From 67b3f17c1f75bb3507f42306b7bbea8a56544756 Mon Sep 17 00:00:00 2001 From: Daniel Salzman Date: Fri, 5 Dec 2025 09:28:09 +0100 Subject: [PATCH] libknot: ED488 is mandatory since GnuTLS 3.6.12 --- configure.ac | 7 ------- doc/reference.rst | 3 --- src/knot/conf/schema.c | 2 -- src/libknot/dnssec/key/algorithm.c | 2 -- src/libknot/dnssec/key/convert.c | 8 -------- src/libknot/dnssec/sign/sign.c | 2 -- src/utils/keymgr/bind_privkey.c | 4 ---- tests/libknot/test_dnssec_key.c | 2 -- tests/libknot/test_dnssec_key_algorithm.c | 5 +---- tests/libknot/test_dnssec_key_ds.c | 4 ---- tests/libknot/test_dnssec_sign.c | 4 ---- 11 files changed, 1 insertion(+), 42 deletions(-) diff --git a/configure.ac b/configure.ac index d97950e90..41e935491 100644 --- a/configure.ac +++ b/configure.ac @@ -155,12 +155,6 @@ PKG_CHECK_MODULES([gnutls], [gnutls >= 3.6.12], [ [AC_DEFINE([HAVE_GNUTLS_PKCS11], [1], [gnutls_pkcs11_copy_pubkey available]) gnutls_pkcs11=yes], [gnutls_pkcs11=no]) - AC_CHECK_DECL([GNUTLS_SIGN_EDDSA_ED448], - [AC_DEFINE([HAVE_ED448], [1], [GnuTLS ED448 support available]) - enable_ed448=yes], - [enable_ed448=no], - [#include ]) - AC_CHECK_FUNC([gnutls_early_cipher_get], [AC_DEFINE([HAVE_GNUTLS_QUIC], [1], [gnutls_early_cipher_get available]) gnutls_quic=yes], [gnutls_quic=no]) @@ -840,7 +834,6 @@ result_msg_base=" D-Bus support: ${enable_dbus} POSIX capabilities: ${enable_cap_ng} PKCS #11 support: ${enable_pkcs11} - Ed448 support: ${enable_ed448} Code coverage: ${enable_code_coverage} Sanitizer: ${with_sanitizer} diff --git a/doc/reference.rst b/doc/reference.rst index 317c0474b..b34a2fc2c 100644 --- a/doc/reference.rst +++ b/doc/reference.rst @@ -2197,9 +2197,6 @@ Possible values: - ``ed25519`` - ``ed448`` -.. NOTE:: - Ed448 algorithm is only available if compiled with GnuTLS 3.6.12+ and Nettle 3.6+. - *Default:* ``ecdsap256sha256`` .. _policy_ksk-size: diff --git a/src/knot/conf/schema.c b/src/knot/conf/schema.c index a0d52cfb1..d8d69b8ee 100644 
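Review bot: Nothing in the first configure.ac hunk replaces the removed `AC_CHECK_DECL([GNUTLS_SIGN_EDDSA_ED448], …)` probe, so Ed448 availability now rests only on the `gnutls >= 3.6.12` floor visible in the hunk header, and that reason is not recorded next to it. The doc note removed in the same patch also named Nettle 3.6+, and no Nettle version check appears in the visible lines. If a GnuTLS build can still lack Ed448 at run time (an older Nettle or a restricted crypto policy; not verifiable from this patch), `ed448` is now always accepted by the schema.c table and the failure moves from configure time to key generation or signing. I would add a comment above `PKG_CHECK_MODULES`, e.g. `# gnutls >= 3.6.12 guarantees GNUTLS_SIGN_EDDSA_ED448; no separate Ed448 probe is needed`, and confirm the Nettle point before merging. The subject line spells the algorithm `ED488`, while the code uses ED448.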
--- a/src/knot/conf/schema.c +++ b/src/knot/conf/schema.c @@ -54,9 +54,7 @@ static const knot_lookup_t dnssec_key_algs[] = { { DNSSEC_KEY_ALGORITHM_ECDSA_P256_SHA256, "ecdsap256sha256" }, { DNSSEC_KEY_ALGORITHM_ECDSA_P384_SHA384, "ecdsap384sha384" }, { DNSSEC_KEY_ALGORITHM_ED25519, "ed25519" }, -#ifdef HAVE_ED448 { DNSSEC_KEY_ALGORITHM_ED448, "ed448" }, -#endif { 0, NULL } }; diff --git a/src/libknot/dnssec/key/algorithm.c b/src/libknot/dnssec/key/algorithm.c index 78b7d3628..8a352d21b 100644 --- a/src/libknot/dnssec/key/algorithm.c +++ b/src/libknot/dnssec/key/algorithm.c @@ -85,10 +85,8 @@ gnutls_pk_algorithm_t algorithm_to_gnutls(dnssec_key_algorithm_t dnssec) return GNUTLS_PK_ECDSA; case DNSSEC_KEY_ALGORITHM_ED25519: return GNUTLS_PK_EDDSA_ED25519; -#ifdef HAVE_ED448 case DNSSEC_KEY_ALGORITHM_ED448: return GNUTLS_PK_EDDSA_ED448; -#endif default: return GNUTLS_PK_UNKNOWN; } diff --git a/src/libknot/dnssec/key/convert.c b/src/libknot/dnssec/key/convert.c index f541bad7a..278e40581 100644 --- a/src/libknot/dnssec/key/convert.c +++ b/src/libknot/dnssec/key/convert.c @@ -97,9 +97,7 @@ static size_t eddsa_curve_point_size(gnutls_ecc_curve_t curve) { switch (curve) { case GNUTLS_ECC_CURVE_ED25519: return 32; -#ifdef HAVE_ED448 case GNUTLS_ECC_CURVE_ED448: return 57; -#endif default: return 0; } } @@ -235,9 +233,7 @@ static gnutls_ecc_curve_t eddsa_curve_from_rdata_size(size_t rdata_size) { switch (rdata_size) { case 32: return GNUTLS_ECC_CURVE_ED25519; -#ifdef HAVE_ED448 case 57: return GNUTLS_ECC_CURVE_ED448; -#endif default: return GNUTLS_ECC_CURVE_INVALID; } } 
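Review bot: With `case 57: return GNUTLS_ECC_CURVE_ED448;` now unconditional in `eddsa_curve_from_rdata_size` (convert.c, hunk at -235), the curve of an imported EdDSA key is chosen from the rdata length alone. The later `convert_dnskey_to_pubkey` hunk shows both `GNUTLS_PK_EDDSA_ED25519` and `GNUTLS_PK_EDDSA_ED448` calling `eddsa_rdata_to_pubkey(rdata, key)` without passing the algorithm. Presumably that helper uses this size lookup, in which case a DNSKEY whose algorithm field says Ed25519 but carries 57 bytes of key material would be decoded as an Ed448 key, and the reverse for 32 bytes. Whether a later step rejects the mismatch is outside the hunks, as are the bodies of these functions. I would either compare `rdata->size` with the size expected for `algorithm` before dispatching, or state the assumption in a comment such as `/* Curve is inferred from rdata length; the caller must verify it matches the DNSKEY algorithm. */`.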
@@ -318,9 +314,7 @@ int convert_pubkey_to_dnskey(gnutls_pubkey_t key, dnssec_binary_t *rdata) case GNUTLS_PK_RSA: return rsa_pubkey_to_rdata(key, rdata); case GNUTLS_PK_ECDSA: return ecdsa_pubkey_to_rdata(key, rdata); case GNUTLS_PK_EDDSA_ED25519: return eddsa_pubkey_to_rdata(key, rdata); -#ifdef HAVE_ED448 case GNUTLS_PK_EDDSA_ED448: return eddsa_pubkey_to_rdata(key, rdata); -#endif default: return KNOT_INVALID_KEY_ALGORITHM; } } @@ -340,9 +334,7 @@ int convert_dnskey_to_pubkey(uint8_t algorithm, const dnssec_binary_t *rdata, case GNUTLS_PK_RSA: return rsa_rdata_to_pubkey(rdata, key); case GNUTLS_PK_ECDSA: return ecdsa_rdata_to_pubkey(rdata, key); case GNUTLS_PK_EDDSA_ED25519: return eddsa_rdata_to_pubkey(rdata, key); -#ifdef HAVE_ED448 case GNUTLS_PK_EDDSA_ED448: return eddsa_rdata_to_pubkey(rdata, key); -#endif default: return KNOT_INVALID_KEY_ALGORITHM; } } diff --git a/src/libknot/dnssec/sign/sign.c b/src/libknot/dnssec/sign/sign.c index 241b31d0d..3a8497d0a 100644 --- a/src/libknot/dnssec/sign/sign.c +++ b/src/libknot/dnssec/sign/sign.c @@ -207,10 +207,8 @@ static gnutls_sign_algorithm_t algo_dnssec2gnutls(dnssec_key_algorithm_t algorit return GNUTLS_SIGN_ECDSA_SHA384; case DNSSEC_KEY_ALGORITHM_ED25519: return GNUTLS_SIGN_EDDSA_ED25519; -#ifdef HAVE_ED448 case DNSSEC_KEY_ALGORITHM_ED448: return GNUTLS_SIGN_EDDSA_ED448; -#endif default: return GNUTLS_SIGN_UNKNOWN; } diff --git a/src/utils/keymgr/bind_privkey.c b/src/utils/keymgr/bind_privkey.c index b8ca43184..61131632d 100644 --- a/src/utils/keymgr/bind_privkey.c +++ b/src/utils/keymgr/bind_privkey.c @@ -270,9 +270,7 @@ static gnutls_ecc_curve_t choose_ecdsa_curve(size_t pubkey_size) { switch (pubkey_size) { case 32: return GNUTLS_ECC_CURVE_ED25519; -#ifdef HAVE_ED448 case 57: return GNUTLS_ECC_CURVE_ED448; -#endif case 64: return GNUTLS_ECC_CURVE_SECP256R1; case 96: return GNUTLS_ECC_CURVE_SECP384R1; default: return GNUTLS_ECC_CURVE_INVALID; 
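Review bot: `choose_ecdsa_curve` in the bind_privkey.c hunk returns EdDSA curves as well (Ed25519, and Ed448 unconditionally after this change), so its name no longer describes it and the bare sizes 32/57/64/96 carry the whole mapping without explanation. I would add a comment above the switch, e.g. `/* Public key length in bytes -> curve: 32 Ed25519, 57 Ed448, 64 P-256, 96 P-384. */`, and consider renaming the function to something like `choose_ecc_curve`. The callers are outside the hunk, so the rename would need to be checked against them.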
@@ -370,9 +368,7 @@ int bind_privkey_to_pem(dnssec_key_t *key, bind_privkey_t *params, dnssec_binary case DNSSEC_KEY_ALGORITHM_ECDSA_P384_SHA384: return ecdsa_params_to_pem(key, params, pem); case DNSSEC_KEY_ALGORITHM_ED25519: -#ifdef HAVE_ED448 case DNSSEC_KEY_ALGORITHM_ED448: -#endif return eddsa_params_to_pem(key, params, pem); default: return KNOT_INVALID_KEY_ALGORITHM; diff --git a/tests/libknot/test_dnssec_key.c b/tests/libknot/test_dnssec_key.c index 597707bef..761912efd 100644 --- a/tests/libknot/test_dnssec_key.c +++ b/tests/libknot/test_dnssec_key.c @@ -181,9 +181,7 @@ int main(void) { "RSA", &SAMPLE_RSA1024_SHA256_KEY }, { "ECDSA", &SAMPLE_ECDSA_P256_SHA256_KEY }, { "ED25519", &SAMPLE_ED25519_KEY }, -#ifdef HAVE_ED448 { "ED448", &SAMPLE_ED448_KEY }, -#endif { NULL } }; diff --git a/tests/libknot/test_dnssec_key_algorithm.c b/tests/libknot/test_dnssec_key_algorithm.c index 68e3b000f..b99b2354f 100644 --- a/tests/libknot/test_dnssec_key_algorithm.c +++ b/tests/libknot/test_dnssec_key_algorithm.c @@ -49,9 +49,7 @@ static void check_defaults(void) is_int(2048, dnssec_algorithm_key_size_default(DNSSEC_KEY_ALGORITHM_RSA_SHA1_NSEC3), "rsa default"); is_int(256, dnssec_algorithm_key_size_default(DNSSEC_KEY_ALGORITHM_ECDSA_P256_SHA256), "ecc default"); is_int(256, dnssec_algorithm_key_size_default(DNSSEC_KEY_ALGORITHM_ED25519), "ed25519 default"); -#ifdef HAVE_ED448 is_int(456, dnssec_algorithm_key_size_default(DNSSEC_KEY_ALGORITHM_ED448), "ed448 default"); -#endif } int main(void) @@ -62,9 +60,8 @@ int main(void) ok_range(DNSSEC_KEY_ALGORITHM_RSA_SHA512, 1024, 4096, "RSA/SHA256"); ok_range(DNSSEC_KEY_ALGORITHM_ECDSA_P384_SHA384, 384, 384, "ECDSA/SHA384"); ok_range(DNSSEC_KEY_ALGORITHM_ED25519, 256, 256, "ED25519"); -#ifdef HAVE_ED448 ok_range(DNSSEC_KEY_ALGORITHM_ED448, 456, 456, "ED448"); -#endif + null_range(); check_borders(); diff --git a/tests/libknot/test_dnssec_key_ds.c b/tests/libknot/test_dnssec_key_ds.c index 7d24b6a3b..8ccba7ea6 100644 
--- a/tests/libknot/test_dnssec_key_ds.c +++ b/tests/libknot/test_dnssec_key_ds.c @@ -91,15 +91,11 @@ int main(int argc, char *argv[]) test_key("RSA", &SAMPLE_RSA1024_SHA256_KEY); test_key("ECDSA", &SAMPLE_ECDSA_P256_SHA256_KEY); test_key("ED25519", &SAMPLE_ED25519_KEY); -#ifdef HAVE_ED448 test_key("ED448", &SAMPLE_ED448_KEY); -#endif test_errors(&SAMPLE_ECDSA_P256_SHA256_KEY); test_errors(&SAMPLE_ED25519_KEY); -#ifdef HAVE_ED448 test_errors(&SAMPLE_ED448_KEY); -#endif dnssec_crypto_cleanup(); diff --git a/tests/libknot/test_dnssec_sign.c b/tests/libknot/test_dnssec_sign.c index acb0e9c16..40b3d87b0 100644 --- a/tests/libknot/test_dnssec_sign.c +++ b/tests/libknot/test_dnssec_sign.c @@ -57,7 +57,6 @@ static const dnssec_binary_t signed_ed25519 = { .size = 64, .data = (uint8_t []) 0x70, 0x34, 0x5e, 0x02, 0x49, 0xfb, 0x9e, 0x05, }}; -#ifdef HAVE_ED448 static const dnssec_binary_t signed_ed448 = { .size = 114, .data = (uint8_t []) { 0x8d, 0x79, 0x27, 0xbd, 0xe2, 0xc4, 0x23, 0xd8, 0x26, 0xc1, 0xd4, 0xab, 0x6a, 0x0d, 0xdf, 0xe5, 0x5c, 0xf1, 0x8d, 0x3f, 0x1b, 0x13, 0x81, 0x94, @@ -70,7 +69,6 @@ static const dnssec_binary_t signed_ed448 = { .size = 114, .data = (uint8_t []) 0x74, 0x99, 0x01, 0x98, 0x5f, 0xdb, 0xea, 0xdf, 0xab, 0x59, 0x6c, 0x79, 0xe2, 0xc2, 0x2a, 0x91, 0x29, 0x00 }}; -#endif static dnssec_binary_t binary_set_string(char *str) { @@ -177,10 +175,8 @@ int main(void) check_key(&SAMPLE_ECDSA_P256_SHA256_KEY, &input_data, &signed_ecdsa, false); diag("ED25519 signing"); check_key(&SAMPLE_ED25519_KEY, &input_data, &signed_ed25519, true); -#ifdef HAVE_ED448 diag("ED448 signing"); check_key(&SAMPLE_ED448_KEY, &input_data, &signed_ed448, true); -#endif dnssec_crypto_cleanup();