From bc37490ae60921a07aee7205d2b920fc4e0ce3c1 Mon Sep 17 00:00:00 2001
From: Miod Vallat
Date: Wed, 4 Dec 2024 09:39:02 +0100
Subject: [PATCH] Remove support for libdecaf. Fixes #12953
---
 .github/actions/spell-check/allow.txt | 2 -
 .github/workflows/build-and-test-all.yml | 1 -
 .github/workflows/codeql-analysis.yml | 1 -
 configure.ac | 5 +-
 docs/appendices/compiling.rst | 6 -
 m4/pdns_with_libdecaf.m4 | 58 ---
 meson.build | 16 -
 meson/libdecaf/meson.build | 61 ---
 meson_options.txt | 1 -
 pdns/Makefile.am | 19 -
 pdns/decafsigners.cc | 443 ------
 pdns/pdnsutil.cc | 12 +-
 pdns/recursordist/Makefile.am | 10 -
 pdns/recursordist/configure.ac | 5 +-
 .../docs/appendices/compiling.rst | 9 -
 pdns/recursordist/m4/pdns_with_libdecaf.m4 | 1 -
 pdns/recursordist/meson.build | 14 -
 pdns/recursordist/meson_options.txt | 1 -
 pdns/test-signers.cc | 2 +-
 pdns/version.cc | 3 -
 tasks.py | 26 -
 21 files changed, 11 insertions(+), 685 deletions(-)
 delete mode 100644 m4/pdns_with_libdecaf.m4
 delete mode 100644 meson/libdecaf/meson.build
 delete mode 100644 pdns/decafsigners.cc
 delete mode 120000 pdns/recursordist/m4/pdns_with_libdecaf.m4
diff --git a/.github/actions/spell-check/allow.txt b/.github/actions/spell-check/allow.txt
index 6015d0f50f66..a325ba18a0b1 100644
--- a/.github/actions/spell-check/allow.txt
+++ b/.github/actions/spell-check/allow.txt
@@ -651,7 +651,6 @@ DEBFULLNAME
 debhelper
 debtest
 DEBUGLOG
-decafsigners
 decltype
 deconfigure
 deconfigured
@@ -1810,7 +1809,6 @@ llu
 LMDBQ
 lnc
 lnow
-loaderdecaf
 loadersodium
 loadfile
 loadmodule
diff --git a/.github/workflows/build-and-test-all.yml b/.github/workflows/build-and-test-all.yml
index 4fa0b42bbad3..54ff10273ff4 100644
--- a/.github/workflows/build-and-test-all.yml
+++ b/.github/workflows/build-and-test-all.yml
@@ -31,7 +31,6 @@ env:
 COVERAGE: ${{ github.repository == 'PowerDNS/pdns' && 'yes' || 'no' }}
 LLVM_PROFILE_FILE: "/tmp/code-%p.profraw"
 OPTIMIZATIONS: yes
- DECAF_SUPPORT: yes
 jobs:
 get-runner-container-image:
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 0038a02870c3..d7cdcc81c930 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -52,7 +52,6 @@ jobs: # for clang-tidy only, not compilation CLANG_VERSION: '14' REPO_HOME: ${{ github.workspace }} - DECAF_SUPPORT: no outputs: clang-tidy-annotations-auth: ${{ steps.clang-tidy-annotations-auth.outputs.failed }} diff --git a/configure.ac b/configure.ac index 6cd518a10f7e..b0fec7b40b9f 100644 --- a/configure.ac +++ b/configure.ac @@ -88,7 +88,6 @@ AC_CHECK_HEADERS( AC_CHECK_HEADERS([sys/random.h]) PDNS_WITH_LIBSODIUM -PDNS_WITH_LIBDECAF PDNS_CHECK_LIBCRYPTO([ ],[ AC_MSG_ERROR([OpenSSL/libcrypto not found]) @@ -417,11 +416,11 @@ AS_IF([test "x$libcrypto_ecdsa" = "xyes"], [AC_MSG_NOTICE([OpenSSL ecdsa: yes])], [AC_MSG_NOTICE([OpenSSL ecdsa: no])] ) -AS_IF([test "x$LIBSODIUM_LIBS" != "x" || test "x$LIBDECAF_LIBS" != "x" || test "x$libcrypto_ed25519" = "xyes"], +AS_IF([test "x$LIBSODIUM_LIBS" != "x" || test "x$libcrypto_ed25519" = "xyes"], [AC_MSG_NOTICE([ed25519: yes])], [AC_MSG_NOTICE([ed25519: no])] ) -AS_IF([test "x$LIBDECAF_LIBS" != "x" || test "x$libcrypto_ed448" = "xyes"], +AS_IF([test "x$libcrypto_ed448" = "xyes"], [AC_MSG_NOTICE([ed448: yes])], [AC_MSG_NOTICE([ed448: no])] ) diff --git a/docs/appendices/compiling.rst b/docs/appendices/compiling.rst index 97fda12ff0c7..9873d1878e9c 100644 --- a/docs/appendices/compiling.rst +++ b/docs/appendices/compiling.rst 
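Review bot: With `PDNS_WITH_LIBDECAF` dropped in the first configure.ac hunk, a build script that still passes `--with-libdecaf` will presumably get only autoconf's unrecognised-option warning and configure without it, so an operator whose libcrypto lacks ed448 would silently lose DNSSEC algorithm 16 signing instead of getting a hard failure. Consider keeping a one-release stub that fails loudly, e.g. `AC_ARG_WITH([libdecaf], [AS_HELP_STRING([--with-libdecaf], [libdecaf support has been removed])], [AC_MSG_ERROR([libdecaf support has been removed; ed25519 comes from libsodium or libcrypto, ed448 from libcrypto only])])`. The ed448 notice in the second hunk now depends solely on `libcrypto_ed448`, which is consistent with the remaining build options.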
@@ -64,12 +64,6 @@ ed25519 support with libsodium The PowerDNS Authoritative Server can link with `libsodium `_ to support ed25519 (DNSSEC algorithm 15). To detect libsodium, use the ``--with-libsodium`` configure option. -ed25519 and ed448 support with libdecaf -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -`libdecaf `_ is a library that allows the PowerDNS Authoritative Server to support ed25519 and Ed448 (DNSSEC algorithms 15 and 16). -To detect libdecaf, use the ``--with-libdecaf`` configure option. - systemd notify support ^^^^^^^^^^^^^^^^^^^^^^ diff --git a/m4/pdns_with_libdecaf.m4 b/m4/pdns_with_libdecaf.m4 deleted file mode 100644 index 0c1bef3c25ec..000000000000 --- a/m4/pdns_with_libdecaf.m4 +++ /dev/null 
@@ -1,58 +0,0 @@ -AC_DEFUN([PDNS_WITH_LIBDECAF],[ - AC_MSG_CHECKING([whether we will be linking in libdecaf]) - AC_ARG_WITH([libdecaf], - [AS_HELP_STRING([--with-libdecaf],[use libdecaf @<:@default=no@:>@])], - [with_libdecaf=$withval], - [with_libdecaf=no] - ) - AC_MSG_RESULT([$with_libdecaf]) - - AM_CONDITIONAL([LIBDECAF],[test "x$with_libdecaf" != "xno"]) - - AS_IF([test "x$with_libdecaf" != "xno"],[ - save_LIBS=$LIBS - LIBS="" - AC_SEARCH_LIBS([decaf_ed25519_sign],[decaf],[ - AC_DEFINE([HAVE_LIBDECAF],[1],[Define to 1 if you have libdecaf]) - AC_SUBST([LIBDECAF_LIBS],["$LIBS"]) - ],[ - AC_MSG_ERROR([Could not find libdecaf]) - ]) - LIBS="$save_LIBS" - - AS_IF([test "x$LIBDECAF_CFLAGS" = "x"],[ - AC_MSG_CHECKING([for libdecaf headers]) - libdecaf_header_dir="" - - header_dirs="/usr /usr/local" - for header_dir in $header_dirs; do - if test -f "$header_dir/include/decaf.hxx"; then - libdecaf_header_dir="$header_dir/include" - break - fi - - if test -f "$header_dir/include/decaf/decaf.hxx"; then - libdecaf_header_dir="$header_dir/include/decaf" - break - fi - done - - AS_IF([test "x$libdecaf_header_dir" != "x"],[ - AC_MSG_RESULT([$libdecaf_header_dir]) - LIBDECAF_CFLAGS="-I$libdecaf_header_dir" - ], - [AC_MSG_RESULT([not found])]) - ]) - - AC_SUBST([LIBDECAF_CFLAGS]) - - save_CXXFLAGS="$CXXFLAGS" - CXXFLAGS="$CXXFLAGS $LIBDECAF_CFLAGS" - AC_CHECK_HEADERS( - [decaf.hxx], - [], - [AC_MSG_ERROR([cannot find libdecaf headers])] - ) - CXXFLAGS="$save_CXXFLAGS" - ]) -]) diff --git a/meson.build b/meson.build index f472242616bb..c726bf8eb77c 100644 --- a/meson.build +++ b/meson.build 
@@ -42,7 +42,6 @@ subdir('meson' / 'net-libs') # Network Libraries subdir('meson' / 'tm-gmtoff') # Check for tm_gmtoff field in struct tm subdir('meson' / 'mmap') # Check for mmap subdir('meson' / 'libsodium') # Libsodium-based signers -subdir('meson' / 'libdecaf') # Libdecaf-based signers subdir('meson' / 'libcrypto') # OpenSSL-based signers subdir('meson' / 'libssl') # OpenSSL libssl subdir('meson' / 'gnutls') # GnuTLS @@ -128,7 +127,6 @@ deps = [ dep_lua_records, dep_netlibs, dep_libsodium, - dep_libdecaf, dep_libcrypto, dep_libssl, dep_gnutls, @@ -440,17 +438,6 @@ if dep_libsodium.found() ) endif -libpdns_signers_decaf = dependency('', required: false) -if dep_libdecaf.found() - libpdns_signers_decaf = declare_dependency( - link_whole: static_library( - 'pdns-signers-decaf', - sources: files(src_dir / 'decafsigners.cc'), - dependencies: deps, - ) - ) -endif - libpdns_signers_pkcs11 = dependency('', required: false) if dep_pkcs11.found() libpdns_signers_pkcs11 = declare_dependency( @@ -692,7 +679,6 @@ tools = { libpdns_ssqlite3, libpdns_gettime, libpdns_signers_openssl, - libpdns_signers_decaf, libpdns_signers_sodium, ], 'manpages': ['pdns_server.1'], @@ -705,7 +691,6 @@ tools = { dep_modules, libpdns_ssqlite3, libpdns_signers_openssl, - libpdns_signers_decaf, libpdns_signers_sodium, ], 'manpages': ['pdnsutil.1'], @@ -930,7 +915,6 @@ if get_option('unit-tests') 'deps-extra': [ libpdns_test, libpdns_signers_openssl, - libpdns_signers_decaf, libpdns_signers_sodium, ], }, diff --git a/meson/libdecaf/meson.build b/meson/libdecaf/meson.build deleted file mode 100644 index 2fb0738cd06a..000000000000 --- a/meson/libdecaf/meson.build +++ /dev/null 
@@ -1,61 +0,0 @@ -opt_libdecaf = get_option('signers-libdecaf') -dep_libdecaf = dependency('', required: false) - -if not opt_libdecaf.disabled() - dep_libdecaf = dependency('libdecaf', required: false) - - if not dep_libdecaf.found() - all_lib_dirs = [ - '/usr', - '/usr' / 'lib', - '/usr' / 'local', - '/usr' / 'local' / 'lib', - ] - - all_include_dirs = [ - '/usr' / 'include', - '/usr' / 'include' / 'decaf', - '/usr' / 'local' / 'include', - '/usr' / 'local' / 'include' / 'decaf', - ] - - fs = import('fs') - - lib_dirs = [] - foreach lib_dir: all_lib_dirs - if fs.is_dir(lib_dir) - lib_dirs += lib_dir - endif - endforeach - - include_dirs = [] - foreach include_dir: all_include_dirs - if fs.is_dir(include_dir) - include_dirs += include_dir - endif - endforeach - include_dirs = include_directories(include_dirs, is_system: true) - - dep_libdecaf = cxx.find_library( - 'decaf', - dirs: lib_dirs, - required: opt_libdecaf, - has_headers: [ - 'decaf.hxx', - 'decaf' / 'spongerng.hxx', - 'decaf' / 'eddsa.hxx', - ], - header_include_directories: include_dirs, - ) - - if dep_libdecaf.found() - dep_libdecaf = declare_dependency( - dependencies: dep_libdecaf, - include_directories: include_dirs, - ) - endif - endif -endif - -conf.set('HAVE_LIBDECAF', dep_libdecaf.found(), description: 'libdecaf-based signers') -summary('libdecaf', dep_libdecaf.found(), bool_yn: true, section: 'Crypto') diff --git a/meson_options.txt b/meson_options.txt index c33ae9b8db15..a4869ce62b8b 100644 --- a/meson_options.txt +++ b/meson_options.txt 
@@ -5,7 +5,6 @@ option('hardening-experimental-scp', type: 'feature', value: 'disabled', descrip option('hardening-fortify-source', type: 'combo', choices: ['auto', 'disabled', '1', '2', '3'], value: '2', description: 'Source fortification level') option('rng-kiss', type: 'boolean', value: false, description: 'Use the unsafe KISS RNG') option('signers-libsodium', type: 'feature', value: 'auto', description: 'Enable libsodium-based signers') -option('signers-libdecaf', type: 'feature', value: 'auto', description: 'Enable libdecaf-based signers') option('signers-libcrypto', type: 'feature', value: 'auto', description: 'Enable OpenSSL libcrypto-based signers)') option('signers-libcrypto-path', type: 'string', value: '', description: 'Custom path to find OpenSSL libcrypto') option('tls-libssl', type: 'feature', value: 'auto', description: 'OpenSSL-based TLS') diff --git a/pdns/Makefile.am b/pdns/Makefile.am index 2522839a0f3c..042ad78769b5 100644 --- a/pdns/Makefile.am +++ b/pdns/Makefile.am @@ -45,10 +45,6 @@ if LIBSODIUM AM_CPPFLAGS +=$(LIBSODIUM_CFLAGS) endif -if LIBDECAF -AM_CPPFLAGS += $(LIBDECAF_CFLAGS) -endif - EXTRA_DIST = \ dnslabeltext.rl \ dnslabeltext.cc \ @@ -316,11 +312,6 @@ pdns_server_SOURCES += sodiumsigners.cc pdns_server_LDADD += $(LIBSODIUM_LIBS) endif -if LIBDECAF -pdns_server_SOURCES += decafsigners.cc -pdns_server_LDADD += $(LIBDECAF_LIBS) -endif - if SQLITE3 pdns_server_SOURCES += ssqlite3.cc ssqlite3.hh pdns_server_LDADD += $(SQLITE3_LIBS) @@ -423,11 +414,6 @@ pdnsutil_SOURCES += sodiumsigners.cc pdnsutil_LDADD += $(LIBSODIUM_LIBS) endif -if LIBDECAF -pdnsutil_SOURCES += decafsigners.cc -pdnsutil_LDADD += $(LIBDECAF_LIBS) -endif - if SQLITE3 pdnsutil_SOURCES += ssqlite3.cc ssqlite3.hh pdnsutil_LDADD += $(SQLITE3_LIBS) 
@@ -1482,11 +1468,6 @@ testrunner_LDADD += $(LIBSODIUM_LIBS) speedtest_LDADD += $(LIBSODIUM_LIBS) endif -if LIBDECAF -testrunner_SOURCES += decafsigners.cc -testrunner_LDADD += $(LIBDECAF_LIBS) -endif - if HAVE_FREEBSD ixfrdist_SOURCES += kqueuemplexer.cc testrunner_SOURCES += kqueuemplexer.cc diff --git a/pdns/decafsigners.cc b/pdns/decafsigners.cc deleted file mode 100644 index 6c8be67a4f4b..000000000000 --- a/pdns/decafsigners.cc +++ /dev/null 
@@ -1,443 +0,0 @@ -#include -#include -#ifdef HAVE_CONFIG_H -#include "config.h" -#endif -#pragma GCC diagnostic push -#pragma GCC diagnostic ignored "-Wdeprecated-copy" -#include -#pragma GCC diagnostic pop -#include -#pragma GCC diagnostic push -#pragma GCC diagnostic ignored "-Wshadow" -#include -#pragma GCC diagnostic pop -#include "dnsseckeeper.hh" - -#include "dnssecinfra.hh" - -using namespace decaf; - -class DecafED25519DNSCryptoKeyEngine : public DNSCryptoKeyEngine -{ -public: - explicit DecafED25519DNSCryptoKeyEngine(unsigned int algo) : - DNSCryptoKeyEngine(algo) - { - } - string getName() const override { return "Decaf ED25519"; } - void create(unsigned int bits) override; - -#if defined(HAVE_LIBCRYPTO_ED25519) - /** - * \brief Creates an ED25519 key engine from a PEM file. - * - * Receives an open file handle with PEM contents and creates an ED25519 key engine. - * - * \param[in] drc Key record contents to be populated. - * - * \param[in] inputFile An open file handle to a file containing ED25519 PEM contents. - * - * \param[in] filename Only used for providing filename information in error messages. - * - * \return An ED25519 key engine populated with the contents of the PEM file. - */ - void createFromPEMFile(DNSKEYRecordContent& drc, std::FILE& inputFile, std::optional> filename = std::nullopt) override; - - /** - * \brief Writes this key's contents to a file. - * - * Receives an open file handle and writes this key's contents to the - * file. - * - * \param[in] outputFile An open file handle for writing. - * - * \exception std::runtime_error In case of OpenSSL errors. 
- */ - void convertToPEMFile(std::FILE& outputFile) const override; -#endif - - [[nodiscard]] storvector_t convertToISCVector() const override; - [[nodiscard]] std::string sign(const std::string& msg) const override; - [[nodiscard]] bool verify(const std::string& msg, const std::string& signature) const override; - [[nodiscard]] std::string getPublicKeyString() const override; - [[nodiscard]] int getBits() const override; - void fromISCMap(DNSKEYRecordContent& drc, std::map& stormap) override; - void fromPublicKeyString(const std::string& content) override; - - static std::unique_ptr maker(unsigned int algorithm) - { - return make_unique(algorithm); - } - -private: - unsigned char d_pubkey[DECAF_EDDSA_25519_PUBLIC_BYTES]; - unsigned char d_seckey[DECAF_EDDSA_25519_PRIVATE_BYTES]; -}; - -void DecafED25519DNSCryptoKeyEngine::create(unsigned int bits) -{ - if (bits != (unsigned int)getBits()) { - throw runtime_error("Unsupported key length of " + std::to_string(bits) + " bits requested, DecafED25519 class"); - } - - SpongeRng rng("/dev/urandom"); - - typename EdDSA::PrivateKey priv(rng); - typename EdDSA::PublicKey pub(priv); - - priv.serialize_into(d_seckey); - pub.serialize_into(d_pubkey); -} - -#if defined(HAVE_LIBCRYPTO_ED25519) -void DecafED25519DNSCryptoKeyEngine::createFromPEMFile(DNSKEYRecordContent& drc, std::FILE& inputFile, std::optional> filename) -{ - drc.d_algorithm = d_algorithm; - auto key = std::unique_ptr(PEM_read_PrivateKey(&inputFile, nullptr, nullptr, nullptr), &EVP_PKEY_free); - if (key == nullptr) { - if (filename.has_value()) { - throw runtime_error(getName() + ": Failed to read private key from PEM file `" + filename->get() + "`"); - } - - throw runtime_error(getName() + ": Failed to read private key from PEM contents"); - } - - std::size_t keylen = DECAF_EDDSA_25519_PRIVATE_BYTES; - int ret = EVP_PKEY_get_raw_private_key(key.get(), d_seckey, &keylen); - if (ret == 0) { - if (filename.has_value()) { - throw runtime_error(getName() + ": Failed 
to get private key from PEM file contents `" + filename->get() + "`"); - } - - throw runtime_error(getName() + ": Failed to get private key from PEM contents"); - } - - keylen = DECAF_EDDSA_25519_PUBLIC_BYTES; - ret = EVP_PKEY_get_raw_public_key(key.get(), d_pubkey, &keylen); - if (ret == 0) { - if (filename.has_value()) { - throw runtime_error(getName() + ": Failed to get public key from PEM file contents `" + filename->get() + "`"); - } - - throw runtime_error(getName() + ": Failed to get public key from PEM contents"); - } -} - -void DecafED25519DNSCryptoKeyEngine::convertToPEMFile(std::FILE& outputFile) const -{ - auto key = std::unique_ptr(EVP_PKEY_new_raw_private_key(EVP_PKEY_ED25519, nullptr, d_seckey, DECAF_EDDSA_25519_PRIVATE_BYTES), EVP_PKEY_free); - if (key == nullptr) { - throw runtime_error(getName() + ": Could not create private key from buffer"); - } - - auto ret = PEM_write_PrivateKey(&outputFile, key.get(), nullptr, nullptr, 0, nullptr, nullptr); - if (ret == 0) { - throw runtime_error(getName() + ": Could not convert private key to PEM"); - } -} -#endif - -int DecafED25519DNSCryptoKeyEngine::getBits() const -{ - return DECAF_EDDSA_25519_PRIVATE_BYTES << 3; -} - -DNSCryptoKeyEngine::storvector_t DecafED25519DNSCryptoKeyEngine::convertToISCVector() const -{ - /* - Private-key-format: v1.2 - Algorithm: 15 (ED25519) - PrivateKey: ODIyNjAzODQ2MjgwODAxMjI2NDUxOTAyMDQxNDIyNjI= - */ - - auto storvector = storvector_t{ - {"Algorithm", "15 (ED25519)"}, - {"PrivateKey", string((char*)d_seckey, DECAF_EDDSA_25519_PRIVATE_BYTES)}, - }; - - return storvector; -} - -void DecafED25519DNSCryptoKeyEngine::fromISCMap(DNSKEYRecordContent& drc, std::map& stormap) -{ - /* - Private-key-format: v1.2 - Algorithm: 15 (ED25519) - PrivateKey: ODIyNjAzODQ2MjgwODAxMjI2NDUxOTAyMDQxNDIyNjI= - */ - - pdns::checked_stoi_into(drc.d_algorithm, stormap["algorithm"]); - string privateKey = stormap["privatekey"]; - - if (privateKey.length() != DECAF_EDDSA_25519_PRIVATE_BYTES) - throw 
runtime_error("Private key size mismatch in ISCMap, DecafED25519 class"); - - typename EdDSA::PrivateKey priv(Block((const unsigned char*)privateKey.c_str(), DECAF_EDDSA_25519_PRIVATE_BYTES)); - typename EdDSA::PublicKey pub(priv); - - priv.serialize_into(d_seckey); - pub.serialize_into(d_pubkey); -} - -std::string DecafED25519DNSCryptoKeyEngine::getPublicKeyString() const -{ - return string((char*)d_pubkey, DECAF_EDDSA_25519_PUBLIC_BYTES); -} - -void DecafED25519DNSCryptoKeyEngine::fromPublicKeyString(const std::string& input) -{ - if (input.length() != DECAF_EDDSA_25519_PUBLIC_BYTES) - throw runtime_error("Public key size mismatch, DecafED25519 class"); - - memcpy(d_pubkey, input.c_str(), DECAF_EDDSA_25519_PUBLIC_BYTES); -} - -std::string DecafED25519DNSCryptoKeyEngine::sign(const std::string& msg) const -{ - typename EdDSA::PrivateKey priv(Block(d_seckey, DECAF_EDDSA_25519_PRIVATE_BYTES)); - - SecureBuffer message(msg.begin(), msg.end()); - - SecureBuffer sig = priv.sign(message); - - return string(sig.begin(), sig.end()); -} - -bool DecafED25519DNSCryptoKeyEngine::verify(const std::string& msg, const std::string& signature) const -{ - if (signature.length() != DECAF_EDDSA_25519_SIGNATURE_BYTES) - return false; - - typename EdDSA::PublicKey pub(Block(d_pubkey, DECAF_EDDSA_25519_PUBLIC_BYTES)); - - SecureBuffer sig(signature.begin(), signature.end()); - SecureBuffer message(msg.begin(), msg.end()); - - try { - pub.verify(sig, message); - } - catch (const CryptoException& e) { - return false; - } - - return true; -} - -class DecafED448DNSCryptoKeyEngine : public DNSCryptoKeyEngine -{ -public: - explicit DecafED448DNSCryptoKeyEngine(unsigned int algo) : - DNSCryptoKeyEngine(algo) - { - } - string getName() const override { return "Decaf ED448"; } - void create(unsigned int bits) override; - -#if defined(HAVE_LIBCRYPTO_ED448) - /** - * \brief Creates an ED448 key engine from a PEM file. 
- * - * Receives an open file handle with PEM contents and creates an ED448 key engine. - * - * \param[in] drc Key record contents to be populated. - * - * \param[in] inputFile An open file handle to a file containing ED448 PEM contents. - * - * \param[in] filename Only used for providing filename information in error messages. - * - * \return An ED448 key engine populated with the contents of the PEM file. - */ - void createFromPEMFile(DNSKEYRecordContent& drc, std::FILE& inputFile, std::optional> filename = std::nullopt) override; - - /** - * \brief Writes this key's contents to a file. - * - * Receives an open file handle and writes this key's contents to the - * file. - * - * \param[in] outputFile An open file handle for writing. - * - * \exception std::runtime_error In case of OpenSSL errors. - */ - void convertToPEMFile(std::FILE& outputFile) const override; -#endif - - storvector_t convertToISCVector() const override; - std::string sign(const std::string& msg) const override; - bool verify(const std::string& msg, const std::string& signature) const override; - std::string getPublicKeyString() const override; - int getBits() const override; - void fromISCMap(DNSKEYRecordContent& drc, std::map& stormap) override; - void fromPublicKeyString(const std::string& content) override; - - static std::unique_ptr maker(unsigned int algorithm) - { - return make_unique(algorithm); - } - -private: - unsigned char d_pubkey[DECAF_EDDSA_448_PUBLIC_BYTES]; - unsigned char d_seckey[DECAF_EDDSA_448_PRIVATE_BYTES]; -}; - -void DecafED448DNSCryptoKeyEngine::create(unsigned int bits) -{ - if (bits != (unsigned int)getBits()) { - throw runtime_error("Unsupported key length of " + std::to_string(bits) + " bits requested, DecafED448 class"); - } - - SpongeRng rng("/dev/urandom"); - - typename EdDSA::PrivateKey priv(rng); - typename EdDSA::PublicKey pub(priv); - - priv.serialize_into(d_seckey); - pub.serialize_into(d_pubkey); -} - -#if defined(HAVE_LIBCRYPTO_ED448) -void 
DecafED448DNSCryptoKeyEngine::createFromPEMFile(DNSKEYRecordContent& drc, std::FILE& inputFile, std::optional> filename) -{ - drc.d_algorithm = d_algorithm; - auto key = std::unique_ptr(PEM_read_PrivateKey(&inputFile, nullptr, nullptr, nullptr), &EVP_PKEY_free); - if (key == nullptr) { - if (filename.has_value()) { - throw runtime_error(getName() + ": Failed to read private key from PEM file `" + filename->get() + "`"); - } - - throw runtime_error(getName() + ": Failed to read private key from PEM contents"); - } - - std::size_t keylen = DECAF_EDDSA_448_PRIVATE_BYTES; - int ret = EVP_PKEY_get_raw_private_key(key.get(), d_seckey, &keylen); - if (ret == 0) { - if (filename.has_value()) { - throw runtime_error(getName() + ": Failed to get private key from PEM file contents `" + filename->get() + "`"); - } - - throw runtime_error(getName() + ": Failed to get private key from PEM contents"); - } - - keylen = DECAF_EDDSA_448_PUBLIC_BYTES; - ret = EVP_PKEY_get_raw_public_key(key.get(), d_pubkey, &keylen); - if (ret == 0) { - if (filename.has_value()) { - throw runtime_error(getName() + ": Failed to get public key from PEM file contents `" + filename->get() + "`"); - } - - throw runtime_error(getName() + ": Failed to get public key from PEM contents"); - } -} - -void DecafED448DNSCryptoKeyEngine::convertToPEMFile(std::FILE& outputFile) const -{ - auto key = std::unique_ptr(EVP_PKEY_new_raw_private_key(EVP_PKEY_ED448, nullptr, d_seckey, DECAF_EDDSA_448_PRIVATE_BYTES), EVP_PKEY_free); - if (key == nullptr) { - throw runtime_error(getName() + ": Could not create private key from buffer"); - } - - auto ret = PEM_write_PrivateKey(&outputFile, key.get(), nullptr, nullptr, 0, nullptr, nullptr); - if (ret == 0) { - throw runtime_error(getName() + ": Could not convert private key to PEM"); - } -} -#endif - -int DecafED448DNSCryptoKeyEngine::getBits() const -{ - return DECAF_EDDSA_448_PRIVATE_BYTES << 3; -} - -DNSCryptoKeyEngine::storvector_t 
DecafED448DNSCryptoKeyEngine::convertToISCVector() const -{ - /* - Private-key-format: v1.2 - Algorithm: 16 (ED448) - PrivateKey: xZ+5Cgm463xugtkY5B0Jx6erFTXp13rYegst0qRtNsOYnaVpMx0Z/c5EiA9x8wWbDDct/U3FhYWA - */ - - auto storvector = storvector_t{ - {"Algorithm", "16 (ED448)"}, - {"PrivateKey", string((char*)d_seckey, DECAF_EDDSA_448_PRIVATE_BYTES)}, - }; - - return storvector; -} - -void DecafED448DNSCryptoKeyEngine::fromISCMap(DNSKEYRecordContent& drc, std::map& stormap) -{ - /* - Private-key-format: v1.2 - Algorithm: 16 (ED448) - PrivateKey: xZ+5Cgm463xugtkY5B0Jx6erFTXp13rYegst0qRtNsOYnaVpMx0Z/c5EiA9x8wWbDDct/U3FhYWA - */ - - pdns::checked_stoi_into(drc.d_algorithm, stormap["algorithm"]); - string privateKey = stormap["privatekey"]; - - if (privateKey.length() != DECAF_EDDSA_448_PRIVATE_BYTES) - throw runtime_error("Private key size mismatch in ISCMap, DecafED448 class"); - - typename EdDSA::PrivateKey priv(Block((const unsigned char*)privateKey.c_str(), DECAF_EDDSA_448_PRIVATE_BYTES)); - typename EdDSA::PublicKey pub(priv); - - priv.serialize_into(d_seckey); - pub.serialize_into(d_pubkey); -} - -std::string DecafED448DNSCryptoKeyEngine::getPublicKeyString() const -{ - return string((char*)d_pubkey, DECAF_EDDSA_448_PUBLIC_BYTES); -} - -void DecafED448DNSCryptoKeyEngine::fromPublicKeyString(const std::string& input) -{ - if (input.length() != DECAF_EDDSA_448_PUBLIC_BYTES) - throw runtime_error("Public key size mismatch, DecafED448 class"); - - memcpy(d_pubkey, input.c_str(), DECAF_EDDSA_448_PUBLIC_BYTES); -} - -std::string DecafED448DNSCryptoKeyEngine::sign(const std::string& msg) const -{ - typename EdDSA::PrivateKey priv(Block(d_seckey, DECAF_EDDSA_448_PRIVATE_BYTES)); - - SecureBuffer message(msg.begin(), msg.end()); - - SecureBuffer sig = priv.sign(message); - - return string(sig.begin(), sig.end()); -} - -bool DecafED448DNSCryptoKeyEngine::verify(const std::string& msg, const std::string& signature) const -{ - if (signature.length() != 
DECAF_EDDSA_448_SIGNATURE_BYTES)
- return false;
-
- typename EdDSA::PublicKey pub(Block(d_pubkey, DECAF_EDDSA_448_PUBLIC_BYTES));
-
- SecureBuffer sig(signature.begin(), signature.end());
- SecureBuffer message(msg.begin(), msg.end());
-
- try {
- pub.verify(sig, message);
- }
- catch (const CryptoException& e) {
- return false;
- }
-
- return true;
-}
-
-namespace
-{
-const struct LoaderDecafStruct
-{
- LoaderDecafStruct()
- {
- DNSCryptoKeyEngine::report(DNSSECKeeper::ED25519, &DecafED25519DNSCryptoKeyEngine::maker, true);
- DNSCryptoKeyEngine::report(DNSSECKeeper::ED448, &DecafED448DNSCryptoKeyEngine::maker);
- }
-} loaderdecaf;
-}
diff --git a/pdns/pdnsutil.cc b/pdns/pdnsutil.cc
index 90d309d4166f..ed19662297cd 100644
--- a/pdns/pdnsutil.cc
+++ b/pdns/pdnsutil.cc
@@ -2562,10 +2562,10 @@ try
 cout << "list-autoprimaries List all autoprimaries" << endl;
 cout << "add-zone-key ZONE {zsk|ksk} [BITS] [active|inactive] [published|unpublished]" << endl;
 cout << " [rsasha1|rsasha1-nsec3-sha1|rsasha256|rsasha512|ecdsa256|ecdsa384";
-#if defined(HAVE_LIBSODIUM) || defined(HAVE_LIBDECAF) || defined(HAVE_LIBCRYPTO_ED25519)
+#if defined(HAVE_LIBSODIUM) || defined(HAVE_LIBCRYPTO_ED25519)
 cout << "|ed25519";
 #endif
-#if defined(HAVE_LIBDECAF) || defined(HAVE_LIBCRYPTO_ED448)
+#if defined(HAVE_LIBCRYPTO_ED448)
 cout << "|ed448";
 #endif
 cout << "]" << endl;
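Review bot: The algorithm list and its two `#if` guards in the usage text of this hunk are repeated verbatim in the `add-zone-key` syntax message in the second pdnsutil.cc hunk (around line 3025), which is why the commit has to edit the same feature guards twice; building the list in one helper would keep the `HAVE_*` macros in a single place and stop the two messages from drifting apart. The enclosing `try` block starts and ends outside the hunk. With a helper like the one below, both sites reduce to `cout << " [" << supportedKeyAlgorithms() << "]" << endl;` (and the `cerr` equivalent in the syntax message).
```cpp
// file-scope helper, placed before the function that prints the usage text (name is a suggestion)
static std::string supportedKeyAlgorithms()
{
  std::string algorithms = "rsasha1|rsasha1-nsec3-sha1|rsasha256|rsasha512|ecdsa256|ecdsa384";
#if defined(HAVE_LIBSODIUM) || defined(HAVE_LIBCRYPTO_ED25519)
  algorithms += "|ed25519";
#endif
#if defined(HAVE_LIBCRYPTO_ED448)
  algorithms += "|ed448";
#endif
  return algorithms;
}
// … unchanged: preceding usage lines …
cout << " [" << supportedKeyAlgorithms() << "]" << endl;
```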
@@ -3025,10 +3025,10 @@ try else if (cmds.at(0) == "add-zone-key") { if(cmds.size() < 3 ) { cerr << "Syntax: pdnsutil add-zone-key ZONE [zsk|ksk] [BITS] [active|inactive] [rsasha1|rsasha1-nsec3-sha1|rsasha256|rsasha512|ecdsa256|ecdsa384"; -#if defined(HAVE_LIBSODIUM) || defined(HAVE_LIBDECAF) || defined(HAVE_LIBCRYPTO_ED25519) +#if defined(HAVE_LIBSODIUM) || defined(HAVE_LIBCRYPTO_ED25519) cerr << "|ed25519"; #endif -#if defined(HAVE_LIBDECAF) || defined(HAVE_LIBCRYPTO_ED448) +#if defined(HAVE_LIBCRYPTO_ED448) cerr << "|ed448"; #endif cerr << "]"<`_ is a library that allows :program:`Recursor` to support ed25519 and Ed448 (DNSSEC algorithms 15 and 16). -To detect libdecaf, use the ``--with-libdecaf`` configure option. - -.. versionchanged:: 4.2.0 - This option was previously ``--enable-libdecaf`` - Protobuf to emit DNS logs ^^^^^^^^^^^^^^^^^^^^^^^^^ diff --git a/pdns/recursordist/m4/pdns_with_libdecaf.m4 b/pdns/recursordist/m4/pdns_with_libdecaf.m4 deleted file mode 120000 index e932fd10cc8a..000000000000 --- a/pdns/recursordist/m4/pdns_with_libdecaf.m4 +++ /dev/null @@ -1 +0,0 @@ -../../../m4/pdns_with_libdecaf.m4 \ No newline at end of file diff --git a/pdns/recursordist/meson.build b/pdns/recursordist/meson.build index ed573dedd760..2cb4799708e4 100644 --- a/pdns/recursordist/meson.build +++ b/pdns/recursordist/meson.build @@ -45,7 +45,6 @@ subdir('meson' / 'net-libs') # Network Libraries subdir('meson' / 'tm-gmtoff') # Check for tm_gmtoff field in struct tm subdir('meson' / 'mmap') # Check for mmap subdir('meson' / 'libsodium') # Libsodium-based signers -subdir('meson' / 'libdecaf') # Libdecaf-based signers subdir('meson' / 'libcrypto') # OpenSSL-based signers subdir('meson' / 'libssl') # OpenSSL libssl subdir('meson' / 'libsnmp') # SNMP 
@@ -326,17 +325,6 @@ if dep_libsodium.found() ) endif -librec_signers_decaf = dependency('', required: false) -if dep_libdecaf.found() - librec_signers_decaf = declare_dependency( - link_whole: static_library( - 'rec-signers-decaf', - sources: files(src_dir / 'decafsigners.cc'), - dependencies: [dep_boost, dep_libdecaf], - ) - ) -endif - librec_signers_openssl = declare_dependency( link_whole: static_library( 'rec-signers-openssl', @@ -433,7 +421,6 @@ tools = { dep_rust_settings, dep_systemd, librec_signers_openssl, - librec_signers_decaf, librec_signers_sodium, dep_pubsuffix, ], @@ -519,7 +506,6 @@ if get_option('unit-tests') dep_settings, dep_rust_settings, librec_signers_openssl, - librec_signers_decaf, librec_signers_sodium, ], ) diff --git a/pdns/recursordist/meson_options.txt b/pdns/recursordist/meson_options.txt index 52ba9f3acd0a..64612d31c437 100644 --- a/pdns/recursordist/meson_options.txt +++ b/pdns/recursordist/meson_options.txt @@ -5,7 +5,6 @@ option('hardening-experimental-scp', type: 'feature', value: 'disabled', descrip option('hardening-fortify-source', type: 'combo', choices: ['auto', 'disabled', '1', '2', '3'], value: '2', description: 'Source fortification level') #option('rng-kiss', type: 'boolean', value: false, description: 'Use the unsafe KISS RNG') option('signers-libsodium', type: 'feature', value: 'auto', description: 'Enable libsodium-based signers') -option('signers-libdecaf', type: 'feature', value: 'auto', description: 'Enable libdecaf-based signers') option('signers-libcrypto', type: 'feature', value: 'auto', description: 'Enable OpenSSL libcrypto-based signers)') option('signers-libcrypto-path', type: 'string', value: '', description: 'Custom path to find OpenSSL libcrypto') option('tls-libssl', type: 'feature', value: 'auto', description: 'OpenSSL-based TLS') diff --git a/pdns/test-signers.cc b/pdns/test-signers.cc index 5743f831dfed..22cb402df556 100644 --- a/pdns/test-signers.cc +++ b/pdns/test-signers.cc 
@@ -318,7 +318,7 @@ struct Fixture
 addSignerParams(DNSSECKeeper::ED25519, "ED25519", ed25519);
 #endif
-#if defined(HAVE_LIBDECAF) || defined(HAVE_LIBCRYPTO_ED448)
+#if defined(HAVE_LIBCRYPTO_ED448)
 addSignerParams(DNSSECKeeper::ED448, "ED448", ed448);
 #endif
 }
diff --git a/pdns/version.cc b/pdns/version.cc
index 9e7b8bc6d1e0..fc40756a44c7 100644
--- a/pdns/version.cc
+++ b/pdns/version.cc
@@ -107,9 +107,6 @@ string getBuildConfiguration()
 {
 ostringstream ret;
 ret << "Features:"
-#ifdef HAVE_LIBDECAF
- << " decaf"
-#endif
 #ifdef HAVE_LIBCRYPTO_ECDSA
 << " libcrypto-ecdsa"
 #endif
diff --git a/tasks.py b/tasks.py
index 5a0d53101fb2..50c4e27ffbb5 100644
--- a/tasks.py
+++ b/tasks.py
@@ -175,22 +175,6 @@ def ci_install_rust(c, repo):
 with c.cd(f'{repo}/builder-support/helpers/'):
 c.run('sudo sh install_rust.sh')
-def install_libdecaf(c, product):
- c.run('rm -rf /tmp/libdecaf && git clone https://git.code.sf.net/p/ed448goldilocks/code /tmp/libdecaf')
- with c.cd('/tmp/libdecaf'):
- c.run('git checkout 41f349')
- c.run(f'CC={get_c_compiler()} CXX={get_cxx_compiler()} ' 'cmake -B build ' '-DCMAKE_INSTALL_PREFIX=/usr/local ' '-DCMAKE_INSTALL_LIBDIR=lib ' '-DENABLE_STATIC=OFF ' '-DENABLE_TESTS=OFF ' '-DCMAKE_C_FLAGS="-Wno-sizeof-array-div -Wno-array-parameter" .')
- c.run('make -C build')
- c.run('sudo make -C build install')
- c.sudo(f'mkdir -p /opt/{product}/libdecaf')
- c.sudo(f'cp /usr/local/lib/libdecaf.so* /opt/{product}/libdecaf/.')
-
 @task
 def install_doc_deps(c):
 c.sudo('apt-get install -y ' + ' '.join(doc_deps))
@@ -207,8 +191,6 @@ def install_meson(c):
 def install_auth_build_deps(c):
 c.sudo('apt-get install -y --no-install-recommends ' + ' '.join(all_build_deps + git_build_deps + auth_build_deps))
 install_meson(c)
- if os.getenv('DECAF_SUPPORT', 'no') == 'yes':
- install_libdecaf(c, 'pdns-auth')
 def is_coverage_enabled():
 sanitizers = os.getenv('SANITIZERS')
@@ -280,11 +262,6 @@ def install_auth_test_deps(c, backend): # FIXME: rename this, we do way more tha
 # FIXME we may want to start a background recursor here to make ALIAS tests more robust
 setup_authbind(c)
- if os.getenv('DECAF_SUPPORT', 'no') == 'yes':
- # Copy libdecaf out
- c.sudo('mkdir -p /usr/local/lib')
- c.sudo('cp /opt/pdns-auth/libdecaf/libdecaf.so* /usr/local/lib/.')
-
 @task
 def install_rec_bulk_deps(c): # FIXME: rename this, we do way more than apt-get
 c.sudo('apt-get --no-install-recommends -y install ' + ' '.join(rec_bulk_deps))
@@ -513,7 +490,6 @@ def ci_auth_configure_autotools(c):
 "--enable-remotebackend-zeromq",
 "--enable-verbose-logging",
 "--with-lmdb=/usr",
- "--with-libdecaf" if os.getenv('DECAF_SUPPORT', 'no') == 'yes' else '',
 "--prefix=/opt/pdns-auth",
 "--enable-ixfrdist",
 unittests,
@@ -547,7 +523,6 @@ def ci_auth_configure_meson(c, build_dir):
 "-D dns-over-tls=true",
 "-D experimental-pkcs11=enabled",
 "-D experimental-gss-tsig=enabled",
- "-D signers-libdecaf=enabled" if os.getenv('DECAF_SUPPORT', 'no') == 'yes' else '',
 "-D prefix=/opt/pdns-auth",
 "-D tools-ixfrdist=true",
 unittests,
@@ -599,7 +574,6 @@ def ci_rec_configure(c, features):
 "--with-lua=luajit",
 "--without-libcap",
 "--without-libcurl",
- "--without-libdecaf",
 "--without-libsodium",
 "--without-net-snmp",
 unittests,