diff --git a/CHANGES b/CHANGES
index fdfe071e5b..0151d7ba30 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+4665. [func] Add Ed25519 support (RFC 8080). [RT #25519]
+
4663. [cleanup] Clarify error message printed by dnssec-dsfromkey.
[RT #21731]
diff --git a/bin/dnssec/dnssec-keyfromlabel.c b/bin/dnssec/dnssec-keyfromlabel.c
index defcc7e27c..4961a60e17 100644
--- a/bin/dnssec/dnssec-keyfromlabel.c
+++ b/bin/dnssec/dnssec-keyfromlabel.c
@@ -60,7 +60,8 @@ int verbose;
static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 |"
" NSEC3DSA | NSEC3RSASHA1 |"
" RSASHA256 | RSASHA512 | ECCGOST |"
- " ECDSAP256SHA256 | ECDSAP384SHA384";
+ " ECDSAP256SHA256 | ECDSAP384SHA384 |"
+ " ED25519 | ED448";
ISC_PLATFORM_NORETURN_PRE static void
usage(void) ISC_PLATFORM_NORETURN_POST;
@@ -412,7 +413,8 @@ main(int argc, char **argv) {
alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 &&
alg != DST_ALG_RSASHA256 && alg != DST_ALG_RSASHA512 &&
alg != DST_ALG_ECCGOST &&
- alg != DST_ALG_ECDSA256 && alg != DST_ALG_ECDSA384) {
+ alg != DST_ALG_ECDSA256 && alg != DST_ALG_ECDSA384 &&
+ alg != DST_ALG_ED25519 && alg != DST_ALG_ED448) {
fatal("%s is incompatible with NSEC3; "
"do not use the -3 option", algname);
}
diff --git a/bin/dnssec/dnssec-keyfromlabel.docbook b/bin/dnssec/dnssec-keyfromlabel.docbook
index 8c2fb508b3..24934f4e1e 100644
--- a/bin/dnssec/dnssec-keyfromlabel.docbook
+++ b/bin/dnssec/dnssec-keyfromlabel.docbook
@@ -107,7 +107,7 @@
Selects the cryptographic algorithm. The value of
must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
- ECDSAP256SHA256 or ECDSAP384SHA384.
+ ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
These values are case insensitive.
diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c
index 4f8841edfa..8ef424751a 100644
--- a/bin/dnssec/dnssec-keygen.c
+++ b/bin/dnssec/dnssec-keygen.c
@@ -91,7 +91,8 @@ usage(void) {
" | NSEC3DSA |\n");
fprintf(stderr, " RSASHA256 | RSASHA512 | ECCGOST |\n");
fprintf(stderr, " ECDSAP256SHA256 | ECDSAP384SHA384 |\n");
- fprintf(stderr, " DH | HMAC-MD5 | HMAC-SHA1 | HMAC-SHA224 | "
+ fprintf(stderr, " ED25519 | ED448 | DH |\n");
+ fprintf(stderr, " HMAC-MD5 | HMAC-SHA1 | HMAC-SHA224 | "
"HMAC-SHA256 | \n");
fprintf(stderr, " HMAC-SHA384 | HMAC-SHA512\n");
fprintf(stderr, " (default: RSASHA1, or "
@@ -110,6 +111,8 @@ usage(void) {
fprintf(stderr, " ECCGOST:\tignored\n");
fprintf(stderr, " ECDSAP256SHA256:\tignored\n");
fprintf(stderr, " ECDSAP384SHA384:\tignored\n");
+ fprintf(stderr, " ED25519:\tignored\n");
+ fprintf(stderr, " ED448:\tignored\n");
fprintf(stderr, " HMAC-MD5:\t[1..512]\n");
fprintf(stderr, " HMAC-SHA1:\t[1..160]\n");
fprintf(stderr, " HMAC-SHA224:\t[1..224]\n");
@@ -581,7 +584,8 @@ main(int argc, char **argv) {
alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 &&
alg != DST_ALG_RSASHA256 && alg!= DST_ALG_RSASHA512 &&
alg != DST_ALG_ECCGOST &&
- alg != DST_ALG_ECDSA256 && alg != DST_ALG_ECDSA384) {
+ alg != DST_ALG_ECDSA256 && alg != DST_ALG_ECDSA384 &&
+ alg != DST_ALG_ED25519 && alg != DST_ALG_ED448) {
fatal("%s is incompatible with NSEC3; "
"do not use the -3 option", algname);
}
@@ -615,7 +619,9 @@ main(int argc, char **argv) {
" to %d\n", size);
} else if (alg != DST_ALG_ECCGOST &&
alg != DST_ALG_ECDSA256 &&
- alg != DST_ALG_ECDSA384)
+ alg != DST_ALG_ECDSA384 &&
+ alg != DST_ALG_ED25519 &&
+ alg != DST_ALG_ED448)
fatal("key size not specified (-b option)");
}
@@ -752,6 +758,12 @@ main(int argc, char **argv) {
case DST_ALG_ECDSA384:
size = 384;
break;
+ case DST_ALG_ED25519:
+ size = 256;
+ break;
+ case DST_ALG_ED448:
+ size = 456;
+ break;
case DST_ALG_HMACMD5:
options |= DST_TYPE_KEY;
if (size < 1 || size > 512)
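Review bot: The `size = 456;` in the new `DST_ALG_ED448` case reads like a typo for 448 and has no comment explaining it. A one-line comment such as `/* Ed448 public keys are 57 octets (456 bits), RFC 8080 */` above the assignment would stop a later "fix" to 448. The same value appears in the pkcs11-keygen bit-size check, so the comment is worth repeating there. The enclosing switch in main starts and ends outside this hunk.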
@@ -885,6 +897,8 @@ main(int argc, char **argv) {
case DST_ALG_ECCGOST:
case DST_ALG_ECDSA256:
case DST_ALG_ECDSA384:
+ case DST_ALG_ED25519:
+ case DST_ALG_ED448:
show_progress = ISC_TRUE;
/* fall through */
diff --git a/bin/dnssec/dnssec-keygen.docbook b/bin/dnssec/dnssec-keygen.docbook
index a189d0d20a..651d655663 100644
--- a/bin/dnssec/dnssec-keygen.docbook
+++ b/bin/dnssec/dnssec-keygen.docbook
@@ -122,7 +122,7 @@
Selects the cryptographic algorithm. For DNSSEC keys, the value
of must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
- ECDSAP256SHA256 or ECDSAP384SHA384.
+ ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
For TSIG/TKEY, the value must
be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
@@ -194,8 +194,8 @@
If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by
default. Note that RSASHA256, RSASHA512, ECCGOST,
- ECDSAP256SHA256 and ECDSAP384SHA384 algorithms
- are NSEC3-capable.
+ ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448
+ algorithms are NSEC3-capable.
diff --git a/bin/pkcs11/pkcs11-keygen.c b/bin/pkcs11/pkcs11-keygen.c
index 75baa04052..fe314ab409 100644
--- a/bin/pkcs11/pkcs11-keygen.c
+++ b/bin/pkcs11/pkcs11-keygen.c
@@ -73,6 +73,7 @@
#define WANT_DH_PRIMES
#define WANT_ECC_CURVES
#include
+#include
#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
#define getpassphrase(x) getpass(x)
@@ -82,13 +83,14 @@
static CK_BBOOL truevalue = TRUE;
static CK_BBOOL falsevalue = FALSE;
-/* Key class: RSA, ECC, DSA, DH, or unknown */
+/* Key class: RSA, ECC, ECX, DSA, DH, or unknown */
typedef enum {
key_unknown,
key_rsa,
key_dsa,
key_dh,
- key_ecc
+ key_ecc,
+ key_ecx
} key_class_t;
/*
@@ -136,7 +138,7 @@ static CK_ATTRIBUTE rsa_template[] = {
};
/*
- * Public key template for ECC keys
+ * Public key template for ECC/ECX keys
*/
#define ECC_LABEL 0
#define ECC_VERIFY 1
@@ -247,6 +249,9 @@ keyclass_fromtext(const char *name) {
else if (strncasecmp(name, "ecc", 3) == 0 ||
strncasecmp(name, "ecdsa", 5) == 0)
return (key_ecc);
+ else if (strncasecmp(name, "ecx", 3) == 0 ||
+ strncasecmp(name, "ed", 2) == 0)
+ return (key_ecx);
else
return (key_unknown);
}
@@ -425,6 +430,39 @@ main(int argc, char *argv[]) {
sizeof(pk11_ecc_secp384r1);
}
+ break;
+ case key_ecx:
+#ifndef CKM_EDDSA_KEY_PAIR_GEN
+ fprintf(stderr, "CKM_EDDSA_KEY_PAIR_GEN is not defined\n");
+ usage();
+#endif
+ op_type = OP_EC;
+ if (bits == 0)
+ bits = 256;
+ else if (bits != 256 && bits != 456) {
+ fprintf(stderr, "ECX keys only support bit sizes of "
+ "256 and 456\n");
+ exit(2);
+ }
+
+ mech.mechanism = CKM_EDDSA_KEY_PAIR_GEN;
+ mech.pParameter = NULL;
+ mech.ulParameterLen = 0;
+
+ public_template = ecc_template;
+ public_attrcnt = ECC_ATTRS;
+ id_offset = ECC_ID;
+
+ if (bits == 256) {
+ public_template[4].pValue = pk11_ecc_ed25519;
+ public_template[4].ulValueLen =
+ sizeof(pk11_ecc_ed25519);
+ } else {
+ public_template[4].pValue = pk11_ecc_ed448;
+ public_template[4].ulValueLen =
+ sizeof(pk11_ecc_ed448);
+ }
+
break;
case key_dsa:
op_type = OP_DSA;
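Review bot: The `#ifndef CKM_EDDSA_KEY_PAIR_GEN` guard at the top of the new `key_ecx` case does not protect the code that follows it, because `mech.mechanism = CKM_EDDSA_KEY_PAIR_GEN;` sits outside the conditional. If the PKCS#11 headers lack the macro, the file would fail to compile instead of printing the message, unless the newly added include always defines it, which is not visible here. Either wrap the rest of the case in the matching `#else` … `#endif`, or drop the guard if the header guarantees the definition. main's body continues outside the hunk.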
@@ -570,7 +608,7 @@ main(int argc, char *argv[]) {
private_template[5].pValue = &truevalue;
}
- if (keyclass == key_rsa || keyclass == key_ecc)
+ if (keyclass == key_rsa || keyclass == key_ecc || keyclass == key_ecx)
goto generate_keys;
/*
diff --git a/bin/pkcs11/pkcs11-keygen.docbook b/bin/pkcs11/pkcs11-keygen.docbook
index 163586d7b4..e024ce9f01 100644
--- a/bin/pkcs11/pkcs11-keygen.docbook
+++ b/bin/pkcs11/pkcs11-keygen.docbook
@@ -79,11 +79,11 @@
Specify the key algorithm class: Supported classes are RSA,
- DSA, DH, and ECC. In addition to these strings, the
+ DSA, DH, ECC and ECX. In addition to these strings, the
can be specified as a DNSSEC
signing algorithm that will be used with this key; for
- example, NSEC3RSASHA1 maps to RSA, and ECDSAP256SHA256 maps
- to ECC. The default class is "RSA".
+ example, NSEC3RSASHA1 maps to RSA, ECDSAP256SHA256 maps
+ to ECC, and ED25519 to ECX. The default class is "RSA".
@@ -94,7 +94,8 @@
Create the key pair with bits of
prime. For ECC keys, the only valid values are 256 and 384,
- and the default is 256.
+ and the default is 256. For ECX kyes, the only valid values
+ are 256 and 456, and the default is 256.
diff --git a/bin/python/isc/dnskey.py.in b/bin/python/isc/dnskey.py.in
index 744e239c1f..0c54566695 100644
--- a/bin/python/isc/dnskey.py.in
+++ b/bin/python/isc/dnskey.py.in
@@ -38,7 +38,7 @@ class dnskey:
_ALGNAMES = (None, 'RSAMD5', 'DH', 'DSA', 'ECC', 'RSASHA1',
'NSEC3DSA', 'NSEC3RSASHA1', 'RSASHA256', None,
'RSASHA512', None, 'ECCGOST', 'ECDSAP256SHA256',
- 'ECDSAP384SHA384')
+ 'ECDSAP384SHA384', 'ED25519', 'ED448')
def __init__(self, key, directory=None, keyttl=None):
# this makes it possible to use algname as a class or instance method
diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in
index 1d2e07b74a..b0cff4f30c 100644
--- a/bin/tests/system/conf.sh.in
+++ b/bin/tests/system/conf.sh.in
@@ -77,7 +77,7 @@ SUBDIRS="acl additional allow_query addzone autosign builtin
cacheclean case chain checkconf @CHECKDS@ checknames
checkzone cookie @COVERAGE@ database delv digdelv dlv
dlvauto dlz dlzexternal dlzredir dns64 dnssec dsdigest
- dscp ecdsa ednscompliance emptyzones fetchlimit filter-aaaa
+ dscp ecdsa eddsa ednscompliance emptyzones fetchlimit filter-aaaa
formerr forward geoip glue gost ixfr inline integrity
legacy limits logfileconfig lwresd masterfile masterformat
metadata notify nslookup nsupdate pending @PKCS11_TEST@
diff --git a/bin/tests/system/conf.sh.win32 b/bin/tests/system/conf.sh.win32
index c7380ecb0b..50f9aba75f 100644
--- a/bin/tests/system/conf.sh.win32
+++ b/bin/tests/system/conf.sh.win32
@@ -69,6 +69,7 @@ MDIG=$TOP/Build/$VSCONF/mdig@EXEEXT@
NZD2NZF=$TOP/Build/$VSCONF/named-nzd2nzf@EXEEXT@
FSTRM_CAPTURE=@FSTRM_CAPTURE@
FEATURETEST=$TOP/Build/$VSCONF/feature-test@EXEEXT@
+# to port WIRETEST=$TOP/Build/$VSCONF/wire_test@EXEEXT@
# this is given as argument to native WIN32 executables
RANDFILE=`cygpath -w $TOP/bin/tests/system/random.data`
@@ -85,7 +86,7 @@ MAKEJOURNAL=$TOP/Build/$VSCONF/makejournal@EXEEXT@
SUBDIRS="acl additional addzone allow_query autosign builtin cacheclean case
catz checkconf @CHECKDS@ checknames checkzone cookie @COVERAGE@
database digdelv dlv dlvauto dlz dlzexternal dname dns64 dnssec
- @DNSTAP@ dscp dsdigest dyndb ecdsa ednscompliance emptyzones
+ @DNSTAP@ dscp dsdigest dyndb ecdsa eddsa ednscompliance emptyzones
fetchlimit filter-aaaa formerr forward geoip glue gost inline ixfr
@KEYMGR@ legacy limits logfileconfig lwresd masterfile masterformat
metadata mkeys names notify nslookup nsupdate nzd2nzf pending
diff --git a/bin/tests/system/pkcs11/ns1/named.conf b/bin/tests/system/pkcs11/ns1/named.conf
index f446115752..cb26afb368 100644
--- a/bin/tests/system/pkcs11/ns1/named.conf
+++ b/bin/tests/system/pkcs11/ns1/named.conf
@@ -50,3 +50,9 @@ zone "ecc.example." {
file "ecc.example.db.signed";
allow-update { any; };
};
+
+zone "ecx.example." {
+ type master;
+ file "ecx.example.db.signed";
+ allow-update { any; };
+};
diff --git a/bin/tests/system/pkcs11/prereq.sh b/bin/tests/system/pkcs11/prereq.sh
index c832ab96eb..7ff19da13c 100644
--- a/bin/tests/system/pkcs11/prereq.sh
+++ b/bin/tests/system/pkcs11/prereq.sh
@@ -18,18 +18,24 @@ SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
echo "I:(Native PKCS#11)" >&2
-rsafail=0 eccfail=0
+rsafail=0 eccfail=0 ecxfail=0
$SHELL ../testcrypto.sh -q rsa || rsafail=1
$SHELL ../testcrypto.sh -q ecdsa || eccfail=1
+$SHELL ../testcrypto.sh -q eddsa || ecxfail=1
-if [ $rsafail = 0 -a $eccfail = 0 ]; then
- echo both > supported
-elif [ $rsafail = 1 -a $eccfail = 1 ]; then
+if [ $rsafail = 1 -a $eccfail = 1 ]; then
echo "I:This test requires PKCS#11 support for either RSA or ECDSA cryptography." >&2
exit 255
-elif [ $rsafail = 0 ]; then
- echo rsaonly > supported
-else
- echo ecconly > supported
+fi
+rm -f supported
+touch supported
+if [ $rsafail = 0 ]; then
+ echo rsa >> supported
+fi
+if [ $eccfail = 0 ]; then
+ echo ecc >> supported
+fi
+if [ $ecxfail = 0 ]; then
+ echo ecx >> supported
fi
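Review bot: The early exit `if [ $rsafail = 1 -a $eccfail = 1 ]` ignores `ecxfail`, so a provider that supports only EdDSA skips the whole test, even though setup.sh and tests.sh in this commit can handle a `supported` file containing only `ecx`. The condition should become `if [ $rsafail = 1 -a $eccfail = 1 -a $ecxfail = 1 ]`, and the message should mention EdDSA alongside RSA and ECDSA.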
diff --git a/bin/tests/system/pkcs11/setup.sh b/bin/tests/system/pkcs11/setup.sh
index ceebff50d4..29321198e4 100644
--- a/bin/tests/system/pkcs11/setup.sh
+++ b/bin/tests/system/pkcs11/setup.sh
@@ -22,11 +22,10 @@ infile=ns1/example.db.in
/bin/echo -n ${HSMPIN:-1234}> pin
PWD=`pwd`
-supported=`cat supported`
-
zone=rsa.example
zonefile=ns1/rsa.example.db
-if [ "$supported" != "ecconly" ]; then
+have_rsa=`grep rsa supported`
+if [ "x$have_rsa" != "x" ]; then
$PK11GEN -a RSA -b 1024 -l robie-rsa-zsk1 -i 01
$PK11GEN -a RSA -b 1024 -l robie-rsa-zsk2 -i 02
$PK11GEN -a RSA -b 2048 -l robie-rsa-ksk
@@ -50,7 +49,8 @@ fi
zone=ecc.example
zonefile=ns1/ecc.example.db
-if [ "$supported" != "rsaonly" ]; then
+have_ecc=`grep ecc supported`
+if [ "x$have_ecc" != "x" ]; then
$PK11GEN -a ECC -b 256 -l robie-ecc-zsk1 -i 03
$PK11GEN -a ECC -b 256 -l robie-ecc-zsk2 -i 04
$PK11GEN -a ECC -b 384 -l robie-ecc-ksk
@@ -72,4 +72,32 @@ else
cp $infile ${zonefile}.signed
fi
+zone=ecx.example
+zonefile=ns1/ecx.example.db
+have_ecx=`grep ecx supported`
+if [ "x$have_ecx" != "x" ]; then
+ $PK11GEN -a ECX -b 256 -l robie-ecx-zsk1 -i 05
+ $PK11GEN -a ECX -b 256 -l robie-ecx-zsk2 -i 06
+ $PK11GEN -a ECX -b 256 -l robie-ecx-ksk
+# $PK11GEN -a ECX -b 456 -l robie-ecx-ksk
+
+ ecxzsk1=`$KEYFRLAB -a ED25519 \
+ -l "object=robie-ecx-zsk1;pin-source=$PWD/pin" ecx.example`
+ ecxzsk2=`$KEYFRLAB -a ED25519 \
+ -l "object=robie-ecx-zsk2;pin-source=$PWD/pin" ecx.example`
+ ecxksk=`$KEYFRLAB -a ED25519 -f ksk \
+ -l "object=robie-ecx-ksk;pin-source=$PWD/pin" ecx.example`
+# ecxksk=`$KEYFRLAB -a ED448 -f ksk \
+# -l "object=robie-ecx-ksk;pin-source=$PWD/pin" ecx.example`
+
+ cat $infile $ecxzsk1.key $ecxksk.key > $zonefile
+ $SIGNER -a -P -g -r $RANDFILE -o $zone $zonefile \
+ > /dev/null 2> signer.err || cat signer.err
+ cp $ecxzsk2.key ns1/ecx.key
+ mv Kecx* ns1
+else
+ # ECX not available and will not be tested; make a placeholder
+ cp $infile ${zonefile}.signed
+fi
+
rm -f signer.err
diff --git a/bin/tests/system/pkcs11/tests.sh b/bin/tests/system/pkcs11/tests.sh
index aca9500168..4a246560af 100644
--- a/bin/tests/system/pkcs11/tests.sh
+++ b/bin/tests/system/pkcs11/tests.sh
@@ -24,13 +24,19 @@ DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300"
status=0
ret=0
-supported=`cat supported`
-case $supported in
- rsaonly) algs="rsa" ;;
- ecconly) algs="ecc" ;;
- both) algs="rsa ecc" ;;
-esac
-
+algs=""
+have_rsa=`grep rsa supported`
+if [ "x$have_rsa" != "x" ]; then
+ algs="rsa "
+fi
+have_ecc=`grep ecc supported`
+if [ "x$have_ecc" != "x" ]; then
+ algs=$algs"ecc "
+fi
+have_ecx=`grep ecc supported`
+if [ "x$have_ecx" != "x" ]; then
+ algs=$algs"ecx "
+fi
for alg in $algs; do
zonefile=ns1/$alg.example.db
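Review bot: `have_ecx` is filled from `grep ecc supported`, so `ecx` is added to `algs` whenever ECDSA is supported and never when only EdDSA is. The line should read ``have_ecx=`grep ecx supported` ``. As written, a provider with ECDSA but no EdDSA would run the ecx checks against the placeholder zone that setup.sh copies in, and presumably fail. A provider that does support EdDSA gets its coverage only as a side effect of the ECDSA result.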
@@ -74,6 +80,7 @@ END
case $alg in
rsa) id=02 ;;
ecc) id=04 ;;
+ ecx) id=06 ;;
esac
$PK11DEL -i $id -w0 > /dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
diff --git a/bin/tests/system/testcrypto.sh b/bin/tests/system/testcrypto.sh
index 4cec7f4834..8885055e5f 100644
--- a/bin/tests/system/testcrypto.sh
+++ b/bin/tests/system/testcrypto.sh
@@ -47,6 +47,11 @@ while test "$#" -gt 0; do
msg1="ECDSA cryptography"
msg2="--with-ecdsa"
;;
+ eddsa|EDDSA)
+ alg="-a ED25519"
+ msg1="EDDSA cryptography"
+ msg2="--with-eddsa"
+ ;;
*)
echo "${prog}: unknown argument"
exit 1
diff --git a/config.h.in b/config.h.in
index bf7f385893..30f609163b 100644
--- a/config.h.in
+++ b/config.h.in
@@ -372,6 +372,12 @@ int sigwait(const unsigned int *set, int *sig);
/* Define if your OpenSSL version supports ECDSA. */
#undef HAVE_OPENSSL_ECDSA
+/* Define if your OpenSSL version supports Ed25519. */
+#undef HAVE_OPENSSL_ED25519
+
+/* Define if your OpenSSL version supports Ed448. */
+#undef HAVE_OPENSSL_ED448
+
/* Define if your OpenSSL version supports EVP AES */
#undef HAVE_OPENSSL_EVP_AES
@@ -381,6 +387,12 @@ int sigwait(const unsigned int *set, int *sig);
/* Define if your PKCS11 provider supports ECDSA. */
#undef HAVE_PKCS11_ECDSA
+/* Define if your PKCS11 provider supports Ed25519. */
+#undef HAVE_PKCS11_ED25519
+
+/* Define if your PKCS11 provider supports Ed448. */
+#undef HAVE_PKCS11_ED448
+
/* Define if your PKCS11 provider supports GOST. */
#undef HAVE_PKCS11_GOST
diff --git a/config.h.win32 b/config.h.win32
index 0b0d6a8691..056b2c0257 100644
--- a/config.h.win32
+++ b/config.h.win32
@@ -337,12 +337,24 @@ typedef __int64 off_t;
/* Define if OpenSSL includes ECDSA support */
@HAVE_OPENSSL_ECDSA@
+/* Define if OpenSSL includes Ed25519 support */
+@HAVE_OPENSSL_ED25519@
+
+/* Define if OpenSSL includes Ed448 support */
+@HAVE_OPENSSL_ED448@
+
/* Define if your OpenSSL version supports GOST. */
@HAVE_OPENSSL_GOST@
/* Define if your PKCS11 provider supports ECDSA. */
@HAVE_PKCS11_ECDSA@
+/* Define if your PKCS11 provider supports Ed25519. */
+@HAVE_PKCS11_ED25519@
+
+/* Define if your PKCS11 provider supports Ed448. */
+@HAVE_PKCS11_ED448@
+
/* Define if your PKCS11 provider supports GOST. */
@HAVE_PKCS11_GOST@
diff --git a/configure b/configure
index f7dadb6716..96578e85b9 100755
--- a/configure
+++ b/configure
@@ -814,6 +814,7 @@ MKDEPCC
JSONSTATS
XMLSTATS
PKCS11_TEST
+PKCS11_ED25519
PKCS11_GOST
PKCS11_ECDSA
CRYPTO
@@ -836,11 +837,14 @@ ISC_OPENSSL_INC
ISC_PLATFORM_OPENSSLHASH
ISC_PLATFORM_WANTAES
OPENSSL_GOST
+OPENSSL_ED25519
OPENSSL_ECDSA
OPENSSLLINKSRCS
OPENSSLLINKOBJS
OPENSSLGOSTLINKSRCS
OPENSSLGOSTLINKOBJS
+OPENSSLEDDSALINKSRCS
+OPENSSLEDDSALINKOBJS
DST_OPENSSL_INC
HAVE_SIT
ISC_PLATFORM_USESIT
@@ -1009,6 +1013,7 @@ with_openssl
with_pkcs11
with_ecdsa
with_gost
+with_eddsa
with_aes
enable_openssl_hash
enable_sit
@@ -1738,6 +1743,7 @@ Optional Packages:
(PATH is for the PKCS11 provider)
--with-ecdsa Crypto ECDSA
--with-gost Crypto GOST yes|no|raw|asn1.
+ --with-eddsa Crypto EDDSA yes|all|no.
--with-aes Crypto AES
--with-sit-alg=ALG choose the algorithm for SIT [aes|sha1|sha256]
--with-libxml2=PATH build with libxml2 library yes|no|path
@@ -15738,7 +15744,7 @@ fi
#
-# were --with-ecdsa, --with-gost, --with-aes specified
+# were --with-ecdsa, --with-gost, --with-eddsa, --with-aes specified
#
# Check whether --with-ecdsa was given.
@@ -15757,6 +15763,14 @@ else
fi
+# Check whether --with-eddsa was given.
+if test "${with_eddsa+set}" = set; then :
+ withval=$with_eddsa; with_eddsa="$withval"
+else
+ with_eddsa="auto"
+fi
+
+
# Check whether --with-aes was given.
if test "${with_aes+set}" = set; then :
withval=$with_aes; with_aes="$withval"
@@ -15874,6 +15888,7 @@ then
fi
OPENSSL_ECDSA=""
OPENSSL_GOST=""
+OPENSSL_ED25519=""
gosttype="raw"
case "$with_gost" in
raw)
@@ -15899,6 +15914,8 @@ case "$use_openssl" in
$as_echo "disabled because of native PKCS11" >&6; }
DST_OPENSSL_INC=""
CRYPTO="-DPKCS11CRYPTO"
+ OPENSSLEDDSALINKOBJS=""
+ OPENSSLEDDSALINKSRS=""
OPENSSLGOSTLINKOBJS=""
OPENSSLGOSTLINKSRS=""
OPENSSLLINKOBJS=""
@@ -15909,6 +15926,8 @@ $as_echo "disabled because of native PKCS11" >&6; }
$as_echo "no" >&6; }
DST_OPENSSL_INC=""
CRYPTO=""
+ OPENSSLEDDSALINKOBJS=""
+ OPENSSLEDDSALINKSRS=""
OPENSSLGOSTLINKOBJS=""
OPENSSLGOSTLINKSRS=""
OPENSSLLINKOBJS=""
@@ -15917,6 +15936,8 @@ $as_echo "no" >&6; }
auto)
DST_OPENSSL_INC=""
CRYPTO=""
+ OPENSSLEDDSALINKOBJS=""
+ OPENSSLEDDSALINKSRS=""
OPENSSLGOSTLINKOBJS=""
OPENSSLGOSTLINKSRS=""
OPENSSLLINKOBJS=""
@@ -16330,6 +16351,120 @@ $as_echo "#define HAVE_OPENSSL_GOST 1" >>confdefs.h
;;
esac
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL Ed25519 support" >&5
+$as_echo_n "checking for OpenSSL Ed25519 support... " >&6; }
+ have_ed25519=""
+ have_ed448=""
+ if test "$cross_compiling" = yes; then :
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: using --with-eddsa" >&5
+$as_echo "using --with-eddsa" >&6; }
+else
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+#include
+#include
+int main() {
+ EVP_PKEY_CTX *ctx;
+
+ ctx = EVP_PKEY_CTX_new_id(NID_ED25519, NULL);
+ if (ctx == NULL)
+ return (2);
+ return (0);
+}
+
+_ACEOF
+if ac_fn_c_try_run "$LINENO"; then :
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+ have_ed25519="yes"
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+ have_ed25519="no"
+fi
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
+ conftest.$ac_objext conftest.beam conftest.$ac_ext
+fi
+
+ case "$with_eddsa" in
+ yes|all)
+ case "$have_ed25519" in
+ no) as_fn_error $? "eddsa not supported" "$LINENO" 5 ;;
+ *) have_ed25519=yes ;;
+ esac
+ ;;
+ no)
+ have_ed25519=no ;;
+ *)
+ case "$have_ed25519" in
+ yes|no) ;;
+ *) as_fn_error $? "need --with-eddsa=[yes, all or no]" "$LINENO" 5 ;;
+ esac
+ ;;
+ esac
+ case $have_ed25519 in
+ yes)
+ OPENSSL_ED25519="yes"
+ OPENSSLEDDSALINKOBJS='${OPENSSLEDDSALINKOBJS}'
+ OPENSSLEDDSALINKSRCS='${OPENSSLEDDSALINKSRCS}'
+
+$as_echo "#define HAVE_OPENSSL_ED25519 1" >>confdefs.h
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL Ed448 support" >&5
+$as_echo_n "checking for OpenSSL Ed448 support... " >&6; }
+ if test "$cross_compiling" = yes; then :
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: using --with-eddsa" >&5
+$as_echo "using --with-eddsa" >&6; }
+else
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+#include
+#include
+int main() {
+ EVP_PKEY_CTX *ctx;
+
+ ctx = EVP_PKEY_CTX_new_id(NID_ED448, NULL);
+ if (ctx == NULL)
+ return (2);
+ return (0);
+}
+
+_ACEOF
+if ac_fn_c_try_run "$LINENO"; then :
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+ have_ed448="yes"
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+ have_ed448="no"
+fi
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
+ conftest.$ac_objext conftest.beam conftest.$ac_ext
+fi
+
+ case $with_eddsa in
+ all)
+ have_ed448=yes ;;
+ *)
+ ;;
+ esac
+ case $have_ed448 in
+ yes)
+
+$as_echo "#define HAVE_OPENSSL_ED448 1" >>confdefs.h
+],
+ ;;
+ *)
+ ;;
+ esac
+ ;;
+ *)
+ ;;
+ esac
+
have_aes="no"
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL AES support" >&5
$as_echo_n "checking for OpenSSL AES support... " >&6; }
@@ -16422,6 +16557,9 @@ esac
+
+
+
DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DST_OPENSSL_LIBS"
ISC_PLATFORM_WANTAES="#undef ISC_PLATFORM_WANTAES"
@@ -16691,6 +16829,7 @@ esac
PKCS11_ECDSA=""
PKCS11_GOST=""
+PKCS11_ED25519=""
set_pk11_flavor="no"
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for native PKCS11" >&5
$as_echo_n "checking for native PKCS11... " >&6; }
@@ -16734,6 +16873,37 @@ $as_echo "#define HAVE_PKCS11_GOST 1" >>confdefs.h
$as_echo "disabled" >&6; }
;;
esac
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for PKCS11 Ed25519" >&5
+$as_echo_n "checking for PKCS11 Ed25519... " >&6; }
+ case "$with_eddsa" in
+ yes|all)
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: enabled" >&5
+$as_echo "enabled" >&6; }
+ PKCS11_ED25519="yes"
+
+$as_echo "#define HAVE_PKCS11_ED25519 1" >>confdefs.h
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for PKCS11 Ed448" >&5
+$as_echo_n "checking for PKCS11 Ed448... " >&6; }
+ case "$with_eddsa" in
+ all)
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: enabled" >&5
+$as_echo "enabled" >&6; }
+
+$as_echo "#define HAVE_PKCS11_ED448 1" >>confdefs.h
+
+ ;;
+ *)
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5
+$as_echo "disabled" >&6; }
+ ;;
+ esac
+ ;;
+ *)
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5
+$as_echo "disabled" >&6; }
+ ;;
+ esac
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for PKCS11 flavor" >&5
$as_echo_n "checking for PKCS11 flavor... " >&6; }
case "$PKCS11_PROVIDER" in
@@ -16794,6 +16964,7 @@ esac
+
# for PKCS11 benchmarks
have_clock_gt=no
@@ -25137,6 +25308,8 @@ report() {
fi
test "yes" = "$OPENSSL_ECDSA" -o "$PKCS11_ECDSA" && \
echo " ECDSA algorithm support (--with-ecdsa)"
+ test "yes" = "$OPENSSL_ED25519" -o "$PKCS11_ED25519" && \
+ echo " EDDSA algorithm support (--with-eddsa)"
test "yes" = "$enable_fixed" && \
echo " Allow 'fixed' rrset-order (--enable-fixed-rrset)"
test "yes" = "$enable_filter" && \
@@ -25199,6 +25372,8 @@ report() {
echo " GOST algorithm support (--with-gost)"
test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ECDSA" -o "yes" = "$PKCS11_ECDSA" || \
echo " ECDSA algorithm support (--with-ecdsa)"
+ test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \
+ echo " EDDSA algorithm support (--with-eddsa)"
test "yes" = "$enable_seccomp" || \
echo " Use libseccomp system call filtering (--enable-seccomp)"
diff --git a/configure.in b/configure.in
index cf752867d9..afbe3cf14b 100644
--- a/configure.in
+++ b/configure.in
@@ -1436,12 +1436,14 @@ AC_ARG_WITH(pkcs11,
use_pkcs11="$withval", use_pkcs11="auto")
#
-# were --with-ecdsa, --with-gost, --with-aes specified
+# were --with-ecdsa, --with-gost, --with-eddsa, --with-aes specified
#
AC_ARG_WITH(ecdsa, [ --with-ecdsa Crypto ECDSA],
with_ecdsa="$withval", with_ecdsa="auto")
AC_ARG_WITH(gost, [ --with-gost Crypto GOST [yes|no|raw|asn1].],
with_gost="$withval", with_gost="auto")
+AC_ARG_WITH(eddsa, [ --with-eddsa Crypto EDDSA [yes|all|no].],
+ with_eddsa="$withval", with_eddsa="auto")
AC_ARG_WITH(aes, [ --with-aes Crypto AES],
with_aes="$withval", with_aes="checksit")
@@ -1536,6 +1538,7 @@ then
fi
OPENSSL_ECDSA=""
OPENSSL_GOST=""
+OPENSSL_ED25519=""
gosttype="raw"
case "$with_gost" in
raw)
@@ -1559,6 +1562,8 @@ case "$use_openssl" in
AC_MSG_RESULT(disabled because of native PKCS11)
DST_OPENSSL_INC=""
CRYPTO="-DPKCS11CRYPTO"
+ OPENSSLEDDSALINKOBJS=""
+ OPENSSLEDDSALINKSRS=""
OPENSSLGOSTLINKOBJS=""
OPENSSLGOSTLINKSRS=""
OPENSSLLINKOBJS=""
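Review bot: `OPENSSLEDDSALINKSRS=""` is misspelled (SRS for SRCS), so the variable later exported through `AC_SUBST(OPENSSLEDDSALINKSRCS)` is never actually cleared in this branch. The same line is repeated in the next two hunks, for the `no` and `auto` branches. It copies the existing `OPENSSLGOSTLINKSRS` spelling on the following line; the new lines should read `OPENSSLEDDSALINKSRCS=""`. The practical impact looks small, since the variable is otherwise only set in the Ed25519 `yes` branch, but the reset does not do what it says.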
@@ -1568,6 +1573,8 @@ case "$use_openssl" in
AC_MSG_RESULT(no)
DST_OPENSSL_INC=""
CRYPTO=""
+ OPENSSLEDDSALINKOBJS=""
+ OPENSSLEDDSALINKSRS=""
OPENSSLGOSTLINKOBJS=""
OPENSSLGOSTLINKSRS=""
OPENSSLLINKOBJS=""
@@ -1576,6 +1583,8 @@ case "$use_openssl" in
auto)
DST_OPENSSL_INC=""
CRYPTO=""
+ OPENSSLEDDSALINKOBJS=""
+ OPENSSLEDDSALINKSRS=""
OPENSSLGOSTLINKOBJS=""
OPENSSLGOSTLINKSRS=""
OPENSSLLINKOBJS=""
@@ -1875,6 +1884,86 @@ int main() {
;;
esac
+ AC_MSG_CHECKING(for OpenSSL Ed25519 support)
+ have_ed25519=""
+ have_ed448=""
+ AC_TRY_RUN([
+#include
+#include
+int main() {
+ EVP_PKEY_CTX *ctx;
+
+ ctx = EVP_PKEY_CTX_new_id(NID_ED25519, NULL);
+ if (ctx == NULL)
+ return (2);
+ return (0);
+}
+],
+ [AC_MSG_RESULT(yes)
+ have_ed25519="yes"],
+ [AC_MSG_RESULT(no)
+ have_ed25519="no"],
+ [AC_MSG_RESULT(using --with-eddsa)])
+ case "$with_eddsa" in
+ yes|all)
+ case "$have_ed25519" in
+ no) AC_MSG_ERROR([eddsa not supported]) ;;
+ *) have_ed25519=yes ;;
+ esac
+ ;;
+ no)
+ have_ed25519=no ;;
+ *)
+ case "$have_ed25519" in
+ yes|no) ;;
+ *) AC_MSG_ERROR([need --with-eddsa=[[yes, all or no]]]) ;;
+ esac
+ ;;
+ esac
+ case $have_ed25519 in
+ yes)
+ OPENSSL_ED25519="yes"
+ OPENSSLEDDSALINKOBJS='${OPENSSLEDDSALINKOBJS}'
+ OPENSSLEDDSALINKSRCS='${OPENSSLEDDSALINKSRCS}'
+ AC_DEFINE(HAVE_OPENSSL_ED25519, 1,
+ [Define if your OpenSSL version supports Ed25519.])
+ AC_MSG_CHECKING(for OpenSSL Ed448 support)
+ AC_TRY_RUN([
+#include
+#include
+int main() {
+ EVP_PKEY_CTX *ctx;
+
+ ctx = EVP_PKEY_CTX_new_id(NID_ED448, NULL);
+ if (ctx == NULL)
+ return (2);
+ return (0);
+}
+],
+ [AC_MSG_RESULT(yes)
+ have_ed448="yes"],
+ [AC_MSG_RESULT(no)
+ have_ed448="no"],
+ [AC_MSG_RESULT(using --with-eddsa)])
+ case $with_eddsa in
+ all)
+ have_ed448=yes ;;
+ *)
+ ;;
+ esac
+ case $have_ed448 in
+ yes)
+ AC_DEFINE(HAVE_OPENSSL_ED448, 1,
+ [Define if your OpenSSL version supports Ed448.])],
+ ;;
+ *)
+ ;;
+ esac
+ ;;
+ *)
+ ;;
+ esac
+
have_aes="no"
AC_MSG_CHECKING(for OpenSSL AES support)
AC_TRY_RUN([
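Review bot: The Ed448 `AC_DEFINE` ends with a stray `],` (`[Define if your OpenSSL version supports Ed448.])],`), which is copied literally into the generated script. The regenerated configure in this same commit shows a bare `],` line before `;;`, and the shell will try to run it as a command when that branch executes. The line should end at `)`. Separately, `--with-eddsa=all` sets `have_ed448=yes` even when the run test just reported `no`, whereas the Ed25519 path calls `AC_MSG_ERROR` in that situation. Mirroring that check would avoid defining `HAVE_OPENSSL_ED448` against a library that lacks the algorithm.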
@@ -1937,11 +2026,14 @@ esac
#
AC_SUBST(DST_OPENSSL_INC)
+AC_SUBST(OPENSSLEDDSALINKOBJS)
+AC_SUBST(OPENSSLEDDSALINKSRCS)
AC_SUBST(OPENSSLGOSTLINKOBJS)
AC_SUBST(OPENSSLGOSTLINKSRCS)
AC_SUBST(OPENSSLLINKOBJS)
AC_SUBST(OPENSSLLINKSRCS)
AC_SUBST(OPENSSL_ECDSA)
+AC_SUBST(OPENSSL_ED25519)
AC_SUBST(OPENSSL_GOST)
DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DST_OPENSSL_LIBS"
@@ -2175,6 +2267,7 @@ AC_SUBST(PKCS11_PROVIDER)
PKCS11_ECDSA=""
PKCS11_GOST=""
+PKCS11_ED25519=""
set_pk11_flavor="no"
AC_MSG_CHECKING(for native PKCS11)
@@ -2208,6 +2301,29 @@ case "$want_native_pkcs11" in
AC_MSG_RESULT(disabled)
;;
esac
+ AC_MSG_CHECKING(for PKCS11 Ed25519)
+ case "$with_eddsa" in
+ yes|all)
+ AC_MSG_RESULT(enabled)
+ PKCS11_ED25519="yes"
+ AC_DEFINE(HAVE_PKCS11_ED25519, 1,
+ [Define if your PKCS11 provider supports Ed25519.])
+ AC_MSG_CHECKING(for PKCS11 Ed448)
+ case "$with_eddsa" in
+ all)
+ AC_MSG_RESULT(enabled)
+ AC_DEFINE(HAVE_PKCS11_ED448, 1,
+ [Define if your PKCS11 provider supports Ed448.])
+ ;;
+ *)
+ AC_MSG_RESULT(disabled)
+ ;;
+ esac
+ ;;
+ *)
+ AC_MSG_RESULT(disabled)
+ ;;
+ esac
AC_MSG_CHECKING(for PKCS11 flavor)
case "$PKCS11_PROVIDER" in
*nfast*)
@@ -2257,6 +2373,7 @@ AC_SUBST(PKCS11LINKSRCS)
AC_SUBST(CRYPTO)
AC_SUBST(PKCS11_ECDSA)
AC_SUBST(PKCS11_GOST)
+AC_SUBST(PKCS11_ED25519)
AC_SUBST(PKCS11_TEST)
# for PKCS11 benchmarks
@@ -5115,6 +5232,8 @@ report() {
fi
test "yes" = "$OPENSSL_ECDSA" -o "$PKCS11_ECDSA" && \
echo " ECDSA algorithm support (--with-ecdsa)"
+ test "yes" = "$OPENSSL_ED25519" -o "$PKCS11_ED25519" && \
+ echo " EDDSA algorithm support (--with-eddsa)"
test "yes" = "$enable_fixed" && \
echo " Allow 'fixed' rrset-order (--enable-fixed-rrset)"
test "yes" = "$enable_filter" && \
@@ -5177,6 +5296,8 @@ report() {
echo " GOST algorithm support (--with-gost)"
test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ECDSA" -o "yes" = "$PKCS11_ECDSA" || \
echo " ECDSA algorithm support (--with-ecdsa)"
+ test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \
+ echo " EDDSA algorithm support (--with-eddsa)"
test "yes" = "$enable_seccomp" || \
echo " Use libseccomp system call filtering (--enable-seccomp)"
diff --git a/lib/dns/Makefile.in b/lib/dns/Makefile.in
index 9203f226d9..c33a64a01f 100644
--- a/lib/dns/Makefile.in
+++ b/lib/dns/Makefile.in
@@ -48,12 +48,14 @@ LIBS = @LIBS@
# Alphabetically
OPENSSLGOSTLINKOBJS = opensslgost_link.@O@
+OPENSSLEDDSALINKOBJS = openssleddsa_link.@O@
OPENSSLLINKOBJS = openssl_link.@O@ openssldh_link.@O@ openssldsa_link.@O@ \
- opensslecdsa_link.@O@ @OPENSSLGOSTLINKOBJS@ \
- opensslrsa_link.@O@
+ opensslecdsa_link.@O@ @OPENSSLEDDSALINKOBJS@ \
+ @OPENSSLGOSTLINKOBJS@ opensslrsa_link.@O@
PKCS11LINKOBJS = pkcs11dh_link.@O@ pkcs11dsa_link.@O@ pkcs11rsa_link.@O@ \
- pkcs11ecdsa_link.@O@ pkcs11gost_link.@O@ pkcs11.@O@
+ pkcs11ecdsa_link.@O@ pkcs11eddsa_link.@O@ \
+ pkcs11gost_link.@O@ pkcs11.@O@
DSTOBJS = @DST_EXTRA_OBJS@ @OPENSSLLINKOBJS@ @PKCS11LINKOBJS@ \
dst_api.@O@ dst_lib.@O@ dst_parse.@O@ dst_result.@O@ \
@@ -87,11 +89,14 @@ OBJS= ${DNSOBJS} ${OTHEROBJS} ${DSTOBJS} ${PORTDNSOBJS} \
# Alphabetically
OPENSSLGOSTLINKSRCS = opensslgost_link.c
+OPENSSLEDDDSALINKSRCS = openssleddsa_link.c
OPENSSLLINKSRCS = openssl_link.c openssldh_link.c openssldsa_link.c \
- opensslecdsa_link.c @OPENSSLGOSTLINKSRCS@ opensslrsa_link.c
+ opensslecdsa_link.c @OPENSSLEDDDSALINKSRCS@ \
+ @OPENSSLGOSTLINKSRCS@ opensslrsa_link.c
PKCS11LINKSRCS = pkcs11dh_link.c pkcs11dsa_link.c pkcs11rsa_link.c \
- pkcs11ecdsa_link.c pkcs11gost_link.c pkcs11.c
+ pkcs11ecdsa_link.c pkcs11eddsa_link.c \
+ pkcs11gost_link.c pkcs11.c
DSTSRCS = @DST_EXTRA_SRCS@ @OPENSSLLINKSRCS@ @PKCS11LINKSRCS@ \
dst_api.c dst_lib.c dst_parse.c \
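Review bot: `OPENSSLEDDDSALINKSRCS` is spelled with three D's in both the definition and the `@OPENSSLEDDDSALINKSRCS@` reference, while configure.in substitutes `OPENSSLEDDSALINKSRCS`. The `@...@` token therefore has no matching `AC_SUBST`, and openssleddsa_link.c presumably never reaches `OPENSSLLINKSRCS`. The OBJS hunk above uses the correct spelling. Both lines should use `OPENSSLEDDSALINKSRCS`.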
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index 14cc6387e3..c50a798506 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -235,6 +235,12 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA256]));
RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA384]));
#endif
+#ifdef HAVE_OPENSSL_ED25519
+ RETERR(dst__openssleddsa_init(&dst_t_func[DST_ALG_ED25519]));
+#endif
+#ifdef HAVE_OPENSSL_ED448
+ RETERR(dst__openssleddsa_init(&dst_t_func[DST_ALG_ED448]));
+#endif
#elif PKCS11CRYPTO
RETERR(dst__pkcs11_init(mctx, engine));
#ifndef PK11_MD5_DISABLE
@@ -255,6 +261,12 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
RETERR(dst__pkcs11ecdsa_init(&dst_t_func[DST_ALG_ECDSA256]));
RETERR(dst__pkcs11ecdsa_init(&dst_t_func[DST_ALG_ECDSA384]));
#endif
+#ifdef HAVE_PKCS11_ED25519
+ RETERR(dst__pkcs11eddsa_init(&dst_t_func[DST_ALG_ED25519]));
+#endif
+#ifdef HAVE_PKCS11_ED448
+ RETERR(dst__pkcs11eddsa_init(&dst_t_func[DST_ALG_ED448]));
+#endif
#ifdef HAVE_PKCS11_GOST
RETERR(dst__pkcs11gost_init(&dst_t_func[DST_ALG_ECCGOST]));
#endif
@@ -1266,6 +1278,12 @@ dst_key_sigsize(const dst_key_t *key, unsigned int *n) {
case DST_ALG_ECDSA384:
*n = DNS_SIG_ECDSA384SIZE;
break;
+ case DST_ALG_ED25519:
+ *n = DNS_SIG_ED25519SIZE;
+ break;
+ case DST_ALG_ED448:
+ *n = DNS_SIG_ED448SIZE;
+ break;
#ifndef PK11_MD5_DISABLE
case DST_ALG_HMACMD5:
*n = 16;
@@ -1608,6 +1626,8 @@ issymmetric(const dst_key_t *key) {
case DST_ALG_ECCGOST:
case DST_ALG_ECDSA256:
case DST_ALG_ECDSA384:
+ case DST_ALG_ED25519:
+ case DST_ALG_ED448:
return (ISC_FALSE);
#ifndef PK11_MD5_DISABLE
case DST_ALG_HMACMD5:
@@ -1894,7 +1914,8 @@ algorithm_status(unsigned int alg) {
alg == DST_ALG_NSEC3RSASHA1 ||
alg == DST_ALG_RSASHA256 || alg == DST_ALG_RSASHA512 ||
alg == DST_ALG_ECCGOST ||
- alg == DST_ALG_ECDSA256 || alg == DST_ALG_ECDSA384)
+ alg == DST_ALG_ECDSA256 || alg == DST_ALG_ECDSA384 ||
+ alg == DST_ALG_ED25519 || alg == DST_ALG_ED448)
return (DST_R_NOCRYPTO);
#endif
return (DST_R_UNSUPPORTEDALG);
diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h
index 9e305112e9..0d24b7f1e1 100644
--- a/lib/dns/dst_internal.h
+++ b/lib/dns/dst_internal.h
@@ -265,9 +265,15 @@ isc_result_t dst__gssapi_init(struct dst_func **funcp);
#ifdef HAVE_OPENSSL_ECDSA
isc_result_t dst__opensslecdsa_init(struct dst_func **funcp);
#endif
+#if defined(HAVE_OPENSSL_ED25519) || defined(HAVE_OPENSSL_ED448)
+isc_result_t dst__openssleddsa_init(struct dst_func **funcp);
+#endif
#ifdef HAVE_PKCS11_ECDSA
isc_result_t dst__pkcs11ecdsa_init(struct dst_func **funcp);
#endif
+#if defined(HAVE_PKCS11_ED25519) || defined(HAVE_PKCS11_ED448)
+isc_result_t dst__pkcs11eddsa_init(struct dst_func **funcp);
+#endif
#ifdef HAVE_OPENSSL_GOST
isc_result_t dst__opensslgost_init(struct dst_func **funcp);
#endif
diff --git a/lib/dns/dst_parse.c b/lib/dns/dst_parse.c
index b0d73b7ac6..d2b62f4e0a 100644
--- a/lib/dns/dst_parse.c
+++ b/lib/dns/dst_parse.c
@@ -119,6 +119,10 @@ static struct parse_map map[] = {
{TAG_ECDSA_ENGINE, "Engine:" },
{TAG_ECDSA_LABEL, "Label:" },
+ {TAG_EDDSA_PRIVATEKEY, "PrivateKey:"},
+ {TAG_EDDSA_ENGINE, "Engine:" },
+ {TAG_EDDSA_LABEL, "Label:" },
+
#ifndef PK11_MD5_DISABLE
{TAG_HMACMD5_KEY, "Key:"},
{TAG_HMACMD5_BITS, "Bits:"},
@@ -315,6 +319,38 @@ check_ecdsa(const dst_private_t *priv, isc_boolean_t external) {
return (ok ? 0 : -1 );
}
+static int
+check_eddsa(const dst_private_t *priv, isc_boolean_t external) {
+ int i, j;
+ isc_boolean_t have[EDDSA_NTAGS];
+ isc_boolean_t ok;
+ unsigned int mask;
+
+ if (external)
+ return ((priv->nelements == 0) ? 0 : -1);
+
+ for (i = 0; i < EDDSA_NTAGS; i++)
+ have[i] = ISC_FALSE;
+ for (j = 0; j < priv->nelements; j++) {
+ for (i = 0; i < EDDSA_NTAGS; i++)
+ if (priv->elements[j].tag == TAG(DST_ALG_ED25519, i))
+ break;
+ if (i == EDDSA_NTAGS)
+ return (-1);
+ have[i] = ISC_TRUE;
+ }
+
+ mask = ~0;
+ mask <<= sizeof(mask) * 8 - TAG_SHIFT;
+ mask >>= sizeof(mask) * 8 - TAG_SHIFT;
+
+ if (have[TAG_EDDSA_ENGINE & mask])
+ ok = have[TAG_EDDSA_LABEL & mask];
+ else
+ ok = have[TAG_EDDSA_PRIVATEKEY & mask];
+ return (ok ? 0 : -1 );
+}
+
#ifndef PK11_MD5_DISABLE
static int
check_hmac_md5(const dst_private_t *priv, isc_boolean_t old) {
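Review bot: check_eddsa() matches every element against `TAG(DST_ALG_ED25519, i)` even when it is reached through the `DST_ALG_ED448` case in check_data, and nothing says this is deliberate. I would add above the function `/* Ed25519 and Ed448 share the TAG_EDDSA_* tags, which are numbered from DST_ALG_ED25519. */`. Separately, `EDDSA_NTAGS` is 4 in dst_parse.h while only tag indexes 0 to 2 are defined, so the membership loop also accepts index 3 and sets a `have[]` slot that is never examined. This appears to follow check_ecdsa, whose body is outside the hunk. If nothing else depends on the value, `#define EDDSA_NTAGS 3` would match the tags that actually exist.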
@@ -392,6 +428,9 @@ check_data(const dst_private_t *priv, const unsigned int alg,
case DST_ALG_ECDSA256:
case DST_ALG_ECDSA384:
return (check_ecdsa(priv, external));
+ case DST_ALG_ED25519:
+ case DST_ALG_ED448:
+ return (check_eddsa(priv, external));
#ifndef PK11_MD5_DISABLE
case DST_ALG_HMACMD5:
return (check_hmac_md5(priv, old));
@@ -743,6 +782,12 @@ dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
case DST_ALG_ECDSA384:
fprintf(fp, "(ECDSAP384SHA384)\n");
break;
+ case DST_ALG_ED25519:
+ fprintf(fp, "(ED25519)\n");
+ break;
+ case DST_ALG_ED448:
+ fprintf(fp, "(ED448)\n");
+ break;
case DST_ALG_HMACMD5:
fprintf(fp, "(HMAC_MD5)\n");
break;
diff --git a/lib/dns/dst_parse.h b/lib/dns/dst_parse.h
index e4c7f89780..f32d7a5d18 100644
--- a/lib/dns/dst_parse.h
+++ b/lib/dns/dst_parse.h
@@ -86,6 +86,11 @@
#define TAG_ECDSA_ENGINE ((DST_ALG_ECDSA256 << TAG_SHIFT) + 1)
#define TAG_ECDSA_LABEL ((DST_ALG_ECDSA256 << TAG_SHIFT) + 2)
+#define EDDSA_NTAGS 4
+#define TAG_EDDSA_PRIVATEKEY ((DST_ALG_ED25519 << TAG_SHIFT) + 0)
+#define TAG_EDDSA_ENGINE ((DST_ALG_ED25519 << TAG_SHIFT) + 1)
+#define TAG_EDDSA_LABEL ((DST_ALG_ED25519 << TAG_SHIFT) + 2)
+
#define OLD_HMACMD5_NTAGS 1
#define HMACMD5_NTAGS 2
#define TAG_HMACMD5_KEY ((DST_ALG_HMACMD5 << TAG_SHIFT) + 0)
diff --git a/lib/dns/include/dns/keyvalues.h b/lib/dns/include/dns/keyvalues.h
index 0c392ca14c..3638ee413f 100644
--- a/lib/dns/include/dns/keyvalues.h
+++ b/lib/dns/include/dns/keyvalues.h
@@ -73,6 +73,8 @@
#define DNS_KEYALG_ECCGOST 12
#define DNS_KEYALG_ECDSA256 13
#define DNS_KEYALG_ECDSA384 14
+#define DNS_KEYALG_ED25519 15
+#define DNS_KEYALG_ED448 16
#define DNS_KEYALG_INDIRECT 252
#define DNS_KEYALG_PRIVATEDNS 253
#define DNS_KEYALG_PRIVATEOID 254 /*%< Key begins with OID giving alg */
@@ -109,4 +111,10 @@
#define DNS_KEY_ECDSA256SIZE 64
#define DNS_KEY_ECDSA384SIZE 96
+#define DNS_SIG_ED25519SIZE 64
+#define DNS_SIG_ED448SIZE 114
+
+#define DNS_KEY_ED25519SIZE 32
+#define DNS_KEY_ED448SIZE 57
+
#endif /* DNS_KEYVALUES_H */
diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
index c2ff306838..8e82b4a405 100644
--- a/lib/dns/include/dst/dst.h
+++ b/lib/dns/include/dst/dst.h
@@ -64,6 +64,8 @@ typedef struct dst_context dst_context_t;
#define DST_ALG_ECCGOST 12
#define DST_ALG_ECDSA256 13
#define DST_ALG_ECDSA384 14
+#define DST_ALG_ED25519 15
+#define DST_ALG_ED448 16
#define DST_ALG_HMACMD5 157
#define DST_ALG_GSSAPI 160
#define DST_ALG_HMACSHA1 161 /* XXXMPA */
diff --git a/lib/dns/rcode.c b/lib/dns/rcode.c
index b5af9ef15f..6e8c59febb 100644
--- a/lib/dns/rcode.c
+++ b/lib/dns/rcode.c
@@ -141,6 +141,8 @@
{ DNS_KEYALG_ECCGOST, "ECCGOST", 0 }, \
{ DNS_KEYALG_ECDSA256, "ECDSAP256SHA256", 0 }, \
{ DNS_KEYALG_ECDSA384, "ECDSAP384SHA384", 0 }, \
+ { DNS_KEYALG_ED25519, "ED25519", 0 }, \
+ { DNS_KEYALG_ED448, "ED448", 0 }, \
{ DNS_KEYALG_INDIRECT, "INDIRECT", 0 }, \
{ DNS_KEYALG_PRIVATEDNS, "PRIVATEDNS", 0 }, \
{ DNS_KEYALG_PRIVATEOID, "PRIVATEOID", 0 }, \
diff --git a/lib/dns/win32/libdns.dsp.in b/lib/dns/win32/libdns.dsp.in
index a280e6de9a..72125d4b75 100644
--- a/lib/dns/win32/libdns.dsp.in
+++ b/lib/dns/win32/libdns.dsp.in
@@ -843,6 +843,10 @@ SOURCE=..\opensslecdsa_link.c
# End Source File
# Begin Source File
+SOURCE=..\openssleddsa_link.c
+# End Source File
+# Begin Source File
+
SOURCE=..\opensslgost_link.c
# End Source File
# Begin Source File
@@ -869,6 +873,10 @@ SOURCE=..\pkcs11ecdsa_link.c
# End Source File
# Begin Source File
+SOURCE=..\pkcs11eddsa_link.c
+# End Source File
+# Begin Source File
+
SOURCE=..\pkcs11gost_link.c
# End Source File
# Begin Source File
diff --git a/lib/dns/win32/libdns.mak.in b/lib/dns/win32/libdns.mak.in
index 9b96feb07a..69c41dfcb5 100644
--- a/lib/dns/win32/libdns.mak.in
+++ b/lib/dns/win32/libdns.mak.in
@@ -171,6 +171,7 @@ CLEAN :
-@erase "$(INTDIR)\openssldh_link.obj"
-@erase "$(INTDIR)\openssldsa_link.obj"
-@erase "$(INTDIR)\opensslecdsa_link.obj"
+ -@erase "$(INTDIR)\openssleddsa_link.obj"
-@erase "$(INTDIR)\opensslgost_link.obj"
-@erase "$(INTDIR)\opensslrsa_link.obj"
@END OPENSSL
@@ -181,6 +182,7 @@ CLEAN :
-@erase "$(INTDIR)\pkcs11dh_link.obj"
-@erase "$(INTDIR)\pkcs11dsa_link.obj"
-@erase "$(INTDIR)\pkcs11ecdsa_link.obj"
+ -@erase "$(INTDIR)\pkcs11eddsa_link.obj"
-@erase "$(INTDIR)\pkcs11gost_link.obj"
-@erase "$(INTDIR)\pkcs11rsa_link.obj"
@END PKCS11
@@ -370,6 +372,7 @@ LINK32_OBJS= \
"$(INTDIR)\openssldh_link.obj" \
"$(INTDIR)\openssldsa_link.obj" \
"$(INTDIR)\opensslecdsa_link.obj" \
+ "$(INTDIR)\openssleddsa_link.obj" \
"$(INTDIR)\opensslgost_link.obj" \
"$(INTDIR)\opensslrsa_link.obj" \
@END OPENSSL
@@ -378,6 +381,7 @@ LINK32_OBJS= \
"$(INTDIR)\pkcs11dh_link.obj" \
"$(INTDIR)\pkcs11dsa_link.obj" \
"$(INTDIR)\pkcs11ecdsa_link.obj" \
+ "$(INTDIR)\pkcs11eddsa_link.obj" \
"$(INTDIR)\pkcs11gost_link.obj" \
"$(INTDIR)\pkcs11rsa_link.obj" \
@END PKCS11
@@ -513,6 +517,8 @@ CLEAN :
-@erase "$(INTDIR)\openssldsa_link.sbr"
-@erase "$(INTDIR)\opensslecdsa_link.obj"
-@erase "$(INTDIR)\opensslecdsa_link.sbr"
+ -@erase "$(INTDIR)\openssleddsa_link.obj"
+ -@erase "$(INTDIR)\openssleddsa_link.sbr"
-@erase "$(INTDIR)\opensslgost_link.obj"
-@erase "$(INTDIR)\opensslgost_link.sbr"
-@erase "$(INTDIR)\opensslrsa_link.obj"
@@ -531,6 +537,8 @@ CLEAN :
-@erase "$(INTDIR)\pkcs11dsa_link.sbr"
-@erase "$(INTDIR)\pkcs11ecdsa_link.obj"
-@erase "$(INTDIR)\pkcs11ecdsa_link.sbr"
+ -@erase "$(INTDIR)\pkcs11eddsa_link.obj"
+ -@erase "$(INTDIR)\pkcs11eddsa_link.sbr"
-@erase "$(INTDIR)\pkcs11gost_link.obj"
-@erase "$(INTDIR)\pkcs11gost_link.sbr"
-@erase "$(INTDIR)\pkcs11rsa_link.obj"
@@ -760,6 +768,7 @@ BSC32_SBRS= \
"$(INTDIR)\openssldh_link.sbr" \
"$(INTDIR)\openssldsa_link.sbr" \
"$(INTDIR)\opensslecdsa_link.sbr" \
+ "$(INTDIR)\openssleddsa_link.sbr" \
"$(INTDIR)\opensslgost_link.sbr" \
"$(INTDIR)\opensslrsa_link.sbr" \
@END OPENSSL
@@ -768,6 +777,7 @@ BSC32_SBRS= \
"$(INTDIR)\pkcs11dh_link.sbr" \
"$(INTDIR)\pkcs11dsa_link.sbr" \
"$(INTDIR)\pkcs11ecdsa_link.sbr" \
+ "$(INTDIR)\pkcs11eddsa_link.sbr" \
"$(INTDIR)\pkcs11gost_link.sbr" \
"$(INTDIR)\pkcs11rsa_link.sbr"
@END PKCS11
@@ -875,6 +885,7 @@ LINK32_OBJS= \
"$(INTDIR)\openssldh_link.obj" \
"$(INTDIR)\openssldsa_link.obj" \
"$(INTDIR)\opensslecdsa_link.obj" \
+ "$(INTDIR)\openssleddsa_link.obj" \
"$(INTDIR)\opensslgost_link.obj" \
"$(INTDIR)\opensslrsa_link.obj" \
@END OPENSSL
@@ -883,6 +894,7 @@ LINK32_OBJS= \
"$(INTDIR)\pkcs11dh_link.obj" \
"$(INTDIR)\pkcs11dsa_link.obj" \
"$(INTDIR)\pkcs11ecdsa_link.obj" \
+ "$(INTDIR)\pkcs11eddsa_link.obj" \
"$(INTDIR)\pkcs11gost_link.obj" \
"$(INTDIR)\pkcs11rsa_link.obj" \
@END PKCS11
@@ -2530,6 +2542,24 @@ SOURCE=..\opensslecdsa_link.c
$(CPP) $(CPP_PROJ) $(SOURCE)
+!ENDIF
+
+SOURCE=..\openssleddsa_link.c
+
+!IF "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\openssleddsa_link.obj" : $(SOURCE) "$(INTDIR)"
+ $(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\openssleddsa_link.obj" "$(INTDIR)\openssleddsa_link.sbr" : $(SOURCE) "$(INTDIR)"
+ $(CPP) $(CPP_PROJ) $(SOURCE)
+
+
!ENDIF
SOURCE=..\opensslgost_link.c
@@ -2640,6 +2670,24 @@ SOURCE=..\pkcs11ecdsa_link.c
$(CPP) $(CPP_PROJ) $(SOURCE)
+!ENDIF
+
+SOURCE=..\pkcs11eddsa_link.c
+
+!IF "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\pkcs11eddsa_link.obj" : $(SOURCE) "$(INTDIR)"
+ $(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\pkcs11eddsa_link.obj" "$(INTDIR)\pkcs11eddsa_link.sbr" : $(SOURCE) "$(INTDIR)"
+ $(CPP) $(CPP_PROJ) $(SOURCE)
+
+
!ENDIF
SOURCE=..\pkcs11gost_link.c
diff --git a/lib/dns/win32/libdns.vcxproj.filters.in b/lib/dns/win32/libdns.vcxproj.filters.in
index 2b983267ea..51f0f1d7e7 100644
--- a/lib/dns/win32/libdns.vcxproj.filters.in
+++ b/lib/dns/win32/libdns.vcxproj.filters.in
@@ -294,6 +294,9 @@
Dst Source Files
+
+ Dst Source Files
+
Dst Source Files
@@ -314,6 +317,9 @@
Dst Source Files
+
+ Dst Source Files
+
Dst Source Files
diff --git a/lib/dns/win32/libdns.vcxproj.in b/lib/dns/win32/libdns.vcxproj.in
index 35fd9561db..6db688f1fc 100644
--- a/lib/dns/win32/libdns.vcxproj.in
+++ b/lib/dns/win32/libdns.vcxproj.in
@@ -158,6 +158,7 @@
+
@@ -169,6 +170,7 @@
+
@END PKCS11
diff --git a/lib/isc/hmacmd5.c b/lib/isc/hmacmd5.c
index ad07d0d292..bab793187f 100644
--- a/lib/isc/hmacmd5.c
+++ b/lib/isc/hmacmd5.c
@@ -104,8 +104,19 @@ isc_hmacmd5_init(isc_hmacmd5_t *ctx, const unsigned char *key,
{ CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
{ CKA_VALUE, NULL, (CK_ULONG) len }
};
+#ifdef PK11_PAD_HMAC_KEYS
+ CK_BYTE keypad[ISC_MD5_DIGESTLENGTH];
+ if (len < ISC_MD5_DIGESTLENGTH) {
+ memset(keypad, 0, ISC_MD5_DIGESTLENGTH);
+ memmove(keypad, key, len);
+ keyTemplate[5].pValue = keypad;
+ keyTemplate[5].ulValueLen = ISC_MD5_DIGESTLENGTH;
+ } else
+ DE_CONST(key, keyTemplate[5].pValue);
+#else
DE_CONST(key, keyTemplate[5].pValue);
+#endif
RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE,
ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
ctx->object = CK_INVALID_HANDLE;
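Review bot: `keypad` holds a copy of the HMAC key on the stack and nothing in this hunk clears it; once the key object has been created from `keyTemplate` (that call is outside the hunk), the buffer should be wiped with a clear the compiler cannot drop, so the key does not linger in the frame. The same block is added to isc_hmacsha1_init, isc_hmacsha224_init, isc_hmacsha256_init, isc_hmacsha384_init and isc_hmacsha512_init in lib/isc/hmacsha.c. A short comment would also help readers trust the padding: `/* Zero-padding a short key up to the digest length does not change the HMAC value, since HMAC zero-pads keys to the block size anyway. */`. The `else` arm would read better braced to match the `if`.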
diff --git a/lib/isc/hmacsha.c b/lib/isc/hmacsha.c
index c4b4df11e5..84e25c73a2 100644
--- a/lib/isc/hmacsha.c
+++ b/lib/isc/hmacsha.c
@@ -273,8 +273,19 @@ isc_hmacsha1_init(isc_hmacsha1_t *ctx, const unsigned char *key,
{ CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
{ CKA_VALUE, NULL, (CK_ULONG) len }
};
+#ifdef PK11_PAD_HMAC_KEYS
+ CK_BYTE keypad[ISC_SHA1_DIGESTLENGTH];
+ if (len < ISC_SHA1_DIGESTLENGTH) {
+ memset(keypad, 0, ISC_SHA1_DIGESTLENGTH);
+ memmove(keypad, key, len);
+ keyTemplate[5].pValue = keypad;
+ keyTemplate[5].ulValueLen = ISC_SHA1_DIGESTLENGTH;
+ } else
+ DE_CONST(key, keyTemplate[5].pValue);
+#else
DE_CONST(key, keyTemplate[5].pValue);
+#endif
RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE,
ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
ctx->object = CK_INVALID_HANDLE;
@@ -432,8 +443,19 @@ isc_hmacsha224_init(isc_hmacsha224_t *ctx, const unsigned char *key,
{ CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
{ CKA_VALUE, NULL, (CK_ULONG) len }
};
+#ifdef PK11_PAD_HMAC_KEYS
+ CK_BYTE keypad[ISC_SHA224_DIGESTLENGTH];
+ if (len < ISC_SHA224_DIGESTLENGTH) {
+ memset(keypad, 0, ISC_SHA224_DIGESTLENGTH);
+ memmove(keypad, key, len);
+ keyTemplate[5].pValue = keypad;
+ keyTemplate[5].ulValueLen = ISC_SHA224_DIGESTLENGTH;
+ } else
+ DE_CONST(key, keyTemplate[5].pValue);
+#else
DE_CONST(key, keyTemplate[5].pValue);
+#endif
RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE,
ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
ctx->object = CK_INVALID_HANDLE;
@@ -591,8 +613,19 @@ isc_hmacsha256_init(isc_hmacsha256_t *ctx, const unsigned char *key,
{ CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
{ CKA_VALUE, NULL, (CK_ULONG) len }
};
+#ifdef PK11_PAD_HMAC_KEYS
+ CK_BYTE keypad[ISC_SHA256_DIGESTLENGTH];
+ if (len < ISC_SHA256_DIGESTLENGTH) {
+ memset(keypad, 0, ISC_SHA256_DIGESTLENGTH);
+ memmove(keypad, key, len);
+ keyTemplate[5].pValue = keypad;
+ keyTemplate[5].ulValueLen = ISC_SHA256_DIGESTLENGTH;
+ } else
+ DE_CONST(key, keyTemplate[5].pValue);
+#else
DE_CONST(key, keyTemplate[5].pValue);
+#endif
RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE,
ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
ctx->object = CK_INVALID_HANDLE;
@@ -750,8 +783,19 @@ isc_hmacsha384_init(isc_hmacsha384_t *ctx, const unsigned char *key,
{ CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
{ CKA_VALUE, NULL, (CK_ULONG) len }
};
+#ifdef PK11_PAD_HMAC_KEYS
+ CK_BYTE keypad[ISC_SHA384_DIGESTLENGTH];
+ if (len < ISC_SHA384_DIGESTLENGTH) {
+ memset(keypad, 0, ISC_SHA384_DIGESTLENGTH);
+ memmove(keypad, key, len);
+ keyTemplate[5].pValue = keypad;
+ keyTemplate[5].ulValueLen = ISC_SHA384_DIGESTLENGTH;
+ } else
+ DE_CONST(key, keyTemplate[5].pValue);
+#else
DE_CONST(key, keyTemplate[5].pValue);
+#endif
RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE,
ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
ctx->object = CK_INVALID_HANDLE;
@@ -909,8 +953,19 @@ isc_hmacsha512_init(isc_hmacsha512_t *ctx, const unsigned char *key,
{ CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
{ CKA_VALUE, NULL, (CK_ULONG) len }
};
+#ifdef PK11_PAD_HMAC_KEYS
+ CK_BYTE keypad[ISC_SHA512_DIGESTLENGTH];
+ if (len < ISC_SHA512_DIGESTLENGTH) {
+ memset(keypad, 0, ISC_SHA512_DIGESTLENGTH);
+ memmove(keypad, key, len);
+ keyTemplate[5].pValue = keypad;
+ keyTemplate[5].ulValueLen = ISC_SHA512_DIGESTLENGTH;
+ } else
+ DE_CONST(key, keyTemplate[5].pValue);
+#else
DE_CONST(key, keyTemplate[5].pValue);
+#endif
RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE,
ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
ctx->object = CK_INVALID_HANDLE;
diff --git a/lib/isc/include/pk11/constants.h b/lib/isc/include/pk11/constants.h
index e1e058117a..27ab4d6adc 100644
--- a/lib/isc/include/pk11/constants.h
+++ b/lib/isc/include/pk11/constants.h
@@ -31,6 +31,12 @@ static CK_BYTE pk11_ecc_prime256v1[] = {
static CK_BYTE pk11_ecc_secp384r1[] = {
0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22
};
+static CK_BYTE pk11_ecc_ed25519[] = {
+ 0x06, 0x03, 0x2b, 0x65, 0x70
+};
+static CK_BYTE pk11_ecc_ed448[] = {
+ 0x06, 0x03, 0x2b, 0x65, 0x71
+};
#endif
#ifdef WANT_DH_PRIMES
diff --git a/lib/isc/include/pk11/site.h b/lib/isc/include/pk11/site.h
index 8d5ac945a3..801430b00e 100644
--- a/lib/isc/include/pk11/site.h
+++ b/lib/isc/include/pk11/site.h
@@ -31,6 +31,9 @@
*
*\li PK11__DISABLE:
* Same as SKIP, and disable support for the algorithm.
+ *
+ *\li PK11_PAD_HMAC_KEYS:
+ * Extend HMAC keys shorter than digest length.
*/
/* current implemented flags are:
@@ -46,6 +49,7 @@ PK11_SHA512_HMAC_REPLACE
PK11_MD5_DISABLE
PK11_DSA_DISABLE
PK11_DH_DISABLE
+PK11_PAD_HMAC_KEYS
*/
/*
@@ -74,8 +78,11 @@ PK11_DH_DISABLE
#endif
#if PK11_FLAVOR == PK11_SOFTHSMV1_FLAVOR
-#define PK11_DH_DISABLE
-#define PK11_DSA_DISABLE
+#define PK11_PAD_HMAC_KEYS
+#endif
+
+#if PK11_FLAVOR == PK11_SOFTHSMV2_FLAVOR
+/* SoftHSMv2 was updated to enforce minimal key sizes... argh! */
#define PK11_MD5_HMAC_REPLACE
#define PK11_SHA_1_HMAC_REPLACE
#define PK11_SHA224_HMAC_REPLACE
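Review bot: The SoftHSMv1 block loses `#define PK11_DH_DISABLE` and `#define PK11_DSA_DISABLE` along with the HMAC replacements, so DH and DSA are no longer disabled for that flavor. That is unrelated to the EdDSA additions in the rest of the commit; if it is intended it deserves its own explanation, otherwise the two defines should stay. The new comment `/* SoftHSMv2 was updated to enforce minimal key sizes... argh! */` gives the cause but not the consequence. Something like `/* SoftHSMv2 rejects HMAC keys below its minimum size, so the HMAC mechanisms are marked REPLACE for this flavor. */` would be clearer. The `#if` block for this flavor closes in the next hunk.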
@@ -84,9 +91,6 @@ PK11_DH_DISABLE
#define PK11_SHA512_HMAC_REPLACE
#endif
-#if PK11_FLAVOR == PK11_SOFTHSMV2_FLAVOR
-#endif
-
#if PK11_FLAVOR == PK11_CRYPTECH_FLAVOR
#define PK11_DH_DISABLE
#define PK11_DSA_DISABLE
diff --git a/lib/isc/include/pkcs11/Makefile.in b/lib/isc/include/pkcs11/Makefile.in
index d920cdd249..6841d72daa 100644
--- a/lib/isc/include/pkcs11/Makefile.in
+++ b/lib/isc/include/pkcs11/Makefile.in
@@ -25,7 +25,7 @@ VERSION=@BIND9_VERSION@
# machine generated. The latter are handled specially in the
# install target below.
#
-HEADERS = pkcs11f.h pkcs11.h pkcs11t.h
+HEADERS = pkcs11f.h pkcs11.h pkcs11t.h eddsa.h
SUBDIRS =
TARGETS =
diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c
index 424bfb93b4..5129b2a02c 100644
--- a/lib/isc/pk11.c
+++ b/lib/isc/pk11.c
@@ -38,6 +38,7 @@
#include
#include
+#include
/* was 32 octets, Petr Spacek suggested 1024, SoftHSMv2 uses 256... */
#ifndef PINLEN
@@ -879,12 +880,33 @@ scan_slots(void) {
PK11_TRACEM(CKM_GOSTR3410_WITH_GOSTR3411);
}
if (bad)
- goto try_aes;
+ goto try_eddsa;
token->operations |= 1 << OP_GOST;
if (best_gost_token == NULL)
best_gost_token = token;
+ try_eddsa:
+#if defined(CKM_EDDSA_KEY_PAIR_GEN) && defined(CKM_EDDSA) && defined(CKK_EDDSA)
+ bad = ISC_FALSE;
+ rv = pkcs_C_GetMechanismInfo(slot, CKM_EDDSA_KEY_PAIR_GEN,
+ &mechInfo);
+ if ((rv != CKR_OK) ||
+ ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0)) {
+ bad = ISC_TRUE;
+ PK11_TRACEM(CKM_EDDSA_KEY_PAIR_GEN);
+ }
+ rv = pkcs_C_GetMechanismInfo(slot, CKM_EDDSA, &mechInfo);
+ if ((rv != CKR_OK) ||
+ ((mechInfo.flags & CKF_SIGN) == 0) ||
+ ((mechInfo.flags & CKF_VERIFY) == 0)) {
+ bad = ISC_TRUE;
+ PK11_TRACEM(CKM_EDDSA);
+ }
+ if (bad)
+ goto try_aes;
+
try_aes:
+#endif
bad = ISC_FALSE;
rv = pkcs_C_GetMechanismInfo(slot, CKM_AES_ECB, &mechInfo);
if ((rv != CKR_OK) || ((mechInfo.flags & CKF_ENCRYPT) == 0)) {
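Review bot: The EdDSA mechanism probe added after `try_eddsa:` has no effect on token selection. When `bad` is set, `goto try_aes` jumps to the very next label, and when it is clear nothing is recorded on `token`, whereas the GOST block above sets `token->operations` and `best_gost_token`. A token without CKM_EDDSA is therefore treated the same as one that supports it, apart from the trace output. Also `try_aes:` now sits inside the `#if defined(CKM_EDDSA_KEY_PAIR_GEN) ...` block, so any `goto try_aes` elsewhere in scan_slots (which starts and continues outside this hunk) would fail to compile when those macros are missing. Moving `#endif` above `try_aes:` avoids that, and the probe result should either be stored or the dead `if (bad) goto try_aes;` dropped.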
diff --git a/win32utils/Configure b/win32utils/Configure
index e5af47377a..4b4cdbf536 100644
--- a/win32utils/Configure
+++ b/win32utils/Configure
@@ -396,9 +396,13 @@ my @substdefh = ("AES_SIT",
"HAVE_OPENSSL_AES",
"HAVE_OPENSSL_DSA",
"HAVE_OPENSSL_ECDSA",
+ "HAVE_OPENSSL_ED25519",
+ "HAVE_OPENSSL_ED448",
"HAVE_OPENSSL_EVP_AES",
"HAVE_OPENSSL_GOST",
"HAVE_PKCS11_ECDSA",
+ "HAVE_PKCS11_ED25519",
+ "HAVE_PKCS11_ED448",
"HAVE_PKCS11_GOST",
"HAVE_READLINE",
"HMAC_SHA1_SIT",
@@ -555,6 +559,7 @@ my @withlist = ("aes",
"cc-alg",
"cross-compile",
"ecdsa",
+ "eddsa",
"extra-tests",
"gssapi",
"geoip",
@@ -615,6 +620,7 @@ my @help = (
" with-openssl[=PATH] build with OpenSSL yes|no|path\n",
" with-pkcs11[=PATH] build with PKCS#11 support yes|no|provider-path\n",
" with-ecdsa crypto ECDSA\n",
+" with-eddsa crypto EDDSA yes|all|no\n",
" with-gost[=ENC] crypto GOST yes|no|raw|ans1\n",
" with-aes crypto AES\n",
" with-sit-alg choose the algorithm for SIT aes|sha1|sha256\n",
@@ -659,6 +665,8 @@ my $openssl_path = "..\\..\\";
my $use_pkcs11 = "no";
my $pkcs11_path = "unknown";
my $use_ecdsa = "auto";
+my $use_eddsa = "auto";
+my $use_ed448 = "auto";
my $use_gost = "auto";
my $gost_encoding = "raw";
my $use_aes = "auto";
@@ -737,19 +745,19 @@ if ($legacy_only && ($want_x64 ne "yes")) {
}
if ($want_checkfiles eq "yes") {
- foreach (@filelist) {
- next if -r $_ . ".in";
- s/\\/\//g;
- next if -r $_ . ".in";
- print "missing $_.in from filelist\n";
- }
- foreach (@projectlist) {
- next if -r $_ . ".in";
- s/\\/\//g;
- next if -r $_ . ".in";
- print "missing $_.in from projectlist\n";
- }
- exit(0);
+ foreach (@filelist) {
+ next if -r $_ . ".in";
+ s/\\/\//g;
+ next if -r $_ . ".in";
+ print "missing $_.in from filelist\n";
+ }
+ foreach (@projectlist) {
+ next if -r $_ . ".in";
+ s/\\/\//g;
+ next if -r $_ . ".in";
+ print "missing $_.in from projectlist\n";
+ }
+ exit(0);
}
# configure the platform
@@ -953,10 +961,19 @@ sub mywith {
} elsif ($val =~ /^yes$/i) {
$use_ecdsa = "yes";
}
+ } elsif ($key =~ /^eddsa$/i) {
+ if ($val =~ /^no$/i) {
+ $use_eddsa = "no";
+ } elsif ($val !~ /^no$/i) {
+ $use_eddsa = "yes";
+ if ($val =~ /^all$/i) {
+ $use_ed448 = "yes";
+ }
+ }
} elsif ($key =~ /^gost$/i) {
if ($val =~ /^no$/i) {
$use_gost = "no";
- } elsif ($val =~ /^yes$/i) {
+ } elsif ($val !~ /^no$/i) {
$use_gost = "yes";
$gost_encoding = $val;
}
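Review bot: `with-eddsa` treats any value other than `no` as `yes`, because `elsif ($val !~ /^no$/i)` directly after the `no` test is just an `else`. A mistyped `all` is therefore accepted silently and leaves `$use_ed448` on `auto`. The same relaxation is applied to `gost`, where the unchecked value is then stored in `$gost_encoding`. Matching the documented values, e.g. `} elsif ($val =~ /^(yes|all)$/i) {` for eddsa, would keep typos from being accepted. mywith starts and continues outside this hunk.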
@@ -1189,6 +1206,16 @@ if ($verbose) {
} else {
print "ecdsa: enabled\n";
}
+ if ($use_eddsa eq "no") {
+ print "eddsa: disabled\n";
+ } else {
+ print "ed25519: enabled\n";
+ if ($use_ed448 eq "no") {
+ print "ed448: disabled\n";
+ } else {
+ print "ed448: enabled\n";
+ }
+ }
if ($use_gost eq "no") {
print "gost: disabled\n";
} else {
@@ -1477,6 +1504,26 @@ if ($enable_native_pkcs11 eq "yes") {
}
$configdefh{"HAVE_PKCS11_ECDSA"} = 1;
}
+ if ($use_eddsa eq "no") {
+ if ($verbose) {
+ print "no EDDSA support in native PKCS#11\n";
+ }
+ } else {
+ if ($verbose) {
+ print "enabled Ed25519 support in native PKCS#11\n";
+ }
+ $configdefh{"HAVE_PKCS11_ED25519"} = 1;
+ if ($use_ed448 eq "no") {
+ if ($verbose) {
+ print "no Ed448 support in native PKCS#11\n";
+ }
+ } else {
+ if ($verbose) {
+ print "enabled Ed448 support in native PKCS#11\n";
+ }
+ $configdefh{"HAVE_PKCS11_ED448"} = 1;
+ }
+ }
if ($use_gost eq "no") {
if ($verbose) {
print "no GOST support in native PKCS#11\n";
@@ -1816,6 +1863,7 @@ EOF
if ($verbose) {
print "EVP_sha512 test failed: disabling EVP_sha512\n";
}
+ $use_eddsa = "no";
} else {
$configdefh{"HAVE_EVP_SHA512"} = 1;
}
@@ -1824,6 +1872,7 @@ EOF
print "can't compile EVP_sha512 test: $compret\n";
print "disabling EVP_sha512\n";
}
+ $use_eddsa = "no";
}
}
@@ -1878,6 +1927,104 @@ if ($use_ecdsa ne "no") {
$configdefh{"HAVE_OPENSSL_ECDSA"} = 1;
}
+# with-eddsa
+if ($use_openssl eq "no") {
+ $use_eddsa = "no";
+}
+if ($use_eddsa eq "auto") {
+ if ($verbose) {
+ print "checking for OpenSSL ED25519 support\n";
+ }
+ open F, ">tested25519.c" || die $!;
+ print F << 'EOF';
+#include
+#include
+
+int
+main(void)
+{
+ EVP_PKEY_CTX *ctx;
+
+ ctx = EVP_PKEY_CTX_new_id(NID_ED25519, NULL);
+ if (ctx == NULL)
+ return (2);
+ return (0);
+}
+EOF
+ close F;
+ my $include = $configinc{"OPENSSL_INC"};
+ my $library = $configlib{"OPENSSL_LIB"};
+ $compret = `cl /nologo /MD /I "$include" tested25519.c "$library"`;
+ if (grep { -f and -x } ".\\tested25519.exe") {
+ `.\\tested25519.exe`;
+ if ($? != 0) {
+ if ($verbose) {
+ print "EDDSA test failed: disabling EDDSA\n";
+ }
+ $use_eddsa = "no";
+ }
+ } else {
+ if ($verbose) {
+ print "can't compile EDDSA test: $compret\n";
+ print "disabling EDDSA\n";
+ }
+ $use_eddsa = "no";
+ }
+}
+
+if ($use_eddsa ne "no") {
+ $use_eddsa = "yes";
+ $configdefh{"HAVE_OPENSSL_ED25519"} = 1;
+} else {
+ $use_ed448 = "no";
+}
+
+if ($use_ed448 eq "auto") {
+ if ($verbose) {
+ print "checking for OpenSSL ED448 support\n";
+ }
+ open F, ">tested448.c" || die $!;
+ print F << 'EOF';
+#include
+#include
+
+int
+main(void)
+{
+ EVP_PKEY_CTX *ctx;
+
+ ctx = EVP_PKEY_CTX_new_id(NID_ED448, NULL);
+ if (ctx == NULL)
+ return (2);
+ return (0);
+}
+EOF
+ close F;
+ my $include = $configinc{"OPENSSL_INC"};
+ my $library = $configlib{"OPENSSL_LIB"};
+ $compret = `cl /nologo /MD /I "$include" tested448.c "$library"`;
+ if (grep { -f and -x } ".\\tested448.exe") {
+ `.\\tested448.exe`;
+ if ($? != 0) {
+ if ($verbose) {
+ print "ED448 test failed: disabling ED448\n";
+ }
+ $use_ed448 = "no";
+ }
+ } else {
+ if ($verbose) {
+ print "can't compile ED448 test: $compret\n";
+ print "disabling ED448\n";
+ }
+ $use_ed448 = "no";
+ }
+}
+
+if ($use_ed448 ne "no") {
+ $use_ed448 = "yes";
+ $configdefh{"HAVE_OPENSSL_ED448"} = 1;
+}
+
# with-gost
if ($use_openssl eq "no") {
$use_gost = "no";
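Review bot: `open F, ">tested25519.c" || die $!;` never dies on failure, because `||` binds to the filename string rather than to `open`; the same applies to the `tested448.c` open further down. Use `open F, ">tested25519.c" or die $!;` so an unwritable build directory is reported instead of the probe carrying on with a missing or stale source file. The probe also decides on `-f and -x` of a fixed-name `.exe` in the current directory. Unless that file is removed elsewhere in the script, an executable left over from an earlier run can make the check pass even though this `cl` invocation failed. Deleting `tested25519.exe` and `tested448.exe` before compiling would close that gap.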
@@ -3398,6 +3545,7 @@ exit 0;
# --with-openssl supported
# --with-pkcs11 supported
# --with-ecdsa supported
+# --with-eddsa supported
# --with-gost supported
# --with-aes supported
# --with-sit-alg supported