Commit 78608b0a authored by Francis Dupont's avatar Francis Dupont

Added Ed25519 support (#44696)

parent d95b19f8
4665. [func] Add Ed25519 support (RFC 8080). [RT #25519]
4663. [cleanup] Clarify error message printed by dnssec-dsfromkey.
[RT #21731]
......
......@@ -52,7 +52,8 @@ int verbose;
static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 |"
" NSEC3DSA | NSEC3RSASHA1 |"
" RSASHA256 | RSASHA512 | ECCGOST |"
" ECDSAP256SHA256 | ECDSAP384SHA384";
" ECDSAP256SHA256 | ECDSAP384SHA384 |"
" ED25519 | ED448";
ISC_PLATFORM_NORETURN_PRE static void
usage(void) ISC_PLATFORM_NORETURN_POST;
......@@ -437,7 +438,8 @@ main(int argc, char **argv) {
alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 &&
alg != DST_ALG_RSASHA256 && alg != DST_ALG_RSASHA512 &&
alg != DST_ALG_ECCGOST &&
alg != DST_ALG_ECDSA256 && alg != DST_ALG_ECDSA384) {
alg != DST_ALG_ECDSA256 && alg != DST_ALG_ECDSA384 &&
alg != DST_ALG_ED25519 && alg != DST_ALG_ED448) {
fatal("%s is incompatible with NSEC3; "
"do not use the -3 option", algname);
}
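Review bot: The NSEC3-compatibility test in main is a long `alg != …` chain that this commit has to extend identically in a second main (the `@@ -602,7 +605,8 @@` hunk further down), so the two lists can drift the next time an algorithm is added. If they drift, one tool would accept `-3` for an algorithm that the other rejects. Until the check is factored into one shared predicate, I would add a comment above the condition, e.g. `/* NSEC3-capable algorithms; keep in sync with the identical check in the key generator */`. The body of main starts and ends outside this hunk.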
......
......@@ -102,7 +102,7 @@
Selects the cryptographic algorithm. The value of
<option>algorithm</option> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256 or ECDSAP384SHA384.
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
These values are case insensitive.
</para>
<para>
......
......@@ -82,7 +82,8 @@ usage(void) {
" | NSEC3DSA |\n");
fprintf(stderr, " RSASHA256 | RSASHA512 | ECCGOST |\n");
fprintf(stderr, " ECDSAP256SHA256 | ECDSAP384SHA384 |\n");
fprintf(stderr, " DH | HMAC-MD5 | HMAC-SHA1 | HMAC-SHA224 | "
fprintf(stderr, " ED25519 | ED448 | DH |\n");
fprintf(stderr, " HMAC-MD5 | HMAC-SHA1 | HMAC-SHA224 | "
"HMAC-SHA256 | \n");
fprintf(stderr, " HMAC-SHA384 | HMAC-SHA512\n");
fprintf(stderr, " (default: RSASHA1, or "
......@@ -101,6 +102,8 @@ usage(void) {
fprintf(stderr, " ECCGOST:\tignored\n");
fprintf(stderr, " ECDSAP256SHA256:\tignored\n");
fprintf(stderr, " ECDSAP384SHA384:\tignored\n");
fprintf(stderr, " ED25519:\tignored\n");
fprintf(stderr, " ED448:\tignored\n");
fprintf(stderr, " HMAC-MD5:\t[1..512]\n");
fprintf(stderr, " HMAC-SHA1:\t[1..160]\n");
fprintf(stderr, " HMAC-SHA224:\t[1..224]\n");
......@@ -602,7 +605,8 @@ main(int argc, char **argv) {
alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 &&
alg != DST_ALG_RSASHA256 && alg!= DST_ALG_RSASHA512 &&
alg != DST_ALG_ECCGOST &&
alg != DST_ALG_ECDSA256 && alg != DST_ALG_ECDSA384) {
alg != DST_ALG_ECDSA256 && alg != DST_ALG_ECDSA384 &&
alg != DST_ALG_ED25519 && alg != DST_ALG_ED448) {
fatal("%s is incompatible with NSEC3; "
"do not use the -3 option", algname);
}
......@@ -636,7 +640,9 @@ main(int argc, char **argv) {
" to %d\n", size);
} else if (alg != DST_ALG_ECCGOST &&
alg != DST_ALG_ECDSA256 &&
alg != DST_ALG_ECDSA384)
alg != DST_ALG_ECDSA384 &&
alg != DST_ALG_ED25519 &&
alg != DST_ALG_ED448)
fatal("key size not specified (-b option)");
}
......@@ -773,6 +779,12 @@ main(int argc, char **argv) {
case DST_ALG_ECDSA384:
size = 384;
break;
case DST_ALG_ED25519:
size = 256;
break;
case DST_ALG_ED448:
size = 456;
break;
case DST_ALG_HMACMD5:
options |= DST_TYPE_KEY;
if (size < 1 || size > 512)
......@@ -906,6 +918,8 @@ main(int argc, char **argv) {
case DST_ALG_ECCGOST:
case DST_ALG_ECDSA256:
case DST_ALG_ECDSA384:
case DST_ALG_ED25519:
case DST_ALG_ED448:
show_progress = ISC_TRUE;
/* fall through */
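Review bot: `size = 456;` under `case DST_ALG_ED448:` reads like a typo for 448 to anyone who has not checked the key encoding, and nothing in the switch explains it. A one-line comment would settle it, e.g. `/* Ed448 public keys are 57 octets = 456 bits (RFC 8032) */`, with a matching `/* Ed25519 public keys are 32 octets */` next to `size = 256;`. The usage text lists both algorithms as `ignored` for `-b`, so it is also worth saying in the comment that any user-supplied size is overwritten here. The switch and the rest of main lie outside the hunk.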
......
......@@ -113,7 +113,7 @@
Selects the cryptographic algorithm. For DNSSEC keys, the value
of <option>algorithm</option> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256 or ECDSAP384SHA384.
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
For TSIG/TKEY, the value must
be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
......@@ -185,8 +185,8 @@
If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by
default. Note that RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256 and ECDSAP384SHA384 algorithms
are NSEC3-capable.
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448
algorithms are NSEC3-capable.
</para>
</listitem>
</varlistentry>
......
......@@ -73,6 +73,7 @@
#define WANT_DH_PRIMES
#define WANT_ECC_CURVES
#include <pk11/constants.h>
#include <pkcs11/eddsa.h>
#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
#define getpassphrase(x) getpass(x)
......@@ -82,13 +83,14 @@
static CK_BBOOL truevalue = TRUE;
static CK_BBOOL falsevalue = FALSE;
/* Key class: RSA, ECC, DSA, DH, or unknown */
/* Key class: RSA, ECC, ECX, DSA, DH, or unknown */
typedef enum {
key_unknown,
key_rsa,
key_dsa,
key_dh,
key_ecc
key_ecc,
key_ecx
} key_class_t;
/*
......@@ -136,7 +138,7 @@ static CK_ATTRIBUTE rsa_template[] = {
};
/*
* Public key template for ECC keys
* Public key template for ECC/ECX keys
*/
#define ECC_LABEL 0
#define ECC_VERIFY 1
......@@ -247,6 +249,9 @@ keyclass_fromtext(const char *name) {
else if (strncasecmp(name, "ecc", 3) == 0 ||
strncasecmp(name, "ecdsa", 5) == 0)
return (key_ecc);
else if (strncasecmp(name, "ecx", 3) == 0 ||
strncasecmp(name, "ed", 2) == 0)
return (key_ecx);
else
return (key_unknown);
}
......@@ -425,6 +430,39 @@ main(int argc, char *argv[]) {
sizeof(pk11_ecc_secp384r1);
}
break;
case key_ecx:
#ifndef CKM_EDDSA_KEY_PAIR_GEN
fprintf(stderr, "CKM_EDDSA_KEY_PAIR_GEN is not defined\n");
usage();
#endif
op_type = OP_EC;
if (bits == 0)
bits = 256;
else if (bits != 256 && bits != 456) {
fprintf(stderr, "ECX keys only support bit sizes of "
"256 and 456\n");
exit(2);
}
mech.mechanism = CKM_EDDSA_KEY_PAIR_GEN;
mech.pParameter = NULL;
mech.ulParameterLen = 0;
public_template = ecc_template;
public_attrcnt = ECC_ATTRS;
id_offset = ECC_ID;
if (bits == 256) {
public_template[4].pValue = pk11_ecc_ed25519;
public_template[4].ulValueLen =
sizeof(pk11_ecc_ed25519);
} else {
public_template[4].pValue = pk11_ecc_ed448;
public_template[4].ulValueLen =
sizeof(pk11_ecc_ed448);
}
break;
case key_dsa:
op_type = OP_DSA;
......@@ -570,7 +608,7 @@ main(int argc, char *argv[]) {
private_template[5].pValue = &truevalue;
}
if (keyclass == key_rsa || keyclass == key_ecc)
if (keyclass == key_rsa || keyclass == key_ecc || keyclass == key_ecx)
goto generate_keys;
/*
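Review bot: In the `key_ecx` case, `if (bits == 0) bits = 256;` combined with the new `strncasecmp(name, "ed", 2)` match in keyclass_fromtext means that `-a ED448` without `-b 456` appears to generate an Ed25519 key, because the key class carries no curve information. Unless main derives `bits` from the algorithm name somewhere outside these hunks, the default should follow the name, or the ambiguous request should be refused rather than silently producing a key on a different curve. At minimum the default deserves a comment such as `/* default is Ed25519; ED448 requires an explicit -b 456 */`. Separately, the `#ifndef CKM_EDDSA_KEY_PAIR_GEN` guard covers only the message and the usage() call, while `mech.mechanism = CKM_EDDSA_KEY_PAIR_GEN;` below it is unconditional. A header without the macro would therefore fail to compile instead of reaching the runtime message, so the assignment belongs in an `#else` branch.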
......
......@@ -71,11 +71,11 @@
<listitem>
<para>
Specify the key algorithm class: Supported classes are RSA,
DSA, DH, and ECC. In addition to these strings, the
DSA, DH, ECC and ECX. In addition to these strings, the
<option>algorithm</option> can be specified as a DNSSEC
signing algorithm that will be used with this key; for
example, NSEC3RSASHA1 maps to RSA, and ECDSAP256SHA256 maps
to ECC. The default class is "RSA".
example, NSEC3RSASHA1 maps to RSA, ECDSAP256SHA256 maps
to ECC, and ED25519 to ECX. The default class is "RSA".
</para>
</listitem>
</varlistentry>
......@@ -86,7 +86,8 @@
<para>
Create the key pair with <option>keysize</option> bits of
prime. For ECC keys, the only valid values are 256 and 384,
and the default is 256.
and the default is 256. For ECX kyes, the only valid values
are 256 and 456, and the default is 256.
</para>
</listitem>
</varlistentry>
......
......@@ -30,7 +30,7 @@ class dnskey:
_ALGNAMES = (None, 'RSAMD5', 'DH', 'DSA', 'ECC', 'RSASHA1',
'NSEC3DSA', 'NSEC3RSASHA1', 'RSASHA256', None,
'RSASHA512', None, 'ECCGOST', 'ECDSAP256SHA256',
'ECDSAP384SHA384')
'ECDSAP384SHA384', 'ED25519', 'ED448')
def __init__(self, key, directory=None, keyttl=None):
# this makes it possible to use algname as a class or instance method
......
......@@ -68,7 +68,7 @@ class PolicyLex:
return t
def t_ALGNAME(self, t):
r'(?i)\b(RSAMD5|DH|DSA|NSEC3DSA|ECC|RSASHA1|NSEC3RSASHA1|RSASHA256|RSASHA512|ECCGOST|ECDSAP256SHA256|ECDSAP384SHA384)\b'
r'(?i)\b(RSAMD5|DH|DSA|NSEC3DSA|ECC|RSASHA1|NSEC3RSASHA1|RSASHA256|RSASHA512|ECCGOST|ECDSAP256SHA256|ECDSAP384SHA384|ED25519|ED448)\b'
t.value = t.value.upper()
return t
......@@ -138,7 +138,9 @@ class Policy:
'RSASHA512': [512, 4096],
'ECCGOST': None,
'ECDSAP256SHA256': None,
'ECDSAP384SHA384': None}
'ECDSAP384SHA384': None,
'ED25519': None,
'ED448': None}
def __init__(self, name=None, algorithm=None, parent=None):
self.name = name
......@@ -275,7 +277,9 @@ class Policy:
if self.algorithm in ['ECCGOST', \
'ECDSAP256SHA256', \
'ECDSAP384SHA384']:
'ECDSAP384SHA384', \
'ED25519', \
'ED448']:
self.ksk_keysize = None
self.zsk_keysize = None
......@@ -378,6 +382,18 @@ class dnssec_policy:
self.alg_policy['ECDSAP384SHA384'].ksk_keysize = None;
self.alg_policy['ECDSAP384SHA384'].zsk_keysize = None;
self.alg_policy['ED25519'] = copy(p)
self.alg_policy['ED25519'].algorithm = "ED25519"
self.alg_policy['ED25519'].name = "ED25519"
self.alg_policy['ED25519'].ksk_keysize = None;
self.alg_policy['ED25519'].zsk_keysize = None;
self.alg_policy['ED448'] = copy(p)
self.alg_policy['ED448'].algorithm = "ED448"
self.alg_policy['ED448'].name = "ED448"
self.alg_policy['ED448'].ksk_keysize = None;
self.alg_policy['ED448'].zsk_keysize = None;
if filename:
self.load(filename)
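Review bot: The ED25519 and ED448 defaults in dnssec_policy repeat the same five-line copy-and-assign pattern already used for the ECDSA entries, with trailing `;` on the keysize lines, so each new fixed-size algorithm adds another hand-copied block in which one mistyped key would go unnoticed. A small loop over the algorithm names keeps the entries identical by construction. The enclosing method starts above the hunk, so only the added lines are shown.

```python
# … unchanged: RSA and ECDSA default policies above …
for alg in ('ED25519', 'ED448'):
    pol = copy(p)
    pol.algorithm = alg
    pol.name = alg
    # fixed-size keys: no ksk/zsk key size applies
    pol.ksk_keysize = None
    pol.zsk_keysize = None
    self.alg_policy[alg] = pol
```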
......
......@@ -73,7 +73,7 @@ SAMPLEUPDATE=$TOP/lib/samples/sample-update
SUBDIRS="acl additional addzone allow_query autosign builtin
cacheclean case catz chain checkconf @CHECKDS@ checknames checkzone
cookie @COVERAGE@ database digdelv dlv dlvauto dlz dlzexternal
dns64 dnssec @DNSTAP@ dscp dsdigest dyndb ecdsa
dns64 dnssec @DNSTAP@ dscp dsdigest dyndb ecdsa eddsa
ednscompliance emptyzones fetchlimit filter-aaaa formerr
forward geoip glue gost inline integrity ixfr @KEYMGR@
legacy limits logfileconfig lwresd masterfile masterformat
......
......@@ -61,6 +61,7 @@ MDIG=$TOP/Build/$VSCONF/mdig@EXEEXT@
NZD2NZF=$TOP/Build/$VSCONF/named-nzd2nzf@EXEEXT@
FSTRM_CAPTURE=@FSTRM_CAPTURE@
FEATURETEST=$TOP/Build/$VSCONF/feature-test@EXEEXT@
# to port WIRETEST=$TOP/Build/$VSCONF/wire_test@EXEEXT@
# this is given as argument to native WIN32 executables
RANDFILE=`cygpath -w $TOP/bin/tests/system/random.data`
......@@ -72,23 +73,29 @@ KEYDELETE=$TOP/Build/$VSCONF/keydelete@EXEEXT@
LWTEST=$TOP/Build/$VSCONF/lwtest@EXEEXT@
MAKEJOURNAL=$TOP/Build/$VSCONF/makejournal@EXEEXT@
PIPEQUERIES=$TOP/Build/$VSCONF/pipequeries@EXEEXT@
# to port SAMPLEUPDATE=$TOP/lib/samples/sample-update
# The "stress" test is not run by default since it creates enough
# load on the machine to make it unusable to other users.
# v6synth
SUBDIRS="acl additional addzone allow_query autosign builtin cacheclean case
catz checkconf @CHECKDS@ checknames checkzone cookie @COVERAGE@
database digdelv dlv dlvauto dlz dlzexternal dname dns64 dnssec
@DNSTAP@ dscp dsdigest dyndb ecdsa ednscompliance emptyzones
SUBDIRS="acl additional addzone allow_query autosign builtin
cacheclean case catz
checkconf @CHECKDS@ checknames checkzone cookie @COVERAGE@
database digdelv dlv dlvauto dlz dlzexternal
dns64 dnssec @DNSTAP@ dscp dsdigest dyndb ecdsa eddsa
ednscompliance emptyzones
fetchlimit filter-aaaa formerr forward geoip glue gost inline ixfr
@KEYMGR@ legacy limits logfileconfig lwresd masterfile masterformat
metadata mkeys names notify nslookup nsupdate nzd2nzf pending
pipelined @PKCS11_TEST@ reclimit redirect resolver rndc rpz
@PKCS11_TEST@ pipelined reclimit redirect resolver rndc rpz
rpzrecurse rrchecker rrl rrsetorder rsabigexponent runtime sfcache
smartsign sortlist spf staticstub statistics statschannel stub tcp
tkey tsig tsiggss unknown upforwd verify views wildcard xfer
xferquota zero zonechecks"
# missing: chain integrity
# extra: dname ednscompliance forward
#Things that are different on Windows
KILL="/bin/kill -f"
DIFF="diff --strip-trailing-cr"
......
......@@ -42,3 +42,9 @@ zone "ecc.example." {
file "ecc.example.db.signed";
allow-update { any; };
};
zone "ecx.example." {
type master;
file "ecx.example.db.signed";
allow-update { any; };
};
......@@ -10,18 +10,24 @@ SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
echo "I:(Native PKCS#11)" >&2
rsafail=0 eccfail=0
rsafail=0 eccfail=0 ecxfail=0
$SHELL ../testcrypto.sh -q rsa || rsafail=1
$SHELL ../testcrypto.sh -q ecdsa || eccfail=1
$SHELL ../testcrypto.sh -q eddsa || ecxfail=1
if [ $rsafail = 0 -a $eccfail = 0 ]; then
echo both > supported
elif [ $rsafail = 1 -a $eccfail = 1 ]; then
if [ $rsafail = 1 -a $eccfail = 1 ]; then
echo "I:This test requires PKCS#11 support for either RSA or ECDSA cryptography." >&2
exit 255
elif [ $rsafail = 0 ]; then
echo rsaonly > supported
else
echo ecconly > supported
fi
rm -f supported
touch supported
if [ $rsafail = 0 ]; then
echo rsa >> supported
fi
if [ $eccfail = 0 ]; then
echo ecc >> supported
fi
if [ $ecxfail = 0 ]; then
echo ecx >> supported
fi
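Review bot: The prerequisite check `if [ $rsafail = 1 -a $eccfail = 1 ]; then` does not look at the new `ecxfail`, so a provider that supports only EdDSA still exits with 255 even though the script could record `ecx` in `supported`. As far as the rendered hunk shows, the message also still says "either RSA or ECDSA". I would make the condition `if [ $rsafail = 1 -a $eccfail = 1 -a $ecxfail = 1 ]; then` and extend the message to name EdDSA.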
......@@ -14,11 +14,10 @@ infile=ns1/example.db.in
/bin/echo -n ${HSMPIN:-1234}> pin
PWD=`pwd`
supported=`cat supported`
zone=rsa.example
zonefile=ns1/rsa.example.db
if [ "$supported" != "ecconly" ]; then
have_rsa=`grep rsa supported`
if [ "x$have_rsa" != "x" ]; then
$PK11GEN -a RSA -b 1024 -l robie-rsa-zsk1 -i 01
$PK11GEN -a RSA -b 1024 -l robie-rsa-zsk2 -i 02
$PK11GEN -a RSA -b 2048 -l robie-rsa-ksk
......@@ -42,7 +41,8 @@ fi
zone=ecc.example
zonefile=ns1/ecc.example.db
if [ "$supported" != "rsaonly" ]; then
have_ecc=`grep ecc supported`
if [ "x$have_ecc" != "x" ]; then
$PK11GEN -a ECC -b 256 -l robie-ecc-zsk1 -i 03
$PK11GEN -a ECC -b 256 -l robie-ecc-zsk2 -i 04
$PK11GEN -a ECC -b 384 -l robie-ecc-ksk
......@@ -64,4 +64,32 @@ else
cp $infile ${zonefile}.signed
fi
zone=ecx.example
zonefile=ns1/ecx.example.db
have_ecx=`grep ecx supported`
if [ "x$have_ecx" != "x" ]; then
$PK11GEN -a ECX -b 256 -l robie-ecx-zsk1 -i 05
$PK11GEN -a ECX -b 256 -l robie-ecx-zsk2 -i 06
$PK11GEN -a ECX -b 256 -l robie-ecx-ksk
# $PK11GEN -a ECX -b 456 -l robie-ecx-ksk
ecxzsk1=`$KEYFRLAB -a ED25519 \
-l "object=robie-ecx-zsk1;pin-source=$PWD/pin" ecx.example`
ecxzsk2=`$KEYFRLAB -a ED25519 \
-l "object=robie-ecx-zsk2;pin-source=$PWD/pin" ecx.example`
ecxksk=`$KEYFRLAB -a ED25519 -f ksk \
-l "object=robie-ecx-ksk;pin-source=$PWD/pin" ecx.example`
# ecxksk=`$KEYFRLAB -a ED448 -f ksk \
# -l "object=robie-ecx-ksk;pin-source=$PWD/pin" ecx.example`
cat $infile $ecxzsk1.key $ecxksk.key > $zonefile
$SIGNER -a -P -g -r $RANDFILE -o $zone $zonefile \
> /dev/null 2> signer.err || cat signer.err
cp $ecxzsk2.key ns1/ecx.key
mv Kecx* ns1
else
# ECX not available and will not be tested; make a placeholder
cp $infile ${zonefile}.signed
fi
rm -f signer.err
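Review bot: The Ed448 variant of the KSK is left as commented-out code (`# $PK11GEN -a ECX -b 456 …` and the `# ecxksk=… -a ED448 …` pair) with no explanation, so the 456-bit branch of the key generator gets no coverage from this test and a reader cannot tell whether that is intentional. Either drop those lines or replace them with a comment that states the reason, e.g. `# ED448 KSK not exercised: <reason>; enable with -b 456 once supported`. As in the RSA and ECC sections, a `$SIGNER` failure only prints `signer.err` and setup carries on.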
......@@ -16,13 +16,19 @@ DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300"
status=0
ret=0
supported=`cat supported`
case $supported in
rsaonly) algs="rsa" ;;
ecconly) algs="ecc" ;;
both) algs="rsa ecc" ;;
esac
algs=""
have_rsa=`grep rsa supported`
if [ "x$have_rsa" != "x" ]; then
algs="rsa "
fi
have_ecc=`grep ecc supported`
if [ "x$have_ecc" != "x" ]; then
algs=$algs"ecc "
fi
have_ecx=`grep ecc supported`
if [ "x$have_ecx" != "x" ]; then
algs=$algs"ecx "
fi
for alg in $algs; do
zonefile=ns1/$alg.example.db
......@@ -66,6 +72,7 @@ END
case $alg in
rsa) id=02 ;;
ecc) id=04 ;;
ecx) id=06 ;;
esac
$PK11DEL -i $id -w0 > /dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
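Review bot: The assignment to `have_ecx` runs `grep ecc supported`, which looks like a copy-paste slip from the block above; it should be `grep ecx supported`. As written, the `ecx` zone is tested whenever ECDSA is available, even if the EdDSA probe failed and setup only installed the unsigned placeholder zone. It is also skipped when EdDSA is available without ECDSA. The `for alg in $algs` loop body continues outside the hunk.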
......
......@@ -39,6 +39,11 @@ while test "$#" -gt 0; do
msg1="ECDSA cryptography"
msg2="--with-ecdsa"
;;
eddsa|EDDSA)
alg="-a ED25519"
msg1="EDDSA cryptography"
msg2="--with-eddsa"
;;
*)
echo "${prog}: unknown argument"
exit 1
......
......@@ -368,6 +368,12 @@ int sigwait(const unsigned int *set, int *sig);
/* Define if your OpenSSL version supports ECDSA. */
#undef HAVE_OPENSSL_ECDSA
/* Define if your OpenSSL version supports Ed25519. */
#undef HAVE_OPENSSL_ED25519
/* Define if your OpenSSL version supports Ed448. */
#undef HAVE_OPENSSL_ED448
/* Define if your OpenSSL version supports EVP AES */
#undef HAVE_OPENSSL_EVP_AES
......@@ -377,6 +383,12 @@ int sigwait(const unsigned int *set, int *sig);
/* Define if your PKCS11 provider supports ECDSA. */
#undef HAVE_PKCS11_ECDSA
/* Define if your PKCS11 provider supports Ed25519. */
#undef HAVE_PKCS11_ED25519
/* Define if your PKCS11 provider supports Ed448. */
#undef HAVE_PKCS11_ED448
/* Define if your PKCS11 provider supports GOST. */
#undef HAVE_PKCS11_GOST
......
......@@ -328,12 +328,24 @@ typedef __int64 off_t;
/* Define if OpenSSL includes ECDSA support */
@HAVE_OPENSSL_ECDSA@
/* Define if OpenSSL includes Ed25519 support */
@HAVE_OPENSSL_ED25519@
/* Define if OpenSSL includes Ed448 support */
@HAVE_OPENSSL_ED448@
/* Define if your OpenSSL version supports GOST. */
@HAVE_OPENSSL_GOST@
/* Define if your PKCS11 provider supports ECDSA. */
@HAVE_PKCS11_ECDSA@
/* Define if your PKCS11 provider supports Ed25519. */
@HAVE_PKCS11_ED25519@
/* Define if your PKCS11 provider supports Ed448. */
@HAVE_PKCS11_ED448@
/* Define if your PKCS11 provider supports GOST. */
@HAVE_PKCS11_GOST@
......
......@@ -821,6 +821,7 @@ NZDTARGETS
NZDSRCS
NZD_TOOLS
PKCS11_TEST
PKCS11_ED25519
PKCS11_GOST
PKCS11_ECDSA
CRYPTO
......@@ -843,11 +844,14 @@ ISC_OPENSSL_INC
ISC_PLATFORM_OPENSSLHASH
ISC_PLATFORM_WANTAES
OPENSSL_GOST
OPENSSL_ED25519
OPENSSL_ECDSA
OPENSSLLINKSRCS
OPENSSLLINKOBJS
OPENSSLGOSTLINKSRCS
OPENSSLGOSTLINKOBJS
OPENSSLEDDSALINKSRCS
OPENSSLEDDSALINKOBJS
DST_OPENSSL_INC
INSTALL_LIBRARY
ISC_THREAD_DIR
......@@ -1016,6 +1020,7 @@ with_openssl
with_pkcs11
with_ecdsa
with_gost
with_eddsa
with_aes
enable_openssl_hash
with_cc_alg
......@@ -1748,6 +1753,7 @@ Optional Packages:
(PATH is for the PKCS11 provider)
--with-ecdsa Crypto ECDSA
--with-gost Crypto GOST yes|no|raw|asn1.
--with-eddsa Crypto EDDSA yes|all|no.
--with-aes Crypto AES
--with-cc-alg=ALG choose the algorithm for Client Cookie [aes|sha1|sha256]
--with-lmdb=PATH build with LMDB library yes|no|path
......@@ -15792,7 +15798,7 @@ fi
 
 
#
# were --with-ecdsa, --with-gost, --with-aes specified
# were --with-ecdsa, --with-gost, --with-eddsa, --with-aes specified
#
 
# Check whether --with-ecdsa was given.
......@@ -15811,6 +15817,14 @@ else
fi
 
 
# Check whether --with-eddsa was given.
if test "${with_eddsa+set}" = set; then :
withval=$with_eddsa; with_eddsa="$withval"
else
with_eddsa="auto"
fi
# Check whether --with-aes was given.
if test "${with_aes+set}" = set; then :
withval=$with_aes; with_aes="$withval"
......@@ -15892,6 +15906,7 @@ then
fi
OPENSSL_ECDSA=""
OPENSSL_GOST=""
OPENSSL_ED25519=""
gosttype="raw"
case "$with_gost" in
raw)
......@@ -15917,6 +15932,8 @@ case "$use_openssl" in
$as_echo "disabled because of native PKCS11" >&6; }
DST_OPENSSL_INC=""
CRYPTO="-DPKCS11CRYPTO"
OPENSSLEDDSALINKOBJS=""
OPENSSLEDDSALINKSRS=""
OPENSSLGOSTLINKOBJS=""
OPENSSLGOSTLINKSRS=""
OPENSSLLINKOBJS=""
......@@ -15927,6 +15944,8 @@ $as_echo "disabled because of native PKCS11" >&6; }
$as_echo "no" >&6; }
DST_OPENSSL_INC=""
CRYPTO=""
OPENSSLEDDSALINKOBJS=""
OPENSSLEDDSALINKSRS=""
OPENSSLGOSTLINKOBJS=""
OPENSSLGOSTLINKSRS=""
OPENSSLLINKOBJS=""
......@@ -15935,6 +15954,8 @@ $as_echo "no" >&6; }
auto)
DST_OPENSSL_INC=""
CRYPTO=""
OPENSSLEDDSALINKOBJS=""
OPENSSLEDDSALINKSRS=""