1010 return sec_status_unchecked;
1011 }
1012 SECITEM_FreeItem(p, PR_TRUE);
1013 }
1014 }
1015
1016 /* do the signature cryptography work */
1017 /* hash the data */
1018 sechash.len = HASH_ResultLen(htype);
1019 if(sechash.len > sizeof(hash)) {
1020 verbose(VERB_QUERY, "verify: hash too large for buffer");
1021 SECKEY_DestroyPublicKey(pubkey);
1022 return sec_status_unchecked;
1023 }
1024 if(HASH_HashBuf(htype, hash, (unsigned char*)sldns_buffer_begin(buf),
1025 (unsigned int)sldns_buffer_limit(buf)) != SECSuccess) {
1026 verbose(VERB_QUERY, "verify: HASH_HashBuf failed");
1027 SECKEY_DestroyPublicKey(pubkey);
1028 return sec_status_unchecked;
1029 }
1030 if(prefix) {
1031 int hashlen = sechash.len;
1032 if(prefixlen+hashlen > sizeof(hash2)) {
1033 verbose(VERB_QUERY, "verify: hashprefix too large");
1034 SECKEY_DestroyPublicKey(pubkey);
1035 return sec_status_unchecked;
1036 }
1037 sechash.data = hash2;
1038 sechash.len = prefixlen+hashlen;
1039 memcpy(sechash.data, prefix, prefixlen);
1040 memmove(sechash.data+prefixlen, hash, hashlen);
1041 }
1042
1043 /* verify the signature */
1044 res = PK11_Verify(pubkey, &secsig, &sechash, NULL /*wincx*/);
1045 SECKEY_DestroyPublicKey(pubkey);
1046
1047 if(res == SECSuccess) {
1048 return sec_status_secure;
1049 }
1050 err = PORT_GetError();
1051 if(err != SEC_ERROR_BAD_SIGNATURE) {
1052 /* failed to verify */
1053 verbose(VERB_QUERY, "verify: PK11_Verify failed: %s",
1054 PORT_ErrorToString(err));
1055 /* if it is not supported, like ECC is removed, we get,
1056 * SEC_ERROR_NO_MODULE */
1057 if(err == SEC_ERROR_NO_MODULE)
1058 return sec_status_unchecked;
1059 /* but other errors are commonly returned
1060 * for a bad signature from NSS. Thus we return bogus,
1061 * not unchecked */
1062 *reason = "signature crypto failed";
1063 return sec_status_bogus;
1064 }
1065 verbose(VERB_QUERY, "verify: signature mismatch: %s",
1066 PORT_ErrorToString(err));
1067 *reason = "signature crypto failed";
1068 return sec_status_bogus;
1069 }
1070
1071
1072 #endif /* HAVE_SSL or HAVE_NSS */
mirror of network_cmds