From c069436a89a238e2815452de6f8f5930dc66dc36 Mon Sep 17 00:00:00 2001 From: Christian Hofstaedtler Date: Thu, 21 Jan 2016 12:48:10 +0000 Subject: [PATCH] Remove mbedtls support --- .travis.yml | 1 - build-scripts/build-auth-rpm | 3 +- build-scripts/debian-authoritative/rules | 1 - build-scripts/debian-recursor/rules | 1 - configure.ac | 1 - ext/Makefile.am | 2 - m4/pdns_with_system_mbedtls.m4 | 90 --- modules/bindbackend/Makefile.am | 2 +- modules/goraclebackend/Makefile.am | 2 +- modules/remotebackend/Makefile.am | 2 - pdns/Makefile.am | 70 +- pdns/base64.cc | 22 - pdns/dns_random.cc | 22 - pdns/dnssecinfra.cc | 52 -- pdns/mbedtlscompat.hh | 132 ---- pdns/mbedtlssigners.cc | 739 ------------------ pdns/md5.hh | 13 - pdns/recursordist/Makefile.am | 12 +- pdns/recursordist/configure.ac | 1 - .../m4/pdns_with_system_mbedtls.m4 | 81 -- pdns/recursordist/mbedtlscompat.hh | 1 - pdns/recursordist/mbedtlssigners.cc | 1 - pdns/sha.hh | 37 - pdns/version.cc | 12 - 24 files changed, 15 insertions(+), 1285 deletions(-) delete mode 100644 m4/pdns_with_system_mbedtls.m4 delete mode 100644 pdns/mbedtlscompat.hh delete mode 100644 pdns/mbedtlssigners.cc delete mode 100644 pdns/recursordist/m4/pdns_with_system_mbedtls.m4 delete mode 120000 pdns/recursordist/mbedtlscompat.hh delete mode 120000 pdns/recursordist/mbedtlssigners.cc diff --git a/.travis.yml b/.travis.yml index b45699ad1..b03b2a914 100644 --- a/.travis.yml +++ b/.travis.yml @@ -154,7 +154,6 @@ script: - CFLAGS='-O1' CXXFLAGS='-O1' ./configure --with-dynmodules='bind gmysql geoip gpgsql gsqlite3 ldap lua mydns opendbx pipe random remote tinydns' --with-modules='' - --without-mbedtls --with-sqlite3 --enable-libsodium --enable-experimental-pkcs11 diff --git a/build-scripts/build-auth-rpm b/build-scripts/build-auth-rpm index 9c9b82eeb..973c96dce 100755 --- a/build-scripts/build-auth-rpm +++ b/build-scripts/build-auth-rpm 
@@ -301,7 +301,7 @@ BuildRequires: systemd-units BuildRequires: boost-devel BuildRequires: lua-devel BuildRequires: bison -BuildRequires: mbedtls-devel +BuildRequires: openssl-devel Provides: powerdns = %{version}-%{release} %global backends %{backends} bind @@ -420,7 +420,6 @@ export CPPFLAGS="-DLDAP_DEPRECATED" --disable-dependency-tracking \ --disable-silent-rules \ --with-modules='' \ - --with-system-mbedtls \ --with-lua \ --with-dynmodules='%{backends} random' \ --enable-tools \ diff --git a/build-scripts/debian-authoritative/rules b/build-scripts/debian-authoritative/rules index 7c8eec6c8..ffe6a0459 100755 --- a/build-scripts/debian-authoritative/rules +++ b/build-scripts/debian-authoritative/rules @@ -26,7 +26,6 @@ override_dh_auto_configure: --libexecdir='$${prefix}/lib' \ --with-dynmodules="$(backends)" \ --with-modules="" \ - --with-system-mbedtls \ --with-pgsql-includes=`pg_config --includedir` \ --enable-botan1.10 \ --enable-tools \ diff --git a/build-scripts/debian-recursor/rules b/build-scripts/debian-recursor/rules index 012ed493c..750223056 100755 --- a/build-scripts/debian-recursor/rules +++ b/build-scripts/debian-recursor/rules @@ -25,7 +25,6 @@ override_dh_auto_configure: --infodir=\$${prefix}/share/info \ --libdir='$${prefix}/lib/$(DEB_HOST_MULTIARCH)' \ --libexecdir='$${prefix}/lib' \ - --without-system-mbedtls \ --enable-unit-tests override_dh_auto_install: diff --git a/configure.ac b/configure.ac index ea1cb1e1a..40084d853 100644 --- a/configure.ac +++ b/configure.ac @@ -141,7 +141,6 @@ AC_SUBST([LIBDL], [$lt_cv_dlopen_libs]) PDNS_CHECK_OS PDNS_ENABLE_VERBOSE_LOGGING -PDNS_WITH_SYSTEM_MBEDTLS PDNS_ENABLE_BOTAN PDNS_ENABLE_PKCS11 PDNS_ENABLE_GSS_TSIG diff --git a/ext/Makefile.am b/ext/Makefile.am index 4d7397399..49dc5a219 100644 --- a/ext/Makefile.am +++ b/ext/Makefile.am @@ -1,10 +1,8 @@ SUBDIRS = \ - $(MBEDTLS_SUBDIR) \ yahttp \ json11 DIST_SUBDIRS = \ - mbedtls \ yahttp \ json11 
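Review bot: The Debian rules only drop `--with-system-mbedtls`, while the RPM spec in the same commit swaps `BuildRequires: mbedtls-devel` for `openssl-devel`; no matching debian/control change is in the diff. If libssl-dev is not already a Build-Depends there (not visible from this patch), the authoritative package will now fail to build in a clean chroot once base64.cc and dns_random.cc include the OpenSSL headers unconditionally. The same question applies to the build-scripts/debian-recursor/rules hunk, which drops `--without-system-mbedtls` without adding anything in its place.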
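Review bot: Dropping `PDNS_WITH_SYSTEM_MBEDTLS` leaves OpenSSL as the only implementation of base64, dns_random and the DNSSEC/TSIG hashes, but nothing in this hunk makes OpenSSL mandatory at configure time, and pdns/Makefile.am in the same commit still wraps opensslsigners.cc in `if OPENSSL` for pdns_server, pdnsutil, toysdig and pdns_recursor, which suggests it is still treated as optional. If the OpenSSL check elsewhere in configure.ac (outside this diff) can succeed with the library absent, such a build now fails at compile or link time on BIO_*, AES_* and SHA1 symbols instead of with a configure-time diagnostic; the `#error "No ... implementation found"` fallbacks removed from base64.cc, dns_random.cc and dnssecinfra.cc were the last explicit signal for that case. Either have the OpenSSL macro fail with `AC_MSG_ERROR` when OpenSSL is missing, or keep a two-line guard in those three files: `#ifndef HAVE_OPENSSL` / `#error "OpenSSL is required"`. The `PDNS_ENABLE_*` macro definitions are outside this hunk, so I cannot confirm which applies.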
diff --git a/m4/pdns_with_system_mbedtls.m4 b/m4/pdns_with_system_mbedtls.m4 deleted file mode 100644 index 6cc058d3a..000000000 --- a/m4/pdns_with_system_mbedtls.m4 +++ /dev/null 
@@ -1,90 +0,0 @@ -AC_DEFUN([PDNS_WITH_SYSTEM_MBEDTLS],[ - AC_ARG_WITH([mbedtls], - [AS_HELP_STRING([--with-mbedtls], [use mbed TLS @<:@default=yes@:>@])] - ) - AC_ARG_WITH([system-mbedtls], - [AS_HELP_STRING([--with-system-mbedtls], [use system mbed TLS @<:@default=no@:>@])], - [], - [with_system_mbedtls=no], - ) - - AC_MSG_CHECKING([if we should build with mbedtls]) - AS_IF([test "x$with_mbedtls" != "xno"],[ - AC_MSG_RESULT([yes]) - have_mbedtls=yes - MBEDTLS_SUBDIR=mbedtls - MBEDTLS_CFLAGS=-I\$\(top_srcdir\)/ext/$MBEDTLS_SUBDIR/include/ - MBEDTLS_LIBS="-L\$(top_builddir)/ext/$MBEDTLS_SUBDIR/library/ -lmbedtls" - AS_IF([test "x$with_system_mbedtls" = "xyes"],[ - OLD_LIBS=$LIBS - LIBS="" - AC_SEARCH_LIBS([mbedtls_sha1], [mbedcrypto],[ - MBEDTLS_LIBS=$LIBS - have_system_mbedtls=yes - have_mbedtls_v2=yes - ],[ - have_mbedtls_v2=no - AC_SEARCH_LIBS([sha1_hmac], [mbedtls polarssl],[ - MBEDTLS_LIBS=$LIBS - AC_MSG_CHECKING([for mbed TLS/PolarSSL version >= 1.3.0]) - AC_COMPILE_IFELSE([ - AC_LANG_PROGRAM( - [[#include ]], - [[ - #if POLARSSL_VERSION_NUMBER < 0x01030000 - #error invalid version - #endif - ]] - )], - [have_system_mbedtls=yes], - [have_system_mbedtls=no] - ) - AC_MSG_RESULT([$have_system_mbedtls]) - ], - [have_system_mbedtls=no] - ) - ]) - LIBS=$OLD_LIBS - ],[ - have_system_mbedtls=no - have_mbedtls_v2=yes - ]) - - AS_IF([test "x$have_system_mbedtls" = "xyes"],[ - MBEDTLS_CFLAGS= - MBEDTLS_SUBDIR= - AC_DEFINE([MBEDTLS_SYSTEM], [1], [Defined if system mbed TLS is used]) - ],[ - AS_IF([test "x$with_system_mbedtls" = "xyes"],[ - AC_MSG_ERROR([use of system mbed TLS requested but not found]) - ]) - ]) - ],[ - AC_MSG_RESULT([no]) - have_system_mbedtls=no - have_mbedtls_v2=no - have_mbedtls=no - MBEDTLS_SUBDIR= - MBEDTLS_CFLAGS= - MBEDTLS_LIBS= - AS_IF([test "x$with_system_mbedtls" = "xyes"],[ - AC_MSG_ERROR([use of system mbed TLS requested but mbed TLS disabled]) - ]) - ]) - - AS_IF([test "x$have_mbedtls_v2" = "xyes"],[ - AC_DEFINE([HAVE_MBEDTLS2], [1], [Defined 
if mbed TLS version 2.x.x is used]) - ]) - - AS_IF([test "x$have_mbedtls" = "xyes"],[ - AC_DEFINE([HAVE_MBEDTLS], [1], [Defined if mbed TLS is used]) - AM_CONDITIONAL([MBEDTLS], [true]) - ],[ - AM_CONDITIONAL([MBEDTLS], [false]) - ]) - - AC_SUBST(MBEDTLS_CFLAGS) - AC_SUBST(MBEDTLS_LIBS) - AC_SUBST(MBEDTLS_SUBDIR) -] -) diff --git a/modules/bindbackend/Makefile.am b/modules/bindbackend/Makefile.am index a2c85892e..aaf88be68 100644 --- a/modules/bindbackend/Makefile.am +++ b/modules/bindbackend/Makefile.am @@ -1,5 +1,5 @@ pkglib_LTLIBRARIES = libbindbackend.la -AM_CPPFLAGS += -I../../pdns $(MBEDTLS_CFLAGS) +AM_CPPFLAGS += -I../../pdns AM_LFLAGS = -i AM_YFLAGS = -d --verbose --debug diff --git a/modules/goraclebackend/Makefile.am b/modules/goraclebackend/Makefile.am index dd2882428..f4fdf9247 100644 --- a/modules/goraclebackend/Makefile.am +++ b/modules/goraclebackend/Makefile.am @@ -1,4 +1,4 @@ -AM_CPPFLAGS += $(ORACLE_CFLAGS) $(MBEDTLS_CFLAGS) +AM_CPPFLAGS += $(ORACLE_CFLAGS) pkglib_LTLIBRARIES = libgoraclebackend.la diff --git a/modules/remotebackend/Makefile.am b/modules/remotebackend/Makefile.am index 1ee7e4b2d..de2395ede 100644 --- a/modules/remotebackend/Makefile.am +++ b/modules/remotebackend/Makefile.am @@ -1,7 +1,6 @@ AM_CPPFLAGS += \ -I$(top_srcdir)/ext/json11 \ $(YAHTTP_CFLAGS) \ - $(MBEDTLS_CFLAGS) \ $(OPENSSL_CFLAGS) \ $(LIBZMQ_CFLAGS) @@ -132,7 +131,6 @@ libtestremotebackend_la_CPPFLAGS = $(AM_CPPFLAGS) libtestremotebackend_la_LIBADD = \ $(YAHTTP_LIBS) \ - $(MBEDTLS_LIBS) \ $(OPENSSL_LIBS) \ $(BOOST_UNIT_TEST_FRAMEWORK_LIBS) \ $(BOOST_SERIALIZATION_LIBS) \ diff --git a/pdns/Makefile.am b/pdns/Makefile.am index f41948fe7..2f85205b8 100644 --- a/pdns/Makefile.am +++ b/pdns/Makefile.am @@ -3,7 +3,6 @@ JSON11_LIBS = -L$(top_builddir)/ext/json11 -ljson11 AM_CPPFLAGS += \ -I$(top_srcdir)/ext/json11 \ $(YAHTTP_CFLAGS) \ - $(MBEDTLS_CFLAGS) \ $(LIBEDIT_CFLAGS) AM_CXXFLAGS = \ 
@@ -217,11 +216,6 @@ pdns_server_SOURCES += sodiumsigners.cc pdns_server_LDADD += $(LIBSODIUM_LIBS) endif -if MBEDTLS -pdns_server_SOURCES += mbedtlssigners.cc mbedtlscompat.hh -pdns_server_LDADD += $(MBEDTLS_LIBS) -endif - if OPENSSL pdns_server_SOURCES += opensslsigners.cc opensslsigners.hh pdns_server_LDFLAGS += $(OPENSSL_LDFLAGS) @@ -316,11 +310,6 @@ pdnsutil_SOURCES += sodiumsigners.cc pdnsutil_LDADD += $(LIBSODIUM_LIBS) endif -if MBEDTLS -pdnsutil_SOURCES += mbedtlssigners.cc mbedtlscompat.hh -pdnsutil_LDADD += $(MBEDTLS_LIBS) -endif - if OPENSSL pdnsutil_SOURCES += opensslsigners.cc opensslsigners.hh pdnsutil_LDFLAGS += $(OPENSSL_LDFLAGS) @@ -372,7 +361,7 @@ zone2sql_SOURCES = \ zone2sql.cc \ zoneparser-tng.cc -zone2sql_LDADD = $(MBEDTLS_LIBS) $(OPENSSL_LIBS) $(JSON11_LIBS) +zone2sql_LDADD = $(OPENSSL_LIBS) $(JSON11_LIBS) zone2sql_LDFLAGS = $(AM_LDFLAGS) $(OPENSSL_LDFLAGS) zone2json_SOURCES = \ @@ -399,7 +388,7 @@ zone2json_SOURCES = \ zone2json.cc \ zoneparser-tng.cc -zone2json_LDADD = $(MBEDTLS_LIBS) $(OPENSSL_LIBS) $(JSON11_LIBS) +zone2json_LDADD = $(OPENSSL_LIBS) $(JSON11_LIBS) zone2json_LDFLAGS = $(AM_LDFLAGS) $(OPENSSL_LDFLAGS) # pkglib_LTLIBRARIES = iputils.la @@ -435,7 +424,7 @@ zone2ldap_SOURCES = \ zone2ldap.cc \ zoneparser-tng.cc -zone2ldap_LDADD = $(MBEDTLS_LIBS) $(OPENSSL_LIBS) +zone2ldap_LDADD = $(OPENSSL_LIBS) zone2ldap_LDFLAGS = $(AM_LDFLAGS) $(OPENSSL_LDFLAGS) sdig_SOURCES = \ @@ -449,7 +438,6 @@ sdig_SOURCES = \ dnswriter.cc dnswriter.hh \ ednssubnet.cc \ logger.cc \ - mbedtlscompat.hh \ misc.cc misc.hh \ nsecrecords.cc \ qtype.cc \ @@ -460,7 +448,7 @@ sdig_SOURCES = \ statbag.cc \ unix_utility.cc -sdig_LDADD = $(MBEDTLS_LIBS) $(OPENSSL_LIBS) +sdig_LDADD = $(OPENSSL_LIBS) sdig_LDFLAGS = $(AM_LDFLAGS) $(OPENSSL_LDFLAGS) calidns_SOURCES = \ @@ -474,7 +462,6 @@ calidns_SOURCES = \ dnswriter.cc dnswriter.hh \ iputils.cc \ logger.cc \ - mbedtlscompat.hh \ misc.cc misc.hh \ nsecrecords.cc \ qtype.cc \ 
@@ -484,7 +471,7 @@ calidns_SOURCES = \ statbag.cc \ unix_utility.cc -calidns_LDADD = $(MBEDTLS_LIBS) $(OPENSSL_LIBS) +calidns_LDADD = $(OPENSSL_LIBS) calidns_LDFLAGS = $(AM_LDFLAGS) $(THREADFLAGS) $(OPENSSL_LDFLAGS) dumresp_SOURCES = \ @@ -518,7 +505,6 @@ saxfr_SOURCES = \ dnswriter.cc dnswriter.hh \ gss_context.cc gss_context.hh \ logger.cc \ - mbedtlscompat.hh \ misc.cc misc.hh \ nsecrecords.cc \ qtype.cc \ @@ -529,7 +515,7 @@ saxfr_SOURCES = \ statbag.cc \ unix_utility.cc -saxfr_LDADD = $(MBEDTLS_LIBS) $(OPENSSL_LIBS) +saxfr_LDADD = $(OPENSSL_LIBS) saxfr_LDFLAGS = $(AM_LDFLAGS) $(OPENSSL_LDFLAGS) if PKCS11 @@ -556,7 +542,6 @@ ixplore_SOURCES = \ dnswriter.cc dnswriter.hh \ gss_context.cc gss_context.hh \ logger.cc \ - mbedtlscompat.hh \ misc.cc misc.hh \ nsecrecords.cc \ qtype.cc \ @@ -569,7 +554,7 @@ ixplore_SOURCES = \ statbag.cc \ unix_utility.cc zoneparser-tng.cc -ixplore_LDADD = $(MBEDTLS_LIBS) $(OPENSSL_LIBS) +ixplore_LDADD = $(OPENSSL_LIBS) ixplore_LDFLAGS = $(AM_LDFLAGS) $(OPENSSL_LDFLAGS) if PKCS11 @@ -592,7 +577,6 @@ dnstcpbench_SOURCES = \ dnstcpbench.cc \ dnswriter.cc dnswriter.hh \ logger.cc \ - mbedtlscompat.hh \ misc.cc misc.hh \ nsecrecords.cc \ qtype.cc \ @@ -608,7 +592,6 @@ dnstcpbench_LDFLAGS = \ $(BOOST_PROGRAM_OPTIONS_LDFLAGS) dnstcpbench_LDADD = \ - $(MBEDTLS_LIBS) \ $(OPENSSL_LIBS) \ $(BOOST_PROGRAM_OPTIONS_LIBS) @@ -623,7 +606,6 @@ nsec3dig_SOURCES = \ dnswriter.cc dnswriter.hh \ gss_context.cc gss_context.hh \ logger.cc \ - mbedtlscompat.hh \ misc.cc misc.hh \ nsec3dig.cc \ nsecrecords.cc \ @@ -634,7 +616,7 @@ nsec3dig_SOURCES = \ statbag.cc \ unix_utility.cc -nsec3dig_LDADD = $(MBEDTLS_LIBS) $(OPENSSL_LIBS) +nsec3dig_LDADD = $(OPENSSL_LIBS) nsec3dig_LDFLAGS = $(AM_LDFLAGS) $(OPENSSL_LDFLAGS) if PKCS11 @@ -659,7 +641,6 @@ toysdig_SOURCES = \ ednssubnet.cc ednssubnet.hh \ gss_context.cc gss_context.hh \ logger.cc \ - mbedtlscompat.hh \ misc.cc misc.hh \ nsecrecords.cc \ qtype.cc \ 
@@ -690,11 +671,6 @@ toysdig_SOURCES += pkcs11signers.cc pkcs11signers.hh toysdig_LDADD += $(P11KIT1_LIBS) endif -if MBEDTLS -toysdig_SOURCES += mbedtlssigners.cc mbedtlscompat.hh -toysdig_LDADD += $(MBEDTLS_LIBS) -endif - if OPENSSL toysdig_SOURCES += opensslsigners.cc opensslsigners.hh toysdig_LDADD += $(OPENSSL_LIBS) @@ -716,7 +692,6 @@ tsig_tests_SOURCES = \ dnswriter.cc dnswriter.hh \ gss_context.cc gss_context.hh \ logger.cc \ - mbedtlscompat.hh \ misc.cc misc.hh \ nsecrecords.cc \ qtype.cc \ @@ -729,7 +704,7 @@ tsig_tests_SOURCES = \ tsig-tests.cc \ unix_utility.cc -tsig_tests_LDADD = $(MBEDTLS_LIBS) $(OPENSSL_LIBS) +tsig_tests_LDADD = $(OPENSSL_LIBS) tsig_tests_LDFLAGS = $(AM_LDFLAGS) $(OPENSSL_LDFLAGS) if PKCS11 @@ -750,7 +725,6 @@ speedtest_SOURCES = \ dnsrecords.cc \ dnswriter.cc dnswriter.hh \ logger.cc \ - mbedtlscompat.hh \ misc.cc misc.hh \ nsecrecords.cc \ qtype.cc \ @@ -761,7 +735,7 @@ speedtest_SOURCES = \ unix_utility.cc speedtest_LDFLAGS = $(AM_LDFLAGS) $(OPENSSL_LDFLAGS) -speedtest_LDADD = $(MBEDTLS_LIBS) $(OPENSSL_LIBS) \ +speedtest_LDADD = $(OPENSSL_LIBS) \ $(RT_LIBS) dnswasher_SOURCES = \ @@ -802,7 +776,6 @@ dnsbulktest_LDFLAGS = \ $(BOOST_PROGRAM_OPTIONS_LDFLAGS) dnsbulktest_LDADD = \ - $(MBEDTLS_LIBS) \ $(OPENSSL_LIBS) \ $(BOOST_PROGRAM_OPTIONS_LIBS) @@ -818,7 +791,6 @@ dnsscan_SOURCES = \ dnsscan.cc \ dnswriter.cc dnswriter.hh \ logger.cc \ - mbedtlscompat.hh \ misc.cc \ nsecrecords.cc \ qtype.cc \ @@ -832,7 +804,7 @@ dnsscan_LDFLAGS = \ $(AM_LDFLAGS) \ $(OPENSSL_LDFLAGS) -dnsscan_LDADD = $(MBEDTLS_LIBS) $(OPENSSL_LIBS) +dnsscan_LDADD = $(OPENSSL_LIBS) dnsreplay_SOURCES = \ anadns.hh \ @@ -846,7 +818,6 @@ dnsreplay_SOURCES = \ dnsreplay.cc \ dnswriter.cc dnswriter.hh \ logger.cc \ - mbedtlscompat.hh \ misc.cc \ nsecrecords.cc \ qtype.cc \ @@ -862,7 +833,6 @@ dnsreplay_LDFLAGS = \ $(BOOST_PROGRAM_OPTIONS_LDFLAGS) dnsreplay_LDADD = \ - $(MBEDTLS_LIBS) \ $(OPENSSL_LIBS) \ $(BOOST_PROGRAM_OPTIONS_LIBS) 
@@ -875,7 +845,6 @@ nproxy_SOURCES = \ dnsrecords.cc \ dnswriter.cc dnswriter.hh \ logger.cc \ - mbedtlscompat.hh \ misc.cc \ mplexer.hh \ nproxy.cc \ @@ -893,7 +862,6 @@ nproxy_LDFLAGS = \ $(BOOST_PROGRAM_OPTIONS_LDFLAGS) nproxy_LDADD = \ - $(MBEDTLS_LIBS) \ $(OPENSSL_LIBS) \ $(BOOST_PROGRAM_OPTIONS_LIBS) @@ -908,7 +876,6 @@ notify_SOURCES = \ dnsrecords.cc \ dnswriter.cc dnswriter.hh \ logger.cc \ - mbedtlscompat.hh \ misc.cc \ notify.cc \ nsecrecords.cc \ @@ -925,7 +892,6 @@ notify_LDFLAGS = \ $(BOOST_PROGRAM_OPTIONS_LDFLAGS) notify_LDADD = \ - $(MBEDTLS_LIBS) \ $(OPENSSL_LIBS) \ $(BOOST_PROGRAM_OPTIONS_LIBS) @@ -942,7 +908,6 @@ dnsscope_SOURCES = \ dnsscope.cc \ dnswriter.cc dnswriter.hh \ logger.cc \ - mbedtlscompat.hh \ misc.cc \ nsecrecords.cc \ qtype.cc \ @@ -958,7 +923,6 @@ dnsscope_LDFLAGS = \ $(BOOST_PROGRAM_OPTIONS_LDFLAGS) dnsscope_LDADD = \ - $(MBEDTLS_LIBS) \ $(OPENSSL_LIBS) \ $(BOOST_PROGRAM_OPTIONS_LIBS) @@ -973,7 +937,6 @@ dnsgram_SOURCES = \ dnsrecords.cc \ dnswriter.cc dnswriter.hh \ logger.cc \ - mbedtlscompat.hh \ misc.cc \ nsecrecords.cc \ qtype.cc \ @@ -988,7 +951,6 @@ dnsgram_LDFLAGS = \ $(OPENSSL_LDFLAGS) dnsgram_LDADD = \ - $(MBEDTLS_LIBS) \ $(OPENSSL_LIBS) dnsdemog_SOURCES = \ @@ -1002,7 +964,6 @@ dnsdemog_SOURCES = \ dnsrecords.cc \ dnswriter.cc dnswriter.hh \ logger.cc \ - mbedtlscompat.hh \ misc.cc \ nsecrecords.cc \ qtype.cc \ @@ -1017,7 +978,6 @@ dnsdemog_LDFLAGS = \ $(OPENSSL_LDFLAGS) dnsdemog_LDADD = \ - $(MBEDTLS_LIBS) \ $(OPENSSL_LIBS) rec_control_SOURCES = \ @@ -1097,7 +1057,6 @@ testrunner_LDFLAGS = \ $(BOOST_UNIT_TEST_FRAMEWORK_LDFLAGS) testrunner_LDADD = \ - $(MBEDTLS_LIBS) \ $(OPENSSL_LIBS) \ $(BOOST_UNIT_TEST_FRAMEWORK_LIBS) \ $(RT_LIBS) \ @@ -1130,7 +1089,6 @@ pdns_recursor_SOURCES = \ logger.cc \ lua-recursor4.cc lua-recursor4.hh \ lwres.cc lwres.hh \ - mbedtlscompat.hh \ misc.cc \ mtasker.hh \ nsecrecords.cc \ 
@@ -1181,11 +1139,6 @@ pdns_recursor_SOURCES += botan110signers.cc botansigners.cc pdns_recursor_LDADD += $(BOTAN110_LIBS) endif -if MBEDTLS -pdns_recursor_SOURCES += mbedtlssigners.cc mbedtlscompat.hh -pdns_recursor_LDADD += $(MBEDTLS_LIBS) -endif - if OPENSSL pdns_recursor_SOURCES += opensslsigners.cc opensslsigners.hh pdns_recursor_LDADD += $(OPENSSL_LIBS) @@ -1257,7 +1210,6 @@ nodist_dnsdist_SOURCES = \ dolog.hh \ iputils.cc \ htmlfiles.h \ - mbedtlscompat.hh \ misc.cc misc.hh \ qtype.cc \ sholder.hh \ diff --git a/pdns/base64.cc b/pdns/base64.cc index 996c16e28..17c8c8d74 100644 --- a/pdns/base64.cc +++ b/pdns/base64.cc @@ -3,15 +3,8 @@ #endif #include "base64.hh" #include -#ifdef HAVE_MBEDTLS2 -#include -#elif defined(HAVE_MBEDTLS) -#include -#include "mbedtlscompat.hh" -#elif defined(HAVE_OPENSSL) #include #include -#endif int B64Decode(const std::string& src, std::string& dst) { @@ -22,9 +15,6 @@ int B64Decode(const std::string& src, std::string& dst) size_t dlen = ( src.length() * 6 + 7 ) / 8 ; size_t olen = 0; boost::scoped_array d( new unsigned char[dlen] ); -#ifdef HAVE_MBEDTLS - if ( mbedtls_base64_decode( d.get(), dlen, &olen, (const unsigned char*) src.c_str(), src.length() ) == 0 ) { -#elif defined(HAVE_OPENSSL) BIO *bio, *b64; bio = BIO_new(BIO_s_mem()); BIO_write(bio, src.c_str(), src.length()); @@ -34,9 +24,6 @@ int B64Decode(const std::string& src, std::string& dst) olen = BIO_read(b64, d.get(), dlen); BIO_free_all(bio); if (olen > 0) { -#else -#error "No base64 implementation found" -#endif dst = std::string( (const char*) d.get(), olen ); return 0; } 
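Review bot: With the mbedtls branch gone, `olen = BIO_read(b64, d.get(), dlen);` followed by `if (olen > 0)` is the only decode path, and `olen` is a `size_t` (declared at the top of B64Decode in the previous hunk) while BIO_read returns `int`; should BIO_read ever return a negative value, the conversion yields a huge positive count and the `std::string` constructor on the next line reads far past the buffer. Keep the result in an `int` first: `int got = BIO_read(b64, d.get(), dlen); BIO_free_all(bio); if (got > 0) { olen = got;`. Separately, the removed mbedtls_base64_decode returned 0 only for fully valid input, whereas the OpenSSL base64 BIO tends to stop silently at the first invalid character, so malformed input that decodes to a non-empty prefix now reports success with truncated data; if any caller relied on the stricter check (I cannot tell from here), a comparison of `olen` against the length expected from `src.length()` would restore it. B64Decode's BIO_push/flag setup lies between the two base64.cc hunks and is not visible.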
@@ -47,12 +34,6 @@ std::string Base64Encode (const std::string& src) { if (!src.empty()) { size_t olen = 0; -#ifdef HAVE_MBEDTLS - size_t dlen = ( ( ( src.length() + 2 ) / 3 ) * 4 ) + 1; - boost::scoped_array dst( new unsigned char[dlen] ); - if( mbedtls_base64_encode( dst.get(), dlen, &olen, (const unsigned char*) src.c_str(), src.length() ) == 0 ) - return std::string( (const char*) dst.get(), olen ); -#elif defined(HAVE_OPENSSL) BIO *bio, *b64; b64 = BIO_new(BIO_f_base64()); bio = BIO_new(BIO_s_mem()); @@ -68,9 +49,6 @@ std::string Base64Encode (const std::string& src) } BIO_free_all(bio); return out; -#else -#error "No base64 implementation found" -#endif } return ""; } diff --git a/pdns/dns_random.cc b/pdns/dns_random.cc index b96665492..7812ef252 100644 --- a/pdns/dns_random.cc +++ b/pdns/dns_random.cc @@ -1,14 +1,7 @@ #ifdef HAVE_CONFIG_H #include "config.h" #endif -#if HAVE_MBEDTLS2 -#include -#elif HAVE_MBEDTLS -#include -#include "mbedtlscompat.hh" -#elif HAVE_OPENSSL #include -#endif #include #include #include @@ -22,13 +15,8 @@ using namespace std; -#ifdef HAVE_MBEDTLS -static mbedtls_aes_context g_ctx; -static size_t g_offset; -#elif defined(HAVE_OPENSSL) static AES_KEY aes_key; static unsigned int g_offset; -#endif static unsigned char g_counter[16], g_stream[16]; static uint32_t g_in; @@ -38,13 +26,9 @@ void dns_random_init(const char data[16]) { g_offset = 0; memset(&g_stream, 0, sizeof(g_stream)); -#if HAVE_MBEDTLS - mbedtls_aes_setkey_enc(&g_ctx, (const unsigned char*)data, 128); -#elif HAVE_OPENSSL if (AES_set_encrypt_key((const unsigned char*)data, 128, &aes_key) < 0) { throw std::runtime_error("AES_set_encrypt_key failed"); } -#endif struct timeval now; gettimeofday(&now, 0); 
@@ -62,13 +46,7 @@ unsigned int dns_random(unsigned int n) if(!g_initialized) abort(); uint32_t out; -#ifdef HAVE_MBEDTLS - mbedtls_aes_crypt_ctr(&g_ctx, sizeof(g_in), &g_offset, g_counter, (unsigned char*) &g_stream, (unsigned char*) &g_in, (unsigned char*) &out); -#elif defined(HAVE_OPENSSL) AES_ctr128_encrypt((const unsigned char*)&g_in, (unsigned char*) &out, sizeof(g_in), &aes_key, g_counter, g_stream, &g_offset); -#else -#error "No dns_random implementation found" -#endif return out % n; } diff --git a/pdns/dnssecinfra.cc b/pdns/dnssecinfra.cc index 2f5fff187..3d477eead 100644 --- a/pdns/dnssecinfra.cc +++ b/pdns/dnssecinfra.cc @@ -12,19 +12,8 @@ #include #include "dnssecinfra.hh" #include "dnsseckeeper.hh" -#ifdef HAVE_MBEDTLS2 -#include -#include -#include -#elif defined(HAVE_MBEDTLS) -#include -#include -#include -#include "mbedtlscompat.hh" -#elif defined(HAVE_OPENSSL) #include #include -#endif #include // for 'operator+=()' #include #include "base64.hh" @@ -406,11 +395,7 @@ string hashQNameWithSalt(const NSEC3PARAMRecordContent& ns3prc, const DNSName& q for(;;) { toHash.append(ns3prc.d_salt); -#ifdef HAVE_MBEDTLS - mbedtls_sha1((unsigned char*)toHash.c_str(), toHash.length(), hash); -#elif defined(HAVE_OPENSSL) SHA1((unsigned char*)toHash.c_str(), toHash.length(), hash); -#endif toHash.assign((char*)hash, sizeof(hash)); if(!times--) break; 
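Review bot: `AES_ctr128_encrypt` is now the sole implementation of dns_random, yet it is a legacy entry point that OpenSSL 1.1.0 removed from the public API in favour of `CRYPTO_ctr128_encrypt` in `<openssl/modes.h>`; while mbedtls existed there was an alternative build, now there is none. The call is a drop-in replacement with the block function appended: `CRYPTO_ctr128_encrypt((const unsigned char*)&g_in, (unsigned char*)&out, sizeof(g_in), &aes_key, g_counter, g_stream, &g_offset, (block128_f)AES_encrypt);` plus `#include <openssl/modes.h>` in the include hunk above. Because this routine feeds DNS query IDs and similar values, it is worth a comment on the remaining `static AES_KEY aes_key; static unsigned int g_offset;` lines noting that the state is process-global and not protected by any lock here, so callers must establish whether dns_random is ever entered from more than one thread. The `g_in` increment and the rest of dns_random are outside this hunk.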
@@ -502,40 +487,6 @@ void decodeDERIntegerSequence(const std::string& input, vector& output) string calculateHMAC(const std::string& key, const std::string& text, TSIGHashEnum hasher) { -#ifdef HAVE_MBEDTLS - mbedtls_md_type_t md_type; - const mbedtls_md_info_t *md_info; - - unsigned char hash[MBEDTLS_MD_MAX_SIZE]; - - switch(hasher) { - case TSIG_MD5: - md_type = MBEDTLS_MD_MD5; - break; - case TSIG_SHA1: - md_type = MBEDTLS_MD_SHA1; - break; - case TSIG_SHA224: - md_type = MBEDTLS_MD_SHA224; - break; - case TSIG_SHA256: - md_type = MBEDTLS_MD_SHA256; - break; - case TSIG_SHA384: - md_type = MBEDTLS_MD_SHA384; - break; - case TSIG_SHA512: - md_type = MBEDTLS_MD_SHA512; - break; - default: - throw new PDNSException("Unknown hash algorithm requested from calculateHMAC()"); - } - - md_info = mbedtls_md_info_from_type( md_type ); - if( mbedtls_md_hmac( md_info, reinterpret_cast(key.c_str()), key.size(), reinterpret_cast(text.c_str()), text.size(), hash ) == 0 ) - return string( (char*) hash, mbedtls_md_get_size( md_info ) ); - -#elif defined(HAVE_OPENSSL) const EVP_MD* md_type; unsigned int outlen; unsigned char hash[EVP_MAX_MD_SIZE]; @@ -566,9 +517,6 @@ string calculateHMAC(const std::string& key, const std::string& text, TSIGHashEn if (out != NULL && outlen > 0) { return string((char*) hash, outlen); } -#else -#error "No HMAC implementation found" -#endif return ""; } diff --git a/pdns/mbedtlscompat.hh b/pdns/mbedtlscompat.hh deleted file mode 100644 index cd66b8d5b..000000000 --- a/pdns/mbedtlscompat.hh +++ /dev/null 
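Review bot: After the second dnssecinfra.cc hunk (`@@ -566,9 +517,6 @@`), calculateHMAC's only failure path is the trailing `return "";` that follows `if (out != NULL && outlen > 0)`; with the `#error` fallback gone this is now the sole implementation, and a TSIG caller that does not special-case an empty result would proceed to compare or emit an empty MAC. Failing loudly is safer: `throw PDNSException("HMAC computation failed in calculateHMAC()");` in place of `return "";`, and the function's header comment should state that it throws rather than returning an empty string. The `HMAC(...)` call that sets `out` and the switch over `hasher` sit between the two hunks and are not visible here.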
@@ -1,132 +0,0 @@ -#define MBEDTLS_VERSION_STRING POLARSSL_VERSION_STRING - -#define MBEDTLS_MD_MAX_SIZE POLARSSL_MD_MAX_SIZE -#define MBEDTLS_MD_MD5 POLARSSL_MD_MD5 -#define MBEDTLS_MD_SHA1 POLARSSL_MD_SHA1 -#define MBEDTLS_MD_SHA224 POLARSSL_MD_SHA224 -#define MBEDTLS_MD_SHA256 POLARSSL_MD_SHA256 -#define MBEDTLS_MD_SHA384 POLARSSL_MD_SHA384 -#define MBEDTLS_MD_SHA512 POLARSSL_MD_SHA512 - -#define MBEDTLS_RSA_PKCS_V15 RSA_PKCS_V15 -#define MBEDTLS_RSA_PRIVATE RSA_PRIVATE -#define MBEDTLS_RSA_PUBLIC RSA_PUBLIC - -#define MBEDTLS_ECP_DP_SECP256R1 POLARSSL_ECP_DP_SECP256R1 -#define MBEDTLS_ECP_DP_SECP384R1 POLARSSL_ECP_DP_SECP384R1 -#define MBEDTLS_ECP_MAX_PT_LEN POLARSSL_ECP_MAX_PT_LEN -#define MBEDTLS_ECP_PF_UNCOMPRESSED POLARSSL_ECP_PF_UNCOMPRESSED - -// Types -#define mbedtls_aes_context aes_context - -#define mbedtls_sha1_context sha1_context -#define mbedtls_sha256_context sha256_context -#define mbedtls_sha512_context sha512_context - -#ifdef POLARSSL_MD_H -typedef md_info_t mbedtls_md_info_t; -typedef md_type_t mbedtls_md_type_t; -#endif - -#define mbedtls_entropy_context entropy_context - -#define mbedtls_ctr_drbg_context ctr_drbg_context - -#define mbedtls_rsa_context rsa_context - -#define mbedtls_mpi mpi - -#define mbedtls_ecdsa_context ecdsa_context - -#define mbedtls_ecp_group ecp_group -#define mbedtls_ecp_group_id ecp_group_id - -// Functions macro -#define mbedtls_aes_crypt_ctr aes_crypt_ctr -#define mbedtls_aes_setkey_enc aes_setkey_enc - -#define mbedtls_sha1 sha1 -#define mbedtls_sha1_starts sha1_starts -#define mbedtls_sha1_update sha1_update -#define mbedtls_sha1_finish sha1_finish - -#define mbedtls_sha256 sha256 -#define mbedtls_sha256_starts sha256_starts -#define mbedtls_sha256_update sha256_update -#define mbedtls_sha256_finish sha256_finish - -#define mbedtls_sha512 sha512 -#define mbedtls_sha512_starts sha512_starts -#define mbedtls_sha512_update sha512_update -#define mbedtls_sha512_finish sha512_finish - -#define mbedtls_md_hmac 
md_hmac -#define mbedtls_md_get_size md_get_size -#define mbedtls_md_info_from_type md_info_from_type - -#define mbedtls_md5 md5 - -#define mbedtls_mpi_init mpi_init -#define mbedtls_mpi_size mpi_size -#define mbedtls_mpi_free mpi_free - -#define mbedtls_entropy_init entropy_init -#define mbedtls_entropy_func entropy_func -#define mbedtls_entropy_free entropy_free - -#define mbedtls_ctr_drbg_init -#define mbedtls_ctr_drbg_seed ctr_drbg_init -#define mbedtls_ctr_drbg_random ctr_drbg_random -#if POLARSSL_VERSION_NUMBER >= 0x01030800 -#define mbedtls_ctr_drbg_free ctr_drbg_free -#else -#define mbedtls_ctr_drbg_free -#endif - -#define mbedtls_rsa_init rsa_init -#define mbedtls_rsa_gen_key rsa_gen_key -#define mbedtls_rsa_pkcs1_sign rsa_pkcs1_sign -#define mbedtls_rsa_pkcs1_verify rsa_pkcs1_verify - -#define mbedtls_mpi_copy mpi_copy -#define mbedtls_mpi_cmp_mpi mpi_cmp_mpi -#define mbedtls_mpi_bitlen mpi_msb -#define mbedtls_mpi_write_binary mpi_write_binary -#define mbedtls_mpi_read_binary mpi_read_binary - -#define mbedtls_ecdsa_free ecdsa_free -#define mbedtls_ecdsa_genkey ecdsa_genkey -#define mbedtls_ecdsa_init ecdsa_init -#define mbedtls_ecdsa_sign_det ecdsa_sign_det -#define mbedtls_ecdsa_verify ecdsa_verify - -#define mbedtls_ecp_copy ecp_copy -#define mbedtls_ecp_group_init ecp_group_init -#define mbedtls_ecp_group_copy ecp_group_copy -#define mbedtls_ecp_group_load ecp_use_known_dp -#define mbedtls_ecp_group_free ecp_group_free -#define mbedtls_ecp_mul ecp_mul -#define mbedtls_ecp_point_init ecp_point_init -#define mbedtls_ecp_point_read_binary ecp_point_read_binary -#define mbedtls_ecp_point_write_binary ecp_point_write_binary - -// Functions -#ifdef POLARSSL_BASE64_H -#ifndef COMPAT_BASE64 -#define COMPAT_BASE64 - -inline int mbedtls_base64_decode( unsigned char *dst, size_t dlen, size_t *olen, const unsigned char *src, size_t slen ) { - int ret = base64_decode( dst, &dlen, src, slen ); - *olen = dlen; - return ret; -} - -inline int mbedtls_base64_encode( 
unsigned char *dst, size_t dlen, size_t *olen, const unsigned char *src, size_t slen ) { - int ret = base64_encode( dst, &dlen, src, slen ); - *olen = dlen; - return ret; -} - -#endif -#endif diff --git a/pdns/mbedtlssigners.cc b/pdns/mbedtlssigners.cc deleted file mode 100644 index 328293517..000000000 --- a/pdns/mbedtlssigners.cc +++ /dev/null 
@@ -1,739 +0,0 @@ -#ifdef HAVE_CONFIG_H -#include "config.h" -#endif -#ifdef HAVE_MBEDTLS2 -#include -#include -#include -#include -#include -#include -#include -#else -#include -#include -#include -#include -#include -#include -#include -#include "mbedtlscompat.hh" -#endif -#include // for 'operator+=()' - -#include "dnssecinfra.hh" -using namespace boost::assign; - -#define PDNSSEC_MI(x) mbedtls_mpi_init(&d_context.x) -#define PDNSSEC_MC(x) PDNSSEC_MI(x); mbedtls_mpi_copy(&d_context.x, const_cast(&orig.d_context.x)) -#define PDNSSEC_MF(x) mbedtls_mpi_free(&d_context.x) - -class RSADNSCryptoKeyEngine : public DNSCryptoKeyEngine -{ -public: - string getName() const { return "mbedTLS RSA"; } - - explicit RSADNSCryptoKeyEngine(unsigned int algorithm) : DNSCryptoKeyEngine(algorithm) - { - memset(&d_context, 0, sizeof(d_context)); - PDNSSEC_MI(N); - PDNSSEC_MI(E); PDNSSEC_MI(D); PDNSSEC_MI(P); PDNSSEC_MI(Q); PDNSSEC_MI(DP); PDNSSEC_MI(DQ); PDNSSEC_MI(QP); PDNSSEC_MI(RN); PDNSSEC_MI(RP); PDNSSEC_MI(RQ); - } - - ~RSADNSCryptoKeyEngine() - { - PDNSSEC_MF(N); - PDNSSEC_MF(E); PDNSSEC_MF(D); PDNSSEC_MF(P); PDNSSEC_MF(Q); PDNSSEC_MF(DP); PDNSSEC_MF(DQ); PDNSSEC_MF(QP); PDNSSEC_MF(RN); PDNSSEC_MF(RP); PDNSSEC_MF(RQ); - } - - bool operator<(const RSADNSCryptoKeyEngine& rhs) const - { - return tie(d_context.N, d_context.E, d_context.D, d_context.P, d_context.Q, d_context.DP, d_context.DQ, d_context.QP) - < tie(rhs.d_context.N, rhs.d_context.E, rhs.d_context.D, rhs.d_context.P, rhs.d_context.Q, rhs.d_context.DP, rhs.d_context.DQ, rhs.d_context.QP); - } - - RSADNSCryptoKeyEngine(const RSADNSCryptoKeyEngine& orig) : DNSCryptoKeyEngine(orig.d_algorithm) - { - // this part is a little bit scary.. 
we make a 'deep copy' of an RSA state, and mbedtls isn't helping us so we delve into thr struct - d_context.ver = orig.d_context.ver; - d_context.len = orig.d_context.len; - - d_context.padding = orig.d_context.padding; - d_context.hash_id = orig.d_context.hash_id; - - PDNSSEC_MC(N); - PDNSSEC_MC(E); PDNSSEC_MC(D); PDNSSEC_MC(P); PDNSSEC_MC(Q); PDNSSEC_MC(DP); PDNSSEC_MC(DQ); PDNSSEC_MC(QP); PDNSSEC_MC(RN); PDNSSEC_MC(RP); PDNSSEC_MC(RQ); - } - - RSADNSCryptoKeyEngine& operator=(const RSADNSCryptoKeyEngine& orig) - { - *this = RSADNSCryptoKeyEngine(orig); - return *this; - } - - const mbedtls_rsa_context& getConstContext() const - { - return d_context; - } - - mbedtls_rsa_context& getContext() - { - return d_context; - } - - void create(unsigned int bits); - storvector_t convertToISCVector() const; - std::string getPubKeyHash() const; - std::string sign(const std::string& hash) const; - std::string hash(const std::string& hash) const; - bool verify(const std::string& hash, const std::string& signature) const; - std::string getPublicKeyString() const; - int getBits() const - { - return mbedtls_mpi_size(&d_context.N)*8; - } - void fromISCMap(DNSKEYRecordContent& drc, std::map& stormap); - void fromPEMString(DNSKEYRecordContent& drc, const std::string& raw); - void fromPublicKeyString(const std::string& raw); - static DNSCryptoKeyEngine* maker(unsigned int algorithm) - { - return new RSADNSCryptoKeyEngine(algorithm); - } - -private: - mbedtls_rsa_context d_context; -}; - -// see above -#undef PDNSSEC_MC -#undef PDNSSEC_MI -#undef PDNSSEC_MF - - -inline bool operator<(const mbedtls_mpi& a, const mbedtls_mpi& b) -{ - return mbedtls_mpi_cmp_mpi(&a, &b) < 0; -} - - -void RSADNSCryptoKeyEngine::create(unsigned int bits) -{ - mbedtls_entropy_context entropy; - mbedtls_ctr_drbg_context ctr_drbg; - - mbedtls_entropy_init( &entropy ); - mbedtls_ctr_drbg_init( &ctr_drbg ); - int ret=mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy, (unsigned char *) "PowerDNS", 
8); - if(ret < 0) - throw runtime_error("Entropy gathering for key generation failed"); - mbedtls_rsa_init(&d_context, MBEDTLS_RSA_PKCS_V15, 0); // FIXME this leaks memory (it does?) - ret=mbedtls_rsa_gen_key(&d_context, mbedtls_ctr_drbg_random, &ctr_drbg, bits, 65537); - if(ret < 0) - throw runtime_error("Key generation failed"); -} - -std::string RSADNSCryptoKeyEngine::getPubKeyHash() const -{ - unsigned char hash[20]; - unsigned char N[mbedtls_mpi_size(&d_context.N)]; - mbedtls_mpi_write_binary(&d_context.N, N, sizeof(N)); - unsigned char E[mbedtls_mpi_size(&d_context.E)]; - mbedtls_mpi_write_binary(&d_context.E, E, sizeof(E)); - - mbedtls_sha1_context ctx; - mbedtls_sha1_starts(&ctx); - mbedtls_sha1_update(&ctx, N, sizeof(N)); - mbedtls_sha1_update(&ctx, E, sizeof(E)); - mbedtls_sha1_finish(&ctx, hash); - return string((char*)hash, sizeof(hash)); -} - -std::string RSADNSCryptoKeyEngine::sign(const std::string& msg) const -{ - string hash = this->hash(msg); - unsigned char signature[mbedtls_mpi_size(&d_context.N)]; - mbedtls_md_type_t hashKind; - - if(hash.size()==20) - hashKind= MBEDTLS_MD_SHA1; - else if(hash.size()==32) - hashKind= MBEDTLS_MD_SHA256; - else - hashKind = MBEDTLS_MD_SHA512; - - int ret=mbedtls_rsa_pkcs1_sign(const_cast(&d_context), NULL, NULL, MBEDTLS_RSA_PRIVATE, - hashKind, - hash.size(), - (const unsigned char*) hash.c_str(), signature); - - if(ret!=0) { - cerr<<"signing returned: "<hash(msg); - if(hash.size()==20) - hashKind= MBEDTLS_MD_SHA1; - else if(hash.size()==32) - hashKind= MBEDTLS_MD_SHA256; - else - hashKind = MBEDTLS_MD_SHA512; - - int ret=mbedtls_rsa_pkcs1_verify(const_cast(&d_context), - NULL, NULL, - MBEDTLS_RSA_PUBLIC, - hashKind, - hash.size(), - (const unsigned char*) hash.c_str(), (unsigned char*) signature.c_str()); - - return ret==0; // 0 really IS ok ;-) -} - -std::string RSADNSCryptoKeyEngine::hash(const std::string& toHash) const -{ - if(d_algorithm <= 7 ) { // RSASHA1 - unsigned char hash[20]; - mbedtls_sha1((unsigned 
char*)toHash.c_str(), toHash.length(), hash); - return string((char*)hash, sizeof(hash)); - } - else if(d_algorithm == 8) { // RSASHA256 - unsigned char hash[32]; - mbedtls_sha256((unsigned char*)toHash.c_str(), toHash.length(), hash, 0); - return string((char*)hash, sizeof(hash)); - } - else if(d_algorithm == 10) { // RSASHA512 - unsigned char hash[64]; - mbedtls_sha512((unsigned char*)toHash.c_str(), toHash.length(), hash, 0); - return string((char*)hash, sizeof(hash)); - } - throw runtime_error("mbed TLS hashing method can't hash algorithm "+std::to_string(d_algorithm)); -} - - -DNSCryptoKeyEngine::storvector_t RSADNSCryptoKeyEngine::convertToISCVector() const -{ - storvector_t storvect; - typedef vector > outputs_t; - outputs_t outputs; - push_back(outputs)("Modulus", &d_context.N)("PublicExponent",&d_context.E) - ("PrivateExponent",&d_context.D) - ("Prime1",&d_context.P) - ("Prime2",&d_context.Q) - ("Exponent1",&d_context.DP) - ("Exponent2",&d_context.DQ) - ("Coefficient",&d_context.QP); - - string algorithm=std::to_string(d_algorithm); - switch(d_algorithm) { - case 5: - case 7 : - algorithm+= " (RSASHA1)"; - break; - case 8: - algorithm += " (RSASHA256)"; - break; - } - storvect.push_back(make_pair("Algorithm", algorithm)); - - for(outputs_t::value_type value : outputs) { - unsigned char tmp[mbedtls_mpi_size(value.second)]; - mbedtls_mpi_write_binary(value.second, tmp, sizeof(tmp)); - storvect.push_back(make_pair(value.first, string((char*)tmp, sizeof(tmp)))); - } - return storvect; -} - - -void RSADNSCryptoKeyEngine::fromISCMap(DNSKEYRecordContent& drc, std::map& stormap) -{ - string sline; - string key,value; - typedef map places_t; - places_t places; - - mbedtls_rsa_init(&d_context, MBEDTLS_RSA_PKCS_V15, 0); - - places["Modulus"]=&d_context.N; - places["PublicExponent"]=&d_context.E; - places["PrivateExponent"]=&d_context.D; - places["Prime1"]=&d_context.P; - places["Prime2"]=&d_context.Q; - places["Exponent1"]=&d_context.DP; - 
places["Exponent2"]=&d_context.DQ; - places["Coefficient"]=&d_context.QP; - - drc.d_algorithm = pdns_stou(stormap["algorithm"]); - - string raw; - for(const places_t::value_type& val : places) { - raw=stormap[toLower(val.first)]; - mbedtls_mpi_read_binary(val.second, (unsigned char*) raw.c_str(), raw.length()); - } - - d_context.len = ( mbedtls_mpi_bitlen( &d_context.N ) + 7 ) >> 3; // no clue what this does - drc.d_key = this->getPublicKeyString(); - drc.d_protocol=3; -} - -void RSADNSCryptoKeyEngine::fromPEMString(DNSKEYRecordContent& drc, const std::string& raw) -{ - vector integers; - decodeDERIntegerSequence(raw, integers); - cerr<<"Got "< places; - - mbedtls_rsa_init(&d_context, MBEDTLS_RSA_PKCS_V15, 0); - - places[1]=&d_context.N; - places[2]=&d_context.E; - places[3]=&d_context.D; - places[4]=&d_context.P; - places[5]=&d_context.Q; - places[6]=&d_context.DP; - places[7]=&d_context.DQ; - places[8]=&d_context.QP; - - string modulus, exponent; - - for(int n = 0; n < 9 ; ++n) { - if(places.count(n)) { - if(places[n]) { - mbedtls_mpi_read_binary(places[n], (const unsigned char*)integers[n].c_str(), integers[n].length()); - if(n==1) - modulus=integers[n]; - if(n==2) - exponent=integers[n]; - } - } - } - d_context.len = ( mbedtls_mpi_bitlen( &d_context.N ) + 7 ) >> 3; // no clue what this does - - if(exponent.length() < 255) - drc.d_key.assign(1, (char) (unsigned int) exponent.length()); - else { - drc.d_key.assign(1, 0); - uint16_t len=htons(exponent.length()); - drc.d_key.append((char*)&len, 2); - } - drc.d_key.append(exponent); - drc.d_key.append(modulus); - drc.d_protocol=3; -} - -void RSADNSCryptoKeyEngine::fromPublicKeyString(const std::string& rawString) -{ - mbedtls_rsa_init(&d_context, MBEDTLS_RSA_PKCS_V15, 0); - string exponent, modulus; - const unsigned char* raw = (const unsigned char*)rawString.c_str(); - - if(raw[0] != 0) { - exponent=rawString.substr(1, raw[0]); - modulus=rawString.substr(raw[0]+1); - } else { - exponent=rawString.substr(3, 
raw[1]*0xff + raw[2]); - modulus = rawString.substr(3+ raw[1]*0xff + raw[2]); - } - mbedtls_mpi_read_binary(&d_context.E, (unsigned char*)exponent.c_str(), exponent.length()); - mbedtls_mpi_read_binary(&d_context.N, (unsigned char*)modulus.c_str(), modulus.length()); - d_context.len = ( mbedtls_mpi_bitlen( &d_context.N ) + 7 ) >> 3; // no clue what this does -} - -string RSADNSCryptoKeyEngine::getPublicKeyString() const -{ - string keystring; - char tmp[std::max(mbedtls_mpi_size(&d_context.E), mbedtls_mpi_size(&d_context.N))]; - - mbedtls_mpi_write_binary(&d_context.E, (unsigned char*)tmp, mbedtls_mpi_size(&d_context.E) ); - string exponent((char*)tmp, mbedtls_mpi_size(&d_context.E)); - - mbedtls_mpi_write_binary(&d_context.N, (unsigned char*)tmp, mbedtls_mpi_size(&d_context.N) ); - string modulus((char*)tmp, mbedtls_mpi_size(&d_context.N)); - - if(exponent.length() < 255) - keystring.assign(1, (char) (unsigned int) exponent.length()); - else { - keystring.assign(1, 0); - uint16_t len=htons(exponent.length()); - keystring.append((char*)&len, 2); - } - keystring.append(exponent); - keystring.append(modulus); - return keystring; -} - -class MbedECDSADNSCryptoKeyEngine : public DNSCryptoKeyEngine -{ -public: - explicit MbedECDSADNSCryptoKeyEngine(unsigned int algo) : DNSCryptoKeyEngine(algo) - { - static const unsigned char custom[] = "PowerDNS"; - mbedtls_ecdsa_init(&d_ctx); - mbedtls_entropy_init(&d_entropy); - mbedtls_ctr_drbg_init(&d_ctr_drbg); - - int ret = mbedtls_ctr_drbg_seed(&d_ctr_drbg, mbedtls_entropy_func, &d_entropy, custom, sizeof(custom) - 1); - if (ret != 0) { - throw runtime_error(getName()+" entropy gathering for key generation failed"); - } - - if(d_algorithm == 13) { - d_groupId = MBEDTLS_ECP_DP_SECP256R1; - d_bits = 256; - } - else if(d_algorithm == 14){ - d_groupId = MBEDTLS_ECP_DP_SECP384R1; - d_bits = 384; - } - else { - throw runtime_error(getName()+" unknown algo "+std::to_string(d_algorithm)); - } - } - - MbedECDSADNSCryptoKeyEngine(const 
MbedECDSADNSCryptoKeyEngine& orig) : MbedECDSADNSCryptoKeyEngine(orig.d_algorithm) - { - mbedtls_ecp_point_init(&d_ctx.Q); - int ret = mbedtls_ecp_copy(&d_ctx.Q, &orig.d_ctx.Q); - - if (ret != 0) { - throw runtime_error(getName()+" EC point copy failed"); - } - - mbedtls_mpi_init(&d_ctx.d); - ret = mbedtls_mpi_copy(&d_ctx.d, &orig.d_ctx.d); - - if (ret != 0) { - throw runtime_error(getName()+" key copy failed"); - } - } - - ~MbedECDSADNSCryptoKeyEngine() - { - mbedtls_ctr_drbg_free(&d_ctr_drbg); - mbedtls_entropy_free(&d_entropy); - mbedtls_ecdsa_free(&d_ctx); - } - - string getName() const { return "mbedTLS ECDSA"; } - void create(unsigned int bits); - storvector_t convertToISCVector() const; - std::string getPubKeyHash() const; - std::string sign(const std::string& hash) const; - std::string hash(const std::string& hash) const; - bool verify(const std::string& hash, const std::string& signature) const; - std::string getPublicKeyString() const; - int getBits() const; - void fromISCMap(DNSKEYRecordContent& drc, std::map& stormap); - void fromPublicKeyString(const std::string& content); - void fromPEMString(DNSKEYRecordContent& drc, const std::string& raw) - {} - - static DNSCryptoKeyEngine* maker(unsigned int algorithm) - { - return new MbedECDSADNSCryptoKeyEngine(algorithm); - } - -private: - mbedtls_ecdsa_context d_ctx; - mbedtls_entropy_context d_entropy; - mbedtls_ctr_drbg_context d_ctr_drbg; - mbedtls_ecp_group_id d_groupId; - unsigned int d_bits; -}; - -void MbedECDSADNSCryptoKeyEngine::create(unsigned int bits) -{ - if (bits != d_bits) { - throw runtime_error(getName()+" invalid key length of "+std::to_string(bits)+" bits requested"); - } - - mbedtls_ecdsa_free(&d_ctx); - mbedtls_ecdsa_init(&d_ctx); - int ret = mbedtls_ecp_group_load(&d_ctx.grp, d_groupId); - - if (ret != 0) { - throw runtime_error(getName()+" error loading EC group for algo "+std::to_string(d_algorithm)); - } - - ret = mbedtls_ecdsa_genkey(&d_ctx, d_groupId, &mbedtls_ctr_drbg_random, 
&d_ctr_drbg); - if (ret != 0) { - throw runtime_error(getName()+" key generation failed"); - } -} - -int MbedECDSADNSCryptoKeyEngine::getBits() const -{ - return d_bits; -} - -DNSCryptoKeyEngine::storvector_t MbedECDSADNSCryptoKeyEngine::convertToISCVector() const -{ - storvector_t storvect; - string algorithm; - - if(d_algorithm == 13) { - algorithm = "13 (ECDSAP256SHA256)"; - } - else if(d_algorithm == 14) { - algorithm ="14 (ECDSAP384SHA384)"; - } - else { - algorithm =" ? (?)"; - } - - storvect.push_back(make_pair("Algorithm", algorithm)); - - unsigned char tmp[mbedtls_mpi_size(&d_ctx.d)]; - int ret = mbedtls_mpi_write_binary(&d_ctx.d, tmp, sizeof(tmp)); - - if (ret != 0) { - throw runtime_error(getName()+" error converting private Key to binary"); - } - - storvect.push_back(make_pair("PrivateKey", string((char*) tmp, sizeof(tmp)))); - - return storvect; -} - -void MbedECDSADNSCryptoKeyEngine::fromISCMap(DNSKEYRecordContent& drc, std::map& stormap) -{ - drc.d_algorithm = atoi(stormap["algorithm"].c_str()); - - if (drc.d_algorithm != d_algorithm) { - throw runtime_error(getName()+" tried to feed an algorithm "+std::to_string(drc.d_algorithm)+" to a "+std::to_string(d_algorithm)+" key!"); - } - - mbedtls_ecdsa_free(&d_ctx); - mbedtls_ecdsa_init(&d_ctx); - int ret = mbedtls_ecp_group_load(&d_ctx.grp, d_groupId); - - if (ret != 0) { - throw runtime_error(getName()+" error loading EC group for algo "+std::to_string(d_algorithm)); - } - - string privateKey = stormap["privatekey"]; - ret = mbedtls_mpi_read_binary(&d_ctx.d, (unsigned char*) privateKey.c_str(), privateKey.length()); - if (ret != 0) { - throw runtime_error(getName()+" reading private key from binary failed"); - } - - /* compute the public key */ - ret = mbedtls_ecp_mul(&d_ctx.grp, &d_ctx.Q, &d_ctx.d, &d_ctx.grp.G, &mbedtls_ctr_drbg_random, &d_ctr_drbg); - - if (ret != 0) { - throw runtime_error(getName()+" computing public key from private failed"); - } -} - -std::string 
MbedECDSADNSCryptoKeyEngine::getPubKeyHash() const -{ - unsigned char binaryPoint[MBEDTLS_ECP_MAX_PT_LEN]; - size_t binaryPointLen = 0; - unsigned char hash[20]; - int ret = mbedtls_ecp_point_write_binary(&d_ctx.grp, &d_ctx.Q, MBEDTLS_ECP_PF_UNCOMPRESSED, &binaryPointLen, binaryPoint, sizeof(binaryPoint)); - - if (ret != 0) { - throw runtime_error(getName()+" exporting ECP point to binary failed"); - } - - mbedtls_sha1_context ctx; - mbedtls_sha1_starts(&ctx); - /* we skip the first byte as the other backends use - raw field elements, as opposed to the format described in - SEC1: "2.3.3 Elliptic-Curve-Point-to-Octet-String Conversion" */ - mbedtls_sha1_update(&ctx, binaryPoint + 1, binaryPointLen - 1); - mbedtls_sha1_finish(&ctx, hash); - - return string((char*)hash, sizeof(hash)); -} - -std::string MbedECDSADNSCryptoKeyEngine::getPublicKeyString() const -{ - unsigned char binaryPoint[MBEDTLS_ECP_MAX_PT_LEN]; - size_t binaryPointLen = 0; - int ret = mbedtls_ecp_point_write_binary(&d_ctx.grp, &d_ctx.Q, MBEDTLS_ECP_PF_UNCOMPRESSED, &binaryPointLen, binaryPoint, sizeof(binaryPoint)); - - if (ret != 0) { - throw runtime_error(getName()+" exporting ECP point to binary failed"); - } - - /* we skip the first byte as the other signers use - raw field elements, as opposed to the format described in - SEC1: "2.3.3 Elliptic-Curve-Point-to-Octet-String Conversion" */ - return string((const char *)(binaryPoint + 1), binaryPointLen - 1); -} - -void MbedECDSADNSCryptoKeyEngine::fromPublicKeyString(const std::string&input) -{ - /* uncompressed point, from SEC1: - "2.3.4 Octet-String-to-Elliptic-Curve-Point Conversion" */ - static const unsigned char uncompressed[] = { 0x04 }; - string ecdsaPoint; - ecdsaPoint.assign((const char*) uncompressed, sizeof(uncompressed)); - ecdsaPoint.append(input); - - mbedtls_ecdsa_free(&d_ctx); - mbedtls_ecdsa_init(&d_ctx); - int ret = mbedtls_ecp_group_load(&d_ctx.grp, d_groupId); - - if (ret != 0) { - throw runtime_error(getName()+" error loading 
EC group for algo "+std::to_string(d_algorithm)); - } - - ret = mbedtls_ecp_point_read_binary(&d_ctx.grp, &d_ctx.Q, (unsigned char*) ecdsaPoint.c_str(), ecdsaPoint.length()); - - if (ret != 0) { - throw runtime_error(getName()+" reading ECP point from binary failed"); - } -} - -std::string MbedECDSADNSCryptoKeyEngine::sign(const std::string& msg) const -{ - string hash = this->hash(msg); - mbedtls_md_type_t hashKind; - if (hash.size() == 32) { - hashKind = MBEDTLS_MD_SHA256; - } - else { - hashKind = MBEDTLS_MD_SHA384; - } - - mbedtls_mpi r, s; - - mbedtls_mpi_init(&r); - mbedtls_mpi_init(&s); - - mbedtls_ecp_group tempGroup; - mbedtls_ecp_group_init(&tempGroup); - - int ret = mbedtls_ecp_group_copy(&tempGroup, &d_ctx.grp); - - if (ret != 0) { - mbedtls_mpi_free(&r); - mbedtls_mpi_free(&s); - mbedtls_ecp_group_free(&tempGroup); - throw runtime_error(getName()+" error copying group"); - } - - ret = mbedtls_ecdsa_sign_det(&tempGroup, &r, &s, &d_ctx.d, (const unsigned char*) hash.c_str(), hash.length(), hashKind); - - mbedtls_ecp_group_free(&tempGroup); - - if (ret != 0) { - mbedtls_mpi_free(&r); - mbedtls_mpi_free(&s); - throw runtime_error(getName()+ " signature failed"); - } - - /* SEC1: 4.1.3 Signing Operation */ - const size_t mpiLen = mbedtls_mpi_size(&d_ctx.grp.P); - const size_t sigLen = mpiLen * 2; - - unsigned char sig[sigLen]; - - ret = mbedtls_mpi_write_binary(&r, sig, mpiLen); - - if (ret != 0) { - mbedtls_mpi_free(&r); - mbedtls_mpi_free(&s); - throw runtime_error(getName()+" error converting signature part R to binary"); - } - - ret = mbedtls_mpi_write_binary(&s, sig + mpiLen, mpiLen); - - if (ret != 0) { - mbedtls_mpi_free(&r); - mbedtls_mpi_free(&s); - throw runtime_error(getName()+" error converting signature part S to binary"); - } - - mbedtls_mpi_free(&r); - mbedtls_mpi_free(&s); - - return string((char *) sig, sigLen); -} - -std::string MbedECDSADNSCryptoKeyEngine::hash(const std::string& orig) const -{ - if(getBits() == 256) { - unsigned char 
hash[32]; - mbedtls_sha256((unsigned char*) orig.c_str(), orig.length(), hash, 0); - return string((char*) hash, sizeof(hash)); - } - else if(getBits() == 384) { - unsigned char hash[48]; - // mbedtls_sha512() with the last parameter as 1 computes sha384 - mbedtls_sha512((unsigned char*) orig.c_str(), orig.length(), hash, 1); - return string((char*) hash, sizeof(hash)); - } - - throw runtime_error(getName()+" does not support hash size of "+std::to_string(getBits())); -} - -bool MbedECDSADNSCryptoKeyEngine::verify(const std::string& msg, const std::string& signature) const -{ - string hash = this->hash(msg); - const size_t mpiLen = mbedtls_mpi_size(&d_ctx.grp.P); - mbedtls_mpi r, s; - - /* SEC1: 4.1.4 Verifying Operation */ - mbedtls_mpi_init(&r); - mbedtls_mpi_init(&s); - - if (signature.length() < (mpiLen * 2)) { - throw runtime_error(getName()+ " invalid signature size"); - } - - int ret = mbedtls_mpi_read_binary(&r, (unsigned char*) signature.c_str(), mpiLen); - if (ret != 0) { - mbedtls_mpi_free(&r); - mbedtls_mpi_free(&s); - throw runtime_error(getName()+" reading signature part R from binary failed"); - } - - ret = mbedtls_mpi_read_binary(&s, (unsigned char*) signature.c_str() + mpiLen, mpiLen); - if (ret != 0) { - mbedtls_mpi_free(&r); - mbedtls_mpi_free(&s); - throw runtime_error(getName()+" reading signature part S from binary failed"); - } - - mbedtls_ecp_group tempGroup; - mbedtls_ecp_group_init(&tempGroup); - - ret = mbedtls_ecp_group_copy(&tempGroup, &d_ctx.grp); - - if (ret != 0) { - mbedtls_mpi_free(&r); - mbedtls_mpi_free(&s); - mbedtls_ecp_group_free(&tempGroup); - throw runtime_error(getName()+ " error copying group"); - } - - ret = mbedtls_ecdsa_verify(&tempGroup, (const unsigned char*) hash.c_str(), hash.length(), &d_ctx.Q, &r, &s); - - mbedtls_ecp_group_free(&tempGroup); - mbedtls_mpi_free(&r); - mbedtls_mpi_free(&s); - - return (ret == 0); -} - -namespace { -struct LoaderStruct -{ - LoaderStruct() - { - DNSCryptoKeyEngine::report(5, 
&RSADNSCryptoKeyEngine::maker, true); - DNSCryptoKeyEngine::report(7, &RSADNSCryptoKeyEngine::maker, true); - DNSCryptoKeyEngine::report(8, &RSADNSCryptoKeyEngine::maker, true); - DNSCryptoKeyEngine::report(10, &RSADNSCryptoKeyEngine::maker, true); - DNSCryptoKeyEngine::report(13, &MbedECDSADNSCryptoKeyEngine::maker, true); - DNSCryptoKeyEngine::report(14, &MbedECDSADNSCryptoKeyEngine::maker, true); - } -} loaderMbed; -} diff --git a/pdns/md5.hh b/pdns/md5.hh index 9a9093768..238e01858 100644 --- a/pdns/md5.hh +++ b/pdns/md5.hh @@ -3,25 +3,12 @@ #include #include -#ifdef HAVE_MBEDTLS2 -#include -#elif defined(HAVE_MBEDTLS) -#include -#include "mbedtlscompat.hh" -#elif HAVE_OPENSSL #include -#endif inline std::string pdns_md5sum(const std::string& input) { unsigned char result[16] = {0}; -#ifdef HAVE_MBEDTLS - mbedtls_md5(reinterpret_cast(input.c_str()), input.length(), result); -#elif defined(HAVE_OPENSSL) MD5(reinterpret_cast(input.c_str()), input.length(), result); -#else -#error "No md5 implementation found" -#endif return std::string(result, result + sizeof result); } diff --git a/pdns/recursordist/Makefile.am b/pdns/recursordist/Makefile.am index 4e3a10392..a66086332 100644 --- a/pdns/recursordist/Makefile.am +++ b/pdns/recursordist/Makefile.am @@ -5,8 +5,7 @@ AM_CPPFLAGS = $(LUA_CFLAGS) $(YAHTTP_CFLAGS) $(BOOST_CPPFLAGS) $(SANITIZER_FLAGS AM_CPPFLAGS += \ -I$(top_srcdir)/ext/json11 \ -I$(top_srcdir)/ext/rapidjson/include \ - $(YAHTTP_CFLAGS) \ - $(MBEDTLS_CFLAGS) + $(YAHTTP_CFLAGS) AM_CXXFLAGS = \ -DSYSCONFDIR=\"$(sysconfdir)\" \ @@ -38,7 +37,6 @@ EXTRA_DIST = \ epollmplexer.cc \ kqueuemplexer.cc \ malloctrace.cc malloctrace.hh \ - mbedtlscompat.hh mbedtlssigners.cc \ mtasker.cc \ opensslsigners.hh opensslsigners.cc \ pdns_recursor.1.md \ 
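Review bot: The new side of pdns_md5sum calls MD5() with no `HAVE_OPENSSL` guard and drops the `#error "No md5 implementation found"` fallback, so a build configured without OpenSSL now fails at the OpenSSL include or at the MD5() call rather than with the explicit message; the same applies to the four `pdns_sha*sum` helpers in the pdns/sha.hh hunk. The recursor's configure.ac hunk still appears to register OpenSSL through `AX_CHECK_OPENSSL([AM_CONDITIONAL([OPENSSL], [true])...`, which suggests OpenSSL remains optional at configure time while these headers now require it unconditionally. Either make the configure check fatal when OpenSSL is absent, or keep the guard in each header, e.g. `#ifndef HAVE_OPENSSL`, `#error "No md5 implementation found"`, `#endif` ahead of the include. Separately, a one-line comment above pdns_md5sum stating what it is still needed for would help, since MD5 is not collision-resistant and a reader may otherwise reach for it for new integrity checks.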
@@ -122,14 +120,6 @@ pdns_recursor_LDADD = \ pdns_recursor_LDFLAGS = $(AM_LDFLAGS) -if MBEDTLS -pdns_recursor_SOURCES += \ - mbedtlscompat.hh \ - mbedtlssigners.cc -pdns_recursor_LDADD += $(MBEDTLS_LIBS) -pdns_recursor_LDFLAGS += $(MBEDTLS_LDFLAGS) -endif - if OPENSSL pdns_recursor_SOURCES += \ opensslsigners.cc \ diff --git a/pdns/recursordist/configure.ac b/pdns/recursordist/configure.ac index 37eeab86d..8eab32438 100644 --- a/pdns/recursordist/configure.ac +++ b/pdns/recursordist/configure.ac @@ -44,7 +44,6 @@ AS_IF([test "x$with_luajit" = "xno"], [ PDNS_ENABLE_VERBOSE_LOGGING # Crypto libraries -PDNS_WITH_SYSTEM_MBEDTLS PDNS_ENABLE_BOTAN AX_CHECK_OPENSSL([ AM_CONDITIONAL([OPENSSL], [true]) diff --git a/pdns/recursordist/m4/pdns_with_system_mbedtls.m4 b/pdns/recursordist/m4/pdns_with_system_mbedtls.m4 deleted file mode 100644 index 9530208c0..000000000 --- a/pdns/recursordist/m4/pdns_with_system_mbedtls.m4 +++ /dev/null 
@@ -1,81 +0,0 @@ -AC_DEFUN([PDNS_WITH_SYSTEM_MBEDTLS],[ - AC_ARG_WITH([system-mbedtls], - [AS_HELP_STRING([--with-system-mbedtls], [use system mbed TLS @<:@default=no@:>@])], - [], - [with_system_mbedtls=no], - ) - - AC_MSG_CHECKING([if we should build with mbedtls]) - AS_IF([test "x$with_system_mbedtls" = "xyes"],[ - AC_MSG_RESULT([yes]) - OLD_LIBS=$LIBS - LIBS="" - AC_SEARCH_LIBS([mbedtls_sha1], [mbedcrypto],[ - MBEDTLS_LIBS=$LIBS - have_system_mbedtls=yes - have_mbedtls=yes - have_mbedtls_v2=yes - ],[ - have_mbedtls_v2=no - AC_SEARCH_LIBS([sha1_hmac], [mbedtls polarssl],[ - MBEDTLS_LIBS=$LIBS - AC_MSG_CHECKING([for mbed TLS/PolarSSL version >= 1.3.0]) - AC_COMPILE_IFELSE([ - AC_LANG_PROGRAM( - [[#include ]], - [[ - #if POLARSSL_VERSION_NUMBER < 0x01030000 - #error invalid version - #endif - ]]) - ],[ - have_mbedtls=yes - have_system_mbedtls=yes - ],[ - AC_MSG_ERROR([no mbedTLS found]) - ]) - MBEDTLS_CFLAGS= - MBEDTLS_SUBDIR= - AC_DEFINE([MBEDTLS_SYSTEM], [1], [Defined if system mbed TLS is used]) - AC_MSG_RESULT([$have_system_mbedtls]) - ],[ - AC_MSG_ERROR([no mbedTLS found]) - ]) - ]) - LIBS=$OLD_LIBS - ],[ - AC_MSG_RESULT([no]) - have_system_mbedtls=no - have_mbedtls_v2=no - have_mbedtls=no - MBEDTLS_SUBDIR= - MBEDTLS_CFLAGS= - MBEDTLS_LIBS= - ]) - - AS_IF([test "x$have_system_mbedtls" = "xyes"],[ - MBEDTLS_CFLAGS= - MBEDTLS_SUBDIR= - AC_DEFINE([MBEDTLS_SYSTEM], [1], [Defined if system mbed TLS is used]) - ],[ - AS_IF([test "x$with_system_mbedtls" = "xyes"],[ - AC_MSG_ERROR([use of system mbed TLS requested but not found]) - ]) - ]) - - - AS_IF([test "x$have_mbedtls_v2" = "xyes"],[ - AC_DEFINE([HAVE_MBEDTLS2], [1], [Defined if mbed TLS version 2.x.x is used]) - ]) - - AS_IF([test "x$have_mbedtls" = "xyes"],[ - AC_DEFINE([HAVE_MBEDTLS], [1], [Defined if mbed TLS is used]) - AM_CONDITIONAL([MBEDTLS], [true]) - ],[ - AM_CONDITIONAL([MBEDTLS], [false]) - ]) - - AC_SUBST(MBEDTLS_CFLAGS) - AC_SUBST(MBEDTLS_LIBS) - AC_SUBST(MBEDTLS_SUBDIR) -]) 
diff --git a/pdns/recursordist/mbedtlscompat.hh b/pdns/recursordist/mbedtlscompat.hh deleted file mode 120000 index 1691c6738..000000000 --- a/pdns/recursordist/mbedtlscompat.hh +++ /dev/null @@ -1 +0,0 @@ -../mbedtlscompat.hh \ No newline at end of file diff --git a/pdns/recursordist/mbedtlssigners.cc b/pdns/recursordist/mbedtlssigners.cc deleted file mode 120000 index c1e36ba67..000000000 --- a/pdns/recursordist/mbedtlssigners.cc +++ /dev/null @@ -1 +0,0 @@ -../mbedtlssigners.cc \ No newline at end of file diff --git a/pdns/sha.hh b/pdns/sha.hh index 971bf5cc6..0bf657f49 100644 --- a/pdns/sha.hh +++ b/pdns/sha.hh 
@@ -3,70 +3,33 @@ #include #include -#ifdef HAVE_MBEDTLS2 -#include -#include -#include -#elif defined(HAVE_MBEDTLS) -#include -#include -#include -#include "mbedtlscompat.hh" -#elif defined(HAVE_OPENSSL) #include -#else -#error "No SHA implementation found" -#endif inline std::string pdns_sha1sum(const std::string& input) { unsigned char result[20] = {0}; -#ifdef HAVE_MBEDTLS - mbedtls_sha1(reinterpret_cast(input.c_str()), input.length(), result); -#elif defined(HAVE_OPENSSL) SHA1(reinterpret_cast(input.c_str()), input.length(), result); -#else -#error "No sha1 implementation found" -#endif return std::string(result, result + sizeof result); } inline std::string pdns_sha256sum(const std::string& input) { unsigned char result[32] = {0}; -#ifdef HAVE_MBEDTLS - mbedtls_sha256(reinterpret_cast(input.c_str()), input.length(), result, 0); -#elif defined(HAVE_OPENSSL) SHA256(reinterpret_cast(input.c_str()), input.length(), result); -#else -#error "No sha256 implementation found" -#endif return std::string(result, result + sizeof result); } inline std::string pdns_sha384sum(const std::string& input) { unsigned char result[48] = {0}; -#ifdef HAVE_MBEDTLS - mbedtls_sha512(reinterpret_cast(input.c_str()), input.length(), result, 1); -#elif defined(HAVE_OPENSSL) SHA384(reinterpret_cast(input.c_str()), input.length(), result); -#else -#error "No sha384 implementation found" -#endif return std::string(result, result + sizeof result); } inline std::string pdns_sha512sum(const std::string& input) { unsigned char result[64] = {0}; -#ifdef HAVE_MBEDTLS - mbedtls_sha512(reinterpret_cast(input.c_str()), input.length(), result, 0); -#elif defined(HAVE_OPENSSL) SHA512(reinterpret_cast(input.c_str()), input.length(), result); -#else -#error "No sha512 implementation found" -#endif return std::string(result, result + sizeof result); } diff --git a/pdns/version.cc b/pdns/version.cc index fb3787681..2475ddd5d 100644 --- a/pdns/version.cc +++ b/pdns/version.cc 
@@ -25,12 +25,6 @@ #endif #include "logger.hh" #include "version.hh" -#ifdef HAVE_MBEDTLS2 -#include -#elif defined(HAVE_MBEDTLS) -#include -#include "mbedtlscompat.hh" -#endif static ProductType productType; @@ -96,9 +90,6 @@ void showBuildConfiguration() #ifdef HAVE_LIBSODIUM "sodium " << #endif -#ifdef HAVE_MBEDTLS - "mbedtls " << -#endif #ifdef HAVE_OPENSSL "openssl " << #endif @@ -119,9 +110,6 @@ void showBuildConfiguration() // Auth only theL()<