Commit 83889892 authored by Ondrej Sury's avatar Ondrej Sury

Imported Upstream version 1.6.7

parent fcb9d288
1.6.6
1.6.7 2010-11-08
* EXPERIMENTAL ecdsa implementation, please do not enable on real
servers.
* GOST code enabled by default (RFC 5933).
* bugfix #326: ignore whitespace between directives and their values.
* Header comment to advertise ldns_axfr_complete to check for
successfully completed zone transfers.
* read resolv.conf skips interface labels, e.g. %eth0.
* Fix drill verify NSEC3 denials.
* Use closesocket() on windows.
* Add ldns_get_signing_algorithm_by_name that understand aliases,
names changed to RFC names and aliases for compatibility added.
* bugfix: don't print final dot if the domain is relative.
* bugfix: resolver search continue when packet rcode != NOERROR.
* bugfix: resolver push all domains in search directive to list.
* bugfix: resolver search by default includes the root domain.
* bugfix: tcp read could fail on single octet recv.
* bugfix: read of RR in unknown syntax with missing fields.
* added ldns_pkt_tsig_sign_next() and ldns_pkt_tsig_verify_next()
to sign and verify TSIG RRs on subsequent messages
(section 4.4, RFC 2845).
* bugfix: signer sigs nsecs with zsks only.
* bugfix #333: fix ldns_dname_absolute for name ending with backslash.
1.6.6 2010-08-09
* Fix ldns_rr_clone to copy question rrs properly.
* Fix ldns_sign_zone(_nsec3) to clone the soa for the new zone.
* Fix ldns_wire2dname size check from reading 1 byte beyond buffer end.
......@@ -22,7 +46,7 @@
* Fix drill: allow for a secure trace if you use DS records as trust
anchors (thanks Jan Komissar).
1.6.5
1.6.5 2010-06-15
* Catch \X where X is a digit as an error.
* Fix segfault when ip6 ldns resolver only has ip4 servers.
* Fix NSEC record after DNSKEY at zone apex not properly signed.
......@@ -101,7 +101,7 @@ COMP_LIB = $(LIBTOOL) --mode=compile $(CC) $(CPPFLAGS) $(CFLAGS)
LINK = $(CC) $(strip $(CFLAGS) $(LDFLAGS) $(LIBS))
LINK_LIB = $(LIBTOOL) --mode=link $(CC) $(strip $(CFLAGS) $(LDFLAGS) $(LIBS) -version-number $(version_info) -no-undefined)
%.o: $(srcdir)/%.c $(LIBDNS_HEADERS) ldns/util.h ldns/config.h
%.o: $(srcdir)/%.c $(LIBDNS_HEADERS) ldns/net.h ldns/util.h ldns/config.h
$(COMP_LIB) $(LIBSSL_CPPFLAGS) -c $<
.PHONY: clean realclean docclean manpages doc lint all lib pyldns
......@@ -110,7 +110,7 @@ LINK_LIB = $(LIBTOOL) --mode=link $(CC) $(strip $(CFLAGS) $(LDFLAGS) $(LIBS) -ve
all: copy-headers lib linktest manpages @PYLDNS@
linktest: $(srcdir)/linktest.c $(LIBDNS_HEADERS) ldns/util.h ldns/config.h libldns.la
linktest: $(srcdir)/linktest.c $(LIBDNS_HEADERS) ldns/net.h ldns/util.h ldns/config.h libldns.la
$(LIBTOOL) --mode=link $(CC) $(srcdir)/linktest.c $(CPPFLAGS) $(LIBSSL_CPPFLAGS) $(CFLAGS) -lldns $(LIBS) -o linktest
lib: libldns.la
......@@ -130,7 +130,12 @@ $(addprefix include/ldns/, $(notdir $(LIBDNS_HEADERS))): include/ldns/%.h: $(src
@if [ ! -d include/ldns ] ; then (cd include; ln -s ../ldns ./ldns || echo "include/ldns exists") ; fi ;
$(INSTALL) -c -m 644 $< ./include/ldns/
copy-headers: $(addprefix include/ldns/, $(notdir $(LIBDNS_HEADERS)))
include/ldns/util.h include/ldns/net.h include/ldns/config.h: include/ldns/%.h: ./ldns/%.h
@if [ ! -d include ] ; then ($(INSTALL) -d include || echo "include exists") ; fi ;
@if [ ! -d include/ldns ] ; then (cd include; ln -s ../ldns ./ldns || echo "include/ldns exists") ; fi ;
$(INSTALL) -c -m 644 $< ./include/ldns/
copy-headers: $(addprefix include/ldns/, $(notdir $(LIBDNS_HEADERS))) include/ldns/util.h include/ldns/net.h include/ldns/config.h
mancheck:
sh -c 'find . -name \*.\[13\] -exec troff -z {} \;' 2>&1 | sed "s/^\.\///" | sed "s/\(:[0\-9]\+:\)/\1 warning:/g"
......@@ -65,10 +65,11 @@ commands may be a little bit different on your machine. Most notable, you'll nee
* Developers
ldns is developed by the ldns team at NLnet Labs. This team currently
consists of:
o Jelte Jansen
o Wouter Wijngaards
o Matthijs Mekking
Former main developers:
o Jelte Jansen
o Miek Gieben
* Credits
......@@ -2,7 +2,8 @@
# Copyright 2009, Wouter Wijngaards, NLnet Labs.
# BSD licensed.
#
# Version 10
# Version 11
# 2010-08-16 Fix FLAG_OMITTED for AS_TR_CPP changes in autoconf-2.66.
# 2010-07-02 Add check for ss_family (for minix).
# 2010-04-26 Fix to use CPPFLAGS for CHECK_COMPILER_FLAGS.
# 2010-03-01 Fix RPATH using CONFIG_COMMANDS to run at the very end.
......@@ -1192,7 +1193,7 @@ AC_DEFUN([ACX_CFLAGS_STRIP],
[
if echo $CFLAGS | grep " $1" >/dev/null 2>&1; then
CFLAGS="`echo $CFLAGS | sed -e 's/ $1//g'`"
AC_DEFINE(AS_TR_CPP(OMITTED_$1), 1, Put $1 define in config.h)
AC_DEFINE(m4_bpatsubst(OMITTED_$1,[[-=]],_), 1, Put $1 define in config.h)
fi
])
......@@ -1223,7 +1224,7 @@ AC_DEFUN([AHX_CONFIG_FLAG_OMITTED],
dnl Wrapper for AHX_CONFIG_FLAG_OMITTED for -D style flags
dnl $1: the -DNAME or -DNAME=value string.
AC_DEFUN([AHX_CONFIG_FLAG_EXT],
[AHX_CONFIG_FLAG_OMITTED(AS_TR_CPP(OMITTED_$1),m4_bpatsubst(m4_bpatsubst($1,-D,),=.*$,),m4_if(m4_bregexp($1,=),-1,1,m4_bpatsubst($1,^.*=,)))
[AHX_CONFIG_FLAG_OMITTED(m4_bpatsubst(OMITTED_$1,[[-=]],_),m4_bpatsubst(m4_bpatsubst($1,-D,),=.*$,),m4_if(m4_bregexp($1,=),-1,1,m4_bpatsubst($1,^.*=,)))
])
dnl config.h part to define omitted cflags, use with ACX_STRIP_EXT_FLAGS.
......@@ -44,9 +44,13 @@ ldns_buffer_new_frm_data(ldns_buffer *buffer, void *data, size_t size)
buffer->_position = 0;
buffer->_limit = buffer->_capacity = size;
buffer->_fixed = 0;
buffer->_data = LDNS_XMALLOC(uint8_t, size);
if(!buffer->_data) {
buffer->_status = LDNS_STATUS_MEM_ERR;
return;
}
memcpy(buffer->_data, data, size);
buffer->_fixed = 0;
buffer->_status = LDNS_STATUS_OK;
ldns_buffer_invariant(buffer);
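Review bot: The new allocation-failure path (L112–L115) returns with `_limit` and `_capacity` still set to `size` (L109) while `_data` is NULL, so a caller that consults the buffer's bounds but not `_status` sees `size` bytes available behind a NULL pointer, and `ldns_buffer_invariant` is skipped on this path as well. Reset the bounds before returning, `buffer->_limit = buffer->_capacity = 0;` next to the `LDNS_STATUS_MEM_ERR` assignment. Separately, `buffer->_fixed = 0;` appears both before (L110) and after (L117) the copy; if both lines survive on the new side, one of them is redundant. `ldns_buffer_new_frm_data` starts before this hunk.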
......@@ -254,41 +254,56 @@ ldns_b32_ntop_ar(uint8_t const *src, size_t srclength, char *target, size_t targ
}
target[datalength++] = B32_ar[output[0]];
if (srclength >= 1) {
if (datalength + 1 > targsize) { return (-2); }
target[datalength++] = B32_ar[output[1]];
if (srclength == 1 && output[2] == 0) {
if (datalength + 1 > targsize) { return (-2); }
target[datalength++] = Pad32;
} else {
if (datalength + 1 > targsize) { return (-2); }
target[datalength++] = B32_ar[output[2]];
}
} else {
if (datalength + 1 > targsize) { return (-2); }
target[datalength++] = Pad32;
if (datalength + 1 > targsize) { return (-2); }
target[datalength++] = Pad32;
}
if (srclength >= 2) {
if (datalength + 1 > targsize) { return (-2); }
target[datalength++] = B32_ar[output[3]];
} else {
if (datalength + 1 > targsize) { return (-2); }
target[datalength++] = Pad32;
}
if (srclength >= 3) {
if (datalength + 1 > targsize) { return (-2); }
target[datalength++] = B32_ar[output[4]];
if (srclength == 3 && output[5] == 0) {
if (datalength + 1 > targsize) { return (-2); }
target[datalength++] = Pad32;
} else {
if (datalength + 1 > targsize) { return (-2); }
target[datalength++] = B32_ar[output[5]];
}
} else {
if (datalength + 1 > targsize) { return (-2); }
target[datalength++] = Pad32;
if (datalength + 1 > targsize) { return (-2); }
target[datalength++] = Pad32;
}
if (srclength >= 4) {
if (datalength + 1 > targsize) { return (-2); }
target[datalength++] = B32_ar[output[6]];
} else {
if (datalength + 1 > targsize) { return (-2); }
target[datalength++] = Pad32;
}
if (datalength + 1 > targsize) { return (-2); }
target[datalength++] = Pad32;
}
if (datalength > targsize) {
return (-3);
if (datalength+1 > targsize) {
return (int) (datalength);
}
target[datalength] = '\0'; /* Returned value doesn't count \0. */
return (int) (datalength);
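Review bot: The rewritten terminator check at L175–L177 returns `(int) (datalength)`, a success value, when there is no room for the trailing NUL and then skips writing it, so the caller receives an unterminated buffer with no indication — unlike every earlier overflow check in this hunk, which returns `-2`. Either restore the error, `if (datalength+1 > targsize) { return (-3); }`, or state in the function's header comment that the output is not NUL-terminated when exactly `targsize` bytes were produced. The `+1` that `ldns_nsec3_hash_name` now passes (L328) suggests callers are already sizing for the terminator, so the error return is the safer of the two. `ldns_b32_ntop_ar` begins before this hunk.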
......@@ -6,7 +6,7 @@ sinclude(acx_nlnetlabs.m4)
# must be numbers. ac_defun because of later processing.
m4_define([VERSION_MAJOR],[1])
m4_define([VERSION_MINOR],[6])
m4_define([VERSION_MICRO],[6])
m4_define([VERSION_MICRO],[7])
AC_INIT(ldns, m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]), libdns@nlnetlabs.nl, libdns)
AC_CONFIG_SRCDIR([packet.c])
# needed to build correct soname
......@@ -149,26 +149,44 @@ case "$enable_sha2" in
;;
esac
AC_ARG_ENABLE(gost, AC_HELP_STRING([--enable-gost], [Enable GOST support, experimental]))
AC_ARG_ENABLE(gost, AC_HELP_STRING([--disable-gost], [Disable GOST support]))
case "$enable_gost" in
yes)
no)
;;
*) dnl default
if test "x$HAVE_SSL" != "xyes"; then
AC_MSG_ERROR([GOST enabled, but no SSL support])
fi
AC_MSG_CHECKING(for GOST)
AC_CHECK_FUNC(EVP_PKEY_set_type_str, [],[AC_MSG_ERROR([OpenSSL >= 1.0.0 is needed for GOST support])])
AC_CHECK_FUNC(EVP_PKEY_set_type_str, [],[AC_MSG_ERROR([OpenSSL >= 1.0.0 is needed for GOST support or rerun with --disable-gost])])
AC_CHECK_FUNC(EC_KEY_new, [], [AC_MSG_ERROR([No ECC functions found in OpenSSL: please upgrade OpenSSL or rerun with --disable-gost])])
AC_DEFINE_UNQUOTED([USE_GOST], [1], [Define this to enable GOST support.])
;;
esac
AC_ARG_ENABLE(ecdsa, AC_HELP_STRING([--enable-ecdsa], [Enable ECDSA support, experimental]))
case "$enable_ecdsa" in
yes)
if test "x$HAVE_SSL" != "xyes"; then
AC_MSG_ERROR([ECDSA enabled, but no SSL support])
fi
AC_CHECK_FUNC(ECDSA_sign, [], [AC_MSG_ERROR([OpenSSL does not support ECDSA])])
AC_CHECK_FUNC(SHA384_Init, [], [AC_MSG_ERROR([OpenSSL does not support SHA384])])
AC_CHECK_DECLS([NID_X9_62_prime256v1, NID_secp384r1], [], [AC_MSG_ERROR([OpenSSL does not support the ECDSA curve])], [AC_INCLUDES_DEFAULT
#include <openssl/evp.h>
])
# we now know we have ECDSA and the required curves.
AC_DEFINE_UNQUOTED([USE_ECDSA], [1], [Define this to enable ECDSA support.])
AC_WARN([
*****************************************************************
*** YOU HAVE ENABLED ECDSA WHICH IS EXPERIMENTAL AT THIS TIME ***
*** PLEASE DO NOT USE THIS ON THE PUBLIC INTERNET ***
*****************************************************************])
;;
no)
;;
*) dnl default
if test "x$HAVE_SSL" = "xyes"; then
AC_MSG_CHECKING(for GOST)
AC_CHECK_FUNC(EVP_PKEY_set_type_str, [
AC_DEFINE_UNQUOTED([USE_GOST], [1], [Define this to enable GOST support.])
],[])
fi
;;
;;
*)
;;
esac
AC_SUBST(LIBSSL_CPPFLAGS)
......@@ -246,6 +264,24 @@ include_inttypes_h=''
],[AC_INCLUDES_DEFAULT
])
AC_SUBST(include_inttypes_h)
AC_CHECK_HEADER(sys/types.h,
[
include_systypes_h='#include <sys/types.h>'
AC_DEFINE(HAVE_SYS_TYPES_H, 1, [define if you have sys/types.h])
],[
include_systypes_h=''
],[AC_INCLUDES_DEFAULT
])
AC_SUBST(include_systypes_h)
AC_CHECK_HEADER(unistd.h,
[
include_unistd_h='#include <unistd.h>'
AC_DEFINE(HAVE_UNISTD_H, 1, [define if you have unistd.h])
],[
include_unistd_h=''
],[AC_INCLUDES_DEFAULT
])
AC_SUBST(include_unistd_h)
ACX_TYPE_SOCKLEN_T
AC_CHECK_TYPE(ssize_t, int)
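Review bot: In the `enable_gost` case the default `*)` arm now aborts with `AC_MSG_ERROR([GOST enabled, but no SSL support])` (L201–L203), so a build configured with `--without-ssl`, or on a host where OpenSSL is not found, fails unless `--disable-gost` is also given — if I read the hunk correctly, the removed default arm (L232–L238) probed for GOST only when `$HAVE_SSL` was `yes`. Since GOST is now enabled by default rather than requested, the default arm should degrade instead of abort: wrap the probe in `if test "x$HAVE_SSL" = "xyes"; then … fi` and keep the hard error for an explicit `--enable-gost` in a separate `yes)` arm. The ECDSA case (L211–L243) already has that shape, with the errors reserved for the explicit `yes)`.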
......@@ -506,7 +506,7 @@ ldns_dname_str_absolute(const char *dname_str)
if(dname_str[strlen(dname_str) - 2] != '\\')
return 1; /* ends in . and no \ before it */
/* so we have the case of ends in . and there is \ before it */
for(s=dname_str; s; s++) {
for(s=dname_str; *s; s++) {
if(*s == '\\') {
if(s[1] && s[2] && s[3] /* check length */
&& isdigit(s[1]) && isdigit(s[2]) &&
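Review bot: The loop-condition fix at L275 is correct, but the `isdigit(s[1])` and `isdigit(s[2])` calls at L278 pass a plain `char`; where `char` is signed and the name contains bytes above 0x7F, a negative value reaches `isdigit`, which is undefined behaviour for anything other than `EOF` or values representable as `unsigned char`. Cast first: `&& isdigit((unsigned char)s[1]) && isdigit((unsigned char)s[2]) &&`, and likewise for the third digit if it is tested on the following line. `ldns_dname_str_absolute` starts before this hunk and continues after it.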
......@@ -525,12 +525,25 @@ ldns_key_rr2ds(const ldns_rr *key, ldns_hash h)
ldns_rr_free(ds);
return NULL;
}
break;
#else
/* not implemented */
ldns_rr_free(ds);
return NULL;
#endif
#ifdef USE_ECDSA
case LDNS_SHA384:
digest = LDNS_XMALLOC(uint8_t, SHA384_DIGEST_LENGTH);
if (!digest) {
ldns_rr_free(ds);
return NULL;
}
break;
#else
/* not implemented */
ldns_rr_free(ds);
return NULL;
#endif
break;
}
data_buf = ldns_buffer_new(LDNS_MAX_PACKETLEN);
......@@ -615,6 +628,17 @@ ldns_key_rr2ds(const ldns_rr *key, ldns_hash h)
ldns_rr_push_rdf(ds, tmp);
#endif
break;
#ifdef USE_ECDSA
case LDNS_SHA384:
(void) SHA384((unsigned char *) ldns_buffer_begin(data_buf),
(unsigned int) ldns_buffer_position(data_buf),
(unsigned char *) digest);
tmp = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_HEX,
SHA384_DIGEST_LENGTH,
digest);
ldns_rr_push_rdf(ds, tmp);
break;
#endif
}
LDNS_FREE(digest);
......@@ -970,7 +994,7 @@ ldns_nsec3_hash_name(ldns_rdf *name,
(uint8_t *) hashed_owner_str,
hashed_owner_str_len,
hashed_owner_b32,
ldns_b32_ntop_calculate_size(hashed_owner_str_len));
ldns_b32_ntop_calculate_size(hashed_owner_str_len)+1);
if (hashed_owner_b32_len < 1) {
fprintf(stderr, "Error in base32 extended hex encoding ");
fprintf(stderr, "of hashed owner name (name: ");
......@@ -1588,4 +1612,65 @@ ldns_convert_dsa_rrsig_rdf2asn1(ldns_buffer *target_buffer,
return ldns_buffer_status(target_buffer);
}
#ifdef USE_ECDSA
ldns_rdf *
ldns_convert_ecdsa_rrsig_asn12rdf(const ldns_buffer *sig, const long sig_len)
{
ECDSA_SIG* ecdsa_sig;
unsigned char *data = (unsigned char*)ldns_buffer_begin(sig);
ldns_rdf* rdf;
ecdsa_sig = d2i_ECDSA_SIG(NULL, (const unsigned char **)&data, sig_len);
if(!ecdsa_sig) return NULL;
/* "r | s". */
data = LDNS_XMALLOC(unsigned char,
BN_num_bytes(ecdsa_sig->r) + BN_num_bytes(ecdsa_sig->s));
if(!data) {
ECDSA_SIG_free(ecdsa_sig);
return NULL;
}
BN_bn2bin(ecdsa_sig->r, data);
BN_bn2bin(ecdsa_sig->s, data+BN_num_bytes(ecdsa_sig->r));
rdf = ldns_rdf_new(LDNS_RDF_TYPE_B64,
BN_num_bytes(ecdsa_sig->r) + BN_num_bytes(ecdsa_sig->s), data);
ECDSA_SIG_free(ecdsa_sig);
return rdf;
}
ldns_status
ldns_convert_ecdsa_rrsig_rdf2asn1(ldns_buffer *target_buffer,
const ldns_rdf *sig_rdf)
{
ECDSA_SIG* sig;
int raw_sig_len;
long bnsize = ldns_rdf_size(sig_rdf) / 2;
/* if too short, or not even length, do not bother */
if(bnsize < 16 || (size_t)bnsize*2 != ldns_rdf_size(sig_rdf))
return LDNS_STATUS_ERR;
/* use the raw data to parse two evenly long BIGNUMs, "r | s". */
sig = ECDSA_SIG_new();
if(!sig) return LDNS_STATUS_MEM_ERR;
sig->r = BN_bin2bn((const unsigned char*)ldns_rdf_data(sig_rdf),
bnsize, sig->r);
sig->s = BN_bin2bn((const unsigned char*)ldns_rdf_data(sig_rdf)+bnsize,
bnsize, sig->s);
if(!sig->r || !sig->s) {
ECDSA_SIG_free(sig);
return LDNS_STATUS_MEM_ERR;
}
raw_sig_len = i2d_ECDSA_SIG(sig, NULL);
if (ldns_buffer_reserve(target_buffer, (size_t) raw_sig_len)) {
unsigned char* pp = ldns_buffer_current(target_buffer);
raw_sig_len = i2d_ECDSA_SIG(sig, &pp);
ldns_buffer_skip(target_buffer, (size_t) raw_sig_len);
}
ECDSA_SIG_free(sig);
return ldns_buffer_status(target_buffer);
}
#endif /* USE_ECDSA */
#endif /* HAVE_SSL */
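Review bot: `ldns_convert_ecdsa_rrsig_asn12rdf` (L345–L354) sizes the RDATA as `BN_num_bytes(ecdsa_sig->r) + BN_num_bytes(ecdsa_sig->s)`, so an r or s whose leading byte is zero is emitted shorter than the curve's fixed width; the matching reader `ldns_convert_ecdsa_rrsig_rdf2asn1` (L364–L367) derives `bnsize` from the total length and will reject such a signature unless both integers happen to be short by the same amount, and any other validator that splits `r | s` at the curve width will fail to verify it. The writer needs the per-integer width (32 bytes for P-256, 48 for P-384, the same sizes `ldns_ecdsa2pkey_raw` enforces on the key) and should left-pad each integer with zeros into a `2*num_bytes` buffer; as the function only receives the DER blob, the width has to be supplied by the caller at L449, which has the EVP key and can take it from the EC group. A smaller point in the `ldns_key_rr2ds` hunk: the `#else` block at L298–L302 follows the previous case's `break` with no `case LDNS_SHA384:` label of its own, so without USE_ECDSA it is unreachable and a SHA384 request falls out of the switch instead of returning NULL.
```c
ldns_rdf *
ldns_convert_ecdsa_rrsig_asn12rdf(const ldns_buffer *sig, const long sig_len,
	int num_bytes)
{
	ECDSA_SIG* ecdsa_sig;
	unsigned char *data = (unsigned char*)ldns_buffer_begin(sig);
	ldns_rdf* rdf;
	int r_len, s_len;
	ecdsa_sig = d2i_ECDSA_SIG(NULL, (const unsigned char **)&data, sig_len);
	if(!ecdsa_sig) return NULL;
	r_len = BN_num_bytes(ecdsa_sig->r);
	s_len = BN_num_bytes(ecdsa_sig->s);
	/* an integer wider than the curve cannot be a valid r or s */
	if(r_len > num_bytes || s_len > num_bytes) {
		ECDSA_SIG_free(ecdsa_sig);
		return NULL;
	}
	/* "r | s", each left-padded with zeros to the curve's fixed width */
	data = LDNS_XMALLOC(unsigned char, 2*num_bytes);
	if(!data) {
		ECDSA_SIG_free(ecdsa_sig);
		return NULL;
	}
	memset(data, 0, 2*num_bytes);
	BN_bn2bin(ecdsa_sig->r, data + (num_bytes - r_len));
	BN_bn2bin(ecdsa_sig->s, data + num_bytes + (num_bytes - s_len));
	rdf = ldns_rdf_new(LDNS_RDF_TYPE_B64, 2*num_bytes, data);
	if(!rdf) LDNS_FREE(data);
	ECDSA_SIG_free(ecdsa_sig);
	return rdf;
}
```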
......@@ -155,6 +155,20 @@ ldns_sign_public_buffer(ldns_buffer *sign_buf, ldns_key *current_key)
EVP_get_digestbyname("md_gost94"));
break;
#endif /* USE_GOST */
#ifdef USE_ECDSA
case LDNS_SIGN_ECDSAP256SHA256:
b64rdf = ldns_sign_public_evp(
sign_buf,
ldns_key_evp_key(current_key),
EVP_sha256());
break;
case LDNS_SIGN_ECDSAP384SHA384:
b64rdf = ldns_sign_public_evp(
sign_buf,
ldns_key_evp_key(current_key),
EVP_sha384());
break;
#endif
case LDNS_SIGN_RSAMD5:
b64rdf = ldns_sign_public_evp(
sign_buf,
......@@ -333,6 +347,32 @@ ldns_sign_public_dsa(ldns_buffer *to_sign, DSA *key)
return sigdata_rdf;
}
#ifdef USE_ECDSA
static int
ldns_pkey_is_ecdsa(EVP_PKEY* pkey)
{
EC_KEY* ec;
const EC_GROUP* g;
if(EVP_PKEY_type(pkey->type) != EVP_PKEY_EC)
return 0;
ec = EVP_PKEY_get1_EC_KEY(pkey);
g = EC_KEY_get0_group(ec);
if(!g) {
EC_KEY_free(ec);
return 0;
}
if(EC_GROUP_get_curve_name(g) == NID_secp224r1 ||
EC_GROUP_get_curve_name(g) == NID_X9_62_prime256v1 ||
EC_GROUP_get_curve_name(g) == NID_secp384r1) {
EC_KEY_free(ec);
return 1;
}
/* downref the eckey, the original is still inside the pkey */
EC_KEY_free(ec);
return 0;
}
#endif /* USE_ECDSA */
ldns_rdf *
ldns_sign_public_evp(ldns_buffer *to_sign,
EVP_PKEY *key,
......@@ -384,6 +424,11 @@ ldns_sign_public_evp(ldns_buffer *to_sign,
/* unfortunately, OpenSSL output is differenct from DNS DSA format */
if (EVP_PKEY_type(key->type) == EVP_PKEY_DSA) {
sigdata_rdf = ldns_convert_dsa_rrsig_asn12rdf(b64sig, siglen);
#ifdef USE_ECDSA
} else if(EVP_PKEY_type(key->type) == EVP_PKEY_EC &&
ldns_pkey_is_ecdsa(key)) {
sigdata_rdf = ldns_convert_ecdsa_rrsig_asn12rdf(b64sig, siglen);
#endif
} else {
/* ok output for other types is the same */
sigdata_rdf = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, siglen,
......@@ -936,6 +981,7 @@ ldns_dnssec_zone_create_rrsigs_flg(ldns_dnssec_zone *zone,
key_list,
func,
arg);
ldns_key_list_filter_for_non_dnskey(key_list);
rr_list = ldns_rr_list_new();
ldns_rr_list_push_rr(rr_list, cur_name->nsec);
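Review bot: `ldns_pkey_is_ecdsa` (L416–L437) hands the result of `EVP_PKEY_get1_EC_KEY(pkey)` straight to `EC_KEY_get0_group` without a NULL check, although the group result is checked right after; `get1` can return NULL, and the group lookup then dereferences it. Add `if(!ec) return 0;` after L422. The curve list at L428 also accepts `NID_secp224r1`, while neither the signing switch in this file (`LDNS_SIGN_ECDSAP256SHA256`/`LDNS_SIGN_ECDSAP384SHA384`) nor the verifier's key conversion in this diff handles a 224-bit key, so as far as this change shows a P-224 key would be routed through the ECDSA signature conversion and yield a signature nothing in the tree can verify — if that is forward-looking, a comment saying so would help.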
......@@ -1411,6 +1411,10 @@ ldns_dnssec_verify_denial_nsec3(ldns_rr *rr,
ldns_rr_owner(rr),
ldns_rr_get_type(rr),
nsecs);
if(!closest_encloser) {
result = LDNS_STATUS_NSEC3_ERR;
goto done;
}
wildcard = ldns_dname_new_frm_str("*");
(void) ldns_dname_cat(wildcard, closest_encloser);
......@@ -1545,6 +1549,63 @@ ldns_verify_rrsig_gost_raw(unsigned char* sig, size_t siglen,
}
#endif
#ifdef USE_ECDSA
EVP_PKEY*
ldns_ecdsa2pkey_raw(unsigned char* key, size_t keylen, uint8_t algo)
{
unsigned char buf[256+2]; /* sufficient for 2*384/8+1 */
const unsigned char* pp = buf;
EVP_PKEY *evp_key;
EC_KEY *ec;
/* check length, which uncompressed must be 2 bignums */
if(algo == LDNS_ECDSAP256SHA256) {
if(keylen != 2*256/8) return NULL;
ec = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
} else if(algo == LDNS_ECDSAP384SHA384) {
if(keylen != 2*384/8) return NULL;
ec = EC_KEY_new_by_curve_name(NID_secp384r1);
} else ec = NULL;
if(!ec) return NULL;
if(keylen+1 > sizeof(buf))
return NULL; /* sanity check */
/* prepend the 0x02 (from docs) (or actually 0x04 from implementation
* of openssl) for uncompressed data */
buf[0] = POINT_CONVERSION_UNCOMPRESSED;
memmove(buf+1, key, keylen);
if(!o2i_ECPublicKey(&ec, &pp, keylen+1)) {
EC_KEY_free(ec);
return NULL;
}
evp_key = EVP_PKEY_new();
if(!evp_key) {
EC_KEY_free(ec);
return NULL;
}
EVP_PKEY_assign_EC_KEY(evp_key, ec);
return evp_key;
}
static ldns_status
ldns_verify_rrsig_ecdsa_raw(unsigned char* sig, size_t siglen,
ldns_buffer* rrset, unsigned char* key, size_t keylen, uint8_t algo)
{
EVP_PKEY *evp_key;
ldns_status result;
const EVP_MD *d;
evp_key = ldns_ecdsa2pkey_raw(key, keylen, algo);
if(!evp_key) {
/* could not convert key */
return LDNS_STATUS_CRYPTO_BOGUS;
}
if(algo == LDNS_ECDSAP256SHA256)
d = EVP_sha256();
else d = EVP_sha384(); /* LDNS_ECDSAP384SHA384 */
result = ldns_verify_rrsig_evp_raw(sig, siglen, rrset, evp_key, d);
EVP_PKEY_free(evp_key);
return result;
}
#endif
ldns_status
ldns_verify_rrsig_buffers(ldns_buffer *rawsig_buf, ldns_buffer *verify_buf,
......@@ -1602,6 +1663,13 @@ ldns_verify_rrsig_buffers_raw(unsigned char* sig, size_t siglen,
return ldns_verify_rrsig_gost_raw(sig, siglen, verify_buf,
key, keylen);
break;
#endif
#ifdef USE_ECDSA
case LDNS_ECDSAP256SHA256:
case LDNS_ECDSAP384SHA384:
return ldns_verify_rrsig_ecdsa_raw(sig, siglen, verify_buf,
key, keylen, algo);
break;
#endif
case LDNS_RSAMD5:
return ldns_verify_rrsig_rsamd5_raw(sig,
......@@ -1708,6 +1776,17 @@ ldns_rrsig2rawsig_buffer(ldns_buffer* rawsig_buf, ldns_rr* rrsig)
return LDNS_STATUS_MEM_ERR;
}
break;
#ifdef USE_ECDSA
case LDNS_ECDSAP256SHA256:
case LDNS_ECDSAP384SHA384:
/* EVP produces an ASN prefix on the signature, which is
* not used in the DNS */
if (ldns_convert_ecdsa_rrsig_rdf2asn1(rawsig_buf,
ldns_rr_rdf(rrsig, 8)) != LDNS_STATUS_OK) {
return LDNS_STATUS_MEM_ERR;
}
break;
#endif
case LDNS_DH:
case LDNS_ECC:
case LDNS_INDIRECT:
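Review bot: In `ldns_ecdsa2pkey_raw` the return value of `EVP_PKEY_assign_EC_KEY(evp_key, ec)` at L507 is ignored; if the assignment fails the function hands back an `EVP_PKEY` holding no key and leaks `ec`, and verification then fails on a later, less informative error instead of the clear `LDNS_STATUS_CRYPTO_BOGUS` path. Check it: `if(!EVP_PKEY_assign_EC_KEY(evp_key, ec)) { EC_KEY_free(ec); EVP_PKEY_free(evp_key); return NULL; }` — on success ownership of `ec` passes to `evp_key`, so it must not be freed there. In the same file, the new `closest_encloser` guard in `ldns_dnssec_verify_denial_nsec3` (L466–L469) is welcome, but `wildcard` from `ldns_dname_new_frm_str("*")` on the following line is still used without a NULL check.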
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.65 for ldns 1.6.6.
# Generated by GNU Autoconf 2.65 for ldns 1.6.7.
#
# Report bugs to <libdns@nlnetlabs.nl>.
#
......@@ -552,8 +552,8 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='ldns'
PACKAGE_TARNAME='libdns'
PACKAGE_VERSION='1.6.6'
PACKAGE_STRING='ldns 1.6.6'
PACKAGE_VERSION='1.6.7'
PACKAGE_STRING='ldns 1.6.7'
PACKAGE_BUGREPORT='libdns@nlnetlabs.nl'
PACKAGE_URL=''
......@@ -1207,7 +1207,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
\`configure' configures ldns 1.6.6 to adapt to many kinds of systems.
\`configure' configures ldns 1.6.7 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
......@@ -1268,7 +1268,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
short | recursive ) echo "Configuration of ldns 1.6.6:";;
short | recursive ) echo "Configuration of ldns 1.6.7:";;
esac
cat <<\_ACEOF
......@@ -1364,7 +1364,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
ldns configure 1.6.6
ldns configure 1.6.7
generated by GNU Autoconf 2.65
Copyright (C) 2009 Free Software Foundation, Inc.
......@@ -1789,7 +1789,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
It was created by ldns $as_me 1.6.6, which was
It was created by ldns $as_me 1.6.7, which was
generated by GNU Autoconf 2.65. Invocation command line was
$ $0 $@
......@@ -2141,7 +2141,8 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
# Copyright 2009, Wouter Wijngaards, NLnet Labs.
# BSD licensed.
#
# Version 10
# Version 11
# 2010-08-16 Fix FLAG_OMITTED for AS_TR_CPP changes in autoconf-2.66.
# 2010-07-02 Add check for ss_family (for minix).
# 2010-04-26 Fix to use CPPFLAGS for CHECK_COMPILER_FLAGS.
# 2010-03-01 Fix RPATH using CONFIG_COMMANDS to run at the very end.
......@@ -5873,7 +5874,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
This file was extended by ldns $as_me 1.6.6, which was
This file was extended by ldns $as_me 1.6.7, which was
generated by GNU Autoconf 2.65. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
......@@ -5935,7 +5936,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
ldns config.status 1.6.6
ldns config.status 1.6.7
configured by $0, generated by GNU Autoconf 2.65,
with options \\"\$ac_cs_config\\"
......@@ -2,7 +2,7 @@
# Process this file with autoconf to produce a configure script.
AC_PREREQ(2.56)
AC_INIT(ldns, 1.6.6, libdns@nlnetlabs.nl,libdns)
AC_INIT(ldns, 1.6.7, libdns@nlnetlabs.nl,libdns)
AC_CONFIG_SRCDIR([drill.c])
sinclude(../acx_nlnetlabs.m4)
......@@ -212,7 +212,22 @@ ldns_verify_denial(ldns_pkt *pkt, ldns_rdf *name, ldns_rr_type type, ldns_rr_lis
}
}
ldns_rr_list_deep_free(nsecs);
}
} else if( (nsecs = ldns_pkt_rr_list_by_type(pkt, LDNS_RR_TYPE_NSEC3, LDNS_SECTION_ANY_NOQUESTION)) ) {
ldns_rr_list* sigs = ldns_pkt_rr_list_by_type(pkt, LDNS_RR_TYPE_RRSIG, LDNS_SECTION_ANY_NOQUESTION);
ldns_rr* q = ldns_rr_new();
if(!sigs) return LDNS_STATUS_MEM_ERR;
if(!q) return LDNS_STATUS_MEM_ERR;
ldns_rr_set_question(q, 1);
ldns_rr_set_ttl(q, 0);
ldns_rr_set_owner(q, ldns_rdf_clone(name));
if(!ldns_rr_owner(q)) return LDNS_STATUS_MEM_ERR;
ldns_rr_set_type(q, type);
result = ldns_dnssec_verify_denial_nsec3(q, nsecs, sigs, ldns_pkt_get_rcode(pkt), type, ldns_pkt_ancount(pkt) == 0);
ldns_rr_free(q);
ldns_rr_list_deep_free(nsecs);
ldns_rr_list_deep_free(sigs);
}
return result;
}
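Review bot: The new NSEC3 branch in `ldns_verify_denial` (L651–L665) leaks on every early return: the `return LDNS_STATUS_MEM_ERR` at L654 drops `nsecs` and `q`, the one at L655 drops `nsecs` and `sigs`, and the one at L659 drops all three, while only the success path frees them. Collect the failures into one condition and fall through to the existing cleanup, as below. Note also that `ldns_pkt_rr_list_by_type` returning NULL for RRSIG may mean the packet simply carries no signatures rather than that allocation failed — if so, `LDNS_STATUS_MEM_ERR` misreports an unsigned denial, and the NSEC branch above this hunk may show which status that case should map to. The function's start is outside the hunk; the rewrite assumes `ldns_rr_free` and `ldns_rr_list_deep_free` accept NULL, otherwise guard those two calls.
```c
} else if( (nsecs = ldns_pkt_rr_list_by_type(pkt, LDNS_RR_TYPE_NSEC3, LDNS_SECTION_ANY_NOQUESTION)) ) {
	ldns_rr_list* sigs = ldns_pkt_rr_list_by_type(pkt, LDNS_RR_TYPE_RRSIG, LDNS_SECTION_ANY_NOQUESTION);
	ldns_rr* q = ldns_rr_new();
	if(q) {
		ldns_rr_set_question(q, 1);
		ldns_rr_set_ttl(q, 0);
		ldns_rr_set_owner(q, ldns_rdf_clone(name));
		ldns_rr_set_type(q, type);
	}
	if(!sigs || !q || !ldns_rr_owner(q)) {
		result = LDNS_STATUS_MEM_ERR;
	} else {
		result = ldns_dnssec_verify_denial_nsec3(q, nsecs, sigs, ldns_pkt_get_rcode(pkt), type, ldns_pkt_ancount(pkt) == 0);
	}
	/* every path, failing or not, releases what this branch acquired */
	ldns_rr_free(q);
	ldns_rr_list_deep_free(nsecs);
	ldns_rr_list_deep_free(sigs);
}
```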
......@@ -172,6 +172,9 @@
/* Define to 1 if you have the ANSI C header files. */
#undef STDC_HEADERS
/* Define this to enable ECDSA support. */
#undef USE_ECDSA
/* Define this to enable GOST support. */
#undef USE_GOST
......@@ -321,6 +324,7 @@
#endif
#ifdef HAVE_WINSOCK2_H
#define USE_WINSOCK 1
#include <winsock2.h>
#endif
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.65 for ldns 1.6.6.
# Generated by GNU Autoconf 2.65 for ldns 1.6.7.
#
# Report bugs to <libdns@nlnetlabs.nl>.
#
......@@ -552,8 +552,8 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='ldns'
PACKAGE_TARNAME='libdns'
PACKAGE_VERSION='1.6.6'
PACKAGE_STRING='ldns 1.6.6'
PACKAGE_VERSION='1.6.7'
PACKAGE_STRING='ldns 1.6.7'
PACKAGE_BUGREPORT='libdns@nlnetlabs.nl'
PACKAGE_URL=''
......@@ -660,6 +660,7 @@ enable_rpath
with_ssl
enable_sha2
enable_gost
enable_ecdsa
with_ldns
'
ac_precious_vars='build_alias
......@@ -1212,7 +1213,7 @@ if test "$ac_init_help" = "long"; then