From: W.C.A. Wijngaards
Date: Wed, 12 Feb 2020 10:15:24 +0000 (+0100)
Subject: - Fix with libnettle make test with dsa disabled.
X-Git-Tag: release-1.10.0rc1~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2916cfb3b04d90b7d17e11cf6d02cff86c313017;p=thirdparty%2Funbound.git
- Fix with libnettle make test with dsa disabled.
---
diff --git a/doc/Changelog b/doc/Changelog
index b4e9cb772..28e876873 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,6 @@
+12 February 2020: Wouter
+ - Fix with libnettle make test with dsa disabled.
+
 10 February 2020: George
 - Document 'ub_result.was_ratelimited' in libunbound.
 - Fix use after free on log-identity after a reload; Fixes #163.
diff --git a/util/configparser.c b/util/configparser.c
index 84312f0d3..69ee1cc1c 100644
--- a/util/configparser.c
+++ b/util/configparser.c
@@ -4582,7 +4582,7 @@ yyreduce:
 OUTYY(("P(server_fake_dsa:%s)\n", (yyvsp[0].str)));
 if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
 yyerror("expected yes or no.");
-#ifdef HAVE_SSL
+#if defined(HAVE_SSL) || defined(HAVE_NETTLE)
 else fake_dsa = (strcmp((yyvsp[0].str), "yes")==0);
 if(fake_dsa) log_warn("test option fake_dsa is enabled");
@@ -4598,7 +4598,7 @@ yyreduce:
 OUTYY(("P(server_fake_sha1:%s)\n", (yyvsp[0].str)));
 if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
 yyerror("expected yes or no.");
-#ifdef HAVE_SSL
+#if defined(HAVE_SSL) || defined(HAVE_NETTLE)
 else fake_sha1 = (strcmp((yyvsp[0].str), "yes")==0);
 if(fake_sha1) log_warn("test option fake_sha1 is enabled");
diff --git a/util/configparser.y b/util/configparser.y
index d471babe6..798f4a972 100644
--- a/util/configparser.y
+++ b/util/configparser.y
@@ -1782,7 +1782,7 @@ server_fake_dsa: VAR_FAKE_DSA STRING_ARG
 OUTYY(("P(server_fake_dsa:%s)\n", $2));
 if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
 yyerror("expected yes or no.");
-#ifdef HAVE_SSL
+#if defined(HAVE_SSL) || defined(HAVE_NETTLE)
 else fake_dsa = (strcmp($2, "yes")==0);
 if(fake_dsa) log_warn("test option fake_dsa is enabled");
@@ -1795,7 +1795,7 @@ server_fake_sha1: VAR_FAKE_SHA1 STRING_ARG
 OUTYY(("P(server_fake_sha1:%s)\n", $2));
 if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
 yyerror("expected yes or no.");
-#ifdef HAVE_SSL
+#if defined(HAVE_SSL) || defined(HAVE_NETTLE)
 else fake_sha1 = (strcmp($2, "yes")==0);
 if(fake_sha1) log_warn("test option fake_sha1 is enabled");
diff --git a/validator/val_secalgo.c b/validator/val_secalgo.c
index 5e02f6bdb..8f17c53e8 100644
--- a/validator/val_secalgo.c
+++ b/validator/val_secalgo.c
@@ -54,6 +54,11 @@
 #error "Need crypto library to do digital signature cryptography"
 #endif
 
+/** fake DSA support for unit tests */
+int fake_dsa = 0;
+/** fake SHA1 support for unit tests */
+int fake_sha1 = 0;
+
 /* OpenSSL implementation */
 #ifdef HAVE_SSL
 #ifdef HAVE_OPENSSL_ERR_H
@@ -72,11 +77,6 @@
 #include
 #endif
 
-/** fake DSA support for unit tests */
-int fake_dsa = 0;
-/** fake SHA1 support for unit tests */
-int fake_sha1 = 0;
-
 /**
 * Output a libcrypto openssl error to the logfile.
 * @param str: string to add to it.
@@ -1509,13 +1509,21 @@ dnskey_algo_id_is_supported(int id)
 {
 /* uses libnettle */
 switch(id) {
-#if defined(USE_DSA) && defined(USE_SHA1)
 case LDNS_DSA:
 case LDNS_DSA_NSEC3:
+#if defined(USE_DSA) && defined(USE_SHA1)
+ return 1;
+#else
+ if(fake_dsa || fake_sha1) return 1;
+ return 0;
 #endif
-#ifdef USE_SHA1
 case LDNS_RSASHA1:
 case LDNS_RSASHA1_NSEC3:
+#ifdef USE_SHA1
+ return 1;
+#else
+ if(fake_sha1) return 1;
+ return 0;
 #endif
 #ifdef USE_SHA2
 case LDNS_RSASHA256:
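Review bot: With neither HAVE_SSL nor HAVE_NETTLE defined, `fake-dsa: yes` is still accepted by the `server_fake_dsa` action and then silently does nothing, because both the `else` assignment and the `log_warn` sit inside the widened guard, so a test-only option that switches off signature verification leaves no trace in the log on such a build. The same applies to the `server_fake_sha1` action in the next hunk (`@@ -1795`). Since this commit moves the `fake_dsa`/`fake_sha1` definitions in val_secalgo.c ahead of the backend-specific sections, the guard appears no longer needed to make the assignment link; if it is kept to limit the option to backends that honour it, an `#else` branch with `log_warn("test option fake_dsa has no effect with this crypto library");` would make the ignored option visible. Both rule actions continue outside their hunks (the closing `#endif` and `}` are not shown). The two hunks in util/configparser.c are the generated copy of this change.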
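Review bot: The new `#else` branches make dnskey_algo_id_is_supported() report DSA and RSA/SHA1 as supported on a libnettle build that has them compiled out, purely because a test flag is set, and nothing at the site says so, so a reader will take the `return 1` for real support. A comment above the first `#else`, `/* test-only: fake_dsa/fake_sha1 claim support so verify_canonrrset() can fake-accept these signatures */`, would make the intent explicit and tie it to the matching shortcut this commit adds to verify_canonrrset(). The `return 0` in each `#else` also replaces the old behaviour where these ids had no case label and fell to the switch's `default:` arm, which presumably returned 0 as well; worth confirming, since the rest of the switch is outside the hunk.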
@@ -1820,6 +1828,15 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
 return sec_status_bogus;
 }
 
+#ifndef USE_DSA
+ if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) &&(fake_dsa||fake_sha1))
+ return sec_status_secure;
+#endif
+#ifndef USE_SHA1
+ if(fake_sha1 && (algo == LDNS_DSA || algo == LDNS_DSA_NSEC3 || algo == LDNS_RSASHA1 || algo == LDNS_RSASHA1_NSEC3))
+ return sec_status_secure;
+#endif
+
 switch(algo) {
 #if defined(USE_DSA) && defined(USE_SHA1)
 case LDNS_DSA:
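Review bot: The first shortcut is guarded by `#ifndef USE_DSA`, but the support check in dnskey_algo_id_is_supported() (earlier in this commit) and the `case LDNS_DSA:` arm of the `switch(algo)` just below both key on `defined(USE_DSA) && defined(USE_SHA1)`; in a build with USE_DSA but not USE_SHA1 and only `fake_dsa` set, the id is reported as supported while this function neither takes a fake path nor has a DSA case in the switch (what its default arm does is outside the hunk), so the two disagree. Matching the condition, `#if !(defined(USE_DSA) && defined(USE_SHA1))`, keeps the fake path and the real path complementary the way the `#if/#else` in the support check is. Whether that combination is actually configurable I cannot tell from the diff. Either way both early returns hand back `sec_status_secure` without reading `sigblock`, so a one-line comment such as `/* test-only: fake_dsa/fake_sha1 accept the signature unverified; set via fake-dsa/fake-sha1 in configparser.y */` above the first `#ifndef` would keep the bypass from being mistaken for a verification path. verify_canonrrset() continues on both sides of the hunk.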