ED25519 & ED448 support
parent
ea55b12a08
commit
c80aa72725
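--- a/configure.ac
+++ b/configure.ac
@@ -400,48 +400,49 @@ yes)
 esac
 
 USE_NSS="no"
-AC_ARG_WITH([nss], AC_HELP_STRING([--with-nss=path],
-[use libnss instead of openssl, installed at path.]),
-[
-USE_NSS="yes"
-AC_DEFINE(HAVE_NSS, 1, [Use libnss for crypto])
-if test "$withval" != "" -a "$withval" != "yes"; then
-CPPFLAGS="$CPPFLAGS -I$withval/include/nss3"
-LDFLAGS="$LDFLAGS -L$withval/lib"
-ACX_RUNTIME_PATH_ADD([$withval/lib])
-CPPFLAGS="-I$withval/include/nspr4 $CPPFLAGS"
-else
-CPPFLAGS="$CPPFLAGS -I/usr/include/nss3"
-CPPFLAGS="-I/usr/include/nspr4 $CPPFLAGS"
-fi
-LIBS="$LIBS -lnss3 -lnspr4"
-SSLLIB=""
-]
-)
+dnl AC_ARG_WITH([nss], AC_HELP_STRING([--with-nss=path],
+dnl [use libnss instead of openssl, installed at path.]),
+dnl [
+dnl USE_NSS="yes"
+dnl AC_DEFINE(HAVE_NSS, 1, [Use libnss for crypto])
+dnl if test "$withval" != "" -a "$withval" != "yes"; then
+dnl CPPFLAGS="$CPPFLAGS -I$withval/include/nss3"
+dnl LDFLAGS="$LDFLAGS -L$withval/lib"
+dnl ACX_RUNTIME_PATH_ADD([$withval/lib])
+dnl CPPFLAGS="-I$withval/include/nspr4 $CPPFLAGS"
+dnl else
+dnl CPPFLAGS="$CPPFLAGS -I/usr/include/nss3"
+dnl CPPFLAGS="-I/usr/include/nspr4 $CPPFLAGS"
+dnl fi
+dnl LIBS="$LIBS -lnss3 -lnspr4"
+dnl SSLLIB=""
+dnl ]
+dnl )
 
 # libnettle
 USE_NETTLE="no"
-AC_ARG_WITH([nettle], AC_HELP_STRING([--with-nettle=path],
-[use libnettle as crypto library, installed at path.]),
-[
-USE_NETTLE="yes"
-AC_DEFINE(HAVE_NETTLE, 1, [Use libnettle for crypto])
-AC_CHECK_HEADERS([nettle/dsa-compat.h],,, [AC_INCLUDES_DEFAULT])
-if test "$withval" != "" -a "$withval" != "yes"; then
-CPPFLAGS="$CPPFLAGS -I$withval/include/nettle"
-LDFLAGS="$LDFLAGS -L$withval/lib"
-ACX_RUNTIME_PATH_ADD([$withval/lib])
-else
-CPPFLAGS="$CPPFLAGS -I/usr/include/nettle"
-fi
-LIBS="$LIBS -lhogweed -lnettle -lgmp"
-SSLLIB=""
-]
-)
+dnl AC_ARG_WITH([nettle], AC_HELP_STRING([--with-nettle=path],
+dnl [use libnettle as crypto library, installed at path.]),
+dnl [
+dnl USE_NETTLE="yes"
+dnl AC_DEFINE(HAVE_NETTLE, 1, [Use libnettle for crypto])
+dnl AC_CHECK_HEADERS([nettle/dsa-compat.h],,, [AC_INCLUDES_DEFAULT])
+dnl if test "$withval" != "" -a "$withval" != "yes"; then
+dnl CPPFLAGS="$CPPFLAGS -I$withval/include/nettle"
+dnl LDFLAGS="$LDFLAGS -L$withval/lib"
+dnl ACX_RUNTIME_PATH_ADD([$withval/lib])
+dnl else
+dnl CPPFLAGS="$CPPFLAGS -I/usr/include/nettle"
+dnl fi
+dnl LIBS="$LIBS -lhogweed -lnettle -lgmp"
+dnl SSLLIB=""
+dnl ]
+dnl )
 
 # openssl
 if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
-ACX_WITH_SSL_OPTIONAL
+ACX_WITH_SSL
+fi
 ACX_LIB_SSL
 AC_MSG_CHECKING([for LibreSSL])
 if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then
@@ -453,7 +454,7 @@ if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/
 else
 AC_MSG_RESULT([no])
 fi
-AC_CHECK_HEADERS([openssl/conf.h],,, [AC_INCLUDES_DEFAULT])
+AC_CHECK_HEADERS([openssl/conf.h openssl/ssl.h],,, [AC_INCLUDES_DEFAULT])
 AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT])
 AC_CHECK_HEADERS([openssl/bn.h openssl/rsa.h openssl/dsa.h],,, [AC_INCLUDES_DEFAULT])
 AC_CHECK_FUNCS([OPENSSL_config EVP_md5 EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512 FIPS_mode ENGINE_load_cryptodev EVP_PKEY_keygen ECDSA_SIG_get0 EVP_MD_CTX_new EVP_PKEY_base_id HMAC_CTX_new HMAC_CTX_free TLS_client_method DSA_SIG_set0 EVP_dss1 EVP_DigestVerify SSL_CTX_set_min_proto_version OpenSSL_version_num OpenSSL_version SSL_CTX_dane_enable SSL_dane_enable SSL_dane_tlsa_add X509_check_host X509_get_notAfter X509_get0_notAfter SSL_CTX_set_ciphersuites SSL_set_ciphersuites])
@@ -477,7 +478,6 @@ AC_INCLUDES_DEFAULT
 #include <openssl/ssl.h>
 #include <openssl/evp.h>
 ])
-fi
 
 AC_MSG_CHECKING([whether we need to compile/link DANE support])
 DANESSL_XTRA_OBJS=""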
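Review bot: The `dnl`-commented `--with-nss` and `--with-nettle` blocks in the first hunk were the only places that `AC_DEFINE` `HAVE_NSS` and `HAVE_NETTLE`, so after this change neither macro can be set from configure, while `USE_NSS="no"`, `USE_NETTLE="no"` and the `if test $USE_NSS = "no" -a $USE_NETTLE = "no"` guard around `ACX_WITH_SSL` stay behind as an always-true branch. If the alternative crypto back-ends are being dropped, deleting those 36 lines and the guard is clearer than keeping them as `dnl` comments (history preserves them); if they are meant to return, one line at the top of the block saying why they are disabled, e.g. `dnl NSS/nettle back-ends disabled for now: see commit "ED25519 & ED448 support"`, tells the next reader not to simply re-enable them. Replacing `ACX_WITH_SSL_OPTIONAL` with `ACX_WITH_SSL` presumably turns a missing OpenSSL into a hard configure failure rather than a degraded build, which is a behaviour change worth a line in the build documentation.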
|
|
|
@ -495,6 +495,9 @@ _getdns_network_req_add_tsig(getdns_network_req *req)
|
||||||
void
|
void
|
||||||
_getdns_network_validate_tsig(getdns_network_req *req)
|
_getdns_network_validate_tsig(getdns_network_req *req)
|
||||||
{
|
{
|
||||||
|
#if defined(HAVE_NSS) || defined(HAVE_NETTLE)
|
||||||
|
(void)req;
|
||||||
|
#else
|
||||||
_getdns_rr_iter rr_spc, *rr;
|
_getdns_rr_iter rr_spc, *rr;
|
||||||
_getdns_rdf_iter rdf_spc, *rdf;
|
_getdns_rdf_iter rdf_spc, *rdf;
|
||||||
const uint8_t *request_mac;
|
const uint8_t *request_mac;
|
||||||
|
@ -668,6 +671,7 @@ _getdns_network_validate_tsig(getdns_network_req *req)
|
||||||
gldns_write_uint16(req->response, gldns_read_uint16(req->query));
|
gldns_write_uint16(req->response, gldns_read_uint16(req->query));
|
||||||
gldns_write_uint16(req->response + 10,
|
gldns_write_uint16(req->response + 10,
|
||||||
gldns_read_uint16(req->response + 10) + 1);
|
gldns_read_uint16(req->response + 10) + 1);
|
||||||
|
#endif
|
||||||
}
|
}
|
||||||
|
|
||||||
void
|
void
|
||||||
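Review bot: The new `#if defined(HAVE_NSS) || defined(HAVE_NETTLE)` branch in the first hunk reduces `_getdns_network_validate_tsig` to `(void)req;`, so on such a build a TSIG-signed response is handed on without its MAC being checked, and nothing in the hunk records that the check was skipped. A comment at the stub should say so explicitly, e.g. `/* No TSIG verification is available without OpenSSL; the response is passed through unverified. */`, and a status the caller can see would be preferable — I cannot tell from these hunks whether the function reports one. In the same commit configure.ac `dnl`-comments out the only `AC_DEFINE` of `HAVE_NSS`/`HAVE_NETTLE`, so this branch cannot currently be selected by the build and will go stale unless those back-ends are restored. The function body spans both hunks (from the signature in the first to the `#endif` and `}` in the second); the file's path is not shown on this page.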
|
|
|
@ -1119,7 +1119,8 @@ _getdns_create_getdns_response(getdns_dns_req *completed_request)
|
||||||
int rrsigs_in_answer = 0;
|
int rrsigs_in_answer = 0;
|
||||||
getdns_dict *reply;
|
getdns_dict *reply;
|
||||||
getdns_bindata *canonical_name = NULL;
|
getdns_bindata *canonical_name = NULL;
|
||||||
int nreplies = 0, nanswers = 0, nsecure = 0, ninsecure = 0, nbogus = 0;
|
int nreplies = 0, nanswers = 0;
|
||||||
|
int nsecure = 0, ninsecure = 0, nindeterminate = 0, nbogus = 0;
|
||||||
getdns_dict *netreq_debug;
|
getdns_dict *netreq_debug;
|
||||||
_srvs srvs = { 0, 0, NULL };
|
_srvs srvs = { 0, 0, NULL };
|
||||||
|
|
||||||
|
@ -1193,16 +1194,18 @@ _getdns_create_getdns_response(getdns_dns_req *completed_request)
|
||||||
_getdns_network_validate_tsig(netreq);
|
_getdns_network_validate_tsig(netreq);
|
||||||
|
|
||||||
nreplies++;
|
nreplies++;
|
||||||
if (netreq->dnssec_status == GETDNS_DNSSEC_SECURE)
|
switch (netreq->dnssec_status) {
|
||||||
nsecure++;
|
case GETDNS_DNSSEC_SECURE : nsecure++;
|
||||||
else if (netreq->dnssec_status != GETDNS_DNSSEC_BOGUS)
|
break;
|
||||||
ninsecure++;
|
case GETDNS_DNSSEC_INSECURE : ninsecure++;
|
||||||
|
break;
|
||||||
if (dnssec_return_status &&
|
case GETDNS_DNSSEC_INDETERMINATE: nindeterminate++;
|
||||||
netreq->dnssec_status == GETDNS_DNSSEC_BOGUS)
|
ninsecure++;
|
||||||
nbogus++;
|
break;
|
||||||
|
case GETDNS_DNSSEC_BOGUS : if (dnssec_return_status)
|
||||||
|
nbogus++;
|
||||||
|
break;
|
||||||
|
}
|
||||||
if (! completed_request->dnssec_return_all_statuses &&
|
if (! completed_request->dnssec_return_all_statuses &&
|
||||||
! completed_request->dnssec_return_validation_chain) {
|
! completed_request->dnssec_return_validation_chain) {
|
||||||
if (dnssec_return_status &&
|
if (dnssec_return_status &&
|
||||||
|
@ -1291,8 +1294,11 @@ _getdns_create_getdns_response(getdns_dns_req *completed_request)
|
||||||
if (getdns_dict_set_int(result, GETDNS_STR_KEY_STATUS,
|
if (getdns_dict_set_int(result, GETDNS_STR_KEY_STATUS,
|
||||||
completed_request->request_timed_out ||
|
completed_request->request_timed_out ||
|
||||||
nreplies == 0 ? GETDNS_RESPSTATUS_ALL_TIMEOUT :
|
nreplies == 0 ? GETDNS_RESPSTATUS_ALL_TIMEOUT :
|
||||||
|
( completed_request->dnssec
|
||||||
|
&& nsecure == 0 && nindeterminate ) > 0
|
||||||
|
? GETDNS_RESPSTATUS_NO_SECURE_ANSWERS :
|
||||||
( completed_request->dnssec_return_only_secure
|
( completed_request->dnssec_return_only_secure
|
||||||
|| completed_request->dnssec ) && nsecure == 0 && ninsecure > 0
|
&& nsecure == 0 && ninsecure ) > 0
|
||||||
? GETDNS_RESPSTATUS_NO_SECURE_ANSWERS :
|
? GETDNS_RESPSTATUS_NO_SECURE_ANSWERS :
|
||||||
( completed_request->dnssec_return_only_secure
|
( completed_request->dnssec_return_only_secure
|
||||||
|| completed_request->dnssec ) && nsecure == 0 && nbogus > 0
|
|| completed_request->dnssec ) && nsecure == 0 && nbogus > 0
|
||||||
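Review bot: The `switch (netreq->dnssec_status)` in the second hunk has no `default:`, so any status value other than the four listed cases is no longer counted at all, whereas the old `else if (netreq->dnssec_status != GETDNS_DNSSEC_BOGUS)` counted every non-secure, non-bogus reply as insecure; if the status type has any other value (its definition is not on this page), such replies now leave all four counters at zero and could turn a `GETDNS_RESPSTATUS_NO_SECURE_ANSWERS` result into a plain success. `default: ninsecure++; break;` keeps the old accounting, or an assert if the four cases are meant to be exhaustive. In the third hunk the `> 0` in `( completed_request->dnssec && nsecure == 0 && nindeterminate ) > 0` and in the `&& nsecure == 0 && ninsecure ) > 0` line below it sits outside the parentheses, so it compares the result of the `&&` chain rather than the counter; it evaluates the same, but `nindeterminate > 0 )` and `ninsecure > 0 )`, matching the `nbogus > 0` line that follows, say what is meant. `_getdns_create_getdns_response` starts and ends outside these hunks.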
|
|