From: Willem Toorop Date: Mon, 19 Dec 2016 22:24:23 +0000 (+0100) Subject: --enable-gost-anyway compiles with GOST ... X-Git-Tag: release-1.7.0~2^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1bf54867bd8460e22341c0d99a90b5d200b44948;p=thirdparty%2Fldns.git --enable-gost-anyway compiles with GOST ... ... with OpenSSL >= 1.1.0, even when the GOST engine is not available. --- diff --git a/Changelog b/Changelog index 03985662..1c63f3ba 100644 --- a/Changelog +++ b/Changelog @@ -110,6 +110,8 @@ Thanks Michael Weiser * bugfix: Fix detection of DSA support with OpenSSL >= 1.1.0 * bugfix #1160: Provide sha256 for release tarballs + * --enable-gost-anyway compiles GOST support with OpenSSL >= 1.1.0 + even when the GOST engine is not available. 1.6.17 2014-01-10 * Fix ldns_dnssec_zone_new_frm_fp_l to allow the last parsed line of a diff --git a/configure.ac b/configure.ac index 08f05086..b7c6c811 100644 --- a/configure.ac +++ b/configure.ac 
@@ -354,6 +354,103 @@ case "$enable_sha2" in ;; esac +# check wether gost also works +AC_DEFUN([AC_CHECK_GOST_WORKS], +[AC_REQUIRE([AC_PROG_CC]) +AC_MSG_CHECKING([if GOST works]) +if test c${cross_compiling} = cno; then +BAKCFLAGS="$CFLAGS" +if test -n "$ssldir"; then + CFLAGS="$CFLAGS -Wl,-rpath,$ssldir/lib" +fi +AC_RUN_IFELSE([AC_LANG_SOURCE([[ +#include +#include +#include +#include +#include +/* routine to load gost (from sldns) */ +int load_gost_id(void) +{ + static int gost_id = 0; + const EVP_PKEY_ASN1_METHOD* meth; + ENGINE* e; + + if(gost_id) return gost_id; + + /* see if configuration loaded gost implementation from other engine*/ + meth = EVP_PKEY_asn1_find_str(NULL, "gost2001", -1); + if(meth) { + EVP_PKEY_asn1_get0_info(&gost_id, NULL, NULL, NULL, NULL, meth); + return gost_id; + } + + /* see if engine can be loaded already */ + e = ENGINE_by_id("gost"); + if(!e) { + /* load it ourself, in case statically linked */ + ENGINE_load_builtin_engines(); + ENGINE_load_dynamic(); + e = ENGINE_by_id("gost"); + } + if(!e) { + /* no gost engine in openssl */ + return 0; + } + if(!ENGINE_set_default(e, ENGINE_METHOD_ALL)) { + ENGINE_finish(e); + ENGINE_free(e); + return 0; + } + + meth = EVP_PKEY_asn1_find_str(&e, "gost2001", -1); + if(!meth) { + /* algo not found */ + ENGINE_finish(e); + ENGINE_free(e); + return 0; + } + EVP_PKEY_asn1_get0_info(&gost_id, NULL, NULL, NULL, NULL, meth); + return gost_id; +} +int main(void) { + EVP_MD_CTX* ctx; + const EVP_MD* md; + unsigned char digest[64]; /* its a 256-bit digest, so uses 32 bytes */ + const char* str = "Hello world"; + const unsigned char check[] = { + 0x40 , 0xed , 0xf8 , 0x56 , 0x5a , 0xc5 , 0x36 , 0xe1 , + 0x33 , 0x7c , 0x7e , 0x87 , 0x62 , 0x1c , 0x42 , 0xe0 , + 0x17 , 0x1b , 0x5e , 0xce , 0xa8 , 0x46 , 0x65 , 0x4d , + 0x8d , 0x3e , 0x22 , 0x9b , 0xe1 , 0x30 , 0x19 , 0x9d + }; + OPENSSL_config(NULL); + (void)load_gost_id(); + md = EVP_get_digestbyname("md_gost94"); + if(!md) return 1; + memset(digest, 0, 
sizeof(digest)); + ctx = EVP_MD_CTX_create(); + if(!ctx) return 2; + if(!EVP_DigestInit_ex(ctx, md, NULL)) return 3; + if(!EVP_DigestUpdate(ctx, str, 10)) return 4; + if(!EVP_DigestFinal_ex(ctx, digest, NULL)) return 5; + /* uncomment to see the hash calculated. + {int i; + for(i=0; i<32; i++) + printf(" %2.2x", (int)digest[i]); + printf("\n");} + */ + if(memcmp(digest, check, sizeof(check)) != 0) + return 6; + return 0; +} +]])] , [eval "ac_cv_c_gost_works=yes"], [eval "ac_cv_c_gost_works=no"]) +CFLAGS="$BAKCFLAGS" +else +eval "ac_cv_c_gost_works=maybe" +fi +])dnl + AC_ARG_ENABLE(gost, AC_HELP_STRING([--disable-gost], [Disable GOST support])) case "$enable_gost" in no) @@ -365,7 +462,22 @@ case "$enable_gost" in AC_MSG_CHECKING(for GOST) AC_CHECK_FUNC(EVP_PKEY_set_type_str, [],[AC_MSG_ERROR([OpenSSL >= 1.0.0 is needed for GOST support or rerun with --disable-gost])]) AC_CHECK_FUNC(EC_KEY_new, [], [AC_MSG_ERROR([No ECC functions found in OpenSSL: please upgrade OpenSSL or rerun with --disable-gost])]) - AC_DEFINE_UNQUOTED([USE_GOST], [1], [Define this to enable GOST support.]) + AC_CHECK_GOST_WORKS + AC_ARG_ENABLE(gost-anyway, AC_HELP_STRING([--enable-gost-anyway], [Enable GOST even whithout a GOST engine installed])) + if test "$ac_cv_c_gost_works" != "no" -o "$enable_gost_anyway" = "yes"; then + if test "$ac_cv_c_gost_works" = "no"; then + AC_MSG_RESULT([no, but compiling with GOST support anyway]) + else + AC_MSG_RESULT([yes]) + fi + use_gost="yes" + AC_DEFINE([USE_GOST], [1], [Define this to enable GOST support.]) + else + AC_MSG_RESULT([no]) + AC_MSG_WARN([Gost support does not work because the engine is missing.]) + AC_MSG_WARN([Install gost-engine first or use the --enable-gost-anyway to compile with GOST support anyway]) + AC_MSG_WARN([See also https://github.com/gost-engine/engine/wiki for information about gost-engine]) + fi ;; esac
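Review bot: The failure branch of `AC_RUN_IFELSE` in `AC_CHECK_GOST_WORKS` sets `ac_cv_c_gost_works=no` for every kind of failure, so a probe that does not compile or link is indistinguishable from one where the GOST engine is really absent. The probe calls `OPENSSL_config`, `ENGINE_load_dynamic` and `EVP_MD_CTX_create`, which OpenSSL 1.1.0 keeps only as deprecated compatibility names, so against a library built without deprecated APIs it would presumably fail at compile time and the later hunk would still warn that "the engine is missing". The distinct exit codes 1 to 6 returned by `main` are discarded as well. I would add a comment above the macro, `# result is "no" on compile, link or run failure; see config.log for the probe's exit status`, and reword the warning in the later hunk to say that the GOST self-test failed rather than naming one cause. The header names on the `#include` lines are not visible on this page, so this note does not cover them.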
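Review bot: When cross-compiling, `AC_CHECK_GOST_WORKS` leaves `ac_cv_c_gost_works=maybe`, and the new `if test "$ac_cv_c_gost_works" != "no" -o "$enable_gost_anyway" = "yes"` branch then prints `yes` and defines `USE_GOST` although no self-test was run. Report that case as what it is, for example with `elif test "$ac_cv_c_gost_works" = "maybe"; then` followed by `AC_MSG_RESULT([unknown (cross-compiling), assuming yes])`, so the builder knows GOST was not verified for the target. The `--enable-gost-anyway` help string could also say that the resulting build presumably still needs a GOST engine at run time before GOST operations succeed; that is inferred from the commit description, not from code visible here. Two style points: the help string spells "whithout", and `test ... -o ...` is less portable than two `test` commands joined with `||`.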