diff --git a/.gitignore b/.gitignore index 2e6cd23..c6e3afe 100644 --- a/.gitignore +++ b/.gitignore @@ -190,3 +190,5 @@ bind-9.7.2b1.tar.gz /bind-9.18.5.tar.xz.asc /bind-9.18.6.tar.xz /bind-9.18.6.tar.xz.asc +/bind-9.18.7.tar.xz +/bind-9.18.7.tar.xz.asc diff --git a/bind-9.11-fips-tests.patch b/bind-9.11-fips-tests.patch index ea38410..415a87a 100644 --- a/bind-9.11-fips-tests.patch +++ b/bind-9.11-fips-tests.patch @@ -1,4 +1,4 @@ -From 09030b066846a9b7252b5cb4f483d4a55b4639fc Mon Sep 17 00:00:00 2001 +From b1e27453fadcf8ce453beed5b896ad995dfb5534 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Thu, 2 Aug 2018 23:46:45 +0200 Subject: [PATCH] FIPS tests changes @@ -81,20 +81,18 @@ Date: Wed Mar 7 10:44:23 2018 +0100 bin/tests/system/nsupdate/ns1/named.conf.in | 2 +- bin/tests/system/nsupdate/ns2/named.conf.in | 2 +- bin/tests/system/nsupdate/setup.sh | 6 +- - bin/tests/system/nsupdate/tests.sh | 11 ++- + bin/tests/system/nsupdate/tests.sh | 9 ++- bin/tests/system/rndc/setup.sh | 2 +- bin/tests/system/rndc/tests.sh | 22 +++--- bin/tests/system/tsig/ns1/named.conf.in | 10 +-- - bin/tests/system/tsig/ns1/rndc5.conf.in | 10 +++ bin/tests/system/tsig/setup.sh | 5 ++ bin/tests/system/tsig/tests.sh | 67 ++++++++++++------- bin/tests/system/upforwd/ns1/named.conf.in | 2 +- bin/tests/system/upforwd/tests.sh | 2 +- - 32 files changed, 159 insertions(+), 106 deletions(-) - create mode 100644 bin/tests/system/tsig/ns1/rndc5.conf.in + 31 files changed, 147 insertions(+), 106 deletions(-) diff --git a/bin/tests/system/acl/ns2/named1.conf.in b/bin/tests/system/acl/ns2/named1.conf.in -index 745048a..93cb411 100644 +index 8787c6a..b781d0b 100644 --- a/bin/tests/system/acl/ns2/named1.conf.in +++ b/bin/tests/system/acl/ns2/named1.conf.in @@ -35,12 +35,12 @@ options { @@ -113,7 +111,7 @@ index 745048a..93cb411 100644 }; 
diff --git a/bin/tests/system/acl/ns2/named2.conf.in b/bin/tests/system/acl/ns2/named2.conf.in -index 21aa991..78e71cc 100644 +index a95b4c1..3f3f471 100644 --- a/bin/tests/system/acl/ns2/named2.conf.in +++ b/bin/tests/system/acl/ns2/named2.conf.in @@ -35,12 +35,12 @@ options { @@ -132,7 +130,7 @@ index 21aa991..78e71cc 100644 }; diff --git a/bin/tests/system/acl/ns2/named3.conf.in b/bin/tests/system/acl/ns2/named3.conf.in -index 3208c92..bed6325 100644 +index 14cc3fe..9507706 100644 --- a/bin/tests/system/acl/ns2/named3.conf.in +++ b/bin/tests/system/acl/ns2/named3.conf.in @@ -35,17 +35,17 @@ options { @@ -157,7 +155,7 @@ index 3208c92..bed6325 100644 }; diff --git a/bin/tests/system/acl/ns2/named4.conf.in b/bin/tests/system/acl/ns2/named4.conf.in -index 14e82ed..a22cafe 100644 +index 77cf110..029c91b 100644 --- a/bin/tests/system/acl/ns2/named4.conf.in +++ b/bin/tests/system/acl/ns2/named4.conf.in @@ -35,12 +35,12 @@ options { @@ -176,7 +174,7 @@ index 14e82ed..a22cafe 100644 }; diff --git a/bin/tests/system/acl/ns2/named5.conf.in b/bin/tests/system/acl/ns2/named5.conf.in -index f43f33c..f4a865a 100644 +index 5ccabf9..6154797 100644 --- a/bin/tests/system/acl/ns2/named5.conf.in +++ b/bin/tests/system/acl/ns2/named5.conf.in @@ -37,12 +37,12 @@ options { @@ -539,10 +537,10 @@ index 4af25b0..9f202d5 100644 }; diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf -index 897dc86..e4b6dc1 100644 +index 154bf75..e7a05cd 100644 --- a/bin/tests/system/checkconf/good.conf +++ b/bin/tests/system/checkconf/good.conf -@@ -270,6 +270,6 @@ dyndb "name" "library.so" { +@@ -283,6 +283,6 @@ dyndb "name" "library.so" { system; }; key "mykey" { @@ -608,7 +606,7 @@ index 5cab276..d4a7bf3 100644 }; diff --git a/bin/tests/system/notify/tests.sh b/bin/tests/system/notify/tests.sh -index 04fd34b..e5476ea 100644 +index 95158a4..9b9aa0a 100644 --- a/bin/tests/system/notify/tests.sh +++ b/bin/tests/system/notify/tests.sh 
@@ -179,7 +179,7 @@ test_start "checking notify to multiple views using tsig" @@ -633,7 +631,7 @@ index 04fd34b..e5476ea 100644 grep "test string" "$fnb" > /dev/null && grep "test string" "$fnc" > /dev/null && diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in -index 81d0c99..effbe2e 100644 +index 2b67360..a734584 100644 --- a/bin/tests/system/nsupdate/ns1/named.conf.in +++ b/bin/tests/system/nsupdate/ns1/named.conf.in @@ -39,7 +39,7 @@ controls { @@ -646,7 +644,7 @@ index 81d0c99..effbe2e 100644 }; diff --git a/bin/tests/system/nsupdate/ns2/named.conf.in b/bin/tests/system/nsupdate/ns2/named.conf.in -index f1a1735..da2b3d1 100644 +index c85eef5..428b6b1 100644 --- a/bin/tests/system/nsupdate/ns2/named.conf.in +++ b/bin/tests/system/nsupdate/ns2/named.conf.in @@ -34,7 +34,7 @@ controls { @@ -676,26 +674,24 @@ index 50056dc..a4a1a3f 100644 $TSIGKEYGEN -a hmac-sha224 sha224-key > ns1/sha224.key $TSIGKEYGEN -a hmac-sha256 sha256-key > ns1/sha256.key diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh -index 0863d0a..559def7 100755 +index 0bb9d00..ecbc0df 100755 --- a/bin/tests/system/nsupdate/tests.sh +++ b/bin/tests/system/nsupdate/tests.sh -@@ -841,7 +841,14 @@ fi - n=`expr $n + 1` +@@ -841,7 +841,12 @@ fi + n=$((n + 1)) ret=0 echo_i "check TSIG key algorithms (nsupdate -k) ($n)" -for alg in md5 sha1 sha224 sha256 sha384 sha512; do -+if $FEATURETEST --md5 -+then -+ ALGS="md5 sha1 sha224 sha256 sha384 sha512" -+else -+ ALGS="sha1 sha224 sha256 sha384 sha512" ++MD5ALG='md5' ++if ! $FEATURETEST --md5; then ++ MD5ALG='' + echo_i "skipping disabled md5 algorithm" +fi -+for alg in $ALGS; do ++for alg in $MD5ALG sha1 sha224 sha256 sha384 sha512; do $NSUPDATE -k ns1/${alg}.key < /dev/null || ret=1 server 10.53.0.1 ${PORT} update add ${alg}.keytests.nil. 600 A 10.10.10.3 -@@ -849,7 +856,7 @@ send +@@ -849,7 +854,7 @@ send END done sleep 2 
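Review bot: In the refreshed nsupdate/tests.sh hunk, `if ! $FEATURETEST --md5; then` treats every non-zero exit as "MD5 disabled", so a missing or failing feature-test helper would also drop the hmac-md5 case with only an `echo_i` line, and the check would still pass. Because this patch exists to run the suite under FIPS, it would be safer to tell the two cases apart, for example by failing first when the helper cannot be run (`[ -x "$FEATURETEST" ] || ret=1`, assuming `$FEATURETEST` holds a single path). The loop header `for alg in $MD5ALG sha1 sha224 sha256 sha384 sha512; do` depends on the unquoted, empty `$MD5ALG` expanding to nothing, so a comment such as `# $MD5ALG is deliberately unquoted: empty means no md5 iteration` would stop someone from quoting it later. The loop body and the later verification loop (`@@ -849,7 +854,7 @@`) are not fully visible here, so confirm the second loop iterates the same list.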
@@ -718,7 +714,7 @@ index 4dd6fa7..1b79263 100644 make_key 3 ${EXTRAPORT3} hmac-sha224 make_key 4 ${EXTRAPORT4} hmac-sha256 diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh -index e678153..e7ec855 100644 +index a66ca15..6ebf78c 100644 --- a/bin/tests/system/rndc/tests.sh +++ b/bin/tests/system/rndc/tests.sh @@ -350,15 +350,19 @@ if [ $ret != 0 ]; then echo_i "failed"; fi @@ -778,22 +774,6 @@ index 76cf970..22637af 100644 key "sha1-trunc" { secret "FrSt77yPTFx6hTs4i2tKLB9LmE0="; -diff --git a/bin/tests/system/tsig/ns1/rndc5.conf.in b/bin/tests/system/tsig/ns1/rndc5.conf.in -new file mode 100644 -index 0000000..0682194 ---- /dev/null -+++ b/bin/tests/system/tsig/ns1/rndc5.conf.in -@@ -0,0 +1,10 @@ -+# Conditionally included when support for MD5 is available -+key "md5" { -+ secret "97rnFx24Tfna4mHPfgnerA=="; -+ algorithm hmac-md5; -+}; -+ -+key "md5-trunc" { -+ secret "97rnFx24Tfna4mHPfgnerA=="; -+ algorithm hmac-md5-80; -+}; diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh index 34cc73b..d51ff21 100644 --- a/bin/tests/system/tsig/setup.sh diff --git a/bind-9.18-pkcs11-engine-compat-api.patch b/bind-9.18-pkcs11-engine-compat-api.patch index 32126f4..678d199 100644 --- a/bind-9.18-pkcs11-engine-compat-api.patch +++ b/bind-9.18-pkcs11-engine-compat-api.patch @@ -1,7 +1,7 @@ -From 561356ec1d46abb939e4eed10ee2c9e639eb88db Mon Sep 17 00:00:00 2001 +From 1ecf072a6a556aa386003d1d5b83fe172320e7ed Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Thu, 8 Sep 2022 17:19:20 +0200 -Subject: [PATCH 2/3] Do not use OSSL_PARAM when engine API is compiled +Subject: [PATCH] Do not use OSSL_PARAM when engine API is compiled OpenSSL has deprecated many things in version 3.0. If pkcs11 engine should work then no builder from OpenSSL 3.0 API can be used. @@ -16,7 +16,7 @@ working keys loading from the engine passed on command line. 3 files changed, 189 insertions(+), 184 deletions(-) 
diff --git a/lib/dns/openssldh_link.c b/lib/dns/openssldh_link.c -index d5dbc2e889..96c1d523b7 100644 +index 1a01c2b..7df483f 100644 --- a/lib/dns/openssldh_link.c +++ b/lib/dns/openssldh_link.c @@ -91,7 +91,7 @@ static BIGNUM *bn2 = NULL, *bn768 = NULL, *bn1024 = NULL, *bn1536 = NULL; @@ -68,16 +68,16 @@ index d5dbc2e889..96c1d523b7 100644 isc_buffer_add(secret, (unsigned int)secret_len); -@@ -165,7 +165,7 @@ openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv, - +@@ -166,7 +166,7 @@ openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv, static bool openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) { + bool ret = true; -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 DH *dh1, *dh2; const BIGNUM *pub_key1 = NULL, *pub_key2 = NULL; const BIGNUM *priv_key1 = NULL, *priv_key2 = NULL; -@@ -175,9 +175,9 @@ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) { +@@ -176,9 +176,9 @@ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) { BIGNUM *pub_key1 = NULL, *pub_key2 = NULL; BIGNUM *priv_key1 = NULL, *priv_key2 = NULL; BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL; @@ -89,7 +89,7 @@ index d5dbc2e889..96c1d523b7 100644 dh1 = key1->keydata.dh; dh2 = key2->keydata.dh; -@@ -209,7 +209,7 @@ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) { +@@ -210,7 +210,7 @@ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) { EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_PUB_KEY, &pub_key2); EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_PRIV_KEY, &priv_key1); EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_PRIV_KEY, &priv_key2); @@ -99,15 +99,15 @@ index d5dbc2e889..96c1d523b7 100644 if (BN_cmp(p1, p2) != 0 || BN_cmp(g1, g2) != 0 || BN_cmp(pub_key1, pub_key2) != 0) 
@@ -226,7 +226,7 @@ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) { - } } + err: -#if OPENSSL_VERSION_NUMBER >= 0x30000000L +#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 if (p1 != NULL) { BN_free(p1); } -@@ -251,22 +251,23 @@ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) { +@@ -251,7 +251,8 @@ err: if (priv_key2 != NULL) { BN_clear_free(priv_key2); } @@ -115,11 +115,12 @@ index d5dbc2e889..96c1d523b7 100644 +#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 \ + */ - return (true); + return (ret); } - +@@ -259,15 +260,15 @@ err: static bool openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) { + bool ret = true; -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 DH *dh1, *dh2; @@ -135,7 +136,7 @@ index d5dbc2e889..96c1d523b7 100644 dh1 = key1->keydata.dh; dh2 = key2->keydata.dh; -@@ -292,13 +293,13 @@ openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) { +@@ -293,14 +294,14 @@ openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) { EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_FFC_P, &p2); EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_FFC_G, &g1); EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_FFC_G, &g2); @@ -143,15 +144,16 @@ index d5dbc2e889..96c1d523b7 100644 +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ if (BN_cmp(p1, p2) != 0 || BN_cmp(g1, g2) != 0) { - return (false); + DST_RET(false); } + err: -#if OPENSSL_VERSION_NUMBER >= 0x30000000L +#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 if (p1 != NULL) { BN_free(p1); } -@@ -311,12 +312,13 @@ openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) { +@@ -313,12 +314,13 @@ err: if (g2 != NULL) { BN_free(g2); } 
@@ -159,7 +161,7 @@ index d5dbc2e889..96c1d523b7 100644 +#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 \ + */ - return (true); + return (ret); } -#if OPENSSL_VERSION_NUMBER < 0x30000000L @@ -167,7 +169,7 @@ index d5dbc2e889..96c1d523b7 100644 static int progress_cb(int p, int n, BN_GENCB *cb) { union { -@@ -347,7 +349,7 @@ progress_cb(EVP_PKEY_CTX *ctx) { +@@ -349,7 +351,7 @@ progress_cb(EVP_PKEY_CTX *ctx) { } return (1); } @@ -176,7 +178,7 @@ index d5dbc2e889..96c1d523b7 100644 static isc_result_t openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { -@@ -357,7 +359,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { +@@ -359,7 +361,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { void (*fptr)(int); } u; BIGNUM *p = NULL, *g = NULL; @@ -185,7 +187,7 @@ index d5dbc2e889..96c1d523b7 100644 DH *dh = NULL; BN_GENCB *cb = NULL; #if !HAVE_BN_GENCB_NEW -@@ -370,9 +372,9 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { +@@ -372,9 +374,9 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { EVP_PKEY_CTX *ctx = NULL; EVP_PKEY *param_pkey = NULL; EVP_PKEY *pkey = NULL; @@ -197,7 +199,7 @@ index d5dbc2e889..96c1d523b7 100644 dh = DH_new(); if (dh == NULL) { DST_RET(dst__openssl_toresult(ISC_R_NOMEMORY)); -@@ -386,7 +388,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { +@@ -388,7 +390,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { if (param_ctx == NULL) { DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); } 
@@ -206,7 +208,7 @@ index d5dbc2e889..96c1d523b7 100644 if (generator == 0) { /* -@@ -406,7 +408,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { +@@ -408,7 +410,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { if (p == NULL || g == NULL) { DST_RET(dst__openssl_toresult(ISC_R_NOMEMORY)); } @@ -215,7 +217,7 @@ index d5dbc2e889..96c1d523b7 100644 if (DH_set0_pqg(dh, p, NULL, g) != 1) { DST_RET(dst__openssl_toresult2( "DH_set0_pqg", DST_R_OPENSSLFAILURE)); -@@ -430,7 +432,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { +@@ -432,7 +434,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { DST_R_OPENSSLFAILURE)); } params = OSSL_PARAM_BLD_to_param(bld); @@ -224,7 +226,7 @@ index d5dbc2e889..96c1d523b7 100644 } else { /* -@@ -443,7 +445,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { +@@ -445,7 +447,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { } if (generator != 0) { @@ -233,7 +235,7 @@ index d5dbc2e889..96c1d523b7 100644 cb = BN_GENCB_new(); #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) if (cb == NULL) { -@@ -486,10 +488,10 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { +@@ -488,10 +490,10 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { DST_R_OPENSSLFAILURE)); } params = OSSL_PARAM_BLD_to_param(bld); @@ -246,7 +248,7 @@ index d5dbc2e889..96c1d523b7 100644 if (DH_generate_key(dh) == 0) { DST_RET(dst__openssl_toresult2("DH_generate_key", DST_R_OPENSSLFAILURE)); -@@ -557,12 +559,12 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { +@@ -559,12 +561,12 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { key->keydata.pkey = pkey; pkey = NULL; 
@@ -261,7 +263,7 @@ index d5dbc2e889..96c1d523b7 100644 if (dh != NULL) { DH_free(dh); } -@@ -594,14 +596,14 @@ err: +@@ -596,14 +598,14 @@ err: if (g != NULL) { BN_free(g); } @@ -278,7 +280,7 @@ index d5dbc2e889..96c1d523b7 100644 DH *dh = key->keydata.dh; const BIGNUM *priv_key = NULL; -@@ -626,12 +628,12 @@ openssldh_isprivate(const dst_key_t *key) { +@@ -628,12 +630,12 @@ openssldh_isprivate(const dst_key_t *key) { } return (ret); @@ -293,7 +295,7 @@ index d5dbc2e889..96c1d523b7 100644 DH *dh = key->keydata.dh; if (dh == NULL) { -@@ -649,7 +651,7 @@ openssldh_destroy(dst_key_t *key) { +@@ -651,7 +653,7 @@ openssldh_destroy(dst_key_t *key) { EVP_PKEY_free(pkey); key->keydata.pkey = NULL; @@ -302,10 +304,10 @@ index d5dbc2e889..96c1d523b7 100644 } static void -@@ -675,17 +677,17 @@ uint16_fromregion(isc_region_t *region) { - +@@ -678,17 +680,17 @@ uint16_fromregion(isc_region_t *region) { static isc_result_t openssldh_todns(const dst_key_t *key, isc_buffer_t *data) { + isc_result_t ret = ISC_R_SUCCESS; -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 DH *dh; @@ -323,7 +325,7 @@ index d5dbc2e889..96c1d523b7 100644 REQUIRE(key->keydata.dh != NULL); dh = key->keydata.dh; -@@ -698,7 +700,7 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) { +@@ -701,7 +703,7 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) { EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_FFC_P, &p); EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_FFC_G, &g); EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PUB_KEY, &pub_key); 
@@ -332,16 +334,16 @@ index d5dbc2e889..96c1d523b7 100644 isc_buffer_availableregion(data, &r); -@@ -745,7 +747,7 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) { - +@@ -749,7 +751,7 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) { isc_buffer_add(data, dnslen); + err: -#if OPENSSL_VERSION_NUMBER >= 0x30000000L +#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 if (p != NULL) { BN_free(p); } -@@ -755,7 +757,8 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) { +@@ -759,7 +761,8 @@ err: if (pub_key != NULL) { BN_free(pub_key); } @@ -349,9 +351,9 @@ index d5dbc2e889..96c1d523b7 100644 +#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 \ + */ - return (ISC_R_SUCCESS); + return (ret); } -@@ -763,14 +766,14 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) { +@@ -767,14 +770,14 @@ err: static isc_result_t openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { isc_result_t ret; @@ -368,7 +370,7 @@ index d5dbc2e889..96c1d523b7 100644 BIGNUM *pub_key = NULL, *p = NULL, *g = NULL; int key_size; isc_region_t r; -@@ -782,7 +785,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { +@@ -786,7 +789,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { return (ISC_R_SUCCESS); } @@ -377,7 +379,7 @@ index d5dbc2e889..96c1d523b7 100644 dh = DH_new(); if (dh == NULL) { DST_RET(dst__openssl_toresult(ISC_R_NOMEMORY)); -@@ -797,7 +800,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { +@@ -801,7 +804,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { if (ctx == NULL) { DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); } @@ -386,7 +388,7 @@ index d5dbc2e889..96c1d523b7 100644 /* * Read the prime length. 1 & 2 are table entries, > 16 means a -@@ -873,7 +876,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { +@@ -877,7 +880,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { key_size = BN_num_bits(p); 
@@ -395,7 +397,7 @@ index d5dbc2e889..96c1d523b7 100644 if (DH_set0_pqg(dh, p, NULL, g) != 1) { DST_RET(dst__openssl_toresult2("DH_set0_pqg", DST_R_OPENSSLFAILURE)); -@@ -889,7 +892,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { +@@ -893,7 +896,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { DST_RET(dst__openssl_toresult2("OSSL_PARAM_BLD_push_BN", DST_R_OPENSSLFAILURE)); } @@ -404,7 +406,7 @@ index d5dbc2e889..96c1d523b7 100644 if (r.length < 2) { DST_RET(DST_R_INVALIDPUBLICKEY); -@@ -907,7 +910,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { +@@ -911,7 +914,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { isc_buffer_forward(data, plen + glen + publen + 6); @@ -413,7 +415,7 @@ index d5dbc2e889..96c1d523b7 100644 #if (LIBRESSL_VERSION_NUMBER >= 0x2070000fL) && \ (LIBRESSL_VERSION_NUMBER <= 0x2070200fL) /* -@@ -951,14 +954,14 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { +@@ -955,14 +958,14 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { key->keydata.pkey = pkey; pkey = NULL; @@ -430,7 +432,7 @@ index d5dbc2e889..96c1d523b7 100644 if (dh != NULL) { DH_free(dh); } -@@ -975,7 +978,7 @@ err: +@@ -979,7 +982,7 @@ err: if (bld != NULL) { OSSL_PARAM_BLD_free(bld); } @@ -439,7 +441,7 @@ index d5dbc2e889..96c1d523b7 100644 if (p != NULL) { BN_free(p); } -@@ -991,13 +994,13 @@ err: +@@ -995,13 +998,13 @@ err: static isc_result_t openssldh_tofile(const dst_key_t *key, const char *directory) { @@ -455,7 +457,7 @@ index d5dbc2e889..96c1d523b7 100644 dst_private_t priv; unsigned char *bufs[4] = { NULL }; unsigned short i = 0; -@@ -1007,7 +1010,7 @@ openssldh_tofile(const dst_key_t *key, const char *directory) { +@@ -1011,7 +1014,7 @@ openssldh_tofile(const dst_key_t *key, const char *directory) { return (DST_R_EXTERNALKEY); } 
@@ -464,7 +466,7 @@ index d5dbc2e889..96c1d523b7 100644 if (key->keydata.dh == NULL) { return (DST_R_NULLKEY); } -@@ -1025,7 +1028,7 @@ openssldh_tofile(const dst_key_t *key, const char *directory) { +@@ -1029,7 +1032,7 @@ openssldh_tofile(const dst_key_t *key, const char *directory) { EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_FFC_G, &g); EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PUB_KEY, &pub_key); EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PRIV_KEY, &priv_key); @@ -473,7 +475,7 @@ index d5dbc2e889..96c1d523b7 100644 priv.elements[i].tag = TAG_DH_PRIME; priv.elements[i].length = BN_num_bytes(p); -@@ -1065,7 +1068,7 @@ openssldh_tofile(const dst_key_t *key, const char *directory) { +@@ -1069,7 +1072,7 @@ openssldh_tofile(const dst_key_t *key, const char *directory) { } } @@ -482,7 +484,7 @@ index d5dbc2e889..96c1d523b7 100644 if (p != NULL) { BN_free(p); } -@@ -1078,7 +1081,8 @@ openssldh_tofile(const dst_key_t *key, const char *directory) { +@@ -1082,7 +1085,8 @@ openssldh_tofile(const dst_key_t *key, const char *directory) { if (priv_key != NULL) { BN_clear_free(priv_key); } @@ -492,7 +494,7 @@ index d5dbc2e889..96c1d523b7 100644 return (result); } -@@ -1088,14 +1092,14 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { +@@ -1092,14 +1096,14 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { dst_private_t priv; isc_result_t ret; int i; @@ -509,7 +511,7 @@ index d5dbc2e889..96c1d523b7 100644 BIGNUM *pub_key = NULL, *priv_key = NULL, *p = NULL, *g = NULL; int key_size = 0; isc_mem_t *mctx; -@@ -1113,7 +1117,7 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { +@@ -1117,7 +1121,7 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { DST_RET(DST_R_EXTERNALKEY); } 
@@ -518,7 +520,7 @@ index d5dbc2e889..96c1d523b7 100644 dh = DH_new(); if (dh == NULL) { DST_RET(ISC_R_NOMEMORY); -@@ -1128,7 +1132,7 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { +@@ -1132,7 +1136,7 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { if (ctx == NULL) { DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); } @@ -527,7 +529,7 @@ index d5dbc2e889..96c1d523b7 100644 for (i = 0; i < priv.nelements; i++) { BIGNUM *bn; -@@ -1155,7 +1159,7 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { +@@ -1159,7 +1163,7 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { } } @@ -536,7 +538,7 @@ index d5dbc2e889..96c1d523b7 100644 if (DH_set0_key(dh, pub_key, priv_key) != 1) { DST_RET(dst__openssl_toresult2("DH_set0_key", DST_R_OPENSSLFAILURE)); -@@ -1202,13 +1206,13 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { +@@ -1206,13 +1210,13 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { key->keydata.pkey = pkey; pkey = NULL; @@ -552,7 +554,7 @@ index d5dbc2e889..96c1d523b7 100644 if (dh != NULL) { DH_free(dh); } -@@ -1225,7 +1229,7 @@ err: +@@ -1229,7 +1233,7 @@ err: if (bld != NULL) { OSSL_PARAM_BLD_free(bld); } @@ -562,7 +564,7 @@ index d5dbc2e889..96c1d523b7 100644 BN_free(p); } diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c -index 519e88b7e7..04f0d80b5e 100644 +index 519e88b..04f0d80 100644 --- a/lib/dns/opensslecdsa_link.c +++ b/lib/dns/opensslecdsa_link.c @@ -17,14 +17,14 @@ @@ -1045,7 +1047,7 @@ index 519e88b7e7..04f0d80b5e 100644 key->keydata.generic = NULL; } diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c -index fc905b7d60..867b486a2f 100644 +index fc905b7..867b486 100644 --- a/lib/dns/opensslrsa_link.c +++ b/lib/dns/opensslrsa_link.c @@ -18,7 +18,7 @@ @@ -1550,5 +1552,5 @@ index fc905b7d60..867b486a2f 100644 RSA_free(rsa); } -- -2.37.2 +2.37.3 
diff --git a/bind.spec b/bind.spec
index cc93e82..178f2b9 100644
--- a/bind.spec
+++ b/bind.spec
@@ -62,8 +62,8 @@ Conflicts: %1 \
 Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server
 Name: bind
 License: MPLv2.0
-Version: 9.18.6
-Release: 4%{?dist}
+Version: 9.18.7
+Release: 1%{?dist}
 Epoch: 32
 Url: https://www.isc.org/downloads/bind/
 #
@@ -954,6 +954,9 @@ fi;
 %endif
 
 %changelog
+* Wed Sep 21 2022 Petr Menšík - 32:9.18.7-1
+- Update to 9.18.7 (#2128609)
+
 * Wed Sep 14 2022 Petr Menšík - 32:9.18.6-4
 - Disable yet another test (##2122010)
 
diff --git a/sources b/sources
index 9d5923f..25459e0 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (bind-9.18.6.tar.xz) = 6b31eb56cf25b2cb1d8af0f76f9cac0e0985c78cbe3ba80164d773cb0bf77116dd98b5c4b84e3c74fd35b5da501ee6ba2dc0fae12267104edde2cb2daa1e1ba7
-SHA512 (bind-9.18.6.tar.xz.asc) = 13629b56acb02ca1fe861e6a17e949fee276de83624d972174893e48cc5de650a2a0081262e5e0d6913360861e2c91fed6b808ed8ae702e5cb2e2380eacf163b
+SHA512 (bind-9.18.7.tar.xz) = 2cdceb4125b8759f5225296c6ffecdbb895b0a27dfcfcd98b04b9ad78552d16c16b0452fb823dc47d11cec21d2c6ecb05a107dd3094f8e7419bb9717d68820c5
+SHA512 (bind-9.18.7.tar.xz.asc) = 40030c2259858f1ba7ce4fbcd523025631ed78687ca87863d0f0bcd0fd530d96052e0601808ffa37e59d574a9a9c84bb2ededc66f730b9eaf560a00a6ef29c48