upstream/unbound
1
0
Fork 0
mirror of https://github.com/NLnetLabs/unbound.git synced 2025-12-20 23:00:56 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

rsasha256 and rsasha512 not enabled by default.

Browse source 
git-svn-id: file:///svn/unbound/trunk@1631 be551aaa-1e26-0410-a405-d3ace91eadb9
This commit is contained in:
Wouter Wijngaards 2009-06-02 09:04:16 +00:00
parent 71b6537666
commit 4b449309e5
8 changed files with 71 additions and 32 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
config.h.in
View file

@ -400,6 +400,9 @@
/* Define if you want to use internal select based events */ /* Define if you want to use internal select based events */
#undef USE_MINI_EVENT #undef USE_MINI_EVENT
/* Define this to enable SHA256 and SHA512 support. */
#undef USE_SHA2
/* Whether the windows socket API is used */ /* Whether the windows socket API is used */
#undef USE_WINSOCK #undef USE_WINSOCK

64
configure vendored
View file

@ -1464,6 +1464,7 @@ Optional Features:
optimize for fast installation [default=yes] optimize for fast installation [default=yes]
--disable-libtool-lock avoid locking (might break parallel builds) --disable-libtool-lock avoid locking (might break parallel builds)
--disable-rpath disable hardcoded rpath (default=enabled) --disable-rpath disable hardcoded rpath (default=enabled)
--enable-sha2 Enable SHA256 and SHA512 RRSIG support
--enable-static-exe enable to compile executables statically against --enable-static-exe enable to compile executables statically against
event, ldns libs, for debug purposes event, ldns libs, for debug purposes
--enable-lock-checks enable to check lock and unlock calls, for debug --enable-lock-checks enable to check lock and unlock calls, for debug
@ -6881,7 +6882,7 @@ ia64-*-hpux*)
;; ;;
*-*-irix6*) *-*-irix6*)
# Find out which ABI we are using. # Find out which ABI we are using.
echo '#line 6884 "configure"' > conftest.$ac_ext echo '#line 6885 "configure"' > conftest.$ac_ext
if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
(eval $ac_compile) 2>&5 (eval $ac_compile) 2>&5
ac_status=$? ac_status=$?
@ -8195,11 +8196,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'` -e 's:$: $lt_compiler_flag:'`
(eval echo "\"\$as_me:8198: $lt_compile\"" >&5) (eval echo "\"\$as_me:8199: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err) (eval "$lt_compile" 2>conftest.err)
ac_status=$? ac_status=$?
cat conftest.err >&5 cat conftest.err >&5
echo "$as_me:8202: \$? = $ac_status" >&5 echo "$as_me:8203: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized # The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings other than the usual output. # So say no if there are warnings other than the usual output.
@ -8485,11 +8486,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'` -e 's:$: $lt_compiler_flag:'`
(eval echo "\"\$as_me:8488: $lt_compile\"" >&5) (eval echo "\"\$as_me:8489: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err) (eval "$lt_compile" 2>conftest.err)
ac_status=$? ac_status=$?
cat conftest.err >&5 cat conftest.err >&5
echo "$as_me:8492: \$? = $ac_status" >&5 echo "$as_me:8493: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized # The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings other than the usual output. # So say no if there are warnings other than the usual output.
@ -8589,11 +8590,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'` -e 's:$: $lt_compiler_flag:'`
(eval echo "\"\$as_me:8592: $lt_compile\"" >&5) (eval echo "\"\$as_me:8593: $lt_compile\"" >&5)
(eval "$lt_compile" 2>out/conftest.err) (eval "$lt_compile" 2>out/conftest.err)
ac_status=$? ac_status=$?
cat out/conftest.err >&5 cat out/conftest.err >&5
echo "$as_me:8596: \$? = $ac_status" >&5 echo "$as_me:8597: \$? = $ac_status" >&5
if (exit $ac_status) && test -s out/conftest2.$ac_objext if (exit $ac_status) && test -s out/conftest2.$ac_objext
then then
# The compiler can only warn and ignore the option if not recognized # The compiler can only warn and ignore the option if not recognized
@ -10940,7 +10941,7 @@ else
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<EOF cat > conftest.$ac_ext <<EOF
#line 10943 "configure" #line 10944 "configure"
#include "confdefs.h" #include "confdefs.h"
#if HAVE_DLFCN_H #if HAVE_DLFCN_H
@ -11040,7 +11041,7 @@ else
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<EOF cat > conftest.$ac_ext <<EOF
#line 11043 "configure" #line 11044 "configure"
#include "confdefs.h" #include "confdefs.h"
#if HAVE_DLFCN_H #if HAVE_DLFCN_H
@ -13460,11 +13461,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'` -e 's:$: $lt_compiler_flag:'`
(eval echo "\"\$as_me:13463: $lt_compile\"" >&5) (eval echo "\"\$as_me:13464: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err) (eval "$lt_compile" 2>conftest.err)
ac_status=$? ac_status=$?
cat conftest.err >&5 cat conftest.err >&5
echo "$as_me:13467: \$? = $ac_status" >&5 echo "$as_me:13468: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized # The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings other than the usual output. # So say no if there are warnings other than the usual output.
@ -13564,11 +13565,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'` -e 's:$: $lt_compiler_flag:'`
(eval echo "\"\$as_me:13567: $lt_compile\"" >&5) (eval echo "\"\$as_me:13568: $lt_compile\"" >&5)
(eval "$lt_compile" 2>out/conftest.err) (eval "$lt_compile" 2>out/conftest.err)
ac_status=$? ac_status=$?
cat out/conftest.err >&5 cat out/conftest.err >&5
echo "$as_me:13571: \$? = $ac_status" >&5 echo "$as_me:13572: \$? = $ac_status" >&5
if (exit $ac_status) && test -s out/conftest2.$ac_objext if (exit $ac_status) && test -s out/conftest2.$ac_objext
then then
# The compiler can only warn and ignore the option if not recognized # The compiler can only warn and ignore the option if not recognized
@ -15128,11 +15129,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'` -e 's:$: $lt_compiler_flag:'`
(eval echo "\"\$as_me:15131: $lt_compile\"" >&5) (eval echo "\"\$as_me:15132: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err) (eval "$lt_compile" 2>conftest.err)
ac_status=$? ac_status=$?
cat conftest.err >&5 cat conftest.err >&5
echo "$as_me:15135: \$? = $ac_status" >&5 echo "$as_me:15136: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized # The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings other than the usual output. # So say no if there are warnings other than the usual output.
@ -15232,11 +15233,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'` -e 's:$: $lt_compiler_flag:'`
(eval echo "\"\$as_me:15235: $lt_compile\"" >&5) (eval echo "\"\$as_me:15236: $lt_compile\"" >&5)
(eval "$lt_compile" 2>out/conftest.err) (eval "$lt_compile" 2>out/conftest.err)
ac_status=$? ac_status=$?
cat out/conftest.err >&5 cat out/conftest.err >&5
echo "$as_me:15239: \$? = $ac_status" >&5 echo "$as_me:15240: \$? = $ac_status" >&5
if (exit $ac_status) && test -s out/conftest2.$ac_objext if (exit $ac_status) && test -s out/conftest2.$ac_objext
then then
# The compiler can only warn and ignore the option if not recognized # The compiler can only warn and ignore the option if not recognized
@ -17421,11 +17422,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'` -e 's:$: $lt_compiler_flag:'`
(eval echo "\"\$as_me:17424: $lt_compile\"" >&5) (eval echo "\"\$as_me:17425: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err) (eval "$lt_compile" 2>conftest.err)
ac_status=$? ac_status=$?
cat conftest.err >&5 cat conftest.err >&5
echo "$as_me:17428: \$? = $ac_status" >&5 echo "$as_me:17429: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized # The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings other than the usual output. # So say no if there are warnings other than the usual output.
@ -17711,11 +17712,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'` -e 's:$: $lt_compiler_flag:'`
(eval echo "\"\$as_me:17714: $lt_compile\"" >&5) (eval echo "\"\$as_me:17715: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err) (eval "$lt_compile" 2>conftest.err)
ac_status=$? ac_status=$?
cat conftest.err >&5 cat conftest.err >&5
echo "$as_me:17718: \$? = $ac_status" >&5 echo "$as_me:17719: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized # The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings other than the usual output. # So say no if there are warnings other than the usual output.
@ -17815,11 +17816,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'` -e 's:$: $lt_compiler_flag:'`
(eval echo "\"\$as_me:17818: $lt_compile\"" >&5) (eval echo "\"\$as_me:17819: $lt_compile\"" >&5)
(eval "$lt_compile" 2>out/conftest.err) (eval "$lt_compile" 2>out/conftest.err)
ac_status=$? ac_status=$?
cat out/conftest.err >&5 cat out/conftest.err >&5
echo "$as_me:17822: \$? = $ac_status" >&5 echo "$as_me:17823: \$? = $ac_status" >&5
if (exit $ac_status) && test -s out/conftest2.$ac_objext if (exit $ac_status) && test -s out/conftest2.$ac_objext
then then
# The compiler can only warn and ignore the option if not recognized # The compiler can only warn and ignore the option if not recognized
@ -23769,6 +23770,23 @@ fi
done done
# Check whether --enable-sha2 was given.
if test "${enable_sha2+set}" = set; then
enableval=$enable_sha2;
fi
case "$enable_sha2" in
yes)
cat >>confdefs.h <<_ACEOF
#define USE_SHA2
_ACEOF
;;
no|*)
;;
esac
# check to see if libraries are needed for these functions. # check to see if libraries are needed for these functions.
{ echo "$as_me:$LINENO: checking for library containing inet_pton" >&5 { echo "$as_me:$LINENO: checking for library containing inet_pton" >&5
echo $ECHO_N "checking for library containing inet_pton... $ECHO_C" >&6; } echo $ECHO_N "checking for library containing inet_pton... $ECHO_C" >&6; }

9
configure.ac
View file

@ -348,6 +348,15 @@ ACX_WITH_SSL
ACX_LIB_SSL ACX_LIB_SSL
AC_CHECK_FUNCS([EVP_sha1 EVP_sha256 EVP_sha512 ENGINE_load_gost]) AC_CHECK_FUNCS([EVP_sha1 EVP_sha256 EVP_sha512 ENGINE_load_gost])
AC_ARG_ENABLE(sha2, AC_HELP_STRING([--enable-sha2], [Enable SHA256 and SHA512 RRSIG support]))
case "$enable_sha2" in
yes)
AC_DEFINE_UNQUOTED([USE_SHA2], [], [Define this to enable SHA256 and SHA512 support.])
;;
no|*)
;;
esac
# check to see if libraries are needed for these functions. # check to see if libraries are needed for these functions.
AC_SEARCH_LIBS([inet_pton], [nsl]) AC_SEARCH_LIBS([inet_pton], [nsl])
AC_SEARCH_LIBS([socket], [socket]) AC_SEARCH_LIBS([socket], [socket])

5
doc/Changelog
View file

@ -1,3 +1,8 @@
2 June 2009: Wouter
- --enable-sha2 option. The draft rsasha256 changed its algorithm
numbers too often. Therefore it is more prudent to disable the
RSASHA256 and RSASHA512 support by default.
29 May 2009: Wouter 29 May 2009: Wouter
- fixup doc bug in README reported by Matthew Dempsky. - fixup doc bug in README reported by Matthew Dempsky.

2
doc/README
View file

@ -63,6 +63,8 @@ This software is under BSD license, see LICENSE for details.
Needs python-devel and swig development tools. Needs python-devel and swig development tools.
* --with-pythonmodule * --with-pythonmodule
Compile the python module that processes responses in the server. Compile the python module that processes responses in the server.
* --enable-sha2
Enable draft support for RSASHA256 and RSASHA512.
* 'make test' attempts to run a series of tests, depending on the support * 'make test' attempts to run a series of tests, depending on the support
programs that are installed. programs that are installed.

2
testcode/testbound.c
View file

@ -227,7 +227,7 @@ main(int argc, char* argv[])
while( (c=getopt(argc, argv, "2ho:p:")) != -1) { while( (c=getopt(argc, argv, "2ho:p:")) != -1) {
switch(c) { switch(c) {
case '2': case '2':
#ifdef HAVE_EVP_SHA256 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
printf("SHA256 supported\n"); printf("SHA256 supported\n");
exit(0); exit(0);
#else #else

6
testcode/unitverify.c
View file

@ -474,12 +474,14 @@ verify_test()
verifytest_file("testdata/test_signatures.6", "20080416005004"); verifytest_file("testdata/test_signatures.6", "20080416005004");
verifytest_file("testdata/test_signatures.7", "20070829144150"); verifytest_file("testdata/test_signatures.7", "20070829144150");
verifytest_file("testdata/test_signatures.8", "20070829144150"); verifytest_file("testdata/test_signatures.8", "20070829144150");
#ifdef HAVE_EVP_SHA256 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
verifytest_file("testdata/test_signatures.9", "20070829144150"); verifytest_file("testdata/test_signatures.9", "20070829144150");
verifytest_file("testdata/test_signatures.11", "20070829144150"); verifytest_file("testdata/test_signatures.11", "20070829144150");
#endif #endif
#ifdef HAVE_EVP_SHA512 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
/* Skip test. Algorithm number uncertainty
verifytest_file("testdata/test_signatures.10", "20070829144150"); verifytest_file("testdata/test_signatures.10", "20070829144150");
*/
#endif #endif
verifytest_file("testdata/test_signatures.12", "20090107100022"); verifytest_file("testdata/test_signatures.12", "20090107100022");
verifytest_file("testdata/test_signatures.13", "20080414005004"); verifytest_file("testdata/test_signatures.13", "20080414005004");

12
validator/val_sigcrypt.c
View file

@ -370,10 +370,10 @@ dnskey_algo_id_is_supported(int id)
case LDNS_RSASHA1: case LDNS_RSASHA1:
case LDNS_RSASHA1_NSEC3: case LDNS_RSASHA1_NSEC3:
case LDNS_RSAMD5: case LDNS_RSAMD5:
#ifdef HAVE_EVP_SHA256 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
case LDNS_RSASHA256: case LDNS_RSASHA256:
#endif #endif
#ifdef HAVE_EVP_SHA512 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
case LDNS_RSASHA512: case LDNS_RSASHA512:
#endif #endif
return 1; return 1;
@ -1237,10 +1237,10 @@ setup_key_digest(int algo, EVP_PKEY* evp_key, const EVP_MD** digest_type,
break; break;
case LDNS_RSASHA1: case LDNS_RSASHA1:
case LDNS_RSASHA1_NSEC3: case LDNS_RSASHA1_NSEC3:
#ifdef HAVE_EVP_SHA256 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
case LDNS_RSASHA256: case LDNS_RSASHA256:
#endif #endif
#ifdef HAVE_EVP_SHA512 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
case LDNS_RSASHA512: case LDNS_RSASHA512:
#endif #endif
rsa = ldns_key_buf2rsa_raw(key, keylen); rsa = ldns_key_buf2rsa_raw(key, keylen);
@ -1256,12 +1256,12 @@ setup_key_digest(int algo, EVP_PKEY* evp_key, const EVP_MD** digest_type,
} }
/* select SHA version */ /* select SHA version */
#ifdef HAVE_EVP_SHA256 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
if(algo == LDNS_RSASHA256) if(algo == LDNS_RSASHA256)
*digest_type = EVP_sha256(); *digest_type = EVP_sha256();
else else
#endif #endif
#ifdef HAVE_EVP_SHA512 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
if(algo == LDNS_RSASHA512) if(algo == LDNS_RSASHA512)
*digest_type = EVP_sha512(); *digest_type = EVP_sha512();
else else