From: Kees Monshouwer Date: Wed, 11 May 2016 14:09:20 +0000 (+0200) Subject: disable algorithm 13 and 14 in the opensslsigner if OpenSSL does not support ecdsa... X-Git-Tag: auth-4.0.0-beta1~17^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=de4e1d0db1a5e7a2f4894aebf14517cea421cf6b;p=thirdparty%2Fpdns.git disable algorithm 13 and 14 in the opensslsigner if OpenSSL does not support ecdsa or the required curves
---
diff --git a/configure.ac b/configure.ac
index 3920a42639..5e41bee834 100644
--- a/configure.ac
+++ b/configure.ac
@@ -346,6 +346,10 @@ AC_MSG_NOTICE([LIBS: $LIBS])
 AC_MSG_NOTICE([])
 AC_MSG_NOTICE([BOOST_CPPFLAGS: $BOOST_CPPFLAGS])
 AC_MSG_NOTICE([])
+AS_IF([test "x$openssl_ecdsa" == "xyes"],
+ [AC_MSG_NOTICE([OpenSSL ecdsa support: yes])],
+ [AC_MSG_NOTICE([OpenSSL ecdsa support: no])]
+)
 AS_IF([test "x$needsqlite3" != "x"],
 [AC_MSG_NOTICE([SQLite3 support: yes])],
 [AC_MSG_NOTICE([SQLite3 support: no])]
diff --git a/m4/ax_check_openssl.m4 b/m4/ax_check_openssl.m4
index 6bbfde856a..12207f9ff2 100644
--- a/m4/ax_check_openssl.m4
+++ b/m4/ax_check_openssl.m4
@@ -109,6 +109,18 @@ AC_DEFUN([AX_CHECK_OPENSSL], [
 [AC_LANG_PROGRAM([#include ], [CRYPTO_free(NULL)])],
 [
 AC_MSG_RESULT([yes])
+ openssl_ecdsa=yes
+ AC_CHECK_FUNC(ECDSA_do_sign,
+ [
+ AC_CHECK_DECLS([NID_X9_62_prime256v1, NID_secp384r1], [ : ], [ openssl_ecdsa=no ], [AC_INCLUDES_DEFAULT
+#include
+ ])
+ ], [
+ openssl_ecdsa=no
+ ])
+ AS_IF([test "x$openssl_ecdsa" = "xyes"], [
+ AC_DEFINE([OPENSSL_USE_ECDSA], [1], [define to 1 if OpenSSL ecdsa support is avalable.])
+ ])
 $1
 ], [
 AC_MSG_RESULT([no])
diff --git a/pdns/opensslsigners.cc b/pdns/opensslsigners.cc
index 8c37dd7051..c420c43a77 100644
--- a/pdns/opensslsigners.cc
+++ b/pdns/opensslsigners.cc
@@ -2,7 +2,9 @@
 #include "config.h"
 #endif
 #include
+#ifdef OPENSSL_USE_ECDSA
 #include
+#endif
 #include
 #include
 #include
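Review bot: In configure.ac the added `AS_IF([test "x$openssl_ecdsa" == "xyes"],` compares with `==`, which POSIX `test` does not define; under a /bin/sh that rejects it the condition fails and the summary prints "OpenSSL ecdsa support: no" even when the macro set `openssl_ecdsa=yes`. The m4 hunk of this same commit already uses the portable operator, so this line should read `AS_IF([test "x$openssl_ecdsa" = "xyes"],`. This notice is the only build-time signal that algorithms 13 and 14 were compiled out, so a wrong value here misleads whoever audits the build log.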
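Review bot: In m4/ax_check_openssl.m4 the `AC_DEFINE` description misspells "available" as `avalable`, and that string is what ends up next to the macro in the generated config header template; it should read `[define to 1 if OpenSSL ecdsa support is available.]`. Separately, `AC_CHECK_FUNC(ECDSA_do_sign, ...)` links against whatever `LIBS` holds at this point in `AX_CHECK_OPENSSL`. The part of the macro that sets it is outside the hunk, so it is worth confirming the OpenSSL libraries are in `LIBS` here, because a false negative silently drops ECDSA. A one-line comment above `openssl_ecdsa=yes` saying that the flag requires `ECDSA_do_sign` plus both curve NIDs would record the intent.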
@@ -416,6 +418,7 @@ void OpenSSLRSADNSCryptoKeyEngine::fromPublicKeyString(const std::string& input) d_key = key; } +#ifdef OPENSSL_USE_ECDSA class OpenSSLECDSADNSCryptoKeyEngine : public DNSCryptoKeyEngine { public: @@ -716,6 +719,7 @@ void OpenSSLECDSADNSCryptoKeyEngine::fromPublicKeyString(const std::string& inpu EC_POINT_free(pub_key); } +#endif namespace { @@ -727,8 +731,10 @@ namespace { DNSCryptoKeyEngine::report(7, &OpenSSLRSADNSCryptoKeyEngine::maker); DNSCryptoKeyEngine::report(8, &OpenSSLRSADNSCryptoKeyEngine::maker); DNSCryptoKeyEngine::report(10, &OpenSSLRSADNSCryptoKeyEngine::maker); +#ifdef OPENSSL_USE_ECDSA DNSCryptoKeyEngine::report(13, &OpenSSLECDSADNSCryptoKeyEngine::maker); DNSCryptoKeyEngine::report(14, &OpenSSLECDSADNSCryptoKeyEngine::maker); +#endif } } loaderOpenSSL; }
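Review bot: The `#ifdef OPENSSL_USE_ECDSA` added before `class OpenSSLECDSADNSCryptoKeyEngine` is closed by a bare `#endif` about three hundred lines later (the hunk at new line 719), so a reader at the closing end cannot tell what is being guarded. Label the closers as `#endif /* OPENSSL_USE_ECDSA */`, both there and on the guard around the two `report` calls in the last hunk. The class body lies between the hunks and is not shown, so this is a readability point only.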
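Review bot: With `OPENSSL_USE_ECDSA` undefined, the guarded `report(13, ...)` and `report(14, ...)` calls in the last hunk disappear and nothing else visible in this file registers those algorithms; whether another signer backend does is not shown in this diff. For an operator this means ECDSA keys cannot be used through this engine, and the only signal is one line in the configure summary. I would document that at the guard with a comment such as `// 13 = ECDSA P-256/SHA-256, 14 = ECDSA P-384/SHA-384; registered only when configure found ECDSA_do_sign and both curve NIDs`. The enclosing loader constructor starts outside the hunk.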