diff --git a/.gitignore b/.gitignore
index e45d36e..63bf0e7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -10,5 +10,3 @@ x86_64
 /dnssec-tools-2.0.tar.gz
 /dnssec-tools-2.1.tar.gz
 /dnssec-tools-2.2.tar.gz
-/dnssec-tools-2.2.1.tar.gz
-/dnssec-tools-2.2.3.tar.gz
diff --git a/7287c6b96422e499560fb10b95c1a481ea82656d.patch b/7287c6b96422e499560fb10b95c1a481ea82656d.patch
deleted file mode 100644
index 266de8f..0000000
--- a/7287c6b96422e499560fb10b95c1a481ea82656d.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 7287c6b96422e499560fb10b95c1a481ea82656d Mon Sep 17 00:00:00 2001
-From: Conrad Kostecki
-Date: Sun, 21 Apr 2019 12:55:15 +0200
-Subject: [PATCH] Update makefile to respect users LDFLAGS
-
-Signed-off-by: Conrad Kostecki
----
- dnssec-tools/validator/libsres/Makefile.in | 2 +-
- dnssec-tools/validator/libval/Makefile.in | 2 +-
- dnssec-tools/validator/libval_shim/Makefile.in | 2 +-
- 3 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/dnssec-tools/validator/libsres/Makefile.in b/dnssec-tools/validator/libsres/Makefile.in
-index e20f6d788..0ef21cf80 100644
---- a/dnssec-tools/validator/libsres/Makefile.in
-+++ b/dnssec-tools/validator/libsres/Makefile.in
-@@ -63,7 +63,7 @@ clean:
- $(RM) -rf $(LT_DIR)
-
- $(LIBRES): $(LOBJ)
-- $(LIBTOOLLD) -o $@ $(LOBJ)
-+ $(LIBTOOLLD) -o $@ $(LOBJ) $(LDFLAGS)
-
- install:
- $(MKPATH) $(DESTDIR)$(libdir)
-diff --git a/dnssec-tools/validator/libval/Makefile.in b/dnssec-tools/validator/libval/Makefile.in
-index 0d6f35f99..6b361756c 100644
---- a/dnssec-tools/validator/libval/Makefile.in
-+++ b/dnssec-tools/validator/libval/Makefile.in
-@@ -65,7 +65,7 @@ clean:
- $(RM) -rf $(LT_DIR)
-
- $(LIBVAL): $(LOBJ)
-- $(LIBTOOLLD) -o $@ $(LOBJ) $(LSRES)
-+ $(LIBTOOLLD) -o $@ $(LOBJ) $(LSRES) $(LDFLAGS)
-
- install:
- $(MKPATH) $(DESTDIR)$(libdir)
-diff --git a/dnssec-tools/validator/libval_shim/Makefile.in b/dnssec-tools/validator/libval_shim/Makefile.in
-index 8b7c8e550..303943cc3 100644
---- a/dnssec-tools/validator/libval_shim/Makefile.in
-+++ b/dnssec-tools/validator/libval_shim/Makefile.in
-@@ -21,7 +21,7 @@ clean:
- $(RM) -rf $(LT_DIR)
-
- $(LIBVAL_SHIM): $(LOBJ)
-- $(LIBTOOLLD) -o $@ $(LOBJ) $(EXTRA_LIBS)
-+ $(LIBTOOLLD) -o $@ $(LOBJ) $(EXTRA_LIBS) $(LDFLAGS)
-
- install:
- $(MKPATH) $(DESTDIR)$(libdir)
diff --git a/dnssec-tools-2.2.3-add_ifdedf_to_engine.patch b/dnssec-tools-2.2.3-add_ifdedf_to_engine.patch
deleted file mode 100644
index 5c6820e..0000000
--- a/dnssec-tools-2.2.3-add_ifdedf_to_engine.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-diff -r -u dnssec-tools-2.2.3.orig/validator/libval/val_context.c dnssec-tools-2.2.3/validator/libval/val_context.c
---- dnssec-tools-2.2.3.orig/validator/libval/val_context.c 2024-11-05 11:39:33.696730353 +0100
-+++ dnssec-tools-2.2.3/validator/libval/val_context.c 2024-11-05 11:44:01.428711438 +0100
-@@ -17,9 +17,10 @@
-
- #include
- #include
-+#ifndef OPENSSL_NO_ENGINE
- #include
-+#endif /* !defined(OPENSSL_NO_ENGINE) */
- #include
--
- #include "val_support.h"
- #include "val_policy.h"
- #include "val_cache.h"
-@@ -853,7 +854,9 @@
- /* Whole bunch of openssl cleanup routines */
- CONF_modules_unload(1);
- EVP_cleanup();
-+#ifndef OPENSSL_NO_ENGINE
- ENGINE_cleanup();
-+#endif
- CRYPTO_cleanup_all_ex_data();
- ERR_remove_state(0);
- ERR_free_strings();
-diff -r -u dnssec-tools-2.2.3.orig/validator/libval/val_crypto.c dnssec-tools-2.2.3/validator/libval/val_crypto.c
---- dnssec-tools-2.2.3.orig/validator/libval/val_crypto.c 2024-11-05 11:39:33.695730345 +0100
-+++ dnssec-tools-2.2.3/validator/libval/val_crypto.c 2024-11-05 11:40:17.569919704 +0100
-@@ -22,7 +22,9 @@
- #include
- #endif
- #include
-+#ifndef OPENSSL_NO_ENGINE
- #include
-+#endif /* !defined(OPENSSL_NO_ENGINE) */
- #include
- #include
- #include
diff --git a/dnssec-tools-2.2.3-link-libval-threads-with-libs.patch b/dnssec-tools-2.2.3-link-libval-threads-with-libs.patch
deleted file mode 100644
index f160b6b..0000000
--- a/dnssec-tools-2.2.3-link-libval-threads-with-libs.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-diff -up dnssec-tools-2.2.3/validator/libval/Makefile.in.link-with-libs dnssec-tools-2.2.3/validator/libval/Makefile.in
---- dnssec-tools-2.2.3/validator/libval/Makefile.in.link-with-libs 2019-12-19 16:36:05.522457192 -0500
-+++ dnssec-tools-2.2.3/validator/libval/Makefile.in 2019-12-19 16:36:11.967342451 -0500
-@@ -1,3 +1,4 @@
-+LIBS=@LIBS@
-
- INCL= ../include
- LIB= ../libsres
-@@ -65,7 +66,7 @@ clean:
- $(RM) -rf $(LT_DIR)
-
- $(LIBVAL): $(LOBJ)
-- $(LIBTOOLLD) -o $@ $(LOBJ) $(LSRES) $(LDFLAGS)
-+ $(LIBTOOLLD) -o $@ $(LOBJ) $(LSRES) $(LIBS) $(LDFLAGS)
-
- install:
- $(MKPATH) $(DESTDIR)$(libdir)
diff --git a/dnssec-tools-dnsval.conf b/dnssec-tools-dnsval.conf
index 724ac23..7a61654 100644
--- a/dnssec-tools-dnsval.conf
+++ b/dnssec-tools-dnsval.conf
@@ -1,61 +1,10 @@
-##################################
-# Includes
-##################################
-
-# TRUSTMAN-ACTION bind-include /var/opt/named/named.conf
-
-##################################
-# Global Options
-##################################
-
-global-options
- trust-oob-answers yes
- edns0-size 1492
- env-policy disable
- app-policy disable
+: trust-anchor
+ . DS "19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5"
 ;
-##################################
-# Default policies
-##################################
-
-: trust-anchor
- . DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
- . DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
+: zone-security-expectation
+ . validate
 ;
-
-: zone-security-expectation
- . validate
-;
-
 : provably-insecure-status
- . trusted
-;
-
-: clock-skew
- . 0
-;
-
-##################################
-# MTA Policies
-##################################
-
-mta provably-insecure-status
- . trusted
-;
-
-mta clock-skew
- . -1
-;
-
-##################################
-# Web Browser Policies
-##################################
-
-browser provably-insecure-status
- . trusted
-;
-
-browser clock-skew
- . 0
+ . trusted
 ;
diff --git a/dnssec-tools-new-2017-key.patch b/dnssec-tools-new-2017-key.patch
deleted file mode 100644
index ef27692..0000000
--- a/dnssec-tools-new-2017-key.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff --git a/dnssec-tools/validator/etc/dnsval.conf b/dnssec-tools/validator/etc/dnsval.conf
-index 07288fe..34bbe6d 100644
---- a/dnssec-tools/validator/etc/dnsval.conf
-+++ b/dnssec-tools/validator/etc/dnsval.conf
-@@ -21,6 +21,7 @@ global-options
-
- : trust-anchor
- . DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
-+ . DS 19036 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
- ;
-
- : zone-security-expectation
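Review bot: The rewritten `: trust-anchor` block in dnssec-tools-dnsval.conf lists only the `19036` DS record; the `20326` record carried on the old side is gone, and 19036 is the 2010 root KSK that was rolled to 20326 and later revoked. A validator shipped with this file could not build a chain from the current root key set, and since the file still sets `provably-insecure-status` to `trusted`, how such failures surface to applications should be checked rather than assumed. I would keep the current anchor in the block, e.g. `. DS "20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D"` (quoted or not as this version's parser expects). The hunk also drops `global-options` and every `clock-skew` policy, so those settings fall back to library defaults that are not visible here.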
diff --git a/dnssec-tools-new-openssl-APIs.patch b/dnssec-tools-new-openssl-APIs.patch
deleted file mode 100644
index 37baf01..0000000
--- a/dnssec-tools-new-openssl-APIs.patch
+++ /dev/null
@@ -1,464 +0,0 @@ -diff --git a/dnssec-tools/validator/doc/dt-danechk.1 b/dnssec-tools/validator/doc/dt-danechk.1 -index 0d7f5c0a..afe6df47 100644 ---- a/dnssec-tools/validator/doc/dt-danechk.1 -+++ b/dnssec-tools/validator/doc/dt-danechk.1 -@@ -1,4 +1,4 @@ --.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14) -+.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) - .\" - .\" Standard preamble: - .\" ======================================================================== -@@ -38,26 +38,31 @@ - . ds PI \(*p - . ds L" `` - . ds R" '' -+. ds C` -+. ds C' - 'br\} - .\" - .\" Escape single quotes in literal strings from groff's Unicode transform. - .ie \n(.g .ds Aq \(aq - .el .ds Aq ' - .\" --.\" If the F register is turned on, we'll generate index entries on stderr for -+.\" If the F register is >0, we'll generate index entries on stderr for - .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index - .\" entries marked with X<> in POD. Of course, you'll have to process the - .\" output yourself in some meaningful fashion. --.ie \nF \{\ --. de IX --. tm Index:\\$1\t\\n%\t"\\$2" -+.\" -+.\" Avoid warning from groff about undefined register 'F'. -+.de IX - .. --. nr % 0 --. rr F --.\} --.el \{\ -+.if !\nF .nr F 0 -+.if \nF>0 \{\ - . de IX -+. tm Index:\\$1\t\\n%\t"\\$2" - .. -+. if !\nF==2 \{\ -+. nr % 0 -+. nr F 2 -+. \} - .\} - .\" - .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -@@ -124,7 +129,7 @@ - .\" ======================================================================== - .\" - .IX Title "DT-DANECHK 1" --.TH DT-DANECHK 1 "2013-03-07" "perl v5.12.4" "User Commands" -+.TH DT-DANECHK 1 "2016-12-16" "perl v5.26.2" "User Commands" - .\" For nroff, turn off justification. Always turn off hyphenation; it makes - .\" way too many mistakes in technical documents. - .if n .ad l -@@ -139,8 +144,8 @@ dt\-danechk \- validate TLSA records against SSL certificates. 
- .SH "DESCRIPTION" - .IX Header "DESCRIPTION" - \&\fBdt-danechk\fR is a diagnostic tool that can be used to test the validity --of an \s-1SSL/TLS\s0 certificate against the \s-1TLSA\s0 record published in the \s-1DNS\s0. --For more information on \s-1TLSA\s0 and \s-1DANE\s0 see \s-1RFC\s0 6698. -+of an \s-1SSL/TLS\s0 certificate against the \s-1TLSA\s0 record published in the \s-1DNS.\s0 -+For more information on \s-1TLSA\s0 and \s-1DANE\s0 see \s-1RFC 6698.\s0 - .SH "OPTIONS" - .IX Header "OPTIONS" - .IP "\-h, \-\-help" 4 -@@ -204,7 +209,7 @@ Display the version and exit. - \&\fBlibval\fR - .SH "COPYRIGHT" - .IX Header "COPYRIGHT" --Copyright 2005\-2013 \s-1SPARTA\s0, Inc. All rights reserved. -+Copyright 2005\-2013 \s-1SPARTA,\s0 Inc. All rights reserved. - See the \s-1COPYING\s0 file included with the DNSSEC-Tools package for details. - .SH "AUTHORS" - .IX Header "AUTHORS" -diff --git a/dnssec-tools/validator/doc/val_getdaneinfo.3 b/dnssec-tools/validator/doc/val_getdaneinfo.3 -index 12f3be6d..148b5a5c 100644 ---- a/dnssec-tools/validator/doc/val_getdaneinfo.3 -+++ b/dnssec-tools/validator/doc/val_getdaneinfo.3 -@@ -1,4 +1,4 @@ --.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14) -+.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) - .\" - .\" Standard preamble: - .\" ======================================================================== -@@ -38,26 +38,31 @@ - . ds PI \(*p - . ds L" `` - . ds R" '' -+. ds C` -+. ds C' - 'br\} - .\" - .\" Escape single quotes in literal strings from groff's Unicode transform. - .ie \n(.g .ds Aq \(aq - .el .ds Aq ' - .\" --.\" If the F register is turned on, we'll generate index entries on stderr for -+.\" If the F register is >0, we'll generate index entries on stderr for - .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index - .\" entries marked with X<> in POD. Of course, you'll have to process the - .\" output yourself in some meaningful fashion. --.ie \nF \{\ --. de IX --. 
tm Index:\\$1\t\\n%\t"\\$2" -+.\" -+.\" Avoid warning from groff about undefined register 'F'. -+.de IX - .. --. nr % 0 --. rr F --.\} --.el \{\ -+.if !\nF .nr F 0 -+.if \nF>0 \{\ - . de IX -+. tm Index:\\$1\t\\n%\t"\\$2" - .. -+. if !\nF==2 \{\ -+. nr % 0 -+. nr F 2 -+. \} - .\} - .\" - .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -@@ -124,7 +129,7 @@ - .\" ======================================================================== - .\" - .IX Title "val_getdaneinfo 3" --.TH val_getdaneinfo 3 "2013-03-08" "perl v5.12.4" "Programmer's Manual" -+.TH val_getdaneinfo 3 "2016-12-16" "perl v5.26.2" "Programmer's Manual" - .\" For nroff, turn off justification. Always turn off hyphenation; it makes - .\" way too many mistakes in technical documents. - .if n .ad l -@@ -231,9 +236,9 @@ form below: - .Ve - .PP - The \fIttl\fR field is the time-to-live associated with the \s-1TLSA\s0 record. An --application must not cache (and use) this \s-1TLSA\s0 record beyond its \s-1TTL\s0. -+application must not cache (and use) this \s-1TLSA\s0 record beyond its \s-1TTL.\s0 - The \fIusage\fR, \fIselector\fR and \fItype\fR fields correspond to the first --three fields of the \s-1TLSA\s0 \s-1RDATA\s0 as described in rfc6698. The \s-1TLSA\s0 -+three fields of the \s-1TLSA RDATA\s0 as described in rfc6698. The \s-1TLSA\s0 - certificate association data is returned in the \fIdata\fR field and has - a length of \fIdatalen\fR bytes. There can be more than one \s-1TLSA\s0 record - associated with a given name, and the \fInext\fR field points to the next -@@ -250,7 +255,7 @@ This function automatically iterates over all elements in \fIdres\fR and - compares the certificate association data against the \s-1SSL/TLS\s0 - certificates associated with the \s-1SSL\s0 connection \fIcon\fR. The \s-1DANE\s0 - protocol enables certain use cases that allows new trust anchors to be --introduced via \s-1DNSSEC\s0. 
The value of \fIdo_pathval\fR indicates whether -+introduced via \s-1DNSSEC.\s0 The value of \fIdo_pathval\fR indicates whether - the application must proceed with X509 path validation for this - connection in accordance with the usage that was encoded in the \s-1TLSA\s0 - record. -@@ -267,7 +272,7 @@ validation policy). - \&\fI\fIval_getdaneinfo()\fI\fR and \fI\fIval_dane_submit()\fI\fR return \fB\s-1VAL_DANE_NOERROR\s0\fR - on success, and \fB\s-1VAL_DANE_MALFORMED_TLSA\s0\fR or \fB\s-1VAL_DANE_INTERNAL_ERROR\s0\fR - for error conditions. A value of \fB\s-1VAL_DANE_NOTVALIDATED\s0\fR is returned if --the \s-1TLSA\s0 record cannot be validated via \s-1DNSSEC\s0. A value of -+the \s-1TLSA\s0 record cannot be validated via \s-1DNSSEC. A\s0 value of - \&\fB\s-1VAL_DANE_IGNORE_TLSA\s0\fR is returned if the \s-1TLSA\s0 record for the given name - is provably absent. - .PP -@@ -285,7 +290,7 @@ The \fI\fIp_dane_error()\fI\fR function can be used to convert the DANE-related - error codes to an error string value. - .SH "COPYRIGHT" - .IX Header "COPYRIGHT" --Copyright 2004\-2013 \s-1SPARTA\s0, Inc. All rights reserved. -+Copyright 2004\-2013 \s-1SPARTA,\s0 Inc. All rights reserved. - See the \s-1COPYING\s0 file included with the DNSSEC-Tools package for details. - .SH "AUTHORS" - .IX Header "AUTHORS" -@@ -294,7 +299,7 @@ Suresh Krishnaswamy - .IX Header "SEE ALSO" - \&\fI\fIlibval\fI\|(3)\fR - .PP --\&\s-1RFC\s0 6698 (\s-1DANE\s0) -+\&\s-1RFC 6698\s0 (\s-1DANE\s0) - .PP - draft-hayatnagarkar-dnsext-validator-api - .PP -diff --git a/dnssec-tools/validator/etc/dnsval.conf b/dnssec-tools/validator/etc/dnsval.conf -index 07288fe3..34bbe6d6 100644 ---- a/dnssec-tools/validator/etc/dnsval.conf -+++ b/dnssec-tools/validator/etc/dnsval.conf -@@ -21,6 +21,7 @@ global-options - - : trust-anchor - . DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5 -+ . 
DS 19036 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D - ; - - : zone-security-expectation -diff --git a/dnssec-tools/validator/include/validator/validator-compat.h b/dnssec-tools/validator/include/validator/validator-compat.h -index c6ebf23f..300ef11e 100644 ---- a/dnssec-tools/validator/include/validator/validator-compat.h -+++ b/dnssec-tools/validator/include/validator/validator-compat.h -@@ -818,14 +818,6 @@ typedef enum __ns_flag { - ns_f_max - } ns_flag; - --/* The Algorithm field of the KEY and SIG RR's is an integer, {1..254} */ --#define NS_ALG_MD5RSA 1 /* MD5 with RSA */ --#define NS_ALG_DH 2 /* Diffie Hellman KEY */ --#define NS_ALG_DSA 3 /* DSA KEY */ --#define NS_ALG_DSS NS_ALG_DSA --#define NS_ALG_EXPIRE_ONLY 253 /* No alg, no security */ --#define NS_ALG_PRIVATE_OID 254 /* Key begins with OID giving alg */ -- - /* Protocol values */ - /* value 0 is reserved */ - #define NS_KEY_PROT_TLS 1 -@@ -1050,5 +1042,26 @@ struct addrinfo { - #endif - - -+/* The Algorithm field of the KEY and SIG RR's is an integer, {1..254} */ -+#define NS_ALG_MD5RSA 1 /* MD5 with RSA */ -+#define NS_ALG_DH 2 /* Diffie Hellman KEY */ -+#define NS_ALG_DSA 3 /* DSA KEY */ -+#define NS_ALG_DSS NS_ALG_DSA -+#define NS_ALG_EXPIRE_ONLY 253 /* No alg, no security */ -+#define NS_ALG_PRIVATE_OID 254 /* Key begins with OID giving alg */ -+#define ns_t_zxfr 256 -+ -+#define NS_MD5RSA_MIN_BITS 512 /* Size of a mod or exp in bits */ -+#define NS_MD5RSA_MAX_BITS 2552 -+ /* Total of binary mod and exp */ -+#define NS_MD5RSA_MAX_BYTES ((NS_MD5RSA_MAX_BITS+7/8)*2+3) -+ /* Max length of text sig block */ -+#define NS_MD5RSA_MAX_BASE64 (((NS_MD5RSA_MAX_BYTES+2)/3)*4) -+#define NS_MD5RSA_MIN_SIZE ((NS_MD5RSA_MIN_BITS+7)/8) -+#define NS_MD5RSA_MAX_SIZE ((NS_MD5RSA_MAX_BITS+7)/8) -+ -+#include "openssl/hmac.h" -+#include "openssl/ossl_typ.h" -+ - #endif /* _VALIDATOR_COMPAT_H */ - -diff --git a/dnssec-tools/validator/libsres/ns_print.c 
b/dnssec-tools/validator/libsres/ns_print.c -index 98f1f9c3..edcbbbc3 100644 ---- a/dnssec-tools/validator/libsres/ns_print.c -+++ b/dnssec-tools/validator/libsres/ns_print.c -@@ -712,6 +712,10 @@ ns_sprintrrf_data(const u_char * msg, size_t msglen, - nxtbitmaps: - #endif /* LIBVAL_NSEC3 */ - -+#if !defined(NS_NXT_BIT_ISSET) -+#define NS_NXT_BITS 8 -+#define NS_NXT_BIT_ISSET(n,p) (p[(n)/NS_NXT_BITS] & (0x80>>((n)%NS_NXT_BITS))) -+#endif - /** Type bit map. */ - while (edata - rdata > 0) { - b = *rdata; -diff --git a/dnssec-tools/validator/libsres/res_tsig.c b/dnssec-tools/validator/libsres/res_tsig.c -index bc010302..03f73c49 100644 ---- a/dnssec-tools/validator/libsres/res_tsig.c -+++ b/dnssec-tools/validator/libsres/res_tsig.c -@@ -16,6 +16,7 @@ - */ - #include "validator-internal.h" - -+#include - #include - - #include "res_tsig.h" -@@ -237,7 +238,7 @@ res_tsig_sign(u_char * query, - u_char *hp; - HEADER *header; - struct timeval now; -- HMAC_CTX ctx; -+ HMAC_CTX *ctx; - const EVP_MD *md; - u_char hash[MAX_DIGEST_LENGTH]; - unsigned int len; -@@ -274,8 +275,8 @@ res_tsig_sign(u_char * query, - return SR_TS_FAIL; - } - -- HMAC_CTX_init(&ctx); -- HMAC_Init_ex(&ctx, ns->ns_tsig->key, ns->ns_tsig->keylen, -+ ctx = HMAC_CTX_new(); -+ HMAC_Init_ex(ctx, ns->ns_tsig->key, ns->ns_tsig->keylen, - md, NULL); - - /* Create a TSIG RR and add it to the additional section */ -@@ -289,7 +290,7 @@ res_tsig_sign(u_char * query, - p = cp; - memcpy(cp, query, query_length * sizeof(u_char)); - cp += query_length; -- HMAC_Update(&ctx, p, cp-p); -+ HMAC_Update(ctx, p, cp-p); - - /* Bump up the additional section count */ - header = (HEADER *) p; -@@ -300,7 +301,7 @@ res_tsig_sign(u_char * query, - p = cp; - memcpy(cp, ns->ns_tsig->name_n, wire_name_length(ns->ns_tsig->name_n)); - cp += wire_name_length(ns->ns_tsig->name_n); -- HMAC_Update(&ctx, p, cp-p); -+ HMAC_Update(ctx, p, cp-p); - - /* don't digest type */ - RES_PUT16(ns_t_tsig, cp); -@@ -308,7 +309,7 @@ res_tsig_sign(u_char * 
query, - p = cp; - RES_PUT16(ns_t_any, cp); - RES_PUT32(0, cp); -- HMAC_Update(&ctx, p, cp-p); -+ HMAC_Update(ctx, p, cp-p); - - /* don't digest rdatalen */ - RES_PUT16(ns->ns_tsig->rdatalen, cp); -@@ -316,13 +317,13 @@ res_tsig_sign(u_char * query, - p = cp; - memcpy(cp, ns->ns_tsig->alg_n, wire_name_length(ns->ns_tsig->alg_n)); - cp += wire_name_length(ns->ns_tsig->alg_n); -- HMAC_Update(&ctx, p, cp-p); -+ HMAC_Update(ctx, p, cp-p); - - gettimeofday(&now, NULL); - p = cp; - RES_PUT48((u_int64_t)now.tv_sec, cp); - RES_PUT16(ns->ns_tsig->fudge, cp); -- HMAC_Update(&ctx, p, cp-p); -+ HMAC_Update(ctx, p, cp-p); - - /* don't digest the mac_size */ - RES_PUT16(ns->ns_tsig->mac_size, cp); -@@ -337,9 +338,9 @@ res_tsig_sign(u_char * query, - p = cp; - RES_PUT16(0, cp); - RES_PUT16(0, cp); -- HMAC_Update(&ctx, p, cp-p); -+ HMAC_Update(ctx, p, cp-p); - -- HMAC_Final(&ctx, hash, &len); -+ HMAC_Final(ctx, hash, &len); - - if (len != ns->ns_tsig->mac_size) { - FREE(*signed_query); -@@ -348,7 +349,7 @@ res_tsig_sign(u_char * query, - } - memcpy(hp, hash, len); - -- HMAC_CTX_cleanup(&ctx); -+ HMAC_CTX_free(ctx); - return SR_TS_OK; - - } else -diff --git a/dnssec-tools/validator/libval/val_crypto.c b/dnssec-tools/validator/libval/val_crypto.c -index 46d1ce5d..b3ccdcd4 100644 ---- a/dnssec-tools/validator/libval/val_crypto.c -+++ b/dnssec-tools/validator/libval/val_crypto.c -@@ -22,6 +22,7 @@ - #include - #endif - #include -+#include - #include - #include - #include -@@ -77,10 +78,8 @@ dsasha1_parse_public_key(const u_char *buf, size_t buflen, DSA * dsa) - bn_y = BN_bin2bn(buf + index, 64 + (T * 8), NULL); - index += (64 + (T * 8)); - -- dsa->p = bn_p; -- dsa->q = bn_q; -- dsa->g = bn_g; -- dsa->pub_key = bn_y; -+ DSA_set0_pqg(dsa, bn_p, bn_q, bn_g); -+ DSA_set0_key(dsa, bn_y, NULL); - - return VAL_NO_ERROR; /* success */ - } -@@ -214,8 +213,7 @@ rsamd5_parse_public_key(const u_char *buf, size_t buflen, RSA * rsa) - */ - bn_mod = BN_bin2bn(buf + index, buflen - index, NULL); - -- 
rsa->e = bn_exp; -- rsa->n = bn_mod; -+ RSA_set0_key(rsa, bn_mod, bn_exp, NULL); - - return VAL_NO_ERROR; /* success */ - } -@@ -246,7 +244,7 @@ rsamd5_keytag(const u_char *pubkey, size_t pubkey_len) - return VAL_BAD_ARGUMENT; - } - -- modulus = rsa->n; -+ RSA_get0_key(rsa, (const BIGNUM **) &modulus, NULL, NULL); - modulus_len = BN_num_bytes(modulus); - modulus_bin = - (u_char *) MALLOC(modulus_len * sizeof(u_char)); -@@ -361,8 +359,7 @@ rsa_parse_public_key(const u_char *buf, size_t buflen, RSA * rsa) - */ - bn_mod = BN_bin2bn(buf + index, buflen - index, NULL); - -- rsa->e = bn_exp; -- rsa->n = bn_mod; -+ RSA_set0_key(rsa, bn_mod, bn_exp, NULL); - - return VAL_NO_ERROR; /* success */ - } -@@ -460,11 +457,10 @@ ecdsa_sigverify(val_context_t * ctx, - EC_KEY *eckey = NULL; - BIGNUM *bn_x = NULL; - BIGNUM *bn_y = NULL; -- ECDSA_SIG ecdsa_sig; -+ ECDSA_SIG *ecdsa_sig; - size_t hashlen = 0; - -- ecdsa_sig.r = NULL; -- ecdsa_sig.s = NULL; -+ ecdsa_sig = ECDSA_SIG_new(); - memset(sha_hash, 0, sizeof(sha_hash)); - - val_log(ctx, LOG_DEBUG, -@@ -523,10 +519,10 @@ ecdsa_sigverify(val_context_t * ctx, - goto err; - } - -- ecdsa_sig.r = BN_bin2bn(rrsig->signature, hashlen, NULL); -- ecdsa_sig.s = BN_bin2bn(&rrsig->signature[hashlen], hashlen, NULL); -+ ECDSA_SIG_set0(ecdsa_sig, BN_bin2bn(rrsig->signature, hashlen, NULL), -+ BN_bin2bn(&rrsig->signature[hashlen], hashlen, NULL)); - -- if (ECDSA_do_verify(sha_hash, hashlen, &ecdsa_sig, eckey) == 1) { -+ if (ECDSA_do_verify(sha_hash, hashlen, ecdsa_sig, eckey) == 1) { - val_log(ctx, LOG_INFO, "ecdsa_sigverify(): returned SUCCESS"); - *sig_status = VAL_AC_RRSIG_VERIFIED; - } else { -@@ -536,10 +532,8 @@ ecdsa_sigverify(val_context_t * ctx, - - /* Free all structures allocated */ - err: -- if (ecdsa_sig.r) -- BN_free(ecdsa_sig.r); -- if (ecdsa_sig.s) -- BN_free(ecdsa_sig.s); -+ if (ecdsa_sig) -+ ECDSA_SIG_free(ecdsa_sig); - if (bn_x) - BN_free(bn_x); - if (bn_y) -diff --git a/dnssec-tools/validator/libval/val_dane.c 
b/dnssec-tools/validator/libval/val_dane.c -index 32ffdc7a..16b0a0b2 100644 ---- a/dnssec-tools/validator/libval/val_dane.c -+++ b/dnssec-tools/validator/libval/val_dane.c -@@ -875,7 +875,8 @@ val_X509_peer_cert_verify_cb(X509_STORE_CTX *x509ctx, void *arg) - if (x509ctx == NULL || ssl_dane_data == NULL) - return 0; - -- cert = x509ctx->cert; -+ -+ cert = X509_STORE_CTX_get_current_cert(x509ctx); - context = ssl_dane_data->context; - - /*
diff --git a/dnssec-tools.spec b/dnssec-tools.spec
index 92889ca..2bd49a4 100644
--- a/dnssec-tools.spec
+++ b/dnssec-tools.spec
@@ -1,43 +1,32 @@
-# OpenSSL ENGINE support deprecated in Fedora 41 onwards
-# https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine
-%if 0%{?fedora} > 40
-%global _preprocessor_defines %{?_preprocessor_defines} -DOPENSSL_NO_ENGINE
-%endif
-
-
 Summary: A suite of tools for managing dnssec aware DNS usage
 Name: dnssec-tools
-Version: 2.2.3
-Release: 30%{?dist}
-# Automatically converted from old format: BSD - review is highly recommended.
-License: LicenseRef-Callaway-BSD
+Version: 2.2
+Release: 3%{?dist}
+License: BSD
+Group: System Environment/Base
 URL: http://www.dnssec-tools.org/
-#Source0: https://www.dnssec-tools.org/download/%%{name}-%%{version}.tar.gz
-Source0: https://www.hardakers.net/software/%{name}-%{version}.tar.gz
+Source0: https://www.dnssec-tools.org/download/%{name}-%{version}.tar.gz
 Source1: dnssec-tools-dnsval.conf
 Source2: libval-config
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 # Require note: the auto-detection for perl-Net-DNS-SEC will not work since
 # the tools do run time tests for their existence. But most of the tools
 # are much more useful with the modules in place, so we hand require them.
-Requires: dnssec-tools-perlmods, bind, perl(Getopt::GUI::Long)
+Requires: perl(Net::DNS), perl(Net::DNS::SEC), dnssec-tools-perlmods, bind, perl(Getopt::GUI::Long)
+Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
 Requires: perl(GraphViz)
-BuildRequires: gcc
 BuildRequires: openssl-devel
 BuildRequires: perl-devel
 BuildRequires: perl-generators
 BuildRequires: perl(Test) perl(ExtUtils::MakeMaker)
-BuildRequires: make
 # Makes the code installation linux filesystem friendly
 Patch5: dnssec-tools-linux-conf-paths-1.13.patch
+Patch6: dnssec-tools-zonefile-fast-new-bind-1.13.patch
+Patch12: dnssec-tools-zonefile-fast-nsec3-1.20.patch
 Patch13: dnssec-tools-2.0-autoconf-for-aarch64.patch
-Patch17: dnssec-tools-new-2017-key.patch
-Patch18: dnssec-tools-new-openssl-APIs.patch
-# Update Makefile to respect users LDFLAGS
-# https://github.com/DNSSEC-Tools/DNSSEC-Tools/commit/7287c6b96422e499560fb10b95c1a481ea82656d
-Patch19: 7287c6b96422e499560fb10b95c1a481ea82656d.patch
-# link libval-threads with libs
-Patch20: dnssec-tools-2.2.3-link-libval-threads-with-libs.patch
-Patch21: dnssec-tools-2.2.3-add_ifdedf_to_engine.patch
+Patch14: dnssec-tools-zonefile-fast-misc.patch
+Patch15: dnssec-tools-zonefile-fast-nsec3-fixes.patch
+Patch16: dnssec-tools-zonefile-fast-tlsa-fixes.patch
 %description
@@ -46,8 +35,9 @@ patches, applications, wrappers, extensions, and plugins that will help ease the deployment of DNSSEC-related technologies.
 %package perlmods
+Group: System Environment/Libraries
 Summary: Perl modules supporting DNSSEC (needed by the dnssec-tools)
-Requires: perl(Getopt::GUI::Long)
+Requires: perl(Net::DNS), perl(Net::DNS::SEC)
 %description perlmods
@@ -56,6 +46,7 @@ required by the DNSSEC tools themselves as well as modules that are useful for other developers.
 %package libs
+Group: System Environment/Libraries
 Summary: C-based libraries for dnssec aware tools
 Requires: openssl
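Review bot: Dropping `Patch19` and `Patch20` in the first dnssec-tools.spec hunk means the libsres, libval and libval_shim link rules go back to `$(LIBTOOLLD) -o $@ $(LOBJ) ...` without `$(LDFLAGS)` (per the patch files this commit deletes), so link flags from the build environment, which is where distributions usually inject link-time hardening, would not reach the shared libraries. If the package has to go back to 2.2, I would keep `Patch19: 7287c6b96422e499560fb10b95c1a481ea82656d.patch` (rebased if it no longer applies) and confirm the result on the built `.so` files with `readelf -d`. The same hunk declares `Patch6`, `Patch12` and `Patch14` to `Patch16`, but only `%patch5` is applied in the `%prep` hunk further down; a comment such as `# Patch6..Patch16: carried for reference, not applied` would stop readers assuming those fixes are in the build.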
@@ -63,6 +54,7 @@ Requires: openssl
 C-based libraries useful for developing dnssec aware tools.
 %package libs-devel
+Group: Development/Libraries
 Summary: C-based development libraries for dnssec aware tools
 Requires: dnssec-tools-libs = %{version}-%{release}
@@ -72,18 +64,13 @@ C-based libraries useful for developing dnssec aware tools.
 %prep
 %setup -q
-%patch -P5 -p0
-#%%patch6 -p2
-#%%patch12 -p2
-#%%patch13 -p2
-#%%patch14 -p2
-#%%patch15 -p2
-#%%patch16 -p2
-#%%patch17 -p2
-#%%patch18 -p2
-%patch -P19 -p2
-%patch -P20 -p1 -b .link-with-libs
-%patch -P21 -p1
+%patch5 -p0
+#%patch6 -p2
+#%patch12 -p2
+#%patch13 -p2
+#%patch14 -p2
+#%patch15 -p2
+#%patch16 -p2
 %build
 %configure --with-validator-testcases-file=%{_datadir}/dnssec-tools/validator-testcases --with-perl-build-args="INSTALLDIRS=vendor OPTIMIZE='$RPM_OPT_FLAGS'" --sysconfdir=/etc --with-root-hints=/etc/dnssec-tools/root.hints --with-resolv-conf=/etc/dnssec-tools/resolv.conf --disable-static --with-nsec3 --with-ipv6 --with-dlv --disable-bind-checks
@@ -92,7 +79,7 @@ sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
 sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' validator/libtool
 sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' validator/libtool
 # makefile dependencies are broken; we can't use smp_mflags:
-#make %%{?_smp_mflags} CCFLAGS="-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64"
+#make %{?_smp_mflags} CCFLAGS="-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64"
 make CCFLAGS="-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64"
 %install
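Review bot: The comment lines re-added in the `%prep` hunk (`@@ -72,18 +64,13 @@`) use a single `%`, e.g. `#%patch6 -p2`, and rpm expands macros inside comments, which is why the old side wrote `#%%patch6 -p2`. Depending on the rpm version this produces a warning or an expansion on a line that is meant to be inert, so I would keep the escaped form. The `#make %{?_smp_mflags} ...` line in the `@@ -92,7 +79,7 @@` hunk and the commented `%{_datadir}`, `%config` and `%{_mandir}` lines in the later `%files` hunks have the same issue. Separately, `%patch5 -p0` uses the numbered form that newer rpm releases deprecate in favour of `%patch -P5 -p0`.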
@@ -117,10 +104,16 @@ mv ${RPM_BUILD_ROOT}/%{_bindir}/libval-config ${RPM_BUILD_ROOT}/%{_bindir}/libva
 # Add a new wrapper script that calls the right file at run time
 install -m 755 %SOURCE2 ${RPM_BUILD_ROOT}/%{_bindir}/libval-config
-%ldconfig_scriptlets libs
+%post libs -p /sbin/ldconfig
+
+%postun libs -p /sbin/ldconfig
+
+%clean
+rm -rf %{buildroot}
 %files
-%doc README.md INSTALL COPYING
+%defattr(-,root,root,-)
+%doc README INSTALL COPYING
 %dir %{_sysconfdir}/dnssec-tools/
 %config(noreplace) %{_sysconfdir}/dnssec-tools/dnssec-tools.conf
@@ -137,7 +130,7 @@ install -m 755 %SOURCE2 ${RPM_BUILD_ROOT}/%{_bindir}/libval-config
 %{_bindir}/maketestzone
 %{_bindir}/mapper
 %{_bindir}/zonesigner
-# this doesn't use %%{_datadir} because patch6 above uses this exact path
+# this doesn't use %{_datadir} because patch6 above uses this exact path
 /usr/share/dnssec-tools
 #/usr/share/dnssec-tools/donuts
 #/usr/share/dnssec-tools/donuts/rules
@@ -164,7 +157,7 @@ install -m 755 %SOURCE2 ${RPM_BUILD_ROOT}/%{_bindir}/libval-config
 %{_bindir}/dt-libval_check_conf
 %{_bindir}/dt-validate
 # configure above
-#%%{_datadir}/dnssec-tools/validator-testcases
+#%{_datadir}/dnssec-tools/validator-testcases
 %{_bindir}/dt-getaddr
 %{_bindir}/dt-gethost
 %{_bindir}/dt-getname
@@ -266,6 +259,8 @@ install -m 755 %SOURCE2 ${RPM_BUILD_ROOT}/%{_bindir}/libval-config
 %{_mandir}/man3/Net::DNS::SEC::Tools::realmmgr.3pm.gz
 %files perlmods
+%defattr(-,root,root)
+
 # perl-Net-DNS-SEC is noarch and cannot own this directory:
 %dir %{perl_vendorarch}/Net/DNS/SEC
@@ -291,6 +286,7 @@ install -m 755 %SOURCE2 ${RPM_BUILD_ROOT}/%{_bindir}/libval-config
 %{_mandir}/man3/Net::DNS::SEC::Validator.3pm.gz
 %{_mandir}/man3/Net::addrinfo.3pm.gz
 %{_mandir}/man3/Net::DNS::SEC::Tools::Donuts::Rule.3pm.gz
+%{_mandir}/man3/Net::DNS::ZoneFile::Fast.3pm.gz
 %{_mandir}/man3/Net::DNS::SEC::Tools::rolllog.3pm.gz
 %{_mandir}/man3/Net::DNS::SEC::Tools::TrustAnchor.3pm.gz
@@ -303,16 +299,15 @@ install -m 755 %SOURCE2 ${RPM_BUILD_ROOT}/%{_bindir}/libval-config
 %{_mandir}/man3/Net::DNS::SEC::Tools::TrustAnchor::Mf.3pm.gz
 %{_mandir}/man3/Net::DNS::SEC::Tools::TrustAnchor::Secspider.3pm.gz
-# obsolete module still in upstream source:
-%{_mandir}/man3/Net::DNS::ZoneFile::Fast.3pm.gz
-
 %files libs
+%defattr(-,root,root)
 %{_libdir}/*.so.*
 %config(noreplace) %{_sysconfdir}/dnssec-tools
-#%%config(noreplace) %%{_sysconfdir}/dnssec-tools/dnsval.conf
-#%%config(noreplace) %%{_sysconfdir}/dnssec-tools/root.hints
+#%config(noreplace) %{_sysconfdir}/dnssec-tools/dnsval.conf
+#%config(noreplace) %{_sysconfdir}/dnssec-tools/root.hints
 %files libs-devel
+%defattr(-,root,root)
 %{_includedir}/validator
 %{_libdir}/*.so
@@ -346,7 +341,7 @@ install -m 755 %SOURCE2 ${RPM_BUILD_ROOT}/%{_bindir}/libval-config
 %{_mandir}/man3/val_isvalidated.3.gz
 %{_mandir}/man3/val_res_query.3.gz
 %{_mandir}/man3/val_res_search.3.gz
-#%%{_mandir}/man3/val_addrinfo.3.gz
+#%{_mandir}/man3/val_addrinfo.3.gz
 %{_mandir}/man3/val_add_valpolicy.3.gz
 %{_mandir}/man3/val_context_setqflags.3.gz
 %{_mandir}/man3/val_does_not_exist.3.gz
@@ -372,125 +367,6 @@ install -m 755 %SOURCE2 ${RPM_BUILD_ROOT}/%{_bindir}/libval-config
 %changelog
-* Wed Jul 23 2025 Fedora Release Engineering - 2.2.3-30
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
-
-* Mon Jul 07 2025 Jitka Plesnikova - 2.2.3-29
-- Perl 5.42 rebuild
-
-* Thu Jan 16 2025 Fedora Release Engineering - 2.2.3-28
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
-
-* Tue Nov 05 2024 Michal Josef Špaček - 2.2.3-27
-- Build without OpenSSL ENGINE support on Fedora 41 onwards
-
-* Wed Aug 28 2024 Miroslav Suchý - 2.2.3-26
-- convert license to SPDX
-
-* Wed Jul 17 2024 Fedora Release Engineering - 2.2.3-25
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
-
-* Mon Jun 10 2024 Jitka Plesnikova - 2.2.3-24
-- Perl 5.40 rebuild
-
-* Wed Jan 24 2024 Fedora Release Engineering - 2.2.3-23
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
-
-* Fri Jan 19 2024 Fedora Release Engineering - 2.2.3-22
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
-
-* Wed Jul 19 2023 Fedora Release Engineering - 2.2.3-21
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
-
-* Tue Jul 11 2023 Jitka Plesnikova - 2.2.3-20
-- Perl 5.38 rebuild
-
-* Thu Jan 19 2023 Fedora Release Engineering - 2.2.3-19
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
-
-* Mon Dec 19 2022 Jitka Plesnikova - 2.2.3-18
-- Add BR perl-generators to automatically generates run-time dependencies
- for installed Perl files
-
-* Thu Jul 21 2022 Fedora Release Engineering - 2.2.3-17
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
-
-* Mon May 30 2022 Jitka Plesnikova - 2.2.3-16
-- Perl 5.36 rebuild
-
-* Thu Jan 20 2022 Fedora Release Engineering - 2.2.3-15
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
-
-* Tue Sep 14 2021 Sahana Prasad - 2.2.3-14
-- Rebuilt with OpenSSL 3.0.0
-
-* Wed Jul 21 2021 Fedora Release Engineering -
2.2.3-13
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
-
-* Fri May 21 2021 Jitka Plesnikova - 2.2.3-12
-- Perl 5.34 rebuild
-
-* Tue Jan 26 2021 Fedora Release Engineering - 2.2.3-11
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
-
-* Fri Sep 25 2020 Petr Pisar - 2.2.3-10
-- Build-require perl-macros for Perl RPM macros
-
-* Mon Jul 27 2020 Fedora Release Engineering - 2.2.3-9
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Mon Jun 22 2020 Jitka Plesnikova - 2.2.3-8
-- Perl 5.32 rebuild
-
-* Tue Jan 28 2020 Fedora Release Engineering - 2.2.3-7
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
-
-* Thu Dec 19 2019 Tom Callaway - 2.2.3-6
-- fix libval-threads to link with dependent libs
-- use LDFLAGS
-
-* Wed Jul 24 2019 Fedora Release Engineering - 2.2.3-5
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
-
-* Thu May 30 2019 Jitka Plesnikova - 2.2.3-4
-- Perl 5.30 rebuild
-
-* Thu Jan 31 2019 Fedora Release Engineering - 2.2.3-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
-
-* Thu Oct 4 2018 Wes Hardaker - 2.2.3-2
-- update default dnsval.conf
-
-* Wed Aug 29 2018 Wes Hardaker - 2.2.3-1
-- match upstream version
-
-* Wed Aug 29 2018 Wes Hardaker - 2.2.1-2
-- add Mail::Send
-
-* Mon Jul 30 2018 Wes Hardaker - 2.2.1-1
-- fix build issues
-
-* Thu Jul 12 2018 Fedora Release Engineering - 2.2-10
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
-
-* Thu Jun 28 2018 Jitka Plesnikova - 2.2-9
-- Perl 5.28 rebuild
-
-* Wed Feb 07 2018 Fedora Release Engineering - 2.2-8
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
-
-* Wed Aug 02 2017 Fedora Release Engineering - 2.2-7
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
-
-* Wed Jul 26 2017 Fedora Release Engineering - 2.2-6
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
-
-* Sun Jun 04 2017 Jitka
Plesnikova - 2.2-5
-- Perl 5.26 rebuild
-
-* Fri Feb 10 2017 Fedora Release Engineering - 2.2-4
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
-
 * Sun May 15 2016 Jitka Plesnikova - 2.2-3
 - Perl 5.24 rebuild
diff --git a/sources b/sources
index 9a6d52d..ec03a48 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (dnssec-tools-2.2.3.tar.gz) = b83d3dfc999560937f7bb5558caf45449ad0501818b2b7cbbdc03008a365cd1d37aae6dff49b7c6785f737d1a01f20d3bf35bb7c86e9f9fca7eff5f5b35b8834
+ceb39b4d2376bfc4aa22f73846c11789 dnssec-tools-2.2.tar.gz
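Review bot: The new `sources` line is a bare 32-hex-digit digest followed by the file name, which looks like the old MD5 entry format, where the old side used `SHA512 (...) = ...`. MD5 is not collision-resistant, so this weakens the integrity check on the tarball the build fetches. I would record the 2.2 tarball in the current format, `SHA512 (dnssec-tools-2.2.tar.gz) = <sha512-of-the-2.2-tarball>`, computing the digest from a copy whose origin has been checked.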