Add use of libnettle, and enable val_secalgo routines from existing Nettle implementation.

Link to the openssl val_secalgo implementation and use that, after adjusting the source of Nettle includes.

GnuTLS uses Nettle itself, so this is not adding a new dependency.

configure.ac

@@ -33,6 +33,7 @@ AC_PREREQ([2.68])
 AC_CONFIG_MACRO_DIRS([m4])
 sinclude(./m4/acx_openssl.m4)
 sinclude(./m4/acx_getaddrinfo.m4)
+sinclude(./m4/ac_lib_nettle.m4)
 sinclude(./m4/ax_check_compile_flag.m4)
 sinclude(./m4/pkg.m4)
 
@@ -409,6 +410,7 @@ AC_ARG_WITH([gnutls],
         CFLAGS="$libgnutls_CFLAGS $CFLAGS"
         AC_SUBST([TLSDIR], 'gnutls')
         AC_DEFINE([USE_GNUTLS], [1], [Use the GnuTLS library])
+        AX_LIB_NETTLE(yes)
     ],
     [
         ACX_WITH_SSL_OPTIONAL

m4/ax_lib_nettle.m4

@@ -0,0 +1,80 @@
+# ===========================================================================
+#      https://www.gnu.org/software/autoconf-archive/ax_lib_nettle.html
+# ===========================================================================
+#
+# SYNOPSIS
+#
+#   AX_LIB_NETTLE([yes|no|auto])
+#
+# DESCRIPTION
+#
+#   Searches for the 'nettle' library with the --with... option.
+#
+#   If found, define HAVE_NETTLE and macro NETTLE_LIBS. Also defines
+#   NETTLE_WITH_<algo> for the algorithms found available. Possible
+#   algorithms: AES ARCTWO BLOWFISH CAST128 DES DES3 SERPENT TWOFISH MD2 MD4
+#   MD5 SHA1 SHA256.
+#
+#   The argument is used if no --with...-nettle option is set. Value "yes"
+#   requires the configuration by default. Value "no" does not require it by
+#   default. Value "auto" configures the library only if available.
+#
+#   See also AX_LIB_BEECRYPT, AX_LIB_CRYPTO, and AX_LIB_GCRYPT.
+#
+# LICENSE
+#
+#   Copyright (c) 2009 Fabien Coelho <autoconf.archive@coelho.net>
+#
+#   Copying and distribution of this file, with or without modification, are
+#   permitted in any medium without royalty provided the copyright notice
+#   and this notice are preserved. This file is offered as-is, without any
+#   warranty.
+
+#serial 10
+
+# AX_CHECK_NETTLE_ALGO([name],[function])
+AC_DEFUN([AX_CHECK_NETTLE_ALGO],[
+  AC_CHECK_LIB([nettle], [nettle_$2],
+    AC_DEFINE([NETTLE_WITH_$1],[1],[Algorithm $1 in nettle library]))
+])
+
+# AX_LIB_NETTLE([yes|no|auto])
+AC_DEFUN([AX_LIB_NETTLE],[
+  AC_MSG_CHECKING([whether nettle is enabled])
+  AC_ARG_WITH([nettle],
+        AC_HELP_STRING([--with-nettle], [Require nettle library (required with GnuTLS)]),[
+    AC_MSG_RESULT([$withval])
+    ax_with_nettle=$withval
+  ],[
+    AC_MSG_RESULT([$1])
+    ax_with_nettle=$1
+  ])
+  if test "$ax_with_nettle" = "yes" -o "$ax_with_nettle" = "auto" ; then
+    AC_CHECK_HEADERS([nettle/nettle-meta.h],[
+      AC_CHECK_LIB([nettle],[nettle_base64_encode_final],[
+        AC_DEFINE([HAVE_NETTLE],[1],[Nettle library is available])
+	HAVE_NETTLE=1
+        AC_SUBST([NETTLE_LIBS],[-lnettle])
+	# ciphers
+        AX_CHECK_NETTLE_ALGO([AES],[aes_encrypt])
+        AX_CHECK_NETTLE_ALGO([ARCTWO],[arctwo_encrypt])
+        AX_CHECK_NETTLE_ALGO([BLOWFISH],[blowfish_encrypt])
+        AX_CHECK_NETTLE_ALGO([CAST128],[cast128_encrypt])
+        AX_CHECK_NETTLE_ALGO([DES],[des_encrypt])
+        AX_CHECK_NETTLE_ALGO([DES3],[des3_encrypt])
+        AX_CHECK_NETTLE_ALGO([SERPENT],[serpent_encrypt])
+        AX_CHECK_NETTLE_ALGO([TWOFISH],[twofish_encrypt])
+	# digests
+        AX_CHECK_NETTLE_ALGO([MD2],[md2_digest])
+        AX_CHECK_NETTLE_ALGO([MD4],[md4_digest])
+        AX_CHECK_NETTLE_ALGO([MD5],[md5_digest])
+        AX_CHECK_NETTLE_ALGO([SHA1],[sha1_digest])
+        AX_CHECK_NETTLE_ALGO([SHA256],[sha256_digest])
+      ])
+    ])
+    # complain only if explicitly required
+    if test "$ax_with_nettle" = "yes" -a "x$HAVE_NETTLE" = "x" ; then
+        AC_MSG_ERROR([cannot configure required nettle library])
+    fi
+  fi
+])

src/gnutls/val_secalgo.c

@@ -1,58 +0,0 @@
-/**
- *
- * /brief secalgo interface.
- *
- */
-/*
- * Copyright (c) 2017, NLnet Labs, the getdns team
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- * * Redistributions of source code must retain the above copyright
- *   notice, this list of conditions and the following disclaimer.
- * * Redistributions in binary form must reproduce the above copyright
- *   notice, this list of conditions and the following disclaimer in the
- *   documentation and/or other materials provided with the distribution.
- * * Neither the names of the copyright holders nor the
- *   names of its contributors may be used to endorse or promote products
- *   derived from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL Verisign, Inc. BE LIABLE FOR ANY
- * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
- * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "config.h"
-
-#include "util/val_secalgo.h"
-
-size_t _getdns_ds_digest_size_supported(int algo)
-{
-	return 0;
-}
-
-int _getdns_secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
-	unsigned char* res)
-{
-	return 0;
-}
-
-int _getdns_dnskey_algo_id_is_supported(int id)
-{
-	return 0;
-}
-
-enum sec_status _getdns_verify_canonrrset(struct gldns_buffer* buf, int algo,
-	unsigned char* sigblock, unsigned int sigblock_len,
-	unsigned char* key, unsigned int keylen, char** reason)
-{
-	return sec_status_bogus;
-}

src/gnutls/val_secalgo.c

@@ -0,0 +1 @@
+../openssl/val_secalgo.c

src/gnutls/validator

@@ -0,0 +1 @@
+../openssl/validator

src/openssl/val_secalgo.c

@@ -1321,21 +1321,21 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
 
 #elif defined(HAVE_NETTLE)
 
-#include "sha.h"
+#include <nettle/sha.h>
-#include "bignum.h"
+#include <nettle/bignum.h>
-#include "macros.h"
+#include <nettle/macros.h>
-#include "rsa.h"
+#include <nettle/rsa.h>
-#include "dsa.h"
+#include <nettle/dsa.h>
 #ifdef HAVE_NETTLE_DSA_COMPAT_H
-#include "dsa-compat.h"
+#include <nettle/dsa-compat.h>
 #endif
-#include "asn1.h"
+#include <nettle/asn1.h>
 #ifdef USE_ECDSA
-#include "ecdsa.h"
+#include <nettle/ecdsa.h>
-#include "ecc-curve.h"
+#include <nettle/ecc-curve.h>
 #endif
 #ifdef HAVE_NETTLE_EDDSA_H
-#include "eddsa.h"
+#include <nettle/eddsa.h>
 #endif
 
 static int