Fix OpenSSL random patch

- Add new notes into notes.xml - Initialize random provider before creation
2018-09-24 13:10:15 +02:00 · 2018-09-24 13:10:15 +02:00 · e0ab89b893
parent fdbf64ca93
commit e0ab89b893
1 changed files with 39 additions and 41 deletions
--- a/bind-9.11-rt46047.patch
+++ b/bind-9.11-rt46047.patch
@ -1,7 +1,7 @@
-From 71dbb3a1a96a012683125a22e9bf263efb97df4d Mon Sep 17 00:00:00 2001
+From 1ab1aabcf9b2b8de144bab7a3ff5d9f7e6ec9ad4 Mon Sep 17 00:00:00 2001
 From: Evan Hunt <each@isc.org>
 Date: Thu, 28 Sep 2017 10:09:22 -0700
-Subject: [PATCH] [master] completed and corrected the crypto-random change
+Subject: [PATCH] completed and corrected the crypto-random change

 4724.	[func]		By default, BIND now uses the random number
 			functions provided by the crypto library (i.e.,
@ -33,23 +33,23 @@ Subject: [PATCH] [master] completed and corrected the crypto-random change
 bin/named/include/named/server.h         |  2 ++
 bin/named/interfacemgr.c                 |  1 +
 bin/named/query.c                        |  1 +
- bin/named/server.c                       | 52 ++++++++++++++++++------------
+ bin/named/server.c                       | 53 ++++++++++++++++++------------
 bin/nsupdate/nsupdate.c                  |  4 +--
 bin/tests/system/pipelined/pipequeries.c |  4 +--
 bin/tests/system/tkey/keycreate.c        |  4 +--
 bin/tests/system/tkey/keydelete.c        |  4 +--
 doc/arm/Bv9ARM-book.xml                  | 55 ++++++++++++++++++++++----------
- doc/arm/notes.xml                        | 26 +++++++++++++++
+ doc/arm/notes.xml                        | 23 ++++++++++++-
 lib/dns/dst_api.c                        |  7 ++--
 lib/dns/include/dst/dst.h                | 14 ++++++--
 lib/dns/openssl_link.c                   |  3 +-
 lib/isc/include/isc/entropy.h            | 50 +++++++++++++++++++++--------
 lib/isc/include/isc/random.h             | 28 ++++++++++------
 lib/isccfg/namedconf.c                   |  2 +-
- 22 files changed, 222 insertions(+), 109 deletions(-)
+ 22 files changed, 219 insertions(+), 110 deletions(-)

 diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c
-index fa439cc158..a7ad417a18 100644
+index fa439cc..a7ad417 100644
 --- a/bin/confgen/keygen.c
 +++ b/bin/confgen/keygen.c
@@ -161,17 +161,15 @@ generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg,
@ -76,7 +76,7 @@ index fa439cc158..a7ad417a18 100644
 							     &entropy_source,
 							     randomfile,
 diff --git a/bin/dnssec/dnssec-keygen.docbook b/bin/dnssec/dnssec-keygen.docbook
-index 96dfef64b4..1c84b06126 100644
+index 96dfef6..1c84b06 100644
 --- a/bin/dnssec/dnssec-keygen.docbook
 +++ b/bin/dnssec/dnssec-keygen.docbook
@@ -349,15 +349,23 @@
@ -112,7 +112,7 @@ index 96dfef64b4..1c84b06126 100644
 	</listitem>
       </varlistentry>
 diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c
-index 4ea9eafa44..5dd9475dd3 100644
+index 4ea9eaf..5dd9475 100644
 --- a/bin/dnssec/dnssectool.c
 +++ b/bin/dnssec/dnssectool.c
@@ -239,18 +239,16 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
@ -140,7 +140,7 @@ index 4ea9eafa44..5dd9475dd3 100644
 					   usekeyboard);
 
 diff --git a/bin/named/client.c b/bin/named/client.c
-index b9ebc93094..20e5f395d4 100644
+index b9ebc93..20e5f39 100644
 --- a/bin/named/client.c
 +++ b/bin/named/client.c
@@ -1605,7 +1605,8 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message,
@ -154,7 +154,7 @@ index b9ebc93094..20e5f395d4 100644
 		compute_cookie(client, now, nonce, ns_g_server->secret, &buf);
 
 diff --git a/bin/named/config.c b/bin/named/config.c
-index c50f759ddd..c1e72ef996 100644
+index c50f759..c1e72ef 100644
 --- a/bin/named/config.c
 +++ b/bin/named/config.c
@@ -92,7 +92,9 @@ options {\n\
@ -169,7 +169,7 @@ index c50f759ddd..c1e72ef996 100644
 #endif
 "	recursing-file \"named.recursing\";\n\
 diff --git a/bin/named/controlconf.c b/bin/named/controlconf.c
-index 237e8dc31d..b905475890 100644
+index 237e8dc..b905475 100644
 --- a/bin/named/controlconf.c
 +++ b/bin/named/controlconf.c
@@ -322,9 +322,10 @@ log_invalid(isccc_ccmsg_t *ccmsg, isc_result_t result) {
@ -221,7 +221,7 @@ index 237e8dc31d..b905475890 100644
 	} else
 		eresult = ns_control_docommand(request, listener->readonly, &text);
 diff --git a/bin/named/include/named/server.h b/bin/named/include/named/server.h
-index d8179a60a0..e03d24d85d 100644
+index d8179a6..e03d24d 100644
 --- a/bin/named/include/named/server.h
 +++ b/bin/named/include/named/server.h
@@ -17,6 +17,7 @@
@ -241,7 +241,7 @@ index d8179a60a0..e03d24d85d 100644
 
 struct ns_altsecret {
 diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c
-index d8c7188186..50f924eadb 100644
+index d8c7188..50f924e 100644
 --- a/bin/named/interfacemgr.c
 +++ b/bin/named/interfacemgr.c
@@ -15,6 +15,7 @@
@ -253,7 +253,7 @@ index d8c7188186..50f924eadb 100644
 #include <isc/task.h>
 #include <isc/util.h>
 diff --git a/bin/named/query.c b/bin/named/query.c
-index accbf3b24d..d89622d835 100644
+index accbf3b..d89622d 100644
 --- a/bin/named/query.c
 +++ b/bin/named/query.c
@@ -18,6 +18,7 @@
@ -265,7 +265,7 @@ index accbf3b24d..d89622d835 100644
 #include <isc/serial.h>
 #include <isc/stats.h>
 diff --git a/bin/named/server.c b/bin/named/server.c
-index ee5186c165..553e0f1ae6 100644
+index ca789e5..1413e85 100644
 --- a/bin/named/server.c
 +++ b/bin/named/server.c
@@ -8076,21 +8076,30 @@ load_configuration(const char *filename, ns_server_t *server,
@ -329,16 +329,17 @@ index ee5186c165..553e0f1ae6 100644
 #endif
 		}
 	}
-@@ -8911,6 +8919,8 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
+@@ -8911,6 +8919,9 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
 	CHECKFATAL(dns_tkeyctx_create(ns_g_mctx, ns_g_entropy,
 				      &server->tkeyctx),
 		   "creating TKEY context");
+	server->rngctx = NULL;
 +	CHECKFATAL(isc_rng_create(ns_g_mctx, ns_g_entropy, &server->rngctx),
 +	           "creating random numbers context");
 
 	/*
 	 * Setup the server task, which is responsible for coordinating
-@@ -9117,7 +9127,8 @@ ns_server_destroy(ns_server_t **serverp) {
+@@ -9117,7 +9128,8 @@ ns_server_destroy(ns_server_t **serverp) {
 
 	if (server->zonemgr != NULL)
 		dns_zonemgr_detach(&server->zonemgr);
@ -348,7 +349,7 @@ index ee5186c165..553e0f1ae6 100644
 	if (server->tkeyctx != NULL)
 		dns_tkeyctx_destroy(&server->tkeyctx);
 
-@@ -13018,10 +13029,10 @@ newzone_cfgctx_destroy(void **cfgp) {
+@@ -13018,10 +13030,10 @@ newzone_cfgctx_destroy(void **cfgp) {
 
 static isc_result_t
 generate_salt(unsigned char *salt, size_t saltlen) {
@ -361,7 +362,7 @@ index ee5186c165..553e0f1ae6 100644
 	} rnd;
 	unsigned char text[512 + 1];
 	isc_region_t r;
-@@ -13031,9 +13042,10 @@ generate_salt(unsigned char *salt, size_t saltlen) {
+@@ -13031,9 +13043,10 @@ generate_salt(unsigned char *salt, size_t saltlen) {
 	if (saltlen > 256U)
 		return (ISC_R_RANGE);
 
@ -376,7 +377,7 @@ index ee5186c165..553e0f1ae6 100644
 	memmove(salt, rnd.rnd, saltlen);
 
 diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
-index 46c7acf4dc..a0d0278635 100644
+index 46c7acf..a0d0278 100644
 --- a/bin/nsupdate/nsupdate.c
 +++ b/bin/nsupdate/nsupdate.c
@@ -281,9 +281,7 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
@ -391,7 +392,7 @@ index 46c7acf4dc..a0d0278635 100644
 	}
 #endif
 diff --git a/bin/tests/system/pipelined/pipequeries.c b/bin/tests/system/pipelined/pipequeries.c
-index 810d99e267..d7d10e2e3c 100644
+index 810d99e..d7d10e2 100644
 --- a/bin/tests/system/pipelined/pipequeries.c
 +++ b/bin/tests/system/pipelined/pipequeries.c
@@ -279,9 +279,7 @@ main(int argc, char *argv[]) {
@ -406,7 +407,7 @@ index 810d99e267..d7d10e2e3c 100644
 	}
 #endif
 diff --git a/bin/tests/system/tkey/keycreate.c b/bin/tests/system/tkey/keycreate.c
-index 4f2f5b4cc5..0894db7066 100644
+index 4f2f5b4..0894db7 100644
 --- a/bin/tests/system/tkey/keycreate.c
 +++ b/bin/tests/system/tkey/keycreate.c
@@ -255,9 +255,7 @@ main(int argc, char *argv[]) {
@ -421,7 +422,7 @@ index 4f2f5b4cc5..0894db7066 100644
 	}
 #endif
 diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c
-index 0975bbe4ea..5b8a4701a8 100644
+index 0975bbe..5b8a470 100644
 --- a/bin/tests/system/tkey/keydelete.c
 +++ b/bin/tests/system/tkey/keydelete.c
@@ -182,9 +182,7 @@ main(int argc, char **argv) {
@ -436,7 +437,7 @@ index 0975bbe4ea..5b8a4701a8 100644
 	}
 #endif
 diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
-index 3ecdc046d0..34c9e85f52 100644
+index a5d9e2e..2a96f71 100644
 --- a/doc/arm/Bv9ARM-book.xml
 +++ b/doc/arm/Bv9ARM-book.xml
@@ -5070,22 +5070,45 @@ badresp:1,adberr:0,findfail:0,valfail:0]
@ -502,15 +503,14 @@ index 3ecdc046d0..34c9e85f52 100644
 	    </listitem>
 	  </varlistentry>
 diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
-index 7b7475b58f..49fe0a413e 100644
+index d3fdb5e..a8ad92d 100644
 --- a/doc/arm/notes.xml
 +++ b/doc/arm/notes.xml
-@@ -128,6 +128,32 @@
- 	  necessary.
- 	</para>
-       </listitem>
-+      <listitem>
-+	<para>
+@@ -105,7 +105,28 @@
+     <itemizedlist>
+       <listitem>
+ 	<para>
+-	  None.
 +	  By default, BIND now uses the random number generation functions
 +	  in the cryptographic library (i.e., OpenSSL or a PKCS#11
 +	  provider) as a source of high-quality randomness rather than
@ -533,13 +533,11 @@ index 7b7475b58f..49fe0a413e 100644
 +	  <command>configure --disable-crypto-rand</command>, in which
 +	  case <filename>/dev/random</filename> will be the default
 +	  entropy source.  [RT #31459] [RT #46047]
-+	</para>
-+      </listitem>
+ 	</para>
+       </listitem>
     </itemizedlist>
-   </section>
- 
 diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
-index 803e7b3538..29a4fef44b 100644
+index 803e7b3..29a4fef 100644
 --- a/lib/dns/dst_api.c
 +++ b/lib/dns/dst_api.c
@@ -276,8 +276,9 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
@ -568,7 +566,7 @@ index 803e7b3538..29a4fef44b 100644
 }
 
 diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
-index d9b6ab6bfb..e8c1a3c287 100644
+index d9b6ab6..e8c1a3c 100644
 --- a/lib/dns/include/dst/dst.h
 +++ b/lib/dns/include/dst/dst.h
@@ -161,8 +161,18 @@ isc_result_t
@ -593,7 +591,7 @@ index d9b6ab6bfb..e8c1a3c287 100644
 
 isc_boolean_t
 diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
-index c1e1bde95a..91e87d00b4 100644
+index c1e1bde..91e87d0 100644
 --- a/lib/dns/openssl_link.c
 +++ b/lib/dns/openssl_link.c
@@ -482,7 +482,8 @@ dst__openssl_getengine(const char *engine) {
@ -607,7 +605,7 @@ index c1e1bde95a..91e87d00b4 100644
 #ifndef DONT_REQUIRE_DST_LIB_INIT
 	INSIST(dst__memory_pool != NULL);
 diff --git a/lib/isc/include/isc/entropy.h b/lib/isc/include/isc/entropy.h
-index d9deb8ad9b..2d373630ae 100644
+index d9deb8a..2d37363 100644
 --- a/lib/isc/include/isc/entropy.h
 +++ b/lib/isc/include/isc/entropy.h
@@ -9,8 +9,6 @@
@ -696,7 +694,7 @@ index d9deb8ad9b..2d373630ae 100644
 
 ISC_LANG_ENDDECLS
 diff --git a/lib/isc/include/isc/random.h b/lib/isc/include/isc/random.h
-index ba53ebf35c..b57572842c 100644
+index ba53ebf..b575728 100644
 --- a/lib/isc/include/isc/random.h
 +++ b/lib/isc/include/isc/random.h
@@ -9,8 +9,6 @@
@ -750,7 +748,7 @@ index ba53ebf35c..b57572842c 100644
 
 ISC_LANG_ENDDECLS
 diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
-index 8d496ff9ce..dd08187312 100644
+index 8d496ff..dd08187 100644
 --- a/lib/isccfg/namedconf.c
 +++ b/lib/isccfg/namedconf.c
@@ -1106,7 +1106,7 @@ options_clauses[] = {