From: Miek Gieben Date: Wed, 11 Jan 2006 13:11:52 +0000 (+0000) Subject: OpenSSL was made optional at compile time X-Git-Tag: release-1.1.0~439 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8f967e253f68179dd45c6d287bc914db62b72c19;p=thirdparty%2Fldns.git OpenSSL was made optional at compile time --- diff --git a/Changelog b/Changelog index 78272551..291221f5 100644 --- a/Changelog +++ b/Changelog @@ -9,6 +9,8 @@ (ie. just a list of rrs) can scale to zone file in order of megabytes. Sorting such zone is still difficult. * Reading multiline b64 encoded rdata works. + * OpenSSL was made optional, configure --without-ssl. + Ofcourse all dnssec/tsig related functions are disabled Drill: * -r was killed in favor of -o
which diff --git a/dnssec.c b/dnssec.c index c7e57034..54ba6176 100644 --- a/dnssec.c +++ b/dnssec.c @@ -17,14 +17,13 @@ #include #include +#ifdef HAVE_SSL +/* this entire file is rather useless when you don't have + * crypto... + */ #include -#include #include -#include -#include -#include -#include -#include +#include /* used only on the public key RR */ uint16_t @@ -34,14 +33,12 @@ ldns_calc_keytag(ldns_rr *key) uint32_t ac; ldns_buffer *keybuf; size_t keysize; - if (!key) { return 0; } ac = 0; - if (ldns_rr_get_type(key) != LDNS_RR_TYPE_DNSKEY) { return 0; } @@ -78,7 +75,6 @@ ldns_status ldns_verify(ldns_rr_list *rrset, ldns_rr_list *rrsig, ldns_rr_list *keys, ldns_rr_list *good_keys) { uint16_t i; -/* ldns_rr_list *keys_verified;*/ bool valid; ldns_status verify_result = LDNS_STATUS_ERR; @@ -102,7 +98,7 @@ ldns_verify(ldns_rr_list *rrset, ldns_rr_list *rrsig, ldns_rr_list *keys, ldns_r return verify_result; } -INLINE ldns_status +ldns_status ldns_verify_rrsig_buffers(ldns_buffer *rawsig_buf, ldns_buffer *verify_buf, ldns_buffer *key_buf, @@ -1338,3 +1334,4 @@ ldns_init_random(FILE *fd, uint16_t bytes) { LDNS_FREE(buf); return LDNS_STATUS_OK; } +#endif /* HAVE_SSL */ diff --git a/drill/configure.ac b/drill/configure.ac index b1bcb474..3790b1e1 100644 --- a/drill/configure.ac +++ b/drill/configure.ac @@ -2,7 +2,7 @@ # Process this file with autoconf to produce a configure script. AC_PREREQ(2.57) -AC_INIT(drill, 1.0.1, libdns@nlnetlabs.nl, drill) +AC_INIT(drill, 1.1.0, libdns@nlnetlabs.nl, drill) AC_CONFIG_SRCDIR([drill_util.h]) AC_AIX diff --git a/examples/configure.ac b/examples/configure.ac index d9c7536a..973c973f 100644 --- a/examples/configure.ac +++ b/examples/configure.ac @@ -2,7 +2,7 @@ # Process this file with autoconf to produce a configure script. AC_PREREQ(2.57) -AC_INIT(libdns, 1.0.1, libdns@nlnetlabs.nl,libdns) +AC_INIT(libdns, 1.1.0, libdns@nlnetlabs.nl,libdns) AC_CONFIG_SRCDIR([ldns-read-zone.c]) AC_AIX 
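Review bot: Every definition in dnssec.c now sits inside `#ifdef HAVE_SSL` (from the include hunk to the `#endif /* HAVE_SSL */` added after ldns_init_random), but the prototypes that ldns/dnssec.h keeps declaring unconditionally — the keytag declaration under "calculates a keytag of a key for use in DNSSEC", `ldns_rr *ldns_key_rr2ds(const ldns_rr *key);`, `ldns_rr_list *ldns_sign_public(...)`, the ldns_verify family — are untouched, so a `--without-ssl` consumer compiles cleanly and only fails at link time with undefined references. keys.c has the same mismatch: its `#ifdef HAVE_SSL` spans from ldns_key_list_new to ldns_key_list_free, which presumably covers ldns_key_algorithm and ldns_key_hmac_key, yet keys.h still declares both outside any guard. Guarding the declarations with the same macro, or keeping small stubs that return LDNS_STATUS_ERR, would turn that into either a compile-time error or a defined failure. ldns_calc_keytag itself (hunk starting at `ldns_calc_keytag(ldns_rr *key)`) looks like plain integer arithmetic over the key buffer with no OpenSSL call in view, so it could stay outside the guard, which would also make the `#ifdef HAVE_SSL` around the DNSKEY keytag output in host2str.c unnecessary; its body continues outside the hunk.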
diff --git a/host2str.c b/host2str.c index 1a51214b..c15af348 100644 --- a/host2str.c +++ b/host2str.c @@ -842,6 +842,7 @@ ldns_rr2buffer_str(ldns_buffer *output, ldns_rr *rr) if (ldns_rr_rd_count(rr) > 0) { switch (ldns_rr_get_type(rr)) { case LDNS_RR_TYPE_DNSKEY: +#ifdef HAVE_SSL if (ldns_rdf2native_int16(ldns_rr_rdf(rr, 0)) == 256) { ldns_buffer_printf(output, " ;{id = %d (zsk), size = %db}", ldns_calc_keytag(rr), @@ -857,6 +858,7 @@ ldns_rr2buffer_str(ldns_buffer *output, ldns_rr *rr) ldns_buffer_printf(output, " ;{id = %d, size = %db}", ldns_calc_keytag(rr), ldns_rr_dnskey_key_size(rr)); +#endif /* HAVE_SSL */ break; case LDNS_RR_TYPE_RRSIG: ldns_buffer_printf(output, " ;{id = %d}", @@ -1039,14 +1041,16 @@ ldns_pkt2buffer_str(ldns_buffer *output, ldns_pkt *pkt) return status; } -#ifdef HAVE_SSL ldns_status ldns_key2buffer_str(ldns_buffer *output, ldns_key *k) { ldns_status status = LDNS_STATUS_OK; unsigned char *bignum; +#ifdef HAVE_SSL + /* not used when ssl is not defined */ ldns_rdf *b64_bignum; uint16_t i; +#endif /* HAVE_SSL */ if (!k) { return LDNS_STATUS_ERR; @@ -1058,6 +1062,7 @@ ldns_key2buffer_str(ldns_buffer *output, ldns_key *k) } if (ldns_buffer_status_ok(output)) { +#ifdef HAVE_SSL switch(ldns_key_algorithm(k)) { case LDNS_SIGN_RSASHA1: case LDNS_SIGN_RSAMD5: @@ -1221,6 +1226,7 @@ ldns_key2buffer_str(ldns_buffer *output, ldns_key *k) /* is the filefmt specified for TSIG.. don't know */ goto error; } +#endif /* HAVE_SSL */ } else { LDNS_FREE(bignum); return ldns_buffer_status(output); @@ -1228,18 +1234,14 @@ ldns_key2buffer_str(ldns_buffer *output, ldns_key *k) LDNS_FREE(bignum); return status; +#ifdef HAVE_SSL + /* compiles warn the label isn't used */ error: LDNS_FREE(bignum); return LDNS_STATUS_ERR; +#endif /* HAVE_SSL */ } -#else -ldns_status -ldns_key2buffer_str(ldns_buffer *output, ldns_key *k) -{ - return LDNS_STATUS_ERR; -} -#endif /* HAVE_SSL */ /* * Zero terminate the buffer and fix it to the size of the string. 
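Review bot: In the last two hunks of ldns_key2buffer_str the non-SSL path now skips the whole `switch(ldns_key_algorithm(k))` block and falls through to `LDNS_FREE(bignum); return status;` with status still LDNS_STATUS_OK, so a `--without-ssl` build reports success for a key it has not written out; the deleted `#else` stub at least returned LDNS_STATUS_ERR. Unless the lines between the hunks emit something for the hmac case, the caller now gets an empty or partial key file with a clean status. Keeping the old contract needs one line: an `#else` arm on the guard around the switch with `status = LDNS_STATUS_ERR;`, which also matches the Changelog entry that says dnssec functions are disabled rather than silently no-ops. The body of ldns_key2buffer_str between the hunks is outside this view.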
diff --git a/keys.c b/keys.c index b8f310d7..985dc38b 100644 --- a/keys.c +++ b/keys.c @@ -14,7 +14,9 @@ #include +#ifdef HAVE_SSL #include +#endif /* HAVE_SSL */ ldns_lookup_table ldns_signing_algorithms[] = { { LDNS_SIGN_RSAMD5, "RSAMD5" }, @@ -24,6 +26,7 @@ ldns_lookup_table ldns_signing_algorithms[] = { { 0, NULL } }; +#ifdef HAVE_SSL ldns_key_list * ldns_key_list_new() { @@ -791,3 +794,4 @@ ldns_key_list_free(ldns_key_list *key_list) LDNS_FREE(key_list->_keys); LDNS_FREE(key_list); } +#endif /* HAVE_SSL */ diff --git a/ldns/dnssec.h b/ldns/dnssec.h index 3dc4406f..3a54a3c0 100644 --- a/ldns/dnssec.h +++ b/ldns/dnssec.h @@ -11,7 +11,9 @@ #ifndef _LDNS_DNSSEC_H_ #define _LDNS_DNSSEC_H_ +#ifdef HAVE_SSL #include +#endif /* HAVE_SSL */ #include #include #include @@ -20,7 +22,7 @@ #define LDNS_MAX_KEYLEN 2048 #define LDNS_DNSSEC_KEYPROTO 3 /* default time before sigs expire */ -#define LDNS_DEFAULT_EXP_TIME 1209600 +#define LDNS_DEFAULT_EXP_TIME 2419200 /* 4 weeks */ /** * calculates a keytag of a key for use in DNSSEC. @@ -88,7 +90,9 @@ ldns_status ldns_verify_rrsig_rsamd5(ldns_buffer *sig, ldns_buffer *rrset, ldns_ * \param[in] key the key to convert * \return a DSA * structure with the key material */ +#ifdef HAVE_SSL DSA *ldns_key_buf2dsa(ldns_buffer *key); +#endif /* HAVE_SSL */ /** * converts a buffer holding key material to a RSA key in openssl. @@ -96,7 +100,9 @@ DSA *ldns_key_buf2dsa(ldns_buffer *key); * \param[in] key the key to convert * \return a RSA * structure with the key material */ +#ifdef HAVE_SSL RSA *ldns_key_buf2rsa(ldns_buffer *key); +#endif /* HAVE_SSL */ /** * returns a new DS rr that represents the given key rr. 
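Review bot: The `#ifdef HAVE_SSL` guards added to the installed headers — this ldns/dnssec.h include hunk, the `DSA *ldns_key_buf2dsa` / `RSA *ldns_key_buf2rsa` hunks below it, and in ldns/keys.h the include, the `union` inside struct ldns_struct_key and the RSA/DSA accessor prototypes — make the public API depend on a configure-generated macro that an application including these headers will not have defined. A program built against an OpenSSL-enabled ldns therefore sees no RSA/DSA prototypes unless it defines HAVE_SSL itself, and one that does define it against a `--without-ssl` library compiles against functions that do not exist. The usual remedy is a library-owned macro that configure writes into an installed header (e.g. an `LDNS_HAVE_SSL` produced via AC_SUBST) and testing that in the public headers instead of the private config.h symbol.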
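Review bot: `LDNS_DEFAULT_EXP_TIME` doubles from 1209600 to 2419200 seconds in the second ldns/dnssec.h hunk, which is unrelated to making OpenSSL optional and is mentioned neither in the commit message nor in the Changelog hunk. The existing comment calls it the "default time before sigs expire", so the change lengthens the default RRSIG validity window, and a captured signed answer stays acceptable to validators for twice as long; that deserves its own Changelog line and ideally its own commit. If four weeks is the intended default, the comment should say what the constant is for rather than just restate the number, e.g. `#define LDNS_DEFAULT_EXP_TIME 2419200 /* 4 weeks: default RRSIG expiration offset when signing */`.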
@@ -108,10 +114,12 @@ ldns_rr *ldns_key_rr2ds(const ldns_rr *key); /* sign functions - these are very much a work in progress */ ldns_rr_list *ldns_sign_public(ldns_rr_list *rrset, ldns_key_list *keys); +#ifdef HAVE_SSL ldns_rdf *ldns_sign_public_dsa(ldns_buffer *to_sign, DSA *key); ldns_rdf *ldns_sign_public_rsamd5(ldns_buffer *to_sign, RSA *key); ldns_rdf *ldns_sign_public_rsasha1(ldns_buffer *to_sign, RSA *key); ldns_rdf *ldns_sign_public_dsa(ldns_buffer *to_sign, DSA *key); +#endif /* HAVE_SSL */ /** * Create a NSEC record diff --git a/ldns/keys.h b/ldns/keys.h index 5cba5404..8a34b5f9 100644 --- a/ldns/keys.h +++ b/ldns/keys.h @@ -14,7 +14,9 @@ #ifndef _LDNS_KEYS_H #define _LDNS_KEYS_H +#ifdef HAVE_SSL #include +#endif /* HAVE_SSL */ #include #include @@ -58,8 +60,10 @@ struct ldns_struct_key { ldns_signing_algorithm _alg; /** types of keys supported */ union { +#ifdef HAVE_SSL RSA *rsa; DSA *dsa; +#endif /* HAVE_SSL */ unsigned char *hmac; } _key; /** depending on the key we can have extra data */ @@ -134,7 +138,9 @@ ldns_key *ldns_key_new_frm_fp_l(FILE *fp, int *line_nr); * \param[in] fp the file to parse * \return NULL on failure otherwise a RSA structure */ +#ifdef HAVE_SSL RSA *ldns_key_new_frm_fp_rsa(FILE *fp); +#endif /* HAVE_SSL */ /** * frm_fp helper function. This function parsed the @@ -143,7 +149,9 @@ RSA *ldns_key_new_frm_fp_rsa(FILE *fp); * \param[in] line_nr pointer to an integer containing the current line number (for debugging purposes) * \return NULL on failure otherwise a RSA structure */ +#ifdef HAVE_SSL RSA *ldns_key_new_frm_fp_rsa_l(FILE *fp, int *line_nr); +#endif /* HAVE_SSL */ /** * frm_fp helper function. This function parsed the @@ -151,7 +159,9 @@ RSA *ldns_key_new_frm_fp_rsa_l(FILE *fp, int *line_nr); * \param[in] fp the file to parse * \return NULL on failure otherwise a RSA structure */ +#ifdef HAVE_SSL DSA *ldns_key_new_frm_fp_dsa(FILE *fp); +#endif /* HAVE_SSL */ /** * frm_fp helper function. This function parsed the 
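Review bot: The Doxygen blocks the keys.h hunks wrap (`@@ -151` here and `@@ -160` in the next hunk) document `DSA *ldns_key_new_frm_fp_dsa(FILE *fp);` and `DSA *ldns_key_new_frm_fp_dsa_l(...)` with `\return NULL on failure otherwise a RSA structure`, a copy-paste leftover from the RSA readers that the new guards now sit directly under. Since the commit already edits these blocks, correcting them to ` * \return NULL on failure otherwise a DSA structure` is cheap. The same hunk pair carries `/* acces write functions */`, which should read `/* access write functions */`.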
@@ -160,12 +170,16 @@ DSA *ldns_key_new_frm_fp_dsa(FILE *fp); * \param[in] line_nr pointer to an integer containing the current line number (for debugging purposes) * \return NULL on failure otherwise a RSA structure */ +#ifdef HAVE_SSL DSA *ldns_key_new_frm_fp_dsa_l(FILE *fp, int *line_nr); +#endif /* HAVE_SSL */ /* acces write functions */ void ldns_key_set_algorithm(ldns_key *k, ldns_signing_algorithm l); +#ifdef HAVE_SSL void ldns_key_set_rsa_key(ldns_key *k, RSA *r); void ldns_key_set_dsa_key(ldns_key *k, DSA *d); +#endif /* HAVE_SSL */ void ldns_key_set_hmac_key(ldns_key *k, unsigned char *hmac); void ldns_key_set_origttl(ldns_key *k, uint32_t t); void ldns_key_set_inception(ldns_key *k, uint32_t i); @@ -196,12 +210,16 @@ ldns_key *ldns_key_list_key(ldns_key_list *key, size_t nr); /** * returns the (openssl) RSA struct contained in the key */ +#ifdef HAVE_SSL RSA *ldns_key_rsa_key(ldns_key *k); +#endif /* HAVE_SSL */ /** * returns the (openssl) DSA struct contained in the key */ +#ifdef HAVE_SSL DSA *ldns_key_dsa_key(ldns_key *k); +#endif /* HAVE_SSL */ ldns_signing_algorithm ldns_key_algorithm(ldns_key *k); unsigned char *ldns_key_hmac_key(ldns_key *k); diff --git a/net.c b/net.c index b0d39bea..c833014e 100644 --- a/net.c +++ b/net.c @@ -149,6 +149,7 @@ ldns_send(ldns_pkt **result, ldns_resolver *r, ldns_pkt *query_pkt) sleep((unsigned int) ldns_resolver_retrans(r)); } +#ifdef HAVE_SSL if (tsig_mac && reply_bytes) { if (!ldns_pkt_tsig_verify(reply, reply_bytes, @@ -159,6 +160,7 @@ ldns_send(ldns_pkt **result, ldns_resolver *r, ldns_pkt *query_pkt) status = LDNS_STATUS_CRYPTO_TSIG_BOGUS; } } +#endif /* HAVE_SSL */ LDNS_FREE(reply_bytes); ldns_buffer_free(qb); diff --git a/resolver.c b/resolver.c index a46574ed..08b96f86 100644 --- a/resolver.c +++ b/resolver.c 
@@ -864,6 +864,7 @@ ldns_resolver_send(ldns_pkt **answer, ldns_resolver *r, ldns_rdf *name, rr instead of seperate values in resolver (and packet) Jelte */ +#ifdef HAVE_SSL if (ldns_resolver_tsig_keyname(r) && ldns_resolver_tsig_keydata(r)) { status = ldns_pkt_tsig_sign(query_pkt, ldns_resolver_tsig_keyname(r), @@ -875,6 +876,7 @@ ldns_resolver_send(ldns_pkt **answer, ldns_resolver *r, ldns_rdf *name, return LDNS_STATUS_CRYPTO_TSIG_ERR; } } +#endif /* HAVE_SSL */ status = ldns_resolver_send_pkt(&answer_pkt, r, query_pkt); ldns_pkt_free(query_pkt); diff --git a/rr.c b/rr.c index 4b0a7855..a711bae6 100644 --- a/rr.c +++ b/rr.c @@ -1176,7 +1176,9 @@ bool ldns_rr_compare_ds(const ldns_rr *orr1, const ldns_rr *orr2) { bool result; +#ifdef HAVE_SSL ldns_rr *ds_repr; +#endif /* HAVE_SSL */ ldns_rr *rr1 = ldns_rr_clone(orr1); ldns_rr *rr2 = ldns_rr_clone(orr2); @@ -1184,6 +1186,7 @@ ldns_rr_compare_ds(const ldns_rr *orr1, const ldns_rr *orr2) ldns_rr_set_ttl(rr1, 0); ldns_rr_set_ttl(rr2, 0); +#ifdef HAVE_SSL if (ldns_rr_get_type(rr1) == LDNS_RR_TYPE_DS && ldns_rr_get_type(rr2) == LDNS_RR_TYPE_DNSKEY) { ds_repr = ldns_key_rr2ds(rr2); @@ -1197,6 +1200,9 @@ ldns_rr_compare_ds(const ldns_rr *orr1, const ldns_rr *orr2) } else { result = (ldns_rr_compare(rr1, rr2) == 0); } +#else + result = (ldns_rr_compare(rr1, rr2) == 0); +#endif /* HAVE_SSL */ ldns_rr_free(rr1); ldns_rr_free(rr2); diff --git a/tsig.c b/tsig.c index 1989a762..67c2dcbd 100644 --- a/tsig.c +++ b/tsig.c @@ -13,8 +13,10 @@ #include +#ifdef HAVE_SSL #include #include +#endif /* HAVE_SSL */ char * ldns_tsig_algorithm(ldns_tsig_credentials *tc) @@ -123,6 +125,7 @@ ldns_tsig_prepare_pkt_wire(uint8_t *wire, size_t wire_len, size_t *result_len) return wire2; } +#ifdef HAVE_SSL const EVP_MD * ldns_get_digest_function(char *name) { @@ -137,7 +140,9 @@ ldns_get_digest_function(char *name) else return NULL; } +#endif +#ifdef HAVE_SSL ldns_status ldns_create_tsig_mac( ldns_rdf **tsig_mac, 
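Review bot: The `#endif` closing the guard after ldns_get_digest_function in tsig.c is the only one in the patch without the `/* HAVE_SSL */` trailer, and it is immediately followed by a fresh `#ifdef HAVE_SSL` for ldns_create_tsig_mac; the same close-and-reopen pattern repeats around ldns_pkt_tsig_verify and ldns_pkt_tsig_sign in the following hunks. One region from the `const EVP_MD *` definition to the final `#endif /* HAVE_SSL */` after ldns_pkt_tsig_sign would read more easily and leave fewer guards to keep in sync; at minimum write `#endif /* HAVE_SSL */` here for consistency. ldns/tsig.h is not part of this patch; if it still declares ldns_pkt_tsig_verify and ldns_pkt_tsig_sign unconditionally, the link-time mismatch noted for dnssec.h applies here too.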
@@ -221,9 +226,10 @@ ldns_create_tsig_mac( return LDNS_STATUS_OK; } +#endif /* HAVE_SSL */ -/* THIS FUNC WILL REMOVE TSIG ITSELF */ +#ifdef HAVE_SSL bool ldns_pkt_tsig_verify(ldns_pkt *pkt, uint8_t *wire, @@ -303,7 +309,9 @@ ldns_pkt_tsig_verify(ldns_pkt *pkt, return false; } } +#endif /* HAVE_SSL */ +#ifdef HAVE_SSL /* TODO: memory :p */ ldns_status ldns_pkt_tsig_sign(ldns_pkt *pkt, const char *key_name, const char *key_data, uint16_t fudge, const char *algorithm_name, ldns_rdf *query_mac) @@ -401,3 +409,4 @@ ldns_pkt_tsig_sign(ldns_pkt *pkt, const char *key_name, const char *key_data, ui ldns_rdf_free(other_data_rdf); return status; } +#endif /* HAVE_SSL */ diff --git a/update.c b/update.c index b028740e..c75cbb15 100644 --- a/update.c +++ b/update.c @@ -68,14 +68,15 @@ ldns_update_pkt_new(ldns_rdf *zone_rdf, ldns_rr_class class, } ldns_status -ldns_update_pkt_tsig_add(ldns_pkt *p, ldns_resolver *r) +ldns_update_pkt_tsig_add(ldns_pkt *ATTR_UNUSED(p), ldns_resolver *ATTR_UNUSED(r)) { +#ifdef HAVE_SSL uint16_t fudge = 300; /* Recommended fudge. [RFC2845 6.4] */ - if (ldns_resolver_tsig_keyname(r) && ldns_resolver_tsig_keydata(r)) return ldns_pkt_tsig_sign(p, ldns_resolver_tsig_keyname(r), ldns_resolver_tsig_keydata(r), fudge, ldns_resolver_tsig_algorithm(r), NULL); +#endif /* HAVE_SSL */ /* No TSIG to do. */ return LDNS_STATUS_OK;