ED25519 & ED448 support

Willem Toorop 2018-12-03 15:35:03 +01:00
parent ea55b12a08
commit c80aa72725
3 changed files with 60 additions and 50 deletions


@ -400,48 +400,49 @@ yes)
esac esac
USE_NSS="no" USE_NSS="no"
AC_ARG_WITH([nss], AC_HELP_STRING([--with-nss=path], dnl AC_ARG_WITH([nss], AC_HELP_STRING([--with-nss=path],
[use libnss instead of openssl, installed at path.]), dnl [use libnss instead of openssl, installed at path.]),
[ dnl [
USE_NSS="yes" dnl USE_NSS="yes"
AC_DEFINE(HAVE_NSS, 1, [Use libnss for crypto]) dnl AC_DEFINE(HAVE_NSS, 1, [Use libnss for crypto])
if test "$withval" != "" -a "$withval" != "yes"; then dnl if test "$withval" != "" -a "$withval" != "yes"; then
CPPFLAGS="$CPPFLAGS -I$withval/include/nss3" dnl CPPFLAGS="$CPPFLAGS -I$withval/include/nss3"
LDFLAGS="$LDFLAGS -L$withval/lib" dnl LDFLAGS="$LDFLAGS -L$withval/lib"
ACX_RUNTIME_PATH_ADD([$withval/lib]) dnl ACX_RUNTIME_PATH_ADD([$withval/lib])
CPPFLAGS="-I$withval/include/nspr4 $CPPFLAGS" dnl CPPFLAGS="-I$withval/include/nspr4 $CPPFLAGS"
else dnl else
CPPFLAGS="$CPPFLAGS -I/usr/include/nss3" dnl CPPFLAGS="$CPPFLAGS -I/usr/include/nss3"
CPPFLAGS="-I/usr/include/nspr4 $CPPFLAGS" dnl CPPFLAGS="-I/usr/include/nspr4 $CPPFLAGS"
fi dnl fi
LIBS="$LIBS -lnss3 -lnspr4" dnl LIBS="$LIBS -lnss3 -lnspr4"
SSLLIB="" dnl SSLLIB=""
] dnl ]
) dnl )
# libnettle # libnettle
USE_NETTLE="no" USE_NETTLE="no"
AC_ARG_WITH([nettle], AC_HELP_STRING([--with-nettle=path], dnl AC_ARG_WITH([nettle], AC_HELP_STRING([--with-nettle=path],
[use libnettle as crypto library, installed at path.]), dnl [use libnettle as crypto library, installed at path.]),
[ dnl [
USE_NETTLE="yes" dnl USE_NETTLE="yes"
AC_DEFINE(HAVE_NETTLE, 1, [Use libnettle for crypto]) dnl AC_DEFINE(HAVE_NETTLE, 1, [Use libnettle for crypto])
AC_CHECK_HEADERS([nettle/dsa-compat.h],,, [AC_INCLUDES_DEFAULT]) dnl AC_CHECK_HEADERS([nettle/dsa-compat.h],,, [AC_INCLUDES_DEFAULT])
if test "$withval" != "" -a "$withval" != "yes"; then dnl if test "$withval" != "" -a "$withval" != "yes"; then
CPPFLAGS="$CPPFLAGS -I$withval/include/nettle" dnl CPPFLAGS="$CPPFLAGS -I$withval/include/nettle"
LDFLAGS="$LDFLAGS -L$withval/lib" dnl LDFLAGS="$LDFLAGS -L$withval/lib"
ACX_RUNTIME_PATH_ADD([$withval/lib]) dnl ACX_RUNTIME_PATH_ADD([$withval/lib])
else dnl else
CPPFLAGS="$CPPFLAGS -I/usr/include/nettle" dnl CPPFLAGS="$CPPFLAGS -I/usr/include/nettle"
fi dnl fi
LIBS="$LIBS -lhogweed -lnettle -lgmp" dnl LIBS="$LIBS -lhogweed -lnettle -lgmp"
SSLLIB="" dnl SSLLIB=""
] dnl ]
) dnl )
# openssl # openssl
if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
ACX_WITH_SSL_OPTIONAL ACX_WITH_SSL
fi
ACX_LIB_SSL ACX_LIB_SSL
AC_MSG_CHECKING([for LibreSSL]) AC_MSG_CHECKING([for LibreSSL])
if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then
@ -453,7 +454,7 @@ if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/
else else
AC_MSG_RESULT([no]) AC_MSG_RESULT([no])
fi fi
AC_CHECK_HEADERS([openssl/conf.h],,, [AC_INCLUDES_DEFAULT]) AC_CHECK_HEADERS([openssl/conf.h openssl/ssl.h],,, [AC_INCLUDES_DEFAULT])
AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT]) AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT])
AC_CHECK_HEADERS([openssl/bn.h openssl/rsa.h openssl/dsa.h],,, [AC_INCLUDES_DEFAULT]) AC_CHECK_HEADERS([openssl/bn.h openssl/rsa.h openssl/dsa.h],,, [AC_INCLUDES_DEFAULT])
AC_CHECK_FUNCS([OPENSSL_config EVP_md5 EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512 FIPS_mode ENGINE_load_cryptodev EVP_PKEY_keygen ECDSA_SIG_get0 EVP_MD_CTX_new EVP_PKEY_base_id HMAC_CTX_new HMAC_CTX_free TLS_client_method DSA_SIG_set0 EVP_dss1 EVP_DigestVerify SSL_CTX_set_min_proto_version OpenSSL_version_num OpenSSL_version SSL_CTX_dane_enable SSL_dane_enable SSL_dane_tlsa_add X509_check_host X509_get_notAfter X509_get0_notAfter SSL_CTX_set_ciphersuites SSL_set_ciphersuites]) AC_CHECK_FUNCS([OPENSSL_config EVP_md5 EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512 FIPS_mode ENGINE_load_cryptodev EVP_PKEY_keygen ECDSA_SIG_get0 EVP_MD_CTX_new EVP_PKEY_base_id HMAC_CTX_new HMAC_CTX_free TLS_client_method DSA_SIG_set0 EVP_dss1 EVP_DigestVerify SSL_CTX_set_min_proto_version OpenSSL_version_num OpenSSL_version SSL_CTX_dane_enable SSL_dane_enable SSL_dane_tlsa_add X509_check_host X509_get_notAfter X509_get0_notAfter SSL_CTX_set_ciphersuites SSL_set_ciphersuites])
@ -477,7 +478,6 @@ AC_INCLUDES_DEFAULT
#include <openssl/ssl.h> #include <openssl/ssl.h>
#include <openssl/evp.h> #include <openssl/evp.h>
]) ])
fi
AC_MSG_CHECKING([whether we need to compile/link DANE support]) AC_MSG_CHECKING([whether we need to compile/link DANE support])
DANESSL_XTRA_OBJS="" DANESSL_XTRA_OBJS=""
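Review bot: On what reads as the new side of the first hunk (sides are not marked; old-then-new print order assumed) every line of the `--with-nss` and `--with-nettle` blocks is prefixed with `dnl`, while `USE_NSS="no"`, `USE_NETTLE="no"` and the `if test $USE_NSS = "no" -a $USE_NETTLE = "no"` guard survive, so both options stop doing anything yet leave permanently-"no" dead state behind. Someone still configuring with `--with-nss=...` gets at most autoconf's unrecognized-option warning and an OpenSSL build rather than a clear failure. Replace the commented-out blocks with an explicit rejection such as `AC_ARG_WITH([nss], [], [AC_MSG_ERROR([libnss support has been removed; build against OpenSSL])])` (and the same for nettle), and drop the now-constant `if`/`fi` around the SSL probe. Since `ACX_WITH_SSL_OPTIONAL` becomes `ACX_WITH_SSL`, OpenSSL is now mandatory; a one-line comment above that macro saying so would spare the next reader the archaeology.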


@ -495,6 +495,9 @@ _getdns_network_req_add_tsig(getdns_network_req *req)
void void
_getdns_network_validate_tsig(getdns_network_req *req) _getdns_network_validate_tsig(getdns_network_req *req)
{ {
#if defined(HAVE_NSS) || defined(HAVE_NETTLE)
(void)req;
#else
_getdns_rr_iter rr_spc, *rr; _getdns_rr_iter rr_spc, *rr;
_getdns_rdf_iter rdf_spc, *rdf; _getdns_rdf_iter rdf_spc, *rdf;
const uint8_t *request_mac; const uint8_t *request_mac;
@ -668,6 +671,7 @@ _getdns_network_validate_tsig(getdns_network_req *req)
gldns_write_uint16(req->response, gldns_read_uint16(req->query)); gldns_write_uint16(req->response, gldns_read_uint16(req->query));
gldns_write_uint16(req->response + 10, gldns_write_uint16(req->response + 10,
gldns_read_uint16(req->response + 10) + 1); gldns_read_uint16(req->response + 10) + 1);
#endif
} }
void void
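Review bot: The `#if defined(HAVE_NSS) || defined(HAVE_NETTLE)` branch added at the top of `_getdns_network_validate_tsig` reduces the function to `(void)req;`, so on such a build a response carrying a TSIG is handed back with no MAC check and nothing in the request recording that the check was skipped; the first hunk ends inside the function body and the second hunk shows only the `#endif` before the closing brace, so whatever status the `#else` path assigns is outside the view. Because the same commit comments out the `AC_DEFINE(HAVE_NSS, ...)` and `AC_DEFINE(HAVE_NETTLE, ...)` lines in configure.ac, this build system can no longer define either macro and the stub looks like dead code. Either drop the `#if` together with the NSS/Nettle options, or keep it and make the intent explicit, e.g. `/* No TSIG verification without OpenSSL: the response is returned unverified, not marked as failed. */`, and have the stub assign the same failure status the `#else` path uses for a rejected MAC so a caller cannot mistake "skipped" for "passed".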


@ -1119,7 +1119,8 @@ _getdns_create_getdns_response(getdns_dns_req *completed_request)
int rrsigs_in_answer = 0; int rrsigs_in_answer = 0;
getdns_dict *reply; getdns_dict *reply;
getdns_bindata *canonical_name = NULL; getdns_bindata *canonical_name = NULL;
int nreplies = 0, nanswers = 0, nsecure = 0, ninsecure = 0, nbogus = 0; int nreplies = 0, nanswers = 0;
int nsecure = 0, ninsecure = 0, nindeterminate = 0, nbogus = 0;
getdns_dict *netreq_debug; getdns_dict *netreq_debug;
_srvs srvs = { 0, 0, NULL }; _srvs srvs = { 0, 0, NULL };
@ -1193,16 +1194,18 @@ _getdns_create_getdns_response(getdns_dns_req *completed_request)
_getdns_network_validate_tsig(netreq); _getdns_network_validate_tsig(netreq);
nreplies++; nreplies++;
if (netreq->dnssec_status == GETDNS_DNSSEC_SECURE) switch (netreq->dnssec_status) {
nsecure++; case GETDNS_DNSSEC_SECURE : nsecure++;
else if (netreq->dnssec_status != GETDNS_DNSSEC_BOGUS) break;
case GETDNS_DNSSEC_INSECURE : ninsecure++;
break;
case GETDNS_DNSSEC_INDETERMINATE: nindeterminate++;
ninsecure++; ninsecure++;
break;
if (dnssec_return_status && case GETDNS_DNSSEC_BOGUS : if (dnssec_return_status)
netreq->dnssec_status == GETDNS_DNSSEC_BOGUS)
nbogus++; nbogus++;
break;
}
if (! completed_request->dnssec_return_all_statuses && if (! completed_request->dnssec_return_all_statuses &&
! completed_request->dnssec_return_validation_chain) { ! completed_request->dnssec_return_validation_chain) {
if (dnssec_return_status && if (dnssec_return_status &&
@ -1291,8 +1294,11 @@ _getdns_create_getdns_response(getdns_dns_req *completed_request)
if (getdns_dict_set_int(result, GETDNS_STR_KEY_STATUS, if (getdns_dict_set_int(result, GETDNS_STR_KEY_STATUS,
completed_request->request_timed_out || completed_request->request_timed_out ||
nreplies == 0 ? GETDNS_RESPSTATUS_ALL_TIMEOUT : nreplies == 0 ? GETDNS_RESPSTATUS_ALL_TIMEOUT :
( completed_request->dnssec
&& nsecure == 0 && nindeterminate ) > 0
? GETDNS_RESPSTATUS_NO_SECURE_ANSWERS :
( completed_request->dnssec_return_only_secure ( completed_request->dnssec_return_only_secure
|| completed_request->dnssec ) && nsecure == 0 && ninsecure > 0 && nsecure == 0 && ninsecure ) > 0
? GETDNS_RESPSTATUS_NO_SECURE_ANSWERS : ? GETDNS_RESPSTATUS_NO_SECURE_ANSWERS :
( completed_request->dnssec_return_only_secure ( completed_request->dnssec_return_only_secure
|| completed_request->dnssec ) && nsecure == 0 && nbogus > 0 || completed_request->dnssec ) && nsecure == 0 && nbogus > 0
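Review bot: The new `switch (netreq->dnssec_status)` in the second hunk has no `default:`; the `else if (netreq->dnssec_status != GETDNS_DNSSEC_BOGUS) ninsecure++;` it replaces counted every non-SECURE, non-BOGUS status as insecure, whereas a value outside the four listed cases now increments no counter at all and falls through to the later status checks unaccounted for. Add `default: ninsecure++; break;` to keep the old accounting, or a `default:` with a comment stating why no other value can reach this point. In the fourth hunk, `( completed_request->dnssec && nsecure == 0 && nindeterminate ) > 0` and the matching `... && ninsecure ) > 0` compare the 0/1 result of the `&&` chain against zero, which only happens to work because the counters are non-negative; moving the comparison inside, `( completed_request->dnssec && nsecure == 0 && nindeterminate > 0 )`, says what is meant. `_getdns_create_getdns_response` and the `getdns_dict_set_int` call both continue outside these hunks.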