From 8cb5dea2ce601a8e79f606f7af9e7676b1feee40 Mon Sep 17 00:00:00 2001 From: Kees Monshouwer Date: Fri, 14 Aug 2015 14:06:53 +0200 Subject: [PATCH] goodby PolarSSL, hello mbed TLS --- build-scripts/debian-authoritative/copyright | 2 +- build-scripts/debian-recursor/copyright | 2 +- configure.ac | 2 +- docs/markdown/appendix/crypto-notes-export.md | 4 +- ext/Makefile.am | 2 +- m4/pdns_with_system_mbedtls.m4 | 54 +++++++++++++++++++ m4/pdns_with_system_polarssl.m4 | 54 ------------------- modules/bindbackend/Makefile.am | 2 +- modules/goraclebackend/Makefile.am | 2 +- modules/remotebackend/Makefile.am | 4 +- pdns/Makefile.am | 54 +++++++++---------- ...{polarrsakeyinfra.cc => mbedtlssigners.cc} | 8 +-- pdns/version.cc | 4 +- 13 files changed, 98 insertions(+), 96 deletions(-) create mode 100644 m4/pdns_with_system_mbedtls.m4 delete mode 100644 m4/pdns_with_system_polarssl.m4 rename pdns/{polarrsakeyinfra.cc => mbedtlssigners.cc} (98%) diff --git a/build-scripts/debian-authoritative/copyright b/build-scripts/debian-authoritative/copyright index 35ca39f52..7b41fec22 100644 --- a/build-scripts/debian-authoritative/copyright +++ b/build-scripts/debian-authoritative/copyright @@ -88,7 +88,7 @@ Files: pdns/ext/rapidjson/* Copyright: 2011 Milo Yip License: Expat -Files: pdns/ext/polarssl* +Files: pdns/ext/mbedtls/* Copyright (C) 2006-2014, ARM Limited License: GPL-2+ diff --git a/build-scripts/debian-recursor/copyright b/build-scripts/debian-recursor/copyright index 363ae7b27..7a7489558 100644 --- a/build-scripts/debian-recursor/copyright +++ b/build-scripts/debian-recursor/copyright @@ -37,7 +37,7 @@ Files: pdns/ext/rapidjson/* Copyright: 2011 Milo Yip License: Expat -Files: pdns/ext/polarssl* +Files: pdns/ext/mbedtls/* Copyright (C) 2006-2014, ARM Limited License: GPL-2+ diff --git a/configure.ac b/configure.ac index c68a07b2a..e325bfae1 100644 --- a/configure.ac +++ b/configure.ac @@ -177,7 +177,7 @@ AC_SUBST(THREADFLAGS) AC_SUBST([DYNLINKFLAGS], [-export-dynamic]) PDNS_ENABLE_VERBOSE_LOGGING -PDNS_WITH_SYSTEM_POLARSSL +PDNS_WITH_SYSTEM_MBEDTLS PDNS_ENABLE_BOTAN PDNS_ENABLE_PKCS11 PDNS_WITH_CRYPTOPP diff --git a/docs/markdown/appendix/crypto-notes-export.md b/docs/markdown/appendix/crypto-notes-export.md index 51a7eaa2d..7fa71925d 100644 --- a/docs/markdown/appendix/crypto-notes-export.md +++ b/docs/markdown/appendix/crypto-notes-export.md @@ -3,12 +3,14 @@ In certain legal climates, PowerDNS might potentially require an export control PowerDNS does not itself implement any cryptographic algorithms but relies on third party implementations of AES, RSA, ECDSA, GOST, MD5 and various SHA-based hashing algorithms. -Furthermore, RSA, MD5 and the SHA-based algorithms are supplied as a copy of [PolarSSL](http://www.polarssl.org/). +Furthermore, RSA, MD5 and the SHA-based algorithms are supplied as a copy of [mbed TLS](https://tls.mbed.org/). Optionally, PowerDNS can link in a copy of the open source [Botan](http://botan.randombits.org/) cryptographic library. Optionally, PowerDNS can link in a copy of the open source [Crypto++](http://www.cryptopp.com/) library. +Optionally, PowerDNS can link in a copy of the open source [Sodium](https://libsodium.org/) library. + ## Specific United States Export Control Notes PowerDNS is not "US Origin" software. For re-export, like most open source, diff --git a/ext/Makefile.am b/ext/Makefile.am index a06bda732..414cc7e28 100644 --- a/ext/Makefile.am +++ b/ext/Makefile.am @@ -1,5 +1,5 @@ SUBDIRS = \ - $(POLARSSL_SUBDIR) \ + $(MBEDTLS_SUBDIR) \ yahttp \ rapidjson \ json11 diff --git a/m4/pdns_with_system_mbedtls.m4 b/m4/pdns_with_system_mbedtls.m4 new file mode 100644 index 000000000..d98a0a65f --- /dev/null +++ b/m4/pdns_with_system_mbedtls.m4 @@ -0,0 +1,54 @@ +AC_DEFUN([PDNS_WITH_SYSTEM_MBEDTLS],[ + AC_ARG_WITH([system-mbedtls], + [AS_HELP_STRING([--with-system-mbedtls], [use system mbedt TLS @<:@default=no@:>@])], + [], + [with_system_mbedtls=no], + ) + + MBEDTLS_SUBDIR=mbedtls + MBEDTLS_CFLAGS=-I\$\(top_srcdir\)/ext/$MBEDTLS_SUBDIR/include/ + MBEDTLS_LIBS="-L\$(top_builddir)/ext/$MBEDTLS_SUBDIR/library/ -lpolarssl" + + AS_IF([test "x$with_system_mbedtls" = "xyes"],[ + OLD_LIBS=$LIBS + LIBS="" + AC_SEARCH_LIBS([sha1_hmac], [mbedtls polarssl],[ + MBEDTLS_LIBS=$LIBS + AC_MSG_CHECKING([for mbed TLS/PolarSSL version >= 1.3]) + AC_COMPILE_IFELSE([ + AC_LANG_PROGRAM( + [[#include ]], + [[ + #if POLARSSL_VERSION_NUMBER < 0x01030000 + #error invalid version + #endif + ]] + )], + [have_system_mbedtls=yes], + [have_system_mbedtls=no] + ) + AC_MSG_RESULT([$have_system_mbedtls]) + ], + [have_system_mbedtls=no] + ) + LIBS=$OLD_LIBS + ], + [have_system_mbedtls=no] + ) + + AS_IF([test "x$have_system_mbedtls" = "xyes"],[ + MBEDTLS_CFLAGS= + MBEDTLS_SUBDIR= + AC_DEFINE([POLARSSL_SYSTEM], [1], [Defined if system mbed TLS is used]) + ],[ + AS_IF([test "x$with_system_mbedtls" = "xyes"],[ + AC_MSG_ERROR([use of system mbedtls requested but not found])] + )] + ) + + AC_SUBST(MBEDTLS_CFLAGS) + AC_SUBST(MBEDTLS_LIBS) + AC_SUBST(MBEDTLS_SUBDIR) +] +) + diff --git a/m4/pdns_with_system_polarssl.m4 b/m4/pdns_with_system_polarssl.m4 deleted file mode 100644 index 6322c56b3..000000000 --- a/m4/pdns_with_system_polarssl.m4 +++ /dev/null @@ -1,54 +0,0 @@ -AC_DEFUN([PDNS_WITH_SYSTEM_POLARSSL],[ - AC_ARG_WITH([system-polarssl], - [AS_HELP_STRING([--with-system-polarssl], [use system PolarSSL @<:@default=no@:>@])], - [], - [with_system_polarssl=no], - ) - - POLARSSL_SUBDIR=mbedtls - POLARSSL_CFLAGS=-I\$\(top_srcdir\)/ext/$POLARSSL_SUBDIR/include/ - POLARSSL_LIBS="-L\$(top_builddir)/ext/$POLARSSL_SUBDIR/library/ -lpolarssl" - - AS_IF([test "x$with_system_polarssl" = "xyes"],[ - OLD_LIBS=$LIBS - LIBS="" - AC_SEARCH_LIBS([sha1_hmac], [mbedtls polarssl],[ - POLARSSL_LIBS=$LIBS - AC_MSG_CHECKING([for PolarSSL version >= 1.3]) - AC_COMPILE_IFELSE([ - AC_LANG_PROGRAM( - [[#include ]], - [[ - #if POLARSSL_VERSION_NUMBER < 0x01030000 - #error invalid version - #endif - ]] - )], - [have_system_polarssl=yes], - [have_system_polarssl=no] - ) - AC_MSG_RESULT([$have_system_polarssl]) - ], - [have_system_polarssl=no] - ) - LIBS=$OLD_LIBS - ], - [have_system_polarssl=no] - ) - - AS_IF([test "x$have_system_polarssl" = "xyes"],[ - POLARSSL_CFLAGS= - POLARSSL_SUBDIR= - AC_DEFINE([POLARSSL_SYSTEM], [1], [Defined if system PolarSSL is used]) - ],[ - AS_IF([test "x$with_system_polarssl" = "xyes"],[ - AC_MSG_ERROR([use of system polarssl requested but not found])] - )] - ) - - AC_SUBST(POLARSSL_CFLAGS) - AC_SUBST(POLARSSL_LIBS) - AC_SUBST(POLARSSL_SUBDIR) -] -) - diff --git a/modules/bindbackend/Makefile.am b/modules/bindbackend/Makefile.am index ebde762e2..a2c85892e 100644 --- a/modules/bindbackend/Makefile.am +++ b/modules/bindbackend/Makefile.am @@ -1,5 +1,5 @@ pkglib_LTLIBRARIES = libbindbackend.la -AM_CPPFLAGS += -I../../pdns $(POLARSSL_CFLAGS) +AM_CPPFLAGS += -I../../pdns $(MBEDTLS_CFLAGS) AM_LFLAGS = -i AM_YFLAGS = -d --verbose --debug diff --git a/modules/goraclebackend/Makefile.am b/modules/goraclebackend/Makefile.am index fcd988f5a..dd2882428 100644 --- a/modules/goraclebackend/Makefile.am +++ b/modules/goraclebackend/Makefile.am @@ -1,4 +1,4 @@ -AM_CPPFLAGS += $(ORACLE_CFLAGS) $(POLARSSL_CFLAGS) +AM_CPPFLAGS += $(ORACLE_CFLAGS) $(MBEDTLS_CFLAGS) pkglib_LTLIBRARIES = libgoraclebackend.la diff --git a/modules/remotebackend/Makefile.am b/modules/remotebackend/Makefile.am index a73a58dd6..b0acfac22 100644 --- a/modules/remotebackend/Makefile.am +++ b/modules/remotebackend/Makefile.am @@ -1,7 +1,7 @@ AM_CPPFLAGS += \ -I$(top_srcdir)/ext/rapidjson/include \ $(YAHTTP_CFLAGS) \ - $(POLARSSL_CFLAGS) \ + $(MBEDTLS_CFLAGS) \ $(LIBZMQ_CFLAGS) AM_LDFLAGS = $(THREADFLAGS) @@ -129,7 +129,7 @@ libtestremotebackend_la_CPPFLAGS = $(AM_CPPFLAGS) libtestremotebackend_la_LIBADD = \ $(YAHTTP_LIBS) \ - $(POLARSSL_LIBS) \ + $(MBEDTLS_LIBS) \ $(BOOST_UNIT_TEST_FRAMEWORK_LIBS) \ $(BOOST_SERIALIZATION_LIBS) \ $(BOOST_PROGRAM_OPTIONS_LIBS) \ diff --git a/pdns/Makefile.am b/pdns/Makefile.am index d72ea74f1..07bb26932 100644 --- a/pdns/Makefile.am +++ b/pdns/Makefile.am @@ -2,7 +2,7 @@ AM_CPPFLAGS += \ -I$(top_srcdir)/ext/json11 \ -I$(top_srcdir)/ext/rapidjson/include \ $(YAHTTP_CFLAGS) \ - $(POLARSSL_CFLAGS) + $(MBEDTLS_CFLAGS) AM_CXXFLAGS = \ -DSYSCONFDIR=\"$(sysconfdir)\" \ @@ -171,7 +171,7 @@ pdns_server_SOURCES = \ packetcache.cc packetcache.hh \ packethandler.cc packethandler.hh \ pdnsexception.hh \ - polarrsakeyinfra.cc \ + mbedtlssigners.cc \ qtype.cc qtype.hh \ randomhelper.cc \ rcpgenerator.cc \ @@ -207,7 +207,7 @@ pdns_server_LDADD = \ @moduleobjects@ \ @modulelibs@ \ $(LIBDL) \ - $(POLARSSL_LIBS) \ + $(MBEDTLS_LIBS) \ $(BOOST_SERIALIZATION_LIBS) \ $(YAHTTP_LIBS) @@ -283,7 +283,7 @@ pdnssec_SOURCES = \ nsecrecords.cc \ packetcache.cc \ pdnssec.cc \ - polarrsakeyinfra.cc \ + mbedtlssigners.cc \ qtype.cc \ randomhelper.cc \ rcpgenerator.cc rcpgenerator.hh \ @@ -306,7 +306,7 @@ pdnssec_LDADD = \ @moduleobjects@ \ @modulelibs@ \ $(LIBDL) \ - $(POLARSSL_LIBS) \ + $(MBEDTLS_LIBS) \ $(BOOST_PROGRAM_OPTIONS_LIBS) \ $(BOOST_SERIALIZATION_LIBS) \ $(YAHTTP_LIBS) @@ -376,7 +376,7 @@ zone2sql_SOURCES = \ zone2sql.cc \ zoneparser-tng.cc -zone2sql_LDADD = $(POLARSSL_LIBS) +zone2sql_LDADD = $(MBEDTLS_LIBS) zone2json_SOURCES = \ arguments.cc \ @@ -402,7 +402,7 @@ zone2json_SOURCES = \ zone2json.cc \ zoneparser-tng.cc -zone2json_LDADD = $(POLARSSL_LIBS) -L$(top_srcdir)/ext/json11 -ljson11 +zone2json_LDADD = $(MBEDTLS_LIBS) -L$(top_srcdir)/ext/json11 -ljson11 # pkglib_LTLIBRARIES = iputils.la # iputils_la_SOURCES = lua-iputils.cc @@ -437,7 +437,7 @@ zone2ldap_SOURCES = \ zone2ldap.cc \ zoneparser-tng.cc -zone2ldap_LDADD = $(POLARSSL_LIBS) +zone2ldap_LDADD = $(MBEDTLS_LIBS) if LMDB bin_PROGRAMS += zone2lmdb @@ -469,7 +469,7 @@ zone2lmdb_SOURCES = \ zoneparser-tng.cc zone2lmdb_LDADD = \ - $(POLARSSL_LIBS) \ + $(MBEDTLS_LIBS) \ $(LMDB_LIBS) endif @@ -492,7 +492,7 @@ sdig_SOURCES = \ statbag.cc \ unix_utility.cc -sdig_LDADD = $(POLARSSL_LIBS) +sdig_LDADD = $(MBEDTLS_LIBS) calidns_SOURCES = \ base32.cc \ @@ -514,7 +514,7 @@ calidns_SOURCES = \ statbag.cc \ unix_utility.cc -calidns_LDADD = $(POLARSSL_LIBS) +calidns_LDADD = $(MBEDTLS_LIBS) calidns_LDFLAGS=$(THREADFLAGS) dumresp_SOURCES = \ @@ -550,7 +550,7 @@ saxfr_SOURCES = \ statbag.cc \ unix_utility.cc -saxfr_LDADD = $(POLARSSL_LIBS) +saxfr_LDADD = $(MBEDTLS_LIBS) if PKCS11 saxfr_SOURCES += pkcs11signers.cc pkcs11signers.hh @@ -585,7 +585,7 @@ dnstcpbench_LDFLAGS = \ $(BOOST_PROGRAM_OPTIONS_LDFLAGS) dnstcpbench_LDADD = \ - $(POLARSSL_LIBS) \ + $(MBEDTLS_LIBS) \ $(BOOST_PROGRAM_OPTIONS_LIBS) dnsdist_SOURCES = \ @@ -640,7 +640,7 @@ nsec3dig_SOURCES = \ statbag.cc \ unix_utility.cc -nsec3dig_LDADD = $(POLARSSL_LIBS) +nsec3dig_LDADD = $(MBEDTLS_LIBS) if PKCS11 nsec3dig_SOURCES += pkcs11signers.cc pkcs11signers.hh @@ -673,7 +673,7 @@ toysdig_SOURCES = \ toysdig.cc \ unix_utility.cc -toysdig_LDADD = $(POLARSSL_LIBS) +toysdig_LDADD = $(MBEDTLS_LIBS) tsig_tests_SOURCES = \ arguments.cc \ @@ -701,7 +701,7 @@ tsig_tests_SOURCES = \ tsig-tests.cc \ unix_utility.cc -tsig_tests_LDADD = $(POLARSSL_LIBS) +tsig_tests_LDADD = $(MBEDTLS_LIBS) if PKCS11 tsig_tests_SOURCES += pkcs11signers.cc pkcs11signers.hh @@ -729,7 +729,7 @@ speedtest_SOURCES = \ statbag.cc \ unix_utility.cc -speedtest_LDADD = $(POLARSSL_LIBS) \ +speedtest_LDADD = $(MBEDTLS_LIBS) \ $(RT_LIBS) dnswasher_SOURCES = \ @@ -769,7 +769,7 @@ dnsbulktest_LDFLAGS = \ $(BOOST_PROGRAM_OPTIONS_LDFLAGS) dnsbulktest_LDADD = \ - $(POLARSSL_LIBS) \ + $(MBEDTLS_LIBS) \ $(BOOST_PROGRAM_OPTIONS_LIBS) dnsscan_SOURCES = \ @@ -793,7 +793,7 @@ dnsscan_SOURCES = \ unix_utility.cc \ utility.hh -dnsscan_LDADD = $(POLARSSL_LIBS) +dnsscan_LDADD = $(MBEDTLS_LIBS) dnsreplay_SOURCES = \ anadns.hh \ @@ -821,7 +821,7 @@ dnsreplay_LDFLAGS = \ $(BOOST_PROGRAM_OPTIONS_LDFLAGS) dnsreplay_LDADD = \ - $(POLARSSL_LIBS) \ + $(MBEDTLS_LIBS) \ $(BOOST_PROGRAM_OPTIONS_LIBS) nproxy_SOURCES = \ @@ -849,7 +849,7 @@ nproxy_LDFLAGS = \ $(BOOST_PROGRAM_OPTIONS_LDFLAGS) nproxy_LDADD = \ - $(POLARSSL_LIBS) \ + $(MBEDTLS_LIBS) \ $(BOOST_PROGRAM_OPTIONS_LIBS) notify_SOURCES = \ @@ -878,7 +878,7 @@ notify_LDFLAGS = \ $(BOOST_PROGRAM_OPTIONS_LDFLAGS) notify_LDADD = \ - $(POLARSSL_LIBS) \ + $(MBEDTLS_LIBS) \ $(BOOST_PROGRAM_OPTIONS_LIBS) dnsscope_SOURCES = \ @@ -908,7 +908,7 @@ dnsscope_LDFLAGS = \ $(BOOST_PROGRAM_OPTIONS_LDFLAGS) dnsscope_LDADD = \ - $(POLARSSL_LIBS) \ + $(MBEDTLS_LIBS) \ $(BOOST_PROGRAM_OPTIONS_LIBS) dnsgram_SOURCES = \ @@ -931,7 +931,7 @@ dnsgram_SOURCES = \ unix_utility.cc \ utility.hh -dnsgram_LDADD = $(POLARSSL_LIBS) +dnsgram_LDADD = $(MBEDTLS_LIBS) dnsdemog_SOURCES = \ base32.cc \ @@ -953,7 +953,7 @@ dnsdemog_SOURCES = \ unix_utility.cc \ utility.hh -dnsdemog_LDADD = $(POLARSSL_LIBS) +dnsdemog_LDADD = $(MBEDTLS_LIBS) rec_control_SOURCES = \ arguments.cc arguments.hh \ @@ -1029,7 +1029,7 @@ testrunner_LDFLAGS = \ $(BOOST_SERIALIZATION_LDFLAGS) testrunner_LDADD = \ - $(POLARSSL_LIBS) \ + $(MBEDTLS_LIBS) \ $(BOOST_UNIT_TEST_FRAMEWORK_LIBS) \ $(BOOST_SERIALIZATION_LIBS) \ $(RT_LIBS) \ @@ -1088,7 +1088,7 @@ pdns_recursor_SOURCES = \ zoneparser-tng.cc zoneparser-tng.hh pdns_recursor_LDADD = \ - $(POLARSSL_LIBS) \ + $(MBEDTLS_LIBS) \ $(YAHTTP_LIBS) if LUA diff --git a/pdns/polarrsakeyinfra.cc b/pdns/mbedtlssigners.cc similarity index 98% rename from pdns/polarrsakeyinfra.cc rename to pdns/mbedtlssigners.cc index eb7da3486..d40d81ec9 100644 --- a/pdns/polarrsakeyinfra.cc +++ b/pdns/mbedtlssigners.cc @@ -18,7 +18,7 @@ using namespace boost::assign; class RSADNSCryptoKeyEngine : public DNSCryptoKeyEngine { public: - string getName() const { return "PolarSSL RSA"; } + string getName() const { return "mbedTLS RSA"; } explicit RSADNSCryptoKeyEngine(unsigned int algorithm) : DNSCryptoKeyEngine(algorithm) { @@ -41,7 +41,7 @@ public: RSADNSCryptoKeyEngine(const RSADNSCryptoKeyEngine& orig) : DNSCryptoKeyEngine(orig.d_algorithm) { - // this part is a little bit scary.. we make a 'deep copy' of an RSA state, and polarssl isn't helping us so we delve into thr struct + // this part is a little bit scary.. we make a 'deep copy' of an RSA state, and mbedtls isn't helping us so we delve into thr struct d_context.ver = orig.d_context.ver; d_context.len = orig.d_context.len; @@ -197,7 +197,7 @@ std::string RSADNSCryptoKeyEngine::hash(const std::string& toHash) const sha512((unsigned char*)toHash.c_str(), toHash.length(), hash, 0); return string((char*)hash, sizeof(hash)); } - throw runtime_error("PolarSSL hashing method can't hash algorithm "+lexical_cast(d_algorithm)); + throw runtime_error("mbed TLS hashing method can't hash algorithm "+lexical_cast(d_algorithm)); } @@ -362,6 +362,6 @@ struct LoaderStruct DNSCryptoKeyEngine::report(8, &RSADNSCryptoKeyEngine::maker, true); DNSCryptoKeyEngine::report(10, &RSADNSCryptoKeyEngine::maker, true); } -} loaderPolar; +} loaderMbed; } diff --git a/pdns/version.cc b/pdns/version.cc index 67bcbf8e0..d3a5ef356 100644 --- a/pdns/version.cc +++ b/pdns/version.cc @@ -114,8 +114,8 @@ void showBuildConfiguration() // Auth only theL()<