Update to 0.16.2
Resolves: rhbz#2087120 CVE-2022-30698 https://nlnetlabs.nl/projects/unbound/download/#unbound-1-16-2
This commit is contained in:
parent
53ceffb423
commit
865df6a4ea
3
.gitignore
vendored
3
.gitignore
vendored
@ -70,4 +70,5 @@ unbound-1.4.5.tar.gz
|
||||
/unbound-1.15.0.tar.gz
|
||||
/unbound-1.15.0.tar.gz.asc
|
||||
/unbound-1.16.0.tar.gz
|
||||
/unbound-1.16.0.tar.gz.asc
|
||||
/unbound-1.16.2.tar.gz
|
||||
/unbound-1.16.2.tar.gz.asc
|
||||
|
4
sources
4
sources
@ -1,2 +1,2 @@
|
||||
SHA512 (unbound-1.16.0.tar.gz) = 134679c0baad6738541295fcfbf8cc701c647b5d5cd00f87e50394bc7b5b74b7326ed2fc42f3282cae8094b4980c1e580d7b748b7151642c9060c449b644715f
|
||||
SHA512 (unbound-1.16.0.tar.gz.asc) = 1b7640df051bf9f37e261c4e7fa3b3343982f608c529553985eeb9444688ba9e751f45ad666ab13b783beff24806eef14e9833090a4aea249e1fa5023e3c0432
|
||||
SHA512 (unbound-1.16.2.tar.gz) = 0ea65ea63265be677441bd2a28df12098ec5e86c3372240c2874f9bd13752b8b818da81ae6076cf02cbeba3d36e397698a4c2b50570be1a6a8e47f57a0251572
|
||||
SHA512 (unbound-1.16.2.tar.gz.asc) = bc5241c86f90be76886209c81d6f1c025d4774fa00d114180b99d43999f31b1b4c8d123717b8a79a60bc3acfcbe9f46678b80b3d961431c7bfd05ff48c69ef4f
|
||||
|
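--- a/unbound-1.16-fips-ed25519.patch
+++ /dev/null
@@ -1,96 +0,0 @@
-From cff6307f44c79df8975b3f205e98cd1a0464824b Mon Sep 17 00:00:00 2001
-From: Petr Mensik <pemensik@redhat.com>
-Date: Wed, 27 Apr 2022 19:58:39 +0200
-Subject: [PATCH] Disable ED25519 and ED448 in FIPS mode on openssl3
-
-Both crypto functions are not allowed by FIPS 140-3. Use openssl 3.0
-function to check FIPS mode presence and use it to make those algorithms
-unsupported.
----
-unbound-1.16.0/config.h.in | 4 ++++
-unbound-1.16.0/configure.ac | 2 +-
-unbound-1.16.0/validator/val_secalgo.c | 17 ++++++++++++++++-
-3 files changed, 21 insertions(+), 2 deletions(-)
-
-diff --git a/unbound-1.16.0/config.h.in b/unbound-1.16.0/config.h.in
-index a080dde..cc1fbe8 100644
---- a/unbound-1.16.0/config.h.in
-+++ b/unbound-1.16.0/config.h.in
-@@ -222,6 +222,10 @@
-/* Define to 1 if you have the `EVP_cleanup' function. */
-#undef HAVE_EVP_CLEANUP
-
-+/* Define to 1 if you have the `EVP_default_properties_is_fips_enabled'
-+ function. */
-+#undef HAVE_EVP_DEFAULT_PROPERTIES_IS_FIPS_ENABLED
-+
-/* Define to 1 if you have the `EVP_DigestVerify' function. */
-#undef HAVE_EVP_DIGESTVERIFY
-
-diff --git a/unbound-1.16.0/configure.ac b/unbound-1.16.0/configure.ac
-index 1453b3a..69cb13b 100644
---- a/unbound-1.16.0/configure.ac
-+++ b/unbound-1.16.0/configure.ac
-@@ -906,7 +906,7 @@ else
-AC_MSG_RESULT([no])
-fi
-AC_CHECK_HEADERS([openssl/conf.h openssl/engine.h openssl/bn.h openssl/dh.h openssl/dsa.h openssl/rsa.h openssl/core_names.h openssl/param_build.h],,, [AC_INCLUDES_DEFAULT])
--AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback EVP_MAC_CTX_set_params OSSL_PARAM_BLD_new BIO_set_callback_ex])
-+AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_default_properties_is_fips_enabled EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback EVP_MAC_CTX_set_params OSSL_PARAM_BLD_new BIO_set_callback_ex])
-
-# these check_funcs need -lssl
-BAKLIBS="$LIBS"
-diff --git a/unbound-1.16.0/validator/val_secalgo.c b/unbound-1.16.0/validator/val_secalgo.c
-index 7abf66f..6276675 100644
---- a/unbound-1.16.0/validator/val_secalgo.c
-+++ b/unbound-1.16.0/validator/val_secalgo.c
-@@ -215,6 +215,10 @@ ds_digest_size_supported(int algo)
-switch(algo) {
-case LDNS_SHA1:
-#if defined(HAVE_EVP_SHA1) && defined(USE_SHA1)
-+#ifdef HAVE_EVP_DEFAULT_PROPERTIES_IS_FIPS_ENABLED
-+ if (EVP_default_properties_is_fips_enabled(NULL))
-+ return 0;
-+#endif
-return SHA_DIGEST_LENGTH;
-#else
-if(fake_sha1) return 20;
-@@ -325,7 +329,11 @@ dnskey_algo_id_is_supported(int id)
-case LDNS_RSASHA1:
-case LDNS_RSASHA1_NSEC3:
-#ifdef USE_SHA1
-+#ifdef HAVE_EVP_DEFAULT_PROPERTIES_IS_FIPS_ENABLED
-+ return !EVP_default_properties_is_fips_enabled(NULL);
-+#else
-return 1;
-+#endif
-#else
-if(fake_sha1) return 1;
-return 0;
-@@ -341,15 +349,22 @@ dnskey_algo_id_is_supported(int id)
-case LDNS_ECDSAP256SHA256:
-case LDNS_ECDSAP384SHA384:
-#endif
-+#if (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2)) || defined(USE_ECDSA)
-+ return 1;
-+#endif
-#ifdef USE_ED25519
-case LDNS_ED25519:
-#endif
-#ifdef USE_ED448
-case LDNS_ED448:
-#endif
--#if (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2)) || defined(USE_ECDSA) || defined(USE_ED25519) || defined(USE_ED448)
-+#if defined(USE_ED25519) || defined(USE_ED448)
-+#ifdef HAVE_EVP_DEFAULT_PROPERTIES_IS_FIPS_ENABLED
-+ return !EVP_default_properties_is_fips_enabled(NULL);
-+#else
-return 1;
-#endif
-+#endif
-
-#ifdef USE_GOST
-case LDNS_ECC_GOST:
---
-2.36.1
-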
|
@ -29,8 +29,8 @@
|
||||
|
||||
Summary: Validating, recursive, and caching DNS(SEC) resolver
|
||||
Name: unbound
|
||||
Version: 1.16.0
|
||||
Release: 3%{?extra_version:.%{extra_version}}%{?dist}
|
||||
Version: 1.16.2
|
||||
Release: 1%{?extra_version:.%{extra_version}}%{?dist}
|
||||
License: BSD
|
||||
Url: https://nlnetlabs.nl/projects/unbound/
|
||||
Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz
|
||||
@ -53,8 +53,6 @@ Source17: unbound-anchor.service
|
||||
Source18: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc
|
||||
Source19: http://keys.gnupg.net/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key
|
||||
|
||||
# https://github.com/NLnetLabs/unbound/pull/671
|
||||
Patch1: unbound-1.16-fips-ed25519.patch
|
||||
|
||||
BuildRequires: gcc, make
|
||||
BuildRequires: flex, openssl-devel
|
||||
@ -447,6 +445,9 @@ popd
|
||||
%attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
|
||||
|
||||
%changelog
|
||||
* Wed Aug 03 2022 Petr Menšík <pemensik@redhat.com> - 1.16.2-1
|
||||
- Update to 1.16.2 (#2087120)
|
||||
|
||||
* Fri Jul 08 2022 Petr Menšík <pemensik@redhat.com> - 1.16.0-3
|
||||
- Disable ED25519 and ED448 in FIPS mode (#2079548)
|
||||
|
||||
|
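Review bot: The second hunk drops `Patch1: unbound-1.16-fips-ed25519.patch` together with its `# https://github.com/NLnetLabs/unbound/pull/671` comment, but neither the 1.16.2-1 changelog entry nor the commit message says why, while the 1.16.0-3 entry directly below shows that patch was the fix for #2079548 (refusing ED25519/ED448 and SHA-1 under FIPS). If the upstream pull request is contained in 1.16.2 the removal is correct, but nothing on this page lets a reader verify that, so add a bullet under the 1.16.2-1 entry such as `- Drop unbound-1.16-fips-ed25519.patch, merged upstream (#2079548)`, or keep carrying the patch until that is confirmed. The commit title also reads `0.16.2` where the spec and changelog say 1.16.2. Unchanged context in the same hunk: `Source19` fetches the signing key over plain `http://` from keys.gnupg.net, so the `.asc` signature only binds the tarball to whatever key that lookup returns; a key committed to dist-git or an https source would make the signature check meaningful.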