xref: /freebsd/contrib/unbound/validator/val_secalgo.c (revision 0caf9bf62de0dda2ae80086492a38c6ee3eeff9d)
1 /*
2  * validator/val_secalgo.c - validator security algorithm functions.
3  *
4  * Copyright (c) 2012, NLnet Labs. All rights reserved.
5  *
6  * This software is open source.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * Redistributions of source code must retain the above copyright notice,
13  * this list of conditions and the following disclaimer.
14  *
15  * Redistributions in binary form must reproduce the above copyright notice,
16  * this list of conditions and the following disclaimer in the documentation
17  * and/or other materials provided with the distribution.
18  *
19  * Neither the name of the NLNET LABS nor the names of its contributors may
20  * be used to endorse or promote products derived from this software without
21  * specific prior written permission.
22  *
23  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26  * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27  * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29  * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31  * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32  * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34  */
35 
36 /**
37  * \file
38  *
39  * This file contains helper functions for the validator module.
40  * These functions take raw data buffers, formatted for crypto verification,
41  * and do the library calls (for the crypto library in use).
42  */
43 #include "config.h"
44 /* packed_rrset on top to define enum types (forced by c99 standard) */
45 #include "util/data/packed_rrset.h"
46 #include "validator/val_secalgo.h"
47 #include "validator/val_nsec3.h"
48 #include "util/log.h"
49 #include "sldns/rrdef.h"
50 #include "sldns/keyraw.h"
51 #include "sldns/sbuffer.h"
52 
53 #if !defined(HAVE_SSL) && !defined(HAVE_NSS) && !defined(HAVE_NETTLE)
54 #error "Need crypto library to do digital signature cryptography"
55 #endif
56 
57 /* OpenSSL implementation */
58 #ifdef HAVE_SSL
59 #ifdef HAVE_OPENSSL_ERR_H
60 #include <openssl/err.h>
61 #endif
62 
63 #ifdef HAVE_OPENSSL_RAND_H
64 #include <openssl/rand.h>
65 #endif
66 
67 #ifdef HAVE_OPENSSL_CONF_H
68 #include <openssl/conf.h>
69 #endif
70 
71 #ifdef HAVE_OPENSSL_ENGINE_H
72 #include <openssl/engine.h>
73 #endif
74 
75 /** fake DSA support for unit tests */
76 int fake_dsa = 0;
77 /** fake SHA1 support for unit tests */
78 int fake_sha1 = 0;
79 
80 /**
81  * Output a libcrypto openssl error to the logfile.
82  * @param str: string to add to it.
83  * @param e: the error to output, error number from ERR_get_error().
84  */
85 static void
86 log_crypto_error(const char* str, unsigned long e)
87 {
88 	char buf[128];
89 	/* or use ERR_error_string if ERR_error_string_n is not avail TODO */
90 	ERR_error_string_n(e, buf, sizeof(buf));
91 	/* buf now contains */
92 	/* error:[error code]:[library name]:[function name]:[reason string] */
93 	log_err("%s crypto %s", str, buf);
94 }
95 
96 /* return size of digest if supported, or 0 otherwise */
97 size_t
98 nsec3_hash_algo_size_supported(int id)
99 {
100 	switch(id) {
101 	case NSEC3_HASH_SHA1:
102 		return SHA_DIGEST_LENGTH;
103 	default:
104 		return 0;
105 	}
106 }
107 
108 /* perform nsec3 hash. return false on failure */
109 int
110 secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
111         unsigned char* res)
112 {
113 	switch(algo) {
114 	case NSEC3_HASH_SHA1:
115 #ifdef OPENSSL_FIPS
116 		if(!sldns_digest_evp(buf, len, res, EVP_sha1()))
117 			log_crypto_error("could not digest with EVP_sha1",
118 				ERR_get_error());
119 #else
120 		(void)SHA1(buf, len, res);
121 #endif
122 		return 1;
123 	default:
124 		return 0;
125 	}
126 }
127 
128 void
129 secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res)
130 {
131 #ifdef OPENSSL_FIPS
132 	if(!sldns_digest_evp(buf, len, res, EVP_sha256()))
133 		log_crypto_error("could not digest with EVP_sha256",
134 			ERR_get_error());
135 #else
136 	(void)SHA256(buf, len, res);
137 #endif
138 }
139 
140 /**
141  * Return size of DS digest according to its hash algorithm.
142  * @param algo: DS digest algo.
143  * @return size in bytes of digest, or 0 if not supported.
144  */
145 size_t
146 ds_digest_size_supported(int algo)
147 {
148 	switch(algo) {
149 		case LDNS_SHA1:
150 #if defined(HAVE_EVP_SHA1) && defined(USE_SHA1)
151 			return SHA_DIGEST_LENGTH;
152 #else
153 			if(fake_sha1) return 20;
154 			return 0;
155 #endif
156 #ifdef HAVE_EVP_SHA256
157 		case LDNS_SHA256:
158 			return SHA256_DIGEST_LENGTH;
159 #endif
160 #ifdef USE_GOST
161 		case LDNS_HASH_GOST:
162 			/* we support GOST if it can be loaded */
163 			(void)sldns_key_EVP_load_gost_id();
164 			if(EVP_get_digestbyname("md_gost94"))
165 				return 32;
166 			else	return 0;
167 #endif
168 #ifdef USE_ECDSA
169 		case LDNS_SHA384:
170 			return SHA384_DIGEST_LENGTH;
171 #endif
172 		default: break;
173 	}
174 	return 0;
175 }
176 
177 #ifdef USE_GOST
178 /** Perform GOST hash */
179 static int
180 do_gost94(unsigned char* data, size_t len, unsigned char* dest)
181 {
182 	const EVP_MD* md = EVP_get_digestbyname("md_gost94");
183 	if(!md)
184 		return 0;
185 	return sldns_digest_evp(data, (unsigned int)len, dest, md);
186 }
187 #endif
188 
189 int
190 secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
191 	unsigned char* res)
192 {
193 	switch(algo) {
194 #if defined(HAVE_EVP_SHA1) && defined(USE_SHA1)
195 		case LDNS_SHA1:
196 #ifdef OPENSSL_FIPS
197 			if(!sldns_digest_evp(buf, len, res, EVP_sha1()))
198 				log_crypto_error("could not digest with EVP_sha1",
199 					ERR_get_error());
200 #else
201 			(void)SHA1(buf, len, res);
202 #endif
203 			return 1;
204 #endif
205 #ifdef HAVE_EVP_SHA256
206 		case LDNS_SHA256:
207 #ifdef OPENSSL_FIPS
208 			if(!sldns_digest_evp(buf, len, res, EVP_sha256()))
209 				log_crypto_error("could not digest with EVP_sha256",
210 					ERR_get_error());
211 #else
212 			(void)SHA256(buf, len, res);
213 #endif
214 			return 1;
215 #endif
216 #ifdef USE_GOST
217 		case LDNS_HASH_GOST:
218 			if(do_gost94(buf, len, res))
219 				return 1;
220 			break;
221 #endif
222 #ifdef USE_ECDSA
223 		case LDNS_SHA384:
224 #ifdef OPENSSL_FIPS
225 			if(!sldns_digest_evp(buf, len, res, EVP_sha384()))
226 				log_crypto_error("could not digest with EVP_sha384",
227 					ERR_get_error());
228 #else
229 			(void)SHA384(buf, len, res);
230 #endif
231 			return 1;
232 #endif
233 		default:
234 			verbose(VERB_QUERY, "unknown DS digest algorithm %d",
235 				algo);
236 			break;
237 	}
238 	return 0;
239 }
240 
241 /** return true if DNSKEY algorithm id is supported */
242 int
243 dnskey_algo_id_is_supported(int id)
244 {
245 	switch(id) {
246 	case LDNS_RSAMD5:
247 		/* RFC 6725 deprecates RSAMD5 */
248 		return 0;
249 	case LDNS_DSA:
250 	case LDNS_DSA_NSEC3:
251 #if defined(USE_DSA) && defined(USE_SHA1)
252 		return 1;
253 #else
254 		if(fake_dsa || fake_sha1) return 1;
255 		return 0;
256 #endif
257 
258 	case LDNS_RSASHA1:
259 	case LDNS_RSASHA1_NSEC3:
260 #ifdef USE_SHA1
261 		return 1;
262 #else
263 		if(fake_sha1) return 1;
264 		return 0;
265 #endif
266 
267 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
268 	case LDNS_RSASHA256:
269 #endif
270 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
271 	case LDNS_RSASHA512:
272 #endif
273 #ifdef USE_ECDSA
274 	case LDNS_ECDSAP256SHA256:
275 	case LDNS_ECDSAP384SHA384:
276 #endif
277 #ifdef USE_ED25519
278 	case LDNS_ED25519:
279 #endif
280 #ifdef USE_ED448
281 	case LDNS_ED448:
282 #endif
283 #if (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2)) || defined(USE_ECDSA) || defined(USE_ED25519) || defined(USE_ED448)
284 		return 1;
285 #endif
286 
287 #ifdef USE_GOST
288 	case LDNS_ECC_GOST:
289 		/* we support GOST if it can be loaded */
290 		return sldns_key_EVP_load_gost_id();
291 #endif
292 	default:
293 		return 0;
294 	}
295 }
296 
297 #ifdef USE_DSA
298 /**
299  * Setup DSA key digest in DER encoding ...
300  * @param sig: input is signature output alloced ptr (unless failure).
301  * 	caller must free alloced ptr if this routine returns true.
302  * @param len: input is initial siglen, output is output len.
303  * @return false on failure.
304  */
305 static int
306 setup_dsa_sig(unsigned char** sig, unsigned int* len)
307 {
308 	unsigned char* orig = *sig;
309 	unsigned int origlen = *len;
310 	int newlen;
311 	BIGNUM *R, *S;
312 	DSA_SIG *dsasig;
313 
314 	/* extract the R and S field from the sig buffer */
315 	if(origlen < 1 + 2*SHA_DIGEST_LENGTH)
316 		return 0;
317 	R = BN_new();
318 	if(!R) return 0;
319 	(void) BN_bin2bn(orig + 1, SHA_DIGEST_LENGTH, R);
320 	S = BN_new();
321 	if(!S) return 0;
322 	(void) BN_bin2bn(orig + 21, SHA_DIGEST_LENGTH, S);
323 	dsasig = DSA_SIG_new();
324 	if(!dsasig) return 0;
325 
326 #ifdef HAVE_DSA_SIG_SET0
327 	if(!DSA_SIG_set0(dsasig, R, S)) return 0;
328 #else
329 	dsasig->r = R;
330 	dsasig->s = S;
331 #endif
332 	*sig = NULL;
333 	newlen = i2d_DSA_SIG(dsasig, sig);
334 	if(newlen < 0) {
335 		DSA_SIG_free(dsasig);
336 		free(*sig);
337 		return 0;
338 	}
339 	*len = (unsigned int)newlen;
340 	DSA_SIG_free(dsasig);
341 	return 1;
342 }
343 #endif /* USE_DSA */
344 
345 #ifdef USE_ECDSA
346 /**
347  * Setup the ECDSA signature in its encoding that the library wants.
348  * Converts from plain numbers to ASN formatted.
349  * @param sig: input is signature, output alloced ptr (unless failure).
350  * 	caller must free alloced ptr if this routine returns true.
351  * @param len: input is initial siglen, output is output len.
352  * @return false on failure.
353  */
354 static int
355 setup_ecdsa_sig(unsigned char** sig, unsigned int* len)
356 {
357         /* convert from two BIGNUMs in the rdata buffer, to ASN notation.
358 	 * ASN preamble: 30440220 <R 32bytefor256> 0220 <S 32bytefor256>
359 	 * the '20' is the length of that field (=bnsize).
360 i	 * the '44' is the total remaining length.
361 	 * if negative, start with leading zero.
362 	 * if starts with 00s, remove them from the number.
363 	 */
364         uint8_t pre[] = {0x30, 0x44, 0x02, 0x20};
365         int pre_len = 4;
366         uint8_t mid[] = {0x02, 0x20};
367         int mid_len = 2;
368         int raw_sig_len, r_high, s_high, r_rem=0, s_rem=0;
369 	int bnsize = (int)((*len)/2);
370         unsigned char* d = *sig;
371 	uint8_t* p;
372 	/* if too short or not even length, fails */
373 	if(*len < 16 || bnsize*2 != (int)*len)
374 		return 0;
375 
376         /* strip leading zeroes from r (but not last one) */
377         while(r_rem < bnsize-1 && d[r_rem] == 0)
378                 r_rem++;
379         /* strip leading zeroes from s (but not last one) */
380         while(s_rem < bnsize-1 && d[bnsize+s_rem] == 0)
381                 s_rem++;
382 
383         r_high = ((d[0+r_rem]&0x80)?1:0);
384         s_high = ((d[bnsize+s_rem]&0x80)?1:0);
385         raw_sig_len = pre_len + r_high + bnsize - r_rem + mid_len +
386                 s_high + bnsize - s_rem;
387 	*sig = (unsigned char*)malloc((size_t)raw_sig_len);
388 	if(!*sig)
389 		return 0;
390 	p = (uint8_t*)*sig;
391 	p[0] = pre[0];
392 	p[1] = (uint8_t)(raw_sig_len-2);
393 	p[2] = pre[2];
394 	p[3] = (uint8_t)(bnsize + r_high - r_rem);
395 	p += 4;
396 	if(r_high) {
397 		*p = 0;
398 		p += 1;
399 	}
400 	memmove(p, d+r_rem, (size_t)bnsize-r_rem);
401 	p += bnsize-r_rem;
402 	memmove(p, mid, (size_t)mid_len-1);
403 	p += mid_len-1;
404 	*p = (uint8_t)(bnsize + s_high - s_rem);
405 	p += 1;
406         if(s_high) {
407 		*p = 0;
408 		p += 1;
409 	}
410 	memmove(p, d+bnsize+s_rem, (size_t)bnsize-s_rem);
411 	*len = (unsigned int)raw_sig_len;
412 	return 1;
413 }
414 #endif /* USE_ECDSA */
415 
416 #ifdef USE_ECDSA_EVP_WORKAROUND
417 static EVP_MD ecdsa_evp_256_md;
418 static EVP_MD ecdsa_evp_384_md;
419 void ecdsa_evp_workaround_init(void)
420 {
421 	/* openssl before 1.0.0 fixes RSA with the SHA256
422 	 * hash in EVP.  We create one for ecdsa_sha256 */
423 	ecdsa_evp_256_md = *EVP_sha256();
424 	ecdsa_evp_256_md.required_pkey_type[0] = EVP_PKEY_EC;
425 	ecdsa_evp_256_md.verify = (void*)ECDSA_verify;
426 
427 	ecdsa_evp_384_md = *EVP_sha384();
428 	ecdsa_evp_384_md.required_pkey_type[0] = EVP_PKEY_EC;
429 	ecdsa_evp_384_md.verify = (void*)ECDSA_verify;
430 }
431 #endif /* USE_ECDSA_EVP_WORKAROUND */
432 
433 /**
434  * Setup key and digest for verification. Adjust sig if necessary.
435  *
436  * @param algo: key algorithm
437  * @param evp_key: EVP PKEY public key to create.
438  * @param digest_type: digest type to use
439  * @param key: key to setup for.
440  * @param keylen: length of key.
441  * @return false on failure.
442  */
443 static int
444 setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type,
445 	unsigned char* key, size_t keylen)
446 {
447 #if defined(USE_DSA) && defined(USE_SHA1)
448 	DSA* dsa;
449 #endif
450 	RSA* rsa;
451 
452 	switch(algo) {
453 #if defined(USE_DSA) && defined(USE_SHA1)
454 		case LDNS_DSA:
455 		case LDNS_DSA_NSEC3:
456 			*evp_key = EVP_PKEY_new();
457 			if(!*evp_key) {
458 				log_err("verify: malloc failure in crypto");
459 				return 0;
460 			}
461 			dsa = sldns_key_buf2dsa_raw(key, keylen);
462 			if(!dsa) {
463 				verbose(VERB_QUERY, "verify: "
464 					"sldns_key_buf2dsa_raw failed");
465 				return 0;
466 			}
467 			if(EVP_PKEY_assign_DSA(*evp_key, dsa) == 0) {
468 				verbose(VERB_QUERY, "verify: "
469 					"EVP_PKEY_assign_DSA failed");
470 				return 0;
471 			}
472 #ifdef HAVE_EVP_DSS1
473 			*digest_type = EVP_dss1();
474 #else
475 			*digest_type = EVP_sha1();
476 #endif
477 
478 			break;
479 #endif /* USE_DSA && USE_SHA1 */
480 
481 #if defined(USE_SHA1) || (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2))
482 #ifdef USE_SHA1
483 		case LDNS_RSASHA1:
484 		case LDNS_RSASHA1_NSEC3:
485 #endif
486 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
487 		case LDNS_RSASHA256:
488 #endif
489 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
490 		case LDNS_RSASHA512:
491 #endif
492 			*evp_key = EVP_PKEY_new();
493 			if(!*evp_key) {
494 				log_err("verify: malloc failure in crypto");
495 				return 0;
496 			}
497 			rsa = sldns_key_buf2rsa_raw(key, keylen);
498 			if(!rsa) {
499 				verbose(VERB_QUERY, "verify: "
500 					"sldns_key_buf2rsa_raw SHA failed");
501 				return 0;
502 			}
503 			if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) {
504 				verbose(VERB_QUERY, "verify: "
505 					"EVP_PKEY_assign_RSA SHA failed");
506 				return 0;
507 			}
508 
509 			/* select SHA version */
510 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
511 			if(algo == LDNS_RSASHA256)
512 				*digest_type = EVP_sha256();
513 			else
514 #endif
515 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
516 				if(algo == LDNS_RSASHA512)
517 				*digest_type = EVP_sha512();
518 			else
519 #endif
520 #ifdef USE_SHA1
521 				*digest_type = EVP_sha1();
522 #else
523 				{ verbose(VERB_QUERY, "no digest available"); return 0; }
524 #endif
525 			break;
526 #endif /* defined(USE_SHA1) || (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2)) */
527 
528 		case LDNS_RSAMD5:
529 			*evp_key = EVP_PKEY_new();
530 			if(!*evp_key) {
531 				log_err("verify: malloc failure in crypto");
532 				return 0;
533 			}
534 			rsa = sldns_key_buf2rsa_raw(key, keylen);
535 			if(!rsa) {
536 				verbose(VERB_QUERY, "verify: "
537 					"sldns_key_buf2rsa_raw MD5 failed");
538 				return 0;
539 			}
540 			if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) {
541 				verbose(VERB_QUERY, "verify: "
542 					"EVP_PKEY_assign_RSA MD5 failed");
543 				return 0;
544 			}
545 			*digest_type = EVP_md5();
546 
547 			break;
548 #ifdef USE_GOST
549 		case LDNS_ECC_GOST:
550 			*evp_key = sldns_gost2pkey_raw(key, keylen);
551 			if(!*evp_key) {
552 				verbose(VERB_QUERY, "verify: "
553 					"sldns_gost2pkey_raw failed");
554 				return 0;
555 			}
556 			*digest_type = EVP_get_digestbyname("md_gost94");
557 			if(!*digest_type) {
558 				verbose(VERB_QUERY, "verify: "
559 					"EVP_getdigest md_gost94 failed");
560 				return 0;
561 			}
562 			break;
563 #endif
564 #ifdef USE_ECDSA
565 		case LDNS_ECDSAP256SHA256:
566 			*evp_key = sldns_ecdsa2pkey_raw(key, keylen,
567 				LDNS_ECDSAP256SHA256);
568 			if(!*evp_key) {
569 				verbose(VERB_QUERY, "verify: "
570 					"sldns_ecdsa2pkey_raw failed");
571 				return 0;
572 			}
573 #ifdef USE_ECDSA_EVP_WORKAROUND
574 			*digest_type = &ecdsa_evp_256_md;
575 #else
576 			*digest_type = EVP_sha256();
577 #endif
578 			break;
579 		case LDNS_ECDSAP384SHA384:
580 			*evp_key = sldns_ecdsa2pkey_raw(key, keylen,
581 				LDNS_ECDSAP384SHA384);
582 			if(!*evp_key) {
583 				verbose(VERB_QUERY, "verify: "
584 					"sldns_ecdsa2pkey_raw failed");
585 				return 0;
586 			}
587 #ifdef USE_ECDSA_EVP_WORKAROUND
588 			*digest_type = &ecdsa_evp_384_md;
589 #else
590 			*digest_type = EVP_sha384();
591 #endif
592 			break;
593 #endif /* USE_ECDSA */
594 #ifdef USE_ED25519
595 		case LDNS_ED25519:
596 			*evp_key = sldns_ed255192pkey_raw(key, keylen);
597 			if(!*evp_key) {
598 				verbose(VERB_QUERY, "verify: "
599 					"sldns_ed255192pkey_raw failed");
600 				return 0;
601 			}
602 			*digest_type = NULL;
603 			break;
604 #endif /* USE_ED25519 */
605 #ifdef USE_ED448
606 		case LDNS_ED448:
607 			*evp_key = sldns_ed4482pkey_raw(key, keylen);
608 			if(!*evp_key) {
609 				verbose(VERB_QUERY, "verify: "
610 					"sldns_ed4482pkey_raw failed");
611 				return 0;
612 			}
613 			*digest_type = NULL;
614 			break;
615 #endif /* USE_ED448 */
616 		default:
617 			verbose(VERB_QUERY, "verify: unknown algorithm %d",
618 				algo);
619 			return 0;
620 	}
621 	return 1;
622 }
623 
624 /**
625  * Check a canonical sig+rrset and signature against a dnskey
626  * @param buf: buffer with data to verify, the first rrsig part and the
627  *	canonicalized rrset.
628  * @param algo: DNSKEY algorithm.
629  * @param sigblock: signature rdata field from RRSIG
630  * @param sigblock_len: length of sigblock data.
631  * @param key: public key data from DNSKEY RR.
632  * @param keylen: length of keydata.
633  * @param reason: bogus reason in more detail.
634  * @return secure if verification succeeded, bogus on crypto failure,
635  *	unchecked on format errors and alloc failures.
636  */
637 enum sec_status
638 verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
639 	unsigned int sigblock_len, unsigned char* key, unsigned int keylen,
640 	char** reason)
641 {
642 	const EVP_MD *digest_type;
643 	EVP_MD_CTX* ctx;
644 	int res, dofree = 0, docrypto_free = 0;
645 	EVP_PKEY *evp_key = NULL;
646 
647 #ifndef USE_DSA
648 	if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) &&(fake_dsa||fake_sha1))
649 		return sec_status_secure;
650 #endif
651 #ifndef USE_SHA1
652 	if(fake_sha1 && (algo == LDNS_DSA || algo == LDNS_DSA_NSEC3 || algo == LDNS_RSASHA1 || algo == LDNS_RSASHA1_NSEC3))
653 		return sec_status_secure;
654 #endif
655 
656 	if(!setup_key_digest(algo, &evp_key, &digest_type, key, keylen)) {
657 		verbose(VERB_QUERY, "verify: failed to setup key");
658 		*reason = "use of key for crypto failed";
659 		EVP_PKEY_free(evp_key);
660 		return sec_status_bogus;
661 	}
662 #ifdef USE_DSA
663 	/* if it is a DSA signature in bind format, convert to DER format */
664 	if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) &&
665 		sigblock_len == 1+2*SHA_DIGEST_LENGTH) {
666 		if(!setup_dsa_sig(&sigblock, &sigblock_len)) {
667 			verbose(VERB_QUERY, "verify: failed to setup DSA sig");
668 			*reason = "use of key for DSA crypto failed";
669 			EVP_PKEY_free(evp_key);
670 			return sec_status_bogus;
671 		}
672 		docrypto_free = 1;
673 	}
674 #endif
675 #if defined(USE_ECDSA) && defined(USE_DSA)
676 	else
677 #endif
678 #ifdef USE_ECDSA
679 	if(algo == LDNS_ECDSAP256SHA256 || algo == LDNS_ECDSAP384SHA384) {
680 		/* EVP uses ASN prefix on sig, which is not in the wire data */
681 		if(!setup_ecdsa_sig(&sigblock, &sigblock_len)) {
682 			verbose(VERB_QUERY, "verify: failed to setup ECDSA sig");
683 			*reason = "use of signature for ECDSA crypto failed";
684 			EVP_PKEY_free(evp_key);
685 			return sec_status_bogus;
686 		}
687 		dofree = 1;
688 	}
689 #endif /* USE_ECDSA */
690 
691 	/* do the signature cryptography work */
692 #ifdef HAVE_EVP_MD_CTX_NEW
693 	ctx = EVP_MD_CTX_new();
694 #else
695 	ctx = (EVP_MD_CTX*)malloc(sizeof(*ctx));
696 	if(ctx) EVP_MD_CTX_init(ctx);
697 #endif
698 	if(!ctx) {
699 		log_err("EVP_MD_CTX_new: malloc failure");
700 		EVP_PKEY_free(evp_key);
701 		if(dofree) free(sigblock);
702 		else if(docrypto_free) OPENSSL_free(sigblock);
703 		return sec_status_unchecked;
704 	}
705 #ifndef HAVE_EVP_DIGESTVERIFY
706 	if(EVP_DigestInit(ctx, digest_type) == 0) {
707 		verbose(VERB_QUERY, "verify: EVP_DigestInit failed");
708 #ifdef HAVE_EVP_MD_CTX_NEW
709 		EVP_MD_CTX_destroy(ctx);
710 #else
711 		EVP_MD_CTX_cleanup(ctx);
712 		free(ctx);
713 #endif
714 		EVP_PKEY_free(evp_key);
715 		if(dofree) free(sigblock);
716 		else if(docrypto_free) OPENSSL_free(sigblock);
717 		return sec_status_unchecked;
718 	}
719 	if(EVP_DigestUpdate(ctx, (unsigned char*)sldns_buffer_begin(buf),
720 		(unsigned int)sldns_buffer_limit(buf)) == 0) {
721 		verbose(VERB_QUERY, "verify: EVP_DigestUpdate failed");
722 #ifdef HAVE_EVP_MD_CTX_NEW
723 		EVP_MD_CTX_destroy(ctx);
724 #else
725 		EVP_MD_CTX_cleanup(ctx);
726 		free(ctx);
727 #endif
728 		EVP_PKEY_free(evp_key);
729 		if(dofree) free(sigblock);
730 		else if(docrypto_free) OPENSSL_free(sigblock);
731 		return sec_status_unchecked;
732 	}
733 
734 	res = EVP_VerifyFinal(ctx, sigblock, sigblock_len, evp_key);
735 #else /* HAVE_EVP_DIGESTVERIFY */
736 	if(EVP_DigestVerifyInit(ctx, NULL, digest_type, NULL, evp_key) == 0) {
737 		verbose(VERB_QUERY, "verify: EVP_DigestVerifyInit failed");
738 #ifdef HAVE_EVP_MD_CTX_NEW
739 		EVP_MD_CTX_destroy(ctx);
740 #else
741 		EVP_MD_CTX_cleanup(ctx);
742 		free(ctx);
743 #endif
744 		EVP_PKEY_free(evp_key);
745 		if(dofree) free(sigblock);
746 		else if(docrypto_free) OPENSSL_free(sigblock);
747 		return sec_status_unchecked;
748 	}
749 	res = EVP_DigestVerify(ctx, sigblock, sigblock_len,
750 		(unsigned char*)sldns_buffer_begin(buf),
751 		sldns_buffer_limit(buf));
752 #endif
753 #ifdef HAVE_EVP_MD_CTX_NEW
754 	EVP_MD_CTX_destroy(ctx);
755 #else
756 	EVP_MD_CTX_cleanup(ctx);
757 	free(ctx);
758 #endif
759 	EVP_PKEY_free(evp_key);
760 
761 	if(dofree) free(sigblock);
762 	else if(docrypto_free) OPENSSL_free(sigblock);
763 
764 	if(res == 1) {
765 		return sec_status_secure;
766 	} else if(res == 0) {
767 		verbose(VERB_QUERY, "verify: signature mismatch");
768 		*reason = "signature crypto failed";
769 		return sec_status_bogus;
770 	}
771 
772 	log_crypto_error("verify:", ERR_get_error());
773 	return sec_status_unchecked;
774 }
775 
776 /**************************************************/
777 #elif defined(HAVE_NSS)
778 /* libnss implementation */
779 /* nss3 */
780 #include "sechash.h"
781 #include "pk11pub.h"
782 #include "keyhi.h"
783 #include "secerr.h"
784 #include "cryptohi.h"
785 /* nspr4 */
786 #include "prerror.h"
787 
788 /* return size of digest if supported, or 0 otherwise */
789 size_t
790 nsec3_hash_algo_size_supported(int id)
791 {
792 	switch(id) {
793 	case NSEC3_HASH_SHA1:
794 		return SHA1_LENGTH;
795 	default:
796 		return 0;
797 	}
798 }
799 
800 /* perform nsec3 hash. return false on failure */
801 int
802 secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
803         unsigned char* res)
804 {
805 	switch(algo) {
806 	case NSEC3_HASH_SHA1:
807 		(void)HASH_HashBuf(HASH_AlgSHA1, res, buf, (unsigned long)len);
808 		return 1;
809 	default:
810 		return 0;
811 	}
812 }
813 
814 void
815 secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res)
816 {
817 	(void)HASH_HashBuf(HASH_AlgSHA256, res, buf, (unsigned long)len);
818 }
819 
820 size_t
821 ds_digest_size_supported(int algo)
822 {
823 	/* uses libNSS */
824 	switch(algo) {
825 #ifdef USE_SHA1
826 		case LDNS_SHA1:
827 			return SHA1_LENGTH;
828 #endif
829 #ifdef USE_SHA2
830 		case LDNS_SHA256:
831 			return SHA256_LENGTH;
832 #endif
833 #ifdef USE_ECDSA
834 		case LDNS_SHA384:
835 			return SHA384_LENGTH;
836 #endif
837 		/* GOST not supported in NSS */
838 		case LDNS_HASH_GOST:
839 		default: break;
840 	}
841 	return 0;
842 }
843 
844 int
845 secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
846 	unsigned char* res)
847 {
848 	/* uses libNSS */
849 	switch(algo) {
850 #ifdef USE_SHA1
851 		case LDNS_SHA1:
852 			return HASH_HashBuf(HASH_AlgSHA1, res, buf, len)
853 				== SECSuccess;
854 #endif
855 #if defined(USE_SHA2)
856 		case LDNS_SHA256:
857 			return HASH_HashBuf(HASH_AlgSHA256, res, buf, len)
858 				== SECSuccess;
859 #endif
860 #ifdef USE_ECDSA
861 		case LDNS_SHA384:
862 			return HASH_HashBuf(HASH_AlgSHA384, res, buf, len)
863 				== SECSuccess;
864 #endif
865 		case LDNS_HASH_GOST:
866 		default:
867 			verbose(VERB_QUERY, "unknown DS digest algorithm %d",
868 				algo);
869 			break;
870 	}
871 	return 0;
872 }
873 
874 int
875 dnskey_algo_id_is_supported(int id)
876 {
877 	/* uses libNSS */
878 	switch(id) {
879 	case LDNS_RSAMD5:
880 		/* RFC 6725 deprecates RSAMD5 */
881 		return 0;
882 #if defined(USE_SHA1) || defined(USE_SHA2)
883 #if defined(USE_DSA) && defined(USE_SHA1)
884 	case LDNS_DSA:
885 	case LDNS_DSA_NSEC3:
886 #endif
887 #ifdef USE_SHA1
888 	case LDNS_RSASHA1:
889 	case LDNS_RSASHA1_NSEC3:
890 #endif
891 #ifdef USE_SHA2
892 	case LDNS_RSASHA256:
893 #endif
894 #ifdef USE_SHA2
895 	case LDNS_RSASHA512:
896 #endif
897 		return 1;
898 #endif /* SHA1 or SHA2 */
899 
900 #ifdef USE_ECDSA
901 	case LDNS_ECDSAP256SHA256:
902 	case LDNS_ECDSAP384SHA384:
903 		return PK11_TokenExists(CKM_ECDSA);
904 #endif
905 	case LDNS_ECC_GOST:
906 	default:
907 		return 0;
908 	}
909 }
910 
911 /* return a new public key for NSS */
912 static SECKEYPublicKey* nss_key_create(KeyType ktype)
913 {
914 	SECKEYPublicKey* key;
915 	PLArenaPool* arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
916 	if(!arena) {
917 		log_err("out of memory, PORT_NewArena failed");
918 		return NULL;
919 	}
920 	key = PORT_ArenaZNew(arena, SECKEYPublicKey);
921 	if(!key) {
922 		log_err("out of memory, PORT_ArenaZNew failed");
923 		PORT_FreeArena(arena, PR_FALSE);
924 		return NULL;
925 	}
926 	key->arena = arena;
927 	key->keyType = ktype;
928 	key->pkcs11Slot = NULL;
929 	key->pkcs11ID = CK_INVALID_HANDLE;
930 	return key;
931 }
932 
933 static SECKEYPublicKey* nss_buf2ecdsa(unsigned char* key, size_t len, int algo)
934 {
935 	SECKEYPublicKey* pk;
936 	SECItem pub = {siBuffer, NULL, 0};
937 	SECItem params = {siBuffer, NULL, 0};
938 	static unsigned char param256[] = {
939 		/* OBJECTIDENTIFIER 1.2.840.10045.3.1.7 (P-256)
940 		 * {iso(1) member-body(2) us(840) ansi-x962(10045) curves(3) prime(1) prime256v1(7)} */
941 		0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07
942 	};
943 	static unsigned char param384[] = {
944 		/* OBJECTIDENTIFIER 1.3.132.0.34 (P-384)
945 		 * {iso(1) identified-organization(3) certicom(132) curve(0) ansip384r1(34)} */
946 		0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22
947 	};
948 	unsigned char buf[256+2]; /* sufficient for 2*384/8+1 */
949 
950 	/* check length, which uncompressed must be 2 bignums */
951 	if(algo == LDNS_ECDSAP256SHA256) {
952 		if(len != 2*256/8) return NULL;
953 		/* ECCurve_X9_62_PRIME_256V1 */
954 	} else if(algo == LDNS_ECDSAP384SHA384) {
955 		if(len != 2*384/8) return NULL;
956 		/* ECCurve_X9_62_PRIME_384R1 */
957 	} else    return NULL;
958 
959 	buf[0] = 0x04; /* POINT_FORM_UNCOMPRESSED */
960 	memmove(buf+1, key, len);
961 	pub.data = buf;
962 	pub.len = len+1;
963 	if(algo == LDNS_ECDSAP256SHA256) {
964 		params.data = param256;
965 		params.len = sizeof(param256);
966 	} else {
967 		params.data = param384;
968 		params.len = sizeof(param384);
969 	}
970 
971 	pk = nss_key_create(ecKey);
972 	if(!pk)
973 		return NULL;
974 	pk->u.ec.size = (len/2)*8;
975 	if(SECITEM_CopyItem(pk->arena, &pk->u.ec.publicValue, &pub)) {
976 		SECKEY_DestroyPublicKey(pk);
977 		return NULL;
978 	}
979 	if(SECITEM_CopyItem(pk->arena, &pk->u.ec.DEREncodedParams, &params)) {
980 		SECKEY_DestroyPublicKey(pk);
981 		return NULL;
982 	}
983 
984 	return pk;
985 }
986 
987 static SECKEYPublicKey* nss_buf2dsa(unsigned char* key, size_t len)
988 {
989 	SECKEYPublicKey* pk;
990 	uint8_t T;
991 	uint16_t length;
992 	uint16_t offset;
993 	SECItem Q = {siBuffer, NULL, 0};
994 	SECItem P = {siBuffer, NULL, 0};
995 	SECItem G = {siBuffer, NULL, 0};
996 	SECItem Y = {siBuffer, NULL, 0};
997 
998 	if(len == 0)
999 		return NULL;
1000 	T = (uint8_t)key[0];
1001 	length = (64 + T * 8);
1002 	offset = 1;
1003 
1004 	if (T > 8) {
1005 		return NULL;
1006 	}
1007 	if(len < (size_t)1 + SHA1_LENGTH + 3*length)
1008 		return NULL;
1009 
1010 	Q.data = key+offset;
1011 	Q.len = SHA1_LENGTH;
1012 	offset += SHA1_LENGTH;
1013 
1014 	P.data = key+offset;
1015 	P.len = length;
1016 	offset += length;
1017 
1018 	G.data = key+offset;
1019 	G.len = length;
1020 	offset += length;
1021 
1022 	Y.data = key+offset;
1023 	Y.len = length;
1024 	offset += length;
1025 
1026 	pk = nss_key_create(dsaKey);
1027 	if(!pk)
1028 		return NULL;
1029 	if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.prime, &P)) {
1030 		SECKEY_DestroyPublicKey(pk);
1031 		return NULL;
1032 	}
1033 	if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.subPrime, &Q)) {
1034 		SECKEY_DestroyPublicKey(pk);
1035 		return NULL;
1036 	}
1037 	if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.base, &G)) {
1038 		SECKEY_DestroyPublicKey(pk);
1039 		return NULL;
1040 	}
1041 	if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.publicValue, &Y)) {
1042 		SECKEY_DestroyPublicKey(pk);
1043 		return NULL;
1044 	}
1045 	return pk;
1046 }
1047 
1048 static SECKEYPublicKey* nss_buf2rsa(unsigned char* key, size_t len)
1049 {
1050 	SECKEYPublicKey* pk;
1051 	uint16_t exp;
1052 	uint16_t offset;
1053 	uint16_t int16;
1054 	SECItem modulus = {siBuffer, NULL, 0};
1055 	SECItem exponent = {siBuffer, NULL, 0};
1056 	if(len == 0)
1057 		return NULL;
1058 	if(key[0] == 0) {
1059 		if(len < 3)
1060 			return NULL;
1061 		/* the exponent is too large so it's places further */
1062 		memmove(&int16, key+1, 2);
1063 		exp = ntohs(int16);
1064 		offset = 3;
1065 	} else {
1066 		exp = key[0];
1067 		offset = 1;
1068 	}
1069 
1070 	/* key length at least one */
1071 	if(len < (size_t)offset + exp + 1)
1072 		return NULL;
1073 
1074 	exponent.data = key+offset;
1075 	exponent.len = exp;
1076 	offset += exp;
1077 	modulus.data = key+offset;
1078 	modulus.len = (len - offset);
1079 
1080 	pk = nss_key_create(rsaKey);
1081 	if(!pk)
1082 		return NULL;
1083 	if(SECITEM_CopyItem(pk->arena, &pk->u.rsa.modulus, &modulus)) {
1084 		SECKEY_DestroyPublicKey(pk);
1085 		return NULL;
1086 	}
1087 	if(SECITEM_CopyItem(pk->arena, &pk->u.rsa.publicExponent, &exponent)) {
1088 		SECKEY_DestroyPublicKey(pk);
1089 		return NULL;
1090 	}
1091 	return pk;
1092 }
1093 
1094 /**
1095  * Setup key and digest for verification. Adjust sig if necessary.
1096  *
1097  * @param algo: key algorithm
1098  * @param evp_key: EVP PKEY public key to create.
1099  * @param digest_type: digest type to use
1100  * @param key: key to setup for.
1101  * @param keylen: length of key.
1102  * @param prefix: if returned, the ASN prefix for the hashblob.
1103  * @param prefixlen: length of the prefix.
1104  * @return false on failure.
1105  */
1106 static int
1107 nss_setup_key_digest(int algo, SECKEYPublicKey** pubkey, HASH_HashType* htype,
1108 	unsigned char* key, size_t keylen, unsigned char** prefix,
1109 	size_t* prefixlen)
1110 {
1111 	/* uses libNSS */
1112 
1113 	/* hash prefix for md5, RFC2537 */
1114 	static unsigned char p_md5[] = {0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a,
1115 	0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 0x04, 0x10};
1116 	/* hash prefix to prepend to hash output, from RFC3110 */
1117 	static unsigned char p_sha1[] = {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B,
1118 		0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14};
1119 	/* from RFC5702 */
1120 	static unsigned char p_sha256[] = {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60,
1121 	0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20};
1122 	static unsigned char p_sha512[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60,
1123 	0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40};
1124 	/* from RFC6234 */
1125 	/* for future RSASHA384 ..
1126 	static unsigned char p_sha384[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60,
1127 	0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30};
1128 	*/
1129 
1130 	switch(algo) {
1131 
1132 #if defined(USE_SHA1) || defined(USE_SHA2)
1133 #if defined(USE_DSA) && defined(USE_SHA1)
1134 		case LDNS_DSA:
1135 		case LDNS_DSA_NSEC3:
1136 			*pubkey = nss_buf2dsa(key, keylen);
1137 			if(!*pubkey) {
1138 				log_err("verify: malloc failure in crypto");
1139 				return 0;
1140 			}
1141 			*htype = HASH_AlgSHA1;
1142 			/* no prefix for DSA verification */
1143 			break;
1144 #endif
1145 #ifdef USE_SHA1
1146 		case LDNS_RSASHA1:
1147 		case LDNS_RSASHA1_NSEC3:
1148 #endif
1149 #ifdef USE_SHA2
1150 		case LDNS_RSASHA256:
1151 #endif
1152 #ifdef USE_SHA2
1153 		case LDNS_RSASHA512:
1154 #endif
1155 			*pubkey = nss_buf2rsa(key, keylen);
1156 			if(!*pubkey) {
1157 				log_err("verify: malloc failure in crypto");
1158 				return 0;
1159 			}
1160 			/* select SHA version */
1161 #ifdef USE_SHA2
1162 			if(algo == LDNS_RSASHA256) {
1163 				*htype = HASH_AlgSHA256;
1164 				*prefix = p_sha256;
1165 				*prefixlen = sizeof(p_sha256);
1166 			} else
1167 #endif
1168 #ifdef USE_SHA2
1169 				if(algo == LDNS_RSASHA512) {
1170 				*htype = HASH_AlgSHA512;
1171 				*prefix = p_sha512;
1172 				*prefixlen = sizeof(p_sha512);
1173 			} else
1174 #endif
1175 #ifdef USE_SHA1
1176 			{
1177 				*htype = HASH_AlgSHA1;
1178 				*prefix = p_sha1;
1179 				*prefixlen = sizeof(p_sha1);
1180 			}
1181 #else
1182 			{
1183 				verbose(VERB_QUERY, "verify: no digest algo");
1184 				return 0;
1185 			}
1186 #endif
1187 
1188 			break;
1189 #endif /* SHA1 or SHA2 */
1190 
1191 		case LDNS_RSAMD5:
1192 			*pubkey = nss_buf2rsa(key, keylen);
1193 			if(!*pubkey) {
1194 				log_err("verify: malloc failure in crypto");
1195 				return 0;
1196 			}
1197 			*htype = HASH_AlgMD5;
1198 			*prefix = p_md5;
1199 			*prefixlen = sizeof(p_md5);
1200 
1201 			break;
1202 #ifdef USE_ECDSA
1203 		case LDNS_ECDSAP256SHA256:
1204 			*pubkey = nss_buf2ecdsa(key, keylen,
1205 				LDNS_ECDSAP256SHA256);
1206 			if(!*pubkey) {
1207 				log_err("verify: malloc failure in crypto");
1208 				return 0;
1209 			}
1210 			*htype = HASH_AlgSHA256;
1211 			/* no prefix for DSA verification */
1212 			break;
1213 		case LDNS_ECDSAP384SHA384:
1214 			*pubkey = nss_buf2ecdsa(key, keylen,
1215 				LDNS_ECDSAP384SHA384);
1216 			if(!*pubkey) {
1217 				log_err("verify: malloc failure in crypto");
1218 				return 0;
1219 			}
1220 			*htype = HASH_AlgSHA384;
1221 			/* no prefix for DSA verification */
1222 			break;
1223 #endif /* USE_ECDSA */
1224 		case LDNS_ECC_GOST:
1225 		default:
1226 			verbose(VERB_QUERY, "verify: unknown algorithm %d",
1227 				algo);
1228 			return 0;
1229 	}
1230 	return 1;
1231 }
1232 
1233 /**
1234  * Check a canonical sig+rrset and signature against a dnskey
1235  * @param buf: buffer with data to verify, the first rrsig part and the
1236  *	canonicalized rrset.
1237  * @param algo: DNSKEY algorithm.
1238  * @param sigblock: signature rdata field from RRSIG
1239  * @param sigblock_len: length of sigblock data.
1240  * @param key: public key data from DNSKEY RR.
1241  * @param keylen: length of keydata.
1242  * @param reason: bogus reason in more detail.
1243  * @return secure if verification succeeded, bogus on crypto failure,
1244  *	unchecked on format errors and alloc failures.
1245  */
1246 enum sec_status
1247 verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
1248 	unsigned int sigblock_len, unsigned char* key, unsigned int keylen,
1249 	char** reason)
1250 {
1251 	/* uses libNSS */
1252 	/* large enough for the different hashes */
1253 	unsigned char hash[HASH_LENGTH_MAX];
1254 	unsigned char hash2[HASH_LENGTH_MAX*2];
1255 	HASH_HashType htype = 0;
1256 	SECKEYPublicKey* pubkey = NULL;
1257 	SECItem secsig = {siBuffer, sigblock, sigblock_len};
1258 	SECItem sechash = {siBuffer, hash, 0};
1259 	SECStatus res;
1260 	unsigned char* prefix = NULL; /* prefix for hash, RFC3110, RFC5702 */
1261 	size_t prefixlen = 0;
1262 	int err;
1263 
1264 	if(!nss_setup_key_digest(algo, &pubkey, &htype, key, keylen,
1265 		&prefix, &prefixlen)) {
1266 		verbose(VERB_QUERY, "verify: failed to setup key");
1267 		*reason = "use of key for crypto failed";
1268 		SECKEY_DestroyPublicKey(pubkey);
1269 		return sec_status_bogus;
1270 	}
1271 
1272 #if defined(USE_DSA) && defined(USE_SHA1)
1273 	/* need to convert DSA, ECDSA signatures? */
1274 	if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3)) {
1275 		if(sigblock_len == 1+2*SHA1_LENGTH) {
1276 			secsig.data ++;
1277 			secsig.len --;
1278 		} else {
1279 			SECItem* p = DSAU_DecodeDerSig(&secsig);
1280 			if(!p) {
1281 				verbose(VERB_QUERY, "verify: failed DER decode");
1282 				*reason = "signature DER decode failed";
1283 				SECKEY_DestroyPublicKey(pubkey);
1284 				return sec_status_bogus;
1285 			}
1286 			if(SECITEM_CopyItem(pubkey->arena, &secsig, p)) {
1287 				log_err("alloc failure in DER decode");
1288 				SECKEY_DestroyPublicKey(pubkey);
1289 				SECITEM_FreeItem(p, PR_TRUE);
1290 				return sec_status_unchecked;
1291 			}
1292 			SECITEM_FreeItem(p, PR_TRUE);
1293 		}
1294 	}
1295 #endif /* USE_DSA */
1296 
1297 	/* do the signature cryptography work */
1298 	/* hash the data */
1299 	sechash.len = HASH_ResultLen(htype);
1300 	if(sechash.len > sizeof(hash)) {
1301 		verbose(VERB_QUERY, "verify: hash too large for buffer");
1302 		SECKEY_DestroyPublicKey(pubkey);
1303 		return sec_status_unchecked;
1304 	}
1305 	if(HASH_HashBuf(htype, hash, (unsigned char*)sldns_buffer_begin(buf),
1306 		(unsigned int)sldns_buffer_limit(buf)) != SECSuccess) {
1307 		verbose(VERB_QUERY, "verify: HASH_HashBuf failed");
1308 		SECKEY_DestroyPublicKey(pubkey);
1309 		return sec_status_unchecked;
1310 	}
1311 	if(prefix) {
1312 		int hashlen = sechash.len;
1313 		if(prefixlen+hashlen > sizeof(hash2)) {
1314 			verbose(VERB_QUERY, "verify: hashprefix too large");
1315 			SECKEY_DestroyPublicKey(pubkey);
1316 			return sec_status_unchecked;
1317 		}
1318 		sechash.data = hash2;
1319 		sechash.len = prefixlen+hashlen;
1320 		memcpy(sechash.data, prefix, prefixlen);
1321 		memmove(sechash.data+prefixlen, hash, hashlen);
1322 	}
1323 
1324 	/* verify the signature */
1325 	res = PK11_Verify(pubkey, &secsig, &sechash, NULL /*wincx*/);
1326 	SECKEY_DestroyPublicKey(pubkey);
1327 
1328 	if(res == SECSuccess) {
1329 		return sec_status_secure;
1330 	}
1331 	err = PORT_GetError();
1332 	if(err != SEC_ERROR_BAD_SIGNATURE) {
1333 		/* failed to verify */
1334 		verbose(VERB_QUERY, "verify: PK11_Verify failed: %s",
1335 			PORT_ErrorToString(err));
1336 		/* if it is not supported, like ECC is removed, we get,
1337 		 * SEC_ERROR_NO_MODULE */
1338 		if(err == SEC_ERROR_NO_MODULE)
1339 			return sec_status_unchecked;
1340 		/* but other errors are commonly returned
1341 		 * for a bad signature from NSS.  Thus we return bogus,
1342 		 * not unchecked */
1343 		*reason = "signature crypto failed";
1344 		return sec_status_bogus;
1345 	}
1346 	verbose(VERB_QUERY, "verify: signature mismatch: %s",
1347 		PORT_ErrorToString(err));
1348 	*reason = "signature crypto failed";
1349 	return sec_status_bogus;
1350 }
1351 
1352 #elif defined(HAVE_NETTLE)
1353 
1354 #include "sha.h"
1355 #include "bignum.h"
1356 #include "macros.h"
1357 #include "rsa.h"
1358 #include "dsa.h"
1359 #ifdef HAVE_NETTLE_DSA_COMPAT_H
1360 #include "dsa-compat.h"
1361 #endif
1362 #include "asn1.h"
1363 #ifdef USE_ECDSA
1364 #include "ecdsa.h"
1365 #include "ecc-curve.h"
1366 #endif
1367 #ifdef HAVE_NETTLE_EDDSA_H
1368 #include "eddsa.h"
1369 #endif
1370 
1371 static int
1372 _digest_nettle(int algo, uint8_t* buf, size_t len,
1373 	unsigned char* res)
1374 {
1375 	switch(algo) {
1376 		case SHA1_DIGEST_SIZE:
1377 		{
1378 			struct sha1_ctx ctx;
1379 			sha1_init(&ctx);
1380 			sha1_update(&ctx, len, buf);
1381 			sha1_digest(&ctx, SHA1_DIGEST_SIZE, res);
1382 			return 1;
1383 		}
1384 		case SHA256_DIGEST_SIZE:
1385 		{
1386 			struct sha256_ctx ctx;
1387 			sha256_init(&ctx);
1388 			sha256_update(&ctx, len, buf);
1389 			sha256_digest(&ctx, SHA256_DIGEST_SIZE, res);
1390 			return 1;
1391 		}
1392 		case SHA384_DIGEST_SIZE:
1393 		{
1394 			struct sha384_ctx ctx;
1395 			sha384_init(&ctx);
1396 			sha384_update(&ctx, len, buf);
1397 			sha384_digest(&ctx, SHA384_DIGEST_SIZE, res);
1398 			return 1;
1399 		}
1400 		case SHA512_DIGEST_SIZE:
1401 		{
1402 			struct sha512_ctx ctx;
1403 			sha512_init(&ctx);
1404 			sha512_update(&ctx, len, buf);
1405 			sha512_digest(&ctx, SHA512_DIGEST_SIZE, res);
1406 			return 1;
1407 		}
1408 		default:
1409 			break;
1410 	}
1411 	return 0;
1412 }
1413 
1414 /* return size of digest if supported, or 0 otherwise */
1415 size_t
1416 nsec3_hash_algo_size_supported(int id)
1417 {
1418 	switch(id) {
1419 	case NSEC3_HASH_SHA1:
1420 		return SHA1_DIGEST_SIZE;
1421 	default:
1422 		return 0;
1423 	}
1424 }
1425 
1426 /* perform nsec3 hash. return false on failure */
1427 int
1428 secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
1429         unsigned char* res)
1430 {
1431 	switch(algo) {
1432 	case NSEC3_HASH_SHA1:
1433 		return _digest_nettle(SHA1_DIGEST_SIZE, (uint8_t*)buf, len,
1434 			res);
1435 	default:
1436 		return 0;
1437 	}
1438 }
1439 
1440 void
1441 secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res)
1442 {
1443 	_digest_nettle(SHA256_DIGEST_SIZE, (uint8_t*)buf, len, res);
1444 }
1445 
1446 /**
1447  * Return size of DS digest according to its hash algorithm.
1448  * @param algo: DS digest algo.
1449  * @return size in bytes of digest, or 0 if not supported.
1450  */
1451 size_t
1452 ds_digest_size_supported(int algo)
1453 {
1454 	switch(algo) {
1455 		case LDNS_SHA1:
1456 #ifdef USE_SHA1
1457 			return SHA1_DIGEST_SIZE;
1458 #else
1459 			if(fake_sha1) return 20;
1460 			return 0;
1461 #endif
1462 #ifdef USE_SHA2
1463 		case LDNS_SHA256:
1464 			return SHA256_DIGEST_SIZE;
1465 #endif
1466 #ifdef USE_ECDSA
1467 		case LDNS_SHA384:
1468 			return SHA384_DIGEST_SIZE;
1469 #endif
1470 		/* GOST not supported */
1471 		case LDNS_HASH_GOST:
1472 		default:
1473 			break;
1474 	}
1475 	return 0;
1476 }
1477 
1478 int
1479 secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
1480 	unsigned char* res)
1481 {
1482 	switch(algo) {
1483 #ifdef USE_SHA1
1484 		case LDNS_SHA1:
1485 			return _digest_nettle(SHA1_DIGEST_SIZE, buf, len, res);
1486 #endif
1487 #if defined(USE_SHA2)
1488 		case LDNS_SHA256:
1489 			return _digest_nettle(SHA256_DIGEST_SIZE, buf, len, res);
1490 #endif
1491 #ifdef USE_ECDSA
1492 		case LDNS_SHA384:
1493 			return _digest_nettle(SHA384_DIGEST_SIZE, buf, len, res);
1494 
1495 #endif
1496 		case LDNS_HASH_GOST:
1497 		default:
1498 			verbose(VERB_QUERY, "unknown DS digest algorithm %d",
1499 				algo);
1500 			break;
1501 	}
1502 	return 0;
1503 }
1504 
1505 int
1506 dnskey_algo_id_is_supported(int id)
1507 {
1508 	/* uses libnettle */
1509 	switch(id) {
1510 #if defined(USE_DSA) && defined(USE_SHA1)
1511 	case LDNS_DSA:
1512 	case LDNS_DSA_NSEC3:
1513 #endif
1514 #ifdef USE_SHA1
1515 	case LDNS_RSASHA1:
1516 	case LDNS_RSASHA1_NSEC3:
1517 #endif
1518 #ifdef USE_SHA2
1519 	case LDNS_RSASHA256:
1520 	case LDNS_RSASHA512:
1521 #endif
1522 #ifdef USE_ECDSA
1523 	case LDNS_ECDSAP256SHA256:
1524 	case LDNS_ECDSAP384SHA384:
1525 #endif
1526 		return 1;
1527 #ifdef USE_ED25519
1528 	case LDNS_ED25519:
1529 		return 1;
1530 #endif
1531 	case LDNS_RSAMD5: /* RFC 6725 deprecates RSAMD5 */
1532 	case LDNS_ECC_GOST:
1533 	default:
1534 		return 0;
1535 	}
1536 }
1537 
1538 #if defined(USE_DSA) && defined(USE_SHA1)
1539 static char *
1540 _verify_nettle_dsa(sldns_buffer* buf, unsigned char* sigblock,
1541 	unsigned int sigblock_len, unsigned char* key, unsigned int keylen)
1542 {
1543 	uint8_t digest[SHA1_DIGEST_SIZE];
1544 	uint8_t key_t_value;
1545 	int res = 0;
1546 	size_t offset;
1547 	struct dsa_public_key pubkey;
1548 	struct dsa_signature signature;
1549 	unsigned int expected_len;
1550 
1551 	/* Extract DSA signature from the record */
1552 	nettle_dsa_signature_init(&signature);
1553 	/* Signature length: 41 bytes - RFC 2536 sec. 3 */
1554 	if(sigblock_len == 41) {
1555 		if(key[0] != sigblock[0])
1556 			return "invalid T value in DSA signature or pubkey";
1557 		nettle_mpz_set_str_256_u(signature.r, 20, sigblock+1);
1558 		nettle_mpz_set_str_256_u(signature.s, 20, sigblock+1+20);
1559 	} else {
1560 		/* DER encoded, decode the ASN1 notated R and S bignums */
1561 		/* SEQUENCE { r INTEGER, s INTEGER } */
1562 		struct asn1_der_iterator i, seq;
1563 		if(asn1_der_iterator_first(&i, sigblock_len,
1564 			(uint8_t*)sigblock) != ASN1_ITERATOR_CONSTRUCTED
1565 			|| i.type != ASN1_SEQUENCE)
1566 			return "malformed DER encoded DSA signature";
1567 		/* decode this element of i using the seq iterator */
1568 		if(asn1_der_decode_constructed(&i, &seq) !=
1569 			ASN1_ITERATOR_PRIMITIVE || seq.type != ASN1_INTEGER)
1570 			return "malformed DER encoded DSA signature";
1571 		if(!asn1_der_get_bignum(&seq, signature.r, 20*8))
1572 			return "malformed DER encoded DSA signature";
1573 		if(asn1_der_iterator_next(&seq) != ASN1_ITERATOR_PRIMITIVE
1574 			|| seq.type != ASN1_INTEGER)
1575 			return "malformed DER encoded DSA signature";
1576 		if(!asn1_der_get_bignum(&seq, signature.s, 20*8))
1577 			return "malformed DER encoded DSA signature";
1578 		if(asn1_der_iterator_next(&i) != ASN1_ITERATOR_END)
1579 			return "malformed DER encoded DSA signature";
1580 	}
1581 
1582 	/* Validate T values constraints - RFC 2536 sec. 2 & sec. 3 */
1583 	key_t_value = key[0];
1584 	if (key_t_value > 8) {
1585 		return "invalid T value in DSA pubkey";
1586 	}
1587 
1588 	/* Pubkey minimum length: 21 bytes - RFC 2536 sec. 2 */
1589 	if (keylen < 21) {
1590 		return "DSA pubkey too short";
1591 	}
1592 
1593 	expected_len =   1 +		/* T */
1594 		        20 +		/* Q */
1595 		       (64 + key_t_value*8) +	/* P */
1596 		       (64 + key_t_value*8) +	/* G */
1597 		       (64 + key_t_value*8);	/* Y */
1598 	if (keylen != expected_len ) {
1599 		return "invalid DSA pubkey length";
1600 	}
1601 
1602 	/* Extract DSA pubkey from the record */
1603 	nettle_dsa_public_key_init(&pubkey);
1604 	offset = 1;
1605 	nettle_mpz_set_str_256_u(pubkey.q, 20, key+offset);
1606 	offset += 20;
1607 	nettle_mpz_set_str_256_u(pubkey.p, (64 + key_t_value*8), key+offset);
1608 	offset += (64 + key_t_value*8);
1609 	nettle_mpz_set_str_256_u(pubkey.g, (64 + key_t_value*8), key+offset);
1610 	offset += (64 + key_t_value*8);
1611 	nettle_mpz_set_str_256_u(pubkey.y, (64 + key_t_value*8), key+offset);
1612 
1613 	/* Digest content of "buf" and verify its DSA signature in "sigblock"*/
1614 	res = _digest_nettle(SHA1_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1615 						(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1616 	res &= dsa_sha1_verify_digest(&pubkey, digest, &signature);
1617 
1618 	/* Clear and return */
1619 	nettle_dsa_signature_clear(&signature);
1620 	nettle_dsa_public_key_clear(&pubkey);
1621 	if (!res)
1622 		return "DSA signature verification failed";
1623 	else
1624 		return NULL;
1625 }
1626 #endif /* USE_DSA */
1627 
1628 static char *
1629 _verify_nettle_rsa(sldns_buffer* buf, unsigned int digest_size, char* sigblock,
1630 	unsigned int sigblock_len, uint8_t* key, unsigned int keylen)
1631 {
1632 	uint16_t exp_len = 0;
1633 	size_t exp_offset = 0, mod_offset = 0;
1634 	struct rsa_public_key pubkey;
1635 	mpz_t signature;
1636 	int res = 0;
1637 
1638 	/* RSA pubkey parsing as per RFC 3110 sec. 2 */
1639 	if( keylen <= 1) {
1640 		return "null RSA key";
1641 	}
1642 	if (key[0] != 0) {
1643 		/* 1-byte length */
1644 		exp_len = key[0];
1645 		exp_offset = 1;
1646 	} else {
1647 		/* 1-byte NUL + 2-bytes exponent length */
1648 		if (keylen < 3) {
1649 			return "incorrect RSA key length";
1650 		}
1651 		exp_len = READ_UINT16(key+1);
1652 		if (exp_len == 0)
1653 			return "null RSA exponent length";
1654 		exp_offset = 3;
1655 	}
1656 	/* Check that we are not over-running input length */
1657 	if (keylen < exp_offset + exp_len + 1) {
1658 		return "RSA key content shorter than expected";
1659 	}
1660 	mod_offset = exp_offset + exp_len;
1661 	nettle_rsa_public_key_init(&pubkey);
1662 	pubkey.size = keylen - mod_offset;
1663 	nettle_mpz_set_str_256_u(pubkey.e, exp_len, &key[exp_offset]);
1664 	nettle_mpz_set_str_256_u(pubkey.n, pubkey.size, &key[mod_offset]);
1665 
1666 	/* Digest content of "buf" and verify its RSA signature in "sigblock"*/
1667 	nettle_mpz_init_set_str_256_u(signature, sigblock_len, (uint8_t*)sigblock);
1668 	switch (digest_size) {
1669 		case SHA1_DIGEST_SIZE:
1670 		{
1671 			uint8_t digest[SHA1_DIGEST_SIZE];
1672 			res = _digest_nettle(SHA1_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1673 						(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1674 			res &= rsa_sha1_verify_digest(&pubkey, digest, signature);
1675 			break;
1676 		}
1677 		case SHA256_DIGEST_SIZE:
1678 		{
1679 			uint8_t digest[SHA256_DIGEST_SIZE];
1680 			res = _digest_nettle(SHA256_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1681 						(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1682 			res &= rsa_sha256_verify_digest(&pubkey, digest, signature);
1683 			break;
1684 		}
1685 		case SHA512_DIGEST_SIZE:
1686 		{
1687 			uint8_t digest[SHA512_DIGEST_SIZE];
1688 			res = _digest_nettle(SHA512_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1689 						(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1690 			res &= rsa_sha512_verify_digest(&pubkey, digest, signature);
1691 			break;
1692 		}
1693 		default:
1694 			break;
1695 	}
1696 
1697 	/* Clear and return */
1698 	nettle_rsa_public_key_clear(&pubkey);
1699 	mpz_clear(signature);
1700 	if (!res) {
1701 		return "RSA signature verification failed";
1702 	} else {
1703 		return NULL;
1704 	}
1705 }
1706 
1707 #ifdef USE_ECDSA
1708 static char *
1709 _verify_nettle_ecdsa(sldns_buffer* buf, unsigned int digest_size, unsigned char* sigblock,
1710 	unsigned int sigblock_len, unsigned char* key, unsigned int keylen)
1711 {
1712 	int res = 0;
1713 	struct ecc_point pubkey;
1714 	struct dsa_signature signature;
1715 
1716 	/* Always matched strength, as per RFC 6605 sec. 1 */
1717 	if (sigblock_len != 2*digest_size || keylen != 2*digest_size) {
1718 		return "wrong ECDSA signature length";
1719 	}
1720 
1721 	/* Parse ECDSA signature as per RFC 6605 sec. 4 */
1722 	nettle_dsa_signature_init(&signature);
1723 	switch (digest_size) {
1724 		case SHA256_DIGEST_SIZE:
1725 		{
1726 			uint8_t digest[SHA256_DIGEST_SIZE];
1727 			mpz_t x, y;
1728 			nettle_ecc_point_init(&pubkey, &nettle_secp_256r1);
1729 			nettle_mpz_init_set_str_256_u(x, SHA256_DIGEST_SIZE, key);
1730 			nettle_mpz_init_set_str_256_u(y, SHA256_DIGEST_SIZE, key+SHA256_DIGEST_SIZE);
1731 			nettle_mpz_set_str_256_u(signature.r, SHA256_DIGEST_SIZE, sigblock);
1732 			nettle_mpz_set_str_256_u(signature.s, SHA256_DIGEST_SIZE, sigblock+SHA256_DIGEST_SIZE);
1733 			res = _digest_nettle(SHA256_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1734 						(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1735 			res &= nettle_ecc_point_set(&pubkey, x, y);
1736 			res &= nettle_ecdsa_verify (&pubkey, SHA256_DIGEST_SIZE, digest, &signature);
1737 			mpz_clear(x);
1738 			mpz_clear(y);
1739 			break;
1740 		}
1741 		case SHA384_DIGEST_SIZE:
1742 		{
1743 			uint8_t digest[SHA384_DIGEST_SIZE];
1744 			mpz_t x, y;
1745 			nettle_ecc_point_init(&pubkey, &nettle_secp_384r1);
1746 			nettle_mpz_init_set_str_256_u(x, SHA384_DIGEST_SIZE, key);
1747 			nettle_mpz_init_set_str_256_u(y, SHA384_DIGEST_SIZE, key+SHA384_DIGEST_SIZE);
1748 			nettle_mpz_set_str_256_u(signature.r, SHA384_DIGEST_SIZE, sigblock);
1749 			nettle_mpz_set_str_256_u(signature.s, SHA384_DIGEST_SIZE, sigblock+SHA384_DIGEST_SIZE);
1750 			res = _digest_nettle(SHA384_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1751 						(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1752 			res &= nettle_ecc_point_set(&pubkey, x, y);
1753 			res &= nettle_ecdsa_verify (&pubkey, SHA384_DIGEST_SIZE, digest, &signature);
1754 			mpz_clear(x);
1755 			mpz_clear(y);
1756 			nettle_ecc_point_clear(&pubkey);
1757 			break;
1758 		}
1759 		default:
1760 			return "unknown ECDSA algorithm";
1761 	}
1762 
1763 	/* Clear and return */
1764 	nettle_dsa_signature_clear(&signature);
1765 	if (!res)
1766 		return "ECDSA signature verification failed";
1767 	else
1768 		return NULL;
1769 }
1770 #endif
1771 
1772 #ifdef USE_ED25519
1773 static char *
1774 _verify_nettle_ed25519(sldns_buffer* buf, unsigned char* sigblock,
1775 	unsigned int sigblock_len, unsigned char* key, unsigned int keylen)
1776 {
1777 	int res = 0;
1778 
1779 	if(sigblock_len != ED25519_SIGNATURE_SIZE) {
1780 		return "wrong ED25519 signature length";
1781 	}
1782 	if(keylen != ED25519_KEY_SIZE) {
1783 		return "wrong ED25519 key length";
1784 	}
1785 
1786 	res = ed25519_sha512_verify((uint8_t*)key, sldns_buffer_limit(buf),
1787 		sldns_buffer_begin(buf), (uint8_t*)sigblock);
1788 
1789 	if (!res)
1790 		return "ED25519 signature verification failed";
1791 	else
1792 		return NULL;
1793 }
1794 #endif
1795 
1796 /**
1797  * Check a canonical sig+rrset and signature against a dnskey
1798  * @param buf: buffer with data to verify, the first rrsig part and the
1799  *	canonicalized rrset.
1800  * @param algo: DNSKEY algorithm.
1801  * @param sigblock: signature rdata field from RRSIG
1802  * @param sigblock_len: length of sigblock data.
1803  * @param key: public key data from DNSKEY RR.
1804  * @param keylen: length of keydata.
1805  * @param reason: bogus reason in more detail.
1806  * @return secure if verification succeeded, bogus on crypto failure,
1807  *	unchecked on format errors and alloc failures.
1808  */
1809 enum sec_status
1810 verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
1811 	unsigned int sigblock_len, unsigned char* key, unsigned int keylen,
1812 	char** reason)
1813 {
1814 	unsigned int digest_size = 0;
1815 
1816 	if (sigblock_len == 0 || keylen == 0) {
1817 		*reason = "null signature";
1818 		return sec_status_bogus;
1819 	}
1820 
1821 	switch(algo) {
1822 #if defined(USE_DSA) && defined(USE_SHA1)
1823 	case LDNS_DSA:
1824 	case LDNS_DSA_NSEC3:
1825 		*reason = _verify_nettle_dsa(buf, sigblock, sigblock_len, key, keylen);
1826 		if (*reason != NULL)
1827 			return sec_status_bogus;
1828 		else
1829 			return sec_status_secure;
1830 #endif /* USE_DSA */
1831 
1832 #ifdef USE_SHA1
1833 	case LDNS_RSASHA1:
1834 	case LDNS_RSASHA1_NSEC3:
1835 		digest_size = (digest_size ? digest_size : SHA1_DIGEST_SIZE);
1836 #endif
1837 		/* double fallthrough annotation to please gcc parser */
1838 		/* fallthrough */
1839 #ifdef USE_SHA2
1840 		/* fallthrough */
1841 	case LDNS_RSASHA256:
1842 		digest_size = (digest_size ? digest_size : SHA256_DIGEST_SIZE);
1843 		/* fallthrough */
1844 	case LDNS_RSASHA512:
1845 		digest_size = (digest_size ? digest_size : SHA512_DIGEST_SIZE);
1846 
1847 #endif
1848 		*reason = _verify_nettle_rsa(buf, digest_size, (char*)sigblock,
1849 						sigblock_len, key, keylen);
1850 		if (*reason != NULL)
1851 			return sec_status_bogus;
1852 		else
1853 			return sec_status_secure;
1854 
1855 #ifdef USE_ECDSA
1856 	case LDNS_ECDSAP256SHA256:
1857 		digest_size = (digest_size ? digest_size : SHA256_DIGEST_SIZE);
1858 		/* fallthrough */
1859 	case LDNS_ECDSAP384SHA384:
1860 		digest_size = (digest_size ? digest_size : SHA384_DIGEST_SIZE);
1861 		*reason = _verify_nettle_ecdsa(buf, digest_size, sigblock,
1862 						sigblock_len, key, keylen);
1863 		if (*reason != NULL)
1864 			return sec_status_bogus;
1865 		else
1866 			return sec_status_secure;
1867 #endif
1868 #ifdef USE_ED25519
1869 	case LDNS_ED25519:
1870 		*reason = _verify_nettle_ed25519(buf, sigblock, sigblock_len,
1871 			key, keylen);
1872 		if (*reason != NULL)
1873 			return sec_status_bogus;
1874 		else
1875 			return sec_status_secure;
1876 #endif
1877 	case LDNS_RSAMD5:
1878 	case LDNS_ECC_GOST:
1879 	default:
1880 		*reason = "unable to verify signature, unknown algorithm";
1881 		return sec_status_bogus;
1882 	}
1883 }
1884 
1885 #endif /* HAVE_SSL or HAVE_NSS or HAVE_NETTLE */
1886