From ad7b3b8f1284fb8077c24233c4172e2174a6d90e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Fri, 19 Oct 2018 17:52:10 +0200 Subject: [PATCH] Update to 9.11.5 Bump to higher version, update sources. More fixes to rebased BIND. Many patches are affected by stdbool change. Update libraries so versions. --- .gitignore | 1 + bind-9.10-dist-native-pkcs11.patch | 38 +-- bind-9.11-fips-code.patch | 399 +++++++++++++---------------- bind-9.11-fips-tests.patch | 136 +++++----- bind-9.11-host-idn-disable.patch | 22 +- bind-9.11-kyua-pkcs11.patch | 48 ++-- bind-9.11-oot-manual.patch | 34 +-- bind-9.11-rh1624100.patch | 58 +++-- bind-9.11-rt31459.patch | 365 +++++++++++++------------- bind-9.11-rt46047.patch | 172 ++++++------- bind-95-rh452060.patch | 12 +- bind.spec | 25 +- bind93-rh490837.patch | 74 +++--- sources | 2 +- 14 files changed, 662 insertions(+), 724 deletions(-) diff --git a/.gitignore b/.gitignore index 774f56c..f656e89 100644 --- a/.gitignore +++ b/.gitignore @@ -86,3 +86,4 @@ bind-9.7.2b1.tar.gz /bind-9.11.4.tar.gz /bind-9.11.4-P1.tar.gz /bind-9.11.4-P2.tar.gz +/bind-9.11.5.tar.gz diff --git a/bind-9.10-dist-native-pkcs11.patch b/bind-9.10-dist-native-pkcs11.patch index 6f66dc1..aa95e33 100644 --- a/bind-9.10-dist-native-pkcs11.patch +++ b/bind-9.10-dist-native-pkcs11.patch @@ -14,7 +14,7 @@ index f0c504a..ce7a2da 100644 @BIND9_MAKE_RULES@ diff --git a/bin/dnssec-pkcs11/Makefile.in b/bin/dnssec-pkcs11/Makefile.in -index 1d0c4ce..7b7f89b 100644 +index ce0a177..f8370cf 100644 --- a/bin/dnssec-pkcs11/Makefile.in +++ b/bin/dnssec-pkcs11/Makefile.in @@ -17,18 +17,18 @@ VERSION=@BIND9_VERSION@ 
@@ -121,15 +121,15 @@ index 1d0c4ce..7b7f89b 100644 -install:: ${TARGETS} installdirs install-man8 +install:: ${TARGETS} installdirs - for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir}; done + for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir} || exit 1; done uninstall:: -- for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m ; done - for t in ${TARGETS}; do ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/$$t ; done +- for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m || exit 1; done + for t in ${TARGETS}; do ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/$$t || exit 1; done clean distclean:: diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in -index 1d0c4ce..11538cf 100644 +index ce0a177..7cede84 100644 --- a/bin/dnssec/Makefile.in +++ b/bin/dnssec/Makefile.in @@ -19,7 +19,7 @@ VERSION=@BIND9_VERSION@ @@ -291,10 +291,10 @@ index a058c91..d4b689a 100644 DEPLIBS = ${ISCDEPLIBS} diff --git a/configure.in b/configure.in -index 849fa94..69e6373 100644 +index 898b4ac..1edafd1 100644 --- a/configure.in +++ b/configure.in -@@ -1164,12 +1164,14 @@ AC_SUBST(USE_GSSAPI) +@@ -1109,12 +1109,14 @@ AC_SUBST(USE_GSSAPI) AC_SUBST(DST_GSSAPI_INC) AC_SUBST(DNS_GSSAPI_LIBS) DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_LIBS" @@ -309,7 +309,7 @@ index 849fa94..69e6373 100644 # # was --with-randomdev specified? -@@ -1554,11 +1556,11 @@ fi +@@ -1499,11 +1501,11 @@ fi AC_MSG_CHECKING(for OpenSSL library) OPENSSL_WARNING= openssldirs="/usr /usr/local /usr/local/ssl /usr/pkg /usr/sfw" @@ -326,7 +326,7 @@ index 849fa94..69e6373 100644 if test "auto" = "$use_openssl" then -@@ -1571,6 +1573,7 @@ then +@@ -1516,6 +1518,7 @@ then fi done fi @@ -334,7 +334,7 @@ index 849fa94..69e6373 100644 OPENSSL_ECDSA="" OPENSSL_GOST="" OPENSSL_ED25519="" -@@ -1592,11 +1595,10 @@ case "$with_gost" in +@@ -1537,11 +1540,10 @@ case "$with_gost" in ;; esac 
@@ -349,7 +349,7 @@ index 849fa94..69e6373 100644 CRYPTOLIB="pkcs11" OPENSSLECDSALINKOBJS="" OPENSSLECDSALINKSRCS="" -@@ -1606,7 +1608,9 @@ case "$use_openssl" in +@@ -1551,7 +1553,9 @@ case "$use_openssl" in OPENSSLGOSTLINKSRCS="" OPENSSLLINKOBJS="" OPENSSLLINKSRCS="" @@ -360,7 +360,7 @@ index 849fa94..69e6373 100644 no) AC_MSG_RESULT(no) DST_OPENSSL_INC="" -@@ -1638,7 +1642,7 @@ case "$use_openssl" in +@@ -1583,7 +1587,7 @@ case "$use_openssl" in If you do not want OpenSSL, use --without-openssl]) ;; *) @@ -369,7 +369,7 @@ index 849fa94..69e6373 100644 then AC_MSG_RESULT() AC_MSG_ERROR([OpenSSL and native PKCS11 cannot be used together.]) -@@ -2066,6 +2070,7 @@ AC_SUBST(OPENSSL_ED25519) +@@ -2011,6 +2015,7 @@ AC_SUBST(OPENSSL_ED25519) AC_SUBST(OPENSSL_GOST) DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DST_OPENSSL_LIBS" @@ -377,7 +377,7 @@ index 849fa94..69e6373 100644 ISC_PLATFORM_WANTAES="#undef ISC_PLATFORM_WANTAES" if test "yes" = "$with_aes" -@@ -2384,6 +2389,7 @@ esac +@@ -2329,6 +2334,7 @@ esac AC_SUBST(PKCS11LINKOBJS) AC_SUBST(PKCS11LINKSRCS) AC_SUBST(CRYPTO) @@ -385,7 +385,7 @@ index 849fa94..69e6373 100644 AC_SUBST(PKCS11_ECDSA) AC_SUBST(PKCS11_GOST) AC_SUBST(PKCS11_ED25519) -@@ -5497,8 +5503,11 @@ AC_CONFIG_FILES([ +@@ -5401,8 +5407,11 @@ AC_CONFIG_FILES([ bin/delv/Makefile bin/dig/Makefile bin/dnssec/Makefile @@ -397,7 +397,7 @@ index 849fa94..69e6373 100644 bin/nsupdate/Makefile bin/pkcs11/Makefile bin/python/Makefile -@@ -5572,6 +5581,10 @@ AC_CONFIG_FILES([ +@@ -5476,6 +5485,10 @@ AC_CONFIG_FILES([ lib/dns/include/dns/Makefile lib/dns/include/dst/Makefile lib/dns/tests/Makefile @@ -408,7 +408,7 @@ index 849fa94..69e6373 100644 lib/irs/Makefile lib/irs/include/Makefile lib/irs/include/irs/Makefile -@@ -5596,6 +5609,24 @@ AC_CONFIG_FILES([ +@@ -5500,6 +5513,24 @@ AC_CONFIG_FILES([ lib/isc/unix/include/Makefile lib/isc/unix/include/isc/Makefile lib/isc/unix/include/pkcs11/Makefile 
@@ -525,7 +525,7 @@ index 4a8549e..6a19906 100644 rm -f include/dns/rdatastruct.h rm -f dnstap.pb-c.c dnstap.pb-c.h include/dns/dnstap.pb-c.h diff --git a/lib/isc-pkcs11/Makefile.in b/lib/isc-pkcs11/Makefile.in -index ba53ef1..d1f1771 100644 +index 98acfff..2fd6981 100644 --- a/lib/isc-pkcs11/Makefile.in +++ b/lib/isc-pkcs11/Makefile.in @@ -23,8 +23,8 @@ CINCLUDES = -I${srcdir}/unix/include \ @@ -539,7 +539,7 @@ index ba53ef1..d1f1771 100644 CWARNINGS = # Alphabetically -@@ -107,40 +107,40 @@ version.@O@: version.c +@@ -103,40 +103,40 @@ version.@O@: version.c -DLIBAGE=${LIBAGE} \ -c ${srcdir}/version.c diff --git a/bind-9.11-fips-code.patch b/bind-9.11-fips-code.patch index 2dccdea..f4973a6 100644 --- a/bind-9.11-fips-code.patch +++ b/bind-9.11-fips-code.patch @@ -1,11 +1,13 @@ -From fb8665aebd79ea33cb255f578544e1738f5bbb58 Mon Sep 17 00:00:00 2001 +From 9fa0831af989818eb6f908815967590e56a19ab1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Thu, 2 Aug 2018 23:34:45 +0200 -Subject: [PATCH 1/2] Squashed commit of the following: +Subject: [PATCH] FIPS code changes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit +Squashed commit of the following: + commit b49f70ce0575b6b52a71b90fe0376dbf16f92c6b Author: Petr Menšík Date: Mon Jan 22 14:12:37 2018 +0100 @@ -95,7 +97,7 @@ Date: Mon Jan 22 07:21:04 2018 +0100 Add runtime detection whether MD5 is useable. --- bin/confgen/keygen.c | 10 ++++- - bin/confgen/rndc-confgen.c | 36 +++++------------- + bin/confgen/rndc-confgen.c | 32 ++++------------ bin/dig/dig.c | 7 ++-- bin/dig/dighost.c | 14 +++++-- bin/dnssec/dnssec-keygen.c | 14 +++++++ 
@@ -104,12 +106,12 @@ Date: Mon Jan 22 07:21:04 2018 +0100 bin/rndc/rndc.c | 3 +- bin/tests/optional/hash_test.c | 78 ++++++++++++++++++++------------------- bin/tests/system/tkey/keycreate.c | 3 ++ - bin/tests/system/tkey/keydelete.c | 18 ++++++--- + bin/tests/system/tkey/keydelete.c | 17 ++++++--- lib/bind9/check.c | 10 +++++ lib/dns/dst_api.c | 23 ++++++++---- lib/dns/dst_internal.h | 3 +- lib/dns/dst_parse.c | 18 +++++++-- - lib/dns/hmac_link.c | 20 +++------- + lib/dns/hmac_link.c | 18 ++------- lib/dns/opensslrsa_link.c | 6 +++ lib/dns/pkcs11rsa_link.c | 33 +++++++++++++++-- lib/dns/rcode.c | 21 ++++++++++- @@ -120,13 +122,13 @@ Date: Mon Jan 22 07:21:04 2018 +0100 lib/dns/tsig.c | 17 +++++---- lib/isc/include/isc/md5.h | 3 ++ lib/isc/md5.c | 59 +++++++++++++++++++++++++++++ - lib/isc/pk11.c | 58 ++++++++++++++++++++--------- + lib/isc/pk11.c | 44 +++++++++++++++------- lib/isc/tests/hash_test.c | 9 +++-- lib/isccc/cc.c | 42 +++++++++++++-------- - 29 files changed, 424 insertions(+), 177 deletions(-) + 29 files changed, 409 insertions(+), 171 deletions(-) diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c -index 453c641dba..11cc54dd46 100644 +index 8931ad5..5015abb 100644 --- a/bin/confgen/keygen.c +++ b/bin/confgen/keygen.c @@ -22,6 +22,7 @@ @@ -150,7 +152,7 @@ index 453c641dba..11cc54dd46 100644 switch (alg) { #ifndef PK11_MD5_DISABLE case DST_ALG_HMACMD5: -+ if (isc_md5_available() == ISC_FALSE) { ++ if (!isc_md5_available()) { + fatal("unsupported algorithm %d\n", alg); + } else if (keysize < 1 || keysize > 512) { + fatal("keysize %d out of range (must be 1-512)\n", @@ -161,10 +163,10 @@ index 453c641dba..11cc54dd46 100644 case DST_ALG_HMACSHA1: case DST_ALG_HMACSHA224: diff --git a/bin/confgen/rndc-confgen.c b/bin/confgen/rndc-confgen.c -index 2925baf32f..d7d8418073 100644 +index 5ca3d76..6b7790a 100644 --- a/bin/confgen/rndc-confgen.c +++ b/bin/confgen/rndc-confgen.c -@@ -35,6 +35,7 @@ +@@ -36,6 +36,7 @@ #include #include #include 
@@ -172,16 +174,16 @@ index 2925baf32f..d7d8418073 100644 #include #include #include -@@ -62,7 +63,7 @@ const char *progname; +@@ -63,7 +64,7 @@ const char *progname; - isc_boolean_t verbose = ISC_FALSE; + bool verbose = false; -const char *keyfile, *keydef; +const char *keyfile, *keydef, *algdef; ISC_PLATFORM_NORETURN_PRE static void usage(int status) ISC_PLATFORM_NORETURN_POST; -@@ -70,13 +71,12 @@ usage(int status) ISC_PLATFORM_NORETURN_POST; +@@ -71,13 +72,12 @@ usage(int status) ISC_PLATFORM_NORETURN_POST; static void usage(int status) { @@ -196,7 +198,7 @@ index 2925baf32f..d7d8418073 100644 -b bits: from 1 through 512, default 256; total length of the secret\n\ -c keyfile: specify an alternate key file (requires -a)\n\ -k keyname: the name as it will be used in named.conf and rndc.conf\n\ -@@ -85,24 +85,7 @@ Usage:\n\ +@@ -86,24 +86,7 @@ Usage:\n\ -s addr: the address to which rndc should connect\n\ -t chrootdir: write a keyfile in chrootdir as well (requires -a)\n\ -u user: set the keyfile owner to \"user\" (requires -a)\n", @@ -222,31 +224,27 @@ index 2925baf32f..d7d8418073 100644 exit (status); } -@@ -138,13 +121,14 @@ main(int argc, char **argv) { +@@ -139,11 +122,12 @@ main(int argc, char **argv) { progname = program; keyname = DEFAULT_KEYNAME; -#ifndef PK11_MD5_DISABLE - alg = DST_ALG_HMACMD5; -#else -- alg = DST_ALG_HMACSHA256; --#endif - serveraddr = DEFAULT_SERVER; - port = DEFAULT_PORT; -+ alg = DST_ALG_HMACSHA256; + alg = DST_ALG_HMACSHA256; +#ifndef PK11_MD5_DISABLE + if (isc_md5_available()) + alg = DST_ALG_HMACMD5; -+#endif + #endif + algdef = alg_totext(alg); - - isc_commandline_errprint = ISC_FALSE; + serveraddr = DEFAULT_SERVER; + port = DEFAULT_PORT; diff --git a/bin/dig/dig.c b/bin/dig/dig.c -index d4808ada67..9dff7c8ecd 100644 +index 39f74be..597e830 100644 --- a/bin/dig/dig.c +++ b/bin/dig/dig.c -@@ -17,6 +17,7 @@ +@@ -20,6 +20,7 @@ #include #include 
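Review bot: The default key algorithm set in rndc-confgen.c `main()` is still `DST_ALG_HMACMD5` whenever `isc_md5_available()` succeeds, so the runtime probe only changes the default on hosts where the crypto library refuses MD5. Every other host keeps generating HMAC-MD5 control-channel keys unless an algorithm is requested explicitly. If that is deliberate for upstream compatibility, a comment above the probe such as `/* keep upstream default (hmac-md5) unless MD5 is refused at runtime */` would record it; otherwise leaving `alg = DST_ALG_HMACSHA256;` unconditional gives the same, stronger default everywhere. The body of main() continues outside the hunk.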
@@ -254,7 +252,7 @@ index d4808ada67..9dff7c8ecd 100644 #include #include #include -@@ -1757,10 +1758,10 @@ dash_option(char *option, char *next, dig_lookup_t **lookup, +@@ -1760,10 +1761,10 @@ dash_option(char *option, char *next, dig_lookup_t **lookup, ptr = ptr2; ptr2 = ptr3; } else { @@ -269,10 +267,10 @@ index d4808ada67..9dff7c8ecd 100644 digestbits = 0; } diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c -index ecefc98453..94c428ed30 100644 +index 1fa711a..341ed80 100644 --- a/bin/dig/dighost.c +++ b/bin/dig/dighost.c -@@ -77,6 +77,7 @@ +@@ -80,6 +80,7 @@ #include #include #include @@ -280,7 +278,7 @@ index ecefc98453..94c428ed30 100644 #include #include #include -@@ -1243,9 +1244,10 @@ parse_hmac(const char *hmac) { +@@ -1246,9 +1247,10 @@ parse_hmac(const char *hmac) { digestbits = 0; #ifndef PK11_MD5_DISABLE @@ -293,7 +291,7 @@ index ecefc98453..94c428ed30 100644 hmacname = DNS_TSIG_HMACMD5_NAME; digestbits = parse_bits(&buf[9], "digest-bits [0..128]", 128); } else -@@ -1365,7 +1367,13 @@ setup_file_key(void) { +@@ -1368,7 +1370,13 @@ setup_file_key(void) { switch (dst_key_alg(dstkey)) { #ifndef PK11_MD5_DISABLE case DST_ALG_HMACMD5: @@ -309,10 +307,10 @@ index ecefc98453..94c428ed30 100644 #endif case DST_ALG_HMACSHA1: diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c -index 6fc3ab0979..fc04356ed4 100644 +index 1476d0d..f5c9316 100644 --- a/bin/dnssec/dnssec-keygen.c +++ b/bin/dnssec/dnssec-keygen.c -@@ -34,6 +34,7 @@ +@@ -36,6 +36,7 @@ #include #include #include @@ -320,7 +318,7 @@ index 6fc3ab0979..fc04356ed4 100644 #include #include #include -@@ -560,6 +561,19 @@ main(int argc, char **argv) { +@@ -562,6 +563,19 @@ main(int argc, char **argv) { "\"-a RSAMD5\"\n"); INSIST(freeit == NULL); return (1); 
@@ -333,7 +331,7 @@ index 6fc3ab0979..fc04356ed4 100644 + return (1); + } + } else if (strcasecmp(algname, "RSAMD5") == 0 && -+ isc_md5_available() == ISC_FALSE) { ++ !isc_md5_available()) { + fprintf(stderr, "The use of RSAMD5 was disabled\n"); + INSIST(freeit == NULL); + return (1); @@ -341,10 +339,10 @@ index 6fc3ab0979..fc04356ed4 100644 alg = DST_ALG_HMACMD5; #else diff --git a/bin/named/config.c b/bin/named/config.c -index 54bc37fff7..c50f759ddd 100644 +index 2732a8f..2c4c93c 100644 --- a/bin/named/config.c +++ b/bin/named/config.c -@@ -17,6 +17,7 @@ +@@ -18,6 +18,7 @@ #include #include @@ -352,14 +350,14 @@ index 54bc37fff7..c50f759ddd 100644 #include #include #include -@@ -966,6 +967,21 @@ ns_config_getkeyalgorithm(const char *str, dns_name_t **name, +@@ -967,6 +968,21 @@ ns_config_getkeyalgorithm(const char *str, dns_name_t **name, return (ns_config_getkeyalgorithm2(str, name, NULL, digestbits)); } +static inline int +algorithms_start() { +#ifndef PK11_MD5_DISABLE -+ if (isc_md5_available() == ISC_FALSE) { ++ if (!isc_md5_available()) { + int i = 0; + while (algorithms[i].str != NULL && + algorithms[i].hmac == hmacmd5) { @@ -373,9 +371,9 @@ index 54bc37fff7..c50f759ddd 100644 + isc_result_t ns_config_getkeyalgorithm2(const char *str, dns_name_t **name, - unsigned int *typep, isc_uint16_t *digestbits) -@@ -975,7 +991,7 @@ ns_config_getkeyalgorithm2(const char *str, dns_name_t **name, - isc_uint16_t bits; + unsigned int *typep, uint16_t *digestbits) +@@ -976,7 +992,7 @@ ns_config_getkeyalgorithm2(const char *str, dns_name_t **name, + uint16_t bits; isc_result_t result; - for (i = 0; algorithms[i].str != NULL; i++) { 
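Review bot: `algorithms_start()` in bin/named/config.c hides hmac-md5 only if every `hmacmd5` row sits at the front of `algorithms[]`, because it just skips leading entries, and nothing in the hunk states or enforces that ordering. A comment on the helper, e.g. `/* relies on all hmacmd5 entries being first in algorithms[]; returns the index of the first usable entry */`, would keep a later table reorder from silently re-enabling the algorithm. The same prefix assumption is made by the `secalgs` walk in lib/dns/rcode.c (`algs->value == DNS_KEYALG_RSAMD5`). The definition should also read `algorithms_start(void)`, since empty parentheses leave the parameter list unspecified in C. The function body continues in the following hunk.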
@@ -383,7 +381,7 @@ index 54bc37fff7..c50f759ddd 100644 len = strlen(algorithms[i].str); if (strncasecmp(algorithms[i].str, str, len) == 0 && (str[len] == '\0' || -@@ -998,7 +1014,12 @@ ns_config_getkeyalgorithm2(const char *str, dns_name_t **name, +@@ -999,7 +1015,12 @@ ns_config_getkeyalgorithm2(const char *str, dns_name_t **name, if (name != NULL) { switch (algorithms[i].hmac) { #ifndef PK11_MD5_DISABLE @@ -398,10 +396,10 @@ index 54bc37fff7..c50f759ddd 100644 case hmacsha1: *name = dns_tsig_hmacsha1_name; break; case hmacsha224: *name = dns_tsig_hmacsha224_name; break; diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c -index 6967b49754..bb5d50038f 100644 +index 8d1da3b..5eefc57 100644 --- a/bin/nsupdate/nsupdate.c +++ b/bin/nsupdate/nsupdate.c -@@ -29,6 +29,7 @@ +@@ -31,6 +31,7 @@ #include #include #include @@ -409,7 +407,7 @@ index 6967b49754..bb5d50038f 100644 #include #include #include -@@ -474,9 +475,10 @@ parse_hmac(dns_name_t **hmac, const char *hmacstr, size_t len, +@@ -476,9 +477,10 @@ parse_hmac(dns_name_t **hmac, const char *hmacstr, size_t len, strlcpy(buf, hmacstr, ISC_MIN(len + 1, sizeof(buf))); #ifndef PK11_MD5_DISABLE @@ -422,7 +420,7 @@ index 6967b49754..bb5d50038f 100644 *hmac = DNS_TSIG_HMACMD5_NAME; result = isc_parse_uint16(&digestbits, &buf[9], 10); if (result != ISC_R_SUCCESS || digestbits > 128) { -@@ -589,10 +591,10 @@ setup_keystr(void) { +@@ -591,10 +593,10 @@ setup_keystr(void) { exit(1); } } else { @@ -436,7 +434,7 @@ index 6967b49754..bb5d50038f 100644 #endif name = keystr; n = s; -@@ -729,7 +731,8 @@ setup_keyfile(isc_mem_t *mctx, isc_log_t *lctx) { +@@ -731,7 +733,8 @@ setup_keyfile(isc_mem_t *mctx, isc_log_t *lctx) { switch (dst_key_alg(dstkey)) { #ifndef PK11_MD5_DISABLE case DST_ALG_HMACMD5: 
@@ -446,7 +444,7 @@ index 6967b49754..bb5d50038f 100644 break; #endif case DST_ALG_HMACSHA1: -@@ -1604,12 +1607,13 @@ evaluate_key(char *cmdline) { +@@ -1606,12 +1609,13 @@ evaluate_key(char *cmdline) { return (STATUS_SYNTAX); } namestr = n + 1; @@ -465,10 +463,10 @@ index 6967b49754..bb5d50038f 100644 isc_buffer_init(&b, namestr, strlen(namestr)); isc_buffer_add(&b, strlen(namestr)); diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c -index 5c29caf86b..617b06b4a1 100644 +index 9eb0ce0..8083654 100644 --- a/bin/rndc/rndc.c +++ b/bin/rndc/rndc.c -@@ -21,6 +21,7 @@ +@@ -23,6 +23,7 @@ #include #include #include @@ -476,7 +474,7 @@ index 5c29caf86b..617b06b4a1 100644 #include #include #include -@@ -634,7 +635,7 @@ parse_config(isc_mem_t *mctx, isc_log_t *log, const char *keyname, +@@ -636,7 +637,7 @@ parse_config(isc_mem_t *mctx, isc_log_t *log, const char *keyname, algorithmstr = cfg_obj_asstring(algorithmobj); #ifndef PK11_MD5_DISABLE @@ -486,7 +484,7 @@ index 5c29caf86b..617b06b4a1 100644 else #endif diff --git a/bin/tests/optional/hash_test.c b/bin/tests/optional/hash_test.c -index bf2891ad4c..b5f0a1c5f5 100644 +index bf2891a..b5f0a1c 100644 --- a/bin/tests/optional/hash_test.c +++ b/bin/tests/optional/hash_test.c @@ -90,43 +90,47 @@ main(int argc, char **argv) { @@ -575,7 +573,7 @@ index bf2891ad4c..b5f0a1c5f5 100644 /* diff --git a/bin/tests/system/tkey/keycreate.c b/bin/tests/system/tkey/keycreate.c -index 2a0ee94888..489f4390dc 100644 +index 5a00f86..653c951 100644 --- a/bin/tests/system/tkey/keycreate.c +++ b/bin/tests/system/tkey/keycreate.c @@ -20,6 +20,7 @@ @@ -590,30 +588,29 @@ index 2a0ee94888..489f4390dc 100644 static char keystr[] = "0123456789ab"; isc_event_free(&event); -+ if (isc_md5_available() == ISC_FALSE) ++ if (!isc_md5_available()) + CHECK("MD5 was disabled", ISC_R_NOTIMPLEMENTED); result = ISC_R_FAILURE; if (inet_pton(AF_INET, "10.53.0.1", &inaddr) != 1) 
diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c -index 7057c318e4..36ee6c7d21 100644 +index bde66a4..70a40c3 100644 --- a/bin/tests/system/tkey/keydelete.c +++ b/bin/tests/system/tkey/keydelete.c -@@ -225,12 +225,18 @@ main(int argc, char **argv) { +@@ -225,12 +225,17 @@ main(int argc, char **argv) { result = dst_key_fromnamedfile(keyname, NULL, type, mctx, &dstkey); CHECK("dst_key_fromnamedfile", result); #ifndef PK11_MD5_DISABLE - result = dns_tsigkey_createfromkey(dst_key_name(dstkey), - DNS_TSIG_HMACMD5_NAME, -- dstkey, ISC_TRUE, NULL, 0, 0, +- dstkey, true, NULL, 0, 0, - mctx, ring, &tsigkey); - dst_key_free(&dstkey); - CHECK("dns_tsigkey_createfromkey", result); + if (isc_md5_available()) { + result = dns_tsigkey_createfromkey(dst_key_name(dstkey), + DNS_TSIG_HMACMD5_NAME, -+ dstkey, ISC_TRUE, -+ NULL, 0, 0, ++ dstkey, true, NULL, 0, 0, + mctx, ring, &tsigkey); + dst_key_free(&dstkey); + CHECK("dns_tsigkey_createfromkey", result); @@ -625,10 +622,10 @@ index 7057c318e4..36ee6c7d21 100644 dst_key_free(&dstkey); CHECK("MD5 was disabled", ISC_R_NOTIMPLEMENTED); diff --git a/lib/bind9/check.c b/lib/bind9/check.c -index 3da83a7ae2..1a3d534799 100644 +index d32a5a1..c749c27 100644 --- a/lib/bind9/check.c +++ b/lib/bind9/check.c -@@ -21,6 +21,7 @@ +@@ -23,6 +23,7 @@ #include #include #include @@ -636,13 +633,13 @@ index 3da83a7ae2..1a3d534799 100644 #include #include #include -@@ -2572,6 +2573,15 @@ bind9_check_key(const cfg_obj_t *key, isc_log_t *logctx) { +@@ -2592,6 +2593,15 @@ bind9_check_key(const cfg_obj_t *key, isc_log_t *logctx) { } algorithm = cfg_obj_asstring(algobj); +#ifndef PK11_MD5_DISABLE + /* Skip hmac-md5* algorithms */ -+ if (isc_md5_available() == ISC_FALSE && ++ if (!isc_md5_available() && + strncasecmp(algorithm, "hmac-md5", 8) == 0) { + cfg_obj_log(algobj, logctx, ISC_LOG_ERROR, + "disabled algorithm '%s'", algorithm); 
@@ -653,10 +650,10 @@ index 3da83a7ae2..1a3d534799 100644 len = strlen(algorithms[i].name); if (strncasecmp(algorithms[i].name, algorithm, len) == 0 && diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c -index 4f3d6ac55c..dbece0ac56 100644 +index 97fee68..5703f9c 100644 --- a/lib/dns/dst_api.c +++ b/lib/dns/dst_api.c -@@ -190,6 +190,12 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx, +@@ -192,6 +192,12 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx, dst_result_register(); memset(dst_t_func, 0, sizeof(dst_t_func)); @@ -669,7 +666,7 @@ index 4f3d6ac55c..dbece0ac56 100644 #ifndef PK11_MD5_DISABLE RETERR(dst__hmacmd5_init(&dst_t_func[DST_ALG_HMACMD5])); #endif -@@ -199,7 +205,6 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx, +@@ -201,7 +207,6 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx, RETERR(dst__hmacsha384_init(&dst_t_func[DST_ALG_HMACSHA384])); RETERR(dst__hmacsha512_init(&dst_t_func[DST_ALG_HMACSHA512])); #ifdef OPENSSL @@ -677,7 +674,7 @@ index 4f3d6ac55c..dbece0ac56 100644 #ifndef PK11_MD5_DISABLE RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSAMD5], DST_ALG_RSAMD5)); -@@ -233,14 +238,18 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx, +@@ -235,14 +240,18 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx, RETERR(dst__openssleddsa_init(&dst_t_func[DST_ALG_ED448])); #endif #elif PKCS11CRYPTO @@ -703,10 +700,10 @@ index 4f3d6ac55c..dbece0ac56 100644 RETERR(dst__pkcs11dsa_init(&dst_t_func[DST_ALG_DSA])); RETERR(dst__pkcs11dsa_init(&dst_t_func[DST_ALG_NSEC3DSA])); diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h -index 640519a5ba..deb7ed4e13 100644 +index 6ee796c..3e55d44 100644 --- a/lib/dns/dst_internal.h 
+++ b/lib/dns/dst_internal.h -@@ -245,7 +245,8 @@ isc_result_t dst__hmacsha384_init(struct dst_func **funcp); +@@ -250,7 +250,8 @@ isc_result_t dst__hmacsha384_init(struct dst_func **funcp); isc_result_t dst__hmacsha512_init(struct dst_func **funcp); isc_result_t dst__opensslrsa_init(struct dst_func **funcp, unsigned char algorithm); @@ -717,10 +714,10 @@ index 640519a5ba..deb7ed4e13 100644 isc_result_t dst__openssldsa_init(struct dst_func **funcp); isc_result_t dst__pkcs11dsa_init(struct dst_func **funcp); diff --git a/lib/dns/dst_parse.c b/lib/dns/dst_parse.c -index b0e5c895c6..03f2b8ace8 100644 +index f31c33d..87023a6 100644 --- a/lib/dns/dst_parse.c +++ b/lib/dns/dst_parse.c -@@ -30,6 +30,7 @@ +@@ -33,6 +33,7 @@ #include #include #include @@ -728,7 +725,7 @@ index b0e5c895c6..03f2b8ace8 100644 #include #include #include -@@ -393,6 +394,10 @@ check_data(const dst_private_t *priv, const unsigned int alg, +@@ -396,6 +397,10 @@ check_data(const dst_private_t *priv, const unsigned int alg, switch (alg) { #ifndef PK11_MD5_DISABLE case DST_ALG_RSAMD5: @@ -739,7 +736,7 @@ index b0e5c895c6..03f2b8ace8 100644 #endif case DST_ALG_RSASHA1: case DST_ALG_NSEC3RSASHA1: -@@ -418,7 +423,10 @@ check_data(const dst_private_t *priv, const unsigned int alg, +@@ -421,7 +426,10 @@ check_data(const dst_private_t *priv, const unsigned int alg, return (check_eddsa(priv, external)); #ifndef PK11_MD5_DISABLE case DST_ALG_HMACMD5: 
@@ -751,36 +748,35 @@ index b0e5c895c6..03f2b8ace8 100644 #endif case DST_ALG_HMACSHA1: return (check_hmac_sha(priv, HMACSHA1_NTAGS, alg)); -@@ -637,11 +645,13 @@ dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex, +@@ -640,11 +648,13 @@ dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex, } #ifdef PK11_MD5_DISABLE - check = check_data(priv, alg == DST_ALG_RSA ? DST_ALG_RSASHA1 : alg, -- ISC_TRUE, external); +- true, external); + if (alg == DST_ALG_RSA) + alg = DST_ALG_RSASHA1; #else -- check = check_data(priv, alg, ISC_TRUE, external); -+ if (isc_md5_available() == ISC_FALSE && alg == DST_ALG_RSA) +- check = check_data(priv, alg, true, external); ++ if (!isc_md5_available() && alg == DST_ALG_RSA) + alg = DST_ALG_RSASHA1; #endif -+ check = check_data(priv, alg, ISC_TRUE, external); ++ check = check_data(priv, alg, true, external); if (check < 0) { ret = DST_R_INVALIDPRIVATEKEY; goto fail; diff --git a/lib/dns/hmac_link.c b/lib/dns/hmac_link.c -index 59aa4705e5..21bfa44450 100644 +index 94e73b1..d904075 100644 --- a/lib/dns/hmac_link.c +++ b/lib/dns/hmac_link.c -@@ -338,25 +338,17 @@ static dst_func_t hmacmd5_functions = { +@@ -340,20 +340,10 @@ static dst_func_t hmacmd5_functions = { isc_result_t dst__hmacmd5_init(dst_func_t **funcp) { -#ifdef HAVE_FIPS_MODE - /* +- /* - * Problems from OpenSSL are likely from FIPS mode -+ * Prevent use of incorrect crypto - */ +- */ - int fips_mode = FIPS_mode(); - - if (fips_mode != 0) { 
@@ -789,26 +785,20 @@ index 59aa4705e5..21bfa44450 100644 - "if the value is 0.\n" - "Please disable either FIPS mode or MD5.", - fips_mode); +- } +-#endif + -+#ifndef PK11_MD5_DISABLE -+ if (isc_md5_available() == ISC_FALSE) { -+ /* Intentionally skip initialization */ ++ /* Intentionally skip initialization */ ++ if (!isc_md5_available()) + return (ISC_R_SUCCESS); - } - #endif - -- /* -- * Prevent use of incorrect crypto -- */ -- - RUNTIME_CHECK(isc_md5_check(ISC_FALSE)); - RUNTIME_CHECK(isc_hmacmd5_check(0)); + /* + * Prevent use of incorrect crypto diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c -index f4847bbe74..126cebca19 100644 +index c03fd72..49b66fc 100644 --- a/lib/dns/opensslrsa_link.c +++ b/lib/dns/opensslrsa_link.c -@@ -1801,6 +1801,12 @@ dst__opensslrsa_init(dst_func_t **funcp, unsigned char algorithm) { +@@ -1802,6 +1802,12 @@ dst__opensslrsa_init(dst_func_t **funcp, unsigned char algorithm) { if (*funcp == NULL) { switch (algorithm) { @@ -822,10 +812,10 @@ index f4847bbe74..126cebca19 100644 #if defined(HAVE_EVP_SHA256) || !USE_EVP *funcp = &opensslrsa_functions; diff --git a/lib/dns/pkcs11rsa_link.c b/lib/dns/pkcs11rsa_link.c -index 56955203e9..af6008d4dd 100644 +index eb782c8..46fd844 100644 --- a/lib/dns/pkcs11rsa_link.c +++ b/lib/dns/pkcs11rsa_link.c -@@ -94,10 +94,15 @@ pkcs11rsa_createctx_sign(dst_key_t *key, dst_context_t *dctx) { +@@ -96,10 +96,15 @@ pkcs11rsa_createctx_sign(dst_key_t *key, dst_context_t *dctx) { #endif /* 
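Review bot: In `dst__hmacmd5_init()` the early `return (ISC_R_SUCCESS);` leaves `*funcp` untouched, so the caller is told initialization succeeded although no HMAC-MD5 function table was registered; the comment `/* Intentionally skip initialization */` does not explain that this is how the algorithm ends up unavailable. I would expand it to something like `/* MD5 refused at runtime: leave *funcp NULL so HMAC-MD5 stays unregistered, without failing library init */`. The new side also drops the `#ifndef PK11_MD5_DISABLE` guard around the call, while the md5.h hunk declares `isc_md5_available()` inside that guard, so it is worth confirming this function is only compiled when MD5 is enabled. The rest of the function lies outside the hunk.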
@@ -835,44 +825,44 @@ index 56955203e9..af6008d4dd 100644 switch (dctx->key->key_alg) { case DST_ALG_RSAMD5: +#ifndef PK11_MD5_DISABLE -+ if (isc_md5_available() == ISC_FALSE) ++ if (!isc_md5_available()) + return (ISC_R_FAILURE); +#endif + /* FALLTHROUGH */ case DST_ALG_RSASHA1: case DST_ALG_NSEC3RSASHA1: /* From RFC 3110 */ -@@ -634,6 +639,9 @@ pkcs11rsa_createctx(dst_key_t *key, dst_context_t *dctx) { +@@ -636,6 +641,9 @@ pkcs11rsa_createctx(dst_key_t *key, dst_context_t *dctx) { switch (key->key_alg) { #ifndef PK11_MD5_DISABLE case DST_ALG_RSAMD5: -+ if (isc_md5_available() == ISC_FALSE) ++ if (!isc_md5_available()) + return (ISC_R_FAILURE); + mech.mechanism = CKM_MD5; break; #endif -@@ -790,6 +798,9 @@ pkcs11rsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { +@@ -792,6 +800,9 @@ pkcs11rsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { switch (key->key_alg) { #ifndef PK11_MD5_DISABLE case DST_ALG_RSAMD5: -+ if (isc_md5_available() == ISC_FALSE) ++ if (!isc_md5_available()) + return (ISC_R_FAILURE); + der = md5_der; derlen = sizeof(md5_der); hashlen = ISC_MD5_DIGESTLENGTH; -@@ -1014,6 +1025,9 @@ pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) { +@@ -1016,6 +1027,9 @@ pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) { switch (key->key_alg) { #ifndef PK11_MD5_DISABLE case DST_ALG_RSAMD5: -+ if (isc_md5_available() == ISC_FALSE) ++ if (!isc_md5_available()) + return (ISC_R_FAILURE); + der = md5_der; derlen = sizeof(md5_der); hashlen = ISC_MD5_DIGESTLENGTH; -@@ -2217,11 +2231,22 @@ static dst_func_t pkcs11rsa_functions = { +@@ -2219,11 +2233,22 @@ static dst_func_t pkcs11rsa_functions = { }; isc_result_t @@ -899,18 +889,18 @@ index 56955203e9..af6008d4dd 100644 } diff --git a/lib/dns/rcode.c b/lib/dns/rcode.c -index 937d8fc1ec..d1fa8d5870 100644 +index 6a5948e..010dd1b 100644 --- a/lib/dns/rcode.c 
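Review bot: The added `if (!isc_md5_available()) return (ISC_R_FAILURE);` checks in `pkcs11rsa_createctx()`, `pkcs11rsa_sign()` and `pkcs11rsa_verify()` return straight out of the `switch (key->key_alg)`, and the code before each switch is outside the hunks, so it is not visible whether a PKCS#11 context or session has already been acquired at that point. If one has, the direct return would bypass the function's cleanup; the check should then move to the top of the function or go through whatever error exit the function already uses. The failure is also indistinguishable from any other error; a result that names the cause (the tkey.c change in this patch uses `ISC_R_NOTIMPLEMENTED`) would be easier to diagnose than `ISC_R_FAILURE`.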
+++ b/lib/dns/rcode.c -@@ -14,6 +14,7 @@ - #include +@@ -16,6 +16,7 @@ + #include #include +#include #include #include #include -@@ -347,17 +348,33 @@ dns_cert_totext(dns_cert_t cert, isc_buffer_t *target) { +@@ -349,17 +350,33 @@ dns_cert_totext(dns_cert_t cert, isc_buffer_t *target) { return (dns_mnemonic_totext(cert, target, certs)); } @@ -919,7 +909,7 @@ index 937d8fc1ec..d1fa8d5870 100644 + struct tbl *algs = secalgs; + +#ifndef PK11_MD5_DISABLE -+ if (isc_md5_available() == ISC_FALSE) { ++ if (!isc_md5_available()) { + while (algs->name != NULL && + algs->value == DNS_KEYALG_RSAMD5) + ++algs; @@ -947,7 +937,7 @@ index 937d8fc1ec..d1fa8d5870 100644 void diff --git a/lib/dns/tests/rsa_test.c b/lib/dns/tests/rsa_test.c -index 224cf5b475..44040dd8b7 100644 +index fb207ef..3ef0a4e 100644 --- a/lib/dns/tests/rsa_test.c +++ b/lib/dns/tests/rsa_test.c @@ -19,6 +19,7 @@ @@ -967,10 +957,10 @@ index 224cf5b475..44040dd8b7 100644 + key->key_alg = DST_ALG_RSAMD5; - ret = dst_context_create3(key, mctx, DNS_LOGCATEGORY_DNSSEC, -- ISC_FALSE, &ctx); +- false, &ctx); - ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS); + ret = dst_context_create3(key, mctx, DNS_LOGCATEGORY_DNSSEC, -+ ISC_FALSE, &ctx); ++ false, &ctx); + ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS); - r.base = d; @@ -998,7 +988,7 @@ index 224cf5b475..44040dd8b7 100644 /* RSASHA256 */ diff --git a/lib/dns/tests/tsig_test.c b/lib/dns/tests/tsig_test.c -index ee025c2387..c403d9954d 100644 +index 443fb36..f003ff3 100644 --- a/lib/dns/tests/tsig_test.c +++ b/lib/dns/tests/tsig_test.c @@ -14,6 +14,7 @@ @@ -1010,24 +1000,24 @@ index ee025c2387..c403d9954d 100644 #include diff --git a/lib/dns/tkey.c b/lib/dns/tkey.c -index d9f68e50b1..a8edde47b5 100644 +index 5b4ffd9..cc3469d 100644 --- a/lib/dns/tkey.c 
+++ b/lib/dns/tkey.c -@@ -242,6 +242,9 @@ compute_secret(isc_buffer_t *shared, isc_region_t *queryrandomness, +@@ -245,6 +245,9 @@ compute_secret(isc_buffer_t *shared, isc_region_t *queryrandomness, unsigned char digests[32]; unsigned int i; -+ if (isc_md5_available() == ISC_FALSE) ++ if (!isc_md5_available()) + return (ISC_R_NOTIMPLEMENTED); + isc_buffer_usedregion(shared, &r); /* -@@ -318,6 +321,12 @@ process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name, +@@ -321,6 +324,12 @@ process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name, } #ifndef PK11_MD5_DISABLE -+ if (isc_md5_available() == ISC_FALSE) { ++ if (!isc_md5_available()) { + tkey_log("process_dhtkey: MD5 was disabled"); + tkeyout->error = dns_tsigerror_badalg; + return (ISC_R_SUCCESS); @@ -1037,7 +1027,7 @@ index d9f68e50b1..a8edde47b5 100644 tkey_log("process_dhtkey: algorithms other than " "hmac-md5 are not supported"); diff --git a/lib/dns/tsec.c b/lib/dns/tsec.c -index a367291f23..37baad7437 100644 +index c5eca0e..19b9002 100644 --- a/lib/dns/tsec.c +++ b/lib/dns/tsec.c @@ -11,6 +11,7 @@ @@ -1063,10 +1053,10 @@ index a367291f23..37baad7437 100644 #endif case DST_ALG_HMACSHA1: diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c -index bdcc581bc3..70805bb709 100644 +index a94ec69..f74c831 100644 --- a/lib/dns/tsig.c +++ b/lib/dns/tsig.c -@@ -270,7 +270,8 @@ dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm, +@@ -273,7 +273,8 @@ dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm, (void)dns_name_downcase(&tkey->name, &tkey->name, NULL); #ifndef PK11_MD5_DISABLE @@ -1076,7 +1066,7 @@ index bdcc581bc3..70805bb709 100644 tkey->algorithm = DNS_TSIG_HMACMD5_NAME; if (dstkey != NULL && dst_key_alg(dstkey) != DST_ALG_HMACMD5) { ret = DNS_R_BADALG; -@@ -496,7 +497,8 @@ destroyring(dns_tsig_keyring_t *ring) { +@@ -499,7 +500,8 @@ destroyring(dns_tsig_keyring_t *ring) { static unsigned int dst_alg_fromname(dns_name_t *algorithm) { #ifndef PK11_MD5_DISABLE 
@@ -1086,7 +1076,7 @@ index bdcc581bc3..70805bb709 100644 return (DST_ALG_HMACMD5); } else #endif -@@ -680,7 +682,8 @@ dns_tsigkey_create(dns_name_t *name, dns_name_t *algorithm, +@@ -683,7 +685,8 @@ dns_tsigkey_create(dns_name_t *name, dns_name_t *algorithm, REQUIRE(secret != NULL); #ifndef PK11_MD5_DISABLE @@ -1096,7 +1086,7 @@ index bdcc581bc3..70805bb709 100644 if (secret != NULL) { isc_buffer_t b; -@@ -1280,7 +1283,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, +@@ -1283,7 +1286,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, return (ret); if ( #ifndef PK11_MD5_DISABLE @@ -1105,7 +1095,7 @@ index bdcc581bc3..70805bb709 100644 #endif alg == DST_ALG_HMACSHA1 || alg == DST_ALG_HMACSHA224 || alg == DST_ALG_HMACSHA256 || -@@ -1449,7 +1452,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, +@@ -1452,7 +1455,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, if ( #ifndef PK11_MD5_DISABLE @@ -1114,7 +1104,7 @@ index bdcc581bc3..70805bb709 100644 #endif alg == DST_ALG_HMACSHA1 || alg == DST_ALG_HMACSHA224 || alg == DST_ALG_HMACSHA256 || -@@ -1590,7 +1593,7 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) { +@@ -1593,7 +1596,7 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) { goto cleanup_querystruct; if ( #ifndef PK11_MD5_DISABLE @@ -1123,7 +1113,7 @@ index bdcc581bc3..70805bb709 100644 #endif alg == DST_ALG_HMACSHA1 || alg == DST_ALG_HMACSHA224 || -@@ -1769,7 +1772,7 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) { +@@ -1772,7 +1775,7 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) { goto cleanup_context; if ( #ifndef PK11_MD5_DISABLE @@ -1133,24 +1123,24 @@ index bdcc581bc3..70805bb709 100644 alg == DST_ALG_HMACSHA1 || alg == DST_ALG_HMACSHA224 || diff --git a/lib/isc/include/isc/md5.h b/lib/isc/include/isc/md5.h -index e5f46dd9c7..9d11f9f8b6 100644 +index 4d29398..e3f5cec 100644 --- a/lib/isc/include/isc/md5.h 
+++ b/lib/isc/include/isc/md5.h -@@ -89,6 +89,9 @@ isc_md5_final(isc_md5_t *ctx, unsigned char *digest); - isc_boolean_t - isc_md5_check(isc_boolean_t testing); +@@ -91,6 +91,9 @@ isc_md5_final(isc_md5_t *ctx, unsigned char *digest); + bool + isc_md5_check(bool testing); -+isc_boolean_t ++bool +isc_md5_available(void); + ISC_LANG_ENDDECLS #endif /* !PK11_MD5_DISABLE */ diff --git a/lib/isc/md5.c b/lib/isc/md5.c -index 740d863b1b..aefd16478f 100644 +index 25c71a2..934a70c 100644 --- a/lib/isc/md5.c +++ b/lib/isc/md5.c -@@ -35,6 +35,7 @@ +@@ -37,6 +37,7 @@ #include #include @@ -1158,17 +1148,17 @@ index 740d863b1b..aefd16478f 100644 #include #include #include -@@ -53,6 +54,9 @@ +@@ -55,6 +56,9 @@ #define EVP_MD_CTX_free(ptr) EVP_MD_CTX_cleanup(ptr) #endif +static isc_once_t available_once = ISC_ONCE_INIT; -+static isc_boolean_t available = ISC_FALSE; ++static bool available = false; + void isc_md5_init(isc_md5_t *ctx) { ctx->ctx = EVP_MD_CTX_new(); -@@ -84,8 +88,33 @@ isc_md5_final(isc_md5_t *ctx, unsigned char *digest) { +@@ -86,8 +90,33 @@ isc_md5_final(isc_md5_t *ctx, unsigned char *digest) { ctx->ctx = NULL; } @@ -1180,14 +1170,14 @@ index 740d863b1b..aefd16478f 100644 + + ctx->ctx = EVP_MD_CTX_new(); + RUNTIME_CHECK(ctx->ctx != NULL); -+ available = ISC_TF(EVP_DigestInit(ctx->ctx, EVP_md5()) == 1); ++ available = (EVP_DigestInit(ctx->ctx, EVP_md5()) == 1); + if (available) + (void)EVP_DigestFinal(ctx->ctx, digest, NULL); + EVP_MD_CTX_free(ctx->ctx); + ctx->ctx = NULL; +} + -+isc_boolean_t ++bool +isc_md5_available() { + RUNTIME_CHECK(isc_once_do(&available_once, do_detect_available) + == ISC_R_SUCCESS); 
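Review bot: The OpenSSL-branch definition in lib/isc/md5.c is written `isc_md5_available() {`, while the prototype this same patch adds to isc/md5.h is `isc_md5_available(void)`. An empty parameter list in a C definition does not provide a prototype, so I would write `isc_md5_available(void) {` to match the header. The PKCS#11 and built-in definitions later in the patch use the same form and should change with it. The function body continues past the end of this hunk.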
@@ -1197,12 +1187,12 @@ index 740d863b1b..aefd16478f 100644 #elif PKCS11CRYPTO +static isc_once_t available_once = ISC_ONCE_INIT; -+static isc_boolean_t available = ISC_FALSE; ++static bool available = false; + void isc_md5_init(isc_md5_t *ctx) { CK_RV rv; -@@ -128,6 +157,31 @@ isc_md5_final(isc_md5_t *ctx, unsigned char *digest) { +@@ -130,6 +159,31 @@ isc_md5_final(isc_md5_t *ctx, unsigned char *digest) { pk11_return_session(ctx); } @@ -1213,18 +1203,18 @@ index 740d863b1b..aefd16478f 100644 + CK_RV rv; + CK_MECHANISM mech = { CKM_MD5, NULL, 0 }; + -+ if (pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE, -+ ISC_FALSE, NULL, 0) == ISC_R_SUCCESS) ++ if (pk11_get_session(ctx, OP_DIGEST, true, false, ++ false, NULL, 0) == ISC_R_SUCCESS) + { + rv = pkcs_C_DigestInit(ctx->session, &mech); + isc_md5_invalidate(ctx); -+ available = (ISC_TF(rv == CKR_OK)); ++ available = (rv == CKR_OK); + } else { -+ available = ISC_FALSE; ++ available = false; + } +} + -+isc_boolean_t ++bool +isc_md5_available() { + RUNTIME_CHECK(isc_once_do(&available_once, do_detect_available) + == ISC_R_SUCCESS); @@ -1234,74 +1224,49 @@ index 740d863b1b..aefd16478f 100644 #else static void -@@ -337,6 +391,11 @@ isc_md5_final(isc_md5_t *ctx, unsigned char *digest) { +@@ -339,6 +393,11 @@ isc_md5_final(isc_md5_t *ctx, unsigned char *digest) { memmove(digest, ctx->buf, 16); isc_safe_memwipe(ctx, sizeof(*ctx)); /* In case it's sensitive */ } + -+isc_boolean_t ++bool +isc_md5_available() { -+ return ISC_TRUE; ++ return true; +} #endif /* diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c -index fc75a46154..48e1031974 100644 +index c5d2310..a01e698 100644 --- a/lib/isc/pk11.c 
+++ b/lib/isc/pk11.c -@@ -191,13 +191,12 @@ pk11_initialize(isc_mem_t *mctx, const char *engine) { - LOCK(&alloclock); - if ((mctx != NULL) && (pk11_mctx == NULL) && (allocsize == 0)) - isc_mem_attach(mctx, &pk11_mctx); -+ UNLOCK(&alloclock); -+ -+ LOCK(&sessionlock); +@@ -197,8 +197,6 @@ pk11_initialize(isc_mem_t *mctx, const char *engine) { + UNLOCK(&alloclock); if (initialized) { -- UNLOCK(&alloclock); -- return (ISC_R_SUCCESS); + goto unlock; - } else { -- LOCK(&sessionlock); -- initialized = ISC_TRUE; -- UNLOCK(&alloclock); -+ result = ISC_R_SUCCESS; -+ goto unlock; +- initialized = true; } ISC_LIST_INIT(tokens); -@@ -237,6 +236,7 @@ pk11_initialize(isc_mem_t *mctx, const char *engine) { +@@ -236,6 +234,7 @@ pk11_initialize(isc_mem_t *mctx, const char *engine) { + result = PK11_R_NOAESSERVICE; + goto unlock; } ++ initialized = true; #endif #endif /* PKCS11CRYPTO */ -+ initialized = ISC_TRUE; - result = ISC_R_SUCCESS; unlock: - UNLOCK(&sessionlock); -@@ -273,9 +273,14 @@ pk11_finalize(void) { - pk11_mem_put(token, sizeof(*token)); - token = next; - } -+ LOCK(&alloclock); - if (pk11_mctx != NULL) - isc_mem_detach(&pk11_mctx); -+ UNLOCK(&alloclock); -+ -+ LOCK(&sessionlock); - initialized = ISC_FALSE; -+ UNLOCK(&sessionlock); - return (ret); - } - -@@ -589,6 +594,8 @@ scan_slots(void) { +@@ -589,6 +588,8 @@ scan_slots(void) { pk11_token_t *token; unsigned int i; - isc_boolean_t bad; + bool bad; + unsigned int best_rsa_algorithms = 0; + unsigned int best_digest_algorithms = 0; slotCount = 0; PK11_FATALCHECK(pkcs_C_GetSlotList, (CK_FALSE, NULL_PTR, &slotCount)); -@@ -601,6 +608,8 @@ scan_slots(void) { +@@ -601,6 +602,8 @@ scan_slots(void) { PK11_FATALCHECK(pkcs_C_GetSlotList, (CK_FALSE, slotList, &slotCount)); for (i = 0; i < slotCount; i++) { 
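Review bot: In pk11_initialize, `initialized = true;` now sits immediately before an `#endif`, whereas the previous revision of this patch set the flag after `#endif /* PKCS11CRYPTO */`. If the conditional closed by that inner `#endif` is not compiled in, the flag would presumably never be set and every later call would redo the token setup. The early `goto unlock` for the already-initialized case also no longer shows `result = ISC_R_SUCCESS;`, so confirm the rebased source assigns `result` before that jump. I would keep the assignment outside the conditional blocks, on the success path directly before the `unlock:` label. Only fragments of pk11_initialize are visible in this hunk.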
@@ -1310,12 +1275,12 @@ index fc75a46154..48e1031974 100644 slot = slotList[i]; PK11_TRACE2("slot#%u=0x%lx\n", i, slot); -@@ -640,11 +649,12 @@ scan_slots(void) { +@@ -640,11 +643,12 @@ scan_slots(void) { if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0) || ((mechInfo.flags & CKF_VERIFY) == 0)) { -#if !defined(PK11_MD5_DISABLE) && !defined(PK11_RSA_PKCS_REPLACE) -- bad = ISC_TRUE; +- bad = true; -#endif PK11_TRACEM(CKM_MD5_RSA_PKCS); } @@ -1326,28 +1291,28 @@ index fc75a46154..48e1031974 100644 rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA1_RSA_PKCS, &mechInfo); if ((rv != CKR_OK) || -@@ -687,8 +697,14 @@ scan_slots(void) { +@@ -687,8 +691,14 @@ scan_slots(void) { if (bad) goto try_dsa; token->operations |= 1 << OP_RSA; - if (best_rsa_token == NULL) + if (best_rsa_token == NULL) { -+ best_rsa_token = token; + best_rsa_token = token; + best_rsa_algorithms = rsa_algorithms; + } else if (rsa_algorithms > best_rsa_algorithms) { + pk11_mem_put(best_rsa_token, sizeof(*best_rsa_token)); - best_rsa_token = token; ++ best_rsa_token = token; + best_rsa_algorithms = rsa_algorithms; + } try_dsa: - bad = ISC_FALSE; -@@ -756,11 +772,12 @@ scan_slots(void) { - bad = ISC_FALSE; + bad = false; +@@ -756,11 +766,12 @@ scan_slots(void) { + bad = false; rv = pkcs_C_GetMechanismInfo(slot, CKM_MD5, &mechInfo); if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) { -#ifndef PK11_MD5_DISABLE -- bad = ISC_TRUE; +- bad = true; -#endif PK11_TRACEM(CKM_MD5); } 
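Review bot: In scan_slots, the `else if (rsa_algorithms > best_rsa_algorithms)` branch calls `pk11_mem_put(best_rsa_token, sizeof(*best_rsa_token))` before pointing best_rsa_token at the new token. The hunk does not show whether each token is already linked into the `tokens` list, or whether the same token may also be held as digest_token at that point. If either holds, releasing it here leaves a dangling pointer for later teardown or session lookup to dereference. Unless the token is provably unowned elsewhere, I would drop the `pk11_mem_put` call and only reassign the pointer and the counter. The digest_token branch further down in the same patch has the same pattern, and scan_slots starts and ends outside this hunk.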
@@ -1357,13 +1322,13 @@ index fc75a46154..48e1031974 100644 +#endif rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA_1, &mechInfo); if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) { - bad = ISC_TRUE; -@@ -788,11 +805,12 @@ scan_slots(void) { + bad = true; +@@ -788,11 +799,12 @@ scan_slots(void) { } rv = pkcs_C_GetMechanismInfo(slot, CKM_MD5_HMAC, &mechInfo); if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0)) { -#if !defined(PK11_MD5_DISABLE) && !defined(PK11_MD5_HMAC_REPLACE) -- bad = ISC_TRUE; +- bad = true; -#endif PK11_TRACEM(CKM_MD5_HMAC); } @@ -1374,27 +1339,27 @@ index fc75a46154..48e1031974 100644 rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA_1_HMAC, &mechInfo); if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0)) { #ifndef PK11_SHA_1_HMAC_REPLACE -@@ -830,8 +848,14 @@ scan_slots(void) { +@@ -830,8 +842,14 @@ scan_slots(void) { } if (!bad) { token->operations |= 1 << OP_DIGEST; - if (digest_token == NULL) + if (digest_token == NULL) { -+ digest_token = token; + digest_token = token; + best_digest_algorithms = digest_algorithms; + } else if (digest_algorithms > best_digest_algorithms) { + pk11_mem_put(digest_token, sizeof(*digest_token)); - digest_token = token; ++ digest_token = token; + best_digest_algorithms = digest_algorithms; + } } /* ECDSA requires digest */ diff --git a/lib/isc/tests/hash_test.c b/lib/isc/tests/hash_test.c -index 18759903be..6bc45b1ad3 100644 +index 8f12342..7eb1552 100644 --- a/lib/isc/tests/hash_test.c +++ b/lib/isc/tests/hash_test.c -@@ -2008,7 +2008,8 @@ ATF_TP_ADD_TCS(tp) { +@@ -2009,7 +2009,8 @@ ATF_TP_ADD_TCS(tp) { * various cryptographic hashes. */ #ifndef PK11_MD5_DISABLE @@ -1404,7 +1369,7 @@ index 18759903be..6bc45b1ad3 100644 #endif ATF_TP_ADD_TC(tp, sha1_check); -@@ -2016,7 +2017,8 @@ ATF_TP_ADD_TCS(tp) { +@@ -2017,7 +2018,8 @@ ATF_TP_ADD_TCS(tp) { ATF_TP_ADD_TC(tp, isc_hash_function_reverse); ATF_TP_ADD_TC(tp, isc_hash_initializer); #ifndef PK11_MD5_DISABLE 
@@ -1414,7 +1379,7 @@ index 18759903be..6bc45b1ad3 100644 #endif ATF_TP_ADD_TC(tp, isc_hmacsha1); ATF_TP_ADD_TC(tp, isc_hmacsha224); -@@ -2024,7 +2026,8 @@ ATF_TP_ADD_TCS(tp) { +@@ -2025,7 +2027,8 @@ ATF_TP_ADD_TCS(tp) { ATF_TP_ADD_TC(tp, isc_hmacsha384); ATF_TP_ADD_TC(tp, isc_hmacsha512); #ifndef PK11_MD5_DISABLE @@ -1425,10 +1390,10 @@ index 18759903be..6bc45b1ad3 100644 ATF_TP_ADD_TC(tp, isc_sha1); ATF_TP_ADD_TC(tp, isc_sha224); diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c -index 7225ab4a37..42b30466be 100644 +index c2740cb..c314d76 100644 --- a/lib/isccc/cc.c +++ b/lib/isccc/cc.c -@@ -270,11 +270,15 @@ sign(unsigned char *data, unsigned int length, unsigned char *hmac, +@@ -272,11 +272,15 @@ sign(unsigned char *data, unsigned int length, unsigned char *hmac, switch (algorithm) { #ifndef PK11_MD5_DISABLE case ISCCC_ALG_HMACMD5: @@ -1449,14 +1414,14 @@ index 7225ab4a37..42b30466be 100644 break; #endif -@@ -348,14 +352,18 @@ isccc_cc_towire(isccc_sexpr_t *alist, isc_buffer_t **buffer, +@@ -350,14 +354,18 @@ isccc_cc_towire(isccc_sexpr_t *alist, isc_buffer_t **buffer, { unsigned int hmac_base, signed_base; isc_result_t result; -+ const isc_boolean_t md5 = ISC_TF(algorithm == ISCCC_ALG_HMACMD5); ++ const bool md5 = (algorithm == ISCCC_ALG_HMACMD5); #ifndef PK11_MD5_DISABLE -+ if (md5 && isc_md5_available() == ISC_FALSE) ++ if (md5 && !isc_md5_available()) + return (ISC_R_NOTIMPLEMENTED); + result = isc_buffer_reserve(buffer, @@ -1470,7 +1435,7 @@ index 7225ab4a37..42b30466be 100644 return (ISC_R_NOTIMPLEMENTED); result = isc_buffer_reserve(buffer, 4 + sizeof(auth_hsha)); #endif -@@ -374,7 +382,7 @@ isccc_cc_towire(isccc_sexpr_t *alist, isc_buffer_t **buffer, +@@ -376,7 +384,7 @@ isccc_cc_towire(isccc_sexpr_t *alist, isc_buffer_t **buffer, * we know what it is. */ #ifndef PK11_MD5_DISABLE 
@@ -1479,7 +1444,7 @@ index 7225ab4a37..42b30466be 100644 hmac_base = (*buffer)->used + HMD5_OFFSET; isc_buffer_putmem(*buffer, auth_hmd5, sizeof(auth_hmd5)); -@@ -440,7 +448,7 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length, +@@ -442,7 +450,7 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length, if (!isccc_alist_alistp(_auth)) return (ISC_R_FAILURE); #ifndef PK11_MD5_DISABLE @@ -1488,7 +1453,7 @@ index 7225ab4a37..42b30466be 100644 hmac = isccc_alist_lookup(_auth, "hmd5"); else #endif -@@ -455,12 +463,16 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length, +@@ -457,12 +465,16 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length, switch (algorithm) { #ifndef PK11_MD5_DISABLE case ISCCC_ALG_HMACMD5: diff --git a/bind-9.11-fips-tests.patch b/bind-9.11-fips-tests.patch index f7a998d..16d3b33 100644 --- a/bind-9.11-fips-tests.patch +++ b/bind-9.11-fips-tests.patch @@ -1,11 +1,13 @@ -From 35b53607724ec4b5d4060385218c39ccd0d78a4d Mon Sep 17 00:00:00 2001 +From 07876a60a9c2537f536901b214349d67f6b25666 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Thu, 2 Aug 2018 23:46:45 +0200 -Subject: [PATCH 2/2] Squashed commit of the following: +Subject: [PATCH] FIPS tests changes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit +Squashed commit of the following: + commit 09e5eb48698d4fef2fc1031870de86c553b6bfaa Author: Petr Menšík Date: Wed Mar 7 20:35:13 2018 +0100 @@ -108,7 +110,7 @@ Date: Wed Mar 7 10:44:23 2018 +0100 create mode 100644 bin/tests/system/tsig/ns1/rndc5.conf.in diff --git a/bin/tests/system/acl/ns2/named1.conf.in b/bin/tests/system/acl/ns2/named1.conf.in -index 0ea6502708..026db3f134 100644 +index 0ea6502..026db3f 100644 --- a/bin/tests/system/acl/ns2/named1.conf.in +++ b/bin/tests/system/acl/ns2/named1.conf.in @@ -33,12 +33,12 @@ options { @@ -127,7 +129,7 @@ index 0ea6502708..026db3f134 100644 }; 
diff --git a/bin/tests/system/acl/ns2/named2.conf.in b/bin/tests/system/acl/ns2/named2.conf.in -index b877880554..d8f50be255 100644 +index b877880..d8f50be 100644 --- a/bin/tests/system/acl/ns2/named2.conf.in +++ b/bin/tests/system/acl/ns2/named2.conf.in @@ -33,12 +33,12 @@ options { @@ -146,7 +148,7 @@ index b877880554..d8f50be255 100644 }; diff --git a/bin/tests/system/acl/ns2/named3.conf.in b/bin/tests/system/acl/ns2/named3.conf.in -index 0a950622a2..aa54088138 100644 +index 0a95062..aa54088 100644 --- a/bin/tests/system/acl/ns2/named3.conf.in +++ b/bin/tests/system/acl/ns2/named3.conf.in @@ -33,17 +33,17 @@ options { @@ -171,7 +173,7 @@ index 0a950622a2..aa54088138 100644 }; diff --git a/bin/tests/system/acl/ns2/named4.conf.in b/bin/tests/system/acl/ns2/named4.conf.in -index 7cdcb6e341..606a3452d8 100644 +index 7cdcb6e..606a345 100644 --- a/bin/tests/system/acl/ns2/named4.conf.in +++ b/bin/tests/system/acl/ns2/named4.conf.in @@ -33,12 +33,12 @@ options { @@ -190,7 +192,7 @@ index 7cdcb6e341..606a3452d8 100644 }; diff --git a/bin/tests/system/acl/ns2/named5.conf.in b/bin/tests/system/acl/ns2/named5.conf.in -index 4b4e05027a..0e679a821d 100644 +index 4b4e050..0e679a8 100644 --- a/bin/tests/system/acl/ns2/named5.conf.in +++ b/bin/tests/system/acl/ns2/named5.conf.in @@ -34,12 +34,12 @@ options { @@ -209,7 +211,7 @@ index 4b4e05027a..0e679a821d 100644 }; diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh -index 09f31f2bb9..f88f0d4430 100644 +index 09f31f2..f88f0d4 100644 --- a/bin/tests/system/acl/tests.sh +++ b/bin/tests/system/acl/tests.sh @@ -22,14 +22,14 @@ echo_i "testing basic ACL processing" @@ -335,7 +337,7 @@ index 09f31f2bb9..f88f0d4430 100644 echo_i "testing allow-query-on ACL processing" diff --git a/bin/tests/system/allow-query/ns2/named10.conf.in b/bin/tests/system/allow-query/ns2/named10.conf.in -index 1569913b37..e9c5c2d574 100644 +index 1569913..e9c5c2d 100644 --- a/bin/tests/system/allow-query/ns2/named10.conf.in 
+++ b/bin/tests/system/allow-query/ns2/named10.conf.in @@ -12,7 +12,7 @@ @@ -348,7 +350,7 @@ index 1569913b37..e9c5c2d574 100644 }; diff --git a/bin/tests/system/allow-query/ns2/named11.conf.in b/bin/tests/system/allow-query/ns2/named11.conf.in -index 18ac91c6e7..2b1c8739d8 100644 +index 18ac91c..2b1c873 100644 --- a/bin/tests/system/allow-query/ns2/named11.conf.in +++ b/bin/tests/system/allow-query/ns2/named11.conf.in @@ -12,12 +12,12 @@ @@ -367,7 +369,7 @@ index 18ac91c6e7..2b1c8739d8 100644 }; diff --git a/bin/tests/system/allow-query/ns2/named12.conf.in b/bin/tests/system/allow-query/ns2/named12.conf.in -index b8248444dd..dd48945bf8 100644 +index b824844..dd48945 100644 --- a/bin/tests/system/allow-query/ns2/named12.conf.in +++ b/bin/tests/system/allow-query/ns2/named12.conf.in @@ -12,7 +12,7 @@ @@ -380,7 +382,7 @@ index b8248444dd..dd48945bf8 100644 }; diff --git a/bin/tests/system/allow-query/ns2/named30.conf.in b/bin/tests/system/allow-query/ns2/named30.conf.in -index aeb1540e95..bfce58bddd 100644 +index aeb1540..bfce58b 100644 --- a/bin/tests/system/allow-query/ns2/named30.conf.in +++ b/bin/tests/system/allow-query/ns2/named30.conf.in @@ -12,7 +12,7 @@ @@ -393,7 +395,7 @@ index aeb1540e95..bfce58bddd 100644 }; diff --git a/bin/tests/system/allow-query/ns2/named31.conf.in b/bin/tests/system/allow-query/ns2/named31.conf.in -index d4b743281a..e0f52526ba 100644 +index d4b7432..e0f5252 100644 --- a/bin/tests/system/allow-query/ns2/named31.conf.in +++ b/bin/tests/system/allow-query/ns2/named31.conf.in @@ -12,12 +12,12 @@ @@ -412,7 +414,7 @@ index d4b743281a..e0f52526ba 100644 }; diff --git a/bin/tests/system/allow-query/ns2/named32.conf.in b/bin/tests/system/allow-query/ns2/named32.conf.in -index c0259387e7..87afb3fa3a 100644 +index c025938..87afb3f 100644 --- a/bin/tests/system/allow-query/ns2/named32.conf.in +++ b/bin/tests/system/allow-query/ns2/named32.conf.in @@ -12,7 +12,7 @@ @@ -425,7 +427,7 @@ index c0259387e7..87afb3fa3a 100644 }; 
diff --git a/bin/tests/system/allow-query/ns2/named40.conf.in b/bin/tests/system/allow-query/ns2/named40.conf.in -index d83b376cfd..d726b9480b 100644 +index d83b376..d726b94 100644 --- a/bin/tests/system/allow-query/ns2/named40.conf.in +++ b/bin/tests/system/allow-query/ns2/named40.conf.in @@ -16,12 +16,12 @@ acl accept { 10.53.0.2; }; @@ -444,7 +446,7 @@ index d83b376cfd..d726b9480b 100644 }; diff --git a/bin/tests/system/allow-query/tests.sh b/bin/tests/system/allow-query/tests.sh -index fb6059d5b8..f9601564a2 100644 +index fb6059d..f960156 100644 --- a/bin/tests/system/allow-query/tests.sh +++ b/bin/tests/system/allow-query/tests.sh @@ -190,7 +190,7 @@ rndc_reload @@ -529,7 +531,7 @@ index fb6059d5b8..f9601564a2 100644 grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi diff --git a/bin/tests/system/catz/ns1/named.conf.in b/bin/tests/system/catz/ns1/named.conf.in -index 74b7d371b7..c35376640d 100644 +index 74b7d37..c353766 100644 --- a/bin/tests/system/catz/ns1/named.conf.in +++ b/bin/tests/system/catz/ns1/named.conf.in @@ -61,5 +61,5 @@ zone "catalog4.example" { @@ -540,7 +542,7 @@ index 74b7d371b7..c35376640d 100644 + algorithm hmac-sha256; }; diff --git a/bin/tests/system/catz/ns2/named.conf.in b/bin/tests/system/catz/ns2/named.conf.in -index ee83efbee4..35ced08842 100644 +index ee83efb..35ced08 100644 --- a/bin/tests/system/catz/ns2/named.conf.in +++ b/bin/tests/system/catz/ns2/named.conf.in @@ -70,5 +70,5 @@ zone "catalog4.example" { @@ -551,7 +553,7 @@ index ee83efbee4..35ced08842 100644 + algorithm hmac-sha256; }; diff --git a/bin/tests/system/checkconf/bad-tsig.conf b/bin/tests/system/checkconf/bad-tsig.conf -index 21be03e9d2..e57c30875c 100644 +index 21be03e..e57c308 100644 --- a/bin/tests/system/checkconf/bad-tsig.conf +++ b/bin/tests/system/checkconf/bad-tsig.conf @@ -11,7 +11,7 @@ @@ -564,7 +566,7 @@ index 21be03e9d2..e57c30875c 100644 }; 
diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf -index 9ab35b38a5..486551ae64 100644 +index 9ab35b3..486551a 100644 --- a/bin/tests/system/checkconf/good.conf +++ b/bin/tests/system/checkconf/good.conf @@ -153,6 +153,6 @@ dyndb "name" "library.so" { @@ -576,7 +578,7 @@ index 9ab35b38a5..486551ae64 100644 secret "qwertyuiopasdfgh"; }; diff --git a/bin/tests/system/digdelv/ns2/example.db b/bin/tests/system/digdelv/ns2/example.db -index f4e30f51e5..9f53e31c97 100644 +index f4e30f5..9f53e31 100644 --- a/bin/tests/system/digdelv/ns2/example.db +++ b/bin/tests/system/digdelv/ns2/example.db @@ -38,12 +38,15 @@ foo SSHFP 2 1 123456789abcdef67890123456789abcdef67890 @@ -602,10 +604,10 @@ index f4e30f51e5..9f53e31c97 100644 ; TTL of 3 weeks weeks 1814400 A 10.53.0.2 diff --git a/bin/tests/system/digdelv/tests.sh b/bin/tests/system/digdelv/tests.sh -index 1b25c4ddfc..5dbf20a3e1 100644 +index 95bd074..b566ecb 100644 --- a/bin/tests/system/digdelv/tests.sh +++ b/bin/tests/system/digdelv/tests.sh -@@ -62,7 +62,7 @@ if [ -x ${DIG} ] ; then +@@ -61,7 +61,7 @@ if [ -x ${DIG} ] ; then echo_i "checking dig +multi +norrcomments works for dnskey (when default is rrcomments)($n)" ret=0 $DIG $DIGOPTS +tcp @10.53.0.3 +multi +norrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1 @@ -614,7 +616,7 @@ index 1b25c4ddfc..5dbf20a3e1 100644 if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` -@@ -70,7 +70,7 @@ if [ -x ${DIG} ] ; then +@@ -69,7 +69,7 @@ if [ -x ${DIG} ] ; then echo_i "checking dig +multi +norrcomments works for soa (when default is rrcomments)($n)" ret=0 $DIG $DIGOPTS +tcp @10.53.0.3 +multi +norrcomments SOA example > dig.out.test$n || ret=1 
@@ -623,7 +625,7 @@ index 1b25c4ddfc..5dbf20a3e1 100644 if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` -@@ -78,7 +78,7 @@ if [ -x ${DIG} ] ; then +@@ -77,7 +77,7 @@ if [ -x ${DIG} ] ; then echo_i "checking dig +rrcomments works for DNSKEY($n)" ret=0 $DIG $DIGOPTS +tcp @10.53.0.3 +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1 @@ -632,7 +634,7 @@ index 1b25c4ddfc..5dbf20a3e1 100644 if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` -@@ -86,7 +86,7 @@ if [ -x ${DIG} ] ; then +@@ -85,7 +85,7 @@ if [ -x ${DIG} ] ; then echo_i "checking dig +short +rrcomments works for DNSKEY ($n)" ret=0 $DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1 @@ -641,7 +643,7 @@ index 1b25c4ddfc..5dbf20a3e1 100644 if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` -@@ -94,7 +94,7 @@ if [ -x ${DIG} ] ; then +@@ -93,7 +93,7 @@ if [ -x ${DIG} ] ; then echo_i "checking dig +short +nosplit works($n)" ret=0 $DIG $DIGOPTS +tcp @10.53.0.3 +short +nosplit DNSKEY dnskey.example > dig.out.test$n || ret=1 @@ -650,7 +652,7 @@ index 1b25c4ddfc..5dbf20a3e1 100644 if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` -@@ -102,7 +102,7 @@ if [ -x ${DIG} ] ; then +@@ -101,7 +101,7 @@ if [ -x ${DIG} ] ; then echo_i "checking dig +short +rrcomments works($n)" ret=0 $DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1 @@ -659,7 +661,7 @@ index 1b25c4ddfc..5dbf20a3e1 100644 if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` -@@ -118,7 +118,7 @@ if [ -x ${DIG} ] ; then +@@ -117,7 +117,7 @@ if [ -x ${DIG} ] ; then echo_i "checking dig +short +rrcomments works($n)" ret=0 $DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1 
@@ -668,7 +670,7 @@ index 1b25c4ddfc..5dbf20a3e1 100644 if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` -@@ -543,7 +543,7 @@ if [ -x ${DELV} ] ; then +@@ -555,7 +555,7 @@ if [ -x ${DELV} ] ; then echo_i "checking delv +multi +norrcomments works for dnskey (when default is rrcomments)($n)" ret=0 $DELV $DELVOPTS +tcp @10.53.0.3 +multi +norrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1 @@ -677,7 +679,7 @@ index 1b25c4ddfc..5dbf20a3e1 100644 if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` -@@ -551,7 +551,7 @@ if [ -x ${DELV} ] ; then +@@ -563,7 +563,7 @@ if [ -x ${DELV} ] ; then echo_i "checking delv +multi +norrcomments works for soa (when default is rrcomments)($n)" ret=0 $DELV $DELVOPTS +tcp @10.53.0.3 +multi +norrcomments SOA example > delv.out.test$n || ret=1 @@ -686,7 +688,7 @@ index 1b25c4ddfc..5dbf20a3e1 100644 if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` -@@ -559,7 +559,7 @@ if [ -x ${DELV} ] ; then +@@ -571,7 +571,7 @@ if [ -x ${DELV} ] ; then echo_i "checking delv +rrcomments works for DNSKEY($n)" ret=0 $DELV $DELVOPTS +tcp @10.53.0.3 +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1 @@ -695,7 +697,7 @@ index 1b25c4ddfc..5dbf20a3e1 100644 if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` -@@ -567,7 +567,7 @@ if [ -x ${DELV} ] ; then +@@ -579,7 +579,7 @@ if [ -x ${DELV} ] ; then echo_i "checking delv +short +rrcomments works for DNSKEY ($n)" ret=0 $DELV $DELVOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1 @@ -704,7 +706,7 @@ index 1b25c4ddfc..5dbf20a3e1 100644 if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` -@@ -575,7 +575,7 @@ if [ -x ${DELV} ] ; then +@@ -587,7 +587,7 @@ if [ -x ${DELV} ] ; then echo_i "checking delv +short +rrcomments works ($n)" ret=0 $DELV $DELVOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1 
@@ -713,7 +715,7 @@ index 1b25c4ddfc..5dbf20a3e1 100644 if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` -@@ -583,7 +583,7 @@ if [ -x ${DELV} ] ; then +@@ -595,7 +595,7 @@ if [ -x ${DELV} ] ; then echo_i "checking delv +short +nosplit works ($n)" ret=0 $DELV $DELVOPTS +tcp @10.53.0.3 +short +nosplit DNSKEY dnskey.example > delv.out.test$n || ret=1 @@ -722,7 +724,7 @@ index 1b25c4ddfc..5dbf20a3e1 100644 if test `wc -l < delv.out.test$n` != 1 ; then ret=1 ; fi f=`awk '{print NF}' < delv.out.test$n` test "${f:-0}" -eq 14 || ret=1 -@@ -594,7 +594,7 @@ if [ -x ${DELV} ] ; then +@@ -606,7 +606,7 @@ if [ -x ${DELV} ] ; then echo_i "checking delv +short +nosplit +norrcomments works ($n)" ret=0 $DELV $DELVOPTS +tcp @10.53.0.3 +short +nosplit +norrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1 @@ -732,7 +734,7 @@ index 1b25c4ddfc..5dbf20a3e1 100644 f=`awk '{print NF}' < delv.out.test$n` test "${f:-0}" -eq 4 || ret=1 diff --git a/bin/tests/system/dlv/ns1/sign.sh b/bin/tests/system/dlv/ns1/sign.sh -index b8151620cc..2a62e583b8 100755 +index b815162..2a62e58 100755 --- a/bin/tests/system/dlv/ns1/sign.sh +++ b/bin/tests/system/dlv/ns1/sign.sh @@ -23,8 +23,8 @@ infile=root.db.in @@ -747,7 +749,7 @@ index b8151620cc..2a62e583b8 100755 cat $infile $keyname1.key $keyname2.key >$zonefile diff --git a/bin/tests/system/dlv/ns2/sign.sh b/bin/tests/system/dlv/ns2/sign.sh -index 6f84d7a525..e128303a22 100755 +index 6f84d7a..e128303 100755 --- a/bin/tests/system/dlv/ns2/sign.sh +++ b/bin/tests/system/dlv/ns2/sign.sh @@ -24,8 +24,8 @@ zonefile=druz.db @@ -762,7 +764,7 @@ index 6f84d7a525..e128303a22 100755 cat $infile $keyname1.key $keyname2.key >$zonefile diff --git a/bin/tests/system/dlv/ns3/sign.sh b/bin/tests/system/dlv/ns3/sign.sh -index bcc9922e26..846dbcc0df 100755 +index bcc9922..846dbcc 100755 --- a/bin/tests/system/dlv/ns3/sign.sh +++ b/bin/tests/system/dlv/ns3/sign.sh @@ -19,6 +19,7 @@ echo_i "dlv/ns3/sign.sh" 
@@ -961,7 +963,7 @@ index bcc9922e26..846dbcc0df 100755 cat $infile $dlvsets $keyname1.key $keyname2.key >$zonefile diff --git a/bin/tests/system/dlv/ns6/sign.sh b/bin/tests/system/dlv/ns6/sign.sh -index 1e398625f1..4ed19acd1f 100755 +index 1e39862..4ed19ac 100755 --- a/bin/tests/system/dlv/ns6/sign.sh +++ b/bin/tests/system/dlv/ns6/sign.sh @@ -16,13 +16,15 @@ SYSTESTDIR=dlv @@ -1148,7 +1150,7 @@ index 1e398625f1..4ed19acd1f 100755 cat $infile $keyname1.key $keyname2.key >$zonefile diff --git a/bin/tests/system/dnssec/ns1/sign.sh b/bin/tests/system/dnssec/ns1/sign.sh -index 198d60ae15..d89a539ffd 100644 +index 198d60a..d89a539 100644 --- a/bin/tests/system/dnssec/ns1/sign.sh +++ b/bin/tests/system/dnssec/ns1/sign.sh @@ -27,7 +27,7 @@ cp ../ns2/dsset-in-addr.arpa$TP . @@ -1169,7 +1171,7 @@ index 198d60ae15..d89a539ffd 100644 keyid=`expr $keyid + 0` echo "$keyid" > managed.key.id diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh -index 9078459ac8..9dcd028eb5 100644 +index 9078459..9dcd028 100644 --- a/bin/tests/system/dnssec/ns2/sign.sh +++ b/bin/tests/system/dnssec/ns2/sign.sh @@ -29,8 +29,8 @@ do @@ -1213,7 +1215,7 @@ index 9078459ac8..9dcd028eb5 100644 cat $dlvinfile $dlvkeyname.key $dlvsetfile > $dlvzonefile diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh -index 330abf7feb..f95a6b7ea8 100644 +index 330abf7..f95a6b7 100644 --- a/bin/tests/system/dnssec/ns3/sign.sh +++ b/bin/tests/system/dnssec/ns3/sign.sh @@ -28,7 +28,7 @@ zone=bogus.example. @@ -1300,7 +1302,7 @@ index 330abf7feb..f95a6b7ea8 100644 cat $infile $keyname.key >$zonefile diff --git a/bin/tests/system/dnssec/ns5/trusted.conf.bad b/bin/tests/system/dnssec/ns5/trusted.conf.bad -index ed30460bda..e6b112630e 100644 +index ed30460..e6b1126 100644 --- a/bin/tests/system/dnssec/ns5/trusted.conf.bad +++ b/bin/tests/system/dnssec/ns5/trusted.conf.bad @@ -10,5 +10,5 @@ 
@@ -1311,7 +1313,7 @@ index ed30460bda..e6b112630e 100644 + "." 256 3 8 "AwEAAarwAdjV4gIhpBCjXVAScRFEx3co7k8smJdxrnqoGsl5NB7EZ9jRdgvCXbJn6v8y9jlNWVHvaC8ilhfhLh0A1vLWiWv4ijd/12xcnrY7xpG7Cu3YkxUxaXJ7Jdg/Iw1+9mGgXF1v4UbCIcw/3U3cxyk7OxYg+VSb5KBAQSR0upxV"; }; diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh -index bb2315fbf3..315666825e 100644 +index bb2315f..3156668 100644 --- a/bin/tests/system/dnssec/tests.sh +++ b/bin/tests/system/dnssec/tests.sh @@ -1690,7 +1690,7 @@ ret=0 @@ -1344,7 +1346,7 @@ index bb2315fbf3..315666825e 100644 8) size="-b 512";; 10) size="-b 1024";; diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c -index 9612450ab4..5eee6aa4f8 100644 +index 9612450..5eee6aa 100644 --- a/bin/tests/system/feature-test.c +++ b/bin/tests/system/feature-test.c @@ -19,6 +19,7 @@ @@ -1383,7 +1385,7 @@ index 9612450ab4..5eee6aa4f8 100644 #ifdef ENABLE_RPZ_NSIP return (0); diff --git a/bin/tests/system/filter-aaaa/ns1/sign.sh b/bin/tests/system/filter-aaaa/ns1/sign.sh -index f7555810a0..4a7d89004a 100755 +index f755581..4a7d890 100755 --- a/bin/tests/system/filter-aaaa/ns1/sign.sh +++ b/bin/tests/system/filter-aaaa/ns1/sign.sh @@ -21,8 +21,8 @@ infile=signed.db.in @@ -1398,7 +1400,7 @@ index f7555810a0..4a7d89004a 100755 cat $infile $keyname1.key $keyname2.key >$zonefile diff --git a/bin/tests/system/filter-aaaa/ns4/sign.sh b/bin/tests/system/filter-aaaa/ns4/sign.sh -index f7555810a0..4a7d89004a 100755 +index f755581..4a7d890 100755 --- a/bin/tests/system/filter-aaaa/ns4/sign.sh +++ b/bin/tests/system/filter-aaaa/ns4/sign.sh @@ -21,8 +21,8 @@ infile=signed.db.in @@ -1413,7 +1415,7 @@ index f7555810a0..4a7d89004a 100755 cat $infile $keyname1.key $keyname2.key >$zonefile diff --git a/bin/tests/system/notify/ns5/named.conf.in b/bin/tests/system/notify/ns5/named.conf.in -index cfcfe8fa2f..0a1614d527 100644 +index cfcfe8f..0a1614d 100644 --- a/bin/tests/system/notify/ns5/named.conf.in 
+++ b/bin/tests/system/notify/ns5/named.conf.in @@ -10,17 +10,17 @@ @@ -1438,7 +1440,7 @@ index cfcfe8fa2f..0a1614d527 100644 }; diff --git a/bin/tests/system/notify/tests.sh b/bin/tests/system/notify/tests.sh -index ad20e3eaca..5a9ce4688a 100644 +index ad20e3e..5a9ce46 100644 --- a/bin/tests/system/notify/tests.sh +++ b/bin/tests/system/notify/tests.sh @@ -186,16 +186,16 @@ ret=0 @@ -1462,7 +1464,7 @@ index ad20e3eaca..5a9ce4688a 100644 grep "test string" dig.out.b.ns5.test$n > /dev/null && grep "test string" dig.out.c.ns5.test$n > /dev/null && diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in -index 1d999adc39..26b6b7c9ab 100644 +index 1d999ad..26b6b7c 100644 --- a/bin/tests/system/nsupdate/ns1/named.conf.in +++ b/bin/tests/system/nsupdate/ns1/named.conf.in @@ -32,7 +32,7 @@ controls { @@ -1475,7 +1477,7 @@ index 1d999adc39..26b6b7c9ab 100644 }; diff --git a/bin/tests/system/nsupdate/ns2/named.conf.in b/bin/tests/system/nsupdate/ns2/named.conf.in -index b4ecf96668..1adb33eb0b 100644 +index b4ecf96..1adb33e 100644 --- a/bin/tests/system/nsupdate/ns2/named.conf.in +++ b/bin/tests/system/nsupdate/ns2/named.conf.in @@ -24,7 +24,7 @@ options { @@ -1488,10 +1490,10 @@ index b4ecf96668..1adb33eb0b 100644 }; diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh -index 32674eb382..2331b30b00 100644 +index d6647fa..715314b 100644 --- a/bin/tests/system/nsupdate/setup.sh +++ b/bin/tests/system/nsupdate/setup.sh -@@ -59,7 +59,12 @@ EOF +@@ -63,7 +63,12 @@ EOF $DDNSCONFGEN -q -r $RANDFILE -z example.nil > ns1/ddns.key @@ -1506,10 +1508,10 @@ index 32674eb382..2331b30b00 100644 $DDNSCONFGEN -q -r $RANDFILE -a hmac-sha224 -k sha224-key -z keytests.nil > ns1/sha224.key $DDNSCONFGEN -q -r $RANDFILE -a hmac-sha256 -k sha256-key -z keytests.nil > ns1/sha256.key 
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh -index 2a01d1e46d..e8659587c3 100755 +index 9f26572..fd0383f 100755 --- a/bin/tests/system/nsupdate/tests.sh +++ b/bin/tests/system/nsupdate/tests.sh -@@ -680,7 +680,14 @@ fi +@@ -700,7 +700,14 @@ fi n=`expr $n + 1` ret=0 echo_i "check TSIG key algorithms ($n)" @@ -1525,7 +1527,7 @@ index 2a01d1e46d..e8659587c3 100755 $NSUPDATE -k ns1/${alg}.key < /dev/null || ret=1 server 10.53.0.1 ${PORT} update add ${alg}.keytests.nil. 600 A 10.10.10.3 -@@ -688,7 +695,7 @@ send +@@ -708,7 +715,7 @@ send END done sleep 2 @@ -1535,7 +1537,7 @@ index 2a01d1e46d..e8659587c3 100755 done if [ $ret -ne 0 ]; then diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh -index 850c4d2744..09a3e0f9ad 100644 +index 850c4d2..09a3e0f 100644 --- a/bin/tests/system/rndc/setup.sh +++ b/bin/tests/system/rndc/setup.sh @@ -37,7 +37,7 @@ make_key () { @@ -1548,7 +1550,7 @@ index 850c4d2744..09a3e0f9ad 100644 make_key 3 ${EXTRAPORT3} hmac-sha224 make_key 4 ${EXTRAPORT4} hmac-sha256 diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh -index d364e6fea0..dbf3bc6780 100644 +index 647730e..7df752d 100644 --- a/bin/tests/system/rndc/tests.sh +++ b/bin/tests/system/rndc/tests.sh @@ -356,15 +356,20 @@ if [ $ret != 0 ]; then echo_i "failed"; fi @@ -1582,7 +1584,7 @@ index d364e6fea0..dbf3bc6780 100644 n=`expr $n + 1` echo_i "testing rndc with hmac-sha1 ($n)" diff --git a/bin/tests/system/tsig/clean.sh b/bin/tests/system/tsig/clean.sh -index 576ec70f76..cb7a852189 100644 +index 576ec70..cb7a852 100644 --- a/bin/tests/system/tsig/clean.sh +++ b/bin/tests/system/tsig/clean.sh @@ -20,3 +20,4 @@ rm -f */named.run @@ -1591,7 +1593,7 @@ index 576ec70f76..cb7a852189 100644 rm -f keygen.out? +rm -f ns1/named.conf diff --git a/bin/tests/system/tsig/ns1/named.conf.in b/bin/tests/system/tsig/ns1/named.conf.in -index fbf30c6dc4..f61657d7cf 100644 +index fbf30c6..f61657d 100644 
--- a/bin/tests/system/tsig/ns1/named.conf.in +++ b/bin/tests/system/tsig/ns1/named.conf.in @@ -21,10 +21,7 @@ options { @@ -1620,7 +1622,7 @@ index fbf30c6dc4..f61657d7cf 100644 secret "FrSt77yPTFx6hTs4i2tKLB9LmE0="; diff --git a/bin/tests/system/tsig/ns1/rndc5.conf.in b/bin/tests/system/tsig/ns1/rndc5.conf.in new file mode 100644 -index 0000000000..4117830adb +index 0000000..4117830 --- /dev/null +++ b/bin/tests/system/tsig/ns1/rndc5.conf.in @@ -0,0 +1,11 @@ @@ -1636,7 +1638,7 @@ index 0000000000..4117830adb +}; + diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh -index 656e9bbcd8..628c5bbac1 100644 +index 656e9bb..628c5bb 100644 --- a/bin/tests/system/tsig/setup.sh +++ b/bin/tests/system/tsig/setup.sh @@ -17,3 +17,7 @@ $SHELL clean.sh @@ -1648,7 +1650,7 @@ index 656e9bbcd8..628c5bbac1 100644 + cat ns1/rndc5.conf.in >> ns1/named.conf +fi diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh -index f731fa604c..cade35bc1d 100644 +index f731fa6..cade35b 100644 --- a/bin/tests/system/tsig/tests.sh +++ b/bin/tests/system/tsig/tests.sh @@ -26,20 +26,25 @@ sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f @@ -1740,7 +1742,7 @@ index f731fa604c..cade35bc1d 100644 echo_i "fetching using hmac-sha1-80 (BADTRUNC)" diff --git a/bin/tests/system/tsiggss/setup.sh b/bin/tests/system/tsiggss/setup.sh -index 5da33cfde0..fb108b02bd 100644 +index 5da33cf..fb108b0 100644 --- a/bin/tests/system/tsiggss/setup.sh +++ b/bin/tests/system/tsiggss/setup.sh @@ -18,5 +18,5 @@ test -r $RANDFILE || $GENRANDOM 400 $RANDFILE @@ -1751,7 +1753,7 @@ index 5da33cfde0..fb108b02bd 100644 +key=`$KEYGEN -Cq -K ns1 -a DSA -b 1024 -r $RANDFILE -n HOST -T KEY key.example.nil.` cat ns1/example.nil.db.in ns1/${key}.key > ns1/example.nil.db diff --git a/bin/tests/system/upforwd/ns1/named.conf.in b/bin/tests/system/upforwd/ns1/named.conf.in -index e0a30cda15..6a77b1ce52 100644 +index e0a30cd..6a77b1c 100644 
--- a/bin/tests/system/upforwd/ns1/named.conf.in +++ b/bin/tests/system/upforwd/ns1/named.conf.in @@ -10,7 +10,7 @@ @@ -1764,7 +1766,7 @@ index e0a30cda15..6a77b1ce52 100644 }; diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh -index b0694bbd5c..9adae8228e 100644 +index b0694bb..9adae82 100644 --- a/bin/tests/system/upforwd/tests.sh +++ b/bin/tests/system/upforwd/tests.sh @@ -68,7 +68,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi diff --git a/bind-9.11-host-idn-disable.patch b/bind-9.11-host-idn-disable.patch index 434c596..7d52964 100644 --- a/bind-9.11-host-idn-disable.patch +++ b/bind-9.11-host-idn-disable.patch @@ -1,4 +1,4 @@ -From 145fac914bf47128307aea702fed7eb74b65cadd Mon Sep 17 00:00:00 2001 +From ed26f0f0eb4242706d2012e4abe0152071bb305b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Tue, 25 Sep 2018 18:08:46 +0200 Subject: [PATCH] Disable IDN from environment as documented @@ -18,7 +18,7 @@ RH patch since RHEL 5. 4 files changed, 26 insertions(+), 4 deletions(-) diff --git a/bin/dig/dig.docbook b/bin/dig/dig.docbook -index fedd288..d5dba72 100644 +index bd7510e..5cc696f 100644 --- a/bin/dig/dig.docbook +++ b/bin/dig/dig.docbook @@ -1288,7 +1288,9 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr @@ -33,28 +33,28 @@ index fedd288..d5dba72 100644 diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c -index 7408193..d46379d 100644 +index 341ed80..bb8702c 100644 --- a/bin/dig/dighost.c 
+++ b/bin/dig/dighost.c -@@ -822,12 +822,17 @@ make_empty_lookup(void) { - looknew->seenbadcookie = ISC_FALSE; - looknew->badcookie = ISC_TRUE; +@@ -825,12 +825,17 @@ make_empty_lookup(void) { + looknew->seenbadcookie = false; + looknew->badcookie = true; #ifdef WITH_IDN_SUPPORT -- looknew->idnin = ISC_TRUE; +- looknew->idnin = true; + looknew->idnin = (getenv("IDN_DISABLE") == NULL); + if (looknew->idnin) { + const char *charset = getenv("CHARSET"); + if (charset && !strcmp(charset, "ASCII")) -+ looknew->idnin = ISC_FALSE; ++ looknew->idnin = false; + } #else - looknew->idnin = ISC_FALSE; + looknew->idnin = false; #endif #ifdef WITH_IDN_OUT_SUPPORT -- looknew->idnout = ISC_TRUE; +- looknew->idnout = true; + looknew->idnout = looknew->idnin; #else - looknew->idnout = ISC_FALSE; + looknew->idnout = false; #endif diff --git a/bin/dig/host.docbook b/bin/dig/host.docbook index 9c3aeaa..42cbbf9 100644 diff --git a/bind-9.11-kyua-pkcs11.patch b/bind-9.11-kyua-pkcs11.patch index ab21828..1b83800 100644 --- a/bind-9.11-kyua-pkcs11.patch +++ b/bind-9.11-kyua-pkcs11.patch @@ -1,4 +1,4 @@ -From d0433a314534e104f52acf2a0a96a68dd84305ae Mon Sep 17 00:00:00 2001 +From 3474d13bbf08c441783bd72afbc8cec8857baf46 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Tue, 2 Jan 2018 18:13:07 +0100 Subject: [PATCH] Fix pkcs11 variants atf tests @@ -17,10 +17,10 @@ Add pkcs11 Kyuafile, fix dh_test to pass in pkcs11 mode 7 files changed, 40 insertions(+), 16 deletions(-) diff --git a/configure.in b/configure.in -index 67b3aab..4767eeb 100644 +index 1edafd1..5466de1 100644 --- a/configure.in +++ b/configure.in -@@ -5579,6 +5579,7 @@ AC_CONFIG_FILES([ +@@ -5489,6 +5489,7 @@ AC_CONFIG_FILES([ lib/dns-pkcs11/include/Makefile lib/dns-pkcs11/include/dns/Makefile lib/dns-pkcs11/include/dst/Makefile @@ -57,10 +57,10 @@ index ff9fc56..eaaf0dc 100644 include('isccfg/Kyuafile') include('lwres/Kyuafile') 
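Review bot: `looknew->idnin = (getenv("IDN_DISABLE") == NULL);` in the dighost.c part of this hunk tests only whether the variable is present, so `IDN_DISABLE=0` or an empty value turns IDN off just as `IDN_DISABLE=1` does, and nothing next to the assignment says so. I would add `/* IDN_DISABLE: presence alone disables IDN, whatever the value; CHARSET=ASCII has the same effect */` above it. It is also worth one line noting that `idnout` now copies `idnin`, so input and output conversion are switched together. The body of make_empty_lookup() continues outside the hunk.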
diff --git a/lib/dns-pkcs11/tests/Makefile.in b/lib/dns-pkcs11/tests/Makefile.in -index 2a6571b..f25a784 100644 +index 625e809..6fd4e36 100644 --- a/lib/dns-pkcs11/tests/Makefile.in +++ b/lib/dns-pkcs11/tests/Makefile.in -@@ -20,12 +20,12 @@ VERSION=@BIND9_VERSION@ +@@ -21,12 +21,12 @@ VERSION=@BIND9_VERSION@ CINCLUDES = -I. -Iinclude ${DNS_INCLUDES} ${ISC_INCLUDES} \ @DST_OPENSSL_INC@ @@ -79,10 +79,10 @@ index 2a6571b..f25a784 100644 LIBS = @LIBS@ @ATFLIBS@ diff --git a/lib/dns-pkcs11/tests/dh_test.c b/lib/dns-pkcs11/tests/dh_test.c -index 036d27a..eb6554f 100644 +index 6216b4e..dd74e58 100644 --- a/lib/dns-pkcs11/tests/dh_test.c +++ b/lib/dns-pkcs11/tests/dh_test.c -@@ -63,7 +63,8 @@ ATF_TC_BODY(isc_dh_computesecret, tc) { +@@ -64,7 +64,8 @@ ATF_TC_BODY(isc_dh_computesecret, tc) { ret = dst_key_computesecret(key, key, &buf); ATF_REQUIRE_EQ(ret, DST_R_NOTPRIVATEKEY); ret = key->func->computesecret(key, key, &buf); @@ -93,10 +93,10 @@ index 036d27a..eb6554f 100644 dst_key_free(&key); dns_test_end(); diff --git a/lib/isc-pkcs11/tests/Makefile.in b/lib/isc-pkcs11/tests/Makefile.in -index f7fa538..818dae4 100644 +index add8068..a928dcf 100644 --- a/lib/isc-pkcs11/tests/Makefile.in +++ b/lib/isc-pkcs11/tests/Makefile.in -@@ -17,10 +17,10 @@ VERSION=@BIND9_VERSION@ +@@ -20,10 +20,10 @@ VERSION=@BIND9_VERSION@ @BIND9_MAKE_INCLUDES@ CINCLUDES = -I. -Iinclude ${ISC_INCLUDES} @ISC_OPENSSL_INC@ @@ -111,10 +111,10 @@ index f7fa538..818dae4 100644 LIBS = @LIBS@ @ATFLIBS@ diff --git a/lib/isc-pkcs11/tests/hash_test.c b/lib/isc-pkcs11/tests/hash_test.c -index 5b8a374..c1891c2 100644 +index 7eb1552..048ae9d 100644 --- a/lib/isc-pkcs11/tests/hash_test.c +++ b/lib/isc-pkcs11/tests/hash_test.c -@@ -74,7 +74,7 @@ typedef struct hash_testcase { +@@ -78,7 +78,7 @@ typedef struct hash_testcase { typedef struct hash_test_key { const char *key; 
@@ -123,7 +123,7 @@ index 5b8a374..c1891c2 100644 } hash_test_key_t; /* non-hmac tests */ -@@ -957,8 +957,11 @@ ATF_TC_BODY(isc_hmacsha1, tc) { +@@ -961,8 +961,11 @@ ATF_TC_BODY(isc_hmacsha1, tc) { hash_test_key_t *test_key = test_keys; while (testcase->input != NULL && testcase->result != NULL) { @@ -134,9 +134,9 @@ index 5b8a374..c1891c2 100644 - isc_hmacsha1_init(&hmacsha1, buffer, test_key->len); + isc_hmacsha1_init(&hmacsha1, buffer, len); isc_hmacsha1_update(&hmacsha1, - (const isc_uint8_t *) testcase->input, + (const uint8_t *) testcase->input, testcase->input_len); -@@ -1120,8 +1123,11 @@ ATF_TC_BODY(isc_hmacsha224, tc) { +@@ -1124,8 +1127,11 @@ ATF_TC_BODY(isc_hmacsha224, tc) { hash_test_key_t *test_key = test_keys; while (testcase->input != NULL && testcase->result != NULL) { @@ -147,9 +147,9 @@ index 5b8a374..c1891c2 100644 - isc_hmacsha224_init(&hmacsha224, buffer, test_key->len); + isc_hmacsha224_init(&hmacsha224, buffer, len); isc_hmacsha224_update(&hmacsha224, - (const isc_uint8_t *) testcase->input, + (const uint8_t *) testcase->input, testcase->input_len); -@@ -1283,8 +1289,11 @@ ATF_TC_BODY(isc_hmacsha256, tc) { +@@ -1287,8 +1293,11 @@ ATF_TC_BODY(isc_hmacsha256, tc) { hash_test_key_t *test_key = test_keys; while (testcase->input != NULL && testcase->result != NULL) { @@ -160,9 +160,9 @@ index 5b8a374..c1891c2 100644 - isc_hmacsha256_init(&hmacsha256, buffer, test_key->len); + isc_hmacsha256_init(&hmacsha256, buffer, len); isc_hmacsha256_update(&hmacsha256, - (const isc_uint8_t *) testcase->input, + (const uint8_t *) testcase->input, testcase->input_len); -@@ -1452,8 +1461,11 @@ ATF_TC_BODY(isc_hmacsha384, tc) { +@@ -1456,8 +1465,11 @@ ATF_TC_BODY(isc_hmacsha384, tc) { hash_test_key_t *test_key = test_keys; while (testcase->input != NULL && testcase->result != NULL) { 
@@ -173,9 +173,9 @@ index 5b8a374..c1891c2 100644 - isc_hmacsha384_init(&hmacsha384, buffer, test_key->len); + isc_hmacsha384_init(&hmacsha384, buffer, len); isc_hmacsha384_update(&hmacsha384, - (const isc_uint8_t *) testcase->input, + (const uint8_t *) testcase->input, testcase->input_len); -@@ -1621,8 +1633,11 @@ ATF_TC_BODY(isc_hmacsha512, tc) { +@@ -1625,8 +1637,11 @@ ATF_TC_BODY(isc_hmacsha512, tc) { hash_test_key_t *test_key = test_keys; while (testcase->input != NULL && testcase->result != NULL) { @@ -186,9 +186,9 @@ index 5b8a374..c1891c2 100644 - isc_hmacsha512_init(&hmacsha512, buffer, test_key->len); + isc_hmacsha512_init(&hmacsha512, buffer, len); isc_hmacsha512_update(&hmacsha512, - (const isc_uint8_t *) testcase->input, + (const uint8_t *) testcase->input, testcase->input_len); -@@ -1765,8 +1780,11 @@ ATF_TC_BODY(isc_hmacmd5, tc) { +@@ -1769,8 +1784,11 @@ ATF_TC_BODY(isc_hmacmd5, tc) { hash_test_key_t *test_key = test_keys; while (testcase->input != NULL && testcase->result != NULL) { @@ -199,8 +199,8 @@ index 5b8a374..c1891c2 100644 - isc_hmacmd5_init(&hmacmd5, buffer, test_key->len); + isc_hmacmd5_init(&hmacmd5, buffer, len); isc_hmacmd5_update(&hmacmd5, - (const isc_uint8_t *) testcase->input, + (const uint8_t *) testcase->input, testcase->input_len); -- -2.14.3 +2.14.4 diff --git a/bind-9.11-oot-manual.patch b/bind-9.11-oot-manual.patch index b090b9f..84e9d25 100644 --- a/bind-9.11-oot-manual.patch +++ b/bind-9.11-oot-manual.patch @@ -1,4 +1,4 @@ -From e462d022a9dc52c40aece6f8ba3123ff3ffa59ed Mon Sep 17 00:00:00 2001 +From 8ca95f47231822df2b9c171a4da1e93ca5b748eb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Wed, 25 Jul 2018 12:24:16 +0200 Subject: [PATCH] Use make automatic variables to install updated manuals @@ -19,7 +19,7 @@ Install all files in single command instead of iterating on each of them. 9 files changed, 54 insertions(+), 38 deletions(-) 
diff --git a/bin/check/Makefile.in b/bin/check/Makefile.in -index 12f48d2d23..d8eac4c714 100644 +index c124e80..1174f8d 100644 --- a/bin/check/Makefile.in +++ b/bin/check/Makefile.in @@ -83,12 +83,14 @@ installdirs: @@ -35,13 +35,13 @@ index 12f48d2d23..d8eac4c714 100644 ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkconf@EXEEXT@ ${DESTDIR}${sbindir} ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkzone@EXEEXT@ ${DESTDIR}${sbindir} (cd ${DESTDIR}${sbindir}; rm -f named-compilezone@EXEEXT@; ${LINK_PROGRAM} named-checkzone@EXEEXT@ named-compilezone@EXEEXT@) -- for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8; done +- for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8 || exit 1; done - (cd ${DESTDIR}${mandir}/man8; rm -f named-compilezone.8; ${LINK_PROGRAM} named-checkzone.8 named-compilezone.8) uninstall:: rm -f ${DESTDIR}${mandir}/man8/named-compilezone.8 diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in -index 87f13dda4b..7865c0c73e 100644 +index 87f13dd..7865c0c 100644 --- a/bin/confgen/Makefile.in +++ b/bin/confgen/Makefile.in @@ -95,13 +95,14 @@ installdirs: @@ -64,7 +64,7 @@ index 87f13dda4b..7865c0c73e 100644 uninstall:: rm -f ${DESTDIR}${mandir}/man8/tsig-keygen.8 diff --git a/bin/delv/Makefile.in b/bin/delv/Makefile.in -index e2d2802262..19361a83ea 100644 +index e2d2802..19361a8 100644 --- a/bin/delv/Makefile.in +++ b/bin/delv/Makefile.in @@ -63,10 +63,12 @@ installdirs: @@ -83,7 +83,7 @@ index e2d2802262..19361a83ea 100644 uninstall:: rm -f ${DESTDIR}${mandir}/man1/delv.1 diff --git a/bin/dig/Makefile.in b/bin/dig/Makefile.in -index 773ac46395..3edd951e7e 100644 +index a9830a9..d7ac0b6 100644 --- a/bin/dig/Makefile.in +++ b/bin/dig/Makefile.in @@ -91,16 +91,16 @@ installdirs: 
@@ -102,13 +102,13 @@ index 773ac46395..3edd951e7e 100644 ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \ nslookup@EXEEXT@ ${DESTDIR}${bindir} - for m in ${MANPAGES}; do \ -- ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man1; \ -- done +- ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man1 || exit 1; \ +- done uninstall:: for m in ${MANPAGES}; do \ diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in -index 1be1d5ffc6..1d0c4ce5c1 100644 +index 2239ad1..ce0a177 100644 --- a/bin/dnssec/Makefile.in +++ b/bin/dnssec/Makefile.in @@ -110,9 +110,11 @@ installdirs: @@ -120,16 +120,16 @@ index 1be1d5ffc6..1d0c4ce5c1 100644 + ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8 + +install:: ${TARGETS} installdirs install-man8 - for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir}; done -- for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8; done + for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir} || exit 1; done +- for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8 || exit 1; done uninstall:: - for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m ; done + for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m || exit 1; done diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in -index 1c413973d0..03e4cb849b 100644 +index e1f85a9..d92bc9a 100644 --- a/bin/named/Makefile.in +++ b/bin/named/Makefile.in -@@ -172,12 +172,17 @@ installdirs: +@@ -176,12 +176,17 @@ installdirs: $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man5 $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8 @@ -152,7 +152,7 @@ index 1c413973d0..03e4cb849b 100644 uninstall:: rm -f ${DESTDIR}${mandir}/man5/named.conf.5 diff --git a/bin/pkcs11/Makefile.in b/bin/pkcs11/Makefile.in -index ae9061626c..a058c91214 100644 +index ae90616..a058c91 100644 --- a/bin/pkcs11/Makefile.in +++ b/bin/pkcs11/Makefile.in @@ -71,7 +71,10 @@ installdirs: 
@@ -179,7 +179,7 @@ index ae9061626c..a058c91214 100644 uninstall:: rm -f ${DESTDIR}${mandir}/man8/pkcs11-tokens.8 diff --git a/bin/python/Makefile.in b/bin/python/Makefile.in -index aa678d47ab..064c404e2f 100644 +index aa678d4..064c404 100644 --- a/bin/python/Makefile.in +++ b/bin/python/Makefile.in @@ -47,13 +47,13 @@ installdirs: @@ -201,7 +201,7 @@ index aa678d47ab..064c404e2f 100644 if test -n "${DESTDIR}" ; then \ ${PYTHON} ${srcdir}/setup.py install --root=${DESTDIR} --prefix=${prefix} @PYTHON_INSTALL_LIB@ ; \ diff --git a/bin/tools/Makefile.in b/bin/tools/Makefile.in -index 7bf2af4cea..c395bc7462 100644 +index 7bf2af4..c395bc7 100644 --- a/bin/tools/Makefile.in +++ b/bin/tools/Makefile.in @@ -119,17 +119,27 @@ installdirs: diff --git a/bind-9.11-rh1624100.patch b/bind-9.11-rh1624100.patch index 954661c..b17a6ca 100644 --- a/bind-9.11-rh1624100.patch +++ b/bind-9.11-rh1624100.patch @@ -1,4 +1,4 @@ -From 25ff8ab2b0772262d358272a3ed70a24fc6e4887 Mon Sep 17 00:00:00 2001 +From 4fc49ad102fd00343665273caf4349d4edb5e5ac Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= Date: Wed, 25 Apr 2018 14:04:31 +0200 Subject: [PATCH] Replace isc_safe routines with their OpenSSL counter parts @@ -17,17 +17,17 @@ Fix the isc_safe_memwipe() usage with (NULL, >0) lib/dns/nsec3.c | 4 +-- lib/dns/spnego.c | 4 +-- lib/isc/Makefile.in | 8 ++--- - lib/isc/include/isc/safe.h | 18 ++++------ - lib/isc/safe.c | 81 -------------------------------------------- + lib/isc/include/isc/safe.h | 18 +++------- + lib/isc/safe.c | 83 -------------------------------------------- lib/isc/tests/safe_test.c | 20 ----------- - 7 files changed, 13 insertions(+), 124 deletions(-) + 7 files changed, 11 insertions(+), 128 deletions(-) delete mode 100644 lib/isc/safe.c diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c -index 53be1f5c60..351296a356 100644 +index 6ddaebe..d921870 100644 --- a/bin/dnssec/dnssec-signzone.c 
+++ b/bin/dnssec/dnssec-signzone.c -@@ -786,7 +786,7 @@ hashlist_add_dns_name(hashlist_t *l, /*const*/ dns_name_t *name, +@@ -787,7 +787,7 @@ hashlist_add_dns_name(hashlist_t *l, /*const*/ dns_name_t *name, static int hashlist_comp(const void *a, const void *b) { @@ -37,10 +37,10 @@ index 53be1f5c60..351296a356 100644 static void diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c -index d364308aaf..37b6a8a7fe 100644 +index e127893..895519e 100644 --- a/lib/dns/nsec3.c +++ b/lib/dns/nsec3.c -@@ -1950,7 +1950,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name, +@@ -1953,7 +1953,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name, * Work out what this NSEC3 covers. * Inside (<0) or outside (>=0). */ @@ -49,7 +49,7 @@ index d364308aaf..37b6a8a7fe 100644 /* * Prepare to compute all the hashes. -@@ -1974,7 +1974,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name, +@@ -1977,7 +1977,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name, return (ISC_R_IGNORE); } @@ -59,10 +59,10 @@ index d364308aaf..37b6a8a7fe 100644 /* * The hashes are the same. diff --git a/lib/dns/spnego.c b/lib/dns/spnego.c -index ce3e42d650..079d4c1b4a 100644 +index ad77f24..670982a 100644 --- a/lib/dns/spnego.c +++ b/lib/dns/spnego.c -@@ -369,7 +369,7 @@ gssapi_spnego_decapsulate(OM_uint32 *, +@@ -371,7 +371,7 @@ gssapi_spnego_decapsulate(OM_uint32 *, /* mod_auth_kerb.c */ @@ -71,7 +71,7 @@ index ce3e42d650..079d4c1b4a 100644 cmp_gss_type(gss_buffer_t token, gss_OID gssoid) { unsigned char *p; -@@ -393,7 +393,7 @@ cmp_gss_type(gss_buffer_t token, gss_OID gssoid) +@@ -395,7 +395,7 @@ cmp_gss_type(gss_buffer_t token, gss_OID gssoid) if (((OM_uint32) *p++) != gssoid->length) return (GSS_S_DEFECTIVE_TOKEN); @@ -81,7 +81,7 @@ index ce3e42d650..079d4c1b4a 100644 /* accept_sec_context.c */ diff --git a/lib/isc/Makefile.in b/lib/isc/Makefile.in -index ba53ef1091..98acffffc9 100644 +index ba53ef1..98acfff 100644 --- a/lib/isc/Makefile.in 
+++ b/lib/isc/Makefile.in @@ -60,7 +60,7 @@ OBJS = @ISC_EXTRA_OBJS@ @ISC_PK11_O@ @ISC_PK11_RESULT_O@ \ @@ -114,28 +114,28 @@ index ba53ef1091..98acffffc9 100644 ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \ -DVERSION=\"${VERSION}\" \ diff --git a/lib/isc/include/isc/safe.h b/lib/isc/include/isc/safe.h -index f29f00bac6..b8a0b2290c 100644 +index 66ed08b..88b8f47 100644 --- a/lib/isc/include/isc/safe.h +++ b/lib/isc/include/isc/safe.h -@@ -15,27 +15,21 @@ +@@ -15,29 +15,19 @@ /*! \file isc/safe.h */ +-#include +- -#include -#include -+#include +#include -+ +#include ISC_LANG_BEGINDECLS --isc_boolean_t +-bool -isc_safe_memequal(const void *s1, const void *s2, size_t n); -+#define isc_safe_memequal(s1, s2, n) ISC_TF(!CRYPTO_memcmp(s1, s2, n)) ++#define isc_safe_memequal(s1, s2, n) !CRYPTO_memcmp(s1, s2, n) /*%< - * Returns ISC_TRUE iff. two blocks of memory are equal, otherwise - * ISC_FALSE. + * Returns true iff. two blocks of memory are equal, otherwise + * false. * */ @@ -153,10 +153,10 @@ index f29f00bac6..b8a0b2290c 100644 * diff --git a/lib/isc/safe.c b/lib/isc/safe.c deleted file mode 100644 -index 5c9e1e2d13..0000000000 +index 7a464b6..0000000 --- a/lib/isc/safe.c +++ /dev/null -@@ -1,81 +0,0 @@ +@@ -1,83 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * @@ -172,6 +172,8 @@ index 5c9e1e2d13..0000000000 - -#include - +-#include +- -#include -#include -#include @@ -184,18 +186,18 @@ index 5c9e1e2d13..0000000000 -#pragma optimize("", off) -#endif - --isc_boolean_t +-bool -isc_safe_memequal(const void *s1, const void *s2, size_t n) { -- isc_uint8_t acc = 0; +- uint8_t acc = 0; - - if (n != 0U) { -- const isc_uint8_t *p1 = s1, *p2 = s2; +- const uint8_t *p1 = s1, *p2 = s2; - - do { - acc |= *p1++ ^ *p2++; - } while (--n != 0U); - } -- return (ISC_TF(acc == 0)); +- return (acc == 0); -} - - @@ -239,7 +241,7 @@ index 5c9e1e2d13..0000000000 -#endif -} 
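Review bot: A point of style on the new `isc_safe_memequal` macro in the lib/isc/include/isc/safe.h part of this hunk: with the `ISC_TF()` wrapper dropped, it expands to a bare `!CRYPTO_memcmp(s1, s2, n)`, with neither the arguments nor the whole expansion parenthesized. It also yields an `int`, where the function it replaces was declared `bool`. Since this is the constant-time comparison that the removed safe.c implemented by hand, I would write it as a self-contained expression: `#define isc_safe_memequal(s1, s2, n) (CRYPTO_memcmp((s1), (s2), (n)) == 0)`. The doc comment under it ("Returns true iff. two blocks of memory are equal") then matches what the macro evaluates to. The rest of safe.h lies outside the hunk.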
diff --git a/lib/isc/tests/safe_test.c b/lib/isc/tests/safe_test.c -index f721cd1096..ea3e61f98d 100644 +index f721cd1..ea3e61f 100644 --- a/lib/isc/tests/safe_test.c +++ b/lib/isc/tests/safe_test.c @@ -39,24 +39,6 @@ ATF_TC_BODY(isc_safe_memequal, tc) { diff --git a/bind-9.11-rt31459.patch b/bind-9.11-rt31459.patch index 6208ef2..06847bf 100644 --- a/bind-9.11-rt31459.patch +++ b/bind-9.11-rt31459.patch @@ -1,4 +1,4 @@ -From ae9c9ef5a5ba06cf57b5a87b5f2bbc71649ba41b Mon Sep 17 00:00:00 2001 +From 45209f5153693339c4582795714b6859693673fc Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Tue, 12 Sep 2017 19:05:46 -0700 Subject: [PATCH] rebased rt31459c @@ -24,7 +24,7 @@ Include new unit test bin/named/server.c | 6 + bin/nsupdate/nsupdate.c | 18 ++- bin/tests/makejournal.c | 6 +- - bin/tests/system/pipelined/pipequeries.c | 20 ++- + bin/tests/system/pipelined/pipequeries.c | 21 ++- bin/tests/system/pipelined/tests.sh | 4 +- bin/tests/system/rsabigexponent/bigkey.c | 4 + bin/tests/system/tkey/keycreate.c | 26 +++- @@ -35,14 +35,14 @@ Include new unit test configure.in | 77 +++++++++- lib/dns/dst_api.c | 21 ++- lib/dns/include/dst/dst.h | 8 + - lib/dns/lib.c | 17 ++- + lib/dns/lib.c | 15 +- lib/dns/openssl_link.c | 72 ++++++++- lib/dns/pkcs11.c | 29 +++- lib/dns/tests/Atffile | 1 + lib/dns/tests/Kyuafile | 1 + lib/dns/tests/Makefile.in | 7 + lib/dns/tests/dnstest.c | 14 +- - lib/dns/tests/dstrandom_test.c | 105 +++++++++++++ + lib/dns/tests/dstrandom_test.c | 99 ++++++++++++ lib/dns/win32/libdns.def.in | 7 + lib/isc/entropy.c | 24 +++ lib/isc/include/isc/entropy.h | 12 ++ @@ -51,11 +51,11 @@ Include new unit test lib/isc/pk11.c | 12 +- lib/isc/win32/include/isc/platform.h.in | 5 + win32utils/Configure | 29 +++- - 38 files changed, 704 insertions(+), 184 deletions(-) + 38 files changed, 699 insertions(+), 182 deletions(-) create mode 100644 lib/dns/tests/dstrandom_test.c 
diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c -index 11cc54d..fa439cc 100644 +index 5015abb..295e16f 100644 --- a/bin/confgen/keygen.c +++ b/bin/confgen/keygen.c @@ -165,6 +165,13 @@ generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg, @@ -66,17 +66,17 @@ index 11cc54d..fa439cc 100644 + if (randomfile != NULL && + strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { + randomfile = NULL; -+ isc_entropy_usehook(ectx, ISC_TRUE); ++ isc_entropy_usehook(ectx, true); + } +#endif DO("start entropy source", isc_entropy_usebestsource(ectx, &entropy_source, randomfile, diff --git a/bin/dnssec/dnssec-dsfromkey.c b/bin/dnssec/dnssec-dsfromkey.c -index 94a982c..897c497 100644 +index 65fdaaa..6612189 100644 --- a/bin/dnssec/dnssec-dsfromkey.c +++ b/bin/dnssec/dnssec-dsfromkey.c -@@ -495,14 +495,14 @@ main(int argc, char **argv) { +@@ -497,14 +497,14 @@ main(int argc, char **argv) { if (ectx == NULL) setup_entropy(mctx, NULL, &ectx); @@ -94,7 +94,7 @@ index 94a982c..897c497 100644 isc_entropy_stopcallbacksources(ectx); setup_logging(mctx, &log); -@@ -564,8 +564,8 @@ main(int argc, char **argv) { +@@ -566,8 +566,8 @@ main(int argc, char **argv) { if (dns_rdataset_isassociated(&rdataset)) dns_rdataset_disassociate(&rdataset); cleanup_logging(&log); @@ -105,10 +105,10 @@ index 94a982c..897c497 100644 dns_name_destroy(); if (verbose > 10) diff --git a/bin/dnssec/dnssec-importkey.c b/bin/dnssec/dnssec-importkey.c -index 2edf614..840316c 100644 +index 0d1e7f8..79c4d74 100644 --- a/bin/dnssec/dnssec-importkey.c +++ b/bin/dnssec/dnssec-importkey.c -@@ -406,14 +406,14 @@ main(int argc, char **argv) { +@@ -407,14 +407,14 @@ main(int argc, char **argv) { if (ectx == NULL) setup_entropy(mctx, NULL, &ectx); 
@@ -126,7 +126,7 @@ index 2edf614..840316c 100644 isc_entropy_stopcallbacksources(ectx); setup_logging(mctx, &log); -@@ -457,8 +457,8 @@ main(int argc, char **argv) { +@@ -458,8 +458,8 @@ main(int argc, char **argv) { if (dns_rdataset_isassociated(&rdataset)) dns_rdataset_disassociate(&rdataset); cleanup_logging(&log); @@ -137,10 +137,10 @@ index 2edf614..840316c 100644 dns_name_destroy(); if (verbose > 10) diff --git a/bin/dnssec/dnssec-revoke.c b/bin/dnssec/dnssec-revoke.c -index 10fad0b..0b68e99 100644 +index 1a2b545..e33cb8b 100644 --- a/bin/dnssec/dnssec-revoke.c +++ b/bin/dnssec/dnssec-revoke.c -@@ -182,14 +182,14 @@ main(int argc, char **argv) { +@@ -184,14 +184,14 @@ main(int argc, char **argv) { if (ectx == NULL) setup_entropy(mctx, NULL, &ectx); @@ -158,7 +158,7 @@ index 10fad0b..0b68e99 100644 isc_entropy_stopcallbacksources(ectx); result = dst_key_fromnamedfile(filename, dir, -@@ -271,8 +271,8 @@ main(int argc, char **argv) { +@@ -273,8 +273,8 @@ main(int argc, char **argv) { cleanup: dst_key_free(&key); @@ -169,10 +169,10 @@ index 10fad0b..0b68e99 100644 if (verbose > 10) isc_mem_stats(mctx, stdout); diff --git a/bin/dnssec/dnssec-settime.c b/bin/dnssec/dnssec-settime.c -index 360cdb9..b7bf171 100644 +index f355903..6a2ca59 100644 --- a/bin/dnssec/dnssec-settime.c +++ b/bin/dnssec/dnssec-settime.c -@@ -380,14 +380,14 @@ main(int argc, char **argv) { +@@ -382,14 +382,14 @@ main(int argc, char **argv) { if (ectx == NULL) setup_entropy(mctx, NULL, &ectx); @@ -190,7 +190,7 @@ index 360cdb9..b7bf171 100644 isc_entropy_stopcallbacksources(ectx); if (predecessor != NULL) { -@@ -672,8 +672,8 @@ main(int argc, char **argv) { +@@ -674,8 +674,8 @@ main(int argc, char **argv) { if (prevkey != NULL) dst_key_free(&prevkey); dst_key_free(&key); @@ -201,10 +201,10 @@ index 360cdb9..b7bf171 100644 if (verbose > 10) isc_mem_stats(mctx, stdout); 
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c -index 1bea357..53be1f5 100644 +index c6a0313..6ddaebe 100644 --- a/bin/dnssec/dnssec-signzone.c +++ b/bin/dnssec/dnssec-signzone.c -@@ -3459,14 +3459,15 @@ main(int argc, char *argv[]) { +@@ -3460,14 +3460,15 @@ main(int argc, char *argv[]) { if (!pseudorandom) eflags |= ISC_ENTROPY_GOODONLY; @@ -224,7 +224,7 @@ index 1bea357..53be1f5 100644 isc_stdtime_get(&now); if (startstr != NULL) { -@@ -3878,8 +3879,8 @@ main(int argc, char *argv[]) { +@@ -3879,8 +3880,8 @@ main(int argc, char *argv[]) { dns_master_styledestroy(&dsstyle, mctx); cleanup_logging(&log); @@ -235,10 +235,10 @@ index 1bea357..53be1f5 100644 dns_name_destroy(); if (verbose > 10) diff --git a/bin/dnssec/dnssec-verify.c b/bin/dnssec/dnssec-verify.c -index 792510a..dc32765 100644 +index 4c293bf..3263cbc 100644 --- a/bin/dnssec/dnssec-verify.c +++ b/bin/dnssec/dnssec-verify.c -@@ -280,15 +280,15 @@ main(int argc, char *argv[]) { +@@ -281,15 +281,15 @@ main(int argc, char *argv[]) { if (ectx == NULL) setup_entropy(mctx, NULL, &ectx); @@ -259,10 +259,10 @@ index 792510a..dc32765 100644 rdclass = strtoclass(classname); diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c -index dc32c90..4ea9eaf 100644 +index fbc7ece..31a99e7 100644 --- a/bin/dnssec/dnssectool.c +++ b/bin/dnssec/dnssectool.c -@@ -32,6 +32,7 @@ +@@ -34,6 +34,7 @@ #include #include #include @@ -270,7 +270,7 @@ index dc32c90..4ea9eaf 100644 #include #include #include -@@ -233,7 +234,8 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { +@@ -235,7 +236,8 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { if (*ectx == NULL) { result = isc_entropy_create(mctx, ectx); if (result != ISC_R_SUCCESS) 
@@ -280,7 +280,7 @@ index dc32c90..4ea9eaf 100644 ISC_LIST_INIT(sources); } -@@ -242,6 +244,13 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { +@@ -244,6 +246,13 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { randomfile = NULL; } @@ -288,17 +288,17 @@ index dc32c90..4ea9eaf 100644 + if (randomfile != NULL && + strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { + randomfile = NULL; -+ isc_entropy_usehook(*ectx, ISC_TRUE); ++ isc_entropy_usehook(*ectx, true); + } +#endif result = isc_entropy_usebestsource(*ectx, &source, randomfile, usekeyboard); diff --git a/bin/named/server.c b/bin/named/server.c -index 59a8998..ee5186c 100644 +index 7f87ccf..9258e7f 100644 --- a/bin/named/server.c +++ b/bin/named/server.c -@@ -34,6 +34,7 @@ +@@ -36,6 +36,7 @@ #include #include #include @@ -306,18 +306,18 @@ index 59a8998..ee5186c 100644 #include #include #include -@@ -8083,6 +8084,10 @@ load_configuration(const char *filename, ns_server_t *server, +@@ -8171,6 +8172,10 @@ load_configuration(const char *filename, ns_server_t *server, "no source of entropy found"); } else { const char *randomdev = cfg_obj_asstring(obj); +#ifdef ISC_PLATFORM_CRYPTORANDOM + if (strcmp(randomdev, ISC_PLATFORM_CRYPTORANDOM) == 0) -+ isc_entropy_usehook(ns_g_entropy, ISC_TRUE); ++ isc_entropy_usehook(ns_g_entropy, true); +#else int level = ISC_LOG_ERROR; result = isc_entropy_createfilesource(ns_g_entropy, randomdev); -@@ -8117,6 +8122,7 @@ load_configuration(const char *filename, ns_server_t *server, +@@ -8205,6 +8210,7 @@ load_configuration(const char *filename, ns_server_t *server, } isc_entropy_detach(&ns_g_fallbackentropy); } @@ -326,10 +326,10 @@ index 59a8998..ee5186c 100644 } } diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c -index bb5d500..46c7acf 100644 +index 5eefc57..1559a33 100644 --- a/bin/nsupdate/nsupdate.c +++ b/bin/nsupdate/nsupdate.c -@@ -33,6 +33,7 @@ +@@ -35,6 +35,7 @@ #include #include #include 
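Review bot: In the `load_configuration` hunk for bin/named/server.c, a crypto-random build appears to silently drop any configured random-device value other than `ISC_PLATFORM_CRYPTORANDOM`. The `#ifdef ISC_PLATFORM_CRYPTORANDOM` branch only calls `isc_entropy_usehook(ns_g_entropy, true)` on an exact `strcmp` match, and the `isc_entropy_createfilesource()` path sits under `#else`. The closing `#endif` and the rest of the function are outside the visible lines, so this is inferred from the `#ifdef`/`#else` pair shown here. An operator who points random-device at a specific file gets no signal that it was not used, so I would add an `else` branch that logs a warning. At minimum add a comment such as `/* any random-device other than ISC_PLATFORM_CRYPTORANDOM is ignored in this build */`.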
@@ -337,7 +337,7 @@ index bb5d500..46c7acf 100644 #include #include #include -@@ -269,7 +270,8 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { +@@ -271,7 +272,8 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { if (*ectx == NULL) { result = isc_entropy_create(mctx, ectx); if (result != ISC_R_SUCCESS) @@ -347,7 +347,7 @@ index bb5d500..46c7acf 100644 ISC_LIST_INIT(sources); } -@@ -278,6 +280,13 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { +@@ -280,6 +282,13 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { randomfile = NULL; } @@ -355,13 +355,13 @@ index bb5d500..46c7acf 100644 + if (randomfile != NULL && + strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { + randomfile = NULL; -+ isc_entropy_usehook(*ectx, ISC_TRUE); ++ isc_entropy_usehook(*ectx, true); + } +#endif result = isc_entropy_usebestsource(*ectx, &source, randomfile, usekeyboard); -@@ -948,11 +957,11 @@ setup_system(void) { +@@ -950,11 +959,11 @@ setup_system(void) { } } @@ -375,9 +375,9 @@ index bb5d500..46c7acf 100644 result = dns_dispatchmgr_create(gmctx, entropy, &dispatchmgr); check_result(result, "dns_dispatchmgr_create"); -@@ -976,6 +985,9 @@ setup_system(void) { +@@ -978,6 +987,9 @@ setup_system(void) { check_result(result, "dst_lib_init"); - is_dst_up = ISC_TRUE; + is_dst_up = true; + /* moved after dst_lib_init() */ + isc_hash_init(); @@ -386,30 +386,30 @@ index bb5d500..46c7acf 100644 attrmask |= DNS_DISPATCHATTR_IPV4 | DNS_DISPATCHATTR_IPV6; diff --git a/bin/tests/makejournal.c b/bin/tests/makejournal.c -index fed59be..9f125da 100644 +index 61a41b0..acc71a1 100644 --- a/bin/tests/makejournal.c 
+++ b/bin/tests/makejournal.c -@@ -100,12 +100,12 @@ main(int argc, char **argv) { +@@ -102,12 +102,12 @@ main(int argc, char **argv) { CHECK(isc_mem_create(0, 0, &mctx)); CHECK(isc_entropy_create(mctx, &ectx)); - CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)); -- hash_active = ISC_TRUE; +- hash_active = true; - CHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_BLOCKING)); - dst_active = ISC_TRUE; + dst_active = true; + CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)); -+ hash_active = ISC_TRUE; ++ hash_active = true; + CHECK(isc_log_create(mctx, &lctx, &logconfig)); isc_log_registercategories(lctx, categories); isc_log_setcontext(lctx); diff --git a/bin/tests/system/pipelined/pipequeries.c b/bin/tests/system/pipelined/pipequeries.c -index 379b6a3..810d99e 100644 +index 2fcc064..7b4f617 100644 --- a/bin/tests/system/pipelined/pipequeries.c +++ b/bin/tests/system/pipelined/pipequeries.c -@@ -202,6 +202,7 @@ sendqueries(isc_task_t *task, isc_event_t *event) { +@@ -204,6 +204,7 @@ sendqueries(isc_task_t *task, isc_event_t *event) { int main(int argc, char *argv[]) { @@ -417,16 +417,17 @@ index 379b6a3..810d99e 100644 isc_sockaddr_t bind_any; struct in_addr inaddr; isc_result_t result; -@@ -222,7 +223,7 @@ main(int argc, char *argv[]) { +@@ -224,7 +225,8 @@ main(int argc, char *argv[]) { UNUSED(argv); - isc_commandline_errprint = ISC_FALSE; + isc_commandline_errprint = false; - while ((c = isc_commandline_parse(argc, argv, "p:")) != -1) { -+ while ((c = isc_commandline_parse(argc, argv, "p:r:")) != -1) { ++ while ((c = isc_commandline_parse(argc, argv, "p:r:")) != -1) ++ { switch (c) { case 'p': result = isc_parse_uint16(&port, -@@ -233,6 +234,9 @@ main(int argc, char *argv[]) { +@@ -235,6 +237,9 @@ main(int argc, char *argv[]) { exit(1); } break; 
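Review bot: In the pipequeries.c `main()` hunk, the re-wrapped `while ((c = isc_commandline_parse(argc, argv, "p:r:")) != -1)` now has its opening brace on a line of its own. The `switch (c) {` directly below it and the `main(int argc, char *argv[]) {` context keep the brace on the statement line. The previous revision of this patch had the one-line form, and nothing visible in the hunk requires the split. I would restore `while ((c = isc_commandline_parse(argc, argv, "p:r:")) != -1) {` so the only difference from the unpatched line is the added `r:` option. The body of `main()` continues outside the hunk.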
@@ -436,7 +437,7 @@ index 379b6a3..810d99e 100644 case '?': fprintf(stderr, "%s: invalid argument '%c'", argv[0], c); -@@ -274,10 +278,18 @@ main(int argc, char *argv[]) { +@@ -276,10 +281,18 @@ main(int argc, char *argv[]) { ectx = NULL; RUNCHECK(isc_entropy_create(mctx, &ectx)); @@ -446,7 +447,7 @@ index 379b6a3..810d99e 100644 + if (randomfile != NULL && + strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { + randomfile = NULL; -+ isc_entropy_usehook(ectx, ISC_TRUE); ++ isc_entropy_usehook(ectx, true); + } +#endif + if (randomfile != NULL) @@ -457,7 +458,7 @@ index 379b6a3..810d99e 100644 taskmgr = NULL; RUNCHECK(isc_taskmgr_create(mctx, 1, 0, &taskmgr)); -@@ -330,8 +342,8 @@ main(int argc, char *argv[]) { +@@ -332,8 +345,8 @@ main(int argc, char *argv[]) { isc_task_detach(&task); isc_taskmgr_destroy(&taskmgr); @@ -490,7 +491,7 @@ index a6720ce..9063b1f 100644 diff refb outputb || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi diff --git a/bin/tests/system/rsabigexponent/bigkey.c b/bin/tests/system/rsabigexponent/bigkey.c -index 4462f2e..f1230d8 100644 +index 4462f2e..f06268d 100644 --- a/bin/tests/system/rsabigexponent/bigkey.c +++ b/bin/tests/system/rsabigexponent/bigkey.c @@ -20,6 +20,7 @@ @@ -506,13 +507,13 @@ index 4462f2e..f1230d8 100644 CHECK(isc_mem_create(0, 0, &mctx), "isc_mem_create()"); CHECK(isc_entropy_create(mctx, &ectx), "isc_entropy_create()"); +#ifdef ISC_PLATFORM_CRYPTORANDOM -+ isc_entropy_usehook(ectx, ISC_TRUE); ++ isc_entropy_usehook(ectx, true); +#endif CHECK(isc_entropy_usebestsource(ectx, &source, "../random.data", ISC_ENTROPY_KEYBOARDNO), diff --git a/bin/tests/system/tkey/keycreate.c b/bin/tests/system/tkey/keycreate.c -index 489f439..4f2f5b4 100644 +index 653c951..fe8698e 100644 --- a/bin/tests/system/tkey/keycreate.c +++ b/bin/tests/system/tkey/keycreate.c @@ -206,6 +206,7 @@ sendquery(isc_task_t *task, isc_event_t *event) { 
@@ -555,7 +556,7 @@ index 489f439..4f2f5b4 100644 + if (randomfile != NULL && + strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { + randomfile = NULL; -+ isc_entropy_usehook(ectx, ISC_TRUE); ++ isc_entropy_usehook(ectx, true); + } +#endif + if (randomfile != NULL) @@ -581,7 +582,7 @@ index 489f439..4f2f5b4 100644 isc_mem_destroy(&mctx); diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c -index 36ee6c7..0975bbe 100644 +index 70a40c3..2146f9b 100644 --- a/bin/tests/system/tkey/keydelete.c +++ b/bin/tests/system/tkey/keydelete.c @@ -136,6 +136,7 @@ sendquery(isc_task_t *task, isc_event_t *event) { @@ -624,7 +625,7 @@ index 36ee6c7..0975bbe 100644 + if (randomfile != NULL && + strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { + randomfile = NULL; -+ isc_entropy_usehook(ectx, ISC_TRUE); ++ isc_entropy_usehook(ectx, true); + } +#endif + if (randomfile != NULL) @@ -639,7 +640,7 @@ index 36ee6c7..0975bbe 100644 taskmgr = NULL; RUNCHECK(isc_taskmgr_create(mctx, 1, 0, &taskmgr)); -@@ -265,8 +285,8 @@ main(int argc, char **argv) { +@@ -264,8 +284,8 @@ main(int argc, char **argv) { isc_log_destroy(&log); @@ -690,10 +691,10 @@ index 9f90dd7..fad6c83 100644 echo "I:failed" status=`expr $status + $ret` diff --git a/bin/tools/mdig.c b/bin/tools/mdig.c -index 1f5dd4c..4e3bfa5 100644 +index 4876875..e46653a 100644 --- a/bin/tools/mdig.c +++ b/bin/tools/mdig.c -@@ -1933,12 +1933,11 @@ main(int argc, char *argv[]) { +@@ -1955,12 +1955,11 @@ main(int argc, char *argv[]) { ectx = NULL; RUNCHECK(isc_entropy_create(mctx, &ectx)); @@ -705,10 +706,10 @@ index 1f5dd4c..4e3bfa5 100644 - RUNCHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_GOODONLY)); - ISC_LIST_INIT(queries); - parse_args(ISC_FALSE, argc, argv); + parse_args(false, argc, argv); if (server == NULL) diff --git a/configure b/configure -index c83773a..ac1ea3f 100755 +index 4394755..2e0af33 100755 --- a/configure +++ b/configure @@ -640,6 +640,7 @@ ac_includes_default="\ 
@@ -719,7 +720,7 @@ index c83773a..ac1ea3f 100755 BUILD_LIBS BUILD_LDFLAGS BUILD_CPPFLAGS -@@ -825,6 +826,7 @@ XMLSTATS +@@ -823,6 +824,7 @@ XMLSTATS NZDTARGETS NZDSRCS NZD_TOOLS @@ -727,7 +728,7 @@ index c83773a..ac1ea3f 100755 PKCS11_TEST PKCS11_ED25519 PKCS11_GOST -@@ -1037,6 +1039,7 @@ with_eddsa +@@ -1035,6 +1037,7 @@ with_eddsa with_aes enable_openssl_hash with_cc_alg @@ -735,7 +736,7 @@ index c83773a..ac1ea3f 100755 with_lmdb with_libxml2 with_libjson -@@ -1730,6 +1733,7 @@ Optional Features: +@@ -1728,6 +1731,7 @@ Optional Features: --enable-threads enable multithreading --enable-native-pkcs11 use native PKCS11 for all crypto [default=no] --enable-openssl-hash use OpenSSL for hash functions [default=no] @@ -743,7 +744,7 @@ index c83773a..ac1ea3f 100755 --enable-largefile 64-bit file support --enable-backtrace log stack backtrace on abort [default=yes] --enable-symtable use internal symbol table for backtrace -@@ -16486,6 +16490,7 @@ case "$use_openssl" in +@@ -16631,6 +16635,7 @@ case "$use_openssl" in $as_echo "disabled because of native PKCS11" >&6; } DST_OPENSSL_INC="" CRYPTO="-DPKCS11CRYPTO" @@ -751,7 +752,7 @@ index c83773a..ac1ea3f 100755 OPENSSLECDSALINKOBJS="" OPENSSLECDSALINKSRCS="" OPENSSLEDDSALINKOBJS="" -@@ -16500,6 +16505,7 @@ $as_echo "disabled because of native PKCS11" >&6; } +@@ -16645,6 +16650,7 @@ $as_echo "disabled because of native PKCS11" >&6; } $as_echo "no" >&6; } DST_OPENSSL_INC="" CRYPTO="" @@ -759,7 +760,7 @@ index c83773a..ac1ea3f 100755 OPENSSLECDSALINKOBJS="" OPENSSLECDSALINKSRCS="" OPENSSLEDDSALINKOBJS="" -@@ -16512,6 +16518,7 @@ $as_echo "no" >&6; } +@@ -16657,6 +16663,7 @@ $as_echo "no" >&6; } auto) DST_OPENSSL_INC="" CRYPTO="" 
@@ -767,7 +768,7 @@ index c83773a..ac1ea3f 100755 OPENSSLECDSALINKOBJS="" OPENSSLECDSALINKSRCS="" OPENSSLEDDSALINKOBJS="" -@@ -16521,7 +16528,7 @@ $as_echo "no" >&6; } +@@ -16666,7 +16673,7 @@ $as_echo "no" >&6; } OPENSSLLINKOBJS="" OPENSSLLINKSRCS="" as_fn_error $? "OpenSSL was not found in any of $openssldirs; use --with-openssl=/path @@ -776,7 +777,7 @@ index c83773a..ac1ea3f 100755 ;; *) if test "yes" = "$want_native_pkcs11" -@@ -16552,6 +16559,7 @@ $as_echo "not found" >&6; } +@@ -16697,6 +16704,7 @@ $as_echo "not found" >&6; } as_fn_error $? "\"$use_openssl/include/openssl/opensslv.h\" not found" "$LINENO" 5 fi CRYPTO='-DOPENSSL' @@ -784,7 +785,7 @@ index c83773a..ac1ea3f 100755 if test "/usr" = "$use_openssl" then DST_OPENSSL_INC="" -@@ -17213,8 +17221,6 @@ fi +@@ -17358,8 +17366,6 @@ fi # Use OpenSSL for hash functions # @@ -793,7 +794,7 @@ index c83773a..ac1ea3f 100755 ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH" case $want_openssl_hash in yes) -@@ -17583,6 +17589,86 @@ if test "rt" = "$have_clock_gt"; then +@@ -17728,6 +17734,86 @@ if test "rt" = "$have_clock_gt"; then LIBS="-lrt $LIBS" fi @@ -880,7 +881,7 @@ index c83773a..ac1ea3f 100755 # # was --with-lmdb specified? # -@@ -19665,9 +19751,12 @@ _ACEOF +@@ -19810,9 +19896,12 @@ _ACEOF if ac_fn_c_try_compile "$LINENO"; then : { $as_echo "$as_me:${as_lineno-$LINENO}: result: size_t for buflen; int for flags" >&5 $as_echo "size_t for buflen; int for flags" >&6; } @@ -895,7 +896,7 @@ index c83773a..ac1ea3f 100755 $as_echo "#define IRS_GETNAMEINFO_FLAGS_T int" >>confdefs.h -@@ -21032,12 +21121,7 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM" +@@ -21123,12 +21212,7 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM" ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM" ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM" if test "yes" = "$use_atomic"; then 
@@ -909,7 +910,7 @@ index c83773a..ac1ea3f 100755 # version HP92453-01 B.11.11.23709.GP, which incorrectly rejects # declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. # This bug is HP SR number 8606223364. -@@ -21070,6 +21154,11 @@ cat >>confdefs.h <<_ACEOF +@@ -21161,6 +21245,11 @@ cat >>confdefs.h <<_ACEOF _ACEOF @@ -921,7 +922,7 @@ index c83773a..ac1ea3f 100755 if test $ac_cv_sizeof_void_p = 8; then arch=x86_64 have_xaddq=yes -@@ -21078,39 +21167,6 @@ _ACEOF +@@ -21169,39 +21258,6 @@ _ACEOF fi ;; x86_64-*|amd64-*) @@ -961,7 +962,7 @@ index c83773a..ac1ea3f 100755 if test $ac_cv_sizeof_void_p = 8; then arch=x86_64 have_xaddq=yes -@@ -21141,6 +21197,10 @@ $as_echo_n "checking architecture type for atomic operations... " >&6; } +@@ -21232,6 +21288,10 @@ $as_echo_n "checking architecture type for atomic operations... " >&6; } $as_echo "$arch" >&6; } fi @@ -972,7 +973,7 @@ index c83773a..ac1ea3f 100755 if test "yes" = "$have_atomic"; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking compiler support for inline assembly code" >&5 $as_echo_n "checking compiler support for inline assembly code... " >&6; } -@@ -23428,6 +23488,30 @@ CFLAGS="$CFLAGS $SO_CFLAGS" +@@ -23519,6 +23579,30 @@ CFLAGS="$CFLAGS $SO_CFLAGS" # dlzdir='${DLZ_DRIVER_DIR}' @@ -1003,7 +1004,7 @@ index c83773a..ac1ea3f 100755 # # Private autoconf macro to simplify configuring drivers: # -@@ -23758,11 +23842,11 @@ $as_echo "no" >&6; } +@@ -23849,11 +23933,11 @@ $as_echo "no" >&6; } $as_echo "using mysql with libs ${mysql_lib} and includes ${mysql_include}" >&6; } ;; *) @@ -1018,7 +1019,7 @@ index c83773a..ac1ea3f 100755 fi CONTRIB_DLZ="$CONTRIB_DLZ -DDLZ_MYSQL" -@@ -23847,7 +23931,7 @@ $as_echo "" >&6; } +@@ -23938,7 +24022,7 @@ $as_echo "" >&6; } # Check other locations for includes. # Order is important (sigh). 
@@ -1027,13 +1028,12 @@ index c83773a..ac1ea3f 100755 # include a blank element first for d in "" $bdb_incdirs do -@@ -23872,57 +23956,9 @@ $as_echo "" >&6; } +@@ -23963,57 +24047,9 @@ $as_echo "" >&6; } bdb_libnames="db53 db-5.3 db51 db-5.1 db48 db-4.8 db47 db-4.7 db46 db-4.6 db45 db-4.5 db44 db-4.4 db43 db-4.3 db42 db-4.2 db41 db-4.1 db" for d in $bdb_libnames do - if test "$dd" = "/usr" -+ if test -f "$dd/${target_lib}/lib${d}.so" - then +- then - as_ac_Lib=`$as_echo "ac_cv_lib_$d''_db_create" | $as_tr_sh` -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for db_create in -l$d" >&5 -$as_echo_n "checking for db_create in -l$d... " >&6; } @@ -1081,13 +1081,14 @@ index c83773a..ac1ea3f 100755 - break - fi - elif test -f "$dd/lib/lib${d}.so" -- then ++ if test -f "$dd/${target_lib}/lib${d}.so" + then - dlz_bdb_libs="-L${dd}/lib -l${d}" + dlz_bdb_libs="-L${dd}/${target_lib}/libdb -l${d}" break fi done -@@ -24081,10 +24117,10 @@ $as_echo "no" >&6; } +@@ -24172,10 +24208,10 @@ $as_echo "no" >&6; } DLZ_DRIVER_INCLUDES="$DLZ_DRIVER_INCLUDES -I$use_dlz_ldap/include" DLZ_DRIVER_LDAP_INCLUDES="-I$use_dlz_ldap/include" fi @@ -1101,7 +1102,7 @@ index c83773a..ac1ea3f 100755 fi -@@ -24170,11 +24206,11 @@ fi +@@ -24261,11 +24297,11 @@ fi odbcdirs="/usr /usr/local /usr/pkg" for d in $odbcdirs do @@ -1115,7 +1116,7 @@ index c83773a..ac1ea3f 100755 break fi done -@@ -24449,6 +24485,8 @@ DNS_CRYPTO_LIBS="$NEWFLAGS" +@@ -24540,6 +24576,8 @@ DNS_CRYPTO_LIBS="$NEWFLAGS" @@ -1124,7 +1125,7 @@ index c83773a..ac1ea3f 100755 # # Commands to run at the end of config.status. # Don't just put these into configure, it won't work right if somebody -@@ -26839,6 +26877,8 @@ report() { +@@ -26930,6 +26968,8 @@ report() { echo " IPv6 support (--enable-ipv6)" test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \ echo " OpenSSL cryptography/DNSSEC (--with-openssl)" 
@@ -1133,7 +1134,7 @@ index c83773a..ac1ea3f 100755 test "X$PYTHON" = "X" || echo " Python tools (--with-python)" test "X$XMLSTATS" = "X" || echo " XML statistics (--with-libxml2)" test "X$JSONSTATS" = "X" || echo " JSON statistics (--with-libjson)" -@@ -26879,6 +26919,8 @@ report() { +@@ -26970,6 +27010,8 @@ report() { echo " Very verbose query trace logging (--enable-querytrace)" test "no" = "$atf" || echo " Automated Testing Framework (--with-atf)" @@ -1142,7 +1143,7 @@ index c83773a..ac1ea3f 100755 echo " Dynamically loadable zone (DLZ) drivers:" test "no" = "$use_dlz_bdb" || \ echo " Berkeley DB (--with-dlz-bdb)" -@@ -26926,6 +26968,8 @@ report() { +@@ -27017,6 +27059,8 @@ report() { echo " ECDSA algorithm support (--with-ecdsa)" test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \ echo " EDDSA algorithm support (--with-eddsa)" @@ -1152,10 +1153,10 @@ index c83773a..ac1ea3f 100755 test "yes" = "$enable_seccomp" || \ echo " Use libseccomp system call filtering (--enable-seccomp)" diff --git a/configure.in b/configure.in -index 9a1d16d..849fa94 100644 +index b07895f..898b4ac 100644 --- a/configure.in +++ b/configure.in -@@ -1597,6 +1597,7 @@ case "$use_openssl" in +@@ -1542,6 +1542,7 @@ case "$use_openssl" in AC_MSG_RESULT(disabled because of native PKCS11) DST_OPENSSL_INC="" CRYPTO="-DPKCS11CRYPTO" @@ -1163,7 +1164,7 @@ index 9a1d16d..849fa94 100644 OPENSSLECDSALINKOBJS="" OPENSSLECDSALINKSRCS="" OPENSSLEDDSALINKOBJS="" -@@ -1610,6 +1611,7 @@ case "$use_openssl" in +@@ -1555,6 +1556,7 @@ case "$use_openssl" in AC_MSG_RESULT(no) DST_OPENSSL_INC="" CRYPTO="" @@ -1171,7 +1172,7 @@ index 9a1d16d..849fa94 100644 OPENSSLECDSALINKOBJS="" OPENSSLECDSALINKSRCS="" OPENSSLEDDSALINKOBJS="" -@@ -1622,6 +1624,7 @@ case "$use_openssl" in +@@ -1567,6 +1569,7 @@ case "$use_openssl" in auto) DST_OPENSSL_INC="" CRYPTO="" 
@@ -1179,7 +1180,7 @@ index 9a1d16d..849fa94 100644 OPENSSLECDSALINKOBJS="" OPENSSLECDSALINKSRCS="" OPENSSLEDDSALINKOBJS="" -@@ -1632,7 +1635,7 @@ case "$use_openssl" in +@@ -1577,7 +1580,7 @@ case "$use_openssl" in OPENSSLLINKSRCS="" AC_MSG_ERROR( [OpenSSL was not found in any of $openssldirs; use --with-openssl=/path @@ -1188,7 +1189,7 @@ index 9a1d16d..849fa94 100644 ;; *) if test "yes" = "$want_native_pkcs11" -@@ -1662,6 +1665,7 @@ If you don't want OpenSSL, use --without-openssl]) +@@ -1607,6 +1610,7 @@ If you don't want OpenSSL, use --without-openssl]) AC_MSG_ERROR(["$use_openssl/include/openssl/opensslv.h" not found]) fi CRYPTO='-DOPENSSL' @@ -1196,7 +1197,7 @@ index 9a1d16d..849fa94 100644 if test "/usr" = "$use_openssl" then DST_OPENSSL_INC="" -@@ -2135,7 +2139,6 @@ fi +@@ -2080,7 +2084,6 @@ fi # Use OpenSSL for hash functions # @@ -1204,7 +1205,7 @@ index 9a1d16d..849fa94 100644 ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH" case $want_openssl_hash in yes) -@@ -2402,6 +2405,67 @@ if test "rt" = "$have_clock_gt"; then +@@ -2347,6 +2350,67 @@ if test "rt" = "$have_clock_gt"; then LIBS="-lrt $LIBS" fi @@ -1272,7 +1273,7 @@ index 9a1d16d..849fa94 100644 # # was --with-lmdb specified? # -@@ -4235,12 +4299,12 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM" +@@ -4139,12 +4203,12 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM" ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM" ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM" if test "yes" = "$use_atomic"; then @@ -1286,7 +1287,7 @@ index 9a1d16d..849fa94 100644 if test $ac_cv_sizeof_void_p = 8; then arch=x86_64 have_xaddq=yes -@@ -4249,7 +4313,6 @@ if test "yes" = "$use_atomic"; then +@@ -4153,7 +4217,6 @@ if test "yes" = "$use_atomic"; then fi ;; x86_64-*|amd64-*) 
@@ -1294,7 +1295,7 @@ index 9a1d16d..849fa94 100644 if test $ac_cv_sizeof_void_p = 8; then arch=x86_64 have_xaddq=yes -@@ -5613,6 +5676,8 @@ report() { +@@ -5517,6 +5580,8 @@ report() { echo " IPv6 support (--enable-ipv6)" test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \ echo " OpenSSL cryptography/DNSSEC (--with-openssl)" @@ -1303,7 +1304,7 @@ index 9a1d16d..849fa94 100644 test "X$PYTHON" = "X" || echo " Python tools (--with-python)" test "X$XMLSTATS" = "X" || echo " XML statistics (--with-libxml2)" test "X$JSONSTATS" = "X" || echo " JSON statistics (--with-libjson)" -@@ -5653,6 +5718,8 @@ report() { +@@ -5557,6 +5622,8 @@ report() { echo " Very verbose query trace logging (--enable-querytrace)" test "no" = "$atf" || echo " Automated Testing Framework (--with-atf)" @@ -1312,7 +1313,7 @@ index 9a1d16d..849fa94 100644 echo " Dynamically loadable zone (DLZ) drivers:" test "no" = "$use_dlz_bdb" || \ echo " Berkeley DB (--with-dlz-bdb)" -@@ -5700,6 +5767,8 @@ report() { +@@ -5604,6 +5671,8 @@ report() { echo " ECDSA algorithm support (--with-ecdsa)" test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \ echo " EDDSA algorithm support (--with-eddsa)" @@ -1322,10 +1323,10 @@ index 9a1d16d..849fa94 100644 test "yes" = "$enable_seccomp" || \ echo " Use libseccomp system call filtering (--enable-seccomp)" diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c -index dbece0a..803e7b3 100644 +index 5703f9c..afb4d80 100644 --- a/lib/dns/dst_api.c +++ b/lib/dns/dst_api.c -@@ -274,6 +274,12 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx, +@@ -276,6 +276,12 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx, #ifdef GSSAPI RETERR(dst__gssapi_init(&dst_t_func[DST_ALG_GSSAPI])); #endif 
@@ -1335,17 +1336,17 @@ index dbece0a..803e7b3 100644 + isc_entropy_sethook(dst_random_getdata); +#endif +#endif /* defined(OPENSSL) || defined(PKCS11CRYPTO) */ - dst_initialized = ISC_TRUE; + dst_initialized = true; return (ISC_R_SUCCESS); -@@ -293,11 +299,19 @@ dst_lib_destroy(void) { +@@ -295,11 +301,19 @@ dst_lib_destroy(void) { for (i = 0; i < DST_MAX_ALGS; i++) if (dst_t_func[i] != NULL && dst_t_func[i]->cleanup != NULL) dst_t_func[i]->cleanup(); +#if defined(OPENSSL) || defined(PKCS11CRYPTO) +#ifdef ISC_PLATFORM_CRYPTORANDOM + if (dst_entropy_pool != NULL) { -+ isc_entropy_usehook(dst_entropy_pool, ISC_FALSE); ++ isc_entropy_usehook(dst_entropy_pool, false); + isc_entropy_sethook(NULL); + } +#endif @@ -1358,7 +1359,7 @@ index dbece0a..803e7b3 100644 if (dst__memory_pool != NULL) isc_mem_detach(&dst__memory_pool); if (dst_entropy_pool != NULL) -@@ -2000,13 +2014,17 @@ dst__entropy_getdata(void *buf, unsigned int len, isc_boolean_t pseudo) { +@@ -1998,13 +2012,17 @@ dst__entropy_getdata(void *buf, unsigned int len, bool pseudo) { flags &= ~ISC_ENTROPY_GOODONLY; else flags |= ISC_ENTROPY_BLOCKING; @@ -1377,7 +1378,7 @@ index dbece0a..803e7b3 100644 #ifdef GSSAPI unsigned int flags = dst_entropy_flags; isc_result_t ret; -@@ -2029,6 +2047,7 @@ dst__entropy_status(void) { +@@ -2027,6 +2045,7 @@ dst__entropy_status(void) { #endif return (isc_entropy_status(dst_entropy_pool)); #else @@ -1386,10 +1387,10 @@ index dbece0a..803e7b3 100644 #endif } diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h -index fcc7b47..d9b6ab6 100644 +index 32b0742..78e1277 100644 --- a/lib/dns/include/dst/dst.h +++ b/lib/dns/include/dst/dst.h -@@ -157,6 +157,14 @@ dst_lib_destroy(void); +@@ -160,6 +160,14 @@ dst_lib_destroy(void); * Releases all resources allocated by DST. */ @@ -1401,38 +1402,30 @@ index fcc7b47..d9b6ab6 100644 + * Specialization of isc_entropy_getdata(). + */ + - isc_boolean_t + bool dst_algorithm_supported(unsigned int alg); /*%< 
diff --git a/lib/dns/lib.c b/lib/dns/lib.c -index 53237d5..c6d83e9 100644 +index 304814b..60543c4 100644 --- a/lib/dns/lib.c +++ b/lib/dns/lib.c -@@ -9,14 +9,13 @@ - * information regarding copyright ownership. - */ - --/* $Id: lib.c,v 1.19 2009/09/03 00:12:23 each Exp $ */ -- - /*! \file */ - - #include - +@@ -18,6 +18,7 @@ + #include #include +#include #include #include #include -@@ -77,6 +76,7 @@ static unsigned int references = 0; +@@ -78,6 +79,7 @@ static unsigned int references = 0; static void initialize(void) { isc_result_t result; + isc_entropy_t *ectx = NULL; - REQUIRE(initialize_done == ISC_FALSE); + REQUIRE(initialize_done == false); -@@ -87,11 +87,14 @@ initialize(void) { +@@ -88,11 +90,14 @@ initialize(void) { result = dns_ecdb_register(dns_g_mctx, &dbimp); if (result != ISC_R_SUCCESS) goto cleanup_mctx; @@ -1449,14 +1442,14 @@ index 53237d5..c6d83e9 100644 if (result != ISC_R_SUCCESS) goto cleanup_hash; -@@ -99,11 +102,17 @@ initialize(void) { +@@ -100,11 +105,17 @@ initialize(void) { if (result != ISC_R_SUCCESS) goto cleanup_dst; + isc_hash_init(); + isc_entropy_detach(&ectx); + - initialize_done = ISC_TRUE; + initialize_done = true; return; cleanup_dst: @@ -1468,7 +1461,7 @@ index 53237d5..c6d83e9 100644 isc_hash_destroy(); cleanup_db: diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c -index ec6dc7f..c1e1bde 100644 +index a30a2ab..d88d643 100644 --- a/lib/dns/openssl_link.c +++ b/lib/dns/openssl_link.c @@ -31,6 +31,7 @@ @@ -1764,68 +1757,61 @@ index 58fa872..625e809 100644 sh ${top_builddir}/unit/unittest.sh diff --git a/lib/dns/tests/dnstest.c b/lib/dns/tests/dnstest.c -index fb9ef53..344a7c2 100644 +index 51bb90b..1b25b90 100644 --- a/lib/dns/tests/dnstest.c 
+++ b/lib/dns/tests/dnstest.c -@@ -120,12 +120,12 @@ dns_test_begin(FILE *logfile, isc_boolean_t start_managers) { +@@ -122,12 +122,12 @@ dns_test_begin(FILE *logfile, bool start_managers) { CHECK(isc_mem_create(0, 0, &mctx)); CHECK(isc_entropy_create(mctx, &ectx)); - CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)); -- hash_active = ISC_TRUE; +- hash_active = true; - CHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_BLOCKING)); - dst_active = ISC_TRUE; + dst_active = true; + CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)); -+ hash_active = ISC_TRUE; ++ hash_active = true; + if (logfile != NULL) { isc_logdestination_t destination; isc_logconfig_t *logconfig = NULL; -@@ -169,14 +169,14 @@ dns_test_begin(FILE *logfile, isc_boolean_t start_managers) { +@@ -171,14 +171,14 @@ dns_test_begin(FILE *logfile, bool start_managers) { void dns_test_end(void) { - if (dst_active) { - dst_lib_destroy(); -- dst_active = ISC_FALSE; +- dst_active = false; - } if (hash_active) { isc_hash_destroy(); - hash_active = ISC_FALSE; + hash_active = false; } + if (dst_active) { + dst_lib_destroy(); -+ dst_active = ISC_FALSE; ++ dst_active = false; + } if (ectx != NULL) isc_entropy_detach(&ectx); diff --git a/lib/dns/tests/dstrandom_test.c b/lib/dns/tests/dstrandom_test.c new file mode 100644 -index 0000000..d2c72e7 +index 0000000..b980d8a --- /dev/null 
+++ b/lib/dns/tests/dstrandom_test.c -@@ -0,0 +1,105 @@ +@@ -0,0 +1,99 @@ +/* -+ * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") ++ * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * -+ * Permission to use, copy, modify, and/or distribute this software for any -+ * purpose with or without fee is hereby granted, provided that the above -+ * copyright notice and this permission notice appear in all copies. ++ * This Source Code Form is subject to the terms of the Mozilla Public ++ * License, v. 2.0. If a copy of the MPL was not distributed with this ++ * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * -+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -+ * PERFORMANCE OF THIS SOFTWARE. ++ * See the COPYRIGHT file distributed with this work for additional ++ * information regarding copyright ownership. + */ + -+/* $Id$ */ -+ +/*! \file */ + +#include @@ -1834,6 +1820,7 @@ index 0000000..d2c72e7 + +#include +#include ++#include + +#include +#include @@ -1868,7 +1855,7 @@ index 0000000..d2c72e7 + ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); + +#ifdef ISC_PLATFORM_CRYPTORANDOM -+ isc_entropy_usehook(ectx, ISC_TRUE); ++ isc_entropy_usehook(ectx, true); + + returned = 0; + result = isc_entropy_getdata(ectx, buffer, sizeof(buffer), @@ -1879,7 +1866,7 @@ index 0000000..d2c72e7 + status = isc_entropy_status(ectx); + ATF_REQUIRE_EQ(status, 0); + -+ isc_entropy_usehook(ectx, ISC_FALSE); ++ isc_entropy_usehook(ectx, false); +#endif + + ret = chdir(TESTS); @@ -1914,10 +1901,10 @@ index 0000000..d2c72e7 +} + 
diff --git a/lib/dns/win32/libdns.def.in b/lib/dns/win32/libdns.def.in -index d48eeb2..213e9d9 100644 +index 62a156c..bf83fe5 100644 --- a/lib/dns/win32/libdns.def.in +++ b/lib/dns/win32/libdns.def.in -@@ -1480,6 +1480,13 @@ dst_lib_destroy +@@ -1483,6 +1483,13 @@ dst_lib_destroy dst_lib_init dst_lib_init2 dst_lib_initmsgcat @@ -1932,14 +1919,14 @@ index d48eeb2..213e9d9 100644 dst_region_computerid dst_result_register diff --git a/lib/isc/entropy.c b/lib/isc/entropy.c -index 232094a..a85650b 100644 +index ab2f617..ed05ed6 100644 --- a/lib/isc/entropy.c +++ b/lib/isc/entropy.c -@@ -103,11 +103,15 @@ struct isc_entropy { - isc_uint32_t initialized; - isc_uint32_t initcount; +@@ -104,11 +104,15 @@ struct isc_entropy { + uint32_t initialized; + uint32_t initcount; isc_entropypool_t pool; -+ isc_boolean_t usehook; ++ bool usehook; unsigned int nsources; isc_entropysource_t *nextsource; ISC_LIST(isc_entropysource_t) sources; @@ -1950,8 +1937,8 @@ index 232094a..a85650b 100644 + /*% Sample Queue */ typedef struct { - isc_uint32_t last_time; /*%< last time recorded */ -@@ -556,6 +560,11 @@ isc_entropy_getdata(isc_entropy_t *ent, void *data, unsigned int length, + uint32_t last_time; /*%< last time recorded */ +@@ -557,6 +561,11 @@ isc_entropy_getdata(isc_entropy_t *ent, void *data, unsigned int length, LOCK(&ent->lock); @@ -1963,11 +1950,11 @@ index 232094a..a85650b 100644 remain = length; buf = data; total = 0; -@@ -707,6 +716,7 @@ isc_entropy_create(isc_mem_t *mctx, isc_entropy_t **entp) { +@@ -708,6 +717,7 @@ isc_entropy_create(isc_mem_t *mctx, isc_entropy_t **entp) { ent->refcnt = 1; ent->initialized = 0; ent->initcount = 0; -+ ent->usehook = ISC_FALSE; ++ ent->usehook = false; ent->magic = ENTROPY_MAGIC; isc_entropypool_init(&ent->pool); 
@@ -1977,7 +1964,7 @@ index 232094a..a85650b 100644 } + +void -+isc_entropy_usehook(isc_entropy_t *ectx, isc_boolean_t onoff) { ++isc_entropy_usehook(isc_entropy_t *ectx, bool onoff) { + REQUIRE(VALID_ENTROPY(ectx)); + + LOCK(&ectx->lock); @@ -1990,15 +1977,15 @@ index 232094a..a85650b 100644 + hook = myhook; +} diff --git a/lib/isc/include/isc/entropy.h b/lib/isc/include/isc/entropy.h -index d52c43e..d9deb8a 100644 +index 4bba8e1..632166a 100644 --- a/lib/isc/include/isc/entropy.h +++ b/lib/isc/include/isc/entropy.h -@@ -303,6 +303,18 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source, +@@ -304,6 +304,18 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source, * isc_entropy_createcallbacksource(). */ +void -+isc_entropy_usehook(isc_entropy_t *ectx, isc_boolean_t onoff); ++isc_entropy_usehook(isc_entropy_t *ectx, bool onoff); +/*!< + * \brief Mark/unmark the given entropy structure as being hooked. + */ @@ -2013,10 +2000,10 @@ index d52c43e..d9deb8a 100644 #endif /* ISC_ENTROPY_H */ diff --git a/lib/isc/include/isc/platform.h.in b/lib/isc/include/isc/platform.h.in -index d7a5bec..0166b79 100644 +index 9c7c342..ee8dc3e 100644 --- a/lib/isc/include/isc/platform.h.in +++ b/lib/isc/include/isc/platform.h.in -@@ -344,6 +344,11 @@ +@@ -341,6 +341,11 @@ */ @ISC_PLATFORM_HAVESTRINGSH@ @@ -2029,7 +2016,7 @@ index d7a5bec..0166b79 100644 * Define if the hash functions must be provided by OpenSSL. */ diff --git a/lib/isc/include/isc/types.h b/lib/isc/include/isc/types.h -index f161faf..dec577e 100644 +index 42ff7e0..8d87c44 100644 --- a/lib/isc/include/isc/types.h +++ b/lib/isc/include/isc/types.h @@ -93,6 +93,8 @@ typedef struct isc_time isc_time_t; /*%< Time */ @@ -2042,10 +2029,10 @@ index f161faf..dec577e 100644 typedef int (*isc_sockfdwatch_t)(isc_task_t *, isc_socket_t *, void *, int); diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c -index 48e1031..74566c9 100644 +index a01e698..875c232 100644 --- a/lib/isc/pk11.c 
+++ b/lib/isc/pk11.c -@@ -327,14 +327,16 @@ pk11_rand_seed_fromfile(const char *randomfile) { +@@ -321,14 +321,16 @@ pk11_rand_seed_fromfile(const char *randomfile) { ret = isc_stdio_open(randomfile, "r", &stream); if (ret != ISC_R_SUCCESS) goto cleanup; @@ -2068,10 +2055,10 @@ index 48e1031..74566c9 100644 cleanup: if (stream != NULL) diff --git a/lib/isc/win32/include/isc/platform.h.in b/lib/isc/win32/include/isc/platform.h.in -index de6a434..2c32782 100644 +index 5b8a2c9..913a2ce 100644 --- a/lib/isc/win32/include/isc/platform.h.in +++ b/lib/isc/win32/include/isc/platform.h.in -@@ -74,6 +74,11 @@ +@@ -69,6 +69,11 @@ #define ISC_PLATFORM_NORETURN_PRE __declspec(noreturn) #define ISC_PLATFORM_NORETURN_POST @@ -2084,7 +2071,7 @@ index de6a434..2c32782 100644 * Define if the hash functions must be provided by OpenSSL. */ diff --git a/win32utils/Configure b/win32utils/Configure -index e9f4680..79bb178 100644 +index ff596b7..09b476f 100644 --- a/win32utils/Configure +++ b/win32utils/Configure @@ -381,6 +381,7 @@ my @substdefh = ("AES_CC", @@ -2146,7 +2133,7 @@ index e9f4680..79bb178 100644 if ($enable_openssl_hash eq "yes") { print "openssl-hash: enabled\n"; } else { -@@ -1449,6 +1463,7 @@ if ($enable_intrinsics eq "yes") { +@@ -1454,6 +1468,7 @@ if ($enable_intrinsics eq "yes") { # enable-native-pkcs11 if ($enable_native_pkcs11 eq "yes") { @@ -2154,7 +2141,7 @@ index e9f4680..79bb178 100644 if ($use_openssl eq "auto") { $use_openssl = "no"; } -@@ -1658,6 +1673,7 @@ if ($use_openssl eq "yes") { +@@ -1663,6 +1678,7 @@ if ($use_openssl eq "yes") { $openssl_dll = File::Spec->catdir($openssl_path, "@dirlist[0]"); } @@ -2162,7 +2149,7 @@ index e9f4680..79bb178 100644 $configcond{"OPENSSL"} = 1; $configdefd{"CRYPTO"} = "OPENSSL"; $configvar{"OPENSSL_PATH"} = "$openssl_path"; -@@ -2209,6 +2225,15 @@ if ($cookie_algorithm eq "sha1") { +@@ -2214,6 +2230,15 @@ if ($cookie_algorithm eq "sha1") { die "Unrecognized cookie algorithm: $cookie_algorithm\n"; } 
@@ -2178,7 +2165,7 @@ index e9f4680..79bb178 100644 # enable-openssl-hash if ($enable_openssl_hash eq "yes") { if ($use_openssl eq "no") { -@@ -3531,6 +3556,7 @@ exit 0; +@@ -3536,6 +3561,7 @@ exit 0; # --enable-developer partially supported # --enable-newstats (9.9/9.9sub only) # --enable-native-pkcs11 supported @@ -2186,7 +2173,7 @@ index e9f4680..79bb178 100644 # --enable-openssl-version-check included without a way to disable it # --enable-openssl-hash supported # --enable-threads included without a way to disable it -@@ -3556,6 +3582,7 @@ exit 0; +@@ -3561,6 +3587,7 @@ exit 0; # --with-gost supported # --with-aes supported # --with-cc-alg supported diff --git a/bind-9.11-rt46047.patch b/bind-9.11-rt46047.patch index 915b0ab..5030c06 100644 --- a/bind-9.11-rt46047.patch +++ b/bind-9.11-rt46047.patch @@ -1,4 +1,4 @@ -From 1ab1aabcf9b2b8de144bab7a3ff5d9f7e6ec9ad4 Mon Sep 17 00:00:00 2001 +From 9a074d5cd6c6276d95bc1cce3a14afaabc88c6c5 Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Thu, 28 Sep 2017 10:09:22 -0700 Subject: [PATCH] completed and corrected the crypto-random change @@ -39,17 +39,17 @@ Subject: [PATCH] completed and corrected the crypto-random change bin/tests/system/tkey/keycreate.c | 4 +-- bin/tests/system/tkey/keydelete.c | 4 +-- doc/arm/Bv9ARM-book.xml | 55 ++++++++++++++++++++++---------- - doc/arm/notes.xml | 23 ++++++++++++- - lib/dns/dst_api.c | 7 ++-- + doc/arm/notes.xml | 26 +++++++++++++++ + lib/dns/dst_api.c | 4 ++- lib/dns/include/dst/dst.h | 14 ++++++-- lib/dns/openssl_link.c | 3 +- lib/isc/include/isc/entropy.h | 50 +++++++++++++++++++++-------- lib/isc/include/isc/random.h | 28 ++++++++++------ lib/isccfg/namedconf.c | 2 +- - 22 files changed, 219 insertions(+), 110 deletions(-) + 22 files changed, 221 insertions(+), 108 deletions(-) diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c -index fa439cc..a7ad417 100644 +index 295e16f..0f79aa8 100644 --- a/bin/confgen/keygen.c +++ b/bin/confgen/keygen.c 
@@ -161,17 +161,15 @@ generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg, @@ -65,7 +65,7 @@ index fa439cc..a7ad417 100644 - strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { - randomfile = NULL; + if (randomfile == NULL) { - isc_entropy_usehook(ectx, ISC_TRUE); + isc_entropy_usehook(ectx, true); } #endif + if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) { @@ -112,16 +112,16 @@ index 96dfef6..1c84b06 100644 diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c -index 4ea9eaf..5dd9475 100644 +index 31a99e7..38c83ed 100644 --- a/bin/dnssec/dnssectool.c +++ b/bin/dnssec/dnssectool.c -@@ -239,18 +239,16 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { +@@ -241,18 +241,16 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { ISC_LIST_INIT(sources); } +#ifdef ISC_PLATFORM_CRYPTORANDOM + if (randomfile == NULL) { -+ isc_entropy_usehook(*ectx, ISC_TRUE); ++ isc_entropy_usehook(*ectx, true); + } +#endif if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) { @@ -133,17 +133,17 @@ index 4ea9eaf..5dd9475 100644 - if (randomfile != NULL && - strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { - randomfile = NULL; -- isc_entropy_usehook(*ectx, ISC_TRUE); +- isc_entropy_usehook(*ectx, true); - } -#endif result = isc_entropy_usebestsource(*ectx, &source, randomfile, usekeyboard); diff --git a/bin/named/client.c b/bin/named/client.c -index b9ebc93..20e5f39 100644 +index 0f6e162..5e39b82 100644 --- a/bin/named/client.c +++ b/bin/named/client.c -@@ -1605,7 +1605,8 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message, +@@ -1608,7 +1608,8 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message, isc_buffer_init(&buf, cookie, sizeof(cookie)); isc_stdtime_get(&now); @@ -154,10 +154,10 @@ index b9ebc93..20e5f39 100644 compute_cookie(client, now, nonce, ns_g_server->secret, &buf); 
diff --git a/bin/named/config.c b/bin/named/config.c -index c50f759..c1e72ef 100644 +index 2c4c93c..16ed248 100644 --- a/bin/named/config.c +++ b/bin/named/config.c -@@ -92,7 +92,9 @@ options {\n\ +@@ -93,7 +93,9 @@ options {\n\ # pid-file \"" NS_LOCALSTATEDIR "/run/named/named.pid\"; /* or /lwresd.pid */\n\ port 53;\n\ prefetch 2 9;\n" @@ -169,10 +169,10 @@ index c50f759..c1e72ef 100644 #endif " recursing-file \"named.recursing\";\n\ diff --git a/bin/named/controlconf.c b/bin/named/controlconf.c -index 237e8dc..b905475 100644 +index d955c2f..40621f2 100644 --- a/bin/named/controlconf.c +++ b/bin/named/controlconf.c -@@ -322,9 +322,10 @@ log_invalid(isccc_ccmsg_t *ccmsg, isc_result_t result) { +@@ -325,9 +325,10 @@ log_invalid(isccc_ccmsg_t *ccmsg, isc_result_t result) { static void control_recvmessage(isc_task_t *task, isc_event_t *event) { @@ -185,8 +185,8 @@ index 237e8dc..b905475 100644 + controlkey_t *key = NULL; isccc_sexpr_t *request = NULL; isccc_sexpr_t *response = NULL; - isc_uint32_t algorithm; -@@ -335,16 +336,17 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) { + uint32_t algorithm; +@@ -338,16 +339,17 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) { isc_buffer_t *text; isc_result_t result; isc_result_t eresult; @@ -194,7 +194,7 @@ index 237e8dc..b905475 100644 + isccc_sexpr_t *_ctrl = NULL; isccc_time_t sent; isccc_time_t exp; - isc_uint32_t nonce; + uint32_t nonce; - isccc_sexpr_t *data; + isccc_sexpr_t *data = NULL; 
@@ -206,25 +206,25 @@ index 237e8dc..b905475 100644 algorithm = DST_ALG_UNKNOWN; secret.rstart = NULL; text = NULL; -@@ -455,8 +457,11 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) { +@@ -458,8 +460,11 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) { * Establish nonce. */ if (conn->nonce == 0) { - while (conn->nonce == 0) - isc_random_get(&conn->nonce); + while (conn->nonce == 0) { -+ isc_uint16_t r1 = isc_rng_random(server->rngctx); -+ isc_uint16_t r2 = isc_rng_random(server->rngctx); ++ uint16_t r1 = isc_rng_random(server->rngctx); ++ uint16_t r2 = isc_rng_random(server->rngctx); + conn->nonce = (r1 << 16) | r2; + } eresult = ISC_R_SUCCESS; } else eresult = ns_control_docommand(request, listener->readonly, &text); diff --git a/bin/named/include/named/server.h b/bin/named/include/named/server.h -index d8179a6..e03d24d 100644 +index f5ed2b7..b2c1d05 100644 --- a/bin/named/include/named/server.h +++ b/bin/named/include/named/server.h -@@ -17,6 +17,7 @@ +@@ -20,6 +20,7 @@ #include #include #include @@ -232,19 +232,19 @@ index d8179a6..e03d24d 100644 #include #include #include -@@ -131,6 +132,7 @@ struct ns_server { +@@ -134,6 +135,7 @@ struct ns_server { char * lockfile; - isc_uint16_t transfer_tcp_message_size; + uint16_t transfer_tcp_message_size; + isc_rng_t * rngctx; }; struct ns_altsecret { diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c -index d8c7188..50f924e 100644 +index 419927b..d721f47 100644 --- a/bin/named/interfacemgr.c +++ b/bin/named/interfacemgr.c -@@ -15,6 +15,7 @@ +@@ -17,6 +17,7 @@ #include #include @@ -253,10 +253,10 @@ index d8c7188..50f924e 100644 #include #include diff --git a/bin/named/query.c b/bin/named/query.c -index accbf3b..d89622d 100644 +index f8dbef2..2f3c0ca 100644 --- a/bin/named/query.c +++ b/bin/named/query.c -@@ -18,6 +18,7 @@ +@@ -19,6 +19,7 @@ #include #include #include @@ -265,10 +265,10 @@ index accbf3b..d89622d 100644 #include #include 
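Review bot: In the nonce loop of `control_recvmessage`, `(r1 << 16)` shifts a `uint16_t` that has already been promoted to `int`. Any `r1` with its top bit set is then shifted into the sign bit, which is undefined behaviour in C. Widen before shifting: `conn->nonce = ((uint32_t)r1 << 16) | r2;`. The nonce appears to be the per-connection value for the control channel, so its construction should not depend on how a compiler treats signed overflow. The function body continues outside the hunk and the seeding of `server->rngctx` is not visible here, so confirm it is initialised before the first control connection is accepted.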
diff --git a/bin/named/server.c b/bin/named/server.c -index ca789e5..1413e85 100644 +index 9258e7f..f4320df 100644 --- a/bin/named/server.c +++ b/bin/named/server.c -@@ -8076,21 +8076,30 @@ load_configuration(const char *filename, ns_server_t *server, +@@ -8164,21 +8164,30 @@ load_configuration(const char *filename, ns_server_t *server, * Open the source of entropy. */ if (first_time) { @@ -291,8 +291,8 @@ index ca789e5..1413e85 100644 + if (randomdev == NULL) { #ifdef ISC_PLATFORM_CRYPTORANDOM - if (strcmp(randomdev, ISC_PLATFORM_CRYPTORANDOM) == 0) -- isc_entropy_usehook(ns_g_entropy, ISC_TRUE); -+ isc_entropy_usehook(ns_g_entropy, ISC_TRUE); +- isc_entropy_usehook(ns_g_entropy, true); ++ isc_entropy_usehook(ns_g_entropy, true); #else - int level = ISC_LOG_ERROR; - result = isc_entropy_createfilesource(ns_g_entropy, @@ -310,7 +310,7 @@ index ca789e5..1413e85 100644 #ifdef PATH_RANDOMDEV if (ns_g_fallbackentropy != NULL) { level = ISC_LOG_INFO; -@@ -8101,8 +8110,8 @@ load_configuration(const char *filename, ns_server_t *server, +@@ -8189,8 +8198,8 @@ load_configuration(const char *filename, ns_server_t *server, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, level, @@ -321,7 +321,7 @@ index ca789e5..1413e85 100644 randomdev, isc_result_totext(result)); } -@@ -8122,7 +8131,6 @@ load_configuration(const char *filename, ns_server_t *server, +@@ -8210,7 +8219,6 @@ load_configuration(const char *filename, ns_server_t *server, } isc_entropy_detach(&ns_g_fallbackentropy); } @@ -329,7 +329,7 @@ index ca789e5..1413e85 100644 #endif } } -@@ -8911,6 +8919,9 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) { +@@ -8998,6 +9006,9 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) { CHECKFATAL(dns_tkeyctx_create(ns_g_mctx, ns_g_entropy, &server->tkeyctx), "creating TKEY context"); 
@@ -339,7 +339,7 @@ index ca789e5..1413e85 100644 /* * Setup the server task, which is responsible for coordinating -@@ -9117,7 +9128,8 @@ ns_server_destroy(ns_server_t **serverp) { +@@ -9204,7 +9215,8 @@ ns_server_destroy(ns_server_t **serverp) { if (server->zonemgr != NULL) dns_zonemgr_detach(&server->zonemgr); @@ -349,7 +349,7 @@ index ca789e5..1413e85 100644 if (server->tkeyctx != NULL) dns_tkeyctx_destroy(&server->tkeyctx); -@@ -13018,10 +13030,10 @@ newzone_cfgctx_destroy(void **cfgp) { +@@ -13105,10 +13117,10 @@ newzone_cfgctx_destroy(void **cfgp) { static isc_result_t generate_salt(unsigned char *salt, size_t saltlen) { @@ -357,19 +357,19 @@ index ca789e5..1413e85 100644 + size_t i, n; union { unsigned char rnd[256]; -- isc_uint32_t rnd32[64]; -+ isc_uint16_t rnd16[128]; +- uint32_t rnd32[64]; ++ uint16_t rnd16[128]; } rnd; unsigned char text[512 + 1]; isc_region_t r; -@@ -13031,9 +13043,10 @@ generate_salt(unsigned char *salt, size_t saltlen) { +@@ -13118,9 +13130,10 @@ generate_salt(unsigned char *salt, size_t saltlen) { if (saltlen > 256U) return (ISC_R_RANGE); -- n = (int) (saltlen + sizeof(isc_uint32_t) - 1) / sizeof(isc_uint32_t); +- n = (int) (saltlen + sizeof(uint32_t) - 1) / sizeof(uint32_t); - for (i = 0; i < n; i++) - isc_random_get(&rnd.rnd32[i]); -+ n = (saltlen + sizeof(isc_uint16_t) - 1) / sizeof(isc_uint16_t); ++ n = (saltlen + sizeof(uint16_t) - 1) / sizeof(uint16_t); + for (i = 0; i < n; i++) { + rnd.rnd16[i] = isc_rng_random(ns_g_server->rngctx); + } @@ -377,10 +377,10 @@ index ca789e5..1413e85 100644 memmove(salt, rnd.rnd, saltlen); diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c -index 46c7acf..a0d0278 100644 +index 1559a33..68b9a99 100644 --- a/bin/nsupdate/nsupdate.c 
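Review bot: In `generate_salt`, the guard `if (saltlen > 256U)` and the loop bound `n` both rely on the size of the `rnd` union, but nothing in the code states that link now that the words are 16-bit instead of 32-bit. Writing the guard as `if (saltlen > sizeof(rnd.rnd))` keeps the limit tied to the buffer that `memmove(salt, rnd.rnd, saltlen)` reads from. A short comment above the computation of `n`, such as `/* isc_rng_random() is stored 16 bits at a time; round saltlen up to whole words */`, would explain the rounding. The function continues past the end of the hunk.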
+++ b/bin/nsupdate/nsupdate.c -@@ -281,9 +281,7 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { +@@ -283,9 +283,7 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { } #ifdef ISC_PLATFORM_CRYPTORANDOM @@ -388,14 +388,14 @@ index 46c7acf..a0d0278 100644 - strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { - randomfile = NULL; + if (randomfile == NULL) { - isc_entropy_usehook(*ectx, ISC_TRUE); + isc_entropy_usehook(*ectx, true); } #endif diff --git a/bin/tests/system/pipelined/pipequeries.c b/bin/tests/system/pipelined/pipequeries.c -index 810d99e..d7d10e2 100644 +index 7b4f617..507bf0a 100644 --- a/bin/tests/system/pipelined/pipequeries.c +++ b/bin/tests/system/pipelined/pipequeries.c -@@ -279,9 +279,7 @@ main(int argc, char *argv[]) { +@@ -282,9 +282,7 @@ main(int argc, char *argv[]) { ectx = NULL; RUNCHECK(isc_entropy_create(mctx, &ectx)); #ifdef ISC_PLATFORM_CRYPTORANDOM @@ -403,11 +403,11 @@ index 810d99e..d7d10e2 100644 - strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { - randomfile = NULL; + if (randomfile == NULL) { - isc_entropy_usehook(ectx, ISC_TRUE); + isc_entropy_usehook(ectx, true); } #endif diff --git a/bin/tests/system/tkey/keycreate.c b/bin/tests/system/tkey/keycreate.c -index 4f2f5b4..0894db7 100644 +index fe8698e..937fcc3 100644 --- a/bin/tests/system/tkey/keycreate.c +++ b/bin/tests/system/tkey/keycreate.c @@ -255,9 +255,7 @@ main(int argc, char *argv[]) { @@ -418,11 +418,11 @@ index 4f2f5b4..0894db7 100644 - strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { - randomfile = NULL; + if (randomfile == NULL) { - isc_entropy_usehook(ectx, ISC_TRUE); + isc_entropy_usehook(ectx, true); } #endif diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c -index 0975bbe..5b8a470 100644 +index 2146f9b..ac2c311 100644 --- a/bin/tests/system/tkey/keydelete.c +++ b/bin/tests/system/tkey/keydelete.c @@ -182,9 +182,7 @@ main(int argc, char **argv) { 
@@ -433,11 +433,11 @@ index 0975bbe..5b8a470 100644 - strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { - randomfile = NULL; + if (randomfile == NULL) { - isc_entropy_usehook(ectx, ISC_TRUE); + isc_entropy_usehook(ectx, true); } #endif diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml -index a5d9e2e..2a96f71 100644 +index baff8d3..00a50e4 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -5070,22 +5070,45 @@ badresp:1,adberr:0,findfail:0,valfail:0] @@ -503,14 +503,15 @@ index a5d9e2e..2a96f71 100644 diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml -index d3fdb5e..a8ad92d 100644 +index d9537a3..5c2cc13 100644 --- a/doc/arm/notes.xml +++ b/doc/arm/notes.xml -@@ -105,7 +105,28 @@ - - - -- None. +@@ -180,6 +180,32 @@ + option. [GL #105] + + ++ ++ + By default, BIND now uses the random number generation functions + in the cryptographic library (i.e., OpenSSL or a PKCS#11 + provider) as a source of high-quality randomness rather than @@ -533,25 +534,16 @@ index d3fdb5e..a8ad92d 100644 + configure --disable-crypto-rand, in which + case /dev/random will be the default + entropy source. [RT #31459] [RT #46047] - - ++ ++ + + diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c -index 803e7b3..29a4fef 100644 +index afb4d80..4e62a97 100644 --- a/lib/dns/dst_api.c +++ b/lib/dns/dst_api.c -@@ -276,8 +276,9 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx, - #endif - #if defined(OPENSSL) || defined(PKCS11CRYPTO) - #ifdef ISC_PLATFORM_CRYPTORANDOM -- if (dst_entropy_pool != NULL) -+ if (dst_entropy_pool != NULL) { - isc_entropy_sethook(dst_random_getdata); -+ } - #endif - #endif /* defined(OPENSSL) || defined(PKCS11CRYPTO) */ - dst_initialized = ISC_TRUE; -@@ -2015,10 +2016,12 @@ dst__entropy_getdata(void *buf, unsigned int len, isc_boolean_t pseudo) { +@@ -2013,10 +2013,12 @@ dst__entropy_getdata(void *buf, unsigned int len, bool pseudo) { else flags |= ISC_ENTROPY_BLOCKING; #ifdef ISC_PLATFORM_CRYPTORANDOM 
@@ -566,10 +558,10 @@ index 803e7b3..29a4fef 100644 } diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h -index d9b6ab6..e8c1a3c 100644 +index 78e1277..10293d0 100644 --- a/lib/dns/include/dst/dst.h +++ b/lib/dns/include/dst/dst.h -@@ -161,8 +161,18 @@ isc_result_t +@@ -164,8 +164,18 @@ isc_result_t dst_random_getdata(void *data, unsigned int length, unsigned int *returned, unsigned int flags); /*%< @@ -589,9 +581,9 @@ index d9b6ab6..e8c1a3c 100644 + * \li DST_R_OPENSSLFAILURE, DST_R_CRYPTOFAILURE, or other codes on error */ - isc_boolean_t + bool diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c -index c1e1bde..91e87d0 100644 +index d88d643..7a233dd 100644 --- a/lib/dns/openssl_link.c +++ b/lib/dns/openssl_link.c @@ -482,7 +482,8 @@ dst__openssl_getengine(const char *engine) { @@ -605,7 +597,7 @@ index c1e1bde..91e87d0 100644 #ifndef DONT_REQUIRE_DST_LIB_INIT INSIST(dst__memory_pool != NULL); diff --git a/lib/isc/include/isc/entropy.h b/lib/isc/include/isc/entropy.h -index d9deb8a..2d37363 100644 +index 632166a..c7cb17d 100644 --- a/lib/isc/include/isc/entropy.h +++ b/lib/isc/include/isc/entropy.h @@ -9,8 +9,6 @@ @@ -617,7 +609,7 @@ index d9deb8a..2d37363 100644 #ifndef ISC_ENTROPY_H #define ISC_ENTROPY_H 1 -@@ -190,9 +188,8 @@ isc_entropy_createcallbacksource(isc_entropy_t *ent, +@@ -191,9 +189,8 @@ isc_entropy_createcallbacksource(isc_entropy_t *ent, /*!< * \brief Create an entropy source that is polled via a callback. * @@ -629,7 +621,7 @@ index d9deb8a..2d37363 100644 * * Samples are added via isc_entropy_addcallbacksample(), below. * _addcallbacksample() is the only function which may be called from -@@ -233,15 +230,32 @@ isc_result_t +@@ -234,15 +231,32 @@ isc_result_t isc_entropy_getdata(isc_entropy_t *ent, void *data, unsigned int length, unsigned int *returned, unsigned int flags); /*!< 
@@ -669,9 +661,9 @@ index d9deb8a..2d37363 100644 */ void -@@ -306,13 +320,21 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source, +@@ -307,13 +321,21 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source, void - isc_entropy_usehook(isc_entropy_t *ectx, isc_boolean_t onoff); + isc_entropy_usehook(isc_entropy_t *ectx, bool onoff); /*!< - * \brief Mark/unmark the given entropy structure as being hooked. + * \brief Configure entropy context 'ectx' to use the hook function @@ -694,7 +686,7 @@ index d9deb8a..2d37363 100644 ISC_LANG_ENDDECLS diff --git a/lib/isc/include/isc/random.h b/lib/isc/include/isc/random.h -index ba53ebf..b575728 100644 +index f8aed34..17c551b 100644 --- a/lib/isc/include/isc/random.h +++ b/lib/isc/include/isc/random.h @@ -9,8 +9,6 @@ @@ -737,8 +729,8 @@ index ba53ebf..b575728 100644 ISC_LANG_BEGINDECLS @@ -115,8 +123,8 @@ isc_rng_random(isc_rng_t *rngctx); - isc_uint16_t - isc_rng_uniformrandom(isc_rng_t *rngctx, isc_uint16_t upper_bound); + uint16_t + isc_rng_uniformrandom(isc_rng_t *rngctx, uint16_t upper_bound); /*%< - * Returns a uniformly distributed pseudo random 16-bit unsigned - * integer. @@ -748,10 +740,10 @@ index ba53ebf..b575728 100644 ISC_LANG_ENDDECLS diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c -index 8d496ff..dd08187 100644 +index cd797a6..589da07 100644 --- a/lib/isccfg/namedconf.c +++ b/lib/isccfg/namedconf.c -@@ -1106,7 +1106,7 @@ options_clauses[] = { +@@ -1109,7 +1109,7 @@ options_clauses[] = { { "pid-file", &cfg_type_qstringornone, 0 }, { "port", &cfg_type_uint32, 0 }, { "querylog", &cfg_type_boolean, 0 }, diff --git a/bind-95-rh452060.patch b/bind-95-rh452060.patch index dac3a8d..c57ccab 100644 --- a/bind-95-rh452060.patch +++ b/bind-95-rh452060.patch @@ -1,34 +1,34 @@ diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c -index f657c30..ff9a2d2 100644 +index aa5315d..1fa711a 100644 --- a/bin/dig/dighost.c 
+++ b/bin/dig/dighost.c -@@ -1694,6 +1694,13 @@ clear_query(dig_query_t *query) { +@@ -1814,6 +1814,13 @@ clear_query(dig_query_t *query) { if (query->timer != NULL) isc_timer_detach(&query->timer); + + if (query->waiting_senddone) { + debug("send_done not yet called"); -+ query->pending_free = ISC_TRUE; ++ query->pending_free = true; + return; + } + lookup = query->lookup; if (lookup->current_query == query) -@@ -1719,10 +1726,7 @@ clear_query(dig_query_t *query) { +@@ -1839,10 +1846,7 @@ clear_query(dig_query_t *query) { isc_mempool_put(commctx, query->recvspace); isc_buffer_invalidate(&query->recvbuf); isc_buffer_invalidate(&query->lengthbuf); - if (query->waiting_senddone) -- query->pending_free = ISC_TRUE; +- query->pending_free = true; - else - isc_mem_free(mctx, query); + isc_mem_free(mctx, query); } /*% -@@ -2811,9 +2815,9 @@ send_done(isc_task_t *_task, isc_event_t *event) { +@@ -2892,9 +2896,9 @@ send_done(isc_task_t *_task, isc_event_t *event) { isc_event_free(&event); if (query->pending_free) diff --git a/bind.spec b/bind.spec index 2b22c57..b557e44 100644 --- a/bind.spec +++ b/bind.spec @@ -2,7 +2,7 @@ # Red Hat BIND package .spec file # -%global PATCHVER P2 +#%%global PATCHVER P2 #%%global PREVER rc1 %global BINDVERSION %{version}%{?PREVER}%{?PATCHVER:-%{PATCHVER}} @@ -43,16 +43,16 @@ # # lib*.so.X versions of selected libraries -%global sover_dns 1102 -%global sover_isc 169 -%global sover_irs 160 -%global sover_isccfg 160 +%global sover_dns 1104 +%global sover_isc 1100 +%global sover_irs 161 +%global sover_isccfg 163 Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server Name: bind License: MPLv2.0 -Version: 9.11.4 -Release: 12%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} +Version: 9.11.5 +Release: 1%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} Epoch: 32 Url: http://www.isc.org/products/BIND/ # 
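Review bot: The early return added to `clear_query` when `query->waiting_senddone` is set leaves the query allocated and skips the rest of the teardown, but no comment says who finishes it. A comment above the check would record the lifetime rule, for example `/* send still in flight: defer unlink and free to send_done() so the completion event never touches freed memory */`. It is also worth confirming that `send_done` clears `waiting_senddone` before it acts on `pending_free`, since otherwise the deferred path would return early again and the query would never be freed. Only the first lines of that `send_done` hunk are visible here, so this is a point to check rather than a confirmed defect.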
@@ -452,7 +452,7 @@ are used for building ISC DHCP. %patch72 -p1 -b .64bit %endif %patch102 -p1 -b .rh452060 -%patch106 -p0 -b .rh490837 +%patch106 -p1 -b .rh490837 %patch109 -p1 -b .rh478718 %patch112 -p1 -b .rh645544 %patch130 -p1 -b .libdb @@ -1193,9 +1193,9 @@ rm -rf ${RPM_BUILD_ROOT} %endif %files libs -%{_libdir}/libbind9.so.160* -%{_libdir}/libisccc.so.160* -%{_libdir}/liblwres.so.160* +%{_libdir}/libbind9.so.161* +%{_libdir}/libisccc.so.161* +%{_libdir}/liblwres.so.161* %files libs-lite %{_libdir}/libdns.so.%{sover_dns}* @@ -1446,6 +1446,9 @@ rm -rf ${RPM_BUILD_ROOT} %changelog +* Wed Oct 24 2018 Petr Menšík - 32:9.11.5-1 +- Update to 9.11.5 + * Tue Oct 02 2018 Petr Menšík - 32:9.11.4-12.P2 - Add Requires to devel packages referenced by bind-devel diff --git a/bind93-rh490837.patch b/bind93-rh490837.patch index 230d7a7..6ea55ba 100644 --- a/bind93-rh490837.patch +++ b/bind93-rh490837.patch @@ -1,13 +1,22 @@ -? patch -? lib/isc/lex.c.rh490837 -Index: lib/isc/lex.c -=================================================================== -RCS file: /var/snap/bind9/lib/isc/lex.c,v -retrieving revision 1.86 -diff -p -u -r1.86 lex.c ---- lib/isc/lex.c 17 Sep 2007 09:56:29 -0000 1.86 -+++ lib/isc/lex.c 6 Apr 2009 13:24:15 -0000 -@@ -425,17 +425,14 @@ isc_lex_gettoken(isc_lex_t *lex, unsigne +diff --git a/lib/isc/include/isc/stdio.h b/lib/isc/include/isc/stdio.h +index 1f44b5a..a3625f9 100644 +--- a/lib/isc/include/isc/stdio.h ++++ b/lib/isc/include/isc/stdio.h +@@ -69,6 +69,9 @@ isc_stdio_sync(FILE *f); + * direct counterpart in the stdio library. + */ + ++isc_result_t ++isc_stdio_fgetc(FILE *f, int *ret); ++ + ISC_LANG_ENDDECLS + + #endif /* ISC_STDIO_H */ +diff --git a/lib/isc/lex.c b/lib/isc/lex.c +index a8955bc..fc6103b 100644 +--- a/lib/isc/lex.c ++++ b/lib/isc/lex.c +@@ -434,17 +434,14 @@ isc_lex_gettoken(isc_lex_t *lex, unsigned int options, isc_token_t *tokenp) { if (source->is_file) { stream = source->input; 
@@ -28,34 +37,14 @@ diff -p -u -r1.86 lex.c goto done; } + - source->at_eof = ISC_TRUE; + source->at_eof = true; } } else { -Index: lib/isc/include/isc/stdio.h -=================================================================== -RCS file: /var/snap/bind9/lib/isc/include/isc/stdio.h,v -retrieving revision 1.13 -diff -p -u -r1.13 stdio.h ---- lib/isc/include/isc/stdio.h 19 Jun 2007 23:47:18 -0000 1.13 -+++ lib/isc/include/isc/stdio.h 6 Apr 2009 13:24:15 -0000 -@@ -72,6 +72,9 @@ isc_stdio_sync(FILE *f); - * direct counterpart in the stdio library. - */ - -+isc_result_t -+isc_stdio_fgetc(FILE *f, int *ret); -+ - ISC_LANG_ENDDECLS - - #endif /* ISC_STDIO_H */ -Index: lib/isc/unix/errno2result.c -=================================================================== -RCS file: /var/snap/bind9/lib/isc/unix/errno2result.c,v -retrieving revision 1.17 -diff -p -u -r1.17 errno2result.c ---- lib/isc/unix/errno2result.c 19 Jun 2007 23:47:18 -0000 1.17 -+++ lib/isc/unix/errno2result.c 6 Apr 2009 13:24:15 -0000 -@@ -43,6 +43,7 @@ isc__errno2result(int posixerrno) { +diff --git a/lib/isc/unix/errno2result.c b/lib/isc/unix/errno2result.c +index 2f12bcc..5bfd648 100644 +--- a/lib/isc/unix/errno2result.c ++++ b/lib/isc/unix/errno2result.c +@@ -40,6 +40,7 @@ isc___errno2result(int posixerrno, bool dolog, case EINVAL: /* XXX sometimes this is not for files */ case ENAMETOOLONG: case EBADF: 
@@ -63,14 +52,11 @@ diff -p -u -r1.17 errno2result.c return (ISC_R_INVALIDFILE); case ENOENT: return (ISC_R_FILENOTFOUND); -Index: lib/isc/unix/stdio.c -=================================================================== -RCS file: /var/snap/bind9/lib/isc/unix/stdio.c,v -retrieving revision 1.8 -diff -p -u -r1.8 stdio.c ---- lib/isc/unix/stdio.c 19 Jun 2007 23:47:18 -0000 1.8 -+++ lib/isc/unix/stdio.c 6 Apr 2009 13:24:15 -0000 -@@ -115,3 +115,22 @@ isc_stdio_sync(FILE *f) { +diff --git a/lib/isc/unix/stdio.c b/lib/isc/unix/stdio.c +index e60fa65..77f0b13 100644 +--- a/lib/isc/unix/stdio.c ++++ b/lib/isc/unix/stdio.c +@@ -149,3 +149,22 @@ isc_stdio_sync(FILE *f) { return (isc__errno2result(errno)); } diff --git a/sources b/sources index 43558ac..f7e1978 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (bind-9.11.4-P2.tar.gz) = 6c01810526fc40485a6c0403d1ddc3b76d2e59b3426b5789436bd671f158d2fa0ea7c0aef2de81998ec715dabd06683fed7b17224d5c794c61e7100a69d4cb60 +SHA512 (bind-9.11.5.tar.gz) = 7e34c8033dabaed232479b1dc2849d1247c0137bcb2b63f08f8f72ff2cca0f73e0f05d0b9b8959f8c4db8ee36a700af30fe869be186c7bab7c81a25843384b8d SHA512 (config-18.tar.bz2) = c0a0a1fd58a7e2c09fe69915b9a4c682d1b6c96e78583f63ce5355f663c9509d28facfd3aa078b228b69954d0af4bfa484ef661a9568aaafe6eade97dda3c3d9