author | erwin <erwin@FreeBSD.org> | 2012-12-07 12:39:58 +0000 |
---|---|---|
committer | erwin <erwin@FreeBSD.org> | 2012-12-07 12:39:58 +0000 |
commit | 5d8c8fc50b9836a3c4a9d975721d7682dd286965 (patch) | |
tree | c3abb28c9e8cb3396d1d00b0af4f9a474adaf5f5 /contrib/bind9/lib/dns/dst_api.c | |
parent | d4467dc03357aa391339c667b9bce1af3f0455d9 (diff) | |
parent | 4d1484242d381404f6b827320dad3260370137c8 (diff) | |
Update to 9.8.4-P1.
Security Fixes
Prevents named from aborting with a require assertion failure
on servers with DNS64 enabled. These crashes might occur as a
result of specific queries that are received.
New Features
* Elliptic Curve Digital Signature Algorithm keys and signatures in
DNSSEC are now supported per RFC 6605. [RT #21918]
Feature Changes
* Improves OpenSSL error logging [RT #29932]
* nslookup now returns a nonzero exit code when it is unable to get
an answer. [RT #29492]
Other critical bug fixes are included.
Approved by: delphij (mentor)
MFC after: 3 days
Security: CVE-2012-5688
Sponsored by: DK Hostmaster A/S
Diffstat (limited to 'contrib/bind9/lib/dns/dst_api.c')
-rw-r--r-- | contrib/bind9/lib/dns/dst_api.c | 16 |
1 files changed, 15 insertions, 1 deletions
diff --git a/contrib/bind9/lib/dns/dst_api.c b/contrib/bind9/lib/dns/dst_api.c index a14b268..f5dd89a 100644 --- a/contrib/bind9/lib/dns/dst_api.c +++ b/contrib/bind9/lib/dns/dst_api.c @@ -56,6 +56,7 @@ #include <isc/string.h> #include <isc/time.h> #include <isc/util.h> +#include <isc/file.h> #include <dns/fixedname.h> #include <dns/keyvalues.h> @@ -226,6 +227,10 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx, #ifdef HAVE_OPENSSL_GOST RETERR(dst__opensslgost_init(&dst_t_func[DST_ALG_ECCGOST])); #endif +#ifdef HAVE_OPENSSL_ECDSA + RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA256])); + RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA384])); +#endif #endif /* OPENSSL */ #ifdef GSSAPI RETERR(dst__gssapi_init(&dst_t_func[DST_ALG_GSSAPI])); @@ -1110,6 +1115,12 @@ dst_key_sigsize(const dst_key_t *key, unsigned int *n) { case DST_ALG_ECCGOST: *n = DNS_SIG_GOSTSIGSIZE; break; + case DST_ALG_ECDSA256: + *n = DNS_SIG_ECDSA256SIZE; + break; + case DST_ALG_ECDSA384: + *n = DNS_SIG_ECDSA384SIZE; + break; case DST_ALG_HMACMD5: *n = 16; break; @@ -1415,6 +1426,8 @@ issymmetric(const dst_key_t *key) { case DST_ALG_NSEC3DSA: case DST_ALG_DH: case DST_ALG_ECCGOST: + case DST_ALG_ECDSA256: + case DST_ALG_ECDSA384: return (ISC_FALSE); case DST_ALG_HMACMD5: case DST_ALG_GSSAPI: @@ -1691,7 +1704,8 @@ algorithm_status(unsigned int alg) { alg == DST_ALG_HMACMD5 || alg == DST_ALG_NSEC3DSA || alg == DST_ALG_NSEC3RSASHA1 || alg == DST_ALG_RSASHA256 || alg == DST_ALG_RSASHA512 || - alg == DST_ALG_ECCGOST) + alg == DST_ALG_ECCGOST || + alg == DST_ALG_ECDSA256 || alg == DST_ALG_ECDSA384) return (DST_R_NOCRYPTO); #endif return (DST_R_UNSUPPORTEDALG); |
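Review bot: In the dst_lib_init2 hunk the ECDSA backends are registered only under `#ifdef HAVE_OPENSSL_ECDSA`, and the code does not say what state `dst_t_func[DST_ALG_ECDSA256]` and `dst_t_func[DST_ALG_ECDSA384]` are left in when that macro is undefined, even though the dst_key_sigsize and issymmetric hunks accept both algorithms unconditionally. Presumably the slots stay unset and the support check elsewhere in the file reports the algorithms as unavailable; for a validator that usually means ECDSA-only zones are handled as insecure rather than validated, which operators should be able to read off the source. I would add a comment above the block such as `/* ECDSA (RFC 6605) needs OpenSSL EC support; without it these slots stay unset and the algorithms are unsupported. */`. The body of dst_lib_init2 begins and ends outside the hunk, so the cleanup path taken by `RETERR` is not visible here.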
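Review bot: The new `DST_ALG_ECDSA256` and `DST_ALG_ECDSA384` cases in dst_key_sigsize return sizes from `DNS_SIG_ECDSA256SIZE` and `DNS_SIG_ECDSA384SIZE`, whose definitions are not in this diff, and nothing documents that they must equal the exact signature length the ECDSA backend writes. RFC 6605 fixes the signature as the concatenation r || s, 64 octets for P-256 and 96 for P-384, and callers presumably size their output buffers from `*n`, so a mismatch would surface as a truncated or overrun buffer rather than a clean error. A short comment on the first case, e.g. `/* fixed-length r || s per RFC 6605; must match the ECDSA sign output */`, would record that. The switch continues outside the hunk on both sides.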