From 6d9587f495f428017a23a15bd781cc91ecd78a9c Mon Sep 17 00:00:00 2001 From: Pieter Lexis Date: Tue, 21 Oct 2025 11:31:30 +0200 Subject: [PATCH] feat(dnsdist): Make IPCrypt2 optional --- pdns/dnsdistdist/dnsdist-ipcrypt2.cc | 18 ++++++++++++++++-- pdns/dnsdistdist/dnsdist.cc | 3 +++ pdns/dnsdistdist/ext/ipcrypt2/meson.build | 18 ++++++++++++++++-- .../m4/pdns_check_aarch64_uint64x2_t.m4 | 2 ++ pdns/dnsdistdist/meson_options.txt | 1 + pdns/dnsdistdist/test-dnsdist-ipcrypt2_cc.cc | 4 ++++ 6 files changed, 42 insertions(+), 4 deletions(-) diff --git a/pdns/dnsdistdist/dnsdist-ipcrypt2.cc b/pdns/dnsdistdist/dnsdist-ipcrypt2.cc index 9fcf70d685..dc1d64600f 100644 --- a/pdns/dnsdistdist/dnsdist-ipcrypt2.cc +++ b/pdns/dnsdistdist/dnsdist-ipcrypt2.cc @@ -20,21 +20,26 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ +#ifdef HAVE_IPCRYPT2 #include +#endif #include #include #include #include "dnsdist-ipcrypt2.hh" +#ifdef HAVE_IPCRYPT2 #include "ipcrypt2.h" +#endif #include "iputils.hh" // ipcrypt2 namespace does not have to be dnsdist-specific namespace pdns::ipcrypt2 { -IPCrypt2::IPCrypt2(const IPCryptMethod& method, const std::string& key) : +IPCrypt2::IPCrypt2([[maybe_unused]] const IPCryptMethod& method, [[maybe_unused]] const std::string& key) : d_method(method) { +#ifdef HAVE_IPCRYPT2 switch (method) { case IPCryptMethod::pfx: { if (key.size() != IPCRYPT_PFX_KEYBYTES) { @@ -50,10 +55,14 @@ IPCrypt2::IPCrypt2(const IPCryptMethod& method, const std::string& key) : throw std::runtime_error("Unsupported IPCrypt2 method"); break; } +#else + throw std::runtime_error("IPCrypt2 is not supported"); +#endif } IPCrypt2::~IPCrypt2() { +#ifdef HAVE_IPCRYPT2 switch (d_method) { case IPCryptMethod::pfx: if (d_ipcryptCtxPfx != nullptr) { 
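Review bot: `HAVE_IPCRYPT2` is tested at the top of dnsdist-ipcrypt2.cc before any header has been included, so the first guard can only be true if the build pre-includes the generated configuration header or passes the macro on the command line; nothing in this hunk shows either. If neither happens, the first guarded system include is skipped even in an enabled build, and the guard at the very top of test-dnsdist-ipcrypt2_cc.cc (the last file in this patch) compiles the whole test suite out without any diagnostic. Including the configuration header (presumably `config.h`) ahead of the first `#ifdef HAVE_IPCRYPT2` in both files would make the guards independent of build flags. The constructor body continues outside this hunk.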
@@ -63,10 +72,12 @@ IPCrypt2::~IPCrypt2() default: return; } +#endif }; -ComboAddress IPCrypt2::encrypt(const ComboAddress& address) const +ComboAddress IPCrypt2::encrypt([[maybe_unused]] const ComboAddress& address) const // NOLINT(readability-convert-member-functions-to-static) { +#ifdef HAVE_IPCRYPT2 switch (d_method) { case IPCryptMethod::pfx: { uint8_t ip16[16]; @@ -91,5 +102,8 @@ ComboAddress IPCrypt2::encrypt(const ComboAddress& address) const throw std::runtime_error("Unsupported method"); break; } +#else + throw std::runtime_error("IPCrypt2 is not supported"); +#endif } } diff --git a/pdns/dnsdistdist/dnsdist.cc b/pdns/dnsdistdist/dnsdist.cc index 7b5a27b7cc..d64c5d6fe0 100644 --- a/pdns/dnsdistdist/dnsdist.cc +++ b/pdns/dnsdistdist/dnsdist.cc @@ -3072,6 +3072,9 @@ static void reportFeatures() #ifdef HAVE_IPCIPHER cout << "ipcipher "; #endif +#ifdef HAVE_IPCRYPT2 + cout << "ipcrypt2 "; +#endif #ifdef HAVE_LIBEDIT cout << "libedit "; #endif diff --git a/pdns/dnsdistdist/ext/ipcrypt2/meson.build b/pdns/dnsdistdist/ext/ipcrypt2/meson.build index 6be41f48c0..41d3fde95a 100644 --- a/pdns/dnsdistdist/ext/ipcrypt2/meson.build +++ b/pdns/dnsdistdist/ext/ipcrypt2/meson.build @@ -1,3 +1,6 @@ +opt_ipcrypt2 = get_option('ipcrypt2') + +can_build=true if target_machine.cpu_family() == 'aarch64' code = ''' # if defined(_MSC_VER) && defined(_M_ARM64) @@ -12,10 +15,13 @@ int main() { } ''' compiler = meson.get_compiler('cpp') - result = compiler.compiles(code, name: 'uint64x2_t tests') - assert(result, 'Compiler does not support calculation with uint64x2_t on ARM64') + can_build = compiler.compiles(code, name: 'uint64x2_t tests') endif + +dep_ipcrypt2 = declare_dependency() + +if can_build lib_ipcrypt2 = static_library( 'ipcrypt2', 'ipcrypt2.c', 
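Review bot: The `#else` branch of `IPCrypt2::encrypt()` throws instead of handing the address back, which is the right failure mode, but nothing in the code records that this is deliberate. A one-line comment above the throw, for example `// Fail closed: never return the cleartext address when IPCrypt2 is compiled out`, would keep a later cleanup from turning the stub into a pass-through that emits unencrypted client addresses. The signature of `encrypt()` is in the previous hunk and the enabled branch between the two hunks is not visible here.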
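Review bot: `if can_build` gates the `static_library('ipcrypt2', ...)` target on the compiler probe only, so `-Dipcrypt2=disabled` still compiles the vendored ipcrypt2.c and exposes it through `dep_ipcrypt2`, while `HAVE_IPCRYPT2` is left unset (the `enable_ipcrypt2` computation is in the following hunk of this file). Computing `enable_ipcrypt2 = can_build and not opt_ipcrypt2.disabled()` before the library block and testing `if enable_ipcrypt2` there would keep a disabled build free of the unused crypto code. The library definition continues outside this hunk.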
@@ -30,3 +36,11 @@ dep_ipcrypt2 = declare_dependency( link_with: lib_ipcrypt2, include_directories: include_directories('./include'), ) +endif + +if not can_build and opt_ipcrypt2.enabled() + error('ipcrypt2 support was requested but ipcrypt2 can not be built') +endif +enable_ipcrypt2 = can_build and not opt_ipcrypt2.disabled() +conf.set('HAVE_IPCRYPT2', enable_ipcrypt2, description: 'ipcrypt2 support') +summary('ipcrypt2', enable_ipcrypt2, bool_yn: true, section: 'Configuration') diff --git a/pdns/dnsdistdist/m4/pdns_check_aarch64_uint64x2_t.m4 b/pdns/dnsdistdist/m4/pdns_check_aarch64_uint64x2_t.m4 index 96c2437ac7..a6cbf2dfdb 100644 --- a/pdns/dnsdistdist/m4/pdns_check_aarch64_uint64x2_t.m4 +++ b/pdns/dnsdistdist/m4/pdns_check_aarch64_uint64x2_t.m4 @@ -15,6 +15,8 @@ int main() { return 0; } ])],[ + dnl We just define this. Proper detection is only done in Meson + AC_DEFINE([HAVE_IPCRYPT2], [1], [Define to 1 to build with IPCrypt2]) AC_MSG_RESULT([ok]) ],[ AC_MSG_FAILURE([no]) diff --git a/pdns/dnsdistdist/meson_options.txt b/pdns/dnsdistdist/meson_options.txt index 5fd8ac92d7..3f506142c5 100644 --- a/pdns/dnsdistdist/meson_options.txt +++ b/pdns/dnsdistdist/meson_options.txt 
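Review bot: `AC_DEFINE([HAVE_IPCRYPT2], ...)` sits inside the success branch of the uint64x2_t compile probe, so an autotools build defines the macro only when this probe actually runs and passes. Whether the probe is executed on non-aarch64 hosts is decided outside this hunk; if it is skipped there, those builds get the stub class and every `IPCrypt2` construction throws `IPCrypt2 is not supported` at run time with no configure-time hint. Because the failure branch still aborts with `AC_MSG_FAILURE([no])`, the define could be issued unconditionally next to the macro call instead, and the `dnl` comment extended to state that autotools always enables IPCrypt2.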
@@ -11,6 +11,7 @@ option('hardening-experimental-cf', type: 'combo', choices: ['disabled', 'full', option('hardening-experimental-scp', type: 'feature', value: 'disabled', description: 'Stack Clash Protection') option('hardening-fortify-source', type: 'combo', choices: ['auto', 'disabled', '1', '2', '3'], value: '2', description: 'Source fortification level') option('ipcipher', type: 'feature', value: 'auto', description: 'IPCipher') +option('ipcrypt2', type: 'feature', value: 'auto', description: 'IPCrypt2') option('tls-libssl', type: 'feature', value: 'auto', description: 'OpenSSL-based TLS') option('tls-libssl-dir', type: 'string', value: '', description: 'Alternate OpenSSL location') option('tls-libssl-engines', type: 'boolean', value: false, description: 'OpenSSL-based TLS with TLS engines') diff --git a/pdns/dnsdistdist/test-dnsdist-ipcrypt2_cc.cc b/pdns/dnsdistdist/test-dnsdist-ipcrypt2_cc.cc index f5b7aa82f5..2f38b4a567 100644 --- a/pdns/dnsdistdist/test-dnsdist-ipcrypt2_cc.cc +++ b/pdns/dnsdistdist/test-dnsdist-ipcrypt2_cc.cc @@ -19,6 +19,8 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ +#ifdef HAVE_IPCRYPT2 + #ifndef BOOST_TEST_DYN_LINK #define BOOST_TEST_DYN_LINK #include "iputils.hh" @@ -93,3 +95,5 @@ BOOST_AUTO_TEST_CASE(unsupported_method) } BOOST_AUTO_TEST_SUITE_END() + +#endif // HAVE_IPCRYPT2 -- 2.47.3
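Review bot: Wrapping the whole of test-dnsdist-ipcrypt2_cc.cc in `#ifdef HAVE_IPCRYPT2` leaves a build without IPCrypt2 with no test at all for the stub path added in dnsdist-ipcrypt2.cc. An `#else` branch with a single case that checks the constructor throws `std::runtime_error` (a `BOOST_CHECK_THROW` around an `IPCrypt2` construction with any method and key) would pin the fail-closed behaviour. That requires moving the opening guard below the Boost and project includes so the stub case can use them. The test cases between the two hunks are not visible here.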