authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-09-12 04:45:07 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-09-12 04:45:07 +0000
commit0335817ced71e8355806ea0445aa3b105a22364c (patch)
treedffe735f2668a4728d8567feaf7ccb2d73076bac /src/libdnssec
parentAdding upstream version 3.3.9. (diff)
Adding upstream version 3.4.0. (refs: upstream/3.4.0, upstream)
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'src/libdnssec')
-rw-r--r--src/libdnssec/key/algorithm.c12
-rw-r--r--src/libdnssec/key/convert.c22
-rw-r--r--src/libdnssec/pem.c21
-rw-r--r--src/libdnssec/sign/sign.c41
-rw-r--r--src/libdnssec/version.h4
5 files changed, 10 insertions, 90 deletions
diff --git a/src/libdnssec/key/algorithm.c b/src/libdnssec/key/algorithm.c
index a9bc3ee..d242442 100644
--- a/src/libdnssec/key/algorithm.c
+++ b/src/libdnssec/key/algorithm.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) 2023 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -93,11 +93,9 @@ gnutls_pk_algorithm_t algorithm_to_gnutls(dnssec_key_algorithm_t dnssec)
return GNUTLS_PK_RSA;
case DNSSEC_KEY_ALGORITHM_ECDSA_P256_SHA256:
case DNSSEC_KEY_ALGORITHM_ECDSA_P384_SHA384:
- return GNUTLS_PK_EC;
-#ifdef HAVE_ED25519
+ return GNUTLS_PK_ECDSA;
case DNSSEC_KEY_ALGORITHM_ED25519:
return GNUTLS_PK_EDDSA_ED25519;
-#endif
#ifdef HAVE_ED448
case DNSSEC_KEY_ALGORITHM_ED448:
return GNUTLS_PK_EDDSA_ED448;
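Review bot: Dropping `#ifdef HAVE_ED25519` makes Ed25519 an unconditional case while `#ifdef HAVE_ED448` on the very next line keeps Ed448 optional, and nothing in the hunk records why the two are now treated differently. Presumably the minimum GnuTLS version was raised so that Ed25519 is always available, but that requirement lives in the build system, outside this diff, so the asymmetry deserves a comment at the remaining guard: `/* Ed25519 is guaranteed by the minimum GnuTLS version; Ed448 is still optional. */`. The same asymmetric pattern appears in the convert.c hunks (eddsa_curve_point_size, eddsa_curve_from_rdata_size, convert_pubkey_to_dnskey, convert_dnskey_to_pubkey) and in the sign.c hunk for algo_dnssec2gnutls, so one comment per file would be enough. algorithm_to_gnutls starts before this hunk.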
@@ -119,11 +117,7 @@ bool dnssec_algorithm_reproducible(dnssec_key_algorithm_t algorithm, bool enable
return true; // those are always reproducible
case DNSSEC_KEY_ALGORITHM_ECDSA_P256_SHA256:
case DNSSEC_KEY_ALGORITHM_ECDSA_P384_SHA384:
-#ifdef HAVE_GNUTLS_REPRODUCIBLE
- return enabled; // Reproducible only if GnuTLS supports && enabled
-#else
- return false;
-#endif
+ return enabled; // reproducible only if GnuTLS supports && enabled
default:
return false;
}
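Review bot: The surviving comment on the added line, `// reproducible only if GnuTLS supports && enabled`, no longer matches the code: the `HAVE_GNUTLS_REPRODUCIBLE` check that expressed "GnuTLS supports" was removed, so the function now returns `enabled` without any support test. The comment should state the new assumption instead, e.g. `return enabled; // support is guaranteed by the minimum GnuTLS version; honour the caller's setting`. Since this value is what gates deterministic ECDSA signing, keeping the comment accurate matters for anyone auditing the signing path. dnssec_algorithm_reproducible starts before this hunk.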
diff --git a/src/libdnssec/key/convert.c b/src/libdnssec/key/convert.c
index 56168f7..d06c25e 100644
--- a/src/libdnssec/key/convert.c
+++ b/src/libdnssec/key/convert.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) 2023 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -104,20 +104,16 @@ static size_t ecdsa_curve_point_size(gnutls_ecc_curve_t curve)
}
}
-#if defined(HAVE_ED25519) || defined(HAVE_ED448)
static size_t eddsa_curve_point_size(gnutls_ecc_curve_t curve)
{
switch (curve) {
-#ifdef HAVE_ED25519
case GNUTLS_ECC_CURVE_ED25519: return 32;
-#endif
#ifdef HAVE_ED448
case GNUTLS_ECC_CURVE_ED448: return 57;
#endif
default: return 0;
}
}
-#endif
/*!
* Convert ECDSA public key to DNSSEC format.
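Review bot: eddsa_curve_point_size now stands as an ordinary function but, unlike its neighbours (`Convert ECDSA public key to DNSSEC format.` and the other `/*! */` headers), it has no doc comment; suggest adding `/*! * Get EDDSA public key size in bytes for the curve, 0 if the curve is unsupported. */` above the definition so the `default: return 0` sentinel is documented at the source. The literals `32` and `57` are also repeated in eddsa_curve_from_rdata_size in a later hunk of this file, where they are matched in the opposite direction; naming them once (for example `ED25519_POINT_SIZE` / `ED448_POINT_SIZE`) would keep the two switches from drifting apart.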
@@ -157,7 +153,6 @@ static int ecdsa_pubkey_to_rdata(gnutls_pubkey_t key, dnssec_binary_t *rdata)
/*!
* Convert EDDSA public key to DNSSEC format.
*/
-#if defined(HAVE_ED25519) || defined(HAVE_ED448)
static int eddsa_pubkey_to_rdata(gnutls_pubkey_t key, dnssec_binary_t *rdata)
{
assert(key);
@@ -187,7 +182,6 @@ static int eddsa_pubkey_to_rdata(gnutls_pubkey_t key, dnssec_binary_t *rdata)
return DNSSEC_EOK;
}
-#endif
/* -- crypto to DNSSEC ------------------------------------------------------*/
@@ -248,20 +242,16 @@ static gnutls_ecc_curve_t ecdsa_curve_from_rdata_size(size_t rdata_size)
/*!
* Get EDDSA curve based on DNSKEY RDATA size.
*/
-#if defined(HAVE_ED25519) || defined(HAVE_ED448)
static gnutls_ecc_curve_t eddsa_curve_from_rdata_size(size_t rdata_size)
{
switch (rdata_size) {
-#ifdef HAVE_ED25519
case 32: return GNUTLS_ECC_CURVE_ED25519;
-#endif
#ifdef HAVE_ED448
case 57: return GNUTLS_ECC_CURVE_ED448;
#endif
default: return GNUTLS_ECC_CURVE_INVALID;
}
}
-#endif
/*!
* Convert ECDSA key in DNSSEC format to crypto key.
@@ -296,7 +286,6 @@ static int ecdsa_rdata_to_pubkey(const dnssec_binary_t *rdata, gnutls_pubkey_t k
/*!
* Convert EDDSA key in DNSSEC format to crypto key.
*/
-#if defined(HAVE_ED25519) || defined(HAVE_ED448)
static int eddsa_rdata_to_pubkey(const dnssec_binary_t *rdata, gnutls_pubkey_t key)
{
assert(rdata);
@@ -320,7 +309,6 @@ static int eddsa_rdata_to_pubkey(const dnssec_binary_t *rdata, gnutls_pubkey_t k
return DNSSEC_EOK;
}
-#endif
/* -- internal API --------------------------------------------------------- */
@@ -339,10 +327,8 @@ int convert_pubkey_to_dnskey(gnutls_pubkey_t key, dnssec_binary_t *rdata)
switch ((gnutls_pk_algorithm_t)algorithm) {
case GNUTLS_PK_RSA: return rsa_pubkey_to_rdata(key, rdata);
- case GNUTLS_PK_EC: return ecdsa_pubkey_to_rdata(key, rdata);
-#ifdef HAVE_ED25519
+ case GNUTLS_PK_ECDSA: return ecdsa_pubkey_to_rdata(key, rdata);
case GNUTLS_PK_EDDSA_ED25519: return eddsa_pubkey_to_rdata(key, rdata);
-#endif
#ifdef HAVE_ED448
case GNUTLS_PK_EDDSA_ED448: return eddsa_pubkey_to_rdata(key, rdata);
#endif
@@ -363,10 +349,8 @@ int convert_dnskey_to_pubkey(uint8_t algorithm, const dnssec_binary_t *rdata,
switch(gnutls_alg) {
case GNUTLS_PK_RSA: return rsa_rdata_to_pubkey(rdata, key);
- case GNUTLS_PK_EC: return ecdsa_rdata_to_pubkey(rdata, key);
-#ifdef HAVE_ED25519
+ case GNUTLS_PK_ECDSA: return ecdsa_rdata_to_pubkey(rdata, key);
case GNUTLS_PK_EDDSA_ED25519: return eddsa_rdata_to_pubkey(rdata, key);
-#endif
#ifdef HAVE_ED448
case GNUTLS_PK_EDDSA_ED448: return eddsa_rdata_to_pubkey(rdata, key);
#endif
diff --git a/src/libdnssec/pem.c b/src/libdnssec/pem.c
index fa463f6..41fd855 100644
--- a/src/libdnssec/pem.c
+++ b/src/libdnssec/pem.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) 2023 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -130,29 +130,10 @@ int dnssec_pem_from_x509(gnutls_x509_privkey_t key, dnssec_binary_t *pem)
static int privkey_export_x509(gnutls_privkey_t key, gnutls_x509_privkey_t *_key)
{
-#ifdef HAVE_EXPORT_X509
if (gnutls_privkey_export_x509(key, _key) != GNUTLS_E_SUCCESS) {
return DNSSEC_KEY_EXPORT_ERROR;
}
-#else // Needed for GnuTLS < 3.4.0 (CentOS 7)
- struct privkey { // Extracted needed items only!
- gnutls_privkey_type_t type;
- gnutls_pk_algorithm_t pk_algorithm;
- gnutls_x509_privkey_t x509;
- };
- struct privkey *pkey = (struct privkey *)key;
- assert(pkey->type == GNUTLS_PRIVKEY_X509);
-
- if (gnutls_x509_privkey_init(_key) != GNUTLS_E_SUCCESS) {
- return DNSSEC_KEY_EXPORT_ERROR;
- }
-
- if (gnutls_x509_privkey_cpy(*_key, pkey->x509) != GNUTLS_E_SUCCESS) {
- gnutls_x509_privkey_deinit(*_key);
- return DNSSEC_KEY_EXPORT_ERROR;
- }
-#endif
return DNSSEC_EOK;
}
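Review bot: privkey_export_x509 has no doc comment, and with the fallback gone the function silently carries a build requirement that used to be spelled out only in the removed `// Needed for GnuTLS < 3.4.0` remark; suggest `/*! Export the X.509 private key behind an abstract gnutls_privkey_t. Requires GnuTLS >= 3.4.0 (gnutls_privkey_export_x509). */` above the definition. The removed branch produced a copy via gnutls_x509_privkey_cpy that the caller had to deinit; whether `*_key` from gnutls_privkey_export_x509 carries the same ownership should be confirmed against the GnuTLS documentation and stated in that comment, since the caller's cleanup was written for the copy semantics. Removing the struct-layout cast also removes the last use of assert in this function, so the corresponding include may now be unused here; that cannot be verified from the hunk.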
diff --git a/src/libdnssec/sign/sign.c b/src/libdnssec/sign/sign.c
index 3a7bcba..727f650 100644
--- a/src/libdnssec/sign/sign.c
+++ b/src/libdnssec/sign/sign.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) 2023 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -202,34 +202,6 @@ static const algorithm_functions_t *get_functions(const dnssec_key_t *key)
}
}
-#ifndef HAVE_SIGN_DATA2
-/*!
- * Get digest algorithm used with a given key.
- */
-static gnutls_digest_algorithm_t get_digest_algorithm(const dnssec_key_t *key)
-{
- uint8_t algorithm = dnssec_key_get_algorithm(key);
-
- switch ((dnssec_key_algorithm_t)algorithm) {
- case DNSSEC_KEY_ALGORITHM_RSA_SHA1:
- case DNSSEC_KEY_ALGORITHM_RSA_SHA1_NSEC3:
- return GNUTLS_DIG_SHA1;
- case DNSSEC_KEY_ALGORITHM_RSA_SHA256:
- case DNSSEC_KEY_ALGORITHM_ECDSA_P256_SHA256:
- return GNUTLS_DIG_SHA256;
- case DNSSEC_KEY_ALGORITHM_RSA_SHA512:
- return GNUTLS_DIG_SHA512;
- case DNSSEC_KEY_ALGORITHM_ECDSA_P384_SHA384:
- return GNUTLS_DIG_SHA384;
- case DNSSEC_KEY_ALGORITHM_ED25519:
- case DNSSEC_KEY_ALGORITHM_ED448:
- return GNUTLS_DIG_SHA512;
- default:
- return GNUTLS_DIG_UNKNOWN;
- }
-}
-#endif
-
static gnutls_sign_algorithm_t algo_dnssec2gnutls(dnssec_key_algorithm_t algorithm)
{
switch (algorithm) {
@@ -244,10 +216,8 @@ static gnutls_sign_algorithm_t algo_dnssec2gnutls(dnssec_key_algorithm_t algorit
return GNUTLS_SIGN_RSA_SHA512;
case DNSSEC_KEY_ALGORITHM_ECDSA_P384_SHA384:
return GNUTLS_SIGN_ECDSA_SHA384;
-#ifdef HAVE_ED25519
case DNSSEC_KEY_ALGORITHM_ED25519:
return GNUTLS_SIGN_EDDSA_ED25519;
-#endif
#ifdef HAVE_ED448
case DNSSEC_KEY_ALGORITHM_ED448:
return GNUTLS_SIGN_EDDSA_ED448;
@@ -356,24 +326,15 @@ int dnssec_sign_write(dnssec_sign_ctx_t *ctx, dnssec_sign_flags_t flags, dnssec_
};
unsigned gnutls_flags = 0;
-#ifdef HAVE_GNUTLS_REPRODUCIBLE
if (flags & DNSSEC_SIGN_REPRODUCIBLE) {
gnutls_flags |= GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE;
}
-#endif
assert(ctx->key->private_key);
_cleanup_datum_ gnutls_datum_t raw = { 0 };
-#ifdef HAVE_SIGN_DATA2
int result = gnutls_privkey_sign_data2(ctx->key->private_key,
ctx->sign_algorithm,
gnutls_flags, &data, &raw);
-#else
- gnutls_digest_algorithm_t digest_algorithm = get_digest_algorithm(ctx->key);
- int result = gnutls_privkey_sign_data(ctx->key->private_key,
- digest_algorithm,
- gnutls_flags, &data, &raw);
-#endif
if (result < 0) {
return DNSSEC_SIGN_ERROR;
}
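Review bot: With the `#ifdef HAVE_GNUTLS_REPRODUCIBLE` guard gone, `DNSSEC_SIGN_REPRODUCIBLE` is translated to `GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE` for every key algorithm, and nothing in this function ties it to the algorithms for which dnssec_algorithm_reproducible (algorithm.c, earlier in this diff) returns true. Presumably callers consult that function first; that contract should be written down next to the flag translation, e.g. `// callers are expected to gate this on dnssec_algorithm_reproducible()`, so the deterministic-signature path stays auditable. The error path still collapses the GnuTLS return code into `DNSSEC_SIGN_ERROR`, which makes a rejected flag indistinguishable from a key failure; if a diagnostic channel exists in this library it would be worth using here. dnssec_sign_write starts before and continues after this hunk.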
diff --git a/src/libdnssec/version.h b/src/libdnssec/version.h
index e72e2bd..cd5bad2 100644
--- a/src/libdnssec/version.h
+++ b/src/libdnssec/version.h
@@ -17,8 +17,8 @@
#pragma once
#define DNSSEC_VERSION_MAJOR 3
-#define DNSSEC_VERSION_MINOR 3
-#define DNSSEC_VERSION_PATCH 0x09
+#define DNSSEC_VERSION_MINOR 4
+#define DNSSEC_VERSION_PATCH 0x00
#define DNSSEC_VERSION_HEX ((DNSSEC_VERSION_MAJOR << 16) | \
(DNSSEC_VERSION_MINOR << 8) | \