/* Define to 1 if you have the <nettle/dsa-compat.h> header file. */
#undef HAVE_NETTLE_DSA_COMPAT_H
+/* Define to 1 if you have the <nettle/eddsa.h> header file. */
+#undef HAVE_NETTLE_EDDSA_H
+
/* Use libnss for crypto */
#undef HAVE_NSS
_ACEOF
if test $ac_have_decl = 1; then :
-
-cat >>confdefs.h <<_ACEOF
-#define USE_ED25519 1
-_ACEOF
-
use_ed25519="yes"
else
fi
fi
+ fi
+ if test $USE_NETTLE = "yes"; then
+ for ac_header in nettle/eddsa.h
+do :
+ ac_fn_c_check_header_compile "$LINENO" "nettle/eddsa.h" "ac_cv_header_nettle_eddsa_h" "$ac_includes_default
+"
+if test "x$ac_cv_header_nettle_eddsa_h" = xyes; then :
+ cat >>confdefs.h <<_ACEOF
+#define HAVE_NETTLE_EDDSA_H 1
+_ACEOF
+ use_ed25519="yes"
+fi
+
+done
+
+ fi
+ if test $use_ed25519 = "yes"; then
+
+cat >>confdefs.h <<_ACEOF
+#define USE_ED25519 1
+_ACEOF
+
fi
;;
esac
*)
if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
AC_CHECK_DECLS([NID_ED25519], [
- AC_DEFINE_UNQUOTED([USE_ED25519], [1], [Define this to enable ED25519 support.])
use_ed25519="yes"
], [ if test "x$enable_ed25519" = "xyes"; then AC_MSG_ERROR([OpenSSL does not support ED25519 and you used --enable-ed25519.])
fi ], [AC_INCLUDES_DEFAULT
#include <openssl/evp.h>
])
fi
+ if test $USE_NETTLE = "yes"; then
+ AC_CHECK_HEADERS([nettle/eddsa.h], use_ed25519="yes",, [AC_INCLUDES_DEFAULT])
+ fi
+ if test $use_ed25519 = "yes"; then
+ AC_DEFINE_UNQUOTED([USE_ED25519], [1], [Define this to enable ED25519 support.])
+ fi
;;
esac
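Review bot: The libnettle branch has no failure action, so an explicit `--enable-ed25519` is silently dropped when `nettle/eddsa.h` is missing: the third argument of `AC_CHECK_HEADERS` is empty, whereas the OpenSSL branch just above stops with `AC_MSG_ERROR`. The resulting binary is built without `USE_ED25519`, and the operator presumably only finds out at run time, when the validator treats that algorithm as unsupported. I would fill the not-found action the same way as the OpenSSL branch: `AC_CHECK_HEADERS([nettle/eddsa.h], use_ed25519="yes", [if test "x$enable_ed25519" = "xyes"; then AC_MSG_ERROR([libnettle does not support ED25519 and you used --enable-ed25519.]) fi], [AC_INCLUDES_DEFAULT])`, and regenerate `configure`. The enclosing `case` starts outside the hunk, so how `use_ed25519` is initialised before the unquoted `test $use_ed25519 = "yes"` is not visible here.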
- remove warning from windows compile.
- Fix compile with libnettle
- Fix DSA configure switch (--disable dsa) for libnettle and libnss.
+ - Fix #1365: Add Ed25519 support using libnettle.
17 July 2017: Wouter
- Fix #1350: make cachedb backend configurable (from JINMEI Tatuya).
struct module_env env;
struct val_env ve;
time_t now = time(NULL);
+ unit_show_func("signature verify", fname);
if(!list)
fatal_exit("could not read %s: %s", fname, strerror(errno));
struct entry* e;
struct entry* list = read_datafile(fname, 1);
struct module_env env;
+ unit_show_func("DS verify", fname);
if(!list)
fatal_exit("could not read %s: %s", fname, strerror(errno));
sldns_buffer* buf = sldns_buffer_new(65535);
struct entry* e;
struct entry* list = read_datafile(fname, 1);
+ unit_show_func("NSEC3 hash", fname);
if(!list)
fatal_exit("could not read %s: %s", fname, strerror(errno));
#include "ecdsa.h"
#include "ecc-curve.h"
#endif
+#ifdef HAVE_NETTLE_EDDSA_H
+#include "eddsa.h"
+#endif
static int
_digest_nettle(int algo, uint8_t* buf, size_t len,
case LDNS_ECDSAP384SHA384:
#endif
return 1;
+#ifdef USE_ED25519
+ case LDNS_ED25519:
+ return 1;
+#endif
case LDNS_RSAMD5: /* RFC 6725 deprecates RSAMD5 */
case LDNS_ECC_GOST:
default:
}
#endif
+#ifdef USE_ED25519
+static char *
+_verify_nettle_ed25519(sldns_buffer* buf, unsigned char* sigblock,
+ unsigned int sigblock_len, unsigned char* key, unsigned int keylen)
+{
+ int res = 0;
+
+ if(sigblock_len != ED25519_SIGNATURE_SIZE) {
+ return "wrong ED25519 signature length";
+ }
+ if(keylen != ED25519_KEY_SIZE) {
+ return "wrong ED25519 key length";
+ }
+
+ res = ed25519_sha512_verify((uint8_t*)key, sldns_buffer_limit(buf),
+ sldns_buffer_begin(buf), sigblock);
+
+ if (!res)
+ return "ED25519 signature verification failed";
+ else
+ return NULL;
+}
+#endif
+
/**
* Check a canonical sig+rrset and signature against a dnskey
* @param buf: buffer with data to verify, the first rrsig part and the
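Review bot: `_verify_nettle_ed25519` has no comment, and the reason its two length checks matter is not obvious from the code: `ed25519_sha512_verify()` takes a length only for the message, so it reads a fixed-size key and signature from whatever pointers it is given. I would add a header comment in the style of the file's other doc blocks that names the parameters and the return convention (NULL on success, otherwise a static reason string), plus a line above the checks such as `/* nettle reads ED25519_KEY_SIZE and ED25519_SIGNATURE_SIZE bytes unconditionally; reject other lengths first */`. The function also returns string literals through `char *`; `const char *` would be more accurate, though it has to match the type of `*reason` at the call site, which this hunk does not show.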
return sec_status_bogus;
else
return sec_status_secure;
+#endif
+#ifdef USE_ED25519
+ case LDNS_ED25519:
+ *reason = _verify_nettle_ed25519(buf, sigblock, sigblock_len,
+ key, keylen);
+ if (*reason != NULL)
+ return sec_status_bogus;
+ else
+ return sec_status_secure;
#endif
case LDNS_RSAMD5:
case LDNS_ECC_GOST: