diff --git a/1314-master-dnssec-checkds-s.patch b/1314-master-dnssec-checkds-s.patch
deleted file mode 100644
index 461847171180313ceaad6ec13962f8f16dffa513..0000000000000000000000000000000000000000
--- a/1314-master-dnssec-checkds-s.patch
+++ /dev/null
@@ -1,183 +0,0 @@ -From 3b4f23cdbfa3f285d06eea8c4101650d2ab4e945 Mon Sep 17 00:00:00 2001 -From: Evan Hunt -Date: Thu, 26 Oct 2017 21:05:11 -0700 -Subject: [PATCH 1314/3677] [master] dnssec-checkds -s - -4794. [func] "dnssec-checkds -s" specifies a file from which - to read a DS set rather than querying the parent. - [RT #44667] ---- - CHANGES | 8 +- - bin/python/dnssec-checkds.docbook | 24 +++--- - bin/python/isc/checkds.py.in | 49 ++++++----- - bin/tests/system/checkds/clean.sh | 2 - - bin/tests/system/checkds/dig.pl | 2 - - bin/tests/system/checkds/dig.sh | 3 - - bin/tests/system/checkds/prep.example.db | 121 ++++++++++++++++++++++++++++ - bin/tests/system/checkds/prep.example.ds.db | 2 + - bin/tests/system/checkds/tests.sh | 9 +++ - doc/arm/notes.xml | 8 ++ - 10 files changed, 190 insertions(+), 38 deletions(-) - create mode 100644 bin/tests/system/checkds/prep.example.db - create mode 100644 bin/tests/system/checkds/prep.example.ds.db - -diff --git a/bin/python/dnssec-checkds.docbook b/bin/python/dnssec-checkds.docbook -index 91716bc..069d6e9 100644 ---- a/bin/python/dnssec-checkds.docbook -+++ b/bin/python/dnssec-checkds.docbook -@@ -42,20 +42,13 @@ - - - dnssec-checkds -- -- - - -- zone -- -- -- dnssec-dsfromkey -- - -- -- -+ -+ - zone -- -+ - - - DESCRIPTION -@@ -93,6 +86,17 @@ - - - -+ -s file -+ -+ -+ Specifies a prepared dsset file, such as would be generated -+ by dnssec-signzone, to use as a source for -+ the DS RRset instead of querying the parent. 
-+ -+ -+ -+ -+ - -d dig path - - -diff --git a/bin/python/isc/checkds.py.in b/bin/python/isc/checkds.py.in -index ce50355..a161554 100644 ---- a/bin/python/isc/checkds.py.in -+++ b/bin/python/isc/checkds.py.in -@@ -34,7 +34,11 @@ class SECRR: - if not rrtext: - raise Exception - -- fields = rrtext.decode('ascii').split() -+ # 'str' does not have decode method in python3 -+ if type(rrtext) is not str: -+ fields = rrtext.decode('ascii').split() -+ else: -+ fields = rrtext.split() - if len(fields) < 7: - raise Exception - -@@ -89,35 +93,39 @@ class SECRR: - # Generate a set of expected DS/DLV records from the DNSKEY RRset, - # and report on congruency. - ############################################################################ --def check(zone, args, masterfile=None, lookaside=None): -+def check(zone, args): - rrlist = [] -- cmd = [args.dig, "+noall", "+answer", "-t", "dlv" if lookaside else "ds", -- "-q", zone + "." + lookaside if lookaside else zone] -- fp, _ = Popen(cmd, stdout=PIPE).communicate() -+ if args.dssetfile: -+ fp = open(args.dssetfile).read() -+ else: -+ cmd = [args.dig, "+noall", "+answer", "-t", -+ "dlv" if args.lookaside else "ds", "-q", -+ zone + "." 
+ args.lookaside if args.lookaside else zone] -+ fp, _ = Popen(cmd, stdout=PIPE).communicate() - - for line in fp.splitlines(): -- rrlist.append(SECRR(line, lookaside)) -+ rrlist.append(SECRR(line, args.lookaside)) - rrlist = sorted(rrlist, key=lambda rr: (rr.keyid, rr.keyalg, rr.hashalg)) - - klist = [] - -- if masterfile: -- cmd = [args.dsfromkey, "-f", masterfile] -- if lookaside: -- cmd += ["-l", lookaside] -+ if args.masterfile: -+ cmd = [args.dsfromkey, "-f", args.masterfile] -+ if args.lookaside: -+ cmd += ["-l", args.lookaside] - cmd.append(zone) - fp, _ = Popen(cmd, stdout=PIPE).communicate() - else: - intods, _ = Popen([args.dig, "+noall", "+answer", "-t", "dnskey", - "-q", zone], stdout=PIPE).communicate() - cmd = [args.dsfromkey, "-f", "-"] -- if lookaside: -- cmd += ["-l", lookaside] -+ if args.lookaside: -+ cmd += ["-l", args.lookaside] - cmd.append(zone) - fp, _ = Popen(cmd, stdin=PIPE, stdout=PIPE).communicate(intods) - - for line in fp.splitlines(): -- klist.append(SECRR(line, lookaside)) -+ klist.append(SECRR(line, args.lookaside)) - - if len(klist) < 1: - print("No DNSKEY records found in zone apex") -@@ -136,7 +144,8 @@ def check(zone, args, masterfile=None, lookaside=None): - rr.keyid, SECRR.hashalgs[rr.hashalg])) - - if not found: -- print("No %s records were found for any DNSKEY" % ("DLV" if lookaside else "DS")) -+ print("No %s records were found for any DNSKEY" % -+ ("DLV" if args.lookaside else "DS")) - - return found - -@@ -151,10 +160,6 @@ def parse_args(): - sbindir = 'bin' if os.name == 'nt' else 'sbin' - - parser.add_argument('zone', type=str, help='zone to check') -- parser.add_argument('-f', '--file', dest='masterfile', type=str, -- help='zone master file') -- parser.add_argument('-l', '--lookaside', dest='lookaside', type=str, -- help='DLV lookaside zone') - parser.add_argument('-d', '--dig', dest='dig', - default=os.path.join(prefix(bindir), 'dig'), - type=str, help='path to \'dig\'') -@@ -162,6 +167,12 @@ def parse_args(): - 
default=os.path.join(prefix(sbindir), - 'dnssec-dsfromkey'), - type=str, help='path to \'dig\'') -+ parser.add_argument('-f', '--file', dest='masterfile', type=str, -+ help='zone master file') -+ parser.add_argument('-l', '--lookaside', dest='lookaside', type=str, -+ help='DLV lookaside zone') -+ parser.add_argument('-s', '--dsset', dest='dssetfile', type=str, -+ help='prepared DSset file') - parser.add_argument('-v', '--version', action='version', - version=version) - args = parser.parse_args() -@@ -178,5 +189,5 @@ def parse_args(): - ############################################################################ - def main(): - args = parse_args() -- found = check(args.zone, args, args.masterfile, args.lookaside) -+ found = check(args.zone, args) - exit(0 if found else 1) - --- -1.8.3.1 - diff --git a/2432-check-param_template-i-.pValue-is-non-NULL.patch b/2432-check-param_template-i-.pValue-is-non-NULL.patch deleted file mode 100644 index 02eaf26c3dac6f1d33150f9c8847085b6c798927..0000000000000000000000000000000000000000 --- a/2432-check-param_template-i-.pValue-is-non-NULL.patch +++ /dev/null 
@@ -1,53 +0,0 @@ -From 8ac0152651725cfa3dd887f9f73e6ff9671ce2dd Mon Sep 17 00:00:00 2001 -From: Bill Parker -Date: Tue, 10 Jul 2018 12:34:00 +1000 -Subject: [PATCH 2432/3677] check param_template[i].pValue is non NULL - ---- - bin/pkcs11/pkcs11-keygen.c | 22 ++++++++++++++++++---- - 1 file changed, 18 insertions(+), 4 deletions(-) - -diff --git a/bin/pkcs11/pkcs11-keygen.c b/bin/pkcs11/pkcs11-keygen.c -index fe314ab..9631c0e 100644 ---- a/bin/pkcs11/pkcs11-keygen.c -+++ b/bin/pkcs11/pkcs11-keygen.c -@@ -657,8 +657,18 @@ main(int argc, char *argv[]) { - } - - /* Allocate space for parameter attributes */ -- for (i = 0; i < param_attrcnt; i++) -+ for (i = 0; i < param_attrcnt; i++) { -+ param_template[i].pValue = NULL; -+ } -+ -+ for (i = 0; i < param_attrcnt; i++) { - param_template[i].pValue = malloc(param_template[i].ulValueLen); -+ if (param_template[i].pValue == NULL) { -+ fprintf(stderr, "malloc failed\n"); -+ error = 1; -+ goto exit_params; -+ } -+ } - - rv = pkcs_C_GetAttributeValue(hSession, domainparams, - dsa_param_template, DSA_PARAM_ATTRS); -@@ -713,9 +723,13 @@ main(int argc, char *argv[]) { - - exit_params: - /* Free parameter attributes */ -- if (keyclass == key_dsa || keyclass == key_dh) -- for (i = 0; i < param_attrcnt; i++) -- free(param_template[i].pValue); -+ if (keyclass == key_dsa || keyclass == key_dh) { -+ for (i = 0; i < param_attrcnt; i++) { -+ if (param_template[i].pValue != NULL) { -+ free(param_template[i].pValue); -+ } -+ } -+ } - - exit_domain: - /* Destroy domain parameters */ --- -1.8.3.1 - diff --git a/2497-refcount-errors-on-error-paths.patch b/2497-refcount-errors-on-error-paths.patch deleted file mode 100644 index 9d8e42b41f2279d1f959b9aa71bf9ac169e89450..0000000000000000000000000000000000000000 --- a/2497-refcount-errors-on-error-paths.patch +++ /dev/null 
@@ -1,53 +0,0 @@ -From 4093efc900e250a39f9669e3d740a4286a0edb9c Mon Sep 17 00:00:00 2001 -From: Mark Andrews -Date: Tue, 31 Jul 2018 17:41:45 +1000 -Subject: [PATCH 2497/3677] refcount errors on error paths - ---- - lib/dns/rbtdb.c | 3 --- - lib/dns/view.c | 1 + - 2 files changed, 1 insertion(+), 3 deletions(-) - -diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c -index e332802..01c7cd8 100644 ---- a/lib/dns/rbtdb.c -+++ b/lib/dns/rbtdb.c -@@ -8368,7 +8368,6 @@ dns_rbtdb_create(isc_mem_t *mctx, const dns_name_t *origin, dns_dbtype_t type, - if (result != ISC_R_SUCCESS) { - while (i-- > 0) { - NODE_DESTROYLOCK(&rbtdb->node_locks[i].lock); -- isc_refcount_decrement(&rbtdb->node_locks[i].references, NULL); - isc_refcount_destroy(&rbtdb->node_locks[i].references); - } - goto cleanup_deadnodes; -@@ -8491,7 +8490,6 @@ dns_rbtdb_create(isc_mem_t *mctx, const dns_name_t *origin, dns_dbtype_t type, - rbtdb->current_version = allocate_version(mctx, 1, 1, ISC_FALSE); - if (rbtdb->current_version == NULL) { - isc_refcount_decrement(&rbtdb->references, NULL); -- isc_refcount_destroy(&rbtdb->references); - free_rbtdb(rbtdb, ISC_FALSE, NULL); - return (ISC_R_NOMEMORY); - } -@@ -8513,7 +8511,6 @@ dns_rbtdb_create(isc_mem_t *mctx, const dns_name_t *origin, dns_dbtype_t type, - sizeof(*rbtdb->current_version)); - rbtdb->current_version = NULL; - isc_refcount_decrement(&rbtdb->references, NULL); -- isc_refcount_destroy(&rbtdb->references); - free_rbtdb(rbtdb, ISC_FALSE, NULL); - return (result); - } -diff --git a/lib/dns/view.c b/lib/dns/view.c -index e36576f..7751535 100644 ---- a/lib/dns/view.c -+++ b/lib/dns/view.c -@@ -311,6 +311,7 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass, - dns_tsigkeyring_detach(&view->dynamickeys); - - cleanup_references: -+ isc_refcount_decrement(&view->references, NULL); - isc_refcount_destroy(&view->references); - - cleanup_fwdtable: --- -1.8.3.1 - 
diff --git a/2559-Do-not-remove-errors-from-the-OpenSSL-error-queue-in.patch b/2559-Do-not-remove-errors-from-the-OpenSSL-error-queue-in.patch deleted file mode 100644 index a5a6f2c2b9bdca5802bead20e6ebf51b0a098a1e..0000000000000000000000000000000000000000 --- a/2559-Do-not-remove-errors-from-the-OpenSSL-error-queue-in.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- a/lib/dns/openssl_link.c 2019-04-17 06:00:00.086000000 -0400 -+++ b/lib/dns/openssl_link_1.c 2019-04-17 06:03:38.556000000 -0400 -@@ -385,7 +385,7 @@ dst__openssl_destroy(void) { - static isc_result_t - toresult(isc_result_t fallback) { - isc_result_t result = fallback; -- unsigned long err = ERR_get_error(); -+ unsigned long err = ERR_peek_error(); - #if defined(HAVE_OPENSSL_ECDSA) && \ - defined(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED) - int lib = ERR_GET_LIB(err); diff --git a/2574-Do-not-treat-a-referral-with-a-non-empty-ANSWER-sect.patch b/2574-Do-not-treat-a-referral-with-a-non-empty-ANSWER-sect.patch deleted file mode 100644 index 02bba3757f8d4c6bd887ca6337a6377ea96029e5..0000000000000000000000000000000000000000 --- a/2574-Do-not-treat-a-referral-with-a-non-empty-ANSWER-sect.patch +++ /dev/null @@ -1,13 +0,0 @@ ---- a/lib/dns/resolver.c 2019-04-17 06:06:06.700000000 -0400 -+++ b/lib/dns/resolver_1.c 2019-04-17 06:08:47.697000000 -0400 -@@ -8419,7 +8419,9 @@ resquery_response(isc_task_t *task, isc_ - if (result != ISC_R_SUCCESS) - FCTXTRACE3("noanswer_response", result); - } -- if (result != DNS_R_DELEGATION) { -+ if (result == DNS_R_DELEGATION) { -+ result = ISC_R_SUCCESS; -+ } else { - /* - * At this point, AA is not set, the response - * is not a referral, and the server is not a diff --git a/2711-Align-CMSG-buffers-to-a-void-boundary-fixes-crash-on.patch b/2711-Align-CMSG-buffers-to-a-void-boundary-fixes-crash-on.patch deleted file mode 100644 index 39a74df447c1861adcd43f9f3911504bd8af9b57..0000000000000000000000000000000000000000 
--- a/2711-Align-CMSG-buffers-to-a-void-boundary-fixes-crash-on.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 17212cf9965a1a0ec8412b807fe08f74e059cc1c Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Witold=20Kr=C4=99cicki?= -Date: Fri, 7 Sep 2018 09:34:32 +0200 -Subject: [PATCH 2711/3677] Align CMSG buffers to a void* boundary, fixes crash - on architectures with strict alignment CHANGES entry - ---- - CHANGES | 3 +++ - lib/isc/include/isc/util.h | 5 +++++ - lib/isc/unix/socket.c | 5 +++-- - 3 files changed, 11 insertions(+), 2 deletions(-) - -diff --git a/lib/isc/include/isc/util.h b/lib/isc/include/isc/util.h -index bb0c885..acc3d64 100644 ---- a/lib/isc/include/isc/util.h -+++ b/lib/isc/include/isc/util.h -@@ -260,6 +260,11 @@ extern void mock_assert(const int result, const char* const expression, - #define TIME_NOW(tp) RUNTIME_CHECK(isc_time_now((tp)) == ISC_R_SUCCESS) - - /*% -+ * Alignment -+ */ -+#define ALIGN(x, a) (((x) + (a) - 1) & ~((typeof(x))(a)-1)) -+ -+/*% - * Misc - */ - #include -diff --git a/lib/isc/unix/socket.c b/lib/isc/unix/socket.c -index 343cec2..62a00cd 100644 ---- a/lib/isc/unix/socket.c -+++ b/lib/isc/unix/socket.c -@@ -315,8 +315,9 @@ typedef isc_event_t intev_t; - - #define CMSG_SP_INT 24 - --#define RECVCMSGBUFLEN (2*(CMSG_SP_IN6PKT + CMSG_SP_TIMESTAMP + CMSG_SP_TCTOS)+1) --#define SENDCMSGBUFLEN (2*(CMSG_SP_IN6PKT + CMSG_SP_INT + CMSG_SP_TCTOS)+1) -+/* Align cmsg buffers to be safe on SPARC etc. */ -+#define RECVCMSGBUFLEN ALIGN(2*(CMSG_SP_IN6PKT + CMSG_SP_TIMESTAMP + CMSG_SP_TCTOS)+1, sizeof(void*)) -+#define SENDCMSGBUFLEN ALIGN(2*(CMSG_SP_IN6PKT + CMSG_SP_INT + CMSG_SP_TCTOS)+1, sizeof(void*)) - - /*% - * The number of times a send operation is repeated if the result is EINTR. --- -1.8.3.1 - 
diff --git a/2776-Fix-crash-caused-by-race-condition-in-timer-creation.patch b/2776-Fix-crash-caused-by-race-condition-in-timer-creation.patch deleted file mode 100644 index 5625134d61faf3c9c3dd52c8b03bdcc1ae4d2598..0000000000000000000000000000000000000000 --- a/2776-Fix-crash-caused-by-race-condition-in-timer-creation.patch +++ /dev/null @@ -1,22 +0,0 @@ ---- a/lib/isc/timer.c 2018-09-04 00:04:41.000000000 -0400 -+++ b/lib/isc/timer_1.c 2019-04-17 23:40:41.930000000 -0400 -@@ -472,8 +472,10 @@ isc__timer_create(isc_timermgr_t *manage - result = schedule(timer, &now, ISC_TRUE); - else - result = ISC_R_SUCCESS; -- if (result == ISC_R_SUCCESS) -+ if (result == ISC_R_SUCCESS){ -+ *timerp = (isc_timer_t *)timer; - APPEND(manager->timers, timer, link); -+ } - - UNLOCK(&manager->lock); - -@@ -486,7 +488,6 @@ isc__timer_create(isc_timermgr_t *manage - return (result); - } - -- *timerp = (isc_timer_t *)timer; - - return (ISC_R_SUCCESS); - } diff --git a/2865-free-key-on-error.patch b/2865-free-key-on-error.patch deleted file mode 100644 index f51cb4fbe2955cb4b04e39cb11844cb4b846a68f..0000000000000000000000000000000000000000 --- a/2865-free-key-on-error.patch +++ /dev/null @@ -1,26 +0,0 @@ -From 607c2d7441b5b56272765dfd6ee56de983c3b407 Mon Sep 17 00:00:00 2001 -From: Mark Andrews -Date: Fri, 19 Oct 2018 19:23:39 +1100 -Subject: [PATCH 2865/3677] free key on error - ---- - lib/dns/dst_api.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c -index 7685dcb..c0684d9 100644 ---- a/lib/dns/dst_api.c -+++ b/lib/dns/dst_api.c -@@ -802,6 +802,9 @@ dst_key_fromgssapi(const dns_name_t *name, gss_ctx_id_t gssctx, - *keyp = key; - result = ISC_R_SUCCESS; - out: -+ if (result != ISC_R_SUCCESS) { -+ dst_key_free(&key); -+ } - return result; - } - --- -1.8.3.1 - 
diff --git a/2879-expand-the-pool-then-copy-over-the-old-entries-so-we.patch b/2879-expand-the-pool-then-copy-over-the-old-entries-so-we.patch deleted file mode 100644 index f8eca082ce7e122eac5bc1ded2f8bd68ef73a170..0000000000000000000000000000000000000000 --- a/2879-expand-the-pool-then-copy-over-the-old-entries-so-we.patch +++ /dev/null @@ -1,49 +0,0 @@ -From afde30fe9b1fd43595290a6763db6d52e0903c5a Mon Sep 17 00:00:00 2001 -From: Mark Andrews -Date: Fri, 19 Oct 2018 19:36:17 +1100 -Subject: [PATCH 2879/3677] expand the pool then copy over the old entries so - we that failures do not break the old pool; also don't leak the new pool on - error - ---- - lib/isc/pool.c | 17 +++++++++-------- - 1 file changed, 9 insertions(+), 8 deletions(-) - -diff --git a/lib/isc/pool.c b/lib/isc/pool.c -index 5c693a6..8fb2a45 100644 ---- a/lib/isc/pool.c -+++ b/lib/isc/pool.c -@@ -131,21 +131,22 @@ isc_pool_expand(isc_pool_t **sourcep, unsigned int count, - newpool->init = pool->init; - newpool->initarg = pool->initarg; - -- /* Copy over the objects from the old pool */ -- for (i = 0; i < pool->count; i++) { -- newpool->pool[i] = pool->pool[i]; -- pool->pool[i] = NULL; -- } -- - /* Populate the new entries */ - for (i = pool->count; i < count; i++) { -- result = pool->init(&newpool->pool[i], pool->initarg); -+ result = newpool->init(&newpool->pool[i], -+ newpool->initarg); - if (result != ISC_R_SUCCESS) { -- isc_pool_destroy(&pool); -+ isc_pool_destroy(&newpool); - return (result); - } - } - -+ /* Copy over the objects from the old pool */ -+ for (i = 0; i < pool->count; i++) { -+ newpool->pool[i] = pool->pool[i]; -+ pool->pool[i] = NULL; -+ } -+ - isc_pool_destroy(&pool); - pool = newpool; - } --- -1.8.3.1 - diff --git a/2985-Add-some-DBC-checks-in-dighost-fix-race-between-clea.patch b/2985-Add-some-DBC-checks-in-dighost-fix-race-between-clea.patch deleted file mode 100644 index 445f324ba9e81926b89d3e5b05d5a57f07fffc76..0000000000000000000000000000000000000000 
--- a/2985-Add-some-DBC-checks-in-dighost-fix-race-between-clea.patch
+++ /dev/null
@@ -1,228 +0,0 @@ ---- a/bin/dig/dighost.c 2019-04-18 00:14:08.120000000 -0400 -+++ b/bin/dig/dighost_1.c 2019-04-18 02:34:32.947000000 -0400 -@@ -1822,9 +1822,9 @@ clear_query(dig_query_t *query) { - - debug("clear_query(%p)", query); - -- if (query->timer != NULL) -+ if (query->timer != NULL){ - isc_timer_detach(&query->timer); -- -+ } - if (query->waiting_senddone) { - debug("send_done not yet called"); - query->pending_free = ISC_TRUE; -@@ -1833,13 +1833,15 @@ clear_query(dig_query_t *query) { - - lookup = query->lookup; - -- if (lookup->current_query == query) -+ if (lookup->current_query == query){ - lookup->current_query = NULL; -- -- if (ISC_LINK_LINKED(query, link)) -+ } -+ if (ISC_LINK_LINKED(query, link)){ - ISC_LIST_UNLINK(lookup->q, query, link); -- if (ISC_LINK_LINKED(query, clink)) -+ } -+ if (ISC_LINK_LINKED(query, clink)){ - ISC_LIST_UNLINK(lookup->connecting, query, clink); -+ } - if (ISC_LINK_LINKED(&query->recvbuf, link)) - ISC_LIST_DEQUEUE(query->recvlist, &query->recvbuf, - link); -@@ -1856,6 +1858,7 @@ clear_query(dig_query_t *query) { - isc_mempool_put(commctx, query->recvspace); - isc_buffer_invalidate(&query->recvbuf); - isc_buffer_invalidate(&query->lengthbuf); -+ query->magic = 0; - isc_mem_free(mctx, query); - } - -@@ -2807,13 +2810,14 @@ setup_lookup(dig_lookup_t *lookup) { - - for (serv = ISC_LIST_HEAD(lookup->my_server_list); - serv != NULL; -- serv = ISC_LIST_NEXT(serv, link)) { -+ serv = ISC_LIST_NEXT(serv, link)) -+ { - query = isc_mem_allocate(mctx, sizeof(dig_query_t)); -- if (query == NULL) -+ if (query == NULL){ - fatal("memory allocation failure in %s:%d", - __FILE__, __LINE__); -- debug("create query %p linked to lookup %p", -- query, lookup); -+ } -+ debug("create query %p linked to lookup %p", query, lookup); - query->lookup = lookup; - query->timer = NULL; - query->waiting_connect = ISC_FALSE; -@@ -2838,9 +2842,9 @@ setup_lookup(dig_lookup_t *lookup) { - ISC_LIST_INIT(query->lengthlist); - query->sock = NULL; - 
query->recvspace = isc_mempool_get(commctx); -- if (query->recvspace == NULL) -+ if (query->recvspace == NULL){ - fatal("memory allocation failure"); -- -+ } - isc_buffer_init(&query->recvbuf, query->recvspace, COMMSIZE); - isc_buffer_init(&query->lengthbuf, query->lengthspace, 2); - isc_buffer_init(&query->slbuf, query->slspace, 2); -@@ -2848,6 +2852,7 @@ setup_lookup(dig_lookup_t *lookup) { - - ISC_LINK_INIT(query, clink); - ISC_LINK_INIT(query, link); -+ query->magic = DIG_QUERY_MAGIC; - ISC_LIST_ENQUEUE(lookup->q, query, link); - } - -@@ -2856,9 +2861,10 @@ setup_lookup(dig_lookup_t *lookup) { - extrabytes = 0; - dighost_printmessage(ISC_LIST_HEAD(lookup->q), lookup->sendmsg, - ISC_TRUE); -- if (lookup->stats) -+ if (lookup->stats){ - printf(";; QUERY SIZE: %u\n\n", - isc_buffer_usedlength(&lookup->renderbuf)); -+ } - } - return (ISC_TRUE); - } -@@ -2893,20 +2899,26 @@ send_done(isc_task_t *_task, isc_event_t - } - - query = event->ev_arg; -+ REQUIRE(DIG_VALID_QUERY(query)); - query->waiting_senddone = ISC_FALSE; - l = query->lookup; - -- if (l->ns_search_only && !l->trace_root && !l->tcp_mode) { -+ if (!query->pending_free && l->ns_search_only && -+ !l->trace_root && !l->tcp_mode) -+ { - debug("sending next, since searching"); - next = ISC_LIST_NEXT(query, link); -- if (next != NULL) -+ if (next != NULL){ - send_udp(next); -+ } - } - - isc_event_free(&event); - -- if (query->pending_free) -+ if (query->pending_free){ -+ query->magic = 0; - clear_query(query); -+ } - - check_next_lookup(l); - UNLOCK_LOOKUP; -@@ -2924,6 +2936,7 @@ cancel_lookup(dig_lookup_t *lookup) { - debug("cancel_lookup()"); - query = ISC_LIST_HEAD(lookup->q); - while (query != NULL) { -+ REQUIRE(DIG_VALID_QUERY(query)); - next = ISC_LIST_NEXT(query, link); - if (query->sock != NULL) { - isc_socket_cancel(query->sock, global_task, -@@ -2943,6 +2956,7 @@ bringup_timer(dig_query_t *query, unsign - dig_lookup_t *l; - unsigned int local_timeout; - isc_result_t result; -+ 
REQUIRE(DIG_VALID_QUERY(query)); - - debug("bringup_timer()"); - /* -@@ -3007,7 +3021,7 @@ send_tcp_connect(dig_query_t *query) { - isc_result_t result; - dig_query_t *next; - dig_lookup_t *l; -- -+ REQUIRE(DIG_VALID_QUERY(query)); - debug("send_tcp_connect(%p)", query); - - l = query->lookup; -@@ -3145,7 +3159,7 @@ send_udp(dig_query_t *query) { - isc_result_t result; - isc_buffer_t *sendbuf; - dig_query_t *next; -- -+ REQUIRE(DIG_VALID_QUERY(query)); - debug("send_udp(%p)", query); - - l = query->lookup; -@@ -3248,6 +3262,7 @@ connect_timeout(isc_task_t *task, isc_ev - - LOCK_LOOKUP; - query = event->ev_arg; -+ REQUIRE(DIG_VALID_QUERY(query)); - l = query->lookup; - isc_event_free(&event); - -@@ -3335,7 +3350,7 @@ tcp_length_done(isc_task_t *task, isc_ev - LOCK_LOOKUP; - sevent = (isc_socketevent_t *)event; - query = event->ev_arg; -- -+ REQUIRE(DIG_VALID_QUERY(query)); - recvcount--; - INSIST(recvcount >= 0); - -@@ -3412,7 +3427,7 @@ launch_next_query(dig_query_t *query, is - isc_result_t result; - dig_lookup_t *l; - isc_buffer_t *buffer; -- -+ REQUIRE(DIG_VALID_QUERY(query)); - INSIST(!free_now); - - debug("launch_next_query()"); -@@ -3491,7 +3506,7 @@ connect_done(isc_task_t *task, isc_event - LOCK_LOOKUP; - sevent = (isc_socketevent_t *)event; - query = sevent->ev_arg; -- -+ REQUIRE(DIG_VALID_QUERY(query)); - INSIST(query->waiting_connect); - - query->waiting_connect = ISC_FALSE; -@@ -4460,6 +4475,7 @@ do_lookup(dig_lookup_t *lookup) { - lookup->pending = ISC_TRUE; - query = ISC_LIST_HEAD(lookup->q); - if (query != NULL) { -+ REQUIRE(DIG_VALID_QUERY(query)); - if (lookup->tcp_mode) - send_tcp_connect(query); - else ---- a/bin/dig/include/dig/dig.h 2018-09-04 00:04:41.000000000 -0400 -+++ b/bin/dig/include/dig/dig_1.h 2019-04-18 02:36:44.313000000 -0400 -@@ -24,6 +24,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -90,6 +91,9 @@ typedef struct dig_message dig_message_t - #endif - typedef ISC_LIST(dig_server_t) 
dig_serverlist_t; - typedef struct dig_searchlist dig_searchlist_t; -+#define DIG_QUERY_MAGIC ISC_MAGIC('D','i','g','q') -+ -+#define DIG_VALID_QUERY(x) ISC_MAGIC_VALID((x), DIG_QUERY_MAGIC) - - /*% The dig_lookup structure */ - struct dig_lookup { -@@ -199,6 +203,7 @@ isc_boolean_t sigchase; - - /*% The dig_query structure */ - struct dig_query { -+ unsigned int magic; - dig_lookup_t *lookup; - isc_boolean_t waiting_connect, - pending_free, diff --git a/2998-Use-larger-buffers-on-snprintf-buffer-overflow-false.patch b/2998-Use-larger-buffers-on-snprintf-buffer-overflow-false.patch deleted file mode 100644 index ba6b7d456d79fab44571cfc38d4892af9a120cf5..0000000000000000000000000000000000000000 --- a/2998-Use-larger-buffers-on-snprintf-buffer-overflow-false.patch +++ /dev/null 
@@ -1,52 +0,0 @@ ---- a/lib/dns/rdata/generic/loc_29.c 2018-09-04 00:04:41.000000000 -0400 -+++ b/lib/dns/rdata/generic/loc_291.c 2019-04-18 00:09:34.927000000 -0400 -@@ -454,11 +454,12 @@ totext_loc(ARGS_TOTEXT) { - isc_boolean_t east; - isc_boolean_t below; - isc_region_t sr; -- char buf[sizeof("89 59 59.999 N 179 59 59.999 E " -- "-42849672.95m 90000000m 90000000m 90000000m")]; - char sbuf[sizeof("90000000m")]; - char hbuf[sizeof("90000000m")]; - char vbuf[sizeof("90000000m")]; -+ /* "89 59 59.999 N 179 59 59.999 E " */ -+ /* "-42849672.95m 90000000m 90000000m 90000000m"; */ -+ char buf[8*6 + 12*1 + 2*10 + sizeof(sbuf)+sizeof(hbuf)+sizeof(vbuf)]; - unsigned char size, hp, vp; - unsigned long poweroften[8] = { 1, 10, 100, 1000, - 10000, 100000, 1000000, 10000000 }; -@@ -550,7 +551,7 @@ totext_loc(ARGS_TOTEXT) { - altitude -= 10000000; - } - -- snprintf(buf, sizeof(buf), -+ snprintf(NULL, 0, - "%d %d %d.%03d %s %d %d %d.%03d %s %s%lu.%02lum %s %s %s", - d1, m1, s1, fs1, north ? "N" : "S", - d2, m2, s2, fs2, east ? "E" : "W", ---- a/lib/dns/rdata/in_1/dhcid_49.c 2018-09-04 00:04:41.000000000 -0400 -+++ b/lib/dns/rdata/in_1/dhcid_491.c 2019-04-18 00:12:14.143000000 -0400 -@@ -35,9 +35,8 @@ fromtext_in_dhcid(ARGS_FROMTEXT) { - static inline isc_result_t - totext_in_dhcid(ARGS_TOTEXT) { - isc_region_t sr, sr2; -- char buf[sizeof(" ; 64000 255 64000")]; -- size_t n; -- -+ /* " ; 64000 255 64000" */ -+ char buf[5 + 3*5 + 1]; - REQUIRE(rdata->type == dns_rdatatype_dhcid); - REQUIRE(rdata->rdclass == dns_rdataclass_in); - REQUIRE(rdata->length != 0); -@@ -55,10 +54,9 @@ totext_in_dhcid(ARGS_TOTEXT) { - if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0) { - RETERR(str_totext(/* ( */ " )", target)); - if (rdata->length > 2) { -- n = snprintf(buf, sizeof(buf), " ; %u %u %u", -+ snprintf(NULL, 0, " ; %u %u %u", - sr2.base[0] * 256U + sr2.base[1], - sr2.base[2], rdata->length - 3U); -- INSIST(n < sizeof(buf)); - RETERR(str_totext(buf, target)); - } - } 
diff --git a/3022-Fix-a-shutdown-race-in-bin-dig-dighost.c.patch b/3022-Fix-a-shutdown-race-in-bin-dig-dighost.c.patch deleted file mode 100644 index 15561c73ce2041a9af24e24fe5987def75a0023d..0000000000000000000000000000000000000000 --- a/3022-Fix-a-shutdown-race-in-bin-dig-dighost.c.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 462175659674a10c0d39c7c328f1a5324ce2e38b Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= -Date: Tue, 13 Nov 2018 13:50:47 +0100 -Subject: [PATCH 3022/3677] Fix a shutdown race in bin/dig/dighost.c - -If a tool using the routines defined in bin/dig/dighost.c is sent an -interruption signal around the time a connection timeout is scheduled to -fire, connect_timeout() may be executed after destroy_libs() detaches -from the global task (setting 'global_task' to NULL), which results in a -crash upon a UDP retry due to bringup_timer() attempting to create a -timer with 'task' set to NULL. Fix by preventing connect_timeout() from -attempting a retry when shutdown is in progress. ---- - bin/dig/dighost.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c -index f4e5e55..410b634 100644 ---- a/bin/dig/dighost.c -+++ b/bin/dig/dighost.c -@@ -2902,6 +2902,11 @@ connect_timeout(isc_task_t *task, isc_event_t *event) { - - INSIST(!free_now); - -+ if (cancel_now) { -+ UNLOCK_LOOKUP; -+ return; -+ } -+ - if ((query != NULL) && (query->lookup->current_query != NULL) && - ISC_LINK_LINKED(query->lookup->current_query, link) && - (ISC_LIST_NEXT(query->lookup->current_query, link) != NULL)) { --- -1.8.3.1 - diff --git a/3046-uninitalize-memory-read-on-error-path.patch b/3046-uninitalize-memory-read-on-error-path.patch deleted file mode 100644 index 4968db34aa9f907a20040e5ea7d1fe1a9a77e7ea..0000000000000000000000000000000000000000 --- a/3046-uninitalize-memory-read-on-error-path.patch +++ /dev/null 
@@ -1,25 +0,0 @@ -From 4eadebe2b2feade839d8f178e6ddf8b4406d093a Mon Sep 17 00:00:00 2001 -From: Mark Andrews -Date: Fri, 9 Nov 2018 15:32:33 +1100 -Subject: [PATCH 3046/3677] uninitalize memory read on error path - ---- - lib/dns/nta.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/lib/dns/nta.c b/lib/dns/nta.c -index 73674b3..498b7f1 100644 ---- a/lib/dns/nta.c -+++ b/lib/dns/nta.c -@@ -149,7 +149,7 @@ dns_ntatable_create(dns_view_t *view, - isc_task_detach(&ntatable->task); - - cleanup_ntatable: -- isc_mem_put(ntatable->view->mctx, ntatable, sizeof(*ntatable)); -+ isc_mem_put(view->mctx, ntatable, sizeof(*ntatable)); - - return (result); - } --- -1.8.3.1 - diff --git a/3318-Allow-unsupported-alg-in-zone-w-dnssec-signzone.patch b/3318-Allow-unsupported-alg-in-zone-w-dnssec-signzone.patch deleted file mode 100644 index ddef69034d540e928ae832e349e81fc56f886d52..0000000000000000000000000000000000000000 --- a/3318-Allow-unsupported-alg-in-zone-w-dnssec-signzone.patch +++ /dev/null 
@@ -1,77 +0,0 @@ -From 1dd11fc754baf396bb3040527087b14f0678dd83 Mon Sep 17 00:00:00 2001 -From: Matthijs Mekking -Date: Tue, 18 Dec 2018 12:14:04 +0100 -Subject: [PATCH 3318/3677] Allow unsupported alg in zone /w dnssec-signzone - -dnssec-signzone should sign a zonefile that contains a DNSKEY record -with an unsupported algorithm. Current behavior is that it will -fail, hitting a fatal error. The fix detects unsupported algorithms -and will not try to add it to the keylist. - -Also when determining the maximum iterations for NSEC3, don't take -into account DNSKEY records in the zonefile with an unsupported -algorithm. ---- - lib/dns/dnssec.c | 8 ++++++++ - lib/dns/include/dns/dnssec.h | 2 +- - lib/dns/nsec3.c | 11 ++++++++++- - 3 files changed, 19 insertions(+), 2 deletions(-) - -diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c -index c12ecac..e255b6e 100644 ---- a/lib/dns/dnssec.c -+++ b/lib/dns/dnssec.c -@@ -1622,6 +1622,14 @@ dns_dnssec_keylistfromrdataset(const dns_name_t *origin, - result = dns_rdataset_next(&keys)) { - dns_rdata_reset(&rdata); - dns_rdataset_current(&keys, &rdata); -+ -+ /* Skip unsupported algorithms */ -+ REQUIRE(rdata.type == dns_rdatatype_key || -+ rdata.type == dns_rdatatype_dnskey); -+ REQUIRE(rdata.length > 3); -+ if (!dst_algorithm_supported(rdata.data[3])) -+ goto skip; -+ - RETERR(dns_dnssec_keyfromrdata(origin, &rdata, mctx, &pubkey)); - dst_key_setttl(pubkey, keys.ttl); - -diff --git a/lib/dns/include/dns/dnssec.h b/lib/dns/include/dns/dnssec.h -index 50930b6..e60375e 100644 ---- a/lib/dns/include/dns/dnssec.h -+++ b/lib/dns/include/dns/dnssec.h -@@ -274,7 +274,7 @@ dns_dnssec_findmatchingkeys(const dns_name_t *origin, const char *directory, - /*%< - * Search 'directory' for K* key files matching the name in 'origin'. - * Append all such keys, along with use hints gleaned from their -- * metadata, onto 'keylist'. -+ * metadata, onto 'keylist'. Skip any unsupported algorithms. 
- * - * Requires: - *\li 'keylist' is not NULL -diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c -index 861e909..f30d695 100644 ---- a/lib/dns/nsec3.c -+++ b/lib/dns/nsec3.c -@@ -1811,8 +1811,17 @@ dns_nsec3_maxiterations(dns_db_t *db, dns_dbversion_t *version, - result == ISC_R_SUCCESS; - result = dns_rdataset_next(&rdataset)) { - dns_rdata_t rdata = DNS_RDATA_INIT; -- - dns_rdataset_current(&rdataset, &rdata); -+ -+ /* Skip unsupported algorithms when -+ * calculating the maximum iterations. -+ */ -+ REQUIRE(rdata.type == dns_rdatatype_key || -+ rdata.type == dns_rdatatype_dnskey); -+ REQUIRE(rdata.length > 3); -+ if (!dst_algorithm_supported(rdata.data[3])) -+ continue; -+ - isc_buffer_init(&buffer, rdata.data, rdata.length); - isc_buffer_add(&buffer, rdata.length); - CHECK(dst_key_fromdns(dns_db_origin(db), rdataset.rdclass, --- -1.8.3.1 - diff --git a/3543-fix-memory-leak.patch b/3543-fix-memory-leak.patch deleted file mode 100644 index 1da4f13caf911b2883d39e5faef456cdaeba36a8..0000000000000000000000000000000000000000 --- a/3543-fix-memory-leak.patch +++ /dev/null 
@@ -1,112 +0,0 @@ -From 7114d16098b0cf4910e06490fa70758f1c2c62a3 Mon Sep 17 00:00:00 2001 -From: Mark Andrews -Date: Fri, 15 Feb 2019 08:52:16 +1100 -Subject: [PATCH 3543/3677] fix memory leak - ---- - lib/dns/spnego_asn1.c | 56 +++++++++++++++++++++++++++++++-------------------- - 1 file changed, 34 insertions(+), 22 deletions(-) - -diff --git a/lib/dns/spnego_asn1.c b/lib/dns/spnego_asn1.c -index fb51b0d..46e487a 100644 ---- a/lib/dns/spnego_asn1.c -+++ b/lib/dns/spnego_asn1.c -@@ -467,25 +467,25 @@ decode_NegTokenInit(const unsigned char *p, size_t len, NegTokenInit * data, siz - FORW; - { - int dce_fix; -- if ((dce_fix = fix_dce(reallen, &len)) < 0) -- return ASN1_BAD_FORMAT; -+ if ((dce_fix = fix_dce(reallen, &len)) < 0) { -+ e = ASN1_BAD_FORMAT; -+ goto fail; -+ } - { - size_t newlen, oldlen; - - e = der_match_tag(p, len, ASN1_C_CONTEXT, CONS, 0, &l); -- if (e) -- return e; -- else { -- p += l; -- len -= l; -- ret += l; -+ FORW; -+ { - e = der_get_length(p, len, &newlen, &l); - FORW; - { - int mydce_fix; - oldlen = len; -- if ((mydce_fix = fix_dce(newlen, &len)) < 0) -- return ASN1_BAD_FORMAT; -+ if ((mydce_fix = fix_dce(newlen, &len)) < 0) { -+ e = ASN1_BAD_FORMAT; -+ goto fail; -+ } - e = decode_MechTypeList(p, len, &(data)->mechTypes, &l); - FORW; - if (mydce_fix) { -@@ -511,11 +511,15 @@ decode_NegTokenInit(const unsigned char *p, size_t len, NegTokenInit * data, siz - { - int mydce_fix; - oldlen = len; -- if ((mydce_fix = fix_dce(newlen, &len)) < 0) -- return ASN1_BAD_FORMAT; -+ if ((mydce_fix = fix_dce(newlen, &len)) < 0) { -+ e = ASN1_BAD_FORMAT; -+ goto fail; -+ } - (data)->reqFlags = malloc(sizeof(*(data)->reqFlags)); -- if ((data)->reqFlags == NULL) -- return ENOMEM; -+ if ((data)->reqFlags == NULL) { -+ e = ENOMEM; -+ goto fail; -+ } - e = decode_ContextFlags(p, len, (data)->reqFlags, &l); - FORW; - if (mydce_fix) { -@@ -541,11 +545,15 @@ decode_NegTokenInit(const unsigned char *p, size_t len, NegTokenInit * data, siz - { - int mydce_fix; - oldlen 
= len; -- if ((mydce_fix = fix_dce(newlen, &len)) < 0) -- return ASN1_BAD_FORMAT; -+ if ((mydce_fix = fix_dce(newlen, &len)) < 0) { -+ e = ASN1_BAD_FORMAT; -+ goto fail; -+ } - (data)->mechToken = malloc(sizeof(*(data)->mechToken)); -- if ((data)->mechToken == NULL) -- return ENOMEM; -+ if ((data)->mechToken == NULL) { -+ e = ENOMEM; -+ goto fail; -+ } - e = decode_octet_string(p, len, (data)->mechToken, &l); - FORW; - if (mydce_fix) { -@@ -571,11 +579,15 @@ decode_NegTokenInit(const unsigned char *p, size_t len, NegTokenInit * data, siz - { - int mydce_fix; - oldlen = len; -- if ((mydce_fix = fix_dce(newlen, &len)) < 0) -- return ASN1_BAD_FORMAT; -+ if ((mydce_fix = fix_dce(newlen, &len)) < 0) { -+ e = ASN1_BAD_FORMAT; -+ goto fail; -+ } - (data)->mechListMIC = malloc(sizeof(*(data)->mechListMIC)); -- if ((data)->mechListMIC == NULL) -- return ENOMEM; -+ if ((data)->mechListMIC == NULL) { -+ e = ENOMEM; -+ goto fail; -+ } - e = decode_octet_string(p, len, (data)->mechListMIC, &l); - FORW; - if (mydce_fix) { --- -1.8.3.1 - diff --git a/CVE-2018-5743-atomic-fix.patch b/CVE-2018-5743-atomic-fix.patch deleted file mode 100644 index 8246b0c6a76d1a58c00b80913dba8445f33bb38e..0000000000000000000000000000000000000000 --- a/CVE-2018-5743-atomic-fix.patch +++ /dev/null 
@@ -1,131 +0,0 @@ -Backport of: - -From 17623d26e4e7b0fd45f2b39f00cd46e6044ce4c1 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= -Date: Wed, 17 Apr 2019 15:22:27 +0200 -Subject: [PATCH] Replace atomic operations in bin/named/client.c with - isc_refcount reference counting - ---- - bin/named/client.c | 18 +++++++----------- - bin/named/include/named/interfacemgr.h | 5 +++-- - bin/named/interfacemgr.c | 7 +++++-- - 3 files changed, 15 insertions(+), 15 deletions(-) - -Index: bind9-9.11.4+dfsg/bin/named/client.c -=================================================================== ---- bind9-9.11.4+dfsg.orig/bin/named/client.c 2019-04-24 15:25:11.891463104 -0400 -+++ bind9-9.11.4+dfsg/bin/named/client.c 2019-04-24 15:25:42.091541114 -0400 -@@ -399,12 +399,10 @@ tcpconn_detach(ns_client_t *client) { - static void - mark_tcp_active(ns_client_t *client, isc_boolean_t active) { - if (active && !client->tcpactive) { -- isc_atomic_xadd(&client->interface->ntcpactive, 1); -+ isc_refcount_increment0(&client->interface->ntcpactive, NULL); - client->tcpactive = active; - } else if (!active && client->tcpactive) { -- uint32_t old = -- isc_atomic_xadd(&client->interface->ntcpactive, -1); -- INSIST(old > 0); -+ isc_refcount_decrement(&client->interface->ntcpactive, NULL); - client->tcpactive = active; - } - } -@@ -551,7 +549,7 @@ exit_check(ns_client_t *client) { - if (client->mortal && TCP_CLIENT(client) && - client->newstate != NS_CLIENTSTATE_FREED && - !ns_g_clienttest && -- isc_atomic_xadd(&client->interface->ntcpaccepting, 0) == 0) -+ isc_refcount_current(&client->interface->ntcpaccepting) == 0) - { - /* Nobody else is accepting */ - client->mortal = ISC_FALSE; -@@ -3314,7 +3312,6 @@ client_newconn(isc_task_t *task, isc_eve - isc_result_t result; - ns_client_t *client = event->ev_arg; - isc_socket_newconnev_t *nevent = (isc_socket_newconnev_t *)event; -- isc_uint32_t old; - - REQUIRE(event->ev_type == ISC_SOCKEVENT_NEWCONN); - 
REQUIRE(NS_CLIENT_VALID(client)); -@@ -3334,8 +3331,7 @@ client_newconn(isc_task_t *task, isc_eve - INSIST(client->naccepts == 1); - client->naccepts--; - -- old = isc_atomic_xadd(&client->interface->ntcpaccepting, -1); -- INSIST(old > 0); -+ isc_refcount_decrement(&client->interface->ntcpaccepting, NULL); - - /* - * We must take ownership of the new socket before the exit -@@ -3466,8 +3462,8 @@ client_accept(ns_client_t *client) { - * quota is tcp-clients plus the number of listening - * interfaces plus 1.) - */ -- exit = (isc_atomic_xadd(&client->interface->ntcpactive, 0) > -- (client->tcpactive ? 1 : 0)); -+ exit = (isc_refcount_current(&client->interface->ntcpactive) > -+ (client->tcpactive ? 1U : 0U)); - if (exit) { - client->newstate = NS_CLIENTSTATE_INACTIVE; - (void)exit_check(client); -@@ -3525,7 +3521,7 @@ client_accept(ns_client_t *client) { - * listening for connections itself to prevent the interface - * going dead. - */ -- isc_atomic_xadd(&client->interface->ntcpaccepting, 1); -+ isc_refcount_increment0(&client->interface->ntcpaccepting, NULL); - } - - static void -Index: bind9-9.11.4+dfsg/bin/named/include/named/interfacemgr.h -=================================================================== ---- bind9-9.11.4+dfsg.orig/bin/named/include/named/interfacemgr.h 2019-04-24 15:25:11.891463104 -0400 -+++ bind9-9.11.4+dfsg/bin/named/include/named/interfacemgr.h 2019-04-24 15:26:03.943597701 -0400 -@@ -43,6 +43,7 @@ - #include - #include - #include -+#include - - #include - -@@ -73,11 +74,11 @@ struct ns_interface { - /*%< UDP dispatchers. */ - isc_socket_t * tcpsocket; /*%< TCP socket. 
*/ - isc_dscp_t dscp; /*%< "listen-on" DSCP value */ -- isc_int32_t ntcpaccepting; /*%< Number of clients -+ isc_refcount_t ntcpaccepting; /*%< Number of clients - ready to accept new - TCP connections on this - interface */ -- isc_int32_t ntcpactive; /*%< Number of clients -+ isc_refcount_t ntcpactive; /*%< Number of clients - servicing TCP queries - (whether accepting or - connected) */ -Index: bind9-9.11.4+dfsg/bin/named/interfacemgr.c -=================================================================== ---- bind9-9.11.4+dfsg.orig/bin/named/interfacemgr.c 2019-04-24 15:25:11.891463104 -0400 -+++ bind9-9.11.4+dfsg/bin/named/interfacemgr.c 2019-04-24 15:25:11.891463104 -0400 -@@ -384,8 +384,8 @@ ns_interface_create(ns_interfacemgr_t *m - * connections will be handled in parallel even though there is - * only one client initially. - */ -- ifp->ntcpaccepting = 0; -- ifp->ntcpactive = 0; -+ isc_refcount_init(&ifp->ntcpaccepting, 0); -+ isc_refcount_init(&ifp->ntcpactive, 0); - - ifp->nudpdispatch = 0; - -@@ -616,6 +616,9 @@ ns_interface_destroy(ns_interface_t *ifp - - ns_interfacemgr_detach(&ifp->mgr); - -+ isc_refcount_destroy(&ifp->ntcpactive); -+ isc_refcount_destroy(&ifp->ntcpaccepting); -+ - ifp->magic = 0; - isc_mem_put(mctx, ifp, sizeof(*ifp)); - } diff --git a/CVE-2018-5743.patch b/CVE-2018-5743.patch deleted file mode 100644 index 784d9a022226f23500fe0e04328f2d08f280618a..0000000000000000000000000000000000000000 --- a/CVE-2018-5743.patch +++ /dev/null 
@@ -1,872 +0,0 @@ -Description: fix limiting simultaneous TCP clients is ineffective -Origin: backported from patch provided by ISC - -Index: bind9-9.11.4+dfsg/bin/named/client.c -=================================================================== ---- bind9-9.11.4+dfsg.orig/bin/named/client.c 2019-04-24 05:05:24.068523718 -0400 -+++ bind9-9.11.4+dfsg/bin/named/client.c 2019-04-24 05:16:21.089731949 -0400 -@@ -243,10 +243,11 @@ static void ns_client_dumpmessage(ns_cli - static isc_result_t get_client(ns_clientmgr_t *manager, ns_interface_t *ifp, - dns_dispatch_t *disp, isc_boolean_t tcp); - static isc_result_t get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, -- isc_socket_t *sock); -+ isc_socket_t *sock, ns_client_t *oldclient); - static inline isc_boolean_t --allowed(isc_netaddr_t *addr, dns_name_t *signer, isc_netaddr_t *ecs_addr, -- isc_uint8_t ecs_addrlen, isc_uint8_t *ecs_scope, dns_acl_t *acl); -+allowed(isc_netaddr_t *addr, dns_name_t *signer, -+ isc_netaddr_t *ecs_addr, isc_uint8_t ecs_addrlen, -+ isc_uint8_t *ecs_scope, dns_acl_t *acl); - static void compute_cookie(ns_client_t *client, isc_uint32_t when, - isc_uint32_t nonce, const unsigned char *secret, - isc_buffer_t *buf); -@@ -296,6 +297,119 @@ ns_client_settimeout(ns_client_t *client - } - - /*% -+ * Allocate a reference-counted object that will maintain a single pointer to -+ * the (also reference-counted) TCP client quota, shared between all the -+ * clients processing queries on a single TCP connection, so that all -+ * clients sharing the one socket will together consume only one slot in -+ * the 'tcp-clients' quota. -+ */ -+static isc_result_t -+tcpconn_init(ns_client_t *client, isc_boolean_t force) { -+ isc_result_t result; -+ isc_quota_t *quota = NULL; -+ ns_tcpconn_t *tconn = NULL; -+ -+ REQUIRE(client->tcpconn == NULL); -+ -+ /* -+ * Try to attach to the quota first, so we won't pointlessly -+ * allocate memory for a tcpconn object if we can't get one. 
-+ */ -+ if (force) { -+ result = isc_quota_force(&ns_g_server->tcpquota, "a); -+ } else { -+ result = isc_quota_attach(&ns_g_server->tcpquota, "a); -+ } -+ if (result != ISC_R_SUCCESS) { -+ return (result); -+ } -+ -+ /* -+ * A global memory context is used for the allocation as different -+ * client structures may have different memory contexts assigned and a -+ * reference counter allocated here might need to be freed by a -+ * different client. The performance impact caused by memory context -+ * contention here is expected to be negligible, given that this code -+ * is only executed for TCP connections. -+ */ -+ tconn = isc_mem_allocate(ns_g_mctx, sizeof(*tconn)); -+ -+ isc_refcount_init(&tconn->refs, 1); -+ tconn->tcpquota = quota; -+ quota = NULL; -+ tconn->pipelined = ISC_FALSE; -+ -+ client->tcpconn = tconn; -+ -+ return (ISC_R_SUCCESS); -+} -+ -+/*% -+ * Increase the count of client structures sharing the TCP connection -+ * that 'source' is associated with; add a pointer to the same tcpconn -+ * to 'target', thus associating it with the same TCP connection. -+ */ -+static void -+tcpconn_attach(ns_client_t *source, ns_client_t *target) { -+ int refs; -+ -+ REQUIRE(source->tcpconn != NULL); -+ REQUIRE(target->tcpconn == NULL); -+ REQUIRE(source->tcpconn->pipelined); -+ -+ isc_refcount_increment(&source->tcpconn->refs, &refs); -+ INSIST(refs > 1); -+ target->tcpconn = source->tcpconn; -+} -+ -+/*% -+ * Decrease the count of client structures sharing the TCP connection that -+ * 'client' is associated with. If this is the last client using this TCP -+ * connection, we detach from the TCP quota and free the tcpconn -+ * object. Either way, client->tcpconn is set to NULL. 
-+ */ -+static void -+tcpconn_detach(ns_client_t *client) { -+ ns_tcpconn_t *tconn = NULL; -+ int refs; -+ -+ REQUIRE(client->tcpconn != NULL); -+ -+ tconn = client->tcpconn; -+ client->tcpconn = NULL; -+ -+ isc_refcount_decrement(&tconn->refs, &refs); -+ if (refs == 0) { -+ isc_quota_detach(&tconn->tcpquota); -+ isc_mem_free(ns_g_mctx, tconn); -+ } -+} -+ -+/*% -+ * Mark a client as active and increment the interface's 'ntcpactive' -+ * counter, as a signal that there is at least one client servicing -+ * TCP queries for the interface. If we reach the TCP client quota at -+ * some point, this will be used to determine whether a quota overrun -+ * should be permitted. -+ * -+ * Marking the client active with the 'tcpactive' flag ensures proper -+ * accounting, by preventing us from incrementing or decrementing -+ * 'ntcpactive' more than once per client. -+ */ -+static void -+mark_tcp_active(ns_client_t *client, isc_boolean_t active) { -+ if (active && !client->tcpactive) { -+ isc_atomic_xadd(&client->interface->ntcpactive, 1); -+ client->tcpactive = active; -+ } else if (!active && client->tcpactive) { -+ uint32_t old = -+ isc_atomic_xadd(&client->interface->ntcpactive, -1); -+ INSIST(old > 0); -+ client->tcpactive = active; -+ } -+} -+ -+/*% - * Check for a deactivation or shutdown request and take appropriate - * action. Returns ISC_TRUE if either is in progress; in this case - * the caller must no longer use the client object as it may have been -@@ -384,7 +498,8 @@ exit_check(ns_client_t *client) { - INSIST(client->recursionquota == NULL); - - if (NS_CLIENTSTATE_READING == client->newstate) { -- if (!client->pipelined) { -+ INSIST(client->tcpconn != NULL); -+ if (!client->tcpconn->pipelined) { - client_read(client); - client->newstate = NS_CLIENTSTATE_MAX; - return (ISC_TRUE); /* We're done. 
*/ -@@ -402,10 +517,13 @@ exit_check(ns_client_t *client) { - */ - INSIST(client->recursionquota == NULL); - INSIST(client->newstate <= NS_CLIENTSTATE_READY); -- if (client->nreads > 0) -+ -+ if (client->nreads > 0) { - dns_tcpmsg_cancelread(&client->tcpmsg); -- if (client->nreads != 0) { -- /* Still waiting for read cancel completion. */ -+ } -+ -+ /* Still waiting for read cancel completion. */ -+ if (client->nreads > 0) { - return (ISC_TRUE); - } - -@@ -413,14 +531,49 @@ exit_check(ns_client_t *client) { - dns_tcpmsg_invalidate(&client->tcpmsg); - client->tcpmsg_valid = ISC_FALSE; - } -+ -+ /* -+ * Soon the client will be ready to accept a new TCP -+ * connection or UDP request, but we may have enough -+ * clients doing that already. Check whether this client -+ * needs to remain active and allow it go inactive if -+ * not. -+ * -+ * UDP clients always go inactive at this point, but a TCP -+ * client may need to stay active and return to READY -+ * state if no other clients are available to listen -+ * for TCP requests on this interface. -+ * -+ * Regardless, if we're going to FREED state, that means -+ * the system is shutting down and we don't need to -+ * retain clients. -+ */ -+ if (client->mortal && TCP_CLIENT(client) && -+ client->newstate != NS_CLIENTSTATE_FREED && -+ !ns_g_clienttest && -+ isc_atomic_xadd(&client->interface->ntcpaccepting, 0) == 0) -+ { -+ /* Nobody else is accepting */ -+ client->mortal = ISC_FALSE; -+ client->newstate = NS_CLIENTSTATE_READY; -+ } -+ -+ /* -+ * Detach from TCP connection and TCP client quota, -+ * if appropriate. If this is the last reference to -+ * the TCP connection in our pipeline group, the -+ * TCP quota slot will be released. 
-+ */ -+ if (client->tcpconn) { -+ tcpconn_detach(client); -+ } -+ - if (client->tcpsocket != NULL) { - CTRACE("closetcp"); - isc_socket_detach(&client->tcpsocket); -+ mark_tcp_active(client, ISC_FALSE); - } - -- if (client->tcpquota != NULL) -- isc_quota_detach(&client->tcpquota); -- - if (client->timerset) { - (void)isc_timer_reset(client->timer, - isc_timertype_inactive, -@@ -428,45 +581,26 @@ exit_check(ns_client_t *client) { - client->timerset = ISC_FALSE; - } - -- client->pipelined = ISC_FALSE; -- - client->peeraddr_valid = ISC_FALSE; - - client->state = NS_CLIENTSTATE_READY; -- INSIST(client->recursionquota == NULL); -- -- /* -- * Now the client is ready to accept a new TCP connection -- * or UDP request, but we may have enough clients doing -- * that already. Check whether this client needs to remain -- * active and force it to go inactive if not. -- * -- * UDP clients go inactive at this point, but TCP clients -- * may remain active if we have fewer active TCP client -- * objects than desired due to an earlier quota exhaustion. -- */ -- if (client->mortal && TCP_CLIENT(client) && !ns_g_clienttest) { -- LOCK(&client->interface->lock); -- if (client->interface->ntcpcurrent < -- client->interface->ntcptarget) -- client->mortal = ISC_FALSE; -- UNLOCK(&client->interface->lock); -- } - - /* - * We don't need the client; send it to the inactive - * queue for recycling. - */ - if (client->mortal) { -- if (client->newstate > NS_CLIENTSTATE_INACTIVE) -+ if (client->newstate > NS_CLIENTSTATE_INACTIVE) { - client->newstate = NS_CLIENTSTATE_INACTIVE; -+ } - } - - if (NS_CLIENTSTATE_READY == client->newstate) { - if (TCP_CLIENT(client)) { - client_accept(client); -- } else -+ } else { - client_udprecv(client); -+ } - client->newstate = NS_CLIENTSTATE_MAX; - return (ISC_TRUE); - } -@@ -478,41 +612,50 @@ exit_check(ns_client_t *client) { - /* - * We are trying to enter the inactive state. 
- */ -- if (client->naccepts > 0) -+ if (client->naccepts > 0) { - isc_socket_cancel(client->tcplistener, client->task, - ISC_SOCKCANCEL_ACCEPT); -+ } - - /* Still waiting for accept cancel completion. */ -- if (! (client->naccepts == 0)) -+ if (client->naccepts > 0) { - return (ISC_TRUE); -+ } - - /* Accept cancel is complete. */ -- if (client->nrecvs > 0) -+ if (client->nrecvs > 0) { - isc_socket_cancel(client->udpsocket, client->task, - ISC_SOCKCANCEL_RECV); -+ } - - /* Still waiting for recv cancel completion. */ -- if (! (client->nrecvs == 0)) -+ if (client->nrecvs > 0) { - return (ISC_TRUE); -+ } - - /* Still waiting for control event to be delivered */ -- if (client->nctls > 0) -+ if (client->nctls > 0) { - return (ISC_TRUE); -- -- /* Deactivate the client. */ -- if (client->interface) -- ns_interface_detach(&client->interface); -+ } - - INSIST(client->naccepts == 0); - INSIST(client->recursionquota == NULL); -- if (client->tcplistener != NULL) -+ if (client->tcplistener != NULL) { - isc_socket_detach(&client->tcplistener); -- -- if (client->udpsocket != NULL) -+ mark_tcp_active(client, ISC_FALSE); -+ } -+ if (client->udpsocket != NULL) { - isc_socket_detach(&client->udpsocket); -+ } - -- if (client->dispatch != NULL) -+ /* Deactivate the client. 
*/ -+ if (client->interface != NULL) { -+ ns_interface_detach(&client->interface); -+ } -+ -+ if (client->dispatch != NULL) { - dns_dispatch_detach(&client->dispatch); -+ } - - client->attributes = 0; - client->mortal = ISC_FALSE; -@@ -537,10 +680,13 @@ exit_check(ns_client_t *client) { - client->newstate = NS_CLIENTSTATE_MAX; - if (!ns_g_clienttest && manager != NULL && - !manager->exiting) -+ { - ISC_QUEUE_PUSH(manager->inactive, client, - ilink); -- if (client->needshutdown) -+ } -+ if (client->needshutdown) { - isc_task_shutdown(client->task); -+ } - return (ISC_TRUE); - } - } -@@ -650,7 +796,7 @@ client_start(isc_task_t *task, isc_event - return; - - if (TCP_CLIENT(client)) { -- if (client->pipelined) { -+ if (client->tcpconn != NULL) { - client_read(client); - } else { - client_accept(client); -@@ -660,7 +806,6 @@ client_start(isc_task_t *task, isc_event - } - } - -- - /*% - * The client's task has received a shutdown event. - */ -@@ -2301,6 +2446,7 @@ client_request(isc_task_t *task, isc_eve - client->nrecvs--; - } else { - INSIST(TCP_CLIENT(client)); -+ INSIST(client->tcpconn != NULL); - REQUIRE(event->ev_type == DNS_EVENT_TCPMSG); - REQUIRE(event->ev_sender == &client->tcpmsg); - buffer = &client->tcpmsg.buffer; -@@ -2484,18 +2630,27 @@ client_request(isc_task_t *task, isc_eve - /* - * Pipeline TCP query processing. - */ -- if (client->message->opcode != dns_opcode_query) -- client->pipelined = ISC_FALSE; -- if (TCP_CLIENT(client) && client->pipelined) { -- result = isc_quota_reserve(&ns_g_server->tcpquota); -- if (result == ISC_R_SUCCESS) -- result = ns_client_replace(client); -+ if (TCP_CLIENT(client) && -+ client->message->opcode != dns_opcode_query) -+ { -+ client->tcpconn->pipelined = ISC_FALSE; -+ } -+ if (TCP_CLIENT(client) && client->tcpconn->pipelined) { -+ /* -+ * We're pipelining. Replace the client; the -+ * replacement can read the TCP socket looking -+ * for new messages and this one can process the -+ * current message asynchronously. 
-+ * -+ * There will now be at least three clients using this -+ * TCP socket - one accepting new connections, -+ * one reading an existing connection to get new -+ * messages, and one answering the message already -+ * received. -+ */ -+ result = ns_client_replace(client); - if (result != ISC_R_SUCCESS) { -- ns_client_log(client, NS_LOGCATEGORY_CLIENT, -- NS_LOGMODULE_CLIENT, ISC_LOG_WARNING, -- "no more TCP clients(read): %s", -- isc_result_totext(result)); -- client->pipelined = ISC_FALSE; -+ client->tcpconn->pipelined = ISC_FALSE; - } - } - -@@ -3051,8 +3206,7 @@ client_create(ns_clientmgr_t *manager, n - client->signer = NULL; - dns_name_init(&client->signername, NULL); - client->mortal = ISC_FALSE; -- client->pipelined = ISC_FALSE; -- client->tcpquota = NULL; -+ client->tcpconn = NULL; - client->recursionquota = NULL; - client->interface = NULL; - client->peeraddr_valid = ISC_FALSE; -@@ -3062,6 +3216,7 @@ client_create(ns_clientmgr_t *manager, n - client->filter_aaaa = dns_aaaa_ok; - #endif - client->needshutdown = ns_g_clienttest; -+ client->tcpactive = ISC_FALSE; - - ISC_EVENT_INIT(&client->ctlevent, sizeof(client->ctlevent), 0, NULL, - NS_EVENT_CLIENTCONTROL, client_start, client, client, -@@ -3156,9 +3311,10 @@ client_read(ns_client_t *client) { - - static void - client_newconn(isc_task_t *task, isc_event_t *event) { -+ isc_result_t result; - ns_client_t *client = event->ev_arg; - isc_socket_newconnev_t *nevent = (isc_socket_newconnev_t *)event; -- isc_result_t result; -+ isc_uint32_t old; - - REQUIRE(event->ev_type == ISC_SOCKEVENT_NEWCONN); - REQUIRE(NS_CLIENT_VALID(client)); -@@ -3168,13 +3324,18 @@ client_newconn(isc_task_t *task, isc_eve - - INSIST(client->state == NS_CLIENTSTATE_READY); - -+ /* -+ * The accept() was successful and we're now establishing a new -+ * connection. 
We need to make note of it in the client and -+ * interface objects so client objects can do the right thing -+ * when going inactive in exit_check() (see comments in -+ * client_accept() for details). -+ */ - INSIST(client->naccepts == 1); - client->naccepts--; - -- LOCK(&client->interface->lock); -- INSIST(client->interface->ntcpcurrent > 0); -- client->interface->ntcpcurrent--; -- UNLOCK(&client->interface->lock); -+ old = isc_atomic_xadd(&client->interface->ntcpaccepting, -1); -+ INSIST(old > 0); - - /* - * We must take ownership of the new socket before the exit -@@ -3207,6 +3368,7 @@ client_newconn(isc_task_t *task, isc_eve - NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3), - "accept failed: %s", - isc_result_totext(nevent->result)); -+ tcpconn_detach(client); - } - - if (exit_check(client)) -@@ -3244,20 +3406,13 @@ client_newconn(isc_task_t *task, isc_eve - * telnetting to port 53 (once per CPU) will - * deny service to legitimate TCP clients. - */ -- client->pipelined = ISC_FALSE; -- result = isc_quota_attach(&ns_g_server->tcpquota, -- &client->tcpquota); -- if (result == ISC_R_SUCCESS) -- result = ns_client_replace(client); -- if (result != ISC_R_SUCCESS) { -- ns_client_log(client, NS_LOGCATEGORY_CLIENT, -- NS_LOGMODULE_CLIENT, ISC_LOG_WARNING, -- "no more TCP clients(accept): %s", -- isc_result_totext(result)); -- } else if (ns_g_server->keepresporder == NULL || -- !allowed(&netaddr, NULL, NULL, 0, NULL, -- ns_g_server->keepresporder)) { -- client->pipelined = ISC_TRUE; -+ result = ns_client_replace(client); -+ if (result == ISC_R_SUCCESS && -+ (ns_g_server->keepresporder == NULL || -+ !allowed(&netaddr, NULL, NULL, 0, NULL, -+ ns_g_server->keepresporder))) -+ { -+ client->tcpconn->pipelined = ISC_TRUE; - } - - client_read(client); -@@ -3273,12 +3428,66 @@ client_accept(ns_client_t *client) { - - CTRACE("accept"); - -+ /* -+ * Set up a new TCP connection. This means try to attach to the -+ * TCP client quota (tcp-clients), but fail if we're over quota. 
-+ */ -+ result = tcpconn_init(client, ISC_FALSE); -+ if (result != ISC_R_SUCCESS) { -+ isc_boolean_t exit; -+ -+ ns_client_log(client, NS_LOGCATEGORY_CLIENT, -+ NS_LOGMODULE_CLIENT, ISC_LOG_WARNING, -+ "TCP client quota reached: %s", -+ isc_result_totext(result)); -+ -+ /* -+ * We have exceeded the system-wide TCP client quota. But, -+ * we can't just block this accept in all cases, because if -+ * we did, a heavy TCP load on other interfaces might cause -+ * this interface to be starved, with no clients able to -+ * accept new connections. -+ * -+ * So, we check here to see if any other clients are -+ * already servicing TCP queries on this interface (whether -+ * accepting, reading, or processing). If we find that at -+ * least one client other than this one is active, then -+ * it's okay *not* to call accept - we can let this -+ * client go inactive and another will take over when it's -+ * done. -+ * -+ * If there aren't enough active clients on the interface, -+ * then we can be a little bit flexible about the quota. -+ * We'll allow *one* extra client through to ensure we're -+ * listening on every interface; we do this by setting the -+ * 'force' option to tcpconn_init(). -+ * -+ * (Note: In practice this means that the real TCP client -+ * quota is tcp-clients plus the number of listening -+ * interfaces plus 1.) -+ */ -+ exit = (isc_atomic_xadd(&client->interface->ntcpactive, 0) > -+ (client->tcpactive ? 1 : 0)); -+ if (exit) { -+ client->newstate = NS_CLIENTSTATE_INACTIVE; -+ (void)exit_check(client); -+ return; -+ } -+ -+ result = tcpconn_init(client, ISC_TRUE); -+ RUNTIME_CHECK(result == ISC_R_SUCCESS); -+ } -+ -+ /* -+ * If this client was set up using get_client() or get_worker(), -+ * then TCP is already marked active. However, if it was restarted -+ * from exit_check(), it might not be, so we take care of it now. 
-+ */ -+ mark_tcp_active(client, ISC_TRUE); -+ - result = isc_socket_accept(client->tcplistener, client->task, - client_newconn, client); - if (result != ISC_R_SUCCESS) { -- UNEXPECTED_ERROR(__FILE__, __LINE__, -- "isc_socket_accept() failed: %s", -- isc_result_totext(result)); - /* - * XXXRTH What should we do? We're trying to accept but - * it didn't work. If we just give up, then TCP -@@ -3286,13 +3495,37 @@ client_accept(ns_client_t *client) { - * - * For now, we just go idle. - */ -+ UNEXPECTED_ERROR(__FILE__, __LINE__, -+ "isc_socket_accept() failed: %s", -+ isc_result_totext(result)); -+ -+ tcpconn_detach(client); -+ mark_tcp_active(client, ISC_FALSE); - return; - } -+ -+ /* -+ * The client's 'naccepts' counter indicates that this client has -+ * called accept() and is waiting for a new connection. It should -+ * never exceed 1. -+ */ - INSIST(client->naccepts == 0); - client->naccepts++; -- LOCK(&client->interface->lock); -- client->interface->ntcpcurrent++; -- UNLOCK(&client->interface->lock); -+ -+ /* -+ * The interface's 'ntcpaccepting' counter is incremented when -+ * any client calls accept(), and decremented in client_newconn() -+ * once the connection is established. -+ * -+ * When the client object is shutting down after handling a TCP -+ * request (see exit_check()), if this value is at least one, that -+ * means another client has called accept() and is waiting to -+ * establish the next connection. That means the client may be -+ * be free to become inactive; otherwise it may need to start -+ * listening for connections itself to prevent the interface -+ * going dead. 
-+ */ -+ isc_atomic_xadd(&client->interface->ntcpaccepting, 1); - } - - static void -@@ -3363,15 +3596,17 @@ ns_client_replace(ns_client_t *client) { - REQUIRE(client->manager != NULL); - - tcp = TCP_CLIENT(client); -- if (tcp && client->pipelined) { -+ if (tcp && client->tcpconn != NULL && client->tcpconn->pipelined) { - result = get_worker(client->manager, client->interface, -- client->tcpsocket); -+ client->tcpsocket, client); - } else { - result = get_client(client->manager, client->interface, - client->dispatch, tcp); -+ - } -- if (result != ISC_R_SUCCESS) -+ if (result != ISC_R_SUCCESS) { - return (result); -+ } - - /* - * The responsibility for listening for new requests is hereby -@@ -3557,9 +3792,12 @@ get_client(ns_clientmgr_t *manager, ns_i - client->dscp = ifp->dscp; - - if (tcp) { -+ mark_tcp_active(client, ISC_TRUE); -+ - client->attributes |= NS_CLIENTATTR_TCP; - isc_socket_attach(ifp->tcpsocket, - &client->tcplistener); -+ - } else { - isc_socket_t *sock; - -@@ -3577,7 +3815,8 @@ get_client(ns_clientmgr_t *manager, ns_i - } - - static isc_result_t --get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, isc_socket_t *sock) -+get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, isc_socket_t *sock, -+ ns_client_t *oldclient) - { - isc_result_t result = ISC_R_SUCCESS; - isc_event_t *ev; -@@ -3585,6 +3824,7 @@ get_worker(ns_clientmgr_t *manager, ns_i - MTRACE("get worker"); - - REQUIRE(manager != NULL); -+ REQUIRE(oldclient != NULL); - - if (manager->exiting) - return (ISC_R_SHUTTINGDOWN); -@@ -3617,14 +3857,15 @@ get_worker(ns_clientmgr_t *manager, ns_i - ns_interface_attach(ifp, &client->interface); - client->newstate = client->state = NS_CLIENTSTATE_WORKING; - INSIST(client->recursionquota == NULL); -- client->tcpquota = &ns_g_server->tcpquota; - - client->dscp = ifp->dscp; - - client->attributes |= NS_CLIENTATTR_TCP; -- client->pipelined = ISC_TRUE; - client->mortal = ISC_TRUE; - -+ tcpconn_attach(oldclient, client); -+ mark_tcp_active(client, 
ISC_TRUE); -+ - isc_socket_attach(ifp->tcpsocket, &client->tcplistener); - isc_socket_attach(sock, &client->tcpsocket); - isc_socket_setname(client->tcpsocket, "worker-tcp", NULL); -Index: bind9-9.11.4+dfsg/bin/named/include/named/client.h -=================================================================== ---- bind9-9.11.4+dfsg.orig/bin/named/include/named/client.h 2019-04-24 05:05:24.068523718 -0400 -+++ bind9-9.11.4+dfsg/bin/named/include/named/client.h 2019-04-24 05:18:09.894205195 -0400 -@@ -9,8 +9,6 @@ - * information regarding copyright ownership. - */ - --/* $Id: client.h,v 1.96 2012/01/31 23:47:31 tbox Exp $ */ -- - #ifndef NAMED_CLIENT_H - #define NAMED_CLIENT_H 1 - -@@ -77,6 +75,13 @@ - *** Types - ***/ - -+/*% reference-counted TCP connection object */ -+typedef struct ns_tcpconn { -+ isc_refcount_t refs; -+ isc_quota_t *tcpquota; -+ isc_boolean_t pipelined; -+} ns_tcpconn_t; -+ - /*% nameserver client structure */ - struct ns_client { - unsigned int magic; -@@ -91,6 +96,7 @@ struct ns_client { - int nupdates; - int nctls; - int references; -+ isc_boolean_t tcpactive; - isc_boolean_t needshutdown; /* - * Used by clienttest to get - * the client to go from -@@ -127,10 +133,9 @@ struct ns_client { - isc_stdtime_t now; - isc_time_t tnow; - dns_name_t signername; /*%< [T]SIG key name */ -- dns_name_t * signer; /*%< NULL if not valid sig */ -+ dns_name_t *signer; /*%< NULL if not valid sig */ - isc_boolean_t mortal; /*%< Die after handling request */ -- isc_boolean_t pipelined; /*%< TCP queries not in sequence */ -- isc_quota_t *tcpquota; -+ ns_tcpconn_t *tcpconn; - isc_quota_t *recursionquota; - ns_interface_t *interface; - -Index: bind9-9.11.4+dfsg/bin/named/include/named/interfacemgr.h -=================================================================== ---- bind9-9.11.4+dfsg.orig/bin/named/include/named/interfacemgr.h 2019-04-24 05:05:24.068523718 -0400 -+++ bind9-9.11.4+dfsg/bin/named/include/named/interfacemgr.h 2019-04-24 05:05:24.068523718 -0400 -@@ 
-9,8 +9,6 @@ - * information regarding copyright ownership. - */ - --/* $Id: interfacemgr.h,v 1.35 2011/07/28 23:47:58 tbox Exp $ */ -- - #ifndef NAMED_INTERFACEMGR_H - #define NAMED_INTERFACEMGR_H 1 - -@@ -75,9 +73,14 @@ struct ns_interface { - /*%< UDP dispatchers. */ - isc_socket_t * tcpsocket; /*%< TCP socket. */ - isc_dscp_t dscp; /*%< "listen-on" DSCP value */ -- int ntcptarget; /*%< Desired number of concurrent -- TCP accepts */ -- int ntcpcurrent; /*%< Current ditto, locked */ -+ isc_int32_t ntcpaccepting; /*%< Number of clients -+ ready to accept new -+ TCP connections on this -+ interface */ -+ isc_int32_t ntcpactive; /*%< Number of clients -+ servicing TCP queries -+ (whether accepting or -+ connected) */ - int nudpdispatch; /*%< Number of UDP dispatches */ - ns_clientmgr_t * clientmgr; /*%< Client manager. */ - ISC_LINK(ns_interface_t) link; -Index: bind9-9.11.4+dfsg/bin/named/interfacemgr.c -=================================================================== ---- bind9-9.11.4+dfsg.orig/bin/named/interfacemgr.c 2019-04-24 05:05:24.068523718 -0400 -+++ bind9-9.11.4+dfsg/bin/named/interfacemgr.c 2019-04-24 05:19:06.102432272 -0400 -@@ -384,8 +384,9 @@ ns_interface_create(ns_interfacemgr_t *m - * connections will be handled in parallel even though there is - * only one client initially. 
- */ -- ifp->ntcptarget = 1; -- ifp->ntcpcurrent = 0; -+ ifp->ntcpaccepting = 0; -+ ifp->ntcpactive = 0; -+ - ifp->nudpdispatch = 0; - - ifp->dscp = -1; -@@ -520,9 +521,7 @@ ns_interface_accepttcp(ns_interface_t *i - */ - (void)isc_socket_filter(ifp->tcpsocket, "dataready"); - -- result = ns_clientmgr_createclients(ifp->clientmgr, -- ifp->ntcptarget, ifp, -- ISC_TRUE); -+ result = ns_clientmgr_createclients(ifp->clientmgr, 1, ifp, ISC_TRUE); - if (result != ISC_R_SUCCESS) { - UNEXPECTED_ERROR(__FILE__, __LINE__, - "TCP ns_clientmgr_createclients(): %s", -Index: bind9-9.11.4+dfsg/lib/isc/include/isc/quota.h -=================================================================== ---- bind9-9.11.4+dfsg.orig/lib/isc/include/isc/quota.h 2019-04-24 05:05:24.068523718 -0400 -+++ bind9-9.11.4+dfsg/lib/isc/include/isc/quota.h 2019-04-24 05:05:24.068523718 -0400 -@@ -100,6 +100,13 @@ isc_quota_attach(isc_quota_t *quota, isc - * quota if successful (ISC_R_SUCCESS or ISC_R_SOFTQUOTA). - */ - -+isc_result_t -+isc_quota_force(isc_quota_t *quota, isc_quota_t **p); -+/*%< -+ * Like isc_quota_attach, but will attach '*p' to the quota -+ * even if the hard quota has been exceeded. 
-+ */ -+ - void - isc_quota_detach(isc_quota_t **p); - /*%< -Index: bind9-9.11.4+dfsg/lib/isc/quota.c -=================================================================== ---- bind9-9.11.4+dfsg.orig/lib/isc/quota.c 2019-04-24 05:05:24.068523718 -0400 -+++ bind9-9.11.4+dfsg/lib/isc/quota.c 2019-04-24 05:05:24.068523718 -0400 -@@ -74,20 +74,39 @@ isc_quota_release(isc_quota_t *quota) { - UNLOCK("a->lock); - } - --isc_result_t --isc_quota_attach(isc_quota_t *quota, isc_quota_t **p) --{ -+static isc_result_t -+doattach(isc_quota_t *quota, isc_quota_t **p, isc_boolean_t force) { - isc_result_t result; -- INSIST(p != NULL && *p == NULL); -+ REQUIRE(p != NULL && *p == NULL); -+ - result = isc_quota_reserve(quota); -- if (result == ISC_R_SUCCESS || result == ISC_R_SOFTQUOTA) -+ if (result == ISC_R_SUCCESS || result == ISC_R_SOFTQUOTA) { -+ *p = quota; -+ } else if (result == ISC_R_QUOTA && force) { -+ /* attach anyway */ -+ LOCK("a->lock); -+ quota->used++; -+ UNLOCK("a->lock); -+ - *p = quota; -+ result = ISC_R_SUCCESS; -+ } -+ - return (result); - } - -+isc_result_t -+isc_quota_attach(isc_quota_t *quota, isc_quota_t **p) { -+ return (doattach(quota, p, ISC_FALSE)); -+} -+ -+isc_result_t -+isc_quota_force(isc_quota_t *quota, isc_quota_t **p) { -+ return (doattach(quota, p, ISC_TRUE)); -+} -+ - void --isc_quota_detach(isc_quota_t **p) --{ -+isc_quota_detach(isc_quota_t **p) { - INSIST(p != NULL && *p != NULL); - isc_quota_release(*p); - *p = NULL; -Index: bind9-9.11.4+dfsg/lib/isc/win32/libisc.def.in -=================================================================== ---- bind9-9.11.4+dfsg.orig/lib/isc/win32/libisc.def.in 2019-04-24 05:05:24.068523718 -0400 -+++ bind9-9.11.4+dfsg/lib/isc/win32/libisc.def.in 2019-04-24 05:05:24.068523718 -0400 -@@ -519,6 +519,7 @@ isc_portset_removerange - isc_quota_attach - isc_quota_destroy - isc_quota_detach -+isc_quota_force - isc_quota_init - isc_quota_max - isc_quota_release 
diff --git a/CVE-2018-5745.patch b/CVE-2018-5745.patch
deleted file mode 100644
index 7b4e97d0ad48d153bf3908e5c8ac583bd29e7445..0000000000000000000000000000000000000000
--- a/CVE-2018-5745.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-Description: fix assertion failure when a trust anchor rolls over to an
- unsupported key algorithm when using managed-keys
-Origin: provided by ISC
-
-Index: bind9-9.11.4+dfsg/lib/dns/include/dst/dst.h
-===================================================================
---- bind9-9.11.4+dfsg.orig/lib/dns/include/dst/dst.h 2019-02-20 09:01:27.450680701 +0100
-+++ bind9-9.11.4+dfsg/lib/dns/include/dst/dst.h 2019-02-20 09:01:27.446680698 +0100
-@@ -67,8 +67,7 @@ typedef struct dst_context dst_context_
- #define DST_ALG_HMACSHA512 165 /* XXXMPA */
- #define DST_ALG_INDIRECT 252
- #define DST_ALG_PRIVATE 254
--#define DST_ALG_EXPAND 255
--#define DST_MAX_ALGS 255
-+#define DST_MAX_ALGS 256
-
- /*% A buffer of this size is large enough to hold any key */
- #define DST_KEY_MAXSIZE 1280
-Index: bind9-9.11.4+dfsg/lib/dns/zone.c
-===================================================================
---- bind9-9.11.4+dfsg.orig/lib/dns/zone.c 2019-02-20 09:01:27.450680701 +0100
-+++ bind9-9.11.4+dfsg/lib/dns/zone.c 2019-02-20 09:01:27.450680701 +0100
-@@ -3873,9 +3873,10 @@ compute_tag(dns_name_t *name, dns_rdata_
- dns_rdatatype_dnskey, dnskey, &buffer);
-
- result = dns_dnssec_keyfromrdata(name, &rdata, mctx, &dstkey);
-- if (result == ISC_R_SUCCESS)
-+ if (result == ISC_R_SUCCESS) {
- *tag = dst_key_id(dstkey);
-- dst_key_free(&dstkey);
-+ dst_key_free(&dstkey);
-+ }
-
- return (result);
- }
-@@ -9315,6 +9316,17 @@ keyfetch_done(isc_task_t *task, isc_even
-
- dns_keydata_todnskey(&keydata, &dnskey, NULL);
- result = compute_tag(keyname, &dnskey, mctx, &keytag);
-+ if (result != ISC_R_SUCCESS) {
-+ /*
-+ * Skip if we cannot compute the key tag.
-+ * This may happen if the algorithm is unsupported
-+ */
-+ dns_zone_log(zone, ISC_LOG_ERROR,
-+ "Cannot compute tag for key in zone %s: %s "
-+ "(skipping)",
-+ namebuf, dns_result_totext(result));
-+ continue;
-+ }
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
-
- /*
-@@ -9426,6 +9438,17 @@ keyfetch_done(isc_task_t *task, isc_even
- continue;
-
- result = compute_tag(keyname, &dnskey, mctx, &keytag);
-+ if (result != ISC_R_SUCCESS) {
-+ /*
-+ * Skip if we cannot compute the key tag.
-+ * This may happen if the algorithm is unsupported
-+ */
-+ dns_zone_log(zone, ISC_LOG_ERROR,
-+ "Cannot compute tag for key in zone %s: %s "
-+ "(skipping)",
-+ namebuf, dns_result_totext(result));
-+ continue;
-+ }
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
-
- revoked = ISC_TF(dnskey.flags & DNS_KEYFLAG_REVOKE);
diff --git a/CVE-2019-6465.patch b/CVE-2019-6465.patch
deleted file mode 100644
index 1fc492c0e8ddcf789d21e634ebb460fd3daf7741..0000000000000000000000000000000000000000
--- a/CVE-2019-6465.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-Description: fix controls for zone transfers not being properly applied to
- Dynamically Loadable Zones (DLZs) if the zones are writable
-Origin: provided by ISC
-
-Index: bind9-9.11.4+dfsg/bin/named/xfrout.c
-===================================================================
---- bind9-9.11.4+dfsg.orig/bin/named/xfrout.c 2019-02-20 09:02:00.710689380 +0100
-+++ bind9-9.11.4+dfsg/bin/named/xfrout.c 2019-02-20 09:02:00.706689381 +0100
-@@ -803,12 +803,12 @@ ns_xfr_start(ns_client_t *client, dns_rd
- result = dns_zt_find(client->view->zonetable, question_name, 0, NULL,
- &zone);
-
-- if (result != ISC_R_SUCCESS) {
-+ if (result != ISC_R_SUCCESS || dns_zone_gettype(zone) == dns_zone_dlz) {
- /*
-- * Normal zone table does not have a match.
-- * Try the DLZ database
-+ * The normal zone table does not have a match, or this is
-+ * marked in the zone table as a DLZ zone. Check the DLZ
-+ * databases for a match.
- */
-- // Temporary: only searching the first DLZ database
- if (! ISC_LIST_EMPTY(client->view->dlz_searched)) {
- result = dns_dlzallowzonexfr(client->view,
- question_name,
diff --git a/Changes.md b/Changes.md
new file mode 100644
index 0000000000000000000000000000000000000000..66610342d0e94a868595068956b0ee20c31af0d9
--- /dev/null
+++ b/Changes.md
@@ -0,0 +1,43 @@
+# Significant Changes in BIND9 package
+
+## BIND 9.16
+
+### New features
+
+- *libuv* is used for network subsystem as a mandatory dependency
+- *dnssec-policy* support in named.conf is introduced, providing a a key and signing policy
+ ([KASP](https://gitlab.isc.org/isc-projects/bind9/-/wikis/DNSSEC-Key-and-Signing-Policy-(KASP)))
+- *trusted-keys* and *managed-keys* are deprecated, replaced by *trust-anchors*
+- *trust-anchors* support also anchor in a *DS* format, in addition to *DNSKEY* format
+- **dig, mdig** and **delv** support **+yaml** parameter to print detailed machine parseable output
+
+### Feature changes
+
+- Static trust anchor and *dnssec-validation auto;* are incompatible and cause fatal error, when used together.
+- *DS* and *CDS* now generates only SHA-256 digest, SHA-1 is no longer generated by default
+- SipHash 2-4 DNS Cookie ([RFC 7873](https://www.rfc-editor.org/rfc/rfc7873.html) is now default).
+ Only AES alternative algorithm is kept, HMAC-SHA cookie support were removed.
+- **dnssec-signzone** and **dnssec-verify** commands print output to stdout, *-q* parameter can silence them
+
+### Features removed
+
+- *dnssec-enable* option is obsolete, DNSSEC support is always enabled
+- *dnssec-lookaside* option is deprecated and support for it removed from all tools
+- *cleaning-interval* option is removed
+
+### Upstream release notes
+
+- [9.16.10 notes](https://downloads.isc.org/isc/bind9/9.16.10/doc/arm/html/notes.html#notes-for-bind-9-16-10)
+- [9.16.0 notes](https://downloads.isc.org/isc/bind9/9.16.0/doc/arm/html/notes.html#notes-for-bind-9-16-0)
+
+## BIND 9.14
+
+- single thread support removed. Cannot provide *bind-export-libs* for DHCP
+- *lwres* support completely removed. Both daemon and library
+- common parts of daemon moved into *libns* shared library
+- introduced plugin for filtering aaaa responses
+- some SDB utilities no longer supported
+
+### Upstream release notes
+
+- [9.14.7 notes](https://downloads.isc.org/isc/bind9/9.14.7/RELEASE-NOTES-bind-9.14.7.html)
diff --git a/README.en.md b/README.en.md
deleted file mode 100644
index 5e0a40041c06568d00ab23397a0da785caf958e3..0000000000000000000000000000000000000000
--- a/README.en.md
+++ /dev/null
@@ -1,36 +0,0 @@
-# bind
-
-#### Description
-{**When you're done, you can delete the content in this README and update the file with details for others getting started with your repository**}
-
-#### Software Architecture
-Software architecture description
-
-#### Installation
-
-1. xxxx
-2. xxxx
-3. xxxx
-
-#### Instructions
-
-1. xxxx
-2. xxxx
-3. xxxx
-
-#### Contribution
-
-1. Fork the repository
-2. Create Feat_xxx branch
-3. Commit your code
-4. Create Pull Request
-
-
-#### Gitee Feature
-
-1. You can use Readme\_XXX.md to support different languages, such as Readme\_en.md, Readme\_zh.md
-2. Gitee blog [blog.gitee.com](https://blog.gitee.com)
-3. Explore open source project [https://gitee.com/explore](https://gitee.com/explore)
-4. The most valuable open source project [GVP](https://gitee.com/gvp)
-5. The manual of Gitee [https://gitee.com/help](https://gitee.com/help)
-6. The most popular members [https://gitee.com/gitee-stars/](https://gitee.com/gitee-stars/)
diff --git a/README.sdb_pgsql b/README.sdb_pgsql
deleted file mode 100644
index c10c29468907a3a897126e79a11863f7f6a3dc70..0000000000000000000000000000000000000000
--- a/README.sdb_pgsql
+++ /dev/null
@@ -1,79 +0,0 @@ - PGSQL BIND SDB driver - -The postgresql BIND SDB driver is of experimental status and should not be -used for production systems. - -Usage: - -o Use the named_sdb process ( put ENABLE_SDB=yes in /etc/sysconfig/named ) - -o Edit your named.conf to contain a database zone, eg. : - -zone "pgdb.net." IN { - type master; - database "pgsql bind pgdb localhost pguser pgpasswd"; - # ^- DB name ^-Table ^-host ^-user ^-password -}; - -o Create the database zone table - The table must contain the columns "name", "rdtype", and "rdata", and - is expected to contain a properly constructed zone. The program "zonetodb" - creates such a table. - - zonetodb usage: - - zonetodb origin file dbname dbtable - - where - origin : zone origin, eg "pgdb.net." - file : master zone database file, eg. pgdb.net.db - dbname : name of postgresql database - dbtable: name of table in database - - Eg. to import this zone in the file 'pgdb.net.db' into the 'bind' database - 'pgdb' table: - ---- -#pgdb.net.db: -$TTL 1H -@ SOA localhost. root.localhost. ( 1 - 3H - 1H - 1W - 1H ) - NS localhost. -host1 A 192.168.2.1 -host2 A 192.168.2.2 -host3 A 192.168.2.3 -host4 A 192.168.2.4 -host5 A 192.168.2.5 -host6 A 192.168.2.6 -host7 A 192.168.2.7 ---- - -Issue this command as the pgsql user authorized to update the bind database: - -# zonetodb pgdb.net. pgdb.net.db bind pgdb - -will create / update the pgdb table in the 'bind' db: - -$ psql -dbind -c 'select * from pgdb;' - name | ttl | rdtype | rdata -----------------+------+--------+----------------------------------------------------- - pgdb.net | 3600 | SOA | localhost. root.localhost. 1 10800 3600 604800 3600 - pgdb.net | 3600 | NS | localhost. 
- host1.pgdb.net | 3600 | A | 192.168.2.1 - host2.pgdb.net | 3600 | A | 192.168.2.2 - host3.pgdb.net | 3600 | A | 192.168.2.3 - host4.pgdb.net | 3600 | A | 192.168.2.4 - host5.pgdb.net | 3600 | A | 192.168.2.5 - host6.pgdb.net | 3600 | A | 192.168.2.6 - host7.pgdb.net | 3600 | A | 192.168.2.7 -(9 rows) - -I've tested exactly the above configuration with bind-sdb-9.3.1+ and it works OK. - -NOTE: If you use pgsqldb SDB, ensure the postgresql service is started before the named - service . - -USE AT YOUR OWN RISK! diff --git a/Use-clock_gettime-instead-of-gettimeofday.patch b/Use-clock_gettime-instead-of-gettimeofday.patch deleted file mode 100644 index 4247641542f602131d5709f4d5476cdd89458d21..0000000000000000000000000000000000000000 --- a/Use-clock_gettime-instead-of-gettimeofday.patch +++ /dev/null 
@@ -1,161 +0,0 @@ -diff --git a/lib/isc/unix/time.c b/lib/isc/unix/time.c -index f06d31a5508c2d3f7227063c21d9d4563789e72a..da25e5bf8e07639c8f70420a5c3f3c98a36a0548 100644 ---- a/lib/isc/unix/time.c -+++ b/lib/isc/unix/time.c -@@ -36,16 +36,7 @@ - #define NS_PER_MS 1000000 /*%< Nanoseconds per millisecond. */ - #define US_PER_S 1000000 /*%< Microseconds per second. */ - --/* -- * All of the INSIST()s checks of nanoseconds < NS_PER_S are for -- * consistency checking of the type. In lieu of magic numbers, it -- * is the best we've got. The check is only performed on functions which -- * need an initialized type. -- */ -- --#ifndef ISC_FIX_TV_USEC --#define ISC_FIX_TV_USEC 1 --#endif -+#define CLOCKSOURCE CLOCK_MONOTONIC - - /*% - *** Intervals -@@ -54,32 +49,6 @@ - static const isc_interval_t zero_interval = { 0, 0 }; - const isc_interval_t * const isc_interval_zero = &zero_interval; - --#if ISC_FIX_TV_USEC --static inline void --fix_tv_usec(struct timeval *tv) { -- isc_boolean_t fixed = ISC_FALSE; -- -- if (tv->tv_usec < 0) { -- fixed = ISC_TRUE; -- do { -- tv->tv_sec -= 1; -- tv->tv_usec += US_PER_S; -- } while (tv->tv_usec < 0); -- } else if (tv->tv_usec >= US_PER_S) { -- fixed = ISC_TRUE; -- do { -- tv->tv_sec += 1; -- tv->tv_usec -= US_PER_S; -- } while (tv->tv_usec >=US_PER_S); -- } -- /* -- * Call syslog directly as was are called from the logging functions. 
-- */ -- if (fixed) -- (void)syslog(LOG_ERR, "gettimeofday returned bad tv_usec: corrected"); --} --#endif -- - void - isc_interval_set(isc_interval_t *i, - unsigned int seconds, unsigned int nanoseconds) -@@ -141,76 +110,52 @@ isc_time_isepoch(const isc_time_t *t) { - - isc_result_t - isc_time_now(isc_time_t *t) { -- struct timeval tv; -+ struct timespec ts; - char strbuf[ISC_STRERRORSIZE]; - - REQUIRE(t != NULL); - -- if (gettimeofday(&tv, NULL) == -1) { -+ if (clock_gettime(CLOCKSOURCE, &ts) == -1) { - isc__strerror(errno, strbuf, sizeof(strbuf)); - UNEXPECTED_ERROR(__FILE__, __LINE__, "%s", strbuf); - return (ISC_R_UNEXPECTED); - } - -- /* -- * Does POSIX guarantee the signedness of tv_sec and tv_usec? If not, -- * then this test will generate warnings for platforms on which it is -- * unsigned. In any event, the chances of any of these problems -- * happening are pretty much zero, but since the libisc library ensures -- * certain things to be true ... -- */ --#if ISC_FIX_TV_USEC -- fix_tv_usec(&tv); -- if (tv.tv_sec < 0) -- return (ISC_R_UNEXPECTED); --#else -- if (tv.tv_sec < 0 || tv.tv_usec < 0 || tv.tv_usec >= US_PER_S) -+ if (ts.tv_sec < 0 || ts.tv_nsec < 0 || ts.tv_nsec >= NS_PER_S) { - return (ISC_R_UNEXPECTED); --#endif -+ } - - /* - * Ensure the tv_sec value fits in t->seconds. 
- */ -- if (sizeof(tv.tv_sec) > sizeof(t->seconds) && -- ((tv.tv_sec | (unsigned int)-1) ^ (unsigned int)-1) != 0U) -+ if (sizeof(ts.tv_sec) > sizeof(t->seconds) && -+ ((ts.tv_sec | (unsigned int)-1) ^ (unsigned int)-1) != 0U) - return (ISC_R_RANGE); - -- t->seconds = tv.tv_sec; -- t->nanoseconds = tv.tv_usec * NS_PER_US; -+ t->seconds = ts.tv_sec; -+ t->nanoseconds = ts.tv_nsec; - - return (ISC_R_SUCCESS); - } - - isc_result_t - isc_time_nowplusinterval(isc_time_t *t, const isc_interval_t *i) { -- struct timeval tv; -+ struct timespec ts; - char strbuf[ISC_STRERRORSIZE]; - - REQUIRE(t != NULL); - REQUIRE(i != NULL); - INSIST(i->nanoseconds < NS_PER_S); - -- if (gettimeofday(&tv, NULL) == -1) { -+ if (clock_gettime(CLOCKSOURCE, &ts) == -1) { - isc__strerror(errno, strbuf, sizeof(strbuf)); - UNEXPECTED_ERROR(__FILE__, __LINE__, "%s", strbuf); - return (ISC_R_UNEXPECTED); - } - -- /* -- * Does POSIX guarantee the signedness of tv_sec and tv_usec? If not, -- * then this test will generate warnings for platforms on which it is -- * unsigned. In any event, the chances of any of these problems -- * happening are pretty much zero, but since the libisc library ensures -- * certain things to be true ... -- */ --#if ISC_FIX_TV_USEC -- fix_tv_usec(&tv); -- if (tv.tv_sec < 0) -- return (ISC_R_UNEXPECTED); --#else -- if (tv.tv_sec < 0 || tv.tv_usec < 0 || tv.tv_usec >= US_PER_S) -+ if (ts.tv_sec < 0 || ts.tv_nsec < 0 || ts.tv_nsec >= NS_PER_S) { - return (ISC_R_UNEXPECTED); --#endif -+ } - - /* - * Ensure the resulting seconds value fits in the size of an -@@ -218,12 +163,12 @@ isc_time_nowplusinterval(isc_time_t *t, const isc_interval_t *i) { - * note that even if both values == INT_MAX, then when added - * and getting another 1 added below the result is UINT_MAX.) 
- */ -- if ((tv.tv_sec > INT_MAX || i->seconds > INT_MAX) && -- ((long long)tv.tv_sec + i->seconds > UINT_MAX)) -+ if ((ts.tv_sec > INT_MAX || i->seconds > INT_MAX) && -+ ((long long)ts.tv_sec + i->seconds > UINT_MAX)) - return (ISC_R_RANGE); - -- t->seconds = tv.tv_sec + i->seconds; -- t->nanoseconds = tv.tv_usec * NS_PER_US + i->nanoseconds; -+ t->seconds = ts.tv_sec + i->seconds; -+ t->nanoseconds = ts.tv_nsec + i->nanoseconds; - if (t->nanoseconds >= NS_PER_S) { - t->seconds++; - t->nanoseconds -= NS_PER_S; diff --git a/backport-bind-9.11-CVE-2023-50387-fixup.patch .patch b/backport-bind-9.11-CVE-2023-50387-fixup.patch .patch new file mode 100644 index 0000000000000000000000000000000000000000..42b8287c2120582a0a5001bf0ed72344b076c86a --- /dev/null +++ b/backport-bind-9.11-CVE-2023-50387-fixup.patch .patch 
@@ -0,0 +1,64 @@
+From f0fc9d7999a94da3d471c4e0a35b1f447f25eea6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
+Date: Mon, 26 Feb 2024 21:08:42 +0100
+Subject: [PATCH] Add normal task queue also to non-thread version
+
+Non-thread builds are used by us for dhcp package. Make it working
+again.
+
+Related to [GL #4424] and [GL #4459].
+---
+ lib/isc/task.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/lib/isc/task.c b/lib/isc/task.c
+index cc83269..5315b51 100644
+--- a/lib/isc/task.c
++++ b/lib/isc/task.c
+@@ -1115,7 +1115,7 @@ dispatch(isc__taskmgr_t *manager, isc_taskqueue_t qid) {
+ }
+ #else /* USE_WORKER_THREADS */
+ if (total_dispatch_count >= DEFAULT_TASKMGR_QUANTUM ||
+- empty_readyq(manager))
++ empty_readyq(manager, qid))
+ break;
+ #endif /* USE_WORKER_THREADS */
+ XTHREADTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_TASK,
+@@ -1318,11 +1318,11 @@ dispatch(isc__taskmgr_t *manager, isc_taskqueue_t qid) {
+ }
+
+ #ifndef USE_WORKER_THREADS
+- ISC_LIST_APPENDLIST(manager->ready_tasks, new_ready_tasks, ready_link);
+- ISC_LIST_APPENDLIST(manager->ready_priority_tasks, new_priority_tasks,
++ ISC_LIST_APPENDLIST(manager->ready_tasks[qid], new_ready_tasks, ready_link);
++ ISC_LIST_APPENDLIST(manager->ready_priority_tasks[qid], new_priority_tasks,
+ ready_priority_link);
+ manager->tasks_ready += tasks_ready;
+- if (empty_readyq(manager))
++ if (empty_readyq(manager, qid))
+ manager->mode = isc_taskmgrmode_normal;
+ #endif
+
+@@ -1713,7 +1713,8 @@ isc__taskmgr_ready(isc_taskmgr_t *manager0) {
+ return (false);
+
+ LOCK(&manager->lock);
+- is_ready = !empty_readyq(manager);
++ is_ready = !empty_readyq(manager, isc_taskqueue_normal) ||
++ !empty_readyq(manager, isc_taskqueue_slow);
+ UNLOCK(&manager->lock);
+
+ return (is_ready);
+@@ -1730,7 +1731,8 @@ isc__taskmgr_dispatch(isc_taskmgr_t *manager0) {
+ if (manager == NULL)
+ return (ISC_R_NOTFOUND);
+
+- dispatch(manager);
++ dispatch(manager, isc_taskqueue_normal);
++ dispatch(manager, isc_taskqueue_slow);
+
+ return (ISC_R_SUCCESS);
+ }
+--
+2.43.2
+
diff --git a/backport-bind-9.11-CVE-2023-50387.patch b/backport-bind-9.11-CVE-2023-50387.patch
new file mode 100644
index 0000000000000000000000000000000000000000..2f90d656577bea4e9d20bfb7a5eaad11d89c1238
--- /dev/null
+++ b/backport-bind-9.11-CVE-2023-50387.patch
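Review bot: The new file's path carries a stray ` .patch` suffix with an embedded space — `backport-bind-9.11-CVE-2023-50387-fixup.patch .patch` in both the `diff --git` and `+++` headers — so a spec-file `Patch:` entry or an apply loop that expects the plain name will not find it unless the odd name is quoted verbatim; naming it `backport-bind-9.11-CVE-2023-50387-fixup.patch` would match its sibling and the upstream convention. Inside the patch, the non-threaded branch of `dispatch()` resets `manager->mode` to `isc_taskmgrmode_normal` after checking `empty_readyq(manager, qid)` for the queue being dispatched only, whereas `isc__taskmgr_ready()` in the same patch consults both queues; if privileged tasks can be pending in the other queue, the mode may be dropped while work remains, which is worth confirming against the threaded path that lives outside this hunk. `dispatch()`, `isc__taskmgr_ready()` and `isc__taskmgr_dispatch()` all start and end outside the inner hunks shown.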
@@ -0,0 +1,737 @@ +From 4c20ab54ec503f65d8ee0b863cbf41103d95130a Mon Sep 17 00:00:00 2001 +From: Mark Andrews +Date: Wed, 22 Nov 2023 16:59:03 +1100 +Subject: [PATCH] Fail the DNSSEC validation on the first failure + +Be more strict when encountering DNSSEC validation failures - fail on +the first failure. This will break domains that have DNSSEC signing +keys with duplicate key ids, but this is something that's much easier +to fix on the authoritative side, so we are just going to be strict +on the resolver side where it is causing performance problems. + +(cherry picked from commit 8b7ecba9885e163c07c2dd3e1ceab79b2ba89e34) + +Add normal and slow task queues + +Split the task manager queues into normal and slow task queues, so we +can move the tasks that blocks processing for a long time (like DNSSEC +validation) into the slow queue which doesn't block fast +operations (like responding from the cache). This mitigates the whole +class of KeyTrap-like issues. + +(cherry picked from commit db083a21726300916fa0b9fd8a433a796fedf636) + +Don't iterate from start every time we select new signing key + +Improve the selecting of the new signing key by remembering where +we stopped the iteration and just continue from that place instead +of iterating from the start over and over again each time. + +(cherry picked from commit 75faeefcab47e4f1e12b358525190b4be90f97de) + +Optimize selecting the signing key + +Don't parse the crypto data before parsing and matching the id and the +algorithm. + +(cherry picked from commit b38552cca7200a72658e482f8407f57516efc5db) + +6322. [security] Specific DNS answers could cause a denial-of-service + condition due to DNS validation taking a long time. + (CVE-2023-50387) [GL #4424] + + The same code change also addresses another problem: + preparing NSEC3 closest encloser proofs could exhaust + available CPU resources. 
(CVE-2023-50868) [GL #4459] +--- + lib/dns/dst_api.c | 25 ++++-- + lib/dns/include/dns/validator.h | 1 + + lib/dns/include/dst/dst.h | 4 + + lib/dns/resolver.c | 2 +- + lib/dns/validator.c | 97 +++++++++----------- + lib/dns/win32/libdns.def.in | 1 + + lib/isc/include/isc/task.h | 11 ++- + lib/isc/task.c | 153 ++++++++++++++++++++++---------- + 8 files changed, 186 insertions(+), 108 deletions(-) + +diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c +index 2156384ec1..6bcd99796c 100644 +--- a/lib/dns/dst_api.c ++++ b/lib/dns/dst_api.c +@@ -105,6 +105,7 @@ static isc_result_t frombuffer(dns_name_t *name, + dns_rdataclass_t rdclass, + isc_buffer_t *source, + isc_mem_t *mctx, ++ bool no_rdata, + dst_key_t **keyp); + + static isc_result_t algorithm_status(unsigned int alg); +@@ -764,6 +765,13 @@ isc_result_t + dst_key_fromdns(dns_name_t *name, dns_rdataclass_t rdclass, + isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp) + { ++ return (dst_key_fromdns_ex(name, rdclass, source, mctx, false, keyp)); ++} ++ ++isc_result_t ++dst_key_fromdns_ex(dns_name_t *name, dns_rdataclass_t rdclass, ++ isc_buffer_t *source, isc_mem_t *mctx, bool no_rdata, ++ dst_key_t **keyp) { + uint8_t alg, proto; + uint32_t flags, extflags; + dst_key_t *key = NULL; +@@ -792,7 +800,7 @@ dst_key_fromdns(dns_name_t *name, dns_rdataclass_t rdclass, + } + + result = frombuffer(name, alg, flags, proto, rdclass, source, +- mctx, &key); ++ mctx, no_rdata, &key); + if (result != ISC_R_SUCCESS) + return (result); + key->key_id = id; +@@ -814,7 +822,7 @@ dst_key_frombuffer(dns_name_t *name, unsigned int alg, + REQUIRE(dst_initialized); + + result = frombuffer(name, alg, flags, protocol, rdclass, source, +- mctx, &key); ++ mctx, false, &key); + if (result != ISC_R_SUCCESS) + return (result); + +@@ -1915,7 +1923,8 @@ computeid(dst_key_t *key) { + static isc_result_t + frombuffer(dns_name_t *name, unsigned int alg, unsigned int flags, + unsigned int protocol, dns_rdataclass_t rdclass, +- isc_buffer_t 
*source, isc_mem_t *mctx, dst_key_t **keyp) ++ isc_buffer_t *source, isc_mem_t *mctx, bool no_rdata, ++ dst_key_t **keyp) + { + dst_key_t *key; + isc_result_t ret; +@@ -1940,10 +1949,12 @@ frombuffer(dns_name_t *name, unsigned int alg, unsigned int flags, + return (DST_R_UNSUPPORTEDALG); + } + +- ret = key->func->fromdns(key, source); +- if (ret != ISC_R_SUCCESS) { +- dst_key_free(&key); +- return (ret); ++ if (!no_rdata) { ++ ret = key->func->fromdns(key, source); ++ if (ret != ISC_R_SUCCESS) { ++ dst_key_free(&key); ++ return (ret); ++ } + } + } + +diff --git a/lib/dns/include/dns/validator.h b/lib/dns/include/dns/validator.h +index cc4478d6d4..b4bf8f29db 100644 +--- a/lib/dns/include/dns/validator.h ++++ b/lib/dns/include/dns/validator.h +@@ -160,6 +160,7 @@ struct dns_validator { + unsigned int depth; + unsigned int authcount; + unsigned int authfail; ++ bool failed; + isc_stdtime_t start; + }; + +diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h +index 180c841307..a8be2daf67 100644 +--- a/lib/dns/include/dst/dst.h ++++ b/lib/dns/include/dst/dst.h +@@ -435,6 +435,10 @@ dst_key_tofile(const dst_key_t *key, int type, const char *directory); + */ + + isc_result_t ++dst_key_fromdns_ex(dns_name_t *name, dns_rdataclass_t rdclass, ++ isc_buffer_t *source, isc_mem_t *mctx, bool no_rdata, ++ dst_key_t **keyp); ++isc_result_t + dst_key_fromdns(dns_name_t *name, dns_rdataclass_t rdclass, + isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp); + /*%< +diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c +index 4f71f48039..487107614c 100644 +--- a/lib/dns/resolver.c ++++ b/lib/dns/resolver.c +@@ -9267,7 +9267,7 @@ dns_resolver_create(dns_view_t *view, + if (result != ISC_R_SUCCESS) + goto cleanup_buckets; + res->buckets[i].task = NULL; +- result = isc_task_create(taskmgr, 0, &res->buckets[i].task); ++ result = isc_task_create(taskmgr, ISC_TASK_QUANTUM_SLOW, &res->buckets[i].task); + if (result != ISC_R_SUCCESS) { + DESTROYLOCK(&res->buckets[i].lock); + 
goto cleanup_buckets; +diff --git a/lib/dns/validator.c b/lib/dns/validator.c +index 2a5c3caa6a..0b257fe874 100644 +--- a/lib/dns/validator.c ++++ b/lib/dns/validator.c +@@ -1207,6 +1207,12 @@ create_validator(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type, + * val->key at it. + * + * If val->key is non-NULL, this returns the next matching key. ++ * If val->key is already non-NULL, start searching from the next position in ++ * 'rdataset' to find the *next* key that could have signed 'siginfo', then ++ * set val->key to that. ++ * ++ * Returns ISC_R_SUCCESS if a possible matching key has been found, ++ * ISC_R_NOTFOUND if not. Any other value indicates error. + */ + static isc_result_t + get_dst_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo, +@@ -1216,54 +1222,59 @@ get_dst_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo, + isc_buffer_t b; + dns_rdata_t rdata = DNS_RDATA_INIT; + dst_key_t *oldkey = val->key; +- bool foundold; ++ bool no_rdata = false; + +- if (oldkey == NULL) +- foundold = true; +- else { +- foundold = false; ++ if (oldkey == NULL) { ++ result = dns_rdataset_first(rdataset); ++ } else { ++ dst_key_free(&oldkey); + val->key = NULL; ++ result = dns_rdataset_next(rdataset); ++ } ++ ++ if (result != ISC_R_SUCCESS) { ++ goto done; + } + +- result = dns_rdataset_first(rdataset); +- if (result != ISC_R_SUCCESS) +- goto failure; + do { + dns_rdataset_current(rdataset, &rdata); + + isc_buffer_init(&b, rdata.data, rdata.length); + isc_buffer_add(&b, rdata.length); + INSIST(val->key == NULL); +- result = dst_key_fromdns(&siginfo->signer, rdata.rdclass, &b, +- val->view->mctx, &val->key); ++ result = dst_key_fromdns_ex(&siginfo->signer, rdata.rdclass, &b, ++ val->view->mctx, no_rdata, ++ &val->key); + if (result == ISC_R_SUCCESS) { + if (siginfo->algorithm == + (dns_secalg_t)dst_key_alg(val->key) && + siginfo->keyid == + (dns_keytag_t)dst_key_id(val->key) && ++ (dst_key_flags(val->key) & DNS_KEYFLAG_REVOKE) == ++ 0 && + 
dst_key_iszonekey(val->key)) + { +- if (foundold) { +- /* +- * This is the key we're looking for. +- */ +- return (ISC_R_SUCCESS); +- } else if (dst_key_compare(oldkey, val->key)) { +- foundold = true; +- dst_key_free(&oldkey); ++ if (no_rdata) { ++ /* Retry with full key */ ++ dns_rdata_reset(&rdata); ++ dst_key_free(&val->key); ++ no_rdata = false; ++ continue; + } ++ /* This is the key we're looking for. */ ++ goto done; + } + dst_key_free(&val->key); + } + dns_rdata_reset(&rdata); + result = dns_rdataset_next(rdataset); ++ no_rdata = true; + } while (result == ISC_R_SUCCESS); +- if (result == ISC_R_NOMORE) +- result = ISC_R_NOTFOUND; + +- failure: +- if (oldkey != NULL) +- dst_key_free(&oldkey); ++done: ++ if (result == ISC_R_NOMORE) { ++ result = ISC_R_NOTFOUND; ++ } + + return (result); + } +@@ -1633,37 +1644,13 @@ validate(dns_validator_t *val, bool resume) { + continue; + } + +- do { +- vresult = verify(val, val->key, &rdata, +- val->siginfo->keyid); +- if (vresult == ISC_R_SUCCESS) +- break; +- if (val->keynode != NULL) { +- dns_keynode_t *nextnode = NULL; +- result = dns_keytable_findnextkeynode( +- val->keytable, +- val->keynode, +- &nextnode); +- dns_keytable_detachkeynode(val->keytable, +- &val->keynode); +- val->keynode = nextnode; +- if (result != ISC_R_SUCCESS) { +- val->key = NULL; +- break; +- } +- val->key = dns_keynode_key(val->keynode); +- if (val->key == NULL) +- break; +- } else { +- if (get_dst_key(val, val->siginfo, val->keyset) +- != ISC_R_SUCCESS) +- break; +- } +- } while (1); +- if (vresult != ISC_R_SUCCESS) ++ vresult = verify(val, val->key, &rdata, ++ val->siginfo->keyid); ++ if (vresult != ISC_R_SUCCESS) { ++ val->failed = true; + validator_log(val, ISC_LOG_DEBUG(3), + "failed to verify rdataset"); +- else { ++ } else { + dns_rdataset_trimttl(event->rdataset, + event->sigrdataset, + val->siginfo, val->start, +@@ -1700,9 +1687,13 @@ validate(dns_validator_t *val, bool resume) { + } else { + validator_log(val, ISC_LOG_DEBUG(3), + 
"verify failure: %s", +- isc_result_totext(result)); ++ isc_result_totext(vresult)); + resume = false; + } ++ if (val->failed) { ++ result = ISC_R_NOMORE; ++ break; ++ } + } + if (result != ISC_R_NOMORE) { + validator_log(val, ISC_LOG_DEBUG(3), +diff --git a/lib/dns/win32/libdns.def.in b/lib/dns/win32/libdns.def.in +index f597049493..7320653439 100644 +--- a/lib/dns/win32/libdns.def.in ++++ b/lib/dns/win32/libdns.def.in +@@ -1439,6 +1439,7 @@ dst_key_format + dst_key_free + dst_key_frombuffer + dst_key_fromdns ++dst_key_fromdns_ex + dst_key_fromfile + dst_key_fromgssapi + dst_key_fromlabel +diff --git a/lib/isc/include/isc/task.h b/lib/isc/include/isc/task.h +index 28e5e25fc6..42f7763869 100644 +--- a/lib/isc/include/isc/task.h ++++ b/lib/isc/include/isc/task.h +@@ -98,8 +98,15 @@ ISC_LANG_BEGINDECLS + ***/ + + typedef enum { +- isc_taskmgrmode_normal = 0, +- isc_taskmgrmode_privileged ++ isc_taskqueue_normal = 0, ++ isc_taskqueue_slow = 1, ++} isc_taskqueue_t; ++ ++#define ISC_TASK_QUANTUM_SLOW 1024 ++ ++typedef enum { ++ isc_taskmgrmode_normal = 0, ++ isc_taskmgrmode_privileged + } isc_taskmgrmode_t; + + /*% Task and task manager methods */ +diff --git a/lib/isc/task.c b/lib/isc/task.c +index 048639350b..cc83269df2 100644 +--- a/lib/isc/task.c ++++ b/lib/isc/task.c +@@ -107,6 +107,7 @@ struct isc__task { + isc_eventlist_t on_shutdown; + unsigned int nevents; + unsigned int quantum; ++ unsigned int qid; + unsigned int flags; + isc_stdtime_t now; + isc_time_t tnow; +@@ -141,11 +142,11 @@ struct isc__taskmgr { + /* Locked by task manager lock. 
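Review bot: The new single-attempt verify path in validate() carries no comment saying that a failed verify() is now terminal for the rdataset: `val->failed = true` is set in the first validate() hunk, and the `if (val->failed) { result = ISC_R_NOMORE; break; }` added in the second hunk leaves the enclosing signature loop (which starts outside the hunk) instead of trying the next candidate key as the removed do/while did. A one-line comment at the break, e.g. `/* One failed verification ends validation of this rdataset; do not retry with other keys or signatures. */`, would stop a later maintainer from reinstating the key-retry loop as a "fix". The `failed` member of dns_validator_t is not declared anywhere in the visible part of the patch, so its addition to the struct and its reset wherever the validator is initialised should be confirmed (presumably in an earlier hunk outside this chunk).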
*/ + unsigned int default_quantum; + LIST(isc__task_t) tasks; +- isc__tasklist_t ready_tasks; +- isc__tasklist_t ready_priority_tasks; ++ isc__tasklist_t ready_tasks[2]; ++ isc__tasklist_t ready_priority_tasks[2]; + isc_taskmgrmode_t mode; + #ifdef ISC_PLATFORM_USETHREADS +- isc_condition_t work_available; ++ isc_condition_t work_available[2]; + isc_condition_t exclusive_granted; + isc_condition_t paused; + #endif /* ISC_PLATFORM_USETHREADS */ +@@ -247,13 +248,13 @@ isc_taskmgrmode_t + isc__taskmgr_mode(isc_taskmgr_t *manager0); + + static inline bool +-empty_readyq(isc__taskmgr_t *manager); ++empty_readyq(isc__taskmgr_t *manager, isc_taskqueue_t qid); + + static inline isc__task_t * +-pop_readyq(isc__taskmgr_t *manager); ++pop_readyq(isc__taskmgr_t *manager, isc_taskqueue_t qid); + + static inline void +-push_readyq(isc__taskmgr_t *manager, isc__task_t *task); ++push_readyq(isc__taskmgr_t *manager, isc__task_t *task, isc_taskqueue_t qid); + + static struct isc__taskmethods { + isc_taskmethods_t methods; +@@ -324,7 +325,8 @@ task_finished(isc__task_t *task) { + * any idle worker threads so they + * can exit. 
+ */ +- BROADCAST(&manager->work_available); ++ BROADCAST(&manager->work_available[isc_taskqueue_normal]); ++ BROADCAST(&manager->work_available[isc_taskqueue_slow]); + } + #endif /* USE_WORKER_THREADS */ + UNLOCK(&manager->lock); +@@ -364,7 +366,13 @@ isc__task_create(isc_taskmgr_t *manager0, unsigned int quantum, + INIT_LIST(task->events); + INIT_LIST(task->on_shutdown); + task->nevents = 0; +- task->quantum = quantum; ++ if (quantum >= ISC_TASK_QUANTUM_SLOW) { ++ task->qid = isc_taskqueue_slow; ++ task->quantum = quantum - ISC_TASK_QUANTUM_SLOW; ++ } else { ++ task->qid = isc_taskqueue_normal; ++ task->quantum = quantum; ++ } + task->flags = 0; + task->now = 0; + isc_time_settoepoch(&task->tnow); +@@ -476,11 +484,11 @@ task_ready(isc__task_t *task) { + + LOCK(&manager->lock); + LOCK(&task->lock); +- push_readyq(manager, task); ++ push_readyq(manager, task, task->qid); + UNLOCK(&task->lock); + #ifdef USE_WORKER_THREADS + if (manager->mode == isc_taskmgrmode_normal || has_privilege) +- SIGNAL(&manager->work_available); ++ SIGNAL(&manager->work_available[task->qid]); + #endif /* USE_WORKER_THREADS */ + UNLOCK(&manager->lock); + } +@@ -961,13 +969,13 @@ isc__task_getcurrenttimex(isc_task_t *task0, isc_time_t *t) { + * Caller must hold the task manager lock. + */ + static inline bool +-empty_readyq(isc__taskmgr_t *manager) { ++empty_readyq(isc__taskmgr_t *manager, isc_taskqueue_t qid) { + isc__tasklist_t queue; + + if (manager->mode == isc_taskmgrmode_normal) +- queue = manager->ready_tasks; ++ queue = manager->ready_tasks[qid]; + else +- queue = manager->ready_priority_tasks; ++ queue = manager->ready_priority_tasks[qid]; + + return (EMPTY(queue)); + } +@@ -981,18 +989,18 @@ empty_readyq(isc__taskmgr_t *manager) { + * Caller must hold the task manager lock. 
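Review bot: The queue selection in isc__task_create() is encoded in the quantum argument (`if (quantum >= ISC_TASK_QUANTUM_SLOW) { task->qid = isc_taskqueue_slow; task->quantum = quantum - ISC_TASK_QUANTUM_SLOW; }`), but neither this hunk nor the `#define ISC_TASK_QUANTUM_SLOW 1024` added to task.h says so, and a caller reading the header cannot tell that adding the constant to a quantum requests the slow queue. Add a comment at the define, e.g. `/* Add to a task's quantum to place it on the slow queue; the remainder is the real quantum. */`, and the same line above the new if. Whether a resulting quantum of 0 (a caller passing exactly ISC_TASK_QUANTUM_SLOW) is later replaced by manager->default_quantum is not visible in this hunk and should be checked.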
+ */ + static inline isc__task_t * +-pop_readyq(isc__taskmgr_t *manager) { ++pop_readyq(isc__taskmgr_t *manager, isc_taskqueue_t qid) { + isc__task_t *task; + + if (manager->mode == isc_taskmgrmode_normal) +- task = HEAD(manager->ready_tasks); ++ task = HEAD(manager->ready_tasks[qid]); + else +- task = HEAD(manager->ready_priority_tasks); ++ task = HEAD(manager->ready_priority_tasks[qid]); + + if (task != NULL) { +- DEQUEUE(manager->ready_tasks, task, ready_link); ++ DEQUEUE(manager->ready_tasks[qid], task, ready_link); + if (ISC_LINK_LINKED(task, ready_priority_link)) +- DEQUEUE(manager->ready_priority_tasks, task, ++ DEQUEUE(manager->ready_priority_tasks[qid], task, + ready_priority_link); + } + +@@ -1006,16 +1014,16 @@ pop_readyq(isc__taskmgr_t *manager) { + * Caller must hold the task manager lock. + */ + static inline void +-push_readyq(isc__taskmgr_t *manager, isc__task_t *task) { +- ENQUEUE(manager->ready_tasks, task, ready_link); ++push_readyq(isc__taskmgr_t *manager, isc__task_t *task, isc_taskqueue_t qid) { ++ ENQUEUE(manager->ready_tasks[qid], task, ready_link); + if ((task->flags & TASK_F_PRIVILEGED) != 0) +- ENQUEUE(manager->ready_priority_tasks, task, ++ ENQUEUE(manager->ready_priority_tasks[qid], task, + ready_priority_link); + manager->tasks_ready++; + } + + static void +-dispatch(isc__taskmgr_t *manager) { ++dispatch(isc__taskmgr_t *manager, isc_taskqueue_t qid) { + isc__task_t *task; + #ifndef USE_WORKER_THREADS + unsigned int total_dispatch_count = 0; +@@ -1094,13 +1102,13 @@ dispatch(isc__taskmgr_t *manager) { + * If a pause has been requested, don't do any work + * until it's been released. 
+ */ +- while ((empty_readyq(manager) || manager->pause_requested || ++ while ((empty_readyq(manager, qid) || manager->pause_requested || + manager->exclusive_requested) && !FINISHED(manager)) + { + XTHREADTRACE(isc_msgcat_get(isc_msgcat, + ISC_MSGSET_GENERAL, + ISC_MSG_WAIT, "wait")); +- WAIT(&manager->work_available, &manager->lock); ++ WAIT(&manager->work_available[qid], &manager->lock); + XTHREADTRACE(isc_msgcat_get(isc_msgcat, + ISC_MSGSET_TASK, + ISC_MSG_AWAKE, "awake")); +@@ -1113,7 +1121,7 @@ dispatch(isc__taskmgr_t *manager) { + XTHREADTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_TASK, + ISC_MSG_WORKING, "working")); + +- task = pop_readyq(manager); ++ task = pop_readyq(manager, qid); + if (task != NULL) { + unsigned int dispatch_count = 0; + bool done = false; +@@ -1278,7 +1286,7 @@ dispatch(isc__taskmgr_t *manager) { + */ + #ifdef USE_WORKER_THREADS + LOCK(&task->lock); +- push_readyq(manager, task); ++ push_readyq(manager, task, qid); + UNLOCK(&task->lock); + #else + ENQUEUE(new_ready_tasks, task, ready_link); +@@ -1297,10 +1305,14 @@ dispatch(isc__taskmgr_t *manager) { + * we're stuck. Automatically drop privileges at that + * point and continue with the regular ready queue. 
+ */ +- if (manager->tasks_running == 0 && empty_readyq(manager)) { ++ if (manager->tasks_running == 0 && empty_readyq(manager, isc_taskqueue_normal) && empty_readyq(manager, isc_taskqueue_slow)) { + manager->mode = isc_taskmgrmode_normal; +- if (!empty_readyq(manager)) +- BROADCAST(&manager->work_available); ++ if (!empty_readyq(manager, isc_taskqueue_normal)) { ++ BROADCAST(&manager->work_available[isc_taskqueue_normal]); ++ } ++ if (!empty_readyq(manager, isc_taskqueue_slow)) { ++ BROADCAST(&manager->work_available[isc_taskqueue_slow]); ++ } + } + #endif + } +@@ -1322,13 +1334,37 @@ static isc_threadresult_t + #ifdef _WIN32 + WINAPI + #endif +-run(void *uap) { ++run_normal(void *uap) { + isc__taskmgr_t *manager = uap; + + XTHREADTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL, + ISC_MSG_STARTING, "starting")); + +- dispatch(manager); ++ dispatch(manager, isc_taskqueue_normal); ++ ++ XTHREADTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL, ++ ISC_MSG_EXITING, "exiting")); ++ ++#ifdef OPENSSL_LEAKS ++ ERR_remove_state(0); ++#endif ++ ++ return ((isc_threadresult_t)0); ++} ++#endif /* USE_WORKER_THREADS */ ++ ++#ifdef USE_WORKER_THREADS ++static isc_threadresult_t ++#ifdef _WIN32 ++WINAPI ++#endif ++run_slow(void *uap) { ++ isc__taskmgr_t *manager = uap; ++ ++ XTHREADTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL, ++ ISC_MSG_STARTING, "starting")); ++ ++ dispatch(manager, isc_taskqueue_slow); + + XTHREADTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL, + ISC_MSG_EXITING, "exiting")); +@@ -1347,7 +1383,8 @@ manager_free(isc__taskmgr_t *manager) { + + #ifdef USE_WORKER_THREADS + (void)isc_condition_destroy(&manager->exclusive_granted); +- (void)isc_condition_destroy(&manager->work_available); ++ (void)isc_condition_destroy(&manager->work_available[isc_taskqueue_normal]); ++ (void)isc_condition_destroy(&manager->work_available[isc_taskqueue_slow]); + (void)isc_condition_destroy(&manager->paused); + isc_mem_free(manager->mctx, manager->threads); + #endif 
/* USE_WORKER_THREADS */ +@@ -1414,12 +1451,20 @@ isc__taskmgr_create(isc_mem_t *mctx, unsigned int workers, + #ifdef USE_WORKER_THREADS + manager->workers = 0; + manager->threads = isc_mem_allocate(mctx, +- workers * sizeof(isc_thread_t)); ++ 2 * workers * sizeof(isc_thread_t)); + if (manager->threads == NULL) { + result = ISC_R_NOMEMORY; + goto cleanup_lock; + } +- if (isc_condition_init(&manager->work_available) != ISC_R_SUCCESS) { ++ if (isc_condition_init(&manager->work_available[isc_taskqueue_normal]) != ISC_R_SUCCESS) { ++ UNEXPECTED_ERROR(__FILE__, __LINE__, ++ "isc_condition_init() %s", ++ isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL, ++ ISC_MSG_FAILED, "failed")); ++ result = ISC_R_UNEXPECTED; ++ goto cleanup_threads; ++ } ++ if (isc_condition_init(&manager->work_available[isc_taskqueue_slow]) != ISC_R_SUCCESS) { + UNEXPECTED_ERROR(__FILE__, __LINE__, + "isc_condition_init() %s", + isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL, +@@ -1448,8 +1493,10 @@ isc__taskmgr_create(isc_mem_t *mctx, unsigned int workers, + default_quantum = DEFAULT_DEFAULT_QUANTUM; + manager->default_quantum = default_quantum; + INIT_LIST(manager->tasks); +- INIT_LIST(manager->ready_tasks); +- INIT_LIST(manager->ready_priority_tasks); ++ INIT_LIST(manager->ready_tasks[isc_taskqueue_normal]); ++ INIT_LIST(manager->ready_tasks[isc_taskqueue_slow]); ++ INIT_LIST(manager->ready_priority_tasks[isc_taskqueue_normal]); ++ INIT_LIST(manager->ready_priority_tasks[isc_taskqueue_slow]); + manager->tasks_running = 0; + manager->tasks_ready = 0; + manager->exclusive_requested = false; +@@ -1465,7 +1512,19 @@ isc__taskmgr_create(isc_mem_t *mctx, unsigned int workers, + * Start workers. 
+ */ + for (i = 0; i < workers; i++) { +- if (isc_thread_create(run, manager, ++ if (isc_thread_create(run_normal, manager, ++ &manager->threads[manager->workers]) == ++ ISC_R_SUCCESS) { ++ char name[21]; /* thread name limit on Linux */ ++ snprintf(name, sizeof(name), "isc-worker%04u", i); ++ isc_thread_setname(manager->threads[manager->workers], ++ name); ++ manager->workers++; ++ started++; ++ } ++ } ++ for (; i < workers * 2; i++) { ++ if (isc_thread_create(run_slow, manager, + &manager->threads[manager->workers]) == + ISC_R_SUCCESS) { + char name[21]; /* thread name limit on Linux */ +@@ -1482,7 +1541,7 @@ isc__taskmgr_create(isc_mem_t *mctx, unsigned int workers, + manager_free(manager); + return (ISC_R_NOTHREADS); + } +- isc_thread_setconcurrency(workers); ++ isc_thread_setconcurrency(workers * 2); + #endif /* USE_WORKER_THREADS */ + #ifdef USE_SHARED_MANAGER + manager->refs = 1; +@@ -1497,7 +1556,8 @@ isc__taskmgr_create(isc_mem_t *mctx, unsigned int workers, + cleanup_exclusivegranted: + (void)isc_condition_destroy(&manager->exclusive_granted); + cleanup_workavailable: +- (void)isc_condition_destroy(&manager->work_available); ++ (void)isc_condition_destroy(&manager->work_available[isc_taskqueue_slow]); ++ (void)isc_condition_destroy(&manager->work_available[isc_taskqueue_normal]); + cleanup_threads: + isc_mem_free(mctx, manager->threads); + cleanup_lock: +@@ -1582,7 +1642,7 @@ isc__taskmgr_destroy(isc_taskmgr_t **managerp) { + task = NEXT(task, link)) { + LOCK(&task->lock); + if (task_shutdown(task)) +- push_readyq(manager, task); ++ push_readyq(manager, task, task->qid); + UNLOCK(&task->lock); + } + #ifdef USE_WORKER_THREADS +@@ -1591,7 +1651,8 @@ isc__taskmgr_destroy(isc_taskmgr_t **managerp) { + * there's work left to do, and if there are already no tasks left + * it will cause the workers to see manager->exiting. 
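Review bot: The second thread-start loop (`for (; i < workers * 2; i++)`, creating run_slow workers) keeps the original body whose name formatting lies outside the hunk; if it still uses the `"isc-worker%04u"` format that the new first loop carries, slow-queue threads are indistinguishable from normal workers in thread listings and stack dumps. Naming them e.g. `"isc-slow%04u"` (constructed sample, still within the 21-byte buffer) makes it obvious in a backtrace which pool is saturated, which is exactly the question when the slow queue is the one absorbing expensive work. The check that yields ISC_R_NOTHREADS (only `manager_free(manager); return (ISC_R_NOTHREADS);` is visible, its condition is not) should be confirmed to cover both pools — if it only requires that some thread started, a run where every run_slow creation failed would leave the slow queue with no consumer and its tasks would never be dispatched.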
+ */ +- BROADCAST(&manager->work_available); ++ BROADCAST(&manager->work_available[isc_taskqueue_normal]); ++ BROADCAST(&manager->work_available[isc_taskqueue_slow]); + UNLOCK(&manager->lock); + + /* +@@ -1693,7 +1754,8 @@ isc__taskmgr_resume(isc_taskmgr_t *manager0) { + LOCK(&manager->lock); + if (manager->pause_requested) { + manager->pause_requested = false; +- BROADCAST(&manager->work_available); ++ BROADCAST(&manager->work_available[isc_taskqueue_normal]); ++ BROADCAST(&manager->work_available[isc_taskqueue_slow]); + } + UNLOCK(&manager->lock); + } +@@ -1778,7 +1840,8 @@ isc__task_endexclusive(isc_task_t *task0) { + LOCK(&manager->lock); + REQUIRE(manager->exclusive_requested); + manager->exclusive_requested = false; +- BROADCAST(&manager->work_available); ++ BROADCAST(&manager->work_available[isc_taskqueue_normal]); ++ BROADCAST(&manager->work_available[isc_taskqueue_slow]); + UNLOCK(&manager->lock); + #else + UNUSED(task0); +@@ -1804,10 +1867,10 @@ isc__task_setprivilege(isc_task_t *task0, bool priv) { + + LOCK(&manager->lock); + if (priv && ISC_LINK_LINKED(task, ready_link)) +- ENQUEUE(manager->ready_priority_tasks, task, ++ ENQUEUE(manager->ready_priority_tasks[task->qid], task, + ready_priority_link); + else if (!priv && ISC_LINK_LINKED(task, ready_priority_link)) +- DEQUEUE(manager->ready_priority_tasks, task, ++ DEQUEUE(manager->ready_priority_tasks[task->qid], task, + ready_priority_link); + UNLOCK(&manager->lock); + } +-- +2.43.2 + diff --git a/bind-9.10-dist-native-pkcs11.patch b/bind-9.10-dist-native-pkcs11.patch deleted file mode 100644 index 6f66dc167f820740c48d3bb62290ccb49c67227f..0000000000000000000000000000000000000000 --- a/bind-9.10-dist-native-pkcs11.patch +++ /dev/null 
@@ -1,612 +0,0 @@ -diff --git a/bin/Makefile.in b/bin/Makefile.in -index f0c504a..ce7a2da 100644 ---- a/bin/Makefile.in -+++ b/bin/Makefile.in -@@ -11,8 +11,8 @@ srcdir = @srcdir@ - VPATH = @srcdir@ - top_srcdir = @top_srcdir@ - --SUBDIRS = named rndc dig delv dnssec tools nsupdate check confgen \ -- @NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ tests -+SUBDIRS = named named-pkcs11 rndc dig delv dnssec dnssec-pkcs11 tools nsupdate \ -+ check confgen @NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ tests - TARGETS = - - @BIND9_MAKE_RULES@ -diff --git a/bin/dnssec-pkcs11/Makefile.in b/bin/dnssec-pkcs11/Makefile.in -index 1d0c4ce..7b7f89b 100644 ---- a/bin/dnssec-pkcs11/Makefile.in -+++ b/bin/dnssec-pkcs11/Makefile.in -@@ -17,18 +17,18 @@ VERSION=@BIND9_VERSION@ - - @BIND9_MAKE_INCLUDES@ - --CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@ -+CINCLUDES = ${DNS_PKCS11_INCLUDES} ${ISC_PKCS11_INCLUDES} - - CDEFINES = -DVERSION=\"${VERSION}\" @USE_PKCS11@ @PKCS11_ENGINE@ \ -- @CRYPTO@ -DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\" -+ @CRYPTO_PK11@ -DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\" - CWARNINGS = - --DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@ --ISCLIBS = ../../lib/isc/libisc.@A@ --ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ -+DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @DNS_CRYPTO_LIBS@ -+ISCLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@ -+ISCNOSYMLIBS = ../../lib/isc-pkcs11/libisc-pkcs11-nosymtbl.@A@ - --DNSDEPLIBS = ../../lib/dns/libdns.@A@ --ISCDEPLIBS = ../../lib/isc/libisc.@A@ -+DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ -+ISCDEPLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@ - - DEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS} - -@@ -37,10 +37,10 @@ LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@ - NOSYMLIBS = ${DNSLIBS} ${ISCNOSYMLIBS} @LIBS@ - - # Alphabetically --TARGETS = dnssec-keygen@EXEEXT@ dnssec-signzone@EXEEXT@ \ -- dnssec-keyfromlabel@EXEEXT@ dnssec-dsfromkey@EXEEXT@ \ -- dnssec-revoke@EXEEXT@ dnssec-settime@EXEEXT@ \ -- dnssec-verify@EXEEXT@ 
dnssec-importkey@EXEEXT@ -+TARGETS = dnssec-keygen-pkcs11@EXEEXT@ dnssec-signzone-pkcs11@EXEEXT@ \ -+ dnssec-keyfromlabel-pkcs11@EXEEXT@ dnssec-dsfromkey-pkcs11@EXEEXT@ \ -+ dnssec-revoke-pkcs11@EXEEXT@ dnssec-settime-pkcs11@EXEEXT@ \ -+ dnssec-verify-pkcs11@EXEEXT@ dnssec-importkey-pkcs11@EXEEXT@ - - OBJS = dnssectool.@O@ - -@@ -61,15 +61,15 @@ MANOBJS = ${MANPAGES} ${HTMLPAGES} - - @BIND9_MAKE_RULES@ - --dnssec-dsfromkey@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS} -+dnssec-dsfromkey-pkcs11@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS} - export BASEOBJS="dnssec-dsfromkey.@O@ ${OBJS}"; \ - ${FINALBUILDCMD} - --dnssec-keyfromlabel@EXEEXT@: dnssec-keyfromlabel.@O@ ${OBJS} ${DEPLIBS} -+dnssec-keyfromlabel-pkcs11@EXEEXT@: dnssec-keyfromlabel.@O@ ${OBJS} ${DEPLIBS} - export BASEOBJS="dnssec-keyfromlabel.@O@ ${OBJS}"; \ - ${FINALBUILDCMD} - --dnssec-keygen@EXEEXT@: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS} -+dnssec-keygen-pkcs11@EXEEXT@: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS} - export BASEOBJS="dnssec-keygen.@O@ ${OBJS}"; \ - ${FINALBUILDCMD} - -@@ -77,7 +77,7 @@ dnssec-signzone.@O@: dnssec-signzone.c - ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \ - -c ${srcdir}/dnssec-signzone.c - --dnssec-signzone@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS} -+dnssec-signzone-pkcs11@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS} - export BASEOBJS="dnssec-signzone.@O@ ${OBJS}"; \ - ${FINALBUILDCMD} - -@@ -85,19 +85,19 @@ dnssec-verify.@O@: dnssec-verify.c - ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \ - -c ${srcdir}/dnssec-verify.c - --dnssec-verify@EXEEXT@: dnssec-verify.@O@ ${OBJS} ${DEPLIBS} -+dnssec-verify-pkcs11@EXEEXT@: dnssec-verify.@O@ ${OBJS} ${DEPLIBS} - export BASEOBJS="dnssec-verify.@O@ ${OBJS}"; \ - ${FINALBUILDCMD} - --dnssec-revoke@EXEEXT@: dnssec-revoke.@O@ ${OBJS} ${DEPLIBS} -+dnssec-revoke-pkcs11@EXEEXT@: dnssec-revoke.@O@ ${OBJS} ${DEPLIBS} - ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \ - 
dnssec-revoke.@O@ ${OBJS} ${LIBS} - --dnssec-settime@EXEEXT@: dnssec-settime.@O@ ${OBJS} ${DEPLIBS} -+dnssec-settime-pkcs11@EXEEXT@: dnssec-settime.@O@ ${OBJS} ${DEPLIBS} - ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \ - dnssec-settime.@O@ ${OBJS} ${LIBS} - --dnssec-importkey@EXEEXT@: dnssec-importkey.@O@ ${OBJS} ${DEPLIBS} -+dnssec-importkey-pkcs11@EXEEXT@: dnssec-importkey.@O@ ${OBJS} ${DEPLIBS} - ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \ - dnssec-importkey.@O@ ${OBJS} ${LIBS} - -@@ -108,16 +108,14 @@ docclean manclean maintainer-clean:: - - installdirs: - $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir} -- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8 - - install-man8: ${MANPAGES} - ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8 - --install:: ${TARGETS} installdirs install-man8 -+install:: ${TARGETS} installdirs - for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir}; done - - uninstall:: -- for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m ; done - for t in ${TARGETS}; do ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/$$t ; done - - clean distclean:: -diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in -index 1d0c4ce..11538cf 100644 ---- a/bin/dnssec/Makefile.in -+++ b/bin/dnssec/Makefile.in -@@ -19,7 +19,7 @@ VERSION=@BIND9_VERSION@ - - CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@ - --CDEFINES = -DVERSION=\"${VERSION}\" @USE_PKCS11@ @PKCS11_ENGINE@ \ -+CDEFINES = -DVERSION=\"${VERSION}\" \ - @CRYPTO@ -DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\" - CWARNINGS = - -diff --git a/bin/named-pkcs11/Makefile.in b/bin/named-pkcs11/Makefile.in -index d92bc9a..a8c42a4 100644 ---- a/bin/named-pkcs11/Makefile.in -+++ b/bin/named-pkcs11/Makefile.in -@@ -43,26 +43,26 @@ DLZDRIVER_INCLUDES = @DLZ_DRIVER_INCLUDES@ - DLZDRIVER_LIBS = @DLZ_DRIVER_LIBS@ - - CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. 
\ -- ${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \ -- ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \ -+ ${LWRES_INCLUDES} ${DNS_PKCS11_INCLUDES} ${BIND9_INCLUDES} \ -+ ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_PKCS11_INCLUDES} \ - ${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} @DST_OPENSSL_INC@ - --CDEFINES = @CONTRIB_DLZ@ @USE_PKCS11@ @PKCS11_ENGINE@ @CRYPTO@ -+CDEFINES = @USE_PKCS11@ @PKCS11_ENGINE@ @CRYPTO_PK11@ - - CWARNINGS = - --DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@ -+DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @DNS_CRYPTO_LIBS@ - ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@ - ISCCCLIBS = ../../lib/isccc/libisccc.@A@ --ISCLIBS = ../../lib/isc/libisc.@A@ -+ISCLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@ - ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ - LWRESLIBS = ../../lib/lwres/liblwres.@A@ - BIND9LIBS = ../../lib/bind9/libbind9.@A@ - --DNSDEPLIBS = ../../lib/dns/libdns.@A@ -+DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ - ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@ - ISCCCDEPLIBS = ../../lib/isccc/libisccc.@A@ --ISCDEPLIBS = ../../lib/isc/libisc.@A@ -+ISCDEPLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@ - LWRESDEPLIBS = ../../lib/lwres/liblwres.@A@ - BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@ - -@@ -71,15 +71,15 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \ - - LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \ - ${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} \ -- ${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@ -+ @LIBS@ - - NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \ - ${ISCCFGLIBS} ${ISCCCLIBS} ${ISCNOSYMLIBS} \ -- ${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@ -+ @LIBS@ - - SUBDIRS = unix - --TARGETS = named@EXEEXT@ lwresd@EXEEXT@ -+TARGETS = named-pkcs11@EXEEXT@ - - GEOIPLINKOBJS = geoip.@O@ - -@@ -90,8 +90,7 @@ OBJS = builtin.@O@ client.@O@ config.@O@ control.@O@ \ - tkeyconf.@O@ tsigconf.@O@ update.@O@ xfrout.@O@ \ - zoneconf.@O@ \ - lwaddr.@O@ lwresd.@O@ lwdclient.@O@ lwderror.@O@ lwdgabn.@O@ \ -- lwdgnba.@O@ 
lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@ \ -- ${DLZDRIVER_OBJS} ${DBDRIVER_OBJS} -+ lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@ - - UOBJS = unix/os.@O@ unix/dlz_dlopen_driver.@O@ - -@@ -106,8 +105,7 @@ SRCS = builtin.c client.c config.c control.c \ - tkeyconf.c tsigconf.c update.c xfrout.c \ - zoneconf.c \ - lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \ -- lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c \ -- ${DLZDRIVER_SRCS} ${DBDRIVER_SRCS} -+ lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c - - MANPAGES = named.8 lwresd.8 named.conf.5 - -@@ -146,14 +144,14 @@ server.@O@: server.c - -DPRODUCT=\"${PRODUCT}\" \ - -DVERSION=\"${VERSION}\" -c ${srcdir}/server.c - --named@EXEEXT@: ${OBJS} ${DEPLIBS} -+named-pkcs11@EXEEXT@: ${OBJS} ${DEPLIBS} - export MAKE_SYMTABLE="yes"; \ - export BASEOBJS="${OBJS} ${UOBJS}"; \ - ${FINALBUILDCMD} - --lwresd@EXEEXT@: named@EXEEXT@ -+lwresd@EXEEXT@: named-pkcs11@EXEEXT@ - rm -f lwresd@EXEEXT@ -- @LN@ named@EXEEXT@ lwresd@EXEEXT@ -+ @LN@ named-pkcs11@EXEEXT@ lwresd@EXEEXT@ - - doc man:: ${MANOBJS} - -@@ -184,16 +182,11 @@ install-man8: named.8 lwresd.8 - - install-man: install-man5 install-man8 - --install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs install-man -- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir} -- (cd ${DESTDIR}${sbindir}; rm -f lwresd@EXEEXT@; @LN@ named@EXEEXT@ lwresd@EXEEXT@) -+install:: named-pkcs11@EXEEXT@ installdirs -+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-pkcs11@EXEEXT@ ${DESTDIR}${sbindir} - - uninstall:: -- rm -f ${DESTDIR}${mandir}/man5/named.conf.5 -- rm -f ${DESTDIR}${mandir}/man8/lwresd.8 -- rm -f ${DESTDIR}${mandir}/man8/named.8 -- rm -f ${DESTDIR}${sbindir}/lwresd@EXEEXT@ -- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named@EXEEXT@ -+ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named-pkcs11@EXEEXT@ - - @DLZ_DRIVER_RULES@ - -diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in -index d92bc9a..6d2bfd1 100644 ---- a/bin/named/Makefile.in -+++ 
b/bin/named/Makefile.in -@@ -47,7 +47,7 @@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \ - ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \ - ${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} @DST_OPENSSL_INC@ - --CDEFINES = @CONTRIB_DLZ@ @USE_PKCS11@ @PKCS11_ENGINE@ @CRYPTO@ -+CDEFINES = @CONTRIB_DLZ@ @CRYPTO@ - - CWARNINGS = - -diff --git a/bin/pkcs11/Makefile.in b/bin/pkcs11/Makefile.in -index a058c91..d4b689a 100644 ---- a/bin/pkcs11/Makefile.in -+++ b/bin/pkcs11/Makefile.in -@@ -15,13 +15,13 @@ top_srcdir = @top_srcdir@ - - @BIND9_MAKE_INCLUDES@ - --CINCLUDES = ${ISC_INCLUDES} -+CINCLUDES = ${ISC_PKCS11_INCLUDES} - - CDEFINES = - --ISCLIBS = ../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@ -+ISCLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@ @ISC_OPENSSL_LIBS@ - --ISCDEPLIBS = ../../lib/isc/libisc.@A@ -+ISCDEPLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@ - - DEPLIBS = ${ISCDEPLIBS} - -diff --git a/configure.in b/configure.in -index 849fa94..69e6373 100644 ---- a/configure.in -+++ b/configure.in -@@ -1164,12 +1164,14 @@ AC_SUBST(USE_GSSAPI) - AC_SUBST(DST_GSSAPI_INC) - AC_SUBST(DNS_GSSAPI_LIBS) - DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_LIBS" -+DNS_CRYPTO_PK11_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_PK11_LIBS" - - # - # Applications linking with libdns also need to link with these libraries. - # - - AC_SUBST(DNS_CRYPTO_LIBS) -+AC_SUBST(DNS_CRYPTO_PK11_LIBS) - - # - # was --with-randomdev specified? 
-@@ -1554,11 +1556,11 @@ fi - AC_MSG_CHECKING(for OpenSSL library) - OPENSSL_WARNING= - openssldirs="/usr /usr/local /usr/local/ssl /usr/pkg /usr/sfw" --if test "yes" = "$want_native_pkcs11" --then -- use_openssl="native_pkcs11" -- AC_MSG_RESULT(use of native PKCS11 instead) --fi -+# if test "yes" = "$want_native_pkcs11" -+# then -+# use_openssl="native_pkcs11" -+# AC_MSG_RESULT(use of native PKCS11 instead) -+# fi - - if test "auto" = "$use_openssl" - then -@@ -1571,6 +1573,7 @@ then - fi - done - fi -+CRYPTO_PK11="" - OPENSSL_ECDSA="" - OPENSSL_GOST="" - OPENSSL_ED25519="" -@@ -1592,11 +1595,10 @@ case "$with_gost" in - ;; - esac - --case "$use_openssl" in -- native_pkcs11) -- AC_MSG_RESULT(disabled because of native PKCS11) -+if test "$want_native_pkcs11" = "yes" -+then - DST_OPENSSL_INC="" -- CRYPTO="-DPKCS11CRYPTO" -+ CRYPTO_PK11="-DPKCS11CRYPTO" - CRYPTOLIB="pkcs11" - OPENSSLECDSALINKOBJS="" - OPENSSLECDSALINKSRCS="" -@@ -1606,7 +1608,9 @@ case "$use_openssl" in - OPENSSLGOSTLINKSRCS="" - OPENSSLLINKOBJS="" - OPENSSLLINKSRCS="" -- ;; -+fi -+ -+case "$use_openssl" in - no) - AC_MSG_RESULT(no) - DST_OPENSSL_INC="" -@@ -1638,7 +1642,7 @@ case "$use_openssl" in - If you do not want OpenSSL, use --without-openssl]) - ;; - *) -- if test "yes" = "$want_native_pkcs11" -+ if false # test "yes" = "$want_native_pkcs11" - then - AC_MSG_RESULT() - AC_MSG_ERROR([OpenSSL and native PKCS11 cannot be used together.]) -@@ -2066,6 +2070,7 @@ AC_SUBST(OPENSSL_ED25519) - AC_SUBST(OPENSSL_GOST) - - DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DST_OPENSSL_LIBS" -+DNS_CRYPTO_PK11_LIBS="$DNS_CRYPTO_LIBS" - - ISC_PLATFORM_WANTAES="#undef ISC_PLATFORM_WANTAES" - if test "yes" = "$with_aes" -@@ -2384,6 +2389,7 @@ esac - AC_SUBST(PKCS11LINKOBJS) - AC_SUBST(PKCS11LINKSRCS) - AC_SUBST(CRYPTO) -+AC_SUBST(CRYPTO_PK11) - AC_SUBST(PKCS11_ECDSA) - AC_SUBST(PKCS11_GOST) - AC_SUBST(PKCS11_ED25519) -@@ -5497,8 +5503,11 @@ AC_CONFIG_FILES([ - bin/delv/Makefile - bin/dig/Makefile - bin/dnssec/Makefile -+ 
bin/dnssec-pkcs11/Makefile - bin/named/Makefile - bin/named/unix/Makefile -+ bin/named-pkcs11/Makefile -+ bin/named-pkcs11/unix/Makefile - bin/nsupdate/Makefile - bin/pkcs11/Makefile - bin/python/Makefile -@@ -5572,6 +5581,10 @@ AC_CONFIG_FILES([ - lib/dns/include/dns/Makefile - lib/dns/include/dst/Makefile - lib/dns/tests/Makefile -+ lib/dns-pkcs11/Makefile -+ lib/dns-pkcs11/include/Makefile -+ lib/dns-pkcs11/include/dns/Makefile -+ lib/dns-pkcs11/include/dst/Makefile - lib/irs/Makefile - lib/irs/include/Makefile - lib/irs/include/irs/Makefile -@@ -5596,6 +5609,24 @@ AC_CONFIG_FILES([ - lib/isc/unix/include/Makefile - lib/isc/unix/include/isc/Makefile - lib/isc/unix/include/pkcs11/Makefile -+ lib/isc-pkcs11/$arch/Makefile -+ lib/isc-pkcs11/$arch/include/Makefile -+ lib/isc-pkcs11/$arch/include/isc/Makefile -+ lib/isc-pkcs11/$thread_dir/Makefile -+ lib/isc-pkcs11/$thread_dir/include/Makefile -+ lib/isc-pkcs11/$thread_dir/include/isc/Makefile -+ lib/isc-pkcs11/Makefile -+ lib/isc-pkcs11/include/Makefile -+ lib/isc-pkcs11/include/isc/Makefile -+ lib/isc-pkcs11/include/isc/platform.h -+ lib/isc-pkcs11/include/pk11/Makefile -+ lib/isc-pkcs11/include/pkcs11/Makefile -+ lib/isc-pkcs11/tests/Makefile -+ lib/isc-pkcs11/nls/Makefile -+ lib/isc-pkcs11/unix/Makefile -+ lib/isc-pkcs11/unix/include/Makefile -+ lib/isc-pkcs11/unix/include/isc/Makefile -+ lib/isc-pkcs11/unix/include/pkcs11/Makefile - lib/isccc/Makefile - lib/isccc/include/Makefile - lib/isccc/include/isccc/Makefile -diff --git a/lib/Makefile.in b/lib/Makefile.in -index 81270a0..bcb5312 100644 ---- a/lib/Makefile.in -+++ b/lib/Makefile.in -@@ -15,7 +15,7 @@ top_srcdir = @top_srcdir@ - # Attempt to disable parallel processing. 
- .NOTPARALLEL: - .NO_PARALLEL: --SUBDIRS = isc isccc dns isccfg bind9 lwres irs samples -+SUBDIRS = isc isc-pkcs11 isccc dns dns-pkcs11 isccfg bind9 lwres irs samples - TARGETS = - - @BIND9_MAKE_RULES@ -diff --git a/lib/dns-pkcs11/Makefile.in b/lib/dns-pkcs11/Makefile.in -index 4a8549e..6a19906 100644 ---- a/lib/dns-pkcs11/Makefile.in -+++ b/lib/dns-pkcs11/Makefile.in -@@ -26,16 +26,16 @@ VERSION=@BIND9_VERSION@ - - USE_ISC_SPNEGO = @USE_ISC_SPNEGO@ - --CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \ -- ${ISC_INCLUDES} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@ -+CINCLUDES = -I. -I${top_srcdir}/lib/dns-pkcs11 -Iinclude ${DNS_PKCS11_INCLUDES} \ -+ ${ISC_PKCS11_INCLUDES} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@ - --CDEFINES = -DUSE_MD5 @CRYPTO@ @USE_GSSAPI@ ${USE_ISC_SPNEGO} -+CDEFINES = -DUSE_MD5 @CRYPTO_PK11@ @USE_GSSAPI@ ${USE_ISC_SPNEGO} - - CWARNINGS = - --ISCLIBS = ../../lib/isc/libisc.@A@ -+ISCLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@ - --ISCDEPLIBS = ../../lib/isc/libisc.@A@ -+ISCDEPLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@ - - LIBS = @LIBS@ - -@@ -146,15 +146,15 @@ version.@O@: version.c - -DLIBAGE=${LIBAGE} \ - -c ${srcdir}/version.c - --libdns.@SA@: ${OBJS} -+libdns-pkcs11.@SA@: ${OBJS} - ${AR} ${ARFLAGS} $@ ${OBJS} - ${RANLIB} $@ - --libdns.la: ${OBJS} -+libdns-pkcs11.la: ${OBJS} - ${LIBTOOL_MODE_LINK} \ -- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns.la -rpath ${libdir} \ -+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns-pkcs11.la -rpath ${libdir} \ - -version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \ -- ${OBJS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${LIBS} -+ ${OBJS} ${ISCLIBS} @DNS_CRYPTO_PK11_LIBS@ ${LIBS} - - include: gen - ${MAKE} include/dns/enumtype.h -@@ -180,25 +180,25 @@ code.h: gen - ./gen -s ${srcdir} > code.h || { rm -f $@ ; exit 1; } - - gen: gen.c -- ${BUILD_CC} ${BUILD_CFLAGS} -I${top_srcdir}/lib/isc/include \ -+ ${BUILD_CC} ${BUILD_CFLAGS} -I${top_srcdir}/lib/isc-pkcs11/include \ - ${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ 
${srcdir}/gen.c ${BUILD_LIBS} - --timestamp: include libdns.@A@ -+timestamp: include libdns-pkcs11.@A@ - touch timestamp - --testdirs: libdns.@A@ -+testdirs: libdns-pkcs11.@A@ - - installdirs: - $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir} - - install:: timestamp installdirs -- ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libdns.@A@ ${DESTDIR}${libdir} -+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libdns-pkcs11.@A@ ${DESTDIR}${libdir} - - uninstall:: -- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libdns.@A@ -+ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libdns-pkcs11.@A@ - - clean distclean:: -- rm -f libdns.@A@ timestamp -+ rm -f libdns-pkcs11.@A@ timestamp - rm -f gen code.h include/dns/enumtype.h include/dns/enumclass.h - rm -f include/dns/rdatastruct.h - rm -f dnstap.pb-c.c dnstap.pb-c.h include/dns/dnstap.pb-c.h -diff --git a/lib/isc-pkcs11/Makefile.in b/lib/isc-pkcs11/Makefile.in -index ba53ef1..d1f1771 100644 ---- a/lib/isc-pkcs11/Makefile.in -+++ b/lib/isc-pkcs11/Makefile.in -@@ -23,8 +23,8 @@ CINCLUDES = -I${srcdir}/unix/include \ - -I${srcdir}/@ISC_THREAD_DIR@/include \ - -I${srcdir}/@ISC_ARCH_DIR@/include \ - -I./include \ -- -I${srcdir}/include ${DNS_INCLUDES} @ISC_OPENSSL_INC@ --CDEFINES = @CRYPTO@ -DPK11_LIB_LOCATION=\"${PROVIDER}\" -+ -I${srcdir}/include ${DNS_PKCS11_INCLUDES} -+CDEFINES = @CRYPTO_PK11@ -DPK11_LIB_LOCATION=\"${PROVIDER}\" - CWARNINGS = - - # Alphabetically -@@ -107,40 +107,40 @@ version.@O@: version.c - -DLIBAGE=${LIBAGE} \ - -c ${srcdir}/version.c - --libisc.@SA@: ${OBJS} ${SYMTBLOBJS} -+libisc-pkcs11.@SA@: ${OBJS} ${SYMTBLOBJS} - ${AR} ${ARFLAGS} $@ ${OBJS} ${SYMTBLOBJS} - ${RANLIB} $@ - --libisc-nosymtbl.@SA@: ${OBJS} -+libisc-pkcs11-nosymtbl.@SA@: ${OBJS} - ${AR} ${ARFLAGS} $@ ${OBJS} - ${RANLIB} $@ - --libisc.la: ${OBJS} ${SYMTBLOBJS} -+libisc-pkcs11.la: ${OBJS} ${SYMTBLOBJS} - ${LIBTOOL_MODE_LINK} \ -- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc.la -rpath ${libdir} \ -+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o 
libisc-pkcs11.la -rpath ${libdir} \ - -version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \ - ${OBJS} ${SYMTBLOBJS} ${LIBS} - --libisc-nosymtbl.la: ${OBJS} -+libisc-pkcs11-nosymtbl.la: ${OBJS} - ${LIBTOOL_MODE_LINK} \ -- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc-nosymtbl.la -rpath ${libdir} \ -+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc-pkcs11-nosymtbl.la -rpath ${libdir} \ - -version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \ - ${OBJS} ${LIBS} - --timestamp: libisc.@A@ libisc-nosymtbl.@A@ -+timestamp: libisc-pkcs11.@A@ libisc-pkcs11-nosymtbl.@A@ - touch timestamp - --testdirs: libisc.@A@ libisc-nosymtbl.@A@ -+testdirs: libisc-pkcs11.@A@ libisc-pkcs11-nosymtbl.@A@ - - installdirs: - $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir} - - install:: timestamp installdirs -- ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libisc.@A@ ${DESTDIR}${libdir} -+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libisc-pkcs11.@A@ ${DESTDIR}${libdir} - - uninstall:: -- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libisc.@A@ -+ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libisc-pkcs11.@A@ - - clean distclean:: -- rm -f libisc.@A@ libisc-nosymtbl.@A@ libisc.la \ -- libisc-nosymtbl.la timestamp -+ rm -f libisc-pkcs11.@A@ libisc-pkcs11-nosymtbl.@A@ libisc-pkcs11.la \ -+ libisc-pkcs11-nosymtbl.la timestamp -diff --git a/make/includes.in b/make/includes.in -index fa86ad1..3cfbe9f 100644 ---- a/make/includes.in -+++ b/make/includes.in -@@ -43,3 +43,13 @@ BIND9_INCLUDES = @BIND9_BIND9_BUILDINCLUDE@ \ - - TEST_INCLUDES = \ - -I${top_srcdir}/lib/tests/include -+ -+ISC_PKCS11_INCLUDES = @BIND9_ISC_BUILDINCLUDE@ \ -+ -I${top_srcdir}/lib/isc-pkcs11 \ -+ -I${top_srcdir}/lib/isc-pkcs11/include \ -+ -I${top_srcdir}/lib/isc-pkcs11/unix/include \ -+ -I${top_srcdir}/lib/isc-pkcs11/@ISC_THREAD_DIR@/include \ -+ -I${top_srcdir}/lib/isc-pkcs11/@ISC_ARCH_DIR@/include -+ -+DNS_PKCS11_INCLUDES = @BIND9_DNS_BUILDINCLUDE@ \ -+ -I${top_srcdir}/lib/dns-pkcs11/include 
diff --git a/bind-9.10-sdb.patch b/bind-9.10-sdb.patch
deleted file mode 100644
index 7874a5c51a72a7c87989f7bce5d73ed25dc36135..0000000000000000000000000000000000000000
--- a/bind-9.10-sdb.patch
+++ /dev/null
@@ -1,309 +0,0 @@
-diff --git a/bin/Makefile.in b/bin/Makefile.in
-index ce7a2da..4e6a824 100644
---- a/bin/Makefile.in
-+++ b/bin/Makefile.in
-@@ -11,8 +11,8 @@ srcdir = @srcdir@
- VPATH = @srcdir@
- top_srcdir = @top_srcdir@
-
--SUBDIRS = named named-pkcs11 rndc dig delv dnssec dnssec-pkcs11 tools nsupdate \
-- check confgen @NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ tests
-+SUBDIRS = named named-sdb named-pkcs11 rndc dig delv dnssec dnssec-pkcs11 tools nsupdate \
-+ check confgen @NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ sdb_tools tests
- TARGETS =
-
- @BIND9_MAKE_RULES@
-diff --git a/bin/named-sdb/Makefile.in b/bin/named-sdb/Makefile.in
-index 6d2bfd1..d3f42e8 100644
---- a/bin/named-sdb/Makefile.in
-+++ b/bin/named-sdb/Makefile.in
-@@ -30,10 +30,10 @@ VERSION=@BIND9_VERSION@
- #
- # Add database drivers here.
- #
--DBDRIVER_OBJS =
--DBDRIVER_SRCS =
-+DBDRIVER_OBJS = ldapdb.@O@ pgsqldb.@O@ sqlitedb.@O@ dirdb.@O@
-+DBDRIVER_SRCS = ldapdb.c pgsqldb.c sqlitedb.c dirdb.c
- DBDRIVER_INCLUDES =
--DBDRIVER_LIBS =
-+DBDRIVER_LIBS = -lldap -llber -lsqlite3 -lpq
-
- DLZ_DRIVER_DIR = ${top_srcdir}/contrib/dlz/drivers
-
-@@ -79,7 +79,7 @@ NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
-
- SUBDIRS = unix
-
--TARGETS = named@EXEEXT@ lwresd@EXEEXT@
-+TARGETS = named-sdb@EXEEXT@
-
- GEOIPLINKOBJS = geoip.@O@
-
-@@ -146,7 +146,7 @@ server.@O@: server.c
- -DPRODUCT=\"${PRODUCT}\" \
- -DVERSION=\"${VERSION}\" -c ${srcdir}/server.c
-
--named@EXEEXT@: ${OBJS} ${DEPLIBS}
-+named-sdb@EXEEXT@: ${OBJS} ${DEPLIBS}
- export MAKE_SYMTABLE="yes"; \
- export BASEOBJS="${OBJS} ${UOBJS}"; \
- ${FINALBUILDCMD}
-@@ -173,8 +173,6 @@ statschannel.@O@: bind9.xsl.h
-
- installdirs:
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
-- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man5
-- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
-
- install-man5: named.conf.5
- ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man5
-@@ -184,16 +182,11 @@ install-man8: named.8
lwresd.8 - - install-man: install-man5 install-man8 - --install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs install-man -- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir} -- (cd ${DESTDIR}${sbindir}; rm -f lwresd@EXEEXT@; @LN@ named@EXEEXT@ lwresd@EXEEXT@) -+install:: ${TARGETS} installdirs -+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-sdb@EXEEXT@ ${DESTDIR}${sbindir} - - uninstall:: -- rm -f ${DESTDIR}${mandir}/man5/named.conf.5 -- rm -f ${DESTDIR}${mandir}/man8/lwresd.8 -- rm -f ${DESTDIR}${mandir}/man8/named.8 -- rm -f ${DESTDIR}${sbindir}/lwresd@EXEEXT@ -- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named@EXEEXT@ -+ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named-sdb@EXEEXT@ - - @DLZ_DRIVER_RULES@ - -diff --git a/bin/named-sdb/main.c b/bin/named-sdb/main.c -index bb639d9..555c4d9 100644 ---- a/bin/named-sdb/main.c -+++ b/bin/named-sdb/main.c -@@ -91,6 +91,10 @@ - * Include header files for database drivers here. - */ - /* #include "xxdb.h" */ -+#include "ldapdb.h" -+#include "pgsqldb.h" -+#include "sqlitedb.h" -+#include "dirdb.h" - - #ifdef CONTRIB_DLZ - /* -@@ -1061,6 +1065,11 @@ setup(void) { - ns_main_earlyfatal("isc_app_start() failed: %s", - isc_result_totext(result)); - -+ ldapdb_clear(); -+ pgsqldb_clear(); -+ dirdb_clear(); -+ sqlitedb_clear(); -+ - isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, - ISC_LOG_NOTICE, "starting %s %s%s%s ", - ns_g_product, ns_g_version, -@@ -1261,6 +1270,75 @@ setup(void) { - isc_result_totext(result)); - #endif - -+ result = ldapdb_init(); -+ if (result != ISC_R_SUCCESS) -+ { -+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, -+ ISC_LOG_ERROR, -+ "SDB ldap module initialisation failed: %s.", -+ isc_result_totext(result) -+ ); -+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, -+ ISC_LOG_ERROR, -+ "SDB ldap zone database will be unavailable." 
-+ ); -+ }else -+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, -+ ISC_LOG_NOTICE, "SDB ldap zone database module loaded." -+ ); -+ -+ result = pgsqldb_init(); -+ if (result != ISC_R_SUCCESS) -+ { -+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, -+ ISC_LOG_ERROR, -+ "SDB pgsql module initialisation failed: %s.", -+ isc_result_totext(result) -+ ); -+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, -+ ISC_LOG_ERROR, -+ "SDB pgsql zone database will be unavailable." -+ ); -+ }else -+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, -+ ISC_LOG_NOTICE, "SDB postgreSQL DB zone database module loaded." -+ ); -+ -+ result = sqlitedb_init(); -+ if (result != ISC_R_SUCCESS) -+ { -+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, -+ ISC_LOG_ERROR, -+ "SDB sqlite3 module initialisation failed: %s.", -+ isc_result_totext(result) -+ ); -+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, -+ ISC_LOG_ERROR, -+ "SDB sqlite3 zone database will be unavailable." -+ ); -+ }else -+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, -+ ISC_LOG_NOTICE, "SDB sqlite3 DB zone database module loaded." -+ ); -+ -+ result = dirdb_init(); -+ if (result != ISC_R_SUCCESS) -+ { -+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, -+ ISC_LOG_ERROR, -+ "SDB directory DB module initialisation failed: %s.", -+ isc_result_totext(result) -+ ); -+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, -+ ISC_LOG_ERROR, -+ "SDB directory DB zone database will be unavailable." -+ ); -+ }else -+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, -+ ISC_LOG_NOTICE, "SDB directory DB zone database module loaded." 
-+ ); -+ -+ - ns_server_create(ns_g_mctx, &ns_g_server); - - #ifdef HAVE_LIBSECCOMP -@@ -1303,6 +1381,11 @@ cleanup(void) { - - dns_name_destroy(); - -+ ldapdb_clear(); -+ pgsqldb_clear(); -+ sqlitedb_clear(); -+ dirdb_clear(); -+ - isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, - ISC_LOG_NOTICE, "exiting"); - ns_log_shutdown(); -diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in -index 6d2bfd1..86f8587 100644 ---- a/bin/named/Makefile.in -+++ b/bin/named/Makefile.in -@@ -45,9 +45,9 @@ DLZDRIVER_LIBS = @DLZ_DRIVER_LIBS@ - CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \ - ${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \ - ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \ -- ${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} @DST_OPENSSL_INC@ -+ @DST_OPENSSL_INC@ - --CDEFINES = @CONTRIB_DLZ@ @CRYPTO@ -+CDEFINES = @CRYPTO@ - - CWARNINGS = - -@@ -71,11 +71,11 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \ - - LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \ - ${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} \ -- ${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@ -+ @LIBS@ - - NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \ - ${ISCCFGLIBS} ${ISCCCLIBS} ${ISCNOSYMLIBS} \ -- ${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@ -+ @LIBS@ - - SUBDIRS = unix - -@@ -90,8 +90,7 @@ OBJS = builtin.@O@ client.@O@ config.@O@ control.@O@ \ - tkeyconf.@O@ tsigconf.@O@ update.@O@ xfrout.@O@ \ - zoneconf.@O@ \ - lwaddr.@O@ lwresd.@O@ lwdclient.@O@ lwderror.@O@ lwdgabn.@O@ \ -- lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@ \ -- ${DLZDRIVER_OBJS} ${DBDRIVER_OBJS} -+ lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@ - - UOBJS = unix/os.@O@ unix/dlz_dlopen_driver.@O@ - -@@ -106,8 +105,7 @@ SRCS = builtin.c client.c config.c control.c \ - tkeyconf.c tsigconf.c update.c xfrout.c \ - zoneconf.c \ - lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \ -- lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c \ -- ${DLZDRIVER_SRCS} ${DBDRIVER_SRCS} -+ lwdgnba.c lwdgrbn.c 
lwdnoop.c lwsearch.c - - MANPAGES = named.8 lwresd.8 named.conf.5 - -@@ -195,7 +193,5 @@ uninstall:: - rm -f ${DESTDIR}${sbindir}/lwresd@EXEEXT@ - ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named@EXEEXT@ - --@DLZ_DRIVER_RULES@ -- - named-symtbl.@O@: named-symtbl.c - ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c named-symtbl.c -diff --git a/bin/sdb_tools/Makefile.in b/bin/sdb_tools/Makefile.in -index c7e0868..95ab742 100644 ---- a/bin/sdb_tools/Makefile.in -+++ b/bin/sdb_tools/Makefile.in -@@ -32,11 +32,11 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \ - LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \ - ${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} ${DBDRIVER_LIBS} @LIBS@ - --TARGETS = zone2ldap@EXEEXT@ zonetodb@EXEEXT@ -+TARGETS = zone2ldap@EXEEXT@ zonetodb@EXEEXT@ zone2sqlite@EXEEXT@ - --OBJS = zone2ldap.@O@ zonetodb.@O@ -+OBJS = zone2ldap.@O@ zonetodb.@O@ zone2sqlite.@O@ - --SRCS = zone2ldap.c zonetodb.c -+SRCS = zone2ldap.c zonetodb.c zone2sqlite.c - - MANPAGES = zone2ldap.1 - -@@ -50,6 +50,9 @@ zone2ldap@EXEEXT@: zone2ldap.@O@ ${DEPLIBS} - zonetodb@EXEEXT@: zonetodb.@O@ ${DEPLIBS} - ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ zonetodb.@O@ -lpq ${LIBS} - -+zone2sqlite@EXEEXT@: zone2sqlite.@O@ ${DEPLIBS} -+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ zone2sqlite.@O@ -lsqlite3 -lssl ${LIBS} -+ - clean distclean manclean maintainer-clean:: - rm -f ${TARGETS} ${OBJS} - -@@ -60,4 +63,5 @@ installdirs: - install:: ${TARGETS} installdirs - ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2ldap@EXEEXT@ ${DESTDIR}${sbindir} - ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zonetodb@EXEEXT@ ${DESTDIR}${sbindir} -+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2sqlite@EXEEXT@ ${DESTDIR}${sbindir} - ${INSTALL_DATA} ${srcdir}/zone2ldap.1 ${DESTDIR}${mandir}/man1/zone2ldap.1 -diff --git a/configure.in b/configure.in -index 62536a6..f571a4f 100644 ---- a/configure.in -+++ b/configure.in -@@ -5445,6 +5445,8 @@ 
AC_CONFIG_FILES([
- bin/named/unix/Makefile
- bin/named-pkcs11/Makefile
- bin/named-pkcs11/unix/Makefile
-+ bin/named-sdb/Makefile
-+ bin/named-sdb/unix/Makefile
- bin/nsupdate/Makefile
- bin/pkcs11/Makefile
- bin/python/Makefile
-@@ -5469,6 +5471,7 @@ AC_CONFIG_FILES([
- bin/python/isc/tests/dnskey_test.py
- bin/python/isc/tests/policy_test.py
- bin/rndc/Makefile
-+ bin/sdb_tools/Makefile
- bin/tests/Makefile
- bin/tests/headerdep_test.sh
- bin/tests/optional/Makefile
diff --git a/bind-9.10-use-of-strlcat.patch b/bind-9.10-use-of-strlcat.patch
deleted file mode 100644
index 2a399165f996d3b45cd978e47a686b82c763af65..0000000000000000000000000000000000000000
--- a/bind-9.10-use-of-strlcat.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-diff --git a/bin/sdb_tools/zone2ldap.c b/bin/sdb_tools/zone2ldap.c
-index d56bc56..99c3314 100644
---- a/bin/sdb_tools/zone2ldap.c
-+++ b/bin/sdb_tools/zone2ldap.c
-@@ -817,11 +817,11 @@ build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag, char *zone)
- }
-
-
-- strlcat (dn, tmp, sizeof (dn));
-+ strncat (dn, tmp, sizeof (dn) - strlen (dn));
- }
-
- sprintf (tmp, "dc=%s", dc_list[0]);
-- strlcat (dn, tmp, sizeof (dn));
-+ strncat (dn, tmp, sizeof (dn) - strlen (dn));
-
- fflush(NULL);
- return dn;
diff --git a/bind-9.11-export-suffix.patch b/bind-9.11-export-suffix.patch
deleted file mode 100644
index e3ba29cf6ed65f24a8e77c4737bcbb6c8ff151ab..0000000000000000000000000000000000000000
--- a/bind-9.11-export-suffix.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-diff --git a/configure.in b/configure.in
-index e6cd6a4..988b0a7 100644
---- a/configure.in
-+++ b/configure.in
-@@ -5116,6 +5116,8 @@ AC_SUBST(BUILD_CPPFLAGS)
- AC_SUBST(BUILD_LDFLAGS)
- AC_SUBST(BUILD_LIBS)
-
-+AC_SUBST(LIBDIR_SUFFIX)
-+
- #
- # Commands to run at the end of config.status.
- # Don't just put these into configure, it won't work right if somebody
-diff --git a/isc-config.sh.in b/isc-config.sh.in
-index 110191a..5a64004 100644
---- a/isc-config.sh.in
-+++ b/isc-config.sh.in
-@@ -12,16 +12,17 @@ prefix=@prefix@
- exec_prefix=@exec_prefix@
- exec_prefix_set=
- includedir=@includedir@
-+libdir_suffix=@LIBDIR_SUFFIX@
- arch=$(uname -m)
-
- case $arch in
- x86_64 | amd64 | sparc64 | s390x | ppc64)
-- libdir=/usr/lib64
-- sec_libdir=/usr/lib
-+ libdir=/usr/lib64${libdir_suffix}
-+ sec_libdir=/usr/lib${libdir_suffix}
- ;;
- * )
-- libdir=/usr/lib
-- sec_libdir=/usr/lib64
-+ libdir=/usr/lib${libdir_suffix}
-+ sec_libdir=/usr/lib64${libdir_suffix}
- ;;
- esac
-
diff --git a/bind-9.11-fips-code.patch b/bind-9.11-fips-code.patch
deleted file mode 100644
index 2dccdea09a13c118c2065a775a37690c2b0a0339..0000000000000000000000000000000000000000
--- a/bind-9.11-fips-code.patch
+++ /dev/null
@@ -1,1516 +0,0 @@ -From fb8665aebd79ea33cb255f578544e1738f5bbb58 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= -Date: Thu, 2 Aug 2018 23:34:45 +0200 -Subject: [PATCH 1/2] Squashed commit of the following: -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -commit b49f70ce0575b6b52a71b90fe0376dbf16f92c6b -Author: Petr Menšík -Date: Mon Jan 22 14:12:37 2018 +0100 - - Update system tests to detect MD5 disabled at runtime - -commit 80ceffee4860c24baf70bc9a8653d92731eda2e4 -Author: Petr Menšík -Date: Thu Aug 2 14:53:54 2018 +0200 - - Avoid warning about undefined parameters - -commit e4ad4363e3d1acaac58456117579f02761f38fdc -Author: Petr Menšík -Date: Wed Jun 20 19:31:19 2018 +0200 - - Fix rndc-confgen default algorithm, report true algorithm in usage. - -commit 7e629a351010cb75e0589ec361f720085675998c -Author: Petr Menšík -Date: Fri Feb 23 21:21:30 2018 +0100 - - Cleanup only if initialization was successful - -commit 2101b948c77cbcbe07eb4a1e60f3e693b2245ec6 -Author: Petr Menšík -Date: Mon Feb 5 12:19:28 2018 +0100 - - Ensure dst backend is initialized first even before hmac algorithms. - -commit 7567c7edde7519115a9ae7e20818c835d3eb1ffe -Author: Petr Menšík -Date: Mon Feb 5 12:17:54 2018 +0100 - - Skip initialization of MD5 based algorithms if not available. - -commit 5782137df6b45a6d900d5a1c250c1257227e917a -Author: Petr Menšík -Date: Mon Feb 5 10:21:27 2018 +0100 - - Change secalgs skipping to be more safe - -commit f2d78729898182d2d19d5064de1bec9b66817159 -Author: Petr Menšík -Date: Wed Jan 31 18:26:11 2018 +0100 - - Skip MD5 algorithm also in case of NULL name - -commit 32a2ad4abc7aaca1c257730319ad3c27405d3407 -Author: Petr Menšík -Date: Wed Jan 31 11:38:12 2018 +0100 - - Make MD5 behave like unknown algorithm in TSIG. 
- -commit 13cd3f704dce568fdf24a567be5802b58ac6007b -Author: Petr Menšík -Date: Tue Nov 28 20:14:37 2017 +0100 - - Select token with most supported functions, instead of demanding it must support all functions - - Initialize PKCS#11 always until successfully initialized - -commit a71df74abdca4fe63bcdf542b81a109cf1f495b4 -Author: Petr Menšík -Date: Mon Jan 22 16:17:44 2018 +0100 - - Handle MD5 unavailability from DST - -commit dd82cb263efa2753d3ee772972726ea08bcc639b -Author: Petr Menšík -Date: Mon Jan 22 14:11:16 2018 +0100 - - Check runtime flag from library and applications, fail gracefully. - -commit c7b2f87f07ecae75b821a908e29f08a42371e32e -Author: Petr Menšík -Date: Mon Jan 22 08:39:08 2018 +0100 - - Modify libraries to use isc_md5_available() if PK11_MD5_DISABLE is not - defined. - TODO: pk11.c should accept slot without MD5 support. - -commit 0b8e470ec636b9e350b5ec3203eb2b4091415fde -Author: Petr Menšík -Date: Mon Jan 22 07:21:04 2018 +0100 - - Add runtime detection whether MD5 is useable. 
---- - bin/confgen/keygen.c | 10 ++++- - bin/confgen/rndc-confgen.c | 36 +++++------------- - bin/dig/dig.c | 7 ++-- - bin/dig/dighost.c | 14 +++++-- - bin/dnssec/dnssec-keygen.c | 14 +++++++ - bin/named/config.c | 25 ++++++++++++- - bin/nsupdate/nsupdate.c | 24 +++++++----- - bin/rndc/rndc.c | 3 +- - bin/tests/optional/hash_test.c | 78 ++++++++++++++++++++------------------- - bin/tests/system/tkey/keycreate.c | 3 ++ - bin/tests/system/tkey/keydelete.c | 18 ++++++--- - lib/bind9/check.c | 10 +++++ - lib/dns/dst_api.c | 23 ++++++++---- - lib/dns/dst_internal.h | 3 +- - lib/dns/dst_parse.c | 18 +++++++-- - lib/dns/hmac_link.c | 20 +++------- - lib/dns/opensslrsa_link.c | 6 +++ - lib/dns/pkcs11rsa_link.c | 33 +++++++++++++++-- - lib/dns/rcode.c | 21 ++++++++++- - lib/dns/tests/rsa_test.c | 29 ++++++++------- - lib/dns/tests/tsig_test.c | 1 + - lib/dns/tkey.c | 9 +++++ - lib/dns/tsec.c | 8 +++- - lib/dns/tsig.c | 17 +++++---- - lib/isc/include/isc/md5.h | 3 ++ - lib/isc/md5.c | 59 +++++++++++++++++++++++++++++ - lib/isc/pk11.c | 58 ++++++++++++++++++++--------- - lib/isc/tests/hash_test.c | 9 +++-- - lib/isccc/cc.c | 42 +++++++++++++-------- - 29 files changed, 424 insertions(+), 177 deletions(-) - -diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c -index 453c641dba..11cc54dd46 100644 ---- a/bin/confgen/keygen.c -+++ b/bin/confgen/keygen.c -@@ -22,6 +22,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -73,7 +74,7 @@ alg_fromtext(const char *name) { - p = &name[5]; - - #ifndef PK11_MD5_DISABLE -- if (strcasecmp(p, "md5") == 0) -+ if (strcasecmp(p, "md5") == 0 && isc_md5_available()) - return DST_ALG_HMACMD5; - #endif - if (strcasecmp(p, "sha1") == 0) -@@ -132,6 +133,13 @@ generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg, - switch (alg) { - #ifndef PK11_MD5_DISABLE - case DST_ALG_HMACMD5: -+ if (isc_md5_available() == ISC_FALSE) { -+ fatal("unsupported algorithm %d\n", alg); -+ } else if (keysize < 1 || 
keysize > 512) { -+ fatal("keysize %d out of range (must be 1-512)\n", -+ keysize); -+ } -+ break; - #endif - case DST_ALG_HMACSHA1: - case DST_ALG_HMACSHA224: -diff --git a/bin/confgen/rndc-confgen.c b/bin/confgen/rndc-confgen.c -index 2925baf32f..d7d8418073 100644 ---- a/bin/confgen/rndc-confgen.c -+++ b/bin/confgen/rndc-confgen.c -@@ -35,6 +35,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -62,7 +63,7 @@ const char *progname; - - isc_boolean_t verbose = ISC_FALSE; - --const char *keyfile, *keydef; -+const char *keyfile, *keydef, *algdef; - - ISC_PLATFORM_NORETURN_PRE static void - usage(int status) ISC_PLATFORM_NORETURN_POST; -@@ -70,13 +71,12 @@ usage(int status) ISC_PLATFORM_NORETURN_POST; - static void - usage(int status) { - --#ifndef PK11_MD5_DISABLE - fprintf(stderr, "\ - Usage:\n\ - %s [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] [-r randomfile] \ - [-s addr] [-t chrootdir] [-u user]\n\ - -a: generate just the key clause and write it to keyfile (%s)\n\ -- -A alg: algorithm (default hmac-md5)\n\ -+ -A alg: algorithm (default %s)\n\ - -b bits: from 1 through 512, default 256; total length of the secret\n\ - -c keyfile: specify an alternate key file (requires -a)\n\ - -k keyname: the name as it will be used in named.conf and rndc.conf\n\ -@@ -85,24 +85,7 @@ Usage:\n\ - -s addr: the address to which rndc should connect\n\ - -t chrootdir: write a keyfile in chrootdir as well (requires -a)\n\ - -u user: set the keyfile owner to \"user\" (requires -a)\n", -- progname, keydef); --#else -- fprintf(stderr, "\ --Usage:\n\ -- %s [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] [-r randomfile] \ --[-s addr] [-t chrootdir] [-u user]\n\ -- -a: generate just the key clause and write it to keyfile (%s)\n\ -- -A alg: algorithm (default hmac-sha256)\n\ -- -b bits: from 1 through 512, default 256; total length of the secret\n\ -- -c keyfile: specify an alternate key file (requires -a)\n\ -- -k keyname: the name as it will be 
used in named.conf and rndc.conf\n\ -- -p port: the port named will listen on and rndc will connect to\n\ -- -r randomfile: source of random data (use \"keyboard\" for key timing)\n\ -- -s addr: the address to which rndc should connect\n\ -- -t chrootdir: write a keyfile in chrootdir as well (requires -a)\n\ -- -u user: set the keyfile owner to \"user\" (requires -a)\n", -- progname, keydef); --#endif -+ progname, keydef, algdef); - - exit (status); - } -@@ -138,13 +121,14 @@ main(int argc, char **argv) { - progname = program; - - keyname = DEFAULT_KEYNAME; --#ifndef PK11_MD5_DISABLE -- alg = DST_ALG_HMACMD5; --#else -- alg = DST_ALG_HMACSHA256; --#endif - serveraddr = DEFAULT_SERVER; - port = DEFAULT_PORT; -+ alg = DST_ALG_HMACSHA256; -+#ifndef PK11_MD5_DISABLE -+ if (isc_md5_available()) -+ alg = DST_ALG_HMACMD5; -+#endif -+ algdef = alg_totext(alg); - - isc_commandline_errprint = ISC_FALSE; - -diff --git a/bin/dig/dig.c b/bin/dig/dig.c -index d4808ada67..9dff7c8ecd 100644 ---- a/bin/dig/dig.c -+++ b/bin/dig/dig.c -@@ -17,6 +17,7 @@ - #include - - #include -+#include - #include - #include - #include -@@ -1757,10 +1758,10 @@ dash_option(char *option, char *next, dig_lookup_t **lookup, - ptr = ptr2; - ptr2 = ptr3; - } else { --#ifndef PK11_MD5_DISABLE -- hmacname = DNS_TSIG_HMACMD5_NAME; --#else - hmacname = DNS_TSIG_HMACSHA256_NAME; -+#ifndef PK11_MD5_DISABLE -+ if (isc_md5_available()) -+ hmacname = DNS_TSIG_HMACMD5_NAME; - #endif - digestbits = 0; - } -diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c -index ecefc98453..94c428ed30 100644 ---- a/bin/dig/dighost.c -+++ b/bin/dig/dighost.c -@@ -77,6 +77,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -1243,9 +1244,10 @@ parse_hmac(const char *hmac) { - digestbits = 0; - - #ifndef PK11_MD5_DISABLE -- if (strcasecmp(buf, "hmac-md5") == 0) { -+ if (strcasecmp(buf, "hmac-md5") == 0 && isc_md5_available()) { - hmacname = DNS_TSIG_HMACMD5_NAME; -- } else if (strncasecmp(buf, 
"hmac-md5-", 9) == 0) { -+ } else if (strncasecmp(buf, "hmac-md5-", 9) == 0 && -+ isc_md5_available()) { - hmacname = DNS_TSIG_HMACMD5_NAME; - digestbits = parse_bits(&buf[9], "digest-bits [0..128]", 128); - } else -@@ -1365,7 +1367,13 @@ setup_file_key(void) { - switch (dst_key_alg(dstkey)) { - #ifndef PK11_MD5_DISABLE - case DST_ALG_HMACMD5: -- hmacname = DNS_TSIG_HMACMD5_NAME; -+ if (isc_md5_available()) { -+ hmacname = DNS_TSIG_HMACMD5_NAME; -+ } else { -+ printf(";; Couldn't create key %s: bad algorithm\n", -+ keynametext); -+ goto failure; -+ } - break; - #endif - case DST_ALG_HMACSHA1: -diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c -index 6fc3ab0979..fc04356ed4 100644 ---- a/bin/dnssec/dnssec-keygen.c -+++ b/bin/dnssec/dnssec-keygen.c -@@ -34,6 +34,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -560,6 +561,19 @@ main(int argc, char **argv) { - "\"-a RSAMD5\"\n"); - INSIST(freeit == NULL); - return (1); -+ } else if (strcasecmp(algname, "HMAC-MD5") == 0) { -+ if (isc_md5_available()) { -+ alg = DST_ALG_HMACMD5; -+ } else { -+ fprintf(stderr, -+ "The use of HMAC-MD5 was disabled\n"); -+ return (1); -+ } -+ } else if (strcasecmp(algname, "RSAMD5") == 0 && -+ isc_md5_available() == ISC_FALSE) { -+ fprintf(stderr, "The use of RSAMD5 was disabled\n"); -+ INSIST(freeit == NULL); -+ return (1); - } else if (strcasecmp(algname, "HMAC-MD5") == 0) { - alg = DST_ALG_HMACMD5; - #else -diff --git a/bin/named/config.c b/bin/named/config.c -index 54bc37fff7..c50f759ddd 100644 ---- a/bin/named/config.c -+++ b/bin/named/config.c -@@ -17,6 +17,7 @@ - - #include - #include -+#include - #include - #include - #include -@@ -966,6 +967,21 @@ ns_config_getkeyalgorithm(const char *str, dns_name_t **name, - return (ns_config_getkeyalgorithm2(str, name, NULL, digestbits)); - } - -+static inline int -+algorithms_start() { -+#ifndef PK11_MD5_DISABLE -+ if (isc_md5_available() == ISC_FALSE) { -+ int i = 0; -+ while 
(algorithms[i].str != NULL && -+ algorithms[i].hmac == hmacmd5) { -+ i++; -+ } -+ return i; -+ } -+#endif -+ return 0; -+} -+ - isc_result_t - ns_config_getkeyalgorithm2(const char *str, dns_name_t **name, - unsigned int *typep, isc_uint16_t *digestbits) -@@ -975,7 +991,7 @@ ns_config_getkeyalgorithm2(const char *str, dns_name_t **name, - isc_uint16_t bits; - isc_result_t result; - -- for (i = 0; algorithms[i].str != NULL; i++) { -+ for (i = algorithms_start(); algorithms[i].str != NULL; i++) { - len = strlen(algorithms[i].str); - if (strncasecmp(algorithms[i].str, str, len) == 0 && - (str[len] == '\0' || -@@ -998,7 +1014,12 @@ ns_config_getkeyalgorithm2(const char *str, dns_name_t **name, - if (name != NULL) { - switch (algorithms[i].hmac) { - #ifndef PK11_MD5_DISABLE -- case hmacmd5: *name = dns_tsig_hmacmd5_name; break; -+ case hmacmd5: -+ if (isc_md5_available()) { -+ *name = dns_tsig_hmacmd5_name; break; -+ } else { -+ return (ISC_R_NOTFOUND); -+ } - #endif - case hmacsha1: *name = dns_tsig_hmacsha1_name; break; - case hmacsha224: *name = dns_tsig_hmacsha224_name; break; -diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c -index 6967b49754..bb5d50038f 100644 ---- a/bin/nsupdate/nsupdate.c -+++ b/bin/nsupdate/nsupdate.c -@@ -29,6 +29,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -474,9 +475,10 @@ parse_hmac(dns_name_t **hmac, const char *hmacstr, size_t len, - strlcpy(buf, hmacstr, ISC_MIN(len + 1, sizeof(buf))); - - #ifndef PK11_MD5_DISABLE -- if (strcasecmp(buf, "hmac-md5") == 0) { -+ if (strcasecmp(buf, "hmac-md5") == 0 && isc_md5_available()) { - *hmac = DNS_TSIG_HMACMD5_NAME; -- } else if (strncasecmp(buf, "hmac-md5-", 9) == 0) { -+ } else if (strncasecmp(buf, "hmac-md5-", 9) == 0 && -+ isc_md5_available()) { - *hmac = DNS_TSIG_HMACMD5_NAME; - result = isc_parse_uint16(&digestbits, &buf[9], 10); - if (result != ISC_R_SUCCESS || digestbits > 128) { -@@ -589,10 +591,10 @@ setup_keystr(void) { - exit(1); - } 
- } else { --#ifndef PK11_MD5_DISABLE -- hmacname = DNS_TSIG_HMACMD5_NAME; --#else - hmacname = DNS_TSIG_HMACSHA256_NAME; -+#ifndef PK11_MD5_DISABLE -+ if (isc_md5_available()) -+ hmacname = DNS_TSIG_HMACMD5_NAME; - #endif - name = keystr; - n = s; -@@ -729,7 +731,8 @@ setup_keyfile(isc_mem_t *mctx, isc_log_t *lctx) { - switch (dst_key_alg(dstkey)) { - #ifndef PK11_MD5_DISABLE - case DST_ALG_HMACMD5: -- hmacname = DNS_TSIG_HMACMD5_NAME; -+ if (isc_md5_available()) -+ hmacname = DNS_TSIG_HMACMD5_NAME; - break; - #endif - case DST_ALG_HMACSHA1: -@@ -1604,12 +1607,13 @@ evaluate_key(char *cmdline) { - return (STATUS_SYNTAX); - } - namestr = n + 1; -- } else --#ifndef PK11_MD5_DISABLE -- hmacname = DNS_TSIG_HMACMD5_NAME; --#else -+ } else { - hmacname = DNS_TSIG_HMACSHA256_NAME; -+#ifndef PK11_MD5_DISABLE -+ if (isc_md5_available()) -+ hmacname = DNS_TSIG_HMACMD5_NAME; - #endif -+ } - - isc_buffer_init(&b, namestr, strlen(namestr)); - isc_buffer_add(&b, strlen(namestr)); -diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c -index 5c29caf86b..617b06b4a1 100644 ---- a/bin/rndc/rndc.c -+++ b/bin/rndc/rndc.c -@@ -21,6 +21,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -634,7 +635,7 @@ parse_config(isc_mem_t *mctx, isc_log_t *log, const char *keyname, - algorithmstr = cfg_obj_asstring(algorithmobj); - - #ifndef PK11_MD5_DISABLE -- if (strcasecmp(algorithmstr, "hmac-md5") == 0) -+ if (strcasecmp(algorithmstr, "hmac-md5") == 0 && isc_md5_available()) - algorithm = ISCCC_ALG_HMACMD5; - else - #endif -diff --git a/bin/tests/optional/hash_test.c b/bin/tests/optional/hash_test.c -index bf2891ad4c..b5f0a1c5f5 100644 ---- a/bin/tests/optional/hash_test.c -+++ b/bin/tests/optional/hash_test.c -@@ -90,43 +90,47 @@ main(int argc, char **argv) { - print_digest(s, "sha224", digest, ISC_SHA224_DIGESTLENGTH/4); - - #ifndef PK11_MD5_DISABLE -- s = "abc"; -- isc_md5_init(&md5); -- memmove(buffer, s, strlen(s)); -- isc_md5_update(&md5, buffer, strlen(s)); -- 
isc_md5_final(&md5, digest); -- print_digest(s, "md5", digest, 4); -- -- /* -- * The 3 HMAC-MD5 examples from RFC2104 -- */ -- s = "Hi There"; -- memset(key, 0x0b, 16); -- isc_hmacmd5_init(&hmacmd5, key, 16); -- memmove(buffer, s, strlen(s)); -- isc_hmacmd5_update(&hmacmd5, buffer, strlen(s)); -- isc_hmacmd5_sign(&hmacmd5, digest); -- print_digest(s, "hmacmd5", digest, 4); -- -- s = "what do ya want for nothing?"; -- strlcpy((char *)key, "Jefe", sizeof(key)); -- isc_hmacmd5_init(&hmacmd5, key, 4); -- memmove(buffer, s, strlen(s)); -- isc_hmacmd5_update(&hmacmd5, buffer, strlen(s)); -- isc_hmacmd5_sign(&hmacmd5, digest); -- print_digest(s, "hmacmd5", digest, 4); -- -- s = "\335\335\335\335\335\335\335\335\335\335" -- "\335\335\335\335\335\335\335\335\335\335" -- "\335\335\335\335\335\335\335\335\335\335" -- "\335\335\335\335\335\335\335\335\335\335" -- "\335\335\335\335\335\335\335\335\335\335"; -- memset(key, 0xaa, 16); -- isc_hmacmd5_init(&hmacmd5, key, 16); -- memmove(buffer, s, strlen(s)); -- isc_hmacmd5_update(&hmacmd5, buffer, strlen(s)); -- isc_hmacmd5_sign(&hmacmd5, digest); -- print_digest(s, "hmacmd5", digest, 4); -+ if (isc_md5_available()) { -+ s = "abc"; -+ isc_md5_init(&md5); -+ memmove(buffer, s, strlen(s)); -+ isc_md5_update(&md5, buffer, strlen(s)); -+ isc_md5_final(&md5, digest); -+ print_digest(s, "md5", digest, 4); -+ -+ /* -+ * The 3 HMAC-MD5 examples from RFC2104 -+ */ -+ s = "Hi There"; -+ memset(key, 0x0b, 16); -+ isc_hmacmd5_init(&hmacmd5, key, 16); -+ memmove(buffer, s, strlen(s)); -+ isc_hmacmd5_update(&hmacmd5, buffer, strlen(s)); -+ isc_hmacmd5_sign(&hmacmd5, digest); -+ print_digest(s, "hmacmd5", digest, 4); -+ -+ s = "what do ya want for nothing?"; -+ strlcpy((char *)key, "Jefe", sizeof(key)); -+ isc_hmacmd5_init(&hmacmd5, key, 4); -+ memmove(buffer, s, strlen(s)); -+ isc_hmacmd5_update(&hmacmd5, buffer, strlen(s)); -+ isc_hmacmd5_sign(&hmacmd5, digest); -+ print_digest(s, "hmacmd5", digest, 4); -+ -+ s = 
"\335\335\335\335\335\335\335\335\335\335" -+ "\335\335\335\335\335\335\335\335\335\335" -+ "\335\335\335\335\335\335\335\335\335\335" -+ "\335\335\335\335\335\335\335\335\335\335" -+ "\335\335\335\335\335\335\335\335\335\335"; -+ memset(key, 0xaa, 16); -+ isc_hmacmd5_init(&hmacmd5, key, 16); -+ memmove(buffer, s, strlen(s)); -+ isc_hmacmd5_update(&hmacmd5, buffer, strlen(s)); -+ isc_hmacmd5_sign(&hmacmd5, digest); -+ print_digest(s, "hmacmd5", digest, 4); -+ } else { -+ fprintf(stderr, "Skipping disabled MD5 algorithm\n"); -+ } - #endif - - /* -diff --git a/bin/tests/system/tkey/keycreate.c b/bin/tests/system/tkey/keycreate.c -index 2a0ee94888..489f4390dc 100644 ---- a/bin/tests/system/tkey/keycreate.c -+++ b/bin/tests/system/tkey/keycreate.c -@@ -20,6 +20,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -142,6 +143,8 @@ sendquery(isc_task_t *task, isc_event_t *event) { - static char keystr[] = "0123456789ab"; - - isc_event_free(&event); -+ if (isc_md5_available() == ISC_FALSE) -+ CHECK("MD5 was disabled", ISC_R_NOTIMPLEMENTED); - - result = ISC_R_FAILURE; - if (inet_pton(AF_INET, "10.53.0.1", &inaddr) != 1) -diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c -index 7057c318e4..36ee6c7d21 100644 ---- a/bin/tests/system/tkey/keydelete.c -+++ b/bin/tests/system/tkey/keydelete.c -@@ -225,12 +225,18 @@ main(int argc, char **argv) { - result = dst_key_fromnamedfile(keyname, NULL, type, mctx, &dstkey); - CHECK("dst_key_fromnamedfile", result); - #ifndef PK11_MD5_DISABLE -- result = dns_tsigkey_createfromkey(dst_key_name(dstkey), -- DNS_TSIG_HMACMD5_NAME, -- dstkey, ISC_TRUE, NULL, 0, 0, -- mctx, ring, &tsigkey); -- dst_key_free(&dstkey); -- CHECK("dns_tsigkey_createfromkey", result); -+ if (isc_md5_available()) { -+ result = dns_tsigkey_createfromkey(dst_key_name(dstkey), -+ DNS_TSIG_HMACMD5_NAME, -+ dstkey, ISC_TRUE, -+ NULL, 0, 0, -+ mctx, ring, &tsigkey); -+ dst_key_free(&dstkey); -+ 
CHECK("dns_tsigkey_createfromkey", result); -+ } else { -+ dst_key_free(&dstkey); -+ CHECK("MD5 was disabled", ISC_R_NOTIMPLEMENTED); -+ } - #else - dst_key_free(&dstkey); - CHECK("MD5 was disabled", ISC_R_NOTIMPLEMENTED); -diff --git a/lib/bind9/check.c b/lib/bind9/check.c -index 3da83a7ae2..1a3d534799 100644 ---- a/lib/bind9/check.c -+++ b/lib/bind9/check.c -@@ -21,6 +21,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -2572,6 +2573,15 @@ bind9_check_key(const cfg_obj_t *key, isc_log_t *logctx) { - } - - algorithm = cfg_obj_asstring(algobj); -+#ifndef PK11_MD5_DISABLE -+ /* Skip hmac-md5* algorithms */ -+ if (isc_md5_available() == ISC_FALSE && -+ strncasecmp(algorithm, "hmac-md5", 8) == 0) { -+ cfg_obj_log(algobj, logctx, ISC_LOG_ERROR, -+ "disabled algorithm '%s'", algorithm); -+ return (ISC_R_DISABLED); -+ } -+#endif - for (i = 0; algorithms[i].name != NULL; i++) { - len = strlen(algorithms[i].name); - if (strncasecmp(algorithms[i].name, algorithm, len) == 0 && -diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c -index 4f3d6ac55c..dbece0ac56 100644 ---- a/lib/dns/dst_api.c -+++ b/lib/dns/dst_api.c -@@ -190,6 +190,12 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx, - dst_result_register(); - - memset(dst_t_func, 0, sizeof(dst_t_func)); -+ -+#ifdef OPENSSL -+ RETERR(dst__openssl_init(engine)); -+#elif PKCS11CRYPTO -+ RETERR(dst__pkcs11_init(mctx, engine)); -+#endif - #ifndef PK11_MD5_DISABLE - RETERR(dst__hmacmd5_init(&dst_t_func[DST_ALG_HMACMD5])); - #endif -@@ -199,7 +205,6 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx, - RETERR(dst__hmacsha384_init(&dst_t_func[DST_ALG_HMACSHA384])); - RETERR(dst__hmacsha512_init(&dst_t_func[DST_ALG_HMACSHA512])); - #ifdef OPENSSL -- RETERR(dst__openssl_init(engine)); - #ifndef PK11_MD5_DISABLE - RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSAMD5], - DST_ALG_RSAMD5)); -@@ -233,14 +238,18 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx, - 
RETERR(dst__openssleddsa_init(&dst_t_func[DST_ALG_ED448])); - #endif - #elif PKCS11CRYPTO -- RETERR(dst__pkcs11_init(mctx, engine)); - #ifndef PK11_MD5_DISABLE -- RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSAMD5])); -+ RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSAMD5], -+ DST_ALG_RSAMD5)); - #endif -- RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA1])); -- RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1])); -- RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA256])); -- RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA512])); -+ RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA1], -+ DST_ALG_RSASHA1)); -+ RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1], -+ DST_ALG_NSEC3RSASHA1)); -+ RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA256], -+ DST_ALG_RSASHA256)); -+ RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA512], -+ DST_ALG_RSASHA512)); - #ifndef PK11_DSA_DISABLE - RETERR(dst__pkcs11dsa_init(&dst_t_func[DST_ALG_DSA])); - RETERR(dst__pkcs11dsa_init(&dst_t_func[DST_ALG_NSEC3DSA])); -diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h -index 640519a5ba..deb7ed4e13 100644 ---- a/lib/dns/dst_internal.h -+++ b/lib/dns/dst_internal.h -@@ -245,7 +245,8 @@ isc_result_t dst__hmacsha384_init(struct dst_func **funcp); - isc_result_t dst__hmacsha512_init(struct dst_func **funcp); - isc_result_t dst__opensslrsa_init(struct dst_func **funcp, - unsigned char algorithm); --isc_result_t dst__pkcs11rsa_init(struct dst_func **funcp); -+isc_result_t dst__pkcs11rsa_init(struct dst_func **funcp, -+ unsigned char algorithm); - #ifndef PK11_DSA_DISABLE - isc_result_t dst__openssldsa_init(struct dst_func **funcp); - isc_result_t dst__pkcs11dsa_init(struct dst_func **funcp); -diff --git a/lib/dns/dst_parse.c b/lib/dns/dst_parse.c -index b0e5c895c6..03f2b8ace8 100644 ---- a/lib/dns/dst_parse.c -+++ b/lib/dns/dst_parse.c -@@ -30,6 +30,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ 
-393,6 +394,10 @@ check_data(const dst_private_t *priv, const unsigned int alg, - switch (alg) { - #ifndef PK11_MD5_DISABLE - case DST_ALG_RSAMD5: -+ if (isc_md5_available()) -+ return (check_rsa(priv, external)); -+ else -+ return (DST_R_UNSUPPORTEDALG); - #endif - case DST_ALG_RSASHA1: - case DST_ALG_NSEC3RSASHA1: -@@ -418,7 +423,10 @@ check_data(const dst_private_t *priv, const unsigned int alg, - return (check_eddsa(priv, external)); - #ifndef PK11_MD5_DISABLE - case DST_ALG_HMACMD5: -- return (check_hmac_md5(priv, old)); -+ if (isc_md5_available()) -+ return (check_hmac_md5(priv, old)); -+ else -+ return (DST_R_UNSUPPORTEDALG); - #endif - case DST_ALG_HMACSHA1: - return (check_hmac_sha(priv, HMACSHA1_NTAGS, alg)); -@@ -637,11 +645,13 @@ dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex, - } - - #ifdef PK11_MD5_DISABLE -- check = check_data(priv, alg == DST_ALG_RSA ? DST_ALG_RSASHA1 : alg, -- ISC_TRUE, external); -+ if (alg == DST_ALG_RSA) -+ alg = DST_ALG_RSASHA1; - #else -- check = check_data(priv, alg, ISC_TRUE, external); -+ if (isc_md5_available() == ISC_FALSE && alg == DST_ALG_RSA) -+ alg = DST_ALG_RSASHA1; - #endif -+ check = check_data(priv, alg, ISC_TRUE, external); - if (check < 0) { - ret = DST_R_INVALIDPRIVATEKEY; - goto fail; -diff --git a/lib/dns/hmac_link.c b/lib/dns/hmac_link.c -index 59aa4705e5..21bfa44450 100644 ---- a/lib/dns/hmac_link.c -+++ b/lib/dns/hmac_link.c -@@ -338,25 +338,17 @@ static dst_func_t hmacmd5_functions = { - - isc_result_t - dst__hmacmd5_init(dst_func_t **funcp) { --#ifdef HAVE_FIPS_MODE - /* -- * Problems from OpenSSL are likely from FIPS mode -+ * Prevent use of incorrect crypto - */ -- int fips_mode = FIPS_mode(); -- -- if (fips_mode != 0) { -- UNEXPECTED_ERROR(__FILE__, __LINE__, -- "FIPS mode is %d: MD5 is only supported " -- "if the value is 0.\n" -- "Please disable either FIPS mode or MD5.", -- fips_mode); -+ -+#ifndef PK11_MD5_DISABLE -+ if (isc_md5_available() == ISC_FALSE) { -+ /* 
Intentionally skip initialization */ -+ return (ISC_R_SUCCESS); - } - #endif - -- /* -- * Prevent use of incorrect crypto -- */ -- - RUNTIME_CHECK(isc_md5_check(ISC_FALSE)); - RUNTIME_CHECK(isc_hmacmd5_check(0)); - -diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c -index f4847bbe74..126cebca19 100644 ---- a/lib/dns/opensslrsa_link.c -+++ b/lib/dns/opensslrsa_link.c -@@ -1801,6 +1801,12 @@ dst__opensslrsa_init(dst_func_t **funcp, unsigned char algorithm) { - - if (*funcp == NULL) { - switch (algorithm) { -+#ifndef PK11_MD5_DISABLE -+ case DST_ALG_RSAMD5: -+ if (isc_md5_available()) -+ *funcp = &opensslrsa_functions; -+ break; -+#endif - case DST_ALG_RSASHA256: - #if defined(HAVE_EVP_SHA256) || !USE_EVP - *funcp = &opensslrsa_functions; -diff --git a/lib/dns/pkcs11rsa_link.c b/lib/dns/pkcs11rsa_link.c -index 56955203e9..af6008d4dd 100644 ---- a/lib/dns/pkcs11rsa_link.c -+++ b/lib/dns/pkcs11rsa_link.c -@@ -94,10 +94,15 @@ pkcs11rsa_createctx_sign(dst_key_t *key, dst_context_t *dctx) { - #endif - - /* -- * Reject incorrect RSA key lengths. -+ * Reject incorrect RSA key lengths or disabled algorithms. 
- */ - switch (dctx->key->key_alg) { - case DST_ALG_RSAMD5: -+#ifndef PK11_MD5_DISABLE -+ if (isc_md5_available() == ISC_FALSE) -+ return (ISC_R_FAILURE); -+#endif -+ /* FALLTHROUGH */ - case DST_ALG_RSASHA1: - case DST_ALG_NSEC3RSASHA1: - /* From RFC 3110 */ -@@ -634,6 +639,9 @@ pkcs11rsa_createctx(dst_key_t *key, dst_context_t *dctx) { - switch (key->key_alg) { - #ifndef PK11_MD5_DISABLE - case DST_ALG_RSAMD5: -+ if (isc_md5_available() == ISC_FALSE) -+ return (ISC_R_FAILURE); -+ - mech.mechanism = CKM_MD5; - break; - #endif -@@ -790,6 +798,9 @@ pkcs11rsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { - switch (key->key_alg) { - #ifndef PK11_MD5_DISABLE - case DST_ALG_RSAMD5: -+ if (isc_md5_available() == ISC_FALSE) -+ return (ISC_R_FAILURE); -+ - der = md5_der; - derlen = sizeof(md5_der); - hashlen = ISC_MD5_DIGESTLENGTH; -@@ -1014,6 +1025,9 @@ pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) { - switch (key->key_alg) { - #ifndef PK11_MD5_DISABLE - case DST_ALG_RSAMD5: -+ if (isc_md5_available() == ISC_FALSE) -+ return (ISC_R_FAILURE); -+ - der = md5_der; - derlen = sizeof(md5_der); - hashlen = ISC_MD5_DIGESTLENGTH; -@@ -2217,11 +2231,22 @@ static dst_func_t pkcs11rsa_functions = { - }; - - isc_result_t --dst__pkcs11rsa_init(dst_func_t **funcp) { -+dst__pkcs11rsa_init(dst_func_t **funcp, unsigned char algorithm) { - REQUIRE(funcp != NULL); - -- if (*funcp == NULL) -- *funcp = &pkcs11rsa_functions; -+ if (*funcp == NULL) { -+ switch (algorithm) { -+#ifndef PK11_MD5_DISABLE -+ case DST_ALG_RSAMD5: -+ if (isc_md5_available()) -+ *funcp = &pkcs11rsa_functions; -+ break; -+#endif -+ default: -+ *funcp = &pkcs11rsa_functions; -+ break; -+ } -+ } - return (ISC_R_SUCCESS); - } - -diff --git a/lib/dns/rcode.c b/lib/dns/rcode.c -index 937d8fc1ec..d1fa8d5870 100644 ---- a/lib/dns/rcode.c -+++ b/lib/dns/rcode.c -@@ -14,6 +14,7 @@ - #include - - #include -+#include - #include - #include - #include -@@ -347,17 +348,33 @@ dns_cert_totext(dns_cert_t cert, 
isc_buffer_t *target) { - return (dns_mnemonic_totext(cert, target, certs)); - } - -+static inline struct tbl * -+secalgs_tbl_start() { -+ struct tbl *algs = secalgs; -+ -+#ifndef PK11_MD5_DISABLE -+ if (isc_md5_available() == ISC_FALSE) { -+ while (algs->name != NULL && -+ algs->value == DNS_KEYALG_RSAMD5) -+ ++algs; -+ } -+#endif -+ return algs; -+} -+ - isc_result_t - dns_secalg_fromtext(dns_secalg_t *secalgp, isc_textregion_t *source) { - unsigned int value; -- RETERR(dns_mnemonic_fromtext(&value, source, secalgs, 0xff)); -+ -+ RETERR(dns_mnemonic_fromtext(&value, source, -+ secalgs_tbl_start(), 0xff)); - *secalgp = value; - return (ISC_R_SUCCESS); - } - - isc_result_t - dns_secalg_totext(dns_secalg_t secalg, isc_buffer_t *target) { -- return (dns_mnemonic_totext(secalg, target, secalgs)); -+ return (dns_mnemonic_totext(secalg, target, secalgs_tbl_start())); - } - - void -diff --git a/lib/dns/tests/rsa_test.c b/lib/dns/tests/rsa_test.c -index 224cf5b475..44040dd8b7 100644 ---- a/lib/dns/tests/rsa_test.c -+++ b/lib/dns/tests/rsa_test.c -@@ -19,6 +19,7 @@ - #include - #include - -+#include - #include - #include - -@@ -225,23 +226,25 @@ ATF_TC_BODY(isc_rsa_verify, tc) { - /* RSAMD5 */ - - #ifndef PK11_MD5_DISABLE -- key->key_alg = DST_ALG_RSAMD5; -+ if (isc_md5_available()) { -+ key->key_alg = DST_ALG_RSAMD5; - -- ret = dst_context_create3(key, mctx, DNS_LOGCATEGORY_DNSSEC, -- ISC_FALSE, &ctx); -- ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS); -+ ret = dst_context_create3(key, mctx, DNS_LOGCATEGORY_DNSSEC, -+ ISC_FALSE, &ctx); -+ ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS); - -- r.base = d; -- r.length = 10; -- ret = dst_context_adddata(ctx, &r); -- ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS); -+ r.base = d; -+ r.length = 10; -+ ret = dst_context_adddata(ctx, &r); -+ ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS); - -- r.base = sigmd5; -- r.length = 256; -- ret = dst_context_verify(ctx, &r); -- ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS); -+ r.base = sigmd5; -+ r.length = 256; -+ ret = dst_context_verify(ctx, 
&r); -+ ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS); - -- dst_context_destroy(&ctx); -+ dst_context_destroy(&ctx); -+ } - #endif - - /* RSASHA256 */ -diff --git a/lib/dns/tests/tsig_test.c b/lib/dns/tests/tsig_test.c -index ee025c2387..c403d9954d 100644 ---- a/lib/dns/tests/tsig_test.c -+++ b/lib/dns/tests/tsig_test.c -@@ -14,6 +14,7 @@ - #include - #include - -+#include - #include - #include - -diff --git a/lib/dns/tkey.c b/lib/dns/tkey.c -index d9f68e50b1..a8edde47b5 100644 ---- a/lib/dns/tkey.c -+++ b/lib/dns/tkey.c -@@ -242,6 +242,9 @@ compute_secret(isc_buffer_t *shared, isc_region_t *queryrandomness, - unsigned char digests[32]; - unsigned int i; - -+ if (isc_md5_available() == ISC_FALSE) -+ return (ISC_R_NOTIMPLEMENTED); -+ - isc_buffer_usedregion(shared, &r); - - /* -@@ -318,6 +321,12 @@ process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name, - } - - #ifndef PK11_MD5_DISABLE -+ if (isc_md5_available() == ISC_FALSE) { -+ tkey_log("process_dhtkey: MD5 was disabled"); -+ tkeyout->error = dns_tsigerror_badalg; -+ return (ISC_R_SUCCESS); -+ } -+ - if (!dns_name_equal(&tkeyin->algorithm, DNS_TSIG_HMACMD5_NAME)) { - tkey_log("process_dhtkey: algorithms other than " - "hmac-md5 are not supported"); -diff --git a/lib/dns/tsec.c b/lib/dns/tsec.c -index a367291f23..37baad7437 100644 ---- a/lib/dns/tsec.c -+++ b/lib/dns/tsec.c -@@ -11,6 +11,7 @@ - - #include - -+#include - #include - #include - -@@ -63,7 +64,12 @@ dns_tsec_create(isc_mem_t *mctx, dns_tsectype_t type, dst_key_t *key, - switch (dst_key_alg(key)) { - #ifndef PK11_MD5_DISABLE - case DST_ALG_HMACMD5: -- algname = dns_tsig_hmacmd5_name; -+ if (isc_md5_available()) { -+ algname = dns_tsig_hmacmd5_name; -+ } else { -+ isc_mem_put(mctx, tsec, sizeof(*tsec)); -+ return (DNS_R_BADALG); -+ } - break; - #endif - case DST_ALG_HMACSHA1: -diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c -index bdcc581bc3..70805bb709 100644 ---- a/lib/dns/tsig.c -+++ b/lib/dns/tsig.c -@@ -270,7 +270,8 @@ 
dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm, - (void)dns_name_downcase(&tkey->name, &tkey->name, NULL); - - #ifndef PK11_MD5_DISABLE -- if (dns_name_equal(algorithm, DNS_TSIG_HMACMD5_NAME)) { -+ if (dns_name_equal(algorithm, DNS_TSIG_HMACMD5_NAME) && -+ isc_md5_available()) { - tkey->algorithm = DNS_TSIG_HMACMD5_NAME; - if (dstkey != NULL && dst_key_alg(dstkey) != DST_ALG_HMACMD5) { - ret = DNS_R_BADALG; -@@ -496,7 +497,8 @@ destroyring(dns_tsig_keyring_t *ring) { - static unsigned int - dst_alg_fromname(dns_name_t *algorithm) { - #ifndef PK11_MD5_DISABLE -- if (dns_name_equal(algorithm, DNS_TSIG_HMACMD5_NAME)) { -+ if (dns_name_equal(algorithm, DNS_TSIG_HMACMD5_NAME) && -+ isc_md5_available()) { - return (DST_ALG_HMACMD5); - } else - #endif -@@ -680,7 +682,8 @@ dns_tsigkey_create(dns_name_t *name, dns_name_t *algorithm, - REQUIRE(secret != NULL); - - #ifndef PK11_MD5_DISABLE -- if (dns_name_equal(algorithm, DNS_TSIG_HMACMD5_NAME)) { -+ if (dns_name_equal(algorithm, DNS_TSIG_HMACMD5_NAME) && -+ isc_md5_available()) { - if (secret != NULL) { - isc_buffer_t b; - -@@ -1280,7 +1283,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, - return (ret); - if ( - #ifndef PK11_MD5_DISABLE -- alg == DST_ALG_HMACMD5 || -+ (alg == DST_ALG_HMACMD5 && isc_md5_available()) || - #endif - alg == DST_ALG_HMACSHA1 || - alg == DST_ALG_HMACSHA224 || alg == DST_ALG_HMACSHA256 || -@@ -1449,7 +1452,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, - - if ( - #ifndef PK11_MD5_DISABLE -- alg == DST_ALG_HMACMD5 || -+ (alg == DST_ALG_HMACMD5 && isc_md5_available()) || - #endif - alg == DST_ALG_HMACSHA1 || - alg == DST_ALG_HMACSHA224 || alg == DST_ALG_HMACSHA256 || -@@ -1590,7 +1593,7 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) { - goto cleanup_querystruct; - if ( - #ifndef PK11_MD5_DISABLE -- alg == DST_ALG_HMACMD5 || -+ (alg == DST_ALG_HMACMD5 && isc_md5_available()) || - #endif - alg == DST_ALG_HMACSHA1 || - alg == 
DST_ALG_HMACSHA224 || -@@ -1769,7 +1772,7 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) { - goto cleanup_context; - if ( - #ifndef PK11_MD5_DISABLE -- alg == DST_ALG_HMACMD5 || -+ (alg == DST_ALG_HMACMD5 && isc_md5_available()) || - #endif - alg == DST_ALG_HMACSHA1 || - alg == DST_ALG_HMACSHA224 || -diff --git a/lib/isc/include/isc/md5.h b/lib/isc/include/isc/md5.h -index e5f46dd9c7..9d11f9f8b6 100644 ---- a/lib/isc/include/isc/md5.h -+++ b/lib/isc/include/isc/md5.h -@@ -89,6 +89,9 @@ isc_md5_final(isc_md5_t *ctx, unsigned char *digest); - isc_boolean_t - isc_md5_check(isc_boolean_t testing); - -+isc_boolean_t -+isc_md5_available(void); -+ - ISC_LANG_ENDDECLS - - #endif /* !PK11_MD5_DISABLE */ -diff --git a/lib/isc/md5.c b/lib/isc/md5.c -index 740d863b1b..aefd16478f 100644 ---- a/lib/isc/md5.c -+++ b/lib/isc/md5.c -@@ -35,6 +35,7 @@ - - #include - #include -+#include - #include - #include - #include -@@ -53,6 +54,9 @@ - #define EVP_MD_CTX_free(ptr) EVP_MD_CTX_cleanup(ptr) - #endif - -+static isc_once_t available_once = ISC_ONCE_INIT; -+static isc_boolean_t available = ISC_FALSE; -+ - void - isc_md5_init(isc_md5_t *ctx) { - ctx->ctx = EVP_MD_CTX_new(); -@@ -84,8 +88,33 @@ isc_md5_final(isc_md5_t *ctx, unsigned char *digest) { - ctx->ctx = NULL; - } - -+static void -+do_detect_available() { -+ isc_md5_t local; -+ isc_md5_t *ctx = &local; -+ unsigned char digest[ISC_MD5_DIGESTLENGTH]; -+ -+ ctx->ctx = EVP_MD_CTX_new(); -+ RUNTIME_CHECK(ctx->ctx != NULL); -+ available = ISC_TF(EVP_DigestInit(ctx->ctx, EVP_md5()) == 1); -+ if (available) -+ (void)EVP_DigestFinal(ctx->ctx, digest, NULL); -+ EVP_MD_CTX_free(ctx->ctx); -+ ctx->ctx = NULL; -+} -+ -+isc_boolean_t -+isc_md5_available() { -+ RUNTIME_CHECK(isc_once_do(&available_once, do_detect_available) -+ == ISC_R_SUCCESS); -+ return available; -+} -+ - #elif PKCS11CRYPTO - -+static isc_once_t available_once = ISC_ONCE_INIT; -+static isc_boolean_t available = ISC_FALSE; -+ - void - isc_md5_init(isc_md5_t *ctx) 
{ - CK_RV rv; -@@ -128,6 +157,31 @@ isc_md5_final(isc_md5_t *ctx, unsigned char *digest) { - pk11_return_session(ctx); - } - -+static void -+do_detect_available() { -+ isc_md5_t local; -+ isc_md5_t *ctx = &local; -+ CK_RV rv; -+ CK_MECHANISM mech = { CKM_MD5, NULL, 0 }; -+ -+ if (pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE, -+ ISC_FALSE, NULL, 0) == ISC_R_SUCCESS) -+ { -+ rv = pkcs_C_DigestInit(ctx->session, &mech); -+ isc_md5_invalidate(ctx); -+ available = (ISC_TF(rv == CKR_OK)); -+ } else { -+ available = ISC_FALSE; -+ } -+} -+ -+isc_boolean_t -+isc_md5_available() { -+ RUNTIME_CHECK(isc_once_do(&available_once, do_detect_available) -+ == ISC_R_SUCCESS); -+ return available; -+} -+ - #else - - static void -@@ -337,6 +391,11 @@ isc_md5_final(isc_md5_t *ctx, unsigned char *digest) { - memmove(digest, ctx->buf, 16); - isc_safe_memwipe(ctx, sizeof(*ctx)); /* In case it's sensitive */ - } -+ -+isc_boolean_t -+isc_md5_available() { -+ return ISC_TRUE; -+} - #endif - - /* -diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c -index fc75a46154..48e1031974 100644 ---- a/lib/isc/pk11.c -+++ b/lib/isc/pk11.c -@@ -191,13 +191,12 @@ pk11_initialize(isc_mem_t *mctx, const char *engine) { - LOCK(&alloclock); - if ((mctx != NULL) && (pk11_mctx == NULL) && (allocsize == 0)) - isc_mem_attach(mctx, &pk11_mctx); -+ UNLOCK(&alloclock); -+ -+ LOCK(&sessionlock); - if (initialized) { -- UNLOCK(&alloclock); -- return (ISC_R_SUCCESS); -- } else { -- LOCK(&sessionlock); -- initialized = ISC_TRUE; -- UNLOCK(&alloclock); -+ result = ISC_R_SUCCESS; -+ goto unlock; - } - - ISC_LIST_INIT(tokens); -@@ -237,6 +236,7 @@ pk11_initialize(isc_mem_t *mctx, const char *engine) { - } - #endif - #endif /* PKCS11CRYPTO */ -+ initialized = ISC_TRUE; - result = ISC_R_SUCCESS; - unlock: - UNLOCK(&sessionlock); -@@ -273,9 +273,14 @@ pk11_finalize(void) { - pk11_mem_put(token, sizeof(*token)); - token = next; - } -+ LOCK(&alloclock); - if (pk11_mctx != NULL) - isc_mem_detach(&pk11_mctx); -+ 
UNLOCK(&alloclock); -+ -+ LOCK(&sessionlock); - initialized = ISC_FALSE; -+ UNLOCK(&sessionlock); - return (ret); - } - -@@ -589,6 +594,8 @@ scan_slots(void) { - pk11_token_t *token; - unsigned int i; - isc_boolean_t bad; -+ unsigned int best_rsa_algorithms = 0; -+ unsigned int best_digest_algorithms = 0; - - slotCount = 0; - PK11_FATALCHECK(pkcs_C_GetSlotList, (CK_FALSE, NULL_PTR, &slotCount)); -@@ -601,6 +608,8 @@ scan_slots(void) { - PK11_FATALCHECK(pkcs_C_GetSlotList, (CK_FALSE, slotList, &slotCount)); - - for (i = 0; i < slotCount; i++) { -+ unsigned int rsa_algorithms = 0; -+ unsigned int digest_algorithms = 0; - slot = slotList[i]; - PK11_TRACE2("slot#%u=0x%lx\n", i, slot); - -@@ -640,11 +649,12 @@ scan_slots(void) { - if ((rv != CKR_OK) || - ((mechInfo.flags & CKF_SIGN) == 0) || - ((mechInfo.flags & CKF_VERIFY) == 0)) { --#if !defined(PK11_MD5_DISABLE) && !defined(PK11_RSA_PKCS_REPLACE) -- bad = ISC_TRUE; --#endif - PK11_TRACEM(CKM_MD5_RSA_PKCS); - } -+#if !defined(PK11_MD5_DISABLE) && !defined(PK11_RSA_PKCS_REPLACE) -+ else -+ ++rsa_algorithms; -+#endif - rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA1_RSA_PKCS, - &mechInfo); - if ((rv != CKR_OK) || -@@ -687,8 +697,14 @@ scan_slots(void) { - if (bad) - goto try_dsa; - token->operations |= 1 << OP_RSA; -- if (best_rsa_token == NULL) -+ if (best_rsa_token == NULL) { -+ best_rsa_token = token; -+ best_rsa_algorithms = rsa_algorithms; -+ } else if (rsa_algorithms > best_rsa_algorithms) { -+ pk11_mem_put(best_rsa_token, sizeof(*best_rsa_token)); - best_rsa_token = token; -+ best_rsa_algorithms = rsa_algorithms; -+ } - - try_dsa: - bad = ISC_FALSE; -@@ -756,11 +772,12 @@ scan_slots(void) { - bad = ISC_FALSE; - rv = pkcs_C_GetMechanismInfo(slot, CKM_MD5, &mechInfo); - if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) { --#ifndef PK11_MD5_DISABLE -- bad = ISC_TRUE; --#endif - PK11_TRACEM(CKM_MD5); - } -+#ifndef PK11_MD5_DISABLE -+ else -+ ++digest_algorithms; -+#endif - rv = pkcs_C_GetMechanismInfo(slot, 
CKM_SHA_1, &mechInfo); - if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) { - bad = ISC_TRUE; -@@ -788,11 +805,12 @@ scan_slots(void) { - } - rv = pkcs_C_GetMechanismInfo(slot, CKM_MD5_HMAC, &mechInfo); - if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0)) { --#if !defined(PK11_MD5_DISABLE) && !defined(PK11_MD5_HMAC_REPLACE) -- bad = ISC_TRUE; --#endif - PK11_TRACEM(CKM_MD5_HMAC); - } -+#if !defined(PK11_MD5_DISABLE) && !defined(PK11_MD5_HMAC_REPLACE) -+ else -+ ++digest_algorithms; -+#endif - rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA_1_HMAC, &mechInfo); - if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0)) { - #ifndef PK11_SHA_1_HMAC_REPLACE -@@ -830,8 +848,14 @@ scan_slots(void) { - } - if (!bad) { - token->operations |= 1 << OP_DIGEST; -- if (digest_token == NULL) -+ if (digest_token == NULL) { -+ digest_token = token; -+ best_digest_algorithms = digest_algorithms; -+ } else if (digest_algorithms > best_digest_algorithms) { -+ pk11_mem_put(digest_token, sizeof(*digest_token)); - digest_token = token; -+ best_digest_algorithms = digest_algorithms; -+ } - } - - /* ECDSA requires digest */ -diff --git a/lib/isc/tests/hash_test.c b/lib/isc/tests/hash_test.c -index 18759903be..6bc45b1ad3 100644 ---- a/lib/isc/tests/hash_test.c -+++ b/lib/isc/tests/hash_test.c -@@ -2008,7 +2008,8 @@ ATF_TP_ADD_TCS(tp) { - * various cryptographic hashes. 
- */ - #ifndef PK11_MD5_DISABLE -- ATF_TP_ADD_TC(tp, md5_check); -+ if (isc_md5_available()) -+ ATF_TP_ADD_TC(tp, md5_check); - #endif - ATF_TP_ADD_TC(tp, sha1_check); - -@@ -2016,7 +2017,8 @@ ATF_TP_ADD_TCS(tp) { - ATF_TP_ADD_TC(tp, isc_hash_function_reverse); - ATF_TP_ADD_TC(tp, isc_hash_initializer); - #ifndef PK11_MD5_DISABLE -- ATF_TP_ADD_TC(tp, isc_hmacmd5); -+ if (isc_md5_available()) -+ ATF_TP_ADD_TC(tp, isc_hmacmd5); - #endif - ATF_TP_ADD_TC(tp, isc_hmacsha1); - ATF_TP_ADD_TC(tp, isc_hmacsha224); -@@ -2024,7 +2026,8 @@ ATF_TP_ADD_TCS(tp) { - ATF_TP_ADD_TC(tp, isc_hmacsha384); - ATF_TP_ADD_TC(tp, isc_hmacsha512); - #ifndef PK11_MD5_DISABLE -- ATF_TP_ADD_TC(tp, isc_md5); -+ if (isc_md5_available()) -+ ATF_TP_ADD_TC(tp, isc_md5); - #endif - ATF_TP_ADD_TC(tp, isc_sha1); - ATF_TP_ADD_TC(tp, isc_sha224); -diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c -index 7225ab4a37..42b30466be 100644 ---- a/lib/isccc/cc.c -+++ b/lib/isccc/cc.c -@@ -270,11 +270,15 @@ sign(unsigned char *data, unsigned int length, unsigned char *hmac, - switch (algorithm) { - #ifndef PK11_MD5_DISABLE - case ISCCC_ALG_HMACMD5: -- isc_hmacmd5_init(&ctx.hmd5, secret->rstart, -- REGION_SIZE(*secret)); -- isc_hmacmd5_update(&ctx.hmd5, data, length); -- isc_hmacmd5_sign(&ctx.hmd5, digest); -- source.rend = digest + ISC_MD5_DIGESTLENGTH; -+ if (isc_md5_available()) { -+ isc_hmacmd5_init(&ctx.hmd5, secret->rstart, -+ REGION_SIZE(*secret)); -+ isc_hmacmd5_update(&ctx.hmd5, data, length); -+ isc_hmacmd5_sign(&ctx.hmd5, digest); -+ source.rend = digest + ISC_MD5_DIGESTLENGTH; -+ } else { -+ return (ISC_R_FAILURE); -+ } - break; - #endif - -@@ -348,14 +352,18 @@ isccc_cc_towire(isccc_sexpr_t *alist, isc_buffer_t **buffer, - { - unsigned int hmac_base, signed_base; - isc_result_t result; -+ const isc_boolean_t md5 = ISC_TF(algorithm == ISCCC_ALG_HMACMD5); - - #ifndef PK11_MD5_DISABLE -+ if (md5 && isc_md5_available() == ISC_FALSE) -+ return (ISC_R_NOTIMPLEMENTED); -+ - result = isc_buffer_reserve(buffer, -- 
4 + ((algorithm == ISCCC_ALG_HMACMD5) ? -+ 4 + ((md5) ? - sizeof(auth_hmd5) : - sizeof(auth_hsha))); - #else -- if (algorithm == ISCCC_ALG_HMACMD5) -+ if (md5) - return (ISC_R_NOTIMPLEMENTED); - result = isc_buffer_reserve(buffer, 4 + sizeof(auth_hsha)); - #endif -@@ -374,7 +382,7 @@ isccc_cc_towire(isccc_sexpr_t *alist, isc_buffer_t **buffer, - * we know what it is. - */ - #ifndef PK11_MD5_DISABLE -- if (algorithm == ISCCC_ALG_HMACMD5) { -+ if (md5) { - hmac_base = (*buffer)->used + HMD5_OFFSET; - isc_buffer_putmem(*buffer, - auth_hmd5, sizeof(auth_hmd5)); -@@ -440,7 +448,7 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length, - if (!isccc_alist_alistp(_auth)) - return (ISC_R_FAILURE); - #ifndef PK11_MD5_DISABLE -- if (algorithm == ISCCC_ALG_HMACMD5) -+ if (algorithm == ISCCC_ALG_HMACMD5 && isc_md5_available()) - hmac = isccc_alist_lookup(_auth, "hmd5"); - else - #endif -@@ -455,12 +463,16 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length, - switch (algorithm) { - #ifndef PK11_MD5_DISABLE - case ISCCC_ALG_HMACMD5: -- isc_hmacmd5_init(&ctx.hmd5, secret->rstart, -- REGION_SIZE(*secret)); -- isc_hmacmd5_update(&ctx.hmd5, data, length); -- isc_hmacmd5_sign(&ctx.hmd5, digest); -- source.rend = digest + ISC_MD5_DIGESTLENGTH; -- break; -+ if (isc_md5_available()) { -+ isc_hmacmd5_init(&ctx.hmd5, secret->rstart, -+ REGION_SIZE(*secret)); -+ isc_hmacmd5_update(&ctx.hmd5, data, length); -+ isc_hmacmd5_sign(&ctx.hmd5, digest); -+ source.rend = digest + ISC_MD5_DIGESTLENGTH; -+ break; -+ } else { -+ return (ISC_R_FAILURE); -+ } - #endif - - case ISCCC_ALG_HMACSHA1: --- -2.14.4 - diff --git a/bind-9.11-fips-tests.patch b/bind-9.11-fips-tests.patch deleted file mode 100644 index f7a998dfb89149e1742d8f4c972036a45017df51..0000000000000000000000000000000000000000 --- a/bind-9.11-fips-tests.patch +++ /dev/null 
@@ -1,1781 +0,0 @@
-From 35b53607724ec4b5d4060385218c39ccd0d78a4d Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
-Date: Thu, 2 Aug 2018 23:46:45 +0200
-Subject: [PATCH 2/2] Squashed commit of the following:
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-commit 09e5eb48698d4fef2fc1031870de86c553b6bfaa
-Author: Petr Menšík
-Date: Wed Mar 7 20:35:13 2018 +0100
-
- Fix nsupdate test. Do not use md5 by default for rndc, skip gracefully md5 if not available.
-commit ab303db70082db76ecf36493d0b82ef3e8750cad
-Author: Petr Menšík
-Date: Wed Mar 7 18:11:10 2018 +0100
-
- Changed root key to be RSASHA256
-
- Change bad trusted key to be the same algorithm.
-commit 88ab07c0e14cc71247e1f9d11a1ea832b64c1ee8
-Author: Petr Menšík
-Date: Wed Mar 7 16:56:17 2018 +0100
-
- Change used key to not use hmac-md5
-
- Fix upforwd test, do not use hmac-md5
-commit aec891571626f053acfb4d0a247240cbc21a84e9
-Author: Petr Menšík
-Date: Wed Mar 7 15:54:11 2018 +0100
-
- Increase bitsize of DSA key to pass FIPS 140-2 mode.
-commit bca8e164fa0d9aff2f946b8b4eb0f1f7e0bf6696
-Author: Petr Menšík
-Date: Wed Mar 7 15:41:08 2018 +0100
-
- Fix tsig and rndc tests for disabled md5
-
- Use hmac-sha256 instead of hmac-md5.
-
-commit 0d314c1ab6151aa13574a21ad22f28d3b7f42a67
-Author: Petr Menšík
-Date: Wed Mar 7 13:21:00 2018 +0100
-
- Add md5 availability detection to featuretest
-
-commit f389a918803e2853e4b55fed62765dc4a492e34f
-Author: Petr Menšík
-Date: Wed Mar 7 10:44:23 2018 +0100
-
- Change tests to not use hmac-md5 algorithms if not required
-
- Use hmac-sha256 instead of default hmac-md5 for allow-query
----
- bin/tests/system/acl/ns2/named1.conf.in | 4 +-
- bin/tests/system/acl/ns2/named2.conf.in | 4 +-
- bin/tests/system/acl/ns2/named3.conf.in | 6 +--
- bin/tests/system/acl/ns2/named4.conf.in | 4 +-
- bin/tests/system/acl/ns2/named5.conf.in | 4 +-
- bin/tests/system/acl/tests.sh | 32 +++++------
- bin/tests/system/allow-query/ns2/named10.conf.in | 2 +-
- bin/tests/system/allow-query/ns2/named11.conf.in | 4 +-
- bin/tests/system/allow-query/ns2/named12.conf.in | 2 +-
- bin/tests/system/allow-query/ns2/named30.conf.in | 2 +-
- bin/tests/system/allow-query/ns2/named31.conf.in | 4 +-
- bin/tests/system/allow-query/ns2/named32.conf.in | 2 +-
- bin/tests/system/allow-query/ns2/named40.conf.in | 4 +-
- bin/tests/system/allow-query/tests.sh | 18 +++---
- bin/tests/system/catz/ns1/named.conf.in | 2 +-
- bin/tests/system/catz/ns2/named.conf.in | 2 +-
- bin/tests/system/checkconf/bad-tsig.conf | 2 +-
- bin/tests/system/checkconf/good.conf | 2 +-
- bin/tests/system/digdelv/ns2/example.db | 15 +++--
- bin/tests/system/digdelv/tests.sh | 28 +++++-----
- bin/tests/system/dlv/ns1/sign.sh | 4 +-
- bin/tests/system/dlv/ns2/sign.sh | 4 +-
- bin/tests/system/dlv/ns3/sign.sh | 69 ++++++++++++------------
- bin/tests/system/dlv/ns6/sign.sh | 66 ++++++++++++-----------
- bin/tests/system/dnssec/ns1/sign.sh | 4 +-
- bin/tests/system/dnssec/ns2/sign.sh | 12 ++---
- bin/tests/system/dnssec/ns3/sign.sh | 20 +++---
- bin/tests/system/dnssec/ns5/trusted.conf.bad | 2 +-
- bin/tests/system/dnssec/tests.sh | 8 +--
- bin/tests/system/feature-test.c | 14 +++++
- bin/tests/system/filter-aaaa/ns1/sign.sh |
4 +-
- bin/tests/system/filter-aaaa/ns4/sign.sh | 4 +-
- bin/tests/system/notify/ns5/named.conf.in | 6 +--
- bin/tests/system/notify/tests.sh | 6 +--
- bin/tests/system/nsupdate/ns1/named.conf.in | 2 +-
- bin/tests/system/nsupdate/ns2/named.conf.in | 2 +-
- bin/tests/system/nsupdate/setup.sh | 7 ++-
- bin/tests/system/nsupdate/tests.sh | 11 +++-
- bin/tests/system/rndc/setup.sh | 2 +-
- bin/tests/system/rndc/tests.sh | 23 ++++----
- bin/tests/system/tsig/clean.sh | 1 +
- bin/tests/system/tsig/ns1/named.conf.in | 10 +---
- bin/tests/system/tsig/ns1/rndc5.conf.in | 11 ++++
- bin/tests/system/tsig/setup.sh | 4 ++
- bin/tests/system/tsig/tests.sh | 67 ++++++++++++++---------
- bin/tests/system/tsiggss/setup.sh | 2 +-
- bin/tests/system/upforwd/ns1/named.conf.in | 2 +-
- bin/tests/system/upforwd/tests.sh | 2 +-
- 48 files changed, 287 insertions(+), 225 deletions(-)
- create mode 100644 bin/tests/system/tsig/ns1/rndc5.conf.in
-
-diff --git a/bin/tests/system/acl/ns2/named1.conf.in b/bin/tests/system/acl/ns2/named1.conf.in
-index 0ea6502708..026db3f134 100644
---- a/bin/tests/system/acl/ns2/named1.conf.in
-+++ b/bin/tests/system/acl/ns2/named1.conf.in
-@@ -33,12 +33,12 @@ options {
- };
-
- key one {
-- algorithm hmac-md5;
-+ algorithm hmac-sha256;
- secret "1234abcd8765";
- };
-
- key two {
-- algorithm hmac-md5;
-+ algorithm hmac-sha256;
- secret "1234abcd8765";
- };
-
-diff --git a/bin/tests/system/acl/ns2/named2.conf.in b/bin/tests/system/acl/ns2/named2.conf.in
-index b877880554..d8f50be255 100644
---- a/bin/tests/system/acl/ns2/named2.conf.in
-+++ b/bin/tests/system/acl/ns2/named2.conf.in
-@@ -33,12 +33,12 @@ options {
- };
-
- key one {
-- algorithm hmac-md5;
-+ algorithm hmac-sha256;
- secret "1234abcd8765";
- };
-
- key two {
-- algorithm hmac-md5;
-+ algorithm hmac-sha256;
- secret "1234abcd8765";
- };
-
-diff --git a/bin/tests/system/acl/ns2/named3.conf.in b/bin/tests/system/acl/ns2/named3.conf.in
-index 0a950622a2..aa54088138 100644
----
a/bin/tests/system/acl/ns2/named3.conf.in
-+++ b/bin/tests/system/acl/ns2/named3.conf.in
-@@ -33,17 +33,17 @@ options {
- };
-
- key one {
-- algorithm hmac-md5;
-+ algorithm hmac-sha256;
- secret "1234abcd8765";
- };
-
- key two {
-- algorithm hmac-md5;
-+ algorithm hmac-sha256;
- secret "1234abcd8765";
- };
-
- key three {
-- algorithm hmac-md5;
-+ algorithm hmac-sha256;
- secret "1234abcd8765";
- };
-
-diff --git a/bin/tests/system/acl/ns2/named4.conf.in b/bin/tests/system/acl/ns2/named4.conf.in
-index 7cdcb6e341..606a3452d8 100644
---- a/bin/tests/system/acl/ns2/named4.conf.in
-+++ b/bin/tests/system/acl/ns2/named4.conf.in
-@@ -33,12 +33,12 @@ options {
- };
-
- key one {
-- algorithm hmac-md5;
-+ algorithm hmac-sha256;
- secret "1234abcd8765";
- };
-
- key two {
-- algorithm hmac-md5;
-+ algorithm hmac-sha256;
- secret "1234abcd8765";
- };
-
-diff --git a/bin/tests/system/acl/ns2/named5.conf.in b/bin/tests/system/acl/ns2/named5.conf.in
-index 4b4e05027a..0e679a821d 100644
---- a/bin/tests/system/acl/ns2/named5.conf.in
-+++ b/bin/tests/system/acl/ns2/named5.conf.in
-@@ -34,12 +34,12 @@ options {
- };
-
- key one {
-- algorithm hmac-md5;
-+ algorithm hmac-sha256;
- secret "1234abcd8765";
- };
-
- key two {
-- algorithm hmac-md5;
-+ algorithm hmac-sha256;
- secret "1234abcd8765";
- };
-
-diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh
-index 09f31f2bb9..f88f0d4430 100644
---- a/bin/tests/system/acl/tests.sh
-+++ b/bin/tests/system/acl/tests.sh
-@@ -22,14 +22,14 @@ echo_i "testing basic ACL processing"
- # key "one" should fail
- t=`expr $t + 1`
- $DIG $DIGOPTS tsigzone. \
-- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
-+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
- grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
-
-
- # any other key should be fine
- t=`expr $t + 1`
- $DIG $DIGOPTS tsigzone.
\ -- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t} -+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t} - grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } - - copy_setports ns2/named2.conf.in ns2/named.conf -@@ -39,18 +39,18 @@ sleep 5 - # prefix 10/8 should fail - t=`expr $t + 1` - $DIG $DIGOPTS tsigzone. \ -- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t} -+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} - grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } - - # any other address should work, as long as it sends key "one" - t=`expr $t + 1` - $DIG $DIGOPTS tsigzone. \ -- @10.53.0.2 -b 127.0.0.1 axfr -y two:1234abcd8765 > dig.out.${t} -+ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t} - grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } - - t=`expr $t + 1` - $DIG $DIGOPTS tsigzone. \ -- @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t} -+ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} - grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } - - echo_i "testing nested ACL processing" -@@ -62,31 +62,31 @@ sleep 5 - # should succeed - t=`expr $t + 1` - $DIG $DIGOPTS tsigzone. \ -- @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t} -+ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t} - grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } - - # should succeed - t=`expr $t + 1` - $DIG $DIGOPTS tsigzone. \ -- @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t} -+ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} - grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } - - # should succeed - t=`expr $t + 1` - $DIG $DIGOPTS tsigzone. 
\ -- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t} -+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t} - grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } - - # should succeed - t=`expr $t + 1` - $DIG $DIGOPTS tsigzone. \ -- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t} -+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t} - grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } - - # but only one or the other should fail - t=`expr $t + 1` - $DIG $DIGOPTS tsigzone. \ -- @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t} -+ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} - grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } - - t=`expr $t + 1` -@@ -97,7 +97,7 @@ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $tt failed" ; status=1 - # and other values? right out - t=`expr $t + 1` - $DIG $DIGOPTS tsigzone. \ -- @10.53.0.2 -b 127.0.0.1 axfr -y three:1234abcd8765 > dig.out.${t} -+ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:three:1234abcd8765 > dig.out.${t} - grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } - - # now we only allow 10.53.0.1 *and* key one, or 10.53.0.2 *and* key two -@@ -108,31 +108,31 @@ sleep 5 - # should succeed - t=`expr $t + 1` - $DIG $DIGOPTS tsigzone. \ -- @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t} -+ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t} - grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } - - # should succeed - t=`expr $t + 1` - $DIG $DIGOPTS tsigzone. 
\ -- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t} -+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} - grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } - - # should fail - t=`expr $t + 1` - $DIG $DIGOPTS tsigzone. \ -- @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t} -+ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} - grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } - - # should fail - t=`expr $t + 1` - $DIG $DIGOPTS tsigzone. \ -- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t} -+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t} - grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } - - # should fail - t=`expr $t + 1` - $DIG $DIGOPTS tsigzone. \ -- @10.53.0.2 -b 10.53.0.3 axfr -y one:1234abcd8765 > dig.out.${t} -+ @10.53.0.2 -b 10.53.0.3 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} - grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } - - echo_i "testing allow-query-on ACL processing" -diff --git a/bin/tests/system/allow-query/ns2/named10.conf.in b/bin/tests/system/allow-query/ns2/named10.conf.in -index 1569913b37..e9c5c2d574 100644 ---- a/bin/tests/system/allow-query/ns2/named10.conf.in -+++ b/bin/tests/system/allow-query/ns2/named10.conf.in -@@ -12,7 +12,7 @@ - controls { /* empty */ }; - - key one { -- algorithm hmac-md5; -+ algorithm hmac-sha256; - secret "1234abcd8765"; - }; - -diff --git a/bin/tests/system/allow-query/ns2/named11.conf.in b/bin/tests/system/allow-query/ns2/named11.conf.in -index 18ac91c6e7..2b1c8739d8 100644 ---- a/bin/tests/system/allow-query/ns2/named11.conf.in -+++ b/bin/tests/system/allow-query/ns2/named11.conf.in -@@ -12,12 +12,12 @@ - controls { /* empty */ }; - - key one { -- algorithm hmac-md5; -+ algorithm hmac-sha256; - secret "1234abcd8765"; - }; - - key two { -- 
algorithm hmac-md5; -+ algorithm hmac-sha256; - secret "1234efgh8765"; - }; - -diff --git a/bin/tests/system/allow-query/ns2/named12.conf.in b/bin/tests/system/allow-query/ns2/named12.conf.in -index b8248444dd..dd48945bf8 100644 ---- a/bin/tests/system/allow-query/ns2/named12.conf.in -+++ b/bin/tests/system/allow-query/ns2/named12.conf.in -@@ -12,7 +12,7 @@ - controls { /* empty */ }; - - key one { -- algorithm hmac-md5; -+ algorithm hmac-sha256; - secret "1234abcd8765"; - }; - -diff --git a/bin/tests/system/allow-query/ns2/named30.conf.in b/bin/tests/system/allow-query/ns2/named30.conf.in -index aeb1540e95..bfce58bddd 100644 ---- a/bin/tests/system/allow-query/ns2/named30.conf.in -+++ b/bin/tests/system/allow-query/ns2/named30.conf.in -@@ -12,7 +12,7 @@ - controls { /* empty */ }; - - key one { -- algorithm hmac-md5; -+ algorithm hmac-sha256; - secret "1234abcd8765"; - }; - -diff --git a/bin/tests/system/allow-query/ns2/named31.conf.in b/bin/tests/system/allow-query/ns2/named31.conf.in -index d4b743281a..e0f52526ba 100644 ---- a/bin/tests/system/allow-query/ns2/named31.conf.in -+++ b/bin/tests/system/allow-query/ns2/named31.conf.in -@@ -12,12 +12,12 @@ - controls { /* empty */ }; - - key one { -- algorithm hmac-md5; -+ algorithm hmac-sha256; - secret "1234abcd8765"; - }; - - key two { -- algorithm hmac-md5; -+ algorithm hmac-sha256; - secret "1234efgh8765"; - }; - -diff --git a/bin/tests/system/allow-query/ns2/named32.conf.in b/bin/tests/system/allow-query/ns2/named32.conf.in -index c0259387e7..87afb3fa3a 100644 ---- a/bin/tests/system/allow-query/ns2/named32.conf.in -+++ b/bin/tests/system/allow-query/ns2/named32.conf.in -@@ -12,7 +12,7 @@ - controls { /* empty */ }; - - key one { -- algorithm hmac-md5; -+ algorithm hmac-sha256; - secret "1234abcd8765"; - }; - -diff --git a/bin/tests/system/allow-query/ns2/named40.conf.in b/bin/tests/system/allow-query/ns2/named40.conf.in -index d83b376cfd..d726b9480b 100644 ---- a/bin/tests/system/allow-query/ns2/named40.conf.in 
-+++ b/bin/tests/system/allow-query/ns2/named40.conf.in -@@ -16,12 +16,12 @@ acl accept { 10.53.0.2; }; - acl badaccept { 10.53.0.1; }; - - key one { -- algorithm hmac-md5; -+ algorithm hmac-sha256; - secret "1234abcd8765"; - }; - - key two { -- algorithm hmac-md5; -+ algorithm hmac-sha256; - secret "1234efgh8765"; - }; - -diff --git a/bin/tests/system/allow-query/tests.sh b/bin/tests/system/allow-query/tests.sh -index fb6059d5b8..f9601564a2 100644 ---- a/bin/tests/system/allow-query/tests.sh -+++ b/bin/tests/system/allow-query/tests.sh -@@ -190,7 +190,7 @@ rndc_reload - - echo_i "test $n: key allowed - query allowed" - ret=0 --$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 -+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 - grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 - grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi -@@ -203,7 +203,7 @@ rndc_reload - - echo_i "test $n: key not allowed - query refused" - ret=0 --$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1 -+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1 - grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 - grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi -@@ -216,7 +216,7 @@ rndc_reload - - echo_i "test $n: key disallowed - query refused" - ret=0 --$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 -+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 - grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 - grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi -@@ 
-349,7 +349,7 @@ rndc_reload - - echo_i "test $n: views key allowed - query allowed" - ret=0 --$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 -+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 - grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 - grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi -@@ -362,7 +362,7 @@ rndc_reload - - echo_i "test $n: views key not allowed - query refused" - ret=0 --$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1 -+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1 - grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 - grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi -@@ -375,7 +375,7 @@ rndc_reload - - echo_i "test $n: views key disallowed - query refused" - ret=0 --$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 -+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 - grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 - grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi -@@ -508,7 +508,7 @@ status=`expr $status + $ret` - n=`expr $n + 1` - echo_i "test $n: zone key allowed - query allowed" - ret=0 --$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1 -+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1 - grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 - grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi -@@ 
-518,7 +518,7 @@ status=`expr $status + $ret` - n=`expr $n + 1` - echo_i "test $n: zone key not allowed - query refused" - ret=0 --$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1 -+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1 - grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 - grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null && ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi -@@ -528,7 +528,7 @@ status=`expr $status + $ret` - n=`expr $n + 1` - echo_i "test $n: zone key disallowed - query refused" - ret=0 --$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1 -+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1 - grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 - grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi -diff --git a/bin/tests/system/catz/ns1/named.conf.in b/bin/tests/system/catz/ns1/named.conf.in -index 74b7d371b7..c35376640d 100644 ---- a/bin/tests/system/catz/ns1/named.conf.in -+++ b/bin/tests/system/catz/ns1/named.conf.in -@@ -61,5 +61,5 @@ zone "catalog4.example" { - - key tsig_key. { - secret "LSAnCU+Z"; -- algorithm hmac-md5; -+ algorithm hmac-sha256; - }; -diff --git a/bin/tests/system/catz/ns2/named.conf.in b/bin/tests/system/catz/ns2/named.conf.in -index ee83efbee4..35ced08842 100644 ---- a/bin/tests/system/catz/ns2/named.conf.in -+++ b/bin/tests/system/catz/ns2/named.conf.in -@@ -70,5 +70,5 @@ zone "catalog4.example" { - - key tsig_key. 
{ - secret "LSAnCU+Z"; -- algorithm hmac-md5; -+ algorithm hmac-sha256; - }; -diff --git a/bin/tests/system/checkconf/bad-tsig.conf b/bin/tests/system/checkconf/bad-tsig.conf -index 21be03e9d2..e57c30875c 100644 ---- a/bin/tests/system/checkconf/bad-tsig.conf -+++ b/bin/tests/system/checkconf/bad-tsig.conf -@@ -11,7 +11,7 @@ - - /* Bad secret */ - key "badtsig" { -- algorithm hmac-md5; -+ algorithm hmac-sha256; - secret "jEdD+BPKg=="; - }; - -diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf -index 9ab35b38a5..486551ae64 100644 ---- a/bin/tests/system/checkconf/good.conf -+++ b/bin/tests/system/checkconf/good.conf -@@ -153,6 +153,6 @@ dyndb "name" "library.so" { - system; - }; - key "mykey" { -- algorithm "hmac-md5"; -+ algorithm "hmac-sha256"; - secret "qwertyuiopasdfgh"; - }; -diff --git a/bin/tests/system/digdelv/ns2/example.db b/bin/tests/system/digdelv/ns2/example.db -index f4e30f51e5..9f53e31c97 100644 ---- a/bin/tests/system/digdelv/ns2/example.db -+++ b/bin/tests/system/digdelv/ns2/example.db -@@ -38,12 +38,15 @@ foo SSHFP 2 1 123456789abcdef67890123456789abcdef67890 - ;; - ;; we are not testing DNSSEC behavior, so we don't care about the semantics - ;; of the following records. 
--dnskey 300 DNSKEY 256 3 1 ( -- AQPTpWyReB/e9Ii6mVGnakS8hX2zkh/iUYAg -- +Ge4noWROpTWOIBvm76zeJPWs4Zfqa1IsswD -- Ix5Mqeg0zwclz59uecKsKyx5w9IhtZ8plc4R -- b9VIE5x7KNHAYTvTO5d4S8M= -- ) -+dnskey 300 DNSKEY 256 3 8 ( -+ AwEAAaWmCoDpj2K59zcpqnmnQM7IC/XbjS6jIP7uTBR4X7p1bdQJzAeo -+ EnMhnpnxPp0j+20eZm4847DB2U+HuHy79Mvqd3aozTmfBJvzjKs9qyba -+ zY/ZHn6BDYxNJiFfjSS/VJ1KuQPDbpCzhm2hbvT5s9nSOaG0WyRk+d+R -+ qEca11E7ZKkmmNiGlyzMAgfmTTBwgxWBAAhvd9nU1GqD6eQ6Z63hpTc/ -+ KDIHnFTo7pOcZ4z5urIKUMCMcFytedETlEoR5CIWGPdQq2eIEEMfn5ld -+ QqdEZRHVErD9og8aluJ2s767HZb8LzjCfYgBFoT9/n48T75oZLEKtSkG -+ /idCeeQlaLU= -+ ) - - ; TTL of 3 weeks - weeks 1814400 A 10.53.0.2 -diff --git a/bin/tests/system/digdelv/tests.sh b/bin/tests/system/digdelv/tests.sh -index 1b25c4ddfc..5dbf20a3e1 100644 ---- a/bin/tests/system/digdelv/tests.sh -+++ b/bin/tests/system/digdelv/tests.sh -@@ -62,7 +62,7 @@ if [ -x ${DIG} ] ; then - echo_i "checking dig +multi +norrcomments works for dnskey (when default is rrcomments)($n)" - ret=0 - $DIG $DIGOPTS +tcp @10.53.0.3 +multi +norrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1 -- grep "; ZSK; alg = RSAMD5 ; key id = 30795" < dig.out.test$n > /dev/null && ret=1 -+ grep "; ZSK; alg = RSASHA256 ; key id = 36895" < dig.out.test$n > /dev/null && ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` - -@@ -70,7 +70,7 @@ if [ -x ${DIG} ] ; then - echo_i "checking dig +multi +norrcomments works for soa (when default is rrcomments)($n)" - ret=0 - $DIG $DIGOPTS +tcp @10.53.0.3 +multi +norrcomments SOA example > dig.out.test$n || ret=1 -- grep "; ZSK; alg = RSAMD5 ; key id = 30795" < dig.out.test$n > /dev/null && ret=1 -+ grep "; ZSK; alg = RSASHA256 ; key id = 36895" < dig.out.test$n > /dev/null && ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` - -@@ -78,7 +78,7 @@ if [ -x ${DIG} ] ; then - echo_i "checking dig +rrcomments works for DNSKEY($n)" - ret=0 - $DIG $DIGOPTS +tcp @10.53.0.3 +rrcomments DNSKEY 
dnskey.example > dig.out.test$n || ret=1 -- grep "; ZSK; alg = RSAMD5 ; key id = 30795" < dig.out.test$n > /dev/null || ret=1 -+ grep "; ZSK; alg = RSASHA256 ; key id = 36895$" < dig.out.test$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` - -@@ -86,7 +86,7 @@ if [ -x ${DIG} ] ; then - echo_i "checking dig +short +rrcomments works for DNSKEY ($n)" - ret=0 - $DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1 -- grep "; ZSK; alg = RSAMD5 ; key id = 30795" < dig.out.test$n > /dev/null || ret=1 -+ grep "; ZSK; alg = RSASHA256 ; key id = 36895$" < dig.out.test$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` - -@@ -94,7 +94,7 @@ if [ -x ${DIG} ] ; then - echo_i "checking dig +short +nosplit works($n)" - ret=0 - $DIG $DIGOPTS +tcp @10.53.0.3 +short +nosplit DNSKEY dnskey.example > dig.out.test$n || ret=1 -- grep "Z8plc4Rb9VIE5x7KNHAYTvTO5d4S8M=$" < dig.out.test$n > /dev/null || ret=1 -+ grep "T9/n48T75oZLEKtSkG/idCeeQlaLU=$" < dig.out.test$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` - -@@ -102,7 +102,7 @@ if [ -x ${DIG} ] ; then - echo_i "checking dig +short +rrcomments works($n)" - ret=0 - $DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1 -- grep "S8M= ; ZSK; alg = RSAMD5 ; key id = 30795$" < dig.out.test$n > /dev/null || ret=1 -+ grep "aLU= ; ZSK; alg = RSASHA256 ; key id = 36895$" < dig.out.test$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` - -@@ -118,7 +118,7 @@ if [ -x ${DIG} ] ; then - echo_i "checking dig +short +rrcomments works($n)" - ret=0 - $DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1 -- grep "S8M= ; ZSK; alg = RSAMD5 ; key id = 30795$" < dig.out.test$n > /dev/null || ret=1 -+ grep "aLU= ; ZSK; alg = RSASHA256 ; 
key id = 36895$" < dig.out.test$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` - -@@ -543,7 +543,7 @@ if [ -x ${DELV} ] ; then - echo_i "checking delv +multi +norrcomments works for dnskey (when default is rrcomments)($n)" - ret=0 - $DELV $DELVOPTS +tcp @10.53.0.3 +multi +norrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1 -- grep "; ZSK; alg = RSAMD5 ; key id = 30795" < delv.out.test$n > /dev/null && ret=1 -+ grep "; ZSK; alg = RSASHA256 ; key id = 36895" < delv.out.test$n > /dev/null && ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` - -@@ -551,7 +551,7 @@ if [ -x ${DELV} ] ; then - echo_i "checking delv +multi +norrcomments works for soa (when default is rrcomments)($n)" - ret=0 - $DELV $DELVOPTS +tcp @10.53.0.3 +multi +norrcomments SOA example > delv.out.test$n || ret=1 -- grep "; ZSK; alg = RSAMD5 ; key id = 30795" < delv.out.test$n > /dev/null && ret=1 -+ grep "; ZSK; alg = RSASHA256 ; key id = 36895" < delv.out.test$n > /dev/null && ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` - -@@ -559,7 +559,7 @@ if [ -x ${DELV} ] ; then - echo_i "checking delv +rrcomments works for DNSKEY($n)" - ret=0 - $DELV $DELVOPTS +tcp @10.53.0.3 +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1 -- grep "; ZSK; alg = RSAMD5 ; key id = 30795" < delv.out.test$n > /dev/null || ret=1 -+ grep "; ZSK; alg = RSASHA256 ; key id = 36895" < delv.out.test$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` - -@@ -567,7 +567,7 @@ if [ -x ${DELV} ] ; then - echo_i "checking delv +short +rrcomments works for DNSKEY ($n)" - ret=0 - $DELV $DELVOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1 -- grep "; ZSK; alg = RSAMD5 ; key id = 30795" < delv.out.test$n > /dev/null || ret=1 -+ grep "; ZSK; alg = RSASHA256 ; key id = 36895" < delv.out.test$n > /dev/null || ret=1 - if [ 
$ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` - -@@ -575,7 +575,7 @@ if [ -x ${DELV} ] ; then - echo_i "checking delv +short +rrcomments works ($n)" - ret=0 - $DELV $DELVOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1 -- grep "S8M= ; ZSK; alg = RSAMD5 ; key id = 30795$" < delv.out.test$n > /dev/null || ret=1 -+ grep "aLU= ; ZSK; alg = RSASHA256 ; key id = 36895$" < delv.out.test$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` - -@@ -583,7 +583,7 @@ if [ -x ${DELV} ] ; then - echo_i "checking delv +short +nosplit works ($n)" - ret=0 - $DELV $DELVOPTS +tcp @10.53.0.3 +short +nosplit DNSKEY dnskey.example > delv.out.test$n || ret=1 -- grep "Z8plc4Rb9VIE5x7KNHAYTvTO5d4S8M=" < delv.out.test$n > /dev/null || ret=1 -+ grep "T9/n48T75oZLEKtSkG/idCeeQlaLU=" < delv.out.test$n > /dev/null || ret=1 - if test `wc -l < delv.out.test$n` != 1 ; then ret=1 ; fi - f=`awk '{print NF}' < delv.out.test$n` - test "${f:-0}" -eq 14 || ret=1 -@@ -594,7 +594,7 @@ if [ -x ${DELV} ] ; then - echo_i "checking delv +short +nosplit +norrcomments works ($n)" - ret=0 - $DELV $DELVOPTS +tcp @10.53.0.3 +short +nosplit +norrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1 -- grep "Z8plc4Rb9VIE5x7KNHAYTvTO5d4S8M=$" < delv.out.test$n > /dev/null || ret=1 -+ grep "T9/n48T75oZLEKtSkG/idCeeQlaLU=$" < delv.out.test$n > /dev/null || ret=1 - if test `wc -l < delv.out.test$n` != 1 ; then ret=1 ; fi - f=`awk '{print NF}' < delv.out.test$n` - test "${f:-0}" -eq 4 || ret=1 -diff --git a/bin/tests/system/dlv/ns1/sign.sh b/bin/tests/system/dlv/ns1/sign.sh -index b8151620cc..2a62e583b8 100755 ---- a/bin/tests/system/dlv/ns1/sign.sh -+++ b/bin/tests/system/dlv/ns1/sign.sh -@@ -23,8 +23,8 @@ infile=root.db.in - zonefile=root.db - outfile=root.signed - --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> 
/dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` - - cat $infile $keyname1.key $keyname2.key >$zonefile - -diff --git a/bin/tests/system/dlv/ns2/sign.sh b/bin/tests/system/dlv/ns2/sign.sh -index 6f84d7a525..e128303a22 100755 ---- a/bin/tests/system/dlv/ns2/sign.sh -+++ b/bin/tests/system/dlv/ns2/sign.sh -@@ -24,8 +24,8 @@ zonefile=druz.db - outfile=druz.pre - dlvzone=utld. - --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` - - cat $infile $keyname1.key $keyname2.key >$zonefile - -diff --git a/bin/tests/system/dlv/ns3/sign.sh b/bin/tests/system/dlv/ns3/sign.sh -index bcc9922e26..846dbcc0df 100755 ---- a/bin/tests/system/dlv/ns3/sign.sh -+++ b/bin/tests/system/dlv/ns3/sign.sh -@@ -19,6 +19,7 @@ echo_i "dlv/ns3/sign.sh" - dlvzone=dlv.utld. - dlvsets= - dssets= -+bits=1024 - - zone=child1.utld. 
- infile=child.db.in -@@ -26,8 +27,8 @@ zonefile=child1.utld.db - outfile=child1.signed - dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" - --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP - cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile -@@ -42,8 +43,8 @@ zonefile=child3.utld.db - outfile=child3.signed - dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" - --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP - cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile -@@ -58,8 +59,8 @@ zonefile=child4.utld.db - outfile=child4.signed - dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" - --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - cat $infile $keyname1.key $keyname2.key >$zonefile - -@@ -73,8 +74,8 @@ zonefile=child5.utld.db - outfile=child5.signed - dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" - --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` 
-+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP - cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile -@@ -88,8 +89,8 @@ infile=child.db.in - zonefile=child7.utld.db - outfile=child7.signed - --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP - cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile -@@ -103,8 +104,8 @@ infile=child.db.in - zonefile=child8.utld.db - outfile=child8.signed - --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - cat $infile $keyname1.key $keyname2.key >$zonefile - -@@ -118,8 +119,8 @@ zonefile=child9.utld.db - outfile=child9.signed - dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" - --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - cat $infile $keyname1.key $keyname2.key >$zonefile - -@@ -132,8 +133,8 @@ zonefile=child10.utld.db - outfile=child10.signed - dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" - --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n 
zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - cat $infile $keyname1.key $keyname2.key >$zonefile - -@@ -147,8 +148,8 @@ outfile=child1.druz.signed - dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" - dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP" - --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP - cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile -@@ -164,8 +165,8 @@ outfile=child3.druz.signed - dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" - dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP" - --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP - cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile -@@ -181,8 +182,8 @@ outfile=child4.druz.signed - dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" - dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP" - --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f 
KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - cat $infile $keyname1.key $keyname2.key >$zonefile - -@@ -197,8 +198,8 @@ outfile=child5.druz.signed - dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" - dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP" - --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP - cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile -@@ -213,8 +214,8 @@ zonefile=child7.druz.db - outfile=child7.druz.signed - dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP" - --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP - cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile -@@ -228,8 +229,8 @@ infile=child.db.in - zonefile=child8.druz.db - outfile=child8.druz.signed - --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - cat $infile $keyname1.key $keyname2.key >$zonefile - -@@ -243,8 +244,8 @@ zonefile=child9.druz.db - outfile=child9.druz.signed - dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" - --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 
2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - cat $infile $keyname1.key $keyname2.key >$zonefile - -@@ -258,8 +259,8 @@ outfile=child10.druz.signed - dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" - dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP" - --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - cat $infile $keyname1.key $keyname2.key >$zonefile - -@@ -272,8 +273,8 @@ infile=dlv.db.in - zonefile=dlv.utld.db - outfile=dlv.signed - --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - cat $infile $dlvsets $keyname1.key $keyname2.key >$zonefile - -diff --git a/bin/tests/system/dlv/ns6/sign.sh b/bin/tests/system/dlv/ns6/sign.sh -index 1e398625f1..4ed19acd1f 100755 ---- a/bin/tests/system/dlv/ns6/sign.sh -+++ b/bin/tests/system/dlv/ns6/sign.sh -@@ -16,13 +16,15 @@ SYSTESTDIR=dlv - - echo_i "dlv/ns6/sign.sh" - -+bits=1024 -+ - zone=grand.child1.utld. 
- infile=child.db.in - zonefile=grand.child1.utld.db - outfile=grand.child1.signed - --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - cat $infile $keyname1.key $keyname2.key >$zonefile - -@@ -36,8 +38,8 @@ zonefile=grand.child3.utld.db - outfile=grand.child3.signed - dlvzone=dlv.utld. - --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - cat $infile $keyname1.key $keyname2.key >$zonefile - -@@ -51,8 +53,8 @@ zonefile=grand.child4.utld.db - outfile=grand.child4.signed - dlvzone=dlv.utld. - --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - cat $infile $keyname1.key $keyname2.key >$zonefile - -@@ -66,8 +68,8 @@ zonefile=grand.child5.utld.db - outfile=grand.child5.signed - dlvzone=dlv.utld. - --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - cat $infile $keyname1.key $keyname2.key >$zonefile - -@@ -81,8 +83,8 @@ zonefile=grand.child7.utld.db - outfile=grand.child7.signed - dlvzone=dlv.utld. 
- --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - cat $infile $keyname1.key $keyname2.key >$zonefile - -@@ -96,8 +98,8 @@ zonefile=grand.child8.utld.db - outfile=grand.child8.signed - dlvzone=dlv.utld. - --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - cat $infile $keyname1.key $keyname2.key >$zonefile - -@@ -111,8 +113,8 @@ zonefile=grand.child9.utld.db - outfile=grand.child9.signed - dlvzone=dlv.utld. - --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - cat $infile $keyname1.key $keyname2.key >$zonefile - -@@ -125,8 +127,8 @@ zonefile=grand.child10.utld.db - outfile=grand.child10.signed - dlvzone=dlv.utld. 
- --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - cat $infile $keyname1.key $keyname2.key >$zonefile - -@@ -138,8 +140,8 @@ infile=child.db.in - zonefile=grand.child1.druz.db - outfile=grand.child1.druz.signed - --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - cat $infile $keyname1.key $keyname2.key >$zonefile - -@@ -153,8 +155,8 @@ zonefile=grand.child3.druz.db - outfile=grand.child3.druz.signed - dlvzone=dlv.druz. - --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - cat $infile $keyname1.key $keyname2.key >$zonefile - -@@ -168,8 +170,8 @@ zonefile=grand.child4.druz.db - outfile=grand.child4.druz.signed - dlvzone=dlv.druz. - --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - cat $infile $keyname1.key $keyname2.key >$zonefile - -@@ -183,8 +185,8 @@ zonefile=grand.child5.druz.db - outfile=grand.child5.druz.signed - dlvzone=dlv.druz. 
- --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - cat $infile $keyname1.key $keyname2.key >$zonefile - -@@ -198,8 +200,8 @@ zonefile=grand.child7.druz.db - outfile=grand.child7.druz.signed - dlvzone=dlv.druz. - --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - cat $infile $keyname1.key $keyname2.key >$zonefile - -@@ -213,8 +215,8 @@ zonefile=grand.child8.druz.db - outfile=grand.child8.druz.signed - dlvzone=dlv.druz. - --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - cat $infile $keyname1.key $keyname2.key >$zonefile - -@@ -228,8 +230,8 @@ zonefile=grand.child9.druz.db - outfile=grand.child9.druz.signed - dlvzone=dlv.druz. - --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - cat $infile $keyname1.key $keyname2.key >$zonefile - -@@ -242,8 +244,8 @@ zonefile=grand.child10.druz.db - outfile=grand.child10.druz.signed - dlvzone=dlv.druz. 
- --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - cat $infile $keyname1.key $keyname2.key >$zonefile - -diff --git a/bin/tests/system/dnssec/ns1/sign.sh b/bin/tests/system/dnssec/ns1/sign.sh -index 198d60ae15..d89a539ffd 100644 ---- a/bin/tests/system/dnssec/ns1/sign.sh -+++ b/bin/tests/system/dnssec/ns1/sign.sh -@@ -27,7 +27,7 @@ cp ../ns2/dsset-in-addr.arpa$TP . - grep "8 [12] " ../ns2/dsset-algroll$TP > dsset-algroll$TP - cp ../ns6/dsset-optout-tld$TP . - --keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone` -+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone` - - cat $infile $keyname.key > $zonefile - -@@ -48,6 +48,6 @@ cp managed.conf ../ns4/managed.conf - # - # Save keyid for managed key id test. - # --keyid=`expr $keyname : 'K.+001+\(.*\)'` -+keyid=`expr $keyname : 'K.+008+\([0-9]*\)'` - keyid=`expr $keyid + 0` - echo "$keyid" > managed.key.id -diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh -index 9078459ac8..9dcd028eb5 100644 ---- a/bin/tests/system/dnssec/ns2/sign.sh -+++ b/bin/tests/system/dnssec/ns2/sign.sh -@@ -29,8 +29,8 @@ do - cp ../ns3/dsset-$subdomain.example$TP . - done - --keyname1=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone` --keyname2=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone` -+keyname1=`$KEYGEN -q -r $RANDFILE -a DSA -b 1024 -n zone $zone` -+keyname2=`$KEYGEN -q -r $RANDFILE -a DSA -b 1024 -n zone $zone` - - cat $infile $keyname1.key $keyname2.key >$zonefile - -@@ -89,8 +89,8 @@ zone=in-addr.arpa. 
- infile=in-addr.arpa.db.in - zonefile=in-addr.arpa.db - --keyname1=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone` --keyname2=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone` -+keyname1=`$KEYGEN -q -r $RANDFILE -a DSA -b 1024 -n zone $zone` -+keyname2=`$KEYGEN -q -r $RANDFILE -a DSA -b 1024 -n zone $zone` - - cat $infile $keyname1.key $keyname2.key >$zonefile - $SIGNER -P -g -r $RANDFILE -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null -@@ -101,7 +101,7 @@ privzone=private.secure.example. - privinfile=private.secure.example.db.in - privzonefile=private.secure.example.db - --privkeyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $privzone` -+privkeyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $privzone` - - cat $privinfile $privkeyname.key >$privzonefile - -@@ -115,7 +115,7 @@ dlvinfile=dlv.db.in - dlvzonefile=dlv.db - dlvsetfile=dlvset-`echo $privzone |sed -e "s/\.$//g"`$TP - --dlvkeyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $dlvzone` -+dlvkeyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $dlvzone` - - cat $dlvinfile $dlvkeyname.key $dlvsetfile > $dlvzonefile - -diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh -index 330abf7feb..f95a6b7ea8 100644 ---- a/bin/tests/system/dnssec/ns3/sign.sh -+++ b/bin/tests/system/dnssec/ns3/sign.sh -@@ -28,7 +28,7 @@ zone=bogus.example. - infile=bogus.example.db.in - zonefile=bogus.example.db - --keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone` -+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 2048 -n zone $zone` - - cat $infile $keyname.key >$zonefile - -@@ -38,8 +38,8 @@ zone=dynamic.example. 
- infile=dynamic.example.db.in - zonefile=dynamic.example.db - --keyname1=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone` --keyname2=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone -f KSK $zone` -+keyname1=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 2048 -n zone $zone` -+keyname2=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 2048 -n zone -f KSK $zone` - - cat $infile $keyname1.key $keyname2.key >$zonefile - -@@ -49,7 +49,7 @@ zone=keyless.example. - infile=generic.example.db.in - zonefile=keyless.example.db - --keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone` -+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 2048 -n zone $zone` - - cat $infile $keyname.key >$zonefile - -@@ -69,7 +69,7 @@ zone=secure.nsec3.example. - infile=secure.nsec3.example.db.in - zonefile=secure.nsec3.example.db - --keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone` -+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 2048 -n zone $zone` - - cat $infile $keyname.key >$zonefile - -@@ -82,7 +82,7 @@ zone=nsec3.nsec3.example. - infile=nsec3.nsec3.example.db.in - zonefile=nsec3.nsec3.example.db - --keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone` -+keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone` - - cat $infile $keyname.key >$zonefile - -@@ -95,7 +95,7 @@ zone=optout.nsec3.example. - infile=optout.nsec3.example.db.in - zonefile=optout.nsec3.example.db - --keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone` -+keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone` - - cat $infile $keyname.key >$zonefile - -@@ -108,7 +108,7 @@ zone=nsec3.example. - infile=nsec3.example.db.in - zonefile=nsec3.example.db - --keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone` -+keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone` - - cat $infile $keyname.key >$zonefile - -@@ -121,7 +121,7 @@ zone=secure.optout.example. 
- infile=secure.optout.example.db.in - zonefile=secure.optout.example.db - --keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone` -+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 2048 -n zone $zone` - - cat $infile $keyname.key >$zonefile - -@@ -498,7 +498,7 @@ zone=badds.example. - infile=bogus.example.db.in - zonefile=badds.example.db - --keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone` -+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 2048 -n zone $zone` - - cat $infile $keyname.key >$zonefile - -diff --git a/bin/tests/system/dnssec/ns5/trusted.conf.bad b/bin/tests/system/dnssec/ns5/trusted.conf.bad -index ed30460bda..e6b112630e 100644 ---- a/bin/tests/system/dnssec/ns5/trusted.conf.bad -+++ b/bin/tests/system/dnssec/ns5/trusted.conf.bad -@@ -10,5 +10,5 @@ - */ - - trusted-keys { -- "." 256 3 1 "AQO6Cl+slAf+iuieDim9L3kujFHQD7s/IOj03ClMOpKYcTXtK4mRpuULVfvWxDi9Ew/gj0xLnnX7z9OJHIxLI+DSrAHd8Dm0XfBEAtVtJSn70GaPZgnLMw1rk5ap2DsEoWk="; -+ "." 256 3 8 "AwEAAarwAdjV4gIhpBCjXVAScRFEx3co7k8smJdxrnqoGsl5NB7EZ9jRdgvCXbJn6v8y9jlNWVHvaC8ilhfhLh0A1vLWiWv4ijd/12xcnrY7xpG7Cu3YkxUxaXJ7Jdg/Iw1+9mGgXF1v4UbCIcw/3U3cxyk7OxYg+VSb5KBAQSR0upxV"; - }; -diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh -index bb2315fbf3..315666825e 100644 ---- a/bin/tests/system/dnssec/tests.sh -+++ b/bin/tests/system/dnssec/tests.sh -@@ -1690,7 +1690,7 @@ ret=0 - $RNDCCMD 10.53.0.4 secroots 2>&1 | sed 's/^/ns4 /' | cat_i - keyid=`cat ns1/managed.key.id` - cp ns4/named.secroots named.secroots.test$n --linecount=`grep "./RSAMD5/$keyid ; trusted" named.secroots.test$n | wc -l` -+linecount=`grep "./RSASHA256/$keyid ; trusted" named.secroots.test$n | wc -l` - [ "$linecount" -eq 1 ] || ret=1 - linecount=`cat named.secroots.test$n | wc -l` - [ "$linecount" -eq 10 ] || ret=1 -@@ -3018,7 +3018,7 @@ echo_i "check dig's +nocrypto flag ($n)" - ret=0 - $DIG $DIGOPTS +norec +nocrypto DNSKEY . 
\ - @10.53.0.1 > dig.out.dnskey.ns1.test$n || ret=1 --grep '256 3 1 \[key id = [1-9][0-9]*]' dig.out.dnskey.ns1.test$n > /dev/null || ret=1 -+grep '256 3 8 \[key id = [1-9][0-9]*]' dig.out.dnskey.ns1.test$n > /dev/null || ret=1 - grep 'RRSIG.* \[omitted]' dig.out.dnskey.ns1.test$n > /dev/null || ret=1 - $DIG $DIGOPTS +norec +nocrypto DS example \ - @10.53.0.1 > dig.out.ds.ns1.test$n || ret=1 -@@ -3130,8 +3130,8 @@ do - alg=`expr $alg + 1` - continue;; - 3) size="-b 512";; -- 5) size="-b 512";; -- 6) size="-b 512";; -+ 5) size="-b 1024";; -+ 6) size="-b 1024";; - 7) size="-b 512";; - 8) size="-b 512";; - 10) size="-b 1024";; -diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c -index 9612450ab4..5eee6aa4f8 100644 ---- a/bin/tests/system/feature-test.c -+++ b/bin/tests/system/feature-test.c -@@ -19,6 +19,7 @@ - #include - #include - #include -+#include - #include - - #ifdef WIN32 -@@ -45,6 +46,7 @@ usage() { - fprintf(stderr, " --have-geoip\n"); - fprintf(stderr, " --have-libxml2\n"); - fprintf(stderr, " --ipv6only=no\n"); -+ fprintf(stderr, " --md5\n"); - fprintf(stderr, " --rpz-nsdname\n"); - fprintf(stderr, " --rpz-nsip\n"); - fprintf(stderr, " --with-idn\n"); -@@ -136,6 +138,18 @@ main(int argc, char **argv) { - #endif - } - -+ if (strcmp(argv[1], "--md5") == 0) { -+#ifdef PK11_MD5_DISABLE -+ return (1); -+#else -+ if (isc_md5_available()) { -+ return (0); -+ } else { -+ return (1); -+ } -+#endif -+ } -+ - if (strcmp(argv[1], "--rpz-nsip") == 0) { - #ifdef ENABLE_RPZ_NSIP - return (0); -diff --git a/bin/tests/system/filter-aaaa/ns1/sign.sh b/bin/tests/system/filter-aaaa/ns1/sign.sh -index f7555810a0..4a7d89004a 100755 ---- a/bin/tests/system/filter-aaaa/ns1/sign.sh -+++ b/bin/tests/system/filter-aaaa/ns1/sign.sh -@@ -21,8 +21,8 @@ infile=signed.db.in - zonefile=signed.db.signed - outfile=signed.db.signed - --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n 
zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` - - cat $infile $keyname1.key $keyname2.key >$zonefile - -diff --git a/bin/tests/system/filter-aaaa/ns4/sign.sh b/bin/tests/system/filter-aaaa/ns4/sign.sh -index f7555810a0..4a7d89004a 100755 ---- a/bin/tests/system/filter-aaaa/ns4/sign.sh -+++ b/bin/tests/system/filter-aaaa/ns4/sign.sh -@@ -21,8 +21,8 @@ infile=signed.db.in - zonefile=signed.db.signed - outfile=signed.db.signed - --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` - - cat $infile $keyname1.key $keyname2.key >$zonefile - -diff --git a/bin/tests/system/notify/ns5/named.conf.in b/bin/tests/system/notify/ns5/named.conf.in -index cfcfe8fa2f..0a1614d527 100644 ---- a/bin/tests/system/notify/ns5/named.conf.in -+++ b/bin/tests/system/notify/ns5/named.conf.in -@@ -10,17 +10,17 @@ - */ - - key "a" { -- algorithm "hmac-md5"; -+ algorithm "hmac-sha256"; - secret "aaaaaaaaaaaaaaaaaaaa"; - }; - - key "b" { -- algorithm "hmac-md5"; -+ algorithm "hmac-sha256"; - secret "bbbbbbbbbbbbbbbbbbbb"; - }; - - key "c" { -- algorithm "hmac-md5"; -+ algorithm "hmac-sha256"; - secret "cccccccccccccccccccc"; - }; - -diff --git a/bin/tests/system/notify/tests.sh b/bin/tests/system/notify/tests.sh -index ad20e3eaca..5a9ce4688a 100644 ---- a/bin/tests/system/notify/tests.sh -+++ b/bin/tests/system/notify/tests.sh -@@ -186,16 +186,16 @@ ret=0 - $NSUPDATE << EOF - server 10.53.0.5 ${PORT} - zone x21 --key a aaaaaaaaaaaaaaaaaaaa -+key hmac-sha256:a aaaaaaaaaaaaaaaaaaaa - update add added.x21 0 in txt "test string" - send - EOF - - for i in 1 2 3 4 5 6 7 8 9 - do -- $DIG $DIGOPTS added.x21. 
-y b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \ -+ $DIG $DIGOPTS added.x21. -y hmac-sha256:b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \ - txt > dig.out.b.ns5.test$n || ret=1 -- $DIG $DIGOPTS added.x21. -y c:cccccccccccccccccccc @10.53.0.5 \ -+ $DIG $DIGOPTS added.x21. -y hmac-sha256:c:cccccccccccccccccccc @10.53.0.5 \ - txt > dig.out.c.ns5.test$n || ret=1 - grep "test string" dig.out.b.ns5.test$n > /dev/null && - grep "test string" dig.out.c.ns5.test$n > /dev/null && -diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in -index 1d999adc39..26b6b7c9ab 100644 ---- a/bin/tests/system/nsupdate/ns1/named.conf.in -+++ b/bin/tests/system/nsupdate/ns1/named.conf.in -@@ -32,7 +32,7 @@ controls { - }; - - key altkey { -- algorithm hmac-md5; -+ algorithm hmac-sha512; - secret "1234abcd8765"; - }; - -diff --git a/bin/tests/system/nsupdate/ns2/named.conf.in b/bin/tests/system/nsupdate/ns2/named.conf.in -index b4ecf96668..1adb33eb0b 100644 ---- a/bin/tests/system/nsupdate/ns2/named.conf.in -+++ b/bin/tests/system/nsupdate/ns2/named.conf.in -@@ -24,7 +24,7 @@ options { - }; - - key altkey { -- algorithm hmac-md5; -+ algorithm hmac-sha512; - secret "1234abcd8765"; - }; - -diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh -index 32674eb382..2331b30b00 100644 ---- a/bin/tests/system/nsupdate/setup.sh -+++ b/bin/tests/system/nsupdate/setup.sh -@@ -59,7 +59,12 @@ EOF - - $DDNSCONFGEN -q -r $RANDFILE -z example.nil > ns1/ddns.key - --$DDNSCONFGEN -q -r $RANDFILE -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key -+if $FEATURETEST --md5; then -+ $DDNSCONFGEN -q -r $RANDFILE -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key -+else -+ echo -n > ns1/md5.key -+fi -+ - $DDNSCONFGEN -q -r $RANDFILE -a hmac-sha1 -k sha1-key -z keytests.nil > ns1/sha1.key - $DDNSCONFGEN -q -r $RANDFILE -a hmac-sha224 -k sha224-key -z keytests.nil > ns1/sha224.key - $DDNSCONFGEN -q -r $RANDFILE -a hmac-sha256 -k sha256-key -z keytests.nil > 
ns1/sha256.key -diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh -index 2a01d1e46d..e8659587c3 100755 ---- a/bin/tests/system/nsupdate/tests.sh -+++ b/bin/tests/system/nsupdate/tests.sh -@@ -680,7 +680,14 @@ fi - n=`expr $n + 1` - ret=0 - echo_i "check TSIG key algorithms ($n)" --for alg in md5 sha1 sha224 sha256 sha384 sha512; do -+if $FEATURETEST --md5 -+then -+ ALGS="md5 sha1 sha224 sha256 sha384 sha512" -+else -+ ALGS="sha1 sha224 sha256 sha384 sha512" -+ echo_i "skipping disabled md5 algorithm" -+fi -+for alg in $ALGS; do - $NSUPDATE -k ns1/${alg}.key < /dev/null || ret=1 - server 10.53.0.1 ${PORT} - update add ${alg}.keytests.nil. 600 A 10.10.10.3 -@@ -688,7 +695,7 @@ send - END - done - sleep 2 --for alg in md5 sha1 sha224 sha256 sha384 sha512; do -+for alg in $ALGS; do - $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.3 > /dev/null 2>&1 || ret=1 - done - if [ $ret -ne 0 ]; then -diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh -index 850c4d2744..09a3e0f9ad 100644 ---- a/bin/tests/system/rndc/setup.sh -+++ b/bin/tests/system/rndc/setup.sh -@@ -37,7 +37,7 @@ make_key () { - sed 's/allow { 10.53.0.4/allow { any/' >> ns4/named.conf - } - --make_key 1 ${EXTRAPORT1} hmac-md5 -+$FEATURETEST --md5 && make_key 1 ${EXTRAPORT1} hmac-md5 - make_key 2 ${EXTRAPORT2} hmac-sha1 - make_key 3 ${EXTRAPORT3} hmac-sha224 - make_key 4 ${EXTRAPORT4} hmac-sha256 -diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh -index d364e6fea0..dbf3bc6780 100644 ---- a/bin/tests/system/rndc/tests.sh -+++ b/bin/tests/system/rndc/tests.sh -@@ -356,15 +356,20 @@ if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` - - n=`expr $n + 1` --echo_i "testing rndc with hmac-md5 ($n)" --ret=0 --$RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1 --for i in 2 3 4 5 6 --do -- $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > 
/dev/null 2>&1 && ret=1 --done --if [ $ret != 0 ]; then echo_i "failed"; fi --status=`expr $status + $ret` -+if $FEATURETEST --md5 -+then -+ echo_i "testing rndc with hmac-md5 ($n)" -+ ret=0 -+ $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1 -+ for i in 2 3 4 5 6 -+ do -+ $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1 -+ done -+ if [ $ret != 0 ]; then echo_i "failed"; fi -+ status=`expr $status + $ret` -+else -+ echo_i "skipping rndc with hmac-md5 ($n)" -+fi - - n=`expr $n + 1` - echo_i "testing rndc with hmac-sha1 ($n)" -diff --git a/bin/tests/system/tsig/clean.sh b/bin/tests/system/tsig/clean.sh -index 576ec70f76..cb7a852189 100644 ---- a/bin/tests/system/tsig/clean.sh -+++ b/bin/tests/system/tsig/clean.sh -@@ -20,3 +20,4 @@ rm -f */named.run - rm -f ns*/named.lock - rm -f Kexample.net.+163+* - rm -f keygen.out? -+rm -f ns1/named.conf -diff --git a/bin/tests/system/tsig/ns1/named.conf.in b/bin/tests/system/tsig/ns1/named.conf.in -index fbf30c6dc4..f61657d7cf 100644 ---- a/bin/tests/system/tsig/ns1/named.conf.in -+++ b/bin/tests/system/tsig/ns1/named.conf.in -@@ -21,10 +21,7 @@ options { - notify no; - }; - --key "md5" { -- secret "97rnFx24Tfna4mHPfgnerA=="; -- algorithm hmac-md5; --}; -+# md5 key appended by setup.sh at the end - - key "sha1" { - secret "FrSt77yPTFx6hTs4i2tKLB9LmE0="; -@@ -51,10 +48,7 @@ key "sha512" { - algorithm hmac-sha512; - }; - --key "md5-trunc" { -- secret "97rnFx24Tfna4mHPfgnerA=="; -- algorithm hmac-md5-80; --}; -+# md5-trunc key appended by setup.sh at the end - - key "sha1-trunc" { - secret "FrSt77yPTFx6hTs4i2tKLB9LmE0="; -diff --git a/bin/tests/system/tsig/ns1/rndc5.conf.in b/bin/tests/system/tsig/ns1/rndc5.conf.in -new file mode 100644 -index 0000000000..4117830adb ---- /dev/null -+++ b/bin/tests/system/tsig/ns1/rndc5.conf.in -@@ -0,0 +1,11 @@ -+ -+key "md5" { -+ secret "97rnFx24Tfna4mHPfgnerA=="; -+ algorithm hmac-md5; -+}; -+ -+key "md5-trunc" { -+ 
secret "97rnFx24Tfna4mHPfgnerA=="; -+ algorithm hmac-md5-80; -+}; -+ -diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh -index 656e9bbcd8..628c5bbac1 100644 ---- a/bin/tests/system/tsig/setup.sh -+++ b/bin/tests/system/tsig/setup.sh -@@ -17,3 +17,7 @@ $SHELL clean.sh - copy_setports ns1/named.conf.in ns1/named.conf - - test -r $RANDFILE || $GENRANDOM 400 $RANDFILE -+if $FEATURETEST --md5 -+then -+ cat ns1/rndc5.conf.in >> ns1/named.conf -+fi -diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh -index f731fa604c..cade35bc1d 100644 ---- a/bin/tests/system/tsig/tests.sh -+++ b/bin/tests/system/tsig/tests.sh -@@ -26,20 +26,25 @@ sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f - - status=0 - --echo_i "fetching using hmac-md5 (old form)" --ret=0 --$DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1 --grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1 --if [ $ret -eq 1 ] ; then -- echo_i "failed"; status=1 --fi -- --echo_i "fetching using hmac-md5 (new form)" --ret=0 --$DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1 --grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1 --if [ $ret -eq 1 ] ; then -- echo_i "failed"; status=1 -+if $FEATURETEST --md5 -+then -+ echo_i "fetching using hmac-md5 (old form)" -+ ret=0 -+ $DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1 -+ grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1 -+ if [ $ret -eq 1 ] ; then -+ echo_i "failed"; status=1 -+ fi -+ -+ echo_i "fetching using hmac-md5 (new form)" -+ ret=0 -+ $DIG $DIGOPTS example.nil. 
-y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1 -+ grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1 -+ if [ $ret -eq 1 ] ; then -+ echo_i "failed"; status=1 -+ fi -+else -+ echo_i "skipping using hmac-md5" - fi - - echo_i "fetching using hmac-sha1" -@@ -87,12 +92,17 @@ fi - # Truncated TSIG - # - # --echo_i "fetching using hmac-md5 (trunc)" --ret=0 --$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1 --grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1 --if [ $ret -eq 1 ] ; then -- echo_i "failed"; status=1 -+if $FEATURETEST --md5 -+then -+ echo_i "fetching using hmac-md5 (trunc)" -+ ret=0 -+ $DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1 -+ grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1 -+ if [ $ret -eq 1 ] ; then -+ echo_i "failed"; status=1 -+ fi -+else -+ echo_i "skipping using hmac-md5 (trunc)" - fi - - echo_i "fetching using hmac-sha1 (trunc)" -@@ -141,12 +151,17 @@ fi - # Check for bad truncation. - # - # --echo_i "fetching using hmac-md5-80 (BADTRUNC)" --ret=0 --$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1 --grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1 --if [ $ret -eq 1 ] ; then -- echo_i "failed"; status=1 -+if $FEATURETEST --md5 -+then -+ echo_i "fetching using hmac-md5-80 (BADTRUNC)" -+ ret=0 -+ $DIG $DIGOPTS example.nil. 
-y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1 -+ grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1 -+ if [ $ret -eq 1 ] ; then -+ echo_i "failed"; status=1 -+ fi -+else -+ echo_i "skipping using hmac-md5-80 (BADTRUNC)" - fi - - echo_i "fetching using hmac-sha1-80 (BADTRUNC)" -diff --git a/bin/tests/system/tsiggss/setup.sh b/bin/tests/system/tsiggss/setup.sh -index 5da33cfde0..fb108b02bd 100644 ---- a/bin/tests/system/tsiggss/setup.sh -+++ b/bin/tests/system/tsiggss/setup.sh -@@ -18,5 +18,5 @@ test -r $RANDFILE || $GENRANDOM 400 $RANDFILE - - copy_setports ns1/named.conf.in ns1/named.conf - --key=`$KEYGEN -Cq -K ns1 -a DSA -b 512 -r $RANDFILE -n HOST -T KEY key.example.nil.` -+key=`$KEYGEN -Cq -K ns1 -a DSA -b 1024 -r $RANDFILE -n HOST -T KEY key.example.nil.` - cat ns1/example.nil.db.in ns1/${key}.key > ns1/example.nil.db -diff --git a/bin/tests/system/upforwd/ns1/named.conf.in b/bin/tests/system/upforwd/ns1/named.conf.in -index e0a30cda15..6a77b1ce52 100644 ---- a/bin/tests/system/upforwd/ns1/named.conf.in -+++ b/bin/tests/system/upforwd/ns1/named.conf.in -@@ -10,7 +10,7 @@ - */ - - key "update.example." { -- algorithm "hmac-md5"; -+ algorithm "hmac-sha256"; - secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K"; - }; - -diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh -index b0694bbd5c..9adae8228e 100644 ---- a/bin/tests/system/upforwd/tests.sh -+++ b/bin/tests/system/upforwd/tests.sh -@@ -68,7 +68,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi - - echo_i "updating zone (signed) ($n)" - ret=0 --$NSUPDATE -y update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - < -Date: Tue, 25 Sep 2018 18:08:46 +0200 -Subject: [PATCH] Disable IDN from environment as documented - -Manual page of host contained instructions to disable IDN processing -when it was built with libidn2. 
When refactoring IDN support however, -support for disabling IDN in host and nslookup was lost. Use also -environment variable and document it for nslookup, host and dig. - -Support variable CHARSET=ASCII to disable IDN, supported in downstream -RH patch since RHEL 5. ---- - bin/dig/dig.docbook | 4 +++- - bin/dig/dighost.c | 9 +++++++-- - bin/dig/host.docbook | 2 +- - bin/dig/nslookup.docbook | 15 +++++++++++++++ - 4 files changed, 26 insertions(+), 4 deletions(-) - -diff --git a/bin/dig/dig.docbook b/bin/dig/dig.docbook -index fedd288..d5dba72 100644 ---- a/bin/dig/dig.docbook -+++ b/bin/dig/dig.docbook -@@ -1288,7 +1288,9 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr - reply from the server. - If you'd like to turn off the IDN support for some reason, use - parameters +noidnin and -- +noidnout. -+ +noidnout or define -+ the IDN_DISABLE environment variable. -+ - - - -diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c -index 7408193..d46379d 100644 ---- a/bin/dig/dighost.c -+++ b/bin/dig/dighost.c -@@ -822,12 +822,17 @@ make_empty_lookup(void) { - looknew->seenbadcookie = ISC_FALSE; - looknew->badcookie = ISC_TRUE; - #ifdef WITH_IDN_SUPPORT -- looknew->idnin = ISC_TRUE; -+ looknew->idnin = (getenv("IDN_DISABLE") == NULL); -+ if (looknew->idnin) { -+ const char *charset = getenv("CHARSET"); -+ if (charset && !strcmp(charset, "ASCII")) -+ looknew->idnin = ISC_FALSE; -+ } - #else - looknew->idnin = ISC_FALSE; - #endif - #ifdef WITH_IDN_OUT_SUPPORT -- looknew->idnout = ISC_TRUE; -+ looknew->idnout = looknew->idnin; - #else - looknew->idnout = ISC_FALSE; - #endif -diff --git a/bin/dig/host.docbook b/bin/dig/host.docbook -index 9c3aeaa..42cbbf9 100644 ---- a/bin/dig/host.docbook -+++ b/bin/dig/host.docbook -@@ -378,7 +378,7 @@ - host appropriately converts character encoding of - domain name before sending a request to DNS server or displaying a - reply from the server. 
-- If you'd like to turn off the IDN support for some reason, defines -+ If you'd like to turn off the IDN support for some reason, define - the IDN_DISABLE environment variable. - The IDN support is disabled if the variable is set when - host runs. -diff --git a/bin/dig/nslookup.docbook b/bin/dig/nslookup.docbook -index 3aff4e9..86a09c6 100644 ---- a/bin/dig/nslookup.docbook -+++ b/bin/dig/nslookup.docbook -@@ -478,6 +478,21 @@ nslookup -query=hinfo -timeout=10 - - - -+ IDN SUPPORT -+ -+ -+ If nslookup has been built with IDN (internationalized -+ domain name) support, it can accept and display non-ASCII domain names. -+ nslookup appropriately converts character encoding of -+ domain name before sending a request to DNS server or displaying a -+ reply from the server. -+ If you'd like to turn off the IDN support for some reason, define -+ the IDN_DISABLE environment variable. -+ The IDN support is disabled if the variable is set when -+ nslookup runs. -+ -+ -+ - FILES - - /etc/resolv.conf --- -2.14.4 - diff --git a/bind-9.11-kyua-pkcs11.patch b/bind-9.11-kyua-pkcs11.patch deleted file mode 100644 index ab2182844c1a08811e04ac896240865ca12c99d0..0000000000000000000000000000000000000000 --- a/bind-9.11-kyua-pkcs11.patch +++ /dev/null 
@@ -1,206 +0,0 @@ -From d0433a314534e104f52acf2a0a96a68dd84305ae Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= -Date: Tue, 2 Jan 2018 18:13:07 +0100 -Subject: [PATCH] Fix pkcs11 variants atf tests - -Add dns-pkcs11 tests Makefile to configure - -Add pkcs11 Kyuafile, fix dh_test to pass in pkcs11 mode ---- - configure.in | 1 + - lib/Atffile | 2 ++ - lib/Kyuafile | 2 ++ - lib/dns-pkcs11/tests/Makefile.in | 10 +++++----- - lib/dns-pkcs11/tests/dh_test.c | 3 ++- - lib/isc-pkcs11/tests/Makefile.in | 6 +++--- - lib/isc-pkcs11/tests/hash_test.c | 32 +++++++++++++++++++++++++------- - 7 files changed, 40 insertions(+), 16 deletions(-) - -diff --git a/configure.in b/configure.in -index 67b3aab..4767eeb 100644 ---- a/configure.in -+++ b/configure.in -@@ -5579,6 +5579,7 @@ AC_CONFIG_FILES([ - lib/dns-pkcs11/include/Makefile - lib/dns-pkcs11/include/dns/Makefile - lib/dns-pkcs11/include/dst/Makefile -+ lib/dns-pkcs11/tests/Makefile - lib/irs/Makefile - lib/irs/include/Makefile - lib/irs/include/irs/Makefile -diff --git a/lib/Atffile b/lib/Atffile -index 93bbb01..4db3dce 100644 ---- a/lib/Atffile -+++ b/lib/Atffile -@@ -3,7 +3,9 @@ Content-Type: application/X-atf-atffile; version="1" - prop: test-suite = bind9 - - tp: dns -+tp: dns-pkcs11 - tp: irs - tp: isc -+tp: isc-pkcs11 - tp: isccfg - tp: lwres -diff --git a/lib/Kyuafile b/lib/Kyuafile -index ff9fc56..eaaf0dc 100644 ---- a/lib/Kyuafile -+++ b/lib/Kyuafile -@@ -2,7 +2,9 @@ syntax(2) - test_suite('bind9') - - include('dns/Kyuafile') -+include('dns-pkcs11/Kyuafile') - include('irs/Kyuafile') - include('isc/Kyuafile') -+include('isc-pkcs11/Kyuafile') - include('isccfg/Kyuafile') - include('lwres/Kyuafile') -diff --git a/lib/dns-pkcs11/tests/Makefile.in b/lib/dns-pkcs11/tests/Makefile.in -index 2a6571b..f25a784 100644 ---- a/lib/dns-pkcs11/tests/Makefile.in -+++ b/lib/dns-pkcs11/tests/Makefile.in -@@ -20,12 +20,12 @@ VERSION=@BIND9_VERSION@ - - CINCLUDES = -I. 
-Iinclude ${DNS_INCLUDES} ${ISC_INCLUDES} \ - @DST_OPENSSL_INC@ --CDEFINES = @CRYPTO@ -DTESTS="\"${top_builddir}/lib/dns/tests/\"" -+CDEFINES = @CRYPTO@ -DTESTS="\"${top_builddir}/lib/dns-pkcs11/tests/\"" - --ISCLIBS = ../../isc/libisc.@A@ --ISCDEPLIBS = ../../isc/libisc.@A@ --DNSLIBS = ../libdns.@A@ @DNS_CRYPTO_LIBS@ --DNSDEPLIBS = ../libdns.@A@ -+ISCLIBS = ../../isc-pkcs11/libisc-pkcs11.@A@ -+ISCDEPLIBS = ../../isc-pkcs11/libisc-pkcs11.@A@ -+DNSLIBS = ../libdns-pkcs11.@A@ @DNS_CRYPTO_LIBS@ -+DNSDEPLIBS = ../libdns-pkcs11.@A@ - - LIBS = @LIBS@ @ATFLIBS@ - -diff --git a/lib/dns-pkcs11/tests/dh_test.c b/lib/dns-pkcs11/tests/dh_test.c -index 036d27a..eb6554f 100644 ---- a/lib/dns-pkcs11/tests/dh_test.c -+++ b/lib/dns-pkcs11/tests/dh_test.c -@@ -63,7 +63,8 @@ ATF_TC_BODY(isc_dh_computesecret, tc) { - ret = dst_key_computesecret(key, key, &buf); - ATF_REQUIRE_EQ(ret, DST_R_NOTPRIVATEKEY); - ret = key->func->computesecret(key, key, &buf); -- ATF_REQUIRE_EQ(ret, DST_R_COMPUTESECRETFAILURE); -+ /* PKCS11 variant gives different result, accept both */ -+ ATF_REQUIRE(ret == DST_R_COMPUTESECRETFAILURE || ret == DST_R_INVALIDPRIVATEKEY); - - dst_key_free(&key); - dns_test_end(); -diff --git a/lib/isc-pkcs11/tests/Makefile.in b/lib/isc-pkcs11/tests/Makefile.in -index f7fa538..818dae4 100644 ---- a/lib/isc-pkcs11/tests/Makefile.in -+++ b/lib/isc-pkcs11/tests/Makefile.in -@@ -17,10 +17,10 @@ VERSION=@BIND9_VERSION@ - @BIND9_MAKE_INCLUDES@ - - CINCLUDES = -I. 
-Iinclude ${ISC_INCLUDES} @ISC_OPENSSL_INC@ --CDEFINES = @CRYPTO@ -DTESTS="\"${top_builddir}/lib/isc/tests/\"" -+CDEFINES = @CRYPTO@ -DTESTS="\"${top_builddir}/lib/isc-pkcs11/tests/\"" - --ISCLIBS = ../libisc.@A@ @ISC_OPENSSL_LIBS@ --ISCDEPLIBS = ../libisc.@A@ -+ISCLIBS = ../libisc-pkcs11.@A@ @ISC_OPENSSL_LIBS@ -+ISCDEPLIBS = ../libisc-pkcs11.@A@ - - LIBS = @LIBS@ @ATFLIBS@ - -diff --git a/lib/isc-pkcs11/tests/hash_test.c b/lib/isc-pkcs11/tests/hash_test.c -index 5b8a374..c1891c2 100644 ---- a/lib/isc-pkcs11/tests/hash_test.c -+++ b/lib/isc-pkcs11/tests/hash_test.c -@@ -74,7 +74,7 @@ typedef struct hash_testcase { - - typedef struct hash_test_key { - const char *key; -- const int len; -+ const unsigned len; - } hash_test_key_t; - - /* non-hmac tests */ -@@ -957,8 +957,11 @@ ATF_TC_BODY(isc_hmacsha1, tc) { - hash_test_key_t *test_key = test_keys; - - while (testcase->input != NULL && testcase->result != NULL) { -+ int len = ISC_MAX(test_key->len, ISC_SHA1_DIGESTLENGTH); -+ -+ memset(buffer, 0, ISC_SHA1_DIGESTLENGTH); - memmove(buffer, test_key->key, test_key->len); -- isc_hmacsha1_init(&hmacsha1, buffer, test_key->len); -+ isc_hmacsha1_init(&hmacsha1, buffer, len); - isc_hmacsha1_update(&hmacsha1, - (const isc_uint8_t *) testcase->input, - testcase->input_len); -@@ -1120,8 +1123,11 @@ ATF_TC_BODY(isc_hmacsha224, tc) { - hash_test_key_t *test_key = test_keys; - - while (testcase->input != NULL && testcase->result != NULL) { -+ int len = ISC_MAX(test_key->len, ISC_SHA224_DIGESTLENGTH); -+ -+ memset(buffer, 0, ISC_SHA224_DIGESTLENGTH); - memmove(buffer, test_key->key, test_key->len); -- isc_hmacsha224_init(&hmacsha224, buffer, test_key->len); -+ isc_hmacsha224_init(&hmacsha224, buffer, len); - isc_hmacsha224_update(&hmacsha224, - (const isc_uint8_t *) testcase->input, - testcase->input_len); -@@ -1283,8 +1289,11 @@ ATF_TC_BODY(isc_hmacsha256, tc) { - hash_test_key_t *test_key = test_keys; - - while (testcase->input != NULL && testcase->result != NULL) { -+ int len = 
ISC_MAX(test_key->len, ISC_SHA256_DIGESTLENGTH); -+ -+ memset(buffer, 0, ISC_SHA256_DIGESTLENGTH); - memmove(buffer, test_key->key, test_key->len); -- isc_hmacsha256_init(&hmacsha256, buffer, test_key->len); -+ isc_hmacsha256_init(&hmacsha256, buffer, len); - isc_hmacsha256_update(&hmacsha256, - (const isc_uint8_t *) testcase->input, - testcase->input_len); -@@ -1452,8 +1461,11 @@ ATF_TC_BODY(isc_hmacsha384, tc) { - hash_test_key_t *test_key = test_keys; - - while (testcase->input != NULL && testcase->result != NULL) { -+ int len = ISC_MAX(test_key->len, ISC_SHA384_DIGESTLENGTH); -+ -+ memset(buffer, 0, ISC_SHA384_DIGESTLENGTH); - memmove(buffer, test_key->key, test_key->len); -- isc_hmacsha384_init(&hmacsha384, buffer, test_key->len); -+ isc_hmacsha384_init(&hmacsha384, buffer, len); - isc_hmacsha384_update(&hmacsha384, - (const isc_uint8_t *) testcase->input, - testcase->input_len); -@@ -1621,8 +1633,11 @@ ATF_TC_BODY(isc_hmacsha512, tc) { - hash_test_key_t *test_key = test_keys; - - while (testcase->input != NULL && testcase->result != NULL) { -+ int len = ISC_MAX(test_key->len, ISC_SHA512_DIGESTLENGTH); -+ -+ memset(buffer, 0, ISC_SHA512_DIGESTLENGTH); - memmove(buffer, test_key->key, test_key->len); -- isc_hmacsha512_init(&hmacsha512, buffer, test_key->len); -+ isc_hmacsha512_init(&hmacsha512, buffer, len); - isc_hmacsha512_update(&hmacsha512, - (const isc_uint8_t *) testcase->input, - testcase->input_len); -@@ -1765,8 +1780,11 @@ ATF_TC_BODY(isc_hmacmd5, tc) { - hash_test_key_t *test_key = test_keys; - - while (testcase->input != NULL && testcase->result != NULL) { -+ int len = ISC_MAX(test_key->len, ISC_MD5_DIGESTLENGTH); -+ -+ memset(buffer, 0, ISC_MD5_DIGESTLENGTH); - memmove(buffer, test_key->key, test_key->len); -- isc_hmacmd5_init(&hmacmd5, buffer, test_key->len); -+ isc_hmacmd5_init(&hmacmd5, buffer, len); - isc_hmacmd5_update(&hmacmd5, - (const isc_uint8_t *) testcase->input, - testcase->input_len); --- -2.14.3 - 
diff --git a/bind-9.11-oot-manual.patch b/bind-9.11-oot-manual.patch deleted file mode 100644 index b090b9f04b12c8e9dcf78da81974ac51d8b8fe6b..0000000000000000000000000000000000000000 --- a/bind-9.11-oot-manual.patch +++ /dev/null 
@@ -1,256 +0,0 @@ -From e462d022a9dc52c40aece6f8ba3123ff3ffa59ed Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= -Date: Wed, 25 Jul 2018 12:24:16 +0200 -Subject: [PATCH] Use make automatic variables to install updated manuals - -Make will choose modified manual from build directory or original from source -directory automagically. Take advantage of install tool feature. -Install all files in single command instead of iterating on each of them. ---- - bin/check/Makefile.in | 8 +++++--- - bin/confgen/Makefile.in | 9 +++++---- - bin/delv/Makefile.in | 6 ++++-- - bin/dig/Makefile.in | 8 ++++---- - bin/dnssec/Makefile.in | 6 ++++-- - bin/named/Makefile.in | 13 +++++++++---- - bin/pkcs11/Makefile.in | 9 ++++----- - bin/python/Makefile.in | 8 ++++---- - bin/tools/Makefile.in | 25 +++++++++++++++---------- - 9 files changed, 54 insertions(+), 38 deletions(-) - -diff --git a/bin/check/Makefile.in b/bin/check/Makefile.in -index 12f48d2d23..d8eac4c714 100644 ---- a/bin/check/Makefile.in -+++ b/bin/check/Makefile.in -@@ -83,12 +83,14 @@ installdirs: - $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir} - $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8 - --install:: named-checkconf@EXEEXT@ named-checkzone@EXEEXT@ installdirs -+install-man8: ${MANPAGES} -+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8 -+ (cd ${DESTDIR}${mandir}/man8; rm -f named-compilezone.8; ${LINK_PROGRAM} named-checkzone.8 named-compilezone.8) -+ -+install:: named-checkconf@EXEEXT@ named-checkzone@EXEEXT@ installdirs install-man8 - ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkconf@EXEEXT@ ${DESTDIR}${sbindir} - ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkzone@EXEEXT@ ${DESTDIR}${sbindir} - (cd ${DESTDIR}${sbindir}; rm -f named-compilezone@EXEEXT@; ${LINK_PROGRAM} named-checkzone@EXEEXT@ named-compilezone@EXEEXT@) -- for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8; done -- (cd ${DESTDIR}${mandir}/man8; rm -f 
named-compilezone.8; ${LINK_PROGRAM} named-checkzone.8 named-compilezone.8) - - uninstall:: - rm -f ${DESTDIR}${mandir}/man8/named-compilezone.8 -diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in -index 87f13dda4b..7865c0c73e 100644 ---- a/bin/confgen/Makefile.in -+++ b/bin/confgen/Makefile.in -@@ -95,13 +95,14 @@ installdirs: - $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir} - $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8 - --install:: rndc-confgen@EXEEXT@ ddns-confgen@EXEEXT@ installdirs -+install-man8: rndc-confgen.8 ddns-confgen.8 -+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8 -+ (cd ${DESTDIR}${mandir}/man8; rm -f tsig-keygen.8; ${LINK_PROGRAM} ddns-confgen.8 tsig-keygen.8) -+ -+install:: rndc-confgen@EXEEXT@ ddns-confgen@EXEEXT@ installdirs install-man8 - ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} rndc-confgen@EXEEXT@ ${DESTDIR}${sbindir} - ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} ddns-confgen@EXEEXT@ ${DESTDIR}${sbindir} -- ${INSTALL_DATA} ${srcdir}/rndc-confgen.8 ${DESTDIR}${mandir}/man8 -- ${INSTALL_DATA} ${srcdir}/ddns-confgen.8 ${DESTDIR}${mandir}/man8 - (cd ${DESTDIR}${sbindir}; rm -f tsig-keygen@EXEEXT@; ${LINK_PROGRAM} ddns-confgen@EXEEXT@ tsig-keygen@EXEEXT@) -- (cd ${DESTDIR}${mandir}/man8; rm -f tsig-keygen.8; ${LINK_PROGRAM} ddns-confgen.8 tsig-keygen.8) - - uninstall:: - rm -f ${DESTDIR}${mandir}/man8/tsig-keygen.8 -diff --git a/bin/delv/Makefile.in b/bin/delv/Makefile.in -index e2d2802262..19361a83ea 100644 ---- a/bin/delv/Makefile.in -+++ b/bin/delv/Makefile.in -@@ -63,10 +63,12 @@ installdirs: - $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir} - $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1 - --install:: delv@EXEEXT@ installdirs -+install-man1: delv.1 -+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man1 -+ -+install:: delv@EXEEXT@ installdirs install-man1 - ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \ - delv@EXEEXT@ ${DESTDIR}${bindir} -- ${INSTALL_DATA} ${srcdir}/delv.1 
${DESTDIR}${mandir}/man1 - - uninstall:: - rm -f ${DESTDIR}${mandir}/man1/delv.1 -diff --git a/bin/dig/Makefile.in b/bin/dig/Makefile.in -index 773ac46395..3edd951e7e 100644 ---- a/bin/dig/Makefile.in -+++ b/bin/dig/Makefile.in -@@ -91,16 +91,16 @@ installdirs: - $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir} - $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1 - --install:: dig@EXEEXT@ host@EXEEXT@ nslookup@EXEEXT@ installdirs -+install-man1: ${MANPAGES} -+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man1 -+ -+install:: dig@EXEEXT@ host@EXEEXT@ nslookup@EXEEXT@ installdirs install-man1 - ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \ - dig@EXEEXT@ ${DESTDIR}${bindir} - ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \ - host@EXEEXT@ ${DESTDIR}${bindir} - ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \ - nslookup@EXEEXT@ ${DESTDIR}${bindir} -- for m in ${MANPAGES}; do \ -- ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man1; \ -- done - - uninstall:: - for m in ${MANPAGES}; do \ -diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in -index 1be1d5ffc6..1d0c4ce5c1 100644 ---- a/bin/dnssec/Makefile.in -+++ b/bin/dnssec/Makefile.in -@@ -110,9 +110,11 @@ installdirs: - $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir} - $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8 - --install:: ${TARGETS} installdirs -+install-man8: ${MANPAGES} -+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8 -+ -+install:: ${TARGETS} installdirs install-man8 - for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir}; done -- for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8; done - - uninstall:: - for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m ; done -diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in -index 1c413973d0..03e4cb849b 100644 ---- a/bin/named/Makefile.in -+++ b/bin/named/Makefile.in -@@ -172,12 +172,17 @@ installdirs: - $(SHELL) ${top_srcdir}/mkinstalldirs 
${DESTDIR}${mandir}/man5 - $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8 - --install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs -+install-man5: named.conf.5 -+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man5 -+ -+install-man8: named.8 lwresd.8 -+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8 -+ -+install-man: install-man5 install-man8 -+ -+install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs install-man - ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir} - (cd ${DESTDIR}${sbindir}; rm -f lwresd@EXEEXT@; @LN@ named@EXEEXT@ lwresd@EXEEXT@) -- ${INSTALL_DATA} ${srcdir}/named.8 ${DESTDIR}${mandir}/man8 -- ${INSTALL_DATA} ${srcdir}/lwresd.8 ${DESTDIR}${mandir}/man8 -- ${INSTALL_DATA} ${srcdir}/named.conf.5 ${DESTDIR}${mandir}/man5 - - uninstall:: - rm -f ${DESTDIR}${mandir}/man5/named.conf.5 -diff --git a/bin/pkcs11/Makefile.in b/bin/pkcs11/Makefile.in -index ae9061626c..a058c91214 100644 ---- a/bin/pkcs11/Makefile.in -+++ b/bin/pkcs11/Makefile.in -@@ -71,7 +71,10 @@ installdirs: - $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir} - $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8 - --install:: ${TARGETS} installdirs -+install-man8: ${MANPAGES} -+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8 -+ -+install:: ${TARGETS} installdirs install-man8 - ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} pkcs11-list@EXEEXT@ \ - ${DESTDIR}${sbindir} - ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} pkcs11-destroy@EXEEXT@ \ -@@ -80,10 +83,6 @@ install:: ${TARGETS} installdirs - ${DESTDIR}${sbindir} - ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} pkcs11-tokens@EXEEXT@ \ - ${DESTDIR}${sbindir} -- ${INSTALL_DATA} ${srcdir}/pkcs11-list.8 ${DESTDIR}${mandir}/man8 -- ${INSTALL_DATA} ${srcdir}/pkcs11-destroy.8 ${DESTDIR}${mandir}/man8 -- ${INSTALL_DATA} ${srcdir}/pkcs11-keygen.8 ${DESTDIR}${mandir}/man8 -- ${INSTALL_DATA} ${srcdir}/pkcs11-tokens.8 ${DESTDIR}${mandir}/man8 - - uninstall:: - rm -f ${DESTDIR}${mandir}/man8/pkcs11-tokens.8 -diff --git 
a/bin/python/Makefile.in b/bin/python/Makefile.in -index aa678d47ab..064c404e2f 100644 ---- a/bin/python/Makefile.in -+++ b/bin/python/Makefile.in -@@ -47,13 +47,13 @@ installdirs: - $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir} - $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8 - --install:: ${TARGETS} installdirs -+install-man8: ${MANPAGES} -+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8 -+ -+install:: ${TARGETS} installdirs install-man8 - ${INSTALL_SCRIPT} dnssec-checkds ${DESTDIR}${sbindir} - ${INSTALL_SCRIPT} dnssec-coverage ${DESTDIR}${sbindir} - ${INSTALL_SCRIPT} dnssec-keymgr ${DESTDIR}${sbindir} -- ${INSTALL_DATA} ${srcdir}/dnssec-checkds.8 ${DESTDIR}${mandir}/man8 -- ${INSTALL_DATA} ${srcdir}/dnssec-coverage.8 ${DESTDIR}${mandir}/man8 -- ${INSTALL_DATA} ${srcdir}/dnssec-keymgr.8 ${DESTDIR}${mandir}/man8 - if test -n "${PYTHON}" ; then \ - if test -n "${DESTDIR}" ; then \ - ${PYTHON} ${srcdir}/setup.py install --root=${DESTDIR} --prefix=${prefix} @PYTHON_INSTALL_LIB@ ; \ -diff --git a/bin/tools/Makefile.in b/bin/tools/Makefile.in -index 7bf2af4cea..c395bc7462 100644 ---- a/bin/tools/Makefile.in -+++ b/bin/tools/Makefile.in -@@ -119,17 +119,27 @@ installdirs: - $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1 - $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8 - --nzd: -+nzd-man: named-nzd2nzf.8 -+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8 -+ -+nzd: nzd-man - ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-nzd2nzf@EXEEXT@ \ - ${DESTDIR}${sbindir} -- ${INSTALL_DATA} ${srcdir}/named-nzd2nzf.8 ${DESTDIR}${mandir}/man8 - --dnstap: -+dnstap-man: dnstap-read.1 -+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man1 -+ -+dnstap: dnstap-man - ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} dnstap-read@EXEEXT@ \ - ${DESTDIR}${bindir} -- ${INSTALL_DATA} ${srcdir}/dnstap-read.1 ${DESTDIR}${mandir}/man1 - --install:: ${TARGETS} installdirs @DNSTAP@ @NZD_TOOLS@ -+install-man1: arpaname.1 named-rrchecker.1 mdig.1 -+ ${INSTALL_DATA} 
$^ ${DESTDIR}${mandir}/man1 -+ -+install-man8: named-journalprint.8 nsec3hash.8 -+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8 -+ -+install:: ${TARGETS} installdirs @DNSTAP@ @NZD_TOOLS@ install-man1 install-man8 - ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} arpaname@EXEEXT@ \ - ${DESTDIR}${bindir} - ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-journalprint@EXEEXT@ \ -@@ -144,13 +154,8 @@ install:: ${TARGETS} installdirs @DNSTAP@ @NZD_TOOLS@ - ${DESTDIR}${sbindir} - ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} mdig@EXEEXT@ \ - ${DESTDIR}${bindir} -- ${INSTALL_DATA} ${srcdir}/arpaname.1 ${DESTDIR}${mandir}/man1 - ${INSTALL_DATA} ${srcdir}/isc-hmac-fixup.8 ${DESTDIR}${mandir}/man8 -- ${INSTALL_DATA} ${srcdir}/named-journalprint.8 ${DESTDIR}${mandir}/man8 -- ${INSTALL_DATA} ${srcdir}/named-rrchecker.1 ${DESTDIR}${mandir}/man1 -- ${INSTALL_DATA} ${srcdir}/nsec3hash.8 ${DESTDIR}${mandir}/man8 - ${INSTALL_DATA} ${srcdir}/genrandom.8 ${DESTDIR}${mandir}/man8 -- ${INSTALL_DATA} ${srcdir}/mdig.1 ${DESTDIR}${mandir}/man1 - - uninstall:: - rm -f ${DESTDIR}${mandir}/man1/mdig.1 --- -2.14.4 - diff --git a/bind-9.11-pk11.patch b/bind-9.11-pk11.patch deleted file mode 100644 index d80231495888fd7f92cbc0bd316238572cc15132..0000000000000000000000000000000000000000 --- a/bind-9.11-pk11.patch +++ /dev/null @@ -1,27 +0,0 @@ -diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h -index 640519a..fc40472 100644 ---- a/lib/dns/dst_internal.h -+++ b/lib/dns/dst_internal.h -@@ -59,6 +59,9 @@ - #include - #include - #endif -+#if PKCS11CRYPTO -+#include -+#endif - - ISC_LANG_BEGINDECLS - -diff --git a/lib/isc/include/pk11/internal.h b/lib/isc/include/pk11/internal.h -index aa8907a..603712a 100644 ---- a/lib/isc/include/pk11/internal.h -+++ b/lib/isc/include/pk11/internal.h -@@ -13,6 +13,8 @@ - #ifndef PK11_INTERNAL_H - #define PK11_INTERNAL_H 1 - -+#include -+ - /*! \file pk11/internal.h */ - - ISC_LANG_BEGINDECLS 
diff --git a/bind-9.11-rh1205168.patch b/bind-9.11-rh1205168.patch deleted file mode 100644 index 181cec9f32d103b38303b8dc99c8825eb7181b43..0000000000000000000000000000000000000000 --- a/bind-9.11-rh1205168.patch +++ /dev/null 
@@ -1,120 +0,0 @@ -From 90416594843a56550e40b11561807786219ce1c4 Mon Sep 17 00:00:00 2001 -From: Evan Hunt -Date: Mon, 11 Sep 2017 15:01:36 -0700 -Subject: [PATCH] remap getaddrinfo() to irs_getgetaddrinfo() - -The libirs version of getaddrinfo() cannot be called from within BIND9. - -fix prototypes ---- - lib/irs/include/irs/netdb.h.in | 94 ++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 94 insertions(+) - -diff --git a/lib/irs/include/irs/netdb.h.in b/lib/irs/include/irs/netdb.h.in -index 23dcd37..f36113d 100644 ---- a/lib/irs/include/irs/netdb.h.in -+++ b/lib/irs/include/irs/netdb.h.in -@@ -150,6 +150,100 @@ struct addrinfo { - #define NI_DGRAM 0x00000010 - - /* -+ * Define to map into irs_ namespace. -+ */ -+ -+#define IRS_NAMESPACE -+ -+#ifdef IRS_NAMESPACE -+ -+/* -+ * Use our versions not the ones from the C library. -+ */ -+ -+#ifdef getnameinfo -+#undef getnameinfo -+#endif -+#define getnameinfo irs_getnameinfo -+ -+#ifdef getaddrinfo -+#undef getaddrinfo -+#endif -+#define getaddrinfo irs_getaddrinfo -+ -+#ifdef freeaddrinfo -+#undef freeaddrinfo -+#endif -+#define freeaddrinfo irs_freeaddrinfo -+ -+#ifdef gai_strerror -+#undef gai_strerror -+#endif -+#define gai_strerror irs_gai_strerror -+ -+#endif -+ -+extern int getaddrinfo (const char *name, -+ const char *service, -+ const struct addrinfo *req, -+ struct addrinfo **pai); -+extern int getnameinfo (const struct sockaddr *sa, -+ socklen_t salen, char *host, -+ socklen_t hostlen, char *serv, -+ socklen_t servlen, int flags); -+extern void freeaddrinfo (struct addrinfo *ai); -+extern const char *gai_strerror (int ecode); -+ -+/* -+ * Define to map into irs_ namespace. -+ */ -+ -+#define IRS_NAMESPACE -+ -+#ifdef IRS_NAMESPACE -+ -+/* -+ * Use our versions not the ones from the C library. 
-+ */ -+ -+#ifdef getnameinfo -+#undef getnameinfo -+#endif -+#define getnameinfo irs_getnameinfo -+ -+#ifdef getaddrinfo -+#undef getaddrinfo -+#endif -+#define getaddrinfo irs_getaddrinfo -+ -+#ifdef freeaddrinfo -+#undef freeaddrinfo -+#endif -+#define freeaddrinfo irs_freeaddrinfo -+ -+#ifdef gai_strerror -+#undef gai_strerror -+#endif -+#define gai_strerror irs_gai_strerror -+ -+int -+getaddrinfo(const char *hostname, const char *servname, -+ const struct addrinfo *hints, struct addrinfo **res); -+ -+int -+getnameinfo(const struct sockaddr *sa, IRS_GETNAMEINFO_SOCKLEN_T salen, -+ char *host, IRS_GETNAMEINFO_BUFLEN_T hostlen, -+ char *serv, IRS_GETNAMEINFO_BUFLEN_T servlen, -+ IRS_GETNAMEINFO_FLAGS_T flags); -+ -+void freeaddrinfo (struct addrinfo *ai); -+ -+IRS_GAISTRERROR_RETURN_T -+gai_strerror(int ecode); -+ -+#endif -+ -+/* - * Tell Emacs to use C mode on this file. - * Local variables: - * mode: c --- -2.9.5 - diff --git a/bind-9.11-rh1410433.patch b/bind-9.11-rh1410433.patch deleted file mode 100644 index b7fdc48073963120252da76cf31e8bdd878cdb55..0000000000000000000000000000000000000000 --- a/bind-9.11-rh1410433.patch +++ /dev/null @@ -1,14 +0,0 @@ -diff --git a/lib/dns/dyndb.c b/lib/dns/dyndb.c -index 0ce5e42..556d920 100644 ---- a/lib/dns/dyndb.c -+++ b/lib/dns/dyndb.c -@@ -130,9 +130,6 @@ load_library(isc_mem_t *mctx, const char *filename, const char *instname, - instname, filename); - - flags = RTLD_NOW|RTLD_LOCAL; --#ifdef RTLD_DEEPBIND -- flags |= RTLD_DEEPBIND; --#endif - - handle = dlopen(filename, flags); - if (handle == NULL) diff --git a/bind-9.11-rh1624100.patch b/bind-9.11-rh1624100.patch deleted file mode 100644 index 954661cf6162f9585ade48270a9ebcd48a95d64c..0000000000000000000000000000000000000000 --- a/bind-9.11-rh1624100.patch +++ /dev/null 
@@ -1,288 +0,0 @@ -From 25ff8ab2b0772262d358272a3ed70a24fc6e4887 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= -Date: Wed, 25 Apr 2018 14:04:31 +0200 -Subject: [PATCH] Replace isc_safe routines with their OpenSSL counter parts - -(cherry picked from commit 66ba2fdad583d962a1f4971c85d58381f0849e4d) - -Remove isc_safe_memcompare, it's not needed anywhere and can't be replaced with CRYPTO_memcmp() - -(cherry picked from commit b105ccee68ccc3c18e6ea530063b3c8e5a42571c) - -Fix the isc_safe_memwipe() usage with (NULL, >0) - -(cherry picked from commit 083461d3329ff6f2410745848a926090586a9846) ---- - bin/dnssec/dnssec-signzone.c | 2 +- - lib/dns/nsec3.c | 4 +-- - lib/dns/spnego.c | 4 +-- - lib/isc/Makefile.in | 8 ++--- - lib/isc/include/isc/safe.h | 18 ++++------ - lib/isc/safe.c | 81 -------------------------------------------- - lib/isc/tests/safe_test.c | 20 ----------- - 7 files changed, 13 insertions(+), 124 deletions(-) - delete mode 100644 lib/isc/safe.c - -diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c -index 53be1f5c60..351296a356 100644 ---- a/bin/dnssec/dnssec-signzone.c -+++ b/bin/dnssec/dnssec-signzone.c -@@ -786,7 +786,7 @@ hashlist_add_dns_name(hashlist_t *l, /*const*/ dns_name_t *name, - - static int - hashlist_comp(const void *a, const void *b) { -- return (isc_safe_memcompare(a, b, hash_length + 1)); -+ return (memcmp(a, b, hash_length + 1)); - } - - static void -diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c -index d364308aaf..37b6a8a7fe 100644 ---- a/lib/dns/nsec3.c -+++ b/lib/dns/nsec3.c -@@ -1950,7 +1950,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name, - * Work out what this NSEC3 covers. - * Inside (<0) or outside (>=0). - */ -- scope = isc_safe_memcompare(owner, nsec3.next, nsec3.next_length); -+ scope = memcmp(owner, nsec3.next, nsec3.next_length); - - /* - * Prepare to compute all the hashes. 
-@@ -1974,7 +1974,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name, - return (ISC_R_IGNORE); - } - -- order = isc_safe_memcompare(hash, owner, length); -+ order = memcmp(hash, owner, length); - if (first && order == 0) { - /* - * The hashes are the same. -diff --git a/lib/dns/spnego.c b/lib/dns/spnego.c -index ce3e42d650..079d4c1b4a 100644 ---- a/lib/dns/spnego.c -+++ b/lib/dns/spnego.c -@@ -369,7 +369,7 @@ gssapi_spnego_decapsulate(OM_uint32 *, - - /* mod_auth_kerb.c */ - --static int -+static isc_boolean_t - cmp_gss_type(gss_buffer_t token, gss_OID gssoid) - { - unsigned char *p; -@@ -393,7 +393,7 @@ cmp_gss_type(gss_buffer_t token, gss_OID gssoid) - if (((OM_uint32) *p++) != gssoid->length) - return (GSS_S_DEFECTIVE_TOKEN); - -- return (isc_safe_memcompare(p, gssoid->elements, gssoid->length)); -+ return (!isc_safe_memequal(p, gssoid->elements, gssoid->length)); - } - - /* accept_sec_context.c */ -diff --git a/lib/isc/Makefile.in b/lib/isc/Makefile.in -index ba53ef1091..98acffffc9 100644 ---- a/lib/isc/Makefile.in -+++ b/lib/isc/Makefile.in -@@ -60,7 +60,7 @@ OBJS = @ISC_EXTRA_OBJS@ @ISC_PK11_O@ @ISC_PK11_RESULT_O@ \ - parseint.@O@ portset.@O@ quota.@O@ radix.@O@ random.@O@ \ - ratelimiter.@O@ refcount.@O@ region.@O@ regex.@O@ result.@O@ \ - rwlock.@O@ \ -- safe.@O@ serial.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \ -+ serial.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \ - string.@O@ strtoul.@O@ symtab.@O@ task.@O@ taskpool.@O@ \ - tm.@O@ timer.@O@ version.@O@ \ - ${UNIXOBJS} ${NLSOBJS} ${THREADOBJS} -@@ -79,7 +79,7 @@ SRCS = @ISC_EXTRA_SRCS@ @ISC_PK11_C@ @ISC_PK11_RESULT_C@ \ - netaddr.c netscope.c pool.c ondestroy.c \ - parseint.c portset.c quota.c radix.c random.c ${CHACHASRCS} \ - ratelimiter.c refcount.c region.c regex.c result.c rwlock.c \ -- safe.c serial.c sha1.c sha2.c sockaddr.c stats.c string.c \ -+ serial.c sha1.c sha2.c sockaddr.c stats.c string.c \ - strtoul.c symtab.c task.c taskpool.c timer.c \ - tm.c version.c - -@@ -95,10 
+95,6 @@ TESTDIRS = @UNITTESTS@ - - @BIND9_MAKE_RULES@ - --safe.@O@: safe.c -- ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} @CCNOOPT@ \ -- -c ${srcdir}/safe.c -- - version.@O@: version.c - ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \ - -DVERSION=\"${VERSION}\" \ -diff --git a/lib/isc/include/isc/safe.h b/lib/isc/include/isc/safe.h -index f29f00bac6..b8a0b2290c 100644 ---- a/lib/isc/include/isc/safe.h -+++ b/lib/isc/include/isc/safe.h -@@ -15,27 +15,21 @@ - - /*! \file isc/safe.h */ - --#include --#include -+#include -+#include -+ -+#include - - ISC_LANG_BEGINDECLS - --isc_boolean_t --isc_safe_memequal(const void *s1, const void *s2, size_t n); -+#define isc_safe_memequal(s1, s2, n) ISC_TF(!CRYPTO_memcmp(s1, s2, n)) - /*%< - * Returns ISC_TRUE iff. two blocks of memory are equal, otherwise - * ISC_FALSE. - * - */ - --int --isc_safe_memcompare(const void *b1, const void *b2, size_t len); --/*%< -- * Clone of libc memcmp() which is safe to differential timing attacks. -- */ -- --void --isc_safe_memwipe(void *ptr, size_t len); -+#define isc_safe_memwipe(ptr, len) OPENSSL_cleanse(ptr, len) - /*%< - * Clear the memory of length `len` pointed to by `ptr`. - * -diff --git a/lib/isc/safe.c b/lib/isc/safe.c -deleted file mode 100644 -index 5c9e1e2d13..0000000000 ---- a/lib/isc/safe.c -+++ /dev/null -@@ -1,81 +0,0 @@ --/* -- * Copyright (C) Internet Systems Consortium, Inc. ("ISC") -- * -- * This Source Code Form is subject to the terms of the Mozilla Public -- * License, v. 2.0. If a copy of the MPL was not distributed with this -- * file, You can obtain one at http://mozilla.org/MPL/2.0/. -- * -- * See the COPYRIGHT file distributed with this work for additional -- * information regarding copyright ownership. -- */ -- --/*! 
\file */ -- --#include -- --#include --#include --#include -- --#ifdef WIN32 --#include --#endif -- --#ifdef _MSC_VER --#pragma optimize("", off) --#endif -- --isc_boolean_t --isc_safe_memequal(const void *s1, const void *s2, size_t n) { -- isc_uint8_t acc = 0; -- -- if (n != 0U) { -- const isc_uint8_t *p1 = s1, *p2 = s2; -- -- do { -- acc |= *p1++ ^ *p2++; -- } while (--n != 0U); -- } -- return (ISC_TF(acc == 0)); --} -- -- --int --isc_safe_memcompare(const void *b1, const void *b2, size_t len) { -- const unsigned char *p1 = b1, *p2 = b2; -- size_t i; -- int res = 0, done = 0; -- -- for (i = 0; i < len; i++) { -- /* lt is -1 if p1[i] < p2[i]; else 0. */ -- int lt = (p1[i] - p2[i]) >> CHAR_BIT; -- -- /* gt is -1 if p1[i] > p2[i]; else 0. */ -- int gt = (p2[i] - p1[i]) >> CHAR_BIT; -- -- /* cmp is 1 if p1[i] > p2[i]; -1 if p1[i] < p2[i]; else 0. */ -- int cmp = lt - gt; -- -- /* set res = cmp if !done. */ -- res |= cmp & ~done; -- -- /* set done if p1[i] != p2[i]. */ -- done |= lt | gt; -- } -- -- return (res); --} -- --void --isc_safe_memwipe(void *ptr, size_t len) { -- if (ISC_UNLIKELY(ptr == NULL || len == 0)) -- return; -- --#ifdef WIN32 -- SecureZeroMemory(ptr, len); --#elif HAVE_EXPLICIT_BZERO -- explicit_bzero(ptr, len); --#else -- memset(ptr, 0, len); --#endif --} -diff --git a/lib/isc/tests/safe_test.c b/lib/isc/tests/safe_test.c -index f721cd1096..ea3e61f98d 100644 ---- a/lib/isc/tests/safe_test.c -+++ b/lib/isc/tests/safe_test.c -@@ -39,24 +39,6 @@ ATF_TC_BODY(isc_safe_memequal, tc) { - "\x00\x00\x00\x00", 4)); - } - --ATF_TC(isc_safe_memcompare); --ATF_TC_HEAD(isc_safe_memcompare, tc) { -- atf_tc_set_md_var(tc, "descr", "safe memcompare()"); --} --ATF_TC_BODY(isc_safe_memcompare, tc) { -- UNUSED(tc); -- -- ATF_CHECK(isc_safe_memcompare("test", "test", 4) == 0); -- ATF_CHECK(isc_safe_memcompare("test", "tesc", 4) > 0); -- ATF_CHECK(isc_safe_memcompare("test", "tesy", 4) < 0); -- ATF_CHECK(isc_safe_memcompare("\x00\x00\x00\x00", -- "\x00\x00\x00\x00", 4) 
== 0); -- ATF_CHECK(isc_safe_memcompare("\x00\x00\x00\x00", -- "\x00\x00\x00\x01", 4) < 0); -- ATF_CHECK(isc_safe_memcompare("\x00\x00\x00\x02", -- "\x00\x00\x00\x00", 4) > 0); --} -- - ATF_TC(isc_safe_memwipe); - ATF_TC_HEAD(isc_safe_memwipe, tc) { - atf_tc_set_md_var(tc, "descr", "isc_safe_memwipe()"); -@@ -67,7 +49,6 @@ ATF_TC_BODY(isc_safe_memwipe, tc) { - /* These should pass. */ - isc_safe_memwipe(NULL, 0); - isc_safe_memwipe((void *) -1, 0); -- isc_safe_memwipe(NULL, 42); - - /* - * isc_safe_memwipe(ptr, size) should function same as -@@ -106,7 +87,6 @@ ATF_TC_BODY(isc_safe_memwipe, tc) { - */ - ATF_TP_ADD_TCS(tp) { - ATF_TP_ADD_TC(tp, isc_safe_memequal); -- ATF_TP_ADD_TC(tp, isc_safe_memcompare); - ATF_TP_ADD_TC(tp, isc_safe_memwipe); - return (atf_no_error()); - } --- -2.14.4 - diff --git a/bind-9.11-rt31459.patch b/bind-9.11-rt31459.patch deleted file mode 100644 index 6208ef27224b75c534e529faddc045c37964957c..0000000000000000000000000000000000000000 --- a/bind-9.11-rt31459.patch +++ /dev/null 
@@ -1,2199 +0,0 @@ -From ae9c9ef5a5ba06cf57b5a87b5f2bbc71649ba41b Mon Sep 17 00:00:00 2001 -From: Evan Hunt -Date: Tue, 12 Sep 2017 19:05:46 -0700 -Subject: [PATCH] rebased rt31459c - -[rt31459d] update the newer tools - -[rt31459d] setup entropy in dns_lib_init() - -[rt31459d] silence compiler warning - -DNS_OPENSSL_LIBS -> DST_OPENSSL_LIBS - -Include new unit test ---- - bin/confgen/keygen.c | 7 + - bin/dnssec/dnssec-dsfromkey.c | 8 +- - bin/dnssec/dnssec-importkey.c | 8 +- - bin/dnssec/dnssec-revoke.c | 8 +- - bin/dnssec/dnssec-settime.c | 8 +- - bin/dnssec/dnssec-signzone.c | 11 +- - bin/dnssec/dnssec-verify.c | 8 +- - bin/dnssec/dnssectool.c | 11 +- - bin/named/server.c | 6 + - bin/nsupdate/nsupdate.c | 18 ++- - bin/tests/makejournal.c | 6 +- - bin/tests/system/pipelined/pipequeries.c | 20 ++- - bin/tests/system/pipelined/tests.sh | 4 +- - bin/tests/system/rsabigexponent/bigkey.c | 4 + - bin/tests/system/tkey/keycreate.c | 26 +++- - bin/tests/system/tkey/keydelete.c | 26 +++- - bin/tests/system/tkey/tests.sh | 8 +- - bin/tools/mdig.c | 3 +- - configure | 250 ++++++++++++++++++------------- - configure.in | 77 +++++++++- - lib/dns/dst_api.c | 21 ++- - lib/dns/include/dst/dst.h | 8 + - lib/dns/lib.c | 17 ++- - lib/dns/openssl_link.c | 72 ++++++++- - lib/dns/pkcs11.c | 29 +++- - lib/dns/tests/Atffile | 1 + - lib/dns/tests/Kyuafile | 1 + - lib/dns/tests/Makefile.in | 7 + - lib/dns/tests/dnstest.c | 14 +- - lib/dns/tests/dstrandom_test.c | 105 +++++++++++++ - lib/dns/win32/libdns.def.in | 7 + - lib/isc/entropy.c | 24 +++ - lib/isc/include/isc/entropy.h | 12 ++ - lib/isc/include/isc/platform.h.in | 5 + - lib/isc/include/isc/types.h | 2 + - lib/isc/pk11.c | 12 +- - lib/isc/win32/include/isc/platform.h.in | 5 + - win32utils/Configure | 29 +++- - 38 files changed, 704 insertions(+), 184 deletions(-) - create mode 100644 lib/dns/tests/dstrandom_test.c - -diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c -index 11cc54d..fa439cc 100644 ---- a/bin/confgen/keygen.c 
-+++ b/bin/confgen/keygen.c -@@ -165,6 +165,13 @@ generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg, - randomfile = NULL; - open_keyboard = ISC_ENTROPY_KEYBOARDYES; - } -+#ifdef ISC_PLATFORM_CRYPTORANDOM -+ if (randomfile != NULL && -+ strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { -+ randomfile = NULL; -+ isc_entropy_usehook(ectx, ISC_TRUE); -+ } -+#endif - DO("start entropy source", isc_entropy_usebestsource(ectx, - &entropy_source, - randomfile, -diff --git a/bin/dnssec/dnssec-dsfromkey.c b/bin/dnssec/dnssec-dsfromkey.c -index 94a982c..897c497 100644 ---- a/bin/dnssec/dnssec-dsfromkey.c -+++ b/bin/dnssec/dnssec-dsfromkey.c -@@ -495,14 +495,14 @@ main(int argc, char **argv) { - - if (ectx == NULL) - setup_entropy(mctx, NULL, &ectx); -- result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE); -- if (result != ISC_R_SUCCESS) -- fatal("could not initialize hash"); - result = dst_lib_init(mctx, ectx, - ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY); - if (result != ISC_R_SUCCESS) - fatal("could not initialize dst: %s", - isc_result_totext(result)); -+ result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE); -+ if (result != ISC_R_SUCCESS) -+ fatal("could not initialize hash"); - isc_entropy_stopcallbacksources(ectx); - - setup_logging(mctx, &log); -@@ -564,8 +564,8 @@ main(int argc, char **argv) { - if (dns_rdataset_isassociated(&rdataset)) - dns_rdataset_disassociate(&rdataset); - cleanup_logging(&log); -- dst_lib_destroy(); - isc_hash_destroy(); -+ dst_lib_destroy(); - cleanup_entropy(&ectx); - dns_name_destroy(); - if (verbose > 10) -diff --git a/bin/dnssec/dnssec-importkey.c b/bin/dnssec/dnssec-importkey.c -index 2edf614..840316c 100644 ---- a/bin/dnssec/dnssec-importkey.c -+++ b/bin/dnssec/dnssec-importkey.c -@@ -406,14 +406,14 @@ main(int argc, char **argv) { - - if (ectx == NULL) - setup_entropy(mctx, NULL, &ectx); -- result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE); -- if (result != ISC_R_SUCCESS) -- fatal("could not initialize 
hash"); - result = dst_lib_init(mctx, ectx, - ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY); - if (result != ISC_R_SUCCESS) - fatal("could not initialize dst: %s", - isc_result_totext(result)); -+ result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE); -+ if (result != ISC_R_SUCCESS) -+ fatal("could not initialize hash"); - isc_entropy_stopcallbacksources(ectx); - - setup_logging(mctx, &log); -@@ -457,8 +457,8 @@ main(int argc, char **argv) { - if (dns_rdataset_isassociated(&rdataset)) - dns_rdataset_disassociate(&rdataset); - cleanup_logging(&log); -- dst_lib_destroy(); - isc_hash_destroy(); -+ dst_lib_destroy(); - cleanup_entropy(&ectx); - dns_name_destroy(); - if (verbose > 10) -diff --git a/bin/dnssec/dnssec-revoke.c b/bin/dnssec/dnssec-revoke.c -index 10fad0b..0b68e99 100644 ---- a/bin/dnssec/dnssec-revoke.c -+++ b/bin/dnssec/dnssec-revoke.c -@@ -182,14 +182,14 @@ main(int argc, char **argv) { - - if (ectx == NULL) - setup_entropy(mctx, NULL, &ectx); -- result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE); -- if (result != ISC_R_SUCCESS) -- fatal("Could not initialize hash"); - result = dst_lib_init2(mctx, ectx, engine, - ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY); - if (result != ISC_R_SUCCESS) - fatal("Could not initialize dst: %s", - isc_result_totext(result)); -+ result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE); -+ if (result != ISC_R_SUCCESS) -+ fatal("Could not initialize hash"); - isc_entropy_stopcallbacksources(ectx); - - result = dst_key_fromnamedfile(filename, dir, -@@ -271,8 +271,8 @@ main(int argc, char **argv) { - - cleanup: - dst_key_free(&key); -- dst_lib_destroy(); - isc_hash_destroy(); -+ dst_lib_destroy(); - cleanup_entropy(&ectx); - if (verbose > 10) - isc_mem_stats(mctx, stdout); -diff --git a/bin/dnssec/dnssec-settime.c b/bin/dnssec/dnssec-settime.c -index 360cdb9..b7bf171 100644 ---- a/bin/dnssec/dnssec-settime.c -+++ b/bin/dnssec/dnssec-settime.c -@@ -380,14 +380,14 @@ main(int argc, char **argv) { - - if (ectx == NULL) - 
setup_entropy(mctx, NULL, &ectx); -- result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE); -- if (result != ISC_R_SUCCESS) -- fatal("Could not initialize hash"); - result = dst_lib_init2(mctx, ectx, engine, - ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY); - if (result != ISC_R_SUCCESS) - fatal("Could not initialize dst: %s", - isc_result_totext(result)); -+ result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE); -+ if (result != ISC_R_SUCCESS) -+ fatal("Could not initialize hash"); - isc_entropy_stopcallbacksources(ectx); - - if (predecessor != NULL) { -@@ -672,8 +672,8 @@ main(int argc, char **argv) { - if (prevkey != NULL) - dst_key_free(&prevkey); - dst_key_free(&key); -- dst_lib_destroy(); - isc_hash_destroy(); -+ dst_lib_destroy(); - cleanup_entropy(&ectx); - if (verbose > 10) - isc_mem_stats(mctx, stdout); -diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c -index 1bea357..53be1f5 100644 ---- a/bin/dnssec/dnssec-signzone.c -+++ b/bin/dnssec/dnssec-signzone.c -@@ -3459,14 +3459,15 @@ main(int argc, char *argv[]) { - if (!pseudorandom) - eflags |= ISC_ENTROPY_GOODONLY; - -- result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE); -- if (result != ISC_R_SUCCESS) -- fatal("could not create hash context"); -- - result = dst_lib_init2(mctx, ectx, engine, eflags); - if (result != ISC_R_SUCCESS) - fatal("could not initialize dst: %s", - isc_result_totext(result)); -+ -+ result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE); -+ if (result != ISC_R_SUCCESS) -+ fatal("could not create hash context"); -+ - isc_stdtime_get(&now); - - if (startstr != NULL) { -@@ -3878,8 +3879,8 @@ main(int argc, char *argv[]) { - dns_master_styledestroy(&dsstyle, mctx); - - cleanup_logging(&log); -- dst_lib_destroy(); - isc_hash_destroy(); -+ dst_lib_destroy(); - cleanup_entropy(&ectx); - dns_name_destroy(); - if (verbose > 10) -diff --git a/bin/dnssec/dnssec-verify.c b/bin/dnssec/dnssec-verify.c -index 792510a..dc32765 100644 ---- a/bin/dnssec/dnssec-verify.c -+++ 
b/bin/dnssec/dnssec-verify.c -@@ -280,15 +280,15 @@ main(int argc, char *argv[]) { - if (ectx == NULL) - setup_entropy(mctx, NULL, &ectx); - -- result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE); -- if (result != ISC_R_SUCCESS) -- fatal("could not create hash context"); -- - result = dst_lib_init2(mctx, ectx, engine, ISC_ENTROPY_BLOCKING); - if (result != ISC_R_SUCCESS) - fatal("could not initialize dst: %s", - isc_result_totext(result)); - -+ result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE); -+ if (result != ISC_R_SUCCESS) -+ fatal("could not create hash context"); -+ - isc_stdtime_get(&now); - - rdclass = strtoclass(classname); -diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c -index dc32c90..4ea9eaf 100644 ---- a/bin/dnssec/dnssectool.c -+++ b/bin/dnssec/dnssectool.c -@@ -32,6 +32,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -233,7 +234,8 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { - if (*ectx == NULL) { - result = isc_entropy_create(mctx, ectx); - if (result != ISC_R_SUCCESS) -- fatal("could not create entropy object"); -+ fatal("could not create entropy object: %s", -+ isc_result_totext(result)); - ISC_LIST_INIT(sources); - } - -@@ -242,6 +244,13 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { - randomfile = NULL; - } - -+#ifdef ISC_PLATFORM_CRYPTORANDOM -+ if (randomfile != NULL && -+ strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { -+ randomfile = NULL; -+ isc_entropy_usehook(*ectx, ISC_TRUE); -+ } -+#endif - result = isc_entropy_usebestsource(*ectx, &source, randomfile, - usekeyboard); - -diff --git a/bin/named/server.c b/bin/named/server.c -index 59a8998..ee5186c 100644 ---- a/bin/named/server.c -+++ b/bin/named/server.c -@@ -34,6 +34,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -8083,6 +8084,10 @@ load_configuration(const char *filename, ns_server_t *server, - "no source of 
entropy found"); - } else { - const char *randomdev = cfg_obj_asstring(obj); -+#ifdef ISC_PLATFORM_CRYPTORANDOM -+ if (strcmp(randomdev, ISC_PLATFORM_CRYPTORANDOM) == 0) -+ isc_entropy_usehook(ns_g_entropy, ISC_TRUE); -+#else - int level = ISC_LOG_ERROR; - result = isc_entropy_createfilesource(ns_g_entropy, - randomdev); -@@ -8117,6 +8122,7 @@ load_configuration(const char *filename, ns_server_t *server, - } - isc_entropy_detach(&ns_g_fallbackentropy); - } -+#endif - #endif - } - } -diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c -index bb5d500..46c7acf 100644 ---- a/bin/nsupdate/nsupdate.c -+++ b/bin/nsupdate/nsupdate.c -@@ -33,6 +33,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -269,7 +270,8 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { - if (*ectx == NULL) { - result = isc_entropy_create(mctx, ectx); - if (result != ISC_R_SUCCESS) -- fatal("could not create entropy object"); -+ fatal("could not create entropy object: %s", -+ isc_result_totext(result)); - ISC_LIST_INIT(sources); - } - -@@ -278,6 +280,13 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { - randomfile = NULL; - } - -+#ifdef ISC_PLATFORM_CRYPTORANDOM -+ if (randomfile != NULL && -+ strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { -+ randomfile = NULL; -+ isc_entropy_usehook(*ectx, ISC_TRUE); -+ } -+#endif - result = isc_entropy_usebestsource(*ectx, &source, randomfile, - usekeyboard); - -@@ -948,11 +957,11 @@ setup_system(void) { - } - } - -- setup_entropy(gmctx, NULL, &entropy); -+ if (entropy == NULL) -+ setup_entropy(gmctx, NULL, &entropy); - - result = isc_hash_create(gmctx, entropy, DNS_NAME_MAXWIRE); - check_result(result, "isc_hash_create"); -- isc_hash_init(); - - result = dns_dispatchmgr_create(gmctx, entropy, &dispatchmgr); - check_result(result, "dns_dispatchmgr_create"); -@@ -976,6 +985,9 @@ setup_system(void) { - check_result(result, "dst_lib_init"); - is_dst_up 
= ISC_TRUE; - -+ /* moved after dst_lib_init() */ -+ isc_hash_init(); -+ - attrmask = DNS_DISPATCHATTR_UDP | DNS_DISPATCHATTR_TCP; - attrmask |= DNS_DISPATCHATTR_IPV4 | DNS_DISPATCHATTR_IPV6; - -diff --git a/bin/tests/makejournal.c b/bin/tests/makejournal.c -index fed59be..9f125da 100644 ---- a/bin/tests/makejournal.c -+++ b/bin/tests/makejournal.c -@@ -100,12 +100,12 @@ main(int argc, char **argv) { - CHECK(isc_mem_create(0, 0, &mctx)); - CHECK(isc_entropy_create(mctx, &ectx)); - -- CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)); -- hash_active = ISC_TRUE; -- - CHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_BLOCKING)); - dst_active = ISC_TRUE; - -+ CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)); -+ hash_active = ISC_TRUE; -+ - CHECK(isc_log_create(mctx, &lctx, &logconfig)); - isc_log_registercategories(lctx, categories); - isc_log_setcontext(lctx); -diff --git a/bin/tests/system/pipelined/pipequeries.c b/bin/tests/system/pipelined/pipequeries.c -index 379b6a3..810d99e 100644 ---- a/bin/tests/system/pipelined/pipequeries.c -+++ b/bin/tests/system/pipelined/pipequeries.c -@@ -202,6 +202,7 @@ sendqueries(isc_task_t *task, isc_event_t *event) { - - int - main(int argc, char *argv[]) { -+ char *randomfile = NULL; - isc_sockaddr_t bind_any; - struct in_addr inaddr; - isc_result_t result; -@@ -222,7 +223,7 @@ main(int argc, char *argv[]) { - UNUSED(argv); - - isc_commandline_errprint = ISC_FALSE; -- while ((c = isc_commandline_parse(argc, argv, "p:")) != -1) { -+ while ((c = isc_commandline_parse(argc, argv, "p:r:")) != -1) { - switch (c) { - case 'p': - result = isc_parse_uint16(&port, -@@ -233,6 +234,9 @@ main(int argc, char *argv[]) { - exit(1); - } - break; -+ case 'r': -+ randomfile = isc_commandline_argument; -+ break; - case '?': - fprintf(stderr, "%s: invalid argument '%c'", - argv[0], c); -@@ -274,10 +278,18 @@ main(int argc, char *argv[]) { - - ectx = NULL; - RUNCHECK(isc_entropy_create(mctx, &ectx)); -- RUNCHECK(isc_entropy_createfilesource(ectx, 
"../random.data")); -- RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)); -+#ifdef ISC_PLATFORM_CRYPTORANDOM -+ if (randomfile != NULL && -+ strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { -+ randomfile = NULL; -+ isc_entropy_usehook(ectx, ISC_TRUE); -+ } -+#endif -+ if (randomfile != NULL) -+ RUNCHECK(isc_entropy_createfilesource(ectx, randomfile)); - - RUNCHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_GOODONLY)); -+ RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)); - - taskmgr = NULL; - RUNCHECK(isc_taskmgr_create(mctx, 1, 0, &taskmgr)); -@@ -330,8 +342,8 @@ main(int argc, char *argv[]) { - isc_task_detach(&task); - isc_taskmgr_destroy(&taskmgr); - -- dst_lib_destroy(); - isc_hash_destroy(); -+ dst_lib_destroy(); - isc_entropy_detach(&ectx); - - isc_log_destroy(&lctx); -diff --git a/bin/tests/system/pipelined/tests.sh b/bin/tests/system/pipelined/tests.sh -index a6720ce..9063b1f 100644 ---- a/bin/tests/system/pipelined/tests.sh -+++ b/bin/tests/system/pipelined/tests.sh -@@ -19,7 +19,7 @@ status=0 - - echo_i "check pipelined TCP queries" - ret=0 --$PIPEQUERIES -p ${PORT} < input > raw || ret=1 -+$PIPEQUERIES -p ${PORT} -r $RANDFILE < input > raw || ret=1 - awk '{ print $1 " " $5 }' < raw > output - sort < output > output-sorted - diff ref output-sorted || { ret=1 ; echo_i "diff sorted failed"; } -@@ -43,7 +43,7 @@ status=`expr $status + $ret` - - echo_i "check keep-response-order" - ret=0 --$PIPEQUERIES -p ${PORT} ++ < inputb > rawb || ret=1 -+$PIPEQUERIES -p ${PORT} -r $RANDFILE ++ < inputb > rawb || ret=1 - awk '{ print $1 " " $5 }' < rawb > outputb - diff refb outputb || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi -diff --git a/bin/tests/system/rsabigexponent/bigkey.c b/bin/tests/system/rsabigexponent/bigkey.c -index 4462f2e..f1230d8 100644 ---- a/bin/tests/system/rsabigexponent/bigkey.c -+++ b/bin/tests/system/rsabigexponent/bigkey.c -@@ -20,6 +20,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ 
-183,6 +184,9 @@ main(int argc, char **argv) { - - CHECK(isc_mem_create(0, 0, &mctx), "isc_mem_create()"); - CHECK(isc_entropy_create(mctx, &ectx), "isc_entropy_create()"); -+#ifdef ISC_PLATFORM_CRYPTORANDOM -+ isc_entropy_usehook(ectx, ISC_TRUE); -+#endif - CHECK(isc_entropy_usebestsource(ectx, &source, - "../random.data", - ISC_ENTROPY_KEYBOARDNO), -diff --git a/bin/tests/system/tkey/keycreate.c b/bin/tests/system/tkey/keycreate.c -index 489f439..4f2f5b4 100644 ---- a/bin/tests/system/tkey/keycreate.c -+++ b/bin/tests/system/tkey/keycreate.c -@@ -206,6 +206,7 @@ sendquery(isc_task_t *task, isc_event_t *event) { - int - main(int argc, char *argv[]) { - char *ourkeyname; -+ char *randomfile; - isc_taskmgr_t *taskmgr; - isc_timermgr_t *timermgr; - isc_socketmgr_t *socketmgr; -@@ -225,10 +226,21 @@ main(int argc, char *argv[]) { - - RUNCHECK(isc_app_start()); - -+ randomfile = NULL; -+ - if (argc < 2) { - fprintf(stderr, "I:no DH key provided\n"); - exit(-1); - } -+ if (strcmp(argv[1], "-r") == 0) { -+ if (argc < 4) { -+ fprintf(stderr, "I:no DH key provided\n"); -+ exit(-1); -+ } -+ randomfile = argv[2]; -+ argv += 2; -+ argc -= 2; -+ } - ourkeyname = argv[1]; - - if (argc >= 3) -@@ -242,14 +254,22 @@ main(int argc, char *argv[]) { - - ectx = NULL; - RUNCHECK(isc_entropy_create(mctx, &ectx)); -- RUNCHECK(isc_entropy_createfilesource(ectx, "../random.data")); -- RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)); -+#ifdef ISC_PLATFORM_CRYPTORANDOM -+ if (randomfile != NULL && -+ strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { -+ randomfile = NULL; -+ isc_entropy_usehook(ectx, ISC_TRUE); -+ } -+#endif -+ if (randomfile != NULL) -+ RUNCHECK(isc_entropy_createfilesource(ectx, randomfile)); - - log = NULL; - logconfig = NULL; - RUNCHECK(isc_log_create(mctx, &log, &logconfig)); - - RUNCHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_GOODONLY)); -+ RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)); - - taskmgr = NULL; - RUNCHECK(isc_taskmgr_create(mctx, 1, 0, 
&taskmgr)); -@@ -328,8 +348,8 @@ main(int argc, char *argv[]) { - - isc_log_destroy(&log); - -- dst_lib_destroy(); - isc_hash_destroy(); -+ dst_lib_destroy(); - isc_entropy_detach(&ectx); - - isc_mem_destroy(&mctx); -diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c -index 36ee6c7..0975bbe 100644 ---- a/bin/tests/system/tkey/keydelete.c -+++ b/bin/tests/system/tkey/keydelete.c -@@ -136,6 +136,7 @@ sendquery(isc_task_t *task, isc_event_t *event) { - int - main(int argc, char **argv) { - char *keyname; -+ char *randomfile; - isc_taskmgr_t *taskmgr; - isc_timermgr_t *timermgr; - isc_socketmgr_t *socketmgr; -@@ -156,10 +157,21 @@ main(int argc, char **argv) { - - RUNCHECK(isc_app_start()); - -+ randomfile = NULL; -+ - if (argc < 2) { - fprintf(stderr, "I:no key to delete\n"); - exit(-1); - } -+ if (strcmp(argv[1], "-r") == 0) { -+ if (argc < 4) { -+ fprintf(stderr, "I:no DH key provided\n"); -+ exit(-1); -+ } -+ randomfile = argv[2]; -+ argv += 2; -+ argc -= 2; -+ } - keyname = argv[1]; - - dns_result_register(); -@@ -169,14 +181,22 @@ main(int argc, char **argv) { - - ectx = NULL; - RUNCHECK(isc_entropy_create(mctx, &ectx)); -- RUNCHECK(isc_entropy_createfilesource(ectx, "../random.data")); -- RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)); -+#ifdef ISC_PLATFORM_CRYPTORANDOM -+ if (randomfile != NULL && -+ strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { -+ randomfile = NULL; -+ isc_entropy_usehook(ectx, ISC_TRUE); -+ } -+#endif -+ if (randomfile != NULL) -+ RUNCHECK(isc_entropy_createfilesource(ectx, randomfile)); - - log = NULL; - logconfig = NULL; - RUNCHECK(isc_log_create(mctx, &log, &logconfig)); - - RUNCHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_GOODONLY)); -+ RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)); - - taskmgr = NULL; - RUNCHECK(isc_taskmgr_create(mctx, 1, 0, &taskmgr)); -@@ -265,8 +285,8 @@ main(int argc, char **argv) { - - isc_log_destroy(&log); - -- dst_lib_destroy(); - isc_hash_destroy(); -+ 
dst_lib_destroy(); - isc_entropy_detach(&ectx); - - isc_mem_destroy(&mctx); -diff --git a/bin/tests/system/tkey/tests.sh b/bin/tests/system/tkey/tests.sh -index 9f90dd7..fad6c83 100644 ---- a/bin/tests/system/tkey/tests.sh -+++ b/bin/tests/system/tkey/tests.sh -@@ -33,7 +33,7 @@ for owner in . foo.example. - do - echo "I:creating new key using owner name \"$owner\"" - ret=0 -- keyname=`$KEYCREATE $dhkeyname $owner` || ret=1 -+ keyname=`$KEYCREATE -r $RANDFILE $dhkeyname $owner` || ret=1 - if [ $ret != 0 ]; then - echo "I:failed" - status=`expr $status + $ret` -@@ -55,7 +55,7 @@ do - - echo "I:deleting new key" - ret=0 -- $KEYDELETE $keyname || ret=1 -+ $KEYDELETE -r $RANDFILE $keyname || ret=1 - if [ $ret != 0 ]; then - echo "I:failed" - fi -@@ -75,7 +75,7 @@ done - - echo "I:creating new key using owner name bar.example." - ret=0 --keyname=`$KEYCREATE $dhkeyname bar.example.` || ret=1 -+keyname=`$KEYCREATE -r $RANDFILE $dhkeyname bar.example.` || ret=1 - if [ $ret != 0 ]; then - echo "I:failed" - status=`expr $status + $ret` -@@ -116,7 +116,7 @@ status=`expr $status + $ret` - - echo "I:recreating the bar.example. 
key" - ret=0 --keyname=`$KEYCREATE $dhkeyname bar.example.` || ret=1 -+keyname=`$KEYCREATE -r $RANDFILE $dhkeyname bar.example.` || ret=1 - if [ $ret != 0 ]; then - echo "I:failed" - status=`expr $status + $ret` -diff --git a/bin/tools/mdig.c b/bin/tools/mdig.c -index 1f5dd4c..4e3bfa5 100644 ---- a/bin/tools/mdig.c -+++ b/bin/tools/mdig.c -@@ -1933,12 +1933,11 @@ main(int argc, char *argv[]) { - - ectx = NULL; - RUNCHECK(isc_entropy_create(mctx, &ectx)); -+ RUNCHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_GOODONLY)); - RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)); - RUNCHECK(isc_entropy_getdata(ectx, cookie_secret, - sizeof(cookie_secret), NULL, 0)); - -- RUNCHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_GOODONLY)); -- - ISC_LIST_INIT(queries); - parse_args(ISC_FALSE, argc, argv); - if (server == NULL) -diff --git a/configure b/configure -index c83773a..ac1ea3f 100755 ---- a/configure -+++ b/configure -@@ -640,6 +640,7 @@ ac_includes_default="\ - - ac_subst_vars='LTLIBOBJS - LIBOBJS -+LIBDIR_SUFFIX - BUILD_LIBS - BUILD_LDFLAGS - BUILD_CPPFLAGS -@@ -825,6 +826,7 @@ XMLSTATS - NZDTARGETS - NZDSRCS - NZD_TOOLS -+ISC_PLATFORM_CRYPTORANDOM - PKCS11_TEST - PKCS11_ED25519 - PKCS11_GOST -@@ -1037,6 +1039,7 @@ with_eddsa - with_aes - enable_openssl_hash - with_cc_alg -+enable_crypto_rand - with_lmdb - with_libxml2 - with_libjson -@@ -1730,6 +1733,7 @@ Optional Features: - --enable-threads enable multithreading - --enable-native-pkcs11 use native PKCS11 for all crypto [default=no] - --enable-openssl-hash use OpenSSL for hash functions [default=no] -+ --enable-crypto-rand use the crypto provider for random [default=yes] - --enable-largefile 64-bit file support - --enable-backtrace log stack backtrace on abort [default=yes] - --enable-symtable use internal symbol table for backtrace -@@ -16486,6 +16490,7 @@ case "$use_openssl" in - $as_echo "disabled because of native PKCS11" >&6; } - DST_OPENSSL_INC="" - CRYPTO="-DPKCS11CRYPTO" -+ CRYPTOLIB="pkcs11" - 
OPENSSLECDSALINKOBJS="" - OPENSSLECDSALINKSRCS="" - OPENSSLEDDSALINKOBJS="" -@@ -16500,6 +16505,7 @@ $as_echo "disabled because of native PKCS11" >&6; } - $as_echo "no" >&6; } - DST_OPENSSL_INC="" - CRYPTO="" -+ CRYPTOLIB="" - OPENSSLECDSALINKOBJS="" - OPENSSLECDSALINKSRCS="" - OPENSSLEDDSALINKOBJS="" -@@ -16512,6 +16518,7 @@ $as_echo "no" >&6; } - auto) - DST_OPENSSL_INC="" - CRYPTO="" -+ CRYPTOLIB="" - OPENSSLECDSALINKOBJS="" - OPENSSLECDSALINKSRCS="" - OPENSSLEDDSALINKOBJS="" -@@ -16521,7 +16528,7 @@ $as_echo "no" >&6; } - OPENSSLLINKOBJS="" - OPENSSLLINKSRCS="" - as_fn_error $? "OpenSSL was not found in any of $openssldirs; use --with-openssl=/path --If you don't want OpenSSL, use --without-openssl" "$LINENO" 5 -+If you do not want OpenSSL, use --without-openssl" "$LINENO" 5 - ;; - *) - if test "yes" = "$want_native_pkcs11" -@@ -16552,6 +16559,7 @@ $as_echo "not found" >&6; } - as_fn_error $? "\"$use_openssl/include/openssl/opensslv.h\" not found" "$LINENO" 5 - fi - CRYPTO='-DOPENSSL' -+ CRYPTOLIB="openssl" - if test "/usr" = "$use_openssl" - then - DST_OPENSSL_INC="" -@@ -17213,8 +17221,6 @@ fi - # Use OpenSSL for hash functions - # - --{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for using OpenSSL for hash functions" >&5 --$as_echo_n "checking for using OpenSSL for hash functions... " >&6; } - ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH" - case $want_openssl_hash in - yes) -@@ -17583,6 +17589,86 @@ if test "rt" = "$have_clock_gt"; then - LIBS="-lrt $LIBS" - fi - -+# -+# Use the crypto provider (OpenSSL/PKCS#11) for random functions -+# -+ -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for using the crypto library (vs. builtin) for random functions" >&5 -+$as_echo_n "checking for using the crypto library (vs. builtin) for random functions... " >&6; } -+# Check whether --enable-crypto-rand was given. 
-+if test "${enable_crypto_rand+set}" = set; then : -+ enableval=$enable_crypto_rand; want_crypto_rand="$enableval" -+else -+ want_crypto_rand="auto" -+fi -+ -+if test "$want_crypto_rand" = "auto" -+then -+ case "$CRYPTOLIB" in -+ "") -+ want_crypto_rand="no" -+ ;; -+ pkcs11) -+ want_crypto_rand="yes" -+ ;; -+ openssl) -+ saved_cflags="$CFLAGS" -+ saved_libs="$LIBS" -+ CFLAGS="$CFLAGS $DST_OPENSSL_INC" -+ LIBS="$LIBS $DST_OPENSSL_LIBS" -+ if test "$cross_compiling" = yes; then : -+ want_crypto_rand="yes" -+else -+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext -+/* end confdefs.h. */ -+ -+#include -+ -+unsigned char buf[128]; -+ -+int main() -+{ -+ if (RAND_bytes(buf, 128) != 1) -+ return (1); -+ return (0); -+} -+ -+_ACEOF -+if ac_fn_c_try_run "$LINENO"; then : -+ want_crypto_rand="yes" -+else -+ want_crypto_rand="no" -+fi -+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ -+ conftest.$ac_objext conftest.beam conftest.$ac_ext -+fi -+ -+ CFLAGS="$saved_cflags" -+ LIBS="$saved_libs" -+ ;; -+ *) -+ as_fn_error $? "Unknown crypto library define $CRYPTOLIB" "$LINENO" 5 -+ ;; -+ esac -+fi -+case $want_crypto_rand in -+ yes) -+ if test "$CRYPTOLIB" = "" -+ then -+ as_fn_error $? "No crypto library for random functions" "$LINENO" 5 -+ fi -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: \"$CRYPTOLIB\"" >&5 -+$as_echo "\"$CRYPTOLIB\"" >&6; } -+ ISC_PLATFORM_CRYPTORANDOM="#define ISC_PLATFORM_CRYPTORANDOM \"$CRYPTOLIB\"" -+ ;; -+ no) -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -+$as_echo "no" >&6; } -+ ISC_PLATFORM_CRYPTORANDOM="#undef ISC_PLATFORM_CRYPTORANDOM" -+ ;; -+esac -+ -+ - # - # was --with-lmdb specified? 
- # -@@ -19665,9 +19751,12 @@ _ACEOF - if ac_fn_c_try_compile "$LINENO"; then : - { $as_echo "$as_me:${as_lineno-$LINENO}: result: size_t for buflen; int for flags" >&5 - $as_echo "size_t for buflen; int for flags" >&6; } -- $as_echo "#define IRS_GETNAMEINFO_SOCKLEN_T size_t" >>confdefs.h -+ # Changed to solve multilib conflict on Fedora -+ # AC_DEFINE(IRS_GETNAMEINFO_SOCKLEN_T, size_t) -+ # AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, size_t) -+ $as_echo "#define IRS_GETNAMEINFO_SOCKLEN_T socklen_t" >>confdefs.h - -- $as_echo "#define IRS_GETNAMEINFO_BUFLEN_T size_t" >>confdefs.h -+ $as_echo "#define IRS_GETNAMEINFO_BUFLEN_T socklen_t" >>confdefs.h - - $as_echo "#define IRS_GETNAMEINFO_FLAGS_T int" >>confdefs.h - -@@ -21032,12 +21121,7 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM" - ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM" - ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM" - if test "yes" = "$use_atomic"; then -- have_atomic=yes # set default -- case "$host" in -- i[3456]86-*) -- # XXX: some old x86 architectures actually do not support -- # (some of) these operations. Do we need stricter checks? -- # The cast to long int works around a bug in the HP C Compiler -+ # The cast to long int works around a bug in the HP C Compiler - # version HP92453-01 B.11.11.23709.GP, which incorrectly rejects - # declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. - # This bug is HP SR number 8606223364. -@@ -21070,6 +21154,11 @@ cat >>confdefs.h <<_ACEOF - _ACEOF - - -+ have_atomic=yes # set default -+ case "$host" in -+ i[3456]86-*) -+ # XXX: some old x86 architectures actually do not support -+ # (some of) these operations. Do we need stricter checks? 
- if test $ac_cv_sizeof_void_p = 8; then - arch=x86_64 - have_xaddq=yes -@@ -21078,39 +21167,6 @@ _ACEOF - fi - ;; - x86_64-*|amd64-*) -- # The cast to long int works around a bug in the HP C Compiler --# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects --# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. --# This bug is HP SR number 8606223364. --{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of void *" >&5 --$as_echo_n "checking size of void *... " >&6; } --if ${ac_cv_sizeof_void_p+:} false; then : -- $as_echo_n "(cached) " >&6 --else -- if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (void *))" "ac_cv_sizeof_void_p" "$ac_includes_default"; then : -- --else -- if test "$ac_cv_type_void_p" = yes; then -- { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 --$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} --as_fn_error 77 "cannot compute sizeof (void *) --See \`config.log' for more details" "$LINENO" 5; } -- else -- ac_cv_sizeof_void_p=0 -- fi --fi -- --fi --{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_void_p" >&5 --$as_echo "$ac_cv_sizeof_void_p" >&6; } -- -- -- --cat >>confdefs.h <<_ACEOF --#define SIZEOF_VOID_P $ac_cv_sizeof_void_p --_ACEOF -- -- - if test $ac_cv_sizeof_void_p = 8; then - arch=x86_64 - have_xaddq=yes -@@ -21141,6 +21197,10 @@ $as_echo_n "checking architecture type for atomic operations... " >&6; } - $as_echo "$arch" >&6; } - fi - -+if test ! "$arch" = "x86_64" -a "$have_xaddq" = "yes"; then -+ as_fn_error $? "XADDQ present but disabled by Fedora patch!" "$LINENO" 5 -+fi -+ - if test "yes" = "$have_atomic"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: checking compiler support for inline assembly code" >&5 - $as_echo_n "checking compiler support for inline assembly code... 
" >&6; } -@@ -23428,6 +23488,30 @@ CFLAGS="$CFLAGS $SO_CFLAGS" - # - dlzdir='${DLZ_DRIVER_DIR}' - -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for target libdir" >&5 -+$as_echo_n "checking for target libdir... " >&6; } -+if test "$cross_compiling" = yes; then : -+ { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -+as_fn_error $? "cannot run test program while cross compiling -+See \`config.log' for more details" "$LINENO" 5; } -+else -+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext -+/* end confdefs.h. */ -+int main(void) {exit((sizeof(void *) == 8) ? 0 : 1);} -+_ACEOF -+if ac_fn_c_try_run "$LINENO"; then : -+ target_lib=lib64 -+else -+ target_lib=lib -+fi -+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ -+ conftest.$ac_objext conftest.beam conftest.$ac_ext -+fi -+ -+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: \"$target_lib\"" >&5 -+$as_echo "\"$target_lib\"" >&6; } -+ - # - # Private autoconf macro to simplify configuring drivers: - # -@@ -23758,11 +23842,11 @@ $as_echo "no" >&6; } - $as_echo "using mysql with libs ${mysql_lib} and includes ${mysql_include}" >&6; } - ;; - *) -- if test -d "$use_dlz_mysql/lib/mysql" -+ if test -d $use_dlz_mysql/${target_lib}/mysql - then -- mysql_lib="$use_dlz_mysql/lib/mysql" -+ mysql_lib=$use_dlz_mysql/${target_lib}/mysql - else -- mysql_lib="$use_dlz_mysql/lib" -+ mysql_lib=$use_dlz_mysql/${target_lib} - fi - - CONTRIB_DLZ="$CONTRIB_DLZ -DDLZ_MYSQL" -@@ -23847,7 +23931,7 @@ $as_echo "" >&6; } - # Check other locations for includes. - # Order is important (sigh). 
- -- bdb_incdirs="/db53 /db51 /db48 /db47 /db46 /db45 /db44 /db43 /db42 /db41 /db4 /db" -+ bdb_incdirs="/db53 /db51 /db48 /db47 /db46 /db45 /db44 /db43 /db42 /db41 /db4 /libdb /db" - # include a blank element first - for d in "" $bdb_incdirs - do -@@ -23872,57 +23956,9 @@ $as_echo "" >&6; } - bdb_libnames="db53 db-5.3 db51 db-5.1 db48 db-4.8 db47 db-4.7 db46 db-4.6 db45 db-4.5 db44 db-4.4 db43 db-4.3 db42 db-4.2 db41 db-4.1 db" - for d in $bdb_libnames - do -- if test "$dd" = "/usr" -+ if test -f "$dd/${target_lib}/lib${d}.so" - then -- as_ac_Lib=`$as_echo "ac_cv_lib_$d''_db_create" | $as_tr_sh` --{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for db_create in -l$d" >&5 --$as_echo_n "checking for db_create in -l$d... " >&6; } --if eval \${$as_ac_Lib+:} false; then : -- $as_echo_n "(cached) " >&6 --else -- ac_check_lib_save_LIBS=$LIBS --LIBS="-l$d $LIBS" --cat confdefs.h - <<_ACEOF >conftest.$ac_ext --/* end confdefs.h. */ -- --/* Override any GCC internal prototype to avoid an error. -- Use char because int might match the return type of a GCC -- builtin and then its argument prototype would still apply. 
*/ --#ifdef __cplusplus --extern "C" --#endif --char db_create (); --int --main () --{ --return db_create (); -- ; -- return 0; --} --_ACEOF --if ac_fn_c_try_link "$LINENO"; then : -- eval "$as_ac_Lib=yes" --else -- eval "$as_ac_Lib=no" --fi --rm -f core conftest.err conftest.$ac_objext \ -- conftest$ac_exeext conftest.$ac_ext --LIBS=$ac_check_lib_save_LIBS --fi --eval ac_res=\$$as_ac_Lib -- { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 --$as_echo "$ac_res" >&6; } --if eval test \"x\$"$as_ac_Lib"\" = x"yes"; then : -- dlz_bdb_libs="-l${d}" --fi -- -- if test $dlz_bdb_libs != "yes" -- then -- break -- fi -- elif test -f "$dd/lib/lib${d}.so" -- then -- dlz_bdb_libs="-L${dd}/lib -l${d}" -+ dlz_bdb_libs="-L${dd}/${target_lib}/libdb -l${d}" - break - fi - done -@@ -24081,10 +24117,10 @@ $as_echo "no" >&6; } - DLZ_DRIVER_INCLUDES="$DLZ_DRIVER_INCLUDES -I$use_dlz_ldap/include" - DLZ_DRIVER_LDAP_INCLUDES="-I$use_dlz_ldap/include" - fi -- if test -n "-L$use_dlz_ldap/lib -lldap -llber" -+ if test -n "-L$use_dlz_ldap/${target_lib} -lldap -llber" - then -- DLZ_DRIVER_LIBS="$DLZ_DRIVER_LIBS -L$use_dlz_ldap/lib -lldap -llber" -- DLZ_DRIVER_LDAP_LIBS="-L$use_dlz_ldap/lib -lldap -llber" -+ DLZ_DRIVER_LIBS="$DLZ_DRIVER_LIBS -L$use_dlz_ldap/${target_lib} -lldap -llber" -+ DLZ_DRIVER_LDAP_LIBS="-L$use_dlz_ldap/${target_lib} -lldap -llber" - fi - - -@@ -24170,11 +24206,11 @@ fi - odbcdirs="/usr /usr/local /usr/pkg" - for d in $odbcdirs - do -- if test -f $d/include/sql.h -a -f $d/lib/libodbc.a -+ if test -f $d/include/sql.h -a -f $d/${target_lib}/libodbc.a - then - use_dlz_odbc=$d - dlz_odbc_include="-I$use_dlz_odbc/include" -- dlz_odbc_libs="-L$use_dlz_odbc/lib -lodbc" -+ dlz_odbc_libs="-L$use_dlz_odbc/${target_lib} -lodbc" - break - fi - done -@@ -24449,6 +24485,8 @@ DNS_CRYPTO_LIBS="$NEWFLAGS" - - - -+ -+ - # - # Commands to run at the end of config.status. 
- # Don't just put these into configure, it won't work right if somebody -@@ -26839,6 +26877,8 @@ report() { - echo " IPv6 support (--enable-ipv6)" - test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \ - echo " OpenSSL cryptography/DNSSEC (--with-openssl)" -+ test "no" = "$want_crypto_rand" || \ -+ echo " Crypto provider entropy source (--enable-crypto-rand)" - test "X$PYTHON" = "X" || echo " Python tools (--with-python)" - test "X$XMLSTATS" = "X" || echo " XML statistics (--with-libxml2)" - test "X$JSONSTATS" = "X" || echo " JSON statistics (--with-libjson)" -@@ -26879,6 +26919,8 @@ report() { - echo " Very verbose query trace logging (--enable-querytrace)" - test "no" = "$atf" || echo " Automated Testing Framework (--with-atf)" - -+ echo " Cryptographic library for DNSSEC: $CRYPTOLIB" -+ - echo " Dynamically loadable zone (DLZ) drivers:" - test "no" = "$use_dlz_bdb" || \ - echo " Berkeley DB (--with-dlz-bdb)" -@@ -26926,6 +26968,8 @@ report() { - echo " ECDSA algorithm support (--with-ecdsa)" - test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \ - echo " EDDSA algorithm support (--with-eddsa)" -+ test "yes" = "$want_crypto_rand" || \ -+ echo " Crypto provider entropy source (--enable-crypto-rand)" - - test "yes" = "$enable_seccomp" || \ - echo " Use libseccomp system call filtering (--enable-seccomp)" -diff --git a/configure.in b/configure.in -index 9a1d16d..849fa94 100644 ---- a/configure.in -+++ b/configure.in -@@ -1597,6 +1597,7 @@ case "$use_openssl" in - AC_MSG_RESULT(disabled because of native PKCS11) - DST_OPENSSL_INC="" - CRYPTO="-DPKCS11CRYPTO" -+ CRYPTOLIB="pkcs11" - OPENSSLECDSALINKOBJS="" - OPENSSLECDSALINKSRCS="" - OPENSSLEDDSALINKOBJS="" -@@ -1610,6 +1611,7 @@ case "$use_openssl" in - AC_MSG_RESULT(no) - DST_OPENSSL_INC="" - CRYPTO="" -+ CRYPTOLIB="" - OPENSSLECDSALINKOBJS="" - OPENSSLECDSALINKSRCS="" - OPENSSLEDDSALINKOBJS="" -@@ -1622,6 +1624,7 @@ case "$use_openssl" in - auto) - DST_OPENSSL_INC="" - 
CRYPTO="" -+ CRYPTOLIB="" - OPENSSLECDSALINKOBJS="" - OPENSSLECDSALINKSRCS="" - OPENSSLEDDSALINKOBJS="" -@@ -1632,7 +1635,7 @@ case "$use_openssl" in - OPENSSLLINKSRCS="" - AC_MSG_ERROR( - [OpenSSL was not found in any of $openssldirs; use --with-openssl=/path --If you don't want OpenSSL, use --without-openssl]) -+If you do not want OpenSSL, use --without-openssl]) - ;; - *) - if test "yes" = "$want_native_pkcs11" -@@ -1662,6 +1665,7 @@ If you don't want OpenSSL, use --without-openssl]) - AC_MSG_ERROR(["$use_openssl/include/openssl/opensslv.h" not found]) - fi - CRYPTO='-DOPENSSL' -+ CRYPTOLIB="openssl" - if test "/usr" = "$use_openssl" - then - DST_OPENSSL_INC="" -@@ -2135,7 +2139,6 @@ fi - # Use OpenSSL for hash functions - # - --AC_MSG_CHECKING(for using OpenSSL for hash functions) - ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH" - case $want_openssl_hash in - yes) -@@ -2402,6 +2405,67 @@ if test "rt" = "$have_clock_gt"; then - LIBS="-lrt $LIBS" - fi - -+# -+# Use the crypto provider (OpenSSL/PKCS#11) for random functions -+# -+ -+AC_MSG_CHECKING(for using the crypto library (vs. 
builtin) for random functions) -+AC_ARG_ENABLE(crypto-rand, -+ [ --enable-crypto-rand use the crypto provider for random [[default=yes]]], -+ want_crypto_rand="$enableval", want_crypto_rand="auto") -+if test "$want_crypto_rand" = "auto" -+then -+ case "$CRYPTOLIB" in -+ "") -+ want_crypto_rand="no" -+ ;; -+ pkcs11) -+ want_crypto_rand="yes" -+ ;; -+ openssl) -+ saved_cflags="$CFLAGS" -+ saved_libs="$LIBS" -+ CFLAGS="$CFLAGS $DST_OPENSSL_INC" -+ LIBS="$LIBS $DST_OPENSSL_LIBS" -+ AC_TRY_RUN([ -+#include -+ -+unsigned char buf[128]; -+ -+int main() -+{ -+ if (RAND_bytes(buf, 128) != 1) -+ return (1); -+ return (0); -+} -+], -+ [want_crypto_rand="yes"], -+ [want_crypto_rand="no"], -+ [want_crypto_rand="yes"]) -+ CFLAGS="$saved_cflags" -+ LIBS="$saved_libs" -+ ;; -+ *) -+ AC_MSG_ERROR([Unknown crypto library define $CRYPTOLIB]) -+ ;; -+ esac -+fi -+case $want_crypto_rand in -+ yes) -+ if test "$CRYPTOLIB" = "" -+ then -+ AC_MSG_ERROR([No crypto library for random functions]) -+ fi -+ AC_MSG_RESULT(["$CRYPTOLIB"]) -+ ISC_PLATFORM_CRYPTORANDOM="#define ISC_PLATFORM_CRYPTORANDOM \"$CRYPTOLIB\"" -+ ;; -+ no) -+ AC_MSG_RESULT(no) -+ ISC_PLATFORM_CRYPTORANDOM="#undef ISC_PLATFORM_CRYPTORANDOM" -+ ;; -+esac -+AC_SUBST(ISC_PLATFORM_CRYPTORANDOM) -+ - # - # was --with-lmdb specified? - # -@@ -4235,12 +4299,12 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM" - ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM" - ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM" - if test "yes" = "$use_atomic"; then -+ AC_CHECK_SIZEOF([void *]) - have_atomic=yes # set default - case "$host" in - [i[3456]86-*]) - # XXX: some old x86 architectures actually do not support - # (some of) these operations. Do we need stricter checks? 
-- AC_CHECK_SIZEOF([void *]) - if test $ac_cv_sizeof_void_p = 8; then - arch=x86_64 - have_xaddq=yes -@@ -4249,7 +4313,6 @@ if test "yes" = "$use_atomic"; then - fi - ;; - x86_64-*|amd64-*) -- AC_CHECK_SIZEOF([void *]) - if test $ac_cv_sizeof_void_p = 8; then - arch=x86_64 - have_xaddq=yes -@@ -5613,6 +5676,8 @@ report() { - echo " IPv6 support (--enable-ipv6)" - test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \ - echo " OpenSSL cryptography/DNSSEC (--with-openssl)" -+ test "no" = "$want_crypto_rand" || \ -+ echo " Crypto provider entropy source (--enable-crypto-rand)" - test "X$PYTHON" = "X" || echo " Python tools (--with-python)" - test "X$XMLSTATS" = "X" || echo " XML statistics (--with-libxml2)" - test "X$JSONSTATS" = "X" || echo " JSON statistics (--with-libjson)" -@@ -5653,6 +5718,8 @@ report() { - echo " Very verbose query trace logging (--enable-querytrace)" - test "no" = "$atf" || echo " Automated Testing Framework (--with-atf)" - -+ echo " Cryptographic library for DNSSEC: $CRYPTOLIB" -+ - echo " Dynamically loadable zone (DLZ) drivers:" - test "no" = "$use_dlz_bdb" || \ - echo " Berkeley DB (--with-dlz-bdb)" -@@ -5700,6 +5767,8 @@ report() { - echo " ECDSA algorithm support (--with-ecdsa)" - test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \ - echo " EDDSA algorithm support (--with-eddsa)" -+ test "yes" = "$want_crypto_rand" || \ -+ echo " Crypto provider entropy source (--enable-crypto-rand)" - - test "yes" = "$enable_seccomp" || \ - echo " Use libseccomp system call filtering (--enable-seccomp)" -diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c -index dbece0a..803e7b3 100644 ---- a/lib/dns/dst_api.c -+++ b/lib/dns/dst_api.c -@@ -274,6 +274,12 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx, - #ifdef GSSAPI - RETERR(dst__gssapi_init(&dst_t_func[DST_ALG_GSSAPI])); - #endif -+#if defined(OPENSSL) || defined(PKCS11CRYPTO) -+#ifdef ISC_PLATFORM_CRYPTORANDOM -+ if (dst_entropy_pool != NULL) -+ 
isc_entropy_sethook(dst_random_getdata); -+#endif -+#endif /* defined(OPENSSL) || defined(PKCS11CRYPTO) */ - dst_initialized = ISC_TRUE; - return (ISC_R_SUCCESS); - -@@ -293,11 +299,19 @@ dst_lib_destroy(void) { - for (i = 0; i < DST_MAX_ALGS; i++) - if (dst_t_func[i] != NULL && dst_t_func[i]->cleanup != NULL) - dst_t_func[i]->cleanup(); -+#if defined(OPENSSL) || defined(PKCS11CRYPTO) -+#ifdef ISC_PLATFORM_CRYPTORANDOM -+ if (dst_entropy_pool != NULL) { -+ isc_entropy_usehook(dst_entropy_pool, ISC_FALSE); -+ isc_entropy_sethook(NULL); -+ } -+#endif - #ifdef OPENSSL - dst__openssl_destroy(); - #elif PKCS11CRYPTO - (void) dst__pkcs11_destroy(); - #endif /* if OPENSSL, elif PKCS11CRYPTO */ -+#endif /* defined(OPENSSL) || defined(PKCS11CRYPTO) */ - if (dst__memory_pool != NULL) - isc_mem_detach(&dst__memory_pool); - if (dst_entropy_pool != NULL) -@@ -2000,13 +2014,17 @@ dst__entropy_getdata(void *buf, unsigned int len, isc_boolean_t pseudo) { - flags &= ~ISC_ENTROPY_GOODONLY; - else - flags |= ISC_ENTROPY_BLOCKING; -+#ifdef ISC_PLATFORM_CRYPTORANDOM -+ return (dst_random_getdata(buf, len, NULL, flags)); -+#else - return (isc_entropy_getdata(dst_entropy_pool, buf, len, NULL, flags)); -+#endif - #endif /* PKCS11CRYPTO */ - } - - unsigned int - dst__entropy_status(void) { --#ifndef PKCS11CRYPTO -+#if !defined(PKCS11CRYPTO) && !defined(ISC_PLATFORM_CRYPTORANDOM) - #ifdef GSSAPI - unsigned int flags = dst_entropy_flags; - isc_result_t ret; -@@ -2029,6 +2047,7 @@ dst__entropy_status(void) { - #endif - return (isc_entropy_status(dst_entropy_pool)); - #else -+ /* Doesn't matter as it is not used in this case. */ - return (0); - #endif - } -diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h -index fcc7b47..d9b6ab6 100644 ---- a/lib/dns/include/dst/dst.h -+++ b/lib/dns/include/dst/dst.h -@@ -157,6 +157,14 @@ dst_lib_destroy(void); - * Releases all resources allocated by DST. 
- */ - -+isc_result_t -+dst_random_getdata(void *data, unsigned int length, -+ unsigned int *returned, unsigned int flags); -+/*%< -+ * \brief Return data from the crypto random generator. -+ * Specialization of isc_entropy_getdata(). -+ */ -+ - isc_boolean_t - dst_algorithm_supported(unsigned int alg); - /*%< -diff --git a/lib/dns/lib.c b/lib/dns/lib.c -index 53237d5..c6d83e9 100644 ---- a/lib/dns/lib.c -+++ b/lib/dns/lib.c -@@ -9,14 +9,13 @@ - * information regarding copyright ownership. - */ - --/* $Id: lib.c,v 1.19 2009/09/03 00:12:23 each Exp $ */ -- - /*! \file */ - - #include - - #include - -+#include - #include - #include - #include -@@ -77,6 +76,7 @@ static unsigned int references = 0; - static void - initialize(void) { - isc_result_t result; -+ isc_entropy_t *ectx = NULL; - - REQUIRE(initialize_done == ISC_FALSE); - -@@ -87,11 +87,14 @@ initialize(void) { - result = dns_ecdb_register(dns_g_mctx, &dbimp); - if (result != ISC_R_SUCCESS) - goto cleanup_mctx; -- result = isc_hash_create(dns_g_mctx, NULL, DNS_NAME_MAXWIRE); -+ result = isc_entropy_create(dns_g_mctx, &ectx); - if (result != ISC_R_SUCCESS) - goto cleanup_db; -+ result = isc_hash_create(dns_g_mctx, NULL, DNS_NAME_MAXWIRE); -+ if (result != ISC_R_SUCCESS) -+ goto cleanup_ectx; - -- result = dst_lib_init(dns_g_mctx, NULL, 0); -+ result = dst_lib_init(dns_g_mctx, ectx, 0); - if (result != ISC_R_SUCCESS) - goto cleanup_hash; - -@@ -99,11 +102,17 @@ initialize(void) { - if (result != ISC_R_SUCCESS) - goto cleanup_dst; - -+ isc_hash_init(); -+ isc_entropy_detach(&ectx); -+ - initialize_done = ISC_TRUE; - return; - - cleanup_dst: - dst_lib_destroy(); -+ cleanup_ectx: -+ if (ectx != NULL) -+ isc_entropy_detach(&ectx); - cleanup_hash: - isc_hash_destroy(); - cleanup_db: -diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c -index ec6dc7f..c1e1bde 100644 ---- a/lib/dns/openssl_link.c -+++ b/lib/dns/openssl_link.c -@@ -31,6 +31,7 @@ - #include - #include - #include -+#include - #include - #include - 
#include -@@ -46,8 +47,6 @@ - #include - #endif - --static RAND_METHOD *rm = NULL; -- - #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - static isc_mutex_t *locks = NULL; - static int nlocks; -@@ -57,6 +56,9 @@ static int nlocks; - static ENGINE *e = NULL; - #endif - -+#ifndef ISC_PLATFORM_CRYPTORANDOM -+static RAND_METHOD *rm = NULL; -+ - static int - entropy_get(unsigned char *buf, int num) { - isc_result_t result; -@@ -102,6 +104,7 @@ entropy_add(const void *buf, int num, double entropy) { - return (1); - } - #endif -+#endif /* !ISC_PLATFORM_CRYPTORANDOM */ - - #if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - static void -@@ -190,7 +193,7 @@ _set_thread_id(CRYPTO_THREADID *id) - isc_result_t - dst__openssl_init(const char *engine) { - isc_result_t result; --#if !defined(OPENSSL_NO_ENGINE) -+#if !defined(OPENSSL_NO_ENGINE) && !defined(ISC_PLATFORM_CRYPTORANDOM) - ENGINE *re; - #else - UNUSED(engine); -@@ -220,6 +223,7 @@ dst__openssl_init(const char *engine) { - ERR_load_crypto_strings(); - #endif - -+#ifndef ISC_PLATFORM_CRYPTORANDOM - rm = mem_alloc(sizeof(RAND_METHOD) FILELINE); - if (rm == NULL) { - result = ISC_R_NOMEMORY; -@@ -231,6 +235,7 @@ dst__openssl_init(const char *engine) { - rm->add = entropy_add; - rm->pseudorand = entropy_getpseudo; - rm->status = entropy_status; -+#endif - - #if !defined(OPENSSL_NO_ENGINE) - #if !defined(CONF_MFLAGS_DEFAULT_SECTION) -@@ -264,6 +269,7 @@ dst__openssl_init(const char *engine) { - } - } - -+#ifndef ISC_PLATFORM_CRYPTORANDOM - re = ENGINE_get_default_RAND(); - if (re == NULL) { - re = ENGINE_new(); -@@ -276,9 +282,21 @@ dst__openssl_init(const char *engine) { - ENGINE_free(re); - } else - ENGINE_finish(re); -+#endif - #else -+#ifndef ISC_PLATFORM_CRYPTORANDOM - RAND_set_rand_method(rm); -+#endif - #endif /* !defined(OPENSSL_NO_ENGINE) */ -+ -+ /* Protect ourselves against unseeded PRNG */ -+ if (RAND_status() != 1) { 
-+ FATAL_ERROR(__FILE__, __LINE__, -+ "OpenSSL pseudorandom number generator " -+ "cannot be initialized (see the `PRNG not " -+ "seeded' message in the OpenSSL FAQ)"); -+ } -+ - return (ISC_R_SUCCESS); - - #if !defined(OPENSSL_NO_ENGINE) -@@ -286,10 +304,14 @@ dst__openssl_init(const char *engine) { - if (e != NULL) - ENGINE_free(e); - e = NULL; -+#ifndef ISC_PLATFORM_CRYPTORANDOM - mem_free(rm FILELINE); - rm = NULL; - #endif -+#endif -+#ifndef ISC_PLATFORM_CRYPTORANDOM - cleanup_mutexinit: -+#endif - #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - CRYPTO_set_locking_callback(NULL); - DESTROYMUTEXBLOCK(locks, nlocks); -@@ -304,14 +326,17 @@ void - dst__openssl_destroy(void) { - #if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100000L) - OPENSSL_cleanup(); -+#ifndef ISC_PLATFORM_CRYPTORANDOM - if (rm != NULL) { - mem_free(rm FILELINE); - rm = NULL; - } -+#endif - #else - /* - * Sequence taken from apps_shutdown() in . - */ -+#ifndef ISC_PLATFORM_CRYPTORANDOM - if (rm != NULL) { - #if OPENSSL_VERSION_NUMBER >= 0x00907000L - RAND_cleanup(); -@@ -319,6 +344,7 @@ dst__openssl_destroy(void) { - mem_free(rm FILELINE); - rm = NULL; - } -+#endif - #if (OPENSSL_VERSION_NUMBER >= 0x00907000L) - CONF_modules_free(); - #endif -@@ -454,11 +480,45 @@ dst__openssl_getengine(const char *engine) { - } - #endif - --#else /* OPENSSL */ -+isc_result_t -+dst_random_getdata(void *data, unsigned int length, -+ unsigned int *returned, unsigned int flags) { -+#ifdef ISC_PLATFORM_CRYPTORANDOM -+#ifndef DONT_REQUIRE_DST_LIB_INIT -+ INSIST(dst__memory_pool != NULL); -+#endif -+ REQUIRE(data != NULL); -+ REQUIRE(length > 0); - --#include -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) -+ if ((flags & ISC_ENTROPY_GOODONLY) == 0) { -+ if (RAND_pseudo_bytes((unsigned char *)data, (int)length) < 0) -+ return (dst__openssl_toresult2("RAND_pseudo_bytes", -+ DST_R_OPENSSLFAILURE)); -+ } else { -+ if 
(RAND_bytes((unsigned char *)data, (int)length) != 1) -+ return (dst__openssl_toresult2("RAND_bytes", -+ DST_R_OPENSSLFAILURE)); -+ } -+#else -+ UNUSED(flags); - --EMPTY_TRANSLATION_UNIT -+ if (RAND_bytes((unsigned char *)data, (int)length) != 1) -+ return (dst__openssl_toresult2("RAND_bytes", -+ DST_R_OPENSSLFAILURE)); -+#endif -+ if (returned != NULL) -+ *returned = length; -+ return (ISC_R_SUCCESS); -+#else -+ UNUSED(data); -+ UNUSED(length); -+ UNUSED(returned); -+ UNUSED(flags); -+ -+ return (ISC_R_NOTIMPLEMENTED); -+#endif -+} - - #endif /* OPENSSL */ - /*! \file */ -diff --git a/lib/dns/pkcs11.c b/lib/dns/pkcs11.c -index 5a2c502..8eaef53 100644 ---- a/lib/dns/pkcs11.c -+++ b/lib/dns/pkcs11.c -@@ -13,12 +13,15 @@ - - #include - -+#include -+ - #include - #include - - #include - #include - -+#include "dst_internal.h" - #include "dst_pkcs11.h" - - isc_result_t -@@ -34,12 +37,32 @@ dst__pkcs11_toresult(const char *funcname, const char *file, int line, - return (fallback); - } - -+isc_result_t -+dst_random_getdata(void *data, unsigned int length, -+ unsigned int *returned, unsigned int flags) { -+#ifdef ISC_PLATFORM_CRYPTORANDOM -+ isc_result_t ret; - --#else /* PKCS11CRYPTO */ -+#ifndef DONT_REQUIRE_DST_LIB_INIT -+ INSIST(dst__memory_pool != NULL); -+#endif -+ REQUIRE(data != NULL); -+ REQUIRE(length > 0); -+ UNUSED(flags); - --#include -+ ret = pk11_rand_bytes(data, (int) length); -+ if ((ret == ISC_R_SUCCESS) && (returned != NULL)) -+ *returned = length; -+ return (ret); -+#else -+ UNUSED(data); -+ UNUSED(length); -+ UNUSED(returned); -+ UNUSED(flags); - --EMPTY_TRANSLATION_UNIT -+ return (ISC_R_NOTIMPLEMENTED); -+#endif -+} - - #endif /* PKCS11CRYPTO */ - /*! 
\file */ -diff --git a/lib/dns/tests/Atffile b/lib/dns/tests/Atffile -index 953082d..603c4b5 100644 ---- a/lib/dns/tests/Atffile -+++ b/lib/dns/tests/Atffile -@@ -10,6 +10,7 @@ tp: dbversion_test - tp: dh_test - tp: dispatch_test - tp: dnstap_test -+tp: dstrandom_test - tp: dst_test - tp: geoip_test - tp: gost_test -diff --git a/lib/dns/tests/Kyuafile b/lib/dns/tests/Kyuafile -index 0353a73..cb2324d 100644 ---- a/lib/dns/tests/Kyuafile -+++ b/lib/dns/tests/Kyuafile -@@ -10,6 +10,7 @@ atf_test_program{name='dh_test'} - atf_test_program{name='dispatch_test'} - atf_test_program{name='dnstap_test'} - atf_test_program{name='dst_test'} -+atf_test_program{name='dstrandom_test'} - atf_test_program{name='geoip_test'} - atf_test_program{name='gost_test'} - atf_test_program{name='keytable_test'} -diff --git a/lib/dns/tests/Makefile.in b/lib/dns/tests/Makefile.in -index 58fa872..625e809 100644 ---- a/lib/dns/tests/Makefile.in -+++ b/lib/dns/tests/Makefile.in -@@ -40,6 +40,7 @@ SRCS = acl_test.c \ - dnstap_test.c \ - dst_test.c \ - dnstest.c \ -+ dstrandom_test.c \ - geoip_test.c \ - gost_test.c \ - keytable_test.c \ -@@ -71,6 +72,7 @@ TARGETS = acl_test@EXEEXT@ \ - dh_test@EXEEXT@ \ - dispatch_test@EXEEXT@ \ - dnstap_test@EXEEXT@ \ -+ dstrandom_test@EXEEXT@ \ - dst_test@EXEEXT@ \ - geoip_test@EXEEXT@ \ - gost_test@EXEEXT@ \ -@@ -255,6 +257,11 @@ tsig_test@EXEEXT@: tsig_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} - tsig_test.@O@ dnstest.@O@ ${DNSLIBS} \ - ${ISCLIBS} ${LIBS} - -+dstrandom_test@EXEEXT@: dstrandom_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} -+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \ -+ dstrandom_test.@O@ ${DNSLIBS} \ -+ ${ISCLIBS} ${ISCPK11LIBS} ${LIBS} -+ - unit:: - sh ${top_builddir}/unit/unittest.sh - -diff --git a/lib/dns/tests/dnstest.c b/lib/dns/tests/dnstest.c -index fb9ef53..344a7c2 100644 ---- a/lib/dns/tests/dnstest.c -+++ b/lib/dns/tests/dnstest.c -@@ -120,12 +120,12 @@ dns_test_begin(FILE *logfile, isc_boolean_t start_managers) 
{ - CHECK(isc_mem_create(0, 0, &mctx)); - CHECK(isc_entropy_create(mctx, &ectx)); - -- CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)); -- hash_active = ISC_TRUE; -- - CHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_BLOCKING)); - dst_active = ISC_TRUE; - -+ CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)); -+ hash_active = ISC_TRUE; -+ - if (logfile != NULL) { - isc_logdestination_t destination; - isc_logconfig_t *logconfig = NULL; -@@ -169,14 +169,14 @@ dns_test_begin(FILE *logfile, isc_boolean_t start_managers) { - - void - dns_test_end(void) { -- if (dst_active) { -- dst_lib_destroy(); -- dst_active = ISC_FALSE; -- } - if (hash_active) { - isc_hash_destroy(); - hash_active = ISC_FALSE; - } -+ if (dst_active) { -+ dst_lib_destroy(); -+ dst_active = ISC_FALSE; -+ } - if (ectx != NULL) - isc_entropy_detach(&ectx); - -diff --git a/lib/dns/tests/dstrandom_test.c b/lib/dns/tests/dstrandom_test.c -new file mode 100644 -index 0000000..d2c72e7 ---- /dev/null -+++ b/lib/dns/tests/dstrandom_test.c -@@ -0,0 +1,105 @@ -+/* -+ * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") -+ * -+ * Permission to use, copy, modify, and/or distribute this software for any -+ * purpose with or without fee is hereby granted, provided that the above -+ * copyright notice and this permission notice appear in all copies. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -+ * PERFORMANCE OF THIS SOFTWARE. -+ */ -+ -+/* $Id$ */ -+ -+/*! 
\file */ -+ -+#include -+ -+#include -+ -+#include -+#include -+ -+#include -+#include -+#include -+#include -+ -+#include -+ -+isc_mem_t *mctx = NULL; -+isc_entropy_t *ectx = NULL; -+unsigned char buffer[128]; -+ -+ATF_TC(isc_entropy_getdata); -+ATF_TC_HEAD(isc_entropy_getdata, tc) { -+ atf_tc_set_md_var(tc, "descr", -+ "isc_entropy_getdata() examples"); -+ atf_tc_set_md_var(tc, "X-randomfile", -+ "testdata/dstrandom/random.data"); -+} -+ATF_TC_BODY(isc_entropy_getdata, tc) { -+ isc_result_t result; -+ unsigned int returned, status; -+ int ret; -+ const char *randomfile = atf_tc_get_md_var(tc, "X-randomfile"); -+ -+ isc_mem_debugging |= ISC_MEM_DEBUGRECORD; -+ result = isc_mem_create(0, 0, &mctx); -+ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); -+ result = isc_entropy_create(mctx, &ectx); -+ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); -+ result = dst_lib_init(mctx, ectx, 0); -+ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); -+ -+#ifdef ISC_PLATFORM_CRYPTORANDOM -+ isc_entropy_usehook(ectx, ISC_TRUE); -+ -+ returned = 0; -+ result = isc_entropy_getdata(ectx, buffer, sizeof(buffer), -+ &returned, 0); -+ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); -+ ATF_REQUIRE(returned == sizeof(buffer)); -+ -+ status = isc_entropy_status(ectx); -+ ATF_REQUIRE_EQ(status, 0); -+ -+ isc_entropy_usehook(ectx, ISC_FALSE); -+#endif -+ -+ ret = chdir(TESTS); -+ ATF_REQUIRE_EQ(ret, 0); -+ -+ result = isc_entropy_createfilesource(ectx, randomfile); -+ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); -+ -+ returned = 0; -+ result = isc_entropy_getdata(ectx, buffer, sizeof(buffer), -+ &returned, 0); -+ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); -+ ATF_REQUIRE(returned == sizeof(buffer)); -+ -+ status = isc_entropy_status(ectx); -+ ATF_REQUIRE(status > 0); -+ -+ dst_lib_destroy(); -+ isc_entropy_detach(&ectx); -+ ATF_REQUIRE(ectx == NULL); -+ isc_mem_destroy(&mctx); -+ ATF_REQUIRE(mctx == NULL); -+} -+ -+/* -+ * Main -+ */ -+ATF_TP_ADD_TCS(tp) { -+ ATF_TP_ADD_TC(tp, isc_entropy_getdata); -+ -+ return (atf_no_error()); -+} -+ 
-diff --git a/lib/dns/win32/libdns.def.in b/lib/dns/win32/libdns.def.in -index d48eeb2..213e9d9 100644 ---- a/lib/dns/win32/libdns.def.in -+++ b/lib/dns/win32/libdns.def.in -@@ -1480,6 +1480,13 @@ dst_lib_destroy - dst_lib_init - dst_lib_init2 - dst_lib_initmsgcat -+@IF PKCS11 -+dst_random_getdata -+@ELSE PKCS11 -+@IF OPENSSL -+dst_random_getdata -+@END OPENSSL -+@END PKCS11 - dst_region_computeid - dst_region_computerid - dst_result_register -diff --git a/lib/isc/entropy.c b/lib/isc/entropy.c -index 232094a..a85650b 100644 ---- a/lib/isc/entropy.c -+++ b/lib/isc/entropy.c -@@ -103,11 +103,15 @@ struct isc_entropy { - isc_uint32_t initialized; - isc_uint32_t initcount; - isc_entropypool_t pool; -+ isc_boolean_t usehook; - unsigned int nsources; - isc_entropysource_t *nextsource; - ISC_LIST(isc_entropysource_t) sources; - }; - -+/*% Global Hook */ -+static isc_entropy_getdata_t hook; -+ - /*% Sample Queue */ - typedef struct { - isc_uint32_t last_time; /*%< last time recorded */ -@@ -556,6 +560,11 @@ isc_entropy_getdata(isc_entropy_t *ent, void *data, unsigned int length, - - LOCK(&ent->lock); - -+ if (ent->usehook && (hook != NULL)) { -+ UNLOCK(&ent->lock); -+ return (hook(data, length, returned, flags)); -+ } -+ - remain = length; - buf = data; - total = 0; -@@ -707,6 +716,7 @@ isc_entropy_create(isc_mem_t *mctx, isc_entropy_t **entp) { - ent->refcnt = 1; - ent->initialized = 0; - ent->initcount = 0; -+ ent->usehook = ISC_FALSE; - ent->magic = ENTROPY_MAGIC; - - isc_entropypool_init(&ent->pool); -@@ -1286,3 +1296,17 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source, - */ - return (final_result); - } -+ -+void -+isc_entropy_usehook(isc_entropy_t *ectx, isc_boolean_t onoff) { -+ REQUIRE(VALID_ENTROPY(ectx)); -+ -+ LOCK(&ectx->lock); -+ ectx->usehook = onoff; -+ UNLOCK(&ectx->lock); -+} -+ -+void -+isc_entropy_sethook(isc_entropy_getdata_t myhook) { -+ hook = myhook; -+} -diff --git a/lib/isc/include/isc/entropy.h 
b/lib/isc/include/isc/entropy.h -index d52c43e..d9deb8a 100644 ---- a/lib/isc/include/isc/entropy.h -+++ b/lib/isc/include/isc/entropy.h -@@ -303,6 +303,18 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source, - * isc_entropy_createcallbacksource(). - */ - -+void -+isc_entropy_usehook(isc_entropy_t *ectx, isc_boolean_t onoff); -+/*!< -+ * \brief Mark/unmark the given entropy structure as being hooked. -+ */ -+ -+void -+isc_entropy_sethook(isc_entropy_getdata_t myhook); -+/*!< -+ * \brief Set the getdata hook (e.g., for a crypto random generator). -+ */ -+ - ISC_LANG_ENDDECLS - - #endif /* ISC_ENTROPY_H */ -diff --git a/lib/isc/include/isc/platform.h.in b/lib/isc/include/isc/platform.h.in -index d7a5bec..0166b79 100644 ---- a/lib/isc/include/isc/platform.h.in -+++ b/lib/isc/include/isc/platform.h.in -@@ -344,6 +344,11 @@ - */ - @ISC_PLATFORM_HAVESTRINGSH@ - -+/* -+ * Define if the random functions are provided by crypto. -+ */ -+@ISC_PLATFORM_CRYPTORANDOM@ -+ - /* - * Define if the hash functions must be provided by OpenSSL. 
- */ -diff --git a/lib/isc/include/isc/types.h b/lib/isc/include/isc/types.h -index f161faf..dec577e 100644 ---- a/lib/isc/include/isc/types.h -+++ b/lib/isc/include/isc/types.h -@@ -93,6 +93,8 @@ typedef struct isc_time isc_time_t; /*%< Time */ - typedef struct isc_timer isc_timer_t; /*%< Timer */ - typedef struct isc_timermgr isc_timermgr_t; /*%< Timer Manager */ - -+typedef isc_result_t (*isc_entropy_getdata_t)(void *, unsigned int, -+ unsigned int *, unsigned int); - typedef void (*isc_taskaction_t)(isc_task_t *, isc_event_t *); - typedef int (*isc_sockfdwatch_t)(isc_task_t *, isc_socket_t *, void *, int); - -diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c -index 48e1031..74566c9 100644 ---- a/lib/isc/pk11.c -+++ b/lib/isc/pk11.c -@@ -327,14 +327,16 @@ pk11_rand_seed_fromfile(const char *randomfile) { - ret = isc_stdio_open(randomfile, "r", &stream); - if (ret != ISC_R_SUCCESS) - goto cleanup; -- ret = isc_stdio_read(seed, 1, SEEDSIZE, stream, &cc); -- if (ret!= ISC_R_SUCCESS) -- goto cleanup; -+ while (ret == ISC_R_SUCCESS) { -+ ret = isc_stdio_read(seed, 1, SEEDSIZE, stream, &cc); -+ if ((ret != ISC_R_SUCCESS) && (ret != ISC_R_EOF)) -+ goto cleanup; -+ (void) pkcs_C_SeedRandom(ctx.session, seed, (CK_ULONG) cc); -+ } - ret = isc_stdio_close(stream); - stream = NULL; -- if (ret!= ISC_R_SUCCESS) -+ if (ret != ISC_R_SUCCESS) - goto cleanup; -- (void) pkcs_C_SeedRandom(ctx.session, seed, (CK_ULONG) cc); - - cleanup: - if (stream != NULL) -diff --git a/lib/isc/win32/include/isc/platform.h.in b/lib/isc/win32/include/isc/platform.h.in -index de6a434..2c32782 100644 ---- a/lib/isc/win32/include/isc/platform.h.in -+++ b/lib/isc/win32/include/isc/platform.h.in -@@ -74,6 +74,11 @@ - #define ISC_PLATFORM_NORETURN_PRE __declspec(noreturn) - #define ISC_PLATFORM_NORETURN_POST - -+/* -+ * Define if the random functions are provided by crypto. -+ */ -+@ISC_PLATFORM_CRYPTORANDOM@ -+ - /* - * Define if the hash functions must be provided by OpenSSL. 
- */ -diff --git a/win32utils/Configure b/win32utils/Configure -index e9f4680..79bb178 100644 ---- a/win32utils/Configure -+++ b/win32utils/Configure -@@ -381,6 +381,7 @@ my @substdefh = ("AES_CC", - my %configdefp; - - my @substdefp = ("ISC_PLATFORM_BUSYWAITNOP", -+ "ISC_PLATFORM_CRYPTORANDOM", - "ISC_PLATFORM_HAVEATOMICSTORE", - "ISC_PLATFORM_HAVEATOMICSTOREQ", - "ISC_PLATFORM_HAVECMPXCHG", -@@ -509,7 +510,8 @@ my @allcond = (@substcond, "NOTYET", "NOLONGER"); - - # enable-xxx/disable-xxx - --my @enablelist = ("developer", -+my @enablelist = ("crypto-rand", -+ "developer", - "fixed-rrset", - "intrinsics", - "isc-spnego", -@@ -571,6 +573,7 @@ my @help = ( - "\nOptional Features:\n", - " enable-intrinsics enable instrinsic/atomic functions [default=yes]\n", - " enable-native-pkcs11 use native PKCS#11 for all crypto [default=no]\n", -+" enable-crypto-rand use crypto provider for random [default=yes]\n", - " enable-openssl-hash use OpenSSL for hash functions [default=yes]\n", - " enable-isc-spnego use SPNEGO from lib/dns [default=yes]\n", - " enable-filter-aaaa enable filtering of AAAA records [default=yes]\n", -@@ -614,7 +617,9 @@ my $want_clean = "no"; - my $want_unknown = "no"; - my $unknown_value; - my $enable_intrinsics = "yes"; -+my $cryptolib = ""; - my $enable_native_pkcs11 = "no"; -+my $enable_crypto_rand = "yes"; - my $enable_openssl_hash = "auto"; - my $enable_filter_aaaa = "yes"; - my $enable_isc_spnego = "yes"; -@@ -823,6 +828,10 @@ sub myenable { - if ($val =~ /^yes$/i) { - $enable_native_pkcs11 = "yes"; - } -+ } elsif ($key =~ /^crypto-rand$/i) { -+ if ($val =~ /^no$/i) { -+ $enable_crypto_rand = "no"; -+ } - } elsif ($key =~ /^openssl-hash$/i) { - if ($val =~ /^yes$/i) { - $enable_openssl_hash = "yes"; -@@ -1106,6 +1115,11 @@ if ($verbose) { - } else { - print "native-pkcs11: disabled\n"; - } -+ if ($enable_crypto_rand eq "yes") { -+ print "crypto-rand: enabled\n"; -+ } else { -+ print "crypto-rand: disabled\n"; -+ } - if ($enable_openssl_hash eq 
"yes") { - print "openssl-hash: enabled\n"; - } else { -@@ -1449,6 +1463,7 @@ if ($enable_intrinsics eq "yes") { - - # enable-native-pkcs11 - if ($enable_native_pkcs11 eq "yes") { -+ $cryptolib = "pkcs11"; - if ($use_openssl eq "auto") { - $use_openssl = "no"; - } -@@ -1658,6 +1673,7 @@ if ($use_openssl eq "yes") { - $openssl_dll = File::Spec->catdir($openssl_path, "@dirlist[0]"); - } - -+ $cryptolib = "openssl"; - $configcond{"OPENSSL"} = 1; - $configdefd{"CRYPTO"} = "OPENSSL"; - $configvar{"OPENSSL_PATH"} = "$openssl_path"; -@@ -2209,6 +2225,15 @@ if ($cookie_algorithm eq "sha1") { - die "Unrecognized cookie algorithm: $cookie_algorithm\n"; - } - -+# enable-crypto-rand -+if ($enable_crypto_rand eq "yes") { -+ if (($use_openssl eq "no") && ($enable_native_pkcs11 eq "no")) { -+ die "No crypto provider for random functions\n"; -+ } -+ $configdefp{"ISC_PLATFORM_CRYPTORANDOM"} = "\"$cryptolib\""; -+} -+print "Cryptographic library for DNSSEC: $cryptolib"; -+ - # enable-openssl-hash - if ($enable_openssl_hash eq "yes") { - if ($use_openssl eq "no") { -@@ -3531,6 +3556,7 @@ exit 0; - # --enable-developer partially supported - # --enable-newstats (9.9/9.9sub only) - # --enable-native-pkcs11 supported -+# --enable-crypto-rand supported - # --enable-openssl-version-check included without a way to disable it - # --enable-openssl-hash supported - # --enable-threads included without a way to disable it -@@ -3556,6 +3582,7 @@ exit 0; - # --with-gost supported - # --with-aes supported - # --with-cc-alg supported -+# --with-randomdev not supported on WIN32 (makes no sense) - # --with-geoip supported - # --with-gssapi supported with MIT (K)erberos (f)or (W)indows - # --with-lmdb no supported on WIN32 (port is not reliable) --- -2.14.4 - diff --git a/bind-9.11-rt46047.patch b/bind-9.11-rt46047.patch deleted file mode 100644 index 915b0ab0dd5e759478122603e79cc2504c4f06fe..0000000000000000000000000000000000000000 --- a/bind-9.11-rt46047.patch +++ /dev/null 
@@ -1,765 +0,0 @@ -From 1ab1aabcf9b2b8de144bab7a3ff5d9f7e6ec9ad4 Mon Sep 17 00:00:00 2001 -From: Evan Hunt -Date: Thu, 28 Sep 2017 10:09:22 -0700 -Subject: [PATCH] completed and corrected the crypto-random change - -4724. [func] By default, BIND now uses the random number - functions provided by the crypto library (i.e., - OpenSSL or a PKCS#11 provider) as a source of - randomness rather than /dev/random. This is - suitable for virtual machine environments - which have limited entropy pools and lack - hardware random number generators. - - This can be overridden by specifying another - entropy source via the "random-device" option - in named.conf, or via the -r command line option; - however, for functions requiring full cryptographic - strength, such as DNSSEC key generation, this - cannot be overridden. In particular, the -r - command line option no longer has any effect on - dnssec-keygen. - - This can be disabled by building with - "configure --disable-crypto-rand". - [RT #31459] [RT #46047] ---- - bin/confgen/keygen.c | 12 +++---- - bin/dnssec/dnssec-keygen.docbook | 24 +++++++++----- - bin/dnssec/dnssectool.c | 12 +++---- - bin/named/client.c | 3 +- - bin/named/config.c | 4 ++- - bin/named/controlconf.c | 19 +++++++---- - bin/named/include/named/server.h | 2 ++ - bin/named/interfacemgr.c | 1 + - bin/named/query.c | 1 + - bin/named/server.c | 53 ++++++++++++++++++------------ - bin/nsupdate/nsupdate.c | 4 +-- - bin/tests/system/pipelined/pipequeries.c | 4 +-- - bin/tests/system/tkey/keycreate.c | 4 +-- - bin/tests/system/tkey/keydelete.c | 4 +-- - doc/arm/Bv9ARM-book.xml | 55 ++++++++++++++++++++++---------- - doc/arm/notes.xml | 23 ++++++++++++- - lib/dns/dst_api.c | 7 ++-- - lib/dns/include/dst/dst.h | 14 ++++++-- - lib/dns/openssl_link.c | 3 +- - lib/isc/include/isc/entropy.h | 50 +++++++++++++++++++++-------- - lib/isc/include/isc/random.h | 28 ++++++++++------ - lib/isccfg/namedconf.c | 2 +- - 22 files changed, 219 insertions(+), 110 deletions(-) - -diff 
--git a/bin/confgen/keygen.c b/bin/confgen/keygen.c -index fa439cc..a7ad417 100644 ---- a/bin/confgen/keygen.c -+++ b/bin/confgen/keygen.c -@@ -161,17 +161,15 @@ generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg, - - DO("create entropy context", isc_entropy_create(mctx, &ectx)); - -- if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) { -- randomfile = NULL; -- open_keyboard = ISC_ENTROPY_KEYBOARDYES; -- } - #ifdef ISC_PLATFORM_CRYPTORANDOM -- if (randomfile != NULL && -- strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { -- randomfile = NULL; -+ if (randomfile == NULL) { - isc_entropy_usehook(ectx, ISC_TRUE); - } - #endif -+ if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) { -+ randomfile = NULL; -+ open_keyboard = ISC_ENTROPY_KEYBOARDYES; -+ } - DO("start entropy source", isc_entropy_usebestsource(ectx, - &entropy_source, - randomfile, -diff --git a/bin/dnssec/dnssec-keygen.docbook b/bin/dnssec/dnssec-keygen.docbook -index 96dfef6..1c84b06 100644 ---- a/bin/dnssec/dnssec-keygen.docbook -+++ b/bin/dnssec/dnssec-keygen.docbook -@@ -349,15 +349,23 @@ - -r randomdev - - -- Specifies the source of randomness. If the operating -- system does not provide a /dev/random -- or equivalent device, the default source of randomness -- is keyboard input. randomdev -- specifies -+ Specifies a source of randomness. Normally, when generating -+ DNSSEC keys, this option has no effect; the random number -+ generation function provided by the cryptographic library will -+ be used. -+ -+ -+ If that behavior is disabled at compile time, however, -+ the specified file will be used as entropy source -+ for key generation. randomdev is - the name of a character device or file containing random -- data to be used instead of the default. The special value -- keyboard indicates that keyboard -- input should be used. -+ data to be used. The special value keyboard -+ indicates that keyboard input should be used. 
-+ -+ -+ The default is /dev/random if the -+ operating system provides it or an equivalent device; -+ if not, the default source of randomness is keyboard input. - - - -diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c -index 4ea9eaf..5dd9475 100644 ---- a/bin/dnssec/dnssectool.c -+++ b/bin/dnssec/dnssectool.c -@@ -239,18 +239,16 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { - ISC_LIST_INIT(sources); - } - -+#ifdef ISC_PLATFORM_CRYPTORANDOM -+ if (randomfile == NULL) { -+ isc_entropy_usehook(*ectx, ISC_TRUE); -+ } -+#endif - if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) { - usekeyboard = ISC_ENTROPY_KEYBOARDYES; - randomfile = NULL; - } - --#ifdef ISC_PLATFORM_CRYPTORANDOM -- if (randomfile != NULL && -- strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { -- randomfile = NULL; -- isc_entropy_usehook(*ectx, ISC_TRUE); -- } --#endif - result = isc_entropy_usebestsource(*ectx, &source, randomfile, - usekeyboard); - -diff --git a/bin/named/client.c b/bin/named/client.c -index b9ebc93..20e5f39 100644 ---- a/bin/named/client.c -+++ b/bin/named/client.c -@@ -1605,7 +1605,8 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message, - - isc_buffer_init(&buf, cookie, sizeof(cookie)); - isc_stdtime_get(&now); -- isc_random_get(&nonce); -+ nonce = ((isc_rng_random(ns_g_server->rngctx) << 16) | -+ isc_rng_random(ns_g_server->rngctx)); - - compute_cookie(client, now, nonce, ns_g_server->secret, &buf); - -diff --git a/bin/named/config.c b/bin/named/config.c -index c50f759..c1e72ef 100644 ---- a/bin/named/config.c -+++ b/bin/named/config.c -@@ -92,7 +92,9 @@ options {\n\ - # pid-file \"" NS_LOCALSTATEDIR "/run/named/named.pid\"; /* or /lwresd.pid */\n\ - port 53;\n\ - prefetch 2 9;\n" --#ifdef PATH_RANDOMDEV -+#if defined(ISC_PLATFORM_CRYPTORANDOM) -+" random-device none;\n" -+#elif defined(PATH_RANDOMDEV) - " random-device \"" PATH_RANDOMDEV "\";\n" - #endif - " recursing-file \"named.recursing\";\n\ -diff 
--git a/bin/named/controlconf.c b/bin/named/controlconf.c -index 237e8dc..b905475 100644 ---- a/bin/named/controlconf.c -+++ b/bin/named/controlconf.c -@@ -322,9 +322,10 @@ log_invalid(isccc_ccmsg_t *ccmsg, isc_result_t result) { - - static void - control_recvmessage(isc_task_t *task, isc_event_t *event) { -- controlconnection_t *conn; -- controllistener_t *listener; -- controlkey_t *key; -+ controlconnection_t *conn = NULL; -+ controllistener_t *listener = NULL; -+ ns_server_t *server = NULL; -+ controlkey_t *key = NULL; - isccc_sexpr_t *request = NULL; - isccc_sexpr_t *response = NULL; - isc_uint32_t algorithm; -@@ -335,16 +336,17 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) { - isc_buffer_t *text; - isc_result_t result; - isc_result_t eresult; -- isccc_sexpr_t *_ctrl; -+ isccc_sexpr_t *_ctrl = NULL; - isccc_time_t sent; - isccc_time_t exp; - isc_uint32_t nonce; -- isccc_sexpr_t *data; -+ isccc_sexpr_t *data = NULL; - - REQUIRE(event->ev_type == ISCCC_EVENT_CCMSG); - - conn = event->ev_arg; - listener = conn->listener; -+ server = listener->controls->server; - algorithm = DST_ALG_UNKNOWN; - secret.rstart = NULL; - text = NULL; -@@ -455,8 +457,11 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) { - * Establish nonce. 
- */ - if (conn->nonce == 0) { -- while (conn->nonce == 0) -- isc_random_get(&conn->nonce); -+ while (conn->nonce == 0) { -+ isc_uint16_t r1 = isc_rng_random(server->rngctx); -+ isc_uint16_t r2 = isc_rng_random(server->rngctx); -+ conn->nonce = (r1 << 16) | r2; -+ } - eresult = ISC_R_SUCCESS; - } else - eresult = ns_control_docommand(request, listener->readonly, &text); -diff --git a/bin/named/include/named/server.h b/bin/named/include/named/server.h -index d8179a6..e03d24d 100644 ---- a/bin/named/include/named/server.h -+++ b/bin/named/include/named/server.h -@@ -17,6 +17,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -131,6 +132,7 @@ struct ns_server { - char * lockfile; - - isc_uint16_t transfer_tcp_message_size; -+ isc_rng_t * rngctx; - }; - - struct ns_altsecret { -diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c -index d8c7188..50f924e 100644 ---- a/bin/named/interfacemgr.c -+++ b/bin/named/interfacemgr.c -@@ -15,6 +15,7 @@ - - #include - #include -+#include - #include - #include - #include -diff --git a/bin/named/query.c b/bin/named/query.c -index accbf3b..d89622d 100644 ---- a/bin/named/query.c -+++ b/bin/named/query.c -@@ -18,6 +18,7 @@ - #include - #include - #include -+#include - #include - #include - #include -diff --git a/bin/named/server.c b/bin/named/server.c -index ca789e5..1413e85 100644 ---- a/bin/named/server.c -+++ b/bin/named/server.c -@@ -8076,21 +8076,30 @@ load_configuration(const char *filename, ns_server_t *server, - * Open the source of entropy. 
- */ - if (first_time) { -+ const char *randomdev = NULL; -+ int level = ISC_LOG_ERROR; - obj = NULL; - result = ns_config_get(maps, "random-device", &obj); -- if (result != ISC_R_SUCCESS) { -- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, -- NS_LOGMODULE_SERVER, ISC_LOG_INFO, -- "no source of entropy found"); -- } else { -- const char *randomdev = cfg_obj_asstring(obj); -+ if (result == ISC_R_SUCCESS) { -+ if (!cfg_obj_isvoid(obj)) { -+ level = ISC_LOG_INFO; -+ randomdev = cfg_obj_asstring(obj); -+ } -+ } -+ if (randomdev == NULL) { - #ifdef ISC_PLATFORM_CRYPTORANDOM -- if (strcmp(randomdev, ISC_PLATFORM_CRYPTORANDOM) == 0) -- isc_entropy_usehook(ns_g_entropy, ISC_TRUE); -+ isc_entropy_usehook(ns_g_entropy, ISC_TRUE); - #else -- int level = ISC_LOG_ERROR; -- result = isc_entropy_createfilesource(ns_g_entropy, -- randomdev); -+ if ((obj != NULL) && !cfg_obj_isvoid(obj)) -+ level = ISC_LOG_INFO; -+ isc_log_write(named_g_lctx, NS_LOGCATEGORY_GENERAL, -+ NS_LOGMODULE_SERVER, level, -+ "no source of entropy found"); -+ if ((obj == NULL) || cfg_obj_isvoid(obj)) { -+ CHECK(ISC_R_FAILURE); -+ } -+#endif -+ } else { - #ifdef PATH_RANDOMDEV - if (ns_g_fallbackentropy != NULL) { - level = ISC_LOG_INFO; -@@ -8101,8 +8110,8 @@ load_configuration(const char *filename, ns_server_t *server, - NS_LOGCATEGORY_GENERAL, - NS_LOGMODULE_SERVER, - level, -- "could not open entropy source " -- "%s: %s", -+ "could not open " -+ "entropy source %s: %s", - randomdev, - isc_result_totext(result)); - } -@@ -8122,7 +8131,6 @@ load_configuration(const char *filename, ns_server_t *server, - } - isc_entropy_detach(&ns_g_fallbackentropy); - } --#endif - #endif - } - } -@@ -8911,6 +8919,9 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) { - CHECKFATAL(dns_tkeyctx_create(ns_g_mctx, ns_g_entropy, - &server->tkeyctx), - "creating TKEY context"); -+ server->rngctx = NULL; -+ CHECKFATAL(isc_rng_create(ns_g_mctx, ns_g_entropy, &server->rngctx), -+ "creating random numbers context"); - - /* 
- * Setup the server task, which is responsible for coordinating -@@ -9117,7 +9128,8 @@ ns_server_destroy(ns_server_t **serverp) { - - if (server->zonemgr != NULL) - dns_zonemgr_detach(&server->zonemgr); -- -+ if (server->rngctx != NULL) -+ isc_rng_detach(&server->rngctx); - if (server->tkeyctx != NULL) - dns_tkeyctx_destroy(&server->tkeyctx); - -@@ -13018,10 +13030,10 @@ newzone_cfgctx_destroy(void **cfgp) { - - static isc_result_t - generate_salt(unsigned char *salt, size_t saltlen) { -- int i, n; -+ size_t i, n; - union { - unsigned char rnd[256]; -- isc_uint32_t rnd32[64]; -+ isc_uint16_t rnd16[128]; - } rnd; - unsigned char text[512 + 1]; - isc_region_t r; -@@ -13031,9 +13043,10 @@ generate_salt(unsigned char *salt, size_t saltlen) { - if (saltlen > 256U) - return (ISC_R_RANGE); - -- n = (int) (saltlen + sizeof(isc_uint32_t) - 1) / sizeof(isc_uint32_t); -- for (i = 0; i < n; i++) -- isc_random_get(&rnd.rnd32[i]); -+ n = (saltlen + sizeof(isc_uint16_t) - 1) / sizeof(isc_uint16_t); -+ for (i = 0; i < n; i++) { -+ rnd.rnd16[i] = isc_rng_random(ns_g_server->rngctx); -+ } - - memmove(salt, rnd.rnd, saltlen); - -diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c -index 46c7acf..a0d0278 100644 ---- a/bin/nsupdate/nsupdate.c -+++ b/bin/nsupdate/nsupdate.c -@@ -281,9 +281,7 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { - } - - #ifdef ISC_PLATFORM_CRYPTORANDOM -- if (randomfile != NULL && -- strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { -- randomfile = NULL; -+ if (randomfile == NULL) { - isc_entropy_usehook(*ectx, ISC_TRUE); - } - #endif -diff --git a/bin/tests/system/pipelined/pipequeries.c b/bin/tests/system/pipelined/pipequeries.c -index 810d99e..d7d10e2 100644 ---- a/bin/tests/system/pipelined/pipequeries.c -+++ b/bin/tests/system/pipelined/pipequeries.c -@@ -279,9 +279,7 @@ main(int argc, char *argv[]) { - ectx = NULL; - RUNCHECK(isc_entropy_create(mctx, &ectx)); - #ifdef ISC_PLATFORM_CRYPTORANDOM -- if 
(randomfile != NULL && -- strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { -- randomfile = NULL; -+ if (randomfile == NULL) { - isc_entropy_usehook(ectx, ISC_TRUE); - } - #endif -diff --git a/bin/tests/system/tkey/keycreate.c b/bin/tests/system/tkey/keycreate.c -index 4f2f5b4..0894db7 100644 ---- a/bin/tests/system/tkey/keycreate.c -+++ b/bin/tests/system/tkey/keycreate.c -@@ -255,9 +255,7 @@ main(int argc, char *argv[]) { - ectx = NULL; - RUNCHECK(isc_entropy_create(mctx, &ectx)); - #ifdef ISC_PLATFORM_CRYPTORANDOM -- if (randomfile != NULL && -- strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { -- randomfile = NULL; -+ if (randomfile == NULL) { - isc_entropy_usehook(ectx, ISC_TRUE); - } - #endif -diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c -index 0975bbe..5b8a470 100644 ---- a/bin/tests/system/tkey/keydelete.c -+++ b/bin/tests/system/tkey/keydelete.c -@@ -182,9 +182,7 @@ main(int argc, char **argv) { - ectx = NULL; - RUNCHECK(isc_entropy_create(mctx, &ectx)); - #ifdef ISC_PLATFORM_CRYPTORANDOM -- if (randomfile != NULL && -- strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { -- randomfile = NULL; -+ if (randomfile == NULL) { - isc_entropy_usehook(ectx, ISC_TRUE); - } - #endif -diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml -index a5d9e2e..2a96f71 100644 ---- a/doc/arm/Bv9ARM-book.xml -+++ b/doc/arm/Bv9ARM-book.xml -@@ -5070,22 +5070,45 @@ badresp:1,adberr:0,findfail:0,valfail:0] - random-device - - -- The source of entropy to be used by the server. Entropy is -- primarily needed -- for DNSSEC operations, such as TKEY transactions and dynamic -- update of signed -- zones. This options specifies the device (or file) from which -- to read -- entropy. If this is a file, operations requiring entropy will -- fail when the -- file has been exhausted. If not specified, the default value -- is -- /dev/random -- (or equivalent) when present, and none otherwise. 
The -- random-device option takes -- effect during -- the initial configuration load at server startup time and -- is ignored on subsequent reloads. -+ Specifies a source of entropy to be used by the server. -+ This is a device or file from which to read entropy. -+ If it is a file, operations requiring entropy -+ will fail when the file has been exhausted. -+ -+ -+ Entropy is needed for cryptographic operations such as -+ TKEY transactions, dynamic update of signed zones, and -+ generation of TSIG session keys. It is also used for -+ seeding and stirring the pseudo-random number generator, -+ which is used for less critical functions requiring -+ randomness such as generation of DNS message transaction -+ ID's. -+ -+ -+ If random-device is not specified, or -+ if it is set to none, entropy will be -+ read from the random number generation function supplied -+ by the cryptographic library with which BIND was linked -+ (i.e. OpenSSL or a PKCS#11 provider). -+ -+ -+ The random-device option takes -+ effect during the initial configuration load at server -+ startup time and is ignored on subsequent reloads. -+ -+ -+ If BIND is built with -+ configure --disable-crypto-rand, then -+ entropy is not sourced from the -+ cryptographic library. In this case, if -+ random-device is not specified, the -+ default value is the system random device, -+ /dev/random or the equivalent. -+ This default can be overridden with -+ configure --with-randomdev. -+ If no system random device exists, then no entropy source -+ will be configured, and named will only -+ be able to use pseudo-random numbers. - - - -diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml -index d3fdb5e..a8ad92d 100644 ---- a/doc/arm/notes.xml -+++ b/doc/arm/notes.xml -@@ -105,7 +105,28 @@ - - - -- None. -+ By default, BIND now uses the random number generation functions -+ in the cryptographic library (i.e., OpenSSL or a PKCS#11 -+ provider) as a source of high-quality randomness rather than -+ /dev/random. 
This is suitable for virtual -+ machine environments, which may have limited entropy pools and -+ lack hardware random number generators. -+ -+ -+ This can be overridden by specifying another entropy source via -+ the random-device option in -+ named.conf, or via the -r -+ command line option. However, for functions requiring full -+ cryptographic strength, such as DNSSEC key generation, this -+ cannot be overridden. In particular, the -+ -r command line option no longer has any -+ effect on dnssec-keygen. -+ -+ -+ This can be disabled by building with -+ configure --disable-crypto-rand, in which -+ case /dev/random will be the default -+ entropy source. [RT #31459] [RT #46047] - - - -diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c -index 803e7b3..29a4fef 100644 ---- a/lib/dns/dst_api.c -+++ b/lib/dns/dst_api.c -@@ -276,8 +276,9 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx, - #endif - #if defined(OPENSSL) || defined(PKCS11CRYPTO) - #ifdef ISC_PLATFORM_CRYPTORANDOM -- if (dst_entropy_pool != NULL) -+ if (dst_entropy_pool != NULL) { - isc_entropy_sethook(dst_random_getdata); -+ } - #endif - #endif /* defined(OPENSSL) || defined(PKCS11CRYPTO) */ - dst_initialized = ISC_TRUE; -@@ -2015,10 +2016,12 @@ dst__entropy_getdata(void *buf, unsigned int len, isc_boolean_t pseudo) { - else - flags |= ISC_ENTROPY_BLOCKING; - #ifdef ISC_PLATFORM_CRYPTORANDOM -+ /* get entropy directly from crypto provider */ - return (dst_random_getdata(buf, len, NULL, flags)); - #else -+ /* get entropy from entropy source or hook function */ - return (isc_entropy_getdata(dst_entropy_pool, buf, len, NULL, flags)); --#endif -+#endif /* ISC_PLATFORM_CRYPTORANDOM */ - #endif /* PKCS11CRYPTO */ - } - -diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h -index d9b6ab6..e8c1a3c 100644 ---- a/lib/dns/include/dst/dst.h -+++ b/lib/dns/include/dst/dst.h -@@ -161,8 +161,18 @@ isc_result_t - dst_random_getdata(void *data, unsigned int length, - unsigned int *returned, unsigned int 
flags); - /*%< -- * \brief Return data from the crypto random generator. -- * Specialization of isc_entropy_getdata(). -+ * Gets random data from the random generator provided by the -+ * crypto library, if BIND was built with --enable-crypto-rand. -+ * -+ * See isc_entropy_getdata() for parameter usage. Normally when -+ * this function is available, it will be set up as a hook in the -+ * entropy context, so that isc_entropy_getdata() is a front-end to -+ * this function. -+ * -+ * Returns: -+ * \li ISC_R_SUCCESS on success -+ * \li ISC_R_NOTIMPLEMENTED if BIND is built with --disable-crypto-rand -+ * \li DST_R_OPENSSLFAILURE, DST_R_CRYPTOFAILURE, or other codes on error - */ - - isc_boolean_t -diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c -index c1e1bde..91e87d0 100644 ---- a/lib/dns/openssl_link.c -+++ b/lib/dns/openssl_link.c -@@ -482,7 +482,8 @@ dst__openssl_getengine(const char *engine) { - - isc_result_t - dst_random_getdata(void *data, unsigned int length, -- unsigned int *returned, unsigned int flags) { -+ unsigned int *returned, unsigned int flags) -+{ - #ifdef ISC_PLATFORM_CRYPTORANDOM - #ifndef DONT_REQUIRE_DST_LIB_INIT - INSIST(dst__memory_pool != NULL); -diff --git a/lib/isc/include/isc/entropy.h b/lib/isc/include/isc/entropy.h -index d9deb8a..2d37363 100644 ---- a/lib/isc/include/isc/entropy.h -+++ b/lib/isc/include/isc/entropy.h -@@ -9,8 +9,6 @@ - * information regarding copyright ownership. - */ - --/* $Id: entropy.h,v 1.35 2009/10/19 02:37:08 marka Exp $ */ -- - #ifndef ISC_ENTROPY_H - #define ISC_ENTROPY_H 1 - -@@ -190,9 +188,8 @@ isc_entropy_createcallbacksource(isc_entropy_t *ent, - /*!< - * \brief Create an entropy source that is polled via a callback. - * -- * This would -- * be used when keyboard input is used, or a GUI input method. It can -- * also be used to hook in any external entropy source. -+ * This would be used when keyboard input is used, or a GUI input method. 
-+ * It can also be used to hook in any external entropy source. - * - * Samples are added via isc_entropy_addcallbacksample(), below. - * _addcallbacksample() is the only function which may be called from -@@ -233,15 +230,32 @@ isc_result_t - isc_entropy_getdata(isc_entropy_t *ent, void *data, unsigned int length, - unsigned int *returned, unsigned int flags); - /*!< -- * \brief Extract data from the entropy pool. This may load the pool from various -- * sources. -+ * \brief Get random data from entropy pool 'ent'. -+ * -+ * If a hook has been set up using isc_entropy_sethook() and -+ * isc_entropy_usehook(), then the hook function will be called to get -+ * random data. -+ * -+ * Otherwise, randomness is extracted from the entropy pool set up in BIND. -+ * This may cause the pool to be loaded from various sources. Ths is done -+ * by stirring the pool and returning a part of hash as randomness. -+ * (Note that no secrets are given away here since parts of the hash are -+ * XORed together before returning.) -+ * -+ * 'flags' may contain ISC_ENTROPY_GOODONLY, ISC_ENTROPY_PARTIAL, or -+ * ISC_ENTROPY_BLOCKING. These will be honored if the hook function is -+ * not in use. If it is, the flags will be passed to the hook function -+ * but it may ignore them. - * -- * Do this by stiring the pool and returning a part of hash as randomness. -- * Note that no secrets are given away here since parts of the hash are -- * xored together before returned. -+ * Up to 'length' bytes of randomness are retrieved and copied into 'data'. -+ * (If 'returned' is not NULL, and the number of bytes copied is less than -+ * 'length' - which may happen if ISC_ENTROPY_PARTIAL was used - then the -+ * number of bytes copied will be stored in *returned.) - * -- * Honor the request from the caller to only return good data, any data, -- * etc. 
-+ * Returns: -+ * \li ISC_R_SUCCESS on success -+ * \li ISC_R_NOENTROPY if entropy pool is empty -+ * \li other error codes are possible when a hook is in use - */ - - void -@@ -306,13 +320,21 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source, - void - isc_entropy_usehook(isc_entropy_t *ectx, isc_boolean_t onoff); - /*!< -- * \brief Mark/unmark the given entropy structure as being hooked. -+ * \brief Configure entropy context 'ectx' to use the hook function -+ * -+ * Sets the entropy context to call the hook function for random number -+ * generation, if such a function has been configured via -+ * isc_entropy_sethook(), whenever isc_entropy_getdata() is called. - */ - - void - isc_entropy_sethook(isc_entropy_getdata_t myhook); - /*!< -- * \brief Set the getdata hook (e.g., for a crypto random generator). -+ * \brief Set the hook function. -+ * -+ * The hook function is a global value: only one hook function -+ * can be set in the system. Individual entropy contexts may be -+ * configured to use it, or not, by calling isc_entropy_usehook(). - */ - - ISC_LANG_ENDDECLS -diff --git a/lib/isc/include/isc/random.h b/lib/isc/include/isc/random.h -index ba53ebf..b575728 100644 ---- a/lib/isc/include/isc/random.h -+++ b/lib/isc/include/isc/random.h -@@ -9,8 +9,6 @@ - * information regarding copyright ownership. - */ - --/* $Id: random.h,v 1.20 2009/01/17 23:47:43 tbox Exp $ */ -- - #ifndef ISC_RANDOM_H - #define ISC_RANDOM_H 1 - -@@ -21,13 +19,23 @@ - #include - - /*! \file isc/random.h -- * \brief Implements a random state pool which will let the caller return a -- * series of possibly non-reproducible random values. -+ * \brief Implements pseudo random number generators. -+ * -+ * Two pseudo-random number generators are implemented, in isc_random_* -+ * and isc_rng_*. Neither one is very strong; they should not be used -+ * in cryptography functions. -+ * -+ * isc_random_* is based on arc4random if it is available on the system. 
-+ * Otherwise it is based on the posix srand() and rand() functions. -+ * It is useful for jittering values a bit here and there, such as -+ * timeouts, etc, but should not be relied upon to generate -+ * unpredictable sequences (for example, when choosing transaction IDs). - * -- * Note that the -- * strength of these numbers is not all that high, and should not be -- * used in cryptography functions. It is useful for jittering values -- * a bit here and there, such as timeouts, etc. -+ * isc_rng_* is based on ChaCha20, and is seeded and stirred from the -+ * system entropy source. It is stronger than isc_random_* and can -+ * be used for generating unpredictable sequences. It is still not as -+ * good as using system entropy directly (see entropy.h) and should not -+ * be used for cryptographic functions such as key generation. - */ - - ISC_LANG_BEGINDECLS -@@ -115,8 +123,8 @@ isc_rng_random(isc_rng_t *rngctx); - isc_uint16_t - isc_rng_uniformrandom(isc_rng_t *rngctx, isc_uint16_t upper_bound); - /*%< -- * Returns a uniformly distributed pseudo random 16-bit unsigned -- * integer. -+ * Returns a uniformly distributed pseudo-random 16-bit unsigned integer -+ * less than 'upper_bound'. - */ - - ISC_LANG_ENDDECLS -diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c -index 8d496ff..dd08187 100644 ---- a/lib/isccfg/namedconf.c -+++ b/lib/isccfg/namedconf.c -@@ -1106,7 +1106,7 @@ options_clauses[] = { - { "pid-file", &cfg_type_qstringornone, 0 }, - { "port", &cfg_type_uint32, 0 }, - { "querylog", &cfg_type_boolean, 0 }, -- { "random-device", &cfg_type_qstring, 0 }, -+ { "random-device", &cfg_type_qstringornone, 0 }, - { "recursing-file", &cfg_type_qstring, 0 }, - { "recursive-clients", &cfg_type_uint32, 0 }, - { "reserved-sockets", &cfg_type_uint32, 0 }, --- -2.14.4 - 
diff --git a/bind-9.11.4-P2.tar.gz b/bind-9.18.33.tar.xz
similarity index 34%
rename from bind-9.11.4-P2.tar.gz
rename to bind-9.18.33.tar.xz
index 356af5beed75cbe98e187f42836ee0fb23102c54..4d8dab471eae842839163e08e625f1fe5a37e0da 100644
Binary files a/bind-9.11.4-P2.tar.gz and b/bind-9.18.33.tar.xz differ
diff --git a/bind-9.18.33.tar.xz.asc b/bind-9.18.33.tar.xz.asc
new file mode 100644
index 0000000000000000000000000000000000000000..55084f20cad4eb5308979bfa34abfd68c1af8beb
--- /dev/null
+++ b/bind-9.18.33.tar.xz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEE2ZzOr4eXRwFPA41jGC4jV5Ri76oFAmePaRMACgkQGC4jV5Ri
+76qwUQ//buDAfAdEW1UKO63ugwHoyy4fqaGzKnbQpFmg9vc9Us9M2nDL2MDgE4aM
+5JwbYpqdeuZfcMuM/R2GVT79U52JdEgsPGSI3jP+N3nFq+l0J447HAm8T9PdAA4E
+YFbuvd2SjMHV9xkKS+V8k/kCo3tLmbZQ6m8eoyzV8rIqsEmL+2uR4LdcTncyC0cQ
+x+9oxxBQPQAVAcQp+bYGA00TW7B36xEGJysPxB5hy94awmt4T1eiWgv6uCSkW6kN
+48XXgYKFpFGXm4lQTTMTPtotRDHJ1azbOTh6385XUsJy95IMPd2eLqlm9YL3dlDD
++2L0EHR6UInj3/azEnuyZr9cQEBqM1OxTlZ8f1mfjzNITJy1LBGmgVxfL5X2u20g
+Z+vCodmdSyV0UgdRLai3QlloY6mNFw7OyDP7iBviwI6zFrE90BSSQkK1F46sk8OE
+hDwA5Wu8Kc511ygzEHAL2gzsZieZ941LaJq5kNOFbRdtEJuWTBzFHmlE0cGG9lbt
+RCBHHvzKP1oj2zGARZ7PxSHesrs2p+x6dIM1X8QCyCoirS4CRQiYJ/0Va4jAHusy
+zfrkuwixtNvZ3waOyckJQiVWNOXlSCkE1IlR56VSDNNIJfAaDi7G+EUthtoVcd57
+c3wtu0mhML68Kazq0sS0LiYDH6DU90anpVEj9owZNJqOyBJnbcY=
+=GaWc
+-----END PGP SIGNATURE-----
diff --git a/bind-9.3.1rc1-sdb_tools-Makefile.in b/bind-9.3.1rc1-sdb_tools-Makefile.in
deleted file mode 100644
index c7e0868a03b41a2bda605b171ed0def6c9b94e91..0000000000000000000000000000000000000000
--- a/bind-9.3.1rc1-sdb_tools-Makefile.in
+++ /dev/null
@@ -1,63 +0,0 @@ -srcdir = @srcdir@ -VPATH = @srcdir@ -top_srcdir = @top_srcdir@ - -VERSION=@BIND9_VERSION@ - -@BIND9_MAKE_INCLUDES@ - -CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include \ - ${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \ - ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} - -CDEFINES = -DBIND9 - -DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@ -ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@ -ISCCCLIBS = ../../lib/isccc/libisccc.@A@ -ISCLIBS = ../../lib/isc/libisc.@A@ -LWRESLIBS = ../../lib/lwres/liblwres.@A@ -BIND9LIBS = ../../lib/bind9/libbind9.@A@ - -DNSDEPLIBS = ../../lib/dns/libdns.@A@ -ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@ -ISCCCDEPLIBS = ../../lib/isccc/libisccc.@A@ -ISCDEPLIBS = ../../lib/isc/libisc.@A@ -LWRESDEPLIBS = ../../lib/lwres/liblwres.@A@ -BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@ - -DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \ - ${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${ISCDEPLIBS} - -LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \ - ${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} ${DBDRIVER_LIBS} @LIBS@ - -TARGETS = zone2ldap@EXEEXT@ zonetodb@EXEEXT@ - -OBJS = zone2ldap.@O@ zonetodb.@O@ - -SRCS = zone2ldap.c zonetodb.c - -MANPAGES = zone2ldap.1 - -EXT_CFLAGS = - -@BIND9_MAKE_RULES@ - -zone2ldap@EXEEXT@: zone2ldap.@O@ ${DEPLIBS} - ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ zone2ldap.@O@ -lldap -llber ${LIBS} - -zonetodb@EXEEXT@: zonetodb.@O@ ${DEPLIBS} - ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ zonetodb.@O@ -lpq ${LIBS} - -clean distclean manclean maintainer-clean:: - rm -f ${TARGETS} ${OBJS} - -installdirs: - $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir} - $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1 - -install:: ${TARGETS} installdirs - ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2ldap@EXEEXT@ ${DESTDIR}${sbindir} - ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zonetodb@EXEEXT@ ${DESTDIR}${sbindir} - ${INSTALL_DATA} 
${srcdir}/zone2ldap.1 ${DESTDIR}${mandir}/man1/zone2ldap.1 diff --git a/bind-9.3.2b1-fix_sdb_ldap.patch b/bind-9.3.2b1-fix_sdb_ldap.patch deleted file mode 100644 index d027bb92c9c505e12b8f161e686263b1d39f5ba6..0000000000000000000000000000000000000000 --- a/bind-9.3.2b1-fix_sdb_ldap.patch +++ /dev/null 
@@ -1,519 +0,0 @@ -diff --git a/bin/sdb_tools/Makefile.in b/bin/sdb_tools/Makefile.in -index 95ab742..6069f09 100644 ---- a/bin/sdb_tools/Makefile.in -+++ b/bin/sdb_tools/Makefile.in -@@ -32,11 +32,11 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \ - LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \ - ${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} ${DBDRIVER_LIBS} @LIBS@ - --TARGETS = zone2ldap@EXEEXT@ zonetodb@EXEEXT@ zone2sqlite@EXEEXT@ -+TARGETS = zone2ldap@EXEEXT@ ldap2zone@EXEEXT@ zonetodb@EXEEXT@ zone2sqlite@EXEEXT@ - --OBJS = zone2ldap.@O@ zonetodb.@O@ zone2sqlite.@O@ -+OBJS = zone2ldap.@O@ ldap2zone.@O@ zonetodb.@O@ zone2sqlite.@O@ - --SRCS = zone2ldap.c zonetodb.c zone2sqlite.c -+SRCS = zone2ldap.c ldap2zone.c zonetodb.c zone2sqlite.c - - MANPAGES = zone2ldap.1 - -@@ -53,6 +53,9 @@ zonetodb@EXEEXT@: zonetodb.@O@ ${DEPLIBS} - zone2sqlite@EXEEXT@: zone2sqlite.@O@ ${DEPLIBS} - ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ zone2sqlite.@O@ -lsqlite3 -lssl ${LIBS} - -+ldap2zone@EXEEXT@: ldap2zone.@O@ ${DEPLIBS} -+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ ldap2zone.@O@ -lldap -llber ${LIBS} -+ - clean distclean manclean maintainer-clean:: - rm -f ${TARGETS} ${OBJS} - -@@ -62,6 +65,7 @@ installdirs: - - install:: ${TARGETS} installdirs - ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2ldap@EXEEXT@ ${DESTDIR}${sbindir} -+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} ldap2zone@EXEEXT@ ${DESTDIR}${sbindir} - ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zonetodb@EXEEXT@ ${DESTDIR}${sbindir} - ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2sqlite@EXEEXT@ ${DESTDIR}${sbindir} - ${INSTALL_DATA} ${srcdir}/zone2ldap.1 ${DESTDIR}${mandir}/man1/zone2ldap.1 -diff --git a/bin/sdb_tools/zone2ldap.c b/bin/sdb_tools/zone2ldap.c -index 23dd873..d56bc56 100644 ---- a/bin/sdb_tools/zone2ldap.c -+++ b/bin/sdb_tools/zone2ldap.c -@@ -65,6 +66,9 @@ ldap_info; - /* usage Info */ - void usage (void); - -+/* Check for existence of (and possibly 
add) containing dNSZone objects */ -+int lookup_dns_zones( ldap_info *ldinfo); -+ - /* Add to the ldap dit */ - void add_ldap_values (ldap_info * ldinfo); - -@@ -81,7 +85,7 @@ char **hostname_to_dn_list (char *hostname, char *zone, unsigned int flags); - int get_attr_list_size (char **tmp); - - /* Get a DN */ --char *build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag); -+char *build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag, char *zone); - - /* Add to RR list */ - void add_to_rr_list (char *dn, char *name, char *type, char *data, -@@ -103,11 +107,27 @@ void - init_ldap_conn (); - void usage(); - --char *argzone, *ldapbase, *binddn, *bindpw = NULL; --const char *ldapsystem = "localhost"; --static const char *objectClasses[] = -- { "top", "dNSZone", NULL }; --static const char *topObjectClasses[] = { "top", NULL }; -+static char *argzone, *ldapbase, *binddn, *bindpw = NULL; -+ -+/* these are needed to placate gcc4's const-ness const-ernations : */ -+static char localhost[] = "localhost"; -+static char *ldapsystem=&(localhost[0]); -+/* dnszone schema class names: */ -+static char topClass [] ="top"; -+static char dNSZoneClass[] ="dNSZone"; -+static char objectClass [] ="objectClass"; -+static char dcObjectClass[]="dcObject"; -+/* dnszone schema attribute names: */ -+static char relativeDomainName[]="relativeDomainName"; -+static char dNSTTL []="dNSTTL"; -+static char zoneName []="zoneName"; -+static char dc []="dc"; -+static char sameZone []="@"; -+/* LDAPMod mod_values: */ -+static char *objectClasses []= { &(topClass[0]), &(dNSZoneClass[0]), NULL }; -+static char *topObjectClasses []= { &(topClass[0]), &(dcObjectClass[0]), &(dNSZoneClass[0]), NULL }; -+static char *dn_buffer [64]={NULL}; -+ - LDAP *conn; - unsigned int debug = 0; - -@@ -131,12 +151,12 @@ main (int argc, char **argv) - isc_result_t result; - char *basedn; - ldap_info *tmp; -- LDAPMod *base_attrs[2]; -- LDAPMod base; -+ LDAPMod *base_attrs[5]; -+ LDAPMod base, dcBase, 
znBase, rdnBase; - isc_buffer_t buff; - char *zonefile=0L; - char fullbasedn[1024]; -- char *ctmp; -+ char *ctmp, *zn, *dcp[2], *znp[2], *rdn[2]; - dns_fixedname_t fixedzone, fixedname; - dns_rdataset_t rdataset; - char **dc_list; -@@ -149,7 +169,7 @@ main (int argc, char **argv) - extern char *optarg; - extern int optind, opterr, optopt; - int create_base = 0; -- int topt; -+ int topt, dcn, zdn, znlen; - - if (argc < 2) - { -@@ -157,7 +177,7 @@ main (int argc, char **argv) - exit (-1); - } - -- while ((topt = getopt (argc, argv, "D:w:b:z:f:h:?dcv")) != -1) -+ while ((topt = getopt (argc, argv, "D:Ww:b:z:f:h:?dcv")) != -1) - { - switch (topt) - { -@@ -180,6 +200,9 @@ main (int argc, char **argv) - if (bindpw == NULL) - fatal("strdup"); - break; -+ case 'W': -+ bindpw = getpass("Enter LDAP Password: "); -+ break; - case 'b': - ldapbase = strdup (optarg); - if (ldapbase == NULL) -@@ -301,27 +324,62 @@ main (int argc, char **argv) - { - if (debug) - printf ("Creating base zone DN %s\n", argzone); -- -+ - dc_list = hostname_to_dn_list (argzone, argzone, DNS_TOP); -- basedn = build_dn_from_dc_list (dc_list, 0, NO_SPEC); - -- for (ctmp = &basedn[strlen (basedn)]; ctmp >= &basedn[0]; ctmp--) -+ basedn = build_dn_from_dc_list (dc_list, 0, NO_SPEC, argzone); -+ if (debug) -+ printf ("base DN %s\n", basedn); -+ -+ for (ctmp = &basedn[strlen (basedn)], dcn=0; ctmp >= &basedn[0]; ctmp--) - { -- if ((*ctmp == ',') || (ctmp == &basedn[0])) -+ if ((*ctmp == ',') || (ctmp == &basedn[0])) - { -+ - base.mod_op = LDAP_MOD_ADD; -- base.mod_type = (char*)"objectClass"; -- base.mod_values = (char**)topObjectClasses; -+ base.mod_type = objectClass; -+ base.mod_values = topObjectClasses; - base_attrs[0] = (void*)&base; -- base_attrs[1] = NULL; -- -+ -+ dcBase.mod_op = LDAP_MOD_ADD; -+ dcBase.mod_type = dc; -+ dcp[0]=dc_list[dcn]; -+ dcp[1]=0L; -+ dcBase.mod_values=dcp; -+ base_attrs[1] = (void*)&dcBase; -+ -+ znBase.mod_op = LDAP_MOD_ADD; -+ znBase.mod_type = zoneName; -+ for( zdn = dcn, 
znlen = 0; zdn >= 0; zdn-- ) -+ znlen += strlen(dc_list[zdn])+1; -+ znp[0] = (char*)malloc(znlen+1); -+ znp[1] = 0L; -+ for( zdn = dcn, zn=znp[0]; zdn >= 0; zdn-- ) -+ zn+=sprintf(zn,"%s%s",dc_list[zdn], -+ ((zdn > 0) && (*(dc_list[zdn-1])!='.')) ? "." : "" -+ ); -+ -+ znBase.mod_values = znp; -+ base_attrs[2] = (void*)&znBase; -+ -+ rdnBase.mod_op = LDAP_MOD_ADD; -+ rdnBase.mod_type = relativeDomainName; -+ rdn[0] = strdup(sameZone); -+ rdn[1] = 0L; -+ rdnBase.mod_values = rdn; -+ base_attrs[3] = (void*)&rdnBase; -+ -+ dcn++; -+ -+ base.mod_values = topObjectClasses; -+ base_attrs[4] = NULL; -+ - if (ldapbase) - { - if (ctmp != &basedn[0]) - sprintf (fullbasedn, "%s,%s", ctmp + 1, ldapbase); - else -- sprintf (fullbasedn, "%s,%s", ctmp, ldapbase); -- -+ sprintf (fullbasedn, "%s,%s", ctmp, ldapbase); - } - else - { -@@ -330,8 +388,13 @@ main (int argc, char **argv) - else - sprintf (fullbasedn, "%s", ctmp); - } -+ -+ if( debug ) -+ printf("Full base dn: %s\n", fullbasedn); -+ - result = ldap_add_s (conn, fullbasedn, base_attrs); - ldap_result_check ("intial ldap_add_s", fullbasedn, result); -+ - } - - } -@@ -409,14 +472,14 @@ generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, unsigned int ttl) - isc_result_check (result, "dns_rdata_totext"); - data[isc_buffer_usedlength (&buff)] = 0; - -- dc_list = hostname_to_dn_list (name, argzone, DNS_OBJECT); -+ dc_list = hostname_to_dn_list ((char*)name, argzone, DNS_OBJECT); - len = (get_attr_list_size (dc_list) - 2); -- dn = build_dn_from_dc_list (dc_list, ttl, WI_SPEC); -+ dn = build_dn_from_dc_list (dc_list, ttl, WI_SPEC, argzone); - - if (debug) - printf ("Adding %s (%s %s) to run queue list.\n", dn, type, data); - -- add_to_rr_list (dn, dc_list[len], type, data, ttl, DNS_OBJECT); -+ add_to_rr_list (dn, dc_list[len], (char*)type, (char*)data, ttl, DNS_OBJECT); - } - - -@@ -456,7 +519,8 @@ add_to_rr_list (char *dn, char *name, char *type, - int attrlist; - char ldap_type_buffer[128]; - char charttl[64]; -- -+ char 
*zn; -+ int znlen; - - if ((tmp = locate_by_dn (dn)) == NULL) - { -@@ -483,13 +547,13 @@ add_to_rr_list (char *dn, char *name, char *type, - fatal("malloc"); - } - tmp->attrs[0]->mod_op = LDAP_MOD_ADD; -- tmp->attrs[0]->mod_type = (char*)"objectClass"; -+ tmp->attrs[0]->mod_type = objectClass; - - if (flags == DNS_OBJECT) -- tmp->attrs[0]->mod_values = (char**)objectClasses; -+ tmp->attrs[0]->mod_values = objectClasses; - else - { -- tmp->attrs[0]->mod_values = (char**)topObjectClasses; -+ tmp->attrs[0]->mod_values =topObjectClasses; - tmp->attrs[1] = NULL; - tmp->attrcnt = 2; - tmp->next = ldap_info_base; -@@ -498,7 +562,7 @@ add_to_rr_list (char *dn, char *name, char *type, - } - - tmp->attrs[1]->mod_op = LDAP_MOD_ADD; -- tmp->attrs[1]->mod_type = (char*)"relativeDomainName"; -+ tmp->attrs[1]->mod_type = relativeDomainName; - tmp->attrs[1]->mod_values = (char **) calloc (sizeof (char *), 2); - - if (tmp->attrs[1]->mod_values == (char **)NULL) -@@ -527,7 +591,7 @@ add_to_rr_list (char *dn, char *name, char *type, - fatal("strdup"); - - tmp->attrs[3]->mod_op = LDAP_MOD_ADD; -- tmp->attrs[3]->mod_type = (char*)"dNSTTL"; -+ tmp->attrs[3]->mod_type = dNSTTL; - tmp->attrs[3]->mod_values = (char **) calloc (sizeof (char *), 2); - - if (tmp->attrs[3]->mod_values == (char **)NULL) -@@ -540,14 +604,25 @@ add_to_rr_list (char *dn, char *name, char *type, - if (tmp->attrs[3]->mod_values[0] == NULL) - fatal("strdup"); - -+ znlen=strlen(gbl_zone); -+ if ( *(gbl_zone + (znlen-1)) == '.' 
) -+ { /* ldapdb MUST search by relative zone name */ -+ zn = (char*)malloc(znlen); -+ strncpy(zn,gbl_zone,znlen-1); -+ *(zn + (znlen-1))='\0'; -+ }else -+ { -+ zn = gbl_zone; -+ } -+ - tmp->attrs[4]->mod_op = LDAP_MOD_ADD; -- tmp->attrs[4]->mod_type = (char*)"zoneName"; -+ tmp->attrs[4]->mod_type = zoneName; - tmp->attrs[4]->mod_values = (char **)calloc(sizeof(char *), 2); - - if (tmp->attrs[4]->mod_values == (char **)NULL) - fatal("calloc"); - -- tmp->attrs[4]->mod_values[0] = gbl_zone; -+ tmp->attrs[4]->mod_values[0] = zn; - tmp->attrs[4]->mod_values[1] = NULL; - - tmp->attrs[5] = NULL; -@@ -558,7 +633,7 @@ add_to_rr_list (char *dn, char *name, char *type, - else - { - -- for (i = 0; tmp->attrs[i] != NULL; i++) -+ for (i = 0; tmp->attrs[i] != NULL; i++) - { - sprintf (ldap_type_buffer, "%sRecord", type); - if (!strncmp -@@ -632,44 +707,70 @@ char ** - hostname_to_dn_list (char *hostname, char *zone, unsigned int flags) - { - char *tmp; -- static char *dn_buffer[64]; - int i = 0; -- char *zname; -- char *hnamebuff; -- -- zname = strdup (hostname); -- if (zname == NULL) -- fatal("strdup"); -- -- if (flags == DNS_OBJECT) -- { -- -- if (strlen (zname) != strlen (zone)) -- { -- tmp = &zname[strlen (zname) - strlen (zone)]; -- *--tmp = '\0'; -- hnamebuff = strdup (zname); -- if (hnamebuff == NULL) -- fatal("strdup"); -- zname = ++tmp; -- } -- else -- hnamebuff = (char*)"@"; -- } -- else -- { -- zname = zone; -- hnamebuff = NULL; -- } -- -- for (tmp = strrchr (zname, '.'); tmp != (char *) 0; -- tmp = strrchr (zname, '.')) -- { -- *tmp++ = '\0'; -- dn_buffer[i++] = tmp; -- } -- dn_buffer[i++] = zname; -- dn_buffer[i++] = hnamebuff; -+ char *hname=0L, *last=0L; -+ int hlen=strlen(hostname), zlen=(strlen(zone)); -+ -+/* printf("hostname: %s zone: %s\n",hostname, zone); */ -+ hname=0L; -+ if(flags == DNS_OBJECT) -+ { -+ if( (zone[ zlen - 1 ] == '.') && (hostname[hlen - 1] != '.') ) -+ { -+ hname=(char*)malloc(hlen + 1); -+ hlen += 1; -+ sprintf(hname, "%s.", hostname); -+ 
hostname = hname; -+ } -+ if(strcmp(hostname, zone) == 0) -+ { -+ if( hname == 0 ) -+ hname=strdup(hostname); -+ last = strdup(sameZone); -+ }else -+ { -+ if( (hlen < zlen) -+ ||( strcmp( hostname + (hlen - zlen), zone ) != 0) -+ ) -+ { -+ if( hname != 0 ) -+ free(hname); -+ hname=(char*)malloc( hlen + zlen + 1); -+ if( *zone == '.' ) -+ sprintf(hname, "%s%s", hostname, zone); -+ else -+ sprintf(hname,"%s",zone); -+ }else -+ { -+ if( hname == 0 ) -+ hname = strdup(hostname); -+ } -+ last = hname; -+ } -+ }else -+ { /* flags == DNS_TOP */ -+ hname = strdup(zone); -+ last = hname; -+ } -+ -+ for (tmp = strrchr (hname, '.'); tmp != (char *) 0; -+ tmp = strrchr (hname, '.')) -+ { -+ if( *( tmp + 1 ) != '\0' ) -+ { -+ *tmp = '\0'; -+ dn_buffer[i++] = ++tmp; -+ }else -+ { /* trailing '.' ! */ -+ dn_buffer[i++] = strdup("."); -+ *tmp = '\0'; -+ if( tmp == hname ) -+ break; -+ } -+ } -+ if( ( last != hname ) && (tmp != hname) ) -+ dn_buffer[i++] = hname; -+ dn_buffer[i++] = last; - dn_buffer[i] = NULL; - - return dn_buffer; -@@ -681,24 +782,32 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags) - * exception of "@"/SOA. */ - - char * --build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag) -+build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag, char *zone) - { - int size; -- int x; -+ int x, znlen; - static char dn[1024]; - char tmp[128]; -+ char zn[DNS_NAME_MAXTEXT+1]; - - bzero (tmp, sizeof (tmp)); - bzero (dn, sizeof (dn)); - size = get_attr_list_size (dc_list); -+ znlen = strlen(zone); -+ if ( *(zone + (znlen-1)) == '.' 
) -+ { /* ldapdb MUST search by relative zone name */ -+ memcpy(&(zn[0]),zone,znlen-1); -+ *(zn + (znlen-1))='\0'; -+ zone = zn; -+ } - for (x = size - 2; x > 0; x--) - { - if (flag == WI_SPEC) - { - if (x == (size - 2) && (strncmp (dc_list[x], "@", 1) == 0) && (ttl)) -- sprintf (tmp, "relativeDomainName=%s + dNSTTL=%d,", dc_list[x], ttl); -+ sprintf (tmp, "zoneName=%s + relativeDomainName=%s,", zone, dc_list[x]); - else if (x == (size - 2)) -- sprintf(tmp, "relativeDomainName=%s,",dc_list[x]); -+ sprintf(tmp, "zoneName=%s + relativeDomainName=%s,", zone, dc_list[x]); - else - sprintf(tmp,"dc=%s,", dc_list[x]); - } -@@ -724,6 +833,7 @@ void - init_ldap_conn () - { - int result; -+ char ldb_tag[]="LDAP Bind"; - conn = ldap_open (ldapsystem, LDAP_PORT); - if (conn == NULL) - { -@@ -733,7 +843,7 @@ init_ldap_conn () - } - - result = ldap_simple_bind_s (conn, binddn, bindpw); -- ldap_result_check ("ldap_simple_bind_s", (char*)"LDAP Bind", result); -+ ldap_result_check ("ldap_simple_bind_s", ldb_tag , result); - } - - /* Like isc_result_check, only for LDAP */ -@@ -750,8 +860,6 @@ ldap_result_check (const char *msg, char *dn, int err) - } - } - -- -- - /* For running the ldap_info run queue. 
*/ - void - add_ldap_values (ldap_info * ldinfo) -@@ -759,14 +867,14 @@ add_ldap_values (ldap_info * ldinfo) - int result; - char dnbuffer[1024]; - -- - if (ldapbase != NULL) - sprintf (dnbuffer, "%s,%s", ldinfo->dn, ldapbase); - else - sprintf (dnbuffer, "%s", ldinfo->dn); - - result = ldap_add_s (conn, dnbuffer, ldinfo->attrs); -- ldap_result_check ("ldap_add_s", dnbuffer, result); -+ ldap_result_check ("ldap_add_s", dnbuffer, result); -+ - } - - -@@ -777,5 +885,5 @@ void - usage () - { - fprintf (stderr, -- "zone2ldap -D [BIND DN] -w [BIND PASSWORD] -b [BASE DN] -z [ZONE] -f [ZONE FILE] -h [LDAP HOST] " -+ "zone2ldap -D [BIND DN] [-w BIND PASSWORD | -W:prompt] -b [BASE DN] -z [ZONE] -f [ZONE FILE] -h [LDAP HOST] " - "[-c Create LDAP Base structure][-d Debug Output (lots !)] \n ");} diff --git a/bind-9.3.2b2-sdbsrc.patch b/bind-9.3.2b2-sdbsrc.patch deleted file mode 100644 index 46e183c149f83ee2bc388f9087941f3d337f2fb4..0000000000000000000000000000000000000000 --- a/bind-9.3.2b2-sdbsrc.patch +++ /dev/null 
@@ -1,230 +0,0 @@ -diff --git a/contrib/sdb/bdb/bdb.c b/contrib/sdb/bdb/bdb.c -index 23594bb..b3c6619 100644 ---- a/contrib/sdb/bdb/bdb.c -+++ b/contrib/sdb/bdb/bdb.c -@@ -43,7 +43,7 @@ - #include - #include - --#include -+#include "bdb.h" - #include - #include - -diff --git a/contrib/sdb/ldap/zone2ldap.c b/contrib/sdb/ldap/zone2ldap.c -index 07c89bc..23dd873 100644 ---- a/contrib/sdb/ldap/zone2ldap.c -+++ b/contrib/sdb/ldap/zone2ldap.c -@@ -63,16 +63,16 @@ typedef struct LDAP_INFO - ldap_info; - - /* usage Info */ --void usage (); -+void usage (void); - - /* Add to the ldap dit */ - void add_ldap_values (ldap_info * ldinfo); - - /* Init an ldap connection */ --void init_ldap_conn (); -+void init_ldap_conn (void); - - /* Ldap error checking */ --void ldap_result_check (char *msg, char *dn, int err); -+void ldap_result_check (const char *msg, char *dn, int err); - - /* Put a hostname into a char ** array */ - char **hostname_to_dn_list (char *hostname, char *zone, unsigned int flags); -@@ -88,7 +88,7 @@ void add_to_rr_list (char *dn, char *name, char *type, char *data, - unsigned int ttl, unsigned int flags); - - /* Error checking */ --void isc_result_check (isc_result_t res, char *errorstr); -+void isc_result_check (isc_result_t res, const char *errorstr); - - /* Generate LDIF Format files */ - void generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, -@@ -97,11 +97,17 @@ void generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, - /* head pointer to the list */ - ldap_info *ldap_info_base = NULL; - -+ldap_info * -+locate_by_dn (char *dn); -+void -+init_ldap_conn (); -+void usage(); -+ - char *argzone, *ldapbase, *binddn, *bindpw = NULL; --char *ldapsystem = "localhost"; --static char *objectClasses[] = -+const char *ldapsystem = "localhost"; -+static const char *objectClasses[] = - { "top", "dNSZone", NULL }; --static char *topObjectClasses[] = { "top", NULL }; -+static const char *topObjectClasses[] = { "top", NULL }; - LDAP *conn; - unsigned int debug = 
0; - -@@ -128,7 +134,7 @@ main (int argc, char **argv) - LDAPMod *base_attrs[2]; - LDAPMod base; - isc_buffer_t buff; -- char *zonefile; -+ char *zonefile=0L; - char fullbasedn[1024]; - char *ctmp; - dns_fixedname_t fixedzone, fixedname; -@@ -304,9 +310,9 @@ main (int argc, char **argv) - if ((*ctmp == ',') || (ctmp == &basedn[0])) - { - base.mod_op = LDAP_MOD_ADD; -- base.mod_type = "objectClass"; -- base.mod_values = topObjectClasses; -- base_attrs[0] = &base; -+ base.mod_type = (char*)"objectClass"; -+ base.mod_values = (char**)topObjectClasses; -+ base_attrs[0] = (void*)&base; - base_attrs[1] = NULL; - - if (ldapbase) -@@ -363,7 +369,7 @@ main (int argc, char **argv) - * I should probably rename this function, as not to cause any - * confusion with the isc* routines. Will exit on error. */ - void --isc_result_check (isc_result_t res, char *errorstr) -+isc_result_check (isc_result_t res, const char *errorstr) - { - if (res != ISC_R_SUCCESS) - { -@@ -470,20 +476,20 @@ add_to_rr_list (char *dn, char *name, char *type, - if (tmp->attrs == (LDAPMod **) NULL) - fatal("calloc"); - -- for (i = 0; i < flags; i++) -+ for (i = 0; i < (int)flags; i++) - { - tmp->attrs[i] = (LDAPMod *) malloc (sizeof (LDAPMod)); - if (tmp->attrs[i] == (LDAPMod *) NULL) - fatal("malloc"); - } - tmp->attrs[0]->mod_op = LDAP_MOD_ADD; -- tmp->attrs[0]->mod_type = "objectClass"; -+ tmp->attrs[0]->mod_type = (char*)"objectClass"; - - if (flags == DNS_OBJECT) -- tmp->attrs[0]->mod_values = objectClasses; -+ tmp->attrs[0]->mod_values = (char**)objectClasses; - else - { -- tmp->attrs[0]->mod_values = topObjectClasses; -+ tmp->attrs[0]->mod_values = (char**)topObjectClasses; - tmp->attrs[1] = NULL; - tmp->attrcnt = 2; - tmp->next = ldap_info_base; -@@ -492,7 +498,7 @@ add_to_rr_list (char *dn, char *name, char *type, - } - - tmp->attrs[1]->mod_op = LDAP_MOD_ADD; -- tmp->attrs[1]->mod_type = "relativeDomainName"; -+ tmp->attrs[1]->mod_type = (char*)"relativeDomainName"; - tmp->attrs[1]->mod_values = 
(char **) calloc (sizeof (char *), 2); - - if (tmp->attrs[1]->mod_values == (char **)NULL) -@@ -521,7 +527,7 @@ add_to_rr_list (char *dn, char *name, char *type, - fatal("strdup"); - - tmp->attrs[3]->mod_op = LDAP_MOD_ADD; -- tmp->attrs[3]->mod_type = "dNSTTL"; -+ tmp->attrs[3]->mod_type = (char*)"dNSTTL"; - tmp->attrs[3]->mod_values = (char **) calloc (sizeof (char *), 2); - - if (tmp->attrs[3]->mod_values == (char **)NULL) -@@ -535,7 +541,7 @@ add_to_rr_list (char *dn, char *name, char *type, - fatal("strdup"); - - tmp->attrs[4]->mod_op = LDAP_MOD_ADD; -- tmp->attrs[4]->mod_type = "zoneName"; -+ tmp->attrs[4]->mod_type = (char*)"zoneName"; - tmp->attrs[4]->mod_values = (char **)calloc(sizeof(char *), 2); - - if (tmp->attrs[4]->mod_values == (char **)NULL) -@@ -648,7 +654,7 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags) - zname = ++tmp; - } - else -- hnamebuff = "@"; -+ hnamebuff = (char*)"@"; - } - else - { -@@ -727,12 +733,12 @@ init_ldap_conn () - } - - result = ldap_simple_bind_s (conn, binddn, bindpw); -- ldap_result_check ("ldap_simple_bind_s", "LDAP Bind", result); -+ ldap_result_check ("ldap_simple_bind_s", (char*)"LDAP Bind", result); - } - - /* Like isc_result_check, only for LDAP */ - void --ldap_result_check (char *msg, char *dn, int err) -+ldap_result_check (const char *msg, char *dn, int err) - { - if ((err != LDAP_SUCCESS) && (err != LDAP_ALREADY_EXISTS)) - { -diff --git a/contrib/sdb/pgsql/pgsqldb.c b/contrib/sdb/pgsql/pgsqldb.c -index 50d3cba..516eb9f 100644 ---- a/contrib/sdb/pgsql/pgsqldb.c -+++ b/contrib/sdb/pgsql/pgsqldb.c -@@ -23,7 +23,7 @@ - #include - #include - --#include -+#include - - #include - #include -diff --git a/contrib/sdb/pgsql/zonetodb.c b/contrib/sdb/pgsql/zonetodb.c -index b8f5912..ff2d135 100644 ---- a/contrib/sdb/pgsql/zonetodb.c -+++ b/contrib/sdb/pgsql/zonetodb.c -@@ -37,7 +37,7 @@ - #include - #include - --#include -+#include - - /* - * Generate a PostgreSQL table from a zone. 
-@@ -54,6 +54,9 @@ char *dbname, *dbtable; - char str[10240]; - - void -+closeandexit(int status); -+ -+void - closeandexit(int status) { - if (conn != NULL) - PQfinish(conn); -@@ -61,6 +64,9 @@ closeandexit(int status) { - } - - void -+check_result(isc_result_t result, const char *message); -+ -+void - check_result(isc_result_t result, const char *message) { - if (result != ISC_R_SUCCESS) { - fprintf(stderr, "%s: %s\n", message, -@@ -84,7 +90,8 @@ quotestring(const unsigned char *source, unsigned char *dest) { - } - *dest++ = 0; - } -- -+void -+addrdata(dns_name_t *name, dns_ttl_t ttl, dns_rdata_t *rdata); - void - addrdata(dns_name_t *name, dns_ttl_t ttl, dns_rdata_t *rdata) { - unsigned char namearray[DNS_NAME_MAXTEXT + 1]; diff --git a/bind-9.5-PIE.patch b/bind-9.5-PIE.patch deleted file mode 100644 index a525b9b02d306688a85528e4436ded4f36455f19..0000000000000000000000000000000000000000 --- a/bind-9.5-PIE.patch +++ /dev/null @@ -1,27 +0,0 @@ ---- bind-9.5.0b2/bin/named/Makefile.in.pie 2008-02-11 17:21:47.000000000 +0100 -+++ bind-9.5.0b2/bin/named/Makefile.in 2008-02-11 17:22:10.000000000 +0100 -@@ -100,8 +100,12 @@ HTMLPAGES = named.html lwresd.html named - - MANOBJS = ${MANPAGES} ${HTMLPAGES} - -+EXT_CFLAGS = -fpie -+ - @BIND9_MAKE_RULES@ - -+LDFLAGS += -pie -Wl,-z,relro,-z,now,-z,nodlopen,-z,noexecstack -+ - main.@O@: main.c - ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \ - -DVERSION=\"${VERSION}\" \ -diff -up bind-9.5.0b2/bin/named/unix/Makefile.in.pie bind-9.5.0b2/bin/named/unix/Makefile.in ---- bind-9.5.0b2/bin/named/unix/Makefile.in.pie 2008-02-11 17:22:21.000000000 +0100 -+++ bind-9.5.0b2/bin/named/unix/Makefile.in 2008-02-11 17:23:00.000000000 +0100 -@@ -19,6 +19,8 @@ srcdir = @srcdir@ - VPATH = @srcdir@ - top_srcdir = @top_srcdir@ - -+EXT_CFLAGS = -fpie -+ - @BIND9_MAKE_INCLUDES@ - - CINCLUDES = -I${srcdir}/include -I${srcdir}/../include \ 
diff --git a/bind-9.5-dlz-64bit.patch b/bind-9.5-dlz-64bit.patch deleted file mode 100644 index ec064c6b04a389fc965f9af3fbd36536da585a74..0000000000000000000000000000000000000000 --- a/bind-9.5-dlz-64bit.patch +++ /dev/null @@ -1,53 +0,0 @@ -diff --git a/contrib/dlz/config.dlz.in b/contrib/dlz/config.dlz.in -index 47525af..eefe3c3 100644 ---- a/contrib/dlz/config.dlz.in -+++ b/contrib/dlz/config.dlz.in -@@ -17,6 +17,13 @@ - # - dlzdir='${DLZ_DRIVER_DIR}' - -+AC_MSG_CHECKING([for target libdir]) -+AC_RUN_IFELSE([int main(void) {exit((sizeof(void *) == 8) ? 0 : 1);}], -+ [target_lib=lib64], -+ [target_lib=lib], -+) -+AC_MSG_RESULT(["$target_lib"]) -+ - # - # Private autoconf macro to simplify configuring drivers: - # -@@ -292,9 +299,9 @@ case "$use_dlz_bdb" in - then - break - fi -- elif test -f "$dd/lib/lib${d}.so" -+ elif test -f "$dd/${target_lib}/lib${d}.so" - then -- dlz_bdb_libs="-L${dd}/lib -l${d}" -+ dlz_bdb_libs="-L${dd}/${target_lib} -l${d}" - break - fi - done -@@ -396,7 +403,7 @@ case "$use_dlz_ldap" in - *) - DLZ_ADD_DRIVER(LDAP, dlz_ldap_driver, - [-I$use_dlz_ldap/include], -- [-L$use_dlz_ldap/lib -lldap -llber]) -+ [-L$use_dlz_ldap/${target_lib} -lldap -llber]) - - AC_MSG_RESULT( - [using LDAP from $use_dlz_ldap/lib and $use_dlz_ldap/include]) -@@ -432,11 +439,11 @@ then - odbcdirs="/usr /usr/local /usr/pkg" - for d in $odbcdirs - do -- if test -f $d/include/sql.h -a -f $d/lib/libodbc.a -+ if test -f $d/include/sql.h -a -f $d/${target_lib}/libodbc.a - then - use_dlz_odbc=$d - dlz_odbc_include="-I$use_dlz_odbc/include" -- dlz_odbc_libs="-L$use_dlz_odbc/lib -lodbc" -+ dlz_odbc_libs="-L$use_dlz_odbc/${target_lib} -lodbc" - break - fi - done diff --git a/bind-9.9.1-P2-dlz-libdb.patch b/bind-9.9.1-P2-dlz-libdb.patch deleted file mode 100644 index 866ed8f6ee72e4cab08686c65b6bb24b9fe639dc..0000000000000000000000000000000000000000 --- a/bind-9.9.1-P2-dlz-libdb.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -diff -up bind-9.10.1b1/contrib/dlz/config.dlz.in.libdb bind-9.10.1b1/contrib/dlz/config.dlz.in ---- bind-9.10.1b1/contrib/dlz/config.dlz.in.libdb 2014-08-04 12:33:09.320735111 +0200 -+++ bind-9.10.1b1/contrib/dlz/config.dlz.in 2014-08-04 12:41:46.888241910 +0200 -@@ -263,7 +263,7 @@ case "$use_dlz_bdb" in - # Check other locations for includes. - # Order is important (sigh). - -- bdb_incdirs="/db53 /db51 /db48 /db47 /db46 /db45 /db44 /db43 /db42 /db41 /db4 /db" -+ bdb_incdirs="/db53 /db51 /db48 /db47 /db46 /db45 /db44 /db43 /db42 /db41 /db4 /libdb /db" - # include a blank element first - for d in "" $bdb_incdirs - do -@@ -288,16 +288,9 @@ case "$use_dlz_bdb" in - bdb_libnames="db53 db-5.3 db51 db-5.1 db48 db-4.8 db47 db-4.7 db46 db-4.6 db45 db-4.5 db44 db-4.4 db43 db-4.3 db42 db-4.2 db41 db-4.1 db" - for d in $bdb_libnames - do -- if test "$dd" = "/usr" -+ if test -f "$dd/${target_lib}/lib${d}.so" - then -- AC_CHECK_LIB($d, db_create, dlz_bdb_libs="-l${d}") -- if test $dlz_bdb_libs != "yes" -- then -- break -- fi -- elif test -f "$dd/${target_lib}/lib${d}.so" -- then -- dlz_bdb_libs="-L${dd}/${target_lib} -l${d}" -+ dlz_bdb_libs="-L${dd}/${target_lib}/libdb -l${d}" - break - fi - done diff --git a/bind-9.9.1-P2-multlib-conflict.patch b/bind-9.9.1-P2-multlib-conflict.patch deleted file mode 100644 index 96506dd7a290742924fef8be3b4feb0420a339e7..0000000000000000000000000000000000000000 --- a/bind-9.9.1-P2-multlib-conflict.patch +++ /dev/null 
@@ -1,85 +0,0 @@ -diff --git a/config.h.in b/config.h.in -index e1364dd921..1dc65cfb21 100644 ---- a/config.h.in -+++ b/config.h.in -@@ -588,7 +588,7 @@ int sigwait(const unsigned int *set, int *sig); - #undef PREFER_GOSTASN1 - - /* The size of `void *', as computed by sizeof. */ --#undef SIZEOF_VOID_P -+/* #undef SIZEOF_VOID_P */ - - /* Define to 1 if you have the ANSI C header files. */ - #undef STDC_HEADERS -diff --git a/configure.in b/configure.in -index 73b1c8ccbb..129fc3f311 100644 ---- a/configure.in -+++ b/configure.in -@@ -3523,14 +3523,14 @@ AC_TRY_COMPILE([ - #include - #include - int getnameinfo(const struct sockaddr *, socklen_t, char *, -- socklen_t, char *, socklen_t, unsigned int);], -+ socklen_t, char *, socklen_t, int);], - [ return (0);], -- [AC_MSG_RESULT(socklen_t for buflen; u_int for flags) -+ [AC_MSG_RESULT(socklen_t for buflen; int for flags) - AC_DEFINE(IRS_GETNAMEINFO_SOCKLEN_T, socklen_t, - [Define to the sockaddr length type used by getnameinfo(3).]) - AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, socklen_t, - [Define to the buffer length type used by getnameinfo(3).]) -- AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, unsigned int, -+ AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, int, - [Define to the flags type used by getnameinfo(3).])], - [AC_TRY_COMPILE([ - #include -@@ -3557,7 +3557,7 @@ int getnameinfo(const struct sockaddr *, size_t, char *, - [AC_MSG_RESULT(not match any subspecies; assume standard definition) - AC_DEFINE(IRS_GETNAMEINFO_SOCKLEN_T, socklen_t) - AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, socklen_t) --AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, int)])])]) -+AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, unsigned int)])])]) - - # - # ...and same for gai_strerror(). 
-diff --git a/isc-config.sh.in b/isc-config.sh.in -index a8a0a89e88..b5e94ed13e 100644 ---- a/isc-config.sh.in -+++ b/isc-config.sh.in -@@ -13,7 +13,18 @@ prefix=@prefix@ - exec_prefix=@exec_prefix@ - exec_prefix_set= - includedir=@includedir@ --libdir=@libdir@ -+arch=$(uname -m) -+ -+case $arch in -+ x86_64 | amd64 | sparc64 | s390x | ppc64) -+ libdir=/usr/lib64 -+ sec_libdir=/usr/lib -+ ;; -+ * ) -+ libdir=/usr/lib -+ sec_libdir=/usr/lib64 -+ ;; -+esac - - usage() - { -@@ -132,6 +143,16 @@ if test x"$echo_libs" = x"true"; then - if test x"${exec_prefix_set}" = x"true"; then - libs="-L${exec_prefix}/lib" - else -+ if [ ! -x $libdir/libisc.so ] ; then -+ if [ ! -x $sec_libdir/libisc.so ] ; then -+ echo "Error: ISC libs not found in $libdir" -+ if [ -d $sec_libdir ] ; then -+ echo "Error: ISC libs not found in $sec_libdir" -+ fi -+ exit 1 -+ fi -+ libdir=$sec_libdir -+ fi - libs="-L${libdir}" - fi - if test x"$libirs" = x"true" ; then diff --git a/bind-95-rh452060.patch b/bind-95-rh452060.patch deleted file mode 100644 index dac3a8d5b62bbf74b935c6a7b9f49438b67736fd..0000000000000000000000000000000000000000 --- a/bind-95-rh452060.patch +++ /dev/null 
@@ -1,42 +0,0 @@
-diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
-index f657c30..ff9a2d2 100644
---- a/bin/dig/dighost.c
-+++ b/bin/dig/dighost.c
-@@ -1694,6 +1694,13 @@ clear_query(dig_query_t *query) {
- 
- if (query->timer != NULL)
- isc_timer_detach(&query->timer);
-+
-+ if (query->waiting_senddone) {
-+ debug("send_done not yet called");
-+ query->pending_free = ISC_TRUE;
-+ return;
-+ }
-+
- lookup = query->lookup;
- 
- if (lookup->current_query == query)
-@@ -1719,10 +1726,7 @@ clear_query(dig_query_t *query) {
- isc_mempool_put(commctx, query->recvspace);
- isc_buffer_invalidate(&query->recvbuf);
- isc_buffer_invalidate(&query->lengthbuf);
-- if (query->waiting_senddone)
-- query->pending_free = ISC_TRUE;
-- else
-- isc_mem_free(mctx, query);
-+ isc_mem_free(mctx, query);
- }
- 
- /*%
-@@ -2811,9 +2815,9 @@ send_done(isc_task_t *_task, isc_event_t *event) {
- isc_event_free(&event);
- 
- if (query->pending_free)
-- isc_mem_free(mctx, query);
-+ clear_query(query);
- 
-- check_if_done();
-+ check_next_lookup(l);
- UNLOCK_LOOKUP;
- }
- 
diff --git a/bind-96-old-api.patch b/bind-96-old-api.patch
deleted file mode 100644
index d181d3ef64187bbeb1d0b00571779fbcc0febb69..0000000000000000000000000000000000000000
--- a/bind-96-old-api.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-diff -up bind-9.6.0b1/contrib/sdb/ldap/ldapdb.c.old-api bind-9.6.0b1/contrib/sdb/ldap/ldapdb.c
---- bind-9.6.0b1/contrib/sdb/ldap/ldapdb.c.old-api 2008-11-24 13:28:13.000000000 +0100
-+++ bind-9.6.0b1/contrib/sdb/ldap/ldapdb.c 2008-11-24 13:28:23.000000000 +0100
-@@ -25,6 +25,7 @@
- /* Using LDAPv3 by default, change this if you want v2 */
- #ifndef LDAPDB_LDAP_VERSION
- #define LDAPDB_LDAP_VERSION 3
-+#define LDAP_DEPRECATED 1
- #endif
- 
- #include
-diff -up bind-9.6.0b1/contrib/sdb/ldap/zone2ldap.c.old-api bind-9.6.0b1/contrib/sdb/ldap/zone2ldap.c
---- bind-9.6.0b1/contrib/sdb/ldap/zone2ldap.c.old-api 2008-11-24 13:29:05.000000000 +0100
-+++ bind-9.6.0b1/contrib/sdb/ldap/zone2ldap.c 2008-11-24 13:29:14.000000000 +0100
-@@ -13,6 +13,8 @@
- * ditched dNSDomain2 schema support. Version 0.3-ALPHA
- */
- 
-+#define LDAP_DEPRECATED 1
-+
- #include
- #include
- #include
diff --git a/bind.spec b/bind.spec
index 10dd7ce34dcec25347ae070e5f7db0d3f17f7d00..7fd6f15d06d7e4cd41ece69023705c3d4af15390 100644
--- a/bind.spec
+++ b/bind.spec
@@ -1,12 +1,14 @@ -%bcond_with LMDB +%bcond_without LMDB +%bcond_without JSON +%bcond_with DNSTAP %bcond_with DLZ -%bcond_with KYUA %bcond_with SYSTEMTEST %bcond_without UNITTEST -%bcond_without SDB +%bcond_with SDB %bcond_without GSSTSIG %bcond_without PKCS11 %bcond_without EXPORT_LIBS +%bcond_with TSAN %{?!bind_uid: %global bind_uid 25} %{?!bind_gid: %global bind_gid 25}
@@ -16,11 +18,11 @@ Name: bind Summary: Domain Name System (DNS) Server (named) License: MPLv2.0 -Version: 9.11.4 -Release: 13 +Version: 9.11.21 +Release: 21 Epoch: 32 Url: http://www.isc.org/products/BIND/ -Source0: https://ftp.isc.org/isc/bind9/9.11.4/bind-%{version}-P2.tar.gz +Source0: https://ftp.isc.org/isc/bind9/9.11.21/bind-%{version}.tar.gz Source1: named.sysconfig Source2: named.logrotate Source3: bind-9.3.1rc1-sdb_tools-Makefile.in
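Review bot: The new `Source0` spells the release twice — `9.11.21` in the directory and `%{version}` in the tarball name — so the next bump can drift the two apart (the removed line shows this already happened once, with the path at 9.11.4 while the file carried a `-P2` suffix). Use the macro in both places: `Source0: https://ftp.isc.org/isc/bind9/%{version}/bind-%{version}.tar.gz`. Nothing in this hunk pins the content of the downloaded tarball; ISC publishes a detached signature next to each release tarball, so adding it as a further Source and checking it in %prep (for example with `%{gpgverify}` where the build macros provide it) would tie the build to upstream's signing key rather than to whatever the mirror serves. If the packaging records source hashes in a separate manifest that is not part of this diff, that covers the integrity side but not the version duplication.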
@@ -28,7 +30,7 @@ Source4: dnszone.schema Source5: README.sdb_pgsql Source6: named.conf.sample Source7: named.conf -Source8: config-18.tar.bz2 +#Source8: config-18.tar.bz2 Source9: ldap2zone.c Source10: ldap2zone.1 Source11: named-sdb.8 @@ -50,18 +52,22 @@ Source26: named-pkcs11.service Source27: setup-named-softhsm.sh Source28: named-chroot.files Source29: random.data +Source30: https://www.internic.net/domain/named.root +Source31: named.rfc1912.zones +Source32: named.empty +Source33: named.localhost +Source34: named.loopback +Source35: named.root.key BuildRequires: openssl-devel libtool autoconf pkgconfig libcap-devel python3-devel python3-ply docbook-style-xsl -BuildRequires: libidn2-devel libxml2-devel GeoIP-devel make systemd selinux-policy findutils sed libxslt gdb +BuildRequires: libidn2-devel libxml2-devel make systemd selinux-policy findutils sed libxslt %if %{with SDB} -BuildRequires: openldap-devel libpq-devel sqlite-devel mariadb-connector-c-devel libdb-devel +BuildRequires: openldap-devel libpq-devel sqlite-devel mariadb-connector-c-devel %endif -%if %{with KYUA} -#BuildRequires: libatf-c-devel kyua -%else -BuildRequires: gcc-c++ +%if %{with UNITTEST} +BuildRequires: libcmocka-devel kyua %endif %if %{with PKCS11} 
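Review bot: `Source30: https://www.internic.net/domain/named.root` turns the root hints that later become `named.ca` into a fetched snapshot, and `Source35: named.root.key` is the DNSSEC trust anchor the resolver starts from, yet neither line records when the snapshot was taken or what content was verified; a stale or altered copy of either degrades resolution or validation with no build-time signal. A one-line comment above each would help, e.g. `# Source30/Source35: IANA root hints and root trust anchor, snapshot of <DATE>; compare with the published checksums before refreshing`. Whether the packaging repository pins these files by checksum elsewhere is not visible in this diff.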
@@ -80,66 +86,174 @@ BuildRequires: krb5-devel BuildRequires: lmdb-devel %endif +%if %{with JSON} +BuildRequires: json-c-devel +%endif + +%if %{with DNSTAP} +BuildRequires: fstrm-devel protobuf-c-devel +%endif + +%if %{with TSAN} +BuildRequires: libtsan +%endif + Requires: systemd coreutils shadow-utils glibc-common grep policycoreutils-python-utils -Requires: python3-bind = %{epoch}:%{version}-%{release} libselinux-utils selinux-policy bind-libs = %{epoch}:%{version}-%{release} +Requires: python3-bind = %{epoch}:%{version}-%{release} libselinux-utils selinux-policy selinux-policy-targeted bind-libs = %{epoch}:%{version}-%{release} bind-libs-lite = %{epoch}:%{version}-%{release} Provides: bind-config = 30:9.3.2-34.fc6 caching-nameserver = 31:9.4.1-7.fc8 dnssec-conf = 1.27-2 Provides: bind-license Obsoletes: bind-config < 30:9.3.2-34.fc6 caching-nameserver < 31:9.4.1-7.fc8 dnssec-conf < 1.27-2 Obsoletes: bind-license -Patch0001: bind-9.5-PIE.patch -Patch0003: bind-9.5-dlz-64bit.patch -Patch0004: bind-95-rh452060.patch -Patch0005: bind93-rh490837.patch -Patch0006: bind97-rh478718.patch -Patch0007: bind97-rh645544.patch -Patch0008: bind-9.9.1-P2-dlz-libdb.patch -Patch0009: bind-9.9.1-P2-multlib-conflict.patch -Patch0010: bind-9.11-rh1410433.patch -Patch0011: bind-9.11-rh1205168.patch -Patch0012: bind-9.11-export-suffix.patch -Patch0013: bind-9.11-oot-manual.patch -Patch0014: bind-9.11-pk11.patch -Patch0015: bind-9.11-fips-code.patch -Patch0016: bind-9.11-fips-tests.patch -Patch0017: bind-9.11-rt31459.patch -Patch0018: bind-9.11-rt46047.patch -Patch0019: bind-9.11-rh1624100.patch -Patch0020: bind-9.11-host-idn-disable.patch -Patch0021: bind-9.10-dist-native-pkcs11.patch -Patch0022: bind-9.11-kyua-pkcs11.patch -Patch0023: bind-96-old-api.patch -Patch0024: bind-9.3.2b2-sdbsrc.patch -Patch0025: bind-9.10-sdb.patch -Patch0026: bind-9.3.2b1-fix_sdb_ldap.patch -Patch0027: bind-9.10-use-of-strlcat.patch -Patch0028: bind99-rh640538.patch -Patch0029: bind97-rh669163.patch - 
-Patch6001: 1314-master-dnssec-checkds-s.patch -Patch6002: 2432-check-param_template-i-.pValue-is-non-NULL.patch -Patch6003: 2497-refcount-errors-on-error-paths.patch -Patch6004: 2559-Do-not-remove-errors-from-the-OpenSSL-error-queue-in.patch -Patch6005: 2574-Do-not-treat-a-referral-with-a-non-empty-ANSWER-sect.patch -Patch6006: 2711-Align-CMSG-buffers-to-a-void-boundary-fixes-crash-on.patch -Patch6007: 2776-Fix-crash-caused-by-race-condition-in-timer-creation.patch -Patch6008: 2865-free-key-on-error.patch -Patch6009: 2879-expand-the-pool-then-copy-over-the-old-entries-so-we.patch -Patch6010: 2985-Add-some-DBC-checks-in-dighost-fix-race-between-clea.patch -Patch6011: 2998-Use-larger-buffers-on-snprintf-buffer-overflow-false.patch -Patch6012: 3022-Fix-a-shutdown-race-in-bin-dig-dighost.c.patch -Patch6013: 3046-uninitalize-memory-read-on-error-path.patch -Patch6014: 3318-Allow-unsupported-alg-in-zone-w-dnssec-signzone.patch -Patch6015: 3543-fix-memory-leak.patch -Patch6016: Use-clock_gettime-instead-of-gettimeofday.patch -Patch6017: CVE-2018-5743.patch -Patch6018: CVE-2018-5743-atomic-fix.patch -Patch6019: CVE-2018-5745.patch -Patch6020: CVE-2019-6465.patch - -Patch9000: feature-bind99-euler-range-port.patch -Patch9001: bugfix-nslookup-norec.patch -Patch9002: bugfix-named-log-time.patch +# Common patches +Patch10: bind-9.5-PIE.patch +Patch16: bind-9.3.2-redhat_doc.patch +Patch72: bind-9.5-dlz-64bit.patch +Patch101:bind-96-old-api.patch +Patch102:bind-95-rh452060.patch +Patch106:bind93-rh490837.patch +Patch109:bind97-rh478718.patch +Patch112:bind97-rh645544.patch +Patch130:bind-9.9.1-P2-dlz-libdb.patch +Patch131:bind-9.9.1-P2-multlib-conflict.patch +Patch133:bind99-rh640538.patch +Patch134:bind97-rh669163.patch +# Fedora specific patch to distribute native-pkcs#11 functionality +Patch136:bind-9.10-dist-native-pkcs11.patch + +Patch137:bind-9.10-use-of-strlcat.patch +Patch140:bind-9.11-rh1410433.patch +Patch145:bind-9.11-rh1205168.patch 
+Patch149:bind-9.11-kyua-pkcs11.patch +Patch150:bind-9.11-engine-pkcs11.patch +Patch153:bind-9.11-export-suffix.patch +Patch154:bind-9.11-oot-manual.patch +Patch155:bind-9.11-pk11.patch +Patch156:bind-9.11-fips-code.patch +Patch157:bind-9.11-fips-tests.patch +Patch158:bind-9.11-rt31459.patch +Patch159:bind-9.11-rt46047.patch +Patch160:bind-9.11-rh1624100.patch +Patch161:bind-9.11-host-idn-disable.patch +Patch163:bind-9.11-rh1663318.patch +Patch164:bind-9.11-rh1666814.patch +Patch168:bind-9.11-unit-disable-random.patch +Patch170:bind-9.11-feature-test-named.patch +Patch171:bind-9.11-tests-variants.patch +Patch172:bind-9.11-tests-pkcs11.patch +Patch173:bind-9.11-rh1732883.patch +Patch174:bind-9.11-json-c.patch +Patch175:bind-9.11-fips-disable.patch +Patch177: bind-9.11-serve-stale.patch +Patch178: bind-9.11-serve-stale-dbfix.patch +Patch183: bind-9.11-rh1736762-5.patch + +Patch184: feature-bind99-euler-range-port.patch +Patch186: bugfix-named-log-time.patch +Patch187: dnssec-checkds-s.patch +Patch188: do-not-treat-a-referral-with-a-non-empty-ANSWER-sect.patch +Patch189: Add-some-DBC-checks-in-dighost-fix-race-between-clea.patch +Patch190: Use-clock_gettime-instead-of-gettimeofday.patch + +Patch191: CVE-2020-8622.patch +Patch192: CVE-2020-8623.patch +Patch193: CVE-2020-8624.patch +Patch194: Fix_the_difference_at_the_macro_definition_using_clock_gettime_instead_of_gettimeofda.patch +Patch195: CVE-2020-8625.patch +Patch196: CVE-2021-25214.patch +Patch197: CVE-2021-25215.patch +Patch198: backport-CVE-2021-25219.patch +Patch199: backport-CVE-2021-25220.patch + +# SDB patches +Patch11: bind-9.3.2b2-sdbsrc.patch +Patch12: bind-9.10-sdb.patch +# needs inpection +Patch13: bind-9.3.2b1-fix_sdb_ldap.patch + +Patch6000: backport-0000-Fix-nxdomain-redirect-assertion-failure.patch +Patch6001: backport-0001-Add-test-for-nxdomain-redirect-ncachenxdomain.patch +Patch6002: backport-0002-make-sure-new_zone_lock-is-locked-before-unlocking-i.patch +Patch6003: 
backport-0003-Prevent-crash-on-dst-initialization-failure.patch +Patch6004: backport-0004-IPSECKEY-require-non-zero-length-public-keys.patch +Patch6005: backport-0005-NSEC3PARAM-check-that-saltlen-is-consistent-with-the.patch +Patch6006: backport-0006-A6-return-FORMERR-in-fromwire-if-bits-are-non-zero.patch +Patch6007: backport-0007-Cast-the-original-rcode-to-dns_ttl_t-when-setting-ex.patch +Patch6008: backport-0008-Lock-on-msg-SELECT_POKE_CLOSE-as-it-triggers-a-tsan-.patch +Patch6009: backport-0009-Lock-access-when-updating-reading-manager-epoll_even.patch +Patch6010: backport-0010-Take-complete-ownership-of-aclp-before-calling-destr.patch +Patch6011: backport-0011-Take-complete-ownership-of-validatorp-before-calling.patch +Patch6012: backport-0012-Address-lock-order-inversion.patch +Patch6013: backport-0013-It-appears-that-you-can-t-change-what-you-are-pollin.patch +Patch6014: backport-0014-counter-used-was-read-without-the-lock-being-held.patch +Patch6015: backport-0015-Missing-locks-in-ns_lwresd_shutdown.patch +Patch6016: backport-0016-Use-atomics-to-update-counters.patch +Patch6017: backport-0017-Obtain-a-lock-on-the-quota-structure.patch +Patch6018: backport-0018-The-node-lock-was-released-too-early.patch +Patch6019: backport-0019-Address-lock-order-inversion-between-the-keytable-an.patch +Patch6020: backport-0020-Pause-dbiterator-to-release-rwlock-to-prevent-lock-o.patch +Patch6021: backport-0021-Address-lock-order-reversals-when-shutting-down-a-vi.patch +Patch6022: backport-0022-Hold-qid-lock-when-calling-deref_portentry-as.patch +Patch6023: backport-0023-Lock-zone-before-calling-zone_namerd_tostr.patch +Patch6024: backport-0024-Address-TSAN-error-between-dns_rbt_findnode-and-subt.patch +Patch6025: backport-0025-Address-data-race-in-dns_stats_detach-over-reference.patch +Patch6026: backport-0026-Lock-check-of-DNS_ZONEFLG_EXITING-flag.patch +Patch6027: backport-0027-Fix-locking-for-LMDB-0.9.26.patch +Patch6028: 
backport-0028-Correctly-encode-LOC-records-with-non-integer-negati.patch +Patch6029: backport-0029-isc_ratelimiter-needs-to-hold-a-reference-to-its-tas.patch +Patch6030: backport-0030-Lock-access-to-flags-in-dns__zone_loadpending.patch +Patch6031: backport-0031-Update-init_count-atomically-to-silence-tsan-errors.patch +Patch6032: backport-0032-dig-bufsize-0-failed-to-disable-EDNS-as-a-side-effec.patch +Patch6033: backport-0033-Remove-optimisation-on-obtaining-a-headlock-as-it-tr.patch +Patch6034: backport-0034-Address-tsan-error-in-view-destroy.patch +Patch6035: backport-0035-Lock-access-to-ctx-blocked-as-it-is-updated-by-multi.patch +Patch6036: backport-0036-Only-test-node-data-if-we-care-about-whether-data-is.patch +Patch6037: backport-0037-Test-if-linked-while-holding-the-queue-lock.patch +Patch6038: backport-0038-Address-data-race-in-dns_adbentry_overquota.patch +Patch6039: backport-0039-Address-lock-order-inversion.patch +Patch6040: backport-0040-Prevent-loads_pending-going-to-zero-while-kicking-th.patch +Patch6041: backport-0041-Address-data-races-between-socket-bitfields.patch +Patch6042: backport-0042-Only-read-dns_master_indent-and-dns_master_indentstr.patch +Patch6043: backport-0043-Defer-read-of-zl-server-and-zl-reconfig-until.patch +Patch6044: backport-0044-Use-a-reference-counter-for-zt.patch +Patch6045: backport-0045-Pause-dbiterator-to-release-rwlock-to-prevent-lock-o.patch +Patch6046: backport-0046-Pause-dbiterator-to-release-rwlock-to-prevent-lock-o.patch +Patch6047: backport-0047-Pause-dbiterator-to-release-rwlock-to-prevent-lock-o.patch +Patch6048: backport-0048-Pause-dbiterator-ealier-to-prevent-lock-order-invers.patch +Patch6049: backport-0049-Lock-access-to-control-symtab-to-prevent-data-race.patch +Patch6050: backport-0050-Address-lock-order-inversion.patch +Patch6051: backport-0051-Break-lock-order-loop-by-sending-TAT-in-an-event.patch +Patch6052: backport-0052-Handle-DNS_R_NCACHENXRRSET-in-fetch_callback_-dnskey.patch +Patch6053: 
backport-0053-Lock-read-of-refs-when-atomics-are-not-available.patch +Patch6054: backport-0054-Inactive-incorrectly-incremented.patch +Patch6055: backport-0055-Resolve-TSAN-data-race-in-zone_maintenance.patch +Patch6056: backport-0056-Free-resources-when-gss_accept_sec_context-fails.patch +Patch6057: backport-0057-Unload-a-zone-if-a-transfer-breaks-its-SOA-record.patch +Patch6058: backport-0058-Address-inconsistencies-in-checking-added-RRsets.patch +Patch6059: backport-0059-dns_rdata_tostruct-should-reject-rdata-with-DNS_RDAT.patch +Patch6060: backport-0060-Update-init_count-atomically-to-silence-tsan-errors.patch +Patch6061: backport-0061-Refactored-dns_message_t-for-using-attach-detach-sem.patch +Patch6062: backport-0062-Fix-invalid-dns-message-state-in-resolver-s-logic.patch +Patch6063: backport-0063-Properly-handling-dns_message_t-shared-references.patch +Patch6064: backport-CVE-2022-2795.patch +Patch6065: backport-CVE-2022-2881.patch +Patch6066: backport-CVE-2022-2906.patch +Patch6067: backport-CVE-2022-38177.patch +Patch6068: backport-CVE-2022-38178.patch + +Patch6069: backport-CVE-2023-2828.patch + +Patch6070: backport-CVE-2023-3341.patch +Patch6071:backport-CVE-2024-1975.patch +Patch6072:backport-optimize-the-slabheader-placement-for-certain-RRtype.patch +Patch6073:backport-0001-CVE-2024-1737.patch +Patch6074:backport-0002-CVE-2024-1737.patch +Patch6075:backport-0003-CVE-2024-1737.patch +Patch6076:backport-0004-CVE-2024-1737.patch +Patch6077:backport-CVE-2024-11187.patch + +Patch6078:backport-bind-9.11-CVE-2023-50387.patch +Patch6079:backport-bind-9.11-CVE-2023-50387-fixup.patch .patch %description Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name 
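Review bot: The 9.11.21-21 changelog entry later in this diff says the release fixes both CVE-2023-50387 and CVE-2023-50868, but the only additions for it are `Patch6078:backport-bind-9.11-CVE-2023-50387.patch` and `Patch6079:backport-bind-9.11-CVE-2023-50387-fixup.patch`; nothing in the list names CVE-2023-50868. If the backport deliberately covers both, record that next to Patch6078, e.g. `# CVE-2023-50387 and CVE-2023-50868 are both addressed by this backport`; otherwise the second CVE is still open in this build. A stray `.patch` token follows the Patch6079 line just before `%description`; if that is a real line in the spec rather than an extraction artifact, rpmbuild will reject it as an unknown preamble tag. Entries written as `PatchNNN:name` with no space after the colon (Patch101–Patch175, Patch6071–Patch6079) differ from the rest of the list; rpm accepts both, but a single form is easier to grep for.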
@@ -259,7 +373,7 @@ Based on the code from Jan "Yenya" Kasprzak
 %package -n python3-bind
 Summary: A module allowing rndc commands to be sent from Python programs
 Requires: bind = %{epoch}:%{version}-%{release}
-Requires: python3 python3-ply %{py3_dist ply}
+Requires: python3 python3-ply %{?py3_dist:%py3_dist ply}
 BuildArch: noarch
 %{?python_provide:%python_provide python3-bind}
 %{?python_provide:%python_provide python3-isc}
@@ -291,66 +405,62 @@ are used for building ISC DHCP. %endif %prep -%setup -q -n %{name}-%{version}-P2 - -%patch0001 -p1 -%patch0003 -p1 -%patch0004 -p1 -%patch0005 -p0 -%patch0006 -p1 -%patch0007 -p1 -%patch0008 -p1 -%patch0009 -p1 -%patch0010 -p1 -%patch0011 -p1 -%patch0012 -p1 -%patch0013 -p1 -%patch0014 -p1 -%patch0015 -p1 -%patch0016 -p1 -%patch0017 -p1 -%patch0018 -p1 -%patch0019 -p1 -%patch0020 -p1 +%setup -q -n %{name}-%{version} +# Common patches +%patch10 -p1 -b .PIE +%patch16 -p1 -b .redhat_doc +%patch72 -p1 -b .64bit +%patch102 -p1 -b .rh452060 +%patch106 -p1 -b .rh490837 +%patch109 -p1 -b .rh478718 +%patch112 -p1 -b .rh645544 +%patch130 -p1 -b .libdb +%patch131 -p1 -b .multlib-conflict +%patch140 -p1 -b .rh1410433 +%patch145 -p1 -b .rh1205168 +%patch153 -p1 -b .export_suffix +%patch154 -p1 -b .oot-man +%patch155 -p1 -b .pk11-internal +%patch156 -p1 -b .fips-code +%patch157 -p1 -b .fips-tests +%patch158 -p1 -b .rt31459 +%patch159 -p1 -b .rt46047 +%patch160 -p1 -b .rh1624100 +%patch161 -p1 -b .host-idn-disable +%patch163 -p1 -b .rh1663318 +%patch164 -p1 -b .rh1666814 +%patch168 -p1 -b .random_test-disable +%patch170 -p1 -b .featuretest-named +%patch171 -p1 -b .test-variant +%patch172 -p1 -b .test-pkcs11 +%patch173 -p1 -b .rh1732883 +%patch174 -p1 -b .json-c +%patch175 -p1 -b .rh1709553 +%patch177 -p1 -b .serve-stale +%patch178 -p1 -b .rh1770492 +%patch183 -p1 -b .rh1736762-5 + +%patch184 -p1 +%patch186 -p1 +%patch187 -p1 +%patch188 -p1 +%patch189 -p1 +%patch190 -p1 +%patch191 -p1 +%patch192 -p1 +%patch193 -p1 +%patch194 -p1 +%patch195 -p1 mkdir lib/dns/tests/testdata/dstrandom cp -a %{SOURCE29} lib/dns/tests/testdata/dstrandom/random.data -%if %{with PKCS11} -cp -r bin/named bin/named-pkcs11 -cp -r bin/dnssec bin/dnssec-pkcs11 -cp -r lib/isc lib/isc-pkcs11 -cp -r lib/dns lib/dns-pkcs11 -%patch0021 -p1 -%patch0022 -p1 -%endif - -%if %{with SDB} -%patch0023 -p1 -mkdir bin/named-sdb -mkdir bin/sdb_tools -cp -r bin/named/* bin/named-sdb -%patch0024 -p1 -cp 
-fp contrib/sdb/ldap/ldapdb.[ch] bin/named-sdb -cp -fp contrib/sdb/pgsql/pgsqldb.[ch] bin/named-sdb -cp -fp contrib/sdb/sqlite/sqlitedb.[ch] bin/named-sdb -cp -fp contrib/sdb/dir/dirdb.[ch] bin/named-sdb -cp -fp %{SOURCE9} bin/sdb_tools/ldap2zone.c -cp -fp %{SOURCE3} bin/sdb_tools/Makefile.in -cp -fp contrib/sdb/ldap/{zone2ldap.1,zone2ldap.c} bin/sdb_tools -cp -fp contrib/sdb/pgsql/zonetodb.c bin/sdb_tools -cp -fp contrib/sdb/sqlite/zone2sqlite.c bin/sdb_tools -%patch0025 -p1 -%patch0026 -p1 -%patch0027 -p1 -%endif - -%patch0028 -p1 -%patch0029 -p1 +%patch133 -p1 -b .rh640538 +%patch134 -p1 -b .rh669163 -%patch9000 -p1 -%patch9001 -p1 +%patch6000 -p1 %patch6001 -p1 +%patch6027 -p1 %patch6002 -p1 %patch6003 -p1 %patch6004 -p1 
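Review bot: `%patch106 -p1 -b .rh490837` and `%patch109 -p1 -b .rh478718` apply `bind93-rh490837.patch` and `bind97-rh478718.patch`, and `%patch101` (under `%if %{with SDB}` in the next hunk) applies `bind-96-old-api.patch`, but this same diff deletes all three files; unless replacements with the same names are added elsewhere in the change, `%prep` cannot run. The deleted `bind93-rh490837.patch` also carries unprefixed `Index: lib/isc/lex.c` / `--- lib/isc/lex.c` paths and was applied with `%patch0005 -p0`, so the new `-p1` only works for a different, `a/`-prefixed version of that file — worth confirming that is what lands. Separately, `%patch6027 -p1` is applied between `%patch6001` and `%patch6002`, out of the numeric order every other backport follows, with no comment; if 6002 depends on it, add `# 6027 (LMDB locking) must precede 6002` above it, otherwise move it to its numeric slot. The `%prep` section continues past the end of this hunk.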
@@ -370,15 +480,129 @@ cp -fp contrib/sdb/sqlite/zone2sqlite.c bin/sdb_tools %patch6018 -p1 %patch6019 -p1 %patch6020 -p1 -%patch9002 -p1 +%patch6021 -p1 +%patch6022 -p1 +%patch6023 -p1 +%patch6024 -p1 +%patch6025 -p1 +%patch6026 -p1 + +%patch196 -p1 +%patch197 -p1 + +%patch6028 -p1 +%patch6029 -p1 +%patch6030 -p1 +%patch6031 -p1 +%patch6032 -p1 +%patch6033 -p1 +%patch6034 -p1 +%patch6035 -p1 +%patch6036 -p1 +%patch6037 -p1 +%patch6038 -p1 +%patch6039 -p1 +%patch6040 -p1 +%patch6041 -p1 +%patch6042 -p1 +%patch6043 -p1 +%patch6044 -p1 +%patch6045 -p1 +%patch6046 -p1 +%patch6047 -p1 +%patch6048 -p1 +%patch6049 -p1 +%patch6050 -p1 +%patch6051 -p1 +%patch6052 -p1 +%patch6053 -p1 +%patch6054 -p1 +%patch6055 -p1 +%patch6056 -p1 +%patch6057 -p1 +%patch6058 -p1 +%patch6059 -p1 +%patch6060 -p1 + +%patch198 -p1 + +%patch6061 -p1 +%patch6062 -p1 +%patch6063 -p1 +%patch6064 -p1 +%patch6065 -p1 +%patch6066 -p1 +%patch6067 -p1 +%patch6068 -p1 + +%patch6069 -p1 +%patch6070 -p1 +%patch6071 -p1 +%patch6072 -p1 +%patch6073 -p1 +%patch6074 -p1 +%patch6075 -p1 +%patch6076 -p1 +%patch6077 -p1 + +%patch6078 -p1 +%patch6079 -p1 + +%patch199 -p1 + +%if %{with PKCS11} +cp -r bin/named{,-pkcs11} +cp -r bin/dnssec{,-pkcs11} +cp -r lib/isc{,-pkcs11} +cp -r lib/dns{,-pkcs11} +%patch136 -p1 -b .dist_pkcs11 +%patch149 -p1 -b .kyua-pkcs11 +%patch150 -p1 -b .engine-pkcs11 +%endif + +%if %{with SDB} +%patch101 -p1 -b .old-api +mkdir bin/named-sdb +cp -r bin/named/* bin/named-sdb +%patch11 -p1 -b .sdbsrc +# SDB ldap +cp -fp contrib/sdb/ldap/ldapdb.[ch] bin/named-sdb +# SDB postgreSQL +cp -fp contrib/sdb/pgsql/pgsqldb.[ch] bin/named-sdb +# SDB sqlite +cp -fp contrib/sdb/sqlite/sqlitedb.[ch] bin/named-sdb +# SDB Berkeley DB - needs to be ported to DB4! 
+#cp -fp contrib/sdb/bdb/bdb.[ch] bin/named_sdb +# SDB dir +cp -fp contrib/sdb/dir/dirdb.[ch] bin/named-sdb +# SDB tools +mkdir -p bin/sdb_tools +cp -fp %{SOURCE9} bin/sdb_tools/ldap2zone.c +cp -fp %{SOURCE3} bin/sdb_tools/Makefile.in +#cp -fp contrib/sdb/bdb/zone2bdb.c bin/sdb_tools +cp -fp contrib/sdb/ldap/{zone2ldap.1,zone2ldap.c} bin/sdb_tools +cp -fp contrib/sdb/pgsql/zonetodb.c bin/sdb_tools +cp -fp contrib/sdb/sqlite/zone2sqlite.c bin/sdb_tools + +%patch12 -p1 -b .sdb +%patch13 -p1 -b .fix_sdb_ldap +%patch137 -p1 -b .strlcat_fix +%endif + +# Sparc and s390 arches need to use -fPIE +%ifarch sparcv9 sparc64 s390 s390x +for i in bin/named{,-sdb}/{,unix}/Makefile.in; do + sed -i 's|fpie|fPIE|g' $i +done +%endif +:; %build %define _configure "../configure" %define unit_prepare_build() \ - cp -uv Kyuafile Atffile "%{1}/" \ + cp -uv Kyuafile "%{1}/" \ find lib -name 'K*.key' -exec cp -uv '{}' "%{1}/{}" ';' \ find lib -name 'Kyuafile' -exec cp -uv '{}' "%{1}/{}" ';' \ - find lib -name 'Atffile' -exec cp -uv '{}' "%{1}/{}" ';' \ find lib -name 'testdata' -type d -exec cp -Tav '{}' "%{1}/{}" ';' \ find lib -name 'testkeys' -type d -exec cp -Tav '{}' "%{1}/{}" ';' \ @@ -386,13 +610,11 @@ cp -fp contrib/sdb/sqlite/zone2sqlite.c bin/sdb_tools cp -Tuav bin/tests "%{1}/bin/tests/" \ cp -uv version "%{1}" -%if %{with KYUA} - ATF_PATH=/usr -%else - ATF_PATH=yes +CFLAGS="$CFLAGS $RPM_OPT_FLAGS" +%if %{with TSAN} + CFLAGS+=" -O1 -fsanitize=thread -fPIE -pie" %endif - -export CFLAGS="$CFLAGS $RPM_OPT_FLAGS" +export CFLAGS export CPPFLAGS="$CPPFLAGS -DDIG_SIGCHASE" export STD_CDEFINES="$CPPFLAGS" 
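Review bot: `:;` on a line of its own at the end of `%prep` is a no-op with no explanation and should either be dropped or given a comment saying what relies on the section ending in a command. `%patch137 -p1 -b .strlcat_fix` is applied only inside `%if %{with SDB}` here, yet its declaration in the preamble sits under `# Common patches`; moving `Patch137:bind-9.10-use-of-strlcat.patch` under `# SDB patches` keeps the preamble honest about when it is used.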
@@ -407,7 +629,7 @@ export LIBDIR_SUFFIXi= %configure \ --with-python=%{__python3} --with-libtool --localstatedir=/var \ --enable-threads --enable-ipv6 --enable-filter-aaaa --with-pic \ - --disable-static --includedir=%{_includedir}/bind9 --with-geoip \ + --disable-static --includedir=%{_includedir}/bind9 \ --with-tuning=large --with-libidn2 --enable-openssl-hash \ --enable-fixed-rrset --enable-full-report \ --with-docbook-xsl=%{_datadir}/sgml/docbook/xsl-stylesheets \ @@ -416,7 +638,7 @@ export LIBDIR_SUFFIXi= %endif %if %{with SDB} --with-dlopen=yes --with-dlz-ldap=yes --with-dlz-postgres=yes \ - --with-dlz-mysql=yes --with-dlz-filesystem=yes --with-dlz-bdb=yes \ + --with-dlz-mysql=yes --with-dlz-filesystem=yes \ %endif %if %{with GSSTSIG} --with-gssapi=yes --disable-isc-spnego \ @@ -426,8 +648,23 @@ export LIBDIR_SUFFIXi= %else --with-lmdb=no \ %endif +%if %{with JSON} + --with-libjson \ +%endif +%if %{with DNSTAP} + --enable-dnstap \ +%endif %if %{with UNITTEST} - --with-atf=${ATF_PATH} + --with-cmocka \ +%endif +%if %{with DNSTAP} + pushd lib + SRCLIB="../../../lib" + (cd dns && ln -s ${SRCLIB}/dns/dnstap.proto) +%if %{with PKCS11} + (cd dns-pkcs11 && ln -s ${SRCLIB}/dns-pkcs11/dnstap.proto) +%endif + popd %endif make -j32 @@ -440,11 +677,6 @@ pushd bin/python make man popd -%if ! %{with KYUA} -ATF_PATH="`pwd`/unit/atf" -sed -i -e '/^SUBDIRS =/s/atf-src//i' unit/Makefile -%endif - popd # build %unit_prepare_build build @@ -466,7 +698,7 @@ export LIBDIR_SUFFIX=%{_export_dir} --with-gssapi=yes --disable-isc-spnego \ %endif %if %{with UNITTEST} - --with-atf=${ATF_PATH} + --with-cmocka \ %endif mv isc-config.sh isc-export-config.sh @@ -478,7 +710,6 @@ sed -i \ Makefile sed -i -e "/^SUBDIRS =/s/.*/SUBDIRS = isc dns isccfg irs/i" lib/Makefile -sed -i -e '/^SUBDIRS =/s/atf-src//i' unit/Makefile for lib in isc dns isccfg irs; do find . -name Makefile -exec sed "s/lib${lib}\./lib${lib}-export\./g" -i {} \; 
@@ -491,10 +722,46 @@ make -j32 popd %unit_prepare_build export-libs -sed -e '/^\s*include(.*-pkcs11/ d' -e '/^\s*include(.*lwres/ d' -i export-libs/lib/Kyuafile +# Test just compiled libraries +for lib in %{bind_export_libs} +do + sed -e "s,^\s*include(.*${lib}/.*,-- use &," -i export-libs/lib/Kyuafile +done +sed -e "/^\s*include(/ d" -e 's/^-- use //' -i export-libs/lib/Kyuafile %endif #end EXPORT_LIBS %check +%if %{with PKCS11} + # Tests require initialization of pkcs11 token + eval "$(bash %{SOURCE27} -A "`pwd`/softhsm-tokens")" +%endif + +%if %{with TSAN} + export TSAN_OPTIONS="log_exe_name=true log_path=ThreadSanitizer exitcode=0" +%endif + +%if %{with UNITTEST} + pushd build + make unit + e=$? + if [ "$e" -ne 0 ]; then + echo "ERROR: this build of BIND failed 'make unit'. Aborting." + exit $e; + fi; + popd + + %if %{with EXPORT_LIBS} + pushd export-libs + make unit + e=$? + if [ "$e" -ne 0 ]; then + echo "ERROR: this build of BIND export-libs failed 'make unit'. Aborting." + exit $e; + fi; + popd + %endif + +%endif %if %{with SYSTEMTEST} if [ "`whoami`" = 'root' ]; then 
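Review bot: `export TSAN_OPTIONS="log_exe_name=true log_path=ThreadSanitizer exitcode=0"` makes ThreadSanitizer report-only: races found during `make unit` go to the files named from `log_path`, but the process still exits 0, so the `e=$?` checks that follow never see them and a TSAN build passes regardless. If that is the intent (a diagnostic build whose logs are read by hand), add `# exitcode=0: TSAN findings are logged, not fatal — read the ThreadSanitizer.* files in the build dir` above the export; if races should fail the build, drop `exitcode=0`. The two `make unit; e=$?; if [ "$e" -ne 0 ] ...` blocks differ only in directory and message and could be one small shell function.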
@@ -616,19 +883,29 @@ cp -fp build/config.h ${RPM_BUILD_ROOT}/%{_includedir}/bind9 find ${RPM_BUILD_ROOT}/%{_libdir} -name '*.la' -exec '/bin/rm' '-f' '{}' ';'; touch ${RPM_BUILD_ROOT}%{_localstatedir}/log/named.log -tar -C ${RPM_BUILD_ROOT} -xjf %{SOURCE8} -touch ${RPM_BUILD_ROOT}/etc/rndc.key -touch ${RPM_BUILD_ROOT}/etc/rndc.conf -install -m 640 %{SOURCE7} ${RPM_BUILD_ROOT}/etc/named.conf -mkdir -p sample/etc sample/var/named/{data,slaves} -mkdir ${RPM_BUILD_ROOT}/etc/named +# configuration files +install -m 640 %{SOURCE7} ${RPM_BUILD_ROOT}%{_sysconfdir}/named.conf +touch ${RPM_BUILD_ROOT}%{_sysconfdir}/rndc.{key,conf} +install -m 644 %{SOURCE35} ${RPM_BUILD_ROOT}%{_sysconfdir}/named.root.key +install -m 644 %{SOURCE15} ${RPM_BUILD_ROOT}%{_sysconfdir}/trusted-key.key +mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/named + +# data files +mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/named +install -m 640 %{SOURCE30} ${RPM_BUILD_ROOT}%{_localstatedir}/named/named.ca +install -m 640 %{SOURCE33} ${RPM_BUILD_ROOT}%{_localstatedir}/named/named.localhost +install -m 640 %{SOURCE34} ${RPM_BUILD_ROOT}%{_localstatedir}/named/named.loopback +install -m 640 %{SOURCE32} ${RPM_BUILD_ROOT}%{_localstatedir}/named/named.empty +install -m 640 %{SOURCE31} ${RPM_BUILD_ROOT}%{_sysconfdir}/named.rfc1912.zones -install -m 644 %{SOURCE15} ${RPM_BUILD_ROOT}/etc/trusted-key.key +mkdir -p sample/etc sample/var/named/{data,slaves} install -m 644 %{SOURCE6} sample/etc/named.conf + install -m 644 %{SOURCE7} named.conf.default -install -m 644 ${RPM_BUILD_ROOT}/etc/named.rfc1912.zones sample/etc/named.rfc1912.zones -install -m 644 ${RPM_BUILD_ROOT}/var/named/{named.ca,named.localhost,named.loopback,named.empty} sample/var/named +install -m 644 %{SOURCE31} sample/etc/named.rfc1912.zones +install -m 644 %{SOURCE33} %{SOURCE34} %{SOURCE32} sample/var/named +install -m 644 %{SOURCE30} sample/var/named/named.ca mkdir -p ${RPM_BUILD_ROOT}%{_tmpfilesdir} mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/rwtab.d 
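Review bot: `touch ${RPM_BUILD_ROOT}%{_sysconfdir}/rndc.{key,conf}` creates the rndc key file with whatever mode the build umask yields and nothing in this hunk sets its owner or mode; the `chown root:named` / `chmod 0640` in `%post` (next hunk) appear to run only on first install (`$1 -eq 1`), so on upgrades the file's permissions come entirely from the `%files` attributes, which are outside this diff. Since `rndc.key` ends up holding the control-channel secret, confirm `%files` carries an `%attr(0640,root,named)` (or `%ghost`) entry for it and say so here: `# rndc.key/rndc.conf: owner and mode come from the %%files attrs, not from this touch`. The `install -m 640 %{SOURCE31} ... named.rfc1912.zones` line sits under the `# data files` comment but installs into `%{_sysconfdir}`; moving it under `# configuration files` keeps the grouping accurate.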
@@ -638,7 +915,7 @@ install -m 644 %{SOURCE22} ${RPM_BUILD_ROOT}%{_sysconfdir}/rwtab.d/named %pre if [ "$1" -eq 1 ]; then /usr/sbin/groupadd -g %{bind_gid} -f -r named >/dev/null 2>&1 || :; - /usr/sbin/useradd -u %{bind_uid} -r -N -M -g named -s /bin/false -d /var/named -c Named named >/dev/null 2>&1 || :; + /usr/sbin/useradd -u %{bind_uid} -r -N -M -g named -s /sbin/nologin -d /var/named -c Named named >/dev/null 2>&1 || :; fi %post @@ -649,8 +926,8 @@ if [ "$1" -eq 1 ]; then [ -e /etc/rndc.key ] && chown root:named /etc/rndc.key [ -e /etc/rndc.key ] && chmod 0640 /etc/rndc.key else -if getent passwd named | grep ':/sbin/nologin$' >/dev/null; then - usermod -s /bin/false named +if getent passwd named | grep ':/bin/false$' >/dev/null; then + /sbin/usermod -s /sbin/nologin named fi fi @@ -712,16 +989,18 @@ fi %if %{with EXPORT_LIBS} %post export-libs /sbin/ldconfig +%end %postun export-libs /sbin/ldconfig +%end %endif %define chroot_fix_devices() \ if [ $1 -gt 1 ]; then \ for DEV in "%{1}/dev"/{null,random,zero}; do \ - if [ -e "$DEV" -a "$(/bin/stat --printf="%G %a" "$DEV")" = "root 644" ]; then \ + if [ -e "$DEV" ] && [ "$(/bin/stat --printf="%G %a" "$DEV")" = "root 644" ]; then \ /bin/chmod 0664 "$DEV" \ /bin/chgrp named "$DEV" \ fi \ @@ -822,16 +1101,15 @@ rm -rf ${RPM_BUILD_ROOT} %dir /run/named %files libs -%{_libdir}/libbind9.so.160* -%{_libdir}/libisccc.so.160* -%{_libdir}/liblwres.so.160* +%{_libdir}/libbind9.so.161* +%{_libdir}/libisccc.so.161* +%{_libdir}/liblwres.so.161* %files libs-lite -%{_libdir}/libdns.so.1102* -%{_libdir}/libirs.so.160* -%{_libdir}/libisc.so.169* -%{_libdir}/libisccfg.so.160* - +%{_libdir}/libdns.so.1110* +%{_libdir}/libirs.so.161* +%{_libdir}/libisc.so.1105* +%{_libdir}/libisccfg.so.163* %files utils %{_bindir}/dig 
@@ -875,6 +1153,10 @@ rm -rf ${RPM_BUILD_ROOT} %if %{with LMDB} %{_mandir}/man8/named-nzd2nzf.8* %endif +%if %{with DNSTAP} +%{_bindir}/dnstap-read +%{_mandir}/man1/dnstap-read.1* +%endif %{_sysconfdir}/trusted-key.key %if %{with SDB} @@ -893,9 +1175,6 @@ rm -rf ${RPM_BUILD_ROOT} %{_mandir}/man1/ldap2zone.1* %{_mandir}/man1/zonetodb.1* %{_mandir}/man1/zone2sqlite.1* -%{_mandir}/man1/isc-config.sh.1* -%{_mandir}/man1/bind9-config.1* -%{_mandir}/man3/lwres* %{_mandir}/man8/named-sdb.8* %endif #end SDB @@ -923,6 +1202,9 @@ rm -rf ${RPM_BUILD_ROOT} %{_includedir}/bind9/isccfg %{_bindir}/isc-config.sh %{_bindir}/bind9-config +%{_mandir}/man1/isc-config.sh.1* +%{_mandir}/man1/bind9-config.1* +%{_mandir}/man3/lwres* %files chroot %config(noreplace) %{_sysconfdir}/named-chroot.files @@ -1004,8 +1286,8 @@ rm -rf ${RPM_BUILD_ROOT} %{_sbindir}/named-pkcs11 %{_sbindir}/dnssec*pkcs11 %{_sbindir}/pkcs11-* -%{_libdir}/libdns-pkcs11.so.1102* -%{_libdir}/libisc-pkcs11.so.169* +%{_libdir}/libdns-pkcs11.so.1110* +%{_libdir}/libisc-pkcs11.so.1105* %{_unitdir}/named-pkcs11.service %{_libexecdir}/setup-named-softhsm.sh %{_mandir}/man8/*pkcs11*.8* @@ -1022,10 +1304,11 @@ rm -rf ${RPM_BUILD_ROOT} %files export-libs %dir %{_libdir}/%{_export_dir} -%{_libdir}/%{_export_dir}/libdns-export.so.1102* -%{_libdir}/%{_export_dir}/libirs-export.so.160* -%{_libdir}/%{_export_dir}/libisc-export.so.169* -%{_libdir}/%{_export_dir}/libisccfg-export.so.160* +%{_libdir}/%{_export_dir}/libdns-export.so.1110* +%{_libdir}/%{_export_dir}/libirs-export.so.161* +%{_libdir}/%{_export_dir}/libisc-export.so.1105* +%{_libdir}/%{_export_dir}/libisccfg-export.so.163* + %config(noreplace) %{_sysconfdir}/ld.so.conf.d/%{name}-export-%{_arch}.conf %files export-devel 
@@ -1045,6 +1328,132 @@ rm -rf ${RPM_BUILD_ROOT} %changelog +* Mon Oct 20 2025 lifeifei - 32:9.11.21-21 +- Type:CVE +- CVE:CVE-2023-50387,CVE-2023-50868 +- SUG:NA +- DESC:fix CVE-2023-50387 CVE-2023-50868 + +* Tue Apr 22 2025 Funda Wang - 32:9.11.21-20 +- Type:CVE +- CVE:CVE-2024-11187 +- SUG:NA +- DESC:fix CVE-2024-11187 + +* Fri Aug 02 2024 chengyechun - 32:9.11.21-19 +- Type:CVE +- CVE:CVE-2024-1975,CVE-2024-1737 +- SUG:NA +- DESC:fix CVE-2024-1975 CVE-2024-1737 + +* Thu Sep 28 2023 sunhai - 32:9.11.21-18 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:fix update + +* Tue Sep 26 2023 zhanghao - 32:9.11.21-17 +- Type:CVE +- ID:CVE-2023-3341 +- SUG:NA +- DESC:FIX CVE-2023-3341 + +* Mon Jun 26 2023 zhanghao - 32:9.11.21-16 +- Type:CVE +- ID:CVE-2023-2828 +- SUG:NA +- DESC:FIX CVE-2023-2828 + +* Thu Feb 09 2023 zhanghao - 32:9.11.21-15 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:fix output expected information when install bing-sdborbind-sdb-chroot + +* Tue Oct 11 2022 huangyu - 32:9.11.21-14 +- Type:CVE +- ID:CVE-2022-2906 CVE-2022-38177 CVE-2022-38178 CVE-2022-2795 CVE-2022-2881 +- SUG:NA +- DESC:FIX CVE-2022-2906CVE-2022-38177CVE-2022-38178CVE-2022-2795CVE-2022-2881 + +* Sat Sep 03 2022 jiangheng - 32:9.11.21-13 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:backport some patches from community + +* Fri Sep 02 2022 jiangheng - 32:9.11.21-12 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:remove obsolete patch + +* Wed Apr 20 2022 jiangheng - 9.11.21-11 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:add selinux-policy-targeted requires + +* Wed Mar 30 2022 jiangheng - 9.11.21-10 +- Type:CVE +- ID:CVE-2021-25220 +- SUG:NA +- DESC:fix CVE-2021-25220 + +* Mon Nov 15 2021 jiangheng - 9.11.21-9 +- Type:CVE +- ID:CVE-2021-25219 +- SUG:NA +- DESC:fix CVE-2021-25219 + +* Sat Jul 24 2021 jiangheng - 9.11.21-8 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:remove gdb buildrequires + +* Wed May 26 2021 jiangheng - 9.11.21-7 +- Type:CVE +- ID:NA +- SUG:NA +- DESC:fix CVE-2021-25214 CVE-2021-25215 + +* 
Fri Mar 12 2021 yanan - 9.11.21-6 +- Type:enhancement +- ID:NA +- SUG:NA +- DESC:remove useless bind-sdb package + +* Thu Feb 18 2021 liulong - 9.11.21-5 +- Type:CVE +- ID:NA +- SUG:NA +- DESC:fix CVE-2020-8625 + +* Wed Jan 13 2021 gaihuiying - 9.11.21-4 +- Type:requirement +- ID:NA +- SUG:NA +- DESC:remove GeoIP and libdb dependency + +* Wed Dec 9 2020 hanzhijun - 9.11.21-3 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:Fix the difference at the macro definition using clock gettime instead of gettimeofda + +* Wed Sep 30 2020 yuanxin - 9.11.21-2 +- Type:CVE +- ID:CVE-2020-8622.patch CVE-2020-8623.patch CVE-2020-8624.patch +- SUG:NA +- DESC:fix CVE-2020-8622.patch CVE-2020-8623.patch CVE-2020-8624.patch + +* Tue Aug 25 2020 gaihuiying - 9.11.21-1 +- Type:requirement +- ID:NA +- SUG:NA +- DESC:update bind version to 9.11.21 + * Thu Mar 19 2020 songnannan - 9.11.4-13 - add gdb in buildrequires diff --git a/bind.yaml b/bind.yaml new file mode 100644 index 0000000000000000000000000000000000000000..1e569bda29ef56da7e5b606877e921915bf75fdf --- /dev/null +++ b/bind.yaml @@ -0,0 +1,4 @@ +version_control: git +src_repo: https://gitlab.isc.org/isc-projects/bind9.git +tag_prefix: ^v +separator: . diff --git a/bind93-rh490837.patch b/bind93-rh490837.patch deleted file mode 100644 index 230d7a707d44fb3fd9e979a97712240c220a471b..0000000000000000000000000000000000000000 --- a/bind93-rh490837.patch +++ /dev/null 
@@ -1,95 +0,0 @@ -? patch -? lib/isc/lex.c.rh490837 -Index: lib/isc/lex.c -=================================================================== -RCS file: /var/snap/bind9/lib/isc/lex.c,v -retrieving revision 1.86 -diff -p -u -r1.86 lex.c ---- lib/isc/lex.c 17 Sep 2007 09:56:29 -0000 1.86 -+++ lib/isc/lex.c 6 Apr 2009 13:24:15 -0000 -@@ -425,17 +425,14 @@ isc_lex_gettoken(isc_lex_t *lex, unsigne - if (source->is_file) { - stream = source->input; - --#if defined(HAVE_FLOCKFILE) && defined(HAVE_GETCUNLOCKED) -- c = getc_unlocked(stream); --#else -- c = getc(stream); --#endif -- if (c == EOF) { -- if (ferror(stream)) { -- source->result = ISC_R_IOERROR; -- result = source->result; -+ result = isc_stdio_fgetc(stream, &c); -+ -+ if (result != ISC_R_SUCCESS) { -+ if (result != ISC_R_EOF) { -+ source->result = result; - goto done; - } -+ - source->at_eof = ISC_TRUE; - } - } else { -Index: lib/isc/include/isc/stdio.h -=================================================================== -RCS file: /var/snap/bind9/lib/isc/include/isc/stdio.h,v -retrieving revision 1.13 -diff -p -u -r1.13 stdio.h ---- lib/isc/include/isc/stdio.h 19 Jun 2007 23:47:18 -0000 1.13 -+++ lib/isc/include/isc/stdio.h 6 Apr 2009 13:24:15 -0000 -@@ -72,6 +72,9 @@ isc_stdio_sync(FILE *f); - * direct counterpart in the stdio library. 
- */ - -+isc_result_t -+isc_stdio_fgetc(FILE *f, int *ret); -+ - ISC_LANG_ENDDECLS - - #endif /* ISC_STDIO_H */ -Index: lib/isc/unix/errno2result.c -=================================================================== -RCS file: /var/snap/bind9/lib/isc/unix/errno2result.c,v -retrieving revision 1.17 -diff -p -u -r1.17 errno2result.c ---- lib/isc/unix/errno2result.c 19 Jun 2007 23:47:18 -0000 1.17 -+++ lib/isc/unix/errno2result.c 6 Apr 2009 13:24:15 -0000 -@@ -43,6 +43,7 @@ isc__errno2result(int posixerrno) { - case EINVAL: /* XXX sometimes this is not for files */ - case ENAMETOOLONG: - case EBADF: -+ case EISDIR: - return (ISC_R_INVALIDFILE); - case ENOENT: - return (ISC_R_FILENOTFOUND); -Index: lib/isc/unix/stdio.c -=================================================================== -RCS file: /var/snap/bind9/lib/isc/unix/stdio.c,v -retrieving revision 1.8 -diff -p -u -r1.8 stdio.c ---- lib/isc/unix/stdio.c 19 Jun 2007 23:47:18 -0000 1.8 -+++ lib/isc/unix/stdio.c 6 Apr 2009 13:24:15 -0000 -@@ -115,3 +115,22 @@ isc_stdio_sync(FILE *f) { - return (isc__errno2result(errno)); - } - -+isc_result_t -+isc_stdio_fgetc(FILE *f, int *ret) { -+ int r; -+ isc_result_t result = ISC_R_SUCCESS; -+ -+#if defined(HAVE_FLOCKFILE) && defined(HAVE_GETCUNLOCKED) -+ r = fgetc_unlocked(f); -+#else -+ r = fgets(f); -+#endif -+ -+ if (r == EOF) -+ result = ferror(f) ? isc__errno2result(errno) : ISC_R_EOF; -+ -+ *ret = r; -+ -+ return result; -+} -+ diff --git a/bind97-rh478718.patch b/bind97-rh478718.patch deleted file mode 100644 index ef4449039f1058a573595bac9a39eff3b2a71f79..0000000000000000000000000000000000000000 --- a/bind97-rh478718.patch +++ /dev/null 
@@ -1,51 +0,0 @@ -diff --git a/configure.in b/configure.in -index 896e81c1ce..73b1c8ccbb 100644 ---- a/configure.in -+++ b/configure.in -@@ -4275,6 +4275,10 @@ if test "yes" = "$use_atomic"; then - AC_MSG_RESULT($arch) - fi - -+if test ! "$arch" = "x86_64" -a "$have_xaddq" = "yes"; then -+ AC_MSG_ERROR([XADDQ present but disabled by Fedora patch!]) -+fi -+ - if test "yes" = "$have_atomic"; then - AC_MSG_CHECKING([compiler support for inline assembly code]) - -diff --git a/lib/isc/include/isc/platform.h.in b/lib/isc/include/isc/platform.h.in -index 2ff522342f..58df86adb3 100644 ---- a/lib/isc/include/isc/platform.h.in -+++ b/lib/isc/include/isc/platform.h.in -@@ -289,19 +289,25 @@ - * If the "xaddq" operation (64bit xadd) is available on this architecture, - * ISC_PLATFORM_HAVEXADDQ will be defined. - */ --@ISC_PLATFORM_HAVEXADDQ@ - - /* -- * If the 32-bit "atomic swap" operation is available on this -- * architecture, ISC_PLATFORM_HAVEATOMICSTORE" will be defined. -+ * If the 64-bit "atomic swap" operation is available on this -+ * architecture, ISC_PLATFORM_HAVEATOMICSTOREQ" will be defined. - */ --@ISC_PLATFORM_HAVEATOMICSTORE@ -+ -+#ifdef __x86_64__ -+#define ISC_PLATFORM_HAVEXADDQ 1 -+#define ISC_PLATFORM_HAVEATOMICSTOREQ 1 -+#else -+#undef ISC_PLATFORM_HAVEXADDQ -+#undef ISC_PLATFORM_HAVEATOMICSTOREQ -+#endif - - /* -- * If the 64-bit "atomic swap" operation is available on this -+ * If the 32-bit "atomic swap" operation is available on this - * architecture, ISC_PLATFORM_HAVEATOMICSTORE" will be defined. - */ --@ISC_PLATFORM_HAVEATOMICSTOREQ@ -+@ISC_PLATFORM_HAVEATOMICSTORE@ - - /* - * If the "compare-and-exchange" operation is available on this architecture, diff --git a/bind97-rh645544.patch b/bind97-rh645544.patch deleted file mode 100644 index d1d8429f9d85eb76ec781a976f505df560b2fe43..0000000000000000000000000000000000000000 --- a/bind97-rh645544.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -diff -up bind-9.9.4rc2/lib/dns/resolver.c.rh645544 bind-9.9.4rc2/lib/dns/resolver.c ---- bind-9.9.4rc2/lib/dns/resolver.c.rh645544 2013-08-19 10:30:52.000000000 +0200 -+++ bind-9.9.4rc2/lib/dns/resolver.c 2013-09-06 17:58:03.864165823 +0200 -@@ -1138,7 +1138,7 @@ log_edns(fetchctx_t *fctx) { - */ - dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf)); - isc_log_write(dns_lctx, DNS_LOGCATEGORY_EDNS_DISABLED, -- DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO, -+ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(1), - "success resolving '%s' (in '%s'?) after %s", - fctx->info, domainbuf, fctx->reason); - -@@ -3804,7 +3804,7 @@ log_lame(fetchctx_t *fctx, dns_adbaddrin - dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf)); - isc_sockaddr_format(&addrinfo->sockaddr, addrbuf, sizeof(addrbuf)); - isc_log_write(dns_lctx, DNS_LOGCATEGORY_LAME_SERVERS, -- DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO, -+ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(1), - "lame server resolving '%s' (in '%s'?): %s", - namebuf, domainbuf, addrbuf); - } -@@ -3831,7 +3831,7 @@ log_formerr(fetchctx_t *fctx, const char - } - - isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER, -- DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE, -+ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(1), - "DNS format error from %s resolving %s%s%s: %s", - nsbuf, fctx->info, clmsg, clbuf, msgbuf); - } diff --git a/bind97-rh669163.patch b/bind97-rh669163.patch deleted file mode 100644 index 125049fb722495f3eddcff9beb8ea1310274613d..0000000000000000000000000000000000000000 --- a/bind97-rh669163.patch +++ /dev/null 
@@ -1,14 +0,0 @@ -diff -up bind-9.7.2-P3/lib/lwres/lwconfig.c.rh669163 bind-9.7.2-P3/lib/lwres/lwconfig.c ---- bind-9.7.2-P3/lib/lwres/lwconfig.c.rh669163 2011-01-28 14:48:38.934472578 +0100 -+++ bind-9.7.2-P3/lib/lwres/lwconfig.c 2011-01-28 14:49:50.421326035 +0100 -@@ -612,6 +612,10 @@ lwres_conf_parse(lwres_context_t *ctx, c - break; - } - -+ /* Ignore options with no parameters */ -+ if (stopchar == '\n') -+ continue; -+ - if (strlen(word) == 0U) - rval = LWRES_R_SUCCESS; - else if (strcmp(word, "nameserver") == 0) diff --git a/bind99-rh640538.patch b/bind99-rh640538.patch deleted file mode 100644 index 5066a1450a3fdb4f7130b483cf0e47fe29a00440..0000000000000000000000000000000000000000 --- a/bind99-rh640538.patch +++ /dev/null @@ -1,44 +0,0 @@ -diff --git a/bin/dig/dig.docbook b/bin/dig/dig.docbook -index 1079421..f11abd1 100644 ---- a/bin/dig/dig.docbook -+++ b/bin/dig/dig.docbook -@@ -1177,6 +1177,39 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr - - - -+ RETURN CODES -+ -+ Dig return codes are: -+ -+ -+ -+ 0: Everything went well, including things like NXDOMAIN -+ -+ -+ -+ -+ 1: Usage error -+ -+ -+ -+ -+ 8: Couldn't open batch file -+ -+ -+ -+ -+ 9: No reply from server -+ -+ -+ -+ -+ 10: Internal error -+ -+ -+ -+ -+ -+ - FILES - - /etc/resolv.conf diff --git a/bugfix-named-log-time.patch b/bugfix-named-log-time.patch deleted file mode 100644 index 0e80c762db733cf492976b835c124d9fc95f0c70..0000000000000000000000000000000000000000 --- a/bugfix-named-log-time.patch +++ /dev/null 
@@ -1,146 +0,0 @@ -diff -upNr b/lib/isc/include/isc/util.h a/lib/isc/include/isc/util.h ---- b/lib/isc/include/isc/util.h 2019-07-30 19:52:09.600000000 +0800 -+++ a/lib/isc/include/isc/util.h 2019-07-30 21:39:03.400000000 +0800 -@@ -233,7 +233,7 @@ - * Time - */ - #define TIME_NOW(tp) RUNTIME_CHECK(isc_time_now((tp)) == ISC_R_SUCCESS) -- -+#define TIME_REAL_NOW(tp) RUNTIME_CHECK(isc_time_real_now((tp)) == ISC_R_SUCCESS) - /*% - * Alignment - */ -diff -upNr b/lib/isc/log.c a/lib/isc/log.c ---- b/lib/isc/log.c 2019-07-30 19:52:09.610000000 +0800 -+++ a/lib/isc/log.c 2019-07-30 21:39:03.410000000 +0800 -@@ -1498,7 +1498,7 @@ isc_log_doit(isc_log_t *lctx, isc_logcat - time_string[0] == '\0') { - isc_time_t isctime; - -- TIME_NOW(&isctime); -+ TIME_REAL_NOW(&isctime); - isc_time_formattimestamp(&isctime, time_string, - sizeof(time_string)); - } -@@ -1545,7 +1545,7 @@ isc_log_doit(isc_log_t *lctx, isc_logcat - * which fall within the duplicate_interval - * range. - */ -- TIME_NOW(&oldest); -+ TIME_REAL_NOW(&oldest); - if (isc_time_subtract(&oldest, &interval, - &oldest) - != ISC_R_SUCCESS) -@@ -1622,7 +1622,7 @@ isc_log_doit(isc_log_t *lctx, isc_logcat - strlcpy(message->text, lctx->buffer, - size); - -- TIME_NOW(&message->time); -+ TIME_REAL_NOW(&message->time); - - ISC_LINK_INIT(message, link); - ISC_LIST_APPEND(lctx->messages, -diff -upNr b/lib/isc/unix/include/isc/time.h a/lib/isc/unix/include/isc/time.h ---- b/lib/isc/unix/include/isc/time.h 2019-07-30 19:52:09.600000000 +0800 -+++ a/lib/isc/unix/include/isc/time.h 2019-07-30 21:39:03.400000000 +0800 -@@ -149,6 +149,8 @@ isc_time_now(isc_time_t *t); - */ - - isc_result_t -+isc_time_real_now(isc_time_t *t); -+isc_result_t - isc_time_nowplusinterval(isc_time_t *t, const isc_interval_t *i); - /*%< - * Set *t to the current absolute time + i. 
-diff -upNr b/lib/isc/unix/time.c a/lib/isc/unix/time.c ---- b/lib/isc/unix/time.c 2019-07-30 19:52:09.600000000 +0800 -+++ a/lib/isc/unix/time.c 2019-07-30 21:39:03.400000000 +0800 -@@ -36,6 +36,9 @@ - #define NS_PER_MS 1000000 /*%< Nanoseconds per millisecond. */ - #define US_PER_S 1000000 /*%< Microseconds per second. */ - -+#ifndef ISC_FIX_TV_USEC -+#define ISC_FIX_TV_USEC 1 -+#endif - #define CLOCKSOURCE CLOCK_MONOTONIC - - /*% -@@ -44,6 +47,27 @@ - - static const isc_interval_t zero_interval = { 0, 0 }; - const isc_interval_t * const isc_interval_zero = &zero_interval; -+#if ISC_FIX_TV_USEC -+static inline void -+fix_tv_usec(struct timeval *tv) { -+ isc_boolean_t fixed = ISC_FALSE; -+ if (tv->tv_usec < 0) { -+ fixed = ISC_TRUE; -+ do { -+ tv->tv_sec -= 1; -+ tv->tv_usec += US_PER_S; -+ } while (tv->tv_usec < 0); -+ } else if (tv->tv_usec >= US_PER_S) { -+ fixed = ISC_TRUE; -+ do { -+ tv->tv_sec += 1; -+ tv->tv_usec -= US_PER_S; -+ } while (tv->tv_usec >=US_PER_S); -+ } -+ if (fixed) -+ (void)syslog(LOG_ERR, "gettimeofday returned bad tv_usec: corrected"); -+} -+#endif - - void - isc_interval_set(isc_interval_t *i, -@@ -105,6 +129,50 @@ isc_time_isepoch(const isc_time_t *t) { - - - isc_result_t -+isc_time_real_now(isc_time_t *t) { -+ struct timeval tv; -+ char strbuf[ISC_STRERRORSIZE]; -+ -+ REQUIRE(t != NULL); -+ -+ if (gettimeofday(&tv, NULL) == -1) { -+ isc__strerror(errno, strbuf, sizeof(strbuf)); -+ UNEXPECTED_ERROR(__FILE__, __LINE__, "%s", strbuf); -+ return (ISC_R_UNEXPECTED); -+ } -+ -+ /* -+ * Does POSIX guarantee the signedness of tv_sec and tv_usec? If not, -+ * then this test will generate warnings for platforms on which it is -+ * unsigned. In any event, the chances of any of these problems -+ * happening are pretty much zero, but since the libisc library ensures -+ * certain things to be true ... 
-+ */ -+#if ISC_FIX_TV_USEC -+ fix_tv_usec(&tv); -+ if (tv.tv_sec < 0) -+ return (ISC_R_UNEXPECTED); -+#else -+ if (tv.tv_sec < 0 || tv.tv_usec < 0 || tv.tv_usec >= US_PER_S) -+ return (ISC_R_UNEXPECTED); -+#endif -+ -+ /* -+ * Ensure the tv_sec value fits in t->seconds. -+ */ -+ if (sizeof(tv.tv_sec) > sizeof(t->seconds) && -+ ((tv.tv_sec | (unsigned int)-1) ^ (unsigned int)-1) != 0U) -+ return (ISC_R_RANGE); -+ -+ t->seconds = tv.tv_sec; -+ t->nanoseconds = tv.tv_usec * NS_PER_US; -+ -+ return (ISC_R_SUCCESS); -+} -+ -+ -+ -+isc_result_t - isc_time_now(isc_time_t *t) { - struct timespec ts; - char strbuf[ISC_STRERRORSIZE]; diff --git a/bugfix-nslookup-norec.patch b/bugfix-nslookup-norec.patch deleted file mode 100644 index a67899ad2437e7a87b92e7af96ae3656c9b0a89a..0000000000000000000000000000000000000000 --- a/bugfix-nslookup-norec.patch +++ /dev/null @@ -1,19 +0,0 @@ -diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c ---- a/bin/dig/dighost.c.orig 2011-03-11 07:46:58.000000000 +0100 -+++ b/bin/dig/dighost.c 2011-10-28 14:31:29.806591603 +0200 -@@ -3291,8 +3291,13 @@ - } else { - if (!l->ns_search_only) { - fputs(l->cmdline, stdout); -- printf(";; connection timed out; no servers could be " -- "reached\n"); -+ if (!next_origin(ISC_LIST_HEAD(l->q))) { -+ printf(";; connection timed out; no servers could be " -+ "reached\n"); -+ } else { -+ printf(";; connection timed out; trying next " -+ "origin\n"); -+ } - } - cancel_lookup(l); - check_next_lookup(l); diff --git a/codesign2021.txt b/codesign2021.txt new file mode 100644 index 0000000000000000000000000000000000000000..d021b564512488bfecbd6a0083affd51d51f92d6 --- /dev/null +++ b/codesign2021.txt 
@@ -0,0 +1,534 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBFwq9BQBEADHjPDCwsHVtxnMNilgu187W8a9rYTMLgLfQwioSbjsF7dUJu8m +r1w2stcsatRs7HBk/j26RNJagY2Jt0QufOQLlTePpTl6UPU8EeiJ8c15DNf45TMk +pa/3MdIVpDnBioyD1JNqsI4z+yCYZ7p/TRVCyh5vCcwmt5pdKjKMTcu7aD2PtTtI +yhTIetJavy1HQmgOl4/t/nKL7Lll2xtZ56JFUt7epo0h69fiUvPewkhykzoEf4UG +ZFHSLZKqdMNPs/Jr9n7zS+iOgEXJnKDkp8SoXpAcgJ5fncROMXpxgY2U+G5rB9n0 +/hvV1zG+EP6OLIGqekiDUga84LdmR/8Cyc7DimUmaoIZXrAo0Alpt0aZ8GimdKmh +qirIguJOSrrsZTeZLilCWu37fRIjCQ3dSMNyhHJaOhRJQpQOEDG7jHxFak7627aF +UnVwBAOK3NlFfbomapXQm64lYNoONGrpV0ctueD3VoPipxIyzNHHgcsXDZ6C00sv +SbuuS9jlFEDonA6S8tApKgkEJuToBuopM4xqqwHNJ4e6QoXYjERIgIBTco3r/76D +o22ZxSK1m2m2i+p0gnWTlFn6RH+r6gfLwZRj8iR4fa0yMn3DztyTO6H8AiaslONt +LV2kvkhBar1/6dzlBvMdiRBejrVnw+Jg2bOmYTncFN00szPOXbEalps8wwARAQAB +tE1JbnRlcm5ldCBTeXN0ZW1zIENvbnNvcnRpdW0sIEluYy4gKFNpZ25pbmcga2V5 +LCAyMDE5LTIwMjApIDxjb2Rlc2lnbkBpc2Mub3JnPokCVAQTAQgAPhYhBK4/rHln +EexZ/AB6pHS7a5pMuz04BQJcKvQUAhsDBQkD7JcABQsJCAcCBhUKCQgLAgQWAgMB +Ah4BAheAAAoJEHS7a5pMuz0476oP/1+UaSHfe4WVHV43QaQ/z1rw7vg2aHEwyWJA +1D1tBr9+LvfohswwWBLIjcKRaoXZ4pLBFjuiYHBTsdaAQFeQQvQTXMmBx21ZyUZj +tjim8f9T1JhmIrMx6tF14NbqFpjw82Mv0rc8y74pdRvkdnFigqLKUoN2tFQlKeG+ +5T24zNwrGrlR3S7gnM47nD1JqKwt4GnczLnMBW/0gbLscMUpAeNo/gY4g0GV/zkn +Rt91bLpcEyDAv+ZhQZbkJ49dnNzl5cTK5+uQWnlAZAdPecdLkvBNRNgj/FKL41RF +JGN6eqq3+jlPbyj9okeJoGQ64Ibv1ZHVTQIx5vT1+PuVX/Nm0GqSUZdLqR33daKI +hjpgUdUK/D0AnN5ulVuE1NnZWjVDTXVEeU8DFvi4lxZVHnZixejxFIZ7vRMvyaHa +xLwbevwEUuPLzWn3XhC5yQeqCe6zmzzaPhPlg6NTnM5wgzcKORqCXgxzmtnX+Pbd +gXTwNKAJId/141vj1OtZQKJexG9QLufMjBg5rg/qdKooozremeM+FovIocbdFnmX +pzP8it8r8FKi7FpXRE3fwxwba4Y9AS2/owtuixlJ2+7M2OXwZEtxyXTXw2v5GFOP +vN64G/b71l9c3yKVlQ3BXD0jErv9XcieeFDR9PK0XGlsxykPcIXZYVy2KSWptkSf +6f2op3tMuQINBFwq9BQBEAC59lflbMmvSVkCHFoakdjokwGviNU4I/hOsNmHALYr +gJc0z88ss2KxbOq6JZoW9QOEHz2QLGsSGKnBUViEGvXoINDGuvzKFqHdEjGsExiF +FPGAgCQA2CSEZZ8MlITNdq4DuSti1LetjCF9d7hw2xOQs9ucxSXIslyqPbCdlxki +33tov40VE/J8jDUp9Rv27e0H2x4Nhu9MRQt4vTtpOcelYzl/dtPAmsnY4U/Nex4I 
+LM+JU2HcG/5i0nWkxOtz9Qc7kOgm4cuwXTCJw9KukPS3CykV1H/StPp43JyxoK1X +gZDMFww+9jupqLletmYKqCW6jVbqXr4Xlisq9Ey3LIWRQ0Zw/LB2NKU/jgnJGtLa +7O8VRWJKwkCtyYUbZMksKiGex7zCqPDR0hRVuYNsTjONobnrOS+7ST7ThbCndc+A +5mtuXpxuFffIuG78a3R3N30RF6g18peTfaEHMpqz+914HkNl6Ns445Zh+2rJkLUu +8O++tgWEUrpUajN9nosWaXWHOf7E9qGnm1G/3f9P3Nd5U+b3OKUYyqb+CNGCHyiN +bE1Cg3MnKpM9Yi9aZu4Qg/dPdxMWrqUmkmyDf6x/Oh8ZZkIacFlAaqbysQ6hRaJo +p7UG9AJfXHynj/Hz+1dNpUOlAIairFe3T2mWQO4Yy6IMgLEGVodZRHaMugdzZwus +HwARAQABiQI8BBgBCAAmFiEErj+seWcR7Fn8AHqkdLtrmky7PTgFAlwq9BQCGwwF +CQPslwAACgkQdLtrmky7PTikHw/8CZ+DnggV4AuI86spuMLdtUBDOux/T0gvyxSW +f8sJkjH0eAYAmP9/flJDfmwra5yNaINfqoLFWtaYLpxpBcWBc4VIoiWqVp2aaCPi +wh0sznCPiduiYcKGkHmupX8aCQXBYFDeQ8Jq1e9zwGD7Mon7BeBO48Vd5/IT1H5I +u5qzaCtD2ECO9MYdhuqJjFKU0MVzVocsBDdtLvrfnUwe4wc6kvOgHQ6RkMJU1bgY +0Sqstsg12vnREAr4uihnZQEihsRmNdiiv0DYVaRK92PLPpfVAox1Axq2HpH3WT87 +RpsFruXLj/zTl4AZczfDVd/Z4yWmJSzr0F5igkGSUrxo0ye2kNES6cmOGI9TgmgP +NLGXlC/su5fKXKjRgkD1ibJ0qFNNxF3Cwpz/+cav9ySDgFGX5Vu0kFi93fEYHshD +6lP9M5qS/2oKiykCGvcRCNU/9emdYlF37H52rxRerBaZN6dYMTjZw2vsEMUl06pL +llbLiwjPix2OlLFcwH3yKJG0pKkpEImBdJwHtJh5uHzfkSAbZjJAZ2Ekw7sLqiT0 +85hAGovywGpHMiYkqhNUO84fjZYCsrAlZMdriY92IMcQhmWQ416t5zcle2Xgx+/x +zBnktvx9KIH/HwBa+qym5z/uFC2S6zhNyC61LV/CEDCmcUi2lUXr7vcIxCsmxuUF +1ONbRP65Ag0EXFtUfAEQAN5tk4luE92Ed4E92VlgTetGMHyxwOlZ2OsK6l+Z5ML0 +wzomAITgMQwG0FeT6HX7vB+luVhg0XAZUW/K0bme8ZEO0dbHB3Vn07wXHhmq7QXH +/ACftkvevIT610dHskrtIvE5rZfj1P/wtjRTxDrkjhlGj9vhUxxcCkKadzDdBJGo +dP+Zh02d/4cc++LePNqZ3eJWm0JLghqKxzTv0MV1r6G1ZeykFzXeWY+La8ZCRaON +LcHjI7wlpyTJA9WGmyAphtEHM4fQqKLxtebIDo7m4glgR12nlV6B53gUT96PcKuA +Y/UPRiTV6nHyUtuL1EGTAVLsMDmtDbdSdtLLVbJXVmA+tapABa4amMxNVNY3QSUj +cAbECcTyVmVJfIT5fJW4eOMhWtrIGMspWoO5It0pl4K8jhCzIcfoXQ0olCSeC9fE +tljE7qzRzYQUUvN1VZPVX0Yw/xSwOutv4mxmNRWY9HW1M/jGoRAboqN8WhCbldak +a0XCH3U4rWXB/8HHb8KP4+q4ssVyPuEQ/v1UNNRk9AB25NPEh5PMdcf7HU8IcUHX +THEfd7zZVJ0l4FSsnGeuJfMrnRIpNOYX65ikeoTwmDU3ZjWfmSy7F5hTLw8WOEB4 +EKpnplyV1QN/j3317/M9PxvB8IOvyNF2okeurtHFMmI/lGwy51akp6iHMkbBDm5n 
+ABEBAAGJBHIEGAEIACYWIQSuP6x5ZxHsWfwAeqR0u2uaTLs9OAUCXFtUfAIbAgUJ +A70hAAJACRB0u2uaTLs9OMF0IAQZAQgAHRYhBJXO2iVrHKChXzAvtZUhp+1drOkY +BQJcW1R8AAoJEJUhp+1drOkY94wQAKb2fED9Up/xHEOjZm5ODK5LCVHy0KMATiTf +5SiJhRtqaRbimPH1WB3XMLls3FJZnm+UngIfwCsoWo0rksFUNmqFi6t4Cj/UB/Zv +29EnDT9BAeG5fP+Op5PDCsu4qnLv3oam35oV9yZLRkLhBd/EkRGEA/q27WnpiYCx +Jv5uPOJBWQqu32aE6st23PpY/QWDWOhGPfcWCecu1rIe+2BCs0UjfO0KOT8HYWNh +nGpsEZ+TmDKjRxMTYWKguEb9evEihl6kUwmQZgROdhBes63Yq4ku9rBXvRhCYbwS +odhjx2soDRcNmzxNV1Ply8a+2bwRHPnOeyyxEHFAwjkyXo7ZqGtenwSriG0LOW87 +y3Yw63O+oAlGLIB3psBSj4wZVGme9485HVICAFcJ3jXqsXSIJdzW61nGerB2r2Qk +Bn7yYIvHg3iOToB0alfNw2QuDtCZTNefvlHFnoashRhkk0yWzBerleFJbijx4+Vr +FaOH35BO1T3rgBmGkDW6gewoZMHEcmzTDoxxmbXiRvY+5o7b+ul/yzwhnJz3f5jk +7+Adnr9qAGMD2o3rCRBHV3lSEkLhBL+bfmsEYEor1fd+pDFoEKKjpDP6bgDcZyGv +O0mmr7Y/6ZrnKWxOrmNXieOTLbpY22tXv43QLgyiPcjhCfphT95IxqdNfMfOiI9k +IQf8g7GBciIP/1mbdnMj6Hg0J9IbI/XX/DWATOVMdDhq38VcggOHRjZk2lY99+4V +Au1wRHa/Io/CENikYzI00deSzhrN+tdUK/TCZI0Ft5Lykmti2ilmkIQGsBuD9gu/ +2bmWkNJEdpHeC/+oxntDFj43CpyKpPAarrw+4XiYNK+1+4WZsQRL0jJuKJ754v/o +NTaSd8GOCyFR7q8SVH4tig9DjkZjYjFFMnWkxdpnDX56/AfdS+x5EaRHKCJoGChT ++pHimvKe+MxBxpwJr4JpGddklin+6xUF5jTG6322hz385wsagGvmH2XliOu47a+7 +xUei7w3S1qtVCfdhtBEWL5i021yVYlrw+rUCwpFMIXAPA/p44O/qY06sQXJ01Fym +JCbOnjtVYX9gdF8fMKoDXAcvEtSulBNpXDongWp50BDfVoA7h9oDsxL5kw0GpkJn +uVMYLpO+iOqoEA3bJfsCedilkcz6UamLb+6RXMupKQaZ006Bu75Rm+h6PdicdiKD +jJY/7PbGuUmXxuSFT92v0hATlpEIQ8H8laEcnb8apiX2qOyGUHnb7pfYoNqvCm06 +3NP2igCtiGkzAohiHfhztfy2UApiTtXmPu3EhEUMooB+0Lt0zzY+e1cnFKRbJHvQ +ZidiOJfKuqp6upPvEgKYMRCAU4+nLT3MVbralo726JnDqrDJvCqAamhfuQINBFxb +VNsBEADcRGjaY+/ZVWBlQWvgy08ObhQbTRglb8thrcPeTR7211JJwAJemuTWwCjF +SVDH8JJ0Ss8rBcbitrGI3i3mcgJRQ1hILR2HT0bbmMLufCxZzQBjJm76H8XN++k6 +bd8HCYGXMguUaHRRHAcV+P18e3qGizgL7c8Vln9fbhowkX9yi/WhiL2uoXC3+XSa +C08TzwjKPb9Wnct6uCBAzMp8S7KW6P18vZyBTRBrugA9eZrGEe25rhy9szlJcajc +VeMiDMf058z7ait5t43AfUzd5zrD6c+ZGYIku88oY55LsZVcvn9o7I+UNbNJdiek +IpLae3Dgrie3QgDyfzPV1vXT2X8LaegOsNIkSo6jzjdKE0ZNg4xVSuPdr5jujYBN 
+z2k1lqV/Q/Ccpqzs0NsgnXnY8RDDrrmJhdy/ZrCMsXpbTK5KryR+JoDEiuyJ7YO2 +jTOCo6zQ631jvi7XUeHAFIdQ7eYRklJwABwj/IMXY++O8JBLO7iZ1dvvu3pfY7pg +dQvPgDttVAIxrNxMMj39LRbb6LE+eclWcTfGCMr3O6LOOLwkMnDWEkJAz7JMtWqr +2l+9xF9Dq7CkxHPP87dLTMNGIDr38bJ83CSmDPlBoaljTYgrlatBTV2hGMjPgEcB +jOgg6QyRGpO2N0SVBnD8PfBI7a7CwQw3BHOJtH8vPUkXZoafoQARAQABiQRyBBgB +CAAmFiEErj+seWcR7Fn8AHqkdLtrmky7PTgFAlxbVNsCGwIFCQO9IQACQAkQdLtr +mky7PTjBdCAEGQEIAB0WIQTXDITmS1WOW8zsByEy4hdfHXV6KgUCXFtU2wAKCRAy +4hdfHXV6KoJ9D/9IUN+s4gSiyWnqfq+UK5q86DTbC+OyQpAY/U/VDi/jQXDUaXzu +f25cCgyl4Xgf6nNTE6IEdgJCL4R6bChxJOHNpZ8/N3ckb/Q5xHKZ/5k5wFv7nxUk +vunzxB0wUgCLkn4oy4B8QbTMuRz1qcSdehUyZAlfkr7o/J5UO8FtgaMuNACxZNlO +JW5AjTDdbEW0MZapAgjx7+oTQMDtz9q4afuPaGJ3fTz4Vx1+mYt59b1h6xaMTXJi +8egJF0U4n/tJ+3gxAIhF7tQRPdNEwG+2Kw/YNyrLMY+nbazhlgUIIkk2IH3Ztd0S +XnNd7gV/slN80T9CtHtaDlH2FkeAd1unynxsDd/TLb1gLHem5iDsFuZBaIyHetdY +TlvT3SlKnDQr0FBTe86Kuv7n/ZNoU4lceXhUXTcataxKdxKEJt2x1Ei/hMHSVjaY +3ir57tuOUDMkl6hpL3sYiq7cMGUAnLH9nBZbbcNdfChDiM24mGmXaNoITutVAHS4 +uNunSL1l13hJ1hnGY79j4l+CgnPx7LHzBmLh4PPWKM3RYqwgaPEkflVQr1JOOKMM +x4bpllEtzpvVAIaF73tlsOQRRN1Aah67gvkWKqiZrXc0Sx/yh8EO/6bImb87rtVr +0kjeDGEiuGYXsszNBCmVjHal5kLUKaESefzd223zeaFe9foO2HrnsFb9B34ZD/9J +W5M+42QFd+tOLh1ue/5xToiyggGh1MX9axDqHiRu2w+E7kNuuws2426aupUQ3yPD +4dSwR428U14ytM90bZXztKFDgFAaQJ/4YVEGPSbLHFc4VlhDHpGljl8J7vI5xPOm +Ruc9aabtXwd065nQ2csk1DliiA4jpS9dUq/flH2oGj4b2OSGFvR5oC7oERHMpUA0 +p+wY3vnjkSVnWqV98yEBCFcZvpOy8J5KDZxYZvZydUvZ3ny5W6QPg8OKriqrCAKW +QXds47vRIiAasK14duLgex6il7HmboaqqOhRhevtBAHBJpB1z6Aq0SMwcKwdtTId +GTSoQd0R77ZGYvR3StpAwl8rJhCNwJHu2euA3hYPWHg0pF0L8pFbfUwOYf1dU+uQ +4xAJQKcCteQ7B0pawp+Hxp/0erB5c5PUUck38ze1ZoGm/oqh24XZ/amPVWE9nYSo +VTJwnbqWsfI6mzKdBHr5MP5zW5ei0PAo3lFb5gvVzJ2TqaGJvrh907I9R5Nwd6GM +wAWAzZ/nCLflSNyPyJ3ftxY6pGyCBJsycY7gBQD9i1xU0bxONltqSyifwQ0rt7yr +iwSI0VRnv8K3M2iTAdDm44bX6oHzljgiYachlV6IGmO3vdVVrCDhm+b+ia1bnQ/1 +H7itWEwllkUCCtaDwEcf8o3OdbS9S5KEbwH7YUD967kCDQRcW1UMARAAvl+0jUaB +UkQWBflWy4Wd8Gcf3lzOqbARdpM/iztebc7RbLnv0TNFQPV4TD9RoP+rY4dJzC8w 
+/rlxlhD3DiGcI3of3o/3pN6jss4wKyy9Jcg7uCo/fcspOoPOwigAUfBYTd2rWNvI +/pPUl7zmavQR2+TyQ4IHWG52zAABGej/tf3Ma6WGHC4QeTkh7LtHn3JFRCoFy101 +x60bJqIWONfR6+5UAOL/P+zTteEMsO3v7dWCWHX/tcYLrhCEH1CNnyPS7v7TF+Ys +uOGL7sSmQOUAcgldfUfTACw84YqViu5BSYiww18Eg1l66UcQFnhwB3fTGwzb3oPM +npAv2wAZ9gyFGzRgcH8QnXRm/SLDWlTaMIJS//0p/gXifCAdBZA/skBt+E4hQ5Sr +9iXGNMueR3bn7u8Pcoc1DpSJENE5H0nB62l3/OiSl/k7mJMGlUv6wKr42xNnIM6M +hO97axjRXy/XQz5n6ktyn9xRngkQNL9Ynj+i8E0k/xv5jA39EGAKOXxQFf8357sA +DnZ5g/Yf0Yr1c+TNIIRXER/k/KMavB52mguTNqCsewO5aje4Gq4vKd5P+jOKGopA +C4idTLkHutZTiakod7lW2jmjpm6P7oyAeAhDNEroNrbOIw0SaujHBmJtxgK1Q929 +y/EaH5vJyWfMFyUqM7CQBqUU/HRLERsebM8AEQEAAYkEcgQYAQgAJhYhBK4/rHln +EexZ/AB6pHS7a5pMuz04BQJcW1UMAhsCBQkDvSEAAkAJEHS7a5pMuz04wXQgBBkB +CAAdFiEErtYi/gIHfrS1wUbBQqJ50kjNwxAFAlxbVQwACgkQQqJ50kjNwxAf5xAA +hBhcOeqLgeXbUu0CCTKlnG6D7H8sQJWXCSsh9pAXffv58b4f0ntJ1TztKfVd79hS +BCcXRc/9+MhUUzR79NvFWWZMWqJ6MucjAkkOBRoc7c85PawYTI7e1zSapLPJEHG0 +xDzK8ClxwGEvlA4O/eGGVFaCTkxdTQg95fDXfghab6j89GI8Ghc9rC9V8RUgGVQV +qJJkBJ/gECJJp3holB4/w/I/sU+9AHXGKJvSJJ62fpmY143Y5JQk+I8DxoT0kIq4 +W2iZVAQMzQGpAOXkDuHk7a7J/QuL78CuoG98GOsfTd7nNsgPTZ07cPYGOxXeNR5U +9DlYOBWDwsf6d+D+tHLB8KzH3MWnWa3crjE3a/sgrDEad0CmAJzHXuCyPMy8vPQn +uxIai/gw2POq8YQMoKW5S80perLuN73FxAumjK9a2hYVdZNtABwrlW/6ELruv1se +mMjUq6oDyFio0rGy/uzCItl13hIr1Ii7B/SPz9dNnCagV8aiUmKXRk3HKoEXf34I +xWlod0szWopnP31NXNKHihs46ORSMrjnzFKjRcJsnipdins+DHJYroYhtOjNtsb/ +WV3D4tSerG3xKF/v3ssn2VsjcgK5HY/k9iUol/dvoP0bJ+rKs/fzt8oAqEexiRnV +cPnj/zAiBOt1940+0vTWaNYOPDkq872S48GNybOC342u2xAAnAp5myKostxjyQn3 +E/7/G1OWHaJW5kx/HCqHCWjgwwLOmhssNn8kpTf3ybvt5uhMolIF95RjFB3gBOfU +vw0sqMvEoBoGSMSTSc3zD05RBsWWFD9qwvPMXtn0gYaH39ISAFnxXrtrQ7dDD1d2 +LcBErdttnxEhUnT4/0YIat+r2PhmYYDYviKsuOy8MC/sJIxvhYEpbyPQnPksUzA4 +wmAbVNPlzqU2oWPrLT2tlxUue3z6VS/YHDcsLSgjVOMWSusLMh1+D76Y+Lcr9kVz +nRu+dYXh4I6OBnlT1VuzEVmrf69NFwh8j3PaVn0I0NEDU7mMa+5W0QYuJIsXZonq +SI2uIu64ZOVd+D8WmCEZO/Kmk5PMXs+0fMcFD9mOeFaiOdz+PIlHAsrxwKXr4Q5z +zzu/wEOaqAVa2bJywTbl8MntQUY/XeD94MvdlSAwO3Ll1BpQ5NfXjm3YpP6Uyqlj 
+pkrYQL56iqucgYn61jLSXhFHGLXSZs2G48ggN2mHtf6ZQeAJ4D2DIXRj4uqIHoJf +7MWDui8u+cJsw/F0ZerPsCN/CpkEoj4FW4F4O3JbiieYSUK7lxc0qyDdbQiVCVl/ +08wNToe3RctSzsQ99tCwfVWqLVcTVb+0aeSaNykb+qW30bHW7AUYs/qKiapQFzZz +QZnpHXGmVe93fDfILx3yUCA8Yia5Ag0EXFtVOgEQAOS7GFDH2DGXPMJzSdS7a/zZ +ewP4bM42n2Ku3XiCyXG173p4ppNdOLS3l7JrRflMhjfBtETCOV8B4z0B9wCZZywz +iLOt8+0A0zpY7EHZNvMRjZyq/s0FCKLtnlqo/KNwiJPRvQazZ6+UOSffEQEGpNKs +1ycZIDb1tk8iRpRvtCin8CeLRLf+2BxHbWBewnCSCl80rC89PTcvPf+jmtcDJqDQ +z/blp2CT1JUo1xdzyHYdIa/kQ2PBQo02ejBVs0vDjbzuYVQzZV3q6cYnYwGPtpTB +Ot8GXuA1X3qYx0MlZwGEYpiTFS+Ju4cJrYofuBOudXpfux2uAPkJskw+ro5k1I/q +fptRWDbZ4fGgROmUXBPg29XdyVExYgAbVeBdHWX30sCHs8+c8wzWkdAY/BgdCySg +EVLiDmSfMekH2H1N9ncwzhwNlHk2BaYTR9hWdZ7lrH7BbT8g6SVSge/eqgvjKI33 +AUmragvNQ1B3362yqLK/FJOHyJiYd6DKfkq4E+ysw+C+qIo51qVNkqRqT0M7HhwZ +AvaoeykrGIE5vq6jHa9+MxDlsN5Sf7gNgx2dk0d7LAJR6AmYNqRS2V+837XfogMc +bB90ZyK2rOzDN3f48jaqXA8TX2CSun01RoPdCPZm0M/uxTZxOFzoatrkpEVbx/3x +sjvuPVa7qkKdgUuo/PhBABEBAAGJBHIEGAEIACYWIQSuP6x5ZxHsWfwAeqR0u2ua +TLs9OAUCXFtVOgIbAgUJA70hAAJACRB0u2uaTLs9OMF0IAQZAQgAHRYhBHkdfriO +vI0BOENKrDPfNZrnpgp5BQJcW1U6AAoJEDPfNZrnpgp5JY4QAMry7TcsRIZJCVlC +qecIAjyJizWz5dEwScba0BDU4rv/h42CvXJlySZpbgUEyB4SBggEnu/dKVbsd/t0 +TXRNg80Zs/pTFVbwcg+sDgIg1wZldZbClLfvgk0xLoDl5vq+K4SAQwSLTSPHQyYu +8IxkrKmbBdBSXlgnmcHK2lDXrzWYJDEYEyFPV4pC3cHicCygSc/4eepUz+crEF6Z +IE1df4LRv9h5CgsLewMv5nQ1EjxTo9mX1GiSh3e7KcfS98FgIQl3oy+yO2cmVVVq +x5ggDcRI2sUbXa3D3kjAo2tUIA1nUMFLIrii+aZawOsf64VMdIs2OXEi5XFR+Zdw +t+Bx6lUKZ3/tntStZitJdK8/RUbhmYQ8Tu01vxt/IAN+07VxWyZwcFB5KuC+lKtO +/0vwyhyiOlHm8lzV/5qwFPusB4bNk/2uLPUaavJdrBpmB0t9pol/NFCRzW5MKFvu +Qw35QyFVR0IBeaGjRc5J9yxbzi78umN1iHZbDjXFA7oRa9tkM2AP8V2anxSHUyon +UN6OuLqSM2frA8iZcl0S7qcepYNF1ix9PhdQHXy0H7hoikXMLIiCl/unW5pVTs6q +KnmxmRz9ZcqvvuVXbeY9C+kZE0LOBTZMljuS1Hcs69RU3rA18swfN5CTXw12ZwQZ +SsnRhi2X28Tn8SD0vrEsEf08q3XshDwP/0MvBBfymXd+5MzxlvMg8vGJeFuDMEFN +cpETa7Xzzz5Eir3ETtxpUWPCriqmCpnlIWidNwbg+LlyTeYUDPIDnMtEX5ySmYGn +BI8ykvAKm/XTfr0PWOEAXcmxTC3oMhvYEhIyGHZOFJQxIo7vmrwZKi2wqMnKMPq+ 
+XXHgvtZe5tNbESI27APeQCMVZLVnVVa0D1JRFYBuwNoJXhWbAIKlIjBGv05NvK71 +e4x0zEY2mXxLBbsxVBvHhpg29HseX/AhHvUAcBehJ+sqnenXZqdeNhgBIeZubXq6 +A/gfscswF/Ocp63Z/vqAjEmvUKwAxNKrKlwLVShVvobPx2N4hH4ZT7p58cjhMhQz +Lm4whTHy1hvBIR6j/Lo2eOkkVhiMlrrvWJIAEic3Gzj5f7XOsVr7CXjkSdoXHOIR +63ZDO/9Wy6ygu8vCdiIFlyRyUBLnGhUYVbRYnTU58tQMfEYy30ZKF4vxz4Ysxoy1 +oJa6emaa33Nn1Z2kE64AaW4wbUJ57nROuFdoYTwJ02vyc51J4s0C94EA+a5VrQkN +J7bT8P9G5gksp4b1WyoFm+O4aU5Sx+XpSO2IZFuBL05anF57Pm6Bz3LJX6sEYima +chv72q7PYeYbETrl4DZxE2xlEiMUvN4DH/RExpPWeUsVMFtS5n60n5+AW1EYyGJ9 +mfWlvZ0xCjQ3uQINBFxbVW4BEAC/gtho2rZl6/+/szkOfEumAdFwyQbtM5CnJyuU +rnrneWWlnNPLeaHml5a9yrcgOZ15QgnFD5YOHZ/S9L40goML8cB118etk9uE7vMv +EtwxbkqZXTlqdxpFI/SzT4jJCa9XFQ2uA+KdmKmGW9EagtdLql2B9ziMhH0Ha6Y9 +5x+9+7/oRYU+ddmAbwrJjdn6bCuYQ7QVpccFC67qdpy2I97v03hst7yGT1FbrIjE +sF4nMig6Uhwma5Edqm2dLaVXeZ+Fl0WeQCnWjprZMvkHCAxjTBlQpmvvwcQwqHot +s832s96l/Sd5R6r+TWU0lTtXpcxL6t7MXfW+BInkqg0ZiHG1Znni6SwfatzDv6W2 +lJW2pj3Ub++JulEIkbct1f+TEeeLU0RbJmWlL/qe24fodKg1ixH0gyxsRKzdBUIf +vgCkrzwLFgJEHRISjQzIASVtDdt8QoIqX8XALgjMBgAnZqtYrAEdFImWys0K1zOu +MbuPcTImufz5ObnKM7rRMdCO9z+cHGs0TT2vUvPPuOsNYL1GX4EfrCp2eLKahjJQ +BCxfatn4mFqHVmR/4a7vqq1j4Qfj3h08z7QVrNwGWAF3r8nmaHdaT0m55xctMRQa +3N3UaYj0IQ08CSUJq5e005Z5Oinbt2O4paxnG4/UbJXpRiLEVU5Ja17IBsDfZydx +W//ZlQARAQABiQRyBBgBCAAmFiEErj+seWcR7Fn8AHqkdLtrmky7PTgFAlxbVW4C +GwIFCQO9IQACQAkQdLtrmky7PTjBdCAEGQEIAB0WIQQVaJBoXqDfahNx7yAXzF2x +8AiEBwUCXFtVbgAKCRAXzF2x8AiEB3iPEACI735VFBDd4E6wlGAA12Av+XnWSruo +Te7zGdKo2SuZ1gN1PYdNgflbifYCYajnQENp92N3q263Sq3MDf+EZYKijJ3EoU6y +chjOJR6ge+UgKPdGQc7Lu61wWECBFaL6TMXCedcZ/Xd0xT2IbvK8qsKsITDjiDOh +DUqdjVeyPXyfkmSrF5P3hvNxJvPbQ6k5Igx9JA+unLXxatljAeh1whnchRQAIKkx +l19Nr1z+odFD+tzCX4HQmUfHRXgBiJICyIxWB+U7USqLtqk+7DE893meceSt0Mz0 +JgLct0E5EFfCdwbehnl5NJeay8XEdcfjUkeyb/VAVxWYUBiG72okUIaIP7xR5MW1 +P6ecdTr0GzOC1SySpfyT0+ot0rtXGSnXrBzpY6nU14hDoV3g/FMas+qz1smTtOVi +1MVakDRf4QyP9Jqf4q4/GosRrgBvXZHi+zWkKuf+DXPcL/q6MfgHvQc6tFMh5ONQ +snrF3Bca3BQDT2GKjSukeG3JmECHmKtQk22jhk6T9DJ3518yw29El9tUgraaZ5Fo 
+Gen3TYCxA2BhV2LYCSLSHiTPdtUsbDuIP/FXaFXr34nAtKKOSSY6nP8SMzCPSEMN +iscfdjejR1Xd012T/mLqVCBzFJWyX2RaUdygSWUpt/QdvWa4pXCgYZjEVidraOws +VWMbb0zuI9KCseOaD/4jd+awtnRUj2SbGeJSVnqDPk0Hk8ndFebAo70uQGATkLXC +m5ls0RDU2xHZumuUk+b74Y1KjwdqF65NEmfjaSQ6B8gnCO69eKHcUT821ED9bwfa +4XpgsOMEoZklvFByax0JMS4JEJU/xfsLmfeuXVirN9Z82vxAXG8fuK8bso6VLG/J +Mpxhq1Zv24NQ+uevvh9loyWMcaw3IqPvQzNlyuuya3rXJYZHSH7TauYgqWySXiGS +H6oXl6Ej4GR3t5uWwHKvEREQer+KPZV3uXRnrTpgITy+PxZ9ywmPwmPBHcD6c0P+ +g0lNNtDdvw69qy+oh7JaqqYaDvedseN39UgBSx++ewRhq0OTikAD/BCv1zhPizlD +9BHAOsCxrgnz0WsONYKFAE8vtNo/wB//djf/zqMsI3iWdbWqM9e/muEEV4jQRWLW +TWp1XTqqvkc6TsLBBNO5zisJ0VwSfDyRUplr/IWeUl9FrRngjBJqF2nl90US5p3o +uk5wUWdjFa0haFyDgZNFwyFr85mex+o6qIC3oif7UjC4kHPe4wzvHDYAxrHMB6MY +QvrcXzULmInot3qRAr5duUNbQbrjdtVvOQFvjowBP5Scu5ZBSzc0O2TUUSKgnJZS +Bs7+yswfgyhYzusbxlOdA+iE2Y8GuovamGYTbsdCxDStOMfZnaiXuLL04Uy1PQ== +=fX+D +-----END PGP PUBLIC KEY BLOCK----- +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBF/u5KMBEAC0hPiTonjYEe5FqNzFn73KmcN8KGD2wzujmWWLnFXGEVDEpFcS +ULQDshhCclwNeXUArUey4nficwpqUe+Xl2h4dP4z7yh3WiL5nA5JRjJjw8KJQGVW +AkgiZTnJHH8DrzNt9LnDL516qMDJarTHemDUUUZLNxnuv0RDEhDxsXWiVCQZZcw/ +41yIY97uCf30dsDwnckVl3iEmYaGTYavWbKP60S8WaxO0YG57RI1etmlIQ0nMmka +4bvFnwwb9Jdnwle4LIiRMCGymsheaKCKrEZgIJY+idyBuExLLykiL8iNBj2Pzi7z +XSCniH9qcEwfqgZlP/KZwujLhGOc4c4peNwpuDGcmYZoAsUD8CZ8H/LU1FIR2A1u +/UrRREtC8nNTDGxCckSMEquHNURfMk1QmDbJ9gaa9aOk0AArxuTxyj6Cn+KQd5l5 +0mN0R1sDVQq9xWdvnB7N0d3MDhnV7f19iUhi3KYvjVTkCMXjhNXjDH/KXFKoFhKa +9SkxYGfW25inwSQoqbP1TE5+rESf57bo+XFxfVQuYfVJ5BlZobz+sRl2iDQyBJDM +uDFyXE/t+E76BmwyHeOI1weqUMYebqHgu0x76dTYj9yWgWdQAC1pXi15/MTIaOtQ +hWezb5rkI2yZqaZLaRBOIRBIPM5C5AOjL2XbfwUuSr2W4+TvxLocxi48DwARAQAB +tE1JbnRlcm5ldCBTeXN0ZW1zIENvbnNvcnRpdW0sIEluYy4gKFNpZ25pbmcga2V5 +LCAyMDIxLTIwMjIpIDxjb2Rlc2lnbkBpc2Mub3JnPokCVAQTAQgAPhYhBH4ckayA +MKWlnR76uXUPPIdyPkASBQJf7uSjAhsPBQkD60WABQsJCAcCBhUKCQgLAgQWAgMB +Ah4BAheAAAoJEHUPPIdyPkAS0lMP/2IgMErScBUaXrZXqYXoluR8xU0p9DyZEBx+ +ZGNAcJ2CTPAbn3FrkNGNpK4SOCLXEZPKOQ09umaIxl8H6uEGaTut1JLj1qGaZ8ID 
+4gAeQcTIN9OQA5ElQo+ci20XE9JSvzqY1zb04EkMuVL678xPCYJhUSLS0MAQkcDJ +JQLN17SwNi4vGqzVhnwKUviQU9/s+LRUkThsTg4qT0fNnmGoVJXqrshxJa2ZWM6J +QtOWBgJiC6xZ+zRiZS898L0tekU4o9yxtnnDWry2bI+mJbxAp94ZAXgKahOU7LKV +3SPxkx7TAng24nOWi1EaP51pe7usTFH1BR3CUHZdoIQ4xruZGkt/qPumskofzl+1 +8bw1bEFbq8S6jC+twT3JUcE02HbEIbrd6l2T8pYBXaojFggGjUTSv9d5YUN5N9U/ +/Qy0o3xZwHNdXLx6xSrUO+NT5JU1Nh/0sutEH7ru/YqFZof9vfCbV86y8fIOPgk8 +LkJNUSu4QCJ1PHKB+fJp7yAhlPkOXNG1b9+W/hVp96rdkovpCUkLD83s+suQyJGk +QB7Qpem7nS4zp7/Naui+g3M3p/uRSzZgELTnXNyY//bw9fOqx5SDLjSUslUMz+TH +sFTwfo/Mot70MPHMe6aE6tdTDoJTcv4Iim/8MDhJ6yqKt8sxprataZoWwFi6zAF9 +BzWkJcrbuQINBF/u5P4BEACso8iLzFJ+M1wqcsCDup+GtRMzte04CAlLmaLgyzfL +3xxBo4AUgX6UbUCGycG878JVn52S6Nsl6FlasmyH00MGjZt1CuNz4htfSmLGcBMj +IwQv1CYR8bm9EPwR15NaWdgzJHShCduMHv4HdfqSa6UQfzO/P8mwioER19fkDQSE +U1KsY0yl//ipWiW3ZJGShGHLnn4YbxogQtsRPESKUsQ9MtzuMt3ehGtkN4RguOXC +6pCWP8J4F9lgjSZ+uLOQKV4rmpbSMXntOJi2nu+14Zj36enW8xyAXO/w5z/wci2G +LN/aa/v2a3GM3WJQsPNzpDwB+pr1n0Kp+wK6K7siVmDoV+WecD2KNNgOuSyUve7h +BjWRM9W13LsgLGhKJA8yUpPvhXk91vLRUhwFJ2GUirxLPLs2TSTjHlHvhcPy6aX2 +HxbHkcOt53n2h0zx7ntl1N7XHozMWmHphPsSvOZ5StuQRAFvfE63EyfR84KUPIbZ +kvftbAJPKCJC8W6GqhfORzYZqldDNNva5iYHF1OItF79ZLGI56diNsBV9SOVKk4d +f9Qp6urYOd+9RGQGmCQte/WSFaU9z9QYPEGl1NlmGAWt7KKyB6QXZH1oEMwXtPd8 +4GQX3XGtyggEp6BGwkFFWRQzF1EZ0maRPrpN4bpQqLXSJiqQxsX+FAcOkhpo6X7b +8QARAQABiQRyBBgBCAAmFiEEfhyRrIAwpaWdHvq5dQ88h3I+QBIFAl/u5P4CGwIF +CQPrRYACQAkQdQ88h3I+QBLBdCAEGQEIAB0WIQTpq255IzwEFuiZP0UMA6+pClln +xAUCX+7k/gAKCRAMA6+pCllnxDtmD/0YCUccmKudW9PiQw7mI1HSuwL6aS+MlG6/ +LJ79nmi6TTpe87NDcEv2bBpVWYcQK87smCxIYyuj4SCZuBQivjyuecipRoG14PUh +KU8UiqdF+vKDvUAA7huOBlR4dgr7/KvjirnbwO3mGouwZszDOLvaHuO403+TPm1b +mJtEA9y6Wbk/+PTtfPymQwnaiJkPhQ6Q7ZbyasRIisO3MRPacUjt2DXFi5VV/Mya +8o5Pae3zY+5SjMyE2siPnVE4/nzp424jDzSq4DGEUip/x+QYHFwxhCJmdZlRIFmn +vSCAGXBpyPVbckC0Gw8kZ8HsGzNbMbx/VjDG3LFT8TR2Djsh99/6icO1J+jDkPNn +IFEsYjAw7Tos5IPhIT1XkSCW84KqBG5pGI5h7fJzf19sR7Ki6XyFe6VYvggeQIS7 +VN1ISl3tRN/dk0GbrKkUKr0OVfaRD0wXQHTzbec8Fs43G0z/DKoFutGB/J3yjAmw 
+IOcP5R6rqjhVp4APQpsB51XCaaqEXaXZyMWrKILbPIjlE6FHeh1qd+zdIjullnF2 +YZv89HU9dIXxKr35CM8f3BWm4D4cRjsUOWoGhMNwdHzHYOdys6T72KBK9D2irz8C +L0bycjN+SIpde/auo+dQKqKD3/ipr4dyKJyOUsls9cyhxkFp031cZ5rWbXcLJ8/s +1BeVPjFCngqPD/9rMKA6kCSnTo+rSqZRxo9RlQwy4K6xfPPdHZvBi3A4UYCsurgl +qLtFtGG8SMWigmUZWLT6uhsi0orR5wfG7vzajF0Hcd8yuWa4zGeu0rFJXgG64Pyj +nJHtv2Tzi8DNY5Y+8mfXqUewyEUXQLxnLqpGlPjNUAJKvjm4SstNadewgWeb6F8x +UQJc8owGmK5+yZQ5LZj6bjt9Dr3SCM3Og/iS5XK5POGUJgtgXLXp3uy7p9SzsJ73 +qhrDII/YqSwToMu8tUv4xEGxyceVPDm+ywde5SXYmtvMYrq5DBdlalZ9kBlC5fyc +IIzKoIOOkKKpa/YAyKdLTk8ZByjDk1RrdcOyP4VNpCvyisf6JPwWfKdM5mxf47hb +s7zioUH7miUGA6i5TNi1e+DU2mL92sJwQ0WkHw6KaUez2Y9CaD8hZnQw/h/JcNq6 +nb8y0GR8h7qWms3K0rtSs8SuDXUsdZrFAeURivccmohXddtt0FDzkheKGXs27SSl +8oOCh+jl/hEUzz2mJGFwRBo0FI5ipN51IfjhMJ8zzSmvfrtdwT2Tu6wSY9DLsYR7 +0tWGOc2HA6o7kdcC1V0p2jvQct281FrC9dTXFgcDuGUBYhzEZeWwjuYQXBzMquF6 +ersVnPo/Z5l1SnkK+wVBQbf4igHOaobl0AQxnb86W4CXBTZ3CvRq6o8vWbkCDQRf +7uUlARAA7oTlVZXhdVlPnSQlnI5JwovG2jEIrRifpbyavlhlosX+rgtQ5EILn0DS +PJ35CNfOAeOcLQeRrJAZj6w/x9FHWfKRAHUeiTTsVDzTrDyJBCVuC40ck587KVUc +GuB3vee03/y8qAczj5TZNaDdl+4qAzOFQuV4MjwJOx5fsXZw3dUAS7pw1mTkAYTh +nz557buc8JJCxrebT6FvN8bugk7LJ8SYmI154Q5wCdXB6Q42sdSMFlKKPYRRmIvX +vI4Ytl/J35v43gCLbXccTWQpBX+ra75sndS2hYGQhcC+WdNtt4THgU6Sb7ErpJK7 +7A1r1Wf0WSioQ2VWjT0QbUE+6IXD1J8duh6ZgzuqppMm13aDdMDZGwdcxlFw+vlo +bM+IAX+QgzPjslM3FHVvvfCLka+ctMO+lL0bz1G4njNEXcIAILhmoqRI4ItVH7Nl +ZI3pAfLLB4qbhTKTIiS+uIoA82RU86ozr5oJZCsJa5N5EpJnYxnjv2tYhU42eh+j +hyM+5ra1dXtveKvL5SkVuRUlPZvgOuwQ14Qnj6sv8CmtBpyVpupHmY2RbNtLVLdH +Ix3lyQbgVo9iMJIoXiPXmcRWCgLgOeuETjFXsEcFLxuN+D0My0dtwWcg+271vtPn +0orTObxkctFK+V32ByJYxVvytNCW245bICpxCicxmh5kYEmQCnMAEQEAAYkEcgQY +AQgAJhYhBH4ckayAMKWlnR76uXUPPIdyPkASBQJf7uUlAhsCBQkD60WAAkAJEHUP +PIdyPkASwXQgBBkBCAAdFiEEqtu6UHTxQC97adVrxbTukxqfnf0FAl/u5SUACgkQ +xbTukxqfnf2aeg//ZspIr4ETVf3ai0dXCm2Pf6gpM7QUfI9fPUHymvBhNrNhfZqN +ADpzbJefzLif8as7kUr904zTc5Jse5a0MzCrMyEwTDIoCKDv2ktLq1L20bwflZs+ +oP27CYC5FkJYgLYPrQZ/7hRC8EWjgn6v3seJtEo8G73kiVEBOnxVEfGZ8zxmX1Cp 
+aOWfhiFYCmkEe6Ck9hG+OaWt7+WW0wWT1UFiluzRRAEMROcCUtyB5IPCqCH/Rz/m +/bE6G+lHZo6OY/wY2q/oW2f9JB/4QyJeSI+fkjY/wDjfNQjiPMLfZctv25IeZYVY +ZvIKrdnjbzRe+GwYLg5G/SbpSOEb5O55Ps8mNUpYFaMCfefW+DG48a4WyUGzFr52 +BMKvHKtc6c7P3+muBAqcNZYxRqyLIQiYiV9CCjpIV1WgUeedroHUXvJF/SAvNVvB +ZR00I/D2hsD9BFh3B1FEYbw7GuYuG27Z6fgRolOQUeTabjQLI386SV3IxZ1KFwm4 +GU8BTbUA2zwT3hu/BaaCI5jTSLyBpdo10b1wgMEnqmXG6AbNdxFVEWwE+CE++BHW +0YBhKp8fghHwwN1fwTCV+QyA4Qn6EBVDkTrUPKqTeCmHzt3AQh8WVrsmrodyr5Yp +69LoRnlkLcGJiOCKMOmkop9Z32ckGieYHrl24Dw6hmUSWDG+pBn0ezbSPit3FhAA +qD2y1VzqxsaCOD634Ltq8AbvphP8XZPrrsC3DIA36ITaCQDa5Cn7madLCXy/uP6N ++tojtzXf4tUzumwGJGFLtdMXNmuEuXrj++NrU1xcscbvDn5O4NDMadwI1EDlQo7w +uWK9jaQAVhF7iDEBEazZe26knQFxC0my4SyO1uQaEg3BKHj6z7dkAjzWJaQZhzql +yrRzbCiVUUI8ZkrgM/+/6NJohUG/had6DoefgK6H8/yjgVx1Wtx+XAuBQ2cvclhc +TAmHs128dWduNHxI2Yx+uM4kuHYpPKBwdEh91ZNeNqtBJURfSVjBCjKkTYiS7kiv +XyvQOBdZVeSVpj/QoAfaUlQoBVm7aF6xf7GtYlVzjMsLYdpjXhy4ZbQQVUuPI+1f +yFkw8PpASZ3gvO6KQ4V2w3hOYAxYQ1kSwTtaA7+18nyv65VolTmAotmLun94UKn7 +zjopByBnC/XEqsU3tibg9A7xQ2KUpWkpmG35f4ZR9aEIxSe2Jmm+Se0JfiAq6Szf +dyWvr/TzaS/BZL4WEPk2Vw/mzWEPZOscpIkBFGK+Ul7yuXvbrbwr+zmAikHmTb1V +XfPb9eBnwDDuRHhLBym4FMrPjzeziAxxkScTfDjWq6rvMmaEe1CX+dj6ldx9Jp9d +iUngol89eSgAQOtptjcit5o0Y0Mu/RF6KIBG89ghFly5Ag0EX+7lVAEQAKFx5asK +W7A9BNKPkaXgym0AlW2szQR1nwxi3APLVLS0Al9Y/3mnBbYyO84HDr82AtMSWSMY +UZIKtkUj2sVqUb+xHOPkY/MenyoBrCl2qaTVJ89nnWMUjtrX2qk0O09+ByoYXTit +BVPAIZ/qZfGNB+Dsp1haNKRdowkf6WXkw7A9dHB5isVmaM/Z0THNJRHwc6mcqbEV +M4fDL+OCx6m2KQHTHirk+OE9Nwral82IIqj3d5UBHmjHAbQNXTDzZbWg6tYbLN3I +EYxSRQpkJZIVheyBmWFZuivm4hCDZxJlZ1sgxQeIZk6wR2LBR6ccTW6PH11PhIpr +6O8aQh8JUMg+/aJK2eQXINozYdjOTUjnWAUeUqML7Pg/vERRAgHXO9Z+NTIEWEOo +Ee+8WOFmrmfjb9Uz27DtymhUjOl0ryiG6F1b90t1rZvVKWR2OaCUhICm88o3MCgb +HFeOh7v3tnQb2Uot7kY1hgch6j1MNYWGb8LjwoTAmx9okEv9mh119k+SdVJP6wsX +ZtL4860vTfTw6RQM7rkZBzTyf4qCvU5uRSd2u6JqtUhw4m/gkKQyW8jLEkqX7JaT ++iEBgPzjALvfSWDbDgst0szqU5jltYpgjG3On7/ZGFFJrkB06orUvovxLThWWvm1 +iugw4/av3n64hl/yfxvKQHLQA3Kfkjjzc3oPABEBAAGJBHIEGAEIACYWIQR+HJGs 
+gDClpZ0e+rl1DzyHcj5AEgUCX+7lVAIbAgUJA+tFgAJACRB1DzyHcj5AEsF0IAQZ +AQgAHRYhBGFPhWcuJXtdQn6ZBiGZBzrXgrS4BQJf7uVUAAoJECGZBzrXgrS4jfkP +/ApYZIRnBL+LdTPYdbZDYXotkE6RO6ZsPdcV1G6na5jJ7igdVuvoz5nP3rX+oQoH +6k9DysQzyh/SkXRPnbOOyvQsI7atmH7SkhNn7ke8zmEJLzApHA0ZMGXtBJHQkZwA +5LDWIQb8HbtJTBr2DyJcQdpRmP3hHDgyYgwg0AUG/2JEwYqps+/pqJCrLSP+GLOA +ia+wRH9xwv1Vl2gIxWXqEO6U3puqUg+0z1Av4Gj/xzuw1F3eLrOfgklhpASc8QtC +89kx1nhFS+OybQfRAH7YN9DKE5L1kJxQ4t+uW8TiXf9r+MdcVMEI3LATZRtgowFc +493g7EkTppmqabFns9OamyxXdIzLAKoKvykr7HPCBWUnZn2I2RrcGQltRBQlR0Mb +jO+sFi89XnFPwXIw/t/9zoq1bXCGTt7H5RtrfxC1wTYXqLEdV9pptNj7j5mlff9g +DMw1v3MfUxbz9gIDzs7ANnw3SkWi+d0v0bLadWdItkq2WKvvgB58NJtKPc8Jwilh +nO7W31U/kv8FR9JcFXzS9+Y6ejIClF4FAwr5tK07N/xSFAKEs5kyAYEKxP6vI59m +5h+tO8cws+pi4gqfWa3t3b+dVzKl9AIkWAYjq9FvbfiqZgKTlTviSUMpmK5qJVld +72+NiolUVniJbw9Z10ps4G4zmXSl1ZxyKnehUzcKyPieEEsP/1/tctQx1LhVu0TJ +RLtWrE523hqxpqDdF8/QrNp9dX3YVoEkMQW3YYir2oERtaosWXmRjldq5dNfgtwc +lhG+/CP5rxNeCJlI+b64pC/yQMCrbz/V74aAipuv7ZZMflgr7ZD5i3jyM/7/AunS +qOUPwkKrjetNF85eibeO7c0Y9/HhILkLQ8EoNfJshdc0/scwMZEpLHTMAHSrxCAV +FuhLsF9epenA6IbtuMsp43aSxshX05RH7F94uj4VCMUSs/90viB5njItpPdZCqUH +eXSvLSjxqsmS4Tz9Dn+uWvxleBLRRcpZykuNLGgwVXafWftWbA+U9KaJnDWFdzjJ ++gAsWfHfFBOa1RfXYP++e+VJflcHaEZ4byLG5Zf1HqAvvcaShAVuMXY1hoYJinvh +uk1zJRW9dP7apZx7BXWxbWcn8LMR5GFfunl/M2iNASmkqxJ9gvy6TBRWJu2QeNbN +5Ks0/GDUawQqvhmM3V6zFQWVsPwaHpufIaGqnKC2gXaIHXPP0ldyXdLXwgZ+6A7D +IEqHQB2BDbiJtovk6GaK8PUCEHTiDmRF/mBzlpBJOn+Hc5ELufgr9E2lkrKJzFag +CBCucNhVEaUedFrycxfSALing7DJPWb5cobu9K+3T9L3k57XgxSAj+g6vOxHuxHL +ve1IPheCWfkKpJH5faFDWKpJYYPauQINBF/u5YABEADgWTS7wFA39XvpWNHSfAAR +2/nlGWuTvD7zoirzUwOd2+I2XYwgl910KsznhlqDrHZlqKuGRjQlbpyTbsOH2N5k +IE+0uEXidU3iwslSZ33RLL0h9+czDnlgijYXLCg5ScswBEC1E/kXX685AUCTPX2n +D1+Ymxxgov3AvItVxKDd3N5ERsy6hYWPK4ACXt47hJFqPfPtnQe2IdFkRm3bOuX/ +X79Kb5N6cAoao65Tpsix1pm6tTNww0+THzIWzK/yhi1/tUOv/QJMEVAxeBAPr+Pm +mvjHvsI9RNQt7VnoHVkqJhPDxyQZR2IOVQXvlYyCtkPA4WQlyxLzWM24TG8xhD1v +zZzA8qs//o9QI8OLg2ZYxplC4lW6GEZk3GnrTXs7bW6HUq+RlayIbDw7oMs30jAv 
+YyDdQpZrYuZvsWKbKu+65Yi3M5kW0v96LT3ueMJaL/RanL9JhAWuEqyezffsBZ5a +88/i0n9FJ8cQ1fZq2/GLq/mN2JZ3e/HSWynTnlmk+qGk2bq0cRFJNHAs2HNAm0Id +pjSFCPmek9j30wp2c2knML+SsSw5h6570mwILuKwFr6i2hyFlPk4H7nP04vPQ8P2 +Pu5O/Cfg9rPSBjIi9FsNS8/a29sSuOmsSGHZnMrVUpGw+iKmx/jVejOtqe6hYydu +MSQtIU59E2fq5TM4tub6qwARAQABiQRyBBgBCAAmFiEEfhyRrIAwpaWdHvq5dQ88 +h3I+QBIFAl/u5YACGwIFCQPrRYACQAkQdQ88h3I+QBLBdCAEGQEIAB0WIQQjoUGa +YHzyVyZWN3UsTffOV4ELlAUCX+7lgAAKCRAsTffOV4ELlDerEACBP9kAH17GHloL +XJjd1IHttRWU2Qs/VV0H14g14hgRz2/Qa7KRR4mGrXPKS/ctMkDXwlvs4HPUTeO4 +MMT38hwxv54AjW7CtF8DR3EQFXKR51roICQognvqpPe1auNERdLzAdcn+NoHEQB7 +eyPqjQM3OGGq0SVRwNnv777o+Kd8Ncv/4fR1xvA20Ds94G5vCYpHB6J+lPPVXBmz +rOYSf+QZWsXjAZdnAAYkpEjfJhNrqvqSoRxZ0dweCqieenm8Nzt/vdL9nT3+4AGy +5hmaAG2ENj5AhI194gtgACvKwCl5hF0VKMhtm5d9SWS+1quHzgn3UFh3VZrfjPid +CR64mIu3RpZe7EcR+lMl7gCJxdFlHVD3z1lbz2V6u+xH4ZsLrTY+v8kDxzY8ojM/ +zDbnlEK+xzA9akhlaD3D3wKXRVuSlrxfEVv14mwKN5AYHN7bLL3bjOo9WYtLznH6 +Av4GqXSQ+LOl0+6bLKmD68/N0q2IiZwUSOsxTE1fUdYPF8eiN8L+35Qt0jwybieU +a3JYtmO8EW4ZEmjJGwKgyrf+eigJN2/0AeBwcJyUw1YfzaqqS35NNyn5eKANyFQ2 +ZhIjuXRyBOoUMBAx2TSm7FGeFOIw+aQgap6HuGbZ0EZBz6hr9ogNC9FVXCPENKo+ +GdTGoIEs0n6gGOPP5ssp7xUK3420AM3HEACSmYaNC1Gfq2d81fI0TBJ9ATCRPo14 +MjJGiWaFaXoVp/lQeOvlX2JyBG2I6fhMGPGKntCfX+/MERLNAiahQgOjvnOCQdlL +hbq+6loQ1eSTX2AXpRlQpvyxLuebbM+HX3N/9mqAksgQdljmqoJQbiE/HqXqjmKe +16ylU3Rjabyc2p/31p7hm0IJ/3yqDsM06FUBJ108SALQyVvKqRA6q1t/Odb3xgt2 +isbCEgvhJ8kYz3LQkvTW75rSa1cM53Udd1rbyo1t0PaOSGeUZw73/nY1+6LtUEg7 +Q0x4ohL1UE7z7+14mAtn4OvGDuZJil7Lf4cPszf0SFoHPs8iUFpSorBwn3u+5ZXW +NYFblPU2WK3O52qZqsjuQI/gK7uQhXjJO5nA5M8Yv7bVrbLMOj64hdOpNbd56Ycc +qwYbHZL3WyRAN7TNg5ZlHgIVac22StawjXiHWDGaAXpCaHJn8ryM3LY+LTz16R2M +bi+HVaw+0fY9f/mIcOdT6AyDg+V200GkGXL6aw0LZkBZmDin+OMmL7AS8TZ4dvZt +zj+sykcT8DsaFj5Au6zHJoCnsuShMquHOA/vcUkhoe8/E2Y2QdiX7zwDM8vFM8tX +DujFLNPIZuItcVEpE3ysFV2ZfVgBXoxTlZUQxdgJBQ0zg6Ez7rDYEAhVqo2gY9sk +XtN80X/unsjGSbkCDQRf7uWiARAA3i7pu8/QvukeIBoIk1V0GHGPjX+GeV3fR4fu +ciYgx+NKTXT/oJ/89KVeetT4CSnGEZcEpAvsBL3hsiblJYyLVmeoCniFlU+rMem4 
+zYP2PnEX70Q56d6SjBArs3K1FZK25S5qqv5ceM10NVRwPufV1RIuui6mQLm2ZwlY +JyyANZZXMrHMJdaHpK9mMBSSF42MFQZhcauQCrhMhcpmZKn0D2+PpRveYwSr43Qi +qBWR2INTDmj/V3ERMviE7vLajWQcmDdcrBp4u3miAJcJSn3XR5SiuL5W77jFEzgJ +zR8yTC4hWE60nWJOk8UrEbpLyr7mBE0Tr7+1IBMgVXh8WHyzLE2ENREFvtp8KlSS +y47Ky9n+5aqPI4M7epMNwU/ZGQnC8o3yX0zZL1tKq0fTAw1Ly4NGE1gRbmzrQcCh +qUHg/J4KFYBMg8eCAzuPp4CRk8wUzu4fRWrOraoz/7bvhH8ilgPu1teLLKzDdOdx +QAaiz/nGy00ICNbYqifR5m73K/rDdjtIqgsMp9Az0mEpgVNq8SPzM5grqAnP/iww +QxwFftiXq/pEP2d8rn65e8NikN42Q28PH1D/uBYnOuVdZUvjU9wwywmfyr+NZMaH +X9sN8R3Kk990W9VxwdOTITpAjz0qMtpE7i/GwPEtpZPTIfl54+cVKvyUjBuTXkWn +vXN+6MkAEQEAAYkEcgQYAQgAJhYhBH4ckayAMKWlnR76uXUPPIdyPkASBQJf7uWi +AhsCBQkD60WAAkAJEHUPPIdyPkASwXQgBBkBCAAdFiEEBjEqvVaiYb6sKxATk1aQ +aqvQi4MFAl/u5aIACgkQk1aQaqvQi4P2Mg/9FXfsIZAgPN/Dq95y1fHG8jsPXEoY +VNY1codxxAaNqvBXZkfJbFwSYpLY3xIbyxHuGuOtC9NpIy9M1+PR7MsxtZAvSjP+ +flP/12x+6nP2H3NWOICpsY1tNOnQe2SjKJxZXHFnDqDBgKpv3QfKUHmYEdExJe3p +NQrjZAgmdbEHeoj+P2VV5vqRrJoqNV/pUbM9czfEHeMVMm/mwWNOi/paCh1y/PxZ +Mkj2bqLMRFfML9O/7QOJRxu3wQwl6jJHj4o6CHks6t237FSB+qZhhQP+vR2CZl5w +lQ4trw0wpNgbZRIMlU3tUfFQ+KdFsM7UqwzwrVgWFur5r7KrFzJN88EKSplrIY0q +se6S5b58H7Tw1jtfjb/xF6jQz5aoZ9xemd8roLReRpKPq70o2eIP1HkjCtqmd5Xc +RQaVEUvlv34WZQ5w2eA1bEBESjbrKhX+H0Un0msUS0JpnpegRNZqW3Bedeos0usy +MsfqMYmZEcZb3hw51XnSb8B/WhkSmcoEuECRxeCu1tw0pn7o4GemAeqT5ng8LXeE +RJhrUTlCIyRab8TIQZvmf6XjneT0stZLKCoZUXO+7FH7F7nPsew1dU+WFIauQX71 +PkZp2JMT7W57HKPuEillF8v5+H1k9Jq/2k+ZdgmT1Gd27nALBOc7q8rr00Lf6BU3 +K+XsfWo+p08CXKudfQ/+JFzzpyKeX5nVqiqbxqUakPy/Ot010/7457YVpvcLmcvT +Yn4cR0dottl96lp5wT1jN7VXfZu/tsHEtTg1ofeExNuCL8DZVsSN836idRmObhLP +dnYmThZcXBJ3RgSniQNwvuuGUtpH7OXb5vnAOe42+n3yucxhPI9Gzo5g6fTqWwb+ +qwh39ydxtiv3v3jgFixJLj/HH3MsxTm6cNUTWNLzvX+HugBeuOfyDG9++fe3UmZe +MczAF9N9tDFP+0b1diXywJWfSdVLBmMARYeh0Swjud60SQLTqaqXVfPSECGo9LVc +wot2u4q67QhUC2OTKiTkF6QVE05iKoPEPkCTmMvSpbHF3ERZE3J6YsVg17Uc7LrZ +7DRRF+03mu4njS8LvIoeBuqsB96mNQNH/PwLSANWTtclCwj2C9W1HKy3zKjnu3kC +PHLzwQFEO28TE5EsblnBdA8ozNIV887V7yw89MxPhpuXRn8BVAU1S9Dj7j3mNHLj 
+rVAgZmr/nx3oDt8VfOZpK8u3u1voZdC+cnTBdcG2gzM8Ya+h8C60Y8dFzykr8hr4 +b5gDeDI1OkQ2vOQHtnQPdscYKl0v1ntHq2wrFuCIol4WneKh3Jrvdb37cL971u4g +dpw0jTO/ykCvLlipxjJ/NrnXFb6TriZRgWZqiIwY2lKEfZDXqc/iOa2L0yBr21a5 +Ag0EX+7luwEQAM/CQdinTzIHaEJsCe42g6tt4dBC/UC4wD367rJcyJbEd+qaLJwS +CQUbg/wrEdRT+aROHVKLwrvXxtgJs0x15vvFTurkn1BnNMh7p8woYwip7PKrNn2+ +96Yg7Aqc3a3gkDQeF8Q7uipOH/5feJh6l7Iu718pvnDUw4UFZt/RUrdqseFXVwr/ +ffSalLx7gJhL3mYuU1qpJZxsonNwAS43eViagI0FHSqixB5kPgFcbBf3BIiisOCy +a1L9a+zSt1y1aEFC7m+9YlGJA3C0/X8s+dK0VWOrJlP/WmKUp3Epxpu6srsBItcT +YMuGA82/03YAJ+jpGMRb+X1Dq9vuOUxvDjG+G10Cgew2EjiAkXpVg/1NsCrQWRbs +KtFf5PXGfKCO0i8hEzwmJLd5OlNIIiup450iX4eS77Tey69hGyweLIC4YDPDwFpp +bkDdRG6nDvePbEHi5z1L41NaWNa0wEyh28OqrmD0FCcGukk24pBVemVEx0En4siQ +la6/1QXQlG/wTi7Yi71V/4oz7iZ4lSPWs0ACFGD9W5InlRykiRXC1cV27f+qMw9u +Y6UbgvN70cWflK5C7e2h/eAQfxj+seYFUjMnJTkXiZE85m63p1Yu2A1c9+jqJ0L3 +Lfn5YIQdtWdY3Qc1RIQYPVRl5NcgXIPV7TwjvnjowuHjWX0IQbhv61lNABEBAAGJ +BHIEGAEIACYWIQR+HJGsgDClpZ0e+rl1DzyHcj5AEgUCX+7luwIbAgUJA+tFgAJA +CRB1DzyHcj5AEsF0IAQZAQgAHRYhBOJesM8c6ASdR/HZpjPhDkoYOo5GBQJf7uW7 +AAoJEDPhDkoYOo5GhpcQALowCpZ8UowMWlQFfZ2ySJalnZM6S2RxCFiss4W9pGuu +9PKuN2wdXW3HGkBGDAuQgLwanSfhGSt/urT3+DT40OlDMzanRwEK0qiSaSs/xBtK +dNL7JmGbcWTXpNP3aHhfYhVOg7NJnsfZ8Ti3dfuv3ZrjcLvgdnZ/s6O9S3gU8DtH +fpnOfE3hxjUEHEw9hs9Otc6foCqMDZDvfU3emYduD5AvTiXYdeD/mZBD4OmF99II +XWNuQexAJ+xgOPdvXaYt0lBuXmfMcn/1hrU3RJqguwnPZ2cU5zo41/uSbdsFrTHK +yEOLTn0XYYk07mZGdscljzmXbpsbAC4Jp8CDBhUfdzfi1n3AOyblk1nywfionLlz +HDtfWQYCxp16N8S2MU7tA1w8rFNwVDVwmxIfgjLrjPAgvqSpCmLHTXNBfdLUYRAv +SpY9TR+U4YOOuEx2Niwnprdjm1qilN+fmPR3tWvVChlD3kHmSpi1+9ix+xizlBjN +eZ08Eq5rDBPsTpqJmoNS8pHE0EL3IVpcB1pZ5rd6UBSa7LoMLeWwWm7Ap5VZALfp +jMNws4SA2q5OTRY2or/+m1+cfDWIP+2XQV4YaNFMbO7XKr3vnUOxY9gyADqfRJiv +DljHiw5iLzbkaHs7dYJOPNMGMlRzZfkkxg6Patx44TQ2rO7LnyCgVdFZWDHNevgR +Z8AP/152xfh3qsOnT+R32Rt8CcwXmKFxLylgpjegcUmbutow9zdlX26qZ67cJ/3p +hNLZgAYKPrGecGA0BJ2UzsPEKKz8I/dAp96LpHo/24WqUamh1z2PRAgyJGC43zm0 +rA/KAlcht8bbI/VuZ5eAYXjH01QfPS7i7fFOryYYFqfH+BTp3ZEr/A7FkcOZXmNV 
+Gg4+oC2t6cJnzDsM0MUJ7dgNAHTLGx6RZZahdE3LJ8oVJ8Vek9KtjJbPr143EZLt +ymkiy93pzLUaKWfCZJCCI9nfJnNZnvoQXv0l3wnrQIFE14Fv0jbTALHRgRJlB4cZ +i3teEuf7shSDsd13JDdfmxMsxnfeVsIUPa+J0GBSbe14JHXlcd0t03cpbzO547Qb +rFpD98XO6Y7OefWD3pwDF2Izjnn4Cny/hpUIEO1A2j4qHhUkqmnFmBO6yIFic637 +CJnYe3uU7ss/TNIUKLhujqlcNl8WeOMVPbhnCuOhyQh2aioAKn1yiQ1EgNSIGIVD +LwqMt0kxI52/aDkZgCcEfBFC1c17IeUH+G0HMGm49/acFHkhX61S4efXhvzH5J0l +Dr+0qk4aVKNwqkUNp56GSMLhiiSYivX9Xa4qQGNlmrki1pC2DamlTXDLB67XQcRp +dAc+4nNTK4E/czrr0+wlkgz7pC1MAllCLilyTSPGnKIPlOd2uQINBF/u5d0BEADF ++6hDuKvzbmKWZNXjJK6Em/5nnzBOa155YQLN91zMs6COI4p+YuIVPPzVWZYR0yHs +gTWw45cMV+RYwuL/P+1Z84bgOyPloIVF9VQjOC+wB3Gn4qmTzobr6q+UfQVvUiUQ +8fGG11teWvYpWiG91uialjHZmrpAOQxjHRxHPpi0cZtTFEqinCIy6c942xbtZnzf +nzPpxkKl0a8s1eKZ0KlDK6Ab59nxAinilohXRg/U6sqypsyLl41L0qMZek5dEt4C +r3spdSkZgxqJpLTqQy/5VB4pcfEaIaank3sLxhpil/oQiq+38WA0VkICQyeiCsvf +eEKyt1C6COBNH+olegUxudTKDHFthyGMPRz3McI5jHxCyru0mfLJag2hHXzgGoaD +VkYIwkvyVsHWDqrZMMXcCIUVlpphxtHo1M32AATnWFe4K1nFdbejR9XC5xWOgwbT +zCblqporHzU0c8WBbfJ0Y10IDrHsa/F08PkFvVN48Ydik6rcwowSPxP+59Q9AKLh +Isd2hzfWU2zAbG5Ph1wecwlYR3tp/0i3uSTDXfuuaY+vrqpoECN6fnSg8NxiBbjU +JR0Ju6KDM2SeBUz5hp9BzL8+OPTogRZoinxBogrRAvdGLOnLG5hMjBezzF8UEvp6 +IMisGHBZgXoX4Juvf78RE8JOwHa+HUejj5kYiQW6TwARAQABiQRyBBgBCAAmFiEE +fhyRrIAwpaWdHvq5dQ88h3I+QBIFAl/u5d0CGwIFCQPrRYACQAkQdQ88h3I+QBLB +dCAEGQEIAB0WIQT2AU9wN9W7TuO6I3E56nu98JFFWwUCX+7l3QAKCRA56nu98JFF +W5whD/9Hu5cnJ0hnzqk3MQsdMXbTNLsv+KePV71kcMRat4hjw2Li/TUaC8xtA81d +O/1obmsuoDAgv82KlQ7DLDXjFk2q45lJdgZxAkN3dEoYakdTIEi11FvwbhV+qxZK +jTq3jFQho4i3GDLgrvBMG4B1TGMH0IPux9fmBGpxYKmp1GjhpgoMXp9bqzsV/mPZ +TxPlmIpeJEO2jeCWKhHHw6rzwGjF68G3HiJ0TqvjdCtcNrwd3GTDsdEJtUl49aqF +M7VfoqKjVdRO/YDL//+TJNOYz5EBGjIZxbhgZJ9Qz+geSBx9GJtDWdq193ofFi39 +oleTFnEMj+OeIr1Bc2pc8Z3HJttFknicJDkeze3mM0CZAkhVkLFy6DvAQkXrgvfp +AUYFACQW8E2XmRBiKd4huojWYz5QGSEIk2fYRVhse2HAUZ9gTODSX2L13nls+BEi +sArsmSFA/RQslDXW+Jl+P0e37BzN51uk2Dg4ylJUBgcpTRUn4Q8c1DgHDhkEVnBI +ny2H/MFuhImw9g5xqlBfCEKh5D8D0e4fX28MhSsBlOCeIKJoY85U3GNY0tlIwAt8 
+M7IIHe1n1qncPbAMmq0K48J1lfyTEbXpnSfArzEdbnosjBUaiQX5EwA656eZ6wb3 +Vq02UDei6KPuOosl4Voy+Ffq5MCkanVMA97/0wV3CeCvQYGbsvsUD/9fLYc3yH7A +0xksK7PImztDR8MLsUPoiv/vnfZ+WJJ+YJ0TKAHm1ZO3NqeZmD7XoWHKwh83zsK8 +x/JUASCBN16isC+Ym6IwF83/HXJfKNvvotkr2WG6Dv8Vg1Hhk2Iv5y3EMbFa9rfv +6vjxho+0sYrraJH8qQAM08IIOi7+afrkR/ikgA8V7ymqmdxtMMHZqG+h5R0VGTVw +QBxZ5/ZiY56Qn5UH2m0Tc2AHOcAQTvCEwyb19IPyhif+rek3npSvKtDc6WBJioyi +gvDhl+jgIfcIo77w6GthgbFc9k68Je56Peu2J30zWj76Z+Di1OJhAj1wFr4/XT5o +c1MB/Vfyx3hEPRDNz7dRaDqoVnYVdoI0blyCiSkD9I4/axb4X3xN2SK4XA/zv+Lb +1FbCM1XFL2aF+09tk+77EVdWsBmQpOArD0d54E1YulBGaxVm5QKfov23KiqHIFVF +8WYqJqNJwbJRZii7klczkVm3wFte3NWK7HW8kfF147lv0z3AiZYnk0O6Mj1ip3R8 +Qm5yiv57DbbgIMkSPWCpEtFGHIoK2msJ2bQcizh2WGxLos00RTx3IVAeSAS54+kr +rMBg50wNczcGHKPDUKLwkYczgHonUtljAkeXnTl69rifChI+KpjHNtF6dFgC1aSt +MOud6HhAcd0f3lmuPzCGGp4YOQx9tV139bkCDQRf7uX4ARAAxaybudQK4fMIzLiV +grIzthhb3/DK83PNohTNMemM2V2z1Ij5Dlu2XNDypMdR0rKM/QI3zWud1+vd2h/l +QZlg58FspvrY6I7hI+cbdRldVaAKDGQHo5Bi0a7BkonZvS/0wnNUPIhy/znzXtXR +f4L7ePZMofH/2shz4TZ1yNpU8zaomY6eNjSc51P4vVxtDQ4QofQeJEn8aO9a4whu +O0TVEAPKRYBRgjM8faDuUJtLfiC3OrhLg+B7JVSF3di4JITAyafPbZACLjV7Umxb +SUL3qTJZVpIuhF0xQOCE+WRx3Xs7lkPdHMqP2OaJ8Y4ymR08cSfIP2XFKsQFtoqT +VyMQgGgI6VXF8OfnCnGgx0Do1vJNoL0neFzVXpCPPzh1RbcrtndZWum/1R4egkYg +J8TPQH5X391J58Uwd5l9/ZDdoSeeQYdtTR4YQ8//ATFO3hoSRvES4U6ZwO8LM6di +ra6pqb6j0liT+DdcBwE4C1bGJMJ6d93S5SfH3llDIMJo7uJDbKILFMES9rg7S6I8 ++SW75TjKUk4Y7L8R8qwURqEyuOOGfaQXirqvji4PdcGDBiIk2Oq69Ky6lmlJgyIH +SZ7SO1JXk0yAJTXb+a6FJTLFxidkIZzu+LhLBn/MhAPjVyv3qCTQ7O0lu8Mfcqg5 +8hhJ6IE79PBHS3z8ok+mFK0iGrcAEQEAAYkEcgQYAQgAJhYhBH4ckayAMKWlnR76 +uXUPPIdyPkASBQJf7uX4AhsCBQkD60WAAkAJEHUPPIdyPkASwXQgBBkBCAAdFiEE +JFV3TUL9/mucOD64/hACvFlwgR8FAl/u5fgACgkQ/hACvFlwgR+LoRAAgtIgaKb4 +ZY8qoAFZeph+Syg+mMKfPJkBuGUedJl6IxbHBSg2mhnCjJ0bmdqxsAXgtcSUqmtZ +Yw9NyoGgiVjs+gu5sQp1Oxc2/keQXaVksTkoXwdnf+2iXyp1WPeeLGySHmzuwy9c +eExt+h0mVmBgFls2wNdFGPbVfiT3PvFkwqsnta6HebDTN4pMzvG1IIGV7L5KRo1E +dmkrt3lXQWmdgHl3JoNQ9v/Jgf4jo6gDw53YvJFKJcaOOAS3d4CzPWmcLzcy4mf0 
+9YI3DoQCbYL3cRNelUwzUF2L6QyPCwonXemLCmfkBgsSVqvW4fq8qbEHGF2fK7x3 +d7bZEsUiGCt/tXOkDkNJ31T/mC35nxZfcj8AMPixO+BnAeKeYC37LbQD76jrw526 +tUXsAF+QON5DPeot+e8bIx9qSbvdqpXDkK4lGcRTuS2OVC8J9XfDTch4wm3Kd4P4 +lDdRAJWnLfVay0m05LGlekWdEzcjP8KDaICH9rEs6f9e1gy6mTEBnBW//41BxELT +KxoTGlcX3yEhCmK36g5C/+d6b7Ji5arGGTCa96v/xG32KYc1zfn3TYkCx06pPUbz +iAl2l0MTpGeqz2hJMOGA3JuxwlksJKqnPYy0hHKdVW4Pnn25NeXcBp8wpkt8VZOR +bzjw/TJB7qvJHoRo1tat85Uij9rAXqTyO8Ea0hAAi/EfuiDDy3GV7bvjFSA1XEjL +d+F40g2X0QG/PHTScYB4rFJwV0GFUxLHr4g7iypAVI+BB4EYikx8gpee6B0g3J+r +aCFDDrRPDKdqrpZK53oYcBPkdSBbCr5MAa/M3DerKBEgoBVUbaSHWN7OH2ae+5R6 +X2ERmYZdW4PCj6lw7a+RhkAsgKo8RjonjV61ehQPZh20noI19Q80BYYSCfHHvzy5 +vwvByhmTMJNrl3PDpBy9/TwBR5DpnHfOPJX6bnl3pdu65F2TRM6yoFbfoUiEqrXV +4wC1I++N9VjrQvXSp0ik/XaMWq87wLIg+1owElJIzwyZWukQkZMAYtesVFz20YwC +7Nu8SNr/NTSCH1EqLsS4YhBTsjpc2T8AqUlgxKrilmLbrj64PXgMsQ9WYm5zwlC5 +UA5eky5YhETFJ25dIaplMm47aIbPSH5f9y5eYPkfOCoMu5oDzDzoXdH9V1YfsHqa +8bboSgTdariC23x38E9PaWQNyY2MFKL6cFt2ilIsMSSD6JAm1x8kBtn1bBopG588 +7mTDtlqHCw/QrTuLreJG9KJ1dQFJ/Q42+csH09l081wlv4BBuVlN1Xmj+c2sWn90 +l1BPZfYHd9jhggI96yTZhfTfFbSMSuGPQyqHnwDYdA3cNj5BYievBkO5FZaCe9SZ +4xcYgqlVpv15O7VrD+I= +=Uugw +-----END PGP PUBLIC KEY BLOCK----- diff --git a/config-18.tar.bz2 b/config-18.tar.bz2 deleted file mode 100644 index 249ee69b0bf7a58b3403593b2b828ffcbce46fdb..0000000000000000000000000000000000000000 Binary files a/config-18.tar.bz2 and /dev/null differ diff --git a/dnszone.schema b/dnszone.schema deleted file mode 100644 index cb72a3fd923962030c23bfd105e7f6a92fe1378f..0000000000000000000000000000000000000000 --- a/dnszone.schema +++ /dev/null 
@@ -1,148 +0,0 @@ -# A schema for storing DNS zones in LDAP -# -attributetype ( 1.3.6.1.4.1.2428.20.0.0 NAME 'dNSTTL' - DESC 'An integer denoting time to live' - EQUALITY integerMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) - -attributetype ( 1.3.6.1.4.1.2428.20.0.1 NAME 'dNSClass' - DESC 'The class of a resource record' - EQUALITY caseIgnoreIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - -attributetype ( 1.3.6.1.4.1.2428.20.0.2 NAME 'zoneName' - DESC 'The name of a zone, i.e. the name of the highest node in the zone' - EQUALITY caseIgnoreIA5Match - SUBSTR caseIgnoreIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - -attributetype ( 1.3.6.1.4.1.2428.20.0.3 NAME 'relativeDomainName' - DESC 'The starting labels of a domain name' - EQUALITY caseIgnoreIA5Match - SUBSTR caseIgnoreIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - -attributetype ( 1.3.6.1.4.1.2428.20.1.12 NAME 'pTRRecord' - DESC 'domain name pointer, RFC 1035' - EQUALITY caseIgnoreIA5Match - SUBSTR caseIgnoreIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - -attributetype ( 1.3.6.1.4.1.2428.20.1.13 NAME 'hInfoRecord' - DESC 'host information, RFC 1035' - EQUALITY caseIgnoreIA5Match - SUBSTR caseIgnoreIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - -attributetype ( 1.3.6.1.4.1.2428.20.1.14 NAME 'mInfoRecord' - DESC 'mailbox or mail list information, RFC 1035' - EQUALITY caseIgnoreIA5Match - SUBSTR caseIgnoreIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - -attributetype ( 1.3.6.1.4.1.2428.20.1.16 NAME 'tXTRecord' - DESC 'text string, RFC 1035' - EQUALITY caseIgnoreIA5Match - SUBSTR caseIgnoreIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - -attributetype ( 1.3.6.1.4.1.2428.20.1.18 NAME 'aFSDBRecord' - DESC 'for AFS Data Base location, RFC 1183' - EQUALITY caseIgnoreIA5Match - SUBSTR caseIgnoreIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - -attributetype ( 1.3.6.1.4.1.2428.20.1.24 NAME 'SigRecord' - DESC 
'Signature, RFC 2535' - EQUALITY caseIgnoreIA5Match - SUBSTR caseIgnoreIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - -attributetype ( 1.3.6.1.4.1.2428.20.1.25 NAME 'KeyRecord' - DESC 'Key, RFC 2535' - EQUALITY caseIgnoreIA5Match - SUBSTR caseIgnoreIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - -attributetype ( 1.3.6.1.4.1.2428.20.1.28 NAME 'aAAARecord' - DESC 'IPv6 address, RFC 1886' - EQUALITY caseIgnoreIA5Match - SUBSTR caseIgnoreIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - -attributetype ( 1.3.6.1.4.1.2428.20.1.29 NAME 'LocRecord' - DESC 'Location, RFC 1876' - EQUALITY caseIgnoreIA5Match - SUBSTR caseIgnoreIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - -attributetype ( 1.3.6.1.4.1.2428.20.1.30 NAME 'nXTRecord' - DESC 'non-existant, RFC 2535' - EQUALITY caseIgnoreIA5Match - SUBSTR caseIgnoreIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - -attributetype ( 1.3.6.1.4.1.2428.20.1.33 NAME 'sRVRecord' - DESC 'service location, RFC 2782' - EQUALITY caseIgnoreIA5Match - SUBSTR caseIgnoreIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - -attributetype ( 1.3.6.1.4.1.2428.20.1.35 NAME 'nAPTRRecord' - DESC 'Naming Authority Pointer, RFC 2915' - EQUALITY caseIgnoreIA5Match - SUBSTR caseIgnoreIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - -attributetype ( 1.3.6.1.4.1.2428.20.1.36 NAME 'kXRecord' - DESC 'Key Exchange Delegation, RFC 2230' - EQUALITY caseIgnoreIA5Match - SUBSTR caseIgnoreIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - -attributetype ( 1.3.6.1.4.1.2428.20.1.37 NAME 'certRecord' - DESC 'certificate, RFC 2538' - EQUALITY caseIgnoreIA5Match - SUBSTR caseIgnoreIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - -attributetype ( 1.3.6.1.4.1.2428.20.1.38 NAME 'a6Record' - DESC 'A6 Record Type, RFC 2874' - EQUALITY caseIgnoreIA5Match - SUBSTR caseIgnoreIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - -attributetype ( 
1.3.6.1.4.1.2428.20.1.39 NAME 'dNameRecord' - DESC 'Non-Terminal DNS Name Redirection, RFC 2672' - EQUALITY caseIgnoreIA5Match - SUBSTR caseIgnoreIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - -attributetype ( 1.3.6.1.4.1.2428.20.1.43 NAME 'dSRecord' - DESC 'Delegation Signer, RFC 3658' - EQUALITY caseIgnoreIA5Match - SUBSTR caseIgnoreIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - -attributetype ( 1.3.6.1.4.1.2428.20.1.46 NAME 'rRSIGRecord' - DESC 'RRSIG, RFC 3755' - EQUALITY caseIgnoreIA5Match - SUBSTR caseIgnoreIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - -attributetype ( 1.3.6.1.4.1.2428.20.1.47 NAME 'nSECRecord' - DESC 'NSEC, RFC 3755' - EQUALITY caseIgnoreIA5Match - SUBSTR caseIgnoreIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - -objectclass ( 1.3.6.1.4.1.2428.20.3 NAME 'dNSZone' - SUP top STRUCTURAL - MUST ( zoneName $ relativeDomainName ) - MAY ( DNSTTL $ DNSClass $ - ARecord $ MDRecord $ MXRecord $ NSRecord $ - SOARecord $ CNAMERecord $ PTRRecord $ HINFORecord $ - MINFORecord $ TXTRecord $ SIGRecord $ KEYRecord $ - AAAARecord $ LOCRecord $ NXTRecord $ SRVRecord $ - NAPTRRecord $ KXRecord $ CERTRecord $ A6Record $ - DNAMERecord ) ) diff --git a/feature-bind99-euler-range-port.patch b/feature-bind99-euler-range-port.patch deleted file mode 100644 index 19f8e87c5055d29752c23be2cbe280a5d454bf59..0000000000000000000000000000000000000000 --- a/feature-bind99-euler-range-port.patch +++ /dev/null 
@@ -1,282 +0,0 @@ -diff --git a/lib/dns/dispatch.c b/lib/dns/dispatch.c -index c93651d..d03ef2d 100644 ---- a/lib/dns/dispatch.c -+++ b/lib/dns/dispatch.c -@@ -49,6 +49,7 @@ - #include - #include - -+const char *conffile = "/etc/dns_port.conf"; - typedef ISC_LIST(dns_dispentry_t) dns_displist_t; - - typedef struct dispsocket dispsocket_t; -@@ -1933,6 +1934,168 @@ open_socket(isc_socketmgr_t *mgr, isc_sockaddr_t *local, - return (ISC_R_SUCCESS); - } - -+static int convert_num(char *str) -+{ -+ int negative = 0; -+ int tval; -+ int val = 0; -+ int base = 10; -+ char *ptr = str; -+ if (str == NULL) -+ return -ISC_R_FAILURE; -+ -+ if (*ptr == '-') { -+ negative = 1; -+ ++ptr; -+ } -+ -+ do { -+ tval = *ptr++; -+ /* XXX assumes ASCII... */ -+ if (tval >= '0') -+ tval -= '0'; -+ else { -+ syslog (LOG_ERR, "Bogus number: %s.", str); -+ return -ISC_R_BADNUMBER; -+ } -+ if (tval >= base) { -+ syslog (LOG_ERR, "Bogus number: %s.", str); -+ return -ISC_R_BADNUMBER; -+ } -+ val = val * base + tval; -+ } while (*ptr); -+ -+ if (negative) -+ val = -val; -+ return val; -+} -+ -+static int str_token(char *str, int *digit, unsigned int len, const char *semi) -+{ -+ int num = 0; -+ char *p; -+ p = strtok(str, semi); -+ while (p !=NULL) { -+ if (num >= len-1) { -+ digit[num] = '\0'; -+ break; -+ } -+ /* convert string to integer */ -+ digit[num] = convert_num(p); -+ if (digit[num] < 0) -+ return -ISC_R_BADNUMBER; -+ -+ p = strtok(NULL, semi); -+ num++; -+ } -+ -+ return num; -+} -+ -+static int parse_port_config(const char *buffer, const char *sub_buf, int *ports, unsigned int len, const char *semi) -+{ -+ char *str; -+ char string[256] = {0}; -+ int start, end; -+ int ret = -ISC_R_DISABLED; -+ -+ if (str = strstr(buffer, sub_buf)) { -+ start = strlen(sub_buf); -+ end = strlen(str); -+ strncpy(string, str + start, end - start -1); -+ /* string segmentation with semi character */ -+ ret = str_token(string, ports, len, semi); -+ if (ret < 0) -+ return -ISC_R_BADNUMBER; -+ } -+ -+ 
return ret; -+} -+ -+static isc_result_t -+parse_config(const char *file, in_port_t *port_lo, in_port_t *port_hi, in_port_t *no_use_ports) -+{ -+ FILE *fp; -+ char *str = NULL; -+ char buffer[256] = {0}; -+ int ports[8] = {0}; -+ int unports[17] = {0}; -+ int i = 0; -+ int ret; -+ -+ fp = fopen(file, "r"); -+ if (fp) { -+ while (fgets(buffer, 256, fp)) { -+ const char *buffer_s = buffer; -+ str = buffer; -+ /* skip the comment line */ -+ while (isspace(*str)) -+ str++; -+ if (strncmp(str, "#", 1) == 0) -+ continue; -+ /* get default set of dispatch ports */ -+ ret = parse_port_config(buffer_s, "dns-range-port", ports, 8, " "); -+ if (ret == 2) { -+ *port_lo = (in_port_t)ports[0]; -+ *port_hi = (in_port_t)ports[1]; -+ if (*port_lo < 1024 || *port_hi > 65535 || *port_lo > *port_hi) { -+ syslog(LOG_ERR, -+ "Unexpected ports contents in %s file.", file); -+ fclose(fp); -+ fp = NULL; -+ return ISC_R_INVALIDFILE; -+ } -+ } else if (ret != -ISC_R_DISABLED){ -+ syslog(LOG_ERR, -+ "Unexpected ports contents in %s file.", file); -+ fclose(fp); -+ fp = NULL; -+ return ISC_R_INVALIDFILE; -+ } -+ /* get excluded ports */ -+ ret = parse_port_config(buffer_s, "dns-excluded-ports", unports, 17, " "); -+ if (ret > 0) { -+ while (unports[i] != '\0') { -+ no_use_ports[i] = (in_port_t)unports[i]; -+ i++; -+ } -+ } else if (ret != -ISC_R_DISABLED) { -+ syslog(LOG_ERR, -+ "Unexpected ports contents in %s file.", file); -+ fclose(fp); -+ fp = NULL; -+ return ISC_R_INVALIDFILE; -+ } -+ } -+ -+ fclose(fp); -+ fp = NULL; -+ return ISC_R_SUCCESS; -+ } -+ -+ syslog(LOG_ERR, -+ "Open %s fail, return.\n", file); -+ return ISC_R_FILENOTFOUND; -+} -+ -+/*% -+ * Create a temporary port list to set the initial default set of dispatch -+ * ports and excluded ports. This is almost meaningless as the application will -+ * normally set the ports explicitly, but is provided to fill some minor corner -+ * cases. 
-+ */ -+static isc_result_t -+create_portset_by_range(isc_mem_t *mctx, isc_portset_t **portsetp, in_port_t port_lo, in_port_t port_hi, in_port_t *no_use_ports) { -+ isc_result_t result; -+ -+ result = isc_portset_create(mctx, portsetp); -+ if (result != ISC_R_SUCCESS) -+ return (result); -+ isc_portset_addrange_by_range(*portsetp, port_lo, port_hi, no_use_ports); -+ -+ return (ISC_R_SUCCESS); -+} -+ - /*% - * Create a temporary port list to set the initial default set of dispatch - * ports: [1024, 65535]. This is almost meaningless as the application will -@@ -1963,6 +2125,9 @@ dns_dispatchmgr_create(isc_mem_t *mctx, isc_entropy_t *entropy, - isc_result_t result; - isc_portset_t *v4portset = NULL; - isc_portset_t *v6portset = NULL; -+ in_port_t port_lo = 1024; -+ in_port_t port_hi = 65535; -+ in_port_t no_use_ports[17] = {0}; - - REQUIRE(mctx != NULL); - REQUIRE(mgrp != NULL && *mgrp == NULL); -@@ -2063,14 +2228,23 @@ dns_dispatchmgr_create(isc_mem_t *mctx, isc_entropy_t *entropy, - mgr->nv6ports = 0; - mgr->magic = DNS_DISPATCHMGR_MAGIC; - -- result = create_default_portset(mctx, &v4portset); -+ /* parse port list file, get default set of dispatch ports and excluded ports */ -+ result = parse_config(conffile, &port_lo, &port_hi, no_use_ports); - if (result == ISC_R_SUCCESS) { -- result = create_default_portset(mctx, &v6portset); -- if (result == ISC_R_SUCCESS) { -- result = dns_dispatchmgr_setavailports(mgr, -- v4portset, -- v6portset); -- } -+ create_portset_by_range(mctx, &v4portset, port_lo, port_hi, no_use_ports); -+ if (result == ISC_R_SUCCESS) -+ result = create_portset_by_range(mctx, &v6portset, port_lo, port_hi, no_use_ports); -+ } -+ else { -+ result = create_default_portset(mctx, &v4portset); -+ if (result == ISC_R_SUCCESS) -+ result = create_default_portset(mctx, &v6portset); -+ } -+ -+ if (result == ISC_R_SUCCESS) { -+ result = dns_dispatchmgr_setavailports(mgr, -+ v4portset, -+ v6portset); - } - if (v4portset != NULL) - isc_portset_destroy(mctx, 
&v4portset); -diff --git a/lib/isc/include/isc/portset.h b/lib/isc/include/isc/portset.h -index 774d6bb..cfd0bcb 100644 ---- a/lib/isc/include/isc/portset.h -+++ b/lib/isc/include/isc/portset.h -@@ -125,6 +125,19 @@ isc_portset_addrange(isc_portset_t *portset, in_port_t port_lo, - */ - - void -+isc_portset_addrange_by_range(isc_portset_t *portset, in_port_t port_lo, -+ in_port_t port_hi, in_port_t *no_use_ports); -+/*%< -+ * Add a subset of [port_lo, port_hi] (inclusive) and no_use_ports(exclusive) to the portset. Ports in the -+ * subset may or may not be stored in portset. -+ * -+ * Requires: -+ *\li 'portlist' to be valid. -+ *\li port_lo <= port_hi -+ *\li no_use_ports > 0 -+ */ -+ -+void - isc_portset_removerange(isc_portset_t *portset, in_port_t port_lo, - in_port_t port_hi); - /*%< -diff --git a/lib/isc/portset.c b/lib/isc/portset.c -index 471ca8e..0ebd79f 100644 ---- a/lib/isc/portset.c -+++ b/lib/isc/portset.c -@@ -128,6 +128,31 @@ isc_portset_addrange(isc_portset_t *portset, in_port_t port_lo, - } - - void -+isc_portset_addrange_by_range(isc_portset_t *portset, in_port_t port_lo, -+ in_port_t port_hi, in_port_t *no_use_ports) -+{ -+ in_port_t p; -+ int i, flag; -+ REQUIRE(portset != NULL); -+ REQUIRE(port_lo <= port_hi); -+ -+ p = port_lo; -+ do { -+ i = 0; -+ flag = 0; -+ while (no_use_ports[i] != '\0') { -+ if (no_use_ports[i] == p) { -+ flag = 1; -+ break; -+ } -+ i++; -+ } -+ if (flag == 0) -+ portset_add(portset, p); -+ } while (p++ < port_hi); -+} -+ -+void - isc_portset_removerange(isc_portset_t *portset, in_port_t port_lo, - in_port_t port_hi) - { diff --git a/generate-rndc-key.sh b/generate-rndc-key.sh old mode 100644 new mode 100755 index dde7f7098e0b00c3b76cda45516f0cbc23f8382b..956bb8e4eaaadabcf5db36eb5ecdf307944dd90d --- a/generate-rndc-key.sh +++ b/generate-rndc-key.sh 
@@ -1,12 +1,23 @@ #!/bin/bash -. /etc/rc.d/init.d/functions +if [ -r /etc/rc.d/init.d/functions ]; then + . /etc/rc.d/init.d/functions +else +success() { + echo $" OK " +} + +failure() { + echo -n " " + echo $"FAILED" +} +fi # This script generates /etc/rndc.key if doesn't exist AND if there is no rndc.conf if [ ! -s /etc/rndc.key -a ! -s /etc/rndc.conf ]; then echo -n $"Generating /etc/rndc.key:" - if /usr/sbin/rndc-confgen -a -A hmac-sha256 -r /dev/urandom > /dev/null 2>&1 + if /usr/sbin/rndc-confgen -a -A hmac-sha256 > /dev/null 2>&1 then chmod 640 /etc/rndc.key chown root:named /etc/rndc.key @@ -14,7 +25,9 @@ if [ ! -s /etc/rndc.key -a ! -s /etc/rndc.conf ]; then success $"/etc/rndc.key generation" echo else + rc=$? failure $"/etc/rndc.key generation" echo + exit $rc fi fi diff --git a/ldap2zone.1 b/ldap2zone.1 deleted file mode 100644 index a48c69f60a9f2762b09136628605d1385240febb..0000000000000000000000000000000000000000 --- a/ldap2zone.1 +++ /dev/null 
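Review bot: The new `exit $rc` makes a failed rndc-confgen fatal, but the success path still runs `chmod 640 /etc/rndc.key` and `chown root:named /etc/rndc.key` (context lines of the first hunk) unchecked, so a key file whose mode or ownership is not what the script intends is still reported as success with exit status 0; a guard such as `chmod 640 /etc/rndc.key && chown root:named /etc/rndc.key || { failure $"/etc/rndc.key generation"; echo; exit 1; }` would close that gap. `rc=$?` captures rndc-confgen's status only because it is the first statement of the `else` branch; a comment like `# $? still holds rndc-confgen's status -- keep this the first line of the branch` would protect it from later edits, or the status could be captured explicitly right after the command instead of inside the branch. The enclosing `if ... then ... else ... fi` spans both hunks and the unshown line between them.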
@@ -1,41 +0,0 @@ -.\" Copyright (C) 2004, 2005 Stig Venaas -.\" -.\" Permission to use, copy, modify, and distribute this software for any -.\" purpose with or without fee is hereby granted, provided that the above -.\" copyright notice and this permission notice appear in all copies. -.\" Manpage written by Jan Gorig -.TH ldap2zone 1 "15 March 2010" "BIND9" -.SH NAME -ldap2zone - Creates zone file from LDAP dnszone information -.SH SYNOPSIS -.B ldap2zone zone-name LDAP-URL default-ttl [serial] -.SH DESCRIPTION -ldap2zone is a tool that reads info for a zone from LDAP and constructs a standard plain ascii zone file that is written to the standard output. The LDAP information has to be stored using the dnszone schema. The schema is used by BIND with LDAP back-end. - -\fBzone-name\fR -.RS 4 -Name of the zone, eg "mydomain.net." -.RE -.PP -\fBLDAP-URL\fR -.RS 4 -LDAP URL to dnszone information -.RE -.PP -\fBdefault-ttl\fR -.RS 4 -Default TTL value to be used in zone -.RE -.PP -\fBserial\fR -.RS 4 -(optional) Program checks this number to be different than SOA serial number. -.RE - -.SH "EXIT STATUS" -Exits with 0 on success or 1 on failure. -.SH "SEE ALSO" -named(8) ldap(3) -http://www.venaas.no/dns/ldap2zone/ -.SH "COPYRIGHT" -Copyright (C) 2004, 2005 Stig Venaas diff --git a/makefile-replace-libs.py b/makefile-replace-libs.py new file mode 100755 index 0000000000000000000000000000000000000000..86689a4009ed7b111f798035fe3f331afb8157fd --- /dev/null +++ b/makefile-replace-libs.py 
@@ -0,0 +1,127 @@ +#!/usr/bin/python3 + +import re +import argparse + +""" +Script for replacing Makefile ISC_INCLUDES with runtime flags. + +Should translate part of Makefile to use isc-config.sh instead static linked sources. +ISC_INCLUDES = -I/home/pemensik/rhel/bind/bind-9.11.12/build/lib/isc/include \ + -I${top_srcdir}/lib/isc \ + -I${top_srcdir}/lib/isc/include \ + -I${top_srcdir}/lib/isc/unix/include \ + -I${top_srcdir}/lib/isc/pthreads/include \ + -I${top_srcdir}/lib/isc/x86_32/include + +Should be translated to: +ISC_INCLUDES = $(shell isc-config.sh --cflags isc) +""" + +def isc_config(mode, lib): + if mode: + return '$(shell isc-config.sh {mode} {lib})'.format(mode=mode, lib=lib) + else: + return '' + +def check_match(match, debug=False): + """ + Check this definition is handled by internal library + """ + if not match: + return False + lib = match.group(2).lower() + ok = not lib_filter or lib in lib_filter + if debug: + print('{status} {lib}: {text}'.format(status=ok, lib=lib, text=match.group(1))) + return ok + +def fix_line(match, mode): + lib = match.group(2).lower() + return match.group(1)+isc_config(mode, lib)+"\n" + +def fix_file_lines(path, debug=False): + """ + Opens file and scans fixes selected parameters + + Returns list of lines if something should be changed, + None if no action is required + """ + fixed = [] + changed = False + with open(path, 'r') as fin: + fout = None + + line = next(fin, None) + while line: + appended = False + while line.endswith("\\\n"): + line += next(fin, None) + + inc = re_includes.match(line) + deplibs = re_deplibs.match(line) + libs = re_libs.match(line) + newline = None + if check_match(inc, debug=debug): + newline = fix_line(inc, '--cflags') + elif check_match(deplibs, debug=debug): + newline = fix_line(libs, None) + elif check_match(libs, debug=debug): + newline = fix_line(libs, '--libs') + + if newline and line != newline: + changed = True + line = newline + + fixed.append(line) + line = next(fin, None) + + if 
not changed: + return None + else: + return fixed + +def write_lines(path, lines): + fout = open(path, 'w') + for line in lines: + fout.write(line) + fout.close() + +def print_lines(lines): + for line in lines: + print(line, end='') + +if __name__ == '__main__': + parser = argparse.ArgumentParser(description='Makefile multiline include replacer') + parser.add_argument('files', nargs='+') + parser.add_argument('--filter', type=str, + default='isc isccc isccfg dns lwres bind9 irs', + help='List of libraries supported by isc-config.sh') + parser.add_argument('--check', action='store_true', + help='Test file only') + parser.add_argument('--print', action='store_true', + help='Print changed file only') + parser.add_argument('--debug', action='store_true', + help='Enable debug outputs') + + args = parser.parse_args() + lib_filter = None + + re_includes = re.compile(r'^\s*((\w+)_INCLUDES\s+=\s*).*') + re_deplibs = re.compile(r'^\s*((\w+)DEPLIBS\s*=).*') + re_libs = re.compile(r'^\s*((\w+)LIBS\s*=).*') + + if args.filter: + lib_filter = set(args.filter.split(' ')) + pass + + for path in args.files: + lines = fix_file_lines(path, debug=args.debug) + if lines: + if args.print: + print_lines(lines) + elif not args.check: + write_lines(path, lines) + print('File {path} was fixed'.format(path=path)) + else: + print('File {path} does not need fixing'.format(path=path)) diff --git a/named-chroot.files b/named-chroot.files index b38cbe68dd5cae77fb0326cc2c5226fb35b4c811..9a768e4b7705afb6a911fbe69160ad849090ec43 100644 --- a/named-chroot.files +++ b/named-chroot.files @@ -16,6 +16,9 @@ /etc/named /usr/lib64/bind /usr/lib/bind +/usr/lib64/named +/usr/lib/named +/usr/share/GeoIP /run/named # Warning: the order is important # If a directory containing $ROOTDIR is listed here, diff --git a/named-chroot.service b/named-chroot.service index 5732b1c6fc2eaf50130afeb5fc1f5355ba3529c6..a49df15c58fe7072ab2cccc83292439922536139 100644 --- a/named-chroot.service +++ b/named-chroot.service 
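Review bot: In `fix_file_lines`, the DEPLIBS branch calls `fix_line(libs, None)` with the match object of the wrong pattern; `libs` is `None` whenever a line matches `re_deplibs` but not `re_libs`, so `match.group(2)` inside `fix_line` raises AttributeError on exactly the lines this branch exists for. It should read `newline = fix_line(deplibs, None)`. Two smaller points in the same hunk: the continuation loop `line += next(fin, None)` raises TypeError when the file ends with a backslash-newline, and `write_lines` opens the output without a `with` block, so an exception mid-write leaves the handle open and the Makefile half-rewritten. `check_match` and `fix_file_lines` also read `lib_filter` and the `re_*` patterns that are only assigned under `if __name__ == '__main__'`, which keeps the module from being imported for testing; passing them as parameters would remove that coupling.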
@@ -20,7 +20,7 @@ PIDFile=/var/named/chroot/run/named/named.pid ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi' ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} -t /var/named/chroot $OPTIONS -ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID' +ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi' ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID' diff --git a/named-pkcs11.service b/named-pkcs11.service index c1a19d1aaa2e1451e13e71ca7f42ebe604baf6a4..27e06935caf9dcb80b41b4e36635de1931bd09bc 100644 --- a/named-pkcs11.service +++ b/named-pkcs11.service @@ -16,7 +16,7 @@ PIDFile=/run/named/named.pid ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi' ExecStart=/usr/sbin/named-pkcs11 -u named -c ${NAMEDCONF} $OPTIONS -ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID' +ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi' ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID' diff --git a/named-sdb-chroot-setup.service b/named-sdb-chroot-setup.service deleted file mode 100644 index 5a3e173c60476af8e495879c47eeec31aa0d3d92..0000000000000000000000000000000000000000 --- a/named-sdb-chroot-setup.service +++ /dev/null 
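Review bot: The rewritten ExecReload no longer falls back to `kill -HUP` when `rndc null` succeeds but `rndc reload` itself fails, so a reload that previously degraded to SIGHUP now makes `systemctl reload` fail with rndc's exit status. That is arguably the better behaviour, since a configuration error now surfaces instead of being masked by the signal path, but it is a semantic change rather than just a connectivity probe and should be stated in the commit message. The same change is made in named-pkcs11.service on this line and in named.service further down the page. Note also that `rndc null` output is discarded while `rndc reload` output now reaches the journal, which is what makes a failed reload diagnosable.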
@@ -1,12 +0,0 @@
-[Unit]
-Description=Set-up/destroy chroot environment for named-sdb
-BindsTo=named-sdb-chroot.service
-Wants=named-setup-rndc.service
-After=named-setup-rndc.service
-
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-ExecStart=/usr/libexec/setup-named-chroot.sh /var/named/chroot_sdb on /etc/named-chroot.files
-ExecStop=/usr/libexec/setup-named-chroot.sh /var/named/chroot_sdb off /etc/named-chroot.files
diff --git a/named-sdb-chroot.service b/named-sdb-chroot.service
deleted file mode 100644
index 5294f4767195c8dd864eac2be131931aa169b1db..0000000000000000000000000000000000000000
--- a/named-sdb-chroot.service
+++ /dev/null
@@ -1,30 +0,0 @@
-# Don't forget to add "$AddUnixListenSocket /var/named/chroot_sdb/dev/log"
-# line to your /etc/rsyslog.conf file. Otherwise your logging becomes
-# broken when rsyslogd daemon is restarted (due update, for example).
-
-[Unit]
-Description=Berkeley Internet Name Domain (DNS)
-Wants=nss-lookup.target
-Requires=named-sdb-chroot-setup.service
-Before=nss-lookup.target
-After=named-sdb-chroot-setup.service
-After=network.target
-
-[Service]
-Type=forking
-Environment=NAMEDCONF=/etc/named.conf
-EnvironmentFile=-/etc/sysconfig/named
-Environment=KRB5_KTNAME=/etc/named.keytab
-PIDFile=/var/named/chroot_sdb/run/named/named.pid
-
-ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot_sdb -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
-ExecStart=/usr/sbin/named-sdb -u named -c ${NAMEDCONF} -t /var/named/chroot_sdb $OPTIONS
-
-ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'
-
-ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
-
-PrivateTmp=false
-
-[Install]
-WantedBy=multi-user.target
diff --git a/named-sdb.8 b/named-sdb.8
deleted file mode 100644
index 1e456c31aeebfba999fd97b6586a24292c35dd45..0000000000000000000000000000000000000000
--- a/named-sdb.8 +++ /dev/null @@ -1 +0,0 @@ -.so man8/named.8.gz \ No newline at end of file diff --git a/named-sdb.service b/named-sdb.service deleted file mode 100644 index b80ec172927514b453b41877f3f1c4a7bb47a47c..0000000000000000000000000000000000000000 --- a/named-sdb.service +++ /dev/null @@ -1,26 +0,0 @@ -[Unit] -Description=Berkeley Internet Name Domain (DNS) -Wants=nss-lookup.target -Wants=named-setup-rndc.service -Before=nss-lookup.target -After=named-setup-rndc.service -After=network.target - -[Service] -Type=forking -Environment=NAMEDCONF=/etc/named.conf -EnvironmentFile=-/etc/sysconfig/named -Environment=KRB5_KTNAME=/etc/named.keytab -PIDFile=/run/named/named.pid - -ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi' -ExecStart=/usr/sbin/named-sdb -u named -c ${NAMEDCONF} $OPTIONS - -ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID' - -ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID' - -PrivateTmp=true - -[Install] -WantedBy=multi-user.target diff --git a/named.conf b/named.conf index 1dc9d1590736f3c3415a802a7c4bf1b616801833..d62d3890cedc5b72cdcd0f6a9f981b8902a28ba8 100644 --- a/named.conf +++ b/named.conf @@ -30,7 +30,6 @@ options { */ recursion yes; - dnssec-enable yes; dnssec-validation yes; managed-keys-directory "/var/named/dynamic"; @@ -38,7 +37,6 @@ options { pid-file "/run/named/named.pid"; session-keyfile "/run/named/session.key"; - /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */ include "/etc/crypto-policies/back-ends/bind.config"; }; diff --git a/named.conf.sample b/named.conf.sample index a6cdc5efe6297e12685a0d280fd22770792a8546..a49004ec850cae45c50f328a670d49d3d7cb401c 100644 --- a/named.conf.sample +++ b/named.conf.sample 
@@ -63,10 +63,6 @@ options /* DNSSEC related options. See information about keys ("Trusted keys", bellow) */ - /* Enable serving of DNSSEC related data - enable on both authoritative - and recursive servers DNSSEC aware servers */ - dnssec-enable yes; - /* Enable DNSSEC validation on recursive servers */ dnssec-validation yes; @@ -77,9 +73,7 @@ options managed-keys-directory "/var/named/dynamic"; - /* In Fedora we use system-wide Crypto Policy */ - /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */ - include "/etc/crypto-policies/back-ends/bind.config"; + include "/etc/crypto-policies/back-ends/bind.config"; }; logging @@ -182,8 +176,8 @@ view "internal" key ddns_key { - algorithm hmac-md5; - secret "use /usr/sbin/dnssec-keygen to generate TSIG keys"; + algorithm hmac-sha256; + secret "use /usr/sbin/ddns-confgen to generate TSIG keys"; }; view "external" 
@@ -214,39 +208,34 @@ view "external" /* Trusted keys This statement contains DNSSEC keys. If you want DNSSEC aware resolver you - have to configure at least one trusted key. + should configure at least one trusted key. Note that no key written below is valid. Especially root key because root zone is not signed yet. */ /* -trusted-keys { +trust-anchors { // Root Key -"." 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwSJxrGkxJWoZu6I7PzJu/ - E9gx4UC1zGAHlXKdE4zYIpRhaBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3 - zy2Xy4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYghf+6fElrmLkdaz - MQ2OCnACR817DF4BBa7UR/beDHyp5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M - /lUUVRbkeg1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq66gKodQj+M - iA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ97S+LKUTpQcq27R7AT3/V5hRQxScI - Nqwcz4jYqZD2fQdgxbcDTClU0CRBdiieyLMNzXG3"; +. initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 + +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv + ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF + 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e + oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd + RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN + R1AkUTV74bU="; // Key for forward zone -example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM65KbhTjrW1ZaARmPhEZZe - 3Y9ifgEuq7vZ/zGZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb4JKUbb - OTcM8pwXlj0EiX3oDFVmjHO444gLkBO UKUf/mC7HvfwYH/Be22GnC - lrinKJp1Og4ywzO9WglMk7jbfW33gUKvirTHr25GL7STQUzBb5Usxt - 8lgnyTUHs1t3JwCY5hKZ6CqFxmAVZP20igTixin/1LcrgX/KMEGd/b - iuvF4qJCyduieHukuY3H4XMAcR+xia2 nIUPvm/oyWR8BW/hWdzOvn - SCThlHf3xiYleDbt/o1OTQ09A0="; +example.com. 
static-key 257 3 8 "AwEAAZ0aqu1rJ6orJynrRfNpPmayJZoAx9Ic2/Rl9VQW + LMHyjxxem3VUSoNUIFXERQbj0A9Ogp0zDM9YIccKLRd6 + LmWiDCt7UJQxVdD+heb5Ec4qlqGmyX9MDabkvX2NvMws + UecbYBq8oXeTT9LRmCUt9KUt/WOi6DKECxoG/bWTykrX + yBR8elD+SQY43OAVjlWrVltHxgp4/rhBCvRbmdflunaP + Igu27eE2U4myDSLT8a4A0rB5uHG4PkOa9dIRs9y00M2m + Wf4lyPee7vi5few2dbayHXmieGcaAHrx76NGAABeY393 + xjlmDNcUkF1gpNWUla4fWZbbaYQzA93mLdrng+M="; + // Key for reverse zone. -2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwcxOdNax071L18QqZnQQQA - VVr+iLhGTnNGp3HoWQLUIzKrJVZ3zggy3WwNT6kZo6c0 - tszYqbtvchmgQC8CzKojM/W16i6MG/ea fGU3siaOdS0 - yOI6BgPsw+YZdzlYMaIJGf4M4dyoKIhzdZyQ2bYQrjyQ - 4LB0lC7aOnsMyYKHHYeRv PxjIQXmdqgOJGq+vsevG06 - zW+1xgYJh9rCIfnm1GX/KMgxLPG2vXTD/RnLX+D3T3UL - 7HJYHJhAZD5L59VvjSPsZJHeDCUyWYrvPZesZDIRvhDD - 52SKvbheeTJUm6EhkzytNN2SN96QRk8j/iI8ib"; +2.0.192.IN-ADDRPA.NET. initial-ds 31406 8 2 "F78CF3344F72137235098ECBBD08947C2C9001C7F6A085A17F518B5D8F6B916D"; }; */ diff --git a/named.empty b/named.empty new file mode 100644 index 0000000000000000000000000000000000000000..8e271e7e2a94ed03c338bc37b83dd8d27550b6b0 --- /dev/null +++ b/named.empty @@ -0,0 +1,10 @@ +$TTL 3H +@ IN SOA @ rname.invalid. ( + 0 ; serial + 1D ; refresh + 1H ; retry + 1W ; expire + 3H ) ; minimum + NS @ + A 127.0.0.1 + AAAA ::1 diff --git a/named.localhost b/named.localhost new file mode 100644 index 0000000000000000000000000000000000000000..6fe6a5258a5f54bd0a134389c0b9b5ee402d9a94 --- /dev/null +++ b/named.localhost @@ -0,0 +1,10 @@ +$TTL 1D +@ IN SOA @ rname.invalid. ( + 0 ; serial + 1D ; refresh + 1H ; retry + 1W ; expire + 3H ) ; minimum + NS @ + A 127.0.0.1 + AAAA ::1 diff --git a/named.loopback b/named.loopback new file mode 100644 index 0000000000000000000000000000000000000000..7f3d862793a9485f95368cbfaf6d5a28eb719203 --- /dev/null +++ b/named.loopback @@ -0,0 +1,11 @@ +$TTL 1D +@ IN SOA @ rname.invalid. ( + 0 ; serial + 1D ; refresh + 1H ; retry + 1W ; expire + 3H ) ; minimum + NS @ + A 127.0.0.1 + AAAA ::1 + PTR localhost. 
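Review bot: The context comment just above the rewritten block still says `Note that no key written below is valid. Especially root key because root zone is not signed yet.`, but the new `. initial-key 257 3 8 "AwEAAaz/..."` entry is byte-for-byte the root DNSKEY that trusted-key.key on this page keeps, so the sample now contradicts its own explanation. Since the hunk already rewrites this region, the comment should say that the root entry is real but that `dnssec-validation auto` (or the `initial-ds 20326 8 2` form used by named.root.key in this same commit) is the supported way to trust the root, while the example.com and reverse-zone entries remain illustrative. A one-line remark that `static-key` opts example.com out of RFC 5011 rollover, unlike the `initial-key`/`initial-ds` entries beside it, would make that difference look intentional rather than accidental. The whole block sits inside a `/* ... */` comment, so none of it is loaded by named as shipped. The hunk starts on the previous line of this page.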
diff --git a/named.rfc1912.zones b/named.rfc1912.zones
new file mode 100644
index 0000000000000000000000000000000000000000..fa8caf58544eb06f96641a74456488b5dc0d4e7f
--- /dev/null
+++ b/named.rfc1912.zones
@@ -0,0 +1,45 @@
+// named.rfc1912.zones:
+//
+// Provided by Red Hat caching-nameserver package
+//
+// ISC BIND named zone configuration for zones recommended by
+// RFC 1912 section 4.1 : localhost TLDs and address zones
+// and https://tools.ietf.org/html/rfc6303
+// (c)2007 R W Franks
+//
+// See /usr/share/doc/bind*/sample/ for example named configuration files.
+//
+// Note: empty-zones-enable yes; option is default.
+// If private ranges should be forwarded, add
+// disable-empty-zone "."; into options
+//
+
+zone "localhost.localdomain" IN {
+ type master;
+ file "named.localhost";
+ allow-update { none; };
+};
+
+zone "localhost" IN {
+ type master;
+ file "named.localhost";
+ allow-update { none; };
+};
+
+zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
+ type master;
+ file "named.loopback";
+ allow-update { none; };
+};
+
+zone "1.0.0.127.in-addr.arpa" IN {
+ type master;
+ file "named.loopback";
+ allow-update { none; };
+};
+
+zone "0.in-addr.arpa" IN {
+ type master;
+ file "named.empty";
+ allow-update { none; };
+};
diff --git a/named.root b/named.root
new file mode 100644
index 0000000000000000000000000000000000000000..532d4ff82d011640092f69076eed290ed03a1077
--- /dev/null
+++ b/named.root
@@ -0,0 +1,61 @@ + +; <<>> DiG 9.11.3-RedHat-9.11.3-3.fc27 <<>> +bufsize=1200 +norec @a.root-servers.net +; (2 servers found) +;; global options: +cmd +;; Got answer: +;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46900 +;; flags: qr aa; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 27 + +;; OPT PSEUDOSECTION: +; EDNS: version: 0, flags:; udp: 1472 +;; QUESTION SECTION: +;. IN NS + +;; ANSWER SECTION: +. 518400 IN NS a.root-servers.net. +. 518400 IN NS b.root-servers.net. +. 518400 IN NS c.root-servers.net. +. 518400 IN NS d.root-servers.net. +. 518400 IN NS e.root-servers.net. +. 518400 IN NS f.root-servers.net. +. 518400 IN NS g.root-servers.net. +. 518400 IN NS h.root-servers.net. +. 518400 IN NS i.root-servers.net. +. 518400 IN NS j.root-servers.net. +. 518400 IN NS k.root-servers.net. +. 518400 IN NS l.root-servers.net. +. 518400 IN NS m.root-servers.net. + +;; ADDITIONAL SECTION: +a.root-servers.net. 518400 IN A 198.41.0.4 +b.root-servers.net. 518400 IN A 199.9.14.201 +c.root-servers.net. 518400 IN A 192.33.4.12 +d.root-servers.net. 518400 IN A 199.7.91.13 +e.root-servers.net. 518400 IN A 192.203.230.10 +f.root-servers.net. 518400 IN A 192.5.5.241 +g.root-servers.net. 518400 IN A 192.112.36.4 +h.root-servers.net. 518400 IN A 198.97.190.53 +i.root-servers.net. 518400 IN A 192.36.148.17 +j.root-servers.net. 518400 IN A 192.58.128.30 +k.root-servers.net. 518400 IN A 193.0.14.129 +l.root-servers.net. 518400 IN A 199.7.83.42 +m.root-servers.net. 518400 IN A 202.12.27.33 +a.root-servers.net. 518400 IN AAAA 2001:503:ba3e::2:30 +b.root-servers.net. 518400 IN AAAA 2001:500:200::b +c.root-servers.net. 518400 IN AAAA 2001:500:2::c +d.root-servers.net. 518400 IN AAAA 2001:500:2d::d +e.root-servers.net. 518400 IN AAAA 2001:500:a8::e +f.root-servers.net. 518400 IN AAAA 2001:500:2f::f +g.root-servers.net. 518400 IN AAAA 2001:500:12::d0d +h.root-servers.net. 518400 IN AAAA 2001:500:1::53 +i.root-servers.net. 518400 IN AAAA 2001:7fe::53 +j.root-servers.net. 
518400 IN AAAA 2001:503:c27::2:30 +k.root-servers.net. 518400 IN AAAA 2001:7fd::1 +l.root-servers.net. 518400 IN AAAA 2001:500:9f::42 +m.root-servers.net. 518400 IN AAAA 2001:dc3::35 + +;; Query time: 24 msec +;; SERVER: 198.41.0.4#53(198.41.0.4) +;; WHEN: Thu Apr 05 15:57:34 CEST 2018 +;; MSG SIZE rcvd: 811 + diff --git a/named.root.key b/named.root.key new file mode 100644 index 0000000000000000000000000000000000000000..fbcb5d330a5caf230dc17aaadd03e2c4a33127b0 --- /dev/null +++ b/named.root.key @@ -0,0 +1,13 @@ +trust-anchors { + # ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml + # for current trust anchor information. + # + # This key (20326) was published in the root zone in 2017. + # Servers which were already using the old key (19036) should + # roll seamlessly to this new one via RFC 5011 rollover. Servers + # being set up for the first time can use the contents of this + # file as initializing keys; thereafter, the keys in the + # managed key database will be trusted and maintained + # automatically. + . initial-ds 20326 8 2 "E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D"; +}; diff --git a/named.service b/named.service index 6a162ad15e28c2b3510907eb23d22682408a084b..7cd6d3452b318a774310db1705301f60f106fd7b 100644 --- a/named.service +++ b/named.service @@ -15,8 +15,7 @@ PIDFile=/run/named/named.pid ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi' ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS - -ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID' +ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi' ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID' 
diff --git a/random.data b/random.data deleted file mode 100644 index 354add021c50385a89450e5babe1977007bb3352..0000000000000000000000000000000000000000 Binary files a/random.data and /dev/null differ diff --git a/setup-named-chroot.sh b/setup-named-chroot.sh old mode 100644 new mode 100755 diff --git a/setup-named-softhsm.sh b/setup-named-softhsm.sh old mode 100644 new mode 100755 index 7ae0a6de8ff8409b7627ae2c6b1e94be728f2c81..c0f8445a11b345773d385c3b614bdb27cc1736d1 --- a/setup-named-softhsm.sh +++ b/setup-named-softhsm.sh @@ -2,6 +2,12 @@ # # This script will initialise token storage of softhsm PKCS11 provider # in custom location. Is useful to store tokens in non-standard location. +# +# Output can be evaluated from bash, it will prepare it for usage of temporary tokens. +# Quotes around eval are mandatory! +# Recommended use: +# eval "$(bash setup-named-softhsm.sh -A)" +# SOFTHSM2_CONF="$1" TOKENPATH="$2" 
@@ -10,14 +16,55 @@ GROUPNAME="$3" # This is intended for crypto accelerators using PKCS11 interface. # Uninitialized token would fail any crypto operation. PIN=1234 +SO_PIN=1234 +LABEL=rpm set -e +echo_i() +{ + echo "#" $@ +} + +random() +{ + if [ -x "$(which openssl 2>/dev/null)" ]; then + openssl rand -base64 $1 + else + dd if=/dev/urandom bs=1c count=$1 | base64 + fi +} + +usage() +{ + echo "Usage: $0 -A [token directory] [group]" + echo " or: $0 [group]" +} + +if [ "$SOFTHSM2_CONF" = "-A" -a -z "$TOKENPATH" ]; then + TOKENPATH=$(mktemp -d /var/tmp/softhsm-XXXXXX) +fi + if [ -z "$SOFTHSM2_CONF" -o -z "$TOKENPATH" ]; then - echo "Usage: $0 [group]" >&2 + usage >&2 exit 1 fi +if [ "$SOFTHSM2_CONF" = "-A" ]; then + # Automagic mode instead + MODE=secure + SOFTHSM2_CONF="$TOKENPATH/softhsm2.conf" + PIN_SOURCE="$TOKENPATH/pin" + SOPIN_SOURCE="$TOKENPATH/so-pin" + TOKENPATH="$TOKENPATH/tokens" +else + MODE=legacy +fi + +[ -d "$TOKENPATH" ] || mkdir -p "$TOKENPATH" + +umask 0022 + if ! [ -f "$SOFTHSM2_CONF" ]; then cat << SED > "$SOFTHSM2_CONF" # SoftHSM v2 configuration file 
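Review bot: `[ -d "$TOKENPATH" ] || mkdir -p "$TOKENPATH"` runs before the new `umask 0022` takes effect, so the token directory inherits whatever umask the caller has, and even under the new umask it comes out 0755 in legacy mode where the caller supplies the path; in `-A` mode the `mktemp -d` parent is private to the user, so only the legacy path is exposed. The token object files live in that directory, so creating it as `mkdir -p -m 0750 "$TOKENPATH"` (the `chgrp -R` on it already exists further down) keeps them away from other local users rather than relying only on whatever protection SoftHSM applies to stored private objects. Smaller point: `random()` and `echo_i()` use `$1` and `$@` unquoted, which is harmless for a numeric count but inconsistent with the careful quoting elsewhere in the script.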
@@ -32,19 +79,36 @@ log.level = ERROR slots.removable = false SED else - echo "Config file $SOFTHSM2_CONF already exists" >&2 + echo_i "Config file $SOFTHSM2_CONF already exists" >&2 fi -[ -d "$TOKENPATH" ] || mkdir -p "$TOKENPATH" +if [ -n "$PIN_SOURCE" ]; then + touch "$PIN_SOURCE" "$SOPIN_SOURCE" + chmod 0600 "$PIN_SOURCE" "$SOPIN_SOURCE" + if [ -n "$GROUPNAME" ]; then + chgrp "$GROUPNAME" "$PIN_SOURCE" "$SOPIN_SOURCE" + chmod g+r "$PIN_SOURCE" "$SOPIN_SOURCE" + fi +fi export SOFTHSM2_CONF if softhsm2-util --show-slots | grep 'Initialized:[[:space:]]*yes' > /dev/null then - echo "Token in ${TOKENPATH} is already initialized" >&2 + echo_i "Token in ${TOKENPATH} is already initialized" >&2 + + [ -f "$PIN_SOURCE" ] && PIN=$(cat "$PIN_SOURCE") + [ -f "$SOPIN_SOURCE" ] && SO_PIN=$(cat "$SOPIN_SOURCE") else - echo "Initializing tokens to ${TOKENPATH}..." - softhsm2-util --init-token --free --label rpm --pin $PIN --so-pin $PIN + PIN=$(random 6) + SO_PIN=$(random 18) + if [ -n "$PIN_SOURCE" ]; then + echo -n "$PIN" > "$PIN_SOURCE" + echo -n "$SO_PIN" > "$SOPIN_SOURCE" + fi + + echo_i "Initializing tokens to ${TOKENPATH}..." + softhsm2-util --init-token --free --label "$LABEL" --pin "$PIN" --so-pin "$SO_PIN" | sed -e 's/^/# /' if [ -n "$GROUPNAME" ]; then chgrp -R -- "$GROUPNAME" "$TOKENPATH" @@ -53,3 +117,8 @@ else fi echo "export SOFTHSM2_CONF=\"$SOFTHSM2_CONF\"" +echo "export PIN_SOURCE=\"$PIN_SOURCE\"" +echo "export SOPIN_SOURCE=\"$SOPIN_SOURCE\"" +# These are intentionaly not exported +echo "PIN=\"$PIN\"" +echo "SO_PIN=\"$SO_PIN\"" diff --git a/softhsm2.conf.in b/softhsm2.conf.in new file mode 100644 index 0000000000000000000000000000000000000000..1f393201e6ed4b1d9ad001274bd4cc4e3579ff9e --- /dev/null +++ b/softhsm2.conf.in @@ -0,0 +1,10 @@ +# SoftHSM v2 configuration file + +directories.tokendir = @TOKENPATH@ +objectstore.backend = file + +# ERROR, WARNING, INFO, DEBUG +log.level = ERROR + +# If CKF_REMOVABLE_DEVICE flag should be set +slots.removable = false 
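Review bot: Piping `softhsm2-util --init-token ... | sed -e 's/^/# /'` makes the pipeline's status that of `sed`, so the script's `set -e` (set earlier, outside this hunk) no longer stops on a failed token initialisation; the script then goes on to chgrp the directory and, in the last hunk, to print `PIN=`/`SO_PIN=` for a token that may not exist. Add `set -o pipefail` beside `set -e`, or capture the output first (`out=$(softhsm2-util ...)` and then `printf '%s\n' "$out" | sed -e 's/^/# /'`) so the init status is what `set -e` sees. Note also that `--pin "$PIN" --so-pin "$SO_PIN"` puts both secrets on the command line, where they are visible in the process list to other local users for the duration of the call; the PIN files themselves are handled in the right order (touch, chmod 0600, then write), so this is the one remaining exposure and merits a comment. The `PIN=`/`SO_PIN=` lines echoed to stdout in the final hunk are by design for `eval`, but the header comment should say the output must not be captured into logs.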
diff --git a/trusted-key.key b/trusted-key.key index df2fd0ddbf2bde0973944ad732b4d5487a9746a0..7b845f3bd015275c66c23c8c09d4132c830fbb53 100644 --- a/trusted-key.key +++ b/trusted-key.key @@ -1,2 +1 @@ -. 3600 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= . 3600 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= diff --git a/zone2sqlite.1 b/zone2sqlite.1 deleted file mode 100644 index 689782740f7538cf1b21dffca987de6d549189da..0000000000000000000000000000000000000000 --- a/zone2sqlite.1 +++ /dev/null 
@@ -1,53 +0,0 @@ -.\" Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC") -.\" Copyright (C) 2000, 2001 Internet Software Consortium. -.\" -.\" Permission to use, copy, modify, and/or distribute this software for any -.\" purpose with or without fee is hereby granted, provided that the above -.\" copyright notice and this permission notice appear in all copies. -.\" -.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -.\" PERFORMANCE OF THIS SOFTWARE. -.\" -.\" Manpage written by Jan Gorig -.TH zone2sqlite 1 "15 March 2010" "BIND9" -.SH NAME -zone2sqlite - Load BIND 9 zone file into SQLite database -.SH SYNOPSIS -.B zone2sqlite zone zonefile dbfile dbtable -.SH DESCRIPTION -zone2sqlite parses DNS zone file and creates database for use with SQLite BIND SDB driver. - -\fBzone\fR -.RS 4 -Zone origin, eg "mydomain.net." -.RE -.PP -\fBzonefile\fR -.RS 4 -Master zone database file, eg. mydomain.net.zone -.RE -.PP -\fBdbfile\fR -.RS 4 -Name of SQLite database file -.RE -.PP -\fBdbtable\fR -.RS 4 -Name of table in database -.RE - -.SH "EXIT STATUS" -Exits with 0 on success or 1 on failure. -.SH "SEE ALSO" -named(8) -.SH "COPYRIGHT" -Copyright \(co 2004, 2005, 2007\-2009 Internet Systems Consortium, Inc. ("ISC") -.br -Copyright \(co 2000, 2001 Internet Software Consortium. -.br diff --git a/zonetodb.1 b/zonetodb.1 deleted file mode 100644 index 897e74fdfd1df26b6d54564df0345e291f0b4a82..0000000000000000000000000000000000000000 --- a/zonetodb.1 +++ /dev/null 
@@ -1,53 +0,0 @@ -.\" Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC") -.\" Copyright (C) 2000, 2001 Internet Software Consortium. -.\" -.\" Permission to use, copy, modify, and/or distribute this software for any -.\" purpose with or without fee is hereby granted, provided that the above -.\" copyright notice and this permission notice appear in all copies. -.\" -.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -.\" PERFORMANCE OF THIS SOFTWARE. -.\" -.\" Manpage written by Jan Gorig -.TH zonetodb 1 "15 March 2010" "BIND9" -.SH NAME -zonetodb - Generate a PostgreSQL table from a zone. -.SH SYNOPSIS -.B zonetodb origin file dbname dbtable -.SH DESCRIPTION -zonetodb parses DNS zone file and creates table in selected database for use with PostgreSQL BIND SDB driver. - -\fBzone\fR -.RS 4 -Zone origin, eg "pgdb.net." -.RE -.PP -\fBfile\fR -.RS 4 -Master zone database file, eg. pgdb.net.db -.RE -.PP -\fBdbname\fR -.RS 4 -Name of PostgreSQL database (database must exist) -.RE -.PP -\fBdbtable\fR -.RS 4 -Name of table in database -.RE - -.SH "EXIT STATUS" -Exits with 0 on success or 1 on failure. -.SH "SEE ALSO" -named(8) -.SH "COPYRIGHT" -Copyright \(co 2004, 2005, 2007\-2009 Internet Systems Consortium, Inc. ("ISC") -.br -Copyright \(co 2000, 2001 Internet Software Consortium. -.br