diff options
Diffstat (limited to 'external/unbound/validator/val_secalgo.c')
| -rw-r--r-- | external/unbound/validator/val_secalgo.c | 1072 |
1 files changed, 1072 insertions, 0 deletions
diff --git a/external/unbound/validator/val_secalgo.c b/external/unbound/validator/val_secalgo.c new file mode 100644 index 000000000..d89675f83 --- /dev/null +++ b/external/unbound/validator/val_secalgo.c @@ -0,0 +1,1072 @@ +/* + * validator/val_secalgo.c - validator security algorithm functions. + * + * Copyright (c) 2012, NLnet Labs. All rights reserved. + * + * This software is open source. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * Neither the name of the NLNET LABS nor the names of its contributors may + * be used to endorse or promote products derived from this software without + * specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED + * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/** + * \file + * + * This file contains helper functions for the validator module. + * These functions take raw data buffers, formatted for crypto verification, + * and do the library calls (for the crypto library in use). + */ +#include "config.h" +#include "validator/val_secalgo.h" +#include "util/data/packed_rrset.h" +#include "util/log.h" +#include "ldns/rrdef.h" +#include "ldns/keyraw.h" +#include "ldns/sbuffer.h" + +#if !defined(HAVE_SSL) && !defined(HAVE_NSS) +#error "Need crypto library to do digital signature cryptography" +#endif + +/* OpenSSL implementation */ +#ifdef HAVE_SSL +#ifdef HAVE_OPENSSL_ERR_H +#include <openssl/err.h> +#endif + +#ifdef HAVE_OPENSSL_RAND_H +#include <openssl/rand.h> +#endif + +#ifdef HAVE_OPENSSL_CONF_H +#include <openssl/conf.h> +#endif + +#ifdef HAVE_OPENSSL_ENGINE_H +#include <openssl/engine.h> +#endif + +/** + * Return size of DS digest according to its hash algorithm. + * @param algo: DS digest algo. + * @return size in bytes of digest, or 0 if not supported. + */ +size_t +ds_digest_size_supported(int algo) +{ + switch(algo) { +#ifdef HAVE_EVP_SHA1 + case LDNS_SHA1: + return SHA_DIGEST_LENGTH; +#endif +#ifdef HAVE_EVP_SHA256 + case LDNS_SHA256: + return SHA256_DIGEST_LENGTH; +#endif +#ifdef USE_GOST + case LDNS_HASH_GOST: + if(EVP_get_digestbyname("md_gost94")) + return 32; + else return 0; +#endif +#ifdef USE_ECDSA + case LDNS_SHA384: + return SHA384_DIGEST_LENGTH; +#endif + default: break; + } + return 0; +} + +#ifdef USE_GOST +/** Perform GOST hash */ +static int +do_gost94(unsigned char* data, size_t len, unsigned char* dest) +{ + const EVP_MD* md = EVP_get_digestbyname("md_gost94"); + if(!md) + return 0; + return sldns_digest_evp(data, (unsigned int)len, dest, md); +} +#endif + +int +secalgo_ds_digest(int algo, unsigned char* buf, size_t len, + unsigned char* res) +{ + switch(algo) { +#ifdef HAVE_EVP_SHA1 + case LDNS_SHA1: + (void)SHA1(buf, len, res); + return 1; +#endif +#ifdef HAVE_EVP_SHA256 + case LDNS_SHA256: + (void)SHA256(buf, len, res); + return 1; +#endif +#ifdef USE_GOST + case LDNS_HASH_GOST: + if(do_gost94(buf, len, res)) + return 1; + break; +#endif +#ifdef USE_ECDSA + case LDNS_SHA384: + (void)SHA384(buf, len, res); + return 1; +#endif + default: + verbose(VERB_QUERY, "unknown DS digest algorithm %d", + algo); + break; + } + return 0; +} + +/** return true if DNSKEY algorithm id is supported */ +int +dnskey_algo_id_is_supported(int id) +{ + switch(id) { + case LDNS_RSAMD5: + /* RFC 6725 deprecates RSAMD5 */ + return 0; + case LDNS_DSA: + case LDNS_DSA_NSEC3: + case LDNS_RSASHA1: + case LDNS_RSASHA1_NSEC3: +#if defined(HAVE_EVP_SHA256) && defined(USE_SHA2) + case LDNS_RSASHA256: +#endif +#if defined(HAVE_EVP_SHA512) && defined(USE_SHA2) + case LDNS_RSASHA512: +#endif +#ifdef USE_ECDSA + case LDNS_ECDSAP256SHA256: + case LDNS_ECDSAP384SHA384: +#endif + return 1; +#ifdef USE_GOST + case LDNS_ECC_GOST: + /* we support GOST if it can be loaded */ + return sldns_key_EVP_load_gost_id(); +#endif + default: + return 0; + } +} + +/** + * Output a libcrypto openssl error to the logfile. + * @param str: string to add to it. + * @param e: the error to output, error number from ERR_get_error(). + */ +static void +log_crypto_error(const char* str, unsigned long e) +{ + char buf[128]; + /* or use ERR_error_string if ERR_error_string_n is not avail TODO */ + ERR_error_string_n(e, buf, sizeof(buf)); + /* buf now contains */ + /* error:[error code]:[library name]:[function name]:[reason string] */ + log_err("%s crypto %s", str, buf); +} + +/** + * Setup DSA key digest in DER encoding ... + * @param sig: input is signature output alloced ptr (unless failure). + * caller must free alloced ptr if this routine returns true. + * @param len: input is initial siglen, output is output len. + * @return false on failure. + */ +static int +setup_dsa_sig(unsigned char** sig, unsigned int* len) +{ + unsigned char* orig = *sig; + unsigned int origlen = *len; + int newlen; + BIGNUM *R, *S; + DSA_SIG *dsasig; + + /* extract the R and S field from the sig buffer */ + if(origlen < 1 + 2*SHA_DIGEST_LENGTH) + return 0; + R = BN_new(); + if(!R) return 0; + (void) BN_bin2bn(orig + 1, SHA_DIGEST_LENGTH, R); + S = BN_new(); + if(!S) return 0; + (void) BN_bin2bn(orig + 21, SHA_DIGEST_LENGTH, S); + dsasig = DSA_SIG_new(); + if(!dsasig) return 0; + + dsasig->r = R; + dsasig->s = S; + *sig = NULL; + newlen = i2d_DSA_SIG(dsasig, sig); + if(newlen < 0) { + DSA_SIG_free(dsasig); + free(*sig); + return 0; + } + *len = (unsigned int)newlen; + DSA_SIG_free(dsasig); + return 1; +} + +#ifdef USE_ECDSA +/** + * Setup the ECDSA signature in its encoding that the library wants. + * Converts from plain numbers to ASN formatted. + * @param sig: input is signature, output alloced ptr (unless failure). + * caller must free alloced ptr if this routine returns true. + * @param len: input is initial siglen, output is output len. + * @return false on failure. + */ +static int +setup_ecdsa_sig(unsigned char** sig, unsigned int* len) +{ + ECDSA_SIG* ecdsa_sig; + int newlen; + int bnsize = (int)((*len)/2); + /* if too short or not even length, fails */ + if(*len < 16 || bnsize*2 != (int)*len) + return 0; + /* use the raw data to parse two evenly long BIGNUMs, "r | s". */ + ecdsa_sig = ECDSA_SIG_new(); + if(!ecdsa_sig) return 0; + ecdsa_sig->r = BN_bin2bn(*sig, bnsize, ecdsa_sig->r); + ecdsa_sig->s = BN_bin2bn(*sig+bnsize, bnsize, ecdsa_sig->s); + if(!ecdsa_sig->r || !ecdsa_sig->s) { + ECDSA_SIG_free(ecdsa_sig); + return 0; + } + + /* spool it into ASN format */ + *sig = NULL; + newlen = i2d_ECDSA_SIG(ecdsa_sig, sig); + if(newlen <= 0) { + ECDSA_SIG_free(ecdsa_sig); + free(*sig); + return 0; + } + *len = (unsigned int)newlen; + ECDSA_SIG_free(ecdsa_sig); + return 1; +} +#endif /* USE_ECDSA */ + +/** + * Setup key and digest for verification. Adjust sig if necessary. + * + * @param algo: key algorithm + * @param evp_key: EVP PKEY public key to create. + * @param digest_type: digest type to use + * @param key: key to setup for. + * @param keylen: length of key. + * @return false on failure. + */ +static int +setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type, + unsigned char* key, size_t keylen) +{ + DSA* dsa; + RSA* rsa; + + switch(algo) { + case LDNS_DSA: + case LDNS_DSA_NSEC3: + *evp_key = EVP_PKEY_new(); + if(!*evp_key) { + log_err("verify: malloc failure in crypto"); + return 0; + } + dsa = sldns_key_buf2dsa_raw(key, keylen); + if(!dsa) { + verbose(VERB_QUERY, "verify: " + "sldns_key_buf2dsa_raw failed"); + return 0; + } + if(EVP_PKEY_assign_DSA(*evp_key, dsa) == 0) { + verbose(VERB_QUERY, "verify: " + "EVP_PKEY_assign_DSA failed"); + return 0; + } + *digest_type = EVP_dss1(); + + break; + case LDNS_RSASHA1: + case LDNS_RSASHA1_NSEC3: +#if defined(HAVE_EVP_SHA256) && defined(USE_SHA2) + case LDNS_RSASHA256: +#endif +#if defined(HAVE_EVP_SHA512) && defined(USE_SHA2) + case LDNS_RSASHA512: +#endif + *evp_key = EVP_PKEY_new(); + if(!*evp_key) { + log_err("verify: malloc failure in crypto"); + return 0; + } + rsa = sldns_key_buf2rsa_raw(key, keylen); + if(!rsa) { + verbose(VERB_QUERY, "verify: " + "sldns_key_buf2rsa_raw SHA failed"); + return 0; + } + if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) { + verbose(VERB_QUERY, "verify: " + "EVP_PKEY_assign_RSA SHA failed"); + return 0; + } + + /* select SHA version */ +#if defined(HAVE_EVP_SHA256) && defined(USE_SHA2) + if(algo == LDNS_RSASHA256) + *digest_type = EVP_sha256(); + else +#endif +#if defined(HAVE_EVP_SHA512) && defined(USE_SHA2) + if(algo == LDNS_RSASHA512) + *digest_type = EVP_sha512(); + else +#endif + *digest_type = EVP_sha1(); + + break; + case LDNS_RSAMD5: + *evp_key = EVP_PKEY_new(); + if(!*evp_key) { + log_err("verify: malloc failure in crypto"); + return 0; + } + rsa = sldns_key_buf2rsa_raw(key, keylen); + if(!rsa) { + verbose(VERB_QUERY, "verify: " + "sldns_key_buf2rsa_raw MD5 failed"); + return 0; + } + if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) { + verbose(VERB_QUERY, "verify: " + "EVP_PKEY_assign_RSA MD5 failed"); + return 0; + } + *digest_type = EVP_md5(); + + break; +#ifdef USE_GOST + case LDNS_ECC_GOST: + *evp_key = sldns_gost2pkey_raw(key, keylen); + if(!*evp_key) { + verbose(VERB_QUERY, "verify: " + "sldns_gost2pkey_raw failed"); + return 0; + } + *digest_type = EVP_get_digestbyname("md_gost94"); + if(!*digest_type) { + verbose(VERB_QUERY, "verify: " + "EVP_getdigest md_gost94 failed"); + return 0; + } + break; +#endif +#ifdef USE_ECDSA + case LDNS_ECDSAP256SHA256: + *evp_key = sldns_ecdsa2pkey_raw(key, keylen, + LDNS_ECDSAP256SHA256); + if(!*evp_key) { + verbose(VERB_QUERY, "verify: " + "sldns_ecdsa2pkey_raw failed"); + return 0; + } +#ifdef USE_ECDSA_EVP_WORKAROUND + /* openssl before 1.0.0 fixes RSA with the SHA256 + * hash in EVP. We create one for ecdsa_sha256 */ + { + static int md_ecdsa_256_done = 0; + static EVP_MD md; + if(!md_ecdsa_256_done) { + EVP_MD m = *EVP_sha256(); + md_ecdsa_256_done = 1; + m.required_pkey_type[0] = (*evp_key)->type; + m.verify = (void*)ECDSA_verify; + md = m; + } + *digest_type = &md; + } +#else + *digest_type = EVP_sha256(); +#endif + break; + case LDNS_ECDSAP384SHA384: + *evp_key = sldns_ecdsa2pkey_raw(key, keylen, + LDNS_ECDSAP384SHA384); + if(!*evp_key) { + verbose(VERB_QUERY, "verify: " + "sldns_ecdsa2pkey_raw failed"); + return 0; + } +#ifdef USE_ECDSA_EVP_WORKAROUND + /* openssl before 1.0.0 fixes RSA with the SHA384 + * hash in EVP. We create one for ecdsa_sha384 */ + { + static int md_ecdsa_384_done = 0; + static EVP_MD md; + if(!md_ecdsa_384_done) { + EVP_MD m = *EVP_sha384(); + md_ecdsa_384_done = 1; + m.required_pkey_type[0] = (*evp_key)->type; + m.verify = (void*)ECDSA_verify; + md = m; + } + *digest_type = &md; + } +#else + *digest_type = EVP_sha384(); +#endif + break; +#endif /* USE_ECDSA */ + default: + verbose(VERB_QUERY, "verify: unknown algorithm %d", + algo); + return 0; + } + return 1; +} + +/** + * Check a canonical sig+rrset and signature against a dnskey + * @param buf: buffer with data to verify, the first rrsig part and the + * canonicalized rrset. + * @param algo: DNSKEY algorithm. + * @param sigblock: signature rdata field from RRSIG + * @param sigblock_len: length of sigblock data. + * @param key: public key data from DNSKEY RR. + * @param keylen: length of keydata. + * @param reason: bogus reason in more detail. + * @return secure if verification succeeded, bogus on crypto failure, + * unchecked on format errors and alloc failures. + */ +enum sec_status +verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock, + unsigned int sigblock_len, unsigned char* key, unsigned int keylen, + char** reason) +{ + const EVP_MD *digest_type; + EVP_MD_CTX ctx; + int res, dofree = 0; + EVP_PKEY *evp_key = NULL; + + if(!setup_key_digest(algo, &evp_key, &digest_type, key, keylen)) { + verbose(VERB_QUERY, "verify: failed to setup key"); + *reason = "use of key for crypto failed"; + EVP_PKEY_free(evp_key); + return sec_status_bogus; + } + /* if it is a DSA signature in bind format, convert to DER format */ + if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) && + sigblock_len == 1+2*SHA_DIGEST_LENGTH) { + if(!setup_dsa_sig(&sigblock, &sigblock_len)) { + verbose(VERB_QUERY, "verify: failed to setup DSA sig"); + *reason = "use of key for DSA crypto failed"; + EVP_PKEY_free(evp_key); + return sec_status_bogus; + } + dofree = 1; + } +#ifdef USE_ECDSA + else if(algo == LDNS_ECDSAP256SHA256 || algo == LDNS_ECDSAP384SHA384) { + /* EVP uses ASN prefix on sig, which is not in the wire data */ + if(!setup_ecdsa_sig(&sigblock, &sigblock_len)) { + verbose(VERB_QUERY, "verify: failed to setup ECDSA sig"); + *reason = "use of signature for ECDSA crypto failed"; + EVP_PKEY_free(evp_key); + return sec_status_bogus; + } + dofree = 1; + } +#endif /* USE_ECDSA */ + + /* do the signature cryptography work */ + EVP_MD_CTX_init(&ctx); + if(EVP_VerifyInit(&ctx, digest_type) == 0) { + verbose(VERB_QUERY, "verify: EVP_VerifyInit failed"); + EVP_PKEY_free(evp_key); + if(dofree) free(sigblock); + return sec_status_unchecked; + } + if(EVP_VerifyUpdate(&ctx, (unsigned char*)sldns_buffer_begin(buf), + (unsigned int)sldns_buffer_limit(buf)) == 0) { + verbose(VERB_QUERY, "verify: EVP_VerifyUpdate failed"); + EVP_PKEY_free(evp_key); + if(dofree) free(sigblock); + return sec_status_unchecked; + } + + res = EVP_VerifyFinal(&ctx, sigblock, sigblock_len, evp_key); + if(EVP_MD_CTX_cleanup(&ctx) == 0) { + verbose(VERB_QUERY, "verify: EVP_MD_CTX_cleanup failed"); + EVP_PKEY_free(evp_key); + if(dofree) free(sigblock); + return sec_status_unchecked; + } + EVP_PKEY_free(evp_key); + + if(dofree) + free(sigblock); + + if(res == 1) { + return sec_status_secure; + } else if(res == 0) { + verbose(VERB_QUERY, "verify: signature mismatch"); + *reason = "signature crypto failed"; + return sec_status_bogus; + } + + log_crypto_error("verify:", ERR_get_error()); + return sec_status_unchecked; +} + +/**************************************************/ +#elif defined(HAVE_NSS) +/* libnss implementation */ +/* nss3 */ +#include "sechash.h" +#include "pk11pub.h" +#include "keyhi.h" +#include "secerr.h" +#include "cryptohi.h" +/* nspr4 */ +#include "prerror.h" + +size_t +ds_digest_size_supported(int algo) +{ + /* uses libNSS */ + switch(algo) { + case LDNS_SHA1: + return SHA1_LENGTH; +#ifdef USE_SHA2 + case LDNS_SHA256: + return SHA256_LENGTH; +#endif +#ifdef USE_ECDSA + case LDNS_SHA384: + return SHA384_LENGTH; +#endif + /* GOST not supported in NSS */ + case LDNS_HASH_GOST: + default: break; + } + return 0; +} + +int +secalgo_ds_digest(int algo, unsigned char* buf, size_t len, + unsigned char* res) +{ + /* uses libNSS */ + switch(algo) { + case LDNS_SHA1: + return HASH_HashBuf(HASH_AlgSHA1, res, buf, len) + == SECSuccess; +#if defined(USE_SHA2) + case LDNS_SHA256: + return HASH_HashBuf(HASH_AlgSHA256, res, buf, len) + == SECSuccess; +#endif +#ifdef USE_ECDSA + case LDNS_SHA384: + return HASH_HashBuf(HASH_AlgSHA384, res, buf, len) + == SECSuccess; +#endif + case LDNS_HASH_GOST: + default: + verbose(VERB_QUERY, "unknown DS digest algorithm %d", + algo); + break; + } + return 0; +} + +int +dnskey_algo_id_is_supported(int id) +{ + /* uses libNSS */ + switch(id) { + case LDNS_RSAMD5: + /* RFC 6725 deprecates RSAMD5 */ + return 0; + case LDNS_DSA: + case LDNS_DSA_NSEC3: + case LDNS_RSASHA1: + case LDNS_RSASHA1_NSEC3: +#ifdef USE_SHA2 + case LDNS_RSASHA256: +#endif +#ifdef USE_SHA2 + case LDNS_RSASHA512: +#endif + return 1; +#ifdef USE_ECDSA + case LDNS_ECDSAP256SHA256: + case LDNS_ECDSAP384SHA384: + return PK11_TokenExists(CKM_ECDSA); +#endif + case LDNS_ECC_GOST: + default: + return 0; + } +} + +/* return a new public key for NSS */ +static SECKEYPublicKey* nss_key_create(KeyType ktype) +{ + SECKEYPublicKey* key; + PLArenaPool* arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + if(!arena) { + log_err("out of memory, PORT_NewArena failed"); + return NULL; + } + key = PORT_ArenaZNew(arena, SECKEYPublicKey); + if(!key) { + log_err("out of memory, PORT_ArenaZNew failed"); + PORT_FreeArena(arena, PR_FALSE); + return NULL; + } + key->arena = arena; + key->keyType = ktype; + key->pkcs11Slot = NULL; + key->pkcs11ID = CK_INVALID_HANDLE; + return key; +} + +static SECKEYPublicKey* nss_buf2ecdsa(unsigned char* key, size_t len, int algo) +{ + SECKEYPublicKey* pk; + SECItem pub = {siBuffer, NULL, 0}; + SECItem params = {siBuffer, NULL, 0}; + static unsigned char param256[] = { + /* OBJECTIDENTIFIER 1.2.840.10045.3.1.7 (P-256) + * {iso(1) member-body(2) us(840) ansi-x962(10045) curves(3) prime(1) prime256v1(7)} */ + 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07 + }; + static unsigned char param384[] = { + /* OBJECTIDENTIFIER 1.3.132.0.34 (P-384) + * {iso(1) identified-organization(3) certicom(132) curve(0) ansip384r1(34)} */ + 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22 + }; + unsigned char buf[256+2]; /* sufficient for 2*384/8+1 */ + + /* check length, which uncompressed must be 2 bignums */ + if(algo == LDNS_ECDSAP256SHA256) { + if(len != 2*256/8) return NULL; + /* ECCurve_X9_62_PRIME_256V1 */ + } else if(algo == LDNS_ECDSAP384SHA384) { + if(len != 2*384/8) return NULL; + /* ECCurve_X9_62_PRIME_384R1 */ + } else return NULL; + + buf[0] = 0x04; /* POINT_FORM_UNCOMPRESSED */ + memmove(buf+1, key, len); + pub.data = buf; + pub.len = len+1; + if(algo == LDNS_ECDSAP256SHA256) { + params.data = param256; + params.len = sizeof(param256); + } else { + params.data = param384; + params.len = sizeof(param384); + } + + pk = nss_key_create(ecKey); + if(!pk) + return NULL; + pk->u.ec.size = (len/2)*8; + if(SECITEM_CopyItem(pk->arena, &pk->u.ec.publicValue, &pub)) { + SECKEY_DestroyPublicKey(pk); + return NULL; + } + if(SECITEM_CopyItem(pk->arena, &pk->u.ec.DEREncodedParams, ¶ms)) { + SECKEY_DestroyPublicKey(pk); + return NULL; + } + + return pk; +} + +static SECKEYPublicKey* nss_buf2dsa(unsigned char* key, size_t len) +{ + SECKEYPublicKey* pk; + uint8_t T; + uint16_t length; + uint16_t offset; + SECItem Q = {siBuffer, NULL, 0}; + SECItem P = {siBuffer, NULL, 0}; + SECItem G = {siBuffer, NULL, 0}; + SECItem Y = {siBuffer, NULL, 0}; + + if(len == 0) + return NULL; + T = (uint8_t)key[0]; + length = (64 + T * 8); + offset = 1; + + if (T > 8) { + return NULL; + } + if(len < (size_t)1 + SHA1_LENGTH + 3*length) + return NULL; + + Q.data = key+offset; + Q.len = SHA1_LENGTH; + offset += SHA1_LENGTH; + + P.data = key+offset; + P.len = length; + offset += length; + + G.data = key+offset; + G.len = length; + offset += length; + + Y.data = key+offset; + Y.len = length; + offset += length; + + pk = nss_key_create(dsaKey); + if(!pk) + return NULL; + if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.prime, &P)) { + SECKEY_DestroyPublicKey(pk); + return NULL; + } + if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.subPrime, &Q)) { + SECKEY_DestroyPublicKey(pk); + return NULL; + } + if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.base, &G)) { + SECKEY_DestroyPublicKey(pk); + return NULL; + } + if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.publicValue, &Y)) { + SECKEY_DestroyPublicKey(pk); + return NULL; + } + return pk; +} + +static SECKEYPublicKey* nss_buf2rsa(unsigned char* key, size_t len) +{ + SECKEYPublicKey* pk; + uint16_t exp; + uint16_t offset; + uint16_t int16; + SECItem modulus = {siBuffer, NULL, 0}; + SECItem exponent = {siBuffer, NULL, 0}; + if(len == 0) + return NULL; + if(key[0] == 0) { + if(len < 3) + return NULL; + /* the exponent is too large so it's places further */ + memmove(&int16, key+1, 2); + exp = ntohs(int16); + offset = 3; + } else { + exp = key[0]; + offset = 1; + } + + /* key length at least one */ + if(len < (size_t)offset + exp + 1) + return NULL; + + exponent.data = key+offset; + exponent.len = exp; + offset += exp; + modulus.data = key+offset; + modulus.len = (len - offset); + + pk = nss_key_create(rsaKey); + if(!pk) + return NULL; + if(SECITEM_CopyItem(pk->arena, &pk->u.rsa.modulus, &modulus)) { + SECKEY_DestroyPublicKey(pk); + return NULL; + } + if(SECITEM_CopyItem(pk->arena, &pk->u.rsa.publicExponent, &exponent)) { + SECKEY_DestroyPublicKey(pk); + return NULL; + } + return pk; +} + +/** + * Setup key and digest for verification. Adjust sig if necessary. + * + * @param algo: key algorithm + * @param evp_key: EVP PKEY public key to create. + * @param digest_type: digest type to use + * @param key: key to setup for. + * @param keylen: length of key. + * @param prefix: if returned, the ASN prefix for the hashblob. + * @param prefixlen: length of the prefix. + * @return false on failure. + */ +static int +nss_setup_key_digest(int algo, SECKEYPublicKey** pubkey, HASH_HashType* htype, + unsigned char* key, size_t keylen, unsigned char** prefix, + size_t* prefixlen) +{ + /* uses libNSS */ + + /* hash prefix for md5, RFC2537 */ + static unsigned char p_md5[] = {0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a, + 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 0x04, 0x10}; + /* hash prefix to prepend to hash output, from RFC3110 */ + static unsigned char p_sha1[] = {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B, + 0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14}; + /* from RFC5702 */ + static unsigned char p_sha256[] = {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, + 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20}; + static unsigned char p_sha512[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, + 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40}; + /* from RFC6234 */ + /* for future RSASHA384 .. + static unsigned char p_sha384[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, + 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30}; + */ + + switch(algo) { + case LDNS_DSA: + case LDNS_DSA_NSEC3: + *pubkey = nss_buf2dsa(key, keylen); + if(!*pubkey) { + log_err("verify: malloc failure in crypto"); + return 0; + } + *htype = HASH_AlgSHA1; + /* no prefix for DSA verification */ + break; + case LDNS_RSASHA1: + case LDNS_RSASHA1_NSEC3: +#ifdef USE_SHA2 + case LDNS_RSASHA256: +#endif +#ifdef USE_SHA2 + case LDNS_RSASHA512: +#endif + *pubkey = nss_buf2rsa(key, keylen); + if(!*pubkey) { + log_err("verify: malloc failure in crypto"); + return 0; + } + /* select SHA version */ +#ifdef USE_SHA2 + if(algo == LDNS_RSASHA256) { + *htype = HASH_AlgSHA256; + *prefix = p_sha256; + *prefixlen = sizeof(p_sha256); + } else +#endif +#ifdef USE_SHA2 + if(algo == LDNS_RSASHA512) { + *htype = HASH_AlgSHA512; + *prefix = p_sha512; + *prefixlen = sizeof(p_sha512); + } else +#endif + { + *htype = HASH_AlgSHA1; + *prefix = p_sha1; + *prefixlen = sizeof(p_sha1); + } + + break; + case LDNS_RSAMD5: + *pubkey = nss_buf2rsa(key, keylen); + if(!*pubkey) { + log_err("verify: malloc failure in crypto"); + return 0; + } + *htype = HASH_AlgMD5; + *prefix = p_md5; + *prefixlen = sizeof(p_md5); + + break; +#ifdef USE_ECDSA + case LDNS_ECDSAP256SHA256: + *pubkey = nss_buf2ecdsa(key, keylen, + LDNS_ECDSAP256SHA256); + if(!*pubkey) { + log_err("verify: malloc failure in crypto"); + return 0; + } + *htype = HASH_AlgSHA256; + /* no prefix for DSA verification */ + break; + case LDNS_ECDSAP384SHA384: + *pubkey = nss_buf2ecdsa(key, keylen, + LDNS_ECDSAP384SHA384); + if(!*pubkey) { + log_err("verify: malloc failure in crypto"); + return 0; + } + *htype = HASH_AlgSHA384; + /* no prefix for DSA verification */ + break; +#endif /* USE_ECDSA */ + case LDNS_ECC_GOST: + default: + verbose(VERB_QUERY, "verify: unknown algorithm %d", + algo); + return 0; + } + return 1; +} + +/** + * Check a canonical sig+rrset and signature against a dnskey + * @param buf: buffer with data to verify, the first rrsig part and the + * canonicalized rrset. + * @param algo: DNSKEY algorithm. + * @param sigblock: signature rdata field from RRSIG + * @param sigblock_len: length of sigblock data. + * @param key: public key data from DNSKEY RR. + * @param keylen: length of keydata. + * @param reason: bogus reason in more detail. + * @return secure if verification succeeded, bogus on crypto failure, + * unchecked on format errors and alloc failures. + */ +enum sec_status +verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock, + unsigned int sigblock_len, unsigned char* key, unsigned int keylen, + char** reason) +{ + /* uses libNSS */ + /* large enough for the different hashes */ + unsigned char hash[HASH_LENGTH_MAX]; + unsigned char hash2[HASH_LENGTH_MAX*2]; + HASH_HashType htype = 0; + SECKEYPublicKey* pubkey = NULL; + SECItem secsig = {siBuffer, sigblock, sigblock_len}; + SECItem sechash = {siBuffer, hash, 0}; + SECStatus res; + unsigned char* prefix = NULL; /* prefix for hash, RFC3110, RFC5702 */ + size_t prefixlen = 0; + int err; + + if(!nss_setup_key_digest(algo, &pubkey, &htype, key, keylen, + &prefix, &prefixlen)) { + verbose(VERB_QUERY, "verify: failed to setup key"); + *reason = "use of key for crypto failed"; + SECKEY_DestroyPublicKey(pubkey); + return sec_status_bogus; + } + + /* need to convert DSA, ECDSA signatures? */ + if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3)) { + if(sigblock_len == 1+2*SHA1_LENGTH) { + secsig.data ++; + secsig.len --; + } else { + SECItem* p = DSAU_DecodeDerSig(&secsig); + if(!p) { + verbose(VERB_QUERY, "verify: failed DER decode"); + *reason = "signature DER decode failed"; + SECKEY_DestroyPublicKey(pubkey); + return sec_status_bogus; + } + if(SECITEM_CopyItem(pubkey->arena, &secsig, p)) { + log_err("alloc failure in DER decode"); + SECKEY_DestroyPublicKey(pubkey); + SECITEM_FreeItem(p, PR_TRUE); + return sec_status_unchecked; + } + SECITEM_FreeItem(p, PR_TRUE); + } + } + + /* do the signature cryptography work */ + /* hash the data */ + sechash.len = HASH_ResultLen(htype); + if(sechash.len > sizeof(hash)) { + verbose(VERB_QUERY, "verify: hash too large for buffer"); + SECKEY_DestroyPublicKey(pubkey); + return sec_status_unchecked; + } + if(HASH_HashBuf(htype, hash, (unsigned char*)sldns_buffer_begin(buf), + (unsigned int)sldns_buffer_limit(buf)) != SECSuccess) { + verbose(VERB_QUERY, "verify: HASH_HashBuf failed"); + SECKEY_DestroyPublicKey(pubkey); + return sec_status_unchecked; + } + if(prefix) { + int hashlen = sechash.len; + if(prefixlen+hashlen > sizeof(hash2)) { + verbose(VERB_QUERY, "verify: hashprefix too large"); + SECKEY_DestroyPublicKey(pubkey); + return sec_status_unchecked; + } + sechash.data = hash2; + sechash.len = prefixlen+hashlen; + memcpy(sechash.data, prefix, prefixlen); + memmove(sechash.data+prefixlen, hash, hashlen); + } + + /* verify the signature */ + res = PK11_Verify(pubkey, &secsig, &sechash, NULL /*wincx*/); + SECKEY_DestroyPublicKey(pubkey); + + if(res == SECSuccess) { + return sec_status_secure; + } + err = PORT_GetError(); + if(err != SEC_ERROR_BAD_SIGNATURE) { + /* failed to verify */ + verbose(VERB_QUERY, "verify: PK11_Verify failed: %s", + PORT_ErrorToString(err)); + /* if it is not supported, like ECC is removed, we get, + * SEC_ERROR_NO_MODULE */ + if(err == SEC_ERROR_NO_MODULE) + return sec_status_unchecked; + /* but other errors are commonly returned + * for a bad signature from NSS. Thus we return bogus, + * not unchecked */ + *reason = "signature crypto failed"; + return sec_status_bogus; + } + verbose(VERB_QUERY, "verify: signature mismatch: %s", + PORT_ErrorToString(err)); + *reason = "signature crypto failed"; + return sec_status_bogus; +} + + +#endif /* HAVE_SSL or HAVE_NSS */ |