import bind-9.11.36-2.el8
		
							parent
							
								
									020fe571be
								
							
						
					
					
						commit
						8a1b969502
					
				| @ -1,2 +1,2 @@ | ||||
| 14064c865920842e48f444be2bda9dc91770e439 SOURCES/bind-9.11.26.tar.gz | ||||
| 4b45d15edc1e3b7902129ce27baec58a50d76b5c SOURCES/bind-9.11.36.tar.gz | ||||
| a164fcad1d64d6b5fab5034928cb7260f1fa8fdd SOURCES/random.data | ||||
|  | ||||
							
								
								
									
									
										2
									
								
								.gitignore
									
									
									
									
									
									
								
							| @ -1,2 +1,2 @@ | ||||
| SOURCES/bind-9.11.26.tar.gz | ||||
| SOURCES/bind-9.11.36.tar.gz | ||||
| SOURCES/random.data | ||||
|  | ||||
| @ -143,7 +143,7 @@ index 390aa0c..851a008 100644 | ||||
|  CWARNINGS = | ||||
|   | ||||
| diff --git a/bin/named-pkcs11/Makefile.in b/bin/named-pkcs11/Makefile.in
 | ||||
| index 3166368..a403941 100644
 | ||||
| index 277a0f5..52a6375 100644
 | ||||
| --- a/bin/named-pkcs11/Makefile.in
 | ||||
| +++ b/bin/named-pkcs11/Makefile.in
 | ||||
| @@ -43,27 +43,27 @@ DLZDRIVER_INCLUDES =	@DLZ_DRIVER_INCLUDES@
 | ||||
| @ -260,7 +260,7 @@ index 3166368..a403941 100644 | ||||
|  @DLZ_DRIVER_RULES@ | ||||
|   | ||||
| diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
 | ||||
| index 3166368..890574f 100644
 | ||||
| index 277a0f5..0e00885 100644
 | ||||
| --- a/bin/named/Makefile.in
 | ||||
| +++ b/bin/named/Makefile.in
 | ||||
| @@ -48,7 +48,7 @@ CINCLUDES =	-I${srcdir}/include -I${srcdir}/unix/include -I. \
 | ||||
| @ -294,10 +294,10 @@ index 2c19e7e..8223d5e 100644 | ||||
|  DEPLIBS =	${ISCDEPLIBS} | ||||
|   | ||||
| diff --git a/configure.ac b/configure.ac
 | ||||
| index c6715b4..8144268 100644
 | ||||
| index 83cad4a..e1e1a32 100644
 | ||||
| --- a/configure.ac
 | ||||
| +++ b/configure.ac
 | ||||
| @@ -1176,12 +1176,14 @@ AC_SUBST(USE_GSSAPI)
 | ||||
| @@ -1178,12 +1178,14 @@ AC_SUBST(USE_GSSAPI)
 | ||||
|  AC_SUBST(DST_GSSAPI_INC) | ||||
|  AC_SUBST(DNS_GSSAPI_LIBS) | ||||
|  DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_LIBS" | ||||
| @ -312,7 +312,7 @@ index c6715b4..8144268 100644 | ||||
|   | ||||
|  # | ||||
|  # was --with-randomdev specified? | ||||
| @@ -1554,12 +1556,12 @@ AC_ARG_ENABLE(openssl-hash,
 | ||||
| @@ -1556,12 +1558,12 @@ AC_ARG_ENABLE(openssl-hash,
 | ||||
|  AC_MSG_CHECKING(for OpenSSL library) | ||||
|  OPENSSL_WARNING= | ||||
|  openssldirs="/usr /usr/local /usr/local/ssl /opt/local /usr/pkg /usr/sfw" | ||||
| @ -331,7 +331,7 @@ index c6715b4..8144268 100644 | ||||
|   | ||||
|  if test "auto" = "$use_openssl" | ||||
|  then | ||||
| @@ -1572,6 +1574,7 @@ then
 | ||||
| @@ -1574,6 +1576,7 @@ then
 | ||||
|  		fi | ||||
|  	done | ||||
|  fi | ||||
| @ -339,7 +339,7 @@ index c6715b4..8144268 100644 | ||||
|  OPENSSL_ECDSA="" | ||||
|  OPENSSL_GOST="" | ||||
|  OPENSSL_ED25519="" | ||||
| @@ -1593,11 +1596,10 @@ case "$with_gost" in
 | ||||
| @@ -1595,11 +1598,10 @@ case "$with_gost" in
 | ||||
|  		;; | ||||
|  esac | ||||
|   | ||||
| @ -354,7 +354,7 @@ index c6715b4..8144268 100644 | ||||
|  		CRYPTOLIB="pkcs11" | ||||
|  		OPENSSLECDSALINKOBJS="" | ||||
|  		OPENSSLECDSALINKSRCS="" | ||||
| @@ -1607,7 +1609,9 @@ case "$use_openssl" in
 | ||||
| @@ -1609,7 +1611,9 @@ case "$use_openssl" in
 | ||||
|  		OPENSSLGOSTLINKSRCS="" | ||||
|  		OPENSSLLINKOBJS="" | ||||
|  		OPENSSLLINKSRCS="" | ||||
| @ -365,7 +365,7 @@ index c6715b4..8144268 100644 | ||||
|  	no) | ||||
|  		AC_MSG_RESULT(no) | ||||
|  		DST_OPENSSL_INC="" | ||||
| @@ -1639,7 +1643,7 @@ case "$use_openssl" in
 | ||||
| @@ -1641,7 +1645,7 @@ case "$use_openssl" in
 | ||||
|  If you do not want OpenSSL, use --without-openssl]) | ||||
|  		;; | ||||
|  	*) | ||||
| @ -374,7 +374,7 @@ index c6715b4..8144268 100644 | ||||
|  		then | ||||
|  			AC_MSG_RESULT() | ||||
|  			AC_MSG_ERROR([OpenSSL and native PKCS11 cannot be used together.]) | ||||
| @@ -2067,6 +2071,7 @@ AC_SUBST(OPENSSL_ED25519)
 | ||||
| @@ -2077,6 +2081,7 @@ AC_SUBST(OPENSSL_ED25519)
 | ||||
|  AC_SUBST(OPENSSL_GOST) | ||||
|   | ||||
|  DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DST_OPENSSL_LIBS" | ||||
| @ -382,7 +382,7 @@ index c6715b4..8144268 100644 | ||||
|   | ||||
|  ISC_PLATFORM_WANTAES="#undef ISC_PLATFORM_WANTAES" | ||||
|  if test "yes" = "$with_aes" | ||||
| @@ -2353,6 +2358,7 @@ esac
 | ||||
| @@ -2363,6 +2368,7 @@ esac
 | ||||
|  AC_SUBST(PKCS11LINKOBJS) | ||||
|  AC_SUBST(PKCS11LINKSRCS) | ||||
|  AC_SUBST(CRYPTO) | ||||
| @ -390,7 +390,7 @@ index c6715b4..8144268 100644 | ||||
|  AC_SUBST(PKCS11_ECDSA) | ||||
|  AC_SUBST(PKCS11_GOST) | ||||
|  AC_SUBST(PKCS11_ED25519) | ||||
| @@ -5501,8 +5507,11 @@ AC_CONFIG_FILES([
 | ||||
| @@ -5491,8 +5497,11 @@ AC_CONFIG_FILES([
 | ||||
|  	bin/delv/Makefile | ||||
|  	bin/dig/Makefile | ||||
|  	bin/dnssec/Makefile | ||||
| @ -402,7 +402,7 @@ index c6715b4..8144268 100644 | ||||
|  	bin/nsupdate/Makefile | ||||
|  	bin/pkcs11/Makefile | ||||
|  	bin/python/Makefile | ||||
| @@ -5575,6 +5584,10 @@ AC_CONFIG_FILES([
 | ||||
| @@ -5565,6 +5574,10 @@ AC_CONFIG_FILES([
 | ||||
|  	lib/dns/include/dns/Makefile | ||||
|  	lib/dns/include/dst/Makefile | ||||
|  	lib/dns/tests/Makefile | ||||
| @ -413,7 +413,7 @@ index c6715b4..8144268 100644 | ||||
|  	lib/irs/Makefile | ||||
|  	lib/irs/include/Makefile | ||||
|  	lib/irs/include/irs/Makefile | ||||
| @@ -5599,6 +5612,24 @@ AC_CONFIG_FILES([
 | ||||
| @@ -5589,6 +5602,24 @@ AC_CONFIG_FILES([
 | ||||
|  	lib/isc/unix/include/Makefile | ||||
|  	lib/isc/unix/include/isc/Makefile | ||||
|  	lib/isc/unix/include/pkcs11/Makefile | ||||
| @ -452,21 +452,21 @@ index f089bea..3ed939b 100644 | ||||
|   | ||||
|  @BIND9_MAKE_RULES@ | ||||
| diff --git a/lib/dns-pkcs11/Makefile.in b/lib/dns-pkcs11/Makefile.in
 | ||||
| index 8fc4e94..5eefb14 100644
 | ||||
| index 1d0f5df..98c9ba0 100644
 | ||||
| --- a/lib/dns-pkcs11/Makefile.in
 | ||||
| +++ b/lib/dns-pkcs11/Makefile.in
 | ||||
| @@ -26,17 +26,16 @@ VERSION=@BIND9_VERSION@
 | ||||
| @@ -24,17 +24,17 @@ VERSION=@BIND9_VERSION@
 | ||||
|   | ||||
|  USE_ISC_SPNEGO = @USE_ISC_SPNEGO@ | ||||
|  @BIND9_MAKE_INCLUDES@ | ||||
|   | ||||
| -CINCLUDES =	-I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \
 | ||||
| -		${ISC_INCLUDES} ${MAXMINDDB_CFLAGS} \
 | ||||
| -		@DST_OPENSSL_INC@ @DST_GSSAPI_INC@
 | ||||
| +CINCLUDES =	-I. -I${top_srcdir}/lib/dns-pkcs11 -Iinclude ${DNS_PKCS11_INCLUDES} \
 | ||||
| +		${ISC_PKCS11_INCLUDES} ${MAXMINDDB_CFLAGS} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@
 | ||||
| +		${ISC_PKCS11_INCLUDES} ${MAXMINDDB_CFLAGS} \
 | ||||
|  		@DST_OPENSSL_INC@ @DST_GSSAPI_INC@ | ||||
|   | ||||
| -CDEFINES =	-DUSE_MD5 @CRYPTO@ @USE_GSSAPI@ ${USE_ISC_SPNEGO}
 | ||||
| +CDEFINES =	-DUSE_MD5 @CRYPTO_PK11@ @USE_GSSAPI@ ${USE_ISC_SPNEGO}
 | ||||
| -CDEFINES =	-DUSE_MD5 @CRYPTO@ @USE_GSSAPI@
 | ||||
| +CDEFINES =	-DUSE_MD5 @CRYPTO_PK11@ @USE_GSSAPI@
 | ||||
|   | ||||
|  CWARNINGS = | ||||
|   | ||||
| @ -478,7 +478,7 @@ index 8fc4e94..5eefb14 100644 | ||||
|   | ||||
|  LIBS =		${MAXMINDDB_LIBS} @LIBS@ | ||||
|   | ||||
| @@ -150,15 +149,15 @@ version.@O@: version.c
 | ||||
| @@ -148,15 +148,15 @@ version.@O@: version.c
 | ||||
|  		-DLIBAGE=${LIBAGE} \ | ||||
|  		-c ${srcdir}/version.c | ||||
|   | ||||
| @ -498,7 +498,7 @@ index 8fc4e94..5eefb14 100644 | ||||
|   | ||||
|  include: gen | ||||
|  	${MAKE} include/dns/enumtype.h | ||||
| @@ -189,22 +188,22 @@ gen: gen.c
 | ||||
| @@ -187,22 +187,22 @@ gen: gen.c
 | ||||
|  	${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c \ | ||||
|  	${BUILD_LIBS} ${LFS_LIBS} | ||||
|   | ||||
|  | ||||
| @ -1,27 +0,0 @@ | ||||
| From 9f331a945071365ccc0cfba24241c4af6919af30 Mon Sep 17 00:00:00 2001 | ||||
| From: Petr Mensik <pemensik@redhat.com> | ||||
| Date: Mon, 15 Feb 2021 12:18:14 +0100 | ||||
| Subject: [PATCH] CVE-2020-8625 | ||||
| 
 | ||||
| 5562.	[security]	Fix off-by-one bug in ISC SPNEGO implementation. | ||||
| 			(CVE-2020-8625) [GL #2354] | ||||
| ---
 | ||||
|  lib/dns/spnego.c | 2 +- | ||||
|  1 file changed, 1 insertion(+), 1 deletion(-) | ||||
| 
 | ||||
| diff --git a/lib/dns/spnego.c b/lib/dns/spnego.c
 | ||||
| index dea108b..13cf15d 100644
 | ||||
| --- a/lib/dns/spnego.c
 | ||||
| +++ b/lib/dns/spnego.c
 | ||||
| @@ -877,7 +877,7 @@ der_get_oid(const unsigned char *p, size_t len, oid *data, size_t *size) {
 | ||||
|  		return (ASN1_OVERRUN); | ||||
|  	} | ||||
|   | ||||
| -	data->components = malloc(len * sizeof(*data->components));
 | ||||
| +	data->components = malloc((len + 1) * sizeof(*data->components));
 | ||||
|  	if (data->components == NULL) { | ||||
|  		return (ENOMEM); | ||||
|  	} | ||||
| -- 
 | ||||
| 2.26.2 | ||||
| 
 | ||||
| @ -1,44 +0,0 @@ | ||||
| From 4eff09c6b1e524b0efc393ee948b5c4cdf16ccb8 Mon Sep 17 00:00:00 2001 | ||||
| From: Mark Andrews <marka@isc.org> | ||||
| Date: Wed, 3 Feb 2021 11:10:20 +1100 | ||||
| Subject: [PATCH] Check SOA owner names in zone transfers | ||||
| 
 | ||||
| An IXFR containing SOA records with owner names different than the | ||||
| transferred zone's origin can result in named serving a version of that | ||||
| zone without an SOA record at the apex.  This causes a RUNTIME_CHECK | ||||
| assertion failure the next time such a zone is refreshed.  Fix by | ||||
| immediately rejecting a zone transfer (either an incremental or | ||||
| non-incremental one) upon detecting an SOA record not placed at the apex | ||||
| of the transferred zone. | ||||
| ---
 | ||||
|  lib/dns/xfrin.c | 14 ++++++++++++++ | ||||
|  1 file changed, 14 insertions(+) | ||||
| 
 | ||||
| diff --git a/lib/dns/xfrin.c b/lib/dns/xfrin.c
 | ||||
| index 3a3f407289..0ba82e4974 100644
 | ||||
| --- a/lib/dns/xfrin.c
 | ||||
| +++ b/lib/dns/xfrin.c
 | ||||
| @@ -477,6 +477,20 @@ xfr_rr(dns_xfrin_ctx_t *xfr, dns_name_t *name, uint32_t ttl,
 | ||||
|  	    dns_rdatatype_ismeta(rdata->type)) | ||||
|  		FAIL(DNS_R_FORMERR); | ||||
|   | ||||
| +	/*
 | ||||
| +	 * Immediately reject the entire transfer if the RR that is currently
 | ||||
| +	 * being processed is an SOA record that is not placed at the zone
 | ||||
| +	 * apex.
 | ||||
| +	 */
 | ||||
| +	if (rdata->type == dns_rdatatype_soa &&
 | ||||
| +	    !dns_name_equal(&xfr->name, name)) {
 | ||||
| +		char namebuf[DNS_NAME_FORMATSIZE];
 | ||||
| +		dns_name_format(name, namebuf, sizeof(namebuf));
 | ||||
| +		xfrin_log(xfr, ISC_LOG_DEBUG(3), "SOA name mismatch: '%s'",
 | ||||
| +			  namebuf);
 | ||||
| +		FAIL(DNS_R_NOTZONETOP);
 | ||||
| +	}
 | ||||
| +
 | ||||
|   redo: | ||||
|  	switch (xfr->state) { | ||||
|  	case XFRST_SOAQUERY: | ||||
| -- 
 | ||||
| 2.26.3 | ||||
| 
 | ||||
| @ -1,40 +0,0 @@ | ||||
| From 6fc38d1c75ce5a6172267e6ca162c4fdc09657ad Mon Sep 17 00:00:00 2001 | ||||
| From: Petr Mensik <pemensik@redhat.com> | ||||
| Date: Tue, 27 Apr 2021 10:56:12 +0200 | ||||
| Subject: [PATCH 2/2] CVE-2021-25215 | ||||
| 
 | ||||
| 5616.	[security]	named crashed when a DNAME record placed in the ANSWER | ||||
| 			section during DNAME chasing turned out to be the final | ||||
| 			answer to a client query. (CVE-2021-25215) [GL #2540] | ||||
| ---
 | ||||
|  bin/named/query.c | 13 ++++++++++--- | ||||
|  1 file changed, 10 insertions(+), 3 deletions(-) | ||||
| 
 | ||||
| diff --git a/bin/named/query.c b/bin/named/query.c
 | ||||
| index a95f5ad..11a888e 100644
 | ||||
| --- a/bin/named/query.c
 | ||||
| +++ b/bin/named/query.c
 | ||||
| @@ -9301,10 +9301,17 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 | ||||
|  		if (noqname != NULL) | ||||
|  			query_addnoqnameproof(client, noqname); | ||||
|  		/* | ||||
| -		 * We shouldn't ever fail to add 'rdataset'
 | ||||
| -		 * because it's already in the answer.
 | ||||
| +		 * 'rdataset' will only be non-NULL here if the ANSWER section
 | ||||
| +		 * of the message to be sent to the client already contains an
 | ||||
| +		 * RRset with the same owner name and the same type as
 | ||||
| +		 * 'rdataset'.  This should never happen, with one exception:
 | ||||
| +		 * when chasing DNAME records, one of the DNAME records placed
 | ||||
| +		 * in the ANSWER section may turn out to be the final answer to
 | ||||
| +		 * the client's query, but we have no way of knowing that until
 | ||||
| +		 * now.  In such a case, 'rdataset' will be freed later, so we
 | ||||
| +		 * do not need to free it here.
 | ||||
|  		 */ | ||||
| -		INSIST(rdataset == NULL);
 | ||||
| +		INSIST(rdataset == NULL || qtype == dns_rdatatype_dname);
 | ||||
|  	} | ||||
|   | ||||
|   addauth: | ||||
| -- 
 | ||||
| 2.26.3 | ||||
| 
 | ||||
| @ -1,4 +1,4 @@ | ||||
| From 14ad3e0b42bc999072d30268396412bec158a22d Mon Sep 17 00:00:00 2001 | ||||
| From 1dc81c51cd5c70b783aab8b6156aec4cfedd6fe3 Mon Sep 17 00:00:00 2001 | ||||
| From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com> | ||||
| Date: Thu, 2 Aug 2018 23:46:45 +0200 | ||||
| Subject: [PATCH] FIPS tests changes | ||||
| @ -96,12 +96,14 @@ Date:   Wed Mar 7 10:44:23 2018 +0100 | ||||
|  bin/tests/system/rndc/setup.sh                |  2 +- | ||||
|  bin/tests/system/rndc/tests.sh                | 23 ++++--- | ||||
|  bin/tests/system/tsig/ns1/named.conf.in       | 10 +-- | ||||
|  bin/tests/system/tsig/ns1/rndc5.conf.in       | 10 +++ | ||||
|  bin/tests/system/tsig/setup.sh                |  5 ++ | ||||
|  bin/tests/system/tsig/tests.sh                | 65 +++++++++++------- | ||||
|  bin/tests/system/tsiggss/setup.sh             |  2 +- | ||||
|  bin/tests/system/upforwd/ns1/named.conf.in    |  2 +- | ||||
|  bin/tests/system/upforwd/tests.sh             |  2 +- | ||||
|  43 files changed, 220 insertions(+), 170 deletions(-) | ||||
|  44 files changed, 230 insertions(+), 170 deletions(-) | ||||
|  create mode 100644 bin/tests/system/tsig/ns1/rndc5.conf.in | ||||
| 
 | ||||
| diff --git a/bin/tests/system/acl/ns2/named1.conf.in b/bin/tests/system/acl/ns2/named1.conf.in
 | ||||
| index 9999ada..e3f8d0e 100644
 | ||||
| @ -598,10 +600,10 @@ index b66207a..359b220 100644 | ||||
|  ; TTL of 3 weeks | ||||
|  weeks		1814400	A	10.53.0.2 | ||||
| diff --git a/bin/tests/system/digdelv/tests.sh b/bin/tests/system/digdelv/tests.sh
 | ||||
| index 2109001..ded5557 100644
 | ||||
| index a3ebc31..0d9b9b8 100644
 | ||||
| --- a/bin/tests/system/digdelv/tests.sh
 | ||||
| +++ b/bin/tests/system/digdelv/tests.sh
 | ||||
| @@ -155,7 +155,7 @@ if [ -x "$DIG" ] ; then
 | ||||
| @@ -173,7 +173,7 @@ if [ -x "$DIG" ] ; then
 | ||||
|    echo_i "checking dig +rrcomments works for DNSKEY($n)" | ||||
|    ret=0 | ||||
|    $DIG $DIGOPTS +tcp @10.53.0.3 +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1 | ||||
| @ -610,7 +612,7 @@ index 2109001..ded5557 100644 | ||||
|    check_ttl_range dig.out.test$n "DNSKEY" 300 || ret=1 | ||||
|    if [ $ret != 0 ]; then echo_i "failed"; fi | ||||
|    status=`expr $status + $ret` | ||||
| @@ -164,7 +164,7 @@ if [ -x "$DIG" ] ; then
 | ||||
| @@ -182,7 +182,7 @@ if [ -x "$DIG" ] ; then
 | ||||
|    echo_i "checking dig +short +rrcomments works for DNSKEY ($n)" | ||||
|    ret=0 | ||||
|    $DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1 | ||||
| @ -619,7 +621,7 @@ index 2109001..ded5557 100644 | ||||
|    if [ $ret != 0 ]; then echo_i "failed"; fi | ||||
|    status=`expr $status + $ret` | ||||
|   | ||||
| @@ -172,7 +172,7 @@ if [ -x "$DIG" ] ; then
 | ||||
| @@ -190,7 +190,7 @@ if [ -x "$DIG" ] ; then
 | ||||
|    echo_i "checking dig +short +nosplit works($n)" | ||||
|    ret=0 | ||||
|    $DIG $DIGOPTS +tcp @10.53.0.3 +short +nosplit DNSKEY dnskey.example > dig.out.test$n || ret=1 | ||||
| @ -628,7 +630,7 @@ index 2109001..ded5557 100644 | ||||
|    if [ $ret != 0 ]; then echo_i "failed"; fi | ||||
|    status=`expr $status + $ret` | ||||
|   | ||||
| @@ -180,7 +180,7 @@ if [ -x "$DIG" ] ; then
 | ||||
| @@ -198,7 +198,7 @@ if [ -x "$DIG" ] ; then
 | ||||
|    echo_i "checking dig +short +rrcomments works($n)" | ||||
|    ret=0 | ||||
|    $DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1 | ||||
| @ -637,7 +639,7 @@ index 2109001..ded5557 100644 | ||||
|    if [ $ret != 0 ]; then echo_i "failed"; fi | ||||
|    status=`expr $status + $ret` | ||||
|   | ||||
| @@ -197,7 +197,7 @@ if [ -x "$DIG" ] ; then
 | ||||
| @@ -215,7 +215,7 @@ if [ -x "$DIG" ] ; then
 | ||||
|    echo_i "checking dig +short +rrcomments works($n)" | ||||
|    ret=0 | ||||
|    $DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1 | ||||
| @ -646,7 +648,7 @@ index 2109001..ded5557 100644 | ||||
|    if [ $ret != 0 ]; then echo_i "failed"; fi | ||||
|    status=`expr $status + $ret` | ||||
|   | ||||
| @@ -827,7 +827,7 @@ if [ -x ${DELV} ] ; then
 | ||||
| @@ -846,7 +846,7 @@ if [ -x ${DELV} ] ; then
 | ||||
|    echo_i "checking delv +rrcomments works for DNSKEY($n)" | ||||
|    ret=0 | ||||
|    $DELV $DELVOPTS +tcp @10.53.0.3 +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1 | ||||
| @ -655,7 +657,7 @@ index 2109001..ded5557 100644 | ||||
|    check_ttl_range delv.out.test$n "DNSKEY" 300 || ret=1 | ||||
|    if [ $ret != 0 ]; then echo_i "failed"; fi | ||||
|    status=`expr $status + $ret` | ||||
| @@ -836,7 +836,7 @@ if [ -x ${DELV} ] ; then
 | ||||
| @@ -855,7 +855,7 @@ if [ -x ${DELV} ] ; then
 | ||||
|    echo_i "checking delv +short +rrcomments works for DNSKEY ($n)" | ||||
|    ret=0 | ||||
|    $DELV $DELVOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1 | ||||
| @ -664,7 +666,7 @@ index 2109001..ded5557 100644 | ||||
|    if [ $ret != 0 ]; then echo_i "failed"; fi | ||||
|    status=`expr $status + $ret` | ||||
|   | ||||
| @@ -844,7 +844,7 @@ if [ -x ${DELV} ] ; then
 | ||||
| @@ -863,7 +863,7 @@ if [ -x ${DELV} ] ; then
 | ||||
|    echo_i "checking delv +short +rrcomments works ($n)" | ||||
|    ret=0 | ||||
|    $DELV $DELVOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1 | ||||
| @ -673,7 +675,7 @@ index 2109001..ded5557 100644 | ||||
|    if [ $ret != 0 ]; then echo_i "failed"; fi | ||||
|    status=`expr $status + $ret` | ||||
|   | ||||
| @@ -852,7 +852,7 @@ if [ -x ${DELV} ] ; then
 | ||||
| @@ -871,7 +871,7 @@ if [ -x ${DELV} ] ; then
 | ||||
|    echo_i "checking delv +short +nosplit works ($n)" | ||||
|    ret=0 | ||||
|    $DELV $DELVOPTS +tcp @10.53.0.3 +short +nosplit DNSKEY dnskey.example > delv.out.test$n || ret=1 | ||||
| @ -682,7 +684,7 @@ index 2109001..ded5557 100644 | ||||
|    if test `wc -l < delv.out.test$n` != 1 ; then ret=1 ; fi | ||||
|    f=`awk '{print NF}' < delv.out.test$n` | ||||
|    test "${f:-0}" -eq 14 || ret=1 | ||||
| @@ -863,7 +863,7 @@ if [ -x ${DELV} ] ; then
 | ||||
| @@ -882,7 +882,7 @@ if [ -x ${DELV} ] ; then
 | ||||
|    echo_i "checking delv +short +nosplit +norrcomments works ($n)" | ||||
|    ret=0 | ||||
|    $DELV $DELVOPTS +tcp @10.53.0.3 +short +nosplit +norrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1 | ||||
| @ -909,7 +911,7 @@ index ba39f90..f20a2dd 100755 | ||||
|  cat $infile $keyname1.key $keyname2.key >$zonefile | ||||
|   | ||||
| diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh
 | ||||
| index e28b3f1..29c169b 100644
 | ||||
| index d401823..139c7ad 100644
 | ||||
| --- a/bin/tests/system/dnssec/ns2/sign.sh
 | ||||
| +++ b/bin/tests/system/dnssec/ns2/sign.sh
 | ||||
| @@ -126,8 +126,8 @@ zone=in-addr.arpa.
 | ||||
| @ -953,10 +955,10 @@ index 75cf699..b4d848c 100644 | ||||
| +    "." 256 3 8 "AwEAAarwAdjV4gIhpBCjXVAScRFEx3co7k8smJdxrnqoGsl5NB7EZ9jRdgvCXbJn6v8y9jlNWVHvaC8ilhfhLh0A1vLWiWv4ijd/12xcnrY7xpG7Cu3YkxUxaXJ7Jdg/Iw1+9mGgXF1v4UbCIcw/3U3cxyk7OxYg+VSb5KBAQSR0upxV";
 | ||||
|  }; | ||||
| diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
 | ||||
| index 3e8e4d5..da692f9 100644
 | ||||
| index 30f7fc5..2f34b6d 100644
 | ||||
| --- a/bin/tests/system/dnssec/tests.sh
 | ||||
| +++ b/bin/tests/system/dnssec/tests.sh
 | ||||
| @@ -3257,8 +3257,8 @@ do
 | ||||
| @@ -3281,8 +3281,8 @@ do
 | ||||
|  	   alg=`expr $alg + 1` | ||||
|  	   continue;; | ||||
|  	3) size="-b 512";; | ||||
| @ -1112,10 +1114,10 @@ index e6e2382..b0a94e0 100644 | ||||
|  }; | ||||
|   | ||||
| diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh
 | ||||
| index 6fbf1d7..a712b17 100644
 | ||||
| index 2b3b154..8240c42 100644
 | ||||
| --- a/bin/tests/system/nsupdate/setup.sh
 | ||||
| +++ b/bin/tests/system/nsupdate/setup.sh
 | ||||
| @@ -53,7 +53,12 @@ EOF
 | ||||
| @@ -68,7 +68,12 @@ EOF
 | ||||
|   | ||||
|  $DDNSCONFGEN -q -r $RANDFILE -z example.nil > ns1/ddns.key | ||||
|   | ||||
| @ -1130,10 +1132,10 @@ index 6fbf1d7..a712b17 100644 | ||||
|  $DDNSCONFGEN -q -r $RANDFILE -a hmac-sha224 -k sha224-key -z keytests.nil > ns1/sha224.key | ||||
|  $DDNSCONFGEN -q -r $RANDFILE -a hmac-sha256 -k sha256-key -z keytests.nil > ns1/sha256.key | ||||
| diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
 | ||||
| index 6b2c8f6..96ad95e 100755
 | ||||
| index 60cf7ee..f8994ff 100755
 | ||||
| --- a/bin/tests/system/nsupdate/tests.sh
 | ||||
| +++ b/bin/tests/system/nsupdate/tests.sh
 | ||||
| @@ -788,7 +788,14 @@ fi
 | ||||
| @@ -804,7 +804,14 @@ fi
 | ||||
|  n=`expr $n + 1` | ||||
|  ret=0 | ||||
|  echo_i "check TSIG key algorithms ($n)" | ||||
| @ -1149,7 +1151,7 @@ index 6b2c8f6..96ad95e 100755 | ||||
|      $NSUPDATE -k ns1/${alg}.key <<END > /dev/null || ret=1 | ||||
|  server 10.53.0.1 ${PORT} | ||||
|  update add ${alg}.keytests.nil. 600 A 10.10.10.3 | ||||
| @@ -796,7 +803,7 @@ send
 | ||||
| @@ -812,7 +819,7 @@ send
 | ||||
|  END | ||||
|  done | ||||
|  sleep 2 | ||||
| @ -1233,6 +1235,22 @@ index 4905ffd..958d9fb 100644 | ||||
|   | ||||
|  key "sha1-trunc" { | ||||
|  	secret "FrSt77yPTFx6hTs4i2tKLB9LmE0="; | ||||
| diff --git a/bin/tests/system/tsig/ns1/rndc5.conf.in b/bin/tests/system/tsig/ns1/rndc5.conf.in
 | ||||
| new file mode 100644 | ||||
| index 0000000..0682194
 | ||||
| --- /dev/null
 | ||||
| +++ b/bin/tests/system/tsig/ns1/rndc5.conf.in
 | ||||
| @@ -0,0 +1,10 @@
 | ||||
| +# Conditionally included when support for MD5 is available
 | ||||
| +key "md5" {
 | ||||
| +	secret "97rnFx24Tfna4mHPfgnerA==";
 | ||||
| +	algorithm hmac-md5;
 | ||||
| +};
 | ||||
| +
 | ||||
| +key "md5-trunc" {
 | ||||
| +	secret "97rnFx24Tfna4mHPfgnerA==";
 | ||||
| +	algorithm hmac-md5-80;
 | ||||
| +};
 | ||||
| diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh
 | ||||
| index f42aa79..bfcf4a6 100644
 | ||||
| --- a/bin/tests/system/tsig/setup.sh
 | ||||
| @ -1247,7 +1265,7 @@ index f42aa79..bfcf4a6 100644 | ||||
| +	cat ns1/rndc5.conf.in >> ns1/named.conf
 | ||||
| +fi
 | ||||
| diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh
 | ||||
| index ed41e1d..98c542e 100644
 | ||||
| index e0c2903..327fa50 100644
 | ||||
| --- a/bin/tests/system/tsig/tests.sh
 | ||||
| +++ b/bin/tests/system/tsig/tests.sh
 | ||||
| @@ -26,20 +26,25 @@ sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f
 | ||||
| @ -1375,5 +1393,5 @@ index 1cf8d3b..f4c3216 100644 | ||||
|  update add updated.example. 600 A 10.10.10.1 | ||||
|  update add updated.example. 600 TXT Foo | ||||
| -- 
 | ||||
| 2.26.2 | ||||
| 2.31.1 | ||||
| 
 | ||||
|  | ||||
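Review bot: The new `bin/tests/system/tsig/ns1/rndc5.conf.in` is named like an rndc configuration, yet the `setup.sh` hunk appends it to the server configuration with `cat ns1/rndc5.conf.in >> ns1/named.conf`, and its header comment does not say which script includes it or what decides. I would reword the first line to `# HMAC-MD5 TSIG test keys; tsig/setup.sh appends this file to ns1/named.conf only when MD5 is usable`, so a reader of the FIPS patch can see that these keys are meant to stay out of the configuration when MD5 is unavailable. The condition guarding the `cat` is not among the visible lines of the setup.sh hunk, so this wording assumes it matches the existing comment. Both keys reuse one hard-coded secret, which is fine for a fixture but worth marking as test-only in the same comment.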
| @ -1,38 +0,0 @@ | ||||
| From 4757898440d52b0adbf7ec7ee7f0f89b61aac0fb Mon Sep 17 00:00:00 2001 | ||||
| From: Mark Andrews <marka@isc.org> | ||||
| Date: Fri, 18 Dec 2020 13:31:07 +1100 | ||||
| Subject: [PATCH] Inactive incorrectly incremented | ||||
| 
 | ||||
| It is possible to have two threads destroying an rbtdb at the same | ||||
| time when detachnode() executes and removes the last reference to | ||||
| a node between exiting being set to true for the node and testing | ||||
| if the references are zero in maybe_free_rbtdb().  Move NODE_UNLOCK() | ||||
| to after checking if references is zero to prevent detachnode() | ||||
| changing the reference count too early. | ||||
| 
 | ||||
| (cherry picked from commit 859d2fdad6d1c6ff20083a4c463a929cbeb26438) | ||||
| (cherry picked from commit 25150c15e7cfa73289f04470e2e699ebb7c28fef) | ||||
| ---
 | ||||
|  lib/dns/rbtdb.c | 2 +- | ||||
|  1 file changed, 1 insertion(+), 1 deletion(-) | ||||
| 
 | ||||
| diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
 | ||||
| index 8ea4d47..77ef7a4 100644
 | ||||
| --- a/lib/dns/rbtdb.c
 | ||||
| +++ b/lib/dns/rbtdb.c
 | ||||
| @@ -1460,11 +1460,11 @@ maybe_free_rbtdb(dns_rbtdb_t *rbtdb) {
 | ||||
|  	for (i = 0; i < rbtdb->node_lock_count; i++) { | ||||
|  		NODE_LOCK(&rbtdb->node_locks[i].lock, isc_rwlocktype_write); | ||||
|  		rbtdb->node_locks[i].exiting = true; | ||||
| -		NODE_UNLOCK(&rbtdb->node_locks[i].lock, isc_rwlocktype_write);
 | ||||
|  		if (isc_refcount_current(&rbtdb->node_locks[i].references) | ||||
|  		    == 0) { | ||||
|  			inactive++; | ||||
|  		} | ||||
| +		NODE_UNLOCK(&rbtdb->node_locks[i].lock, isc_rwlocktype_write);
 | ||||
|  	} | ||||
|   | ||||
|  	if (inactive != 0) { | ||||
| -- 
 | ||||
| 2.26.3 | ||||
| 
 | ||||
| @ -1,4 +1,4 @@ | ||||
| From 63d1fe9e1ac0db37f89cf31b40c35d6d22578ded Mon Sep 17 00:00:00 2001 | ||||
| From 346683631ae0f83ad4f09a69cfa5e5c6ea49e5d9 Mon Sep 17 00:00:00 2001 | ||||
| From: Evan Hunt <each@isc.org> | ||||
| Date: Tue, 12 Sep 2017 19:05:46 -0700 | ||||
| Subject: [PATCH] rebased rt31459c | ||||
| @ -199,10 +199,10 @@ index f017895..2c568fc 100644 | ||||
|  	if (verbose > 10) | ||||
|  		isc_mem_stats(mctx, stdout); | ||||
| diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
 | ||||
| index dde1b2f..7308fc6 100644
 | ||||
| index a097ac8..6567421 100644
 | ||||
| --- a/bin/dnssec/dnssec-signzone.c
 | ||||
| +++ b/bin/dnssec/dnssec-signzone.c
 | ||||
| @@ -3465,14 +3465,15 @@ main(int argc, char *argv[]) {
 | ||||
| @@ -3472,14 +3472,15 @@ main(int argc, char *argv[]) {
 | ||||
|  	if (!pseudorandom) | ||||
|  		eflags |= ISC_ENTROPY_GOODONLY; | ||||
|   | ||||
| @ -222,7 +222,7 @@ index dde1b2f..7308fc6 100644 | ||||
|  	isc_stdtime_get(&now); | ||||
|   | ||||
|  	if (startstr != NULL) { | ||||
| @@ -3884,8 +3885,8 @@ main(int argc, char *argv[]) {
 | ||||
| @@ -3896,8 +3897,8 @@ main(int argc, char *argv[]) {
 | ||||
|  	dns_master_styledestroy(&dsstyle, mctx); | ||||
|   | ||||
|  	cleanup_logging(&log); | ||||
| @ -293,7 +293,7 @@ index 7f045e8..2a0f9c6 100644 | ||||
|  					   usekeyboard); | ||||
|   | ||||
| diff --git a/bin/named/server.c b/bin/named/server.c
 | ||||
| index 30d38be..b2ae57c 100644
 | ||||
| index 9826588..b3e3fc3 100644
 | ||||
| --- a/bin/named/server.c
 | ||||
| +++ b/bin/named/server.c
 | ||||
| @@ -36,6 +36,7 @@
 | ||||
| @ -304,7 +304,7 @@ index 30d38be..b2ae57c 100644 | ||||
|  #include <isc/portset.h> | ||||
|  #include <isc/print.h> | ||||
|  #include <isc/random.h> | ||||
| @@ -8286,6 +8287,10 @@ load_configuration(const char *filename, ns_server_t *server,
 | ||||
| @@ -8291,6 +8292,10 @@ load_configuration(const char *filename, ns_server_t *server,
 | ||||
|  				      "no source of entropy found"); | ||||
|  		} else { | ||||
|  			const char *randomdev = cfg_obj_asstring(obj); | ||||
| @ -315,7 +315,7 @@ index 30d38be..b2ae57c 100644 | ||||
|  			int level = ISC_LOG_ERROR; | ||||
|  			result = isc_entropy_createfilesource(ns_g_entropy, | ||||
|  							      randomdev); | ||||
| @@ -8320,6 +8325,7 @@ load_configuration(const char *filename, ns_server_t *server,
 | ||||
| @@ -8325,6 +8330,7 @@ load_configuration(const char *filename, ns_server_t *server,
 | ||||
|  				} | ||||
|  				isc_entropy_detach(&ns_g_fallbackentropy); | ||||
|  			} | ||||
| @ -324,10 +324,10 @@ index 30d38be..b2ae57c 100644 | ||||
|  		} | ||||
|   | ||||
| diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
 | ||||
| index 5a2c660..7f15cbc 100644
 | ||||
| index 52b0274..23b69c9 100644
 | ||||
| --- a/bin/nsupdate/nsupdate.c
 | ||||
| +++ b/bin/nsupdate/nsupdate.c
 | ||||
| @@ -278,7 +278,8 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
 | ||||
| @@ -279,7 +279,8 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
 | ||||
|  	if (*ectx == NULL) { | ||||
|  		result = isc_entropy_create(mctx, ectx); | ||||
|  		if (result != ISC_R_SUCCESS) | ||||
| @ -337,7 +337,7 @@ index 5a2c660..7f15cbc 100644 | ||||
|  		ISC_LIST_INIT(sources); | ||||
|  	} | ||||
|   | ||||
| @@ -287,6 +288,13 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
 | ||||
| @@ -288,6 +289,13 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
 | ||||
|  		randomfile = NULL; | ||||
|  	} | ||||
|   | ||||
| @ -351,7 +351,7 @@ index 5a2c660..7f15cbc 100644 | ||||
|  	result = isc_entropy_usebestsource(*ectx, &source, randomfile, | ||||
|  					   usekeyboard); | ||||
|   | ||||
| @@ -989,11 +997,11 @@ setup_system(void) {
 | ||||
| @@ -990,11 +998,11 @@ setup_system(void) {
 | ||||
|  		} | ||||
|  	} | ||||
|   | ||||
| @ -561,10 +561,10 @@ index 34360aa..3236968 100644 | ||||
|   | ||||
|  	isc_mem_destroy(&mctx); | ||||
| diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c
 | ||||
| index 4b5b901..43fb6b0 100644
 | ||||
| index a3dd450..350723f 100644
 | ||||
| --- a/bin/tests/system/tkey/keydelete.c
 | ||||
| +++ b/bin/tests/system/tkey/keydelete.c
 | ||||
| @@ -136,6 +136,7 @@ sendquery(isc_task_t *task, isc_event_t *event) {
 | ||||
| @@ -137,6 +137,7 @@ sendquery(isc_task_t *task, isc_event_t *event) {
 | ||||
|  int | ||||
|  main(int argc, char **argv) { | ||||
|  	char *keyname; | ||||
| @ -572,7 +572,7 @@ index 4b5b901..43fb6b0 100644 | ||||
|  	isc_taskmgr_t *taskmgr; | ||||
|  	isc_timermgr_t *timermgr; | ||||
|  	isc_socketmgr_t *socketmgr; | ||||
| @@ -156,10 +157,21 @@ main(int argc, char **argv) {
 | ||||
| @@ -157,10 +158,21 @@ main(int argc, char **argv) {
 | ||||
|   | ||||
|  	RUNCHECK(isc_app_start()); | ||||
|   | ||||
| @ -594,7 +594,7 @@ index 4b5b901..43fb6b0 100644 | ||||
|  	keyname = argv[1]; | ||||
|   | ||||
|  	dns_result_register(); | ||||
| @@ -169,14 +181,22 @@ main(int argc, char **argv) {
 | ||||
| @@ -170,14 +182,22 @@ main(int argc, char **argv) {
 | ||||
|   | ||||
|  	ectx = NULL; | ||||
|  	RUNCHECK(isc_entropy_create(mctx, &ectx)); | ||||
| @ -619,7 +619,7 @@ index 4b5b901..43fb6b0 100644 | ||||
|   | ||||
|  	taskmgr = NULL; | ||||
|  	RUNCHECK(isc_taskmgr_create(mctx, 1, 0, &taskmgr)); | ||||
| @@ -264,8 +284,8 @@ main(int argc, char **argv) {
 | ||||
| @@ -265,8 +285,8 @@ main(int argc, char **argv) {
 | ||||
|   | ||||
|  	isc_log_destroy(&log); | ||||
|   | ||||
| @ -688,7 +688,7 @@ index 26fa609..fb34aa0 100644 | ||||
|  	parse_args(false, argc, argv); | ||||
|  	if (server == NULL) | ||||
| diff --git a/configure b/configure
 | ||||
| index 0faca65..d5ffc87 100755
 | ||||
| index 368112f..e060e9d 100755
 | ||||
| --- a/configure
 | ||||
| +++ b/configure
 | ||||
| @@ -640,6 +640,7 @@ ac_includes_default="\
 | ||||
| @ -699,7 +699,7 @@ index 0faca65..d5ffc87 100755 | ||||
|  BUILD_LIBS | ||||
|  BUILD_LDFLAGS | ||||
|  BUILD_CPPFLAGS | ||||
| @@ -823,6 +824,7 @@ LIBXML2_CFLAGS
 | ||||
| @@ -822,6 +823,7 @@ LIBXML2_CFLAGS
 | ||||
|  NZDTARGETS | ||||
|  NZDSRCS | ||||
|  NZD_TOOLS | ||||
| @ -707,7 +707,7 @@ index 0faca65..d5ffc87 100755 | ||||
|  PKCS11_TEST | ||||
|  PKCS11_ED25519 | ||||
|  PKCS11_GOST | ||||
| @@ -1047,6 +1049,7 @@ with_eddsa
 | ||||
| @@ -1046,6 +1048,7 @@ with_eddsa
 | ||||
|  with_aes | ||||
|  enable_openssl_hash | ||||
|  with_cc_alg | ||||
| @ -715,7 +715,7 @@ index 0faca65..d5ffc87 100755 | ||||
|  with_lmdb | ||||
|  with_libxml2 | ||||
|  with_libjson | ||||
| @@ -1749,6 +1752,7 @@ Optional Features:
 | ||||
| @@ -1747,6 +1750,7 @@ Optional Features:
 | ||||
|    --enable-threads        enable multithreading | ||||
|    --enable-native-pkcs11  use native PKCS11 for all crypto [default=no] | ||||
|    --enable-openssl-hash   use OpenSSL for hash functions [default=no] | ||||
| @ -723,7 +723,7 @@ index 0faca65..d5ffc87 100755 | ||||
|    --enable-largefile      64-bit file support | ||||
|    --enable-backtrace      log stack backtrace on abort [default=yes] | ||||
|    --enable-symtable       use internal symbol table for backtrace | ||||
| @@ -17205,6 +17209,7 @@ case "$use_openssl" in
 | ||||
| @@ -17204,6 +17208,7 @@ case "$use_openssl" in
 | ||||
|  $as_echo "disabled because of native PKCS11" >&6; } | ||||
|  		DST_OPENSSL_INC="" | ||||
|  		CRYPTO="-DPKCS11CRYPTO" | ||||
| @ -731,7 +731,7 @@ index 0faca65..d5ffc87 100755 | ||||
|  		OPENSSLECDSALINKOBJS="" | ||||
|  		OPENSSLECDSALINKSRCS="" | ||||
|  		OPENSSLEDDSALINKOBJS="" | ||||
| @@ -17219,6 +17224,7 @@ $as_echo "disabled because of native PKCS11" >&6; }
 | ||||
| @@ -17218,6 +17223,7 @@ $as_echo "disabled because of native PKCS11" >&6; }
 | ||||
|  $as_echo "no" >&6; } | ||||
|  		DST_OPENSSL_INC="" | ||||
|  		CRYPTO="" | ||||
| @ -739,7 +739,7 @@ index 0faca65..d5ffc87 100755 | ||||
|  		OPENSSLECDSALINKOBJS="" | ||||
|  		OPENSSLECDSALINKSRCS="" | ||||
|  		OPENSSLEDDSALINKOBJS="" | ||||
| @@ -17231,6 +17237,7 @@ $as_echo "no" >&6; }
 | ||||
| @@ -17230,6 +17236,7 @@ $as_echo "no" >&6; }
 | ||||
|  	auto) | ||||
|  		DST_OPENSSL_INC="" | ||||
|  		CRYPTO="" | ||||
| @ -747,7 +747,7 @@ index 0faca65..d5ffc87 100755 | ||||
|  		OPENSSLECDSALINKOBJS="" | ||||
|  		OPENSSLECDSALINKSRCS="" | ||||
|  		OPENSSLEDDSALINKOBJS="" | ||||
| @@ -17240,7 +17247,7 @@ $as_echo "no" >&6; }
 | ||||
| @@ -17239,7 +17246,7 @@ $as_echo "no" >&6; }
 | ||||
|  		OPENSSLLINKOBJS="" | ||||
|  		OPENSSLLINKSRCS="" | ||||
|  		as_fn_error $? "OpenSSL was not found in any of $openssldirs; use --with-openssl=/path | ||||
| @ -756,7 +756,7 @@ index 0faca65..d5ffc87 100755 | ||||
|  		;; | ||||
|  	*) | ||||
|  		if test "yes" = "$want_native_pkcs11" | ||||
| @@ -17271,6 +17278,7 @@ $as_echo "not found" >&6; }
 | ||||
| @@ -17270,6 +17277,7 @@ $as_echo "not found" >&6; }
 | ||||
|  			as_fn_error $? "\"$use_openssl/include/openssl/opensslv.h\" not found" "$LINENO" 5 | ||||
|  		fi | ||||
|  		CRYPTO='-DOPENSSL' | ||||
| @ -764,7 +764,7 @@ index 0faca65..d5ffc87 100755 | ||||
|  		if test "/usr" = "$use_openssl" | ||||
|  		then | ||||
|  			DST_OPENSSL_INC="" | ||||
| @@ -17897,8 +17905,6 @@ fi
 | ||||
| @@ -17904,8 +17912,6 @@ fi
 | ||||
|  # Use OpenSSL for hash functions | ||||
|  # | ||||
|   | ||||
| @ -773,7 +773,7 @@ index 0faca65..d5ffc87 100755 | ||||
|  ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH" | ||||
|  case $want_openssl_hash in | ||||
|  	yes) | ||||
| @@ -18273,6 +18279,86 @@ if test "rt" = "$have_clock_gt"; then
 | ||||
| @@ -18280,6 +18286,86 @@ if test "rt" = "$have_clock_gt"; then
 | ||||
|  	LIBS="-lrt $LIBS" | ||||
|  fi | ||||
|   | ||||
| @ -860,7 +860,7 @@ index 0faca65..d5ffc87 100755 | ||||
|  # | ||||
|  # was --with-lmdb specified? | ||||
|  # | ||||
| @@ -20549,9 +20635,12 @@ _ACEOF
 | ||||
| @@ -20556,9 +20642,12 @@ _ACEOF
 | ||||
|  if ac_fn_c_try_compile "$LINENO"; then : | ||||
|    { $as_echo "$as_me:${as_lineno-$LINENO}: result: size_t for buflen; int for flags" >&5 | ||||
|  $as_echo "size_t for buflen; int for flags" >&6; } | ||||
| @ -875,7 +875,7 @@ index 0faca65..d5ffc87 100755 | ||||
|   | ||||
|  	 $as_echo "#define IRS_GETNAMEINFO_FLAGS_T int" >>confdefs.h | ||||
|   | ||||
| @@ -21877,12 +21966,7 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM"
 | ||||
| @@ -21856,12 +21945,7 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM"
 | ||||
|  ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM" | ||||
|  ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM" | ||||
|  if test "yes" = "$use_atomic"; then | ||||
| @ -889,7 +889,7 @@ index 0faca65..d5ffc87 100755 | ||||
|  # version HP92453-01 B.11.11.23709.GP, which incorrectly rejects | ||||
|  # declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. | ||||
|  # This bug is HP SR number 8606223364. | ||||
| @@ -21915,6 +21999,11 @@ cat >>confdefs.h <<_ACEOF
 | ||||
| @@ -21894,6 +21978,11 @@ cat >>confdefs.h <<_ACEOF
 | ||||
|  _ACEOF | ||||
|   | ||||
|   | ||||
| @ -901,7 +901,7 @@ index 0faca65..d5ffc87 100755 | ||||
|  		if test $ac_cv_sizeof_void_p = 8; then | ||||
|  			arch=x86_64 | ||||
|  			have_xaddq=yes | ||||
| @@ -21923,39 +22012,6 @@ _ACEOF
 | ||||
| @@ -21902,39 +21991,6 @@ _ACEOF
 | ||||
|  		fi | ||||
|  	;; | ||||
|  	x86_64-*|amd64-*) | ||||
| @ -941,7 +941,7 @@ index 0faca65..d5ffc87 100755 | ||||
|  		if test $ac_cv_sizeof_void_p = 8; then | ||||
|  			arch=x86_64 | ||||
|  			have_xaddq=yes | ||||
| @@ -21986,6 +22042,10 @@ $as_echo_n "checking architecture type for atomic operations... " >&6; }
 | ||||
| @@ -21965,6 +22021,10 @@ $as_echo_n "checking architecture type for atomic operations... " >&6; }
 | ||||
|  $as_echo "$arch" >&6; } | ||||
|  fi | ||||
|   | ||||
| @ -952,7 +952,7 @@ index 0faca65..d5ffc87 100755 | ||||
|  if test "yes" = "$have_atomic"; then | ||||
|  	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking compiler support for inline assembly code" >&5 | ||||
|  $as_echo_n "checking compiler support for inline assembly code... " >&6; } | ||||
| @@ -24567,6 +24627,30 @@ CFLAGS="$CFLAGS $SO_CFLAGS"
 | ||||
| @@ -24547,6 +24607,30 @@ CFLAGS="$CFLAGS $SO_CFLAGS"
 | ||||
|  # | ||||
|  dlzdir='${DLZ_DRIVER_DIR}' | ||||
|   | ||||
| @ -983,7 +983,7 @@ index 0faca65..d5ffc87 100755 | ||||
|  # | ||||
|  # Private autoconf macro to simplify configuring drivers: | ||||
|  # | ||||
| @@ -24897,11 +24981,11 @@ $as_echo "no" >&6; }
 | ||||
| @@ -24877,11 +24961,11 @@ $as_echo "no" >&6; }
 | ||||
|  $as_echo "using mysql with libs ${mysql_lib} and includes ${mysql_include}" >&6; } | ||||
|  		;; | ||||
|  	*) | ||||
| @ -998,7 +998,7 @@ index 0faca65..d5ffc87 100755 | ||||
|  		fi | ||||
|   | ||||
|  	CONTRIB_DLZ="$CONTRIB_DLZ -DDLZ_MYSQL" | ||||
| @@ -24986,7 +25070,7 @@ $as_echo "" >&6; }
 | ||||
| @@ -24966,7 +25050,7 @@ $as_echo "" >&6; }
 | ||||
|  			# Check other locations for includes. | ||||
|  			# Order is important (sigh). | ||||
|   | ||||
| @ -1007,7 +1007,7 @@ index 0faca65..d5ffc87 100755 | ||||
|  			# include a blank element first | ||||
|  			for d in "" $bdb_incdirs | ||||
|  			do | ||||
| @@ -25011,57 +25095,9 @@ $as_echo "" >&6; }
 | ||||
| @@ -24991,57 +25075,9 @@ $as_echo "" >&6; }
 | ||||
|  			bdb_libnames="db53 db-5.3 db51 db-5.1 db48 db-4.8 db47 db-4.7 db46 db-4.6 db45 db-4.5 db44 db-4.4 db43 db-4.3 db42 db-4.2 db41 db-4.1 db" | ||||
|  			for d in $bdb_libnames | ||||
|  			do | ||||
| @ -1067,7 +1067,7 @@ index 0faca65..d5ffc87 100755 | ||||
|  					break | ||||
|  				fi | ||||
|  			done | ||||
| @@ -25220,10 +25256,10 @@ $as_echo "no" >&6; }
 | ||||
| @@ -25200,10 +25236,10 @@ $as_echo "no" >&6; }
 | ||||
|  		DLZ_DRIVER_INCLUDES="$DLZ_DRIVER_INCLUDES -I$use_dlz_ldap/include" | ||||
|  		DLZ_DRIVER_LDAP_INCLUDES="-I$use_dlz_ldap/include" | ||||
|  	fi | ||||
| @ -1081,7 +1081,7 @@ index 0faca65..d5ffc87 100755 | ||||
|  	fi | ||||
|   | ||||
|   | ||||
| @@ -25309,11 +25345,11 @@ fi
 | ||||
| @@ -25289,11 +25325,11 @@ fi
 | ||||
|  		odbcdirs="/usr /usr/local /usr/pkg" | ||||
|  		for d in $odbcdirs | ||||
|  		do | ||||
| @ -1095,7 +1095,7 @@ index 0faca65..d5ffc87 100755 | ||||
|  				break | ||||
|  			fi | ||||
|  		done | ||||
| @@ -25588,6 +25624,8 @@ DNS_CRYPTO_LIBS="$NEWFLAGS"
 | ||||
| @@ -25568,6 +25604,8 @@ DNS_CRYPTO_LIBS="$NEWFLAGS"
 | ||||
|   | ||||
|   | ||||
|   | ||||
| @ -1104,7 +1104,7 @@ index 0faca65..d5ffc87 100755 | ||||
|  # | ||||
|  # Commands to run at the end of config.status. | ||||
|  # Don't just put these into configure, it won't work right if somebody | ||||
| @@ -27966,6 +28004,8 @@ report() {
 | ||||
| @@ -27946,6 +27984,8 @@ report() {
 | ||||
|  	    echo "    IPv6 support (--enable-ipv6)" | ||||
|  	test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \ | ||||
|  		echo "    OpenSSL cryptography/DNSSEC (--with-openssl)" | ||||
| @ -1113,7 +1113,7 @@ index 0faca65..d5ffc87 100755 | ||||
|  	test "X$PYTHON" = "X" || echo "    Python tools (--with-python)" | ||||
|  	test "X$XMLSTATS" = "X" || echo "    XML statistics (--with-libxml2)" | ||||
|  	test "X$JSONSTATS" = "X" || echo "    JSON statistics (--with-libjson)" | ||||
| @@ -28006,6 +28046,8 @@ report() {
 | ||||
| @@ -27986,6 +28026,8 @@ report() {
 | ||||
|  	echo "    Very verbose query trace logging (--enable-querytrace)" | ||||
|      test "no" = "$with_cmocka" || echo "    CMocka Unit Testing Framework (--with-cmocka)" | ||||
|   | ||||
| @ -1122,7 +1122,7 @@ index 0faca65..d5ffc87 100755 | ||||
|      echo "    Dynamically loadable zone (DLZ) drivers:" | ||||
|      test "no" = "$use_dlz_bdb" || \ | ||||
|  	echo "        Berkeley DB (--with-dlz-bdb)" | ||||
| @@ -28053,6 +28095,8 @@ report() {
 | ||||
| @@ -28033,6 +28075,8 @@ report() {
 | ||||
|  	echo "    ECDSA algorithm support (--with-ecdsa)" | ||||
|      test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \ | ||||
|  	echo "    EDDSA algorithm support (--with-eddsa)" | ||||
| @ -1132,10 +1132,10 @@ index 0faca65..d5ffc87 100755 | ||||
|      test "yes" = "$enable_seccomp" || \ | ||||
|  	echo "    Use libseccomp system call filtering (--enable-seccomp)" | ||||
| diff --git a/configure.ac b/configure.ac
 | ||||
| index 78535bd..faef2e8 100644
 | ||||
| index 11f41e8..fdcfc62 100644
 | ||||
| --- a/configure.ac
 | ||||
| +++ b/configure.ac
 | ||||
| @@ -1598,6 +1598,7 @@ case "$use_openssl" in
 | ||||
| @@ -1600,6 +1600,7 @@ case "$use_openssl" in
 | ||||
|  		AC_MSG_RESULT(disabled because of native PKCS11) | ||||
|  		DST_OPENSSL_INC="" | ||||
|  		CRYPTO="-DPKCS11CRYPTO" | ||||
| @ -1143,7 +1143,7 @@ index 78535bd..faef2e8 100644 | ||||
|  		OPENSSLECDSALINKOBJS="" | ||||
|  		OPENSSLECDSALINKSRCS="" | ||||
|  		OPENSSLEDDSALINKOBJS="" | ||||
| @@ -1611,6 +1612,7 @@ case "$use_openssl" in
 | ||||
| @@ -1613,6 +1614,7 @@ case "$use_openssl" in
 | ||||
|  		AC_MSG_RESULT(no) | ||||
|  		DST_OPENSSL_INC="" | ||||
|  		CRYPTO="" | ||||
| @ -1151,7 +1151,7 @@ index 78535bd..faef2e8 100644 | ||||
|  		OPENSSLECDSALINKOBJS="" | ||||
|  		OPENSSLECDSALINKSRCS="" | ||||
|  		OPENSSLEDDSALINKOBJS="" | ||||
| @@ -1623,6 +1625,7 @@ case "$use_openssl" in
 | ||||
| @@ -1625,6 +1627,7 @@ case "$use_openssl" in
 | ||||
|  	auto) | ||||
|  		DST_OPENSSL_INC="" | ||||
|  		CRYPTO="" | ||||
| @ -1159,7 +1159,7 @@ index 78535bd..faef2e8 100644 | ||||
|  		OPENSSLECDSALINKOBJS="" | ||||
|  		OPENSSLECDSALINKSRCS="" | ||||
|  		OPENSSLEDDSALINKOBJS="" | ||||
| @@ -1633,7 +1636,7 @@ case "$use_openssl" in
 | ||||
| @@ -1635,7 +1638,7 @@ case "$use_openssl" in
 | ||||
|  		OPENSSLLINKSRCS="" | ||||
|  		AC_MSG_ERROR( | ||||
|  [OpenSSL was not found in any of $openssldirs; use --with-openssl=/path | ||||
| @ -1168,7 +1168,7 @@ index 78535bd..faef2e8 100644 | ||||
|  		;; | ||||
|  	*) | ||||
|  		if test "yes" = "$want_native_pkcs11" | ||||
| @@ -1663,6 +1666,7 @@ If you don't want OpenSSL, use --without-openssl])
 | ||||
| @@ -1665,6 +1668,7 @@ If you don't want OpenSSL, use --without-openssl])
 | ||||
|  			AC_MSG_ERROR(["$use_openssl/include/openssl/opensslv.h" not found]) | ||||
|  		fi | ||||
|  		CRYPTO='-DOPENSSL' | ||||
| @ -1176,7 +1176,7 @@ index 78535bd..faef2e8 100644 | ||||
|  		if test "/usr" = "$use_openssl" | ||||
|  		then | ||||
|  			DST_OPENSSL_INC="" | ||||
| @@ -2099,7 +2103,6 @@ fi
 | ||||
| @@ -2109,7 +2113,6 @@ fi
 | ||||
|  # Use OpenSSL for hash functions | ||||
|  # | ||||
|   | ||||
| @ -1184,7 +1184,7 @@ index 78535bd..faef2e8 100644 | ||||
|  ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH" | ||||
|  case $want_openssl_hash in | ||||
|  	yes) | ||||
| @@ -2371,6 +2374,67 @@ if test "rt" = "$have_clock_gt"; then
 | ||||
| @@ -2381,6 +2384,67 @@ if test "rt" = "$have_clock_gt"; then
 | ||||
|  	LIBS="-lrt $LIBS" | ||||
|  fi | ||||
|   | ||||
| @ -1252,7 +1252,7 @@ index 78535bd..faef2e8 100644 | ||||
|  # | ||||
|  # was --with-lmdb specified? | ||||
|  # | ||||
| @@ -4188,12 +4252,12 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM"
 | ||||
| @@ -4174,12 +4238,12 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM"
 | ||||
|  ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM" | ||||
|  ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM" | ||||
|  if test "yes" = "$use_atomic"; then | ||||
| @ -1266,7 +1266,7 @@ index 78535bd..faef2e8 100644 | ||||
|  		if test $ac_cv_sizeof_void_p = 8; then | ||||
|  			arch=x86_64 | ||||
|  			have_xaddq=yes | ||||
| @@ -4202,7 +4266,6 @@ if test "yes" = "$use_atomic"; then
 | ||||
| @@ -4188,7 +4252,6 @@ if test "yes" = "$use_atomic"; then
 | ||||
|  		fi | ||||
|  	;; | ||||
|  	x86_64-*|amd64-*) | ||||
| @ -1274,7 +1274,7 @@ index 78535bd..faef2e8 100644 | ||||
|  		if test $ac_cv_sizeof_void_p = 8; then | ||||
|  			arch=x86_64 | ||||
|  			have_xaddq=yes | ||||
| @@ -5635,6 +5698,8 @@ report() {
 | ||||
| @@ -5622,6 +5685,8 @@ report() {
 | ||||
|  	    echo "    IPv6 support (--enable-ipv6)" | ||||
|  	test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \ | ||||
|  		echo "    OpenSSL cryptography/DNSSEC (--with-openssl)" | ||||
| @ -1283,7 +1283,7 @@ index 78535bd..faef2e8 100644 | ||||
|  	test "X$PYTHON" = "X" || echo "    Python tools (--with-python)" | ||||
|  	test "X$XMLSTATS" = "X" || echo "    XML statistics (--with-libxml2)" | ||||
|  	test "X$JSONSTATS" = "X" || echo "    JSON statistics (--with-libjson)" | ||||
| @@ -5675,6 +5740,8 @@ report() {
 | ||||
| @@ -5662,6 +5727,8 @@ report() {
 | ||||
|  	echo "    Very verbose query trace logging (--enable-querytrace)" | ||||
|      test "no" = "$with_cmocka" || echo "    CMocka Unit Testing Framework (--with-cmocka)" | ||||
|   | ||||
| @ -1292,7 +1292,7 @@ index 78535bd..faef2e8 100644 | ||||
|      echo "    Dynamically loadable zone (DLZ) drivers:" | ||||
|      test "no" = "$use_dlz_bdb" || \ | ||||
|  	echo "        Berkeley DB (--with-dlz-bdb)" | ||||
| @@ -5722,6 +5789,8 @@ report() {
 | ||||
| @@ -5709,6 +5776,8 @@ report() {
 | ||||
|  	echo "    ECDSA algorithm support (--with-ecdsa)" | ||||
|      test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \ | ||||
|  	echo "    EDDSA algorithm support (--with-eddsa)" | ||||
| @ -2015,7 +2015,7 @@ index 1f785e0..f9051c3 100644 | ||||
|   * Define if the hash functions must be provided by OpenSSL. | ||||
|   */ | ||||
| diff --git a/win32utils/Configure b/win32utils/Configure
 | ||||
| index 5f66a82..ff39910 100644
 | ||||
| index 7ac30fb..55b6c23 100644
 | ||||
| --- a/win32utils/Configure
 | ||||
| +++ b/win32utils/Configure
 | ||||
| @@ -382,6 +382,7 @@ my @substdefh = ("ALLOW_FILTER_AAAA",
 | ||||
| @ -2026,7 +2026,7 @@ index 5f66a82..ff39910 100644 | ||||
|                   "ISC_PLATFORM_HAVEATOMICSTORE", | ||||
|                   "ISC_PLATFORM_HAVEATOMICSTOREQ", | ||||
|                   "ISC_PLATFORM_HAVECMPXCHG", | ||||
| @@ -517,7 +518,8 @@ my @allcond = (@substcond, "NOTYET", "NOLONGER");
 | ||||
| @@ -516,7 +517,8 @@ my @allcond = (@substcond, "NOTYET", "NOLONGER");
 | ||||
|   | ||||
|  # enable-xxx/disable-xxx | ||||
|   | ||||
| @ -2035,16 +2035,16 @@ index 5f66a82..ff39910 100644 | ||||
| +                  "developer",
 | ||||
|                    "fixed-rrset", | ||||
|                    "intrinsics", | ||||
|                    "isc-spnego", | ||||
| @@ -580,6 +582,7 @@ my @help = (
 | ||||
|                    "native-pkcs11", | ||||
| @@ -578,6 +580,7 @@ my @help = (
 | ||||
|  "\nOptional Features:\n", | ||||
|  "  enable-intrinsics     enable intrinsic/atomic functions [default=yes]\n", | ||||
|  "  enable-native-pkcs11  use native PKCS#11 for all crypto [default=no]\n", | ||||
| +"  enable-crypto-rand    use crypto provider for random [default=yes]\n",
 | ||||
|  "  enable-openssl-hash   use OpenSSL for hash functions [default=yes]\n", | ||||
|  "  enable-isc-spnego     use SPNEGO from lib/dns [default=yes]\n", | ||||
|  "  enable-filter-aaaa    enable filtering of AAAA records [default=yes]\n", | ||||
| @@ -628,7 +631,9 @@ my $want_clean = "no";
 | ||||
|  "  enable-fixed-rrset    enable fixed rrset ordering [default=no]\n", | ||||
| @@ -625,7 +628,9 @@ my $want_clean = "no";
 | ||||
|  my $want_unknown = "no"; | ||||
|  my $unknown_value; | ||||
|  my $enable_intrinsics = "yes"; | ||||
| @ -2053,8 +2053,8 @@ index 5f66a82..ff39910 100644 | ||||
| +my $enable_crypto_rand = "yes";
 | ||||
|  my $enable_openssl_hash = "auto"; | ||||
|  my $enable_filter_aaaa = "yes"; | ||||
|  my $enable_isc_spnego = "yes"; | ||||
| @@ -848,6 +853,10 @@ sub myenable {
 | ||||
|  my $enable_fixed_rrset = "no"; | ||||
| @@ -844,6 +849,10 @@ sub myenable {
 | ||||
|          if ($val =~ /^yes$/i) { | ||||
|              $enable_native_pkcs11 = "yes"; | ||||
|          } | ||||
| @ -2065,7 +2065,7 @@ index 5f66a82..ff39910 100644 | ||||
|      } elsif ($key =~ /^openssl-hash$/i) { | ||||
|          if ($val =~ /^yes$/i) { | ||||
|              $enable_openssl_hash = "yes"; | ||||
| @@ -1154,6 +1163,11 @@ if ($verbose) {
 | ||||
| @@ -1146,6 +1155,11 @@ if ($verbose) {
 | ||||
|      } else { | ||||
|          print "native-pkcs11: disabled\n"; | ||||
|      } | ||||
| @ -2077,7 +2077,7 @@ index 5f66a82..ff39910 100644 | ||||
|      if ($enable_openssl_hash eq "yes") { | ||||
|          print "openssl-hash: enabled\n"; | ||||
|      } else { | ||||
| @@ -1511,6 +1525,7 @@ if ($enable_intrinsics eq "yes") {
 | ||||
| @@ -1498,6 +1512,7 @@ if ($enable_intrinsics eq "yes") {
 | ||||
|   | ||||
|  # enable-native-pkcs11 | ||||
|  if ($enable_native_pkcs11 eq "yes") { | ||||
| @ -2085,15 +2085,15 @@ index 5f66a82..ff39910 100644 | ||||
|      if ($use_openssl eq "auto") { | ||||
|          $use_openssl = "no"; | ||||
|      } | ||||
| @@ -1720,6 +1735,7 @@ if ($use_openssl eq "yes") {
 | ||||
| @@ -1707,6 +1722,7 @@ if ($use_openssl eq "yes") {
 | ||||
|          $openssl_dll = File::Spec->catdir($openssl_path, "@dirlist[0]"); | ||||
|      }    | ||||
|      } | ||||
|   | ||||
| +    $cryptolib = "openssl";
 | ||||
|      $configcond{"OPENSSL"} = 1; | ||||
|      $configdefd{"CRYPTO"} = "OPENSSL"; | ||||
|      $configvar{"OPENSSL_PATH"} = "$openssl_path"; | ||||
| @@ -2291,6 +2307,15 @@ if ($use_aes eq "yes") {
 | ||||
| @@ -2278,6 +2294,15 @@ if ($use_aes eq "yes") {
 | ||||
|  } | ||||
|   | ||||
|   | ||||
| @ -2109,7 +2109,7 @@ index 5f66a82..ff39910 100644 | ||||
|  # enable-openssl-hash | ||||
|  if ($enable_openssl_hash eq "yes") { | ||||
|      if ($use_openssl eq "no") { | ||||
| @@ -3673,6 +3698,7 @@ exit 0;
 | ||||
| @@ -3650,6 +3675,7 @@ exit 0;
 | ||||
|  #  --enable-developer partially supported | ||||
|  #  --enable-newstats (9.9/9.9sub only) | ||||
|  #  --enable-native-pkcs11 supported | ||||
| @ -2118,5 +2118,5 @@ index 5f66a82..ff39910 100644 | ||||
|  #  --enable-openssl-hash supported | ||||
|  #  --enable-threads included without a way to disable it | ||||
| -- 
 | ||||
| 2.26.2 | ||||
| 2.31.1 | ||||
| 
 | ||||
|  | ||||
| @ -18,6 +18,7 @@ | ||||
| /usr/lib/bind | ||||
| /usr/share/GeoIP | ||||
| /run/named | ||||
| /proc/sys/net/ipv4/ip_local_port_range | ||||
| # Warning: the order is important | ||||
| # If a directory containing $ROOTDIR is listed here, | ||||
| # it MUST be listed last. (/var/named contains /var/named/chroot) | ||||
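Review bot: The added `/proc/sys/net/ipv4/ip_local_port_range` entry is a single procfs file, unlike the directory entries around it, and nothing beside it says why it is exposed inside the chroot. A one-line comment above it, such as `# ephemeral port range needed inside the chroot (#1950714)`, would keep a later cleanup from dropping it or widening it to all of `/proc`. Whether the script that consumes this list mounts the entry read-only is not visible here and is worth confirming.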
|  | ||||
| @ -47,7 +47,7 @@ | ||||
| %endif | ||||
| %global        chroot_create_directories /dev /run/named %{_localstatedir}/{log,named,tmp} \\\ | ||||
|                                          %{_sysconfdir}/{crypto-policies/back-ends,pki/dnssec-keys,named} \\\ | ||||
|                                          %{_libdir}/bind %{_datadir}/GeoIP | ||||
|                                          %{_libdir}/bind %{_datadir}/GeoIP %{_datadir}/GeoIP /proc/sys/net/ipv4 | ||||
| 
 | ||||
| ## The order of libs is important. See lib/Makefile.in for details | ||||
| %define bind_export_libs isc dns isccfg irs | ||||
| @ -59,7 +59,7 @@ | ||||
| # | ||||
| 
 | ||||
| # lib*.so.X versions of selected libraries | ||||
| %global sover_dns 1112 | ||||
| %global sover_dns 1115 | ||||
| %global sover_isc 1107 | ||||
| %global sover_irs 161 | ||||
| %global sover_isccfg 163 | ||||
| @ -67,12 +67,12 @@ | ||||
| Summary:  The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server | ||||
| Name:     bind | ||||
| License:  MPLv2.0 | ||||
| Version:  9.11.26 | ||||
| Release:  6%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} | ||||
| Version:  9.11.36 | ||||
| Release:  2%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} | ||||
| Epoch:    32 | ||||
| Url:      https://www.isc.org/downloads/bind/ | ||||
| # | ||||
| Source:   https://ftp.isc.org/isc/bind9/%{BINDVERSION}/bind-%{BINDVERSION}.tar.gz | ||||
| Source:   https://downloads.isc.org/isc/bind9/%{BINDVERSION}/bind-%{BINDVERSION}.tar.gz | ||||
| Source1:  named.sysconfig | ||||
| Source3:  named.logrotate | ||||
| Source7:  bind-9.3.1rc1-sdb_tools-Makefile.in | ||||
| @ -154,12 +154,6 @@ Patch174:bind-9.11-fips-disable.patch | ||||
| Patch175:bind-9.11-json-c.patch | ||||
| Patch177:bind-9.11-serve-stale.patch | ||||
| Patch178:bind-9.11-dhcp-time-monotonic.patch | ||||
| Patch179:bind-9.11-CVE-2020-8625.patch | ||||
| Patch180:bind-9.11-CVE-2021-25215.patch | ||||
| # https://gitlab.isc.org/isc-projects/bind9/commit/dfadbc9d7b485b1af62d77ad6c309792bbaabfdf | ||||
| Patch181:bind-9.11-CVE-2021-25214.patch | ||||
| # https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/4533/diffs?commit_id=25150c15e7cfa73289f04470e2e699ebb7c28fef | ||||
| Patch182:bind-9.11-rh1935152.patch | ||||
| # https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5253 | ||||
| Patch183:bind-9.11-rh1980757.patch | ||||
| 
 | ||||
| @ -205,7 +199,7 @@ BuildRequires:  libdb-devel | ||||
| # make unit dependencies | ||||
| BuildRequires:  libcmocka-devel kyua | ||||
| %endif | ||||
| %if %{with PKCS11} | ||||
| %if %{with PKCS11} && (%{with UNITTEST} || %{with SYSTEMTEST}) | ||||
| BuildRequires:  softhsm | ||||
| %endif | ||||
| %if %{with SYSTEMTEST} | ||||
| @ -253,7 +247,6 @@ Requires: bind%{?_isa} = %{epoch}:%{version}-%{release} | ||||
| Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release} | ||||
| Requires: bind-libs-lite%{?_isa} = %{epoch}:%{version}-%{release} | ||||
| Requires: bind-pkcs11-libs%{?_isa} = %{epoch}:%{version}-%{release} | ||||
| Recommends: softhsm | ||||
| 
 | ||||
| %description pkcs11 | ||||
| This is a version of BIND server built with native PKCS#11 functionality. | ||||
| @ -556,10 +549,6 @@ are used for building ISC DHCP. | ||||
| %patch175 -p1 -b .json-c | ||||
| %patch177 -p1 -b .serve-stale | ||||
| %patch178 -p1 -b .time-monotonic | ||||
| %patch179 -p1 -b .CVE-2020-8625 | ||||
| %patch180 -p1 -b .CVE-2021-25215 | ||||
| %patch181 -p1 -b .CVE-2021-25214 | ||||
| %patch182 -p1 -b .rh1935152 | ||||
| %patch183 -p1 -b .rh1980757 | ||||
| 
 | ||||
| mkdir lib/dns/tests/testdata/dstrandom | ||||
| @ -576,13 +565,13 @@ find bin lib/lwres/man -name '*.docbook' -exec \ | ||||
|       -i '{}' ';' | ||||
| 
 | ||||
| %if %{with PKCS11} | ||||
| %patch150 -p1 -b .engine-pkcs11 | ||||
| cp -r bin/named{,-pkcs11} | ||||
| cp -r bin/dnssec{,-pkcs11} | ||||
| cp -r lib/isc{,-pkcs11} | ||||
| cp -r lib/dns{,-pkcs11} | ||||
| %patch136 -p1 -b .dist_pkcs11 | ||||
| %patch149 -p1 -b .kyua-pkcs11 | ||||
| %patch150 -p1 -b .engine-pkcs11 | ||||
| %endif | ||||
| 
 | ||||
| %if %{with SDB} | ||||
| @ -849,7 +838,7 @@ sed -e "/^\s*include(/ d" -e 's/^-- use //' \ | ||||
| %endif | ||||
| 
 | ||||
| %check | ||||
| %if %{with PKCS11} | ||||
| %if %{with PKCS11} && (%{with UNITTEST} || %{with SYSTEMTEST}) | ||||
|   # Tests require initialization of pkcs11 token | ||||
|   export SOFTHSM2_CONF="`pwd`/softhsm2.conf" | ||||
|   sh %{SOURCE48} "${SOFTHSM2_CONF}" "`pwd`/softhsm-tokens" | ||||
| @ -1459,6 +1448,7 @@ rm -rf ${RPM_BUILD_ROOT} | ||||
| %dir %{chroot_prefix}/%{_libdir} | ||||
| %dir %{chroot_prefix}/%{_libdir}/bind | ||||
| %dir %{chroot_prefix}/%{_datadir}/GeoIP | ||||
| %{chroot_prefix}/proc | ||||
| %defattr(0660,root,named,01770) | ||||
| %dir %{chroot_prefix}%{_localstatedir}/named | ||||
| %defattr(0660,named,named,0770) | ||||
| @ -1612,6 +1602,22 @@ rm -rf ${RPM_BUILD_ROOT} | ||||
| %endif | ||||
| 
 | ||||
| %changelog | ||||
| * Tue Dec 21 2021 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-2 | ||||
| - Rebuilt on a new side-tag (#2013993) | ||||
| 
 | ||||
| * Mon Nov 01 2021 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-1 | ||||
| - Update to 9.11.36 | ||||
| 
 | ||||
| * Mon Nov 01 2021 Petr Menšík <pemensik@redhat.com> - 32:9.11.26-9 | ||||
| - Correct tsig system test | ||||
| 
 | ||||
| * Wed Oct 13 2021 Petr Menšík <pemensik@redhat.com> - 32:9.11.26-8 | ||||
| - Propagate ephemeral port ranges to chroot (#1950714) | ||||
| 
 | ||||
| * Tue Aug 24 2021 Petr Menšík <pemensik@redhat.com> - 32:9.11.26-7 | ||||
| - Do not request softhsm from bind-pkcs11, it is only in modular build | ||||
|   (#1934035) | ||||
| 
 | ||||
| * Fri Jul 09 2021 Petr Menšík <pemensik@redhat.com> - 32:9.11.26-6 | ||||
| - Use random entropy to generate unique TKEY identifiers (#1980916) | ||||
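Review bot: Patch179 through Patch182, three of them named for CVE-2020-8625, CVE-2021-25215 and CVE-2021-25214, are removed together with their `%patch` lines, but the matching changelog entry says only `- Update to 9.11.36`, so the spec no longer records where those fixes come from. If they are dropped because the 9.11.36 tarball already contains them, which is the usual reason on a rebase but is not shown on this page, the entry should say so, for example `- Update to 9.11.36, drop CVE-2020-8625, CVE-2021-25214 and CVE-2021-25215 patches merged upstream`. That keeps the fix trail readable for anyone auditing the package by CVE id. Separately, the new `chroot_create_directories` continuation line lists `%{_datadir}/GeoIP` twice; `%{_libdir}/bind %{_datadir}/GeoIP /proc/sys/net/ipv4` is enough.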
| 
 | ||||
|  | ||||