xref: /freebsd/contrib/unbound/validator/val_secalgo.c (revision faf139cc5dd3396181c11922bc6685c0c59b7b24)
1 /*
2  * validator/val_secalgo.c - validator security algorithm functions.
3  *
4  * Copyright (c) 2012, NLnet Labs. All rights reserved.
5  *
6  * This software is open source.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * Redistributions of source code must retain the above copyright notice,
13  * this list of conditions and the following disclaimer.
14  *
15  * Redistributions in binary form must reproduce the above copyright notice,
16  * this list of conditions and the following disclaimer in the documentation
17  * and/or other materials provided with the distribution.
18  *
19  * Neither the name of the NLNET LABS nor the names of its contributors may
20  * be used to endorse or promote products derived from this software without
21  * specific prior written permission.
22  *
23  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26  * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27  * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29  * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31  * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32  * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34  */
35 
36 /**
37  * \file
38  *
39  * This file contains helper functions for the validator module.
40  * These functions take raw data buffers, formatted for crypto verification,
41  * and do the library calls (for the crypto library in use).
42  */
43 #include "config.h"
44 /* packed_rrset on top to define enum types (forced by c99 standard) */
45 #include "util/data/packed_rrset.h"
46 #include "validator/val_secalgo.h"
47 #include "validator/val_nsec3.h"
48 #include "util/log.h"
49 #include "sldns/rrdef.h"
50 #include "sldns/keyraw.h"
51 #include "sldns/sbuffer.h"
52 
53 #if !defined(HAVE_SSL) && !defined(HAVE_NSS) && !defined(HAVE_NETTLE)
54 #error "Need crypto library to do digital signature cryptography"
55 #endif
56 
57 /* OpenSSL implementation */
58 #ifdef HAVE_SSL
59 #ifdef HAVE_OPENSSL_ERR_H
60 #include <openssl/err.h>
61 #endif
62 
63 #ifdef HAVE_OPENSSL_RAND_H
64 #include <openssl/rand.h>
65 #endif
66 
67 #ifdef HAVE_OPENSSL_CONF_H
68 #include <openssl/conf.h>
69 #endif
70 
71 #ifdef HAVE_OPENSSL_ENGINE_H
72 #include <openssl/engine.h>
73 #endif
74 
75 /* return size of digest if supported, or 0 otherwise */
76 size_t
77 nsec3_hash_algo_size_supported(int id)
78 {
79 	switch(id) {
80 	case NSEC3_HASH_SHA1:
81 		return SHA_DIGEST_LENGTH;
82 	default:
83 		return 0;
84 	}
85 }
86 
87 /* perform nsec3 hash. return false on failure */
88 int
89 secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
90         unsigned char* res)
91 {
92 	switch(algo) {
93 	case NSEC3_HASH_SHA1:
94 		(void)SHA1(buf, len, res);
95 		return 1;
96 	default:
97 		return 0;
98 	}
99 }
100 
101 /**
102  * Return size of DS digest according to its hash algorithm.
103  * @param algo: DS digest algo.
104  * @return size in bytes of digest, or 0 if not supported.
105  */
106 size_t
107 ds_digest_size_supported(int algo)
108 {
109 	switch(algo) {
110 #ifdef HAVE_EVP_SHA1
111 		case LDNS_SHA1:
112 			return SHA_DIGEST_LENGTH;
113 #endif
114 #ifdef HAVE_EVP_SHA256
115 		case LDNS_SHA256:
116 			return SHA256_DIGEST_LENGTH;
117 #endif
118 #ifdef USE_GOST
119 		case LDNS_HASH_GOST:
120 			/* we support GOST if it can be loaded */
121 			(void)sldns_key_EVP_load_gost_id();
122 			if(EVP_get_digestbyname("md_gost94"))
123 				return 32;
124 			else	return 0;
125 #endif
126 #ifdef USE_ECDSA
127 		case LDNS_SHA384:
128 			return SHA384_DIGEST_LENGTH;
129 #endif
130 		default: break;
131 	}
132 	return 0;
133 }
134 
135 #ifdef USE_GOST
136 /** Perform GOST hash */
137 static int
138 do_gost94(unsigned char* data, size_t len, unsigned char* dest)
139 {
140 	const EVP_MD* md = EVP_get_digestbyname("md_gost94");
141 	if(!md)
142 		return 0;
143 	return sldns_digest_evp(data, (unsigned int)len, dest, md);
144 }
145 #endif
146 
147 int
148 secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
149 	unsigned char* res)
150 {
151 	switch(algo) {
152 #ifdef HAVE_EVP_SHA1
153 		case LDNS_SHA1:
154 			(void)SHA1(buf, len, res);
155 			return 1;
156 #endif
157 #ifdef HAVE_EVP_SHA256
158 		case LDNS_SHA256:
159 			(void)SHA256(buf, len, res);
160 			return 1;
161 #endif
162 #ifdef USE_GOST
163 		case LDNS_HASH_GOST:
164 			if(do_gost94(buf, len, res))
165 				return 1;
166 			break;
167 #endif
168 #ifdef USE_ECDSA
169 		case LDNS_SHA384:
170 			(void)SHA384(buf, len, res);
171 			return 1;
172 #endif
173 		default:
174 			verbose(VERB_QUERY, "unknown DS digest algorithm %d",
175 				algo);
176 			break;
177 	}
178 	return 0;
179 }
180 
181 /** return true if DNSKEY algorithm id is supported */
182 int
183 dnskey_algo_id_is_supported(int id)
184 {
185 	switch(id) {
186 	case LDNS_RSAMD5:
187 		/* RFC 6725 deprecates RSAMD5 */
188 		return 0;
189 	case LDNS_DSA:
190 	case LDNS_DSA_NSEC3:
191 	case LDNS_RSASHA1:
192 	case LDNS_RSASHA1_NSEC3:
193 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
194 	case LDNS_RSASHA256:
195 #endif
196 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
197 	case LDNS_RSASHA512:
198 #endif
199 #ifdef USE_ECDSA
200 	case LDNS_ECDSAP256SHA256:
201 	case LDNS_ECDSAP384SHA384:
202 #endif
203 		return 1;
204 #ifdef USE_GOST
205 	case LDNS_ECC_GOST:
206 		/* we support GOST if it can be loaded */
207 		return sldns_key_EVP_load_gost_id();
208 #endif
209 	default:
210 		return 0;
211 	}
212 }
213 
214 /**
215  * Output a libcrypto openssl error to the logfile.
216  * @param str: string to add to it.
217  * @param e: the error to output, error number from ERR_get_error().
218  */
219 static void
220 log_crypto_error(const char* str, unsigned long e)
221 {
222 	char buf[128];
223 	/* or use ERR_error_string if ERR_error_string_n is not avail TODO */
224 	ERR_error_string_n(e, buf, sizeof(buf));
225 	/* buf now contains */
226 	/* error:[error code]:[library name]:[function name]:[reason string] */
227 	log_err("%s crypto %s", str, buf);
228 }
229 
230 /**
231  * Setup DSA key digest in DER encoding ...
232  * @param sig: input is signature output alloced ptr (unless failure).
233  * 	caller must free alloced ptr if this routine returns true.
234  * @param len: input is initial siglen, output is output len.
235  * @return false on failure.
236  */
237 static int
238 setup_dsa_sig(unsigned char** sig, unsigned int* len)
239 {
240 	unsigned char* orig = *sig;
241 	unsigned int origlen = *len;
242 	int newlen;
243 	BIGNUM *R, *S;
244 	DSA_SIG *dsasig;
245 
246 	/* extract the R and S field from the sig buffer */
247 	if(origlen < 1 + 2*SHA_DIGEST_LENGTH)
248 		return 0;
249 	R = BN_new();
250 	if(!R) return 0;
251 	(void) BN_bin2bn(orig + 1, SHA_DIGEST_LENGTH, R);
252 	S = BN_new();
253 	if(!S) return 0;
254 	(void) BN_bin2bn(orig + 21, SHA_DIGEST_LENGTH, S);
255 	dsasig = DSA_SIG_new();
256 	if(!dsasig) return 0;
257 
258 	dsasig->r = R;
259 	dsasig->s = S;
260 	*sig = NULL;
261 	newlen = i2d_DSA_SIG(dsasig, sig);
262 	if(newlen < 0) {
263 		DSA_SIG_free(dsasig);
264 		free(*sig);
265 		return 0;
266 	}
267 	*len = (unsigned int)newlen;
268 	DSA_SIG_free(dsasig);
269 	return 1;
270 }
271 
272 #ifdef USE_ECDSA
273 /**
274  * Setup the ECDSA signature in its encoding that the library wants.
275  * Converts from plain numbers to ASN formatted.
276  * @param sig: input is signature, output alloced ptr (unless failure).
277  * 	caller must free alloced ptr if this routine returns true.
278  * @param len: input is initial siglen, output is output len.
279  * @return false on failure.
280  */
281 static int
282 setup_ecdsa_sig(unsigned char** sig, unsigned int* len)
283 {
284 	ECDSA_SIG* ecdsa_sig;
285 	int newlen;
286 	int bnsize = (int)((*len)/2);
287 	/* if too short or not even length, fails */
288 	if(*len < 16 || bnsize*2 != (int)*len)
289 		return 0;
290 	/* use the raw data to parse two evenly long BIGNUMs, "r | s". */
291 	ecdsa_sig = ECDSA_SIG_new();
292 	if(!ecdsa_sig) return 0;
293 	ecdsa_sig->r = BN_bin2bn(*sig, bnsize, ecdsa_sig->r);
294 	ecdsa_sig->s = BN_bin2bn(*sig+bnsize, bnsize, ecdsa_sig->s);
295 	if(!ecdsa_sig->r || !ecdsa_sig->s) {
296 		ECDSA_SIG_free(ecdsa_sig);
297 		return 0;
298 	}
299 
300 	/* spool it into ASN format */
301 	*sig = NULL;
302 	newlen = i2d_ECDSA_SIG(ecdsa_sig, sig);
303 	if(newlen <= 0) {
304 		ECDSA_SIG_free(ecdsa_sig);
305 		free(*sig);
306 		return 0;
307 	}
308 	*len = (unsigned int)newlen;
309 	ECDSA_SIG_free(ecdsa_sig);
310 	return 1;
311 }
312 #endif /* USE_ECDSA */
313 
314 /**
315  * Setup key and digest for verification. Adjust sig if necessary.
316  *
317  * @param algo: key algorithm
318  * @param evp_key: EVP PKEY public key to create.
319  * @param digest_type: digest type to use
320  * @param key: key to setup for.
321  * @param keylen: length of key.
322  * @return false on failure.
323  */
324 static int
325 setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type,
326 	unsigned char* key, size_t keylen)
327 {
328 	DSA* dsa;
329 	RSA* rsa;
330 
331 	switch(algo) {
332 		case LDNS_DSA:
333 		case LDNS_DSA_NSEC3:
334 			*evp_key = EVP_PKEY_new();
335 			if(!*evp_key) {
336 				log_err("verify: malloc failure in crypto");
337 				return 0;
338 			}
339 			dsa = sldns_key_buf2dsa_raw(key, keylen);
340 			if(!dsa) {
341 				verbose(VERB_QUERY, "verify: "
342 					"sldns_key_buf2dsa_raw failed");
343 				return 0;
344 			}
345 			if(EVP_PKEY_assign_DSA(*evp_key, dsa) == 0) {
346 				verbose(VERB_QUERY, "verify: "
347 					"EVP_PKEY_assign_DSA failed");
348 				return 0;
349 			}
350 			*digest_type = EVP_dss1();
351 
352 			break;
353 		case LDNS_RSASHA1:
354 		case LDNS_RSASHA1_NSEC3:
355 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
356 		case LDNS_RSASHA256:
357 #endif
358 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
359 		case LDNS_RSASHA512:
360 #endif
361 			*evp_key = EVP_PKEY_new();
362 			if(!*evp_key) {
363 				log_err("verify: malloc failure in crypto");
364 				return 0;
365 			}
366 			rsa = sldns_key_buf2rsa_raw(key, keylen);
367 			if(!rsa) {
368 				verbose(VERB_QUERY, "verify: "
369 					"sldns_key_buf2rsa_raw SHA failed");
370 				return 0;
371 			}
372 			if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) {
373 				verbose(VERB_QUERY, "verify: "
374 					"EVP_PKEY_assign_RSA SHA failed");
375 				return 0;
376 			}
377 
378 			/* select SHA version */
379 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
380 			if(algo == LDNS_RSASHA256)
381 				*digest_type = EVP_sha256();
382 			else
383 #endif
384 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
385 				if(algo == LDNS_RSASHA512)
386 				*digest_type = EVP_sha512();
387 			else
388 #endif
389 				*digest_type = EVP_sha1();
390 
391 			break;
392 		case LDNS_RSAMD5:
393 			*evp_key = EVP_PKEY_new();
394 			if(!*evp_key) {
395 				log_err("verify: malloc failure in crypto");
396 				return 0;
397 			}
398 			rsa = sldns_key_buf2rsa_raw(key, keylen);
399 			if(!rsa) {
400 				verbose(VERB_QUERY, "verify: "
401 					"sldns_key_buf2rsa_raw MD5 failed");
402 				return 0;
403 			}
404 			if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) {
405 				verbose(VERB_QUERY, "verify: "
406 					"EVP_PKEY_assign_RSA MD5 failed");
407 				return 0;
408 			}
409 			*digest_type = EVP_md5();
410 
411 			break;
412 #ifdef USE_GOST
413 		case LDNS_ECC_GOST:
414 			*evp_key = sldns_gost2pkey_raw(key, keylen);
415 			if(!*evp_key) {
416 				verbose(VERB_QUERY, "verify: "
417 					"sldns_gost2pkey_raw failed");
418 				return 0;
419 			}
420 			*digest_type = EVP_get_digestbyname("md_gost94");
421 			if(!*digest_type) {
422 				verbose(VERB_QUERY, "verify: "
423 					"EVP_getdigest md_gost94 failed");
424 				return 0;
425 			}
426 			break;
427 #endif
428 #ifdef USE_ECDSA
429 		case LDNS_ECDSAP256SHA256:
430 			*evp_key = sldns_ecdsa2pkey_raw(key, keylen,
431 				LDNS_ECDSAP256SHA256);
432 			if(!*evp_key) {
433 				verbose(VERB_QUERY, "verify: "
434 					"sldns_ecdsa2pkey_raw failed");
435 				return 0;
436 			}
437 #ifdef USE_ECDSA_EVP_WORKAROUND
438 			/* openssl before 1.0.0 fixes RSA with the SHA256
439 			 * hash in EVP.  We create one for ecdsa_sha256 */
440 			{
441 				static int md_ecdsa_256_done = 0;
442 				static EVP_MD md;
443 				if(!md_ecdsa_256_done) {
444 					EVP_MD m = *EVP_sha256();
445 					md_ecdsa_256_done = 1;
446 					m.required_pkey_type[0] = (*evp_key)->type;
447 					m.verify = (void*)ECDSA_verify;
448 					md = m;
449 				}
450 				*digest_type = &md;
451 			}
452 #else
453 			*digest_type = EVP_sha256();
454 #endif
455 			break;
456 		case LDNS_ECDSAP384SHA384:
457 			*evp_key = sldns_ecdsa2pkey_raw(key, keylen,
458 				LDNS_ECDSAP384SHA384);
459 			if(!*evp_key) {
460 				verbose(VERB_QUERY, "verify: "
461 					"sldns_ecdsa2pkey_raw failed");
462 				return 0;
463 			}
464 #ifdef USE_ECDSA_EVP_WORKAROUND
465 			/* openssl before 1.0.0 fixes RSA with the SHA384
466 			 * hash in EVP.  We create one for ecdsa_sha384 */
467 			{
468 				static int md_ecdsa_384_done = 0;
469 				static EVP_MD md;
470 				if(!md_ecdsa_384_done) {
471 					EVP_MD m = *EVP_sha384();
472 					md_ecdsa_384_done = 1;
473 					m.required_pkey_type[0] = (*evp_key)->type;
474 					m.verify = (void*)ECDSA_verify;
475 					md = m;
476 				}
477 				*digest_type = &md;
478 			}
479 #else
480 			*digest_type = EVP_sha384();
481 #endif
482 			break;
483 #endif /* USE_ECDSA */
484 		default:
485 			verbose(VERB_QUERY, "verify: unknown algorithm %d",
486 				algo);
487 			return 0;
488 	}
489 	return 1;
490 }
491 
492 /**
493  * Check a canonical sig+rrset and signature against a dnskey
494  * @param buf: buffer with data to verify, the first rrsig part and the
495  *	canonicalized rrset.
496  * @param algo: DNSKEY algorithm.
497  * @param sigblock: signature rdata field from RRSIG
498  * @param sigblock_len: length of sigblock data.
499  * @param key: public key data from DNSKEY RR.
500  * @param keylen: length of keydata.
501  * @param reason: bogus reason in more detail.
502  * @return secure if verification succeeded, bogus on crypto failure,
503  *	unchecked on format errors and alloc failures.
504  */
505 enum sec_status
506 verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
507 	unsigned int sigblock_len, unsigned char* key, unsigned int keylen,
508 	char** reason)
509 {
510 	const EVP_MD *digest_type;
511 	EVP_MD_CTX ctx;
512 	int res, dofree = 0;
513 	EVP_PKEY *evp_key = NULL;
514 
515 	if(!setup_key_digest(algo, &evp_key, &digest_type, key, keylen)) {
516 		verbose(VERB_QUERY, "verify: failed to setup key");
517 		*reason = "use of key for crypto failed";
518 		EVP_PKEY_free(evp_key);
519 		return sec_status_bogus;
520 	}
521 	/* if it is a DSA signature in bind format, convert to DER format */
522 	if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) &&
523 		sigblock_len == 1+2*SHA_DIGEST_LENGTH) {
524 		if(!setup_dsa_sig(&sigblock, &sigblock_len)) {
525 			verbose(VERB_QUERY, "verify: failed to setup DSA sig");
526 			*reason = "use of key for DSA crypto failed";
527 			EVP_PKEY_free(evp_key);
528 			return sec_status_bogus;
529 		}
530 		dofree = 1;
531 	}
532 #ifdef USE_ECDSA
533 	else if(algo == LDNS_ECDSAP256SHA256 || algo == LDNS_ECDSAP384SHA384) {
534 		/* EVP uses ASN prefix on sig, which is not in the wire data */
535 		if(!setup_ecdsa_sig(&sigblock, &sigblock_len)) {
536 			verbose(VERB_QUERY, "verify: failed to setup ECDSA sig");
537 			*reason = "use of signature for ECDSA crypto failed";
538 			EVP_PKEY_free(evp_key);
539 			return sec_status_bogus;
540 		}
541 		dofree = 1;
542 	}
543 #endif /* USE_ECDSA */
544 
545 	/* do the signature cryptography work */
546 	EVP_MD_CTX_init(&ctx);
547 	if(EVP_VerifyInit(&ctx, digest_type) == 0) {
548 		verbose(VERB_QUERY, "verify: EVP_VerifyInit failed");
549 		EVP_PKEY_free(evp_key);
550 		if(dofree) free(sigblock);
551 		return sec_status_unchecked;
552 	}
553 	if(EVP_VerifyUpdate(&ctx, (unsigned char*)sldns_buffer_begin(buf),
554 		(unsigned int)sldns_buffer_limit(buf)) == 0) {
555 		verbose(VERB_QUERY, "verify: EVP_VerifyUpdate failed");
556 		EVP_PKEY_free(evp_key);
557 		if(dofree) free(sigblock);
558 		return sec_status_unchecked;
559 	}
560 
561 	res = EVP_VerifyFinal(&ctx, sigblock, sigblock_len, evp_key);
562 	if(EVP_MD_CTX_cleanup(&ctx) == 0) {
563 		verbose(VERB_QUERY, "verify: EVP_MD_CTX_cleanup failed");
564 		EVP_PKEY_free(evp_key);
565 		if(dofree) free(sigblock);
566 		return sec_status_unchecked;
567 	}
568 	EVP_PKEY_free(evp_key);
569 
570 	if(dofree)
571 		free(sigblock);
572 
573 	if(res == 1) {
574 		return sec_status_secure;
575 	} else if(res == 0) {
576 		verbose(VERB_QUERY, "verify: signature mismatch");
577 		*reason = "signature crypto failed";
578 		return sec_status_bogus;
579 	}
580 
581 	log_crypto_error("verify:", ERR_get_error());
582 	return sec_status_unchecked;
583 }
584 
585 /**************************************************/
586 #elif defined(HAVE_NSS)
587 /* libnss implementation */
588 /* nss3 */
589 #include "sechash.h"
590 #include "pk11pub.h"
591 #include "keyhi.h"
592 #include "secerr.h"
593 #include "cryptohi.h"
594 /* nspr4 */
595 #include "prerror.h"
596 
597 /* return size of digest if supported, or 0 otherwise */
598 size_t
599 nsec3_hash_algo_size_supported(int id)
600 {
601 	switch(id) {
602 	case NSEC3_HASH_SHA1:
603 		return SHA1_LENGTH;
604 	default:
605 		return 0;
606 	}
607 }
608 
609 /* perform nsec3 hash. return false on failure */
610 int
611 secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
612         unsigned char* res)
613 {
614 	switch(algo) {
615 	case NSEC3_HASH_SHA1:
616 		(void)HASH_HashBuf(HASH_AlgSHA1, res, buf, (unsigned long)len);
617 		return 1;
618 	default:
619 		return 0;
620 	}
621 }
622 
623 size_t
624 ds_digest_size_supported(int algo)
625 {
626 	/* uses libNSS */
627 	switch(algo) {
628 		case LDNS_SHA1:
629 			return SHA1_LENGTH;
630 #ifdef USE_SHA2
631 		case LDNS_SHA256:
632 			return SHA256_LENGTH;
633 #endif
634 #ifdef USE_ECDSA
635 		case LDNS_SHA384:
636 			return SHA384_LENGTH;
637 #endif
638 		/* GOST not supported in NSS */
639 		case LDNS_HASH_GOST:
640 		default: break;
641 	}
642 	return 0;
643 }
644 
645 int
646 secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
647 	unsigned char* res)
648 {
649 	/* uses libNSS */
650 	switch(algo) {
651 		case LDNS_SHA1:
652 			return HASH_HashBuf(HASH_AlgSHA1, res, buf, len)
653 				== SECSuccess;
654 #if defined(USE_SHA2)
655 		case LDNS_SHA256:
656 			return HASH_HashBuf(HASH_AlgSHA256, res, buf, len)
657 				== SECSuccess;
658 #endif
659 #ifdef USE_ECDSA
660 		case LDNS_SHA384:
661 			return HASH_HashBuf(HASH_AlgSHA384, res, buf, len)
662 				== SECSuccess;
663 #endif
664 		case LDNS_HASH_GOST:
665 		default:
666 			verbose(VERB_QUERY, "unknown DS digest algorithm %d",
667 				algo);
668 			break;
669 	}
670 	return 0;
671 }
672 
673 int
674 dnskey_algo_id_is_supported(int id)
675 {
676 	/* uses libNSS */
677 	switch(id) {
678 	case LDNS_RSAMD5:
679 		/* RFC 6725 deprecates RSAMD5 */
680 		return 0;
681 	case LDNS_DSA:
682 	case LDNS_DSA_NSEC3:
683 	case LDNS_RSASHA1:
684 	case LDNS_RSASHA1_NSEC3:
685 #ifdef USE_SHA2
686 	case LDNS_RSASHA256:
687 #endif
688 #ifdef USE_SHA2
689 	case LDNS_RSASHA512:
690 #endif
691 		return 1;
692 #ifdef USE_ECDSA
693 	case LDNS_ECDSAP256SHA256:
694 	case LDNS_ECDSAP384SHA384:
695 		return PK11_TokenExists(CKM_ECDSA);
696 #endif
697 	case LDNS_ECC_GOST:
698 	default:
699 		return 0;
700 	}
701 }
702 
703 /* return a new public key for NSS */
704 static SECKEYPublicKey* nss_key_create(KeyType ktype)
705 {
706 	SECKEYPublicKey* key;
707 	PLArenaPool* arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
708 	if(!arena) {
709 		log_err("out of memory, PORT_NewArena failed");
710 		return NULL;
711 	}
712 	key = PORT_ArenaZNew(arena, SECKEYPublicKey);
713 	if(!key) {
714 		log_err("out of memory, PORT_ArenaZNew failed");
715 		PORT_FreeArena(arena, PR_FALSE);
716 		return NULL;
717 	}
718 	key->arena = arena;
719 	key->keyType = ktype;
720 	key->pkcs11Slot = NULL;
721 	key->pkcs11ID = CK_INVALID_HANDLE;
722 	return key;
723 }
724 
725 static SECKEYPublicKey* nss_buf2ecdsa(unsigned char* key, size_t len, int algo)
726 {
727 	SECKEYPublicKey* pk;
728 	SECItem pub = {siBuffer, NULL, 0};
729 	SECItem params = {siBuffer, NULL, 0};
730 	static unsigned char param256[] = {
731 		/* OBJECTIDENTIFIER 1.2.840.10045.3.1.7 (P-256)
732 		 * {iso(1) member-body(2) us(840) ansi-x962(10045) curves(3) prime(1) prime256v1(7)} */
733 		0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07
734 	};
735 	static unsigned char param384[] = {
736 		/* OBJECTIDENTIFIER 1.3.132.0.34 (P-384)
737 		 * {iso(1) identified-organization(3) certicom(132) curve(0) ansip384r1(34)} */
738 		0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22
739 	};
740 	unsigned char buf[256+2]; /* sufficient for 2*384/8+1 */
741 
742 	/* check length, which uncompressed must be 2 bignums */
743 	if(algo == LDNS_ECDSAP256SHA256) {
744 		if(len != 2*256/8) return NULL;
745 		/* ECCurve_X9_62_PRIME_256V1 */
746 	} else if(algo == LDNS_ECDSAP384SHA384) {
747 		if(len != 2*384/8) return NULL;
748 		/* ECCurve_X9_62_PRIME_384R1 */
749 	} else    return NULL;
750 
751 	buf[0] = 0x04; /* POINT_FORM_UNCOMPRESSED */
752 	memmove(buf+1, key, len);
753 	pub.data = buf;
754 	pub.len = len+1;
755 	if(algo == LDNS_ECDSAP256SHA256) {
756 		params.data = param256;
757 		params.len = sizeof(param256);
758 	} else {
759 		params.data = param384;
760 		params.len = sizeof(param384);
761 	}
762 
763 	pk = nss_key_create(ecKey);
764 	if(!pk)
765 		return NULL;
766 	pk->u.ec.size = (len/2)*8;
767 	if(SECITEM_CopyItem(pk->arena, &pk->u.ec.publicValue, &pub)) {
768 		SECKEY_DestroyPublicKey(pk);
769 		return NULL;
770 	}
771 	if(SECITEM_CopyItem(pk->arena, &pk->u.ec.DEREncodedParams, &params)) {
772 		SECKEY_DestroyPublicKey(pk);
773 		return NULL;
774 	}
775 
776 	return pk;
777 }
778 
779 static SECKEYPublicKey* nss_buf2dsa(unsigned char* key, size_t len)
780 {
781 	SECKEYPublicKey* pk;
782 	uint8_t T;
783 	uint16_t length;
784 	uint16_t offset;
785 	SECItem Q = {siBuffer, NULL, 0};
786 	SECItem P = {siBuffer, NULL, 0};
787 	SECItem G = {siBuffer, NULL, 0};
788 	SECItem Y = {siBuffer, NULL, 0};
789 
790 	if(len == 0)
791 		return NULL;
792 	T = (uint8_t)key[0];
793 	length = (64 + T * 8);
794 	offset = 1;
795 
796 	if (T > 8) {
797 		return NULL;
798 	}
799 	if(len < (size_t)1 + SHA1_LENGTH + 3*length)
800 		return NULL;
801 
802 	Q.data = key+offset;
803 	Q.len = SHA1_LENGTH;
804 	offset += SHA1_LENGTH;
805 
806 	P.data = key+offset;
807 	P.len = length;
808 	offset += length;
809 
810 	G.data = key+offset;
811 	G.len = length;
812 	offset += length;
813 
814 	Y.data = key+offset;
815 	Y.len = length;
816 	offset += length;
817 
818 	pk = nss_key_create(dsaKey);
819 	if(!pk)
820 		return NULL;
821 	if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.prime, &P)) {
822 		SECKEY_DestroyPublicKey(pk);
823 		return NULL;
824 	}
825 	if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.subPrime, &Q)) {
826 		SECKEY_DestroyPublicKey(pk);
827 		return NULL;
828 	}
829 	if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.params.base, &G)) {
830 		SECKEY_DestroyPublicKey(pk);
831 		return NULL;
832 	}
833 	if(SECITEM_CopyItem(pk->arena, &pk->u.dsa.publicValue, &Y)) {
834 		SECKEY_DestroyPublicKey(pk);
835 		return NULL;
836 	}
837 	return pk;
838 }
839 
840 static SECKEYPublicKey* nss_buf2rsa(unsigned char* key, size_t len)
841 {
842 	SECKEYPublicKey* pk;
843 	uint16_t exp;
844 	uint16_t offset;
845 	uint16_t int16;
846 	SECItem modulus = {siBuffer, NULL, 0};
847 	SECItem exponent = {siBuffer, NULL, 0};
848 	if(len == 0)
849 		return NULL;
850 	if(key[0] == 0) {
851 		if(len < 3)
852 			return NULL;
853 		/* the exponent is too large so it's places further */
854 		memmove(&int16, key+1, 2);
855 		exp = ntohs(int16);
856 		offset = 3;
857 	} else {
858 		exp = key[0];
859 		offset = 1;
860 	}
861 
862 	/* key length at least one */
863 	if(len < (size_t)offset + exp + 1)
864 		return NULL;
865 
866 	exponent.data = key+offset;
867 	exponent.len = exp;
868 	offset += exp;
869 	modulus.data = key+offset;
870 	modulus.len = (len - offset);
871 
872 	pk = nss_key_create(rsaKey);
873 	if(!pk)
874 		return NULL;
875 	if(SECITEM_CopyItem(pk->arena, &pk->u.rsa.modulus, &modulus)) {
876 		SECKEY_DestroyPublicKey(pk);
877 		return NULL;
878 	}
879 	if(SECITEM_CopyItem(pk->arena, &pk->u.rsa.publicExponent, &exponent)) {
880 		SECKEY_DestroyPublicKey(pk);
881 		return NULL;
882 	}
883 	return pk;
884 }
885 
886 /**
887  * Setup key and digest for verification. Adjust sig if necessary.
888  *
889  * @param algo: key algorithm
890  * @param evp_key: EVP PKEY public key to create.
891  * @param digest_type: digest type to use
892  * @param key: key to setup for.
893  * @param keylen: length of key.
894  * @param prefix: if returned, the ASN prefix for the hashblob.
895  * @param prefixlen: length of the prefix.
896  * @return false on failure.
897  */
898 static int
899 nss_setup_key_digest(int algo, SECKEYPublicKey** pubkey, HASH_HashType* htype,
900 	unsigned char* key, size_t keylen, unsigned char** prefix,
901 	size_t* prefixlen)
902 {
903 	/* uses libNSS */
904 
905 	/* hash prefix for md5, RFC2537 */
906 	static unsigned char p_md5[] = {0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a,
907 	0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 0x04, 0x10};
908 	/* hash prefix to prepend to hash output, from RFC3110 */
909 	static unsigned char p_sha1[] = {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B,
910 		0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14};
911 	/* from RFC5702 */
912 	static unsigned char p_sha256[] = {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60,
913 	0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20};
914 	static unsigned char p_sha512[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60,
915 	0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40};
916 	/* from RFC6234 */
917 	/* for future RSASHA384 ..
918 	static unsigned char p_sha384[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60,
919 	0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30};
920 	*/
921 
922 	switch(algo) {
923 		case LDNS_DSA:
924 		case LDNS_DSA_NSEC3:
925 			*pubkey = nss_buf2dsa(key, keylen);
926 			if(!*pubkey) {
927 				log_err("verify: malloc failure in crypto");
928 				return 0;
929 			}
930 			*htype = HASH_AlgSHA1;
931 			/* no prefix for DSA verification */
932 			break;
933 		case LDNS_RSASHA1:
934 		case LDNS_RSASHA1_NSEC3:
935 #ifdef USE_SHA2
936 		case LDNS_RSASHA256:
937 #endif
938 #ifdef USE_SHA2
939 		case LDNS_RSASHA512:
940 #endif
941 			*pubkey = nss_buf2rsa(key, keylen);
942 			if(!*pubkey) {
943 				log_err("verify: malloc failure in crypto");
944 				return 0;
945 			}
946 			/* select SHA version */
947 #ifdef USE_SHA2
948 			if(algo == LDNS_RSASHA256) {
949 				*htype = HASH_AlgSHA256;
950 				*prefix = p_sha256;
951 				*prefixlen = sizeof(p_sha256);
952 			} else
953 #endif
954 #ifdef USE_SHA2
955 				if(algo == LDNS_RSASHA512) {
956 				*htype = HASH_AlgSHA512;
957 				*prefix = p_sha512;
958 				*prefixlen = sizeof(p_sha512);
959 			} else
960 #endif
961 			{
962 				*htype = HASH_AlgSHA1;
963 				*prefix = p_sha1;
964 				*prefixlen = sizeof(p_sha1);
965 			}
966 
967 			break;
968 		case LDNS_RSAMD5:
969 			*pubkey = nss_buf2rsa(key, keylen);
970 			if(!*pubkey) {
971 				log_err("verify: malloc failure in crypto");
972 				return 0;
973 			}
974 			*htype = HASH_AlgMD5;
975 			*prefix = p_md5;
976 			*prefixlen = sizeof(p_md5);
977 
978 			break;
979 #ifdef USE_ECDSA
980 		case LDNS_ECDSAP256SHA256:
981 			*pubkey = nss_buf2ecdsa(key, keylen,
982 				LDNS_ECDSAP256SHA256);
983 			if(!*pubkey) {
984 				log_err("verify: malloc failure in crypto");
985 				return 0;
986 			}
987 			*htype = HASH_AlgSHA256;
988 			/* no prefix for DSA verification */
989 			break;
990 		case LDNS_ECDSAP384SHA384:
991 			*pubkey = nss_buf2ecdsa(key, keylen,
992 				LDNS_ECDSAP384SHA384);
993 			if(!*pubkey) {
994 				log_err("verify: malloc failure in crypto");
995 				return 0;
996 			}
997 			*htype = HASH_AlgSHA384;
998 			/* no prefix for DSA verification */
999 			break;
1000 #endif /* USE_ECDSA */
1001 		case LDNS_ECC_GOST:
1002 		default:
1003 			verbose(VERB_QUERY, "verify: unknown algorithm %d",
1004 				algo);
1005 			return 0;
1006 	}
1007 	return 1;
1008 }
1009 
1010 /**
1011  * Check a canonical sig+rrset and signature against a dnskey
1012  * @param buf: buffer with data to verify, the first rrsig part and the
1013  *	canonicalized rrset.
1014  * @param algo: DNSKEY algorithm.
1015  * @param sigblock: signature rdata field from RRSIG
1016  * @param sigblock_len: length of sigblock data.
1017  * @param key: public key data from DNSKEY RR.
1018  * @param keylen: length of keydata.
1019  * @param reason: bogus reason in more detail.
1020  * @return secure if verification succeeded, bogus on crypto failure,
1021  *	unchecked on format errors and alloc failures.
1022  */
1023 enum sec_status
1024 verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
1025 	unsigned int sigblock_len, unsigned char* key, unsigned int keylen,
1026 	char** reason)
1027 {
1028 	/* uses libNSS */
1029 	/* large enough for the different hashes */
1030 	unsigned char hash[HASH_LENGTH_MAX];
1031 	unsigned char hash2[HASH_LENGTH_MAX*2];
1032 	HASH_HashType htype = 0;
1033 	SECKEYPublicKey* pubkey = NULL;
1034 	SECItem secsig = {siBuffer, sigblock, sigblock_len};
1035 	SECItem sechash = {siBuffer, hash, 0};
1036 	SECStatus res;
1037 	unsigned char* prefix = NULL; /* prefix for hash, RFC3110, RFC5702 */
1038 	size_t prefixlen = 0;
1039 	int err;
1040 
1041 	if(!nss_setup_key_digest(algo, &pubkey, &htype, key, keylen,
1042 		&prefix, &prefixlen)) {
1043 		verbose(VERB_QUERY, "verify: failed to setup key");
1044 		*reason = "use of key for crypto failed";
1045 		SECKEY_DestroyPublicKey(pubkey);
1046 		return sec_status_bogus;
1047 	}
1048 
1049 	/* need to convert DSA, ECDSA signatures? */
1050 	if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3)) {
1051 		if(sigblock_len == 1+2*SHA1_LENGTH) {
1052 			secsig.data ++;
1053 			secsig.len --;
1054 		} else {
1055 			SECItem* p = DSAU_DecodeDerSig(&secsig);
1056 			if(!p) {
1057 				verbose(VERB_QUERY, "verify: failed DER decode");
1058 				*reason = "signature DER decode failed";
1059 				SECKEY_DestroyPublicKey(pubkey);
1060 				return sec_status_bogus;
1061 			}
1062 			if(SECITEM_CopyItem(pubkey->arena, &secsig, p)) {
1063 				log_err("alloc failure in DER decode");
1064 				SECKEY_DestroyPublicKey(pubkey);
1065 				SECITEM_FreeItem(p, PR_TRUE);
1066 				return sec_status_unchecked;
1067 			}
1068 			SECITEM_FreeItem(p, PR_TRUE);
1069 		}
1070 	}
1071 
1072 	/* do the signature cryptography work */
1073 	/* hash the data */
1074 	sechash.len = HASH_ResultLen(htype);
1075 	if(sechash.len > sizeof(hash)) {
1076 		verbose(VERB_QUERY, "verify: hash too large for buffer");
1077 		SECKEY_DestroyPublicKey(pubkey);
1078 		return sec_status_unchecked;
1079 	}
1080 	if(HASH_HashBuf(htype, hash, (unsigned char*)sldns_buffer_begin(buf),
1081 		(unsigned int)sldns_buffer_limit(buf)) != SECSuccess) {
1082 		verbose(VERB_QUERY, "verify: HASH_HashBuf failed");
1083 		SECKEY_DestroyPublicKey(pubkey);
1084 		return sec_status_unchecked;
1085 	}
1086 	if(prefix) {
1087 		int hashlen = sechash.len;
1088 		if(prefixlen+hashlen > sizeof(hash2)) {
1089 			verbose(VERB_QUERY, "verify: hashprefix too large");
1090 			SECKEY_DestroyPublicKey(pubkey);
1091 			return sec_status_unchecked;
1092 		}
1093 		sechash.data = hash2;
1094 		sechash.len = prefixlen+hashlen;
1095 		memcpy(sechash.data, prefix, prefixlen);
1096 		memmove(sechash.data+prefixlen, hash, hashlen);
1097 	}
1098 
1099 	/* verify the signature */
1100 	res = PK11_Verify(pubkey, &secsig, &sechash, NULL /*wincx*/);
1101 	SECKEY_DestroyPublicKey(pubkey);
1102 
1103 	if(res == SECSuccess) {
1104 		return sec_status_secure;
1105 	}
1106 	err = PORT_GetError();
1107 	if(err != SEC_ERROR_BAD_SIGNATURE) {
1108 		/* failed to verify */
1109 		verbose(VERB_QUERY, "verify: PK11_Verify failed: %s",
1110 			PORT_ErrorToString(err));
1111 		/* if it is not supported, like ECC is removed, we get,
1112 		 * SEC_ERROR_NO_MODULE */
1113 		if(err == SEC_ERROR_NO_MODULE)
1114 			return sec_status_unchecked;
1115 		/* but other errors are commonly returned
1116 		 * for a bad signature from NSS.  Thus we return bogus,
1117 		 * not unchecked */
1118 		*reason = "signature crypto failed";
1119 		return sec_status_bogus;
1120 	}
1121 	verbose(VERB_QUERY, "verify: signature mismatch: %s",
1122 		PORT_ErrorToString(err));
1123 	*reason = "signature crypto failed";
1124 	return sec_status_bogus;
1125 }
1126 
1127 #elif defined(HAVE_NETTLE)
1128 
1129 #include "sha.h"
1130 #include "bignum.h"
1131 #include "macros.h"
1132 #include "rsa.h"
1133 #include "dsa.h"
1134 #include "asn1.h"
1135 #ifdef USE_ECDSA
1136 #include "ecdsa.h"
1137 #include "ecc-curve.h"
1138 #endif
1139 
1140 static int
1141 _digest_nettle(int algo, uint8_t* buf, size_t len,
1142 	unsigned char* res)
1143 {
1144 	switch(algo) {
1145 		case SHA1_DIGEST_SIZE:
1146 		{
1147 			struct sha1_ctx ctx;
1148 			sha1_init(&ctx);
1149 			sha1_update(&ctx, len, buf);
1150 			sha1_digest(&ctx, SHA1_DIGEST_SIZE, res);
1151 			return 1;
1152 		}
1153 		case SHA256_DIGEST_SIZE:
1154 		{
1155 			struct sha256_ctx ctx;
1156 			sha256_init(&ctx);
1157 			sha256_update(&ctx, len, buf);
1158 			sha256_digest(&ctx, SHA256_DIGEST_SIZE, res);
1159 			return 1;
1160 		}
1161 		case SHA384_DIGEST_SIZE:
1162 		{
1163 			struct sha384_ctx ctx;
1164 			sha384_init(&ctx);
1165 			sha384_update(&ctx, len, buf);
1166 			sha384_digest(&ctx, SHA384_DIGEST_SIZE, res);
1167 			return 1;
1168 		}
1169 		case SHA512_DIGEST_SIZE:
1170 		{
1171 			struct sha512_ctx ctx;
1172 			sha512_init(&ctx);
1173 			sha512_update(&ctx, len, buf);
1174 			sha512_digest(&ctx, SHA512_DIGEST_SIZE, res);
1175 			return 1;
1176 		}
1177 		default:
1178 			break;
1179 	}
1180 	return 0;
1181 }
1182 
1183 /* return size of digest if supported, or 0 otherwise */
1184 size_t
1185 nsec3_hash_algo_size_supported(int id)
1186 {
1187 	switch(id) {
1188 	case NSEC3_HASH_SHA1:
1189 		return SHA1_DIGEST_SIZE;
1190 	default:
1191 		return 0;
1192 	}
1193 }
1194 
1195 /* perform nsec3 hash. return false on failure */
1196 int
1197 secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
1198         unsigned char* res)
1199 {
1200 	switch(algo) {
1201 	case NSEC3_HASH_SHA1:
1202 		return _digest_nettle(SHA1_DIGEST_SIZE, (uint8_t*)buf, len,
1203 			res);
1204 	default:
1205 		return 0;
1206 	}
1207 }
1208 
1209 /**
1210  * Return size of DS digest according to its hash algorithm.
1211  * @param algo: DS digest algo.
1212  * @return size in bytes of digest, or 0 if not supported.
1213  */
1214 size_t
1215 ds_digest_size_supported(int algo)
1216 {
1217 	switch(algo) {
1218 		case LDNS_SHA1:
1219 			return SHA1_DIGEST_SIZE;
1220 #ifdef USE_SHA2
1221 		case LDNS_SHA256:
1222 			return SHA256_DIGEST_SIZE;
1223 #endif
1224 #ifdef USE_ECDSA
1225 		case LDNS_SHA384:
1226 			return SHA384_DIGEST_SIZE;
1227 #endif
1228 		/* GOST not supported */
1229 		case LDNS_HASH_GOST:
1230 		default:
1231 			break;
1232 	}
1233 	return 0;
1234 }
1235 
1236 int
1237 secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
1238 	unsigned char* res)
1239 {
1240 	switch(algo) {
1241 		case LDNS_SHA1:
1242 			return _digest_nettle(SHA1_DIGEST_SIZE, buf, len, res);
1243 #if defined(USE_SHA2)
1244 		case LDNS_SHA256:
1245 			return _digest_nettle(SHA256_DIGEST_SIZE, buf, len, res);
1246 #endif
1247 #ifdef USE_ECDSA
1248 		case LDNS_SHA384:
1249 			return _digest_nettle(SHA384_DIGEST_SIZE, buf, len, res);
1250 
1251 #endif
1252 		case LDNS_HASH_GOST:
1253 		default:
1254 			verbose(VERB_QUERY, "unknown DS digest algorithm %d",
1255 				algo);
1256 			break;
1257 	}
1258 	return 0;
1259 }
1260 
1261 int
1262 dnskey_algo_id_is_supported(int id)
1263 {
1264 	/* uses libnettle */
1265 	switch(id) {
1266 	case LDNS_DSA:
1267 	case LDNS_DSA_NSEC3:
1268 	case LDNS_RSASHA1:
1269 	case LDNS_RSASHA1_NSEC3:
1270 #ifdef USE_SHA2
1271 	case LDNS_RSASHA256:
1272 	case LDNS_RSASHA512:
1273 #endif
1274 #ifdef USE_ECDSA
1275 	case LDNS_ECDSAP256SHA256:
1276 	case LDNS_ECDSAP384SHA384:
1277 #endif
1278 		return 1;
1279 	case LDNS_RSAMD5: /* RFC 6725 deprecates RSAMD5 */
1280 	case LDNS_ECC_GOST:
1281 	default:
1282 		return 0;
1283 	}
1284 }
1285 
1286 static char *
1287 _verify_nettle_dsa(sldns_buffer* buf, unsigned char* sigblock,
1288 	unsigned int sigblock_len, unsigned char* key, unsigned int keylen)
1289 {
1290 	uint8_t digest[SHA1_DIGEST_SIZE];
1291 	uint8_t key_t;
1292 	int res = 0;
1293 	size_t offset;
1294 	struct dsa_public_key pubkey;
1295 	struct dsa_signature signature;
1296 	unsigned int expected_len;
1297 
1298 	/* Extract DSA signature from the record */
1299 	nettle_dsa_signature_init(&signature);
1300 	/* Signature length: 41 bytes - RFC 2536 sec. 3 */
1301 	if(sigblock_len == 41) {
1302 		if(key[0] != sigblock[0])
1303 			return "invalid T value in DSA signature or pubkey";
1304 		nettle_mpz_set_str_256_u(signature.r, 20, sigblock+1);
1305 		nettle_mpz_set_str_256_u(signature.s, 20, sigblock+1+20);
1306 	} else {
1307 		/* DER encoded, decode the ASN1 notated R and S bignums */
1308 		/* SEQUENCE { r INTEGER, s INTEGER } */
1309 		struct asn1_der_iterator i, seq;
1310 		if(asn1_der_iterator_first(&i, sigblock_len,
1311 			(uint8_t*)sigblock) != ASN1_ITERATOR_CONSTRUCTED
1312 			|| i.type != ASN1_SEQUENCE)
1313 			return "malformed DER encoded DSA signature";
1314 		/* decode this element of i using the seq iterator */
1315 		if(asn1_der_decode_constructed(&i, &seq) !=
1316 			ASN1_ITERATOR_PRIMITIVE || seq.type != ASN1_INTEGER)
1317 			return "malformed DER encoded DSA signature";
1318 		if(!asn1_der_get_bignum(&seq, signature.r, 20*8))
1319 			return "malformed DER encoded DSA signature";
1320 		if(asn1_der_iterator_next(&seq) != ASN1_ITERATOR_PRIMITIVE
1321 			|| seq.type != ASN1_INTEGER)
1322 			return "malformed DER encoded DSA signature";
1323 		if(!asn1_der_get_bignum(&seq, signature.s, 20*8))
1324 			return "malformed DER encoded DSA signature";
1325 		if(asn1_der_iterator_next(&i) != ASN1_ITERATOR_END)
1326 			return "malformed DER encoded DSA signature";
1327 	}
1328 
1329 	/* Validate T values constraints - RFC 2536 sec. 2 & sec. 3 */
1330 	key_t = key[0];
1331 	if (key_t > 8) {
1332 		return "invalid T value in DSA pubkey";
1333 	}
1334 
1335 	/* Pubkey minimum length: 21 bytes - RFC 2536 sec. 2 */
1336 	if (keylen < 21) {
1337 		return "DSA pubkey too short";
1338 	}
1339 
1340 	expected_len =   1 +		/* T */
1341 		        20 +		/* Q */
1342 		       (64 + key_t*8) +	/* P */
1343 		       (64 + key_t*8) +	/* G */
1344 		       (64 + key_t*8);	/* Y */
1345 	if (keylen != expected_len ) {
1346 		return "invalid DSA pubkey length";
1347 	}
1348 
1349 	/* Extract DSA pubkey from the record */
1350 	nettle_dsa_public_key_init(&pubkey);
1351 	offset = 1;
1352 	nettle_mpz_set_str_256_u(pubkey.q, 20, key+offset);
1353 	offset += 20;
1354 	nettle_mpz_set_str_256_u(pubkey.p, (64 + key_t*8), key+offset);
1355 	offset += (64 + key_t*8);
1356 	nettle_mpz_set_str_256_u(pubkey.g, (64 + key_t*8), key+offset);
1357 	offset += (64 + key_t*8);
1358 	nettle_mpz_set_str_256_u(pubkey.y, (64 + key_t*8), key+offset);
1359 
1360 	/* Digest content of "buf" and verify its DSA signature in "sigblock"*/
1361 	res = _digest_nettle(SHA1_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1362 						(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1363 	res &= dsa_sha1_verify_digest(&pubkey, digest, &signature);
1364 
1365 	/* Clear and return */
1366 	nettle_dsa_signature_clear(&signature);
1367 	nettle_dsa_public_key_clear(&pubkey);
1368 	if (!res)
1369 		return "DSA signature verification failed";
1370 	else
1371 		return NULL;
1372 }
1373 
1374 static char *
1375 _verify_nettle_rsa(sldns_buffer* buf, unsigned int digest_size, char* sigblock,
1376 	unsigned int sigblock_len, uint8_t* key, unsigned int keylen)
1377 {
1378 	uint16_t exp_len = 0;
1379 	size_t exp_offset = 0, mod_offset = 0;
1380 	struct rsa_public_key pubkey;
1381 	mpz_t signature;
1382 	int res = 0;
1383 
1384 	/* RSA pubkey parsing as per RFC 3110 sec. 2 */
1385 	if( keylen <= 1) {
1386 		return "null RSA key";
1387 	}
1388 	if (key[0] != 0) {
1389 		/* 1-byte length */
1390 		exp_len = key[0];
1391 		exp_offset = 1;
1392 	} else {
1393 		/* 1-byte NUL + 2-bytes exponent length */
1394 		if (keylen < 3) {
1395 			return "incorrect RSA key length";
1396 		}
1397 		exp_len = READ_UINT16(key+1);
1398 		if (exp_len == 0)
1399 			return "null RSA exponent length";
1400 		exp_offset = 3;
1401 	}
1402 	/* Check that we are not over-running input length */
1403 	if (keylen < exp_offset + exp_len + 1) {
1404 		return "RSA key content shorter than expected";
1405 	}
1406 	mod_offset = exp_offset + exp_len;
1407 	nettle_rsa_public_key_init(&pubkey);
1408 	pubkey.size = keylen - mod_offset;
1409 	nettle_mpz_set_str_256_u(pubkey.e, exp_len, &key[exp_offset]);
1410 	nettle_mpz_set_str_256_u(pubkey.n, pubkey.size, &key[mod_offset]);
1411 
1412 	/* Digest content of "buf" and verify its RSA signature in "sigblock"*/
1413 	nettle_mpz_init_set_str_256_u(signature, sigblock_len, (uint8_t*)sigblock);
1414 	switch (digest_size) {
1415 		case SHA1_DIGEST_SIZE:
1416 		{
1417 			uint8_t digest[SHA1_DIGEST_SIZE];
1418 			res = _digest_nettle(SHA1_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1419 						(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1420 			res &= rsa_sha1_verify_digest(&pubkey, digest, signature);
1421 			break;
1422 		}
1423 		case SHA256_DIGEST_SIZE:
1424 		{
1425 			uint8_t digest[SHA256_DIGEST_SIZE];
1426 			res = _digest_nettle(SHA256_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1427 						(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1428 			res &= rsa_sha256_verify_digest(&pubkey, digest, signature);
1429 			break;
1430 		}
1431 		case SHA512_DIGEST_SIZE:
1432 		{
1433 			uint8_t digest[SHA512_DIGEST_SIZE];
1434 			res = _digest_nettle(SHA512_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1435 						(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1436 			res &= rsa_sha512_verify_digest(&pubkey, digest, signature);
1437 			break;
1438 		}
1439 		default:
1440 			break;
1441 	}
1442 
1443 	/* Clear and return */
1444 	nettle_rsa_public_key_clear(&pubkey);
1445 	mpz_clear(signature);
1446 	if (!res) {
1447 		return "RSA signature verification failed";
1448 	} else {
1449 		return NULL;
1450 	}
1451 }
1452 
1453 #ifdef USE_ECDSA
1454 static char *
1455 _verify_nettle_ecdsa(sldns_buffer* buf, unsigned int digest_size, unsigned char* sigblock,
1456 	unsigned int sigblock_len, unsigned char* key, unsigned int keylen)
1457 {
1458 	int res = 0;
1459 	struct ecc_point pubkey;
1460 	struct dsa_signature signature;
1461 
1462 	/* Always matched strength, as per RFC 6605 sec. 1 */
1463 	if (sigblock_len != 2*digest_size || keylen != 2*digest_size) {
1464 		return "wrong ECDSA signature length";
1465 	}
1466 
1467 	/* Parse ECDSA signature as per RFC 6605 sec. 4 */
1468 	nettle_dsa_signature_init(&signature);
1469 	switch (digest_size) {
1470 		case SHA256_DIGEST_SIZE:
1471 		{
1472 			uint8_t digest[SHA256_DIGEST_SIZE];
1473 			mpz_t x, y;
1474 			nettle_ecc_point_init(&pubkey, &nettle_secp_256r1);
1475 			nettle_mpz_init_set_str_256_u(x, SHA256_DIGEST_SIZE, key);
1476 			nettle_mpz_init_set_str_256_u(y, SHA256_DIGEST_SIZE, key+SHA256_DIGEST_SIZE);
1477 			nettle_mpz_set_str_256_u(signature.r, SHA256_DIGEST_SIZE, sigblock);
1478 			nettle_mpz_set_str_256_u(signature.s, SHA256_DIGEST_SIZE, sigblock+SHA256_DIGEST_SIZE);
1479 			res = _digest_nettle(SHA256_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1480 						(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1481 			res &= nettle_ecc_point_set(&pubkey, x, y);
1482 			res &= nettle_ecdsa_verify (&pubkey, SHA256_DIGEST_SIZE, digest, &signature);
1483 			mpz_clear(x);
1484 			mpz_clear(y);
1485 			break;
1486 		}
1487 		case SHA384_DIGEST_SIZE:
1488 		{
1489 			uint8_t digest[SHA384_DIGEST_SIZE];
1490 			mpz_t x, y;
1491 			nettle_ecc_point_init(&pubkey, &nettle_secp_384r1);
1492 			nettle_mpz_init_set_str_256_u(x, SHA384_DIGEST_SIZE, key);
1493 			nettle_mpz_init_set_str_256_u(y, SHA384_DIGEST_SIZE, key+SHA384_DIGEST_SIZE);
1494 			nettle_mpz_set_str_256_u(signature.r, SHA384_DIGEST_SIZE, sigblock);
1495 			nettle_mpz_set_str_256_u(signature.s, SHA384_DIGEST_SIZE, sigblock+SHA384_DIGEST_SIZE);
1496 			res = _digest_nettle(SHA384_DIGEST_SIZE, (unsigned char*)sldns_buffer_begin(buf),
1497 						(unsigned int)sldns_buffer_limit(buf), (unsigned char*)digest);
1498 			res &= nettle_ecc_point_set(&pubkey, x, y);
1499 			res &= nettle_ecdsa_verify (&pubkey, SHA384_DIGEST_SIZE, digest, &signature);
1500 			mpz_clear(x);
1501 			mpz_clear(y);
1502 			nettle_ecc_point_clear(&pubkey);
1503 			break;
1504 		}
1505 		default:
1506 			return "unknown ECDSA algorithm";
1507 	}
1508 
1509 	/* Clear and return */
1510 	nettle_dsa_signature_clear(&signature);
1511 	if (!res)
1512 		return "ECDSA signature verification failed";
1513 	else
1514 		return NULL;
1515 }
1516 #endif
1517 
1518 /**
1519  * Check a canonical sig+rrset and signature against a dnskey
1520  * @param buf: buffer with data to verify, the first rrsig part and the
1521  *	canonicalized rrset.
1522  * @param algo: DNSKEY algorithm.
1523  * @param sigblock: signature rdata field from RRSIG
1524  * @param sigblock_len: length of sigblock data.
1525  * @param key: public key data from DNSKEY RR.
1526  * @param keylen: length of keydata.
1527  * @param reason: bogus reason in more detail.
1528  * @return secure if verification succeeded, bogus on crypto failure,
1529  *	unchecked on format errors and alloc failures.
1530  */
1531 enum sec_status
1532 verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
1533 	unsigned int sigblock_len, unsigned char* key, unsigned int keylen,
1534 	char** reason)
1535 {
1536 	unsigned int digest_size = 0;
1537 
1538 	if (sigblock_len == 0 || keylen == 0) {
1539 		*reason = "null signature";
1540 		return sec_status_bogus;
1541 	}
1542 
1543 	switch(algo) {
1544 	case LDNS_DSA:
1545 	case LDNS_DSA_NSEC3:
1546 		*reason = _verify_nettle_dsa(buf, sigblock, sigblock_len, key, keylen);
1547 		if (*reason != NULL)
1548 			return sec_status_bogus;
1549 		else
1550 			return sec_status_secure;
1551 
1552 	case LDNS_RSASHA1:
1553 	case LDNS_RSASHA1_NSEC3:
1554 		digest_size = (digest_size ? digest_size : SHA1_DIGEST_SIZE);
1555 #ifdef USE_SHA2
1556 	case LDNS_RSASHA256:
1557 		digest_size = (digest_size ? digest_size : SHA256_DIGEST_SIZE);
1558 	case LDNS_RSASHA512:
1559 		digest_size = (digest_size ? digest_size : SHA512_DIGEST_SIZE);
1560 
1561 #endif
1562 		*reason = _verify_nettle_rsa(buf, digest_size, (char*)sigblock,
1563 						sigblock_len, key, keylen);
1564 		if (*reason != NULL)
1565 			return sec_status_bogus;
1566 		else
1567 			return sec_status_secure;
1568 
1569 #ifdef USE_ECDSA
1570 	case LDNS_ECDSAP256SHA256:
1571 		digest_size = (digest_size ? digest_size : SHA256_DIGEST_SIZE);
1572 	case LDNS_ECDSAP384SHA384:
1573 		digest_size = (digest_size ? digest_size : SHA384_DIGEST_SIZE);
1574 		*reason = _verify_nettle_ecdsa(buf, digest_size, sigblock,
1575 						sigblock_len, key, keylen);
1576 		if (*reason != NULL)
1577 			return sec_status_bogus;
1578 		else
1579 			return sec_status_secure;
1580 #endif
1581 	case LDNS_RSAMD5:
1582 	case LDNS_ECC_GOST:
1583 	default:
1584 		*reason = "unable to verify signature, unknown algorithm";
1585 		return sec_status_bogus;
1586 	}
1587 }
1588 
1589 #endif /* HAVE_SSL or HAVE_NSS or HAVE_NETTLE */
1590