mirror of
https://github.com/isc-projects/bind9.git
synced 2026-06-11 13:29:59 -04:00
Added Ed25519 support (#44696)
This commit is contained in:
Francis Dupont
parent
18e797e379
commit
b03f0672e1
38 changed files with 902 additions and 68 deletions
2
CHANGES
2
CHANGES
|
|
@ -1,3 +1,5 @@
|
|||
4665. [func] Add Ed25519 support (RFC 8080). [RT #25519]
|
||||
|
||||
4663. [cleanup] Clarify error message printed by dnssec-dsfromkey.
|
||||
[RT #21731]
|
||||
|
||||
|
|
|
|||
|
|
@ -60,7 +60,8 @@ int verbose;
|
|||
static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 |"
|
||||
" NSEC3DSA | NSEC3RSASHA1 |"
|
||||
" RSASHA256 | RSASHA512 | ECCGOST |"
|
||||
" ECDSAP256SHA256 | ECDSAP384SHA384";
|
||||
" ECDSAP256SHA256 | ECDSAP384SHA384 |"
|
||||
" ED25519 | ED448";
|
||||
|
||||
ISC_PLATFORM_NORETURN_PRE static void
|
||||
usage(void) ISC_PLATFORM_NORETURN_POST;
|
||||
|
|
@ -412,7 +413,8 @@ main(int argc, char **argv) {
|
|||
alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 &&
|
||||
alg != DST_ALG_RSASHA256 && alg != DST_ALG_RSASHA512 &&
|
||||
alg != DST_ALG_ECCGOST &&
|
||||
alg != DST_ALG_ECDSA256 && alg != DST_ALG_ECDSA384) {
|
||||
alg != DST_ALG_ECDSA256 && alg != DST_ALG_ECDSA384 &&
|
||||
alg != DST_ALG_ED25519 && alg != DST_ALG_ED448) {
|
||||
fatal("%s is incompatible with NSEC3; "
|
||||
"do not use the -3 option", algname);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -107,7 +107,7 @@
|
|||
Selects the cryptographic algorithm. The value of
|
||||
<option>algorithm</option> must be one of RSAMD5, RSASHA1,
|
||||
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
|
||||
ECDSAP256SHA256 or ECDSAP384SHA384.
|
||||
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
|
||||
These values are case insensitive.
|
||||
</para>
|
||||
<para>
|
||||
|
|
|
|||
|
|
@ -91,7 +91,8 @@ usage(void) {
|
|||
" | NSEC3DSA |\n");
|
||||
fprintf(stderr, " RSASHA256 | RSASHA512 | ECCGOST |\n");
|
||||
fprintf(stderr, " ECDSAP256SHA256 | ECDSAP384SHA384 |\n");
|
||||
fprintf(stderr, " DH | HMAC-MD5 | HMAC-SHA1 | HMAC-SHA224 | "
|
||||
fprintf(stderr, " ED25519 | ED448 | DH |\n");
|
||||
fprintf(stderr, " HMAC-MD5 | HMAC-SHA1 | HMAC-SHA224 | "
|
||||
"HMAC-SHA256 | \n");
|
||||
fprintf(stderr, " HMAC-SHA384 | HMAC-SHA512\n");
|
||||
fprintf(stderr, " (default: RSASHA1, or "
|
||||
|
|
@ -110,6 +111,8 @@ usage(void) {
|
|||
fprintf(stderr, " ECCGOST:\tignored\n");
|
||||
fprintf(stderr, " ECDSAP256SHA256:\tignored\n");
|
||||
fprintf(stderr, " ECDSAP384SHA384:\tignored\n");
|
||||
fprintf(stderr, " ED25519:\tignored\n");
|
||||
fprintf(stderr, " ED448:\tignored\n");
|
||||
fprintf(stderr, " HMAC-MD5:\t[1..512]\n");
|
||||
fprintf(stderr, " HMAC-SHA1:\t[1..160]\n");
|
||||
fprintf(stderr, " HMAC-SHA224:\t[1..224]\n");
|
||||
|
|
@ -581,7 +584,8 @@ main(int argc, char **argv) {
|
|||
alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 &&
|
||||
alg != DST_ALG_RSASHA256 && alg!= DST_ALG_RSASHA512 &&
|
||||
alg != DST_ALG_ECCGOST &&
|
||||
alg != DST_ALG_ECDSA256 && alg != DST_ALG_ECDSA384) {
|
||||
alg != DST_ALG_ECDSA256 && alg != DST_ALG_ECDSA384 &&
|
||||
alg != DST_ALG_ED25519 && alg != DST_ALG_ED448) {
|
||||
fatal("%s is incompatible with NSEC3; "
|
||||
"do not use the -3 option", algname);
|
||||
}
|
||||
|
|
@ -615,7 +619,9 @@ main(int argc, char **argv) {
|
|||
" to %d\n", size);
|
||||
} else if (alg != DST_ALG_ECCGOST &&
|
||||
alg != DST_ALG_ECDSA256 &&
|
||||
alg != DST_ALG_ECDSA384)
|
||||
alg != DST_ALG_ECDSA384 &&
|
||||
alg != DST_ALG_ED25519 &&
|
||||
alg != DST_ALG_ED448)
|
||||
fatal("key size not specified (-b option)");
|
||||
}
|
||||
|
||||
|
|
@ -752,6 +758,12 @@ main(int argc, char **argv) {
|
|||
case DST_ALG_ECDSA384:
|
||||
size = 384;
|
||||
break;
|
||||
case DST_ALG_ED25519:
|
||||
size = 256;
|
||||
break;
|
||||
case DST_ALG_ED448:
|
||||
size = 456;
|
||||
break;
|
||||
case DST_ALG_HMACMD5:
|
||||
options |= DST_TYPE_KEY;
|
||||
if (size < 1 || size > 512)
|
||||
|
|
@ -885,6 +897,8 @@ main(int argc, char **argv) {
|
|||
case DST_ALG_ECCGOST:
|
||||
case DST_ALG_ECDSA256:
|
||||
case DST_ALG_ECDSA384:
|
||||
case DST_ALG_ED25519:
|
||||
case DST_ALG_ED448:
|
||||
show_progress = ISC_TRUE;
|
||||
/* fall through */
|
||||
|
||||
|
|
|
|||
|
|
@ -122,7 +122,7 @@
|
|||
Selects the cryptographic algorithm. For DNSSEC keys, the value
|
||||
of <option>algorithm</option> must be one of RSAMD5, RSASHA1,
|
||||
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
|
||||
ECDSAP256SHA256 or ECDSAP384SHA384.
|
||||
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
|
||||
For TSIG/TKEY, the value must
|
||||
be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
|
||||
HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
|
||||
|
|
@ -194,8 +194,8 @@
|
|||
If this option is used and no algorithm is explicitly
|
||||
set on the command line, NSEC3RSASHA1 will be used by
|
||||
default. Note that RSASHA256, RSASHA512, ECCGOST,
|
||||
ECDSAP256SHA256 and ECDSAP384SHA384 algorithms
|
||||
are NSEC3-capable.
|
||||
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448
|
||||
algorithms are NSEC3-capable.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
|
|
|||
|
|
@ -73,6 +73,7 @@
|
|||
#define WANT_DH_PRIMES
|
||||
#define WANT_ECC_CURVES
|
||||
#include <pk11/constants.h>
|
||||
#include <pkcs11/eddsa.h>
|
||||
|
||||
#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
|
||||
#define getpassphrase(x) getpass(x)
|
||||
|
|
@ -82,13 +83,14 @@
|
|||
static CK_BBOOL truevalue = TRUE;
|
||||
static CK_BBOOL falsevalue = FALSE;
|
||||
|
||||
/* Key class: RSA, ECC, DSA, DH, or unknown */
|
||||
/* Key class: RSA, ECC, ECX, DSA, DH, or unknown */
|
||||
typedef enum {
|
||||
key_unknown,
|
||||
key_rsa,
|
||||
key_dsa,
|
||||
key_dh,
|
||||
key_ecc
|
||||
key_ecc,
|
||||
key_ecx
|
||||
} key_class_t;
|
||||
|
||||
/*
|
||||
|
|
@ -136,7 +138,7 @@ static CK_ATTRIBUTE rsa_template[] = {
|
|||
};
|
||||
|
||||
/*
|
||||
* Public key template for ECC keys
|
||||
* Public key template for ECC/ECX keys
|
||||
*/
|
||||
#define ECC_LABEL 0
|
||||
#define ECC_VERIFY 1
|
||||
|
|
@ -247,6 +249,9 @@ keyclass_fromtext(const char *name) {
|
|||
else if (strncasecmp(name, "ecc", 3) == 0 ||
|
||||
strncasecmp(name, "ecdsa", 5) == 0)
|
||||
return (key_ecc);
|
||||
else if (strncasecmp(name, "ecx", 3) == 0 ||
|
||||
strncasecmp(name, "ed", 2) == 0)
|
||||
return (key_ecx);
|
||||
else
|
||||
return (key_unknown);
|
||||
}
|
||||
|
|
@ -425,6 +430,39 @@ main(int argc, char *argv[]) {
|
|||
sizeof(pk11_ecc_secp384r1);
|
||||
}
|
||||
|
||||
break;
|
||||
case key_ecx:
|
||||
#ifndef CKM_EDDSA_KEY_PAIR_GEN
|
||||
fprintf(stderr, "CKM_EDDSA_KEY_PAIR_GEN is not defined\n");
|
||||
usage();
|
||||
#endif
|
||||
op_type = OP_EC;
|
||||
if (bits == 0)
|
||||
bits = 256;
|
||||
else if (bits != 256 && bits != 456) {
|
||||
fprintf(stderr, "ECX keys only support bit sizes of "
|
||||
"256 and 456\n");
|
||||
exit(2);
|
||||
}
|
||||
|
||||
mech.mechanism = CKM_EDDSA_KEY_PAIR_GEN;
|
||||
mech.pParameter = NULL;
|
||||
mech.ulParameterLen = 0;
|
||||
|
||||
public_template = ecc_template;
|
||||
public_attrcnt = ECC_ATTRS;
|
||||
id_offset = ECC_ID;
|
||||
|
||||
if (bits == 256) {
|
||||
public_template[4].pValue = pk11_ecc_ed25519;
|
||||
public_template[4].ulValueLen =
|
||||
sizeof(pk11_ecc_ed25519);
|
||||
} else {
|
||||
public_template[4].pValue = pk11_ecc_ed448;
|
||||
public_template[4].ulValueLen =
|
||||
sizeof(pk11_ecc_ed448);
|
||||
}
|
||||
|
||||
break;
|
||||
case key_dsa:
|
||||
op_type = OP_DSA;
|
||||
|
|
@ -570,7 +608,7 @@ main(int argc, char *argv[]) {
|
|||
private_template[5].pValue = &truevalue;
|
||||
}
|
||||
|
||||
if (keyclass == key_rsa || keyclass == key_ecc)
|
||||
if (keyclass == key_rsa || keyclass == key_ecc || keyclass == key_ecx)
|
||||
goto generate_keys;
|
||||
|
||||
/*
|
||||
|
|
|
|||
|
|
@ -79,11 +79,11 @@
|
|||
<listitem>
|
||||
<para>
|
||||
Specify the key algorithm class: Supported classes are RSA,
|
||||
DSA, DH, and ECC. In addition to these strings, the
|
||||
DSA, DH, ECC and ECX. In addition to these strings, the
|
||||
<option>algorithm</option> can be specified as a DNSSEC
|
||||
signing algorithm that will be used with this key; for
|
||||
example, NSEC3RSASHA1 maps to RSA, and ECDSAP256SHA256 maps
|
||||
to ECC. The default class is "RSA".
|
||||
example, NSEC3RSASHA1 maps to RSA, ECDSAP256SHA256 maps
|
||||
to ECC, and ED25519 to ECX. The default class is "RSA".
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
|
@ -94,7 +94,8 @@
|
|||
<para>
|
||||
Create the key pair with <option>keysize</option> bits of
|
||||
prime. For ECC keys, the only valid values are 256 and 384,
|
||||
and the default is 256.
|
||||
and the default is 256. For ECX kyes, the only valid values
|
||||
are 256 and 456, and the default is 256.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
|
|
|||
|
|
@ -38,7 +38,7 @@ class dnskey:
|
|||
_ALGNAMES = (None, 'RSAMD5', 'DH', 'DSA', 'ECC', 'RSASHA1',
|
||||
'NSEC3DSA', 'NSEC3RSASHA1', 'RSASHA256', None,
|
||||
'RSASHA512', None, 'ECCGOST', 'ECDSAP256SHA256',
|
||||
'ECDSAP384SHA384')
|
||||
'ECDSAP384SHA384', 'ED25519', 'ED448')
|
||||
|
||||
def __init__(self, key, directory=None, keyttl=None):
|
||||
# this makes it possible to use algname as a class or instance method
|
||||
|
|
|
|||
|
|
@ -77,7 +77,7 @@ SUBDIRS="acl additional allow_query addzone autosign builtin
|
|||
cacheclean case chain checkconf @CHECKDS@ checknames
|
||||
checkzone cookie @COVERAGE@ database delv digdelv dlv
|
||||
dlvauto dlz dlzexternal dlzredir dns64 dnssec dsdigest
|
||||
dscp ecdsa ednscompliance emptyzones fetchlimit filter-aaaa
|
||||
dscp ecdsa eddsa ednscompliance emptyzones fetchlimit filter-aaaa
|
||||
formerr forward geoip glue gost ixfr inline integrity
|
||||
legacy limits logfileconfig lwresd masterfile masterformat
|
||||
metadata notify nslookup nsupdate pending @PKCS11_TEST@
|
||||
|
|
|
|||
|
|
@ -69,6 +69,7 @@ MDIG=$TOP/Build/$VSCONF/mdig@EXEEXT@
|
|||
NZD2NZF=$TOP/Build/$VSCONF/named-nzd2nzf@EXEEXT@
|
||||
FSTRM_CAPTURE=@FSTRM_CAPTURE@
|
||||
FEATURETEST=$TOP/Build/$VSCONF/feature-test@EXEEXT@
|
||||
# to port WIRETEST=$TOP/Build/$VSCONF/wire_test@EXEEXT@
|
||||
|
||||
# this is given as argument to native WIN32 executables
|
||||
RANDFILE=`cygpath -w $TOP/bin/tests/system/random.data`
|
||||
|
|
@ -85,7 +86,7 @@ MAKEJOURNAL=$TOP/Build/$VSCONF/makejournal@EXEEXT@
|
|||
SUBDIRS="acl additional addzone allow_query autosign builtin cacheclean case
|
||||
catz checkconf @CHECKDS@ checknames checkzone cookie @COVERAGE@
|
||||
database digdelv dlv dlvauto dlz dlzexternal dname dns64 dnssec
|
||||
@DNSTAP@ dscp dsdigest dyndb ecdsa ednscompliance emptyzones
|
||||
@DNSTAP@ dscp dsdigest dyndb ecdsa eddsa ednscompliance emptyzones
|
||||
fetchlimit filter-aaaa formerr forward geoip glue gost inline ixfr
|
||||
@KEYMGR@ legacy limits logfileconfig lwresd masterfile masterformat
|
||||
metadata mkeys names notify nslookup nsupdate nzd2nzf pending
|
||||
|
|
|
|||
|
|
@ -50,3 +50,9 @@ zone "ecc.example." {
|
|||
file "ecc.example.db.signed";
|
||||
allow-update { any; };
|
||||
};
|
||||
|
||||
zone "ecx.example." {
|
||||
type master;
|
||||
file "ecx.example.db.signed";
|
||||
allow-update { any; };
|
||||
};
|
||||
|
|
|
|||
|
|
@ -18,18 +18,24 @@ SYSTEMTESTTOP=..
|
|||
. $SYSTEMTESTTOP/conf.sh
|
||||
|
||||
echo "I:(Native PKCS#11)" >&2
|
||||
rsafail=0 eccfail=0
|
||||
rsafail=0 eccfail=0 ecxfail=0
|
||||
|
||||
$SHELL ../testcrypto.sh -q rsa || rsafail=1
|
||||
$SHELL ../testcrypto.sh -q ecdsa || eccfail=1
|
||||
$SHELL ../testcrypto.sh -q eddsa || ecxfail=1
|
||||
|
||||
if [ $rsafail = 0 -a $eccfail = 0 ]; then
|
||||
echo both > supported
|
||||
elif [ $rsafail = 1 -a $eccfail = 1 ]; then
|
||||
if [ $rsafail = 1 -a $eccfail = 1 ]; then
|
||||
echo "I:This test requires PKCS#11 support for either RSA or ECDSA cryptography." >&2
|
||||
exit 255
|
||||
elif [ $rsafail = 0 ]; then
|
||||
echo rsaonly > supported
|
||||
else
|
||||
echo ecconly > supported
|
||||
fi
|
||||
rm -f supported
|
||||
touch supported
|
||||
if [ $rsafail = 0 ]; then
|
||||
echo rsa >> supported
|
||||
fi
|
||||
if [ $eccfail = 0 ]; then
|
||||
echo ecc >> supported
|
||||
fi
|
||||
if [ $ecxfail = 0 ]; then
|
||||
echo ecx >> supported
|
||||
fi
|
||||
|
|
|
|||
|
|
@ -22,11 +22,10 @@ infile=ns1/example.db.in
|
|||
/bin/echo -n ${HSMPIN:-1234}> pin
|
||||
PWD=`pwd`
|
||||
|
||||
supported=`cat supported`
|
||||
|
||||
zone=rsa.example
|
||||
zonefile=ns1/rsa.example.db
|
||||
if [ "$supported" != "ecconly" ]; then
|
||||
have_rsa=`grep rsa supported`
|
||||
if [ "x$have_rsa" != "x" ]; then
|
||||
$PK11GEN -a RSA -b 1024 -l robie-rsa-zsk1 -i 01
|
||||
$PK11GEN -a RSA -b 1024 -l robie-rsa-zsk2 -i 02
|
||||
$PK11GEN -a RSA -b 2048 -l robie-rsa-ksk
|
||||
|
|
@ -50,7 +49,8 @@ fi
|
|||
|
||||
zone=ecc.example
|
||||
zonefile=ns1/ecc.example.db
|
||||
if [ "$supported" != "rsaonly" ]; then
|
||||
have_ecc=`grep ecc supported`
|
||||
if [ "x$have_ecc" != "x" ]; then
|
||||
$PK11GEN -a ECC -b 256 -l robie-ecc-zsk1 -i 03
|
||||
$PK11GEN -a ECC -b 256 -l robie-ecc-zsk2 -i 04
|
||||
$PK11GEN -a ECC -b 384 -l robie-ecc-ksk
|
||||
|
|
@ -72,4 +72,32 @@ else
|
|||
cp $infile ${zonefile}.signed
|
||||
fi
|
||||
|
||||
zone=ecx.example
|
||||
zonefile=ns1/ecx.example.db
|
||||
have_ecx=`grep ecx supported`
|
||||
if [ "x$have_ecx" != "x" ]; then
|
||||
$PK11GEN -a ECX -b 256 -l robie-ecx-zsk1 -i 05
|
||||
$PK11GEN -a ECX -b 256 -l robie-ecx-zsk2 -i 06
|
||||
$PK11GEN -a ECX -b 256 -l robie-ecx-ksk
|
||||
# $PK11GEN -a ECX -b 456 -l robie-ecx-ksk
|
||||
|
||||
ecxzsk1=`$KEYFRLAB -a ED25519 \
|
||||
-l "object=robie-ecx-zsk1;pin-source=$PWD/pin" ecx.example`
|
||||
ecxzsk2=`$KEYFRLAB -a ED25519 \
|
||||
-l "object=robie-ecx-zsk2;pin-source=$PWD/pin" ecx.example`
|
||||
ecxksk=`$KEYFRLAB -a ED25519 -f ksk \
|
||||
-l "object=robie-ecx-ksk;pin-source=$PWD/pin" ecx.example`
|
||||
# ecxksk=`$KEYFRLAB -a ED448 -f ksk \
|
||||
# -l "object=robie-ecx-ksk;pin-source=$PWD/pin" ecx.example`
|
||||
|
||||
cat $infile $ecxzsk1.key $ecxksk.key > $zonefile
|
||||
$SIGNER -a -P -g -r $RANDFILE -o $zone $zonefile \
|
||||
> /dev/null 2> signer.err || cat signer.err
|
||||
cp $ecxzsk2.key ns1/ecx.key
|
||||
mv Kecx* ns1
|
||||
else
|
||||
# ECX not available and will not be tested; make a placeholder
|
||||
cp $infile ${zonefile}.signed
|
||||
fi
|
||||
|
||||
rm -f signer.err
|
||||
|
|
|
|||
|
|
@ -24,13 +24,19 @@ DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300"
|
|||
status=0
|
||||
ret=0
|
||||
|
||||
supported=`cat supported`
|
||||
case $supported in
|
||||
rsaonly) algs="rsa" ;;
|
||||
ecconly) algs="ecc" ;;
|
||||
both) algs="rsa ecc" ;;
|
||||
esac
|
||||
|
||||
algs=""
|
||||
have_rsa=`grep rsa supported`
|
||||
if [ "x$have_rsa" != "x" ]; then
|
||||
algs="rsa "
|
||||
fi
|
||||
have_ecc=`grep ecc supported`
|
||||
if [ "x$have_ecc" != "x" ]; then
|
||||
algs=$algs"ecc "
|
||||
fi
|
||||
have_ecx=`grep ecc supported`
|
||||
if [ "x$have_ecx" != "x" ]; then
|
||||
algs=$algs"ecx "
|
||||
fi
|
||||
|
||||
for alg in $algs; do
|
||||
zonefile=ns1/$alg.example.db
|
||||
|
|
@ -74,6 +80,7 @@ END
|
|||
case $alg in
|
||||
rsa) id=02 ;;
|
||||
ecc) id=04 ;;
|
||||
ecx) id=06 ;;
|
||||
esac
|
||||
$PK11DEL -i $id -w0 > /dev/null 2>&1 || ret=1
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
|
|
|
|||
|
|
@ -47,6 +47,11 @@ while test "$#" -gt 0; do
|
|||
msg1="ECDSA cryptography"
|
||||
msg2="--with-ecdsa"
|
||||
;;
|
||||
eddsa|EDDSA)
|
||||
alg="-a ED25519"
|
||||
msg1="EDDSA cryptography"
|
||||
msg2="--with-eddsa"
|
||||
;;
|
||||
*)
|
||||
echo "${prog}: unknown argument"
|
||||
exit 1
|
||||
|
|
|
|||
12
config.h.in
12
config.h.in
|
|
@ -372,6 +372,12 @@ int sigwait(const unsigned int *set, int *sig);
|
|||
/* Define if your OpenSSL version supports ECDSA. */
|
||||
#undef HAVE_OPENSSL_ECDSA
|
||||
|
||||
/* Define if your OpenSSL version supports Ed25519. */
|
||||
#undef HAVE_OPENSSL_ED25519
|
||||
|
||||
/* Define if your OpenSSL version supports Ed448. */
|
||||
#undef HAVE_OPENSSL_ED448
|
||||
|
||||
/* Define if your OpenSSL version supports EVP AES */
|
||||
#undef HAVE_OPENSSL_EVP_AES
|
||||
|
||||
|
|
@ -381,6 +387,12 @@ int sigwait(const unsigned int *set, int *sig);
|
|||
/* Define if your PKCS11 provider supports ECDSA. */
|
||||
#undef HAVE_PKCS11_ECDSA
|
||||
|
||||
/* Define if your PKCS11 provider supports Ed25519. */
|
||||
#undef HAVE_PKCS11_ED25519
|
||||
|
||||
/* Define if your PKCS11 provider supports Ed448. */
|
||||
#undef HAVE_PKCS11_ED448
|
||||
|
||||
/* Define if your PKCS11 provider supports GOST. */
|
||||
#undef HAVE_PKCS11_GOST
|
||||
|
||||
|
|
|
|||
|
|
@ -337,12 +337,24 @@ typedef __int64 off_t;
|
|||
/* Define if OpenSSL includes ECDSA support */
|
||||
@HAVE_OPENSSL_ECDSA@
|
||||
|
||||
/* Define if OpenSSL includes Ed25519 support */
|
||||
@HAVE_OPENSSL_ED25519@
|
||||
|
||||
/* Define if OpenSSL includes Ed448 support */
|
||||
@HAVE_OPENSSL_ED448@
|
||||
|
||||
/* Define if your OpenSSL version supports GOST. */
|
||||
@HAVE_OPENSSL_GOST@
|
||||
|
||||
/* Define if your PKCS11 provider supports ECDSA. */
|
||||
@HAVE_PKCS11_ECDSA@
|
||||
|
||||
/* Define if your PKCS11 provider supports Ed25519. */
|
||||
@HAVE_PKCS11_ED25519@
|
||||
|
||||
/* Define if your PKCS11 provider supports Ed448. */
|
||||
@HAVE_PKCS11_ED448@
|
||||
|
||||
/* Define if your PKCS11 provider supports GOST. */
|
||||
@HAVE_PKCS11_GOST@
|
||||
|
||||
|
|
|
|||
177
configure
vendored
177
configure
vendored
|
|
@ -814,6 +814,7 @@ MKDEPCC
|
|||
JSONSTATS
|
||||
XMLSTATS
|
||||
PKCS11_TEST
|
||||
PKCS11_ED25519
|
||||
PKCS11_GOST
|
||||
PKCS11_ECDSA
|
||||
CRYPTO
|
||||
|
|
@ -836,11 +837,14 @@ ISC_OPENSSL_INC
|
|||
ISC_PLATFORM_OPENSSLHASH
|
||||
ISC_PLATFORM_WANTAES
|
||||
OPENSSL_GOST
|
||||
OPENSSL_ED25519
|
||||
OPENSSL_ECDSA
|
||||
OPENSSLLINKSRCS
|
||||
OPENSSLLINKOBJS
|
||||
OPENSSLGOSTLINKSRCS
|
||||
OPENSSLGOSTLINKOBJS
|
||||
OPENSSLEDDSALINKSRCS
|
||||
OPENSSLEDDSALINKOBJS
|
||||
DST_OPENSSL_INC
|
||||
HAVE_SIT
|
||||
ISC_PLATFORM_USESIT
|
||||
|
|
@ -1009,6 +1013,7 @@ with_openssl
|
|||
with_pkcs11
|
||||
with_ecdsa
|
||||
with_gost
|
||||
with_eddsa
|
||||
with_aes
|
||||
enable_openssl_hash
|
||||
enable_sit
|
||||
|
|
@ -1738,6 +1743,7 @@ Optional Packages:
|
|||
(PATH is for the PKCS11 provider)
|
||||
--with-ecdsa Crypto ECDSA
|
||||
--with-gost Crypto GOST yes|no|raw|asn1.
|
||||
--with-eddsa Crypto EDDSA yes|all|no.
|
||||
--with-aes Crypto AES
|
||||
--with-sit-alg=ALG choose the algorithm for SIT [aes|sha1|sha256]
|
||||
--with-libxml2=PATH build with libxml2 library yes|no|path
|
||||
|
|
@ -15738,7 +15744,7 @@ fi
|
|||
|
||||
|
||||
#
|
||||
# were --with-ecdsa, --with-gost, --with-aes specified
|
||||
# were --with-ecdsa, --with-gost, --with-eddsa, --with-aes specified
|
||||
#
|
||||
|
||||
# Check whether --with-ecdsa was given.
|
||||
|
|
@ -15757,6 +15763,14 @@ else
|
|||
fi
|
||||
|
||||
|
||||
# Check whether --with-eddsa was given.
|
||||
if test "${with_eddsa+set}" = set; then :
|
||||
withval=$with_eddsa; with_eddsa="$withval"
|
||||
else
|
||||
with_eddsa="auto"
|
||||
fi
|
||||
|
||||
|
||||
# Check whether --with-aes was given.
|
||||
if test "${with_aes+set}" = set; then :
|
||||
withval=$with_aes; with_aes="$withval"
|
||||
|
|
@ -15874,6 +15888,7 @@ then
|
|||
fi
|
||||
OPENSSL_ECDSA=""
|
||||
OPENSSL_GOST=""
|
||||
OPENSSL_ED25519=""
|
||||
gosttype="raw"
|
||||
case "$with_gost" in
|
||||
raw)
|
||||
|
|
@ -15899,6 +15914,8 @@ case "$use_openssl" in
|
|||
$as_echo "disabled because of native PKCS11" >&6; }
|
||||
DST_OPENSSL_INC=""
|
||||
CRYPTO="-DPKCS11CRYPTO"
|
||||
OPENSSLEDDSALINKOBJS=""
|
||||
OPENSSLEDDSALINKSRS=""
|
||||
OPENSSLGOSTLINKOBJS=""
|
||||
OPENSSLGOSTLINKSRS=""
|
||||
OPENSSLLINKOBJS=""
|
||||
|
|
@ -15909,6 +15926,8 @@ $as_echo "disabled because of native PKCS11" >&6; }
|
|||
$as_echo "no" >&6; }
|
||||
DST_OPENSSL_INC=""
|
||||
CRYPTO=""
|
||||
OPENSSLEDDSALINKOBJS=""
|
||||
OPENSSLEDDSALINKSRS=""
|
||||
OPENSSLGOSTLINKOBJS=""
|
||||
OPENSSLGOSTLINKSRS=""
|
||||
OPENSSLLINKOBJS=""
|
||||
|
|
@ -15917,6 +15936,8 @@ $as_echo "no" >&6; }
|
|||
auto)
|
||||
DST_OPENSSL_INC=""
|
||||
CRYPTO=""
|
||||
OPENSSLEDDSALINKOBJS=""
|
||||
OPENSSLEDDSALINKSRS=""
|
||||
OPENSSLGOSTLINKOBJS=""
|
||||
OPENSSLGOSTLINKSRS=""
|
||||
OPENSSLLINKOBJS=""
|
||||
|
|
@ -16330,6 +16351,120 @@ $as_echo "#define HAVE_OPENSSL_GOST 1" >>confdefs.h
|
|||
;;
|
||||
esac
|
||||
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL Ed25519 support" >&5
|
||||
$as_echo_n "checking for OpenSSL Ed25519 support... " >&6; }
|
||||
have_ed25519=""
|
||||
have_ed448=""
|
||||
if test "$cross_compiling" = yes; then :
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: using --with-eddsa" >&5
|
||||
$as_echo "using --with-eddsa" >&6; }
|
||||
else
|
||||
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
|
||||
/* end confdefs.h. */
|
||||
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/objects.h>
|
||||
int main() {
|
||||
EVP_PKEY_CTX *ctx;
|
||||
|
||||
ctx = EVP_PKEY_CTX_new_id(NID_ED25519, NULL);
|
||||
if (ctx == NULL)
|
||||
return (2);
|
||||
return (0);
|
||||
}
|
||||
|
||||
_ACEOF
|
||||
if ac_fn_c_try_run "$LINENO"; then :
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
|
||||
$as_echo "yes" >&6; }
|
||||
have_ed25519="yes"
|
||||
else
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
|
||||
$as_echo "no" >&6; }
|
||||
have_ed25519="no"
|
||||
fi
|
||||
rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
|
||||
conftest.$ac_objext conftest.beam conftest.$ac_ext
|
||||
fi
|
||||
|
||||
case "$with_eddsa" in
|
||||
yes|all)
|
||||
case "$have_ed25519" in
|
||||
no) as_fn_error $? "eddsa not supported" "$LINENO" 5 ;;
|
||||
*) have_ed25519=yes ;;
|
||||
esac
|
||||
;;
|
||||
no)
|
||||
have_ed25519=no ;;
|
||||
*)
|
||||
case "$have_ed25519" in
|
||||
yes|no) ;;
|
||||
*) as_fn_error $? "need --with-eddsa=[yes, all or no]" "$LINENO" 5 ;;
|
||||
esac
|
||||
;;
|
||||
esac
|
||||
case $have_ed25519 in
|
||||
yes)
|
||||
OPENSSL_ED25519="yes"
|
||||
OPENSSLEDDSALINKOBJS='${OPENSSLEDDSALINKOBJS}'
|
||||
OPENSSLEDDSALINKSRCS='${OPENSSLEDDSALINKSRCS}'
|
||||
|
||||
$as_echo "#define HAVE_OPENSSL_ED25519 1" >>confdefs.h
|
||||
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL Ed448 support" >&5
|
||||
$as_echo_n "checking for OpenSSL Ed448 support... " >&6; }
|
||||
if test "$cross_compiling" = yes; then :
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: using --with-eddsa" >&5
|
||||
$as_echo "using --with-eddsa" >&6; }
|
||||
else
|
||||
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
|
||||
/* end confdefs.h. */
|
||||
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/objects.h>
|
||||
int main() {
|
||||
EVP_PKEY_CTX *ctx;
|
||||
|
||||
ctx = EVP_PKEY_CTX_new_id(NID_ED448, NULL);
|
||||
if (ctx == NULL)
|
||||
return (2);
|
||||
return (0);
|
||||
}
|
||||
|
||||
_ACEOF
|
||||
if ac_fn_c_try_run "$LINENO"; then :
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
|
||||
$as_echo "yes" >&6; }
|
||||
have_ed448="yes"
|
||||
else
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
|
||||
$as_echo "no" >&6; }
|
||||
have_ed448="no"
|
||||
fi
|
||||
rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
|
||||
conftest.$ac_objext conftest.beam conftest.$ac_ext
|
||||
fi
|
||||
|
||||
case $with_eddsa in
|
||||
all)
|
||||
have_ed448=yes ;;
|
||||
*)
|
||||
;;
|
||||
esac
|
||||
case $have_ed448 in
|
||||
yes)
|
||||
|
||||
$as_echo "#define HAVE_OPENSSL_ED448 1" >>confdefs.h
|
||||
],
|
||||
;;
|
||||
*)
|
||||
;;
|
||||
esac
|
||||
;;
|
||||
*)
|
||||
;;
|
||||
esac
|
||||
|
||||
have_aes="no"
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL AES support" >&5
|
||||
$as_echo_n "checking for OpenSSL AES support... " >&6; }
|
||||
|
|
@ -16422,6 +16557,9 @@ esac
|
|||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DST_OPENSSL_LIBS"
|
||||
|
||||
ISC_PLATFORM_WANTAES="#undef ISC_PLATFORM_WANTAES"
|
||||
|
|
@ -16691,6 +16829,7 @@ esac
|
|||
|
||||
PKCS11_ECDSA=""
|
||||
PKCS11_GOST=""
|
||||
PKCS11_ED25519=""
|
||||
set_pk11_flavor="no"
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for native PKCS11" >&5
|
||||
$as_echo_n "checking for native PKCS11... " >&6; }
|
||||
|
|
@ -16734,6 +16873,37 @@ $as_echo "#define HAVE_PKCS11_GOST 1" >>confdefs.h
|
|||
$as_echo "disabled" >&6; }
|
||||
;;
|
||||
esac
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for PKCS11 Ed25519" >&5
|
||||
$as_echo_n "checking for PKCS11 Ed25519... " >&6; }
|
||||
case "$with_eddsa" in
|
||||
yes|all)
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: enabled" >&5
|
||||
$as_echo "enabled" >&6; }
|
||||
PKCS11_ED25519="yes"
|
||||
|
||||
$as_echo "#define HAVE_PKCS11_ED25519 1" >>confdefs.h
|
||||
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for PKCS11 Ed448" >&5
|
||||
$as_echo_n "checking for PKCS11 Ed448... " >&6; }
|
||||
case "$with_eddsa" in
|
||||
all)
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: enabled" >&5
|
||||
$as_echo "enabled" >&6; }
|
||||
|
||||
$as_echo "#define HAVE_PKCS11_ED448 1" >>confdefs.h
|
||||
|
||||
;;
|
||||
*)
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5
|
||||
$as_echo "disabled" >&6; }
|
||||
;;
|
||||
esac
|
||||
;;
|
||||
*)
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5
|
||||
$as_echo "disabled" >&6; }
|
||||
;;
|
||||
esac
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for PKCS11 flavor" >&5
|
||||
$as_echo_n "checking for PKCS11 flavor... " >&6; }
|
||||
case "$PKCS11_PROVIDER" in
|
||||
|
|
@ -16794,6 +16964,7 @@ esac
|
|||
|
||||
|
||||
|
||||
|
||||
# for PKCS11 benchmarks
|
||||
|
||||
have_clock_gt=no
|
||||
|
|
@ -25137,6 +25308,8 @@ report() {
|
|||
fi
|
||||
test "yes" = "$OPENSSL_ECDSA" -o "$PKCS11_ECDSA" && \
|
||||
echo " ECDSA algorithm support (--with-ecdsa)"
|
||||
test "yes" = "$OPENSSL_ED25519" -o "$PKCS11_ED25519" && \
|
||||
echo " EDDSA algorithm support (--with-eddsa)"
|
||||
test "yes" = "$enable_fixed" && \
|
||||
echo " Allow 'fixed' rrset-order (--enable-fixed-rrset)"
|
||||
test "yes" = "$enable_filter" && \
|
||||
|
|
@ -25199,6 +25372,8 @@ report() {
|
|||
echo " GOST algorithm support (--with-gost)"
|
||||
test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ECDSA" -o "yes" = "$PKCS11_ECDSA" || \
|
||||
echo " ECDSA algorithm support (--with-ecdsa)"
|
||||
test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \
|
||||
echo " EDDSA algorithm support (--with-eddsa)"
|
||||
|
||||
test "yes" = "$enable_seccomp" || \
|
||||
echo " Use libseccomp system call filtering (--enable-seccomp)"
|
||||
|
|
|
|||
123
configure.in
123
configure.in
|
|
@ -1436,12 +1436,14 @@ AC_ARG_WITH(pkcs11,
|
|||
use_pkcs11="$withval", use_pkcs11="auto")
|
||||
|
||||
#
|
||||
# were --with-ecdsa, --with-gost, --with-aes specified
|
||||
# were --with-ecdsa, --with-gost, --with-eddsa, --with-aes specified
|
||||
#
|
||||
AC_ARG_WITH(ecdsa, [ --with-ecdsa Crypto ECDSA],
|
||||
with_ecdsa="$withval", with_ecdsa="auto")
|
||||
AC_ARG_WITH(gost, [ --with-gost Crypto GOST [yes|no|raw|asn1].],
|
||||
with_gost="$withval", with_gost="auto")
|
||||
AC_ARG_WITH(eddsa, [ --with-eddsa Crypto EDDSA [yes|all|no].],
|
||||
with_eddsa="$withval", with_eddsa="auto")
|
||||
AC_ARG_WITH(aes, [ --with-aes Crypto AES],
|
||||
with_aes="$withval", with_aes="checksit")
|
||||
|
||||
|
|
@ -1536,6 +1538,7 @@ then
|
|||
fi
|
||||
OPENSSL_ECDSA=""
|
||||
OPENSSL_GOST=""
|
||||
OPENSSL_ED25519=""
|
||||
gosttype="raw"
|
||||
case "$with_gost" in
|
||||
raw)
|
||||
|
|
@ -1559,6 +1562,8 @@ case "$use_openssl" in
|
|||
AC_MSG_RESULT(disabled because of native PKCS11)
|
||||
DST_OPENSSL_INC=""
|
||||
CRYPTO="-DPKCS11CRYPTO"
|
||||
OPENSSLEDDSALINKOBJS=""
|
||||
OPENSSLEDDSALINKSRS=""
|
||||
OPENSSLGOSTLINKOBJS=""
|
||||
OPENSSLGOSTLINKSRS=""
|
||||
OPENSSLLINKOBJS=""
|
||||
|
|
@ -1568,6 +1573,8 @@ case "$use_openssl" in
|
|||
AC_MSG_RESULT(no)
|
||||
DST_OPENSSL_INC=""
|
||||
CRYPTO=""
|
||||
OPENSSLEDDSALINKOBJS=""
|
||||
OPENSSLEDDSALINKSRS=""
|
||||
OPENSSLGOSTLINKOBJS=""
|
||||
OPENSSLGOSTLINKSRS=""
|
||||
OPENSSLLINKOBJS=""
|
||||
|
|
@ -1576,6 +1583,8 @@ case "$use_openssl" in
|
|||
auto)
|
||||
DST_OPENSSL_INC=""
|
||||
CRYPTO=""
|
||||
OPENSSLEDDSALINKOBJS=""
|
||||
OPENSSLEDDSALINKSRS=""
|
||||
OPENSSLGOSTLINKOBJS=""
|
||||
OPENSSLGOSTLINKSRS=""
|
||||
OPENSSLLINKOBJS=""
|
||||
|
|
@ -1875,6 +1884,86 @@ int main() {
|
|||
;;
|
||||
esac
|
||||
|
||||
AC_MSG_CHECKING(for OpenSSL Ed25519 support)
|
||||
have_ed25519=""
|
||||
have_ed448=""
|
||||
AC_TRY_RUN([
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/objects.h>
|
||||
int main() {
|
||||
EVP_PKEY_CTX *ctx;
|
||||
|
||||
ctx = EVP_PKEY_CTX_new_id(NID_ED25519, NULL);
|
||||
if (ctx == NULL)
|
||||
return (2);
|
||||
return (0);
|
||||
}
|
||||
],
|
||||
[AC_MSG_RESULT(yes)
|
||||
have_ed25519="yes"],
|
||||
[AC_MSG_RESULT(no)
|
||||
have_ed25519="no"],
|
||||
[AC_MSG_RESULT(using --with-eddsa)])
|
||||
case "$with_eddsa" in
|
||||
yes|all)
|
||||
case "$have_ed25519" in
|
||||
no) AC_MSG_ERROR([eddsa not supported]) ;;
|
||||
*) have_ed25519=yes ;;
|
||||
esac
|
||||
;;
|
||||
no)
|
||||
have_ed25519=no ;;
|
||||
*)
|
||||
case "$have_ed25519" in
|
||||
yes|no) ;;
|
||||
*) AC_MSG_ERROR([need --with-eddsa=[[yes, all or no]]]) ;;
|
||||
esac
|
||||
;;
|
||||
esac
|
||||
case $have_ed25519 in
|
||||
yes)
|
||||
OPENSSL_ED25519="yes"
|
||||
OPENSSLEDDSALINKOBJS='${OPENSSLEDDSALINKOBJS}'
|
||||
OPENSSLEDDSALINKSRCS='${OPENSSLEDDSALINKSRCS}'
|
||||
AC_DEFINE(HAVE_OPENSSL_ED25519, 1,
|
||||
[Define if your OpenSSL version supports Ed25519.])
|
||||
AC_MSG_CHECKING(for OpenSSL Ed448 support)
|
||||
AC_TRY_RUN([
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/objects.h>
|
||||
int main() {
|
||||
EVP_PKEY_CTX *ctx;
|
||||
|
||||
ctx = EVP_PKEY_CTX_new_id(NID_ED448, NULL);
|
||||
if (ctx == NULL)
|
||||
return (2);
|
||||
return (0);
|
||||
}
|
||||
],
|
||||
[AC_MSG_RESULT(yes)
|
||||
have_ed448="yes"],
|
||||
[AC_MSG_RESULT(no)
|
||||
have_ed448="no"],
|
||||
[AC_MSG_RESULT(using --with-eddsa)])
|
||||
case $with_eddsa in
|
||||
all)
|
||||
have_ed448=yes ;;
|
||||
*)
|
||||
;;
|
||||
esac
|
||||
case $have_ed448 in
|
||||
yes)
|
||||
AC_DEFINE(HAVE_OPENSSL_ED448, 1,
|
||||
[Define if your OpenSSL version supports Ed448.])],
|
||||
;;
|
||||
*)
|
||||
;;
|
||||
esac
|
||||
;;
|
||||
*)
|
||||
;;
|
||||
esac
|
||||
|
||||
have_aes="no"
|
||||
AC_MSG_CHECKING(for OpenSSL AES support)
|
||||
AC_TRY_RUN([
|
||||
|
|
@ -1937,11 +2026,14 @@ esac
|
|||
#
|
||||
|
||||
AC_SUBST(DST_OPENSSL_INC)
|
||||
AC_SUBST(OPENSSLEDDSALINKOBJS)
|
||||
AC_SUBST(OPENSSLEDDSALINKSRCS)
|
||||
AC_SUBST(OPENSSLGOSTLINKOBJS)
|
||||
AC_SUBST(OPENSSLGOSTLINKSRCS)
|
||||
AC_SUBST(OPENSSLLINKOBJS)
|
||||
AC_SUBST(OPENSSLLINKSRCS)
|
||||
AC_SUBST(OPENSSL_ECDSA)
|
||||
AC_SUBST(OPENSSL_ED25519)
|
||||
AC_SUBST(OPENSSL_GOST)
|
||||
|
||||
DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DST_OPENSSL_LIBS"
|
||||
|
|
@ -2175,6 +2267,7 @@ AC_SUBST(PKCS11_PROVIDER)
|
|||
|
||||
PKCS11_ECDSA=""
|
||||
PKCS11_GOST=""
|
||||
PKCS11_ED25519=""
|
||||
set_pk11_flavor="no"
|
||||
AC_MSG_CHECKING(for native PKCS11)
|
||||
|
||||
|
|
@ -2208,6 +2301,29 @@ case "$want_native_pkcs11" in
|
|||
AC_MSG_RESULT(disabled)
|
||||
;;
|
||||
esac
|
||||
AC_MSG_CHECKING(for PKCS11 Ed25519)
|
||||
case "$with_eddsa" in
|
||||
yes|all)
|
||||
AC_MSG_RESULT(enabled)
|
||||
PKCS11_ED25519="yes"
|
||||
AC_DEFINE(HAVE_PKCS11_ED25519, 1,
|
||||
[Define if your PKCS11 provider supports Ed25519.])
|
||||
AC_MSG_CHECKING(for PKCS11 Ed448)
|
||||
case "$with_eddsa" in
|
||||
all)
|
||||
AC_MSG_RESULT(enabled)
|
||||
AC_DEFINE(HAVE_PKCS11_ED448, 1,
|
||||
[Define if your PKCS11 provider supports Ed448.])
|
||||
;;
|
||||
*)
|
||||
AC_MSG_RESULT(disabled)
|
||||
;;
|
||||
esac
|
||||
;;
|
||||
*)
|
||||
AC_MSG_RESULT(disabled)
|
||||
;;
|
||||
esac
|
||||
AC_MSG_CHECKING(for PKCS11 flavor)
|
||||
case "$PKCS11_PROVIDER" in
|
||||
*nfast*)
|
||||
|
|
@ -2257,6 +2373,7 @@ AC_SUBST(PKCS11LINKSRCS)
|
|||
AC_SUBST(CRYPTO)
|
||||
AC_SUBST(PKCS11_ECDSA)
|
||||
AC_SUBST(PKCS11_GOST)
|
||||
AC_SUBST(PKCS11_ED25519)
|
||||
AC_SUBST(PKCS11_TEST)
|
||||
|
||||
# for PKCS11 benchmarks
|
||||
|
|
@ -5115,6 +5232,8 @@ report() {
|
|||
fi
|
||||
test "yes" = "$OPENSSL_ECDSA" -o "$PKCS11_ECDSA" && \
|
||||
echo " ECDSA algorithm support (--with-ecdsa)"
|
||||
test "yes" = "$OPENSSL_ED25519" -o "$PKCS11_ED25519" && \
|
||||
echo " EDDSA algorithm support (--with-eddsa)"
|
||||
test "yes" = "$enable_fixed" && \
|
||||
echo " Allow 'fixed' rrset-order (--enable-fixed-rrset)"
|
||||
test "yes" = "$enable_filter" && \
|
||||
|
|
@ -5177,6 +5296,8 @@ report() {
|
|||
echo " GOST algorithm support (--with-gost)"
|
||||
test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ECDSA" -o "yes" = "$PKCS11_ECDSA" || \
|
||||
echo " ECDSA algorithm support (--with-ecdsa)"
|
||||
test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \
|
||||
echo " EDDSA algorithm support (--with-eddsa)"
|
||||
|
||||
test "yes" = "$enable_seccomp" || \
|
||||
echo " Use libseccomp system call filtering (--enable-seccomp)"
|
||||
|
|
|
|||
|
|
@ -48,12 +48,14 @@ LIBS = @LIBS@
|
|||
# Alphabetically
|
||||
|
||||
OPENSSLGOSTLINKOBJS = opensslgost_link.@O@
|
||||
OPENSSLEDDSALINKOBJS = openssleddsa_link.@O@
|
||||
OPENSSLLINKOBJS = openssl_link.@O@ openssldh_link.@O@ openssldsa_link.@O@ \
|
||||
opensslecdsa_link.@O@ @OPENSSLGOSTLINKOBJS@ \
|
||||
opensslrsa_link.@O@
|
||||
opensslecdsa_link.@O@ @OPENSSLEDDSALINKOBJS@ \
|
||||
@OPENSSLGOSTLINKOBJS@ opensslrsa_link.@O@
|
||||
|
||||
PKCS11LINKOBJS = pkcs11dh_link.@O@ pkcs11dsa_link.@O@ pkcs11rsa_link.@O@ \
|
||||
pkcs11ecdsa_link.@O@ pkcs11gost_link.@O@ pkcs11.@O@
|
||||
pkcs11ecdsa_link.@O@ pkcs11eddsa_link.@O@ \
|
||||
pkcs11gost_link.@O@ pkcs11.@O@
|
||||
|
||||
DSTOBJS = @DST_EXTRA_OBJS@ @OPENSSLLINKOBJS@ @PKCS11LINKOBJS@ \
|
||||
dst_api.@O@ dst_lib.@O@ dst_parse.@O@ dst_result.@O@ \
|
||||
|
|
@ -87,11 +89,14 @@ OBJS= ${DNSOBJS} ${OTHEROBJS} ${DSTOBJS} ${PORTDNSOBJS} \
|
|||
|
||||
# Alphabetically
|
||||
OPENSSLGOSTLINKSRCS = opensslgost_link.c
|
||||
OPENSSLEDDDSALINKSRCS = openssleddsa_link.c
|
||||
OPENSSLLINKSRCS = openssl_link.c openssldh_link.c openssldsa_link.c \
|
||||
opensslecdsa_link.c @OPENSSLGOSTLINKSRCS@ opensslrsa_link.c
|
||||
opensslecdsa_link.c @OPENSSLEDDDSALINKSRCS@ \
|
||||
@OPENSSLGOSTLINKSRCS@ opensslrsa_link.c
|
||||
|
||||
PKCS11LINKSRCS = pkcs11dh_link.c pkcs11dsa_link.c pkcs11rsa_link.c \
|
||||
pkcs11ecdsa_link.c pkcs11gost_link.c pkcs11.c
|
||||
pkcs11ecdsa_link.c pkcs11eddsa_link.c \
|
||||
pkcs11gost_link.c pkcs11.c
|
||||
|
||||
DSTSRCS = @DST_EXTRA_SRCS@ @OPENSSLLINKSRCS@ @PKCS11LINKSRCS@ \
|
||||
dst_api.c dst_lib.c dst_parse.c \
|
||||
|
|
|
|||
|
|
@ -235,6 +235,12 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
|
|||
RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA256]));
|
||||
RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA384]));
|
||||
#endif
|
||||
#ifdef HAVE_OPENSSL_ED25519
|
||||
RETERR(dst__openssleddsa_init(&dst_t_func[DST_ALG_ED25519]));
|
||||
#endif
|
||||
#ifdef HAVE_OPENSSL_ED448
|
||||
RETERR(dst__openssleddsa_init(&dst_t_func[DST_ALG_ED448]));
|
||||
#endif
|
||||
#elif PKCS11CRYPTO
|
||||
RETERR(dst__pkcs11_init(mctx, engine));
|
||||
#ifndef PK11_MD5_DISABLE
|
||||
|
|
@ -255,6 +261,12 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
|
|||
RETERR(dst__pkcs11ecdsa_init(&dst_t_func[DST_ALG_ECDSA256]));
|
||||
RETERR(dst__pkcs11ecdsa_init(&dst_t_func[DST_ALG_ECDSA384]));
|
||||
#endif
|
||||
#ifdef HAVE_PKCS11_ED25519
|
||||
RETERR(dst__pkcs11eddsa_init(&dst_t_func[DST_ALG_ED25519]));
|
||||
#endif
|
||||
#ifdef HAVE_PKCS11_ED448
|
||||
RETERR(dst__pkcs11eddsa_init(&dst_t_func[DST_ALG_ED448]));
|
||||
#endif
|
||||
#ifdef HAVE_PKCS11_GOST
|
||||
RETERR(dst__pkcs11gost_init(&dst_t_func[DST_ALG_ECCGOST]));
|
||||
#endif
|
||||
|
|
@ -1266,6 +1278,12 @@ dst_key_sigsize(const dst_key_t *key, unsigned int *n) {
|
|||
case DST_ALG_ECDSA384:
|
||||
*n = DNS_SIG_ECDSA384SIZE;
|
||||
break;
|
||||
case DST_ALG_ED25519:
|
||||
*n = DNS_SIG_ED25519SIZE;
|
||||
break;
|
||||
case DST_ALG_ED448:
|
||||
*n = DNS_SIG_ED448SIZE;
|
||||
break;
|
||||
#ifndef PK11_MD5_DISABLE
|
||||
case DST_ALG_HMACMD5:
|
||||
*n = 16;
|
||||
|
|
@ -1608,6 +1626,8 @@ issymmetric(const dst_key_t *key) {
|
|||
case DST_ALG_ECCGOST:
|
||||
case DST_ALG_ECDSA256:
|
||||
case DST_ALG_ECDSA384:
|
||||
case DST_ALG_ED25519:
|
||||
case DST_ALG_ED448:
|
||||
return (ISC_FALSE);
|
||||
#ifndef PK11_MD5_DISABLE
|
||||
case DST_ALG_HMACMD5:
|
||||
|
|
@ -1894,7 +1914,8 @@ algorithm_status(unsigned int alg) {
|
|||
alg == DST_ALG_NSEC3RSASHA1 ||
|
||||
alg == DST_ALG_RSASHA256 || alg == DST_ALG_RSASHA512 ||
|
||||
alg == DST_ALG_ECCGOST ||
|
||||
alg == DST_ALG_ECDSA256 || alg == DST_ALG_ECDSA384)
|
||||
alg == DST_ALG_ECDSA256 || alg == DST_ALG_ECDSA384 ||
|
||||
alg == DST_ALG_ED25519 || alg == DST_ALG_ED448)
|
||||
return (DST_R_NOCRYPTO);
|
||||
#endif
|
||||
return (DST_R_UNSUPPORTEDALG);
|
||||
|
|
|
|||
|
|
@ -265,9 +265,15 @@ isc_result_t dst__gssapi_init(struct dst_func **funcp);
|
|||
#ifdef HAVE_OPENSSL_ECDSA
|
||||
isc_result_t dst__opensslecdsa_init(struct dst_func **funcp);
|
||||
#endif
|
||||
#if defined(HAVE_OPENSSL_ED25519) || defined(HAVE_OPENSSL_ED448)
|
||||
isc_result_t dst__openssleddsa_init(struct dst_func **funcp);
|
||||
#endif
|
||||
#ifdef HAVE_PKCS11_ECDSA
|
||||
isc_result_t dst__pkcs11ecdsa_init(struct dst_func **funcp);
|
||||
#endif
|
||||
#if defined(HAVE_PKCS11_ED25519) || defined(HAVE_PKCS11_ED448)
|
||||
isc_result_t dst__pkcs11eddsa_init(struct dst_func **funcp);
|
||||
#endif
|
||||
#ifdef HAVE_OPENSSL_GOST
|
||||
isc_result_t dst__opensslgost_init(struct dst_func **funcp);
|
||||
#endif
|
||||
|
|
|
|||
|
|
@ -119,6 +119,10 @@ static struct parse_map map[] = {
|
|||
{TAG_ECDSA_ENGINE, "Engine:" },
|
||||
{TAG_ECDSA_LABEL, "Label:" },
|
||||
|
||||
{TAG_EDDSA_PRIVATEKEY, "PrivateKey:"},
|
||||
{TAG_EDDSA_ENGINE, "Engine:" },
|
||||
{TAG_EDDSA_LABEL, "Label:" },
|
||||
|
||||
#ifndef PK11_MD5_DISABLE
|
||||
{TAG_HMACMD5_KEY, "Key:"},
|
||||
{TAG_HMACMD5_BITS, "Bits:"},
|
||||
|
|
@ -315,6 +319,38 @@ check_ecdsa(const dst_private_t *priv, isc_boolean_t external) {
|
|||
return (ok ? 0 : -1 );
|
||||
}
|
||||
|
||||
static int
|
||||
check_eddsa(const dst_private_t *priv, isc_boolean_t external) {
|
||||
int i, j;
|
||||
isc_boolean_t have[EDDSA_NTAGS];
|
||||
isc_boolean_t ok;
|
||||
unsigned int mask;
|
||||
|
||||
if (external)
|
||||
return ((priv->nelements == 0) ? 0 : -1);
|
||||
|
||||
for (i = 0; i < EDDSA_NTAGS; i++)
|
||||
have[i] = ISC_FALSE;
|
||||
for (j = 0; j < priv->nelements; j++) {
|
||||
for (i = 0; i < EDDSA_NTAGS; i++)
|
||||
if (priv->elements[j].tag == TAG(DST_ALG_ED25519, i))
|
||||
break;
|
||||
if (i == EDDSA_NTAGS)
|
||||
return (-1);
|
||||
have[i] = ISC_TRUE;
|
||||
}
|
||||
|
||||
mask = ~0;
|
||||
mask <<= sizeof(mask) * 8 - TAG_SHIFT;
|
||||
mask >>= sizeof(mask) * 8 - TAG_SHIFT;
|
||||
|
||||
if (have[TAG_EDDSA_ENGINE & mask])
|
||||
ok = have[TAG_EDDSA_LABEL & mask];
|
||||
else
|
||||
ok = have[TAG_EDDSA_PRIVATEKEY & mask];
|
||||
return (ok ? 0 : -1 );
|
||||
}
|
||||
|
||||
#ifndef PK11_MD5_DISABLE
|
||||
static int
|
||||
check_hmac_md5(const dst_private_t *priv, isc_boolean_t old) {
|
||||
|
|
@ -392,6 +428,9 @@ check_data(const dst_private_t *priv, const unsigned int alg,
|
|||
case DST_ALG_ECDSA256:
|
||||
case DST_ALG_ECDSA384:
|
||||
return (check_ecdsa(priv, external));
|
||||
case DST_ALG_ED25519:
|
||||
case DST_ALG_ED448:
|
||||
return (check_eddsa(priv, external));
|
||||
#ifndef PK11_MD5_DISABLE
|
||||
case DST_ALG_HMACMD5:
|
||||
return (check_hmac_md5(priv, old));
|
||||
|
|
@ -743,6 +782,12 @@ dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
|
|||
case DST_ALG_ECDSA384:
|
||||
fprintf(fp, "(ECDSAP384SHA384)\n");
|
||||
break;
|
||||
case DST_ALG_ED25519:
|
||||
fprintf(fp, "(ED25519)\n");
|
||||
break;
|
||||
case DST_ALG_ED448:
|
||||
fprintf(fp, "(ED448)\n");
|
||||
break;
|
||||
case DST_ALG_HMACMD5:
|
||||
fprintf(fp, "(HMAC_MD5)\n");
|
||||
break;
|
||||
|
|
|
|||
|
|
@ -86,6 +86,11 @@
|
|||
#define TAG_ECDSA_ENGINE ((DST_ALG_ECDSA256 << TAG_SHIFT) + 1)
|
||||
#define TAG_ECDSA_LABEL ((DST_ALG_ECDSA256 << TAG_SHIFT) + 2)
|
||||
|
||||
#define EDDSA_NTAGS 4
|
||||
#define TAG_EDDSA_PRIVATEKEY ((DST_ALG_ED25519 << TAG_SHIFT) + 0)
|
||||
#define TAG_EDDSA_ENGINE ((DST_ALG_ED25519 << TAG_SHIFT) + 1)
|
||||
#define TAG_EDDSA_LABEL ((DST_ALG_ED25519 << TAG_SHIFT) + 2)
|
||||
|
||||
#define OLD_HMACMD5_NTAGS 1
|
||||
#define HMACMD5_NTAGS 2
|
||||
#define TAG_HMACMD5_KEY ((DST_ALG_HMACMD5 << TAG_SHIFT) + 0)
|
||||
|
|
|
|||
|
|
@ -73,6 +73,8 @@
|
|||
#define DNS_KEYALG_ECCGOST 12
|
||||
#define DNS_KEYALG_ECDSA256 13
|
||||
#define DNS_KEYALG_ECDSA384 14
|
||||
#define DNS_KEYALG_ED25519 15
|
||||
#define DNS_KEYALG_ED448 16
|
||||
#define DNS_KEYALG_INDIRECT 252
|
||||
#define DNS_KEYALG_PRIVATEDNS 253
|
||||
#define DNS_KEYALG_PRIVATEOID 254 /*%< Key begins with OID giving alg */
|
||||
|
|
@ -109,4 +111,10 @@
|
|||
#define DNS_KEY_ECDSA256SIZE 64
|
||||
#define DNS_KEY_ECDSA384SIZE 96
|
||||
|
||||
#define DNS_SIG_ED25519SIZE 64
|
||||
#define DNS_SIG_ED448SIZE 114
|
||||
|
||||
#define DNS_KEY_ED25519SIZE 32
|
||||
#define DNS_KEY_ED448SIZE 57
|
||||
|
||||
#endif /* DNS_KEYVALUES_H */
|
||||
|
|
|
|||
|
|
@ -64,6 +64,8 @@ typedef struct dst_context dst_context_t;
|
|||
#define DST_ALG_ECCGOST 12
|
||||
#define DST_ALG_ECDSA256 13
|
||||
#define DST_ALG_ECDSA384 14
|
||||
#define DST_ALG_ED25519 15
|
||||
#define DST_ALG_ED448 16
|
||||
#define DST_ALG_HMACMD5 157
|
||||
#define DST_ALG_GSSAPI 160
|
||||
#define DST_ALG_HMACSHA1 161 /* XXXMPA */
|
||||
|
|
|
|||
|
|
@ -141,6 +141,8 @@
|
|||
{ DNS_KEYALG_ECCGOST, "ECCGOST", 0 }, \
|
||||
{ DNS_KEYALG_ECDSA256, "ECDSAP256SHA256", 0 }, \
|
||||
{ DNS_KEYALG_ECDSA384, "ECDSAP384SHA384", 0 }, \
|
||||
{ DNS_KEYALG_ED25519, "ED25519", 0 }, \
|
||||
{ DNS_KEYALG_ED448, "ED448", 0 }, \
|
||||
{ DNS_KEYALG_INDIRECT, "INDIRECT", 0 }, \
|
||||
{ DNS_KEYALG_PRIVATEDNS, "PRIVATEDNS", 0 }, \
|
||||
{ DNS_KEYALG_PRIVATEOID, "PRIVATEOID", 0 }, \
|
||||
|
|
|
|||
|
|
@ -843,6 +843,10 @@ SOURCE=..\opensslecdsa_link.c
|
|||
# End Source File
|
||||
# Begin Source File
|
||||
|
||||
SOURCE=..\openssleddsa_link.c
|
||||
# End Source File
|
||||
# Begin Source File
|
||||
|
||||
SOURCE=..\opensslgost_link.c
|
||||
# End Source File
|
||||
# Begin Source File
|
||||
|
|
@ -869,6 +873,10 @@ SOURCE=..\pkcs11ecdsa_link.c
|
|||
# End Source File
|
||||
# Begin Source File
|
||||
|
||||
SOURCE=..\pkcs11eddsa_link.c
|
||||
# End Source File
|
||||
# Begin Source File
|
||||
|
||||
SOURCE=..\pkcs11gost_link.c
|
||||
# End Source File
|
||||
# Begin Source File
|
||||
|
|
|
|||
|
|
@ -171,6 +171,7 @@ CLEAN :
|
|||
-@erase "$(INTDIR)\openssldh_link.obj"
|
||||
-@erase "$(INTDIR)\openssldsa_link.obj"
|
||||
-@erase "$(INTDIR)\opensslecdsa_link.obj"
|
||||
-@erase "$(INTDIR)\openssleddsa_link.obj"
|
||||
-@erase "$(INTDIR)\opensslgost_link.obj"
|
||||
-@erase "$(INTDIR)\opensslrsa_link.obj"
|
||||
@END OPENSSL
|
||||
|
|
@ -181,6 +182,7 @@ CLEAN :
|
|||
-@erase "$(INTDIR)\pkcs11dh_link.obj"
|
||||
-@erase "$(INTDIR)\pkcs11dsa_link.obj"
|
||||
-@erase "$(INTDIR)\pkcs11ecdsa_link.obj"
|
||||
-@erase "$(INTDIR)\pkcs11eddsa_link.obj"
|
||||
-@erase "$(INTDIR)\pkcs11gost_link.obj"
|
||||
-@erase "$(INTDIR)\pkcs11rsa_link.obj"
|
||||
@END PKCS11
|
||||
|
|
@ -370,6 +372,7 @@ LINK32_OBJS= \
|
|||
"$(INTDIR)\openssldh_link.obj" \
|
||||
"$(INTDIR)\openssldsa_link.obj" \
|
||||
"$(INTDIR)\opensslecdsa_link.obj" \
|
||||
"$(INTDIR)\openssleddsa_link.obj" \
|
||||
"$(INTDIR)\opensslgost_link.obj" \
|
||||
"$(INTDIR)\opensslrsa_link.obj" \
|
||||
@END OPENSSL
|
||||
|
|
@ -378,6 +381,7 @@ LINK32_OBJS= \
|
|||
"$(INTDIR)\pkcs11dh_link.obj" \
|
||||
"$(INTDIR)\pkcs11dsa_link.obj" \
|
||||
"$(INTDIR)\pkcs11ecdsa_link.obj" \
|
||||
"$(INTDIR)\pkcs11eddsa_link.obj" \
|
||||
"$(INTDIR)\pkcs11gost_link.obj" \
|
||||
"$(INTDIR)\pkcs11rsa_link.obj" \
|
||||
@END PKCS11
|
||||
|
|
@ -513,6 +517,8 @@ CLEAN :
|
|||
-@erase "$(INTDIR)\openssldsa_link.sbr"
|
||||
-@erase "$(INTDIR)\opensslecdsa_link.obj"
|
||||
-@erase "$(INTDIR)\opensslecdsa_link.sbr"
|
||||
-@erase "$(INTDIR)\openssleddsa_link.obj"
|
||||
-@erase "$(INTDIR)\openssleddsa_link.sbr"
|
||||
-@erase "$(INTDIR)\opensslgost_link.obj"
|
||||
-@erase "$(INTDIR)\opensslgost_link.sbr"
|
||||
-@erase "$(INTDIR)\opensslrsa_link.obj"
|
||||
|
|
@ -531,6 +537,8 @@ CLEAN :
|
|||
-@erase "$(INTDIR)\pkcs11dsa_link.sbr"
|
||||
-@erase "$(INTDIR)\pkcs11ecdsa_link.obj"
|
||||
-@erase "$(INTDIR)\pkcs11ecdsa_link.sbr"
|
||||
-@erase "$(INTDIR)\pkcs11eddsa_link.obj"
|
||||
-@erase "$(INTDIR)\pkcs11eddsa_link.sbr"
|
||||
-@erase "$(INTDIR)\pkcs11gost_link.obj"
|
||||
-@erase "$(INTDIR)\pkcs11gost_link.sbr"
|
||||
-@erase "$(INTDIR)\pkcs11rsa_link.obj"
|
||||
|
|
@ -760,6 +768,7 @@ BSC32_SBRS= \
|
|||
"$(INTDIR)\openssldh_link.sbr" \
|
||||
"$(INTDIR)\openssldsa_link.sbr" \
|
||||
"$(INTDIR)\opensslecdsa_link.sbr" \
|
||||
"$(INTDIR)\openssleddsa_link.sbr" \
|
||||
"$(INTDIR)\opensslgost_link.sbr" \
|
||||
"$(INTDIR)\opensslrsa_link.sbr" \
|
||||
@END OPENSSL
|
||||
|
|
@ -768,6 +777,7 @@ BSC32_SBRS= \
|
|||
"$(INTDIR)\pkcs11dh_link.sbr" \
|
||||
"$(INTDIR)\pkcs11dsa_link.sbr" \
|
||||
"$(INTDIR)\pkcs11ecdsa_link.sbr" \
|
||||
"$(INTDIR)\pkcs11eddsa_link.sbr" \
|
||||
"$(INTDIR)\pkcs11gost_link.sbr" \
|
||||
"$(INTDIR)\pkcs11rsa_link.sbr"
|
||||
@END PKCS11
|
||||
|
|
@ -875,6 +885,7 @@ LINK32_OBJS= \
|
|||
"$(INTDIR)\openssldh_link.obj" \
|
||||
"$(INTDIR)\openssldsa_link.obj" \
|
||||
"$(INTDIR)\opensslecdsa_link.obj" \
|
||||
"$(INTDIR)\openssleddsa_link.obj" \
|
||||
"$(INTDIR)\opensslgost_link.obj" \
|
||||
"$(INTDIR)\opensslrsa_link.obj" \
|
||||
@END OPENSSL
|
||||
|
|
@ -883,6 +894,7 @@ LINK32_OBJS= \
|
|||
"$(INTDIR)\pkcs11dh_link.obj" \
|
||||
"$(INTDIR)\pkcs11dsa_link.obj" \
|
||||
"$(INTDIR)\pkcs11ecdsa_link.obj" \
|
||||
"$(INTDIR)\pkcs11eddsa_link.obj" \
|
||||
"$(INTDIR)\pkcs11gost_link.obj" \
|
||||
"$(INTDIR)\pkcs11rsa_link.obj" \
|
||||
@END PKCS11
|
||||
|
|
@ -2530,6 +2542,24 @@ SOURCE=..\opensslecdsa_link.c
|
|||
$(CPP) $(CPP_PROJ) $(SOURCE)
|
||||
|
||||
|
||||
!ENDIF
|
||||
|
||||
SOURCE=..\openssleddsa_link.c
|
||||
|
||||
!IF "$(CFG)" == "libdns - @PLATFORM@ Release"
|
||||
|
||||
|
||||
"$(INTDIR)\openssleddsa_link.obj" : $(SOURCE) "$(INTDIR)"
|
||||
$(CPP) $(CPP_PROJ) $(SOURCE)
|
||||
|
||||
|
||||
!ELSEIF "$(CFG)" == "libdns - @PLATFORM@ Debug"
|
||||
|
||||
|
||||
"$(INTDIR)\openssleddsa_link.obj" "$(INTDIR)\openssleddsa_link.sbr" : $(SOURCE) "$(INTDIR)"
|
||||
$(CPP) $(CPP_PROJ) $(SOURCE)
|
||||
|
||||
|
||||
!ENDIF
|
||||
|
||||
SOURCE=..\opensslgost_link.c
|
||||
|
|
@ -2640,6 +2670,24 @@ SOURCE=..\pkcs11ecdsa_link.c
|
|||
$(CPP) $(CPP_PROJ) $(SOURCE)
|
||||
|
||||
|
||||
!ENDIF
|
||||
|
||||
SOURCE=..\pkcs11eddsa_link.c
|
||||
|
||||
!IF "$(CFG)" == "libdns - @PLATFORM@ Release"
|
||||
|
||||
|
||||
"$(INTDIR)\pkcs11eddsa_link.obj" : $(SOURCE) "$(INTDIR)"
|
||||
$(CPP) $(CPP_PROJ) $(SOURCE)
|
||||
|
||||
|
||||
!ELSEIF "$(CFG)" == "libdns - @PLATFORM@ Debug"
|
||||
|
||||
|
||||
"$(INTDIR)\pkcs11eddsa_link.obj" "$(INTDIR)\pkcs11eddsa_link.sbr" : $(SOURCE) "$(INTDIR)"
|
||||
$(CPP) $(CPP_PROJ) $(SOURCE)
|
||||
|
||||
|
||||
!ENDIF
|
||||
|
||||
SOURCE=..\pkcs11gost_link.c
|
||||
|
|
|
|||
|
|
@ -294,6 +294,9 @@
|
|||
<ClCompile Include="..\opensslecdsa_link.c">
|
||||
<Filter>Dst Source Files</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="..\openssleddsa_link.c">
|
||||
<Filter>Dst Source Files</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="..\opensslgost_link.c">
|
||||
<Filter>Dst Source Files</Filter>
|
||||
</ClCompile>
|
||||
|
|
@ -314,6 +317,9 @@
|
|||
<ClCompile Include="..\pkcs11ecdsa_link.c">
|
||||
<Filter>Dst Source Files</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="..\pkcs11eddsa_link.c">
|
||||
<Filter>Dst Source Files</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="..\pkcs11gost_link.c">
|
||||
<Filter>Dst Source Files</Filter>
|
||||
</ClCompile>
|
||||
|
|
|
|||
|
|
@ -158,6 +158,7 @@
|
|||
<ClCompile Include="..\openssldh_link.c" />
|
||||
<ClCompile Include="..\openssldsa_link.c" />
|
||||
<ClCompile Include="..\opensslecdsa_link.c" />
|
||||
<ClCompile Include="..\openssleddsa_link.c" />
|
||||
<ClCompile Include="..\opensslgost_link.c" />
|
||||
<ClCompile Include="..\opensslrsa_link.c" />
|
||||
<ClCompile Include="..\openssl_link.c" />
|
||||
|
|
@ -169,6 +170,7 @@
|
|||
<ClCompile Include="..\pkcs11dh_link.c" />
|
||||
<ClCompile Include="..\pkcs11dsa_link.c" />
|
||||
<ClCompile Include="..\pkcs11ecdsa_link.c" />
|
||||
<ClCompile Include="..\pkcs11eddsa_link.c" />
|
||||
<ClCompile Include="..\pkcs11gost_link.c" />
|
||||
<ClCompile Include="..\pkcs11rsa_link.c" />
|
||||
@END PKCS11
|
||||
|
|
|
|||
|
|
@ -104,8 +104,19 @@ isc_hmacmd5_init(isc_hmacmd5_t *ctx, const unsigned char *key,
|
|||
{ CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
|
||||
{ CKA_VALUE, NULL, (CK_ULONG) len }
|
||||
};
|
||||
#ifdef PK11_PAD_HMAC_KEYS
|
||||
CK_BYTE keypad[ISC_MD5_DIGESTLENGTH];
|
||||
|
||||
if (len < ISC_MD5_DIGESTLENGTH) {
|
||||
memset(keypad, 0, ISC_MD5_DIGESTLENGTH);
|
||||
memmove(keypad, key, len);
|
||||
keyTemplate[5].pValue = keypad;
|
||||
keyTemplate[5].ulValueLen = ISC_MD5_DIGESTLENGTH;
|
||||
} else
|
||||
DE_CONST(key, keyTemplate[5].pValue);
|
||||
#else
|
||||
DE_CONST(key, keyTemplate[5].pValue);
|
||||
#endif
|
||||
RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE,
|
||||
ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
|
||||
ctx->object = CK_INVALID_HANDLE;
|
||||
|
|
|
|||
|
|
@ -273,8 +273,19 @@ isc_hmacsha1_init(isc_hmacsha1_t *ctx, const unsigned char *key,
|
|||
{ CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
|
||||
{ CKA_VALUE, NULL, (CK_ULONG) len }
|
||||
};
|
||||
#ifdef PK11_PAD_HMAC_KEYS
|
||||
CK_BYTE keypad[ISC_SHA1_DIGESTLENGTH];
|
||||
|
||||
if (len < ISC_SHA1_DIGESTLENGTH) {
|
||||
memset(keypad, 0, ISC_SHA1_DIGESTLENGTH);
|
||||
memmove(keypad, key, len);
|
||||
keyTemplate[5].pValue = keypad;
|
||||
keyTemplate[5].ulValueLen = ISC_SHA1_DIGESTLENGTH;
|
||||
} else
|
||||
DE_CONST(key, keyTemplate[5].pValue);
|
||||
#else
|
||||
DE_CONST(key, keyTemplate[5].pValue);
|
||||
#endif
|
||||
RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE,
|
||||
ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
|
||||
ctx->object = CK_INVALID_HANDLE;
|
||||
|
|
@ -432,8 +443,19 @@ isc_hmacsha224_init(isc_hmacsha224_t *ctx, const unsigned char *key,
|
|||
{ CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
|
||||
{ CKA_VALUE, NULL, (CK_ULONG) len }
|
||||
};
|
||||
#ifdef PK11_PAD_HMAC_KEYS
|
||||
CK_BYTE keypad[ISC_SHA224_DIGESTLENGTH];
|
||||
|
||||
if (len < ISC_SHA224_DIGESTLENGTH) {
|
||||
memset(keypad, 0, ISC_SHA224_DIGESTLENGTH);
|
||||
memmove(keypad, key, len);
|
||||
keyTemplate[5].pValue = keypad;
|
||||
keyTemplate[5].ulValueLen = ISC_SHA224_DIGESTLENGTH;
|
||||
} else
|
||||
DE_CONST(key, keyTemplate[5].pValue);
|
||||
#else
|
||||
DE_CONST(key, keyTemplate[5].pValue);
|
||||
#endif
|
||||
RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE,
|
||||
ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
|
||||
ctx->object = CK_INVALID_HANDLE;
|
||||
|
|
@ -591,8 +613,19 @@ isc_hmacsha256_init(isc_hmacsha256_t *ctx, const unsigned char *key,
|
|||
{ CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
|
||||
{ CKA_VALUE, NULL, (CK_ULONG) len }
|
||||
};
|
||||
#ifdef PK11_PAD_HMAC_KEYS
|
||||
CK_BYTE keypad[ISC_SHA256_DIGESTLENGTH];
|
||||
|
||||
if (len < ISC_SHA256_DIGESTLENGTH) {
|
||||
memset(keypad, 0, ISC_SHA256_DIGESTLENGTH);
|
||||
memmove(keypad, key, len);
|
||||
keyTemplate[5].pValue = keypad;
|
||||
keyTemplate[5].ulValueLen = ISC_SHA256_DIGESTLENGTH;
|
||||
} else
|
||||
DE_CONST(key, keyTemplate[5].pValue);
|
||||
#else
|
||||
DE_CONST(key, keyTemplate[5].pValue);
|
||||
#endif
|
||||
RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE,
|
||||
ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
|
||||
ctx->object = CK_INVALID_HANDLE;
|
||||
|
|
@ -750,8 +783,19 @@ isc_hmacsha384_init(isc_hmacsha384_t *ctx, const unsigned char *key,
|
|||
{ CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
|
||||
{ CKA_VALUE, NULL, (CK_ULONG) len }
|
||||
};
|
||||
#ifdef PK11_PAD_HMAC_KEYS
|
||||
CK_BYTE keypad[ISC_SHA384_DIGESTLENGTH];
|
||||
|
||||
if (len < ISC_SHA384_DIGESTLENGTH) {
|
||||
memset(keypad, 0, ISC_SHA384_DIGESTLENGTH);
|
||||
memmove(keypad, key, len);
|
||||
keyTemplate[5].pValue = keypad;
|
||||
keyTemplate[5].ulValueLen = ISC_SHA384_DIGESTLENGTH;
|
||||
} else
|
||||
DE_CONST(key, keyTemplate[5].pValue);
|
||||
#else
|
||||
DE_CONST(key, keyTemplate[5].pValue);
|
||||
#endif
|
||||
RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE,
|
||||
ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
|
||||
ctx->object = CK_INVALID_HANDLE;
|
||||
|
|
@ -909,8 +953,19 @@ isc_hmacsha512_init(isc_hmacsha512_t *ctx, const unsigned char *key,
|
|||
{ CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
|
||||
{ CKA_VALUE, NULL, (CK_ULONG) len }
|
||||
};
|
||||
#ifdef PK11_PAD_HMAC_KEYS
|
||||
CK_BYTE keypad[ISC_SHA512_DIGESTLENGTH];
|
||||
|
||||
if (len < ISC_SHA512_DIGESTLENGTH) {
|
||||
memset(keypad, 0, ISC_SHA512_DIGESTLENGTH);
|
||||
memmove(keypad, key, len);
|
||||
keyTemplate[5].pValue = keypad;
|
||||
keyTemplate[5].ulValueLen = ISC_SHA512_DIGESTLENGTH;
|
||||
} else
|
||||
DE_CONST(key, keyTemplate[5].pValue);
|
||||
#else
|
||||
DE_CONST(key, keyTemplate[5].pValue);
|
||||
#endif
|
||||
RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE,
|
||||
ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
|
||||
ctx->object = CK_INVALID_HANDLE;
|
||||
|
|
|
|||
|
|
@ -31,6 +31,12 @@ static CK_BYTE pk11_ecc_prime256v1[] = {
|
|||
static CK_BYTE pk11_ecc_secp384r1[] = {
|
||||
0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22
|
||||
};
|
||||
static CK_BYTE pk11_ecc_ed25519[] = {
|
||||
0x06, 0x03, 0x2b, 0x65, 0x70
|
||||
};
|
||||
static CK_BYTE pk11_ecc_ed448[] = {
|
||||
0x06, 0x03, 0x2b, 0x65, 0x71
|
||||
};
|
||||
#endif
|
||||
|
||||
#ifdef WANT_DH_PRIMES
|
||||
|
|
|
|||
|
|
@ -31,6 +31,9 @@
|
|||
*
|
||||
*\li PK11_<algorithm>_DISABLE:
|
||||
* Same as SKIP, and disable support for the algorithm.
|
||||
*
|
||||
*\li PK11_PAD_HMAC_KEYS:
|
||||
* Extend HMAC keys shorter than digest length.
|
||||
*/
|
||||
|
||||
/* current implemented flags are:
|
||||
|
|
@ -46,6 +49,7 @@ PK11_SHA512_HMAC_REPLACE
|
|||
PK11_MD5_DISABLE
|
||||
PK11_DSA_DISABLE
|
||||
PK11_DH_DISABLE
|
||||
PK11_PAD_HMAC_KEYS
|
||||
*/
|
||||
|
||||
/*
|
||||
|
|
@ -74,8 +78,11 @@ PK11_DH_DISABLE
|
|||
#endif
|
||||
|
||||
#if PK11_FLAVOR == PK11_SOFTHSMV1_FLAVOR
|
||||
#define PK11_DH_DISABLE
|
||||
#define PK11_DSA_DISABLE
|
||||
#define PK11_PAD_HMAC_KEYS
|
||||
#endif
|
||||
|
||||
#if PK11_FLAVOR == PK11_SOFTHSMV2_FLAVOR
|
||||
/* SoftHSMv2 was updated to enforce minimal key sizes... argh! */
|
||||
#define PK11_MD5_HMAC_REPLACE
|
||||
#define PK11_SHA_1_HMAC_REPLACE
|
||||
#define PK11_SHA224_HMAC_REPLACE
|
||||
|
|
@ -84,9 +91,6 @@ PK11_DH_DISABLE
|
|||
#define PK11_SHA512_HMAC_REPLACE
|
||||
#endif
|
||||
|
||||
#if PK11_FLAVOR == PK11_SOFTHSMV2_FLAVOR
|
||||
#endif
|
||||
|
||||
#if PK11_FLAVOR == PK11_CRYPTECH_FLAVOR
|
||||
#define PK11_DH_DISABLE
|
||||
#define PK11_DSA_DISABLE
|
||||
|
|
|
|||
|
|
@ -25,7 +25,7 @@ VERSION=@BIND9_VERSION@
|
|||
# machine generated. The latter are handled specially in the
|
||||
# install target below.
|
||||
#
|
||||
HEADERS = pkcs11f.h pkcs11.h pkcs11t.h
|
||||
HEADERS = pkcs11f.h pkcs11.h pkcs11t.h eddsa.h
|
||||
SUBDIRS =
|
||||
TARGETS =
|
||||
|
||||
|
|
|
|||
|
|
@ -38,6 +38,7 @@
|
|||
|
||||
#include <pkcs11/cryptoki.h>
|
||||
#include <pkcs11/pkcs11.h>
|
||||
#include <pkcs11/eddsa.h>
|
||||
|
||||
/* was 32 octets, Petr Spacek suggested 1024, SoftHSMv2 uses 256... */
|
||||
#ifndef PINLEN
|
||||
|
|
@ -879,12 +880,33 @@ scan_slots(void) {
|
|||
PK11_TRACEM(CKM_GOSTR3410_WITH_GOSTR3411);
|
||||
}
|
||||
if (bad)
|
||||
goto try_aes;
|
||||
goto try_eddsa;
|
||||
token->operations |= 1 << OP_GOST;
|
||||
if (best_gost_token == NULL)
|
||||
best_gost_token = token;
|
||||
|
||||
try_eddsa:
|
||||
#if defined(CKM_EDDSA_KEY_PAIR_GEN) && defined(CKM_EDDSA) && defined(CKK_EDDSA)
|
||||
bad = ISC_FALSE;
|
||||
rv = pkcs_C_GetMechanismInfo(slot, CKM_EDDSA_KEY_PAIR_GEN,
|
||||
&mechInfo);
|
||||
if ((rv != CKR_OK) ||
|
||||
((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0)) {
|
||||
bad = ISC_TRUE;
|
||||
PK11_TRACEM(CKM_EDDSA_KEY_PAIR_GEN);
|
||||
}
|
||||
rv = pkcs_C_GetMechanismInfo(slot, CKM_EDDSA, &mechInfo);
|
||||
if ((rv != CKR_OK) ||
|
||||
((mechInfo.flags & CKF_SIGN) == 0) ||
|
||||
((mechInfo.flags & CKF_VERIFY) == 0)) {
|
||||
bad = ISC_TRUE;
|
||||
PK11_TRACEM(CKM_EDDSA);
|
||||
}
|
||||
if (bad)
|
||||
goto try_aes;
|
||||
|
||||
try_aes:
|
||||
#endif
|
||||
bad = ISC_FALSE;
|
||||
rv = pkcs_C_GetMechanismInfo(slot, CKM_AES_ECB, &mechInfo);
|
||||
if ((rv != CKR_OK) || ((mechInfo.flags & CKF_ENCRYPT) == 0)) {
|
||||
|
|
|
|||
|
|
@ -396,9 +396,13 @@ my @substdefh = ("AES_SIT",
|
|||
"HAVE_OPENSSL_AES",
|
||||
"HAVE_OPENSSL_DSA",
|
||||
"HAVE_OPENSSL_ECDSA",
|
||||
"HAVE_OPENSSL_ED25519",
|
||||
"HAVE_OPENSSL_ED448",
|
||||
"HAVE_OPENSSL_EVP_AES",
|
||||
"HAVE_OPENSSL_GOST",
|
||||
"HAVE_PKCS11_ECDSA",
|
||||
"HAVE_PKCS11_ED25519",
|
||||
"HAVE_PKCS11_ED448",
|
||||
"HAVE_PKCS11_GOST",
|
||||
"HAVE_READLINE",
|
||||
"HMAC_SHA1_SIT",
|
||||
|
|
@ -555,6 +559,7 @@ my @withlist = ("aes",
|
|||
"cc-alg",
|
||||
"cross-compile",
|
||||
"ecdsa",
|
||||
"eddsa",
|
||||
"extra-tests",
|
||||
"gssapi",
|
||||
"geoip",
|
||||
|
|
@ -615,6 +620,7 @@ my @help = (
|
|||
" with-openssl[=PATH] build with OpenSSL yes|no|path\n",
|
||||
" with-pkcs11[=PATH] build with PKCS#11 support yes|no|provider-path\n",
|
||||
" with-ecdsa crypto ECDSA\n",
|
||||
" with-eddsa crypto EDDSA yes|all|no\n",
|
||||
" with-gost[=ENC] crypto GOST yes|no|raw|ans1\n",
|
||||
" with-aes crypto AES\n",
|
||||
" with-sit-alg choose the algorithm for SIT aes|sha1|sha256\n",
|
||||
|
|
@ -659,6 +665,8 @@ my $openssl_path = "..\\..\\";
|
|||
my $use_pkcs11 = "no";
|
||||
my $pkcs11_path = "unknown";
|
||||
my $use_ecdsa = "auto";
|
||||
my $use_eddsa = "auto";
|
||||
my $use_ed448 = "auto";
|
||||
my $use_gost = "auto";
|
||||
my $gost_encoding = "raw";
|
||||
my $use_aes = "auto";
|
||||
|
|
@ -737,19 +745,19 @@ if ($legacy_only && ($want_x64 ne "yes")) {
|
|||
}
|
||||
|
||||
if ($want_checkfiles eq "yes") {
|
||||
foreach (@filelist) {
|
||||
next if -r $_ . ".in";
|
||||
s/\\/\//g;
|
||||
next if -r $_ . ".in";
|
||||
print "missing $_.in from filelist\n";
|
||||
}
|
||||
foreach (@projectlist) {
|
||||
next if -r $_ . ".in";
|
||||
s/\\/\//g;
|
||||
next if -r $_ . ".in";
|
||||
print "missing $_.in from projectlist\n";
|
||||
}
|
||||
exit(0);
|
||||
foreach (@filelist) {
|
||||
next if -r $_ . ".in";
|
||||
s/\\/\//g;
|
||||
next if -r $_ . ".in";
|
||||
print "missing $_.in from filelist\n";
|
||||
}
|
||||
foreach (@projectlist) {
|
||||
next if -r $_ . ".in";
|
||||
s/\\/\//g;
|
||||
next if -r $_ . ".in";
|
||||
print "missing $_.in from projectlist\n";
|
||||
}
|
||||
exit(0);
|
||||
}
|
||||
|
||||
# configure the platform
|
||||
|
|
@ -953,10 +961,19 @@ sub mywith {
|
|||
} elsif ($val =~ /^yes$/i) {
|
||||
$use_ecdsa = "yes";
|
||||
}
|
||||
} elsif ($key =~ /^eddsa$/i) {
|
||||
if ($val =~ /^no$/i) {
|
||||
$use_eddsa = "no";
|
||||
} elsif ($val !~ /^no$/i) {
|
||||
$use_eddsa = "yes";
|
||||
if ($val =~ /^all$/i) {
|
||||
$use_ed448 = "yes";
|
||||
}
|
||||
}
|
||||
} elsif ($key =~ /^gost$/i) {
|
||||
if ($val =~ /^no$/i) {
|
||||
$use_gost = "no";
|
||||
} elsif ($val =~ /^yes$/i) {
|
||||
} elsif ($val !~ /^no$/i) {
|
||||
$use_gost = "yes";
|
||||
$gost_encoding = $val;
|
||||
}
|
||||
|
|
@ -1189,6 +1206,16 @@ if ($verbose) {
|
|||
} else {
|
||||
print "ecdsa: enabled\n";
|
||||
}
|
||||
if ($use_eddsa eq "no") {
|
||||
print "eddsa: disabled\n";
|
||||
} else {
|
||||
print "ed25519: enabled\n";
|
||||
if ($use_ed448 eq "no") {
|
||||
print "ed448: disabled\n";
|
||||
} else {
|
||||
print "ed448: enabled\n";
|
||||
}
|
||||
}
|
||||
if ($use_gost eq "no") {
|
||||
print "gost: disabled\n";
|
||||
} else {
|
||||
|
|
@ -1477,6 +1504,26 @@ if ($enable_native_pkcs11 eq "yes") {
|
|||
}
|
||||
$configdefh{"HAVE_PKCS11_ECDSA"} = 1;
|
||||
}
|
||||
if ($use_eddsa eq "no") {
|
||||
if ($verbose) {
|
||||
print "no EDDSA support in native PKCS#11\n";
|
||||
}
|
||||
} else {
|
||||
if ($verbose) {
|
||||
print "enabled Ed25519 support in native PKCS#11\n";
|
||||
}
|
||||
$configdefh{"HAVE_PKCS11_ED25519"} = 1;
|
||||
if ($use_ed448 eq "no") {
|
||||
if ($verbose) {
|
||||
print "no Ed448 support in native PKCS#11\n";
|
||||
}
|
||||
} else {
|
||||
if ($verbose) {
|
||||
print "enabled Ed448 support in native PKCS#11\n";
|
||||
}
|
||||
$configdefh{"HAVE_PKCS11_ED448"} = 1;
|
||||
}
|
||||
}
|
||||
if ($use_gost eq "no") {
|
||||
if ($verbose) {
|
||||
print "no GOST support in native PKCS#11\n";
|
||||
|
|
@ -1816,6 +1863,7 @@ EOF
|
|||
if ($verbose) {
|
||||
print "EVP_sha512 test failed: disabling EVP_sha512\n";
|
||||
}
|
||||
$use_eddsa = "no";
|
||||
} else {
|
||||
$configdefh{"HAVE_EVP_SHA512"} = 1;
|
||||
}
|
||||
|
|
@ -1824,6 +1872,7 @@ EOF
|
|||
print "can't compile EVP_sha512 test: $compret\n";
|
||||
print "disabling EVP_sha512\n";
|
||||
}
|
||||
$use_eddsa = "no";
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -1878,6 +1927,104 @@ if ($use_ecdsa ne "no") {
|
|||
$configdefh{"HAVE_OPENSSL_ECDSA"} = 1;
|
||||
}
|
||||
|
||||
# with-eddsa
|
||||
if ($use_openssl eq "no") {
|
||||
$use_eddsa = "no";
|
||||
}
|
||||
if ($use_eddsa eq "auto") {
|
||||
if ($verbose) {
|
||||
print "checking for OpenSSL ED25519 support\n";
|
||||
}
|
||||
open F, ">tested25519.c" || die $!;
|
||||
print F << 'EOF';
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/objects.h>
|
||||
|
||||
int
|
||||
main(void)
|
||||
{
|
||||
EVP_PKEY_CTX *ctx;
|
||||
|
||||
ctx = EVP_PKEY_CTX_new_id(NID_ED25519, NULL);
|
||||
if (ctx == NULL)
|
||||
return (2);
|
||||
return (0);
|
||||
}
|
||||
EOF
|
||||
close F;
|
||||
my $include = $configinc{"OPENSSL_INC"};
|
||||
my $library = $configlib{"OPENSSL_LIB"};
|
||||
$compret = `cl /nologo /MD /I "$include" tested25519.c "$library"`;
|
||||
if (grep { -f and -x } ".\\tested25519.exe") {
|
||||
`.\\tested25519.exe`;
|
||||
if ($? != 0) {
|
||||
if ($verbose) {
|
||||
print "EDDSA test failed: disabling EDDSA\n";
|
||||
}
|
||||
$use_eddsa = "no";
|
||||
}
|
||||
} else {
|
||||
if ($verbose) {
|
||||
print "can't compile EDDSA test: $compret\n";
|
||||
print "disabling EDDSA\n";
|
||||
}
|
||||
$use_eddsa = "no";
|
||||
}
|
||||
}
|
||||
|
||||
if ($use_eddsa ne "no") {
|
||||
$use_eddsa = "yes";
|
||||
$configdefh{"HAVE_OPENSSL_ED25519"} = 1;
|
||||
} else {
|
||||
$use_ed448 = "no";
|
||||
}
|
||||
|
||||
if ($use_ed448 eq "auto") {
|
||||
if ($verbose) {
|
||||
print "checking for OpenSSL ED448 support\n";
|
||||
}
|
||||
open F, ">tested448.c" || die $!;
|
||||
print F << 'EOF';
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/objects.h>
|
||||
|
||||
int
|
||||
main(void)
|
||||
{
|
||||
EVP_PKEY_CTX *ctx;
|
||||
|
||||
ctx = EVP_PKEY_CTX_new_id(NID_ED448, NULL);
|
||||
if (ctx == NULL)
|
||||
return (2);
|
||||
return (0);
|
||||
}
|
||||
EOF
|
||||
close F;
|
||||
my $include = $configinc{"OPENSSL_INC"};
|
||||
my $library = $configlib{"OPENSSL_LIB"};
|
||||
$compret = `cl /nologo /MD /I "$include" tested448.c "$library"`;
|
||||
if (grep { -f and -x } ".\\tested448.exe") {
|
||||
`.\\tested448.exe`;
|
||||
if ($? != 0) {
|
||||
if ($verbose) {
|
||||
print "ED448 test failed: disabling ED448\n";
|
||||
}
|
||||
$use_ed448 = "no";
|
||||
}
|
||||
} else {
|
||||
if ($verbose) {
|
||||
print "can't compile ED448 test: $compret\n";
|
||||
print "disabling ED448\n";
|
||||
}
|
||||
$use_ed448 = "no";
|
||||
}
|
||||
}
|
||||
|
||||
if ($use_ed448 ne "no") {
|
||||
$use_ed448 = "yes";
|
||||
$configdefh{"HAVE_OPENSSL_ED448"} = 1;
|
||||
}
|
||||
|
||||
# with-gost
|
||||
if ($use_openssl eq "no") {
|
||||
$use_gost = "no";
|
||||
|
|
@ -3398,6 +3545,7 @@ exit 0;
|
|||
# --with-openssl supported
|
||||
# --with-pkcs11 supported
|
||||
# --with-ecdsa supported
|
||||
# --with-eddsa supported
|
||||
# --with-gost supported
|
||||
# --with-aes supported
|
||||
# --with-sit-alg supported
|
||||
|
|
|
|||
Loading…
Reference in a new issue