* Add sha384 and sha512 tsig algorithm. Thanks Michael Weiser
* Clarify data ownership with consts for tsig parameters.
Thanks Michael Weiser
+ * bugfix: Fix detection of DSA support with OpenSSL >= 1.1.0
1.6.17 2014-01-10
* Fix ldns_dnssec_zone_new_frm_fp_l to allow the last parsed line of a
else
AC_MSG_RESULT([no])
fi
-AC_CHECK_FUNCS([EVP_sha256 EVP_sha384 EVP_sha512 ENGINE_load_cryptodev EVP_PKEY_keygen ECDSA_SIG_get0 EVP_MD_CTX_new EVP_PKEY_base_id])
+AC_CHECK_FUNCS([EVP_sha256 EVP_sha384 EVP_sha512 ENGINE_load_cryptodev EVP_PKEY_keygen ECDSA_SIG_get0 EVP_MD_CTX_new EVP_PKEY_base_id DSA_SIG_set0 DSA_SIG_get0 EVP_dss1 DSA_get0_pqg DSA_get0_key])
# for macosx, see if glibtool exists and use that
# BSD's need to know the version...
;;
*) dnl default
# detect if DSA is supported, and turn it off if not.
- AC_CHECK_FUNC(EVP_dss1, [
+ AC_CHECK_FUNC(DSA_SIG_new, [
AC_DEFINE_UNQUOTED([USE_DSA], [1], [Define this to enable DSA support.])
], [if test "x$enable_dsa" = "xyes"; then AC_MSG_ERROR([OpenSSL does not support DSA and you used --enable-dsa.])
fi ])
#ifdef USE_DSA
ldns_rdf *sigdata_rdf;
DSA_SIG *dsasig;
+ const BIGNUM *R, *S;
unsigned char *dsasig_data = (unsigned char*)ldns_buffer_begin(sig);
size_t byte_offset;
return NULL;
}
dsasig_data[0] = 0;
- byte_offset = (size_t) (20 - BN_num_bytes(dsasig->r));
+# ifdef HAVE_DSA_SIG_GET0
+ DSA_SIG_get0(dsasig, &R, &S);
+# else
+ R = dsasig->r;
+ S = dsasig->s;
+# endif
+ byte_offset = (size_t) (20 - BN_num_bytes(R));
if (byte_offset > 20) {
DSA_SIG_free(dsasig);
LDNS_FREE(dsasig_data);
return NULL;
}
memset(&dsasig_data[1], 0, byte_offset);
- BN_bn2bin(dsasig->r, &dsasig_data[1 + byte_offset]);
- byte_offset = (size_t) (20 - BN_num_bytes(dsasig->s));
+ BN_bn2bin(R, &dsasig_data[1 + byte_offset]);
+ byte_offset = (size_t) (20 - BN_num_bytes(S));
if (byte_offset > 20) {
DSA_SIG_free(dsasig);
LDNS_FREE(dsasig_data);
return NULL;
}
memset(&dsasig_data[21], 0, byte_offset);
- BN_bn2bin(dsasig->s, &dsasig_data[21 + byte_offset]);
+ BN_bn2bin(S, &dsasig_data[21 + byte_offset]);
sigdata_rdf = ldns_rdf_new(LDNS_RDF_TYPE_B64, 41, dsasig_data);
if(!sigdata_rdf) {
BN_free(S);
return LDNS_STATUS_MEM_ERR;
}
-
+# ifdef HAVE_DSA_SIG_SET0
+ if (! DSA_SIG_set0(dsasig, R, S))
+ return LDNS_STATUS_SSL_ERR;
+# else
dsasig->r = R;
dsasig->s = S;
+# endif
raw_sig_len = i2d_DSA_SIG(dsasig, &raw_sig);
if (raw_sig_len < 0) {
b64rdf = ldns_sign_public_evp(
sign_buf,
ldns_key_evp_key(current_key),
- EVP_dss1());
+# ifdef HAVE_EVP_DSS1
+ EVP_dss1()
+# else
+ EVP_sha1()
+# endif
+ );
break;
#endif /* USE_DSA */
case LDNS_SIGN_RSASHA1:
ldns_buffer *b64sig;
DSA_SIG *sig;
+ const BIGNUM *R, *S;
uint8_t *data;
size_t pad;
}
data[0] = 1;
- pad = 20 - (size_t) BN_num_bytes(sig->r);
+# ifdef HAVE_DSA_SIG_GET0
+ DSA_SIG_get0(sig, &R, &S);
+# else
+ R = sig->r;
+ S = sig->s;
+# endif
+ pad = 20 - (size_t) BN_num_bytes(R);
if (pad > 0) {
memset(data + 1, 0, pad);
}
- BN_bn2bin(sig->r, (unsigned char *) (data + 1) + pad);
+ BN_bn2bin(R, (unsigned char *) (data + 1) + pad);
- pad = 20 - (size_t) BN_num_bytes(sig->s);
+ pad = 20 - (size_t) BN_num_bytes(S);
if (pad > 0) {
memset(data + 1 + SHA_DIGEST_LENGTH, 0, pad);
}
- BN_bn2bin(sig->s, (unsigned char *) (data + 1 + SHA_DIGEST_LENGTH + pad));
+ BN_bn2bin(S, (unsigned char *) (data + 1 + SHA_DIGEST_LENGTH + pad));
sigdata_rdf = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64,
1 + 2 * SHA_DIGEST_LENGTH,
#ifdef USE_DSA
#ifndef S_SPLINT_S
/* unfortunately, OpenSSL output is different from DNS DSA format */
+# ifdef HAVE_EVP_PKEY_BASE_ID
+ if (EVP_PKEY_base_id(key) == EVP_PKEY_DSA) {
+# else
if (EVP_PKEY_type(key->type) == EVP_PKEY_DSA) {
+# endif
r = 1;
sigdata_rdf = ldns_convert_dsa_rrsig_asn12rdf(b64sig, siglen);
}
siglen,
rrset,
evp_key,
- EVP_dss1());
+# ifdef HAVE_EVP_DSS1
+ EVP_dss1()
+# else
+ EVP_sha1()
+# endif
+ );
} else {
result = LDNS_STATUS_SSL_ERR;
}
case LDNS_SIGN_DSA_NSEC3:
#ifdef USE_DSA
#ifdef HAVE_SSL
+# if OPENSSL_VERSION_NUMBER < 0x00908000L
d = DSA_generate_parameters((int)size, NULL, 0, NULL, NULL, NULL, NULL);
if (!d) {
ldns_key_free(k);
return NULL;
}
+
+# else
+ if (! (d = DSA_new())) {
+ ldns_key_free(k);
+ return NULL;
+ }
+ if (! DSA_generate_parameters_ex(d, (int)size, NULL, 0, NULL, NULL, NULL)) {
+ DSA_free(d);
+ ldns_key_free(k);
+ return NULL;
+ }
+# endif
if (DSA_generate_key(d) != 1) {
ldns_key_free(k);
return NULL;
ldns_key_dsa2bin(unsigned char *data, DSA *k, uint16_t *size)
{
uint8_t T;
+ const BIGNUM *p, *q, *g;
+ const BIGNUM *pub_key, *priv_key;
if (!k) {
return false;
}
/* See RFC2536 */
- *size = (uint16_t)BN_num_bytes(k->p);
+# ifdef HAVE_DSA_GET0_PQG
+ DSA_get0_pqg(k, &p, &q, &g);
+# else
+ p = k->p; q = k->q; g = k->g;
+# endif
+# ifdef HAVE_DSA_GET0_KEY
+ DSA_get0_key(k, &pub_key, &priv_key);
+# else
+ pub_key = k->pub_key; priv_key = k->priv_key;
+# endif
+ (void)priv_key;
+ *size = (uint16_t)BN_num_bytes(p);
T = (*size - 64) / 8;
if (T > 8) {
/* size = 64 + (T * 8); */
memset(data, 0, 21 + *size * 3);
data[0] = (unsigned char)T;
- BN_bn2bin(k->q, data + 1 ); /* 20 octects */
- BN_bn2bin(k->p, data + 21 ); /* offset octects */
- BN_bn2bin(k->g, data + 21 + *size * 2 - BN_num_bytes(k->g));
- BN_bn2bin(k->pub_key,data + 21 + *size * 3 - BN_num_bytes(k->pub_key));
+ BN_bn2bin(q, data + 1 ); /* 20 octects */
+ BN_bn2bin(p, data + 21 ); /* offset octects */
+ BN_bn2bin(g, data + 21 + *size * 2 - BN_num_bytes(g));
+ BN_bn2bin(pub_key,data + 21 + *size * 3 - BN_num_bytes(pub_key));
*size = 21 + *size * 3;
return true;
}
projects / thirdparty / ldns.git / commitdiff
