mirror of
https://github.com/NLnetLabs/unbound.git
synced 2024-09-21 06:37:08 +00:00
- ED448 support.
git-svn-id: file:///svn/unbound/trunk@4607 be551aaa-1e26-0410-a405-d3ace91eadb9
This commit is contained in:
parent
c515215eea
commit
1f9caf5805
@ -83,6 +83,10 @@
|
||||
don't. */
|
||||
#undef HAVE_DECL_NID_ED25519
|
||||
|
||||
/* Define to 1 if you have the declaration of `NID_ED448', and to 0 if you
|
||||
don't. */
|
||||
#undef HAVE_DECL_NID_ED448
|
||||
|
||||
/* Define to 1 if you have the declaration of `NID_secp384r1', and to 0 if you
|
||||
don't. */
|
||||
#undef HAVE_DECL_NID_SECP384R1
|
||||
@ -716,6 +720,9 @@
|
||||
/* Define this to enable ED25519 support. */
|
||||
#undef USE_ED25519
|
||||
|
||||
/* Define this to enable ED448 support. */
|
||||
#undef USE_ED448
|
||||
|
||||
/* Define this to enable GOST support. */
|
||||
#undef USE_GOST
|
||||
|
||||
|
46
configure
vendored
46
configure
vendored
@ -859,6 +859,7 @@ enable_gost
|
||||
enable_ecdsa
|
||||
enable_dsa
|
||||
enable_ed25519
|
||||
enable_ed448
|
||||
enable_event_api
|
||||
enable_tfo_client
|
||||
enable_tfo_server
|
||||
@ -1545,6 +1546,7 @@ Optional Features:
|
||||
--disable-ecdsa Disable ECDSA support
|
||||
--disable-dsa Disable DSA support
|
||||
--disable-ed25519 Disable ED25519 support
|
||||
--disable-ed448 Disable ED448 support
|
||||
--enable-event-api Enable (experimental) pluggable event base
|
||||
libunbound API installed to unbound-event.h
|
||||
--enable-tfo-client Enable TCP Fast Open for client mode
|
||||
@ -18317,6 +18319,50 @@ _ACEOF
|
||||
;;
|
||||
esac
|
||||
|
||||
# Check whether --enable-ed448 was given.
|
||||
if test "${enable_ed448+set}" = set; then :
|
||||
enableval=$enable_ed448;
|
||||
fi
|
||||
|
||||
use_ed448="no"
|
||||
case "$enable_ed448" in
|
||||
no)
|
||||
;;
|
||||
*)
|
||||
if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
|
||||
ac_fn_c_check_decl "$LINENO" "NID_ED448" "ac_cv_have_decl_NID_ED448" "$ac_includes_default
|
||||
#include <openssl/evp.h>
|
||||
|
||||
"
|
||||
if test "x$ac_cv_have_decl_NID_ED448" = xyes; then :
|
||||
ac_have_decl=1
|
||||
else
|
||||
ac_have_decl=0
|
||||
fi
|
||||
|
||||
cat >>confdefs.h <<_ACEOF
|
||||
#define HAVE_DECL_NID_ED448 $ac_have_decl
|
||||
_ACEOF
|
||||
if test $ac_have_decl = 1; then :
|
||||
|
||||
use_ed448="yes"
|
||||
|
||||
else
|
||||
if test "x$enable_ed448" = "xyes"; then as_fn_error $? "OpenSSL does not support ED448 and you used --enable-ed448." "$LINENO" 5
|
||||
fi
|
||||
fi
|
||||
|
||||
fi
|
||||
if test $use_ed448 = "yes"; then
|
||||
|
||||
cat >>confdefs.h <<_ACEOF
|
||||
#define USE_ED448 1
|
||||
_ACEOF
|
||||
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
|
||||
# Check whether --enable-event-api was given.
|
||||
if test "${enable_event_api+set}" = set; then :
|
||||
enableval=$enable_event_api;
|
||||
|
20
configure.ac
20
configure.ac
@ -993,6 +993,26 @@ case "$enable_ed25519" in
|
||||
;;
|
||||
esac
|
||||
|
||||
AC_ARG_ENABLE(ed448, AC_HELP_STRING([--disable-ed448], [Disable ED448 support]))
|
||||
use_ed448="no"
|
||||
case "$enable_ed448" in
|
||||
no)
|
||||
;;
|
||||
*)
|
||||
if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
|
||||
AC_CHECK_DECLS([NID_ED448], [
|
||||
use_ed448="yes"
|
||||
], [ if test "x$enable_ed448" = "xyes"; then AC_MSG_ERROR([OpenSSL does not support ED448 and you used --enable-ed448.])
|
||||
fi ], [AC_INCLUDES_DEFAULT
|
||||
#include <openssl/evp.h>
|
||||
])
|
||||
fi
|
||||
if test $use_ed448 = "yes"; then
|
||||
AC_DEFINE_UNQUOTED([USE_ED448], [1], [Define this to enable ED448 support.])
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
|
||||
AC_ARG_ENABLE(event-api, AC_HELP_STRING([--enable-event-api], [Enable (experimental) pluggable event base libunbound API installed to unbound-event.h]))
|
||||
case "$enable_event_api" in
|
||||
yes)
|
||||
|
@ -5,6 +5,7 @@
|
||||
- Fix unbound-control over pipe with openssl 1.1.1, the TLSv1.3
|
||||
tls_choose_sigalg routine does not allow the ciphers for the pipe,
|
||||
so use TLSv1.2.
|
||||
- ED448 support.
|
||||
|
||||
3 April 2018: Wouter
|
||||
- Fix #4043: make test fails due to v6 presentation issue in macOS.
|
||||
|
@ -89,6 +89,14 @@ sldns_rr_dnskey_key_size_raw(const unsigned char* keydata,
|
||||
return 256;
|
||||
case LDNS_ECDSAP384SHA384:
|
||||
return 384;
|
||||
#endif
|
||||
#ifdef USE_ED25519
|
||||
case LDNS_ED25519:
|
||||
return 256;
|
||||
#endif
|
||||
#ifdef USE_ED448
|
||||
case LDNS_ED448:
|
||||
return 456;
|
||||
#endif
|
||||
default:
|
||||
return 0;
|
||||
@ -409,6 +417,27 @@ sldns_ed255192pkey_raw(const unsigned char* key, size_t keylen)
|
||||
}
|
||||
#endif /* USE_ED25519 */
|
||||
|
||||
#ifdef USE_ED448
|
||||
EVP_PKEY*
|
||||
sldns_ed4482pkey_raw(const unsigned char* key, size_t keylen)
|
||||
{
|
||||
/* ASN1 for ED448 is 3043300506032b6571033a00 <57byteskey> */
|
||||
uint8_t pre[] = {0x30, 0x43, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65,
|
||||
0x71, 0x03, 0x3a, 0x00};
|
||||
int pre_len = 12;
|
||||
uint8_t buf[256];
|
||||
EVP_PKEY *evp_key;
|
||||
/* pp gets modified by d2i() */
|
||||
const unsigned char* pp = (unsigned char*)buf;
|
||||
if(keylen != 57 || keylen + pre_len > sizeof(buf))
|
||||
return NULL; /* wrong length */
|
||||
memmove(buf, pre, pre_len);
|
||||
memmove(buf+pre_len, key, keylen);
|
||||
evp_key = d2i_PUBKEY(NULL, &pp, (int)(pre_len+keylen));
|
||||
return evp_key;
|
||||
}
|
||||
#endif /* USE_ED448 */
|
||||
|
||||
int
|
||||
sldns_digest_evp(unsigned char* data, unsigned int len, unsigned char* dest,
|
||||
const EVP_MD* md)
|
||||
|
@ -101,6 +101,15 @@ RSA *sldns_key_buf2rsa_raw(unsigned char* key, size_t len);
|
||||
*/
|
||||
EVP_PKEY* sldns_ed255192pkey_raw(const unsigned char* key, size_t len);
|
||||
|
||||
/**
|
||||
* Converts a holding buffer with key material to EVP PKEY in openssl.
|
||||
* Only available if ldns was compiled with ED448.
|
||||
* \param[in] key the uncompressed wireformat of the key.
|
||||
* \param[in] len length of key data
|
||||
* \return the key or NULL on error.
|
||||
*/
|
||||
EVP_PKEY* sldns_ed4482pkey_raw(const unsigned char* key, size_t len);
|
||||
|
||||
/**
|
||||
* Utility function to calculate hash using generic EVP_MD pointer.
|
||||
* \param[in] data the data to hash.
|
||||
|
@ -548,6 +548,11 @@ verify_test(void)
|
||||
verifytest_file("testdata/test_sigs.ed25519", "20170530140439");
|
||||
}
|
||||
#endif
|
||||
#ifdef USE_ED448
|
||||
if(dnskey_algo_id_is_supported(LDNS_ED448)) {
|
||||
verifytest_file("testdata/test_sigs.ed448", "20180408143630");
|
||||
}
|
||||
#endif
|
||||
#ifdef USE_SHA1
|
||||
dstest_file("testdata/test_ds.sha1");
|
||||
#endif
|
||||
|
21
testdata/test_sigs.ed448
vendored
Normal file
21
testdata/test_sigs.ed448
vendored
Normal file
@ -0,0 +1,21 @@
|
||||
; Signature test file
|
||||
|
||||
; first entry is a DNSKEY answer, with the DNSKEY rrset used for verification.
|
||||
; later entries are verified with it.
|
||||
|
||||
ENTRY_BEGIN
|
||||
SECTION QUESTION
|
||||
example.com. IN DNSKEY
|
||||
SECTION ANSWER
|
||||
example.com. IN DNSKEY 256 3 16 zqUQUbOlkWR1cEGLAr/50aOgpFIwyT3juetr4fT9TRIOdEaXK3Pzv6AvA4iNViZ6RAMD2xctd1EA ;{id = 39998 (zsk), size = 456b}
|
||||
ENTRY_END
|
||||
|
||||
; entry to test
|
||||
ENTRY_BEGIN
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
SECTION ANSWER
|
||||
mail.example.com. 3600 IN A 1.2.3.5
|
||||
mail.example.com. 3600 IN RRSIG A 16 3 3600 20180503143630 20180405143630 39998 example.com. 5T6sjxQ2sB9Crcx8hNKDCteUVc0vNpz8slOa58acb4yLP7dBysp/6dVZwl9/gUN+CWUl6QpkcEMAFx2AcgjPhncYzRpeKCNuJBgBBQrb4Fz2Kvqf7r7H4Day6JrWQDvWcMXf8U9r0Eq06hoJ48M52CkA
|
||||
ENTRY_END
|
||||
|
@ -231,7 +231,10 @@ dnskey_algo_id_is_supported(int id)
|
||||
#ifdef USE_ED25519
|
||||
case LDNS_ED25519:
|
||||
#endif
|
||||
#if (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2)) || defined(USE_ECDSA)
|
||||
#ifdef USE_ED448
|
||||
case LDNS_ED448:
|
||||
#endif
|
||||
#if (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2)) || defined(USE_ECDSA) || defined(USE_ED25519) || defined(USE_ED448)
|
||||
return 1;
|
||||
#endif
|
||||
|
||||
@ -569,6 +572,17 @@ setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type,
|
||||
*digest_type = NULL;
|
||||
break;
|
||||
#endif /* USE_ED25519 */
|
||||
#ifdef USE_ED448
|
||||
case LDNS_ED448:
|
||||
*evp_key = sldns_ed4482pkey_raw(key, keylen);
|
||||
if(!*evp_key) {
|
||||
verbose(VERB_QUERY, "verify: "
|
||||
"sldns_ed4482pkey_raw failed");
|
||||
return 0;
|
||||
}
|
||||
*digest_type = NULL;
|
||||
break;
|
||||
#endif /* USE_ED448 */
|
||||
default:
|
||||
verbose(VERB_QUERY, "verify: unknown algorithm %d",
|
||||
algo);
|
||||
|
Loading…
Reference in New Issue
Block a user