From 20f2d9b41bfee9394e2fcaa983b9cadf3813f839 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Wed, 29 May 2019 15:32:16 +1000
Subject: [PATCH] test Ed448 against test vectors

---
 .../eddsa/ns2/Xexample.com.+016+09713.key     |  1 +
 .../eddsa/ns2/Xexample.com.+016+09713.private |  3 ++
 .../eddsa/ns2/Xexample.com.+016+38353.key     |  1 +
 .../eddsa/ns2/Xexample.com.+016+38353.private |  3 ++
 bin/tests/system/eddsa/ns2/example.com.db     |  2 ++
 bin/tests/system/eddsa/ns2/sign.sh            |  4 ++-
 bin/tests/system/eddsa/tests.sh               | 22 +++++++++++--
 config.h.in                                   |  3 ++
 configure                                     | 32 +++++++++++++------
 configure.ac                                  | 15 ++++-----
 util/copyrights                               |  4 +++
 11 files changed, 70 insertions(+), 20 deletions(-)
 create mode 100644 bin/tests/system/eddsa/ns2/Xexample.com.+016+09713.key
 create mode 100644 bin/tests/system/eddsa/ns2/Xexample.com.+016+09713.private
 create mode 100644 bin/tests/system/eddsa/ns2/Xexample.com.+016+38353.key
 create mode 100644 bin/tests/system/eddsa/ns2/Xexample.com.+016+38353.private

diff --git a/bin/tests/system/eddsa/ns2/Xexample.com.+016+09713.key b/bin/tests/system/eddsa/ns2/Xexample.com.+016+09713.key
new file mode 100644
index 0000000000..5c4628f89a
--- /dev/null
+++ b/bin/tests/system/eddsa/ns2/Xexample.com.+016+09713.key
@@ -0,0 +1 @@
+example.com. IN DNSKEY 257 3 16 3kgROaDjrh0H2iuixWBrc8g2EpBBLCdGzHmn+G2MpTPhpj/OiBVHHSfPodx1FYYUcJKm1MDpJtIA
diff --git a/bin/tests/system/eddsa/ns2/Xexample.com.+016+09713.private b/bin/tests/system/eddsa/ns2/Xexample.com.+016+09713.private
new file mode 100644
index 0000000000..eb065f9fde
--- /dev/null
+++ b/bin/tests/system/eddsa/ns2/Xexample.com.+016+09713.private
@@ -0,0 +1,3 @@
+Private-key-format: v1.2
+Algorithm: 16 (ED448)
+PrivateKey: xZ+5Cgm463xugtkY5B0Jx6erFTXp13rYegst0qRtNsOYnaVpMx0Z/c5EiA9x8wWbDDct/U3FhYWA
diff --git a/bin/tests/system/eddsa/ns2/Xexample.com.+016+38353.key b/bin/tests/system/eddsa/ns2/Xexample.com.+016+38353.key
new file mode 100644
index 0000000000..705856dd42
--- /dev/null
+++ b/bin/tests/system/eddsa/ns2/Xexample.com.+016+38353.key
@@ -0,0 +1 @@
+example.com. IN DNSKEY 257 3 16 kkreGWoccSDmUBGAe7+zsbG6ZAFQp+syPmYUurBRQc3tDjeMCJcVMRDmgcNLp5HlHAMy12VoISsA
diff --git a/bin/tests/system/eddsa/ns2/Xexample.com.+016+38353.private b/bin/tests/system/eddsa/ns2/Xexample.com.+016+38353.private
new file mode 100644
index 0000000000..b512d8064d
--- /dev/null
+++ b/bin/tests/system/eddsa/ns2/Xexample.com.+016+38353.private
@@ -0,0 +1,3 @@
+Private-key-format: v1.2
+Algorithm: 16 (ED448)
+PrivateKey: WEykD3ht3MHkU8iH4uVOLz8JLwtRBSqiBoM6fF72+Mrp/u5gjxuB1DV6NnPO2BlZdz4hdSTkOdOA
diff --git a/bin/tests/system/eddsa/ns2/example.com.db b/bin/tests/system/eddsa/ns2/example.com.db
index 8a2b6cdf5b..306a156979 100644
--- a/bin/tests/system/eddsa/ns2/example.com.db
+++ b/bin/tests/system/eddsa/ns2/example.com.db
@@ -21,3 +21,5 @@ ns.example.com.		A	10.53.0.3
 ;
 $INCLUDE Kexample.com.+015+03613.key
 $INCLUDE Kexample.com.+015+35217.key
+$INCLUDE Kexample.com.+016+09713.key
+$INCLUDE Kexample.com.+016+38353.key
diff --git a/bin/tests/system/eddsa/ns2/sign.sh b/bin/tests/system/eddsa/ns2/sign.sh
index f9d819459d..7aeceecd2a 100644
--- a/bin/tests/system/eddsa/ns2/sign.sh
+++ b/bin/tests/system/eddsa/ns2/sign.sh
@@ -18,7 +18,9 @@ starttime=20150729220000
 endtime=20150819220000
 
 for i in Xexample.com.+015+03613.key Xexample.com.+015+03613.private \
-	 Xexample.com.+015+35217.key Xexample.com.+015+35217.private
+	 Xexample.com.+015+35217.key Xexample.com.+015+35217.private \
+	 Xexample.com.+016+09713.key Xexample.com.+016+09713.private \
+	 Xexample.com.+016+38353.key Xexample.com.+016+38353.private
 do
 	cp $i `echo $i | sed s/X/K/`
 done
diff --git a/bin/tests/system/eddsa/tests.sh b/bin/tests/system/eddsa/tests.sh
index 361380cccd..4f6269e34b 100644
--- a/bin/tests/system/eddsa/tests.sh
+++ b/bin/tests/system/eddsa/tests.sh
@@ -13,7 +13,7 @@ SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
 
 status=0
-n=0
+n=1
 
 rm -f dig.out.*
 
@@ -33,7 +33,7 @@ status=`expr $status + $ret`
 
 # Check test vectors (RFC 8080 + errata)
 
-echo "I:checking that test vectors match ($n)"
+echo "I:checking that Ed25519 test vectors match ($n)"
 ret=0
 grep 'oL9krJun7xfBOIWcGHi7mag5/hdZrKWw15jP' ns2/example.com.db.signed > /dev/null || ret=1
 grep 'VrbpMngwcrqNAg==' ns2/example.com.db.signed > /dev/null || ret=1
@@ -43,5 +43,23 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+echo "I:checking that Ed448 test vectors match ($n)"
+ret=0
+grep '3cPAHkmlnxcDHMyg7vFC34l0blBhuG1qpwLm' ns2/example.com.db.signed > /dev/null || ret=1
+grep 'jInI8w1CMB29FkEAIJUA0amxWndkmnBZ6SKi' ns2/example.com.db.signed > /dev/null || ret=1
+grep 'wZSAxGILn/NBtOXft0+Gj7FSvOKxE/07+4RQ' ns2/example.com.db.signed > /dev/null || ret=1
+grep 'vE581N3Aj/JtIyaiYVdnYtyMWbSNyGEY2213' ns2/example.com.db.signed > /dev/null || ret=1
+grep 'WKsJlwEA' ns2/example.com.db.signed > /dev/null || ret=1
+
+grep 'E1/oLjSGIbmLny/4fcgM1z4oL6aqo+izT3ur' ns2/example.com.db.signed > /dev/null || ret=1
+grep 'CyHyvEp4Sp8Syg1eI+lJ57CSnZqjJP41O/9l' ns2/example.com.db.signed > /dev/null || ret=1
+grep '4m0AsQ4f7qI1gVnML8vWWiyW2KXhT9kuAICU' ns2/example.com.db.signed > /dev/null || ret=1
+grep 'Sxv5OWbf81Rq7Yu60npabODB0QFPb/rkW3kU' ns2/example.com.db.signed > /dev/null || ret=1
+grep 'ZmQ0YQUA' ns2/example.com.db.signed > /dev/null || ret=1
+
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 echo "I:exit status: $status"
 [ $status -eq 0 ] || exit 1
diff --git a/config.h.in b/config.h.in
index 252bb8b553..4f40e31458 100644
--- a/config.h.in
+++ b/config.h.in
@@ -285,6 +285,9 @@
 /* define if OpenSSL supports Ed25519 */
 #undef HAVE_OPENSSL_ED25519
 
+/* define if OpenSSL supports Ed448 */
+#undef HAVE_OPENSSL_ED448
+
 /* Define to 1 if you have the `processor_bind' function. */
 #undef HAVE_PROCESSOR_BIND
 
diff --git a/configure b/configure
index 76fbe0ce42..09167c62f4 100755
--- a/configure
+++ b/configure
@@ -15996,15 +15996,29 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for Ed448 support" >&5
 $as_echo_n "checking for Ed448 support... " >&6; }
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: broken" >&5
-$as_echo "broken" >&6; }
-#AC_COMPILE_IFELSE(
-#    [AC_LANG_PROGRAM([[#include <openssl/evp.h>
-#		       #include <openssl/ec.h>]],
-#		     [[EC_KEY *key = EC_KEY_new_by_curve_name(NID_ED448);]])],
-#    [AC_DEFINE([HAVE_OPENSSL_ED448], [1], [define if OpenSSL supports Ed448])
-#     AC_MSG_RESULT([yes])],
-#    [AC_MSG_RESULT([no])])
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <openssl/evp.h>
+		       #include <openssl/ec.h>
+int
+main ()
+{
+EC_KEY *key = EC_KEY_new_by_curve_name(NID_ED448);
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+
+$as_echo "#define HAVE_OPENSSL_ED448 1" >>confdefs.h
+
+     { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 
 #
 # Check for OpenSSL SHA-1 support
diff --git a/configure.ac b/configure.ac
index 7a76ace3b1..1e20f1724e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -805,14 +805,13 @@ AC_COMPILE_IFELSE(
     [AC_MSG_RESULT([no])])
 
 AC_MSG_CHECKING([for Ed448 support])
-AC_MSG_RESULT([broken])
-#AC_COMPILE_IFELSE(
-#    [AC_LANG_PROGRAM([[#include <openssl/evp.h>
-#		       #include <openssl/ec.h>]],
-#		     [[EC_KEY *key = EC_KEY_new_by_curve_name(NID_ED448);]])],
-#    [AC_DEFINE([HAVE_OPENSSL_ED448], [1], [define if OpenSSL supports Ed448])
-#     AC_MSG_RESULT([yes])],
-#    [AC_MSG_RESULT([no])])
+AC_COMPILE_IFELSE(
+    [AC_LANG_PROGRAM([[#include <openssl/evp.h>
+		       #include <openssl/ec.h>]],
+		     [[EC_KEY *key = EC_KEY_new_by_curve_name(NID_ED448);]])],
+    [AC_DEFINE([HAVE_OPENSSL_ED448], [1], [define if OpenSSL supports Ed448])
+     AC_MSG_RESULT([yes])],
+    [AC_MSG_RESULT([no])])
 
 #
 # Check for OpenSSL SHA-1 support
diff --git a/util/copyrights b/util/copyrights
index 2618ec77e0..ff2bd91ac1 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -614,6 +614,10 @@
 ./bin/tests/system/eddsa/ns2/Xexample.com.+015+03613.private	X	2017,2018,2019
 ./bin/tests/system/eddsa/ns2/Xexample.com.+015+35217.key	X	2017,2018,2019
 ./bin/tests/system/eddsa/ns2/Xexample.com.+015+35217.private	X	2017,2018,2019
+./bin/tests/system/eddsa/ns2/Xexample.com.+016+09713.key	X	2019
+./bin/tests/system/eddsa/ns2/Xexample.com.+016+09713.private	X	2019
+./bin/tests/system/eddsa/ns2/Xexample.com.+016+38353.key	X	2019
+./bin/tests/system/eddsa/ns2/Xexample.com.+016+38353.private	X	2019
 ./bin/tests/system/eddsa/ns2/sign.sh		SH	2017,2018,2019
 ./bin/tests/system/eddsa/prereq.sh		SH	2017,2018,2019
 ./bin/tests/system/eddsa/setup.sh		SH	2017,2018,2019