From 230545da0aec9ba7c8b6e784c692b6a99cf6c1ed Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Nov 03 2020 11:46:26 +0000 Subject: import bind-9.11.20-5.el8 --- diff --git a/.bind.metadata b/.bind.metadata index c07b294..6031674 100644 --- a/.bind.metadata +++ b/.bind.metadata @@ -1,2 +1,2 @@ -550367762a653ac5ed0eb04b316d06517650a925 SOURCES/bind-9.11.13.tar.gz +ff6ad0d3f9282a77786e93eb889154008ef1ccdf SOURCES/bind-9.11.20.tar.gz a164fcad1d64d6b5fab5034928cb7260f1fa8fdd SOURCES/random.data diff --git a/.gitignore b/.gitignore index 8008e19..e7ad81f 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -SOURCES/bind-9.11.13.tar.gz +SOURCES/bind-9.11.20.tar.gz SOURCES/random.data diff --git a/SOURCES/bind-9.10-sdb.patch b/SOURCES/bind-9.10-sdb.patch index 5524daa..f36e156 100644 --- a/SOURCES/bind-9.10-sdb.patch +++ b/SOURCES/bind-9.10-sdb.patch @@ -79,10 +79,10 @@ index 03a72d5..4c1cb6d 100644 @DLZ_DRIVER_RULES@ diff --git a/bin/named-sdb/main.c b/bin/named-sdb/main.c -index 108b8d6..a943421 100644 +index c9fc3cc..148ebb3 100644 --- a/bin/named-sdb/main.c +++ b/bin/named-sdb/main.c -@@ -93,6 +93,10 @@ +@@ -97,6 +97,10 @@ * Include header files for database drivers here. */ /* #include "xxdb.h" */ @@ -93,7 +93,7 @@ index 108b8d6..a943421 100644 #ifdef CONTRIB_DLZ /* -@@ -1069,6 +1073,11 @@ setup(void) { +@@ -1134,6 +1138,11 @@ setup(void) { ns_main_earlyfatal("isc_app_start() failed: %s", isc_result_totext(result)); @@ -105,7 +105,7 @@ index 108b8d6..a943421 100644 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, ISC_LOG_NOTICE, "starting %s %s%s%s ", ns_g_product, ns_g_version, -@@ -1269,6 +1278,75 @@ setup(void) { +@@ -1334,6 +1343,75 @@ setup(void) { isc_result_totext(result)); #endif @@ -181,7 +181,7 @@ index 108b8d6..a943421 100644 ns_server_create(ns_g_mctx, &ns_g_server); #ifdef HAVE_LIBSECCOMP -@@ -1311,6 +1389,11 @@ cleanup(void) { +@@ -1376,6 +1454,11 @@ cleanup(void) { dns_name_destroy(); 
@@ -288,10 +288,10 @@ index c7e0868..95ab742 100644 + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2sqlite@EXEEXT@ ${DESTDIR}${sbindir} ${INSTALL_DATA} ${srcdir}/zone2ldap.1 ${DESTDIR}${mandir}/man1/zone2ldap.1 diff --git a/configure.ac b/configure.ac -index eff9f05..d05ad1f 100644 +index f85f45f..7d28c52 100644 --- a/configure.ac +++ b/configure.ac -@@ -5429,6 +5429,8 @@ AC_CONFIG_FILES([ +@@ -5400,6 +5400,8 @@ AC_CONFIG_FILES([ bin/named/unix/Makefile bin/named-pkcs11/Makefile bin/named-pkcs11/unix/Makefile @@ -300,9 +300,9 @@ index eff9f05..d05ad1f 100644 bin/nsupdate/Makefile bin/pkcs11/Makefile bin/python/Makefile -@@ -5453,6 +5455,7 @@ AC_CONFIG_FILES([ - bin/python/isc/tests/dnskey_test.py +@@ -5424,6 +5426,7 @@ AC_CONFIG_FILES([ bin/python/isc/tests/policy_test.py + bin/python/isc/utils.py bin/rndc/Makefile + bin/sdb_tools/Makefile bin/tests/Makefile diff --git a/SOURCES/bind-9.11-CVE-2020-8616-test.patch b/SOURCES/bind-9.11-CVE-2020-8616-test.patch deleted file mode 100644 index a1d2823..0000000 --- a/SOURCES/bind-9.11-CVE-2020-8616-test.patch +++ /dev/null 
@@ -1,292 +0,0 @@ -From a64853318ade406ef0db744918bb2828cf0a6247 Mon Sep 17 00:00:00 2001 -From: Stephen Morris -Date: Thu, 5 Mar 2020 18:46:46 +0000 -Subject: [PATCH] Add test for reduction in number of fetches - -Add a system test that counts how many address fetches are made -for different numbers of NS records and checks that the number -are successfully limited. - -(cherry picked from commit 5fb65f45443225180296b361a12be0fead5049f2) ---- - bin/tests/system/resolver/clean.sh | 4 +- - bin/tests/system/resolver/ns4/named.conf.in | 5 ++ - bin/tests/system/resolver/ns4/root.db | 4 + - bin/tests/system/resolver/ns4/sourcens.db | 89 +++++++++++++++++++++ - bin/tests/system/resolver/ns5/named.conf.in | 9 ++- - bin/tests/system/resolver/ns6/named.conf.in | 15 ++++ - bin/tests/system/resolver/ns6/targetns.db | 23 ++++++ - bin/tests/system/resolver/tests.sh | 34 ++++++++ - 8 files changed, 180 insertions(+), 3 deletions(-) - create mode 100644 bin/tests/system/resolver/ns4/sourcens.db - create mode 100644 bin/tests/system/resolver/ns6/targetns.db - -diff --git a/bin/tests/system/resolver/clean.sh b/bin/tests/system/resolver/clean.sh -index 4dfde1f3e7..b3e4bc0b5d 100644 ---- a/bin/tests/system/resolver/clean.sh -+++ b/bin/tests/system/resolver/clean.sh -@@ -17,8 +17,7 @@ rm -f */named.memstats - rm -f */named.run - rm -f */ans.run - rm -f */*.jdb --rm -f dig.out dig.out.* --rm -f dig.*.out.* -+rm -f dig.out dig.out.* dig.*.out.* - rm -f dig.*.foo.* - rm -f dig.*.bar.* - rm -f dig.*.prime.* -@@ -28,6 +27,7 @@ rm -f ns6/example.net.db.signed ns6/example.net.db - rm -f ns6/ds.example.net.db.signed ns6/ds.example.net.db - rm -f ns6/dsset-ds.example.net* - rm -f ns6/dsset-example.net* ns6/example.net.db.signed.jnl -+rm -f ns6/named.stats* - rm -f ns6/to-be-removed.tld.db ns6/to-be-removed.tld.db.jnl - rm -f ns7/server.db ns7/server.db.jnl - rm -f resolve.out.*.test* -diff --git a/bin/tests/system/resolver/ns4/named.conf.in b/bin/tests/system/resolver/ns4/named.conf.in -index 
c679dc3151..56fe5d0dd8 100644 ---- a/bin/tests/system/resolver/ns4/named.conf.in -+++ b/bin/tests/system/resolver/ns4/named.conf.in -@@ -50,6 +50,11 @@ zone "broken" { - file "broken.db"; - }; - -+zone "sourcens" { -+ type master; -+ file "sourcens.db"; -+}; -+ - key rndc_key { - secret "1234abcd8765"; - algorithm hmac-sha256; -diff --git a/bin/tests/system/resolver/ns4/root.db b/bin/tests/system/resolver/ns4/root.db -index 721765d1be..ae541340da 100644 ---- a/bin/tests/system/resolver/ns4/root.db -+++ b/bin/tests/system/resolver/ns4/root.db -@@ -24,3 +24,7 @@ example.net. NS ns.example.net. - ns.example.net. A 10.53.0.6 - no-questions. NS ns.no-questions. - ns.no-questions. A 10.53.0.8 -+sourcens. NS ns.sourcens. -+ns.sourcens. A 10.53.0.4 -+targetns. NS ns.targetns. -+ns.targetns. A 10.53.0.6 -diff --git a/bin/tests/system/resolver/ns4/sourcens.db b/bin/tests/system/resolver/ns4/sourcens.db -new file mode 100644 -index 0000000000..b02cc6e835 ---- /dev/null -+++ b/bin/tests/system/resolver/ns4/sourcens.db -@@ -0,0 +1,89 @@ -+; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+; -+; This Source Code Form is subject to the terms of the Mozilla Public -+; License, v. 2.0. If a copy of the MPL was not distributed with this -+; file, You can obtain one at http://mozilla.org/MPL/2.0/. -+; -+; See the COPYRIGHT file distributed with this work for additional -+; information regarding copyright ownership. -+ -+; This zone contains a set of delegations with varying numbers of NS -+; records. This is used to check that BIND is limiting the number of -+; NS records it follows when resolving a delegation. It tests all -+; numbers of NS records up to twice the number followed. -+ -+$TTL 60 -+@ IN SOA marka.isc.org. ns.server. ( -+ 2010 ; serial -+ 600 ; refresh -+ 600 ; retry -+ 1200 ; expire -+ 600 ; minimum -+ ) -+@ NS ns -+ns A 10.53.0.4 -+ -+target1 NS ns.fake11.targetns. -+ -+target2 NS ns.fake21.targetns. -+ NS ns.fake22.targetns. 
-+ -+target3 NS ns.fake31.targetns. -+ NS ns.fake32.targetns. -+ NS ns.fake33.targetns. -+ -+target4 NS ns.fake41.targetns. -+ NS ns.fake42.targetns. -+ NS ns.fake43.targetns. -+ NS ns.fake44.targetns. -+ -+target5 NS ns.fake51.targetns. -+ NS ns.fake52.targetns. -+ NS ns.fake53.targetns. -+ NS ns.fake54.targetns. -+ NS ns.fake55.targetns. -+ -+target6 NS ns.fake61.targetns. -+ NS ns.fake62.targetns. -+ NS ns.fake63.targetns. -+ NS ns.fake64.targetns. -+ NS ns.fake65.targetns. -+ NS ns.fake66.targetns. -+ -+target7 NS ns.fake71.targetns. -+ NS ns.fake72.targetns. -+ NS ns.fake73.targetns. -+ NS ns.fake74.targetns. -+ NS ns.fake75.targetns. -+ NS ns.fake76.targetns. -+ NS ns.fake77.targetns. -+ -+target8 NS ns.fake81.targetns. -+ NS ns.fake82.targetns. -+ NS ns.fake83.targetns. -+ NS ns.fake84.targetns. -+ NS ns.fake85.targetns. -+ NS ns.fake86.targetns. -+ NS ns.fake87.targetns. -+ NS ns.fake88.targetns. -+ -+target9 NS ns.fake91.targetns. -+ NS ns.fake92.targetns. -+ NS ns.fake93.targetns. -+ NS ns.fake94.targetns. -+ NS ns.fake95.targetns. -+ NS ns.fake96.targetns. -+ NS ns.fake97.targetns. -+ NS ns.fake98.targetns. -+ NS ns.fake99.targetns. -+ -+target10 NS ns.fake101.targetns. -+ NS ns.fake102.targetns. -+ NS ns.fake103.targetns. -+ NS ns.fake104.targetns. -+ NS ns.fake105.targetns. -+ NS ns.fake106.targetns. -+ NS ns.fake107.targetns. -+ NS ns.fake108.targetns. -+ NS ns.fake109.targetns. -+ NS ns.fake1010.targetns. 
-diff --git a/bin/tests/system/resolver/ns5/named.conf.in b/bin/tests/system/resolver/ns5/named.conf.in -index 07205c9938..90818e4556 100644 ---- a/bin/tests/system/resolver/ns5/named.conf.in -+++ b/bin/tests/system/resolver/ns5/named.conf.in -@@ -46,4 +46,11 @@ zone "delegation-only" { - type delegation-only; - }; - --include "trusted.conf"; -+key rndc_key { -+ secret "1234abcd8765"; -+ algorithm hmac-sha256; -+}; -+ -+controls { -+ inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; -+}; -diff --git a/bin/tests/system/resolver/ns6/named.conf.in b/bin/tests/system/resolver/ns6/named.conf.in -index 7df48558b8..4b01f9ba14 100644 ---- a/bin/tests/system/resolver/ns6/named.conf.in -+++ b/bin/tests/system/resolver/ns6/named.conf.in -@@ -22,6 +22,7 @@ options { - recursion no; - // minimal-responses yes; - querylog yes; -+ statistics-file "named.stats"; - /* - * test that named loads with root-delegation-only that - * has a exclude list. -@@ -67,3 +68,17 @@ zone "delegation-only" { - type master; - file "delegation-only.db"; - }; -+ -+zone "targetns" { -+ type master; -+ file "targetns.db"; -+}; -+ -+key rndc_key { -+ secret "1234abcd8765"; -+ algorithm hmac-sha256; -+}; -+ -+controls { -+ inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; -+}; -diff --git a/bin/tests/system/resolver/ns6/targetns.db b/bin/tests/system/resolver/ns6/targetns.db -new file mode 100644 -index 0000000000..036e64580b ---- /dev/null -+++ b/bin/tests/system/resolver/ns6/targetns.db -@@ -0,0 +1,23 @@ -+; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+; -+; This Source Code Form is subject to the terms of the Mozilla Public -+; License, v. 2.0. If a copy of the MPL was not distributed with this -+; file, You can obtain one at http://mozilla.org/MPL/2.0/. -+; -+; See the COPYRIGHT file distributed with this work for additional -+; information regarding copyright ownership. 
-+ -+; In the test for checking how many NS records BIND will follow, this -+; zone marks the server as the one to which the NS lookups will be -+; directed. -+ -+$TTL 300 -+@ IN SOA marka.isc.org. ns.server. ( -+ 2010 ; serial -+ 600 ; refresh -+ 600 ; retry -+ 1200 ; expire -+ 600 ; minimum -+ ) -+ NS ns -+ns A 10.53.0.6 -diff --git a/bin/tests/system/resolver/tests.sh b/bin/tests/system/resolver/tests.sh -index 12d2819e30..178ba4d79b 100755 ---- a/bin/tests/system/resolver/tests.sh -+++ b/bin/tests/system/resolver/tests.sh -@@ -247,6 +247,40 @@ if [ -x ${RESOLVE} ] ; then - status=`expr $status + $ret` - fi - -+n=`expr $n + 1` -+echo_i "check that the resolver limits the number of NS records it follows in a referral response ($n)" -+# ns5 is the recusor being tested. ns4 holds the sourcens zone containing names with varying numbers of NS -+# records pointing to non-existent nameservers in the targetns zone on ns6. -+ret=0 -+$RNDCCMD 10.53.0.5 flush || ret=1 # Ensure cache is empty before doing this test -+for nscount in 1 2 3 4 5 6 7 8 9 10 -+do -+ # Verify number of NS records at source server -+ $DIG $DIGOPTS +norecurse @10.53.0.4 target${nscount}.sourcens ns > dig.ns4.out.${nscount}.${n} -+ sourcerecs=`grep NS dig.ns4.out.${nscount}.${n} | grep -v ';' | wc -l` -+ test $sourcerecs -eq $nscount || ret=1 -+ test $sourcerecs -eq $nscount || echo_i "NS count incorrect for target${nscount}.sourcens" -+ # Expected queries = 2 * number of NS records, up to a maximum of 10. 
-+ expected=`expr 2 \* $nscount` -+ if [ $expected -gt 10 ]; then expected=10; fi -+ # Work out the queries made by checking statistics on the target before and after the test -+ $RNDCCMD 10.53.0.6 stats || ret=1 -+ initial_count=`awk '/responses sent/ {print $1}' ns6/named.stats` -+ mv ns6/named.stats ns6/named.stats.initial.${nscount}.${n} -+ $DIG $DIGOPTS @10.53.0.5 target${nscount}.sourcens A > dig.ns5.out.${nscount}.${n} || ret=1 -+ $RNDCCMD 10.53.0.6 stats || ret=1 -+ final_count=`awk '/responses sent/ {print $1}' ns6/named.stats` -+ mv ns6/named.stats ns6/named.stats.final.${nscount}.${n} -+ # Check number of queries during the test is as expected -+ actual=`expr $final_count - $initial_count` -+ if [ $actual -ne $expected ]; then -+ echo_i "query count error: $nscount NS records: expected queries $expected, actual $actual" -+ ret=1 -+ fi -+done -+if [ $ret != 0 ]; then echo_i "failed"; fi -+status=`expr $status + $ret` -+ - n=`expr $n + 1` - echo_i "RT21594 regression test check setup ($n)" - ret=0 --- -2.21.1 - diff --git a/SOURCES/bind-9.11-CVE-2020-8617-test.patch b/SOURCES/bind-9.11-CVE-2020-8617-test.patch deleted file mode 100644 index 1d81c73..0000000 --- a/SOURCES/bind-9.11-CVE-2020-8617-test.patch +++ /dev/null 
@@ -1,78 +0,0 @@ -From eee06b7744c4999ec3c7cb0654f97a9b4c79f77f Mon Sep 17 00:00:00 2001 -From: Mark Andrews -Date: Wed, 25 Mar 2020 17:44:51 +1100 -Subject: [PATCH] Check that a 'BADTIME' response with 'QR=0' is handled as a - request - -(cherry picked from commit 67ba3f8f3ab2a748dff1e8a2029fde3bc84ec3f1) ---- - bin/tests/system/tsig/badtime | 37 ++++++++++++++++++++++++++++++++++ - bin/tests/system/tsig/tests.sh | 9 +++++++++ - 2 files changed, 46 insertions(+) - create mode 100644 bin/tests/system/tsig/badtime - -diff --git a/bin/tests/system/tsig/badtime b/bin/tests/system/tsig/badtime -new file mode 100644 -index 0000000000..7926404cfb ---- /dev/null -+++ b/bin/tests/system/tsig/badtime -@@ -0,0 +1,37 @@ -+# Transaction ID -+1122 -+# Standard query -+0000 -+# Questions: 1, Additional: 1 -+0001 0000 0000 0001 -+# QNAME: isc.org -+03 69 73 63 03 6F 72 67 00 -+# Type: A (Host Address) -+0001 -+# Class: IN -+0001 -+# Specially crafted TSIG Resource Record -+# Name: "sha256" -+06 73 68 61 32 35 36 00 -+# Type: TSIG (Transaction Signature) -+00fa -+# Class: ANY -+00ff -+# TTL: 0 -+00000000 -+# RdLen: 29 -+001d -+# Algorithm Name: hmac-sha256 -+0b 68 6D 61 63 2D 73 68 61 32 35 36 00 -+# Time Signed: Jan 1, 1970 01:00:00.000000000 CET -+00 00 00 00 00 00 -+# Fudge: 300 -+012c -+# MAC Size: 0; MAC: empty -+0000 -+# Original ID: 0 -+0000 -+# Error: BADSIG -+0010 -+# Other Data Length: 0 -+0000 -diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh -index cade35bc1d..284aea1056 100644 ---- a/bin/tests/system/tsig/tests.sh -+++ b/bin/tests/system/tsig/tests.sh -@@ -233,5 +233,14 @@ if [ $ret -eq 1 ] ; then - echo "I: failed"; status=1 - fi - -+echo_i "check that a 'BADTIME' response with 'QR=0' is handled as a request" -+ret=0 -+$PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp < badtime > /dev/null -+$DIG -p ${PORT} @10.53.0.1 version.bind txt ch > dig.out.verify || ret=1 -+grep "status: NOERROR" dig.out.verify > /dev/null || ret=1 -+if [ $ret -eq 
1 ] ; then -+ echo_i "failed"; status=1 -+fi -+ - echo_i "exit status: $status" - [ $status -eq 0 ] || exit 1 --- -2.21.1 - diff --git a/SOURCES/bind-9.11-CVE-2020-8622.patch b/SOURCES/bind-9.11-CVE-2020-8622.patch new file mode 100644 index 0000000..74e8225 --- /dev/null +++ b/SOURCES/bind-9.11-CVE-2020-8622.patch 
@@ -0,0 +1,57 @@
+From c5a9fd85a19a63f88a5f17c7e6d074ee22364093 Mon Sep 17 00:00:00 2001
+From: Petr Mensik
+Date: Tue, 18 Aug 2020 10:53:33 +0200
+Subject: [PATCH] Fix CVE-2020-8622
+
+5476. [security] It was possible to trigger an assertion failure when
+ verifying the response to a TSIG-signed request.
+ (CVE-2020-8622) [GL #2028]
+---
+ lib/dns/message.c | 24 +++++++++++++-----------
+ 1 file changed, 13 insertions(+), 11 deletions(-)
+
+diff --git a/lib/dns/message.c b/lib/dns/message.c
+index d9e341a..7c813a5 100644
+--- a/lib/dns/message.c
++++ b/lib/dns/message.c
+@@ -1712,6 +1712,19 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
+ msg->header_ok = 0;
+ msg->question_ok = 0;
+
++ if ((options & DNS_MESSAGEPARSE_CLONEBUFFER) == 0) {
++ isc_buffer_usedregion(&origsource, &msg->saved);
++ } else {
++ msg->saved.length = isc_buffer_usedlength(&origsource);
++ msg->saved.base = isc_mem_get(msg->mctx, msg->saved.length);
++ if (msg->saved.base == NULL) {
++ return (ISC_R_NOMEMORY);
++ }
++ memmove(msg->saved.base, isc_buffer_base(&origsource),
++ msg->saved.length);
++ msg->free_saved = 1;
++ }
++
+ isc_buffer_remainingregion(source, &r);
+ if (r.length < DNS_MESSAGE_HEADERLEN)
+ return (ISC_R_UNEXPECTEDEND);
+@@ -1787,17 +1800,6 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
+ }
+
+ truncated:
+- if ((options & DNS_MESSAGEPARSE_CLONEBUFFER) == 0)
+- isc_buffer_usedregion(&origsource, &msg->saved);
+- else {
+- msg->saved.length = isc_buffer_usedlength(&origsource);
+- msg->saved.base = isc_mem_get(msg->mctx, msg->saved.length);
+- if (msg->saved.base == NULL)
+- return (ISC_R_NOMEMORY);
+- memmove(msg->saved.base, isc_buffer_base(&origsource),
+- msg->saved.length);
+- msg->free_saved = 1;
+- }
+
+ if (ret == ISC_R_UNEXPECTEDEND && ignore_tc)
+ return (DNS_R_RECOVERABLE);
+--
+2.26.2
+
diff --git a/SOURCES/bind-9.11-CVE-2020-8623.patch b/SOURCES/bind-9.11-CVE-2020-8623.patch
new file mode 100644
index 0000000..ee368d0
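Review bot: The block relocated to the top of dns_message_parse carries no comment explaining why the wire image must now be captured before any parse check runs, and the reason survives only in the commit text; a one-line comment above the new `if ((options & DNS_MESSAGEPARSE_CLONEBUFFER) == 0) {`, recording that the saved copy must exist even when parsing fails early because a TSIG verification step the commit message refers to relies on it (CVE-2020-8622), would stop a later cleanup from moving it back under `truncated:`. One consequence worth a second look: with DNS_MESSAGEPARSE_CLONEBUFFER set, isc_mem_get now runs before the `r.length < DNS_MESSAGE_HEADERLEN` check, so a short or malformed message allocates a saved copy and sets free_saved before returning ISC_R_UNEXPECTEDEND; that is harmless only if the message's reset path releases it, which this hunk does not show. The enclosing function starts and ends outside the hunk.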
--- /dev/null +++ b/SOURCES/bind-9.11-CVE-2020-8623.patch 
@@ -0,0 +1,400 @@ +From e8b7be1e1ff3e11bc8d592c3c8d6a0f0d69e9947 Mon Sep 17 00:00:00 2001 +From: Petr Mensik +Date: Tue, 18 Aug 2020 10:54:39 +0200 +Subject: [PATCH] Fix CVE-2020-8623 + +5480. [security] When BIND 9 was compiled with native PKCS#11 support, it + was possible to trigger an assertion failure in code + determining the number of bits in the PKCS#11 RSA public + key with a specially crafted packet. (CVE-2020-8623) + [GL #2037] +--- + lib/dns/pkcs11dh_link.c | 15 ++++++- + lib/dns/pkcs11dsa_link.c | 8 +++- + lib/dns/pkcs11rsa_link.c | 79 +++++++++++++++++++++++++-------- + lib/isc/include/pk11/internal.h | 3 +- + lib/isc/pk11.c | 61 ++++++++++++++++--------- + 5 files changed, 121 insertions(+), 45 deletions(-) + +diff --git a/lib/dns/pkcs11dh_link.c b/lib/dns/pkcs11dh_link.c +index e2b60ea..4cd8e32 100644 +--- a/lib/dns/pkcs11dh_link.c ++++ b/lib/dns/pkcs11dh_link.c +@@ -748,6 +748,7 @@ pkcs11dh_fromdns(dst_key_t *key, isc_buffer_t *data) { + CK_BYTE *prime = NULL, *base = NULL, *pub = NULL; + CK_ATTRIBUTE *attr; + int special = 0; ++ unsigned int bits; + isc_result_t result; + + isc_buffer_remainingregion(data, &r); +@@ -852,7 +853,11 @@ pkcs11dh_fromdns(dst_key_t *key, isc_buffer_t *data) { + pub = r.base; + isc_region_consume(&r, publen); + +- key->key_size = pk11_numbits(prime, plen_); ++ result = pk11_numbits(prime, plen_, &bits); ++ if (result != ISC_R_SUCCESS) { ++ goto cleanup; ++ } ++ key->key_size = bits; + + dh->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 3); + if (dh->repr == NULL) +@@ -1012,6 +1017,7 @@ pkcs11dh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { + dst_private_t priv; + isc_result_t ret; + int i; ++ unsigned int bits; + pk11_object_t *dh = NULL; + CK_ATTRIBUTE *attr; + isc_mem_t *mctx; +@@ -1082,7 +1088,12 @@ pkcs11dh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { + + attr = pk11_attribute_bytype(dh, CKA_PRIME); + INSIST(attr != NULL); +- key->key_size = pk11_numbits(attr->pValue, 
attr->ulValueLen); ++ ++ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits); ++ if (ret != ISC_R_SUCCESS) { ++ goto err; ++ } ++ key->key_size = bits; + + return (ISC_R_SUCCESS); + +diff --git a/lib/dns/pkcs11dsa_link.c b/lib/dns/pkcs11dsa_link.c +index 12d707a..24d4c14 100644 +--- a/lib/dns/pkcs11dsa_link.c ++++ b/lib/dns/pkcs11dsa_link.c +@@ -983,6 +983,7 @@ pkcs11dsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { + dst_private_t priv; + isc_result_t ret; + int i; ++ unsigned int bits; + pk11_object_t *dsa = NULL; + CK_ATTRIBUTE *attr; + isc_mem_t *mctx = key->mctx; +@@ -1072,7 +1073,12 @@ pkcs11dsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { + + attr = pk11_attribute_bytype(dsa, CKA_PRIME); + INSIST(attr != NULL); +- key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen); ++ ++ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits); ++ if (ret != ISC_R_SUCCESS) { ++ goto err; ++ } ++ key->key_size = bits; + + return (ISC_R_SUCCESS); + +diff --git a/lib/dns/pkcs11rsa_link.c b/lib/dns/pkcs11rsa_link.c +index 6c280bf..86e136a 100644 +--- a/lib/dns/pkcs11rsa_link.c ++++ b/lib/dns/pkcs11rsa_link.c +@@ -337,6 +337,7 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits, + key->key_alg == DST_ALG_RSASHA256 || + key->key_alg == DST_ALG_RSASHA512); + #endif ++ REQUIRE(maxbits <= RSA_MAX_PUBEXP_BITS); + + /* + * Reject incorrect RSA key lengths. 
+@@ -381,6 +382,7 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits, + for (attr = pk11_attribute_first(rsa); + attr != NULL; + attr = pk11_attribute_next(rsa, attr)) ++ { + switch (attr->type) { + case CKA_MODULUS: + INSIST(keyTemplate[5].type == attr->type); +@@ -401,12 +403,16 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits, + memmove(keyTemplate[6].pValue, attr->pValue, + attr->ulValueLen); + keyTemplate[6].ulValueLen = attr->ulValueLen; +- if (pk11_numbits(attr->pValue, +- attr->ulValueLen) > maxbits && +- maxbits != 0) ++ unsigned int bits; ++ ret = pk11_numbits(attr->pValue, attr->ulValueLen, ++ &bits); ++ if (ret != ISC_R_SUCCESS || ++ (bits > maxbits && maxbits != 0)) { + DST_RET(DST_R_VERIFYFAILURE); ++ } + break; + } ++ } + pk11_ctx->object = CK_INVALID_HANDLE; + pk11_ctx->ontoken = false; + PK11_RET(pkcs_C_CreateObject, +@@ -1086,6 +1092,7 @@ pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) { + keyTemplate[5].ulValueLen = attr->ulValueLen; + break; + case CKA_PUBLIC_EXPONENT: ++ unsigned int bits; + INSIST(keyTemplate[6].type == attr->type); + keyTemplate[6].pValue = isc_mem_get(dctx->mctx, + attr->ulValueLen); +@@ -1094,10 +1101,12 @@ pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) { + memmove(keyTemplate[6].pValue, attr->pValue, + attr->ulValueLen); + keyTemplate[6].ulValueLen = attr->ulValueLen; +- if (pk11_numbits(attr->pValue, +- attr->ulValueLen) +- > RSA_MAX_PUBEXP_BITS) ++ ret = pk11_numbits(attr->pValue, attr->ulValueLen, ++ &bits); ++ if (ret != ISC_R_SUCCESS || bits > RSA_MAX_PUBEXP_BITS) ++ { + DST_RET(DST_R_VERIFYFAILURE); ++ } + break; + } + pk11_ctx->object = CK_INVALID_HANDLE; +@@ -1475,6 +1484,8 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) { + CK_BYTE *exponent = NULL, *modulus = NULL; + CK_ATTRIBUTE *attr; + unsigned int length; ++ unsigned int bits; ++ isc_result_t ret = ISC_R_SUCCESS; + + isc_buffer_remainingregion(data, &r); + if (r.length == 0) +@@ -1492,9 
+1503,7 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) { + + if (e_bytes == 0) { + if (r.length < 2) { +- isc_safe_memwipe(rsa, sizeof(*rsa)); +- isc_mem_put(key->mctx, rsa, sizeof(*rsa)); +- return (DST_R_INVALIDPUBLICKEY); ++ DST_RET(DST_R_INVALIDPUBLICKEY); + } + e_bytes = (*r.base) << 8; + isc_region_consume(&r, 1); +@@ -1503,16 +1512,18 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) { + } + + if (r.length < e_bytes) { +- isc_safe_memwipe(rsa, sizeof(*rsa)); +- isc_mem_put(key->mctx, rsa, sizeof(*rsa)); +- return (DST_R_INVALIDPUBLICKEY); ++ DST_RET(DST_R_INVALIDPUBLICKEY); + } + exponent = r.base; + isc_region_consume(&r, e_bytes); + modulus = r.base; + mod_bytes = r.length; + +- key->key_size = pk11_numbits(modulus, mod_bytes); ++ ret = pk11_numbits(modulus, mod_bytes, &bits); ++ if (ret != ISC_R_SUCCESS) { ++ goto err; ++ } ++ key->key_size = bits; + + isc_buffer_forward(data, length); + +@@ -1562,9 +1573,12 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) { + rsa->repr, + rsa->attrcnt * sizeof(*attr)); + } ++ ret = ISC_R_NOMEMORY; ++ ++ err: + isc_safe_memwipe(rsa, sizeof(*rsa)); + isc_mem_put(key->mctx, rsa, sizeof(*rsa)); +- return (ISC_R_NOMEMORY); ++ return (ret); + } + + static isc_result_t +@@ -1743,6 +1757,7 @@ pkcs11rsa_fetch(dst_key_t *key, const char *engine, const char *label, + pk11_object_t *pubrsa; + pk11_context_t *pk11_ctx = NULL; + isc_result_t ret; ++ unsigned int bits; + + if (label == NULL) + return (DST_R_NOENGINE); +@@ -1829,7 +1844,11 @@ pkcs11rsa_fetch(dst_key_t *key, const char *engine, const char *label, + + attr = pk11_attribute_bytype(rsa, CKA_MODULUS); + INSIST(attr != NULL); +- key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen); ++ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits); ++ if (ret != ISC_R_SUCCESS) { ++ goto err; ++ } ++ key->key_size = bits; + + return (ISC_R_SUCCESS); + +@@ -1915,6 +1934,7 @@ pkcs11rsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { + 
CK_ATTRIBUTE *attr; + isc_mem_t *mctx = key->mctx; + const char *engine = NULL, *label = NULL; ++ unsigned int bits; + + /* read private key file */ + ret = dst__privstruct_parse(key, DST_ALG_RSA, lexer, mctx, &priv); +@@ -2058,12 +2078,22 @@ pkcs11rsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { + + attr = pk11_attribute_bytype(rsa, CKA_MODULUS); + INSIST(attr != NULL); +- key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen); ++ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits); ++ if (ret != ISC_R_SUCCESS) { ++ goto err; ++ } ++ key->key_size = bits; + + attr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT); + INSIST(attr != NULL); +- if (pk11_numbits(attr->pValue, attr->ulValueLen) > RSA_MAX_PUBEXP_BITS) ++ ++ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits); ++ if (ret != ISC_R_SUCCESS) { ++ goto err; ++ } ++ if (bits > RSA_MAX_PUBEXP_BITS) { + DST_RET(ISC_R_RANGE); ++ } + + dst__privstruct_free(&priv, mctx); + isc_safe_memwipe(&priv, sizeof(priv)); +@@ -2098,6 +2128,7 @@ pkcs11rsa_fromlabel(dst_key_t *key, const char *engine, const char *label, + pk11_context_t *pk11_ctx = NULL; + isc_result_t ret; + unsigned int i; ++ unsigned int bits; + + UNUSED(pin); + +@@ -2192,12 +2223,22 @@ pkcs11rsa_fromlabel(dst_key_t *key, const char *engine, const char *label, + + attr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT); + INSIST(attr != NULL); +- if (pk11_numbits(attr->pValue, attr->ulValueLen) > RSA_MAX_PUBEXP_BITS) ++ ++ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits); ++ if (ret != ISC_R_SUCCESS) { ++ goto err; ++ } ++ if (bits > RSA_MAX_PUBEXP_BITS) { + DST_RET(ISC_R_RANGE); ++ } + + attr = pk11_attribute_bytype(rsa, CKA_MODULUS); + INSIST(attr != NULL); +- key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen); ++ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits); ++ if (ret != ISC_R_SUCCESS) { ++ goto err; ++ } ++ key->key_size = bits; + + pk11_return_session(pk11_ctx); + isc_safe_memwipe(pk11_ctx, 
sizeof(*pk11_ctx)); +diff --git a/lib/isc/include/pk11/internal.h b/lib/isc/include/pk11/internal.h +index 603712a..b9680bc 100644 +--- a/lib/isc/include/pk11/internal.h ++++ b/lib/isc/include/pk11/internal.h +@@ -27,7 +27,8 @@ void pk11_mem_put(void *ptr, size_t size); + + CK_SLOT_ID pk11_get_best_token(pk11_optype_t optype); + +-unsigned int pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt); ++isc_result_t ++pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt, unsigned int *bits); + + CK_ATTRIBUTE *pk11_attribute_first(const pk11_object_t *obj); + +diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c +index 4b85527..9c450da 100644 +--- a/lib/isc/pk11.c ++++ b/lib/isc/pk11.c +@@ -982,13 +982,15 @@ pk11_get_best_token(pk11_optype_t optype) { + return (token->slotid); + } + +-unsigned int +-pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt) { ++isc_result_t ++pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt, unsigned int *bits) { + unsigned int bitcnt, i; + CK_BYTE top; + +- if (bytecnt == 0) +- return (0); ++ if (bytecnt == 0) { ++ *bits = 0; ++ return (ISC_R_SUCCESS); ++ } + bitcnt = bytecnt * 8; + for (i = 0; i < bytecnt; i++) { + top = data[i]; +@@ -996,26 +998,41 @@ pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt) { + bitcnt -= 8; + continue; + } +- if (top & 0x80) +- return (bitcnt); +- if (top & 0x40) +- return (bitcnt - 1); +- if (top & 0x20) +- return (bitcnt - 2); +- if (top & 0x10) +- return (bitcnt - 3); +- if (top & 0x08) +- return (bitcnt - 4); +- if (top & 0x04) +- return (bitcnt - 5); +- if (top & 0x02) +- return (bitcnt - 6); +- if (top & 0x01) +- return (bitcnt - 7); ++ if (top & 0x80) { ++ *bits = bitcnt; ++ return (ISC_R_SUCCESS); ++ } ++ if (top & 0x40) { ++ *bits = bitcnt - 1; ++ return (ISC_R_SUCCESS); ++ } ++ if (top & 0x20) { ++ *bits = bitcnt - 2; ++ return (ISC_R_SUCCESS); ++ } ++ if (top & 0x10) { ++ *bits = bitcnt - 3; ++ return (ISC_R_SUCCESS); ++ } ++ if (top & 0x08) { ++ *bits = bitcnt - 4; ++ return (ISC_R_SUCCESS); ++ } ++ if 
(top & 0x04) { ++ *bits = bitcnt - 5; ++ return (ISC_R_SUCCESS); ++ } ++ if (top & 0x02) { ++ *bits = bitcnt - 6; ++ return (ISC_R_SUCCESS); ++ } ++ if (top & 0x01) { ++ *bits = bitcnt - 7; ++ return (ISC_R_SUCCESS); ++ } + break; + } +- INSIST(0); +- ISC_UNREACHABLE(); ++ return (ISC_R_RANGE); + } + + CK_ATTRIBUTE * +-- +2.26.2 + diff --git a/SOURCES/bind-9.11-CVE-2020-8624-test.patch b/SOURCES/bind-9.11-CVE-2020-8624-test.patch new file mode 100644 index 0000000..288d916 --- /dev/null +++ b/SOURCES/bind-9.11-CVE-2020-8624-test.patch 
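Review bot: In the pkcs11rsa_verify hunk the new `unsigned int bits;` sits directly after `case CKA_PUBLIC_EXPONENT:`; before C23 a label must be followed by a statement, not a declaration, so whether this compiles is toolchain-dependent (older GCC and Clang releases reject it outright, newer ones accept it), and it is a portability problem in a package that builds named-pkcs11. The other functions the same patch touches (pkcs11rsa_fetch, pkcs11rsa_parse, pkcs11rsa_fromlabel, pkcs11dh_parse, pkcs11dsa_parse) declare `bits` alongside the function's other locals, and pkcs11rsa_verify should do the same: drop the line after the label and add `unsigned int bits;` to the declarations at the top of the function, which lie outside this hunk; the mid-case declaration in pkcs11rsa_createctx_verify is legal because it follows a statement, but hoisting it too would keep the patch consistent. The new prototype in pk11/internal.h also gains no comment although the contract changed; a note such as `/* Bit length of the big-endian integer in data: *bits is 0 when bytecnt == 0; ISC_R_RANGE when every byte is zero. */` would document what the callers now map to DST_R_VERIFYFAILURE, ISC_R_RANGE or a goto to their cleanup label. The pk11_numbits body shown is complete, but every other function in this patch starts and ends outside its hunk.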
@@ -0,0 +1,152 @@ +From 221fb11e658e7dea1be6dbfd25e149f2d131e4fb Mon Sep 17 00:00:00 2001 +From: Mark Andrews +Date: Wed, 29 Jul 2020 23:36:03 +1000 +Subject: [PATCH] Add a test for update-policy 'subdomain' + +The new test checks that 'update-policy subdomain' is properly enforced. + +(cherry picked from commit 393e8f643c02215fa4e6d4edf67be7d77085da0e) + +Add a test for update-policy 'zonesub' + +The new test checks that 'update-policy zonesub' is properly enforced. + +(cherry picked from commit 58e560beb50873c699f3431cf57e215dc645d7aa) +--- + bin/tests/system/nsupdate/ns1/named.conf.in | 12 +++++ + bin/tests/system/nsupdate/tests.sh | 60 +++++++++++++++++++-- + 2 files changed, 68 insertions(+), 4 deletions(-) + +diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in +index 26b6b7c9ab..540a984842 100644 +--- a/bin/tests/system/nsupdate/ns1/named.conf.in ++++ b/bin/tests/system/nsupdate/ns1/named.conf.in +@@ -36,6 +36,16 @@ key altkey { + secret "1234abcd8765"; + }; + ++key restricted.example.nil { ++ algorithm hmac-md5; ++ secret "1234abcd8765"; ++}; ++ ++key zonesub-key.example.nil { ++ algorithm hmac-md5; ++ secret "1234subk8765"; ++}; ++ + include "ddns.key"; + + zone "example.nil" { +@@ -44,7 +54,9 @@ zone "example.nil" { + check-integrity no; + check-mx ignore; + update-policy { ++ grant zonesub-key.example.nil zonesub TXT; + grant ddns-key.example.nil subdomain example.nil ANY; ++ grant restricted.example.nil subdomain restricted.example.nil ANY; + }; + allow-transfer { any; }; + }; +diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh +index b08c5220e7..5f09e8c5bf 100755 +--- a/bin/tests/system/nsupdate/tests.sh ++++ b/bin/tests/system/nsupdate/tests.sh +@@ -428,7 +428,7 @@ EOF + # this also proves that the server is still running. 
+ $DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocmd +norec example.\ + @10.53.0.3 nsec3param > dig.out.ns3.$n || ret=1 +-grep "ANSWER: 0" dig.out.ns3.$n > /dev/null || ret=1 ++grep "ANSWER: 0," dig.out.ns3.$n > /dev/null || ret=1 + grep "flags:[^;]* aa[ ;]" dig.out.ns3.$n > /dev/null || ret=1 + [ $ret = 0 ] || { echo_i "failed"; status=1; } + +@@ -443,7 +443,7 @@ EOF + + $DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocmd +norec nsec3param.test.\ + @10.53.0.3 nsec3param > dig.out.ns3.$n || ret=1 +-grep "ANSWER: 1" dig.out.ns3.$n > /dev/null || ret=1 ++grep "ANSWER: 1," dig.out.ns3.$n > /dev/null || ret=1 + grep "3600.*NSEC3PARAM" dig.out.ns3.$n > /dev/null || ret=1 + grep "flags:[^;]* aa[ ;]" dig.out.ns3.$n > /dev/null || ret=1 + [ $ret = 0 ] || { echo_i "failed"; status=1; } +@@ -460,7 +460,7 @@ EOF + _ret=1 + for i in 0 1 2 3 4 5 6 7 8 9; do + $DIG $DIGOPTS +tcp +norec +time=1 +tries=1 @10.53.0.3 nsec3param.test. NSEC3PARAM > dig.out.ns3.$n || _ret=1 +- if grep "ANSWER: 2" dig.out.ns3.$n > /dev/null; then ++ if grep "ANSWER: 2," dig.out.ns3.$n > /dev/null; then + _ret=0 + break + fi +@@ -485,7 +485,7 @@ EOF + _ret=1 + for i in 0 1 2 3 4 5 6 7 8 9; do + $DIG $DIGOPTS +tcp +norec +time=1 +tries=1 @10.53.0.3 nsec3param.test. NSEC3PARAM > dig.out.ns3.$n || _ret=1 +- if grep "ANSWER: 1" dig.out.ns3.$n > /dev/null; then ++ if grep "ANSWER: 1," dig.out.ns3.$n > /dev/null; then + _ret=0 + break + fi +@@ -631,6 +631,58 @@ then + echo_i "failed"; status=1 + fi + ++n=`expr $n + 1` ++ret=0 ++echo_i "check that 'update-policy subdomain' is properly enforced ($n)" ++# "restricted.example.nil" matches "grant ... subdomain restricted.example.nil" ++# and thus this UPDATE should succeed. ++$NSUPDATE -d < nsupdate.out1-$n 2>&1 || ret=1 ++server 10.53.0.1 ${PORT} ++key restricted.example.nil 1234abcd8765 ++update add restricted.example.nil 0 IN TXT everywhere. 
++send ++END ++$DIG $DIGOPTS +tcp @10.53.0.1 restricted.example.nil TXT > dig.out.1.test$n || ret=1 ++grep "TXT.*everywhere" dig.out.1.test$n > /dev/null || ret=1 ++# "example.nil" does not match "grant ... subdomain restricted.example.nil" and ++# thus this UPDATE should fail. ++$NSUPDATE -d < nsupdate.out2-$n 2>&1 && ret=1 ++server 10.53.0.1 ${PORT} ++key restricted.example.nil 1234abcd8765 ++update add example.nil 0 IN TXT everywhere. ++send ++END ++$DIG $DIGOPTS +tcp @10.53.0.1 example.nil TXT > dig.out.2.test$n || ret=1 ++grep "TXT.*everywhere" dig.out.2.test$n > /dev/null && ret=1 ++[ $ret = 0 ] || { echo_i "failed"; status=1; } ++ ++n=`expr $n + 1` ++ret=0 ++echo_i "check that 'update-policy zonesub' is properly enforced ($n)" ++# grant zonesub-key.example.nil zonesub TXT; ++# the A record update should be rejected as it is not in the type list ++$NSUPDATE -d < nsupdate.out1-$n 2>&1 && ret=1 ++server 10.53.0.1 ${PORT} ++key zonesub-key.example.nil 1234subk8765 ++update add zonesub.example.nil 0 IN A 1.2.3.4 ++send ++END ++$DIG $DIGOPTS +tcp @10.53.0.1 zonesub.example.nil A > dig.out.1.test$n || ret=1 ++grep "status: REFUSED" nsupdate.out1-$n > /dev/null || ret=1 ++grep "ANSWER: 0," dig.out.1.test$n > /dev/null || ret=1 ++# the TXT record update should be accepted as it is in the type list ++$NSUPDATE -d < nsupdate.out2-$n 2>&1 || ret=1 ++server 10.53.0.1 ${PORT} ++key zonesub-key.example.nil 1234subk8765 ++update add zonesub.example.nil 0 IN TXT everywhere. ++send ++END ++$DIG $DIGOPTS +tcp @10.53.0.1 zonesub.example.nil TXT > dig.out.2.test$n || ret=1 ++grep "status: REFUSED" nsupdate.out2-$n > /dev/null && ret=1 ++grep "ANSWER: 1," dig.out.2.test$n > /dev/null || ret=1 ++grep "TXT.*everywhere" dig.out.2.test$n > /dev/null || ret=1 ++[ $ret = 0 ] || { echo_i "failed"; status=1; } ++ + n=`expr $n + 1` + ret=0 + echo_i "check that changes to the DNSKEY RRset TTL do not have side effects ($n)" +-- +2.26.2 + 
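Review bot: The negative case of the new 'update-policy subdomain' test (the `$NSUPDATE ... && ret=1` invocation that updates example.nil) only asserts that nsupdate exited non-zero, so a failure for an unrelated reason (server unreachable, key not found) would pass as a correct rejection; the zonesub test immediately below pins the cause with `grep "status: REFUSED" nsupdate.out1-$n > /dev/null || ret=1`. Adding the equivalent line after the second nsupdate of the subdomain test, `grep "status: REFUSED" nsupdate.out2-$n > /dev/null || ret=1`, makes both cases assert the same thing. The heredoc redirections appear here as `< nsupdate.out1-$n`, which presumably lost a `<<END >` in extraction rather than in the patch itself.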
diff --git a/SOURCES/bind-9.11-CVE-2020-8624.patch b/SOURCES/bind-9.11-CVE-2020-8624.patch
new file mode 100644
index 0000000..225298d
--- /dev/null
+++ b/SOURCES/bind-9.11-CVE-2020-8624.patch
@@ -0,0 +1,32 @@
+From e2aae621408c7622d094f13a67b928f911a2793b Mon Sep 17 00:00:00 2001
+From: Petr Mensik
+Date: Tue, 18 Aug 2020 10:55:50 +0200
+Subject: [PATCH] Fix CVE-2020-8624
+
+5481. [security] "update-policy" rules of type "subdomain" were
+ incorrectly treated as "zonesub" rules, which allowed
+ keys used in "subdomain" rules to update names outside
+ of the specified subdomains. The problem was fixed by
+ making sure "subdomain" rules are again processed as
+ described in the ARM. (CVE-2020-8624) [GL #2055]
+---
+ bin/named/zoneconf.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
+index 55f191b..b77a07c 100644
+--- a/bin/named/zoneconf.c
++++ b/bin/named/zoneconf.c
+@@ -239,7 +239,8 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone,
+
+ str = cfg_obj_asstring(matchtype);
+ CHECK(dns_ssu_mtypefromstring(str, &mtype));
+- if (mtype == dns_ssumatchtype_subdomain) {
++ if (mtype == dns_ssumatchtype_subdomain &&
++ strcasecmp(str, "zonesub") == 0) {
+ usezone = true;
+ }
+
+--
+2.26.2
+
diff --git a/SOURCES/bind-9.11-export-isc-config.patch b/SOURCES/bind-9.11-export-isc-config.patch
deleted file mode 100644
index fd5622c..0000000
--- a/SOURCES/bind-9.11-export-isc-config.patch
+++ /dev/null
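Review bot: The added condition `mtype == dns_ssumatchtype_subdomain && strcasecmp(str, "zonesub") == 0` tells the two rule types apart by the configuration keyword rather than by the enum, which implies (not visible here) that dns_ssu_mtypefromstring() maps both "subdomain" and "zonesub" to dns_ssumatchtype_subdomain; nothing at the site records that, so a later reader could "simplify" it back to the enum-only test that caused the bug. A comment above the if, such as `/* "subdomain" and "zonesub" share dns_ssumatchtype_subdomain; only "zonesub" is relative to the zone name, so the keyword must be checked. */`, would keep the reasoning with the code. configure_zone_ssutable() continues outside the hunk, and whether a header providing strcasecmp is already included cannot be seen from here.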
@@ -1,35 +0,0 @@ -diff --git a/export-libs/Makefile b/export-libs/Makefile -index df15ea8..13f416b 100644 ---- a/export-libs/Makefile -+++ b/export-libs/Makefile -@@ -404,20 +404,18 @@ installdirs: - $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1 - - install:: isc-config.sh installdirs -- ${INSTALL_SCRIPT} isc-config.sh ${DESTDIR}${bindir} -- rm -f ${DESTDIR}${bindir}/bind9-config -- ln ${DESTDIR}${bindir}/isc-config.sh ${DESTDIR}${bindir}/bind9-config -- ${INSTALL_DATA} ${top_srcdir}/isc-config.sh.1 ${DESTDIR}${mandir}/man1 -- rm -f ${DESTDIR}${mandir}/man1/bind9-config.1 -- ln ${DESTDIR}${mandir}/man1/isc-config.sh.1 ${DESTDIR}${mandir}/man1/bind9-config.1 -- ${INSTALL_DATA} ${top_srcdir}/bind.keys ${DESTDIR}${sysconfdir} -+ ${INSTALL_SCRIPT} isc-config.sh ${DESTDIR}${bindir}/isc-export-config.sh -+ rm -f ${DESTDIR}${bindir}/bind9-export-config -+ ln ${DESTDIR}${bindir}/isc-export-config.sh ${DESTDIR}${bindir}/bind9-export-config -+ ${INSTALL_DATA} ${top_srcdir}/isc-config.sh.1 ${DESTDIR}${mandir}/man1/isc-export-config.sh.1 -+ rm -f ${DESTDIR}${mandir}/man1/bind9-export-config.1 -+ ln ${DESTDIR}${mandir}/man1/isc-export-config.sh.1 ${DESTDIR}${mandir}/man1/bind9-export-config.1 - - uninstall:: -- rm -f ${DESTDIR}${sysconfdir}/bind.keys -- rm -f ${DESTDIR}${mandir}/man1/bind9-config.1 -- rm -f ${DESTDIR}${mandir}/man1/isc-config.sh.1 -- rm -f ${DESTDIR}${bindir}/bind9-config -- rm -f ${DESTDIR}${bindir}/isc-config.sh -+ rm -f ${DESTDIR}${mandir}/man1/bind9-export-config.1 -+ rm -f ${DESTDIR}${mandir}/man1/isc-export-config.sh.1 -+ rm -f ${DESTDIR}${bindir}/bind9-export-config -+ rm -f ${DESTDIR}${bindir}/isc-export-config.sh - - tags: - rm -f TAGS diff --git a/SOURCES/bind-9.11-kyua-pkcs11.patch b/SOURCES/bind-9.11-kyua-pkcs11.patch index ac15d22..9cfa618 100644 --- a/SOURCES/bind-9.11-kyua-pkcs11.patch +++ b/SOURCES/bind-9.11-kyua-pkcs11.patch 
@@ -1,4 +1,4 @@ -From eb38d2278937ec3fe45d0af30cd080953bbb5b54 Mon Sep 17 00:00:00 2001 +From a9b5785f174cf7fd74891fa64f6b69b9a9b55466 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Tue, 2 Jan 2018 18:13:07 +0100 Subject: [PATCH] Fix pkcs11 variants atf tests @@ -16,10 +16,10 @@ Add pkcs11 Kyuafile, fix dh_test to pass in pkcs11 mode 6 files changed, 38 insertions(+), 16 deletions(-) diff --git a/configure.ac b/configure.ac -index 0532feb..a83ddd5 100644 +index 62ecf56..0940a7d 100644 --- a/configure.ac +++ b/configure.ac -@@ -5578,6 +5578,7 @@ AC_CONFIG_FILES([ +@@ -5476,6 +5476,7 @@ AC_CONFIG_FILES([ lib/dns-pkcs11/include/Makefile lib/dns-pkcs11/include/dns/Makefile lib/dns-pkcs11/include/dst/Makefile @@ -43,13 +43,13 @@ index 7c8bab0..eec9564 100644 include('isccfg/Kyuafile') include('lwres/Kyuafile') diff --git a/lib/dns-pkcs11/tests/Makefile.in b/lib/dns-pkcs11/tests/Makefile.in -index 7671e1d..e237d5c 100644 +index 22a06a8..5df5b15 100644 --- a/lib/dns-pkcs11/tests/Makefile.in +++ b/lib/dns-pkcs11/tests/Makefile.in @@ -17,12 +17,12 @@ VERSION=@BIND9_VERSION@ CINCLUDES = -I. -Iinclude ${DNS_INCLUDES} ${ISC_INCLUDES} \ - @DST_OPENSSL_INC@ + @DST_OPENSSL_INC@ ${MAXMINDDB_CFLAGS} -CDEFINES = @CRYPTO@ -DTESTS="\"${top_builddir}/lib/dns/tests/\"" +CDEFINES = @CRYPTO_PK11@ -DTESTS="\"${top_builddir}/lib/dns-pkcs11/tests/\"" @@ -65,10 +65,10 @@ index 7671e1d..e237d5c 100644 LIBS = @LIBS@ @CMOCKA_LIBS@ CFLAGS = @CFLAGS@ @CMOCKA_CFLAGS@ diff --git a/lib/dns-pkcs11/tests/dh_test.c b/lib/dns-pkcs11/tests/dh_test.c -index 4dbfd82..a383b8e 100644 +index a5bf46c..9ff2b76 100644 --- a/lib/dns-pkcs11/tests/dh_test.c +++ b/lib/dns-pkcs11/tests/dh_test.c -@@ -86,7 +86,8 @@ dh_computesecret(void **state) { +@@ -88,7 +88,8 @@ dh_computesecret(void **state) { result = dst_key_computesecret(key, key, &buf); assert_int_equal(result, DST_R_NOTPRIVATEKEY); result = key->func->computesecret(key, key, &buf); 
@@ -79,7 +79,7 @@ index 4dbfd82..a383b8e 100644 dst_key_free(&key); } diff --git a/lib/isc-pkcs11/tests/Makefile.in b/lib/isc-pkcs11/tests/Makefile.in -index 2fdee0b..a263b35 100644 +index 36d2207..00dfbc9 100644 --- a/lib/isc-pkcs11/tests/Makefile.in +++ b/lib/isc-pkcs11/tests/Makefile.in @@ -16,10 +16,10 @@ VERSION=@BIND9_VERSION@ @@ -97,10 +97,10 @@ index 2fdee0b..a263b35 100644 LIBS = @LIBS@ @CMOCKA_LIBS@ CFLAGS = @CFLAGS@ @CMOCKA_CFLAGS@ diff --git a/lib/isc-pkcs11/tests/hash_test.c b/lib/isc-pkcs11/tests/hash_test.c -index 9c4d299..d9deba2 100644 +index 4fafc38..5eb2be2 100644 --- a/lib/isc-pkcs11/tests/hash_test.c +++ b/lib/isc-pkcs11/tests/hash_test.c -@@ -85,7 +85,7 @@ typedef struct hash_testcase { +@@ -84,7 +84,7 @@ typedef struct hash_testcase { typedef struct hash_test_key { const char *key; @@ -109,7 +109,7 @@ index 9c4d299..d9deba2 100644 } hash_test_key_t; /* non-hmac tests */ -@@ -956,8 +956,11 @@ isc_hmacsha1_test(void **state) { +@@ -955,8 +955,11 @@ isc_hmacsha1_test(void **state) { hash_test_key_t *test_key = test_keys; while (testcase->input != NULL && testcase->result != NULL) { @@ -122,7 +122,7 @@ index 9c4d299..d9deba2 100644 isc_hmacsha1_update(&hmacsha1, (const uint8_t *) testcase->input, testcase->input_len); -@@ -1116,8 +1119,11 @@ isc_hmacsha224_test(void **state) { +@@ -1115,8 +1118,11 @@ isc_hmacsha224_test(void **state) { hash_test_key_t *test_key = test_keys; while (testcase->input != NULL && testcase->result != NULL) { @@ -135,7 +135,7 @@ index 9c4d299..d9deba2 100644 isc_hmacsha224_update(&hmacsha224, (const uint8_t *) testcase->input, testcase->input_len); -@@ -1277,8 +1283,11 @@ isc_hmacsha256_test(void **state) { +@@ -1276,8 +1282,11 @@ isc_hmacsha256_test(void **state) { hash_test_key_t *test_key = test_keys; while (testcase->input != NULL && testcase->result != NULL) { 
@@ -148,7 +148,7 @@ index 9c4d299..d9deba2 100644 isc_hmacsha256_update(&hmacsha256, (const uint8_t *) testcase->input, testcase->input_len); -@@ -1444,8 +1453,11 @@ isc_hmacsha384_test(void **state) { +@@ -1443,8 +1452,11 @@ isc_hmacsha384_test(void **state) { hash_test_key_t *test_key = test_keys; while (testcase->input != NULL && testcase->result != NULL) { @@ -161,7 +161,7 @@ index 9c4d299..d9deba2 100644 isc_hmacsha384_update(&hmacsha384, (const uint8_t *) testcase->input, testcase->input_len); -@@ -1611,8 +1623,11 @@ isc_hmacsha512_test(void **state) { +@@ -1610,8 +1622,11 @@ isc_hmacsha512_test(void **state) { hash_test_key_t *test_key = test_keys; while (testcase->input != NULL && testcase->result != NULL) { @@ -174,7 +174,7 @@ index 9c4d299..d9deba2 100644 isc_hmacsha512_update(&hmacsha512, (const uint8_t *) testcase->input, testcase->input_len); -@@ -1755,8 +1770,11 @@ isc_hmacmd5_test(void **state) { +@@ -1754,8 +1769,11 @@ isc_hmacmd5_test(void **state) { hash_test_key_t *test_key = test_keys; while (testcase->input != NULL && testcase->result != NULL) { @@ -188,5 +188,5 @@ index 9c4d299..d9deba2 100644 (const uint8_t *) testcase->input, testcase->input_len); -- -2.20.1 +2.21.1 diff --git a/SOURCES/bind-9.11-rh1624100.patch b/SOURCES/bind-9.11-rh1624100.patch index 5764ed7..0775820 100644 --- a/SOURCES/bind-9.11-rh1624100.patch +++ b/SOURCES/bind-9.11-rh1624100.patch @@ -1,4 +1,4 @@ -From 76594cba9a1e910bb36160d96fc3872349341799 Mon Sep 17 00:00:00 2001 +From f27598743ab6e03271e26f23da4beba748d19c60 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= Date: Wed, 25 Apr 2018 14:04:31 +0200 Subject: [PATCH] Replace isc_safe routines with their OpenSSL counter parts @@ -24,10 +24,10 @@ Fix the isc_safe_memwipe() usage with (NULL, >0) delete mode 100644 lib/isc/safe.c diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c -index 6ddaebe..d921870 100644 +index 6dded0c..a9c5557 100644 --- a/bin/dnssec/dnssec-signzone.c 
+++ b/bin/dnssec/dnssec-signzone.c -@@ -787,7 +787,7 @@ hashlist_add_dns_name(hashlist_t *l, /*const*/ dns_name_t *name, +@@ -784,7 +784,7 @@ hashlist_add_dns_name(hashlist_t *l, /*const*/ dns_name_t *name, static int hashlist_comp(const void *a, const void *b) { @@ -81,7 +81,7 @@ index ad77f24..670982a 100644 /* accept_sec_context.c */ diff --git a/lib/isc/Makefile.in b/lib/isc/Makefile.in -index 0fd0837..8ad54bb 100644 +index 149552a..8529a86 100644 --- a/lib/isc/Makefile.in +++ b/lib/isc/Makefile.in @@ -60,7 +60,7 @@ OBJS = @ISC_EXTRA_OBJS@ @ISC_PK11_O@ @ISC_PK11_RESULT_O@ \ @@ -91,7 +91,7 @@ index 0fd0837..8ad54bb 100644 - safe.@O@ serial.@O@ siphash.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \ + serial.@O@ siphash.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \ string.@O@ strtoul.@O@ symtab.@O@ task.@O@ taskpool.@O@ \ - tm.@O@ timer.@O@ version.@O@ \ + tm.@O@ timer.@O@ utf8.@O@ version.@O@ \ ${UNIXOBJS} ${NLSOBJS} ${THREADOBJS} @@ -79,7 +79,7 @@ SRCS = @ISC_EXTRA_SRCS@ @ISC_PK11_C@ @ISC_PK11_RESULT_C@ \ netaddr.c netscope.c pool.c ondestroy.c \ @@ -100,7 +100,7 @@ index 0fd0837..8ad54bb 100644 - safe.c serial.c siphash.c sha1.c sha2.c sockaddr.c stats.c string.c \ + serial.c siphash.c sha1.c sha2.c sockaddr.c stats.c string.c \ strtoul.c symtab.c task.c taskpool.c timer.c \ - tm.c version.c + tm.c utf8.c version.c @@ -95,10 +95,6 @@ TESTDIRS = @UNITTESTS@ @@ -284,5 +284,5 @@ index 266ac75..60e9181 100644 return (cmocka_run_group_tests(tests, NULL, NULL)); -- -2.20.1 +2.26.2 diff --git a/SOURCES/bind-9.11-rh1790879.patch b/SOURCES/bind-9.11-rh1790879.patch deleted file mode 100644 index 7f44fee..0000000 --- a/SOURCES/bind-9.11-rh1790879.patch +++ /dev/null 
@@ -1,65 +0,0 @@ -From f9a37643528dc83b981156d0a1cf52e3d9a38322 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= -Date: Mon, 2 Dec 2019 15:15:06 +0100 -Subject: [PATCH] Fix GeoIP2 memory leak upon reconfiguration - -Loaded GeoIP2 databases are only released when named is shut down, but -not during server reconfiguration. This causes memory to be leaked -every time "rndc reconfig" or "rndc reload" is used, as long as any -GeoIP2 database is in use. Fix by releasing any loaded GeoIP2 databases -before reloading them. Do not call dns_geoip_shutdown() until server -shutdown as that function releases the memory context used for caching -GeoIP2 lookup results. - -(cherry picked from commit 670afbe84a87e202fa795079d9d6d1639bcf391d) -(cherry picked from commit 95a5589fa2ac3956fecfef780158a2745718c860) ---- - bin/named/geoip.c | 2 -- - bin/named/server.c | 6 ++++++ - 2 files changed, 6 insertions(+), 2 deletions(-) - -diff --git a/bin/named/geoip.c b/bin/named/geoip.c -index d560f8fbcf..0b11f6b803 100644 ---- a/bin/named/geoip.c -+++ b/bin/named/geoip.c -@@ -243,6 +243,4 @@ ns_geoip_shutdown(void) { - ns_g_geoip->domain = NULL; - } - #endif /* HAVE_GEOIP2 */ -- -- dns_geoip_shutdown(); - } -diff --git a/bin/named/server.c b/bin/named/server.c -index ebe7ad4702..4d7d2210ff 100644 ---- a/bin/named/server.c -+++ b/bin/named/server.c -@@ -72,6 +72,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -7684,6 +7685,10 @@ load_configuration(const char *filename, ns_server_t *server, - isc__socketmgr_setreserved(ns_g_socketmgr, reserved); - - #if defined(HAVE_GEOIP) || defined(HAVE_GEOIP2) -+ /* -+ * Release any previously opened GeoIP2 databases. -+ */ -+ ns_geoip_shutdown(); - /* - * Initialize GeoIP databases from the configured location. 
- * This should happen before configuring any ACLs, so that we
-@@ -9030,6 +9035,7 @@ shutdown_server(isc_task_t *task, isc_event_t *event) {
- #endif
- #if defined(HAVE_GEOIP) || defined(HAVE_GEOIP2)
- ns_geoip_shutdown();
-+ dns_geoip_shutdown();
- #endif /* HAVE_GEOIP || HAVE_GEOIP2 */
-
- dns_db_detach(&server->in_roothints);
---
-2.21.1
-
diff --git a/SOURCES/bind-9.11-rh1859454.patch b/SOURCES/bind-9.11-rh1859454.patch
new file mode 100644
index 0000000..df0ff19
--- /dev/null
+++ b/SOURCES/bind-9.11-rh1859454.patch
@@ -0,0 +1,31 @@
+From 30753514ac06111da5b677fe7cdbafd696b1d620 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
+Date: Wed, 22 Jul 2020 18:55:02 +0200
+Subject: [PATCH] Prevent crash on dst initialization failure
+
+server might be created, but not yet fully initialized, when fatal
+function is called. Check both server and task before attaching
+exclusive task.
+
+(cherry picked from commit c5e7152cf04f75d0fe00163f076f4cc3cafce259)
+(cherry picked from commit 35fbfaa4981333286437f26557db26863d4c5299)
+---
+ bin/named/server.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/bin/named/server.c b/bin/named/server.c
+index 3cd8daf99e..38780ad3d7 100644
+--- a/bin/named/server.c
++++ b/bin/named/server.c
+@@ -9341,7 +9341,7 @@ ns_server_destroy(ns_server_t **serverp) {
+
+ static void
+ fatal(ns_server_t *server, const char *msg, isc_result_t result) {
+- if (server != NULL) {
++ if (server != NULL && server->task != NULL) {
+ /*
+ * Prevent races between the OpenSSL on_exit registered
+ * function and any other OpenSSL calls from other tasks
+--
+2.26.2
+
diff --git a/SOURCES/bind-9.11-rh1865785.patch b/SOURCES/bind-9.11-rh1865785.patch
deleted file mode 100644
index 7846798..0000000
--- a/SOURCES/bind-9.11-rh1865785.patch
+++ /dev/null
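Review bot: The new guard `if (server != NULL && server->task != NULL)` in fatal() silently skips the exclusive-task block when the task does not exist yet, and nothing at the site says when that state occurs; the only explanation is the commit message (the server exists but is not fully initialized, e.g. on dst initialization failure). A comment on the condition, such as `/* server->task is NULL if fatal() runs before the server is fully initialized, e.g. on dst initialization failure */`, would keep that reasoning next to the check. The rest of fatal(), including what the skipped path does instead, lies outside the hunk.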
@@ -1,90 +0,0 @@ -From 7e2d9531a79d289ee99dd436da14efb6d9a505fc Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= -Date: Wed, 3 Jun 2020 14:42:11 +0200 -Subject: [PATCH] Change the invalid CIDR from parser error to warning - -In [RT #43367], the BIND 9 changed the strictness of address / prefix -length checks: - - Check prefixes in acls to make sure the address and - prefix lengths are consistent. Warn only in - BIND 9.11 and earlier. - -Unfortunately, a regression slipped in and the check was made an error -also in the BIND 9.11. This commit fixes the regression, but turning -the error into a warning. ---- - bin/tests/system/checkconf/tests.sh | 9 +++++++++ - ...conf => warn-address-prefix-length-mismatch.conf} | 12 ++++++++++-- - lib/isccfg/parser.c | 9 --------- - util/copyrights | 2 +- - 4 files changed, 20 insertions(+), 12 deletions(-) - rename bin/tests/system/checkconf/{bad-ipv4-prefix-dotted2.conf => warn-address-prefix-length-mismatch.conf} (70%) - -diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh -index 85fb4839e9..d2b0daa35c 100644 ---- a/bin/tests/system/checkconf/tests.sh -+++ b/bin/tests/system/checkconf/tests.sh -@@ -386,6 +386,15 @@ grep "dlv.isc.org has been shut down" < checkconf.out$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi - status=`expr $status + $ret` - -+n=`expr $n + 1` -+echo_i "check that invalid address/prefix length generates a warning ($n)" -+ret=0 -+$CHECKCONF warn-address-prefix-length-mismatch.conf > checkconf.out$n 2>/dev/null || ret=1 -+LINES=$(grep -c "address/prefix length mismatch" < checkconf.out$n) || ret=1 -+[ "$LINES" -eq 8 ] || ret=1 -+if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi -+status=`expr $status + $ret` -+ - n=`expr $n + 1` - echo_i "check that 'dnssec-lookaside . 
trust-anchor dlv.example.com;' doesn't generates a warning ($n)" - ret=0 -diff --git a/bin/tests/system/checkconf/bad-ipv4-prefix-dotted2.conf b/bin/tests/system/checkconf/warn-address-prefix-length-mismatch.conf -similarity index 70% -rename from bin/tests/system/checkconf/bad-ipv4-prefix-dotted2.conf -rename to bin/tests/system/checkconf/warn-address-prefix-length-mismatch.conf -index 2c768c7e1a..5e3bc3f6ee 100644 ---- a/bin/tests/system/checkconf/bad-ipv4-prefix-dotted2.conf -+++ b/bin/tests/system/checkconf/warn-address-prefix-length-mismatch.conf -@@ -9,6 +9,14 @@ - * information regarding copyright ownership. - */ - --acl myacl { -- 127.1/8; /* No-zero bits */ -+zone example { -+ type master; -+ file "example.db"; -+ auto-dnssec maintain; -+ allow-update { -+ 192.0.2.64/24; -+ 192.0.2.128/24; -+ 198.51.100.255/24; -+ 203.0.113.2/24; -+ }; - }; -diff --git a/lib/isccfg/parser.c b/lib/isccfg/parser.c -index e2af054661..44a1dfc37a 100644 ---- a/lib/isccfg/parser.c -+++ b/lib/isccfg/parser.c -@@ -2634,15 +2634,6 @@ cfg_parse_netprefix(cfg_parser_t *pctx, const cfg_type_t *type, - "invalid prefix length"); - return (ISC_R_RANGE); - } -- result = isc_netaddr_prefixok(&netaddr, prefixlen); -- if (result != ISC_R_SUCCESS) { -- char buf[ISC_NETADDR_FORMATSIZE + 1]; -- isc_netaddr_format(&netaddr, buf, sizeof(buf)); -- cfg_parser_error(pctx, CFG_LOG_NOPREP, -- "'%s/%u': address/prefix length " -- "mismatch", buf, prefixlen); -- return (ISC_R_FAILURE); -- } - } else { - if (expectprefix) { - cfg_parser_error(pctx, CFG_LOG_NEAR, --- -GitLab - diff --git a/SOURCES/bind-9.11-rt31459.patch b/SOURCES/bind-9.11-rt31459.patch index ea25abe..266f78c 100644 --- a/SOURCES/bind-9.11-rt31459.patch +++ b/SOURCES/bind-9.11-rt31459.patch @@ -1,4 +1,4 @@ -From 7e61714a5d1509ec79af42391e41eb1afc53063a Mon Sep 17 00:00:00 2001 +From 5c29299e43db5a4e6f8b1b07af84dfe1687c4c2b Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Tue, 12 Sep 2017 19:05:46 -0700 Subject: [PATCH] rebased rt31459c 
@@ -71,10 +71,10 @@ index 5015abb..295e16f 100644 &entropy_source, randomfile, diff --git a/bin/dnssec/dnssec-dsfromkey.c b/bin/dnssec/dnssec-dsfromkey.c -index 2c0c308..3e585af 100644 +index d9d6bb9..de4b15f 100644 --- a/bin/dnssec/dnssec-dsfromkey.c +++ b/bin/dnssec/dnssec-dsfromkey.c -@@ -494,14 +494,14 @@ main(int argc, char **argv) { +@@ -498,14 +498,14 @@ main(int argc, char **argv) { if (ectx == NULL) setup_entropy(mctx, NULL, &ectx); @@ -92,7 +92,7 @@ index 2c0c308..3e585af 100644 isc_entropy_stopcallbacksources(ectx); setup_logging(mctx, &log); -@@ -571,8 +571,8 @@ main(int argc, char **argv) { +@@ -574,8 +574,8 @@ main(int argc, char **argv) { if (dns_rdataset_isassociated(&rdataset)) dns_rdataset_disassociate(&rdataset); cleanup_logging(&log); @@ -103,10 +103,10 @@ index 2c0c308..3e585af 100644 dns_name_destroy(); if (verbose > 10) diff --git a/bin/dnssec/dnssec-importkey.c b/bin/dnssec/dnssec-importkey.c -index 0d1e7f8..79c4d74 100644 +index d65a514..04b3094 100644 --- a/bin/dnssec/dnssec-importkey.c +++ b/bin/dnssec/dnssec-importkey.c -@@ -407,14 +407,14 @@ main(int argc, char **argv) { +@@ -404,14 +404,14 @@ main(int argc, char **argv) { if (ectx == NULL) setup_entropy(mctx, NULL, &ectx); @@ -124,7 +124,7 @@ index 0d1e7f8..79c4d74 100644 isc_entropy_stopcallbacksources(ectx); setup_logging(mctx, &log); -@@ -458,8 +458,8 @@ main(int argc, char **argv) { +@@ -455,8 +455,8 @@ main(int argc, char **argv) { if (dns_rdataset_isassociated(&rdataset)) dns_rdataset_disassociate(&rdataset); cleanup_logging(&log); @@ -167,10 +167,10 @@ index 7d82dbf..10f9359 100644 if (verbose > 10) isc_mem_stats(mctx, stdout); diff --git a/bin/dnssec/dnssec-settime.c b/bin/dnssec/dnssec-settime.c -index f355903..6a2ca59 100644 +index 7afcaee..1cfa511 100644 --- a/bin/dnssec/dnssec-settime.c 
+++ b/bin/dnssec/dnssec-settime.c -@@ -382,14 +382,14 @@ main(int argc, char **argv) { +@@ -380,14 +380,14 @@ main(int argc, char **argv) { if (ectx == NULL) setup_entropy(mctx, NULL, &ectx); @@ -188,7 +188,7 @@ index f355903..6a2ca59 100644 isc_entropy_stopcallbacksources(ectx); if (predecessor != NULL) { -@@ -674,8 +674,8 @@ main(int argc, char **argv) { +@@ -672,8 +672,8 @@ main(int argc, char **argv) { if (prevkey != NULL) dst_key_free(&prevkey); dst_key_free(&key); @@ -199,7 +199,7 @@ index f355903..6a2ca59 100644 if (verbose > 10) isc_mem_stats(mctx, stdout); diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c -index c6a0313..6ddaebe 100644 +index 319a805..27ae4d4 100644 --- a/bin/dnssec/dnssec-signzone.c +++ b/bin/dnssec/dnssec-signzone.c @@ -3460,14 +3460,15 @@ main(int argc, char *argv[]) { @@ -257,7 +257,7 @@ index 4c293bf..3263cbc 100644 rdclass = strtoclass(classname); diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c -index fbc7ece..31a99e7 100644 +index 618ec5b..5654435 100644 --- a/bin/dnssec/dnssectool.c +++ b/bin/dnssec/dnssectool.c @@ -34,6 +34,7 @@ @@ -293,7 +293,7 @@ index fbc7ece..31a99e7 100644 usekeyboard); diff --git a/bin/named/server.c b/bin/named/server.c -index 7d85d3b..c782073 100644 +index 4e503e5..f27071f 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -36,6 +36,7 @@ @@ -304,7 +304,7 @@ index 7d85d3b..c782073 100644 #include #include #include -@@ -8211,6 +8212,10 @@ load_configuration(const char *filename, ns_server_t *server, +@@ -8217,6 +8218,10 @@ load_configuration(const char *filename, ns_server_t *server, "no source of entropy found"); } else { const char *randomdev = cfg_obj_asstring(obj); 
@@ -315,7 +315,7 @@ index 7d85d3b..c782073 100644 int level = ISC_LOG_ERROR; result = isc_entropy_createfilesource(ns_g_entropy, randomdev); -@@ -8245,6 +8250,7 @@ load_configuration(const char *filename, ns_server_t *server, +@@ -8251,6 +8256,7 @@ load_configuration(const char *filename, ns_server_t *server, } isc_entropy_detach(&ns_g_fallbackentropy); } @@ -688,7 +688,7 @@ index bf6dbb6..0416b21 100644 parse_args(false, argc, argv); if (server == NULL) diff --git a/configure b/configure -index ed002e0..a578874 100755 +index 6d05371..33689c9 100755 --- a/configure +++ b/configure @@ -640,6 +640,7 @@ ac_includes_default="\ @@ -699,7 +699,7 @@ index ed002e0..a578874 100755 BUILD_LIBS BUILD_LDFLAGS BUILD_CPPFLAGS -@@ -821,6 +822,7 @@ XMLSTATS +@@ -823,6 +824,7 @@ LIBXML2_CFLAGS NZDTARGETS NZDSRCS NZD_TOOLS @@ -707,7 +707,7 @@ index ed002e0..a578874 100755 PKCS11_TEST PKCS11_ED25519 PKCS11_GOST -@@ -1045,6 +1047,7 @@ with_eddsa +@@ -1047,6 +1049,7 @@ with_eddsa with_aes enable_openssl_hash with_cc_alg @@ -715,7 +715,7 @@ index ed002e0..a578874 100755 with_lmdb with_libxml2 with_libjson -@@ -1744,6 +1747,7 @@ Optional Features: +@@ -1749,6 +1752,7 @@ Optional Features: --enable-threads enable multithreading --enable-native-pkcs11 use native PKCS11 for all crypto [default=no] --enable-openssl-hash use OpenSSL for hash functions [default=no] @@ -723,7 +723,7 @@ index ed002e0..a578874 100755 --enable-largefile 64-bit file support --enable-backtrace log stack backtrace on abort [default=yes] --enable-symtable use internal symbol table for backtrace -@@ -17115,6 +17119,7 @@ case "$use_openssl" in +@@ -17144,6 +17148,7 @@ case "$use_openssl" in $as_echo "disabled because of native PKCS11" >&6; } DST_OPENSSL_INC="" CRYPTO="-DPKCS11CRYPTO" 
@@ -731,7 +731,7 @@ index ed002e0..a578874 100755 OPENSSLECDSALINKOBJS="" OPENSSLECDSALINKSRCS="" OPENSSLEDDSALINKOBJS="" -@@ -17129,6 +17134,7 @@ $as_echo "disabled because of native PKCS11" >&6; } +@@ -17158,6 +17163,7 @@ $as_echo "disabled because of native PKCS11" >&6; } $as_echo "no" >&6; } DST_OPENSSL_INC="" CRYPTO="" @@ -739,7 +739,7 @@ index ed002e0..a578874 100755 OPENSSLECDSALINKOBJS="" OPENSSLECDSALINKSRCS="" OPENSSLEDDSALINKOBJS="" -@@ -17141,6 +17147,7 @@ $as_echo "no" >&6; } +@@ -17170,6 +17176,7 @@ $as_echo "no" >&6; } auto) DST_OPENSSL_INC="" CRYPTO="" @@ -747,7 +747,7 @@ index ed002e0..a578874 100755 OPENSSLECDSALINKOBJS="" OPENSSLECDSALINKSRCS="" OPENSSLEDDSALINKOBJS="" -@@ -17150,7 +17157,7 @@ $as_echo "no" >&6; } +@@ -17179,7 +17186,7 @@ $as_echo "no" >&6; } OPENSSLLINKOBJS="" OPENSSLLINKSRCS="" as_fn_error $? "OpenSSL was not found in any of $openssldirs; use --with-openssl=/path @@ -756,7 +756,7 @@ index ed002e0..a578874 100755 ;; *) if test "yes" = "$want_native_pkcs11" -@@ -17181,6 +17188,7 @@ $as_echo "not found" >&6; } +@@ -17210,6 +17217,7 @@ $as_echo "not found" >&6; } as_fn_error $? "\"$use_openssl/include/openssl/opensslv.h\" not found" "$LINENO" 5 fi CRYPTO='-DOPENSSL' @@ -764,7 +764,7 @@ index ed002e0..a578874 100755 if test "/usr" = "$use_openssl" then DST_OPENSSL_INC="" -@@ -17806,8 +17814,6 @@ fi +@@ -17835,8 +17843,6 @@ fi # Use OpenSSL for hash functions # @@ -773,7 +773,7 @@ index ed002e0..a578874 100755 ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH" case $want_openssl_hash in yes) -@@ -18182,6 +18188,86 @@ if test "rt" = "$have_clock_gt"; then +@@ -18211,6 +18217,86 @@ if test "rt" = "$have_clock_gt"; then LIBS="-lrt $LIBS" fi 
@@ -860,7 +860,7 @@ index ed002e0..a578874 100755 # # was --with-lmdb specified? # -@@ -20264,9 +20350,12 @@ _ACEOF +@@ -20441,9 +20527,12 @@ _ACEOF if ac_fn_c_try_compile "$LINENO"; then : { $as_echo "$as_me:${as_lineno-$LINENO}: result: size_t for buflen; int for flags" >&5 $as_echo "size_t for buflen; int for flags" >&6; } @@ -875,7 +875,7 @@ index ed002e0..a578874 100755 $as_echo "#define IRS_GETNAMEINFO_FLAGS_T int" >>confdefs.h -@@ -21581,12 +21670,7 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM" +@@ -21758,12 +21847,7 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM" ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM" ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM" if test "yes" = "$use_atomic"; then @@ -889,7 +889,7 @@ index ed002e0..a578874 100755 # version HP92453-01 B.11.11.23709.GP, which incorrectly rejects # declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. # This bug is HP SR number 8606223364. -@@ -21619,6 +21703,11 @@ cat >>confdefs.h <<_ACEOF +@@ -21796,6 +21880,11 @@ cat >>confdefs.h <<_ACEOF _ACEOF @@ -901,7 +901,7 @@ index ed002e0..a578874 100755 if test $ac_cv_sizeof_void_p = 8; then arch=x86_64 have_xaddq=yes -@@ -21627,39 +21716,6 @@ _ACEOF +@@ -21804,39 +21893,6 @@ _ACEOF fi ;; x86_64-*|amd64-*) @@ -941,7 +941,7 @@ index ed002e0..a578874 100755 if test $ac_cv_sizeof_void_p = 8; then arch=x86_64 have_xaddq=yes -@@ -21690,6 +21746,10 @@ $as_echo_n "checking architecture type for atomic operations... " >&6; } +@@ -21867,6 +21923,10 @@ $as_echo_n "checking architecture type for atomic operations... " >&6; } $as_echo "$arch" >&6; } fi 
@@ -952,7 +952,7 @@ index ed002e0..a578874 100755 if test "yes" = "$have_atomic"; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking compiler support for inline assembly code" >&5 $as_echo_n "checking compiler support for inline assembly code... " >&6; } -@@ -24244,6 +24304,30 @@ CFLAGS="$CFLAGS $SO_CFLAGS" +@@ -24421,6 +24481,30 @@ CFLAGS="$CFLAGS $SO_CFLAGS" # dlzdir='${DLZ_DRIVER_DIR}' @@ -983,7 +983,7 @@ index ed002e0..a578874 100755 # # Private autoconf macro to simplify configuring drivers: # -@@ -24574,11 +24658,11 @@ $as_echo "no" >&6; } +@@ -24751,11 +24835,11 @@ $as_echo "no" >&6; } $as_echo "using mysql with libs ${mysql_lib} and includes ${mysql_include}" >&6; } ;; *) @@ -998,7 +998,7 @@ index ed002e0..a578874 100755 fi CONTRIB_DLZ="$CONTRIB_DLZ -DDLZ_MYSQL" -@@ -24663,7 +24747,7 @@ $as_echo "" >&6; } +@@ -24840,7 +24924,7 @@ $as_echo "" >&6; } # Check other locations for includes. # Order is important (sigh). @@ -1007,7 +1007,7 @@ index ed002e0..a578874 100755 # include a blank element first for d in "" $bdb_incdirs do -@@ -24688,57 +24772,9 @@ $as_echo "" >&6; } +@@ -24865,57 +24949,9 @@ $as_echo "" >&6; } bdb_libnames="db53 db-5.3 db51 db-5.1 db48 db-4.8 db47 db-4.7 db46 db-4.6 db45 db-4.5 db44 db-4.4 db43 db-4.3 db42 db-4.2 db41 db-4.1 db" for d in $bdb_libnames do @@ -1067,7 +1067,7 @@ index ed002e0..a578874 100755 break fi done -@@ -24897,10 +24933,10 @@ $as_echo "no" >&6; } +@@ -25074,10 +25110,10 @@ $as_echo "no" >&6; } DLZ_DRIVER_INCLUDES="$DLZ_DRIVER_INCLUDES -I$use_dlz_ldap/include" DLZ_DRIVER_LDAP_INCLUDES="-I$use_dlz_ldap/include" fi @@ -1081,7 +1081,7 @@ index ed002e0..a578874 100755 fi -@@ -24986,11 +25022,11 @@ fi +@@ -25163,11 +25199,11 @@ fi odbcdirs="/usr /usr/local /usr/pkg" for d in $odbcdirs do @@ -1095,7 +1095,7 @@ index ed002e0..a578874 100755 break fi done -@@ -25265,6 +25301,8 @@ DNS_CRYPTO_LIBS="$NEWFLAGS" +@@ -25442,6 +25478,8 @@ DNS_CRYPTO_LIBS="$NEWFLAGS" 
@@ -1104,7 +1104,7 @@ index ed002e0..a578874 100755 # # Commands to run at the end of config.status. # Don't just put these into configure, it won't work right if somebody -@@ -27644,6 +27682,8 @@ report() { +@@ -27819,6 +27857,8 @@ report() { echo " IPv6 support (--enable-ipv6)" test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \ echo " OpenSSL cryptography/DNSSEC (--with-openssl)" @@ -1113,7 +1113,7 @@ index ed002e0..a578874 100755 test "X$PYTHON" = "X" || echo " Python tools (--with-python)" test "X$XMLSTATS" = "X" || echo " XML statistics (--with-libxml2)" test "X$JSONSTATS" = "X" || echo " JSON statistics (--with-libjson)" -@@ -27684,6 +27724,8 @@ report() { +@@ -27859,6 +27899,8 @@ report() { echo " Very verbose query trace logging (--enable-querytrace)" test "no" = "$with_cmocka" || echo " CMocka Unit Testing Framework (--with-cmocka)" @@ -1122,7 +1122,7 @@ index ed002e0..a578874 100755 echo " Dynamically loadable zone (DLZ) drivers:" test "no" = "$use_dlz_bdb" || \ echo " Berkeley DB (--with-dlz-bdb)" -@@ -27731,6 +27773,8 @@ report() { +@@ -27906,6 +27948,8 @@ report() { echo " ECDSA algorithm support (--with-ecdsa)" test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \ echo " EDDSA algorithm support (--with-eddsa)" @@ -1132,10 +1132,10 @@ index ed002e0..a578874 100755 test "yes" = "$enable_seccomp" || \ echo " Use libseccomp system call filtering (--enable-seccomp)" diff --git a/configure.ac b/configure.ac -index 45a8126..bb1345b 100644 +index d10cde5..68bead8 100644 --- a/configure.ac +++ b/configure.ac -@@ -1537,6 +1537,7 @@ case "$use_openssl" in +@@ -1550,6 +1550,7 @@ case "$use_openssl" in AC_MSG_RESULT(disabled because of native PKCS11) DST_OPENSSL_INC="" CRYPTO="-DPKCS11CRYPTO" 
@@ -1143,7 +1143,7 @@ index 45a8126..bb1345b 100644 OPENSSLECDSALINKOBJS="" OPENSSLECDSALINKSRCS="" OPENSSLEDDSALINKOBJS="" -@@ -1550,6 +1551,7 @@ case "$use_openssl" in +@@ -1563,6 +1564,7 @@ case "$use_openssl" in AC_MSG_RESULT(no) DST_OPENSSL_INC="" CRYPTO="" @@ -1151,7 +1151,7 @@ index 45a8126..bb1345b 100644 OPENSSLECDSALINKOBJS="" OPENSSLECDSALINKSRCS="" OPENSSLEDDSALINKOBJS="" -@@ -1562,6 +1564,7 @@ case "$use_openssl" in +@@ -1575,6 +1577,7 @@ case "$use_openssl" in auto) DST_OPENSSL_INC="" CRYPTO="" @@ -1159,7 +1159,7 @@ index 45a8126..bb1345b 100644 OPENSSLECDSALINKOBJS="" OPENSSLECDSALINKSRCS="" OPENSSLEDDSALINKOBJS="" -@@ -1572,7 +1575,7 @@ case "$use_openssl" in +@@ -1585,7 +1588,7 @@ case "$use_openssl" in OPENSSLLINKSRCS="" AC_MSG_ERROR( [OpenSSL was not found in any of $openssldirs; use --with-openssl=/path @@ -1168,7 +1168,7 @@ index 45a8126..bb1345b 100644 ;; *) if test "yes" = "$want_native_pkcs11" -@@ -1602,6 +1605,7 @@ If you don't want OpenSSL, use --without-openssl]) +@@ -1615,6 +1618,7 @@ If you don't want OpenSSL, use --without-openssl]) AC_MSG_ERROR(["$use_openssl/include/openssl/opensslv.h" not found]) fi CRYPTO='-DOPENSSL' @@ -1176,7 +1176,7 @@ index 45a8126..bb1345b 100644 if test "/usr" = "$use_openssl" then DST_OPENSSL_INC="" -@@ -2037,7 +2041,6 @@ fi +@@ -2050,7 +2054,6 @@ fi # Use OpenSSL for hash functions # @@ -1184,7 +1184,7 @@ index 45a8126..bb1345b 100644 ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH" case $want_openssl_hash in yes) -@@ -2309,6 +2312,67 @@ if test "rt" = "$have_clock_gt"; then +@@ -2322,6 +2325,67 @@ if test "rt" = "$have_clock_gt"; then LIBS="-lrt $LIBS" fi 
@@ -1252,7 +1252,7 @@ index 45a8126..bb1345b 100644 # # was --with-lmdb specified? # -@@ -4105,12 +4169,12 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM" +@@ -4098,12 +4162,12 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM" ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM" ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM" if test "yes" = "$use_atomic"; then @@ -1266,7 +1266,7 @@ index 45a8126..bb1345b 100644 if test $ac_cv_sizeof_void_p = 8; then arch=x86_64 have_xaddq=yes -@@ -4119,7 +4183,6 @@ if test "yes" = "$use_atomic"; then +@@ -4112,7 +4176,6 @@ if test "yes" = "$use_atomic"; then fi ;; x86_64-*|amd64-*) @@ -1274,7 +1274,7 @@ index 45a8126..bb1345b 100644 if test $ac_cv_sizeof_void_p = 8; then arch=x86_64 have_xaddq=yes -@@ -5527,6 +5590,8 @@ report() { +@@ -5518,6 +5581,8 @@ report() { echo " IPv6 support (--enable-ipv6)" test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \ echo " OpenSSL cryptography/DNSSEC (--with-openssl)" @@ -1283,7 +1283,7 @@ index 45a8126..bb1345b 100644 test "X$PYTHON" = "X" || echo " Python tools (--with-python)" test "X$XMLSTATS" = "X" || echo " XML statistics (--with-libxml2)" test "X$JSONSTATS" = "X" || echo " JSON statistics (--with-libjson)" -@@ -5567,6 +5632,8 @@ report() { +@@ -5558,6 +5623,8 @@ report() { echo " Very verbose query trace logging (--enable-querytrace)" test "no" = "$with_cmocka" || echo " CMocka Unit Testing Framework (--with-cmocka)" @@ -1292,7 +1292,7 @@ index 45a8126..bb1345b 100644 echo " Dynamically loadable zone (DLZ) drivers:" test "no" = "$use_dlz_bdb" || \ echo " Berkeley DB (--with-dlz-bdb)" -@@ -5614,6 +5681,8 @@ report() { +@@ -5605,6 +5672,8 @@ report() { echo " ECDSA algorithm support (--with-ecdsa)" test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \ echo " EDDSA algorithm support (--with-eddsa)" 
@@ -1302,7 +1302,7 @@ index 45a8126..bb1345b 100644 test "yes" = "$enable_seccomp" || \ echo " Use libseccomp system call filtering (--enable-seccomp)" diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c -index ec6e00e..1614afa 100644 +index 65bf25d..1eccbe7 100644 --- a/lib/dns/dst_api.c +++ b/lib/dns/dst_api.c @@ -277,6 +277,12 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx, @@ -1440,7 +1440,7 @@ index 304814b..60543c4 100644 isc_hash_destroy(); cleanup_db: diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c -index d65ce26..6849732 100644 +index 13e838f..ffe0a69 100644 --- a/lib/dns/openssl_link.c +++ b/lib/dns/openssl_link.c @@ -31,6 +31,7 @@ @@ -1476,7 +1476,7 @@ index d65ce26..6849732 100644 #endif +#endif /* !ISC_PLATFORM_CRYPTORANDOM */ - #if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) + #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) static void @@ -192,7 +195,7 @@ _set_thread_id(CRYPTO_THREADID *id) isc_result_t @@ -1845,10 +1845,10 @@ index 0000000..bd3d164 + +#endif diff --git a/lib/dns/win32/libdns.def.in b/lib/dns/win32/libdns.def.in -index 5c45d59..34b660c 100644 +index 63be973..40b21fa 100644 --- a/lib/dns/win32/libdns.def.in +++ b/lib/dns/win32/libdns.def.in -@@ -1484,6 +1484,13 @@ dst_lib_destroy +@@ -1485,6 +1485,13 @@ dst_lib_destroy dst_lib_init dst_lib_init2 dst_lib_initmsgcat @@ -1863,7 +1863,7 @@ index 5c45d59..34b660c 100644 dst_region_computerid dst_result_register diff --git a/lib/isc/entropy.c b/lib/isc/entropy.c -index ab2f617..ed05ed6 100644 +index 907e470..451544d 100644 --- a/lib/isc/entropy.c +++ b/lib/isc/entropy.c @@ -104,11 +104,15 @@ struct isc_entropy { @@ -1921,10 +1921,10 @@ index ab2f617..ed05ed6 100644 + hook = myhook; +} diff --git a/lib/isc/include/isc/entropy.h b/lib/isc/include/isc/entropy.h -index 4bba8e1..632166a 100644 +index e8733db..c40a18c 100644 --- a/lib/isc/include/isc/entropy.h 
+++ b/lib/isc/include/isc/entropy.h -@@ -304,6 +304,18 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source, +@@ -302,6 +302,18 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source, * isc_entropy_createcallbacksource(). */ @@ -1944,10 +1944,10 @@ index 4bba8e1..632166a 100644 #endif /* ISC_ENTROPY_H */ diff --git a/lib/isc/include/isc/platform.h.in b/lib/isc/include/isc/platform.h.in -index 9c7c342..ee8dc3e 100644 +index 61960f1..d22993d 100644 --- a/lib/isc/include/isc/platform.h.in +++ b/lib/isc/include/isc/platform.h.in -@@ -341,6 +341,11 @@ +@@ -359,6 +359,11 @@ */ @ISC_PLATFORM_HAVESTRINGSH@ @@ -1960,10 +1960,10 @@ index 9c7c342..ee8dc3e 100644 * Define if the hash functions must be provided by OpenSSL. */ diff --git a/lib/isc/include/isc/types.h b/lib/isc/include/isc/types.h -index 42ff7e0..8d87c44 100644 +index da9d66f..4205400 100644 --- a/lib/isc/include/isc/types.h +++ b/lib/isc/include/isc/types.h -@@ -93,6 +93,8 @@ typedef struct isc_time isc_time_t; /*%< Time */ +@@ -97,6 +97,8 @@ typedef struct isc_time isc_time_t; /*%< Time */ typedef struct isc_timer isc_timer_t; /*%< Timer */ typedef struct isc_timermgr isc_timermgr_t; /*%< Timer Manager */ @@ -1973,7 +1973,7 @@ index 42ff7e0..8d87c44 100644 typedef int (*isc_sockfdwatch_t)(isc_task_t *, isc_socket_t *, void *, int); diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c -index 8e6ed93..ceb5a2c 100644 +index 68aebdc..4b85527 100644 --- a/lib/isc/pk11.c +++ b/lib/isc/pk11.c @@ -321,14 +321,16 @@ pk11_rand_seed_fromfile(const char *randomfile) { @@ -1999,10 +1999,10 @@ index 8e6ed93..ceb5a2c 100644 cleanup: if (stream != NULL) diff --git a/lib/isc/win32/include/isc/platform.h.in b/lib/isc/win32/include/isc/platform.h.in -index 5b8a2c9..913a2ce 100644 +index 8ade705..fa72f9d 100644 --- a/lib/isc/win32/include/isc/platform.h.in 
+++ b/lib/isc/win32/include/isc/platform.h.in -@@ -69,6 +69,11 @@ +@@ -73,6 +73,11 @@ #define ISC_PLATFORM_NORETURN_PRE __declspec(noreturn) #define ISC_PLATFORM_NORETURN_POST @@ -2015,7 +2015,7 @@ index 5b8a2c9..913a2ce 100644 * Define if the hash functions must be provided by OpenSSL. */ diff --git a/win32utils/Configure b/win32utils/Configure -index ccaf067..240fb80 100644 +index 79d682e..6c78cb2 100644 --- a/win32utils/Configure +++ b/win32utils/Configure @@ -382,6 +382,7 @@ my @substdefh = ("ALLOW_FILTER_AAAA", @@ -2036,15 +2036,15 @@ index ccaf067..240fb80 100644 "fixed-rrset", "intrinsics", "isc-spnego", -@@ -581,6 +583,7 @@ my @help = ( +@@ -580,6 +582,7 @@ my @help = ( "\nOptional Features:\n", - " enable-intrinsics enable instrinsic/atomic functions [default=yes]\n", + " enable-intrinsics enable intrinsic/atomic functions [default=yes]\n", " enable-native-pkcs11 use native PKCS#11 for all crypto [default=no]\n", +" enable-crypto-rand use crypto provider for random [default=yes]\n", " enable-openssl-hash use OpenSSL for hash functions [default=yes]\n", " enable-isc-spnego use SPNEGO from lib/dns [default=yes]\n", " enable-filter-aaaa enable filtering of AAAA records [default=yes]\n", -@@ -630,7 +633,9 @@ my $want_clean = "no"; +@@ -628,7 +631,9 @@ my $want_clean = "no"; my $want_unknown = "no"; my $unknown_value; my $enable_intrinsics = "yes"; @@ -2054,7 +2054,7 @@ index ccaf067..240fb80 100644 my $enable_openssl_hash = "auto"; my $enable_filter_aaaa = "yes"; my $enable_isc_spnego = "yes"; -@@ -850,6 +855,10 @@ sub myenable { +@@ -847,6 +852,10 @@ sub myenable { if ($val =~ /^yes$/i) { $enable_native_pkcs11 = "yes"; } @@ -2065,7 +2065,7 @@ index ccaf067..240fb80 100644 } elsif ($key =~ /^openssl-hash$/i) { if ($val =~ /^yes$/i) { $enable_openssl_hash = "yes"; -@@ -1158,6 +1167,11 @@ if ($verbose) { +@@ -1153,6 +1162,11 @@ if ($verbose) { } else { print "native-pkcs11: disabled\n"; } 
@@ -2077,7 +2077,7 @@ index ccaf067..240fb80 100644 if ($enable_openssl_hash eq "yes") { print "openssl-hash: enabled\n"; } else { -@@ -1516,6 +1530,7 @@ if ($enable_intrinsics eq "yes") { +@@ -1510,6 +1524,7 @@ if ($enable_intrinsics eq "yes") { # enable-native-pkcs11 if ($enable_native_pkcs11 eq "yes") { @@ -2085,7 +2085,7 @@ index ccaf067..240fb80 100644 if ($use_openssl eq "auto") { $use_openssl = "no"; } -@@ -1725,6 +1740,7 @@ if ($use_openssl eq "yes") { +@@ -1719,6 +1734,7 @@ if ($use_openssl eq "yes") { $openssl_dll = File::Spec->catdir($openssl_path, "@dirlist[0]"); } @@ -2093,7 +2093,7 @@ index ccaf067..240fb80 100644 $configcond{"OPENSSL"} = 1; $configdefd{"CRYPTO"} = "OPENSSL"; $configvar{"OPENSSL_PATH"} = "$openssl_path"; -@@ -2296,6 +2312,15 @@ if ($use_aes eq "yes") { +@@ -2290,6 +2306,15 @@ if ($use_aes eq "yes") { } @@ -2109,7 +2109,7 @@ index ccaf067..240fb80 100644 # enable-openssl-hash if ($enable_openssl_hash eq "yes") { if ($use_openssl eq "no") { -@@ -3671,6 +3696,7 @@ exit 0; +@@ -3665,6 +3690,7 @@ exit 0; # --enable-developer partially supported # --enable-newstats (9.9/9.9sub only) # --enable-native-pkcs11 supported @@ -2118,5 +2118,5 @@ index ccaf067..240fb80 100644 # --enable-openssl-hash supported # --enable-threads included without a way to disable it -- -2.20.1 +2.21.1 diff --git a/SOURCES/bind-9.11-rt46047.patch b/SOURCES/bind-9.11-rt46047.patch index 8f413f6..ee9bae8 100644 --- a/SOURCES/bind-9.11-rt46047.patch +++ b/SOURCES/bind-9.11-rt46047.patch @@ -1,4 +1,4 @@ -From 5a465424f5249ceaf0547ab90361a16eb08f7a2b Mon Sep 17 00:00:00 2001 +From 344c19ad4b3f058e65a4b41650bb0ee20692cc5c Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Thu, 28 Sep 2017 10:09:22 -0700 Subject: [PATCH] completed and corrected the crypto-random change 
@@ -39,15 +39,15 @@ Subject: [PATCH] completed and corrected the crypto-random change bin/tests/system/tkey/keycreate.c | 4 +- bin/tests/system/tkey/keydelete.c | 5 +-- doc/arm/Bv9ARM-book.xml | 55 +++++++++++++++++------- - doc/arm/notes-rh-changes.xml | 43 ++++++++++++++++++ + doc/arm/notes-rh-changes.xml | 42 ++++++++++++++++++ doc/arm/notes.xml | 1 + lib/dns/dst_api.c | 4 +- lib/dns/include/dst/dst.h | 14 +++++- lib/dns/openssl_link.c | 3 +- - lib/isc/include/isc/entropy.h | 50 +++++++++++++++------ + lib/isc/include/isc/entropy.h | 48 +++++++++++++++------ lib/isc/include/isc/random.h | 28 +++++++----- lib/isccfg/namedconf.c | 2 +- - 23 files changed, 241 insertions(+), 106 deletions(-) + 23 files changed, 240 insertions(+), 104 deletions(-) create mode 100644 doc/arm/notes-rh-changes.xml diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c @@ -78,10 +78,10 @@ index 295e16f..0f79aa8 100644 &entropy_source, randomfile, diff --git a/bin/dnssec/dnssec-keygen.docbook b/bin/dnssec/dnssec-keygen.docbook -index 0ae6b41..4562430 100644 +index 1826919..96543fc 100644 --- a/bin/dnssec/dnssec-keygen.docbook +++ b/bin/dnssec/dnssec-keygen.docbook -@@ -348,15 +348,23 @@ +@@ -349,15 +349,23 @@ -r randomdev @@ -114,7 +114,7 @@ index 0ae6b41..4562430 100644 diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c -index 31a99e7..38c83ed 100644 +index 5654435..24c0d5a 100644 --- a/bin/dnssec/dnssectool.c +++ b/bin/dnssec/dnssectool.c @@ -241,18 +241,16 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { @@ -142,10 +142,10 @@ index 31a99e7..38c83ed 100644 usekeyboard); diff --git a/bin/named/client.c b/bin/named/client.c -index 50fa2cd..524d9a3 100644 +index 9a0d3c8..c573177 100644 --- a/bin/named/client.c 
+++ b/bin/named/client.c -@@ -1762,7 +1762,8 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message, +@@ -1765,7 +1765,8 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message, isc_buffer_init(&buf, cookie, sizeof(cookie)); isc_stdtime_get(&now); @@ -223,7 +223,7 @@ index d955c2f..40621f2 100644 } else eresult = ns_control_docommand(request, listener->readonly, &text); diff --git a/bin/named/include/named/server.h b/bin/named/include/named/server.h -index 7ee8f66..8982d26 100644 +index 3f96b7b..c92922e 100644 --- a/bin/named/include/named/server.h +++ b/bin/named/include/named/server.h @@ -20,6 +20,7 @@ @@ -255,7 +255,7 @@ index 9dea7c1..272d300 100644 #include #include diff --git a/bin/named/query.c b/bin/named/query.c -index c9e5469..0940714 100644 +index 203f1e6..25eeced 100644 --- a/bin/named/query.c +++ b/bin/named/query.c @@ -19,6 +19,7 @@ @@ -267,10 +267,10 @@ index c9e5469..0940714 100644 #include #include diff --git a/bin/named/server.c b/bin/named/server.c -index 36fc047..3c1eec0 100644 +index f27071f..f132c19 100644 --- a/bin/named/server.c +++ b/bin/named/server.c -@@ -8208,21 +8208,32 @@ load_configuration(const char *filename, ns_server_t *server, +@@ -8210,21 +8210,32 @@ load_configuration(const char *filename, ns_server_t *server, * Open the source of entropy. */ if (first_time) { @@ -312,7 +312,7 @@ index 36fc047..3c1eec0 100644 #ifdef PATH_RANDOMDEV if (ns_g_fallbackentropy != NULL) { level = ISC_LOG_INFO; -@@ -8233,8 +8244,8 @@ load_configuration(const char *filename, ns_server_t *server, +@@ -8235,8 +8246,8 @@ load_configuration(const char *filename, ns_server_t *server, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, level, @@ -323,7 +323,7 @@ index 36fc047..3c1eec0 100644 randomdev, isc_result_totext(result)); } -@@ -8254,7 +8265,6 @@ load_configuration(const char *filename, ns_server_t *server, +@@ -8256,7 +8267,6 @@ load_configuration(const char *filename, ns_server_t *server, } isc_entropy_detach(&ns_g_fallbackentropy); } 
@@ -331,7 +331,7 @@ index 36fc047..3c1eec0 100644 #endif } -@@ -9022,6 +9032,7 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) { +@@ -9025,6 +9035,7 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) { server->in_roothints = NULL; server->blackholeacl = NULL; server->keepresporder = NULL; @@ -339,7 +339,7 @@ index 36fc047..3c1eec0 100644 /* Must be first. */ CHECKFATAL(dst_lib_init2(ns_g_mctx, ns_g_entropy, -@@ -9048,6 +9059,9 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) { +@@ -9051,6 +9062,9 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) { CHECKFATAL(dns_tkeyctx_create(ns_g_mctx, ns_g_entropy, &server->tkeyctx), "creating TKEY context"); @@ -349,7 +349,7 @@ index 36fc047..3c1eec0 100644 /* * Setup the server task, which is responsible for coordinating -@@ -9254,7 +9268,8 @@ ns_server_destroy(ns_server_t **serverp) { +@@ -9257,7 +9271,8 @@ ns_server_destroy(ns_server_t **serverp) { if (server->zonemgr != NULL) dns_zonemgr_detach(&server->zonemgr); @@ -359,7 +359,7 @@ index 36fc047..3c1eec0 100644 if (server->tkeyctx != NULL) dns_tkeyctx_destroy(&server->tkeyctx); -@@ -13230,10 +13245,10 @@ newzone_cfgctx_destroy(void **cfgp) { +@@ -13263,10 +13278,10 @@ newzone_cfgctx_destroy(void **cfgp) { static isc_result_t generate_salt(unsigned char *salt, size_t saltlen) { @@ -372,7 +372,7 @@ index 36fc047..3c1eec0 100644 } rnd; unsigned char text[512 + 1]; isc_region_t r; -@@ -13243,9 +13258,10 @@ generate_salt(unsigned char *salt, size_t saltlen) { +@@ -13276,9 +13291,10 @@ generate_salt(unsigned char *salt, size_t saltlen) { if (saltlen > 256U) return (ISC_R_RANGE); @@ -455,10 +455,10 @@ index 2146f9b..64b8e74 100644 } #endif diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml -index 33e06e6..539973c 100644 +index 93c7a08..bb1e81d 100644 --- a/doc/arm/Bv9ARM-book.xml 
+++ b/doc/arm/Bv9ARM-book.xml -@@ -5076,22 +5076,45 @@ badresp:1,adberr:0,findfail:0,valfail:0] +@@ -5081,22 +5081,45 @@ badresp:1,adberr:0,findfail:0,valfail:0] random-device @@ -522,11 +522,10 @@ index 33e06e6..539973c 100644 diff --git a/doc/arm/notes-rh-changes.xml b/doc/arm/notes-rh-changes.xml new file mode 100644 -index 0000000..11c3a7c +index 0000000..89a4961 --- /dev/null +++ b/doc/arm/notes-rh-changes.xml -@@ -0,0 +1,43 @@ -+ +@@ -0,0 +1,42 @@ +