Merge pull request #198 from wtoorop/release/v1.0.0b2

Release/v1.0.0b2

ChangeLog

@@ -1,4 +1,4 @@
-* 2016-??-??: Version 1.0.0b2
+* 2016-07-14: Version 1.0.0b2
   * Collect coverage information from the unit tests
     Thanks Shane Kerr
   * pkg-config for the getdns_ext_event library

Makefile.in

@@ -178,6 +178,7 @@ $(distdir):
 	mkdir -p $(distdir)/src
 	mkdir -p $(distdir)/src/getdns
 	mkdir -p $(distdir)/src/test
+	mkdir -p $(distdir)/src/test/jsmn
 	mkdir -p $(distdir)/src/extension
 	mkdir -p $(distdir)/src/compat
 	mkdir -p $(distdir)/src/util
@@ -224,6 +225,9 @@ $(distdir):
 	cp $(srcdir)/spec/*.tgz $(distdir)/spec || true
 	cp $(srcdir)/spec/example/Makefile.in $(distdir)/spec/example
 	cp $(srcdir)/spec/example/*.[ch] $(distdir)/spec/example
+	cp $(srcdir)/src/test/jsmn/*.[ch] $(distdir)/src/test/jsmn
+	cp $(srcdir)/src/test/jsmn/LICENSE $(distdir)/src/test/jsmn
+	cp $(srcdir)/src/test/jsmn/README.md $(distdir)/src/test/jsmn
 	rm -f $(distdir)/Makefile $(distdir)/src/Makefile $(distdir)/src/getdns/getdns.h $(distdir)/spec/example/Makefile $(distdir)/src/test/Makefile $(distdir)/doc/Makefile $(distdir)/src/config.h
 
 distcheck: $(distdir).tar.gz

configure.ac

@@ -76,9 +76,10 @@ GETDNS_COMPILATION_COMMENT="AC_PACKAGE_NAME $GETDNS_VERSION configured on $CURRE
 # getdns-0.3.3 had libversion 3:6:2
 # getdns-0.5.0 had libversion 4:0:3
 # getdns-0.5.1 had libversion 4:1:3 (but should have been getdns-0.6.0)
-# getdns-0.9.0 will have libversion 5:0:4
+# getdns-0.9.0 had libversion 5:0:4
+# getdns-1.0.0 will have libversion 5:1:4
 #
-GETDNS_LIBVERSION=5:0:4
+GETDNS_LIBVERSION=5:1:4
 
 AC_SUBST(GETDNS_COMPILATION_COMMENT)
 AC_SUBST(GETDNS_LIBVERSION)

src/context.c

@@ -1277,10 +1277,10 @@ getdns_context_create_with_extended_memory_functions(
 
 	// resolv.conf does not exist on Windows, handle differently
 #ifndef USE_WINSOCK 
-	if (set_from_os && (r = set_os_defaults(result)))
+	if ((set_from_os & 1) && (r = set_os_defaults(result)))
 		goto error;
 #else
-	if (set_from_os && (r = set_os_defaults_windows(result)))
+	if ((set_from_os & 1) && (r = set_os_defaults_windows(result)))
 		goto error;
 #endif
 
@@ -1297,7 +1297,7 @@ getdns_context_create_with_extended_memory_functions(
 	/* Unbound needs SSL to be init'ed this early when TLS is used. However we
 	 * don't know that till later so we will have to do this every time. */
 
-	if (set_from_os & 2 == 0)
+	if ((set_from_os & 2) == 0)
 		SSL_library_init();
 
 #ifdef HAVE_LIBUNBOUND

src/dnssec.c

@@ -2049,7 +2049,8 @@ static int find_nsec_covering_name(
 	                                        , SECTION_NO_ADDITIONAL)
 	    ; i ; i = _getdns_rrset_iter_next(i)) {
 
-		if ((n = _getdns_rrset_iter_value(i))->rr_type == GETDNS_RRTYPE_NSEC3
+		if ((n = _getdns_rrset_iter_value(i))
+		    && n->rr_type == GETDNS_RRTYPE_NSEC3
 
 		    /* Get the bitmap rdata field */
 		    && (nsec_rr = _getdns_rrtype_iter_init(&nsec_spc, n))
@@ -2085,7 +2086,8 @@ static int find_nsec_covering_name(
 
 			return keytag;
 		}
-		if ((n = _getdns_rrset_iter_value(i))->rr_type == GETDNS_RRTYPE_NSEC
+		if ((n = _getdns_rrset_iter_value(i))
+		    && n->rr_type == GETDNS_RRTYPE_NSEC
 		    && nsec_covers_name(n, name, NULL)
 
 		    /* Get the bitmap rdata field */

src/getdns/getdns.h.in

@@ -965,7 +965,8 @@ getdns_service(getdns_context *context,
  * If used multi-threaded, user must define appropriate OpenSSL callback locking functions
  * (e.g. CRYPTO_THREADID_set_call) depending on the library version used.
  * @param context context that can be used immediately with other API calls
- * @param set_from_os select to use os defaults or to specify user defined values
+ * @param set_from_os set to 1 to initialize the context with os defaults
+ *                    the second bit set (2) prevents OpenSSL library initialization.
  * @return GETDNS_RETURN_GOOD on success
 */
 getdns_return_t
@@ -977,10 +978,11 @@ getdns_context_create(getdns_context ** context, int set_from_os);
  * If used multi-threaded, user must define appropriate OpenSSL callback locking functions
  * (e.g. CRYPTO_THREADID_set_call) depending on the library version used.
  * @param context context that can be used immediately with other API calls
- * @param set_from_os select to use os defaults or to specify user defined values
+ * @param set_from_os set to 1 to initialize the context with os defaults
+ *                    the second bit set (2) prevents OpenSSL library initialization.
  * @param malloc custom malloc function
  * @param realloc custom realloc function
- * @param malloc custom free function
+ * @param free custom free function
  * @return GETDNS_RETURN_GOOD on success
 */
 getdns_return_t
@@ -998,10 +1000,12 @@ getdns_context_create_with_memory_functions(
  * If used multi-threaded, user must define appropriate OpenSSL callback locking functions
  * (e.g. CRYPTO_THREADID_set_call) depending on the library version used.
  * @param context context that can be used immediately with other API calls
- * @param set_from_os select to use os defaults or to specify user defined values
+ * @param set_from_os set to 1 to initialize the context with os defaults
+ *                    the second bit set (2) prevents OpenSSL library initialization.
+ * @param userarg parameter passed to the custom malloc, realloc and free functions
  * @param malloc custom malloc function
  * @param realloc custom realloc function
- * @param malloc custom free function
+ * @param free custom free function
  * @return GETDNS_RETURN_GOOD on success
 */
 getdns_return_t

src/getdns/getdns_extra.h.in

@@ -361,9 +361,9 @@ getdns_context_get_tls_authentication(getdns_context *context,
  * "chain" context update callbacks and in this way create a subscription
  * service catering multiple interested parties.
  * @param context The context to monitor for changes
- * @return userarg A user defined argument to be passed to the callback
+ * @param userarg A user defined argument to be passed to the callback
  *                 function.
- * @return value   The callback function to be called on context value
+ * @param value   The callback function to be called on context value
  *                 changes.
  * @return GETDNS_RETURN_GOOD on success or an error code on failure.
  */
@@ -484,7 +484,7 @@ getdns_dict* getdns_pubkey_pin_create_from_string(
  *
  * @param pinset the set of public key pins to check for sanity.  This
  *               should be a list of dicts.
- * @return errorlist if not NULL, a list of human-readable strings is 
+ * @param errorlist if not NULL, a list of human-readable strings is 
  *                   appended to errorlist.
  * @return GETDNS_RETURN_GOOD if the pinset passes the sanity check.
  */ 
@@ -592,8 +592,8 @@ getdns_snprint_json_list(
  * Convert rr_dict to wireformat representation of the resource record.
  *
  * @param  rr_dict The getdns dict representation of the resource record
- * @return wire    A newly allocated buffer which will contain the wireformat.
- * @return wire_sz The size of the allocated buffer and the wireformat.
+ * @param wire    A newly allocated buffer which will contain the wireformat.
+ * @param wire_sz The size of the allocated buffer and the wireformat.
  * @return GETDNS_RETURN_GOOD on success or an error code on failure.
  */
 getdns_return_t
@@ -644,7 +644,7 @@ getdns_rr_dict2wire_scan(
  *
  * @param  wire    Buffer containing the wireformat rr
  * @param  wire_sz Size of the wire buffer
- * @return rr_dict The returned rr_dict
+ * @param rr_dict The returned rr_dict
  * @return GETDNS_RETURN_GOOD on success or an error code on failure.
  */
 getdns_return_t
@@ -657,7 +657,7 @@ getdns_wire2rr_dict(
  * @param  wire    Buffer containing the wireformat rr
  * @param  wire_sz On input the size of the wire buffer
  *                 On output the length of the wireformat rr.
- * @return rr_dict The returned rr_dict
+ * @param rr_dict The returned rr_dict
  * @return GETDNS_RETURN_GOOD on success or an error code on failure.
  */
 getdns_return_t
@@ -673,7 +673,7 @@ getdns_wire2rr_dict_buf(
  * @param  wire_sz On input the size of the wire buffer
  *                 On output the size is decreased with the length
  *                 of the wireformat resource record.
- * @return rr_dict The returned rr_dict
+ * @param rr_dict The returned rr_dict
  * @return GETDNS_RETURN_GOOD on success or an error code on failure.
  */
 getdns_return_t
@@ -685,7 +685,7 @@ getdns_wire2rr_dict_scan(
  * Convert rr_dict to the string representation of the resource record.
  *
  * @param  rr_dict The getdns dict representation of the resource record
- * @return str     A newly allocated string representation of the rr
+ * @param str     A newly allocated string representation of the rr
  * @return GETDNS_RETURN_GOOD on success or an error code on failure.
  */
 getdns_return_t
@@ -735,7 +735,7 @@ getdns_rr_dict2str_scan(
  * Convert the string representation of the resource record to rr_dict format.
  *
  * @param  str         String representation of the resource record.
- * @return rr_dict     The result getdns dict representation of the resource record
+ * @param  rr_dict     The result getdns dict representation of the resource record
  * @param  origin      Default suffix for not fully qualified domain names
  * @param  default_ttl Default ttl
  * @return GETDNS_RETURN_GOOD on success or an error code on failure.
@@ -748,8 +748,8 @@ getdns_str2rr_dict(
 /**
  * Read the zonefile and convert to a list of rr_dict's.
  *
- * @param  FILE        An opened FILE pointer on the zone file.
- * @return rr_list     The result list of rr_dicts representing the zone file.
+ * @param  in          An opened FILE pointer on the zone file.
+ * @param  rr_list     The result list of rr_dicts representing the zone file.
  * @param  origin      Default suffix for not fully qualified domain names
  * @param  default_ttl Default ttl
  * @return GETDNS_RETURN_GOOD on success or an error code on failure.
@@ -763,8 +763,8 @@ getdns_fp2rr_list(
  * Convert DNS message dict to wireformat representation.
  *
  * @param  msg_dict The getdns dict representation of a DNS message
- * @return wire     A newly allocated buffer which will contain the wireformat.
- * @return wire_sz  The size of the allocated buffer and the wireformat.
+ * @param  wire     A newly allocated buffer which will contain the wireformat.
+ * @param  wire_sz  The size of the allocated buffer and the wireformat.
  * @return GETDNS_RETURN_GOOD on success or an error code on failure.
  */
 getdns_return_t
@@ -815,7 +815,7 @@ getdns_msg_dict2wire_scan(
  *
  * @param  wire     Buffer containing the wireformat rr
  * @param  wire_sz  Size of the wire buffer
- * @return msg_dict The returned DNS message
+ * @param  msg_dict The returned DNS message
  * @return GETDNS_RETURN_GOOD on success or an error code on failure.
  */
 getdns_return_t
@@ -828,7 +828,7 @@ getdns_wire2msg_dict(
  * @param  wire     Buffer containing the wireformat rr
  * @param  wire_sz  On input the size of the wire buffer
  *                  On output the length of the wireformat rr.
- * @return msg_dict The returned DNS message
+ * @param  msg_dict The returned DNS message
  * @return GETDNS_RETURN_GOOD on success or an error code on failure.
  */
 getdns_return_t
@@ -844,7 +844,7 @@ getdns_wire2msg_dict_buf(
  * @param  wire_sz  On input the size of the wire buffer
  *                  On output the size is decreased with the length
  *                  of the wireformat DNS message.
- * @return msg_dict The returned DNS message
+ * @param  msg_dict The returned DNS message
  * @return GETDNS_RETURN_GOOD on success or an error code on failure.
  */
 getdns_return_t
@@ -856,7 +856,7 @@ getdns_wire2msg_dict_scan(
  * Convert msg_dict to the string representation of the DNS message.
  *
  * @param  msg_dict The getdns dict representation of the DNS message
- * @return str      A newly allocated string representation of the rr
+ * @param  str      A newly allocated string representation of the rr
  * @return GETDNS_RETURN_GOOD on success or an error code on failure.
  */
 getdns_return_t

src/gldns/rrdef.h

@@ -421,7 +421,8 @@ enum gldns_enum_edns_option
 	GLDNS_EDNS_DHU = 6, /* RFC6975 */
 	GLDNS_EDNS_N3U = 7, /* RFC6975 */
 	GLDNS_EDNS_CLIENT_SUBNET = 8, /* draft-vandergaast-edns-client-subnet */
-	GLDNS_EDNS_KEEPALIVE = 11 /* draft-ietf-dnsop-edns-tcp-keepalive*/
+	GLDNS_EDNS_KEEPALIVE = 11, /* draft-ietf-dnsop-edns-tcp-keepalive*/
+	GLDNS_EDNS_PADDING = 12 /* RFC7830 */
 };
 typedef enum gldns_enum_edns_option gldns_edns_option;
 

src/gldns/wire2str.c

@@ -166,6 +166,7 @@ static gldns_lookup_table gldns_edns_options_data[] = {
 	{ 7, "N3U" },
 	{ 8, "edns-client-subnet" },
 	{ 11, "edns-tcp-keepalive"},
+	{ 12, "Padding" },
 	{ 0, NULL}
 };
 gldns_lookup_table* gldns_edns_options = gldns_edns_options_data;
@@ -1887,6 +1888,9 @@ int gldns_wire2str_edns_option_print(char** s, size_t* sl,
 	 case GLDNS_EDNS_KEEPALIVE:
 		w += gldns_wire2str_edns_keepalive_print(s, sl, optdata, optlen);
 		break;
+	case GLDNS_EDNS_PADDING:
+		w += print_hex_buf(s, sl, optdata, optlen);
+		break;
 	default:
 		/* unknown option code */
 		w += print_hex_buf(s, sl, optdata, optlen);

src/rr-iter.c

@@ -306,7 +306,7 @@ static int rr_owner_equal(_getdns_rr_iter *rr, const uint8_t *name)
 
 	return (owner = _getdns_owner_if_or_as_decompressed(rr, owner_spc
 	                                                      ,&owner_len))
-	    && _getdns_dname_equal(owner, name);
+	    && name && _getdns_dname_equal(owner, name);
 }
 
 /* First a few filter functions that filter a RR iterator to point only

src/test/getdns_context_set_listen_addresses.c

@@ -804,6 +804,8 @@ getdns_return_t getdns_context_set_listen_addresses(getdns_context *context,
 	new_set->count = new_set_count * n_transports;
 	(void) memset(new_set->items, 0,
 	    sizeof(listener) * new_set_count * n_transports);
+	for (i = 0; i < new_set->count; i++)
+		new_set->items[i].fd = -1;
 
 	(void) memset(&hints, 0, sizeof(struct addrinfo));
 	hints.ai_family    = AF_UNSPEC;
@@ -906,7 +908,7 @@ getdns_return_t getdns_context_set_listen_addresses(getdns_context *context,
 			/* So the event can be rescheduled */
 		}
 	}
-	if ((r = add_listeners(new_set))) {
+	if (r || (r = add_listeners(new_set))) {
 		for (i = 0; i < new_set->count; i++)
 			new_set->items[i].action = to_remove;
 

src/test/getdns_query.c

@@ -442,12 +442,11 @@ static void parse_config(const char *config_str)
 			 * will get destroyed.
 			 */
 			if (!listen_dict &&
-			    !(listen_dict = getdns_dict_create())) {
+			    !(listen_dict = getdns_dict_create()))
 				fprintf(stderr, "Could not create "
 						"listen_dict");
-				r = GETDNS_RETURN_MEMORY_ERROR;
 
-			} else if ((r = getdns_dict_set_list(
+			else if ((r = getdns_dict_set_list(
 			    listen_dict, "listen_list", list)))
 				fprintf(stderr, "Could not set listen_list");
 
@@ -476,7 +475,7 @@ static void parse_config(const char *config_str)
 getdns_return_t parse_args(int argc, char **argv)
 {
 	getdns_return_t r = GETDNS_RETURN_GOOD;
-	size_t i, j;
+	size_t i, j, klass;
 	char *arg, *c, *endptr;
 	int t, print_api_info = 0, print_trust_anchors = 0;
 	getdns_list *upstream_list = NULL;
@@ -487,7 +486,6 @@ getdns_return_t parse_args(int argc, char **argv)
 	getdns_bindata bindata;
 	size_t upstream_count = 0;
 	FILE *fh;
-	uint32_t klass;
 	char *config_file = NULL;
 	long config_file_sz;
 
@@ -508,7 +506,7 @@ getdns_return_t parse_args(int argc, char **argv)
 			} else if (strncmp(arg+1, "specify_class=", 14) == 0) {
 				if ((klass = get_rrclass(arg+15)) >= 0)
 					r = getdns_dict_set_int(extensions,
-						    "specify_class", klass);
+					    "specify_class", (uint32_t )klass);
 				else
 					fprintf(stderr,
 					    "Unknown class: %s\n", arg+15);

src/test/getdns_str2dict.c

@@ -410,7 +410,10 @@ static int _jsmn_get_dict(struct mem_funcs *mf, const char *js, jsmntok_t *t,
 	char key_spc[1024], *key = NULL;
 	getdns_item child_item;
 
-	for (i = 0; i < t->size; i++) {
+	if (t->size <= 0)
+		*r = GETDNS_RETURN_GOOD;
+
+	else for (i = 0; i < t->size; i++) {
 		if (t[j].type != JSMN_STRING &&
 		    t[j].type != JSMN_PRIMITIVE) {
 
@@ -484,7 +487,10 @@ static int _jsmn_get_list(struct mem_funcs *mf, const char *js, jsmntok_t *t,
 	size_t i, j = 1, index = 0;
 	getdns_item child_item;
 
-	for (i = 0; i < t->size; i++) {
+	if (t->size <= 0)
+		*r = GETDNS_RETURN_GOOD;
+
+	else for (i = 0; i < t->size; i++) {
 		j += _jsmn_get_item(mf, js, t + j, count - j, &child_item, r);
 		if (*r) break;
 

src/util/import.sh

@@ -44,6 +44,10 @@ do
 	    -e 's/secalgo_ds_digest/_getdns_secalgo_ds_digest/g' \
 	    -e 's/dnskey_algo_id_is_supported/_getdns_dnskey_algo_id_is_supported/g' \
 	    -e 's/verify_canonrrset/_getdns_verify_canonrrset/g' \
+	    -e 's/nsec3_hash_algo_size_supported/_getdns_nsec3_hash_algo_size_supported/g' \
+	    -e 's/secalgo_nsec3_hash/_getdns_secalgo_nsec3_hash/g' \
+	    -e 's/secalgo_hash_sha256/_getdns_secalgo_hash_sha256/g' \
+	    -e 's/ecdsa_evp_workaround_init/_getdns_ecdsa_evp_workaround_init/g' \
 	    -e 's/LDNS_/GLDNS_/g' \
 	    -e 's/enum sec_status/int/g' \
 	    -e 's/sec_status_bogus/0/g' \

src/util/val_secalgo.c

@@ -72,7 +72,7 @@
 
 /* return size of digest if supported, or 0 otherwise */
 size_t
-nsec3_hash_algo_size_supported(int id)
+_getdns_nsec3_hash_algo_size_supported(int id)
 {
 	switch(id) {
 	case NSEC3_HASH_SHA1:
@@ -84,7 +84,7 @@ nsec3_hash_algo_size_supported(int id)
 
 /* perform nsec3 hash. return false on failure */
 int
-secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
+_getdns_secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
         unsigned char* res)
 {
 	switch(algo) {
@@ -96,6 +96,12 @@ secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
 	}
 }
 
+void
+_getdns_secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res)
+{
+	(void)SHA256(buf, len, res);
+}
+
 /**
  * Return size of DS digest according to its hash algorithm.
  * @param algo: DS digest algo.
@@ -342,6 +348,23 @@ i	 * the '44' is the total remaining length.
 }
 #endif /* USE_ECDSA */
 
+#ifdef USE_ECDSA_EVP_WORKAROUND
+static EVP_MD ecdsa_evp_256_md;
+static EVP_MD ecdsa_evp_384_md;
+void _getdns_ecdsa_evp_workaround_init(void)
+{
+	/* openssl before 1.0.0 fixes RSA with the SHA256
+	 * hash in EVP.  We create one for ecdsa_sha256 */
+	ecdsa_evp_256_md = *EVP_sha256();
+	ecdsa_evp_256_md.required_pkey_type[0] = EVP_PKEY_EC;
+	ecdsa_evp_256_md.verify = (void*)ECDSA_verify;
+
+	ecdsa_evp_384_md = *EVP_sha384();
+	ecdsa_evp_384_md.required_pkey_type[0] = EVP_PKEY_EC;
+	ecdsa_evp_384_md.verify = (void*)ECDSA_verify;
+}
+#endif /* USE_ECDSA_EVP_WORKAROUND */
+
 /**
  * Setup key and digest for verification. Adjust sig if necessary.
  *
@@ -470,20 +493,7 @@ setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type,
 				return 0;
 			}
 #ifdef USE_ECDSA_EVP_WORKAROUND
-			/* openssl before 1.0.0 fixes RSA with the SHA256
-			 * hash in EVP.  We create one for ecdsa_sha256 */
-			{
-				static int md_ecdsa_256_done = 0;
-				static EVP_MD md;
-				if(!md_ecdsa_256_done) {
-					EVP_MD m = *EVP_sha256();
-					md_ecdsa_256_done = 1;
-					m.required_pkey_type[0] = (*evp_key)->type;
-					m.verify = (void*)ECDSA_verify;
-					md = m;
-				}
-				*digest_type = &md;
-			}
+			*digest_type = &ecdsa_evp_256_md;
 #else
 			*digest_type = EVP_sha256();
 #endif
@@ -497,20 +507,7 @@ setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type,
 				return 0;
 			}
 #ifdef USE_ECDSA_EVP_WORKAROUND
-			/* openssl before 1.0.0 fixes RSA with the SHA384
-			 * hash in EVP.  We create one for ecdsa_sha384 */
-			{
-				static int md_ecdsa_384_done = 0;
-				static EVP_MD md;
-				if(!md_ecdsa_384_done) {
-					EVP_MD m = *EVP_sha384();
-					md_ecdsa_384_done = 1;
-					m.required_pkey_type[0] = (*evp_key)->type;
-					m.verify = (void*)ECDSA_verify;
-					md = m;
-				}
-				*digest_type = &md;
-			}
+			*digest_type = &ecdsa_evp_384_md;
 #else
 			*digest_type = EVP_sha384();
 #endif
@@ -544,7 +541,7 @@ _getdns_verify_canonrrset(gldns_buffer* buf, int algo, unsigned char* sigblock,
 {
 	const EVP_MD *digest_type;
 	EVP_MD_CTX* ctx;
-	int res, dofree = 0;
+	int res, dofree = 0, docrypto_free = 0;
 	EVP_PKEY *evp_key = NULL;
 	
 	if(!setup_key_digest(algo, &evp_key, &digest_type, key, keylen)) {
@@ -563,7 +560,7 @@ _getdns_verify_canonrrset(gldns_buffer* buf, int algo, unsigned char* sigblock,
 			EVP_PKEY_free(evp_key);
 			return 0;
 		}
-		dofree = 1;
+		docrypto_free = 1;
 	}
 #endif
 #if defined(USE_ECDSA) && defined(USE_DSA)
@@ -593,6 +590,7 @@ _getdns_verify_canonrrset(gldns_buffer* buf, int algo, unsigned char* sigblock,
 		log_err("EVP_MD_CTX_new: malloc failure");
 		EVP_PKEY_free(evp_key);
 		if(dofree) free(sigblock);
+		else if(docrypto_free) CRYPTO_free(sigblock);
 		return 0;
 	}
 	if(EVP_VerifyInit(ctx, digest_type) == 0) {
@@ -600,6 +598,7 @@ _getdns_verify_canonrrset(gldns_buffer* buf, int algo, unsigned char* sigblock,
 		EVP_MD_CTX_destroy(ctx);
 		EVP_PKEY_free(evp_key);
 		if(dofree) free(sigblock);
+		else if(docrypto_free) CRYPTO_free(sigblock);
 		return 0;
 	}
 	if(EVP_VerifyUpdate(ctx, (unsigned char*)gldns_buffer_begin(buf), 
@@ -608,15 +607,21 @@ _getdns_verify_canonrrset(gldns_buffer* buf, int algo, unsigned char* sigblock,
 		EVP_MD_CTX_destroy(ctx);
 		EVP_PKEY_free(evp_key);
 		if(dofree) free(sigblock);
+		else if(docrypto_free) CRYPTO_free(sigblock);
 		return 0;
 	}
 
 	res = EVP_VerifyFinal(ctx, sigblock, sigblock_len, evp_key);
+#ifdef HAVE_EVP_MD_CTX_NEW
 	EVP_MD_CTX_destroy(ctx);
+#else
+	EVP_MD_CTX_cleanup(ctx);
+	free(ctx);
+#endif
 	EVP_PKEY_free(evp_key);
 
-	if(dofree)
-		free(sigblock);
+	if(dofree) free(sigblock);
+	else if(docrypto_free) CRYPTO_free(sigblock);
 
 	if(res == 1) {
 		return 1;
@@ -644,7 +649,7 @@ _getdns_verify_canonrrset(gldns_buffer* buf, int algo, unsigned char* sigblock,
 
 /* return size of digest if supported, or 0 otherwise */
 size_t
-nsec3_hash_algo_size_supported(int id)
+_getdns_nsec3_hash_algo_size_supported(int id)
 {
 	switch(id) {
 	case NSEC3_HASH_SHA1:
@@ -656,7 +661,7 @@ nsec3_hash_algo_size_supported(int id)
 
 /* perform nsec3 hash. return false on failure */
 int
-secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
+_getdns_secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
         unsigned char* res)
 {
 	switch(algo) {
@@ -668,6 +673,12 @@ secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
 	}
 }
 
+void
+_getdns_secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res)
+{
+	(void)HASH_HashBuf(HASH_AlgSHA256, res, buf, (unsigned long)len);
+}
+
 size_t
 _getdns_ds_digest_size_supported(int algo)
 {
@@ -1185,6 +1196,9 @@ _getdns_verify_canonrrset(gldns_buffer* buf, int algo, unsigned char* sigblock,
 #include "macros.h"
 #include "rsa.h"
 #include "dsa.h"
+#ifdef HAVE_NETTLE_DSA_COMPAT_H
+#include "dsa-compat.h"
+#endif
 #include "asn1.h"
 #ifdef USE_ECDSA
 #include "ecdsa.h"
@@ -1236,7 +1250,7 @@ _digest_nettle(int algo, uint8_t* buf, size_t len,
 
 /* return size of digest if supported, or 0 otherwise */
 size_t
-nsec3_hash_algo_size_supported(int id)
+_getdns_nsec3_hash_algo_size_supported(int id)
 {
 	switch(id) {
 	case NSEC3_HASH_SHA1:
@@ -1248,7 +1262,7 @@ nsec3_hash_algo_size_supported(int id)
 
 /* perform nsec3 hash. return false on failure */
 int
-secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
+_getdns_secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
         unsigned char* res)
 {
 	switch(algo) {
@@ -1260,6 +1274,12 @@ secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
 	}
 }
 
+void
+_getdns_secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res)
+{
+	_digest_nettle(SHA256_DIGEST_SIZE, (uint8_t*)buf, len, res);
+}
+
 /**
  * Return size of DS digest according to its hash algorithm.
  * @param algo: DS digest algo.

src/util/val_secalgo.h

@@ -45,7 +45,7 @@
 struct gldns_buffer;
 
 /** Return size of nsec3 hash algorithm, 0 if not supported */
-size_t nsec3_hash_algo_size_supported(int id);
+size_t _getdns_nsec3_hash_algo_size_supported(int id);
 
 /**
  * Hash a single hash call of an NSEC3 hash algorithm.
@@ -56,9 +56,17 @@ size_t nsec3_hash_algo_size_supported(int id);
  * @param res: result stored here (must have sufficient space).
  * @return false on failure.
 */
-int secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
+int _getdns_secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
         unsigned char* res);
 
+/**
+ * Calculate the sha256 hash for the data buffer into the result.
+ * @param buf: buffer to digest.
+ * @param len: length of the buffer to digest.
+ * @param res: result is stored here (space 256/8 bytes).
+ */
+void _getdns_secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res);
+
 /**
  * Return size of DS digest according to its hash algorithm.
  * @param algo: DS digest algo.