diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-09-12 04:45:07 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-09-12 04:45:07 +0000 |
commit | 0335817ced71e8355806ea0445aa3b105a22364c (patch) | |
tree | dffe735f2668a4728d8567feaf7ccb2d73076bac /src/libdnssec | |
parent | Adding upstream version 3.3.9. (diff) | |
download | knot-upstream.tar.xz knot-upstream.zip |
Adding upstream version 3.4.0.upstream/3.4.0upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'src/libdnssec')
-rw-r--r-- | src/libdnssec/key/algorithm.c | 12 | ||||
-rw-r--r-- | src/libdnssec/key/convert.c | 22 | ||||
-rw-r--r-- | src/libdnssec/pem.c | 21 | ||||
-rw-r--r-- | src/libdnssec/sign/sign.c | 41 | ||||
-rw-r--r-- | src/libdnssec/version.h | 4 |
5 files changed, 10 insertions, 90 deletions
diff --git a/src/libdnssec/key/algorithm.c b/src/libdnssec/key/algorithm.c index a9bc3ee..d242442 100644 --- a/src/libdnssec/key/algorithm.c +++ b/src/libdnssec/key/algorithm.c @@ -1,4 +1,4 @@ -/* Copyright (C) 2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> +/* Copyright (C) 2023 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -93,11 +93,9 @@ gnutls_pk_algorithm_t algorithm_to_gnutls(dnssec_key_algorithm_t dnssec) return GNUTLS_PK_RSA; case DNSSEC_KEY_ALGORITHM_ECDSA_P256_SHA256: case DNSSEC_KEY_ALGORITHM_ECDSA_P384_SHA384: - return GNUTLS_PK_EC; -#ifdef HAVE_ED25519 + return GNUTLS_PK_ECDSA; case DNSSEC_KEY_ALGORITHM_ED25519: return GNUTLS_PK_EDDSA_ED25519; -#endif #ifdef HAVE_ED448 case DNSSEC_KEY_ALGORITHM_ED448: return GNUTLS_PK_EDDSA_ED448; @@ -119,11 +117,7 @@ bool dnssec_algorithm_reproducible(dnssec_key_algorithm_t algorithm, bool enable return true; // those are always reproducible case DNSSEC_KEY_ALGORITHM_ECDSA_P256_SHA256: case DNSSEC_KEY_ALGORITHM_ECDSA_P384_SHA384: -#ifdef HAVE_GNUTLS_REPRODUCIBLE - return enabled; // Reproducible only if GnuTLS supports && enabled -#else - return false; -#endif + return enabled; // reproducible only if GnuTLS supports && enabled default: return false; } diff --git a/src/libdnssec/key/convert.c b/src/libdnssec/key/convert.c index 56168f7..d06c25e 100644 --- a/src/libdnssec/key/convert.c +++ b/src/libdnssec/key/convert.c @@ -1,4 +1,4 @@ -/* Copyright (C) 2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> +/* Copyright (C) 2023 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -104,20 +104,16 @@ static size_t ecdsa_curve_point_size(gnutls_ecc_curve_t curve) } } -#if defined(HAVE_ED25519) || defined(HAVE_ED448) static size_t eddsa_curve_point_size(gnutls_ecc_curve_t curve) { switch (curve) { -#ifdef HAVE_ED25519 case GNUTLS_ECC_CURVE_ED25519: return 32; -#endif #ifdef HAVE_ED448 case GNUTLS_ECC_CURVE_ED448: return 57; #endif default: return 0; } } -#endif /*! * Convert ECDSA public key to DNSSEC format. @@ -157,7 +153,6 @@ static int ecdsa_pubkey_to_rdata(gnutls_pubkey_t key, dnssec_binary_t *rdata) /*! * Convert EDDSA public key to DNSSEC format. */ -#if defined(HAVE_ED25519) || defined(HAVE_ED448) static int eddsa_pubkey_to_rdata(gnutls_pubkey_t key, dnssec_binary_t *rdata) { assert(key); @@ -187,7 +182,6 @@ static int eddsa_pubkey_to_rdata(gnutls_pubkey_t key, dnssec_binary_t *rdata) return DNSSEC_EOK; } -#endif /* -- crypto to DNSSEC ------------------------------------------------------*/ @@ -248,20 +242,16 @@ static gnutls_ecc_curve_t ecdsa_curve_from_rdata_size(size_t rdata_size) /*! * Get EDDSA curve based on DNSKEY RDATA size. */ -#if defined(HAVE_ED25519) || defined(HAVE_ED448) static gnutls_ecc_curve_t eddsa_curve_from_rdata_size(size_t rdata_size) { switch (rdata_size) { -#ifdef HAVE_ED25519 case 32: return GNUTLS_ECC_CURVE_ED25519; -#endif #ifdef HAVE_ED448 case 57: return GNUTLS_ECC_CURVE_ED448; #endif default: return GNUTLS_ECC_CURVE_INVALID; } } -#endif /*! * Convert ECDSA key in DNSSEC format to crypto key. @@ -296,7 +286,6 @@ static int ecdsa_rdata_to_pubkey(const dnssec_binary_t *rdata, gnutls_pubkey_t k /*! * Convert EDDSA key in DNSSEC format to crypto key. */ -#if defined(HAVE_ED25519) || defined(HAVE_ED448) static int eddsa_rdata_to_pubkey(const dnssec_binary_t *rdata, gnutls_pubkey_t key) { assert(rdata); @@ -320,7 +309,6 @@ static int eddsa_rdata_to_pubkey(const dnssec_binary_t *rdata, gnutls_pubkey_t k return DNSSEC_EOK; } -#endif /* -- internal API --------------------------------------------------------- */ @@ -339,10 +327,8 @@ int convert_pubkey_to_dnskey(gnutls_pubkey_t key, dnssec_binary_t *rdata) switch ((gnutls_pk_algorithm_t)algorithm) { case GNUTLS_PK_RSA: return rsa_pubkey_to_rdata(key, rdata); - case GNUTLS_PK_EC: return ecdsa_pubkey_to_rdata(key, rdata); -#ifdef HAVE_ED25519 + case GNUTLS_PK_ECDSA: return ecdsa_pubkey_to_rdata(key, rdata); case GNUTLS_PK_EDDSA_ED25519: return eddsa_pubkey_to_rdata(key, rdata); -#endif #ifdef HAVE_ED448 case GNUTLS_PK_EDDSA_ED448: return eddsa_pubkey_to_rdata(key, rdata); #endif @@ -363,10 +349,8 @@ int convert_dnskey_to_pubkey(uint8_t algorithm, const dnssec_binary_t *rdata, switch(gnutls_alg) { case GNUTLS_PK_RSA: return rsa_rdata_to_pubkey(rdata, key); - case GNUTLS_PK_EC: return ecdsa_rdata_to_pubkey(rdata, key); -#ifdef HAVE_ED25519 + case GNUTLS_PK_ECDSA: return ecdsa_rdata_to_pubkey(rdata, key); case GNUTLS_PK_EDDSA_ED25519: return eddsa_rdata_to_pubkey(rdata, key); -#endif #ifdef HAVE_ED448 case GNUTLS_PK_EDDSA_ED448: return eddsa_rdata_to_pubkey(rdata, key); #endif diff --git a/src/libdnssec/pem.c b/src/libdnssec/pem.c index fa463f6..41fd855 100644 --- a/src/libdnssec/pem.c +++ b/src/libdnssec/pem.c @@ -1,4 +1,4 @@ -/* Copyright (C) 2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> +/* Copyright (C) 2023 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -130,29 +130,10 @@ int dnssec_pem_from_x509(gnutls_x509_privkey_t key, dnssec_binary_t *pem) static int privkey_export_x509(gnutls_privkey_t key, gnutls_x509_privkey_t *_key) { -#ifdef HAVE_EXPORT_X509 if (gnutls_privkey_export_x509(key, _key) != GNUTLS_E_SUCCESS) { return DNSSEC_KEY_EXPORT_ERROR; } -#else // Needed for GnuTLS < 3.4.0 (CentOS 7) - struct privkey { // Extracted needed items only! - gnutls_privkey_type_t type; - gnutls_pk_algorithm_t pk_algorithm; - gnutls_x509_privkey_t x509; - }; - struct privkey *pkey = (struct privkey *)key; - assert(pkey->type == GNUTLS_PRIVKEY_X509); - - if (gnutls_x509_privkey_init(_key) != GNUTLS_E_SUCCESS) { - return DNSSEC_KEY_EXPORT_ERROR; - } - - if (gnutls_x509_privkey_cpy(*_key, pkey->x509) != GNUTLS_E_SUCCESS) { - gnutls_x509_privkey_deinit(*_key); - return DNSSEC_KEY_EXPORT_ERROR; - } -#endif return DNSSEC_EOK; } diff --git a/src/libdnssec/sign/sign.c b/src/libdnssec/sign/sign.c index 3a7bcba..727f650 100644 --- a/src/libdnssec/sign/sign.c +++ b/src/libdnssec/sign/sign.c @@ -1,4 +1,4 @@ -/* Copyright (C) 2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> +/* Copyright (C) 2023 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -202,34 +202,6 @@ static const algorithm_functions_t *get_functions(const dnssec_key_t *key) } } -#ifndef HAVE_SIGN_DATA2 -/*! - * Get digest algorithm used with a given key. - */ -static gnutls_digest_algorithm_t get_digest_algorithm(const dnssec_key_t *key) -{ - uint8_t algorithm = dnssec_key_get_algorithm(key); - - switch ((dnssec_key_algorithm_t)algorithm) { - case DNSSEC_KEY_ALGORITHM_RSA_SHA1: - case DNSSEC_KEY_ALGORITHM_RSA_SHA1_NSEC3: - return GNUTLS_DIG_SHA1; - case DNSSEC_KEY_ALGORITHM_RSA_SHA256: - case DNSSEC_KEY_ALGORITHM_ECDSA_P256_SHA256: - return GNUTLS_DIG_SHA256; - case DNSSEC_KEY_ALGORITHM_RSA_SHA512: - return GNUTLS_DIG_SHA512; - case DNSSEC_KEY_ALGORITHM_ECDSA_P384_SHA384: - return GNUTLS_DIG_SHA384; - case DNSSEC_KEY_ALGORITHM_ED25519: - case DNSSEC_KEY_ALGORITHM_ED448: - return GNUTLS_DIG_SHA512; - default: - return GNUTLS_DIG_UNKNOWN; - } -} -#endif - static gnutls_sign_algorithm_t algo_dnssec2gnutls(dnssec_key_algorithm_t algorithm) { switch (algorithm) { @@ -244,10 +216,8 @@ static gnutls_sign_algorithm_t algo_dnssec2gnutls(dnssec_key_algorithm_t algorit return GNUTLS_SIGN_RSA_SHA512; case DNSSEC_KEY_ALGORITHM_ECDSA_P384_SHA384: return GNUTLS_SIGN_ECDSA_SHA384; -#ifdef HAVE_ED25519 case DNSSEC_KEY_ALGORITHM_ED25519: return GNUTLS_SIGN_EDDSA_ED25519; -#endif #ifdef HAVE_ED448 case DNSSEC_KEY_ALGORITHM_ED448: return GNUTLS_SIGN_EDDSA_ED448; @@ -356,24 +326,15 @@ int dnssec_sign_write(dnssec_sign_ctx_t *ctx, dnssec_sign_flags_t flags, dnssec_ }; unsigned gnutls_flags = 0; -#ifdef HAVE_GNUTLS_REPRODUCIBLE if (flags & DNSSEC_SIGN_REPRODUCIBLE) { gnutls_flags |= GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE; } -#endif assert(ctx->key->private_key); _cleanup_datum_ gnutls_datum_t raw = { 0 }; -#ifdef HAVE_SIGN_DATA2 int result = gnutls_privkey_sign_data2(ctx->key->private_key, ctx->sign_algorithm, gnutls_flags, &data, &raw); -#else - gnutls_digest_algorithm_t digest_algorithm = get_digest_algorithm(ctx->key); - int result = gnutls_privkey_sign_data(ctx->key->private_key, - digest_algorithm, - gnutls_flags, &data, &raw); -#endif if (result < 0) { return DNSSEC_SIGN_ERROR; } diff --git a/src/libdnssec/version.h b/src/libdnssec/version.h index e72e2bd..cd5bad2 100644 --- a/src/libdnssec/version.h +++ b/src/libdnssec/version.h @@ -17,8 +17,8 @@ #pragma once #define DNSSEC_VERSION_MAJOR 3 -#define DNSSEC_VERSION_MINOR 3 -#define DNSSEC_VERSION_PATCH 0x09 +#define DNSSEC_VERSION_MINOR 4 +#define DNSSEC_VERSION_PATCH 0x00 #define DNSSEC_VERSION_HEX ((DNSSEC_VERSION_MAJOR << 16) | \ (DNSSEC_VERSION_MINOR << 8) | \ |