The package rpms/bind.git has added or updated architecture specific content in its spec file (ExclusiveArch/ExcludeArch or %ifarch/%ifnarch) in commit(s): https://src.fedoraproject.org/cgit/rpms/bind.git/commit/?id=219b0e889f74ed22....
Change: -%ifnarch alpha ia64
Thanks.
Full change: ============
commit fd11bcc212a10ae3ce6ec9eb0f10553c4454d63a Author: Petr Menk pemensik@redhat.com Date: Fri May 3 15:55:24 2019 +0200
Revert "Move dnssec related tools to bind-dnssec-utils"
This reverts commit 2830e00b88ea8bb956e0cdeb6f205fc72741b167.
diff --git a/bind.spec b/bind.spec index 34c6c31..9da1b90 100644 --- a/bind.spec +++ b/bind.spec @@ -169,7 +169,6 @@ Provides: dnssec-conf = 1.27-2 # in case it needs to be used Requires(post): ((policycoreutils-python-utils and libselinux-utils) if (selinux-policy-targeted or selinux-policy-mls)) Requires(post): ((selinux-policy and selinux-policy-base) if (selinux-policy-targeted or selinux-policy-mls)) -Recommends: bind-utils bind-dnssec-utils BuildRequires: gcc, make BuildRequires: openssl-devel, libtool, autoconf, pkgconfig, libcap-devel BuildRequires: libidn2-devel, libxml2-devel, GeoIP-devel @@ -307,14 +306,9 @@ Contains license of the BIND DNS suite.
%package utils Summary: Utilities for querying DNS name servers -Requires: bind-libs-lite%{?_isa} = %{epoch}:%{version}-%{release} Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release} -# TODO: this is just temporary workaround until all packages depending on -# bind-utils can be satisfied without dnssec-utils -# It will be removed after some time, or changed to Recommends -Suggests: bind-dnssec-utils -# For compatibility with Debian package -Provides: dnsutils = %{epoch}:%{version}-%{release} +Requires: bind-libs-lite%{?_isa} = %{epoch}:%{version}-%{release} +Requires: python3-bind = %{epoch}:%{version}-%{release}
%description utils Bind-utils contains a collection of utilities for querying DNS (Domain @@ -326,20 +320,6 @@ network addresses. You should install bind-utils if you need to get information from DNS name servers.
-%package dnssec-utils -Summary: Utilities for DNSSEC keys and DNS zone files management -Requires: bind-libs-lite%{?_isa} = %{epoch}:%{version}-%{release} -Recommends: bind-utils -Requires: python3-bind = %{epoch}:%{version}-%{release} - -%description dnssec-utils -Bind-dnssec-utils contains a collection of utilities for editing -DNSSEC keys and BIND zone files. These tools provide generation, -revocation and verification of keys and DNSSEC signatures in zone files. - -You should install bind-dnssec-utils if you need to sign a DNS zone -or maintain keys for it. - %if %{with DEVEL} %package devel Summary: Header files and libraries needed for BIND DNS development @@ -1280,19 +1260,6 @@ fi; %{_bindir}/nslookup %{_bindir}/nsupdate %{_bindir}/arpaname -%if %{with DNSTAP} -%{_bindir}/dnstap-read -%{_mandir}/man1/dnstap-read.1* -%endif -%{_mandir}/man1/host.1* -%{_mandir}/man1/nsupdate.1* -%{_mandir}/man1/dig.1* -%{_mandir}/man1/delv.1* -%{_mandir}/man1/nslookup.1* -%{_mandir}/man1/arpaname.1* -%{_sysconfdir}/trusted-key.key - -%files dnssec-utils %{_sbindir}/ddns-confgen %{_sbindir}/tsig-keygen %{_sbindir}/genrandom @@ -1307,6 +1274,16 @@ fi; %if %{with LMDB} %{_sbindir}/named-nzd2nzf %endif +%if %{with DNSTAP} +%{_bindir}/dnstap-read +%{_mandir}/man1/dnstap-read.1* +%endif +%{_mandir}/man1/host.1* +%{_mandir}/man1/nsupdate.1* +%{_mandir}/man1/dig.1* +%{_mandir}/man1/delv.1* +%{_mandir}/man1/nslookup.1* +%{_mandir}/man1/arpaname.1* %{_mandir}/man8/ddns-confgen.8* %{_mandir}/man8/tsig-keygen.8* %{_mandir}/man8/genrandom.8* @@ -1321,6 +1298,7 @@ fi; %if %{with LMDB} %{_mandir}/man8/named-nzd2nzf.8* %endif +%{_sysconfdir}/trusted-key.key
%if %{with DEVEL} %files devel
commit f6f181d9d55ccc62c08001c6d30f9c7a3a5412d1 Author: Petr Menk pemensik@redhat.com Date: Fri May 3 15:53:27 2019 +0200
Update to 9.11.6-P1
Finish merge from more recent branches, cleanup changelog changes not relevant to this branch.
diff --git a/bind.spec b/bind.spec index 5b40270..34c6c31 100644 --- a/bind.spec +++ b/bind.spec @@ -53,7 +53,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv Name: bind License: MPLv2.0 Version: 9.11.6 -Release: 0%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} +Release: 1%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} Epoch: 32 Url: https://www.isc.org/downloads/bind/ # @@ -1519,6 +1519,9 @@ fi;
%changelog +* Fri May 03 2019 Petr Menk pemensik@redhat.com - 32:9.11.6-1.P1 +- Update to 9.11.6-P1 (#1702881) + * Fri Feb 22 2019 Petr Menk pemensik@redhat.com - 32:9.11.5-4.P4 - Update to 9.11.5-P4
@@ -1532,45 +1535,10 @@ fi; - disable IDN output from scripts - Update project URL - Removed revoked KSK 19164 from trusted keys -* Thu Feb 21 2019 Petr Menk pemensik@redhat.com - 32:9.11.5-11.P1 -- Disable often failing unit test random_test - -* Thu Feb 21 2019 Petr Menk pemensik@redhat.com - 32:9.11.5-10.P1 -- Disable autodetected eddsa algorithm ED448 - -* Thu Jan 31 2019 Petr Menk pemensik@redhat.com - 32:9.11.5-9.P1 -- dig prints ASCII name instead of failure (#1647829) -- disable IDN output from scripts -- Update project URL -- Removed revoked KSK 19164 from trusted keys - -* Thu Jan 31 2019 Fedora Release Engineering releng@fedoraproject.org - 32:9.11.5-8.P1 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild - -* Sun Jan 27 2019 Petr Menk pemensik@redhat.com - 32:9.11.5-7.P1 -- Update to 9.11.5-P1 - -* Wed Jan 23 2019 Petr Menk pemensik@redhat.com - 32:9.11.5-6 -- Reenable crypto rand for DHCP, disable just entropy check (#1663318) - -* Thu Jan 17 2019 Petr Menk pemensik@redhat.com - 32:9.11.5-5 -- Move dnssec related tools from bind-utils to bind-dnssec-utils (#1649398) - -* Wed Jan 16 2019 Petr Menk pemensik@redhat.com - 32:9.11.5-4 -- Reject invalid binary file (#1666814) - -* Mon Jan 14 2019 Petr Menk pemensik@redhat.com - 32:9.11.5-3 -- Disable crypto rand for DHCP (#1663318) - -* Thu Oct 25 2018 Petr Menk pemensik@redhat.com - 32:9.11.5-2 -- Add optional support for JSON statistics -- Add optional DNSTAP support (#1564776), new dnstap-read tool
* Wed Oct 24 2018 Petr Menk pemensik@redhat.com - 32:9.11.5-1 - Update to 9.11.5
-* Mon Jan 14 2019 Petr Menk pemensik@redhat.com - 32:9.11.4-13.P2 -- Disable crypto rand for DHCP (#1663318) * Tue Oct 02 2018 Petr Menk pemensik@redhat.com - 32:9.11.4-12.P2 - Add Requires to devel packages referenced by bind-devel
commit 3e06916fb7d69295eb19b2e7d0d3238c4dc8300b Author: Petr Menk pemensik@redhat.com Date: Fri May 3 15:39:13 2019 +0200
Revert "Enable LMDB support"
This reverts commit ec6f94669ad65412d41dfefc0f43e8bec2da7994.
diff --git a/bind.spec b/bind.spec index 7f77ba8..5b40270 100644 --- a/bind.spec +++ b/bind.spec @@ -15,8 +15,8 @@ # due to extensive changes to Makefiles %bcond_without PKCS11 %bcond_without DEVEL +%bcond_with LMDB %bcond_with JSON -%bcond_without LMDB %bcond_with DNSTAP %bcond_with DLZ %bcond_without EXPORT_LIBS
commit 9b172b6d29ef6ab30497e12c9537cbfa698a8f77 Author: Petr Menk pemensik@redhat.com Date: Fri May 3 15:37:44 2019 +0200
Revert "Enable json statistics format"
This reverts commit d3fe8d6248ba08cb0c343f81f25d815bba173190.
diff --git a/bind.spec b/bind.spec index 24c1bf6..7f77ba8 100644 --- a/bind.spec +++ b/bind.spec @@ -15,8 +15,8 @@ # due to extensive changes to Makefiles %bcond_without PKCS11 %bcond_without DEVEL +%bcond_with JSON %bcond_without LMDB -%bcond_without JSON %bcond_with DNSTAP %bcond_with DLZ %bcond_without EXPORT_LIBS @@ -1571,8 +1571,6 @@ fi;
* Mon Jan 14 2019 Petr Menk pemensik@redhat.com - 32:9.11.4-13.P2 - Disable crypto rand for DHCP (#1663318) -- Enable json format in statistics-channel - * Tue Oct 02 2018 Petr Menk pemensik@redhat.com - 32:9.11.4-12.P2 - Add Requires to devel packages referenced by bind-devel
commit 65cf5aa6e0ffd5fb7522162a0c0eef6604cbca60 Author: Petr Menk pemensik@redhat.com Date: Fri May 3 15:35:58 2019 +0200
Revert "Enable DNSTAP (#1564776)"
This reverts commit f0b6f15ced5af5f309ccbfe35c6ec38ddca7b619.
diff --git a/bind.spec b/bind.spec index ff220d7..24c1bf6 100644 --- a/bind.spec +++ b/bind.spec @@ -17,7 +17,7 @@ %bcond_without DEVEL %bcond_without LMDB %bcond_without JSON -%bcond_without DNSTAP +%bcond_with DNSTAP %bcond_with DLZ %bcond_without EXPORT_LIBS %if 0%{?fedora} >= 28 @@ -1532,7 +1532,6 @@ fi; - disable IDN output from scripts - Update project URL - Removed revoked KSK 19164 from trusted keys - * Thu Feb 21 2019 Petr Menk pemensik@redhat.com - 32:9.11.5-11.P1 - Disable often failing unit test random_test
commit c1ece0be9b77d42f0876c21b02f9e3eb328e857f Merge: 3a9a611 36d3753 Author: Petr Menk pemensik@redhat.com Date: Fri May 3 15:32:35 2019 +0200
Merge branch 'f30' into f29
diff --cc bind.spec index b5b836c,f5ba390..ff220d7 --- a/bind.spec +++ b/bind.spec @@@ -51,8 -52,8 +52,8 @@@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server Name: bind License: MPLv2.0 - Version: 9.11.5 - Release: 4%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} + Version: 9.11.6 -Release: 3%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} ++Release: 0%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} Epoch: 32 Url: https://www.isc.org/downloads/bind/ # @@@ -1461,27 -1519,66 +1519,61 @@@ fi
%changelog -* Thu May 02 2019 Petr Menk pemensik@redhat.com - 32:9.11.6-3.P1 -- Fix inefective limit of TCP clients (CVE-2018-5743) - -* Thu Mar 14 2019 Petr Menk pemensik@redhat.com - 32:9.11.6-2 -- Fix dnstap and timer issues in unit test - -* Tue Mar 05 2019 Petr Menk pemensik@redhat.com - 32:9.11.6-1 -- Update to 9.11.6 - -* Fri Mar 01 2019 Petr Menk pemensik@redhat.com - 32:9.11.5-15.P4 -- Support testing of named variants - -* Thu Feb 28 2019 Petr Menk pemensik@redhat.com - 32:9.11.5-14.P4 -- Modify feature-test detection of dlz-filesystem - -* Fri Feb 22 2019 Petr Menk pemensik@redhat.com - 32:9.11.5-13.P4 +* Fri Feb 22 2019 Petr Menk pemensik@redhat.com - 32:9.11.5-4.P4 - Update to 9.11.5-P4
-* Fri Feb 22 2019 Petr Menk pemensik@redhat.com - 32:9.11.5-12.P1 -- Enable DNSTAP support (#1564776) -- Enable LMDB support for rndc addzone -- Enable json format in statistics-channel +* Thu Feb 21 2019 Petr Menk pemensik@redhat.com - 32:9.11.5-3.P1 +- Disable autodetected eddsa algorithm ED448 +- Disable often failing unit test random_test + +* Sun Jan 27 2019 Petr Menk pemensik@redhat.com - 32:9.11.5-2.P1 +- Update to 9.11.5-P1 +- dig prints ASCII name instead of failure (#1647829) +- disable IDN output from scripts +- Update project URL +- Removed revoked KSK 19164 from trusted keys
- * Sun Jan 27 2019 Petr Menk pemensik@redhat.com - 32:9.11.5-1 - - Update to 9.11.5 + * Thu Feb 21 2019 Petr Menk pemensik@redhat.com - 32:9.11.5-11.P1 + - Disable often failing unit test random_test + + * Thu Feb 21 2019 Petr Menk pemensik@redhat.com - 32:9.11.5-10.P1 + - Disable autodetected eddsa algorithm ED448 + + * Thu Jan 31 2019 Petr Menk pemensik@redhat.com - 32:9.11.5-9.P1 + - dig prints ASCII name instead of failure (#1647829) + - disable IDN output from scripts + - Update project URL + - Removed revoked KSK 19164 from trusted keys + + * Thu Jan 31 2019 Fedora Release Engineering releng@fedoraproject.org - 32:9.11.5-8.P1 + - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + + * Sun Jan 27 2019 Petr Menk pemensik@redhat.com - 32:9.11.5-7.P1 + - Update to 9.11.5-P1 + + * Wed Jan 23 2019 Petr Menk pemensik@redhat.com - 32:9.11.5-6 - Reenable crypto rand for DHCP, disable just entropy check (#1663318)
+ * Thu Jan 17 2019 Petr Menk pemensik@redhat.com - 32:9.11.5-5 + - Move dnssec related tools from bind-utils to bind-dnssec-utils (#1649398) + + * Wed Jan 16 2019 Petr Menk pemensik@redhat.com - 32:9.11.5-4 + - Reject invalid binary file (#1666814) + + * Mon Jan 14 2019 Petr Menk pemensik@redhat.com - 32:9.11.5-3 + - Disable crypto rand for DHCP (#1663318) + + * Thu Oct 25 2018 Petr Menk pemensik@redhat.com - 32:9.11.5-2 + - Add optional support for JSON statistics + - Add optional DNSTAP support (#1564776), new dnstap-read tool + + * Wed Oct 24 2018 Petr Menk pemensik@redhat.com - 32:9.11.5-1 + - Update to 9.11.5 + +* Mon Jan 14 2019 Petr Menk pemensik@redhat.com - 32:9.11.4-13.P2 +- Disable crypto rand for DHCP (#1663318) ++- Enable json format in statistics-channel + * Tue Oct 02 2018 Petr Menk pemensik@redhat.com - 32:9.11.4-12.P2 - Add Requires to devel packages referenced by bind-devel
commit 36d37531c94aae8f885e664b03aacd5a4d9ecb6d Author: Petr Menk pemensik@redhat.com Date: Fri May 3 12:51:18 2019 +0200
Revert "Enable optional features by default"
This reverts commit ae423dfbebbd150c56df1c7c1954ac6ba3090bc8.
diff --git a/bind.spec b/bind.spec index d80a7e0..f5ba390 100644 --- a/bind.spec +++ b/bind.spec @@ -18,7 +18,7 @@ %bcond_without LMDB %bcond_without JSON %bcond_without DNSTAP -%bcond_without DLZ +%bcond_with DLZ %bcond_without EXPORT_LIBS %if 0%{?fedora} >= 28 %bcond_without UNITTEST @@ -1524,7 +1524,6 @@ fi;
* Thu Mar 14 2019 Petr Menk pemensik@redhat.com - 32:9.11.6-2 - Fix dnstap and timer issues in unit test -- Enable DLZ modules
* Tue Mar 05 2019 Petr Menk pemensik@redhat.com - 32:9.11.6-1 - Update to 9.11.6
commit 4b42a5c16289817095b3ed990fca5a83153a8baf Author: Petr Menk pemensik@redhat.com Date: Thu May 2 14:49:56 2019 +0200
5200. [security] tcp-clients settings could be exceeded in some cases, which could lead to exhaustion of file descriptors. (CVE-2018-5743) [GL #615]
diff --git a/.gitignore b/.gitignore index 4c7e54a..9775b64 100644 --- a/.gitignore +++ b/.gitignore @@ -91,3 +91,4 @@ bind-9.7.2b1.tar.gz /config-19.tar.bz2 /bind-9.11.5-P4.tar.gz /bind-9.11.6.tar.gz +/bind-9.11.6-P1.tar.gz diff --git a/bind-9.11-CVE-2018-5741-atomic.patch b/bind-9.11-CVE-2018-5741-atomic.patch new file mode 100644 index 0000000..cfbded6 --- /dev/null +++ b/bind-9.11-CVE-2018-5741-atomic.patch 
@@ -0,0 +1,132 @@ +From ef49780d30d3ddc5735cfc32561b678a634fa72f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= ondrej@sury.org +Date: Wed, 17 Apr 2019 15:22:27 +0200 +Subject: [PATCH] Replace atomic operations in bin/named/client.c with + isc_refcount reference counting + +--- + bin/named/client.c | 18 +++++++----------- + bin/named/include/named/interfacemgr.h | 5 +++-- + bin/named/interfacemgr.c | 7 +++++-- + 3 files changed, 15 insertions(+), 15 deletions(-) + +diff --git a/bin/named/client.c b/bin/named/client.c +index 845326abc0..29fecadca8 100644 +--- a/bin/named/client.c ++++ b/bin/named/client.c +@@ -402,12 +402,10 @@ tcpconn_detach(ns_client_t *client) { + static void + mark_tcp_active(ns_client_t *client, bool active) { + if (active && !client->tcpactive) { +- isc_atomic_xadd(&client->interface->ntcpactive, 1); ++ isc_refcount_increment0(&client->interface->ntcpactive, NULL); + client->tcpactive = active; + } else if (!active && client->tcpactive) { +- uint32_t old = +- isc_atomic_xadd(&client->interface->ntcpactive, -1); +- INSIST(old > 0); ++ isc_refcount_decrement(&client->interface->ntcpactive, NULL); + client->tcpactive = active; + } + } +@@ -554,7 +552,7 @@ exit_check(ns_client_t *client) { + if (client->mortal && TCP_CLIENT(client) && + client->newstate != NS_CLIENTSTATE_FREED && + !ns_g_clienttest && +- isc_atomic_xadd(&client->interface->ntcpaccepting, 0) == 0) ++ isc_refcount_current(&client->interface->ntcpaccepting) == 0) + { + /* Nobody else is accepting */ + client->mortal = false; +@@ -3328,7 +3326,6 @@ client_newconn(isc_task_t *task, isc_event_t *event) { + isc_result_t result; + ns_client_t *client = event->ev_arg; + isc_socket_newconnev_t *nevent = (isc_socket_newconnev_t *)event; +- uint32_t old; + + REQUIRE(event->ev_type == ISC_SOCKEVENT_NEWCONN); + REQUIRE(NS_CLIENT_VALID(client)); +@@ -3348,8 +3345,7 @@ client_newconn(isc_task_t *task, isc_event_t *event) { + INSIST(client->naccepts == 1); + 
client->naccepts--; + +- old = isc_atomic_xadd(&client->interface->ntcpaccepting, -1); +- INSIST(old > 0); ++ isc_refcount_decrement(&client->interface->ntcpaccepting, NULL); + + /* + * We must take ownership of the new socket before the exit +@@ -3480,8 +3476,8 @@ client_accept(ns_client_t *client) { + * quota is tcp-clients plus the number of listening + * interfaces plus 1.) + */ +- exit = (isc_atomic_xadd(&client->interface->ntcpactive, 0) > +- (client->tcpactive ? 1 : 0)); ++ exit = (isc_refcount_current(&client->interface->ntcpactive) > ++ (client->tcpactive ? 1U : 0U)); + if (exit) { + client->newstate = NS_CLIENTSTATE_INACTIVE; + (void)exit_check(client); +@@ -3539,7 +3535,7 @@ client_accept(ns_client_t *client) { + * listening for connections itself to prevent the interface + * going dead. + */ +- isc_atomic_xadd(&client->interface->ntcpaccepting, 1); ++ isc_refcount_increment0(&client->interface->ntcpaccepting, NULL); + } + + static void +diff --git a/bin/named/include/named/interfacemgr.h b/bin/named/include/named/interfacemgr.h +index 3535ef22a8..6e10f210fd 100644 +--- a/bin/named/include/named/interfacemgr.h ++++ b/bin/named/include/named/interfacemgr.h +@@ -45,6 +45,7 @@ + #include <isc/magic.h> + #include <isc/mem.h> + #include <isc/socket.h> ++#include <isc/refcount.h> + + #include <dns/result.h> + +@@ -75,11 +76,11 @@ struct ns_interface { + /*%< UDP dispatchers. */ + isc_socket_t * tcpsocket; /*%< TCP socket. 
*/ + isc_dscp_t dscp; /*%< "listen-on" DSCP value */ +- int32_t ntcpaccepting; /*%< Number of clients ++ isc_refcount_t ntcpaccepting; /*%< Number of clients + ready to accept new + TCP connections on this + interface */ +- int32_t ntcpactive; /*%< Number of clients ++ isc_refcount_t ntcpactive; /*%< Number of clients + servicing TCP queries + (whether accepting or + connected) */ +diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c +index d9f6df5802..135533be6b 100644 +--- a/bin/named/interfacemgr.c ++++ b/bin/named/interfacemgr.c +@@ -386,8 +386,8 @@ ns_interface_create(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr, + * connections will be handled in parallel even though there is + * only one client initially. + */ +- ifp->ntcpaccepting = 0; +- ifp->ntcpactive = 0; ++ isc_refcount_init(&ifp->ntcpaccepting, 0); ++ isc_refcount_init(&ifp->ntcpactive, 0); + + ifp->nudpdispatch = 0; + +@@ -618,6 +618,9 @@ ns_interface_destroy(ns_interface_t *ifp) { + + ns_interfacemgr_detach(&ifp->mgr); + ++ isc_refcount_destroy(&ifp->ntcpactive); ++ isc_refcount_destroy(&ifp->ntcpaccepting); ++ + ifp->magic = 0; + isc_mem_put(mctx, ifp, sizeof(*ifp)); + } +-- +2.18.1 + diff --git a/bind-9.11-rt46047.patch b/bind-9.11-rt46047.patch index 1f40a16..c5725f7 100644 --- a/bind-9.11-rt46047.patch +++ b/bind-9.11-rt46047.patch @@ -1,4 +1,4 @@ -From 2b7a633f29c2ae8fe801f2a98541013837ebaeaa Mon Sep 17 00:00:00 2001 +From 55e649d82a1adc5209738fb8402624f03287ca87 Mon Sep 17 00:00:00 2001 From: Evan Hunt each@isc.org Date: Thu, 28 Sep 2017 10:09:22 -0700 Subject: [PATCH] completed and corrected the crypto-random change 
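Review bot: The new patch file is named `bind-9.11-CVE-2018-5741-atomic.patch`, but the commit message and the changelog entry elsewhere on this page both give the issue as CVE-2018-5743. If the name is a typo, renaming it to `bind-9.11-CVE-2018-5743-atomic.patch` keeps the fix findable when someone audits which CVEs the package addresses. Inside the patch, `mark_tcp_active()` and `client_newconn()` drop the explicit `INSIST(old > 0)` underflow checks and rely on `isc_refcount_decrement()` instead, and `ns_interface_destroy()` gains `isc_refcount_destroy()` calls. A sentence in the patch header confirming that these macros assert on underflow and on a non-zero count in this branch would document that the TCP quota counters still fail closed. The function bodies continue outside the embedded hunks.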
@@ -39,14 +39,14 @@ Subject: [PATCH] completed and corrected the crypto-random change bin/tests/system/tkey/keycreate.c | 4 +- bin/tests/system/tkey/keydelete.c | 4 +- doc/arm/Bv9ARM-book.xml | 55 +++++++++++++++++------- - doc/arm/notes.xml | 26 +++++++++++ + doc/arm/notes.xml | 31 +++++++++++++ lib/dns/dst_api.c | 4 +- lib/dns/include/dst/dst.h | 14 +++++- lib/dns/openssl_link.c | 3 +- lib/isc/include/isc/entropy.h | 50 +++++++++++++++------ lib/isc/include/isc/random.h | 28 +++++++----- lib/isccfg/namedconf.c | 2 +- - 22 files changed, 220 insertions(+), 107 deletions(-) + 22 files changed, 225 insertions(+), 107 deletions(-)
diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c index 295e16f..0f79aa8 100644 @@ -140,10 +140,10 @@ index 31a99e7..38c83ed 100644 usekeyboard);
diff --git a/bin/named/client.c b/bin/named/client.c -index d425df2..7ab3dec 100644 +index ce24670..0ce02a9 100644 --- a/bin/named/client.c +++ b/bin/named/client.c -@@ -1609,7 +1609,8 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message, +@@ -1754,7 +1754,8 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message,
isc_buffer_init(&buf, cookie, sizeof(cookie)); isc_stdtime_get(&now); @@ -241,7 +241,7 @@ index f5ed2b7..b2c1d05 100644
struct ns_altsecret { diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c -index 419927b..d721f47 100644 +index d9f6df5..662eb6c 100644 --- a/bin/named/interfacemgr.c +++ b/bin/named/interfacemgr.c @@ -17,6 +17,7 @@ @@ -436,7 +436,7 @@ index 2146f9b..ac2c311 100644 } #endif diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml -index dd5365c..1a463b0 100644 +index bb79723..888959c 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -5071,22 +5071,45 @@ badresp:1,adberr:0,findfail:0,valfail:0] @@ -502,13 +502,15 @@ index dd5365c..1a463b0 100644 </listitem> </varlistentry> diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml -index ad4b34c..2685b8e 100644 +index ba9a7cf..c0256f1 100644 --- a/doc/arm/notes.xml +++ b/doc/arm/notes.xml -@@ -229,6 +229,32 @@ - is used from the shell scripts. - </para> - </listitem> +@@ -117,6 +117,37 @@ + </itemizedlist> + </section> + ++ <section xml:id="relnotes_rh_changes"><info><title>Red Hat Specific Changes</title></info> ++ <itemizedlist> + <listitem> + <para> + By default, BIND now uses the random number generation functions @@ -535,9 +537,12 @@ index ad4b34c..2685b8e 100644 + entropy source. [RT #31459] [RT #46047] + </para> + </listitem> - </itemizedlist> - </section> - ++ </itemizedlist> ++ </section> ++ + <section xml:id="end_of_life"><info><title>End of Life</title></info> + <para> + BIND 9.11 (Extended Support Version) will be supported until at diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c index b55ebe0..d2b43d3 100644 --- a/lib/dns/dst_api.c diff --git a/bind-9.11.6-P1.tar.gz.asc b/bind-9.11.6-P1.tar.gz.asc new file mode 100644 index 0000000..53b9403 --- /dev/null +++ b/bind-9.11.6-P1.tar.gz.asc @@ -0,0 +1,16 @@
diff --git a/bind.spec b/bind.spec index 5ca6e49..eafbae7 100644 --- a/bind.spec +++ b/bind.spec @@ -2,7 +2,7 @@ # Red Hat BIND package .spec file #
-%global PATCHVER P1 +%global PATCHVER P4 #%%global PREVER rc1 %global BINDVERSION %{version}%{?PREVER}%{?PATCHVER:-%{PATCHVER}}
@@ -54,12 +54,13 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv Name: bind License: MPLv2.0 Version: 9.11.5 -Release: 12%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} +Release: 13%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} Epoch: 32 Url: https://www.isc.org/downloads/bind/ # Source: https://ftp.isc.org/isc/bind9/%%7BBINDVERSION%7D/bind-%%7BBINDVERSION%7D.tar... Source1: named.sysconfig +Source2: https://ftp.isc.org/isc/bind9/%%7BBINDVERSION%7D/bind-%%7BBINDVERSION%7D.tar... Source3: named.logrotate Source7: bind-9.3.1rc1-sdb_tools-Makefile.in Source8: dnszone.schema @@ -1529,6 +1530,9 @@ fi;
%changelog +* Fri Feb 22 2019 Petr Menk pemensik@redhat.com - 32:9.11.5-13.P4 +- Update to 9.11.5-P4 + * Fri Feb 22 2019 Petr Menk pemensik@redhat.com - 32:9.11.5-12.P1 - Enable DNSTAP support (#1564776) - Enable LMDB support for rndc addzone diff --git a/sources b/sources index e4f563b..8336c9d 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (bind-9.11.5-P1.tar.gz) = cf0e511342affc81fc89656417a6d74a8ee4c3ffcc242e3aad76864f34d8ff7b0b52ada422385b5becafb7ef3a81dddfb28ba1488c8bee168f16842e2c617069 +SHA512 (bind-9.11.5-P4.tar.gz) = ba750ffd080a47309db8be3df3d80896c5872aadb1a14ac7effd1bb783c2a2ae1e82959d6999eecc3d694336887060a84ae8813a17836b9064515cdd96fcb573 SHA512 (config-19.tar.bz2) = 36aa38a0c7c33267ae594b31c81681290ac58dde7ca6749bd599da531380b5b1428330813dbe983e01071ccaed83e83f6a9cd92179a53b7d0ccbb6851a0b017c
commit d3fe8d6248ba08cb0c343f81f25d815bba173190 Author: Petr Menk pemensik@redhat.com Date: Fri Feb 22 19:19:59 2019 +0100
Enable json statistics format
The statistics channel would also include the JSON format; use the URL http://localhost:80/v3/json/. The XML format is still supported.
diff --git a/bind.spec b/bind.spec index 211da6b..5ca6e49 100644 --- a/bind.spec +++ b/bind.spec @@ -16,8 +16,8 @@ # due to extensive changes to Makefiles %bcond_without PKCS11 %bcond_without DEVEL -%bcond_with JSON %bcond_without LMDB +%bcond_without JSON %bcond_without DNSTAP %bcond_with DLZ %bcond_without EXPORT_LIBS @@ -1532,6 +1532,7 @@ fi; * Fri Feb 22 2019 Petr Menk pemensik@redhat.com - 32:9.11.5-12.P1 - Enable DNSTAP support (#1564776) - Enable LMDB support for rndc addzone +- Enable json format in statistics-channel
* Thu Feb 21 2019 Petr Menk pemensik@redhat.com - 32:9.11.5-11.P1 - Disable often failing unit test random_test
commit ec6f94669ad65412d41dfefc0f43e8bec2da7994 Author: Petr Menk pemensik@redhat.com Date: Fri Feb 22 19:18:45 2019 +0100
Enable LMDB support
Provides faster adding and removing of dynamically created zones at runtime. Useful when a higher number of zones is used.
diff --git a/bind.spec b/bind.spec index 3e41327..211da6b 100644 --- a/bind.spec +++ b/bind.spec @@ -16,8 +16,8 @@ # due to extensive changes to Makefiles %bcond_without PKCS11 %bcond_without DEVEL -%bcond_with LMDB %bcond_with JSON +%bcond_without LMDB %bcond_without DNSTAP %bcond_with DLZ %bcond_without EXPORT_LIBS @@ -1531,6 +1531,7 @@ fi; %changelog * Fri Feb 22 2019 Petr Menk pemensik@redhat.com - 32:9.11.5-12.P1 - Enable DNSTAP support (#1564776) +- Enable LMDB support for rndc addzone
* Thu Feb 21 2019 Petr Menk pemensik@redhat.com - 32:9.11.5-11.P1 - Disable often failing unit test random_test
commit f0b6f15ced5af5f309ccbfe35c6ec38ddca7b619 Author: Petr Menk pemensik@redhat.com Date: Fri Feb 22 19:14:36 2019 +0100
Enable DNSTAP (#1564776)
Enable support for DNSTAP. It will introduce new linked libraries to bind and its tools, including bind-utils.
diff --git a/bind.spec b/bind.spec index 4c81673..3e41327 100644 --- a/bind.spec +++ b/bind.spec @@ -18,7 +18,7 @@ %bcond_without DEVEL %bcond_with LMDB %bcond_with JSON -%bcond_with DNSTAP +%bcond_without DNSTAP %bcond_with DLZ %bcond_without EXPORT_LIBS %if 0%{?fedora} >= 17 @@ -54,7 +54,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv Name: bind License: MPLv2.0 Version: 9.11.5 -Release: 11%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} +Release: 12%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} Epoch: 32 Url: https://www.isc.org/downloads/bind/ # @@ -1529,6 +1529,9 @@ fi;
%changelog +* Fri Feb 22 2019 Petr Menk pemensik@redhat.com - 32:9.11.5-12.P1 +- Enable DNSTAP support (#1564776) + * Thu Feb 21 2019 Petr Menk pemensik@redhat.com - 32:9.11.5-11.P1 - Disable often failing unit test random_test
commit bd6e8b8965ba3f68f1034213b7d933423828e9a6 Author: Petr Menk pemensik@redhat.com Date: Fri Feb 22 16:39:54 2019 +0100
Fix spec usage of softhsm helper
Output produced by helper is multiline starting with comment. Unless it is enclosed in quotes, it will be concatenated into single line.
Fixes commit fa1631eef77a827e0df168df837e84c2d8790ce5
diff --git a/bind.spec b/bind.spec index 9165139..4c81673 100644 --- a/bind.spec +++ b/bind.spec @@ -805,7 +805,7 @@ sed -e '/^tp:.*-pkcs11/ d' -e '/^tp:\s*lwres/ d' \ %check %if %{with PKCS11} # Tests require initialization of pkcs11 token - eval $(bash %{SOURCE48} -A "`pwd`/softhsm-tokens") + eval "$(bash %{SOURCE48} -A "`pwd`/softhsm-tokens")" %endif
%if %{with UNITTEST} diff --git a/setup-named-softhsm.sh b/setup-named-softhsm.sh index a13c91e..c0f8445 100755 --- a/setup-named-softhsm.sh +++ b/setup-named-softhsm.sh @@ -4,8 +4,9 @@ # in custom location. Is useful to store tokens in non-standard location. # # Output can be evaluated from bash, it will prepare it for usage of temporary tokens. +# Quotes around eval are mandatory! # Recommended use: -# eval $(bash setup-named-softhsm.sh -A) +# eval "$(bash setup-named-softhsm.sh -A)" #
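Review bot: The quoted `eval "$(bash %{SOURCE48} -A ...)"` line in `%check` still cannot detect a failing helper. If the script exits non-zero and prints nothing, `eval` receives an empty string and succeeds, so the PKCS#11 tests would presumably run without the temporary token configuration exported. Capturing the output first makes the failure visible: `tokens_env="$(bash %{SOURCE48} -A "$(pwd)/softhsm-tokens")" || exit 1` followed by `eval "$tokens_env"`. The rest of `%check` lies outside the hunk, so whether a later step would catch a missing `SOFTHSM2_CONF` cannot be seen here.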
SOFTHSM2_CONF="$1"
commit ad76423202011e1a254f57ac35160a17767adebd Author: Petr Menk pemensik@redhat.com Date: Thu Feb 21 22:50:12 2019 +0100
Disable random_test in unit tests
It fails sometimes, and the whole build is aborted just because some of its tests fail. Keep it disabled until fixed.
diff --git a/bind-9.11-unit-disable-random.patch b/bind-9.11-unit-disable-random.patch new file mode 100644 index 0000000..5658d12 --- /dev/null +++ b/bind-9.11-unit-disable-random.patch @@ -0,0 +1,45 @@ +From c89b0e288f923af69b97e8acc29250b262be7d1e Mon Sep 17 00:00:00 2001 +From: Petr Mensik pemensik@redhat.com +Date: Thu, 21 Feb 2019 22:42:27 +0100 +Subject: [PATCH] Disable random_test + +It fails too often on some architecture, failing the whole build along. +Because it runs two times for pkcs11 and normal build and any of +subtests can occasionally fail, stop it. + +It can be used again by defining 'unstable' variable in Kyuafile. +--- + lib/isc/tests/Atffile | 3 ++- + lib/isc/tests/Kyuafile | 2 +- + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/lib/isc/tests/Atffile b/lib/isc/tests/Atffile +index 8681844..74a4a77 100644 +--- a/lib/isc/tests/Atffile ++++ b/lib/isc/tests/Atffile +@@ -20,7 +20,8 @@ tp: pool_test + tp: print_test + tp: queue_test + tp: radix_test +-tp: random_test ++# random test fails too often ++#tp: random_test + tp: regex_test + tp: result_test + tp: safe_test +diff --git a/lib/isc/tests/Kyuafile b/lib/isc/tests/Kyuafile +index 1c510c1..a86824a 100644 +--- a/lib/isc/tests/Kyuafile ++++ b/lib/isc/tests/Kyuafile +@@ -19,7 +19,7 @@ atf_test_program{name='pool_test'} + atf_test_program{name='print_test'} + atf_test_program{name='queue_test'} + atf_test_program{name='radix_test'} +-atf_test_program{name='random_test'} ++atf_test_program{name='random_test', required_configs='unstable'} + atf_test_program{name='regex_test'} + atf_test_program{name='result_test'} + atf_test_program{name='safe_test'} +-- +2.20.1 + diff --git a/bind.spec b/bind.spec index 5af1fc5..9165139 100644 --- a/bind.spec +++ b/bind.spec 
@@ -54,7 +54,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv Name: bind License: MPLv2.0 Version: 9.11.5 -Release: 10%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} +Release: 11%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} Epoch: 32 Url: https://www.isc.org/downloads/bind/ # @@ -139,6 +139,8 @@ Patch165:bind-9.11-rh1647829.patch Patch166:bind-9.11-rh1647829-2.patch # https://gitlab.isc.org/isc-projects/bind9/issues/225 Patch167:bind-9.11-ed448-disable.patch +# random_test fails too often by random, disable it +Patch168:bind-9.11-unit-disable-random.patch
# SDB patches Patch11: bind-9.3.2b2-sdbsrc.patch @@ -519,6 +521,7 @@ are used for building ISC DHCP. %patch165 -p1 -b .rh1647829 %patch166 -p1 -b .rh1647829-2 %patch167 -p1 -b .noed448 +%patch168 -p1 -b .random_test-disable
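Review bot: The comment on `Patch168` (`# random_test fails too often by random, disable it`) gives no tracker reference and no re-enable condition, unlike the `Patch167` comment directly above it, which links the upstream issue. The patch description says the failures occur "on some architecture", yet the patch removes the test from Atffile and gates it behind `required_configs='unstable'` in Kyuafile for every build. This package also carries the crypto-random change (`bind-9.11-rt46047.patch`), so a permanently skipped randomness test is coverage worth tracking. A comment such as `# random_test fails intermittently on <ARCH>, see <BUG-URL>; re-enable via the 'unstable' Kyua config` (placeholders to be filled in) would record why it is off and how to turn it back on.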
mkdir lib/dns/tests/testdata/dstrandom cp -a %{SOURCE50} lib/dns/tests/testdata/dstrandom/random.data @@ -1526,6 +1529,9 @@ fi;
%changelog +* Thu Feb 21 2019 Petr Menk pemensik@redhat.com - 32:9.11.5-11.P1 +- Disable often failing unit test random_test + * Thu Feb 21 2019 Petr Menk pemensik@redhat.com - 32:9.11.5-10.P1 - Disable autodetected eddsa algorithm ED448
commit c2772a07e8962b1fc25c24ae1597e7cdee284a06 Author: Petr Menk pemensik@redhat.com Date: Thu Feb 21 15:36:27 2019 +0100
Disable ED448
It is breaking dnssec system test. Its implementation in BIND is broken.
diff --git a/bind-9.11-ed448-disable.patch b/bind-9.11-ed448-disable.patch new file mode 100644 index 0000000..179f32f --- /dev/null +++ b/bind-9.11-ed448-disable.patch @@ -0,0 +1,41 @@ +From e6bad0789c731f06de781997e33e864c71510ff2 Mon Sep 17 00:00:00 2001 +From: Petr Mensik pemensik@redhat.com +Date: Thu, 21 Feb 2019 12:36:17 +0100 +Subject: [PATCH] Disable autodetected ED448 algorithm support + +Implementation is broken in bind, disabled also in more recent versions. +Makes bin/tests/system/dnssec fail. +--- + configure.in | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/configure.in b/configure.in +index ca84ff3239..da4dd5f249 100644 +--- a/configure.in ++++ b/configure.in +@@ -1917,6 +1917,9 @@ int main() { + } + ], + [AC_MSG_RESULT(yes) ++ # ED448 support is broken in BIND ++ # https://gitlab.isc.org/isc-projects/bind9/issues/225 ++ # disable if autodetected, can be enabled by --with-eddsa=all + have_ed448="yes"], + [AC_MSG_RESULT(no) + have_ed448="no"], +@@ -1929,8 +1932,10 @@ int main() { + esac + case $have_ed448 in + yes) +- AC_DEFINE(HAVE_OPENSSL_ED448, 1, +- [Define if your OpenSSL version supports Ed448.]) ++ # ED448 support is broken in BIND ++ # https://gitlab.isc.org/isc-projects/bind9/issues/225 ++ # AC_DEFINE(HAVE_OPENSSL_ED448, 1, ++ # [Define if your OpenSSL version supports Ed448.]) + ;; + *) + ;; +-- +2.20.1 + diff --git a/bind.spec b/bind.spec index f7ff9dc..5af1fc5 100644 --- a/bind.spec +++ b/bind.spec @@ -54,7 +54,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv Name: bind License: MPLv2.0 Version: 9.11.5 -Release: 9%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} +Release: 10%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} Epoch: 32 Url: https://www.isc.org/downloads/bind/ # 
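Review bot: The comment added after `AC_MSG_RESULT(yes)` says Ed448 is disabled only when autodetected and "can be enabled by --with-eddsa=all", but the second embedded hunk comments out `AC_DEFINE(HAVE_OPENSSL_ED448, ...)` inside the `yes)` branch itself. From the visible lines, `HAVE_OPENSSL_ED448` is therefore never defined, whatever set `have_ed448`. Either the comment should say the algorithm is disabled unconditionally, e.g. `# ED448 support is broken in BIND; HAVE_OPENSSL_ED448 is never defined`, or the define should be kept for the explicit request. The surrounding `case` logic is outside the hunk, so a separate path for `--with-eddsa=all` may exist there. It is worth confirming, because an operator who trusts the comment could plan on Ed448 DNSSEC signing that this build does not provide.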
@@ -137,6 +137,8 @@ Patch164:bind-9.11-rh1666814.patch Patch165:bind-9.11-rh1647829.patch # commit 8e1cc95c943b7dfaaaaf2d9a4971861735cc3fb2 Patch166:bind-9.11-rh1647829-2.patch +# https://gitlab.isc.org/isc-projects/bind9/issues/225 +Patch167:bind-9.11-ed448-disable.patch
# SDB patches Patch11: bind-9.3.2b2-sdbsrc.patch @@ -516,6 +518,7 @@ are used for building ISC DHCP. %patch164 -p1 -b .rh1666814 %patch165 -p1 -b .rh1647829 %patch166 -p1 -b .rh1647829-2 +%patch167 -p1 -b .noed448
mkdir lib/dns/tests/testdata/dstrandom cp -a %{SOURCE50} lib/dns/tests/testdata/dstrandom/random.data @@ -1523,6 +1526,9 @@ fi;
%changelog +* Thu Feb 21 2019 Petr Menk pemensik@redhat.com - 32:9.11.5-10.P1 +- Disable autodetected eddsa algorithm ED448 + * Thu Jan 31 2019 Petr Menk pemensik@redhat.com - 32:9.11.5-9.P1 - dig prints ASCII name instead of failure (#1647829) - disable IDN output from scripts
commit fa1631eef77a827e0df168df837e84c2d8790ce5 Author: Petr Menk pemensik@redhat.com Date: Wed Feb 20 18:53:13 2019 +0100
Simplify pkcs11 token generation
Make the defaults secure enough: no predefined PINs are used. Generate a PIN and save it into a file protected by Unix permissions. HSM tools will probably require it anyway. Use smart defaults.
diff --git a/bind.spec b/bind.spec index cde769e..f7ff9dc 100644 --- a/bind.spec +++ b/bind.spec @@ -799,8 +799,7 @@ sed -e '/^tp:.*-pkcs11/ d' -e '/^tp:\s*lwres/ d' \ %check %if %{with PKCS11} # Tests require initialization of pkcs11 token - export SOFTHSM2_CONF="`pwd`/softhsm2.conf" - sh %{SOURCE48} "${SOFTHSM2_CONF}" "`pwd`/softhsm-tokens" + eval $(bash %{SOURCE48} -A "`pwd`/softhsm-tokens") %endif
%if %{with UNITTEST} diff --git a/setup-named-softhsm.sh b/setup-named-softhsm.sh index 7ae0a6d..a13c91e 100755 --- a/setup-named-softhsm.sh +++ b/setup-named-softhsm.sh @@ -2,6 +2,11 @@ # # This script will initialise token storage of softhsm PKCS11 provider # in custom location. Is useful to store tokens in non-standard location. +# +# Output can be evaluated from bash, it will prepare it for usage of temporary tokens. +# Recommended use: +# eval $(bash setup-named-softhsm.sh -A) +#
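Review bot: The command substitution in `eval $(bash %{SOURCE48} -A ...)` is unquoted, so the script's multi-line output is word-split and handed to eval as one line. The script writes `#`-prefixed progress lines to stdout (`echo_i "Initializing tokens..."` and the `sed -e 's/^/# /'` pipe), which on a first run would turn that whole line into a comment. Even without them, `PIN=` and `SO_PIN=` would become arguments of the first `export`, contrary to the script's own "intentionally not exported" comment. Quote the substitution: `eval "$(bash %{SOURCE48} -A "$(pwd)/softhsm-tokens")"`. The "Recommended use" comment added to setup-named-softhsm.sh shows the same unquoted form.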
SOFTHSM2_CONF="$1" TOKENPATH="$2" @@ -10,14 +15,55 @@ GROUPNAME="$3" # This is intended for crypto accelerators using PKCS11 interface. # Uninitialized token would fail any crypto operation. PIN=1234 +SO_PIN=1234 +LABEL=rpm
set -e
+echo_i() +{ + echo "#" $@ +} + +random() +{ + if [ -x "$(which openssl 2>/dev/null)" ]; then + openssl rand -base64 $1 + else + dd if=/dev/urandom bs=1c count=$1 | base64 + fi +} + +usage() +{ + echo "Usage: $0 -A [token directory] [group]" + echo " or: $0 <config file> <token directory> [group]" +} + +if [ "$SOFTHSM2_CONF" = "-A" -a -z "$TOKENPATH" ]; then + TOKENPATH=$(mktemp -d /var/tmp/softhsm-XXXXXX) +fi + if [ -z "$SOFTHSM2_CONF" -o -z "$TOKENPATH" ]; then - echo "Usage: $0 <config file> <token directory> [group]" >&2 + usage >&2 exit 1 fi
+if [ "$SOFTHSM2_CONF" = "-A" ]; then + # Automagic mode instead + MODE=secure + SOFTHSM2_CONF="$TOKENPATH/softhsm2.conf" + PIN_SOURCE="$TOKENPATH/pin" + SOPIN_SOURCE="$TOKENPATH/so-pin" + TOKENPATH="$TOKENPATH/tokens" +else + MODE=legacy +fi + +[ -d "$TOKENPATH" ] || mkdir -p "$TOKENPATH" + +umask 0022 + if ! [ -f "$SOFTHSM2_CONF" ]; then cat << SED > "$SOFTHSM2_CONF" # SoftHSM v2 configuration file @@ -32,19 +78,36 @@ log.level = ERROR slots.removable = false SED else - echo "Config file $SOFTHSM2_CONF already exists" >&2 + echo_i "Config file $SOFTHSM2_CONF already exists" >&2 fi
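Review bot: `umask 0022` is applied in both modes, so in `-A` mode the config file and the pin files created further down are first made world-readable and only tightened afterwards by `chmod 0600`. With the `mktemp -d` default the private parent directory hides that window, but when the caller supplies the directory (as the spec's %check does) it is created by `mkdir -p` under the inherited umask. Choosing the mask by mode closes the window: `if [ "$MODE" = secure ]; then umask 0077; else umask 0022; fi`. Group access for `$GROUPNAME` would then rely on the explicit `chgrp`/`chmod g+r` steps, and the config file may need the same treatment.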
-[ -d "$TOKENPATH" ] || mkdir -p "$TOKENPATH" +if [ -n "$PIN_SOURCE" ]; then + touch "$PIN_SOURCE" "$SOPIN_SOURCE" + chmod 0600 "$PIN_SOURCE" "$SOPIN_SOURCE" + if [ -n "$GROUPNAME" ]; then + chgrp "$GROUPNAME" "$PIN_SOURCE" "$SOPIN_SOURCE" + chmod g+r "$PIN_SOURCE" "$SOPIN_SOURCE" + fi +fi
export SOFTHSM2_CONF
if softhsm2-util --show-slots | grep 'Initialized:[[:space:]]*yes' > /dev/null then - echo "Token in ${TOKENPATH} is already initialized" >&2 + echo_i "Token in ${TOKENPATH} is already initialized" >&2 + + [ -f "$PIN_SOURCE" ] && PIN=$(cat "$PIN_SOURCE") + [ -f "$SOPIN_SOURCE" ] && SO_PIN=$(cat "$SOPIN_SOURCE") else - echo "Initializing tokens to ${TOKENPATH}..." - softhsm2-util --init-token --free --label rpm --pin $PIN --so-pin $PIN + PIN=$(random 6) + SO_PIN=$(random 18) + if [ -n "$PIN_SOURCE" ]; then + echo -n "$PIN" > "$PIN_SOURCE" + echo -n "$SO_PIN" > "$SOPIN_SOURCE" + fi + + echo_i "Initializing tokens to ${TOKENPATH}..." + softhsm2-util --init-token --free --label "$LABEL" --pin "$PIN" --so-pin "$SO_PIN" | sed -e 's/^/# /'
if [ -n "$GROUPNAME" ]; then chgrp -R -- "$GROUPNAME" "$TOKENPATH" @@ -53,3 +116,8 @@ else fi
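Review bot: In legacy mode (`<config file> <token directory>`) a fresh token is now initialised with `PIN=$(random 6)` and `SO_PIN=$(random 18)`, but the values are written to disk only when `PIN_SOURCE` is set, which the script does only for `-A`. On the next run the "already initialized" branch finds no pin file, keeps the `PIN=1234`/`SO_PIN=1234` defaults and reports them, although they no longer match the token. Either limit the random PINs to secure mode, `if [ "$MODE" = secure ]; then PIN=$(random 6); SO_PIN=$(random 18); fi`, or clear `PIN` and `SO_PIN` when no pin file is readable. Separately, `--pin "$PIN" --so-pin "$SO_PIN"` places both values on the softhsm2-util command line, where other local users may be able to read them from the process list while it runs.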
echo "export SOFTHSM2_CONF="$SOFTHSM2_CONF"" +echo "export PIN_SOURCE="$PIN_SOURCE"" +echo "export SOPIN_SOURCE="$SOPIN_SOURCE"" +# These are intentionaly not exported +echo "PIN="$PIN"" +echo "SO_PIN="$SO_PIN""
commit 6fee3d63e97cc86062b9fedb5d9294455cf522b6 Author: Petr Menk pemensik@redhat.com Date: Fri Feb 15 19:49:27 2019 +0100
Remove revoked KSK 19164 from trusted root keys
diff --git a/.gitignore b/.gitignore index eb450f2..854f798 100644 --- a/.gitignore +++ b/.gitignore @@ -88,3 +88,4 @@ bind-9.7.2b1.tar.gz /bind-9.11.4-P2.tar.gz /bind-9.11.5.tar.gz /bind-9.11.5-P1.tar.gz +/config-19.tar.bz2 diff --git a/bind.spec b/bind.spec index 82b6312..cde769e 100644 --- a/bind.spec +++ b/bind.spec @@ -66,7 +66,7 @@ Source8: dnszone.schema Source12: README.sdb_pgsql Source25: named.conf.sample Source26: named.conf -Source28: config-18.tar.bz2 +Source28: config-19.tar.bz2 Source30: ldap2zone.c Source31: ldap2zone.1 Source32: named-sdb.8 @@ -1528,6 +1528,7 @@ fi; - dig prints ASCII name instead of failure (#1647829) - disable IDN output from scripts - Update project URL +- Removed revoked KSK 19164 from trusted keys
* Thu Jan 31 2019 Fedora Release Engineering releng@fedoraproject.org - 32:9.11.5-8.P1 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild diff --git a/sources b/sources index 37dc9dc..e4f563b 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ SHA512 (bind-9.11.5-P1.tar.gz) = cf0e511342affc81fc89656417a6d74a8ee4c3ffcc242e3aad76864f34d8ff7b0b52ada422385b5becafb7ef3a81dddfb28ba1488c8bee168f16842e2c617069 -SHA512 (config-18.tar.bz2) = c0a0a1fd58a7e2c09fe69915b9a4c682d1b6c96e78583f63ce5355f663c9509d28facfd3aa078b228b69954d0af4bfa484ef661a9568aaafe6eade97dda3c3d9 +SHA512 (config-19.tar.bz2) = 36aa38a0c7c33267ae594b31c81681290ac58dde7ca6749bd599da531380b5b1428330813dbe983e01071ccaed83e83f6a9cd92179a53b7d0ccbb6851a0b017c diff --git a/trusted-key.key b/trusted-key.key index df2fd0d..7b845f3 100644 --- a/trusted-key.key +++ b/trusted-key.key @@ -1,2 +1 @@ -. 3600 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= . 3600 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
commit 6ecd16d4585bafcc4fae224c16d6d0f059955492 Author: Petr Menk pemensik@redhat.com Date: Fri Feb 15 10:10:44 2019 +0100
Update project URL
diff --git a/bind.spec b/bind.spec index 35e9c5c..82b6312 100644 --- a/bind.spec +++ b/bind.spec @@ -56,7 +56,7 @@ License: MPLv2.0 Version: 9.11.5 Release: 9%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} Epoch: 32 -Url: http://www.isc.org/products/BIND/ +Url: https://www.isc.org/downloads/bind/ # Source: https://ftp.isc.org/isc/bind9/%%7BBINDVERSION%7D/bind-%%7BBINDVERSION%7D.tar... Source1: named.sysconfig @@ -1527,6 +1527,7 @@ fi; * Thu Jan 31 2019 Petr Menk pemensik@redhat.com - 32:9.11.5-9.P1 - dig prints ASCII name instead of failure (#1647829) - disable IDN output from scripts +- Update project URL
* Thu Jan 31 2019 Fedora Release Engineering releng@fedoraproject.org - 32:9.11.5-8.P1 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
commit 1da60a891af5ae99154986131505ff4233c61d88 Author: Petr Menk pemensik@redhat.com Date: Tue Feb 12 22:09:48 2019 +0100
More fixes to compile DLZ
diff --git a/bind.spec b/bind.spec index 0b3f47a..35e9c5c 100644 --- a/bind.spec +++ b/bind.spec @@ -641,6 +641,9 @@ export LIBDIR_SUFFIX --with-dlz-filesystem=yes \ --with-dlz-bdb=yes \ %endif +%if %{with DLZ} + --with-dlz-bdb=yes \ +%endif %if %{with GSSTSIG} --with-gssapi=yes \ --disable-isc-spnego \ @@ -941,9 +944,10 @@ install -m 644 %{SOURCE12} contrib/sdb/pgsql/ %endif
%if %{with DLZ} + pushd build pushd contrib/dlz pushd bin/dlzbdb - make DESTDIR=${RPM_BUILD_ROOT} install + make DESTDIR=${RPM_BUILD_ROOT} install popd pushd modules for DIR in bdbhpt filesystem ldap mysql mysqldyn sqlite3; do @@ -952,6 +956,7 @@ install -m 644 %{SOURCE12} contrib/sdb/pgsql/ mv mysqldyn/testing/README mysqldyn/testing/README.testing popd popd + popd %endif
# Install isc/errno2result.h header
commit de8fa0799a58ae497abd3327f2c4c13e32cb7674 Author: Petr Menk pemensik@redhat.com Date: Tue Feb 12 20:45:49 2019 +0100
Improve descriptions for DLZ plugins
diff --git a/bind.spec b/bind.spec index 4cf4e14..0b3f47a 100644 --- a/bind.spec +++ b/bind.spec @@ -404,42 +404,42 @@ Summary: BIND server bdb DLZ module Requires: bind%{?_isa} = %{epoch}:%{version}-%{release}
%description dlz-bdb -Dynamic Loadable Zones module for BIND server. +Dynamic Loadable Zones Berkeley DB module for BIND server.
%package dlz-filesystem Summary: BIND server filesystem DLZ module Requires: bind%{?_isa} = %{epoch}:%{version}-%{release}
%description dlz-filesystem -Dynamic Loadable Zones module for BIND server. +Dynamic Loadable Zones filesystem module for BIND server.
%package dlz-ldap Summary: BIND server ldap DLZ module Requires: bind%{?_isa} = %{epoch}:%{version}-%{release}
%description dlz-ldap -Dynamic Loadable Zones module for BIND server. +Dynamic Loadable Zones LDAP module for BIND server.
%package dlz-mysql Summary: BIND server mysql DLZ module Requires: bind%{?_isa} = %{epoch}:%{version}-%{release}
%description dlz-mysql -Dynamic Loadable Zones module for BIND server. +Dynamic Loadable Zones MySQL module for BIND server.
%package dlz-mysqldyn Summary: BIND server mysqldyn DLZ module Requires: bind%{?_isa} = %{epoch}:%{version}-%{release}
%description dlz-mysqldyn -Dynamic Loadable Zones module for BIND server. +BIND 9 DLZ MySQL module with support for dynamic DNS (DDNS)
%package dlz-sqlite3 Summary: BIND server sqlite3 DLZ module Requires: bind%{?_isa} = %{epoch}:%{version}-%{release}
%description dlz-sqlite3 -Dynamic Loadable Zones module for BIND server. +Dynamic Loadable Zones sqlite3 module for BIND server. %endif
@@ -1489,6 +1489,7 @@ fi; %{_sbindir}/dlzbdb %{_libdir}/bind/dlz_bdbhpt_dynamic.so %doc contrib/dlz/modules/bdbhpt/testing/* +%doc contrib/dlz/modules/bdbhpt/README*
%files dlz-filesystem %{_libdir}/bind/dlz_filesystem_dynamic.so @@ -1500,7 +1501,7 @@ fi; %files dlz-mysqldyn %{_libdir}/bind/dlz_mysqldyn_mod.so %doc contrib/dlz/modules/mysqldyn/testing/* -%doc contrib/dlz/modules/mysqldyn/README +%doc contrib/dlz/modules/mysqldyn/README*
%files dlz-ldap %{_libdir}/bind/dlz_ldap_dynamic.so
commit 7a958a2a9f9461e4d789cf15fd0bfac005a8e491 Author: Petr Menk pemensik@redhat.com Date: Tue Jan 29 19:54:36 2019 +0100
Disable dig IDN output into scripts
Dig could be used to receive zone via AXFR. If IDN data are inside and are decoded, it cannot be used as named zone file. Disable +idnout if stdin is not a tty.
diff --git a/bind-9.11-rh1647829-2.patch b/bind-9.11-rh1647829-2.patch new file mode 100644 index 0000000..bb8b3e9 --- /dev/null +++ b/bind-9.11-rh1647829-2.patch @@ -0,0 +1,28 @@ +From 58e1af6ca75d035b6391708be2c2272bb8d04620 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= ondrej@sury.org +Date: Sun, 4 Nov 2018 02:20:41 +0700 +Subject: [PATCH] Enable IDN processing (both idnin and idnout) only on tty, + disable it when the stdout is not a tty + +(cherry picked from commit 0e1bf7d017e4f6d787cbeb72cc2aa74e7f30122e) +(cherry picked from commit 8e1cc95c943b7dfaaaaf2d9a4971861735cc3fb2) +--- + bin/dig/dighost.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c +index 74791d671e..3b722ba0ff 100644 +--- a/bin/dig/dighost.c ++++ b/bin/dig/dighost.c +@@ -825,7 +825,7 @@ make_empty_lookup(void) { + looknew->seenbadcookie = false; + looknew->badcookie = true; + #ifdef WITH_IDN_SUPPORT +- looknew->idnin = (getenv("IDN_DISABLE") == NULL); ++ looknew->idnin = isatty(1)?(getenv("IDN_DISABLE") == NULL):false; + if (looknew->idnin) { + const char *charset = getenv("CHARSET"); + if (charset && !strcmp(charset, "ASCII")) +-- +2.20.1 + diff --git a/bind.spec b/bind.spec index a3023ea..4cf4e14 100644 --- a/bind.spec +++ b/bind.spec @@ -135,6 +135,8 @@ Patch163:bind-9.11-rh1663318.patch Patch164:bind-9.11-rh1666814.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1647829 Patch165:bind-9.11-rh1647829.patch +# commit 8e1cc95c943b7dfaaaaf2d9a4971861735cc3fb2 +Patch166:bind-9.11-rh1647829-2.patch
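Review bot: The new assignment `looknew->idnin = isatty(1)?(getenv("IDN_DISABLE") == NULL):false;` tests file descriptor 1, which is stdout, whereas the commit description says "if stdin is not a tty". The patch subject says stdout, so the description appears to be the part that is off. The line also changes `idnin`, so redirecting dig's output disables IDN conversion of the names given on input as well, which is worth a short comment next to the assignment. The literal `1` and the ternary read more clearly as `looknew->idnin = isatty(STDOUT_FILENO) && getenv("IDN_DISABLE") == NULL;` (this needs `<unistd.h>`, whose inclusion is not visible here). The body of make_empty_lookup continues outside the hunk.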
# SDB patches Patch11: bind-9.3.2b2-sdbsrc.patch @@ -513,6 +515,7 @@ are used for building ISC DHCP. %patch163 -p1 -b .rh1663318 %patch164 -p1 -b .rh1666814 %patch165 -p1 -b .rh1647829 +%patch166 -p1 -b .rh1647829-2
mkdir lib/dns/tests/testdata/dstrandom cp -a %{SOURCE50} lib/dns/tests/testdata/dstrandom/random.data @@ -1517,6 +1520,8 @@ fi; %changelog * Thu Jan 31 2019 Petr Menk pemensik@redhat.com - 32:9.11.5-9.P1 - dig prints ASCII name instead of failure (#1647829) +- disable IDN output from scripts + * Thu Jan 31 2019 Fedora Release Engineering releng@fedoraproject.org - 32:9.11.5-8.P1 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
commit a699858667627bb95545c41fca123366a9c4e7ce Author: Petr Menk pemensik@redhat.com Date: Tue Jan 29 19:41:22 2019 +0100
dig prints ASCII name instead of failure (#1647829)
diff --git a/bind-9.11-rh1647829.patch b/bind-9.11-rh1647829.patch new file mode 100644 index 0000000..ceec7fc --- /dev/null +++ b/bind-9.11-rh1647829.patch 
@@ -0,0 +1,86 @@ +From 2eca7f5fa97a24997e4d8f900460ba43ae167e97 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= pemensik@redhat.com +Date: Tue, 29 Jan 2019 18:07:44 +0100 +Subject: [PATCH] Fallback to ASCII on output IDN conversion error + +It is possible dig used ACE encoded name in locale, which does not +support converting it to unicode. Instead of fatal error, fallback to +ACE name on output. + +(cherry picked from commit 7f4cb8f9584597fea16de6557124ac8b1bd47440) + +Modify idna test to fallback to ACE + +Test valid A-label on input would be displayed as A-label on output if +locale does not allow U-label. + +(cherry picked from commit 4ce232f8605bdbe0594ebe5a71383c9d4e6f263b) + +Emit warning on IDN output failure + +Warning is emitted before any dig headers. + +(cherry picked from commit 4b410038c531fbb902cd5fb83174eed1f06cb7d7) +--- + bin/dig/dighost.c | 15 +++++++++++++-- + bin/tests/system/idna/tests.sh | 17 +++++++++++++++++ + 2 files changed, 30 insertions(+), 2 deletions(-) + +diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c +index bb8702c..d7cfc33 100644 +--- a/bin/dig/dighost.c ++++ b/bin/dig/dighost.c +@@ -4860,9 +4860,20 @@ idn_ace_to_locale(const char *from, char *to, size_t tolen) { + */ + res = idn2_to_unicode_8zlz(utf8_src, &tmp_str, 0); + if (res != IDN2_OK) { +- fatal("Cannot represent '%s' in the current locale (%s), " +- "use +noidnout or a different locale", ++ static bool warned = false; ++ ++ res = idn2_to_ascii_8z(utf8_src, &tmp_str, 0); ++ if (res != IDN2_OK) { ++ fatal("Cannot represent '%s' " ++ "in the current locale nor ascii (%s), " ++ "use +noidnout or a different locale", + from, idn2_strerror(res)); ++ } else if (!warned) { ++ fprintf(stderr, ";; Warning: cannot represent '%s' " ++ "in the current locale", ++ tmp_str); ++ warned = true; ++ } + } + + /* +diff --git a/bin/tests/system/idna/tests.sh b/bin/tests/system/idna/tests.sh +index 6637bf6..215a9d5 100644 +--- a/bin/tests/system/idna/tests.sh ++++ 
b/bin/tests/system/idna/tests.sh +@@ -244,6 +244,23 @@ idna_enabled_test() { + idna_test "$text" "+idnin +noidnout" "xn--nxasmq6b.com" "xn--nxasmq6b.com." + idna_test "$text" "+idnin +idnout" "xn--nxasmq6b.com" ".com." + ++ # Test of valid A-label in locale that cannot display it ++ # ++ # +noidnout: The string is sent as-is to the server and the returned qname ++ # is displayed in the same form. ++ # +idnout: The string is sent as-is to the server and the returned qname ++ # is displayed as the corresponding A-label. ++ # ++ # The "+[no]idnout" flag has no effect in these cases. ++ text="Checking valid A-label in C locale" ++ label="xn--nxasmq6b.com" ++ LC_ALL=C idna_test "$text" "" "$label" "$label." ++ LC_ALL=C idna_test "$text" "+noidnin +noidnout" "$label" "$label." ++ LC_ALL=C idna_test "$text" "+noidnin +idnout" "$label" "$label." ++ LC_ALL=C idna_test "$text" "+idnin +noidnout" "$label" "$label." ++ LC_ALL=C idna_test "$text" "+idnin +idnout" "$label" "$label." ++ LC_ALL=C idna_test "$text" "+noidnin +idnout" "$label" "$label." ++ + + + # Tests of invalid A-labels +-- +2.20.1 + diff --git a/bind.spec b/bind.spec index 7a11ebb..a3023ea 100644 --- a/bind.spec +++ b/bind.spec @@ -54,7 +54,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv Name: bind License: MPLv2.0 Version: 9.11.5 -Release: 8%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} +Release: 9%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} Epoch: 32 Url: http://www.isc.org/products/BIND/ # @@ -133,6 +133,8 @@ Patch162:bind-9.11-unit-dnstap-pkcs11.patch Patch163:bind-9.11-rh1663318.patch # https://gitlab.isc.org/isc-projects/bind9/issues/819 Patch164:bind-9.11-rh1666814.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1647829 +Patch165:bind-9.11-rh1647829.patch
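Review bot: The warning added in idn_ace_to_locale, `fprintf(stderr, ";; Warning: cannot represent '%s' " "in the current locale", tmp_str);`, has no trailing newline as shown, so whatever is written to stderr next continues on the same line; end the format string with `in the current locale\n`. The `static bool warned` latch means only the first affected name is reported per process, which deserves a one-line comment such as `/* warn once; later names fall back to ACE silently */`. In tests.sh the `+noidnin +idnout` case appears twice in the new block, so one of the two lines is redundant. The function body continues outside the hunk.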
# SDB patches Patch11: bind-9.3.2b2-sdbsrc.patch @@ -510,6 +512,7 @@ are used for building ISC DHCP. %patch162 -p1 -b .dnstap-pkcs11 %patch163 -p1 -b .rh1663318 %patch164 -p1 -b .rh1666814 +%patch165 -p1 -b .rh1647829
mkdir lib/dns/tests/testdata/dstrandom cp -a %{SOURCE50} lib/dns/tests/testdata/dstrandom/random.data @@ -1512,6 +1515,8 @@ fi;
%changelog +* Thu Jan 31 2019 Petr Menk pemensik@redhat.com - 32:9.11.5-9.P1 +- dig prints ASCII name instead of failure (#1647829) * Thu Jan 31 2019 Fedora Release Engineering releng@fedoraproject.org - 32:9.11.5-8.P1 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
commit 432a81aeff2c5a01a5ccd78e553d20aeca1376b5 Author: Petr Menk pemensik@redhat.com Date: Wed Feb 6 18:38:12 2019 +0100
Fix DLZ in oot builds
DLZ has no VPATH support. Just make duplicates in build directory
diff --git a/bind.spec b/bind.spec index c2bbf99..7a11ebb 100644 --- a/bind.spec +++ b/bind.spec @@ -599,6 +599,13 @@ version libtoolize -c -f; aclocal -I libtool.m4 --force; autoconf -f
mkdir build + +%if %{with DLZ} +# DLZ modules do not support oot builds. Copy files into build +mkdir -p build/contrib/dlz +cp -frp contrib/dlz/modules build/contrib/dlz/modules +%endif + pushd build LIBDIR_SUFFIX= export LIBDIR_SUFFIX
commit 9a4b768e181047ed5934cb199f19b6412fdee6b4 Author: Fedora Release Engineering releng@fedoraproject.org Date: Thu Jan 31 14:36:55 2019 +0000
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
Signed-off-by: Fedora Release Engineering releng@fedoraproject.org
diff --git a/bind.spec b/bind.spec index 66a0d39..c2bbf99 100644 --- a/bind.spec +++ b/bind.spec @@ -54,7 +54,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv Name: bind License: MPLv2.0 Version: 9.11.5 -Release: 7%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} +Release: 8%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} Epoch: 32 Url: http://www.isc.org/products/BIND/ # @@ -1505,6 +1505,9 @@ fi;
%changelog +* Thu Jan 31 2019 Fedora Release Engineering releng@fedoraproject.org - 32:9.11.5-8.P1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + * Sun Jan 27 2019 Petr Menk pemensik@redhat.com - 32:9.11.5-7.P1 - Update to 9.11.5-P1
commit b2a708808a89b215ffaf2133e711a25a4fe4d13c Author: Igor Gnatenko ignatenkobrain@fedoraproject.org Date: Tue Jan 29 05:45:26 2019 +0100
Remove unneeded %clean section
It is the behavior since EPEL5.
Signed-off-by: Igor Gnatenko ignatenkobrain@fedoraproject.org
diff --git a/bind.spec b/bind.spec index bc2c940..66a0d39 100644 --- a/bind.spec +++ b/bind.spec @@ -1171,10 +1171,6 @@ fi;
%endif
-%clean -rm -rf ${RPM_BUILD_ROOT} -:; - %files %{_libdir}/bind %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/sysconfig/named
commit 13f8f23ec518ca7ecd2bb2c9ed231955c670079b Author: Petr Menk pemensik@redhat.com Date: Mon Jan 28 00:47:11 2019 +0100
Update to 9.11.5-P1
diff --git a/.gitignore b/.gitignore index f656e89..eb450f2 100644 --- a/.gitignore +++ b/.gitignore @@ -87,3 +87,4 @@ bind-9.7.2b1.tar.gz /bind-9.11.4-P1.tar.gz /bind-9.11.4-P2.tar.gz /bind-9.11.5.tar.gz +/bind-9.11.5-P1.tar.gz diff --git a/bind.spec b/bind.spec index 5b2f349..bc2c940 100644 --- a/bind.spec +++ b/bind.spec @@ -2,7 +2,7 @@ # Red Hat BIND package .spec file #
-#%%global PATCHVER P2 +%global PATCHVER P1 #%%global PREVER rc1 %global BINDVERSION %{version}%{?PREVER}%{?PATCHVER:-%{PATCHVER}}
@@ -54,7 +54,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv Name: bind License: MPLv2.0 Version: 9.11.5 -Release: 6%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} +Release: 7%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} Epoch: 32 Url: http://www.isc.org/products/BIND/ # @@ -1509,6 +1509,9 @@ rm -rf ${RPM_BUILD_ROOT}
%changelog +* Sun Jan 27 2019 Petr Menk pemensik@redhat.com - 32:9.11.5-7.P1 +- Update to 9.11.5-P1 + * Wed Jan 23 2019 Petr Menk pemensik@redhat.com - 32:9.11.5-6 - Reenable crypto rand for DHCP, disable just entropy check (#1663318)
diff --git a/sources b/sources index f7e1978..37dc9dc 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (bind-9.11.5.tar.gz) = 7e34c8033dabaed232479b1dc2849d1247c0137bcb2b63f08f8f72ff2cca0f73e0f05d0b9b8959f8c4db8ee36a700af30fe869be186c7bab7c81a25843384b8d +SHA512 (bind-9.11.5-P1.tar.gz) = cf0e511342affc81fc89656417a6d74a8ee4c3ffcc242e3aad76864f34d8ff7b0b52ada422385b5becafb7ef3a81dddfb28ba1488c8bee168f16842e2c617069 SHA512 (config-18.tar.bz2) = c0a0a1fd58a7e2c09fe69915b9a4c682d1b6c96e78583f63ce5355f663c9509d28facfd3aa078b228b69954d0af4bfa484ef661a9568aaafe6eade97dda3c3d9
commit 32d91f12ca83ef8ec46df091fc0fe72cd05f91d9 Author: Petr Menk pemensik@redhat.com Date: Wed Jan 23 21:15:03 2019 +0100
Made RAND_status check optional (broke --disable-crypto-rand)
Unlike upstream, skip it also for DHCP.
Disable RAND_status also in non-threaded builds. DHCP is built without threads and should not check RAND_status on dns library initialization. Lack of entropy is possible state for dhclient, but it must not fail even in this case. Because DHCP itself does not require custom random generator, leave default RAND_OpenSSL configured. It should help TLS connection to LDAP in single DHCP binary, while keeping secure random data if needed.
Resolves: #1663318
(modified upstream commit 8a98277811ea50035ff37b744fa3dc5b75bee099)
diff --git a/bind-9.11-rh1663318.patch b/bind-9.11-rh1663318.patch index 79487b0..1af7efb 100644 --- a/bind-9.11-rh1663318.patch +++ b/bind-9.11-rh1663318.patch @@ -1,21 +1,37 @@ -From 48d86dd3d834bcedd0c977d193c36b12e8398b4e Mon Sep 17 00:00:00 2001 -From: Francis Dupont fdupont@isc.org -Date: Sun, 17 Sep 2017 12:02:09 +0200 +From b16a1ff25644bb075f454afe68ee63f6f385ca9c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= pemensik@redhat.com +Date: Wed, 23 Jan 2019 21:11:07 +0100 Subject: [PATCH] Made RAND_status check optional (broke --disable-crypto-rand) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit
+Unlike upstream, skip it also for DHCP. + +Disable RAND_status also in non-threaded builds. DHCP is built without +threads and should not check RAND_status on dns library initialization. +Lack of entropy is possible state for dhclient, but it must not fail +even in this case. Because DHCP itself does not require custom random +generator, leave default RAND_OpenSSL configured. It should help TLS +connection to LDAP in single DHCP binary, while keeping secure random +data if needed. + +(modified upstream commit 8a98277811ea50035ff37b744fa3dc5b75bee099) + +Signed-off-by: Petr Menk pemensik@redhat.com --- lib/dns/openssl_link.c | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c -index 91e87d0..3cddaa9 100644 +index 7a233dd..941eb17 100644 --- a/lib/dns/openssl_link.c +++ b/lib/dns/openssl_link.c @@ -289,6 +289,7 @@ dst__openssl_init(const char *engine) { #endif #endif /* !defined(OPENSSL_NO_ENGINE) */
-+#ifdef ISC_PLATFORM_CRYPTORANDOM ++#if defined(ISC_PLATFORM_CRYPTORANDOM) && defined(ISC_PLATFORM_USETHREADS) /* Protect ourselves against unseeded PRNG */ if (RAND_status() != 1) { FATAL_ERROR(__FILE__, __LINE__, diff --git a/bind.spec b/bind.spec index 421da0d..5b2f349 100644 --- a/bind.spec +++ b/bind.spec @@ -54,7 +54,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv Name: bind License: MPLv2.0 Version: 9.11.5 -Release: 5%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} +Release: 6%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} Epoch: 32 Url: http://www.isc.org/products/BIND/ # @@ -736,7 +736,6 @@ export LIBDIR_SUFFIX --without-libjson \ --without-zlib \ --without-dlopen \ - --disable-crypto-rand \ --enable-full-report
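Review bot: The new guard `#if defined(ISC_PLATFORM_CRYPTORANDOM) && defined(ISC_PLATFORM_USETHREADS)` uses the threading macro as a stand-in for "built for DHCP", so every non-threaded build of the library skips the unseeded-PRNG check in dst__openssl_init, not only dhclient. Any such consumer that generates keys or other secrets would then start without notice on a generator that may not be seeded. A dedicated build macro for the DHCP export libraries, or a logged warning in place of compiling the check out, would keep the protection for other users. At minimum the reason belongs next to the guard, e.g. `/* non-threaded (DHCP) builds must start without entropy, rhbz#1663318 */`. The earlier version of this patch further down the page (`#ifdef ISC_PLATFORM_CRYPTORANDOM` only) does not tie the check to threading.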
## We don't want to build other libs than -export twice @@ -1510,6 +1509,9 @@ rm -rf ${RPM_BUILD_ROOT}
%changelog +* Wed Jan 23 2019 Petr Menk pemensik@redhat.com - 32:9.11.5-6 +- Reenable crypto rand for DHCP, disable just entropy check (#1663318) + * Thu Jan 17 2019 Petr Menk pemensik@redhat.com - 32:9.11.5-5 - Move dnssec related tools from bind-utils to bind-dnssec-utils (#1649398)
commit 219b0e889f74ed22e0fa512d501eeba3355a11bf Author: Petr Menk pemensik@redhat.com Date: Thu Jan 17 13:51:29 2019 +0100
Remove conditional patch for alpha and ia64
It emits a warning only because these architectures are no longer supported
diff --git a/bind.spec b/bind.spec index 6293ab4..421da0d 100644 --- a/bind.spec +++ b/bind.spec @@ -489,9 +489,7 @@ are used for building ISC DHCP. # Common patches %patch10 -p1 -b .PIE %patch16 -p1 -b .redhat_doc -%ifnarch alpha ia64 %patch72 -p1 -b .64bit -%endif %patch102 -p1 -b .rh452060 %patch106 -p1 -b .rh490837 %patch109 -p1 -b .rh478718
commit 2830e00b88ea8bb956e0cdeb6f205fc72741b167 Author: Petr Menk pemensik@redhat.com Date: Thu Jan 17 13:07:46 2019 +0100
Move dnssec related tools to bind-dnssec-utils
Most often clients require just dig or host to lookup addresses. Move dnssec and zone file into dedicated subpackage. For a limited time, make bind-utils suggest bind-dnssec-utils, until all dependencies are resolved. (#1649398)
diff --git a/bind.spec b/bind.spec index a6357de..6293ab4 100644 --- a/bind.spec +++ b/bind.spec @@ -54,7 +54,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv Name: bind License: MPLv2.0 Version: 9.11.5 -Release: 4%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} +Release: 5%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} Epoch: 32 Url: http://www.isc.org/products/BIND/ # @@ -159,6 +159,7 @@ Provides: dnssec-conf = 1.27-2 Requires(post): policycoreutils-python-utils Requires(post): libselinux-utils Requires(post): selinux-policy +Recommends: bind-utils bind-dnssec-utils BuildRequires: gcc, make BuildRequires: openssl-devel, libtool, autoconf, pkgconfig, libcap-devel BuildRequires: libidn2-devel, libxml2-devel, GeoIP-devel @@ -299,9 +300,14 @@ Contains license of the BIND DNS suite.
%package utils Summary: Utilities for querying DNS name servers -Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release} Requires: bind-libs-lite%{?_isa} = %{epoch}:%{version}-%{release} -Requires: python3-bind = %{epoch}:%{version}-%{release} +Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release} +# TODO: this is just temporary workaround until all packages depending on +# bind-utils can be satisfied without dnssec-utils +# It will be removed after some time, or changed to Recommends +Suggests: bind-dnssec-utils +# For compatibility with Debian package +Provides: dnsutils = %{epoch}:%{version}-%{release}
%description utils Bind-utils contains a collection of utilities for querying DNS (Domain @@ -313,6 +319,20 @@ network addresses. You should install bind-utils if you need to get information from DNS name servers.
+%package dnssec-utils +Summary: Utilities for DNSSEC keys and DNS zone files management +Requires: bind-libs-lite%{?_isa} = %{epoch}:%{version}-%{release} +Recommends: bind-utils +Requires: python3-bind = %{epoch}:%{version}-%{release} + +%description dnssec-utils +Bind-dnssec-utils contains a collection of utilities for editing +DNSSEC keys and BIND zone files. These tools provide generation, +revocation and verification of keys and DNSSEC signatures in zone files. + +You should install bind-dnssec-utils if you need to sign a DNS zone +or maintain keys for it. + %if %{with DEVEL} %package devel Summary: Header files and libraries needed for BIND DNS development @@ -1254,6 +1274,19 @@ rm -rf ${RPM_BUILD_ROOT} %{_bindir}/nslookup %{_bindir}/nsupdate %{_bindir}/arpaname +%if %{with DNSTAP} +%{_bindir}/dnstap-read +%{_mandir}/man1/dnstap-read.1* +%endif +%{_mandir}/man1/host.1* +%{_mandir}/man1/nsupdate.1* +%{_mandir}/man1/dig.1* +%{_mandir}/man1/delv.1* +%{_mandir}/man1/nslookup.1* +%{_mandir}/man1/arpaname.1* +%{_sysconfdir}/trusted-key.key + +%files dnssec-utils %{_sbindir}/ddns-confgen %{_sbindir}/tsig-keygen %{_sbindir}/genrandom @@ -1268,16 +1301,6 @@ rm -rf ${RPM_BUILD_ROOT} %if %{with LMDB} %{_sbindir}/named-nzd2nzf %endif -%if %{with DNSTAP} -%{_bindir}/dnstap-read -%{_mandir}/man1/dnstap-read.1* -%endif -%{_mandir}/man1/host.1* -%{_mandir}/man1/nsupdate.1* -%{_mandir}/man1/dig.1* -%{_mandir}/man1/delv.1* -%{_mandir}/man1/nslookup.1* -%{_mandir}/man1/arpaname.1* %{_mandir}/man8/ddns-confgen.8* %{_mandir}/man8/tsig-keygen.8* %{_mandir}/man8/genrandom.8* @@ -1292,7 +1315,6 @@ rm -rf ${RPM_BUILD_ROOT} %if %{with LMDB} %{_mandir}/man8/named-nzd2nzf.8* %endif -%{_sysconfdir}/trusted-key.key
%if %{with DEVEL} %files devel @@ -1490,6 +1512,9 @@ rm -rf ${RPM_BUILD_ROOT}
%changelog +* Thu Jan 17 2019 Petr Menk pemensik@redhat.com - 32:9.11.5-5 +- Move dnssec related tools from bind-utils to bind-dnssec-utils (#1649398) + * Wed Jan 16 2019 Petr Menk pemensik@redhat.com - 32:9.11.5-4 - Reject invalid binary file (#1666814)
commit 685f10cbfd1120c865ff7d3e4ce3923998fe2286 Author: Petr Menk pemensik@redhat.com Date: Wed Jan 16 17:08:53 2019 +0100
Reject invalid rbt file if header is corrupted
Resolves: rhbz#1666814
diff --git a/bind-9.11-rh1666814.patch b/bind-9.11-rh1666814.patch new file mode 100644 index 0000000..ea1df5d --- /dev/null +++ b/bind-9.11-rh1666814.patch @@ -0,0 +1,37 @@ +From 3bb29f45604ac6890f4ea5cdcbd1a62e6dad14a7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= pemensik@redhat.com +Date: Wed, 16 Jan 2019 16:27:33 +0100 +Subject: [PATCH 2/2] Fix possible crash when loading corrupted file + +Some values passes internal triggers by coincidence. Fix the check and +check also first_node_offset before even passing it further. +--- + lib/dns/rbt.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/lib/dns/rbt.c b/lib/dns/rbt.c +index 62d0826..b029b7d 100644 +--- a/lib/dns/rbt.c ++++ b/lib/dns/rbt.c +@@ -787,7 +787,7 @@ treefix(dns_rbt_t *rbt, void *base, size_t filesize, dns_rbtnode_t *n, + return (ISC_R_SUCCESS); + + CONFIRM((void *) n >= base); +- CONFIRM((char *) n - (char *) base <= (int) nodemax); ++ CONFIRM((size_t)((char *) n - (char *) base) <= nodemax); + CONFIRM(DNS_RBTNODE_VALID(n)); + + dns_name_init(&nodename, NULL); +@@ -939,7 +939,8 @@ dns_rbt_deserialize_tree(void *base_address, size_t filesize, + rbt->root = (dns_rbtnode_t *)((char *)base_address + + header_offset + header->first_node_offset); + +- if ((header->nodecount * sizeof(dns_rbtnode_t)) > filesize) { ++ if ((header->nodecount * sizeof(dns_rbtnode_t)) > filesize ++ || header->first_node_offset > filesize) { + result = ISC_R_INVALIDFILE; + goto cleanup; + } +-- +2.20.1 + diff --git a/bind.spec b/bind.spec index f0c5d10..a6357de 100644 --- a/bind.spec +++ b/bind.spec @@ -54,7 +54,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv Name: bind License: MPLv2.0 Version: 9.11.5 -Release: 3%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} +Release: 4%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} Epoch: 32 Url: http://www.isc.org/products/BIND/ # 
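Review bot: The size check in dns_rbt_deserialize_tree still multiplies a value read from the file, `header->nodecount * sizeof(dns_rbtnode_t)`; depending on the type of `nodecount` (declared outside the hunk) the product can wrap for a corrupted header and pass the comparison. Writing it as `header->nodecount > filesize / sizeof(dns_rbtnode_t)` avoids the multiplication. The added `header->first_node_offset > filesize` test ignores `header_offset` and the size of the node itself, so an offset close to the end of the file is still accepted, and `rbt->root` has already been computed from the unchecked offset in the context lines above. Moving the validation before the `rbt->root` assignment and bounding `header_offset + first_node_offset + sizeof(dns_rbtnode_t)` against `filesize` would cover both cases. Both functions continue outside their hunks.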
@@ -131,6 +131,8 @@ Patch161:bind-9.11-host-idn-disable.patch Patch162:bind-9.11-unit-dnstap-pkcs11.patch # https://gitlab.isc.org/isc-projects/bind9/commit/8a98277811e Patch163:bind-9.11-rh1663318.patch +# https://gitlab.isc.org/isc-projects/bind9/issues/819 +Patch164:bind-9.11-rh1666814.patch
# SDB patches Patch11: bind-9.3.2b2-sdbsrc.patch @@ -489,6 +491,7 @@ are used for building ISC DHCP. %patch161 -p1 -b .host-idn-disable %patch162 -p1 -b .dnstap-pkcs11 %patch163 -p1 -b .rh1663318 +%patch164 -p1 -b .rh1666814
mkdir lib/dns/tests/testdata/dstrandom cp -a %{SOURCE50} lib/dns/tests/testdata/dstrandom/random.data @@ -1487,6 +1490,9 @@ rm -rf ${RPM_BUILD_ROOT}
%changelog +* Wed Jan 16 2019 Petr Menk pemensik@redhat.com - 32:9.11.5-4 +- Reject invalid binary file (#1666814) + * Mon Jan 14 2019 Petr Menk pemensik@redhat.com - 32:9.11.5-3 - Disable crypto rand for DHCP (#1663318)
commit 67a5cd83ffa71f67f58648e6f6c5cbb1c7ab3fa7 Author: Petr Menk pemensik@redhat.com Date: Mon Jan 14 18:51:53 2019 +0100
Made RAND_status check optional (broke --disable-crypto-rand)
dhclient can terminate if there is not enough entropy, even though it never requires random data. On a new virtual machine, lack of entropy can be common. Ensure it does not prevent the DHCP client from assigning an IP address.
diff --git a/bind-9.11-rh1663318.patch b/bind-9.11-rh1663318.patch new file mode 100644 index 0000000..79487b0 --- /dev/null +++ b/bind-9.11-rh1663318.patch @@ -0,0 +1,32 @@ +From 48d86dd3d834bcedd0c977d193c36b12e8398b4e Mon Sep 17 00:00:00 2001 +From: Francis Dupont fdupont@isc.org +Date: Sun, 17 Sep 2017 12:02:09 +0200 +Subject: [PATCH] Made RAND_status check optional (broke --disable-crypto-rand) + +--- + lib/dns/openssl_link.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c +index 91e87d0..3cddaa9 100644 +--- a/lib/dns/openssl_link.c ++++ b/lib/dns/openssl_link.c +@@ -289,6 +289,7 @@ dst__openssl_init(const char *engine) { + #endif + #endif /* !defined(OPENSSL_NO_ENGINE) */ + ++#ifdef ISC_PLATFORM_CRYPTORANDOM + /* Protect ourselves against unseeded PRNG */ + if (RAND_status() != 1) { + FATAL_ERROR(__FILE__, __LINE__, +@@ -296,6 +297,7 @@ dst__openssl_init(const char *engine) { + "cannot be initialized (see the `PRNG not " + "seeded' message in the OpenSSL FAQ)"); + } ++#endif + + return (ISC_R_SUCCESS); + +-- +2.20.1 + diff --git a/bind.spec b/bind.spec index 110b520..f0c5d10 100644 --- a/bind.spec +++ b/bind.spec @@ -54,7 +54,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv Name: bind License: MPLv2.0 Version: 9.11.5 -Release: 2%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} +Release: 3%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} Epoch: 32 Url: http://www.isc.org/products/BIND/ # @@ -129,6 +129,8 @@ Patch160:bind-9.11-rh1624100.patch Patch161:bind-9.11-host-idn-disable.patch # https://gitlab.isc.org/isc-projects/bind9/issues/624 Patch162:bind-9.11-unit-dnstap-pkcs11.patch +# https://gitlab.isc.org/isc-projects/bind9/commit/8a98277811e +Patch163:bind-9.11-rh1663318.patch
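Review bot: The added `#ifdef ISC_PLATFORM_CRYPTORANDOM` in `dst__openssl_init` compiles out the only unseeded-PRNG guard visible in this hunk, and nothing in the patch documents what protects a build made with `--disable-crypto-rand`, which the spec in this same commit adds to a configure invocation. I would add a comment above the guard stating the assumption, for example `/* Without crypto-rand, OpenSSL's RAND is not the random source here; seeding is the entropy pool's job. */`, after confirming that this holds for every consumer of that build. If any key generation in that build can still draw from OpenSSL's RAND, the check should stay unconditional on that path. The function body continues outside the hunk.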
# SDB patches Patch11: bind-9.3.2b2-sdbsrc.patch @@ -486,6 +488,7 @@ are used for building ISC DHCP. %patch160 -p1 -b .rh1624100 %patch161 -p1 -b .host-idn-disable %patch162 -p1 -b .dnstap-pkcs11 +%patch163 -p1 -b .rh1663318
mkdir lib/dns/tests/testdata/dstrandom cp -a %{SOURCE50} lib/dns/tests/testdata/dstrandom/random.data @@ -712,6 +715,7 @@ export LIBDIR_SUFFIX --without-libjson \ --without-zlib \ --without-dlopen \ + --disable-crypto-rand \ --enable-full-report
## We don't want to build other libs than -export twice @@ -1483,6 +1487,9 @@ rm -rf ${RPM_BUILD_ROOT}
%changelog +* Mon Jan 14 2019 Petr Menk pemensik@redhat.com - 32:9.11.5-3 +- Disable crypto rand for DHCP (#1663318) + * Thu Oct 25 2018 Petr Menk pemensik@redhat.com - 32:9.11.5-2 - Add optional support for JSON statistics - Add optional DNSTAP support (#1564776), new dnstap-read tool
commit a1558710fbf2b46acfaab42af347805cf678b340 Author: Adam Williamson awilliam@redhat.com Date: Fri Jan 11 23:35:03 2019 -0800
Correct a backport inconsistency in bind-9.11-rt46047.patch
The patch seems to have been generated from a more recent bind tree in which `ns_g_lctx` was renamed `named_g_lctx`. So the patch uses the `named_g_lctx` name, but the rest of server.c in bind-9.11 still uses the name `ns_g_lctx`, so if you compile with --disable-crypto-rand, the build actually fails with an undeclared name error.
diff --git a/bind-9.11-rt46047.patch b/bind-9.11-rt46047.patch index 5030c06..3cb3c0f 100644 --- a/bind-9.11-rt46047.patch +++ b/bind-9.11-rt46047.patch @@ -299,7 +299,7 @@ index 9258e7f..f4320df 100644 - randomdev); + if ((obj != NULL) && !cfg_obj_isvoid(obj)) + level = ISC_LOG_INFO; -+ isc_log_write(named_g_lctx, NS_LOGCATEGORY_GENERAL, ++ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, + NS_LOGMODULE_SERVER, level, + "no source of entropy found"); + if ((obj == NULL) || cfg_obj_isvoid(obj)) {
commit ae36af4c9fd8189ea9925222f6e9902239f61af3 Author: Petr Menk pemensik@redhat.com Date: Fri Oct 19 17:41:16 2018 +0200
Add support for DNSTAP
Not enabled by default yet. Enables dumping of dns traffic. Fix DNSTAP issues in build and unit tests.
Fool rpmlint to accept dnstap relative path. Rpmlint emitted error hardcoded-library-path on dnstap path. It is not a system-wide library; work around it by using a variable.
Add dnstap-read utility to utils. When dnstap is enabled, dnstap-read will be part of utils. Disadvantage is all utilities would have dependency on protobuf library, including host and dig.
Resolves: #1564776
diff --git a/bind-9.11-unit-dnstap-pkcs11.patch b/bind-9.11-unit-dnstap-pkcs11.patch new file mode 100644 index 0000000..8620e9f --- /dev/null +++ b/bind-9.11-unit-dnstap-pkcs11.patch @@ -0,0 +1,24 @@ +diff --git a/lib/dns/tests/dnstap_test.c b/lib/dns/tests/dnstap_test.c +index 56e3da4..1f31542 100644 +--- a/lib/dns/tests/dnstap_test.c ++++ b/lib/dns/tests/dnstap_test.c +@@ -297,6 +297,9 @@ ATF_TC_BODY(totext, tc) { + + UNUSED(tc); + ++ /* make sure text conversion gets the right local time */ ++ setenv("TZ", "PST8", 1); ++ + result = dns_test_begin(NULL, true); + ATF_REQUIRE(result == ISC_R_SUCCESS); + +@@ -306,9 +309,6 @@ ATF_TC_BODY(totext, tc) { + result = isc_stdio_open(TAPTEXT, "r", &fp); + ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); + +- /* make sure text conversion gets the right local time */ +- setenv("TZ", "PST8", 1); +- + while (dns_dt_getframe(handle, &data, &dsize) == ISC_R_SUCCESS) { + dns_dtdata_t *dtdata = NULL; + isc_buffer_t *b = NULL; diff --git a/bind.spec b/bind.spec index 14b76ff..110b520 100644 --- a/bind.spec +++ b/bind.spec @@ -18,6 +18,7 @@ %bcond_without DEVEL %bcond_with LMDB %bcond_with JSON +%bcond_with DNSTAP %bcond_with DLZ %bcond_without EXPORT_LIBS %if 0%{?fedora} >= 17 @@ -124,7 +125,10 @@ Patch159:bind-9.11-rt46047.patch # commit b105ccee68ccc3c18e6ea530063b3c8e5a42571c # commit 083461d3329ff6f2410745848a926090586a9846 Patch160:bind-9.11-rh1624100.patch +# https://gitlab.isc.org/isc-projects/bind9/issues/555 Patch161:bind-9.11-host-idn-disable.patch +# https://gitlab.isc.org/isc-projects/bind9/issues/624 +Patch162:bind-9.11-unit-dnstap-pkcs11.patch
# SDB patches Patch11: bind-9.3.2b2-sdbsrc.patch @@ -187,6 +191,9 @@ BuildRequires: lmdb-devel %if %{with JSON} BuildRequires: json-c-devel %endif +%if %{with DNSTAP} +BuildRequires: fstrm-devel protobuf-c-devel +%endif # Needed to regenerate dig.1 manpage BuildRequires: docbook-style-xsl, libxslt
@@ -328,6 +335,9 @@ Requires: lmdb-devel %if %{with JSON} Requires: json-c-devel%{?_isa} %endif +%if %{with DNSTAP} +Requires: fstrm-devel%{?_isa} protobuf-c-devel%{?_isa} +%endif
%description lite-devel The bind-lite-devel package contains lite version of the header @@ -475,6 +485,7 @@ are used for building ISC DHCP. %patch159 -p1 -b .rt46047 %patch160 -p1 -b .rh1624100 %patch161 -p1 -b .host-idn-disable +%patch162 -p1 -b .dnstap-pkcs11
mkdir lib/dns/tests/testdata/dstrandom cp -a %{SOURCE50} lib/dns/tests/testdata/dstrandom/random.data @@ -605,6 +616,9 @@ export LIBDIR_SUFFIX %if %{with JSON} --with-libjson \ %endif +%if %{with DNSTAP} + --enable-dnstap \ +%endif %if %{with UNITTEST} --with-atf=${ATF_PATH} \ %endif @@ -612,6 +626,15 @@ export LIBDIR_SUFFIX --with-docbook-xsl=%{_datadir}/sgml/docbook/xsl-stylesheets \ --enable-full-report \ ; +%if %{with DNSTAP} + pushd lib + SRCLIB="../../../lib" + (cd dns && ln -s ${SRCLIB}/dns/dnstap.proto) +%if %{with PKCS11} + (cd dns-pkcs11 && ln -s ${SRCLIB}/dns-pkcs11/dnstap.proto) +%endif + popd +%endif make %{?_smp_mflags}
### FIXME hack!!! @@ -1238,6 +1261,10 @@ rm -rf ${RPM_BUILD_ROOT} %if %{with LMDB} %{_sbindir}/named-nzd2nzf %endif +%if %{with DNSTAP} +%{_bindir}/dnstap-read +%{_mandir}/man1/dnstap-read.1* +%endif %{_mandir}/man1/host.1* %{_mandir}/man1/nsupdate.1* %{_mandir}/man1/dig.1* @@ -1458,6 +1485,7 @@ rm -rf ${RPM_BUILD_ROOT} %changelog * Thu Oct 25 2018 Petr Menk pemensik@redhat.com - 32:9.11.5-2 - Add optional support for JSON statistics +- Add optional DNSTAP support (#1564776), new dnstap-read tool
* Wed Oct 24 2018 Petr Menk pemensik@redhat.com - 32:9.11.5-1 - Update to 9.11.5
commit eba5779fc1ae3c7d8bc86e5099ccafac3c37f3ba Author: Petr Menk pemensik@redhat.com Date: Mon Oct 15 17:15:26 2018 +0200
Add JSON statistics support
Optional support for HTTP statistics. For now it is still disabled.
diff --git a/bind.spec b/bind.spec index b557e44..14b76ff 100644 --- a/bind.spec +++ b/bind.spec @@ -17,6 +17,7 @@ %bcond_without PKCS11 %bcond_without DEVEL %bcond_with LMDB +%bcond_with JSON %bcond_with DLZ %bcond_without EXPORT_LIBS %if 0%{?fedora} >= 17 @@ -52,7 +53,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv Name: bind License: MPLv2.0 Version: 9.11.5 -Release: 1%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} +Release: 2%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} Epoch: 32 Url: http://www.isc.org/products/BIND/ # @@ -183,6 +184,9 @@ BuildRequires: krb5-devel %if %{with LMDB} BuildRequires: lmdb-devel %endif +%if %{with JSON} +BuildRequires: json-c-devel +%endif # Needed to regenerate dig.1 manpage BuildRequires: docbook-style-xsl, libxslt
@@ -321,6 +325,9 @@ Requires: krb5-devel%{?_isa} %if %{with LMDB} Requires: lmdb-devel %endif +%if %{with JSON} +Requires: json-c-devel%{?_isa} +%endif
%description lite-devel The bind-lite-devel package contains lite version of the header @@ -595,6 +602,9 @@ export LIBDIR_SUFFIX %else --with-lmdb=no \ %endif +%if %{with JSON} + --with-libjson \ +%endif %if %{with UNITTEST} --with-atf=${ATF_PATH} \ %endif @@ -1446,6 +1456,9 @@ rm -rf ${RPM_BUILD_ROOT}
%changelog +* Thu Oct 25 2018 Petr Menk pemensik@redhat.com - 32:9.11.5-2 +- Add optional support for JSON statistics + * Wed Oct 24 2018 Petr Menk pemensik@redhat.com - 32:9.11.5-1 - Update to 9.11.5
commit ad7b3b8f1284fb8077c24233c4172e2174a6d90e Author: Petr Menk pemensik@redhat.com Date: Fri Oct 19 17:52:10 2018 +0200
Update to 9.11.5
Bump to higher version, update sources.
More fixes to rebased BIND. Many patches are affected by stdbool change. Update libraries so versions.
diff --git a/.gitignore b/.gitignore index 774f56c..f656e89 100644 --- a/.gitignore +++ b/.gitignore @@ -86,3 +86,4 @@ bind-9.7.2b1.tar.gz /bind-9.11.4.tar.gz /bind-9.11.4-P1.tar.gz /bind-9.11.4-P2.tar.gz +/bind-9.11.5.tar.gz diff --git a/bind-9.10-dist-native-pkcs11.patch b/bind-9.10-dist-native-pkcs11.patch index 6f66dc1..aa95e33 100644 --- a/bind-9.10-dist-native-pkcs11.patch +++ b/bind-9.10-dist-native-pkcs11.patch @@ -14,7 +14,7 @@ index f0c504a..ce7a2da 100644
@BIND9_MAKE_RULES@ diff --git a/bin/dnssec-pkcs11/Makefile.in b/bin/dnssec-pkcs11/Makefile.in -index 1d0c4ce..7b7f89b 100644 +index ce0a177..f8370cf 100644 --- a/bin/dnssec-pkcs11/Makefile.in +++ b/bin/dnssec-pkcs11/Makefile.in @@ -17,18 +17,18 @@ VERSION=@BIND9_VERSION@ @@ -121,15 +121,15 @@ index 1d0c4ce..7b7f89b 100644
-install:: ${TARGETS} installdirs install-man8 +install:: ${TARGETS} installdirs - for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir}; done + for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir} || exit 1; done
uninstall:: -- for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m ; done - for t in ${TARGETS}; do ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/$$t ; done +- for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m || exit 1; done + for t in ${TARGETS}; do ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/$$t || exit 1; done
clean distclean:: diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in -index 1d0c4ce..11538cf 100644 +index ce0a177..7cede84 100644 --- a/bin/dnssec/Makefile.in +++ b/bin/dnssec/Makefile.in @@ -19,7 +19,7 @@ VERSION=@BIND9_VERSION@ @@ -291,10 +291,10 @@ index a058c91..d4b689a 100644 DEPLIBS = ${ISCDEPLIBS}
diff --git a/configure.in b/configure.in -index 849fa94..69e6373 100644 +index 898b4ac..1edafd1 100644 --- a/configure.in +++ b/configure.in -@@ -1164,12 +1164,14 @@ AC_SUBST(USE_GSSAPI) +@@ -1109,12 +1109,14 @@ AC_SUBST(USE_GSSAPI) AC_SUBST(DST_GSSAPI_INC) AC_SUBST(DNS_GSSAPI_LIBS) DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_LIBS" @@ -309,7 +309,7 @@ index 849fa94..69e6373 100644
# # was --with-randomdev specified? -@@ -1554,11 +1556,11 @@ fi +@@ -1499,11 +1501,11 @@ fi AC_MSG_CHECKING(for OpenSSL library) OPENSSL_WARNING= openssldirs="/usr /usr/local /usr/local/ssl /usr/pkg /usr/sfw" @@ -326,7 +326,7 @@ index 849fa94..69e6373 100644
if test "auto" = "$use_openssl" then -@@ -1571,6 +1573,7 @@ then +@@ -1516,6 +1518,7 @@ then fi done fi @@ -334,7 +334,7 @@ index 849fa94..69e6373 100644 OPENSSL_ECDSA="" OPENSSL_GOST="" OPENSSL_ED25519="" -@@ -1592,11 +1595,10 @@ case "$with_gost" in +@@ -1537,11 +1540,10 @@ case "$with_gost" in ;; esac
@@ -349,7 +349,7 @@ index 849fa94..69e6373 100644 CRYPTOLIB="pkcs11" OPENSSLECDSALINKOBJS="" OPENSSLECDSALINKSRCS="" -@@ -1606,7 +1608,9 @@ case "$use_openssl" in +@@ -1551,7 +1553,9 @@ case "$use_openssl" in OPENSSLGOSTLINKSRCS="" OPENSSLLINKOBJS="" OPENSSLLINKSRCS="" @@ -360,7 +360,7 @@ index 849fa94..69e6373 100644 no) AC_MSG_RESULT(no) DST_OPENSSL_INC="" -@@ -1638,7 +1642,7 @@ case "$use_openssl" in +@@ -1583,7 +1587,7 @@ case "$use_openssl" in If you do not want OpenSSL, use --without-openssl]) ;; *) @@ -369,7 +369,7 @@ index 849fa94..69e6373 100644 then AC_MSG_RESULT() AC_MSG_ERROR([OpenSSL and native PKCS11 cannot be used together.]) -@@ -2066,6 +2070,7 @@ AC_SUBST(OPENSSL_ED25519) +@@ -2011,6 +2015,7 @@ AC_SUBST(OPENSSL_ED25519) AC_SUBST(OPENSSL_GOST)
DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DST_OPENSSL_LIBS" @@ -377,7 +377,7 @@ index 849fa94..69e6373 100644
ISC_PLATFORM_WANTAES="#undef ISC_PLATFORM_WANTAES" if test "yes" = "$with_aes" -@@ -2384,6 +2389,7 @@ esac +@@ -2329,6 +2334,7 @@ esac AC_SUBST(PKCS11LINKOBJS) AC_SUBST(PKCS11LINKSRCS) AC_SUBST(CRYPTO) @@ -385,7 +385,7 @@ index 849fa94..69e6373 100644 AC_SUBST(PKCS11_ECDSA) AC_SUBST(PKCS11_GOST) AC_SUBST(PKCS11_ED25519) -@@ -5497,8 +5503,11 @@ AC_CONFIG_FILES([ +@@ -5401,8 +5407,11 @@ AC_CONFIG_FILES([ bin/delv/Makefile bin/dig/Makefile bin/dnssec/Makefile @@ -397,7 +397,7 @@ index 849fa94..69e6373 100644 bin/nsupdate/Makefile bin/pkcs11/Makefile bin/python/Makefile -@@ -5572,6 +5581,10 @@ AC_CONFIG_FILES([ +@@ -5476,6 +5485,10 @@ AC_CONFIG_FILES([ lib/dns/include/dns/Makefile lib/dns/include/dst/Makefile lib/dns/tests/Makefile @@ -408,7 +408,7 @@ index 849fa94..69e6373 100644 lib/irs/Makefile lib/irs/include/Makefile lib/irs/include/irs/Makefile -@@ -5596,6 +5609,24 @@ AC_CONFIG_FILES([ +@@ -5500,6 +5513,24 @@ AC_CONFIG_FILES([ lib/isc/unix/include/Makefile lib/isc/unix/include/isc/Makefile lib/isc/unix/include/pkcs11/Makefile @@ -525,7 +525,7 @@ index 4a8549e..6a19906 100644 rm -f include/dns/rdatastruct.h rm -f dnstap.pb-c.c dnstap.pb-c.h include/dns/dnstap.pb-c.h diff --git a/lib/isc-pkcs11/Makefile.in b/lib/isc-pkcs11/Makefile.in -index ba53ef1..d1f1771 100644 +index 98acfff..2fd6981 100644 --- a/lib/isc-pkcs11/Makefile.in +++ b/lib/isc-pkcs11/Makefile.in @@ -23,8 +23,8 @@ CINCLUDES = -I${srcdir}/unix/include \ @@ -539,7 +539,7 @@ index ba53ef1..d1f1771 100644 CWARNINGS =
# Alphabetically -@@ -107,40 +107,40 @@ version.@O@: version.c +@@ -103,40 +103,40 @@ version.@O@: version.c -DLIBAGE=${LIBAGE} \ -c ${srcdir}/version.c
diff --git a/bind-9.11-fips-code.patch b/bind-9.11-fips-code.patch index 2dccdea..f4973a6 100644 --- a/bind-9.11-fips-code.patch +++ b/bind-9.11-fips-code.patch @@ -1,11 +1,13 @@ -From fb8665aebd79ea33cb255f578544e1738f5bbb58 Mon Sep 17 00:00:00 2001 +From 9fa0831af989818eb6f908815967590e56a19ab1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= pemensik@redhat.com Date: Thu, 2 Aug 2018 23:34:45 +0200 -Subject: [PATCH 1/2] Squashed commit of the following: +Subject: [PATCH] FIPS code changes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
+Squashed commit of the following: + commit b49f70ce0575b6b52a71b90fe0376dbf16f92c6b Author: Petr Menk pemensik@redhat.com Date: Mon Jan 22 14:12:37 2018 +0100 @@ -95,7 +97,7 @@ Date: Mon Jan 22 07:21:04 2018 +0100 Add runtime detection whether MD5 is useable. --- bin/confgen/keygen.c | 10 ++++- - bin/confgen/rndc-confgen.c | 36 +++++------------- + bin/confgen/rndc-confgen.c | 32 ++++------------ bin/dig/dig.c | 7 ++-- bin/dig/dighost.c | 14 +++++-- bin/dnssec/dnssec-keygen.c | 14 +++++++ @@ -104,12 +106,12 @@ Date: Mon Jan 22 07:21:04 2018 +0100 bin/rndc/rndc.c | 3 +- bin/tests/optional/hash_test.c | 78 ++++++++++++++++++++------------------- bin/tests/system/tkey/keycreate.c | 3 ++ - bin/tests/system/tkey/keydelete.c | 18 ++++++--- + bin/tests/system/tkey/keydelete.c | 17 ++++++--- lib/bind9/check.c | 10 +++++ lib/dns/dst_api.c | 23 ++++++++---- lib/dns/dst_internal.h | 3 +- lib/dns/dst_parse.c | 18 +++++++-- - lib/dns/hmac_link.c | 20 +++------- + lib/dns/hmac_link.c | 18 ++------- lib/dns/opensslrsa_link.c | 6 +++ lib/dns/pkcs11rsa_link.c | 33 +++++++++++++++-- lib/dns/rcode.c | 21 ++++++++++- @@ -120,13 +122,13 @@ Date: Mon Jan 22 07:21:04 2018 +0100 lib/dns/tsig.c | 17 +++++---- lib/isc/include/isc/md5.h | 3 ++ lib/isc/md5.c | 59 +++++++++++++++++++++++++++++ - lib/isc/pk11.c | 58 ++++++++++++++++++++--------- + lib/isc/pk11.c | 44 +++++++++++++++------- lib/isc/tests/hash_test.c | 9 +++-- lib/isccc/cc.c | 42 +++++++++++++-------- - 29 files changed, 424 insertions(+), 177 deletions(-) + 29 files changed, 409 insertions(+), 171 deletions(-)
diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c -index 453c641dba..11cc54dd46 100644 +index 8931ad5..5015abb 100644 --- a/bin/confgen/keygen.c +++ b/bin/confgen/keygen.c @@ -22,6 +22,7 @@ @@ -150,7 +152,7 @@ index 453c641dba..11cc54dd46 100644 switch (alg) { #ifndef PK11_MD5_DISABLE case DST_ALG_HMACMD5: -+ if (isc_md5_available() == ISC_FALSE) { ++ if (!isc_md5_available()) { + fatal("unsupported algorithm %d\n", alg); + } else if (keysize < 1 || keysize > 512) { + fatal("keysize %d out of range (must be 1-512)\n", @@ -161,10 +163,10 @@ index 453c641dba..11cc54dd46 100644 case DST_ALG_HMACSHA1: case DST_ALG_HMACSHA224: diff --git a/bin/confgen/rndc-confgen.c b/bin/confgen/rndc-confgen.c -index 2925baf32f..d7d8418073 100644 +index 5ca3d76..6b7790a 100644 --- a/bin/confgen/rndc-confgen.c +++ b/bin/confgen/rndc-confgen.c -@@ -35,6 +35,7 @@ +@@ -36,6 +36,7 @@ #include <isc/file.h> #include <isc/keyboard.h> #include <isc/mem.h> @@ -172,16 +174,16 @@ index 2925baf32f..d7d8418073 100644 #include <isc/net.h> #include <isc/print.h> #include <isc/result.h> -@@ -62,7 +63,7 @@ const char *progname; +@@ -63,7 +64,7 @@ const char *progname;
- isc_boolean_t verbose = ISC_FALSE; + bool verbose = false;
-const char *keyfile, *keydef; +const char *keyfile, *keydef, *algdef;
ISC_PLATFORM_NORETURN_PRE static void usage(int status) ISC_PLATFORM_NORETURN_POST; -@@ -70,13 +71,12 @@ usage(int status) ISC_PLATFORM_NORETURN_POST; +@@ -71,13 +72,12 @@ usage(int status) ISC_PLATFORM_NORETURN_POST; static void usage(int status) {
@@ -196,7 +198,7 @@ index 2925baf32f..d7d8418073 100644 -b bits: from 1 through 512, default 256; total length of the secret\n\ -c keyfile: specify an alternate key file (requires -a)\n\ -k keyname: the name as it will be used in named.conf and rndc.conf\n\ -@@ -85,24 +85,7 @@ Usage:\n\ +@@ -86,24 +86,7 @@ Usage:\n\ -s addr: the address to which rndc should connect\n\ -t chrootdir: write a keyfile in chrootdir as well (requires -a)\n\ -u user: set the keyfile owner to "user" (requires -a)\n", @@ -222,31 +224,27 @@ index 2925baf32f..d7d8418073 100644
exit (status); } -@@ -138,13 +121,14 @@ main(int argc, char **argv) { +@@ -139,11 +122,12 @@ main(int argc, char **argv) { progname = program;
keyname = DEFAULT_KEYNAME; -#ifndef PK11_MD5_DISABLE - alg = DST_ALG_HMACMD5; -#else -- alg = DST_ALG_HMACSHA256; --#endif - serveraddr = DEFAULT_SERVER; - port = DEFAULT_PORT; -+ alg = DST_ALG_HMACSHA256; + alg = DST_ALG_HMACSHA256; +#ifndef PK11_MD5_DISABLE + if (isc_md5_available()) + alg = DST_ALG_HMACMD5; -+#endif + #endif + algdef = alg_totext(alg); - - isc_commandline_errprint = ISC_FALSE; + serveraddr = DEFAULT_SERVER; + port = DEFAULT_PORT;
diff --git a/bin/dig/dig.c b/bin/dig/dig.c -index d4808ada67..9dff7c8ecd 100644 +index 39f74be..597e830 100644 --- a/bin/dig/dig.c +++ b/bin/dig/dig.c -@@ -17,6 +17,7 @@ +@@ -20,6 +20,7 @@ #include <ctype.h>
#include <isc/app.h> @@ -254,7 +252,7 @@ index d4808ada67..9dff7c8ecd 100644 #include <isc/netaddr.h> #include <isc/parseint.h> #include <isc/platform.h> -@@ -1757,10 +1758,10 @@ dash_option(char *option, char *next, dig_lookup_t **lookup, +@@ -1760,10 +1761,10 @@ dash_option(char *option, char *next, dig_lookup_t **lookup, ptr = ptr2; ptr2 = ptr3; } else { @@ -269,10 +267,10 @@ index d4808ada67..9dff7c8ecd 100644 digestbits = 0; } diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c -index ecefc98453..94c428ed30 100644 +index 1fa711a..341ed80 100644 --- a/bin/dig/dighost.c +++ b/bin/dig/dighost.c -@@ -77,6 +77,7 @@ +@@ -80,6 +80,7 @@ #include <isc/hex.h> #include <isc/lang.h> #include <isc/log.h> @@ -280,7 +278,7 @@ index ecefc98453..94c428ed30 100644 #include <isc/netaddr.h> #include <isc/netdb.h> #include <isc/parseint.h> -@@ -1243,9 +1244,10 @@ parse_hmac(const char *hmac) { +@@ -1246,9 +1247,10 @@ parse_hmac(const char *hmac) { digestbits = 0;
#ifndef PK11_MD5_DISABLE @@ -293,7 +291,7 @@ index ecefc98453..94c428ed30 100644 hmacname = DNS_TSIG_HMACMD5_NAME; digestbits = parse_bits(&buf[9], "digest-bits [0..128]", 128); } else -@@ -1365,7 +1367,13 @@ setup_file_key(void) { +@@ -1368,7 +1370,13 @@ setup_file_key(void) { switch (dst_key_alg(dstkey)) { #ifndef PK11_MD5_DISABLE case DST_ALG_HMACMD5: @@ -309,10 +307,10 @@ index ecefc98453..94c428ed30 100644 #endif case DST_ALG_HMACSHA1: diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c -index 6fc3ab0979..fc04356ed4 100644 +index 1476d0d..f5c9316 100644 --- a/bin/dnssec/dnssec-keygen.c +++ b/bin/dnssec/dnssec-keygen.c -@@ -34,6 +34,7 @@ +@@ -36,6 +36,7 @@ #include <isc/buffer.h> #include <isc/commandline.h> #include <isc/entropy.h> @@ -320,7 +318,7 @@ index 6fc3ab0979..fc04356ed4 100644 #include <isc/mem.h> #include <isc/print.h> #include <isc/region.h> -@@ -560,6 +561,19 @@ main(int argc, char **argv) { +@@ -562,6 +563,19 @@ main(int argc, char **argv) { ""-a RSAMD5"\n"); INSIST(freeit == NULL); return (1); @@ -333,7 +331,7 @@ index 6fc3ab0979..fc04356ed4 100644 + return (1); + } + } else if (strcasecmp(algname, "RSAMD5") == 0 && -+ isc_md5_available() == ISC_FALSE) { ++ !isc_md5_available()) { + fprintf(stderr, "The use of RSAMD5 was disabled\n"); + INSIST(freeit == NULL); + return (1); @@ -341,10 +339,10 @@ index 6fc3ab0979..fc04356ed4 100644 alg = DST_ALG_HMACMD5; #else diff --git a/bin/named/config.c b/bin/named/config.c -index 54bc37fff7..c50f759ddd 100644 +index 2732a8f..2c4c93c 100644 --- a/bin/named/config.c +++ b/bin/named/config.c -@@ -17,6 +17,7 @@ +@@ -18,6 +18,7 @@
#include <isc/buffer.h> #include <isc/log.h> @@ -352,14 +350,14 @@ index 54bc37fff7..c50f759ddd 100644 #include <isc/mem.h> #include <isc/parseint.h> #include <isc/region.h> -@@ -966,6 +967,21 @@ ns_config_getkeyalgorithm(const char *str, dns_name_t **name, +@@ -967,6 +968,21 @@ ns_config_getkeyalgorithm(const char *str, dns_name_t **name, return (ns_config_getkeyalgorithm2(str, name, NULL, digestbits)); }
+static inline int +algorithms_start() { +#ifndef PK11_MD5_DISABLE -+ if (isc_md5_available() == ISC_FALSE) { ++ if (!isc_md5_available()) { + int i = 0; + while (algorithms[i].str != NULL && + algorithms[i].hmac == hmacmd5) { @@ -373,9 +371,9 @@ index 54bc37fff7..c50f759ddd 100644 + isc_result_t ns_config_getkeyalgorithm2(const char *str, dns_name_t **name, - unsigned int *typep, isc_uint16_t *digestbits) -@@ -975,7 +991,7 @@ ns_config_getkeyalgorithm2(const char *str, dns_name_t **name, - isc_uint16_t bits; + unsigned int *typep, uint16_t *digestbits) +@@ -976,7 +992,7 @@ ns_config_getkeyalgorithm2(const char *str, dns_name_t **name, + uint16_t bits; isc_result_t result;
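Review bot: `algorithms_start()` is defined with an empty parameter list, which in C leaves the arguments unspecified instead of declaring that there are none; `algorithms_start(void) {` is the prototype form. The skip loop also works only while every `hmacmd5` entry sits at the front of `algorithms[]`, which the hunk neither shows nor asserts. A comment such as `/* hmac-md5 entries must stay first in algorithms[] */` at the table or in the helper would stop a later reordering from letting an hmac-md5 name match again when MD5 is unavailable. The rest of the helper's body and the table itself are outside the hunk.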
- for (i = 0; algorithms[i].str != NULL; i++) { @@ -383,7 +381,7 @@ index 54bc37fff7..c50f759ddd 100644 len = strlen(algorithms[i].str); if (strncasecmp(algorithms[i].str, str, len) == 0 && (str[len] == '\0' || -@@ -998,7 +1014,12 @@ ns_config_getkeyalgorithm2(const char *str, dns_name_t **name, +@@ -999,7 +1015,12 @@ ns_config_getkeyalgorithm2(const char *str, dns_name_t **name, if (name != NULL) { switch (algorithms[i].hmac) { #ifndef PK11_MD5_DISABLE @@ -398,10 +396,10 @@ index 54bc37fff7..c50f759ddd 100644 case hmacsha1: *name = dns_tsig_hmacsha1_name; break; case hmacsha224: *name = dns_tsig_hmacsha224_name; break; diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c -index 6967b49754..bb5d50038f 100644 +index 8d1da3b..5eefc57 100644 --- a/bin/nsupdate/nsupdate.c +++ b/bin/nsupdate/nsupdate.c -@@ -29,6 +29,7 @@ +@@ -31,6 +31,7 @@ #include <isc/hash.h> #include <isc/lex.h> #include <isc/log.h> @@ -409,7 +407,7 @@ index 6967b49754..bb5d50038f 100644 #include <isc/mem.h> #include <isc/parseint.h> #include <isc/print.h> -@@ -474,9 +475,10 @@ parse_hmac(dns_name_t **hmac, const char *hmacstr, size_t len, +@@ -476,9 +477,10 @@ parse_hmac(dns_name_t **hmac, const char *hmacstr, size_t len, strlcpy(buf, hmacstr, ISC_MIN(len + 1, sizeof(buf)));
#ifndef PK11_MD5_DISABLE @@ -422,7 +420,7 @@ index 6967b49754..bb5d50038f 100644 *hmac = DNS_TSIG_HMACMD5_NAME; result = isc_parse_uint16(&digestbits, &buf[9], 10); if (result != ISC_R_SUCCESS || digestbits > 128) { -@@ -589,10 +591,10 @@ setup_keystr(void) { +@@ -591,10 +593,10 @@ setup_keystr(void) { exit(1); } } else { @@ -436,7 +434,7 @@ index 6967b49754..bb5d50038f 100644 #endif name = keystr; n = s; -@@ -729,7 +731,8 @@ setup_keyfile(isc_mem_t *mctx, isc_log_t *lctx) { +@@ -731,7 +733,8 @@ setup_keyfile(isc_mem_t *mctx, isc_log_t *lctx) { switch (dst_key_alg(dstkey)) { #ifndef PK11_MD5_DISABLE case DST_ALG_HMACMD5: @@ -446,7 +444,7 @@ index 6967b49754..bb5d50038f 100644 break; #endif case DST_ALG_HMACSHA1: -@@ -1604,12 +1607,13 @@ evaluate_key(char *cmdline) { +@@ -1606,12 +1609,13 @@ evaluate_key(char *cmdline) { return (STATUS_SYNTAX); } namestr = n + 1; @@ -465,10 +463,10 @@ index 6967b49754..bb5d50038f 100644 isc_buffer_init(&b, namestr, strlen(namestr)); isc_buffer_add(&b, strlen(namestr)); diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c -index 5c29caf86b..617b06b4a1 100644 +index 9eb0ce0..8083654 100644 --- a/bin/rndc/rndc.c +++ b/bin/rndc/rndc.c -@@ -21,6 +21,7 @@ +@@ -23,6 +23,7 @@ #include <isc/file.h> #include <isc/log.h> #include <isc/net.h> @@ -476,7 +474,7 @@ index 5c29caf86b..617b06b4a1 100644 #include <isc/mem.h> #include <isc/print.h> #include <isc/random.h> -@@ -634,7 +635,7 @@ parse_config(isc_mem_t *mctx, isc_log_t *log, const char *keyname, +@@ -636,7 +637,7 @@ parse_config(isc_mem_t *mctx, isc_log_t *log, const char *keyname, algorithmstr = cfg_obj_asstring(algorithmobj);
#ifndef PK11_MD5_DISABLE @@ -486,7 +484,7 @@ index 5c29caf86b..617b06b4a1 100644 else #endif diff --git a/bin/tests/optional/hash_test.c b/bin/tests/optional/hash_test.c -index bf2891ad4c..b5f0a1c5f5 100644 +index bf2891a..b5f0a1c 100644 --- a/bin/tests/optional/hash_test.c +++ b/bin/tests/optional/hash_test.c @@ -90,43 +90,47 @@ main(int argc, char **argv) { @@ -575,7 +573,7 @@ index bf2891ad4c..b5f0a1c5f5 100644
/* diff --git a/bin/tests/system/tkey/keycreate.c b/bin/tests/system/tkey/keycreate.c -index 2a0ee94888..489f4390dc 100644 +index 5a00f86..653c951 100644 --- a/bin/tests/system/tkey/keycreate.c +++ b/bin/tests/system/tkey/keycreate.c @@ -20,6 +20,7 @@ @@ -590,30 +588,29 @@ index 2a0ee94888..489f4390dc 100644 static char keystr[] = "0123456789ab";
isc_event_free(&event); -+ if (isc_md5_available() == ISC_FALSE) ++ if (!isc_md5_available()) + CHECK("MD5 was disabled", ISC_R_NOTIMPLEMENTED);
result = ISC_R_FAILURE; if (inet_pton(AF_INET, "10.53.0.1", &inaddr) != 1) diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c -index 7057c318e4..36ee6c7d21 100644 +index bde66a4..70a40c3 100644 --- a/bin/tests/system/tkey/keydelete.c +++ b/bin/tests/system/tkey/keydelete.c -@@ -225,12 +225,18 @@ main(int argc, char **argv) { +@@ -225,12 +225,17 @@ main(int argc, char **argv) { result = dst_key_fromnamedfile(keyname, NULL, type, mctx, &dstkey); CHECK("dst_key_fromnamedfile", result); #ifndef PK11_MD5_DISABLE - result = dns_tsigkey_createfromkey(dst_key_name(dstkey), - DNS_TSIG_HMACMD5_NAME, -- dstkey, ISC_TRUE, NULL, 0, 0, +- dstkey, true, NULL, 0, 0, - mctx, ring, &tsigkey); - dst_key_free(&dstkey); - CHECK("dns_tsigkey_createfromkey", result); + if (isc_md5_available()) { + result = dns_tsigkey_createfromkey(dst_key_name(dstkey), + DNS_TSIG_HMACMD5_NAME, -+ dstkey, ISC_TRUE, -+ NULL, 0, 0, ++ dstkey, true, NULL, 0, 0, + mctx, ring, &tsigkey); + dst_key_free(&dstkey); + CHECK("dns_tsigkey_createfromkey", result); @@ -625,10 +622,10 @@ index 7057c318e4..36ee6c7d21 100644 dst_key_free(&dstkey); CHECK("MD5 was disabled", ISC_R_NOTIMPLEMENTED); diff --git a/lib/bind9/check.c b/lib/bind9/check.c -index 3da83a7ae2..1a3d534799 100644 +index d32a5a1..c749c27 100644 --- a/lib/bind9/check.c +++ b/lib/bind9/check.c -@@ -21,6 +21,7 @@ +@@ -23,6 +23,7 @@ #include <isc/file.h> #include <isc/hex.h> #include <isc/log.h> @@ -636,13 +633,13 @@ index 3da83a7ae2..1a3d534799 100644 #include <isc/mem.h> #include <isc/netaddr.h> #include <isc/parseint.h> -@@ -2572,6 +2573,15 @@ bind9_check_key(const cfg_obj_t *key, isc_log_t *logctx) { +@@ -2592,6 +2593,15 @@ bind9_check_key(const cfg_obj_t *key, isc_log_t *logctx) { }
algorithm = cfg_obj_asstring(algobj); +#ifndef PK11_MD5_DISABLE + /* Skip hmac-md5* algorithms */ -+ if (isc_md5_available() == ISC_FALSE && ++ if (!isc_md5_available() && + strncasecmp(algorithm, "hmac-md5", 8) == 0) { + cfg_obj_log(algobj, logctx, ISC_LOG_ERROR, + "disabled algorithm '%s'", algorithm); @@ -653,10 +650,10 @@ index 3da83a7ae2..1a3d534799 100644 len = strlen(algorithms[i].name); if (strncasecmp(algorithms[i].name, algorithm, len) == 0 && diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c -index 4f3d6ac55c..dbece0ac56 100644 +index 97fee68..5703f9c 100644 --- a/lib/dns/dst_api.c +++ b/lib/dns/dst_api.c -@@ -190,6 +190,12 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx, +@@ -192,6 +192,12 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx, dst_result_register();
memset(dst_t_func, 0, sizeof(dst_t_func)); @@ -669,7 +666,7 @@ index 4f3d6ac55c..dbece0ac56 100644 #ifndef PK11_MD5_DISABLE RETERR(dst__hmacmd5_init(&dst_t_func[DST_ALG_HMACMD5])); #endif -@@ -199,7 +205,6 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx, +@@ -201,7 +207,6 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx, RETERR(dst__hmacsha384_init(&dst_t_func[DST_ALG_HMACSHA384])); RETERR(dst__hmacsha512_init(&dst_t_func[DST_ALG_HMACSHA512])); #ifdef OPENSSL @@ -677,7 +674,7 @@ index 4f3d6ac55c..dbece0ac56 100644 #ifndef PK11_MD5_DISABLE RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSAMD5], DST_ALG_RSAMD5)); -@@ -233,14 +238,18 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx, +@@ -235,14 +240,18 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx, RETERR(dst__openssleddsa_init(&dst_t_func[DST_ALG_ED448])); #endif #elif PKCS11CRYPTO @@ -703,10 +700,10 @@ index 4f3d6ac55c..dbece0ac56 100644 RETERR(dst__pkcs11dsa_init(&dst_t_func[DST_ALG_DSA])); RETERR(dst__pkcs11dsa_init(&dst_t_func[DST_ALG_NSEC3DSA])); diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h -index 640519a5ba..deb7ed4e13 100644 +index 6ee796c..3e55d44 100644 --- a/lib/dns/dst_internal.h +++ b/lib/dns/dst_internal.h -@@ -245,7 +245,8 @@ isc_result_t dst__hmacsha384_init(struct dst_func **funcp); +@@ -250,7 +250,8 @@ isc_result_t dst__hmacsha384_init(struct dst_func **funcp); isc_result_t dst__hmacsha512_init(struct dst_func **funcp); isc_result_t dst__opensslrsa_init(struct dst_func **funcp, unsigned char algorithm); @@ -717,10 +714,10 @@ index 640519a5ba..deb7ed4e13 100644 isc_result_t dst__openssldsa_init(struct dst_func **funcp); isc_result_t dst__pkcs11dsa_init(struct dst_func **funcp); diff --git a/lib/dns/dst_parse.c b/lib/dns/dst_parse.c -index b0e5c895c6..03f2b8ace8 100644 +index f31c33d..87023a6 100644 --- a/lib/dns/dst_parse.c +++ b/lib/dns/dst_parse.c -@@ -30,6 +30,7 @@ +@@ -33,6 +33,7 @@ #include <isc/file.h> #include <isc/fsaccess.h> #include <isc/lex.h> 
@@ -728,7 +725,7 @@ index b0e5c895c6..03f2b8ace8 100644 #include <isc/mem.h> #include <isc/print.h> #include <isc/stdtime.h> -@@ -393,6 +394,10 @@ check_data(const dst_private_t *priv, const unsigned int alg, +@@ -396,6 +397,10 @@ check_data(const dst_private_t *priv, const unsigned int alg, switch (alg) { #ifndef PK11_MD5_DISABLE case DST_ALG_RSAMD5: @@ -739,7 +736,7 @@ index b0e5c895c6..03f2b8ace8 100644 #endif case DST_ALG_RSASHA1: case DST_ALG_NSEC3RSASHA1: -@@ -418,7 +423,10 @@ check_data(const dst_private_t *priv, const unsigned int alg, +@@ -421,7 +426,10 @@ check_data(const dst_private_t *priv, const unsigned int alg, return (check_eddsa(priv, external)); #ifndef PK11_MD5_DISABLE case DST_ALG_HMACMD5: @@ -751,36 +748,35 @@ index b0e5c895c6..03f2b8ace8 100644 #endif case DST_ALG_HMACSHA1: return (check_hmac_sha(priv, HMACSHA1_NTAGS, alg)); -@@ -637,11 +645,13 @@ dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex, +@@ -640,11 +648,13 @@ dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex, }
#ifdef PK11_MD5_DISABLE - check = check_data(priv, alg == DST_ALG_RSA ? DST_ALG_RSASHA1 : alg, -- ISC_TRUE, external); +- true, external); + if (alg == DST_ALG_RSA) + alg = DST_ALG_RSASHA1; #else -- check = check_data(priv, alg, ISC_TRUE, external); -+ if (isc_md5_available() == ISC_FALSE && alg == DST_ALG_RSA) +- check = check_data(priv, alg, true, external); ++ if (!isc_md5_available() && alg == DST_ALG_RSA) + alg = DST_ALG_RSASHA1; #endif -+ check = check_data(priv, alg, ISC_TRUE, external); ++ check = check_data(priv, alg, true, external); if (check < 0) { ret = DST_R_INVALIDPRIVATEKEY; goto fail; diff --git a/lib/dns/hmac_link.c b/lib/dns/hmac_link.c -index 59aa4705e5..21bfa44450 100644 +index 94e73b1..d904075 100644 --- a/lib/dns/hmac_link.c +++ b/lib/dns/hmac_link.c -@@ -338,25 +338,17 @@ static dst_func_t hmacmd5_functions = { +@@ -340,20 +340,10 @@ static dst_func_t hmacmd5_functions = {
isc_result_t dst__hmacmd5_init(dst_func_t **funcp) { -#ifdef HAVE_FIPS_MODE - /* +- /* - * Problems from OpenSSL are likely from FIPS mode -+ * Prevent use of incorrect crypto - */ +- */ - int fips_mode = FIPS_mode(); - - if (fips_mode != 0) { @@ -789,26 +785,20 @@ index 59aa4705e5..21bfa44450 100644 - "if the value is 0.\n" - "Please disable either FIPS mode or MD5.", - fips_mode); +- } +-#endif + -+#ifndef PK11_MD5_DISABLE -+ if (isc_md5_available() == ISC_FALSE) { -+ /* Intentionally skip initialization */ ++ /* Intentionally skip initialization */ ++ if (!isc_md5_available()) + return (ISC_R_SUCCESS); - } - #endif - -- /* -- * Prevent use of incorrect crypto -- */ -- - RUNTIME_CHECK(isc_md5_check(ISC_FALSE)); - RUNTIME_CHECK(isc_hmacmd5_check(0));
+ /* + * Prevent use of incorrect crypto diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c -index f4847bbe74..126cebca19 100644 +index c03fd72..49b66fc 100644 --- a/lib/dns/opensslrsa_link.c +++ b/lib/dns/opensslrsa_link.c -@@ -1801,6 +1801,12 @@ dst__opensslrsa_init(dst_func_t **funcp, unsigned char algorithm) { +@@ -1802,6 +1802,12 @@ dst__opensslrsa_init(dst_func_t **funcp, unsigned char algorithm) {
if (*funcp == NULL) { switch (algorithm) { @@ -822,10 +812,10 @@ index f4847bbe74..126cebca19 100644 #if defined(HAVE_EVP_SHA256) || !USE_EVP *funcp = &opensslrsa_functions; diff --git a/lib/dns/pkcs11rsa_link.c b/lib/dns/pkcs11rsa_link.c -index 56955203e9..af6008d4dd 100644 +index eb782c8..46fd844 100644 --- a/lib/dns/pkcs11rsa_link.c +++ b/lib/dns/pkcs11rsa_link.c -@@ -94,10 +94,15 @@ pkcs11rsa_createctx_sign(dst_key_t *key, dst_context_t *dctx) { +@@ -96,10 +96,15 @@ pkcs11rsa_createctx_sign(dst_key_t *key, dst_context_t *dctx) { #endif
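Review bot: The rewritten guard in dst__hmacmd5_init() returns `ISC_R_SUCCESS` without assigning `*funcp`, and the only explanation is `/* Intentionally skip initialization */`. A fuller comment would help, for example `/* MD5 unavailable: leave *funcp unset so HMAC-MD5 is not registered, without failing library init. */`. That reading is inferred from dst_lib_init2() zeroing `dst_t_func` before the init calls, so confirm that lookups treat the empty slot as unsupported. The refresh also drops the braces the previous revision had around the `return`; keeping `if (!isc_md5_available()) { return (ISC_R_SUCCESS); }` avoids a dangling statement if another line is added later. The function body continues outside the hunk.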
/* @@ -835,44 +825,44 @@ index 56955203e9..af6008d4dd 100644 switch (dctx->key->key_alg) { case DST_ALG_RSAMD5: +#ifndef PK11_MD5_DISABLE -+ if (isc_md5_available() == ISC_FALSE) ++ if (!isc_md5_available()) + return (ISC_R_FAILURE); +#endif + /* FALLTHROUGH */ case DST_ALG_RSASHA1: case DST_ALG_NSEC3RSASHA1: /* From RFC 3110 */ -@@ -634,6 +639,9 @@ pkcs11rsa_createctx(dst_key_t *key, dst_context_t *dctx) { +@@ -636,6 +641,9 @@ pkcs11rsa_createctx(dst_key_t *key, dst_context_t *dctx) { switch (key->key_alg) { #ifndef PK11_MD5_DISABLE case DST_ALG_RSAMD5: -+ if (isc_md5_available() == ISC_FALSE) ++ if (!isc_md5_available()) + return (ISC_R_FAILURE); + mech.mechanism = CKM_MD5; break; #endif -@@ -790,6 +798,9 @@ pkcs11rsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { +@@ -792,6 +800,9 @@ pkcs11rsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { switch (key->key_alg) { #ifndef PK11_MD5_DISABLE case DST_ALG_RSAMD5: -+ if (isc_md5_available() == ISC_FALSE) ++ if (!isc_md5_available()) + return (ISC_R_FAILURE); + der = md5_der; derlen = sizeof(md5_der); hashlen = ISC_MD5_DIGESTLENGTH; -@@ -1014,6 +1025,9 @@ pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) { +@@ -1016,6 +1027,9 @@ pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) { switch (key->key_alg) { #ifndef PK11_MD5_DISABLE case DST_ALG_RSAMD5: -+ if (isc_md5_available() == ISC_FALSE) ++ if (!isc_md5_available()) + return (ISC_R_FAILURE); + der = md5_der; derlen = sizeof(md5_der); hashlen = ISC_MD5_DIGESTLENGTH; -@@ -2217,11 +2231,22 @@ static dst_func_t pkcs11rsa_functions = { +@@ -2219,11 +2233,22 @@ static dst_func_t pkcs11rsa_functions = { };
isc_result_t @@ -899,18 +889,18 @@ index 56955203e9..af6008d4dd 100644 }
diff --git a/lib/dns/rcode.c b/lib/dns/rcode.c -index 937d8fc1ec..d1fa8d5870 100644 +index 6a5948e..010dd1b 100644 --- a/lib/dns/rcode.c +++ b/lib/dns/rcode.c -@@ -14,6 +14,7 @@ - #include <ctype.h> +@@ -16,6 +16,7 @@ + #include <stdbool.h>
#include <isc/buffer.h> +#include <isc/md5.h> #include <isc/parseint.h> #include <isc/print.h> #include <isc/region.h> -@@ -347,17 +348,33 @@ dns_cert_totext(dns_cert_t cert, isc_buffer_t *target) { +@@ -349,17 +350,33 @@ dns_cert_totext(dns_cert_t cert, isc_buffer_t *target) { return (dns_mnemonic_totext(cert, target, certs)); }
@@ -919,7 +909,7 @@ index 937d8fc1ec..d1fa8d5870 100644 + struct tbl *algs = secalgs; + +#ifndef PK11_MD5_DISABLE -+ if (isc_md5_available() == ISC_FALSE) { ++ if (!isc_md5_available()) { + while (algs->name != NULL && + algs->value == DNS_KEYALG_RSAMD5) + ++algs; @@ -947,7 +937,7 @@ index 937d8fc1ec..d1fa8d5870 100644
void diff --git a/lib/dns/tests/rsa_test.c b/lib/dns/tests/rsa_test.c -index 224cf5b475..44040dd8b7 100644 +index fb207ef..3ef0a4e 100644 --- a/lib/dns/tests/rsa_test.c +++ b/lib/dns/tests/rsa_test.c @@ -19,6 +19,7 @@ @@ -967,10 +957,10 @@ index 224cf5b475..44040dd8b7 100644 + key->key_alg = DST_ALG_RSAMD5;
- ret = dst_context_create3(key, mctx, DNS_LOGCATEGORY_DNSSEC, -- ISC_FALSE, &ctx); +- false, &ctx); - ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS); + ret = dst_context_create3(key, mctx, DNS_LOGCATEGORY_DNSSEC, -+ ISC_FALSE, &ctx); ++ false, &ctx); + ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS);
- r.base = d; @@ -998,7 +988,7 @@ index 224cf5b475..44040dd8b7 100644
/* RSASHA256 */ diff --git a/lib/dns/tests/tsig_test.c b/lib/dns/tests/tsig_test.c -index ee025c2387..c403d9954d 100644 +index 443fb36..f003ff3 100644 --- a/lib/dns/tests/tsig_test.c +++ b/lib/dns/tests/tsig_test.c @@ -14,6 +14,7 @@ @@ -1010,24 +1000,24 @@ index ee025c2387..c403d9954d 100644 #include <isc/print.h>
diff --git a/lib/dns/tkey.c b/lib/dns/tkey.c -index d9f68e50b1..a8edde47b5 100644 +index 5b4ffd9..cc3469d 100644 --- a/lib/dns/tkey.c +++ b/lib/dns/tkey.c -@@ -242,6 +242,9 @@ compute_secret(isc_buffer_t *shared, isc_region_t *queryrandomness, +@@ -245,6 +245,9 @@ compute_secret(isc_buffer_t *shared, isc_region_t *queryrandomness, unsigned char digests[32]; unsigned int i;
-+ if (isc_md5_available() == ISC_FALSE) ++ if (!isc_md5_available()) + return (ISC_R_NOTIMPLEMENTED); + isc_buffer_usedregion(shared, &r);
/* -@@ -318,6 +321,12 @@ process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name, +@@ -321,6 +324,12 @@ process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name, }
#ifndef PK11_MD5_DISABLE -+ if (isc_md5_available() == ISC_FALSE) { ++ if (!isc_md5_available()) { + tkey_log("process_dhtkey: MD5 was disabled"); + tkeyout->error = dns_tsigerror_badalg; + return (ISC_R_SUCCESS); @@ -1037,7 +1027,7 @@ index d9f68e50b1..a8edde47b5 100644 tkey_log("process_dhtkey: algorithms other than " "hmac-md5 are not supported"); diff --git a/lib/dns/tsec.c b/lib/dns/tsec.c -index a367291f23..37baad7437 100644 +index c5eca0e..19b9002 100644 --- a/lib/dns/tsec.c +++ b/lib/dns/tsec.c @@ -11,6 +11,7 @@ @@ -1063,10 +1053,10 @@ index a367291f23..37baad7437 100644 #endif case DST_ALG_HMACSHA1: diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c -index bdcc581bc3..70805bb709 100644 +index a94ec69..f74c831 100644 --- a/lib/dns/tsig.c +++ b/lib/dns/tsig.c -@@ -270,7 +270,8 @@ dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm, +@@ -273,7 +273,8 @@ dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm, (void)dns_name_downcase(&tkey->name, &tkey->name, NULL);
#ifndef PK11_MD5_DISABLE @@ -1076,7 +1066,7 @@ index bdcc581bc3..70805bb709 100644 tkey->algorithm = DNS_TSIG_HMACMD5_NAME; if (dstkey != NULL && dst_key_alg(dstkey) != DST_ALG_HMACMD5) { ret = DNS_R_BADALG; -@@ -496,7 +497,8 @@ destroyring(dns_tsig_keyring_t *ring) { +@@ -499,7 +500,8 @@ destroyring(dns_tsig_keyring_t *ring) { static unsigned int dst_alg_fromname(dns_name_t *algorithm) { #ifndef PK11_MD5_DISABLE @@ -1086,7 +1076,7 @@ index bdcc581bc3..70805bb709 100644 return (DST_ALG_HMACMD5); } else #endif -@@ -680,7 +682,8 @@ dns_tsigkey_create(dns_name_t *name, dns_name_t *algorithm, +@@ -683,7 +685,8 @@ dns_tsigkey_create(dns_name_t *name, dns_name_t *algorithm, REQUIRE(secret != NULL);
#ifndef PK11_MD5_DISABLE @@ -1096,7 +1086,7 @@ index bdcc581bc3..70805bb709 100644 if (secret != NULL) { isc_buffer_t b;
-@@ -1280,7 +1283,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, +@@ -1283,7 +1286,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, return (ret); if ( #ifndef PK11_MD5_DISABLE @@ -1105,7 +1095,7 @@ index bdcc581bc3..70805bb709 100644 #endif alg == DST_ALG_HMACSHA1 || alg == DST_ALG_HMACSHA224 || alg == DST_ALG_HMACSHA256 || -@@ -1449,7 +1452,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, +@@ -1452,7 +1455,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
if ( #ifndef PK11_MD5_DISABLE @@ -1114,7 +1104,7 @@ index bdcc581bc3..70805bb709 100644 #endif alg == DST_ALG_HMACSHA1 || alg == DST_ALG_HMACSHA224 || alg == DST_ALG_HMACSHA256 || -@@ -1590,7 +1593,7 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) { +@@ -1593,7 +1596,7 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) { goto cleanup_querystruct; if ( #ifndef PK11_MD5_DISABLE @@ -1123,7 +1113,7 @@ index bdcc581bc3..70805bb709 100644 #endif alg == DST_ALG_HMACSHA1 || alg == DST_ALG_HMACSHA224 || -@@ -1769,7 +1772,7 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) { +@@ -1772,7 +1775,7 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) { goto cleanup_context; if ( #ifndef PK11_MD5_DISABLE @@ -1133,24 +1123,24 @@ index bdcc581bc3..70805bb709 100644 alg == DST_ALG_HMACSHA1 || alg == DST_ALG_HMACSHA224 || diff --git a/lib/isc/include/isc/md5.h b/lib/isc/include/isc/md5.h -index e5f46dd9c7..9d11f9f8b6 100644 +index 4d29398..e3f5cec 100644 --- a/lib/isc/include/isc/md5.h +++ b/lib/isc/include/isc/md5.h -@@ -89,6 +89,9 @@ isc_md5_final(isc_md5_t *ctx, unsigned char *digest); - isc_boolean_t - isc_md5_check(isc_boolean_t testing); +@@ -91,6 +91,9 @@ isc_md5_final(isc_md5_t *ctx, unsigned char *digest); + bool + isc_md5_check(bool testing);
-+isc_boolean_t ++bool +isc_md5_available(void); + ISC_LANG_ENDDECLS
#endif /* !PK11_MD5_DISABLE */ diff --git a/lib/isc/md5.c b/lib/isc/md5.c -index 740d863b1b..aefd16478f 100644 +index 25c71a2..934a70c 100644 --- a/lib/isc/md5.c +++ b/lib/isc/md5.c -@@ -35,6 +35,7 @@ +@@ -37,6 +37,7 @@
#include <isc/assertions.h> #include <isc/md5.h> @@ -1158,17 +1148,17 @@ index 740d863b1b..aefd16478f 100644 #include <isc/platform.h> #include <isc/safe.h> #include <isc/string.h> -@@ -53,6 +54,9 @@ +@@ -55,6 +56,9 @@ #define EVP_MD_CTX_free(ptr) EVP_MD_CTX_cleanup(ptr) #endif
+static isc_once_t available_once = ISC_ONCE_INIT; -+static isc_boolean_t available = ISC_FALSE; ++static bool available = false; + void isc_md5_init(isc_md5_t *ctx) { ctx->ctx = EVP_MD_CTX_new(); -@@ -84,8 +88,33 @@ isc_md5_final(isc_md5_t *ctx, unsigned char *digest) { +@@ -86,8 +90,33 @@ isc_md5_final(isc_md5_t *ctx, unsigned char *digest) { ctx->ctx = NULL; }
@@ -1180,14 +1170,14 @@ index 740d863b1b..aefd16478f 100644 + + ctx->ctx = EVP_MD_CTX_new(); + RUNTIME_CHECK(ctx->ctx != NULL); -+ available = ISC_TF(EVP_DigestInit(ctx->ctx, EVP_md5()) == 1); ++ available = (EVP_DigestInit(ctx->ctx, EVP_md5()) == 1); + if (available) + (void)EVP_DigestFinal(ctx->ctx, digest, NULL); + EVP_MD_CTX_free(ctx->ctx); + ctx->ctx = NULL; +} + -+isc_boolean_t ++bool +isc_md5_available() { + RUNTIME_CHECK(isc_once_do(&available_once, do_detect_available) + == ISC_R_SUCCESS); @@ -1197,12 +1187,12 @@ index 740d863b1b..aefd16478f 100644 #elif PKCS11CRYPTO
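Review bot: `isc_md5_available()` caches the probe result for the life of the process through `isc_once_do(&available_once, do_detect_available)`, and nothing in the added code documents that. A comment above the function, such as `/* Probed once; later changes to the crypto provider's MD5 policy are not observed. */`, would tell the callers that gate HMAC-MD5 and RSAMD5 on it not to expect a re-check. The definition is also written `isc_md5_available()` while md5.h declares `isc_md5_available(void)`; using `(void)` in the definition keeps it a prototype.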
+static isc_once_t available_once = ISC_ONCE_INIT; -+static isc_boolean_t available = ISC_FALSE; ++static bool available = false; + void isc_md5_init(isc_md5_t *ctx) { CK_RV rv; -@@ -128,6 +157,31 @@ isc_md5_final(isc_md5_t *ctx, unsigned char *digest) { +@@ -130,6 +159,31 @@ isc_md5_final(isc_md5_t *ctx, unsigned char *digest) { pk11_return_session(ctx); }
@@ -1213,18 +1203,18 @@ index 740d863b1b..aefd16478f 100644 + CK_RV rv; + CK_MECHANISM mech = { CKM_MD5, NULL, 0 }; + -+ if (pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE, -+ ISC_FALSE, NULL, 0) == ISC_R_SUCCESS) ++ if (pk11_get_session(ctx, OP_DIGEST, true, false, ++ false, NULL, 0) == ISC_R_SUCCESS) + { + rv = pkcs_C_DigestInit(ctx->session, &mech); + isc_md5_invalidate(ctx); -+ available = (ISC_TF(rv == CKR_OK)); ++ available = (rv == CKR_OK); + } else { -+ available = ISC_FALSE; ++ available = false; + } +} + -+isc_boolean_t ++bool +isc_md5_available() { + RUNTIME_CHECK(isc_once_do(&available_once, do_detect_available) + == ISC_R_SUCCESS); @@ -1234,74 +1224,49 @@ index 740d863b1b..aefd16478f 100644 #else
static void -@@ -337,6 +391,11 @@ isc_md5_final(isc_md5_t *ctx, unsigned char *digest) { +@@ -339,6 +393,11 @@ isc_md5_final(isc_md5_t *ctx, unsigned char *digest) { memmove(digest, ctx->buf, 16); isc_safe_memwipe(ctx, sizeof(*ctx)); /* In case it's sensitive */ } + -+isc_boolean_t ++bool +isc_md5_available() { -+ return ISC_TRUE; ++ return true; +} #endif
/* diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c -index fc75a46154..48e1031974 100644 +index c5d2310..a01e698 100644 --- a/lib/isc/pk11.c +++ b/lib/isc/pk11.c -@@ -191,13 +191,12 @@ pk11_initialize(isc_mem_t *mctx, const char *engine) { - LOCK(&alloclock); - if ((mctx != NULL) && (pk11_mctx == NULL) && (allocsize == 0)) - isc_mem_attach(mctx, &pk11_mctx); -+ UNLOCK(&alloclock); -+ -+ LOCK(&sessionlock); +@@ -197,8 +197,6 @@ pk11_initialize(isc_mem_t *mctx, const char *engine) { + UNLOCK(&alloclock); if (initialized) { -- UNLOCK(&alloclock); -- return (ISC_R_SUCCESS); + goto unlock; - } else { -- LOCK(&sessionlock); -- initialized = ISC_TRUE; -- UNLOCK(&alloclock); -+ result = ISC_R_SUCCESS; -+ goto unlock; +- initialized = true; }
ISC_LIST_INIT(tokens); -@@ -237,6 +236,7 @@ pk11_initialize(isc_mem_t *mctx, const char *engine) { +@@ -236,6 +234,7 @@ pk11_initialize(isc_mem_t *mctx, const char *engine) { + result = PK11_R_NOAESSERVICE; + goto unlock; } ++ initialized = true; #endif #endif /* PKCS11CRYPTO */ -+ initialized = ISC_TRUE; - result = ISC_R_SUCCESS; unlock: - UNLOCK(&sessionlock); -@@ -273,9 +273,14 @@ pk11_finalize(void) { - pk11_mem_put(token, sizeof(*token)); - token = next; - } -+ LOCK(&alloclock); - if (pk11_mctx != NULL) - isc_mem_detach(&pk11_mctx); -+ UNLOCK(&alloclock); -+ -+ LOCK(&sessionlock); - initialized = ISC_FALSE; -+ UNLOCK(&sessionlock); - return (ret); - } - -@@ -589,6 +594,8 @@ scan_slots(void) { +@@ -589,6 +588,8 @@ scan_slots(void) { pk11_token_t *token; unsigned int i; - isc_boolean_t bad; + bool bad; + unsigned int best_rsa_algorithms = 0; + unsigned int best_digest_algorithms = 0;
slotCount = 0; PK11_FATALCHECK(pkcs_C_GetSlotList, (CK_FALSE, NULL_PTR, &slotCount)); -@@ -601,6 +608,8 @@ scan_slots(void) { +@@ -601,6 +602,8 @@ scan_slots(void) { PK11_FATALCHECK(pkcs_C_GetSlotList, (CK_FALSE, slotList, &slotCount));
for (i = 0; i < slotCount; i++) { @@ -1310,12 +1275,12 @@ index fc75a46154..48e1031974 100644 slot = slotList[i]; PK11_TRACE2("slot#%u=0x%lx\n", i, slot);
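Review bot: In the refreshed pk11_initialize() change, `initialized = true;` now sits directly before the first `#endif`, so it is compiled only when the conditional block ending there is active. The previous revision set the flag after `#endif /* PKCS11CRYPTO */`. The condition itself is outside the hunk, but if it is off in some build, `initialized` never becomes true and each call would run `ISC_LIST_INIT(tokens)` and the slot scan again. Placing the assignment after `#endif /* PKCS11CRYPTO */`, immediately before the `unlock:` label, keeps it unconditional while still skipping it on the `goto unlock` failure paths.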
-@@ -640,11 +649,12 @@ scan_slots(void) { +@@ -640,11 +643,12 @@ scan_slots(void) { if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0) || ((mechInfo.flags & CKF_VERIFY) == 0)) { -#if !defined(PK11_MD5_DISABLE) && !defined(PK11_RSA_PKCS_REPLACE) -- bad = ISC_TRUE; +- bad = true; -#endif PK11_TRACEM(CKM_MD5_RSA_PKCS); } @@ -1326,28 +1291,28 @@ index fc75a46154..48e1031974 100644 rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA1_RSA_PKCS, &mechInfo); if ((rv != CKR_OK) || -@@ -687,8 +697,14 @@ scan_slots(void) { +@@ -687,8 +691,14 @@ scan_slots(void) { if (bad) goto try_dsa; token->operations |= 1 << OP_RSA; - if (best_rsa_token == NULL) + if (best_rsa_token == NULL) { -+ best_rsa_token = token; + best_rsa_token = token; + best_rsa_algorithms = rsa_algorithms; + } else if (rsa_algorithms > best_rsa_algorithms) { + pk11_mem_put(best_rsa_token, sizeof(*best_rsa_token)); - best_rsa_token = token; ++ best_rsa_token = token; + best_rsa_algorithms = rsa_algorithms; + }
try_dsa: - bad = ISC_FALSE; -@@ -756,11 +772,12 @@ scan_slots(void) { - bad = ISC_FALSE; + bad = false; +@@ -756,11 +766,12 @@ scan_slots(void) { + bad = false; rv = pkcs_C_GetMechanismInfo(slot, CKM_MD5, &mechInfo); if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) { -#ifndef PK11_MD5_DISABLE -- bad = ISC_TRUE; +- bad = true; -#endif PK11_TRACEM(CKM_MD5); } @@ -1357,13 +1322,13 @@ index fc75a46154..48e1031974 100644 +#endif rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA_1, &mechInfo); if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) { - bad = ISC_TRUE; -@@ -788,11 +805,12 @@ scan_slots(void) { + bad = true; +@@ -788,11 +799,12 @@ scan_slots(void) { } rv = pkcs_C_GetMechanismInfo(slot, CKM_MD5_HMAC, &mechInfo); if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0)) { -#if !defined(PK11_MD5_DISABLE) && !defined(PK11_MD5_HMAC_REPLACE) -- bad = ISC_TRUE; +- bad = true; -#endif PK11_TRACEM(CKM_MD5_HMAC); } @@ -1374,27 +1339,27 @@ index fc75a46154..48e1031974 100644 rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA_1_HMAC, &mechInfo); if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0)) { #ifndef PK11_SHA_1_HMAC_REPLACE -@@ -830,8 +848,14 @@ scan_slots(void) { +@@ -830,8 +842,14 @@ scan_slots(void) { } if (!bad) { token->operations |= 1 << OP_DIGEST; - if (digest_token == NULL) + if (digest_token == NULL) { -+ digest_token = token; + digest_token = token; + best_digest_algorithms = digest_algorithms; + } else if (digest_algorithms > best_digest_algorithms) { + pk11_mem_put(digest_token, sizeof(*digest_token)); - digest_token = token; ++ digest_token = token; + best_digest_algorithms = digest_algorithms; + } }
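Review bot: The new `else if (rsa_algorithms > best_rsa_algorithms)` branch in scan_slots() calls `pk11_mem_put(best_rsa_token, sizeof(*best_rsa_token))` on the token being replaced, which is safe only if nothing else still points at it. The hunk does not show whether that token is also linked on the `tokens` list or already selected for another operation. If it is, this leaves a dangling pointer that later use or cleanup would touch after release. The later scan_slots() hunk that updates `digest_token` has the same shape with `pk11_mem_put(digest_token, sizeof(*digest_token))`. Reassigning the pointer without the `pk11_mem_put` call, and leaving release to whatever owns the token list, would avoid the problem; scan_slots() starts and ends outside the hunk.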
/* ECDSA requires digest */ diff --git a/lib/isc/tests/hash_test.c b/lib/isc/tests/hash_test.c -index 18759903be..6bc45b1ad3 100644 +index 8f12342..7eb1552 100644 --- a/lib/isc/tests/hash_test.c +++ b/lib/isc/tests/hash_test.c -@@ -2008,7 +2008,8 @@ ATF_TP_ADD_TCS(tp) { +@@ -2009,7 +2009,8 @@ ATF_TP_ADD_TCS(tp) { * various cryptographic hashes. */ #ifndef PK11_MD5_DISABLE @@ -1404,7 +1369,7 @@ index 18759903be..6bc45b1ad3 100644 #endif ATF_TP_ADD_TC(tp, sha1_check);
-@@ -2016,7 +2017,8 @@ ATF_TP_ADD_TCS(tp) { +@@ -2017,7 +2018,8 @@ ATF_TP_ADD_TCS(tp) { ATF_TP_ADD_TC(tp, isc_hash_function_reverse); ATF_TP_ADD_TC(tp, isc_hash_initializer); #ifndef PK11_MD5_DISABLE @@ -1414,7 +1379,7 @@ index 18759903be..6bc45b1ad3 100644 #endif ATF_TP_ADD_TC(tp, isc_hmacsha1); ATF_TP_ADD_TC(tp, isc_hmacsha224); -@@ -2024,7 +2026,8 @@ ATF_TP_ADD_TCS(tp) { +@@ -2025,7 +2027,8 @@ ATF_TP_ADD_TCS(tp) { ATF_TP_ADD_TC(tp, isc_hmacsha384); ATF_TP_ADD_TC(tp, isc_hmacsha512); #ifndef PK11_MD5_DISABLE @@ -1425,10 +1390,10 @@ index 18759903be..6bc45b1ad3 100644 ATF_TP_ADD_TC(tp, isc_sha1); ATF_TP_ADD_TC(tp, isc_sha224); diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c -index 7225ab4a37..42b30466be 100644 +index c2740cb..c314d76 100644 --- a/lib/isccc/cc.c +++ b/lib/isccc/cc.c -@@ -270,11 +270,15 @@ sign(unsigned char *data, unsigned int length, unsigned char *hmac, +@@ -272,11 +272,15 @@ sign(unsigned char *data, unsigned int length, unsigned char *hmac, switch (algorithm) { #ifndef PK11_MD5_DISABLE case ISCCC_ALG_HMACMD5: @@ -1449,14 +1414,14 @@ index 7225ab4a37..42b30466be 100644 break; #endif
-@@ -348,14 +352,18 @@ isccc_cc_towire(isccc_sexpr_t *alist, isc_buffer_t **buffer, +@@ -350,14 +354,18 @@ isccc_cc_towire(isccc_sexpr_t *alist, isc_buffer_t **buffer, { unsigned int hmac_base, signed_base; isc_result_t result; -+ const isc_boolean_t md5 = ISC_TF(algorithm == ISCCC_ALG_HMACMD5); ++ const bool md5 = (algorithm == ISCCC_ALG_HMACMD5);
#ifndef PK11_MD5_DISABLE -+ if (md5 && isc_md5_available() == ISC_FALSE) ++ if (md5 && !isc_md5_available()) + return (ISC_R_NOTIMPLEMENTED); + result = isc_buffer_reserve(buffer, @@ -1470,7 +1435,7 @@ index 7225ab4a37..42b30466be 100644 return (ISC_R_NOTIMPLEMENTED); result = isc_buffer_reserve(buffer, 4 + sizeof(auth_hsha)); #endif -@@ -374,7 +382,7 @@ isccc_cc_towire(isccc_sexpr_t *alist, isc_buffer_t **buffer, +@@ -376,7 +384,7 @@ isccc_cc_towire(isccc_sexpr_t *alist, isc_buffer_t **buffer, * we know what it is. */ #ifndef PK11_MD5_DISABLE @@ -1479,7 +1444,7 @@ index 7225ab4a37..42b30466be 100644 hmac_base = (*buffer)->used + HMD5_OFFSET; isc_buffer_putmem(*buffer, auth_hmd5, sizeof(auth_hmd5)); -@@ -440,7 +448,7 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length, +@@ -442,7 +450,7 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length, if (!isccc_alist_alistp(_auth)) return (ISC_R_FAILURE); #ifndef PK11_MD5_DISABLE @@ -1488,7 +1453,7 @@ index 7225ab4a37..42b30466be 100644 hmac = isccc_alist_lookup(_auth, "hmd5"); else #endif -@@ -455,12 +463,16 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length, +@@ -457,12 +465,16 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length, switch (algorithm) { #ifndef PK11_MD5_DISABLE case ISCCC_ALG_HMACMD5: diff --git a/bind-9.11-fips-tests.patch b/bind-9.11-fips-tests.patch index f7a998d..16d3b33 100644 --- a/bind-9.11-fips-tests.patch +++ b/bind-9.11-fips-tests.patch @@ -1,11 +1,13 @@ -From 35b53607724ec4b5d4060385218c39ccd0d78a4d Mon Sep 17 00:00:00 2001 +From 07876a60a9c2537f536901b214349d67f6b25666 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= pemensik@redhat.com Date: Thu, 2 Aug 2018 23:46:45 +0200 -Subject: [PATCH 2/2] Squashed commit of the following: +Subject: [PATCH] FIPS tests changes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
+Squashed commit of the following: + commit 09e5eb48698d4fef2fc1031870de86c553b6bfaa Author: Petr Menk pemensik@redhat.com Date: Wed Mar 7 20:35:13 2018 +0100 @@ -108,7 +110,7 @@ Date: Wed Mar 7 10:44:23 2018 +0100 create mode 100644 bin/tests/system/tsig/ns1/rndc5.conf.in
diff --git a/bin/tests/system/acl/ns2/named1.conf.in b/bin/tests/system/acl/ns2/named1.conf.in -index 0ea6502708..026db3f134 100644 +index 0ea6502..026db3f 100644 --- a/bin/tests/system/acl/ns2/named1.conf.in +++ b/bin/tests/system/acl/ns2/named1.conf.in @@ -33,12 +33,12 @@ options { @@ -127,7 +129,7 @@ index 0ea6502708..026db3f134 100644 };
diff --git a/bin/tests/system/acl/ns2/named2.conf.in b/bin/tests/system/acl/ns2/named2.conf.in -index b877880554..d8f50be255 100644 +index b877880..d8f50be 100644 --- a/bin/tests/system/acl/ns2/named2.conf.in +++ b/bin/tests/system/acl/ns2/named2.conf.in @@ -33,12 +33,12 @@ options { @@ -146,7 +148,7 @@ index b877880554..d8f50be255 100644 };
diff --git a/bin/tests/system/acl/ns2/named3.conf.in b/bin/tests/system/acl/ns2/named3.conf.in -index 0a950622a2..aa54088138 100644 +index 0a95062..aa54088 100644 --- a/bin/tests/system/acl/ns2/named3.conf.in +++ b/bin/tests/system/acl/ns2/named3.conf.in @@ -33,17 +33,17 @@ options { @@ -171,7 +173,7 @@ index 0a950622a2..aa54088138 100644 };
diff --git a/bin/tests/system/acl/ns2/named4.conf.in b/bin/tests/system/acl/ns2/named4.conf.in -index 7cdcb6e341..606a3452d8 100644 +index 7cdcb6e..606a345 100644 --- a/bin/tests/system/acl/ns2/named4.conf.in +++ b/bin/tests/system/acl/ns2/named4.conf.in @@ -33,12 +33,12 @@ options { @@ -190,7 +192,7 @@ index 7cdcb6e341..606a3452d8 100644 };
diff --git a/bin/tests/system/acl/ns2/named5.conf.in b/bin/tests/system/acl/ns2/named5.conf.in -index 4b4e05027a..0e679a821d 100644 +index 4b4e050..0e679a8 100644 --- a/bin/tests/system/acl/ns2/named5.conf.in +++ b/bin/tests/system/acl/ns2/named5.conf.in @@ -34,12 +34,12 @@ options { @@ -209,7 +211,7 @@ index 4b4e05027a..0e679a821d 100644 };
diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh -index 09f31f2bb9..f88f0d4430 100644 +index 09f31f2..f88f0d4 100644 --- a/bin/tests/system/acl/tests.sh +++ b/bin/tests/system/acl/tests.sh @@ -22,14 +22,14 @@ echo_i "testing basic ACL processing" @@ -335,7 +337,7 @@ index 09f31f2bb9..f88f0d4430 100644
echo_i "testing allow-query-on ACL processing" diff --git a/bin/tests/system/allow-query/ns2/named10.conf.in b/bin/tests/system/allow-query/ns2/named10.conf.in -index 1569913b37..e9c5c2d574 100644 +index 1569913..e9c5c2d 100644 --- a/bin/tests/system/allow-query/ns2/named10.conf.in +++ b/bin/tests/system/allow-query/ns2/named10.conf.in @@ -12,7 +12,7 @@ @@ -348,7 +350,7 @@ index 1569913b37..e9c5c2d574 100644 };
diff --git a/bin/tests/system/allow-query/ns2/named11.conf.in b/bin/tests/system/allow-query/ns2/named11.conf.in -index 18ac91c6e7..2b1c8739d8 100644 +index 18ac91c..2b1c873 100644 --- a/bin/tests/system/allow-query/ns2/named11.conf.in +++ b/bin/tests/system/allow-query/ns2/named11.conf.in @@ -12,12 +12,12 @@ @@ -367,7 +369,7 @@ index 18ac91c6e7..2b1c8739d8 100644 };
diff --git a/bin/tests/system/allow-query/ns2/named12.conf.in b/bin/tests/system/allow-query/ns2/named12.conf.in -index b8248444dd..dd48945bf8 100644 +index b824844..dd48945 100644 --- a/bin/tests/system/allow-query/ns2/named12.conf.in +++ b/bin/tests/system/allow-query/ns2/named12.conf.in @@ -12,7 +12,7 @@ @@ -380,7 +382,7 @@ index b8248444dd..dd48945bf8 100644 };
diff --git a/bin/tests/system/allow-query/ns2/named30.conf.in b/bin/tests/system/allow-query/ns2/named30.conf.in -index aeb1540e95..bfce58bddd 100644 +index aeb1540..bfce58b 100644 --- a/bin/tests/system/allow-query/ns2/named30.conf.in +++ b/bin/tests/system/allow-query/ns2/named30.conf.in @@ -12,7 +12,7 @@ @@ -393,7 +395,7 @@ index aeb1540e95..bfce58bddd 100644 };
diff --git a/bin/tests/system/allow-query/ns2/named31.conf.in b/bin/tests/system/allow-query/ns2/named31.conf.in -index d4b743281a..e0f52526ba 100644 +index d4b7432..e0f5252 100644 --- a/bin/tests/system/allow-query/ns2/named31.conf.in +++ b/bin/tests/system/allow-query/ns2/named31.conf.in @@ -12,12 +12,12 @@ @@ -412,7 +414,7 @@ index d4b743281a..e0f52526ba 100644 };
diff --git a/bin/tests/system/allow-query/ns2/named32.conf.in b/bin/tests/system/allow-query/ns2/named32.conf.in -index c0259387e7..87afb3fa3a 100644 +index c025938..87afb3f 100644 --- a/bin/tests/system/allow-query/ns2/named32.conf.in +++ b/bin/tests/system/allow-query/ns2/named32.conf.in @@ -12,7 +12,7 @@ @@ -425,7 +427,7 @@ index c0259387e7..87afb3fa3a 100644 };
diff --git a/bin/tests/system/allow-query/ns2/named40.conf.in b/bin/tests/system/allow-query/ns2/named40.conf.in -index d83b376cfd..d726b9480b 100644 +index d83b376..d726b94 100644 --- a/bin/tests/system/allow-query/ns2/named40.conf.in +++ b/bin/tests/system/allow-query/ns2/named40.conf.in @@ -16,12 +16,12 @@ acl accept { 10.53.0.2; }; @@ -444,7 +446,7 @@ index d83b376cfd..d726b9480b 100644 };
diff --git a/bin/tests/system/allow-query/tests.sh b/bin/tests/system/allow-query/tests.sh -index fb6059d5b8..f9601564a2 100644 +index fb6059d..f960156 100644 --- a/bin/tests/system/allow-query/tests.sh +++ b/bin/tests/system/allow-query/tests.sh @@ -190,7 +190,7 @@ rndc_reload @@ -529,7 +531,7 @@ index fb6059d5b8..f9601564a2 100644 grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi diff --git a/bin/tests/system/catz/ns1/named.conf.in b/bin/tests/system/catz/ns1/named.conf.in -index 74b7d371b7..c35376640d 100644 +index 74b7d37..c353766 100644 --- a/bin/tests/system/catz/ns1/named.conf.in +++ b/bin/tests/system/catz/ns1/named.conf.in @@ -61,5 +61,5 @@ zone "catalog4.example" { @@ -540,7 +542,7 @@ index 74b7d371b7..c35376640d 100644 + algorithm hmac-sha256; }; diff --git a/bin/tests/system/catz/ns2/named.conf.in b/bin/tests/system/catz/ns2/named.conf.in -index ee83efbee4..35ced08842 100644 +index ee83efb..35ced08 100644 --- a/bin/tests/system/catz/ns2/named.conf.in +++ b/bin/tests/system/catz/ns2/named.conf.in @@ -70,5 +70,5 @@ zone "catalog4.example" { @@ -551,7 +553,7 @@ index ee83efbee4..35ced08842 100644 + algorithm hmac-sha256; }; diff --git a/bin/tests/system/checkconf/bad-tsig.conf b/bin/tests/system/checkconf/bad-tsig.conf -index 21be03e9d2..e57c30875c 100644 +index 21be03e..e57c308 100644 --- a/bin/tests/system/checkconf/bad-tsig.conf +++ b/bin/tests/system/checkconf/bad-tsig.conf @@ -11,7 +11,7 @@ @@ -564,7 +566,7 @@ index 21be03e9d2..e57c30875c 100644 };
diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf -index 9ab35b38a5..486551ae64 100644 +index 9ab35b3..486551a 100644 --- a/bin/tests/system/checkconf/good.conf +++ b/bin/tests/system/checkconf/good.conf @@ -153,6 +153,6 @@ dyndb "name" "library.so" { @@ -576,7 +578,7 @@ index 9ab35b38a5..486551ae64 100644 secret "qwertyuiopasdfgh"; }; diff --git a/bin/tests/system/digdelv/ns2/example.db b/bin/tests/system/digdelv/ns2/example.db -index f4e30f51e5..9f53e31c97 100644 +index f4e30f5..9f53e31 100644 --- a/bin/tests/system/digdelv/ns2/example.db +++ b/bin/tests/system/digdelv/ns2/example.db @@ -38,12 +38,15 @@ foo SSHFP 2 1 123456789abcdef67890123456789abcdef67890 @@ -602,10 +604,10 @@ index f4e30f51e5..9f53e31c97 100644 ; TTL of 3 weeks weeks 1814400 A 10.53.0.2 diff --git a/bin/tests/system/digdelv/tests.sh b/bin/tests/system/digdelv/tests.sh -index 1b25c4ddfc..5dbf20a3e1 100644 +index 95bd074..b566ecb 100644 --- a/bin/tests/system/digdelv/tests.sh +++ b/bin/tests/system/digdelv/tests.sh -@@ -62,7 +62,7 @@ if [ -x ${DIG} ] ; then +@@ -61,7 +61,7 @@ if [ -x ${DIG} ] ; then echo_i "checking dig +multi +norrcomments works for dnskey (when default is rrcomments)($n)" ret=0 $DIG $DIGOPTS +tcp @10.53.0.3 +multi +norrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1 @@ -614,7 +616,7 @@ index 1b25c4ddfc..5dbf20a3e1 100644 if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret`
-@@ -70,7 +70,7 @@ if [ -x ${DIG} ] ; then +@@ -69,7 +69,7 @@ if [ -x ${DIG} ] ; then echo_i "checking dig +multi +norrcomments works for soa (when default is rrcomments)($n)" ret=0 $DIG $DIGOPTS +tcp @10.53.0.3 +multi +norrcomments SOA example > dig.out.test$n || ret=1 @@ -623,7 +625,7 @@ index 1b25c4ddfc..5dbf20a3e1 100644 if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret`
-@@ -78,7 +78,7 @@ if [ -x ${DIG} ] ; then +@@ -77,7 +77,7 @@ if [ -x ${DIG} ] ; then echo_i "checking dig +rrcomments works for DNSKEY($n)" ret=0 $DIG $DIGOPTS +tcp @10.53.0.3 +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1 @@ -632,7 +634,7 @@ index 1b25c4ddfc..5dbf20a3e1 100644 if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret`
-@@ -86,7 +86,7 @@ if [ -x ${DIG} ] ; then +@@ -85,7 +85,7 @@ if [ -x ${DIG} ] ; then echo_i "checking dig +short +rrcomments works for DNSKEY ($n)" ret=0 $DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1 @@ -641,7 +643,7 @@ index 1b25c4ddfc..5dbf20a3e1 100644 if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret`
-@@ -94,7 +94,7 @@ if [ -x ${DIG} ] ; then +@@ -93,7 +93,7 @@ if [ -x ${DIG} ] ; then echo_i "checking dig +short +nosplit works($n)" ret=0 $DIG $DIGOPTS +tcp @10.53.0.3 +short +nosplit DNSKEY dnskey.example > dig.out.test$n || ret=1 @@ -650,7 +652,7 @@ index 1b25c4ddfc..5dbf20a3e1 100644 if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret`
-@@ -102,7 +102,7 @@ if [ -x ${DIG} ] ; then +@@ -101,7 +101,7 @@ if [ -x ${DIG} ] ; then echo_i "checking dig +short +rrcomments works($n)" ret=0 $DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1 @@ -659,7 +661,7 @@ index 1b25c4ddfc..5dbf20a3e1 100644 if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret`
-@@ -118,7 +118,7 @@ if [ -x ${DIG} ] ; then +@@ -117,7 +117,7 @@ if [ -x ${DIG} ] ; then echo_i "checking dig +short +rrcomments works($n)" ret=0 $DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1 @@ -668,7 +670,7 @@ index 1b25c4ddfc..5dbf20a3e1 100644 if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret`
-@@ -543,7 +543,7 @@ if [ -x ${DELV} ] ; then +@@ -555,7 +555,7 @@ if [ -x ${DELV} ] ; then echo_i "checking delv +multi +norrcomments works for dnskey (when default is rrcomments)($n)" ret=0 $DELV $DELVOPTS +tcp @10.53.0.3 +multi +norrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1 @@ -677,7 +679,7 @@ index 1b25c4ddfc..5dbf20a3e1 100644 if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret`
-@@ -551,7 +551,7 @@ if [ -x ${DELV} ] ; then +@@ -563,7 +563,7 @@ if [ -x ${DELV} ] ; then echo_i "checking delv +multi +norrcomments works for soa (when default is rrcomments)($n)" ret=0 $DELV $DELVOPTS +tcp @10.53.0.3 +multi +norrcomments SOA example > delv.out.test$n || ret=1 @@ -686,7 +688,7 @@ index 1b25c4ddfc..5dbf20a3e1 100644 if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret`
-@@ -559,7 +559,7 @@ if [ -x ${DELV} ] ; then +@@ -571,7 +571,7 @@ if [ -x ${DELV} ] ; then echo_i "checking delv +rrcomments works for DNSKEY($n)" ret=0 $DELV $DELVOPTS +tcp @10.53.0.3 +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1 @@ -695,7 +697,7 @@ index 1b25c4ddfc..5dbf20a3e1 100644 if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret`
-@@ -567,7 +567,7 @@ if [ -x ${DELV} ] ; then +@@ -579,7 +579,7 @@ if [ -x ${DELV} ] ; then echo_i "checking delv +short +rrcomments works for DNSKEY ($n)" ret=0 $DELV $DELVOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1 @@ -704,7 +706,7 @@ index 1b25c4ddfc..5dbf20a3e1 100644 if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret`
-@@ -575,7 +575,7 @@ if [ -x ${DELV} ] ; then +@@ -587,7 +587,7 @@ if [ -x ${DELV} ] ; then echo_i "checking delv +short +rrcomments works ($n)" ret=0 $DELV $DELVOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1 @@ -713,7 +715,7 @@ index 1b25c4ddfc..5dbf20a3e1 100644 if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret`
-@@ -583,7 +583,7 @@ if [ -x ${DELV} ] ; then +@@ -595,7 +595,7 @@ if [ -x ${DELV} ] ; then echo_i "checking delv +short +nosplit works ($n)" ret=0 $DELV $DELVOPTS +tcp @10.53.0.3 +short +nosplit DNSKEY dnskey.example > delv.out.test$n || ret=1 @@ -722,7 +724,7 @@ index 1b25c4ddfc..5dbf20a3e1 100644 if test `wc -l < delv.out.test$n` != 1 ; then ret=1 ; fi f=`awk '{print NF}' < delv.out.test$n` test "${f:-0}" -eq 14 || ret=1 -@@ -594,7 +594,7 @@ if [ -x ${DELV} ] ; then +@@ -606,7 +606,7 @@ if [ -x ${DELV} ] ; then echo_i "checking delv +short +nosplit +norrcomments works ($n)" ret=0 $DELV $DELVOPTS +tcp @10.53.0.3 +short +nosplit +norrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1 @@ -732,7 +734,7 @@ index 1b25c4ddfc..5dbf20a3e1 100644 f=`awk '{print NF}' < delv.out.test$n` test "${f:-0}" -eq 4 || ret=1 diff --git a/bin/tests/system/dlv/ns1/sign.sh b/bin/tests/system/dlv/ns1/sign.sh -index b8151620cc..2a62e583b8 100755 +index b815162..2a62e58 100755 --- a/bin/tests/system/dlv/ns1/sign.sh +++ b/bin/tests/system/dlv/ns1/sign.sh @@ -23,8 +23,8 @@ infile=root.db.in @@ -747,7 +749,7 @@ index b8151620cc..2a62e583b8 100755 cat $infile $keyname1.key $keyname2.key >$zonefile
diff --git a/bin/tests/system/dlv/ns2/sign.sh b/bin/tests/system/dlv/ns2/sign.sh -index 6f84d7a525..e128303a22 100755 +index 6f84d7a..e128303 100755 --- a/bin/tests/system/dlv/ns2/sign.sh +++ b/bin/tests/system/dlv/ns2/sign.sh @@ -24,8 +24,8 @@ zonefile=druz.db @@ -762,7 +764,7 @@ index 6f84d7a525..e128303a22 100755 cat $infile $keyname1.key $keyname2.key >$zonefile
diff --git a/bin/tests/system/dlv/ns3/sign.sh b/bin/tests/system/dlv/ns3/sign.sh -index bcc9922e26..846dbcc0df 100755 +index bcc9922..846dbcc 100755 --- a/bin/tests/system/dlv/ns3/sign.sh +++ b/bin/tests/system/dlv/ns3/sign.sh @@ -19,6 +19,7 @@ echo_i "dlv/ns3/sign.sh" @@ -961,7 +963,7 @@ index bcc9922e26..846dbcc0df 100755 cat $infile $dlvsets $keyname1.key $keyname2.key >$zonefile
diff --git a/bin/tests/system/dlv/ns6/sign.sh b/bin/tests/system/dlv/ns6/sign.sh -index 1e398625f1..4ed19acd1f 100755 +index 1e39862..4ed19ac 100755 --- a/bin/tests/system/dlv/ns6/sign.sh +++ b/bin/tests/system/dlv/ns6/sign.sh @@ -16,13 +16,15 @@ SYSTESTDIR=dlv @@ -1148,7 +1150,7 @@ index 1e398625f1..4ed19acd1f 100755 cat $infile $keyname1.key $keyname2.key >$zonefile
diff --git a/bin/tests/system/dnssec/ns1/sign.sh b/bin/tests/system/dnssec/ns1/sign.sh -index 198d60ae15..d89a539ffd 100644 +index 198d60a..d89a539 100644 --- a/bin/tests/system/dnssec/ns1/sign.sh +++ b/bin/tests/system/dnssec/ns1/sign.sh @@ -27,7 +27,7 @@ cp ../ns2/dsset-in-addr.arpa$TP . @@ -1169,7 +1171,7 @@ index 198d60ae15..d89a539ffd 100644 keyid=`expr $keyid + 0` echo "$keyid" > managed.key.id diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh -index 9078459ac8..9dcd028eb5 100644 +index 9078459..9dcd028 100644 --- a/bin/tests/system/dnssec/ns2/sign.sh +++ b/bin/tests/system/dnssec/ns2/sign.sh @@ -29,8 +29,8 @@ do @@ -1213,7 +1215,7 @@ index 9078459ac8..9dcd028eb5 100644 cat $dlvinfile $dlvkeyname.key $dlvsetfile > $dlvzonefile
diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh -index 330abf7feb..f95a6b7ea8 100644 +index 330abf7..f95a6b7 100644 --- a/bin/tests/system/dnssec/ns3/sign.sh +++ b/bin/tests/system/dnssec/ns3/sign.sh @@ -28,7 +28,7 @@ zone=bogus.example. @@ -1300,7 +1302,7 @@ index 330abf7feb..f95a6b7ea8 100644 cat $infile $keyname.key >$zonefile
diff --git a/bin/tests/system/dnssec/ns5/trusted.conf.bad b/bin/tests/system/dnssec/ns5/trusted.conf.bad -index ed30460bda..e6b112630e 100644 +index ed30460..e6b1126 100644 --- a/bin/tests/system/dnssec/ns5/trusted.conf.bad +++ b/bin/tests/system/dnssec/ns5/trusted.conf.bad @@ -10,5 +10,5 @@ @@ -1311,7 +1313,7 @@ index ed30460bda..e6b112630e 100644 + "." 256 3 8 "AwEAAarwAdjV4gIhpBCjXVAScRFEx3co7k8smJdxrnqoGsl5NB7EZ9jRdgvCXbJn6v8y9jlNWVHvaC8ilhfhLh0A1vLWiWv4ijd/12xcnrY7xpG7Cu3YkxUxaXJ7Jdg/Iw1+9mGgXF1v4UbCIcw/3U3cxyk7OxYg+VSb5KBAQSR0upxV"; }; diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh -index bb2315fbf3..315666825e 100644 +index bb2315f..3156668 100644 --- a/bin/tests/system/dnssec/tests.sh +++ b/bin/tests/system/dnssec/tests.sh @@ -1690,7 +1690,7 @@ ret=0 @@ -1344,7 +1346,7 @@ index bb2315fbf3..315666825e 100644 8) size="-b 512";; 10) size="-b 1024";; diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c -index 9612450ab4..5eee6aa4f8 100644 +index 9612450..5eee6aa 100644 --- a/bin/tests/system/feature-test.c +++ b/bin/tests/system/feature-test.c @@ -19,6 +19,7 @@ @@ -1383,7 +1385,7 @@ index 9612450ab4..5eee6aa4f8 100644 #ifdef ENABLE_RPZ_NSIP return (0); diff --git a/bin/tests/system/filter-aaaa/ns1/sign.sh b/bin/tests/system/filter-aaaa/ns1/sign.sh -index f7555810a0..4a7d89004a 100755 +index f755581..4a7d890 100755 --- a/bin/tests/system/filter-aaaa/ns1/sign.sh +++ b/bin/tests/system/filter-aaaa/ns1/sign.sh @@ -21,8 +21,8 @@ infile=signed.db.in @@ -1398,7 +1400,7 @@ index f7555810a0..4a7d89004a 100755 cat $infile $keyname1.key $keyname2.key >$zonefile
diff --git a/bin/tests/system/filter-aaaa/ns4/sign.sh b/bin/tests/system/filter-aaaa/ns4/sign.sh -index f7555810a0..4a7d89004a 100755 +index f755581..4a7d890 100755 --- a/bin/tests/system/filter-aaaa/ns4/sign.sh +++ b/bin/tests/system/filter-aaaa/ns4/sign.sh @@ -21,8 +21,8 @@ infile=signed.db.in @@ -1413,7 +1415,7 @@ index f7555810a0..4a7d89004a 100755 cat $infile $keyname1.key $keyname2.key >$zonefile
diff --git a/bin/tests/system/notify/ns5/named.conf.in b/bin/tests/system/notify/ns5/named.conf.in -index cfcfe8fa2f..0a1614d527 100644 +index cfcfe8f..0a1614d 100644 --- a/bin/tests/system/notify/ns5/named.conf.in +++ b/bin/tests/system/notify/ns5/named.conf.in @@ -10,17 +10,17 @@ @@ -1438,7 +1440,7 @@ index cfcfe8fa2f..0a1614d527 100644 };
diff --git a/bin/tests/system/notify/tests.sh b/bin/tests/system/notify/tests.sh -index ad20e3eaca..5a9ce4688a 100644 +index ad20e3e..5a9ce46 100644 --- a/bin/tests/system/notify/tests.sh +++ b/bin/tests/system/notify/tests.sh @@ -186,16 +186,16 @@ ret=0 @@ -1462,7 +1464,7 @@ index ad20e3eaca..5a9ce4688a 100644 grep "test string" dig.out.b.ns5.test$n > /dev/null && grep "test string" dig.out.c.ns5.test$n > /dev/null && diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in -index 1d999adc39..26b6b7c9ab 100644 +index 1d999ad..26b6b7c 100644 --- a/bin/tests/system/nsupdate/ns1/named.conf.in +++ b/bin/tests/system/nsupdate/ns1/named.conf.in @@ -32,7 +32,7 @@ controls { @@ -1475,7 +1477,7 @@ index 1d999adc39..26b6b7c9ab 100644 };
diff --git a/bin/tests/system/nsupdate/ns2/named.conf.in b/bin/tests/system/nsupdate/ns2/named.conf.in -index b4ecf96668..1adb33eb0b 100644 +index b4ecf96..1adb33e 100644 --- a/bin/tests/system/nsupdate/ns2/named.conf.in +++ b/bin/tests/system/nsupdate/ns2/named.conf.in @@ -24,7 +24,7 @@ options { @@ -1488,10 +1490,10 @@ index b4ecf96668..1adb33eb0b 100644 };
diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh -index 32674eb382..2331b30b00 100644 +index d6647fa..715314b 100644 --- a/bin/tests/system/nsupdate/setup.sh +++ b/bin/tests/system/nsupdate/setup.sh -@@ -59,7 +59,12 @@ EOF +@@ -63,7 +63,12 @@ EOF
$DDNSCONFGEN -q -r $RANDFILE -z example.nil > ns1/ddns.key
@@ -1506,10 +1508,10 @@ index 32674eb382..2331b30b00 100644 $DDNSCONFGEN -q -r $RANDFILE -a hmac-sha224 -k sha224-key -z keytests.nil > ns1/sha224.key $DDNSCONFGEN -q -r $RANDFILE -a hmac-sha256 -k sha256-key -z keytests.nil > ns1/sha256.key diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh -index 2a01d1e46d..e8659587c3 100755 +index 9f26572..fd0383f 100755 --- a/bin/tests/system/nsupdate/tests.sh +++ b/bin/tests/system/nsupdate/tests.sh -@@ -680,7 +680,14 @@ fi +@@ -700,7 +700,14 @@ fi n=`expr $n + 1` ret=0 echo_i "check TSIG key algorithms ($n)" @@ -1525,7 +1527,7 @@ index 2a01d1e46d..e8659587c3 100755 $NSUPDATE -k ns1/${alg}.key <<END > /dev/null || ret=1 server 10.53.0.1 ${PORT} update add ${alg}.keytests.nil. 600 A 10.10.10.3 -@@ -688,7 +695,7 @@ send +@@ -708,7 +715,7 @@ send END done sleep 2 @@ -1535,7 +1537,7 @@ index 2a01d1e46d..e8659587c3 100755 done if [ $ret -ne 0 ]; then diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh -index 850c4d2744..09a3e0f9ad 100644 +index 850c4d2..09a3e0f 100644 --- a/bin/tests/system/rndc/setup.sh +++ b/bin/tests/system/rndc/setup.sh @@ -37,7 +37,7 @@ make_key () { @@ -1548,7 +1550,7 @@ index 850c4d2744..09a3e0f9ad 100644 make_key 3 ${EXTRAPORT3} hmac-sha224 make_key 4 ${EXTRAPORT4} hmac-sha256 diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh -index d364e6fea0..dbf3bc6780 100644 +index 647730e..7df752d 100644 --- a/bin/tests/system/rndc/tests.sh +++ b/bin/tests/system/rndc/tests.sh @@ -356,15 +356,20 @@ if [ $ret != 0 ]; then echo_i "failed"; fi @@ -1582,7 +1584,7 @@ index d364e6fea0..dbf3bc6780 100644 n=`expr $n + 1` echo_i "testing rndc with hmac-sha1 ($n)" diff --git a/bin/tests/system/tsig/clean.sh b/bin/tests/system/tsig/clean.sh -index 576ec70f76..cb7a852189 100644 +index 576ec70..cb7a852 100644 --- a/bin/tests/system/tsig/clean.sh +++ b/bin/tests/system/tsig/clean.sh @@ -20,3 +20,4 @@ rm -f */named.run 
@@ -1591,7 +1593,7 @@ index 576ec70f76..cb7a852189 100644 rm -f keygen.out? +rm -f ns1/named.conf diff --git a/bin/tests/system/tsig/ns1/named.conf.in b/bin/tests/system/tsig/ns1/named.conf.in -index fbf30c6dc4..f61657d7cf 100644 +index fbf30c6..f61657d 100644 --- a/bin/tests/system/tsig/ns1/named.conf.in +++ b/bin/tests/system/tsig/ns1/named.conf.in @@ -21,10 +21,7 @@ options { @@ -1620,7 +1622,7 @@ index fbf30c6dc4..f61657d7cf 100644 secret "FrSt77yPTFx6hTs4i2tKLB9LmE0="; diff --git a/bin/tests/system/tsig/ns1/rndc5.conf.in b/bin/tests/system/tsig/ns1/rndc5.conf.in new file mode 100644 -index 0000000000..4117830adb +index 0000000..4117830 --- /dev/null +++ b/bin/tests/system/tsig/ns1/rndc5.conf.in @@ -0,0 +1,11 @@ @@ -1636,7 +1638,7 @@ index 0000000000..4117830adb +}; + diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh -index 656e9bbcd8..628c5bbac1 100644 +index 656e9bb..628c5bb 100644 --- a/bin/tests/system/tsig/setup.sh +++ b/bin/tests/system/tsig/setup.sh @@ -17,3 +17,7 @@ $SHELL clean.sh @@ -1648,7 +1650,7 @@ index 656e9bbcd8..628c5bbac1 100644 + cat ns1/rndc5.conf.in >> ns1/named.conf +fi diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh -index f731fa604c..cade35bc1d 100644 +index f731fa6..cade35b 100644 --- a/bin/tests/system/tsig/tests.sh +++ b/bin/tests/system/tsig/tests.sh @@ -26,20 +26,25 @@ sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f @@ -1740,7 +1742,7 @@ index f731fa604c..cade35bc1d 100644
echo_i "fetching using hmac-sha1-80 (BADTRUNC)" diff --git a/bin/tests/system/tsiggss/setup.sh b/bin/tests/system/tsiggss/setup.sh -index 5da33cfde0..fb108b02bd 100644 +index 5da33cf..fb108b0 100644 --- a/bin/tests/system/tsiggss/setup.sh +++ b/bin/tests/system/tsiggss/setup.sh @@ -18,5 +18,5 @@ test -r $RANDFILE || $GENRANDOM 400 $RANDFILE @@ -1751,7 +1753,7 @@ index 5da33cfde0..fb108b02bd 100644 +key=`$KEYGEN -Cq -K ns1 -a DSA -b 1024 -r $RANDFILE -n HOST -T KEY key.example.nil.` cat ns1/example.nil.db.in ns1/${key}.key > ns1/example.nil.db diff --git a/bin/tests/system/upforwd/ns1/named.conf.in b/bin/tests/system/upforwd/ns1/named.conf.in -index e0a30cda15..6a77b1ce52 100644 +index e0a30cd..6a77b1c 100644 --- a/bin/tests/system/upforwd/ns1/named.conf.in +++ b/bin/tests/system/upforwd/ns1/named.conf.in @@ -10,7 +10,7 @@ @@ -1764,7 +1766,7 @@ index e0a30cda15..6a77b1ce52 100644 };
diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh -index b0694bbd5c..9adae8228e 100644 +index b0694bb..9adae82 100644 --- a/bin/tests/system/upforwd/tests.sh +++ b/bin/tests/system/upforwd/tests.sh @@ -68,7 +68,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi diff --git a/bind-9.11-host-idn-disable.patch b/bind-9.11-host-idn-disable.patch index 434c596..7d52964 100644 --- a/bind-9.11-host-idn-disable.patch +++ b/bind-9.11-host-idn-disable.patch @@ -1,4 +1,4 @@ -From 145fac914bf47128307aea702fed7eb74b65cadd Mon Sep 17 00:00:00 2001 +From ed26f0f0eb4242706d2012e4abe0152071bb305b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= pemensik@redhat.com Date: Tue, 25 Sep 2018 18:08:46 +0200 Subject: [PATCH] Disable IDN from environment as documented @@ -18,7 +18,7 @@ RH patch since RHEL 5. 4 files changed, 26 insertions(+), 4 deletions(-)
diff --git a/bin/dig/dig.docbook b/bin/dig/dig.docbook -index fedd288..d5dba72 100644 +index bd7510e..5cc696f 100644 --- a/bin/dig/dig.docbook +++ b/bin/dig/dig.docbook @@ -1288,7 +1288,9 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr @@ -33,28 +33,28 @@ index fedd288..d5dba72 100644 </refsection>
diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c -index 7408193..d46379d 100644 +index 341ed80..bb8702c 100644 --- a/bin/dig/dighost.c +++ b/bin/dig/dighost.c -@@ -822,12 +822,17 @@ make_empty_lookup(void) { - looknew->seenbadcookie = ISC_FALSE; - looknew->badcookie = ISC_TRUE; +@@ -825,12 +825,17 @@ make_empty_lookup(void) { + looknew->seenbadcookie = false; + looknew->badcookie = true; #ifdef WITH_IDN_SUPPORT -- looknew->idnin = ISC_TRUE; +- looknew->idnin = true; + looknew->idnin = (getenv("IDN_DISABLE") == NULL); + if (looknew->idnin) { + const char *charset = getenv("CHARSET"); + if (charset && !strcmp(charset, "ASCII")) -+ looknew->idnin = ISC_FALSE; ++ looknew->idnin = false; + } #else - looknew->idnin = ISC_FALSE; + looknew->idnin = false; #endif #ifdef WITH_IDN_OUT_SUPPORT -- looknew->idnout = ISC_TRUE; +- looknew->idnout = true; + looknew->idnout = looknew->idnin; #else - looknew->idnout = ISC_FALSE; + looknew->idnout = false; #endif diff --git a/bin/dig/host.docbook b/bin/dig/host.docbook index 9c3aeaa..42cbbf9 100644 diff --git a/bind-9.11-kyua-pkcs11.patch b/bind-9.11-kyua-pkcs11.patch index ab21828..1b83800 100644 --- a/bind-9.11-kyua-pkcs11.patch +++ b/bind-9.11-kyua-pkcs11.patch @@ -1,4 +1,4 @@ -From d0433a314534e104f52acf2a0a96a68dd84305ae Mon Sep 17 00:00:00 2001 +From 3474d13bbf08c441783bd72afbc8cec8857baf46 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= pemensik@redhat.com Date: Tue, 2 Jan 2018 18:13:07 +0100 Subject: [PATCH] Fix pkcs11 variants atf tests @@ -17,10 +17,10 @@ Add pkcs11 Kyuafile, fix dh_test to pass in pkcs11 mode 7 files changed, 40 insertions(+), 16 deletions(-)
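Review bot: The environment checks added to `make_empty_lookup` in bin/dig/dighost.c carry no comment saying which settings switch IDN processing off, and the inner `if (charset && !strcmp(charset, "ASCII"))` has an unbraced body. A comment above the `getenv("IDN_DISABLE")` assignment, such as `/* IDN defaults to off when IDN_DISABLE is set (any value, even empty) or CHARSET=ASCII; idnout follows idnin */`, would record that the variable's presence alone disables conversion. Bracing the inner assignment as `{ looknew->idnin = false; }` would match the braced outer `if`. The function body starts and ends outside this hunk.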
diff --git a/configure.in b/configure.in -index 67b3aab..4767eeb 100644 +index 1edafd1..5466de1 100644 --- a/configure.in +++ b/configure.in -@@ -5579,6 +5579,7 @@ AC_CONFIG_FILES([ +@@ -5489,6 +5489,7 @@ AC_CONFIG_FILES([ lib/dns-pkcs11/include/Makefile lib/dns-pkcs11/include/dns/Makefile lib/dns-pkcs11/include/dst/Makefile @@ -57,10 +57,10 @@ index ff9fc56..eaaf0dc 100644 include('isccfg/Kyuafile') include('lwres/Kyuafile') diff --git a/lib/dns-pkcs11/tests/Makefile.in b/lib/dns-pkcs11/tests/Makefile.in -index 2a6571b..f25a784 100644 +index 625e809..6fd4e36 100644 --- a/lib/dns-pkcs11/tests/Makefile.in +++ b/lib/dns-pkcs11/tests/Makefile.in -@@ -20,12 +20,12 @@ VERSION=@BIND9_VERSION@ +@@ -21,12 +21,12 @@ VERSION=@BIND9_VERSION@
CINCLUDES = -I. -Iinclude ${DNS_INCLUDES} ${ISC_INCLUDES} \ @DST_OPENSSL_INC@ @@ -79,10 +79,10 @@ index 2a6571b..f25a784 100644 LIBS = @LIBS@ @ATFLIBS@
diff --git a/lib/dns-pkcs11/tests/dh_test.c b/lib/dns-pkcs11/tests/dh_test.c -index 036d27a..eb6554f 100644 +index 6216b4e..dd74e58 100644 --- a/lib/dns-pkcs11/tests/dh_test.c +++ b/lib/dns-pkcs11/tests/dh_test.c -@@ -63,7 +63,8 @@ ATF_TC_BODY(isc_dh_computesecret, tc) { +@@ -64,7 +64,8 @@ ATF_TC_BODY(isc_dh_computesecret, tc) { ret = dst_key_computesecret(key, key, &buf); ATF_REQUIRE_EQ(ret, DST_R_NOTPRIVATEKEY); ret = key->func->computesecret(key, key, &buf); @@ -93,10 +93,10 @@ index 036d27a..eb6554f 100644 dst_key_free(&key); dns_test_end(); diff --git a/lib/isc-pkcs11/tests/Makefile.in b/lib/isc-pkcs11/tests/Makefile.in -index f7fa538..818dae4 100644 +index add8068..a928dcf 100644 --- a/lib/isc-pkcs11/tests/Makefile.in +++ b/lib/isc-pkcs11/tests/Makefile.in -@@ -17,10 +17,10 @@ VERSION=@BIND9_VERSION@ +@@ -20,10 +20,10 @@ VERSION=@BIND9_VERSION@ @BIND9_MAKE_INCLUDES@
CINCLUDES = -I. -Iinclude ${ISC_INCLUDES} @ISC_OPENSSL_INC@ @@ -111,10 +111,10 @@ index f7fa538..818dae4 100644 LIBS = @LIBS@ @ATFLIBS@
diff --git a/lib/isc-pkcs11/tests/hash_test.c b/lib/isc-pkcs11/tests/hash_test.c -index 5b8a374..c1891c2 100644 +index 7eb1552..048ae9d 100644 --- a/lib/isc-pkcs11/tests/hash_test.c +++ b/lib/isc-pkcs11/tests/hash_test.c -@@ -74,7 +74,7 @@ typedef struct hash_testcase { +@@ -78,7 +78,7 @@ typedef struct hash_testcase {
typedef struct hash_test_key { const char *key; @@ -123,7 +123,7 @@ index 5b8a374..c1891c2 100644 } hash_test_key_t;
/* non-hmac tests */ -@@ -957,8 +957,11 @@ ATF_TC_BODY(isc_hmacsha1, tc) { +@@ -961,8 +961,11 @@ ATF_TC_BODY(isc_hmacsha1, tc) { hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) { @@ -134,9 +134,9 @@ index 5b8a374..c1891c2 100644 - isc_hmacsha1_init(&hmacsha1, buffer, test_key->len); + isc_hmacsha1_init(&hmacsha1, buffer, len); isc_hmacsha1_update(&hmacsha1, - (const isc_uint8_t *) testcase->input, + (const uint8_t *) testcase->input, testcase->input_len); -@@ -1120,8 +1123,11 @@ ATF_TC_BODY(isc_hmacsha224, tc) { +@@ -1124,8 +1127,11 @@ ATF_TC_BODY(isc_hmacsha224, tc) { hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) { @@ -147,9 +147,9 @@ index 5b8a374..c1891c2 100644 - isc_hmacsha224_init(&hmacsha224, buffer, test_key->len); + isc_hmacsha224_init(&hmacsha224, buffer, len); isc_hmacsha224_update(&hmacsha224, - (const isc_uint8_t *) testcase->input, + (const uint8_t *) testcase->input, testcase->input_len); -@@ -1283,8 +1289,11 @@ ATF_TC_BODY(isc_hmacsha256, tc) { +@@ -1287,8 +1293,11 @@ ATF_TC_BODY(isc_hmacsha256, tc) { hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) { @@ -160,9 +160,9 @@ index 5b8a374..c1891c2 100644 - isc_hmacsha256_init(&hmacsha256, buffer, test_key->len); + isc_hmacsha256_init(&hmacsha256, buffer, len); isc_hmacsha256_update(&hmacsha256, - (const isc_uint8_t *) testcase->input, + (const uint8_t *) testcase->input, testcase->input_len); -@@ -1452,8 +1461,11 @@ ATF_TC_BODY(isc_hmacsha384, tc) { +@@ -1456,8 +1465,11 @@ ATF_TC_BODY(isc_hmacsha384, tc) { hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) { @@ -173,9 +173,9 @@ index 5b8a374..c1891c2 100644 - isc_hmacsha384_init(&hmacsha384, buffer, test_key->len); + isc_hmacsha384_init(&hmacsha384, buffer, len); isc_hmacsha384_update(&hmacsha384, - (const isc_uint8_t *) testcase->input, + (const uint8_t *) testcase->input, testcase->input_len); -@@ -1621,8 +1633,11 @@ ATF_TC_BODY(isc_hmacsha512, tc) { +@@ -1625,8 +1637,11 @@ ATF_TC_BODY(isc_hmacsha512, tc) { hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) { @@ -186,9 +186,9 @@ index 5b8a374..c1891c2 100644 - isc_hmacsha512_init(&hmacsha512, buffer, test_key->len); + isc_hmacsha512_init(&hmacsha512, buffer, len); isc_hmacsha512_update(&hmacsha512, - (const isc_uint8_t *) testcase->input, + (const uint8_t *) testcase->input, testcase->input_len); -@@ -1765,8 +1780,11 @@ ATF_TC_BODY(isc_hmacmd5, tc) { +@@ -1769,8 +1784,11 @@ ATF_TC_BODY(isc_hmacmd5, tc) { hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) { @@ -199,8 +199,8 @@ index 5b8a374..c1891c2 100644 - isc_hmacmd5_init(&hmacmd5, buffer, test_key->len); + isc_hmacmd5_init(&hmacmd5, buffer, len); isc_hmacmd5_update(&hmacmd5, - (const isc_uint8_t *) testcase->input, + (const uint8_t *) testcase->input, testcase->input_len); -- -2.14.3 +2.14.4
diff --git a/bind-9.11-oot-manual.patch b/bind-9.11-oot-manual.patch index b090b9f..84e9d25 100644 --- a/bind-9.11-oot-manual.patch +++ b/bind-9.11-oot-manual.patch @@ -1,4 +1,4 @@ -From e462d022a9dc52c40aece6f8ba3123ff3ffa59ed Mon Sep 17 00:00:00 2001 +From 8ca95f47231822df2b9c171a4da1e93ca5b748eb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= pemensik@redhat.com Date: Wed, 25 Jul 2018 12:24:16 +0200 Subject: [PATCH] Use make automatic variables to install updated manuals @@ -19,7 +19,7 @@ Install all files in single command instead of iterating on each of them. 9 files changed, 54 insertions(+), 38 deletions(-)
diff --git a/bin/check/Makefile.in b/bin/check/Makefile.in -index 12f48d2d23..d8eac4c714 100644 +index c124e80..1174f8d 100644 --- a/bin/check/Makefile.in +++ b/bin/check/Makefile.in @@ -83,12 +83,14 @@ installdirs: @@ -35,13 +35,13 @@ index 12f48d2d23..d8eac4c714 100644 ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkconf@EXEEXT@ ${DESTDIR}${sbindir} ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkzone@EXEEXT@ ${DESTDIR}${sbindir} (cd ${DESTDIR}${sbindir}; rm -f named-compilezone@EXEEXT@; ${LINK_PROGRAM} named-checkzone@EXEEXT@ named-compilezone@EXEEXT@) -- for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8; done +- for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8 || exit 1; done - (cd ${DESTDIR}${mandir}/man8; rm -f named-compilezone.8; ${LINK_PROGRAM} named-checkzone.8 named-compilezone.8)
uninstall:: rm -f ${DESTDIR}${mandir}/man8/named-compilezone.8 diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in -index 87f13dda4b..7865c0c73e 100644 +index 87f13dd..7865c0c 100644 --- a/bin/confgen/Makefile.in +++ b/bin/confgen/Makefile.in @@ -95,13 +95,14 @@ installdirs: @@ -64,7 +64,7 @@ index 87f13dda4b..7865c0c73e 100644 uninstall:: rm -f ${DESTDIR}${mandir}/man8/tsig-keygen.8 diff --git a/bin/delv/Makefile.in b/bin/delv/Makefile.in -index e2d2802262..19361a83ea 100644 +index e2d2802..19361a8 100644 --- a/bin/delv/Makefile.in +++ b/bin/delv/Makefile.in @@ -63,10 +63,12 @@ installdirs: @@ -83,7 +83,7 @@ index e2d2802262..19361a83ea 100644 uninstall:: rm -f ${DESTDIR}${mandir}/man1/delv.1 diff --git a/bin/dig/Makefile.in b/bin/dig/Makefile.in -index 773ac46395..3edd951e7e 100644 +index a9830a9..d7ac0b6 100644 --- a/bin/dig/Makefile.in +++ b/bin/dig/Makefile.in @@ -91,16 +91,16 @@ installdirs: @@ -102,13 +102,13 @@ index 773ac46395..3edd951e7e 100644 ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \ nslookup@EXEEXT@ ${DESTDIR}${bindir} - for m in ${MANPAGES}; do \ -- ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man1; \ -- done +- ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man1 || exit 1; \ +- done
uninstall:: for m in ${MANPAGES}; do \ diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in -index 1be1d5ffc6..1d0c4ce5c1 100644 +index 2239ad1..ce0a177 100644 --- a/bin/dnssec/Makefile.in +++ b/bin/dnssec/Makefile.in @@ -110,9 +110,11 @@ installdirs: @@ -120,16 +120,16 @@ index 1be1d5ffc6..1d0c4ce5c1 100644 + ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8 + +install:: ${TARGETS} installdirs install-man8 - for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir}; done -- for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8; done + for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir} || exit 1; done +- for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8 || exit 1; done
uninstall:: - for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m ; done + for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m || exit 1; done diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in -index 1c413973d0..03e4cb849b 100644 +index e1f85a9..d92bc9a 100644 --- a/bin/named/Makefile.in +++ b/bin/named/Makefile.in -@@ -172,12 +172,17 @@ installdirs: +@@ -176,12 +176,17 @@ installdirs: $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man5 $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
@@ -152,7 +152,7 @@ index 1c413973d0..03e4cb849b 100644 uninstall:: rm -f ${DESTDIR}${mandir}/man5/named.conf.5 diff --git a/bin/pkcs11/Makefile.in b/bin/pkcs11/Makefile.in -index ae9061626c..a058c91214 100644 +index ae90616..a058c91 100644 --- a/bin/pkcs11/Makefile.in +++ b/bin/pkcs11/Makefile.in @@ -71,7 +71,10 @@ installdirs: @@ -179,7 +179,7 @@ index ae9061626c..a058c91214 100644 uninstall:: rm -f ${DESTDIR}${mandir}/man8/pkcs11-tokens.8 diff --git a/bin/python/Makefile.in b/bin/python/Makefile.in -index aa678d47ab..064c404e2f 100644 +index aa678d4..064c404 100644 --- a/bin/python/Makefile.in +++ b/bin/python/Makefile.in @@ -47,13 +47,13 @@ installdirs: @@ -201,7 +201,7 @@ index aa678d47ab..064c404e2f 100644 if test -n "${DESTDIR}" ; then \ ${PYTHON} ${srcdir}/setup.py install --root=${DESTDIR} --prefix=${prefix} @PYTHON_INSTALL_LIB@ ; \ diff --git a/bin/tools/Makefile.in b/bin/tools/Makefile.in -index 7bf2af4cea..c395bc7462 100644 +index 7bf2af4..c395bc7 100644 --- a/bin/tools/Makefile.in +++ b/bin/tools/Makefile.in @@ -119,17 +119,27 @@ installdirs: diff --git a/bind-9.11-rh1624100.patch b/bind-9.11-rh1624100.patch index 954661c..b17a6ca 100644 --- a/bind-9.11-rh1624100.patch +++ b/bind-9.11-rh1624100.patch @@ -1,4 +1,4 @@ -From 25ff8ab2b0772262d358272a3ed70a24fc6e4887 Mon Sep 17 00:00:00 2001 +From 4fc49ad102fd00343665273caf4349d4edb5e5ac Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= ondrej@sury.org Date: Wed, 25 Apr 2018 14:04:31 +0200 Subject: [PATCH] Replace isc_safe routines with their OpenSSL counter parts 
@@ -17,17 +17,17 @@ Fix the isc_safe_memwipe() usage with (NULL, >0) lib/dns/nsec3.c | 4 +-- lib/dns/spnego.c | 4 +-- lib/isc/Makefile.in | 8 ++--- - lib/isc/include/isc/safe.h | 18 ++++------ - lib/isc/safe.c | 81 -------------------------------------------- + lib/isc/include/isc/safe.h | 18 +++------- + lib/isc/safe.c | 83 -------------------------------------------- lib/isc/tests/safe_test.c | 20 ----------- - 7 files changed, 13 insertions(+), 124 deletions(-) + 7 files changed, 11 insertions(+), 128 deletions(-) delete mode 100644 lib/isc/safe.c
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c -index 53be1f5c60..351296a356 100644 +index 6ddaebe..d921870 100644 --- a/bin/dnssec/dnssec-signzone.c +++ b/bin/dnssec/dnssec-signzone.c -@@ -786,7 +786,7 @@ hashlist_add_dns_name(hashlist_t *l, /*const*/ dns_name_t *name, +@@ -787,7 +787,7 @@ hashlist_add_dns_name(hashlist_t *l, /*const*/ dns_name_t *name,
static int hashlist_comp(const void *a, const void *b) { @@ -37,10 +37,10 @@ index 53be1f5c60..351296a356 100644
static void diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c -index d364308aaf..37b6a8a7fe 100644 +index e127893..895519e 100644 --- a/lib/dns/nsec3.c +++ b/lib/dns/nsec3.c -@@ -1950,7 +1950,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name, +@@ -1953,7 +1953,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name, * Work out what this NSEC3 covers. * Inside (<0) or outside (>=0). */ @@ -49,7 +49,7 @@ index d364308aaf..37b6a8a7fe 100644
/* * Prepare to compute all the hashes. -@@ -1974,7 +1974,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name, +@@ -1977,7 +1977,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name, return (ISC_R_IGNORE); }
@@ -59,10 +59,10 @@ index d364308aaf..37b6a8a7fe 100644 /* * The hashes are the same. diff --git a/lib/dns/spnego.c b/lib/dns/spnego.c -index ce3e42d650..079d4c1b4a 100644 +index ad77f24..670982a 100644 --- a/lib/dns/spnego.c +++ b/lib/dns/spnego.c -@@ -369,7 +369,7 @@ gssapi_spnego_decapsulate(OM_uint32 *, +@@ -371,7 +371,7 @@ gssapi_spnego_decapsulate(OM_uint32 *,
/* mod_auth_kerb.c */
@@ -71,7 +71,7 @@ index ce3e42d650..079d4c1b4a 100644 cmp_gss_type(gss_buffer_t token, gss_OID gssoid) { unsigned char *p; -@@ -393,7 +393,7 @@ cmp_gss_type(gss_buffer_t token, gss_OID gssoid) +@@ -395,7 +395,7 @@ cmp_gss_type(gss_buffer_t token, gss_OID gssoid) if (((OM_uint32) *p++) != gssoid->length) return (GSS_S_DEFECTIVE_TOKEN);
@@ -81,7 +81,7 @@ index ce3e42d650..079d4c1b4a 100644
/* accept_sec_context.c */ diff --git a/lib/isc/Makefile.in b/lib/isc/Makefile.in -index ba53ef1091..98acffffc9 100644 +index ba53ef1..98acfff 100644 --- a/lib/isc/Makefile.in +++ b/lib/isc/Makefile.in @@ -60,7 +60,7 @@ OBJS = @ISC_EXTRA_OBJS@ @ISC_PK11_O@ @ISC_PK11_RESULT_O@ \ @@ -114,28 +114,28 @@ index ba53ef1091..98acffffc9 100644 ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \ -DVERSION="${VERSION}" \ diff --git a/lib/isc/include/isc/safe.h b/lib/isc/include/isc/safe.h -index f29f00bac6..b8a0b2290c 100644 +index 66ed08b..88b8f47 100644 --- a/lib/isc/include/isc/safe.h +++ b/lib/isc/include/isc/safe.h -@@ -15,27 +15,21 @@ +@@ -15,29 +15,19 @@
/*! \file isc/safe.h */
+-#include <stdbool.h> +- -#include <isc/types.h> -#include <stdlib.h> -+#include <isc/boolean.h> +#include <isc/lang.h> -+ +#include <openssl/crypto.h>
ISC_LANG_BEGINDECLS
--isc_boolean_t +-bool -isc_safe_memequal(const void *s1, const void *s2, size_t n); -+#define isc_safe_memequal(s1, s2, n) ISC_TF(!CRYPTO_memcmp(s1, s2, n)) ++#define isc_safe_memequal(s1, s2, n) !CRYPTO_memcmp(s1, s2, n) /*%< - * Returns ISC_TRUE iff. two blocks of memory are equal, otherwise - * ISC_FALSE. + * Returns true iff. two blocks of memory are equal, otherwise + * false. * */
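Review bot: The replacement `#define isc_safe_memequal(s1, s2, n) !CRYPTO_memcmp(s1, s2, n)` in lib/isc/include/isc/safe.h leaves both the expansion and its arguments unparenthesised now that the `ISC_TF(...)` wrapper has been dropped. The conventional form is `#define isc_safe_memequal(s1, s2, n) (!CRYPTO_memcmp((s1), (s2), (n)))`, which keeps the result a single expression wherever a caller embeds it. The macro now yields an `int` 0/1 rather than the `bool` the removed prototype declared. The `/*%<` comment could say so, and could note that the comparison is delegated to OpenSSL's `CRYPTO_memcmp`, since the constant-time behaviour callers expect now depends on that function.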
@@ -153,10 +153,10 @@ index f29f00bac6..b8a0b2290c 100644 * diff --git a/lib/isc/safe.c b/lib/isc/safe.c deleted file mode 100644 -index 5c9e1e2d13..0000000000 +index 7a464b6..0000000 --- a/lib/isc/safe.c +++ /dev/null -@@ -1,81 +0,0 @@ +@@ -1,83 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * @@ -172,6 +172,8 @@ index 5c9e1e2d13..0000000000 - -#include <config.h> - +-#include <stdbool.h> +- -#include <isc/safe.h> -#include <isc/string.h> -#include <isc/util.h> @@ -184,18 +186,18 @@ index 5c9e1e2d13..0000000000 -#pragma optimize("", off) -#endif - --isc_boolean_t +-bool -isc_safe_memequal(const void *s1, const void *s2, size_t n) { -- isc_uint8_t acc = 0; +- uint8_t acc = 0; - - if (n != 0U) { -- const isc_uint8_t *p1 = s1, *p2 = s2; +- const uint8_t *p1 = s1, *p2 = s2; - - do { - acc |= *p1++ ^ *p2++; - } while (--n != 0U); - } -- return (ISC_TF(acc == 0)); +- return (acc == 0); -} - - @@ -239,7 +241,7 @@ index 5c9e1e2d13..0000000000 -#endif -} diff --git a/lib/isc/tests/safe_test.c b/lib/isc/tests/safe_test.c -index f721cd1096..ea3e61f98d 100644 +index f721cd1..ea3e61f 100644 --- a/lib/isc/tests/safe_test.c +++ b/lib/isc/tests/safe_test.c @@ -39,24 +39,6 @@ ATF_TC_BODY(isc_safe_memequal, tc) { diff --git a/bind-9.11-rt31459.patch b/bind-9.11-rt31459.patch index 6208ef2..06847bf 100644 --- a/bind-9.11-rt31459.patch +++ b/bind-9.11-rt31459.patch @@ -1,4 +1,4 @@ -From ae9c9ef5a5ba06cf57b5a87b5f2bbc71649ba41b Mon Sep 17 00:00:00 2001 +From 45209f5153693339c4582795714b6859693673fc Mon Sep 17 00:00:00 2001 From: Evan Hunt each@isc.org Date: Tue, 12 Sep 2017 19:05:46 -0700 Subject: [PATCH] rebased rt31459c 
@@ -24,7 +24,7 @@ Include new unit test bin/named/server.c | 6 + bin/nsupdate/nsupdate.c | 18 ++- bin/tests/makejournal.c | 6 +- - bin/tests/system/pipelined/pipequeries.c | 20 ++- + bin/tests/system/pipelined/pipequeries.c | 21 ++- bin/tests/system/pipelined/tests.sh | 4 +- bin/tests/system/rsabigexponent/bigkey.c | 4 + bin/tests/system/tkey/keycreate.c | 26 +++- @@ -35,14 +35,14 @@ Include new unit test configure.in | 77 +++++++++- lib/dns/dst_api.c | 21 ++- lib/dns/include/dst/dst.h | 8 + - lib/dns/lib.c | 17 ++- + lib/dns/lib.c | 15 +- lib/dns/openssl_link.c | 72 ++++++++- lib/dns/pkcs11.c | 29 +++- lib/dns/tests/Atffile | 1 + lib/dns/tests/Kyuafile | 1 + lib/dns/tests/Makefile.in | 7 + lib/dns/tests/dnstest.c | 14 +- - lib/dns/tests/dstrandom_test.c | 105 +++++++++++++ + lib/dns/tests/dstrandom_test.c | 99 ++++++++++++ lib/dns/win32/libdns.def.in | 7 + lib/isc/entropy.c | 24 +++ lib/isc/include/isc/entropy.h | 12 ++ @@ -51,11 +51,11 @@ Include new unit test lib/isc/pk11.c | 12 +- lib/isc/win32/include/isc/platform.h.in | 5 + win32utils/Configure | 29 +++- - 38 files changed, 704 insertions(+), 184 deletions(-) + 38 files changed, 699 insertions(+), 182 deletions(-) create mode 100644 lib/dns/tests/dstrandom_test.c
diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c -index 11cc54d..fa439cc 100644 +index 5015abb..295e16f 100644 --- a/bin/confgen/keygen.c +++ b/bin/confgen/keygen.c @@ -165,6 +165,13 @@ generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg, @@ -66,17 +66,17 @@ index 11cc54d..fa439cc 100644 + if (randomfile != NULL && + strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { + randomfile = NULL; -+ isc_entropy_usehook(ectx, ISC_TRUE); ++ isc_entropy_usehook(ectx, true); + } +#endif DO("start entropy source", isc_entropy_usebestsource(ectx, &entropy_source, randomfile, diff --git a/bin/dnssec/dnssec-dsfromkey.c b/bin/dnssec/dnssec-dsfromkey.c -index 94a982c..897c497 100644 +index 65fdaaa..6612189 100644 --- a/bin/dnssec/dnssec-dsfromkey.c +++ b/bin/dnssec/dnssec-dsfromkey.c -@@ -495,14 +495,14 @@ main(int argc, char **argv) { +@@ -497,14 +497,14 @@ main(int argc, char **argv) {
if (ectx == NULL) setup_entropy(mctx, NULL, &ectx); @@ -94,7 +94,7 @@ index 94a982c..897c497 100644 isc_entropy_stopcallbacksources(ectx);
setup_logging(mctx, &log); -@@ -564,8 +564,8 @@ main(int argc, char **argv) { +@@ -566,8 +566,8 @@ main(int argc, char **argv) { if (dns_rdataset_isassociated(&rdataset)) dns_rdataset_disassociate(&rdataset); cleanup_logging(&log); @@ -105,10 +105,10 @@ index 94a982c..897c497 100644 dns_name_destroy(); if (verbose > 10) diff --git a/bin/dnssec/dnssec-importkey.c b/bin/dnssec/dnssec-importkey.c -index 2edf614..840316c 100644 +index 0d1e7f8..79c4d74 100644 --- a/bin/dnssec/dnssec-importkey.c +++ b/bin/dnssec/dnssec-importkey.c -@@ -406,14 +406,14 @@ main(int argc, char **argv) { +@@ -407,14 +407,14 @@ main(int argc, char **argv) {
if (ectx == NULL) setup_entropy(mctx, NULL, &ectx); @@ -126,7 +126,7 @@ index 2edf614..840316c 100644 isc_entropy_stopcallbacksources(ectx);
setup_logging(mctx, &log); -@@ -457,8 +457,8 @@ main(int argc, char **argv) { +@@ -458,8 +458,8 @@ main(int argc, char **argv) { if (dns_rdataset_isassociated(&rdataset)) dns_rdataset_disassociate(&rdataset); cleanup_logging(&log); @@ -137,10 +137,10 @@ index 2edf614..840316c 100644 dns_name_destroy(); if (verbose > 10) diff --git a/bin/dnssec/dnssec-revoke.c b/bin/dnssec/dnssec-revoke.c -index 10fad0b..0b68e99 100644 +index 1a2b545..e33cb8b 100644 --- a/bin/dnssec/dnssec-revoke.c +++ b/bin/dnssec/dnssec-revoke.c -@@ -182,14 +182,14 @@ main(int argc, char **argv) { +@@ -184,14 +184,14 @@ main(int argc, char **argv) {
if (ectx == NULL) setup_entropy(mctx, NULL, &ectx); @@ -158,7 +158,7 @@ index 10fad0b..0b68e99 100644 isc_entropy_stopcallbacksources(ectx);
result = dst_key_fromnamedfile(filename, dir, -@@ -271,8 +271,8 @@ main(int argc, char **argv) { +@@ -273,8 +273,8 @@ main(int argc, char **argv) {
cleanup: dst_key_free(&key); @@ -169,10 +169,10 @@ index 10fad0b..0b68e99 100644 if (verbose > 10) isc_mem_stats(mctx, stdout); diff --git a/bin/dnssec/dnssec-settime.c b/bin/dnssec/dnssec-settime.c -index 360cdb9..b7bf171 100644 +index f355903..6a2ca59 100644 --- a/bin/dnssec/dnssec-settime.c +++ b/bin/dnssec/dnssec-settime.c -@@ -380,14 +380,14 @@ main(int argc, char **argv) { +@@ -382,14 +382,14 @@ main(int argc, char **argv) {
if (ectx == NULL) setup_entropy(mctx, NULL, &ectx); @@ -190,7 +190,7 @@ index 360cdb9..b7bf171 100644 isc_entropy_stopcallbacksources(ectx);
if (predecessor != NULL) { -@@ -672,8 +672,8 @@ main(int argc, char **argv) { +@@ -674,8 +674,8 @@ main(int argc, char **argv) { if (prevkey != NULL) dst_key_free(&prevkey); dst_key_free(&key); @@ -201,10 +201,10 @@ index 360cdb9..b7bf171 100644 if (verbose > 10) isc_mem_stats(mctx, stdout); diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c -index 1bea357..53be1f5 100644 +index c6a0313..6ddaebe 100644 --- a/bin/dnssec/dnssec-signzone.c +++ b/bin/dnssec/dnssec-signzone.c -@@ -3459,14 +3459,15 @@ main(int argc, char *argv[]) { +@@ -3460,14 +3460,15 @@ main(int argc, char *argv[]) { if (!pseudorandom) eflags |= ISC_ENTROPY_GOODONLY;
@@ -224,7 +224,7 @@ index 1bea357..53be1f5 100644 isc_stdtime_get(&now);
if (startstr != NULL) { -@@ -3878,8 +3879,8 @@ main(int argc, char *argv[]) { +@@ -3879,8 +3880,8 @@ main(int argc, char *argv[]) { dns_master_styledestroy(&dsstyle, mctx);
cleanup_logging(&log); @@ -235,10 +235,10 @@ index 1bea357..53be1f5 100644 dns_name_destroy(); if (verbose > 10) diff --git a/bin/dnssec/dnssec-verify.c b/bin/dnssec/dnssec-verify.c -index 792510a..dc32765 100644 +index 4c293bf..3263cbc 100644 --- a/bin/dnssec/dnssec-verify.c +++ b/bin/dnssec/dnssec-verify.c -@@ -280,15 +280,15 @@ main(int argc, char *argv[]) { +@@ -281,15 +281,15 @@ main(int argc, char *argv[]) { if (ectx == NULL) setup_entropy(mctx, NULL, &ectx);
@@ -259,10 +259,10 @@ index 792510a..dc32765 100644
rdclass = strtoclass(classname); diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c -index dc32c90..4ea9eaf 100644 +index fbc7ece..31a99e7 100644 --- a/bin/dnssec/dnssectool.c +++ b/bin/dnssec/dnssectool.c -@@ -32,6 +32,7 @@ +@@ -34,6 +34,7 @@ #include <isc/heap.h> #include <isc/list.h> #include <isc/mem.h> @@ -270,7 +270,7 @@ index dc32c90..4ea9eaf 100644 #include <isc/print.h> #include <isc/string.h> #include <isc/time.h> -@@ -233,7 +234,8 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { +@@ -235,7 +236,8 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { if (*ectx == NULL) { result = isc_entropy_create(mctx, ectx); if (result != ISC_R_SUCCESS) @@ -280,7 +280,7 @@ index dc32c90..4ea9eaf 100644 ISC_LIST_INIT(sources); }
-@@ -242,6 +244,13 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { +@@ -244,6 +246,13 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { randomfile = NULL; }
@@ -288,17 +288,17 @@ index dc32c90..4ea9eaf 100644 + if (randomfile != NULL && + strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { + randomfile = NULL; -+ isc_entropy_usehook(*ectx, ISC_TRUE); ++ isc_entropy_usehook(*ectx, true); + } +#endif result = isc_entropy_usebestsource(*ectx, &source, randomfile, usekeyboard);
diff --git a/bin/named/server.c b/bin/named/server.c -index 59a8998..ee5186c 100644 +index 7f87ccf..9258e7f 100644 --- a/bin/named/server.c +++ b/bin/named/server.c -@@ -34,6 +34,7 @@ +@@ -36,6 +36,7 @@ #include <isc/lex.h> #include <isc/meminfo.h> #include <isc/parseint.h> @@ -306,18 +306,18 @@ index 59a8998..ee5186c 100644 #include <isc/portset.h> #include <isc/print.h> #include <isc/random.h> -@@ -8083,6 +8084,10 @@ load_configuration(const char *filename, ns_server_t *server, +@@ -8171,6 +8172,10 @@ load_configuration(const char *filename, ns_server_t *server, "no source of entropy found"); } else { const char *randomdev = cfg_obj_asstring(obj); +#ifdef ISC_PLATFORM_CRYPTORANDOM + if (strcmp(randomdev, ISC_PLATFORM_CRYPTORANDOM) == 0) -+ isc_entropy_usehook(ns_g_entropy, ISC_TRUE); ++ isc_entropy_usehook(ns_g_entropy, true); +#else int level = ISC_LOG_ERROR; result = isc_entropy_createfilesource(ns_g_entropy, randomdev); -@@ -8117,6 +8122,7 @@ load_configuration(const char *filename, ns_server_t *server, +@@ -8205,6 +8210,7 @@ load_configuration(const char *filename, ns_server_t *server, } isc_entropy_detach(&ns_g_fallbackentropy); } @@ -326,10 +326,10 @@ index 59a8998..ee5186c 100644 } } diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c -index bb5d500..46c7acf 100644 +index 5eefc57..1559a33 100644 --- a/bin/nsupdate/nsupdate.c +++ b/bin/nsupdate/nsupdate.c -@@ -33,6 +33,7 @@ +@@ -35,6 +35,7 @@ #include <isc/mem.h> #include <isc/parseint.h> #include <isc/print.h> @@ -337,7 +337,7 @@ index bb5d500..46c7acf 100644 #include <isc/random.h> #include <isc/region.h> #include <isc/sockaddr.h> -@@ -269,7 +270,8 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { +@@ -271,7 +272,8 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { if (*ectx == NULL) { result = isc_entropy_create(mctx, ectx); if (result != ISC_R_SUCCESS) @@ -347,7 +347,7 @@ index bb5d500..46c7acf 100644 ISC_LIST_INIT(sources); }
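Review bot: With `ISC_PLATFORM_CRYPTORANDOM` defined, the block added to `load_configuration()` in bin/named/server.c acts only when `random-device` equals that constant. The `isc_entropy_createfilesource()` call sits in the `#else` branch, so from the lines shown any other configured device appears to be skipped without a log message. An operator who set an explicit entropy device would get no sign that it was ignored. I would add an `else` that logs a warning naming `randomdev`, for example `else isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_WARNING, "random-device '%s' ignored", randomdev);`. The rest of the function and the closing `#endif` lie outside this hunk, so this should be confirmed against the full file.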
-@@ -278,6 +280,13 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { +@@ -280,6 +282,13 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { randomfile = NULL; }
@@ -355,13 +355,13 @@ index bb5d500..46c7acf 100644 + if (randomfile != NULL && + strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { + randomfile = NULL; -+ isc_entropy_usehook(*ectx, ISC_TRUE); ++ isc_entropy_usehook(*ectx, true); + } +#endif result = isc_entropy_usebestsource(*ectx, &source, randomfile, usekeyboard);
-@@ -948,11 +957,11 @@ setup_system(void) { +@@ -950,11 +959,11 @@ setup_system(void) { } }
@@ -375,9 +375,9 @@ index bb5d500..46c7acf 100644
result = dns_dispatchmgr_create(gmctx, entropy, &dispatchmgr); check_result(result, "dns_dispatchmgr_create"); -@@ -976,6 +985,9 @@ setup_system(void) { +@@ -978,6 +987,9 @@ setup_system(void) { check_result(result, "dst_lib_init"); - is_dst_up = ISC_TRUE; + is_dst_up = true;
+ /* moved after dst_lib_init() */ + isc_hash_init(); @@ -386,30 +386,30 @@ index bb5d500..46c7acf 100644 attrmask |= DNS_DISPATCHATTR_IPV4 | DNS_DISPATCHATTR_IPV6;
diff --git a/bin/tests/makejournal.c b/bin/tests/makejournal.c -index fed59be..9f125da 100644 +index 61a41b0..acc71a1 100644 --- a/bin/tests/makejournal.c +++ b/bin/tests/makejournal.c -@@ -100,12 +100,12 @@ main(int argc, char **argv) { +@@ -102,12 +102,12 @@ main(int argc, char **argv) { CHECK(isc_mem_create(0, 0, &mctx)); CHECK(isc_entropy_create(mctx, &ectx));
- CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)); -- hash_active = ISC_TRUE; +- hash_active = true; - CHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_BLOCKING)); - dst_active = ISC_TRUE; + dst_active = true;
+ CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)); -+ hash_active = ISC_TRUE; ++ hash_active = true; + CHECK(isc_log_create(mctx, &lctx, &logconfig)); isc_log_registercategories(lctx, categories); isc_log_setcontext(lctx); diff --git a/bin/tests/system/pipelined/pipequeries.c b/bin/tests/system/pipelined/pipequeries.c -index 379b6a3..810d99e 100644 +index 2fcc064..7b4f617 100644 --- a/bin/tests/system/pipelined/pipequeries.c +++ b/bin/tests/system/pipelined/pipequeries.c -@@ -202,6 +202,7 @@ sendqueries(isc_task_t *task, isc_event_t *event) { +@@ -204,6 +204,7 @@ sendqueries(isc_task_t *task, isc_event_t *event) {
int main(int argc, char *argv[]) { @@ -417,16 +417,17 @@ index 379b6a3..810d99e 100644 isc_sockaddr_t bind_any; struct in_addr inaddr; isc_result_t result; -@@ -222,7 +223,7 @@ main(int argc, char *argv[]) { +@@ -224,7 +225,8 @@ main(int argc, char *argv[]) { UNUSED(argv);
- isc_commandline_errprint = ISC_FALSE; + isc_commandline_errprint = false; - while ((c = isc_commandline_parse(argc, argv, "p:")) != -1) { -+ while ((c = isc_commandline_parse(argc, argv, "p:r:")) != -1) { ++ while ((c = isc_commandline_parse(argc, argv, "p:r:")) != -1) ++ { switch (c) { case 'p': result = isc_parse_uint16(&port, -@@ -233,6 +234,9 @@ main(int argc, char *argv[]) { +@@ -235,6 +237,9 @@ main(int argc, char *argv[]) { exit(1); } break; @@ -436,7 +437,7 @@ index 379b6a3..810d99e 100644 case '?': fprintf(stderr, "%s: invalid argument '%c'", argv[0], c); -@@ -274,10 +278,18 @@ main(int argc, char *argv[]) { +@@ -276,10 +281,18 @@ main(int argc, char *argv[]) {
ectx = NULL; RUNCHECK(isc_entropy_create(mctx, &ectx)); @@ -446,7 +447,7 @@ index 379b6a3..810d99e 100644 + if (randomfile != NULL && + strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { + randomfile = NULL; -+ isc_entropy_usehook(ectx, ISC_TRUE); ++ isc_entropy_usehook(ectx, true); + } +#endif + if (randomfile != NULL) @@ -457,7 +458,7 @@ index 379b6a3..810d99e 100644
taskmgr = NULL; RUNCHECK(isc_taskmgr_create(mctx, 1, 0, &taskmgr)); -@@ -330,8 +342,8 @@ main(int argc, char *argv[]) { +@@ -332,8 +345,8 @@ main(int argc, char *argv[]) { isc_task_detach(&task); isc_taskmgr_destroy(&taskmgr);
@@ -490,7 +491,7 @@ index a6720ce..9063b1f 100644 diff refb outputb || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi diff --git a/bin/tests/system/rsabigexponent/bigkey.c b/bin/tests/system/rsabigexponent/bigkey.c -index 4462f2e..f1230d8 100644 +index 4462f2e..f06268d 100644 --- a/bin/tests/system/rsabigexponent/bigkey.c +++ b/bin/tests/system/rsabigexponent/bigkey.c @@ -20,6 +20,7 @@ @@ -506,13 +507,13 @@ index 4462f2e..f1230d8 100644 CHECK(isc_mem_create(0, 0, &mctx), "isc_mem_create()"); CHECK(isc_entropy_create(mctx, &ectx), "isc_entropy_create()"); +#ifdef ISC_PLATFORM_CRYPTORANDOM -+ isc_entropy_usehook(ectx, ISC_TRUE); ++ isc_entropy_usehook(ectx, true); +#endif CHECK(isc_entropy_usebestsource(ectx, &source, "../random.data", ISC_ENTROPY_KEYBOARDNO), diff --git a/bin/tests/system/tkey/keycreate.c b/bin/tests/system/tkey/keycreate.c -index 489f439..4f2f5b4 100644 +index 653c951..fe8698e 100644 --- a/bin/tests/system/tkey/keycreate.c +++ b/bin/tests/system/tkey/keycreate.c @@ -206,6 +206,7 @@ sendquery(isc_task_t *task, isc_event_t *event) { @@ -555,7 +556,7 @@ index 489f439..4f2f5b4 100644 + if (randomfile != NULL && + strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { + randomfile = NULL; -+ isc_entropy_usehook(ectx, ISC_TRUE); ++ isc_entropy_usehook(ectx, true); + } +#endif + if (randomfile != NULL) @@ -581,7 +582,7 @@ index 489f439..4f2f5b4 100644
isc_mem_destroy(&mctx); diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c -index 36ee6c7..0975bbe 100644 +index 70a40c3..2146f9b 100644 --- a/bin/tests/system/tkey/keydelete.c +++ b/bin/tests/system/tkey/keydelete.c @@ -136,6 +136,7 @@ sendquery(isc_task_t *task, isc_event_t *event) { @@ -624,7 +625,7 @@ index 36ee6c7..0975bbe 100644 + if (randomfile != NULL && + strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { + randomfile = NULL; -+ isc_entropy_usehook(ectx, ISC_TRUE); ++ isc_entropy_usehook(ectx, true); + } +#endif + if (randomfile != NULL) @@ -639,7 +640,7 @@ index 36ee6c7..0975bbe 100644
taskmgr = NULL; RUNCHECK(isc_taskmgr_create(mctx, 1, 0, &taskmgr)); -@@ -265,8 +285,8 @@ main(int argc, char **argv) { +@@ -264,8 +284,8 @@ main(int argc, char **argv) {
isc_log_destroy(&log);
@@ -690,10 +691,10 @@ index 9f90dd7..fad6c83 100644 echo "I:failed" status=`expr $status + $ret` diff --git a/bin/tools/mdig.c b/bin/tools/mdig.c -index 1f5dd4c..4e3bfa5 100644 +index 4876875..e46653a 100644 --- a/bin/tools/mdig.c +++ b/bin/tools/mdig.c -@@ -1933,12 +1933,11 @@ main(int argc, char *argv[]) { +@@ -1955,12 +1955,11 @@ main(int argc, char *argv[]) {
ectx = NULL; RUNCHECK(isc_entropy_create(mctx, &ectx)); @@ -705,10 +706,10 @@ index 1f5dd4c..4e3bfa5 100644 - RUNCHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_GOODONLY)); - ISC_LIST_INIT(queries); - parse_args(ISC_FALSE, argc, argv); + parse_args(false, argc, argv); if (server == NULL) diff --git a/configure b/configure -index c83773a..ac1ea3f 100755 +index 4394755..2e0af33 100755 --- a/configure +++ b/configure @@ -640,6 +640,7 @@ ac_includes_default="\ @@ -719,7 +720,7 @@ index c83773a..ac1ea3f 100755 BUILD_LIBS BUILD_LDFLAGS BUILD_CPPFLAGS -@@ -825,6 +826,7 @@ XMLSTATS +@@ -823,6 +824,7 @@ XMLSTATS NZDTARGETS NZDSRCS NZD_TOOLS @@ -727,7 +728,7 @@ index c83773a..ac1ea3f 100755 PKCS11_TEST PKCS11_ED25519 PKCS11_GOST -@@ -1037,6 +1039,7 @@ with_eddsa +@@ -1035,6 +1037,7 @@ with_eddsa with_aes enable_openssl_hash with_cc_alg @@ -735,7 +736,7 @@ index c83773a..ac1ea3f 100755 with_lmdb with_libxml2 with_libjson -@@ -1730,6 +1733,7 @@ Optional Features: +@@ -1728,6 +1731,7 @@ Optional Features: --enable-threads enable multithreading --enable-native-pkcs11 use native PKCS11 for all crypto [default=no] --enable-openssl-hash use OpenSSL for hash functions [default=no] @@ -743,7 +744,7 @@ index c83773a..ac1ea3f 100755 --enable-largefile 64-bit file support --enable-backtrace log stack backtrace on abort [default=yes] --enable-symtable use internal symbol table for backtrace -@@ -16486,6 +16490,7 @@ case "$use_openssl" in +@@ -16631,6 +16635,7 @@ case "$use_openssl" in $as_echo "disabled because of native PKCS11" >&6; } DST_OPENSSL_INC="" CRYPTO="-DPKCS11CRYPTO" @@ -751,7 +752,7 @@ index c83773a..ac1ea3f 100755 OPENSSLECDSALINKOBJS="" OPENSSLECDSALINKSRCS="" OPENSSLEDDSALINKOBJS="" -@@ -16500,6 +16505,7 @@ $as_echo "disabled because of native PKCS11" >&6; } +@@ -16645,6 +16650,7 @@ $as_echo "disabled because of native PKCS11" >&6; } $as_echo "no" >&6; } DST_OPENSSL_INC="" CRYPTO="" 
@@ -759,7 +760,7 @@ index c83773a..ac1ea3f 100755 OPENSSLECDSALINKOBJS="" OPENSSLECDSALINKSRCS="" OPENSSLEDDSALINKOBJS="" -@@ -16512,6 +16518,7 @@ $as_echo "no" >&6; } +@@ -16657,6 +16663,7 @@ $as_echo "no" >&6; } auto) DST_OPENSSL_INC="" CRYPTO="" @@ -767,7 +768,7 @@ index c83773a..ac1ea3f 100755 OPENSSLECDSALINKOBJS="" OPENSSLECDSALINKSRCS="" OPENSSLEDDSALINKOBJS="" -@@ -16521,7 +16528,7 @@ $as_echo "no" >&6; } +@@ -16666,7 +16673,7 @@ $as_echo "no" >&6; } OPENSSLLINKOBJS="" OPENSSLLINKSRCS="" as_fn_error $? "OpenSSL was not found in any of $openssldirs; use --with-openssl=/path @@ -776,7 +777,7 @@ index c83773a..ac1ea3f 100755 ;; *) if test "yes" = "$want_native_pkcs11" -@@ -16552,6 +16559,7 @@ $as_echo "not found" >&6; } +@@ -16697,6 +16704,7 @@ $as_echo "not found" >&6; } as_fn_error $? ""$use_openssl/include/openssl/opensslv.h" not found" "$LINENO" 5 fi CRYPTO='-DOPENSSL' @@ -784,7 +785,7 @@ index c83773a..ac1ea3f 100755 if test "/usr" = "$use_openssl" then DST_OPENSSL_INC="" -@@ -17213,8 +17221,6 @@ fi +@@ -17358,8 +17366,6 @@ fi # Use OpenSSL for hash functions #
@@ -793,7 +794,7 @@ index c83773a..ac1ea3f 100755 ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH" case $want_openssl_hash in yes) -@@ -17583,6 +17589,86 @@ if test "rt" = "$have_clock_gt"; then +@@ -17728,6 +17734,86 @@ if test "rt" = "$have_clock_gt"; then LIBS="-lrt $LIBS" fi
@@ -880,7 +881,7 @@ index c83773a..ac1ea3f 100755 # # was --with-lmdb specified? # -@@ -19665,9 +19751,12 @@ _ACEOF +@@ -19810,9 +19896,12 @@ _ACEOF if ac_fn_c_try_compile "$LINENO"; then : { $as_echo "$as_me:${as_lineno-$LINENO}: result: size_t for buflen; int for flags" >&5 $as_echo "size_t for buflen; int for flags" >&6; } @@ -895,7 +896,7 @@ index c83773a..ac1ea3f 100755
$as_echo "#define IRS_GETNAMEINFO_FLAGS_T int" >>confdefs.h
-@@ -21032,12 +21121,7 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM" +@@ -21123,12 +21212,7 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM" ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM" ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM" if test "yes" = "$use_atomic"; then @@ -909,7 +910,7 @@ index c83773a..ac1ea3f 100755 # version HP92453-01 B.11.11.23709.GP, which incorrectly rejects # declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. # This bug is HP SR number 8606223364. -@@ -21070,6 +21154,11 @@ cat >>confdefs.h <<_ACEOF +@@ -21161,6 +21245,11 @@ cat >>confdefs.h <<_ACEOF _ACEOF
@@ -921,7 +922,7 @@ index c83773a..ac1ea3f 100755 if test $ac_cv_sizeof_void_p = 8; then arch=x86_64 have_xaddq=yes -@@ -21078,39 +21167,6 @@ _ACEOF +@@ -21169,39 +21258,6 @@ _ACEOF fi ;; x86_64-*|amd64-*) @@ -961,7 +962,7 @@ index c83773a..ac1ea3f 100755 if test $ac_cv_sizeof_void_p = 8; then arch=x86_64 have_xaddq=yes -@@ -21141,6 +21197,10 @@ $as_echo_n "checking architecture type for atomic operations... " >&6; } +@@ -21232,6 +21288,10 @@ $as_echo_n "checking architecture type for atomic operations... " >&6; } $as_echo "$arch" >&6; } fi
@@ -972,7 +973,7 @@ index c83773a..ac1ea3f 100755 if test "yes" = "$have_atomic"; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking compiler support for inline assembly code" >&5 $as_echo_n "checking compiler support for inline assembly code... " >&6; } -@@ -23428,6 +23488,30 @@ CFLAGS="$CFLAGS $SO_CFLAGS" +@@ -23519,6 +23579,30 @@ CFLAGS="$CFLAGS $SO_CFLAGS" # dlzdir='${DLZ_DRIVER_DIR}'
@@ -1003,7 +1004,7 @@ index c83773a..ac1ea3f 100755 # # Private autoconf macro to simplify configuring drivers: # -@@ -23758,11 +23842,11 @@ $as_echo "no" >&6; } +@@ -23849,11 +23933,11 @@ $as_echo "no" >&6; } $as_echo "using mysql with libs ${mysql_lib} and includes ${mysql_include}" >&6; } ;; *) @@ -1018,7 +1019,7 @@ index c83773a..ac1ea3f 100755 fi
CONTRIB_DLZ="$CONTRIB_DLZ -DDLZ_MYSQL" -@@ -23847,7 +23931,7 @@ $as_echo "" >&6; } +@@ -23938,7 +24022,7 @@ $as_echo "" >&6; } # Check other locations for includes. # Order is important (sigh).
@@ -1027,13 +1028,12 @@ index c83773a..ac1ea3f 100755 # include a blank element first for d in "" $bdb_incdirs do -@@ -23872,57 +23956,9 @@ $as_echo "" >&6; } +@@ -23963,57 +24047,9 @@ $as_echo "" >&6; } bdb_libnames="db53 db-5.3 db51 db-5.1 db48 db-4.8 db47 db-4.7 db46 db-4.6 db45 db-4.5 db44 db-4.4 db43 db-4.3 db42 db-4.2 db41 db-4.1 db" for d in $bdb_libnames do - if test "$dd" = "/usr" -+ if test -f "$dd/${target_lib}/lib${d}.so" - then +- then - as_ac_Lib=`$as_echo "ac_cv_lib_$d''_db_create" | $as_tr_sh` -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for db_create in -l$d" >&5 -$as_echo_n "checking for db_create in -l$d... " >&6; } @@ -1081,13 +1081,14 @@ index c83773a..ac1ea3f 100755 - break - fi - elif test -f "$dd/lib/lib${d}.so" -- then ++ if test -f "$dd/${target_lib}/lib${d}.so" + then - dlz_bdb_libs="-L${dd}/lib -l${d}" + dlz_bdb_libs="-L${dd}/${target_lib}/libdb -l${d}" break fi done -@@ -24081,10 +24117,10 @@ $as_echo "no" >&6; } +@@ -24172,10 +24208,10 @@ $as_echo "no" >&6; } DLZ_DRIVER_INCLUDES="$DLZ_DRIVER_INCLUDES -I$use_dlz_ldap/include" DLZ_DRIVER_LDAP_INCLUDES="-I$use_dlz_ldap/include" fi @@ -1101,7 +1102,7 @@ index c83773a..ac1ea3f 100755 fi
-@@ -24170,11 +24206,11 @@ fi +@@ -24261,11 +24297,11 @@ fi odbcdirs="/usr /usr/local /usr/pkg" for d in $odbcdirs do @@ -1115,7 +1116,7 @@ index c83773a..ac1ea3f 100755 break fi done -@@ -24449,6 +24485,8 @@ DNS_CRYPTO_LIBS="$NEWFLAGS" +@@ -24540,6 +24576,8 @@ DNS_CRYPTO_LIBS="$NEWFLAGS"
@@ -1124,7 +1125,7 @@ index c83773a..ac1ea3f 100755 # # Commands to run at the end of config.status. # Don't just put these into configure, it won't work right if somebody -@@ -26839,6 +26877,8 @@ report() { +@@ -26930,6 +26968,8 @@ report() { echo " IPv6 support (--enable-ipv6)" test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \ echo " OpenSSL cryptography/DNSSEC (--with-openssl)" @@ -1133,7 +1134,7 @@ index c83773a..ac1ea3f 100755 test "X$PYTHON" = "X" || echo " Python tools (--with-python)" test "X$XMLSTATS" = "X" || echo " XML statistics (--with-libxml2)" test "X$JSONSTATS" = "X" || echo " JSON statistics (--with-libjson)" -@@ -26879,6 +26919,8 @@ report() { +@@ -26970,6 +27010,8 @@ report() { echo " Very verbose query trace logging (--enable-querytrace)" test "no" = "$atf" || echo " Automated Testing Framework (--with-atf)"
@@ -1142,7 +1143,7 @@ index c83773a..ac1ea3f 100755 echo " Dynamically loadable zone (DLZ) drivers:" test "no" = "$use_dlz_bdb" || \ echo " Berkeley DB (--with-dlz-bdb)" -@@ -26926,6 +26968,8 @@ report() { +@@ -27017,6 +27059,8 @@ report() { echo " ECDSA algorithm support (--with-ecdsa)" test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \ echo " EDDSA algorithm support (--with-eddsa)" @@ -1152,10 +1153,10 @@ index c83773a..ac1ea3f 100755 test "yes" = "$enable_seccomp" || \ echo " Use libseccomp system call filtering (--enable-seccomp)" diff --git a/configure.in b/configure.in -index 9a1d16d..849fa94 100644 +index b07895f..898b4ac 100644 --- a/configure.in +++ b/configure.in -@@ -1597,6 +1597,7 @@ case "$use_openssl" in +@@ -1542,6 +1542,7 @@ case "$use_openssl" in AC_MSG_RESULT(disabled because of native PKCS11) DST_OPENSSL_INC="" CRYPTO="-DPKCS11CRYPTO" @@ -1163,7 +1164,7 @@ index 9a1d16d..849fa94 100644 OPENSSLECDSALINKOBJS="" OPENSSLECDSALINKSRCS="" OPENSSLEDDSALINKOBJS="" -@@ -1610,6 +1611,7 @@ case "$use_openssl" in +@@ -1555,6 +1556,7 @@ case "$use_openssl" in AC_MSG_RESULT(no) DST_OPENSSL_INC="" CRYPTO="" @@ -1171,7 +1172,7 @@ index 9a1d16d..849fa94 100644 OPENSSLECDSALINKOBJS="" OPENSSLECDSALINKSRCS="" OPENSSLEDDSALINKOBJS="" -@@ -1622,6 +1624,7 @@ case "$use_openssl" in +@@ -1567,6 +1569,7 @@ case "$use_openssl" in auto) DST_OPENSSL_INC="" CRYPTO="" @@ -1179,7 +1180,7 @@ index 9a1d16d..849fa94 100644 OPENSSLECDSALINKOBJS="" OPENSSLECDSALINKSRCS="" OPENSSLEDDSALINKOBJS="" -@@ -1632,7 +1635,7 @@ case "$use_openssl" in +@@ -1577,7 +1580,7 @@ case "$use_openssl" in OPENSSLLINKSRCS="" AC_MSG_ERROR( [OpenSSL was not found in any of $openssldirs; use --with-openssl=/path 
@@ -1188,7 +1189,7 @@ index 9a1d16d..849fa94 100644 ;; *) if test "yes" = "$want_native_pkcs11" -@@ -1662,6 +1665,7 @@ If you don't want OpenSSL, use --without-openssl]) +@@ -1607,6 +1610,7 @@ If you don't want OpenSSL, use --without-openssl]) AC_MSG_ERROR(["$use_openssl/include/openssl/opensslv.h" not found]) fi CRYPTO='-DOPENSSL' @@ -1196,7 +1197,7 @@ index 9a1d16d..849fa94 100644 if test "/usr" = "$use_openssl" then DST_OPENSSL_INC="" -@@ -2135,7 +2139,6 @@ fi +@@ -2080,7 +2084,6 @@ fi # Use OpenSSL for hash functions #
@@ -1204,7 +1205,7 @@ index 9a1d16d..849fa94 100644 ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH" case $want_openssl_hash in yes) -@@ -2402,6 +2405,67 @@ if test "rt" = "$have_clock_gt"; then +@@ -2347,6 +2350,67 @@ if test "rt" = "$have_clock_gt"; then LIBS="-lrt $LIBS" fi
@@ -1272,7 +1273,7 @@ index 9a1d16d..849fa94 100644 # # was --with-lmdb specified? # -@@ -4235,12 +4299,12 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM" +@@ -4139,12 +4203,12 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM" ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM" ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM" if test "yes" = "$use_atomic"; then @@ -1286,7 +1287,7 @@ index 9a1d16d..849fa94 100644 if test $ac_cv_sizeof_void_p = 8; then arch=x86_64 have_xaddq=yes -@@ -4249,7 +4313,6 @@ if test "yes" = "$use_atomic"; then +@@ -4153,7 +4217,6 @@ if test "yes" = "$use_atomic"; then fi ;; x86_64-*|amd64-*) @@ -1294,7 +1295,7 @@ index 9a1d16d..849fa94 100644 if test $ac_cv_sizeof_void_p = 8; then arch=x86_64 have_xaddq=yes -@@ -5613,6 +5676,8 @@ report() { +@@ -5517,6 +5580,8 @@ report() { echo " IPv6 support (--enable-ipv6)" test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \ echo " OpenSSL cryptography/DNSSEC (--with-openssl)" @@ -1303,7 +1304,7 @@ index 9a1d16d..849fa94 100644 test "X$PYTHON" = "X" || echo " Python tools (--with-python)" test "X$XMLSTATS" = "X" || echo " XML statistics (--with-libxml2)" test "X$JSONSTATS" = "X" || echo " JSON statistics (--with-libjson)" -@@ -5653,6 +5718,8 @@ report() { +@@ -5557,6 +5622,8 @@ report() { echo " Very verbose query trace logging (--enable-querytrace)" test "no" = "$atf" || echo " Automated Testing Framework (--with-atf)"
@@ -1312,7 +1313,7 @@ index 9a1d16d..849fa94 100644 echo " Dynamically loadable zone (DLZ) drivers:" test "no" = "$use_dlz_bdb" || \ echo " Berkeley DB (--with-dlz-bdb)" -@@ -5700,6 +5767,8 @@ report() { +@@ -5604,6 +5671,8 @@ report() { echo " ECDSA algorithm support (--with-ecdsa)" test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \ echo " EDDSA algorithm support (--with-eddsa)" @@ -1322,10 +1323,10 @@ index 9a1d16d..849fa94 100644 test "yes" = "$enable_seccomp" || \ echo " Use libseccomp system call filtering (--enable-seccomp)" diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c -index dbece0a..803e7b3 100644 +index 5703f9c..afb4d80 100644 --- a/lib/dns/dst_api.c +++ b/lib/dns/dst_api.c -@@ -274,6 +274,12 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx, +@@ -276,6 +276,12 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx, #ifdef GSSAPI RETERR(dst__gssapi_init(&dst_t_func[DST_ALG_GSSAPI])); #endif @@ -1335,17 +1336,17 @@ index dbece0a..803e7b3 100644 + isc_entropy_sethook(dst_random_getdata); +#endif +#endif /* defined(OPENSSL) || defined(PKCS11CRYPTO) */ - dst_initialized = ISC_TRUE; + dst_initialized = true; return (ISC_R_SUCCESS);
-@@ -293,11 +299,19 @@ dst_lib_destroy(void) { +@@ -295,11 +301,19 @@ dst_lib_destroy(void) { for (i = 0; i < DST_MAX_ALGS; i++) if (dst_t_func[i] != NULL && dst_t_func[i]->cleanup != NULL) dst_t_func[i]->cleanup(); +#if defined(OPENSSL) || defined(PKCS11CRYPTO) +#ifdef ISC_PLATFORM_CRYPTORANDOM + if (dst_entropy_pool != NULL) { -+ isc_entropy_usehook(dst_entropy_pool, ISC_FALSE); ++ isc_entropy_usehook(dst_entropy_pool, false); + isc_entropy_sethook(NULL); + } +#endif @@ -1358,7 +1359,7 @@ index dbece0a..803e7b3 100644 if (dst__memory_pool != NULL) isc_mem_detach(&dst__memory_pool); if (dst_entropy_pool != NULL) -@@ -2000,13 +2014,17 @@ dst__entropy_getdata(void *buf, unsigned int len, isc_boolean_t pseudo) { +@@ -1998,13 +2012,17 @@ dst__entropy_getdata(void *buf, unsigned int len, bool pseudo) { flags &= ~ISC_ENTROPY_GOODONLY; else flags |= ISC_ENTROPY_BLOCKING; @@ -1377,7 +1378,7 @@ index dbece0a..803e7b3 100644 #ifdef GSSAPI unsigned int flags = dst_entropy_flags; isc_result_t ret; -@@ -2029,6 +2047,7 @@ dst__entropy_status(void) { +@@ -2027,6 +2045,7 @@ dst__entropy_status(void) { #endif return (isc_entropy_status(dst_entropy_pool)); #else @@ -1386,10 +1387,10 @@ index dbece0a..803e7b3 100644 #endif } diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h -index fcc7b47..d9b6ab6 100644 +index 32b0742..78e1277 100644 --- a/lib/dns/include/dst/dst.h +++ b/lib/dns/include/dst/dst.h -@@ -157,6 +157,14 @@ dst_lib_destroy(void); +@@ -160,6 +160,14 @@ dst_lib_destroy(void); * Releases all resources allocated by DST. */
@@ -1401,38 +1402,30 @@ index fcc7b47..d9b6ab6 100644 + * Specialization of isc_entropy_getdata(). + */ + - isc_boolean_t + bool dst_algorithm_supported(unsigned int alg); /*%< diff --git a/lib/dns/lib.c b/lib/dns/lib.c -index 53237d5..c6d83e9 100644 +index 304814b..60543c4 100644 --- a/lib/dns/lib.c +++ b/lib/dns/lib.c -@@ -9,14 +9,13 @@ - * information regarding copyright ownership. - */ - --/* $Id: lib.c,v 1.19 2009/09/03 00:12:23 each Exp $ */ -- - /*! \file */ - - #include <config.h> - +@@ -18,6 +18,7 @@ + #include <stdbool.h> #include <stddef.h>
+#include <isc/entropy.h> #include <isc/hash.h> #include <isc/mem.h> #include <isc/msgcat.h> -@@ -77,6 +76,7 @@ static unsigned int references = 0; +@@ -78,6 +79,7 @@ static unsigned int references = 0; static void initialize(void) { isc_result_t result; + isc_entropy_t *ectx = NULL;
- REQUIRE(initialize_done == ISC_FALSE); + REQUIRE(initialize_done == false);
-@@ -87,11 +87,14 @@ initialize(void) { +@@ -88,11 +90,14 @@ initialize(void) { result = dns_ecdb_register(dns_g_mctx, &dbimp); if (result != ISC_R_SUCCESS) goto cleanup_mctx; @@ -1449,14 +1442,14 @@ index 53237d5..c6d83e9 100644 if (result != ISC_R_SUCCESS) goto cleanup_hash;
-@@ -99,11 +102,17 @@ initialize(void) { +@@ -100,11 +105,17 @@ initialize(void) { if (result != ISC_R_SUCCESS) goto cleanup_dst;
+ isc_hash_init(); + isc_entropy_detach(&ectx); + - initialize_done = ISC_TRUE; + initialize_done = true; return;
cleanup_dst: @@ -1468,7 +1461,7 @@ index 53237d5..c6d83e9 100644 isc_hash_destroy(); cleanup_db: diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c -index ec6dc7f..c1e1bde 100644 +index a30a2ab..d88d643 100644 --- a/lib/dns/openssl_link.c +++ b/lib/dns/openssl_link.c @@ -31,6 +31,7 @@ @@ -1764,68 +1757,61 @@ index 58fa872..625e809 100644 sh ${top_builddir}/unit/unittest.sh
diff --git a/lib/dns/tests/dnstest.c b/lib/dns/tests/dnstest.c -index fb9ef53..344a7c2 100644 +index 51bb90b..1b25b90 100644 --- a/lib/dns/tests/dnstest.c +++ b/lib/dns/tests/dnstest.c -@@ -120,12 +120,12 @@ dns_test_begin(FILE *logfile, isc_boolean_t start_managers) { +@@ -122,12 +122,12 @@ dns_test_begin(FILE *logfile, bool start_managers) { CHECK(isc_mem_create(0, 0, &mctx)); CHECK(isc_entropy_create(mctx, &ectx));
- CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)); -- hash_active = ISC_TRUE; +- hash_active = true; - CHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_BLOCKING)); - dst_active = ISC_TRUE; + dst_active = true;
+ CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)); -+ hash_active = ISC_TRUE; ++ hash_active = true; + if (logfile != NULL) { isc_logdestination_t destination; isc_logconfig_t *logconfig = NULL; -@@ -169,14 +169,14 @@ dns_test_begin(FILE *logfile, isc_boolean_t start_managers) { +@@ -171,14 +171,14 @@ dns_test_begin(FILE *logfile, bool start_managers) {
void dns_test_end(void) { - if (dst_active) { - dst_lib_destroy(); -- dst_active = ISC_FALSE; +- dst_active = false; - } if (hash_active) { isc_hash_destroy(); - hash_active = ISC_FALSE; + hash_active = false; } + if (dst_active) { + dst_lib_destroy(); -+ dst_active = ISC_FALSE; ++ dst_active = false; + } if (ectx != NULL) isc_entropy_detach(&ectx);
diff --git a/lib/dns/tests/dstrandom_test.c b/lib/dns/tests/dstrandom_test.c new file mode 100644 -index 0000000..d2c72e7 +index 0000000..b980d8a --- /dev/null +++ b/lib/dns/tests/dstrandom_test.c -@@ -0,0 +1,105 @@ +@@ -0,0 +1,99 @@ +/* -+ * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") ++ * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * -+ * Permission to use, copy, modify, and/or distribute this software for any -+ * purpose with or without fee is hereby granted, provided that the above -+ * copyright notice and this permission notice appear in all copies. ++ * This Source Code Form is subject to the terms of the Mozilla Public ++ * License, v. 2.0. If a copy of the MPL was not distributed with this ++ * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * -+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -+ * PERFORMANCE OF THIS SOFTWARE. ++ * See the COPYRIGHT file distributed with this work for additional ++ * information regarding copyright ownership. + */ + -+/* $Id$ */ -+ +/*! \file */ + +#include <config.h> @@ -1834,6 +1820,7 @@ index 0000000..d2c72e7 + +#include <stdio.h> +#include <string.h> ++#include <unistd.h> + +#include <isc/entropy.h> +#include <isc/mem.h> @@ -1868,7 +1855,7 @@ index 0000000..d2c72e7 + ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); + +#ifdef ISC_PLATFORM_CRYPTORANDOM -+ isc_entropy_usehook(ectx, ISC_TRUE); ++ isc_entropy_usehook(ectx, true); + + returned = 0; + result = isc_entropy_getdata(ectx, buffer, sizeof(buffer), 
@@ -1879,7 +1866,7 @@ index 0000000..d2c72e7 + status = isc_entropy_status(ectx); + ATF_REQUIRE_EQ(status, 0); + -+ isc_entropy_usehook(ectx, ISC_FALSE); ++ isc_entropy_usehook(ectx, false); +#endif + + ret = chdir(TESTS); @@ -1914,10 +1901,10 @@ index 0000000..d2c72e7 +} + diff --git a/lib/dns/win32/libdns.def.in b/lib/dns/win32/libdns.def.in -index d48eeb2..213e9d9 100644 +index 62a156c..bf83fe5 100644 --- a/lib/dns/win32/libdns.def.in +++ b/lib/dns/win32/libdns.def.in -@@ -1480,6 +1480,13 @@ dst_lib_destroy +@@ -1483,6 +1483,13 @@ dst_lib_destroy dst_lib_init dst_lib_init2 dst_lib_initmsgcat @@ -1932,14 +1919,14 @@ index d48eeb2..213e9d9 100644 dst_region_computerid dst_result_register diff --git a/lib/isc/entropy.c b/lib/isc/entropy.c -index 232094a..a85650b 100644 +index ab2f617..ed05ed6 100644 --- a/lib/isc/entropy.c +++ b/lib/isc/entropy.c -@@ -103,11 +103,15 @@ struct isc_entropy { - isc_uint32_t initialized; - isc_uint32_t initcount; +@@ -104,11 +104,15 @@ struct isc_entropy { + uint32_t initialized; + uint32_t initcount; isc_entropypool_t pool; -+ isc_boolean_t usehook; ++ bool usehook; unsigned int nsources; isc_entropysource_t *nextsource; ISC_LIST(isc_entropysource_t) sources; @@ -1950,8 +1937,8 @@ index 232094a..a85650b 100644 + /*% Sample Queue */ typedef struct { - isc_uint32_t last_time; /*%< last time recorded */ -@@ -556,6 +560,11 @@ isc_entropy_getdata(isc_entropy_t *ent, void *data, unsigned int length, + uint32_t last_time; /*%< last time recorded */ +@@ -557,6 +561,11 @@ isc_entropy_getdata(isc_entropy_t *ent, void *data, unsigned int length,
LOCK(&ent->lock);
@@ -1963,11 +1950,11 @@ index 232094a..a85650b 100644 remain = length; buf = data; total = 0; -@@ -707,6 +716,7 @@ isc_entropy_create(isc_mem_t *mctx, isc_entropy_t **entp) { +@@ -708,6 +717,7 @@ isc_entropy_create(isc_mem_t *mctx, isc_entropy_t **entp) { ent->refcnt = 1; ent->initialized = 0; ent->initcount = 0; -+ ent->usehook = ISC_FALSE; ++ ent->usehook = false; ent->magic = ENTROPY_MAGIC;
isc_entropypool_init(&ent->pool); @@ -1977,7 +1964,7 @@ index 232094a..a85650b 100644 } + +void -+isc_entropy_usehook(isc_entropy_t *ectx, isc_boolean_t onoff) { ++isc_entropy_usehook(isc_entropy_t *ectx, bool onoff) { + REQUIRE(VALID_ENTROPY(ectx)); + + LOCK(&ectx->lock); @@ -1990,15 +1977,15 @@ index 232094a..a85650b 100644 + hook = myhook; +} diff --git a/lib/isc/include/isc/entropy.h b/lib/isc/include/isc/entropy.h -index d52c43e..d9deb8a 100644 +index 4bba8e1..632166a 100644 --- a/lib/isc/include/isc/entropy.h +++ b/lib/isc/include/isc/entropy.h -@@ -303,6 +303,18 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source, +@@ -304,6 +304,18 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source, * isc_entropy_createcallbacksource(). */
+void -+isc_entropy_usehook(isc_entropy_t *ectx, isc_boolean_t onoff); ++isc_entropy_usehook(isc_entropy_t *ectx, bool onoff); +/*!< + * \brief Mark/unmark the given entropy structure as being hooked. + */ @@ -2013,10 +2000,10 @@ index d52c43e..d9deb8a 100644
#endif /* ISC_ENTROPY_H */ diff --git a/lib/isc/include/isc/platform.h.in b/lib/isc/include/isc/platform.h.in -index d7a5bec..0166b79 100644 +index 9c7c342..ee8dc3e 100644 --- a/lib/isc/include/isc/platform.h.in +++ b/lib/isc/include/isc/platform.h.in -@@ -344,6 +344,11 @@ +@@ -341,6 +341,11 @@ */ @ISC_PLATFORM_HAVESTRINGSH@
@@ -2029,7 +2016,7 @@ index d7a5bec..0166b79 100644 * Define if the hash functions must be provided by OpenSSL. */ diff --git a/lib/isc/include/isc/types.h b/lib/isc/include/isc/types.h -index f161faf..dec577e 100644 +index 42ff7e0..8d87c44 100644 --- a/lib/isc/include/isc/types.h +++ b/lib/isc/include/isc/types.h @@ -93,6 +93,8 @@ typedef struct isc_time isc_time_t; /*%< Time */ @@ -2042,10 +2029,10 @@ index f161faf..dec577e 100644 typedef int (*isc_sockfdwatch_t)(isc_task_t *, isc_socket_t *, void *, int);
diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c -index 48e1031..74566c9 100644 +index a01e698..875c232 100644 --- a/lib/isc/pk11.c +++ b/lib/isc/pk11.c -@@ -327,14 +327,16 @@ pk11_rand_seed_fromfile(const char *randomfile) { +@@ -321,14 +321,16 @@ pk11_rand_seed_fromfile(const char *randomfile) { ret = isc_stdio_open(randomfile, "r", &stream); if (ret != ISC_R_SUCCESS) goto cleanup; @@ -2068,10 +2055,10 @@ index 48e1031..74566c9 100644 cleanup: if (stream != NULL) diff --git a/lib/isc/win32/include/isc/platform.h.in b/lib/isc/win32/include/isc/platform.h.in -index de6a434..2c32782 100644 +index 5b8a2c9..913a2ce 100644 --- a/lib/isc/win32/include/isc/platform.h.in +++ b/lib/isc/win32/include/isc/platform.h.in -@@ -74,6 +74,11 @@ +@@ -69,6 +69,11 @@ #define ISC_PLATFORM_NORETURN_PRE __declspec(noreturn) #define ISC_PLATFORM_NORETURN_POST
@@ -2084,7 +2071,7 @@ index de6a434..2c32782 100644 * Define if the hash functions must be provided by OpenSSL. */ diff --git a/win32utils/Configure b/win32utils/Configure -index e9f4680..79bb178 100644 +index ff596b7..09b476f 100644 --- a/win32utils/Configure +++ b/win32utils/Configure @@ -381,6 +381,7 @@ my @substdefh = ("AES_CC", @@ -2146,7 +2133,7 @@ index e9f4680..79bb178 100644 if ($enable_openssl_hash eq "yes") { print "openssl-hash: enabled\n"; } else { -@@ -1449,6 +1463,7 @@ if ($enable_intrinsics eq "yes") { +@@ -1454,6 +1468,7 @@ if ($enable_intrinsics eq "yes") {
# enable-native-pkcs11 if ($enable_native_pkcs11 eq "yes") { @@ -2154,7 +2141,7 @@ index e9f4680..79bb178 100644 if ($use_openssl eq "auto") { $use_openssl = "no"; } -@@ -1658,6 +1673,7 @@ if ($use_openssl eq "yes") { +@@ -1663,6 +1678,7 @@ if ($use_openssl eq "yes") { $openssl_dll = File::Spec->catdir($openssl_path, "@dirlist[0]"); }
@@ -2162,7 +2149,7 @@ index e9f4680..79bb178 100644 $configcond{"OPENSSL"} = 1; $configdefd{"CRYPTO"} = "OPENSSL"; $configvar{"OPENSSL_PATH"} = "$openssl_path"; -@@ -2209,6 +2225,15 @@ if ($cookie_algorithm eq "sha1") { +@@ -2214,6 +2230,15 @@ if ($cookie_algorithm eq "sha1") { die "Unrecognized cookie algorithm: $cookie_algorithm\n"; }
@@ -2178,7 +2165,7 @@ index e9f4680..79bb178 100644 # enable-openssl-hash if ($enable_openssl_hash eq "yes") { if ($use_openssl eq "no") { -@@ -3531,6 +3556,7 @@ exit 0; +@@ -3536,6 +3561,7 @@ exit 0; # --enable-developer partially supported # --enable-newstats (9.9/9.9sub only) # --enable-native-pkcs11 supported @@ -2186,7 +2173,7 @@ index e9f4680..79bb178 100644 # --enable-openssl-version-check included without a way to disable it # --enable-openssl-hash supported # --enable-threads included without a way to disable it -@@ -3556,6 +3582,7 @@ exit 0; +@@ -3561,6 +3587,7 @@ exit 0; # --with-gost supported # --with-aes supported # --with-cc-alg supported diff --git a/bind-9.11-rt46047.patch b/bind-9.11-rt46047.patch index 915b0ab..5030c06 100644 --- a/bind-9.11-rt46047.patch +++ b/bind-9.11-rt46047.patch @@ -1,4 +1,4 @@ -From 1ab1aabcf9b2b8de144bab7a3ff5d9f7e6ec9ad4 Mon Sep 17 00:00:00 2001 +From 9a074d5cd6c6276d95bc1cce3a14afaabc88c6c5 Mon Sep 17 00:00:00 2001 From: Evan Hunt each@isc.org Date: Thu, 28 Sep 2017 10:09:22 -0700 Subject: [PATCH] completed and corrected the crypto-random change @@ -39,17 +39,17 @@ Subject: [PATCH] completed and corrected the crypto-random change bin/tests/system/tkey/keycreate.c | 4 +-- bin/tests/system/tkey/keydelete.c | 4 +-- doc/arm/Bv9ARM-book.xml | 55 ++++++++++++++++++++++---------- - doc/arm/notes.xml | 23 ++++++++++++- - lib/dns/dst_api.c | 7 ++-- + doc/arm/notes.xml | 26 +++++++++++++++ + lib/dns/dst_api.c | 4 ++- lib/dns/include/dst/dst.h | 14 ++++++-- lib/dns/openssl_link.c | 3 +- lib/isc/include/isc/entropy.h | 50 +++++++++++++++++++++-------- lib/isc/include/isc/random.h | 28 ++++++++++------ lib/isccfg/namedconf.c | 2 +- - 22 files changed, 219 insertions(+), 110 deletions(-) + 22 files changed, 221 insertions(+), 108 deletions(-)
diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c -index fa439cc..a7ad417 100644 +index 295e16f..0f79aa8 100644 --- a/bin/confgen/keygen.c +++ b/bin/confgen/keygen.c @@ -161,17 +161,15 @@ generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg, @@ -65,7 +65,7 @@ index fa439cc..a7ad417 100644 - strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { - randomfile = NULL; + if (randomfile == NULL) { - isc_entropy_usehook(ectx, ISC_TRUE); + isc_entropy_usehook(ectx, true); } #endif + if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) { @@ -112,16 +112,16 @@ index 96dfef6..1c84b06 100644 </listitem> </varlistentry> diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c -index 4ea9eaf..5dd9475 100644 +index 31a99e7..38c83ed 100644 --- a/bin/dnssec/dnssectool.c +++ b/bin/dnssec/dnssectool.c -@@ -239,18 +239,16 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { +@@ -241,18 +241,16 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { ISC_LIST_INIT(sources); }
+#ifdef ISC_PLATFORM_CRYPTORANDOM + if (randomfile == NULL) { -+ isc_entropy_usehook(*ectx, ISC_TRUE); ++ isc_entropy_usehook(*ectx, true); + } +#endif if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) { @@ -133,17 +133,17 @@ index 4ea9eaf..5dd9475 100644 - if (randomfile != NULL && - strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { - randomfile = NULL; -- isc_entropy_usehook(*ectx, ISC_TRUE); +- isc_entropy_usehook(*ectx, true); - } -#endif result = isc_entropy_usebestsource(*ectx, &source, randomfile, usekeyboard);
diff --git a/bin/named/client.c b/bin/named/client.c -index b9ebc93..20e5f39 100644 +index 0f6e162..5e39b82 100644 --- a/bin/named/client.c +++ b/bin/named/client.c -@@ -1605,7 +1605,8 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message, +@@ -1608,7 +1608,8 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message,
isc_buffer_init(&buf, cookie, sizeof(cookie)); isc_stdtime_get(&now); @@ -154,10 +154,10 @@ index b9ebc93..20e5f39 100644 compute_cookie(client, now, nonce, ns_g_server->secret, &buf);
diff --git a/bin/named/config.c b/bin/named/config.c -index c50f759..c1e72ef 100644 +index 2c4c93c..16ed248 100644 --- a/bin/named/config.c +++ b/bin/named/config.c -@@ -92,7 +92,9 @@ options {\n\ +@@ -93,7 +93,9 @@ options {\n\ # pid-file "" NS_LOCALSTATEDIR "/run/named/named.pid"; /* or /lwresd.pid */\n\ port 53;\n\ prefetch 2 9;\n" @@ -169,10 +169,10 @@ index c50f759..c1e72ef 100644 #endif " recursing-file "named.recursing";\n\ diff --git a/bin/named/controlconf.c b/bin/named/controlconf.c -index 237e8dc..b905475 100644 +index d955c2f..40621f2 100644 --- a/bin/named/controlconf.c +++ b/bin/named/controlconf.c -@@ -322,9 +322,10 @@ log_invalid(isccc_ccmsg_t *ccmsg, isc_result_t result) { +@@ -325,9 +325,10 @@ log_invalid(isccc_ccmsg_t *ccmsg, isc_result_t result) {
static void control_recvmessage(isc_task_t *task, isc_event_t *event) { @@ -185,8 +185,8 @@ index 237e8dc..b905475 100644 + controlkey_t *key = NULL; isccc_sexpr_t *request = NULL; isccc_sexpr_t *response = NULL; - isc_uint32_t algorithm; -@@ -335,16 +336,17 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) { + uint32_t algorithm; +@@ -338,16 +339,17 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) { isc_buffer_t *text; isc_result_t result; isc_result_t eresult; @@ -194,7 +194,7 @@ index 237e8dc..b905475 100644 + isccc_sexpr_t *_ctrl = NULL; isccc_time_t sent; isccc_time_t exp; - isc_uint32_t nonce; + uint32_t nonce; - isccc_sexpr_t *data; + isccc_sexpr_t *data = NULL;
@@ -206,25 +206,25 @@ index 237e8dc..b905475 100644 algorithm = DST_ALG_UNKNOWN; secret.rstart = NULL; text = NULL; -@@ -455,8 +457,11 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) { +@@ -458,8 +460,11 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) { * Establish nonce. */ if (conn->nonce == 0) { - while (conn->nonce == 0) - isc_random_get(&conn->nonce); + while (conn->nonce == 0) { -+ isc_uint16_t r1 = isc_rng_random(server->rngctx); -+ isc_uint16_t r2 = isc_rng_random(server->rngctx); ++ uint16_t r1 = isc_rng_random(server->rngctx); ++ uint16_t r2 = isc_rng_random(server->rngctx); + conn->nonce = (r1 << 16) | r2; + } eresult = ISC_R_SUCCESS; } else eresult = ns_control_docommand(request, listener->readonly, &text); diff --git a/bin/named/include/named/server.h b/bin/named/include/named/server.h -index d8179a6..e03d24d 100644 +index f5ed2b7..b2c1d05 100644 --- a/bin/named/include/named/server.h +++ b/bin/named/include/named/server.h -@@ -17,6 +17,7 @@ +@@ -20,6 +20,7 @@ #include <isc/log.h> #include <isc/magic.h> #include <isc/quota.h> @@ -232,19 +232,19 @@ index d8179a6..e03d24d 100644 #include <isc/sockaddr.h> #include <isc/types.h> #include <isc/xml.h> -@@ -131,6 +132,7 @@ struct ns_server { +@@ -134,6 +135,7 @@ struct ns_server { char * lockfile;
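Review bot: In the nonce loop of control_recvmessage, `conn->nonce = (r1 << 16) | r2;` shifts a `uint16_t` that has been promoted to `int`, so any `r1` with its top bit set is shifted into the sign bit, which is undefined behaviour for a signed left shift. Widening before the shift avoids that, assuming `conn->nonce` is 32 bits wide: `conn->nonce = ((uint32_t)r1 << 16) | r2;`. The nonce is now assembled from two 16-bit `isc_rng_random()` outputs, so a short comment here saying that its unpredictability rests on how `server->rngctx` is seeded would help the next reader. control_recvmessage starts and ends outside this hunk.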
- isc_uint16_t transfer_tcp_message_size; + uint16_t transfer_tcp_message_size; + isc_rng_t * rngctx; };
struct ns_altsecret { diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c -index d8c7188..50f924e 100644 +index 419927b..d721f47 100644 --- a/bin/named/interfacemgr.c +++ b/bin/named/interfacemgr.c -@@ -15,6 +15,7 @@ +@@ -17,6 +17,7 @@
#include <isc/interfaceiter.h> #include <isc/os.h> @@ -253,10 +253,10 @@ index d8c7188..50f924e 100644 #include <isc/task.h> #include <isc/util.h> diff --git a/bin/named/query.c b/bin/named/query.c -index accbf3b..d89622d 100644 +index f8dbef2..2f3c0ca 100644 --- a/bin/named/query.c +++ b/bin/named/query.c -@@ -18,6 +18,7 @@ +@@ -19,6 +19,7 @@ #include <isc/hex.h> #include <isc/mem.h> #include <isc/print.h> @@ -265,10 +265,10 @@ index accbf3b..d89622d 100644 #include <isc/serial.h> #include <isc/stats.h> diff --git a/bin/named/server.c b/bin/named/server.c -index ca789e5..1413e85 100644 +index 9258e7f..f4320df 100644 --- a/bin/named/server.c +++ b/bin/named/server.c -@@ -8076,21 +8076,30 @@ load_configuration(const char *filename, ns_server_t *server, +@@ -8164,21 +8164,30 @@ load_configuration(const char *filename, ns_server_t *server, * Open the source of entropy. */ if (first_time) { @@ -291,8 +291,8 @@ index ca789e5..1413e85 100644 + if (randomdev == NULL) { #ifdef ISC_PLATFORM_CRYPTORANDOM - if (strcmp(randomdev, ISC_PLATFORM_CRYPTORANDOM) == 0) -- isc_entropy_usehook(ns_g_entropy, ISC_TRUE); -+ isc_entropy_usehook(ns_g_entropy, ISC_TRUE); +- isc_entropy_usehook(ns_g_entropy, true); ++ isc_entropy_usehook(ns_g_entropy, true); #else - int level = ISC_LOG_ERROR; - result = isc_entropy_createfilesource(ns_g_entropy, @@ -310,7 +310,7 @@ index ca789e5..1413e85 100644 #ifdef PATH_RANDOMDEV if (ns_g_fallbackentropy != NULL) { level = ISC_LOG_INFO; -@@ -8101,8 +8110,8 @@ load_configuration(const char *filename, ns_server_t *server, +@@ -8189,8 +8198,8 @@ load_configuration(const char *filename, ns_server_t *server, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, level, @@ -321,7 +321,7 @@ index ca789e5..1413e85 100644 randomdev, isc_result_totext(result)); } -@@ -8122,7 +8131,6 @@ load_configuration(const char *filename, ns_server_t *server, +@@ -8210,7 +8219,6 @@ load_configuration(const char *filename, ns_server_t *server, } isc_entropy_detach(&ns_g_fallbackentropy); } 
@@ -329,7 +329,7 @@ index ca789e5..1413e85 100644 #endif } } -@@ -8911,6 +8919,9 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) { +@@ -8998,6 +9006,9 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) { CHECKFATAL(dns_tkeyctx_create(ns_g_mctx, ns_g_entropy, &server->tkeyctx), "creating TKEY context"); @@ -339,7 +339,7 @@ index ca789e5..1413e85 100644
/* * Setup the server task, which is responsible for coordinating -@@ -9117,7 +9128,8 @@ ns_server_destroy(ns_server_t **serverp) { +@@ -9204,7 +9215,8 @@ ns_server_destroy(ns_server_t **serverp) {
if (server->zonemgr != NULL) dns_zonemgr_detach(&server->zonemgr); @@ -349,7 +349,7 @@ index ca789e5..1413e85 100644 if (server->tkeyctx != NULL) dns_tkeyctx_destroy(&server->tkeyctx);
-@@ -13018,10 +13030,10 @@ newzone_cfgctx_destroy(void **cfgp) { +@@ -13105,10 +13117,10 @@ newzone_cfgctx_destroy(void **cfgp) {
static isc_result_t generate_salt(unsigned char *salt, size_t saltlen) { @@ -357,19 +357,19 @@ index ca789e5..1413e85 100644 + size_t i, n; union { unsigned char rnd[256]; -- isc_uint32_t rnd32[64]; -+ isc_uint16_t rnd16[128]; +- uint32_t rnd32[64]; ++ uint16_t rnd16[128]; } rnd; unsigned char text[512 + 1]; isc_region_t r; -@@ -13031,9 +13043,10 @@ generate_salt(unsigned char *salt, size_t saltlen) { +@@ -13118,9 +13130,10 @@ generate_salt(unsigned char *salt, size_t saltlen) { if (saltlen > 256U) return (ISC_R_RANGE);
-- n = (int) (saltlen + sizeof(isc_uint32_t) - 1) / sizeof(isc_uint32_t); +- n = (int) (saltlen + sizeof(uint32_t) - 1) / sizeof(uint32_t); - for (i = 0; i < n; i++) - isc_random_get(&rnd.rnd32[i]); -+ n = (saltlen + sizeof(isc_uint16_t) - 1) / sizeof(isc_uint16_t); ++ n = (saltlen + sizeof(uint16_t) - 1) / sizeof(uint16_t); + for (i = 0; i < n; i++) { + rnd.rnd16[i] = isc_rng_random(ns_g_server->rngctx); + } @@ -377,10 +377,10 @@ index ca789e5..1413e85 100644 memmove(salt, rnd.rnd, saltlen);
diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c -index 46c7acf..a0d0278 100644 +index 1559a33..68b9a99 100644 --- a/bin/nsupdate/nsupdate.c +++ b/bin/nsupdate/nsupdate.c -@@ -281,9 +281,7 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { +@@ -283,9 +283,7 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { }
#ifdef ISC_PLATFORM_CRYPTORANDOM @@ -388,14 +388,14 @@ index 46c7acf..a0d0278 100644 - strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { - randomfile = NULL; + if (randomfile == NULL) { - isc_entropy_usehook(*ectx, ISC_TRUE); + isc_entropy_usehook(*ectx, true); } #endif diff --git a/bin/tests/system/pipelined/pipequeries.c b/bin/tests/system/pipelined/pipequeries.c -index 810d99e..d7d10e2 100644 +index 7b4f617..507bf0a 100644 --- a/bin/tests/system/pipelined/pipequeries.c +++ b/bin/tests/system/pipelined/pipequeries.c -@@ -279,9 +279,7 @@ main(int argc, char *argv[]) { +@@ -282,9 +282,7 @@ main(int argc, char *argv[]) { ectx = NULL; RUNCHECK(isc_entropy_create(mctx, &ectx)); #ifdef ISC_PLATFORM_CRYPTORANDOM @@ -403,11 +403,11 @@ index 810d99e..d7d10e2 100644 - strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { - randomfile = NULL; + if (randomfile == NULL) { - isc_entropy_usehook(ectx, ISC_TRUE); + isc_entropy_usehook(ectx, true); } #endif diff --git a/bin/tests/system/tkey/keycreate.c b/bin/tests/system/tkey/keycreate.c -index 4f2f5b4..0894db7 100644 +index fe8698e..937fcc3 100644 --- a/bin/tests/system/tkey/keycreate.c +++ b/bin/tests/system/tkey/keycreate.c @@ -255,9 +255,7 @@ main(int argc, char *argv[]) { @@ -418,11 +418,11 @@ index 4f2f5b4..0894db7 100644 - strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { - randomfile = NULL; + if (randomfile == NULL) { - isc_entropy_usehook(ectx, ISC_TRUE); + isc_entropy_usehook(ectx, true); } #endif diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c -index 0975bbe..5b8a470 100644 +index 2146f9b..ac2c311 100644 --- a/bin/tests/system/tkey/keydelete.c +++ b/bin/tests/system/tkey/keydelete.c @@ -182,9 +182,7 @@ main(int argc, char **argv) { @@ -433,11 +433,11 @@ index 0975bbe..5b8a470 100644 - strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { - randomfile = NULL; + if (randomfile == NULL) { - isc_entropy_usehook(ectx, ISC_TRUE); + isc_entropy_usehook(ectx, true); } #endif 
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml -index a5d9e2e..2a96f71 100644 +index baff8d3..00a50e4 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -5070,22 +5070,45 @@ badresp:1,adberr:0,findfail:0,valfail:0] @@ -503,14 +503,15 @@ index a5d9e2e..2a96f71 100644 </listitem> </varlistentry> diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml -index d3fdb5e..a8ad92d 100644 +index d9537a3..5c2cc13 100644 --- a/doc/arm/notes.xml +++ b/doc/arm/notes.xml -@@ -105,7 +105,28 @@ - <itemizedlist> - <listitem> - <para> -- None. +@@ -180,6 +180,32 @@ + option. [GL #105] + </para> + </listitem> ++ <listitem> ++ <para> + By default, BIND now uses the random number generation functions + in the cryptographic library (i.e., OpenSSL or a PKCS#11 + provider) as a source of high-quality randomness rather than @@ -533,25 +534,16 @@ index d3fdb5e..a8ad92d 100644 + <command>configure --disable-crypto-rand</command>, in which + case <filename>/dev/random</filename> will be the default + entropy source. [RT #31459] [RT #46047] - </para> - </listitem> ++ </para> ++ </listitem> </itemizedlist> + </section> + diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c -index 803e7b3..29a4fef 100644 +index afb4d80..4e62a97 100644 --- a/lib/dns/dst_api.c +++ b/lib/dns/dst_api.c -@@ -276,8 +276,9 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx, - #endif - #if defined(OPENSSL) || defined(PKCS11CRYPTO) - #ifdef ISC_PLATFORM_CRYPTORANDOM -- if (dst_entropy_pool != NULL) -+ if (dst_entropy_pool != NULL) { - isc_entropy_sethook(dst_random_getdata); -+ } - #endif - #endif /* defined(OPENSSL) || defined(PKCS11CRYPTO) */ - dst_initialized = ISC_TRUE; -@@ -2015,10 +2016,12 @@ dst__entropy_getdata(void *buf, unsigned int len, isc_boolean_t pseudo) { +@@ -2013,10 +2013,12 @@ dst__entropy_getdata(void *buf, unsigned int len, bool pseudo) { else flags |= ISC_ENTROPY_BLOCKING; #ifdef ISC_PLATFORM_CRYPTORANDOM @@ -566,10 +558,10 @@ index 803e7b3..29a4fef 100644 }
diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h -index d9b6ab6..e8c1a3c 100644 +index 78e1277..10293d0 100644 --- a/lib/dns/include/dst/dst.h +++ b/lib/dns/include/dst/dst.h -@@ -161,8 +161,18 @@ isc_result_t +@@ -164,8 +164,18 @@ isc_result_t dst_random_getdata(void *data, unsigned int length, unsigned int *returned, unsigned int flags); /*%< @@ -589,9 +581,9 @@ index d9b6ab6..e8c1a3c 100644 + * \li DST_R_OPENSSLFAILURE, DST_R_CRYPTOFAILURE, or other codes on error */
- isc_boolean_t + bool diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c -index c1e1bde..91e87d0 100644 +index d88d643..7a233dd 100644 --- a/lib/dns/openssl_link.c +++ b/lib/dns/openssl_link.c @@ -482,7 +482,8 @@ dst__openssl_getengine(const char *engine) { @@ -605,7 +597,7 @@ index c1e1bde..91e87d0 100644 #ifndef DONT_REQUIRE_DST_LIB_INIT INSIST(dst__memory_pool != NULL); diff --git a/lib/isc/include/isc/entropy.h b/lib/isc/include/isc/entropy.h -index d9deb8a..2d37363 100644 +index 632166a..c7cb17d 100644 --- a/lib/isc/include/isc/entropy.h +++ b/lib/isc/include/isc/entropy.h @@ -9,8 +9,6 @@ @@ -617,7 +609,7 @@ index d9deb8a..2d37363 100644 #ifndef ISC_ENTROPY_H #define ISC_ENTROPY_H 1
-@@ -190,9 +188,8 @@ isc_entropy_createcallbacksource(isc_entropy_t *ent, +@@ -191,9 +189,8 @@ isc_entropy_createcallbacksource(isc_entropy_t *ent, /*!< * \brief Create an entropy source that is polled via a callback. * @@ -629,7 +621,7 @@ index d9deb8a..2d37363 100644 * * Samples are added via isc_entropy_addcallbacksample(), below. * _addcallbacksample() is the only function which may be called from -@@ -233,15 +230,32 @@ isc_result_t +@@ -234,15 +231,32 @@ isc_result_t isc_entropy_getdata(isc_entropy_t *ent, void *data, unsigned int length, unsigned int *returned, unsigned int flags); /*!< @@ -669,9 +661,9 @@ index d9deb8a..2d37363 100644 */
void -@@ -306,13 +320,21 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source, +@@ -307,13 +321,21 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source, void - isc_entropy_usehook(isc_entropy_t *ectx, isc_boolean_t onoff); + isc_entropy_usehook(isc_entropy_t *ectx, bool onoff); /*!< - * \brief Mark/unmark the given entropy structure as being hooked. + * \brief Configure entropy context 'ectx' to use the hook function @@ -694,7 +686,7 @@ index d9deb8a..2d37363 100644
ISC_LANG_ENDDECLS diff --git a/lib/isc/include/isc/random.h b/lib/isc/include/isc/random.h -index ba53ebf..b575728 100644 +index f8aed34..17c551b 100644 --- a/lib/isc/include/isc/random.h +++ b/lib/isc/include/isc/random.h @@ -9,8 +9,6 @@ @@ -737,8 +729,8 @@ index ba53ebf..b575728 100644
ISC_LANG_BEGINDECLS @@ -115,8 +123,8 @@ isc_rng_random(isc_rng_t *rngctx); - isc_uint16_t - isc_rng_uniformrandom(isc_rng_t *rngctx, isc_uint16_t upper_bound); + uint16_t + isc_rng_uniformrandom(isc_rng_t *rngctx, uint16_t upper_bound); /*%< - * Returns a uniformly distributed pseudo random 16-bit unsigned - * integer. @@ -748,10 +740,10 @@ index ba53ebf..b575728 100644
ISC_LANG_ENDDECLS diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c -index 8d496ff..dd08187 100644 +index cd797a6..589da07 100644 --- a/lib/isccfg/namedconf.c +++ b/lib/isccfg/namedconf.c -@@ -1106,7 +1106,7 @@ options_clauses[] = { +@@ -1109,7 +1109,7 @@ options_clauses[] = { { "pid-file", &cfg_type_qstringornone, 0 }, { "port", &cfg_type_uint32, 0 }, { "querylog", &cfg_type_boolean, 0 }, diff --git a/bind-95-rh452060.patch b/bind-95-rh452060.patch index dac3a8d..c57ccab 100644 --- a/bind-95-rh452060.patch +++ b/bind-95-rh452060.patch @@ -1,34 +1,34 @@ diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c -index f657c30..ff9a2d2 100644 +index aa5315d..1fa711a 100644 --- a/bin/dig/dighost.c +++ b/bin/dig/dighost.c -@@ -1694,6 +1694,13 @@ clear_query(dig_query_t *query) { +@@ -1814,6 +1814,13 @@ clear_query(dig_query_t *query) {
if (query->timer != NULL) isc_timer_detach(&query->timer); + + if (query->waiting_senddone) { + debug("send_done not yet called"); -+ query->pending_free = ISC_TRUE; ++ query->pending_free = true; + return; + } + lookup = query->lookup;
if (lookup->current_query == query) -@@ -1719,10 +1726,7 @@ clear_query(dig_query_t *query) { +@@ -1839,10 +1846,7 @@ clear_query(dig_query_t *query) { isc_mempool_put(commctx, query->recvspace); isc_buffer_invalidate(&query->recvbuf); isc_buffer_invalidate(&query->lengthbuf); - if (query->waiting_senddone) -- query->pending_free = ISC_TRUE; +- query->pending_free = true; - else - isc_mem_free(mctx, query); + isc_mem_free(mctx, query); }
/*% -@@ -2811,9 +2815,9 @@ send_done(isc_task_t *_task, isc_event_t *event) { +@@ -2892,9 +2896,9 @@ send_done(isc_task_t *_task, isc_event_t *event) { isc_event_free(&event);
if (query->pending_free) diff --git a/bind.spec b/bind.spec index 2b22c57..b557e44 100644 --- a/bind.spec +++ b/bind.spec @@ -2,7 +2,7 @@ # Red Hat BIND package .spec file #
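Review bot: The early return added to clear_query() for `query->waiting_senddone` leaves the query only partly torn down, and nothing in the code says who finishes the job. At that point the timer is already detached, but the unlinking from `lookup` and the release of `recvspace` and the buffers further down are skipped. A comment above the `return` would make the ownership hand-off explicit, for example `/* send_done() still references this query; it completes the teardown once pending_free is set */`. The send_done() side of the patch is cut off at the end of this hunk, so it cannot be confirmed from here whether it re-enters clear_query() or frees the query directly.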
-%global PATCHVER P2
+#%%global PATCHVER P2
 #%%global PREVER rc1
 %global BINDVERSION %{version}%{?PREVER}%{?PATCHVER:-%{PATCHVER}}
@@ -43,16 +43,16 @@
 #
# lib*.so.X versions of selected libraries
-%global sover_dns 1102
-%global sover_isc 169
-%global sover_irs 160
-%global sover_isccfg 160
+%global sover_dns 1104
+%global sover_isc 1100
+%global sover_irs 161
+%global sover_isccfg 163
Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server
 Name: bind
 License: MPLv2.0
-Version: 9.11.4
-Release: 12%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
+Version: 9.11.5
+Release: 1%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
 Epoch: 32
 Url: http://www.isc.org/products/BIND/
 #
@@ -452,7 +452,7 @@ are used for building ISC DHCP.
 %patch72 -p1 -b .64bit
 %endif
 %patch102 -p1 -b .rh452060
-%patch106 -p0 -b .rh490837
+%patch106 -p1 -b .rh490837
 %patch109 -p1 -b .rh478718
 %patch112 -p1 -b .rh645544
 %patch130 -p1 -b .libdb
@@ -1193,9 +1193,9 @@ rm -rf ${RPM_BUILD_ROOT}
 %endif
%files libs
-%{_libdir}/libbind9.so.160*
-%{_libdir}/libisccc.so.160*
-%{_libdir}/liblwres.so.160*
+%{_libdir}/libbind9.so.161*
+%{_libdir}/libisccc.so.161*
+%{_libdir}/liblwres.so.161*
%files libs-lite
 %{_libdir}/libdns.so.%{sover_dns}*
@@ -1446,6 +1446,9 @@ rm -rf ${RPM_BUILD_ROOT}
%changelog
+* Wed Oct 24 2018 Petr Menk pemensik@redhat.com - 32:9.11.5-1
+- Update to 9.11.5
+
 * Tue Oct 02 2018 Petr Menk pemensik@redhat.com - 32:9.11.4-12.P2
 - Add Requires to devel packages referenced by bind-devel
diff --git a/bind93-rh490837.patch b/bind93-rh490837.patch index 230d7a7..6ea55ba 100644 --- a/bind93-rh490837.patch +++ b/bind93-rh490837.patch @@ -1,13 +1,22 @@ -? patch -? lib/isc/lex.c.rh490837 -Index: lib/isc/lex.c -=================================================================== -RCS file: /var/snap/bind9/lib/isc/lex.c,v -retrieving revision 1.86 -diff -p -u -r1.86 lex.c ---- lib/isc/lex.c 17 Sep 2007 09:56:29 -0000 1.86 -+++ lib/isc/lex.c 6 Apr 2009 13:24:15 -0000 -@@ -425,17 +425,14 @@ isc_lex_gettoken(isc_lex_t *lex, unsigne +diff --git a/lib/isc/include/isc/stdio.h b/lib/isc/include/isc/stdio.h +index 1f44b5a..a3625f9 100644 +--- a/lib/isc/include/isc/stdio.h ++++ b/lib/isc/include/isc/stdio.h +@@ -69,6 +69,9 @@ isc_stdio_sync(FILE *f); + * direct counterpart in the stdio library. + */ + ++isc_result_t ++isc_stdio_fgetc(FILE *f, int *ret); ++ + ISC_LANG_ENDDECLS + + #endif /* ISC_STDIO_H */ +diff --git a/lib/isc/lex.c b/lib/isc/lex.c +index a8955bc..fc6103b 100644 +--- a/lib/isc/lex.c ++++ b/lib/isc/lex.c +@@ -434,17 +434,14 @@ isc_lex_gettoken(isc_lex_t *lex, unsigned int options, isc_token_t *tokenp) { if (source->is_file) { stream = source->input;
@@ -28,34 +37,14 @@ diff -p -u -r1.86 lex.c goto done; } + - source->at_eof = ISC_TRUE; + source->at_eof = true; } } else { -Index: lib/isc/include/isc/stdio.h -=================================================================== -RCS file: /var/snap/bind9/lib/isc/include/isc/stdio.h,v -retrieving revision 1.13 -diff -p -u -r1.13 stdio.h ---- lib/isc/include/isc/stdio.h 19 Jun 2007 23:47:18 -0000 1.13 -+++ lib/isc/include/isc/stdio.h 6 Apr 2009 13:24:15 -0000 -@@ -72,6 +72,9 @@ isc_stdio_sync(FILE *f); - * direct counterpart in the stdio library. - */ - -+isc_result_t -+isc_stdio_fgetc(FILE *f, int *ret); -+ - ISC_LANG_ENDDECLS - - #endif /* ISC_STDIO_H */ -Index: lib/isc/unix/errno2result.c -=================================================================== -RCS file: /var/snap/bind9/lib/isc/unix/errno2result.c,v -retrieving revision 1.17 -diff -p -u -r1.17 errno2result.c ---- lib/isc/unix/errno2result.c 19 Jun 2007 23:47:18 -0000 1.17 -+++ lib/isc/unix/errno2result.c 6 Apr 2009 13:24:15 -0000 -@@ -43,6 +43,7 @@ isc__errno2result(int posixerrno) { +diff --git a/lib/isc/unix/errno2result.c b/lib/isc/unix/errno2result.c +index 2f12bcc..5bfd648 100644 +--- a/lib/isc/unix/errno2result.c ++++ b/lib/isc/unix/errno2result.c +@@ -40,6 +40,7 @@ isc___errno2result(int posixerrno, bool dolog, case EINVAL: /* XXX sometimes this is not for files */ case ENAMETOOLONG: case EBADF: 
@@ -63,14 +52,11 @@ diff -p -u -r1.17 errno2result.c return (ISC_R_INVALIDFILE); case ENOENT: return (ISC_R_FILENOTFOUND); -Index: lib/isc/unix/stdio.c -=================================================================== -RCS file: /var/snap/bind9/lib/isc/unix/stdio.c,v -retrieving revision 1.8 -diff -p -u -r1.8 stdio.c ---- lib/isc/unix/stdio.c 19 Jun 2007 23:47:18 -0000 1.8 -+++ lib/isc/unix/stdio.c 6 Apr 2009 13:24:15 -0000 -@@ -115,3 +115,22 @@ isc_stdio_sync(FILE *f) { +diff --git a/lib/isc/unix/stdio.c b/lib/isc/unix/stdio.c +index e60fa65..77f0b13 100644 +--- a/lib/isc/unix/stdio.c ++++ b/lib/isc/unix/stdio.c +@@ -149,3 +149,22 @@ isc_stdio_sync(FILE *f) { return (isc__errno2result(errno)); }
diff --git a/sources b/sources
index 43558ac..f7e1978 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (bind-9.11.4-P2.tar.gz) = 6c01810526fc40485a6c0403d1ddc3b76d2e59b3426b5789436bd671f158d2fa0ea7c0aef2de81998ec715dabd06683fed7b17224d5c794c61e7100a69d4cb60
+SHA512 (bind-9.11.5.tar.gz) = 7e34c8033dabaed232479b1dc2849d1247c0137bcb2b63f08f8f72ff2cca0f73e0f05d0b9b8959f8c4db8ee36a700af30fe869be186c7bab7c81a25843384b8d
 SHA512 (config-18.tar.bz2) = c0a0a1fd58a7e2c09fe69915b9a4c682d1b6c96e78583f63ce5355f663c9509d28facfd3aa078b228b69954d0af4bfa484ef661a9568aaafe6eade97dda3c3d9