From: Wouter Wijngaards <wouter@NLnetLabs.nl>
Date: Fri, 13 Apr 2012 16:17:05 +0000 (+0000)
Subject: * New ECDSA support (RFC 6605), use --disable-ecdsa for older openssl.
X-Git-Tag: release-1.6.13rc1~14
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f6191fe9164fa2f42d9d463ed9241ca6650716e1;p=thirdparty%2Fldns.git

* New ECDSA support (RFC 6605), use --disable-ecdsa for older openssl.
---

diff --git a/Changelog b/Changelog
index 5a2f0642..3af325e7 100644
--- a/Changelog
+++ b/Changelog
@@ -16,6 +16,7 @@
 	* Fix reading \DDD: Error on values that are outside range (>255).
 	* bugfix #429: fix doxyparse.pl fails on NetBSD because specified
 	  path to perl.
+	* New ECDSA support (RFC 6605), use --disable-ecdsa for older openssl.
 
 1.6.12
 	* bugfix #413: Fix manpage source for srcdir != builddir
diff --git a/configure.ac b/configure.ac
index 0285c4fd..af24f44b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -297,26 +297,21 @@ case "$enable_gost" in
         ;;
 esac
 
-AC_ARG_ENABLE(ecdsa, AC_HELP_STRING([--enable-ecdsa], [Enable ECDSA support, experimental]))
+AC_ARG_ENABLE(ecdsa, AC_HELP_STRING([--enable-ecdsa], [Enable ECDSA support]))
 case "$enable_ecdsa" in
-    yes)
+    no)
+      ;;
+    *) dnl default
       if test "x$HAVE_SSL" != "xyes"; then
         AC_MSG_ERROR([ECDSA enabled, but no SSL support])
       fi
-      AC_CHECK_FUNC(ECDSA_sign, [], [AC_MSG_ERROR([OpenSSL does not support ECDSA])])
-      AC_CHECK_FUNC(SHA384_Init, [], [AC_MSG_ERROR([OpenSSL does not support SHA384])])
-      AC_CHECK_DECLS([NID_X9_62_prime256v1, NID_secp384r1], [], [AC_MSG_ERROR([OpenSSL does not support the ECDSA curves])], [AC_INCLUDES_DEFAULT
+      AC_CHECK_FUNC(ECDSA_sign, [], [AC_MSG_ERROR([OpenSSL does not support ECDSA: please upgrade OpenSSL or rerun with --disable-ecdsa])])
+      AC_CHECK_FUNC(SHA384_Init, [], [AC_MSG_ERROR([OpenSSL does not support SHA384: please upgrade OpenSSL or rerun with --disable-ecdsa])])
+      AC_CHECK_DECLS([NID_X9_62_prime256v1, NID_secp384r1], [], [AC_MSG_ERROR([OpenSSL does not support the ECDSA curves: please upgrade OpenSSL or rerun with --disable-ecdsa])], [AC_INCLUDES_DEFAULT
 #include <openssl/evp.h>
       ])
       # we now know we have ECDSA and the required curves.
       AC_DEFINE_UNQUOTED([USE_ECDSA], [1], [Define this to enable ECDSA support.])
-      AC_SUBST(ldns_build_config_use_ecdsa, 1)
-      ;;
-    no)
-      AC_SUBST(ldns_build_config_use_ecdsa, 0)
-      ;;
-    *)
-      AC_SUBST(ldns_build_config_use_ecdsa, 0)
       ;;
 esac
 
diff --git a/dnssec.c b/dnssec.c
index 6d75c677..c6e93211 100644
--- a/dnssec.c
+++ b/dnssec.c
@@ -532,17 +532,18 @@ ldns_key_rr2ds(const ldns_rr *key, ldns_hash h)
 		ldns_rr_free(ds);
 		return NULL;
 #endif
-#ifdef USE_ECDSA
-		/* Make similar ``not implemented'' construct as above when 
-		   draft-hoffman-dnssec-ecdsa-04 becomes a standard
-		 */
 	case LDNS_SHA384:
+#ifdef USE_ECDSA
 		digest = LDNS_XMALLOC(uint8_t, SHA384_DIGEST_LENGTH);
 		if (!digest) {
 			ldns_rr_free(ds);
 			return NULL;
 		}
                 break;
+#else
+		/* not implemented */
+		ldns_rr_free(ds);
+		return NULL;
 #endif
 	}
 
@@ -635,8 +636,8 @@ ldns_key_rr2ds(const ldns_rr *key, ldns_hash h)
 		ldns_rr_push_rdf(ds, tmp);
 #endif
 		break;
-#ifdef USE_ECDSA
 	case LDNS_SHA384:
+#ifdef USE_ECDSA
 		(void) SHA384((unsigned char *) ldns_buffer_begin(data_buf),
 		                 (unsigned int) ldns_buffer_position(data_buf),
 		                 (unsigned char *) digest);
@@ -644,8 +645,8 @@ ldns_key_rr2ds(const ldns_rr *key, ldns_hash h)
 		                            SHA384_DIGEST_LENGTH,
 		                            digest);
 		ldns_rr_push_rdf(ds, tmp);
-		break;
 #endif
+		break;
 	}
 
 	LDNS_FREE(digest);
diff --git a/keys.c b/keys.c
index 706f7f2c..00ab1402 100644
--- a/keys.c
+++ b/keys.c
@@ -388,14 +388,22 @@ ldns_key_new_frm_fp_l(ldns_key **key, FILE *fp, int *line_nr)
 		fprintf(stderr, "version of ldns, use --enable-gost\n");
 #endif
 	}
-#ifdef USE_ECDSA
 	if (strncmp(d, "13 ECDSAP256SHA256", 3) == 0) {
+#ifdef USE_ECDSA
                 alg = LDNS_SIGN_ECDSAP256SHA256;
+#else
+		fprintf(stderr, "Warning: ECDSA not compiled into this ");
+		fprintf(stderr, "version of ldns, use --enable-ecdsa\n");
+#endif
         }
 	if (strncmp(d, "14 ECDSAP384SHA384", 3) == 0) {
+#ifdef USE_ECDSA
                 alg = LDNS_SIGN_ECDSAP384SHA384;
-        }
+#else
+		fprintf(stderr, "Warning: ECDSA not compiled into this ");
+		fprintf(stderr, "version of ldns, use --enable-ecdsa\n");
 #endif
+        }
 	if (strncmp(d, "157 HMAC-MD5", 4) == 0) {
 		alg = LDNS_SIGN_HMACMD5;
 	}
diff --git a/ldns/common.h.in b/ldns/common.h.in
index 98470eea..5d625475 100644
--- a/ldns/common.h.in
+++ b/ldns/common.h.in
@@ -20,7 +20,6 @@
  * as detected and determined by the auto configure script.
  */
 #define LDNS_BUILD_CONFIG_HAVE_SSL         @ldns_build_config_have_ssl@
-#define LDNS_BUILD_CONFIG_USE_ECDSA        @ldns_build_config_use_ecdsa@
 #define LDNS_BUILD_CONFIG_HAVE_INTTYPES_H  @ldns_build_config_have_inttypes_h@
 #define LDNS_BUILD_CONFIG_HAVE_ATTR_FORMAT @ldns_build_config_have_attr_format@
 #define LDNS_BUILD_CONFIG_HAVE_ATTR_UNUSED @ldns_build_config_have_attr_unused@
diff --git a/ldns/keys.h b/ldns/keys.h
index ad3ff25b..c4bf5369 100644
--- a/ldns/keys.h
+++ b/ldns/keys.h
@@ -54,12 +54,8 @@ enum ldns_enum_algorithm
         LDNS_RSASHA256          = 8,   /* RFC 5702 */
         LDNS_RSASHA512          = 10,  /* RFC 5702 */
         LDNS_ECC_GOST           = 12,  /* RFC 5933 */
-#if LDNS_BUILD_CONFIG_USE_ECDSA
-	/* this ifdef has to be removed once it is no longer experimental,
-	 * to be able to use these values outside of the ldns library itself */
-        LDNS_ECDSAP256SHA256    = 13,  /* draft-hoffman-dnssec-ecdsa */
-        LDNS_ECDSAP384SHA384    = 14,  /* EXPERIMENTAL */
-#endif
+        LDNS_ECDSAP256SHA256    = 13,  /* RFC 6605 */
+        LDNS_ECDSAP384SHA384    = 14,  /* RFC 6605 */
         LDNS_INDIRECT           = 252,
         LDNS_PRIVATEDNS         = 253,
         LDNS_PRIVATEOID         = 254
@@ -73,12 +69,8 @@ enum ldns_enum_hash
 {
         LDNS_SHA1               = 1,  /* RFC 4034 */
         LDNS_SHA256             = 2,  /* RFC 4509 */
-        LDNS_HASH_GOST          = 3   /* RFC 5933 */
-#if LDNS_BUILD_CONFIG_USE_ECDSA
-	/* this ifdef has to be removed once it is no longer experimental,
-	 * to be able to use these values outside of the ldns library itself */
-        ,LDNS_SHA384             = 4   /* draft-hoffman-dnssec-ecdsa EXPERIMENTAL */
-#endif
+        LDNS_HASH_GOST          = 3,  /* RFC 5933 */
+        LDNS_SHA384             = 4   /* RFC 6605 */
 };
 typedef enum ldns_enum_hash ldns_hash;
 
@@ -95,12 +87,8 @@ enum ldns_enum_signing_algorithm
 	LDNS_SIGN_RSASHA512	 = LDNS_RSASHA512,
 	LDNS_SIGN_DSA_NSEC3	 = LDNS_DSA_NSEC3,
 	LDNS_SIGN_ECC_GOST       = LDNS_ECC_GOST,
-#if LDNS_BUILD_CONFIG_USE_ECDSA
-	/* this ifdef has to be removed once it is no longer experimental,
-	 * to be able to use these values outside of the ldns library itself */
         LDNS_SIGN_ECDSAP256SHA256 = LDNS_ECDSAP256SHA256,
         LDNS_SIGN_ECDSAP384SHA384 = LDNS_ECDSAP384SHA384,
-#endif
 	LDNS_SIGN_HMACMD5	 = 157,	/* not official! This type is for TSIG, not DNSSEC */
 	LDNS_SIGN_HMACSHA1	 = 158,	/* not official! This type is for TSIG, not DNSSEC */
 	LDNS_SIGN_HMACSHA256 = 159  /* ditto */