From b966231ea08adbf4d5fbdd13e3347e20958862c5 Mon Sep 17 00:00:00 2001
From: Willem Toorop
Date: Thu, 18 Nov 2021 15:16:00 +0000
Subject: [PATCH] pass USE_DSA to public facing header files

---
 configure.ac | 5 ++++-
 ldns/common.h.in | 1 +
 ldns/keys.h | 54 ++++++++++++++++++------------------------------
 3 files changed, 25 insertions(+), 35 deletions(-)

diff --git a/configure.ac b/configure.ac
index 9bd51319..a8efe399 100644
--- a/configure.ac
+++ b/configure.ac
@@ -562,13 +562,16 @@ esac
 AC_ARG_ENABLE(dsa, AC_HELP_STRING([--disable-dsa], [Disable DSA support]))
 case "$enable_dsa" in
 no)
+ AC_SUBST(ldns_build_config_use_dsa, 0)
 ;;
 *) dnl default
 # detect if DSA is supported, and turn it off if not.
 AC_CHECK_FUNC(DSA_SIG_new, [
 AC_DEFINE_UNQUOTED([USE_DSA], [1], [Define this to enable DSA support.])
+ AC_SUBST(ldns_build_config_use_dsa, 1)
 ], [if test "x$enable_dsa" = "xyes"; then
 AC_MSG_ERROR([OpenSSL does not support DSA and you used --enable-dsa.])
- fi ])
+ fi
+ AC_SUBST(ldns_build_config_use_dsa, 0)])
 ;;
 esac
diff --git a/ldns/common.h.in b/ldns/common.h.in
index 805eb8bf..d4a8051d 100644
--- a/ldns/common.h.in
+++ b/ldns/common.h.in
@@ -27,6 +27,7 @@
 #define LDNS_BUILD_CONFIG_USE_DANE @ldns_build_config_use_dane@
 #define LDNS_BUILD_CONFIG_HAVE_B32_PTON @ldns_build_config_have_b32_pton@
 #define LDNS_BUILD_CONFIG_HAVE_B32_NTOP @ldns_build_config_have_b32_ntop@
+#define LDNS_BUILD_CONFIG_USE_DSA @ldns_build_config_use_dsa@
 /*
 * HAVE_STDBOOL_H is not available when distributed as a library, but no build
diff --git a/ldns/keys.h b/ldns/keys.h
index 8442ad39..7e5fac5c 100644
--- a/ldns/keys.h
+++ b/ldns/keys.h
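Review bot: The substitution `ldns_build_config_use_dsa` is now assigned on three separate paths of the `case "$enable_dsa"` block, and any path that forgets it would, as far as I can tell, leave the literal `@ldns_build_config_use_dsa@` in the generated ldns/common.h, where the new `#define` feeds an `#if` and so turns into a preprocessor error rather than a quiet "DSA off". Setting the default once before the `case`, `AC_SUBST(ldns_build_config_use_dsa, 0)`, and keeping only the `AC_SUBST(ldns_build_config_use_dsa, 1)` next to the AC_DEFINE in the success branch makes the disabled state the fallback and lets the two zero assignments in the `no)` branch and in the AC_CHECK_FUNC failure action go away. That also keeps the value and `USE_DSA` derived from the same single DSA_SIG_new check, which is the property the header relies on.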
@@ -45,30 +45,22 @@ enum ldns_enum_algorithm {
 LDNS_RSAMD5 = 1, /* RFC 4034,4035 */
 LDNS_DH = 2,
-#ifdef USE_DSA
+#if LDNS_BUILD_CONFIG_USE_DSA
 LDNS_DSA = 3,
-#endif /* USE_DSA */
+#endif /* LDNS_BUILD_CONFIG_USE_DSA */
 LDNS_ECC = 4,
 LDNS_RSASHA1 = 5,
-#ifdef USE_DSA
+#if LDNS_BUILD_CONFIG_USE_DSA
 LDNS_DSA_NSEC3 = 6,
-#endif /* USE_DSA */
+#endif /* LDNS_BUILD_CONFIG_USE_DSA */
 LDNS_RSASHA1_NSEC3 = 7,
 LDNS_RSASHA256 = 8, /* RFC 5702 */
 LDNS_RSASHA512 = 10, /* RFC 5702 */
 LDNS_ECC_GOST = 12, /* RFC 5933 */
 LDNS_ECDSAP256SHA256 = 13, /* RFC 6605 */
 LDNS_ECDSAP384SHA384 = 14, /* RFC 6605 */
-#ifdef USE_ED25519
- /* this ifdef is internal to ldns, because we do not want to export
- * the symbol. Users can define it if they want access,
- * the feature is not fully implemented at this time and openssl
- * does not support it fully either (also for ED448). */
- LDNS_ED25519 = 15, /* draft-ietf-curdle-dnskey-ed25519 */
-#endif
-#ifdef USE_ED448
- LDNS_ED448 = 16, /* draft-ietf-curdle-dnskey-ed448 */
-#endif
+ LDNS_ED25519 = 15, /* RFC 8080 */
+ LDNS_ED448 = 16, /* RFC 8080 */
 LDNS_INDIRECT = 252,
 LDNS_PRIVATEDNS = 253,
 LDNS_PRIVATEOID = 254
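Review bot: Gating `LDNS_DSA = 3` and `LDNS_DSA_NSEC3 = 6` on `LDNS_BUILD_CONFIG_USE_DSA` removes the enumerators from the installed header on a DSA-less build, yet 3 and 6 stay valid DNSKEY/RRSIG algorithm numbers on the wire, so an application that wants to name them in a switch when logging or rejecting such records (DSA is deprecated for DNSSEC by RFC 8624, so recognising it to refuse it is the common need) cannot do so portably; the same applies to `LDNS_SIGN_DSA`/`LDNS_SIGN_DSA_NSEC3` in the ldns_enum_signing_algorithm hunk below. Keeping the enumerators unconditional and gating only the DSA prototypes, as the later keys.h hunks already do, would keep the public enum identical across build configurations; a comment such as `/* 3 and 6 are always defined so callers can recognise DSA-signed data even when DSA support is compiled out */` would record the intent. Separately, `LDNS_ED25519` and `LDNS_ED448` become unconditionally public here and the old comment stating the feature was not fully implemented is dropped, while the commit message only mentions USE_DSA; that change deserves a sentence in the description or a short note at the enumerators.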
@@ -94,24 +86,20 @@ enum ldns_enum_signing_algorithm {
 LDNS_SIGN_RSAMD5 = LDNS_RSAMD5,
 LDNS_SIGN_RSASHA1 = LDNS_RSASHA1,
-#ifdef USE_DSA
+#if LDNS_BUILD_CONFIG_USE_DSA
 LDNS_SIGN_DSA = LDNS_DSA,
-#endif /* USE_DSA */
+#endif /* LDNS_BUILD_CONFIG_USE_DSA */
 LDNS_SIGN_RSASHA1_NSEC3 = LDNS_RSASHA1_NSEC3,
 LDNS_SIGN_RSASHA256 = LDNS_RSASHA256,
 LDNS_SIGN_RSASHA512 = LDNS_RSASHA512,
-#ifdef USE_DSA
+#if LDNS_BUILD_CONFIG_USE_DSA
 LDNS_SIGN_DSA_NSEC3 = LDNS_DSA_NSEC3,
-#endif /* USE_DSA */
+#endif /* LDNS_BUILD_CONFIG_USE_DSA */
 LDNS_SIGN_ECC_GOST = LDNS_ECC_GOST,
 LDNS_SIGN_ECDSAP256SHA256 = LDNS_ECDSAP256SHA256,
 LDNS_SIGN_ECDSAP384SHA384 = LDNS_ECDSAP384SHA384,
-#ifdef USE_ED25519
 LDNS_SIGN_ED25519 = LDNS_ED25519,
-#endif
-#ifdef USE_ED448
 LDNS_SIGN_ED448 = LDNS_ED448,
-#endif
 LDNS_SIGN_HMACMD5 = 157, /* not official! This type is for TSIG, not DNSSEC */
 LDNS_SIGN_HMACSHA1 = 158, /* not official! This type is for TSIG, not DNSSEC */
 LDNS_SIGN_HMACSHA256 = 159, /* ditto */
@@ -250,9 +238,7 @@ ldns_status ldns_key_new_frm_engine(ldns_key **key, ENGINE *e, char *key_id, ldn
 * \return NULL on failure otherwise a RSA structure
 */
 RSA *ldns_key_new_frm_fp_rsa(FILE *fp);
-#endif /* LDNS_BUILD_CONFIG_HAVE_SSL */
-#if LDNS_BUILD_CONFIG_HAVE_SSL
 /**
 * frm_fp helper function. This function parses the
 * remainder of the (RSA) priv. key file generated from bind9
@@ -261,9 +247,9 @@ RSA *ldns_key_new_frm_fp_rsa(FILE *fp);
 * \return NULL on failure otherwise a RSA structure
 */
 RSA *ldns_key_new_frm_fp_rsa_l(FILE *fp, int *line_nr);
-#endif /* LDNS_BUILD_CONFIG_HAVE_SSL */
-#if LDNS_BUILD_CONFIG_HAVE_SSL
+
+# if LDNS_BUILD_CONFIG_USE_DSA
 /**
 * frm_fp helper function. This function parses the
 * remainder of the (DSA) priv. key file
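Review bot: The `# if LDNS_BUILD_CONFIG_USE_DSA` opened after `ldns_key_new_frm_fp_rsa_l` carries no comment saying where the macro comes from or that the DSA helpers disappear from the installed API when it is 0; a one-liner above it, `/* DSA helpers exist only when ldns was configured with DSA support; LDNS_BUILD_CONFIG_USE_DSA is set in ldns/common.h */`, would tell a user of the header why `ldns_key_new_frm_fp_dsa` may be missing. Its matching `# endif` lives in the @@ -282 hunk, so the block spans two hunks and, judging by the markers, closes before the enclosing `#if LDNS_BUILD_CONFIG_HAVE_SSL` does, which looks balanced. Minor style: the added empty `+` line appears to follow an existing blank context line (the hunk counts are 9 old, 9 new), so the new side ends up with two consecutive blank lines before the `# if`.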
@@ -271,9 +257,7 @@ RSA *ldns_key_new_frm_fp_rsa_l(FILE *fp, int *line_nr);
 * \return NULL on failure otherwise a RSA structure
 */
 DSA *ldns_key_new_frm_fp_dsa(FILE *fp);
-#endif /* LDNS_BUILD_CONFIG_HAVE_SSL */
-#if LDNS_BUILD_CONFIG_HAVE_SSL
 /**
 * frm_fp helper function. This function parses the
 * remainder of the (DSA) priv. key file
@@ -282,9 +266,8 @@ DSA *ldns_key_new_frm_fp_dsa(FILE *fp);
 * \return NULL on failure otherwise a RSA structure
 */
 DSA *ldns_key_new_frm_fp_dsa_l(FILE *fp, int *line_nr);
-#endif /* LDNS_BUILD_CONFIG_HAVE_SSL */
+# endif /* LDNS_BUILD_CONFIG_USE_DSA */
-#if LDNS_BUILD_CONFIG_HAVE_SSL
 /**
 * frm_fp helper function. This function parses the
 * remainder of the (HMAC-MD5) key file
@@ -294,9 +277,7 @@ DSA *ldns_key_new_frm_fp_dsa_l(FILE *fp, int *line_nr);
 * \return NULL on failure otherwise a newly allocated char buffer
 */
 unsigned char *ldns_key_new_frm_fp_hmac(FILE *fp, size_t *hmac_size);
-#endif
-#if LDNS_BUILD_CONFIG_HAVE_SSL
 /**
 * frm_fp helper function. This function parses the
 * remainder of the (HMAC-MD5) key file
@@ -316,6 +297,7 @@ unsigned char *ldns_key_new_frm_fp_hmac_l(FILE *fp, int *line_nr, size_t *hmac_s
 * \param[in] l the algorithm
 */
 void ldns_key_set_algorithm(ldns_key *k, ldns_signing_algorithm l);
+
 #if LDNS_BUILD_CONFIG_HAVE_SSL
 /**
 * Set the key's evp key
@@ -332,6 +314,7 @@ void ldns_key_set_evp_key(ldns_key *k, EVP_PKEY *e);
 */
 void ldns_key_set_rsa_key(ldns_key *k, RSA *r);
+# if LDNS_BUILD_CONFIG_USE_DSA
 /**
 * Set the key's dsa data
 * The dsa data should be freed by the user.
@@ -339,6 +322,7 @@ void ldns_key_set_rsa_key(ldns_key *k, RSA *r);
 * \param[in] d the dsa data
 */
 void ldns_key_set_dsa_key(ldns_key *k, DSA *d);
+# endif /* LDNS_BUILD_CONFIG_USE_DSA */
 /**
 * Assign the key's rsa data
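Review bot: `ldns_key_set_dsa_key` (wrapped in the @@ -332/@@ -339 hunks) and, in the hunks below, `ldns_key_assign_dsa_key` and `ldns_key_dsa_key` are now declared only when `LDNS_BUILD_CONFIG_USE_DSA` is 1, while their definitions are presumably still compiled under the internal `USE_DSA` from config.h; both values come from the same DSA_SIG_new check in configure.ac, but nothing in the header records that coupling, so a drift between the two would only surface as an undeclared function at compile time or a missing symbol at link time. A comment at the first `# if LDNS_BUILD_CONFIG_USE_DSA` of this group, `/* must agree with USE_DSA in config.h; both are set from the DSA_SIG_new check in configure.ac */`, would make the dependency visible to the next person touching either side. The enclosing `#if LDNS_BUILD_CONFIG_HAVE_SSL` opens outside these hunks, so the nesting cannot be fully checked from the diff.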
@@ -348,6 +332,7 @@ void ldns_key_set_dsa_key(ldns_key *k, DSA *d);
 */
 void ldns_key_assign_rsa_key(ldns_key *k, RSA *r);
+# if LDNS_BUILD_CONFIG_USE_DSA
 /**
 * Assign the key's dsa data
 * The dsa data will be freed automatically when the key is freed.
@@ -355,6 +340,7 @@ void ldns_key_assign_rsa_key(ldns_key *k, RSA *r);
 * \param[in] d the dsa data
 */
 void ldns_key_assign_dsa_key(ldns_key *k, DSA *d);
+# endif /* LDNS_BUILD_CONFIG_USE_DSA */
 /**
 * Get the PKEY id for GOST, loads GOST into openssl as a side effect.
@@ -471,13 +457,13 @@ RSA *ldns_key_rsa_key(const ldns_key *k);
 * \return the RSA * structure in the key
 */
 EVP_PKEY *ldns_key_evp_key(const ldns_key *k);
-#endif /* LDNS_BUILD_CONFIG_HAVE_SSL */
+# if LDNS_BUILD_CONFIG_USE_DSA
 /**
 * returns the (openssl) DSA struct contained in the key
 */
-#if LDNS_BUILD_CONFIG_HAVE_SSL
 DSA *ldns_key_dsa_key(const ldns_key *k);
+# endif /* LDNS_BUILD_CONFIG_USE_DSA */
 #endif /* LDNS_BUILD_CONFIG_HAVE_SSL */
 /**
-- 
2.47.3