mirror of https://github.com/getdnsapi/getdns.git
Merge pull request #4 from wtoorop/feature/abstract-tls-willem
Enable ed25519, ecdsa and cookies with gnutls/libnettle
This commit is contained in:
commit
0a9f155cc9
102
configure.ac
102
configure.ac
|
@ -400,6 +400,45 @@ yes)
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
|
USE_NSS="no"
|
||||||
|
AC_ARG_WITH([nss], AC_HELP_STRING([--with-nss=path],
|
||||||
|
[use libnss instead of openssl, installed at path.]),
|
||||||
|
[
|
||||||
|
USE_NSS="yes"
|
||||||
|
AC_DEFINE(HAVE_NSS, 1, [Use libnss for crypto])
|
||||||
|
if test "$withval" != "" -a "$withval" != "yes"; then
|
||||||
|
CPPFLAGS="$CPPFLAGS -I$withval/include/nss3"
|
||||||
|
LDFLAGS="$LDFLAGS -L$withval/lib"
|
||||||
|
ACX_RUNTIME_PATH_ADD([$withval/lib])
|
||||||
|
CPPFLAGS="-I$withval/include/nspr4 $CPPFLAGS"
|
||||||
|
else
|
||||||
|
CPPFLAGS="$CPPFLAGS -I/usr/include/nss3"
|
||||||
|
CPPFLAGS="-I/usr/include/nspr4 $CPPFLAGS"
|
||||||
|
fi
|
||||||
|
LIBS="$LIBS -lnss3 -lnspr4"
|
||||||
|
SSLLIB=""
|
||||||
|
]
|
||||||
|
)
|
||||||
|
|
||||||
|
# libnettle
|
||||||
|
USE_NETTLE="no"
|
||||||
|
AC_ARG_WITH([nettle], AC_HELP_STRING([--with-nettle=path],
|
||||||
|
[use libnettle as crypto library, installed at path.]),
|
||||||
|
[
|
||||||
|
USE_NETTLE="yes"
|
||||||
|
AC_DEFINE(HAVE_NETTLE, 1, [Use libnettle for crypto])
|
||||||
|
AC_CHECK_HEADERS([nettle/dsa-compat.h],,, [AC_INCLUDES_DEFAULT])
|
||||||
|
if test "$withval" != "" -a "$withval" != "yes"; then
|
||||||
|
CPPFLAGS="$CPPFLAGS -I$withval/include/nettle"
|
||||||
|
LDFLAGS="$LDFLAGS -L$withval/lib"
|
||||||
|
ACX_RUNTIME_PATH_ADD([$withval/lib])
|
||||||
|
else
|
||||||
|
CPPFLAGS="$CPPFLAGS -I/usr/include/nettle"
|
||||||
|
fi
|
||||||
|
LIBS="$LIBS -lhogweed -lnettle -lgmp"
|
||||||
|
SSLLIB=""
|
||||||
|
]
|
||||||
|
)
|
||||||
# Which TLS and crypto libs to use.
|
# Which TLS and crypto libs to use.
|
||||||
AC_ARG_WITH([gnutls],
|
AC_ARG_WITH([gnutls],
|
||||||
[AS_HELP_STRING([--with-gnutls],
|
[AS_HELP_STRING([--with-gnutls],
|
||||||
|
@ -410,17 +449,25 @@ AC_ARG_WITH([gnutls],
|
||||||
CFLAGS="$libgnutls_CFLAGS $CFLAGS"
|
CFLAGS="$libgnutls_CFLAGS $CFLAGS"
|
||||||
AC_SUBST([TLSDIR], 'gnutls')
|
AC_SUBST([TLSDIR], 'gnutls')
|
||||||
AC_DEFINE([USE_GNUTLS], [1], [Use the GnuTLS library])
|
AC_DEFINE([USE_GNUTLS], [1], [Use the GnuTLS library])
|
||||||
|
if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
|
||||||
|
|
||||||
AX_LIB_NETTLE(yes)
|
AX_LIB_NETTLE(yes)
|
||||||
|
USE_NETTLE="yes"
|
||||||
|
AC_DEFINE(HAVE_NETTLE, 1, [Use libnettle for crypto])
|
||||||
|
AC_CHECK_HEADERS([nettle/dsa-compat.h],,, [AC_INCLUDES_DEFAULT])
|
||||||
|
fi
|
||||||
],
|
],
|
||||||
[
|
[
|
||||||
ACX_WITH_SSL_OPTIONAL
|
if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
|
||||||
|
ACX_WITH_SSL
|
||||||
|
fi
|
||||||
ACX_LIB_SSL
|
ACX_LIB_SSL
|
||||||
AC_SUBST([TLSDIR], 'openssl')
|
AC_SUBST([TLSDIR], 'openssl')
|
||||||
])
|
])
|
||||||
|
|
||||||
USE_NSS="no"
|
|
||||||
# openssl
|
# openssl
|
||||||
if test $USE_NSS = "no"; then
|
if test $USE_NSS = "no" -a $USE_NETTLE = "no" ; then
|
||||||
AC_MSG_CHECKING([for LibreSSL])
|
AC_MSG_CHECKING([for LibreSSL])
|
||||||
if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then
|
if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then
|
||||||
AC_MSG_RESULT([yes])
|
AC_MSG_RESULT([yes])
|
||||||
|
@ -431,11 +478,11 @@ if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/
|
||||||
else
|
else
|
||||||
AC_MSG_RESULT([no])
|
AC_MSG_RESULT([no])
|
||||||
fi
|
fi
|
||||||
AC_CHECK_HEADERS([openssl/conf.h],,, [AC_INCLUDES_DEFAULT])
|
AC_CHECK_HEADERS([openssl/conf.h openssl/ssl.h],,, [AC_INCLUDES_DEFAULT])
|
||||||
AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT])
|
AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT])
|
||||||
AC_CHECK_HEADERS([openssl/bn.h openssl/rsa.h openssl/dsa.h],,, [AC_INCLUDES_DEFAULT])
|
AC_CHECK_HEADERS([openssl/bn.h openssl/rsa.h openssl/dsa.h],,, [AC_INCLUDES_DEFAULT])
|
||||||
AC_CHECK_FUNCS([OPENSSL_config EVP_md5 EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512 FIPS_mode ENGINE_load_cryptodev EVP_PKEY_keygen ECDSA_SIG_get0 EVP_MD_CTX_new EVP_PKEY_base_id HMAC_CTX_new HMAC_CTX_free TLS_client_method DSA_SIG_set0 EVP_dss1 EVP_DigestVerify SSL_CTX_set_min_proto_version OpenSSL_version_num OpenSSL_version SSL_CTX_dane_enable SSL_dane_enable SSL_dane_tlsa_add X509_check_host X509_get_notAfter X509_get0_notAfter])
|
AC_CHECK_FUNCS([OPENSSL_config EVP_md5 EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512 FIPS_mode ENGINE_load_cryptodev EVP_PKEY_keygen ECDSA_SIG_get0 EVP_MD_CTX_new EVP_PKEY_base_id HMAC_CTX_new HMAC_CTX_free TLS_client_method DSA_SIG_set0 EVP_dss1 EVP_DigestVerify SSL_CTX_set_min_proto_version OpenSSL_version_num OpenSSL_version SSL_CTX_dane_enable SSL_dane_enable SSL_dane_tlsa_add X509_check_host X509_get_notAfter X509_get0_notAfter SSL_CTX_set_ciphersuites SSL_set_ciphersuites])
|
||||||
AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto,SSL_CTX_set1_curves_list,SSL_set1_curves_list], [], [], [
|
AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto,SSL_CTX_set1_curves_list,SSL_set1_curves_list,SSL_set_min_proto_version,SSL_get_min_proto_version], [], [], [
|
||||||
AC_INCLUDES_DEFAULT
|
AC_INCLUDES_DEFAULT
|
||||||
#ifdef HAVE_OPENSSL_ERR_H
|
#ifdef HAVE_OPENSSL_ERR_H
|
||||||
#include <openssl/err.h>
|
#include <openssl/err.h>
|
||||||
|
@ -594,7 +641,7 @@ AC_MSG_RESULT($ac_cv_c_gost_works)
|
||||||
|
|
||||||
AC_ARG_ENABLE(gost, AC_HELP_STRING([--disable-gost], [Disable GOST support]))
|
AC_ARG_ENABLE(gost, AC_HELP_STRING([--disable-gost], [Disable GOST support]))
|
||||||
use_gost="no"
|
use_gost="no"
|
||||||
if test $USE_NSS = "no"; then
|
if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
|
||||||
case "$enable_gost" in
|
case "$enable_gost" in
|
||||||
no)
|
no)
|
||||||
;;
|
;;
|
||||||
|
@ -608,7 +655,7 @@ case "$enable_gost" in
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
fi dnl !USE_NSS
|
fi dnl !USE_NSS && !USE_NETTLE
|
||||||
|
|
||||||
AC_ARG_ENABLE(ecdsa, AC_HELP_STRING([--disable-ecdsa], [Disable ECDSA support]))
|
AC_ARG_ENABLE(ecdsa, AC_HELP_STRING([--disable-ecdsa], [Disable ECDSA support]))
|
||||||
use_ecdsa="no"
|
use_ecdsa="no"
|
||||||
|
@ -616,7 +663,7 @@ case "$enable_ecdsa" in
|
||||||
no)
|
no)
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
if test $USE_NSS = "no"; then
|
if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
|
||||||
AC_CHECK_FUNC(ECDSA_sign, [], [AC_MSG_ERROR([OpenSSL does not support ECDSA: please upgrade or rerun with --disable-ecdsa])])
|
AC_CHECK_FUNC(ECDSA_sign, [], [AC_MSG_ERROR([OpenSSL does not support ECDSA: please upgrade or rerun with --disable-ecdsa])])
|
||||||
AC_CHECK_FUNC(SHA384_Init, [], [AC_MSG_ERROR([OpenSSL does not support SHA384: please upgrade or rerun with --disable-ecdsa])])
|
AC_CHECK_FUNC(SHA384_Init, [], [AC_MSG_ERROR([OpenSSL does not support SHA384: please upgrade or rerun with --disable-ecdsa])])
|
||||||
AC_CHECK_DECLS([NID_X9_62_prime256v1, NID_secp384r1], [], [AC_MSG_ERROR([OpenSSL does not support the ECDSA curves: please upgrade or rerun with --disable-ecdsa])], [AC_INCLUDES_DEFAULT
|
AC_CHECK_DECLS([NID_X9_62_prime256v1, NID_secp384r1], [], [AC_MSG_ERROR([OpenSSL does not support the ECDSA curves: please upgrade or rerun with --disable-ecdsa])], [AC_INCLUDES_DEFAULT
|
||||||
|
@ -648,6 +695,7 @@ case "$enable_dsa" in
|
||||||
;;
|
;;
|
||||||
*) dnl default
|
*) dnl default
|
||||||
# detect if DSA is supported, and turn it off if not.
|
# detect if DSA is supported, and turn it off if not.
|
||||||
|
if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
|
||||||
AC_CHECK_FUNC(DSA_SIG_new, [
|
AC_CHECK_FUNC(DSA_SIG_new, [
|
||||||
AC_CHECK_TYPE(DSA_SIG*, [
|
AC_CHECK_TYPE(DSA_SIG*, [
|
||||||
AC_DEFINE_UNQUOTED([USE_DSA], [1], [Define this to enable DSA support.])
|
AC_DEFINE_UNQUOTED([USE_DSA], [1], [Define this to enable DSA support.])
|
||||||
|
@ -672,6 +720,9 @@ AC_INCLUDES_DEFAULT
|
||||||
])
|
])
|
||||||
], [if test "x$enable_dsa" = "xyes"; then AC_MSG_ERROR([OpenSSL does not support DSA and you used --enable-dsa.])
|
], [if test "x$enable_dsa" = "xyes"; then AC_MSG_ERROR([OpenSSL does not support DSA and you used --enable-dsa.])
|
||||||
fi ])
|
fi ])
|
||||||
|
else
|
||||||
|
AC_DEFINE_UNQUOTED([USE_DSA], [1], [Define this to enable DSA support.])
|
||||||
|
fi
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
|
@ -681,15 +732,40 @@ case "$enable_ed25519" in
|
||||||
no)
|
no)
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
if test "$USE_NSS" = "no" -a "$USE_NETTLE" = "no"; then
|
if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
|
||||||
AC_CHECK_DECLS([NID_ED25519], [
|
AC_CHECK_DECLS([NID_ED25519], [
|
||||||
AC_DEFINE_UNQUOTED([USE_ED25519], [1], [Define this to enable ED25519 support.])
|
|
||||||
use_ed25519="yes"
|
use_ed25519="yes"
|
||||||
], [ if test "x$enable_ed25519" = "xyes"; then AC_MSG_ERROR([OpenSSL does not support ED25519 and you used --enable-ed25519.])
|
], [ if test "x$enable_ed25519" = "xyes"; then AC_MSG_ERROR([OpenSSL does not support ED25519 and you used --enable-ed25519.])
|
||||||
fi ], [AC_INCLUDES_DEFAULT
|
fi ], [AC_INCLUDES_DEFAULT
|
||||||
#include <openssl/evp.h>
|
#include <openssl/evp.h>
|
||||||
])
|
])
|
||||||
fi
|
fi
|
||||||
|
if test $USE_NETTLE = "yes"; then
|
||||||
|
AC_CHECK_HEADERS([nettle/eddsa.h], use_ed25519="yes",, [AC_INCLUDES_DEFAULT])
|
||||||
|
fi
|
||||||
|
if test $use_ed25519 = "yes"; then
|
||||||
|
AC_DEFINE_UNQUOTED([USE_ED25519], [1], [Define this to enable ED25519 support.])
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
AC_ARG_ENABLE(ed448, AC_HELP_STRING([--disable-ed448], [Disable ED448 support]))
|
||||||
|
use_ed448="no"
|
||||||
|
case "$enable_ed448" in
|
||||||
|
no)
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
|
||||||
|
AC_CHECK_DECLS([NID_ED448], [
|
||||||
|
use_ed448="yes"
|
||||||
|
], [ if test "x$enable_ed448" = "xyes"; then AC_MSG_ERROR([OpenSSL does not support ED448 and you used --enable-ed448.])
|
||||||
|
fi ], [AC_INCLUDES_DEFAULT
|
||||||
|
#include <openssl/evp.h>
|
||||||
|
])
|
||||||
|
fi
|
||||||
|
if test $use_ed448 = "yes"; then
|
||||||
|
AC_DEFINE_UNQUOTED([USE_ED448], [1], [Define this to enable ED448 support.])
|
||||||
|
fi
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
|
@ -715,8 +791,8 @@ case "$enable_edns_cookies" in
|
||||||
no)
|
no)
|
||||||
;;
|
;;
|
||||||
yes|*)
|
yes|*)
|
||||||
if test "x_$HAVE_SSL" != "x_yes"; then
|
if test "x_$HAVE_SSL" != "x_yes" -a $USE_NETTLE = "no"; then
|
||||||
AC_MSG_ERROR([edns cookies need openssl libcrypto which is not available, please rerun with --disable-edns-cookies])
|
AC_MSG_ERROR([edns cookies needs crypto library which is not available, please rerun with --disable-edns-cookies])
|
||||||
fi
|
fi
|
||||||
AC_DEFINE_UNQUOTED([EDNS_COOKIES], [1], [Define this to enable the experimental edns cookies.])
|
AC_DEFINE_UNQUOTED([EDNS_COOKIES], [1], [Define this to enable the experimental edns cookies.])
|
||||||
;;
|
;;
|
||||||
|
|
|
@ -18,6 +18,7 @@
|
||||||
#define fake_sha1 _getdns_fake_sha1
|
#define fake_sha1 _getdns_fake_sha1
|
||||||
#define fake_dsa _getdns_fake_dsa
|
#define fake_dsa _getdns_fake_dsa
|
||||||
|
|
||||||
|
|
||||||
#define NSEC3_HASH_SHA1 0x01
|
#define NSEC3_HASH_SHA1 0x01
|
||||||
|
|
||||||
#define LDNS_SHA1 GLDNS_SHA1
|
#define LDNS_SHA1 GLDNS_SHA1
|
||||||
|
@ -34,6 +35,10 @@
|
||||||
#define LDNS_ECDSAP256SHA256 GLDNS_ECDSAP256SHA256
|
#define LDNS_ECDSAP256SHA256 GLDNS_ECDSAP256SHA256
|
||||||
#define LDNS_ECDSAP384SHA384 GLDNS_ECDSAP384SHA384
|
#define LDNS_ECDSAP384SHA384 GLDNS_ECDSAP384SHA384
|
||||||
#define LDNS_ECC_GOST GLDNS_ECC_GOST
|
#define LDNS_ECC_GOST GLDNS_ECC_GOST
|
||||||
|
#define LDNS_ED25519 GLDNS_ED25519
|
||||||
|
#define LDNS_ED448 GLDNS_ED448
|
||||||
|
#define sldns_ed255192pkey_raw gldns_ed255192pkey_raw
|
||||||
|
#define sldns_ed4482pkey_raw gldns_ed4482pkey_raw
|
||||||
#define sldns_key_EVP_load_gost_id gldns_key_EVP_load_gost_id
|
#define sldns_key_EVP_load_gost_id gldns_key_EVP_load_gost_id
|
||||||
#define sldns_digest_evp gldns_digest_evp
|
#define sldns_digest_evp gldns_digest_evp
|
||||||
#define sldns_key_buf2dsa_raw gldns_key_buf2dsa_raw
|
#define sldns_key_buf2dsa_raw gldns_key_buf2dsa_raw
|
||||||
|
|
Loading…
Reference in New Issue