diff --git a/config.h.in b/config.h.in index ba378b23b..945b5edad 100644 --- a/config.h.in +++ b/config.h.in @@ -400,6 +400,9 @@ /* Define if you want to use internal select based events */ #undef USE_MINI_EVENT +/* Define this to enable SHA256 and SHA512 support. */ +#undef USE_SHA2 + /* Whether the windows socket API is used */ #undef USE_WINSOCK diff --git a/configure b/configure index b4643ef62..f3bb45892 100755 --- a/configure +++ b/configure @@ -1464,6 +1464,7 @@ Optional Features: optimize for fast installation [default=yes] --disable-libtool-lock avoid locking (might break parallel builds) --disable-rpath disable hardcoded rpath (default=enabled) + --enable-sha2 Enable SHA256 and SHA512 RRSIG support --enable-static-exe enable to compile executables statically against event, ldns libs, for debug purposes --enable-lock-checks enable to check lock and unlock calls, for debug @@ -6881,7 +6882,7 @@ ia64-*-hpux*) ;; *-*-irix6*) # Find out which ABI we are using. - echo '#line 6884 "configure"' > conftest.$ac_ext + echo '#line 6885 "configure"' > conftest.$ac_ext if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? @@ -8195,11 +8196,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:8198: $lt_compile\"" >&5) + (eval echo "\"\$as_me:8199: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:8202: \$? = $ac_status" >&5 + echo "$as_me:8203: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. 
@@ -8485,11 +8486,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:8488: $lt_compile\"" >&5) + (eval echo "\"\$as_me:8489: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:8492: \$? = $ac_status" >&5 + echo "$as_me:8493: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -8589,11 +8590,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:8592: $lt_compile\"" >&5) + (eval echo "\"\$as_me:8593: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:8596: \$? = $ac_status" >&5 + echo "$as_me:8597: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -10940,7 +10941,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext < conftest.$ac_ext <&5) + (eval echo "\"\$as_me:13464: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:13467: \$? = $ac_status" >&5 + echo "$as_me:13468: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. 
@@ -13564,11 +13565,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:13567: $lt_compile\"" >&5) + (eval echo "\"\$as_me:13568: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:13571: \$? = $ac_status" >&5 + echo "$as_me:13572: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -15128,11 +15129,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:15131: $lt_compile\"" >&5) + (eval echo "\"\$as_me:15132: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:15135: \$? = $ac_status" >&5 + echo "$as_me:15136: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -15232,11 +15233,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:15235: $lt_compile\"" >&5) + (eval echo "\"\$as_me:15236: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:15239: \$? = $ac_status" >&5 + echo "$as_me:15240: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized 
@@ -17421,11 +17422,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:17424: $lt_compile\"" >&5) + (eval echo "\"\$as_me:17425: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:17428: \$? = $ac_status" >&5 + echo "$as_me:17429: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -17711,11 +17712,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:17714: $lt_compile\"" >&5) + (eval echo "\"\$as_me:17715: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:17718: \$? = $ac_status" >&5 + echo "$as_me:17719: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -17815,11 +17816,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:17818: $lt_compile\"" >&5) + (eval echo "\"\$as_me:17819: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:17822: \$? = $ac_status" >&5 + echo "$as_me:17823: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized 
@@ -23769,6 +23770,23 @@ fi done +# Check whether --enable-sha2 was given. +if test "${enable_sha2+set}" = set; then + enableval=$enable_sha2; +fi + +case "$enable_sha2" in + yes) + +cat >>confdefs.h <<_ACEOF +#define USE_SHA2 +_ACEOF + + ;; + no|*) + ;; +esac + # check to see if libraries are needed for these functions. { echo "$as_me:$LINENO: checking for library containing inet_pton" >&5 echo $ECHO_N "checking for library containing inet_pton... $ECHO_C" >&6; } diff --git a/configure.ac b/configure.ac index 6fbfcc8ec..bee118141 100644 --- a/configure.ac +++ b/configure.ac @@ -348,6 +348,15 @@ ACX_WITH_SSL ACX_LIB_SSL AC_CHECK_FUNCS([EVP_sha1 EVP_sha256 EVP_sha512 ENGINE_load_gost]) +AC_ARG_ENABLE(sha2, AC_HELP_STRING([--enable-sha2], [Enable SHA256 and SHA512 RRSIG support])) +case "$enable_sha2" in + yes) + AC_DEFINE_UNQUOTED([USE_SHA2], [], [Define this to enable SHA256 and SHA512 support.]) + ;; + no|*) + ;; +esac + # check to see if libraries are needed for these functions. AC_SEARCH_LIBS([inet_pton], [nsl]) AC_SEARCH_LIBS([socket], [socket]) diff --git a/doc/Changelog b/doc/Changelog index a422f922b..fe1318dde 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,8 @@ +2 June 2009: Wouter + - --enable-sha2 option. The draft rsasha256 changed its algorithm + numbers too often. Therefore it is more prudent to disable the + RSASHA256 and RSASHA512 support by default. + 29 May 2009: Wouter - fixup doc bug in README reported by Matthew Dempsky. diff --git a/doc/README b/doc/README index eaa781fb8..b35658873 100644 --- a/doc/README +++ b/doc/README @@ -63,6 +63,8 @@ This software is under BSD license, see LICENSE for details. Needs python-devel and swig development tools. * --with-pythonmodule Compile the python module that processes responses in the server. + * --enable-sha2 + Enable draft support for RSASHA256 and RSASHA512. * 'make test' attempts to run a series of tests, depending on the support programs that are installed. 
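Review bot: The `yes)` arm of the new `case "$enable_sha2"` defines USE_SHA2 without checking that the `AC_CHECK_FUNCS([EVP_sha1 EVP_sha256 EVP_sha512 ...])` just above actually found the SHA-2 digests, and the C side gates on both macros, so `--enable-sha2` against an OpenSSL lacking them silently yields a build with no SHA-2 validation. The check result is already available, so fail loudly before the define: `if test "$ac_cv_func_EVP_sha256" != yes -o "$ac_cv_func_EVP_sha512" != yes; then AC_MSG_ERROR([--enable-sha2 requires EVP_sha256 and EVP_sha512 in the OpenSSL library]); fi`. The `no|*)` arm also maps any unrecognised value (a typo such as `--enable-sha2=ys`) to "disabled" without a message; a separate `*) AC_MSG_ERROR([bad value ${enableval} for --enable-sha2])` arm would catch that. The generated `configure` hunk would need the same change once `configure.ac` is regenerated.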
diff --git a/testcode/testbound.c b/testcode/testbound.c
index e503a27cf..1ed7fc5d1 100644
--- a/testcode/testbound.c
+++ b/testcode/testbound.c
@@ -227,7 +227,7 @@ main(int argc, char* argv[])
 while( (c=getopt(argc, argv, "2ho:p:")) != -1) {
 switch(c) {
 case '2':
-#ifdef HAVE_EVP_SHA256
+#if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
 printf("SHA256 supported\n");
 exit(0);
 #else
diff --git a/testcode/unitverify.c b/testcode/unitverify.c
index 857783aee..651e1d73c 100644
--- a/testcode/unitverify.c
+++ b/testcode/unitverify.c
@@ -474,12 +474,14 @@ verify_test()
 verifytest_file("testdata/test_signatures.6", "20080416005004");
 verifytest_file("testdata/test_signatures.7", "20070829144150");
 verifytest_file("testdata/test_signatures.8", "20070829144150");
-#ifdef HAVE_EVP_SHA256
+#if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
 verifytest_file("testdata/test_signatures.9", "20070829144150");
 verifytest_file("testdata/test_signatures.11", "20070829144150");
 #endif
-#ifdef HAVE_EVP_SHA512
+#if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
+ /* Skip test. Algorithm number uncertainty
 verifytest_file("testdata/test_signatures.10", "20070829144150");
+ */
 #endif
 verifytest_file("testdata/test_signatures.12", "20090107100022");
 verifytest_file("testdata/test_signatures.13", "20080414005004");
diff --git a/validator/val_sigcrypt.c b/validator/val_sigcrypt.c
index 9b84ab9f4..0d2ebf413 100644
--- a/validator/val_sigcrypt.c
+++ b/validator/val_sigcrypt.c
@@ -370,10 +370,10 @@ dnskey_algo_id_is_supported(int id)
 case LDNS_RSASHA1:
 case LDNS_RSASHA1_NSEC3:
 case LDNS_RSAMD5:
-#ifdef HAVE_EVP_SHA256
+#if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
 case LDNS_RSASHA256:
 #endif
-#ifdef HAVE_EVP_SHA512
+#if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
 case LDNS_RSASHA512:
 #endif
 return 1;
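Review bot: The RSASHA512 guard in verify_test() is now an empty `#if` block, because the only call inside it (`verifytest_file("testdata/test_signatures.10", ...)`) has been wrapped in a block comment; that leaves dead code under a preprocessor conditional and means no RSASHA512 signature is exercised even in an `--enable-sha2` build. If the test has to stay out until the algorithm number settles, prefer `#if 0` with a reason comment, e.g. `/* TODO: re-enable test_signatures.10 once the RSASHA512 algorithm number is final */`, or drop the call and keep only the comment, so the intent is not lost on the next edit. verify_test() begins and ends outside this hunk.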
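Review bot: With USE_SHA2 off by default, dnskey_algo_id_is_supported() now reports LDNS_RSASHA256 and LDNS_RSASHA512 as unsupported even when OpenSSL provides them, and nothing at this site records why. If the callers (outside this hunk) follow RFC 4035 §5.2 and treat a zone whose DNSKEYs all use an unsupported algorithm as insecure rather than bogus, then a default build accepts answers from zones signed only with these algorithms without validating them — the trade-off the Changelog describes, but one an operator reading this function should see stated. A comment above the first `#if` would do: `/* RSASHA256/RSASHA512 need both OpenSSL support (HAVE_EVP_SHA*) and --enable-sha2; otherwise they are reported unsupported and zones signed only with them are not validated. */`. The function's signature is in the hunk header, outside the hunk.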
@@ -1237,10 +1237,10 @@ setup_key_digest(int algo, EVP_PKEY* evp_key, const EVP_MD** digest_type,
 break;
 case LDNS_RSASHA1:
 case LDNS_RSASHA1_NSEC3:
-#ifdef HAVE_EVP_SHA256
+#if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
 case LDNS_RSASHA256:
 #endif
-#ifdef HAVE_EVP_SHA512
+#if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
 case LDNS_RSASHA512:
 #endif
 rsa = ldns_key_buf2rsa_raw(key, keylen);
@@ -1256,12 +1256,12 @@ setup_key_digest(int algo, EVP_PKEY* evp_key, const EVP_MD** digest_type,
 }
 /* select SHA version */
-#ifdef HAVE_EVP_SHA256
+#if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
 if(algo == LDNS_RSASHA256)
 *digest_type = EVP_sha256();
 else
 #endif
-#ifdef HAVE_EVP_SHA512
+#if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
 if(algo == LDNS_RSASHA512)
 *digest_type = EVP_sha512();
 else
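Review bot: The predicate `defined(HAVE_EVP_SHA256) && defined(USE_SHA2)` (and its SHA512 twin) is now spelled out by hand at six sites across three files, including both guards in setup_key_digest(); if one site is later edited without the others, the algorithm-support table in dnskey_algo_id_is_supported() and the digest selection here can disagree, which is exactly the kind of divergence that produces a key accepted as supported but never verified. Derive the two conditions once in a shared header and use the derived names everywhere, e.g. `#if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)` / `#define USE_SHA256 1` / `#endif` next to the config.h include, then `#ifdef USE_SHA256` at each site. setup_key_digest() starts before this hunk and continues past the end of the page.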