Diffstat (limited to '')
-rw-r--r--src/libdnssec/Makefile.inc3
-rw-r--r--src/libdnssec/key/algorithm.c12
-rw-r--r--src/libdnssec/key/convert.c22
-rw-r--r--src/libdnssec/pem.c21
-rw-r--r--src/libdnssec/sample_keys.h (renamed from tests/libdnssec/sample_keys.h)4
-rw-r--r--src/libdnssec/sign/sign.c41
-rw-r--r--src/libdnssec/version.h4
7 files changed, 15 insertions, 92 deletions
diff --git a/src/libdnssec/Makefile.inc b/src/libdnssec/Makefile.inc
index 981d841..62050b3 100644
--- a/src/libdnssec/Makefile.inc
+++ b/src/libdnssec/Makefile.inc
@@ -8,6 +8,9 @@ if ENABLE_PKCS11
libdnssec_la_LIBADD += $(pthread_LIBS)
endif
+EXTRA_DIST += \
+ libdnssec/sample_keys.h
+
include_libdnssecdir = $(includedir)/libdnssec
include_libdnssec_HEADERS = \
libdnssec/binary.h \
diff --git a/src/libdnssec/key/algorithm.c b/src/libdnssec/key/algorithm.c
index a9bc3ee..d242442 100644
--- a/src/libdnssec/key/algorithm.c
+++ b/src/libdnssec/key/algorithm.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) 2023 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -93,11 +93,9 @@ gnutls_pk_algorithm_t algorithm_to_gnutls(dnssec_key_algorithm_t dnssec)
return GNUTLS_PK_RSA;
case DNSSEC_KEY_ALGORITHM_ECDSA_P256_SHA256:
case DNSSEC_KEY_ALGORITHM_ECDSA_P384_SHA384:
- return GNUTLS_PK_EC;
-#ifdef HAVE_ED25519
+ return GNUTLS_PK_ECDSA;
case DNSSEC_KEY_ALGORITHM_ED25519:
return GNUTLS_PK_EDDSA_ED25519;
-#endif
#ifdef HAVE_ED448
case DNSSEC_KEY_ALGORITHM_ED448:
return GNUTLS_PK_EDDSA_ED448;
@@ -119,11 +117,7 @@ bool dnssec_algorithm_reproducible(dnssec_key_algorithm_t algorithm, bool enable
return true; // those are always reproducible
case DNSSEC_KEY_ALGORITHM_ECDSA_P256_SHA256:
case DNSSEC_KEY_ALGORITHM_ECDSA_P384_SHA384:
-#ifdef HAVE_GNUTLS_REPRODUCIBLE
- return enabled; // Reproducible only if GnuTLS supports && enabled
-#else
- return false;
-#endif
+ return enabled; // reproducible only if GnuTLS supports && enabled
default:
return false;
}
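Review bot: The comment on the new `return enabled;` line still reads "reproducible only if GnuTLS supports && enabled", but the `HAVE_GNUTLS_REPRODUCIBLE` test that gave the "supports" half its meaning is exactly what this hunk removes, so the comment now describes a condition the function no longer checks. Suggest `return enabled; // reproducible when requested; GnuTLS support is assumed at build time`. dnssec_algorithm_reproducible begins and ends outside the hunk.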
diff --git a/src/libdnssec/key/convert.c b/src/libdnssec/key/convert.c
index 56168f7..d06c25e 100644
--- a/src/libdnssec/key/convert.c
+++ b/src/libdnssec/key/convert.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) 2023 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -104,20 +104,16 @@ static size_t ecdsa_curve_point_size(gnutls_ecc_curve_t curve)
}
}
-#if defined(HAVE_ED25519) || defined(HAVE_ED448)
static size_t eddsa_curve_point_size(gnutls_ecc_curve_t curve)
{
switch (curve) {
-#ifdef HAVE_ED25519
case GNUTLS_ECC_CURVE_ED25519: return 32;
-#endif
#ifdef HAVE_ED448
case GNUTLS_ECC_CURVE_ED448: return 57;
#endif
default: return 0;
}
}
-#endif
/*!
* Convert ECDSA public key to DNSSEC format.
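Review bot: After the Ed25519 guard is dropped, `#ifdef HAVE_ED448` is the only conditional left in eddsa_curve_point_size, and a reader can no longer tell from the code why one EdDSA curve is unconditional while the other is still optional. A one-line comment at that `#ifdef`, such as `/* Ed448 is optional: presumably depends on the GnuTLS build — confirm */`, would record the reason; the same applies to the remaining HAVE_ED448 guards in the later hunks of this file and in algorithm.c and sign.c.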
@@ -157,7 +153,6 @@ static int ecdsa_pubkey_to_rdata(gnutls_pubkey_t key, dnssec_binary_t *rdata)
/*!
* Convert EDDSA public key to DNSSEC format.
*/
-#if defined(HAVE_ED25519) || defined(HAVE_ED448)
static int eddsa_pubkey_to_rdata(gnutls_pubkey_t key, dnssec_binary_t *rdata)
{
assert(key);
@@ -187,7 +182,6 @@ static int eddsa_pubkey_to_rdata(gnutls_pubkey_t key, dnssec_binary_t *rdata)
return DNSSEC_EOK;
}
-#endif
/* -- crypto to DNSSEC ------------------------------------------------------*/
@@ -248,20 +242,16 @@ static gnutls_ecc_curve_t ecdsa_curve_from_rdata_size(size_t rdata_size)
/*!
* Get EDDSA curve based on DNSKEY RDATA size.
*/
-#if defined(HAVE_ED25519) || defined(HAVE_ED448)
static gnutls_ecc_curve_t eddsa_curve_from_rdata_size(size_t rdata_size)
{
switch (rdata_size) {
-#ifdef HAVE_ED25519
case 32: return GNUTLS_ECC_CURVE_ED25519;
-#endif
#ifdef HAVE_ED448
case 57: return GNUTLS_ECC_CURVE_ED448;
#endif
default: return GNUTLS_ECC_CURVE_INVALID;
}
}
-#endif
/*!
* Convert ECDSA key in DNSSEC format to crypto key.
@@ -296,7 +286,6 @@ static int ecdsa_rdata_to_pubkey(const dnssec_binary_t *rdata, gnutls_pubkey_t k
/*!
* Convert EDDSA key in DNSSEC format to crypto key.
*/
-#if defined(HAVE_ED25519) || defined(HAVE_ED448)
static int eddsa_rdata_to_pubkey(const dnssec_binary_t *rdata, gnutls_pubkey_t key)
{
assert(rdata);
@@ -320,7 +309,6 @@ static int eddsa_rdata_to_pubkey(const dnssec_binary_t *rdata, gnutls_pubkey_t k
return DNSSEC_EOK;
}
-#endif
/* -- internal API --------------------------------------------------------- */
@@ -339,10 +327,8 @@ int convert_pubkey_to_dnskey(gnutls_pubkey_t key, dnssec_binary_t *rdata)
switch ((gnutls_pk_algorithm_t)algorithm) {
case GNUTLS_PK_RSA: return rsa_pubkey_to_rdata(key, rdata);
- case GNUTLS_PK_EC: return ecdsa_pubkey_to_rdata(key, rdata);
-#ifdef HAVE_ED25519
+ case GNUTLS_PK_ECDSA: return ecdsa_pubkey_to_rdata(key, rdata);
case GNUTLS_PK_EDDSA_ED25519: return eddsa_pubkey_to_rdata(key, rdata);
-#endif
#ifdef HAVE_ED448
case GNUTLS_PK_EDDSA_ED448: return eddsa_pubkey_to_rdata(key, rdata);
#endif
@@ -363,10 +349,8 @@ int convert_dnskey_to_pubkey(uint8_t algorithm, const dnssec_binary_t *rdata,
switch(gnutls_alg) {
case GNUTLS_PK_RSA: return rsa_rdata_to_pubkey(rdata, key);
- case GNUTLS_PK_EC: return ecdsa_rdata_to_pubkey(rdata, key);
-#ifdef HAVE_ED25519
+ case GNUTLS_PK_ECDSA: return ecdsa_rdata_to_pubkey(rdata, key);
case GNUTLS_PK_EDDSA_ED25519: return eddsa_rdata_to_pubkey(rdata, key);
-#endif
#ifdef HAVE_ED448
case GNUTLS_PK_EDDSA_ED448: return eddsa_rdata_to_pubkey(rdata, key);
#endif
diff --git a/src/libdnssec/pem.c b/src/libdnssec/pem.c
index fa463f6..41fd855 100644
--- a/src/libdnssec/pem.c
+++ b/src/libdnssec/pem.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) 2023 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -130,29 +130,10 @@ int dnssec_pem_from_x509(gnutls_x509_privkey_t key, dnssec_binary_t *pem)
static int privkey_export_x509(gnutls_privkey_t key, gnutls_x509_privkey_t *_key)
{
-#ifdef HAVE_EXPORT_X509
if (gnutls_privkey_export_x509(key, _key) != GNUTLS_E_SUCCESS) {
return DNSSEC_KEY_EXPORT_ERROR;
}
-#else // Needed for GnuTLS < 3.4.0 (CentOS 7)
- struct privkey { // Extracted needed items only!
- gnutls_privkey_type_t type;
- gnutls_pk_algorithm_t pk_algorithm;
- gnutls_x509_privkey_t x509;
- };
- struct privkey *pkey = (struct privkey *)key;
- assert(pkey->type == GNUTLS_PRIVKEY_X509);
-
- if (gnutls_x509_privkey_init(_key) != GNUTLS_E_SUCCESS) {
- return DNSSEC_KEY_EXPORT_ERROR;
- }
-
- if (gnutls_x509_privkey_cpy(*_key, pkey->x509) != GNUTLS_E_SUCCESS) {
- gnutls_x509_privkey_deinit(*_key);
- return DNSSEC_KEY_EXPORT_ERROR;
- }
-#endif
return DNSSEC_EOK;
}
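Review bot: privkey_export_x509 now has a single code path but no contract comment, and the removed fallback (with its explicit gnutls_x509_privkey_init) was the only place that made it visible that `*_key` is a freshly created object the caller owns. Suggest a header above the function: `/*! Export the X.509 private key behind an abstract key. On success *_key is a new gnutls_x509_privkey_t that the caller must release with gnutls_x509_privkey_deinit(). */`. If the deleted `assert(pkey->type == GNUTLS_PRIVKEY_X509)` was the only assert() in pem.c, the `<assert.h>` include may now be unused — worth checking outside this hunk.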
diff --git a/tests/libdnssec/sample_keys.h b/src/libdnssec/sample_keys.h
index cd9f18f..5b6155e 100644
--- a/tests/libdnssec/sample_keys.h
+++ b/src/libdnssec/sample_keys.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2021 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) 2024 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -16,7 +16,7 @@
#pragma once
-#include <binary.h>
+#include "libdnssec/binary.h"
typedef struct key_parameters {
// DNSSEC fields
diff --git a/src/libdnssec/sign/sign.c b/src/libdnssec/sign/sign.c
index 3a7bcba..727f650 100644
--- a/src/libdnssec/sign/sign.c
+++ b/src/libdnssec/sign/sign.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) 2023 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -202,34 +202,6 @@ static const algorithm_functions_t *get_functions(const dnssec_key_t *key)
}
}
-#ifndef HAVE_SIGN_DATA2
-/*!
- * Get digest algorithm used with a given key.
- */
-static gnutls_digest_algorithm_t get_digest_algorithm(const dnssec_key_t *key)
-{
- uint8_t algorithm = dnssec_key_get_algorithm(key);
-
- switch ((dnssec_key_algorithm_t)algorithm) {
- case DNSSEC_KEY_ALGORITHM_RSA_SHA1:
- case DNSSEC_KEY_ALGORITHM_RSA_SHA1_NSEC3:
- return GNUTLS_DIG_SHA1;
- case DNSSEC_KEY_ALGORITHM_RSA_SHA256:
- case DNSSEC_KEY_ALGORITHM_ECDSA_P256_SHA256:
- return GNUTLS_DIG_SHA256;
- case DNSSEC_KEY_ALGORITHM_RSA_SHA512:
- return GNUTLS_DIG_SHA512;
- case DNSSEC_KEY_ALGORITHM_ECDSA_P384_SHA384:
- return GNUTLS_DIG_SHA384;
- case DNSSEC_KEY_ALGORITHM_ED25519:
- case DNSSEC_KEY_ALGORITHM_ED448:
- return GNUTLS_DIG_SHA512;
- default:
- return GNUTLS_DIG_UNKNOWN;
- }
-}
-#endif
-
static gnutls_sign_algorithm_t algo_dnssec2gnutls(dnssec_key_algorithm_t algorithm)
{
switch (algorithm) {
@@ -244,10 +216,8 @@ static gnutls_sign_algorithm_t algo_dnssec2gnutls(dnssec_key_algorithm_t algorit
return GNUTLS_SIGN_RSA_SHA512;
case DNSSEC_KEY_ALGORITHM_ECDSA_P384_SHA384:
return GNUTLS_SIGN_ECDSA_SHA384;
-#ifdef HAVE_ED25519
case DNSSEC_KEY_ALGORITHM_ED25519:
return GNUTLS_SIGN_EDDSA_ED25519;
-#endif
#ifdef HAVE_ED448
case DNSSEC_KEY_ALGORITHM_ED448:
return GNUTLS_SIGN_EDDSA_ED448;
@@ -356,24 +326,15 @@ int dnssec_sign_write(dnssec_sign_ctx_t *ctx, dnssec_sign_flags_t flags, dnssec_
};
unsigned gnutls_flags = 0;
-#ifdef HAVE_GNUTLS_REPRODUCIBLE
if (flags & DNSSEC_SIGN_REPRODUCIBLE) {
gnutls_flags |= GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE;
}
-#endif
assert(ctx->key->private_key);
_cleanup_datum_ gnutls_datum_t raw = { 0 };
-#ifdef HAVE_SIGN_DATA2
int result = gnutls_privkey_sign_data2(ctx->key->private_key,
ctx->sign_algorithm,
gnutls_flags, &data, &raw);
-#else
- gnutls_digest_algorithm_t digest_algorithm = get_digest_algorithm(ctx->key);
- int result = gnutls_privkey_sign_data(ctx->key->private_key,
- digest_algorithm,
- gnutls_flags, &data, &raw);
-#endif
if (result < 0) {
return DNSSEC_SIGN_ERROR;
}
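Review bot: With the `HAVE_SIGN_DATA2` and `HAVE_GNUTLS_REPRODUCIBLE` fallbacks removed here (and the matching removals in algorithm.c and the get_digest_algorithm deletion earlier in this file), gnutls_privkey_sign_data2 and GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE become unconditional build requirements, yet nothing on this page records the raised GnuTLS floor beyond the version.h bump. Suggest a short comment at the call, `// requires a GnuTLS providing gnutls_privkey_sign_data2() and GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE`, with the minimum version stated alongside the library's other documented build requirements. On the failure path `result` is discarded when returning DNSSEC_SIGN_ERROR, so the GnuTLS error code is lost to callers and logs; that predates this change but is the only diagnostic for a failed signature. dnssec_sign_write begins and ends outside the hunk.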
diff --git a/src/libdnssec/version.h b/src/libdnssec/version.h
index c8edcd0..cd5bad2 100644
--- a/src/libdnssec/version.h
+++ b/src/libdnssec/version.h
@@ -17,8 +17,8 @@
#pragma once
#define DNSSEC_VERSION_MAJOR 3
-#define DNSSEC_VERSION_MINOR 3
-#define DNSSEC_VERSION_PATCH 0x07
+#define DNSSEC_VERSION_MINOR 4
+#define DNSSEC_VERSION_PATCH 0x00
#define DNSSEC_VERSION_HEX ((DNSSEC_VERSION_MAJOR << 16) | \
(DNSSEC_VERSION_MINOR << 8) | \