rsasha256 and rsasha512 not enabled by default.
git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@1631 be551aaa-1e26-0410-a405-d3ace91eadb9
parent
5d54dfa2f7
commit
e6df7cd585
@ -400,6 +400,9 @@
|
||||
/* Define if you want to use internal select based events */
|
||||
#undef USE_MINI_EVENT
|
||||
|
||||
/* Define this to enable SHA256 and SHA512 support. */
|
||||
#undef USE_SHA2
|
||||
|
||||
/* Whether the windows socket API is used */
|
||||
#undef USE_WINSOCK
|
||||
|
||||
|
64
configure
vendored
64
configure
vendored
@ -1464,6 +1464,7 @@ Optional Features:
|
||||
optimize for fast installation [default=yes]
|
||||
--disable-libtool-lock avoid locking (might break parallel builds)
|
||||
--disable-rpath disable hardcoded rpath (default=enabled)
|
||||
--enable-sha2 Enable SHA256 and SHA512 RRSIG support
|
||||
--enable-static-exe enable to compile executables statically against
|
||||
event, ldns libs, for debug purposes
|
||||
--enable-lock-checks enable to check lock and unlock calls, for debug
|
||||
@ -6881,7 +6882,7 @@ ia64-*-hpux*)
|
||||
;;
|
||||
*-*-irix6*)
|
||||
# Find out which ABI we are using.
|
||||
echo '#line 6884 "configure"' > conftest.$ac_ext
|
||||
echo '#line 6885 "configure"' > conftest.$ac_ext
|
||||
if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
|
||||
(eval $ac_compile) 2>&5
|
||||
ac_status=$?
|
||||
@ -8195,11 +8196,11 @@ else
|
||||
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
|
||||
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
|
||||
-e 's:$: $lt_compiler_flag:'`
|
||||
(eval echo "\"\$as_me:8198: $lt_compile\"" >&5)
|
||||
(eval echo "\"\$as_me:8199: $lt_compile\"" >&5)
|
||||
(eval "$lt_compile" 2>conftest.err)
|
||||
ac_status=$?
|
||||
cat conftest.err >&5
|
||||
echo "$as_me:8202: \$? = $ac_status" >&5
|
||||
echo "$as_me:8203: \$? = $ac_status" >&5
|
||||
if (exit $ac_status) && test -s "$ac_outfile"; then
|
||||
# The compiler can only warn and ignore the option if not recognized
|
||||
# So say no if there are warnings other than the usual output.
|
||||
@ -8485,11 +8486,11 @@ else
|
||||
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
|
||||
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
|
||||
-e 's:$: $lt_compiler_flag:'`
|
||||
(eval echo "\"\$as_me:8488: $lt_compile\"" >&5)
|
||||
(eval echo "\"\$as_me:8489: $lt_compile\"" >&5)
|
||||
(eval "$lt_compile" 2>conftest.err)
|
||||
ac_status=$?
|
||||
cat conftest.err >&5
|
||||
echo "$as_me:8492: \$? = $ac_status" >&5
|
||||
echo "$as_me:8493: \$? = $ac_status" >&5
|
||||
if (exit $ac_status) && test -s "$ac_outfile"; then
|
||||
# The compiler can only warn and ignore the option if not recognized
|
||||
# So say no if there are warnings other than the usual output.
|
||||
@ -8589,11 +8590,11 @@ else
|
||||
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
|
||||
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
|
||||
-e 's:$: $lt_compiler_flag:'`
|
||||
(eval echo "\"\$as_me:8592: $lt_compile\"" >&5)
|
||||
(eval echo "\"\$as_me:8593: $lt_compile\"" >&5)
|
||||
(eval "$lt_compile" 2>out/conftest.err)
|
||||
ac_status=$?
|
||||
cat out/conftest.err >&5
|
||||
echo "$as_me:8596: \$? = $ac_status" >&5
|
||||
echo "$as_me:8597: \$? = $ac_status" >&5
|
||||
if (exit $ac_status) && test -s out/conftest2.$ac_objext
|
||||
then
|
||||
# The compiler can only warn and ignore the option if not recognized
|
||||
@ -10940,7 +10941,7 @@ else
|
||||
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
|
||||
lt_status=$lt_dlunknown
|
||||
cat > conftest.$ac_ext <<EOF
|
||||
#line 10943 "configure"
|
||||
#line 10944 "configure"
|
||||
#include "confdefs.h"
|
||||
|
||||
#if HAVE_DLFCN_H
|
||||
@ -11040,7 +11041,7 @@ else
|
||||
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
|
||||
lt_status=$lt_dlunknown
|
||||
cat > conftest.$ac_ext <<EOF
|
||||
#line 11043 "configure"
|
||||
#line 11044 "configure"
|
||||
#include "confdefs.h"
|
||||
|
||||
#if HAVE_DLFCN_H
|
||||
@ -13460,11 +13461,11 @@ else
|
||||
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
|
||||
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
|
||||
-e 's:$: $lt_compiler_flag:'`
|
||||
(eval echo "\"\$as_me:13463: $lt_compile\"" >&5)
|
||||
(eval echo "\"\$as_me:13464: $lt_compile\"" >&5)
|
||||
(eval "$lt_compile" 2>conftest.err)
|
||||
ac_status=$?
|
||||
cat conftest.err >&5
|
||||
echo "$as_me:13467: \$? = $ac_status" >&5
|
||||
echo "$as_me:13468: \$? = $ac_status" >&5
|
||||
if (exit $ac_status) && test -s "$ac_outfile"; then
|
||||
# The compiler can only warn and ignore the option if not recognized
|
||||
# So say no if there are warnings other than the usual output.
|
||||
@ -13564,11 +13565,11 @@ else
|
||||
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
|
||||
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
|
||||
-e 's:$: $lt_compiler_flag:'`
|
||||
(eval echo "\"\$as_me:13567: $lt_compile\"" >&5)
|
||||
(eval echo "\"\$as_me:13568: $lt_compile\"" >&5)
|
||||
(eval "$lt_compile" 2>out/conftest.err)
|
||||
ac_status=$?
|
||||
cat out/conftest.err >&5
|
||||
echo "$as_me:13571: \$? = $ac_status" >&5
|
||||
echo "$as_me:13572: \$? = $ac_status" >&5
|
||||
if (exit $ac_status) && test -s out/conftest2.$ac_objext
|
||||
then
|
||||
# The compiler can only warn and ignore the option if not recognized
|
||||
@ -15128,11 +15129,11 @@ else
|
||||
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
|
||||
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
|
||||
-e 's:$: $lt_compiler_flag:'`
|
||||
(eval echo "\"\$as_me:15131: $lt_compile\"" >&5)
|
||||
(eval echo "\"\$as_me:15132: $lt_compile\"" >&5)
|
||||
(eval "$lt_compile" 2>conftest.err)
|
||||
ac_status=$?
|
||||
cat conftest.err >&5
|
||||
echo "$as_me:15135: \$? = $ac_status" >&5
|
||||
echo "$as_me:15136: \$? = $ac_status" >&5
|
||||
if (exit $ac_status) && test -s "$ac_outfile"; then
|
||||
# The compiler can only warn and ignore the option if not recognized
|
||||
# So say no if there are warnings other than the usual output.
|
||||
@ -15232,11 +15233,11 @@ else
|
||||
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
|
||||
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
|
||||
-e 's:$: $lt_compiler_flag:'`
|
||||
(eval echo "\"\$as_me:15235: $lt_compile\"" >&5)
|
||||
(eval echo "\"\$as_me:15236: $lt_compile\"" >&5)
|
||||
(eval "$lt_compile" 2>out/conftest.err)
|
||||
ac_status=$?
|
||||
cat out/conftest.err >&5
|
||||
echo "$as_me:15239: \$? = $ac_status" >&5
|
||||
echo "$as_me:15240: \$? = $ac_status" >&5
|
||||
if (exit $ac_status) && test -s out/conftest2.$ac_objext
|
||||
then
|
||||
# The compiler can only warn and ignore the option if not recognized
|
||||
@ -17421,11 +17422,11 @@ else
|
||||
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
|
||||
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
|
||||
-e 's:$: $lt_compiler_flag:'`
|
||||
(eval echo "\"\$as_me:17424: $lt_compile\"" >&5)
|
||||
(eval echo "\"\$as_me:17425: $lt_compile\"" >&5)
|
||||
(eval "$lt_compile" 2>conftest.err)
|
||||
ac_status=$?
|
||||
cat conftest.err >&5
|
||||
echo "$as_me:17428: \$? = $ac_status" >&5
|
||||
echo "$as_me:17429: \$? = $ac_status" >&5
|
||||
if (exit $ac_status) && test -s "$ac_outfile"; then
|
||||
# The compiler can only warn and ignore the option if not recognized
|
||||
# So say no if there are warnings other than the usual output.
|
||||
@ -17711,11 +17712,11 @@ else
|
||||
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
|
||||
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
|
||||
-e 's:$: $lt_compiler_flag:'`
|
||||
(eval echo "\"\$as_me:17714: $lt_compile\"" >&5)
|
||||
(eval echo "\"\$as_me:17715: $lt_compile\"" >&5)
|
||||
(eval "$lt_compile" 2>conftest.err)
|
||||
ac_status=$?
|
||||
cat conftest.err >&5
|
||||
echo "$as_me:17718: \$? = $ac_status" >&5
|
||||
echo "$as_me:17719: \$? = $ac_status" >&5
|
||||
if (exit $ac_status) && test -s "$ac_outfile"; then
|
||||
# The compiler can only warn and ignore the option if not recognized
|
||||
# So say no if there are warnings other than the usual output.
|
||||
@ -17815,11 +17816,11 @@ else
|
||||
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
|
||||
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
|
||||
-e 's:$: $lt_compiler_flag:'`
|
||||
(eval echo "\"\$as_me:17818: $lt_compile\"" >&5)
|
||||
(eval echo "\"\$as_me:17819: $lt_compile\"" >&5)
|
||||
(eval "$lt_compile" 2>out/conftest.err)
|
||||
ac_status=$?
|
||||
cat out/conftest.err >&5
|
||||
echo "$as_me:17822: \$? = $ac_status" >&5
|
||||
echo "$as_me:17823: \$? = $ac_status" >&5
|
||||
if (exit $ac_status) && test -s out/conftest2.$ac_objext
|
||||
then
|
||||
# The compiler can only warn and ignore the option if not recognized
|
||||
@ -23769,6 +23770,23 @@ fi
|
||||
done
|
||||
|
||||
|
||||
# Check whether --enable-sha2 was given.
|
||||
if test "${enable_sha2+set}" = set; then
|
||||
enableval=$enable_sha2;
|
||||
fi
|
||||
|
||||
case "$enable_sha2" in
|
||||
yes)
|
||||
|
||||
cat >>confdefs.h <<_ACEOF
|
||||
#define USE_SHA2
|
||||
_ACEOF
|
||||
|
||||
;;
|
||||
no|*)
|
||||
;;
|
||||
esac
|
||||
|
||||
# check to see if libraries are needed for these functions.
|
||||
{ echo "$as_me:$LINENO: checking for library containing inet_pton" >&5
|
||||
echo $ECHO_N "checking for library containing inet_pton... $ECHO_C" >&6; }
|
||||
|
@ -348,6 +348,15 @@ ACX_WITH_SSL
|
||||
ACX_LIB_SSL
|
||||
AC_CHECK_FUNCS([EVP_sha1 EVP_sha256 EVP_sha512 ENGINE_load_gost])
|
||||
|
||||
AC_ARG_ENABLE(sha2, AC_HELP_STRING([--enable-sha2], [Enable SHA256 and SHA512 RRSIG support]))
|
||||
case "$enable_sha2" in
|
||||
yes)
|
||||
AC_DEFINE_UNQUOTED([USE_SHA2], [], [Define this to enable SHA256 and SHA512 support.])
|
||||
;;
|
||||
no|*)
|
||||
;;
|
||||
esac
|
||||
|
||||
# check to see if libraries are needed for these functions.
|
||||
AC_SEARCH_LIBS([inet_pton], [nsl])
|
||||
AC_SEARCH_LIBS([socket], [socket])
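Review bot: The `yes)` branch of the new `case "$enable_sha2"` defines USE_SHA2 without looking at the result of the `AC_CHECK_FUNCS([EVP_sha1 EVP_sha256 EVP_sha512 ...])` line just above it. The C code in this commit requires both `HAVE_EVP_SHA256` and `USE_SHA2`, so `--enable-sha2` against an OpenSSL that lacks these functions configures cleanly and builds a validator without the algorithms the operator asked for. A check inside `yes)` would make that visible, for example `test "$ac_cv_func_EVP_sha256" = yes || AC_MSG_ERROR([--enable-sha2 needs EVP_sha256 from OpenSSL])`, with the same test for EVP_sha512. As a style point, `AC_DEFINE([USE_SHA2], [1], [...])` is the usual form here, since nothing in the value needs shell expansion.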
|
||||
|
@ -1,3 +1,8 @@
|
||||
2 June 2009: Wouter
|
||||
- --enable-sha2 option. The draft rsasha256 changed its algorithm
|
||||
numbers too often. Therefore it is more prudent to disable the
|
||||
RSASHA256 and RSASHA512 support by default.
|
||||
|
||||
29 May 2009: Wouter
|
||||
- fixup doc bug in README reported by Matthew Dempsky.
|
||||
|
||||
|
@ -63,6 +63,8 @@ This software is under BSD license, see LICENSE for details.
|
||||
Needs python-devel and swig development tools.
|
||||
* --with-pythonmodule
|
||||
Compile the python module that processes responses in the server.
|
||||
* --enable-sha2
|
||||
Enable draft support for RSASHA256 and RSASHA512.
|
||||
|
||||
* 'make test' attempts to run a series of tests, depending on the support
|
||||
programs that are installed.
|
||||
|
@ -227,7 +227,7 @@ main(int argc, char* argv[])
|
||||
while( (c=getopt(argc, argv, "2ho:p:")) != -1) {
|
||||
switch(c) {
|
||||
case '2':
|
||||
#ifdef HAVE_EVP_SHA256
|
||||
#if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
|
||||
printf("SHA256 supported\n");
|
||||
exit(0);
|
||||
#else
|
||||
|
@ -474,12 +474,14 @@ verify_test()
|
||||
verifytest_file("testdata/test_signatures.6", "20080416005004");
|
||||
verifytest_file("testdata/test_signatures.7", "20070829144150");
|
||||
verifytest_file("testdata/test_signatures.8", "20070829144150");
|
||||
#ifdef HAVE_EVP_SHA256
|
||||
#if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
|
||||
verifytest_file("testdata/test_signatures.9", "20070829144150");
|
||||
verifytest_file("testdata/test_signatures.11", "20070829144150");
|
||||
#endif
|
||||
#ifdef HAVE_EVP_SHA512
|
||||
#if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
|
||||
/* Skip test. Algorithm number uncertainty
|
||||
verifytest_file("testdata/test_signatures.10", "20070829144150");
|
||||
*/
|
||||
#endif
|
||||
verifytest_file("testdata/test_signatures.12", "20090107100022");
|
||||
verifytest_file("testdata/test_signatures.13", "20080414005004");
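Review bot: The `#if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)` guard in verify_test wraps only a commented-out call for test_signatures.10, so changing its condition alters nothing that is compiled. A single comment such as `/* test_signatures.10 skipped: RSASHA512 algorithm number not final */` in place of the guarded block would say the same thing with less preprocessor noise. With the new default, test_signatures.9 and .11 are also skipped without any output, so a default `make test` no longer exercises RSASHA256 verification; a one-line message in an `#else` branch would keep that visible. verify_test starts and ends outside this hunk.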
|
||||
|
@ -370,10 +370,10 @@ dnskey_algo_id_is_supported(int id)
|
||||
case LDNS_RSASHA1:
|
||||
case LDNS_RSASHA1_NSEC3:
|
||||
case LDNS_RSAMD5:
|
||||
#ifdef HAVE_EVP_SHA256
|
||||
#if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
|
||||
case LDNS_RSASHA256:
|
||||
#endif
|
||||
#ifdef HAVE_EVP_SHA512
|
||||
#if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
|
||||
case LDNS_RSASHA512:
|
||||
#endif
|
||||
return 1;
|
||||
@ -1237,10 +1237,10 @@ setup_key_digest(int algo, EVP_PKEY* evp_key, const EVP_MD** digest_type,
|
||||
break;
|
||||
case LDNS_RSASHA1:
|
||||
case LDNS_RSASHA1_NSEC3:
|
||||
#ifdef HAVE_EVP_SHA256
|
||||
#if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
|
||||
case LDNS_RSASHA256:
|
||||
#endif
|
||||
#ifdef HAVE_EVP_SHA512
|
||||
#if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
|
||||
case LDNS_RSASHA512:
|
||||
#endif
|
||||
rsa = ldns_key_buf2rsa_raw(key, keylen);
|
||||
@ -1256,12 +1256,12 @@ setup_key_digest(int algo, EVP_PKEY* evp_key, const EVP_MD** digest_type,
|
||||
}
|
||||
|
||||
/* select SHA version */
|
||||
#ifdef HAVE_EVP_SHA256
|
||||
#if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
|
||||
if(algo == LDNS_RSASHA256)
|
||||
*digest_type = EVP_sha256();
|
||||
else
|
||||
#endif
|
||||
#ifdef HAVE_EVP_SHA512
|
||||
#if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
|
||||
if(algo == LDNS_RSASHA512)
|
||||
*digest_type = EVP_sha512();
|
||||
else
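Review bot: The pair `defined(HAVE_EVP_SHA256) && defined(USE_SHA2)` (and its SHA512 twin) is now spelled out at six sites in this file, across dnskey_algo_id_is_supported and setup_key_digest, and the two functions must stay in agreement: an algorithm reported as supported by the first but missing its `case` or digest selection in the second would presumably make valid signatures fail to verify. Deriving the condition once near the top of the file, e.g. `#if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)` / `#define USE_RSASHA256 1` / `#endif`, and testing that single macro at each site would remove the risk of the sites drifting apart. The switch in dnskey_algo_id_is_supported also deserves a comment stating that, without --enable-sha2, RSASHA256 and RSASHA512 keys are reported as unsupported, because how callers treat zones signed only with those algorithms is a validation-policy consequence of this default that is not visible here. Both functions begin and end outside the hunks shown.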
|
||||
|