xref: /freebsd/contrib/unbound/validator/val_secalgo.c (revision 273c26a3c3bea87a241d6879abd4f991db180bf0)
1 /*
2  * validator/val_secalgo.c - validator security algorithm functions.
3  *
4  * Copyright (c) 2012, NLnet Labs. All rights reserved.
5  *
6  * This software is open source.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * Redistributions of source code must retain the above copyright notice,
13  * this list of conditions and the following disclaimer.
14  *
15  * Redistributions in binary form must reproduce the above copyright notice,
16  * this list of conditions and the following disclaimer in the documentation
17  * and/or other materials provided with the distribution.
18  *
19  * Neither the name of the NLNET LABS nor the names of its contributors may
20  * be used to endorse or promote products derived from this software without
21  * specific prior written permission.
22  *
23  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26  * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27  * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29  * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31  * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32  * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34  */
35 
36 /**
37  * \file
38  *
39  * This file contains helper functions for the validator module.
40  * These functions take raw data buffers, formatted for crypto verification,
41  * and do the library calls (for the crypto library in use).
42  */
43 #include "config.h"
44 /* packed_rrset on top to define enum types (forced by c99 standard) */
45 #include "util/data/packed_rrset.h"
46 #include "validator/val_secalgo.h"
47 #include "validator/val_nsec3.h"
48 #include "util/log.h"
49 #include "sldns/rrdef.h"
50 #include "sldns/keyraw.h"
51 #include "sldns/sbuffer.h"
52 
53 #if !defined(HAVE_SSL) && !defined(HAVE_NSS) && !defined(HAVE_NETTLE)
54 #error "Need crypto library to do digital signature cryptography"
55 #endif
56 
57 /* OpenSSL implementation */
58 #ifdef HAVE_SSL
59 #ifdef HAVE_OPENSSL_ERR_H
60 #include <openssl/err.h>
61 #endif
62 
63 #ifdef HAVE_OPENSSL_RAND_H
64 #include <openssl/rand.h>
65 #endif
66 
67 #ifdef HAVE_OPENSSL_CONF_H
68 #include <openssl/conf.h>
69 #endif
70 
71 #ifdef HAVE_OPENSSL_ENGINE_H
72 #include <openssl/engine.h>
73 #endif
74 
75 /* return size of digest if supported, or 0 otherwise */
76 size_t
77 nsec3_hash_algo_size_supported(int id)
78 {
79 	switch(id) {
80 	case NSEC3_HASH_SHA1:
81 		return SHA_DIGEST_LENGTH;
82 	default:
83 		return 0;
84 	}
85 }
86 
87 /* perform nsec3 hash. return false on failure */
88 int
89 secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
90         unsigned char* res)
91 {
92 	switch(algo) {
93 	case NSEC3_HASH_SHA1:
94 		(void)SHA1(buf, len, res);
95 		return 1;
96 	default:
97 		return 0;
98 	}
99 }
100 
101 void
102 secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res)
103 {
104 	(void)SHA256(buf, len, res);
105 }
106 
107 /**
108  * Return size of DS digest according to its hash algorithm.
109  * @param algo: DS digest algo.
110  * @return size in bytes of digest, or 0 if not supported.
111  */
112 size_t
113 ds_digest_size_supported(int algo)
114 {
115 	switch(algo) {
116 #ifdef HAVE_EVP_SHA1
117 		case LDNS_SHA1:
118 			return SHA_DIGEST_LENGTH;
119 #endif
120 #ifdef HAVE_EVP_SHA256
121 		case LDNS_SHA256:
122 			return SHA256_DIGEST_LENGTH;
123 #endif
124 #ifdef USE_GOST
125 		case LDNS_HASH_GOST:
126 			/* we support GOST if it can be loaded */
127 			(void)sldns_key_EVP_load_gost_id();
128 			if(EVP_get_digestbyname("md_gost94"))
129 				return 32;
130 			else	return 0;
131 #endif
132 #ifdef USE_ECDSA
133 		case LDNS_SHA384:
134 			return SHA384_DIGEST_LENGTH;
135 #endif
136 		default: break;
137 	}
138 	return 0;
139 }
140 
141 #ifdef USE_GOST
142 /** Perform GOST hash */
143 static int
144 do_gost94(unsigned char* data, size_t len, unsigned char* dest)
145 {
146 	const EVP_MD* md = EVP_get_digestbyname("md_gost94");
147 	if(!md)
148 		return 0;
149 	return sldns_digest_evp(data, (unsigned int)len, dest, md);
150 }
151 #endif
152 
153 int
154 secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
155 	unsigned char* res)
156 {
157 	switch(algo) {
158 #ifdef HAVE_EVP_SHA1
159 		case LDNS_SHA1:
160 			(void)SHA1(buf, len, res);
161 			return 1;
162 #endif
163 #ifdef HAVE_EVP_SHA256
164 		case LDNS_SHA256:
165 			(void)SHA256(buf, len, res);
166 			return 1;
167 #endif
168 #ifdef USE_GOST
169 		case LDNS_HASH_GOST:
170 			if(do_gost94(buf, len, res))
171 				return 1;
172 			break;
173 #endif
174 #ifdef USE_ECDSA
175 		case LDNS_SHA384:
176 			(void)SHA384(buf, len, res);
177 			return 1;
178 #endif
179 		default:
180 			verbose(VERB_QUERY, "unknown DS digest algorithm %d",
181 				algo);
182 			break;
183 	}
184 	return 0;
185 }
186 
187 /** return true if DNSKEY algorithm id is supported */
188 int
189 dnskey_algo_id_is_supported(int id)
190 {
191 	switch(id) {
192 	case LDNS_RSAMD5:
193 		/* RFC 6725 deprecates RSAMD5 */
194 		return 0;
195 #ifdef USE_DSA
196 	case LDNS_DSA:
197 	case LDNS_DSA_NSEC3:
198 #endif
199 	case LDNS_RSASHA1:
200 	case LDNS_RSASHA1_NSEC3:
201 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
202 	case LDNS_RSASHA256:
203 #endif
204 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
205 	case LDNS_RSASHA512:
206 #endif
207 #ifdef USE_ECDSA
208 	case LDNS_ECDSAP256SHA256:
209 	case LDNS_ECDSAP384SHA384:
210 #endif
211 		return 1;
212 #ifdef USE_GOST
213 	case LDNS_ECC_GOST:
214 		/* we support GOST if it can be loaded */
215 		return sldns_key_EVP_load_gost_id();
216 #endif
217 	default:
218 		return 0;
219 	}
220 }
221 
222 /**
223  * Output a libcrypto openssl error to the logfile.
224  * @param str: string to add to it.
225  * @param e: the error to output, error number from ERR_get_error().
226  */
227 static void
228 log_crypto_error(const char* str, unsigned long e)
229 {
230 	char buf[128];
231 	/* or use ERR_error_string if ERR_error_string_n is not avail TODO */
232 	ERR_error_string_n(e, buf, sizeof(buf));
233 	/* buf now contains */
234 	/* error:[error code]:[library name]:[function name]:[reason string] */
235 	log_err("%s crypto %s", str, buf);
236 }
237 
238 #ifdef USE_DSA
239 /**
240  * Setup DSA key digest in DER encoding ...
241  * @param sig: input is signature output alloced ptr (unless failure).
242  * 	caller must free alloced ptr if this routine returns true.
243  * @param len: input is initial siglen, output is output len.
244  * @return false on failure.
245  */
246 static int
247 setup_dsa_sig(unsigned char** sig, unsigned int* len)
248 {
249 	unsigned char* orig = *sig;
250 	unsigned int origlen = *len;
251 	int newlen;
252 	BIGNUM *R, *S;
253 	DSA_SIG *dsasig;
254 
255 	/* extract the R and S field from the sig buffer */
256 	if(origlen < 1 + 2*SHA_DIGEST_LENGTH)
257 		return 0;
258 	R = BN_new();
259 	if(!R) return 0;
260 	(void) BN_bin2bn(orig + 1, SHA_DIGEST_LENGTH, R);
261 	S = BN_new();
262 	if(!S) return 0;
263 	(void) BN_bin2bn(orig + 21, SHA_DIGEST_LENGTH, S);
264 	dsasig = DSA_SIG_new();
265 	if(!dsasig) return 0;
266 
267 	dsasig->r = R;
268 	dsasig->s = S;
269 	*sig = NULL;
270 	newlen = i2d_DSA_SIG(dsasig, sig);
271 	if(newlen < 0) {
272 		DSA_SIG_free(dsasig);
273 		free(*sig);
274 		return 0;
275 	}
276 	*len = (unsigned int)newlen;
277 	DSA_SIG_free(dsasig);
278 	return 1;
279 }
280 #endif /* USE_DSA */
281 
282 #ifdef USE_ECDSA
283 /**
284  * Setup the ECDSA signature in its encoding that the library wants.
285  * Converts from plain numbers to ASN formatted.
286  * @param sig: input is signature, output alloced ptr (unless failure).
287  * 	caller must free alloced ptr if this routine returns true.
288  * @param len: input is initial siglen, output is output len.
289  * @return false on failure.
290  */
291 static int
292 setup_ecdsa_sig(unsigned char** sig, unsigned int* len)
293 {
294         /* convert from two BIGNUMs in the rdata buffer, to ASN notation.
295 	 * ASN preable:  30440220 <R 32bytefor256> 0220 <S 32bytefor256>
296 	 * the '20' is the length of that field (=bnsize).
297 i	 * the '44' is the total remaining length.
298 	 * if negative, start with leading zero.
299 	 * if starts with 00s, remove them from the number.
300 	 */
301         uint8_t pre[] = {0x30, 0x44, 0x02, 0x20};
302         int pre_len = 4;
303         uint8_t mid[] = {0x02, 0x20};
304         int mid_len = 2;
305         int raw_sig_len, r_high, s_high, r_rem=0, s_rem=0;
306 	int bnsize = (int)((*len)/2);
307         unsigned char* d = *sig;
308 	uint8_t* p;
309 	/* if too short or not even length, fails */
310 	if(*len < 16 || bnsize*2 != (int)*len)
311 		return 0;
312 
313         /* strip leading zeroes from r (but not last one) */
314         while(r_rem < bnsize-1 && d[r_rem] == 0)
315                 r_rem++;
316         /* strip leading zeroes from s (but not last one) */
317         while(s_rem < bnsize-1 && d[bnsize+s_rem] == 0)
318                 s_rem++;
319 
320         r_high = ((d[0+r_rem]&0x80)?1:0);
321         s_high = ((d[bnsize+s_rem]&0x80)?1:0);
322         raw_sig_len = pre_len + r_high + bnsize - r_rem + mid_len +
323                 s_high + bnsize - s_rem;
324 	*sig = (unsigned char*)malloc((size_t)raw_sig_len);
325 	if(!*sig)
326 		return 0;
327 	p = (uint8_t*)*sig;
328 	p[0] = pre[0];
329 	p[1] = (uint8_t)(raw_sig_len-2);
330 	p[2] = pre[2];
331 	p[3] = (uint8_t)(bnsize + r_high - r_rem);
332 	p += 4;
333 	if(r_high) {
334 		*p = 0;
335 		p += 1;
336 	}
337 	memmove(p, d+r_rem, (size_t)bnsize-r_rem);
338 	p += bnsize-r_rem;
339 	memmove(p, mid, (size_t)mid_len-1);
340 	p += mid_len-1;
341 	*p = (uint8_t)(bnsize + s_high - s_rem);
342 	p += 1;
343         if(s_high) {
344 		*p = 0;
345 		p += 1;
346 	}
347 	memmove(p, d+bnsize+s_rem, (size_t)bnsize-s_rem);
348 	*len = (unsigned int)raw_sig_len;
349 	return 1;
350 }
351 #endif /* USE_ECDSA */
352 
353 #ifdef USE_ECDSA_EVP_WORKAROUND
354 static EVP_MD ecdsa_evp_256_md;
355 static EVP_MD ecdsa_evp_384_md;
356 void ecdsa_evp_workaround_init(void)
357 {
358 	/* openssl before 1.0.0 fixes RSA with the SHA256
359 	 * hash in EVP.  We create one for ecdsa_sha256 */
360 	ecdsa_evp_256_md = *EVP_sha256();
361 	ecdsa_evp_256_md.required_pkey_type[0] = EVP_PKEY_EC;
362 	ecdsa_evp_256_md.verify = (void*)ECDSA_verify;
363 
364 	ecdsa_evp_384_md = *EVP_sha384();
365 	ecdsa_evp_384_md.required_pkey_type[0] = EVP_PKEY_EC;
366 	ecdsa_evp_384_md.verify = (void*)ECDSA_verify;
367 }
368 #endif /* USE_ECDSA_EVP_WORKAROUND */
369 
370 /**
371  * Setup key and digest for verification. Adjust sig if necessary.
372  *
373  * @param algo: key algorithm
374  * @param evp_key: EVP PKEY public key to create.
375  * @param digest_type: digest type to use
376  * @param key: key to setup for.
377  * @param keylen: length of key.
378  * @return false on failure.
379  */
380 static int
381 setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type,
382 	unsigned char* key, size_t keylen)
383 {
384 #ifdef USE_DSA
385 	DSA* dsa;
386 #endif
387 	RSA* rsa;
388 
389 	switch(algo) {
390 #ifdef USE_DSA
391 		case LDNS_DSA:
392 		case LDNS_DSA_NSEC3:
393 			*evp_key = EVP_PKEY_new();
394 			if(!*evp_key) {
395 				log_err("verify: malloc failure in crypto");
396 				return 0;
397 			}
398 			dsa = sldns_key_buf2dsa_raw(key, keylen);
399 			if(!dsa) {
400 				verbose(VERB_QUERY, "verify: "
401 					"sldns_key_buf2dsa_raw failed");
402 				return 0;
403 			}
404 			if(EVP_PKEY_assign_DSA(*evp_key, dsa) == 0) {
405 				verbose(VERB_QUERY, "verify: "
406 					"EVP_PKEY_assign_DSA failed");
407 				return 0;
408 			}
409 			*digest_type = EVP_dss1();
410 
411 			break;
412 #endif /* USE_DSA */
413 		case LDNS_RSASHA1:
414 		case LDNS_RSASHA1_NSEC3:
415 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
416 		case LDNS_RSASHA256:
417 #endif
418 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
419 		case LDNS_RSASHA512:
420 #endif
421 			*evp_key = EVP_PKEY_new();
422 			if(!*evp_key) {
423 				log_err("verify: malloc failure in crypto");
424 				return 0;
425 			}
426 			rsa = sldns_key_buf2rsa_raw(key, keylen);
427 			if(!rsa) {
428 				verbose(VERB_QUERY, "verify: "
429 					"sldns_key_buf2rsa_raw SHA failed");
430 				return 0;
431 			}
432 			if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) {
433 				verbose(VERB_QUERY, "verify: "
434 					"EVP_PKEY_assign_RSA SHA failed");
435 				return 0;
436 			}
437 
438 			/* select SHA version */
439 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
440 			if(algo == LDNS_RSASHA256)
441 				*digest_type = EVP_sha256();
442 			else
443 #endif
444 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
445 				if(algo == LDNS_RSASHA512)
446 				*digest_type = EVP_sha512();
447 			else
448 #endif
449 				*digest_type = EVP_sha1();
450 
451 			break;
452 		case LDNS_RSAMD5:
453 			*evp_key = EVP_PKEY_new();
454 			if(!*evp_key) {
455 				log_err("verify: malloc failure in crypto");
456 				return 0;
457 			}
458 			rsa = sldns_key_buf2rsa_raw(key, keylen);
459 			if(!rsa) {
460 				verbose(VERB_QUERY, "verify: "
461 					"sldns_key_buf2rsa_raw MD5 failed");
462 				return 0;
463 			}
464 			if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) {
465 				verbose(VERB_QUERY, "verify: "
466 					"EVP_PKEY_assign_RSA MD5 failed");
467 				return 0;
468 			}
469 			*digest_type = EVP_md5();
470 
471 			break;
472 #ifdef USE_GOST
473 		case LDNS_ECC_GOST:
474 			*evp_key = sldns_gost2pkey_raw(key, keylen);
475 			if(!*evp_key) {
476 				verbose(VERB_QUERY, "verify: "
477 					"sldns_gost2pkey_raw failed");
478 				return 0;
479 			}
480 			*digest_type = EVP_get_digestbyname("md_gost94");
481 			if(!*digest_type) {
482 				verbose(VERB_QUERY, "verify: "
483 					"EVP_getdigest md_gost94 failed");
484 				return 0;
485 			}
486 			break;
487 #endif
488 #ifdef USE_ECDSA
489 		case LDNS_ECDSAP256SHA256:
490 			*evp_key = sldns_ecdsa2pkey_raw(key, keylen,
491 				LDNS_ECDSAP256SHA256);
492 			if(!*evp_key) {
493 				verbose(VERB_QUERY, "verify: "
494 					"sldns_ecdsa2pkey_raw failed");
495 				return 0;
496 			}
497 #ifdef USE_ECDSA_EVP_WORKAROUND
498 			*digest_type = &ecdsa_evp_256_md;
499 #else
500 			*digest_type = EVP_sha256();
501 #endif
502 			break;
503 		case LDNS_ECDSAP384SHA384:
504 			*evp_key = sldns_ecdsa2pkey_raw(key, keylen,
505 				LDNS_ECDSAP384SHA384);
506 			if(!*evp_key) {
507 				verbose(VERB_QUERY, "verify: "
508 					"sldns_ecdsa2pkey_raw failed");
509 				return 0;
510 			}
511 #ifdef USE_ECDSA_EVP_WORKAROUND
512 			*digest_type = &ecdsa_evp_384_md;
513 #else
514 			*digest_type = EVP_sha384();
515 #endif
516 			break;
517 #endif /* USE_ECDSA */
518 		default:
519 			verbose(VERB_QUERY, "verify: unknown algorithm %d",
520 				algo);
521 			return 0;
522 	}
523 	return 1;
524 }
525 
526 /**
527  * Check a canonical sig+rrset and signature against a dnskey
528  * @param buf: buffer with data to verify, the first rrsig part and the
529  *	canonicalized rrset.
530  * @param algo: DNSKEY algorithm.
531  * @param sigblock: signature rdata field from RRSIG
532  * @param sigblock_len: length of sigblock data.
533  * @param key: public key data from DNSKEY RR.
534  * @param keylen: length of keydata.
535  * @param reason: bogus reason in more detail.
536  * @return secure if verification succeeded, bogus on crypto failure,
537  *	unchecked on format errors and alloc failures.
538  */
539 enum sec_status
540 verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
541 	unsigned int sigblock_len, unsigned char* key, unsigned int keylen,
542 	char** reason)
543 {
544 	const EVP_MD *digest_type;
545 	EVP_MD_CTX* ctx;
546 	int res, dofree = 0, docrypto_free = 0;
547 	EVP_PKEY *evp_key = NULL;
548 
549 	if(!setup_key_digest(algo, &evp_key, &digest_type, key, keylen)) {
550 		verbose(VERB_QUERY, "verify: failed to setup key");
551 		*reason = "use of key for crypto failed";
552 		EVP_PKEY_free(evp_key);
553 		return sec_status_bogus;
554 	}
555 #ifdef USE_DSA
556 	/* if it is a DSA signature in bind format, convert to DER format */
557 	if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) &&
558 		sigblock_len == 1+2*SHA_DIGEST_LENGTH) {
559 		if(!setup_dsa_sig(&sigblock, &sigblock_len)) {
560 			verbose(VERB_QUERY, "verify: failed to setup DSA sig");
561 			*reason = "use of key for DSA crypto failed";
562 			EVP_PKEY_free(evp_key);
563 			return sec_status_bogus;
564 		}
565 		docrypto_free = 1;
566 	}
567 #endif
568 #if defined(USE_ECDSA) && defined(USE_DSA)
569 	else
570 #endif
571 #ifdef USE_ECDSA
572 	if(algo == LDNS_ECDSAP256SHA256 || algo == LDNS_ECDSAP384SHA384) {
573 		/* EVP uses ASN prefix on sig, which is not in the wire data */
574 		if(!setup_ecdsa_sig(&sigblock, &sigblock_len)) {
575 			verbose(VERB_QUERY, "verify: failed to setup ECDSA sig");
576 			*reason = "use of signature for ECDSA crypto failed";
577 			EVP_PKEY_free(evp_key);
578 			return sec_status_bogus;
579 		}
580 		dofree = 1;
581 	}
582 #endif /* USE_ECDSA */
583 
584 	/* do the signature cryptography work */
585 #ifdef HAVE_EVP_MD_CTX_NEW
586 	ctx = EVP_MD_CTX_new();
587 #else
588 	ctx = (EVP_MD_CTX*)malloc(sizeof(*ctx));
589 	if(ctx) EVP_MD_CTX_init(ctx);
590 #endif
591 	if(!ctx) {
592 		log_err("EVP_MD_CTX_new: malloc failure");
593 		EVP_PKEY_free(evp_key);
594 		if(dofree) free(sigblock);
595 		else if(docrypto_free) OPENSSL_free(sigblock);
596 		return sec_status_unchecked;
597 	}
598 	if(EVP_VerifyInit(ctx, digest_type) == 0) {
599 		verbose(VERB_QUERY, "verify: EVP_VerifyInit failed");
600 		EVP_MD_CTX_destroy(ctx);
601 		EVP_PKEY_free(evp_key);
602 		if(dofree) free(sigblock);
603 		else if(docrypto_free) OPENSSL_free(sigblock);
604 		return sec_status_unchecked;
605 	}
606 	if(EVP_VerifyUpdate(ctx, (unsigned char*)sldns_buffer_begin(buf),
607 		(unsigned int)sldns_buffer_limit(buf)) == 0) {
608 		verbose(VERB_QUERY, "verify: EVP_VerifyUpdate failed");
609 		EVP_MD_CTX_destroy(ctx);
610 		EVP_PKEY_free(evp_key);
611 		if(dofree) free(sigblock);
612 		else if(docrypto_free) OPENSSL_free(sigblock);
613 		return sec_status_unchecked;
614 	}
615 
616 	res = EVP_VerifyFinal(ctx, sigblock, sigblock_len, evp_key);
617 #ifdef HAVE_EVP_MD_CTX_NEW
618 	EVP_MD_CTX_destroy(ctx);
619 #else
620 	EVP_MD_CTX_cleanup(ctx);
621 	free(ctx);
622 #endif
623 	EVP_PKEY_free(evp_key);
624 
625 	if(dofree) free(sigblock);
626 	else if(docrypto_free) OPENSSL_free(sigblock);
627 
628 	if(res == 1) {
629 		return sec_status_secure;
630 	} else if(res == 0) {
631 		verbose(VERB_QUERY, "verify: signature mismatch");
632 		*reason = "signature crypto failed";
633 		return sec_status_bogus;
634 	}
635 
636 	log_crypto_error("verify:", ERR_get_error());
637 	return sec_status_unchecked;
638 }
639 
640 /**************************************************/
641 #elif defined(HAVE_NSS)
642 /* libnss implementation */
643 /* nss3 */
644 #include "sechash.h"
645 #include "pk11pub.h"
646 #include "keyhi.h"
647 #include "secerr.h"
648 #include "cryptohi.h"
649 /* nspr4 */
650 #include "prerror.h"
651 
652 /* return size of digest if supported, or 0 otherwise */
653 size_t
654 nsec3_hash_algo_size_supported(int id)
655 {
656 	switch(id) {
657 	case NSEC3_HASH_SHA1:
658 		return SHA1_LENGTH;
659 	default:
660 		return 0;
661 	}
662 }
663 
664 /* perform nsec3 hash. return false on failure */
665 int
666 secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
667         unsigned char* res)
668 {
669 	switch(algo) {
670 	case NSEC3_HASH_SHA1:
671 		(void)HASH_HashBuf(HASH_AlgSHA1, res, buf, (unsigned long)len);
672 		return 1;
673 	default:
674 		return 0;
675 	}
676 }
677 
678 void
679 secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res)
680 {
681 	(void)HASH_HashBuf(HASH_AlgSHA256, res, buf, (unsigned long)len);
682 }
683 
684 size_t
685 ds_digest_size_supported(int algo)
686 {
687 	/* uses libNSS */
688 	switch(algo) {
689 		case LDNS_SHA1:
690 			return SHA1_LENGTH;
691 #ifdef USE_SHA2
692 		case LDNS_SHA256:
693 			return SHA256_LENGTH;
694 #endif
695 #ifdef USE_ECDSA
696 		case LDNS_SHA384:
697 			return SHA384_LENGTH;
698 #endif
699 		/* GOST not supported in NSS */
700 		case LDNS_HASH_GOST:
701 		default: break;
702 	}
703 	return 0;
704 }
705 
706 int
707 secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
708 	unsigned char* res)
709 {
710 	/* uses libNSS */
711 	switch(algo) {
712 		case LDNS_SHA1:
713 			return HASH_HashBuf(HASH_AlgSHA1, res, buf, len)
714 				== SECSuccess;
715 #if defined(USE_SHA2)
716 		case LDNS_SHA256:
717 			return HASH_HashBuf(HASH_AlgSHA256, res, buf, len)
718 				== SECSuccess;
719 #endif
720 #ifdef USE_ECDSA
721 		case LDNS_SHA384:
722 			return HASH_HashBuf(HASH_AlgSHA384, res, buf, len)
723 				== SECSuccess;
724 #endif
725 		case LDNS_HASH_GOST:
726 		default:
727 			verbose(VERB_QUERY, "unknown DS digest algorithm %d",
728 				algo);
729 			break;
730 	}
731 	return 0;
732 }
733 
734 int
735 dnskey_algo_id_is_supported(int id)
736 {
737 	/* uses libNSS */
738 	switch(id) {
739 	case LDNS_RSAMD5:
740 		/* RFC 6725 deprecates RSAMD5 */
741 		return 0;
742 #ifdef USE_DSA
743 	case LDNS_DSA:
744 	case LDNS_DSA_NSEC3:
745 #endif
746 	case LDNS_RSASHA1:
747 	case LDNS_RSASHA1_NSEC3:
748 #ifdef USE_SHA2
749 	case LDNS_RSASHA256:
750 #endif
751 #ifdef USE_SHA2
752 	case LDNS_RSASHA512:
753 #endif
754 		return 1;
755 #ifdef USE_ECDSA
756 	case LDNS_ECDSAP256SHA256:
757 	case LDNS_ECDSAP384SHA384:
758 		return PK11_TokenExists(CKM_ECDSA);
759 #endif
760 	case LDNS_ECC_GOST:
761 	default:
762 		return 0;
763 	}
764 }
765 
766 /* return a new public key for NSS */
767 static SECKEYPublicKey* nss_key_create(KeyType ktype)
768 {
769 	SECKEYPublicKey* key;
770 	PLArenaPool* arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
771 	if(!arena) {
772 		log_err("out of memory, PORT_NewArena failed");
773 		return NULL;
774 	}
775 	key = PORT_ArenaZNew(arena, SECKEYPublicKey);
776 	if(!key) {
777 		log_err("out of memory, PORT_ArenaZNew failed");
778 		PORT_FreeArena(arena, PR_FALSE);
779 		return NULL;
780 	}
781 	key->arena = arena;
782 	key->keyType = ktype;
783 	key->pkcs11Slot = NULL;
784 	key->pkcs11ID = CK_INVALID_HANDLE;
785 	return key;
786 }
787 
788 static SECKEYPublicKey* nss_buf2ecdsa(unsigned char* key, size_t len, int algo)
789 {
790 	SECKEYPublicKey* pk;
791 	SECItem pub = {siBuffer, NULL, 0};
792 	SECItem params = {siBuffer, NULL, 0};
793 	static unsigned char param256[] = {
794 		/* OBJECTIDENTIFIER 1.2.840.10045.3.1.7 (P-256)
795 		 * {iso(1) member-body(2) us(840) ansi-x962(10045) curves(3) prime(1) prime256v1(7)} */
796 		0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07
797 	};
798 	static unsigned char param384[] = {
799 		/* OBJECTIDENTIFIER 1.3.132.0.34 (P-384)
800 		 * {iso(1) identified-organization(3) certicom(132) curve(0) ansip384r1(34)} */
801 		0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22
802 	};
803 	unsigned char buf[256+2]; /* sufficient for 2*384/8+1 */
804 
805 	/* check length, which uncompressed must be 2 bignums */
806 	if(algo == LDNS_ECDSAP256SHA256) {
807 		if(len != 2*256/8) return NULL;
808 		/* ECCurve_X9_62_PRIME_256V1 */
809 	} else if(algo == LDNS_ECDSAP384SHA384) {
810 		if(len != 2*384/8) return NULL;
811 		/* ECCurve_X9_62_PRIME_384R1 */
812 	} else    return NULL;
813 
814 	buf[0] = 0x04; /* POINT_FORM_UNCOMPRESSED */
815 	memmove(buf+1, key, len);
816 	pub.data = buf;
817 	pub.len = len+1;
818 	if(algo == LDNS_ECDSAP256SHA256) {
819 		params.data = param256;
820 		params.len = sizeof(param256);
821 	} else {
822 		params.data = param384;
823 		params.len = sizeof(param384);
824 	}
825 
826 	pk = nss_key_create(ecKey);
827 	if(!pk)
828 		return NULL;
829 	pk->u.ec.size = (len/2)*8;
830 	if(SECITEM_CopyItem(pk->arena, &pk->u.ec.publicValue, &pub)) {
831 		SECKEY_DestroyPublicKey(pk);
832 		return NULL;
833 	}
834 	if(SECITEM_CopyItem(pk->arena, &pk->u.ec.DEREncodedParams, &params)) {
835 		SECKEY_DestroyPublicKey(pk);
836 		return NULL;
837 	}
838 
839 	return pk;
840 }
841 
842 static SECKEYPublicKey* nss_buf2dsa(unsigned char* key, size_t len)
843 {
844 	SECKEYPublicKey* pk;
845 	uint8_t T;
846 	uint16_t length;
847 	uint16_t offset;
848 	SECItem Q = {siBuffer, NULL, 0};
849 	SECItem P = {siBuffer, NULL, 0};
850 	SECItem G = {siBuffer, NULL, 0};
851 	SECItem Y = {siBuffer, NULL, 0};
852 
853 	if(len == 0)
854 		return NULL;
855 	T = (uint8_t)key[0];
856 	length = (64 + T * 8);
857 	offset = 1;
858 
859 	if (T > 8) {
860 		return NULL;
861 	}
862 	if(len < (size_t)1 + SHA1_LENGTH + 3*length)
863 		return NULL;
864 
865 	Q.data = key+offset;
866 	Q.len = SHA1_LENGTH;
867 	offset += SHA1_LENGTH;
868 
869 	P.data = key+offset;
870 	P.len = length;
871 	offset += length;
872 
873 	G.data = key+offset;
874 	G.len = length;
875 	offset += length;
876 
877 	Y.data = key+offset;
878 	Y.len = length;
879 	offset += length;
880 
881 	pk = nss_key_create(dsaKey);
882 	if(!pk)
883 		return NULL;
884 	if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.prime, &P)) {
885 		SECKEY_DestroyPublicKey(pk);
886 		return NULL;
887 	}
888 	if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.subPrime, &Q)) {
889 		SECKEY_DestroyPublicKey(pk);
890 		return NULL;
891 	}
892 	if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.base, &G)) {
893 		SECKEY_DestroyPublicKey(pk);
894 		return NULL;
895 	}
896 	if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.publicValue, &Y)) {
897 		SECKEY_DestroyPublicKey(pk);
898 		return NULL;
899 	}
900 	return pk;
901 }
902 
903 static SECKEYPublicKey* nss_buf2rsa(unsigned char* key, size_t len)
904 {
905 	SECKEYPublicKey* pk;
906 	uint16_t exp;
907 	uint16_t offset;
908 	uint16_t int16;
909 	SECItem modulus = {siBuffer, NULL, 0};
910 	SECItem exponent = {siBuffer, NULL, 0};
911 	if(len == 0)
912 		return NULL;
913 	if(key[0] == 0) {
914 		if(len < 3)
915 			return NULL;
916 		/* the exponent is too large so it's places further */
917 		memmove(&int16, key+1, 2);
918 		exp = ntohs(int16);
919 		offset = 3;
920 	} else {
921 		exp = key[0];
922 		offset = 1;
923 	}
924 
925 	/* key length at least one */
926 	if(len < (size_t)offset + exp + 1)
927 		return NULL;
928 
929 	exponent.data = key+offset;
930 	exponent.len = exp;
931 	offset += exp;
932 	modulus.data = key+offset;
933 	modulus.len = (len - offset);
934 
935 	pk = nss_key_create(rsaKey);
936 	if(!pk)
937 		return NULL;
938 	if(SECITEM_CopyItem(pk->arena, &pk->u.rsa.modulus, &modulus)) {
939 		SECKEY_DestroyPublicKey(pk);
940 		return NULL;
941 	}
942 	if(SECITEM_CopyItem(pk->arena, &pk->u.rsa.publicExponent, &exponent)) {
943 		SECKEY_DestroyPublicKey(pk);
944 		return NULL;
945 	}
946 	return pk;
947 }
948 
949 /**
950  * Setup key and digest for verification. Adjust sig if necessary.
951  *
952  * @param algo: key algorithm
953  * @param evp_key: EVP PKEY public key to create.
954  * @param digest_type: digest type to use
955  * @param key: key to setup for.
956  * @param keylen: length of key.
957  * @param prefix: if returned, the ASN prefix for the hashblob.
958  * @param prefixlen: length of the prefix.
959  * @return false on failure.
960  */
961 static int
962 nss_setup_key_digest(int algo, SECKEYPublicKey** pubkey, HASH_HashType* htype,
963 	unsigned char* key, size_t keylen, unsigned char** prefix,
964 	size_t* prefixlen)
965 {
966 	/* uses libNSS */
967 
968 	/* hash prefix for md5, RFC2537 */
969 	static unsigned char p_md5[] = {0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a,
970 	0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 0x04, 0x10};
971 	/* hash prefix to prepend to hash output, from RFC3110 */
972 	static unsigned char p_sha1[] = {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B,
973 		0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14};
974 	/* from RFC5702 */
975 	static unsigned char p_sha256[] = {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60,
976 	0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20};
977 	static unsigned char p_sha512[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60,
978 	0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40};
979 	/* from RFC6234 */
980 	/* for future RSASHA384 ..
981 	static unsigned char p_sha384[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60,
982 	0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30};
983 	*/
984 
985 	switch(algo) {
986 #ifdef USE_DSA
987 		case LDNS_DSA:
988 		case LDNS_DSA_NSEC3:
989 			*pubkey = nss_buf2dsa(key, keylen);
990 			if(!*pubkey) {
991 				log_err("verify: malloc failure in crypto");
992 				return 0;
993 			}
994 			*htype = HASH_AlgSHA1;
995 			/* no prefix for DSA verification */
996 			break;
997 #endif
998 		case LDNS_RSASHA1:
999 		case LDNS_RSASHA1_NSEC3:
1000 #ifdef USE_SHA2
1001 		case LDNS_RSASHA256:
1002 #endif
1003 #ifdef USE_SHA2
1004 		case LDNS_RSASHA512:
1005 #endif
1006 			*pubkey = nss_buf2rsa(key, keylen);
1007 			if(!*pubkey) {
1008 				log_err("verify: malloc failure in crypto");
1009 				return 0;
1010 			}
1011 			/* select SHA version */
1012 #ifdef USE_SHA2
1013 			if(algo == LDNS_RSASHA256) {
1014 				*htype = HASH_AlgSHA256;
1015 				*prefix = p_sha256;
1016 				*prefixlen = sizeof(p_sha256);
1017 			} else
1018 #endif
1019 #ifdef USE_SHA2
1020 				if(algo == LDNS_RSASHA512) {
1021 				*htype = HASH_AlgSHA512;
1022 				*prefix = p_sha512;
1023 				*prefixlen = sizeof(p_sha512);
1024 			} else
1025 #endif
1026 			{
1027 				*htype = HASH_AlgSHA1;
1028 				*prefix = p_sha1;
1029 				*prefixlen = sizeof(p_sha1);
1030 			}
1031 
1032 			break;
1033 		case LDNS_RSAMD5:
1034 			*pubkey = nss_buf2rsa(key, keylen);
1035 			if(!*pubkey) {
1036 				log_err("verify: malloc failure in crypto");
1037 				return 0;
1038 			}
1039 			*htype = HASH_AlgMD5;
1040 			*prefix = p_md5;
1041 			*prefixlen = sizeof(p_md5);
1042 
1043 			break;
1044 #ifdef USE_ECDSA
1045 		case LDNS_ECDSAP256SHA256:
1046 			*pubkey = nss_buf2ecdsa(key, keylen,
1047 				LDNS_ECDSAP256SHA256);
1048 			if(!*pubkey) {
1049 				log_err("verify: malloc failure in crypto");
1050 				return 0;
1051 			}
1052 			*htype = HASH_AlgSHA256;
1053 			/* no prefix for DSA verification */
1054 			break;
1055 		case LDNS_ECDSAP384SHA384:
1056 			*pubkey = nss_buf2ecdsa(key, keylen,
1057 				LDNS_ECDSAP384SHA384);
1058 			if(!*pubkey) {
1059 				log_err("verify: malloc failure in crypto");
1060 				return 0;
1061 			}
1062 			*htype = HASH_AlgSHA384;
1063 			/* no prefix for DSA verification */
1064 			break;
1065 #endif /* USE_ECDSA */
1066 		case LDNS_ECC_GOST:
1067 		default:
1068 			verbose(VERB_QUERY, "verify: unknown algorithm %d",
1069 				algo);
1070 			return 0;
1071 	}
1072 	return 1;
1073 }
1074 
1075 /**
1076  * Check a canonical sig+rrset and signature against a dnskey
1077  * @param buf: buffer with data to verify, the first rrsig part and the
1078  *	canonicalized rrset.
1079  * @param algo: DNSKEY algorithm.
1080  * @param sigblock: signature rdata field from RRSIG
1081  * @param sigblock_len: length of sigblock data.
1082  * @param key: public key data from DNSKEY RR.
1083  * @param keylen: length of keydata.
1084  * @param reason: bogus reason in more detail.
1085  * @return secure if verification succeeded, bogus on crypto failure,
1086  *	unchecked on format errors and alloc failures.
1087  */
1088 enum sec_status
1089 verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
1090 	unsigned int sigblock_len, unsigned char* key, unsigned int keylen,
1091 	char** reason)
1092 {
1093 	/* uses libNSS */
1094 	/* large enough for the different hashes */
1095 	unsigned char hash[HASH_LENGTH_MAX];
1096 	unsigned char hash2[HASH_LENGTH_MAX*2];
1097 	HASH_HashType htype = 0;
1098 	SECKEYPublicKey* pubkey = NULL;
1099 	SECItem secsig = {siBuffer, sigblock, sigblock_len};
1100 	SECItem sechash = {siBuffer, hash, 0};
1101 	SECStatus res;
1102 	unsigned char* prefix = NULL; /* prefix for hash, RFC3110, RFC5702 */
1103 	size_t prefixlen = 0;
1104 	int err;
1105 
1106 	if(!nss_setup_key_digest(algo, &pubkey, &htype, key, keylen,
1107 		&prefix, &prefixlen)) {
1108 		verbose(VERB_QUERY, "verify: failed to setup key");
1109 		*reason = "use of key for crypto failed";
1110 		SECKEY_DestroyPublicKey(pubkey);
1111 		return sec_status_bogus;
1112 	}
1113 
1114 #ifdef USE_DSA
1115 	/* need to convert DSA, ECDSA signatures? */
1116 	if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3)) {
1117 		if(sigblock_len == 1+2*SHA1_LENGTH) {
1118 			secsig.data ++;
1119 			secsig.len --;
1120 		} else {
1121 			SECItem* p = DSAU_DecodeDerSig(&secsig);
1122 			if(!p) {
1123 				verbose(VERB_QUERY, "verify: failed DER decode");
1124 				*reason = "signature DER decode failed";
1125 				SECKEY_DestroyPublicKey(pubkey);
1126 				return sec_status_bogus;
1127 			}
1128 			if(SECITEM_CopyItem(pubkey->arena, &secsig, p)) {
1129 				log_err("alloc failure in DER decode");
1130 				SECKEY_DestroyPublicKey(pubkey);
1131 				SECITEM_FreeItem(p, PR_TRUE);
1132 				return sec_status_unchecked;
1133 			}
1134 			SECITEM_FreeItem(p, PR_TRUE);
1135 		}
1136 	}
1137 #endif /* USE_DSA */
1138 
1139 	/* do the signature cryptography work */
1140 	/* hash the data */
1141 	sechash.len = HASH_ResultLen(htype);
1142 	if(sechash.len > sizeof(hash)) {
1143 		verbose(VERB_QUERY, "verify: hash too large for buffer");
1144 		SECKEY_DestroyPublicKey(pubkey);
1145 		return sec_status_unchecked;
1146 	}
1147 	if(HASH_HashBuf(htype, hash, (unsigned char*)sldns_buffer_begin(buf),
1148 		(unsigned int)sldns_buffer_limit(buf)) != SECSuccess) {
1149 		verbose(VERB_QUERY, "verify: HASH_HashBuf failed");
1150 		SECKEY_DestroyPublicKey(pubkey);
1151 		return sec_status_unchecked;
1152 	}
1153 	if(prefix) {
1154 		int hashlen = sechash.len;
1155 		if(prefixlen+hashlen > sizeof(hash2)) {
1156 			verbose(VERB_QUERY, "verify: hashprefix too large");
1157 			SECKEY_DestroyPublicKey(pubkey);
1158 			return sec_status_unchecked;
1159 		}
1160 		sechash.data = hash2;
1161 		sechash.len = prefixlen+hashlen;
1162 		memcpy(sechash.data, prefix, prefixlen);
1163 		memmove(sechash.data+prefixlen, hash, hashlen);
1164 	}
1165 
1166 	/* verify the signature */
1167 	res = PK11_Verify(pubkey, &secsig, &sechash, NULL /*wincx*/);
1168 	SECKEY_DestroyPublicKey(pubkey);
1169 
1170 	if(res == SECSuccess) {
1171 		return sec_status_secure;
1172 	}
1173 	err = PORT_GetError();
1174 	if(err != SEC_ERROR_BAD_SIGNATURE) {
1175 		/* failed to verify */
1176 		verbose(VERB_QUERY, "verify: PK11_Verify failed: %s",
1177 			PORT_ErrorToString(err));
1178 		/* if it is not supported, like ECC is removed, we get,
1179 		 * SEC_ERROR_NO_MODULE */
1180 		if(err == SEC_ERROR_NO_MODULE)
1181 			return sec_status_unchecked;
1182 		/* but other errors are commonly returned
1183 		 * for a bad signature from NSS.  Thus we return bogus,
1184 		 * not unchecked */
1185 		*reason = "signature crypto failed";
1186 		return sec_status_bogus;
1187 	}
1188 	verbose(VERB_QUERY, "verify: signature mismatch: %s",
1189 		PORT_ErrorToString(err));
1190 	*reason = "signature crypto failed";
1191 	return sec_status_bogus;
1192 }
1193 
1194 #elif defined(HAVE_NETTLE)
1195 
1196 #include "sha.h"
1197 #include "bignum.h"
1198 #include "macros.h"
1199 #include "rsa.h"
1200 #include "dsa.h"
1201 #ifdef HAVE_NETTLE_DSA_COMPAT_H
1202 #include "dsa-compat.h"
1203 #endif
1204 #include "asn1.h"
1205 #ifdef USE_ECDSA
1206 #include "ecdsa.h"
1207 #include "ecc-curve.h"
1208 #endif
1209 
1210 static int
1211 _digest_nettle(int algo, uint8_t* buf, size_t len,
1212 	unsigned char* res)
1213 {
1214 	switch(algo) {
1215 		case SHA1_DIGEST_SIZE:
1216 		{
1217 			struct sha1_ctx ctx;
1218 			sha1_init(&ctx);
1219 			sha1_update(&ctx, len, buf);
1220 			sha1_digest(&ctx, SHA1_DIGEST_SIZE, res);
1221 			return 1;
1222 		}
1223 		case SHA256_DIGEST_SIZE:
1224 		{
1225 			struct sha256_ctx ctx;
1226 			sha256_init(&ctx);
1227 			sha256_update(&ctx, len, buf);
1228 			sha256_digest(&ctx, SHA256_DIGEST_SIZE, res);
1229 			return 1;
1230 		}
1231 		case SHA384_DIGEST_SIZE:
1232 		{
1233 			struct sha384_ctx ctx;
1234 			sha384_init(&ctx);
1235 			sha384_update(&ctx, len, buf);
1236 			sha384_digest(&ctx, SHA384_DIGEST_SIZE, res);
1237 			return 1;
1238 		}
1239 		case SHA512_DIGEST_SIZE:
1240 		{
1241 			struct sha512_ctx ctx;
1242 			sha512_init(&ctx);
1243 			sha512_update(&ctx, len, buf);
1244 			sha512_digest(&ctx, SHA512_DIGEST_SIZE, res);
1245 			return 1;
1246 		}
1247 		default:
1248 			break;
1249 	}
1250 	return 0;
1251 }
1252 
1253 /* return size of digest if supported, or 0 otherwise */
1254 size_t
1255 nsec3_hash_algo_size_supported(int id)
1256 {
1257 	switch(id) {
1258 	case NSEC3_HASH_SHA1:
1259 		return SHA1_DIGEST_SIZE;
1260 	default:
1261 		return 0;
1262 	}
1263 }
1264 
1265 /* perform nsec3 hash. return false on failure */
1266 int
1267 secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
1268         unsigned char* res)
1269 {
1270 	switch(algo) {
1271 	case NSEC3_HASH_SHA1:
1272 		return _digest_nettle(SHA1_DIGEST_SIZE, (uint8_t*)buf, len,
1273 			res);
1274 	default:
1275 		return 0;
1276 	}
1277 }
1278 
1279 void
1280 secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res)
1281 {
1282 	_digest_nettle(SHA256_DIGEST_SIZE, (uint8_t*)buf, len, res);
1283 }
1284 
1285 /**
1286  * Return size of DS digest according to its hash algorithm.
1287  * @param algo: DS digest algo.
1288  * @return size in bytes of digest, or 0 if not supported.
1289  */
1290 size_t
1291 ds_digest_size_supported(int algo)
1292 {
1293 	switch(algo) {
1294 		case LDNS_SHA1:
1295 			return SHA1_DIGEST_SIZE;
1296 #ifdef USE_SHA2
1297 		case LDNS_SHA256:
1298 			return SHA256_DIGEST_SIZE;
1299 #endif
1300 #ifdef USE_ECDSA
1301 		case LDNS_SHA384:
1302 			return SHA384_DIGEST_SIZE;
1303 #endif
1304 		/* GOST not supported */
1305 		case LDNS_HASH_GOST:
1306 		default:
1307 			break;
1308 	}
1309 	return 0;
1310 }
1311 
1312 int
1313 secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
1314 	unsigned char* res)
1315 {
1316 	switch(algo) {
1317 		case LDNS_SHA1:
1318 			return _digest_nettle(SHA1_DIGEST_SIZE, buf, len, res);
1319 #if defined(USE_SHA2)
1320 		case LDNS_SHA256:
1321 			return _digest_nettle(SHA256_DIGEST_SIZE, buf, len, res);
1322 #endif
1323 #ifdef USE_ECDSA
1324 		case LDNS_SHA384:
1325 			return _digest_nettle(SHA384_DIGEST_SIZE, buf, len, res);
1326 
1327 #endif
1328 		case LDNS_HASH_GOST:
1329 		default:
1330 			verbose(VERB_QUERY, "unknown DS digest algorithm %d",
1331 				algo);
1332 			break;
1333 	}
1334 	return 0;
1335 }
1336 
1337 int
1338 dnskey_algo_id_is_supported(int id)
1339 {
1340 	/* uses libnettle */
1341 	switch(id) {
1342 #ifdef USE_DSA
1343 	case LDNS_DSA:
1344 	case LDNS_DSA_NSEC3:
1345 #endif
1346 	case LDNS_RSASHA1:
1347 	case LDNS_RSASHA1_NSEC3:
1348 #ifdef USE_SHA2
1349 	case LDNS_RSASHA256:
1350 	case LDNS_RSASHA512:
1351 #endif
1352 #ifdef USE_ECDSA
1353 	case LDNS_ECDSAP256SHA256:
1354 	case LDNS_ECDSAP384SHA384:
1355 #endif
1356 		return 1;
1357 	case LDNS_RSAMD5: /* RFC 6725 deprecates RSAMD5 */
1358 	case LDNS_ECC_GOST:
1359 	default:
1360 		return 0;
1361 	}
1362 }
1363 
1364 #ifdef USE_DSA
1365 static char *
1366 _verify_nettle_dsa(sldns_buffer* buf, unsigned char* sigblock,
1367 	unsigned int sigblock_len, unsigned char* key, unsigned int keylen)
1368 {
1369 	uint8_t digest[SHA1_DIGEST_SIZE];
1370 	uint8_t key_t;
1371 	int res = 0;
1372 	size_t offset;
1373 	struct dsa_public_key pubkey;
1374 	struct dsa_signature signature;
1375 	unsigned int expected_len;
1376 
1377 	/* Extract DSA signature from the record */
1378 	nettle_dsa_signature_init(&signature);
1379 	/* Signature length: 41 bytes - RFC 2536 sec. 3 */
1380 	if(sigblock_len == 41) {
1381 		if(key[0] != sigblock[0])
1382 			return "invalid T value in DSA signature or pubkey";
1383 		nettle_mpz_set_str_256_u(signature.r, 20, sigblock+1);
1384 		nettle_mpz_set_str_256_u(signature.s, 20, sigblock+1+20);
1385 	} else {
1386 		/* DER encoded, decode the ASN1 notated R and S bignums */
1387 		/* SEQUENCE { r INTEGER, s INTEGER } */
1388 		struct asn1_der_iterator i, seq;
1389 		if(asn1_der_iterator_first(&i, sigblock_len,
1390 			(uint8_t*)sigblock) != ASN1_ITERATOR_CONSTRUCTED
1391 			|| i.type != ASN1_SEQUENCE)
1392 			return "malformed DER encoded DSA signature";
1393 		/* decode this element of i using the seq iterator */
1394 		if(asn1_der_decode_constructed(&i, &seq) !=
1395 			ASN1_ITERATOR_PRIMITIVE || seq.type != ASN1_INTEGER)
1396 			return "malformed DER encoded DSA signature";
1397 		if(!asn1_der_get_bignum(&seq, signature.r, 20*8))
1398 			return "malformed DER encoded DSA signature";
1399 		if(asn1_der_iterator_next(&seq) != ASN1_ITERATOR_PRIMITIVE
1400 			|| seq.type != ASN1_INTEGER)
1401 			return "malformed DER encoded DSA signature";
1402 		if(!asn1_der_get_bignum(&seq, signature.s, 20*8))
1403 			return "malformed DER encoded DSA signature";
1404 		if(asn1_der_iterator_next(&i) != ASN1_ITERATOR_END)
1405 			return "malformed DER encoded DSA signature";
1406 	}
1407 
1408 	/* Validate T values constraints - RFC 2536 sec. 2 & sec. 3 */
1409 	key_t = key[0];
1410 	if (key_t > 8) {
1411 		return "invalid T value in DSA pubkey";
1412 	}
1413 
1414 	/* Pubkey minimum length: 21 bytes - RFC 2536 sec. 2 */
1415 	if (keylen < 21) {
1416 		return "DSA pubkey too short";
1417 	}
1418 
1419 	expected_len =   1 +		/* T */
1420 		        20 +		/* Q */
1421 		       (64 + key_t*8) +	/* P */
1422 		       (64 + key_t*8) +	/* G */
1423 		       (64 + key_t*8);	/* Y */
1424 	if (keylen != expected_len ) {
1425 		return "invalid DSA pubkey length";
1426 	}
1427 
1428 	/* Extract DSA pubkey from the record */
1429 	nettle_dsa_public_key_init(&pubkey);
1430 	offset = 1;
1431 	nettle_mpz_set_str_256_u(pubkey.q, 20, key+offset);
1432 	offset += 20;
1433 	nettle_mpz_set_str_256_u(pubkey.p, (64 + key_t*8), key+offset);
1434 	offset += (64 + key_t*8);
1435 	nettle_mpz_set_str_256_u(pubkey.g, (64 + key_t*8), key+offset);
1436 	offset += (64 + key_t*8);
1437 	nettle_mpz_set_str_256_u(pubkey.y, (64 + key_t*8), key+offset);
1438 
1439 	/* Digest content of "buf" and verify its DSA signature in "sigblock"*/
1440 	res = _digest_nettle(SHA1_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1441 						(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1442 	res &= dsa_sha1_verify_digest(&pubkey, digest, &signature);
1443 
1444 	/* Clear and return */
1445 	nettle_dsa_signature_clear(&signature);
1446 	nettle_dsa_public_key_clear(&pubkey);
1447 	if (!res)
1448 		return "DSA signature verification failed";
1449 	else
1450 		return NULL;
1451 }
1452 #endif /* USE_DSA */
1453 
1454 static char *
1455 _verify_nettle_rsa(sldns_buffer* buf, unsigned int digest_size, char* sigblock,
1456 	unsigned int sigblock_len, uint8_t* key, unsigned int keylen)
1457 {
1458 	uint16_t exp_len = 0;
1459 	size_t exp_offset = 0, mod_offset = 0;
1460 	struct rsa_public_key pubkey;
1461 	mpz_t signature;
1462 	int res = 0;
1463 
1464 	/* RSA pubkey parsing as per RFC 3110 sec. 2 */
1465 	if( keylen <= 1) {
1466 		return "null RSA key";
1467 	}
1468 	if (key[0] != 0) {
1469 		/* 1-byte length */
1470 		exp_len = key[0];
1471 		exp_offset = 1;
1472 	} else {
1473 		/* 1-byte NUL + 2-bytes exponent length */
1474 		if (keylen < 3) {
1475 			return "incorrect RSA key length";
1476 		}
1477 		exp_len = READ_UINT16(key+1);
1478 		if (exp_len == 0)
1479 			return "null RSA exponent length";
1480 		exp_offset = 3;
1481 	}
1482 	/* Check that we are not over-running input length */
1483 	if (keylen < exp_offset + exp_len + 1) {
1484 		return "RSA key content shorter than expected";
1485 	}
1486 	mod_offset = exp_offset + exp_len;
1487 	nettle_rsa_public_key_init(&pubkey);
1488 	pubkey.size = keylen - mod_offset;
1489 	nettle_mpz_set_str_256_u(pubkey.e, exp_len, &key[exp_offset]);
1490 	nettle_mpz_set_str_256_u(pubkey.n, pubkey.size, &key[mod_offset]);
1491 
1492 	/* Digest content of "buf" and verify its RSA signature in "sigblock"*/
1493 	nettle_mpz_init_set_str_256_u(signature, sigblock_len, (uint8_t*)sigblock);
1494 	switch (digest_size) {
1495 		case SHA1_DIGEST_SIZE:
1496 		{
1497 			uint8_t digest[SHA1_DIGEST_SIZE];
1498 			res = _digest_nettle(SHA1_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1499 						(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1500 			res &= rsa_sha1_verify_digest(&pubkey, digest, signature);
1501 			break;
1502 		}
1503 		case SHA256_DIGEST_SIZE:
1504 		{
1505 			uint8_t digest[SHA256_DIGEST_SIZE];
1506 			res = _digest_nettle(SHA256_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1507 						(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1508 			res &= rsa_sha256_verify_digest(&pubkey, digest, signature);
1509 			break;
1510 		}
1511 		case SHA512_DIGEST_SIZE:
1512 		{
1513 			uint8_t digest[SHA512_DIGEST_SIZE];
1514 			res = _digest_nettle(SHA512_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1515 						(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1516 			res &= rsa_sha512_verify_digest(&pubkey, digest, signature);
1517 			break;
1518 		}
1519 		default:
1520 			break;
1521 	}
1522 
1523 	/* Clear and return */
1524 	nettle_rsa_public_key_clear(&pubkey);
1525 	mpz_clear(signature);
1526 	if (!res) {
1527 		return "RSA signature verification failed";
1528 	} else {
1529 		return NULL;
1530 	}
1531 }
1532 
1533 #ifdef USE_ECDSA
1534 static char *
1535 _verify_nettle_ecdsa(sldns_buffer* buf, unsigned int digest_size, unsigned char* sigblock,
1536 	unsigned int sigblock_len, unsigned char* key, unsigned int keylen)
1537 {
1538 	int res = 0;
1539 	struct ecc_point pubkey;
1540 	struct dsa_signature signature;
1541 
1542 	/* Always matched strength, as per RFC 6605 sec. 1 */
1543 	if (sigblock_len != 2*digest_size || keylen != 2*digest_size) {
1544 		return "wrong ECDSA signature length";
1545 	}
1546 
1547 	/* Parse ECDSA signature as per RFC 6605 sec. 4 */
1548 	nettle_dsa_signature_init(&signature);
1549 	switch (digest_size) {
1550 		case SHA256_DIGEST_SIZE:
1551 		{
1552 			uint8_t digest[SHA256_DIGEST_SIZE];
1553 			mpz_t x, y;
1554 			nettle_ecc_point_init(&pubkey, &nettle_secp_256r1);
1555 			nettle_mpz_init_set_str_256_u(x, SHA256_DIGEST_SIZE, key);
1556 			nettle_mpz_init_set_str_256_u(y, SHA256_DIGEST_SIZE, key+SHA256_DIGEST_SIZE);
1557 			nettle_mpz_set_str_256_u(signature.r, SHA256_DIGEST_SIZE, sigblock);
1558 			nettle_mpz_set_str_256_u(signature.s, SHA256_DIGEST_SIZE, sigblock+SHA256_DIGEST_SIZE);
1559 			res = _digest_nettle(SHA256_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1560 						(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1561 			res &= nettle_ecc_point_set(&pubkey, x, y);
1562 			res &= nettle_ecdsa_verify (&pubkey, SHA256_DIGEST_SIZE, digest, &signature);
1563 			mpz_clear(x);
1564 			mpz_clear(y);
1565 			break;
1566 		}
1567 		case SHA384_DIGEST_SIZE:
1568 		{
1569 			uint8_t digest[SHA384_DIGEST_SIZE];
1570 			mpz_t x, y;
1571 			nettle_ecc_point_init(&pubkey, &nettle_secp_384r1);
1572 			nettle_mpz_init_set_str_256_u(x, SHA384_DIGEST_SIZE, key);
1573 			nettle_mpz_init_set_str_256_u(y, SHA384_DIGEST_SIZE, key+SHA384_DIGEST_SIZE);
1574 			nettle_mpz_set_str_256_u(signature.r, SHA384_DIGEST_SIZE, sigblock);
1575 			nettle_mpz_set_str_256_u(signature.s, SHA384_DIGEST_SIZE, sigblock+SHA384_DIGEST_SIZE);
1576 			res = _digest_nettle(SHA384_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1577 						(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1578 			res &= nettle_ecc_point_set(&pubkey, x, y);
1579 			res &= nettle_ecdsa_verify (&pubkey, SHA384_DIGEST_SIZE, digest, &signature);
1580 			mpz_clear(x);
1581 			mpz_clear(y);
1582 			nettle_ecc_point_clear(&pubkey);
1583 			break;
1584 		}
1585 		default:
1586 			return "unknown ECDSA algorithm";
1587 	}
1588 
1589 	/* Clear and return */
1590 	nettle_dsa_signature_clear(&signature);
1591 	if (!res)
1592 		return "ECDSA signature verification failed";
1593 	else
1594 		return NULL;
1595 }
1596 #endif
1597 
1598 /**
1599  * Check a canonical sig+rrset and signature against a dnskey
1600  * @param buf: buffer with data to verify, the first rrsig part and the
1601  *	canonicalized rrset.
1602  * @param algo: DNSKEY algorithm.
1603  * @param sigblock: signature rdata field from RRSIG
1604  * @param sigblock_len: length of sigblock data.
1605  * @param key: public key data from DNSKEY RR.
1606  * @param keylen: length of keydata.
1607  * @param reason: bogus reason in more detail.
1608  * @return secure if verification succeeded, bogus on crypto failure,
1609  *	unchecked on format errors and alloc failures.
1610  */
1611 enum sec_status
1612 verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
1613 	unsigned int sigblock_len, unsigned char* key, unsigned int keylen,
1614 	char** reason)
1615 {
1616 	unsigned int digest_size = 0;
1617 
1618 	if (sigblock_len == 0 || keylen == 0) {
1619 		*reason = "null signature";
1620 		return sec_status_bogus;
1621 	}
1622 
1623 	switch(algo) {
1624 #ifdef USE_DSA
1625 	case LDNS_DSA:
1626 	case LDNS_DSA_NSEC3:
1627 		*reason = _verify_nettle_dsa(buf, sigblock, sigblock_len, key, keylen);
1628 		if (*reason != NULL)
1629 			return sec_status_bogus;
1630 		else
1631 			return sec_status_secure;
1632 #endif /* USE_DSA */
1633 
1634 	case LDNS_RSASHA1:
1635 	case LDNS_RSASHA1_NSEC3:
1636 		digest_size = (digest_size ? digest_size : SHA1_DIGEST_SIZE);
1637 #ifdef USE_SHA2
1638 	case LDNS_RSASHA256:
1639 		digest_size = (digest_size ? digest_size : SHA256_DIGEST_SIZE);
1640 	case LDNS_RSASHA512:
1641 		digest_size = (digest_size ? digest_size : SHA512_DIGEST_SIZE);
1642 
1643 #endif
1644 		*reason = _verify_nettle_rsa(buf, digest_size, (char*)sigblock,
1645 						sigblock_len, key, keylen);
1646 		if (*reason != NULL)
1647 			return sec_status_bogus;
1648 		else
1649 			return sec_status_secure;
1650 
1651 #ifdef USE_ECDSA
1652 	case LDNS_ECDSAP256SHA256:
1653 		digest_size = (digest_size ? digest_size : SHA256_DIGEST_SIZE);
1654 	case LDNS_ECDSAP384SHA384:
1655 		digest_size = (digest_size ? digest_size : SHA384_DIGEST_SIZE);
1656 		*reason = _verify_nettle_ecdsa(buf, digest_size, sigblock,
1657 						sigblock_len, key, keylen);
1658 		if (*reason != NULL)
1659 			return sec_status_bogus;
1660 		else
1661 			return sec_status_secure;
1662 #endif
1663 	case LDNS_RSAMD5:
1664 	case LDNS_ECC_GOST:
1665 	default:
1666 		*reason = "unable to verify signature, unknown algorithm";
1667 		return sec_status_bogus;
1668 	}
1669 }
1670 
1671 #endif /* HAVE_SSL or HAVE_NSS or HAVE_NETTLE */
1672