ED25519 & ED448 support

2018-12-03 15:35:03 +01:00 · 2018-12-03 15:35:03 +01:00 · c80aa72725
parent ea55b12a08
commit c80aa72725
3 changed files with 60 additions and 50 deletions
--- a/configure.ac
+++ b/configure.ac
@ -400,48 +400,49 @@ yes)
 esac

 USE_NSS="no"
-AC_ARG_WITH([nss], AC_HELP_STRING([--with-nss=path],
-        [use libnss instead of openssl, installed at path.]),
-        [
-        USE_NSS="yes"
-        AC_DEFINE(HAVE_NSS, 1, [Use libnss for crypto])
-        if test "$withval" != "" -a "$withval" != "yes"; then
-                CPPFLAGS="$CPPFLAGS -I$withval/include/nss3"
-                LDFLAGS="$LDFLAGS -L$withval/lib"
-                ACX_RUNTIME_PATH_ADD([$withval/lib])
-                CPPFLAGS="-I$withval/include/nspr4 $CPPFLAGS"
-        else
-                CPPFLAGS="$CPPFLAGS -I/usr/include/nss3"
-                CPPFLAGS="-I/usr/include/nspr4 $CPPFLAGS"
-        fi
-        LIBS="$LIBS -lnss3 -lnspr4"
-        SSLLIB=""
-        ]
-)
+dnl AC_ARG_WITH([nss], AC_HELP_STRING([--with-nss=path],
+dnl         [use libnss instead of openssl, installed at path.]),
+dnl         [
+dnl         USE_NSS="yes"
+dnl         AC_DEFINE(HAVE_NSS, 1, [Use libnss for crypto])
+dnl         if test "$withval" != "" -a "$withval" != "yes"; then
+dnl                 CPPFLAGS="$CPPFLAGS -I$withval/include/nss3"
+dnl                 LDFLAGS="$LDFLAGS -L$withval/lib"
+dnl                 ACX_RUNTIME_PATH_ADD([$withval/lib])
+dnl                 CPPFLAGS="-I$withval/include/nspr4 $CPPFLAGS"
+dnl         else
+dnl                 CPPFLAGS="$CPPFLAGS -I/usr/include/nss3"
+dnl                 CPPFLAGS="-I/usr/include/nspr4 $CPPFLAGS"
+dnl         fi
+dnl         LIBS="$LIBS -lnss3 -lnspr4"
+dnl         SSLLIB=""
+dnl         ]
+dnl )

 # libnettle
 USE_NETTLE="no"
-AC_ARG_WITH([nettle], AC_HELP_STRING([--with-nettle=path],
-        [use libnettle as crypto library, installed at path.]),
-        [
-        USE_NETTLE="yes"
-        AC_DEFINE(HAVE_NETTLE, 1, [Use libnettle for crypto])
-        AC_CHECK_HEADERS([nettle/dsa-compat.h],,, [AC_INCLUDES_DEFAULT])
-        if test "$withval" != "" -a "$withval" != "yes"; then
-                CPPFLAGS="$CPPFLAGS -I$withval/include/nettle"
-                LDFLAGS="$LDFLAGS -L$withval/lib"
-                ACX_RUNTIME_PATH_ADD([$withval/lib])
-        else
-                CPPFLAGS="$CPPFLAGS -I/usr/include/nettle"
-        fi
-        LIBS="$LIBS -lhogweed -lnettle -lgmp"
-        SSLLIB=""
-        ]
-)
+dnl AC_ARG_WITH([nettle], AC_HELP_STRING([--with-nettle=path],
+dnl         [use libnettle as crypto library, installed at path.]),
+dnl         [
+dnl         USE_NETTLE="yes"
+dnl         AC_DEFINE(HAVE_NETTLE, 1, [Use libnettle for crypto])
+dnl         AC_CHECK_HEADERS([nettle/dsa-compat.h],,, [AC_INCLUDES_DEFAULT])
+dnl         if test "$withval" != "" -a "$withval" != "yes"; then
+dnl                 CPPFLAGS="$CPPFLAGS -I$withval/include/nettle"
+dnl                 LDFLAGS="$LDFLAGS -L$withval/lib"
+dnl                 ACX_RUNTIME_PATH_ADD([$withval/lib])
+dnl         else
+dnl                 CPPFLAGS="$CPPFLAGS -I/usr/include/nettle"
+dnl         fi
+dnl         LIBS="$LIBS -lhogweed -lnettle -lgmp"
+dnl         SSLLIB=""
+dnl         ]
+dnl )

 # openssl
 if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
-ACX_WITH_SSL_OPTIONAL
+ACX_WITH_SSL
+fi
 ACX_LIB_SSL
 AC_MSG_CHECKING([for LibreSSL])
 if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then
@ -453,7 +454,7 @@ if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/
 else
 	AC_MSG_RESULT([no])
 fi
-AC_CHECK_HEADERS([openssl/conf.h],,, [AC_INCLUDES_DEFAULT])
+AC_CHECK_HEADERS([openssl/conf.h openssl/ssl.h],,, [AC_INCLUDES_DEFAULT])
 AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT])
 AC_CHECK_HEADERS([openssl/bn.h openssl/rsa.h openssl/dsa.h],,, [AC_INCLUDES_DEFAULT])
 AC_CHECK_FUNCS([OPENSSL_config EVP_md5 EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512 FIPS_mode ENGINE_load_cryptodev EVP_PKEY_keygen ECDSA_SIG_get0 EVP_MD_CTX_new EVP_PKEY_base_id HMAC_CTX_new HMAC_CTX_free TLS_client_method DSA_SIG_set0 EVP_dss1 EVP_DigestVerify SSL_CTX_set_min_proto_version OpenSSL_version_num OpenSSL_version SSL_CTX_dane_enable SSL_dane_enable SSL_dane_tlsa_add X509_check_host X509_get_notAfter X509_get0_notAfter SSL_CTX_set_ciphersuites SSL_set_ciphersuites])
@ -477,7 +478,6 @@ AC_INCLUDES_DEFAULT
 #include <openssl/ssl.h>
 #include <openssl/evp.h>
 ])
-fi

 AC_MSG_CHECKING([whether we need to compile/link DANE support])
 DANESSL_XTRA_OBJS=""
--- a/src/request-internal.c
+++ b/src/request-internal.c
@ -495,6 +495,9 @@ _getdns_network_req_add_tsig(getdns_network_req *req)
 void
 _getdns_network_validate_tsig(getdns_network_req *req)
 {
+#if defined(HAVE_NSS) || defined(HAVE_NETTLE)
+	(void)req;
+#else
 	_getdns_rr_iter  rr_spc, *rr;
 	_getdns_rdf_iter rdf_spc, *rdf;
 	const uint8_t *request_mac;
@ -668,6 +671,7 @@ _getdns_network_validate_tsig(getdns_network_req *req)
 	gldns_write_uint16(req->response, gldns_read_uint16(req->query));
 	gldns_write_uint16(req->response + 10,
 	    gldns_read_uint16(req->response + 10) + 1);
+#endif
 }

 void
--- a/src/util-internal.c
+++ b/src/util-internal.c
@ -1119,7 +1119,8 @@ _getdns_create_getdns_response(getdns_dns_req *completed_request)
 	int rrsigs_in_answer = 0;
 	getdns_dict *reply;
 	getdns_bindata *canonical_name = NULL;
-	int nreplies = 0, nanswers = 0, nsecure = 0, ninsecure = 0, nbogus = 0;
+	int nreplies = 0, nanswers = 0;
+	int nsecure = 0, ninsecure = 0, nindeterminate = 0, nbogus = 0;
 	getdns_dict   *netreq_debug;
 	_srvs srvs = { 0, 0, NULL };

@ -1193,16 +1194,18 @@ _getdns_create_getdns_response(getdns_dns_req *completed_request)
 			_getdns_network_validate_tsig(netreq);

 		nreplies++;
-		if (netreq->dnssec_status == GETDNS_DNSSEC_SECURE)
-			nsecure++;
-		else if (netreq->dnssec_status != GETDNS_DNSSEC_BOGUS)
-			ninsecure++;
-
-		if (dnssec_return_status &&
-		    netreq->dnssec_status == GETDNS_DNSSEC_BOGUS)
-			nbogus++;
-
-
+		switch (netreq->dnssec_status) {
+		case GETDNS_DNSSEC_SECURE       : nsecure++;
+						  break;
+		case GETDNS_DNSSEC_INSECURE     : ninsecure++;
+						  break;
+		case GETDNS_DNSSEC_INDETERMINATE: nindeterminate++;
+						  ninsecure++;
+						  break;
+		case GETDNS_DNSSEC_BOGUS        : if (dnssec_return_status)
+							  nbogus++;
+						  break;
+		}
 		if (! completed_request->dnssec_return_all_statuses &&
 		    ! completed_request->dnssec_return_validation_chain) {
 			if (dnssec_return_status &&
@ -1291,8 +1294,11 @@ _getdns_create_getdns_response(getdns_dns_req *completed_request)
 	if (getdns_dict_set_int(result, GETDNS_STR_KEY_STATUS,
 	    completed_request->request_timed_out ||
 	    nreplies == 0   ? GETDNS_RESPSTATUS_ALL_TIMEOUT :
+	    (  completed_request->dnssec
+	    && nsecure == 0 && nindeterminate ) > 0
+	                    ? GETDNS_RESPSTATUS_NO_SECURE_ANSWERS :
 	    (  completed_request->dnssec_return_only_secure
-	    || completed_request->dnssec ) && nsecure == 0 && ninsecure > 0
+	    && nsecure == 0 && ninsecure ) > 0
 	                    ? GETDNS_RESPSTATUS_NO_SECURE_ANSWERS :
 	    (  completed_request->dnssec_return_only_secure
 	    || completed_request->dnssec ) && nsecure == 0 && nbogus > 0