xref: /freebsd/contrib/unbound/validator/val_secalgo.c (revision 4f0a4502a1f33fef287ac558c98e5ef99a32216f)
1 /*
2  * validator/val_secalgo.c - validator security algorithm functions.
3  *
4  * Copyright (c) 2012, NLnet Labs. All rights reserved.
5  *
6  * This software is open source.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * Redistributions of source code must retain the above copyright notice,
13  * this list of conditions and the following disclaimer.
14  *
15  * Redistributions in binary form must reproduce the above copyright notice,
16  * this list of conditions and the following disclaimer in the documentation
17  * and/or other materials provided with the distribution.
18  *
19  * Neither the name of the NLNET LABS nor the names of its contributors may
20  * be used to endorse or promote products derived from this software without
21  * specific prior written permission.
22  *
23  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26  * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27  * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29  * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31  * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32  * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34  */
35 
36 /**
37  * \file
38  *
39  * This file contains helper functions for the validator module.
40  * These functions take raw data buffers, formatted for crypto verification,
41  * and do the library calls (for the crypto library in use).
42  */
43 #include "config.h"
44 /* packed_rrset on top to define enum types (forced by c99 standard) */
45 #include "util/data/packed_rrset.h"
46 #include "validator/val_secalgo.h"
47 #include "validator/val_nsec3.h"
48 #include "util/log.h"
49 #include "sldns/rrdef.h"
50 #include "sldns/keyraw.h"
51 #include "sldns/sbuffer.h"
52 
53 #if !defined(HAVE_SSL) && !defined(HAVE_NSS) && !defined(HAVE_NETTLE)
54 #error "Need crypto library to do digital signature cryptography"
55 #endif
56 
57 /* OpenSSL implementation */
58 #ifdef HAVE_SSL
59 #ifdef HAVE_OPENSSL_ERR_H
60 #include <openssl/err.h>
61 #endif
62 
63 #ifdef HAVE_OPENSSL_RAND_H
64 #include <openssl/rand.h>
65 #endif
66 
67 #ifdef HAVE_OPENSSL_CONF_H
68 #include <openssl/conf.h>
69 #endif
70 
71 #ifdef HAVE_OPENSSL_ENGINE_H
72 #include <openssl/engine.h>
73 #endif
74 
75 /* return size of digest if supported, or 0 otherwise */
76 size_t
77 nsec3_hash_algo_size_supported(int id)
78 {
79 	switch(id) {
80 	case NSEC3_HASH_SHA1:
81 		return SHA_DIGEST_LENGTH;
82 	default:
83 		return 0;
84 	}
85 }
86 
87 /* perform nsec3 hash. return false on failure */
88 int
89 secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
90         unsigned char* res)
91 {
92 	switch(algo) {
93 	case NSEC3_HASH_SHA1:
94 		(void)SHA1(buf, len, res);
95 		return 1;
96 	default:
97 		return 0;
98 	}
99 }
100 
101 /**
102  * Return size of DS digest according to its hash algorithm.
103  * @param algo: DS digest algo.
104  * @return size in bytes of digest, or 0 if not supported.
105  */
106 size_t
107 ds_digest_size_supported(int algo)
108 {
109 	switch(algo) {
110 #ifdef HAVE_EVP_SHA1
111 		case LDNS_SHA1:
112 			return SHA_DIGEST_LENGTH;
113 #endif
114 #ifdef HAVE_EVP_SHA256
115 		case LDNS_SHA256:
116 			return SHA256_DIGEST_LENGTH;
117 #endif
118 #ifdef USE_GOST
119 		case LDNS_HASH_GOST:
120 			if(EVP_get_digestbyname("md_gost94"))
121 				return 32;
122 			else	return 0;
123 #endif
124 #ifdef USE_ECDSA
125 		case LDNS_SHA384:
126 			return SHA384_DIGEST_LENGTH;
127 #endif
128 		default: break;
129 	}
130 	return 0;
131 }
132 
133 #ifdef USE_GOST
134 /** Perform GOST hash */
135 static int
136 do_gost94(unsigned char* data, size_t len, unsigned char* dest)
137 {
138 	const EVP_MD* md = EVP_get_digestbyname("md_gost94");
139 	if(!md)
140 		return 0;
141 	return sldns_digest_evp(data, (unsigned int)len, dest, md);
142 }
143 #endif
144 
145 int
146 secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
147 	unsigned char* res)
148 {
149 	switch(algo) {
150 #ifdef HAVE_EVP_SHA1
151 		case LDNS_SHA1:
152 			(void)SHA1(buf, len, res);
153 			return 1;
154 #endif
155 #ifdef HAVE_EVP_SHA256
156 		case LDNS_SHA256:
157 			(void)SHA256(buf, len, res);
158 			return 1;
159 #endif
160 #ifdef USE_GOST
161 		case LDNS_HASH_GOST:
162 			if(do_gost94(buf, len, res))
163 				return 1;
164 			break;
165 #endif
166 #ifdef USE_ECDSA
167 		case LDNS_SHA384:
168 			(void)SHA384(buf, len, res);
169 			return 1;
170 #endif
171 		default:
172 			verbose(VERB_QUERY, "unknown DS digest algorithm %d",
173 				algo);
174 			break;
175 	}
176 	return 0;
177 }
178 
179 /** return true if DNSKEY algorithm id is supported */
180 int
181 dnskey_algo_id_is_supported(int id)
182 {
183 	switch(id) {
184 	case LDNS_RSAMD5:
185 		/* RFC 6725 deprecates RSAMD5 */
186 		return 0;
187 	case LDNS_DSA:
188 	case LDNS_DSA_NSEC3:
189 	case LDNS_RSASHA1:
190 	case LDNS_RSASHA1_NSEC3:
191 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
192 	case LDNS_RSASHA256:
193 #endif
194 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
195 	case LDNS_RSASHA512:
196 #endif
197 #ifdef USE_ECDSA
198 	case LDNS_ECDSAP256SHA256:
199 	case LDNS_ECDSAP384SHA384:
200 #endif
201 		return 1;
202 #ifdef USE_GOST
203 	case LDNS_ECC_GOST:
204 		/* we support GOST if it can be loaded */
205 		return sldns_key_EVP_load_gost_id();
206 #endif
207 	default:
208 		return 0;
209 	}
210 }
211 
212 /**
213  * Output a libcrypto openssl error to the logfile.
214  * @param str: string to add to it.
215  * @param e: the error to output, error number from ERR_get_error().
216  */
217 static void
218 log_crypto_error(const char* str, unsigned long e)
219 {
220 	char buf[128];
221 	/* or use ERR_error_string if ERR_error_string_n is not avail TODO */
222 	ERR_error_string_n(e, buf, sizeof(buf));
223 	/* buf now contains */
224 	/* error:[error code]:[library name]:[function name]:[reason string] */
225 	log_err("%s crypto %s", str, buf);
226 }
227 
228 /**
229  * Setup DSA key digest in DER encoding ...
230  * @param sig: input is signature output alloced ptr (unless failure).
231  * 	caller must free alloced ptr if this routine returns true.
232  * @param len: input is initial siglen, output is output len.
233  * @return false on failure.
234  */
235 static int
236 setup_dsa_sig(unsigned char** sig, unsigned int* len)
237 {
238 	unsigned char* orig = *sig;
239 	unsigned int origlen = *len;
240 	int newlen;
241 	BIGNUM *R, *S;
242 	DSA_SIG *dsasig;
243 
244 	/* extract the R and S field from the sig buffer */
245 	if(origlen < 1 + 2*SHA_DIGEST_LENGTH)
246 		return 0;
247 	R = BN_new();
248 	if(!R) return 0;
249 	(void) BN_bin2bn(orig + 1, SHA_DIGEST_LENGTH, R);
250 	S = BN_new();
251 	if(!S) return 0;
252 	(void) BN_bin2bn(orig + 21, SHA_DIGEST_LENGTH, S);
253 	dsasig = DSA_SIG_new();
254 	if(!dsasig) return 0;
255 
256 	dsasig->r = R;
257 	dsasig->s = S;
258 	*sig = NULL;
259 	newlen = i2d_DSA_SIG(dsasig, sig);
260 	if(newlen < 0) {
261 		DSA_SIG_free(dsasig);
262 		free(*sig);
263 		return 0;
264 	}
265 	*len = (unsigned int)newlen;
266 	DSA_SIG_free(dsasig);
267 	return 1;
268 }
269 
270 #ifdef USE_ECDSA
271 /**
272  * Setup the ECDSA signature in its encoding that the library wants.
273  * Converts from plain numbers to ASN formatted.
274  * @param sig: input is signature, output alloced ptr (unless failure).
275  * 	caller must free alloced ptr if this routine returns true.
276  * @param len: input is initial siglen, output is output len.
277  * @return false on failure.
278  */
279 static int
280 setup_ecdsa_sig(unsigned char** sig, unsigned int* len)
281 {
282 	ECDSA_SIG* ecdsa_sig;
283 	int newlen;
284 	int bnsize = (int)((*len)/2);
285 	/* if too short or not even length, fails */
286 	if(*len < 16 || bnsize*2 != (int)*len)
287 		return 0;
288 	/* use the raw data to parse two evenly long BIGNUMs, "r | s". */
289 	ecdsa_sig = ECDSA_SIG_new();
290 	if(!ecdsa_sig) return 0;
291 	ecdsa_sig->r = BN_bin2bn(*sig, bnsize, ecdsa_sig->r);
292 	ecdsa_sig->s = BN_bin2bn(*sig+bnsize, bnsize, ecdsa_sig->s);
293 	if(!ecdsa_sig->r || !ecdsa_sig->s) {
294 		ECDSA_SIG_free(ecdsa_sig);
295 		return 0;
296 	}
297 
298 	/* spool it into ASN format */
299 	*sig = NULL;
300 	newlen = i2d_ECDSA_SIG(ecdsa_sig, sig);
301 	if(newlen <= 0) {
302 		ECDSA_SIG_free(ecdsa_sig);
303 		free(*sig);
304 		return 0;
305 	}
306 	*len = (unsigned int)newlen;
307 	ECDSA_SIG_free(ecdsa_sig);
308 	return 1;
309 }
310 #endif /* USE_ECDSA */
311 
312 /**
313  * Setup key and digest for verification. Adjust sig if necessary.
314  *
315  * @param algo: key algorithm
316  * @param evp_key: EVP PKEY public key to create.
317  * @param digest_type: digest type to use
318  * @param key: key to setup for.
319  * @param keylen: length of key.
320  * @return false on failure.
321  */
322 static int
323 setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type,
324 	unsigned char* key, size_t keylen)
325 {
326 	DSA* dsa;
327 	RSA* rsa;
328 
329 	switch(algo) {
330 		case LDNS_DSA:
331 		case LDNS_DSA_NSEC3:
332 			*evp_key = EVP_PKEY_new();
333 			if(!*evp_key) {
334 				log_err("verify: malloc failure in crypto");
335 				return 0;
336 			}
337 			dsa = sldns_key_buf2dsa_raw(key, keylen);
338 			if(!dsa) {
339 				verbose(VERB_QUERY, "verify: "
340 					"sldns_key_buf2dsa_raw failed");
341 				return 0;
342 			}
343 			if(EVP_PKEY_assign_DSA(*evp_key, dsa) == 0) {
344 				verbose(VERB_QUERY, "verify: "
345 					"EVP_PKEY_assign_DSA failed");
346 				return 0;
347 			}
348 			*digest_type = EVP_dss1();
349 
350 			break;
351 		case LDNS_RSASHA1:
352 		case LDNS_RSASHA1_NSEC3:
353 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
354 		case LDNS_RSASHA256:
355 #endif
356 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
357 		case LDNS_RSASHA512:
358 #endif
359 			*evp_key = EVP_PKEY_new();
360 			if(!*evp_key) {
361 				log_err("verify: malloc failure in crypto");
362 				return 0;
363 			}
364 			rsa = sldns_key_buf2rsa_raw(key, keylen);
365 			if(!rsa) {
366 				verbose(VERB_QUERY, "verify: "
367 					"sldns_key_buf2rsa_raw SHA failed");
368 				return 0;
369 			}
370 			if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) {
371 				verbose(VERB_QUERY, "verify: "
372 					"EVP_PKEY_assign_RSA SHA failed");
373 				return 0;
374 			}
375 
376 			/* select SHA version */
377 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
378 			if(algo == LDNS_RSASHA256)
379 				*digest_type = EVP_sha256();
380 			else
381 #endif
382 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
383 				if(algo == LDNS_RSASHA512)
384 				*digest_type = EVP_sha512();
385 			else
386 #endif
387 				*digest_type = EVP_sha1();
388 
389 			break;
390 		case LDNS_RSAMD5:
391 			*evp_key = EVP_PKEY_new();
392 			if(!*evp_key) {
393 				log_err("verify: malloc failure in crypto");
394 				return 0;
395 			}
396 			rsa = sldns_key_buf2rsa_raw(key, keylen);
397 			if(!rsa) {
398 				verbose(VERB_QUERY, "verify: "
399 					"sldns_key_buf2rsa_raw MD5 failed");
400 				return 0;
401 			}
402 			if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) {
403 				verbose(VERB_QUERY, "verify: "
404 					"EVP_PKEY_assign_RSA MD5 failed");
405 				return 0;
406 			}
407 			*digest_type = EVP_md5();
408 
409 			break;
410 #ifdef USE_GOST
411 		case LDNS_ECC_GOST:
412 			*evp_key = sldns_gost2pkey_raw(key, keylen);
413 			if(!*evp_key) {
414 				verbose(VERB_QUERY, "verify: "
415 					"sldns_gost2pkey_raw failed");
416 				return 0;
417 			}
418 			*digest_type = EVP_get_digestbyname("md_gost94");
419 			if(!*digest_type) {
420 				verbose(VERB_QUERY, "verify: "
421 					"EVP_getdigest md_gost94 failed");
422 				return 0;
423 			}
424 			break;
425 #endif
426 #ifdef USE_ECDSA
427 		case LDNS_ECDSAP256SHA256:
428 			*evp_key = sldns_ecdsa2pkey_raw(key, keylen,
429 				LDNS_ECDSAP256SHA256);
430 			if(!*evp_key) {
431 				verbose(VERB_QUERY, "verify: "
432 					"sldns_ecdsa2pkey_raw failed");
433 				return 0;
434 			}
435 #ifdef USE_ECDSA_EVP_WORKAROUND
436 			/* openssl before 1.0.0 fixes RSA with the SHA256
437 			 * hash in EVP.  We create one for ecdsa_sha256 */
438 			{
439 				static int md_ecdsa_256_done = 0;
440 				static EVP_MD md;
441 				if(!md_ecdsa_256_done) {
442 					EVP_MD m = *EVP_sha256();
443 					md_ecdsa_256_done = 1;
444 					m.required_pkey_type[0] = (*evp_key)->type;
445 					m.verify = (void*)ECDSA_verify;
446 					md = m;
447 				}
448 				*digest_type = &md;
449 			}
450 #else
451 			*digest_type = EVP_sha256();
452 #endif
453 			break;
454 		case LDNS_ECDSAP384SHA384:
455 			*evp_key = sldns_ecdsa2pkey_raw(key, keylen,
456 				LDNS_ECDSAP384SHA384);
457 			if(!*evp_key) {
458 				verbose(VERB_QUERY, "verify: "
459 					"sldns_ecdsa2pkey_raw failed");
460 				return 0;
461 			}
462 #ifdef USE_ECDSA_EVP_WORKAROUND
463 			/* openssl before 1.0.0 fixes RSA with the SHA384
464 			 * hash in EVP.  We create one for ecdsa_sha384 */
465 			{
466 				static int md_ecdsa_384_done = 0;
467 				static EVP_MD md;
468 				if(!md_ecdsa_384_done) {
469 					EVP_MD m = *EVP_sha384();
470 					md_ecdsa_384_done = 1;
471 					m.required_pkey_type[0] = (*evp_key)->type;
472 					m.verify = (void*)ECDSA_verify;
473 					md = m;
474 				}
475 				*digest_type = &md;
476 			}
477 #else
478 			*digest_type = EVP_sha384();
479 #endif
480 			break;
481 #endif /* USE_ECDSA */
482 		default:
483 			verbose(VERB_QUERY, "verify: unknown algorithm %d",
484 				algo);
485 			return 0;
486 	}
487 	return 1;
488 }
489 
490 /**
491  * Check a canonical sig+rrset and signature against a dnskey
492  * @param buf: buffer with data to verify, the first rrsig part and the
493  *	canonicalized rrset.
494  * @param algo: DNSKEY algorithm.
495  * @param sigblock: signature rdata field from RRSIG
496  * @param sigblock_len: length of sigblock data.
497  * @param key: public key data from DNSKEY RR.
498  * @param keylen: length of keydata.
499  * @param reason: bogus reason in more detail.
500  * @return secure if verification succeeded, bogus on crypto failure,
501  *	unchecked on format errors and alloc failures.
502  */
503 enum sec_status
504 verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
505 	unsigned int sigblock_len, unsigned char* key, unsigned int keylen,
506 	char** reason)
507 {
508 	const EVP_MD *digest_type;
509 	EVP_MD_CTX ctx;
510 	int res, dofree = 0;
511 	EVP_PKEY *evp_key = NULL;
512 
513 	if(!setup_key_digest(algo, &evp_key, &digest_type, key, keylen)) {
514 		verbose(VERB_QUERY, "verify: failed to setup key");
515 		*reason = "use of key for crypto failed";
516 		EVP_PKEY_free(evp_key);
517 		return sec_status_bogus;
518 	}
519 	/* if it is a DSA signature in bind format, convert to DER format */
520 	if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) &&
521 		sigblock_len == 1+2*SHA_DIGEST_LENGTH) {
522 		if(!setup_dsa_sig(&sigblock, &sigblock_len)) {
523 			verbose(VERB_QUERY, "verify: failed to setup DSA sig");
524 			*reason = "use of key for DSA crypto failed";
525 			EVP_PKEY_free(evp_key);
526 			return sec_status_bogus;
527 		}
528 		dofree = 1;
529 	}
530 #ifdef USE_ECDSA
531 	else if(algo == LDNS_ECDSAP256SHA256 || algo == LDNS_ECDSAP384SHA384) {
532 		/* EVP uses ASN prefix on sig, which is not in the wire data */
533 		if(!setup_ecdsa_sig(&sigblock, &sigblock_len)) {
534 			verbose(VERB_QUERY, "verify: failed to setup ECDSA sig");
535 			*reason = "use of signature for ECDSA crypto failed";
536 			EVP_PKEY_free(evp_key);
537 			return sec_status_bogus;
538 		}
539 		dofree = 1;
540 	}
541 #endif /* USE_ECDSA */
542 
543 	/* do the signature cryptography work */
544 	EVP_MD_CTX_init(&ctx);
545 	if(EVP_VerifyInit(&ctx, digest_type) == 0) {
546 		verbose(VERB_QUERY, "verify: EVP_VerifyInit failed");
547 		EVP_PKEY_free(evp_key);
548 		if(dofree) free(sigblock);
549 		return sec_status_unchecked;
550 	}
551 	if(EVP_VerifyUpdate(&ctx, (unsigned char*)sldns_buffer_begin(buf),
552 		(unsigned int)sldns_buffer_limit(buf)) == 0) {
553 		verbose(VERB_QUERY, "verify: EVP_VerifyUpdate failed");
554 		EVP_PKEY_free(evp_key);
555 		if(dofree) free(sigblock);
556 		return sec_status_unchecked;
557 	}
558 
559 	res = EVP_VerifyFinal(&ctx, sigblock, sigblock_len, evp_key);
560 	if(EVP_MD_CTX_cleanup(&ctx) == 0) {
561 		verbose(VERB_QUERY, "verify: EVP_MD_CTX_cleanup failed");
562 		EVP_PKEY_free(evp_key);
563 		if(dofree) free(sigblock);
564 		return sec_status_unchecked;
565 	}
566 	EVP_PKEY_free(evp_key);
567 
568 	if(dofree)
569 		free(sigblock);
570 
571 	if(res == 1) {
572 		return sec_status_secure;
573 	} else if(res == 0) {
574 		verbose(VERB_QUERY, "verify: signature mismatch");
575 		*reason = "signature crypto failed";
576 		return sec_status_bogus;
577 	}
578 
579 	log_crypto_error("verify:", ERR_get_error());
580 	return sec_status_unchecked;
581 }
582 
583 /**************************************************/
584 #elif defined(HAVE_NSS)
585 /* libnss implementation */
586 /* nss3 */
587 #include "sechash.h"
588 #include "pk11pub.h"
589 #include "keyhi.h"
590 #include "secerr.h"
591 #include "cryptohi.h"
592 /* nspr4 */
593 #include "prerror.h"
594 
595 /* return size of digest if supported, or 0 otherwise */
596 size_t
597 nsec3_hash_algo_size_supported(int id)
598 {
599 	switch(id) {
600 	case NSEC3_HASH_SHA1:
601 		return SHA1_LENGTH;
602 	default:
603 		return 0;
604 	}
605 }
606 
607 /* perform nsec3 hash. return false on failure */
608 int
609 secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
610         unsigned char* res)
611 {
612 	switch(algo) {
613 	case NSEC3_HASH_SHA1:
614 		(void)HASH_HashBuf(HASH_AlgSHA1, res, buf, (unsigned long)len);
615 		return 1;
616 	default:
617 		return 0;
618 	}
619 }
620 
621 size_t
622 ds_digest_size_supported(int algo)
623 {
624 	/* uses libNSS */
625 	switch(algo) {
626 		case LDNS_SHA1:
627 			return SHA1_LENGTH;
628 #ifdef USE_SHA2
629 		case LDNS_SHA256:
630 			return SHA256_LENGTH;
631 #endif
632 #ifdef USE_ECDSA
633 		case LDNS_SHA384:
634 			return SHA384_LENGTH;
635 #endif
636 		/* GOST not supported in NSS */
637 		case LDNS_HASH_GOST:
638 		default: break;
639 	}
640 	return 0;
641 }
642 
643 int
644 secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
645 	unsigned char* res)
646 {
647 	/* uses libNSS */
648 	switch(algo) {
649 		case LDNS_SHA1:
650 			return HASH_HashBuf(HASH_AlgSHA1, res, buf, len)
651 				== SECSuccess;
652 #if defined(USE_SHA2)
653 		case LDNS_SHA256:
654 			return HASH_HashBuf(HASH_AlgSHA256, res, buf, len)
655 				== SECSuccess;
656 #endif
657 #ifdef USE_ECDSA
658 		case LDNS_SHA384:
659 			return HASH_HashBuf(HASH_AlgSHA384, res, buf, len)
660 				== SECSuccess;
661 #endif
662 		case LDNS_HASH_GOST:
663 		default:
664 			verbose(VERB_QUERY, "unknown DS digest algorithm %d",
665 				algo);
666 			break;
667 	}
668 	return 0;
669 }
670 
671 int
672 dnskey_algo_id_is_supported(int id)
673 {
674 	/* uses libNSS */
675 	switch(id) {
676 	case LDNS_RSAMD5:
677 		/* RFC 6725 deprecates RSAMD5 */
678 		return 0;
679 	case LDNS_DSA:
680 	case LDNS_DSA_NSEC3:
681 	case LDNS_RSASHA1:
682 	case LDNS_RSASHA1_NSEC3:
683 #ifdef USE_SHA2
684 	case LDNS_RSASHA256:
685 #endif
686 #ifdef USE_SHA2
687 	case LDNS_RSASHA512:
688 #endif
689 		return 1;
690 #ifdef USE_ECDSA
691 	case LDNS_ECDSAP256SHA256:
692 	case LDNS_ECDSAP384SHA384:
693 		return PK11_TokenExists(CKM_ECDSA);
694 #endif
695 	case LDNS_ECC_GOST:
696 	default:
697 		return 0;
698 	}
699 }
700 
701 /* return a new public key for NSS */
702 static SECKEYPublicKey* nss_key_create(KeyType ktype)
703 {
704 	SECKEYPublicKey* key;
705 	PLArenaPool* arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
706 	if(!arena) {
707 		log_err("out of memory, PORT_NewArena failed");
708 		return NULL;
709 	}
710 	key = PORT_ArenaZNew(arena, SECKEYPublicKey);
711 	if(!key) {
712 		log_err("out of memory, PORT_ArenaZNew failed");
713 		PORT_FreeArena(arena, PR_FALSE);
714 		return NULL;
715 	}
716 	key->arena = arena;
717 	key->keyType = ktype;
718 	key->pkcs11Slot = NULL;
719 	key->pkcs11ID = CK_INVALID_HANDLE;
720 	return key;
721 }
722 
723 static SECKEYPublicKey* nss_buf2ecdsa(unsigned char* key, size_t len, int algo)
724 {
725 	SECKEYPublicKey* pk;
726 	SECItem pub = {siBuffer, NULL, 0};
727 	SECItem params = {siBuffer, NULL, 0};
728 	static unsigned char param256[] = {
729 		/* OBJECTIDENTIFIER 1.2.840.10045.3.1.7 (P-256)
730 		 * {iso(1) member-body(2) us(840) ansi-x962(10045) curves(3) prime(1) prime256v1(7)} */
731 		0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07
732 	};
733 	static unsigned char param384[] = {
734 		/* OBJECTIDENTIFIER 1.3.132.0.34 (P-384)
735 		 * {iso(1) identified-organization(3) certicom(132) curve(0) ansip384r1(34)} */
736 		0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22
737 	};
738 	unsigned char buf[256+2]; /* sufficient for 2*384/8+1 */
739 
740 	/* check length, which uncompressed must be 2 bignums */
741 	if(algo == LDNS_ECDSAP256SHA256) {
742 		if(len != 2*256/8) return NULL;
743 		/* ECCurve_X9_62_PRIME_256V1 */
744 	} else if(algo == LDNS_ECDSAP384SHA384) {
745 		if(len != 2*384/8) return NULL;
746 		/* ECCurve_X9_62_PRIME_384R1 */
747 	} else    return NULL;
748 
749 	buf[0] = 0x04; /* POINT_FORM_UNCOMPRESSED */
750 	memmove(buf+1, key, len);
751 	pub.data = buf;
752 	pub.len = len+1;
753 	if(algo == LDNS_ECDSAP256SHA256) {
754 		params.data = param256;
755 		params.len = sizeof(param256);
756 	} else {
757 		params.data = param384;
758 		params.len = sizeof(param384);
759 	}
760 
761 	pk = nss_key_create(ecKey);
762 	if(!pk)
763 		return NULL;
764 	pk->u.ec.size = (len/2)*8;
765 	if(SECITEM_CopyItem(pk->arena, &pk->u.ec.publicValue, &pub)) {
766 		SECKEY_DestroyPublicKey(pk);
767 		return NULL;
768 	}
769 	if(SECITEM_CopyItem(pk->arena, &pk->u.ec.DEREncodedParams, &params)) {
770 		SECKEY_DestroyPublicKey(pk);
771 		return NULL;
772 	}
773 
774 	return pk;
775 }
776 
777 static SECKEYPublicKey* nss_buf2dsa(unsigned char* key, size_t len)
778 {
779 	SECKEYPublicKey* pk;
780 	uint8_t T;
781 	uint16_t length;
782 	uint16_t offset;
783 	SECItem Q = {siBuffer, NULL, 0};
784 	SECItem P = {siBuffer, NULL, 0};
785 	SECItem G = {siBuffer, NULL, 0};
786 	SECItem Y = {siBuffer, NULL, 0};
787 
788 	if(len == 0)
789 		return NULL;
790 	T = (uint8_t)key[0];
791 	length = (64 + T * 8);
792 	offset = 1;
793 
794 	if (T > 8) {
795 		return NULL;
796 	}
797 	if(len < (size_t)1 + SHA1_LENGTH + 3*length)
798 		return NULL;
799 
800 	Q.data = key+offset;
801 	Q.len = SHA1_LENGTH;
802 	offset += SHA1_LENGTH;
803 
804 	P.data = key+offset;
805 	P.len = length;
806 	offset += length;
807 
808 	G.data = key+offset;
809 	G.len = length;
810 	offset += length;
811 
812 	Y.data = key+offset;
813 	Y.len = length;
814 	offset += length;
815 
816 	pk = nss_key_create(dsaKey);
817 	if(!pk)
818 		return NULL;
819 	if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.prime, &P)) {
820 		SECKEY_DestroyPublicKey(pk);
821 		return NULL;
822 	}
823 	if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.subPrime, &Q)) {
824 		SECKEY_DestroyPublicKey(pk);
825 		return NULL;
826 	}
827 	if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.base, &G)) {
828 		SECKEY_DestroyPublicKey(pk);
829 		return NULL;
830 	}
831 	if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.publicValue, &Y)) {
832 		SECKEY_DestroyPublicKey(pk);
833 		return NULL;
834 	}
835 	return pk;
836 }
837 
838 static SECKEYPublicKey* nss_buf2rsa(unsigned char* key, size_t len)
839 {
840 	SECKEYPublicKey* pk;
841 	uint16_t exp;
842 	uint16_t offset;
843 	uint16_t int16;
844 	SECItem modulus = {siBuffer, NULL, 0};
845 	SECItem exponent = {siBuffer, NULL, 0};
846 	if(len == 0)
847 		return NULL;
848 	if(key[0] == 0) {
849 		if(len < 3)
850 			return NULL;
851 		/* the exponent is too large so it's places further */
852 		memmove(&int16, key+1, 2);
853 		exp = ntohs(int16);
854 		offset = 3;
855 	} else {
856 		exp = key[0];
857 		offset = 1;
858 	}
859 
860 	/* key length at least one */
861 	if(len < (size_t)offset + exp + 1)
862 		return NULL;
863 
864 	exponent.data = key+offset;
865 	exponent.len = exp;
866 	offset += exp;
867 	modulus.data = key+offset;
868 	modulus.len = (len - offset);
869 
870 	pk = nss_key_create(rsaKey);
871 	if(!pk)
872 		return NULL;
873 	if(SECITEM_CopyItem(pk->arena, &pk->u.rsa.modulus, &modulus)) {
874 		SECKEY_DestroyPublicKey(pk);
875 		return NULL;
876 	}
877 	if(SECITEM_CopyItem(pk->arena, &pk->u.rsa.publicExponent, &exponent)) {
878 		SECKEY_DestroyPublicKey(pk);
879 		return NULL;
880 	}
881 	return pk;
882 }
883 
884 /**
885  * Setup key and digest for verification. Adjust sig if necessary.
886  *
887  * @param algo: key algorithm
888  * @param evp_key: EVP PKEY public key to create.
889  * @param digest_type: digest type to use
890  * @param key: key to setup for.
891  * @param keylen: length of key.
892  * @param prefix: if returned, the ASN prefix for the hashblob.
893  * @param prefixlen: length of the prefix.
894  * @return false on failure.
895  */
896 static int
897 nss_setup_key_digest(int algo, SECKEYPublicKey** pubkey, HASH_HashType* htype,
898 	unsigned char* key, size_t keylen, unsigned char** prefix,
899 	size_t* prefixlen)
900 {
901 	/* uses libNSS */
902 
903 	/* hash prefix for md5, RFC2537 */
904 	static unsigned char p_md5[] = {0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a,
905 	0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 0x04, 0x10};
906 	/* hash prefix to prepend to hash output, from RFC3110 */
907 	static unsigned char p_sha1[] = {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B,
908 		0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14};
909 	/* from RFC5702 */
910 	static unsigned char p_sha256[] = {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60,
911 	0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20};
912 	static unsigned char p_sha512[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60,
913 	0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40};
914 	/* from RFC6234 */
915 	/* for future RSASHA384 ..
916 	static unsigned char p_sha384[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60,
917 	0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30};
918 	*/
919 
920 	switch(algo) {
921 		case LDNS_DSA:
922 		case LDNS_DSA_NSEC3:
923 			*pubkey = nss_buf2dsa(key, keylen);
924 			if(!*pubkey) {
925 				log_err("verify: malloc failure in crypto");
926 				return 0;
927 			}
928 			*htype = HASH_AlgSHA1;
929 			/* no prefix for DSA verification */
930 			break;
931 		case LDNS_RSASHA1:
932 		case LDNS_RSASHA1_NSEC3:
933 #ifdef USE_SHA2
934 		case LDNS_RSASHA256:
935 #endif
936 #ifdef USE_SHA2
937 		case LDNS_RSASHA512:
938 #endif
939 			*pubkey = nss_buf2rsa(key, keylen);
940 			if(!*pubkey) {
941 				log_err("verify: malloc failure in crypto");
942 				return 0;
943 			}
944 			/* select SHA version */
945 #ifdef USE_SHA2
946 			if(algo == LDNS_RSASHA256) {
947 				*htype = HASH_AlgSHA256;
948 				*prefix = p_sha256;
949 				*prefixlen = sizeof(p_sha256);
950 			} else
951 #endif
952 #ifdef USE_SHA2
953 				if(algo == LDNS_RSASHA512) {
954 				*htype = HASH_AlgSHA512;
955 				*prefix = p_sha512;
956 				*prefixlen = sizeof(p_sha512);
957 			} else
958 #endif
959 			{
960 				*htype = HASH_AlgSHA1;
961 				*prefix = p_sha1;
962 				*prefixlen = sizeof(p_sha1);
963 			}
964 
965 			break;
966 		case LDNS_RSAMD5:
967 			*pubkey = nss_buf2rsa(key, keylen);
968 			if(!*pubkey) {
969 				log_err("verify: malloc failure in crypto");
970 				return 0;
971 			}
972 			*htype = HASH_AlgMD5;
973 			*prefix = p_md5;
974 			*prefixlen = sizeof(p_md5);
975 
976 			break;
977 #ifdef USE_ECDSA
978 		case LDNS_ECDSAP256SHA256:
979 			*pubkey = nss_buf2ecdsa(key, keylen,
980 				LDNS_ECDSAP256SHA256);
981 			if(!*pubkey) {
982 				log_err("verify: malloc failure in crypto");
983 				return 0;
984 			}
985 			*htype = HASH_AlgSHA256;
986 			/* no prefix for DSA verification */
987 			break;
988 		case LDNS_ECDSAP384SHA384:
989 			*pubkey = nss_buf2ecdsa(key, keylen,
990 				LDNS_ECDSAP384SHA384);
991 			if(!*pubkey) {
992 				log_err("verify: malloc failure in crypto");
993 				return 0;
994 			}
995 			*htype = HASH_AlgSHA384;
996 			/* no prefix for DSA verification */
997 			break;
998 #endif /* USE_ECDSA */
999 		case LDNS_ECC_GOST:
1000 		default:
1001 			verbose(VERB_QUERY, "verify: unknown algorithm %d",
1002 				algo);
1003 			return 0;
1004 	}
1005 	return 1;
1006 }
1007 
1008 /**
1009  * Check a canonical sig+rrset and signature against a dnskey
1010  * @param buf: buffer with data to verify, the first rrsig part and the
1011  *	canonicalized rrset.
1012  * @param algo: DNSKEY algorithm.
1013  * @param sigblock: signature rdata field from RRSIG
1014  * @param sigblock_len: length of sigblock data.
1015  * @param key: public key data from DNSKEY RR.
1016  * @param keylen: length of keydata.
1017  * @param reason: bogus reason in more detail.
1018  * @return secure if verification succeeded, bogus on crypto failure,
1019  *	unchecked on format errors and alloc failures.
1020  */
1021 enum sec_status
1022 verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
1023 	unsigned int sigblock_len, unsigned char* key, unsigned int keylen,
1024 	char** reason)
1025 {
1026 	/* uses libNSS */
1027 	/* large enough for the different hashes */
1028 	unsigned char hash[HASH_LENGTH_MAX];
1029 	unsigned char hash2[HASH_LENGTH_MAX*2];
1030 	HASH_HashType htype = 0;
1031 	SECKEYPublicKey* pubkey = NULL;
1032 	SECItem secsig = {siBuffer, sigblock, sigblock_len};
1033 	SECItem sechash = {siBuffer, hash, 0};
1034 	SECStatus res;
1035 	unsigned char* prefix = NULL; /* prefix for hash, RFC3110, RFC5702 */
1036 	size_t prefixlen = 0;
1037 	int err;
1038 
1039 	if(!nss_setup_key_digest(algo, &pubkey, &htype, key, keylen,
1040 		&prefix, &prefixlen)) {
1041 		verbose(VERB_QUERY, "verify: failed to setup key");
1042 		*reason = "use of key for crypto failed";
1043 		SECKEY_DestroyPublicKey(pubkey);
1044 		return sec_status_bogus;
1045 	}
1046 
1047 	/* need to convert DSA, ECDSA signatures? */
1048 	if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3)) {
1049 		if(sigblock_len == 1+2*SHA1_LENGTH) {
1050 			secsig.data ++;
1051 			secsig.len --;
1052 		} else {
1053 			SECItem* p = DSAU_DecodeDerSig(&secsig);
1054 			if(!p) {
1055 				verbose(VERB_QUERY, "verify: failed DER decode");
1056 				*reason = "signature DER decode failed";
1057 				SECKEY_DestroyPublicKey(pubkey);
1058 				return sec_status_bogus;
1059 			}
1060 			if(SECITEM_CopyItem(pubkey->arena, &secsig, p)) {
1061 				log_err("alloc failure in DER decode");
1062 				SECKEY_DestroyPublicKey(pubkey);
1063 				SECITEM_FreeItem(p, PR_TRUE);
1064 				return sec_status_unchecked;
1065 			}
1066 			SECITEM_FreeItem(p, PR_TRUE);
1067 		}
1068 	}
1069 
1070 	/* do the signature cryptography work */
1071 	/* hash the data */
1072 	sechash.len = HASH_ResultLen(htype);
1073 	if(sechash.len > sizeof(hash)) {
1074 		verbose(VERB_QUERY, "verify: hash too large for buffer");
1075 		SECKEY_DestroyPublicKey(pubkey);
1076 		return sec_status_unchecked;
1077 	}
1078 	if(HASH_HashBuf(htype, hash, (unsigned char*)sldns_buffer_begin(buf),
1079 		(unsigned int)sldns_buffer_limit(buf)) != SECSuccess) {
1080 		verbose(VERB_QUERY, "verify: HASH_HashBuf failed");
1081 		SECKEY_DestroyPublicKey(pubkey);
1082 		return sec_status_unchecked;
1083 	}
1084 	if(prefix) {
1085 		int hashlen = sechash.len;
1086 		if(prefixlen+hashlen > sizeof(hash2)) {
1087 			verbose(VERB_QUERY, "verify: hashprefix too large");
1088 			SECKEY_DestroyPublicKey(pubkey);
1089 			return sec_status_unchecked;
1090 		}
1091 		sechash.data = hash2;
1092 		sechash.len = prefixlen+hashlen;
1093 		memcpy(sechash.data, prefix, prefixlen);
1094 		memmove(sechash.data+prefixlen, hash, hashlen);
1095 	}
1096 
1097 	/* verify the signature */
1098 	res = PK11_Verify(pubkey, &secsig, &sechash, NULL /*wincx*/);
1099 	SECKEY_DestroyPublicKey(pubkey);
1100 
1101 	if(res == SECSuccess) {
1102 		return sec_status_secure;
1103 	}
1104 	err = PORT_GetError();
1105 	if(err != SEC_ERROR_BAD_SIGNATURE) {
1106 		/* failed to verify */
1107 		verbose(VERB_QUERY, "verify: PK11_Verify failed: %s",
1108 			PORT_ErrorToString(err));
1109 		/* if it is not supported, like ECC is removed, we get,
1110 		 * SEC_ERROR_NO_MODULE */
1111 		if(err == SEC_ERROR_NO_MODULE)
1112 			return sec_status_unchecked;
1113 		/* but other errors are commonly returned
1114 		 * for a bad signature from NSS.  Thus we return bogus,
1115 		 * not unchecked */
1116 		*reason = "signature crypto failed";
1117 		return sec_status_bogus;
1118 	}
1119 	verbose(VERB_QUERY, "verify: signature mismatch: %s",
1120 		PORT_ErrorToString(err));
1121 	*reason = "signature crypto failed";
1122 	return sec_status_bogus;
1123 }
1124 
1125 #elif defined(HAVE_NETTLE)
1126 
1127 #include "sha.h"
1128 #include "bignum.h"
1129 #include "macros.h"
1130 #include "rsa.h"
1131 #include "dsa.h"
1132 #include "asn1.h"
1133 #ifdef USE_ECDSA
1134 #include "ecdsa.h"
1135 #include "ecc-curve.h"
1136 #endif
1137 
1138 static int
1139 _digest_nettle(int algo, uint8_t* buf, size_t len,
1140 	unsigned char* res)
1141 {
1142 	switch(algo) {
1143 		case SHA1_DIGEST_SIZE:
1144 		{
1145 			struct sha1_ctx ctx;
1146 			sha1_init(&ctx);
1147 			sha1_update(&ctx, len, buf);
1148 			sha1_digest(&ctx, SHA1_DIGEST_SIZE, res);
1149 			return 1;
1150 		}
1151 		case SHA256_DIGEST_SIZE:
1152 		{
1153 			struct sha256_ctx ctx;
1154 			sha256_init(&ctx);
1155 			sha256_update(&ctx, len, buf);
1156 			sha256_digest(&ctx, SHA256_DIGEST_SIZE, res);
1157 			return 1;
1158 		}
1159 		case SHA384_DIGEST_SIZE:
1160 		{
1161 			struct sha384_ctx ctx;
1162 			sha384_init(&ctx);
1163 			sha384_update(&ctx, len, buf);
1164 			sha384_digest(&ctx, SHA384_DIGEST_SIZE, res);
1165 			return 1;
1166 		}
1167 		case SHA512_DIGEST_SIZE:
1168 		{
1169 			struct sha512_ctx ctx;
1170 			sha512_init(&ctx);
1171 			sha512_update(&ctx, len, buf);
1172 			sha512_digest(&ctx, SHA512_DIGEST_SIZE, res);
1173 			return 1;
1174 		}
1175 		default:
1176 			break;
1177 	}
1178 	return 0;
1179 }
1180 
1181 /* return size of digest if supported, or 0 otherwise */
1182 size_t
1183 nsec3_hash_algo_size_supported(int id)
1184 {
1185 	switch(id) {
1186 	case NSEC3_HASH_SHA1:
1187 		return SHA1_DIGEST_SIZE;
1188 	default:
1189 		return 0;
1190 	}
1191 }
1192 
1193 /* perform nsec3 hash. return false on failure */
1194 int
1195 secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
1196         unsigned char* res)
1197 {
1198 	switch(algo) {
1199 	case NSEC3_HASH_SHA1:
1200 		return _digest_nettle(SHA1_DIGEST_SIZE, (uint8_t*)buf, len,
1201 			res);
1202 	default:
1203 		return 0;
1204 	}
1205 }
1206 
1207 /**
1208  * Return size of DS digest according to its hash algorithm.
1209  * @param algo: DS digest algo.
1210  * @return size in bytes of digest, or 0 if not supported.
1211  */
1212 size_t
1213 ds_digest_size_supported(int algo)
1214 {
1215 	switch(algo) {
1216 		case LDNS_SHA1:
1217 			return SHA1_DIGEST_SIZE;
1218 #ifdef USE_SHA2
1219 		case LDNS_SHA256:
1220 			return SHA256_DIGEST_SIZE;
1221 #endif
1222 #ifdef USE_ECDSA
1223 		case LDNS_SHA384:
1224 			return SHA384_DIGEST_SIZE;
1225 #endif
1226 		/* GOST not supported */
1227 		case LDNS_HASH_GOST:
1228 		default:
1229 			break;
1230 	}
1231 	return 0;
1232 }
1233 
1234 int
1235 secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
1236 	unsigned char* res)
1237 {
1238 	switch(algo) {
1239 		case LDNS_SHA1:
1240 			return _digest_nettle(SHA1_DIGEST_SIZE, buf, len, res);
1241 #if defined(USE_SHA2)
1242 		case LDNS_SHA256:
1243 			return _digest_nettle(SHA256_DIGEST_SIZE, buf, len, res);
1244 #endif
1245 #ifdef USE_ECDSA
1246 		case LDNS_SHA384:
1247 			return _digest_nettle(SHA384_DIGEST_SIZE, buf, len, res);
1248 
1249 #endif
1250 		case LDNS_HASH_GOST:
1251 		default:
1252 			verbose(VERB_QUERY, "unknown DS digest algorithm %d",
1253 				algo);
1254 			break;
1255 	}
1256 	return 0;
1257 }
1258 
1259 int
1260 dnskey_algo_id_is_supported(int id)
1261 {
1262 	/* uses libnettle */
1263 	switch(id) {
1264 	case LDNS_DSA:
1265 	case LDNS_DSA_NSEC3:
1266 	case LDNS_RSASHA1:
1267 	case LDNS_RSASHA1_NSEC3:
1268 #ifdef USE_SHA2
1269 	case LDNS_RSASHA256:
1270 	case LDNS_RSASHA512:
1271 #endif
1272 #ifdef USE_ECDSA
1273 	case LDNS_ECDSAP256SHA256:
1274 	case LDNS_ECDSAP384SHA384:
1275 #endif
1276 		return 1;
1277 	case LDNS_RSAMD5: /* RFC 6725 deprecates RSAMD5 */
1278 	case LDNS_ECC_GOST:
1279 	default:
1280 		return 0;
1281 	}
1282 }
1283 
1284 static char *
1285 _verify_nettle_dsa(sldns_buffer* buf, unsigned char* sigblock,
1286 	unsigned int sigblock_len, unsigned char* key, unsigned int keylen)
1287 {
1288 	uint8_t digest[SHA1_DIGEST_SIZE];
1289 	uint8_t key_t;
1290 	int res = 0;
1291 	size_t offset;
1292 	struct dsa_public_key pubkey;
1293 	struct dsa_signature signature;
1294 	unsigned int expected_len;
1295 
1296 	/* Extract DSA signature from the record */
1297 	nettle_dsa_signature_init(&signature);
1298 	/* Signature length: 41 bytes - RFC 2536 sec. 3 */
1299 	if(sigblock_len == 41) {
1300 		if(key[0] != sigblock[0])
1301 			return "invalid T value in DSA signature or pubkey";
1302 		nettle_mpz_set_str_256_u(signature.r, 20, sigblock+1);
1303 		nettle_mpz_set_str_256_u(signature.s, 20, sigblock+1+20);
1304 	} else {
1305 		/* DER encoded, decode the ASN1 notated R and S bignums */
1306 		/* SEQUENCE { r INTEGER, s INTEGER } */
1307 		struct asn1_der_iterator i, seq;
1308 		if(asn1_der_iterator_first(&i, sigblock_len,
1309 			(uint8_t*)sigblock) != ASN1_ITERATOR_CONSTRUCTED
1310 			|| i.type != ASN1_SEQUENCE)
1311 			return "malformed DER encoded DSA signature";
1312 		/* decode this element of i using the seq iterator */
1313 		if(asn1_der_decode_constructed(&i, &seq) !=
1314 			ASN1_ITERATOR_PRIMITIVE || seq.type != ASN1_INTEGER)
1315 			return "malformed DER encoded DSA signature";
1316 		if(!asn1_der_get_bignum(&seq, signature.r, 20*8))
1317 			return "malformed DER encoded DSA signature";
1318 		if(asn1_der_iterator_next(&seq) != ASN1_ITERATOR_PRIMITIVE
1319 			|| seq.type != ASN1_INTEGER)
1320 			return "malformed DER encoded DSA signature";
1321 		if(!asn1_der_get_bignum(&seq, signature.s, 20*8))
1322 			return "malformed DER encoded DSA signature";
1323 		if(asn1_der_iterator_next(&i) != ASN1_ITERATOR_END)
1324 			return "malformed DER encoded DSA signature";
1325 	}
1326 
1327 	/* Validate T values constraints - RFC 2536 sec. 2 & sec. 3 */
1328 	key_t = key[0];
1329 	if (key_t > 8) {
1330 		return "invalid T value in DSA pubkey";
1331 	}
1332 
1333 	/* Pubkey minimum length: 21 bytes - RFC 2536 sec. 2 */
1334 	if (keylen < 21) {
1335 		return "DSA pubkey too short";
1336 	}
1337 
1338 	expected_len =   1 +		/* T */
1339 		        20 +		/* Q */
1340 		       (64 + key_t*8) +	/* P */
1341 		       (64 + key_t*8) +	/* G */
1342 		       (64 + key_t*8);	/* Y */
1343 	if (keylen != expected_len ) {
1344 		return "invalid DSA pubkey length";
1345 	}
1346 
1347 	/* Extract DSA pubkey from the record */
1348 	nettle_dsa_public_key_init(&pubkey);
1349 	offset = 1;
1350 	nettle_mpz_set_str_256_u(pubkey.q, 20, key+offset);
1351 	offset += 20;
1352 	nettle_mpz_set_str_256_u(pubkey.p, (64 + key_t*8), key+offset);
1353 	offset += (64 + key_t*8);
1354 	nettle_mpz_set_str_256_u(pubkey.g, (64 + key_t*8), key+offset);
1355 	offset += (64 + key_t*8);
1356 	nettle_mpz_set_str_256_u(pubkey.y, (64 + key_t*8), key+offset);
1357 
1358 	/* Digest content of "buf" and verify its DSA signature in "sigblock"*/
1359 	res = _digest_nettle(SHA1_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1360 						(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1361 	res &= dsa_sha1_verify_digest(&pubkey, digest, &signature);
1362 
1363 	/* Clear and return */
1364 	nettle_dsa_signature_clear(&signature);
1365 	nettle_dsa_public_key_clear(&pubkey);
1366 	if (!res)
1367 		return "DSA signature verification failed";
1368 	else
1369 		return NULL;
1370 }
1371 
1372 static char *
1373 _verify_nettle_rsa(sldns_buffer* buf, unsigned int digest_size, char* sigblock,
1374 	unsigned int sigblock_len, uint8_t* key, unsigned int keylen)
1375 {
1376 	uint16_t exp_len = 0;
1377 	size_t exp_offset = 0, mod_offset = 0;
1378 	struct rsa_public_key pubkey;
1379 	mpz_t signature;
1380 	int res = 0;
1381 
1382 	/* RSA pubkey parsing as per RFC 3110 sec. 2 */
1383 	if( keylen <= 1) {
1384 		return "null RSA key";
1385 	}
1386 	if (key[0] != 0) {
1387 		/* 1-byte length */
1388 		exp_len = key[0];
1389 		exp_offset = 1;
1390 	} else {
1391 		/* 1-byte NUL + 2-bytes exponent length */
1392 		if (keylen < 3) {
1393 			return "incorrect RSA key length";
1394 		}
1395 		exp_len = READ_UINT16(key+1);
1396 		if (exp_len == 0)
1397 			return "null RSA exponent length";
1398 		exp_offset = 3;
1399 	}
1400 	/* Check that we are not over-running input length */
1401 	if (keylen < exp_offset + exp_len + 1) {
1402 		return "RSA key content shorter than expected";
1403 	}
1404 	mod_offset = exp_offset + exp_len;
1405 	nettle_rsa_public_key_init(&pubkey);
1406 	pubkey.size = keylen - mod_offset;
1407 	nettle_mpz_set_str_256_u(pubkey.e, exp_len, &key[exp_offset]);
1408 	nettle_mpz_set_str_256_u(pubkey.n, pubkey.size, &key[mod_offset]);
1409 
1410 	/* Digest content of "buf" and verify its RSA signature in "sigblock"*/
1411 	nettle_mpz_init_set_str_256_u(signature, sigblock_len, (uint8_t*)sigblock);
1412 	switch (digest_size) {
1413 		case SHA1_DIGEST_SIZE:
1414 		{
1415 			uint8_t digest[SHA1_DIGEST_SIZE];
1416 			res = _digest_nettle(SHA1_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1417 						(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1418 			res &= rsa_sha1_verify_digest(&pubkey, digest, signature);
1419 			break;
1420 		}
1421 		case SHA256_DIGEST_SIZE:
1422 		{
1423 			uint8_t digest[SHA256_DIGEST_SIZE];
1424 			res = _digest_nettle(SHA256_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1425 						(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1426 			res &= rsa_sha256_verify_digest(&pubkey, digest, signature);
1427 			break;
1428 		}
1429 		case SHA512_DIGEST_SIZE:
1430 		{
1431 			uint8_t digest[SHA512_DIGEST_SIZE];
1432 			res = _digest_nettle(SHA512_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1433 						(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1434 			res &= rsa_sha512_verify_digest(&pubkey, digest, signature);
1435 			break;
1436 		}
1437 		default:
1438 			break;
1439 	}
1440 
1441 	/* Clear and return */
1442 	nettle_rsa_public_key_clear(&pubkey);
1443 	mpz_clear(signature);
1444 	if (!res) {
1445 		return "RSA signature verification failed";
1446 	} else {
1447 		return NULL;
1448 	}
1449 }
1450 
1451 #ifdef USE_ECDSA
1452 static char *
1453 _verify_nettle_ecdsa(sldns_buffer* buf, unsigned int digest_size, unsigned char* sigblock,
1454 	unsigned int sigblock_len, unsigned char* key, unsigned int keylen)
1455 {
1456 	int res = 0;
1457 	struct ecc_point pubkey;
1458 	struct dsa_signature signature;
1459 
1460 	/* Always matched strength, as per RFC 6605 sec. 1 */
1461 	if (sigblock_len != 2*digest_size || keylen != 2*digest_size) {
1462 		return "wrong ECDSA signature length";
1463 	}
1464 
1465 	/* Parse ECDSA signature as per RFC 6605 sec. 4 */
1466 	nettle_dsa_signature_init(&signature);
1467 	switch (digest_size) {
1468 		case SHA256_DIGEST_SIZE:
1469 		{
1470 			uint8_t digest[SHA256_DIGEST_SIZE];
1471 			mpz_t x, y;
1472 			nettle_ecc_point_init(&pubkey, &nettle_secp_256r1);
1473 			nettle_mpz_init_set_str_256_u(x, SHA256_DIGEST_SIZE, key);
1474 			nettle_mpz_init_set_str_256_u(y, SHA256_DIGEST_SIZE, key+SHA256_DIGEST_SIZE);
1475 			nettle_mpz_set_str_256_u(signature.r, SHA256_DIGEST_SIZE, sigblock);
1476 			nettle_mpz_set_str_256_u(signature.s, SHA256_DIGEST_SIZE, sigblock+SHA256_DIGEST_SIZE);
1477 			res = _digest_nettle(SHA256_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1478 						(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1479 			res &= nettle_ecc_point_set(&pubkey, x, y);
1480 			res &= nettle_ecdsa_verify (&pubkey, SHA256_DIGEST_SIZE, digest, &signature);
1481 			mpz_clear(x);
1482 			mpz_clear(y);
1483 			break;
1484 		}
1485 		case SHA384_DIGEST_SIZE:
1486 		{
1487 			uint8_t digest[SHA384_DIGEST_SIZE];
1488 			mpz_t x, y;
1489 			nettle_ecc_point_init(&pubkey, &nettle_secp_384r1);
1490 			nettle_mpz_init_set_str_256_u(x, SHA384_DIGEST_SIZE, key);
1491 			nettle_mpz_init_set_str_256_u(y, SHA384_DIGEST_SIZE, key+SHA384_DIGEST_SIZE);
1492 			nettle_mpz_set_str_256_u(signature.r, SHA384_DIGEST_SIZE, sigblock);
1493 			nettle_mpz_set_str_256_u(signature.s, SHA384_DIGEST_SIZE, sigblock+SHA384_DIGEST_SIZE);
1494 			res = _digest_nettle(SHA384_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1495 						(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1496 			res &= nettle_ecc_point_set(&pubkey, x, y);
1497 			res &= nettle_ecdsa_verify (&pubkey, SHA384_DIGEST_SIZE, digest, &signature);
1498 			mpz_clear(x);
1499 			mpz_clear(y);
1500 			nettle_ecc_point_clear(&pubkey);
1501 			break;
1502 		}
1503 		default:
1504 			return "unknown ECDSA algorithm";
1505 	}
1506 
1507 	/* Clear and return */
1508 	nettle_dsa_signature_clear(&signature);
1509 	if (!res)
1510 		return "ECDSA signature verification failed";
1511 	else
1512 		return NULL;
1513 }
1514 #endif
1515 
1516 /**
1517  * Check a canonical sig+rrset and signature against a dnskey
1518  * @param buf: buffer with data to verify, the first rrsig part and the
1519  *	canonicalized rrset.
1520  * @param algo: DNSKEY algorithm.
1521  * @param sigblock: signature rdata field from RRSIG
1522  * @param sigblock_len: length of sigblock data.
1523  * @param key: public key data from DNSKEY RR.
1524  * @param keylen: length of keydata.
1525  * @param reason: bogus reason in more detail.
1526  * @return secure if verification succeeded, bogus on crypto failure,
1527  *	unchecked on format errors and alloc failures.
1528  */
1529 enum sec_status
1530 verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
1531 	unsigned int sigblock_len, unsigned char* key, unsigned int keylen,
1532 	char** reason)
1533 {
1534 	unsigned int digest_size = 0;
1535 
1536 	if (sigblock_len == 0 || keylen == 0) {
1537 		*reason = "null signature";
1538 		return sec_status_bogus;
1539 	}
1540 
1541 	switch(algo) {
1542 	case LDNS_DSA:
1543 	case LDNS_DSA_NSEC3:
1544 		*reason = _verify_nettle_dsa(buf, sigblock, sigblock_len, key, keylen);
1545 		if (*reason != NULL)
1546 			return sec_status_bogus;
1547 		else
1548 			return sec_status_secure;
1549 
1550 	case LDNS_RSASHA1:
1551 	case LDNS_RSASHA1_NSEC3:
1552 		digest_size = (digest_size ? digest_size : SHA1_DIGEST_SIZE);
1553 #ifdef USE_SHA2
1554 	case LDNS_RSASHA256:
1555 		digest_size = (digest_size ? digest_size : SHA256_DIGEST_SIZE);
1556 	case LDNS_RSASHA512:
1557 		digest_size = (digest_size ? digest_size : SHA512_DIGEST_SIZE);
1558 
1559 #endif
1560 		*reason = _verify_nettle_rsa(buf, digest_size, (char*)sigblock,
1561 						sigblock_len, key, keylen);
1562 		if (*reason != NULL)
1563 			return sec_status_bogus;
1564 		else
1565 			return sec_status_secure;
1566 
1567 #ifdef USE_ECDSA
1568 	case LDNS_ECDSAP256SHA256:
1569 		digest_size = (digest_size ? digest_size : SHA256_DIGEST_SIZE);
1570 	case LDNS_ECDSAP384SHA384:
1571 		digest_size = (digest_size ? digest_size : SHA384_DIGEST_SIZE);
1572 		*reason = _verify_nettle_ecdsa(buf, digest_size, sigblock,
1573 						sigblock_len, key, keylen);
1574 		if (*reason != NULL)
1575 			return sec_status_bogus;
1576 		else
1577 			return sec_status_secure;
1578 #endif
1579 	case LDNS_RSAMD5:
1580 	case LDNS_ECC_GOST:
1581 	default:
1582 		*reason = "unable to verify signature, unknown algorithm";
1583 		return sec_status_bogus;
1584 	}
1585 }
1586 
1587 #endif /* HAVE_SSL or HAVE_NSS or HAVE_NETTLE */
1588