diff --git a/bin/tests/system/testcrypto.sh b/bin/tests/system/testcrypto.sh index b0fd76795c..ae085c1a20 100644 --- a/bin/tests/system/testcrypto.sh +++ b/bin/tests/system/testcrypto.sh @@ -18,8 +18,7 @@ args="" alg="-a $DEFAULT_ALGORITHM -b $DEFAULT_BITS" quiet=0 -msg1="cryptography" -msg2="--with-openssl, or --enable-native-pkcs11 --with-pkcs11" +msg="cryptography" while test "$#" -gt 0; do case $1 in -q) @@ -28,18 +27,16 @@ while test "$#" -gt 0; do ;; rsa|RSA) alg="-a RSASHA1" - msg1="RSA cryptography" + msg="RSA cryptography" ;; ecdsa|ECDSA) alg="-a ecdsap256sha256" - msg1="ECDSA cryptography" - msg2="--with-ecdsa" + msg="ECDSA cryptography" + ;; + eddsa|EDDSA) + alg="-a ED25519" + msg="EDDSA cryptography" ;; - eddsa|EDDSA) - alg="-a ED25519" - msg1="EDDSA cryptography" - msg2="--with-eddsa" - ;; *) echo "${prog}: unknown argument" exit 1 @@ -48,14 +45,14 @@ while test "$#" -gt 0; do shift done - if $KEYGEN $args $alg foo > /dev/null 2>&1 then rm -f Kfoo* else if test $quiet -eq 0; then - echo "I:This test requires support for $msg1" >&2 - echo "I:configure with $msg2" >&2 + echo "I:This test requires support for $msg" >&2 + echo "I:configure with --with-openssl, or --enable-native-pkcs11" \ + "--with-pkcs11" >&2 fi exit 255 fi diff --git a/config.h.win32 b/config.h.win32 index 84c4c8bcfb..d3f3d210b8 100644 --- a/config.h.win32 +++ b/config.h.win32 @@ -289,12 +289,6 @@ typedef __int64 off_t; /* Define if native PKCS#11 is used as cryptographic library provider */ @USE_PKCS11@ -/* Define if your PKCS11 provider supports Ed25519. */ -@HAVE_PKCS11_ED25519@ - -/* Define if your PKCS11 provider supports Ed448. */ -@HAVE_PKCS11_ED448@ - /* HMAC_*() return ints */ @HMAC_RETURN_INT@ diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c index d7a71dd806..94106a3fc1 100644 --- a/lib/dns/dst_api.c +++ b/lib/dns/dst_api.c 
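Review bot: The failure branch in the last testcrypto.sh hunk now prints the same hint, `configure with --with-openssl, or --enable-native-pkcs11 --with-pkcs11`, for every algorithm. That is misleading when `$KEYGEN` fails for `eddsa` on a build that already uses one of those backends but whose library or token lacks Ed25519. The probe sends all keygen output to /dev/null, so the reader has nothing else to go on. I would reword the second line to describe the real requirement, for example `echo "I:the configured crypto provider must support $msg" >&2`, or keep the configure hint only for the default case.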
@@ -228,12 +228,8 @@ dst_lib_init(isc_mem_t *mctx, const char *engine) { RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA512])); RETERR(dst__pkcs11ecdsa_init(&dst_t_func[DST_ALG_ECDSA256])); RETERR(dst__pkcs11ecdsa_init(&dst_t_func[DST_ALG_ECDSA384])); -#ifdef HAVE_PKCS11_ED25519 RETERR(dst__pkcs11eddsa_init(&dst_t_func[DST_ALG_ED25519])); -#endif /* ifdef HAVE_PKCS11_ED25519 */ -#ifdef HAVE_PKCS11_ED448 RETERR(dst__pkcs11eddsa_init(&dst_t_func[DST_ALG_ED448])); -#endif /* ifdef HAVE_PKCS11_ED448 */ #endif /* USE_PKCS11 */ #ifdef GSSAPI RETERR(dst__gssapi_init(&dst_t_func[DST_ALG_GSSAPI])); diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h index bce2a9f9d2..116e2d28fa 100644 --- a/lib/dns/dst_internal.h +++ b/lib/dns/dst_internal.h @@ -234,10 +234,8 @@ isc_result_t dst__pkcs11dsa_init(struct dst_func **funcp); isc_result_t dst__pkcs11ecdsa_init(struct dst_func **funcp); -#if defined(HAVE_PKCS11_ED25519) || defined(HAVE_PKCS11_ED448) isc_result_t dst__pkcs11eddsa_init(struct dst_func **funcp); -#endif /* if defined(HAVE_PKCS11_ED25519) || defined(HAVE_PKCS11_ED448) */ #endif /* USE_PKCS11 */ #ifdef GSSAPI isc_result_t diff --git a/lib/dns/pkcs11eddsa_link.c b/lib/dns/pkcs11eddsa_link.c index cd73523234..e725319b15 100644 --- a/lib/dns/pkcs11eddsa_link.c +++ b/lib/dns/pkcs11eddsa_link.c @@ -11,7 +11,7 @@ /*! \file */ -#if USE_PKCS11 && (HAVE_PKCS11_ED25519 || HAVE_PKCS11_ED448) +#if USE_PKCS11 #include diff --git a/lib/isc/include/pk11/constants.h b/lib/isc/include/pk11/constants.h index a8ae4508d4..8dc8cd82a3 100644 --- a/lib/isc/include/pk11/constants.h +++ b/lib/isc/include/pk11/constants.h 
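Review bot: With the `HAVE_PKCS11_ED25519` and `HAVE_PKCS11_ED448` guards gone, `dst_lib_init()` registers Ed25519 and Ed448 for every native-PKCS#11 build, whether or not the configured provider implements them. If `dst__pkcs11eddsa_init()` only installs the function table (its body is not in this diff), the library will presumably report both algorithms as supported. A validator would then fail EdDSA-signed answers at verify time instead of treating the algorithm as unsupported. Consider probing the token for the EdDSA mechanism before registering, or at least document the assumption above the two calls, e.g. `/* Registered unconditionally: the provider must implement EdDSA or sign/verify fails at run time. */`. The body of dst_lib_init continues outside the hunk.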
@@ -24,12 +24,8 @@ static CK_BYTE pk11_ecc_prime256v1[] = { 0x06, 0x08, 0x2a, 0x86, 0x48, static CK_BYTE pk11_ecc_secp384r1[] = { 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22 }; -#if HAVE_PKCS11_ED25519 static CK_BYTE pk11_ecc_ed25519[] = { 0x06, 0x03, 0x2b, 0x65, 0x70 }; -#endif /* HAVE_PKCS11_ED25519 */ -#if HAVE_PKCS11_ED448 static CK_BYTE pk11_ecc_ed448[] = { 0x06, 0x03, 0x2b, 0x65, 0x71 }; -#endif /* HAVE_PKCS11_ED448 */ #ifdef WANT_DH_PRIMES static CK_BYTE pk11_dh_bn2[] = { 2 }; diff --git a/win32utils/Configure b/win32utils/Configure index 13ee4d44e7..8a02e580ff 100644 --- a/win32utils/Configure +++ b/win32utils/Configure @@ -203,8 +203,6 @@ my @substdefh = ("CONFIGARGS", "USE_BACKTRACE", "USE_OPENSSL", "USE_PKCS11", - "HAVE_PKCS11_ED25519", - "HAVE_PKCS11_ED448", "HAVE_READLINE", "HAVE_ZLIB", "ISC_LIST_CHECKINIT", @@ -368,8 +366,6 @@ my @enablelist = ("developer", my @withlist = ("aes", "cross-compile", - "ecdsa", - "eddsa", "extra-tests", "gssapi", "geoip2", @@ -427,7 +423,6 @@ my @help = ( " with-openssl[=PATH] build with OpenSSL yes|path (mandatory)\n", " with-libuv[=PATH] build with libuv yes|path (mandatory)\n", " with-pkcs11[=PATH] build with PKCS#11 support yes|no|provider-path\n", -" with-eddsa crypto EDDSA yes|all|no\n", " with-gssapi[=PATH] build with MIT KfW GSSAPI yes|no|path\n", " with-libxml2[=PATH] build with libxml2 library yes|no|path\n", " with-geoip2[=PATH] build with GeoIP2 support yes|no|path\n", @@ -475,8 +470,6 @@ my $use_openssl = "auto"; my $openssl_path = "..\\..\\"; my $use_pkcs11 = "no"; my $pkcs11_path = "unknown"; -my $use_eddsa = "auto"; -my $use_ed448 = "auto"; my $use_aes = "auto"; my $use_gssapi = "no"; my $validation_default = "auto"; 
@@ -762,15 +755,6 @@ sub mywith { $pkcs11_path = $val; $pkcs11_path =~ s/\.dll$//i; } - } elsif ($key =~ /^eddsa$/i) { - if ($val =~ /^no$/i) { - $use_eddsa = "no"; - } elsif ($val !~ /^no$/i) { - $use_eddsa = "yes"; - if ($val =~ /^all$/i) { - $use_ed448 = "yes"; - } - } } elsif ($key =~ /^aes$/i) { if ($val =~ /^no$/i) { $use_aes = "no"; @@ -974,17 +958,6 @@ if ($verbose) { } else { print "pkcs11-provider-path: $pkcs11_path\n"; } - print "ecdsa: enabled\n"; - if ($use_eddsa eq "no") { - print "eddsa: disabled\n"; - } else { - print "ed25519: enabled\n"; - if ($use_ed448 eq "no") { - print "ed448: disabled\n"; - } else { - print "ed448: enabled\n"; - } - } if ($use_aes eq "no") { print "aes: disabled\n"; } else { @@ -1247,26 +1220,6 @@ if ($enable_native_pkcs11 eq "yes") { print "native PKCS#11 support: no PKCS#11 provider defined?\n"; } } - if ($use_eddsa eq "no") { - if ($verbose) { - print "no EDDSA support in native PKCS#11\n"; - } - } else { - if ($verbose) { - print "enabled Ed25519 support in native PKCS#11\n"; - } - $configdefh{"HAVE_PKCS11_ED25519"} = 1; - if ($use_ed448 eq "no") { - if ($verbose) { - print "no Ed448 support in native PKCS#11\n"; - } - } else { - if ($verbose) { - print "enabled Ed448 support in native PKCS#11\n"; - } - $configdefh{"HAVE_PKCS11_ED448"} = 1; - } - } } # enable-fixed-rrset @@ -1587,13 +1540,9 @@ EOF } } -# with-eddsa -if ($use_openssl eq "no") { - $use_eddsa = "no"; -} -if ($use_eddsa eq "auto") { +if ($use_openssl eq "yes") { if ($verbose) { - print "checking for OpenSSL ED25519 support\n"; + print "checking for OpenSSL Ed25519 support\n"; } open F, ">tested25519.c" || die $!; print F << 'EOF'; 
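Review bot: In the `@@ -1587,13 +1540,9 @@` hunk, `open F, ">tested25519.c" || die $!;` never dies on failure, because `||` binds to the filename string rather than to `open`. A failed open is then silently followed by `print F` and a compile of whatever file is already on disk. Write it as `open F, ">tested25519.c" or die "tested25519.c: $!";`; the `tested448.c` open at the end of the next hunk needs the same change. Separately, the new gate is `$use_openssl eq "yes"` while the variable is initialised to `"auto"`. If nothing earlier in the script resolves `"auto"` (not visible here), both EdDSA probes are skipped without any message, so a comment stating that `$use_openssl` is already `yes` or `no` at this point would help.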
@@ -1617,31 +1566,24 @@ EOF $compret = `cl /nologo /MD /I "$include" tested25519.c "$library"`; if (grep { -f and -x } ".\\tested25519.exe") { `.\\tested25519.exe`; - if ($? != 0) { + if ($? == 0) { + $configdefh{"HAVE_OPENSSL_ED25519"} = 1; + } else { if ($verbose) { - print "EDDSA test failed: disabling EDDSA\n"; + print "Ed25519 test failed: disabling Ed25519\n"; } - $use_eddsa = "no"; } } else { if ($verbose) { - print "can't compile EDDSA test: $compret\n"; - print "disabling EDDSA\n"; + print "can't compile Ed25519 test: $compret\n"; + print "disabling Ed25519\n"; } - $use_eddsa = "no"; } } -if ($use_eddsa ne "no") { - $use_eddsa = "yes"; - $configdefh{"HAVE_OPENSSL_ED25519"} = 1; -} else { - $use_ed448 = "no"; -} - -if ($use_ed448 eq "auto") { +if ($use_openssl eq "yes") { if ($verbose) { - print "checking for OpenSSL ED448 support\n"; + print "checking for OpenSSL Ed448 support\n"; } open F, ">tested448.c" || die $!; print F << 'EOF'; @@ -1665,26 +1607,21 @@ EOF $compret = `cl /nologo /MD /I "$include" tested448.c "$library"`; if (grep { -f and -x } ".\\tested448.exe") { `.\\tested448.exe`; - if ($? != 0) { + if ($? == 0) { + $configdefh{"HAVE_OPENSSL_ED448"} = 1; + } else { if ($verbose) { - print "ED448 test failed: disabling ED448\n"; + print "Ed448 test failed: disabling Ed448\n"; } - $use_ed448 = "no"; } } else { if ($verbose) { - print "can't compile ED448 test: $compret\n"; - print "disabling ED448\n"; + print "can't compile Ed448 test: $compret\n"; + print "disabling Ed448\n"; } - $use_ed448 = "no"; } } -if ($use_ed448 ne "no") { - $use_ed448 = "yes"; - $configdefh{"HAVE_OPENSSL_ED448"} = 1; -} - # with-aes if ($use_openssl eq "no") { if ($use_aes ne "pkcs11") { @@ -2926,8 +2863,6 @@ exit 0; # --with-python supported # --with-openssl supported # --with-pkcs11 supported -# --with-ecdsa supported -# --with-eddsa supported # --with-aes supported # --with-randomdev not supported on WIN32 (makes no sense) # --with-geoip2 supported
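Review bot: The success branch now defines `HAVE_OPENSSL_ED25519` directly from the exit status of `.\\tested25519.exe`, but nothing in the visible lines removes an executable left over from an earlier Configure run. A failed `cl` compile followed by a stale binary still passes the `-f and -x` test, which can enable Ed25519 against an OpenSSL that lacks it. Unless cleanup happens outside this hunk, add `unlink "tested25519.exe";` before the `cl` call. The Ed448 probe in the following hunk has the same shape and needs `unlink "tested448.exe";`. Note also that `$compret` is printed only on the no-binary path, so a stale-binary run hides the compiler error.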