diff --git a/.github/actions/spell-check/allow.txt b/.github/actions/spell-check/allow.txt
index 6015d0f50f66..a325ba18a0b1 100644
--- a/.github/actions/spell-check/allow.txt
+++ b/.github/actions/spell-check/allow.txt
@@ -651,7 +651,6 @@ DEBFULLNAME
debhelper
debtest
DEBUGLOG
-decafsigners
decltype
deconfigure
deconfigured
@@ -1810,7 +1809,6 @@ llu
LMDBQ
lnc
lnow
-loaderdecaf
loadersodium
loadfile
loadmodule
diff --git a/.github/workflows/build-and-test-all.yml b/.github/workflows/build-and-test-all.yml
index 4fa0b42bbad3..54ff10273ff4 100644
--- a/.github/workflows/build-and-test-all.yml
+++ b/.github/workflows/build-and-test-all.yml
@@ -31,7 +31,6 @@ env:
COVERAGE: ${{ github.repository == 'PowerDNS/pdns' && 'yes' || 'no' }}
LLVM_PROFILE_FILE: "/tmp/code-%p.profraw"
OPTIMIZATIONS: yes
- DECAF_SUPPORT: yes
jobs:
get-runner-container-image:
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 0038a02870c3..d7cdcc81c930 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -52,7 +52,6 @@ jobs:
# for clang-tidy only, not compilation
CLANG_VERSION: '14'
REPO_HOME: ${{ github.workspace }}
- DECAF_SUPPORT: no
outputs:
clang-tidy-annotations-auth: ${{ steps.clang-tidy-annotations-auth.outputs.failed }}
diff --git a/configure.ac b/configure.ac
index 6cd518a10f7e..b0fec7b40b9f 100644
--- a/configure.ac
+++ b/configure.ac
@@ -88,7 +88,6 @@ AC_CHECK_HEADERS(
AC_CHECK_HEADERS([sys/random.h])
PDNS_WITH_LIBSODIUM
-PDNS_WITH_LIBDECAF
PDNS_CHECK_LIBCRYPTO([
],[
AC_MSG_ERROR([OpenSSL/libcrypto not found])
@@ -417,11 +416,11 @@ AS_IF([test "x$libcrypto_ecdsa" = "xyes"],
[AC_MSG_NOTICE([OpenSSL ecdsa: yes])],
[AC_MSG_NOTICE([OpenSSL ecdsa: no])]
)
-AS_IF([test "x$LIBSODIUM_LIBS" != "x" || test "x$LIBDECAF_LIBS" != "x" || test "x$libcrypto_ed25519" = "xyes"],
+AS_IF([test "x$LIBSODIUM_LIBS" != "x" || test "x$libcrypto_ed25519" = "xyes"],
[AC_MSG_NOTICE([ed25519: yes])],
[AC_MSG_NOTICE([ed25519: no])]
)
-AS_IF([test "x$LIBDECAF_LIBS" != "x" || test "x$libcrypto_ed448" = "xyes"],
+AS_IF([test "x$libcrypto_ed448" = "xyes"],
[AC_MSG_NOTICE([ed448: yes])],
[AC_MSG_NOTICE([ed448: no])]
)
diff --git a/docs/appendices/compiling.rst b/docs/appendices/compiling.rst
index 97fda12ff0c7..9873d1878e9c 100644
--- a/docs/appendices/compiling.rst
+++ b/docs/appendices/compiling.rst
@@ -64,12 +64,6 @@ ed25519 support with libsodium
The PowerDNS Authoritative Server can link with `libsodium `_ to support ed25519 (DNSSEC algorithm 15).
To detect libsodium, use the ``--with-libsodium`` configure option.
-ed25519 and ed448 support with libdecaf
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-`libdecaf `_ is a library that allows the PowerDNS Authoritative Server to support ed25519 and Ed448 (DNSSEC algorithms 15 and 16).
-To detect libdecaf, use the ``--with-libdecaf`` configure option.
-
systemd notify support
^^^^^^^^^^^^^^^^^^^^^^
diff --git a/m4/pdns_with_libdecaf.m4 b/m4/pdns_with_libdecaf.m4
deleted file mode 100644
index 0c1bef3c25ec..000000000000
--- a/m4/pdns_with_libdecaf.m4
+++ /dev/null
@@ -1,58 +0,0 @@
-AC_DEFUN([PDNS_WITH_LIBDECAF],[
- AC_MSG_CHECKING([whether we will be linking in libdecaf])
- AC_ARG_WITH([libdecaf],
- [AS_HELP_STRING([--with-libdecaf],[use libdecaf @<:@default=no@:>@])],
- [with_libdecaf=$withval],
- [with_libdecaf=no]
- )
- AC_MSG_RESULT([$with_libdecaf])
-
- AM_CONDITIONAL([LIBDECAF],[test "x$with_libdecaf" != "xno"])
-
- AS_IF([test "x$with_libdecaf" != "xno"],[
- save_LIBS=$LIBS
- LIBS=""
- AC_SEARCH_LIBS([decaf_ed25519_sign],[decaf],[
- AC_DEFINE([HAVE_LIBDECAF],[1],[Define to 1 if you have libdecaf])
- AC_SUBST([LIBDECAF_LIBS],["$LIBS"])
- ],[
- AC_MSG_ERROR([Could not find libdecaf])
- ])
- LIBS="$save_LIBS"
-
- AS_IF([test "x$LIBDECAF_CFLAGS" = "x"],[
- AC_MSG_CHECKING([for libdecaf headers])
- libdecaf_header_dir=""
-
- header_dirs="/usr /usr/local"
- for header_dir in $header_dirs; do
- if test -f "$header_dir/include/decaf.hxx"; then
- libdecaf_header_dir="$header_dir/include"
- break
- fi
-
- if test -f "$header_dir/include/decaf/decaf.hxx"; then
- libdecaf_header_dir="$header_dir/include/decaf"
- break
- fi
- done
-
- AS_IF([test "x$libdecaf_header_dir" != "x"],[
- AC_MSG_RESULT([$libdecaf_header_dir])
- LIBDECAF_CFLAGS="-I$libdecaf_header_dir"
- ],
- [AC_MSG_RESULT([not found])])
- ])
-
- AC_SUBST([LIBDECAF_CFLAGS])
-
- save_CXXFLAGS="$CXXFLAGS"
- CXXFLAGS="$CXXFLAGS $LIBDECAF_CFLAGS"
- AC_CHECK_HEADERS(
- [decaf.hxx],
- [],
- [AC_MSG_ERROR([cannot find libdecaf headers])]
- )
- CXXFLAGS="$save_CXXFLAGS"
- ])
-])
diff --git a/meson.build b/meson.build
index f472242616bb..c726bf8eb77c 100644
--- a/meson.build
+++ b/meson.build
@@ -42,7 +42,6 @@ subdir('meson' / 'net-libs') # Network Libraries
subdir('meson' / 'tm-gmtoff') # Check for tm_gmtoff field in struct tm
subdir('meson' / 'mmap') # Check for mmap
subdir('meson' / 'libsodium') # Libsodium-based signers
-subdir('meson' / 'libdecaf') # Libdecaf-based signers
subdir('meson' / 'libcrypto') # OpenSSL-based signers
subdir('meson' / 'libssl') # OpenSSL libssl
subdir('meson' / 'gnutls') # GnuTLS
@@ -128,7 +127,6 @@ deps = [
dep_lua_records,
dep_netlibs,
dep_libsodium,
- dep_libdecaf,
dep_libcrypto,
dep_libssl,
dep_gnutls,
@@ -440,17 +438,6 @@ if dep_libsodium.found()
)
endif
-libpdns_signers_decaf = dependency('', required: false)
-if dep_libdecaf.found()
- libpdns_signers_decaf = declare_dependency(
- link_whole: static_library(
- 'pdns-signers-decaf',
- sources: files(src_dir / 'decafsigners.cc'),
- dependencies: deps,
- )
- )
-endif
-
libpdns_signers_pkcs11 = dependency('', required: false)
if dep_pkcs11.found()
libpdns_signers_pkcs11 = declare_dependency(
@@ -692,7 +679,6 @@ tools = {
libpdns_ssqlite3,
libpdns_gettime,
libpdns_signers_openssl,
- libpdns_signers_decaf,
libpdns_signers_sodium,
],
'manpages': ['pdns_server.1'],
@@ -705,7 +691,6 @@ tools = {
dep_modules,
libpdns_ssqlite3,
libpdns_signers_openssl,
- libpdns_signers_decaf,
libpdns_signers_sodium,
],
'manpages': ['pdnsutil.1'],
@@ -930,7 +915,6 @@ if get_option('unit-tests')
'deps-extra': [
libpdns_test,
libpdns_signers_openssl,
- libpdns_signers_decaf,
libpdns_signers_sodium,
],
},
diff --git a/meson/libdecaf/meson.build b/meson/libdecaf/meson.build
deleted file mode 100644
index 2fb0738cd06a..000000000000
--- a/meson/libdecaf/meson.build
+++ /dev/null
@@ -1,61 +0,0 @@
-opt_libdecaf = get_option('signers-libdecaf')
-dep_libdecaf = dependency('', required: false)
-
-if not opt_libdecaf.disabled()
- dep_libdecaf = dependency('libdecaf', required: false)
-
- if not dep_libdecaf.found()
- all_lib_dirs = [
- '/usr',
- '/usr' / 'lib',
- '/usr' / 'local',
- '/usr' / 'local' / 'lib',
- ]
-
- all_include_dirs = [
- '/usr' / 'include',
- '/usr' / 'include' / 'decaf',
- '/usr' / 'local' / 'include',
- '/usr' / 'local' / 'include' / 'decaf',
- ]
-
- fs = import('fs')
-
- lib_dirs = []
- foreach lib_dir: all_lib_dirs
- if fs.is_dir(lib_dir)
- lib_dirs += lib_dir
- endif
- endforeach
-
- include_dirs = []
- foreach include_dir: all_include_dirs
- if fs.is_dir(include_dir)
- include_dirs += include_dir
- endif
- endforeach
- include_dirs = include_directories(include_dirs, is_system: true)
-
- dep_libdecaf = cxx.find_library(
- 'decaf',
- dirs: lib_dirs,
- required: opt_libdecaf,
- has_headers: [
- 'decaf.hxx',
- 'decaf' / 'spongerng.hxx',
- 'decaf' / 'eddsa.hxx',
- ],
- header_include_directories: include_dirs,
- )
-
- if dep_libdecaf.found()
- dep_libdecaf = declare_dependency(
- dependencies: dep_libdecaf,
- include_directories: include_dirs,
- )
- endif
- endif
-endif
-
-conf.set('HAVE_LIBDECAF', dep_libdecaf.found(), description: 'libdecaf-based signers')
-summary('libdecaf', dep_libdecaf.found(), bool_yn: true, section: 'Crypto')
diff --git a/meson_options.txt b/meson_options.txt
index c33ae9b8db15..a4869ce62b8b 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -5,7 +5,6 @@ option('hardening-experimental-scp', type: 'feature', value: 'disabled', descrip
option('hardening-fortify-source', type: 'combo', choices: ['auto', 'disabled', '1', '2', '3'], value: '2', description: 'Source fortification level')
option('rng-kiss', type: 'boolean', value: false, description: 'Use the unsafe KISS RNG')
option('signers-libsodium', type: 'feature', value: 'auto', description: 'Enable libsodium-based signers')
-option('signers-libdecaf', type: 'feature', value: 'auto', description: 'Enable libdecaf-based signers')
option('signers-libcrypto', type: 'feature', value: 'auto', description: 'Enable OpenSSL libcrypto-based signers)')
option('signers-libcrypto-path', type: 'string', value: '', description: 'Custom path to find OpenSSL libcrypto')
option('tls-libssl', type: 'feature', value: 'auto', description: 'OpenSSL-based TLS')
diff --git a/pdns/Makefile.am b/pdns/Makefile.am
index 2522839a0f3c..042ad78769b5 100644
--- a/pdns/Makefile.am
+++ b/pdns/Makefile.am
@@ -45,10 +45,6 @@ if LIBSODIUM
AM_CPPFLAGS +=$(LIBSODIUM_CFLAGS)
endif
-if LIBDECAF
-AM_CPPFLAGS += $(LIBDECAF_CFLAGS)
-endif
-
EXTRA_DIST = \
dnslabeltext.rl \
dnslabeltext.cc \
@@ -316,11 +312,6 @@ pdns_server_SOURCES += sodiumsigners.cc
pdns_server_LDADD += $(LIBSODIUM_LIBS)
endif
-if LIBDECAF
-pdns_server_SOURCES += decafsigners.cc
-pdns_server_LDADD += $(LIBDECAF_LIBS)
-endif
-
if SQLITE3
pdns_server_SOURCES += ssqlite3.cc ssqlite3.hh
pdns_server_LDADD += $(SQLITE3_LIBS)
@@ -423,11 +414,6 @@ pdnsutil_SOURCES += sodiumsigners.cc
pdnsutil_LDADD += $(LIBSODIUM_LIBS)
endif
-if LIBDECAF
-pdnsutil_SOURCES += decafsigners.cc
-pdnsutil_LDADD += $(LIBDECAF_LIBS)
-endif
-
if SQLITE3
pdnsutil_SOURCES += ssqlite3.cc ssqlite3.hh
pdnsutil_LDADD += $(SQLITE3_LIBS)
@@ -1482,11 +1468,6 @@ testrunner_LDADD += $(LIBSODIUM_LIBS)
speedtest_LDADD += $(LIBSODIUM_LIBS)
endif
-if LIBDECAF
-testrunner_SOURCES += decafsigners.cc
-testrunner_LDADD += $(LIBDECAF_LIBS)
-endif
-
if HAVE_FREEBSD
ixfrdist_SOURCES += kqueuemplexer.cc
testrunner_SOURCES += kqueuemplexer.cc
diff --git a/pdns/decafsigners.cc b/pdns/decafsigners.cc
deleted file mode 100644
index 6c8be67a4f4b..000000000000
--- a/pdns/decafsigners.cc
+++ /dev/null
@@ -1,443 +0,0 @@
-#include
-#include
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-#endif
-#pragma GCC diagnostic push
-#pragma GCC diagnostic ignored "-Wdeprecated-copy"
-#include
-#pragma GCC diagnostic pop
-#include
-#pragma GCC diagnostic push
-#pragma GCC diagnostic ignored "-Wshadow"
-#include
-#pragma GCC diagnostic pop
-#include "dnsseckeeper.hh"
-
-#include "dnssecinfra.hh"
-
-using namespace decaf;
-
-class DecafED25519DNSCryptoKeyEngine : public DNSCryptoKeyEngine
-{
-public:
- explicit DecafED25519DNSCryptoKeyEngine(unsigned int algo) :
- DNSCryptoKeyEngine(algo)
- {
- }
- string getName() const override { return "Decaf ED25519"; }
- void create(unsigned int bits) override;
-
-#if defined(HAVE_LIBCRYPTO_ED25519)
- /**
- * \brief Creates an ED25519 key engine from a PEM file.
- *
- * Receives an open file handle with PEM contents and creates an ED25519 key engine.
- *
- * \param[in] drc Key record contents to be populated.
- *
- * \param[in] inputFile An open file handle to a file containing ED25519 PEM contents.
- *
- * \param[in] filename Only used for providing filename information in error messages.
- *
- * \return An ED25519 key engine populated with the contents of the PEM file.
- */
- void createFromPEMFile(DNSKEYRecordContent& drc, std::FILE& inputFile, std::optional> filename = std::nullopt) override;
-
- /**
- * \brief Writes this key's contents to a file.
- *
- * Receives an open file handle and writes this key's contents to the
- * file.
- *
- * \param[in] outputFile An open file handle for writing.
- *
- * \exception std::runtime_error In case of OpenSSL errors.
- */
- void convertToPEMFile(std::FILE& outputFile) const override;
-#endif
-
- [[nodiscard]] storvector_t convertToISCVector() const override;
- [[nodiscard]] std::string sign(const std::string& msg) const override;
- [[nodiscard]] bool verify(const std::string& msg, const std::string& signature) const override;
- [[nodiscard]] std::string getPublicKeyString() const override;
- [[nodiscard]] int getBits() const override;
- void fromISCMap(DNSKEYRecordContent& drc, std::map& stormap) override;
- void fromPublicKeyString(const std::string& content) override;
-
- static std::unique_ptr maker(unsigned int algorithm)
- {
- return make_unique(algorithm);
- }
-
-private:
- unsigned char d_pubkey[DECAF_EDDSA_25519_PUBLIC_BYTES];
- unsigned char d_seckey[DECAF_EDDSA_25519_PRIVATE_BYTES];
-};
-
-void DecafED25519DNSCryptoKeyEngine::create(unsigned int bits)
-{
- if (bits != (unsigned int)getBits()) {
- throw runtime_error("Unsupported key length of " + std::to_string(bits) + " bits requested, DecafED25519 class");
- }
-
- SpongeRng rng("/dev/urandom");
-
- typename EdDSA::PrivateKey priv(rng);
- typename EdDSA::PublicKey pub(priv);
-
- priv.serialize_into(d_seckey);
- pub.serialize_into(d_pubkey);
-}
-
-#if defined(HAVE_LIBCRYPTO_ED25519)
-void DecafED25519DNSCryptoKeyEngine::createFromPEMFile(DNSKEYRecordContent& drc, std::FILE& inputFile, std::optional> filename)
-{
- drc.d_algorithm = d_algorithm;
- auto key = std::unique_ptr(PEM_read_PrivateKey(&inputFile, nullptr, nullptr, nullptr), &EVP_PKEY_free);
- if (key == nullptr) {
- if (filename.has_value()) {
- throw runtime_error(getName() + ": Failed to read private key from PEM file `" + filename->get() + "`");
- }
-
- throw runtime_error(getName() + ": Failed to read private key from PEM contents");
- }
-
- std::size_t keylen = DECAF_EDDSA_25519_PRIVATE_BYTES;
- int ret = EVP_PKEY_get_raw_private_key(key.get(), d_seckey, &keylen);
- if (ret == 0) {
- if (filename.has_value()) {
- throw runtime_error(getName() + ": Failed to get private key from PEM file contents `" + filename->get() + "`");
- }
-
- throw runtime_error(getName() + ": Failed to get private key from PEM contents");
- }
-
- keylen = DECAF_EDDSA_25519_PUBLIC_BYTES;
- ret = EVP_PKEY_get_raw_public_key(key.get(), d_pubkey, &keylen);
- if (ret == 0) {
- if (filename.has_value()) {
- throw runtime_error(getName() + ": Failed to get public key from PEM file contents `" + filename->get() + "`");
- }
-
- throw runtime_error(getName() + ": Failed to get public key from PEM contents");
- }
-}
-
-void DecafED25519DNSCryptoKeyEngine::convertToPEMFile(std::FILE& outputFile) const
-{
- auto key = std::unique_ptr(EVP_PKEY_new_raw_private_key(EVP_PKEY_ED25519, nullptr, d_seckey, DECAF_EDDSA_25519_PRIVATE_BYTES), EVP_PKEY_free);
- if (key == nullptr) {
- throw runtime_error(getName() + ": Could not create private key from buffer");
- }
-
- auto ret = PEM_write_PrivateKey(&outputFile, key.get(), nullptr, nullptr, 0, nullptr, nullptr);
- if (ret == 0) {
- throw runtime_error(getName() + ": Could not convert private key to PEM");
- }
-}
-#endif
-
-int DecafED25519DNSCryptoKeyEngine::getBits() const
-{
- return DECAF_EDDSA_25519_PRIVATE_BYTES << 3;
-}
-
-DNSCryptoKeyEngine::storvector_t DecafED25519DNSCryptoKeyEngine::convertToISCVector() const
-{
- /*
- Private-key-format: v1.2
- Algorithm: 15 (ED25519)
- PrivateKey: ODIyNjAzODQ2MjgwODAxMjI2NDUxOTAyMDQxNDIyNjI=
- */
-
- auto storvector = storvector_t{
- {"Algorithm", "15 (ED25519)"},
- {"PrivateKey", string((char*)d_seckey, DECAF_EDDSA_25519_PRIVATE_BYTES)},
- };
-
- return storvector;
-}
-
-void DecafED25519DNSCryptoKeyEngine::fromISCMap(DNSKEYRecordContent& drc, std::map& stormap)
-{
- /*
- Private-key-format: v1.2
- Algorithm: 15 (ED25519)
- PrivateKey: ODIyNjAzODQ2MjgwODAxMjI2NDUxOTAyMDQxNDIyNjI=
- */
-
- pdns::checked_stoi_into(drc.d_algorithm, stormap["algorithm"]);
- string privateKey = stormap["privatekey"];
-
- if (privateKey.length() != DECAF_EDDSA_25519_PRIVATE_BYTES)
- throw runtime_error("Private key size mismatch in ISCMap, DecafED25519 class");
-
- typename EdDSA::PrivateKey priv(Block((const unsigned char*)privateKey.c_str(), DECAF_EDDSA_25519_PRIVATE_BYTES));
- typename EdDSA::PublicKey pub(priv);
-
- priv.serialize_into(d_seckey);
- pub.serialize_into(d_pubkey);
-}
-
-std::string DecafED25519DNSCryptoKeyEngine::getPublicKeyString() const
-{
- return string((char*)d_pubkey, DECAF_EDDSA_25519_PUBLIC_BYTES);
-}
-
-void DecafED25519DNSCryptoKeyEngine::fromPublicKeyString(const std::string& input)
-{
- if (input.length() != DECAF_EDDSA_25519_PUBLIC_BYTES)
- throw runtime_error("Public key size mismatch, DecafED25519 class");
-
- memcpy(d_pubkey, input.c_str(), DECAF_EDDSA_25519_PUBLIC_BYTES);
-}
-
-std::string DecafED25519DNSCryptoKeyEngine::sign(const std::string& msg) const
-{
- typename EdDSA::PrivateKey priv(Block(d_seckey, DECAF_EDDSA_25519_PRIVATE_BYTES));
-
- SecureBuffer message(msg.begin(), msg.end());
-
- SecureBuffer sig = priv.sign(message);
-
- return string(sig.begin(), sig.end());
-}
-
-bool DecafED25519DNSCryptoKeyEngine::verify(const std::string& msg, const std::string& signature) const
-{
- if (signature.length() != DECAF_EDDSA_25519_SIGNATURE_BYTES)
- return false;
-
- typename EdDSA::PublicKey pub(Block(d_pubkey, DECAF_EDDSA_25519_PUBLIC_BYTES));
-
- SecureBuffer sig(signature.begin(), signature.end());
- SecureBuffer message(msg.begin(), msg.end());
-
- try {
- pub.verify(sig, message);
- }
- catch (const CryptoException& e) {
- return false;
- }
-
- return true;
-}
-
-class DecafED448DNSCryptoKeyEngine : public DNSCryptoKeyEngine
-{
-public:
- explicit DecafED448DNSCryptoKeyEngine(unsigned int algo) :
- DNSCryptoKeyEngine(algo)
- {
- }
- string getName() const override { return "Decaf ED448"; }
- void create(unsigned int bits) override;
-
-#if defined(HAVE_LIBCRYPTO_ED448)
- /**
- * \brief Creates an ED448 key engine from a PEM file.
- *
- * Receives an open file handle with PEM contents and creates an ED448 key engine.
- *
- * \param[in] drc Key record contents to be populated.
- *
- * \param[in] inputFile An open file handle to a file containing ED448 PEM contents.
- *
- * \param[in] filename Only used for providing filename information in error messages.
- *
- * \return An ED448 key engine populated with the contents of the PEM file.
- */
- void createFromPEMFile(DNSKEYRecordContent& drc, std::FILE& inputFile, std::optional> filename = std::nullopt) override;
-
- /**
- * \brief Writes this key's contents to a file.
- *
- * Receives an open file handle and writes this key's contents to the
- * file.
- *
- * \param[in] outputFile An open file handle for writing.
- *
- * \exception std::runtime_error In case of OpenSSL errors.
- */
- void convertToPEMFile(std::FILE& outputFile) const override;
-#endif
-
- storvector_t convertToISCVector() const override;
- std::string sign(const std::string& msg) const override;
- bool verify(const std::string& msg, const std::string& signature) const override;
- std::string getPublicKeyString() const override;
- int getBits() const override;
- void fromISCMap(DNSKEYRecordContent& drc, std::map& stormap) override;
- void fromPublicKeyString(const std::string& content) override;
-
- static std::unique_ptr maker(unsigned int algorithm)
- {
- return make_unique(algorithm);
- }
-
-private:
- unsigned char d_pubkey[DECAF_EDDSA_448_PUBLIC_BYTES];
- unsigned char d_seckey[DECAF_EDDSA_448_PRIVATE_BYTES];
-};
-
-void DecafED448DNSCryptoKeyEngine::create(unsigned int bits)
-{
- if (bits != (unsigned int)getBits()) {
- throw runtime_error("Unsupported key length of " + std::to_string(bits) + " bits requested, DecafED448 class");
- }
-
- SpongeRng rng("/dev/urandom");
-
- typename EdDSA::PrivateKey priv(rng);
- typename EdDSA::PublicKey pub(priv);
-
- priv.serialize_into(d_seckey);
- pub.serialize_into(d_pubkey);
-}
-
-#if defined(HAVE_LIBCRYPTO_ED448)
-void DecafED448DNSCryptoKeyEngine::createFromPEMFile(DNSKEYRecordContent& drc, std::FILE& inputFile, std::optional> filename)
-{
- drc.d_algorithm = d_algorithm;
- auto key = std::unique_ptr(PEM_read_PrivateKey(&inputFile, nullptr, nullptr, nullptr), &EVP_PKEY_free);
- if (key == nullptr) {
- if (filename.has_value()) {
- throw runtime_error(getName() + ": Failed to read private key from PEM file `" + filename->get() + "`");
- }
-
- throw runtime_error(getName() + ": Failed to read private key from PEM contents");
- }
-
- std::size_t keylen = DECAF_EDDSA_448_PRIVATE_BYTES;
- int ret = EVP_PKEY_get_raw_private_key(key.get(), d_seckey, &keylen);
- if (ret == 0) {
- if (filename.has_value()) {
- throw runtime_error(getName() + ": Failed to get private key from PEM file contents `" + filename->get() + "`");
- }
-
- throw runtime_error(getName() + ": Failed to get private key from PEM contents");
- }
-
- keylen = DECAF_EDDSA_448_PUBLIC_BYTES;
- ret = EVP_PKEY_get_raw_public_key(key.get(), d_pubkey, &keylen);
- if (ret == 0) {
- if (filename.has_value()) {
- throw runtime_error(getName() + ": Failed to get public key from PEM file contents `" + filename->get() + "`");
- }
-
- throw runtime_error(getName() + ": Failed to get public key from PEM contents");
- }
-}
-
-void DecafED448DNSCryptoKeyEngine::convertToPEMFile(std::FILE& outputFile) const
-{
- auto key = std::unique_ptr(EVP_PKEY_new_raw_private_key(EVP_PKEY_ED448, nullptr, d_seckey, DECAF_EDDSA_448_PRIVATE_BYTES), EVP_PKEY_free);
- if (key == nullptr) {
- throw runtime_error(getName() + ": Could not create private key from buffer");
- }
-
- auto ret = PEM_write_PrivateKey(&outputFile, key.get(), nullptr, nullptr, 0, nullptr, nullptr);
- if (ret == 0) {
- throw runtime_error(getName() + ": Could not convert private key to PEM");
- }
-}
-#endif
-
-int DecafED448DNSCryptoKeyEngine::getBits() const
-{
- return DECAF_EDDSA_448_PRIVATE_BYTES << 3;
-}
-
-DNSCryptoKeyEngine::storvector_t DecafED448DNSCryptoKeyEngine::convertToISCVector() const
-{
- /*
- Private-key-format: v1.2
- Algorithm: 16 (ED448)
- PrivateKey: xZ+5Cgm463xugtkY5B0Jx6erFTXp13rYegst0qRtNsOYnaVpMx0Z/c5EiA9x8wWbDDct/U3FhYWA
- */
-
- auto storvector = storvector_t{
- {"Algorithm", "16 (ED448)"},
- {"PrivateKey", string((char*)d_seckey, DECAF_EDDSA_448_PRIVATE_BYTES)},
- };
-
- return storvector;
-}
-
-void DecafED448DNSCryptoKeyEngine::fromISCMap(DNSKEYRecordContent& drc, std::map& stormap)
-{
- /*
- Private-key-format: v1.2
- Algorithm: 16 (ED448)
- PrivateKey: xZ+5Cgm463xugtkY5B0Jx6erFTXp13rYegst0qRtNsOYnaVpMx0Z/c5EiA9x8wWbDDct/U3FhYWA
- */
-
- pdns::checked_stoi_into(drc.d_algorithm, stormap["algorithm"]);
- string privateKey = stormap["privatekey"];
-
- if (privateKey.length() != DECAF_EDDSA_448_PRIVATE_BYTES)
- throw runtime_error("Private key size mismatch in ISCMap, DecafED448 class");
-
- typename EdDSA::PrivateKey priv(Block((const unsigned char*)privateKey.c_str(), DECAF_EDDSA_448_PRIVATE_BYTES));
- typename EdDSA::PublicKey pub(priv);
-
- priv.serialize_into(d_seckey);
- pub.serialize_into(d_pubkey);
-}
-
-std::string DecafED448DNSCryptoKeyEngine::getPublicKeyString() const
-{
- return string((char*)d_pubkey, DECAF_EDDSA_448_PUBLIC_BYTES);
-}
-
-void DecafED448DNSCryptoKeyEngine::fromPublicKeyString(const std::string& input)
-{
- if (input.length() != DECAF_EDDSA_448_PUBLIC_BYTES)
- throw runtime_error("Public key size mismatch, DecafED448 class");
-
- memcpy(d_pubkey, input.c_str(), DECAF_EDDSA_448_PUBLIC_BYTES);
-}
-
-std::string DecafED448DNSCryptoKeyEngine::sign(const std::string& msg) const
-{
- typename EdDSA::PrivateKey priv(Block(d_seckey, DECAF_EDDSA_448_PRIVATE_BYTES));
-
- SecureBuffer message(msg.begin(), msg.end());
-
- SecureBuffer sig = priv.sign(message);
-
- return string(sig.begin(), sig.end());
-}
-
-bool DecafED448DNSCryptoKeyEngine::verify(const std::string& msg, const std::string& signature) const
-{
- if (signature.length() != DECAF_EDDSA_448_SIGNATURE_BYTES)
- return false;
-
- typename EdDSA::PublicKey pub(Block(d_pubkey, DECAF_EDDSA_448_PUBLIC_BYTES));
-
- SecureBuffer sig(signature.begin(), signature.end());
- SecureBuffer message(msg.begin(), msg.end());
-
- try {
- pub.verify(sig, message);
- }
- catch (const CryptoException& e) {
- return false;
- }
-
- return true;
-}
-
-namespace
-{
-const struct LoaderDecafStruct
-{
- LoaderDecafStruct()
- {
- DNSCryptoKeyEngine::report(DNSSECKeeper::ED25519, &DecafED25519DNSCryptoKeyEngine::maker, true);
- DNSCryptoKeyEngine::report(DNSSECKeeper::ED448, &DecafED448DNSCryptoKeyEngine::maker);
- }
-} loaderdecaf;
-}
diff --git a/pdns/pdnsutil.cc b/pdns/pdnsutil.cc
index 90d309d4166f..ed19662297cd 100644
--- a/pdns/pdnsutil.cc
+++ b/pdns/pdnsutil.cc
@@ -2562,10 +2562,10 @@ try
cout << "list-autoprimaries List all autoprimaries" << endl;
cout << "add-zone-key ZONE {zsk|ksk} [BITS] [active|inactive] [published|unpublished]" << endl;
cout << " [rsasha1|rsasha1-nsec3-sha1|rsasha256|rsasha512|ecdsa256|ecdsa384";
-#if defined(HAVE_LIBSODIUM) || defined(HAVE_LIBDECAF) || defined(HAVE_LIBCRYPTO_ED25519)
+#if defined(HAVE_LIBSODIUM) || defined(HAVE_LIBCRYPTO_ED25519)
cout << "|ed25519";
#endif
-#if defined(HAVE_LIBDECAF) || defined(HAVE_LIBCRYPTO_ED448)
+#if defined(HAVE_LIBCRYPTO_ED448)
cout << "|ed448";
#endif
cout << "]" << endl;
@@ -3025,10 +3025,10 @@ try
else if (cmds.at(0) == "add-zone-key") {
if(cmds.size() < 3 ) {
cerr << "Syntax: pdnsutil add-zone-key ZONE [zsk|ksk] [BITS] [active|inactive] [rsasha1|rsasha1-nsec3-sha1|rsasha256|rsasha512|ecdsa256|ecdsa384";
-#if defined(HAVE_LIBSODIUM) || defined(HAVE_LIBDECAF) || defined(HAVE_LIBCRYPTO_ED25519)
+#if defined(HAVE_LIBSODIUM) || defined(HAVE_LIBCRYPTO_ED25519)
cerr << "|ed25519";
#endif
-#if defined(HAVE_LIBDECAF) || defined(HAVE_LIBCRYPTO_ED448)
+#if defined(HAVE_LIBCRYPTO_ED448)
cerr << "|ed448";
#endif
cerr << "]"<`_ is a library that allows :program:`Recursor` to support ed25519 and Ed448 (DNSSEC algorithms 15 and 16).
-To detect libdecaf, use the ``--with-libdecaf`` configure option.
-
-.. versionchanged:: 4.2.0
- This option was previously ``--enable-libdecaf``
-
Protobuf to emit DNS logs
^^^^^^^^^^^^^^^^^^^^^^^^^
diff --git a/pdns/recursordist/m4/pdns_with_libdecaf.m4 b/pdns/recursordist/m4/pdns_with_libdecaf.m4
deleted file mode 120000
index e932fd10cc8a..000000000000
--- a/pdns/recursordist/m4/pdns_with_libdecaf.m4
+++ /dev/null
@@ -1 +0,0 @@
-../../../m4/pdns_with_libdecaf.m4
\ No newline at end of file
diff --git a/pdns/recursordist/meson.build b/pdns/recursordist/meson.build
index ed573dedd760..2cb4799708e4 100644
--- a/pdns/recursordist/meson.build
+++ b/pdns/recursordist/meson.build
@@ -45,7 +45,6 @@ subdir('meson' / 'net-libs') # Network Libraries
subdir('meson' / 'tm-gmtoff') # Check for tm_gmtoff field in struct tm
subdir('meson' / 'mmap') # Check for mmap
subdir('meson' / 'libsodium') # Libsodium-based signers
-subdir('meson' / 'libdecaf') # Libdecaf-based signers
subdir('meson' / 'libcrypto') # OpenSSL-based signers
subdir('meson' / 'libssl') # OpenSSL libssl
subdir('meson' / 'libsnmp') # SNMP
@@ -326,17 +325,6 @@ if dep_libsodium.found()
)
endif
-librec_signers_decaf = dependency('', required: false)
-if dep_libdecaf.found()
- librec_signers_decaf = declare_dependency(
- link_whole: static_library(
- 'rec-signers-decaf',
- sources: files(src_dir / 'decafsigners.cc'),
- dependencies: [dep_boost, dep_libdecaf],
- )
- )
-endif
-
librec_signers_openssl = declare_dependency(
link_whole: static_library(
'rec-signers-openssl',
@@ -433,7 +421,6 @@ tools = {
dep_rust_settings,
dep_systemd,
librec_signers_openssl,
- librec_signers_decaf,
librec_signers_sodium,
dep_pubsuffix,
],
@@ -519,7 +506,6 @@ if get_option('unit-tests')
dep_settings,
dep_rust_settings,
librec_signers_openssl,
- librec_signers_decaf,
librec_signers_sodium,
],
)
diff --git a/pdns/recursordist/meson_options.txt b/pdns/recursordist/meson_options.txt
index 52ba9f3acd0a..64612d31c437 100644
--- a/pdns/recursordist/meson_options.txt
+++ b/pdns/recursordist/meson_options.txt
@@ -5,7 +5,6 @@ option('hardening-experimental-scp', type: 'feature', value: 'disabled', descrip
option('hardening-fortify-source', type: 'combo', choices: ['auto', 'disabled', '1', '2', '3'], value: '2', description: 'Source fortification level')
#option('rng-kiss', type: 'boolean', value: false, description: 'Use the unsafe KISS RNG')
option('signers-libsodium', type: 'feature', value: 'auto', description: 'Enable libsodium-based signers')
-option('signers-libdecaf', type: 'feature', value: 'auto', description: 'Enable libdecaf-based signers')
option('signers-libcrypto', type: 'feature', value: 'auto', description: 'Enable OpenSSL libcrypto-based signers)')
option('signers-libcrypto-path', type: 'string', value: '', description: 'Custom path to find OpenSSL libcrypto')
option('tls-libssl', type: 'feature', value: 'auto', description: 'OpenSSL-based TLS')
diff --git a/pdns/test-signers.cc b/pdns/test-signers.cc
index 5743f831dfed..22cb402df556 100644
--- a/pdns/test-signers.cc
+++ b/pdns/test-signers.cc
@@ -318,7 +318,7 @@ struct Fixture
addSignerParams(DNSSECKeeper::ED25519, "ED25519", ed25519);
#endif
-#if defined(HAVE_LIBDECAF) || defined(HAVE_LIBCRYPTO_ED448)
+#if defined(HAVE_LIBCRYPTO_ED448)
addSignerParams(DNSSECKeeper::ED448, "ED448", ed448);
#endif
}
diff --git a/pdns/version.cc b/pdns/version.cc
index 9e7b8bc6d1e0..fc40756a44c7 100644
--- a/pdns/version.cc
+++ b/pdns/version.cc
@@ -107,9 +107,6 @@ string getBuildConfiguration()
{
ostringstream ret;
ret << "Features:"
-#ifdef HAVE_LIBDECAF
- << " decaf"
-#endif
#ifdef HAVE_LIBCRYPTO_ECDSA
<< " libcrypto-ecdsa"
#endif
diff --git a/tasks.py b/tasks.py
index 5a0d53101fb2..50c4e27ffbb5 100644
--- a/tasks.py
+++ b/tasks.py
@@ -175,22 +175,6 @@ def ci_install_rust(c, repo):
with c.cd(f'{repo}/builder-support/helpers/'):
c.run('sudo sh install_rust.sh')
-def install_libdecaf(c, product):
- c.run('rm -rf /tmp/libdecaf && git clone https://git.code.sf.net/p/ed448goldilocks/code /tmp/libdecaf')
- with c.cd('/tmp/libdecaf'):
- c.run('git checkout 41f349')
- c.run(f'CC={get_c_compiler()} CXX={get_cxx_compiler()} '
- 'cmake -B build '
- '-DCMAKE_INSTALL_PREFIX=/usr/local '
- '-DCMAKE_INSTALL_LIBDIR=lib '
- '-DENABLE_STATIC=OFF '
- '-DENABLE_TESTS=OFF '
- '-DCMAKE_C_FLAGS="-Wno-sizeof-array-div -Wno-array-parameter" .')
- c.run('make -C build')
- c.run('sudo make -C build install')
- c.sudo(f'mkdir -p /opt/{product}/libdecaf')
- c.sudo(f'cp /usr/local/lib/libdecaf.so* /opt/{product}/libdecaf/.')
-
@task
def install_doc_deps(c):
c.sudo('apt-get install -y ' + ' '.join(doc_deps))
@@ -207,8 +191,6 @@ def install_meson(c):
def install_auth_build_deps(c):
c.sudo('apt-get install -y --no-install-recommends ' + ' '.join(all_build_deps + git_build_deps + auth_build_deps))
install_meson(c)
- if os.getenv('DECAF_SUPPORT', 'no') == 'yes':
- install_libdecaf(c, 'pdns-auth')
def is_coverage_enabled():
sanitizers = os.getenv('SANITIZERS')
@@ -280,11 +262,6 @@ def install_auth_test_deps(c, backend): # FIXME: rename this, we do way more tha
# FIXME we may want to start a background recursor here to make ALIAS tests more robust
setup_authbind(c)
- if os.getenv('DECAF_SUPPORT', 'no') == 'yes':
- # Copy libdecaf out
- c.sudo('mkdir -p /usr/local/lib')
- c.sudo('cp /opt/pdns-auth/libdecaf/libdecaf.so* /usr/local/lib/.')
-
@task
def install_rec_bulk_deps(c): # FIXME: rename this, we do way more than apt-get
c.sudo('apt-get --no-install-recommends -y install ' + ' '.join(rec_bulk_deps))
@@ -513,7 +490,6 @@ def ci_auth_configure_autotools(c):
"--enable-remotebackend-zeromq",
"--enable-verbose-logging",
"--with-lmdb=/usr",
- "--with-libdecaf" if os.getenv('DECAF_SUPPORT', 'no') == 'yes' else '',
"--prefix=/opt/pdns-auth",
"--enable-ixfrdist",
unittests,
@@ -547,7 +523,6 @@ def ci_auth_configure_meson(c, build_dir):
"-D dns-over-tls=true",
"-D experimental-pkcs11=enabled",
"-D experimental-gss-tsig=enabled",
- "-D signers-libdecaf=enabled" if os.getenv('DECAF_SUPPORT', 'no') == 'yes' else '',
"-D prefix=/opt/pdns-auth",
"-D tools-ixfrdist=true",
unittests,
@@ -599,7 +574,6 @@ def ci_rec_configure(c, features):
"--with-lua=luajit",
"--without-libcap",
"--without-libcurl",
- "--without-libdecaf",
"--without-libsodium",
"--without-net-snmp",
unittests,