- ED448 support.
authorWouter Wijngaards <wouter@nlnetlabs.nl>
Thu, 5 Apr 2018 14:44:17 +0000 (14:44 +0000)
committerWouter Wijngaards <wouter@nlnetlabs.nl>
Thu, 5 Apr 2018 14:44:17 +0000 (14:44 +0000)
git-svn-id: file:///svn/unbound/trunk@4607 be551aaa-1e26-0410-a405-d3ace91eadb9

config.h.in
configure
configure.ac
doc/Changelog
sldns/keyraw.c
sldns/keyraw.h
testcode/unitverify.c
testdata/test_sigs.ed448 [new file with mode: 0644]
validator/val_secalgo.c

index 0dc6eb7b3a358792d70f990a81d68817f47adeab..e9e3a95237e5a49a6b78f1ccb5a3a67bbcaa4bfc 100644 (file)
    don't. */
 #undef HAVE_DECL_NID_ED25519
 
+/* Define to 1 if you have the declaration of `NID_ED448', and to 0 if you
+   don't. */
+#undef HAVE_DECL_NID_ED448
+
 /* Define to 1 if you have the declaration of `NID_secp384r1', and to 0 if you
    don't. */
 #undef HAVE_DECL_NID_SECP384R1
 /* Define this to enable ED25519 support. */
 #undef USE_ED25519
 
+/* Define this to enable ED448 support. */
+#undef USE_ED448
+
 /* Define this to enable GOST support. */
 #undef USE_GOST
 
index 77d2696f1cd683ad08ef48037c3e651db5b9af81..6535a5a969c2d2e205f93087bdb5be45d4809829 100755 (executable)
--- a/configure
+++ b/configure
@@ -859,6 +859,7 @@ enable_gost
 enable_ecdsa
 enable_dsa
 enable_ed25519
+enable_ed448
 enable_event_api
 enable_tfo_client
 enable_tfo_server
@@ -1545,6 +1546,7 @@ Optional Features:
   --disable-ecdsa         Disable ECDSA support
   --disable-dsa           Disable DSA support
   --disable-ed25519       Disable ED25519 support
+  --disable-ed448         Disable ED448 support
   --enable-event-api      Enable (experimental) pluggable event base
                           libunbound API installed to unbound-event.h
   --enable-tfo-client     Enable TCP Fast Open for client mode
@@ -18317,6 +18319,50 @@ _ACEOF
       ;;
 esac
 
+# Check whether --enable-ed448 was given.
+if test "${enable_ed448+set}" = set; then :
+  enableval=$enable_ed448;
+fi
+
+use_ed448="no"
+case "$enable_ed448" in
+    no)
+      ;;
+    *)
+      if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
+             ac_fn_c_check_decl "$LINENO" "NID_ED448" "ac_cv_have_decl_NID_ED448" "$ac_includes_default
+#include <openssl/evp.h>
+
+"
+if test "x$ac_cv_have_decl_NID_ED448" = xyes; then :
+  ac_have_decl=1
+else
+  ac_have_decl=0
+fi
+
+cat >>confdefs.h <<_ACEOF
+#define HAVE_DECL_NID_ED448 $ac_have_decl
+_ACEOF
+if test $ac_have_decl = 1; then :
+
+               use_ed448="yes"
+
+else
+   if test "x$enable_ed448" = "xyes"; then as_fn_error $? "OpenSSL does not support ED448 and you used --enable-ed448." "$LINENO" 5
+               fi
+fi
+
+      fi
+      if test $use_ed448 = "yes"; then
+
+cat >>confdefs.h <<_ACEOF
+#define USE_ED448 1
+_ACEOF
+
+      fi
+      ;;
+esac
+
 # Check whether --enable-event-api was given.
 if test "${enable_event_api+set}" = set; then :
   enableval=$enable_event_api;
index aabf14fea04a946bd463713bcef7b8f709015b38..a149fe6372ccd8ce9479449ae9fb3a78710ff0b2 100644 (file)
@@ -993,6 +993,26 @@ case "$enable_ed25519" in
       ;;
 esac
 
+AC_ARG_ENABLE(ed448, AC_HELP_STRING([--disable-ed448], [Disable ED448 support]))
+use_ed448="no"
+case "$enable_ed448" in
+    no)
+      ;;
+    *)
+      if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
+             AC_CHECK_DECLS([NID_ED448], [
+               use_ed448="yes"
+             ], [ if test "x$enable_ed448" = "xyes"; then AC_MSG_ERROR([OpenSSL does not support ED448 and you used --enable-ed448.])
+               fi ], [AC_INCLUDES_DEFAULT
+#include <openssl/evp.h>
+             ])
+      fi
+      if test $use_ed448 = "yes"; then
+               AC_DEFINE_UNQUOTED([USE_ED448], [1], [Define this to enable ED448 support.])
+      fi
+      ;;
+esac
+
 AC_ARG_ENABLE(event-api, AC_HELP_STRING([--enable-event-api], [Enable (experimental) pluggable event base libunbound API installed to unbound-event.h]))
 case "$enable_event_api" in
     yes)
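Review bot: An explicit `--enable-ed448` is silently ignored when the build uses NSS or nettle, because the only AC_MSG_ERROR sits in the AC_CHECK_DECLS failure branch inside `if test $USE_NSS = "no" -a $USE_NETTLE = "no"`; on the other path `use_ed448` just stays "no". The resulting validator would not support algorithm 16, and zones signed only with it would presumably be handled as having no supported algorithm, so the person building should hear about it at configure time. I would give that `if` an else branch, `else if test "x$enable_ed448" = "xyes"; then AC_MSG_ERROR([ED448 requires OpenSSL and you used --enable-ed448.]); fi`. The unquoted `$USE_NSS`, `$USE_NETTLE` and `$use_ed448` in the `test` calls also break if one of them is ever empty, so they should be quoted.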
index 3c3bfe6133bd94903c67dce44210f4d809cf7a5d..13a8804211fb96d83ebca84e63ee3b4553bdbadc 100644 (file)
@@ -5,6 +5,7 @@
        - Fix unbound-control over pipe with openssl 1.1.1, the TLSv1.3
          tls_choose_sigalg routine does not allow the ciphers for the pipe,
          so use TLSv1.2.
+       - ED448 support.
 
 3 April 2018: Wouter
        - Fix #4043: make test fails due to v6 presentation issue in macOS.
index e2f14f2a4e972054ae7d9185684c75a2dd635c70..2ec225bc5bd8358e3753668382f75def78624521 100644 (file)
@@ -89,6 +89,14 @@ sldns_rr_dnskey_key_size_raw(const unsigned char* keydata,
                 return 256;
         case LDNS_ECDSAP384SHA384:
                 return 384;
+#endif
+#ifdef USE_ED25519
+       case LDNS_ED25519:
+               return 256;
+#endif
+#ifdef USE_ED448
+       case LDNS_ED448:
+               return 456;
 #endif
        default:
                return 0;
@@ -409,6 +417,27 @@ sldns_ed255192pkey_raw(const unsigned char* key, size_t keylen)
 }
 #endif /* USE_ED25519 */
 
+#ifdef USE_ED448
+EVP_PKEY*
+sldns_ed4482pkey_raw(const unsigned char* key, size_t keylen)
+{
+       /* ASN1 for ED448 is 3043300506032b6571033a00 <57byteskey> */
+       uint8_t pre[] = {0x30, 0x43, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65,
+               0x71, 0x03, 0x3a, 0x00};
+        int pre_len = 12;
+       uint8_t buf[256];
+        EVP_PKEY *evp_key;
+       /* pp gets modified by d2i() */
+        const unsigned char* pp = (unsigned char*)buf;
+       if(keylen != 57 || keylen + pre_len > sizeof(buf))
+               return NULL; /* wrong length */
+       memmove(buf, pre, pre_len);
+       memmove(buf+pre_len, key, keylen);
+       evp_key = d2i_PUBKEY(NULL, &pp, (int)(pre_len+keylen));
+        return evp_key;
+}
+#endif /* USE_ED448 */
+
 int
 sldns_digest_evp(unsigned char* data, unsigned int len, unsigned char* dest,
        const EVP_MD* md)
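Review bot: `pre_len` in sldns_ed4482pkey_raw is a hand-counted `12` kept separately from the `pre[]` initializer it describes, so an edit to the DER prefix that misses the count would make the first `memmove` read past `pre` or hand d2i_PUBKEY a malformed header built around attacker-supplied key bytes. Deriving it keeps the two in step: declare `static const uint8_t pre[] = { ... };` and `const size_t pre_len = sizeof(pre);`, which also removes the int/size_t mix in `keylen + pre_len > sizeof(buf)`. The literal `57` would read better as a named constant next to the ASN.1 comment. The `int pre_len`, `EVP_PKEY *evp_key`, `const unsigned char* pp` and `return` lines are indented with spaces while the rest of the function uses tabs.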
index 19653b46c7ba815a597ed267f42862aaa0a1c99c..989b02ce052ef28227de20961a6bd8a17744655e 100644 (file)
@@ -101,6 +101,15 @@ RSA *sldns_key_buf2rsa_raw(unsigned char* key, size_t len);
  */
 EVP_PKEY* sldns_ed255192pkey_raw(const unsigned char* key, size_t len);
 
+/**
+ * Converts a holding buffer with key material to EVP PKEY in openssl.
+ * Only available if ldns was compiled with ED448.
+ * \param[in] key the uncompressed wireformat of the key.
+ * \param[in] len length of key data
+ * \return the key or NULL on error.
+ */
+EVP_PKEY* sldns_ed4482pkey_raw(const unsigned char* key, size_t len);
+
 /**
  * Utility function to calculate hash using generic EVP_MD pointer.
  * \param[in] data the data to hash.
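Review bot: The doc comment for sldns_ed4482pkey_raw leaves out the two things a caller needs, the accepted key length and who frees the result. Going by the implementation in sldns/keyraw.c, any length other than 57 bytes returns NULL, and the EVP_PKEY is newly allocated by d2i_PUBKEY, so the caller has to release it. I would write `\param[in] key the raw 57-byte ED448 public key.` and `\return a new EVP_PKEY that the caller frees with EVP_PKEY_free(), or NULL on error.`; the phrases "uncompressed wireformat" and "ldns was compiled" appear to be carried over from an older comment and do not describe this function.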
index 06691f822e408e2d04642f33d68f56ec8e499d18..95676e10490559b4dc5ef2f763ec9f99584be2c7 100644 (file)
@@ -548,6 +548,11 @@ verify_test(void)
                verifytest_file("testdata/test_sigs.ed25519", "20170530140439");
        }
 #endif
+#ifdef USE_ED448
+       if(dnskey_algo_id_is_supported(LDNS_ED448)) {
+               verifytest_file("testdata/test_sigs.ed448", "20180408143630");
+       }
+#endif
 #ifdef USE_SHA1
        dstest_file("testdata/test_ds.sha1");
 #endif
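Review bot: The date string `"20180408143630"` passed to verifytest_file is unexplained; it appears to be the verification time, chosen to fall inside the RRSIG validity window (20180405143630 to 20180503143630) of testdata/test_sigs.ed448. A comment such as `/* verify time, inside the RRSIG validity window of the test file */` would keep the two from drifting apart when the vector is regenerated. The test file holds a single valid signature, so only the accept path is exercised; whether the harness can express a must-fail entry is not visible from this hunk. verify_test starts and ends outside the hunk.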
diff --git a/testdata/test_sigs.ed448 b/testdata/test_sigs.ed448
new file mode 100644 (file)
index 0000000..3e5f14f
--- /dev/null
@@ -0,0 +1,21 @@
+; Signature test file
+
+; first entry is a DNSKEY answer, with the DNSKEY rrset used for verification. 
+; later entries are verified with it.
+
+ENTRY_BEGIN
+SECTION QUESTION
+example.com.   IN DNSKEY
+SECTION ANSWER
+example.com.   IN      DNSKEY  256 3 16 zqUQUbOlkWR1cEGLAr/50aOgpFIwyT3juetr4fT9TRIOdEaXK3Pzv6AvA4iNViZ6RAMD2xctd1EA ;{id = 39998 (zsk), size = 456b}
+ENTRY_END
+
+; entry to test
+ENTRY_BEGIN
+SECTION QUESTION
+www.example.com.    IN      A 
+SECTION ANSWER
+mail.example.com.       3600    IN      A       1.2.3.5
+mail.example.com.       3600    IN      RRSIG   A 16 3 3600 20180503143630 20180405143630 39998 example.com. 5T6sjxQ2sB9Crcx8hNKDCteUVc0vNpz8slOa58acb4yLP7dBysp/6dVZwl9/gUN+CWUl6QpkcEMAFx2AcgjPhncYzRpeKCNuJBgBBQrb4Fz2Kvqf7r7H4Day6JrWQDvWcMXf8U9r0Eq06hoJ48M52CkA
+ENTRY_END
+
index 7f5c5181fd2d5977b4b90d7f28994599040991fa..95200a48b61b8b9a4d68bad25e44194004db320e 100644 (file)
@@ -231,7 +231,10 @@ dnskey_algo_id_is_supported(int id)
 #ifdef USE_ED25519
        case LDNS_ED25519:
 #endif
-#if (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2)) || defined(USE_ECDSA)
+#ifdef USE_ED448
+       case LDNS_ED448:
+#endif
+#if (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2)) || defined(USE_ECDSA) || defined(USE_ED25519) || defined(USE_ED448)
                return 1;
 #endif
 
@@ -569,6 +572,17 @@ setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type,
                        *digest_type = NULL;
                        break;
 #endif /* USE_ED25519 */
+#ifdef USE_ED448
+               case LDNS_ED448:
+                       *evp_key = sldns_ed4482pkey_raw(key, keylen);
+                       if(!*evp_key) {
+                               verbose(VERB_QUERY, "verify: "
+                                       "sldns_ed4482pkey_raw failed");
+                               return 0;
+                       }
+                       *digest_type = NULL;
+                       break;
+#endif /* USE_ED448 */
                default:
                        verbose(VERB_QUERY, "verify: unknown algorithm %d", 
                                algo);
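Review bot: `*digest_type = NULL` in the new LDNS_ED448 case carries no comment saying why there is no digest, and the code that consumes it is outside this hunk. ED448 hashes the message as part of the signature scheme, and OpenSSL accepts it only through the one-shot EVP_DigestVerify with a NULL md, so a later change that routes this case through an update/final sequence would most likely make every ED448 signature fail to verify. I would add `/* ED448 hashes internally; verify must be one-shot with a NULL digest */` above the assignment. setup_key_digest starts and ends outside the hunk.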