From c6dffa1239bf362577a7c8b8430ce5911b512560 Mon Sep 17 00:00:00 2001 From: Jim Hague Date: Thu, 6 Dec 2018 10:41:58 +0000 Subject: [PATCH] Add use of libnettle, and enable val_secalgo routines from existing Nettle implementation. Link to the openssl val_secalgo implementation and use that, after adjusting the source of Nettle includes. GnuTLS uses Nettle itself, so this is not adding a new dependency. --- configure.ac | 2 + m4/ax_lib_nettle.m4 | 80 +++++++++++++++++++++++++++++++++++++++ src/gnutls/val_secalgo.c | 59 +---------------------------- src/gnutls/validator | 1 + src/openssl/val_secalgo.c | 20 +++++----- 5 files changed, 94 insertions(+), 68 deletions(-) create mode 100644 m4/ax_lib_nettle.m4 mode change 100644 => 120000 src/gnutls/val_secalgo.c create mode 120000 src/gnutls/validator diff --git a/configure.ac b/configure.ac index a16100e3..865e21b4 100644 --- a/configure.ac +++ b/configure.ac @@ -33,6 +33,7 @@ AC_PREREQ([2.68]) AC_CONFIG_MACRO_DIRS([m4]) sinclude(./m4/acx_openssl.m4) sinclude(./m4/acx_getaddrinfo.m4) +sinclude(./m4/ac_lib_nettle.m4) sinclude(./m4/ax_check_compile_flag.m4) sinclude(./m4/pkg.m4) @@ -409,6 +410,7 @@ AC_ARG_WITH([gnutls], CFLAGS="$libgnutls_CFLAGS $CFLAGS" AC_SUBST([TLSDIR], 'gnutls') AC_DEFINE([USE_GNUTLS], [1], [Use the GnuTLS library]) + AX_LIB_NETTLE(yes) ], [ ACX_WITH_SSL_OPTIONAL diff --git a/m4/ax_lib_nettle.m4 b/m4/ax_lib_nettle.m4 new file mode 100644 index 00000000..e0ba1eac --- /dev/null +++ b/m4/ax_lib_nettle.m4 @@ -0,0 +1,80 @@ +# =========================================================================== +# https://www.gnu.org/software/autoconf-archive/ax_lib_nettle.html +# =========================================================================== +# +# SYNOPSIS +# +# AX_LIB_NETTLE([yes|no|auto]) +# +# DESCRIPTION +# +# Searches for the 'nettle' library with the --with... option. +# +# If found, define HAVE_NETTLE and macro NETTLE_LIBS. Also defines +# NETTLE_WITH_ for the algorithms found available. Possible +# algorithms: AES ARCTWO BLOWFISH CAST128 DES DES3 SERPENT TWOFISH MD2 MD4 +# MD5 SHA1 SHA256. +# +# The argument is used if no --with...-nettle option is set. Value "yes" +# requires the configuration by default. Value "no" does not require it by +# default. Value "auto" configures the library only if available. +# +# See also AX_LIB_BEECRYPT, AX_LIB_CRYPTO, and AX_LIB_GCRYPT. +# +# LICENSE +# +# Copyright (c) 2009 Fabien Coelho +# +# Copying and distribution of this file, with or without modification, are +# permitted in any medium without royalty provided the copyright notice +# and this notice are preserved. This file is offered as-is, without any +# warranty. + +#serial 10 + +# AX_CHECK_NETTLE_ALGO([name],[function]) +AC_DEFUN([AX_CHECK_NETTLE_ALGO],[ + AC_CHECK_LIB([nettle], [nettle_$2], + AC_DEFINE([NETTLE_WITH_$1],[1],[Algorithm $1 in nettle library])) +]) + +# AX_LIB_NETTLE([yes|no|auto]) +AC_DEFUN([AX_LIB_NETTLE],[ + AC_MSG_CHECKING([whether nettle is enabled]) + AC_ARG_WITH([nettle], + AC_HELP_STRING([--with-nettle], [Require nettle library (required with GnuTLS)]),[ + AC_MSG_RESULT([$withval]) + ax_with_nettle=$withval + ],[ + AC_MSG_RESULT([$1]) + ax_with_nettle=$1 + ]) + if test "$ax_with_nettle" = "yes" -o "$ax_with_nettle" = "auto" ; then + AC_CHECK_HEADERS([nettle/nettle-meta.h],[ + AC_CHECK_LIB([nettle],[nettle_base64_encode_final],[ + AC_DEFINE([HAVE_NETTLE],[1],[Nettle library is available]) + HAVE_NETTLE=1 + AC_SUBST([NETTLE_LIBS],[-lnettle]) + # ciphers + AX_CHECK_NETTLE_ALGO([AES],[aes_encrypt]) + AX_CHECK_NETTLE_ALGO([ARCTWO],[arctwo_encrypt]) + AX_CHECK_NETTLE_ALGO([BLOWFISH],[blowfish_encrypt]) + AX_CHECK_NETTLE_ALGO([CAST128],[cast128_encrypt]) + AX_CHECK_NETTLE_ALGO([DES],[des_encrypt]) + AX_CHECK_NETTLE_ALGO([DES3],[des3_encrypt]) + AX_CHECK_NETTLE_ALGO([SERPENT],[serpent_encrypt]) + AX_CHECK_NETTLE_ALGO([TWOFISH],[twofish_encrypt]) + # digests + AX_CHECK_NETTLE_ALGO([MD2],[md2_digest]) + AX_CHECK_NETTLE_ALGO([MD4],[md4_digest]) + AX_CHECK_NETTLE_ALGO([MD5],[md5_digest]) + AX_CHECK_NETTLE_ALGO([SHA1],[sha1_digest]) + AX_CHECK_NETTLE_ALGO([SHA256],[sha256_digest]) + ]) + ]) + # complain only if explicitly required + if test "$ax_with_nettle" = "yes" -a "x$HAVE_NETTLE" = "x" ; then + AC_MSG_ERROR([cannot configure required nettle library]) + fi + fi +]) diff --git a/src/gnutls/val_secalgo.c b/src/gnutls/val_secalgo.c deleted file mode 100644 index 2290eb4c..00000000 --- a/src/gnutls/val_secalgo.c +++ /dev/null @@ -1,58 +0,0 @@ -/** - * - * /brief secalgo interface. - * - */ -/* - * Copyright (c) 2017, NLnet Labs, the getdns team - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * * Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * * Neither the names of the copyright holders nor the - * names of its contributors may be used to endorse or promote products - * derived from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE - * DISCLAIMED. IN NO EVENT SHALL Verisign, Inc. BE LIABLE FOR ANY - * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND - * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS - * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -#include "config.h" - -#include "util/val_secalgo.h" - -size_t _getdns_ds_digest_size_supported(int algo) -{ - return 0; -} - -int _getdns_secalgo_ds_digest(int algo, unsigned char* buf, size_t len, - unsigned char* res) -{ - return 0; -} - -int _getdns_dnskey_algo_id_is_supported(int id) -{ - return 0; -} - -enum sec_status _getdns_verify_canonrrset(struct gldns_buffer* buf, int algo, - unsigned char* sigblock, unsigned int sigblock_len, - unsigned char* key, unsigned int keylen, char** reason) -{ - return sec_status_bogus; -} diff --git a/src/gnutls/val_secalgo.c b/src/gnutls/val_secalgo.c new file mode 120000 index 00000000..446f8e5f --- /dev/null +++ b/src/gnutls/val_secalgo.c @@ -0,0 +1 @@ +../openssl/val_secalgo.c \ No newline at end of file diff --git a/src/gnutls/validator b/src/gnutls/validator new file mode 120000 index 00000000..3e9ba44b --- /dev/null +++ b/src/gnutls/validator @@ -0,0 +1 @@ +../openssl/validator \ No newline at end of file diff --git a/src/openssl/val_secalgo.c b/src/openssl/val_secalgo.c index 95200a48..03fc96f2 100644 --- a/src/openssl/val_secalgo.c +++ b/src/openssl/val_secalgo.c @@ -1321,21 +1321,21 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock, #elif defined(HAVE_NETTLE) -#include "sha.h" -#include "bignum.h" -#include "macros.h" -#include "rsa.h" -#include "dsa.h" +#include +#include +#include +#include +#include #ifdef HAVE_NETTLE_DSA_COMPAT_H -#include "dsa-compat.h" +#include #endif -#include "asn1.h" +#include #ifdef USE_ECDSA -#include "ecdsa.h" -#include "ecc-curve.h" +#include +#include #endif #ifdef HAVE_NETTLE_EDDSA_H -#include "eddsa.h" +#include #endif static int