/* define this to enable debug checks. */
#undef UNBOUND_DEBUG
+/* Define this to enable GOST support. */
+#undef USE_GOST
+
/* Define if you want to use internal select based events */
#undef USE_MINI_EVENT
with_pythonmodule
with_ssl
enable_sha2
+enable_gost
with_libevent
enable_staticexe
enable_lock_checks
--disable-libtool-lock avoid locking (might break parallel builds)
--disable-rpath disable hardcoded rpath (default=enabled)
--enable-sha2 Enable SHA256 and SHA512 RRSIG support
+ --enable-gost Enable GOST support
--enable-static-exe enable to compile executables statically against
event, ldns libs, for debug purposes
--enable-lock-checks enable to check lock and unlock calls, for debug
else
lt_cv_nm_interface="BSD nm"
echo "int some_variable = 0;" > conftest.$ac_ext
- (eval echo "\"\$as_me:7263: $ac_compile\"" >&5)
+ (eval echo "\"\$as_me:7265: $ac_compile\"" >&5)
(eval "$ac_compile" 2>conftest.err)
cat conftest.err >&5
- (eval echo "\"\$as_me:7266: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
+ (eval echo "\"\$as_me:7268: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
(eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out)
cat conftest.err >&5
- (eval echo "\"\$as_me:7269: output\"" >&5)
+ (eval echo "\"\$as_me:7271: output\"" >&5)
cat conftest.out >&5
if $GREP 'External.*some_variable' conftest.out > /dev/null; then
lt_cv_nm_interface="MS dumpbin"
;;
*-*-irix6*)
# Find out which ABI we are using.
- echo '#line 8474 "configure"' > conftest.$ac_ext
+ echo '#line 8476 "configure"' > conftest.$ac_ext
if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
(eval $ac_compile) 2>&5
ac_status=$?
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:9841: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:9843: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
- echo "$as_me:9845: \$? = $ac_status" >&5
+ echo "$as_me:9847: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings other than the usual output.
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:10180: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:10182: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
- echo "$as_me:10184: \$? = $ac_status" >&5
+ echo "$as_me:10186: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings other than the usual output.
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:10285: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:10287: $lt_compile\"" >&5)
(eval "$lt_compile" 2>out/conftest.err)
ac_status=$?
cat out/conftest.err >&5
- echo "$as_me:10289: \$? = $ac_status" >&5
+ echo "$as_me:10291: \$? = $ac_status" >&5
if (exit $ac_status) && test -s out/conftest2.$ac_objext
then
# The compiler can only warn and ignore the option if not recognized
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:10340: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:10342: $lt_compile\"" >&5)
(eval "$lt_compile" 2>out/conftest.err)
ac_status=$?
cat out/conftest.err >&5
- echo "$as_me:10344: \$? = $ac_status" >&5
+ echo "$as_me:10346: \$? = $ac_status" >&5
if (exit $ac_status) && test -s out/conftest2.$ac_objext
then
# The compiler can only warn and ignore the option if not recognized
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<_LT_EOF
-#line 13143 "configure"
+#line 13145 "configure"
#include "confdefs.h"
#if HAVE_DLFCN_H
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<_LT_EOF
-#line 13239 "configure"
+#line 13241 "configure"
#include "confdefs.h"
#if HAVE_DLFCN_H
case "$enable_sha2" in
yes)
-cat >>confdefs.h <<_ACEOF
-#define USE_SHA2 /**/
+cat >>confdefs.h <<\_ACEOF
+#define USE_SHA2 1
+_ACEOF
+
+ ;;
+ no|*)
+ ;;
+esac
+
+# Check whether --enable-gost was given.
+if test "${enable_gost+set}" = set; then
+ enableval=$enable_gost;
+fi
+
+case "$enable_gost" in
+ yes)
+
+cat >>confdefs.h <<\_ACEOF
+#define USE_GOST 1
_ACEOF
;;
AC_ARG_ENABLE(sha2, AC_HELP_STRING([--enable-sha2], [Enable SHA256 and SHA512 RRSIG support]))
case "$enable_sha2" in
yes)
- AC_DEFINE_UNQUOTED([USE_SHA2], [], [Define this to enable SHA256 and SHA512 support.])
+ AC_DEFINE([USE_SHA2], [1], [Define this to enable SHA256 and SHA512 support.])
+ ;;
+ no|*)
+ ;;
+esac
+
+AC_ARG_ENABLE(gost, AC_HELP_STRING([--enable-gost], [Enable GOST support]))
+case "$enable_gost" in
+ yes)
+ AC_DEFINE([USE_GOST], [1], [Define this to enable GOST support.])
;;
no|*)
;;
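Review bot: The new `--enable-gost` option in the AC_ARG_ENABLE(gost, …) block only defines USE_GOST, while every use site in this commit is guarded by `defined(HAVE_ENGINE_LOAD_GOST) && defined(USE_GOST)`, and no configure check for that ldns capability is visible in this hunk. If none exists elsewhere, a user passing --enable-gost against an ldns built without GOST gets a silent non-GOST build that the help text does not hint at. Consider an AC_MSG_WARN (or AC_MSG_ERROR) in the `yes)` branch when the ldns GOST symbol is not found, so the configured result matches what was requested.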
checklock_start();
ERR_load_crypto_strings();
ERR_load_SSL_strings();
+#if defined(HAVE_ENGINE_LOAD_GOST) && defined(USE_GOST)
+ (void)ldns_key_EVP_load_gost_id();
+#endif
OpenSSL_add_all_algorithms();
(void)SSL_library_init();
#ifdef HAVE_TZSET
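Review bot: The result of `ldns_key_EVP_load_gost_id()` is discarded with the `(void)` cast, so a failure to register the GOST engine at startup is invisible and only surfaces later as individual RRSIG verification failures. If the function reports failure through its return value (it appears to return 0 in that case; confirm against ldns), log it once here: `if(!ldns_key_EVP_load_gost_id()) log_err("could not load GOST engine, GOST signatures unsupported");`. The same silent call is repeated in the unit-test initialisation hunk further down. The enclosing function begins outside this hunk.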
+6 August 2009: Wouter
+ - configure --enable-gost for GOST support, experimental
+ implementation of draft-dolmatov-dnsext-dnssec-gost-01.
+
5 August 2009: Wouter
- trunk moved to 1.3.4.
* --with-pythonmodule
Compile the python module that processes responses in the server.
* --enable-sha2
- Enable draft support for RSASHA256 and RSASHA512.
+ Enable draft support for RSASHA256 and RSASHA512 crypto.
+ * --enable-gost
+ Enable draft support for GOST crypto.
* 'make test' attempts to run a series of tests, depending on the support
programs that are installed.
printf("-h this help\n");
printf("-p file playback text file\n");
printf("-2 detect SHA256 support (exit code 0 or 1)\n");
+ printf("-g detect GOST support (exit code 0 or 1)\n");
printf("-o str unbound commandline options separated by spaces.\n");
printf("Version %s\n", PACKAGE_VERSION);
printf("BSD licensed, see LICENSE file in source package.\n");
pass_argc = 1;
pass_argv[0] = "unbound";
add_opts("-d", &pass_argc, pass_argv);
- while( (c=getopt(argc, argv, "2ho:p:")) != -1) {
+ while( (c=getopt(argc, argv, "2gho:p:")) != -1) {
switch(c) {
case '2':
#if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
#else
printf("SHA256 not supported\n");
exit(1);
+#endif
+ break;
+ case 'g':
+#if defined(HAVE_ENGINE_LOAD_GOST) && defined(USE_GOST)
+ printf("GOST supported\n");
+ exit(0);
+#else
+ printf("GOST not supported\n");
+ exit(1);
#endif
break;
case 'p':
}
printf("Start of %s unit test.\n", PACKAGE_STRING);
ERR_load_crypto_strings();
+#if defined(HAVE_ENGINE_LOAD_GOST) && defined(USE_GOST)
+ (void)ldns_key_EVP_load_gost_id();
+#endif
checklock_start();
neg_test();
rnd_test();
#endif
verifytest_file("testdata/test_signatures.12", "20090107100022");
verifytest_file("testdata/test_signatures.13", "20080414005004");
+#if defined(HAVE_ENGINE_LOAD_GOST) && defined(USE_GOST)
+ verifytest_file("testdata/test_signatures.15", "20090807060504");
+#endif
dstest_file("testdata/test_ds_sig.1");
nsectest();
nsec3_hash_test("testdata/test_nsec3_hash.1");
--- /dev/null
+; Signature test file
+
+; first entry is a DNSKEY answer, with the DNSKEY rrset used for verification.
+; later entries are verified with it.
+
+; Test GOST signatures using algo number 11.
+
+ENTRY_BEGIN
+SECTION QUESTION
+nlnetlabs.nl. IN DNSKEY
+SECTION ANSWER
+nlnetlabs.nl. 3600 IN DNSKEY 256 3 11 Z7JC2FSJ0KQPAflOrM25v5XGVfZDEY54Zz1uslvmHgEL92nBbki3p2dzuiKqjov0iB33XvscfKb44CajJWeH8w== ;{id = 1952 (zsk), size = 512b}
+ENTRY_END
+
+; entry to test
+ENTRY_BEGIN
+SECTION QUESTION
+open.nlnetlabs.nl. IN A
+SECTION ANSWER
+open.nlnetlabs.nl. 600 IN A 213.154.224.1
+open.nlnetlabs.nl. 600 IN RRSIG A 11 3 600 20090903100515 20090806100515 1952 nlnetlabs.nl. jpKiYiSfGhROoZ5b+dqoxVefwCWN0lkAdkspKlbqz6GsZPfiQMU3UYWmZvTQm9hkwPqI9EKbaBJCw2i0ucBi8g== ;{id = 1952}
+ENTRY_END
+
+ENTRY_BEGIN
+SECTION QUESTION
+open.nlnetlabs.nl. IN AAAA
+SECTION ANSWER
+open.nlnetlabs.nl. 600 IN AAAA 2001:7b8:206:1::1
+open.nlnetlabs.nl. 600 IN AAAA 2001:7b8:206:1::53
+open.nlnetlabs.nl. 600 IN RRSIG AAAA 11 3 600 20090903100515 20090806100515 1952 nlnetlabs.nl. rGY+31Hdr5mxYrII+RGdBpbeZhJ9JccnHKocl9v/oMU7aBFl0CC7fWmFS18/AMvxWhNLqxPboir4q/nPpwkNhw== ;{id = 1952}
+ENTRY_END
+
+ENTRY_BEGIN
+SECTION QUESTION
+open.nlnetlabs.nl. IN NSEC
+SECTION ANSWER
+open.nlnetlabs.nl. 3600 IN NSEC nlnetlabs.nl. A AAAA RRSIG NSEC
+open.nlnetlabs.nl. 3600 IN RRSIG NSEC 11 3 3600 20090903100515 20090806100515 1952 nlnetlabs.nl. wq9NbqmdcasWb9APEPrrT9Z7dcK/1MJ0Pr0iYYv/2QHmRU3gDhyS/ss5I81YS7aePolNwNoASdoU3CCpU0dKTg== ;{id = 1952}
+ENTRY_END
+
#ifdef HAVE_EVP_SHA256
case LDNS_SHA256:
return SHA256_DIGEST_LENGTH;
+#endif
+#if defined(HAVE_ENGINE_LOAD_GOST) && defined(USE_GOST)
+ case LDNS_HASH_GOST94:
+ return 32;
#endif
default: break;
}
return 0;
}
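Review bot: `return 32;` in the new LDNS_HASH_GOST94 case is a bare magic number sitting next to the named SHA256_DIGEST_LENGTH constant above it, which makes the size hard to audit. A short comment ties it to the algorithm: `return 32; /* GOST R 34.11-94 produces a 256-bit digest */`. The enclosing switch and function start outside this hunk.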
+#if defined(HAVE_ENGINE_LOAD_GOST) && defined(USE_GOST)
+/** Perform GOST94 hash */
+static int
+do_gost94(unsigned char* data, size_t len, unsigned char* dest)
+{
+ const EVP_MD* md = EVP_get_digestbyname("md_gost94");
+ if(!md)
+ return 0;
+ return ldns_digest_evp(data, len, dest, md);
+}
+#endif
+
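Review bot: The one-line comment on do_gost94 does not say when it returns 0, yet the function has two distinct failure modes: the md_gost94 digest being unknown to OpenSSL (engine not loaded) and ldns_digest_evp failing. Expand it into the Doxygen form used elsewhere in this file, with `@param data`, `@param len`, `@param dest` and `@return 1 on success, 0 if the GOST digest is unavailable or hashing failed`. Whether `dest` must hold at least 32 bytes is not visible here; state it if the caller guarantees it.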
/**
* Create a DS digest for a DNSKEY entry.
*
(void)SHA256((unsigned char*)ldns_buffer_begin(b),
ldns_buffer_limit(b), (unsigned char*)digest);
return 1;
+#endif
+#if defined(HAVE_ENGINE_LOAD_GOST) && defined(USE_GOST)
+ case LDNS_HASH_GOST94:
+ if(do_gost94((unsigned char*)ldns_buffer_begin(b),
+ ldns_buffer_limit(b), (unsigned char*)digest))
+ return 1;
#endif
default:
verbose(VERB_QUERY, "unknown DS digest algorithm %d",
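Review bot: When do_gost94() returns 0, the new LDNS_HASH_GOST94 case falls through into `default:`, which logs "unknown DS digest algorithm" for an algorithm that is known but whose digest could not be computed. Either mark the fallthrough as intended with `/* fallthrough: GOST digest unavailable, treat as unsupported */`, or return 0 with a GOST-specific verbose message before the default label so the log points at the real cause. The enclosing function starts and ends outside this hunk.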
#endif
#if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
case LDNS_RSASHA512:
+#endif
+#if defined(HAVE_ENGINE_LOAD_GOST) && defined(USE_GOST)
+ case LDNS_GOST:
#endif
return 1;
default:
* Setup key and digest for verification. Adjust sig if necessary.
*
* @param algo: key algorithm
- * @param evp_key: EVP PKEY public key to update.
+ * @param evp_key: EVP PKEY public key to create.
* @param digest_type: digest type to use
* @param key: key to setup for.
* @param keylen: length of key.
* @return false on failure.
*/
static int
-setup_key_digest(int algo, EVP_PKEY* evp_key, const EVP_MD** digest_type,
+setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type,
unsigned char* key, size_t keylen)
{
DSA* dsa;
switch(algo) {
case LDNS_DSA:
case LDNS_DSA_NSEC3:
+ *evp_key = EVP_PKEY_new();
+ if(!*evp_key) {
+ log_err("verify: malloc failure in crypto");
+ return sec_status_unchecked;
+ }
dsa = ldns_key_buf2dsa_raw(key, keylen);
if(!dsa) {
verbose(VERB_QUERY, "verify: "
"ldns_key_buf2dsa_raw failed");
return 0;
}
- if(EVP_PKEY_assign_DSA(evp_key, dsa) == 0) {
+ if(EVP_PKEY_assign_DSA(*evp_key, dsa) == 0) {
verbose(VERB_QUERY, "verify: "
"EVP_PKEY_assign_DSA failed");
return 0;
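Review bot: `return sec_status_unchecked;` at the new EVP_PKEY_new() failure check returns an enum sec_status from a function whose contract, per the doc comment just above, is an int that is false on failure; it only works because sec_status_unchecked happens to be the zero member of the enum. Use `return 0;` here and in the identical checks in the RSA and RSAMD5 cases in the following two hunks. The switch and function continue past the end of this hunk.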
#if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
case LDNS_RSASHA512:
#endif
+ *evp_key = EVP_PKEY_new();
+ if(!*evp_key) {
+ log_err("verify: malloc failure in crypto");
+ return sec_status_unchecked;
+ }
rsa = ldns_key_buf2rsa_raw(key, keylen);
if(!rsa) {
verbose(VERB_QUERY, "verify: "
"ldns_key_buf2rsa_raw SHA failed");
return 0;
}
- if(EVP_PKEY_assign_RSA(evp_key, rsa) == 0) {
+ if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) {
verbose(VERB_QUERY, "verify: "
"EVP_PKEY_assign_RSA SHA failed");
return 0;
break;
case LDNS_RSAMD5:
+ *evp_key = EVP_PKEY_new();
+ if(!*evp_key) {
+ log_err("verify: malloc failure in crypto");
+ return sec_status_unchecked;
+ }
rsa = ldns_key_buf2rsa_raw(key, keylen);
if(!rsa) {
verbose(VERB_QUERY, "verify: "
"ldns_key_buf2rsa_raw MD5 failed");
return 0;
}
- if(EVP_PKEY_assign_RSA(evp_key, rsa) == 0) {
+ if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) {
verbose(VERB_QUERY, "verify: "
"EVP_PKEY_assign_RSA MD5 failed");
return 0;
*digest_type = EVP_md5();
break;
+#if defined(HAVE_ENGINE_LOAD_GOST) && defined(USE_GOST)
+ case LDNS_GOST:
+ *evp_key = ldns_gost2pkey_raw(key, keylen);
+ if(!*evp_key) {
+ verbose(VERB_QUERY, "verify: "
+ "ldns_gost2pkey_raw failed");
+ return 0;
+ }
+ *digest_type = EVP_get_digestbyname("md_gost94");
+ if(!*digest_type) {
+ verbose(VERB_QUERY, "verify: "
+ "EVP_getdigest md_gost94 failed");
+ return 0;
+ }
+ break;
+#endif
default:
verbose(VERB_QUERY, "verify: unknown algorithm %d",
algo);
const EVP_MD *digest_type;
EVP_MD_CTX ctx;
int res, dofree = 0;
- EVP_PKEY *evp_key = EVP_PKEY_new();
- if(!evp_key) {
- log_err("verify: malloc failure in crypto");
- return sec_status_unchecked;
- }
-
- if(!setup_key_digest(algo, evp_key, &digest_type, key, keylen)) {
+ EVP_PKEY *evp_key = NULL;
+
+ if(!setup_key_digest(algo, &evp_key, &digest_type, key, keylen)) {
verbose(VERB_QUERY, "verify: failed to setup key");
EVP_PKEY_free(evp_key);
return sec_status_bogus;
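Review bot: Moving EVP_PKEY_new() into setup_key_digest() changes the failure classification: the removed lines returned sec_status_unchecked on allocation failure, while the new code collapses every setup failure into the single `return sec_status_bogus;`. An out-of-memory condition is thus reported to the validator as a bad signature rather than as "not checked", which is a different answer with different downstream consequences. If that distinction matters, have setup_key_digest tell allocation failure apart from bad key material (for example by returning a sec_status, with its doc comment updated accordingly) rather than a boolean. The enclosing function starts outside this hunk.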