upstream/unbound
1
0
Fork 0
mirror of https://github.com/NLnetLabs/unbound.git synced 2026-01-11 09:12:53 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

merge master

Browse source
This commit is contained in:
Tomasz Ziolkowski 2021-08-04 13:02:20 +02:00
commit a922c6d525
22 changed files with 540 additions and 121 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
Makefile.in
View file

@ -250,7 +250,7 @@ DELAYER_OBJ_LINK=$(DELAYER_OBJ) worker_cb.lo $(COMMON_OBJ) $(COMPAT_OBJ) \
$(SLDNS_OBJ)
READZONE_SRC=testcode/readzone.c
READZONE_OBJ=readzone.lo
READZONE_OBJ_LINK=$(READZONE_OBJ) $(COMPAT_OBJ) $(SLDNS_OBJ)
READZONE_OBJ_LINK=$(READZONE_OBJ) worker_cb.lo $(COMMON_OBJ) $(COMPAT_OBJ) $(SLDNS_OBJ)
IPSET_SRC=@IPSET_SRC@
IPSET_OBJ=@IPSET_OBJ@
DNSTAP_SOCKET_SRC=dnstap/unbound-dnstap-socket.c

15
acx_nlnetlabs.m4
View file

@ -2,7 +2,8 @@
# Copyright 2009, Wouter Wijngaards, NLnet Labs.
# BSD licensed.
#
# Version 40
# Version 41
# 2021-07-30 fix for openssl use of lib64 directory.
# 2021-06-14 fix nonblocking test to use host instead of target for mingw test.
# 2021-05-17 fix nonblocking socket test from grep on mingw32 to mingw for
# 64bit compatibility.
@ -669,9 +670,15 @@ AC_DEFUN([ACX_SSL_CHECKS], [
HAVE_SSL=yes
dnl assume /usr is already in the lib and dynlib paths.
if test "$ssldir" != "/usr" -a "$ssldir" != ""; then
LDFLAGS="$LDFLAGS -L$ssldir/lib"
LIBSSL_LDFLAGS="$LIBSSL_LDFLAGS -L$ssldir/lib"
ACX_RUNTIME_PATH_ADD([$ssldir/lib])
if test ! -d "$ssldir/lib" -a -d "$ssldir/lib64"; then
LDFLAGS="$LDFLAGS -L$ssldir/lib64"
LIBSSL_LDFLAGS="$LIBSSL_LDFLAGS -L$ssldir/lib64"
ACX_RUNTIME_PATH_ADD([$ssldir/lib64])
else
LDFLAGS="$LDFLAGS -L$ssldir/lib"
LIBSSL_LDFLAGS="$LIBSSL_LDFLAGS -L$ssldir/lib"
ACX_RUNTIME_PATH_ADD([$ssldir/lib])
fi
fi
AC_MSG_CHECKING([for EVP_sha256 in -lcrypto])

17
config.h.in
View file

@ -429,6 +429,9 @@
/* Define to 1 if you have the `OPENSSL_init_ssl' function. */
#undef HAVE_OPENSSL_INIT_SSL
/* Define to 1 if you have the <openssl/param_build.h> header file. */
#undef HAVE_OPENSSL_PARAM_BUILD_H
/* Define to 1 if you have the <openssl/rand.h> header file. */
#undef HAVE_OPENSSL_RAND_H
@ -438,6 +441,9 @@
/* Define to 1 if you have the <openssl/ssl.h> header file. */
#undef HAVE_OPENSSL_SSL_H
/* Define to 1 if you have the `OSSL_PARAM_BLD_new' function. */
#undef HAVE_OSSL_PARAM_BLD_NEW
/* Define if you have POSIX threads libraries and header files. */
#undef HAVE_PTHREAD
@ -541,6 +547,9 @@
/* Define to 1 if you have the `SSL_get0_peername' function. */
#undef HAVE_SSL_GET0_PEERNAME
/* Define to 1 if you have the `SSL_get1_peer_certificate' function. */
#undef HAVE_SSL_GET1_PEER_CERTIFICATE
/* Define to 1 if you have the `SSL_set1_host' function. */
#undef HAVE_SSL_SET1_HOST
@ -856,6 +865,14 @@
/* Define if you enable libevent */
#undef USE_LIBEVENT
/* Define this to enable use of /proc/sys/net/ipv4/ip_local_port_range as a
default outgoing port range. This is only for the libunbound on Linux and
does not affect unbound resolving daemon itself. This may severely limit
the number of available outgoing ports and thus decrease randomness. Define
this only when the target system restricts (e.g. some of SELinux enabled
distributions) the use of non-ephemeral ports. */
#undef USE_LINUX_IP_LOCAL_PORT_RANGE
/* Define if you want to use internal select based events */
#undef USE_MINI_EVENT

64
configure vendored
View file

@ -812,7 +812,6 @@ infodir
docdir
oldincludedir
includedir
runstatedir
localstatedir
sharedstatedir
sysconfdir
@ -903,6 +902,7 @@ enable_ipsecmod
enable_ipset
with_libmnl
enable_explicit_port_randomisation
enable_linux_ip_local_port_range
with_libunbound_only
'
ac_precious_vars='build_alias
@ -963,7 +963,6 @@ datadir='${datarootdir}'
sysconfdir='${prefix}/etc'
sharedstatedir='${prefix}/com'
localstatedir='${prefix}/var'
runstatedir='${localstatedir}/run'
includedir='${prefix}/include'
oldincludedir='/usr/include'
docdir='${datarootdir}/doc/${PACKAGE_TARNAME}'
@ -1216,15 +1215,6 @@ do
| -silent | --silent | --silen | --sile | --sil)
silent=yes ;;
-runstatedir | --runstatedir | --runstatedi | --runstated \
| --runstate | --runstat | --runsta | --runst | --runs \
| --run | --ru | --r)
ac_prev=runstatedir ;;
-runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \
| --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \
| --run=* | --ru=* | --r=*)
runstatedir=$ac_optarg ;;
-sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
ac_prev=sbindir ;;
-sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
@ -1362,7 +1352,7 @@ fi
for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \
datadir sysconfdir sharedstatedir localstatedir includedir \
oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
libdir localedir mandir runstatedir
libdir localedir mandir
do
eval ac_val=\$$ac_var
# Remove trailing slashes.
@ -1515,7 +1505,6 @@ Fine tuning of the installation directories:
--sysconfdir=DIR read-only single-machine data [PREFIX/etc]
--sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]
--localstatedir=DIR modifiable single-machine data [PREFIX/var]
--runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run]
--libdir=DIR object code libraries [EPREFIX/lib]
--includedir=DIR C header files [PREFIX/include]
--oldincludedir=DIR C header files for non-gcc [/usr/include]
@ -1606,6 +1595,16 @@ Optional Features:
--disable-explicit-port-randomisation
disable explicit source port randomisation and rely
on the kernel to provide random source ports
--enable-linux-ip-local-port-range
Define this to enable use of
/proc/sys/net/ipv4/ip_local_port_range as a default
outgoing port range. This is only for the libunbound
on Linux and does not affect unbound resolving
daemon itself. This may severely limit the number of
available outgoing ports and thus decrease
randomness. Define this only when the target system
restricts (e.g. some of SELinux enabled
distributions) the use of non-ephemeral ports.
Optional Packages:
--with-PACKAGE[=ARG] use PACKAGE [ARG=yes]
@ -18026,8 +18025,19 @@ _ACEOF
$as_echo "found in $ssldir" >&6; }
HAVE_SSL=yes
if test "$ssldir" != "/usr" -a "$ssldir" != ""; then
LDFLAGS="$LDFLAGS -L$ssldir/lib"
LIBSSL_LDFLAGS="$LIBSSL_LDFLAGS -L$ssldir/lib"
if test ! -d "$ssldir/lib" -a -d "$ssldir/lib64"; then
LDFLAGS="$LDFLAGS -L$ssldir/lib64"
LIBSSL_LDFLAGS="$LIBSSL_LDFLAGS -L$ssldir/lib64"
if test "x$enable_rpath" = xyes; then
if echo "$ssldir/lib64" | grep "^/" >/dev/null; then
RUNTIME_PATH="$RUNTIME_PATH -R$ssldir/lib64"
fi
fi
else
LDFLAGS="$LDFLAGS -L$ssldir/lib"
LIBSSL_LDFLAGS="$LIBSSL_LDFLAGS -L$ssldir/lib"
if test "x$enable_rpath" = xyes; then
if echo "$ssldir/lib" | grep "^/" >/dev/null; then
@ -18035,6 +18045,7 @@ $as_echo "found in $ssldir" >&6; }
fi
fi
fi
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for EVP_sha256 in -lcrypto" >&5
@ -18417,7 +18428,7 @@ else
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
fi
for ac_header in openssl/conf.h openssl/engine.h openssl/bn.h openssl/dh.h openssl/dsa.h openssl/rsa.h openssl/core_names.h
for ac_header in openssl/conf.h openssl/engine.h openssl/bn.h openssl/dh.h openssl/dsa.h openssl/rsa.h openssl/core_names.h openssl/param_build.h
do :
as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default
@ -18431,7 +18442,7 @@ fi
done
for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback EVP_MAC_CTX_set_params
for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback EVP_MAC_CTX_set_params OSSL_PARAM_BLD_new
do :
as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
@ -18447,7 +18458,7 @@ done
# these check_funcs need -lssl
BAKLIBS="$LIBS"
LIBS="-lssl $LIBS"
for ac_func in OPENSSL_init_ssl SSL_CTX_set_security_level SSL_set1_host SSL_get0_peername X509_VERIFY_PARAM_set1_host SSL_CTX_set_ciphersuites SSL_CTX_set_tlsext_ticket_key_evp_cb SSL_CTX_set_alpn_select_cb SSL_get0_alpn_selected SSL_CTX_set_alpn_protos
for ac_func in OPENSSL_init_ssl SSL_CTX_set_security_level SSL_set1_host SSL_get0_peername X509_VERIFY_PARAM_set1_host SSL_CTX_set_ciphersuites SSL_CTX_set_tlsext_ticket_key_evp_cb SSL_CTX_set_alpn_select_cb SSL_get0_alpn_selected SSL_CTX_set_alpn_protos SSL_get1_peer_certificate
do :
as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
@ -21638,6 +21649,23 @@ $as_echo "#define DISABLE_EXPLICIT_PORT_RANDOMISATION 1" >>confdefs.h
;;
esac
if echo "$host" | $GREP -i -e linux >/dev/null; then
# Check whether --enable-linux-ip-local-port-range was given.
if test "${enable_linux_ip_local_port_range+set}" = set; then :
enableval=$enable_linux_ip_local_port_range;
fi
case "$enable_linux_ip_local_port_range" in
yes)
$as_echo "#define USE_LINUX_IP_LOCAL_PORT_RANGE 1" >>confdefs.h
;;
no|*)
;;
esac
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if ${MAKE:-make} supports $< with implicit rule in scope" >&5
$as_echo_n "checking if ${MAKE:-make} supports $< with implicit rule in scope... " >&6; }

17
configure.ac
View file

@ -859,13 +859,13 @@ if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/
else
AC_MSG_RESULT([no])
fi
AC_CHECK_HEADERS([openssl/conf.h openssl/engine.h openssl/bn.h openssl/dh.h openssl/dsa.h openssl/rsa.h openssl/core_names.h],,, [AC_INCLUDES_DEFAULT])
AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback EVP_MAC_CTX_set_params])
AC_CHECK_HEADERS([openssl/conf.h openssl/engine.h openssl/bn.h openssl/dh.h openssl/dsa.h openssl/rsa.h openssl/core_names.h openssl/param_build.h],,, [AC_INCLUDES_DEFAULT])
AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback EVP_MAC_CTX_set_params OSSL_PARAM_BLD_new])
# these check_funcs need -lssl
BAKLIBS="$LIBS"
LIBS="-lssl $LIBS"
AC_CHECK_FUNCS([OPENSSL_init_ssl SSL_CTX_set_security_level SSL_set1_host SSL_get0_peername X509_VERIFY_PARAM_set1_host SSL_CTX_set_ciphersuites SSL_CTX_set_tlsext_ticket_key_evp_cb SSL_CTX_set_alpn_select_cb SSL_get0_alpn_selected SSL_CTX_set_alpn_protos])
AC_CHECK_FUNCS([OPENSSL_init_ssl SSL_CTX_set_security_level SSL_set1_host SSL_get0_peername X509_VERIFY_PARAM_set1_host SSL_CTX_set_ciphersuites SSL_CTX_set_tlsext_ticket_key_evp_cb SSL_CTX_set_alpn_select_cb SSL_get0_alpn_selected SSL_CTX_set_alpn_protos SSL_get1_peer_certificate])
LIBS="$BAKLIBS"
AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto], [], [], [
@ -1862,6 +1862,17 @@ case "$enable_explicit_port_randomisation" in
;;
esac
if echo "$host" | $GREP -i -e linux >/dev/null; then
AC_ARG_ENABLE(linux-ip-local-port-range, AC_HELP_STRING([--enable-linux-ip-local-port-range], [Define this to enable use of /proc/sys/net/ipv4/ip_local_port_range as a default outgoing port range. This is only for the libunbound on Linux and does not affect unbound resolving daemon itself. This may severely limit the number of available outgoing ports and thus decrease randomness. Define this only when the target system restricts (e.g. some of SELinux enabled distributions) the use of non-ephemeral ports.]))
case "$enable_linux_ip_local_port_range" in
yes)
AC_DEFINE([USE_LINUX_IP_LOCAL_PORT_RANGE], [1], [Define this to enable use of /proc/sys/net/ipv4/ip_local_port_range as a default outgoing port range. This is only for the libunbound on Linux and does not affect unbound resolving daemon itself. This may severely limit the number of available outgoing ports and thus decrease randomness. Define this only when the target system restricts (e.g. some of SELinux enabled distributions) the use of non-ephemeral ports.])
;;
no|*)
;;
esac
fi
AC_MSG_CHECKING([if ${MAKE:-make} supports $< with implicit rule in scope])
# on openBSD, the implicit rule make $< work.

4
daemon/remote.c
View file

@ -3338,7 +3338,11 @@ int remote_control_callback(struct comm_point* c, void* arg, int err,
if (!rc->use_cert) {
verbose(VERB_ALGO, "unauthenticated remote control connection");
} else if(SSL_get_verify_result(s->ssl) == X509_V_OK) {
#ifdef HAVE_SSL_GET1_PEER_CERTIFICATE
X509* x = SSL_get1_peer_certificate(s->ssl);
#else
X509* x = SSL_get_peer_certificate(s->ssl);
#endif
if(!x) {
verbose(VERB_DETAIL, "remote control connection "
"provided no client certificate");

2
daemon/unbound.c
View file

@ -222,7 +222,7 @@ checkrlimits(struct config_file* cfg)
#endif
if(getrlimit(RLIMIT_DATA, &rlim) == 0) {
if(rlim.rlim_cur != (rlim_t)RLIM_INFINITY &&
rlim.rlim_cur < memsize_expect) {
rlim.rlim_cur < (rlim_t)memsize_expect) {
log_warn("the ulimit(data seg size) is smaller than the expected memory usage (added size of caches). %u < %u bytes", (unsigned)rlim.rlim_cur, (unsigned)memsize_expect);
}
}

39
doc/Changelog
View file

@ -1,3 +1,42 @@
4 August 2021: George
- Merge PR #415 from sibeream: Use
/proc/sys/net/ipv4/ip_local_port_range to determine available outgoing
ports. (New --enable-linux-ip-local-port-range configuration option)
- Bump MAX_RESTART_COUNT to 11 from 8; in relation to #438. This
allows longer CNAME chains in Unbound.
4 August 2021: Wouter
- In unit test use openssl set security level to allow keys in test.
- Fix static analysis warnings about localzone locks that are unused.
- Fix missing locks in zonemd unit test.
- Fix readzone compile under debug config.
3 August 2021: George
- Listen to read or write events after the SSL handshake.
Sticky events on windows would stick on read when write was needed.
3 August 2021: Wouter
- Merge PR #517 from dyunwei: #420 breaks the mesh reply list
function that need to reuse the dns answer.
- Annotate assertion into error printout; we think it may be an
error, but the situation looks harmless.
- Fix sign comparison warning on FreeBSD.
2 August 2021: Wouter
- Prepare for OpenSSL 3.0.0 provider API usage, move the sldns
keyraw functions to produce EVP_PKEY results.
- Move RSA and DSA to use OpenSSL 3.0.0 API.
- Move ECDSA functions to use OpenSSL 3.0.0 API.
- iana portlist update.
- Fix verbose printout failure in tcp reuse unit test.
30 July 2021: Wouter
- Fix #515: Compilation against openssl 3.0.0 beta2 is failing to
build unbound.
- For #515: Fix compilation with openssl 3.0.0 beta2, lib64 dir and
SSL_get_peer_certificate.
- Move acx_nlnetlabs.m4 to version 41, with lib64 openssl dir check.
26 July 2021: George
- Merge #513: Stream reuse, attempt to fix #411, #439, #469. This
introduces a couple of fixes for the stream reuse functionality

2
iterator/iterator.h
View file

@ -61,7 +61,7 @@ struct rbtree_type;
* its subqueries */
#define MAX_TARGET_NX 5
/** max number of query restarts. Determines max number of CNAME chain. */
#define MAX_RESTART_COUNT 8
#define MAX_RESTART_COUNT 11
/** max number of referrals. Makes sure resolver does not run away */
#define MAX_REFERRAL_COUNT 130
/** max number of queries-sent-out. Make sure large NS set does not loop */

1
libunbound/context.c
View file

@ -69,6 +69,7 @@ context_finalize(struct ub_ctx* ctx)
} else {
log_init(cfg->logfile, cfg->use_syslog, NULL);
}
cfg_apply_local_port_policy(cfg, 65536);
config_apply(cfg);
if(!modstack_setup(&ctx->mods, cfg->module_conf, ctx->env))
return UB_INITFAIL;

4
services/listen_dnsport.c
View file

@ -2477,6 +2477,10 @@ static int http2_query_read_done(struct http2_session* h2_session,
"buffer already assigned to stream");
return -1;
}
/* the c->buffer might be used by mesh_send_reply and no be cleard
* need to be cleared before use */
sldns_buffer_clear(h2_session->c->buffer);
if(sldns_buffer_remaining(h2_session->c->buffer) <
sldns_buffer_remaining(h2_stream->qbuffer)) {
/* qbuffer will be free'd in frame close cb */

16
services/localzone.c
View file

@ -745,9 +745,15 @@ static int
lz_enter_zones(struct local_zones* zones, struct config_file* cfg)
{
struct config_str2list* p;
#ifndef THREADS_DISABLED
struct local_zone* z;
#endif
for(p = cfg->local_zones; p; p = p->next) {
if(!(z=lz_enter_zone(zones, p->str, p->str2,
if(!(
#ifndef THREADS_DISABLED
z=
#endif
lz_enter_zone(zones, p->str, p->str2,
LDNS_RR_CLASS_IN)))
return 0;
lock_rw_unlock(&z->lock);
@ -1027,7 +1033,9 @@ lz_setup_implicit(struct local_zones* zones, struct config_file* cfg)
}
if(have_name) {
uint8_t* n2;
#ifndef THREADS_DISABLED
struct local_zone* z;
#endif
/* allocate zone of smallest shared topdomain to contain em */
n2 = nm;
dname_remove_labels(&n2, &nmlen, nmlabs - match);
@ -1039,7 +1047,11 @@ lz_setup_implicit(struct local_zones* zones, struct config_file* cfg)
}
log_nametypeclass(VERB_ALGO, "implicit transparent local-zone",
n2, 0, dclass);
if(!(z=lz_enter_zone_dname(zones, n2, nmlen, match,
if(!(
#ifndef THREADS_DISABLED
z=
#endif
lz_enter_zone_dname(zones, n2, nmlen, match,
local_zone_transparent, dclass))) {
return 0;
}

2
services/outside_network.c
View file

@ -347,6 +347,8 @@ log_reuse_tcp(enum verbosity_value v, const char* msg, struct reuse_tcp* reuse)
uint16_t port;
char addrbuf[128];
if(verbosity < v) return;
if(!reuse || !reuse->pending || !reuse->pending->c)
return;
addr_to_str(&reuse->addr, reuse->addrlen, addrbuf, sizeof(addrbuf));
port = ntohs(((struct sockaddr_in*)&reuse->addr)->sin_port);
verbose(v, "%s %s#%u fd %d", msg, addrbuf, (unsigned)port,

333
sldns/keyraw.c
View file

@ -26,11 +26,15 @@
#ifdef HAVE_OPENSSL_BN_H
#include <openssl/bn.h>
#endif
#ifdef HAVE_OPENSSL_RSA_H
#include <openssl/rsa.h>
#endif
#ifdef HAVE_OPENSSL_DSA_H
#include <openssl/dsa.h>
#ifdef HAVE_OPENSSL_PARAM_BUILD_H
# include <openssl/param_build.h>
#else
# ifdef HAVE_OPENSSL_RSA_H
# include <openssl/rsa.h>
# endif
# ifdef HAVE_OPENSSL_DSA_H
# include <openssl/dsa.h>
# endif
#endif
#endif /* HAVE_SSL */
@ -191,45 +195,59 @@ void sldns_key_EVP_unload_gost(void)
}
#endif /* USE_GOST */
DSA *
sldns_key_buf2dsa_raw(unsigned char* key, size_t len)
/* Retrieve params as BIGNUM from raw buffer */
static int
sldns_key_dsa_buf_bignum(unsigned char* key, size_t len, BIGNUM** p,
BIGNUM** q, BIGNUM** g, BIGNUM** y)
{
uint8_t T;
uint16_t length;
uint16_t offset;
DSA *dsa;
BIGNUM *Q; BIGNUM *P;
BIGNUM *G; BIGNUM *Y;
if(len == 0)
return NULL;
return 0;
T = (uint8_t)key[0];
length = (64 + T * 8);
offset = 1;
if (T > 8) {
return NULL;
return 0;
}
if(len < (size_t)1 + SHA_DIGEST_LENGTH + 3*length)
return NULL;
return 0;
Q = BN_bin2bn(key+offset, SHA_DIGEST_LENGTH, NULL);
*q = BN_bin2bn(key+offset, SHA_DIGEST_LENGTH, NULL);
offset += SHA_DIGEST_LENGTH;
P = BN_bin2bn(key+offset, (int)length, NULL);
*p = BN_bin2bn(key+offset, (int)length, NULL);
offset += length;
G = BN_bin2bn(key+offset, (int)length, NULL);
*g = BN_bin2bn(key+offset, (int)length, NULL);
offset += length;
Y = BN_bin2bn(key+offset, (int)length, NULL);
*y = BN_bin2bn(key+offset, (int)length, NULL);
if(!*q || !*p || !*g || !*y) {
BN_free(*q);
BN_free(*p);
BN_free(*g);
BN_free(*y);
return 0;
}
return 1;
}
#ifndef HAVE_OSSL_PARAM_BLD_NEW
DSA *
sldns_key_buf2dsa_raw(unsigned char* key, size_t len)
{
DSA *dsa;
BIGNUM *Q=NULL, *P=NULL, *G=NULL, *Y=NULL;
if(!sldns_key_dsa_buf_bignum(key, len, &P, &Q, &G, &Y)) {
return NULL;
}
/* create the key and set its properties */
if(!Q || !P || !G || !Y || !(dsa = DSA_new())) {
BN_free(Q);
BN_free(P);
BN_free(G);
BN_free(Y);
if(!(dsa = DSA_new())) {
return NULL;
}
#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
@ -261,22 +279,111 @@ sldns_key_buf2dsa_raw(unsigned char* key, size_t len)
return dsa;
}
#endif /* HAVE_OSSL_PARAM_BLD_NEW */
RSA *
sldns_key_buf2rsa_raw(unsigned char* key, size_t len)
EVP_PKEY *sldns_key_dsa2pkey_raw(unsigned char* key, size_t len)
{
#ifdef HAVE_OSSL_PARAM_BLD_NEW
EVP_PKEY* evp_key = NULL;
EVP_PKEY_CTX* ctx;
BIGNUM *p=NULL, *q=NULL, *g=NULL, *y=NULL;
OSSL_PARAM_BLD* param_bld;
OSSL_PARAM* params = NULL;
if(!sldns_key_dsa_buf_bignum(key, len, &p, &q, &g, &y)) {
return NULL;
}
param_bld = OSSL_PARAM_BLD_new();
if(!param_bld) {
BN_free(p);
BN_free(q);
BN_free(g);
BN_free(y);
return NULL;
}
if(!OSSL_PARAM_BLD_push_BN(param_bld, "p", p) ||
!OSSL_PARAM_BLD_push_BN(param_bld, "g", g) ||
!OSSL_PARAM_BLD_push_BN(param_bld, "q", q) ||
!OSSL_PARAM_BLD_push_BN(param_bld, "pub", y)) {
OSSL_PARAM_BLD_free(param_bld);
BN_free(p);
BN_free(q);
BN_free(g);
BN_free(y);
return NULL;
}
params = OSSL_PARAM_BLD_to_param(param_bld);
OSSL_PARAM_BLD_free(param_bld);
ctx = EVP_PKEY_CTX_new_from_name(NULL, "DSA", NULL);
if(!ctx) {
OSSL_PARAM_free(params);
BN_free(p);
BN_free(q);
BN_free(g);
BN_free(y);
return NULL;
}
if(EVP_PKEY_fromdata_init(ctx) <= 0) {
EVP_PKEY_CTX_free(ctx);
OSSL_PARAM_free(params);
BN_free(p);
BN_free(q);
BN_free(g);
BN_free(y);
return NULL;
}
if(EVP_PKEY_fromdata(ctx, &evp_key, EVP_PKEY_PUBLIC_KEY, params) <= 0) {
EVP_PKEY_CTX_free(ctx);
OSSL_PARAM_free(params);
BN_free(p);
BN_free(q);
BN_free(g);
BN_free(y);
return NULL;
}
EVP_PKEY_CTX_free(ctx);
OSSL_PARAM_free(params);
BN_free(p);
BN_free(q);
BN_free(g);
BN_free(y);
return evp_key;
#else
DSA* dsa;
EVP_PKEY* evp_key = EVP_PKEY_new();
if(!evp_key) {
return NULL;
}
dsa = sldns_key_buf2dsa_raw(key, len);
if(!dsa) {
EVP_PKEY_free(evp_key);
return NULL;
}
if(EVP_PKEY_assign_DSA(evp_key, dsa) == 0) {
DSA_free(dsa);
EVP_PKEY_free(evp_key);
return NULL;
}
return evp_key;
#endif
}
/* Retrieve params as BIGNUM from raw buffer, n is modulus, e is exponent */
static int
sldns_key_rsa_buf_bignum(unsigned char* key, size_t len, BIGNUM** n,
BIGNUM** e)
{
uint16_t offset;
uint16_t exp;
uint16_t int16;
RSA *rsa;
BIGNUM *modulus;
BIGNUM *exponent;
if (len == 0)
return NULL;
return 0;
if (key[0] == 0) {
if(len < 3)
return NULL;
return 0;
memmove(&int16, key+1, 2);
exp = ntohs(int16);
offset = 3;
@ -287,23 +394,34 @@ sldns_key_buf2rsa_raw(unsigned char* key, size_t len)
/* key length at least one */
if(len < (size_t)offset + exp + 1)
return NULL;
return 0;
/* Exponent */
exponent = BN_new();
if(!exponent) return NULL;
(void) BN_bin2bn(key+offset, (int)exp, exponent);
*e = BN_new();
if(!*e) return 0;
(void) BN_bin2bn(key+offset, (int)exp, *e);
offset += exp;
/* Modulus */
modulus = BN_new();
if(!modulus) {
BN_free(exponent);
return NULL;
*n = BN_new();
if(!*n) {
BN_free(*e);
return 0;
}
/* length of the buffer must match the key length! */
(void) BN_bin2bn(key+offset, (int)(len - offset), modulus);
(void) BN_bin2bn(key+offset, (int)(len - offset), *n);
return 1;
}
#ifndef HAVE_OSSL_PARAM_BLD_NEW
RSA *
sldns_key_buf2rsa_raw(unsigned char* key, size_t len)
{
BIGNUM* modulus = NULL;
BIGNUM* exponent = NULL;
RSA *rsa;
if(!sldns_key_rsa_buf_bignum(key, len, &modulus, &exponent))
return NULL;
rsa = RSA_new();
if(!rsa) {
BN_free(exponent);
@ -327,6 +445,88 @@ sldns_key_buf2rsa_raw(unsigned char* key, size_t len)
return rsa;
}
#endif /* HAVE_OSSL_PARAM_BLD_NEW */
EVP_PKEY* sldns_key_rsa2pkey_raw(unsigned char* key, size_t len)
{
#ifdef HAVE_OSSL_PARAM_BLD_NEW
EVP_PKEY* evp_key = NULL;
EVP_PKEY_CTX* ctx;
BIGNUM *n=NULL, *e=NULL;
OSSL_PARAM_BLD* param_bld;
OSSL_PARAM* params = NULL;
if(!sldns_key_rsa_buf_bignum(key, len, &n, &e)) {
return NULL;
}
param_bld = OSSL_PARAM_BLD_new();
if(!param_bld) {
BN_free(n);
BN_free(e);
return NULL;
}
if(!OSSL_PARAM_BLD_push_BN(param_bld, "n", n)) {
OSSL_PARAM_BLD_free(param_bld);
BN_free(n);
BN_free(e);
return NULL;
}
if(!OSSL_PARAM_BLD_push_BN(param_bld, "e", e)) {
OSSL_PARAM_BLD_free(param_bld);
BN_free(n);
BN_free(e);
return NULL;
}
params = OSSL_PARAM_BLD_to_param(param_bld);
OSSL_PARAM_BLD_free(param_bld);
ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL);
if(!ctx) {
OSSL_PARAM_free(params);
BN_free(n);
BN_free(e);
return NULL;
}
if(EVP_PKEY_fromdata_init(ctx) <= 0) {
EVP_PKEY_CTX_free(ctx);
OSSL_PARAM_free(params);
BN_free(n);
BN_free(e);
return NULL;
}
if(EVP_PKEY_fromdata(ctx, &evp_key, EVP_PKEY_PUBLIC_KEY, params) <= 0) {
EVP_PKEY_CTX_free(ctx);
OSSL_PARAM_free(params);
BN_free(n);
BN_free(e);
return NULL;
}
EVP_PKEY_CTX_free(ctx);
OSSL_PARAM_free(params);
BN_free(n);
BN_free(e);
return evp_key;
#else
RSA* rsa;
EVP_PKEY *evp_key = EVP_PKEY_new();
if(!evp_key) {
return NULL;
}
rsa = sldns_key_buf2rsa_raw(key, len);
if(!rsa) {
EVP_PKEY_free(evp_key);
return NULL;
}
if(EVP_PKEY_assign_RSA(evp_key, rsa) == 0) {
RSA_free(rsa);
EVP_PKEY_free(evp_key);
return NULL;
}
return evp_key;
#endif
}
#ifdef USE_GOST
EVP_PKEY*
@ -357,6 +557,62 @@ sldns_gost2pkey_raw(unsigned char* key, size_t keylen)
EVP_PKEY*
sldns_ecdsa2pkey_raw(unsigned char* key, size_t keylen, uint8_t algo)
{
#ifdef HAVE_OSSL_PARAM_BLD_NEW
unsigned char buf[256+2]; /* sufficient for 2*384/8+1 */
EVP_PKEY *evp_key = NULL;
EVP_PKEY_CTX* ctx;
OSSL_PARAM_BLD* param_bld;
OSSL_PARAM* params = NULL;
char* group = NULL;
/* check length, which uncompressed must be 2 bignums */
if(algo == LDNS_ECDSAP256SHA256) {
if(keylen != 2*256/8) return NULL;
group = "prime256v1";
} else if(algo == LDNS_ECDSAP384SHA384) {
if(keylen != 2*384/8) return NULL;
group = "P-384";
} else {
return NULL;
}
if(keylen+1 > sizeof(buf)) { /* sanity check */
return NULL;
}
/* prepend the 0x04 for uncompressed format */
buf[0] = POINT_CONVERSION_UNCOMPRESSED;
memmove(buf+1, key, keylen);
param_bld = OSSL_PARAM_BLD_new();
if(!param_bld) {
return NULL;
}
if(!OSSL_PARAM_BLD_push_utf8_string(param_bld, "group", group, 0) ||
!OSSL_PARAM_BLD_push_octet_string(param_bld, "pub", buf, keylen+1)) {
OSSL_PARAM_BLD_free(param_bld);
return NULL;
}
params = OSSL_PARAM_BLD_to_param(param_bld);
OSSL_PARAM_BLD_free(param_bld);
ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL);
if(!ctx) {
OSSL_PARAM_free(params);
return NULL;
}
if(EVP_PKEY_fromdata_init(ctx) <= 0) {
EVP_PKEY_CTX_free(ctx);
OSSL_PARAM_free(params);
return NULL;
}
if(EVP_PKEY_fromdata(ctx, &evp_key, EVP_PKEY_PUBLIC_KEY, params) <= 0) {
EVP_PKEY_CTX_free(ctx);
OSSL_PARAM_free(params);
return NULL;
}
EVP_PKEY_CTX_free(ctx);
OSSL_PARAM_free(params);
return evp_key;
#else
unsigned char buf[256+2]; /* sufficient for 2*384/8+1 */
const unsigned char* pp = buf;
EVP_PKEY *evp_key;
@ -393,6 +649,7 @@ sldns_ecdsa2pkey_raw(unsigned char* key, size_t keylen, uint8_t algo)
return NULL;
}
return evp_key;
#endif /* HAVE_OSSL_PARAM_BLD_NEW */
}
#endif /* USE_ECDSA */

20
sldns/keyraw.h
View file

@ -57,6 +57,7 @@ int sldns_key_EVP_load_gost_id(void);
/** Release the engine reference held for the GOST engine. */
void sldns_key_EVP_unload_gost(void);
#ifndef HAVE_OSSL_PARAM_BLD_NEW
/**
* Like sldns_key_buf2dsa, but uses raw buffer.
* \param[in] key the uncompressed wireformat of the key.
@ -64,6 +65,15 @@ void sldns_key_EVP_unload_gost(void);
* \return a DSA * structure with the key material
*/
DSA *sldns_key_buf2dsa_raw(unsigned char* key, size_t len);
#endif
/**
* Converts a holding buffer with DSA key material to EVP PKEY in openssl.
* \param[in] key the uncompressed wireformat of the key.
* \param[in] len length of key data
* \return the key or NULL on error.
*/
EVP_PKEY *sldns_key_dsa2pkey_raw(unsigned char* key, size_t len);
/**
* Converts a holding buffer with key material to EVP PKEY in openssl.
@ -84,6 +94,7 @@ EVP_PKEY* sldns_gost2pkey_raw(unsigned char* key, size_t keylen);
*/
EVP_PKEY* sldns_ecdsa2pkey_raw(unsigned char* key, size_t keylen, uint8_t algo);
#ifndef HAVE_OSSL_PARAM_BLD_NEW
/**
* Like sldns_key_buf2rsa, but uses raw buffer.
* \param[in] key the uncompressed wireformat of the key.
@ -91,6 +102,15 @@ EVP_PKEY* sldns_ecdsa2pkey_raw(unsigned char* key, size_t keylen, uint8_t algo);
* \return a RSA * structure with the key material
*/
RSA *sldns_key_buf2rsa_raw(unsigned char* key, size_t len);
#endif
/**
* Converts a holding buffer with RSA key material to EVP PKEY in openssl.
* \param[in] key the uncompressed wireformat of the key.
* \param[in] len length of key data
* \return the key or NULL on error.
*/
EVP_PKEY* sldns_key_rsa2pkey_raw(unsigned char* key, size_t len);
/**
* Converts a holding buffer with key material to EVP PKEY in openssl.

4
smallapp/unbound-control.c
View file

@ -499,9 +499,7 @@ static void ssl_path_err(const char* s, const char *path)
{
unsigned long err;
err = ERR_peek_error();
if (ERR_GET_LIB(err) == ERR_LIB_SYS &&
(ERR_GET_FUNC(err) == SYS_F_FOPEN ||
ERR_GET_FUNC(err) == SYS_F_FREAD) ) {
if (ERR_GET_LIB(err) == ERR_LIB_SYS) {
fprintf(stderr, "error: %s\n%s: %s\n",
s, path, ERR_reason_error_string(err));
exit(1);

7
testcode/petal.c
View file

@ -241,9 +241,12 @@ setup_ctx(char* key, char* cert)
(void)SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
#endif
(void)SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
#ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL
SSL_CTX_set_security_level(ctx, 0); /* for keys in tests */
#endif
if(!SSL_CTX_use_certificate_chain_file(ctx, cert)) {
int e = ERR_peek_error();
printf("error string: %s\n", ERR_reason_error_string(e));
int e = ERR_peek_error();
printf("error string: %s\n", ERR_reason_error_string(e));
print_exit("cannot read cert");
}
if(!SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM))

4
testcode/unitzonemd.c
View file

@ -82,7 +82,9 @@ static void zonemd_generate_test(const char* zname, char* zfile,
/* read file */
z = authtest_addzone(az, zname, zfile);
unit_assert(z);
lock_rw_wrlock(&z->lock);
z->zonemd_check = 1;
lock_rw_unlock(&z->lock);
/* create zonemd digest */
result = auth_zone_generate_zonemd_hash(z, scheme, hashalgo,
@ -197,7 +199,9 @@ static void zonemd_check_test(void)
/* read file */
z = authtest_addzone(az, zname, zfile);
unit_assert(z);
lock_rw_wrlock(&z->lock);
z->zonemd_check = 1;
lock_rw_unlock(&z->lock);
hashlen = sizeof(hash);
if(sldns_str2wire_hex_buf(digest, hash, &hashlen) != 0) {
unit_assert(0); /* parse failure */

31
util/config_file.c
View file

@ -1704,6 +1704,37 @@ int cfg_condense_ports(struct config_file* cfg, int** avail)
return num;
}
void cfg_apply_local_port_policy(struct config_file* cfg, int num) {
(void)cfg;
(void)num;
#ifdef USE_LINUX_IP_LOCAL_PORT_RANGE
{
int i = 0;
FILE* range_fd;
if ((range_fd = fopen(LINUX_IP_LOCAL_PORT_RANGE_PATH, "r")) != NULL) {
int min_port = 0;
int max_port = num - 1;
if (fscanf(range_fd, "%d %d", &min_port, &max_port) == 2) {
for(i=0; i<min_port; i++) {
cfg->outgoing_avail_ports[i] = 0;
}
for(i=max_port+1; i<num; i++) {
cfg->outgoing_avail_ports[i] = 0;
}
} else {
log_err("unexpected port range in %s",
LINUX_IP_LOCAL_PORT_RANGE_PATH);
}
fclose(range_fd);
} else {
log_err("failed to read from file: %s (%s)",
LINUX_IP_LOCAL_PORT_RANGE_PATH,
strerror(errno));
}
}
#endif
}
/** print error with file and line number */
static void ub_c_error_va_list(const char *fmt, va_list args)
{

11
util/config_file.h
View file

@ -1190,6 +1190,13 @@ int cfg_mark_ports(const char* str, int allow, int* avail, int num);
*/
int cfg_condense_ports(struct config_file* cfg, int** avail);
/**
* Apply system specific port range policy.
* @param cfg: config file.
* @param num: size of the array (65536).
*/
void cfg_apply_local_port_policy(struct config_file* cfg, int num);
/**
* Scan ports available
* @param avail: the array from cfg.
@ -1329,5 +1336,9 @@ int if_is_https(const char* ifname, const char* port, int https_port);
*/
int cfg_has_https(struct config_file* cfg);
#ifdef USE_LINUX_IP_LOCAL_PORT_RANGE
#define LINUX_IP_LOCAL_PORT_RANGE_PATH "/proc/sys/net/ipv4/ip_local_port_range"
#endif
#endif /* UTIL_CONFIG_FILE_H */

16
util/netevent.c
View file

@ -1214,7 +1214,7 @@ ssl_handshake(struct comm_point* c)
int r;
if(c->ssl_shake_state == comm_ssl_shake_hs_read) {
/* read condition satisfied back to writing */
comm_point_listen_for_rw(c, 1, 1);
comm_point_listen_for_rw(c, 0, 1);
c->ssl_shake_state = comm_ssl_shake_none;
return 1;
}
@ -1278,7 +1278,11 @@ ssl_handshake(struct comm_point* c)
if((SSL_get_verify_mode(c->ssl)&SSL_VERIFY_PEER)) {
/* verification */
if(SSL_get_verify_result(c->ssl) == X509_V_OK) {
#ifdef HAVE_SSL_GET1_PEER_CERTIFICATE
X509* x = SSL_get1_peer_certificate(c->ssl);
#else
X509* x = SSL_get_peer_certificate(c->ssl);
#endif
if(!x) {
log_addr(VERB_ALGO, "SSL connection failed: "
"no certificate",
@ -1304,7 +1308,11 @@ ssl_handshake(struct comm_point* c)
#endif
X509_free(x);
} else {
#ifdef HAVE_SSL_GET1_PEER_CERTIFICATE
X509* x = SSL_get1_peer_certificate(c->ssl);
#else
X509* x = SSL_get_peer_certificate(c->ssl);
#endif
if(x) {
log_cert(VERB_ALGO, "peer certificate", x);
X509_free(x);
@ -1340,7 +1348,7 @@ ssl_handshake(struct comm_point* c)
if(c->ssl_shake_state != comm_ssl_shake_read)
comm_point_listen_for_rw(c, 1, 0);
} else {
comm_point_listen_for_rw(c, 1, 1);
comm_point_listen_for_rw(c, 0, 1);
}
c->ssl_shake_state = comm_ssl_shake_none;
return 1;
@ -1726,7 +1734,8 @@ comm_point_tcp_handle_read(int fd, struct comm_point* c, int short_ok)
(int)sldns_buffer_limit(c->buffer));
}
log_assert(sldns_buffer_remaining(c->buffer) > 0);
if(sldns_buffer_remaining(c->buffer) == 0)
log_err("in comm_point_tcp_handle_read buffer_remaining is not > 0 as expected, continuing with (harmless) 0 length recv");
r = recv(fd, (void*)sldns_buffer_current(c->buffer),
sldns_buffer_remaining(c->buffer), 0);
if(r == 0) {
@ -4062,7 +4071,6 @@ comm_point_send_reply(struct comm_reply *repinfo)
}
repinfo->c->h2_stream = NULL;
repinfo->c->tcp_is_reading = 0;
sldns_buffer_clear(repinfo->c->buffer);
comm_point_stop_listening(repinfo->c);
comm_point_start_listening(repinfo->c, -1,
adjusted_tcp_timeout(repinfo->c));

50
validator/val_secalgo.c
View file

@ -513,29 +513,13 @@ static int
setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type,
unsigned char* key, size_t keylen)
{
#if defined(USE_DSA) && defined(USE_SHA1)
DSA* dsa;
#endif
RSA* rsa;
switch(algo) {
#if defined(USE_DSA) && defined(USE_SHA1)
case LDNS_DSA:
case LDNS_DSA_NSEC3:
*evp_key = EVP_PKEY_new();
*evp_key = sldns_key_dsa2pkey_raw(key, keylen);
if(!*evp_key) {
log_err("verify: malloc failure in crypto");
return 0;
}
dsa = sldns_key_buf2dsa_raw(key, keylen);
if(!dsa) {
verbose(VERB_QUERY, "verify: "
"sldns_key_buf2dsa_raw failed");
return 0;
}
if(EVP_PKEY_assign_DSA(*evp_key, dsa) == 0) {
verbose(VERB_QUERY, "verify: "
"EVP_PKEY_assign_DSA failed");
verbose(VERB_QUERY, "verify: sldns_key_dsa2pkey failed");
return 0;
}
#ifdef HAVE_EVP_DSS1
@ -558,20 +542,9 @@ setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type,
#if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
case LDNS_RSASHA512:
#endif
*evp_key = EVP_PKEY_new();
*evp_key = sldns_key_rsa2pkey_raw(key, keylen);
if(!*evp_key) {
log_err("verify: malloc failure in crypto");
return 0;
}
rsa = sldns_key_buf2rsa_raw(key, keylen);
if(!rsa) {
verbose(VERB_QUERY, "verify: "
"sldns_key_buf2rsa_raw SHA failed");
return 0;
}
if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) {
verbose(VERB_QUERY, "verify: "
"EVP_PKEY_assign_RSA SHA failed");
verbose(VERB_QUERY, "verify: sldns_key_rsa2pkey SHA failed");
return 0;
}
@ -595,20 +568,9 @@ setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type,
#endif /* defined(USE_SHA1) || (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2)) */
case LDNS_RSAMD5:
*evp_key = EVP_PKEY_new();
*evp_key = sldns_key_rsa2pkey_raw(key, keylen);
if(!*evp_key) {
log_err("verify: malloc failure in crypto");
return 0;
}
rsa = sldns_key_buf2rsa_raw(key, keylen);
if(!rsa) {
verbose(VERB_QUERY, "verify: "
"sldns_key_buf2rsa_raw MD5 failed");
return 0;
}
if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) {
verbose(VERB_QUERY, "verify: "
"EVP_PKEY_assign_RSA MD5 failed");
verbose(VERB_QUERY, "verify: sldns_key_rsa2pkey MD5 failed");
return 0;
}
*digest_type = EVP_md5();