]> granicus.if.org Git - pdns/commitdiff
goodby PolarSSL, hello mbed TLS
authorKees Monshouwer <mind04@monshouwer.org>
Fri, 14 Aug 2015 12:06:53 +0000 (14:06 +0200)
committermind04 <mind04@monshouwer.org>
Fri, 14 Aug 2015 12:26:56 +0000 (14:26 +0200)
13 files changed:
build-scripts/debian-authoritative/copyright
build-scripts/debian-recursor/copyright
configure.ac
docs/markdown/appendix/crypto-notes-export.md
ext/Makefile.am
m4/pdns_with_system_mbedtls.m4 [new file with mode: 0644]
m4/pdns_with_system_polarssl.m4 [deleted file]
modules/bindbackend/Makefile.am
modules/goraclebackend/Makefile.am
modules/remotebackend/Makefile.am
pdns/Makefile.am
pdns/mbedtlssigners.cc [moved from pdns/polarrsakeyinfra.cc with 98% similarity]
pdns/version.cc

index 35ca39f5294b1877e355ba2e1066ca08bdf672a1..7b41fec220d686f0a3dcd97fafb9795462d0437c 100644 (file)
@@ -88,7 +88,7 @@ Files: pdns/ext/rapidjson/*
 Copyright: 2011 Milo Yip
 License: Expat
 
-Files: pdns/ext/polarssl*
+Files: pdns/ext/mbedtls/*
 Copyright (C) 2006-2014, ARM Limited
 License: GPL-2+
 
index 363ae7b27eeb396a7f685904e9d86b711607176c..7a7489558a26ee7f292a3dd8ce4a5706be9169b8 100644 (file)
@@ -37,7 +37,7 @@ Files: pdns/ext/rapidjson/*
 Copyright: 2011 Milo Yip
 License: Expat
 
-Files: pdns/ext/polarssl*
+Files: pdns/ext/mbedtls/*
 Copyright (C) 2006-2014, ARM Limited
 License: GPL-2+
 
index c68a07b2aea5d75756ca35b0d6f890c202a9776e..e325bfae14d15e2ea0709850d58d0b9c2698c926 100644 (file)
@@ -177,7 +177,7 @@ AC_SUBST(THREADFLAGS)
 AC_SUBST([DYNLINKFLAGS], [-export-dynamic])
 
 PDNS_ENABLE_VERBOSE_LOGGING
-PDNS_WITH_SYSTEM_POLARSSL
+PDNS_WITH_SYSTEM_MBEDTLS
 PDNS_ENABLE_BOTAN
 PDNS_ENABLE_PKCS11
 PDNS_WITH_CRYPTOPP
index 51a7eaa2d7ad759d058b4ba9705ad02a719ca034..7fa71925d120ff2df4d69dc94b0056647967fea6 100644 (file)
@@ -3,12 +3,14 @@ In certain legal climates, PowerDNS might potentially require an export control
 
 PowerDNS does not itself implement any cryptographic algorithms but relies on third party implementations of AES, RSA, ECDSA, GOST, MD5 and various SHA-based hashing algorithms.
 
-Furthermore, RSA, MD5 and the SHA-based algorithms are supplied as a copy of [PolarSSL](http://www.polarssl.org/).
+Furthermore, RSA, MD5 and the SHA-based algorithms are supplied as a copy of [mbed TLS](https://tls.mbed.org/).
 
 Optionally, PowerDNS can link in a copy of the open source [Botan](http://botan.randombits.org/) cryptographic library.
 
 Optionally, PowerDNS can link in a copy of the open source [Crypto++](http://www.cryptopp.com/) library.
 
+Optionally, PowerDNS can link in a copy of the open source [Sodium](https://libsodium.org/) library.
+
 ## Specific United States Export Control Notes
 
 PowerDNS is not "US Origin" software. For re-export, like most open source,
index a06bda7327e2575edf97a0aede46059e64417bac..414cc7e28cee62ab671406b28941437d49fe6f22 100644 (file)
@@ -1,5 +1,5 @@
 SUBDIRS = \
-       $(POLARSSL_SUBDIR) \
+       $(MBEDTLS_SUBDIR) \
        yahttp \
        rapidjson \
         json11
diff --git a/m4/pdns_with_system_mbedtls.m4 b/m4/pdns_with_system_mbedtls.m4
new file mode 100644 (file)
index 0000000..d98a0a6
--- /dev/null
@@ -0,0 +1,54 @@
+AC_DEFUN([PDNS_WITH_SYSTEM_MBEDTLS],[
+  AC_ARG_WITH([system-mbedtls],
+    [AS_HELP_STRING([--with-system-mbedtls], [use system mbedt TLS @<:@default=no@:>@])],
+    [],
+    [with_system_mbedtls=no],
+  )
+
+  MBEDTLS_SUBDIR=mbedtls
+  MBEDTLS_CFLAGS=-I\$\(top_srcdir\)/ext/$MBEDTLS_SUBDIR/include/
+  MBEDTLS_LIBS="-L\$(top_builddir)/ext/$MBEDTLS_SUBDIR/library/ -lpolarssl"
+
+  AS_IF([test "x$with_system_mbedtls" = "xyes"],[
+    OLD_LIBS=$LIBS
+    LIBS=""
+    AC_SEARCH_LIBS([sha1_hmac], [mbedtls polarssl],[
+      MBEDTLS_LIBS=$LIBS
+      AC_MSG_CHECKING([for mbed TLS/PolarSSL version >= 1.3])
+      AC_COMPILE_IFELSE([
+        AC_LANG_PROGRAM(
+          [[#include <polarssl/version.h>]],
+          [[
+            #if POLARSSL_VERSION_NUMBER < 0x01030000
+            #error invalid version
+            #endif
+          ]]
+        )],
+        [have_system_mbedtls=yes],
+        [have_system_mbedtls=no]
+      )
+      AC_MSG_RESULT([$have_system_mbedtls])
+      ],
+      [have_system_mbedtls=no]
+    )
+    LIBS=$OLD_LIBS
+    ],
+    [have_system_mbedtls=no]
+  )
+
+  AS_IF([test "x$have_system_mbedtls" = "xyes"],[
+    MBEDTLS_CFLAGS=
+    MBEDTLS_SUBDIR=
+    AC_DEFINE([POLARSSL_SYSTEM], [1], [Defined if system mbed TLS is used])
+    ],[
+    AS_IF([test "x$with_system_mbedtls" = "xyes"],[
+      AC_MSG_ERROR([use of system mbedtls requested but not found])]
+    )]
+  )
+
+  AC_SUBST(MBEDTLS_CFLAGS)
+  AC_SUBST(MBEDTLS_LIBS)
+  AC_SUBST(MBEDTLS_SUBDIR)
+]
+)
+
diff --git a/m4/pdns_with_system_polarssl.m4 b/m4/pdns_with_system_polarssl.m4
deleted file mode 100644 (file)
index 6322c56..0000000
+++ /dev/null
@@ -1,54 +0,0 @@
-AC_DEFUN([PDNS_WITH_SYSTEM_POLARSSL],[
-  AC_ARG_WITH([system-polarssl],
-    [AS_HELP_STRING([--with-system-polarssl], [use system PolarSSL @<:@default=no@:>@])],
-    [],
-    [with_system_polarssl=no],
-  )
-
-  POLARSSL_SUBDIR=mbedtls
-  POLARSSL_CFLAGS=-I\$\(top_srcdir\)/ext/$POLARSSL_SUBDIR/include/
-  POLARSSL_LIBS="-L\$(top_builddir)/ext/$POLARSSL_SUBDIR/library/ -lpolarssl"
-
-  AS_IF([test "x$with_system_polarssl" = "xyes"],[
-    OLD_LIBS=$LIBS
-    LIBS=""
-    AC_SEARCH_LIBS([sha1_hmac], [mbedtls polarssl],[
-      POLARSSL_LIBS=$LIBS
-      AC_MSG_CHECKING([for PolarSSL version >= 1.3])
-      AC_COMPILE_IFELSE([
-        AC_LANG_PROGRAM(
-          [[#include <polarssl/version.h>]],
-          [[
-            #if POLARSSL_VERSION_NUMBER < 0x01030000
-            #error invalid version
-            #endif
-          ]]
-        )],
-        [have_system_polarssl=yes],
-        [have_system_polarssl=no]
-      )
-      AC_MSG_RESULT([$have_system_polarssl])
-      ],
-      [have_system_polarssl=no]
-    )
-    LIBS=$OLD_LIBS
-    ],
-    [have_system_polarssl=no]
-  )
-
-  AS_IF([test "x$have_system_polarssl" = "xyes"],[
-    POLARSSL_CFLAGS=
-    POLARSSL_SUBDIR=
-    AC_DEFINE([POLARSSL_SYSTEM], [1], [Defined if system PolarSSL is used])
-    ],[
-    AS_IF([test "x$with_system_polarssl" = "xyes"],[
-      AC_MSG_ERROR([use of system polarssl requested but not found])]
-    )]
-  )
-
-  AC_SUBST(POLARSSL_CFLAGS)
-  AC_SUBST(POLARSSL_LIBS)
-  AC_SUBST(POLARSSL_SUBDIR)
-]
-)
-
index ebde762e2dea61cfbec7e38249bad8eb2c183261..a2c85892e55c4542d33fbdc62170475f62917dd4 100644 (file)
@@ -1,5 +1,5 @@
 pkglib_LTLIBRARIES = libbindbackend.la
-AM_CPPFLAGS += -I../../pdns $(POLARSSL_CFLAGS)
+AM_CPPFLAGS += -I../../pdns $(MBEDTLS_CFLAGS)
 
 AM_LFLAGS = -i
 AM_YFLAGS = -d --verbose --debug
index fcd988f5ae632ba2cca9a8098c56056ed5475d7b..dd2882428dd9ea87d29dade6c92040a11e9744d9 100644 (file)
@@ -1,4 +1,4 @@
-AM_CPPFLAGS += $(ORACLE_CFLAGS) $(POLARSSL_CFLAGS)
+AM_CPPFLAGS += $(ORACLE_CFLAGS) $(MBEDTLS_CFLAGS)
 
 pkglib_LTLIBRARIES = libgoraclebackend.la
 
index a73a58dd6b02970c7ca7e00f1d32601da5472597..b0acfac22db3f30c1fdb3da98795fdb82781effe 100644 (file)
@@ -1,7 +1,7 @@
 AM_CPPFLAGS += \
        -I$(top_srcdir)/ext/rapidjson/include \
        $(YAHTTP_CFLAGS) \
-       $(POLARSSL_CFLAGS) \
+       $(MBEDTLS_CFLAGS) \
        $(LIBZMQ_CFLAGS)
 
 AM_LDFLAGS = $(THREADFLAGS)
@@ -129,7 +129,7 @@ libtestremotebackend_la_CPPFLAGS = $(AM_CPPFLAGS)
 
 libtestremotebackend_la_LIBADD = \
        $(YAHTTP_LIBS) \
-       $(POLARSSL_LIBS) \
+       $(MBEDTLS_LIBS) \
        $(BOOST_UNIT_TEST_FRAMEWORK_LIBS) \
        $(BOOST_SERIALIZATION_LIBS) \
        $(BOOST_PROGRAM_OPTIONS_LIBS) \
index d72ea74f1ecc7e4ca1faaa68915fc4946099254f..07bb26932ab14ecc8cc037aeb024f4c1d2017ba7 100644 (file)
@@ -2,7 +2,7 @@ AM_CPPFLAGS += \
        -I$(top_srcdir)/ext/json11 \
        -I$(top_srcdir)/ext/rapidjson/include \
        $(YAHTTP_CFLAGS) \
-       $(POLARSSL_CFLAGS)
+       $(MBEDTLS_CFLAGS)
 
 AM_CXXFLAGS = \
        -DSYSCONFDIR=\"$(sysconfdir)\" \
@@ -171,7 +171,7 @@ pdns_server_SOURCES = \
        packetcache.cc packetcache.hh \
        packethandler.cc packethandler.hh \
        pdnsexception.hh \
-       polarrsakeyinfra.cc \
+       mbedtlssigners.cc \
        qtype.cc qtype.hh \
        randomhelper.cc \
        rcpgenerator.cc \
@@ -207,7 +207,7 @@ pdns_server_LDADD = \
        @moduleobjects@ \
        @modulelibs@ \
        $(LIBDL) \
-       $(POLARSSL_LIBS) \
+       $(MBEDTLS_LIBS) \
        $(BOOST_SERIALIZATION_LIBS) \
        $(YAHTTP_LIBS)
 
@@ -283,7 +283,7 @@ pdnssec_SOURCES = \
        nsecrecords.cc \
        packetcache.cc \
        pdnssec.cc \
-       polarrsakeyinfra.cc \
+       mbedtlssigners.cc \
        qtype.cc \
        randomhelper.cc \
        rcpgenerator.cc rcpgenerator.hh \
@@ -306,7 +306,7 @@ pdnssec_LDADD = \
        @moduleobjects@ \
        @modulelibs@ \
        $(LIBDL) \
-       $(POLARSSL_LIBS) \
+       $(MBEDTLS_LIBS) \
        $(BOOST_PROGRAM_OPTIONS_LIBS) \
        $(BOOST_SERIALIZATION_LIBS) \
        $(YAHTTP_LIBS)
@@ -376,7 +376,7 @@ zone2sql_SOURCES = \
        zone2sql.cc \
        zoneparser-tng.cc
 
-zone2sql_LDADD = $(POLARSSL_LIBS)
+zone2sql_LDADD = $(MBEDTLS_LIBS)
 
 zone2json_SOURCES = \
        arguments.cc \
@@ -402,7 +402,7 @@ zone2json_SOURCES = \
        zone2json.cc \
        zoneparser-tng.cc
 
-zone2json_LDADD = $(POLARSSL_LIBS) -L$(top_srcdir)/ext/json11 -ljson11
+zone2json_LDADD = $(MBEDTLS_LIBS) -L$(top_srcdir)/ext/json11 -ljson11
 
 # pkglib_LTLIBRARIES = iputils.la
 # iputils_la_SOURCES = lua-iputils.cc
@@ -437,7 +437,7 @@ zone2ldap_SOURCES = \
        zone2ldap.cc \
        zoneparser-tng.cc
 
-zone2ldap_LDADD = $(POLARSSL_LIBS)
+zone2ldap_LDADD = $(MBEDTLS_LIBS)
 
 if LMDB
 bin_PROGRAMS += zone2lmdb
@@ -469,7 +469,7 @@ zone2lmdb_SOURCES = \
        zoneparser-tng.cc
 
 zone2lmdb_LDADD = \
-       $(POLARSSL_LIBS) \
+       $(MBEDTLS_LIBS) \
        $(LMDB_LIBS)
 endif
 
@@ -492,7 +492,7 @@ sdig_SOURCES = \
        statbag.cc \
        unix_utility.cc
 
-sdig_LDADD = $(POLARSSL_LIBS)
+sdig_LDADD = $(MBEDTLS_LIBS)
 
 calidns_SOURCES = \
        base32.cc \
@@ -514,7 +514,7 @@ calidns_SOURCES = \
        statbag.cc \
        unix_utility.cc
 
-calidns_LDADD = $(POLARSSL_LIBS)       
+calidns_LDADD = $(MBEDTLS_LIBS)
 calidns_LDFLAGS=$(THREADFLAGS) 
 
 dumresp_SOURCES = \
@@ -550,7 +550,7 @@ saxfr_SOURCES = \
        statbag.cc \
        unix_utility.cc
 
-saxfr_LDADD = $(POLARSSL_LIBS)
+saxfr_LDADD = $(MBEDTLS_LIBS)
 
 if PKCS11
 saxfr_SOURCES += pkcs11signers.cc pkcs11signers.hh
@@ -585,7 +585,7 @@ dnstcpbench_LDFLAGS = \
        $(BOOST_PROGRAM_OPTIONS_LDFLAGS)
 
 dnstcpbench_LDADD = \
-       $(POLARSSL_LIBS) \
+       $(MBEDTLS_LIBS) \
        $(BOOST_PROGRAM_OPTIONS_LIBS)
 
 dnsdist_SOURCES = \
@@ -640,7 +640,7 @@ nsec3dig_SOURCES = \
        statbag.cc \
        unix_utility.cc
 
-nsec3dig_LDADD = $(POLARSSL_LIBS)
+nsec3dig_LDADD = $(MBEDTLS_LIBS)
 
 if PKCS11
 nsec3dig_SOURCES += pkcs11signers.cc pkcs11signers.hh
@@ -673,7 +673,7 @@ toysdig_SOURCES = \
        toysdig.cc \
        unix_utility.cc
 
-toysdig_LDADD = $(POLARSSL_LIBS)
+toysdig_LDADD = $(MBEDTLS_LIBS)
 
 tsig_tests_SOURCES = \
        arguments.cc \
@@ -701,7 +701,7 @@ tsig_tests_SOURCES = \
        tsig-tests.cc \
        unix_utility.cc
 
-tsig_tests_LDADD = $(POLARSSL_LIBS)
+tsig_tests_LDADD = $(MBEDTLS_LIBS)
 
 if PKCS11
 tsig_tests_SOURCES += pkcs11signers.cc pkcs11signers.hh
@@ -729,7 +729,7 @@ speedtest_SOURCES = \
        statbag.cc \
        unix_utility.cc
 
-speedtest_LDADD = $(POLARSSL_LIBS) \
+speedtest_LDADD = $(MBEDTLS_LIBS) \
        $(RT_LIBS)
 
 dnswasher_SOURCES = \
@@ -769,7 +769,7 @@ dnsbulktest_LDFLAGS = \
        $(BOOST_PROGRAM_OPTIONS_LDFLAGS)
 
 dnsbulktest_LDADD = \
-       $(POLARSSL_LIBS) \
+       $(MBEDTLS_LIBS) \
        $(BOOST_PROGRAM_OPTIONS_LIBS)
 
 dnsscan_SOURCES = \
@@ -793,7 +793,7 @@ dnsscan_SOURCES = \
        unix_utility.cc \
        utility.hh
 
-dnsscan_LDADD = $(POLARSSL_LIBS)
+dnsscan_LDADD = $(MBEDTLS_LIBS)
 
 dnsreplay_SOURCES = \
        anadns.hh \
@@ -821,7 +821,7 @@ dnsreplay_LDFLAGS = \
        $(BOOST_PROGRAM_OPTIONS_LDFLAGS)
 
 dnsreplay_LDADD = \
-       $(POLARSSL_LIBS) \
+       $(MBEDTLS_LIBS) \
        $(BOOST_PROGRAM_OPTIONS_LIBS)
 
 nproxy_SOURCES = \
@@ -849,7 +849,7 @@ nproxy_LDFLAGS = \
        $(BOOST_PROGRAM_OPTIONS_LDFLAGS)
 
 nproxy_LDADD = \
-       $(POLARSSL_LIBS) \
+       $(MBEDTLS_LIBS) \
        $(BOOST_PROGRAM_OPTIONS_LIBS)
 
 notify_SOURCES = \
@@ -878,7 +878,7 @@ notify_LDFLAGS = \
        $(BOOST_PROGRAM_OPTIONS_LDFLAGS)
 
 notify_LDADD = \
-       $(POLARSSL_LIBS) \
+       $(MBEDTLS_LIBS) \
        $(BOOST_PROGRAM_OPTIONS_LIBS)
 
 dnsscope_SOURCES = \
@@ -908,7 +908,7 @@ dnsscope_LDFLAGS = \
        $(BOOST_PROGRAM_OPTIONS_LDFLAGS)
 
 dnsscope_LDADD = \
-       $(POLARSSL_LIBS) \
+       $(MBEDTLS_LIBS) \
        $(BOOST_PROGRAM_OPTIONS_LIBS)
 
 dnsgram_SOURCES = \
@@ -931,7 +931,7 @@ dnsgram_SOURCES = \
        unix_utility.cc \
        utility.hh
 
-dnsgram_LDADD = $(POLARSSL_LIBS)
+dnsgram_LDADD = $(MBEDTLS_LIBS)
 
 dnsdemog_SOURCES = \
        base32.cc \
@@ -953,7 +953,7 @@ dnsdemog_SOURCES = \
        unix_utility.cc \
        utility.hh
 
-dnsdemog_LDADD = $(POLARSSL_LIBS)
+dnsdemog_LDADD = $(MBEDTLS_LIBS)
 
 rec_control_SOURCES = \
        arguments.cc arguments.hh \
@@ -1029,7 +1029,7 @@ testrunner_LDFLAGS = \
        $(BOOST_SERIALIZATION_LDFLAGS)
 
 testrunner_LDADD = \
-       $(POLARSSL_LIBS) \
+       $(MBEDTLS_LIBS) \
        $(BOOST_UNIT_TEST_FRAMEWORK_LIBS) \
        $(BOOST_SERIALIZATION_LIBS) \
        $(RT_LIBS) \
@@ -1088,7 +1088,7 @@ pdns_recursor_SOURCES = \
        zoneparser-tng.cc zoneparser-tng.hh
 
 pdns_recursor_LDADD = \
-       $(POLARSSL_LIBS) \
+       $(MBEDTLS_LIBS) \
        $(YAHTTP_LIBS)
 
 if LUA
similarity index 98%
rename from pdns/polarrsakeyinfra.cc
rename to pdns/mbedtlssigners.cc
index eb7da34863c18de33f2a99a6e5becb365ccf299a..d40d81ec922e846565a0043f4b8841ffc02caaaf 100644 (file)
@@ -18,7 +18,7 @@ using namespace boost::assign;
 class RSADNSCryptoKeyEngine : public DNSCryptoKeyEngine
 {
 public:
-  string getName() const { return "PolarSSL RSA"; }
+  string getName() const { return "mbedTLS RSA"; }
 
   explicit RSADNSCryptoKeyEngine(unsigned int algorithm) : DNSCryptoKeyEngine(algorithm)
   {
@@ -41,7 +41,7 @@ public:
 
   RSADNSCryptoKeyEngine(const RSADNSCryptoKeyEngine& orig) : DNSCryptoKeyEngine(orig.d_algorithm)
   {
-    // this part is a little bit scary.. we make a 'deep copy' of an RSA state, and polarssl isn't helping us so we delve into thr struct
+    // this part is a little bit scary.. we make a 'deep copy' of an RSA state, and mbedtls isn't helping us so we delve into thr struct
     d_context.ver = orig.d_context.ver; 
     d_context.len = orig.d_context.len;
 
@@ -197,7 +197,7 @@ std::string RSADNSCryptoKeyEngine::hash(const std::string& toHash) const
     sha512((unsigned char*)toHash.c_str(), toHash.length(), hash, 0);
     return string((char*)hash, sizeof(hash));
   }
-  throw runtime_error("PolarSSL hashing method can't hash algorithm "+lexical_cast<string>(d_algorithm));
+  throw runtime_error("mbed TLS hashing method can't hash algorithm "+lexical_cast<string>(d_algorithm));
 }
 
 
@@ -362,6 +362,6 @@ struct LoaderStruct
     DNSCryptoKeyEngine::report(8, &RSADNSCryptoKeyEngine::maker, true);
     DNSCryptoKeyEngine::report(10, &RSADNSCryptoKeyEngine::maker, true);
   }
-} loaderPolar;
+} loaderMbed;
 }
 
index 67bcbf8e08a91393590b3273ebda0bd1e1798bb0..d3a5ef356eb18a9f637268feb31542b97bc1be33 100644 (file)
@@ -114,8 +114,8 @@ void showBuildConfiguration()
   // Auth only
   theL()<<Logger::Warning<<"Built-in modules: "<<PDNS_MODULES<<endl;
 #endif
-#ifndef POLARSSL_SYSTEM
-  theL()<<Logger::Warning<<"Built-in PolarSSL: "<<POLARSSL_VERSION_STRING<<endl;
+#ifndef MBEDTLS_SYSTEM
+  theL()<<Logger::Warning<<"Built-in mbed TLS: "<<POLARSSL_VERSION_STRING<<endl;
 #endif
 #ifdef PDNS_CONFIG_ARGS
 #define double_escape(s) #s