xref: /freebsd/contrib/unbound/validator/val_secalgo.c (revision 0e8011faf58b743cc652e3b2ad0f7671227610df)
1 /*
2  * validator/val_secalgo.c - validator security algorithm functions.
3  *
4  * Copyright (c) 2012, NLnet Labs. All rights reserved.
5  *
6  * This software is open source.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * Redistributions of source code must retain the above copyright notice,
13  * this list of conditions and the following disclaimer.
14  *
15  * Redistributions in binary form must reproduce the above copyright notice,
16  * this list of conditions and the following disclaimer in the documentation
17  * and/or other materials provided with the distribution.
18  *
19  * Neither the name of the NLNET LABS nor the names of its contributors may
20  * be used to endorse or promote products derived from this software without
21  * specific prior written permission.
22  *
23  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26  * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27  * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29  * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31  * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32  * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34  */
35 
36 /**
37  * \file
38  *
39  * This file contains helper functions for the validator module.
40  * These functions take raw data buffers, formatted for crypto verification,
41  * and do the library calls (for the crypto library in use).
42  */
43 #include "config.h"
44 /* packed_rrset on top to define enum types (forced by c99 standard) */
45 #include "util/data/packed_rrset.h"
46 #include "validator/val_secalgo.h"
47 #include "validator/val_nsec3.h"
48 #include "util/log.h"
49 #include "sldns/rrdef.h"
50 #include "sldns/keyraw.h"
51 #include "sldns/sbuffer.h"
52 
53 #if !defined(HAVE_SSL) && !defined(HAVE_NSS) && !defined(HAVE_NETTLE)
54 #error "Need crypto library to do digital signature cryptography"
55 #endif
56 
57 /** fake DSA support for unit tests */
58 int fake_dsa = 0;
59 /** fake SHA1 support for unit tests */
60 int fake_sha1 = 0;
61 
62 /* OpenSSL implementation */
63 #ifdef HAVE_SSL
64 #ifdef HAVE_OPENSSL_ERR_H
65 #include <openssl/err.h>
66 #endif
67 
68 #ifdef HAVE_OPENSSL_RAND_H
69 #include <openssl/rand.h>
70 #endif
71 
72 #ifdef HAVE_OPENSSL_CONF_H
73 #include <openssl/conf.h>
74 #endif
75 
76 #ifdef HAVE_OPENSSL_ENGINE_H
77 #include <openssl/engine.h>
78 #endif
79 
80 #if defined(HAVE_OPENSSL_DSA_H) && defined(USE_DSA)
81 #include <openssl/dsa.h>
82 #endif
83 
84 /**
85  * Output a libcrypto openssl error to the logfile.
86  * @param str: string to add to it.
87  * @param e: the error to output, error number from ERR_get_error().
88  */
89 static void
90 log_crypto_error(const char* str, unsigned long e)
91 {
92 	char buf[128];
93 	/* or use ERR_error_string if ERR_error_string_n is not avail TODO */
94 	ERR_error_string_n(e, buf, sizeof(buf));
95 	/* buf now contains */
96 	/* error:[error code]:[library name]:[function name]:[reason string] */
97 	log_err("%s crypto %s", str, buf);
98 }
99 
100 /**
101  * Output a libcrypto openssl error to the logfile as a debug message.
102  * @param level: debug level to use in verbose() call
103  * @param str: string to add to it.
104  * @param e: the error to output, error number from ERR_get_error().
105  */
106 static void
107 log_crypto_verbose(enum verbosity_value level, const char* str, unsigned long e)
108 {
109 	char buf[128];
110 	/* or use ERR_error_string if ERR_error_string_n is not avail TODO */
111 	ERR_error_string_n(e, buf, sizeof(buf));
112 	/* buf now contains */
113 	/* error:[error code]:[library name]:[function name]:[reason string] */
114 	verbose(level, "%s crypto %s", str, buf);
115 }
116 
117 /* return size of digest if supported, or 0 otherwise */
118 size_t
119 nsec3_hash_algo_size_supported(int id)
120 {
121 	switch(id) {
122 	case NSEC3_HASH_SHA1:
123 		return SHA_DIGEST_LENGTH;
124 	default:
125 		return 0;
126 	}
127 }
128 
129 /* perform nsec3 hash. return false on failure */
130 int
131 secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
132         unsigned char* res)
133 {
134 	switch(algo) {
135 	case NSEC3_HASH_SHA1:
136 #ifdef OPENSSL_FIPS
137 		if(!sldns_digest_evp(buf, len, res, EVP_sha1()))
138 			log_crypto_error("could not digest with EVP_sha1",
139 				ERR_get_error());
140 #else
141 		(void)SHA1(buf, len, res);
142 #endif
143 		return 1;
144 	default:
145 		return 0;
146 	}
147 }
148 
149 void
150 secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res)
151 {
152 #ifdef OPENSSL_FIPS
153 	if(!sldns_digest_evp(buf, len, res, EVP_sha256()))
154 		log_crypto_error("could not digest with EVP_sha256",
155 			ERR_get_error());
156 #else
157 	(void)SHA256(buf, len, res);
158 #endif
159 }
160 
161 /** hash structure for keeping track of running hashes */
162 struct secalgo_hash {
163 	/** the openssl message digest context */
164 	EVP_MD_CTX* ctx;
165 };
166 
167 /** create secalgo hash with hash type */
168 static struct secalgo_hash* secalgo_hash_create_md(const EVP_MD* md)
169 {
170 	struct secalgo_hash* h;
171 	if(!md)
172 		return NULL;
173 	h = calloc(1, sizeof(*h));
174 	if(!h)
175 		return NULL;
176 	h->ctx = EVP_MD_CTX_create();
177 	if(!h->ctx) {
178 		free(h);
179 		return NULL;
180 	}
181 	if(!EVP_DigestInit_ex(h->ctx, md, NULL)) {
182 		EVP_MD_CTX_destroy(h->ctx);
183 		free(h);
184 		return NULL;
185 	}
186 	return h;
187 }
188 
189 struct secalgo_hash* secalgo_hash_create_sha384(void)
190 {
191 	return secalgo_hash_create_md(EVP_sha384());
192 }
193 
194 struct secalgo_hash* secalgo_hash_create_sha512(void)
195 {
196 	return secalgo_hash_create_md(EVP_sha512());
197 }
198 
199 int secalgo_hash_update(struct secalgo_hash* hash, uint8_t* data, size_t len)
200 {
201 	return EVP_DigestUpdate(hash->ctx, (unsigned char*)data,
202 		(unsigned int)len);
203 }
204 
205 int secalgo_hash_final(struct secalgo_hash* hash, uint8_t* result,
206         size_t maxlen, size_t* resultlen)
207 {
208 	if(EVP_MD_CTX_size(hash->ctx) > (int)maxlen) {
209 		*resultlen = 0;
210 		log_err("secalgo_hash_final: hash buffer too small");
211 		return 0;
212 	}
213 	*resultlen = EVP_MD_CTX_size(hash->ctx);
214 	return EVP_DigestFinal_ex(hash->ctx, result, NULL);
215 }
216 
217 void secalgo_hash_delete(struct secalgo_hash* hash)
218 {
219 	if(!hash) return;
220 	EVP_MD_CTX_destroy(hash->ctx);
221 	free(hash);
222 }
223 
224 /**
225  * Return size of DS digest according to its hash algorithm.
226  * @param algo: DS digest algo.
227  * @return size in bytes of digest, or 0 if not supported.
228  */
229 size_t
230 ds_digest_size_supported(int algo)
231 {
232 	switch(algo) {
233 		case LDNS_SHA1:
234 #if defined(HAVE_EVP_SHA1) && defined(USE_SHA1)
235 #ifdef HAVE_EVP_DEFAULT_PROPERTIES_IS_FIPS_ENABLED
236 			if (EVP_default_properties_is_fips_enabled(NULL))
237 				return 0;
238 #endif
239 			return SHA_DIGEST_LENGTH;
240 #else
241 			if(fake_sha1) return 20;
242 			return 0;
243 #endif
244 #ifdef HAVE_EVP_SHA256
245 		case LDNS_SHA256:
246 			return SHA256_DIGEST_LENGTH;
247 #endif
248 #ifdef USE_GOST
249 		case LDNS_HASH_GOST:
250 			/* we support GOST if it can be loaded */
251 			(void)sldns_key_EVP_load_gost_id();
252 			if(EVP_get_digestbyname("md_gost94"))
253 				return 32;
254 			else	return 0;
255 #endif
256 #ifdef USE_ECDSA
257 		case LDNS_SHA384:
258 			return SHA384_DIGEST_LENGTH;
259 #endif
260 		default: break;
261 	}
262 	return 0;
263 }
264 
265 #ifdef USE_GOST
266 /** Perform GOST hash */
267 static int
268 do_gost94(unsigned char* data, size_t len, unsigned char* dest)
269 {
270 	const EVP_MD* md = EVP_get_digestbyname("md_gost94");
271 	if(!md)
272 		return 0;
273 	return sldns_digest_evp(data, (unsigned int)len, dest, md);
274 }
275 #endif
276 
277 int
278 secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
279 	unsigned char* res)
280 {
281 	switch(algo) {
282 #if defined(HAVE_EVP_SHA1) && defined(USE_SHA1)
283 		case LDNS_SHA1:
284 #ifdef OPENSSL_FIPS
285 			if(!sldns_digest_evp(buf, len, res, EVP_sha1()))
286 				log_crypto_error("could not digest with EVP_sha1",
287 					ERR_get_error());
288 #else
289 			(void)SHA1(buf, len, res);
290 #endif
291 			return 1;
292 #endif
293 #ifdef HAVE_EVP_SHA256
294 		case LDNS_SHA256:
295 #ifdef OPENSSL_FIPS
296 			if(!sldns_digest_evp(buf, len, res, EVP_sha256()))
297 				log_crypto_error("could not digest with EVP_sha256",
298 					ERR_get_error());
299 #else
300 			(void)SHA256(buf, len, res);
301 #endif
302 			return 1;
303 #endif
304 #ifdef USE_GOST
305 		case LDNS_HASH_GOST:
306 			if(do_gost94(buf, len, res))
307 				return 1;
308 			break;
309 #endif
310 #ifdef USE_ECDSA
311 		case LDNS_SHA384:
312 #ifdef OPENSSL_FIPS
313 			if(!sldns_digest_evp(buf, len, res, EVP_sha384()))
314 				log_crypto_error("could not digest with EVP_sha384",
315 					ERR_get_error());
316 #else
317 			(void)SHA384(buf, len, res);
318 #endif
319 			return 1;
320 #endif
321 		default:
322 			verbose(VERB_QUERY, "unknown DS digest algorithm %d",
323 				algo);
324 			break;
325 	}
326 	return 0;
327 }
328 
329 /** return true if DNSKEY algorithm id is supported */
330 int
331 dnskey_algo_id_is_supported(int id)
332 {
333 	switch(id) {
334 	case LDNS_RSAMD5:
335 		/* RFC 6725 deprecates RSAMD5 */
336 		return 0;
337 	case LDNS_DSA:
338 	case LDNS_DSA_NSEC3:
339 #if defined(USE_DSA) && defined(USE_SHA1)
340 		return 1;
341 #else
342 		if(fake_dsa || fake_sha1) return 1;
343 		return 0;
344 #endif
345 
346 	case LDNS_RSASHA1:
347 	case LDNS_RSASHA1_NSEC3:
348 #ifdef USE_SHA1
349 #ifdef HAVE_EVP_DEFAULT_PROPERTIES_IS_FIPS_ENABLED
350 		return !EVP_default_properties_is_fips_enabled(NULL);
351 #else
352 		return 1;
353 #endif
354 #else
355 		if(fake_sha1) return 1;
356 		return 0;
357 #endif
358 
359 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
360 	case LDNS_RSASHA256:
361 #endif
362 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
363 	case LDNS_RSASHA512:
364 #endif
365 #ifdef USE_ECDSA
366 	case LDNS_ECDSAP256SHA256:
367 	case LDNS_ECDSAP384SHA384:
368 #endif
369 #if (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2)) || defined(USE_ECDSA)
370 		return 1;
371 #endif
372 #ifdef USE_ED25519
373 	case LDNS_ED25519:
374 #endif
375 #ifdef USE_ED448
376 	case LDNS_ED448:
377 #endif
378 #if defined(USE_ED25519) || defined(USE_ED448)
379 #ifdef HAVE_EVP_DEFAULT_PROPERTIES_IS_FIPS_ENABLED
380 		return !EVP_default_properties_is_fips_enabled(NULL);
381 #else
382 		return 1;
383 #endif
384 #endif
385 
386 #ifdef USE_GOST
387 	case LDNS_ECC_GOST:
388 		/* we support GOST if it can be loaded */
389 		return sldns_key_EVP_load_gost_id();
390 #endif
391 	default:
392 		return 0;
393 	}
394 }
395 
396 #ifdef USE_DSA
397 /**
398  * Setup DSA key digest in DER encoding ...
399  * @param sig: input is signature output alloced ptr (unless failure).
400  * 	caller must free alloced ptr if this routine returns true.
401  * @param len: input is initial siglen, output is output len.
402  * @return false on failure.
403  */
404 static int
405 setup_dsa_sig(unsigned char** sig, unsigned int* len)
406 {
407 	unsigned char* orig = *sig;
408 	unsigned int origlen = *len;
409 	int newlen;
410 	BIGNUM *R, *S;
411 	DSA_SIG *dsasig;
412 
413 	/* extract the R and S field from the sig buffer */
414 	if(origlen < 1 + 2*SHA_DIGEST_LENGTH)
415 		return 0;
416 	R = BN_new();
417 	if(!R) return 0;
418 	(void) BN_bin2bn(orig + 1, SHA_DIGEST_LENGTH, R);
419 	S = BN_new();
420 	if(!S) return 0;
421 	(void) BN_bin2bn(orig + 21, SHA_DIGEST_LENGTH, S);
422 	dsasig = DSA_SIG_new();
423 	if(!dsasig) return 0;
424 
425 #ifdef HAVE_DSA_SIG_SET0
426 	if(!DSA_SIG_set0(dsasig, R, S)) {
427 		DSA_SIG_free(dsasig);
428 		return 0;
429 	}
430 #else
431 #  ifndef S_SPLINT_S
432 	dsasig->r = R;
433 	dsasig->s = S;
434 #  endif /* S_SPLINT_S */
435 #endif
436 	*sig = NULL;
437 	newlen = i2d_DSA_SIG(dsasig, sig);
438 	if(newlen < 0) {
439 		DSA_SIG_free(dsasig);
440 		free(*sig);
441 		return 0;
442 	}
443 	*len = (unsigned int)newlen;
444 	DSA_SIG_free(dsasig);
445 	return 1;
446 }
447 #endif /* USE_DSA */
448 
449 #ifdef USE_ECDSA
450 /**
451  * Setup the ECDSA signature in its encoding that the library wants.
452  * Converts from plain numbers to ASN formatted.
453  * @param sig: input is signature, output alloced ptr (unless failure).
454  * 	caller must free alloced ptr if this routine returns true.
455  * @param len: input is initial siglen, output is output len.
456  * @return false on failure.
457  */
458 static int
459 setup_ecdsa_sig(unsigned char** sig, unsigned int* len)
460 {
461         /* convert from two BIGNUMs in the rdata buffer, to ASN notation.
462 	 * ASN preamble: 30440220 <R 32bytefor256> 0220 <S 32bytefor256>
463 	 * the '20' is the length of that field (=bnsize).
464 i	 * the '44' is the total remaining length.
465 	 * if negative, start with leading zero.
466 	 * if starts with 00s, remove them from the number.
467 	 */
468         uint8_t pre[] = {0x30, 0x44, 0x02, 0x20};
469         int pre_len = 4;
470         uint8_t mid[] = {0x02, 0x20};
471         int mid_len = 2;
472         int raw_sig_len, r_high, s_high, r_rem=0, s_rem=0;
473 	int bnsize = (int)((*len)/2);
474         unsigned char* d = *sig;
475 	uint8_t* p;
476 	/* if too short or not even length, fails */
477 	if(*len < 16 || bnsize*2 != (int)*len)
478 		return 0;
479 
480         /* strip leading zeroes from r (but not last one) */
481         while(r_rem < bnsize-1 && d[r_rem] == 0)
482                 r_rem++;
483         /* strip leading zeroes from s (but not last one) */
484         while(s_rem < bnsize-1 && d[bnsize+s_rem] == 0)
485                 s_rem++;
486 
487         r_high = ((d[0+r_rem]&0x80)?1:0);
488         s_high = ((d[bnsize+s_rem]&0x80)?1:0);
489         raw_sig_len = pre_len + r_high + bnsize - r_rem + mid_len +
490                 s_high + bnsize - s_rem;
491 	*sig = (unsigned char*)malloc((size_t)raw_sig_len);
492 	if(!*sig)
493 		return 0;
494 	p = (uint8_t*)*sig;
495 	p[0] = pre[0];
496 	p[1] = (uint8_t)(raw_sig_len-2);
497 	p[2] = pre[2];
498 	p[3] = (uint8_t)(bnsize + r_high - r_rem);
499 	p += 4;
500 	if(r_high) {
501 		*p = 0;
502 		p += 1;
503 	}
504 	memmove(p, d+r_rem, (size_t)bnsize-r_rem);
505 	p += bnsize-r_rem;
506 	memmove(p, mid, (size_t)mid_len-1);
507 	p += mid_len-1;
508 	*p = (uint8_t)(bnsize + s_high - s_rem);
509 	p += 1;
510         if(s_high) {
511 		*p = 0;
512 		p += 1;
513 	}
514 	memmove(p, d+bnsize+s_rem, (size_t)bnsize-s_rem);
515 	*len = (unsigned int)raw_sig_len;
516 	return 1;
517 }
518 #endif /* USE_ECDSA */
519 
520 #ifdef USE_ECDSA_EVP_WORKAROUND
521 static EVP_MD ecdsa_evp_256_md;
522 static EVP_MD ecdsa_evp_384_md;
523 void ecdsa_evp_workaround_init(void)
524 {
525 	/* openssl before 1.0.0 fixes RSA with the SHA256
526 	 * hash in EVP.  We create one for ecdsa_sha256 */
527 	ecdsa_evp_256_md = *EVP_sha256();
528 	ecdsa_evp_256_md.required_pkey_type[0] = EVP_PKEY_EC;
529 	ecdsa_evp_256_md.verify = (void*)ECDSA_verify;
530 
531 	ecdsa_evp_384_md = *EVP_sha384();
532 	ecdsa_evp_384_md.required_pkey_type[0] = EVP_PKEY_EC;
533 	ecdsa_evp_384_md.verify = (void*)ECDSA_verify;
534 }
535 #endif /* USE_ECDSA_EVP_WORKAROUND */
536 
537 /**
538  * Setup key and digest for verification. Adjust sig if necessary.
539  *
540  * @param algo: key algorithm
541  * @param evp_key: EVP PKEY public key to create.
542  * @param digest_type: digest type to use
543  * @param key: key to setup for.
544  * @param keylen: length of key.
545  * @return false on failure.
546  */
547 static int
548 setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type,
549 	unsigned char* key, size_t keylen)
550 {
551 	switch(algo) {
552 #if defined(USE_DSA) && defined(USE_SHA1)
553 		case LDNS_DSA:
554 		case LDNS_DSA_NSEC3:
555 			*evp_key = sldns_key_dsa2pkey_raw(key, keylen);
556 			if(!*evp_key) {
557 				verbose(VERB_QUERY, "verify: sldns_key_dsa2pkey failed");
558 				return 0;
559 			}
560 #ifdef HAVE_EVP_DSS1
561 			*digest_type = EVP_dss1();
562 #else
563 			*digest_type = EVP_sha1();
564 #endif
565 
566 			break;
567 #endif /* USE_DSA && USE_SHA1 */
568 
569 #if defined(USE_SHA1) || (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2))
570 #ifdef USE_SHA1
571 		case LDNS_RSASHA1:
572 		case LDNS_RSASHA1_NSEC3:
573 #endif
574 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
575 		case LDNS_RSASHA256:
576 #endif
577 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
578 		case LDNS_RSASHA512:
579 #endif
580 			*evp_key = sldns_key_rsa2pkey_raw(key, keylen);
581 			if(!*evp_key) {
582 				verbose(VERB_QUERY, "verify: sldns_key_rsa2pkey SHA failed");
583 				return 0;
584 			}
585 
586 			/* select SHA version */
587 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
588 			if(algo == LDNS_RSASHA256)
589 				*digest_type = EVP_sha256();
590 			else
591 #endif
592 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
593 				if(algo == LDNS_RSASHA512)
594 				*digest_type = EVP_sha512();
595 			else
596 #endif
597 #ifdef USE_SHA1
598 				*digest_type = EVP_sha1();
599 #else
600 				{ verbose(VERB_QUERY, "no digest available"); return 0; }
601 #endif
602 			break;
603 #endif /* defined(USE_SHA1) || (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2)) */
604 
605 		case LDNS_RSAMD5:
606 			*evp_key = sldns_key_rsa2pkey_raw(key, keylen);
607 			if(!*evp_key) {
608 				verbose(VERB_QUERY, "verify: sldns_key_rsa2pkey MD5 failed");
609 				return 0;
610 			}
611 			*digest_type = EVP_md5();
612 
613 			break;
614 #ifdef USE_GOST
615 		case LDNS_ECC_GOST:
616 			*evp_key = sldns_gost2pkey_raw(key, keylen);
617 			if(!*evp_key) {
618 				verbose(VERB_QUERY, "verify: "
619 					"sldns_gost2pkey_raw failed");
620 				return 0;
621 			}
622 			*digest_type = EVP_get_digestbyname("md_gost94");
623 			if(!*digest_type) {
624 				verbose(VERB_QUERY, "verify: "
625 					"EVP_getdigest md_gost94 failed");
626 				return 0;
627 			}
628 			break;
629 #endif
630 #ifdef USE_ECDSA
631 		case LDNS_ECDSAP256SHA256:
632 			*evp_key = sldns_ecdsa2pkey_raw(key, keylen,
633 				LDNS_ECDSAP256SHA256);
634 			if(!*evp_key) {
635 				verbose(VERB_QUERY, "verify: "
636 					"sldns_ecdsa2pkey_raw failed");
637 				return 0;
638 			}
639 #ifdef USE_ECDSA_EVP_WORKAROUND
640 			*digest_type = &ecdsa_evp_256_md;
641 #else
642 			*digest_type = EVP_sha256();
643 #endif
644 			break;
645 		case LDNS_ECDSAP384SHA384:
646 			*evp_key = sldns_ecdsa2pkey_raw(key, keylen,
647 				LDNS_ECDSAP384SHA384);
648 			if(!*evp_key) {
649 				verbose(VERB_QUERY, "verify: "
650 					"sldns_ecdsa2pkey_raw failed");
651 				return 0;
652 			}
653 #ifdef USE_ECDSA_EVP_WORKAROUND
654 			*digest_type = &ecdsa_evp_384_md;
655 #else
656 			*digest_type = EVP_sha384();
657 #endif
658 			break;
659 #endif /* USE_ECDSA */
660 #ifdef USE_ED25519
661 		case LDNS_ED25519:
662 			*evp_key = sldns_ed255192pkey_raw(key, keylen);
663 			if(!*evp_key) {
664 				verbose(VERB_QUERY, "verify: "
665 					"sldns_ed255192pkey_raw failed");
666 				return 0;
667 			}
668 			*digest_type = NULL;
669 			break;
670 #endif /* USE_ED25519 */
671 #ifdef USE_ED448
672 		case LDNS_ED448:
673 			*evp_key = sldns_ed4482pkey_raw(key, keylen);
674 			if(!*evp_key) {
675 				verbose(VERB_QUERY, "verify: "
676 					"sldns_ed4482pkey_raw failed");
677 				return 0;
678 			}
679 			*digest_type = NULL;
680 			break;
681 #endif /* USE_ED448 */
682 		default:
683 			verbose(VERB_QUERY, "verify: unknown algorithm %d",
684 				algo);
685 			return 0;
686 	}
687 	return 1;
688 }
689 
690 static void
691 digest_ctx_free(EVP_MD_CTX* ctx, EVP_PKEY *evp_key,
692 	unsigned char* sigblock, int dofree, int docrypto_free)
693 {
694 #ifdef HAVE_EVP_MD_CTX_NEW
695 	EVP_MD_CTX_destroy(ctx);
696 #else
697 	EVP_MD_CTX_cleanup(ctx);
698 	free(ctx);
699 #endif
700 	EVP_PKEY_free(evp_key);
701 	if(dofree) free(sigblock);
702 	else if(docrypto_free) OPENSSL_free(sigblock);
703 }
704 
705 static enum sec_status
706 digest_error_status(const char *str)
707 {
708 	unsigned long e = ERR_get_error();
709 #ifdef EVP_R_INVALID_DIGEST
710 	if (ERR_GET_LIB(e) == ERR_LIB_EVP &&
711 		ERR_GET_REASON(e) == EVP_R_INVALID_DIGEST) {
712 		log_crypto_verbose(VERB_ALGO, str, e);
713 		return sec_status_indeterminate;
714 	}
715 #endif
716 	log_crypto_verbose(VERB_QUERY, str, e);
717 	return sec_status_unchecked;
718 }
719 
720 /**
721  * Check a canonical sig+rrset and signature against a dnskey
722  * @param buf: buffer with data to verify, the first rrsig part and the
723  *	canonicalized rrset.
724  * @param algo: DNSKEY algorithm.
725  * @param sigblock: signature rdata field from RRSIG
726  * @param sigblock_len: length of sigblock data.
727  * @param key: public key data from DNSKEY RR.
728  * @param keylen: length of keydata.
729  * @param reason: bogus reason in more detail.
730  * @return secure if verification succeeded, bogus on crypto failure,
731  *	unchecked on format errors and alloc failures, indeterminate
732  *	if digest is not supported by the crypto library (openssl3+ only).
733  */
734 enum sec_status
735 verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
736 	unsigned int sigblock_len, unsigned char* key, unsigned int keylen,
737 	char** reason)
738 {
739 	const EVP_MD *digest_type;
740 	EVP_MD_CTX* ctx;
741 	int res, dofree = 0, docrypto_free = 0;
742 	EVP_PKEY *evp_key = NULL;
743 
744 #ifndef USE_DSA
745 	if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) &&(fake_dsa||fake_sha1))
746 		return sec_status_secure;
747 #endif
748 #ifndef USE_SHA1
749 	if(fake_sha1 && (algo == LDNS_DSA || algo == LDNS_DSA_NSEC3 || algo == LDNS_RSASHA1 || algo == LDNS_RSASHA1_NSEC3))
750 		return sec_status_secure;
751 #endif
752 
753 	if(!setup_key_digest(algo, &evp_key, &digest_type, key, keylen)) {
754 		verbose(VERB_QUERY, "verify: failed to setup key");
755 		*reason = "use of key for crypto failed";
756 		EVP_PKEY_free(evp_key);
757 		return sec_status_bogus;
758 	}
759 #ifdef USE_DSA
760 	/* if it is a DSA signature in bind format, convert to DER format */
761 	if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) &&
762 		sigblock_len == 1+2*SHA_DIGEST_LENGTH) {
763 		if(!setup_dsa_sig(&sigblock, &sigblock_len)) {
764 			verbose(VERB_QUERY, "verify: failed to setup DSA sig");
765 			*reason = "use of key for DSA crypto failed";
766 			EVP_PKEY_free(evp_key);
767 			return sec_status_bogus;
768 		}
769 		docrypto_free = 1;
770 	}
771 #endif
772 #if defined(USE_ECDSA) && defined(USE_DSA)
773 	else
774 #endif
775 #ifdef USE_ECDSA
776 	if(algo == LDNS_ECDSAP256SHA256 || algo == LDNS_ECDSAP384SHA384) {
777 		/* EVP uses ASN prefix on sig, which is not in the wire data */
778 		if(!setup_ecdsa_sig(&sigblock, &sigblock_len)) {
779 			verbose(VERB_QUERY, "verify: failed to setup ECDSA sig");
780 			*reason = "use of signature for ECDSA crypto failed";
781 			EVP_PKEY_free(evp_key);
782 			return sec_status_bogus;
783 		}
784 		dofree = 1;
785 	}
786 #endif /* USE_ECDSA */
787 
788 	/* do the signature cryptography work */
789 #ifdef HAVE_EVP_MD_CTX_NEW
790 	ctx = EVP_MD_CTX_new();
791 #else
792 	ctx = (EVP_MD_CTX*)malloc(sizeof(*ctx));
793 	if(ctx) EVP_MD_CTX_init(ctx);
794 #endif
795 	if(!ctx) {
796 		log_err("EVP_MD_CTX_new: malloc failure");
797 		EVP_PKEY_free(evp_key);
798 		if(dofree) free(sigblock);
799 		else if(docrypto_free) OPENSSL_free(sigblock);
800 		return sec_status_unchecked;
801 	}
802 #ifndef HAVE_EVP_DIGESTVERIFY
803 	if(EVP_DigestInit(ctx, digest_type) == 0) {
804 		enum sec_status sec;
805 		sec = digest_error_status("verify: EVP_DigestInit failed");
806 		digest_ctx_free(ctx, evp_key, sigblock,
807 			dofree, docrypto_free);
808 		return sec;
809 	}
810 	if(EVP_DigestUpdate(ctx, (unsigned char*)sldns_buffer_begin(buf),
811 		(unsigned int)sldns_buffer_limit(buf)) == 0) {
812 		log_crypto_verbose(VERB_QUERY, "verify: EVP_DigestUpdate failed",
813 			ERR_get_error());
814 		digest_ctx_free(ctx, evp_key, sigblock,
815 			dofree, docrypto_free);
816 		return sec_status_unchecked;
817 	}
818 
819 	res = EVP_VerifyFinal(ctx, sigblock, sigblock_len, evp_key);
820 #else /* HAVE_EVP_DIGESTVERIFY */
821 	if(EVP_DigestVerifyInit(ctx, NULL, digest_type, NULL, evp_key) == 0) {
822 		enum sec_status sec;
823 		sec = digest_error_status("verify: EVP_DigestVerifyInit failed");
824 		digest_ctx_free(ctx, evp_key, sigblock,
825 			dofree, docrypto_free);
826 		return sec;
827 	}
828 	res = EVP_DigestVerify(ctx, sigblock, sigblock_len,
829 		(unsigned char*)sldns_buffer_begin(buf),
830 		sldns_buffer_limit(buf));
831 #endif
832 	digest_ctx_free(ctx, evp_key, sigblock,
833 		dofree, docrypto_free);
834 
835 	if(res == 1) {
836 		return sec_status_secure;
837 	} else if(res == 0) {
838 		verbose(VERB_QUERY, "verify: signature mismatch");
839 		*reason = "signature crypto failed";
840 		return sec_status_bogus;
841 	}
842 
843 	log_crypto_error("verify:", ERR_get_error());
844 	return sec_status_unchecked;
845 }
846 
847 /**************************************************/
848 #elif defined(HAVE_NSS)
849 /* libnss implementation */
850 /* nss3 */
851 #include "sechash.h"
852 #include "pk11pub.h"
853 #include "keyhi.h"
854 #include "secerr.h"
855 #include "cryptohi.h"
856 /* nspr4 */
857 #include "prerror.h"
858 
859 /* return size of digest if supported, or 0 otherwise */
860 size_t
861 nsec3_hash_algo_size_supported(int id)
862 {
863 	switch(id) {
864 	case NSEC3_HASH_SHA1:
865 		return SHA1_LENGTH;
866 	default:
867 		return 0;
868 	}
869 }
870 
871 /* perform nsec3 hash. return false on failure */
872 int
873 secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
874         unsigned char* res)
875 {
876 	switch(algo) {
877 	case NSEC3_HASH_SHA1:
878 		(void)HASH_HashBuf(HASH_AlgSHA1, res, buf, (unsigned long)len);
879 		return 1;
880 	default:
881 		return 0;
882 	}
883 }
884 
885 void
886 secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res)
887 {
888 	(void)HASH_HashBuf(HASH_AlgSHA256, res, buf, (unsigned long)len);
889 }
890 
891 /** the secalgo hash structure */
892 struct secalgo_hash {
893 	/** hash context */
894 	HASHContext* ctx;
895 };
896 
897 /** create hash struct of type */
898 static struct secalgo_hash* secalgo_hash_create_type(HASH_HashType tp)
899 {
900 	struct secalgo_hash* h = calloc(1, sizeof(*h));
901 	if(!h)
902 		return NULL;
903 	h->ctx = HASH_Create(tp);
904 	if(!h->ctx) {
905 		free(h);
906 		return NULL;
907 	}
908 	return h;
909 }
910 
911 struct secalgo_hash* secalgo_hash_create_sha384(void)
912 {
913 	return secalgo_hash_create_type(HASH_AlgSHA384);
914 }
915 
916 struct secalgo_hash* secalgo_hash_create_sha512(void)
917 {
918 	return secalgo_hash_create_type(HASH_AlgSHA512);
919 }
920 
921 int secalgo_hash_update(struct secalgo_hash* hash, uint8_t* data, size_t len)
922 {
923 	HASH_Update(hash->ctx, (unsigned char*)data, (unsigned int)len);
924 	return 1;
925 }
926 
927 int secalgo_hash_final(struct secalgo_hash* hash, uint8_t* result,
928         size_t maxlen, size_t* resultlen)
929 {
930 	unsigned int reslen = 0;
931 	if(HASH_ResultLenContext(hash->ctx) > (unsigned int)maxlen) {
932 		*resultlen = 0;
933 		log_err("secalgo_hash_final: hash buffer too small");
934 		return 0;
935 	}
936 	HASH_End(hash->ctx, (unsigned char*)result, &reslen,
937 		(unsigned int)maxlen);
938 	*resultlen = (size_t)reslen;
939 	return 1;
940 }
941 
942 void secalgo_hash_delete(struct secalgo_hash* hash)
943 {
944 	if(!hash) return;
945 	HASH_Destroy(hash->ctx);
946 	free(hash);
947 }
948 
949 size_t
950 ds_digest_size_supported(int algo)
951 {
952 	/* uses libNSS */
953 	switch(algo) {
954 #ifdef USE_SHA1
955 		case LDNS_SHA1:
956 			return SHA1_LENGTH;
957 #endif
958 #ifdef USE_SHA2
959 		case LDNS_SHA256:
960 			return SHA256_LENGTH;
961 #endif
962 #ifdef USE_ECDSA
963 		case LDNS_SHA384:
964 			return SHA384_LENGTH;
965 #endif
966 		/* GOST not supported in NSS */
967 		case LDNS_HASH_GOST:
968 		default: break;
969 	}
970 	return 0;
971 }
972 
973 int
974 secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
975 	unsigned char* res)
976 {
977 	/* uses libNSS */
978 	switch(algo) {
979 #ifdef USE_SHA1
980 		case LDNS_SHA1:
981 			return HASH_HashBuf(HASH_AlgSHA1, res, buf, len)
982 				== SECSuccess;
983 #endif
984 #if defined(USE_SHA2)
985 		case LDNS_SHA256:
986 			return HASH_HashBuf(HASH_AlgSHA256, res, buf, len)
987 				== SECSuccess;
988 #endif
989 #ifdef USE_ECDSA
990 		case LDNS_SHA384:
991 			return HASH_HashBuf(HASH_AlgSHA384, res, buf, len)
992 				== SECSuccess;
993 #endif
994 		case LDNS_HASH_GOST:
995 		default:
996 			verbose(VERB_QUERY, "unknown DS digest algorithm %d",
997 				algo);
998 			break;
999 	}
1000 	return 0;
1001 }
1002 
1003 int
1004 dnskey_algo_id_is_supported(int id)
1005 {
1006 	/* uses libNSS */
1007 	switch(id) {
1008 	case LDNS_RSAMD5:
1009 		/* RFC 6725 deprecates RSAMD5 */
1010 		return 0;
1011 #if defined(USE_SHA1) || defined(USE_SHA2)
1012 #if defined(USE_DSA) && defined(USE_SHA1)
1013 	case LDNS_DSA:
1014 	case LDNS_DSA_NSEC3:
1015 #endif
1016 #ifdef USE_SHA1
1017 	case LDNS_RSASHA1:
1018 	case LDNS_RSASHA1_NSEC3:
1019 #endif
1020 #ifdef USE_SHA2
1021 	case LDNS_RSASHA256:
1022 #endif
1023 #ifdef USE_SHA2
1024 	case LDNS_RSASHA512:
1025 #endif
1026 		return 1;
1027 #endif /* SHA1 or SHA2 */
1028 
1029 #ifdef USE_ECDSA
1030 	case LDNS_ECDSAP256SHA256:
1031 	case LDNS_ECDSAP384SHA384:
1032 		return PK11_TokenExists(CKM_ECDSA);
1033 #endif
1034 	case LDNS_ECC_GOST:
1035 	default:
1036 		return 0;
1037 	}
1038 }
1039 
1040 /* return a new public key for NSS */
1041 static SECKEYPublicKey* nss_key_create(KeyType ktype)
1042 {
1043 	SECKEYPublicKey* key;
1044 	PLArenaPool* arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
1045 	if(!arena) {
1046 		log_err("out of memory, PORT_NewArena failed");
1047 		return NULL;
1048 	}
1049 	key = PORT_ArenaZNew(arena, SECKEYPublicKey);
1050 	if(!key) {
1051 		log_err("out of memory, PORT_ArenaZNew failed");
1052 		PORT_FreeArena(arena, PR_FALSE);
1053 		return NULL;
1054 	}
1055 	key->arena = arena;
1056 	key->keyType = ktype;
1057 	key->pkcs11Slot = NULL;
1058 	key->pkcs11ID = CK_INVALID_HANDLE;
1059 	return key;
1060 }
1061 
1062 static SECKEYPublicKey* nss_buf2ecdsa(unsigned char* key, size_t len, int algo)
1063 {
1064 	SECKEYPublicKey* pk;
1065 	SECItem pub = {siBuffer, NULL, 0};
1066 	SECItem params = {siBuffer, NULL, 0};
1067 	static unsigned char param256[] = {
1068 		/* OBJECTIDENTIFIER 1.2.840.10045.3.1.7 (P-256)
1069 		 * {iso(1) member-body(2) us(840) ansi-x962(10045) curves(3) prime(1) prime256v1(7)} */
1070 		0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07
1071 	};
1072 	static unsigned char param384[] = {
1073 		/* OBJECTIDENTIFIER 1.3.132.0.34 (P-384)
1074 		 * {iso(1) identified-organization(3) certicom(132) curve(0) ansip384r1(34)} */
1075 		0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22
1076 	};
1077 	unsigned char buf[256+2]; /* sufficient for 2*384/8+1 */
1078 
1079 	/* check length, which uncompressed must be 2 bignums */
1080 	if(algo == LDNS_ECDSAP256SHA256) {
1081 		if(len != 2*256/8) return NULL;
1082 		/* ECCurve_X9_62_PRIME_256V1 */
1083 	} else if(algo == LDNS_ECDSAP384SHA384) {
1084 		if(len != 2*384/8) return NULL;
1085 		/* ECCurve_X9_62_PRIME_384R1 */
1086 	} else    return NULL;
1087 
1088 	buf[0] = 0x04; /* POINT_FORM_UNCOMPRESSED */
1089 	memmove(buf+1, key, len);
1090 	pub.data = buf;
1091 	pub.len = len+1;
1092 	if(algo == LDNS_ECDSAP256SHA256) {
1093 		params.data = param256;
1094 		params.len = sizeof(param256);
1095 	} else {
1096 		params.data = param384;
1097 		params.len = sizeof(param384);
1098 	}
1099 
1100 	pk = nss_key_create(ecKey);
1101 	if(!pk)
1102 		return NULL;
1103 	pk->u.ec.size = (len/2)*8;
1104 	if(SECITEM_CopyItem(pk->arena, &pk->u.ec.publicValue, &pub)) {
1105 		SECKEY_DestroyPublicKey(pk);
1106 		return NULL;
1107 	}
1108 	if(SECITEM_CopyItem(pk->arena, &pk->u.ec.DEREncodedParams, &params)) {
1109 		SECKEY_DestroyPublicKey(pk);
1110 		return NULL;
1111 	}
1112 
1113 	return pk;
1114 }
1115 
1116 #if defined(USE_DSA) && defined(USE_SHA1)
1117 static SECKEYPublicKey* nss_buf2dsa(unsigned char* key, size_t len)
1118 {
1119 	SECKEYPublicKey* pk;
1120 	uint8_t T;
1121 	uint16_t length;
1122 	uint16_t offset;
1123 	SECItem Q = {siBuffer, NULL, 0};
1124 	SECItem P = {siBuffer, NULL, 0};
1125 	SECItem G = {siBuffer, NULL, 0};
1126 	SECItem Y = {siBuffer, NULL, 0};
1127 
1128 	if(len == 0)
1129 		return NULL;
1130 	T = (uint8_t)key[0];
1131 	length = (64 + T * 8);
1132 	offset = 1;
1133 
1134 	if (T > 8) {
1135 		return NULL;
1136 	}
1137 	if(len < (size_t)1 + SHA1_LENGTH + 3*length)
1138 		return NULL;
1139 
1140 	Q.data = key+offset;
1141 	Q.len = SHA1_LENGTH;
1142 	offset += SHA1_LENGTH;
1143 
1144 	P.data = key+offset;
1145 	P.len = length;
1146 	offset += length;
1147 
1148 	G.data = key+offset;
1149 	G.len = length;
1150 	offset += length;
1151 
1152 	Y.data = key+offset;
1153 	Y.len = length;
1154 	offset += length;
1155 
1156 	pk = nss_key_create(dsaKey);
1157 	if(!pk)
1158 		return NULL;
1159 	if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.prime, &P)) {
1160 		SECKEY_DestroyPublicKey(pk);
1161 		return NULL;
1162 	}
1163 	if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.subPrime, &Q)) {
1164 		SECKEY_DestroyPublicKey(pk);
1165 		return NULL;
1166 	}
1167 	if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.base, &G)) {
1168 		SECKEY_DestroyPublicKey(pk);
1169 		return NULL;
1170 	}
1171 	if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.publicValue, &Y)) {
1172 		SECKEY_DestroyPublicKey(pk);
1173 		return NULL;
1174 	}
1175 	return pk;
1176 }
1177 #endif /* USE_DSA && USE_SHA1 */
1178 
1179 static SECKEYPublicKey* nss_buf2rsa(unsigned char* key, size_t len)
1180 {
1181 	SECKEYPublicKey* pk;
1182 	uint16_t exp;
1183 	uint16_t offset;
1184 	uint16_t int16;
1185 	SECItem modulus = {siBuffer, NULL, 0};
1186 	SECItem exponent = {siBuffer, NULL, 0};
1187 	if(len == 0)
1188 		return NULL;
1189 	if(key[0] == 0) {
1190 		if(len < 3)
1191 			return NULL;
1192 		/* the exponent is too large so it's places further */
1193 		memmove(&int16, key+1, 2);
1194 		exp = ntohs(int16);
1195 		offset = 3;
1196 	} else {
1197 		exp = key[0];
1198 		offset = 1;
1199 	}
1200 
1201 	/* key length at least one */
1202 	if(len < (size_t)offset + exp + 1)
1203 		return NULL;
1204 
1205 	exponent.data = key+offset;
1206 	exponent.len = exp;
1207 	offset += exp;
1208 	modulus.data = key+offset;
1209 	modulus.len = (len - offset);
1210 
1211 	pk = nss_key_create(rsaKey);
1212 	if(!pk)
1213 		return NULL;
1214 	if(SECITEM_CopyItem(pk->arena, &pk->u.rsa.modulus, &modulus)) {
1215 		SECKEY_DestroyPublicKey(pk);
1216 		return NULL;
1217 	}
1218 	if(SECITEM_CopyItem(pk->arena, &pk->u.rsa.publicExponent, &exponent)) {
1219 		SECKEY_DestroyPublicKey(pk);
1220 		return NULL;
1221 	}
1222 	return pk;
1223 }
1224 
1225 /**
1226  * Setup key and digest for verification. Adjust sig if necessary.
1227  *
1228  * @param algo: key algorithm
1229  * @param evp_key: EVP PKEY public key to create.
1230  * @param digest_type: digest type to use
1231  * @param key: key to setup for.
1232  * @param keylen: length of key.
1233  * @param prefix: if returned, the ASN prefix for the hashblob.
1234  * @param prefixlen: length of the prefix.
1235  * @return false on failure.
1236  */
1237 static int
1238 nss_setup_key_digest(int algo, SECKEYPublicKey** pubkey, HASH_HashType* htype,
1239 	unsigned char* key, size_t keylen, unsigned char** prefix,
1240 	size_t* prefixlen)
1241 {
1242 	/* uses libNSS */
1243 
1244 	/* hash prefix for md5, RFC2537 */
1245 	static unsigned char p_md5[] = {0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a,
1246 	0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 0x04, 0x10};
1247 	/* hash prefix to prepend to hash output, from RFC3110 */
1248 	static unsigned char p_sha1[] = {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B,
1249 		0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14};
1250 	/* from RFC5702 */
1251 	static unsigned char p_sha256[] = {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60,
1252 	0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20};
1253 	static unsigned char p_sha512[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60,
1254 	0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40};
1255 	/* from RFC6234 */
1256 	/* for future RSASHA384 ..
1257 	static unsigned char p_sha384[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60,
1258 	0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30};
1259 	*/
1260 
1261 	switch(algo) {
1262 
1263 #if defined(USE_SHA1) || defined(USE_SHA2)
1264 #if defined(USE_DSA) && defined(USE_SHA1)
1265 		case LDNS_DSA:
1266 		case LDNS_DSA_NSEC3:
1267 			*pubkey = nss_buf2dsa(key, keylen);
1268 			if(!*pubkey) {
1269 				log_err("verify: malloc failure in crypto");
1270 				return 0;
1271 			}
1272 			*htype = HASH_AlgSHA1;
1273 			/* no prefix for DSA verification */
1274 			break;
1275 #endif
1276 #ifdef USE_SHA1
1277 		case LDNS_RSASHA1:
1278 		case LDNS_RSASHA1_NSEC3:
1279 #endif
1280 #ifdef USE_SHA2
1281 		case LDNS_RSASHA256:
1282 #endif
1283 #ifdef USE_SHA2
1284 		case LDNS_RSASHA512:
1285 #endif
1286 			*pubkey = nss_buf2rsa(key, keylen);
1287 			if(!*pubkey) {
1288 				log_err("verify: malloc failure in crypto");
1289 				return 0;
1290 			}
1291 			/* select SHA version */
1292 #ifdef USE_SHA2
1293 			if(algo == LDNS_RSASHA256) {
1294 				*htype = HASH_AlgSHA256;
1295 				*prefix = p_sha256;
1296 				*prefixlen = sizeof(p_sha256);
1297 			} else
1298 #endif
1299 #ifdef USE_SHA2
1300 				if(algo == LDNS_RSASHA512) {
1301 				*htype = HASH_AlgSHA512;
1302 				*prefix = p_sha512;
1303 				*prefixlen = sizeof(p_sha512);
1304 			} else
1305 #endif
1306 #ifdef USE_SHA1
1307 			{
1308 				*htype = HASH_AlgSHA1;
1309 				*prefix = p_sha1;
1310 				*prefixlen = sizeof(p_sha1);
1311 			}
1312 #else
1313 			{
1314 				verbose(VERB_QUERY, "verify: no digest algo");
1315 				return 0;
1316 			}
1317 #endif
1318 
1319 			break;
1320 #endif /* SHA1 or SHA2 */
1321 
1322 		case LDNS_RSAMD5:
1323 			*pubkey = nss_buf2rsa(key, keylen);
1324 			if(!*pubkey) {
1325 				log_err("verify: malloc failure in crypto");
1326 				return 0;
1327 			}
1328 			*htype = HASH_AlgMD5;
1329 			*prefix = p_md5;
1330 			*prefixlen = sizeof(p_md5);
1331 
1332 			break;
1333 #ifdef USE_ECDSA
1334 		case LDNS_ECDSAP256SHA256:
1335 			*pubkey = nss_buf2ecdsa(key, keylen,
1336 				LDNS_ECDSAP256SHA256);
1337 			if(!*pubkey) {
1338 				log_err("verify: malloc failure in crypto");
1339 				return 0;
1340 			}
1341 			*htype = HASH_AlgSHA256;
1342 			/* no prefix for DSA verification */
1343 			break;
1344 		case LDNS_ECDSAP384SHA384:
1345 			*pubkey = nss_buf2ecdsa(key, keylen,
1346 				LDNS_ECDSAP384SHA384);
1347 			if(!*pubkey) {
1348 				log_err("verify: malloc failure in crypto");
1349 				return 0;
1350 			}
1351 			*htype = HASH_AlgSHA384;
1352 			/* no prefix for DSA verification */
1353 			break;
1354 #endif /* USE_ECDSA */
1355 		case LDNS_ECC_GOST:
1356 		default:
1357 			verbose(VERB_QUERY, "verify: unknown algorithm %d",
1358 				algo);
1359 			return 0;
1360 	}
1361 	return 1;
1362 }
1363 
1364 /**
1365  * Check a canonical sig+rrset and signature against a dnskey
1366  * @param buf: buffer with data to verify, the first rrsig part and the
1367  *	canonicalized rrset.
1368  * @param algo: DNSKEY algorithm.
1369  * @param sigblock: signature rdata field from RRSIG
1370  * @param sigblock_len: length of sigblock data.
1371  * @param key: public key data from DNSKEY RR.
1372  * @param keylen: length of keydata.
1373  * @param reason: bogus reason in more detail.
1374  * @return secure if verification succeeded, bogus on crypto failure,
1375  *	unchecked on format errors and alloc failures.
1376  */
1377 enum sec_status
1378 verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
1379 	unsigned int sigblock_len, unsigned char* key, unsigned int keylen,
1380 	char** reason)
1381 {
1382 	/* uses libNSS */
1383 	/* large enough for the different hashes */
1384 	unsigned char hash[HASH_LENGTH_MAX];
1385 	unsigned char hash2[HASH_LENGTH_MAX*2];
1386 	HASH_HashType htype = 0;
1387 	SECKEYPublicKey* pubkey = NULL;
1388 	SECItem secsig = {siBuffer, sigblock, sigblock_len};
1389 	SECItem sechash = {siBuffer, hash, 0};
1390 	SECStatus res;
1391 	unsigned char* prefix = NULL; /* prefix for hash, RFC3110, RFC5702 */
1392 	size_t prefixlen = 0;
1393 	int err;
1394 
1395 	if(!nss_setup_key_digest(algo, &pubkey, &htype, key, keylen,
1396 		&prefix, &prefixlen)) {
1397 		verbose(VERB_QUERY, "verify: failed to setup key");
1398 		*reason = "use of key for crypto failed";
1399 		SECKEY_DestroyPublicKey(pubkey);
1400 		return sec_status_bogus;
1401 	}
1402 
1403 #if defined(USE_DSA) && defined(USE_SHA1)
1404 	/* need to convert DSA, ECDSA signatures? */
1405 	if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3)) {
1406 		if(sigblock_len == 1+2*SHA1_LENGTH) {
1407 			secsig.data ++;
1408 			secsig.len --;
1409 		} else {
1410 			SECItem* p = DSAU_DecodeDerSig(&secsig);
1411 			if(!p) {
1412 				verbose(VERB_QUERY, "verify: failed DER decode");
1413 				*reason = "signature DER decode failed";
1414 				SECKEY_DestroyPublicKey(pubkey);
1415 				return sec_status_bogus;
1416 			}
1417 			if(SECITEM_CopyItem(pubkey->arena, &secsig, p)) {
1418 				log_err("alloc failure in DER decode");
1419 				SECKEY_DestroyPublicKey(pubkey);
1420 				SECITEM_FreeItem(p, PR_TRUE);
1421 				return sec_status_unchecked;
1422 			}
1423 			SECITEM_FreeItem(p, PR_TRUE);
1424 		}
1425 	}
1426 #endif /* USE_DSA */
1427 
1428 	/* do the signature cryptography work */
1429 	/* hash the data */
1430 	sechash.len = HASH_ResultLen(htype);
1431 	if(sechash.len > sizeof(hash)) {
1432 		verbose(VERB_QUERY, "verify: hash too large for buffer");
1433 		SECKEY_DestroyPublicKey(pubkey);
1434 		return sec_status_unchecked;
1435 	}
1436 	if(HASH_HashBuf(htype, hash, (unsigned char*)sldns_buffer_begin(buf),
1437 		(unsigned int)sldns_buffer_limit(buf)) != SECSuccess) {
1438 		verbose(VERB_QUERY, "verify: HASH_HashBuf failed");
1439 		SECKEY_DestroyPublicKey(pubkey);
1440 		return sec_status_unchecked;
1441 	}
1442 	if(prefix) {
1443 		int hashlen = sechash.len;
1444 		if(prefixlen+hashlen > sizeof(hash2)) {
1445 			verbose(VERB_QUERY, "verify: hashprefix too large");
1446 			SECKEY_DestroyPublicKey(pubkey);
1447 			return sec_status_unchecked;
1448 		}
1449 		sechash.data = hash2;
1450 		sechash.len = prefixlen+hashlen;
1451 		memcpy(sechash.data, prefix, prefixlen);
1452 		memmove(sechash.data+prefixlen, hash, hashlen);
1453 	}
1454 
1455 	/* verify the signature */
1456 	res = PK11_Verify(pubkey, &secsig, &sechash, NULL /*wincx*/);
1457 	SECKEY_DestroyPublicKey(pubkey);
1458 
1459 	if(res == SECSuccess) {
1460 		return sec_status_secure;
1461 	}
1462 	err = PORT_GetError();
1463 	if(err != SEC_ERROR_BAD_SIGNATURE) {
1464 		/* failed to verify */
1465 		verbose(VERB_QUERY, "verify: PK11_Verify failed: %s",
1466 			PORT_ErrorToString(err));
1467 		/* if it is not supported, like ECC is removed, we get,
1468 		 * SEC_ERROR_NO_MODULE */
1469 		if(err == SEC_ERROR_NO_MODULE)
1470 			return sec_status_unchecked;
1471 		/* but other errors are commonly returned
1472 		 * for a bad signature from NSS.  Thus we return bogus,
1473 		 * not unchecked */
1474 		*reason = "signature crypto failed";
1475 		return sec_status_bogus;
1476 	}
1477 	verbose(VERB_QUERY, "verify: signature mismatch: %s",
1478 		PORT_ErrorToString(err));
1479 	*reason = "signature crypto failed";
1480 	return sec_status_bogus;
1481 }
1482 
1483 #elif defined(HAVE_NETTLE)
1484 
1485 #include "sha.h"
1486 #include "bignum.h"
1487 #include "macros.h"
1488 #include "rsa.h"
1489 #include "dsa.h"
1490 #ifdef HAVE_NETTLE_DSA_COMPAT_H
1491 #include "dsa-compat.h"
1492 #endif
1493 #include "asn1.h"
1494 #ifdef USE_ECDSA
1495 #include "ecdsa.h"
1496 #include "ecc-curve.h"
1497 #endif
1498 #ifdef HAVE_NETTLE_EDDSA_H
1499 #include "eddsa.h"
1500 #endif
1501 
1502 static int
1503 _digest_nettle(int algo, uint8_t* buf, size_t len,
1504 	unsigned char* res)
1505 {
1506 	switch(algo) {
1507 		case SHA1_DIGEST_SIZE:
1508 		{
1509 			struct sha1_ctx ctx;
1510 			sha1_init(&ctx);
1511 			sha1_update(&ctx, len, buf);
1512 			sha1_digest(&ctx, SHA1_DIGEST_SIZE, res);
1513 			return 1;
1514 		}
1515 		case SHA256_DIGEST_SIZE:
1516 		{
1517 			struct sha256_ctx ctx;
1518 			sha256_init(&ctx);
1519 			sha256_update(&ctx, len, buf);
1520 			sha256_digest(&ctx, SHA256_DIGEST_SIZE, res);
1521 			return 1;
1522 		}
1523 		case SHA384_DIGEST_SIZE:
1524 		{
1525 			struct sha384_ctx ctx;
1526 			sha384_init(&ctx);
1527 			sha384_update(&ctx, len, buf);
1528 			sha384_digest(&ctx, SHA384_DIGEST_SIZE, res);
1529 			return 1;
1530 		}
1531 		case SHA512_DIGEST_SIZE:
1532 		{
1533 			struct sha512_ctx ctx;
1534 			sha512_init(&ctx);
1535 			sha512_update(&ctx, len, buf);
1536 			sha512_digest(&ctx, SHA512_DIGEST_SIZE, res);
1537 			return 1;
1538 		}
1539 		default:
1540 			break;
1541 	}
1542 	return 0;
1543 }
1544 
1545 /* return size of digest if supported, or 0 otherwise */
1546 size_t
1547 nsec3_hash_algo_size_supported(int id)
1548 {
1549 	switch(id) {
1550 	case NSEC3_HASH_SHA1:
1551 		return SHA1_DIGEST_SIZE;
1552 	default:
1553 		return 0;
1554 	}
1555 }
1556 
1557 /* perform nsec3 hash. return false on failure */
1558 int
1559 secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
1560         unsigned char* res)
1561 {
1562 	switch(algo) {
1563 	case NSEC3_HASH_SHA1:
1564 		return _digest_nettle(SHA1_DIGEST_SIZE, (uint8_t*)buf, len,
1565 			res);
1566 	default:
1567 		return 0;
1568 	}
1569 }
1570 
1571 void
1572 secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res)
1573 {
1574 	_digest_nettle(SHA256_DIGEST_SIZE, (uint8_t*)buf, len, res);
1575 }
1576 
1577 /** secalgo hash structure */
1578 struct secalgo_hash {
1579 	/** if it is 384 or 512 */
1580 	int active;
1581 	/** context for sha384 */
1582 	struct sha384_ctx ctx384;
1583 	/** context for sha512 */
1584 	struct sha512_ctx ctx512;
1585 };
1586 
1587 struct secalgo_hash* secalgo_hash_create_sha384(void)
1588 {
1589 	struct secalgo_hash* h = calloc(1, sizeof(*h));
1590 	if(!h)
1591 		return NULL;
1592 	h->active = 384;
1593 	sha384_init(&h->ctx384);
1594 	return h;
1595 }
1596 
1597 struct secalgo_hash* secalgo_hash_create_sha512(void)
1598 {
1599 	struct secalgo_hash* h = calloc(1, sizeof(*h));
1600 	if(!h)
1601 		return NULL;
1602 	h->active = 512;
1603 	sha512_init(&h->ctx512);
1604 	return h;
1605 }
1606 
1607 int secalgo_hash_update(struct secalgo_hash* hash, uint8_t* data, size_t len)
1608 {
1609 	if(hash->active == 384) {
1610 		sha384_update(&hash->ctx384, len, data);
1611 	} else if(hash->active == 512) {
1612 		sha512_update(&hash->ctx512, len, data);
1613 	} else {
1614 		return 0;
1615 	}
1616 	return 1;
1617 }
1618 
1619 int secalgo_hash_final(struct secalgo_hash* hash, uint8_t* result,
1620         size_t maxlen, size_t* resultlen)
1621 {
1622 	if(hash->active == 384) {
1623 		if(SHA384_DIGEST_SIZE > maxlen) {
1624 			*resultlen = 0;
1625 			log_err("secalgo_hash_final: hash buffer too small");
1626 			return 0;
1627 		}
1628 		*resultlen = SHA384_DIGEST_SIZE;
1629 		sha384_digest(&hash->ctx384, SHA384_DIGEST_SIZE,
1630 			(unsigned char*)result);
1631 	} else if(hash->active == 512) {
1632 		if(SHA512_DIGEST_SIZE > maxlen) {
1633 			*resultlen = 0;
1634 			log_err("secalgo_hash_final: hash buffer too small");
1635 			return 0;
1636 		}
1637 		*resultlen = SHA512_DIGEST_SIZE;
1638 		sha512_digest(&hash->ctx512, SHA512_DIGEST_SIZE,
1639 			(unsigned char*)result);
1640 	} else {
1641 		*resultlen = 0;
1642 		return 0;
1643 	}
1644 	return 1;
1645 }
1646 
1647 void secalgo_hash_delete(struct secalgo_hash* hash)
1648 {
1649 	if(!hash) return;
1650 	free(hash);
1651 }
1652 
1653 /**
1654  * Return size of DS digest according to its hash algorithm.
1655  * @param algo: DS digest algo.
1656  * @return size in bytes of digest, or 0 if not supported.
1657  */
1658 size_t
1659 ds_digest_size_supported(int algo)
1660 {
1661 	switch(algo) {
1662 		case LDNS_SHA1:
1663 #ifdef USE_SHA1
1664 			return SHA1_DIGEST_SIZE;
1665 #else
1666 			if(fake_sha1) return 20;
1667 			return 0;
1668 #endif
1669 #ifdef USE_SHA2
1670 		case LDNS_SHA256:
1671 			return SHA256_DIGEST_SIZE;
1672 #endif
1673 #ifdef USE_ECDSA
1674 		case LDNS_SHA384:
1675 			return SHA384_DIGEST_SIZE;
1676 #endif
1677 		/* GOST not supported */
1678 		case LDNS_HASH_GOST:
1679 		default:
1680 			break;
1681 	}
1682 	return 0;
1683 }
1684 
1685 int
1686 secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
1687 	unsigned char* res)
1688 {
1689 	switch(algo) {
1690 #ifdef USE_SHA1
1691 		case LDNS_SHA1:
1692 			return _digest_nettle(SHA1_DIGEST_SIZE, buf, len, res);
1693 #endif
1694 #if defined(USE_SHA2)
1695 		case LDNS_SHA256:
1696 			return _digest_nettle(SHA256_DIGEST_SIZE, buf, len, res);
1697 #endif
1698 #ifdef USE_ECDSA
1699 		case LDNS_SHA384:
1700 			return _digest_nettle(SHA384_DIGEST_SIZE, buf, len, res);
1701 
1702 #endif
1703 		case LDNS_HASH_GOST:
1704 		default:
1705 			verbose(VERB_QUERY, "unknown DS digest algorithm %d",
1706 				algo);
1707 			break;
1708 	}
1709 	return 0;
1710 }
1711 
1712 int
1713 dnskey_algo_id_is_supported(int id)
1714 {
1715 	/* uses libnettle */
1716 	switch(id) {
1717 	case LDNS_DSA:
1718 	case LDNS_DSA_NSEC3:
1719 #if defined(USE_DSA) && defined(USE_SHA1)
1720 		return 1;
1721 #else
1722 		if(fake_dsa || fake_sha1) return 1;
1723 		return 0;
1724 #endif
1725 	case LDNS_RSASHA1:
1726 	case LDNS_RSASHA1_NSEC3:
1727 #ifdef USE_SHA1
1728 		return 1;
1729 #else
1730 		if(fake_sha1) return 1;
1731 		return 0;
1732 #endif
1733 #ifdef USE_SHA2
1734 	case LDNS_RSASHA256:
1735 	case LDNS_RSASHA512:
1736 #endif
1737 #ifdef USE_ECDSA
1738 	case LDNS_ECDSAP256SHA256:
1739 	case LDNS_ECDSAP384SHA384:
1740 #endif
1741 		return 1;
1742 #ifdef USE_ED25519
1743 	case LDNS_ED25519:
1744 		return 1;
1745 #endif
1746 	case LDNS_RSAMD5: /* RFC 6725 deprecates RSAMD5 */
1747 	case LDNS_ECC_GOST:
1748 	default:
1749 		return 0;
1750 	}
1751 }
1752 
1753 #if defined(USE_DSA) && defined(USE_SHA1)
1754 static char *
1755 _verify_nettle_dsa(sldns_buffer* buf, unsigned char* sigblock,
1756 	unsigned int sigblock_len, unsigned char* key, unsigned int keylen)
1757 {
1758 	uint8_t digest[SHA1_DIGEST_SIZE];
1759 	uint8_t key_t_value;
1760 	int res = 0;
1761 	size_t offset;
1762 	struct dsa_public_key pubkey;
1763 	struct dsa_signature signature;
1764 	unsigned int expected_len;
1765 
1766 	/* Extract DSA signature from the record */
1767 	nettle_dsa_signature_init(&signature);
1768 	/* Signature length: 41 bytes - RFC 2536 sec. 3 */
1769 	if(sigblock_len == 41) {
1770 		if(key[0] != sigblock[0])
1771 			return "invalid T value in DSA signature or pubkey";
1772 		nettle_mpz_set_str_256_u(signature.r, 20, sigblock+1);
1773 		nettle_mpz_set_str_256_u(signature.s, 20, sigblock+1+20);
1774 	} else {
1775 		/* DER encoded, decode the ASN1 notated R and S bignums */
1776 		/* SEQUENCE { r INTEGER, s INTEGER } */
1777 		struct asn1_der_iterator i, seq;
1778 		if(asn1_der_iterator_first(&i, sigblock_len,
1779 			(uint8_t*)sigblock) != ASN1_ITERATOR_CONSTRUCTED
1780 			|| i.type != ASN1_SEQUENCE)
1781 			return "malformed DER encoded DSA signature";
1782 		/* decode this element of i using the seq iterator */
1783 		if(asn1_der_decode_constructed(&i, &seq) !=
1784 			ASN1_ITERATOR_PRIMITIVE || seq.type != ASN1_INTEGER)
1785 			return "malformed DER encoded DSA signature";
1786 		if(!asn1_der_get_bignum(&seq, signature.r, 20*8))
1787 			return "malformed DER encoded DSA signature";
1788 		if(asn1_der_iterator_next(&seq) != ASN1_ITERATOR_PRIMITIVE
1789 			|| seq.type != ASN1_INTEGER)
1790 			return "malformed DER encoded DSA signature";
1791 		if(!asn1_der_get_bignum(&seq, signature.s, 20*8))
1792 			return "malformed DER encoded DSA signature";
1793 		if(asn1_der_iterator_next(&i) != ASN1_ITERATOR_END)
1794 			return "malformed DER encoded DSA signature";
1795 	}
1796 
1797 	/* Validate T values constraints - RFC 2536 sec. 2 & sec. 3 */
1798 	key_t_value = key[0];
1799 	if (key_t_value > 8) {
1800 		return "invalid T value in DSA pubkey";
1801 	}
1802 
1803 	/* Pubkey minimum length: 21 bytes - RFC 2536 sec. 2 */
1804 	if (keylen < 21) {
1805 		return "DSA pubkey too short";
1806 	}
1807 
1808 	expected_len =   1 +		/* T */
1809 		        20 +		/* Q */
1810 		       (64 + key_t_value*8) +	/* P */
1811 		       (64 + key_t_value*8) +	/* G */
1812 		       (64 + key_t_value*8);	/* Y */
1813 	if (keylen != expected_len ) {
1814 		return "invalid DSA pubkey length";
1815 	}
1816 
1817 	/* Extract DSA pubkey from the record */
1818 	nettle_dsa_public_key_init(&pubkey);
1819 	offset = 1;
1820 	nettle_mpz_set_str_256_u(pubkey.q, 20, key+offset);
1821 	offset += 20;
1822 	nettle_mpz_set_str_256_u(pubkey.p, (64 + key_t_value*8), key+offset);
1823 	offset += (64 + key_t_value*8);
1824 	nettle_mpz_set_str_256_u(pubkey.g, (64 + key_t_value*8), key+offset);
1825 	offset += (64 + key_t_value*8);
1826 	nettle_mpz_set_str_256_u(pubkey.y, (64 + key_t_value*8), key+offset);
1827 
1828 	/* Digest content of "buf" and verify its DSA signature in "sigblock"*/
1829 	res = _digest_nettle(SHA1_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1830 						(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1831 	res &= dsa_sha1_verify_digest(&pubkey, digest, &signature);
1832 
1833 	/* Clear and return */
1834 	nettle_dsa_signature_clear(&signature);
1835 	nettle_dsa_public_key_clear(&pubkey);
1836 	if (!res)
1837 		return "DSA signature verification failed";
1838 	else
1839 		return NULL;
1840 }
1841 #endif /* USE_DSA */
1842 
1843 static char *
1844 _verify_nettle_rsa(sldns_buffer* buf, unsigned int digest_size, char* sigblock,
1845 	unsigned int sigblock_len, uint8_t* key, unsigned int keylen)
1846 {
1847 	uint16_t exp_len = 0;
1848 	size_t exp_offset = 0, mod_offset = 0;
1849 	struct rsa_public_key pubkey;
1850 	mpz_t signature;
1851 	int res = 0;
1852 
1853 	/* RSA pubkey parsing as per RFC 3110 sec. 2 */
1854 	if( keylen <= 1) {
1855 		return "null RSA key";
1856 	}
1857 	if (key[0] != 0) {
1858 		/* 1-byte length */
1859 		exp_len = key[0];
1860 		exp_offset = 1;
1861 	} else {
1862 		/* 1-byte NUL + 2-bytes exponent length */
1863 		if (keylen < 3) {
1864 			return "incorrect RSA key length";
1865 		}
1866 		exp_len = READ_UINT16(key+1);
1867 		if (exp_len == 0)
1868 			return "null RSA exponent length";
1869 		exp_offset = 3;
1870 	}
1871 	/* Check that we are not over-running input length */
1872 	if (keylen < exp_offset + exp_len + 1) {
1873 		return "RSA key content shorter than expected";
1874 	}
1875 	mod_offset = exp_offset + exp_len;
1876 	nettle_rsa_public_key_init(&pubkey);
1877 	pubkey.size = keylen - mod_offset;
1878 	nettle_mpz_set_str_256_u(pubkey.e, exp_len, &key[exp_offset]);
1879 	nettle_mpz_set_str_256_u(pubkey.n, pubkey.size, &key[mod_offset]);
1880 
1881 	/* Digest content of "buf" and verify its RSA signature in "sigblock"*/
1882 	nettle_mpz_init_set_str_256_u(signature, sigblock_len, (uint8_t*)sigblock);
1883 	switch (digest_size) {
1884 		case SHA1_DIGEST_SIZE:
1885 		{
1886 			uint8_t digest[SHA1_DIGEST_SIZE];
1887 			res = _digest_nettle(SHA1_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1888 						(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1889 			res &= rsa_sha1_verify_digest(&pubkey, digest, signature);
1890 			break;
1891 		}
1892 		case SHA256_DIGEST_SIZE:
1893 		{
1894 			uint8_t digest[SHA256_DIGEST_SIZE];
1895 			res = _digest_nettle(SHA256_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1896 						(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1897 			res &= rsa_sha256_verify_digest(&pubkey, digest, signature);
1898 			break;
1899 		}
1900 		case SHA512_DIGEST_SIZE:
1901 		{
1902 			uint8_t digest[SHA512_DIGEST_SIZE];
1903 			res = _digest_nettle(SHA512_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1904 						(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1905 			res &= rsa_sha512_verify_digest(&pubkey, digest, signature);
1906 			break;
1907 		}
1908 		default:
1909 			break;
1910 	}
1911 
1912 	/* Clear and return */
1913 	nettle_rsa_public_key_clear(&pubkey);
1914 	mpz_clear(signature);
1915 	if (!res) {
1916 		return "RSA signature verification failed";
1917 	} else {
1918 		return NULL;
1919 	}
1920 }
1921 
1922 #ifdef USE_ECDSA
1923 static char *
1924 _verify_nettle_ecdsa(sldns_buffer* buf, unsigned int digest_size, unsigned char* sigblock,
1925 	unsigned int sigblock_len, unsigned char* key, unsigned int keylen)
1926 {
1927 	int res = 0;
1928 	struct ecc_point pubkey;
1929 	struct dsa_signature signature;
1930 
1931 	/* Always matched strength, as per RFC 6605 sec. 1 */
1932 	if (sigblock_len != 2*digest_size || keylen != 2*digest_size) {
1933 		return "wrong ECDSA signature length";
1934 	}
1935 
1936 	/* Parse ECDSA signature as per RFC 6605 sec. 4 */
1937 	nettle_dsa_signature_init(&signature);
1938 	switch (digest_size) {
1939 		case SHA256_DIGEST_SIZE:
1940 		{
1941 			uint8_t digest[SHA256_DIGEST_SIZE];
1942 			mpz_t x, y;
1943 			nettle_ecc_point_init(&pubkey, nettle_get_secp_256r1());
1944 			nettle_mpz_init_set_str_256_u(x, SHA256_DIGEST_SIZE, key);
1945 			nettle_mpz_init_set_str_256_u(y, SHA256_DIGEST_SIZE, key+SHA256_DIGEST_SIZE);
1946 			nettle_mpz_set_str_256_u(signature.r, SHA256_DIGEST_SIZE, sigblock);
1947 			nettle_mpz_set_str_256_u(signature.s, SHA256_DIGEST_SIZE, sigblock+SHA256_DIGEST_SIZE);
1948 			res = _digest_nettle(SHA256_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1949 						(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1950 			res &= nettle_ecc_point_set(&pubkey, x, y);
1951 			res &= nettle_ecdsa_verify (&pubkey, SHA256_DIGEST_SIZE, digest, &signature);
1952 			mpz_clear(x);
1953 			mpz_clear(y);
1954 			nettle_ecc_point_clear(&pubkey);
1955 			break;
1956 		}
1957 		case SHA384_DIGEST_SIZE:
1958 		{
1959 			uint8_t digest[SHA384_DIGEST_SIZE];
1960 			mpz_t x, y;
1961 			nettle_ecc_point_init(&pubkey, nettle_get_secp_384r1());
1962 			nettle_mpz_init_set_str_256_u(x, SHA384_DIGEST_SIZE, key);
1963 			nettle_mpz_init_set_str_256_u(y, SHA384_DIGEST_SIZE, key+SHA384_DIGEST_SIZE);
1964 			nettle_mpz_set_str_256_u(signature.r, SHA384_DIGEST_SIZE, sigblock);
1965 			nettle_mpz_set_str_256_u(signature.s, SHA384_DIGEST_SIZE, sigblock+SHA384_DIGEST_SIZE);
1966 			res = _digest_nettle(SHA384_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1967 						(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1968 			res &= nettle_ecc_point_set(&pubkey, x, y);
1969 			res &= nettle_ecdsa_verify (&pubkey, SHA384_DIGEST_SIZE, digest, &signature);
1970 			mpz_clear(x);
1971 			mpz_clear(y);
1972 			nettle_ecc_point_clear(&pubkey);
1973 			break;
1974 		}
1975 		default:
1976 			return "unknown ECDSA algorithm";
1977 	}
1978 
1979 	/* Clear and return */
1980 	nettle_dsa_signature_clear(&signature);
1981 	if (!res)
1982 		return "ECDSA signature verification failed";
1983 	else
1984 		return NULL;
1985 }
1986 #endif
1987 
1988 #ifdef USE_ED25519
1989 static char *
1990 _verify_nettle_ed25519(sldns_buffer* buf, unsigned char* sigblock,
1991 	unsigned int sigblock_len, unsigned char* key, unsigned int keylen)
1992 {
1993 	int res = 0;
1994 
1995 	if(sigblock_len != ED25519_SIGNATURE_SIZE) {
1996 		return "wrong ED25519 signature length";
1997 	}
1998 	if(keylen != ED25519_KEY_SIZE) {
1999 		return "wrong ED25519 key length";
2000 	}
2001 
2002 	res = ed25519_sha512_verify((uint8_t*)key, sldns_buffer_limit(buf),
2003 		sldns_buffer_begin(buf), (uint8_t*)sigblock);
2004 
2005 	if (!res)
2006 		return "ED25519 signature verification failed";
2007 	else
2008 		return NULL;
2009 }
2010 #endif
2011 
2012 /**
2013  * Check a canonical sig+rrset and signature against a dnskey
2014  * @param buf: buffer with data to verify, the first rrsig part and the
2015  *	canonicalized rrset.
2016  * @param algo: DNSKEY algorithm.
2017  * @param sigblock: signature rdata field from RRSIG
2018  * @param sigblock_len: length of sigblock data.
2019  * @param key: public key data from DNSKEY RR.
2020  * @param keylen: length of keydata.
2021  * @param reason: bogus reason in more detail.
2022  * @return secure if verification succeeded, bogus on crypto failure,
2023  *	unchecked on format errors and alloc failures.
2024  */
2025 enum sec_status
2026 verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
2027 	unsigned int sigblock_len, unsigned char* key, unsigned int keylen,
2028 	char** reason)
2029 {
2030 	unsigned int digest_size = 0;
2031 
2032 	if (sigblock_len == 0 || keylen == 0) {
2033 		*reason = "null signature";
2034 		return sec_status_bogus;
2035 	}
2036 
2037 #ifndef USE_DSA
2038 	if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) &&(fake_dsa||fake_sha1))
2039 		return sec_status_secure;
2040 #endif
2041 #ifndef USE_SHA1
2042 	if(fake_sha1 && (algo == LDNS_DSA || algo == LDNS_DSA_NSEC3 || algo == LDNS_RSASHA1 || algo == LDNS_RSASHA1_NSEC3))
2043 		return sec_status_secure;
2044 #endif
2045 
2046 	switch(algo) {
2047 #if defined(USE_DSA) && defined(USE_SHA1)
2048 	case LDNS_DSA:
2049 	case LDNS_DSA_NSEC3:
2050 		*reason = _verify_nettle_dsa(buf, sigblock, sigblock_len, key, keylen);
2051 		if (*reason != NULL)
2052 			return sec_status_bogus;
2053 		else
2054 			return sec_status_secure;
2055 #endif /* USE_DSA */
2056 
2057 #ifdef USE_SHA1
2058 	case LDNS_RSASHA1:
2059 	case LDNS_RSASHA1_NSEC3:
2060 		digest_size = (digest_size ? digest_size : SHA1_DIGEST_SIZE);
2061 #endif
2062 		/* double fallthrough annotation to please gcc parser */
2063 		ATTR_FALLTHROUGH
2064 		/* fallthrough */
2065 #ifdef USE_SHA2
2066 		/* fallthrough */
2067 	case LDNS_RSASHA256:
2068 		digest_size = (digest_size ? digest_size : SHA256_DIGEST_SIZE);
2069 		ATTR_FALLTHROUGH
2070 		/* fallthrough */
2071 	case LDNS_RSASHA512:
2072 		digest_size = (digest_size ? digest_size : SHA512_DIGEST_SIZE);
2073 
2074 #endif
2075 		*reason = _verify_nettle_rsa(buf, digest_size, (char*)sigblock,
2076 						sigblock_len, key, keylen);
2077 		if (*reason != NULL)
2078 			return sec_status_bogus;
2079 		else
2080 			return sec_status_secure;
2081 
2082 #ifdef USE_ECDSA
2083 	case LDNS_ECDSAP256SHA256:
2084 		digest_size = (digest_size ? digest_size : SHA256_DIGEST_SIZE);
2085 		ATTR_FALLTHROUGH
2086 		/* fallthrough */
2087 	case LDNS_ECDSAP384SHA384:
2088 		digest_size = (digest_size ? digest_size : SHA384_DIGEST_SIZE);
2089 		*reason = _verify_nettle_ecdsa(buf, digest_size, sigblock,
2090 						sigblock_len, key, keylen);
2091 		if (*reason != NULL)
2092 			return sec_status_bogus;
2093 		else
2094 			return sec_status_secure;
2095 #endif
2096 #ifdef USE_ED25519
2097 	case LDNS_ED25519:
2098 		*reason = _verify_nettle_ed25519(buf, sigblock, sigblock_len,
2099 			key, keylen);
2100 		if (*reason != NULL)
2101 			return sec_status_bogus;
2102 		else
2103 			return sec_status_secure;
2104 #endif
2105 	case LDNS_RSAMD5:
2106 	case LDNS_ECC_GOST:
2107 	default:
2108 		*reason = "unable to verify signature, unknown algorithm";
2109 		return sec_status_bogus;
2110 	}
2111 }
2112 
2113 #endif /* HAVE_SSL or HAVE_NSS or HAVE_NETTLE */
2114