Ondřej Surý
f362cc0bf3
Merge branch '3785-openssl-refactoring-17' into 'main'
...
Refactor OpenSSL ECDSA public and private key export
Closes #3785
See merge request isc-projects/bind9!7334
2023-01-09 19:32:28 +00:00
Timo Teräs
8b62e7ed99
Refactor OpenSSL ECDSA private key export
2023-01-09 19:56:31 +01:00
Ondřej Surý
ddce412489
Merge branch '3785-openssl-refactoring-16' into 'main'
...
Refactor OpenSSL ECDSA generation to helper functions
Closes #3785
See merge request isc-projects/bind9!7333
2023-01-09 18:56:29 +00:00
Timo Teräs
83b2e45600
Refactor OpenSSL ECDSA public key export
2023-01-09 19:56:27 +01:00
Timo Teräs
560d21a8b3
Refactor OpenSSL ECDSA generation to helper functions
...
Reduce the #ifdef cruft by having specific helper functions.
2023-01-09 19:52:56 +01:00
Ondřej Surý
a0d15e4e07
Merge branch '3785-openssl-refactoring-15' into 'main'
...
Refactor OpenSSL ECDSA to use pkeypair
Closes #3785
See merge request isc-projects/bind9!7332
2023-01-09 18:52:27 +00:00
Timo Teräs
a3b6729a88
Refactor OpenSSL ECDSA to use pkeypair
...
- Use separate EVP_PKEY for public and private keys
- On private key load, generate public key allowing better consistency
- Support OpenSSL3 providers
- Clean up key construction abstraction
- Various other clean ups
2023-01-09 19:33:48 +01:00
Ondřej Surý
f6f807319c
Merge branch '3785-openssl-refactoring-14' into 'main'
...
Make OpenSSL keypair comparison a generic helper function
Closes #3785
See merge request isc-projects/bind9!7331
2023-01-09 18:33:24 +00:00
Ondřej Surý
326e85e08d
Merge branch '3785-openssl-refactoring-13' into 'main'
...
Refactor OpenSSL ECDSA type check to opensslecdsa_valid_key_alg helper
Closes #3785
See merge request isc-projects/bind9!7330
2023-01-09 18:31:06 +00:00
Timo Teräs
02efa591ef
Make OpenSSL keypair comparison a generic helper function
2023-01-09 19:30:49 +01:00
Ondřej Surý
608ca9b140
Merge branch '3785-openssl-refactoring-12' into 'main'
...
Implement support for OpenSSL 3 Provider API stored RSA keys
Closes #3785
See merge request isc-projects/bind9!7329
2023-01-09 18:29:56 +00:00
Timo Teräs
96b8ad21f6
Refactor OpenSSL ECDSA type check to opensslecdsa_valid_key_alg helper
2023-01-09 19:29:38 +01:00
Timo Teräs
5fd6cfc625
Implement support for OpenSSL 3 Provider API stored RSA keys
...
Allows using pkcs11-provider module for PKCS#11 keys
2023-01-09 19:22:40 +01:00
Michal Nowak
370acd1f0a
Merge branch 'mnowak/abort-on-ubsan-errors' into 'main'
...
Abort on UBSAN errors
See merge request isc-projects/bind9!6877
2023-01-09 16:39:24 +00:00
Michal Nowak
1451bb7390
Abort on UBSAN errors
...
Previously, UBSAN errors might slip undetected.
2023-01-09 17:19:19 +01:00
Ondřej Surý
29de02e0ec
Merge branch '3785-openssl-refactoring-11' into 'main'
...
Make the OpenSSL RSA fromlabel helper a generic one
Closes #3785
See merge request isc-projects/bind9!7326
2023-01-09 15:43:09 +00:00
Timo Teräs
a0404696d7
Make the OpenSSL RSA fromlabel helper a generic one
2023-01-09 16:35:30 +01:00
Ondřej Surý
56614a722a
Merge branch '3785-openssl-refactoring-10' into 'main'
...
Rename the global ENGINE *e to global_engine
Closes #3785
See merge request isc-projects/bind9!7325
2023-01-09 15:35:24 +00:00
Ondřej Surý
11692467cd
Merge branch '3785-openssl-refactoring-9' into 'main'
...
Refactor OpenSSL RSA pkey building to use components struct
Closes #3785
See merge request isc-projects/bind9!7322
2023-01-09 15:31:46 +00:00
Timo Teräs
9e417f9815
Rename the global ENGINE *e to global_engine
2023-01-09 16:31:40 +01:00
Timo Teräs
451edf3242
Refactor OpenSSL RSA pkey building to use components struct
2023-01-09 15:31:24 +00:00
Petr Špaček
1d52a4cffd
Merge branch 'pspacek/aclelementtype_cleanup' into 'main'
...
Remove unused dns_aclelementtype_{ipprefix,any} enum values
See merge request isc-projects/bind9!7295
2023-01-09 15:06:22 +00:00
Petr Špaček
f5fa9b2965
Remove unused dns_aclelementtype_{ipprefix,any} enum values
...
Seems like they are unused, and all system tests pass when those values
are removed.
2023-01-09 16:05:41 +01:00
Ondřej Surý
4d374786f9
Merge branch '3785-openssl-refactoring-8-cleanup' into 'main'
...
BN_free() and BN_clear_free() both accept NULL
Closes #3785
See merge request isc-projects/bind9!7323
2023-01-09 15:02:55 +00:00
Ondřej Surý
9e185cd611
BN_free() and BN_clear_free() both accept NULL
...
Remove the extra check in opensslrsa_components_free() as BN_free()
and BN_clear_free() both accept NULL as a valid argument and do nothing.
2023-01-09 16:00:18 +01:00
Ondřej Surý
edd1b44d0b
Merge branch '3785-openssl-refactoring-8' into 'main'
...
Refactor OpenSSL RSA components getting to a helper function
Closes #3785
See merge request isc-projects/bind9!7321
2023-01-09 14:56:07 +00:00
Timo Teräs
b31d9f0b42
Refactor OpenSSL RSA components getting to a helper function
2023-01-09 15:55:07 +01:00
Matthijs Mekking
05b781e2f0
Merge branch '3743-unexpected-prohibited-ede' into 'main'
...
Fix unexpected "Prohibited" extended DNS error on allow-recursion mismatch
Closes #3743
See merge request isc-projects/bind9!7223
2023-01-09 14:40:31 +00:00
Matthijs Mekking
8db8ec1f6e
Add system test for #3743
2023-01-09 15:39:57 +01:00
Matthijs Mekking
e43a26fd1e
Add release note and CHANGES for #3743
2023-01-09 15:39:57 +01:00
Matthijs Mekking
798c8f57d4
Don't set EDE in ns_client_aclchecksilent
...
The ns_client_aclchecksilent is used to check multiple ACLs before
the decision is made that a query is denied. It is also used to
determine if recursion is available. In those cases we should not
set the extended DNS error "Prohibited".
2023-01-09 15:38:35 +01:00
Ondřej Surý
680921c4ef
Merge branch '3785-openssl-refactoring-7' into 'main'
...
Refactor OpenSSL RSA generation to be more readable
Closes #3785
See merge request isc-projects/bind9!7320
2023-01-09 14:33:09 +00:00
Ondřej Surý
1ce3f2eb7e
Merge branch '3785-openssl-refactoring-6' into 'main'
...
Provide identical BN_GENCB_new shim
Closes #3785
See merge request isc-projects/bind9!7319
2023-01-09 14:22:22 +00:00
Timo Teräs
0881d7fbf5
Refactor OpenSSL RSA generation to be more readable
...
No major code changes. Just reduce the ifdef clutter.
2023-01-09 15:22:18 +01:00
Timo Teräs
307f95d72f
Provide identical BN_GENCB_new shim
...
Instead of trying to optimize by using a stack local variable
with additional #ifdef logic, use identical implementations of
the upstream functions to reduce #ifdef clutter.
Move the definitions from dst_openssl.h to openssl_shim.h where
the rest of the shim is.
2023-01-09 15:20:49 +01:00
Ondřej Surý
220267f241
Merge branch '3785-openssl-refactoring-5' into 'main'
...
Refactor OpenSSL RSA private key handling
Closes #3785
See merge request isc-projects/bind9!7318
2023-01-09 14:20:38 +00:00
Timo Teräs
74361b0b6e
Refactor OpenSSL RSA private key handling
...
Instead of trying to enforce one pkey to contain both a private
and a public key pair, refactor the code to have separate public
and private pkeys.
This is a prerequisite for proper openssl 3.0 providers support
and greatly simplifies the code.
2023-01-09 15:19:37 +01:00
Ondřej Surý
471a2a3ffb
Merge branch '3768-dns_zonemgr-use-after-free' into 'main'
...
Fix a use-after-free bug in dns_zonemgr_releasezone()
Closes #3768
See merge request isc-projects/bind9!7303
2023-01-09 14:14:41 +00:00
Aram Sargsyan
d50cb1d45d
Add a CHANGES note for [GL #3768]
2023-01-09 14:14:31 +00:00
Aram Sargsyan
c1fc212253
Fix a use-after-free bug in dns_zonemgr_releasezone()
...
The dns_zonemgr_releasezone() function makes a decision to destroy
'zmgr' (based on its references count, after decreasing it) inside
a lock, and then destroys the object outside of the lock.
This causes a race with dns_zonemgr_detach(), which could destroy
the object in the meantime.
Change dns_zonemgr_releasezone() to detach from 'zmgr' and destroy
the object (if needed) using dns_zonemgr_detach(), outside of the
lock.
2023-01-09 14:14:31 +00:00
Ondřej Surý
6675731adf
Merge branch '3785-openssl-refactoring-4' into 'main'
...
Remove non-sensical RSA key compare tests
Closes #3785
See merge request isc-projects/bind9!7317
2023-01-09 14:03:03 +00:00
Ondřej Surý
d92bf40e23
Merge branch '3785-openssl-refactoring-3' into 'main'
...
Refactor OpenSSL RSA exponent bits checking to a helper function
Closes #3785
See merge request isc-projects/bind9!7316
2023-01-09 14:00:07 +00:00
Timo Teräs
b2eefba387
Remove non-sensical RSA key compare tests
...
The keys tested are not valid RSA keys as a single private
component was modified manually. The key would not pass
a basic sanity test.
2023-01-09 14:59:56 +01:00
Timo Teräs
c8bcf3a34e
Refactor OpenSSL RSA exponent bits checking to a helper function
...
- Make it a separate opensslrsa_check_exponent_bits() function to
clean up the code a bit
- Always use provider API first if using openssl 3.0, and fall back
to EVP API for older openssl or if built with engine support
- Use RSA_get0_key() (with shim for openssl 1.0) to avoid memory
allocations
2023-01-09 14:58:55 +01:00
Ondřej Surý
e78d61e2f5
Merge branch '3785-openssl-refactoring-2' into 'main'
...
Refactor OpenSSL RSA type check to opensslrsa_valid_key_alg helper
Closes #3785
See merge request isc-projects/bind9!7315
2023-01-09 13:34:41 +00:00
Timo Teräs
8bc52f836c
Refactor OpenSSL RSA type check to opensslrsa_valid_key_alg helper
...
Move the repetitive code into a small opensslrsa_valid_key_alg() helper
function.
2023-01-09 14:33:09 +01:00
Ondřej Surý
df2b767d45
Merge branch '3785-openssl-refactoring-1' into 'main'
...
Remove obsolete and unused EVP_dss1 compat #define
Closes #3785
See merge request isc-projects/bind9!7314
2023-01-09 13:32:59 +00:00
Timo Teräs
04c7f30690
Remove obsolete and unused EVP_dss1 compat #define
2023-01-09 14:21:41 +01:00
Ondřej Surý
2d3d44d59e
Merge branch '3671-override-ISC_R_EXISTS-in-findnodeintree' into 'main'
...
Change ISC_R_EXISTS to ISC_R_SUCCESS in dns/rbtdb.c:findnodeintree()
Closes #3671
See merge request isc-projects/bind9!7312
2023-01-09 12:33:12 +00:00
Ondřej Surý
e3d4d34744
Change ISC_R_EXISTS to ISC_R_SUCCESS in dns/rbtdb.c:findnodeintree()
...
In the previous refactoring, the findnodeintree() function could return
ISC_R_EXISTS (from dns_db_addnode() call) instead of ISC_R_SUCCESS
leading to the node being attached, but never detached.
Change the ISC_R_EXISTS result code returned from dns_rbt_addnode() to
the ISC_R_SUCCESS in the findnodeintree() function (called internally by
dns_db_findnode() and dns_db_findnsec3node()).
2023-01-09 12:48:19 +01:00