upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-06-10 13:10:00 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Added Ed25519 support (#44696)

Browse source
This commit is contained in:
Francis Dupont 2017-07-31 17:02:24 +02:00
parent f15c57b877
commit dea37aee81
25 changed files with 445 additions and 29 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
CHANGES
View file

@ -1,3 +1,5 @@
4665. [func] Add Ed25519 support (RFC 8080). [RT #25519]
4663. [cleanup] Clarify error message printed by dnssec-dsfromkey.
[RT #21731]

6
bin/dnssec/dnssec-keyfromlabel.c
View file

@ -54,7 +54,8 @@ int verbose;
static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 |"
" NSEC3DSA | NSEC3RSASHA1 |"
" RSASHA256 | RSASHA512 | ECCGOST |"
" ECDSAP256SHA256 | ECDSAP384SHA384";
" ECDSAP256SHA256 | ECDSAP384SHA384 |"
" ED25519 | ED448";
ISC_PLATFORM_NORETURN_PRE static void
usage(void) ISC_PLATFORM_NORETURN_POST;
@ -388,7 +389,8 @@ main(int argc, char **argv) {
alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 &&
alg != DST_ALG_RSASHA256 && alg != DST_ALG_RSASHA512 &&
alg != DST_ALG_ECCGOST &&
alg != DST_ALG_ECDSA256 && alg != DST_ALG_ECDSA384) {
alg != DST_ALG_ECDSA256 && alg != DST_ALG_ECDSA384 &&
alg != DST_ALG_ED25519 && alg != DST_ALG_ED448) {
fatal("%s is incompatible with NSEC3; "
"do not use the -3 option", algname);
}

2
bin/dnssec/dnssec-keyfromlabel.docbook
View file

@ -107,7 +107,7 @@
Selects the cryptographic algorithm. The value of
<option>algorithm</option> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256 or ECDSAP384SHA384.
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
These values are case insensitive.
</para>
<para>

20
bin/dnssec/dnssec-keygen.c
View file

@ -85,7 +85,8 @@ usage(void) {
" | NSEC3DSA |\n");
fprintf(stderr, " RSASHA256 | RSASHA512 | ECCGOST |\n");
fprintf(stderr, " ECDSAP256SHA256 | ECDSAP384SHA384 |\n");
fprintf(stderr, " DH | HMAC-MD5 | HMAC-SHA1 | HMAC-SHA224 | "
fprintf(stderr, " ED25519 | ED448 | DH |\n");
fprintf(stderr, " HMAC-MD5 | HMAC-SHA1 | HMAC-SHA224 | "
"HMAC-SHA256 | \n");
fprintf(stderr, " HMAC-SHA384 | HMAC-SHA512\n");
fprintf(stderr, " (default: RSASHA1, or "
@ -104,6 +105,8 @@ usage(void) {
fprintf(stderr, " ECCGOST:\tignored\n");
fprintf(stderr, " ECDSAP256SHA256:\tignored\n");
fprintf(stderr, " ECDSAP384SHA384:\tignored\n");
fprintf(stderr, " ED25519:\tignored\n");
fprintf(stderr, " ED448:\tignored\n");
fprintf(stderr, " HMAC-MD5:\t[1..512]\n");
fprintf(stderr, " HMAC-SHA1:\t[1..160]\n");
fprintf(stderr, " HMAC-SHA224:\t[1..224]\n");
@ -549,7 +552,8 @@ main(int argc, char **argv) {
alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 &&
alg != DST_ALG_RSASHA256 && alg!= DST_ALG_RSASHA512 &&
alg != DST_ALG_ECCGOST &&
alg != DST_ALG_ECDSA256 && alg != DST_ALG_ECDSA384) {
alg != DST_ALG_ECDSA256 && alg != DST_ALG_ECDSA384 &&
alg != DST_ALG_ED25519 && alg != DST_ALG_ED448) {
fatal("%s is incompatible with NSEC3; "
"do not use the -3 option", algname);
}
@ -583,7 +587,9 @@ main(int argc, char **argv) {
" to %d\n", size);
} else if (alg != DST_ALG_ECCGOST &&
alg != DST_ALG_ECDSA256 &&
alg != DST_ALG_ECDSA384)
alg != DST_ALG_ECDSA384 &&
alg != DST_ALG_ED25519 &&
alg != DST_ALG_ED448)
fatal("key size not specified (-b option)");
}
@ -720,6 +726,12 @@ main(int argc, char **argv) {
case DST_ALG_ECDSA384:
size = 384;
break;
case DST_ALG_ED25519:
size = 256;
break;
case DST_ALG_ED448:
size = 456;
break;
case DST_ALG_HMACMD5:
options |= DST_TYPE_KEY;
if (size < 1 || size > 512)
@ -853,6 +865,8 @@ main(int argc, char **argv) {
case DST_ALG_ECCGOST:
case DST_ALG_ECDSA256:
case DST_ALG_ECDSA384:
case DST_ALG_ED25519:
case DST_ALG_ED448:
show_progress = ISC_TRUE;
/* fall through */

6
bin/dnssec/dnssec-keygen.docbook
View file

@ -122,7 +122,7 @@
Selects the cryptographic algorithm. For DNSSEC keys, the value
of <option>algorithm</option> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256 or ECDSAP384SHA384.
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
For TSIG/TKEY, the value must
be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
@ -194,8 +194,8 @@
If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by
default. Note that RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256 and ECDSAP384SHA384 algorithms
are NSEC3-capable.
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448
algorithms are NSEC3-capable.
</para>
</listitem>
</varlistentry>

2
bin/python/isc/dnskey.py.in
View file

@ -38,7 +38,7 @@ class dnskey:
_ALGNAMES = (None, 'RSAMD5', 'DH', 'DSA', 'ECC', 'RSASHA1',
'NSEC3DSA', 'NSEC3RSASHA1', 'RSASHA256', None,
'RSASHA512', None, 'ECCGOST', 'ECDSAP256SHA256',
'ECDSAP384SHA384')
'ECDSAP384SHA384', 'ED25519', 'ED448')
def __init__(self, key, directory=None, keyttl=None):
# this makes it possible to use algname as a class or instance method

2
bin/tests/system/conf.sh.in
View file

@ -67,7 +67,7 @@ SAMPLEUPDATE=$TOP/lib/export/samples/sample-update
SUBDIRS="acl additional allow_query addzone autosign builtin
cacheclean case chain checkconf @CHECKDS@ checknames checkzone
@COVERAGE@ database digdelv dlv dlvauto dlz dlzexternal
dns64 dnssec ecdsa emptyzones fetchlimit filter-aaaa
dns64 dnssec ecdsa eddsa emptyzones fetchlimit filter-aaaa
formerr forward glue gost inline integrity ixfr legacy
limits logfileconfig lwresd masterfile masterformat metadata
notify nslookup nsupdate pending pkcs11 reclimit redirect

5
bin/tests/system/testcrypto.sh
View file

@ -47,6 +47,11 @@ while test "$#" -gt 0; do
msg1="ECDSA cryptography"
msg2="--with-ecdsa"
;;
eddsa|EDDSA)
alg="-a ED25519"
msg1="EDDSA cryptography"
msg2="--with-eddsa"
;;
*)
echo "${prog}: unknown argument"
exit 1

12
config.h.in
View file

@ -138,6 +138,12 @@ int sigwait(const unsigned int *set, int *sig);
/* Define if OpenSSL includes ECDSA support */
#undef HAVE_OPENSSL_ECDSA
/* Define if your OpenSSL version supports Ed25519. */
#undef HAVE_OPENSSL_ED25519
/* Define if your OpenSSL version supports Ed448. */
#undef HAVE_OPENSSL_ED448
/* Define to the length type used by the socket API (socklen_t, size_t, int). */
#undef ISC_SOCKADDR_LEN_T
@ -329,6 +335,12 @@ int sigwait(const unsigned int *set, int *sig);
/* Define if your OpenSSL version supports ECDSA. */
#undef HAVE_OPENSSL_ECDSA
/* Define if your PKCS11 provider supports Ed25519. */
#undef HAVE_PKCS11_ED25519
/* Define if your PKCS11 provider supports Ed448. */
#undef HAVE_PKCS11_ED448
/* Define if your OpenSSL version supports GOST. */
#undef HAVE_OPENSSL_GOST

6
config.h.win32
View file

@ -326,6 +326,12 @@ typedef __int64 off_t;
/* Define if OpenSSL includes ECDSA support */
@HAVE_OPENSSL_ECDSA@
/* Define if OpenSSL includes Ed25519 support */
@HAVE_OPENSSL_ED25519@
/* Define if OpenSSL includes Ed448 support */
@HAVE_OPENSSL_ED448@
/* Define if your OpenSSL version supports GOST. */
@HAVE_OPENSSL_GOST@

91
configure vendored
View file

@ -835,11 +835,14 @@ USE_PKCS11
ISC_OPENSSL_INC
ISC_PLATFORM_OPENSSLHASH
OPENSSL_GOST
OPENSSL_ED25519
OPENSSL_ECDSA
OPENSSLLINKSRCS
OPENSSLLINKOBJS
OPENSSLGOSTLINKSRCS
OPENSSLGOSTLINKOBJS
OPENSSLEDDSALINKSRCS
OPENSSLEDDSALINKOBJS
DST_OPENSSL_INC
USE_OPENSSL
LWRES_PLATFORM_NEEDSYSSELECTH
@ -984,6 +987,7 @@ with_openssl
enable_openssl_version_check
with_ecdsa
with_gost
with_eddsa
enable_openssl_hash
with_pkcs11
with_gssapi
@ -1710,6 +1714,7 @@ Optional Packages:
(Required for DNSSEC)
--with-ecdsa OpenSSL ECDSA
--with-gost OpenSSL GOST
--with-eddsa OpenSSL EDDSA
--with-pkcs11=PATH Build with PKCS11 support yes|no|path
(PATH is for the PKCS11 provider)
--with-gssapi=[PATH|[/path/]krb5-config] Specify path for system-supplied GSSAPI [default=yes]
@ -13685,6 +13690,7 @@ then
done
fi
OPENSSL_ECDSA=""
OPENSSL_ED25519=""
OPENSSL_GOST=""
case "$use_openssl" in
no)
@ -13694,6 +13700,8 @@ $as_echo "no" >&6; }
USE_OPENSSL=""
OPENSSLGOSTLINKOBJS=""
OPENSSLGOSTLINKSRS=""
OPENSSLEDDSALINKOBJS=""
OPENSSLEDDSALINKSRS=""
OPENSSLLINKOBJS=""
OPENSSLLINKSRCS=""
;;
@ -13702,6 +13710,8 @@ $as_echo "no" >&6; }
USE_OPENSSL=""
OPENSSLGOSTLINKOBJS=""
OPENSSLGOSTLINKSRS=""
OPENSSLEDDSALINKOBJS=""
OPENSSLEDDSALINKSRS=""
OPENSSLLINKOBJS=""
OPENSSLLINKSRCS=""
as_fn_error $? "OpenSSL was not found in any of $openssldirs; use --with-openssl=/path
@ -14113,6 +14123,80 @@ $as_echo "#define HAVE_OPENSSL_GOST 1" >>confdefs.h
*)
;;
esac
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL Ed25519 support" >&5
$as_echo_n "checking for OpenSSL Ed25519 support... " >&6; }
have_ed25519=""
have_ed448=""
if test "$cross_compiling" = yes; then :
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: using --with-eddsa" >&5
$as_echo "using --with-eddsa" >&6; }
else
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
#include <openssl/evp.h>
#include <openssl/objects.h>
int main() {
EVP_PKEY_CTX *ctx;
ctx = EVP_PKEY_CTX_new_id(NID_ED25519, NULL);
if (ctx == NULL)
return (2);
return (0);
}
_ACEOF
if ac_fn_c_try_run "$LINENO"; then :
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
$as_echo "yes" >&6; }
have_ed25519="yes"
else
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
have_ed25519="no"
fi
rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
conftest.$ac_objext conftest.beam conftest.$ac_ext
fi
# Check whether --with-eddsa was given.
if test "${with_eddsa+set}" = set; then :
withval=$with_eddsa; with_eddsa="$withval"
else
with_eddsa="auto"
fi
case "$with_eddsa" in
yes)
case "$have_ed25519" in
no) as_fn_error $? "eddsa not supported" "$LINENO" 5 ;;
*) have_ed25519=yes ;;
esac
;;
no)
have_ed25519=no ;;
*)
case "$have_ed25519" in
yes|no) ;;
*) as_fn_error $? "need --with-eddsa=[yes or no]" "$LINENO" 5 ;;
esac
;;
esac
case $have_ed25519 in
yes)
OPENSSL_ED25519="yes"
OPENSSLEDDSALINKOBJS='${OPENSSLEDDSALINKOBJS}'
OPENSSLEDDSALINKSRCS='${OPENSSLEDDSALINKSRCS}'
$as_echo "#define HAVE_OPENSSL_ED25519 1" >>confdefs.h
;;
*)
;;
esac
CFLAGS="$saved_cflags"
LIBS="$saved_libs"
OPENSSLLINKOBJS='${OPENSSLLINKOBJS}'
@ -14135,6 +14219,9 @@ esac
DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DNS_OPENSSL_LIBS"
#
@ -23886,6 +23973,8 @@ report() {
echo " GOST algorithm support (--with-gost)"
test "yes" != "$OPENSSL_ECDSA" || \
echo " ECDSA algorithm support (--with-ecdsa)"
test "yes" != "$OPENSSL_ED25519." || \
echo " EDDSA algorithm support (--with-eddsa)"
test "X$PYTHON" = "X" || echo " Python tools (--with-python)"
test "X$libxml2_libs" = "X" || echo " XML statistics (--with-libxml2)"
fi
@ -23932,6 +24021,8 @@ report() {
echo " GOST algorithm support (--with-gost)"
test "X$USE_OPENSSL" != "X" -a "$OPENSSL_ECDSA" != "yes" && \
echo " ECDSA algorithm support (--with-ecdsa)"
test "X$USE_OPENSSL" != "X" -a "$OPENSSL_ED25519" != "yes" && \
echo " EDDSA algorithm support (--with-eddsa)"
test "X$PYTHON" = "X" && echo " Python tools (--with-python)"
test "X$libxml2_libs" = "X" && echo " XML statistics (--with-libxml2)"

63
configure.in
View file

@ -723,6 +723,7 @@ then
done
fi
OPENSSL_ECDSA=""
OPENSSL_ED25519=""
OPENSSL_GOST=""
case "$use_openssl" in
no)
@ -731,6 +732,8 @@ case "$use_openssl" in
USE_OPENSSL=""
OPENSSLGOSTLINKOBJS=""
OPENSSLGOSTLINKSRS=""
OPENSSLEDDSALINKOBJS=""
OPENSSLEDDSALINKSRS=""
OPENSSLLINKOBJS=""
OPENSSLLINKSRCS=""
;;
@ -739,6 +742,8 @@ case "$use_openssl" in
USE_OPENSSL=""
OPENSSLGOSTLINKOBJS=""
OPENSSLGOSTLINKSRS=""
OPENSSLEDDSALINKOBJS=""
OPENSSLEDDSALINKSRS=""
OPENSSLLINKOBJS=""
OPENSSLLINKSRCS=""
AC_MSG_ERROR(
@ -1025,6 +1030,57 @@ int main() {
*)
;;
esac
AC_MSG_CHECKING(for OpenSSL Ed25519 support)
have_ed25519=""
have_ed448=""
AC_TRY_RUN([
#include <openssl/evp.h>
#include <openssl/objects.h>
int main() {
EVP_PKEY_CTX *ctx;
ctx = EVP_PKEY_CTX_new_id(NID_ED25519, NULL);
if (ctx == NULL)
return (2);
return (0);
}
],
[AC_MSG_RESULT(yes)
have_ed25519="yes"],
[AC_MSG_RESULT(no)
have_ed25519="no"],
[AC_MSG_RESULT(using --with-eddsa)])
AC_ARG_WITH(eddsa, [ --with-eddsa OpenSSL EDDSA],
with_eddsa="$withval", with_eddsa="auto")
case "$with_eddsa" in
yes)
case "$have_ed25519" in
no) AC_MSG_ERROR([eddsa not supported]) ;;
*) have_ed25519=yes ;;
esac
;;
no)
have_ed25519=no ;;
*)
case "$have_ed25519" in
yes|no) ;;
*) AC_MSG_ERROR([need --with-eddsa=[[yes or no]]]) ;;
esac
;;
esac
case $have_ed25519 in
yes)
OPENSSL_ED25519="yes"
OPENSSLEDDSALINKOBJS='${OPENSSLEDDSALINKOBJS}'
OPENSSLEDDSALINKSRCS='${OPENSSLEDDSALINKSRCS}'
AC_DEFINE(HAVE_OPENSSL_ED25519, 1,
[Define if your OpenSSL version supports Ed25519.])
;;
*)
;;
esac
CFLAGS="$saved_cflags"
LIBS="$saved_libs"
OPENSSLLINKOBJS='${OPENSSLLINKOBJS}'
@ -1040,11 +1096,14 @@ esac
AC_SUBST(USE_OPENSSL)
AC_SUBST(DST_OPENSSL_INC)
AC_SUBST(OPENSSLEDDSALINKOBJS)
AC_SUBST(OPENSSLEDDSALINKSRCS)
AC_SUBST(OPENSSLGOSTLINKOBJS)
AC_SUBST(OPENSSLGOSTLINKSRCS)
AC_SUBST(OPENSSLLINKOBJS)
AC_SUBST(OPENSSLLINKSRCS)
AC_SUBST(OPENSSL_ECDSA)
AC_SUBST(OPENSSL_ED25519)
AC_SUBST(OPENSSL_GOST)
DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DNS_OPENSSL_LIBS"
@ -4387,6 +4446,8 @@ report() {
echo " GOST algorithm support (--with-gost)"
test "yes" != "$OPENSSL_ECDSA" || \
echo " ECDSA algorithm support (--with-ecdsa)"
test "yes" != "$OPENSSL_ED25519." || \
echo " EDDSA algorithm support (--with-eddsa)"
test "X$PYTHON" = "X" || echo " Python tools (--with-python)"
test "X$libxml2_libs" = "X" || echo " XML statistics (--with-libxml2)"
fi
@ -4433,6 +4494,8 @@ report() {
echo " GOST algorithm support (--with-gost)"
test "X$USE_OPENSSL" != "X" -a "$OPENSSL_ECDSA" != "yes" && \
echo " ECDSA algorithm support (--with-ecdsa)"
test "X$USE_OPENSSL" != "X" -a "$OPENSSL_ED25519" != "yes" && \
echo " EDDSA algorithm support (--with-eddsa)"
test "X$PYTHON" = "X" && echo " Python tools (--with-python)"
test "X$libxml2_libs" = "X" && echo " XML statistics (--with-libxml2)"

9
lib/dns/Makefile.in
View file

@ -45,9 +45,10 @@ LIBS = @LIBS@
# Alphabetically
OPENSSLGOSTLINKOBJS = opensslgost_link.@O@
OPENSSLEDDSALINKOBJS = openssleddsa_link.@O@
OPENSSLLINKOBJS = openssl_link.@O@ openssldh_link.@O@ openssldsa_link.@O@ \
opensslecdsa_link.@O@ @OPENSSLGOSTLINKOBJS@ \
opensslrsa_link.@O@
opensslecdsa_link.@O@ @OPENSSLEDDSALINKOBJS@ \
@OPENSSLGOSTLINKOBJS@ opensslrsa_link.@O@
DSTOBJS = @DST_EXTRA_OBJS@ @OPENSSLLINKOBJS@ \
dst_api.@O@ dst_lib.@O@ dst_parse.@O@ dst_result.@O@ \
@ -78,8 +79,10 @@ OBJS= ${DNSOBJS} ${OTHEROBJS} ${DSTOBJS} @RRLLINKOBJS@
# Alphabetically
OPENSSLGOSTLINKSRCS = opensslgost_link.c
OPENSSLEDDDSALINKSRCS = openssleddsa_link.c
OPENSSLLINKSRCS = openssl_link.c openssldh_link.c openssldsa_link.c \
opensslecdsa_link.c @OPENSSLGOSTLINKSRCS@ opensslrsa_link.c
opensslecdsa_link.c @OPENSSLEDDDSALINKSRCS@ \
@OPENSSLGOSTLINKSRCS@ opensslrsa_link.c
DSTSRCS = @DST_EXTRA_SRCS@ @OPENSSLLINKSRCS@ \
dst_api.c dst_lib.c dst_parse.c \

17
lib/dns/dst_api.c
View file

@ -218,6 +218,12 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA256]));
RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA384]));
#endif
#ifdef HAVE_OPENSSL_ED25519
RETERR(dst__openssleddsa_init(&dst_t_func[DST_ALG_ED25519]));
#endif
#ifdef HAVE_OPENSSL_ED448
RETERR(dst__openssleddsa_init(&dst_t_func[DST_ALG_ED448]));
#endif
#endif /* OPENSSL */
#ifdef GSSAPI
RETERR(dst__gssapi_init(&dst_t_func[DST_ALG_GSSAPI]));
@ -1180,6 +1186,12 @@ dst_key_sigsize(const dst_key_t *key, unsigned int *n) {
case DST_ALG_ECDSA384:
*n = DNS_SIG_ECDSA384SIZE;
break;
case DST_ALG_ED25519:
*n = DNS_SIG_ED25519SIZE;
break;
case DST_ALG_ED448:
*n = DNS_SIG_ED448SIZE;
break;
case DST_ALG_HMACMD5:
*n = 16;
break;
@ -1508,6 +1520,8 @@ issymmetric(const dst_key_t *key) {
case DST_ALG_ECCGOST:
case DST_ALG_ECDSA256:
case DST_ALG_ECDSA384:
case DST_ALG_ED25519:
case DST_ALG_ED448:
return (ISC_FALSE);
case DST_ALG_HMACMD5:
case DST_ALG_HMACSHA1:
@ -1792,7 +1806,8 @@ algorithm_status(unsigned int alg) {
alg == DST_ALG_NSEC3RSASHA1 ||
alg == DST_ALG_RSASHA256 || alg == DST_ALG_RSASHA512 ||
alg == DST_ALG_ECCGOST ||
alg == DST_ALG_ECDSA256 || alg == DST_ALG_ECDSA384)
alg == DST_ALG_ECDSA256 || alg == DST_ALG_ECDSA384 ||
alg == DST_ALG_ED25519 || alg == DST_ALG_ED448)
return (DST_R_NOCRYPTO);
#endif
return (DST_R_UNSUPPORTEDALG);

6
lib/dns/dst_internal.h
View file

@ -227,6 +227,12 @@ isc_result_t dst__opensslgost_init(struct dst_func **funcp);
#ifdef HAVE_OPENSSL_ECDSA
isc_result_t dst__opensslecdsa_init(struct dst_func **funcp);
#endif
#if defined(HAVE_OPENSSL_ED25519) || defined(HAVE_OPENSSL_ED448)
isc_result_t dst__openssleddsa_init(struct dst_func **funcp);
#endif
#if defined(HAVE_PKCS11_ED25519) || defined(HAVE_PKCS11_ED448)
isc_result_t dst__pkcs11eddsa_init(struct dst_func **funcp);
#endif
/*%
* Destructors

24
lib/dns/dst_parse.c
View file

@ -111,6 +111,8 @@ static struct parse_map map[] = {
{TAG_ECDSA_PRIVATEKEY, "PrivateKey:"},
{TAG_EDDSA_PRIVATEKEY, "PrivateKey:"},
{TAG_HMACMD5_KEY, "Key:"},
{TAG_HMACMD5_BITS, "Bits:"},
@ -281,6 +283,19 @@ check_ecdsa(const dst_private_t *priv, isc_boolean_t external) {
return (0);
}
static int
check_eddsa(const dst_private_t *priv, isc_boolean_t external) {
if (external)
return ((priv->nelements == 0) ? 0 : -1);
if (priv->nelements != EDDSA_NTAGS)
return (-1);
if (priv->elements[0].tag != TAG(DST_ALG_ED25519, 0))
return (-1);
return (0);
}
static int
check_hmac_md5(const dst_private_t *priv, isc_boolean_t old) {
int i, j;
@ -347,6 +362,9 @@ check_data(const dst_private_t *priv, const unsigned int alg,
case DST_ALG_ECDSA256:
case DST_ALG_ECDSA384:
return (check_ecdsa(priv, external));
case DST_ALG_ED25519:
case DST_ALG_ED448:
return (check_eddsa(priv, external));
case DST_ALG_HMACMD5:
return (check_hmac_md5(priv, old));
case DST_ALG_HMACSHA1:
@ -682,6 +700,12 @@ dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
case DST_ALG_ECDSA384:
fprintf(fp, "(ECDSAP384SHA384)\n");
break;
case DST_ALG_ED25519:
fprintf(fp, "(ED25519)\n");
break;
case DST_ALG_ED448:
fprintf(fp, "(ED448)\n");
break;
case DST_ALG_HMACMD5:
fprintf(fp, "(HMAC_MD5)\n");
break;

3
lib/dns/dst_parse.h
View file

@ -84,6 +84,9 @@
#define ECDSA_NTAGS 1
#define TAG_ECDSA_PRIVATEKEY ((DST_ALG_ECDSA256 << TAG_SHIFT) + 0)
#define EDDSA_NTAGS 4
#define TAG_EDDSA_PRIVATEKEY ((DST_ALG_ED25519 << TAG_SHIFT) + 0)
#define OLD_HMACMD5_NTAGS 1
#define HMACMD5_NTAGS 2
#define TAG_HMACMD5_KEY ((DST_ALG_HMACMD5 << TAG_SHIFT) + 0)

8
lib/dns/include/dns/keyvalues.h
View file

@ -73,6 +73,8 @@
#define DNS_KEYALG_ECCGOST 12
#define DNS_KEYALG_ECDSA256 13
#define DNS_KEYALG_ECDSA384 14
#define DNS_KEYALG_ED25519 15
#define DNS_KEYALG_ED448 16
#define DNS_KEYALG_INDIRECT 252
#define DNS_KEYALG_PRIVATEDNS 253
#define DNS_KEYALG_PRIVATEOID 254 /*%< Key begins with OID giving alg */
@ -109,4 +111,10 @@
#define DNS_KEY_ECDSA256SIZE 64
#define DNS_KEY_ECDSA384SIZE 96
#define DNS_SIG_ED25519SIZE 64
#define DNS_SIG_ED448SIZE 114
#define DNS_KEY_ED25519SIZE 32
#define DNS_KEY_ED448SIZE 57
#endif /* DNS_KEYVALUES_H */

2
lib/dns/include/dst/dst.h
View file

@ -62,6 +62,8 @@ typedef struct dst_context dst_context_t;
#define DST_ALG_ECCGOST 12
#define DST_ALG_ECDSA256 13
#define DST_ALG_ECDSA384 14
#define DST_ALG_ED25519 15
#define DST_ALG_ED448 16
#define DST_ALG_HMACMD5 157
#define DST_ALG_GSSAPI 160
#define DST_ALG_HMACSHA1 161 /* XXXMPA */

2
lib/dns/rcode.c
View file

@ -117,6 +117,8 @@
{ DNS_KEYALG_ECCGOST, "ECCGOST", 0 }, \
{ DNS_KEYALG_ECDSA256, "ECDSAP256SHA256", 0 }, \
{ DNS_KEYALG_ECDSA384, "ECDSAP384SHA384", 0 }, \
{ DNS_KEYALG_ED25519, "ED25519", 0 }, \
{ DNS_KEYALG_ED448, "ED448", 0 }, \
{ DNS_KEYALG_INDIRECT, "INDIRECT", 0 }, \
{ DNS_KEYALG_PRIVATEDNS, "PRIVATEDNS", 0 }, \
{ DNS_KEYALG_PRIVATEOID, "PRIVATEOID", 0 }, \

4
lib/dns/win32/libdns.dsp.in
View file

@ -818,6 +818,10 @@ SOURCE=..\opensslecdsa_link.c
# End Source File
# Begin Source File
SOURCE=..\openssleddsa_link.c
# End Source File
# Begin Source File
SOURCE=..\opensslgost_link.c
# End Source File
# Begin Source File

24
lib/dns/win32/libdns.mak.in
View file

@ -165,6 +165,7 @@ CLEAN :
-@erase "$(INTDIR)\openssldh_link.obj"
-@erase "$(INTDIR)\openssldsa_link.obj"
-@erase "$(INTDIR)\opensslecdsa_link.obj"
-@erase "$(INTDIR)\openssleddsa_link.obj"
-@erase "$(INTDIR)\opensslgost_link.obj"
-@erase "$(INTDIR)\opensslrsa_link.obj"
-@erase "$(INTDIR)\order.obj"
@ -347,6 +348,7 @@ LINK32_OBJS= \
"$(INTDIR)\openssldh_link.obj" \
"$(INTDIR)\openssldsa_link.obj" \
"$(INTDIR)\opensslecdsa_link.obj" \
"$(INTDIR)\openssleddsa_link.obj" \
"$(INTDIR)\opensslgost_link.obj" \
"$(INTDIR)\opensslrsa_link.obj" \
"..\..\isc\win32\Release\libisc.lib"
@ -472,6 +474,8 @@ CLEAN :
-@erase "$(INTDIR)\openssldsa_link.sbr"
-@erase "$(INTDIR)\opensslecdsa_link.obj"
-@erase "$(INTDIR)\opensslecdsa_link.sbr"
-@erase "$(INTDIR)\openssleddsa_link.obj"
-@erase "$(INTDIR)\openssleddsa_link.sbr"
-@erase "$(INTDIR)\opensslgost_link.obj"
-@erase "$(INTDIR)\opensslgost_link.sbr"
-@erase "$(INTDIR)\opensslrsa_link.obj"
@ -695,6 +699,7 @@ BSC32_SBRS= \
"$(INTDIR)\openssldh_link.sbr" \
"$(INTDIR)\openssldsa_link.sbr" \
"$(INTDIR)\opensslecdsa_link.sbr" \
"$(INTDIR)\openssleddsa_link.sbr" \
"$(INTDIR)\opensslgost_link.sbr" \
"$(INTDIR)\opensslrsa_link.sbr"
@ -794,6 +799,7 @@ LINK32_OBJS= \
"$(INTDIR)\openssldh_link.obj" \
"$(INTDIR)\openssldsa_link.obj" \
"$(INTDIR)\opensslecdsa_link.obj" \
"$(INTDIR)\openssleddsa_link.obj" \
"$(INTDIR)\opensslgost_link.obj" \
"$(INTDIR)\opensslrsa_link.obj" \
"..\..\isc\win32\Debug\libisc.lib"
@ -2365,6 +2371,24 @@ SOURCE=..\opensslecdsa_link.c
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
SOURCE=..\openssleddsa_link.c
!IF "$(CFG)" == "libdns - @PLATFORM@ Release"
"$(INTDIR)\openssleddsa_link.obj" : $(SOURCE) "$(INTDIR)"
$(CPP) $(CPP_PROJ) $(SOURCE)
!ELSEIF "$(CFG)" == "libdns - @PLATFORM@ Debug"
"$(INTDIR)\openssleddsa_link.obj" "$(INTDIR)\openssleddsa_link.sbr" : $(SOURCE) "$(INTDIR)"
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
SOURCE=..\opensslgost_link.c

3
lib/dns/win32/libdns.vcxproj.filters.in
View file

@ -284,6 +284,9 @@
<ClCompile Include="..\opensslecdsa_link.c">
<Filter>Dst Source Files</Filter>
</ClCompile>
<ClCompile Include="..\openssleddsa_link.c">
<Filter>Dst Source Files</Filter>
</ClCompile>
<ClCompile Include="..\opensslgost_link.c">
<Filter>Dst Source Files</Filter>
</ClCompile>

1
lib/dns/win32/libdns.vcxproj.in
View file

@ -155,6 +155,7 @@
<ClCompile Include="..\openssldh_link.c" />
<ClCompile Include="..\openssldsa_link.c" />
<ClCompile Include="..\opensslecdsa_link.c" />
<ClCompile Include="..\openssleddsa_link.c" />
<ClCompile Include="..\opensslgost_link.c" />
<ClCompile Include="..\opensslrsa_link.c" />
<ClCompile Include="..\openssl_link.c" />

154
win32utils/Configure
View file

@ -327,6 +327,8 @@ my @substdefh = ("ALLOW_FILTER_AAAA",
"HAVE_LIBXML2",
"HAVE_OPENSSL_DSA",
"HAVE_OPENSSL_ECDSA",
"HAVE_OPENSSL_ED25519",
"HAVE_OPENSSL_ED448",
"HAVE_OPENSSL_GOST",
"HAVE_READLINE",
"ISC_LIST_CHECKINIT",
@ -455,6 +457,7 @@ my @enablelist = ("developer",
my @withlist = ("cross-compile",
"ecdsa",
"eddsa",
"extra-tests",
"gssapi",
"geoip",
@ -508,6 +511,7 @@ my @help = (
" with-openssl[=PATH] build with OpenSSL yes|no|path\n",
" with-pkcs11[=PATH] build with PKCS#11 support yes|no|provider-path\n",
" with-ecdsa crypto ECDSA\n",
" with-eddsa crypto EDDSA yes|all|no\n",
" with-gost crypto GOST\n",
" with-gssapi[=PATH] build with MIT KfW GSSAPI yes|no|path\n",
" with-libxml2[=PATH] build with libxml2 library yes|no|path\n",
@ -545,6 +549,8 @@ my $openssl_path = "..\\..\\";
my $use_pkcs11 = "no";
my $pkcs11_path = "unknown";
my $use_ecdsa = "auto";
my $use_eddsa = "auto";
my $use_ed448 = "auto";
my $use_gost = "auto";
my $use_gssapi = "no";
my $gssapi_path = "C:\\Program\ Files\\MIT\\Kerberos\\";
@ -619,19 +625,19 @@ if ($legacy_only && ($want_x64 ne "yes")) {
}
if ($want_checkfiles eq "yes") {
foreach (@filelist) {
next if -r $_ . ".in";
s/\\/\//g;
next if -r $_ . ".in";
print "missing $_.in from filelist\n";
}
foreach (@projectlist) {
next if -r $_ . ".in";
s/\\/\//g;
next if -r $_ . ".in";
print "missing $_.in from projectlist\n";
}
exit(0);
foreach (@filelist) {
next if -r $_ . ".in";
s/\\/\//g;
next if -r $_ . ".in";
print "missing $_.in from filelist\n";
}
foreach (@projectlist) {
next if -r $_ . ".in";
s/\\/\//g;
next if -r $_ . ".in";
print "missing $_.in from projectlist\n";
}
exit(0);
}
# configure the platform
@ -810,10 +816,19 @@ sub mywith {
} elsif ($val =~ /^yes$/i) {
$use_ecdsa = "yes";
}
} elsif ($key =~ /^eddsa$/i) {
if ($val =~ /^no$/i) {
$use_eddsa = "no";
} elsif ($val !~ /^no$/i) {
$use_eddsa = "yes";
if ($val =~ /^all$/i) {
$use_ed448 = "yes";
}
}
} elsif ($key =~ /^gost$/i) {
if ($val =~ /^no$/i) {
$use_gost = "no";
} elsif ($val =~ /^yes$/i) {
} elsif ($val !~ /^no$/i) {
$use_gost = "yes";
}
} elsif ($key =~ /^gssapi$/i) {
@ -997,6 +1012,16 @@ if ($verbose) {
} else {
print "ecdsa: enabled\n";
}
if ($use_eddsa eq "no") {
print "eddsa: disabled\n";
} else {
print "ed25519: enabled\n";
if ($use_ed448 eq "no") {
print "ed448: disabled\n";
} else {
print "ed448: enabled\n";
}
}
if ($use_gost eq "no") {
print "gost: disabled\n";
} else {
@ -1526,6 +1551,7 @@ EOF
if ($verbose) {
print "EVP_sha512 test failed: disabling EVP_sha512\n";
}
$use_eddsa = "no";
} else {
$configdefh{"HAVE_EVP_SHA512"} = 1;
}
@ -1534,6 +1560,7 @@ EOF
print "can't compile EVP_sha512 test: $compret\n";
print "disabling EVP_sha512\n";
}
$use_eddsa = "no";
}
}
@ -1588,6 +1615,104 @@ if ($use_ecdsa ne "no") {
$configdefh{"HAVE_OPENSSL_ECDSA"} = 1;
}
# with-eddsa
if ($use_openssl eq "no") {
$use_eddsa = "no";
}
if ($use_eddsa eq "auto") {
if ($verbose) {
print "checking for OpenSSL ED25519 support\n";
}
open F, ">tested25519.c" || die $!;
print F << 'EOF';
#include <openssl/evp.h>
#include <openssl/objects.h>
int
main(void)
{
EVP_PKEY_CTX *ctx;
ctx = EVP_PKEY_CTX_new_id(NID_ED25519, NULL);
if (ctx == NULL)
return (2);
return (0);
}
EOF
close F;
my $include = $configinc{"OPENSSL_INC"};
my $library = $configlib{"OPENSSL_LIB"};
$compret = `cl /nologo /MD /I "$include" tested25519.c "$library"`;
if (grep { -f and -x } ".\\tested25519.exe") {
`.\\tested25519.exe`;
if ($? != 0) {
if ($verbose) {
print "EDDSA test failed: disabling EDDSA\n";
}
$use_eddsa = "no";
}
} else {
if ($verbose) {
print "can't compile EDDSA test: $compret\n";
print "disabling EDDSA\n";
}
$use_eddsa = "no";
}
}
if ($use_eddsa ne "no") {
$use_eddsa = "yes";
$configdefh{"HAVE_OPENSSL_ED25519"} = 1;
} else {
$use_ed448 = "no";
}
if ($use_ed448 eq "auto") {
if ($verbose) {
print "checking for OpenSSL ED448 support\n";
}
open F, ">tested448.c" || die $!;
print F << 'EOF';
#include <openssl/evp.h>
#include <openssl/objects.h>
int
main(void)
{
EVP_PKEY_CTX *ctx;
ctx = EVP_PKEY_CTX_new_id(NID_ED448, NULL);
if (ctx == NULL)
return (2);
return (0);
}
EOF
close F;
my $include = $configinc{"OPENSSL_INC"};
my $library = $configlib{"OPENSSL_LIB"};
$compret = `cl /nologo /MD /I "$include" tested448.c "$library"`;
if (grep { -f and -x } ".\\tested448.exe") {
`.\\tested448.exe`;
if ($? != 0) {
if ($verbose) {
print "ED448 test failed: disabling ED448\n";
}
$use_ed448 = "no";
}
} else {
if ($verbose) {
print "can't compile ED448 test: $compret\n";
print "disabling ED448\n";
}
$use_ed448 = "no";
}
}
if ($use_ed448 ne "no") {
$use_ed448 = "yes";
$configdefh{"HAVE_OPENSSL_ED448"} = 1;
}
# with-gost
if ($use_openssl eq "no") {
$use_gost = "no";
@ -2839,6 +2964,7 @@ exit 0;
# --with-openssl supported
# --with-pkcs11 supported
# --with-ecdsa supported
# --with-eddsa supported
# --with-gost supported
# --with-geoip supported
# --with-gssapi supported with MIT (K)erberos (f)or (W)indows