From 865df6a4ea2eb5c0eb944acdd303ff7fc3b44d3b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Wed, 3 Aug 2022 20:12:34 +0200
Subject: [PATCH] Update to 0.16.2

Resolves: rhbz#2087120 CVE-2022-30698 https://nlnetlabs.nl/projects/unbound/download/#unbound-1-16-2
---
 .gitignore | 3 +-
 sources | 4 +-
 unbound-1.16-fips-ed25519.patch | 96 ---------------------------------
 unbound.spec | 9 ++--
 4 files changed, 9 insertions(+), 103 deletions(-)
 delete mode 100644 unbound-1.16-fips-ed25519.patch
diff --git a/.gitignore b/.gitignore
index 3b9ae64..a877fda 100644
--- a/.gitignore
+++ b/.gitignore
@@ -70,4 +70,5 @@ unbound-1.4.5.tar.gz
 /unbound-1.15.0.tar.gz
 /unbound-1.15.0.tar.gz.asc
 /unbound-1.16.0.tar.gz
-/unbound-1.16.0.tar.gz.asc
+/unbound-1.16.2.tar.gz
+/unbound-1.16.2.tar.gz.asc
diff --git a/sources b/sources
index 1586e1f..abff2db 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (unbound-1.16.0.tar.gz) = 134679c0baad6738541295fcfbf8cc701c647b5d5cd00f87e50394bc7b5b74b7326ed2fc42f3282cae8094b4980c1e580d7b748b7151642c9060c449b644715f
-SHA512 (unbound-1.16.0.tar.gz.asc) = 1b7640df051bf9f37e261c4e7fa3b3343982f608c529553985eeb9444688ba9e751f45ad666ab13b783beff24806eef14e9833090a4aea249e1fa5023e3c0432
+SHA512 (unbound-1.16.2.tar.gz) = 0ea65ea63265be677441bd2a28df12098ec5e86c3372240c2874f9bd13752b8b818da81ae6076cf02cbeba3d36e397698a4c2b50570be1a6a8e47f57a0251572
+SHA512 (unbound-1.16.2.tar.gz.asc) = bc5241c86f90be76886209c81d6f1c025d4774fa00d114180b99d43999f31b1b4c8d123717b8a79a60bc3acfcbe9f46678b80b3d961431c7bfd05ff48c69ef4f
diff --git a/unbound-1.16-fips-ed25519.patch b/unbound-1.16-fips-ed25519.patch
deleted file mode 100644
index 36d0e26..0000000
--- a/unbound-1.16-fips-ed25519.patch
+++ /dev/null
@@ -1,96 +0,0 @@
-From cff6307f44c79df8975b3f205e98cd1a0464824b Mon Sep 17 00:00:00 2001
-From: Petr Mensik
-Date: Wed, 27 Apr 2022 19:58:39 +0200
-Subject: [PATCH] Disable ED25519 and ED448 in FIPS mode on openssl3
-
-Both crypto functions are not allowed by FIPS 140-3. Use openssl 3.0
-function to check FIPS mode presence and use it to make those algorithms
-unsupported.
----
- unbound-1.16.0/config.h.in | 4 ++++
- unbound-1.16.0/configure.ac | 2 +-
- unbound-1.16.0/validator/val_secalgo.c | 17 ++++++++++++++++-
- 3 files changed, 21 insertions(+), 2 deletions(-)
-
-diff --git a/unbound-1.16.0/config.h.in b/unbound-1.16.0/config.h.in
-index a080dde..cc1fbe8 100644
---- a/unbound-1.16.0/config.h.in
-+++ b/unbound-1.16.0/config.h.in
-@@ -222,6 +222,10 @@
- /* Define to 1 if you have the `EVP_cleanup' function. */
- #undef HAVE_EVP_CLEANUP
-
-+/* Define to 1 if you have the `EVP_default_properties_is_fips_enabled'
-+ function. */
-+#undef HAVE_EVP_DEFAULT_PROPERTIES_IS_FIPS_ENABLED
-+
- /* Define to 1 if you have the `EVP_DigestVerify' function. */
- #undef HAVE_EVP_DIGESTVERIFY
-
-diff --git a/unbound-1.16.0/configure.ac b/unbound-1.16.0/configure.ac
-index 1453b3a..69cb13b 100644
---- a/unbound-1.16.0/configure.ac
-+++ b/unbound-1.16.0/configure.ac
-@@ -906,7 +906,7 @@ else
- AC_MSG_RESULT([no])
- fi
- AC_CHECK_HEADERS([openssl/conf.h openssl/engine.h openssl/bn.h openssl/dh.h openssl/dsa.h openssl/rsa.h openssl/core_names.h openssl/param_build.h],,, [AC_INCLUDES_DEFAULT])
--AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback EVP_MAC_CTX_set_params OSSL_PARAM_BLD_new BIO_set_callback_ex])
-+AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_default_properties_is_fips_enabled EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback EVP_MAC_CTX_set_params OSSL_PARAM_BLD_new BIO_set_callback_ex])
-
- # these check_funcs need -lssl
- BAKLIBS="$LIBS"
-diff --git a/unbound-1.16.0/validator/val_secalgo.c b/unbound-1.16.0/validator/val_secalgo.c
-index 7abf66f..6276675 100644
---- a/unbound-1.16.0/validator/val_secalgo.c
-+++ b/unbound-1.16.0/validator/val_secalgo.c
-@@ -215,6 +215,10 @@ ds_digest_size_supported(int algo)
- switch(algo) {
- case LDNS_SHA1:
- #if defined(HAVE_EVP_SHA1) && defined(USE_SHA1)
-+#ifdef HAVE_EVP_DEFAULT_PROPERTIES_IS_FIPS_ENABLED
-+ if (EVP_default_properties_is_fips_enabled(NULL))
-+ return 0;
-+#endif
- return SHA_DIGEST_LENGTH;
- #else
- if(fake_sha1) return 20;
-@@ -325,7 +329,11 @@ dnskey_algo_id_is_supported(int id)
- case LDNS_RSASHA1:
- case LDNS_RSASHA1_NSEC3:
- #ifdef USE_SHA1
-+#ifdef HAVE_EVP_DEFAULT_PROPERTIES_IS_FIPS_ENABLED
-+ return !EVP_default_properties_is_fips_enabled(NULL);
-+#else
- return 1;
-+#endif
- #else
- if(fake_sha1) return 1;
- return 0;
-@@ -341,15 +349,22 @@ dnskey_algo_id_is_supported(int id)
- case LDNS_ECDSAP256SHA256:
- case LDNS_ECDSAP384SHA384:
- #endif
-+#if (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2)) || defined(USE_ECDSA)
-+ return 1;
-+#endif
- #ifdef USE_ED25519
- case LDNS_ED25519:
- #endif
- #ifdef USE_ED448
- case LDNS_ED448:
- #endif
--#if (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2)) || defined(USE_ECDSA) || defined(USE_ED25519) || defined(USE_ED448)
-+#if defined(USE_ED25519) || defined(USE_ED448)
-+#ifdef HAVE_EVP_DEFAULT_PROPERTIES_IS_FIPS_ENABLED
-+ return !EVP_default_properties_is_fips_enabled(NULL);
-+#else
- return 1;
- #endif
-+#endif
-
- #ifdef USE_GOST
- case LDNS_ECC_GOST:
---
-2.36.1
-
diff --git a/unbound.spec b/unbound.spec
index da7d68b..909acc5 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -29,8 +29,8 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
-Version: 1.16.0
-Release: 3%{?extra_version:.%{extra_version}}%{?dist}
+Version: 1.16.2
+Release: 1%{?extra_version:.%{extra_version}}%{?dist}
 License: BSD
 Url: https://nlnetlabs.nl/projects/unbound/
 Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz
@@ -53,8 +53,6 @@ Source17: unbound-anchor.service
 Source18: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc
 Source19: http://keys.gnupg.net/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key
-# https://github.com/NLnetLabs/unbound/pull/671
-Patch1: unbound-1.16-fips-ed25519.patch
 BuildRequires: gcc, make
 BuildRequires: flex, openssl-devel
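Review bot: Dropping `Patch1: unbound-1.16-fips-ed25519.patch` (the ED25519/ED448 disable in FIPS mode) is not explained anywhere in this commit; if the upstream PR #671 referenced in the removed comment was merged before 1.16.2 the drop is correct, but nothing in the spec or the new %changelog entry says so, so a later reader cannot distinguish an intentional removal from a regression of the FIPS behaviour. Suggest recording it in the changelog entry, e.g. `- Drop unbound-1.16-fips-ed25519.patch, merged upstream (PR #671)`, after confirming against the 1.16.2 release notes. The entry also omits the CVE the commit subject claims to resolve; `- Update to 1.16.2 (#2087120), fixes CVE-2022-30698` keeps that traceable from the package history. The commit subject says 0.16.2 where the spec bumps Version to 1.16.2.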
@@ -447,6 +445,9 @@ popd
 %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
 %changelog
+* Wed Aug 03 2022 Petr Menšík - 1.16.2-1
+- Update to 1.16.2 (#2087120)
+
 * Fri Jul 08 2022 Petr Menšík - 1.16.0-3
 - Disable ED25519 and ED448 in FIPS mode (#2079548)