xref: /freebsd/contrib/unbound/validator/val_secalgo.c (revision d3d381b2b194b4d24853e92eecef55f262688d1a)
1 /*
2  * validator/val_secalgo.c - validator security algorithm functions.
3  *
4  * Copyright (c) 2012, NLnet Labs. All rights reserved.
5  *
6  * This software is open source.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * Redistributions of source code must retain the above copyright notice,
13  * this list of conditions and the following disclaimer.
14  *
15  * Redistributions in binary form must reproduce the above copyright notice,
16  * this list of conditions and the following disclaimer in the documentation
17  * and/or other materials provided with the distribution.
18  *
19  * Neither the name of the NLNET LABS nor the names of its contributors may
20  * be used to endorse or promote products derived from this software without
21  * specific prior written permission.
22  *
23  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26  * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27  * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29  * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31  * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32  * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34  */
35 
36 /**
37  * \file
38  *
39  * This file contains helper functions for the validator module.
40  * These functions take raw data buffers, formatted for crypto verification,
41  * and do the library calls (for the crypto library in use).
42  */
43 #include "config.h"
44 /* packed_rrset on top to define enum types (forced by c99 standard) */
45 #include "util/data/packed_rrset.h"
46 #include "validator/val_secalgo.h"
47 #include "validator/val_nsec3.h"
48 #include "util/log.h"
49 #include "sldns/rrdef.h"
50 #include "sldns/keyraw.h"
51 #include "sldns/sbuffer.h"
52 
53 #if !defined(HAVE_SSL) && !defined(HAVE_NSS) && !defined(HAVE_NETTLE)
54 #error "Need crypto library to do digital signature cryptography"
55 #endif
56 
57 /* OpenSSL implementation */
58 #ifdef HAVE_SSL
59 #ifdef HAVE_OPENSSL_ERR_H
60 #include <openssl/err.h>
61 #endif
62 
63 #ifdef HAVE_OPENSSL_RAND_H
64 #include <openssl/rand.h>
65 #endif
66 
67 #ifdef HAVE_OPENSSL_CONF_H
68 #include <openssl/conf.h>
69 #endif
70 
71 #ifdef HAVE_OPENSSL_ENGINE_H
72 #include <openssl/engine.h>
73 #endif
74 
75 /** fake DSA support for unit tests */
76 int fake_dsa = 0;
77 /** fake SHA1 support for unit tests */
78 int fake_sha1 = 0;
79 
80 /* return size of digest if supported, or 0 otherwise */
81 size_t
82 nsec3_hash_algo_size_supported(int id)
83 {
84 	switch(id) {
85 	case NSEC3_HASH_SHA1:
86 		return SHA_DIGEST_LENGTH;
87 	default:
88 		return 0;
89 	}
90 }
91 
92 /* perform nsec3 hash. return false on failure */
93 int
94 secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
95         unsigned char* res)
96 {
97 	switch(algo) {
98 	case NSEC3_HASH_SHA1:
99 		(void)SHA1(buf, len, res);
100 		return 1;
101 	default:
102 		return 0;
103 	}
104 }
105 
106 void
107 secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res)
108 {
109 	(void)SHA256(buf, len, res);
110 }
111 
112 /**
113  * Return size of DS digest according to its hash algorithm.
114  * @param algo: DS digest algo.
115  * @return size in bytes of digest, or 0 if not supported.
116  */
117 size_t
118 ds_digest_size_supported(int algo)
119 {
120 	switch(algo) {
121 		case LDNS_SHA1:
122 #if defined(HAVE_EVP_SHA1) && defined(USE_SHA1)
123 			return SHA_DIGEST_LENGTH;
124 #else
125 			if(fake_sha1) return 20;
126 			return 0;
127 #endif
128 #ifdef HAVE_EVP_SHA256
129 		case LDNS_SHA256:
130 			return SHA256_DIGEST_LENGTH;
131 #endif
132 #ifdef USE_GOST
133 		case LDNS_HASH_GOST:
134 			/* we support GOST if it can be loaded */
135 			(void)sldns_key_EVP_load_gost_id();
136 			if(EVP_get_digestbyname("md_gost94"))
137 				return 32;
138 			else	return 0;
139 #endif
140 #ifdef USE_ECDSA
141 		case LDNS_SHA384:
142 			return SHA384_DIGEST_LENGTH;
143 #endif
144 		default: break;
145 	}
146 	return 0;
147 }
148 
149 #ifdef USE_GOST
150 /** Perform GOST hash */
151 static int
152 do_gost94(unsigned char* data, size_t len, unsigned char* dest)
153 {
154 	const EVP_MD* md = EVP_get_digestbyname("md_gost94");
155 	if(!md)
156 		return 0;
157 	return sldns_digest_evp(data, (unsigned int)len, dest, md);
158 }
159 #endif
160 
161 int
162 secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
163 	unsigned char* res)
164 {
165 	switch(algo) {
166 #if defined(HAVE_EVP_SHA1) && defined(USE_SHA1)
167 		case LDNS_SHA1:
168 			(void)SHA1(buf, len, res);
169 			return 1;
170 #endif
171 #ifdef HAVE_EVP_SHA256
172 		case LDNS_SHA256:
173 			(void)SHA256(buf, len, res);
174 			return 1;
175 #endif
176 #ifdef USE_GOST
177 		case LDNS_HASH_GOST:
178 			if(do_gost94(buf, len, res))
179 				return 1;
180 			break;
181 #endif
182 #ifdef USE_ECDSA
183 		case LDNS_SHA384:
184 			(void)SHA384(buf, len, res);
185 			return 1;
186 #endif
187 		default:
188 			verbose(VERB_QUERY, "unknown DS digest algorithm %d",
189 				algo);
190 			break;
191 	}
192 	return 0;
193 }
194 
195 /** return true if DNSKEY algorithm id is supported */
196 int
197 dnskey_algo_id_is_supported(int id)
198 {
199 	switch(id) {
200 	case LDNS_RSAMD5:
201 		/* RFC 6725 deprecates RSAMD5 */
202 		return 0;
203 	case LDNS_DSA:
204 	case LDNS_DSA_NSEC3:
205 #if defined(USE_DSA) && defined(USE_SHA1)
206 		return 1;
207 #else
208 		if(fake_dsa || fake_sha1) return 1;
209 		return 0;
210 #endif
211 
212 	case LDNS_RSASHA1:
213 	case LDNS_RSASHA1_NSEC3:
214 #ifdef USE_SHA1
215 		return 1;
216 #else
217 		if(fake_sha1) return 1;
218 		return 0;
219 #endif
220 
221 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
222 	case LDNS_RSASHA256:
223 #endif
224 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
225 	case LDNS_RSASHA512:
226 #endif
227 #ifdef USE_ECDSA
228 	case LDNS_ECDSAP256SHA256:
229 	case LDNS_ECDSAP384SHA384:
230 #endif
231 #ifdef USE_ED25519
232 	case LDNS_ED25519:
233 #endif
234 #ifdef USE_ED448
235 	case LDNS_ED448:
236 #endif
237 #if (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2)) || defined(USE_ECDSA) || defined(USE_ED25519) || defined(USE_ED448)
238 		return 1;
239 #endif
240 
241 #ifdef USE_GOST
242 	case LDNS_ECC_GOST:
243 		/* we support GOST if it can be loaded */
244 		return sldns_key_EVP_load_gost_id();
245 #endif
246 	default:
247 		return 0;
248 	}
249 }
250 
251 /**
252  * Output a libcrypto openssl error to the logfile.
253  * @param str: string to add to it.
254  * @param e: the error to output, error number from ERR_get_error().
255  */
256 static void
257 log_crypto_error(const char* str, unsigned long e)
258 {
259 	char buf[128];
260 	/* or use ERR_error_string if ERR_error_string_n is not avail TODO */
261 	ERR_error_string_n(e, buf, sizeof(buf));
262 	/* buf now contains */
263 	/* error:[error code]:[library name]:[function name]:[reason string] */
264 	log_err("%s crypto %s", str, buf);
265 }
266 
267 #ifdef USE_DSA
268 /**
269  * Setup DSA key digest in DER encoding ...
270  * @param sig: input is signature output alloced ptr (unless failure).
271  * 	caller must free alloced ptr if this routine returns true.
272  * @param len: input is initial siglen, output is output len.
273  * @return false on failure.
274  */
275 static int
276 setup_dsa_sig(unsigned char** sig, unsigned int* len)
277 {
278 	unsigned char* orig = *sig;
279 	unsigned int origlen = *len;
280 	int newlen;
281 	BIGNUM *R, *S;
282 	DSA_SIG *dsasig;
283 
284 	/* extract the R and S field from the sig buffer */
285 	if(origlen < 1 + 2*SHA_DIGEST_LENGTH)
286 		return 0;
287 	R = BN_new();
288 	if(!R) return 0;
289 	(void) BN_bin2bn(orig + 1, SHA_DIGEST_LENGTH, R);
290 	S = BN_new();
291 	if(!S) return 0;
292 	(void) BN_bin2bn(orig + 21, SHA_DIGEST_LENGTH, S);
293 	dsasig = DSA_SIG_new();
294 	if(!dsasig) return 0;
295 
296 #ifdef HAVE_DSA_SIG_SET0
297 	if(!DSA_SIG_set0(dsasig, R, S)) return 0;
298 #else
299 	dsasig->r = R;
300 	dsasig->s = S;
301 #endif
302 	*sig = NULL;
303 	newlen = i2d_DSA_SIG(dsasig, sig);
304 	if(newlen < 0) {
305 		DSA_SIG_free(dsasig);
306 		free(*sig);
307 		return 0;
308 	}
309 	*len = (unsigned int)newlen;
310 	DSA_SIG_free(dsasig);
311 	return 1;
312 }
313 #endif /* USE_DSA */
314 
315 #ifdef USE_ECDSA
316 /**
317  * Setup the ECDSA signature in its encoding that the library wants.
318  * Converts from plain numbers to ASN formatted.
319  * @param sig: input is signature, output alloced ptr (unless failure).
320  * 	caller must free alloced ptr if this routine returns true.
321  * @param len: input is initial siglen, output is output len.
322  * @return false on failure.
323  */
324 static int
325 setup_ecdsa_sig(unsigned char** sig, unsigned int* len)
326 {
327         /* convert from two BIGNUMs in the rdata buffer, to ASN notation.
328 	 * ASN preamble: 30440220 <R 32bytefor256> 0220 <S 32bytefor256>
329 	 * the '20' is the length of that field (=bnsize).
330 i	 * the '44' is the total remaining length.
331 	 * if negative, start with leading zero.
332 	 * if starts with 00s, remove them from the number.
333 	 */
334         uint8_t pre[] = {0x30, 0x44, 0x02, 0x20};
335         int pre_len = 4;
336         uint8_t mid[] = {0x02, 0x20};
337         int mid_len = 2;
338         int raw_sig_len, r_high, s_high, r_rem=0, s_rem=0;
339 	int bnsize = (int)((*len)/2);
340         unsigned char* d = *sig;
341 	uint8_t* p;
342 	/* if too short or not even length, fails */
343 	if(*len < 16 || bnsize*2 != (int)*len)
344 		return 0;
345 
346         /* strip leading zeroes from r (but not last one) */
347         while(r_rem < bnsize-1 && d[r_rem] == 0)
348                 r_rem++;
349         /* strip leading zeroes from s (but not last one) */
350         while(s_rem < bnsize-1 && d[bnsize+s_rem] == 0)
351                 s_rem++;
352 
353         r_high = ((d[0+r_rem]&0x80)?1:0);
354         s_high = ((d[bnsize+s_rem]&0x80)?1:0);
355         raw_sig_len = pre_len + r_high + bnsize - r_rem + mid_len +
356                 s_high + bnsize - s_rem;
357 	*sig = (unsigned char*)malloc((size_t)raw_sig_len);
358 	if(!*sig)
359 		return 0;
360 	p = (uint8_t*)*sig;
361 	p[0] = pre[0];
362 	p[1] = (uint8_t)(raw_sig_len-2);
363 	p[2] = pre[2];
364 	p[3] = (uint8_t)(bnsize + r_high - r_rem);
365 	p += 4;
366 	if(r_high) {
367 		*p = 0;
368 		p += 1;
369 	}
370 	memmove(p, d+r_rem, (size_t)bnsize-r_rem);
371 	p += bnsize-r_rem;
372 	memmove(p, mid, (size_t)mid_len-1);
373 	p += mid_len-1;
374 	*p = (uint8_t)(bnsize + s_high - s_rem);
375 	p += 1;
376         if(s_high) {
377 		*p = 0;
378 		p += 1;
379 	}
380 	memmove(p, d+bnsize+s_rem, (size_t)bnsize-s_rem);
381 	*len = (unsigned int)raw_sig_len;
382 	return 1;
383 }
384 #endif /* USE_ECDSA */
385 
386 #ifdef USE_ECDSA_EVP_WORKAROUND
387 static EVP_MD ecdsa_evp_256_md;
388 static EVP_MD ecdsa_evp_384_md;
389 void ecdsa_evp_workaround_init(void)
390 {
391 	/* openssl before 1.0.0 fixes RSA with the SHA256
392 	 * hash in EVP.  We create one for ecdsa_sha256 */
393 	ecdsa_evp_256_md = *EVP_sha256();
394 	ecdsa_evp_256_md.required_pkey_type[0] = EVP_PKEY_EC;
395 	ecdsa_evp_256_md.verify = (void*)ECDSA_verify;
396 
397 	ecdsa_evp_384_md = *EVP_sha384();
398 	ecdsa_evp_384_md.required_pkey_type[0] = EVP_PKEY_EC;
399 	ecdsa_evp_384_md.verify = (void*)ECDSA_verify;
400 }
401 #endif /* USE_ECDSA_EVP_WORKAROUND */
402 
403 /**
404  * Setup key and digest for verification. Adjust sig if necessary.
405  *
406  * @param algo: key algorithm
407  * @param evp_key: EVP PKEY public key to create.
408  * @param digest_type: digest type to use
409  * @param key: key to setup for.
410  * @param keylen: length of key.
411  * @return false on failure.
412  */
413 static int
414 setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type,
415 	unsigned char* key, size_t keylen)
416 {
417 #if defined(USE_DSA) && defined(USE_SHA1)
418 	DSA* dsa;
419 #endif
420 	RSA* rsa;
421 
422 	switch(algo) {
423 #if defined(USE_DSA) && defined(USE_SHA1)
424 		case LDNS_DSA:
425 		case LDNS_DSA_NSEC3:
426 			*evp_key = EVP_PKEY_new();
427 			if(!*evp_key) {
428 				log_err("verify: malloc failure in crypto");
429 				return 0;
430 			}
431 			dsa = sldns_key_buf2dsa_raw(key, keylen);
432 			if(!dsa) {
433 				verbose(VERB_QUERY, "verify: "
434 					"sldns_key_buf2dsa_raw failed");
435 				return 0;
436 			}
437 			if(EVP_PKEY_assign_DSA(*evp_key, dsa) == 0) {
438 				verbose(VERB_QUERY, "verify: "
439 					"EVP_PKEY_assign_DSA failed");
440 				return 0;
441 			}
442 #ifdef HAVE_EVP_DSS1
443 			*digest_type = EVP_dss1();
444 #else
445 			*digest_type = EVP_sha1();
446 #endif
447 
448 			break;
449 #endif /* USE_DSA && USE_SHA1 */
450 
451 #if defined(USE_SHA1) || (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2))
452 #ifdef USE_SHA1
453 		case LDNS_RSASHA1:
454 		case LDNS_RSASHA1_NSEC3:
455 #endif
456 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
457 		case LDNS_RSASHA256:
458 #endif
459 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
460 		case LDNS_RSASHA512:
461 #endif
462 			*evp_key = EVP_PKEY_new();
463 			if(!*evp_key) {
464 				log_err("verify: malloc failure in crypto");
465 				return 0;
466 			}
467 			rsa = sldns_key_buf2rsa_raw(key, keylen);
468 			if(!rsa) {
469 				verbose(VERB_QUERY, "verify: "
470 					"sldns_key_buf2rsa_raw SHA failed");
471 				return 0;
472 			}
473 			if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) {
474 				verbose(VERB_QUERY, "verify: "
475 					"EVP_PKEY_assign_RSA SHA failed");
476 				return 0;
477 			}
478 
479 			/* select SHA version */
480 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
481 			if(algo == LDNS_RSASHA256)
482 				*digest_type = EVP_sha256();
483 			else
484 #endif
485 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
486 				if(algo == LDNS_RSASHA512)
487 				*digest_type = EVP_sha512();
488 			else
489 #endif
490 #ifdef USE_SHA1
491 				*digest_type = EVP_sha1();
492 #else
493 				{ verbose(VERB_QUERY, "no digest available"); return 0; }
494 #endif
495 			break;
496 #endif /* defined(USE_SHA1) || (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2)) */
497 
498 		case LDNS_RSAMD5:
499 			*evp_key = EVP_PKEY_new();
500 			if(!*evp_key) {
501 				log_err("verify: malloc failure in crypto");
502 				return 0;
503 			}
504 			rsa = sldns_key_buf2rsa_raw(key, keylen);
505 			if(!rsa) {
506 				verbose(VERB_QUERY, "verify: "
507 					"sldns_key_buf2rsa_raw MD5 failed");
508 				return 0;
509 			}
510 			if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) {
511 				verbose(VERB_QUERY, "verify: "
512 					"EVP_PKEY_assign_RSA MD5 failed");
513 				return 0;
514 			}
515 			*digest_type = EVP_md5();
516 
517 			break;
518 #ifdef USE_GOST
519 		case LDNS_ECC_GOST:
520 			*evp_key = sldns_gost2pkey_raw(key, keylen);
521 			if(!*evp_key) {
522 				verbose(VERB_QUERY, "verify: "
523 					"sldns_gost2pkey_raw failed");
524 				return 0;
525 			}
526 			*digest_type = EVP_get_digestbyname("md_gost94");
527 			if(!*digest_type) {
528 				verbose(VERB_QUERY, "verify: "
529 					"EVP_getdigest md_gost94 failed");
530 				return 0;
531 			}
532 			break;
533 #endif
534 #ifdef USE_ECDSA
535 		case LDNS_ECDSAP256SHA256:
536 			*evp_key = sldns_ecdsa2pkey_raw(key, keylen,
537 				LDNS_ECDSAP256SHA256);
538 			if(!*evp_key) {
539 				verbose(VERB_QUERY, "verify: "
540 					"sldns_ecdsa2pkey_raw failed");
541 				return 0;
542 			}
543 #ifdef USE_ECDSA_EVP_WORKAROUND
544 			*digest_type = &ecdsa_evp_256_md;
545 #else
546 			*digest_type = EVP_sha256();
547 #endif
548 			break;
549 		case LDNS_ECDSAP384SHA384:
550 			*evp_key = sldns_ecdsa2pkey_raw(key, keylen,
551 				LDNS_ECDSAP384SHA384);
552 			if(!*evp_key) {
553 				verbose(VERB_QUERY, "verify: "
554 					"sldns_ecdsa2pkey_raw failed");
555 				return 0;
556 			}
557 #ifdef USE_ECDSA_EVP_WORKAROUND
558 			*digest_type = &ecdsa_evp_384_md;
559 #else
560 			*digest_type = EVP_sha384();
561 #endif
562 			break;
563 #endif /* USE_ECDSA */
564 #ifdef USE_ED25519
565 		case LDNS_ED25519:
566 			*evp_key = sldns_ed255192pkey_raw(key, keylen);
567 			if(!*evp_key) {
568 				verbose(VERB_QUERY, "verify: "
569 					"sldns_ed255192pkey_raw failed");
570 				return 0;
571 			}
572 			*digest_type = NULL;
573 			break;
574 #endif /* USE_ED25519 */
575 #ifdef USE_ED448
576 		case LDNS_ED448:
577 			*evp_key = sldns_ed4482pkey_raw(key, keylen);
578 			if(!*evp_key) {
579 				verbose(VERB_QUERY, "verify: "
580 					"sldns_ed4482pkey_raw failed");
581 				return 0;
582 			}
583 			*digest_type = NULL;
584 			break;
585 #endif /* USE_ED448 */
586 		default:
587 			verbose(VERB_QUERY, "verify: unknown algorithm %d",
588 				algo);
589 			return 0;
590 	}
591 	return 1;
592 }
593 
594 /**
595  * Check a canonical sig+rrset and signature against a dnskey
596  * @param buf: buffer with data to verify, the first rrsig part and the
597  *	canonicalized rrset.
598  * @param algo: DNSKEY algorithm.
599  * @param sigblock: signature rdata field from RRSIG
600  * @param sigblock_len: length of sigblock data.
601  * @param key: public key data from DNSKEY RR.
602  * @param keylen: length of keydata.
603  * @param reason: bogus reason in more detail.
604  * @return secure if verification succeeded, bogus on crypto failure,
605  *	unchecked on format errors and alloc failures.
606  */
607 enum sec_status
608 verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
609 	unsigned int sigblock_len, unsigned char* key, unsigned int keylen,
610 	char** reason)
611 {
612 	const EVP_MD *digest_type;
613 	EVP_MD_CTX* ctx;
614 	int res, dofree = 0, docrypto_free = 0;
615 	EVP_PKEY *evp_key = NULL;
616 
617 #ifndef USE_DSA
618 	if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) &&(fake_dsa||fake_sha1))
619 		return sec_status_secure;
620 #endif
621 #ifndef USE_SHA1
622 	if(fake_sha1 && (algo == LDNS_DSA || algo == LDNS_DSA_NSEC3 || algo == LDNS_RSASHA1 || algo == LDNS_RSASHA1_NSEC3))
623 		return sec_status_secure;
624 #endif
625 
626 	if(!setup_key_digest(algo, &evp_key, &digest_type, key, keylen)) {
627 		verbose(VERB_QUERY, "verify: failed to setup key");
628 		*reason = "use of key for crypto failed";
629 		EVP_PKEY_free(evp_key);
630 		return sec_status_bogus;
631 	}
632 #ifdef USE_DSA
633 	/* if it is a DSA signature in bind format, convert to DER format */
634 	if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) &&
635 		sigblock_len == 1+2*SHA_DIGEST_LENGTH) {
636 		if(!setup_dsa_sig(&sigblock, &sigblock_len)) {
637 			verbose(VERB_QUERY, "verify: failed to setup DSA sig");
638 			*reason = "use of key for DSA crypto failed";
639 			EVP_PKEY_free(evp_key);
640 			return sec_status_bogus;
641 		}
642 		docrypto_free = 1;
643 	}
644 #endif
645 #if defined(USE_ECDSA) && defined(USE_DSA)
646 	else
647 #endif
648 #ifdef USE_ECDSA
649 	if(algo == LDNS_ECDSAP256SHA256 || algo == LDNS_ECDSAP384SHA384) {
650 		/* EVP uses ASN prefix on sig, which is not in the wire data */
651 		if(!setup_ecdsa_sig(&sigblock, &sigblock_len)) {
652 			verbose(VERB_QUERY, "verify: failed to setup ECDSA sig");
653 			*reason = "use of signature for ECDSA crypto failed";
654 			EVP_PKEY_free(evp_key);
655 			return sec_status_bogus;
656 		}
657 		dofree = 1;
658 	}
659 #endif /* USE_ECDSA */
660 
661 	/* do the signature cryptography work */
662 #ifdef HAVE_EVP_MD_CTX_NEW
663 	ctx = EVP_MD_CTX_new();
664 #else
665 	ctx = (EVP_MD_CTX*)malloc(sizeof(*ctx));
666 	if(ctx) EVP_MD_CTX_init(ctx);
667 #endif
668 	if(!ctx) {
669 		log_err("EVP_MD_CTX_new: malloc failure");
670 		EVP_PKEY_free(evp_key);
671 		if(dofree) free(sigblock);
672 		else if(docrypto_free) OPENSSL_free(sigblock);
673 		return sec_status_unchecked;
674 	}
675 #ifndef HAVE_EVP_DIGESTVERIFY
676 	if(EVP_DigestInit(ctx, digest_type) == 0) {
677 		verbose(VERB_QUERY, "verify: EVP_DigestInit failed");
678 #ifdef HAVE_EVP_MD_CTX_NEW
679 		EVP_MD_CTX_destroy(ctx);
680 #else
681 		EVP_MD_CTX_cleanup(ctx);
682 		free(ctx);
683 #endif
684 		EVP_PKEY_free(evp_key);
685 		if(dofree) free(sigblock);
686 		else if(docrypto_free) OPENSSL_free(sigblock);
687 		return sec_status_unchecked;
688 	}
689 	if(EVP_DigestUpdate(ctx, (unsigned char*)sldns_buffer_begin(buf),
690 		(unsigned int)sldns_buffer_limit(buf)) == 0) {
691 		verbose(VERB_QUERY, "verify: EVP_DigestUpdate failed");
692 #ifdef HAVE_EVP_MD_CTX_NEW
693 		EVP_MD_CTX_destroy(ctx);
694 #else
695 		EVP_MD_CTX_cleanup(ctx);
696 		free(ctx);
697 #endif
698 		EVP_PKEY_free(evp_key);
699 		if(dofree) free(sigblock);
700 		else if(docrypto_free) OPENSSL_free(sigblock);
701 		return sec_status_unchecked;
702 	}
703 
704 	res = EVP_VerifyFinal(ctx, sigblock, sigblock_len, evp_key);
705 #else /* HAVE_EVP_DIGESTVERIFY */
706 	if(EVP_DigestVerifyInit(ctx, NULL, digest_type, NULL, evp_key) == 0) {
707 		verbose(VERB_QUERY, "verify: EVP_DigestVerifyInit failed");
708 #ifdef HAVE_EVP_MD_CTX_NEW
709 		EVP_MD_CTX_destroy(ctx);
710 #else
711 		EVP_MD_CTX_cleanup(ctx);
712 		free(ctx);
713 #endif
714 		EVP_PKEY_free(evp_key);
715 		if(dofree) free(sigblock);
716 		else if(docrypto_free) OPENSSL_free(sigblock);
717 		return sec_status_unchecked;
718 	}
719 	res = EVP_DigestVerify(ctx, sigblock, sigblock_len,
720 		(unsigned char*)sldns_buffer_begin(buf),
721 		sldns_buffer_limit(buf));
722 #endif
723 #ifdef HAVE_EVP_MD_CTX_NEW
724 	EVP_MD_CTX_destroy(ctx);
725 #else
726 	EVP_MD_CTX_cleanup(ctx);
727 	free(ctx);
728 #endif
729 	EVP_PKEY_free(evp_key);
730 
731 	if(dofree) free(sigblock);
732 	else if(docrypto_free) OPENSSL_free(sigblock);
733 
734 	if(res == 1) {
735 		return sec_status_secure;
736 	} else if(res == 0) {
737 		verbose(VERB_QUERY, "verify: signature mismatch");
738 		*reason = "signature crypto failed";
739 		return sec_status_bogus;
740 	}
741 
742 	log_crypto_error("verify:", ERR_get_error());
743 	return sec_status_unchecked;
744 }
745 
746 /**************************************************/
747 #elif defined(HAVE_NSS)
748 /* libnss implementation */
749 /* nss3 */
750 #include "sechash.h"
751 #include "pk11pub.h"
752 #include "keyhi.h"
753 #include "secerr.h"
754 #include "cryptohi.h"
755 /* nspr4 */
756 #include "prerror.h"
757 
758 /* return size of digest if supported, or 0 otherwise */
759 size_t
760 nsec3_hash_algo_size_supported(int id)
761 {
762 	switch(id) {
763 	case NSEC3_HASH_SHA1:
764 		return SHA1_LENGTH;
765 	default:
766 		return 0;
767 	}
768 }
769 
770 /* perform nsec3 hash. return false on failure */
771 int
772 secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
773         unsigned char* res)
774 {
775 	switch(algo) {
776 	case NSEC3_HASH_SHA1:
777 		(void)HASH_HashBuf(HASH_AlgSHA1, res, buf, (unsigned long)len);
778 		return 1;
779 	default:
780 		return 0;
781 	}
782 }
783 
784 void
785 secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res)
786 {
787 	(void)HASH_HashBuf(HASH_AlgSHA256, res, buf, (unsigned long)len);
788 }
789 
790 size_t
791 ds_digest_size_supported(int algo)
792 {
793 	/* uses libNSS */
794 	switch(algo) {
795 #ifdef USE_SHA1
796 		case LDNS_SHA1:
797 			return SHA1_LENGTH;
798 #endif
799 #ifdef USE_SHA2
800 		case LDNS_SHA256:
801 			return SHA256_LENGTH;
802 #endif
803 #ifdef USE_ECDSA
804 		case LDNS_SHA384:
805 			return SHA384_LENGTH;
806 #endif
807 		/* GOST not supported in NSS */
808 		case LDNS_HASH_GOST:
809 		default: break;
810 	}
811 	return 0;
812 }
813 
814 int
815 secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
816 	unsigned char* res)
817 {
818 	/* uses libNSS */
819 	switch(algo) {
820 #ifdef USE_SHA1
821 		case LDNS_SHA1:
822 			return HASH_HashBuf(HASH_AlgSHA1, res, buf, len)
823 				== SECSuccess;
824 #endif
825 #if defined(USE_SHA2)
826 		case LDNS_SHA256:
827 			return HASH_HashBuf(HASH_AlgSHA256, res, buf, len)
828 				== SECSuccess;
829 #endif
830 #ifdef USE_ECDSA
831 		case LDNS_SHA384:
832 			return HASH_HashBuf(HASH_AlgSHA384, res, buf, len)
833 				== SECSuccess;
834 #endif
835 		case LDNS_HASH_GOST:
836 		default:
837 			verbose(VERB_QUERY, "unknown DS digest algorithm %d",
838 				algo);
839 			break;
840 	}
841 	return 0;
842 }
843 
844 int
845 dnskey_algo_id_is_supported(int id)
846 {
847 	/* uses libNSS */
848 	switch(id) {
849 	case LDNS_RSAMD5:
850 		/* RFC 6725 deprecates RSAMD5 */
851 		return 0;
852 #if defined(USE_SHA1) || defined(USE_SHA2)
853 #if defined(USE_DSA) && defined(USE_SHA1)
854 	case LDNS_DSA:
855 	case LDNS_DSA_NSEC3:
856 #endif
857 #ifdef USE_SHA1
858 	case LDNS_RSASHA1:
859 	case LDNS_RSASHA1_NSEC3:
860 #endif
861 #ifdef USE_SHA2
862 	case LDNS_RSASHA256:
863 #endif
864 #ifdef USE_SHA2
865 	case LDNS_RSASHA512:
866 #endif
867 		return 1;
868 #endif /* SHA1 or SHA2 */
869 
870 #ifdef USE_ECDSA
871 	case LDNS_ECDSAP256SHA256:
872 	case LDNS_ECDSAP384SHA384:
873 		return PK11_TokenExists(CKM_ECDSA);
874 #endif
875 	case LDNS_ECC_GOST:
876 	default:
877 		return 0;
878 	}
879 }
880 
881 /* return a new public key for NSS */
882 static SECKEYPublicKey* nss_key_create(KeyType ktype)
883 {
884 	SECKEYPublicKey* key;
885 	PLArenaPool* arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
886 	if(!arena) {
887 		log_err("out of memory, PORT_NewArena failed");
888 		return NULL;
889 	}
890 	key = PORT_ArenaZNew(arena, SECKEYPublicKey);
891 	if(!key) {
892 		log_err("out of memory, PORT_ArenaZNew failed");
893 		PORT_FreeArena(arena, PR_FALSE);
894 		return NULL;
895 	}
896 	key->arena = arena;
897 	key->keyType = ktype;
898 	key->pkcs11Slot = NULL;
899 	key->pkcs11ID = CK_INVALID_HANDLE;
900 	return key;
901 }
902 
903 static SECKEYPublicKey* nss_buf2ecdsa(unsigned char* key, size_t len, int algo)
904 {
905 	SECKEYPublicKey* pk;
906 	SECItem pub = {siBuffer, NULL, 0};
907 	SECItem params = {siBuffer, NULL, 0};
908 	static unsigned char param256[] = {
909 		/* OBJECTIDENTIFIER 1.2.840.10045.3.1.7 (P-256)
910 		 * {iso(1) member-body(2) us(840) ansi-x962(10045) curves(3) prime(1) prime256v1(7)} */
911 		0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07
912 	};
913 	static unsigned char param384[] = {
914 		/* OBJECTIDENTIFIER 1.3.132.0.34 (P-384)
915 		 * {iso(1) identified-organization(3) certicom(132) curve(0) ansip384r1(34)} */
916 		0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22
917 	};
918 	unsigned char buf[256+2]; /* sufficient for 2*384/8+1 */
919 
920 	/* check length, which uncompressed must be 2 bignums */
921 	if(algo == LDNS_ECDSAP256SHA256) {
922 		if(len != 2*256/8) return NULL;
923 		/* ECCurve_X9_62_PRIME_256V1 */
924 	} else if(algo == LDNS_ECDSAP384SHA384) {
925 		if(len != 2*384/8) return NULL;
926 		/* ECCurve_X9_62_PRIME_384R1 */
927 	} else    return NULL;
928 
929 	buf[0] = 0x04; /* POINT_FORM_UNCOMPRESSED */
930 	memmove(buf+1, key, len);
931 	pub.data = buf;
932 	pub.len = len+1;
933 	if(algo == LDNS_ECDSAP256SHA256) {
934 		params.data = param256;
935 		params.len = sizeof(param256);
936 	} else {
937 		params.data = param384;
938 		params.len = sizeof(param384);
939 	}
940 
941 	pk = nss_key_create(ecKey);
942 	if(!pk)
943 		return NULL;
944 	pk->u.ec.size = (len/2)*8;
945 	if(SECITEM_CopyItem(pk->arena, &pk->u.ec.publicValue, &pub)) {
946 		SECKEY_DestroyPublicKey(pk);
947 		return NULL;
948 	}
949 	if(SECITEM_CopyItem(pk->arena, &pk->u.ec.DEREncodedParams, &params)) {
950 		SECKEY_DestroyPublicKey(pk);
951 		return NULL;
952 	}
953 
954 	return pk;
955 }
956 
957 static SECKEYPublicKey* nss_buf2dsa(unsigned char* key, size_t len)
958 {
959 	SECKEYPublicKey* pk;
960 	uint8_t T;
961 	uint16_t length;
962 	uint16_t offset;
963 	SECItem Q = {siBuffer, NULL, 0};
964 	SECItem P = {siBuffer, NULL, 0};
965 	SECItem G = {siBuffer, NULL, 0};
966 	SECItem Y = {siBuffer, NULL, 0};
967 
968 	if(len == 0)
969 		return NULL;
970 	T = (uint8_t)key[0];
971 	length = (64 + T * 8);
972 	offset = 1;
973 
974 	if (T > 8) {
975 		return NULL;
976 	}
977 	if(len < (size_t)1 + SHA1_LENGTH + 3*length)
978 		return NULL;
979 
980 	Q.data = key+offset;
981 	Q.len = SHA1_LENGTH;
982 	offset += SHA1_LENGTH;
983 
984 	P.data = key+offset;
985 	P.len = length;
986 	offset += length;
987 
988 	G.data = key+offset;
989 	G.len = length;
990 	offset += length;
991 
992 	Y.data = key+offset;
993 	Y.len = length;
994 	offset += length;
995 
996 	pk = nss_key_create(dsaKey);
997 	if(!pk)
998 		return NULL;
999 	if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.prime, &P)) {
1000 		SECKEY_DestroyPublicKey(pk);
1001 		return NULL;
1002 	}
1003 	if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.subPrime, &Q)) {
1004 		SECKEY_DestroyPublicKey(pk);
1005 		return NULL;
1006 	}
1007 	if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.base, &G)) {
1008 		SECKEY_DestroyPublicKey(pk);
1009 		return NULL;
1010 	}
1011 	if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.publicValue, &Y)) {
1012 		SECKEY_DestroyPublicKey(pk);
1013 		return NULL;
1014 	}
1015 	return pk;
1016 }
1017 
1018 static SECKEYPublicKey* nss_buf2rsa(unsigned char* key, size_t len)
1019 {
1020 	SECKEYPublicKey* pk;
1021 	uint16_t exp;
1022 	uint16_t offset;
1023 	uint16_t int16;
1024 	SECItem modulus = {siBuffer, NULL, 0};
1025 	SECItem exponent = {siBuffer, NULL, 0};
1026 	if(len == 0)
1027 		return NULL;
1028 	if(key[0] == 0) {
1029 		if(len < 3)
1030 			return NULL;
1031 		/* the exponent is too large so it's places further */
1032 		memmove(&int16, key+1, 2);
1033 		exp = ntohs(int16);
1034 		offset = 3;
1035 	} else {
1036 		exp = key[0];
1037 		offset = 1;
1038 	}
1039 
1040 	/* key length at least one */
1041 	if(len < (size_t)offset + exp + 1)
1042 		return NULL;
1043 
1044 	exponent.data = key+offset;
1045 	exponent.len = exp;
1046 	offset += exp;
1047 	modulus.data = key+offset;
1048 	modulus.len = (len - offset);
1049 
1050 	pk = nss_key_create(rsaKey);
1051 	if(!pk)
1052 		return NULL;
1053 	if(SECITEM_CopyItem(pk->arena, &pk->u.rsa.modulus, &modulus)) {
1054 		SECKEY_DestroyPublicKey(pk);
1055 		return NULL;
1056 	}
1057 	if(SECITEM_CopyItem(pk->arena, &pk->u.rsa.publicExponent, &exponent)) {
1058 		SECKEY_DestroyPublicKey(pk);
1059 		return NULL;
1060 	}
1061 	return pk;
1062 }
1063 
1064 /**
1065  * Setup key and digest for verification. Adjust sig if necessary.
1066  *
1067  * @param algo: key algorithm
1068  * @param evp_key: EVP PKEY public key to create.
1069  * @param digest_type: digest type to use
1070  * @param key: key to setup for.
1071  * @param keylen: length of key.
1072  * @param prefix: if returned, the ASN prefix for the hashblob.
1073  * @param prefixlen: length of the prefix.
1074  * @return false on failure.
1075  */
1076 static int
1077 nss_setup_key_digest(int algo, SECKEYPublicKey** pubkey, HASH_HashType* htype,
1078 	unsigned char* key, size_t keylen, unsigned char** prefix,
1079 	size_t* prefixlen)
1080 {
1081 	/* uses libNSS */
1082 
1083 	/* hash prefix for md5, RFC2537 */
1084 	static unsigned char p_md5[] = {0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a,
1085 	0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 0x04, 0x10};
1086 	/* hash prefix to prepend to hash output, from RFC3110 */
1087 	static unsigned char p_sha1[] = {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B,
1088 		0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14};
1089 	/* from RFC5702 */
1090 	static unsigned char p_sha256[] = {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60,
1091 	0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20};
1092 	static unsigned char p_sha512[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60,
1093 	0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40};
1094 	/* from RFC6234 */
1095 	/* for future RSASHA384 ..
1096 	static unsigned char p_sha384[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60,
1097 	0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30};
1098 	*/
1099 
1100 	switch(algo) {
1101 
1102 #if defined(USE_SHA1) || defined(USE_SHA2)
1103 #if defined(USE_DSA) && defined(USE_SHA1)
1104 		case LDNS_DSA:
1105 		case LDNS_DSA_NSEC3:
1106 			*pubkey = nss_buf2dsa(key, keylen);
1107 			if(!*pubkey) {
1108 				log_err("verify: malloc failure in crypto");
1109 				return 0;
1110 			}
1111 			*htype = HASH_AlgSHA1;
1112 			/* no prefix for DSA verification */
1113 			break;
1114 #endif
1115 #ifdef USE_SHA1
1116 		case LDNS_RSASHA1:
1117 		case LDNS_RSASHA1_NSEC3:
1118 #endif
1119 #ifdef USE_SHA2
1120 		case LDNS_RSASHA256:
1121 #endif
1122 #ifdef USE_SHA2
1123 		case LDNS_RSASHA512:
1124 #endif
1125 			*pubkey = nss_buf2rsa(key, keylen);
1126 			if(!*pubkey) {
1127 				log_err("verify: malloc failure in crypto");
1128 				return 0;
1129 			}
1130 			/* select SHA version */
1131 #ifdef USE_SHA2
1132 			if(algo == LDNS_RSASHA256) {
1133 				*htype = HASH_AlgSHA256;
1134 				*prefix = p_sha256;
1135 				*prefixlen = sizeof(p_sha256);
1136 			} else
1137 #endif
1138 #ifdef USE_SHA2
1139 				if(algo == LDNS_RSASHA512) {
1140 				*htype = HASH_AlgSHA512;
1141 				*prefix = p_sha512;
1142 				*prefixlen = sizeof(p_sha512);
1143 			} else
1144 #endif
1145 #ifdef USE_SHA1
1146 			{
1147 				*htype = HASH_AlgSHA1;
1148 				*prefix = p_sha1;
1149 				*prefixlen = sizeof(p_sha1);
1150 			}
1151 #else
1152 			{
1153 				verbose(VERB_QUERY, "verify: no digest algo");
1154 				return 0;
1155 			}
1156 #endif
1157 
1158 			break;
1159 #endif /* SHA1 or SHA2 */
1160 
1161 		case LDNS_RSAMD5:
1162 			*pubkey = nss_buf2rsa(key, keylen);
1163 			if(!*pubkey) {
1164 				log_err("verify: malloc failure in crypto");
1165 				return 0;
1166 			}
1167 			*htype = HASH_AlgMD5;
1168 			*prefix = p_md5;
1169 			*prefixlen = sizeof(p_md5);
1170 
1171 			break;
1172 #ifdef USE_ECDSA
1173 		case LDNS_ECDSAP256SHA256:
1174 			*pubkey = nss_buf2ecdsa(key, keylen,
1175 				LDNS_ECDSAP256SHA256);
1176 			if(!*pubkey) {
1177 				log_err("verify: malloc failure in crypto");
1178 				return 0;
1179 			}
1180 			*htype = HASH_AlgSHA256;
1181 			/* no prefix for DSA verification */
1182 			break;
1183 		case LDNS_ECDSAP384SHA384:
1184 			*pubkey = nss_buf2ecdsa(key, keylen,
1185 				LDNS_ECDSAP384SHA384);
1186 			if(!*pubkey) {
1187 				log_err("verify: malloc failure in crypto");
1188 				return 0;
1189 			}
1190 			*htype = HASH_AlgSHA384;
1191 			/* no prefix for DSA verification */
1192 			break;
1193 #endif /* USE_ECDSA */
1194 		case LDNS_ECC_GOST:
1195 		default:
1196 			verbose(VERB_QUERY, "verify: unknown algorithm %d",
1197 				algo);
1198 			return 0;
1199 	}
1200 	return 1;
1201 }
1202 
1203 /**
1204  * Check a canonical sig+rrset and signature against a dnskey
1205  * @param buf: buffer with data to verify, the first rrsig part and the
1206  *	canonicalized rrset.
1207  * @param algo: DNSKEY algorithm.
1208  * @param sigblock: signature rdata field from RRSIG
1209  * @param sigblock_len: length of sigblock data.
1210  * @param key: public key data from DNSKEY RR.
1211  * @param keylen: length of keydata.
1212  * @param reason: bogus reason in more detail.
1213  * @return secure if verification succeeded, bogus on crypto failure,
1214  *	unchecked on format errors and alloc failures.
1215  */
1216 enum sec_status
1217 verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
1218 	unsigned int sigblock_len, unsigned char* key, unsigned int keylen,
1219 	char** reason)
1220 {
1221 	/* uses libNSS */
1222 	/* large enough for the different hashes */
1223 	unsigned char hash[HASH_LENGTH_MAX];
1224 	unsigned char hash2[HASH_LENGTH_MAX*2];
1225 	HASH_HashType htype = 0;
1226 	SECKEYPublicKey* pubkey = NULL;
1227 	SECItem secsig = {siBuffer, sigblock, sigblock_len};
1228 	SECItem sechash = {siBuffer, hash, 0};
1229 	SECStatus res;
1230 	unsigned char* prefix = NULL; /* prefix for hash, RFC3110, RFC5702 */
1231 	size_t prefixlen = 0;
1232 	int err;
1233 
1234 	if(!nss_setup_key_digest(algo, &pubkey, &htype, key, keylen,
1235 		&prefix, &prefixlen)) {
1236 		verbose(VERB_QUERY, "verify: failed to setup key");
1237 		*reason = "use of key for crypto failed";
1238 		SECKEY_DestroyPublicKey(pubkey);
1239 		return sec_status_bogus;
1240 	}
1241 
1242 #if defined(USE_DSA) && defined(USE_SHA1)
1243 	/* need to convert DSA, ECDSA signatures? */
1244 	if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3)) {
1245 		if(sigblock_len == 1+2*SHA1_LENGTH) {
1246 			secsig.data ++;
1247 			secsig.len --;
1248 		} else {
1249 			SECItem* p = DSAU_DecodeDerSig(&secsig);
1250 			if(!p) {
1251 				verbose(VERB_QUERY, "verify: failed DER decode");
1252 				*reason = "signature DER decode failed";
1253 				SECKEY_DestroyPublicKey(pubkey);
1254 				return sec_status_bogus;
1255 			}
1256 			if(SECITEM_CopyItem(pubkey->arena, &secsig, p)) {
1257 				log_err("alloc failure in DER decode");
1258 				SECKEY_DestroyPublicKey(pubkey);
1259 				SECITEM_FreeItem(p, PR_TRUE);
1260 				return sec_status_unchecked;
1261 			}
1262 			SECITEM_FreeItem(p, PR_TRUE);
1263 		}
1264 	}
1265 #endif /* USE_DSA */
1266 
1267 	/* do the signature cryptography work */
1268 	/* hash the data */
1269 	sechash.len = HASH_ResultLen(htype);
1270 	if(sechash.len > sizeof(hash)) {
1271 		verbose(VERB_QUERY, "verify: hash too large for buffer");
1272 		SECKEY_DestroyPublicKey(pubkey);
1273 		return sec_status_unchecked;
1274 	}
1275 	if(HASH_HashBuf(htype, hash, (unsigned char*)sldns_buffer_begin(buf),
1276 		(unsigned int)sldns_buffer_limit(buf)) != SECSuccess) {
1277 		verbose(VERB_QUERY, "verify: HASH_HashBuf failed");
1278 		SECKEY_DestroyPublicKey(pubkey);
1279 		return sec_status_unchecked;
1280 	}
1281 	if(prefix) {
1282 		int hashlen = sechash.len;
1283 		if(prefixlen+hashlen > sizeof(hash2)) {
1284 			verbose(VERB_QUERY, "verify: hashprefix too large");
1285 			SECKEY_DestroyPublicKey(pubkey);
1286 			return sec_status_unchecked;
1287 		}
1288 		sechash.data = hash2;
1289 		sechash.len = prefixlen+hashlen;
1290 		memcpy(sechash.data, prefix, prefixlen);
1291 		memmove(sechash.data+prefixlen, hash, hashlen);
1292 	}
1293 
1294 	/* verify the signature */
1295 	res = PK11_Verify(pubkey, &secsig, &sechash, NULL /*wincx*/);
1296 	SECKEY_DestroyPublicKey(pubkey);
1297 
1298 	if(res == SECSuccess) {
1299 		return sec_status_secure;
1300 	}
1301 	err = PORT_GetError();
1302 	if(err != SEC_ERROR_BAD_SIGNATURE) {
1303 		/* failed to verify */
1304 		verbose(VERB_QUERY, "verify: PK11_Verify failed: %s",
1305 			PORT_ErrorToString(err));
1306 		/* if it is not supported, like ECC is removed, we get,
1307 		 * SEC_ERROR_NO_MODULE */
1308 		if(err == SEC_ERROR_NO_MODULE)
1309 			return sec_status_unchecked;
1310 		/* but other errors are commonly returned
1311 		 * for a bad signature from NSS.  Thus we return bogus,
1312 		 * not unchecked */
1313 		*reason = "signature crypto failed";
1314 		return sec_status_bogus;
1315 	}
1316 	verbose(VERB_QUERY, "verify: signature mismatch: %s",
1317 		PORT_ErrorToString(err));
1318 	*reason = "signature crypto failed";
1319 	return sec_status_bogus;
1320 }
1321 
1322 #elif defined(HAVE_NETTLE)
1323 
1324 #include "sha.h"
1325 #include "bignum.h"
1326 #include "macros.h"
1327 #include "rsa.h"
1328 #include "dsa.h"
1329 #ifdef HAVE_NETTLE_DSA_COMPAT_H
1330 #include "dsa-compat.h"
1331 #endif
1332 #include "asn1.h"
1333 #ifdef USE_ECDSA
1334 #include "ecdsa.h"
1335 #include "ecc-curve.h"
1336 #endif
1337 #ifdef HAVE_NETTLE_EDDSA_H
1338 #include "eddsa.h"
1339 #endif
1340 
1341 static int
1342 _digest_nettle(int algo, uint8_t* buf, size_t len,
1343 	unsigned char* res)
1344 {
1345 	switch(algo) {
1346 		case SHA1_DIGEST_SIZE:
1347 		{
1348 			struct sha1_ctx ctx;
1349 			sha1_init(&ctx);
1350 			sha1_update(&ctx, len, buf);
1351 			sha1_digest(&ctx, SHA1_DIGEST_SIZE, res);
1352 			return 1;
1353 		}
1354 		case SHA256_DIGEST_SIZE:
1355 		{
1356 			struct sha256_ctx ctx;
1357 			sha256_init(&ctx);
1358 			sha256_update(&ctx, len, buf);
1359 			sha256_digest(&ctx, SHA256_DIGEST_SIZE, res);
1360 			return 1;
1361 		}
1362 		case SHA384_DIGEST_SIZE:
1363 		{
1364 			struct sha384_ctx ctx;
1365 			sha384_init(&ctx);
1366 			sha384_update(&ctx, len, buf);
1367 			sha384_digest(&ctx, SHA384_DIGEST_SIZE, res);
1368 			return 1;
1369 		}
1370 		case SHA512_DIGEST_SIZE:
1371 		{
1372 			struct sha512_ctx ctx;
1373 			sha512_init(&ctx);
1374 			sha512_update(&ctx, len, buf);
1375 			sha512_digest(&ctx, SHA512_DIGEST_SIZE, res);
1376 			return 1;
1377 		}
1378 		default:
1379 			break;
1380 	}
1381 	return 0;
1382 }
1383 
1384 /* return size of digest if supported, or 0 otherwise */
1385 size_t
1386 nsec3_hash_algo_size_supported(int id)
1387 {
1388 	switch(id) {
1389 	case NSEC3_HASH_SHA1:
1390 		return SHA1_DIGEST_SIZE;
1391 	default:
1392 		return 0;
1393 	}
1394 }
1395 
1396 /* perform nsec3 hash. return false on failure */
1397 int
1398 secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
1399         unsigned char* res)
1400 {
1401 	switch(algo) {
1402 	case NSEC3_HASH_SHA1:
1403 		return _digest_nettle(SHA1_DIGEST_SIZE, (uint8_t*)buf, len,
1404 			res);
1405 	default:
1406 		return 0;
1407 	}
1408 }
1409 
1410 void
1411 secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res)
1412 {
1413 	_digest_nettle(SHA256_DIGEST_SIZE, (uint8_t*)buf, len, res);
1414 }
1415 
1416 /**
1417  * Return size of DS digest according to its hash algorithm.
1418  * @param algo: DS digest algo.
1419  * @return size in bytes of digest, or 0 if not supported.
1420  */
1421 size_t
1422 ds_digest_size_supported(int algo)
1423 {
1424 	switch(algo) {
1425 		case LDNS_SHA1:
1426 #ifdef USE_SHA1
1427 			return SHA1_DIGEST_SIZE;
1428 #else
1429 			if(fake_sha1) return 20;
1430 			return 0;
1431 #endif
1432 #ifdef USE_SHA2
1433 		case LDNS_SHA256:
1434 			return SHA256_DIGEST_SIZE;
1435 #endif
1436 #ifdef USE_ECDSA
1437 		case LDNS_SHA384:
1438 			return SHA384_DIGEST_SIZE;
1439 #endif
1440 		/* GOST not supported */
1441 		case LDNS_HASH_GOST:
1442 		default:
1443 			break;
1444 	}
1445 	return 0;
1446 }
1447 
1448 int
1449 secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
1450 	unsigned char* res)
1451 {
1452 	switch(algo) {
1453 #ifdef USE_SHA1
1454 		case LDNS_SHA1:
1455 			return _digest_nettle(SHA1_DIGEST_SIZE, buf, len, res);
1456 #endif
1457 #if defined(USE_SHA2)
1458 		case LDNS_SHA256:
1459 			return _digest_nettle(SHA256_DIGEST_SIZE, buf, len, res);
1460 #endif
1461 #ifdef USE_ECDSA
1462 		case LDNS_SHA384:
1463 			return _digest_nettle(SHA384_DIGEST_SIZE, buf, len, res);
1464 
1465 #endif
1466 		case LDNS_HASH_GOST:
1467 		default:
1468 			verbose(VERB_QUERY, "unknown DS digest algorithm %d",
1469 				algo);
1470 			break;
1471 	}
1472 	return 0;
1473 }
1474 
1475 int
1476 dnskey_algo_id_is_supported(int id)
1477 {
1478 	/* uses libnettle */
1479 	switch(id) {
1480 #if defined(USE_DSA) && defined(USE_SHA1)
1481 	case LDNS_DSA:
1482 	case LDNS_DSA_NSEC3:
1483 #endif
1484 #ifdef USE_SHA1
1485 	case LDNS_RSASHA1:
1486 	case LDNS_RSASHA1_NSEC3:
1487 #endif
1488 #ifdef USE_SHA2
1489 	case LDNS_RSASHA256:
1490 	case LDNS_RSASHA512:
1491 #endif
1492 #ifdef USE_ECDSA
1493 	case LDNS_ECDSAP256SHA256:
1494 	case LDNS_ECDSAP384SHA384:
1495 #endif
1496 		return 1;
1497 #ifdef USE_ED25519
1498 	case LDNS_ED25519:
1499 		return 1;
1500 #endif
1501 	case LDNS_RSAMD5: /* RFC 6725 deprecates RSAMD5 */
1502 	case LDNS_ECC_GOST:
1503 	default:
1504 		return 0;
1505 	}
1506 }
1507 
1508 #if defined(USE_DSA) && defined(USE_SHA1)
1509 static char *
1510 _verify_nettle_dsa(sldns_buffer* buf, unsigned char* sigblock,
1511 	unsigned int sigblock_len, unsigned char* key, unsigned int keylen)
1512 {
1513 	uint8_t digest[SHA1_DIGEST_SIZE];
1514 	uint8_t key_t_value;
1515 	int res = 0;
1516 	size_t offset;
1517 	struct dsa_public_key pubkey;
1518 	struct dsa_signature signature;
1519 	unsigned int expected_len;
1520 
1521 	/* Extract DSA signature from the record */
1522 	nettle_dsa_signature_init(&signature);
1523 	/* Signature length: 41 bytes - RFC 2536 sec. 3 */
1524 	if(sigblock_len == 41) {
1525 		if(key[0] != sigblock[0])
1526 			return "invalid T value in DSA signature or pubkey";
1527 		nettle_mpz_set_str_256_u(signature.r, 20, sigblock+1);
1528 		nettle_mpz_set_str_256_u(signature.s, 20, sigblock+1+20);
1529 	} else {
1530 		/* DER encoded, decode the ASN1 notated R and S bignums */
1531 		/* SEQUENCE { r INTEGER, s INTEGER } */
1532 		struct asn1_der_iterator i, seq;
1533 		if(asn1_der_iterator_first(&i, sigblock_len,
1534 			(uint8_t*)sigblock) != ASN1_ITERATOR_CONSTRUCTED
1535 			|| i.type != ASN1_SEQUENCE)
1536 			return "malformed DER encoded DSA signature";
1537 		/* decode this element of i using the seq iterator */
1538 		if(asn1_der_decode_constructed(&i, &seq) !=
1539 			ASN1_ITERATOR_PRIMITIVE || seq.type != ASN1_INTEGER)
1540 			return "malformed DER encoded DSA signature";
1541 		if(!asn1_der_get_bignum(&seq, signature.r, 20*8))
1542 			return "malformed DER encoded DSA signature";
1543 		if(asn1_der_iterator_next(&seq) != ASN1_ITERATOR_PRIMITIVE
1544 			|| seq.type != ASN1_INTEGER)
1545 			return "malformed DER encoded DSA signature";
1546 		if(!asn1_der_get_bignum(&seq, signature.s, 20*8))
1547 			return "malformed DER encoded DSA signature";
1548 		if(asn1_der_iterator_next(&i) != ASN1_ITERATOR_END)
1549 			return "malformed DER encoded DSA signature";
1550 	}
1551 
1552 	/* Validate T values constraints - RFC 2536 sec. 2 & sec. 3 */
1553 	key_t_value = key[0];
1554 	if (key_t_value > 8) {
1555 		return "invalid T value in DSA pubkey";
1556 	}
1557 
1558 	/* Pubkey minimum length: 21 bytes - RFC 2536 sec. 2 */
1559 	if (keylen < 21) {
1560 		return "DSA pubkey too short";
1561 	}
1562 
1563 	expected_len =   1 +		/* T */
1564 		        20 +		/* Q */
1565 		       (64 + key_t_value*8) +	/* P */
1566 		       (64 + key_t_value*8) +	/* G */
1567 		       (64 + key_t_value*8);	/* Y */
1568 	if (keylen != expected_len ) {
1569 		return "invalid DSA pubkey length";
1570 	}
1571 
1572 	/* Extract DSA pubkey from the record */
1573 	nettle_dsa_public_key_init(&pubkey);
1574 	offset = 1;
1575 	nettle_mpz_set_str_256_u(pubkey.q, 20, key+offset);
1576 	offset += 20;
1577 	nettle_mpz_set_str_256_u(pubkey.p, (64 + key_t_value*8), key+offset);
1578 	offset += (64 + key_t_value*8);
1579 	nettle_mpz_set_str_256_u(pubkey.g, (64 + key_t_value*8), key+offset);
1580 	offset += (64 + key_t_value*8);
1581 	nettle_mpz_set_str_256_u(pubkey.y, (64 + key_t_value*8), key+offset);
1582 
1583 	/* Digest content of "buf" and verify its DSA signature in "sigblock"*/
1584 	res = _digest_nettle(SHA1_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1585 						(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1586 	res &= dsa_sha1_verify_digest(&pubkey, digest, &signature);
1587 
1588 	/* Clear and return */
1589 	nettle_dsa_signature_clear(&signature);
1590 	nettle_dsa_public_key_clear(&pubkey);
1591 	if (!res)
1592 		return "DSA signature verification failed";
1593 	else
1594 		return NULL;
1595 }
1596 #endif /* USE_DSA */
1597 
1598 static char *
1599 _verify_nettle_rsa(sldns_buffer* buf, unsigned int digest_size, char* sigblock,
1600 	unsigned int sigblock_len, uint8_t* key, unsigned int keylen)
1601 {
1602 	uint16_t exp_len = 0;
1603 	size_t exp_offset = 0, mod_offset = 0;
1604 	struct rsa_public_key pubkey;
1605 	mpz_t signature;
1606 	int res = 0;
1607 
1608 	/* RSA pubkey parsing as per RFC 3110 sec. 2 */
1609 	if( keylen <= 1) {
1610 		return "null RSA key";
1611 	}
1612 	if (key[0] != 0) {
1613 		/* 1-byte length */
1614 		exp_len = key[0];
1615 		exp_offset = 1;
1616 	} else {
1617 		/* 1-byte NUL + 2-bytes exponent length */
1618 		if (keylen < 3) {
1619 			return "incorrect RSA key length";
1620 		}
1621 		exp_len = READ_UINT16(key+1);
1622 		if (exp_len == 0)
1623 			return "null RSA exponent length";
1624 		exp_offset = 3;
1625 	}
1626 	/* Check that we are not over-running input length */
1627 	if (keylen < exp_offset + exp_len + 1) {
1628 		return "RSA key content shorter than expected";
1629 	}
1630 	mod_offset = exp_offset + exp_len;
1631 	nettle_rsa_public_key_init(&pubkey);
1632 	pubkey.size = keylen - mod_offset;
1633 	nettle_mpz_set_str_256_u(pubkey.e, exp_len, &key[exp_offset]);
1634 	nettle_mpz_set_str_256_u(pubkey.n, pubkey.size, &key[mod_offset]);
1635 
1636 	/* Digest content of "buf" and verify its RSA signature in "sigblock"*/
1637 	nettle_mpz_init_set_str_256_u(signature, sigblock_len, (uint8_t*)sigblock);
1638 	switch (digest_size) {
1639 		case SHA1_DIGEST_SIZE:
1640 		{
1641 			uint8_t digest[SHA1_DIGEST_SIZE];
1642 			res = _digest_nettle(SHA1_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1643 						(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1644 			res &= rsa_sha1_verify_digest(&pubkey, digest, signature);
1645 			break;
1646 		}
1647 		case SHA256_DIGEST_SIZE:
1648 		{
1649 			uint8_t digest[SHA256_DIGEST_SIZE];
1650 			res = _digest_nettle(SHA256_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1651 						(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1652 			res &= rsa_sha256_verify_digest(&pubkey, digest, signature);
1653 			break;
1654 		}
1655 		case SHA512_DIGEST_SIZE:
1656 		{
1657 			uint8_t digest[SHA512_DIGEST_SIZE];
1658 			res = _digest_nettle(SHA512_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1659 						(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1660 			res &= rsa_sha512_verify_digest(&pubkey, digest, signature);
1661 			break;
1662 		}
1663 		default:
1664 			break;
1665 	}
1666 
1667 	/* Clear and return */
1668 	nettle_rsa_public_key_clear(&pubkey);
1669 	mpz_clear(signature);
1670 	if (!res) {
1671 		return "RSA signature verification failed";
1672 	} else {
1673 		return NULL;
1674 	}
1675 }
1676 
1677 #ifdef USE_ECDSA
1678 static char *
1679 _verify_nettle_ecdsa(sldns_buffer* buf, unsigned int digest_size, unsigned char* sigblock,
1680 	unsigned int sigblock_len, unsigned char* key, unsigned int keylen)
1681 {
1682 	int res = 0;
1683 	struct ecc_point pubkey;
1684 	struct dsa_signature signature;
1685 
1686 	/* Always matched strength, as per RFC 6605 sec. 1 */
1687 	if (sigblock_len != 2*digest_size || keylen != 2*digest_size) {
1688 		return "wrong ECDSA signature length";
1689 	}
1690 
1691 	/* Parse ECDSA signature as per RFC 6605 sec. 4 */
1692 	nettle_dsa_signature_init(&signature);
1693 	switch (digest_size) {
1694 		case SHA256_DIGEST_SIZE:
1695 		{
1696 			uint8_t digest[SHA256_DIGEST_SIZE];
1697 			mpz_t x, y;
1698 			nettle_ecc_point_init(&pubkey, &nettle_secp_256r1);
1699 			nettle_mpz_init_set_str_256_u(x, SHA256_DIGEST_SIZE, key);
1700 			nettle_mpz_init_set_str_256_u(y, SHA256_DIGEST_SIZE, key+SHA256_DIGEST_SIZE);
1701 			nettle_mpz_set_str_256_u(signature.r, SHA256_DIGEST_SIZE, sigblock);
1702 			nettle_mpz_set_str_256_u(signature.s, SHA256_DIGEST_SIZE, sigblock+SHA256_DIGEST_SIZE);
1703 			res = _digest_nettle(SHA256_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1704 						(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1705 			res &= nettle_ecc_point_set(&pubkey, x, y);
1706 			res &= nettle_ecdsa_verify (&pubkey, SHA256_DIGEST_SIZE, digest, &signature);
1707 			mpz_clear(x);
1708 			mpz_clear(y);
1709 			break;
1710 		}
1711 		case SHA384_DIGEST_SIZE:
1712 		{
1713 			uint8_t digest[SHA384_DIGEST_SIZE];
1714 			mpz_t x, y;
1715 			nettle_ecc_point_init(&pubkey, &nettle_secp_384r1);
1716 			nettle_mpz_init_set_str_256_u(x, SHA384_DIGEST_SIZE, key);
1717 			nettle_mpz_init_set_str_256_u(y, SHA384_DIGEST_SIZE, key+SHA384_DIGEST_SIZE);
1718 			nettle_mpz_set_str_256_u(signature.r, SHA384_DIGEST_SIZE, sigblock);
1719 			nettle_mpz_set_str_256_u(signature.s, SHA384_DIGEST_SIZE, sigblock+SHA384_DIGEST_SIZE);
1720 			res = _digest_nettle(SHA384_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1721 						(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1722 			res &= nettle_ecc_point_set(&pubkey, x, y);
1723 			res &= nettle_ecdsa_verify (&pubkey, SHA384_DIGEST_SIZE, digest, &signature);
1724 			mpz_clear(x);
1725 			mpz_clear(y);
1726 			nettle_ecc_point_clear(&pubkey);
1727 			break;
1728 		}
1729 		default:
1730 			return "unknown ECDSA algorithm";
1731 	}
1732 
1733 	/* Clear and return */
1734 	nettle_dsa_signature_clear(&signature);
1735 	if (!res)
1736 		return "ECDSA signature verification failed";
1737 	else
1738 		return NULL;
1739 }
1740 #endif
1741 
1742 #ifdef USE_ED25519
1743 static char *
1744 _verify_nettle_ed25519(sldns_buffer* buf, unsigned char* sigblock,
1745 	unsigned int sigblock_len, unsigned char* key, unsigned int keylen)
1746 {
1747 	int res = 0;
1748 
1749 	if(sigblock_len != ED25519_SIGNATURE_SIZE) {
1750 		return "wrong ED25519 signature length";
1751 	}
1752 	if(keylen != ED25519_KEY_SIZE) {
1753 		return "wrong ED25519 key length";
1754 	}
1755 
1756 	res = ed25519_sha512_verify((uint8_t*)key, sldns_buffer_limit(buf),
1757 		sldns_buffer_begin(buf), (uint8_t*)sigblock);
1758 
1759 	if (!res)
1760 		return "ED25519 signature verification failed";
1761 	else
1762 		return NULL;
1763 }
1764 #endif
1765 
1766 /**
1767  * Check a canonical sig+rrset and signature against a dnskey
1768  * @param buf: buffer with data to verify, the first rrsig part and the
1769  *	canonicalized rrset.
1770  * @param algo: DNSKEY algorithm.
1771  * @param sigblock: signature rdata field from RRSIG
1772  * @param sigblock_len: length of sigblock data.
1773  * @param key: public key data from DNSKEY RR.
1774  * @param keylen: length of keydata.
1775  * @param reason: bogus reason in more detail.
1776  * @return secure if verification succeeded, bogus on crypto failure,
1777  *	unchecked on format errors and alloc failures.
1778  */
1779 enum sec_status
1780 verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
1781 	unsigned int sigblock_len, unsigned char* key, unsigned int keylen,
1782 	char** reason)
1783 {
1784 	unsigned int digest_size = 0;
1785 
1786 	if (sigblock_len == 0 || keylen == 0) {
1787 		*reason = "null signature";
1788 		return sec_status_bogus;
1789 	}
1790 
1791 	switch(algo) {
1792 #if defined(USE_DSA) && defined(USE_SHA1)
1793 	case LDNS_DSA:
1794 	case LDNS_DSA_NSEC3:
1795 		*reason = _verify_nettle_dsa(buf, sigblock, sigblock_len, key, keylen);
1796 		if (*reason != NULL)
1797 			return sec_status_bogus;
1798 		else
1799 			return sec_status_secure;
1800 #endif /* USE_DSA */
1801 
1802 #ifdef USE_SHA1
1803 	case LDNS_RSASHA1:
1804 	case LDNS_RSASHA1_NSEC3:
1805 		digest_size = (digest_size ? digest_size : SHA1_DIGEST_SIZE);
1806 #endif
1807 		/* double fallthrough annotation to please gcc parser */
1808 		/* fallthrough */
1809 #ifdef USE_SHA2
1810 		/* fallthrough */
1811 	case LDNS_RSASHA256:
1812 		digest_size = (digest_size ? digest_size : SHA256_DIGEST_SIZE);
1813 		/* fallthrough */
1814 	case LDNS_RSASHA512:
1815 		digest_size = (digest_size ? digest_size : SHA512_DIGEST_SIZE);
1816 
1817 #endif
1818 		*reason = _verify_nettle_rsa(buf, digest_size, (char*)sigblock,
1819 						sigblock_len, key, keylen);
1820 		if (*reason != NULL)
1821 			return sec_status_bogus;
1822 		else
1823 			return sec_status_secure;
1824 
1825 #ifdef USE_ECDSA
1826 	case LDNS_ECDSAP256SHA256:
1827 		digest_size = (digest_size ? digest_size : SHA256_DIGEST_SIZE);
1828 		/* fallthrough */
1829 	case LDNS_ECDSAP384SHA384:
1830 		digest_size = (digest_size ? digest_size : SHA384_DIGEST_SIZE);
1831 		*reason = _verify_nettle_ecdsa(buf, digest_size, sigblock,
1832 						sigblock_len, key, keylen);
1833 		if (*reason != NULL)
1834 			return sec_status_bogus;
1835 		else
1836 			return sec_status_secure;
1837 #endif
1838 #ifdef USE_ED25519
1839 	case LDNS_ED25519:
1840 		*reason = _verify_nettle_ed25519(buf, sigblock, sigblock_len,
1841 			key, keylen);
1842 		if (*reason != NULL)
1843 			return sec_status_bogus;
1844 		else
1845 			return sec_status_secure;
1846 #endif
1847 	case LDNS_RSAMD5:
1848 	case LDNS_ECC_GOST:
1849 	default:
1850 		*reason = "unable to verify signature, unknown algorithm";
1851 		return sec_status_bogus;
1852 	}
1853 }
1854 
1855 #endif /* HAVE_SSL or HAVE_NSS or HAVE_NETTLE */
1856