Diffstat (limited to '')
-rw-r--r-- | src/libdnssec/Makefile.inc | 3 | ||||
-rw-r--r-- | src/libdnssec/key/algorithm.c | 12 | ||||
-rw-r--r-- | src/libdnssec/key/convert.c | 22 | ||||
-rw-r--r-- | src/libdnssec/pem.c | 21 | ||||
-rw-r--r-- | src/libdnssec/sample_keys.h (renamed from tests/libdnssec/sample_keys.h) | 4 | ||||
-rw-r--r-- | src/libdnssec/sign/sign.c | 41 | ||||
-rw-r--r-- | src/libdnssec/version.h | 4 |
7 files changed, 15 insertions, 92 deletions
diff --git a/src/libdnssec/Makefile.inc b/src/libdnssec/Makefile.inc
index 981d841..62050b3 100644
--- a/src/libdnssec/Makefile.inc
+++ b/src/libdnssec/Makefile.inc
@@ -8,6 +8,9 @@ if ENABLE_PKCS11
 libdnssec_la_LIBADD += $(pthread_LIBS)
 endif
+EXTRA_DIST += \
+ libdnssec/sample_keys.h
+
 include_libdnssecdir = $(includedir)/libdnssec
 include_libdnssec_HEADERS = \
 libdnssec/binary.h \
diff --git a/src/libdnssec/key/algorithm.c b/src/libdnssec/key/algorithm.c
index a9bc3ee..d242442 100644
--- a/src/libdnssec/key/algorithm.c
+++ b/src/libdnssec/key/algorithm.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) 2023 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -93,11 +93,9 @@ gnutls_pk_algorithm_t algorithm_to_gnutls(dnssec_key_algorithm_t dnssec)
 return GNUTLS_PK_RSA;
 case DNSSEC_KEY_ALGORITHM_ECDSA_P256_SHA256:
 case DNSSEC_KEY_ALGORITHM_ECDSA_P384_SHA384:
- return GNUTLS_PK_EC;
-#ifdef HAVE_ED25519
+ return GNUTLS_PK_ECDSA;
 case DNSSEC_KEY_ALGORITHM_ED25519:
 return GNUTLS_PK_EDDSA_ED25519;
-#endif
 #ifdef HAVE_ED448
 case DNSSEC_KEY_ALGORITHM_ED448:
 return GNUTLS_PK_EDDSA_ED448;
@@ -119,11 +117,7 @@ bool dnssec_algorithm_reproducible(dnssec_key_algorithm_t algorithm, bool enable
 return true; // those are always reproducible
 case DNSSEC_KEY_ALGORITHM_ECDSA_P256_SHA256:
 case DNSSEC_KEY_ALGORITHM_ECDSA_P384_SHA384:
-#ifdef HAVE_GNUTLS_REPRODUCIBLE
- return enabled; // Reproducible only if GnuTLS supports && enabled
-#else
- return false;
-#endif
+ return enabled; // reproducible only if GnuTLS supports && enabled
 default:
 return false;
 }
diff --git a/src/libdnssec/key/convert.c b/src/libdnssec/key/convert.c
index 56168f7..d06c25e 100644
--- a/src/libdnssec/key/convert.c
+++ b/src/libdnssec/key/convert.c
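Review bot: `sample_keys.h` is added to `EXTRA_DIST` directly above `include_libdnssec_HEADERS`, and nothing in the hunk records that it must stay out of the installed-header list. The file is being moved here from `tests/libdnssec/` and, judging by its `key_parameters` struct, presumably carries fixed test key material, which has no business in `$(includedir)`. A one-line comment would stop the next editor from "fixing" the apparent omission: `# test fixtures only (sample keys): shipped in the tarball, never installed`.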
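Review bot: In `algorithm_to_gnutls` the `DNSSEC_KEY_ALGORITHM_ED25519` case is now compiled unconditionally while `DNSSEC_KEY_ALGORITHM_ED448` keeps its `#ifdef HAVE_ED448` guard, and nothing says why the two differ. Presumably the configure-time GnuTLS minimum now guarantees Ed25519 whereas Ed448 still depends on a newer GnuTLS; that version floor is not in this diff, so I cannot confirm it. A comment on the surviving guard would keep someone from dropping it by analogy: `#ifdef HAVE_ED448 /* Ed448 needs a newer GnuTLS than the configure minimum */`. `algorithm_to_gnutls` starts and ends outside the hunk.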
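Review bot: The new comment `// reproducible only if GnuTLS supports && enabled` no longer matches the code in `dnssec_algorithm_reproducible`: the `HAVE_GNUTLS_REPRODUCIBLE` test was removed, so for the two ECDSA algorithms the function returns `enabled` with no support check at all, and a reader will go looking for one that is not there. If the guarantee now comes from a configure-time minimum GnuTLS version (not visible in this diff), say so: `return enabled; // deterministic ECDSA is opt-in; GnuTLS support is guaranteed by the configure-time minimum version`. It is also worth a sentence for callers that `false` here means each ECDSA signature draws a fresh random nonce, so the RNG quality on the signing host matters. `dnssec_algorithm_reproducible` begins outside the hunk.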
@@ -1,4 +1,4 @@
-/* Copyright (C) 2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) 2023 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -104,20 +104,16 @@ static size_t ecdsa_curve_point_size(gnutls_ecc_curve_t curve)
 }
 }
-#if defined(HAVE_ED25519) || defined(HAVE_ED448)
 static size_t eddsa_curve_point_size(gnutls_ecc_curve_t curve)
 {
 switch (curve) {
-#ifdef HAVE_ED25519
 case GNUTLS_ECC_CURVE_ED25519: return 32;
-#endif
 #ifdef HAVE_ED448
 case GNUTLS_ECC_CURVE_ED448: return 57;
 #endif
 default: return 0;
 }
 }
-#endif
 /*!
 * Convert ECDSA public key to DNSSEC format.
@@ -157,7 +153,6 @@ static int ecdsa_pubkey_to_rdata(gnutls_pubkey_t key, dnssec_binary_t *rdata)
 /*!
 * Convert EDDSA public key to DNSSEC format.
 */
-#if defined(HAVE_ED25519) || defined(HAVE_ED448)
 static int eddsa_pubkey_to_rdata(gnutls_pubkey_t key, dnssec_binary_t *rdata)
 {
 assert(key);
@@ -187,7 +182,6 @@ static int eddsa_pubkey_to_rdata(gnutls_pubkey_t key, dnssec_binary_t *rdata)
 return DNSSEC_EOK;
 }
-#endif
 /* -- crypto to DNSSEC ------------------------------------------------------*/
@@ -248,20 +242,16 @@ static gnutls_ecc_curve_t ecdsa_curve_from_rdata_size(size_t rdata_size)
 /*!
 * Get EDDSA curve based on DNSKEY RDATA size.
 */
-#if defined(HAVE_ED25519) || defined(HAVE_ED448)
 static gnutls_ecc_curve_t eddsa_curve_from_rdata_size(size_t rdata_size)
 {
 switch (rdata_size) {
-#ifdef HAVE_ED25519
 case 32: return GNUTLS_ECC_CURVE_ED25519;
-#endif
 #ifdef HAVE_ED448
 case 57: return GNUTLS_ECC_CURVE_ED448;
 #endif
 default: return GNUTLS_ECC_CURVE_INVALID;
 }
 }
-#endif
 /*!
 * Convert ECDSA key in DNSSEC format to crypto key.
@@ -296,7 +286,6 @@ static int ecdsa_rdata_to_pubkey(const dnssec_binary_t *rdata, gnutls_pubkey_t k
 /*!
 * Convert EDDSA key in DNSSEC format to crypto key.
 */
-#if defined(HAVE_ED25519) || defined(HAVE_ED448)
 static int eddsa_rdata_to_pubkey(const dnssec_binary_t *rdata, gnutls_pubkey_t key)
 {
 assert(rdata);
@@ -320,7 +309,6 @@ static int eddsa_rdata_to_pubkey(const dnssec_binary_t *rdata, gnutls_pubkey_t k
 return DNSSEC_EOK;
 }
-#endif
 /* -- internal API --------------------------------------------------------- */
@@ -339,10 +327,8 @@ int convert_pubkey_to_dnskey(gnutls_pubkey_t key, dnssec_binary_t *rdata)
 switch ((gnutls_pk_algorithm_t)algorithm) {
 case GNUTLS_PK_RSA: return rsa_pubkey_to_rdata(key, rdata);
- case GNUTLS_PK_EC: return ecdsa_pubkey_to_rdata(key, rdata);
-#ifdef HAVE_ED25519
+ case GNUTLS_PK_ECDSA: return ecdsa_pubkey_to_rdata(key, rdata);
 case GNUTLS_PK_EDDSA_ED25519: return eddsa_pubkey_to_rdata(key, rdata);
-#endif
 #ifdef HAVE_ED448
 case GNUTLS_PK_EDDSA_ED448: return eddsa_pubkey_to_rdata(key, rdata);
 #endif
@@ -363,10 +349,8 @@ int convert_dnskey_to_pubkey(uint8_t algorithm, const dnssec_binary_t *rdata,
 switch(gnutls_alg) {
 case GNUTLS_PK_RSA: return rsa_rdata_to_pubkey(rdata, key);
- case GNUTLS_PK_EC: return ecdsa_rdata_to_pubkey(rdata, key);
-#ifdef HAVE_ED25519
+ case GNUTLS_PK_ECDSA: return ecdsa_rdata_to_pubkey(rdata, key);
 case GNUTLS_PK_EDDSA_ED25519: return eddsa_rdata_to_pubkey(rdata, key);
-#endif
 #ifdef HAVE_ED448
 case GNUTLS_PK_EDDSA_ED448: return eddsa_rdata_to_pubkey(rdata, key);
 #endif
diff --git a/src/libdnssec/pem.c b/src/libdnssec/pem.c
index fa463f6..41fd855 100644
--- a/src/libdnssec/pem.c
+++ b/src/libdnssec/pem.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) 2023 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -130,29 +130,10 @@ int dnssec_pem_from_x509(gnutls_x509_privkey_t key, dnssec_binary_t *pem)
 static int privkey_export_x509(gnutls_privkey_t key, gnutls_x509_privkey_t *_key)
 {
-#ifdef HAVE_EXPORT_X509
 if (gnutls_privkey_export_x509(key, _key) != GNUTLS_E_SUCCESS) {
 return DNSSEC_KEY_EXPORT_ERROR;
 }
-#else // Needed for GnuTLS < 3.4.0 (CentOS 7)
- struct privkey { // Extracted needed items only!
- gnutls_privkey_type_t type;
- gnutls_pk_algorithm_t pk_algorithm;
- gnutls_x509_privkey_t x509;
- };
- struct privkey *pkey = (struct privkey *)key;
- assert(pkey->type == GNUTLS_PRIVKEY_X509);
-
- if (gnutls_x509_privkey_init(_key) != GNUTLS_E_SUCCESS) {
- return DNSSEC_KEY_EXPORT_ERROR;
- }
-
- if (gnutls_x509_privkey_cpy(*_key, pkey->x509) != GNUTLS_E_SUCCESS) {
- gnutls_x509_privkey_deinit(*_key);
- return DNSSEC_KEY_EXPORT_ERROR;
- }
-#endif
 return DNSSEC_EOK;
 }
diff --git a/tests/libdnssec/sample_keys.h b/src/libdnssec/sample_keys.h
index cd9f18f..5b6155e 100644
--- a/tests/libdnssec/sample_keys.h
+++ b/src/libdnssec/sample_keys.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2021 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) 2024 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -16,7 +16,7 @@
 #pragma once
-#include <binary.h>
+#include "libdnssec/binary.h"
 typedef struct key_parameters {
 // DNSSEC fields
diff --git a/src/libdnssec/sign/sign.c b/src/libdnssec/sign/sign.c
index 3a7bcba..727f650 100644
--- a/src/libdnssec/sign/sign.c
+++ b/src/libdnssec/sign/sign.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) 2023 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
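Review bot: `privkey_export_x509` now has a single path through `gnutls_privkey_export_x509()`, and its failure is collapsed into `DNSSEC_KEY_EXPORT_ERROR` with the GnuTLS error code discarded; the removed fallback at least asserted `pkey->type == GNUTLS_PRIVKEY_X509`, and that precondition is no longer stated anywhere. As far as I recall GnuTLS only exports keys that are X.509-backed, so a PKCS#11-backed key presumably fails here by design rather than by accident, which deserves a header comment: `/*! Export the X.509 key behind a gnutls_privkey_t; keys not backed by X.509 (e.g. PKCS#11) fail with DNSSEC_KEY_EXPORT_ERROR. */`. If that is not the intended contract, the caller needs a way to tell "unsupported key type" from "export failed".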
@@ -202,34 +202,6 @@ static const algorithm_functions_t *get_functions(const dnssec_key_t *key)
 }
 }
-#ifndef HAVE_SIGN_DATA2
-/*!
- * Get digest algorithm used with a given key.
- */
-static gnutls_digest_algorithm_t get_digest_algorithm(const dnssec_key_t *key)
-{
- uint8_t algorithm = dnssec_key_get_algorithm(key);
-
- switch ((dnssec_key_algorithm_t)algorithm) {
- case DNSSEC_KEY_ALGORITHM_RSA_SHA1:
- case DNSSEC_KEY_ALGORITHM_RSA_SHA1_NSEC3:
- return GNUTLS_DIG_SHA1;
- case DNSSEC_KEY_ALGORITHM_RSA_SHA256:
- case DNSSEC_KEY_ALGORITHM_ECDSA_P256_SHA256:
- return GNUTLS_DIG_SHA256;
- case DNSSEC_KEY_ALGORITHM_RSA_SHA512:
- return GNUTLS_DIG_SHA512;
- case DNSSEC_KEY_ALGORITHM_ECDSA_P384_SHA384:
- return GNUTLS_DIG_SHA384;
- case DNSSEC_KEY_ALGORITHM_ED25519:
- case DNSSEC_KEY_ALGORITHM_ED448:
- return GNUTLS_DIG_SHA512;
- default:
- return GNUTLS_DIG_UNKNOWN;
- }
-}
-#endif
-
 static gnutls_sign_algorithm_t algo_dnssec2gnutls(dnssec_key_algorithm_t algorithm)
 {
 switch (algorithm) {
@@ -244,10 +216,8 @@ static gnutls_sign_algorithm_t algo_dnssec2gnutls(dnssec_key_algorithm_t algorit
 return GNUTLS_SIGN_RSA_SHA512;
 case DNSSEC_KEY_ALGORITHM_ECDSA_P384_SHA384:
 return GNUTLS_SIGN_ECDSA_SHA384;
-#ifdef HAVE_ED25519
 case DNSSEC_KEY_ALGORITHM_ED25519:
 return GNUTLS_SIGN_EDDSA_ED25519;
-#endif
 #ifdef HAVE_ED448
 case DNSSEC_KEY_ALGORITHM_ED448:
 return GNUTLS_SIGN_EDDSA_ED448;
@@ -356,24 +326,15 @@ int dnssec_sign_write(dnssec_sign_ctx_t *ctx, dnssec_sign_flags_t flags, dnssec_
 };
 unsigned gnutls_flags = 0;
-#ifdef HAVE_GNUTLS_REPRODUCIBLE
 if (flags & DNSSEC_SIGN_REPRODUCIBLE) {
 gnutls_flags |= GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE;
 }
-#endif
 assert(ctx->key->private_key);
 _cleanup_datum_ gnutls_datum_t raw = { 0 };
-#ifdef HAVE_SIGN_DATA2
 int result = gnutls_privkey_sign_data2(ctx->key->private_key, ctx->sign_algorithm, gnutls_flags, &data, &raw);
-#else
- gnutls_digest_algorithm_t digest_algorithm = get_digest_algorithm(ctx->key);
- int result = gnutls_privkey_sign_data(ctx->key->private_key,
- digest_algorithm,
- gnutls_flags, &data, &raw);
-#endif
 if (result < 0) {
 return DNSSEC_SIGN_ERROR;
 }
diff --git a/src/libdnssec/version.h b/src/libdnssec/version.h
index c8edcd0..cd5bad2 100644
--- a/src/libdnssec/version.h
+++ b/src/libdnssec/version.h
@@ -17,8 +17,8 @@
 #pragma once
 #define DNSSEC_VERSION_MAJOR 3
-#define DNSSEC_VERSION_MINOR 3
-#define DNSSEC_VERSION_PATCH 0x07
+#define DNSSEC_VERSION_MINOR 4
+#define DNSSEC_VERSION_PATCH 0x00
 #define DNSSEC_VERSION_HEX ((DNSSEC_VERSION_MAJOR << 16) | \
 (DNSSEC_VERSION_MINOR << 8) | \ |
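Review bot: In `dnssec_sign_write` the `GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE` flag is now always forwarded when the caller sets `DNSSEC_SIGN_REPRODUCIBLE`, but every negative result from `gnutls_privkey_sign_data2()` is still folded into a bare `DNSSEC_SIGN_ERROR`, so a backend that cannot honour the flag (a PKCS#11 token, presumably) becomes indistinguishable from a corrupt key or bad input. Consider preserving the cause in a debug log before returning, or at least a comment on the `if (result < 0)` branch: `// GnuTLS rejects the REPRODUCIBLE flag for backends without deterministic signing; the error code is lost here`. Note too that `assert(ctx->key->private_key)` is the only guard before the call and compiles out under NDEBUG; fine if every caller already checks, but a comment saying so would help. `dnssec_sign_write` starts and ends outside the hunk.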