Update to 9.18.8 (#2136100)
https://downloads.isc.org/isc/bind9/9.18.8/doc/arm/html/notes.html#notes-for-bind-9-18-8
parent
e6424d1a09
commit
99fd53a106
2
.gitignore
vendored
2
.gitignore
vendored
@ -192,3 +192,5 @@ bind-9.7.2b1.tar.gz
|
||||
/bind-9.18.6.tar.xz.asc
|
||||
/bind-9.18.7.tar.xz
|
||||
/bind-9.18.7.tar.xz.asc
|
||||
/bind-9.18.8.tar.xz
|
||||
/bind-9.18.8.tar.xz.asc
|
||||
|
@ -1,4 +1,4 @@
|
||||
From b1e27453fadcf8ce453beed5b896ad995dfb5534 Mon Sep 17 00:00:00 2001
|
||||
From 2ad42c7c23858f12d977526d6ebc3465907d7b1b Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
||||
Date: Thu, 2 Aug 2018 23:46:45 +0200
|
||||
Subject: [PATCH] FIPS tests changes
|
||||
@ -428,10 +428,10 @@ index 364f94b..9518f82 100644
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/allow-query/tests.sh b/bin/tests/system/allow-query/tests.sh
|
||||
index bbffe07..80da0fe 100644
|
||||
index 01a13cf..3711c63 100644
|
||||
--- a/bin/tests/system/allow-query/tests.sh
|
||||
+++ b/bin/tests/system/allow-query/tests.sh
|
||||
@@ -200,7 +200,7 @@ rndc_reload ns2 10.53.0.2
|
||||
@@ -201,7 +201,7 @@ rndc_reload ns2 10.53.0.2
|
||||
|
||||
echo_i "test $n: key allowed - query allowed"
|
||||
ret=0
|
||||
@ -440,7 +440,7 @@ index bbffe07..80da0fe 100644
|
||||
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
|
||||
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
@@ -213,7 +213,7 @@ rndc_reload ns2 10.53.0.2
|
||||
@@ -214,7 +214,7 @@ rndc_reload ns2 10.53.0.2
|
||||
|
||||
echo_i "test $n: key not allowed - query refused"
|
||||
ret=0
|
||||
@ -449,7 +449,7 @@ index bbffe07..80da0fe 100644
|
||||
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
|
||||
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
|
||||
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
|
||||
@@ -227,7 +227,7 @@ rndc_reload ns2 10.53.0.2
|
||||
@@ -228,7 +228,7 @@ rndc_reload ns2 10.53.0.2
|
||||
|
||||
echo_i "test $n: key disallowed - query refused"
|
||||
ret=0
|
||||
@ -458,7 +458,7 @@ index bbffe07..80da0fe 100644
|
||||
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
|
||||
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
|
||||
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
|
||||
@@ -366,7 +366,7 @@ rndc_reload ns2 10.53.0.2
|
||||
@@ -367,7 +367,7 @@ rndc_reload ns2 10.53.0.2
|
||||
|
||||
echo_i "test $n: views key allowed - query allowed"
|
||||
ret=0
|
||||
@ -467,7 +467,7 @@ index bbffe07..80da0fe 100644
|
||||
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
|
||||
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
@@ -379,7 +379,7 @@ rndc_reload ns2 10.53.0.2
|
||||
@@ -380,7 +380,7 @@ rndc_reload ns2 10.53.0.2
|
||||
|
||||
echo_i "test $n: views key not allowed - query refused"
|
||||
ret=0
|
||||
@ -476,7 +476,7 @@ index bbffe07..80da0fe 100644
|
||||
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
|
||||
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
|
||||
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
|
||||
@@ -393,7 +393,7 @@ rndc_reload ns2 10.53.0.2
|
||||
@@ -394,7 +394,7 @@ rndc_reload ns2 10.53.0.2
|
||||
|
||||
echo_i "test $n: views key disallowed - query refused"
|
||||
ret=0
|
||||
@ -485,7 +485,7 @@ index bbffe07..80da0fe 100644
|
||||
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
|
||||
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
|
||||
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
|
||||
@@ -533,7 +533,7 @@ status=`expr $status + $ret`
|
||||
@@ -534,7 +534,7 @@ status=`expr $status + $ret`
|
||||
n=`expr $n + 1`
|
||||
echo_i "test $n: zone key allowed - query allowed"
|
||||
ret=0
|
||||
@ -494,7 +494,7 @@ index bbffe07..80da0fe 100644
|
||||
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
|
||||
grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null || ret=1
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
@@ -543,7 +543,7 @@ status=`expr $status + $ret`
|
||||
@@ -544,7 +544,7 @@ status=`expr $status + $ret`
|
||||
n=`expr $n + 1`
|
||||
echo_i "test $n: zone key not allowed - query refused"
|
||||
ret=0
|
||||
@ -503,7 +503,7 @@ index bbffe07..80da0fe 100644
|
||||
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
|
||||
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
|
||||
grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null && ret=1
|
||||
@@ -554,7 +554,7 @@ status=`expr $status + $ret`
|
||||
@@ -555,7 +555,7 @@ status=`expr $status + $ret`
|
||||
n=`expr $n + 1`
|
||||
echo_i "test $n: zone key disallowed - query refused"
|
||||
ret=0
|
||||
@ -513,16 +513,18 @@ index bbffe07..80da0fe 100644
|
||||
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
|
||||
grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1
|
||||
diff --git a/bin/tests/system/catz/ns1/named.conf.in b/bin/tests/system/catz/ns1/named.conf.in
|
||||
index 1421281..424afb8 100644
|
||||
index 3a8e401..82e720d 100644
|
||||
--- a/bin/tests/system/catz/ns1/named.conf.in
|
||||
+++ b/bin/tests/system/catz/ns1/named.conf.in
|
||||
@@ -122,5 +122,5 @@ view "ch" ch {
|
||||
@@ -122,7 +122,7 @@ view "ch" ch {
|
||||
|
||||
key tsig_key. {
|
||||
secret "LSAnCU+Z";
|
||||
- algorithm hmac-md5;
|
||||
+ algorithm hmac-sha256;
|
||||
};
|
||||
|
||||
key next_key. {
|
||||
diff --git a/bin/tests/system/checkconf/bad-tsig.conf b/bin/tests/system/checkconf/bad-tsig.conf
|
||||
index 4af25b0..9f202d5 100644
|
||||
--- a/bin/tests/system/checkconf/bad-tsig.conf
|
||||
|
@ -1,46 +0,0 @@
|
||||
diff --git a/doc/arm/dnssec.inc.rst b/doc/arm/dnssec.inc.rst
|
||||
index 0d72000..f4810ae 100644
|
||||
--- a/doc/arm/dnssec.inc.rst
|
||||
+++ b/doc/arm/dnssec.inc.rst
|
||||
@@ -282,7 +282,7 @@ NSEC3
|
||||
|
||||
To sign using :ref:`NSEC3 <advanced_discussions_nsec3>` instead of :ref:`NSEC
|
||||
<advanced_discussions_nsec>`, add an NSEC3PARAM record to the initial update
|
||||
-request. The :term:`OPTOUT <opt-out>` bit in the NSEC3
|
||||
+request. The :term:`OPTOUT <Opt-out>` bit in the NSEC3
|
||||
chain can be set in the flags field of the
|
||||
NSEC3PARAM record.
|
||||
|
||||
diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
|
||||
index ef6c1c7..b59b0ac 100644
|
||||
--- a/doc/arm/reference.rst
|
||||
+++ b/doc/arm/reference.rst
|
||||
@@ -35,7 +35,7 @@ The file :file:`named.conf` may contain three types of entities:
|
||||
|
||||
Block
|
||||
:ref:`Blocks <configuration_blocks>` are containers for :term:`statements
|
||||
- <statement>` which either have common functionality - for example,
|
||||
+ <Statement>` which either have common functionality - for example,
|
||||
the definition of a cryptographic key in a :namedconf:ref:`key` block - or which
|
||||
define the scope of the statement - for example, a statement which appears
|
||||
in a :namedconf:ref:`zone` block has scope only for that zone.
|
||||
@@ -68,7 +68,7 @@ The file :file:`named.conf` may contain three types of entities:
|
||||
more argument/value pairs. The :any:`also-notify` statement may take a number
|
||||
of such argument/value pairs, such as ``also-notify port 5353;``,
|
||||
where ``port`` is the argument and ``5353`` is the corresponding value.
|
||||
- - Statements can appear in a single :term:`block` - for
|
||||
+ - Statements can appear in a single :term:`block <Block>` - for
|
||||
example, an :namedconf:ref:`algorithm` statement can appear only in a
|
||||
:namedconf:ref:`key` block - or in multiple blocks - for example, an
|
||||
:any:`also-notify` statement can appear in an :namedconf:ref:`options`
|
||||
@@ -6550,8 +6550,8 @@ The following options can be specified in a :any:`dnssec-policy` statement:
|
||||
of the indicated length.
|
||||
|
||||
.. warning::
|
||||
- Do not use extra :term:`iterations`, :term:`salt`, and
|
||||
- :term:`opt-out` unless their implications are fully understood.
|
||||
+ Do not use extra :term:`iterations <Iterations>`, :term:`salt <Salt>`, and
|
||||
+ :term:`opt-out <Opt-out>` unless their implications are fully understood.
|
||||
A higher number of iterations causes interoperability problems and opens
|
||||
servers to CPU-exhausting DoS attacks.
|
||||
|
File diff suppressed because it is too large
@ -1,48 +0,0 @@
|
||||
From 87a2eac7a8264a0e8d64a8db85d44ec22454e256 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
||||
Date: Wed, 7 Sep 2022 13:46:31 +0200
|
||||
Subject: [PATCH 1/3] Add ENGINE_init and ENGINE_finish calls
|
||||
|
||||
According to manual page of ENGINE_init, it should be called explicitly
|
||||
before any key operations happens. Make it active whole lifetime.
|
||||
---
|
||||
lib/dns/openssl_link.c | 9 ++++++++-
|
||||
1 file changed, 8 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
|
||||
index 333f34cb37..a3f63885fa 100644
|
||||
--- a/lib/dns/openssl_link.c
|
||||
+++ b/lib/dns/openssl_link.c
|
||||
@@ -85,14 +85,20 @@ dst__openssl_init(const char *engine) {
|
||||
result = DST_R_NOENGINE;
|
||||
goto cleanup_rm;
|
||||
}
|
||||
+ if (!ENGINE_init(e)) {
|
||||
+ result = DST_R_NOENGINE;
|
||||
+ goto cleanup_rm;
|
||||
+ }
|
||||
/* This will init the engine. */
|
||||
if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
|
||||
result = DST_R_NOENGINE;
|
||||
- goto cleanup_rm;
|
||||
+ goto cleanup_init;
|
||||
}
|
||||
}
|
||||
|
||||
return (ISC_R_SUCCESS);
|
||||
+cleanup_init:
|
||||
+ ENGINE_finish(e);
|
||||
cleanup_rm:
|
||||
if (e != NULL) {
|
||||
ENGINE_free(e);
|
||||
@@ -108,6 +114,7 @@ void
|
||||
dst__openssl_destroy(void) {
|
||||
#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
|
||||
if (e != NULL) {
|
||||
+ ENGINE_finish(e);
|
||||
ENGINE_free(e);
|
||||
}
|
||||
e = NULL;
|
||||
--
|
||||
2.37.2
|
||||
|
@ -1,245 +0,0 @@
|
||||
From cc8edfc6670ba97434bc5acb595539fd9c7d9123 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
||||
Date: Thu, 8 Sep 2022 16:33:38 +0200
|
||||
Subject: [PATCH 3/3] Remove engine related parts for OpenSSL 3.0
|
||||
|
||||
OpenSSL just cannot work with mixing ENGINE_* api mixed with OSSL_PARAM
|
||||
builders. But it can be built in legacy mode, where deprecated but still
|
||||
working API would be used.
|
||||
|
||||
It can work under OpenSSL 3.0, but only if using legacy code paths
|
||||
matching OpenSSL 1.1 calls and functions.
|
||||
|
||||
Remove fromlabel processing by OpenSSL 3.0 only functions. They can
|
||||
return later with a proper provider support for pkcs11.
|
||||
---
|
||||
lib/dns/opensslecdsa_link.c | 55 -------------------------------------
|
||||
lib/dns/opensslrsa_link.c | 32 ---------------------
|
||||
2 files changed, 87 deletions(-)
|
||||
|
||||
diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c
|
||||
index 04f0d80b5e..f04f076e42 100644
|
||||
--- a/lib/dns/opensslecdsa_link.c
|
||||
+++ b/lib/dns/opensslecdsa_link.c
|
||||
@@ -1311,15 +1311,9 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
|
||||
#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
|
||||
isc_result_t ret = ISC_R_SUCCESS;
|
||||
ENGINE *e;
|
||||
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
EC_KEY *eckey = NULL;
|
||||
EC_KEY *pubeckey = NULL;
|
||||
int group_nid;
|
||||
-#else
|
||||
- size_t len;
|
||||
- const char *curve_name, *nist_curve_name;
|
||||
- char buf[128]; /* Sufficient for all of the supported curves' names. */
|
||||
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
EVP_PKEY *pkey = NULL;
|
||||
EVP_PKEY *pubpkey = NULL;
|
||||
|
||||
@@ -1336,22 +1330,11 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
|
||||
DST_RET(DST_R_NOENGINE);
|
||||
}
|
||||
|
||||
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
if (key->key_alg == DST_ALG_ECDSA256) {
|
||||
group_nid = NID_X9_62_prime256v1;
|
||||
} else {
|
||||
group_nid = NID_secp384r1;
|
||||
}
|
||||
-#else
|
||||
- /* Get the expected curve names */
|
||||
- if (key->key_alg == DST_ALG_ECDSA256) {
|
||||
- curve_name = "prime256v1";
|
||||
- nist_curve_name = "P-256";
|
||||
- } else {
|
||||
- curve_name = "secp384r1";
|
||||
- nist_curve_name = "P-384";
|
||||
- }
|
||||
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
|
||||
/* Load private key. */
|
||||
pkey = ENGINE_load_private_key(e, label, NULL, NULL);
|
||||
@@ -1363,7 +1346,6 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
|
||||
if (EVP_PKEY_base_id(pkey) != EVP_PKEY_EC) {
|
||||
DST_RET(DST_R_INVALIDPRIVATEKEY);
|
||||
}
|
||||
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
eckey = EVP_PKEY_get1_EC_KEY(pkey);
|
||||
if (eckey == NULL) {
|
||||
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
|
||||
@@ -1371,20 +1353,6 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
|
||||
if (EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey)) != group_nid) {
|
||||
DST_RET(DST_R_INVALIDPRIVATEKEY);
|
||||
}
|
||||
-#else
|
||||
- len = 0;
|
||||
- if (EVP_PKEY_get_utf8_string_param(pkey, OSSL_PKEY_PARAM_GROUP_NAME,
|
||||
- buf, sizeof buf, &len) != 1 ||
|
||||
- len == 0 || len >= sizeof buf)
|
||||
- {
|
||||
- DST_RET(DST_R_INVALIDPRIVATEKEY);
|
||||
- }
|
||||
- if (strncasecmp(buf, curve_name, strlen(curve_name)) != 0 &&
|
||||
- strncasecmp(buf, nist_curve_name, strlen(nist_curve_name)) != 0)
|
||||
- {
|
||||
- DST_RET(DST_R_INVALIDPRIVATEKEY);
|
||||
- }
|
||||
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
|
||||
/* Load public key. */
|
||||
pubpkey = ENGINE_load_public_key(e, label, NULL, NULL);
|
||||
@@ -1396,7 +1364,6 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
|
||||
if (EVP_PKEY_base_id(pubpkey) != EVP_PKEY_EC) {
|
||||
DST_RET(DST_R_INVALIDPUBLICKEY);
|
||||
}
|
||||
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
pubeckey = EVP_PKEY_get1_EC_KEY(pubpkey);
|
||||
if (pubeckey == NULL) {
|
||||
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
|
||||
@@ -1404,30 +1371,10 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
|
||||
if (EC_GROUP_get_curve_name(EC_KEY_get0_group(pubeckey)) != group_nid) {
|
||||
DST_RET(DST_R_INVALIDPUBLICKEY);
|
||||
}
|
||||
-#else
|
||||
- len = 0;
|
||||
- if (EVP_PKEY_get_utf8_string_param(pubpkey, OSSL_PKEY_PARAM_GROUP_NAME,
|
||||
- buf, sizeof buf, &len) != 1 ||
|
||||
- len == 0 || len >= sizeof buf)
|
||||
- {
|
||||
- DST_RET(DST_R_INVALIDPUBLICKEY);
|
||||
- }
|
||||
- if (strncasecmp(buf, curve_name, strlen(curve_name)) != 0 &&
|
||||
- strncasecmp(buf, nist_curve_name, strlen(nist_curve_name)) != 0)
|
||||
- {
|
||||
- DST_RET(DST_R_INVALIDPUBLICKEY);
|
||||
- }
|
||||
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
|
||||
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
if (ecdsa_check(eckey, pubeckey) != ISC_R_SUCCESS) {
|
||||
DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
|
||||
}
|
||||
-#else
|
||||
- if (ecdsa_check(&pkey, pubpkey) != ISC_R_SUCCESS) {
|
||||
- DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
|
||||
- }
|
||||
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
|
||||
key->label = isc_mem_strdup(key->mctx, label);
|
||||
key->engine = isc_mem_strdup(key->mctx, engine);
|
||||
@@ -1442,14 +1389,12 @@ err:
|
||||
if (pkey != NULL) {
|
||||
EVP_PKEY_free(pkey);
|
||||
}
|
||||
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
if (pubeckey != NULL) {
|
||||
EC_KEY_free(pubeckey);
|
||||
}
|
||||
if (eckey != NULL) {
|
||||
EC_KEY_free(eckey);
|
||||
}
|
||||
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
|
||||
return (ret);
|
||||
#else
|
||||
diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
|
||||
index 867b486a2f..cf350610ba 100644
|
||||
--- a/lib/dns/opensslrsa_link.c
|
||||
+++ b/lib/dns/opensslrsa_link.c
|
||||
@@ -1167,7 +1167,6 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
|
||||
key->engine = isc_mem_strdup(key->mctx, engine);
|
||||
key->label = isc_mem_strdup(key->mctx, label);
|
||||
|
||||
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
rsa = EVP_PKEY_get1_RSA(pkey);
|
||||
if (rsa == NULL) {
|
||||
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
|
||||
@@ -1176,16 +1175,6 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
|
||||
DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
|
||||
}
|
||||
RSA_get0_key(rsa, NULL, &ex, NULL);
|
||||
-#else
|
||||
- if (rsa_check(pkey, pub != NULL ? pub->keydata.pkey : NULL) !=
|
||||
- ISC_R_SUCCESS) {
|
||||
- DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
|
||||
- }
|
||||
- if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_E, &ex) !=
|
||||
- 1) {
|
||||
- DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
|
||||
- }
|
||||
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
|
||||
if (ex == NULL) {
|
||||
DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
|
||||
@@ -1437,12 +1426,8 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
|
||||
ENGINE *e = NULL;
|
||||
isc_result_t ret = ISC_R_SUCCESS;
|
||||
EVP_PKEY *pkey = NULL, *pubpkey = NULL;
|
||||
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
RSA *rsa = NULL, *pubrsa = NULL;
|
||||
const BIGNUM *ex = NULL;
|
||||
-#else
|
||||
- BIGNUM *ex = NULL;
|
||||
-#endif
|
||||
|
||||
UNUSED(pin);
|
||||
|
||||
@@ -1459,12 +1444,10 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
|
||||
DST_RET(dst__openssl_toresult2("ENGINE_load_public_key",
|
||||
DST_R_OPENSSLFAILURE));
|
||||
}
|
||||
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
pubrsa = EVP_PKEY_get1_RSA(pubpkey);
|
||||
if (pubrsa == NULL) {
|
||||
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
|
||||
}
|
||||
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
|
||||
pkey = ENGINE_load_private_key(e, label, NULL, NULL);
|
||||
if (pkey == NULL) {
|
||||
@@ -1475,7 +1458,6 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
|
||||
key->engine = isc_mem_strdup(key->mctx, engine);
|
||||
key->label = isc_mem_strdup(key->mctx, label);
|
||||
|
||||
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
rsa = EVP_PKEY_get1_RSA(pkey);
|
||||
if (rsa == NULL) {
|
||||
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
|
||||
@@ -1484,14 +1466,6 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
|
||||
DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
|
||||
}
|
||||
RSA_get0_key(rsa, NULL, &ex, NULL);
|
||||
-#else
|
||||
- if (rsa_check(pkey, pubpkey) != ISC_R_SUCCESS) {
|
||||
- DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
|
||||
- }
|
||||
- if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_E, &ex) != 1) {
|
||||
- DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
|
||||
- }
|
||||
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
|
||||
if (ex == NULL) {
|
||||
DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
|
||||
@@ -1505,18 +1479,12 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
|
||||
pkey = NULL;
|
||||
|
||||
err:
|
||||
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
if (rsa != NULL) {
|
||||
RSA_free(rsa);
|
||||
}
|
||||
if (pubrsa != NULL) {
|
||||
RSA_free(pubrsa);
|
||||
}
|
||||
-#else
|
||||
- if (ex != NULL) {
|
||||
- BN_free(ex);
|
||||
- }
|
||||
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
if (pkey != NULL) {
|
||||
EVP_PKEY_free(pkey);
|
||||
}
|
||||
--
|
||||
2.37.2
|
||||
|
15
bind.spec
15
bind.spec
@ -62,8 +62,8 @@ Conflicts: %1 \
|
||||
Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server
|
||||
Name: bind
|
||||
License: MPL-2.0
|
||||
Version: 9.18.7
|
||||
Release: 3%{?dist}
|
||||
Version: 9.18.8
|
||||
Release: 1%{?dist}
|
||||
Epoch: 32
|
||||
Url: https://www.isc.org/downloads/bind/
|
||||
#
|
||||
@ -99,16 +99,8 @@ Source49: named-chroot.files
|
||||
Patch10: bind-9.5-PIE.patch
|
||||
Patch16: bind-9.16-redhat_doc.patch
|
||||
Patch22: bind-9.11-fips-tests.patch
|
||||
# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5385
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2122841
|
||||
Patch23: bind-9.18-pkcs11-engine-init.patch
|
||||
Patch24: bind-9.18-pkcs11-engine-compat-api.patch
|
||||
Patch25: bind-9.18-pkcs11-engine-remove-deadcode.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2122010
|
||||
Patch26: bind-9.18-unittest-netmgr-unstable.patch
|
||||
# Fix building ARM docs in EPEL9
|
||||
# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/6815
|
||||
Patch27: bind-9.18-doc-arm-rhel9.patch
|
||||
|
||||
%{?systemd_ordering}
|
||||
Requires: coreutils
|
||||
@ -957,6 +949,9 @@ fi;
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Sat Oct 22 2022 Petr Menšík <pemensik@redhat.com> - 32:9.18.8-1
|
||||
- Update to 9.18.8 (#2136100)
|
||||
|
||||
* Fri Sep 30 2022 Petr Menšík <pemensik@redhat.com> - 32:9.18.7-3
|
||||
- Update License to SPDX identifier
|
||||
- Enable automatic restart on crashes
|
||||
|
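Review bot: The `%changelog` entry for 32:9.18.8-1 records only `- Update to 9.18.8 (#2136100)`, yet the hunk around `Patch10`…`Patch27` (`-99,16 +99,8`) drops eight lines. The +/- markers are lost in this rendering, so it is inferred that these are Patch23–Patch25 (the PKCS#11 engine fixes tied to bug 2122841) and Patch27, together with their comment lines. I would add a changelog line such as `- Drop pkcs11 engine and ARM documentation patches, if confirmed merged upstream` so the removal of downstream fixes stays traceable. Before merging, it is worth confirming that the 9.18.8 tarball contains the `ENGINE_init`/`ENGINE_finish` handling from the deleted patch (presumably bind-9.18-pkcs11-engine-init.patch), since otherwise loading keys through an OpenSSL engine could regress.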
4
sources
4
sources
@ -1,2 +1,2 @@
|
||||
SHA512 (bind-9.18.7.tar.xz) = 2cdceb4125b8759f5225296c6ffecdbb895b0a27dfcfcd98b04b9ad78552d16c16b0452fb823dc47d11cec21d2c6ecb05a107dd3094f8e7419bb9717d68820c5
|
||||
SHA512 (bind-9.18.7.tar.xz.asc) = 40030c2259858f1ba7ce4fbcd523025631ed78687ca87863d0f0bcd0fd530d96052e0601808ffa37e59d574a9a9c84bb2ededc66f730b9eaf560a00a6ef29c48
|
||||
SHA512 (bind-9.18.8.tar.xz) = ea6cad5276269a320fa1e666544888ed88b9d058ecab56c82aebff24e841a4ad221ce9c1209b1258884d71f7c03eed4d1c6a7e1922780073644344bc939a0e89
|
||||
SHA512 (bind-9.18.8.tar.xz.asc) = 06a880eb3af14e760f52ab5bd666b6512487d724a16a0fdf646ad9a07f17249e68a9a59ddf902f9111aee6450d96ed8dfe36d6fb433808f993d9bbc6dd4e665c
|
||||
|