summaryrefslogtreecommitdiffstats
path: root/lib/dns/openssleddsa_link.c
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--lib/dns/openssleddsa_link.c676
1 files changed, 676 insertions, 0 deletions
diff --git a/lib/dns/openssleddsa_link.c b/lib/dns/openssleddsa_link.c
new file mode 100644
index 0000000..b76fac9
--- /dev/null
+++ b/lib/dns/openssleddsa_link.c
@@ -0,0 +1,676 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <config.h>
+
+#if defined(OPENSSL) && \
+ (defined(HAVE_OPENSSL_ED25519) || defined(HAVE_OPENSSL_ED448))
+
+#include <stdbool.h>
+
+#include <isc/entropy.h>
+#include <isc/mem.h>
+#include <isc/safe.h>
+#include <isc/sha2.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/keyvalues.h>
+#include <dst/result.h>
+
+#include "dst_internal.h"
+#include "dst_openssl.h"
+#include "dst_parse.h"
+
+#include <openssl/err.h>
+#include <openssl/objects.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+
+#ifndef NID_ED25519
+#error "Ed25519 group is not known (NID_ED25519)"
+#endif
+#ifndef NID_ED448
+#error "Ed448 group is not known (NID_ED448)"
+#endif
+
+#define DST_RET(a) {ret = a; goto err;}
+
+/* OpenSSL doesn't provide direct access to key values */
+
+#define PUBPREFIXLEN 12
+
+static const unsigned char ed25519_pub_prefix[] = {
+ 0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65,
+ 0x70, 0x03, 0x21, 0x00
+};
+
+static EVP_PKEY *pub_ed25519_to_ossl(const unsigned char *key)
+{
+ unsigned char buf[PUBPREFIXLEN + DNS_KEY_ED25519SIZE];
+ const unsigned char *p;
+
+ memmove(buf, ed25519_pub_prefix, PUBPREFIXLEN);
+ memmove(buf + PUBPREFIXLEN, key, DNS_KEY_ED25519SIZE);
+ p = buf;
+ return (d2i_PUBKEY(NULL, &p, PUBPREFIXLEN + DNS_KEY_ED25519SIZE));
+}
+
+static isc_result_t pub_ed25519_from_ossl(EVP_PKEY *pkey,
+ unsigned char *key)
+{
+ unsigned char buf[PUBPREFIXLEN + DNS_KEY_ED25519SIZE];
+ unsigned char *p;
+ int len;
+
+ len = i2d_PUBKEY(pkey, NULL);
+ if ((len <= DNS_KEY_ED25519SIZE) ||
+ (len > PUBPREFIXLEN + DNS_KEY_ED25519SIZE))
+ return (DST_R_OPENSSLFAILURE);
+ p = buf;
+ len = i2d_PUBKEY(pkey, &p);
+ if ((len <= DNS_KEY_ED25519SIZE) ||
+ (len > PUBPREFIXLEN + DNS_KEY_ED25519SIZE))
+ return (DST_R_OPENSSLFAILURE);
+ memmove(key, buf + len - DNS_KEY_ED25519SIZE, DNS_KEY_ED25519SIZE);
+ return (ISC_R_SUCCESS);
+}
+
+static const unsigned char ed448_pub_prefix[] = {
+ 0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65,
+ 0x71, 0x03, 0x21, 0x00
+};
+
+static EVP_PKEY *pub_ed448_to_ossl(const unsigned char *key)
+{
+ unsigned char buf[PUBPREFIXLEN + DNS_KEY_ED448SIZE];
+ const unsigned char *p;
+
+ memmove(buf, ed448_pub_prefix, PUBPREFIXLEN);
+ memmove(buf + PUBPREFIXLEN, key, DNS_KEY_ED448SIZE);
+ p = buf;
+ return (d2i_PUBKEY(NULL, &p, PUBPREFIXLEN + DNS_KEY_ED448SIZE));
+}
+
+static isc_result_t pub_ed448_from_ossl(EVP_PKEY *pkey,
+ unsigned char *key)
+{
+ unsigned char buf[PUBPREFIXLEN + DNS_KEY_ED448SIZE];
+ unsigned char *p;
+ int len;
+
+ len = i2d_PUBKEY(pkey, NULL);
+ if ((len <= DNS_KEY_ED448SIZE) ||
+ (len > PUBPREFIXLEN + DNS_KEY_ED448SIZE))
+ return (DST_R_OPENSSLFAILURE);
+ p = buf;
+ len = i2d_PUBKEY(pkey, &p);
+ if ((len <= DNS_KEY_ED448SIZE) ||
+ (len > PUBPREFIXLEN + DNS_KEY_ED448SIZE))
+ return (DST_R_OPENSSLFAILURE);
+ memmove(key, buf + len - DNS_KEY_ED448SIZE, DNS_KEY_ED448SIZE);
+ return (ISC_R_SUCCESS);
+}
+
+#define PRIVPREFIXLEN 16
+
+static const unsigned char ed25519_priv_prefix[] = {
+ 0x30, 0x2e, 0x02, 0x01, 0x00, 0x30, 0x05, 0x06,
+ 0x03, 0x2b, 0x65, 0x70, 0x04, 0x22, 0x04, 0x20
+};
+
+static EVP_PKEY *priv_ed25519_to_ossl(const unsigned char *key)
+{
+ unsigned char buf[PRIVPREFIXLEN + DNS_KEY_ED25519SIZE];
+ const unsigned char *p;
+
+ memmove(buf, ed25519_priv_prefix, PRIVPREFIXLEN);
+ memmove(buf + PRIVPREFIXLEN, key, DNS_KEY_ED25519SIZE);
+ p = buf;
+ return (d2i_PrivateKey(NID_ED25519, NULL, &p,
+ PRIVPREFIXLEN + DNS_KEY_ED25519SIZE));
+}
+
+static isc_result_t priv_ed25519_from_ossl(EVP_PKEY *pkey,
+ unsigned char *key)
+{
+ unsigned char buf[PRIVPREFIXLEN + DNS_KEY_ED25519SIZE];
+ unsigned char *p;
+ int len;
+
+ len = i2d_PrivateKey(pkey, NULL);
+ if ((len <= DNS_KEY_ED25519SIZE) ||
+ (len > PRIVPREFIXLEN + DNS_KEY_ED25519SIZE))
+ return (DST_R_OPENSSLFAILURE);
+ p = buf;
+ len = i2d_PrivateKey(pkey, &p);
+ if ((len <= DNS_KEY_ED25519SIZE) ||
+ (len > PRIVPREFIXLEN + DNS_KEY_ED25519SIZE))
+ return (DST_R_OPENSSLFAILURE);
+ memmove(key, buf + len - DNS_KEY_ED25519SIZE, DNS_KEY_ED25519SIZE);
+ return (ISC_R_SUCCESS);
+}
+
+static const unsigned char ed448_priv_prefix[] = {
+ 0x30, 0x2e, 0x02, 0x01, 0x00, 0x30, 0x05, 0x06,
+ 0x03, 0x2b, 0x65, 0x71, 0x04, 0x22, 0x04, 0x20
+};
+
+static EVP_PKEY *priv_ed448_to_ossl(const unsigned char *key)
+{
+ unsigned char buf[PRIVPREFIXLEN + DNS_KEY_ED448SIZE];
+ const unsigned char *p;
+
+ memmove(buf, ed448_priv_prefix, PRIVPREFIXLEN);
+ memmove(buf + PRIVPREFIXLEN, key, DNS_KEY_ED448SIZE);
+ p = buf;
+ return (d2i_PrivateKey(NID_ED448, NULL, &p,
+ PRIVPREFIXLEN + DNS_KEY_ED448SIZE));
+}
+
+static isc_result_t priv_ed448_from_ossl(EVP_PKEY *pkey,
+ unsigned char *key)
+{
+ unsigned char buf[PRIVPREFIXLEN + DNS_KEY_ED448SIZE];
+ unsigned char *p;
+ int len;
+
+ len = i2d_PrivateKey(pkey, NULL);
+ if ((len <= DNS_KEY_ED448SIZE) ||
+ (len > PRIVPREFIXLEN + DNS_KEY_ED448SIZE))
+ return (DST_R_OPENSSLFAILURE);
+ p = buf;
+ len = i2d_PrivateKey(pkey, &p);
+ if ((len <= DNS_KEY_ED448SIZE) ||
+ (len > PRIVPREFIXLEN + DNS_KEY_ED448SIZE))
+ return (DST_R_OPENSSLFAILURE);
+ memmove(key, buf + len - DNS_KEY_ED448SIZE, DNS_KEY_ED448SIZE);
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t openssleddsa_todns(const dst_key_t *key,
+ isc_buffer_t *data);
+
+static isc_result_t
+openssleddsa_createctx(dst_key_t *key, dst_context_t *dctx) {
+ isc_buffer_t *buf = NULL;
+ isc_result_t result;
+
+ UNUSED(key);
+ REQUIRE(dctx->key->key_alg == DST_ALG_ED25519 ||
+ dctx->key->key_alg == DST_ALG_ED448);
+
+ result = isc_buffer_allocate(dctx->mctx, &buf, 64);
+ dctx->ctxdata.generic = buf;
+
+ return (result);
+}
+
+static void
+openssleddsa_destroyctx(dst_context_t *dctx) {
+ isc_buffer_t *buf = (isc_buffer_t *) dctx->ctxdata.generic;
+
+ REQUIRE(dctx->key->key_alg == DST_ALG_ED25519 ||
+ dctx->key->key_alg == DST_ALG_ED448);
+ if (buf != NULL)
+ isc_buffer_free(&buf);
+ dctx->ctxdata.generic = NULL;
+}
+
+static isc_result_t
+openssleddsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
+ isc_buffer_t *buf = (isc_buffer_t *) dctx->ctxdata.generic;
+ isc_buffer_t *nbuf = NULL;
+ isc_region_t r;
+ unsigned int length;
+ isc_result_t result;
+
+ REQUIRE(dctx->key->key_alg == DST_ALG_ED25519 ||
+ dctx->key->key_alg == DST_ALG_ED448);
+
+ result = isc_buffer_copyregion(buf, data);
+ if (result == ISC_R_SUCCESS)
+ return (ISC_R_SUCCESS);
+
+ length = isc_buffer_length(buf) + data->length + 64;
+ result = isc_buffer_allocate(dctx->mctx, &nbuf, length);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ isc_buffer_usedregion(buf, &r);
+ (void) isc_buffer_copyregion(nbuf, &r);
+ (void) isc_buffer_copyregion(nbuf, data);
+ isc_buffer_free(&buf);
+ dctx->ctxdata.generic = nbuf;
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+openssleddsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
+ isc_result_t ret;
+ dst_key_t *key = dctx->key;
+ isc_region_t tbsreg;
+ isc_region_t sigreg;
+ EVP_PKEY *pkey = key->keydata.pkey;
+ EVP_MD_CTX* ctx = EVP_MD_CTX_new();
+ isc_buffer_t *buf = (isc_buffer_t *) dctx->ctxdata.generic;
+ size_t siglen;
+
+ REQUIRE(key->key_alg == DST_ALG_ED25519 ||
+ key->key_alg == DST_ALG_ED448);
+
+ if (ctx == NULL)
+ return (ISC_R_NOMEMORY);
+
+ if (key->key_alg == DST_ALG_ED25519)
+ siglen = DNS_SIG_ED25519SIZE;
+ else
+ siglen = DNS_SIG_ED448SIZE;
+
+ isc_buffer_availableregion(sig, &sigreg);
+ if (sigreg.length < (unsigned int) siglen)
+ DST_RET(ISC_R_NOSPACE);
+
+ isc_buffer_usedregion(buf, &tbsreg);
+
+ if (!EVP_DigestSignInit(ctx, NULL, NULL, NULL, pkey))
+ DST_RET(dst__openssl_toresult3(dctx->category,
+ "EVP_DigestSignInit",
+ ISC_R_FAILURE));
+ if (!EVP_DigestSign(ctx, sigreg.base, &siglen,
+ tbsreg.base, tbsreg.length))
+ DST_RET(dst__openssl_toresult3(dctx->category,
+ "EVP_DigestSign",
+ DST_R_SIGNFAILURE));
+ isc_buffer_add(sig, (unsigned int) siglen);
+ ret = ISC_R_SUCCESS;
+
+ err:
+ if (ctx != NULL)
+ EVP_MD_CTX_free(ctx);
+ isc_buffer_free(&buf);
+ dctx->ctxdata.generic = NULL;
+
+ return (ret);
+}
+
+static isc_result_t
+openssleddsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+ isc_result_t ret;
+ dst_key_t *key = dctx->key;
+ int status;
+ isc_region_t tbsreg;
+ EVP_PKEY *pkey = key->keydata.pkey;
+ EVP_MD_CTX* ctx = EVP_MD_CTX_new();
+ isc_buffer_t *buf = (isc_buffer_t *) dctx->ctxdata.generic;
+ unsigned int siglen;
+
+ REQUIRE(key->key_alg == DST_ALG_ED25519 ||
+ key->key_alg == DST_ALG_ED448);
+
+ if (ctx == NULL)
+ return (ISC_R_NOMEMORY);
+
+ if (key->key_alg == DST_ALG_ED25519)
+ siglen = DNS_SIG_ED25519SIZE;
+ else
+ siglen = DNS_SIG_ED448SIZE;
+
+ if (sig->length != siglen)
+ return (DST_R_VERIFYFAILURE);
+
+ isc_buffer_usedregion(buf, &tbsreg);
+
+ if (!EVP_DigestVerifyInit(ctx, NULL, NULL, NULL, pkey))
+ DST_RET(dst__openssl_toresult3(dctx->category,
+ "EVP_DigestVerifyInit",
+ ISC_R_FAILURE));
+
+ status = EVP_DigestVerify(ctx, sig->base, siglen,
+ tbsreg.base, tbsreg.length);
+
+ switch (status) {
+ case 1:
+ ret = ISC_R_SUCCESS;
+ break;
+ case 0:
+ ret = dst__openssl_toresult(DST_R_VERIFYFAILURE);
+ break;
+ default:
+ ret = dst__openssl_toresult3(dctx->category,
+ "EVP_DigestVerify",
+ DST_R_VERIFYFAILURE);
+ break;
+ }
+
+ err:
+ if (ctx != NULL)
+ EVP_MD_CTX_free(ctx);
+ isc_buffer_free(&buf);
+ dctx->ctxdata.generic = NULL;
+
+ return (ret);
+}
+
+static bool
+openssleddsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
+ int status;
+ EVP_PKEY *pkey1 = key1->keydata.pkey;
+ EVP_PKEY *pkey2 = key2->keydata.pkey;
+
+ if (pkey1 == NULL && pkey2 == NULL)
+ return (true);
+ else if (pkey1 == NULL || pkey2 == NULL)
+ return (false);
+
+ status = EVP_PKEY_cmp(pkey1, pkey2);
+ if (status == 1)
+ return (true);
+ return (false);
+}
+
+static isc_result_t
+openssleddsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
+ isc_result_t ret;
+ EVP_PKEY *pkey = NULL;
+ EVP_PKEY_CTX *ctx = NULL;
+ int nid, status;
+
+ REQUIRE(key->key_alg == DST_ALG_ED25519 ||
+ key->key_alg == DST_ALG_ED448);
+ UNUSED(unused);
+ UNUSED(callback);
+
+ if (key->key_alg == DST_ALG_ED25519) {
+ nid = NID_ED25519;
+ key->key_size = DNS_KEY_ED25519SIZE;
+ } else {
+ nid = NID_ED448;
+ key->key_size = DNS_KEY_ED448SIZE;
+ }
+
+ ctx = EVP_PKEY_CTX_new_id(nid, NULL);
+ if (ctx == NULL)
+ return (dst__openssl_toresult2("EVP_PKEY_CTX_new_id",
+ DST_R_OPENSSLFAILURE));
+
+ status = EVP_PKEY_keygen_init(ctx);
+ if (status != 1)
+ DST_RET (dst__openssl_toresult2("EVP_PKEY_keygen_init",
+ DST_R_OPENSSLFAILURE));
+
+ status = EVP_PKEY_keygen(ctx, &pkey);
+ if (status != 1)
+ DST_RET (dst__openssl_toresult2("EVP_PKEY_keygen",
+ DST_R_OPENSSLFAILURE));
+
+ key->keydata.pkey = pkey;
+ ret = ISC_R_SUCCESS;
+
+ err:
+ if (ctx != NULL)
+ EVP_PKEY_CTX_free(ctx);
+ return (ret);
+}
+
+static bool
+openssleddsa_isprivate(const dst_key_t *key) {
+ EVP_PKEY *pkey = key->keydata.pkey;
+ int len;
+ unsigned long err;
+
+ if (pkey == NULL)
+ return (false);
+
+ len = i2d_PrivateKey(pkey, NULL);
+ if (len > 0)
+ return (true);
+ /* can check if first error is EC_R_INVALID_PRIVATE_KEY */
+ while ((err = ERR_get_error()) != 0)
+ /**/;
+
+ return (false);
+}
+
+static void
+openssleddsa_destroy(dst_key_t *key) {
+ EVP_PKEY *pkey = key->keydata.pkey;
+
+ EVP_PKEY_free(pkey);
+ key->keydata.pkey = NULL;
+}
+
+static isc_result_t
+openssleddsa_todns(const dst_key_t *key, isc_buffer_t *data) {
+ EVP_PKEY *pkey = key->keydata.pkey;
+ isc_region_t r;
+ isc_result_t result;
+
+ REQUIRE(pkey != NULL);
+
+ pkey = key->keydata.pkey;
+ switch (key->key_alg) {
+ case DST_ALG_ED25519:
+ isc_buffer_availableregion(data, &r);
+ if (r.length < DNS_KEY_ED25519SIZE)
+ return (ISC_R_NOSPACE);
+ result = pub_ed25519_from_ossl(pkey, r.base);
+ if (result == ISC_R_SUCCESS)
+ isc_buffer_add(data, DNS_KEY_ED25519SIZE);
+ return (result);
+ case DST_ALG_ED448:
+ isc_buffer_availableregion(data, &r);
+ if (r.length < DNS_KEY_ED448SIZE)
+ return (ISC_R_NOSPACE);
+ result = pub_ed448_from_ossl(pkey, r.base);
+ if (result == ISC_R_SUCCESS)
+ isc_buffer_add(data, DNS_KEY_ED448SIZE);
+ return (result);
+ default:
+ INSIST(0);
+ }
+}
+
+static isc_result_t
+openssleddsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
+ EVP_PKEY *pkey;
+ isc_region_t r;
+ unsigned int len;
+
+ REQUIRE(key->key_alg == DST_ALG_ED25519 ||
+ key->key_alg == DST_ALG_ED448);
+
+ isc_buffer_remainingregion(data, &r);
+ if (r.length == 0)
+ return (ISC_R_SUCCESS);
+ if (key->key_alg == DST_ALG_ED25519) {
+ len = DNS_KEY_ED25519SIZE;
+ if (r.length < len)
+ return (DST_R_INVALIDPUBLICKEY);
+ pkey = pub_ed25519_to_ossl(r.base);
+ } else {
+ len = DNS_KEY_ED448SIZE;
+ if (r.length < len)
+ return (DST_R_INVALIDPUBLICKEY);
+ pkey = pub_ed448_to_ossl(r.base);
+ }
+ if (pkey == NULL)
+ return (dst__openssl_toresult(ISC_R_FAILURE));
+ isc_buffer_forward(data, len);
+ key->keydata.pkey = pkey;
+ key->key_size = len;
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+openssleddsa_tofile(const dst_key_t *key, const char *directory) {
+ isc_result_t ret;
+ EVP_PKEY *pkey;
+ dst_private_t priv;
+ unsigned char *buf = NULL;
+ unsigned int len;
+
+ REQUIRE(key->key_alg == DST_ALG_ED25519 ||
+ key->key_alg == DST_ALG_ED448);
+
+ if (key->keydata.pkey == NULL)
+ return (DST_R_NULLKEY);
+
+ if (key->external) {
+ priv.nelements = 0;
+ return (dst__privstruct_writefile(key, &priv, directory));
+ }
+
+ pkey = key->keydata.pkey;
+ if (key->key_alg == DST_ALG_ED25519) {
+ len = DNS_KEY_ED25519SIZE;
+ buf = isc_mem_get(key->mctx, len);
+ if (buf == NULL)
+ return (ISC_R_NOMEMORY);
+ priv.elements[0].tag = TAG_EDDSA_PRIVATEKEY;
+ priv.elements[0].length = len;
+ ret = priv_ed25519_from_ossl(pkey, buf);
+ if (ret != ISC_R_SUCCESS)
+ DST_RET (dst__openssl_toresult(ret));
+ priv.elements[0].data = buf;
+ priv.nelements = 1;
+ ret = dst__privstruct_writefile(key, &priv, directory);
+ } else {
+ len = DNS_KEY_ED448SIZE;
+ buf = isc_mem_get(key->mctx, len);
+ if (buf == NULL)
+ return (ISC_R_NOMEMORY);
+ priv.elements[0].tag = TAG_EDDSA_PRIVATEKEY;
+ priv.elements[0].length = len;
+ ret = priv_ed448_from_ossl(pkey, buf);
+ if (ret != ISC_R_SUCCESS)
+ DST_RET (dst__openssl_toresult(ret));
+ priv.elements[0].data = buf;
+ priv.nelements = 1;
+ ret = dst__privstruct_writefile(key, &priv, directory);
+ }
+
+ err:
+ if (buf != NULL)
+ isc_mem_put(key->mctx, buf, len);
+ return (ret);
+}
+
+static isc_result_t
+eddsa_check(EVP_PKEY *privkey, dst_key_t *pub)
+{
+ EVP_PKEY *pkey;
+
+ if (pub == NULL)
+ return (ISC_R_SUCCESS);
+ pkey = pub->keydata.pkey;
+ if (pkey == NULL)
+ return (ISC_R_SUCCESS);
+ if (EVP_PKEY_cmp(privkey, pkey) == 1)
+ return (ISC_R_SUCCESS);
+ return (ISC_R_FAILURE);
+}
+
+static isc_result_t
+openssleddsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+ dst_private_t priv;
+ isc_result_t ret;
+ EVP_PKEY *pkey = NULL;
+ unsigned int len;
+ isc_mem_t *mctx = key->mctx;
+
+ REQUIRE(key->key_alg == DST_ALG_ED25519 ||
+ key->key_alg == DST_ALG_ED448);
+
+ /* read private key file */
+ ret = dst__privstruct_parse(key, DST_ALG_ED25519, lexer, mctx, &priv);
+ if (ret != ISC_R_SUCCESS)
+ goto err;
+
+ if (key->external) {
+ if (priv.nelements != 0)
+ DST_RET(DST_R_INVALIDPRIVATEKEY);
+ if (pub == NULL)
+ DST_RET(DST_R_INVALIDPRIVATEKEY);
+ key->keydata.pkey = pub->keydata.pkey;
+ pub->keydata.pkey = NULL;
+ dst__privstruct_free(&priv, mctx);
+ isc_safe_memwipe(&priv, sizeof(priv));
+ return (ISC_R_SUCCESS);
+ }
+
+ if (key->key_alg == DST_ALG_ED25519) {
+ len = DNS_KEY_ED25519SIZE;
+ if (priv.elements[0].length < len)
+ DST_RET(DST_R_INVALIDPRIVATEKEY);
+ pkey = priv_ed25519_to_ossl(priv.elements[0].data);
+ } else {
+ len = DNS_KEY_ED448SIZE;
+ if (priv.elements[0].length < len)
+ DST_RET(DST_R_INVALIDPRIVATEKEY);
+ pkey = priv_ed448_to_ossl(priv.elements[0].data);
+ }
+ if (pkey == NULL)
+ DST_RET (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+ if (eddsa_check(pkey, pub) != ISC_R_SUCCESS) {
+ EVP_PKEY_free(pkey);
+ DST_RET(DST_R_INVALIDPRIVATEKEY);
+ }
+ key->keydata.pkey = pkey;
+ key->key_size = len;
+ ret = ISC_R_SUCCESS;
+
+ err:
+ dst__privstruct_free(&priv, mctx);
+ isc_safe_memwipe(&priv, sizeof(priv));
+ return (ret);
+}
+
+static dst_func_t openssleddsa_functions = {
+ openssleddsa_createctx,
+ NULL, /*%< createctx2 */
+ openssleddsa_destroyctx,
+ openssleddsa_adddata,
+ openssleddsa_sign,
+ openssleddsa_verify,
+ NULL, /*%< verify2 */
+ NULL, /*%< computesecret */
+ openssleddsa_compare,
+ NULL, /*%< paramcompare */
+ openssleddsa_generate,
+ openssleddsa_isprivate,
+ openssleddsa_destroy,
+ openssleddsa_todns,
+ openssleddsa_fromdns,
+ openssleddsa_tofile,
+ openssleddsa_parse,
+ NULL, /*%< cleanup */
+ NULL, /*%< fromlabel */
+ NULL, /*%< dump */
+ NULL, /*%< restore */
+};
+
+isc_result_t
+dst__openssleddsa_init(dst_func_t **funcp) {
+ REQUIRE(funcp != NULL);
+ if (*funcp == NULL)
+ *funcp = &openssleddsa_functions;
+ return (ISC_R_SUCCESS);
+}
+
+#else /* HAVE_OPENSSL_EDxxx */
+
+#include <isc/util.h>
+
+EMPTY_TRANSLATION_UNIT
+
+#endif /* HAVE_OPENSSL_EDxxx */
+/*! \file */