xref: /freebsd/contrib/unbound/validator/val_secalgo.c (revision ae7e8a02e6e93455e026036132c4d053b2c12ad9)
1 /*
2  * validator/val_secalgo.c - validator security algorithm functions.
3  *
4  * Copyright (c) 2012, NLnet Labs. All rights reserved.
5  *
6  * This software is open source.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * Redistributions of source code must retain the above copyright notice,
13  * this list of conditions and the following disclaimer.
14  *
15  * Redistributions in binary form must reproduce the above copyright notice,
16  * this list of conditions and the following disclaimer in the documentation
17  * and/or other materials provided with the distribution.
18  *
19  * Neither the name of the NLNET LABS nor the names of its contributors may
20  * be used to endorse or promote products derived from this software without
21  * specific prior written permission.
22  *
23  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26  * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27  * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29  * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31  * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32  * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34  */
35 
36 /**
37  * \file
38  *
39  * This file contains helper functions for the validator module.
40  * These functions take raw data buffers, formatted for crypto verification,
41  * and do the library calls (for the crypto library in use).
42  */
43 #include "config.h"
44 /* packed_rrset on top to define enum types (forced by c99 standard) */
45 #include "util/data/packed_rrset.h"
46 #include "validator/val_secalgo.h"
47 #include "validator/val_nsec3.h"
48 #include "util/log.h"
49 #include "sldns/rrdef.h"
50 #include "sldns/keyraw.h"
51 #include "sldns/sbuffer.h"
52 
53 #if !defined(HAVE_SSL) && !defined(HAVE_NSS) && !defined(HAVE_NETTLE)
54 #error "Need crypto library to do digital signature cryptography"
55 #endif
56 
57 /** fake DSA support for unit tests */
58 int fake_dsa = 0;
59 /** fake SHA1 support for unit tests */
60 int fake_sha1 = 0;
61 
62 /* OpenSSL implementation */
63 #ifdef HAVE_SSL
64 #ifdef HAVE_OPENSSL_ERR_H
65 #include <openssl/err.h>
66 #endif
67 
68 #ifdef HAVE_OPENSSL_RAND_H
69 #include <openssl/rand.h>
70 #endif
71 
72 #ifdef HAVE_OPENSSL_CONF_H
73 #include <openssl/conf.h>
74 #endif
75 
76 #ifdef HAVE_OPENSSL_ENGINE_H
77 #include <openssl/engine.h>
78 #endif
79 
80 #if defined(HAVE_OPENSSL_DSA_H) && defined(USE_DSA)
81 #include <openssl/dsa.h>
82 #endif
83 
84 /**
85  * Output a libcrypto openssl error to the logfile.
86  * @param str: string to add to it.
87  * @param e: the error to output, error number from ERR_get_error().
88  */
89 static void
90 log_crypto_error(const char* str, unsigned long e)
91 {
92 	char buf[128];
93 	/* or use ERR_error_string if ERR_error_string_n is not avail TODO */
94 	ERR_error_string_n(e, buf, sizeof(buf));
95 	/* buf now contains */
96 	/* error:[error code]:[library name]:[function name]:[reason string] */
97 	log_err("%s crypto %s", str, buf);
98 }
99 
100 /* return size of digest if supported, or 0 otherwise */
101 size_t
102 nsec3_hash_algo_size_supported(int id)
103 {
104 	switch(id) {
105 	case NSEC3_HASH_SHA1:
106 		return SHA_DIGEST_LENGTH;
107 	default:
108 		return 0;
109 	}
110 }
111 
112 /* perform nsec3 hash. return false on failure */
113 int
114 secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
115         unsigned char* res)
116 {
117 	switch(algo) {
118 	case NSEC3_HASH_SHA1:
119 #ifdef OPENSSL_FIPS
120 		if(!sldns_digest_evp(buf, len, res, EVP_sha1()))
121 			log_crypto_error("could not digest with EVP_sha1",
122 				ERR_get_error());
123 #else
124 		(void)SHA1(buf, len, res);
125 #endif
126 		return 1;
127 	default:
128 		return 0;
129 	}
130 }
131 
132 void
133 secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res)
134 {
135 #ifdef OPENSSL_FIPS
136 	if(!sldns_digest_evp(buf, len, res, EVP_sha256()))
137 		log_crypto_error("could not digest with EVP_sha256",
138 			ERR_get_error());
139 #else
140 	(void)SHA256(buf, len, res);
141 #endif
142 }
143 
144 /** hash structure for keeping track of running hashes */
145 struct secalgo_hash {
146 	/** the openssl message digest context */
147 	EVP_MD_CTX* ctx;
148 };
149 
150 /** create secalgo hash with hash type */
151 static struct secalgo_hash* secalgo_hash_create_md(const EVP_MD* md)
152 {
153 	struct secalgo_hash* h;
154 	if(!md)
155 		return NULL;
156 	h = calloc(1, sizeof(*h));
157 	if(!h)
158 		return NULL;
159 	h->ctx = EVP_MD_CTX_create();
160 	if(!h->ctx) {
161 		free(h);
162 		return NULL;
163 	}
164 	if(!EVP_DigestInit_ex(h->ctx, md, NULL)) {
165 		EVP_MD_CTX_destroy(h->ctx);
166 		free(h);
167 		return NULL;
168 	}
169 	return h;
170 }
171 
172 struct secalgo_hash* secalgo_hash_create_sha384(void)
173 {
174 	return secalgo_hash_create_md(EVP_sha384());
175 }
176 
177 struct secalgo_hash* secalgo_hash_create_sha512(void)
178 {
179 	return secalgo_hash_create_md(EVP_sha512());
180 }
181 
182 int secalgo_hash_update(struct secalgo_hash* hash, uint8_t* data, size_t len)
183 {
184 	return EVP_DigestUpdate(hash->ctx, (unsigned char*)data,
185 		(unsigned int)len);
186 }
187 
188 int secalgo_hash_final(struct secalgo_hash* hash, uint8_t* result,
189         size_t maxlen, size_t* resultlen)
190 {
191 	if(EVP_MD_CTX_size(hash->ctx) > (int)maxlen) {
192 		*resultlen = 0;
193 		log_err("secalgo_hash_final: hash buffer too small");
194 		return 0;
195 	}
196 	*resultlen = EVP_MD_CTX_size(hash->ctx);
197 	return EVP_DigestFinal_ex(hash->ctx, result, NULL);
198 }
199 
200 void secalgo_hash_delete(struct secalgo_hash* hash)
201 {
202 	if(!hash) return;
203 	EVP_MD_CTX_destroy(hash->ctx);
204 	free(hash);
205 }
206 
207 /**
208  * Return size of DS digest according to its hash algorithm.
209  * @param algo: DS digest algo.
210  * @return size in bytes of digest, or 0 if not supported.
211  */
212 size_t
213 ds_digest_size_supported(int algo)
214 {
215 	switch(algo) {
216 		case LDNS_SHA1:
217 #if defined(HAVE_EVP_SHA1) && defined(USE_SHA1)
218 			return SHA_DIGEST_LENGTH;
219 #else
220 			if(fake_sha1) return 20;
221 			return 0;
222 #endif
223 #ifdef HAVE_EVP_SHA256
224 		case LDNS_SHA256:
225 			return SHA256_DIGEST_LENGTH;
226 #endif
227 #ifdef USE_GOST
228 		case LDNS_HASH_GOST:
229 			/* we support GOST if it can be loaded */
230 			(void)sldns_key_EVP_load_gost_id();
231 			if(EVP_get_digestbyname("md_gost94"))
232 				return 32;
233 			else	return 0;
234 #endif
235 #ifdef USE_ECDSA
236 		case LDNS_SHA384:
237 			return SHA384_DIGEST_LENGTH;
238 #endif
239 		default: break;
240 	}
241 	return 0;
242 }
243 
244 #ifdef USE_GOST
245 /** Perform GOST hash */
246 static int
247 do_gost94(unsigned char* data, size_t len, unsigned char* dest)
248 {
249 	const EVP_MD* md = EVP_get_digestbyname("md_gost94");
250 	if(!md)
251 		return 0;
252 	return sldns_digest_evp(data, (unsigned int)len, dest, md);
253 }
254 #endif
255 
256 int
257 secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
258 	unsigned char* res)
259 {
260 	switch(algo) {
261 #if defined(HAVE_EVP_SHA1) && defined(USE_SHA1)
262 		case LDNS_SHA1:
263 #ifdef OPENSSL_FIPS
264 			if(!sldns_digest_evp(buf, len, res, EVP_sha1()))
265 				log_crypto_error("could not digest with EVP_sha1",
266 					ERR_get_error());
267 #else
268 			(void)SHA1(buf, len, res);
269 #endif
270 			return 1;
271 #endif
272 #ifdef HAVE_EVP_SHA256
273 		case LDNS_SHA256:
274 #ifdef OPENSSL_FIPS
275 			if(!sldns_digest_evp(buf, len, res, EVP_sha256()))
276 				log_crypto_error("could not digest with EVP_sha256",
277 					ERR_get_error());
278 #else
279 			(void)SHA256(buf, len, res);
280 #endif
281 			return 1;
282 #endif
283 #ifdef USE_GOST
284 		case LDNS_HASH_GOST:
285 			if(do_gost94(buf, len, res))
286 				return 1;
287 			break;
288 #endif
289 #ifdef USE_ECDSA
290 		case LDNS_SHA384:
291 #ifdef OPENSSL_FIPS
292 			if(!sldns_digest_evp(buf, len, res, EVP_sha384()))
293 				log_crypto_error("could not digest with EVP_sha384",
294 					ERR_get_error());
295 #else
296 			(void)SHA384(buf, len, res);
297 #endif
298 			return 1;
299 #endif
300 		default:
301 			verbose(VERB_QUERY, "unknown DS digest algorithm %d",
302 				algo);
303 			break;
304 	}
305 	return 0;
306 }
307 
308 /** return true if DNSKEY algorithm id is supported */
309 int
310 dnskey_algo_id_is_supported(int id)
311 {
312 	switch(id) {
313 	case LDNS_RSAMD5:
314 		/* RFC 6725 deprecates RSAMD5 */
315 		return 0;
316 	case LDNS_DSA:
317 	case LDNS_DSA_NSEC3:
318 #if defined(USE_DSA) && defined(USE_SHA1)
319 		return 1;
320 #else
321 		if(fake_dsa || fake_sha1) return 1;
322 		return 0;
323 #endif
324 
325 	case LDNS_RSASHA1:
326 	case LDNS_RSASHA1_NSEC3:
327 #ifdef USE_SHA1
328 		return 1;
329 #else
330 		if(fake_sha1) return 1;
331 		return 0;
332 #endif
333 
334 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
335 	case LDNS_RSASHA256:
336 #endif
337 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
338 	case LDNS_RSASHA512:
339 #endif
340 #ifdef USE_ECDSA
341 	case LDNS_ECDSAP256SHA256:
342 	case LDNS_ECDSAP384SHA384:
343 #endif
344 #ifdef USE_ED25519
345 	case LDNS_ED25519:
346 #endif
347 #ifdef USE_ED448
348 	case LDNS_ED448:
349 #endif
350 #if (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2)) || defined(USE_ECDSA) || defined(USE_ED25519) || defined(USE_ED448)
351 		return 1;
352 #endif
353 
354 #ifdef USE_GOST
355 	case LDNS_ECC_GOST:
356 		/* we support GOST if it can be loaded */
357 		return sldns_key_EVP_load_gost_id();
358 #endif
359 	default:
360 		return 0;
361 	}
362 }
363 
364 #ifdef USE_DSA
365 /**
366  * Setup DSA key digest in DER encoding ...
367  * @param sig: input is signature output alloced ptr (unless failure).
368  * 	caller must free alloced ptr if this routine returns true.
369  * @param len: input is initial siglen, output is output len.
370  * @return false on failure.
371  */
372 static int
373 setup_dsa_sig(unsigned char** sig, unsigned int* len)
374 {
375 	unsigned char* orig = *sig;
376 	unsigned int origlen = *len;
377 	int newlen;
378 	BIGNUM *R, *S;
379 	DSA_SIG *dsasig;
380 
381 	/* extract the R and S field from the sig buffer */
382 	if(origlen < 1 + 2*SHA_DIGEST_LENGTH)
383 		return 0;
384 	R = BN_new();
385 	if(!R) return 0;
386 	(void) BN_bin2bn(orig + 1, SHA_DIGEST_LENGTH, R);
387 	S = BN_new();
388 	if(!S) return 0;
389 	(void) BN_bin2bn(orig + 21, SHA_DIGEST_LENGTH, S);
390 	dsasig = DSA_SIG_new();
391 	if(!dsasig) return 0;
392 
393 #ifdef HAVE_DSA_SIG_SET0
394 	if(!DSA_SIG_set0(dsasig, R, S)) return 0;
395 #else
396 #  ifndef S_SPLINT_S
397 	dsasig->r = R;
398 	dsasig->s = S;
399 #  endif /* S_SPLINT_S */
400 #endif
401 	*sig = NULL;
402 	newlen = i2d_DSA_SIG(dsasig, sig);
403 	if(newlen < 0) {
404 		DSA_SIG_free(dsasig);
405 		free(*sig);
406 		return 0;
407 	}
408 	*len = (unsigned int)newlen;
409 	DSA_SIG_free(dsasig);
410 	return 1;
411 }
412 #endif /* USE_DSA */
413 
414 #ifdef USE_ECDSA
415 /**
416  * Setup the ECDSA signature in its encoding that the library wants.
417  * Converts from plain numbers to ASN formatted.
418  * @param sig: input is signature, output alloced ptr (unless failure).
419  * 	caller must free alloced ptr if this routine returns true.
420  * @param len: input is initial siglen, output is output len.
421  * @return false on failure.
422  */
423 static int
424 setup_ecdsa_sig(unsigned char** sig, unsigned int* len)
425 {
426         /* convert from two BIGNUMs in the rdata buffer, to ASN notation.
427 	 * ASN preamble: 30440220 <R 32bytefor256> 0220 <S 32bytefor256>
428 	 * the '20' is the length of that field (=bnsize).
429 i	 * the '44' is the total remaining length.
430 	 * if negative, start with leading zero.
431 	 * if starts with 00s, remove them from the number.
432 	 */
433         uint8_t pre[] = {0x30, 0x44, 0x02, 0x20};
434         int pre_len = 4;
435         uint8_t mid[] = {0x02, 0x20};
436         int mid_len = 2;
437         int raw_sig_len, r_high, s_high, r_rem=0, s_rem=0;
438 	int bnsize = (int)((*len)/2);
439         unsigned char* d = *sig;
440 	uint8_t* p;
441 	/* if too short or not even length, fails */
442 	if(*len < 16 || bnsize*2 != (int)*len)
443 		return 0;
444 
445         /* strip leading zeroes from r (but not last one) */
446         while(r_rem < bnsize-1 && d[r_rem] == 0)
447                 r_rem++;
448         /* strip leading zeroes from s (but not last one) */
449         while(s_rem < bnsize-1 && d[bnsize+s_rem] == 0)
450                 s_rem++;
451 
452         r_high = ((d[0+r_rem]&0x80)?1:0);
453         s_high = ((d[bnsize+s_rem]&0x80)?1:0);
454         raw_sig_len = pre_len + r_high + bnsize - r_rem + mid_len +
455                 s_high + bnsize - s_rem;
456 	*sig = (unsigned char*)malloc((size_t)raw_sig_len);
457 	if(!*sig)
458 		return 0;
459 	p = (uint8_t*)*sig;
460 	p[0] = pre[0];
461 	p[1] = (uint8_t)(raw_sig_len-2);
462 	p[2] = pre[2];
463 	p[3] = (uint8_t)(bnsize + r_high - r_rem);
464 	p += 4;
465 	if(r_high) {
466 		*p = 0;
467 		p += 1;
468 	}
469 	memmove(p, d+r_rem, (size_t)bnsize-r_rem);
470 	p += bnsize-r_rem;
471 	memmove(p, mid, (size_t)mid_len-1);
472 	p += mid_len-1;
473 	*p = (uint8_t)(bnsize + s_high - s_rem);
474 	p += 1;
475         if(s_high) {
476 		*p = 0;
477 		p += 1;
478 	}
479 	memmove(p, d+bnsize+s_rem, (size_t)bnsize-s_rem);
480 	*len = (unsigned int)raw_sig_len;
481 	return 1;
482 }
483 #endif /* USE_ECDSA */
484 
485 #ifdef USE_ECDSA_EVP_WORKAROUND
486 static EVP_MD ecdsa_evp_256_md;
487 static EVP_MD ecdsa_evp_384_md;
488 void ecdsa_evp_workaround_init(void)
489 {
490 	/* openssl before 1.0.0 fixes RSA with the SHA256
491 	 * hash in EVP.  We create one for ecdsa_sha256 */
492 	ecdsa_evp_256_md = *EVP_sha256();
493 	ecdsa_evp_256_md.required_pkey_type[0] = EVP_PKEY_EC;
494 	ecdsa_evp_256_md.verify = (void*)ECDSA_verify;
495 
496 	ecdsa_evp_384_md = *EVP_sha384();
497 	ecdsa_evp_384_md.required_pkey_type[0] = EVP_PKEY_EC;
498 	ecdsa_evp_384_md.verify = (void*)ECDSA_verify;
499 }
500 #endif /* USE_ECDSA_EVP_WORKAROUND */
501 
502 /**
503  * Setup key and digest for verification. Adjust sig if necessary.
504  *
505  * @param algo: key algorithm
506  * @param evp_key: EVP PKEY public key to create.
507  * @param digest_type: digest type to use
508  * @param key: key to setup for.
509  * @param keylen: length of key.
510  * @return false on failure.
511  */
512 static int
513 setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type,
514 	unsigned char* key, size_t keylen)
515 {
516 	switch(algo) {
517 #if defined(USE_DSA) && defined(USE_SHA1)
518 		case LDNS_DSA:
519 		case LDNS_DSA_NSEC3:
520 			*evp_key = sldns_key_dsa2pkey_raw(key, keylen);
521 			if(!*evp_key) {
522 				verbose(VERB_QUERY, "verify: sldns_key_dsa2pkey failed");
523 				return 0;
524 			}
525 #ifdef HAVE_EVP_DSS1
526 			*digest_type = EVP_dss1();
527 #else
528 			*digest_type = EVP_sha1();
529 #endif
530 
531 			break;
532 #endif /* USE_DSA && USE_SHA1 */
533 
534 #if defined(USE_SHA1) || (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2))
535 #ifdef USE_SHA1
536 		case LDNS_RSASHA1:
537 		case LDNS_RSASHA1_NSEC3:
538 #endif
539 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
540 		case LDNS_RSASHA256:
541 #endif
542 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
543 		case LDNS_RSASHA512:
544 #endif
545 			*evp_key = sldns_key_rsa2pkey_raw(key, keylen);
546 			if(!*evp_key) {
547 				verbose(VERB_QUERY, "verify: sldns_key_rsa2pkey SHA failed");
548 				return 0;
549 			}
550 
551 			/* select SHA version */
552 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
553 			if(algo == LDNS_RSASHA256)
554 				*digest_type = EVP_sha256();
555 			else
556 #endif
557 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
558 				if(algo == LDNS_RSASHA512)
559 				*digest_type = EVP_sha512();
560 			else
561 #endif
562 #ifdef USE_SHA1
563 				*digest_type = EVP_sha1();
564 #else
565 				{ verbose(VERB_QUERY, "no digest available"); return 0; }
566 #endif
567 			break;
568 #endif /* defined(USE_SHA1) || (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2)) */
569 
570 		case LDNS_RSAMD5:
571 			*evp_key = sldns_key_rsa2pkey_raw(key, keylen);
572 			if(!*evp_key) {
573 				verbose(VERB_QUERY, "verify: sldns_key_rsa2pkey MD5 failed");
574 				return 0;
575 			}
576 			*digest_type = EVP_md5();
577 
578 			break;
579 #ifdef USE_GOST
580 		case LDNS_ECC_GOST:
581 			*evp_key = sldns_gost2pkey_raw(key, keylen);
582 			if(!*evp_key) {
583 				verbose(VERB_QUERY, "verify: "
584 					"sldns_gost2pkey_raw failed");
585 				return 0;
586 			}
587 			*digest_type = EVP_get_digestbyname("md_gost94");
588 			if(!*digest_type) {
589 				verbose(VERB_QUERY, "verify: "
590 					"EVP_getdigest md_gost94 failed");
591 				return 0;
592 			}
593 			break;
594 #endif
595 #ifdef USE_ECDSA
596 		case LDNS_ECDSAP256SHA256:
597 			*evp_key = sldns_ecdsa2pkey_raw(key, keylen,
598 				LDNS_ECDSAP256SHA256);
599 			if(!*evp_key) {
600 				verbose(VERB_QUERY, "verify: "
601 					"sldns_ecdsa2pkey_raw failed");
602 				return 0;
603 			}
604 #ifdef USE_ECDSA_EVP_WORKAROUND
605 			*digest_type = &ecdsa_evp_256_md;
606 #else
607 			*digest_type = EVP_sha256();
608 #endif
609 			break;
610 		case LDNS_ECDSAP384SHA384:
611 			*evp_key = sldns_ecdsa2pkey_raw(key, keylen,
612 				LDNS_ECDSAP384SHA384);
613 			if(!*evp_key) {
614 				verbose(VERB_QUERY, "verify: "
615 					"sldns_ecdsa2pkey_raw failed");
616 				return 0;
617 			}
618 #ifdef USE_ECDSA_EVP_WORKAROUND
619 			*digest_type = &ecdsa_evp_384_md;
620 #else
621 			*digest_type = EVP_sha384();
622 #endif
623 			break;
624 #endif /* USE_ECDSA */
625 #ifdef USE_ED25519
626 		case LDNS_ED25519:
627 			*evp_key = sldns_ed255192pkey_raw(key, keylen);
628 			if(!*evp_key) {
629 				verbose(VERB_QUERY, "verify: "
630 					"sldns_ed255192pkey_raw failed");
631 				return 0;
632 			}
633 			*digest_type = NULL;
634 			break;
635 #endif /* USE_ED25519 */
636 #ifdef USE_ED448
637 		case LDNS_ED448:
638 			*evp_key = sldns_ed4482pkey_raw(key, keylen);
639 			if(!*evp_key) {
640 				verbose(VERB_QUERY, "verify: "
641 					"sldns_ed4482pkey_raw failed");
642 				return 0;
643 			}
644 			*digest_type = NULL;
645 			break;
646 #endif /* USE_ED448 */
647 		default:
648 			verbose(VERB_QUERY, "verify: unknown algorithm %d",
649 				algo);
650 			return 0;
651 	}
652 	return 1;
653 }
654 
655 /**
656  * Check a canonical sig+rrset and signature against a dnskey
657  * @param buf: buffer with data to verify, the first rrsig part and the
658  *	canonicalized rrset.
659  * @param algo: DNSKEY algorithm.
660  * @param sigblock: signature rdata field from RRSIG
661  * @param sigblock_len: length of sigblock data.
662  * @param key: public key data from DNSKEY RR.
663  * @param keylen: length of keydata.
664  * @param reason: bogus reason in more detail.
665  * @return secure if verification succeeded, bogus on crypto failure,
666  *	unchecked on format errors and alloc failures.
667  */
668 enum sec_status
669 verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
670 	unsigned int sigblock_len, unsigned char* key, unsigned int keylen,
671 	char** reason)
672 {
673 	const EVP_MD *digest_type;
674 	EVP_MD_CTX* ctx;
675 	int res, dofree = 0, docrypto_free = 0;
676 	EVP_PKEY *evp_key = NULL;
677 
678 #ifndef USE_DSA
679 	if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) &&(fake_dsa||fake_sha1))
680 		return sec_status_secure;
681 #endif
682 #ifndef USE_SHA1
683 	if(fake_sha1 && (algo == LDNS_DSA || algo == LDNS_DSA_NSEC3 || algo == LDNS_RSASHA1 || algo == LDNS_RSASHA1_NSEC3))
684 		return sec_status_secure;
685 #endif
686 
687 	if(!setup_key_digest(algo, &evp_key, &digest_type, key, keylen)) {
688 		verbose(VERB_QUERY, "verify: failed to setup key");
689 		*reason = "use of key for crypto failed";
690 		EVP_PKEY_free(evp_key);
691 		return sec_status_bogus;
692 	}
693 #ifdef USE_DSA
694 	/* if it is a DSA signature in bind format, convert to DER format */
695 	if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) &&
696 		sigblock_len == 1+2*SHA_DIGEST_LENGTH) {
697 		if(!setup_dsa_sig(&sigblock, &sigblock_len)) {
698 			verbose(VERB_QUERY, "verify: failed to setup DSA sig");
699 			*reason = "use of key for DSA crypto failed";
700 			EVP_PKEY_free(evp_key);
701 			return sec_status_bogus;
702 		}
703 		docrypto_free = 1;
704 	}
705 #endif
706 #if defined(USE_ECDSA) && defined(USE_DSA)
707 	else
708 #endif
709 #ifdef USE_ECDSA
710 	if(algo == LDNS_ECDSAP256SHA256 || algo == LDNS_ECDSAP384SHA384) {
711 		/* EVP uses ASN prefix on sig, which is not in the wire data */
712 		if(!setup_ecdsa_sig(&sigblock, &sigblock_len)) {
713 			verbose(VERB_QUERY, "verify: failed to setup ECDSA sig");
714 			*reason = "use of signature for ECDSA crypto failed";
715 			EVP_PKEY_free(evp_key);
716 			return sec_status_bogus;
717 		}
718 		dofree = 1;
719 	}
720 #endif /* USE_ECDSA */
721 
722 	/* do the signature cryptography work */
723 #ifdef HAVE_EVP_MD_CTX_NEW
724 	ctx = EVP_MD_CTX_new();
725 #else
726 	ctx = (EVP_MD_CTX*)malloc(sizeof(*ctx));
727 	if(ctx) EVP_MD_CTX_init(ctx);
728 #endif
729 	if(!ctx) {
730 		log_err("EVP_MD_CTX_new: malloc failure");
731 		EVP_PKEY_free(evp_key);
732 		if(dofree) free(sigblock);
733 		else if(docrypto_free) OPENSSL_free(sigblock);
734 		return sec_status_unchecked;
735 	}
736 #ifndef HAVE_EVP_DIGESTVERIFY
737 	if(EVP_DigestInit(ctx, digest_type) == 0) {
738 		verbose(VERB_QUERY, "verify: EVP_DigestInit failed");
739 #ifdef HAVE_EVP_MD_CTX_NEW
740 		EVP_MD_CTX_destroy(ctx);
741 #else
742 		EVP_MD_CTX_cleanup(ctx);
743 		free(ctx);
744 #endif
745 		EVP_PKEY_free(evp_key);
746 		if(dofree) free(sigblock);
747 		else if(docrypto_free) OPENSSL_free(sigblock);
748 		return sec_status_unchecked;
749 	}
750 	if(EVP_DigestUpdate(ctx, (unsigned char*)sldns_buffer_begin(buf),
751 		(unsigned int)sldns_buffer_limit(buf)) == 0) {
752 		verbose(VERB_QUERY, "verify: EVP_DigestUpdate failed");
753 #ifdef HAVE_EVP_MD_CTX_NEW
754 		EVP_MD_CTX_destroy(ctx);
755 #else
756 		EVP_MD_CTX_cleanup(ctx);
757 		free(ctx);
758 #endif
759 		EVP_PKEY_free(evp_key);
760 		if(dofree) free(sigblock);
761 		else if(docrypto_free) OPENSSL_free(sigblock);
762 		return sec_status_unchecked;
763 	}
764 
765 	res = EVP_VerifyFinal(ctx, sigblock, sigblock_len, evp_key);
766 #else /* HAVE_EVP_DIGESTVERIFY */
767 	if(EVP_DigestVerifyInit(ctx, NULL, digest_type, NULL, evp_key) == 0) {
768 		verbose(VERB_QUERY, "verify: EVP_DigestVerifyInit failed");
769 #ifdef HAVE_EVP_MD_CTX_NEW
770 		EVP_MD_CTX_destroy(ctx);
771 #else
772 		EVP_MD_CTX_cleanup(ctx);
773 		free(ctx);
774 #endif
775 		EVP_PKEY_free(evp_key);
776 		if(dofree) free(sigblock);
777 		else if(docrypto_free) OPENSSL_free(sigblock);
778 		return sec_status_unchecked;
779 	}
780 	res = EVP_DigestVerify(ctx, sigblock, sigblock_len,
781 		(unsigned char*)sldns_buffer_begin(buf),
782 		sldns_buffer_limit(buf));
783 #endif
784 #ifdef HAVE_EVP_MD_CTX_NEW
785 	EVP_MD_CTX_destroy(ctx);
786 #else
787 	EVP_MD_CTX_cleanup(ctx);
788 	free(ctx);
789 #endif
790 	EVP_PKEY_free(evp_key);
791 
792 	if(dofree) free(sigblock);
793 	else if(docrypto_free) OPENSSL_free(sigblock);
794 
795 	if(res == 1) {
796 		return sec_status_secure;
797 	} else if(res == 0) {
798 		verbose(VERB_QUERY, "verify: signature mismatch");
799 		*reason = "signature crypto failed";
800 		return sec_status_bogus;
801 	}
802 
803 	log_crypto_error("verify:", ERR_get_error());
804 	return sec_status_unchecked;
805 }
806 
807 /**************************************************/
808 #elif defined(HAVE_NSS)
809 /* libnss implementation */
810 /* nss3 */
811 #include "sechash.h"
812 #include "pk11pub.h"
813 #include "keyhi.h"
814 #include "secerr.h"
815 #include "cryptohi.h"
816 /* nspr4 */
817 #include "prerror.h"
818 
819 /* return size of digest if supported, or 0 otherwise */
820 size_t
821 nsec3_hash_algo_size_supported(int id)
822 {
823 	switch(id) {
824 	case NSEC3_HASH_SHA1:
825 		return SHA1_LENGTH;
826 	default:
827 		return 0;
828 	}
829 }
830 
831 /* perform nsec3 hash. return false on failure */
832 int
833 secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
834         unsigned char* res)
835 {
836 	switch(algo) {
837 	case NSEC3_HASH_SHA1:
838 		(void)HASH_HashBuf(HASH_AlgSHA1, res, buf, (unsigned long)len);
839 		return 1;
840 	default:
841 		return 0;
842 	}
843 }
844 
845 void
846 secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res)
847 {
848 	(void)HASH_HashBuf(HASH_AlgSHA256, res, buf, (unsigned long)len);
849 }
850 
851 /** the secalgo hash structure */
852 struct secalgo_hash {
853 	/** hash context */
854 	HASHContext* ctx;
855 };
856 
857 /** create hash struct of type */
858 static struct secalgo_hash* secalgo_hash_create_type(HASH_HashType tp)
859 {
860 	struct secalgo_hash* h = calloc(1, sizeof(*h));
861 	if(!h)
862 		return NULL;
863 	h->ctx = HASH_Create(tp);
864 	if(!h->ctx) {
865 		free(h);
866 		return NULL;
867 	}
868 	return h;
869 }
870 
871 struct secalgo_hash* secalgo_hash_create_sha384(void)
872 {
873 	return secalgo_hash_create_type(HASH_AlgSHA384);
874 }
875 
876 struct secalgo_hash* secalgo_hash_create_sha512(void)
877 {
878 	return secalgo_hash_create_type(HASH_AlgSHA512);
879 }
880 
881 int secalgo_hash_update(struct secalgo_hash* hash, uint8_t* data, size_t len)
882 {
883 	HASH_Update(hash->ctx, (unsigned char*)data, (unsigned int)len);
884 	return 1;
885 }
886 
887 int secalgo_hash_final(struct secalgo_hash* hash, uint8_t* result,
888         size_t maxlen, size_t* resultlen)
889 {
890 	unsigned int reslen = 0;
891 	if(HASH_ResultLenContext(hash->ctx) > (unsigned int)maxlen) {
892 		*resultlen = 0;
893 		log_err("secalgo_hash_final: hash buffer too small");
894 		return 0;
895 	}
896 	HASH_End(hash->ctx, (unsigned char*)result, &reslen,
897 		(unsigned int)maxlen);
898 	*resultlen = (size_t)reslen;
899 	return 1;
900 }
901 
902 void secalgo_hash_delete(struct secalgo_hash* hash)
903 {
904 	if(!hash) return;
905 	HASH_Destroy(hash->ctx);
906 	free(hash);
907 }
908 
909 size_t
910 ds_digest_size_supported(int algo)
911 {
912 	/* uses libNSS */
913 	switch(algo) {
914 #ifdef USE_SHA1
915 		case LDNS_SHA1:
916 			return SHA1_LENGTH;
917 #endif
918 #ifdef USE_SHA2
919 		case LDNS_SHA256:
920 			return SHA256_LENGTH;
921 #endif
922 #ifdef USE_ECDSA
923 		case LDNS_SHA384:
924 			return SHA384_LENGTH;
925 #endif
926 		/* GOST not supported in NSS */
927 		case LDNS_HASH_GOST:
928 		default: break;
929 	}
930 	return 0;
931 }
932 
933 int
934 secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
935 	unsigned char* res)
936 {
937 	/* uses libNSS */
938 	switch(algo) {
939 #ifdef USE_SHA1
940 		case LDNS_SHA1:
941 			return HASH_HashBuf(HASH_AlgSHA1, res, buf, len)
942 				== SECSuccess;
943 #endif
944 #if defined(USE_SHA2)
945 		case LDNS_SHA256:
946 			return HASH_HashBuf(HASH_AlgSHA256, res, buf, len)
947 				== SECSuccess;
948 #endif
949 #ifdef USE_ECDSA
950 		case LDNS_SHA384:
951 			return HASH_HashBuf(HASH_AlgSHA384, res, buf, len)
952 				== SECSuccess;
953 #endif
954 		case LDNS_HASH_GOST:
955 		default:
956 			verbose(VERB_QUERY, "unknown DS digest algorithm %d",
957 				algo);
958 			break;
959 	}
960 	return 0;
961 }
962 
963 int
964 dnskey_algo_id_is_supported(int id)
965 {
966 	/* uses libNSS */
967 	switch(id) {
968 	case LDNS_RSAMD5:
969 		/* RFC 6725 deprecates RSAMD5 */
970 		return 0;
971 #if defined(USE_SHA1) || defined(USE_SHA2)
972 #if defined(USE_DSA) && defined(USE_SHA1)
973 	case LDNS_DSA:
974 	case LDNS_DSA_NSEC3:
975 #endif
976 #ifdef USE_SHA1
977 	case LDNS_RSASHA1:
978 	case LDNS_RSASHA1_NSEC3:
979 #endif
980 #ifdef USE_SHA2
981 	case LDNS_RSASHA256:
982 #endif
983 #ifdef USE_SHA2
984 	case LDNS_RSASHA512:
985 #endif
986 		return 1;
987 #endif /* SHA1 or SHA2 */
988 
989 #ifdef USE_ECDSA
990 	case LDNS_ECDSAP256SHA256:
991 	case LDNS_ECDSAP384SHA384:
992 		return PK11_TokenExists(CKM_ECDSA);
993 #endif
994 	case LDNS_ECC_GOST:
995 	default:
996 		return 0;
997 	}
998 }
999 
1000 /* return a new public key for NSS */
1001 static SECKEYPublicKey* nss_key_create(KeyType ktype)
1002 {
1003 	SECKEYPublicKey* key;
1004 	PLArenaPool* arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
1005 	if(!arena) {
1006 		log_err("out of memory, PORT_NewArena failed");
1007 		return NULL;
1008 	}
1009 	key = PORT_ArenaZNew(arena, SECKEYPublicKey);
1010 	if(!key) {
1011 		log_err("out of memory, PORT_ArenaZNew failed");
1012 		PORT_FreeArena(arena, PR_FALSE);
1013 		return NULL;
1014 	}
1015 	key->arena = arena;
1016 	key->keyType = ktype;
1017 	key->pkcs11Slot = NULL;
1018 	key->pkcs11ID = CK_INVALID_HANDLE;
1019 	return key;
1020 }
1021 
1022 static SECKEYPublicKey* nss_buf2ecdsa(unsigned char* key, size_t len, int algo)
1023 {
1024 	SECKEYPublicKey* pk;
1025 	SECItem pub = {siBuffer, NULL, 0};
1026 	SECItem params = {siBuffer, NULL, 0};
1027 	static unsigned char param256[] = {
1028 		/* OBJECTIDENTIFIER 1.2.840.10045.3.1.7 (P-256)
1029 		 * {iso(1) member-body(2) us(840) ansi-x962(10045) curves(3) prime(1) prime256v1(7)} */
1030 		0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07
1031 	};
1032 	static unsigned char param384[] = {
1033 		/* OBJECTIDENTIFIER 1.3.132.0.34 (P-384)
1034 		 * {iso(1) identified-organization(3) certicom(132) curve(0) ansip384r1(34)} */
1035 		0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22
1036 	};
1037 	unsigned char buf[256+2]; /* sufficient for 2*384/8+1 */
1038 
1039 	/* check length, which uncompressed must be 2 bignums */
1040 	if(algo == LDNS_ECDSAP256SHA256) {
1041 		if(len != 2*256/8) return NULL;
1042 		/* ECCurve_X9_62_PRIME_256V1 */
1043 	} else if(algo == LDNS_ECDSAP384SHA384) {
1044 		if(len != 2*384/8) return NULL;
1045 		/* ECCurve_X9_62_PRIME_384R1 */
1046 	} else    return NULL;
1047 
1048 	buf[0] = 0x04; /* POINT_FORM_UNCOMPRESSED */
1049 	memmove(buf+1, key, len);
1050 	pub.data = buf;
1051 	pub.len = len+1;
1052 	if(algo == LDNS_ECDSAP256SHA256) {
1053 		params.data = param256;
1054 		params.len = sizeof(param256);
1055 	} else {
1056 		params.data = param384;
1057 		params.len = sizeof(param384);
1058 	}
1059 
1060 	pk = nss_key_create(ecKey);
1061 	if(!pk)
1062 		return NULL;
1063 	pk->u.ec.size = (len/2)*8;
1064 	if(SECITEM_CopyItem(pk->arena, &pk->u.ec.publicValue, &pub)) {
1065 		SECKEY_DestroyPublicKey(pk);
1066 		return NULL;
1067 	}
1068 	if(SECITEM_CopyItem(pk->arena, &pk->u.ec.DEREncodedParams, &params)) {
1069 		SECKEY_DestroyPublicKey(pk);
1070 		return NULL;
1071 	}
1072 
1073 	return pk;
1074 }
1075 
1076 #if defined(USE_DSA) && defined(USE_SHA1)
1077 static SECKEYPublicKey* nss_buf2dsa(unsigned char* key, size_t len)
1078 {
1079 	SECKEYPublicKey* pk;
1080 	uint8_t T;
1081 	uint16_t length;
1082 	uint16_t offset;
1083 	SECItem Q = {siBuffer, NULL, 0};
1084 	SECItem P = {siBuffer, NULL, 0};
1085 	SECItem G = {siBuffer, NULL, 0};
1086 	SECItem Y = {siBuffer, NULL, 0};
1087 
1088 	if(len == 0)
1089 		return NULL;
1090 	T = (uint8_t)key[0];
1091 	length = (64 + T * 8);
1092 	offset = 1;
1093 
1094 	if (T > 8) {
1095 		return NULL;
1096 	}
1097 	if(len < (size_t)1 + SHA1_LENGTH + 3*length)
1098 		return NULL;
1099 
1100 	Q.data = key+offset;
1101 	Q.len = SHA1_LENGTH;
1102 	offset += SHA1_LENGTH;
1103 
1104 	P.data = key+offset;
1105 	P.len = length;
1106 	offset += length;
1107 
1108 	G.data = key+offset;
1109 	G.len = length;
1110 	offset += length;
1111 
1112 	Y.data = key+offset;
1113 	Y.len = length;
1114 	offset += length;
1115 
1116 	pk = nss_key_create(dsaKey);
1117 	if(!pk)
1118 		return NULL;
1119 	if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.prime, &P)) {
1120 		SECKEY_DestroyPublicKey(pk);
1121 		return NULL;
1122 	}
1123 	if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.subPrime, &Q)) {
1124 		SECKEY_DestroyPublicKey(pk);
1125 		return NULL;
1126 	}
1127 	if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.base, &G)) {
1128 		SECKEY_DestroyPublicKey(pk);
1129 		return NULL;
1130 	}
1131 	if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.publicValue, &Y)) {
1132 		SECKEY_DestroyPublicKey(pk);
1133 		return NULL;
1134 	}
1135 	return pk;
1136 }
1137 #endif /* USE_DSA && USE_SHA1 */
1138 
1139 static SECKEYPublicKey* nss_buf2rsa(unsigned char* key, size_t len)
1140 {
1141 	SECKEYPublicKey* pk;
1142 	uint16_t exp;
1143 	uint16_t offset;
1144 	uint16_t int16;
1145 	SECItem modulus = {siBuffer, NULL, 0};
1146 	SECItem exponent = {siBuffer, NULL, 0};
1147 	if(len == 0)
1148 		return NULL;
1149 	if(key[0] == 0) {
1150 		if(len < 3)
1151 			return NULL;
1152 		/* the exponent is too large so it's places further */
1153 		memmove(&int16, key+1, 2);
1154 		exp = ntohs(int16);
1155 		offset = 3;
1156 	} else {
1157 		exp = key[0];
1158 		offset = 1;
1159 	}
1160 
1161 	/* key length at least one */
1162 	if(len < (size_t)offset + exp + 1)
1163 		return NULL;
1164 
1165 	exponent.data = key+offset;
1166 	exponent.len = exp;
1167 	offset += exp;
1168 	modulus.data = key+offset;
1169 	modulus.len = (len - offset);
1170 
1171 	pk = nss_key_create(rsaKey);
1172 	if(!pk)
1173 		return NULL;
1174 	if(SECITEM_CopyItem(pk->arena, &pk->u.rsa.modulus, &modulus)) {
1175 		SECKEY_DestroyPublicKey(pk);
1176 		return NULL;
1177 	}
1178 	if(SECITEM_CopyItem(pk->arena, &pk->u.rsa.publicExponent, &exponent)) {
1179 		SECKEY_DestroyPublicKey(pk);
1180 		return NULL;
1181 	}
1182 	return pk;
1183 }
1184 
1185 /**
1186  * Setup key and digest for verification. Adjust sig if necessary.
1187  *
1188  * @param algo: key algorithm
1189  * @param evp_key: EVP PKEY public key to create.
1190  * @param digest_type: digest type to use
1191  * @param key: key to setup for.
1192  * @param keylen: length of key.
1193  * @param prefix: if returned, the ASN prefix for the hashblob.
1194  * @param prefixlen: length of the prefix.
1195  * @return false on failure.
1196  */
1197 static int
1198 nss_setup_key_digest(int algo, SECKEYPublicKey** pubkey, HASH_HashType* htype,
1199 	unsigned char* key, size_t keylen, unsigned char** prefix,
1200 	size_t* prefixlen)
1201 {
1202 	/* uses libNSS */
1203 
1204 	/* hash prefix for md5, RFC2537 */
1205 	static unsigned char p_md5[] = {0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a,
1206 	0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 0x04, 0x10};
1207 	/* hash prefix to prepend to hash output, from RFC3110 */
1208 	static unsigned char p_sha1[] = {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B,
1209 		0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14};
1210 	/* from RFC5702 */
1211 	static unsigned char p_sha256[] = {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60,
1212 	0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20};
1213 	static unsigned char p_sha512[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60,
1214 	0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40};
1215 	/* from RFC6234 */
1216 	/* for future RSASHA384 ..
1217 	static unsigned char p_sha384[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60,
1218 	0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30};
1219 	*/
1220 
1221 	switch(algo) {
1222 
1223 #if defined(USE_SHA1) || defined(USE_SHA2)
1224 #if defined(USE_DSA) && defined(USE_SHA1)
1225 		case LDNS_DSA:
1226 		case LDNS_DSA_NSEC3:
1227 			*pubkey = nss_buf2dsa(key, keylen);
1228 			if(!*pubkey) {
1229 				log_err("verify: malloc failure in crypto");
1230 				return 0;
1231 			}
1232 			*htype = HASH_AlgSHA1;
1233 			/* no prefix for DSA verification */
1234 			break;
1235 #endif
1236 #ifdef USE_SHA1
1237 		case LDNS_RSASHA1:
1238 		case LDNS_RSASHA1_NSEC3:
1239 #endif
1240 #ifdef USE_SHA2
1241 		case LDNS_RSASHA256:
1242 #endif
1243 #ifdef USE_SHA2
1244 		case LDNS_RSASHA512:
1245 #endif
1246 			*pubkey = nss_buf2rsa(key, keylen);
1247 			if(!*pubkey) {
1248 				log_err("verify: malloc failure in crypto");
1249 				return 0;
1250 			}
1251 			/* select SHA version */
1252 #ifdef USE_SHA2
1253 			if(algo == LDNS_RSASHA256) {
1254 				*htype = HASH_AlgSHA256;
1255 				*prefix = p_sha256;
1256 				*prefixlen = sizeof(p_sha256);
1257 			} else
1258 #endif
1259 #ifdef USE_SHA2
1260 				if(algo == LDNS_RSASHA512) {
1261 				*htype = HASH_AlgSHA512;
1262 				*prefix = p_sha512;
1263 				*prefixlen = sizeof(p_sha512);
1264 			} else
1265 #endif
1266 #ifdef USE_SHA1
1267 			{
1268 				*htype = HASH_AlgSHA1;
1269 				*prefix = p_sha1;
1270 				*prefixlen = sizeof(p_sha1);
1271 			}
1272 #else
1273 			{
1274 				verbose(VERB_QUERY, "verify: no digest algo");
1275 				return 0;
1276 			}
1277 #endif
1278 
1279 			break;
1280 #endif /* SHA1 or SHA2 */
1281 
1282 		case LDNS_RSAMD5:
1283 			*pubkey = nss_buf2rsa(key, keylen);
1284 			if(!*pubkey) {
1285 				log_err("verify: malloc failure in crypto");
1286 				return 0;
1287 			}
1288 			*htype = HASH_AlgMD5;
1289 			*prefix = p_md5;
1290 			*prefixlen = sizeof(p_md5);
1291 
1292 			break;
1293 #ifdef USE_ECDSA
1294 		case LDNS_ECDSAP256SHA256:
1295 			*pubkey = nss_buf2ecdsa(key, keylen,
1296 				LDNS_ECDSAP256SHA256);
1297 			if(!*pubkey) {
1298 				log_err("verify: malloc failure in crypto");
1299 				return 0;
1300 			}
1301 			*htype = HASH_AlgSHA256;
1302 			/* no prefix for DSA verification */
1303 			break;
1304 		case LDNS_ECDSAP384SHA384:
1305 			*pubkey = nss_buf2ecdsa(key, keylen,
1306 				LDNS_ECDSAP384SHA384);
1307 			if(!*pubkey) {
1308 				log_err("verify: malloc failure in crypto");
1309 				return 0;
1310 			}
1311 			*htype = HASH_AlgSHA384;
1312 			/* no prefix for DSA verification */
1313 			break;
1314 #endif /* USE_ECDSA */
1315 		case LDNS_ECC_GOST:
1316 		default:
1317 			verbose(VERB_QUERY, "verify: unknown algorithm %d",
1318 				algo);
1319 			return 0;
1320 	}
1321 	return 1;
1322 }
1323 
1324 /**
1325  * Check a canonical sig+rrset and signature against a dnskey
1326  * @param buf: buffer with data to verify, the first rrsig part and the
1327  *	canonicalized rrset.
1328  * @param algo: DNSKEY algorithm.
1329  * @param sigblock: signature rdata field from RRSIG
1330  * @param sigblock_len: length of sigblock data.
1331  * @param key: public key data from DNSKEY RR.
1332  * @param keylen: length of keydata.
1333  * @param reason: bogus reason in more detail.
1334  * @return secure if verification succeeded, bogus on crypto failure,
1335  *	unchecked on format errors and alloc failures.
1336  */
1337 enum sec_status
1338 verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
1339 	unsigned int sigblock_len, unsigned char* key, unsigned int keylen,
1340 	char** reason)
1341 {
1342 	/* uses libNSS */
1343 	/* large enough for the different hashes */
1344 	unsigned char hash[HASH_LENGTH_MAX];
1345 	unsigned char hash2[HASH_LENGTH_MAX*2];
1346 	HASH_HashType htype = 0;
1347 	SECKEYPublicKey* pubkey = NULL;
1348 	SECItem secsig = {siBuffer, sigblock, sigblock_len};
1349 	SECItem sechash = {siBuffer, hash, 0};
1350 	SECStatus res;
1351 	unsigned char* prefix = NULL; /* prefix for hash, RFC3110, RFC5702 */
1352 	size_t prefixlen = 0;
1353 	int err;
1354 
1355 	if(!nss_setup_key_digest(algo, &pubkey, &htype, key, keylen,
1356 		&prefix, &prefixlen)) {
1357 		verbose(VERB_QUERY, "verify: failed to setup key");
1358 		*reason = "use of key for crypto failed";
1359 		SECKEY_DestroyPublicKey(pubkey);
1360 		return sec_status_bogus;
1361 	}
1362 
1363 #if defined(USE_DSA) && defined(USE_SHA1)
1364 	/* need to convert DSA, ECDSA signatures? */
1365 	if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3)) {
1366 		if(sigblock_len == 1+2*SHA1_LENGTH) {
1367 			secsig.data ++;
1368 			secsig.len --;
1369 		} else {
1370 			SECItem* p = DSAU_DecodeDerSig(&secsig);
1371 			if(!p) {
1372 				verbose(VERB_QUERY, "verify: failed DER decode");
1373 				*reason = "signature DER decode failed";
1374 				SECKEY_DestroyPublicKey(pubkey);
1375 				return sec_status_bogus;
1376 			}
1377 			if(SECITEM_CopyItem(pubkey->arena, &secsig, p)) {
1378 				log_err("alloc failure in DER decode");
1379 				SECKEY_DestroyPublicKey(pubkey);
1380 				SECITEM_FreeItem(p, PR_TRUE);
1381 				return sec_status_unchecked;
1382 			}
1383 			SECITEM_FreeItem(p, PR_TRUE);
1384 		}
1385 	}
1386 #endif /* USE_DSA */
1387 
1388 	/* do the signature cryptography work */
1389 	/* hash the data */
1390 	sechash.len = HASH_ResultLen(htype);
1391 	if(sechash.len > sizeof(hash)) {
1392 		verbose(VERB_QUERY, "verify: hash too large for buffer");
1393 		SECKEY_DestroyPublicKey(pubkey);
1394 		return sec_status_unchecked;
1395 	}
1396 	if(HASH_HashBuf(htype, hash, (unsigned char*)sldns_buffer_begin(buf),
1397 		(unsigned int)sldns_buffer_limit(buf)) != SECSuccess) {
1398 		verbose(VERB_QUERY, "verify: HASH_HashBuf failed");
1399 		SECKEY_DestroyPublicKey(pubkey);
1400 		return sec_status_unchecked;
1401 	}
1402 	if(prefix) {
1403 		int hashlen = sechash.len;
1404 		if(prefixlen+hashlen > sizeof(hash2)) {
1405 			verbose(VERB_QUERY, "verify: hashprefix too large");
1406 			SECKEY_DestroyPublicKey(pubkey);
1407 			return sec_status_unchecked;
1408 		}
1409 		sechash.data = hash2;
1410 		sechash.len = prefixlen+hashlen;
1411 		memcpy(sechash.data, prefix, prefixlen);
1412 		memmove(sechash.data+prefixlen, hash, hashlen);
1413 	}
1414 
1415 	/* verify the signature */
1416 	res = PK11_Verify(pubkey, &secsig, &sechash, NULL /*wincx*/);
1417 	SECKEY_DestroyPublicKey(pubkey);
1418 
1419 	if(res == SECSuccess) {
1420 		return sec_status_secure;
1421 	}
1422 	err = PORT_GetError();
1423 	if(err != SEC_ERROR_BAD_SIGNATURE) {
1424 		/* failed to verify */
1425 		verbose(VERB_QUERY, "verify: PK11_Verify failed: %s",
1426 			PORT_ErrorToString(err));
1427 		/* if it is not supported, like ECC is removed, we get,
1428 		 * SEC_ERROR_NO_MODULE */
1429 		if(err == SEC_ERROR_NO_MODULE)
1430 			return sec_status_unchecked;
1431 		/* but other errors are commonly returned
1432 		 * for a bad signature from NSS.  Thus we return bogus,
1433 		 * not unchecked */
1434 		*reason = "signature crypto failed";
1435 		return sec_status_bogus;
1436 	}
1437 	verbose(VERB_QUERY, "verify: signature mismatch: %s",
1438 		PORT_ErrorToString(err));
1439 	*reason = "signature crypto failed";
1440 	return sec_status_bogus;
1441 }
1442 
1443 #elif defined(HAVE_NETTLE)
1444 
1445 #include "sha.h"
1446 #include "bignum.h"
1447 #include "macros.h"
1448 #include "rsa.h"
1449 #include "dsa.h"
1450 #ifdef HAVE_NETTLE_DSA_COMPAT_H
1451 #include "dsa-compat.h"
1452 #endif
1453 #include "asn1.h"
1454 #ifdef USE_ECDSA
1455 #include "ecdsa.h"
1456 #include "ecc-curve.h"
1457 #endif
1458 #ifdef HAVE_NETTLE_EDDSA_H
1459 #include "eddsa.h"
1460 #endif
1461 
1462 static int
1463 _digest_nettle(int algo, uint8_t* buf, size_t len,
1464 	unsigned char* res)
1465 {
1466 	switch(algo) {
1467 		case SHA1_DIGEST_SIZE:
1468 		{
1469 			struct sha1_ctx ctx;
1470 			sha1_init(&ctx);
1471 			sha1_update(&ctx, len, buf);
1472 			sha1_digest(&ctx, SHA1_DIGEST_SIZE, res);
1473 			return 1;
1474 		}
1475 		case SHA256_DIGEST_SIZE:
1476 		{
1477 			struct sha256_ctx ctx;
1478 			sha256_init(&ctx);
1479 			sha256_update(&ctx, len, buf);
1480 			sha256_digest(&ctx, SHA256_DIGEST_SIZE, res);
1481 			return 1;
1482 		}
1483 		case SHA384_DIGEST_SIZE:
1484 		{
1485 			struct sha384_ctx ctx;
1486 			sha384_init(&ctx);
1487 			sha384_update(&ctx, len, buf);
1488 			sha384_digest(&ctx, SHA384_DIGEST_SIZE, res);
1489 			return 1;
1490 		}
1491 		case SHA512_DIGEST_SIZE:
1492 		{
1493 			struct sha512_ctx ctx;
1494 			sha512_init(&ctx);
1495 			sha512_update(&ctx, len, buf);
1496 			sha512_digest(&ctx, SHA512_DIGEST_SIZE, res);
1497 			return 1;
1498 		}
1499 		default:
1500 			break;
1501 	}
1502 	return 0;
1503 }
1504 
1505 /* return size of digest if supported, or 0 otherwise */
1506 size_t
1507 nsec3_hash_algo_size_supported(int id)
1508 {
1509 	switch(id) {
1510 	case NSEC3_HASH_SHA1:
1511 		return SHA1_DIGEST_SIZE;
1512 	default:
1513 		return 0;
1514 	}
1515 }
1516 
1517 /* perform nsec3 hash. return false on failure */
1518 int
1519 secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
1520         unsigned char* res)
1521 {
1522 	switch(algo) {
1523 	case NSEC3_HASH_SHA1:
1524 		return _digest_nettle(SHA1_DIGEST_SIZE, (uint8_t*)buf, len,
1525 			res);
1526 	default:
1527 		return 0;
1528 	}
1529 }
1530 
1531 void
1532 secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res)
1533 {
1534 	_digest_nettle(SHA256_DIGEST_SIZE, (uint8_t*)buf, len, res);
1535 }
1536 
1537 /** secalgo hash structure */
1538 struct secalgo_hash {
1539 	/** if it is 384 or 512 */
1540 	int active;
1541 	/** context for sha384 */
1542 	struct sha384_ctx ctx384;
1543 	/** context for sha512 */
1544 	struct sha512_ctx ctx512;
1545 };
1546 
1547 struct secalgo_hash* secalgo_hash_create_sha384(void)
1548 {
1549 	struct secalgo_hash* h = calloc(1, sizeof(*h));
1550 	if(!h)
1551 		return NULL;
1552 	h->active = 384;
1553 	sha384_init(&h->ctx384);
1554 	return h;
1555 }
1556 
1557 struct secalgo_hash* secalgo_hash_create_sha512(void)
1558 {
1559 	struct secalgo_hash* h = calloc(1, sizeof(*h));
1560 	if(!h)
1561 		return NULL;
1562 	h->active = 512;
1563 	sha512_init(&h->ctx512);
1564 	return h;
1565 }
1566 
1567 int secalgo_hash_update(struct secalgo_hash* hash, uint8_t* data, size_t len)
1568 {
1569 	if(hash->active == 384) {
1570 		sha384_update(&hash->ctx384, len, data);
1571 	} else if(hash->active == 512) {
1572 		sha512_update(&hash->ctx512, len, data);
1573 	} else {
1574 		return 0;
1575 	}
1576 	return 1;
1577 }
1578 
1579 int secalgo_hash_final(struct secalgo_hash* hash, uint8_t* result,
1580         size_t maxlen, size_t* resultlen)
1581 {
1582 	if(hash->active == 384) {
1583 		if(SHA384_DIGEST_SIZE > maxlen) {
1584 			*resultlen = 0;
1585 			log_err("secalgo_hash_final: hash buffer too small");
1586 			return 0;
1587 		}
1588 		*resultlen = SHA384_DIGEST_SIZE;
1589 		sha384_digest(&hash->ctx384, SHA384_DIGEST_SIZE,
1590 			(unsigned char*)result);
1591 	} else if(hash->active == 512) {
1592 		if(SHA512_DIGEST_SIZE > maxlen) {
1593 			*resultlen = 0;
1594 			log_err("secalgo_hash_final: hash buffer too small");
1595 			return 0;
1596 		}
1597 		*resultlen = SHA512_DIGEST_SIZE;
1598 		sha512_digest(&hash->ctx512, SHA512_DIGEST_SIZE,
1599 			(unsigned char*)result);
1600 	} else {
1601 		*resultlen = 0;
1602 		return 0;
1603 	}
1604 	return 1;
1605 }
1606 
1607 void secalgo_hash_delete(struct secalgo_hash* hash)
1608 {
1609 	if(!hash) return;
1610 	free(hash);
1611 }
1612 
1613 /**
1614  * Return size of DS digest according to its hash algorithm.
1615  * @param algo: DS digest algo.
1616  * @return size in bytes of digest, or 0 if not supported.
1617  */
1618 size_t
1619 ds_digest_size_supported(int algo)
1620 {
1621 	switch(algo) {
1622 		case LDNS_SHA1:
1623 #ifdef USE_SHA1
1624 			return SHA1_DIGEST_SIZE;
1625 #else
1626 			if(fake_sha1) return 20;
1627 			return 0;
1628 #endif
1629 #ifdef USE_SHA2
1630 		case LDNS_SHA256:
1631 			return SHA256_DIGEST_SIZE;
1632 #endif
1633 #ifdef USE_ECDSA
1634 		case LDNS_SHA384:
1635 			return SHA384_DIGEST_SIZE;
1636 #endif
1637 		/* GOST not supported */
1638 		case LDNS_HASH_GOST:
1639 		default:
1640 			break;
1641 	}
1642 	return 0;
1643 }
1644 
1645 int
1646 secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
1647 	unsigned char* res)
1648 {
1649 	switch(algo) {
1650 #ifdef USE_SHA1
1651 		case LDNS_SHA1:
1652 			return _digest_nettle(SHA1_DIGEST_SIZE, buf, len, res);
1653 #endif
1654 #if defined(USE_SHA2)
1655 		case LDNS_SHA256:
1656 			return _digest_nettle(SHA256_DIGEST_SIZE, buf, len, res);
1657 #endif
1658 #ifdef USE_ECDSA
1659 		case LDNS_SHA384:
1660 			return _digest_nettle(SHA384_DIGEST_SIZE, buf, len, res);
1661 
1662 #endif
1663 		case LDNS_HASH_GOST:
1664 		default:
1665 			verbose(VERB_QUERY, "unknown DS digest algorithm %d",
1666 				algo);
1667 			break;
1668 	}
1669 	return 0;
1670 }
1671 
1672 int
1673 dnskey_algo_id_is_supported(int id)
1674 {
1675 	/* uses libnettle */
1676 	switch(id) {
1677 	case LDNS_DSA:
1678 	case LDNS_DSA_NSEC3:
1679 #if defined(USE_DSA) && defined(USE_SHA1)
1680 		return 1;
1681 #else
1682 		if(fake_dsa || fake_sha1) return 1;
1683 		return 0;
1684 #endif
1685 	case LDNS_RSASHA1:
1686 	case LDNS_RSASHA1_NSEC3:
1687 #ifdef USE_SHA1
1688 		return 1;
1689 #else
1690 		if(fake_sha1) return 1;
1691 		return 0;
1692 #endif
1693 #ifdef USE_SHA2
1694 	case LDNS_RSASHA256:
1695 	case LDNS_RSASHA512:
1696 #endif
1697 #ifdef USE_ECDSA
1698 	case LDNS_ECDSAP256SHA256:
1699 	case LDNS_ECDSAP384SHA384:
1700 #endif
1701 		return 1;
1702 #ifdef USE_ED25519
1703 	case LDNS_ED25519:
1704 		return 1;
1705 #endif
1706 	case LDNS_RSAMD5: /* RFC 6725 deprecates RSAMD5 */
1707 	case LDNS_ECC_GOST:
1708 	default:
1709 		return 0;
1710 	}
1711 }
1712 
1713 #if defined(USE_DSA) && defined(USE_SHA1)
1714 static char *
1715 _verify_nettle_dsa(sldns_buffer* buf, unsigned char* sigblock,
1716 	unsigned int sigblock_len, unsigned char* key, unsigned int keylen)
1717 {
1718 	uint8_t digest[SHA1_DIGEST_SIZE];
1719 	uint8_t key_t_value;
1720 	int res = 0;
1721 	size_t offset;
1722 	struct dsa_public_key pubkey;
1723 	struct dsa_signature signature;
1724 	unsigned int expected_len;
1725 
1726 	/* Extract DSA signature from the record */
1727 	nettle_dsa_signature_init(&signature);
1728 	/* Signature length: 41 bytes - RFC 2536 sec. 3 */
1729 	if(sigblock_len == 41) {
1730 		if(key[0] != sigblock[0])
1731 			return "invalid T value in DSA signature or pubkey";
1732 		nettle_mpz_set_str_256_u(signature.r, 20, sigblock+1);
1733 		nettle_mpz_set_str_256_u(signature.s, 20, sigblock+1+20);
1734 	} else {
1735 		/* DER encoded, decode the ASN1 notated R and S bignums */
1736 		/* SEQUENCE { r INTEGER, s INTEGER } */
1737 		struct asn1_der_iterator i, seq;
1738 		if(asn1_der_iterator_first(&i, sigblock_len,
1739 			(uint8_t*)sigblock) != ASN1_ITERATOR_CONSTRUCTED
1740 			|| i.type != ASN1_SEQUENCE)
1741 			return "malformed DER encoded DSA signature";
1742 		/* decode this element of i using the seq iterator */
1743 		if(asn1_der_decode_constructed(&i, &seq) !=
1744 			ASN1_ITERATOR_PRIMITIVE || seq.type != ASN1_INTEGER)
1745 			return "malformed DER encoded DSA signature";
1746 		if(!asn1_der_get_bignum(&seq, signature.r, 20*8))
1747 			return "malformed DER encoded DSA signature";
1748 		if(asn1_der_iterator_next(&seq) != ASN1_ITERATOR_PRIMITIVE
1749 			|| seq.type != ASN1_INTEGER)
1750 			return "malformed DER encoded DSA signature";
1751 		if(!asn1_der_get_bignum(&seq, signature.s, 20*8))
1752 			return "malformed DER encoded DSA signature";
1753 		if(asn1_der_iterator_next(&i) != ASN1_ITERATOR_END)
1754 			return "malformed DER encoded DSA signature";
1755 	}
1756 
1757 	/* Validate T values constraints - RFC 2536 sec. 2 & sec. 3 */
1758 	key_t_value = key[0];
1759 	if (key_t_value > 8) {
1760 		return "invalid T value in DSA pubkey";
1761 	}
1762 
1763 	/* Pubkey minimum length: 21 bytes - RFC 2536 sec. 2 */
1764 	if (keylen < 21) {
1765 		return "DSA pubkey too short";
1766 	}
1767 
1768 	expected_len =   1 +		/* T */
1769 		        20 +		/* Q */
1770 		       (64 + key_t_value*8) +	/* P */
1771 		       (64 + key_t_value*8) +	/* G */
1772 		       (64 + key_t_value*8);	/* Y */
1773 	if (keylen != expected_len ) {
1774 		return "invalid DSA pubkey length";
1775 	}
1776 
1777 	/* Extract DSA pubkey from the record */
1778 	nettle_dsa_public_key_init(&pubkey);
1779 	offset = 1;
1780 	nettle_mpz_set_str_256_u(pubkey.q, 20, key+offset);
1781 	offset += 20;
1782 	nettle_mpz_set_str_256_u(pubkey.p, (64 + key_t_value*8), key+offset);
1783 	offset += (64 + key_t_value*8);
1784 	nettle_mpz_set_str_256_u(pubkey.g, (64 + key_t_value*8), key+offset);
1785 	offset += (64 + key_t_value*8);
1786 	nettle_mpz_set_str_256_u(pubkey.y, (64 + key_t_value*8), key+offset);
1787 
1788 	/* Digest content of "buf" and verify its DSA signature in "sigblock"*/
1789 	res = _digest_nettle(SHA1_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1790 						(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1791 	res &= dsa_sha1_verify_digest(&pubkey, digest, &signature);
1792 
1793 	/* Clear and return */
1794 	nettle_dsa_signature_clear(&signature);
1795 	nettle_dsa_public_key_clear(&pubkey);
1796 	if (!res)
1797 		return "DSA signature verification failed";
1798 	else
1799 		return NULL;
1800 }
1801 #endif /* USE_DSA */
1802 
1803 static char *
1804 _verify_nettle_rsa(sldns_buffer* buf, unsigned int digest_size, char* sigblock,
1805 	unsigned int sigblock_len, uint8_t* key, unsigned int keylen)
1806 {
1807 	uint16_t exp_len = 0;
1808 	size_t exp_offset = 0, mod_offset = 0;
1809 	struct rsa_public_key pubkey;
1810 	mpz_t signature;
1811 	int res = 0;
1812 
1813 	/* RSA pubkey parsing as per RFC 3110 sec. 2 */
1814 	if( keylen <= 1) {
1815 		return "null RSA key";
1816 	}
1817 	if (key[0] != 0) {
1818 		/* 1-byte length */
1819 		exp_len = key[0];
1820 		exp_offset = 1;
1821 	} else {
1822 		/* 1-byte NUL + 2-bytes exponent length */
1823 		if (keylen < 3) {
1824 			return "incorrect RSA key length";
1825 		}
1826 		exp_len = READ_UINT16(key+1);
1827 		if (exp_len == 0)
1828 			return "null RSA exponent length";
1829 		exp_offset = 3;
1830 	}
1831 	/* Check that we are not over-running input length */
1832 	if (keylen < exp_offset + exp_len + 1) {
1833 		return "RSA key content shorter than expected";
1834 	}
1835 	mod_offset = exp_offset + exp_len;
1836 	nettle_rsa_public_key_init(&pubkey);
1837 	pubkey.size = keylen - mod_offset;
1838 	nettle_mpz_set_str_256_u(pubkey.e, exp_len, &key[exp_offset]);
1839 	nettle_mpz_set_str_256_u(pubkey.n, pubkey.size, &key[mod_offset]);
1840 
1841 	/* Digest content of "buf" and verify its RSA signature in "sigblock"*/
1842 	nettle_mpz_init_set_str_256_u(signature, sigblock_len, (uint8_t*)sigblock);
1843 	switch (digest_size) {
1844 		case SHA1_DIGEST_SIZE:
1845 		{
1846 			uint8_t digest[SHA1_DIGEST_SIZE];
1847 			res = _digest_nettle(SHA1_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1848 						(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1849 			res &= rsa_sha1_verify_digest(&pubkey, digest, signature);
1850 			break;
1851 		}
1852 		case SHA256_DIGEST_SIZE:
1853 		{
1854 			uint8_t digest[SHA256_DIGEST_SIZE];
1855 			res = _digest_nettle(SHA256_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1856 						(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1857 			res &= rsa_sha256_verify_digest(&pubkey, digest, signature);
1858 			break;
1859 		}
1860 		case SHA512_DIGEST_SIZE:
1861 		{
1862 			uint8_t digest[SHA512_DIGEST_SIZE];
1863 			res = _digest_nettle(SHA512_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1864 						(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1865 			res &= rsa_sha512_verify_digest(&pubkey, digest, signature);
1866 			break;
1867 		}
1868 		default:
1869 			break;
1870 	}
1871 
1872 	/* Clear and return */
1873 	nettle_rsa_public_key_clear(&pubkey);
1874 	mpz_clear(signature);
1875 	if (!res) {
1876 		return "RSA signature verification failed";
1877 	} else {
1878 		return NULL;
1879 	}
1880 }
1881 
1882 #ifdef USE_ECDSA
1883 static char *
1884 _verify_nettle_ecdsa(sldns_buffer* buf, unsigned int digest_size, unsigned char* sigblock,
1885 	unsigned int sigblock_len, unsigned char* key, unsigned int keylen)
1886 {
1887 	int res = 0;
1888 	struct ecc_point pubkey;
1889 	struct dsa_signature signature;
1890 
1891 	/* Always matched strength, as per RFC 6605 sec. 1 */
1892 	if (sigblock_len != 2*digest_size || keylen != 2*digest_size) {
1893 		return "wrong ECDSA signature length";
1894 	}
1895 
1896 	/* Parse ECDSA signature as per RFC 6605 sec. 4 */
1897 	nettle_dsa_signature_init(&signature);
1898 	switch (digest_size) {
1899 		case SHA256_DIGEST_SIZE:
1900 		{
1901 			uint8_t digest[SHA256_DIGEST_SIZE];
1902 			mpz_t x, y;
1903 			nettle_ecc_point_init(&pubkey, nettle_get_secp_256r1());
1904 			nettle_mpz_init_set_str_256_u(x, SHA256_DIGEST_SIZE, key);
1905 			nettle_mpz_init_set_str_256_u(y, SHA256_DIGEST_SIZE, key+SHA256_DIGEST_SIZE);
1906 			nettle_mpz_set_str_256_u(signature.r, SHA256_DIGEST_SIZE, sigblock);
1907 			nettle_mpz_set_str_256_u(signature.s, SHA256_DIGEST_SIZE, sigblock+SHA256_DIGEST_SIZE);
1908 			res = _digest_nettle(SHA256_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1909 						(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1910 			res &= nettle_ecc_point_set(&pubkey, x, y);
1911 			res &= nettle_ecdsa_verify (&pubkey, SHA256_DIGEST_SIZE, digest, &signature);
1912 			mpz_clear(x);
1913 			mpz_clear(y);
1914 			nettle_ecc_point_clear(&pubkey);
1915 			break;
1916 		}
1917 		case SHA384_DIGEST_SIZE:
1918 		{
1919 			uint8_t digest[SHA384_DIGEST_SIZE];
1920 			mpz_t x, y;
1921 			nettle_ecc_point_init(&pubkey, nettle_get_secp_384r1());
1922 			nettle_mpz_init_set_str_256_u(x, SHA384_DIGEST_SIZE, key);
1923 			nettle_mpz_init_set_str_256_u(y, SHA384_DIGEST_SIZE, key+SHA384_DIGEST_SIZE);
1924 			nettle_mpz_set_str_256_u(signature.r, SHA384_DIGEST_SIZE, sigblock);
1925 			nettle_mpz_set_str_256_u(signature.s, SHA384_DIGEST_SIZE, sigblock+SHA384_DIGEST_SIZE);
1926 			res = _digest_nettle(SHA384_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1927 						(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1928 			res &= nettle_ecc_point_set(&pubkey, x, y);
1929 			res &= nettle_ecdsa_verify (&pubkey, SHA384_DIGEST_SIZE, digest, &signature);
1930 			mpz_clear(x);
1931 			mpz_clear(y);
1932 			nettle_ecc_point_clear(&pubkey);
1933 			break;
1934 		}
1935 		default:
1936 			return "unknown ECDSA algorithm";
1937 	}
1938 
1939 	/* Clear and return */
1940 	nettle_dsa_signature_clear(&signature);
1941 	if (!res)
1942 		return "ECDSA signature verification failed";
1943 	else
1944 		return NULL;
1945 }
1946 #endif
1947 
1948 #ifdef USE_ED25519
1949 static char *
1950 _verify_nettle_ed25519(sldns_buffer* buf, unsigned char* sigblock,
1951 	unsigned int sigblock_len, unsigned char* key, unsigned int keylen)
1952 {
1953 	int res = 0;
1954 
1955 	if(sigblock_len != ED25519_SIGNATURE_SIZE) {
1956 		return "wrong ED25519 signature length";
1957 	}
1958 	if(keylen != ED25519_KEY_SIZE) {
1959 		return "wrong ED25519 key length";
1960 	}
1961 
1962 	res = ed25519_sha512_verify((uint8_t*)key, sldns_buffer_limit(buf),
1963 		sldns_buffer_begin(buf), (uint8_t*)sigblock);
1964 
1965 	if (!res)
1966 		return "ED25519 signature verification failed";
1967 	else
1968 		return NULL;
1969 }
1970 #endif
1971 
1972 /**
1973  * Check a canonical sig+rrset and signature against a dnskey
1974  * @param buf: buffer with data to verify, the first rrsig part and the
1975  *	canonicalized rrset.
1976  * @param algo: DNSKEY algorithm.
1977  * @param sigblock: signature rdata field from RRSIG
1978  * @param sigblock_len: length of sigblock data.
1979  * @param key: public key data from DNSKEY RR.
1980  * @param keylen: length of keydata.
1981  * @param reason: bogus reason in more detail.
1982  * @return secure if verification succeeded, bogus on crypto failure,
1983  *	unchecked on format errors and alloc failures.
1984  */
1985 enum sec_status
1986 verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
1987 	unsigned int sigblock_len, unsigned char* key, unsigned int keylen,
1988 	char** reason)
1989 {
1990 	unsigned int digest_size = 0;
1991 
1992 	if (sigblock_len == 0 || keylen == 0) {
1993 		*reason = "null signature";
1994 		return sec_status_bogus;
1995 	}
1996 
1997 #ifndef USE_DSA
1998 	if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) &&(fake_dsa||fake_sha1))
1999 		return sec_status_secure;
2000 #endif
2001 #ifndef USE_SHA1
2002 	if(fake_sha1 && (algo == LDNS_DSA || algo == LDNS_DSA_NSEC3 || algo == LDNS_RSASHA1 || algo == LDNS_RSASHA1_NSEC3))
2003 		return sec_status_secure;
2004 #endif
2005 
2006 	switch(algo) {
2007 #if defined(USE_DSA) && defined(USE_SHA1)
2008 	case LDNS_DSA:
2009 	case LDNS_DSA_NSEC3:
2010 		*reason = _verify_nettle_dsa(buf, sigblock, sigblock_len, key, keylen);
2011 		if (*reason != NULL)
2012 			return sec_status_bogus;
2013 		else
2014 			return sec_status_secure;
2015 #endif /* USE_DSA */
2016 
2017 #ifdef USE_SHA1
2018 	case LDNS_RSASHA1:
2019 	case LDNS_RSASHA1_NSEC3:
2020 		digest_size = (digest_size ? digest_size : SHA1_DIGEST_SIZE);
2021 #endif
2022 		/* double fallthrough annotation to please gcc parser */
2023 		/* fallthrough */
2024 #ifdef USE_SHA2
2025 		/* fallthrough */
2026 	case LDNS_RSASHA256:
2027 		digest_size = (digest_size ? digest_size : SHA256_DIGEST_SIZE);
2028 		/* fallthrough */
2029 	case LDNS_RSASHA512:
2030 		digest_size = (digest_size ? digest_size : SHA512_DIGEST_SIZE);
2031 
2032 #endif
2033 		*reason = _verify_nettle_rsa(buf, digest_size, (char*)sigblock,
2034 						sigblock_len, key, keylen);
2035 		if (*reason != NULL)
2036 			return sec_status_bogus;
2037 		else
2038 			return sec_status_secure;
2039 
2040 #ifdef USE_ECDSA
2041 	case LDNS_ECDSAP256SHA256:
2042 		digest_size = (digest_size ? digest_size : SHA256_DIGEST_SIZE);
2043 		/* fallthrough */
2044 	case LDNS_ECDSAP384SHA384:
2045 		digest_size = (digest_size ? digest_size : SHA384_DIGEST_SIZE);
2046 		*reason = _verify_nettle_ecdsa(buf, digest_size, sigblock,
2047 						sigblock_len, key, keylen);
2048 		if (*reason != NULL)
2049 			return sec_status_bogus;
2050 		else
2051 			return sec_status_secure;
2052 #endif
2053 #ifdef USE_ED25519
2054 	case LDNS_ED25519:
2055 		*reason = _verify_nettle_ed25519(buf, sigblock, sigblock_len,
2056 			key, keylen);
2057 		if (*reason != NULL)
2058 			return sec_status_bogus;
2059 		else
2060 			return sec_status_secure;
2061 #endif
2062 	case LDNS_RSAMD5:
2063 	case LDNS_ECC_GOST:
2064 	default:
2065 		*reason = "unable to verify signature, unknown algorithm";
2066 		return sec_status_bogus;
2067 	}
2068 }
2069 
2070 #endif /* HAVE_SSL or HAVE_NSS or HAVE_NETTLE */
2071