diff --git a/dnssec-tools/validator/doc/dt-danechk.1 b/dnssec-tools/validator/doc/dt-danechk.1
index 0d7f5c0a..afe6df47 100644
--- a/dnssec-tools/validator/doc/dt-danechk.1
+++ b/dnssec-tools/validator/doc/dt-danechk.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14)
+.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,26 +38,31 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
 .ie \n(.g .ds Aq \(aq
 .el       .ds Aq '
 .\"
-.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" If the F register is >0, we'll generate index entries on stderr for
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
+.if !\nF .nr F 0
+.if \nF>0 \{\
 .    de IX
+.    tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.    if !\nF==2 \{\
+.        nr % 0
+.        nr F 2
+.    \}
 .\}
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
@@ -124,7 +129,7 @@
 .\" ========================================================================
 .\"
 .IX Title "DT-DANECHK 1"
-.TH DT-DANECHK 1 "2013-03-07" "perl v5.12.4" "User Commands"
+.TH DT-DANECHK 1 "2016-12-16" "perl v5.26.2" "User Commands"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -139,8 +144,8 @@ dt\-danechk \- validate TLSA records against SSL certificates.
 .SH "DESCRIPTION"
 .IX Header "DESCRIPTION"
 \&\fBdt-danechk\fR is a diagnostic tool that can be used to test the validity
-of an \s-1SSL/TLS\s0 certificate against the \s-1TLSA\s0 record published in the \s-1DNS\s0.
-For more information on \s-1TLSA\s0 and \s-1DANE\s0 see \s-1RFC\s0 6698.
+of an \s-1SSL/TLS\s0 certificate against the \s-1TLSA\s0 record published in the \s-1DNS.\s0
+For more information on \s-1TLSA\s0 and \s-1DANE\s0 see \s-1RFC 6698.\s0
 .SH "OPTIONS"
 .IX Header "OPTIONS"
 .IP "\-h, \-\-help" 4
@@ -204,7 +209,7 @@ Display the version and exit.
 \&\fBlibval\fR
 .SH "COPYRIGHT"
 .IX Header "COPYRIGHT"
-Copyright 2005\-2013 \s-1SPARTA\s0, Inc.  All rights reserved.
+Copyright 2005\-2013 \s-1SPARTA,\s0 Inc.  All rights reserved.
 See the \s-1COPYING\s0 file included with the DNSSEC-Tools package for details.
 .SH "AUTHORS"
 .IX Header "AUTHORS"
diff --git a/dnssec-tools/validator/doc/val_getdaneinfo.3 b/dnssec-tools/validator/doc/val_getdaneinfo.3
index 12f3be6d..148b5a5c 100644
--- a/dnssec-tools/validator/doc/val_getdaneinfo.3
+++ b/dnssec-tools/validator/doc/val_getdaneinfo.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14)
+.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,26 +38,31 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
 .ie \n(.g .ds Aq \(aq
 .el       .ds Aq '
 .\"
-.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" If the F register is >0, we'll generate index entries on stderr for
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
+.if !\nF .nr F 0
+.if \nF>0 \{\
 .    de IX
+.    tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.    if !\nF==2 \{\
+.        nr % 0
+.        nr F 2
+.    \}
 .\}
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
@@ -124,7 +129,7 @@
 .\" ========================================================================
 .\"
 .IX Title "val_getdaneinfo 3"
-.TH val_getdaneinfo 3 "2013-03-08" "perl v5.12.4" "Programmer's Manual"
+.TH val_getdaneinfo 3 "2016-12-16" "perl v5.26.2" "Programmer's Manual"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -231,9 +236,9 @@ form below:
 .Ve
 .PP
 The \fIttl\fR field is the time-to-live associated with the \s-1TLSA\s0 record. An
-application must not cache (and use) this \s-1TLSA\s0 record beyond its \s-1TTL\s0.
+application must not cache (and use) this \s-1TLSA\s0 record beyond its \s-1TTL.\s0
 The \fIusage\fR, \fIselector\fR and \fItype\fR fields correspond to the first
-three fields of the \s-1TLSA\s0 \s-1RDATA\s0 as described in rfc6698. The \s-1TLSA\s0
+three fields of the \s-1TLSA RDATA\s0 as described in rfc6698. The \s-1TLSA\s0
 certificate association data is returned in the \fIdata\fR field and has
 a length of \fIdatalen\fR bytes. There can be more than one \s-1TLSA\s0 record
 associated with a given name, and the \fInext\fR field points to the next
@@ -250,7 +255,7 @@ This function automatically iterates over all elements in \fIdres\fR and
 compares the certificate association data against the \s-1SSL/TLS\s0
 certificates associated with the \s-1SSL\s0 connection \fIcon\fR. The \s-1DANE\s0
 protocol enables certain use cases that allows new trust anchors to be
-introduced via \s-1DNSSEC\s0. The value of \fIdo_pathval\fR indicates whether
+introduced via \s-1DNSSEC.\s0 The value of \fIdo_pathval\fR indicates whether
 the application must proceed with X509 path validation for this
 connection in accordance with the usage that was encoded in the \s-1TLSA\s0
 record.
@@ -267,7 +272,7 @@ validation policy).
 \&\fI\fIval_getdaneinfo()\fI\fR and \fI\fIval_dane_submit()\fI\fR return \fB\s-1VAL_DANE_NOERROR\s0\fR
 on success, and \fB\s-1VAL_DANE_MALFORMED_TLSA\s0\fR or \fB\s-1VAL_DANE_INTERNAL_ERROR\s0\fR
 for error conditions. A value of \fB\s-1VAL_DANE_NOTVALIDATED\s0\fR is returned if
-the \s-1TLSA\s0 record cannot be validated via \s-1DNSSEC\s0. A value of
+the \s-1TLSA\s0 record cannot be validated via \s-1DNSSEC. A\s0 value of
 \&\fB\s-1VAL_DANE_IGNORE_TLSA\s0\fR is returned if the \s-1TLSA\s0 record for the given name
 is provably absent.
 .PP
@@ -285,7 +290,7 @@ The \fI\fIp_dane_error()\fI\fR function can be used to convert the DANE-related
 error codes to an error string value.
 .SH "COPYRIGHT"
 .IX Header "COPYRIGHT"
-Copyright 2004\-2013 \s-1SPARTA\s0, Inc.  All rights reserved.
+Copyright 2004\-2013 \s-1SPARTA,\s0 Inc.  All rights reserved.
 See the \s-1COPYING\s0 file included with the DNSSEC-Tools package for details.
 .SH "AUTHORS"
 .IX Header "AUTHORS"
@@ -294,7 +299,7 @@ Suresh Krishnaswamy
 .IX Header "SEE ALSO"
 \&\fI\fIlibval\fI\|(3)\fR
 .PP
-\&\s-1RFC\s0 6698 (\s-1DANE\s0)
+\&\s-1RFC 6698\s0 (\s-1DANE\s0)
 .PP
 draft-hayatnagarkar-dnsext-validator-api
 .PP
diff --git a/dnssec-tools/validator/etc/dnsval.conf b/dnssec-tools/validator/etc/dnsval.conf
index 07288fe3..34bbe6d6 100644
--- a/dnssec-tools/validator/etc/dnsval.conf
+++ b/dnssec-tools/validator/etc/dnsval.conf
@@ -21,6 +21,7 @@ global-options
 
 :	trust-anchor 
                 .  DS  19036  8  2  49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
+                .  DS  19036  8  2  E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
 ;
 
 : zone-security-expectation 
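Review bot: The added root DS line reuses key tag 19036 from the line above it while carrying a different digest, and a DS is matched to a DNSKEY by key tag and algorithm before the digest is compared, so two anchors with the same tag cannot both describe distinct root keys. The digest on the new line looks like the one IANA publishes for the 2017 root KSK, whose key tag is 20326 rather than 19036; please confirm against the IANA root-anchors file before merging. With the wrong tag the new anchor will never match the new DNSKEY, and validation fails once the 19036 key is retired, which is exactly the rollover this line is presumably meant to survive.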
diff --git a/dnssec-tools/validator/include/validator/validator-compat.h b/dnssec-tools/validator/include/validator/validator-compat.h
index c6ebf23f..300ef11e 100644
--- a/dnssec-tools/validator/include/validator/validator-compat.h
+++ b/dnssec-tools/validator/include/validator/validator-compat.h
@@ -818,14 +818,6 @@ typedef enum __ns_flag {
         ns_f_max
 } ns_flag;
 
-/* The Algorithm field of the KEY and SIG RR's is an integer, {1..254} */
-#define NS_ALG_MD5RSA           1       /* MD5 with RSA */
-#define NS_ALG_DH               2       /* Diffie Hellman KEY */
-#define NS_ALG_DSA              3       /* DSA KEY */
-#define NS_ALG_DSS              NS_ALG_DSA
-#define NS_ALG_EXPIRE_ONLY      253     /* No alg, no security */
-#define NS_ALG_PRIVATE_OID      254     /* Key begins with OID giving alg */
-
 /* Protocol values  */
 /* value 0 is reserved */
 #define NS_KEY_PROT_TLS         1
@@ -1050,5 +1042,26 @@ struct addrinfo {
 #endif
 
 
+/* The Algorithm field of the KEY and SIG RR's is an integer, {1..254} */
+#define NS_ALG_MD5RSA           1       /* MD5 with RSA */
+#define NS_ALG_DH               2       /* Diffie Hellman KEY */
+#define NS_ALG_DSA              3       /* DSA KEY */
+#define NS_ALG_DSS              NS_ALG_DSA
+#define NS_ALG_EXPIRE_ONLY      253     /* No alg, no security */
+#define NS_ALG_PRIVATE_OID      254     /* Key begins with OID giving alg */
+#define	ns_t_zxfr 256
+
+#define NS_MD5RSA_MIN_BITS       512    /* Size of a mod or exp in bits */
+#define NS_MD5RSA_MAX_BITS      2552
+        /* Total of binary mod and exp */
+#define NS_MD5RSA_MAX_BYTES     ((NS_MD5RSA_MAX_BITS+7/8)*2+3)
+        /* Max length of text sig block */
+#define NS_MD5RSA_MAX_BASE64    (((NS_MD5RSA_MAX_BYTES+2)/3)*4)
+#define NS_MD5RSA_MIN_SIZE      ((NS_MD5RSA_MIN_BITS+7)/8)
+#define NS_MD5RSA_MAX_SIZE      ((NS_MD5RSA_MAX_BITS+7)/8)
+
+#include "openssl/hmac.h"
+#include "openssl/ossl_typ.h"
+
 #endif /* _VALIDATOR_COMPAT_H */
 
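Review bot: `NS_MD5RSA_MAX_BYTES` is defined as `((NS_MD5RSA_MAX_BITS+7/8)*2+3)`, where `7/8` evaluates to 0, so the bits-to-bytes rounding the comment describes never happens and the value is about eight times what the sibling `NS_MD5RSA_MAX_SIZE` formula implies; `#define NS_MD5RSA_MAX_BYTES     (((NS_MD5RSA_MAX_BITS+7)/8)*2+3)` follows the pattern used two lines below, and `NS_MD5RSA_MAX_BASE64` derives from it so both are currently oversized. The same expression appears in some historic copies of arpa/nameser.h, so it may be harmless where it only sizes a buffer, but it is worth fixing rather than propagating. The two `#include "openssl/..."` lines placed after every definition in this public compatibility header pull OpenSSL into every translation unit that includes it; if they exist only for the HMAC_CTX type used in res_tsig.c, which now includes those headers itself, they could be dropped or guarded, and conventionally belong with the other includes near the top of the header.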
diff --git a/dnssec-tools/validator/libsres/ns_print.c b/dnssec-tools/validator/libsres/ns_print.c
index 98f1f9c3..edcbbbc3 100644
--- a/dnssec-tools/validator/libsres/ns_print.c
+++ b/dnssec-tools/validator/libsres/ns_print.c
@@ -712,6 +712,10 @@ ns_sprintrrf_data(const u_char * msg, size_t msglen,
 nxtbitmaps:
 #endif /* LIBVAL_NSEC3 */
 
+#if !defined(NS_NXT_BIT_ISSET)
+#define	NS_NXT_BITS 8
+#define	NS_NXT_BIT_ISSET(n,p) (p[(n)/NS_NXT_BITS] &   (0x80>>((n)%NS_NXT_BITS)))
+#endif
             /** Type bit map.  */
             while (edata - rdata > 0) {
                 b = *rdata;
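Review bot: The fallback `NS_NXT_BIT_ISSET` macro does not parenthesize its `p` argument, so an expression argument such as `rdata + 1` would index incorrectly; `#define NS_NXT_BIT_ISSET(n,p) ((p)[(n)/NS_NXT_BITS] & (0x80>>((n)%NS_NXT_BITS)))` removes that hazard. Defining the fallback in the middle of the function body works but reads oddly and is easy to miss; moving the `#if !defined` block to the file's include section would also make it available to any other use in the file. The enclosing function ns_sprintrrf_data starts and ends outside the hunk.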
diff --git a/dnssec-tools/validator/libsres/res_tsig.c b/dnssec-tools/validator/libsres/res_tsig.c
index bc010302..03f73c49 100644
--- a/dnssec-tools/validator/libsres/res_tsig.c
+++ b/dnssec-tools/validator/libsres/res_tsig.c
@@ -16,6 +16,7 @@
  */
 #include "validator-internal.h"
 
+#include <openssl/ossl_typ.h>
 #include <openssl/hmac.h>
 
 #include "res_tsig.h"
@@ -237,7 +238,7 @@ res_tsig_sign(u_char * query,
     u_char *hp;
     HEADER *header;
     struct timeval now;
-    HMAC_CTX ctx;
+    HMAC_CTX *ctx;
     const EVP_MD *md;
     u_char hash[MAX_DIGEST_LENGTH];
     unsigned int len;
@@ -274,8 +275,8 @@ res_tsig_sign(u_char * query,
                return SR_TS_FAIL;
         } 
 
-        HMAC_CTX_init(&ctx);
-        HMAC_Init_ex(&ctx, ns->ns_tsig->key, ns->ns_tsig->keylen,
+        ctx = HMAC_CTX_new();
+        HMAC_Init_ex(ctx, ns->ns_tsig->key, ns->ns_tsig->keylen,
                 md, NULL);
 
         /* Create a TSIG RR and add it to the additional section */
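Review bot: The result of `HMAC_CTX_new()` on the added line is not checked, and it returns NULL on allocation failure, which the following `HMAC_Init_ex` would then dereference; `if (ctx == NULL) return SR_TS_FAIL;` immediately after it (plus release of whatever the function allocated earlier, which is outside this hunk) keeps that from being a crash. `HMAC_Init_ex` also reports failure through its return value, and ignoring it means an unusable key or digest produces a query with a bogus MAC rather than an error, so `if (HMAC_Init_ex(ctx, ...) != 1) { HMAC_CTX_free(ctx); return SR_TS_FAIL; }` is worth adding. The same ctx feeds the HMAC_Update calls in the following hunks, and res_tsig_sign begins before this hunk.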
@@ -289,7 +290,7 @@ res_tsig_sign(u_char * query,
         p = cp;
         memcpy(cp, query, query_length * sizeof(u_char));
         cp += query_length;
-        HMAC_Update(&ctx, p, cp-p); 
+        HMAC_Update(ctx, p, cp-p); 
 
         /* Bump up the additional section count */
         header = (HEADER *) p;
@@ -300,7 +301,7 @@ res_tsig_sign(u_char * query,
         p = cp;
         memcpy(cp, ns->ns_tsig->name_n, wire_name_length(ns->ns_tsig->name_n));
         cp += wire_name_length(ns->ns_tsig->name_n);
-        HMAC_Update(&ctx, p, cp-p); 
+        HMAC_Update(ctx, p, cp-p); 
 
         /* don't digest type */
         RES_PUT16(ns_t_tsig, cp);
@@ -308,7 +309,7 @@ res_tsig_sign(u_char * query,
         p = cp;
         RES_PUT16(ns_t_any, cp);
         RES_PUT32(0, cp);
-        HMAC_Update(&ctx, p, cp-p); 
+        HMAC_Update(ctx, p, cp-p); 
 
         /* don't digest rdatalen */
         RES_PUT16(ns->ns_tsig->rdatalen, cp);
@@ -316,13 +317,13 @@ res_tsig_sign(u_char * query,
         p = cp;
         memcpy(cp, ns->ns_tsig->alg_n, wire_name_length(ns->ns_tsig->alg_n));
         cp += wire_name_length(ns->ns_tsig->alg_n);
-        HMAC_Update(&ctx, p, cp-p); 
+        HMAC_Update(ctx, p, cp-p); 
 
         gettimeofday(&now, NULL);
         p = cp;
         RES_PUT48((u_int64_t)now.tv_sec, cp);
         RES_PUT16(ns->ns_tsig->fudge, cp);
-        HMAC_Update(&ctx, p, cp-p); 
+        HMAC_Update(ctx, p, cp-p); 
 
         /* don't digest the mac_size */
         RES_PUT16(ns->ns_tsig->mac_size, cp);
@@ -337,9 +338,9 @@ res_tsig_sign(u_char * query,
         p = cp;
         RES_PUT16(0, cp);
         RES_PUT16(0, cp);
-        HMAC_Update(&ctx, p, cp-p); 
+        HMAC_Update(ctx, p, cp-p); 
 
-        HMAC_Final(&ctx, hash, &len);
+        HMAC_Final(ctx, hash, &len);
 
         if (len != ns->ns_tsig->mac_size) {
             FREE(*signed_query);
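Review bot: The `if (len != ns->ns_tsig->mac_size)` branch frees the signed query but, assuming it returns on the lines between this hunk and the next (not shown here), never reaches the `HMAC_CTX_free(ctx)` that now sits after the memcpy, so the heap-allocated context and the digest state it owns leak on that path. With the old stack `HMAC_CTX` the cleanup was also skipped, but now the whole object is lost. Adding `HMAC_CTX_free(ctx);` inside that branch, or moving the free to directly after `HMAC_Final` since the context is no longer needed once the hash has been produced, closes it on every path.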
@@ -348,7 +349,7 @@ res_tsig_sign(u_char * query,
         }
         memcpy(hp, hash, len);
 
-        HMAC_CTX_cleanup(&ctx);
+        HMAC_CTX_free(ctx);
         return SR_TS_OK;
 
     } else
diff --git a/dnssec-tools/validator/libval/val_crypto.c b/dnssec-tools/validator/libval/val_crypto.c
index 46d1ce5d..b3ccdcd4 100644
--- a/dnssec-tools/validator/libval/val_crypto.c
+++ b/dnssec-tools/validator/libval/val_crypto.c
@@ -22,6 +22,7 @@
 #include <crypto/sha2.h>
 #endif
 #include <openssl/dsa.h>
+#include <openssl/engine.h>
 #include <openssl/md5.h>
 #include <openssl/rsa.h>
 #include <openssl/err.h>
@@ -77,10 +78,8 @@ dsasha1_parse_public_key(const u_char *buf, size_t buflen, DSA * dsa)
     bn_y = BN_bin2bn(buf + index, 64 + (T * 8), NULL);
     index += (64 + (T * 8));
 
-    dsa->p = bn_p;
-    dsa->q = bn_q;
-    dsa->g = bn_g;
-    dsa->pub_key = bn_y;
+    DSA_set0_pqg(dsa, bn_p, bn_q, bn_g);
+    DSA_set0_key(dsa, bn_y, NULL);
 
     return VAL_NO_ERROR;        /* success */
 }
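Review bot: `DSA_set0_pqg` and `DSA_set0_key` return 0 on failure and only take ownership of the BIGNUMs on success, so the two unchecked added lines can leave bn_p, bn_q, bn_g and bn_y leaked and the DSA object half-populated while the function still reports VAL_NO_ERROR; the unchecked `RSA_set0_key` calls in the rsamd5_parse_public_key and rsa_parse_public_key hunks below have the same shape. The BN_bin2bn results feeding them are not checked either (pre-existing), and DSA_set0_pqg rejects a NULL p, q or g, so a short or malformed key now surfaces as a silent leak instead of a rejected key. A guard such as `if (!DSA_set0_pqg(dsa, bn_p, bn_q, bn_g)) { BN_free(bn_p); BN_free(bn_q); BN_free(bn_g); BN_free(bn_y); return VAL_BAD_ARGUMENT; }` before the key call, and the equivalent for `DSA_set0_key`, makes the failure explicit, using the error code this file already returns for bad input. dsasha1_parse_public_key starts before this hunk.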
@@ -214,8 +213,7 @@ rsamd5_parse_public_key(const u_char *buf, size_t buflen, RSA * rsa)
      */
     bn_mod = BN_bin2bn(buf + index, buflen - index, NULL);
 
-    rsa->e = bn_exp;
-    rsa->n = bn_mod;
+    RSA_set0_key(rsa, bn_mod, bn_exp, NULL);
 
     return VAL_NO_ERROR;        /* success */
 }
@@ -246,7 +244,7 @@ rsamd5_keytag(const u_char *pubkey, size_t pubkey_len)
         return VAL_BAD_ARGUMENT;
     }
 
-    modulus = rsa->n;
+    RSA_get0_key(rsa, (const BIGNUM **) &modulus, NULL, NULL);
     modulus_len = BN_num_bytes(modulus);
     modulus_bin =
         (u_char *) MALLOC(modulus_len * sizeof(u_char));
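Review bot: The `RSA_get0_key` call writes through `(const BIGNUM **) &modulus`, which casts away the constness the accessor's out-parameter conveys; the only use visible here is the read-only `BN_num_bytes(modulus)`, so declaring `const BIGNUM *modulus` (its declaration is outside the hunk) removes the cast. The accessor hands back NULL when no modulus has been set, so `if (modulus == NULL) return VAL_BAD_ARGUMENT;` before `BN_num_bytes`, with whatever cleanup of rsa the earlier VAL_BAD_ARGUMENT return in this function does, avoids a NULL dereference that the old `rsa->n` read would equally have caused but that is now cheap to check. rsamd5_keytag begins and ends outside the hunk.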
@@ -361,8 +359,7 @@ rsa_parse_public_key(const u_char *buf, size_t buflen, RSA * rsa)
      */
     bn_mod = BN_bin2bn(buf + index, buflen - index, NULL);
 
-    rsa->e = bn_exp;
-    rsa->n = bn_mod;
+    RSA_set0_key(rsa, bn_mod, bn_exp, NULL);
 
     return VAL_NO_ERROR;        /* success */
 }
@@ -460,11 +457,10 @@ ecdsa_sigverify(val_context_t * ctx,
     EC_KEY   *eckey = NULL;
     BIGNUM *bn_x = NULL;
     BIGNUM *bn_y = NULL;
-    ECDSA_SIG ecdsa_sig;
+    ECDSA_SIG *ecdsa_sig;
     size_t   hashlen = 0;
 
-    ecdsa_sig.r = NULL;
-    ecdsa_sig.s = NULL;
+    ecdsa_sig = ECDSA_SIG_new();
     memset(sha_hash, 0, sizeof(sha_hash));
 
     val_log(ctx, LOG_DEBUG,
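Review bot: `ecdsa_sig = ECDSA_SIG_new();` on the added line is not checked for NULL, and the `ECDSA_SIG_set0(ecdsa_sig, ...)` in the next hunk dereferences it; `if (ecdsa_sig == NULL) goto err;` with sig_status and the return value set the way the function's other `goto err` paths do (outside this hunk) keeps an allocation failure from becoming a crash. In the next hunk `ECDSA_SIG_set0`'s return value is ignored as well; it returns 0 when either BN_bin2bn result is NULL and in that case does not take ownership, so the other BIGNUM leaks and the verify then runs against whatever the signature object held. Checking that return and treating failure as a malformed signature keeps the failure explicit. ecdsa_sigverify begins before this hunk.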
@@ -523,10 +519,10 @@ ecdsa_sigverify(val_context_t * ctx,
         goto err;
     }
 
-    ecdsa_sig.r = BN_bin2bn(rrsig->signature, hashlen, NULL); 
-    ecdsa_sig.s = BN_bin2bn(&rrsig->signature[hashlen], hashlen, NULL); 
+    ECDSA_SIG_set0(ecdsa_sig, BN_bin2bn(rrsig->signature, hashlen, NULL),
+                   BN_bin2bn(&rrsig->signature[hashlen], hashlen, NULL));
 
-    if (ECDSA_do_verify(sha_hash, hashlen, &ecdsa_sig, eckey) == 1) {
+    if (ECDSA_do_verify(sha_hash, hashlen, ecdsa_sig, eckey) == 1) {
         val_log(ctx, LOG_INFO, "ecdsa_sigverify(): returned SUCCESS");
         *sig_status = VAL_AC_RRSIG_VERIFIED;
     } else {
@@ -536,10 +532,8 @@ ecdsa_sigverify(val_context_t * ctx,
 
     /* Free all structures allocated */
 err:
-    if (ecdsa_sig.r)
-        BN_free(ecdsa_sig.r);
-    if (ecdsa_sig.s)
-        BN_free(ecdsa_sig.s);
+    if (ecdsa_sig)
+        ECDSA_SIG_free(ecdsa_sig);
     if (bn_x)
         BN_free(bn_x);
     if (bn_y)
diff --git a/dnssec-tools/validator/libval/val_dane.c b/dnssec-tools/validator/libval/val_dane.c
index 32ffdc7a..16b0a0b2 100644
--- a/dnssec-tools/validator/libval/val_dane.c
+++ b/dnssec-tools/validator/libval/val_dane.c
@@ -875,7 +875,8 @@ val_X509_peer_cert_verify_cb(X509_STORE_CTX *x509ctx, void *arg)
     if (x509ctx == NULL || ssl_dane_data == NULL)
         return 0;
 
-    cert = x509ctx->cert;
+    
+    cert = X509_STORE_CTX_get_current_cert(x509ctx);
     context = ssl_dane_data->context;
 
     /*
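Review bot: `X509_STORE_CTX_get_current_cert` is not the accessor for the field the removed line read: `x509ctx->cert` is the certificate the store context was initialised to verify (the peer's end-entity certificate), whereas the accessor returns `current_cert`, the chain element under examination, which a callback installed through SSL_CTX_set_cert_verify_callback sees before any chain walking has happened and which may therefore be NULL or a different certificate. The OpenSSL 1.1.0 equivalent of the old read is `cert = X509_STORE_CTX_get0_cert(x509ctx);`, and since either accessor can return NULL the callback should also `if (cert == NULL) return 0;` before using it, otherwise the DANE comparison silently operates on the wrong or missing certificate. The blank line added above the assignment carries trailing whitespace and can be dropped. val_X509_peer_cert_verify_cb continues beyond the hunk.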