Remove support for libdecaf. 14926/head
authorMiod Vallat <miod.vallat@open-xchange.com>
Wed, 4 Dec 2024 08:39:02 +0000 (09:39 +0100)
committerMiod Vallat <miod.vallat@open-xchange.com>
Thu, 5 Dec 2024 14:58:46 +0000 (15:58 +0100)
Fixes #12953

21 files changed:
.github/actions/spell-check/allow.txt
.github/workflows/build-and-test-all.yml
.github/workflows/codeql-analysis.yml
configure.ac
docs/appendices/compiling.rst
m4/pdns_with_libdecaf.m4 [deleted file]
meson.build
meson/libdecaf/meson.build [deleted file]
meson_options.txt
pdns/Makefile.am
pdns/decafsigners.cc [deleted file]
pdns/pdnsutil.cc
pdns/recursordist/Makefile.am
pdns/recursordist/configure.ac
pdns/recursordist/docs/appendices/compiling.rst
pdns/recursordist/m4/pdns_with_libdecaf.m4 [deleted symlink]
pdns/recursordist/meson.build
pdns/recursordist/meson_options.txt
pdns/test-signers.cc
pdns/version.cc
tasks.py

index 6015d0f50f66a7c84b5b881f51941c689599d03c..a325ba18a0b115a7f7588a62682fbdabe78768e1 100644 (file)
@@ -651,7 +651,6 @@ DEBFULLNAME
 debhelper
 debtest
 DEBUGLOG
-decafsigners
 decltype
 deconfigure
 deconfigured
@@ -1810,7 +1809,6 @@ llu
 LMDBQ
 lnc
 lnow
-loaderdecaf
 loadersodium
 loadfile
 loadmodule
index 4fa0b42bbad34cae23b0ba2d716484bf9c598061..54ff10273ff460f3e68f4bb429dc347bcdcbd996 100644 (file)
@@ -31,7 +31,6 @@ env:
   COVERAGE: ${{ github.repository == 'PowerDNS/pdns' && 'yes' || 'no' }}
   LLVM_PROFILE_FILE: "/tmp/code-%p.profraw"
   OPTIMIZATIONS: yes
-  DECAF_SUPPORT: yes
 
 jobs:
   get-runner-container-image:
index 0038a02870c3d180e9ea88ddc46c1321497d291f..d7cdcc81c93021253360d7d7c5a45e0086221d2b 100644 (file)
@@ -52,7 +52,6 @@ jobs:
       # for clang-tidy only, not compilation
       CLANG_VERSION: '14'
       REPO_HOME: ${{ github.workspace }}
-      DECAF_SUPPORT: no
 
     outputs:
       clang-tidy-annotations-auth: ${{ steps.clang-tidy-annotations-auth.outputs.failed }}
index 6cd518a10f7ec0ce7ef8a35ba6988eae38f27848..b0fec7b40b9f69ebcaef95ee9f2f4169c40f43f3 100644 (file)
@@ -88,7 +88,6 @@ AC_CHECK_HEADERS(
 AC_CHECK_HEADERS([sys/random.h])
 
 PDNS_WITH_LIBSODIUM
-PDNS_WITH_LIBDECAF
 PDNS_CHECK_LIBCRYPTO([
 ],[
    AC_MSG_ERROR([OpenSSL/libcrypto not found])
@@ -417,11 +416,11 @@ AS_IF([test "x$libcrypto_ecdsa" = "xyes"],
   [AC_MSG_NOTICE([OpenSSL ecdsa: yes])],
   [AC_MSG_NOTICE([OpenSSL ecdsa: no])]
 )
-AS_IF([test "x$LIBSODIUM_LIBS" != "x" || test "x$LIBDECAF_LIBS" != "x" || test "x$libcrypto_ed25519" = "xyes"],
+AS_IF([test "x$LIBSODIUM_LIBS" != "x" || test "x$libcrypto_ed25519" = "xyes"],
   [AC_MSG_NOTICE([ed25519: yes])],
   [AC_MSG_NOTICE([ed25519: no])]
 )
-AS_IF([test "x$LIBDECAF_LIBS" != "x" || test "x$libcrypto_ed448" = "xyes"],
+AS_IF([test "x$libcrypto_ed448" = "xyes"],
   [AC_MSG_NOTICE([ed448: yes])],
   [AC_MSG_NOTICE([ed448: no])]
 )
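Review bot: After the changed `AS_IF` lines ed448 availability rests solely on `libcrypto_ed448`, and the surrounding `AC_MSG_NOTICE` is informational only, so a host that previously obtained ed448 (and ed25519) from libdecaf but whose libcrypto lacks it now configures without complaint and reports `ed448: no`; the same applies to the matching hunk in pdns/recursordist/configure.ac. For the Recursor this is security-relevant: a validating resolver that does not implement an algorithm treats zones signed only with it as insecure rather than bogus, so the lost capability is silent at runtime too. With `PDNS_WITH_LIBDECAF` removed, an existing build script passing `--with-libdecaf` only gets autoconf's generic unrecognized-option warning. Consider making the removal explicit for one release, e.g. `AC_ARG_WITH([libdecaf], [], [AC_MSG_ERROR([libdecaf support has been removed; ed25519/ed448 are provided by libsodium/libcrypto])])` where the macro call used to be, or at least an `AC_MSG_WARN` when neither ed25519 nor ed448 ends up available.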
index 97fda12ff0c74bf8da87861f890a189bff8dda75..9873d1878e9ca81cf0683561dc9a9c51c6bafc23 100644 (file)
@@ -64,12 +64,6 @@ ed25519 support with libsodium
 The PowerDNS Authoritative Server can link with `libsodium <https://download.libsodium.org/doc/>`_ to support ed25519 (DNSSEC algorithm 15).
 To detect libsodium, use the ``--with-libsodium`` configure option.
 
-ed25519 and ed448 support with libdecaf
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-`libdecaf <https://sourceforge.net/projects/ed448goldilocks/>`_ is a library that allows the PowerDNS Authoritative Server to support ed25519 and Ed448 (DNSSEC algorithms 15 and 16).
-To detect libdecaf, use the ``--with-libdecaf`` configure option.
-
 systemd notify support
 ^^^^^^^^^^^^^^^^^^^^^^
 
diff --git a/m4/pdns_with_libdecaf.m4 b/m4/pdns_with_libdecaf.m4
deleted file mode 100644 (file)
index 0c1bef3..0000000
+++ /dev/null
@@ -1,58 +0,0 @@
-AC_DEFUN([PDNS_WITH_LIBDECAF],[
-  AC_MSG_CHECKING([whether we will be linking in libdecaf])
-  AC_ARG_WITH([libdecaf],
-    [AS_HELP_STRING([--with-libdecaf],[use libdecaf  @<:@default=no@:>@])],
-    [with_libdecaf=$withval],
-    [with_libdecaf=no]
-  )
-  AC_MSG_RESULT([$with_libdecaf])
-
-  AM_CONDITIONAL([LIBDECAF],[test "x$with_libdecaf" != "xno"])
-
-  AS_IF([test "x$with_libdecaf" != "xno"],[
-    save_LIBS=$LIBS
-    LIBS=""
-    AC_SEARCH_LIBS([decaf_ed25519_sign],[decaf],[
-      AC_DEFINE([HAVE_LIBDECAF],[1],[Define to 1 if you have libdecaf])
-      AC_SUBST([LIBDECAF_LIBS],["$LIBS"])
-    ],[
-        AC_MSG_ERROR([Could not find libdecaf])
-    ])
-    LIBS="$save_LIBS"
-
-    AS_IF([test "x$LIBDECAF_CFLAGS" = "x"],[
-      AC_MSG_CHECKING([for libdecaf headers])
-      libdecaf_header_dir=""
-
-      header_dirs="/usr /usr/local"
-      for header_dir in $header_dirs; do
-        if test -f "$header_dir/include/decaf.hxx"; then
-          libdecaf_header_dir="$header_dir/include"
-          break
-        fi
-
-        if test -f "$header_dir/include/decaf/decaf.hxx"; then
-          libdecaf_header_dir="$header_dir/include/decaf"
-          break
-        fi
-      done
-
-      AS_IF([test "x$libdecaf_header_dir" != "x"],[
-          AC_MSG_RESULT([$libdecaf_header_dir])
-          LIBDECAF_CFLAGS="-I$libdecaf_header_dir"
-        ],
-        [AC_MSG_RESULT([not found])])
-    ])
-
-    AC_SUBST([LIBDECAF_CFLAGS])
-
-    save_CXXFLAGS="$CXXFLAGS"
-    CXXFLAGS="$CXXFLAGS $LIBDECAF_CFLAGS"
-    AC_CHECK_HEADERS(
-      [decaf.hxx],
-      [],
-      [AC_MSG_ERROR([cannot find libdecaf headers])]
-    )
-    CXXFLAGS="$save_CXXFLAGS"
-  ])
-])
index f472242616bb38fdda9ac90710a0e1e97ee11e49..c726bf8eb77c607eba0b5340f06a79147098ba99 100644 (file)
@@ -42,7 +42,6 @@ subdir('meson' / 'net-libs')                # Network Libraries
 subdir('meson' / 'tm-gmtoff')               # Check for tm_gmtoff field in struct tm
 subdir('meson' / 'mmap')                    # Check for mmap
 subdir('meson' / 'libsodium')               # Libsodium-based signers
-subdir('meson' / 'libdecaf')                # Libdecaf-based signers
 subdir('meson' / 'libcrypto')               # OpenSSL-based signers
 subdir('meson' / 'libssl')                  # OpenSSL libssl
 subdir('meson' / 'gnutls')                  # GnuTLS
@@ -128,7 +127,6 @@ deps = [
   dep_lua_records,
   dep_netlibs,
   dep_libsodium,
-  dep_libdecaf,
   dep_libcrypto,
   dep_libssl,
   dep_gnutls,
@@ -440,17 +438,6 @@ if dep_libsodium.found()
   )
 endif
 
-libpdns_signers_decaf = dependency('', required: false)
-if dep_libdecaf.found()
-  libpdns_signers_decaf = declare_dependency(
-    link_whole: static_library(
-      'pdns-signers-decaf',
-      sources: files(src_dir / 'decafsigners.cc'),
-      dependencies: deps,
-    )
-  )
-endif
-
 libpdns_signers_pkcs11 = dependency('', required: false)
 if dep_pkcs11.found()
   libpdns_signers_pkcs11 = declare_dependency(
@@ -692,7 +679,6 @@ tools = {
       libpdns_ssqlite3,
       libpdns_gettime,
       libpdns_signers_openssl,
-      libpdns_signers_decaf,
       libpdns_signers_sodium,
     ],
     'manpages': ['pdns_server.1'],
@@ -705,7 +691,6 @@ tools = {
       dep_modules,
       libpdns_ssqlite3,
       libpdns_signers_openssl,
-      libpdns_signers_decaf,
       libpdns_signers_sodium,
     ],
     'manpages': ['pdnsutil.1'],
@@ -930,7 +915,6 @@ if get_option('unit-tests')
       'deps-extra': [
         libpdns_test,
         libpdns_signers_openssl,
-        libpdns_signers_decaf,
         libpdns_signers_sodium,
       ],
     },
diff --git a/meson/libdecaf/meson.build b/meson/libdecaf/meson.build
deleted file mode 100644 (file)
index 2fb0738..0000000
+++ /dev/null
@@ -1,61 +0,0 @@
-opt_libdecaf = get_option('signers-libdecaf')
-dep_libdecaf = dependency('', required: false)
-
-if not opt_libdecaf.disabled()
-  dep_libdecaf = dependency('libdecaf', required: false)
-
-  if not dep_libdecaf.found()
-    all_lib_dirs = [
-      '/usr',
-      '/usr' / 'lib',
-      '/usr' / 'local',
-      '/usr' / 'local' / 'lib',
-    ]
-
-    all_include_dirs = [
-      '/usr' / 'include',
-      '/usr' / 'include' / 'decaf',
-      '/usr' / 'local' / 'include',
-      '/usr' / 'local' / 'include' / 'decaf',
-    ]
-
-    fs = import('fs')
-
-    lib_dirs = []
-    foreach lib_dir: all_lib_dirs
-      if fs.is_dir(lib_dir)
-        lib_dirs += lib_dir
-      endif
-    endforeach
-
-    include_dirs = []
-    foreach include_dir: all_include_dirs
-      if fs.is_dir(include_dir)
-        include_dirs += include_dir
-      endif
-    endforeach
-    include_dirs = include_directories(include_dirs, is_system: true)
-
-    dep_libdecaf = cxx.find_library(
-      'decaf',
-      dirs: lib_dirs,
-      required: opt_libdecaf,
-      has_headers: [
-        'decaf.hxx',
-        'decaf' / 'spongerng.hxx',
-        'decaf' / 'eddsa.hxx',
-      ],
-      header_include_directories: include_dirs,
-    )
-
-    if dep_libdecaf.found()
-      dep_libdecaf = declare_dependency(
-        dependencies: dep_libdecaf,
-        include_directories: include_dirs,
-      )
-    endif
-  endif
-endif
-
-conf.set('HAVE_LIBDECAF', dep_libdecaf.found(), description: 'libdecaf-based signers')
-summary('libdecaf', dep_libdecaf.found(), bool_yn: true, section: 'Crypto')
index c33ae9b8db155930dc44b0b6e23afb306760375a..a4869ce62b8b618f992e0bf0393ab42fcebcbf3e 100644 (file)
@@ -5,7 +5,6 @@ option('hardening-experimental-scp', type: 'feature', value: 'disabled', descrip
 option('hardening-fortify-source', type: 'combo', choices: ['auto', 'disabled', '1', '2', '3'], value: '2', description: 'Source fortification level')
 option('rng-kiss', type: 'boolean', value: false, description: 'Use the unsafe KISS RNG')
 option('signers-libsodium', type: 'feature', value: 'auto', description: 'Enable libsodium-based signers')
-option('signers-libdecaf', type: 'feature', value: 'auto', description: 'Enable libdecaf-based signers')
 option('signers-libcrypto', type: 'feature', value: 'auto', description: 'Enable OpenSSL libcrypto-based signers)')
 option('signers-libcrypto-path', type: 'string', value: '', description: 'Custom path to find OpenSSL libcrypto')
 option('tls-libssl', type: 'feature', value: 'auto', description: 'OpenSSL-based TLS')
index 2522839a0f3cbbb4a8d016828e1b6c2931bba5d2..042ad78769b56d66fc92bc9464e406d58d46b4c8 100644 (file)
@@ -45,10 +45,6 @@ if LIBSODIUM
 AM_CPPFLAGS +=$(LIBSODIUM_CFLAGS)
 endif
 
-if LIBDECAF
-AM_CPPFLAGS += $(LIBDECAF_CFLAGS)
-endif
-
 EXTRA_DIST = \
        dnslabeltext.rl \
        dnslabeltext.cc \
@@ -316,11 +312,6 @@ pdns_server_SOURCES += sodiumsigners.cc
 pdns_server_LDADD += $(LIBSODIUM_LIBS)
 endif
 
-if LIBDECAF
-pdns_server_SOURCES += decafsigners.cc
-pdns_server_LDADD += $(LIBDECAF_LIBS)
-endif
-
 if SQLITE3
 pdns_server_SOURCES += ssqlite3.cc ssqlite3.hh
 pdns_server_LDADD += $(SQLITE3_LIBS)
@@ -423,11 +414,6 @@ pdnsutil_SOURCES += sodiumsigners.cc
 pdnsutil_LDADD += $(LIBSODIUM_LIBS)
 endif
 
-if LIBDECAF
-pdnsutil_SOURCES += decafsigners.cc
-pdnsutil_LDADD += $(LIBDECAF_LIBS)
-endif
-
 if SQLITE3
 pdnsutil_SOURCES += ssqlite3.cc ssqlite3.hh
 pdnsutil_LDADD += $(SQLITE3_LIBS)
@@ -1482,11 +1468,6 @@ testrunner_LDADD += $(LIBSODIUM_LIBS)
 speedtest_LDADD += $(LIBSODIUM_LIBS)
 endif
 
-if LIBDECAF
-testrunner_SOURCES += decafsigners.cc
-testrunner_LDADD += $(LIBDECAF_LIBS)
-endif
-
 if HAVE_FREEBSD
 ixfrdist_SOURCES += kqueuemplexer.cc
 testrunner_SOURCES += kqueuemplexer.cc
diff --git a/pdns/decafsigners.cc b/pdns/decafsigners.cc
deleted file mode 100644 (file)
index 6c8be67..0000000
+++ /dev/null
@@ -1,443 +0,0 @@
-#include <openssl/err.h>
-#include <openssl/pem.h>
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-#endif
-#pragma GCC diagnostic push
-#pragma GCC diagnostic ignored "-Wdeprecated-copy"
-#include <decaf.hxx>
-#pragma GCC diagnostic pop
-#include <decaf/eddsa.hxx>
-#pragma GCC diagnostic push
-#pragma GCC diagnostic ignored "-Wshadow"
-#include <decaf/spongerng.hxx>
-#pragma GCC diagnostic pop
-#include "dnsseckeeper.hh"
-
-#include "dnssecinfra.hh"
-
-using namespace decaf;
-
-class DecafED25519DNSCryptoKeyEngine : public DNSCryptoKeyEngine
-{
-public:
-  explicit DecafED25519DNSCryptoKeyEngine(unsigned int algo) :
-    DNSCryptoKeyEngine(algo)
-  {
-  }
-  string getName() const override { return "Decaf ED25519"; }
-  void create(unsigned int bits) override;
-
-#if defined(HAVE_LIBCRYPTO_ED25519)
-  /**
-   * \brief Creates an ED25519 key engine from a PEM file.
-   *
-   * Receives an open file handle with PEM contents and creates an ED25519 key engine.
-   *
-   * \param[in] drc Key record contents to be populated.
-   *
-   * \param[in] inputFile An open file handle to a file containing ED25519 PEM contents.
-   *
-   * \param[in] filename Only used for providing filename information in error messages.
-   *
-   * \return An ED25519 key engine populated with the contents of the PEM file.
-   */
-  void createFromPEMFile(DNSKEYRecordContent& drc, std::FILE& inputFile, std::optional<std::reference_wrapper<const std::string>> filename = std::nullopt) override;
-
-  /**
-   * \brief Writes this key's contents to a file.
-   *
-   * Receives an open file handle and writes this key's contents to the
-   * file.
-   *
-   * \param[in] outputFile An open file handle for writing.
-   *
-   * \exception std::runtime_error In case of OpenSSL errors.
-   */
-  void convertToPEMFile(std::FILE& outputFile) const override;
-#endif
-
-  [[nodiscard]] storvector_t convertToISCVector() const override;
-  [[nodiscard]] std::string sign(const std::string& msg) const override;
-  [[nodiscard]] bool verify(const std::string& msg, const std::string& signature) const override;
-  [[nodiscard]] std::string getPublicKeyString() const override;
-  [[nodiscard]] int getBits() const override;
-  void fromISCMap(DNSKEYRecordContent& drc, std::map<std::string, std::string>& stormap) override;
-  void fromPublicKeyString(const std::string& content) override;
-
-  static std::unique_ptr<DNSCryptoKeyEngine> maker(unsigned int algorithm)
-  {
-    return make_unique<DecafED25519DNSCryptoKeyEngine>(algorithm);
-  }
-
-private:
-  unsigned char d_pubkey[DECAF_EDDSA_25519_PUBLIC_BYTES];
-  unsigned char d_seckey[DECAF_EDDSA_25519_PRIVATE_BYTES];
-};
-
-void DecafED25519DNSCryptoKeyEngine::create(unsigned int bits)
-{
-  if (bits != (unsigned int)getBits()) {
-    throw runtime_error("Unsupported key length of " + std::to_string(bits) + " bits requested, DecafED25519 class");
-  }
-
-  SpongeRng rng("/dev/urandom");
-
-  typename EdDSA<IsoEd25519>::PrivateKey priv(rng);
-  typename EdDSA<IsoEd25519>::PublicKey pub(priv);
-
-  priv.serialize_into(d_seckey);
-  pub.serialize_into(d_pubkey);
-}
-
-#if defined(HAVE_LIBCRYPTO_ED25519)
-void DecafED25519DNSCryptoKeyEngine::createFromPEMFile(DNSKEYRecordContent& drc, std::FILE& inputFile, std::optional<std::reference_wrapper<const std::string>> filename)
-{
-  drc.d_algorithm = d_algorithm;
-  auto key = std::unique_ptr<EVP_PKEY, decltype(&EVP_PKEY_free)>(PEM_read_PrivateKey(&inputFile, nullptr, nullptr, nullptr), &EVP_PKEY_free);
-  if (key == nullptr) {
-    if (filename.has_value()) {
-      throw runtime_error(getName() + ": Failed to read private key from PEM file `" + filename->get() + "`");
-    }
-
-    throw runtime_error(getName() + ": Failed to read private key from PEM contents");
-  }
-
-  std::size_t keylen = DECAF_EDDSA_25519_PRIVATE_BYTES;
-  int ret = EVP_PKEY_get_raw_private_key(key.get(), d_seckey, &keylen);
-  if (ret == 0) {
-    if (filename.has_value()) {
-      throw runtime_error(getName() + ": Failed to get private key from PEM file contents `" + filename->get() + "`");
-    }
-
-    throw runtime_error(getName() + ": Failed to get private key from PEM contents");
-  }
-
-  keylen = DECAF_EDDSA_25519_PUBLIC_BYTES;
-  ret = EVP_PKEY_get_raw_public_key(key.get(), d_pubkey, &keylen);
-  if (ret == 0) {
-    if (filename.has_value()) {
-      throw runtime_error(getName() + ": Failed to get public key from PEM file contents `" + filename->get() + "`");
-    }
-
-    throw runtime_error(getName() + ": Failed to get public key from PEM contents");
-  }
-}
-
-void DecafED25519DNSCryptoKeyEngine::convertToPEMFile(std::FILE& outputFile) const
-{
-  auto key = std::unique_ptr<EVP_PKEY, void (*)(EVP_PKEY*)>(EVP_PKEY_new_raw_private_key(EVP_PKEY_ED25519, nullptr, d_seckey, DECAF_EDDSA_25519_PRIVATE_BYTES), EVP_PKEY_free);
-  if (key == nullptr) {
-    throw runtime_error(getName() + ": Could not create private key from buffer");
-  }
-
-  auto ret = PEM_write_PrivateKey(&outputFile, key.get(), nullptr, nullptr, 0, nullptr, nullptr);
-  if (ret == 0) {
-    throw runtime_error(getName() + ": Could not convert private key to PEM");
-  }
-}
-#endif
-
-int DecafED25519DNSCryptoKeyEngine::getBits() const
-{
-  return DECAF_EDDSA_25519_PRIVATE_BYTES << 3;
-}
-
-DNSCryptoKeyEngine::storvector_t DecafED25519DNSCryptoKeyEngine::convertToISCVector() const
-{
-  /*
-    Private-key-format: v1.2
-    Algorithm: 15 (ED25519)
-    PrivateKey: ODIyNjAzODQ2MjgwODAxMjI2NDUxOTAyMDQxNDIyNjI=
-  */
-
-  auto storvector = storvector_t{
-    {"Algorithm", "15 (ED25519)"},
-    {"PrivateKey", string((char*)d_seckey, DECAF_EDDSA_25519_PRIVATE_BYTES)},
-  };
-
-  return storvector;
-}
-
-void DecafED25519DNSCryptoKeyEngine::fromISCMap(DNSKEYRecordContent& drc, std::map<std::string, std::string>& stormap)
-{
-  /*
-    Private-key-format: v1.2
-    Algorithm: 15 (ED25519)
-    PrivateKey: ODIyNjAzODQ2MjgwODAxMjI2NDUxOTAyMDQxNDIyNjI=
-  */
-
-  pdns::checked_stoi_into(drc.d_algorithm, stormap["algorithm"]);
-  string privateKey = stormap["privatekey"];
-
-  if (privateKey.length() != DECAF_EDDSA_25519_PRIVATE_BYTES)
-    throw runtime_error("Private key size mismatch in ISCMap, DecafED25519 class");
-
-  typename EdDSA<IsoEd25519>::PrivateKey priv(Block((const unsigned char*)privateKey.c_str(), DECAF_EDDSA_25519_PRIVATE_BYTES));
-  typename EdDSA<IsoEd25519>::PublicKey pub(priv);
-
-  priv.serialize_into(d_seckey);
-  pub.serialize_into(d_pubkey);
-}
-
-std::string DecafED25519DNSCryptoKeyEngine::getPublicKeyString() const
-{
-  return string((char*)d_pubkey, DECAF_EDDSA_25519_PUBLIC_BYTES);
-}
-
-void DecafED25519DNSCryptoKeyEngine::fromPublicKeyString(const std::string& input)
-{
-  if (input.length() != DECAF_EDDSA_25519_PUBLIC_BYTES)
-    throw runtime_error("Public key size mismatch, DecafED25519 class");
-
-  memcpy(d_pubkey, input.c_str(), DECAF_EDDSA_25519_PUBLIC_BYTES);
-}
-
-std::string DecafED25519DNSCryptoKeyEngine::sign(const std::string& msg) const
-{
-  typename EdDSA<IsoEd25519>::PrivateKey priv(Block(d_seckey, DECAF_EDDSA_25519_PRIVATE_BYTES));
-
-  SecureBuffer message(msg.begin(), msg.end());
-
-  SecureBuffer sig = priv.sign(message);
-
-  return string(sig.begin(), sig.end());
-}
-
-bool DecafED25519DNSCryptoKeyEngine::verify(const std::string& msg, const std::string& signature) const
-{
-  if (signature.length() != DECAF_EDDSA_25519_SIGNATURE_BYTES)
-    return false;
-
-  typename EdDSA<IsoEd25519>::PublicKey pub(Block(d_pubkey, DECAF_EDDSA_25519_PUBLIC_BYTES));
-
-  SecureBuffer sig(signature.begin(), signature.end());
-  SecureBuffer message(msg.begin(), msg.end());
-
-  try {
-    pub.verify(sig, message);
-  }
-  catch (const CryptoException& e) {
-    return false;
-  }
-
-  return true;
-}
-
-class DecafED448DNSCryptoKeyEngine : public DNSCryptoKeyEngine
-{
-public:
-  explicit DecafED448DNSCryptoKeyEngine(unsigned int algo) :
-    DNSCryptoKeyEngine(algo)
-  {
-  }
-  string getName() const override { return "Decaf ED448"; }
-  void create(unsigned int bits) override;
-
-#if defined(HAVE_LIBCRYPTO_ED448)
-  /**
-   * \brief Creates an ED448 key engine from a PEM file.
-   *
-   * Receives an open file handle with PEM contents and creates an ED448 key engine.
-   *
-   * \param[in] drc Key record contents to be populated.
-   *
-   * \param[in] inputFile An open file handle to a file containing ED448 PEM contents.
-   *
-   * \param[in] filename Only used for providing filename information in error messages.
-   *
-   * \return An ED448 key engine populated with the contents of the PEM file.
-   */
-  void createFromPEMFile(DNSKEYRecordContent& drc, std::FILE& inputFile, std::optional<std::reference_wrapper<const std::string>> filename = std::nullopt) override;
-
-  /**
-   * \brief Writes this key's contents to a file.
-   *
-   * Receives an open file handle and writes this key's contents to the
-   * file.
-   *
-   * \param[in] outputFile An open file handle for writing.
-   *
-   * \exception std::runtime_error In case of OpenSSL errors.
-   */
-  void convertToPEMFile(std::FILE& outputFile) const override;
-#endif
-
-  storvector_t convertToISCVector() const override;
-  std::string sign(const std::string& msg) const override;
-  bool verify(const std::string& msg, const std::string& signature) const override;
-  std::string getPublicKeyString() const override;
-  int getBits() const override;
-  void fromISCMap(DNSKEYRecordContent& drc, std::map<std::string, std::string>& stormap) override;
-  void fromPublicKeyString(const std::string& content) override;
-
-  static std::unique_ptr<DNSCryptoKeyEngine> maker(unsigned int algorithm)
-  {
-    return make_unique<DecafED448DNSCryptoKeyEngine>(algorithm);
-  }
-
-private:
-  unsigned char d_pubkey[DECAF_EDDSA_448_PUBLIC_BYTES];
-  unsigned char d_seckey[DECAF_EDDSA_448_PRIVATE_BYTES];
-};
-
-void DecafED448DNSCryptoKeyEngine::create(unsigned int bits)
-{
-  if (bits != (unsigned int)getBits()) {
-    throw runtime_error("Unsupported key length of " + std::to_string(bits) + " bits requested, DecafED448 class");
-  }
-
-  SpongeRng rng("/dev/urandom");
-
-  typename EdDSA<Ed448Goldilocks>::PrivateKey priv(rng);
-  typename EdDSA<Ed448Goldilocks>::PublicKey pub(priv);
-
-  priv.serialize_into(d_seckey);
-  pub.serialize_into(d_pubkey);
-}
-
-#if defined(HAVE_LIBCRYPTO_ED448)
-void DecafED448DNSCryptoKeyEngine::createFromPEMFile(DNSKEYRecordContent& drc, std::FILE& inputFile, std::optional<std::reference_wrapper<const std::string>> filename)
-{
-  drc.d_algorithm = d_algorithm;
-  auto key = std::unique_ptr<EVP_PKEY, decltype(&EVP_PKEY_free)>(PEM_read_PrivateKey(&inputFile, nullptr, nullptr, nullptr), &EVP_PKEY_free);
-  if (key == nullptr) {
-    if (filename.has_value()) {
-      throw runtime_error(getName() + ": Failed to read private key from PEM file `" + filename->get() + "`");
-    }
-
-    throw runtime_error(getName() + ": Failed to read private key from PEM contents");
-  }
-
-  std::size_t keylen = DECAF_EDDSA_448_PRIVATE_BYTES;
-  int ret = EVP_PKEY_get_raw_private_key(key.get(), d_seckey, &keylen);
-  if (ret == 0) {
-    if (filename.has_value()) {
-      throw runtime_error(getName() + ": Failed to get private key from PEM file contents `" + filename->get() + "`");
-    }
-
-    throw runtime_error(getName() + ": Failed to get private key from PEM contents");
-  }
-
-  keylen = DECAF_EDDSA_448_PUBLIC_BYTES;
-  ret = EVP_PKEY_get_raw_public_key(key.get(), d_pubkey, &keylen);
-  if (ret == 0) {
-    if (filename.has_value()) {
-      throw runtime_error(getName() + ": Failed to get public key from PEM file contents `" + filename->get() + "`");
-    }
-
-    throw runtime_error(getName() + ": Failed to get public key from PEM contents");
-  }
-}
-
-void DecafED448DNSCryptoKeyEngine::convertToPEMFile(std::FILE& outputFile) const
-{
-  auto key = std::unique_ptr<EVP_PKEY, void (*)(EVP_PKEY*)>(EVP_PKEY_new_raw_private_key(EVP_PKEY_ED448, nullptr, d_seckey, DECAF_EDDSA_448_PRIVATE_BYTES), EVP_PKEY_free);
-  if (key == nullptr) {
-    throw runtime_error(getName() + ": Could not create private key from buffer");
-  }
-
-  auto ret = PEM_write_PrivateKey(&outputFile, key.get(), nullptr, nullptr, 0, nullptr, nullptr);
-  if (ret == 0) {
-    throw runtime_error(getName() + ": Could not convert private key to PEM");
-  }
-}
-#endif
-
-int DecafED448DNSCryptoKeyEngine::getBits() const
-{
-  return DECAF_EDDSA_448_PRIVATE_BYTES << 3;
-}
-
-DNSCryptoKeyEngine::storvector_t DecafED448DNSCryptoKeyEngine::convertToISCVector() const
-{
-  /*
-    Private-key-format: v1.2
-    Algorithm: 16 (ED448)
-    PrivateKey: xZ+5Cgm463xugtkY5B0Jx6erFTXp13rYegst0qRtNsOYnaVpMx0Z/c5EiA9x8wWbDDct/U3FhYWA
-  */
-
-  auto storvector = storvector_t{
-    {"Algorithm", "16 (ED448)"},
-    {"PrivateKey", string((char*)d_seckey, DECAF_EDDSA_448_PRIVATE_BYTES)},
-  };
-
-  return storvector;
-}
-
-void DecafED448DNSCryptoKeyEngine::fromISCMap(DNSKEYRecordContent& drc, std::map<std::string, std::string>& stormap)
-{
-  /*
-    Private-key-format: v1.2
-    Algorithm: 16 (ED448)
-    PrivateKey: xZ+5Cgm463xugtkY5B0Jx6erFTXp13rYegst0qRtNsOYnaVpMx0Z/c5EiA9x8wWbDDct/U3FhYWA
-  */
-
-  pdns::checked_stoi_into(drc.d_algorithm, stormap["algorithm"]);
-  string privateKey = stormap["privatekey"];
-
-  if (privateKey.length() != DECAF_EDDSA_448_PRIVATE_BYTES)
-    throw runtime_error("Private key size mismatch in ISCMap, DecafED448 class");
-
-  typename EdDSA<Ed448Goldilocks>::PrivateKey priv(Block((const unsigned char*)privateKey.c_str(), DECAF_EDDSA_448_PRIVATE_BYTES));
-  typename EdDSA<Ed448Goldilocks>::PublicKey pub(priv);
-
-  priv.serialize_into(d_seckey);
-  pub.serialize_into(d_pubkey);
-}
-
-std::string DecafED448DNSCryptoKeyEngine::getPublicKeyString() const
-{
-  return string((char*)d_pubkey, DECAF_EDDSA_448_PUBLIC_BYTES);
-}
-
-void DecafED448DNSCryptoKeyEngine::fromPublicKeyString(const std::string& input)
-{
-  if (input.length() != DECAF_EDDSA_448_PUBLIC_BYTES)
-    throw runtime_error("Public key size mismatch, DecafED448 class");
-
-  memcpy(d_pubkey, input.c_str(), DECAF_EDDSA_448_PUBLIC_BYTES);
-}
-
-std::string DecafED448DNSCryptoKeyEngine::sign(const std::string& msg) const
-{
-  typename EdDSA<Ed448Goldilocks>::PrivateKey priv(Block(d_seckey, DECAF_EDDSA_448_PRIVATE_BYTES));
-
-  SecureBuffer message(msg.begin(), msg.end());
-
-  SecureBuffer sig = priv.sign(message);
-
-  return string(sig.begin(), sig.end());
-}
-
-bool DecafED448DNSCryptoKeyEngine::verify(const std::string& msg, const std::string& signature) const
-{
-  if (signature.length() != DECAF_EDDSA_448_SIGNATURE_BYTES)
-    return false;
-
-  typename EdDSA<Ed448Goldilocks>::PublicKey pub(Block(d_pubkey, DECAF_EDDSA_448_PUBLIC_BYTES));
-
-  SecureBuffer sig(signature.begin(), signature.end());
-  SecureBuffer message(msg.begin(), msg.end());
-
-  try {
-    pub.verify(sig, message);
-  }
-  catch (const CryptoException& e) {
-    return false;
-  }
-
-  return true;
-}
-
-namespace
-{
-const struct LoaderDecafStruct
-{
-  LoaderDecafStruct()
-  {
-    DNSCryptoKeyEngine::report(DNSSECKeeper::ED25519, &DecafED25519DNSCryptoKeyEngine::maker, true);
-    DNSCryptoKeyEngine::report(DNSSECKeeper::ED448, &DecafED448DNSCryptoKeyEngine::maker);
-  }
-} loaderdecaf;
-}
index 90d309d4166f6ac3da8856d7aa7b09423e8bcdcb..ed19662297cdf4d1ff7fd6c915a7848e15669833 100644 (file)
@@ -2562,10 +2562,10 @@ try
     cout << "list-autoprimaries                 List all autoprimaries" << endl;
     cout << "add-zone-key ZONE {zsk|ksk} [BITS] [active|inactive] [published|unpublished]" << endl;
     cout << "             [rsasha1|rsasha1-nsec3-sha1|rsasha256|rsasha512|ecdsa256|ecdsa384";
-#if defined(HAVE_LIBSODIUM) || defined(HAVE_LIBDECAF) || defined(HAVE_LIBCRYPTO_ED25519)
+#if defined(HAVE_LIBSODIUM) || defined(HAVE_LIBCRYPTO_ED25519)
     cout << "|ed25519";
 #endif
-#if defined(HAVE_LIBDECAF) || defined(HAVE_LIBCRYPTO_ED448)
+#if defined(HAVE_LIBCRYPTO_ED448)
     cout << "|ed448";
 #endif
     cout << "]" << endl;
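Review bot: The rewritten `#if defined(HAVE_LIBSODIUM) || defined(HAVE_LIBCRYPTO_ED25519)` / `#if defined(HAVE_LIBCRYPTO_ED448)` pair is now copied verbatim into three usage strings (this hunk and the add-zone-key and generate-zone-key hunks below), so the algorithm list and its feature conditions must be kept in sync by hand in three places. A small helper that builds the list once would let all three call sites print it and confine any future signer addition or removal to a single edit; a constructed sketch follows. The enclosing `try` block of `main` starts and ends outside the hunk.
```cpp
// Algorithm names accepted by add-zone-key / generate-zone-key, built in one
// place so the three usage strings cannot drift from the compiled-in signers.
static std::string availableSignerAlgorithms()
{
  std::string algos = "rsasha1|rsasha1-nsec3-sha1|rsasha256|rsasha512|ecdsa256|ecdsa384";
#if defined(HAVE_LIBSODIUM) || defined(HAVE_LIBCRYPTO_ED25519)
  algos += "|ed25519";
#endif
#if defined(HAVE_LIBCRYPTO_ED448)
  algos += "|ed448";
#endif
  return algos;
}
// … unchanged: usage text, with the conditional block replaced by …
    cout << "             [" << availableSignerAlgorithms() << "]" << endl;
```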
@@ -3025,10 +3025,10 @@ try
   else if (cmds.at(0) == "add-zone-key") {
     if(cmds.size() < 3 ) {
       cerr << "Syntax: pdnsutil add-zone-key ZONE [zsk|ksk] [BITS] [active|inactive] [rsasha1|rsasha1-nsec3-sha1|rsasha256|rsasha512|ecdsa256|ecdsa384";
-#if defined(HAVE_LIBSODIUM) || defined(HAVE_LIBDECAF) || defined(HAVE_LIBCRYPTO_ED25519)
+#if defined(HAVE_LIBSODIUM) || defined(HAVE_LIBCRYPTO_ED25519)
       cerr << "|ed25519";
 #endif
-#if defined(HAVE_LIBDECAF) || defined(HAVE_LIBCRYPTO_ED448)
+#if defined(HAVE_LIBCRYPTO_ED448)
       cerr << "|ed448";
 #endif
       cerr << "]"<<endl;
@@ -3673,10 +3673,10 @@ try
   else if (cmds.at(0) == "generate-zone-key") {
     if(cmds.size() < 2 ) {
       cerr << "Syntax: pdnsutil generate-zone-key zsk|ksk [rsasha1|rsasha1-nsec3-sha1|rsasha256|rsasha512|ecdsa256|ecdsa384";
-#if defined(HAVE_LIBSODIUM) || defined(HAVE_LIBDECAF) || defined(HAVE_LIBCRYPTO_ED25519)
+#if defined(HAVE_LIBSODIUM) || defined(HAVE_LIBCRYPTO_ED25519)
       cerr << "|ed25519";
 #endif
-#if defined(HAVE_LIBDECAF) || defined(HAVE_LIBCRYPTO_ED448)
+#if defined(HAVE_LIBCRYPTO_ED448)
       cerr << "|ed448";
 #endif
       cerr << "] [bits]"<<endl;
index a1ddf3960ecc4162c53e5d97c293ccab0cceca64..8d2210f6cfeff1408ae80c578f0c673fbc4558cf 100644 (file)
@@ -5,10 +5,6 @@ RUST_LIBS = $(top_builddir)/settings/rust/libsettings.a $(LIBDL)
 
 AM_CPPFLAGS = $(LUA_CFLAGS) $(YAHTTP_CFLAGS) $(BOOST_CPPFLAGS) $(LIBSODIUM_CFLAGS) $(NET_SNMP_CFLAGS) $(LIBCAP_CFLAGS) $(SANITIZER_FLAGS) -O3 -Wall -pthread -DSYSCONFDIR=\"${sysconfdir}\" $(SYSTEMD_CFLAGS)
 
-if LIBDECAF
-AM_CPPFLAGS += $(LIBDECAF_CFLAGS)
-endif
-
 AM_CPPFLAGS += \
        -I$(top_srcdir)/ext/json11 \
        -I$(top_srcdir)/ext/protozero/include \
@@ -453,12 +449,6 @@ endif
 
 
 
-if LIBDECAF
-pdns_recursor_SOURCES += \
-       decafsigners.cc
-pdns_recursor_LDADD += $(LIBDECAF_LIBS)
-endif
-
 if MALLOC_TRACE
 pdns_recursor_SOURCES += \
        malloctrace.cc \
index 914f903777d0e4f24119a54584b45eb554877238..31af88619fea8d28b0830044a7b510559ea1ff57 100644 (file)
@@ -78,7 +78,6 @@ PDNS_CHECK_LIBCRYPTO([
 PDNS_CHECK_LIBCRYPTO_ECDSA
 PDNS_CHECK_LIBCRYPTO_EDDSA
 PDNS_WITH_LIBSODIUM
-PDNS_WITH_LIBDECAF
 PDNS_WITH_LIBCAP
 PDNS_CHECK_LIBCURL
 
@@ -222,11 +221,11 @@ AC_MSG_NOTICE([Features enabled])
 AC_MSG_NOTICE([----------------])
 AC_MSG_NOTICE([Lua: $LUAPC])
 AC_MSG_NOTICE([OpenSSL ECDSA: $libcrypto_ecdsa])
-AS_IF([test "x$LIBSODIUM_LIBS" != "x" || test "x$LIBDECAF_LIBS" != "x" || test "x$libcrypto_ed25519" = "xyes"],
+AS_IF([test "x$LIBSODIUM_LIBS" != "x" || test "x$libcrypto_ed25519" = "xyes"],
   [AC_MSG_NOTICE([ed25519: yes])],
   [AC_MSG_NOTICE([ed25519: no])]
 )
-AS_IF([test "x$LIBDECAF_LIBS" != "x" || test "x$libcrypto_ed448" = "xyes"],
+AS_IF([test "x$libcrypto_ed448" = "xyes"],
   [AC_MSG_NOTICE([ed448: yes])],
   [AC_MSG_NOTICE([ed448: no])]
 )
index f9e462b11233dc4964f54881f78a5303caf9eca9..fb5a90342b7d9f4035acb46270d27779f083960b 100644 (file)
@@ -109,15 +109,6 @@ To detect libsodium, use the ``--with-libsodium`` configure option.
 .. versionchanged:: 4.2.0
   This option was previously ``--enable-libsodium``
 
-ed25519 and ed448 support with libdecaf
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-`libdecaf <https://sourceforge.net/projects/ed448goldilocks/>`_ is a library that allows :program:`Recursor` to support ed25519 and Ed448 (DNSSEC algorithms 15 and 16).
-To detect libdecaf, use the ``--with-libdecaf`` configure option.
-
-.. versionchanged:: 4.2.0
-  This option was previously ``--enable-libdecaf``
-
 Protobuf to emit DNS logs
 ^^^^^^^^^^^^^^^^^^^^^^^^^
 
diff --git a/pdns/recursordist/m4/pdns_with_libdecaf.m4 b/pdns/recursordist/m4/pdns_with_libdecaf.m4
deleted file mode 120000 (symlink)
index e932fd1..0000000
+++ /dev/null
@@ -1 +0,0 @@
-../../../m4/pdns_with_libdecaf.m4
\ No newline at end of file
index ed573dedd760f52bf51c0797050655b1cf0d9691..2cb4799708e4f1c68a115415b8ad14c7dafa0b6d 100644 (file)
@@ -45,7 +45,6 @@ subdir('meson' / 'net-libs')                # Network Libraries
 subdir('meson' / 'tm-gmtoff')               # Check for tm_gmtoff field in struct tm
 subdir('meson' / 'mmap')                    # Check for mmap
 subdir('meson' / 'libsodium')               # Libsodium-based signers
-subdir('meson' / 'libdecaf')                # Libdecaf-based signers
 subdir('meson' / 'libcrypto')               # OpenSSL-based signers
 subdir('meson' / 'libssl')                  # OpenSSL libssl
 subdir('meson' / 'libsnmp')                 # SNMP
@@ -326,17 +325,6 @@ if dep_libsodium.found()
   )
 endif
 
-librec_signers_decaf = dependency('', required: false)
-if dep_libdecaf.found()
-  librec_signers_decaf = declare_dependency(
-    link_whole: static_library(
-      'rec-signers-decaf',
-      sources: files(src_dir / 'decafsigners.cc'),
-      dependencies: [dep_boost, dep_libdecaf],
-    )
-  )
-endif
-
 librec_signers_openssl = declare_dependency(
   link_whole: static_library(
     'rec-signers-openssl',
@@ -433,7 +421,6 @@ tools = {
       dep_rust_settings,
       dep_systemd,
       librec_signers_openssl,
-      librec_signers_decaf,
       librec_signers_sodium,
       dep_pubsuffix,
     ],
@@ -519,7 +506,6 @@ if get_option('unit-tests')
           dep_settings,
           dep_rust_settings,
           librec_signers_openssl,
-          librec_signers_decaf,
           librec_signers_sodium,
       ],
     )
index 52ba9f3acd0a7ce2347bbbbac02f8683d7d65794..64612d31c437ade1aa873a75ae996c77aa367a2c 100644 (file)
@@ -5,7 +5,6 @@ option('hardening-experimental-scp', type: 'feature', value: 'disabled', descrip
 option('hardening-fortify-source', type: 'combo', choices: ['auto', 'disabled', '1', '2', '3'], value: '2', description: 'Source fortification level')
 #option('rng-kiss', type: 'boolean', value: false, description: 'Use the unsafe KISS RNG')
 option('signers-libsodium', type: 'feature', value: 'auto', description: 'Enable libsodium-based signers')
-option('signers-libdecaf', type: 'feature', value: 'auto', description: 'Enable libdecaf-based signers')
 option('signers-libcrypto', type: 'feature', value: 'auto', description: 'Enable OpenSSL libcrypto-based signers)')
 option('signers-libcrypto-path', type: 'string', value: '', description: 'Custom path to find OpenSSL libcrypto')
 option('tls-libssl', type: 'feature', value: 'auto', description: 'OpenSSL-based TLS')
index 5743f831dfed5e86bbda27f7eef87eecc6c601e2..22cb402df55622ea999dfa189412cbed317426e0 100644 (file)
@@ -318,7 +318,7 @@ struct Fixture
     addSignerParams(DNSSECKeeper::ED25519, "ED25519", ed25519);
 #endif
 
-#if defined(HAVE_LIBDECAF) || defined(HAVE_LIBCRYPTO_ED448)
+#if defined(HAVE_LIBCRYPTO_ED448)
     addSignerParams(DNSSECKeeper::ED448, "ED448", ed448);
 #endif
   }
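Review bot: After this change the ED448 fixture entry is compiled only under HAVE_LIBCRYPTO_ED448, so a build whose OpenSSL lacks Ed448 now has no ED448 signer coverage at all, where a libdecaf build previously provided it; that is presumably intended, but nothing in the test says so. A short comment on the guard, `// ED448 is only available through libcrypto now that libdecaf support is gone`, would tell the next reader why the ED25519 block above has a wider condition than this one. The enclosing Fixture constructor starts outside the hunk.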
index 9e7b8bc6d1e0bbdf8b951276aea14484070bf68f..fc40756a44c7178f312f7ec6599809fe34c571e0 100644 (file)
@@ -107,9 +107,6 @@ string getBuildConfiguration()
 {
   ostringstream ret;
   ret << "Features:"
-#ifdef HAVE_LIBDECAF
-      << " decaf"
-#endif
 #ifdef HAVE_LIBCRYPTO_ECDSA
       << " libcrypto-ecdsa"
 #endif
index 5a0d53101fb206c412836eefe153b625008d8f0b..50c4e27ffbb5804b2bd334e1752a0c9f16eb982f 100644 (file)
--- a/tasks.py
+++ b/tasks.py
@@ -175,22 +175,6 @@ def ci_install_rust(c, repo):
     with c.cd(f'{repo}/builder-support/helpers/'):
         c.run('sudo sh install_rust.sh')
 
-def install_libdecaf(c, product):
-    c.run('rm -rf /tmp/libdecaf && git clone https://git.code.sf.net/p/ed448goldilocks/code /tmp/libdecaf')
-    with c.cd('/tmp/libdecaf'):
-        c.run('git checkout 41f349')
-        c.run(f'CC={get_c_compiler()} CXX={get_cxx_compiler()} '
-              'cmake -B build '
-              '-DCMAKE_INSTALL_PREFIX=/usr/local '
-              '-DCMAKE_INSTALL_LIBDIR=lib '
-              '-DENABLE_STATIC=OFF '
-              '-DENABLE_TESTS=OFF '
-              '-DCMAKE_C_FLAGS="-Wno-sizeof-array-div -Wno-array-parameter" .')
-        c.run('make -C build')
-        c.run('sudo make -C build install')
-    c.sudo(f'mkdir -p /opt/{product}/libdecaf')
-    c.sudo(f'cp /usr/local/lib/libdecaf.so* /opt/{product}/libdecaf/.')
-
 @task
 def install_doc_deps(c):
     c.sudo('apt-get install -y ' + ' '.join(doc_deps))
@@ -207,8 +191,6 @@ def install_meson(c):
 def install_auth_build_deps(c):
     c.sudo('apt-get install -y --no-install-recommends ' + ' '.join(all_build_deps + git_build_deps + auth_build_deps))
     install_meson(c)
-    if os.getenv('DECAF_SUPPORT', 'no') == 'yes':
-        install_libdecaf(c, 'pdns-auth')
 
 def is_coverage_enabled():
     sanitizers = os.getenv('SANITIZERS')
@@ -280,11 +262,6 @@ def install_auth_test_deps(c, backend): # FIXME: rename this, we do way more tha
     # FIXME we may want to start a background recursor here to make ALIAS tests more robust
     setup_authbind(c)
 
-    if os.getenv('DECAF_SUPPORT', 'no') == 'yes':
-        # Copy libdecaf out
-        c.sudo('mkdir -p /usr/local/lib')
-        c.sudo('cp /opt/pdns-auth/libdecaf/libdecaf.so* /usr/local/lib/.')
-
 @task
 def install_rec_bulk_deps(c): # FIXME: rename this, we do way more than apt-get
     c.sudo('apt-get --no-install-recommends -y install ' + ' '.join(rec_bulk_deps))
@@ -513,7 +490,6 @@ def ci_auth_configure_autotools(c):
         "--enable-remotebackend-zeromq",
         "--enable-verbose-logging",
         "--with-lmdb=/usr",
-        "--with-libdecaf" if os.getenv('DECAF_SUPPORT', 'no') == 'yes' else '',
         "--prefix=/opt/pdns-auth",
         "--enable-ixfrdist",
         unittests,
@@ -547,7 +523,6 @@ def ci_auth_configure_meson(c, build_dir):
         "-D dns-over-tls=true",
         "-D experimental-pkcs11=enabled",
         "-D experimental-gss-tsig=enabled",
-        "-D signers-libdecaf=enabled" if os.getenv('DECAF_SUPPORT', 'no') == 'yes' else '',
         "-D prefix=/opt/pdns-auth",
         "-D tools-ixfrdist=true",
         unittests,
@@ -599,7 +574,6 @@ def ci_rec_configure(c, features):
             "--with-lua=luajit",
             "--without-libcap",
             "--without-libcurl",
-            "--without-libdecaf",
             "--without-libsodium",
             "--without-net-snmp",
             unittests,