libknot: ED488 is mandatory since GnuTLS 3.6.12

2026-02-03 18:49:28 -05:00 · 2025-12-05 09:28:09 +01:00 · 2025-12-05 09:28:09 +01:00 · 67b3f17c1f
commit 67b3f17c1f
parent 227314cc94
11 changed files with 1 additions and 42 deletions
--- a/configure.ac
+++ b/configure.ac
@ -155,12 +155,6 @@ PKG_CHECK_MODULES([gnutls], [gnutls >= 3.6.12], [
        [AC_DEFINE([HAVE_GNUTLS_PKCS11], [1], [gnutls_pkcs11_copy_pubkey available])
         gnutls_pkcs11=yes], [gnutls_pkcs11=no])
    AC_CHECK_DECL([GNUTLS_SIGN_EDDSA_ED448],
        [AC_DEFINE([HAVE_ED448], [1], [GnuTLS ED448 support available])
         enable_ed448=yes],
        [enable_ed448=no],
        [#include <gnutls/gnutls.h>])
    AC_CHECK_FUNC([gnutls_early_cipher_get],
        [AC_DEFINE([HAVE_GNUTLS_QUIC], [1], [gnutls_early_cipher_get available])
         gnutls_quic=yes], [gnutls_quic=no])
@ -840,7 +834,6 @@ result_msg_base="
    D-Bus support:          ${enable_dbus}
    POSIX capabilities:     ${enable_cap_ng}
    PKCS #11 support:       ${enable_pkcs11}
    Ed448 support:          ${enable_ed448}
    Code coverage:          ${enable_code_coverage}
    Sanitizer:              ${with_sanitizer}
--- a/doc/reference.rst
+++ b/doc/reference.rst
@ -2197,9 +2197,6 @@ Possible values:
 - ``ed25519``
 - ``ed448``
 .. NOTE::
   Ed448 algorithm is only available if compiled with GnuTLS 3.6.12+ and Nettle 3.6+.
 *Default:* ``ecdsap256sha256``
 .. _policy_ksk-size:
--- a/src/knot/conf/schema.c
+++ b/src/knot/conf/schema.c
@ -54,9 +54,7 @@ static const knot_lookup_t dnssec_key_algs[] = {
 	{ DNSSEC_KEY_ALGORITHM_ECDSA_P256_SHA256, "ecdsap256sha256" },
 	{ DNSSEC_KEY_ALGORITHM_ECDSA_P384_SHA384, "ecdsap384sha384" },
 	{ DNSSEC_KEY_ALGORITHM_ED25519,           "ed25519" },
 #ifdef HAVE_ED448
 	{ DNSSEC_KEY_ALGORITHM_ED448,             "ed448" },
 #endif
 	{ 0, NULL }
 };
--- a/src/libknot/dnssec/key/algorithm.c
+++ b/src/libknot/dnssec/key/algorithm.c
@ -85,10 +85,8 @@ gnutls_pk_algorithm_t algorithm_to_gnutls(dnssec_key_algorithm_t dnssec)
 		return GNUTLS_PK_ECDSA;
 	case DNSSEC_KEY_ALGORITHM_ED25519:
 		return GNUTLS_PK_EDDSA_ED25519;
 #ifdef HAVE_ED448
 	case DNSSEC_KEY_ALGORITHM_ED448:
 		return GNUTLS_PK_EDDSA_ED448;
 #endif
 	default:
 		return GNUTLS_PK_UNKNOWN;
 	}
--- a/src/libknot/dnssec/key/convert.c
+++ b/src/libknot/dnssec/key/convert.c
@ -97,9 +97,7 @@ static size_t eddsa_curve_point_size(gnutls_ecc_curve_t curve)
 {
 	switch (curve) {
 	case GNUTLS_ECC_CURVE_ED25519: return 32;
 #ifdef HAVE_ED448
 	case GNUTLS_ECC_CURVE_ED448: return 57;
 #endif
 	default: return 0;
 	}
 }
@ -235,9 +233,7 @@ static gnutls_ecc_curve_t eddsa_curve_from_rdata_size(size_t rdata_size)
 {
 	switch (rdata_size) {
 	case 32: return GNUTLS_ECC_CURVE_ED25519;
 #ifdef HAVE_ED448
 	case 57: return GNUTLS_ECC_CURVE_ED448;
 #endif
 	default: return GNUTLS_ECC_CURVE_INVALID;
 	}
 }
@ -318,9 +314,7 @@ int convert_pubkey_to_dnskey(gnutls_pubkey_t key, dnssec_binary_t *rdata)
 	case GNUTLS_PK_RSA: return rsa_pubkey_to_rdata(key, rdata);
 	case GNUTLS_PK_ECDSA: return ecdsa_pubkey_to_rdata(key, rdata);
 	case GNUTLS_PK_EDDSA_ED25519: return eddsa_pubkey_to_rdata(key, rdata);
 #ifdef HAVE_ED448
 	case GNUTLS_PK_EDDSA_ED448: return eddsa_pubkey_to_rdata(key, rdata);
 #endif
 	default: return KNOT_INVALID_KEY_ALGORITHM;
 	}
 }
@ -340,9 +334,7 @@ int convert_dnskey_to_pubkey(uint8_t algorithm, const dnssec_binary_t *rdata,
 	case GNUTLS_PK_RSA: return rsa_rdata_to_pubkey(rdata, key);
 	case GNUTLS_PK_ECDSA: return ecdsa_rdata_to_pubkey(rdata, key);
 	case GNUTLS_PK_EDDSA_ED25519: return eddsa_rdata_to_pubkey(rdata, key);
 #ifdef HAVE_ED448
 	case GNUTLS_PK_EDDSA_ED448: return eddsa_rdata_to_pubkey(rdata, key);
 #endif
 	default: return KNOT_INVALID_KEY_ALGORITHM;
 	}
 }
--- a/src/libknot/dnssec/sign/sign.c
+++ b/src/libknot/dnssec/sign/sign.c
@ -207,10 +207,8 @@ static gnutls_sign_algorithm_t algo_dnssec2gnutls(dnssec_key_algorithm_t algorit
 		return GNUTLS_SIGN_ECDSA_SHA384;
 	case DNSSEC_KEY_ALGORITHM_ED25519:
 		return GNUTLS_SIGN_EDDSA_ED25519;
 #ifdef HAVE_ED448
 	case DNSSEC_KEY_ALGORITHM_ED448:
 		return GNUTLS_SIGN_EDDSA_ED448;
 #endif
 	default:
 		return GNUTLS_SIGN_UNKNOWN;
 	}
--- a/src/utils/keymgr/bind_privkey.c
+++ b/src/utils/keymgr/bind_privkey.c
@ -270,9 +270,7 @@ static gnutls_ecc_curve_t choose_ecdsa_curve(size_t pubkey_size)
 {
 	switch (pubkey_size) {
 	case 32: return GNUTLS_ECC_CURVE_ED25519;
 #ifdef HAVE_ED448
 	case 57: return GNUTLS_ECC_CURVE_ED448;
 #endif
 	case 64: return GNUTLS_ECC_CURVE_SECP256R1;
 	case 96: return GNUTLS_ECC_CURVE_SECP384R1;
 	default: return GNUTLS_ECC_CURVE_INVALID;
@ -370,9 +368,7 @@ int bind_privkey_to_pem(dnssec_key_t *key, bind_privkey_t *params, dnssec_binary
 	case DNSSEC_KEY_ALGORITHM_ECDSA_P384_SHA384:
 		return ecdsa_params_to_pem(key, params, pem);
 	case DNSSEC_KEY_ALGORITHM_ED25519:
 #ifdef HAVE_ED448
 	case DNSSEC_KEY_ALGORITHM_ED448:
 #endif
 		return eddsa_params_to_pem(key, params, pem);
 	default:
 		return KNOT_INVALID_KEY_ALGORITHM;
--- a/tests/libknot/test_dnssec_key.c
+++ b/tests/libknot/test_dnssec_key.c
@ -181,9 +181,7 @@ int main(void)
 		{ "RSA",     &SAMPLE_RSA1024_SHA256_KEY },
 		{ "ECDSA",   &SAMPLE_ECDSA_P256_SHA256_KEY },
 		{ "ED25519", &SAMPLE_ED25519_KEY },
 #ifdef HAVE_ED448
 		{ "ED448",   &SAMPLE_ED448_KEY },
 #endif
 		{ NULL }
 	};
--- a/tests/libknot/test_dnssec_key_algorithm.c
+++ b/tests/libknot/test_dnssec_key_algorithm.c
@ -49,9 +49,7 @@ static void check_defaults(void)
 	is_int(2048, dnssec_algorithm_key_size_default(DNSSEC_KEY_ALGORITHM_RSA_SHA1_NSEC3),   "rsa default");
 	is_int(256, dnssec_algorithm_key_size_default(DNSSEC_KEY_ALGORITHM_ECDSA_P256_SHA256), "ecc default");
 	is_int(256, dnssec_algorithm_key_size_default(DNSSEC_KEY_ALGORITHM_ED25519),           "ed25519 default");
 #ifdef HAVE_ED448
 	is_int(456, dnssec_algorithm_key_size_default(DNSSEC_KEY_ALGORITHM_ED448),             "ed448 default");
 #endif
 }
 int main(void)
@ -62,9 +60,8 @@ int main(void)
 	ok_range(DNSSEC_KEY_ALGORITHM_RSA_SHA512, 1024, 4096, "RSA/SHA256");
 	ok_range(DNSSEC_KEY_ALGORITHM_ECDSA_P384_SHA384, 384, 384, "ECDSA/SHA384");
 	ok_range(DNSSEC_KEY_ALGORITHM_ED25519, 256, 256, "ED25519");
 #ifdef HAVE_ED448
 	ok_range(DNSSEC_KEY_ALGORITHM_ED448, 456, 456, "ED448");
-#endif
+
 	null_range();
 	check_borders();
--- a/tests/libknot/test_dnssec_key_ds.c
+++ b/tests/libknot/test_dnssec_key_ds.c
@ -91,15 +91,11 @@ int main(int argc, char *argv[])
 	test_key("RSA",     &SAMPLE_RSA1024_SHA256_KEY);
 	test_key("ECDSA",   &SAMPLE_ECDSA_P256_SHA256_KEY);
 	test_key("ED25519", &SAMPLE_ED25519_KEY);
 #ifdef HAVE_ED448
 	test_key("ED448",   &SAMPLE_ED448_KEY);
 #endif
 	test_errors(&SAMPLE_ECDSA_P256_SHA256_KEY);
 	test_errors(&SAMPLE_ED25519_KEY);
 #ifdef HAVE_ED448
 	test_errors(&SAMPLE_ED448_KEY);
 #endif
 	dnssec_crypto_cleanup();
--- a/tests/libknot/test_dnssec_sign.c
+++ b/tests/libknot/test_dnssec_sign.c
@ -57,7 +57,6 @@ static const dnssec_binary_t signed_ed25519 = { .size = 64, .data = (uint8_t [])
 		0x70, 0x34, 0x5e, 0x02, 0x49, 0xfb, 0x9e, 0x05,
 }};
 #ifdef HAVE_ED448
 static const dnssec_binary_t signed_ed448 = { .size = 114, .data = (uint8_t []) {
 	0x8d, 0x79, 0x27, 0xbd, 0xe2, 0xc4, 0x23, 0xd8, 0x26, 0xc1, 0xd4, 0xab,
 	0x6a, 0x0d, 0xdf, 0xe5, 0x5c, 0xf1, 0x8d, 0x3f, 0x1b, 0x13, 0x81, 0x94,
@ -70,7 +69,6 @@ static const dnssec_binary_t signed_ed448 = { .size = 114, .data = (uint8_t [])
 	0x74, 0x99, 0x01, 0x98, 0x5f, 0xdb, 0xea, 0xdf, 0xab, 0x59, 0x6c, 0x79,
 	0xe2, 0xc2, 0x2a, 0x91, 0x29, 0x00
 }};
 #endif
 static dnssec_binary_t binary_set_string(char *str)
 {
@ -177,10 +175,8 @@ int main(void)
 	check_key(&SAMPLE_ECDSA_P256_SHA256_KEY, &input_data, &signed_ecdsa, false);
 	diag("ED25519 signing");
 	check_key(&SAMPLE_ED25519_KEY, &input_data, &signed_ed25519, true);
 #ifdef HAVE_ED448
 	diag("ED448 signing");
 	check_key(&SAMPLE_ED448_KEY, &input_data, &signed_ed448, true);
 #endif
 	dnssec_crypto_cleanup();