From: Willem Toorop Date: Tue, 15 Jan 2013 12:37:54 +0000 (+0000) Subject: Add --disable-dane option to configure and check availability of the for dane needed... X-Git-Tag: release-1.6.17rc1~146 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9e88b78595c6febf5f4778124553fb400354c7ef;p=thirdparty%2Fldns.git Add --disable-dane option to configure and check availability of the for dane needed X509_check_ca function in openssl. --- diff --git a/Changelog b/Changelog index 647c3644..b91cc9cb 100644 --- a/Changelog +++ b/Changelog @@ -1,8 +1,9 @@ 1.6.17 + * Add --disable-dane option to configure and check availability of the + for dane needed X509_check_ca function in openssl. * Fix ldns_dnssec_zone_new_frm_fp_l to allow the last parsed line of a zone to be an NSEC3 (or its RRSIG) covering an empty non terminal. - 1.6.16 2012-11-13 * Fix Makefile to build pyldns with BSD make * Fix typo in exporting b32_* symbols to make pyldns load again diff --git a/configure.ac b/configure.ac index 078f7982..ef031ea9 100644 --- a/configure.ac +++ b/configure.ac @@ -320,6 +320,21 @@ case "$enable_ecdsa" in ;; esac +AC_ARG_ENABLE(dane, AC_HELP_STRING([--disable-dane], [Disable DANE support])) +case "$enable_dane" in + no) + AC_SUBST(ldns_build_config_use_dane, 0) + ;; + *) dnl default + if test "x$HAVE_SSL" != "xyes"; then + AC_MSG_ERROR([DANE enabled, but no SSL support]) + fi + AC_CHECK_FUNC(X509_check_ca, [], [AC_MSG_ERROR([OpenSSL does not support DANE: please upgrade OpenSSL or rerun with --disable-dane])]) + AC_DEFINE_UNQUOTED([USE_DANE], [1], [Define this to enable DANE support.]) + AC_SUBST(ldns_build_config_use_dane, 1) + ;; +esac + AC_SUBST(LIBSSL_CPPFLAGS) AC_SUBST(LIBSSL_LDFLAGS) AC_SUBST(LIBSSL_LIBS) diff --git a/dane.c b/dane.c index 5e589a78..675dfa8b 100644 --- a/dane.c +++ b/dane.c @@ -8,6 +8,7 @@ */ #include +#ifdef USE_DANE #include #include 
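Review bot: The default `*)` branch of the new `case "$enable_dane"` also covers the case where the user never mentioned DANE, so a plain `./configure --without-ssl` now dies with `AC_MSG_ERROR([DANE enabled, but no SSL support])` unless `--disable-dane` is added as well; both new blocks in examples/configure.ac have the same shape. If SSL-less builds are meant to keep working, only fail when `$enable_dane` is literally `yes` and otherwise fall through to `AC_SUBST(ldns_build_config_use_dane, 0)` when `$HAVE_SSL` is not `yes`; if the hard error is intended, the `AC_HELP_STRING` should say that DANE is on by default and requires SSL. Note also that `AC_CHECK_FUNC(X509_check_ca, ...)` links a test program against the current `$LIBS`, so its verdict is only meaningful if the OpenSSL libraries are already in `LIBS` at this point, which the preceding ECDSA check (outside the hunk) presumably already relies on.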
@@ -744,3 +745,4 @@ ldns_dane_verify(ldns_rr_list* tlsas, return s; } #endif /* HAVE_SSL */ +#endif /* USE_DANE */ diff --git a/examples/configure.ac b/examples/configure.ac index 8bf48656..adc55692 100644 --- a/examples/configure.ac +++ b/examples/configure.ac 
@@ -176,18 +176,34 @@ case "$enable_gost" in ;; esac -AC_ARG_ENABLE(ecdsa, AC_HELP_STRING([--enable-ecdsa], [Enable ECDSA support, experimental])) +AC_ARG_ENABLE(ecdsa, AC_HELP_STRING([--disable-ecdsa], [Disable ECDSA support])) case "$enable_ecdsa" in - yes) - AC_CHECK_FUNC(ECDSA_sign,,[AC_MSG_ERROR([OpenSSL does not support ECDSA])]) - AC_DEFINE_UNQUOTED([USE_ECDSA], [1], [Define this to enable ECDSA support.]) - AC_WARN([ - ***************************************************************** - *** YOU HAVE ENABLED ECDSA WHICH IS EXPERIMENTAL AT THIS TIME *** - *** PLEASE DO NOT USE THIS ON THE PUBLIC INTERNET *** - *****************************************************************]) + no) + ;; + *) dnl default + if test "x$HAVE_SSL" != "xyes"; then + AC_MSG_ERROR([ECDSA enabled, but no SSL support]) + fi + AC_CHECK_FUNC(ECDSA_sign, [], [AC_MSG_ERROR([OpenSSL does not support ECDSA: please upgrade OpenSSL or rerun with --disable-ecdsa])]) + AC_CHECK_FUNC(SHA384_Init, [], [AC_MSG_ERROR([OpenSSL does not support SHA384: please upgrade OpenSSL or rerun with --disable-ecdsa])]) + AC_CHECK_DECLS([NID_X9_62_prime256v1, NID_secp384r1], [], [AC_MSG_ERROR([OpenSSL does not support the ECDSA curves: please upgrade OpenSSL or rerun with --disable-ecdsa])], [AC_INCLUDES_DEFAULT +#include + ]) + # we now know we have ECDSA and the required curves. + AC_DEFINE_UNQUOTED([USE_ECDSA], [1], [Define this to enable ECDSA support.]) + ;; +esac + +AC_ARG_ENABLE(dane, AC_HELP_STRING([--disable-dane], [Disable DANE support])) +case "$enable_dane" in + no) ;; - no|*) + *) dnl default + if test "x$HAVE_SSL" != "xyes"; then + AC_MSG_ERROR([DANE enabled, but no SSL support]) + fi + AC_CHECK_FUNC(X509_check_ca, [], [AC_MSG_ERROR([OpenSSL does not support DANE: please upgrade OpenSSL or rerun with --disable-dane])]) + AC_DEFINE_UNQUOTED([USE_DANE], [1], [Define this to enable DANE support.]) ;; esac diff --git a/examples/ldns-dane.c b/examples/ldns-dane.c index 3ae35881..250d4b2b 100644 
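Review bot: The examples tree decides DANE support on its own, from `AC_CHECK_FUNC(X509_check_ca, ...)` and its own `USE_DANE`, while the library header ldns/dane.h is gated by `LDNS_BUILD_CONFIG_USE_DANE` from the installed common.h; a library configured with `--disable-dane` combined with an examples configure run without that flag therefore leaves `USE_DANE` defined in ldns-dane.c but no `ldns_dane_*` prototypes to compile against. Unless the top-level configure forwards its arguments to this one (not visible here), the check should follow the library rather than OpenSSL, for example `AC_CHECK_DECL([ldns_dane_verify], [], [AC_MSG_ERROR([ldns was built without DANE support: rerun with --disable-dane])], [#include <ldns/ldns.h>])` placed after the ldns headers have been located. The `+#include` line inside the new `AC_CHECK_DECLS` call has lost its header name in this rendering, so the intended OpenSSL header cannot be confirmed from the hunk.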
--- a/examples/ldns-dane.c +++ b/examples/ldns-dane.c @@ -22,6 +22,7 @@ #include +#ifdef USE_DANE #ifdef HAVE_SSL #include #include @@ -1710,7 +1711,7 @@ main(int argc, char* const* argv) exit(EXIT_FAILURE); } } -#else +#else /* HAVE_SSL */ int main(int argc, char **argv) @@ -1720,3 +1721,15 @@ main(int argc, char **argv) return 1; } #endif /* HAVE_SSL */ + +#else /* USE_DANE */ + +int +main(int argc, char **argv) +{ + fprintf(stderr, "dane support was disabled with this build of ldns, " + "and has not been compiled in\n"); + return 1; +} + +#endif /* USE_DANE */ diff --git a/ldns/common.h.in b/ldns/common.h.in index aedfc96d..b3614f18 100644 --- a/ldns/common.h.in +++ b/ldns/common.h.in @@ -24,6 +24,7 @@ #define LDNS_BUILD_CONFIG_HAVE_ATTR_FORMAT @ldns_build_config_have_attr_format@ #define LDNS_BUILD_CONFIG_HAVE_ATTR_UNUSED @ldns_build_config_have_attr_unused@ #define LDNS_BUILD_CONFIG_HAVE_SOCKLEN_T @ldns_build_config_have_socklen_t@ +#define LDNS_BUILD_CONFIG_USE_DANE @ldns_build_config_use_dane@ /* * HAVE_STDBOOL_H is not available when distributed as a library, but no build diff --git a/ldns/dane.h b/ldns/dane.h index c1c4e2d7..6adecd57 100644 --- a/ldns/dane.h +++ b/ldns/dane.h @@ -22,6 +22,7 @@ #ifndef LDNS_DANE_H #define LDNS_DANE_H +#if LDNS_BUILD_CONFIG_USE_DANE #include #include @@ -240,5 +241,6 @@ ldns_status ldns_dane_verify(ldns_rr_list* tlsas, } #endif +#endif /* LDNS_BUILD_CONFIG_USE_DANE */ #endif /* LDNS_DANE_H */
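Review bot: The fallback `main` added in the `#else /* USE_DANE */` branch never reads `argc` or `argv`, so it triggers `-Wunused-parameter` wherever the tree builds with that warning; `(void)argc; (void)argv;` as the first statement of the body keeps the signature and silences it, and the HAVE_SSL-less `main` just above (which starts outside this hunk) presumably wants the same treatment. The diagnostic could also tell the user how to get the feature back, e.g. `"dane support was disabled with this build of ldns, and has not been compiled in; rerun configure without --disable-dane\n"`.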
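Review bot: In ldns/dane.h the new `#if LDNS_BUILD_CONFIG_USE_DANE` is evaluated before this header includes anything, so a consumer that includes `<ldns/dane.h>` directly, without `<ldns/ldns.h>` or `<ldns/common.h>` first, sees the macro as undefined (hence 0) and silently loses every `ldns_dane_*` prototype; on compilers that still accept implicit declarations a call to `ldns_dane_verify` then compiles with a guessed signature, which is a poor failure mode for a verification API. Unless an include above line 22 already pulls in common.h (outside the hunk), add `#include <ldns/common.h>` right after `#define LDNS_DANE_H` and before the `#if`, and keep the closing `#endif /* LDNS_BUILD_CONFIG_USE_DANE */` paired with it as the hunk at line 241 does.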