diff --git a/bind-9.11-fips-tests.patch b/bind-9.11-fips-tests.patch
index 29dda07..18e0433 100644
--- a/bind-9.11-fips-tests.patch
+++ b/bind-9.11-fips-tests.patch
@@ -1,4 +1,4 @@
-From c23daf334d5487fa53fef88c82312e439a2d8523 Mon Sep 17 00:00:00 2001
+From f37b26cb7c8f7351d22dfea79df33edb74d42e23 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
 Date: Thu, 2 Aug 2018 23:46:45 +0200
 Subject: [PATCH] FIPS tests changes
@@ -76,35 +76,22 @@ Date: Wed Mar 7 10:44:23 2018 +0100 bin/tests/system/catz/ns2/named.conf.in | 2 +- bin/tests/system/checkconf/bad-tsig.conf | 2 +- bin/tests/system/checkconf/good.conf | 2 +- - bin/tests/system/digdelv/ns2/example.db | 15 +++-- - bin/tests/system/digdelv/tests.sh | 20 +++--- - bin/tests/system/dlv/ns1/sign.sh | 4 +- - bin/tests/system/dlv/ns2/sign.sh | 4 +- - bin/tests/system/dlv/ns6/sign.sh | 66 +++++++++--------- - bin/tests/system/dnssec/ns2/sign.sh | 8 +-- - bin/tests/system/dnssec/ns5/trusted.conf.bad | 2 +- - bin/tests/system/dnssec/tests.sh | 4 +- - bin/tests/system/feature-test.c | 14 ++++ - bin/tests/system/filter-aaaa/ns1/sign.sh | 4 +- - bin/tests/system/filter-aaaa/ns4/sign.sh | 4 +- + bin/tests/system/dlv/ns3/sign.sh | 1 + + bin/tests/system/feature-test.c | 13 ++++ bin/tests/system/notify/ns5/named.conf.in | 6 +- bin/tests/system/notify/tests.sh | 6 +- bin/tests/system/nsupdate/ns1/named.conf.in | 2 +- bin/tests/system/nsupdate/ns2/named.conf.in | 2 +- - bin/tests/system/nsupdate/setup.sh | 7 +- + bin/tests/system/nsupdate/setup.sh | 6 +- bin/tests/system/nsupdate/tests.sh | 11 ++- bin/tests/system/rndc/setup.sh | 2 +- bin/tests/system/rndc/tests.sh | 23 ++++--- - bin/tests/system/tsig/clean.sh | 1 + bin/tests/system/tsig/ns1/named.conf.in | 10 +-- bin/tests/system/tsig/setup.sh | 5 ++ bin/tests/system/tsig/tests.sh | 67 ++++++++++++------- - bin/tests/system/tsiggss/setup.sh | 2 +- bin/tests/system/upforwd/ns1/named.conf.in | 2 +- bin/tests/system/upforwd/tests.sh | 2 +- - bin/tests/system/tsig/ns1/rndc5.conf.in | 10 +++ - 45 files changed, 232 insertions(+), 171 deletions(-) - create mode 100644 bin/tests/system/tsig/ns1/rndc5.conf.in + 33 files changed, 151 insertions(+), 107 deletions(-) diff --git a/bin/tests/system/acl/ns2/named1.conf.in b/bin/tests/system/acl/ns2/named1.conf.in index 0ea6502..026db3f 100644 @@ -208,7 +195,7 @@ index 4b4e050..0e679a8 100644 }; 
diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh -index 09f31f2..f88f0d4 100644 +index fe49a86..d7819f1 100644 --- a/bin/tests/system/acl/tests.sh +++ b/bin/tests/system/acl/tests.sh @@ -22,14 +22,14 @@ echo_i "testing basic ACL processing" @@ -334,11 +321,11 @@ index 09f31f2..f88f0d4 100644 echo_i "testing allow-query-on ACL processing" diff --git a/bin/tests/system/allow-query/ns2/named10.conf.in b/bin/tests/system/allow-query/ns2/named10.conf.in -index 1569913..e9c5c2d 100644 +index c5f38c9..00db0da 100644 --- a/bin/tests/system/allow-query/ns2/named10.conf.in +++ b/bin/tests/system/allow-query/ns2/named10.conf.in -@@ -12,7 +12,7 @@ - controls { /* empty */ }; +@@ -10,7 +10,7 @@ + */ key one { - algorithm hmac-md5; @@ -347,11 +334,11 @@ index 1569913..e9c5c2d 100644 }; diff --git a/bin/tests/system/allow-query/ns2/named11.conf.in b/bin/tests/system/allow-query/ns2/named11.conf.in -index 18ac91c..2b1c873 100644 +index 56e5cc4..2c32b71 100644 --- a/bin/tests/system/allow-query/ns2/named11.conf.in +++ b/bin/tests/system/allow-query/ns2/named11.conf.in -@@ -12,12 +12,12 @@ - controls { /* empty */ }; +@@ -10,12 +10,12 @@ + */ key one { - algorithm hmac-md5; @@ -366,11 +353,11 @@ index 18ac91c..2b1c873 100644 }; diff --git a/bin/tests/system/allow-query/ns2/named12.conf.in b/bin/tests/system/allow-query/ns2/named12.conf.in -index b824844..dd48945 100644 +index 8381950..21a6366 100644 --- a/bin/tests/system/allow-query/ns2/named12.conf.in +++ b/bin/tests/system/allow-query/ns2/named12.conf.in -@@ -12,7 +12,7 @@ - controls { /* empty */ }; +@@ -10,7 +10,7 @@ + */ key one { - algorithm hmac-md5; @@ -379,11 +366,11 @@ index b824844..dd48945 100644 }; diff --git a/bin/tests/system/allow-query/ns2/named30.conf.in b/bin/tests/system/allow-query/ns2/named30.conf.in -index aeb1540..bfce58b 100644 +index 0e5ff55..a90ed6a 100644 --- a/bin/tests/system/allow-query/ns2/named30.conf.in 
+++ b/bin/tests/system/allow-query/ns2/named30.conf.in -@@ -12,7 +12,7 @@ - controls { /* empty */ }; +@@ -10,7 +10,7 @@ + */ key one { - algorithm hmac-md5; @@ -392,11 +379,11 @@ index aeb1540..bfce58b 100644 }; diff --git a/bin/tests/system/allow-query/ns2/named31.conf.in b/bin/tests/system/allow-query/ns2/named31.conf.in -index d4b7432..e0f5252 100644 +index faadb3f..b99f337 100644 --- a/bin/tests/system/allow-query/ns2/named31.conf.in +++ b/bin/tests/system/allow-query/ns2/named31.conf.in -@@ -12,12 +12,12 @@ - controls { /* empty */ }; +@@ -10,12 +10,12 @@ + */ key one { - algorithm hmac-md5; @@ -411,11 +398,11 @@ index d4b7432..e0f5252 100644 }; diff --git a/bin/tests/system/allow-query/ns2/named32.conf.in b/bin/tests/system/allow-query/ns2/named32.conf.in -index c025938..87afb3f 100644 +index 9e78dd0..ea7a413 100644 --- a/bin/tests/system/allow-query/ns2/named32.conf.in +++ b/bin/tests/system/allow-query/ns2/named32.conf.in -@@ -12,7 +12,7 @@ - controls { /* empty */ }; +@@ -10,7 +10,7 @@ + */ key one { - algorithm hmac-md5; @@ -424,10 +411,10 @@ index c025938..87afb3f 100644 }; diff --git a/bin/tests/system/allow-query/ns2/named40.conf.in b/bin/tests/system/allow-query/ns2/named40.conf.in -index d83b376..d726b94 100644 +index f4bc399..e01f312 100644 --- a/bin/tests/system/allow-query/ns2/named40.conf.in +++ b/bin/tests/system/allow-query/ns2/named40.conf.in -@@ -16,12 +16,12 @@ acl accept { 10.53.0.2; }; +@@ -14,12 +14,12 @@ acl accept { 10.53.0.2; }; acl badaccept { 10.53.0.1; }; key one { @@ -443,10 +430,10 @@ index d83b376..d726b94 100644 }; diff --git a/bin/tests/system/allow-query/tests.sh b/bin/tests/system/allow-query/tests.sh -index fb6059d..f960156 100644 +index 479910c..53b9e5c 100644 --- a/bin/tests/system/allow-query/tests.sh +++ b/bin/tests/system/allow-query/tests.sh -@@ -190,7 +190,7 @@ rndc_reload +@@ -182,7 +182,7 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: key allowed - query allowed" ret=0 
@@ -455,7 +442,7 @@ index fb6059d..f960156 100644 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -@@ -203,7 +203,7 @@ rndc_reload +@@ -195,7 +195,7 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: key not allowed - query refused" ret=0 @@ -464,7 +451,7 @@ index fb6059d..f960156 100644 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -@@ -216,7 +216,7 @@ rndc_reload +@@ -208,7 +208,7 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: key disallowed - query refused" ret=0 @@ -473,7 +460,7 @@ index fb6059d..f960156 100644 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -@@ -349,7 +349,7 @@ rndc_reload +@@ -341,7 +341,7 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: views key allowed - query allowed" ret=0 @@ -482,7 +469,7 @@ index fb6059d..f960156 100644 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -@@ -362,7 +362,7 @@ rndc_reload +@@ -354,7 +354,7 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: views key not allowed - query refused" ret=0 @@ -491,7 +478,7 @@ index fb6059d..f960156 100644 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -@@ -375,7 +375,7 @@ rndc_reload +@@ -367,7 +367,7 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: views key disallowed - query refused" ret=0 
@@ -500,7 +487,7 @@ index fb6059d..f960156 100644 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -@@ -508,7 +508,7 @@ status=`expr $status + $ret` +@@ -500,7 +500,7 @@ status=`expr $status + $ret` n=`expr $n + 1` echo_i "test $n: zone key allowed - query allowed" ret=0 @@ -509,7 +496,7 @@ index fb6059d..f960156 100644 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -@@ -518,7 +518,7 @@ status=`expr $status + $ret` +@@ -510,7 +510,7 @@ status=`expr $status + $ret` n=`expr $n + 1` echo_i "test $n: zone key not allowed - query refused" ret=0 @@ -518,7 +505,7 @@ index fb6059d..f960156 100644 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -@@ -528,7 +528,7 @@ status=`expr $status + $ret` +@@ -520,7 +520,7 @@ status=`expr $status + $ret` n=`expr $n + 1` echo_i "test $n: zone key disallowed - query refused" ret=0 @@ -563,10 +550,10 @@ index 21be03e..e57c308 100644 }; diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf -index 9ab35b3..486551a 100644 +index d627d2a..9d0322a 100644 --- a/bin/tests/system/checkconf/good.conf +++ b/bin/tests/system/checkconf/good.conf -@@ -153,6 +153,6 @@ dyndb "name" "library.so" { +@@ -157,6 +157,6 @@ dyndb "name" "library.so" { system; }; key "mykey" { 
@@ -574,473 +561,51 @@ index 9ab35b3..486551a 100644 + algorithm "hmac-sha256"; secret "qwertyuiopasdfgh"; }; -diff --git a/bin/tests/system/digdelv/ns2/example.db b/bin/tests/system/digdelv/ns2/example.db -index f4e30f5..9f53e31 100644 ---- a/bin/tests/system/digdelv/ns2/example.db -+++ b/bin/tests/system/digdelv/ns2/example.db -@@ -38,12 +38,15 @@ foo SSHFP 2 1 123456789abcdef67890123456789abcdef67890 - ;; - ;; we are not testing DNSSEC behavior, so we don't care about the semantics - ;; of the following records. --dnskey 300 DNSKEY 256 3 1 ( -- AQPTpWyReB/e9Ii6mVGnakS8hX2zkh/iUYAg -- +Ge4noWROpTWOIBvm76zeJPWs4Zfqa1IsswD -- Ix5Mqeg0zwclz59uecKsKyx5w9IhtZ8plc4R -- b9VIE5x7KNHAYTvTO5d4S8M= -- ) -+dnskey 300 DNSKEY 256 3 8 ( -+ AwEAAaWmCoDpj2K59zcpqnmnQM7IC/XbjS6jIP7uTBR4X7p1bdQJzAeo -+ EnMhnpnxPp0j+20eZm4847DB2U+HuHy79Mvqd3aozTmfBJvzjKs9qyba -+ zY/ZHn6BDYxNJiFfjSS/VJ1KuQPDbpCzhm2hbvT5s9nSOaG0WyRk+d+R -+ qEca11E7ZKkmmNiGlyzMAgfmTTBwgxWBAAhvd9nU1GqD6eQ6Z63hpTc/ -+ KDIHnFTo7pOcZ4z5urIKUMCMcFytedETlEoR5CIWGPdQq2eIEEMfn5ld -+ QqdEZRHVErD9og8aluJ2s767HZb8LzjCfYgBFoT9/n48T75oZLEKtSkG -+ /idCeeQlaLU= -+ ) - - ; TTL of 3 weeks - weeks 1814400 A 10.53.0.2 -diff --git a/bin/tests/system/digdelv/tests.sh b/bin/tests/system/digdelv/tests.sh -index ade45ce..d3aff24 100644 ---- a/bin/tests/system/digdelv/tests.sh -+++ b/bin/tests/system/digdelv/tests.sh -@@ -106,7 +106,7 @@ if [ -x "$DIG" ] ; then - echo_i "checking dig +rrcomments works for DNSKEY($n)" - ret=0 - $DIG $DIGOPTS +tcp @10.53.0.3 +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1 -- grep "; ZSK; alg = RSAMD5 ; key id = 30795" < dig.out.test$n > /dev/null || ret=1 -+ grep "; ZSK; alg = RSASHA256 ; key id = 36895$" < dig.out.test$n > /dev/null || ret=1 - check_ttl_range dig.out.test$n "DNSKEY" 300 || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` -@@ -115,7 +115,7 @@ if [ -x "$DIG" ] ; then - echo_i "checking dig +short +rrcomments works for DNSKEY ($n)" - ret=0 - $DIG 
$DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1 -- grep "; ZSK; alg = RSAMD5 ; key id = 30795" < dig.out.test$n > /dev/null || ret=1 -+ grep "; ZSK; alg = RSASHA256 ; key id = 36895$" < dig.out.test$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` - -@@ -123,7 +123,7 @@ if [ -x "$DIG" ] ; then - echo_i "checking dig +short +nosplit works($n)" - ret=0 - $DIG $DIGOPTS +tcp @10.53.0.3 +short +nosplit DNSKEY dnskey.example > dig.out.test$n || ret=1 -- grep "Z8plc4Rb9VIE5x7KNHAYTvTO5d4S8M=$" < dig.out.test$n > /dev/null || ret=1 -+ grep "T9/n48T75oZLEKtSkG/idCeeQlaLU=$" < dig.out.test$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` - -@@ -131,7 +131,7 @@ if [ -x "$DIG" ] ; then - echo_i "checking dig +short +rrcomments works($n)" - ret=0 - $DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1 -- grep "S8M= ; ZSK; alg = RSAMD5 ; key id = 30795$" < dig.out.test$n > /dev/null || ret=1 -+ grep "aLU= ; ZSK; alg = RSASHA256 ; key id = 36895$" < dig.out.test$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` - -@@ -148,7 +148,7 @@ if [ -x "$DIG" ] ; then - echo_i "checking dig +short +rrcomments works($n)" - ret=0 - $DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1 -- grep "S8M= ; ZSK; alg = RSAMD5 ; key id = 30795$" < dig.out.test$n > /dev/null || ret=1 -+ grep "aLU= ; ZSK; alg = RSASHA256 ; key id = 36895$" < dig.out.test$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` - -@@ -695,7 +695,7 @@ if [ -x ${DELV} ] ; then - echo_i "checking delv +rrcomments works for DNSKEY($n)" - ret=0 - $DELV $DELVOPTS +tcp @10.53.0.3 +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1 -- grep "; ZSK; alg = RSAMD5 ; key id = 30795" < delv.out.test$n > 
/dev/null || ret=1 -+ grep "; ZSK; alg = RSASHA256 ; key id = 36895" < delv.out.test$n > /dev/null || ret=1 - check_ttl_range delv.out.test$n "DNSKEY" 300 || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` -@@ -704,7 +704,7 @@ if [ -x ${DELV} ] ; then - echo_i "checking delv +short +rrcomments works for DNSKEY ($n)" - ret=0 - $DELV $DELVOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1 -- grep "; ZSK; alg = RSAMD5 ; key id = 30795" < delv.out.test$n > /dev/null || ret=1 -+ grep "; ZSK; alg = RSASHA256 ; key id = 36895" < delv.out.test$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` - -@@ -712,7 +712,7 @@ if [ -x ${DELV} ] ; then - echo_i "checking delv +short +rrcomments works ($n)" - ret=0 - $DELV $DELVOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1 -- grep "S8M= ; ZSK; alg = RSAMD5 ; key id = 30795$" < delv.out.test$n > /dev/null || ret=1 -+ grep "aLU= ; ZSK; alg = RSASHA256 ; key id = 36895$" < delv.out.test$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` - -@@ -720,7 +720,7 @@ if [ -x ${DELV} ] ; then - echo_i "checking delv +short +nosplit works ($n)" - ret=0 - $DELV $DELVOPTS +tcp @10.53.0.3 +short +nosplit DNSKEY dnskey.example > delv.out.test$n || ret=1 -- grep "Z8plc4Rb9VIE5x7KNHAYTvTO5d4S8M=" < delv.out.test$n > /dev/null || ret=1 -+ grep "T9/n48T75oZLEKtSkG/idCeeQlaLU=" < delv.out.test$n > /dev/null || ret=1 - if test `wc -l < delv.out.test$n` != 1 ; then ret=1 ; fi - f=`awk '{print NF}' < delv.out.test$n` - test "${f:-0}" -eq 14 || ret=1 -@@ -731,7 +731,7 @@ if [ -x ${DELV} ] ; then - echo_i "checking delv +short +nosplit +norrcomments works ($n)" - ret=0 - $DELV $DELVOPTS +tcp @10.53.0.3 +short +nosplit +norrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1 -- grep "Z8plc4Rb9VIE5x7KNHAYTvTO5d4S8M=$" < delv.out.test$n > /dev/null || 
ret=1 -+ grep "T9/n48T75oZLEKtSkG/idCeeQlaLU=$" < delv.out.test$n > /dev/null || ret=1 - if test `wc -l < delv.out.test$n` != 1 ; then ret=1 ; fi - f=`awk '{print NF}' < delv.out.test$n` - test "${f:-0}" -eq 4 || ret=1 -diff --git a/bin/tests/system/dlv/ns1/sign.sh b/bin/tests/system/dlv/ns1/sign.sh -index 606e7cc..a3a0d60 100755 ---- a/bin/tests/system/dlv/ns1/sign.sh -+++ b/bin/tests/system/dlv/ns1/sign.sh -@@ -23,8 +23,8 @@ infile=root.db.in - zonefile=root.db - outfile=root.signed - --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` - - cat $infile $keyname1.key $keyname2.key >$zonefile - -diff --git a/bin/tests/system/dlv/ns2/sign.sh b/bin/tests/system/dlv/ns2/sign.sh -index 9825c57..202c978 100755 ---- a/bin/tests/system/dlv/ns2/sign.sh -+++ b/bin/tests/system/dlv/ns2/sign.sh -@@ -24,8 +24,8 @@ zonefile=druz.db - outfile=druz.pre - dlvzone=utld. 
- --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` - - cat $infile $keyname1.key $keyname2.key >$zonefile - -diff --git a/bin/tests/system/dlv/ns6/sign.sh b/bin/tests/system/dlv/ns6/sign.sh -index 1e39862..4ed19ac 100755 ---- a/bin/tests/system/dlv/ns6/sign.sh -+++ b/bin/tests/system/dlv/ns6/sign.sh -@@ -16,13 +16,15 @@ SYSTESTDIR=dlv - - echo_i "dlv/ns6/sign.sh" - +diff --git a/bin/tests/system/dlv/ns3/sign.sh b/bin/tests/system/dlv/ns3/sign.sh +index fa51ae1..bc46942 100755 +--- a/bin/tests/system/dlv/ns3/sign.sh ++++ b/bin/tests/system/dlv/ns3/sign.sh +@@ -19,6 +19,7 @@ echo_i "dlv/ns3/sign.sh" + dlvzone=dlv.utld. + dlvsets= + dssets= +bits=1024 -+ - zone=grand.child1.utld. + + zone=child1.utld. infile=child.db.in - zonefile=grand.child1.utld.db - outfile=grand.child1.signed - --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - cat $infile $keyname1.key $keyname2.key >$zonefile - -@@ -36,8 +38,8 @@ zonefile=grand.child3.utld.db - outfile=grand.child3.signed - dlvzone=dlv.utld. 
- --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - cat $infile $keyname1.key $keyname2.key >$zonefile - -@@ -51,8 +53,8 @@ zonefile=grand.child4.utld.db - outfile=grand.child4.signed - dlvzone=dlv.utld. - --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - cat $infile $keyname1.key $keyname2.key >$zonefile - -@@ -66,8 +68,8 @@ zonefile=grand.child5.utld.db - outfile=grand.child5.signed - dlvzone=dlv.utld. - --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - cat $infile $keyname1.key $keyname2.key >$zonefile - -@@ -81,8 +83,8 @@ zonefile=grand.child7.utld.db - outfile=grand.child7.signed - dlvzone=dlv.utld. - --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - cat $infile $keyname1.key $keyname2.key >$zonefile - -@@ -96,8 +98,8 @@ zonefile=grand.child8.utld.db - outfile=grand.child8.signed - dlvzone=dlv.utld. 
- --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - cat $infile $keyname1.key $keyname2.key >$zonefile - -@@ -111,8 +113,8 @@ zonefile=grand.child9.utld.db - outfile=grand.child9.signed - dlvzone=dlv.utld. - --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - cat $infile $keyname1.key $keyname2.key >$zonefile - -@@ -125,8 +127,8 @@ zonefile=grand.child10.utld.db - outfile=grand.child10.signed - dlvzone=dlv.utld. - --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - cat $infile $keyname1.key $keyname2.key >$zonefile - -@@ -138,8 +140,8 @@ infile=child.db.in - zonefile=grand.child1.druz.db - outfile=grand.child1.druz.signed - --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - cat $infile $keyname1.key $keyname2.key >$zonefile - -@@ -153,8 +155,8 @@ zonefile=grand.child3.druz.db - outfile=grand.child3.druz.signed - dlvzone=dlv.druz. 
- --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - cat $infile $keyname1.key $keyname2.key >$zonefile - -@@ -168,8 +170,8 @@ zonefile=grand.child4.druz.db - outfile=grand.child4.druz.signed - dlvzone=dlv.druz. - --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - cat $infile $keyname1.key $keyname2.key >$zonefile - -@@ -183,8 +185,8 @@ zonefile=grand.child5.druz.db - outfile=grand.child5.druz.signed - dlvzone=dlv.druz. - --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - cat $infile $keyname1.key $keyname2.key >$zonefile - -@@ -198,8 +200,8 @@ zonefile=grand.child7.druz.db - outfile=grand.child7.druz.signed - dlvzone=dlv.druz. - --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - cat $infile $keyname1.key $keyname2.key >$zonefile - -@@ -213,8 +215,8 @@ zonefile=grand.child8.druz.db - outfile=grand.child8.druz.signed - dlvzone=dlv.druz. 
- --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - cat $infile $keyname1.key $keyname2.key >$zonefile - -@@ -228,8 +230,8 @@ zonefile=grand.child9.druz.db - outfile=grand.child9.druz.signed - dlvzone=dlv.druz. - --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - cat $infile $keyname1.key $keyname2.key >$zonefile - -@@ -242,8 +244,8 @@ zonefile=grand.child10.druz.db - outfile=grand.child10.druz.signed - dlvzone=dlv.druz. - --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` - - cat $infile $keyname1.key $keyname2.key >$zonefile - -diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh -index 13fb924..1ffa279 100644 ---- a/bin/tests/system/dnssec/ns2/sign.sh -+++ b/bin/tests/system/dnssec/ns2/sign.sh -@@ -126,8 +126,8 @@ zone=in-addr.arpa. 
- infile=in-addr.arpa.db.in - zonefile=in-addr.arpa.db - --keyname1=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone` --keyname2=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone` -+keyname1=`$KEYGEN -q -r $RANDFILE -a DSA -b 1024 -n zone $zone` -+keyname2=`$KEYGEN -q -r $RANDFILE -a DSA -b 1024 -n zone $zone` - - cat $infile $keyname1.key $keyname2.key >$zonefile - $SIGNER -P -g -r $RANDFILE -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null -@@ -138,7 +138,7 @@ privzone=private.secure.example - privinfile=private.secure.example.db.in - privzonefile=private.secure.example.db - --privkeyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $privzone` -+privkeyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $privzone` - - cat $privinfile $privkeyname.key >$privzonefile - -@@ -152,7 +152,7 @@ dlvinfile=dlv.db.in - dlvzonefile=dlv.db - dlvsetfile=dlvset-${privzone}${TP} - --dlvkeyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $dlvzone` -+dlvkeyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $dlvzone` - - cat $dlvinfile $dlvkeyname.key $dlvsetfile > $dlvzonefile - -diff --git a/bin/tests/system/dnssec/ns5/trusted.conf.bad b/bin/tests/system/dnssec/ns5/trusted.conf.bad -index ed30460..e6b1126 100644 ---- a/bin/tests/system/dnssec/ns5/trusted.conf.bad -+++ b/bin/tests/system/dnssec/ns5/trusted.conf.bad -@@ -10,5 +10,5 @@ - */ - - trusted-keys { -- "." 256 3 1 "AQO6Cl+slAf+iuieDim9L3kujFHQD7s/IOj03ClMOpKYcTXtK4mRpuULVfvWxDi9Ew/gj0xLnnX7z9OJHIxLI+DSrAHd8Dm0XfBEAtVtJSn70GaPZgnLMw1rk5ap2DsEoWk="; -+ "." 
256 3 8 "AwEAAarwAdjV4gIhpBCjXVAScRFEx3co7k8smJdxrnqoGsl5NB7EZ9jRdgvCXbJn6v8y9jlNWVHvaC8ilhfhLh0A1vLWiWv4ijd/12xcnrY7xpG7Cu3YkxUxaXJ7Jdg/Iw1+9mGgXF1v4UbCIcw/3U3cxyk7OxYg+VSb5KBAQSR0upxV"; - }; -diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh -index b31c1b4..a5e237b 100644 ---- a/bin/tests/system/dnssec/tests.sh -+++ b/bin/tests/system/dnssec/tests.sh -@@ -3235,8 +3235,8 @@ do - alg=`expr $alg + 1` - continue;; - 3) size="-b 512";; -- 5) size="-b 512";; -- 6) size="-b 512";; -+ 5) size="-b 1024";; -+ 6) size="-b 1024";; - 7) size="-b 512";; - 8) size="-b 512";; - 10) size="-b 1024";; diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c -index c1249ed..20a3139 100644 +index 8b9deb6..ceb4fe8 100644 --- a/bin/tests/system/feature-test.c +++ b/bin/tests/system/feature-test.c 
@@ -19,6 +19,7 @@ #include #include #include -+#include ++#include #include #ifdef WIN32 -@@ -47,6 +48,7 @@ usage() { - fprintf(stderr, " --have-geoip2\n"); - fprintf(stderr, " --have-libxml2\n"); - fprintf(stderr, " --ipv6only=no\n"); -+ fprintf(stderr, " --md5\n"); - fprintf(stderr, " --rpz-nsdname\n"); - fprintf(stderr, " --rpz-nsip\n"); - fprintf(stderr, " --with-idn\n"); -@@ -155,6 +157,18 @@ main(int argc, char **argv) { +@@ -159,6 +160,18 @@ main(int argc, char **argv) { #endif } + if (strcmp(argv[1], "--md5") == 0) { -+#ifdef PK11_MD5_DISABLE -+ return (1); -+#else -+ if (isc_md5_available()) { ++ unsigned char digest[ISC_MAX_MD_SIZE]; ++ const char test[] = test; ++ ++ if (isc_md(ISC_MD_MD5, test, sizeof(test), ++ digest, sizeof(digest)) == ISC_R_SUCCESS) { + return (0); + } else { + return (1); + } -+#endif + } + - if (strcmp(argv[1], "--rpz-nsip") == 0) { - #ifdef ENABLE_RPZ_NSIP + if (strcmp(argv[1], "--ipv6only=no") == 0) { + #ifdef WIN32 return (0); -diff --git a/bin/tests/system/filter-aaaa/ns1/sign.sh b/bin/tests/system/filter-aaaa/ns1/sign.sh -index f755581..4a7d890 100755 ---- a/bin/tests/system/filter-aaaa/ns1/sign.sh -+++ b/bin/tests/system/filter-aaaa/ns1/sign.sh -@@ -21,8 +21,8 @@ infile=signed.db.in - zonefile=signed.db.signed - outfile=signed.db.signed - --keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` - - cat $infile $keyname1.key $keyname2.key >$zonefile - -diff --git a/bin/tests/system/filter-aaaa/ns4/sign.sh b/bin/tests/system/filter-aaaa/ns4/sign.sh -index f755581..4a7d890 100755 ---- a/bin/tests/system/filter-aaaa/ns4/sign.sh -+++ b/bin/tests/system/filter-aaaa/ns4/sign.sh -@@ -21,8 +21,8 @@ infile=signed.db.in - zonefile=signed.db.signed - outfile=signed.db.signed - 
--keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` --keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` -+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` - - cat $infile $keyname1.key $keyname2.key >$zonefile - diff --git a/bin/tests/system/notify/ns5/named.conf.in b/bin/tests/system/notify/ns5/named.conf.in -index cfcfe8f..0a1614d 100644 +index 2976bfc..256d846 100644 --- a/bin/tests/system/notify/ns5/named.conf.in +++ b/bin/tests/system/notify/ns5/named.conf.in @@ -10,17 +10,17 @@ @@ -1065,7 +630,7 @@ index cfcfe8f..0a1614d 100644 }; diff --git a/bin/tests/system/notify/tests.sh b/bin/tests/system/notify/tests.sh -index 1f6e6d0..c08bd25 100644 +index fb2eb74..0e45424 100644 --- a/bin/tests/system/notify/tests.sh +++ b/bin/tests/system/notify/tests.sh @@ -212,16 +212,16 @@ ret=0 @@ -1089,22 +654,9 @@ index 1f6e6d0..c08bd25 100644 grep "test string" dig.out.b.ns5.test$n > /dev/null && grep "test string" dig.out.c.ns5.test$n > /dev/null && diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in -index 1d999ad..26b6b7c 100644 +index e7b6adb..4ad5cc1 100644 --- a/bin/tests/system/nsupdate/ns1/named.conf.in +++ b/bin/tests/system/nsupdate/ns1/named.conf.in -@@ -32,7 +32,7 @@ controls { - }; - - key altkey { -- algorithm hmac-md5; -+ algorithm hmac-sha512; - secret "1234abcd8765"; - }; - -diff --git a/bin/tests/system/nsupdate/ns2/named.conf.in b/bin/tests/system/nsupdate/ns2/named.conf.in -index 4549184..cb7dccd 100644 ---- a/bin/tests/system/nsupdate/ns2/named.conf.in -+++ b/bin/tests/system/nsupdate/ns2/named.conf.in @@ -33,7 +33,7 @@ controls { }; 
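Review bot: The new `--md5` probe in feature-test.c will not compile as written: `const char test[] = test;` initializes the array from itself, and a fixed literal such as `const unsigned char test[] = "test";` is presumably what was intended, since the probe only needs to learn whether the crypto provider will perform MD5 at all. The trailing `sizeof(digest)` passed to `isc_md()` should also be checked against the isc/md.h prototype; if that parameter is the `unsigned int *` output length I would expect there, it needs `unsigned int digestlen = sizeof(digest);` passed as `&digestlen`. Performing a real digest at runtime instead of testing a compile-time define is the right shape for FIPS builds, where the provider refuses MD5, and the probe correctly fails closed (non-zero) on any error, which is what the nsupdate setup script keys off. Separately, the diffstat records dlv/ns3/sign.sh as a single inserted line, so `bits=1024` is assigned but nothing in that file is changed to read it; unless ns3/sign.sh already references `$bits` (not visible here), its dnssec-keygen calls still produce the 768-bit DSA keys that the dropped ns1/ns2/ns6 hunks were raising to 1024 for the FIPS provider. The added `#include` target is lost in this rendering so the header name cannot be checked, and main() begins and ends outside the hunk.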
@@ -1114,29 +666,41 @@ index 4549184..cb7dccd 100644 secret "1234abcd8765"; }; +diff --git a/bin/tests/system/nsupdate/ns2/named.conf.in b/bin/tests/system/nsupdate/ns2/named.conf.in +index b703843..8bfe2b0 100644 +--- a/bin/tests/system/nsupdate/ns2/named.conf.in ++++ b/bin/tests/system/nsupdate/ns2/named.conf.in +@@ -32,7 +32,7 @@ controls { + }; + + key altkey { +- algorithm hmac-md5; ++ algorithm hmac-sha512; + secret "1234abcd8765"; + }; + diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh -index 21805c5..0d3d85c 100644 +index 5d70114..6c4b55a 100644 --- a/bin/tests/system/nsupdate/setup.sh +++ b/bin/tests/system/nsupdate/setup.sh -@@ -58,7 +58,12 @@ EOF +@@ -56,7 +56,11 @@ EOF - $DDNSCONFGEN -q -r $RANDFILE -z example.nil > ns1/ddns.key + $DDNSCONFGEN -q -z example.nil > ns1/ddns.key --$DDNSCONFGEN -q -r $RANDFILE -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key +-$DDNSCONFGEN -q -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key +if $FEATURETEST --md5; then -+ $DDNSCONFGEN -q -r $RANDFILE -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key ++ $DDNSCONFGEN -q -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key +else + echo -n > ns1/md5.key +fi -+ - $DDNSCONFGEN -q -r $RANDFILE -a hmac-sha1 -k sha1-key -z keytests.nil > ns1/sha1.key - $DDNSCONFGEN -q -r $RANDFILE -a hmac-sha224 -k sha224-key -z keytests.nil > ns1/sha224.key - $DDNSCONFGEN -q -r $RANDFILE -a hmac-sha256 -k sha256-key -z keytests.nil > ns1/sha256.key + $DDNSCONFGEN -q -a hmac-sha1 -k sha1-key -z keytests.nil > ns1/sha1.key + $DDNSCONFGEN -q -a hmac-sha224 -k sha224-key -z keytests.nil > ns1/sha224.key + $DDNSCONFGEN -q -a hmac-sha256 -k sha256-key -z keytests.nil > ns1/sha256.key diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh -index 4da4849..b3bc807 100755 +index dd0286f..906135c 100755 --- a/bin/tests/system/nsupdate/tests.sh 
+++ b/bin/tests/system/nsupdate/tests.sh -@@ -708,7 +708,14 @@ fi +@@ -700,7 +700,14 @@ fi n=`expr $n + 1` ret=0 echo_i "check TSIG key algorithms ($n)" @@ -1152,7 +716,7 @@ index 4da4849..b3bc807 100755 $NSUPDATE -k ns1/${alg}.key < /dev/null || ret=1 server 10.53.0.1 ${PORT} update add ${alg}.keytests.nil. 600 A 10.10.10.3 -@@ -716,7 +723,7 @@ send +@@ -708,7 +715,7 @@ send END done sleep 2 @@ -1162,10 +726,10 @@ index 4da4849..b3bc807 100755 done if [ $ret -ne 0 ]; then diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh -index 343869e..c30efb0 100644 +index cb64dd9..c9b2447 100644 --- a/bin/tests/system/rndc/setup.sh +++ b/bin/tests/system/rndc/setup.sh -@@ -37,7 +37,7 @@ make_key () { +@@ -35,7 +35,7 @@ make_key () { sed 's/allow { 10.53.0.4/allow { any/' >> ns4/named.conf } @@ -1175,10 +739,10 @@ index 343869e..c30efb0 100644 make_key 3 ${EXTRAPORT3} hmac-sha224 make_key 4 ${EXTRAPORT4} hmac-sha256 diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh -index 57e066d..186a723 100644 +index 7cbe2c7..b8cc6a0 100644 --- a/bin/tests/system/rndc/tests.sh +++ b/bin/tests/system/rndc/tests.sh -@@ -348,15 +348,20 @@ if [ $ret != 0 ]; then echo_i "failed"; fi +@@ -356,15 +356,20 @@ if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` n=`expr $n + 1` @@ -1208,15 +772,6 @@ index 57e066d..186a723 100644 n=`expr $n + 1` echo_i "testing rndc with hmac-sha1 ($n)" -diff --git a/bin/tests/system/tsig/clean.sh b/bin/tests/system/tsig/clean.sh -index 576ec70..cb7a852 100644 ---- a/bin/tests/system/tsig/clean.sh -+++ b/bin/tests/system/tsig/clean.sh -@@ -20,3 +20,4 @@ rm -f */named.run - rm -f ns*/named.lock - rm -f Kexample.net.+163+* - rm -f keygen.out? -+rm -f ns1/named.conf diff --git a/bin/tests/system/tsig/ns1/named.conf.in b/bin/tests/system/tsig/ns1/named.conf.in index fbf30c6..f61657d 100644 --- a/bin/tests/system/tsig/ns1/named.conf.in 
@@ -1246,20 +801,20 @@ index fbf30c6..f61657d 100644 key "sha1-trunc" { secret "FrSt77yPTFx6hTs4i2tKLB9LmE0="; diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh -index 4dd4a25..aa0f966 100644 +index b3e0450..90a6ce4 100644 --- a/bin/tests/system/tsig/setup.sh +++ b/bin/tests/system/tsig/setup.sh -@@ -17,3 +17,8 @@ $SHELL clean.sh - copy_setports ns1/named.conf.in ns1/named.conf +@@ -15,3 +15,8 @@ SYSTEMTESTTOP=.. + $SHELL clean.sh - test -r $RANDFILE || $GENRANDOM $RANDOMSIZE $RANDFILE + copy_setports ns1/named.conf.in ns1/named.conf + +if $FEATURETEST --md5 +then + cat ns1/rndc5.conf.in >> ns1/named.conf +fi diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh -index f731fa6..cade35b 100644 +index 3a720de..e20e7f9 100644 --- a/bin/tests/system/tsig/tests.sh +++ b/bin/tests/system/tsig/tests.sh @@ -26,20 +26,25 @@ sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f @@ -1350,19 +905,8 @@ index f731fa6..cade35b 100644 fi echo_i "fetching using hmac-sha1-80 (BADTRUNC)" -diff --git a/bin/tests/system/tsiggss/setup.sh b/bin/tests/system/tsiggss/setup.sh -index 0d21c7b..dbcb7b4 100644 ---- a/bin/tests/system/tsiggss/setup.sh -+++ b/bin/tests/system/tsiggss/setup.sh -@@ -18,5 +18,5 @@ test -r $RANDFILE || $GENRANDOM $RANDOMSIZE $RANDFILE - - copy_setports ns1/named.conf.in ns1/named.conf - --key=`$KEYGEN -Cq -K ns1 -a DSA -b 512 -r $RANDFILE -n HOST -T KEY key.example.nil.` -+key=`$KEYGEN -Cq -K ns1 -a DSA -b 1024 -r $RANDFILE -n HOST -T KEY key.example.nil.` - cat ns1/example.nil.db.in ns1/${key}.key > ns1/example.nil.db diff --git a/bin/tests/system/upforwd/ns1/named.conf.in b/bin/tests/system/upforwd/ns1/named.conf.in -index e0a30cd..6a77b1c 100644 +index ea42b4d..08676da 100644 --- a/bin/tests/system/upforwd/ns1/named.conf.in +++ b/bin/tests/system/upforwd/ns1/named.conf.in @@ -10,7 +10,7 @@ 
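Review bot: The new side of tsig/setup.sh still runs `cat ns1/rndc5.conf.in >> ns1/named.conf` when `$FEATURETEST --md5` succeeds, but the `@@ -1387,22 +931,6 @@` hunk below removes the creation of bin/tests/system/tsig/ns1/rndc5.conf.in from this patch, and the commit header drops its `create mode` diffstat entry. Unless the tree being patched now ships that file itself, setup.sh will fail on every host where MD5 is available, which is the non-FIPS case these tests exist to cover. Worth confirming the file is present upstream at the rebased version before this lands, since the failure would only show up outside FIPS mode. The setup.sh script continues outside the hunk.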
@@ -1387,22 +931,6 @@ index b0694bb..9adae82 100644 server 10.53.0.3 ${PORT} update add updated.example. 600 A 10.10.10.1 update add updated.example. 600 TXT Foo -diff --git a/bin/tests/system/tsig/ns1/rndc5.conf.in b/bin/tests/system/tsig/ns1/rndc5.conf.in -new file mode 100644 -index 0000000..0682194 ---- /dev/null -+++ b/bin/tests/system/tsig/ns1/rndc5.conf.in -@@ -0,0 +1,10 @@ -+# Conditionally included when support for MD5 is available -+key "md5" { -+ secret "97rnFx24Tfna4mHPfgnerA=="; -+ algorithm hmac-md5; -+}; -+ -+key "md5-trunc" { -+ secret "97rnFx24Tfna4mHPfgnerA=="; -+ algorithm hmac-md5-80; -+}; -- 2.20.1 diff --git a/bind-9.11-host-idn-disable.patch b/bind-9.11-host-idn-disable.patch deleted file mode 100644 index 7f02b4c..0000000 --- a/bind-9.11-host-idn-disable.patch +++ /dev/null 
@@ -1,92 +0,0 @@ -From ec50eff97c259b5bfbfa4e050d69fe7b39b0f15a Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= -Date: Tue, 25 Sep 2018 18:08:46 +0200 -Subject: [PATCH] Disable IDN from environment as documented - -Manual page of host contained instructions to disable IDN processing -when it was built with libidn2. When refactoring IDN support however, -support for disabling IDN in host and nslookup was lost. Use also -environment variable and document it for nslookup, host and dig. - -Support variable CHARSET=ASCII to disable IDN, supported in downstream -RH patch since RHEL 5. ---- - bin/dig/dig.docbook | 4 +++- - bin/dig/dighost.c | 5 +++++ - bin/dig/host.docbook | 2 +- - bin/dig/nslookup.docbook | 15 +++++++++++++++ - 4 files changed, 24 insertions(+), 2 deletions(-) - -diff --git a/bin/dig/dig.docbook b/bin/dig/dig.docbook -index 5d19301..933af79 100644 ---- a/bin/dig/dig.docbook -+++ b/bin/dig/dig.docbook -@@ -1312,7 +1312,9 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr - reply from the server. - If you'd like to turn off the IDN support for some reason, use - parameters +noidnin and -- +noidnout. -+ +noidnout or define -+ the IDN_DISABLE environment variable. 
-+ - - - -diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c -index 5eabc1f..73aaab8 100644 ---- a/bin/dig/dighost.c -+++ b/bin/dig/dighost.c -@@ -826,6 +826,11 @@ make_empty_lookup(void) { - looknew->badcookie = true; - #ifdef WITH_IDN_SUPPORT - looknew->idnin = isatty(1)?(getenv("IDN_DISABLE") == NULL):false; -+ if (looknew->idnin) { -+ const char *charset = getenv("CHARSET"); -+ if (charset && !strcmp(charset, "ASCII")) -+ looknew->idnin = false; -+ } - #else - looknew->idnin = false; - #endif -diff --git a/bin/dig/host.docbook b/bin/dig/host.docbook -index da0f8fb..9689b5a 100644 ---- a/bin/dig/host.docbook -+++ b/bin/dig/host.docbook -@@ -379,7 +379,7 @@ - host appropriately converts character encoding of - domain name before sending a request to DNS server or displaying a - reply from the server. -- If you'd like to turn off the IDN support for some reason, defines -+ If you'd like to turn off the IDN support for some reason, define - the IDN_DISABLE environment variable. - The IDN support is disabled if the variable is set when - host runs. -diff --git a/bin/dig/nslookup.docbook b/bin/dig/nslookup.docbook -index d46fc2d..6d7d181 100644 ---- a/bin/dig/nslookup.docbook -+++ b/bin/dig/nslookup.docbook -@@ -495,6 +495,21 @@ nslookup -query=hinfo -timeout=10 - - - -+ IDN SUPPORT -+ -+ -+ If nslookup has been built with IDN (internationalized -+ domain name) support, it can accept and display non-ASCII domain names. -+ nslookup appropriately converts character encoding of -+ domain name before sending a request to DNS server or displaying a -+ reply from the server. -+ If you'd like to turn off the IDN support for some reason, define -+ the IDN_DISABLE environment variable. -+ The IDN support is disabled if the variable is set when -+ nslookup runs. -+ -+ -+ - FILES - - /etc/resolv.conf --- -2.20.1 - diff --git a/bind-9.11-rh1624100.patch b/bind-9.11-rh1624100.patch deleted file mode 100644 index 5764ed7..0000000 --- a/bind-9.11-rh1624100.patch +++ /dev/null 
@@ -1,288 +0,0 @@ -From 76594cba9a1e910bb36160d96fc3872349341799 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= -Date: Wed, 25 Apr 2018 14:04:31 +0200 -Subject: [PATCH] Replace isc_safe routines with their OpenSSL counter parts - -(cherry picked from commit 66ba2fdad583d962a1f4971c85d58381f0849e4d) - -Remove isc_safe_memcompare, it's not needed anywhere and can't be replaced with CRYPTO_memcmp() - -(cherry picked from commit b105ccee68ccc3c18e6ea530063b3c8e5a42571c) - -Fix the isc_safe_memwipe() usage with (NULL, >0) - -(cherry picked from commit 083461d3329ff6f2410745848a926090586a9846) ---- - bin/dnssec/dnssec-signzone.c | 2 +- - lib/dns/nsec3.c | 4 +- - lib/dns/spnego.c | 4 +- - lib/isc/Makefile.in | 8 +--- - lib/isc/include/isc/safe.h | 18 ++------ - lib/isc/safe.c | 83 ------------------------------------ - lib/isc/tests/safe_test.c | 18 -------- - 7 files changed, 11 insertions(+), 126 deletions(-) - delete mode 100644 lib/isc/safe.c - -diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c -index 6ddaebe..d921870 100644 ---- a/bin/dnssec/dnssec-signzone.c -+++ b/bin/dnssec/dnssec-signzone.c -@@ -787,7 +787,7 @@ hashlist_add_dns_name(hashlist_t *l, /*const*/ dns_name_t *name, - - static int - hashlist_comp(const void *a, const void *b) { -- return (isc_safe_memcompare(a, b, hash_length + 1)); -+ return (memcmp(a, b, hash_length + 1)); - } - - static void -diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c -index 6ae7ca8..01426d6 100644 ---- a/lib/dns/nsec3.c -+++ b/lib/dns/nsec3.c -@@ -1963,7 +1963,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name, - * Work out what this NSEC3 covers. - * Inside (<0) or outside (>=0). - */ -- scope = isc_safe_memcompare(owner, nsec3.next, nsec3.next_length); -+ scope = memcmp(owner, nsec3.next, nsec3.next_length); - - /* - * Prepare to compute all the hashes. 
-@@ -1987,7 +1987,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name, - return (ISC_R_IGNORE); - } - -- order = isc_safe_memcompare(hash, owner, length); -+ order = memcmp(hash, owner, length); - if (first && order == 0) { - /* - * The hashes are the same. -diff --git a/lib/dns/spnego.c b/lib/dns/spnego.c -index ad77f24..670982a 100644 ---- a/lib/dns/spnego.c -+++ b/lib/dns/spnego.c -@@ -371,7 +371,7 @@ gssapi_spnego_decapsulate(OM_uint32 *, - - /* mod_auth_kerb.c */ - --static int -+static isc_boolean_t - cmp_gss_type(gss_buffer_t token, gss_OID gssoid) - { - unsigned char *p; -@@ -395,7 +395,7 @@ cmp_gss_type(gss_buffer_t token, gss_OID gssoid) - if (((OM_uint32) *p++) != gssoid->length) - return (GSS_S_DEFECTIVE_TOKEN); - -- return (isc_safe_memcompare(p, gssoid->elements, gssoid->length)); -+ return (!isc_safe_memequal(p, gssoid->elements, gssoid->length)); - } - - /* accept_sec_context.c */ -diff --git a/lib/isc/Makefile.in b/lib/isc/Makefile.in -index 0fd0837..8ad54bb 100644 ---- a/lib/isc/Makefile.in -+++ b/lib/isc/Makefile.in -@@ -60,7 +60,7 @@ OBJS = @ISC_EXTRA_OBJS@ @ISC_PK11_O@ @ISC_PK11_RESULT_O@ \ - parseint.@O@ portset.@O@ quota.@O@ radix.@O@ random.@O@ \ - ratelimiter.@O@ refcount.@O@ region.@O@ regex.@O@ result.@O@ \ - rwlock.@O@ \ -- safe.@O@ serial.@O@ siphash.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \ -+ serial.@O@ siphash.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \ - string.@O@ strtoul.@O@ symtab.@O@ task.@O@ taskpool.@O@ \ - tm.@O@ timer.@O@ version.@O@ \ - ${UNIXOBJS} ${NLSOBJS} ${THREADOBJS} -@@ -79,7 +79,7 @@ SRCS = @ISC_EXTRA_SRCS@ @ISC_PK11_C@ @ISC_PK11_RESULT_C@ \ - netaddr.c netscope.c pool.c ondestroy.c \ - parseint.c portset.c quota.c radix.c random.c ${CHACHASRCS} \ - ratelimiter.c refcount.c region.c regex.c result.c rwlock.c \ -- safe.c serial.c siphash.c sha1.c sha2.c sockaddr.c stats.c string.c \ -+ serial.c siphash.c sha1.c sha2.c sockaddr.c stats.c string.c \ - strtoul.c symtab.c task.c taskpool.c timer.c 
\ - tm.c version.c - -@@ -95,10 +95,6 @@ TESTDIRS = @UNITTESTS@ - - @BIND9_MAKE_RULES@ - --safe.@O@: safe.c -- ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} @CCNOOPT@ \ -- -c ${srcdir}/safe.c -- - version.@O@: version.c - ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \ - -DVERSION=\"${VERSION}\" \ -diff --git a/lib/isc/include/isc/safe.h b/lib/isc/include/isc/safe.h -index 66ed08b..88b8f47 100644 ---- a/lib/isc/include/isc/safe.h -+++ b/lib/isc/include/isc/safe.h -@@ -15,29 +15,19 @@ - - /*! \file isc/safe.h */ - --#include -- --#include --#include -+#include -+#include - - ISC_LANG_BEGINDECLS - --bool --isc_safe_memequal(const void *s1, const void *s2, size_t n); -+#define isc_safe_memequal(s1, s2, n) !CRYPTO_memcmp(s1, s2, n) - /*%< - * Returns true iff. two blocks of memory are equal, otherwise - * false. - * - */ - --int --isc_safe_memcompare(const void *b1, const void *b2, size_t len); --/*%< -- * Clone of libc memcmp() which is safe to differential timing attacks. -- */ -- --void --isc_safe_memwipe(void *ptr, size_t len); -+#define isc_safe_memwipe(ptr, len) OPENSSL_cleanse(ptr, len) - /*%< - * Clear the memory of length `len` pointed to by `ptr`. - * -diff --git a/lib/isc/safe.c b/lib/isc/safe.c -deleted file mode 100644 -index 7a464b6..0000000 ---- a/lib/isc/safe.c -+++ /dev/null -@@ -1,83 +0,0 @@ --/* -- * Copyright (C) Internet Systems Consortium, Inc. ("ISC") -- * -- * This Source Code Form is subject to the terms of the Mozilla Public -- * License, v. 2.0. If a copy of the MPL was not distributed with this -- * file, You can obtain one at http://mozilla.org/MPL/2.0/. -- * -- * See the COPYRIGHT file distributed with this work for additional -- * information regarding copyright ownership. -- */ -- --/*! 
\file */ -- --#include -- --#include -- --#include --#include --#include -- --#ifdef WIN32 --#include --#endif -- --#ifdef _MSC_VER --#pragma optimize("", off) --#endif -- --bool --isc_safe_memequal(const void *s1, const void *s2, size_t n) { -- uint8_t acc = 0; -- -- if (n != 0U) { -- const uint8_t *p1 = s1, *p2 = s2; -- -- do { -- acc |= *p1++ ^ *p2++; -- } while (--n != 0U); -- } -- return (acc == 0); --} -- -- --int --isc_safe_memcompare(const void *b1, const void *b2, size_t len) { -- const unsigned char *p1 = b1, *p2 = b2; -- size_t i; -- int res = 0, done = 0; -- -- for (i = 0; i < len; i++) { -- /* lt is -1 if p1[i] < p2[i]; else 0. */ -- int lt = (p1[i] - p2[i]) >> CHAR_BIT; -- -- /* gt is -1 if p1[i] > p2[i]; else 0. */ -- int gt = (p2[i] - p1[i]) >> CHAR_BIT; -- -- /* cmp is 1 if p1[i] > p2[i]; -1 if p1[i] < p2[i]; else 0. */ -- int cmp = lt - gt; -- -- /* set res = cmp if !done. */ -- res |= cmp & ~done; -- -- /* set done if p1[i] != p2[i]. */ -- done |= lt | gt; -- } -- -- return (res); --} -- --void --isc_safe_memwipe(void *ptr, size_t len) { -- if (ISC_UNLIKELY(ptr == NULL || len == 0)) -- return; -- --#ifdef WIN32 -- SecureZeroMemory(ptr, len); --#elif HAVE_EXPLICIT_BZERO -- explicit_bzero(ptr, len); --#else -- memset(ptr, 0, len); --#endif --} -diff --git a/lib/isc/tests/safe_test.c b/lib/isc/tests/safe_test.c -index 266ac75..60e9181 100644 ---- a/lib/isc/tests/safe_test.c -+++ b/lib/isc/tests/safe_test.c -@@ -45,22 +45,6 @@ isc_safe_memequal_test(void **state) { - "\x00\x00\x00\x00", 4)); - } - --/* test isc_safe_memcompare() */ --static void --isc_safe_memcompare_test(void **state) { -- UNUSED(state); -- -- assert_int_equal(isc_safe_memcompare("test", "test", 4), 0); -- assert_true(isc_safe_memcompare("test", "tesc", 4) > 0); -- assert_true(isc_safe_memcompare("test", "tesy", 4) < 0); -- assert_int_equal(isc_safe_memcompare("\x00\x00\x00\x00", -- "\x00\x00\x00\x00", 4), 0); -- assert_true(isc_safe_memcompare("\x00\x00\x00\x00", -- 
"\x00\x00\x00\x01", 4) < 0); -- assert_true(isc_safe_memcompare("\x00\x00\x00\x02", -- "\x00\x00\x00\x00", 4) > 0); --} -- - /* test isc_safe_memwipe() */ - static void - isc_safe_memwipe_test(void **state) { -@@ -69,7 +53,6 @@ isc_safe_memwipe_test(void **state) { - /* These should pass. */ - isc_safe_memwipe(NULL, 0); - isc_safe_memwipe((void *) -1, 0); -- isc_safe_memwipe(NULL, 42); - - /* - * isc_safe_memwipe(ptr, size) should function same as -@@ -108,7 +91,6 @@ main(void) { - const struct CMUnitTest tests[] = { - cmocka_unit_test(isc_safe_memequal_test), - cmocka_unit_test(isc_safe_memwipe_test), -- cmocka_unit_test(isc_safe_memcompare_test), - }; - - return (cmocka_run_group_tests(tests, NULL, NULL)); --- -2.20.1 - diff --git a/bind-9.11-rh1663318.patch b/bind-9.11-rh1663318.patch deleted file mode 100644 index 1af7efb..0000000 --- a/bind-9.11-rh1663318.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From b16a1ff25644bb075f454afe68ee63f6f385ca9c Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= -Date: Wed, 23 Jan 2019 21:11:07 +0100 -Subject: [PATCH] Made RAND_status check optional (broke --disable-crypto-rand) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Unlike upstream, skip it also for DHCP. - -Disable RAND_status also in non-threaded builds. DHCP is built without -threads and should not check RAND_status on dns library initialization. -Lack of entropy is possible state for dhclient, but it must not fail -even in this case. Because DHCP itself does not require custom random -generator, leave default RAND_OpenSSL configured. It should help TLS -connection to LDAP in single DHCP binary, while keeping secure random -data if needed. - -(modified upstream commit 8a98277811ea50035ff37b744fa3dc5b75bee099) - -Signed-off-by: Petr Menšík ---- - lib/dns/openssl_link.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c -index 7a233dd..941eb17 100644 ---- a/lib/dns/openssl_link.c -+++ b/lib/dns/openssl_link.c -@@ -289,6 +289,7 @@ dst__openssl_init(const char *engine) { - #endif - #endif /* !defined(OPENSSL_NO_ENGINE) */ - -+#if defined(ISC_PLATFORM_CRYPTORANDOM) && defined(ISC_PLATFORM_USETHREADS) - /* Protect ourselves against unseeded PRNG */ - if (RAND_status() != 1) { - FATAL_ERROR(__FILE__, __LINE__, -@@ -296,6 +297,7 @@ dst__openssl_init(const char *engine) { - "cannot be initialized (see the `PRNG not " - "seeded' message in the OpenSSL FAQ)"); - } -+#endif - - return (ISC_R_SUCCESS); - --- -2.20.1 - diff --git a/bind-9.11-rt31459.patch b/bind-9.11-rt31459.patch index efcc6fa..587fc28 100644 --- a/bind-9.11-rt31459.patch +++ b/bind-9.11-rt31459.patch @@ -1,4 +1,4 @@ -From e83a6723d84e4c4400ca646077393a24b092c623 Mon Sep 17 00:00:00 2001 +From 31612e4f76eeb07d0fffa33814ce5edef04b286a Mon Sep 17 00:00:00 2001 
From: Evan Hunt Date: Tue, 12 Sep 2017 19:05:46 -0700 Subject: [PATCH] rebased rt31459c 
@@ -13,383 +13,24 @@ DNS_OPENSSL_LIBS -> DST_OPENSSL_LIBS Include new unit test --- - bin/confgen/keygen.c | 7 + - bin/dnssec/dnssec-dsfromkey.c | 8 +- - bin/dnssec/dnssec-importkey.c | 8 +- - bin/dnssec/dnssec-revoke.c | 8 +- - bin/dnssec/dnssec-settime.c | 8 +- - bin/dnssec/dnssec-signzone.c | 11 +- - bin/dnssec/dnssec-verify.c | 8 +- - bin/dnssec/dnssectool.c | 11 +- - bin/named/server.c | 6 + - bin/nsupdate/nsupdate.c | 14 +- - bin/tests/makejournal.c | 6 +- - bin/tests/system/pipelined/pipequeries.c | 20 +- - bin/tests/system/pipelined/tests.sh | 4 +- - bin/tests/system/rsabigexponent/bigkey.c | 4 + - bin/tests/system/tkey/keycreate.c | 26 ++- - bin/tests/system/tkey/keydelete.c | 26 ++- - bin/tests/system/tkey/tests.sh | 8 +- - bin/tools/mdig.c | 3 +- - configure | 250 +++++++++++++---------- - configure.ac | 77 ++++++- - lib/dns/dst_api.c | 21 +- - lib/dns/include/dst/dst.h | 8 + - lib/dns/lib.c | 15 +- - lib/dns/openssl_link.c | 72 ++++++- - lib/dns/pkcs11.c | 29 ++- - lib/dns/tests/Kyuafile | 1 + - lib/dns/tests/Makefile.in | 7 + - lib/dns/tests/dstrandom_test.c | 115 +++++++++++ - lib/dns/win32/libdns.def.in | 7 + - lib/isc/entropy.c | 24 +++ - lib/isc/include/isc/entropy.h | 12 ++ - lib/isc/include/isc/platform.h.in | 5 + - lib/isc/include/isc/types.h | 2 + - lib/isc/pk11.c | 12 +- - lib/isc/win32/include/isc/platform.h.in | 5 + - win32utils/Configure | 28 ++- - 36 files changed, 701 insertions(+), 175 deletions(-) - create mode 100644 lib/dns/tests/dstrandom_test.c + bin/tests/system/pipelined/pipequeries.c | 1 + + bin/tests/system/pipelined/tests.sh | 4 +- + bin/tests/system/tkey/keycreate.c | 1 + + bin/tests/system/tkey/keydelete.c | 1 + + bin/tests/system/tkey/tests.sh | 8 +- + configure | 97 ++++++++++-------------- + lib/dns/include/dst/dst.h | 8 ++ + lib/dns/lib.c | 1 + + lib/dns/tests/Makefile.in | 5 ++ + lib/isc/include/isc/types.h | 2 + + win32utils/Configure | 4 +- + 11 files changed, 66 insertions(+), 66 deletions(-) -diff --git 
a/bin/confgen/keygen.c b/bin/confgen/keygen.c -index 5015abb..295e16f 100644 ---- a/bin/confgen/keygen.c -+++ b/bin/confgen/keygen.c -@@ -165,6 +165,13 @@ generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg, - randomfile = NULL; - open_keyboard = ISC_ENTROPY_KEYBOARDYES; - } -+#ifdef ISC_PLATFORM_CRYPTORANDOM -+ if (randomfile != NULL && -+ strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { -+ randomfile = NULL; -+ isc_entropy_usehook(ectx, true); -+ } -+#endif - DO("start entropy source", isc_entropy_usebestsource(ectx, - &entropy_source, - randomfile, -diff --git a/bin/dnssec/dnssec-dsfromkey.c b/bin/dnssec/dnssec-dsfromkey.c -index d9d6bb9..de4b15f 100644 ---- a/bin/dnssec/dnssec-dsfromkey.c -+++ b/bin/dnssec/dnssec-dsfromkey.c -@@ -498,14 +498,14 @@ main(int argc, char **argv) { - - if (ectx == NULL) - setup_entropy(mctx, NULL, &ectx); -- result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE); -- if (result != ISC_R_SUCCESS) -- fatal("could not initialize hash"); - result = dst_lib_init(mctx, ectx, - ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY); - if (result != ISC_R_SUCCESS) - fatal("could not initialize dst: %s", - isc_result_totext(result)); -+ result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE); -+ if (result != ISC_R_SUCCESS) -+ fatal("could not initialize hash"); - isc_entropy_stopcallbacksources(ectx); - - setup_logging(mctx, &log); -@@ -574,8 +574,8 @@ main(int argc, char **argv) { - if (dns_rdataset_isassociated(&rdataset)) - dns_rdataset_disassociate(&rdataset); - cleanup_logging(&log); -- dst_lib_destroy(); - isc_hash_destroy(); -+ dst_lib_destroy(); - cleanup_entropy(&ectx); - dns_name_destroy(); - if (verbose > 10) -diff --git a/bin/dnssec/dnssec-importkey.c b/bin/dnssec/dnssec-importkey.c -index d65a514..04b3094 100644 ---- a/bin/dnssec/dnssec-importkey.c -+++ b/bin/dnssec/dnssec-importkey.c -@@ -404,14 +404,14 @@ main(int argc, char **argv) { - - if (ectx == NULL) - setup_entropy(mctx, NULL, &ectx); -- result = 
isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE); -- if (result != ISC_R_SUCCESS) -- fatal("could not initialize hash"); - result = dst_lib_init(mctx, ectx, - ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY); - if (result != ISC_R_SUCCESS) - fatal("could not initialize dst: %s", - isc_result_totext(result)); -+ result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE); -+ if (result != ISC_R_SUCCESS) -+ fatal("could not initialize hash"); - isc_entropy_stopcallbacksources(ectx); - - setup_logging(mctx, &log); -@@ -455,8 +455,8 @@ main(int argc, char **argv) { - if (dns_rdataset_isassociated(&rdataset)) - dns_rdataset_disassociate(&rdataset); - cleanup_logging(&log); -- dst_lib_destroy(); - isc_hash_destroy(); -+ dst_lib_destroy(); - cleanup_entropy(&ectx); - dns_name_destroy(); - if (verbose > 10) -diff --git a/bin/dnssec/dnssec-revoke.c b/bin/dnssec/dnssec-revoke.c -index 7d82dbf..10f9359 100644 ---- a/bin/dnssec/dnssec-revoke.c -+++ b/bin/dnssec/dnssec-revoke.c -@@ -184,14 +184,14 @@ main(int argc, char **argv) { - - if (ectx == NULL) - setup_entropy(mctx, NULL, &ectx); -- result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE); -- if (result != ISC_R_SUCCESS) -- fatal("Could not initialize hash"); - result = dst_lib_init2(mctx, ectx, engine, - ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY); - if (result != ISC_R_SUCCESS) - fatal("Could not initialize dst: %s", - isc_result_totext(result)); -+ result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE); -+ if (result != ISC_R_SUCCESS) -+ fatal("Could not initialize hash"); - isc_entropy_stopcallbacksources(ectx); - - result = dst_key_fromnamedfile(filename, dir, -@@ -273,8 +273,8 @@ main(int argc, char **argv) { - - cleanup: - dst_key_free(&key); -- dst_lib_destroy(); - isc_hash_destroy(); -+ dst_lib_destroy(); - cleanup_entropy(&ectx); - if (verbose > 10) - isc_mem_stats(mctx, stdout); -diff --git a/bin/dnssec/dnssec-settime.c b/bin/dnssec/dnssec-settime.c -index 7afcaee..1cfa511 100644 ---- a/bin/dnssec/dnssec-settime.c -+++ 
b/bin/dnssec/dnssec-settime.c -@@ -380,14 +380,14 @@ main(int argc, char **argv) { - - if (ectx == NULL) - setup_entropy(mctx, NULL, &ectx); -- result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE); -- if (result != ISC_R_SUCCESS) -- fatal("Could not initialize hash"); - result = dst_lib_init2(mctx, ectx, engine, - ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY); - if (result != ISC_R_SUCCESS) - fatal("Could not initialize dst: %s", - isc_result_totext(result)); -+ result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE); -+ if (result != ISC_R_SUCCESS) -+ fatal("Could not initialize hash"); - isc_entropy_stopcallbacksources(ectx); - - if (predecessor != NULL) { -@@ -672,8 +672,8 @@ main(int argc, char **argv) { - if (prevkey != NULL) - dst_key_free(&prevkey); - dst_key_free(&key); -- dst_lib_destroy(); - isc_hash_destroy(); -+ dst_lib_destroy(); - cleanup_entropy(&ectx); - if (verbose > 10) - isc_mem_stats(mctx, stdout); -diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c -index 71f5672..9b100ca 100644 ---- a/bin/dnssec/dnssec-signzone.c -+++ b/bin/dnssec/dnssec-signzone.c -@@ -3460,14 +3460,15 @@ main(int argc, char *argv[]) { - if (!pseudorandom) - eflags |= ISC_ENTROPY_GOODONLY; - -- result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE); -- if (result != ISC_R_SUCCESS) -- fatal("could not create hash context"); -- - result = dst_lib_init2(mctx, ectx, engine, eflags); - if (result != ISC_R_SUCCESS) - fatal("could not initialize dst: %s", - isc_result_totext(result)); -+ -+ result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE); -+ if (result != ISC_R_SUCCESS) -+ fatal("could not create hash context"); -+ - isc_stdtime_get(&now); - - if (startstr != NULL) { -@@ -3879,8 +3880,8 @@ main(int argc, char *argv[]) { - dns_master_styledestroy(&dsstyle, mctx); - - cleanup_logging(&log); -- dst_lib_destroy(); - isc_hash_destroy(); -+ dst_lib_destroy(); - cleanup_entropy(&ectx); - dns_name_destroy(); - if (verbose > 10) -diff --git 
a/bin/dnssec/dnssec-verify.c b/bin/dnssec/dnssec-verify.c -index 4c293bf..3263cbc 100644 ---- a/bin/dnssec/dnssec-verify.c -+++ b/bin/dnssec/dnssec-verify.c -@@ -281,15 +281,15 @@ main(int argc, char *argv[]) { - if (ectx == NULL) - setup_entropy(mctx, NULL, &ectx); - -- result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE); -- if (result != ISC_R_SUCCESS) -- fatal("could not create hash context"); -- - result = dst_lib_init2(mctx, ectx, engine, ISC_ENTROPY_BLOCKING); - if (result != ISC_R_SUCCESS) - fatal("could not initialize dst: %s", - isc_result_totext(result)); - -+ result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE); -+ if (result != ISC_R_SUCCESS) -+ fatal("could not create hash context"); -+ - isc_stdtime_get(&now); - - rdclass = strtoclass(classname); -diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c -index 9d2a016..a9f90b6 100644 ---- a/bin/dnssec/dnssectool.c -+++ b/bin/dnssec/dnssectool.c -@@ -34,6 +34,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -235,7 +236,8 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { - if (*ectx == NULL) { - result = isc_entropy_create(mctx, ectx); - if (result != ISC_R_SUCCESS) -- fatal("could not create entropy object"); -+ fatal("could not create entropy object: %s", -+ isc_result_totext(result)); - ISC_LIST_INIT(sources); - } - -@@ -244,6 +246,13 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { - randomfile = NULL; - } - -+#ifdef ISC_PLATFORM_CRYPTORANDOM -+ if (randomfile != NULL && -+ strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { -+ randomfile = NULL; -+ isc_entropy_usehook(*ectx, true); -+ } -+#endif - result = isc_entropy_usebestsource(*ectx, &source, randomfile, - usekeyboard); - -diff --git a/bin/named/server.c b/bin/named/server.c -index 5a860e4..21c340c 100644 ---- a/bin/named/server.c -+++ b/bin/named/server.c -@@ -36,6 +36,7 @@ - #include - #include - #include -+#include - #include - 
#include - #include -@@ -8217,6 +8218,10 @@ load_configuration(const char *filename, ns_server_t *server, - "no source of entropy found"); - } else { - const char *randomdev = cfg_obj_asstring(obj); -+#ifdef ISC_PLATFORM_CRYPTORANDOM -+ if (strcmp(randomdev, ISC_PLATFORM_CRYPTORANDOM) == 0) -+ isc_entropy_usehook(ns_g_entropy, true); -+#else - int level = ISC_LOG_ERROR; - result = isc_entropy_createfilesource(ns_g_entropy, - randomdev); -@@ -8251,6 +8256,7 @@ load_configuration(const char *filename, ns_server_t *server, - } - isc_entropy_detach(&ns_g_fallbackentropy); - } -+#endif - #endif - } - -diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c -index bbb3936..0286987 100644 ---- a/bin/nsupdate/nsupdate.c -+++ b/bin/nsupdate/nsupdate.c -@@ -272,7 +272,8 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { - if (*ectx == NULL) { - result = isc_entropy_create(mctx, ectx); - if (result != ISC_R_SUCCESS) -- fatal("could not create entropy object"); -+ fatal("could not create entropy object: %s", -+ isc_result_totext(result)); - ISC_LIST_INIT(sources); - } - -@@ -281,6 +282,13 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { - randomfile = NULL; - } - -+#ifdef ISC_PLATFORM_CRYPTORANDOM -+ if (randomfile != NULL && -+ strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { -+ randomfile = NULL; -+ isc_entropy_usehook(*ectx, true); -+ } -+#endif - result = isc_entropy_usebestsource(*ectx, &source, randomfile, - usekeyboard); - -@@ -979,11 +987,11 @@ setup_system(void) { - } - } - -- setup_entropy(gmctx, NULL, &entropy); -+ if (entropy == NULL) -+ setup_entropy(gmctx, NULL, &entropy); - - result = isc_hash_create(gmctx, entropy, DNS_NAME_MAXWIRE); - check_result(result, "isc_hash_create"); -- isc_hash_init(); - - result = dns_dispatchmgr_create(gmctx, entropy, &dispatchmgr); - check_result(result, "dns_dispatchmgr_create"); -diff --git a/bin/tests/makejournal.c b/bin/tests/makejournal.c -index 
61a41b0..acc71a1 100644 ---- a/bin/tests/makejournal.c -+++ b/bin/tests/makejournal.c -@@ -102,12 +102,12 @@ main(int argc, char **argv) { - CHECK(isc_mem_create(0, 0, &mctx)); - CHECK(isc_entropy_create(mctx, &ectx)); - -- CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)); -- hash_active = true; -- - CHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_BLOCKING)); - dst_active = true; - -+ CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)); -+ hash_active = true; -+ - CHECK(isc_log_create(mctx, &lctx, &logconfig)); - isc_log_registercategories(lctx, categories); - isc_log_setcontext(lctx); diff --git a/bin/tests/system/pipelined/pipequeries.c b/bin/tests/system/pipelined/pipequeries.c -index c6ab7f8..f0a6ff2 100644 +index 74de833..4fac3cb 100644 --- a/bin/tests/system/pipelined/pipequeries.c +++ b/bin/tests/system/pipelined/pipequeries.c -@@ -204,6 +204,7 @@ sendqueries(isc_task_t *task, isc_event_t *event) { +@@ -205,6 +205,7 @@ sendqueries(isc_task_t *task, isc_event_t *event) { int main(int argc, char *argv[]) { 
@@ -397,56 +38,6 @@ index c6ab7f8..f0a6ff2 100644 isc_sockaddr_t bind_any; struct in_addr inaddr; isc_result_t result; -@@ -222,7 +223,7 @@ main(int argc, char *argv[]) { - int c; - - isc_commandline_errprint = false; -- while ((c = isc_commandline_parse(argc, argv, "p:")) != -1) { -+ while ((c = isc_commandline_parse(argc, argv, "p:r:")) != -1) { - switch (c) { - case 'p': - result = isc_parse_uint16(&port, -@@ -233,6 +234,9 @@ main(int argc, char *argv[]) { - exit(1); - } - break; -+ case 'r': -+ randomfile = isc_commandline_argument; -+ break; - case '?': - fprintf(stderr, "%s: invalid argument '%c'", - argv[0], c); -@@ -275,10 +279,18 @@ main(int argc, char *argv[]) { - - ectx = NULL; - RUNCHECK(isc_entropy_create(mctx, &ectx)); -- RUNCHECK(isc_entropy_createfilesource(ectx, "../random.data")); -- RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)); -+#ifdef ISC_PLATFORM_CRYPTORANDOM -+ if (randomfile != NULL && -+ strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { -+ randomfile = NULL; -+ isc_entropy_usehook(ectx, true); -+ } -+#endif -+ if (randomfile != NULL) -+ RUNCHECK(isc_entropy_createfilesource(ectx, randomfile)); - - RUNCHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_GOODONLY)); -+ RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)); - - taskmgr = NULL; - RUNCHECK(isc_taskmgr_create(mctx, 1, 0, &taskmgr)); -@@ -331,8 +343,8 @@ main(int argc, char *argv[]) { - isc_task_detach(&task); - isc_taskmgr_destroy(&taskmgr); - -- dst_lib_destroy(); - isc_hash_destroy(); -+ dst_lib_destroy(); - isc_entropy_detach(&ectx); - - isc_log_destroy(&lctx); diff --git a/bin/tests/system/pipelined/tests.sh b/bin/tests/system/pipelined/tests.sh index 61f1ff7..ed1302a 100644 --- a/bin/tests/system/pipelined/tests.sh 
@@ -469,33 +60,11 @@ index 61f1ff7..ed1302a 100644 awk '{ print $1 " " $5 }' < rawb > outputb $DIFF refb outputb || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -diff --git a/bin/tests/system/rsabigexponent/bigkey.c b/bin/tests/system/rsabigexponent/bigkey.c -index 4462f2e..f06268d 100644 ---- a/bin/tests/system/rsabigexponent/bigkey.c -+++ b/bin/tests/system/rsabigexponent/bigkey.c -@@ -20,6 +20,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -183,6 +184,9 @@ main(int argc, char **argv) { - - CHECK(isc_mem_create(0, 0, &mctx), "isc_mem_create()"); - CHECK(isc_entropy_create(mctx, &ectx), "isc_entropy_create()"); -+#ifdef ISC_PLATFORM_CRYPTORANDOM -+ isc_entropy_usehook(ectx, true); -+#endif - CHECK(isc_entropy_usebestsource(ectx, &source, - "../random.data", - ISC_ENTROPY_KEYBOARDNO), diff --git a/bin/tests/system/tkey/keycreate.c b/bin/tests/system/tkey/keycreate.c -index 653c951..fe8698e 100644 +index c39f6a4..b29a3cb 100644 --- a/bin/tests/system/tkey/keycreate.c +++ b/bin/tests/system/tkey/keycreate.c -@@ -206,6 +206,7 @@ sendquery(isc_task_t *task, isc_event_t *event) { +@@ -195,6 +195,7 @@ sendquery(isc_task_t *task, isc_event_t *event) { int main(int argc, char *argv[]) { char *ourkeyname; 
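Review bot: The keycreate.c hunk this commit keeps (`+@@ -195,6 +195,7 @@ sendquery`) still adds one line to `main()` right after `char *ourkeyname;`, but that line's content is not in this diff, while every use the old patch made of a `randomfile` variable in that function — the `-r` argument parsing and the `ISC_PLATFORM_CRYPTORANDOM`/`isc_entropy_usehook` block — is removed in the following hunk. If the kept line is that `randomfile` declaration, the trimmed patch leaves it unreferenced unless the rebased keycreate.c (index `c39f6a4..b29a3cb`, so a different base tree) already consumes it; please confirm against the new base and drop the one-line hunk if nothing reads it. The same shape recurs for keydelete.c and pipequeries.c in this diff, so the check applies to all three test programs. `main()` in keycreate.c continues outside this hunk.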
@@ -503,65 +72,8 @@ index 653c951..fe8698e 100644 isc_taskmgr_t *taskmgr; isc_timermgr_t *timermgr; isc_socketmgr_t *socketmgr; -@@ -225,10 +226,21 @@ main(int argc, char *argv[]) { - - RUNCHECK(isc_app_start()); - -+ randomfile = NULL; -+ - if (argc < 2) { - fprintf(stderr, "I:no DH key provided\n"); - exit(-1); - } -+ if (strcmp(argv[1], "-r") == 0) { -+ if (argc < 4) { -+ fprintf(stderr, "I:no DH key provided\n"); -+ exit(-1); -+ } -+ randomfile = argv[2]; -+ argv += 2; -+ argc -= 2; -+ } - ourkeyname = argv[1]; - - if (argc >= 3) -@@ -242,14 +254,22 @@ main(int argc, char *argv[]) { - - ectx = NULL; - RUNCHECK(isc_entropy_create(mctx, &ectx)); -- RUNCHECK(isc_entropy_createfilesource(ectx, "../random.data")); -- RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)); -+#ifdef ISC_PLATFORM_CRYPTORANDOM -+ if (randomfile != NULL && -+ strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { -+ randomfile = NULL; -+ isc_entropy_usehook(ectx, true); -+ } -+#endif -+ if (randomfile != NULL) -+ RUNCHECK(isc_entropy_createfilesource(ectx, randomfile)); - - log = NULL; - logconfig = NULL; - RUNCHECK(isc_log_create(mctx, &log, &logconfig)); - - RUNCHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_GOODONLY)); -+ RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)); - - taskmgr = NULL; - RUNCHECK(isc_taskmgr_create(mctx, 1, 0, &taskmgr)); -@@ -328,8 +348,8 @@ main(int argc, char *argv[]) { - - isc_log_destroy(&log); - -- dst_lib_destroy(); - isc_hash_destroy(); -+ dst_lib_destroy(); - isc_entropy_detach(&ectx); - - isc_mem_destroy(&mctx); diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c -index 70a40c3..2146f9b 100644 +index 547e8d0..efcea1d 100644 --- a/bin/tests/system/tkey/keydelete.c +++ b/bin/tests/system/tkey/keydelete.c @@ -136,6 +136,7 @@ sendquery(isc_task_t *task, isc_event_t *event) { 
@@ -572,68 +84,11 @@ index 70a40c3..2146f9b 100644 isc_taskmgr_t *taskmgr; isc_timermgr_t *timermgr; isc_socketmgr_t *socketmgr; -@@ -156,10 +157,21 @@ main(int argc, char **argv) { - - RUNCHECK(isc_app_start()); - -+ randomfile = NULL; -+ - if (argc < 2) { - fprintf(stderr, "I:no key to delete\n"); - exit(-1); - } -+ if (strcmp(argv[1], "-r") == 0) { -+ if (argc < 4) { -+ fprintf(stderr, "I:no DH key provided\n"); -+ exit(-1); -+ } -+ randomfile = argv[2]; -+ argv += 2; -+ argc -= 2; -+ } - keyname = argv[1]; - - dns_result_register(); -@@ -169,14 +181,22 @@ main(int argc, char **argv) { - - ectx = NULL; - RUNCHECK(isc_entropy_create(mctx, &ectx)); -- RUNCHECK(isc_entropy_createfilesource(ectx, "../random.data")); -- RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)); -+#ifdef ISC_PLATFORM_CRYPTORANDOM -+ if (randomfile != NULL && -+ strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { -+ randomfile = NULL; -+ isc_entropy_usehook(ectx, true); -+ } -+#endif -+ if (randomfile != NULL) -+ RUNCHECK(isc_entropy_createfilesource(ectx, randomfile)); - - log = NULL; - logconfig = NULL; - RUNCHECK(isc_log_create(mctx, &log, &logconfig)); - - RUNCHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_GOODONLY)); -+ RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)); - - taskmgr = NULL; - RUNCHECK(isc_taskmgr_create(mctx, 1, 0, &taskmgr)); -@@ -264,8 +284,8 @@ main(int argc, char **argv) { - - isc_log_destroy(&log); - -- dst_lib_destroy(); - isc_hash_destroy(); -+ dst_lib_destroy(); - isc_entropy_detach(&ectx); - - isc_mem_destroy(&mctx); diff --git a/bin/tests/system/tkey/tests.sh b/bin/tests/system/tkey/tests.sh -index 9f90dd7..fad6c83 100644 +index a293d32..51ed2cb 100644 --- a/bin/tests/system/tkey/tests.sh +++ b/bin/tests/system/tkey/tests.sh -@@ -33,7 +33,7 @@ for owner in . foo.example. +@@ -31,7 +31,7 @@ for owner in . foo.example. do echo "I:creating new key using owner name \"$owner\"" ret=0 
@@ -642,7 +97,7 @@ index 9f90dd7..fad6c83 100644 if [ $ret != 0 ]; then echo "I:failed" status=`expr $status + $ret` -@@ -55,7 +55,7 @@ do +@@ -53,7 +53,7 @@ do echo "I:deleting new key" ret=0 @@ -651,7 +106,7 @@ index 9f90dd7..fad6c83 100644 if [ $ret != 0 ]; then echo "I:failed" fi -@@ -75,7 +75,7 @@ done +@@ -73,7 +73,7 @@ done echo "I:creating new key using owner name bar.example." ret=0 @@ -660,7 +115,7 @@ index 9f90dd7..fad6c83 100644 if [ $ret != 0 ]; then echo "I:failed" status=`expr $status + $ret` -@@ -116,7 +116,7 @@ status=`expr $status + $ret` +@@ -114,7 +114,7 @@ status=`expr $status + $ret` echo "I:recreating the bar.example. key" ret=0 @@ -669,29 +124,11 @@ index 9f90dd7..fad6c83 100644 if [ $ret != 0 ]; then echo "I:failed" status=`expr $status + $ret` -diff --git a/bin/tools/mdig.c b/bin/tools/mdig.c -index bf6dbb6..0416b21 100644 ---- a/bin/tools/mdig.c -+++ b/bin/tools/mdig.c -@@ -1972,12 +1972,11 @@ main(int argc, char *argv[]) { - - ectx = NULL; - RUNCHECK(isc_entropy_create(mctx, &ectx)); -+ RUNCHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_GOODONLY)); - RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)); - RUNCHECK(isc_entropy_getdata(ectx, cookie_secret, - sizeof(cookie_secret), NULL, 0)); - -- RUNCHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_GOODONLY)); -- - ISC_LIST_INIT(queries); - parse_args(false, argc, argv); - if (server == NULL) diff --git a/configure b/configure -index aab472a..b686178 100755 +index 4c97c8c..1e047bd 100755 --- a/configure +++ b/configure -@@ -640,6 +640,7 @@ ac_includes_default="\ +@@ -632,6 +632,7 @@ ac_includes_default="\ ac_subst_vars='LTLIBOBJS LIBOBJS 
@@ -699,260 +136,7 @@ index aab472a..b686178 100755 BUILD_LIBS BUILD_LDFLAGS BUILD_CPPFLAGS -@@ -821,6 +822,7 @@ XMLSTATS - NZDTARGETS - NZDSRCS - NZD_TOOLS -+ISC_PLATFORM_CRYPTORANDOM - PKCS11_TEST - PKCS11_ED25519 - PKCS11_GOST -@@ -1045,6 +1047,7 @@ with_eddsa - with_aes - enable_openssl_hash - with_cc_alg -+enable_crypto_rand - with_lmdb - with_libxml2 - with_libjson -@@ -1745,6 +1748,7 @@ Optional Features: - --enable-threads enable multithreading - --enable-native-pkcs11 use native PKCS11 for all crypto [default=no] - --enable-openssl-hash use OpenSSL for hash functions [default=no] -+ --enable-crypto-rand use the crypto provider for random [default=yes] - --enable-largefile 64-bit file support - --enable-backtrace log stack backtrace on abort [default=yes] - --enable-symtable use internal symbol table for backtrace -@@ -17135,6 +17139,7 @@ case "$use_openssl" in - $as_echo "disabled because of native PKCS11" >&6; } - DST_OPENSSL_INC="" - CRYPTO="-DPKCS11CRYPTO" -+ CRYPTOLIB="pkcs11" - OPENSSLECDSALINKOBJS="" - OPENSSLECDSALINKSRCS="" - OPENSSLEDDSALINKOBJS="" -@@ -17149,6 +17154,7 @@ $as_echo "disabled because of native PKCS11" >&6; } - $as_echo "no" >&6; } - DST_OPENSSL_INC="" - CRYPTO="" -+ CRYPTOLIB="" - OPENSSLECDSALINKOBJS="" - OPENSSLECDSALINKSRCS="" - OPENSSLEDDSALINKOBJS="" -@@ -17161,6 +17167,7 @@ $as_echo "no" >&6; } - auto) - DST_OPENSSL_INC="" - CRYPTO="" -+ CRYPTOLIB="" - OPENSSLECDSALINKOBJS="" - OPENSSLECDSALINKSRCS="" - OPENSSLEDDSALINKOBJS="" -@@ -17170,7 +17177,7 @@ $as_echo "no" >&6; } - OPENSSLLINKOBJS="" - OPENSSLLINKSRCS="" - as_fn_error $? "OpenSSL was not found in any of $openssldirs; use --with-openssl=/path --If you don't want OpenSSL, use --without-openssl" "$LINENO" 5 -+If you do not want OpenSSL, use --without-openssl" "$LINENO" 5 - ;; - *) - if test "yes" = "$want_native_pkcs11" -@@ -17201,6 +17208,7 @@ $as_echo "not found" >&6; } - as_fn_error $? 
"\"$use_openssl/include/openssl/opensslv.h\" not found" "$LINENO" 5 - fi - CRYPTO='-DOPENSSL' -+ CRYPTOLIB="openssl" - if test "/usr" = "$use_openssl" - then - DST_OPENSSL_INC="" -@@ -17826,8 +17834,6 @@ fi - # Use OpenSSL for hash functions - # - --{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for using OpenSSL for hash functions" >&5 --$as_echo_n "checking for using OpenSSL for hash functions... " >&6; } - ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH" - case $want_openssl_hash in - yes) -@@ -18202,6 +18208,86 @@ if test "rt" = "$have_clock_gt"; then - LIBS="-lrt $LIBS" - fi - -+# -+# Use the crypto provider (OpenSSL/PKCS#11) for random functions -+# -+ -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for using the crypto library (vs. builtin) for random functions" >&5 -+$as_echo_n "checking for using the crypto library (vs. builtin) for random functions... " >&6; } -+# Check whether --enable-crypto-rand was given. -+if test "${enable_crypto_rand+set}" = set; then : -+ enableval=$enable_crypto_rand; want_crypto_rand="$enableval" -+else -+ want_crypto_rand="auto" -+fi -+ -+if test "$want_crypto_rand" = "auto" -+then -+ case "$CRYPTOLIB" in -+ "") -+ want_crypto_rand="no" -+ ;; -+ pkcs11) -+ want_crypto_rand="yes" -+ ;; -+ openssl) -+ saved_cflags="$CFLAGS" -+ saved_libs="$LIBS" -+ CFLAGS="$CFLAGS $DST_OPENSSL_INC" -+ LIBS="$LIBS $DST_OPENSSL_LIBS" -+ if test "$cross_compiling" = yes; then : -+ want_crypto_rand="yes" -+else -+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext -+/* end confdefs.h. */ -+ -+#include -+ -+unsigned char buf[128]; -+ -+int main() -+{ -+ if (RAND_bytes(buf, 128) != 1) -+ return (1); -+ return (0); -+} -+ -+_ACEOF -+if ac_fn_c_try_run "$LINENO"; then : -+ want_crypto_rand="yes" -+else -+ want_crypto_rand="no" -+fi -+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ -+ conftest.$ac_objext conftest.beam conftest.$ac_ext -+fi -+ -+ CFLAGS="$saved_cflags" -+ LIBS="$saved_libs" -+ ;; -+ *) -+ as_fn_error $? 
"Unknown crypto library define $CRYPTOLIB" "$LINENO" 5 -+ ;; -+ esac -+fi -+case $want_crypto_rand in -+ yes) -+ if test "$CRYPTOLIB" = "" -+ then -+ as_fn_error $? "No crypto library for random functions" "$LINENO" 5 -+ fi -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: \"$CRYPTOLIB\"" >&5 -+$as_echo "\"$CRYPTOLIB\"" >&6; } -+ ISC_PLATFORM_CRYPTORANDOM="#define ISC_PLATFORM_CRYPTORANDOM \"$CRYPTOLIB\"" -+ ;; -+ no) -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -+$as_echo "no" >&6; } -+ ISC_PLATFORM_CRYPTORANDOM="#undef ISC_PLATFORM_CRYPTORANDOM" -+ ;; -+esac -+ -+ - # - # was --with-lmdb specified? - # -@@ -20284,9 +20370,12 @@ _ACEOF - if ac_fn_c_try_compile "$LINENO"; then : - { $as_echo "$as_me:${as_lineno-$LINENO}: result: size_t for buflen; int for flags" >&5 - $as_echo "size_t for buflen; int for flags" >&6; } -- $as_echo "#define IRS_GETNAMEINFO_SOCKLEN_T size_t" >>confdefs.h -+ # Changed to solve multilib conflict on Fedora -+ # AC_DEFINE(IRS_GETNAMEINFO_SOCKLEN_T, size_t) -+ # AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, size_t) -+ $as_echo "#define IRS_GETNAMEINFO_SOCKLEN_T socklen_t" >>confdefs.h - -- $as_echo "#define IRS_GETNAMEINFO_BUFLEN_T size_t" >>confdefs.h -+ $as_echo "#define IRS_GETNAMEINFO_BUFLEN_T socklen_t" >>confdefs.h - - $as_echo "#define IRS_GETNAMEINFO_FLAGS_T int" >>confdefs.h - -@@ -21601,12 +21690,7 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM" - ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM" - ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM" - if test "yes" = "$use_atomic"; then -- have_atomic=yes # set default -- case "$host" in -- i[3456]86-*) -- # XXX: some old x86 architectures actually do not support -- # (some of) these operations. Do we need stricter checks? 
-- # The cast to long int works around a bug in the HP C Compiler -+ # The cast to long int works around a bug in the HP C Compiler - # version HP92453-01 B.11.11.23709.GP, which incorrectly rejects - # declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. - # This bug is HP SR number 8606223364. -@@ -21639,6 +21723,11 @@ cat >>confdefs.h <<_ACEOF - _ACEOF - - -+ have_atomic=yes # set default -+ case "$host" in -+ i[3456]86-*) -+ # XXX: some old x86 architectures actually do not support -+ # (some of) these operations. Do we need stricter checks? - if test $ac_cv_sizeof_void_p = 8; then - arch=x86_64 - have_xaddq=yes -@@ -21647,39 +21736,6 @@ _ACEOF - fi - ;; - x86_64-*|amd64-*) -- # The cast to long int works around a bug in the HP C Compiler --# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects --# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. --# This bug is HP SR number 8606223364. --{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of void *" >&5 --$as_echo_n "checking size of void *... " >&6; } --if ${ac_cv_sizeof_void_p+:} false; then : -- $as_echo_n "(cached) " >&6 --else -- if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (void *))" "ac_cv_sizeof_void_p" "$ac_includes_default"; then : -- --else -- if test "$ac_cv_type_void_p" = yes; then -- { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 --$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} --as_fn_error 77 "cannot compute sizeof (void *) --See \`config.log' for more details" "$LINENO" 5; } -- else -- ac_cv_sizeof_void_p=0 -- fi --fi -- --fi --{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_void_p" >&5 --$as_echo "$ac_cv_sizeof_void_p" >&6; } -- -- -- --cat >>confdefs.h <<_ACEOF --#define SIZEOF_VOID_P $ac_cv_sizeof_void_p --_ACEOF -- -- - if test $ac_cv_sizeof_void_p = 8; then - arch=x86_64 - have_xaddq=yes -@@ -21710,6 +21766,10 @@ $as_echo_n "checking architecture type for atomic operations... 
" >&6; } - $as_echo "$arch" >&6; } - fi - -+if test ! "$arch" = "x86_64" -a "$have_xaddq" = "yes"; then -+ as_fn_error $? "XADDQ present but disabled by Fedora patch!" "$LINENO" 5 -+fi -+ - if test "yes" = "$have_atomic"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: checking compiler support for inline assembly code" >&5 - $as_echo_n "checking compiler support for inline assembly code... " >&6; } -@@ -24264,6 +24324,30 @@ CFLAGS="$CFLAGS $SO_CFLAGS" +@@ -20509,6 +20510,30 @@ fi # dlzdir='${DLZ_DRIVER_DIR}' @@ -983,7 +167,7 @@ index aab472a..b686178 100755 # # Private autoconf macro to simplify configuring drivers: # -@@ -24594,11 +24678,11 @@ $as_echo "no" >&6; } +@@ -20839,11 +20864,11 @@ $as_echo "no" >&6; } $as_echo "using mysql with libs ${mysql_lib} and includes ${mysql_include}" >&6; } ;; *) @@ -998,7 +182,7 @@ index aab472a..b686178 100755 fi CONTRIB_DLZ="$CONTRIB_DLZ -DDLZ_MYSQL" -@@ -24683,7 +24767,7 @@ $as_echo "" >&6; } +@@ -20928,7 +20953,7 @@ $as_echo "" >&6; } # Check other locations for includes. # Order is important (sigh). @@ -1007,7 +191,7 @@ index aab472a..b686178 100755 # include a blank element first for d in "" $bdb_incdirs do -@@ -24708,57 +24792,9 @@ $as_echo "" >&6; } +@@ -20953,57 +20978,9 @@ $as_echo "" >&6; } bdb_libnames="db53 db-5.3 db51 db-5.1 db48 db-4.8 db47 db-4.7 db46 db-4.6 db45 db-4.5 db44 db-4.4 db43 db-4.3 db42 db-4.2 db41 db-4.1 db" for d in $bdb_libnames do @@ -1067,7 +251,7 @@ index aab472a..b686178 100755 break fi done -@@ -24917,10 +24953,10 @@ $as_echo "no" >&6; } +@@ -21162,10 +21139,10 @@ $as_echo "no" >&6; } DLZ_DRIVER_INCLUDES="$DLZ_DRIVER_INCLUDES -I$use_dlz_ldap/include" DLZ_DRIVER_LDAP_INCLUDES="-I$use_dlz_ldap/include" fi @@ -1081,7 +265,7 @@ index aab472a..b686178 100755 fi -@@ -25006,11 +25042,11 @@ fi +@@ -21251,11 +21228,11 @@ fi odbcdirs="/usr /usr/local /usr/pkg" for d in $odbcdirs do 
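Review bot: After this hunk the patch still inserts 24 lines into the generated `configure` script at `+@@ -20509,6 +20510,30 @@ fi` (the block following `# dlzdir='${DLZ_DRIVER_DIR}'`), yet the whole `configure.ac` section the old patch carried is removed later in this diff, so as far as this diff shows nothing keeps the two files in sync any more. If the package build runs autoreconf, or the next rebase regenerates `configure`, those lines will silently disappear; either carry the matching `configure.ac` change or record in the patch description that only the generated script is patched on purpose. The 24 inserted lines themselves are outside this diff, so this is a provenance concern, not a review of their content.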
@@ -1095,7 +279,7 @@ index aab472a..b686178 100755 break fi done -@@ -25285,6 +25321,8 @@ DNS_CRYPTO_LIBS="$NEWFLAGS" +@@ -21530,6 +21507,8 @@ DNS_CRYPTO_LIBS="$NEWFLAGS" 
@@ -1104,272 +288,11 @@ index aab472a..b686178 100755 # # Commands to run at the end of config.status. # Don't just put these into configure, it won't work right if somebody -@@ -27661,6 +27699,8 @@ report() { - echo " IPv6 support (--enable-ipv6)" - test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \ - echo " OpenSSL cryptography/DNSSEC (--with-openssl)" -+ test "no" = "$want_crypto_rand" || \ -+ echo " Crypto provider entropy source (--enable-crypto-rand)" - test "X$PYTHON" = "X" || echo " Python tools (--with-python)" - test "X$XMLSTATS" = "X" || echo " XML statistics (--with-libxml2)" - test "X$JSONSTATS" = "X" || echo " JSON statistics (--with-libjson)" -@@ -27701,6 +27741,8 @@ report() { - echo " Very verbose query trace logging (--enable-querytrace)" - test "no" = "$with_cmocka" || echo " CMocka Unit Testing Framework (--with-cmocka)" - -+ echo " Cryptographic library for DNSSEC: $CRYPTOLIB" -+ - echo " Dynamically loadable zone (DLZ) drivers:" - test "no" = "$use_dlz_bdb" || \ - echo " Berkeley DB (--with-dlz-bdb)" -@@ -27748,6 +27790,8 @@ report() { - echo " ECDSA algorithm support (--with-ecdsa)" - test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \ - echo " EDDSA algorithm support (--with-eddsa)" -+ test "yes" = "$want_crypto_rand" || \ -+ echo " Crypto provider entropy source (--enable-crypto-rand)" - - test "yes" = "$enable_seccomp" || \ - echo " Use libseccomp system call filtering (--enable-seccomp)" -diff --git a/configure.ac b/configure.ac -index 0e16cc8..dd0055d 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -1550,6 +1550,7 @@ case "$use_openssl" in - AC_MSG_RESULT(disabled because of native PKCS11) - DST_OPENSSL_INC="" - CRYPTO="-DPKCS11CRYPTO" -+ CRYPTOLIB="pkcs11" - OPENSSLECDSALINKOBJS="" - OPENSSLECDSALINKSRCS="" - OPENSSLEDDSALINKOBJS="" -@@ -1563,6 +1564,7 @@ case "$use_openssl" in - AC_MSG_RESULT(no) - DST_OPENSSL_INC="" - CRYPTO="" -+ CRYPTOLIB="" - OPENSSLECDSALINKOBJS="" - 
OPENSSLECDSALINKSRCS="" - OPENSSLEDDSALINKOBJS="" -@@ -1575,6 +1577,7 @@ case "$use_openssl" in - auto) - DST_OPENSSL_INC="" - CRYPTO="" -+ CRYPTOLIB="" - OPENSSLECDSALINKOBJS="" - OPENSSLECDSALINKSRCS="" - OPENSSLEDDSALINKOBJS="" -@@ -1585,7 +1588,7 @@ case "$use_openssl" in - OPENSSLLINKSRCS="" - AC_MSG_ERROR( - [OpenSSL was not found in any of $openssldirs; use --with-openssl=/path --If you don't want OpenSSL, use --without-openssl]) -+If you do not want OpenSSL, use --without-openssl]) - ;; - *) - if test "yes" = "$want_native_pkcs11" -@@ -1615,6 +1618,7 @@ If you don't want OpenSSL, use --without-openssl]) - AC_MSG_ERROR(["$use_openssl/include/openssl/opensslv.h" not found]) - fi - CRYPTO='-DOPENSSL' -+ CRYPTOLIB="openssl" - if test "/usr" = "$use_openssl" - then - DST_OPENSSL_INC="" -@@ -2050,7 +2054,6 @@ fi - # Use OpenSSL for hash functions - # - --AC_MSG_CHECKING(for using OpenSSL for hash functions) - ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH" - case $want_openssl_hash in - yes) -@@ -2322,6 +2325,67 @@ if test "rt" = "$have_clock_gt"; then - LIBS="-lrt $LIBS" - fi - -+# -+# Use the crypto provider (OpenSSL/PKCS#11) for random functions -+# -+ -+AC_MSG_CHECKING(for using the crypto library (vs. 
builtin) for random functions) -+AC_ARG_ENABLE(crypto-rand, -+ [ --enable-crypto-rand use the crypto provider for random [[default=yes]]], -+ want_crypto_rand="$enableval", want_crypto_rand="auto") -+if test "$want_crypto_rand" = "auto" -+then -+ case "$CRYPTOLIB" in -+ "") -+ want_crypto_rand="no" -+ ;; -+ pkcs11) -+ want_crypto_rand="yes" -+ ;; -+ openssl) -+ saved_cflags="$CFLAGS" -+ saved_libs="$LIBS" -+ CFLAGS="$CFLAGS $DST_OPENSSL_INC" -+ LIBS="$LIBS $DST_OPENSSL_LIBS" -+ AC_TRY_RUN([ -+#include -+ -+unsigned char buf[128]; -+ -+int main() -+{ -+ if (RAND_bytes(buf, 128) != 1) -+ return (1); -+ return (0); -+} -+], -+ [want_crypto_rand="yes"], -+ [want_crypto_rand="no"], -+ [want_crypto_rand="yes"]) -+ CFLAGS="$saved_cflags" -+ LIBS="$saved_libs" -+ ;; -+ *) -+ AC_MSG_ERROR([Unknown crypto library define $CRYPTOLIB]) -+ ;; -+ esac -+fi -+case $want_crypto_rand in -+ yes) -+ if test "$CRYPTOLIB" = "" -+ then -+ AC_MSG_ERROR([No crypto library for random functions]) -+ fi -+ AC_MSG_RESULT(["$CRYPTOLIB"]) -+ ISC_PLATFORM_CRYPTORANDOM="#define ISC_PLATFORM_CRYPTORANDOM \"$CRYPTOLIB\"" -+ ;; -+ no) -+ AC_MSG_RESULT(no) -+ ISC_PLATFORM_CRYPTORANDOM="#undef ISC_PLATFORM_CRYPTORANDOM" -+ ;; -+esac -+AC_SUBST(ISC_PLATFORM_CRYPTORANDOM) -+ - # - # was --with-lmdb specified? - # -@@ -4118,12 +4182,12 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM" - ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM" - ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM" - if test "yes" = "$use_atomic"; then -+ AC_CHECK_SIZEOF([void *]) - have_atomic=yes # set default - case "$host" in - [i[3456]86-*]) - # XXX: some old x86 architectures actually do not support - # (some of) these operations. Do we need stricter checks? 
-- AC_CHECK_SIZEOF([void *]) - if test $ac_cv_sizeof_void_p = 8; then - arch=x86_64 - have_xaddq=yes -@@ -4132,7 +4196,6 @@ if test "yes" = "$use_atomic"; then - fi - ;; - x86_64-*|amd64-*) -- AC_CHECK_SIZEOF([void *]) - if test $ac_cv_sizeof_void_p = 8; then - arch=x86_64 - have_xaddq=yes -@@ -5537,6 +5600,8 @@ report() { - echo " IPv6 support (--enable-ipv6)" - test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \ - echo " OpenSSL cryptography/DNSSEC (--with-openssl)" -+ test "no" = "$want_crypto_rand" || \ -+ echo " Crypto provider entropy source (--enable-crypto-rand)" - test "X$PYTHON" = "X" || echo " Python tools (--with-python)" - test "X$XMLSTATS" = "X" || echo " XML statistics (--with-libxml2)" - test "X$JSONSTATS" = "X" || echo " JSON statistics (--with-libjson)" -@@ -5577,6 +5642,8 @@ report() { - echo " Very verbose query trace logging (--enable-querytrace)" - test "no" = "$with_cmocka" || echo " CMocka Unit Testing Framework (--with-cmocka)" - -+ echo " Cryptographic library for DNSSEC: $CRYPTOLIB" -+ - echo " Dynamically loadable zone (DLZ) drivers:" - test "no" = "$use_dlz_bdb" || \ - echo " Berkeley DB (--with-dlz-bdb)" -@@ -5624,6 +5691,8 @@ report() { - echo " ECDSA algorithm support (--with-ecdsa)" - test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \ - echo " EDDSA algorithm support (--with-eddsa)" -+ test "yes" = "$want_crypto_rand" || \ -+ echo " Crypto provider entropy source (--enable-crypto-rand)" - - test "yes" = "$enable_seccomp" || \ - echo " Use libseccomp system call filtering (--enable-seccomp)" -diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c -index 65bf25d..1eccbe7 100644 ---- a/lib/dns/dst_api.c -+++ b/lib/dns/dst_api.c -@@ -277,6 +277,12 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx, - #ifdef GSSAPI - RETERR(dst__gssapi_init(&dst_t_func[DST_ALG_GSSAPI])); - #endif -+#if defined(OPENSSL) || defined(PKCS11CRYPTO) -+#ifdef ISC_PLATFORM_CRYPTORANDOM -+ if (dst_entropy_pool != NULL) -+ 
isc_entropy_sethook(dst_random_getdata); -+#endif -+#endif /* defined(OPENSSL) || defined(PKCS11CRYPTO) */ - dst_initialized = true; - return (ISC_R_SUCCESS); - -@@ -296,11 +302,19 @@ dst_lib_destroy(void) { - for (i = 0; i < DST_MAX_ALGS; i++) - if (dst_t_func[i] != NULL && dst_t_func[i]->cleanup != NULL) - dst_t_func[i]->cleanup(); -+#if defined(OPENSSL) || defined(PKCS11CRYPTO) -+#ifdef ISC_PLATFORM_CRYPTORANDOM -+ if (dst_entropy_pool != NULL) { -+ isc_entropy_usehook(dst_entropy_pool, false); -+ isc_entropy_sethook(NULL); -+ } -+#endif - #ifdef OPENSSL - dst__openssl_destroy(); - #elif PKCS11CRYPTO - (void) dst__pkcs11_destroy(); - #endif /* if OPENSSL, elif PKCS11CRYPTO */ -+#endif /* defined(OPENSSL) || defined(PKCS11CRYPTO) */ - if (dst__memory_pool != NULL) - isc_mem_detach(&dst__memory_pool); - if (dst_entropy_pool != NULL) -@@ -2002,13 +2016,17 @@ dst__entropy_getdata(void *buf, unsigned int len, bool pseudo) { - flags &= ~ISC_ENTROPY_GOODONLY; - else - flags |= ISC_ENTROPY_BLOCKING; -+#ifdef ISC_PLATFORM_CRYPTORANDOM -+ return (dst_random_getdata(buf, len, NULL, flags)); -+#else - return (isc_entropy_getdata(dst_entropy_pool, buf, len, NULL, flags)); -+#endif - #endif /* PKCS11CRYPTO */ - } - - unsigned int - dst__entropy_status(void) { --#ifndef PKCS11CRYPTO -+#if !defined(PKCS11CRYPTO) && !defined(ISC_PLATFORM_CRYPTORANDOM) - #ifdef GSSAPI - unsigned int flags = dst_entropy_flags; - isc_result_t ret; -@@ -2031,6 +2049,7 @@ dst__entropy_status(void) { - #endif - return (isc_entropy_status(dst_entropy_pool)); - #else -+ /* Doesn't matter as it is not used in this case. */ - return (0); - #endif - } diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h -index 1924e74..6813c96 100644 +index 3146d88..3f7ac4d 100644 --- a/lib/dns/include/dst/dst.h +++ b/lib/dns/include/dst/dst.h -@@ -159,6 +159,14 @@ dst_lib_destroy(void); +@@ -153,6 +153,14 @@ dst_lib_destroy(void); * Releases all resources allocated by DST. */ 
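Review bot: The dst.h hunk kept here (`+@@ -153,6 +153,14 @@ dst_lib_destroy(void);`) still adds eight lines after the `dst_lib_destroy()` comment, while the entire `lib/dns/dst_api.c` section of the old patch — the `isc_entropy_sethook(dst_random_getdata)` wiring in `dst_lib_init2`/`dst_lib_destroy` and the `dst_random_getdata` call in `dst__entropy_getdata` — is dropped in this same hunk. The header addition is not visible in this diff; if it is the declaration of `dst_random_getdata` that the dropped code called, the patch now declares a symbol whose only in-patch consumers are gone and builds only because the rebased tree (index `3146d88..3f7ac4d`) already provides it. Please confirm that, and if upstream already ships the declaration as well, drop the dst.h hunk rather than carry a duplicate. Since the `--enable-crypto-rand` plumbing in configure/configure.ac is also removed here, `ISC_PLATFORM_CRYPTORANDOM` must now come from upstream's configure, which is worth stating in the patch description.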
@@ -1385,18 +308,10 @@ index 1924e74..6813c96 100644 dst_algorithm_supported(unsigned int alg); /*%< diff --git a/lib/dns/lib.c b/lib/dns/lib.c -index 304814b..60543c4 100644 +index 5fccb57..1f627c4 100644 --- a/lib/dns/lib.c +++ b/lib/dns/lib.c -@@ -18,6 +18,7 @@ - #include - #include - -+#include - #include - #include - #include -@@ -78,6 +79,7 @@ static unsigned int references = 0; +@@ -51,6 +51,7 @@ static unsigned int references = 0; static void initialize(void) { isc_result_t result; 
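Review bot: The lib.c hunk retained here (`+@@ -51,6 +51,7 @@ static unsigned int references = 0;`) still adds one line to `initialize()` after `isc_result_t result;`, but the `#include` the old patch added near line 18 (presumably `<isc/entropy.h>`, the name is stripped here) is dropped in this same hunk and the kept line itself is outside the diff. The old patch's follow-up hunk in `initialize()`, visible as removed just below, used that declaration as the `ectx` passed to `isc_entropy_create` and `dst_lib_init`; if the follow-up is gone and the kept line is `isc_entropy_t *ectx = NULL;`, it is now an unused variable whose type header may no longer be included. Please review the remaining lib.c hunks of the new patch as a unit rather than hunk by hunk. `initialize()` continues beyond this hunk.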
@@ -1404,314 +319,11 @@ index 304814b..60543c4 100644 REQUIRE(initialize_done == false); -@@ -88,11 +90,14 @@ initialize(void) { - result = dns_ecdb_register(dns_g_mctx, &dbimp); - if (result != ISC_R_SUCCESS) - goto cleanup_mctx; -- result = isc_hash_create(dns_g_mctx, NULL, DNS_NAME_MAXWIRE); -+ result = isc_entropy_create(dns_g_mctx, &ectx); - if (result != ISC_R_SUCCESS) - goto cleanup_db; -+ result = isc_hash_create(dns_g_mctx, NULL, DNS_NAME_MAXWIRE); -+ if (result != ISC_R_SUCCESS) -+ goto cleanup_ectx; - -- result = dst_lib_init(dns_g_mctx, NULL, 0); -+ result = dst_lib_init(dns_g_mctx, ectx, 0); - if (result != ISC_R_SUCCESS) - goto cleanup_hash; - -@@ -100,11 +105,17 @@ initialize(void) { - if (result != ISC_R_SUCCESS) - goto cleanup_dst; - -+ isc_hash_init(); -+ isc_entropy_detach(&ectx); -+ - initialize_done = true; - return; - - cleanup_dst: - dst_lib_destroy(); -+ cleanup_ectx: -+ if (ectx != NULL) -+ isc_entropy_detach(&ectx); - cleanup_hash: - isc_hash_destroy(); - cleanup_db: -diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c -index 13e838f..ffe0a69 100644 ---- a/lib/dns/openssl_link.c -+++ b/lib/dns/openssl_link.c -@@ -31,6 +31,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -46,8 +47,6 @@ - #include - #endif - --static RAND_METHOD *rm = NULL; -- - #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - static isc_mutex_t *locks = NULL; - static int nlocks; -@@ -57,6 +56,9 @@ static int nlocks; - static ENGINE *e = NULL; - #endif - -+#ifndef ISC_PLATFORM_CRYPTORANDOM -+static RAND_METHOD *rm = NULL; -+ - static int - entropy_get(unsigned char *buf, int num) { - isc_result_t result; -@@ -102,6 +104,7 @@ entropy_add(const void *buf, int num, double entropy) { - return (1); - } - #endif -+#endif /* !ISC_PLATFORM_CRYPTORANDOM */ - - #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - static void -@@ -192,7 +195,7 @@ _set_thread_id(CRYPTO_THREADID *id) - 
isc_result_t - dst__openssl_init(const char *engine) { - isc_result_t result; --#if !defined(OPENSSL_NO_ENGINE) -+#if !defined(OPENSSL_NO_ENGINE) && !defined(ISC_PLATFORM_CRYPTORANDOM) - ENGINE *re; - #else - UNUSED(engine); -@@ -222,6 +225,7 @@ dst__openssl_init(const char *engine) { - ERR_load_crypto_strings(); - #endif - -+#ifndef ISC_PLATFORM_CRYPTORANDOM - rm = mem_alloc(sizeof(RAND_METHOD) FILELINE); - if (rm == NULL) { - result = ISC_R_NOMEMORY; -@@ -233,6 +237,7 @@ dst__openssl_init(const char *engine) { - rm->add = entropy_add; - rm->pseudorand = entropy_getpseudo; - rm->status = entropy_status; -+#endif - - #if !defined(OPENSSL_NO_ENGINE) - #if !defined(CONF_MFLAGS_DEFAULT_SECTION) -@@ -266,6 +271,7 @@ dst__openssl_init(const char *engine) { - } - } - -+#ifndef ISC_PLATFORM_CRYPTORANDOM - re = ENGINE_get_default_RAND(); - if (re == NULL) { - re = ENGINE_new(); -@@ -278,9 +284,21 @@ dst__openssl_init(const char *engine) { - ENGINE_free(re); - } else - ENGINE_finish(re); -+#endif - #else -+#ifndef ISC_PLATFORM_CRYPTORANDOM - RAND_set_rand_method(rm); -+#endif - #endif /* !defined(OPENSSL_NO_ENGINE) */ -+ -+ /* Protect ourselves against unseeded PRNG */ -+ if (RAND_status() != 1) { -+ FATAL_ERROR(__FILE__, __LINE__, -+ "OpenSSL pseudorandom number generator " -+ "cannot be initialized (see the `PRNG not " -+ "seeded' message in the OpenSSL FAQ)"); -+ } -+ - return (ISC_R_SUCCESS); - - #if !defined(OPENSSL_NO_ENGINE) -@@ -288,10 +306,14 @@ dst__openssl_init(const char *engine) { - if (e != NULL) - ENGINE_free(e); - e = NULL; -+#ifndef ISC_PLATFORM_CRYPTORANDOM - mem_free(rm FILELINE); - rm = NULL; - #endif -+#endif -+#ifndef ISC_PLATFORM_CRYPTORANDOM - cleanup_mutexinit: -+#endif - #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - CRYPTO_set_locking_callback(NULL); - DESTROYMUTEXBLOCK(locks, nlocks); -@@ -306,14 +328,17 @@ void - dst__openssl_destroy(void) { - #if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 
0x10100000L) - OPENSSL_cleanup(); -+#ifndef ISC_PLATFORM_CRYPTORANDOM - if (rm != NULL) { - mem_free(rm FILELINE); - rm = NULL; - } -+#endif - #else - /* - * Sequence taken from apps_shutdown() in . - */ -+#ifndef ISC_PLATFORM_CRYPTORANDOM - if (rm != NULL) { - #if OPENSSL_VERSION_NUMBER >= 0x00907000L - RAND_cleanup(); -@@ -321,6 +346,7 @@ dst__openssl_destroy(void) { - mem_free(rm FILELINE); - rm = NULL; - } -+#endif - #if (OPENSSL_VERSION_NUMBER >= 0x00907000L) - CONF_modules_free(); - #endif -@@ -456,11 +482,45 @@ dst__openssl_getengine(const char *engine) { - } - #endif - --#else /* OPENSSL */ -+isc_result_t -+dst_random_getdata(void *data, unsigned int length, -+ unsigned int *returned, unsigned int flags) { -+#ifdef ISC_PLATFORM_CRYPTORANDOM -+#ifndef DONT_REQUIRE_DST_LIB_INIT -+ INSIST(dst__memory_pool != NULL); -+#endif -+ REQUIRE(data != NULL); -+ REQUIRE(length > 0); - --#include -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) -+ if ((flags & ISC_ENTROPY_GOODONLY) == 0) { -+ if (RAND_pseudo_bytes((unsigned char *)data, (int)length) < 0) -+ return (dst__openssl_toresult2("RAND_pseudo_bytes", -+ DST_R_OPENSSLFAILURE)); -+ } else { -+ if (RAND_bytes((unsigned char *)data, (int)length) != 1) -+ return (dst__openssl_toresult2("RAND_bytes", -+ DST_R_OPENSSLFAILURE)); -+ } -+#else -+ UNUSED(flags); - --EMPTY_TRANSLATION_UNIT -+ if (RAND_bytes((unsigned char *)data, (int)length) != 1) -+ return (dst__openssl_toresult2("RAND_bytes", -+ DST_R_OPENSSLFAILURE)); -+#endif -+ if (returned != NULL) -+ *returned = length; -+ return (ISC_R_SUCCESS); -+#else -+ UNUSED(data); -+ UNUSED(length); -+ UNUSED(returned); -+ UNUSED(flags); -+ -+ return (ISC_R_NOTIMPLEMENTED); -+#endif -+} - - #endif /* OPENSSL */ - /*! 
\file */ -diff --git a/lib/dns/pkcs11.c b/lib/dns/pkcs11.c -index 5a2c502..8eaef53 100644 ---- a/lib/dns/pkcs11.c -+++ b/lib/dns/pkcs11.c -@@ -13,12 +13,15 @@ - - #include - -+#include -+ - #include - #include - - #include - #include - -+#include "dst_internal.h" - #include "dst_pkcs11.h" - - isc_result_t -@@ -34,12 +37,32 @@ dst__pkcs11_toresult(const char *funcname, const char *file, int line, - return (fallback); - } - -+isc_result_t -+dst_random_getdata(void *data, unsigned int length, -+ unsigned int *returned, unsigned int flags) { -+#ifdef ISC_PLATFORM_CRYPTORANDOM -+ isc_result_t ret; - --#else /* PKCS11CRYPTO */ -+#ifndef DONT_REQUIRE_DST_LIB_INIT -+ INSIST(dst__memory_pool != NULL); -+#endif -+ REQUIRE(data != NULL); -+ REQUIRE(length > 0); -+ UNUSED(flags); - --#include -+ ret = pk11_rand_bytes(data, (int) length); -+ if ((ret == ISC_R_SUCCESS) && (returned != NULL)) -+ *returned = length; -+ return (ret); -+#else -+ UNUSED(data); -+ UNUSED(length); -+ UNUSED(returned); -+ UNUSED(flags); - --EMPTY_TRANSLATION_UNIT -+ return (ISC_R_NOTIMPLEMENTED); -+#endif -+} - - #endif /* PKCS11CRYPTO */ - /*! \file */ -diff --git a/lib/dns/tests/Kyuafile b/lib/dns/tests/Kyuafile -index 937b548..f3c0e38 100644 ---- a/lib/dns/tests/Kyuafile -+++ b/lib/dns/tests/Kyuafile -@@ -10,6 +10,7 @@ tap_test_program{name='dh_test'} - tap_test_program{name='dispatch_test'} - tap_test_program{name='dnstap_test'} - tap_test_program{name='dst_test'} -+tap_test_program{name='dstrandom_test'} - tap_test_program{name='geoip_test'} - tap_test_program{name='gost_test'} - tap_test_program{name='keytable_test'} diff --git a/lib/dns/tests/Makefile.in b/lib/dns/tests/Makefile.in -index 90dc3a6..7671e1d 100644 +index 7b35b93..c5befff 100644 --- a/lib/dns/tests/Makefile.in 
+++ b/lib/dns/tests/Makefile.in -@@ -37,6 +37,7 @@ SRCS = acl_test.c \ - dnstap_test.c \ - dst_test.c \ - dnstest.c \ -+ dstrandom_test.c \ - geoip_test.c \ - gost_test.c \ - keytable_test.c \ -@@ -69,6 +70,7 @@ TARGETS = acl_test@EXEEXT@ \ - dh_test@EXEEXT@ \ - dispatch_test@EXEEXT@ \ - dnstap_test@EXEEXT@ \ -+ dstrandom_test@EXEEXT@ \ - dst_test@EXEEXT@ \ - geoip_test@EXEEXT@ \ - gost_test@EXEEXT@ \ -@@ -258,6 +260,11 @@ zt_test@EXEEXT@: zt_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} +@@ -259,6 +259,11 @@ zt_test@EXEEXT@: zt_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} ${LDFLAGS} -o $@ zt_test.@O@ dnstest.@O@ \ ${DNSLIBS} ${ISCLIBS} ${LIBS} 
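Review bot: The retained `lib/dns/tests/Makefile.in` hunk (`+@@ -259,6 +259,11 @@`) still inserts five lines after the `zt_test` link rule, yet this same commit drops the `dstrandom_test.c` entries from `SRCS` and `TARGETS` (and the test source itself, in the next hunk); if those five lines are the `dstrandom_test@EXEEXT@` rule, the rebased patch declares a link target for a source it no longer provides, unless the new base already ships `dstrandom_test.c` — confirm which before landing. On the security side, the `dst__openssl_init()` change removed here carried the `if (RAND_status() != 1) FATAL_ERROR(...)` guard against an unseeded OpenSSL PRNG, and the rebased patch no longer has it, so the new base should be checked for an equivalent abort-on-unseeded check rather than assumed to have one. A short line in the patch header recording that the crypto-random plumbing (`dst_random_getdata`, the entropy hook, `ISC_PLATFORM_CRYPTORANDOM`) is dropped because the base provides it natively would preserve that reasoning for the next rebase.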
@@ -1723,247 +335,11 @@ index 90dc3a6..7671e1d 100644 unit:: sh ${top_builddir}/unit/unittest.sh -diff --git a/lib/dns/tests/dstrandom_test.c b/lib/dns/tests/dstrandom_test.c -new file mode 100644 -index 0000000..bd3d164 ---- /dev/null -+++ b/lib/dns/tests/dstrandom_test.c -@@ -0,0 +1,115 @@ -+/* -+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+ * -+ * This Source Code Form is subject to the terms of the Mozilla Public -+ * License, v. 2.0. If a copy of the MPL was not distributed with this -+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. -+ * -+ * See the COPYRIGHT file distributed with this work for additional -+ * information regarding copyright ownership. -+ */ -+ -+#include -+ -+#if HAVE_CMOCKA -+ -+#include -+#include -+#include -+ -+#include -+#include -+#include -+#include -+ -+#define UNIT_TESTING -+#include -+ -+#include -+#include -+#include -+#include -+#include -+ -+#include -+ -+isc_mem_t *mctx = NULL; -+isc_entropy_t *ectx = NULL; -+unsigned char buffer[128]; -+ -+/* isc_entropy_getdata() examples */ -+static void -+isc_entropy_getdata_test(void **state) { -+ isc_result_t result; -+ unsigned int returned, status; -+ const char *randomfile = "testdata/dstrandom/random.data"; -+ int ret; -+ -+ UNUSED(state); -+ -+ isc_mem_debugging |= ISC_MEM_DEBUGRECORD; -+ result = isc_mem_create(0, 0, &mctx); -+ assert_int_equal(result, ISC_R_SUCCESS); -+ result = isc_entropy_create(mctx, &ectx); -+ assert_int_equal(result, ISC_R_SUCCESS); -+ result = dst_lib_init(mctx, ectx, 0); -+ assert_int_equal(result, ISC_R_SUCCESS); -+ -+#ifdef ISC_PLATFORM_CRYPTORANDOM -+ isc_entropy_usehook(ectx, true); -+ -+ returned = 0; -+ result = isc_entropy_getdata(ectx, buffer, sizeof(buffer), -+ &returned, 0); -+ assert_int_equal(result, ISC_R_SUCCESS); -+ assert_int_equal(returned, sizeof(buffer)); -+ -+ status = isc_entropy_status(ectx); -+ assert_int_equal(status, 0); -+ -+ isc_entropy_usehook(ectx, false); -+#endif -+ -+ ret = chdir(TESTS); -+ 
assert_int_equal(ret, 0); -+ -+ result = isc_entropy_createfilesource(ectx, randomfile); -+ assert_int_equal(result, ISC_R_SUCCESS); -+ -+ returned = 0; -+ result = isc_entropy_getdata(ectx, buffer, sizeof(buffer), -+ &returned, 0); -+ assert_int_equal(result, ISC_R_SUCCESS); -+ assert_int_equal(returned, sizeof(buffer)); -+ -+ status = isc_entropy_status(ectx); -+ assert_true(status > 0); -+ -+ dst_lib_destroy(); -+ isc_entropy_detach(&ectx); -+ assert_null(ectx); -+ -+ isc_mem_destroy(&mctx); -+ assert_null(mctx); -+} -+ -+int -+main(void) { -+ const struct CMUnitTest tests[] = { -+ cmocka_unit_test(isc_entropy_getdata_test), -+ }; -+ -+ return (cmocka_run_group_tests(tests, NULL, NULL)); -+} -+ -+#else /* HAVE_CMOCKA */ -+ -+#include -+ -+int -+main(void) { -+ printf("1..0 # Skipped: cmocka not available\n"); -+ return (0); -+} -+ -+#endif -diff --git a/lib/dns/win32/libdns.def.in b/lib/dns/win32/libdns.def.in -index 63be973..40b21fa 100644 ---- a/lib/dns/win32/libdns.def.in -+++ b/lib/dns/win32/libdns.def.in -@@ -1485,6 +1485,13 @@ dst_lib_destroy - dst_lib_init - dst_lib_init2 - dst_lib_initmsgcat -+@IF PKCS11 -+dst_random_getdata -+@ELSE PKCS11 -+@IF OPENSSL -+dst_random_getdata -+@END OPENSSL -+@END PKCS11 - dst_region_computeid - dst_region_computerid - dst_result_register -diff --git a/lib/isc/entropy.c b/lib/isc/entropy.c -index ab2f617..ed05ed6 100644 ---- a/lib/isc/entropy.c -+++ b/lib/isc/entropy.c -@@ -104,11 +104,15 @@ struct isc_entropy { - uint32_t initialized; - uint32_t initcount; - isc_entropypool_t pool; -+ bool usehook; - unsigned int nsources; - isc_entropysource_t *nextsource; - ISC_LIST(isc_entropysource_t) sources; - }; - -+/*% Global Hook */ -+static isc_entropy_getdata_t hook; -+ - /*% Sample Queue */ - typedef struct { - uint32_t last_time; /*%< last time recorded */ -@@ -557,6 +561,11 @@ isc_entropy_getdata(isc_entropy_t *ent, void *data, unsigned int length, - - LOCK(&ent->lock); - -+ if (ent->usehook && (hook != NULL)) { -+ 
UNLOCK(&ent->lock); -+ return (hook(data, length, returned, flags)); -+ } -+ - remain = length; - buf = data; - total = 0; -@@ -708,6 +717,7 @@ isc_entropy_create(isc_mem_t *mctx, isc_entropy_t **entp) { - ent->refcnt = 1; - ent->initialized = 0; - ent->initcount = 0; -+ ent->usehook = false; - ent->magic = ENTROPY_MAGIC; - - isc_entropypool_init(&ent->pool); -@@ -1286,3 +1296,17 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source, - */ - return (final_result); - } -+ -+void -+isc_entropy_usehook(isc_entropy_t *ectx, bool onoff) { -+ REQUIRE(VALID_ENTROPY(ectx)); -+ -+ LOCK(&ectx->lock); -+ ectx->usehook = onoff; -+ UNLOCK(&ectx->lock); -+} -+ -+void -+isc_entropy_sethook(isc_entropy_getdata_t myhook) { -+ hook = myhook; -+} -diff --git a/lib/isc/include/isc/entropy.h b/lib/isc/include/isc/entropy.h -index 4bba8e1..632166a 100644 ---- a/lib/isc/include/isc/entropy.h -+++ b/lib/isc/include/isc/entropy.h -@@ -304,6 +304,18 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source, - * isc_entropy_createcallbacksource(). - */ - -+void -+isc_entropy_usehook(isc_entropy_t *ectx, bool onoff); -+/*!< -+ * \brief Mark/unmark the given entropy structure as being hooked. -+ */ -+ -+void -+isc_entropy_sethook(isc_entropy_getdata_t myhook); -+/*!< -+ * \brief Set the getdata hook (e.g., for a crypto random generator). -+ */ -+ - ISC_LANG_ENDDECLS - - #endif /* ISC_ENTROPY_H */ -diff --git a/lib/isc/include/isc/platform.h.in b/lib/isc/include/isc/platform.h.in -index 4192946..dbd1560 100644 ---- a/lib/isc/include/isc/platform.h.in -+++ b/lib/isc/include/isc/platform.h.in -@@ -359,6 +359,11 @@ - */ - @ISC_PLATFORM_HAVESTRINGSH@ - -+/* -+ * Define if the random functions are provided by crypto. -+ */ -+@ISC_PLATFORM_CRYPTORANDOM@ -+ - /* - * Define if the hash functions must be provided by OpenSSL. - */ 
diff --git a/lib/isc/include/isc/types.h b/lib/isc/include/isc/types.h -index da9d66f..4205400 100644 +index f8e5ae6..d0dc9b5 100644 --- a/lib/isc/include/isc/types.h +++ b/lib/isc/include/isc/types.h -@@ -97,6 +97,8 @@ typedef struct isc_time isc_time_t; /*%< Time */ +@@ -82,6 +82,8 @@ typedef struct isc_time isc_time_t; /*%< Time */ typedef struct isc_timer isc_timer_t; /*%< Timer */ typedef struct isc_timermgr isc_timermgr_t; /*%< Timer Manager */ 
@@ -1972,61 +348,11 @@ index da9d66f..4205400 100644 typedef void (*isc_taskaction_t)(isc_task_t *, isc_event_t *); typedef int (*isc_sockfdwatch_t)(isc_task_t *, isc_socket_t *, void *, int); -diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c -index 68aebdc..4b85527 100644 ---- a/lib/isc/pk11.c -+++ b/lib/isc/pk11.c -@@ -321,14 +321,16 @@ pk11_rand_seed_fromfile(const char *randomfile) { - ret = isc_stdio_open(randomfile, "r", &stream); - if (ret != ISC_R_SUCCESS) - goto cleanup; -- ret = isc_stdio_read(seed, 1, SEEDSIZE, stream, &cc); -- if (ret!= ISC_R_SUCCESS) -- goto cleanup; -+ while (ret == ISC_R_SUCCESS) { -+ ret = isc_stdio_read(seed, 1, SEEDSIZE, stream, &cc); -+ if ((ret != ISC_R_SUCCESS) && (ret != ISC_R_EOF)) -+ goto cleanup; -+ (void) pkcs_C_SeedRandom(ctx.session, seed, (CK_ULONG) cc); -+ } - ret = isc_stdio_close(stream); - stream = NULL; -- if (ret!= ISC_R_SUCCESS) -+ if (ret != ISC_R_SUCCESS) - goto cleanup; -- (void) pkcs_C_SeedRandom(ctx.session, seed, (CK_ULONG) cc); - - cleanup: - if (stream != NULL) -diff --git a/lib/isc/win32/include/isc/platform.h.in b/lib/isc/win32/include/isc/platform.h.in -index 8ade705..fa72f9d 100644 ---- a/lib/isc/win32/include/isc/platform.h.in -+++ b/lib/isc/win32/include/isc/platform.h.in -@@ -73,6 +73,11 @@ - #define ISC_PLATFORM_NORETURN_PRE __declspec(noreturn) - #define ISC_PLATFORM_NORETURN_POST - -+/* -+ * Define if the random functions are provided by crypto. -+ */ -+@ISC_PLATFORM_CRYPTORANDOM@ -+ - /* - * Define if the hash functions must be provided by OpenSSL. - */ diff --git a/win32utils/Configure b/win32utils/Configure -index 953f2aa..55cc929 100644 +index 9731b0c..0b7bc6e 100644 --- a/win32utils/Configure 
+++ b/win32utils/Configure -@@ -382,6 +382,7 @@ my @substdefh = ("ALLOW_FILTER_AAAA", - my %configdefp; - - my @substdefp = ("ISC_PLATFORM_BUSYWAITNOP", -+ "ISC_PLATFORM_CRYPTORANDOM", - "ISC_PLATFORM_HAVEATOMICSTORE", - "ISC_PLATFORM_HAVEATOMICSTOREQ", - "ISC_PLATFORM_HAVECMPXCHG", -@@ -517,7 +518,8 @@ my @allcond = (@substcond, "NOTYET", "NOLONGER"); +@@ -353,7 +353,8 @@ my @allcond = (@substcond, "NOTYET", "NOLONGER"); # enable-xxx/disable-xxx 
@@ -2036,80 +362,7 @@ index 953f2aa..55cc929 100644 "fixed-rrset", "intrinsics", "isc-spnego", -@@ -580,6 +582,7 @@ my @help = ( - "\nOptional Features:\n", - " enable-intrinsics enable instrinsic/atomic functions [default=yes]\n", - " enable-native-pkcs11 use native PKCS#11 for all crypto [default=no]\n", -+" enable-crypto-rand use crypto provider for random [default=yes]\n", - " enable-openssl-hash use OpenSSL for hash functions [default=yes]\n", - " enable-isc-spnego use SPNEGO from lib/dns [default=yes]\n", - " enable-filter-aaaa enable filtering of AAAA records [default=yes]\n", -@@ -628,7 +631,9 @@ my $want_clean = "no"; - my $want_unknown = "no"; - my $unknown_value; - my $enable_intrinsics = "yes"; -+my $cryptolib = ""; - my $enable_native_pkcs11 = "no"; -+my $enable_crypto_rand = "yes"; - my $enable_openssl_hash = "auto"; - my $enable_filter_aaaa = "yes"; - my $enable_isc_spnego = "yes"; -@@ -847,6 +852,10 @@ sub myenable { - if ($val =~ /^yes$/i) { - $enable_native_pkcs11 = "yes"; - } -+ } elsif ($key =~ /^crypto-rand$/i) { -+ if ($val =~ /^no$/i) { -+ $enable_crypto_rand = "no"; -+ } - } elsif ($key =~ /^openssl-hash$/i) { - if ($val =~ /^yes$/i) { - $enable_openssl_hash = "yes"; -@@ -1153,6 +1162,11 @@ if ($verbose) { - } else { - print "native-pkcs11: disabled\n"; - } -+ if ($enable_crypto_rand eq "yes") { -+ print "crypto-rand: enabled\n"; -+ } else { -+ print "crypto-rand: disabled\n"; -+ } - if ($enable_openssl_hash eq "yes") { - print "openssl-hash: enabled\n"; - } else { -@@ -1510,6 +1524,7 @@ if ($enable_intrinsics eq "yes") { - - # enable-native-pkcs11 - if ($enable_native_pkcs11 eq "yes") { -+ $cryptolib = "pkcs11"; - if ($use_openssl eq "auto") { - $use_openssl = "no"; - } -@@ -1719,6 +1734,7 @@ if ($use_openssl eq "yes") { - $openssl_dll = File::Spec->catdir($openssl_path, "@dirlist[0]"); - } - -+ $cryptolib = "openssl"; - $configcond{"OPENSSL"} = 1; - $configdefd{"CRYPTO"} = "OPENSSL"; - $configvar{"OPENSSL_PATH"} = "$openssl_path"; -@@ 
-2290,6 +2306,15 @@ if ($use_aes eq "yes") { - } - - -+# enable-crypto-rand -+if ($enable_crypto_rand eq "yes") { -+ if (($use_openssl eq "no") && ($enable_native_pkcs11 eq "no")) { -+ die "No crypto provider for random functions\n"; -+ } -+ $configdefp{"ISC_PLATFORM_CRYPTORANDOM"} = "\"$cryptolib\""; -+} -+print "Cryptographic library for DNSSEC: $cryptolib"; -+ - # enable-openssl-hash - if ($enable_openssl_hash eq "yes") { - if ($use_openssl eq "no") { -@@ -3665,6 +3690,7 @@ exit 0; +@@ -2929,6 +2930,7 @@ exit 0; # --enable-developer partially supported # --enable-newstats (9.9/9.9sub only) # --enable-native-pkcs11 supported @@ -2118,5 +371,5 @@ index 953f2aa..55cc929 100644 # --enable-openssl-hash supported # --enable-threads included without a way to disable it -- -2.21.0 +2.20.1 diff --git a/bind-9.11-unit-disable-random.patch b/bind-9.11-unit-disable-random.patch index 553f725..dbd0cb6 100644 --- a/bind-9.11-unit-disable-random.patch +++ b/bind-9.11-unit-disable-random.patch @@ -1,4 +1,4 @@ -From 373f07148217a8e70e33446f5108fb42d1079ba6 Mon Sep 17 00:00:00 2001 +From 605d1575414c67f5e7eefeaae9dd2d0820c082dc Mon Sep 17 00:00:00 2001 From: Petr Mensik Date: Thu, 21 Feb 2019 22:42:27 +0100 Subject: [PATCH] Disable random_test @@ -9,19 +9,18 @@ subtests can occasionally fail, stop it. It can be used again by defining 'unstable' variable in Kyuafile. --- - lib/isc/tests/Kyuafile | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) + lib/isc/tests/Kyuafile | 1 + + 1 file changed, 1 insertion(+) diff --git a/lib/isc/tests/Kyuafile b/lib/isc/tests/Kyuafile -index 4cd2574..9df2340 100644 +index e2b2498..df2741e 100644 --- a/lib/isc/tests/Kyuafile 
+++ b/lib/isc/tests/Kyuafile -@@ -19,7 +19,7 @@ tap_test_program{name='pool_test'} - tap_test_program{name='print_test'} +@@ -18,6 +18,7 @@ tap_test_program{name='parse_test'} + tap_test_program{name='pool_test'} tap_test_program{name='queue_test'} tap_test_program{name='radix_test'} --tap_test_program{name='random_test'} -+tap_test_program{name='random_test', required_configs='unstable'} ++-- tap_test_program{name='random_test', required_configs='unstable'} tap_test_program{name='regex_test'} tap_test_program{name='result_test'} tap_test_program{name='safe_test'} diff --git a/bind.spec b/bind.spec index bf07be7..c35e15d 100644 --- a/bind.spec +++ b/bind.spec 
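Review bot: The new line `-- tap_test_program{name='random_test', required_configs='unstable'}` is a Lua comment, so the patch description kept as context in this hunk — `It can be used again by defining 'unstable' variable in Kyuafile` — no longer holds: nothing in the patched file references `unstable` any more. The new diffstat (`1 insertion(+)`, no deletion) also shows the base `Kyuafile` has no `random_test` entry to disable, which matches the spec's own `# not present on 9.14.0` remark, so the patch now only adds a dead comment. Either drop the patch (and its `Patch168` reference in the spec) for this base, or reword the description to something like `random_test is absent from this base; the entry is kept commented out for reference` so the stated re-enable path is not misleading.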
@@ -133,23 +133,25 @@ Patch150:bind-9.11-engine-pkcs11.patch Patch153:bind-9.11-export-suffix.patch Patch154:bind-9.11-oot-manual.patch Patch155:bind-9.11-pk11.patch -Patch156:bind-9.11-fips-code.patch +# FIXME: needs review. Should not be required +#Patch156:bind-9.11-fips-code.patch Patch157:bind-9.11-fips-tests.patch # [RT #31459] commit 06a8051d2476fb526fe6960832209392c763a9af -Patch158:bind-9.11-rt31459.patch +#Patch158:bind-9.11-rt31459.patch # [RT #46047] commit 24172bd2eeba91441ab1c65d2717b0692309244a ISC 4724 -Patch159:bind-9.11-rt46047.patch +#Patch159:bind-9.11-rt46047.patch # commit 66ba2fdad583d962a1f4971c85d58381f0849e4d # commit b105ccee68ccc3c18e6ea530063b3c8e5a42571c # commit 083461d3329ff6f2410745848a926090586a9846 -Patch160:bind-9.11-rh1624100.patch +#Patch160:bind-9.11-rh1624100.patch # https://gitlab.isc.org/isc-projects/bind9/issues/555 -Patch161:bind-9.11-host-idn-disable.patch +#Patch161:bind-9.11-host-idn-disable.patch # https://gitlab.isc.org/isc-projects/bind9/commit/8a98277811e -Patch163:bind-9.11-rh1663318.patch +#Patch163:bind-9.11-rh1663318.patch # https://gitlab.isc.org/isc-projects/bind9/issues/819 Patch164:bind-9.11-rh1666814.patch # random_test fails too often by random, disable it +# not present on 9.14.0 Patch168:bind-9.11-unit-disable-random.patch Patch170:bind-9.11-feature-test-named.patch Patch171:bind-9.11-tests-variants.patch 
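Review bot: `Patch157` (`bind-9.11-fips-tests.patch`) stays applied while `Patch156` (`bind-9.11-fips-code.patch`) is commented out with only `# FIXME: needs review. Should not be required`; if the test adjustments in Patch157 encode FIPS-mode behaviour that the code patch used to provide, the system tests will either fail against the unpatched base or pass without exercising it, so the pair should be enabled or disabled together, or the FIXME should say why the tests are kept. The five other patches disabled here (`Patch158`–`Patch163`, which the surrounding comments tie to specific upstream commits and RT/RH tickets) get no note at all, whereas `Patch168` gets `# not present on 9.14.0`; a per-patch line such as `# merged upstream in 9.14.0 (commit ...)` or `# dropped pending rebase, NOT yet upstream` would make clear which fixes are intentionally gone versus silently lost. Note also that `Patch168` is still applied even though its new comment says the test it disables is absent from this base.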
@@ -545,13 +547,13 @@ are used for building ISC DHCP. %patch153 -p1 -b .export_suffix %patch154 -p1 -b .oot-man %patch155 -p1 -b .pk11-internal -%patch156 -p1 -b .fips-code +#%patch156 -p1 -b .fips-code %patch157 -p1 -b .fips-tests -%patch158 -p1 -b .rt31459 -%patch159 -p1 -b .rt46047 -%patch160 -p1 -b .rh1624100 -%patch161 -p1 -b .host-idn-disable -%patch163 -p1 -b .rh1663318 +#%patch158 -p1 -b .rt31459 +#%patch159 -p1 -b .rt46047 +#%patch160 -p1 -b .rh1624100 +#%patch161 -p1 -b .host-idn-disable +#%patch163 -p1 -b .rh1663318 %patch164 -p1 -b .rh1666814 %patch168 -p1 -b .random_test-disable %patch170 -p1 -b .featuretest-named diff --git a/bind97-rh669163.patch b/bind97-rh669163.patch deleted file mode 100644 index 125049f..0000000 --- a/bind97-rh669163.patch +++ /dev/null @@ -1,14 +0,0 @@ -diff -up bind-9.7.2-P3/lib/lwres/lwconfig.c.rh669163 bind-9.7.2-P3/lib/lwres/lwconfig.c ---- bind-9.7.2-P3/lib/lwres/lwconfig.c.rh669163 2011-01-28 14:48:38.934472578 +0100 -+++ bind-9.7.2-P3/lib/lwres/lwconfig.c 2011-01-28 14:49:50.421326035 +0100 -@@ -612,6 +612,10 @@ lwres_conf_parse(lwres_context_t *ctx, c - break; - } - -+ /* Ignore options with no parameters */ -+ if (stopchar == '\n') -+ continue; -+ - if (strlen(word) == 0U) - rval = LWRES_R_SUCCESS; - else if (strcmp(word, "nameserver") == 0) diff --git a/random.data b/random.data deleted file mode 100644 index 354add0..0000000 Binary files a/random.data and /dev/null differ
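Review bot: The commented-out `#%patch156 -p1 -b .fips-code` line (and `#%patch158` through `#%patch163`) relies on `#` to neutralise a `%` construct, but rpmbuild performs macro expansion on comment lines as well, so a `%patch…` token inside a comment is not guaranteed to be inert across rpm versions; the packaging-guideline idiom is to double the percent sign, e.g. `#%%patch156 -p1 -b .fips-code`, or to delete the lines outright. Deleting them would also keep `%prep` in step with the preamble, where the matching `Patch156:`…`Patch163:` tags are plain `#` comments that carry no macro.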