- work on --with-nss build option (for now, --with-libunbound-only).
authorWouter Wijngaards <wouter@nlnetlabs.nl>
Wed, 20 Jun 2012 15:11:53 +0000 (15:11 +0000)
committerWouter Wijngaards <wouter@nlnetlabs.nl>
Wed, 20 Jun 2012 15:11:53 +0000 (15:11 +0000)
git-svn-id: file:///svn/unbound/trunk@2690 be551aaa-1e26-0410-a405-d3ace91eadb9

15 files changed:
Makefile.in
config.h.in
configure
configure.ac
daemon/remote.h
doc/Changelog
testcode/unitmain.c
util/alloc.h
util/net_help.c
util/netevent.c
util/random.c
validator/val_neg.c
validator/val_secalgo.c [new file with mode: 0644]
validator/val_secalgo.h [new file with mode: 0644]
validator/val_sigcrypt.c

index 2e682c1dffbf2804874e8beaa9afac4abdc3ad28..74098b4cfe80e83c7aed826ddec1d20ab538cad6 100644 (file)
@@ -100,7 +100,8 @@ util/storage/lruhash.c util/storage/slabhash.c util/timehist.c util/tube.c \
 util/winsock_event.c validator/autotrust.c validator/val_anchor.c \
 validator/validator.c validator/val_kcache.c validator/val_kentry.c \
 validator/val_neg.c validator/val_nsec3.c validator/val_nsec.c \
-validator/val_sigcrypt.c validator/val_utils.c $(CHECKLOCK_SRC)
+validator/val_secalgo.c validator/val_sigcrypt.c \
+validator/val_utils.c $(CHECKLOCK_SRC)
 COMMON_OBJ_WITHOUT_NETCALL=dns.lo infra.lo rrset.lo dname.lo msgencode.lo \
 msgparse.lo msgreply.lo packed_rrset.lo iterator.lo iter_delegpt.lo \
 iter_donotq.lo iter_fwd.lo iter_hints.lo iter_priv.lo iter_resptype.lo \
@@ -110,7 +111,7 @@ fptr_wlist.lo locks.lo log.lo mini_event.lo module.lo net_help.lo \
 random.lo rbtree.lo regional.lo rtt.lo dnstree.lo lookup3.lo lruhash.lo \
 slabhash.lo timehist.lo tube.lo winsock_event.lo autotrust.lo val_anchor.lo \
 validator.lo val_kcache.lo val_kentry.lo val_neg.lo val_nsec3.lo val_nsec.lo \
-val_sigcrypt.lo val_utils.lo $(PYTHONMOD_OBJ) $(CHECKLOCK_OBJ)
+val_secalgo.lo val_sigcrypt.lo val_utils.lo $(PYTHONMOD_OBJ) $(CHECKLOCK_OBJ)
 COMMON_OBJ=$(COMMON_OBJ_WITHOUT_NETCALL) netevent.lo listen_dnsport.lo \
 outside_network.lo
 # set to $COMMON_OBJ or to "" if --enableallsymbols
@@ -534,87 +535,78 @@ depend:
 
 # Dependencies
 dns.lo dns.o: $(srcdir)/services/cache/dns.c config.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/util/log.h \
- $(srcdir)/validator/val_nsec.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
- $(srcdir)/services/cache/dns.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
- $(srcdir)/util/data/dname.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/validator/val_nsec.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
+ $(srcdir)/util/locks.h \
+ $(srcdir)/services/cache/dns.h $(srcdir)/util/data/msgreply.h $(srcdir)/services/cache/rrset.h \
+ $(srcdir)/util/storage/slabhash.h $(srcdir)/util/data/dname.h $(srcdir)/util/module.h \
+ $(srcdir)/util/data/msgparse.h \
  $(srcdir)/util/net_help.h \
  $(srcdir)/util/regional.h $(srcdir)/util/config_file.h
 infra.lo infra.o: $(srcdir)/services/cache/infra.c config.h \
- $(srcdir)/services/cache/infra.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/rtt.h \
- $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/data/dname.h \
- $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h $(srcdir)/iterator/iterator.h \
+ $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
+ $(srcdir)/util/rtt.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lookup3.h \
+ $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h $(srcdir)/iterator/iterator.h \
  $(srcdir)/services/outbound_list.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
  $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h \
  
 rrset.lo rrset.o: $(srcdir)/services/cache/rrset.c config.h $(srcdir)/services/cache/rrset.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
  $(srcdir)/util/storage/slabhash.h $(srcdir)/util/data/packed_rrset.h \
- $(srcdir)/util/config_file.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/regional.h $(srcdir)/util/alloc.h
+ $(srcdir)/util/config_file.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/regional.h $(srcdir)/util/alloc.h
 dname.lo dname.o: $(srcdir)/util/data/dname.c config.h $(srcdir)/util/data/dname.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
  $(srcdir)/util/data/msgparse.h \
  $(srcdir)/util/storage/lookup3.h
 msgencode.lo msgencode.o: $(srcdir)/util/data/msgencode.c config.h \
- $(srcdir)/util/data/msgencode.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/data/dname.h \
- $(srcdir)/util/regional.h $(srcdir)/util/net_help.h
+ $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h \
+ $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/util/data/dname.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h
 msgparse.lo msgparse.o: $(srcdir)/util/data/msgparse.c config.h \
- $(srcdir)/util/data/msgparse.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \
- $(srcdir)/util/data/dname.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lookup3.h \
- $(srcdir)/util/regional.h
+ $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
+ $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/storage/lookup3.h $(srcdir)/util/regional.h
 msgreply.lo msgreply.o: $(srcdir)/util/data/msgreply.c config.h \
- $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h \
- $(srcdir)/util/storage/lookup3.h $(srcdir)/util/alloc.h $(srcdir)/util/netevent.h $(srcdir)/util/net_help.h \
- $(srcdir)/util/data/dname.h $(srcdir)/util/regional.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/util/data/msgencode.h
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/alloc.h \
+ $(srcdir)/util/netevent.h $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h $(srcdir)/util/regional.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/util/data/msgencode.h
 packed_rrset.lo packed_rrset.o: $(srcdir)/util/data/packed_rrset.c config.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
  $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/alloc.h $(srcdir)/util/regional.h \
  $(srcdir)/util/net_help.h
 iterator.lo iterator.o: $(srcdir)/iterator/iterator.c config.h \
- $(srcdir)/iterator/iterator.h \
- $(srcdir)/services/outbound_list.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/module.h \
- $(srcdir)/util/data/msgparse.h $(srcdir)/iterator/iter_utils.h $(srcdir)/iterator/iter_resptype.h \
- $(srcdir)/iterator/iter_hints.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
- $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_donotq.h $(srcdir)/iterator/iter_delegpt.h \
- $(srcdir)/iterator/iter_scrub.h $(srcdir)/iterator/iter_priv.h $(srcdir)/validator/val_neg.h \
- $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/util/netevent.h \
- $(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/util/data/dname.h $(srcdir)/util/data/msgencode.h \
- $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h \
- $(srcdir)/util/config_file.h
+ $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/iterator/iter_utils.h \
+ $(srcdir)/iterator/iter_resptype.h $(srcdir)/iterator/iter_hints.h $(srcdir)/util/storage/dnstree.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_donotq.h \
+ $(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iter_scrub.h $(srcdir)/iterator/iter_priv.h \
+ $(srcdir)/validator/val_neg.h $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/infra.h \
+ $(srcdir)/util/rtt.h $(srcdir)/util/netevent.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h \
+ $(srcdir)/util/data/dname.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \
+ $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/util/config_file.h
 iter_delegpt.lo iter_delegpt.o: $(srcdir)/iterator/iter_delegpt.c config.h $(srcdir)/iterator/iter_delegpt.h \
  $(srcdir)/util/log.h \
- $(srcdir)/services/cache/dns.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/services/cache/dns.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
  $(srcdir)/util/regional.h \
  $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h
 iter_donotq.lo iter_donotq.o: $(srcdir)/iterator/iter_donotq.c config.h $(srcdir)/iterator/iter_donotq.h \
  $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/regional.h $(srcdir)/util/log.h \
- $(srcdir)/util/config_file.h \
- $(srcdir)/util/net_help.h
+ $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h
 iter_fwd.lo iter_fwd.o: $(srcdir)/iterator/iter_fwd.c config.h \
- $(srcdir)/iterator/iter_fwd.h \
- $(srcdir)/util/rbtree.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/util/log.h $(srcdir)/util/config_file.h \
- $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h
-iter_hints.lo iter_hints.o: $(srcdir)/iterator/iter_hints.c config.h \
- $(srcdir)/iterator/iter_hints.h \
- $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/util/log.h \
+ $(srcdir)/iterator/iter_fwd.h $(srcdir)/util/rbtree.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/util/log.h \
  $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h
+iter_hints.lo iter_hints.o: $(srcdir)/iterator/iter_hints.c config.h \
+ $(srcdir)/iterator/iter_hints.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/iterator/iter_delegpt.h $(srcdir)/util/log.h $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h \
+ $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h
 iter_priv.lo iter_priv.o: $(srcdir)/iterator/iter_priv.c config.h \
- $(srcdir)/iterator/iter_priv.h \
- $(srcdir)/util/rbtree.h \
- $(srcdir)/util/regional.h $(srcdir)/util/log.h $(srcdir)/util/config_file.h $(srcdir)/util/data/dname.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/iterator/iter_priv.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/util/regional.h \
+ $(srcdir)/util/log.h $(srcdir)/util/config_file.h $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h \
+ $(srcdir)/util/locks.h $(srcdir)/util/data/msgparse.h \
  $(srcdir)/util/net_help.h \
  $(srcdir)/util/storage/dnstree.h
 iter_resptype.lo iter_resptype.o: $(srcdir)/iterator/iter_resptype.c config.h \
@@ -623,9 +615,8 @@ iter_resptype.lo iter_resptype.o: $(srcdir)/iterator/iter_resptype.c config.h \
  $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/net_help.h \
  $(srcdir)/util/data/dname.h
 iter_scrub.lo iter_scrub.o: $(srcdir)/iterator/iter_scrub.c config.h $(srcdir)/iterator/iter_scrub.h \
- $(srcdir)/iterator/iterator.h \
- $(srcdir)/services/outbound_list.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h \
  $(srcdir)/util/module.h \
  $(srcdir)/util/data/msgparse.h \
  $(srcdir)/iterator/iter_priv.h $(srcdir)/util/rbtree.h $(srcdir)/services/cache/rrset.h \
@@ -633,9 +624,8 @@ iter_scrub.lo iter_scrub.o: $(srcdir)/iterator/iter_scrub.c config.h $(srcdir)/i
  $(srcdir)/util/config_file.h $(srcdir)/util/data/dname.h $(srcdir)/util/alloc.h
 iter_utils.lo iter_utils.o: $(srcdir)/iterator/iter_utils.c config.h $(srcdir)/iterator/iter_utils.h \
  $(srcdir)/iterator/iter_resptype.h \
- $(srcdir)/iterator/iterator.h \
- $(srcdir)/services/outbound_list.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h \
  $(srcdir)/util/module.h \
  $(srcdir)/util/data/msgparse.h \
  $(srcdir)/iterator/iter_hints.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
@@ -651,11 +641,10 @@ listen_dnsport.lo listen_dnsport.o: $(srcdir)/services/listen_dnsport.c config.h
  $(srcdir)/services/outside_network.h $(srcdir)/util/rbtree.h $(srcdir)/util/log.h $(srcdir)/util/config_file.h \
  $(srcdir)/util/net_help.h
 localzone.lo localzone.o: $(srcdir)/services/localzone.c config.h \
- $(srcdir)/services/localzone.h \
- $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h \
- $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/packed_rrset.h \
- $(srcdir)/util/data/msgencode.h $(srcdir)/util/net_help.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/msgparse.h
+ $(srcdir)/services/localzone.h $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
+ $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/util/data/dname.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgencode.h \
+ $(srcdir)/util/net_help.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h
 mesh.lo mesh.o: $(srcdir)/services/mesh.c config.h \
  $(srcdir)/services/mesh.h \
  $(srcdir)/util/rbtree.h $(srcdir)/util/netevent.h $(srcdir)/util/data/msgparse.h \
@@ -666,13 +655,11 @@ mesh.lo mesh.o: $(srcdir)/services/mesh.c config.h \
  $(srcdir)/util/tube.h $(srcdir)/util/alloc.h $(srcdir)/util/config_file.h
 modstack.lo modstack.o: $(srcdir)/services/modstack.c config.h $(srcdir)/services/modstack.h \
  $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
- $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
  $(srcdir)/util/data/msgparse.h \
- $(srcdir)/util/fptr_wlist.h \
- $(srcdir)/util/netevent.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
- $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/validator/validator.h \
- $(srcdir)/validator/val_utils.h $(PYTHONMOD_HEADER)
+ $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h \
+ $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h
 outbound_list.lo outbound_list.o: $(srcdir)/services/outbound_list.c config.h \
  $(srcdir)/services/outbound_list.h $(srcdir)/services/outside_network.h $(srcdir)/util/rbtree.h \
  $(srcdir)/util/netevent.h \
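Review bot: The rewritten modstack.lo prerequisite list drops `$(PYTHONMOD_HEADER)`, which the removed lines carried as the last prerequisite, so in a `--with-pythonmodule` build a change to the python module header no longer rebuilds modstack.lo even though modstack.c is where that header is pulled in. The commit message is about the NSS option, so this looks like a side effect of regenerating the dependencies with `make depend` in a tree configured without the python module rather than an intended change; the fix is to keep it on the new last line, `$(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h $(PYTHONMOD_HEADER)`. The same drop happens to the fptr_wlist.lo rule in the hunk at `@@ -707,38 +693,34 @@`, whose new last line also ends at `$(srcdir)/util/config_file.h` without the conditional header.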
@@ -683,8 +670,7 @@ outside_network.lo outside_network.o: $(srcdir)/services/outside_network.c confi
  $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/rtt.h $(srcdir)/util/data/msgparse.h \
  $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgencode.h \
  $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/fptr_wlist.h \
- $(srcdir)/util/module.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h \
+ $(srcdir)/util/module.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h
 alloc.lo alloc.o: $(srcdir)/util/alloc.c config.h $(srcdir)/util/alloc.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
  $(srcdir)/util/regional.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
@@ -707,38 +693,34 @@ configparser.lo configparser.o: util/configparser.c config.h $(srcdir)/util/conf
  
 fptr_wlist.lo fptr_wlist.o: $(srcdir)/util/fptr_wlist.c config.h $(srcdir)/util/fptr_wlist.h \
  $(srcdir)/util/netevent.h \
- $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/module.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
  $(srcdir)/util/data/msgparse.h \
  $(srcdir)/util/tube.h \
  $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h $(srcdir)/util/mini_event.h \
  $(srcdir)/util/rbtree.h $(srcdir)/daemon/worker.h $(srcdir)/util/alloc.h $(srcdir)/daemon/stats.h \
- $(srcdir)/util/timehist.h $(srcdir)/daemon/remote.h \
- $(srcdir)/services/outside_network.h $(srcdir)/services/localzone.h $(srcdir)/services/cache/infra.h \
- $(srcdir)/util/rtt.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
- $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_fwd.h \
- $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_anchor.h \
- $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_sigcrypt.h $(srcdir)/validator/val_kentry.h \
- $(srcdir)/validator/val_neg.h $(srcdir)/validator/autotrust.h $(srcdir)/util/storage/dnstree.h \
- $(srcdir)/libunbound/libworker.h $(srcdir)/libunbound/context.h $(srcdir)/libunbound/unbound.h \
- $(srcdir)/util/config_file.h $(PYTHONMOD_HEADER)
+ $(srcdir)/util/timehist.h $(srcdir)/daemon/remote.h $(srcdir)/services/outside_network.h \
+ $(srcdir)/services/localzone.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
+ $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/iterator/iterator.h \
+ $(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/validator/validator.h \
+ $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_anchor.h $(srcdir)/validator/val_nsec3.h \
+ $(srcdir)/validator/val_sigcrypt.h $(srcdir)/validator/val_kentry.h $(srcdir)/validator/val_neg.h \
+ $(srcdir)/validator/autotrust.h $(srcdir)/util/storage/dnstree.h $(srcdir)/libunbound/libworker.h \
+ $(srcdir)/libunbound/context.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/config_file.h
 locks.lo locks.o: $(srcdir)/util/locks.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
  
 log.lo log.o: $(srcdir)/util/log.c config.h $(srcdir)/util/log.h \
  $(srcdir)/util/locks.h
 mini_event.lo mini_event.o: $(srcdir)/util/mini_event.c config.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h \
  $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h \
- $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/module.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
  $(srcdir)/util/data/msgparse.h \
  $(srcdir)/util/tube.h \
  $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h
 module.lo module.o: $(srcdir)/util/module.c config.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/util/locks.h $(srcdir)/util/log.h \
- $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
  $(srcdir)/util/data/msgparse.h \
  
 netevent.lo netevent.o: $(srcdir)/util/netevent.c config.h \
@@ -746,20 +728,17 @@ netevent.lo netevent.o: $(srcdir)/util/netevent.c config.h \
  $(srcdir)/util/log.h $(srcdir)/util/net_help.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/util/locks.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
  $(srcdir)/util/data/msgparse.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
- $(srcdir)/services/modstack.h \
- $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h
+ $(srcdir)/services/modstack.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h
 net_help.lo net_help.o: $(srcdir)/util/net_help.c config.h \
  $(srcdir)/util/net_help.h \
  $(srcdir)/util/log.h $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
  $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
- $(srcdir)/util/data/msgparse.h $(srcdir)/util/regional.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/util/regional.h
 random.lo random.o: $(srcdir)/util/random.c config.h $(srcdir)/util/random.h $(srcdir)/util/log.h \
  
 rbtree.lo rbtree.o: $(srcdir)/util/rbtree.c config.h $(srcdir)/util/log.h \
- $(srcdir)/util/fptr_wlist.h \
- $(srcdir)/util/netevent.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
- $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
+ $(srcdir)/util/log.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
  $(srcdir)/util/data/msgparse.h \
  $(srcdir)/util/tube.h \
  $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h
@@ -774,8 +753,7 @@ dnstree.lo dnstree.o: $(srcdir)/util/storage/dnstree.c config.h $(srcdir)/util/s
 lookup3.lo lookup3.o: $(srcdir)/util/storage/lookup3.c config.h $(srcdir)/util/storage/lookup3.h
 lruhash.lo lruhash.o: $(srcdir)/util/storage/lruhash.c config.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/util/locks.h $(srcdir)/util/log.h \
- $(srcdir)/util/fptr_wlist.h \
- $(srcdir)/util/netevent.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
  $(srcdir)/util/data/packed_rrset.h \
  $(srcdir)/util/data/msgparse.h \
  $(srcdir)/util/tube.h \
@@ -794,79 +772,74 @@ tube.lo tube.o: $(srcdir)/util/tube.c config.h $(srcdir)/util/tube.h $(srcdir)/u
  $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h
 winsock_event.lo winsock_event.o: $(srcdir)/util/winsock_event.c config.h
 autotrust.lo autotrust.o: $(srcdir)/validator/autotrust.c config.h \
- $(srcdir)/validator/autotrust.h \
- $(srcdir)/util/rbtree.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_anchor.h $(srcdir)/validator/val_utils.h \
- $(srcdir)/validator/val_sigcrypt.h $(srcdir)/util/data/dname.h $(srcdir)/util/module.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/net_help.h \
+ $(srcdir)/validator/autotrust.h $(srcdir)/util/rbtree.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_anchor.h \
+ $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_sigcrypt.h $(srcdir)/util/data/dname.h \
+ $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/net_help.h \
  $(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/util/random.h $(srcdir)/services/mesh.h \
  $(srcdir)/util/netevent.h $(srcdir)/services/modstack.h $(srcdir)/services/cache/rrset.h \
  $(srcdir)/util/storage/slabhash.h $(srcdir)/validator/val_kcache.h
 val_anchor.lo val_anchor.o: $(srcdir)/validator/val_anchor.c config.h \
- $(srcdir)/validator/val_anchor.h \
- $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_sigcrypt.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/validator/autotrust.h \
- $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h
+ $(srcdir)/validator/val_anchor.h $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
+ $(srcdir)/validator/val_sigcrypt.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
+ $(srcdir)/validator/autotrust.h $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h \
+ $(srcdir)/util/config_file.h
 validator.lo validator.o: $(srcdir)/validator/validator.c config.h \
- $(srcdir)/validator/validator.h \
- $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_anchor.h $(srcdir)/util/rbtree.h \
- $(srcdir)/validator/val_kcache.h $(srcdir)/util/storage/slabhash.h $(srcdir)/validator/val_kentry.h \
- $(srcdir)/validator/val_nsec.h $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_neg.h \
- $(srcdir)/validator/val_sigcrypt.h $(srcdir)/validator/autotrust.h $(srcdir)/services/cache/dns.h \
- $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h \
- $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h \
- $(srcdir)/services/modstack.h
+ $(srcdir)/validator/validator.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
+ $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_anchor.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/validator/val_kcache.h $(srcdir)/util/storage/slabhash.h \
+ $(srcdir)/validator/val_kentry.h $(srcdir)/validator/val_nsec.h $(srcdir)/validator/val_nsec3.h \
+ $(srcdir)/validator/val_neg.h $(srcdir)/validator/val_sigcrypt.h $(srcdir)/validator/autotrust.h \
+ $(srcdir)/services/cache/dns.h $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h \
+ $(srcdir)/util/config_file.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/util/tube.h \
+ $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h
 val_kcache.lo val_kcache.o: $(srcdir)/validator/val_kcache.c config.h $(srcdir)/validator/val_kcache.h \
  $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
- $(srcdir)/validator/val_kentry.h \
- $(srcdir)/util/config_file.h $(srcdir)/util/data/dname.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/validator/val_kentry.h $(srcdir)/util/config_file.h $(srcdir)/util/data/dname.h \
+ $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
  $(srcdir)/util/data/msgparse.h \
  
 val_kentry.lo val_kentry.o: $(srcdir)/validator/val_kentry.c config.h \
- $(srcdir)/validator/val_kentry.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h \
- $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h
-val_neg.lo val_neg.o: $(srcdir)/validator/val_neg.c config.h \
- $(srcdir)/validator/val_neg.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
+ $(srcdir)/validator/val_kentry.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lookup3.h \
+ $(srcdir)/util/regional.h $(srcdir)/util/net_help.h
+val_neg.lo val_neg.o: $(srcdir)/validator/val_neg.c config.h $(srcdir)/validator/val_neg.h $(srcdir)/util/locks.h \
+ $(srcdir)/util/log.h \
  $(srcdir)/util/rbtree.h \
  $(srcdir)/validator/val_nsec.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/validator/val_nsec3.h \
- $(srcdir)/validator/val_utils.h $(srcdir)/util/data/dname.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h $(srcdir)/services/cache/rrset.h \
- $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/dns.h
-val_nsec3.lo val_nsec3.o: $(srcdir)/validator/val_nsec3.c config.h \
- $(srcdir)/validator/val_nsec3.h $(srcdir)/util/rbtree.h $(srcdir)/util/data/packed_rrset.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
- $(srcdir)/validator/validator.h \
- $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/validator/val_utils.h \
- $(srcdir)/validator/val_kentry.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
- $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h $(srcdir)/validator/val_nsec.h
+ $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_utils.h $(srcdir)/util/data/dname.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h \
+ $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/dns.h
+val_nsec3.lo val_nsec3.o: $(srcdir)/validator/val_nsec3.c config.h $(srcdir)/validator/val_nsec3.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
+ $(srcdir)/util/locks.h $(srcdir)/util/log.h \
+ $(srcdir)/validator/validator.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_kentry.h $(srcdir)/services/cache/rrset.h \
+ $(srcdir)/util/storage/slabhash.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h \
+ $(srcdir)/util/data/dname.h $(srcdir)/validator/val_nsec.h
 val_nsec.lo val_nsec.o: $(srcdir)/validator/val_nsec.c config.h \
- $(srcdir)/validator/val_nsec.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
- $(srcdir)/validator/val_utils.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/dname.h \
- $(srcdir)/util/net_help.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/validator/val_nsec.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
+ $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_utils.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h \
  $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h
+val_secalgo.lo val_secalgo.o: $(srcdir)/validator/val_secalgo.c config.h \
+ $(srcdir)/validator/val_secalgo.h
 val_sigcrypt.lo val_sigcrypt.o: $(srcdir)/validator/val_sigcrypt.c config.h \
- $(srcdir)/validator/val_sigcrypt.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
- $(srcdir)/validator/validator.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/msgparse.h $(srcdir)/validator/val_utils.h $(srcdir)/util/data/dname.h \
- $(srcdir)/util/rbtree.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h \
+ $(srcdir)/validator/val_sigcrypt.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
+ $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_secalgo.h $(srcdir)/validator/validator.h \
+ $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/validator/val_utils.h $(srcdir)/util/data/dname.h $(srcdir)/util/rbtree.h $(srcdir)/util/net_help.h \
+ $(srcdir)/util/regional.h
 val_utils.lo val_utils.o: $(srcdir)/validator/val_utils.c config.h $(srcdir)/validator/val_utils.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
- $(srcdir)/validator/validator.h \
- $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/validator/val_kentry.h \
- $(srcdir)/validator/val_sigcrypt.h $(srcdir)/validator/val_anchor.h $(srcdir)/util/rbtree.h \
- $(srcdir)/validator/val_nsec.h $(srcdir)/validator/val_neg.h $(srcdir)/services/cache/rrset.h \
- $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/dns.h $(srcdir)/util/data/dname.h \
- $(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h
+ $(srcdir)/validator/validator.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/validator/val_kentry.h $(srcdir)/validator/val_sigcrypt.h $(srcdir)/validator/val_anchor.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/validator/val_nsec.h $(srcdir)/validator/val_neg.h \
+ $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/dns.h \
+ $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h
 checklocks.lo checklocks.o: $(srcdir)/testcode/checklocks.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
  $(srcdir)/testcode/checklocks.h
 unitanchor.lo unitanchor.o: $(srcdir)/testcode/unitanchor.c config.h \
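Review bot: The new `val_secalgo.lo val_secalgo.o:` rule lists only `config.h` and `$(srcdir)/validator/val_secalgo.h` as prerequisites, while every other validator object in this file depends on at least `$(srcdir)/util/log.h` and the packed_rrset/dname headers. If val_secalgo.c includes any of those in-tree headers (likely for a file that takes over signature verification from val_sigcrypt.c), edits to them will not rebuild it, which is the kind of stale-object problem that is hard to notice in a crypto backend; I cannot confirm its includes from this page, so please regenerate this entry with the `depend` target in a tree configured with the new `--with-nss` option and check the list matches the actual includes. The val_sigcrypt.lo rule correctly picks up `$(srcdir)/validator/val_secalgo.h`, so only the new rule itself looks suspicious.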
@@ -879,8 +852,7 @@ unitdname.lo unitdname.o: $(srcdir)/testcode/unitdname.c config.h \
  $(srcdir)/util/locks.h
 unitlruhash.lo unitlruhash.o: $(srcdir)/testcode/unitlruhash.c config.h $(srcdir)/testcode/unitmain.h \
  $(srcdir)/util/log.h \
- $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/util/locks.h $(srcdir)/util/storage/slabhash.h
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/storage/slabhash.h
 unitmain.lo unitmain.o: $(srcdir)/testcode/unitmain.c config.h \
  $(srcdir)/util/log.h \
  $(srcdir)/testcode/unitmain.h $(srcdir)/util/alloc.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h \
@@ -904,14 +876,12 @@ unitslabhash.lo unitslabhash.o: $(srcdir)/testcode/unitslabhash.c config.h $(src
  $(srcdir)/util/log.h \
  $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h
 unitverify.lo unitverify.o: $(srcdir)/testcode/unitverify.c config.h $(srcdir)/util/log.h \
- $(srcdir)/testcode/unitmain.h \
- $(srcdir)/validator/val_sigcrypt.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/util/locks.h \
- $(srcdir)/validator/val_nsec.h \
- $(srcdir)/validator/val_nsec3.h $(srcdir)/util/rbtree.h $(srcdir)/validator/validator.h $(srcdir)/util/module.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/validator/val_utils.h \
- $(srcdir)/testcode/ldns-testpkts.h \
+ $(srcdir)/testcode/unitmain.h $(srcdir)/validator/val_sigcrypt.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
+ $(srcdir)/validator/val_nsec.h $(srcdir)/validator/val_nsec3.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/validator/validator.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/validator/val_utils.h $(srcdir)/testcode/ldns-testpkts.h \
  $(srcdir)/util/data/dname.h \
  $(srcdir)/util/regional.h $(srcdir)/util/alloc.h $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h
 readhex.lo readhex.o: $(srcdir)/testcode/readhex.c config.h $(srcdir)/testcode/readhex.h \
@@ -920,8 +890,7 @@ ldns-testpkts.lo ldns-testpkts.o: $(srcdir)/testcode/ldns-testpkts.c config.h \
  $(srcdir)/testcode/ldns-testpkts.h
 acl_list.lo acl_list.o: $(srcdir)/daemon/acl_list.c config.h $(srcdir)/daemon/acl_list.h \
  $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/regional.h $(srcdir)/util/log.h \
- $(srcdir)/util/config_file.h \
- $(srcdir)/util/net_help.h
+ $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h
 cachedump.lo cachedump.o: $(srcdir)/daemon/cachedump.c config.h \
  $(srcdir)/daemon/cachedump.h \
  $(srcdir)/daemon/remote.h $(srcdir)/daemon/worker.h $(srcdir)/util/netevent.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
@@ -972,8 +941,8 @@ unbound.lo unbound.o: $(srcdir)/daemon/unbound.c config.h $(srcdir)/util/log.h \
  $(srcdir)/util/config_file.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/services/listen_dnsport.h $(srcdir)/util/netevent.h $(srcdir)/services/cache/rrset.h \
  $(srcdir)/util/data/packed_rrset.h \
- $(srcdir)/services/cache/infra.h \
- $(srcdir)/util/rtt.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/module.h \
+ $(srcdir)/util/data/msgparse.h \
  $(srcdir)/util/net_help.h \
  $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h
 worker.lo worker.o: $(srcdir)/daemon/worker.c config.h \
@@ -982,8 +951,7 @@ worker.lo worker.o: $(srcdir)/daemon/worker.c config.h \
  $(srcdir)/util/locks.h $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/daemon/stats.h \
  $(srcdir)/util/timehist.h $(srcdir)/util/module.h $(srcdir)/daemon/daemon.h $(srcdir)/services/modstack.h \
- $(srcdir)/daemon/remote.h \
- $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
  $(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h \
  $(srcdir)/services/listen_dnsport.h $(srcdir)/services/outside_network.h \
  $(srcdir)/services/outbound_list.h $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h \
@@ -1008,8 +976,7 @@ worker.lo worker.o: $(srcdir)/daemon/worker.c config.h \
  $(srcdir)/util/locks.h $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/daemon/stats.h \
  $(srcdir)/util/timehist.h $(srcdir)/util/module.h $(srcdir)/daemon/daemon.h $(srcdir)/services/modstack.h \
- $(srcdir)/daemon/remote.h \
- $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
  $(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h \
  $(srcdir)/services/listen_dnsport.h $(srcdir)/services/outside_network.h \
  $(srcdir)/services/outbound_list.h $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h \
@@ -1019,8 +986,7 @@ worker.lo worker.o: $(srcdir)/daemon/worker.c config.h \
  $(srcdir)/validator/val_anchor.h
 acl_list.lo acl_list.o: $(srcdir)/daemon/acl_list.c config.h $(srcdir)/daemon/acl_list.h \
  $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/regional.h $(srcdir)/util/log.h \
- $(srcdir)/util/config_file.h \
- $(srcdir)/util/net_help.h
+ $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h
 daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h \
  $(srcdir)/daemon/daemon.h \
  $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h $(srcdir)/daemon/worker.h \
@@ -1049,11 +1015,10 @@ fake_event.lo fake_event.o: $(srcdir)/testcode/fake_event.c config.h $(srcdir)/t
  $(srcdir)/util/netevent.h \
  $(srcdir)/util/net_help.h \
  $(srcdir)/util/log.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
- $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/dname.h \
- $(srcdir)/util/config_file.h $(srcdir)/services/listen_dnsport.h $(srcdir)/services/outside_network.h \
- $(srcdir)/util/rbtree.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/testcode/replay.h \
- $(srcdir)/testcode/ldns-testpkts.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgencode.h \
+ $(srcdir)/util/data/dname.h $(srcdir)/util/config_file.h $(srcdir)/services/listen_dnsport.h \
+ $(srcdir)/services/outside_network.h $(srcdir)/util/rbtree.h $(srcdir)/services/cache/infra.h \
+ $(srcdir)/util/rtt.h $(srcdir)/testcode/replay.h $(srcdir)/testcode/ldns-testpkts.h \
  $(srcdir)/util/fptr_wlist.h \
  $(srcdir)/util/module.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h
 lock_verify.lo lock_verify.o: $(srcdir)/testcode/lock_verify.c config.h $(srcdir)/util/log.h \
@@ -1080,15 +1045,14 @@ memstats.lo memstats.o: $(srcdir)/testcode/memstats.c config.h $(srcdir)/util/lo
  $(srcdir)/util/tube.h \
  $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h
 unbound-checkconf.lo unbound-checkconf.o: $(srcdir)/smallapp/unbound-checkconf.c config.h $(srcdir)/util/log.h \
- $(srcdir)/util/config_file.h \
- $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/config_file.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
  $(srcdir)/util/data/msgparse.h \
  $(srcdir)/util/net_help.h \
  $(srcdir)/util/regional.h $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h \
  $(srcdir)/iterator/iter_fwd.h $(srcdir)/util/rbtree.h $(srcdir)/iterator/iter_hints.h \
  $(srcdir)/util/storage/dnstree.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h \
- $(srcdir)/services/localzone.h $(PYTHONMOD_HEADER)
+ $(srcdir)/services/localzone.h
 worker_cb.lo worker_cb.o: $(srcdir)/smallapp/worker_cb.c config.h $(srcdir)/util/log.h \
  $(srcdir)/services/mesh.h \
  $(srcdir)/util/rbtree.h $(srcdir)/util/netevent.h $(srcdir)/util/data/msgparse.h \
@@ -1102,20 +1066,20 @@ context.lo context.o: $(srcdir)/libunbound/context.c config.h $(srcdir)/libunbou
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/util/module.h \
  $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/util/config_file.h \
- $(srcdir)/util/net_help.h $(srcdir)/services/localzone.h $(srcdir)/services/cache/rrset.h \
- $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h
+ $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h $(srcdir)/services/localzone.h \
+ $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h \
+ $(srcdir)/util/rtt.h
 libunbound.lo libunbound.o: $(srcdir)/libunbound/libunbound.c $(srcdir)/libunbound/unbound.h config.h \
  $(srcdir)/libunbound/context.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
  $(srcdir)/util/alloc.h \
  $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h $(srcdir)/util/data/packed_rrset.h \
  $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/libunbound/libworker.h \
- $(srcdir)/util/config_file.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/msgparse.h \
- $(srcdir)/util/regional.h $(srcdir)/util/random.h $(srcdir)/util/net_help.h $(srcdir)/util/tube.h \
- $(srcdir)/services/localzone.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
- $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h
+ $(srcdir)/libunbound/libworker.h $(srcdir)/util/config_file.h $(srcdir)/util/module.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/util/regional.h \
+ $(srcdir)/util/random.h $(srcdir)/util/net_help.h $(srcdir)/util/tube.h $(srcdir)/services/localzone.h \
+ $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/services/cache/rrset.h \
+ $(srcdir)/util/storage/slabhash.h
 libworker.lo libworker.o: $(srcdir)/libunbound/libworker.c config.h \
  $(srcdir)/libunbound/libworker.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/libunbound/context.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h \
@@ -1135,36 +1099,30 @@ asynclook.lo asynclook.o: $(srcdir)/testcode/asynclook.c config.h $(srcdir)/libu
  $(srcdir)/util/storage/lruhash.h \
  
 streamtcp.lo streamtcp.o: $(srcdir)/testcode/streamtcp.c config.h \
- $(srcdir)/util/locks.h $(srcdir)/util/log.h \
- $(srcdir)/util/net_help.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/util/locks.h \
+ $(srcdir)/util/log.h $(srcdir)/util/net_help.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/msgparse.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
- $(srcdir)/util/data/dname.h \
+ $(srcdir)/util/data/dname.h
 perf.lo perf.o: $(srcdir)/testcode/perf.c config.h \
- $(srcdir)/util/log.h $(srcdir)/util/locks.h \
- $(srcdir)/util/net_help.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/util/log.h \
+ $(srcdir)/util/locks.h $(srcdir)/util/net_help.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/msgreply.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h
 delayer.lo delayer.o: $(srcdir)/testcode/delayer.c config.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \
  $(srcdir)/util/config_file.h
 harvest.lo harvest.o: $(srcdir)/testcode/harvest.c config.h \
  $(srcdir)/libunbound/unbound.h
-unbound-control.lo unbound-control.o: $(srcdir)/smallapp/unbound-control.c config.h \
- $(srcdir)/util/log.h \
- $(srcdir)/util/config_file.h \
- $(srcdir)/util/locks.h $(srcdir)/util/net_help.h
+unbound-control.lo unbound-control.o: $(srcdir)/smallapp/unbound-control.c config.h $(srcdir)/util/log.h \
+ $(srcdir)/util/config_file.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h
 unbound-anchor.lo unbound-anchor.o: $(srcdir)/smallapp/unbound-anchor.c config.h $(srcdir)/libunbound/unbound.h \
  
-petal.lo petal.o: $(srcdir)/testcode/petal.c config.h \
+petal.lo petal.o: $(srcdir)/testcode/petal.c config.h
 pythonmod_utils.lo pythonmod_utils.o: $(srcdir)/pythonmod/pythonmod_utils.c config.h $(srcdir)/util/module.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
- $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
  $(srcdir)/util/data/msgparse.h \
  $(srcdir)/util/netevent.h \
  $(srcdir)/util/net_help.h $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/rrset.h \
- $(srcdir)/util/storage/slabhash.h $(srcdir)/util/regional.h \
+ $(srcdir)/util/storage/slabhash.h $(srcdir)/util/regional.h
 win_svc.lo win_svc.o: $(srcdir)/winrc/win_svc.c config.h $(srcdir)/winrc/win_svc.h $(srcdir)/winrc/w_inst.h \
  $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
  $(srcdir)/util/alloc.h \
@@ -1172,8 +1130,8 @@ win_svc.lo win_svc.o: $(srcdir)/winrc/win_svc.c config.h $(srcdir)/winrc/win_svc
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/packed_rrset.h \
  $(srcdir)/util/data/msgparse.h \
  $(srcdir)/daemon/stats.h \
- $(srcdir)/util/timehist.h $(srcdir)/util/module.h $(srcdir)/daemon/remote.h \
- $(srcdir)/util/config_file.h $(srcdir)/util/winsock_event.h
+ $(srcdir)/util/timehist.h $(srcdir)/util/module.h $(srcdir)/daemon/remote.h $(srcdir)/util/config_file.h \
+ $(srcdir)/util/winsock_event.h
 w_inst.lo w_inst.o: $(srcdir)/winrc/w_inst.c config.h $(srcdir)/winrc/w_inst.h $(srcdir)/winrc/win_svc.h
 unbound-service-install.lo unbound-service-install.o: $(srcdir)/winrc/unbound-service-install.c config.h \
  $(srcdir)/winrc/w_inst.h
index cacf294b9089ce6da6c7d4437c11f15f489c6532..a040960395e1c3530697dedee4d1dd1dab42eab6 100644 (file)
 /* Define to 1 if you have the <netinet/in.h> header file. */
 #undef HAVE_NETINET_IN_H
 
+/* Use libnss for crypto */
+#undef HAVE_NSS
+
 /* Define to 1 if you have the `OPENSSL_config' function. */
 #undef HAVE_OPENSSL_CONFIG
 
index fb8e7959e76271f3cfdf7afd260eac581fe587a2..a9025eb49a2790e6f0ce345ef1842e3ac39dd292 100755 (executable)
--- a/configure
+++ b/configure
@@ -790,6 +790,7 @@ with_pthreads
 with_solaris_threads
 with_pyunbound
 with_pythonmodule
+with_nss
 with_ssl
 enable_sha2
 enable_gost
@@ -1491,6 +1492,7 @@ Optional Packages:
                           (default=no)
   --with-pythonmodule     build Python module, or --without-pythonmodule to
                           disable script engine. (default=no)
+  --with-nss=path         use libnss instead of openssl, installed at path.
   --with-ssl=pathname     enable SSL (will check /usr/local/ssl /usr/lib/ssl
                           /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw
                           /usr)
@@ -15992,6 +15994,38 @@ CONFIG_DATE=`date +%Y%m%d`
 
 # Checks for libraries.
 
+# libnss
+USE_NSS="no"
+
+# Check whether --with-nss was given.
+if test "${with_nss+set}" = set; then :
+  withval=$with_nss;
+       USE_NSS="yes"
+
+$as_echo "#define HAVE_NSS 1" >>confdefs.h
+
+       if test "$withval" != "/usr" -a "$withval" != "" -a "$withval" != "yes"; then
+               CPPFLAGS="$CPPFLAGS -I$withval/include"
+               LDFLAGS="$LDFLAGS -L$withval/lib"
+
+       if test "x$enable_rpath" = xyes; then
+               if echo "$withval/lib" | grep "^/" >/dev/null; then
+                       RUNTIME_PATH="$RUNTIME_PATH -R$withval/lib"
+               fi
+       fi
+
+               CPPFLAGS="-I$withval/include/nspr4 $CPPFLAGS"
+       else
+               CPPFLAGS="-I/usr/include/nspr4 $CPPFLAGS"
+       fi
+
+
+fi
+
+
+# openssl
+if test $USE_NSS = "no"; then
+
 
 # Check whether --with-ssl was given.
 if test "${with_ssl+set}" = set; then :
@@ -16456,6 +16490,8 @@ cat >>confdefs.h <<_ACEOF
 #define HAVE_DECL_SK_SSL_COMP_POP_FREE $ac_have_decl
 _ACEOF
 
+fi
+
 
 # Check whether --enable-sha2 was given.
 if test "${enable_sha2+set}" = set; then :
@@ -16480,6 +16516,7 @@ if test "${enable_gost+set}" = set; then :
 fi
 
 use_gost="no"
+if test $USE_NSS = "no"; then
 case "$enable_gost" in
        no)
        ;;
@@ -16491,7 +16528,7 @@ else
   as_fn_error $? "OpenSSL 1.0.0 is needed for GOST support" "$LINENO" 5
 fi
 
-        ac_fn_c_check_func "$LINENO" "EC_KEY_new" "ac_cv_func_EC_KEY_new"
+       ac_fn_c_check_func "$LINENO" "EC_KEY_new" "ac_cv_func_EC_KEY_new"
 if test "x$ac_cv_func_EC_KEY_new" = xyes; then :
 
 else
@@ -16613,7 +16650,7 @@ fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_gost_works" >&5
 $as_echo "$ac_cv_c_gost_works" >&6; }
 
-       if test $ac_cv_c_gost_works != no; then
+       if test "$ac_cv_c_gost_works" != no; then
                use_gost="yes"
 
 $as_echo "#define USE_GOST 1" >>confdefs.h
@@ -16621,7 +16658,7 @@ $as_echo "#define USE_GOST 1" >>confdefs.h
        fi
        ;;
 esac
-
+fi
 # Check whether --enable-ecdsa was given.
 if test "${enable_ecdsa+set}" = set; then :
   enableval=$enable_ecdsa;
@@ -16632,21 +16669,22 @@ case "$enable_ecdsa" in
     no)
       ;;
     *)
-      ac_fn_c_check_func "$LINENO" "ECDSA_sign" "ac_cv_func_ECDSA_sign"
+      if test $USE_NSS = "no"; then
+             ac_fn_c_check_func "$LINENO" "ECDSA_sign" "ac_cv_func_ECDSA_sign"
 if test "x$ac_cv_func_ECDSA_sign" = xyes; then :
 
 else
   as_fn_error $? "OpenSSL does not support ECDSA: please upgrade or rerun with --disable-ecdsa" "$LINENO" 5
 fi
 
-      ac_fn_c_check_func "$LINENO" "SHA384_Init" "ac_cv_func_SHA384_Init"
+             ac_fn_c_check_func "$LINENO" "SHA384_Init" "ac_cv_func_SHA384_Init"
 if test "x$ac_cv_func_SHA384_Init" = xyes; then :
 
 else
   as_fn_error $? "OpenSSL does not support SHA384: please upgrade or rerun with --disable-ecdsa" "$LINENO" 5
 fi
 
-      ac_fn_c_check_decl "$LINENO" "NID_X9_62_prime256v1" "ac_cv_have_decl_NID_X9_62_prime256v1" "$ac_includes_default
+             ac_fn_c_check_decl "$LINENO" "NID_X9_62_prime256v1" "ac_cv_have_decl_NID_X9_62_prime256v1" "$ac_includes_default
 #include <openssl/evp.h>
 
 "
@@ -16683,20 +16721,21 @@ else
   as_fn_error $? "OpenSSL does not support the ECDSA curves: please upgrade or rerun with --disable-ecdsa" "$LINENO" 5
 fi
 
-      # see if OPENSSL 1.0.0 or later (has EVP MD and Verify independency)
-      { $as_echo "$as_me:${as_lineno-$LINENO}: checking if openssl supports SHA2 and ECDSA with EVP" >&5
+             # see if OPENSSL 1.0.0 or later (has EVP MD and Verify independency)
+             { $as_echo "$as_me:${as_lineno-$LINENO}: checking if openssl supports SHA2 and ECDSA with EVP" >&5
 $as_echo_n "checking if openssl supports SHA2 and ECDSA with EVP... " >&6; }
-      if grep OPENSSL_VERSION_NUMBER $ssldir/include/openssl/opensslv.h | grep 0x0 >/dev/null; then
-       { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+             if grep OPENSSL_VERSION_NUMBER $ssldir/include/openssl/opensslv.h | grep 0x0 >/dev/null; then
+               { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 
 cat >>confdefs.h <<_ACEOF
 #define USE_ECDSA_EVP_WORKAROUND 1
 _ACEOF
 
-      else
-       { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+             else
+               { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
+             fi
       fi
       # we now know we have ECDSA and the required curves.
 
@@ -17875,11 +17914,15 @@ if test "x$ac_cv_func_ldns_buffer_copy" = xyes; then :
 
 fi
 
-ac_fn_c_check_func "$LINENO" "ldns_key_buf2rsa_raw" "ac_cv_func_ldns_key_buf2rsa_raw"
+if test $USE_NSS = "no"; then
+    ac_fn_c_check_func "$LINENO" "ldns_key_buf2rsa_raw" "ac_cv_func_ldns_key_buf2rsa_raw"
 if test "x$ac_cv_func_ldns_key_buf2rsa_raw" = xyes; then :
 
 fi
 
+else
+        ac_cv_func_ldns_key_buf2rsa_raw="yes"
+fi
 ac_fn_c_check_func "$LINENO" "ldns_get_random" "ac_cv_func_ldns_get_random"
 if test "x$ac_cv_func_ldns_get_random" = xyes; then :
 
@@ -17890,7 +17933,7 @@ if test "x$ac_cv_func_ldns_b32_ntop_extended_hex" = xyes; then :
 
 fi
 
-if test x$use_gost = xyes; then
+if test x$use_gost = xyes -a x$USE_NSS = xno; then
     ac_fn_c_check_func "$LINENO" "ldns_key_EVP_load_gost_id" "ac_cv_func_ldns_key_EVP_load_gost_id"
 if test "x$ac_cv_func_ldns_key_EVP_load_gost_id" = xyes; then :
 
@@ -17908,7 +17951,7 @@ fi
 done
 
 else
-    ac_cv_func_ldns_key_EVP_load_gost_id="yes"
+        ac_cv_func_ldns_key_EVP_load_gost_id="yes"
 fi
 if test x$use_ecdsa = xyes; then
     ac_fn_c_check_decl "$LINENO" "LDNS_ECDSAP384SHA384" "ac_cv_have_decl_LDNS_ECDSAP384SHA384" "
index 3bb273b19eba43752269a93930b2c0b66bc5fd96..5f9b265a4da8d1561f5a2c4261560b8f0105396d 100644 (file)
@@ -512,6 +512,28 @@ CONFIG_DATE=`date +%Y%m%d`
 AC_SUBST(CONFIG_DATE)
 
 # Checks for libraries.
+
+# libnss
+USE_NSS="no"
+AC_ARG_WITH([nss], AC_HELP_STRING([--with-nss=path],
+       [use libnss instead of openssl, installed at path.]),
+       [
+       USE_NSS="yes"
+       AC_DEFINE(HAVE_NSS, 1, [Use libnss for crypto])
+       if test "$withval" != "/usr" -a "$withval" != "" -a "$withval" != "yes"; then
+               CPPFLAGS="$CPPFLAGS -I$withval/include"
+               LDFLAGS="$LDFLAGS -L$withval/lib"
+               ACX_RUNTIME_PATH_ADD([$withval/lib])
+               CPPFLAGS="-I$withval/include/nspr4 $CPPFLAGS"
+       else
+               CPPFLAGS="-I/usr/include/nspr4 $CPPFLAGS"
+       fi
+        LIBS="$LIBS -lnss3 -lnspr4"
+       ]
+)
+
+# openssl
+if test $USE_NSS = "no"; then
 ACX_WITH_SSL
 ACX_LIB_SSL
 AC_CHECK_HEADERS([openssl/conf.h],,, [AC_INCLUDES_DEFAULT])
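Review bot: `AC_DEFINE(HAVE_NSS, 1, ...)` on line 873 and `LIBS="$LIBS -lnss3 -lnspr4"` on line 882 take effect solely because --with-nss was passed; nothing verifies that the NSS headers are reachable or that -lnss3/-lnspr4 actually link, so a wrong path only surfaces as a compile or link failure much later. An `AC_CHECK_HEADER([nss3/nss.h], [], [AC_MSG_ERROR([NSS headers not found])])` plus `AC_CHECK_LIB([nss3], [NSS_NoDB_Init], [], [AC_MSG_ERROR([libnss3 not found])], [-lnspr4])` after the flag setup would fail configure with a clear message instead. The regenerated `configure` in this commit (the hunk that adds `-I$withval/include/nspr4`) appears to lack the LIBS line, so it looks out of date relative to this configure.ac. `$withval` is also spliced into CPPFLAGS/LDFLAGS unquoted, and the LIBS line is indented with spaces where the surrounding block uses tabs.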
@@ -537,6 +559,8 @@ AC_INCLUDES_DEFAULT
 #include <openssl/ssl.h>
 #include <openssl/evp.h>
 ])
+fi
+
 
 AC_ARG_ENABLE(sha2, AC_HELP_STRING([--disable-sha2], [Disable SHA256 and SHA512 RRSIG support]))
 case "$enable_sha2" in
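Review bot: The `fi` added on line 895 closes the `if test $USE_NSS = "no"` opened some fifty lines earlier around the whole OpenSSL block, but unlike the closer in the GOST hunk it carries no marker; `fi dnl !USE_NSS` would make the pairing visible to the next reader. The enclosing if starts outside this hunk.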
@@ -647,19 +671,21 @@ AC_MSG_RESULT($ac_cv_c_gost_works)
 
 AC_ARG_ENABLE(gost, AC_HELP_STRING([--disable-gost], [Disable GOST support]))
 use_gost="no"
+if test $USE_NSS = "no"; then
 case "$enable_gost" in
        no)
        ;;
        *)
        AC_CHECK_FUNC(EVP_PKEY_set_type_str, [:],[AC_MSG_ERROR([OpenSSL 1.0.0 is needed for GOST support])])
-        AC_CHECK_FUNC(EC_KEY_new, [], [AC_MSG_ERROR([OpenSSL does not support ECC, needed for GOST support])])
+       AC_CHECK_FUNC(EC_KEY_new, [], [AC_MSG_ERROR([OpenSSL does not support ECC, needed for GOST support])])
        AC_CHECK_GOST_WORKS
-       if test $ac_cv_c_gost_works != no; then
+       if test "$ac_cv_c_gost_works" != no; then
                use_gost="yes"
                AC_DEFINE([USE_GOST], [1], [Define this to enable GOST support.])
        fi
        ;;
 esac
+fi dnl !USE_NSS
 
 AC_ARG_ENABLE(ecdsa, AC_HELP_STRING([--disable-ecdsa], [Disable ECDSA support]))
 use_ecdsa="no"
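Review bot: With --with-nss, `--enable-gost` is now silently ignored: the `if test $USE_NSS = "no"` on line 904 skips the whole case block, `use_gost` stays "no" and nothing is printed, so a user who asked for GOST gets a build without it and no diagnostic. An `else` arm before the `fi dnl !USE_NSS` on line 920, guarded on `$enable_gost` so a plain --disable-gost stays quiet, e.g. `AC_MSG_WARN([GOST support is not available with --with-nss])`, would surface that. The hunk also starts quoting `$ac_cv_c_gost_works` on line 914 but leaves `$USE_NSS` unquoted on line 904 and in the sibling tests on lines 887, 931 and 961; harmless since USE_NSS is only ever "yes" or "no", but `"$USE_NSS"` would match the style being introduced.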
@@ -667,18 +693,20 @@ case "$enable_ecdsa" in
     no)
       ;;
     *)
-      AC_CHECK_FUNC(ECDSA_sign, [], [AC_MSG_ERROR([OpenSSL does not support ECDSA: please upgrade or rerun with --disable-ecdsa])])
-      AC_CHECK_FUNC(SHA384_Init, [], [AC_MSG_ERROR([OpenSSL does not support SHA384: please upgrade or rerun with --disable-ecdsa])])
-      AC_CHECK_DECLS([NID_X9_62_prime256v1, NID_secp384r1], [], [AC_MSG_ERROR([OpenSSL does not support the ECDSA curves: please upgrade or rerun with --disable-ecdsa])], [AC_INCLUDES_DEFAULT
+      if test $USE_NSS = "no"; then
+             AC_CHECK_FUNC(ECDSA_sign, [], [AC_MSG_ERROR([OpenSSL does not support ECDSA: please upgrade or rerun with --disable-ecdsa])])
+             AC_CHECK_FUNC(SHA384_Init, [], [AC_MSG_ERROR([OpenSSL does not support SHA384: please upgrade or rerun with --disable-ecdsa])])
+             AC_CHECK_DECLS([NID_X9_62_prime256v1, NID_secp384r1], [], [AC_MSG_ERROR([OpenSSL does not support the ECDSA curves: please upgrade or rerun with --disable-ecdsa])], [AC_INCLUDES_DEFAULT
 #include <openssl/evp.h>
-      ])
-      # see if OPENSSL 1.0.0 or later (has EVP MD and Verify independency)
-      AC_MSG_CHECKING([if openssl supports SHA2 and ECDSA with EVP])
-      if grep OPENSSL_VERSION_NUMBER $ssldir/include/openssl/opensslv.h | grep 0x0 >/dev/null; then
-       AC_MSG_RESULT([no])
-       AC_DEFINE_UNQUOTED([USE_ECDSA_EVP_WORKAROUND], [1], [Define this to enable an EVP workaround for older openssl])
-      else
-       AC_MSG_RESULT([yes])
+             ])
+             # see if OPENSSL 1.0.0 or later (has EVP MD and Verify independency)
+             AC_MSG_CHECKING([if openssl supports SHA2 and ECDSA with EVP])
+             if grep OPENSSL_VERSION_NUMBER $ssldir/include/openssl/opensslv.h | grep 0x0 >/dev/null; then
+               AC_MSG_RESULT([no])
+               AC_DEFINE_UNQUOTED([USE_ECDSA_EVP_WORKAROUND], [1], [Define this to enable an EVP workaround for older openssl])
+             else
+               AC_MSG_RESULT([yes])
+             fi
       fi
       # we now know we have ECDSA and the required curves.
       AC_DEFINE_UNQUOTED([USE_ECDSA], [1], [Define this to enable ECDSA support.])
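Review bot: On the NSS path the checks on lines 931–952 are skipped entirely, yet `AC_DEFINE_UNQUOTED([USE_ECDSA], [1], ...)` on line 955 is still reached, so the build advertises ECDSA support without any evidence that the NSS library provides it, and the comment `# we now know we have ECDSA and the required curves.` on line 954 is no longer accurate there. Either gate that define on the same `$USE_NSS = "no"` test until an NSS-side capability check exists, or reword the comment to say that the NSS build assumes ECDSA is available. The enclosing `case "$enable_ecdsa"` starts outside this hunk.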
@@ -1002,13 +1030,19 @@ AC_CHECK_LIB(ldns, ldns_rr_new,,[
        AC_MSG_ERROR([No ldns library found, install the ldns library into system lib dir or use --with-ldns=path to other location.  The --with-ldns can point to the make-dir of ldns.  Install the package ldns or download source http://www.nlnetlabs.nl/projects/ldns])
 ])
 AC_CHECK_FUNC(ldns_buffer_copy)
-AC_CHECK_FUNC(ldns_key_buf2rsa_raw)
+if test $USE_NSS = "no"; then
+    AC_CHECK_FUNC(ldns_key_buf2rsa_raw)
+else
+    dnl ignore test
+    ac_cv_func_ldns_key_buf2rsa_raw="yes"
+fi
 AC_CHECK_FUNC(ldns_get_random)
 AC_CHECK_FUNC(ldns_b32_ntop_extended_hex)
-if test x$use_gost = xyes; then
+if test x$use_gost = xyes -a x$USE_NSS = xno; then
     AC_CHECK_FUNC(ldns_key_EVP_load_gost_id)
     AC_CHECK_FUNCS([ldns_key_EVP_unload_gost])
 else
+    dnl ignore test
     ac_cv_func_ldns_key_EVP_load_gost_id="yes"
 fi
 if test x$use_ecdsa = xyes; then
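Review bot: `ac_cv_func_ldns_key_buf2rsa_raw="yes"` on line 965 presets an autoconf cache variable by hand to skip the check, and `ac_cv_func_ldns_key_EVP_load_gost_id="yes"` on line 975 does the same in the pre-existing branch; because AC_CACHE_SAVE writes out every `*_cv_*` shell variable, a `configure -C` run with --with-nss should leave these fabricated "yes" answers in config.cache, where a later OpenSSL configuration would pick them up as if the functions had been tested. If the intent is presumably only to satisfy a later `if test "$ac_cv_func_..."` guard, a plain shell variable for that guard (or clearing the value after use) avoids poisoning the cache. Adding the reason to the `dnl ignore test` comment, e.g. `dnl ignore test: ldns RSA/GOST helpers are only used on the OpenSSL path`, would help too.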
index 5919be4f2a3e2c484aad869e3b534fe92475d7b7..8d5b4125743366cd338b592da5a06a3cbdc0313e 100644 (file)
@@ -69,8 +69,10 @@ struct rc_state {
        struct comm_point* c;
        /** in the handshake part */
        enum { rc_none, rc_hs_read, rc_hs_write } shake_state;
+#ifdef HAVE_SSL
        /** the ssl state */
        SSL* ssl;
+#endif
        /** the rc this is part of */
        struct daemon_remote* rc;
 };
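Review bot: The `#endif` on line 986 (and the one on line 997 in the next hunk) carries no trailing comment, while the same commit writes `#endif /* HAVE_SSL */` for the declaration block further down in this header; with several HAVE_SSL guards in one file, labelling each closer keeps them readable. `#endif /* HAVE_SSL */` for both.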
@@ -93,8 +95,10 @@ struct daemon_remote {
        int max_active;
        /** current commpoints busy; should be a short list, malloced */
        struct rc_state* busy_list;
+#ifdef HAVE_SSL
        /** the SSL context for creating new SSL streams */
        SSL_CTX* ctx;
+#endif
 };
 
 /**
@@ -159,6 +163,7 @@ int remote_accept_callback(struct comm_point*, void*, int, struct comm_reply*);
 /** handle remote control data callbacks */
 int remote_control_callback(struct comm_point*, void*, int, struct comm_reply*);
 
+#ifdef HAVE_SSL
 /** 
  * Print fixed line of text over ssl connection in blocking mode
  * @param ssl: print to
@@ -185,6 +190,7 @@ int ssl_printf(SSL* ssl, const char* format, ...)
  * @return false on connection failure.
  */
 int ssl_read_line(SSL* ssl, char* buf, size_t max);
+#endif /* HAVE_SSL */
 
 /** routine to printout option values over SSL */
 void remote_get_opt_ssl(char* line, void* arg);
index 7dd354e6da8e495abbe1dfcc4734df70cd89e694..10bc301186c8181fd201505687ad99028212b682 100644 (file)
@@ -1,3 +1,6 @@
+20 June 2012: Wouter
+       - work on --with-nss build option (for now, --with-libunbound-only).
+
 19 June 2012: Wouter
        - --with-libunbound-only build option, only builds the library and
          not the daemon and other tools.
index f381b0b03e2351d34ea9d29a7a7cde03d21d4566..6dcb95eb9f0e6c29c7dc1f0717879f4a9daef1a4 100644 (file)
 #ifdef HAVE_OPENSSL_ENGINE_H
 #include <openssl/engine.h>
 #endif
+
+#ifdef HAVE_NSS
+#include "nss3/nss.h"
+#endif
+
 #include <ldns/ldns.h>
 #include "util/log.h"
 #include "testcode/unitmain.h"
@@ -555,13 +560,18 @@ main(int argc, char* argv[])
                return 1;
        }
        printf("Start of %s unit test.\n", PACKAGE_STRING);
+#ifdef HAVE_SSL
        ERR_load_crypto_strings();
-#ifdef HAVE_OPENSSL_CONFIG
+#  ifdef HAVE_OPENSSL_CONFIG
        OPENSSL_config("unbound");
-#endif
-#ifdef USE_GOST
+#  endif
+#  ifdef USE_GOST
        (void)ldns_key_EVP_load_gost_id();
-#endif
+#  endif
+#elif defined(HAVE_NSS)
+       if(NSS_NoDB_Init(".") != SECSuccess)
+               fatal_exit("could not init NSS");
+#endif /* HAVE_SSL or HAVE_NSS*/
        checklock_start();
        neg_test();
        rnd_test();
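Review bot: `#endif /* HAVE_SSL or HAVE_NSS*/` on line 1056 is missing the space before `*/` that its counterpart at the end of main uses; `#endif /* HAVE_SSL or HAVE_NSS */` keeps the two consistent. The NSS failure branch on lines 1054–1055 also gives no reason for the failure; if fatal_exit is printf-style, `fatal_exit("could not init NSS: error %d", (int)PR_GetError());` (PR_GetError from NSPR) would make a misconfigured NSS install easier to diagnose. main() begins outside this hunk.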
@@ -579,18 +589,23 @@ main(int argc, char* argv[])
        msgparse_test();
        checklock_stop();
        printf("%d checks ok.\n", testcount);
-#if defined(USE_GOST) && defined(HAVE_LDNS_KEY_EVP_UNLOAD_GOST)
+#ifdef HAVE_SSL
+#  if defined(USE_GOST) && defined(HAVE_LDNS_KEY_EVP_UNLOAD_GOST)
        ldns_key_EVP_unload_gost();
-#endif
-#ifdef HAVE_OPENSSL_CONFIG
+#  endif
+#  ifdef HAVE_OPENSSL_CONFIG
        EVP_cleanup();
        ENGINE_cleanup();
        CONF_modules_free();
-#endif
+#  endif
        CRYPTO_cleanup_all_ex_data();
        ERR_remove_state(0);
        ERR_free_strings();
        RAND_cleanup();
+#elif defined(HAVE_NSS)
+       if(NSS_Shutdown() != SECSuccess)
+               fatal_exit("could not shutdown NSS");
+#endif /* HAVE_SSL or HAVE_NSS */
 #ifdef HAVE_PTHREAD
        /* dlopen frees its thread specific state */
        pthread_exit(NULL);
index 4ed0053e2b4afab0fd1ba201b61280acd42bd5a3..cded1445b4f3ef1f7df21fa1263a4b2efa477d2e 100644 (file)
@@ -178,7 +178,9 @@ void alloc_set_id_cleanup(struct alloc_cache* alloc, void (*cleanup)(void*),
 
 #ifdef UNBOUND_ALLOC_LITE
 #  include <ldns/packet.h>
-#  include <openssl/ssl.h>
+#  ifdef HAVE_OPENSSL_SSL_H
+#    include <openssl/ssl.h>
+#  endif
 #  define malloc(s) unbound_stat_malloc_lite(s, __FILE__, __LINE__, __func__)
 #  define calloc(n,s) unbound_stat_calloc_lite(n, s, __FILE__, __LINE__, __func__)
 #  define free(p) unbound_stat_free_lite(p, __FILE__, __LINE__, __func__)
index 6be5fcc3132ad7f27b2b6639fa808b616258d654..964ecf2e681242cf8a1b62162b48f65da41a25d3 100644 (file)
 #include "util/module.h"
 #include "util/regional.h"
 #include <fcntl.h>
+#ifdef HAVE_OPENSSL_SSL_H
 #include <openssl/ssl.h>
+#endif
+#ifdef HAVE_OPENSSL_ERR_H
 #include <openssl/err.h>
+#endif
 
 /** max length of an IP address (the address portion) that we allow */
 #define MAX_ADDR_STRLEN 128 /* characters */
@@ -565,6 +569,7 @@ void sock_list_merge(struct sock_list** list, struct regional* region,
 void
 log_crypto_err(const char* str)
 {
+#ifdef HAVE_SSL
        /* error:[error code]:[library name]:[function name]:[reason string] */
        char buf[128];
        unsigned long e;
@@ -574,10 +579,12 @@ log_crypto_err(const char* str)
                ERR_error_string_n(e, buf, sizeof(buf));
                log_err("and additionally crypto %s", buf);
        }
+#endif /* HAVE_SSL */
 }
 
 void* listen_sslctx_create(char* key, char* pem, char* verifypem)
 {
+#ifdef HAVE_SSL
        SSL_CTX* ctx = SSL_CTX_new(SSLv23_server_method());
        if(!ctx) {
                log_crypto_err("could not SSL_CTX_new");
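Review bot: With HAVE_SSL undefined, `log_crypto_err` (opened in the previous hunk, closed by the `#endif /* HAVE_SSL */` on line 1125) compiles to an empty body, so the message passed in `str` is discarded and `str` becomes an unused parameter. Assuming the lines hidden between the two hunks log `str` before the "and additionally crypto" detail, an `#else` arm keeps that part of the diagnostic on the non-SSL path: `#else`, `log_err("%s", str);`, `#endif /* HAVE_SSL */`.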
@@ -619,10 +626,12 @@ void* listen_sslctx_create(char* key, char* pem, char* verifypem)
                SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
        }
        return ctx;
+#endif
 }
 
 void* connect_sslctx_create(char* key, char* pem, char* verifypem)
 {
+#ifdef HAVE_SSL
        SSL_CTX* ctx = SSL_CTX_new(SSLv23_client_method());
        if(!ctx) {
                log_crypto_err("could not allocate SSL_CTX pointer");
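Review bot: When HAVE_SSL is undefined, `listen_sslctx_create` (its signature is in the previous hunk; its `return ctx;` and new `#endif` are on lines 1137–1138 here) and `connect_sslctx_create` (opened on lines 1141–1143, closed in the next hunk) have no return statement at all: control falls off the end of a `void*` function, which is undefined behaviour and hands the caller an indeterminate pointer instead of NULL, and key/pem/verifypem become unused parameters. Each function needs an `#else` arm that reports the missing support and returns NULL, as sketched below for listen_sslctx_create. The same fix applies to `incoming_ssl_fd` and `outgoing_ssl_fd` in the two hunks that follow (`#endif` before the closing brace on lines 1164 and 1177) and to `static int ssl_handshake` in util/netevent.c, whose body likewise ends with `#endif /* HAVE_SSL */` before `}` and should return 0 on that path.
```c
void* listen_sslctx_create(char* key, char* pem, char* verifypem)
{
#ifdef HAVE_SSL
	/* … unchanged: SSL_CTX creation, key/cert loading, verify setup … */
	return ctx;
#else
	(void)key; (void)pem; (void)verifypem;
	log_err("listen_sslctx_create: SSL support not compiled in");
	return NULL;
#endif
}
```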
@@ -662,10 +671,12 @@ void* connect_sslctx_create(char* key, char* pem, char* verifypem)
                SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
        }
        return ctx;
+#endif
 }
 
 void* incoming_ssl_fd(void* sslctx, int fd)
 {
+#ifdef HAVE_SSL
        SSL* ssl = SSL_new((SSL_CTX*)sslctx);
        if(!ssl) {
                log_crypto_err("could not SSL_new");
@@ -679,10 +690,12 @@ void* incoming_ssl_fd(void* sslctx, int fd)
                return NULL;
        }
        return ssl;
+#endif
 }
 
 void* outgoing_ssl_fd(void* sslctx, int fd)
 {
+#ifdef HAVE_SSL
        SSL* ssl = SSL_new((SSL_CTX*)sslctx);
        if(!ssl) {
                log_crypto_err("could not SSL_new");
@@ -696,4 +709,5 @@ void* outgoing_ssl_fd(void* sslctx, int fd)
                return NULL;
        }
        return ssl;
+#endif
 }
index 5b869765cc324d1441e4e52acdf4706ccfeed586..2557a8b7ae248856524a6cd79ad55451faeb39bf 100644 (file)
 #include "util/log.h"
 #include "util/net_help.h"
 #include "util/fptr_wlist.h"
+#ifdef HAVE_OPENSSL_SSL_H
 #include <openssl/ssl.h>
+#endif
+#ifdef HAVE_OPENSSL_ERR_H
 #include <openssl/err.h>
+#endif
 
 /* -------- Start of local definitions -------- */
 /** if CMSG_ALIGN is not defined on this platform, a workaround */
@@ -896,6 +900,7 @@ tcp_callback_reader(struct comm_point* c)
 static int
 ssl_handshake(struct comm_point* c)
 {
+#ifdef HAVE_SSL
        int r;
        if(c->ssl_shake_state == comm_ssl_shake_hs_read) {
                /* read condition satisfied back to writing */
@@ -954,12 +959,14 @@ ssl_handshake(struct comm_point* c)
        }
        c->ssl_shake_state = comm_ssl_shake_none;
        return 1;
+#endif /* HAVE_SSL */
 }
 
 /** ssl read callback on TCP */
 static int
 ssl_handle_read(struct comm_point* c)
 {
+#ifdef HAVE_SSL
        int r;
        if(c->ssl_shake_state != comm_ssl_shake_none) {
                if(!ssl_handshake(c))
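Review bot: The `#endif /* HAVE_SSL */` closing ssl_handshake has no `#else` arm, so in a build without HAVE_SSL this `static int` function (and ssl_handle_read and ssl_handle_write, closed the same way at L1219 and L1234) has an empty body and reaches its end without a return value, which is undefined behaviour as soon as the result is tested. Each `#endif` should be preceded by `#else` / `(void)c; return 0;` so the non-SSL path reports failure — which, judging from `if(!ssl_handshake(c))` in this hunk, callers already treat as the error path — rather than returning leftover register contents and possibly treating a plain fd as a completed handshake. The three function bodies start and end outside the hunks shown.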
@@ -1036,12 +1043,14 @@ ssl_handle_read(struct comm_point* c)
                tcp_callback_reader(c);
        }
        return 1;
+#endif /* HAVE_SSL */
 }
 
 /** ssl write callback on TCP */
 static int
 ssl_handle_write(struct comm_point* c)
 {
+#ifdef HAVE_SSL
        int r;
        if(c->ssl_shake_state != comm_ssl_shake_none) {
                if(!ssl_handshake(c))
@@ -1115,6 +1124,7 @@ ssl_handle_write(struct comm_point* c)
                tcp_callback_writer(c);
        }
        return 1;
+#endif /* HAVE_SSL */
 }
 
 /** handle ssl tcp connection with dns contents */
index 72c58a2b4df5d90fcd53d44c9581fea1b71421ad..c141e5a2620f33c04dc94483ae5f0ca4ac939ad6 100644 (file)
 #include "config.h"
 #include "util/random.h"
 #include "util/log.h"
+#ifdef HAVE_SSL
 #include <openssl/rand.h>
 #include <openssl/rc4.h>
 #include <openssl/err.h>
+#elif defined(HAVE_NSS)
+#include <nss3/nssbase.h>
+#include <nss3/pk11pub.h>
+#endif
 
+/** 
+ * Max random value.  Similar to RAND_MAX, but more portable
+ * (mingw uses only 15 bits random).
+ */
+#define MAX_VALUE 0x7fffffff
+
+#ifdef HAVE_SSL
 /**
  * Struct with per-thread random state.
  * Keeps SSL types away from the header file.
@@ -78,12 +90,6 @@ struct ub_randstate {
 /** Size of key to use (must be multiple of 8) */
 #define SEED_SIZE 24
 
-/** 
- * Max random value.  Similar to RAND_MAX, but more portable
- * (mingw uses only 15 bits random).
- */
-#define MAX_VALUE 0x7fffffff
-
 /** Number of bytes to reseed after */
 #define REKEY_BYTES    (1 << 24)
 
@@ -182,6 +188,42 @@ ub_random(struct ub_randstate* s)
        return (long int)((r) % (((unsigned)MAX_VALUE + 1)));
 }
 
+#elif defined(HAVE_NSS)
+
+/* not much to remember for NSS since we use its pk11_random, placeholder */
+struct ub_randstate {
+       int ready;
+};
+
+void ub_systemseed(unsigned int ATTR_UNUSED(seed))
+{
+}
+
+struct ub_randstate* ub_initstate(unsigned int ATTR_UNUSED(seed), 
+       struct ub_randstate* ATTR_UNUSED(from))
+{
+       struct ub_randstate* s = (struct ub_randstate*)calloc(1, sizeof(*s));
+       if(!s) {
+               log_err("malloc failure in random init");
+               return NULL;
+       }
+       return s;
+}
+
+long int ub_random(struct ub_randstate* ATTR_UNUSED(state))
+{
+       long int x;
+       /* random 31 bit value. */
+       SECStatus s = PK11_GenerateRandom((unsigned char*)&x, (int)sizeof(x));
+       if(s != SECSuccess) {
+               log_err("PK11_GenerateRandom error: %s",
+                       PORT_ErrorToString(PORT_GetError()));
+       }
+       return x & MAX_VALUE;
+}
+
+#endif /* HAVE_SSL or HAVE_NSS */
+
 long int
 ub_random_max(struct ub_randstate* state, long int x)
 {
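Review bot: In the NSS ub_random, `x` is never initialised, so when `PK11_GenerateRandom` fails the error is logged but the function still returns `x & MAX_VALUE` — indeterminate stack contents handed to callers as a random number, from the module that (judging by its name) feeds unpredictability elsewhere in the resolver. A failed RNG call should not silently yield a value: at minimum declare `long int x = 0;`, and if util/log.h's `fatal_exit` is available here, treat the failure as fatal rather than falling through to `return x & MAX_VALUE;`. Separately, the `#ifdef HAVE_SSL` / `#elif defined(HAVE_NSS)` chain closed at `#endif /* HAVE_SSL or HAVE_NSS */` has no `#else`, so a build with neither library silently drops `struct ub_randstate` and these functions and fails only at link time; an `#else` / `#error "need a crypto library for random numbers"` (message constructed) would match what val_secalgo.c does in this same commit.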
index 60434db0338585713c1b80e670c9f72a2f63f479..eec2eb1b6bb75ddc5e494f2208a0a03edceb29bf 100644 (file)
@@ -44,6 +44,9 @@
 #include "config.h"
 #ifdef HAVE_OPENSSL_SSL_H
 #include "openssl/ssl.h"
+#define NSEC3_SHA_LEN SHA_DIGEST_LENGTH
+#else
+#define NSEC3_SHA_LEN 20
 #endif
 #include "validator/val_neg.h"
 #include "validator/val_nsec.h"
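Review bot: The `#else` fallback `#define NSEC3_SHA_LEN 20` is correct but the split definition hides why 20 is right: the NSEC3 hash algorithm 1 digest is SHA-1, a protocol constant of 20 octets regardless of which crypto library is linked, so `openssl/ssl.h` is being pulled in here only to spell that number. Defining it unconditionally with the reason, `#define NSEC3_SHA_LEN 20 /* SHA-1 output length; NSEC3 hash algorithm 1 (RFC 5155) */`, removes the OpenSSL include dependency from this file entirely. If any other `SHA_DIGEST_LENGTH` uses remain in val_neg.c outside the three hunks shown, they would still fail to compile without OpenSSL headers and should be switched to the same macro.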
@@ -1174,7 +1177,7 @@ neg_find_nsec3_ce(struct val_neg_zone* zone, uint8_t* qname, size_t qname_len,
                int qlabs, ldns_buffer* buf, uint8_t* hashnc, size_t* nclen)
 {
        struct val_neg_data* data;
-       uint8_t hashce[SHA_DIGEST_LENGTH];
+       uint8_t hashce[NSEC3_SHA_LEN];
        uint8_t b32[257];
        size_t celen, b32len;
 
@@ -1259,7 +1262,7 @@ neg_nsec3_proof_ds(struct val_neg_zone* zone, uint8_t* qname, size_t qname_len,
 {
        struct dns_msg* msg;
        struct val_neg_data* data;
-       uint8_t hashnc[SHA_DIGEST_LENGTH];
+       uint8_t hashnc[NSEC3_SHA_LEN];
        size_t nclen;
        struct ub_packed_rrset_key* ce_rrset, *nc_rrset;
        struct nsec3_cached_hash c;
diff --git a/validator/val_secalgo.c b/validator/val_secalgo.c
new file mode 100644 (file)
index 0000000..c649824
--- /dev/null
@@ -0,0 +1,884 @@
+/*
+ * validator/val_secalgo.c - validator security algorithm functions.
+ *
+ * Copyright (c) 2012, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * 
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * 
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/**
+ * \file
+ *
+ * This file contains helper functions for the validator module.
+ * These functions take raw data buffers, formatted for crypto verification,
+ * and do the library calls (for the crypto library in use).
+ */
+#include "config.h"
+#include <ldns/ldns.h>
+#include "validator/val_secalgo.h"
+#include "util/data/packed_rrset.h"
+#include "util/log.h"
+
+#if !defined(HAVE_SSL) && !defined(HAVE_NSS)
+#error "Need crypto library to do digital signature cryptography"
+#endif
+
+/* OpenSSL implementation */
+#ifdef HAVE_SSL
+#ifdef HAVE_OPENSSL_ERR_H
+#include <openssl/err.h>
+#endif
+
+#ifdef HAVE_OPENSSL_RAND_H
+#include <openssl/rand.h>
+#endif
+
+#ifdef HAVE_OPENSSL_CONF_H
+#include <openssl/conf.h>
+#endif
+
+#ifdef HAVE_OPENSSL_ENGINE_H
+#include <openssl/engine.h>
+#endif
+
+/**
+ * Return size of DS digest according to its hash algorithm.
+ * @param algo: DS digest algo.
+ * @return size in bytes of digest, or 0 if not supported. 
+ */
+size_t
+ds_digest_size_supported(int algo)
+{
+       switch(algo) {
+#ifdef HAVE_EVP_SHA1
+               case LDNS_SHA1:
+                       return SHA_DIGEST_LENGTH;
+#endif
+#ifdef HAVE_EVP_SHA256
+               case LDNS_SHA256:
+                       return SHA256_DIGEST_LENGTH;
+#endif
+#ifdef USE_GOST
+               case LDNS_HASH_GOST:
+                       if(EVP_get_digestbyname("md_gost94"))
+                               return 32;
+                       else    return 0;
+#endif
+#ifdef USE_ECDSA
+               case LDNS_SHA384:
+                       return SHA384_DIGEST_LENGTH;
+#endif
+               default: break;
+       }
+       return 0;
+}
+
+#ifdef USE_GOST
+/** Perform GOST hash */
+static int
+do_gost94(unsigned char* data, size_t len, unsigned char* dest)
+{
+       const EVP_MD* md = EVP_get_digestbyname("md_gost94");
+       if(!md) 
+               return 0;
+       return ldns_digest_evp(data, (unsigned int)len, dest, md);
+}
+#endif
+
+int
+secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
+       unsigned char* res)
+{
+       switch(algo) {
+#ifdef HAVE_EVP_SHA1
+               case LDNS_SHA1:
+                       (void)SHA1(buf, len, res);
+                       return 1;
+#endif
+#ifdef HAVE_EVP_SHA256
+               case LDNS_SHA256:
+                       (void)SHA256(buf, len, res);
+                       return 1;
+#endif
+#ifdef USE_GOST
+               case LDNS_HASH_GOST:
+                       if(do_gost94(buf, len, res))
+                               return 1;
+#endif
+#ifdef USE_ECDSA
+               case LDNS_SHA384:
+                       (void)SHA384(buf, len, res);
+                       return 1;
+#endif
+               default: 
+                       verbose(VERB_QUERY, "unknown DS digest algorithm %d", 
+                               algo);
+                       break;
+       }
+       return 0;
+}
+
+/** return true if DNSKEY algorithm id is supported */
+int
+dnskey_algo_id_is_supported(int id)
+{
+       switch(id) {
+       case LDNS_DSA:
+       case LDNS_DSA_NSEC3:
+       case LDNS_RSASHA1:
+       case LDNS_RSASHA1_NSEC3:
+       case LDNS_RSAMD5:
+#if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
+       case LDNS_RSASHA256:
+#endif
+#if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
+       case LDNS_RSASHA512:
+#endif
+#ifdef USE_ECDSA
+       case LDNS_ECDSAP256SHA256:
+       case LDNS_ECDSAP384SHA384:
+#endif
+               return 1;
+#ifdef USE_GOST
+       case LDNS_ECC_GOST:
+               /* we support GOST if it can be loaded */
+               return ldns_key_EVP_load_gost_id();
+#endif
+       default:
+               return 0;
+       }
+}
+
+/**
+ * Output a libcrypto openssl error to the logfile.
+ * @param str: string to add to it.
+ * @param e: the error to output, error number from ERR_get_error().
+ */
+static void
+log_crypto_error(const char* str, unsigned long e)
+{
+       char buf[128];
+       /* or use ERR_error_string if ERR_error_string_n is not avail TODO */
+       ERR_error_string_n(e, buf, sizeof(buf));
+       /* buf now contains */
+       /* error:[error code]:[library name]:[function name]:[reason string] */
+       log_err("%s crypto %s", str, buf);
+}
+
+/**
+ * Setup DSA key digest in DER encoding ... 
+ * @param sig: input is signature output alloced ptr (unless failure).
+ *     caller must free alloced ptr if this routine returns true.
+ * @param len: input is initial siglen, output is output len.
+ * @return false on failure.
+ */
+static int
+setup_dsa_sig(unsigned char** sig, unsigned int* len)
+{
+       unsigned char* orig = *sig;
+       unsigned int origlen = *len;
+       int newlen;
+       BIGNUM *R, *S;
+       DSA_SIG *dsasig;
+
+       /* extract the R and S field from the sig buffer */
+       if(origlen < 1 + 2*SHA_DIGEST_LENGTH)
+               return 0;
+       R = BN_new();
+       if(!R) return 0;
+       (void) BN_bin2bn(orig + 1, SHA_DIGEST_LENGTH, R);
+       S = BN_new();
+       if(!S) return 0;
+       (void) BN_bin2bn(orig + 21, SHA_DIGEST_LENGTH, S);
+       dsasig = DSA_SIG_new();
+       if(!dsasig) return 0;
+
+       dsasig->r = R;
+       dsasig->s = S;
+       *sig = NULL;
+       newlen = i2d_DSA_SIG(dsasig, sig);
+       if(newlen < 0) {
+               DSA_SIG_free(dsasig);
+               free(*sig);
+               return 0;
+       }
+       *len = (unsigned int)newlen;
+       DSA_SIG_free(dsasig);
+       return 1;
+}
+
+#ifdef USE_ECDSA
+/**
+ * Setup the ECDSA signature in its encoding that the library wants.
+ * Converts from plain numbers to ASN formatted.
+ * @param sig: input is signature, output alloced ptr (unless failure).
+ *     caller must free alloced ptr if this routine returns true.
+ * @param len: input is initial siglen, output is output len.
+ * @return false on failure.
+ */
+static int
+setup_ecdsa_sig(unsigned char** sig, unsigned int* len)
+{
+       ECDSA_SIG* ecdsa_sig;
+       int newlen;
+       int bnsize = (int)((*len)/2);
+       /* if too short or not even length, fails */
+       if(*len < 16 || bnsize*2 != (int)*len)
+               return 0;
+       /* use the raw data to parse two evenly long BIGNUMs, "r | s". */
+       ecdsa_sig = ECDSA_SIG_new();
+       if(!ecdsa_sig) return 0;
+       ecdsa_sig->r = BN_bin2bn(*sig, bnsize, ecdsa_sig->r);
+       ecdsa_sig->s = BN_bin2bn(*sig+bnsize, bnsize, ecdsa_sig->s);
+       if(!ecdsa_sig->r || !ecdsa_sig->s) {
+               ECDSA_SIG_free(ecdsa_sig);
+               return 0;
+       }
+
+       /* spool it into ASN format */
+       *sig = NULL;
+       newlen = i2d_ECDSA_SIG(ecdsa_sig, sig);
+       if(newlen <= 0) {
+               ECDSA_SIG_free(ecdsa_sig);
+               free(*sig);
+               return 0;
+       }
+       *len = (unsigned int)newlen;
+       ECDSA_SIG_free(ecdsa_sig);
+       return 1;
+}
+#endif /* USE_ECDSA */
+
+/**
+ * Setup key and digest for verification. Adjust sig if necessary.
+ *
+ * @param algo: key algorithm
+ * @param evp_key: EVP PKEY public key to create.
+ * @param digest_type: digest type to use
+ * @param key: key to setup for.
+ * @param keylen: length of key.
+ * @return false on failure.
+ */
+static int
+setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type, 
+       unsigned char* key, size_t keylen)
+{
+       DSA* dsa;
+       RSA* rsa;
+
+       switch(algo) {
+               case LDNS_DSA:
+               case LDNS_DSA_NSEC3:
+                       *evp_key = EVP_PKEY_new();
+                       if(!*evp_key) {
+                               log_err("verify: malloc failure in crypto");
+                               return sec_status_unchecked;
+                       }
+                       dsa = ldns_key_buf2dsa_raw(key, keylen);
+                       if(!dsa) {
+                               verbose(VERB_QUERY, "verify: "
+                                       "ldns_key_buf2dsa_raw failed");
+                               return 0;
+                       }
+                       if(EVP_PKEY_assign_DSA(*evp_key, dsa) == 0) {
+                               verbose(VERB_QUERY, "verify: "
+                                       "EVP_PKEY_assign_DSA failed");
+                               return 0;
+                       }
+                       *digest_type = EVP_dss1();
+
+                       break;
+               case LDNS_RSASHA1:
+               case LDNS_RSASHA1_NSEC3:
+#if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
+               case LDNS_RSASHA256:
+#endif
+#if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
+               case LDNS_RSASHA512:
+#endif
+                       *evp_key = EVP_PKEY_new();
+                       if(!*evp_key) {
+                               log_err("verify: malloc failure in crypto");
+                               return sec_status_unchecked;
+                       }
+                       rsa = ldns_key_buf2rsa_raw(key, keylen);
+                       if(!rsa) {
+                               verbose(VERB_QUERY, "verify: "
+                                       "ldns_key_buf2rsa_raw SHA failed");
+                               return 0;
+                       }
+                       if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) {
+                               verbose(VERB_QUERY, "verify: "
+                                       "EVP_PKEY_assign_RSA SHA failed");
+                               return 0;
+                       }
+
+                       /* select SHA version */
+#if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
+                       if(algo == LDNS_RSASHA256)
+                               *digest_type = EVP_sha256();
+                       else
+#endif
+#if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
+                               if(algo == LDNS_RSASHA512)
+                               *digest_type = EVP_sha512();
+                       else
+#endif
+                               *digest_type = EVP_sha1();
+
+                       break;
+               case LDNS_RSAMD5:
+                       *evp_key = EVP_PKEY_new();
+                       if(!*evp_key) {
+                               log_err("verify: malloc failure in crypto");
+                               return sec_status_unchecked;
+                       }
+                       rsa = ldns_key_buf2rsa_raw(key, keylen);
+                       if(!rsa) {
+                               verbose(VERB_QUERY, "verify: "
+                                       "ldns_key_buf2rsa_raw MD5 failed");
+                               return 0;
+                       }
+                       if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) {
+                               verbose(VERB_QUERY, "verify: "
+                                       "EVP_PKEY_assign_RSA MD5 failed");
+                               return 0;
+                       }
+                       *digest_type = EVP_md5();
+
+                       break;
+#ifdef USE_GOST
+               case LDNS_ECC_GOST:
+                       *evp_key = ldns_gost2pkey_raw(key, keylen);
+                       if(!*evp_key) {
+                               verbose(VERB_QUERY, "verify: "
+                                       "ldns_gost2pkey_raw failed");
+                               return 0;
+                       }
+                       *digest_type = EVP_get_digestbyname("md_gost94");
+                       if(!*digest_type) {
+                               verbose(VERB_QUERY, "verify: "
+                                       "EVP_getdigest md_gost94 failed");
+                               return 0;
+                       }
+                       break;
+#endif
+#ifdef USE_ECDSA
+               case LDNS_ECDSAP256SHA256:
+                       *evp_key = ldns_ecdsa2pkey_raw(key, keylen,
+                               LDNS_ECDSAP256SHA256);
+                       if(!*evp_key) {
+                               verbose(VERB_QUERY, "verify: "
+                                       "ldns_ecdsa2pkey_raw failed");
+                               return 0;
+                       }
+#ifdef USE_ECDSA_EVP_WORKAROUND
+                       /* openssl before 1.0.0 fixes RSA with the SHA256
+                        * hash in EVP.  We create one for ecdsa_sha256 */
+                       {
+                               static int md_ecdsa_256_done = 0;
+                               static EVP_MD md;
+                               if(!md_ecdsa_256_done) {
+                                       EVP_MD m = *EVP_sha256();
+                                       md_ecdsa_256_done = 1;
+                                       m.required_pkey_type[0] = (*evp_key)->type;
+                                       m.verify = (void*)ECDSA_verify;
+                                       md = m;
+                               }
+                               *digest_type = &md;
+                       }
+#else
+                       *digest_type = EVP_sha256();
+#endif
+                       break;
+               case LDNS_ECDSAP384SHA384:
+                       *evp_key = ldns_ecdsa2pkey_raw(key, keylen,
+                               LDNS_ECDSAP384SHA384);
+                       if(!*evp_key) {
+                               verbose(VERB_QUERY, "verify: "
+                                       "ldns_ecdsa2pkey_raw failed");
+                               return 0;
+                       }
+#ifdef USE_ECDSA_EVP_WORKAROUND
+                       /* openssl before 1.0.0 fixes RSA with the SHA384
+                        * hash in EVP.  We create one for ecdsa_sha384 */
+                       {
+                               static int md_ecdsa_384_done = 0;
+                               static EVP_MD md;
+                               if(!md_ecdsa_384_done) {
+                                       EVP_MD m = *EVP_sha384();
+                                       md_ecdsa_384_done = 1;
+                                       m.required_pkey_type[0] = (*evp_key)->type;
+                                       m.verify = (void*)ECDSA_verify;
+                                       md = m;
+                               }
+                               *digest_type = &md;
+                       }
+#else
+                       *digest_type = EVP_sha384();
+#endif
+                       break;
+#endif /* USE_ECDSA */
+               default:
+                       verbose(VERB_QUERY, "verify: unknown algorithm %d", 
+                               algo);
+                       return 0;
+       }
+       return 1;
+}
+
+/**
+ * Check a canonical sig+rrset and signature against a dnskey
+ * @param buf: buffer with data to verify, the first rrsig part and the
+ *     canonicalized rrset.
+ * @param algo: DNSKEY algorithm.
+ * @param sigblock: signature rdata field from RRSIG
+ * @param sigblock_len: length of sigblock data.
+ * @param key: public key data from DNSKEY RR.
+ * @param keylen: length of keydata.
+ * @param reason: bogus reason in more detail.
+ * @return secure if verification succeeded, bogus on crypto failure,
+ *     unchecked on format errors and alloc failures.
+ */
+enum sec_status
+verify_canonrrset(ldns_buffer* buf, int algo, unsigned char* sigblock, 
+       unsigned int sigblock_len, unsigned char* key, unsigned int keylen,
+       char** reason)
+{
+       const EVP_MD *digest_type;
+       EVP_MD_CTX ctx;
+       int res, dofree = 0;
+       EVP_PKEY *evp_key = NULL;
+       
+       if(!setup_key_digest(algo, &evp_key, &digest_type, key, keylen)) {
+               verbose(VERB_QUERY, "verify: failed to setup key");
+               *reason = "use of key for crypto failed";
+               EVP_PKEY_free(evp_key);
+               return sec_status_bogus;
+       }
+       /* if it is a DSA signature in bind format, convert to DER format */
+       if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) && 
+               sigblock_len == 1+2*SHA_DIGEST_LENGTH) {
+               if(!setup_dsa_sig(&sigblock, &sigblock_len)) {
+                       verbose(VERB_QUERY, "verify: failed to setup DSA sig");
+                       *reason = "use of key for DSA crypto failed";
+                       EVP_PKEY_free(evp_key);
+                       return sec_status_bogus;
+               }
+               dofree = 1;
+       }
+#ifdef USE_ECDSA
+       else if(algo == LDNS_ECDSAP256SHA256 || algo == LDNS_ECDSAP384SHA384) {
+               /* EVP uses ASN prefix on sig, which is not in the wire data */
+               if(!setup_ecdsa_sig(&sigblock, &sigblock_len)) {
+                       verbose(VERB_QUERY, "verify: failed to setup ECDSA sig");
+                       *reason = "use of signature for ECDSA crypto failed";
+                       EVP_PKEY_free(evp_key);
+                       return sec_status_bogus;
+               }
+               dofree = 1;
+       }
+#endif /* USE_ECDSA */
+
+       /* do the signature cryptography work */
+       EVP_MD_CTX_init(&ctx);
+       if(EVP_VerifyInit(&ctx, digest_type) == 0) {
+               verbose(VERB_QUERY, "verify: EVP_VerifyInit failed");
+               EVP_PKEY_free(evp_key);
+               if(dofree) free(sigblock);
+               return sec_status_unchecked;
+       }
+       if(EVP_VerifyUpdate(&ctx, (unsigned char*)ldns_buffer_begin(buf), 
+               (unsigned int)ldns_buffer_limit(buf)) == 0) {
+               verbose(VERB_QUERY, "verify: EVP_VerifyUpdate failed");
+               EVP_PKEY_free(evp_key);
+               if(dofree) free(sigblock);
+               return sec_status_unchecked;
+       }
+
+       res = EVP_VerifyFinal(&ctx, sigblock, sigblock_len, evp_key);
+       if(EVP_MD_CTX_cleanup(&ctx) == 0) {
+               verbose(VERB_QUERY, "verify: EVP_MD_CTX_cleanup failed");
+               EVP_PKEY_free(evp_key);
+               if(dofree) free(sigblock);
+               return sec_status_unchecked;
+       }
+       EVP_PKEY_free(evp_key);
+
+       if(dofree)
+               free(sigblock);
+
+       if(res == 1) {
+               return sec_status_secure;
+       } else if(res == 0) {
+               verbose(VERB_QUERY, "verify: signature mismatch");
+               *reason = "signature crypto failed";
+               return sec_status_bogus;
+       }
+
+       log_crypto_error("verify:", ERR_get_error());
+       return sec_status_unchecked;
+}
+
+/**************************************************/
+#elif defined(HAVE_NSS)
+/* libnss implementation */
+#include <nss3/sechash.h>
+#include <nss3/pk11pub.h>
+#include <nss3/keyhi.h>
+#include <nspr4/prerror.h>
+
+size_t
+ds_digest_size_supported(int algo)
+{
+       /* uses libNSS */
+       switch(algo) {
+#ifdef HAVE_EVP_SHA1
+               case LDNS_SHA1:
+                       return SHA1_LENGTH;
+#endif
+#ifdef HAVE_EVP_SHA256
+               case LDNS_SHA256:
+                       return SHA256_LENGTH;
+#endif
+#ifdef USE_ECDSA
+               case LDNS_SHA384:
+                       return SHA384_LENGTH;
+#endif
+               /* GOST not supported in NSS */
+               case LDNS_HASH_GOST:
+               default: break;
+       }
+       return 0;
+}
+
+int
+secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
+       unsigned char* res)
+{
+       /* uses libNSS */
+       switch(algo) {
+#ifdef HAVE_EVP_SHA1
+               case LDNS_SHA1:
+                       return HASH_HashBuf(HASH_AlgSHA1, res, buf, len)
+                               == SECSuccess;
+#endif
+#ifdef HAVE_EVP_SHA256
+               case LDNS_SHA256:
+                       return HASH_HashBuf(HASH_AlgSHA256, res, buf, len)
+                               == SECSuccess;
+#endif
+#ifdef USE_ECDSA
+               case LDNS_SHA384:
+                       return HASH_HashBuf(HASH_AlgSHA384, res, buf, len)
+                               == SECSuccess;
+#endif
+               case LDNS_HASH_GOST:
+               default: 
+                       verbose(VERB_QUERY, "unknown DS digest algorithm %d", 
+                               algo);
+                       break;
+       }
+       return 0;
+}
+
+int
+dnskey_algo_id_is_supported(int id)
+{
+       /* uses libNSS */
+       switch(id) {
+       case LDNS_DSA:
+       case LDNS_DSA_NSEC3:
+       case LDNS_RSASHA1:
+       case LDNS_RSASHA1_NSEC3:
+       case LDNS_RSAMD5:
+#if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
+       case LDNS_RSASHA256:
+#endif
+#if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
+       case LDNS_RSASHA512:
+#endif
+#ifdef USE_ECDSA
+       case LDNS_ECDSAP256SHA256:
+       case LDNS_ECDSAP384SHA384:
+#endif
+               return 1;
+       case LDNS_ECC_GOST:
+       default:
+               return 0;
+       }
+}
+
+/* return a new public key for NSS */
+static SECKEYPublicKey* nss_key_create(KeyType ktype)
+{
+       SECKEYPublicKey* key;
+       PLArenaPool* arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+       if(!arena) {
+               log_err("out of memory, PORT_NewArena failed");
+               return NULL;
+       }
+       key = PORT_ArenaZNew(arena, SECKEYPublicKey);
+       if(!key) {
+               log_err("out of memory, PORT_ArenaZNew failed");
+               PORT_FreeArena(arena, PR_FALSE);
+               return NULL;
+       }
+       key->arena = arena;
+       key->keyType = ktype;
+       key->pkcs11Slot = NULL;
+       key->pkcs11ID = CK_INVALID_HANDLE;
+       return key;
+}
+
+static SECKEYPublicKey* nss_buf2rsa(unsigned char* key, size_t len)
+{
+       SECKEYPublicKey* pk;
+       uint16_t exp;
+       uint16_t offset;
+       uint16_t int16;
+       SECItem modulus = {siBuffer, NULL, 0};
+       SECItem exponent = {siBuffer, NULL, 0};
+       if(len == 0)
+               return NULL;
+       if(key[0] == 0) {
+               if(len < 3)
+                       return NULL;
+               /* the exponent is too large so it's places further */
+               memmove(&int16, key+1, 2);
+               exp = ntohs(int16);
+               offset = 3;
+       } else {
+               exp = key[0];
+               offset = 1;
+       }
+
+       /* key length at least one */
+       if(len < (size_t)offset + exp + 1)
+               return NULL;
+       
+       exponent.data = key+offset;
+       exponent.len = exp;
+       offset += exp;
+       modulus.data = key+offset;
+       modulus.len = (len - offset);
+
+       pk = nss_key_create(rsaKey);
+       if(SECITEM_CopyItem(pk->arena, &pk->u.rsa.modulus, &modulus)) {
+               SECKEY_DestroyPublicKey(pk);
+               return NULL;
+       }
+       if(SECITEM_CopyItem(pk->arena, &pk->u.rsa.publicExponent, &exponent)) {
+               SECKEY_DestroyPublicKey(pk);
+               return NULL;
+       }
+       return pk;
+}
+
+/**
+ * Setup key and digest for verification. Adjust sig if necessary.
+ *
+ * @param algo: key algorithm
+ * @param evp_key: EVP PKEY public key to create.
+ * @param digest_type: digest type to use
+ * @param key: key to setup for.
+ * @param keylen: length of key.
+ * @return false on failure.
+ */
+static int
+nss_setup_key_digest(int algo, SECKEYPublicKey** pubkey, HASH_HashType* htype,
+       unsigned char* key, size_t keylen)
+{
+       /* TODO uses libNSS */
+
+       switch(algo) {
+               case LDNS_DSA:
+               case LDNS_DSA_NSEC3:
+                       /* TODO */
+                       /*
+                       *evp_key = EVP_PKEY_new();
+                       if(!*evp_key) {
+                               log_err("verify: malloc failure in crypto");
+                               return sec_status_unchecked;
+                       }
+                       dsa = ldns_key_buf2dsa_raw(key, keylen);
+                       if(!dsa) {
+                               verbose(VERB_QUERY, "verify: "
+                                       "ldns_key_buf2dsa_raw failed");
+                               return 0;
+                       }
+                       if(EVP_PKEY_assign_DSA(*evp_key, dsa) == 0) {
+                               verbose(VERB_QUERY, "verify: "
+                                       "EVP_PKEY_assign_DSA failed");
+                               return 0;
+                       }
+                       *digest_type = EVP_dss1();
+                       */
+                       *htype = HASH_AlgSHA1;
+
+                       break;
+               case LDNS_RSASHA1:
+               case LDNS_RSASHA1_NSEC3:
+#if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
+               case LDNS_RSASHA256:
+#endif
+#if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
+               case LDNS_RSASHA512:
+#endif
+                       *pubkey = nss_buf2rsa(key, keylen);
+                       if(!*pubkey) {
+                               log_err("verify: malloc failure in crypto");
+                               return sec_status_unchecked;
+                       }
+                       /* select SHA version */
+#if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
+                       if(algo == LDNS_RSASHA256)
+                               *htype = HASH_AlgSHA256;
+                       else
+#endif
+#if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
+                               if(algo == LDNS_RSASHA512)
+                               *htype = HASH_AlgSHA512;
+                       else
+#endif
+                               *htype = HASH_AlgSHA1;
+
+                       break;
+               case LDNS_RSAMD5:
+                       *pubkey = nss_buf2rsa(key, keylen);
+                       if(!*pubkey) {
+                               log_err("verify: malloc failure in crypto");
+                               return sec_status_unchecked;
+                       }
+                       *htype = HASH_AlgMD5;
+
+                       break;
+#ifdef USE_ECDSA
+               case LDNS_ECDSAP256SHA256:
+                       /* TODO
+                       *evp_key = ldns_ecdsa2pkey_raw(key, keylen,
+                               LDNS_ECDSAP256SHA256);
+                       if(!*evp_key) {
+                               verbose(VERB_QUERY, "verify: "
+                                       "ldns_ecdsa2pkey_raw failed");
+                               return 0;
+                       }
+                       */
+                       *htype = HASH_AlgSHA256;
+                       break;
+               case LDNS_ECDSAP384SHA384:
+                       /* TODO
+                       *evp_key = ldns_ecdsa2pkey_raw(key, keylen,
+                               LDNS_ECDSAP384SHA384);
+                       if(!*evp_key) {
+                               verbose(VERB_QUERY, "verify: "
+                                       "ldns_ecdsa2pkey_raw failed");
+                               return 0;
+                       }
+                       */
+                       *htype = HASH_AlgSHA384;
+                       break;
+#endif /* USE_ECDSA */
+               case LDNS_ECC_GOST:
+               default:
+                       verbose(VERB_QUERY, "verify: unknown algorithm %d", 
+                               algo);
+                       return 0;
+       }
+       return 1;
+}
+
+/**
+ * Check a canonical sig+rrset and signature against a dnskey
+ * @param buf: buffer with data to verify, the first rrsig part and the
+ *     canonicalized rrset.
+ * @param algo: DNSKEY algorithm.
+ * @param sigblock: signature rdata field from RRSIG
+ * @param sigblock_len: length of sigblock data.
+ * @param key: public key data from DNSKEY RR.
+ * @param keylen: length of keydata.
+ * @param reason: bogus reason in more detail.
+ * @return secure if verification succeeded, bogus on crypto failure,
+ *     unchecked on format errors and alloc failures.
+ */
+enum sec_status
+verify_canonrrset(ldns_buffer* buf, int algo, unsigned char* sigblock, 
+       unsigned int sigblock_len, unsigned char* key, unsigned int keylen,
+       char** reason)
+{
+       /* TODO uses libNSS */
+       /* large enough for the different hashes */
+       unsigned char hash[HASH_LENGTH_MAX];
+       HASH_HashType htype = 0;
+       SECKEYPublicKey* pubkey = NULL;
+       SECItem secsig = {siBuffer, sigblock, sigblock_len};
+       SECItem sechash = {siBuffer, hash, 0};
+       SECStatus res;
+
+       // extern SECKEYPublicKey *SECKEY_DecodeDERPublicKey(SECItem *pubkder);
+       // SECKEYPublicKey* SECKEY_ImportDERPublicKey(SECItem *derKey, CK_KEY_TYPE type);
+       if(!nss_setup_key_digest(algo, &pubkey, &htype, key, keylen)) {
+               verbose(VERB_QUERY, "verify: failed to setup key");
+               *reason = "use of key for crypto failed";
+               SECKEY_DestroyPublicKey(pubkey);
+               return sec_status_bogus;
+       }
+
+       /* TODO: need to convert DSA, ECDSA signatures? */
+
+       /* do the signature cryptography work */
+       /* hash the data */
+       sechash.len = HASH_ResultLen(htype);
+       if(sechash.len > sizeof(hash)) {
+               verbose(VERB_QUERY, "verify: hash too large for buffer");
+               SECKEY_DestroyPublicKey(pubkey);
+               return sec_status_unchecked;
+       }
+       if(HASH_HashBuf(htype, hash, (unsigned char*)ldns_buffer_begin(buf),
+               (unsigned int)ldns_buffer_limit(buf)) != SECSuccess) {
+               verbose(VERB_QUERY, "verify: HASH_HashBuf failed");
+               SECKEY_DestroyPublicKey(pubkey);
+               return sec_status_unchecked;
+       }
+       /* verify the signature */
+       res = PK11_Verify(pubkey, &secsig, &sechash, NULL /*wincx*/);
+       SECKEY_DestroyPublicKey(pubkey);
+
+       if(res == SECSuccess) {
+               return sec_status_secure;
+       }
+       verbose(VERB_QUERY, "verify: signature mismatch %s",
+               PORT_ErrorToString(PORT_GetError()));
+       *reason = "signature crypto failed";
+       return sec_status_bogus;
+}
+
+
+#endif /* HAVE_SSL or HAVE_NSS */
diff --git a/validator/val_secalgo.h b/validator/val_secalgo.h
new file mode 100644 (file)
index 0000000..a5832af
--- /dev/null
@@ -0,0 +1,83 @@
+/*
+ * validator/val_secalgo.h - validator security algorithm functions.
+ *
+ * Copyright (c) 2012, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * 
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * 
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/**
+ * \file
+ *
+ * This file contains helper functions for the validator module.
+ * The functions take buffers with raw data and convert to library calls.
+ */
+
+#ifndef VALIDATOR_VAL_SECALGO_H
+#define VALIDATOR_VAL_SECALGO_H
+
+/**
+ * Return size of DS digest according to its hash algorithm.
+ * @param algo: DS digest algo.
+ * @return size in bytes of digest, or 0 if not supported. 
+ */
+size_t ds_digest_size_supported(int algo);
+
+/**
+ * @param algo: the DS digest algo
+ * @param buf: the buffer to digest
+ * @param len: length of buffer to digest.
+ * @param res: result stored here (must have sufficient space).
+ * @return false on failure.
+ */
+int secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
+       unsigned char* res);
+
+/** return true if DNSKEY algorithm id is supported */
+int dnskey_algo_id_is_supported(int id);
+
+/**
+ * Check a canonical sig+rrset and signature against a dnskey
+ * @param buf: buffer with data to verify, the first rrsig part and the
+ *     canonicalized rrset.
+ * @param algo: DNSKEY algorithm.
+ * @param sigblock: signature rdata field from RRSIG
+ * @param sigblock_len: length of sigblock data.
+ * @param key: public key data from DNSKEY RR.
+ * @param keylen: length of keydata.
+ * @param reason: bogus reason in more detail.
+ * @return secure if verification succeeded, bogus on crypto failure,
+ *     unchecked on format errors and alloc failures.
+ */
+enum sec_status verify_canonrrset(ldns_buffer* buf, int algo,
+       unsigned char* sigblock, unsigned int sigblock_len,
+       unsigned char* key, unsigned int keylen, char** reason);
+
+#endif /* VALIDATOR_VAL_SECALGO_H */
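Review bot: The header is not self-contained: it uses `size_t`, `ldns_buffer` and `enum sec_status` in the prototypes at `size_t ds_digest_size_supported(int algo);` and `enum sec_status verify_canonrrset(ldns_buffer* buf, ...)` but includes nothing, so it compiles only when the includer has already pulled in `<ldns/ldns.h>` and the header that defines `enum sec_status` (val_sigcrypt.c happens to do that in the include order this commit adds, another includer may not). Either add those includes here or state the requirement in the `\file` comment, e.g. `* Includers must have <ldns/ldns.h> and the header defining enum sec_status in scope before this file.`. The comment block for `secalgo_ds_digest` starting at `* @param algo: the DS digest algo` has no purpose line; `* Create a DS digest of the given data with the named digest algorithm.` would match the style of the neighbouring declarations.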
index 32dbc0bd7474c3d4158dcce02c99550d46985c39..79d5e45a237918caa01c74f2f18c8238314a084e 100644 (file)
@@ -43,6 +43,7 @@
 #include "config.h"
 #include <ldns/ldns.h>
 #include "validator/val_sigcrypt.h"
+#include "validator/val_secalgo.h"
 #include "validator/validator.h"
 #include "util/data/msgreply.h"
 #include "util/data/msgparse.h"
@@ -52,8 +53,8 @@
 #include "util/net_help.h"
 #include "util/regional.h"
 
-#ifndef HAVE_SSL
-#error "Need SSL library to do digital signature cryptography"
+#if !defined(HAVE_SSL) && !defined(HAVE_NSS)
+#error "Need crypto library to do digital signature cryptography"
 #endif
 
 #ifdef HAVE_OPENSSL_ERR_H
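Review bot: The `#ifdef HAVE_OPENSSL_ERR_H` include that directly follows the new `#if !defined(HAVE_SSL) && !defined(HAVE_NSS)` guard looks like a leftover now that `log_crypto_error` and the EVP verification code are removed from this file later in the commit; if nothing remaining in val_sigcrypt.c uses OpenSSL symbols (I cannot see the whole file here), those OpenSSL includes should move to val_secalgo.c with the code that needs them. Otherwise a one-line comment such as `/* OpenSSL headers still needed here for ... */` would tell the next reader why a file that no longer does crypto pulls them in.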
@@ -265,41 +266,8 @@ ds_get_sigdata(struct ub_packed_rrset_key* k, size_t idx, uint8_t** digest,
 static size_t
 ds_digest_size_algo(struct ub_packed_rrset_key* k, size_t idx)
 {
-       switch(ds_get_digest_algo(k, idx)) {
-#ifdef HAVE_EVP_SHA1
-               case LDNS_SHA1:
-                       return SHA_DIGEST_LENGTH;
-#endif
-#ifdef HAVE_EVP_SHA256
-               case LDNS_SHA256:
-                       return SHA256_DIGEST_LENGTH;
-#endif
-#ifdef USE_GOST
-               case LDNS_HASH_GOST:
-                       if(EVP_get_digestbyname("md_gost94"))
-                               return 32;
-                       else    return 0;
-#endif
-#ifdef USE_ECDSA
-               case LDNS_SHA384:
-                       return SHA384_DIGEST_LENGTH;
-#endif
-               default: break;
-       }
-       return 0;
-}
-
-#ifdef USE_GOST
-/** Perform GOST hash */
-static int
-do_gost94(unsigned char* data, size_t len, unsigned char* dest)
-{
-       const EVP_MD* md = EVP_get_digestbyname("md_gost94");
-       if(!md) 
-               return 0;
-       return ldns_digest_evp(data, (unsigned int)len, dest, md);
+       return ds_digest_size_supported(ds_get_digest_algo(k, idx));
 }
-#endif
 
 /**
  * Create a DS digest for a DNSKEY entry.
@@ -333,37 +301,9 @@ ds_create_dnskey_digest(struct module_env* env,
        ldns_buffer_write(b, dnskey_rdata+2, dnskey_len-2); /* skip rdatalen*/
        ldns_buffer_flip(b);
        
-       switch(ds_get_digest_algo(ds_rrset, ds_idx)) {
-#ifdef HAVE_EVP_SHA1
-               case LDNS_SHA1:
-                       (void)SHA1((unsigned char*)ldns_buffer_begin(b),
-                               ldns_buffer_limit(b), (unsigned char*)digest);
-                       return 1;
-#endif
-#ifdef HAVE_EVP_SHA256
-               case LDNS_SHA256:
-                       (void)SHA256((unsigned char*)ldns_buffer_begin(b),
-                               ldns_buffer_limit(b), (unsigned char*)digest);
-                       return 1;
-#endif
-#ifdef USE_GOST
-               case LDNS_HASH_GOST:
-                       if(do_gost94((unsigned char*)ldns_buffer_begin(b), 
-                               ldns_buffer_limit(b), (unsigned char*)digest))
-                               return 1;
-#endif
-#ifdef USE_ECDSA
-               case LDNS_SHA384:
-                       (void)SHA384((unsigned char*)ldns_buffer_begin(b),
-                               ldns_buffer_limit(b), (unsigned char*)digest);
-                       return 1;
-#endif
-               default: 
-                       verbose(VERB_QUERY, "unknown DS digest algorithm %d", 
-                               (int) ds_get_digest_algo(ds_rrset, ds_idx));
-                       break;
-       }
-       return 0;
+       return secalgo_ds_digest(ds_get_digest_algo(ds_rrset, ds_idx),
+               (unsigned char*)ldns_buffer_begin(b), ldns_buffer_limit(b),
+               (unsigned char*)digest);
 }
 
 int ds_digest_match_dnskey(struct module_env* env,
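Review bot: The removed `default:` branch logged `"unknown DS digest algorithm %d"` at VERB_QUERY, whereas the new `return secalgo_ds_digest(...)` reports nothing from this function, so that diagnostic now exists only if `secalgo_ds_digest` emits it (its body is outside this hunk; worth checking). A why-comment at the call, `/* unsupported digest algorithms are logged by secalgo_ds_digest */`, would make the contract explicit. Note also that the header's contract for `secalgo_ds_digest` says `res` "must have sufficient space" — the sizing of `digest` is done by this function's caller, which starts outside the hunk, so it has to stay consistent with `ds_digest_size_algo`. As a side effect the refactor also drops the old USE_GOST path where a failed `do_gost94` fell through into the `LDNS_SHA384` case; that is a correctness improvement worth a line in the Changelog.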
@@ -412,37 +352,6 @@ ds_digest_algo_is_supported(struct ub_packed_rrset_key* ds_rrset,
        return (ds_digest_size_algo(ds_rrset, ds_idx) != 0);
 }
 
-/** return true if DNSKEY algorithm id is supported */
-static int
-dnskey_algo_id_is_supported(int id)
-{
-       switch(id) {
-       case LDNS_DSA:
-       case LDNS_DSA_NSEC3:
-       case LDNS_RSASHA1:
-       case LDNS_RSASHA1_NSEC3:
-       case LDNS_RSAMD5:
-#if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
-       case LDNS_RSASHA256:
-#endif
-#if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
-       case LDNS_RSASHA512:
-#endif
-#ifdef USE_ECDSA
-       case LDNS_ECDSAP256SHA256:
-       case LDNS_ECDSAP384SHA384:
-#endif
-               return 1;
-#ifdef USE_GOST
-       case LDNS_ECC_GOST:
-               /* we support GOST if it can be loaded */
-               return ldns_key_EVP_load_gost_id();
-#endif
-       default:
-               return 0;
-       }
-}
-
 int 
 ds_key_algo_is_supported(struct ub_packed_rrset_key* ds_rrset, 
        size_t ds_idx)
@@ -1318,378 +1227,6 @@ adjust_ttl(struct val_env* ve, uint32_t unow,
        }
 }
 
-
-/**
- * Output a libcrypto openssl error to the logfile.
- * @param str: string to add to it.
- * @param e: the error to output, error number from ERR_get_error().
- */
-static void
-log_crypto_error(const char* str, unsigned long e)
-{
-       char buf[128];
-       /* or use ERR_error_string if ERR_error_string_n is not avail TODO */
-       ERR_error_string_n(e, buf, sizeof(buf));
-       /* buf now contains */
-       /* error:[error code]:[library name]:[function name]:[reason string] */
-       log_err("%s crypto %s", str, buf);
-}
-
-/**
- * Setup DSA key digest in DER encoding ... 
- * @param sig: input is signature output alloced ptr (unless failure).
- *     caller must free alloced ptr if this routine returns true.
- * @param len: input is initial siglen, output is output len.
- * @return false on failure.
- */
-static int
-setup_dsa_sig(unsigned char** sig, unsigned int* len)
-{
-       unsigned char* orig = *sig;
-       unsigned int origlen = *len;
-       int newlen;
-       BIGNUM *R, *S;
-       DSA_SIG *dsasig;
-
-       /* extract the R and S field from the sig buffer */
-       if(origlen < 1 + 2*SHA_DIGEST_LENGTH)
-               return 0;
-       R = BN_new();
-       if(!R) return 0;
-       (void) BN_bin2bn(orig + 1, SHA_DIGEST_LENGTH, R);
-       S = BN_new();
-       if(!S) return 0;
-       (void) BN_bin2bn(orig + 21, SHA_DIGEST_LENGTH, S);
-       dsasig = DSA_SIG_new();
-       if(!dsasig) return 0;
-
-       dsasig->r = R;
-       dsasig->s = S;
-       *sig = NULL;
-       newlen = i2d_DSA_SIG(dsasig, sig);
-       if(newlen < 0) {
-               DSA_SIG_free(dsasig);
-               free(*sig);
-               return 0;
-       }
-       *len = (unsigned int)newlen;
-       DSA_SIG_free(dsasig);
-       return 1;
-}
-
-#ifdef USE_ECDSA
-/**
- * Setup the ECDSA signature in its encoding that the library wants.
- * Converts from plain numbers to ASN formatted.
- * @param sig: input is signature, output alloced ptr (unless failure).
- *     caller must free alloced ptr if this routine returns true.
- * @param len: input is initial siglen, output is output len.
- * @return false on failure.
- */
-static int
-setup_ecdsa_sig(unsigned char** sig, unsigned int* len)
-{
-       ECDSA_SIG* ecdsa_sig;
-       int newlen;
-       int bnsize = (int)((*len)/2);
-       /* if too short or not even length, fails */
-       if(*len < 16 || bnsize*2 != (int)*len)
-               return 0;
-       /* use the raw data to parse two evenly long BIGNUMs, "r | s". */
-       ecdsa_sig = ECDSA_SIG_new();
-       if(!ecdsa_sig) return 0;
-       ecdsa_sig->r = BN_bin2bn(*sig, bnsize, ecdsa_sig->r);
-       ecdsa_sig->s = BN_bin2bn(*sig+bnsize, bnsize, ecdsa_sig->s);
-       if(!ecdsa_sig->r || !ecdsa_sig->s) {
-               ECDSA_SIG_free(ecdsa_sig);
-               return 0;
-       }
-
-       /* spool it into ASN format */
-       *sig = NULL;
-       newlen = i2d_ECDSA_SIG(ecdsa_sig, sig);
-       if(newlen <= 0) {
-               ECDSA_SIG_free(ecdsa_sig);
-               free(*sig);
-               return 0;
-       }
-       *len = (unsigned int)newlen;
-       ECDSA_SIG_free(ecdsa_sig);
-       return 1;
-}
-#endif /* USE_ECDSA */
-
-/**
- * Setup key and digest for verification. Adjust sig if necessary.
- *
- * @param algo: key algorithm
- * @param evp_key: EVP PKEY public key to create.
- * @param digest_type: digest type to use
- * @param key: key to setup for.
- * @param keylen: length of key.
- * @return false on failure.
- */
-static int
-setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type, 
-       unsigned char* key, size_t keylen)
-{
-       DSA* dsa;
-       RSA* rsa;
-
-       switch(algo) {
-               case LDNS_DSA:
-               case LDNS_DSA_NSEC3:
-                       *evp_key = EVP_PKEY_new();
-                       if(!*evp_key) {
-                               log_err("verify: malloc failure in crypto");
-                               return sec_status_unchecked;
-                       }
-                       dsa = ldns_key_buf2dsa_raw(key, keylen);
-                       if(!dsa) {
-                               verbose(VERB_QUERY, "verify: "
-                                       "ldns_key_buf2dsa_raw failed");
-                               return 0;
-                       }
-                       if(EVP_PKEY_assign_DSA(*evp_key, dsa) == 0) {
-                               verbose(VERB_QUERY, "verify: "
-                                       "EVP_PKEY_assign_DSA failed");
-                               return 0;
-                       }
-                       *digest_type = EVP_dss1();
-
-                       break;
-               case LDNS_RSASHA1:
-               case LDNS_RSASHA1_NSEC3:
-#if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
-               case LDNS_RSASHA256:
-#endif
-#if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
-               case LDNS_RSASHA512:
-#endif
-                       *evp_key = EVP_PKEY_new();
-                       if(!*evp_key) {
-                               log_err("verify: malloc failure in crypto");
-                               return sec_status_unchecked;
-                       }
-                       rsa = ldns_key_buf2rsa_raw(key, keylen);
-                       if(!rsa) {
-                               verbose(VERB_QUERY, "verify: "
-                                       "ldns_key_buf2rsa_raw SHA failed");
-                               return 0;
-                       }
-                       if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) {
-                               verbose(VERB_QUERY, "verify: "
-                                       "EVP_PKEY_assign_RSA SHA failed");
-                               return 0;
-                       }
-
-                       /* select SHA version */
-#if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
-                       if(algo == LDNS_RSASHA256)
-                               *digest_type = EVP_sha256();
-                       else
-#endif
-#if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
-                               if(algo == LDNS_RSASHA512)
-                               *digest_type = EVP_sha512();
-                       else
-#endif
-                               *digest_type = EVP_sha1();
-
-                       break;
-               case LDNS_RSAMD5:
-                       *evp_key = EVP_PKEY_new();
-                       if(!*evp_key) {
-                               log_err("verify: malloc failure in crypto");
-                               return sec_status_unchecked;
-                       }
-                       rsa = ldns_key_buf2rsa_raw(key, keylen);
-                       if(!rsa) {
-                               verbose(VERB_QUERY, "verify: "
-                                       "ldns_key_buf2rsa_raw MD5 failed");
-                               return 0;
-                       }
-                       if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) {
-                               verbose(VERB_QUERY, "verify: "
-                                       "EVP_PKEY_assign_RSA MD5 failed");
-                               return 0;
-                       }
-                       *digest_type = EVP_md5();
-
-                       break;
-#ifdef USE_GOST
-               case LDNS_ECC_GOST:
-                       *evp_key = ldns_gost2pkey_raw(key, keylen);
-                       if(!*evp_key) {
-                               verbose(VERB_QUERY, "verify: "
-                                       "ldns_gost2pkey_raw failed");
-                               return 0;
-                       }
-                       *digest_type = EVP_get_digestbyname("md_gost94");
-                       if(!*digest_type) {
-                               verbose(VERB_QUERY, "verify: "
-                                       "EVP_getdigest md_gost94 failed");
-                               return 0;
-                       }
-                       break;
-#endif
-#ifdef USE_ECDSA
-               case LDNS_ECDSAP256SHA256:
-                       *evp_key = ldns_ecdsa2pkey_raw(key, keylen,
-                               LDNS_ECDSAP256SHA256);
-                       if(!*evp_key) {
-                               verbose(VERB_QUERY, "verify: "
-                                       "ldns_ecdsa2pkey_raw failed");
-                               return 0;
-                       }
-#ifdef USE_ECDSA_EVP_WORKAROUND
-                       /* openssl before 1.0.0 fixes RSA with the SHA256
-                        * hash in EVP.  We create one for ecdsa_sha256 */
-                       {
-                               static int md_ecdsa_256_done = 0;
-                               static EVP_MD md;
-                               if(!md_ecdsa_256_done) {
-                                       EVP_MD m = *EVP_sha256();
-                                       md_ecdsa_256_done = 1;
-                                       m.required_pkey_type[0] = (*evp_key)->type;
-                                       m.verify = (void*)ECDSA_verify;
-                                       md = m;
-                               }
-                               *digest_type = &md;
-                       }
-#else
-                       *digest_type = EVP_sha256();
-#endif
-                       break;
-               case LDNS_ECDSAP384SHA384:
-                       *evp_key = ldns_ecdsa2pkey_raw(key, keylen,
-                               LDNS_ECDSAP384SHA384);
-                       if(!*evp_key) {
-                               verbose(VERB_QUERY, "verify: "
-                                       "ldns_ecdsa2pkey_raw failed");
-                               return 0;
-                       }
-#ifdef USE_ECDSA_EVP_WORKAROUND
-                       /* openssl before 1.0.0 fixes RSA with the SHA384
-                        * hash in EVP.  We create one for ecdsa_sha384 */
-                       {
-                               static int md_ecdsa_384_done = 0;
-                               static EVP_MD md;
-                               if(!md_ecdsa_384_done) {
-                                       EVP_MD m = *EVP_sha384();
-                                       md_ecdsa_384_done = 1;
-                                       m.required_pkey_type[0] = (*evp_key)->type;
-                                       m.verify = (void*)ECDSA_verify;
-                                       md = m;
-                               }
-                               *digest_type = &md;
-                       }
-#else
-                       *digest_type = EVP_sha384();
-#endif
-                       break;
-#endif /* USE_ECDSA */
-               default:
-                       verbose(VERB_QUERY, "verify: unknown algorithm %d", 
-                               algo);
-                       return 0;
-       }
-       return 1;
-}
-
-/**
- * Check a canonical sig+rrset and signature against a dnskey
- * @param buf: buffer with data to verify, the first rrsig part and the
- *     canonicalized rrset.
- * @param algo: DNSKEY algorithm.
- * @param sigblock: signature rdata field from RRSIG
- * @param sigblock_len: length of sigblock data.
- * @param key: public key data from DNSKEY RR.
- * @param keylen: length of keydata.
- * @param reason: bogus reason in more detail.
- * @return secure if verification succeeded, bogus on crypto failure,
- *     unchecked on format errors and alloc failures.
- */
-static enum sec_status
-verify_canonrrset(ldns_buffer* buf, int algo, unsigned char* sigblock, 
-       unsigned int sigblock_len, unsigned char* key, unsigned int keylen,
-       char** reason)
-{
-       const EVP_MD *digest_type;
-       EVP_MD_CTX ctx;
-       int res, dofree = 0;
-       EVP_PKEY *evp_key = NULL;
-       
-       if(!setup_key_digest(algo, &evp_key, &digest_type, key, keylen)) {
-               verbose(VERB_QUERY, "verify: failed to setup key");
-               *reason = "use of key for crypto failed";
-               EVP_PKEY_free(evp_key);
-               return sec_status_bogus;
-       }
-       /* if it is a DSA signature in bind format, convert to DER format */
-       if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) && 
-               sigblock_len == 1+2*SHA_DIGEST_LENGTH) {
-               if(!setup_dsa_sig(&sigblock, &sigblock_len)) {
-                       verbose(VERB_QUERY, "verify: failed to setup DSA sig");
-                       *reason = "use of key for DSA crypto failed";
-                       EVP_PKEY_free(evp_key);
-                       return sec_status_bogus;
-               }
-               dofree = 1;
-       }
-#ifdef USE_ECDSA
-       else if(algo == LDNS_ECDSAP256SHA256 || algo == LDNS_ECDSAP384SHA384) {
-               /* EVP uses ASN prefix on sig, which is not in the wire data */
-               if(!setup_ecdsa_sig(&sigblock, &sigblock_len)) {
-                       verbose(VERB_QUERY, "verify: failed to setup ECDSA sig");
-                       *reason = "use of signature for ECDSA crypto failed";
-                       EVP_PKEY_free(evp_key);
-                       return sec_status_bogus;
-               }
-               dofree = 1;
-       }
-#endif /* USE_ECDSA */
-
-       /* do the signature cryptography work */
-       EVP_MD_CTX_init(&ctx);
-       if(EVP_VerifyInit(&ctx, digest_type) == 0) {
-               verbose(VERB_QUERY, "verify: EVP_VerifyInit failed");
-               EVP_PKEY_free(evp_key);
-               if(dofree) free(sigblock);
-               return sec_status_unchecked;
-       }
-       if(EVP_VerifyUpdate(&ctx, (unsigned char*)ldns_buffer_begin(buf), 
-               (unsigned int)ldns_buffer_limit(buf)) == 0) {
-               verbose(VERB_QUERY, "verify: EVP_VerifyUpdate failed");
-               EVP_PKEY_free(evp_key);
-               if(dofree) free(sigblock);
-               return sec_status_unchecked;
-       }
-
-       res = EVP_VerifyFinal(&ctx, sigblock, sigblock_len, evp_key);
-       if(EVP_MD_CTX_cleanup(&ctx) == 0) {
-               verbose(VERB_QUERY, "verify: EVP_MD_CTX_cleanup failed");
-               EVP_PKEY_free(evp_key);
-               if(dofree) free(sigblock);
-               return sec_status_unchecked;
-       }
-       EVP_PKEY_free(evp_key);
-
-       if(dofree)
-               free(sigblock);
-
-       if(res == 1) {
-               return sec_status_secure;
-       } else if(res == 0) {
-               verbose(VERB_QUERY, "verify: signature mismatch");
-               *reason = "signature crypto failed";
-               return sec_status_bogus;
-       }
-
-       log_crypto_error("verify:", ERR_get_error());
-       return sec_status_unchecked;
-}
-
 enum sec_status 
 dnskey_verify_rrset_sig(struct regional* region, ldns_buffer* buf, 
        struct val_env* ve, uint32_t now,