rsasha256 and rsasha512 not enabled by default.

git-svn-id: file:///svn/unbound/trunk@1631 be551aaa-1e26-0410-a405-d3ace91eadb9

diff --git a/config.h.in b/config.h.in
index ba378b23beb5c651ff3e6063e5787c0499058425..945b5edad53ed58b5776e0522179086a70d17736 100644 (file)
--- a/config.h.in
+++ b/config.h.in
@@ -400,6 +400,9 @@
 /* Define if you want to use internal select based events */
 #undef USE_MINI_EVENT
 
+/* Define this to enable SHA256 and SHA512 support. */
+#undef USE_SHA2
+
 /* Whether the windows socket API is used */
 #undef USE_WINSOCK
 

diff --git a/configure b/configure
index b4643ef62c8114d4d236dcf378b0bfbb44571568..f3bb45892daf606ae2685072ae88512e903d44db 100755 (executable)
--- a/configure
+++ b/configure
@@ -1464,6 +1464,7 @@ Optional Features:
                           optimize for fast installation [default=yes]
   --disable-libtool-lock  avoid locking (might break parallel builds)
   --disable-rpath         disable hardcoded rpath (default=enabled)
+  --enable-sha2           Enable SHA256 and SHA512 RRSIG support
   --enable-static-exe     enable to compile executables statically against
                           event, ldns libs, for debug purposes
   --enable-lock-checks    enable to check lock and unlock calls, for debug
@@ -6881,7 +6882,7 @@ ia64-*-hpux*)
   ;;
 *-*-irix6*)
   # Find out which ABI we are using.
-  echo '#line 6884 "configure"' > conftest.$ac_ext
+  echo '#line 6885 "configure"' > conftest.$ac_ext
   if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
   (eval $ac_compile) 2>&5
   ac_status=$?
@@ -8195,11 +8196,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:8198: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:8199: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:8202: \$? = $ac_status" >&5
+   echo "$as_me:8203: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -8485,11 +8486,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:8488: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:8489: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:8492: \$? = $ac_status" >&5
+   echo "$as_me:8493: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -8589,11 +8590,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:8592: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:8593: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:8596: \$? = $ac_status" >&5
+   echo "$as_me:8597: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -10940,7 +10941,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<EOF
-#line 10943 "configure"
+#line 10944 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -11040,7 +11041,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<EOF
-#line 11043 "configure"
+#line 11044 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -13460,11 +13461,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:13463: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:13464: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:13467: \$? = $ac_status" >&5
+   echo "$as_me:13468: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -13564,11 +13565,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:13567: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:13568: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:13571: \$? = $ac_status" >&5
+   echo "$as_me:13572: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -15128,11 +15129,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:15131: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:15132: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:15135: \$? = $ac_status" >&5
+   echo "$as_me:15136: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -15232,11 +15233,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:15235: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:15236: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:15239: \$? = $ac_status" >&5
+   echo "$as_me:15240: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -17421,11 +17422,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:17424: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:17425: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:17428: \$? = $ac_status" >&5
+   echo "$as_me:17429: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -17711,11 +17712,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:17714: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:17715: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:17718: \$? = $ac_status" >&5
+   echo "$as_me:17719: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -17815,11 +17816,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:17818: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:17819: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:17822: \$? = $ac_status" >&5
+   echo "$as_me:17823: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -23769,6 +23770,23 @@ fi
 done
 
 
+# Check whether --enable-sha2 was given.
+if test "${enable_sha2+set}" = set; then
+  enableval=$enable_sha2;
+fi
+
+case "$enable_sha2" in
+       yes)
+
+cat >>confdefs.h <<_ACEOF
+#define USE_SHA2
+_ACEOF
+
+       ;;
+       no|*)
+       ;;
+esac
+
 # check to see if libraries are needed for these functions.
 { echo "$as_me:$LINENO: checking for library containing inet_pton" >&5
 echo $ECHO_N "checking for library containing inet_pton... $ECHO_C" >&6; }

diff --git a/configure.ac b/configure.ac
index 6fbfcc8ecee701d6691dd9ac466dc54bb2c7ad1e..bee118141a1dab569535e2197a50dff83850c52b 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -348,6 +348,15 @@ ACX_WITH_SSL
 ACX_LIB_SSL
 AC_CHECK_FUNCS([EVP_sha1 EVP_sha256 EVP_sha512 ENGINE_load_gost])
 
+AC_ARG_ENABLE(sha2, AC_HELP_STRING([--enable-sha2], [Enable SHA256 and SHA512 RRSIG support]))
+case "$enable_sha2" in
+       yes)
+       AC_DEFINE_UNQUOTED([USE_SHA2], [], [Define this to enable SHA256 and SHA512 support.])
+       ;;
+       no|*)
+       ;;
+esac
+
 # check to see if libraries are needed for these functions.
 AC_SEARCH_LIBS([inet_pton], [nsl])
 AC_SEARCH_LIBS([socket], [socket])

diff --git a/doc/Changelog b/doc/Changelog
index a422f922bdb4b222e7114310928ac2e6a60250e3..fe1318dde0c4bb261b37f565161856d9bd99b5bb 100644 (file)
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,8 @@
+2 June 2009: Wouter
+       - --enable-sha2 option. The draft rsasha256 changed its algorithm
+         numbers too often.  Therefore it is more prudent to disable the
+         RSASHA256 and RSASHA512 support by default.
+
 29 May 2009: Wouter
        - fixup doc bug in README reported by Matthew Dempsky.
 

diff --git a/doc/README b/doc/README
index eaa781fb815db557ed87ec070bc74ce758d07711..b356588735e0305ecf27c3850ab6d9d20c5d8acc 100644 (file)
--- a/doc/README
+++ b/doc/README
@@ -63,6 +63,8 @@ This software is under BSD license, see LICENSE for details.
        Needs python-devel and swig development tools.
   * --with-pythonmodule
        Compile the python module that processes responses in the server.
+  * --enable-sha2
+       Enable draft support for RSASHA256 and RSASHA512.
 
 * 'make test' attempts to run a series of tests, depending on the support
   programs that are installed.

diff --git a/testcode/testbound.c b/testcode/testbound.c
index e503a27cfec3c30387346392f7077d3825cc8d97..1ed7fc5d1f849fe6ba2df184c78559b1ede35db4 100644 (file)
--- a/testcode/testbound.c
+++ b/testcode/testbound.c
@@ -227,7 +227,7 @@ main(int argc, char* argv[])
        while( (c=getopt(argc, argv, "2ho:p:")) != -1) {
                switch(c) {
                case '2':
-#ifdef HAVE_EVP_SHA256
+#if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
                        printf("SHA256 supported\n");
                        exit(0);
 #else

diff --git a/testcode/unitverify.c b/testcode/unitverify.c
index 857783aeed6326f2692bb47a2c92c0d775932768..651e1d73c5abddf25e4e2ed16b77acbbf54fea36 100644 (file)
--- a/testcode/unitverify.c
+++ b/testcode/unitverify.c
@@ -474,12 +474,14 @@ verify_test()
        verifytest_file("testdata/test_signatures.6", "20080416005004");
        verifytest_file("testdata/test_signatures.7", "20070829144150");
        verifytest_file("testdata/test_signatures.8", "20070829144150");
-#ifdef HAVE_EVP_SHA256
+#if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
        verifytest_file("testdata/test_signatures.9", "20070829144150");
        verifytest_file("testdata/test_signatures.11", "20070829144150");
 #endif
-#ifdef HAVE_EVP_SHA512
+#if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
+       /* Skip test. Algorithm number uncertainty
        verifytest_file("testdata/test_signatures.10", "20070829144150");
+       */
 #endif
        verifytest_file("testdata/test_signatures.12", "20090107100022");
        verifytest_file("testdata/test_signatures.13", "20080414005004");

diff --git a/validator/val_sigcrypt.c b/validator/val_sigcrypt.c
index 9b84ab9f4366ff2e79c6f707e6016ba81f7b4d06..0d2ebf413df7ad476ffd669fbc9d96dbe24197aa 100644 (file)
--- a/validator/val_sigcrypt.c
+++ b/validator/val_sigcrypt.c
@@ -370,10 +370,10 @@ dnskey_algo_id_is_supported(int id)
        case LDNS_RSASHA1:
        case LDNS_RSASHA1_NSEC3:
        case LDNS_RSAMD5:
-#ifdef HAVE_EVP_SHA256
+#if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
        case LDNS_RSASHA256:
 #endif
-#ifdef HAVE_EVP_SHA512
+#if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
        case LDNS_RSASHA512:
 #endif
                return 1;
@@ -1237,10 +1237,10 @@ setup_key_digest(int algo, EVP_PKEY* evp_key, const EVP_MD** digest_type,
                        break;
                case LDNS_RSASHA1:
                case LDNS_RSASHA1_NSEC3:
-#ifdef HAVE_EVP_SHA256
+#if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
                case LDNS_RSASHA256:
 #endif
-#ifdef HAVE_EVP_SHA512
+#if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
                case LDNS_RSASHA512:
 #endif
                        rsa = ldns_key_buf2rsa_raw(key, keylen);
@@ -1256,12 +1256,12 @@ setup_key_digest(int algo, EVP_PKEY* evp_key, const EVP_MD** digest_type,
                        }
 
                        /* select SHA version */
-#ifdef HAVE_EVP_SHA256
+#if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
                        if(algo == LDNS_RSASHA256)
                                *digest_type = EVP_sha256();
                        else
 #endif
-#ifdef HAVE_EVP_SHA512
+#if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
                                if(algo == LDNS_RSASHA512)
                                *digest_type = EVP_sha512();
                        else