From a6ab7ffe416279f114b14c7c46f0f5107fbea405 Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Tue, 11 Dec 2018 15:05:09 +0100 Subject: [PATCH 1/2] ed25519 and ecdsa support with libnettle --- configure.ac | 100 ++++++++++++++++++++++++---- src/openssl/validator/val_secalgo.h | 5 ++ 2 files changed, 93 insertions(+), 12 deletions(-) diff --git a/configure.ac b/configure.ac index 865e21b4..77f9b091 100644 --- a/configure.ac +++ b/configure.ac @@ -400,6 +400,45 @@ yes) ;; esac +USE_NSS="no" +AC_ARG_WITH([nss], AC_HELP_STRING([--with-nss=path], + [use libnss instead of openssl, installed at path.]), + [ + USE_NSS="yes" + AC_DEFINE(HAVE_NSS, 1, [Use libnss for crypto]) + if test "$withval" != "" -a "$withval" != "yes"; then + CPPFLAGS="$CPPFLAGS -I$withval/include/nss3" + LDFLAGS="$LDFLAGS -L$withval/lib" + ACX_RUNTIME_PATH_ADD([$withval/lib]) + CPPFLAGS="-I$withval/include/nspr4 $CPPFLAGS" + else + CPPFLAGS="$CPPFLAGS -I/usr/include/nss3" + CPPFLAGS="-I/usr/include/nspr4 $CPPFLAGS" + fi + LIBS="$LIBS -lnss3 -lnspr4" + SSLLIB="" + ] +) + +# libnettle +USE_NETTLE="no" +AC_ARG_WITH([nettle], AC_HELP_STRING([--with-nettle=path], + [use libnettle as crypto library, installed at path.]), + [ + USE_NETTLE="yes" + AC_DEFINE(HAVE_NETTLE, 1, [Use libnettle for crypto]) + AC_CHECK_HEADERS([nettle/dsa-compat.h],,, [AC_INCLUDES_DEFAULT]) + if test "$withval" != "" -a "$withval" != "yes"; then + CPPFLAGS="$CPPFLAGS -I$withval/include/nettle" + LDFLAGS="$LDFLAGS -L$withval/lib" + ACX_RUNTIME_PATH_ADD([$withval/lib]) + else + CPPFLAGS="$CPPFLAGS -I/usr/include/nettle" + fi + LIBS="$LIBS -lhogweed -lnettle -lgmp" + SSLLIB="" + ] +) # Which TLS and crypto libs to use. AC_ARG_WITH([gnutls], [AS_HELP_STRING([--with-gnutls], @@ -410,17 +449,25 @@ AC_ARG_WITH([gnutls], CFLAGS="$libgnutls_CFLAGS $CFLAGS" AC_SUBST([TLSDIR], 'gnutls') AC_DEFINE([USE_GNUTLS], [1], [Use the GnuTLS library]) - AX_LIB_NETTLE(yes) + if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then + + AX_LIB_NETTLE(yes) + USE_NETTLE="yes" + AC_DEFINE(HAVE_NETTLE, 1, [Use libnettle for crypto]) + AC_CHECK_HEADERS([nettle/dsa-compat.h],,, [AC_INCLUDES_DEFAULT]) + fi ], [ - ACX_WITH_SSL_OPTIONAL + if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then + ACX_WITH_SSL + fi ACX_LIB_SSL AC_SUBST([TLSDIR], 'openssl') ]) -USE_NSS="no" + # openssl -if test $USE_NSS = "no"; then +if test $USE_NSS = "no" -a $USE_NETTLE = "no" ; then AC_MSG_CHECKING([for LibreSSL]) if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then AC_MSG_RESULT([yes]) @@ -431,11 +478,11 @@ if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/ else AC_MSG_RESULT([no]) fi -AC_CHECK_HEADERS([openssl/conf.h],,, [AC_INCLUDES_DEFAULT]) +AC_CHECK_HEADERS([openssl/conf.h openssl/ssl.h],,, [AC_INCLUDES_DEFAULT]) AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT]) AC_CHECK_HEADERS([openssl/bn.h openssl/rsa.h openssl/dsa.h],,, [AC_INCLUDES_DEFAULT]) -AC_CHECK_FUNCS([OPENSSL_config EVP_md5 EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512 FIPS_mode ENGINE_load_cryptodev EVP_PKEY_keygen ECDSA_SIG_get0 EVP_MD_CTX_new EVP_PKEY_base_id HMAC_CTX_new HMAC_CTX_free TLS_client_method DSA_SIG_set0 EVP_dss1 EVP_DigestVerify SSL_CTX_set_min_proto_version OpenSSL_version_num OpenSSL_version SSL_CTX_dane_enable SSL_dane_enable SSL_dane_tlsa_add X509_check_host X509_get_notAfter X509_get0_notAfter]) -AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto,SSL_CTX_set1_curves_list,SSL_set1_curves_list], [], [], [ +AC_CHECK_FUNCS([OPENSSL_config EVP_md5 EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512 FIPS_mode ENGINE_load_cryptodev EVP_PKEY_keygen ECDSA_SIG_get0 EVP_MD_CTX_new EVP_PKEY_base_id HMAC_CTX_new HMAC_CTX_free TLS_client_method DSA_SIG_set0 EVP_dss1 EVP_DigestVerify SSL_CTX_set_min_proto_version OpenSSL_version_num OpenSSL_version SSL_CTX_dane_enable SSL_dane_enable SSL_dane_tlsa_add X509_check_host X509_get_notAfter X509_get0_notAfter SSL_CTX_set_ciphersuites SSL_set_ciphersuites]) +AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto,SSL_CTX_set1_curves_list,SSL_set1_curves_list,SSL_set_min_proto_version,SSL_get_min_proto_version], [], [], [ AC_INCLUDES_DEFAULT #ifdef HAVE_OPENSSL_ERR_H #include @@ -594,7 +641,7 @@ AC_MSG_RESULT($ac_cv_c_gost_works) AC_ARG_ENABLE(gost, AC_HELP_STRING([--disable-gost], [Disable GOST support])) use_gost="no" -if test $USE_NSS = "no"; then +if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then case "$enable_gost" in no) ;; @@ -608,7 +655,7 @@ case "$enable_gost" in fi ;; esac -fi dnl !USE_NSS +fi dnl !USE_NSS && !USE_NETTLE AC_ARG_ENABLE(ecdsa, AC_HELP_STRING([--disable-ecdsa], [Disable ECDSA support])) use_ecdsa="no" @@ -616,7 +663,7 @@ case "$enable_ecdsa" in no) ;; *) - if test $USE_NSS = "no"; then + if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then AC_CHECK_FUNC(ECDSA_sign, [], [AC_MSG_ERROR([OpenSSL does not support ECDSA: please upgrade or rerun with --disable-ecdsa])]) AC_CHECK_FUNC(SHA384_Init, [], [AC_MSG_ERROR([OpenSSL does not support SHA384: please upgrade or rerun with --disable-ecdsa])]) AC_CHECK_DECLS([NID_X9_62_prime256v1, NID_secp384r1], [], [AC_MSG_ERROR([OpenSSL does not support the ECDSA curves: please upgrade or rerun with --disable-ecdsa])], [AC_INCLUDES_DEFAULT @@ -648,6 +695,7 @@ case "$enable_dsa" in ;; *) dnl default # detect if DSA is supported, and turn it off if not. + if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then AC_CHECK_FUNC(DSA_SIG_new, [ AC_CHECK_TYPE(DSA_SIG*, [ AC_DEFINE_UNQUOTED([USE_DSA], [1], [Define this to enable DSA support.]) @@ -672,6 +720,9 @@ AC_INCLUDES_DEFAULT ]) ], [if test "x$enable_dsa" = "xyes"; then AC_MSG_ERROR([OpenSSL does not support DSA and you used --enable-dsa.]) fi ]) + else + AC_DEFINE_UNQUOTED([USE_DSA], [1], [Define this to enable DSA support.]) + fi ;; esac @@ -681,15 +732,40 @@ case "$enable_ed25519" in no) ;; *) - if test "$USE_NSS" = "no" -a "$USE_NETTLE" = "no"; then + if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then AC_CHECK_DECLS([NID_ED25519], [ - AC_DEFINE_UNQUOTED([USE_ED25519], [1], [Define this to enable ED25519 support.]) use_ed25519="yes" ], [ if test "x$enable_ed25519" = "xyes"; then AC_MSG_ERROR([OpenSSL does not support ED25519 and you used --enable-ed25519.]) fi ], [AC_INCLUDES_DEFAULT #include ]) fi + if test $USE_NETTLE = "yes"; then + AC_CHECK_HEADERS([nettle/eddsa.h], use_ed25519="yes",, [AC_INCLUDES_DEFAULT]) + fi + if test $use_ed25519 = "yes"; then + AC_DEFINE_UNQUOTED([USE_ED25519], [1], [Define this to enable ED25519 support.]) + fi + ;; +esac + +AC_ARG_ENABLE(ed448, AC_HELP_STRING([--disable-ed448], [Disable ED448 support])) +use_ed448="no" +case "$enable_ed448" in + no) + ;; + *) + if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then + AC_CHECK_DECLS([NID_ED448], [ + use_ed448="yes" + ], [ if test "x$enable_ed448" = "xyes"; then AC_MSG_ERROR([OpenSSL does not support ED448 and you used --enable-ed448.]) + fi ], [AC_INCLUDES_DEFAULT +#include + ]) + fi + if test $use_ed448 = "yes"; then + AC_DEFINE_UNQUOTED([USE_ED448], [1], [Define this to enable ED448 support.]) + fi ;; esac diff --git a/src/openssl/validator/val_secalgo.h b/src/openssl/validator/val_secalgo.h index e4e2a7a7..ef26cf34 100644 --- a/src/openssl/validator/val_secalgo.h +++ b/src/openssl/validator/val_secalgo.h @@ -18,6 +18,7 @@ #define fake_sha1 _getdns_fake_sha1 #define fake_dsa _getdns_fake_dsa + #define NSEC3_HASH_SHA1 0x01 #define LDNS_SHA1 GLDNS_SHA1 @@ -34,6 +35,10 @@ #define LDNS_ECDSAP256SHA256 GLDNS_ECDSAP256SHA256 #define LDNS_ECDSAP384SHA384 GLDNS_ECDSAP384SHA384 #define LDNS_ECC_GOST GLDNS_ECC_GOST +#define LDNS_ED25519 GLDNS_ED25519 +#define LDNS_ED448 GLDNS_ED448 +#define sldns_ed255192pkey_raw gldns_ed255192pkey_raw +#define sldns_ed4482pkey_raw gldns_ed4482pkey_raw #define sldns_key_EVP_load_gost_id gldns_key_EVP_load_gost_id #define sldns_digest_evp gldns_digest_evp #define sldns_key_buf2dsa_raw gldns_key_buf2dsa_raw From ab700e70fe1b9c41f141070eaaf874914a9c9a27 Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Tue, 11 Dec 2018 15:13:17 +0100 Subject: [PATCH 2/2] DNS Cookies with libnettle too --- configure.ac | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/configure.ac b/configure.ac index 77f9b091..21f386e5 100644 --- a/configure.ac +++ b/configure.ac @@ -791,8 +791,8 @@ case "$enable_edns_cookies" in no) ;; yes|*) - if test "x_$HAVE_SSL" != "x_yes"; then - AC_MSG_ERROR([edns cookies need openssl libcrypto which is not available, please rerun with --disable-edns-cookies]) + if test "x_$HAVE_SSL" != "x_yes" -a $USE_NETTLE = "no"; then + AC_MSG_ERROR([edns cookies needs crypto library which is not available, please rerun with --disable-edns-cookies]) fi AC_DEFINE_UNQUOTED([EDNS_COOKIES], [1], [Define this to enable the experimental edns cookies.]) ;;