Update to 9.19.11 (#2178718)
- removes libirs and libbind9 from libs and devel subpackages. https://downloads.isc.org/isc/bind9/9.19.11/RELEASE-NOTES-bind-9.19.11.html
parent
2f124983ed
commit
93f304f6c9
|
@ -200,3 +200,5 @@ bind-9.7.2b1.tar.gz
|
|||
/bind-9.19.9.tar.xz.asc
|
||||
/bind-9.19.10.tar.xz
|
||||
/bind-9.19.10.tar.xz.asc
|
||||
/bind-9.19.11.tar.xz
|
||||
/bind-9.19.11.tar.xz.asc
|
||||
|
|
|
@ -1,309 +0,0 @@
|
|||
From 75c029a38b59deb4f1b1861faf9113220e438253 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
||||
Date: Thu, 2 Aug 2018 23:46:45 +0200
|
||||
Subject: [PATCH] FIPS tests changes for RHEL
|
||||
|
||||
Include MD5 feature detection in featuretest tool and use it in some
|
||||
places. When RHEL distribution or Fedora ELN is in FIPS mode, then MD5
|
||||
algorithm is unavailable completely and even hmac-md5 algorithm usage
|
||||
will always fail. Work that around by checking MD5 works and if not,
|
||||
skipping its usage.
|
||||
|
||||
Those changes were dragged as downstream patch bind-9.11-fips-tests.patch
|
||||
in Fedora and RHEL.
|
||||
---
|
||||
bin/tests/system/acl/tests.sh | 2 +-
|
||||
bin/tests/system/feature-test.c | 14 ++++++
|
||||
bin/tests/system/nsupdate/setup.sh | 6 ++-
|
||||
bin/tests/system/nsupdate/tests.sh | 11 +++-
|
||||
bin/tests/system/rndc/setup.sh | 2 +-
|
||||
bin/tests/system/rndc/tests.sh | 22 ++++----
|
||||
bin/tests/system/tsig/ns1/named.conf.in | 10 +---
|
||||
bin/tests/system/tsig/setup.sh | 16 ++++++
|
||||
bin/tests/system/tsig/tests.sh | 67 +++++++++++++++----------
|
||||
9 files changed, 102 insertions(+), 48 deletions(-)
|
||||
|
||||
diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh
|
||||
index df23d6a2f1..0984d85ed9 100644
|
||||
--- a/bin/tests/system/acl/tests.sh
|
||||
+++ b/bin/tests/system/acl/tests.sh
|
||||
@@ -98,7 +98,7 @@ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $tt failed" ; status=1
|
||||
# and other values? right out
|
||||
t=`expr $t + 1`
|
||||
$DIG $DIGOPTS tsigzone. \
|
||||
- @10.53.0.2 -b 127.0.0.1 axfr -y three:1234abcd8765 > dig.out.${t}
|
||||
+ @10.53.0.2 -b 127.0.0.1 axfr -y "${DEFAULT_HMAC}:three:1234abcd8765" > dig.out.${t}
|
||||
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
|
||||
|
||||
# now we only allow 10.53.0.1 *and* key one, or 10.53.0.2 *and* key two
|
||||
diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c
|
||||
index b1adaedade..4dd76fb187 100644
|
||||
--- a/bin/tests/system/feature-test.c
|
||||
+++ b/bin/tests/system/feature-test.c
|
||||
@@ -17,6 +17,7 @@
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
|
||||
+#include <isc/md.h>
|
||||
#include <isc/net.h>
|
||||
#include <isc/print.h>
|
||||
#include <isc/util.h>
|
||||
@@ -143,6 +144,19 @@ main(int argc, char **argv) {
|
||||
#endif
|
||||
}
|
||||
|
||||
+ if (strcmp(argv[1], "--md5") == 0) {
|
||||
+ unsigned char digest[ISC_MAX_MD_SIZE];
|
||||
+ const unsigned char test[] = "test";
|
||||
+ unsigned int size = sizeof(digest);
|
||||
+
|
||||
+ if (isc_md(ISC_MD_MD5, test, sizeof(test), digest, &size) ==
|
||||
+ ISC_R_SUCCESS) {
|
||||
+ return (0);
|
||||
+ } else {
|
||||
+ return (1);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
if (strcmp(argv[1], "--ipv6only=no") == 0) {
|
||||
#if defined(IPPROTO_IPV6) && defined(IPV6_V6ONLY)
|
||||
int s;
|
||||
diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh
|
||||
index b7d7b38107..25c4cb4d8b 100644
|
||||
--- a/bin/tests/system/nsupdate/setup.sh
|
||||
+++ b/bin/tests/system/nsupdate/setup.sh
|
||||
@@ -73,7 +73,11 @@ EOF
|
||||
|
||||
$TSIGKEYGEN ddns-key.example.nil > ns1/ddns.key
|
||||
|
||||
-$TSIGKEYGEN -a hmac-md5 md5-key > ns1/md5.key
|
||||
+if $FEATURETEST --md5; then
|
||||
+ $TSIGKEYGEN -a hmac-md5 md5-key > ns1/md5.key
|
||||
+else
|
||||
+ echo -n > ns1/md5.key
|
||||
+fi
|
||||
$TSIGKEYGEN -a hmac-sha1 sha1-key > ns1/sha1.key
|
||||
$TSIGKEYGEN -a hmac-sha224 sha224-key > ns1/sha224.key
|
||||
$TSIGKEYGEN -a hmac-sha256 sha256-key > ns1/sha256.key
|
||||
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
|
||||
index 5adc99ce5c..54e1d531a6 100755
|
||||
--- a/bin/tests/system/nsupdate/tests.sh
|
||||
+++ b/bin/tests/system/nsupdate/tests.sh
|
||||
@@ -959,7 +959,14 @@ fi
|
||||
n=$((n + 1))
|
||||
ret=0
|
||||
echo_i "check TSIG key algorithms (nsupdate -k) ($n)"
|
||||
-for alg in md5 sha1 sha224 sha256 sha384 sha512; do
|
||||
+if $FEATURETEST --md5
|
||||
+then
|
||||
+ ALGS="md5 sha1 sha224 sha256 sha384 sha512"
|
||||
+else
|
||||
+ ALGS="sha1 sha224 sha256 sha384 sha512"
|
||||
+ echo_i "skipping disabled md5 algorithm"
|
||||
+fi
|
||||
+for alg in $ALGS; do
|
||||
$NSUPDATE -k ns1/${alg}.key <<END > /dev/null || ret=1
|
||||
server 10.53.0.1 ${PORT}
|
||||
update add ${alg}.keytests.nil. 600 A 10.10.10.3
|
||||
@@ -967,7 +974,7 @@ send
|
||||
END
|
||||
done
|
||||
sleep 2
|
||||
-for alg in md5 sha1 sha224 sha256 sha384 sha512; do
|
||||
+for alg in $ALGS; do
|
||||
$DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.3 > /dev/null 2>&1 || ret=1
|
||||
done
|
||||
if [ $ret -ne 0 ]; then
|
||||
diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh
|
||||
index a8793f36d9..e6714c0991 100644
|
||||
--- a/bin/tests/system/rndc/setup.sh
|
||||
+++ b/bin/tests/system/rndc/setup.sh
|
||||
@@ -48,7 +48,7 @@ make_key () {
|
||||
sed 's/allow { 10.53.0.4/allow { any/' >> ns4/named.conf
|
||||
}
|
||||
|
||||
-make_key 1 ${EXTRAPORT1} hmac-md5
|
||||
+$FEATURETEST --md5 && make_key 1 ${EXTRAPORT1} hmac-md5
|
||||
make_key 2 ${EXTRAPORT2} hmac-sha1
|
||||
make_key 3 ${EXTRAPORT3} hmac-sha224
|
||||
make_key 4 ${EXTRAPORT4} hmac-sha256
|
||||
diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh
|
||||
index 424ac2befe..27219a3df8 100644
|
||||
--- a/bin/tests/system/rndc/tests.sh
|
||||
+++ b/bin/tests/system/rndc/tests.sh
|
||||
@@ -350,15 +350,19 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=$((status+ret))
|
||||
|
||||
n=$((n+1))
|
||||
-echo_i "testing rndc with hmac-md5 ($n)"
|
||||
-ret=0
|
||||
-$RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1
|
||||
-for i in 2 3 4 5 6
|
||||
-do
|
||||
- $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
|
||||
-done
|
||||
-if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
-status=$((status+ret))
|
||||
+if $FEATURETEST --md5; then
|
||||
+ echo_i "testing rndc with hmac-md5 ($n)"
|
||||
+ ret=0
|
||||
+ $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1
|
||||
+ for i in 2 3 4 5 6
|
||||
+ do
|
||||
+ $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
|
||||
+ done
|
||||
+ if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
+ status=$((status+ret))
|
||||
+else
|
||||
+ echo_i "skipping rndc with hmac-md5 ($n)"
|
||||
+fi
|
||||
|
||||
n=$((n+1))
|
||||
echo_i "testing rndc with hmac-sha1 ($n)"
|
||||
diff --git a/bin/tests/system/tsig/ns1/named.conf.in b/bin/tests/system/tsig/ns1/named.conf.in
|
||||
index 76cf970397..22637af901 100644
|
||||
--- a/bin/tests/system/tsig/ns1/named.conf.in
|
||||
+++ b/bin/tests/system/tsig/ns1/named.conf.in
|
||||
@@ -23,10 +23,7 @@ options {
|
||||
notify no;
|
||||
};
|
||||
|
||||
-key "md5" {
|
||||
- secret "97rnFx24Tfna4mHPfgnerA==";
|
||||
- algorithm hmac-md5;
|
||||
-};
|
||||
+# md5 key appended by setup.sh at the end
|
||||
|
||||
key "sha1" {
|
||||
secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
|
||||
@@ -53,10 +50,7 @@ key "sha512" {
|
||||
algorithm hmac-sha512;
|
||||
};
|
||||
|
||||
-key "md5-trunc" {
|
||||
- secret "97rnFx24Tfna4mHPfgnerA==";
|
||||
- algorithm hmac-md5-80;
|
||||
-};
|
||||
+# md5-trunc key appended by setup.sh at the end
|
||||
|
||||
key "sha1-trunc" {
|
||||
secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
|
||||
diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh
|
||||
index 34cc73bf53..6a739f7eb1 100644
|
||||
--- a/bin/tests/system/tsig/setup.sh
|
||||
+++ b/bin/tests/system/tsig/setup.sh
|
||||
@@ -16,3 +16,19 @@
|
||||
$SHELL clean.sh
|
||||
|
||||
copy_setports ns1/named.conf.in ns1/named.conf
|
||||
+
|
||||
+if $FEATURETEST --md5
|
||||
+then
|
||||
+ cat >> ns1/named.conf << EOF
|
||||
+# Conditionally included when support for MD5 is available
|
||||
+key "md5" {
|
||||
+ secret "97rnFx24Tfna4mHPfgnerA==";
|
||||
+ algorithm hmac-md5;
|
||||
+};
|
||||
+
|
||||
+key "md5-trunc" {
|
||||
+ secret "97rnFx24Tfna4mHPfgnerA==";
|
||||
+ algorithm hmac-md5-80;
|
||||
+};
|
||||
+EOF
|
||||
+fi
|
||||
diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh
|
||||
index 106722741c..ee05e838c1 100644
|
||||
--- a/bin/tests/system/tsig/tests.sh
|
||||
+++ b/bin/tests/system/tsig/tests.sh
|
||||
@@ -27,20 +27,25 @@ sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f
|
||||
|
||||
status=0
|
||||
|
||||
-echo_i "fetching using hmac-md5 (old form)"
|
||||
-ret=0
|
||||
-$DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1
|
||||
-grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1
|
||||
-if [ $ret -eq 1 ] ; then
|
||||
- echo_i "failed"; status=1
|
||||
-fi
|
||||
-
|
||||
-echo_i "fetching using hmac-md5 (new form)"
|
||||
-ret=0
|
||||
-$DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1
|
||||
-grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1
|
||||
-if [ $ret -eq 1 ] ; then
|
||||
- echo_i "failed"; status=1
|
||||
+if $FEATURETEST --md5
|
||||
+then
|
||||
+ echo_i "fetching using hmac-md5 (old form)"
|
||||
+ ret=0
|
||||
+ $DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1
|
||||
+ grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1
|
||||
+ if [ $ret -eq 1 ] ; then
|
||||
+ echo_i "failed"; status=1
|
||||
+ fi
|
||||
+
|
||||
+ echo_i "fetching using hmac-md5 (new form)"
|
||||
+ ret=0
|
||||
+ $DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1
|
||||
+ grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1
|
||||
+ if [ $ret -eq 1 ] ; then
|
||||
+ echo_i "failed"; status=1
|
||||
+ fi
|
||||
+else
|
||||
+ echo_i "skipping using hmac-md5"
|
||||
fi
|
||||
|
||||
echo_i "fetching using hmac-sha1"
|
||||
@@ -88,12 +93,17 @@ fi
|
||||
# Truncated TSIG
|
||||
#
|
||||
#
|
||||
-echo_i "fetching using hmac-md5 (trunc)"
|
||||
-ret=0
|
||||
-$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1
|
||||
-grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1
|
||||
-if [ $ret -eq 1 ] ; then
|
||||
- echo_i "failed"; status=1
|
||||
+if $FEATURETEST --md5
|
||||
+then
|
||||
+ echo_i "fetching using hmac-md5 (trunc)"
|
||||
+ ret=0
|
||||
+ $DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1
|
||||
+ grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1
|
||||
+ if [ $ret -eq 1 ] ; then
|
||||
+ echo_i "failed"; status=1
|
||||
+ fi
|
||||
+else
|
||||
+ echo_i "skipping using hmac-md5 (trunc)"
|
||||
fi
|
||||
|
||||
echo_i "fetching using hmac-sha1 (trunc)"
|
||||
@@ -142,12 +152,17 @@ fi
|
||||
# Check for bad truncation.
|
||||
#
|
||||
#
|
||||
-echo_i "fetching using hmac-md5-80 (BADTRUNC)"
|
||||
-ret=0
|
||||
-$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1
|
||||
-grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1
|
||||
-if [ $ret -eq 1 ] ; then
|
||||
- echo_i "failed"; status=1
|
||||
+if $FEATURETEST --md5
|
||||
+then
|
||||
+ echo_i "fetching using hmac-md5-80 (BADTRUNC)"
|
||||
+ ret=0
|
||||
+ $DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1
|
||||
+ grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1
|
||||
+ if [ $ret -eq 1 ] ; then
|
||||
+ echo_i "failed"; status=1
|
||||
+ fi
|
||||
+else
|
||||
+ echo_i "skipping using hmac-md5-80 (BADTRUNC)"
|
||||
fi
|
||||
|
||||
echo_i "fetching using hmac-sha1-80 (BADTRUNC)"
|
||||
--
|
||||
2.39.0
|
||||
|
|
@ -55,7 +55,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
|
|||
Name: bind9-next
|
||||
License: MPL-2.0 AND ISC AND BSD-3-clause AND Expat AND BSD-2-clause
|
||||
#
|
||||
Version: 9.19.10
|
||||
Version: 9.19.11
|
||||
Release: 1%{?dist}
|
||||
Epoch: 32
|
||||
Url: https://www.isc.org/downloads/bind/
|
||||
|
@ -90,8 +90,6 @@ Source49: named-chroot.files
|
|||
# Common patches
|
||||
# Red Hat specific documentation is not relevant to upstream
|
||||
Patch1: bind-9.16-redhat_doc.patch
|
||||
# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/7417
|
||||
Patch2: bind-9.11-fips-tests.patch
|
||||
|
||||
%{?systemd_ordering}
|
||||
Requires: coreutils
|
||||
|
@ -828,11 +826,9 @@ fi;
|
|||
%dir /run/named
|
||||
|
||||
%files libs
|
||||
%{_libdir}/libbind9-%{version}*.so
|
||||
%{_libdir}/libisccc-%{version}*.so
|
||||
%{_libdir}/libns-%{version}*.so
|
||||
%{_libdir}/libdns-%{version}*.so
|
||||
%{_libdir}/libirs-%{version}*.so
|
||||
%{_libdir}/libisc-%{version}*.so
|
||||
%{_libdir}/libisccfg-%{version}*.so
|
||||
|
||||
|
@ -880,15 +876,12 @@ fi;
|
|||
%{_mandir}/man1/dnssec*.1*
|
||||
|
||||
%files devel
|
||||
%{_libdir}/libbind9.so
|
||||
%{_libdir}/libisccc.so
|
||||
%{_libdir}/libns.so
|
||||
%{_libdir}/libdns.so
|
||||
%{_libdir}/libirs.so
|
||||
%{_libdir}/libisc.so
|
||||
%{_libdir}/libisccfg.so
|
||||
%dir %{_includedir}/bind9
|
||||
%{_includedir}/bind9/bind9
|
||||
%{_includedir}/bind9/isccc
|
||||
%{_includedir}/bind9/ns
|
||||
%{_includedir}/bind9/dns
|
||||
|
@ -966,6 +959,9 @@ fi;
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Thu Mar 23 2023 Petr Menšík <pemensik@redhat.com> - 32:9.19.11-1
|
||||
- Update to 9.19.11 (#2178718)
|
||||
|
||||
* Mon Mar 06 2023 Petr Menšík <pemensik@redhat.com> - 32:9.19.10-1
|
||||
- Update to 9.19.10 (#2170097)
|
||||
- Update license tag to SPDX tag
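Review bot: The new `%changelog` entry at the end of the spec section says only `- Update to 9.19.11 (#2178718)`, but the section also appears to drop `Patch2: bind-9.11-fips-tests.patch` (the patch file is deleted in this same commit) and, per the commit description, removes libirs and libbind9 from the libs and devel subpackages. Neither change is visible to someone reading `rpm -q --changelog`, so I would add `- Drop bind-9.11-fips-tests.patch` with the reason and `- Remove libirs and libbind9 from libs and devel subpackages`. The comment above Patch2 points at an upstream merge request, so the patch was presumably merged upstream; that is inferred, and it is worth confirming that the 9.19.11 system tests still skip hmac-md5 when MD5 is unavailable in FIPS mode before relying on it. The rendered page has lost the +/- markers, so which lines are removed is read from the hunk counts rather than seen directly.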
|
||||
|
|
4
sources
4
sources
|
@ -1,2 +1,2 @@
|
|||
SHA512 (bind-9.19.10.tar.xz) = 185afd57c1606862764aa4f211126b52bbbe65fb82f1b01b8cf8fb3692d58a8e47b2d1c83d39c8fe026a2da75eeb3059b877f7b34fea76bbacd0bd303f0ba6af
|
||||
SHA512 (bind-9.19.10.tar.xz.asc) = a2b729ec8d3a3998887276f2080601ae87443b83c3cc85ccf2af767e972e45c868454cb3db0fe1dd30c0f7aec2a9844b4e46b824130cb64a18735c79a9404127
|
||||
SHA512 (bind-9.19.11.tar.xz) = 52b5779b9f7951e1e367684cb18aeb7186199e380d44ec0b2b05ff9f1c28447d72d95138fbd49f0ac0e5e7c959f9ece70b4fcbe8557db2a45536cd1f83f28091
|
||||
SHA512 (bind-9.19.11.tar.xz.asc) = 37ce98e46cec1061d59a12ad39649223f824006e2612d902304f781494ca3b186dbbb8ce06ba9fe5d365a7c28bec9b0f9983ba652722d9ac06b84150ca227f82
|
||||
|
|