From 89a8919f88370ae09e9e17ece71e87fe4570c45c Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Nov 05 2019 18:48:51 +0000 Subject: import bind-9.11.4-26.P2.el8 --- diff --git a/.bind.metadata b/.bind.metadata index 013caa7..afb5fba 100644 --- a/.bind.metadata +++ b/.bind.metadata @@ -1,2 +1,3 @@ f01eada382fb2bd4d1fcab3f6f83bd3ebc35a9ab SOURCES/bind-9.11.4-P2.tar.gz 1dc72fe31e4c84853ea2d016e36f0419d1885fa0 SOURCES/config-18.tar.bz2 +a164fcad1d64d6b5fab5034928cb7260f1fa8fdd SOURCES/random.data diff --git a/.gitignore b/.gitignore index 918743b..575c6ab 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ SOURCES/bind-9.11.4-P2.tar.gz SOURCES/config-18.tar.bz2 +SOURCES/random.data diff --git a/SOURCES/bind-9.10-dist-native-pkcs11.patch b/SOURCES/bind-9.10-dist-native-pkcs11.patch index a700078..6f66dc1 100644 --- a/SOURCES/bind-9.10-dist-native-pkcs11.patch +++ b/SOURCES/bind-9.10-dist-native-pkcs11.patch @@ -270,7 +270,7 @@ index d92bc9a..6d2bfd1 100644 CWARNINGS = diff --git a/bin/pkcs11/Makefile.in b/bin/pkcs11/Makefile.in -index 70ee8b5..0fd8644 100644 +index a058c91..d4b689a 100644 --- a/bin/pkcs11/Makefile.in +++ b/bin/pkcs11/Makefile.in @@ -15,13 +15,13 @@ top_srcdir = @top_srcdir@ @@ -291,7 +291,7 @@ index 70ee8b5..0fd8644 100644 DEPLIBS = ${ISCDEPLIBS} diff --git a/configure.in b/configure.in -index 9a1d16d..2f13059 100644 +index 849fa94..69e6373 100644 --- a/configure.in +++ b/configure.in @@ -1164,12 +1164,14 @@ AC_SUBST(USE_GSSAPI) @@ -346,10 +346,10 @@ index 9a1d16d..2f13059 100644 DST_OPENSSL_INC="" - CRYPTO="-DPKCS11CRYPTO" + CRYPTO_PK11="-DPKCS11CRYPTO" + CRYPTOLIB="pkcs11" OPENSSLECDSALINKOBJS="" OPENSSLECDSALINKSRCS="" - OPENSSLEDDSALINKOBJS="" -@@ -1605,7 +1607,9 @@ case "$use_openssl" in +@@ -1606,7 +1608,9 @@ case "$use_openssl" in OPENSSLGOSTLINKSRCS="" OPENSSLLINKOBJS="" OPENSSLLINKSRCS="" @@ -360,24 +360,16 @@ index 9a1d16d..2f13059 100644 no) AC_MSG_RESULT(no) DST_OPENSSL_INC="" -@@ -1635,11 +1639,11 @@ case "$use_openssl" in - If you don't want OpenSSL, use --without-openssl]) +@@ -1638,7 +1642,7 @@ case "$use_openssl" in + If you do not want OpenSSL, use --without-openssl]) ;; *) - if test "yes" = "$want_native_pkcs11" -- then -- AC_MSG_RESULT() -- AC_MSG_ERROR([OpenSSL and native PKCS11 cannot be used together.]) -- fi -+ # if test "yes" = "$want_native_pkcs11" -+ # then -+ # AC_MSG_RESULT() -+ # AC_MSG_ERROR([OpenSSL and native PKCS11 cannot be used together.]) -+ # fi - if test "yes" = "$use_openssl" ++ if false # test "yes" = "$want_native_pkcs11" then - # User did not specify a path - guess it -@@ -2062,6 +2066,7 @@ AC_SUBST(OPENSSL_ED25519) + AC_MSG_RESULT() + AC_MSG_ERROR([OpenSSL and native PKCS11 cannot be used together.]) +@@ -2066,6 +2070,7 @@ AC_SUBST(OPENSSL_ED25519) AC_SUBST(OPENSSL_GOST) DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DST_OPENSSL_LIBS" @@ -385,7 +377,7 @@ index 9a1d16d..2f13059 100644 ISC_PLATFORM_WANTAES="#undef ISC_PLATFORM_WANTAES" if test "yes" = "$with_aes" -@@ -2381,6 +2386,7 @@ esac +@@ -2384,6 +2389,7 @@ esac AC_SUBST(PKCS11LINKOBJS) AC_SUBST(PKCS11LINKSRCS) AC_SUBST(CRYPTO) @@ -393,7 +385,7 @@ index 9a1d16d..2f13059 100644 AC_SUBST(PKCS11_ECDSA) AC_SUBST(PKCS11_GOST) AC_SUBST(PKCS11_ED25519) -@@ -5434,8 +5440,11 @@ AC_CONFIG_FILES([ +@@ -5497,8 +5503,11 @@ AC_CONFIG_FILES([ bin/delv/Makefile bin/dig/Makefile bin/dnssec/Makefile @@ -405,7 +397,7 @@ index 9a1d16d..2f13059 100644 bin/nsupdate/Makefile bin/pkcs11/Makefile bin/python/Makefile -@@ -5509,6 +5518,10 @@ AC_CONFIG_FILES([ +@@ -5572,6 +5581,10 @@ AC_CONFIG_FILES([ lib/dns/include/dns/Makefile lib/dns/include/dst/Makefile lib/dns/tests/Makefile @@ -416,7 +408,7 @@ index 9a1d16d..2f13059 100644 lib/irs/Makefile lib/irs/include/Makefile lib/irs/include/irs/Makefile -@@ -5533,6 +5546,24 @@ AC_CONFIG_FILES([ +@@ -5596,6 +5609,24 @@ AC_CONFIG_FILES([ lib/isc/unix/include/Makefile lib/isc/unix/include/isc/Makefile lib/isc/unix/include/pkcs11/Makefile diff --git a/SOURCES/bind-9.11-CVE-2018-5745.patch b/SOURCES/bind-9.11-CVE-2018-5745.patch new file mode 100644 index 0000000..1ea50c6 --- /dev/null +++ b/SOURCES/bind-9.11-CVE-2018-5745.patch @@ -0,0 +1,474 @@ +From c705a3eac69286b47a70b851aa5dd9119d04512f Mon Sep 17 00:00:00 2001 +From: Petr Mensik +Date: Tue, 23 Jul 2019 16:43:55 +0200 +Subject: [PATCH] Fix CVE-2018-5745 + +Squashed commit of the following: + +commit c38e1dd10567e246bb802d889c3b2d2d286c7616 +Author: Evan Hunt +Date: Fri Dec 21 17:24:47 2018 -0800 + + use algorithm 255 for both unsupported keys + + (cherry picked from commit de8b2d4a6a97bb2ddf19024918581e70512ebc41) + +commit caf8a62270c850fbc59cfa6bb9dcedb2ef7228c2 +Author: Matthijs Mekking +Date: Wed Dec 19 18:45:43 2018 +0100 + + Add tests for mkeys with unsupported algorithm + + These tests check if a key with an unsupported algorithm in + managed-keys is ignored and when seeing an algorithm rollover to + an unsupported algorithm, the new key will be ignored too. + + (cherry picked from commit 144cb53d0ae3aa5e6e3123720b603f9ab2bd1fa9) + (cherry picked from commit 8c2a8ca50946449bf26a7e0843cc5e54e36071ae) + +commit 634655f38385595fb9a35e93ec3a72ed4c48bda6 +Author: Matthijs Mekking +Date: Wed Dec 19 18:47:43 2018 +0100 + + Update keyfetch_done compute_tag check + + If in keyfetch_done the compute_tag fails (because for example the + algorithm is not supported), don't crash, but instead ignore the + key. + + (cherry picked from commit b1d5411569ae10830b63f07560091193646cc739) + (cherry picked from commit 8f64928e2eb9395d8cdcd62183a1eaec3b1c5256) + +commit e5cb28c3f3df4c37d528665e67fb460cc1662259 +Author: Matthijs Mekking +Date: Wed Dec 12 14:06:10 2018 +0100 + + Don't free key in compute_tag in case of failure + + If `dns_dnssec_keyfromrdata` failed we don't need to call + `dst_key_free` because no `dstkey` was created. Doing so + nevertheless will result in an assertion failure. + + This can happen if the key uses an unsupported algorithm. + + (cherry picked from commit 7a1ca39b950b7d5230b605ac60f15a1cb94e3d69) + (cherry picked from commit acae423ef4274c5535da324da78ce1441628d5f6) +--- + bin/tests/system/mkeys/README | 3 + + bin/tests/system/mkeys/clean.sh | 2 + + bin/tests/system/mkeys/ns1/root.db | 20 +++---- + bin/tests/system/mkeys/ns1/sign.sh | 7 ++- + bin/tests/system/mkeys/ns1/unsupported.key | 1 + + bin/tests/system/mkeys/ns6/named.args | 1 + + bin/tests/system/mkeys/ns6/named.conf.in | 43 +++++++++++++++ + bin/tests/system/mkeys/ns6/setup.sh | 30 ++++++++++ + .../system/mkeys/ns6/unsupported-managed.key | 1 + + bin/tests/system/mkeys/ns7/named.conf.in | 50 +++++++++++++++++ + bin/tests/system/mkeys/setup.sh | 1 + + bin/tests/system/mkeys/tests.sh | 55 +++++++++++++++++++ + lib/dns/include/dst/dst.h | 3 +- + lib/dns/zone.c | 27 ++++++++- + 14 files changed, 229 insertions(+), 15 deletions(-) + create mode 100644 bin/tests/system/mkeys/ns1/unsupported.key + create mode 100644 bin/tests/system/mkeys/ns6/named.args + create mode 100644 bin/tests/system/mkeys/ns6/named.conf.in + create mode 100644 bin/tests/system/mkeys/ns6/setup.sh + create mode 100644 bin/tests/system/mkeys/ns6/unsupported-managed.key + create mode 100644 bin/tests/system/mkeys/ns7/named.conf.in + +diff --git a/bin/tests/system/mkeys/README b/bin/tests/system/mkeys/README +index 700e6c21ca..257ef5406f 100644 +--- a/bin/tests/system/mkeys/README ++++ b/bin/tests/system/mkeys/README +@@ -16,3 +16,6 @@ ns3 is a validator with a broken key in managed-keys. + + ns5 is a validator which is prevented from getting a response from the + root server, causing key refresh queries to fail. ++ ++ns6 is a validator which has unsupported algorithms, one at start up, ++one because of an algorithm rollover. +diff --git a/bin/tests/system/mkeys/clean.sh b/bin/tests/system/mkeys/clean.sh +index 17bd50f273..844d813eb4 100644 +--- a/bin/tests/system/mkeys/clean.sh ++++ b/bin/tests/system/mkeys/clean.sh +@@ -11,6 +11,7 @@ + + rm -f */K* */*.signed */trusted.conf */*.jnl */*.bk + rm -f dsset-. ns1/dsset-. ++rm -f ns1/zone.key + rm -f ns*/named.lock + rm -f */managed-keys.bind* */named.secroots + rm -f */managed.conf ns1/managed.key ns1/managed.key.id +@@ -19,3 +20,4 @@ rm -f dig.out* delv.out* rndc.out* signer.out* + rm -f ns1/named.secroots ns1/root.db.signed* ns1/root.db.tmp + rm -f */named.conf + rm -f ns5/named.args ++rm -f ns7/view1.mkeys ns7/view2.mkeys +diff --git a/bin/tests/system/mkeys/ns1/root.db b/bin/tests/system/mkeys/ns1/root.db +index 6ba922af09..0070f13942 100644 +--- a/bin/tests/system/mkeys/ns1/root.db ++++ b/bin/tests/system/mkeys/ns1/root.db +@@ -8,16 +8,16 @@ + ; information regarding copyright ownership. + + $TTL 20 +-. IN SOA gson.nominum.com. a.root.servers.nil. ( +- 2000042100 ; serial +- 600 ; refresh +- 600 ; retry +- 1200 ; expire +- 2 ; minimum +- ) +-. NS a.root-servers.nil. +-a.root-servers.nil. A 10.53.0.1 ++. IN SOA gson.nominum.com. a.root.servers.nil. ( ++ 2000042100 ; serial ++ 600 ; refresh ++ 600 ; retry ++ 1200 ; expire ++ 2 ; minimum ++ ) ++. NS a.root-servers.nil. ++a.root-servers.nil. A 10.53.0.1 + + ; no delegation + +-example. TXT "This is a test." ++example. TXT "This is a test." +diff --git a/bin/tests/system/mkeys/ns1/sign.sh b/bin/tests/system/mkeys/ns1/sign.sh +index ccc7889ad9..e5e7ec05d6 100644 +--- a/bin/tests/system/mkeys/ns1/sign.sh ++++ b/bin/tests/system/mkeys/ns1/sign.sh +@@ -25,13 +25,18 @@ keyfile_to_managed_keys $keyname > managed.conf + cp managed.conf ../ns2/managed.conf + cp managed.conf ../ns5/managed.conf + +-# Configure a trusted key statement (used by delv) ++# Configure a trusted key statement (used by delv). + keyfile_to_trusted_keys $keyname > trusted.conf + ++# Prepare an unsupported algorithm key. ++unsupportedkey=Kunknown.+255+00000 ++cp unsupported.key "${unsupportedkey}.key" ++ + # + # Save keyname and keyid for managed key id test. + # + echo "$keyname" > managed.key ++echo "$zskkeyname" > zone.key + keyid=`expr $keyname : 'K\.+00.+\([0-9]*\)'` + keyid=`expr $keyid + 0` + echo "$keyid" > managed.key.id +diff --git a/bin/tests/system/mkeys/ns1/unsupported.key b/bin/tests/system/mkeys/ns1/unsupported.key +new file mode 100644 +index 0000000000..7435d03b63 +--- /dev/null ++++ b/bin/tests/system/mkeys/ns1/unsupported.key +@@ -0,0 +1 @@ ++. IN DNSKEY 257 3 255 BJiXuidPHuGIne8GlCBLG+Oq/FZruQd2s3uBo+SxY16NUP/Vwl8MctMK62KsblDU1gIJAdEMVep2tsOkuSm0bIbJ8NBex+N9rSvzH2YJlDCT9QnNfv4q5RRTcVA3lk9nkmWHo6zcAT33yuS+THOCSznOMCJRq8JGZ6xqMJLv9FucuK6CCe6QBAZ5e98dpyGTWQLu7AERKKFqda9YCk3KQfdzx/HZ4SpQpRLncIXvGm1PIMT8Ar95NB/BsFJGwr5ZTaQtRYOXf2DD7wD3pfMsTJCdZyC0J0EtGBG109I+Oou1cswUfqZLXip/aV3eaBAUqLcZpg8P8vAbrvEq4uMS4OMZeXL6nu0irrdS1Pqmax8RsC+x3fg9EBH3QmHroJZtiU5h+0x4qApp7HE4Z5zFRuxIp9iB +diff --git a/bin/tests/system/mkeys/ns6/named.args b/bin/tests/system/mkeys/ns6/named.args +new file mode 100644 +index 0000000000..02f8f670f6 +--- /dev/null ++++ b/bin/tests/system/mkeys/ns6/named.args +@@ -0,0 +1 @@ ++-m record,size,mctx -T clienttest -c named.conf -d 99 -X named.lock -g -T mkeytimers=5/10/20 +diff --git a/bin/tests/system/mkeys/ns6/named.conf.in b/bin/tests/system/mkeys/ns6/named.conf.in +new file mode 100644 +index 0000000000..8d76f7f2e7 +--- /dev/null ++++ b/bin/tests/system/mkeys/ns6/named.conf.in +@@ -0,0 +1,43 @@ ++/* ++ * Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++ * ++ * This Source Code Form is subject to the terms of the Mozilla Public ++ * License, v. 2.0. If a copy of the MPL was not distributed with this ++ * file, You can obtain one at http://mozilla.org/MPL/2.0/. ++ * ++ * See the COPYRIGHT file distributed with this work for additional ++ * information regarding copyright ownership. ++ */ ++ ++// NS6 ++ ++options { ++ query-source address 10.53.0.6; ++ notify-source 10.53.0.6; ++ transfer-source 10.53.0.6; ++ port @PORT@; ++ pid-file "named.pid"; ++ listen-on { 10.53.0.6; }; ++ listen-on-v6 { none; }; ++ recursion yes; ++ notify no; ++ dnssec-enable yes; ++ dnssec-validation yes; ++ trust-anchor-telemetry no; ++}; ++ ++key rndc_key { ++ secret "1234abcd8765"; ++ algorithm hmac-sha256; ++}; ++ ++controls { ++ inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; ++}; ++ ++zone "." { ++ type hint; ++ file "../../common/root.hint"; ++}; ++ ++include "managed.conf"; +diff --git a/bin/tests/system/mkeys/ns6/setup.sh b/bin/tests/system/mkeys/ns6/setup.sh +new file mode 100644 +index 0000000000..5ba1647da5 +--- /dev/null ++++ b/bin/tests/system/mkeys/ns6/setup.sh +@@ -0,0 +1,30 @@ ++#!/bin/sh -e ++# ++# Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++# ++# This Source Code Form is subject to the terms of the Mozilla Public ++# License, v. 2.0. If a copy of the MPL was not distributed with this ++# file, You can obtain one at http://mozilla.org/MPL/2.0/. ++# ++# See the COPYRIGHT file distributed with this work for additional ++# information regarding copyright ownership. ++ ++SYSTEMTESTTOP=../.. ++. $SYSTEMTESTTOP/conf.sh ++ ++zone=. ++zonefile=root.db ++ ++# an RSA key ++rsakey=`$KEYGEN -a rsasha256 -qfk rsasha256.` ++ ++# a key with unsupported algorithm ++unsupportedkey=Kunknown.+255+00000 ++cp unsupported-managed.key "${unsupportedkey}.key" ++ ++# root key ++rootkey=`cat ../ns1/managed.key` ++cp "../ns1/${rootkey}.key" . ++ ++# Configure the resolving server with a managed trusted key. ++keyfile_to_managed_keys $unsupportedkey $rsakey $rootkey > managed.conf +diff --git a/bin/tests/system/mkeys/ns6/unsupported-managed.key b/bin/tests/system/mkeys/ns6/unsupported-managed.key +new file mode 100644 +index 0000000000..be872a00f0 +--- /dev/null ++++ b/bin/tests/system/mkeys/ns6/unsupported-managed.key +@@ -0,0 +1 @@ ++unsupported. IN DNSKEY 257 3 255 BOOVAhiJDPqhfU7+yGXjhetrtC/rtjmwO1yo52BUHUd8R4hQ/ZPdYCVvQlvNkRxDblPkFM5YRXkesS30pJSoNYrg+djbMNumJrLG+lbhFIc/ahTjlYOxb1zm2z00ubHju/1uGBifiRvKWSK0Vr0u6NtS4PKZfsnXt+piSHiRAHSfkjGHwqPYYKh9EUW12kJmIzlMaM6WYl+gJOvL+f8VqNLtvsMPT6OPK/3h/Dnfnxyeudp/jzAnNDDiTgX2XfzIXB4UwxtzIOGaHLnprpNf3zoBm0kyaEdSQQ/qKkpCOqjBasYEHRjVz3RncPUkdLr7PQuPBfFDr3SUMMJqufJrO4IJjtD4cCBT7K1i39Jg471nEzU1vkPzxF+Rw1QHT4nZaXbltf3BEZGS4Knoe9XPwi5KjGW6 +diff --git a/bin/tests/system/mkeys/ns7/named.conf.in b/bin/tests/system/mkeys/ns7/named.conf.in +new file mode 100644 +index 0000000000..a9aba00733 +--- /dev/null ++++ b/bin/tests/system/mkeys/ns7/named.conf.in +@@ -0,0 +1,50 @@ ++/* ++ * Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++ * ++ * This Source Code Form is subject to the terms of the Mozilla Public ++ * License, v. 2.0. If a copy of the MPL was not distributed with this ++ * file, You can obtain one at http://mozilla.org/MPL/2.0/. ++ * ++ * See the COPYRIGHT file distributed with this work for additional ++ * information regarding copyright ownership. ++ */ ++ ++// NS7 ++ ++options { ++ query-source address 10.53.0.7; ++ notify-source 10.53.0.7; ++ transfer-source 10.53.0.7; ++ port @PORT@; ++ pid-file "named.pid"; ++ listen-on { 10.53.0.7; }; ++ listen-on-v6 { none; }; ++ recursion yes; ++ notify no; ++ dnssec-enable yes; ++ dnssec-validation auto; ++ bindkeys-file "managed.conf"; ++}; ++ ++key rndc_key { ++ secret "1234abcd8765"; ++ algorithm hmac-sha256; ++}; ++ ++controls { ++ inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; ++}; ++ ++view view1 { ++ zone "." { ++ type hint; ++ file "../../common/root.hint"; ++ }; ++}; ++ ++view view2 { ++ zone "." { ++ type hint; ++ file "../../common/root.hint"; ++ }; ++}; +diff --git a/bin/tests/system/mkeys/setup.sh b/bin/tests/system/mkeys/setup.sh +index bd3169f9b6..100a86959b 100644 +--- a/bin/tests/system/mkeys/setup.sh ++++ b/bin/tests/system/mkeys/setup.sh +@@ -25,3 +25,4 @@ copy_setports ns5/named.conf.in ns5/named.conf + cp ns5/named1.args ns5/named.args + + ( cd ns1 && $SHELL sign.sh ) ++( cd ns6 && $SHELL setup.sh ) +diff --git a/bin/tests/system/mkeys/tests.sh b/bin/tests/system/mkeys/tests.sh +index f65f49e98d..b8410902d7 100644 +--- a/bin/tests/system/mkeys/tests.sh ++++ b/bin/tests/system/mkeys/tests.sh +@@ -701,6 +701,8 @@ rm -f ns1/root.db.signed.jnl + nextpart ns5/named.run > /dev/null + mkeys_reconfig_on 1 + wait_for_log "Returned from key fetch in keyfetch_done() for '.': success" ns5/named.run ++#mkeys_secroots_on 5 ++#grep '; managed' ns5/named.secroots > /dev/null || ret=1 + # ns1 should not longer REFUSE queries from ns5, so managed keys should be + # correctly refreshed and resolving should succeed + $DIG $DIGOPTS +noauth example. @10.53.0.5 txt > dig.out.ns5.b.test$n || ret=1 +@@ -710,5 +712,58 @@ grep "status: NOERROR" dig.out.ns5.b.test$n > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` + ++echo_i "reinitialize trust anchors, add unsupported algorithm ($n)" ++ret=0 ++$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port ${CONTROLPORT} mkeys ns6 ++rm -f ns6/managed-keys.bind* ++nextpart ns6/named.run > /dev/null ++$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} mkeys ns6 ++# log when an unsupported algorithm is encountered during startup ++wait_for_log "skipping managed key for 'unsupported\.': algorithm is unsupported" ns6/named.run ++if [ $ret != 0 ]; then echo_i "failed"; fi ++status=`expr $status + $ret` ++ ++n=`expr $n + 1` ++echo_i "skipping unsupported algorithm in managed-keys ($n)" ++ret=0 ++mkeys_status_on 6 > rndc.out.$n 2>&1 ++# there should still be only two keys listed (for . and rsasha256.) ++count=`grep -c "keyid: " rndc.out.$n` ++[ "$count" -eq 2 ] || ret=1 ++# two lines indicating trust status ++count=`grep -c "trust" rndc.out.$n` ++[ "$count" -eq 2 ] || ret=1 ++ ++n=`expr $n + 1` ++echo_i "introduce unsupported algorithm rollover in authoritative zone ($n)" ++ret=0 ++cp ns1/root.db ns1/root.db.orig ++ksk=`cat ns1/managed.key` ++zsk=`cat ns1/zone.key` ++cat "ns1/${ksk}.key" "ns1/${zsk}.key" ns1/unsupported.key >> ns1/root.db ++grep "\..*IN.*DNSKEY.*257 3 255" ns1/root.db > /dev/null || ret=1 ++$SIGNER -K ns1 -N unixtime -o . ns1/root.db $ksk $zsk > /dev/null 2>/dev/null || ret=1 ++grep "DNSKEY.*257 3 255" ns1/root.db.signed > /dev/null || ret=1 ++cp ns1/root.db.orig ns1/root.db ++if [ $ret != 0 ]; then echo_i "failed"; fi ++status=`expr $status + $ret` ++ ++n=`expr $n + 1` ++echo_i "skipping unsupported algorithm in rollover ($n)" ++ret=0 ++mkeys_reload_on 1 ++mkeys_refresh_on 6 ++mkeys_status_on 6 > rndc.out.$n 2>&1 ++# there should still be only two keys listed (for . and rsasha256.) ++count=`grep -c "keyid: " rndc.out.$n` ++[ "$count" -eq 2 ] || ret=1 ++# two lines indicating trust status ++count=`grep -c "trust" rndc.out.$n` ++[ "$count" -eq 2 ] || ret=1 ++# log when an unsupported algorithm is encountered during rollover ++wait_for_log "Cannot compute tag for key in zone \.: algorithm is unsupported" ns6/named.run ++if [ $ret != 0 ]; then echo_i "failed"; fi ++status=`expr $status + $ret` ++ + echo_i "exit status: $status" + [ $status -eq 0 ] || exit 1 +diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h +index e8c1a3c287..91f4a6e300 100644 +--- a/lib/dns/include/dst/dst.h ++++ b/lib/dns/include/dst/dst.h +@@ -67,8 +67,7 @@ typedef struct dst_context dst_context_t; + #define DST_ALG_HMACSHA512 165 /* XXXMPA */ + #define DST_ALG_INDIRECT 252 + #define DST_ALG_PRIVATE 254 +-#define DST_ALG_EXPAND 255 +-#define DST_MAX_ALGS 255 ++#define DST_MAX_ALGS 256 + + /*% A buffer of this size is large enough to hold any key */ + #define DST_KEY_MAXSIZE 1280 +diff --git a/lib/dns/zone.c b/lib/dns/zone.c +index 055b2417eb..96c98d585c 100644 +--- a/lib/dns/zone.c ++++ b/lib/dns/zone.c +@@ -3903,9 +3903,10 @@ compute_tag(dns_name_t *name, dns_rdata_dnskey_t *dnskey, isc_mem_t *mctx, + dns_rdatatype_dnskey, dnskey, &buffer); + + result = dns_dnssec_keyfromrdata(name, &rdata, mctx, &dstkey); +- if (result == ISC_R_SUCCESS) ++ if (result == ISC_R_SUCCESS) { + *tag = dst_key_id(dstkey); +- dst_key_free(&dstkey); ++ dst_key_free(&dstkey); ++ } + + return (result); + } +@@ -9364,6 +9365,17 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { + + dns_keydata_todnskey(&keydata, &dnskey, NULL); + result = compute_tag(keyname, &dnskey, mctx, &keytag); ++ if (result != ISC_R_SUCCESS) { ++ /* ++ * Skip if we cannot compute the key tag. ++ * This may happen if the algorithm is unsupported ++ */ ++ dns_zone_log(zone, ISC_LOG_ERROR, ++ "Cannot compute tag for key in zone %s: %s " ++ "(skipping)", ++ namebuf, dns_result_totext(result)); ++ continue; ++ } + RUNTIME_CHECK(result == ISC_R_SUCCESS); + + /* +@@ -9475,6 +9487,17 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { + continue; + + result = compute_tag(keyname, &dnskey, mctx, &keytag); ++ if (result != ISC_R_SUCCESS) { ++ /* ++ * Skip if we cannot compute the key tag. ++ * This may happen if the algorithm is unsupported ++ */ ++ dns_zone_log(zone, ISC_LOG_ERROR, ++ "Cannot compute tag for key in zone %s: %s " ++ "(skipping)", ++ namebuf, dns_result_totext(result)); ++ continue; ++ } + RUNTIME_CHECK(result == ISC_R_SUCCESS); + + revoked = ISC_TF(dnskey.flags & DNS_KEYFLAG_REVOKE); +-- +2.20.1 + diff --git a/SOURCES/bind-9.11-CVE-2019-6465.patch b/SOURCES/bind-9.11-CVE-2019-6465.patch new file mode 100644 index 0000000..0657aa3 --- /dev/null +++ b/SOURCES/bind-9.11-CVE-2019-6465.patch @@ -0,0 +1,100 @@ +From 3824a600a51188c713e900115d6af129b54706df Mon Sep 17 00:00:00 2001 +From: Mark Andrews +Date: Wed, 6 Feb 2019 11:35:21 -0800 +Subject: [PATCH] denied axfr requests were not effective for writable DLZ + zones + +(cherry picked from commit d9077cd0038e59726e1956de18b4b7872038a283) +(cherry picked from commit 34348d9ee4db15307c6c42db294419b4df569f76) +--- + bin/named/xfrout.c | 8 ++++---- + bin/tests/system/dlzexternal/driver.c | 18 +++++++++++++++--- + bin/tests/system/dlzexternal/tests.sh | 16 ++++++++++++---- + 3 files changed, 31 insertions(+), 11 deletions(-) + +diff --git a/bin/named/xfrout.c b/bin/named/xfrout.c +index c531e0acef..f6e57d889e 100644 +--- a/bin/named/xfrout.c ++++ b/bin/named/xfrout.c +@@ -803,12 +803,12 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) { + result = dns_zt_find(client->view->zonetable, question_name, 0, NULL, + &zone); + +- if (result != ISC_R_SUCCESS) { ++ if (result != ISC_R_SUCCESS || dns_zone_gettype(zone) == dns_zone_dlz) { + /* +- * Normal zone table does not have a match. +- * Try the DLZ database ++ * The normal zone table does not have a match, or this is ++ * marked in the zone table as a DLZ zone. Check the DLZ ++ * databases for a match. + */ +- // Temporary: only searching the first DLZ database + if (! ISC_LIST_EMPTY(client->view->dlz_searched)) { + result = dns_dlzallowzonexfr(client->view, + question_name, +diff --git a/bin/tests/system/dlzexternal/driver.c b/bin/tests/system/dlzexternal/driver.c +index 37a62622da..dfa7847984 100644 +--- a/bin/tests/system/dlzexternal/driver.c ++++ b/bin/tests/system/dlzexternal/driver.c +@@ -542,10 +542,22 @@ dlz_lookup(const char *zone, const char *name, void *dbdata, + */ + isc_result_t + dlz_allowzonexfr(void *dbdata, const char *name, const char *client) { +- UNUSED(client); ++ isc_result_t result; ++ ++ result = dlz_findzonedb(dbdata, name, NULL, NULL); ++ if (result != ISC_R_SUCCESS) { ++ return (result); ++ } + +- /* Just say yes for all our zones */ +- return (dlz_findzonedb(dbdata, name, NULL, NULL)); ++ /* ++ * Exception for 10.53.0.5 so we can test that allow-transfer ++ * is effective. ++ */ ++ if (strcmp(client, "10.53.0.5") == 0) { ++ return (ISC_R_NOPERM); ++ } ++ ++ return (ISC_R_SUCCESS); + } + + /* +diff --git a/bin/tests/system/dlzexternal/tests.sh b/bin/tests/system/dlzexternal/tests.sh +index 87dd13b10e..1754aaa57c 100644 +--- a/bin/tests/system/dlzexternal/tests.sh ++++ b/bin/tests/system/dlzexternal/tests.sh +@@ -108,15 +108,23 @@ test_update testdc1.alternate.nil. A "86400 A 10.53.0.10" "10.53.0.10" || ret=1 + status=`expr $status + $ret` + + newtest "testing AXFR from DLZ drivers" +-$DIG $DIGOPTS +noall +answer axfr example.nil > dig.out.ns1.test$n +-lines=`cat dig.out.ns1.test$n | wc -l` ++$DIG $DIGOPTS +noall +answer axfr example.nil > dig.out.example.ns1.test$n ++lines=`cat dig.out.example.ns1.test$n | wc -l` + [ ${lines:-0} -eq 4 ] || ret=1 +-$DIG $DIGOPTS +noall +answer axfr alternate.nil > dig.out.ns1.test$n +-lines=`cat dig.out.ns1.test$n | wc -l` ++$DIG $DIGOPTS +noall +answer axfr alternate.nil > dig.out.alternate.ns1.test$n ++lines=`cat dig.out.alternate.ns1.test$n | wc -l` + [ ${lines:-0} -eq 5 ] || ret=1 + [ "$ret" -eq 0 ] || echo_i "failed" + status=`expr $status + $ret` + ++newtest "testing AXFR denied from DLZ drivers" ++$DIG $DIGOPTS -b 10.53.0.5 +noall +answer axfr example.nil > dig.out.example.ns1.test$n ++grep "; Transfer failed" dig.out.example.ns1.test$n > /dev/null || ret=1 ++$DIG $DIGOPTS -b 10.53.0.5 +noall +answer axfr alternate.nil > dig.out.alternate.ns1.test$n ++grep "; Transfer failed" dig.out.alternate.ns1.test$n > /dev/null || ret=1 ++[ "$ret" -eq 0 ] || echo_i "failed" ++status=`expr $status + $ret` ++ + newtest "testing unsearched/unregistered DLZ zone is not found" + $DIG $DIGOPTS +noall +answer ns other.nil > dig.out.ns1.test$n + grep "3600.IN.NS.other.nil." dig.out.ns1.test$n > /dev/null && ret=1 +-- +2.20.1 + diff --git a/SOURCES/bind-9.11-fips-code-includes.patch b/SOURCES/bind-9.11-fips-code-includes.patch new file mode 100644 index 0000000..f71a021 --- /dev/null +++ b/SOURCES/bind-9.11-fips-code-includes.patch @@ -0,0 +1,39 @@ +From 68baeb7211ba2fcd4eff53d987e9b70ba38294cb Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= +Date: Thu, 20 Dec 2018 11:52:12 +0100 +Subject: [PATCH] Fix implicit declaration warning + +isc_md5_available() function is not declared before its use. Include +header providing it in files that use it. +--- + bin/tests/system/tkey/keydelete.c | 1 + + lib/dns/tsig.c | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c +index 36ee6c7..6051cd2 100644 +--- a/bin/tests/system/tkey/keydelete.c ++++ b/bin/tests/system/tkey/keydelete.c +@@ -21,6 +21,7 @@ + #include + #include + #include ++#include + #include + #include + #include +diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c +index 70805bb..33870f3 100644 +--- a/lib/dns/tsig.c ++++ b/lib/dns/tsig.c +@@ -18,6 +18,7 @@ + + #include + #include ++#include + #include + #include + #include +-- +2.14.5 + diff --git a/SOURCES/bind-9.11-fips-disable.patch b/SOURCES/bind-9.11-fips-disable.patch new file mode 100644 index 0000000..4ba1d2e --- /dev/null +++ b/SOURCES/bind-9.11-fips-disable.patch @@ -0,0 +1,121 @@ +From 38ae0949251e7bd228858120d8eaa2a697f84f1a Mon Sep 17 00:00:00 2001 +From: Petr Mensik +Date: Mon, 5 Aug 2019 11:54:03 +0200 +Subject: [PATCH] Allow explicit disabling of autodisabled MD5 + +Default security policy might include explicitly disabled RSAMD5 +algorithm. Current FIPS code automatically disables in FIPS mode. But if +RSAMD5 is included in security policy, it fails to start, because that +algorithm is not recognized. Allow it disabled, but fail on any +other usage. +--- + bin/named/server.c | 4 ++-- + lib/bind9/check.c | 4 ++++ + lib/dns/rcode.c | 33 +++++++++++++++------------------ + 3 files changed, 21 insertions(+), 20 deletions(-) + +diff --git a/bin/named/server.c b/bin/named/server.c +index 1afb461226..8116cab0cb 100644 +--- a/bin/named/server.c ++++ b/bin/named/server.c +@@ -1530,12 +1530,12 @@ disable_algorithms(const cfg_obj_t *disabled, dns_resolver_t *resolver) { + r.length = strlen(r.base); + + result = dns_secalg_fromtext(&alg, &r); +- if (result != ISC_R_SUCCESS) { ++ if (result != ISC_R_SUCCESS && result != ISC_R_DISABLED) { + isc_uint8_t ui; + result = isc_parse_uint8(&ui, r.base, 10); + alg = ui; + } +- if (result != ISC_R_SUCCESS) { ++ if (result != ISC_R_SUCCESS && result != ISC_R_DISABLED) { + cfg_obj_log(cfg_listelt_value(element), + ns_g_lctx, ISC_LOG_ERROR, + "invalid algorithm"); +diff --git a/lib/bind9/check.c b/lib/bind9/check.c +index 1a3d534799..545e3c6a5e 100644 +--- a/lib/bind9/check.c ++++ b/lib/bind9/check.c +@@ -298,6 +298,10 @@ disabled_algorithms(const cfg_obj_t *disabled, isc_log_t *logctx) { + r.length = strlen(r.base); + + tresult = dns_secalg_fromtext(&alg, &r); ++ if (tresult == ISC_R_DISABLED) { ++ // Recognize disabled algorithms, disable it explicitly ++ tresult = ISC_R_SUCCESS; ++ } + if (tresult != ISC_R_SUCCESS) { + cfg_obj_log(cfg_listelt_value(element), logctx, + ISC_LOG_ERROR, "invalid algorithm '%s'", +diff --git a/lib/dns/rcode.c b/lib/dns/rcode.c +index d1fa8d5870..d57a798e29 100644 +--- a/lib/dns/rcode.c ++++ b/lib/dns/rcode.c +@@ -124,7 +124,6 @@ + #endif + + #define SECALGNAMES \ +- MD5_SECALGNAMES \ + DH_SECALGNAMES \ + DSA_SECALGNAMES \ + { DNS_KEYALG_ECC, "ECC", 0 }, \ +@@ -176,6 +175,7 @@ static struct tbl rcodes[] = { RCODENAMES ERCODENAMES }; + static struct tbl tsigrcodes[] = { RCODENAMES TSIGRCODENAMES }; + static struct tbl certs[] = { CERTNAMES }; + static struct tbl secalgs[] = { SECALGNAMES }; ++static struct tbl md5_secalgs[] = { MD5_SECALGNAMES }; + static struct tbl secprotos[] = { SECPROTONAMES }; + static struct tbl hashalgs[] = { HASHALGNAMES }; + static struct tbl dsdigests[] = { DSDIGESTNAMES }; +@@ -348,33 +348,30 @@ dns_cert_totext(dns_cert_t cert, isc_buffer_t *target) { + return (dns_mnemonic_totext(cert, target, certs)); + } + +-static inline struct tbl * +-secalgs_tbl_start() { +- struct tbl *algs = secalgs; +- +-#ifndef PK11_MD5_DISABLE +- if (isc_md5_available() == ISC_FALSE) { +- while (algs->name != NULL && +- algs->value == DNS_KEYALG_RSAMD5) +- ++algs; +- } +-#endif +- return algs; +-} +- + isc_result_t + dns_secalg_fromtext(dns_secalg_t *secalgp, isc_textregion_t *source) { + unsigned int value; ++ isc_result_t result; + +- RETERR(dns_mnemonic_fromtext(&value, source, +- secalgs_tbl_start(), 0xff)); ++ result = dns_mnemonic_fromtext(&value, source, ++ secalgs, 0xff); ++ if (result != ISC_R_SUCCESS) { ++ result = dns_mnemonic_fromtext(&value, source, ++ md5_secalgs, 0xff); ++ if (result != ISC_R_SUCCESS) { ++ return (result); ++ } else if (!isc_md5_available()) { ++ *secalgp = value; ++ return (ISC_R_DISABLED); ++ } ++ } + *secalgp = value; + return (ISC_R_SUCCESS); + } + + isc_result_t + dns_secalg_totext(dns_secalg_t secalg, isc_buffer_t *target) { +- return (dns_mnemonic_totext(secalg, target, secalgs_tbl_start())); ++ return (dns_mnemonic_totext(secalg, target, secalgs)); + } + + void +-- +2.20.1 + diff --git a/SOURCES/bind-9.11-rh1668682.patch b/SOURCES/bind-9.11-rh1668682.patch new file mode 100644 index 0000000..3e268b6 --- /dev/null +++ b/SOURCES/bind-9.11-rh1668682.patch @@ -0,0 +1,37 @@ +From 16c1bd61384e993fef13d7be88fdd34551a2b3ce Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= +Date: Wed, 23 Jan 2019 20:12:51 +0100 +Subject: [PATCH] Use custom random generator only for bind build + +Do not test random entropy on startup when used by DHCP. On most cases +random entropy is not even used by DHCP. In cases it is (LDAP SSL), fail +whenever it is not available. + +Resolves: rhbz#1668682 +--- + lib/dns/openssl_link.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c +index 91e87d0..2551b0a 100644 +--- a/lib/dns/openssl_link.c ++++ b/lib/dns/openssl_link.c +@@ -289,6 +289,7 @@ dst__openssl_init(const char *engine) { + #endif + #endif /* !defined(OPENSSL_NO_ENGINE) */ + ++#ifdef ISC_PLATFORM_USETHREADS + /* Protect ourselves against unseeded PRNG */ + if (RAND_status() != 1) { + FATAL_ERROR(__FILE__, __LINE__, +@@ -296,6 +297,7 @@ dst__openssl_init(const char *engine) { + "cannot be initialized (see the `PRNG not " + "seeded' message in the OpenSSL FAQ)"); + } ++#endif /* ISC_PLATFORM_USETHREADS */ + + return (ISC_R_SUCCESS); + +-- +2.20.1 + diff --git a/SOURCES/bind-9.11-rh1679307.patch b/SOURCES/bind-9.11-rh1679307.patch new file mode 100644 index 0000000..05c553f --- /dev/null +++ b/SOURCES/bind-9.11-rh1679307.patch @@ -0,0 +1,245 @@ +From 88cf9dec060e8c3f1705a4e41a30e283bc3c8b1b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= +Date: Tue, 10 Jul 2018 14:34:35 +0200 +Subject: [PATCH] Improve error handling in idn_ace_to_locale() + +While idn2_to_unicode_8zlz() takes a 'flags' argument, it is ignored and +thus cannot be used to perform IDN checks on the output string. + +The bug in libidn2 versions before 2.0.5 was not that a call to +idn2_to_unicode_8zlz() with certain flags set did not cause IDN checks +to be performed. The bug was that idn2_to_unicode_8zlz() did not check +whether a conversion can be performed between UTF-8 and the current +locale's character encoding. In other words, with libidn2 version +2.0.5+, if the current locale's character encoding is ASCII, then +idn2_to_unicode_8zlz() will fail when it is passed any Punycode string +which decodes to a non-ASCII string, even if it is a valid IDNA2008 +name. + +Rework idn_ace_to_locale() so that invalid IDNA2008 names are properly +and consistently detected for all libidn2 versions and locales. + +Update the "idna" system test accordingly. Add checks for processing a +server response containing Punycode which decodes to an invalid IDNA2008 +name. Fix invalid subtest description. + +(cherry picked from commit 7fe0f00a3bf31dc26ee3dc8777e3076546b83990) +(cherry picked from commit 4fdee34a0b0ad142182914327a1bc53144b90ed1) +--- + bin/dig/dighost.c | 72 ++++++++++++++++++++++++------- + bin/tests/system/idna/tests.sh | 77 +++++++++++----------------------- + 2 files changed, 82 insertions(+), 67 deletions(-) + +diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c +index d46379ddc2..26528af3cc 100644 +--- a/bin/dig/dighost.c ++++ b/bin/dig/dighost.c +@@ -4812,26 +4812,70 @@ idn_locale_to_ace(const char *from, char *to, size_t tolen) { + static isc_result_t + idn_ace_to_locale(const char *from, char *to, size_t tolen) { + int res; +- char *tmp_str = NULL; ++ char *utf8_src, *tmp_str = NULL; + +- res = idn2_to_unicode_8zlz(from, &tmp_str, +- IDN2_NONTRANSITIONAL|IDN2_NFC_INPUT); ++ /* ++ * We need to: ++ * ++ * 1) check whether 'from' is a valid IDNA2008 name, ++ * 2) if it is, output it in the current locale's character encoding. ++ * ++ * Unlike idn2_to_ascii_*(), idn2_to_unicode_*() functions are unable ++ * to perform IDNA2008 validity checks. Thus, we need to decode any ++ * Punycode in 'from', check if the resulting name is a valid IDNA2008 ++ * name, and only once we ensure it is, output that name in the current ++ * locale's character encoding. ++ * ++ * We could just use idn2_to_unicode_8zlz() + idn2_to_ascii_lz(), but ++ * then we would not be able to universally tell invalid names and ++ * character encoding errors apart (if the current locale uses ASCII ++ * for character encoding, the former function would fail even for a ++ * valid IDNA2008 name, as long as it contained any non-ASCII ++ * character). Thus, we need to take a longer route. ++ * ++ * First, convert 'from' to UTF-8, ignoring the current locale. ++ */ ++ res = idn2_to_unicode_8z8z(from, &utf8_src, 0); ++ if (res != IDN2_OK) { ++ fatal("Bad ACE string '%s' (%s), use +noidnout", ++ from, idn2_strerror(res)); ++ } + +- if (res == IDN2_OK) { +- /* check the length */ +- if (strlen(tmp_str) >= tolen) { +- debug("encoded ASC string is too long"); +- idn2_free(tmp_str); +- return ISC_R_FAILURE; +- } ++ /* ++ * Then, check whether decoded 'from' is a valid IDNA2008 name. ++ */ ++ res = idn2_to_ascii_8z(utf8_src, NULL, IDN2_NONTRANSITIONAL); ++ if (res != IDN2_OK) { ++ fatal("'%s' is not a legal IDNA2008 name (%s), use +noidnout", ++ from, idn2_strerror(res)); ++ } + +- (void) strlcpy(to, tmp_str, tolen); ++ /* ++ * Finally, try converting the decoded 'from' into the current locale's ++ * character encoding. ++ */ ++ res = idn2_to_unicode_8zlz(utf8_src, &tmp_str, 0); ++ if (res != IDN2_OK) { ++ fatal("Cannot represent '%s' in the current locale (%s), " ++ "use +noidnout or a different locale", ++ from, idn2_strerror(res)); ++ } ++ ++ /* ++ * Free the interim conversion result. ++ */ ++ idn2_free(utf8_src); ++ ++ /* check the length */ ++ if (strlen(tmp_str) >= tolen) { ++ debug("encoded ASC string is too long"); + idn2_free(tmp_str); +- return ISC_R_SUCCESS; ++ return (ISC_R_FAILURE); + } + +- fatal("'%s' is not a legal IDN name (%s), use +noidnout", from, idn2_strerror(res)); +- return ISC_R_FAILURE; ++ (void) strlcpy(to, tmp_str, tolen); ++ idn2_free(tmp_str); ++ return (ISC_R_SUCCESS); + } + #endif /* WITH_IDN_OUT_SUPPORT */ + #endif /* WITH_LIBIDN2 */ +diff --git a/bin/tests/system/idna/tests.sh b/bin/tests/system/idna/tests.sh +index 3a9b91b442..6637bf6828 100644 +--- a/bin/tests/system/idna/tests.sh ++++ b/bin/tests/system/idna/tests.sh +@@ -136,46 +136,6 @@ idna_fail() { + status=`expr $status + $ret` + } + +-# Check if current version of libidn2 is >= a given version +-# +-# This requires that: +-# a) "pkg-config" exists on the system +-# b) The libidn2 installed has an associated ".pc" file +-# c) The system sort command supports "-V" +-# +-# $1 - Minimum version required +-# +-# Returns: +-# 0 - Version check is OK, libidn2 at required version or greater. +-# 1 - Version check was made, but libidn2 not at required version. +-# 2 - Could not carry out version check +- +-libidn_version_check() { +- ret=2 +- if [ -n "`command -v pkg-config`" ]; then +- version=`pkg-config --modversion --silence-errors libidn2` +- if [ -n "$version" ]; then +- # Does the sort command have a "-V" flag on this system? +- sort -V 2>&1 > /dev/null << . +-. +- if [ $? -eq 0 ]; then +- # Sort -V exists. Sort the IDN version and the minimum version +- # required. If the IDN version is greater than or equal to that +- # version, it will appear last in the list. +- last_version=`printf "%s\n" $version $1 | sort -V | tail -1` +- if [ "$version" = "$last_version" ]; then +- ret=0 +- else +- ret=1 +- fi +- fi +- fi +- fi +- +- return $ret +-} +- +- + # Function to check that case is preserved for an all-ASCII label. + # + # Without IDNA support, case-preservation is the expected behavior. +@@ -310,16 +270,7 @@ idna_enabled_test() { + text="Checking fake A-label" + idna_fail "$text" "" "xn--ahahah" + idna_test "$text" "+noidnin +noidnout" "xn--ahahah" "xn--ahahah." +- +- # Owing to issues with libdns, the next test will fail for versions of +- # libidn earlier than 2.0.5. For this reason, get the version (if +- # available) and compare with 2.0.5. +- libidn_version_check 2.0.5 +- if [ $? -ne 0 ]; then +- echo_i "Skipping fake A-label +noidnin +idnout test (libidn2 version issues)" +- else +- idna_test "$text" "+noidnin +idnout" "xn--ahahah" "xn--ahahah." +- fi ++ idna_fail "$text" "+noidnin +idnout" "xn--ahahah" + idna_fail "$text" "+idnin +noidnout" "xn--ahahah" + idna_fail "$text" "+idnin +idnout" "xn--ahahah" + +@@ -327,7 +278,7 @@ idna_enabled_test() { + # BIND rejects such labels: with +idnin + + label="xn--xflod18hstflod18hstflod18hstflod18hstflod18hstflod18-1iejjjj" +- text="Checking punycode label shorter than minimum valid length" ++ text="Checking punycode label longer than maximum valid length" + idna_fail "$text" "" "$label" + idna_fail "$text" "+noidnin +noidnout" "$label" + idna_fail "$text" "+noidnin +idnout" "$label" +@@ -337,7 +288,7 @@ idna_enabled_test() { + + + +- # Tests of a valid unicode string but an invalid U-label ++ # Tests of a valid unicode string but an invalid U-label (input) + # + # Symbols are not valid IDNA names. + # +@@ -347,12 +298,32 @@ idna_enabled_test() { + # + # The +[no]idnout options should not have any effect on the test. + +- text="Checking invalid U-label" ++ text="Checking invalid input U-label" + idna_fail "$text" "" "🧦.com" + idna_test "$text" "+noidnin +noidnout" "🧦.com" "\240\159\167\166.com." + idna_test "$text" "+noidnin +idnout" "🧦.com" "\240\159\167\166.com." + idna_fail "$text" "+idnin +noidnout" "🧦.com" + idna_fail "$text" "+idnin +idnout" "🧦.com" ++ ++ # Tests of a valid unicode string but an invalid U-label (output) ++ # ++ # Symbols are not valid IDNA names. ++ # ++ # Note that an invalid U-label is accepted even when +idnin is in effect ++ # because "xn--19g" is valid Punycode. ++ # ++ # +noidnout: "dig" should send the ACE string to the server and display the ++ # returned qname. ++ # +idnout: "dig" should generate an error. ++ # ++ # The +[no]idnin options should not have any effect on the test. ++ ++ text="Checking invalid output U-label" ++ idna_fail "$text" "" "xn--19g" ++ idna_test "$text" "+noidnin +noidnout" "xn--19g" "xn--19g." ++ idna_fail "$text" "+noidnin +idnout" "xn--19g" ++ idna_test "$text" "+idnin +noidnout" "xn--19g" "xn--19g." ++ idna_fail "$text" "+idnin +idnout" "xn--19g" + } + + +-- +2.20.1 + diff --git a/SOURCES/bind-9.11-rt31459.patch b/SOURCES/bind-9.11-rt31459.patch new file mode 100644 index 0000000..6208ef2 --- /dev/null +++ b/SOURCES/bind-9.11-rt31459.patch @@ -0,0 +1,2199 @@ +From ae9c9ef5a5ba06cf57b5a87b5f2bbc71649ba41b Mon Sep 17 00:00:00 2001 +From: Evan Hunt +Date: Tue, 12 Sep 2017 19:05:46 -0700 +Subject: [PATCH] rebased rt31459c + +[rt31459d] update the newer tools + +[rt31459d] setup entropy in dns_lib_init() + +[rt31459d] silence compiler warning + +DNS_OPENSSL_LIBS -> DST_OPENSSL_LIBS + +Include new unit test +--- + bin/confgen/keygen.c | 7 + + bin/dnssec/dnssec-dsfromkey.c | 8 +- + bin/dnssec/dnssec-importkey.c | 8 +- + bin/dnssec/dnssec-revoke.c | 8 +- + bin/dnssec/dnssec-settime.c | 8 +- + bin/dnssec/dnssec-signzone.c | 11 +- + bin/dnssec/dnssec-verify.c | 8 +- + bin/dnssec/dnssectool.c | 11 +- + bin/named/server.c | 6 + + bin/nsupdate/nsupdate.c | 18 ++- + bin/tests/makejournal.c | 6 +- + bin/tests/system/pipelined/pipequeries.c | 20 ++- + bin/tests/system/pipelined/tests.sh | 4 +- + bin/tests/system/rsabigexponent/bigkey.c | 4 + + bin/tests/system/tkey/keycreate.c | 26 +++- + bin/tests/system/tkey/keydelete.c | 26 +++- + bin/tests/system/tkey/tests.sh | 8 +- + bin/tools/mdig.c | 3 +- + configure | 250 ++++++++++++++++++------------- + configure.in | 77 +++++++++- + lib/dns/dst_api.c | 21 ++- + lib/dns/include/dst/dst.h | 8 + + lib/dns/lib.c | 17 ++- + lib/dns/openssl_link.c | 72 ++++++++- + lib/dns/pkcs11.c | 29 +++- + lib/dns/tests/Atffile | 1 + + lib/dns/tests/Kyuafile | 1 + + lib/dns/tests/Makefile.in | 7 + + lib/dns/tests/dnstest.c | 14 +- + lib/dns/tests/dstrandom_test.c | 105 +++++++++++++ + lib/dns/win32/libdns.def.in | 7 + + lib/isc/entropy.c | 24 +++ + lib/isc/include/isc/entropy.h | 12 ++ + lib/isc/include/isc/platform.h.in | 5 + + lib/isc/include/isc/types.h | 2 + + lib/isc/pk11.c | 12 +- + lib/isc/win32/include/isc/platform.h.in | 5 + + win32utils/Configure | 29 +++- + 38 files changed, 704 insertions(+), 184 deletions(-) + create mode 100644 lib/dns/tests/dstrandom_test.c + +diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c +index 11cc54d..fa439cc 100644 +--- a/bin/confgen/keygen.c ++++ b/bin/confgen/keygen.c +@@ -165,6 +165,13 @@ generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg, + randomfile = NULL; + open_keyboard = ISC_ENTROPY_KEYBOARDYES; + } ++#ifdef ISC_PLATFORM_CRYPTORANDOM ++ if (randomfile != NULL && ++ strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { ++ randomfile = NULL; ++ isc_entropy_usehook(ectx, ISC_TRUE); ++ } ++#endif + DO("start entropy source", isc_entropy_usebestsource(ectx, + &entropy_source, + randomfile, +diff --git a/bin/dnssec/dnssec-dsfromkey.c b/bin/dnssec/dnssec-dsfromkey.c +index 94a982c..897c497 100644 +--- a/bin/dnssec/dnssec-dsfromkey.c ++++ b/bin/dnssec/dnssec-dsfromkey.c +@@ -495,14 +495,14 @@ main(int argc, char **argv) { + + if (ectx == NULL) + setup_entropy(mctx, NULL, &ectx); +- result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE); +- if (result != ISC_R_SUCCESS) +- fatal("could not initialize hash"); + result = dst_lib_init(mctx, ectx, + ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY); + if (result != ISC_R_SUCCESS) + fatal("could not initialize dst: %s", + isc_result_totext(result)); ++ result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE); ++ if (result != ISC_R_SUCCESS) ++ fatal("could not initialize hash"); + isc_entropy_stopcallbacksources(ectx); + + setup_logging(mctx, &log); +@@ -564,8 +564,8 @@ main(int argc, char **argv) { + if (dns_rdataset_isassociated(&rdataset)) + dns_rdataset_disassociate(&rdataset); + cleanup_logging(&log); +- dst_lib_destroy(); + isc_hash_destroy(); ++ dst_lib_destroy(); + cleanup_entropy(&ectx); + dns_name_destroy(); + if (verbose > 10) +diff --git a/bin/dnssec/dnssec-importkey.c b/bin/dnssec/dnssec-importkey.c +index 2edf614..840316c 100644 +--- a/bin/dnssec/dnssec-importkey.c ++++ b/bin/dnssec/dnssec-importkey.c +@@ -406,14 +406,14 @@ main(int argc, char **argv) { + + if (ectx == NULL) + setup_entropy(mctx, NULL, &ectx); +- result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE); +- if (result != ISC_R_SUCCESS) +- fatal("could not initialize hash"); + result = dst_lib_init(mctx, ectx, + ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY); + if (result != ISC_R_SUCCESS) + fatal("could not initialize dst: %s", + isc_result_totext(result)); ++ result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE); ++ if (result != ISC_R_SUCCESS) ++ fatal("could not initialize hash"); + isc_entropy_stopcallbacksources(ectx); + + setup_logging(mctx, &log); +@@ -457,8 +457,8 @@ main(int argc, char **argv) { + if (dns_rdataset_isassociated(&rdataset)) + dns_rdataset_disassociate(&rdataset); + cleanup_logging(&log); +- dst_lib_destroy(); + isc_hash_destroy(); ++ dst_lib_destroy(); + cleanup_entropy(&ectx); + dns_name_destroy(); + if (verbose > 10) +diff --git a/bin/dnssec/dnssec-revoke.c b/bin/dnssec/dnssec-revoke.c +index 10fad0b..0b68e99 100644 +--- a/bin/dnssec/dnssec-revoke.c ++++ b/bin/dnssec/dnssec-revoke.c +@@ -182,14 +182,14 @@ main(int argc, char **argv) { + + if (ectx == NULL) + setup_entropy(mctx, NULL, &ectx); +- result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE); +- if (result != ISC_R_SUCCESS) +- fatal("Could not initialize hash"); + result = dst_lib_init2(mctx, ectx, engine, + ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY); + if (result != ISC_R_SUCCESS) + fatal("Could not initialize dst: %s", + isc_result_totext(result)); ++ result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE); ++ if (result != ISC_R_SUCCESS) ++ fatal("Could not initialize hash"); + isc_entropy_stopcallbacksources(ectx); + + result = dst_key_fromnamedfile(filename, dir, +@@ -271,8 +271,8 @@ main(int argc, char **argv) { + + cleanup: + dst_key_free(&key); +- dst_lib_destroy(); + isc_hash_destroy(); ++ dst_lib_destroy(); + cleanup_entropy(&ectx); + if (verbose > 10) + isc_mem_stats(mctx, stdout); +diff --git a/bin/dnssec/dnssec-settime.c b/bin/dnssec/dnssec-settime.c +index 360cdb9..b7bf171 100644 +--- a/bin/dnssec/dnssec-settime.c ++++ b/bin/dnssec/dnssec-settime.c +@@ -380,14 +380,14 @@ main(int argc, char **argv) { + + if (ectx == NULL) + setup_entropy(mctx, NULL, &ectx); +- result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE); +- if (result != ISC_R_SUCCESS) +- fatal("Could not initialize hash"); + result = dst_lib_init2(mctx, ectx, engine, + ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY); + if (result != ISC_R_SUCCESS) + fatal("Could not initialize dst: %s", + isc_result_totext(result)); ++ result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE); ++ if (result != ISC_R_SUCCESS) ++ fatal("Could not initialize hash"); + isc_entropy_stopcallbacksources(ectx); + + if (predecessor != NULL) { +@@ -672,8 +672,8 @@ main(int argc, char **argv) { + if (prevkey != NULL) + dst_key_free(&prevkey); + dst_key_free(&key); +- dst_lib_destroy(); + isc_hash_destroy(); ++ dst_lib_destroy(); + cleanup_entropy(&ectx); + if (verbose > 10) + isc_mem_stats(mctx, stdout); +diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c +index 1bea357..53be1f5 100644 +--- a/bin/dnssec/dnssec-signzone.c ++++ b/bin/dnssec/dnssec-signzone.c +@@ -3459,14 +3459,15 @@ main(int argc, char *argv[]) { + if (!pseudorandom) + eflags |= ISC_ENTROPY_GOODONLY; + +- result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE); +- if (result != ISC_R_SUCCESS) +- fatal("could not create hash context"); +- + result = dst_lib_init2(mctx, ectx, engine, eflags); + if (result != ISC_R_SUCCESS) + fatal("could not initialize dst: %s", + isc_result_totext(result)); ++ ++ result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE); ++ if (result != ISC_R_SUCCESS) ++ fatal("could not create hash context"); ++ + isc_stdtime_get(&now); + + if (startstr != NULL) { +@@ -3878,8 +3879,8 @@ main(int argc, char *argv[]) { + dns_master_styledestroy(&dsstyle, mctx); + + cleanup_logging(&log); +- dst_lib_destroy(); + isc_hash_destroy(); ++ dst_lib_destroy(); + cleanup_entropy(&ectx); + dns_name_destroy(); + if (verbose > 10) +diff --git a/bin/dnssec/dnssec-verify.c b/bin/dnssec/dnssec-verify.c +index 792510a..dc32765 100644 +--- a/bin/dnssec/dnssec-verify.c ++++ b/bin/dnssec/dnssec-verify.c +@@ -280,15 +280,15 @@ main(int argc, char *argv[]) { + if (ectx == NULL) + setup_entropy(mctx, NULL, &ectx); + +- result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE); +- if (result != ISC_R_SUCCESS) +- fatal("could not create hash context"); +- + result = dst_lib_init2(mctx, ectx, engine, ISC_ENTROPY_BLOCKING); + if (result != ISC_R_SUCCESS) + fatal("could not initialize dst: %s", + isc_result_totext(result)); + ++ result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE); ++ if (result != ISC_R_SUCCESS) ++ fatal("could not create hash context"); ++ + isc_stdtime_get(&now); + + rdclass = strtoclass(classname); +diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c +index dc32c90..4ea9eaf 100644 +--- a/bin/dnssec/dnssectool.c ++++ b/bin/dnssec/dnssectool.c +@@ -32,6 +32,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -233,7 +234,8 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { + if (*ectx == NULL) { + result = isc_entropy_create(mctx, ectx); + if (result != ISC_R_SUCCESS) +- fatal("could not create entropy object"); ++ fatal("could not create entropy object: %s", ++ isc_result_totext(result)); + ISC_LIST_INIT(sources); + } + +@@ -242,6 +244,13 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { + randomfile = NULL; + } + ++#ifdef ISC_PLATFORM_CRYPTORANDOM ++ if (randomfile != NULL && ++ strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { ++ randomfile = NULL; ++ isc_entropy_usehook(*ectx, ISC_TRUE); ++ } ++#endif + result = isc_entropy_usebestsource(*ectx, &source, randomfile, + usekeyboard); + +diff --git a/bin/named/server.c b/bin/named/server.c +index 59a8998..ee5186c 100644 +--- a/bin/named/server.c ++++ b/bin/named/server.c +@@ -34,6 +34,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -8083,6 +8084,10 @@ load_configuration(const char *filename, ns_server_t *server, + "no source of entropy found"); + } else { + const char *randomdev = cfg_obj_asstring(obj); ++#ifdef ISC_PLATFORM_CRYPTORANDOM ++ if (strcmp(randomdev, ISC_PLATFORM_CRYPTORANDOM) == 0) ++ isc_entropy_usehook(ns_g_entropy, ISC_TRUE); ++#else + int level = ISC_LOG_ERROR; + result = isc_entropy_createfilesource(ns_g_entropy, + randomdev); +@@ -8117,6 +8122,7 @@ load_configuration(const char *filename, ns_server_t *server, + } + isc_entropy_detach(&ns_g_fallbackentropy); + } ++#endif + #endif + } + } +diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c +index bb5d500..46c7acf 100644 +--- a/bin/nsupdate/nsupdate.c ++++ b/bin/nsupdate/nsupdate.c +@@ -33,6 +33,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -269,7 +270,8 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { + if (*ectx == NULL) { + result = isc_entropy_create(mctx, ectx); + if (result != ISC_R_SUCCESS) +- fatal("could not create entropy object"); ++ fatal("could not create entropy object: %s", ++ isc_result_totext(result)); + ISC_LIST_INIT(sources); + } + +@@ -278,6 +280,13 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { + randomfile = NULL; + } + ++#ifdef ISC_PLATFORM_CRYPTORANDOM ++ if (randomfile != NULL && ++ strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { ++ randomfile = NULL; ++ isc_entropy_usehook(*ectx, ISC_TRUE); ++ } ++#endif + result = isc_entropy_usebestsource(*ectx, &source, randomfile, + usekeyboard); + +@@ -948,11 +957,11 @@ setup_system(void) { + } + } + +- setup_entropy(gmctx, NULL, &entropy); ++ if (entropy == NULL) ++ setup_entropy(gmctx, NULL, &entropy); + + result = isc_hash_create(gmctx, entropy, DNS_NAME_MAXWIRE); + check_result(result, "isc_hash_create"); +- isc_hash_init(); + + result = dns_dispatchmgr_create(gmctx, entropy, &dispatchmgr); + check_result(result, "dns_dispatchmgr_create"); +@@ -976,6 +985,9 @@ setup_system(void) { + check_result(result, "dst_lib_init"); + is_dst_up = ISC_TRUE; + ++ /* moved after dst_lib_init() */ ++ isc_hash_init(); ++ + attrmask = DNS_DISPATCHATTR_UDP | DNS_DISPATCHATTR_TCP; + attrmask |= DNS_DISPATCHATTR_IPV4 | DNS_DISPATCHATTR_IPV6; + +diff --git a/bin/tests/makejournal.c b/bin/tests/makejournal.c +index fed59be..9f125da 100644 +--- a/bin/tests/makejournal.c ++++ b/bin/tests/makejournal.c +@@ -100,12 +100,12 @@ main(int argc, char **argv) { + CHECK(isc_mem_create(0, 0, &mctx)); + CHECK(isc_entropy_create(mctx, &ectx)); + +- CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)); +- hash_active = ISC_TRUE; +- + CHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_BLOCKING)); + dst_active = ISC_TRUE; + ++ CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)); ++ hash_active = ISC_TRUE; ++ + CHECK(isc_log_create(mctx, &lctx, &logconfig)); + isc_log_registercategories(lctx, categories); + isc_log_setcontext(lctx); +diff --git a/bin/tests/system/pipelined/pipequeries.c b/bin/tests/system/pipelined/pipequeries.c +index 379b6a3..810d99e 100644 +--- a/bin/tests/system/pipelined/pipequeries.c ++++ b/bin/tests/system/pipelined/pipequeries.c +@@ -202,6 +202,7 @@ sendqueries(isc_task_t *task, isc_event_t *event) { + + int + main(int argc, char *argv[]) { ++ char *randomfile = NULL; + isc_sockaddr_t bind_any; + struct in_addr inaddr; + isc_result_t result; +@@ -222,7 +223,7 @@ main(int argc, char *argv[]) { + UNUSED(argv); + + isc_commandline_errprint = ISC_FALSE; +- while ((c = isc_commandline_parse(argc, argv, "p:")) != -1) { ++ while ((c = isc_commandline_parse(argc, argv, "p:r:")) != -1) { + switch (c) { + case 'p': + result = isc_parse_uint16(&port, +@@ -233,6 +234,9 @@ main(int argc, char *argv[]) { + exit(1); + } + break; ++ case 'r': ++ randomfile = isc_commandline_argument; ++ break; + case '?': + fprintf(stderr, "%s: invalid argument '%c'", + argv[0], c); +@@ -274,10 +278,18 @@ main(int argc, char *argv[]) { + + ectx = NULL; + RUNCHECK(isc_entropy_create(mctx, &ectx)); +- RUNCHECK(isc_entropy_createfilesource(ectx, "../random.data")); +- RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)); ++#ifdef ISC_PLATFORM_CRYPTORANDOM ++ if (randomfile != NULL && ++ strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { ++ randomfile = NULL; ++ isc_entropy_usehook(ectx, ISC_TRUE); ++ } ++#endif ++ if (randomfile != NULL) ++ RUNCHECK(isc_entropy_createfilesource(ectx, randomfile)); + + RUNCHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_GOODONLY)); ++ RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)); + + taskmgr = NULL; + RUNCHECK(isc_taskmgr_create(mctx, 1, 0, &taskmgr)); +@@ -330,8 +342,8 @@ main(int argc, char *argv[]) { + isc_task_detach(&task); + isc_taskmgr_destroy(&taskmgr); + +- dst_lib_destroy(); + isc_hash_destroy(); ++ dst_lib_destroy(); + isc_entropy_detach(&ectx); + + isc_log_destroy(&lctx); +diff --git a/bin/tests/system/pipelined/tests.sh b/bin/tests/system/pipelined/tests.sh +index a6720ce..9063b1f 100644 +--- a/bin/tests/system/pipelined/tests.sh ++++ b/bin/tests/system/pipelined/tests.sh +@@ -19,7 +19,7 @@ status=0 + + echo_i "check pipelined TCP queries" + ret=0 +-$PIPEQUERIES -p ${PORT} < input > raw || ret=1 ++$PIPEQUERIES -p ${PORT} -r $RANDFILE < input > raw || ret=1 + awk '{ print $1 " " $5 }' < raw > output + sort < output > output-sorted + diff ref output-sorted || { ret=1 ; echo_i "diff sorted failed"; } +@@ -43,7 +43,7 @@ status=`expr $status + $ret` + + echo_i "check keep-response-order" + ret=0 +-$PIPEQUERIES -p ${PORT} ++ < inputb > rawb || ret=1 ++$PIPEQUERIES -p ${PORT} -r $RANDFILE ++ < inputb > rawb || ret=1 + awk '{ print $1 " " $5 }' < rawb > outputb + diff refb outputb || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi +diff --git a/bin/tests/system/rsabigexponent/bigkey.c b/bin/tests/system/rsabigexponent/bigkey.c +index 4462f2e..f1230d8 100644 +--- a/bin/tests/system/rsabigexponent/bigkey.c ++++ b/bin/tests/system/rsabigexponent/bigkey.c +@@ -20,6 +20,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -183,6 +184,9 @@ main(int argc, char **argv) { + + CHECK(isc_mem_create(0, 0, &mctx), "isc_mem_create()"); + CHECK(isc_entropy_create(mctx, &ectx), "isc_entropy_create()"); ++#ifdef ISC_PLATFORM_CRYPTORANDOM ++ isc_entropy_usehook(ectx, ISC_TRUE); ++#endif + CHECK(isc_entropy_usebestsource(ectx, &source, + "../random.data", + ISC_ENTROPY_KEYBOARDNO), +diff --git a/bin/tests/system/tkey/keycreate.c b/bin/tests/system/tkey/keycreate.c +index 489f439..4f2f5b4 100644 +--- a/bin/tests/system/tkey/keycreate.c ++++ b/bin/tests/system/tkey/keycreate.c +@@ -206,6 +206,7 @@ sendquery(isc_task_t *task, isc_event_t *event) { + int + main(int argc, char *argv[]) { + char *ourkeyname; ++ char *randomfile; + isc_taskmgr_t *taskmgr; + isc_timermgr_t *timermgr; + isc_socketmgr_t *socketmgr; +@@ -225,10 +226,21 @@ main(int argc, char *argv[]) { + + RUNCHECK(isc_app_start()); + ++ randomfile = NULL; ++ + if (argc < 2) { + fprintf(stderr, "I:no DH key provided\n"); + exit(-1); + } ++ if (strcmp(argv[1], "-r") == 0) { ++ if (argc < 4) { ++ fprintf(stderr, "I:no DH key provided\n"); ++ exit(-1); ++ } ++ randomfile = argv[2]; ++ argv += 2; ++ argc -= 2; ++ } + ourkeyname = argv[1]; + + if (argc >= 3) +@@ -242,14 +254,22 @@ main(int argc, char *argv[]) { + + ectx = NULL; + RUNCHECK(isc_entropy_create(mctx, &ectx)); +- RUNCHECK(isc_entropy_createfilesource(ectx, "../random.data")); +- RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)); ++#ifdef ISC_PLATFORM_CRYPTORANDOM ++ if (randomfile != NULL && ++ strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { ++ randomfile = NULL; ++ isc_entropy_usehook(ectx, ISC_TRUE); ++ } ++#endif ++ if (randomfile != NULL) ++ RUNCHECK(isc_entropy_createfilesource(ectx, randomfile)); + + log = NULL; + logconfig = NULL; + RUNCHECK(isc_log_create(mctx, &log, &logconfig)); + + RUNCHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_GOODONLY)); ++ RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)); + + taskmgr = NULL; + RUNCHECK(isc_taskmgr_create(mctx, 1, 0, &taskmgr)); +@@ -328,8 +348,8 @@ main(int argc, char *argv[]) { + + isc_log_destroy(&log); + +- dst_lib_destroy(); + isc_hash_destroy(); ++ dst_lib_destroy(); + isc_entropy_detach(&ectx); + + isc_mem_destroy(&mctx); +diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c +index 36ee6c7..0975bbe 100644 +--- a/bin/tests/system/tkey/keydelete.c ++++ b/bin/tests/system/tkey/keydelete.c +@@ -136,6 +136,7 @@ sendquery(isc_task_t *task, isc_event_t *event) { + int + main(int argc, char **argv) { + char *keyname; ++ char *randomfile; + isc_taskmgr_t *taskmgr; + isc_timermgr_t *timermgr; + isc_socketmgr_t *socketmgr; +@@ -156,10 +157,21 @@ main(int argc, char **argv) { + + RUNCHECK(isc_app_start()); + ++ randomfile = NULL; ++ + if (argc < 2) { + fprintf(stderr, "I:no key to delete\n"); + exit(-1); + } ++ if (strcmp(argv[1], "-r") == 0) { ++ if (argc < 4) { ++ fprintf(stderr, "I:no DH key provided\n"); ++ exit(-1); ++ } ++ randomfile = argv[2]; ++ argv += 2; ++ argc -= 2; ++ } + keyname = argv[1]; + + dns_result_register(); +@@ -169,14 +181,22 @@ main(int argc, char **argv) { + + ectx = NULL; + RUNCHECK(isc_entropy_create(mctx, &ectx)); +- RUNCHECK(isc_entropy_createfilesource(ectx, "../random.data")); +- RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)); ++#ifdef ISC_PLATFORM_CRYPTORANDOM ++ if (randomfile != NULL && ++ strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { ++ randomfile = NULL; ++ isc_entropy_usehook(ectx, ISC_TRUE); ++ } ++#endif ++ if (randomfile != NULL) ++ RUNCHECK(isc_entropy_createfilesource(ectx, randomfile)); + + log = NULL; + logconfig = NULL; + RUNCHECK(isc_log_create(mctx, &log, &logconfig)); + + RUNCHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_GOODONLY)); ++ RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)); + + taskmgr = NULL; + RUNCHECK(isc_taskmgr_create(mctx, 1, 0, &taskmgr)); +@@ -265,8 +285,8 @@ main(int argc, char **argv) { + + isc_log_destroy(&log); + +- dst_lib_destroy(); + isc_hash_destroy(); ++ dst_lib_destroy(); + isc_entropy_detach(&ectx); + + isc_mem_destroy(&mctx); +diff --git a/bin/tests/system/tkey/tests.sh b/bin/tests/system/tkey/tests.sh +index 9f90dd7..fad6c83 100644 +--- a/bin/tests/system/tkey/tests.sh ++++ b/bin/tests/system/tkey/tests.sh +@@ -33,7 +33,7 @@ for owner in . foo.example. + do + echo "I:creating new key using owner name \"$owner\"" + ret=0 +- keyname=`$KEYCREATE $dhkeyname $owner` || ret=1 ++ keyname=`$KEYCREATE -r $RANDFILE $dhkeyname $owner` || ret=1 + if [ $ret != 0 ]; then + echo "I:failed" + status=`expr $status + $ret` +@@ -55,7 +55,7 @@ do + + echo "I:deleting new key" + ret=0 +- $KEYDELETE $keyname || ret=1 ++ $KEYDELETE -r $RANDFILE $keyname || ret=1 + if [ $ret != 0 ]; then + echo "I:failed" + fi +@@ -75,7 +75,7 @@ done + + echo "I:creating new key using owner name bar.example." + ret=0 +-keyname=`$KEYCREATE $dhkeyname bar.example.` || ret=1 ++keyname=`$KEYCREATE -r $RANDFILE $dhkeyname bar.example.` || ret=1 + if [ $ret != 0 ]; then + echo "I:failed" + status=`expr $status + $ret` +@@ -116,7 +116,7 @@ status=`expr $status + $ret` + + echo "I:recreating the bar.example. key" + ret=0 +-keyname=`$KEYCREATE $dhkeyname bar.example.` || ret=1 ++keyname=`$KEYCREATE -r $RANDFILE $dhkeyname bar.example.` || ret=1 + if [ $ret != 0 ]; then + echo "I:failed" + status=`expr $status + $ret` +diff --git a/bin/tools/mdig.c b/bin/tools/mdig.c +index 1f5dd4c..4e3bfa5 100644 +--- a/bin/tools/mdig.c ++++ b/bin/tools/mdig.c +@@ -1933,12 +1933,11 @@ main(int argc, char *argv[]) { + + ectx = NULL; + RUNCHECK(isc_entropy_create(mctx, &ectx)); ++ RUNCHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_GOODONLY)); + RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)); + RUNCHECK(isc_entropy_getdata(ectx, cookie_secret, + sizeof(cookie_secret), NULL, 0)); + +- RUNCHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_GOODONLY)); +- + ISC_LIST_INIT(queries); + parse_args(ISC_FALSE, argc, argv); + if (server == NULL) +diff --git a/configure b/configure +index c83773a..ac1ea3f 100755 +--- a/configure ++++ b/configure +@@ -640,6 +640,7 @@ ac_includes_default="\ + + ac_subst_vars='LTLIBOBJS + LIBOBJS ++LIBDIR_SUFFIX + BUILD_LIBS + BUILD_LDFLAGS + BUILD_CPPFLAGS +@@ -825,6 +826,7 @@ XMLSTATS + NZDTARGETS + NZDSRCS + NZD_TOOLS ++ISC_PLATFORM_CRYPTORANDOM + PKCS11_TEST + PKCS11_ED25519 + PKCS11_GOST +@@ -1037,6 +1039,7 @@ with_eddsa + with_aes + enable_openssl_hash + with_cc_alg ++enable_crypto_rand + with_lmdb + with_libxml2 + with_libjson +@@ -1730,6 +1733,7 @@ Optional Features: + --enable-threads enable multithreading + --enable-native-pkcs11 use native PKCS11 for all crypto [default=no] + --enable-openssl-hash use OpenSSL for hash functions [default=no] ++ --enable-crypto-rand use the crypto provider for random [default=yes] + --enable-largefile 64-bit file support + --enable-backtrace log stack backtrace on abort [default=yes] + --enable-symtable use internal symbol table for backtrace +@@ -16486,6 +16490,7 @@ case "$use_openssl" in + $as_echo "disabled because of native PKCS11" >&6; } + DST_OPENSSL_INC="" + CRYPTO="-DPKCS11CRYPTO" ++ CRYPTOLIB="pkcs11" + OPENSSLECDSALINKOBJS="" + OPENSSLECDSALINKSRCS="" + OPENSSLEDDSALINKOBJS="" +@@ -16500,6 +16505,7 @@ $as_echo "disabled because of native PKCS11" >&6; } + $as_echo "no" >&6; } + DST_OPENSSL_INC="" + CRYPTO="" ++ CRYPTOLIB="" + OPENSSLECDSALINKOBJS="" + OPENSSLECDSALINKSRCS="" + OPENSSLEDDSALINKOBJS="" +@@ -16512,6 +16518,7 @@ $as_echo "no" >&6; } + auto) + DST_OPENSSL_INC="" + CRYPTO="" ++ CRYPTOLIB="" + OPENSSLECDSALINKOBJS="" + OPENSSLECDSALINKSRCS="" + OPENSSLEDDSALINKOBJS="" +@@ -16521,7 +16528,7 @@ $as_echo "no" >&6; } + OPENSSLLINKOBJS="" + OPENSSLLINKSRCS="" + as_fn_error $? "OpenSSL was not found in any of $openssldirs; use --with-openssl=/path +-If you don't want OpenSSL, use --without-openssl" "$LINENO" 5 ++If you do not want OpenSSL, use --without-openssl" "$LINENO" 5 + ;; + *) + if test "yes" = "$want_native_pkcs11" +@@ -16552,6 +16559,7 @@ $as_echo "not found" >&6; } + as_fn_error $? "\"$use_openssl/include/openssl/opensslv.h\" not found" "$LINENO" 5 + fi + CRYPTO='-DOPENSSL' ++ CRYPTOLIB="openssl" + if test "/usr" = "$use_openssl" + then + DST_OPENSSL_INC="" +@@ -17213,8 +17221,6 @@ fi + # Use OpenSSL for hash functions + # + +-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for using OpenSSL for hash functions" >&5 +-$as_echo_n "checking for using OpenSSL for hash functions... " >&6; } + ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH" + case $want_openssl_hash in + yes) +@@ -17583,6 +17589,86 @@ if test "rt" = "$have_clock_gt"; then + LIBS="-lrt $LIBS" + fi + ++# ++# Use the crypto provider (OpenSSL/PKCS#11) for random functions ++# ++ ++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for using the crypto library (vs. builtin) for random functions" >&5 ++$as_echo_n "checking for using the crypto library (vs. builtin) for random functions... " >&6; } ++# Check whether --enable-crypto-rand was given. ++if test "${enable_crypto_rand+set}" = set; then : ++ enableval=$enable_crypto_rand; want_crypto_rand="$enableval" ++else ++ want_crypto_rand="auto" ++fi ++ ++if test "$want_crypto_rand" = "auto" ++then ++ case "$CRYPTOLIB" in ++ "") ++ want_crypto_rand="no" ++ ;; ++ pkcs11) ++ want_crypto_rand="yes" ++ ;; ++ openssl) ++ saved_cflags="$CFLAGS" ++ saved_libs="$LIBS" ++ CFLAGS="$CFLAGS $DST_OPENSSL_INC" ++ LIBS="$LIBS $DST_OPENSSL_LIBS" ++ if test "$cross_compiling" = yes; then : ++ want_crypto_rand="yes" ++else ++ cat confdefs.h - <<_ACEOF >conftest.$ac_ext ++/* end confdefs.h. */ ++ ++#include ++ ++unsigned char buf[128]; ++ ++int main() ++{ ++ if (RAND_bytes(buf, 128) != 1) ++ return (1); ++ return (0); ++} ++ ++_ACEOF ++if ac_fn_c_try_run "$LINENO"; then : ++ want_crypto_rand="yes" ++else ++ want_crypto_rand="no" ++fi ++rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ ++ conftest.$ac_objext conftest.beam conftest.$ac_ext ++fi ++ ++ CFLAGS="$saved_cflags" ++ LIBS="$saved_libs" ++ ;; ++ *) ++ as_fn_error $? "Unknown crypto library define $CRYPTOLIB" "$LINENO" 5 ++ ;; ++ esac ++fi ++case $want_crypto_rand in ++ yes) ++ if test "$CRYPTOLIB" = "" ++ then ++ as_fn_error $? "No crypto library for random functions" "$LINENO" 5 ++ fi ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: \"$CRYPTOLIB\"" >&5 ++$as_echo "\"$CRYPTOLIB\"" >&6; } ++ ISC_PLATFORM_CRYPTORANDOM="#define ISC_PLATFORM_CRYPTORANDOM \"$CRYPTOLIB\"" ++ ;; ++ no) ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 ++$as_echo "no" >&6; } ++ ISC_PLATFORM_CRYPTORANDOM="#undef ISC_PLATFORM_CRYPTORANDOM" ++ ;; ++esac ++ ++ + # + # was --with-lmdb specified? + # +@@ -19665,9 +19751,12 @@ _ACEOF + if ac_fn_c_try_compile "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: size_t for buflen; int for flags" >&5 + $as_echo "size_t for buflen; int for flags" >&6; } +- $as_echo "#define IRS_GETNAMEINFO_SOCKLEN_T size_t" >>confdefs.h ++ # Changed to solve multilib conflict on Fedora ++ # AC_DEFINE(IRS_GETNAMEINFO_SOCKLEN_T, size_t) ++ # AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, size_t) ++ $as_echo "#define IRS_GETNAMEINFO_SOCKLEN_T socklen_t" >>confdefs.h + +- $as_echo "#define IRS_GETNAMEINFO_BUFLEN_T size_t" >>confdefs.h ++ $as_echo "#define IRS_GETNAMEINFO_BUFLEN_T socklen_t" >>confdefs.h + + $as_echo "#define IRS_GETNAMEINFO_FLAGS_T int" >>confdefs.h + +@@ -21032,12 +21121,7 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM" + ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM" + ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM" + if test "yes" = "$use_atomic"; then +- have_atomic=yes # set default +- case "$host" in +- i[3456]86-*) +- # XXX: some old x86 architectures actually do not support +- # (some of) these operations. Do we need stricter checks? +- # The cast to long int works around a bug in the HP C Compiler ++ # The cast to long int works around a bug in the HP C Compiler + # version HP92453-01 B.11.11.23709.GP, which incorrectly rejects + # declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. + # This bug is HP SR number 8606223364. +@@ -21070,6 +21154,11 @@ cat >>confdefs.h <<_ACEOF + _ACEOF + + ++ have_atomic=yes # set default ++ case "$host" in ++ i[3456]86-*) ++ # XXX: some old x86 architectures actually do not support ++ # (some of) these operations. Do we need stricter checks? + if test $ac_cv_sizeof_void_p = 8; then + arch=x86_64 + have_xaddq=yes +@@ -21078,39 +21167,6 @@ _ACEOF + fi + ;; + x86_64-*|amd64-*) +- # The cast to long int works around a bug in the HP C Compiler +-# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects +-# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. +-# This bug is HP SR number 8606223364. +-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of void *" >&5 +-$as_echo_n "checking size of void *... " >&6; } +-if ${ac_cv_sizeof_void_p+:} false; then : +- $as_echo_n "(cached) " >&6 +-else +- if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (void *))" "ac_cv_sizeof_void_p" "$ac_includes_default"; then : +- +-else +- if test "$ac_cv_type_void_p" = yes; then +- { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +-$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +-as_fn_error 77 "cannot compute sizeof (void *) +-See \`config.log' for more details" "$LINENO" 5; } +- else +- ac_cv_sizeof_void_p=0 +- fi +-fi +- +-fi +-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_void_p" >&5 +-$as_echo "$ac_cv_sizeof_void_p" >&6; } +- +- +- +-cat >>confdefs.h <<_ACEOF +-#define SIZEOF_VOID_P $ac_cv_sizeof_void_p +-_ACEOF +- +- + if test $ac_cv_sizeof_void_p = 8; then + arch=x86_64 + have_xaddq=yes +@@ -21141,6 +21197,10 @@ $as_echo_n "checking architecture type for atomic operations... " >&6; } + $as_echo "$arch" >&6; } + fi + ++if test ! "$arch" = "x86_64" -a "$have_xaddq" = "yes"; then ++ as_fn_error $? "XADDQ present but disabled by Fedora patch!" "$LINENO" 5 ++fi ++ + if test "yes" = "$have_atomic"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking compiler support for inline assembly code" >&5 + $as_echo_n "checking compiler support for inline assembly code... " >&6; } +@@ -23428,6 +23488,30 @@ CFLAGS="$CFLAGS $SO_CFLAGS" + # + dlzdir='${DLZ_DRIVER_DIR}' + ++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for target libdir" >&5 ++$as_echo_n "checking for target libdir... " >&6; } ++if test "$cross_compiling" = yes; then : ++ { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 ++$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} ++as_fn_error $? "cannot run test program while cross compiling ++See \`config.log' for more details" "$LINENO" 5; } ++else ++ cat confdefs.h - <<_ACEOF >conftest.$ac_ext ++/* end confdefs.h. */ ++int main(void) {exit((sizeof(void *) == 8) ? 0 : 1);} ++_ACEOF ++if ac_fn_c_try_run "$LINENO"; then : ++ target_lib=lib64 ++else ++ target_lib=lib ++fi ++rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ ++ conftest.$ac_objext conftest.beam conftest.$ac_ext ++fi ++ ++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: \"$target_lib\"" >&5 ++$as_echo "\"$target_lib\"" >&6; } ++ + # + # Private autoconf macro to simplify configuring drivers: + # +@@ -23758,11 +23842,11 @@ $as_echo "no" >&6; } + $as_echo "using mysql with libs ${mysql_lib} and includes ${mysql_include}" >&6; } + ;; + *) +- if test -d "$use_dlz_mysql/lib/mysql" ++ if test -d $use_dlz_mysql/${target_lib}/mysql + then +- mysql_lib="$use_dlz_mysql/lib/mysql" ++ mysql_lib=$use_dlz_mysql/${target_lib}/mysql + else +- mysql_lib="$use_dlz_mysql/lib" ++ mysql_lib=$use_dlz_mysql/${target_lib} + fi + + CONTRIB_DLZ="$CONTRIB_DLZ -DDLZ_MYSQL" +@@ -23847,7 +23931,7 @@ $as_echo "" >&6; } + # Check other locations for includes. + # Order is important (sigh). + +- bdb_incdirs="/db53 /db51 /db48 /db47 /db46 /db45 /db44 /db43 /db42 /db41 /db4 /db" ++ bdb_incdirs="/db53 /db51 /db48 /db47 /db46 /db45 /db44 /db43 /db42 /db41 /db4 /libdb /db" + # include a blank element first + for d in "" $bdb_incdirs + do +@@ -23872,57 +23956,9 @@ $as_echo "" >&6; } + bdb_libnames="db53 db-5.3 db51 db-5.1 db48 db-4.8 db47 db-4.7 db46 db-4.6 db45 db-4.5 db44 db-4.4 db43 db-4.3 db42 db-4.2 db41 db-4.1 db" + for d in $bdb_libnames + do +- if test "$dd" = "/usr" ++ if test -f "$dd/${target_lib}/lib${d}.so" + then +- as_ac_Lib=`$as_echo "ac_cv_lib_$d''_db_create" | $as_tr_sh` +-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for db_create in -l$d" >&5 +-$as_echo_n "checking for db_create in -l$d... " >&6; } +-if eval \${$as_ac_Lib+:} false; then : +- $as_echo_n "(cached) " >&6 +-else +- ac_check_lib_save_LIBS=$LIBS +-LIBS="-l$d $LIBS" +-cat confdefs.h - <<_ACEOF >conftest.$ac_ext +-/* end confdefs.h. */ +- +-/* Override any GCC internal prototype to avoid an error. +- Use char because int might match the return type of a GCC +- builtin and then its argument prototype would still apply. */ +-#ifdef __cplusplus +-extern "C" +-#endif +-char db_create (); +-int +-main () +-{ +-return db_create (); +- ; +- return 0; +-} +-_ACEOF +-if ac_fn_c_try_link "$LINENO"; then : +- eval "$as_ac_Lib=yes" +-else +- eval "$as_ac_Lib=no" +-fi +-rm -f core conftest.err conftest.$ac_objext \ +- conftest$ac_exeext conftest.$ac_ext +-LIBS=$ac_check_lib_save_LIBS +-fi +-eval ac_res=\$$as_ac_Lib +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 +-$as_echo "$ac_res" >&6; } +-if eval test \"x\$"$as_ac_Lib"\" = x"yes"; then : +- dlz_bdb_libs="-l${d}" +-fi +- +- if test $dlz_bdb_libs != "yes" +- then +- break +- fi +- elif test -f "$dd/lib/lib${d}.so" +- then +- dlz_bdb_libs="-L${dd}/lib -l${d}" ++ dlz_bdb_libs="-L${dd}/${target_lib}/libdb -l${d}" + break + fi + done +@@ -24081,10 +24117,10 @@ $as_echo "no" >&6; } + DLZ_DRIVER_INCLUDES="$DLZ_DRIVER_INCLUDES -I$use_dlz_ldap/include" + DLZ_DRIVER_LDAP_INCLUDES="-I$use_dlz_ldap/include" + fi +- if test -n "-L$use_dlz_ldap/lib -lldap -llber" ++ if test -n "-L$use_dlz_ldap/${target_lib} -lldap -llber" + then +- DLZ_DRIVER_LIBS="$DLZ_DRIVER_LIBS -L$use_dlz_ldap/lib -lldap -llber" +- DLZ_DRIVER_LDAP_LIBS="-L$use_dlz_ldap/lib -lldap -llber" ++ DLZ_DRIVER_LIBS="$DLZ_DRIVER_LIBS -L$use_dlz_ldap/${target_lib} -lldap -llber" ++ DLZ_DRIVER_LDAP_LIBS="-L$use_dlz_ldap/${target_lib} -lldap -llber" + fi + + +@@ -24170,11 +24206,11 @@ fi + odbcdirs="/usr /usr/local /usr/pkg" + for d in $odbcdirs + do +- if test -f $d/include/sql.h -a -f $d/lib/libodbc.a ++ if test -f $d/include/sql.h -a -f $d/${target_lib}/libodbc.a + then + use_dlz_odbc=$d + dlz_odbc_include="-I$use_dlz_odbc/include" +- dlz_odbc_libs="-L$use_dlz_odbc/lib -lodbc" ++ dlz_odbc_libs="-L$use_dlz_odbc/${target_lib} -lodbc" + break + fi + done +@@ -24449,6 +24485,8 @@ DNS_CRYPTO_LIBS="$NEWFLAGS" + + + ++ ++ + # + # Commands to run at the end of config.status. + # Don't just put these into configure, it won't work right if somebody +@@ -26839,6 +26877,8 @@ report() { + echo " IPv6 support (--enable-ipv6)" + test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \ + echo " OpenSSL cryptography/DNSSEC (--with-openssl)" ++ test "no" = "$want_crypto_rand" || \ ++ echo " Crypto provider entropy source (--enable-crypto-rand)" + test "X$PYTHON" = "X" || echo " Python tools (--with-python)" + test "X$XMLSTATS" = "X" || echo " XML statistics (--with-libxml2)" + test "X$JSONSTATS" = "X" || echo " JSON statistics (--with-libjson)" +@@ -26879,6 +26919,8 @@ report() { + echo " Very verbose query trace logging (--enable-querytrace)" + test "no" = "$atf" || echo " Automated Testing Framework (--with-atf)" + ++ echo " Cryptographic library for DNSSEC: $CRYPTOLIB" ++ + echo " Dynamically loadable zone (DLZ) drivers:" + test "no" = "$use_dlz_bdb" || \ + echo " Berkeley DB (--with-dlz-bdb)" +@@ -26926,6 +26968,8 @@ report() { + echo " ECDSA algorithm support (--with-ecdsa)" + test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \ + echo " EDDSA algorithm support (--with-eddsa)" ++ test "yes" = "$want_crypto_rand" || \ ++ echo " Crypto provider entropy source (--enable-crypto-rand)" + + test "yes" = "$enable_seccomp" || \ + echo " Use libseccomp system call filtering (--enable-seccomp)" +diff --git a/configure.in b/configure.in +index 9a1d16d..849fa94 100644 +--- a/configure.in ++++ b/configure.in +@@ -1597,6 +1597,7 @@ case "$use_openssl" in + AC_MSG_RESULT(disabled because of native PKCS11) + DST_OPENSSL_INC="" + CRYPTO="-DPKCS11CRYPTO" ++ CRYPTOLIB="pkcs11" + OPENSSLECDSALINKOBJS="" + OPENSSLECDSALINKSRCS="" + OPENSSLEDDSALINKOBJS="" +@@ -1610,6 +1611,7 @@ case "$use_openssl" in + AC_MSG_RESULT(no) + DST_OPENSSL_INC="" + CRYPTO="" ++ CRYPTOLIB="" + OPENSSLECDSALINKOBJS="" + OPENSSLECDSALINKSRCS="" + OPENSSLEDDSALINKOBJS="" +@@ -1622,6 +1624,7 @@ case "$use_openssl" in + auto) + DST_OPENSSL_INC="" + CRYPTO="" ++ CRYPTOLIB="" + OPENSSLECDSALINKOBJS="" + OPENSSLECDSALINKSRCS="" + OPENSSLEDDSALINKOBJS="" +@@ -1632,7 +1635,7 @@ case "$use_openssl" in + OPENSSLLINKSRCS="" + AC_MSG_ERROR( + [OpenSSL was not found in any of $openssldirs; use --with-openssl=/path +-If you don't want OpenSSL, use --without-openssl]) ++If you do not want OpenSSL, use --without-openssl]) + ;; + *) + if test "yes" = "$want_native_pkcs11" +@@ -1662,6 +1665,7 @@ If you don't want OpenSSL, use --without-openssl]) + AC_MSG_ERROR(["$use_openssl/include/openssl/opensslv.h" not found]) + fi + CRYPTO='-DOPENSSL' ++ CRYPTOLIB="openssl" + if test "/usr" = "$use_openssl" + then + DST_OPENSSL_INC="" +@@ -2135,7 +2139,6 @@ fi + # Use OpenSSL for hash functions + # + +-AC_MSG_CHECKING(for using OpenSSL for hash functions) + ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH" + case $want_openssl_hash in + yes) +@@ -2402,6 +2405,67 @@ if test "rt" = "$have_clock_gt"; then + LIBS="-lrt $LIBS" + fi + ++# ++# Use the crypto provider (OpenSSL/PKCS#11) for random functions ++# ++ ++AC_MSG_CHECKING(for using the crypto library (vs. builtin) for random functions) ++AC_ARG_ENABLE(crypto-rand, ++ [ --enable-crypto-rand use the crypto provider for random [[default=yes]]], ++ want_crypto_rand="$enableval", want_crypto_rand="auto") ++if test "$want_crypto_rand" = "auto" ++then ++ case "$CRYPTOLIB" in ++ "") ++ want_crypto_rand="no" ++ ;; ++ pkcs11) ++ want_crypto_rand="yes" ++ ;; ++ openssl) ++ saved_cflags="$CFLAGS" ++ saved_libs="$LIBS" ++ CFLAGS="$CFLAGS $DST_OPENSSL_INC" ++ LIBS="$LIBS $DST_OPENSSL_LIBS" ++ AC_TRY_RUN([ ++#include ++ ++unsigned char buf[128]; ++ ++int main() ++{ ++ if (RAND_bytes(buf, 128) != 1) ++ return (1); ++ return (0); ++} ++], ++ [want_crypto_rand="yes"], ++ [want_crypto_rand="no"], ++ [want_crypto_rand="yes"]) ++ CFLAGS="$saved_cflags" ++ LIBS="$saved_libs" ++ ;; ++ *) ++ AC_MSG_ERROR([Unknown crypto library define $CRYPTOLIB]) ++ ;; ++ esac ++fi ++case $want_crypto_rand in ++ yes) ++ if test "$CRYPTOLIB" = "" ++ then ++ AC_MSG_ERROR([No crypto library for random functions]) ++ fi ++ AC_MSG_RESULT(["$CRYPTOLIB"]) ++ ISC_PLATFORM_CRYPTORANDOM="#define ISC_PLATFORM_CRYPTORANDOM \"$CRYPTOLIB\"" ++ ;; ++ no) ++ AC_MSG_RESULT(no) ++ ISC_PLATFORM_CRYPTORANDOM="#undef ISC_PLATFORM_CRYPTORANDOM" ++ ;; ++esac ++AC_SUBST(ISC_PLATFORM_CRYPTORANDOM) ++ + # + # was --with-lmdb specified? + # +@@ -4235,12 +4299,12 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM" + ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM" + ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM" + if test "yes" = "$use_atomic"; then ++ AC_CHECK_SIZEOF([void *]) + have_atomic=yes # set default + case "$host" in + [i[3456]86-*]) + # XXX: some old x86 architectures actually do not support + # (some of) these operations. Do we need stricter checks? +- AC_CHECK_SIZEOF([void *]) + if test $ac_cv_sizeof_void_p = 8; then + arch=x86_64 + have_xaddq=yes +@@ -4249,7 +4313,6 @@ if test "yes" = "$use_atomic"; then + fi + ;; + x86_64-*|amd64-*) +- AC_CHECK_SIZEOF([void *]) + if test $ac_cv_sizeof_void_p = 8; then + arch=x86_64 + have_xaddq=yes +@@ -5613,6 +5676,8 @@ report() { + echo " IPv6 support (--enable-ipv6)" + test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \ + echo " OpenSSL cryptography/DNSSEC (--with-openssl)" ++ test "no" = "$want_crypto_rand" || \ ++ echo " Crypto provider entropy source (--enable-crypto-rand)" + test "X$PYTHON" = "X" || echo " Python tools (--with-python)" + test "X$XMLSTATS" = "X" || echo " XML statistics (--with-libxml2)" + test "X$JSONSTATS" = "X" || echo " JSON statistics (--with-libjson)" +@@ -5653,6 +5718,8 @@ report() { + echo " Very verbose query trace logging (--enable-querytrace)" + test "no" = "$atf" || echo " Automated Testing Framework (--with-atf)" + ++ echo " Cryptographic library for DNSSEC: $CRYPTOLIB" ++ + echo " Dynamically loadable zone (DLZ) drivers:" + test "no" = "$use_dlz_bdb" || \ + echo " Berkeley DB (--with-dlz-bdb)" +@@ -5700,6 +5767,8 @@ report() { + echo " ECDSA algorithm support (--with-ecdsa)" + test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \ + echo " EDDSA algorithm support (--with-eddsa)" ++ test "yes" = "$want_crypto_rand" || \ ++ echo " Crypto provider entropy source (--enable-crypto-rand)" + + test "yes" = "$enable_seccomp" || \ + echo " Use libseccomp system call filtering (--enable-seccomp)" +diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c +index dbece0a..803e7b3 100644 +--- a/lib/dns/dst_api.c ++++ b/lib/dns/dst_api.c +@@ -274,6 +274,12 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx, + #ifdef GSSAPI + RETERR(dst__gssapi_init(&dst_t_func[DST_ALG_GSSAPI])); + #endif ++#if defined(OPENSSL) || defined(PKCS11CRYPTO) ++#ifdef ISC_PLATFORM_CRYPTORANDOM ++ if (dst_entropy_pool != NULL) ++ isc_entropy_sethook(dst_random_getdata); ++#endif ++#endif /* defined(OPENSSL) || defined(PKCS11CRYPTO) */ + dst_initialized = ISC_TRUE; + return (ISC_R_SUCCESS); + +@@ -293,11 +299,19 @@ dst_lib_destroy(void) { + for (i = 0; i < DST_MAX_ALGS; i++) + if (dst_t_func[i] != NULL && dst_t_func[i]->cleanup != NULL) + dst_t_func[i]->cleanup(); ++#if defined(OPENSSL) || defined(PKCS11CRYPTO) ++#ifdef ISC_PLATFORM_CRYPTORANDOM ++ if (dst_entropy_pool != NULL) { ++ isc_entropy_usehook(dst_entropy_pool, ISC_FALSE); ++ isc_entropy_sethook(NULL); ++ } ++#endif + #ifdef OPENSSL + dst__openssl_destroy(); + #elif PKCS11CRYPTO + (void) dst__pkcs11_destroy(); + #endif /* if OPENSSL, elif PKCS11CRYPTO */ ++#endif /* defined(OPENSSL) || defined(PKCS11CRYPTO) */ + if (dst__memory_pool != NULL) + isc_mem_detach(&dst__memory_pool); + if (dst_entropy_pool != NULL) +@@ -2000,13 +2014,17 @@ dst__entropy_getdata(void *buf, unsigned int len, isc_boolean_t pseudo) { + flags &= ~ISC_ENTROPY_GOODONLY; + else + flags |= ISC_ENTROPY_BLOCKING; ++#ifdef ISC_PLATFORM_CRYPTORANDOM ++ return (dst_random_getdata(buf, len, NULL, flags)); ++#else + return (isc_entropy_getdata(dst_entropy_pool, buf, len, NULL, flags)); ++#endif + #endif /* PKCS11CRYPTO */ + } + + unsigned int + dst__entropy_status(void) { +-#ifndef PKCS11CRYPTO ++#if !defined(PKCS11CRYPTO) && !defined(ISC_PLATFORM_CRYPTORANDOM) + #ifdef GSSAPI + unsigned int flags = dst_entropy_flags; + isc_result_t ret; +@@ -2029,6 +2047,7 @@ dst__entropy_status(void) { + #endif + return (isc_entropy_status(dst_entropy_pool)); + #else ++ /* Doesn't matter as it is not used in this case. */ + return (0); + #endif + } +diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h +index fcc7b47..d9b6ab6 100644 +--- a/lib/dns/include/dst/dst.h ++++ b/lib/dns/include/dst/dst.h +@@ -157,6 +157,14 @@ dst_lib_destroy(void); + * Releases all resources allocated by DST. + */ + ++isc_result_t ++dst_random_getdata(void *data, unsigned int length, ++ unsigned int *returned, unsigned int flags); ++/*%< ++ * \brief Return data from the crypto random generator. ++ * Specialization of isc_entropy_getdata(). ++ */ ++ + isc_boolean_t + dst_algorithm_supported(unsigned int alg); + /*%< +diff --git a/lib/dns/lib.c b/lib/dns/lib.c +index 53237d5..c6d83e9 100644 +--- a/lib/dns/lib.c ++++ b/lib/dns/lib.c +@@ -9,14 +9,13 @@ + * information regarding copyright ownership. + */ + +-/* $Id: lib.c,v 1.19 2009/09/03 00:12:23 each Exp $ */ +- + /*! \file */ + + #include + + #include + ++#include + #include + #include + #include +@@ -77,6 +76,7 @@ static unsigned int references = 0; + static void + initialize(void) { + isc_result_t result; ++ isc_entropy_t *ectx = NULL; + + REQUIRE(initialize_done == ISC_FALSE); + +@@ -87,11 +87,14 @@ initialize(void) { + result = dns_ecdb_register(dns_g_mctx, &dbimp); + if (result != ISC_R_SUCCESS) + goto cleanup_mctx; +- result = isc_hash_create(dns_g_mctx, NULL, DNS_NAME_MAXWIRE); ++ result = isc_entropy_create(dns_g_mctx, &ectx); + if (result != ISC_R_SUCCESS) + goto cleanup_db; ++ result = isc_hash_create(dns_g_mctx, NULL, DNS_NAME_MAXWIRE); ++ if (result != ISC_R_SUCCESS) ++ goto cleanup_ectx; + +- result = dst_lib_init(dns_g_mctx, NULL, 0); ++ result = dst_lib_init(dns_g_mctx, ectx, 0); + if (result != ISC_R_SUCCESS) + goto cleanup_hash; + +@@ -99,11 +102,17 @@ initialize(void) { + if (result != ISC_R_SUCCESS) + goto cleanup_dst; + ++ isc_hash_init(); ++ isc_entropy_detach(&ectx); ++ + initialize_done = ISC_TRUE; + return; + + cleanup_dst: + dst_lib_destroy(); ++ cleanup_ectx: ++ if (ectx != NULL) ++ isc_entropy_detach(&ectx); + cleanup_hash: + isc_hash_destroy(); + cleanup_db: +diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c +index ec6dc7f..c1e1bde 100644 +--- a/lib/dns/openssl_link.c ++++ b/lib/dns/openssl_link.c +@@ -31,6 +31,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -46,8 +47,6 @@ + #include + #endif + +-static RAND_METHOD *rm = NULL; +- + #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) + static isc_mutex_t *locks = NULL; + static int nlocks; +@@ -57,6 +56,9 @@ static int nlocks; + static ENGINE *e = NULL; + #endif + ++#ifndef ISC_PLATFORM_CRYPTORANDOM ++static RAND_METHOD *rm = NULL; ++ + static int + entropy_get(unsigned char *buf, int num) { + isc_result_t result; +@@ -102,6 +104,7 @@ entropy_add(const void *buf, int num, double entropy) { + return (1); + } + #endif ++#endif /* !ISC_PLATFORM_CRYPTORANDOM */ + + #if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) + static void +@@ -190,7 +193,7 @@ _set_thread_id(CRYPTO_THREADID *id) + isc_result_t + dst__openssl_init(const char *engine) { + isc_result_t result; +-#if !defined(OPENSSL_NO_ENGINE) ++#if !defined(OPENSSL_NO_ENGINE) && !defined(ISC_PLATFORM_CRYPTORANDOM) + ENGINE *re; + #else + UNUSED(engine); +@@ -220,6 +223,7 @@ dst__openssl_init(const char *engine) { + ERR_load_crypto_strings(); + #endif + ++#ifndef ISC_PLATFORM_CRYPTORANDOM + rm = mem_alloc(sizeof(RAND_METHOD) FILELINE); + if (rm == NULL) { + result = ISC_R_NOMEMORY; +@@ -231,6 +235,7 @@ dst__openssl_init(const char *engine) { + rm->add = entropy_add; + rm->pseudorand = entropy_getpseudo; + rm->status = entropy_status; ++#endif + + #if !defined(OPENSSL_NO_ENGINE) + #if !defined(CONF_MFLAGS_DEFAULT_SECTION) +@@ -264,6 +269,7 @@ dst__openssl_init(const char *engine) { + } + } + ++#ifndef ISC_PLATFORM_CRYPTORANDOM + re = ENGINE_get_default_RAND(); + if (re == NULL) { + re = ENGINE_new(); +@@ -276,9 +282,21 @@ dst__openssl_init(const char *engine) { + ENGINE_free(re); + } else + ENGINE_finish(re); ++#endif + #else ++#ifndef ISC_PLATFORM_CRYPTORANDOM + RAND_set_rand_method(rm); ++#endif + #endif /* !defined(OPENSSL_NO_ENGINE) */ ++ ++ /* Protect ourselves against unseeded PRNG */ ++ if (RAND_status() != 1) { ++ FATAL_ERROR(__FILE__, __LINE__, ++ "OpenSSL pseudorandom number generator " ++ "cannot be initialized (see the `PRNG not " ++ "seeded' message in the OpenSSL FAQ)"); ++ } ++ + return (ISC_R_SUCCESS); + + #if !defined(OPENSSL_NO_ENGINE) +@@ -286,10 +304,14 @@ dst__openssl_init(const char *engine) { + if (e != NULL) + ENGINE_free(e); + e = NULL; ++#ifndef ISC_PLATFORM_CRYPTORANDOM + mem_free(rm FILELINE); + rm = NULL; + #endif ++#endif ++#ifndef ISC_PLATFORM_CRYPTORANDOM + cleanup_mutexinit: ++#endif + #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) + CRYPTO_set_locking_callback(NULL); + DESTROYMUTEXBLOCK(locks, nlocks); +@@ -304,14 +326,17 @@ void + dst__openssl_destroy(void) { + #if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100000L) + OPENSSL_cleanup(); ++#ifndef ISC_PLATFORM_CRYPTORANDOM + if (rm != NULL) { + mem_free(rm FILELINE); + rm = NULL; + } ++#endif + #else + /* + * Sequence taken from apps_shutdown() in . + */ ++#ifndef ISC_PLATFORM_CRYPTORANDOM + if (rm != NULL) { + #if OPENSSL_VERSION_NUMBER >= 0x00907000L + RAND_cleanup(); +@@ -319,6 +344,7 @@ dst__openssl_destroy(void) { + mem_free(rm FILELINE); + rm = NULL; + } ++#endif + #if (OPENSSL_VERSION_NUMBER >= 0x00907000L) + CONF_modules_free(); + #endif +@@ -454,11 +480,45 @@ dst__openssl_getengine(const char *engine) { + } + #endif + +-#else /* OPENSSL */ ++isc_result_t ++dst_random_getdata(void *data, unsigned int length, ++ unsigned int *returned, unsigned int flags) { ++#ifdef ISC_PLATFORM_CRYPTORANDOM ++#ifndef DONT_REQUIRE_DST_LIB_INIT ++ INSIST(dst__memory_pool != NULL); ++#endif ++ REQUIRE(data != NULL); ++ REQUIRE(length > 0); + +-#include ++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) ++ if ((flags & ISC_ENTROPY_GOODONLY) == 0) { ++ if (RAND_pseudo_bytes((unsigned char *)data, (int)length) < 0) ++ return (dst__openssl_toresult2("RAND_pseudo_bytes", ++ DST_R_OPENSSLFAILURE)); ++ } else { ++ if (RAND_bytes((unsigned char *)data, (int)length) != 1) ++ return (dst__openssl_toresult2("RAND_bytes", ++ DST_R_OPENSSLFAILURE)); ++ } ++#else ++ UNUSED(flags); + +-EMPTY_TRANSLATION_UNIT ++ if (RAND_bytes((unsigned char *)data, (int)length) != 1) ++ return (dst__openssl_toresult2("RAND_bytes", ++ DST_R_OPENSSLFAILURE)); ++#endif ++ if (returned != NULL) ++ *returned = length; ++ return (ISC_R_SUCCESS); ++#else ++ UNUSED(data); ++ UNUSED(length); ++ UNUSED(returned); ++ UNUSED(flags); ++ ++ return (ISC_R_NOTIMPLEMENTED); ++#endif ++} + + #endif /* OPENSSL */ + /*! \file */ +diff --git a/lib/dns/pkcs11.c b/lib/dns/pkcs11.c +index 5a2c502..8eaef53 100644 +--- a/lib/dns/pkcs11.c ++++ b/lib/dns/pkcs11.c +@@ -13,12 +13,15 @@ + + #include + ++#include ++ + #include + #include + + #include + #include + ++#include "dst_internal.h" + #include "dst_pkcs11.h" + + isc_result_t +@@ -34,12 +37,32 @@ dst__pkcs11_toresult(const char *funcname, const char *file, int line, + return (fallback); + } + ++isc_result_t ++dst_random_getdata(void *data, unsigned int length, ++ unsigned int *returned, unsigned int flags) { ++#ifdef ISC_PLATFORM_CRYPTORANDOM ++ isc_result_t ret; + +-#else /* PKCS11CRYPTO */ ++#ifndef DONT_REQUIRE_DST_LIB_INIT ++ INSIST(dst__memory_pool != NULL); ++#endif ++ REQUIRE(data != NULL); ++ REQUIRE(length > 0); ++ UNUSED(flags); + +-#include ++ ret = pk11_rand_bytes(data, (int) length); ++ if ((ret == ISC_R_SUCCESS) && (returned != NULL)) ++ *returned = length; ++ return (ret); ++#else ++ UNUSED(data); ++ UNUSED(length); ++ UNUSED(returned); ++ UNUSED(flags); + +-EMPTY_TRANSLATION_UNIT ++ return (ISC_R_NOTIMPLEMENTED); ++#endif ++} + + #endif /* PKCS11CRYPTO */ + /*! \file */ +diff --git a/lib/dns/tests/Atffile b/lib/dns/tests/Atffile +index 953082d..603c4b5 100644 +--- a/lib/dns/tests/Atffile ++++ b/lib/dns/tests/Atffile +@@ -10,6 +10,7 @@ tp: dbversion_test + tp: dh_test + tp: dispatch_test + tp: dnstap_test ++tp: dstrandom_test + tp: dst_test + tp: geoip_test + tp: gost_test +diff --git a/lib/dns/tests/Kyuafile b/lib/dns/tests/Kyuafile +index 0353a73..cb2324d 100644 +--- a/lib/dns/tests/Kyuafile ++++ b/lib/dns/tests/Kyuafile +@@ -10,6 +10,7 @@ atf_test_program{name='dh_test'} + atf_test_program{name='dispatch_test'} + atf_test_program{name='dnstap_test'} + atf_test_program{name='dst_test'} ++atf_test_program{name='dstrandom_test'} + atf_test_program{name='geoip_test'} + atf_test_program{name='gost_test'} + atf_test_program{name='keytable_test'} +diff --git a/lib/dns/tests/Makefile.in b/lib/dns/tests/Makefile.in +index 58fa872..625e809 100644 +--- a/lib/dns/tests/Makefile.in ++++ b/lib/dns/tests/Makefile.in +@@ -40,6 +40,7 @@ SRCS = acl_test.c \ + dnstap_test.c \ + dst_test.c \ + dnstest.c \ ++ dstrandom_test.c \ + geoip_test.c \ + gost_test.c \ + keytable_test.c \ +@@ -71,6 +72,7 @@ TARGETS = acl_test@EXEEXT@ \ + dh_test@EXEEXT@ \ + dispatch_test@EXEEXT@ \ + dnstap_test@EXEEXT@ \ ++ dstrandom_test@EXEEXT@ \ + dst_test@EXEEXT@ \ + geoip_test@EXEEXT@ \ + gost_test@EXEEXT@ \ +@@ -255,6 +257,11 @@ tsig_test@EXEEXT@: tsig_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} + tsig_test.@O@ dnstest.@O@ ${DNSLIBS} \ + ${ISCLIBS} ${LIBS} + ++dstrandom_test@EXEEXT@: dstrandom_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} ++ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \ ++ dstrandom_test.@O@ ${DNSLIBS} \ ++ ${ISCLIBS} ${ISCPK11LIBS} ${LIBS} ++ + unit:: + sh ${top_builddir}/unit/unittest.sh + +diff --git a/lib/dns/tests/dnstest.c b/lib/dns/tests/dnstest.c +index fb9ef53..344a7c2 100644 +--- a/lib/dns/tests/dnstest.c ++++ b/lib/dns/tests/dnstest.c +@@ -120,12 +120,12 @@ dns_test_begin(FILE *logfile, isc_boolean_t start_managers) { + CHECK(isc_mem_create(0, 0, &mctx)); + CHECK(isc_entropy_create(mctx, &ectx)); + +- CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)); +- hash_active = ISC_TRUE; +- + CHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_BLOCKING)); + dst_active = ISC_TRUE; + ++ CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)); ++ hash_active = ISC_TRUE; ++ + if (logfile != NULL) { + isc_logdestination_t destination; + isc_logconfig_t *logconfig = NULL; +@@ -169,14 +169,14 @@ dns_test_begin(FILE *logfile, isc_boolean_t start_managers) { + + void + dns_test_end(void) { +- if (dst_active) { +- dst_lib_destroy(); +- dst_active = ISC_FALSE; +- } + if (hash_active) { + isc_hash_destroy(); + hash_active = ISC_FALSE; + } ++ if (dst_active) { ++ dst_lib_destroy(); ++ dst_active = ISC_FALSE; ++ } + if (ectx != NULL) + isc_entropy_detach(&ectx); + +diff --git a/lib/dns/tests/dstrandom_test.c b/lib/dns/tests/dstrandom_test.c +new file mode 100644 +index 0000000..d2c72e7 +--- /dev/null ++++ b/lib/dns/tests/dstrandom_test.c +@@ -0,0 +1,105 @@ ++/* ++ * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") ++ * ++ * Permission to use, copy, modify, and/or distribute this software for any ++ * purpose with or without fee is hereby granted, provided that the above ++ * copyright notice and this permission notice appear in all copies. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH ++ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY ++ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, ++ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM ++ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE ++ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR ++ * PERFORMANCE OF THIS SOFTWARE. ++ */ ++ ++/* $Id$ */ ++ ++/*! \file */ ++ ++#include ++ ++#include ++ ++#include ++#include ++ ++#include ++#include ++#include ++#include ++ ++#include ++ ++isc_mem_t *mctx = NULL; ++isc_entropy_t *ectx = NULL; ++unsigned char buffer[128]; ++ ++ATF_TC(isc_entropy_getdata); ++ATF_TC_HEAD(isc_entropy_getdata, tc) { ++ atf_tc_set_md_var(tc, "descr", ++ "isc_entropy_getdata() examples"); ++ atf_tc_set_md_var(tc, "X-randomfile", ++ "testdata/dstrandom/random.data"); ++} ++ATF_TC_BODY(isc_entropy_getdata, tc) { ++ isc_result_t result; ++ unsigned int returned, status; ++ int ret; ++ const char *randomfile = atf_tc_get_md_var(tc, "X-randomfile"); ++ ++ isc_mem_debugging |= ISC_MEM_DEBUGRECORD; ++ result = isc_mem_create(0, 0, &mctx); ++ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); ++ result = isc_entropy_create(mctx, &ectx); ++ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); ++ result = dst_lib_init(mctx, ectx, 0); ++ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); ++ ++#ifdef ISC_PLATFORM_CRYPTORANDOM ++ isc_entropy_usehook(ectx, ISC_TRUE); ++ ++ returned = 0; ++ result = isc_entropy_getdata(ectx, buffer, sizeof(buffer), ++ &returned, 0); ++ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); ++ ATF_REQUIRE(returned == sizeof(buffer)); ++ ++ status = isc_entropy_status(ectx); ++ ATF_REQUIRE_EQ(status, 0); ++ ++ isc_entropy_usehook(ectx, ISC_FALSE); ++#endif ++ ++ ret = chdir(TESTS); ++ ATF_REQUIRE_EQ(ret, 0); ++ ++ result = isc_entropy_createfilesource(ectx, randomfile); ++ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); ++ ++ returned = 0; ++ result = isc_entropy_getdata(ectx, buffer, sizeof(buffer), ++ &returned, 0); ++ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); ++ ATF_REQUIRE(returned == sizeof(buffer)); ++ ++ status = isc_entropy_status(ectx); ++ ATF_REQUIRE(status > 0); ++ ++ dst_lib_destroy(); ++ isc_entropy_detach(&ectx); ++ ATF_REQUIRE(ectx == NULL); ++ isc_mem_destroy(&mctx); ++ ATF_REQUIRE(mctx == NULL); ++} ++ ++/* ++ * Main ++ */ ++ATF_TP_ADD_TCS(tp) { ++ ATF_TP_ADD_TC(tp, isc_entropy_getdata); ++ ++ return (atf_no_error()); ++} ++ +diff --git a/lib/dns/win32/libdns.def.in b/lib/dns/win32/libdns.def.in +index d48eeb2..213e9d9 100644 +--- a/lib/dns/win32/libdns.def.in ++++ b/lib/dns/win32/libdns.def.in +@@ -1480,6 +1480,13 @@ dst_lib_destroy + dst_lib_init + dst_lib_init2 + dst_lib_initmsgcat ++@IF PKCS11 ++dst_random_getdata ++@ELSE PKCS11 ++@IF OPENSSL ++dst_random_getdata ++@END OPENSSL ++@END PKCS11 + dst_region_computeid + dst_region_computerid + dst_result_register +diff --git a/lib/isc/entropy.c b/lib/isc/entropy.c +index 232094a..a85650b 100644 +--- a/lib/isc/entropy.c ++++ b/lib/isc/entropy.c +@@ -103,11 +103,15 @@ struct isc_entropy { + isc_uint32_t initialized; + isc_uint32_t initcount; + isc_entropypool_t pool; ++ isc_boolean_t usehook; + unsigned int nsources; + isc_entropysource_t *nextsource; + ISC_LIST(isc_entropysource_t) sources; + }; + ++/*% Global Hook */ ++static isc_entropy_getdata_t hook; ++ + /*% Sample Queue */ + typedef struct { + isc_uint32_t last_time; /*%< last time recorded */ +@@ -556,6 +560,11 @@ isc_entropy_getdata(isc_entropy_t *ent, void *data, unsigned int length, + + LOCK(&ent->lock); + ++ if (ent->usehook && (hook != NULL)) { ++ UNLOCK(&ent->lock); ++ return (hook(data, length, returned, flags)); ++ } ++ + remain = length; + buf = data; + total = 0; +@@ -707,6 +716,7 @@ isc_entropy_create(isc_mem_t *mctx, isc_entropy_t **entp) { + ent->refcnt = 1; + ent->initialized = 0; + ent->initcount = 0; ++ ent->usehook = ISC_FALSE; + ent->magic = ENTROPY_MAGIC; + + isc_entropypool_init(&ent->pool); +@@ -1286,3 +1296,17 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source, + */ + return (final_result); + } ++ ++void ++isc_entropy_usehook(isc_entropy_t *ectx, isc_boolean_t onoff) { ++ REQUIRE(VALID_ENTROPY(ectx)); ++ ++ LOCK(&ectx->lock); ++ ectx->usehook = onoff; ++ UNLOCK(&ectx->lock); ++} ++ ++void ++isc_entropy_sethook(isc_entropy_getdata_t myhook) { ++ hook = myhook; ++} +diff --git a/lib/isc/include/isc/entropy.h b/lib/isc/include/isc/entropy.h +index d52c43e..d9deb8a 100644 +--- a/lib/isc/include/isc/entropy.h ++++ b/lib/isc/include/isc/entropy.h +@@ -303,6 +303,18 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source, + * isc_entropy_createcallbacksource(). + */ + ++void ++isc_entropy_usehook(isc_entropy_t *ectx, isc_boolean_t onoff); ++/*!< ++ * \brief Mark/unmark the given entropy structure as being hooked. ++ */ ++ ++void ++isc_entropy_sethook(isc_entropy_getdata_t myhook); ++/*!< ++ * \brief Set the getdata hook (e.g., for a crypto random generator). ++ */ ++ + ISC_LANG_ENDDECLS + + #endif /* ISC_ENTROPY_H */ +diff --git a/lib/isc/include/isc/platform.h.in b/lib/isc/include/isc/platform.h.in +index d7a5bec..0166b79 100644 +--- a/lib/isc/include/isc/platform.h.in ++++ b/lib/isc/include/isc/platform.h.in +@@ -344,6 +344,11 @@ + */ + @ISC_PLATFORM_HAVESTRINGSH@ + ++/* ++ * Define if the random functions are provided by crypto. ++ */ ++@ISC_PLATFORM_CRYPTORANDOM@ ++ + /* + * Define if the hash functions must be provided by OpenSSL. + */ +diff --git a/lib/isc/include/isc/types.h b/lib/isc/include/isc/types.h +index f161faf..dec577e 100644 +--- a/lib/isc/include/isc/types.h ++++ b/lib/isc/include/isc/types.h +@@ -93,6 +93,8 @@ typedef struct isc_time isc_time_t; /*%< Time */ + typedef struct isc_timer isc_timer_t; /*%< Timer */ + typedef struct isc_timermgr isc_timermgr_t; /*%< Timer Manager */ + ++typedef isc_result_t (*isc_entropy_getdata_t)(void *, unsigned int, ++ unsigned int *, unsigned int); + typedef void (*isc_taskaction_t)(isc_task_t *, isc_event_t *); + typedef int (*isc_sockfdwatch_t)(isc_task_t *, isc_socket_t *, void *, int); + +diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c +index 48e1031..74566c9 100644 +--- a/lib/isc/pk11.c ++++ b/lib/isc/pk11.c +@@ -327,14 +327,16 @@ pk11_rand_seed_fromfile(const char *randomfile) { + ret = isc_stdio_open(randomfile, "r", &stream); + if (ret != ISC_R_SUCCESS) + goto cleanup; +- ret = isc_stdio_read(seed, 1, SEEDSIZE, stream, &cc); +- if (ret!= ISC_R_SUCCESS) +- goto cleanup; ++ while (ret == ISC_R_SUCCESS) { ++ ret = isc_stdio_read(seed, 1, SEEDSIZE, stream, &cc); ++ if ((ret != ISC_R_SUCCESS) && (ret != ISC_R_EOF)) ++ goto cleanup; ++ (void) pkcs_C_SeedRandom(ctx.session, seed, (CK_ULONG) cc); ++ } + ret = isc_stdio_close(stream); + stream = NULL; +- if (ret!= ISC_R_SUCCESS) ++ if (ret != ISC_R_SUCCESS) + goto cleanup; +- (void) pkcs_C_SeedRandom(ctx.session, seed, (CK_ULONG) cc); + + cleanup: + if (stream != NULL) +diff --git a/lib/isc/win32/include/isc/platform.h.in b/lib/isc/win32/include/isc/platform.h.in +index de6a434..2c32782 100644 +--- a/lib/isc/win32/include/isc/platform.h.in ++++ b/lib/isc/win32/include/isc/platform.h.in +@@ -74,6 +74,11 @@ + #define ISC_PLATFORM_NORETURN_PRE __declspec(noreturn) + #define ISC_PLATFORM_NORETURN_POST + ++/* ++ * Define if the random functions are provided by crypto. ++ */ ++@ISC_PLATFORM_CRYPTORANDOM@ ++ + /* + * Define if the hash functions must be provided by OpenSSL. + */ +diff --git a/win32utils/Configure b/win32utils/Configure +index e9f4680..79bb178 100644 +--- a/win32utils/Configure ++++ b/win32utils/Configure +@@ -381,6 +381,7 @@ my @substdefh = ("AES_CC", + my %configdefp; + + my @substdefp = ("ISC_PLATFORM_BUSYWAITNOP", ++ "ISC_PLATFORM_CRYPTORANDOM", + "ISC_PLATFORM_HAVEATOMICSTORE", + "ISC_PLATFORM_HAVEATOMICSTOREQ", + "ISC_PLATFORM_HAVECMPXCHG", +@@ -509,7 +510,8 @@ my @allcond = (@substcond, "NOTYET", "NOLONGER"); + + # enable-xxx/disable-xxx + +-my @enablelist = ("developer", ++my @enablelist = ("crypto-rand", ++ "developer", + "fixed-rrset", + "intrinsics", + "isc-spnego", +@@ -571,6 +573,7 @@ my @help = ( + "\nOptional Features:\n", + " enable-intrinsics enable instrinsic/atomic functions [default=yes]\n", + " enable-native-pkcs11 use native PKCS#11 for all crypto [default=no]\n", ++" enable-crypto-rand use crypto provider for random [default=yes]\n", + " enable-openssl-hash use OpenSSL for hash functions [default=yes]\n", + " enable-isc-spnego use SPNEGO from lib/dns [default=yes]\n", + " enable-filter-aaaa enable filtering of AAAA records [default=yes]\n", +@@ -614,7 +617,9 @@ my $want_clean = "no"; + my $want_unknown = "no"; + my $unknown_value; + my $enable_intrinsics = "yes"; ++my $cryptolib = ""; + my $enable_native_pkcs11 = "no"; ++my $enable_crypto_rand = "yes"; + my $enable_openssl_hash = "auto"; + my $enable_filter_aaaa = "yes"; + my $enable_isc_spnego = "yes"; +@@ -823,6 +828,10 @@ sub myenable { + if ($val =~ /^yes$/i) { + $enable_native_pkcs11 = "yes"; + } ++ } elsif ($key =~ /^crypto-rand$/i) { ++ if ($val =~ /^no$/i) { ++ $enable_crypto_rand = "no"; ++ } + } elsif ($key =~ /^openssl-hash$/i) { + if ($val =~ /^yes$/i) { + $enable_openssl_hash = "yes"; +@@ -1106,6 +1115,11 @@ if ($verbose) { + } else { + print "native-pkcs11: disabled\n"; + } ++ if ($enable_crypto_rand eq "yes") { ++ print "crypto-rand: enabled\n"; ++ } else { ++ print "crypto-rand: disabled\n"; ++ } + if ($enable_openssl_hash eq "yes") { + print "openssl-hash: enabled\n"; + } else { +@@ -1449,6 +1463,7 @@ if ($enable_intrinsics eq "yes") { + + # enable-native-pkcs11 + if ($enable_native_pkcs11 eq "yes") { ++ $cryptolib = "pkcs11"; + if ($use_openssl eq "auto") { + $use_openssl = "no"; + } +@@ -1658,6 +1673,7 @@ if ($use_openssl eq "yes") { + $openssl_dll = File::Spec->catdir($openssl_path, "@dirlist[0]"); + } + ++ $cryptolib = "openssl"; + $configcond{"OPENSSL"} = 1; + $configdefd{"CRYPTO"} = "OPENSSL"; + $configvar{"OPENSSL_PATH"} = "$openssl_path"; +@@ -2209,6 +2225,15 @@ if ($cookie_algorithm eq "sha1") { + die "Unrecognized cookie algorithm: $cookie_algorithm\n"; + } + ++# enable-crypto-rand ++if ($enable_crypto_rand eq "yes") { ++ if (($use_openssl eq "no") && ($enable_native_pkcs11 eq "no")) { ++ die "No crypto provider for random functions\n"; ++ } ++ $configdefp{"ISC_PLATFORM_CRYPTORANDOM"} = "\"$cryptolib\""; ++} ++print "Cryptographic library for DNSSEC: $cryptolib"; ++ + # enable-openssl-hash + if ($enable_openssl_hash eq "yes") { + if ($use_openssl eq "no") { +@@ -3531,6 +3556,7 @@ exit 0; + # --enable-developer partially supported + # --enable-newstats (9.9/9.9sub only) + # --enable-native-pkcs11 supported ++# --enable-crypto-rand supported + # --enable-openssl-version-check included without a way to disable it + # --enable-openssl-hash supported + # --enable-threads included without a way to disable it +@@ -3556,6 +3582,7 @@ exit 0; + # --with-gost supported + # --with-aes supported + # --with-cc-alg supported ++# --with-randomdev not supported on WIN32 (makes no sense) + # --with-geoip supported + # --with-gssapi supported with MIT (K)erberos (f)or (W)indows + # --with-lmdb no supported on WIN32 (port is not reliable) +-- +2.14.4 + diff --git a/SOURCES/bind-9.11-rt46047-2.patch b/SOURCES/bind-9.11-rt46047-2.patch new file mode 100644 index 0000000..f3b1710 --- /dev/null +++ b/SOURCES/bind-9.11-rt46047-2.patch @@ -0,0 +1,91 @@ +From c79ff443ba029eaf7da8781aef0b1ddbed467781 Mon Sep 17 00:00:00 2001 +From: Petr Mensik +Date: Fri, 14 Jun 2019 12:30:01 +0200 +Subject: [PATCH] Fix OpenSSL random generator warnings Squashed commit of the + following: + +commit 70492c6361e55309dae0e48ae031e295f0a46a5e +Author: Evan Hunt +Date: Sat Sep 16 21:01:06 2017 -0700 + + [master] silence compiler warning + + (cherry picked from commit 6e5ae91479408540f04337c9dc27c3f3fffae6c7) + +commit 4d8c2767b584d993eb898d2210c85ffce214d1dc +Author: Mark Andrews +Date: Fri Dec 22 08:48:38 2017 +1100 + + add POST(argc); + + (cherry picked from commit be5a0eaa7adafc454658e09672d865eb453baeab) + (cherry picked from commit 0163c3b8130cbed705c3267948ab49eebe26286d) + +commit c64b5b10a3a175482b89eddbe63d8b5107a2fbf3 +Author: Petr Mensik +Date: Thu Jun 13 22:23:14 2019 +0200 + + fixup! completed and corrected the crypto-random change +--- + bin/named/server.c | 3 +++ + bin/tests/system/tkey/keydelete.c | 1 + + lib/dns/tests/dstrandom_test.c | 3 +-- + 3 files changed, 5 insertions(+), 2 deletions(-) + +diff --git a/bin/named/server.c b/bin/named/server.c +index db0270900f..1afb461226 100644 +--- a/bin/named/server.c ++++ b/bin/named/server.c +@@ -8100,6 +8100,8 @@ load_configuration(const char *filename, ns_server_t *server, + } + #endif + } else { ++ result = isc_entropy_createfilesource(ns_g_entropy, ++ randomdev); + #ifdef PATH_RANDOMDEV + if (ns_g_fallbackentropy != NULL) { + level = ISC_LOG_INFO; +@@ -8893,6 +8895,7 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) { + server->in_roothints = NULL; + server->blackholeacl = NULL; + server->keepresporder = NULL; ++ server->rngctx = NULL; + + /* Must be first. */ + CHECKFATAL(dst_lib_init2(ns_g_mctx, ns_g_entropy, +diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c +index 3d5ac74486..55ebb66a60 100644 +--- a/bin/tests/system/tkey/keydelete.c ++++ b/bin/tests/system/tkey/keydelete.c +@@ -172,6 +172,7 @@ main(int argc, char **argv) { + randomfile = argv[2]; + argv += 2; + argc -= 2; ++ POST(argc); + } + keyname = argv[1]; + +diff --git a/lib/dns/tests/dstrandom_test.c b/lib/dns/tests/dstrandom_test.c +index d2c72e7685..56738d14a4 100644 +--- a/lib/dns/tests/dstrandom_test.c ++++ b/lib/dns/tests/dstrandom_test.c +@@ -14,8 +14,6 @@ + * PERFORMANCE OF THIS SOFTWARE. + */ + +-/* $Id$ */ +- + /*! \file */ + + #include +@@ -24,6 +22,7 @@ + + #include + #include ++#include + + #include + #include +-- +2.20.1 + diff --git a/SOURCES/bind-9.11-rt46047.patch b/SOURCES/bind-9.11-rt46047.patch new file mode 100644 index 0000000..2444cbd --- /dev/null +++ b/SOURCES/bind-9.11-rt46047.patch @@ -0,0 +1,764 @@ +From dc861636b6bcb4a028b2392347a57a61bb5ece6e Mon Sep 17 00:00:00 2001 +From: Evan Hunt +Date: Thu, 28 Sep 2017 10:09:22 -0700 +Subject: [PATCH] completed and corrected the crypto-random change + +4724. [func] By default, BIND now uses the random number + functions provided by the crypto library (i.e., + OpenSSL or a PKCS#11 provider) as a source of + randomness rather than /dev/random. This is + suitable for virtual machine environments + which have limited entropy pools and lack + hardware random number generators. + + This can be overridden by specifying another + entropy source via the "random-device" option + in named.conf, or via the -r command line option; + however, for functions requiring full cryptographic + strength, such as DNSSEC key generation, this + cannot be overridden. In particular, the -r + command line option no longer has any effect on + dnssec-keygen. + + This can be disabled by building with + "configure --disable-crypto-rand". + [RT #31459] [RT #46047] +--- + bin/confgen/keygen.c | 12 +++--- + bin/dnssec/dnssec-keygen.docbook | 24 +++++++---- + bin/dnssec/dnssectool.c | 12 +++--- + bin/named/client.c | 3 +- + bin/named/config.c | 4 +- + bin/named/controlconf.c | 19 +++++--- + bin/named/include/named/server.h | 2 + + bin/named/interfacemgr.c | 1 + + bin/named/query.c | 1 + + bin/named/server.c | 52 +++++++++++++--------- + bin/nsupdate/nsupdate.c | 4 +- + bin/tests/system/pipelined/pipequeries.c | 4 +- + bin/tests/system/tkey/keycreate.c | 4 +- + bin/tests/system/tkey/keydelete.c | 4 +- + doc/arm/Bv9ARM-book.xml | 55 +++++++++++++++++------- + doc/arm/notes.xml | 23 +++++++++- + lib/dns/dst_api.c | 7 ++- + lib/dns/include/dst/dst.h | 14 +++++- + lib/dns/openssl_link.c | 3 +- + lib/isc/include/isc/entropy.h | 50 +++++++++++++++------ + lib/isc/include/isc/random.h | 28 +++++++----- + lib/isccfg/namedconf.c | 2 +- + 22 files changed, 218 insertions(+), 110 deletions(-) + +diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c +index fa439cc..a7ad417 100644 +--- a/bin/confgen/keygen.c ++++ b/bin/confgen/keygen.c +@@ -161,17 +161,15 @@ generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg, + + DO("create entropy context", isc_entropy_create(mctx, &ectx)); + +- if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) { +- randomfile = NULL; +- open_keyboard = ISC_ENTROPY_KEYBOARDYES; +- } + #ifdef ISC_PLATFORM_CRYPTORANDOM +- if (randomfile != NULL && +- strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { +- randomfile = NULL; ++ if (randomfile == NULL) { + isc_entropy_usehook(ectx, ISC_TRUE); + } + #endif ++ if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) { ++ randomfile = NULL; ++ open_keyboard = ISC_ENTROPY_KEYBOARDYES; ++ } + DO("start entropy source", isc_entropy_usebestsource(ectx, + &entropy_source, + randomfile, +diff --git a/bin/dnssec/dnssec-keygen.docbook b/bin/dnssec/dnssec-keygen.docbook +index 96dfef6..1c84b06 100644 +--- a/bin/dnssec/dnssec-keygen.docbook ++++ b/bin/dnssec/dnssec-keygen.docbook +@@ -349,15 +349,23 @@ + -r randomdev + + +- Specifies the source of randomness. If the operating +- system does not provide a /dev/random +- or equivalent device, the default source of randomness +- is keyboard input. randomdev +- specifies ++ Specifies a source of randomness. Normally, when generating ++ DNSSEC keys, this option has no effect; the random number ++ generation function provided by the cryptographic library will ++ be used. ++ ++ ++ If that behavior is disabled at compile time, however, ++ the specified file will be used as entropy source ++ for key generation. randomdev is + the name of a character device or file containing random +- data to be used instead of the default. The special value +- keyboard indicates that keyboard +- input should be used. ++ data to be used. The special value keyboard ++ indicates that keyboard input should be used. ++ ++ ++ The default is /dev/random if the ++ operating system provides it or an equivalent device; ++ if not, the default source of randomness is keyboard input. + + + +diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c +index 4ea9eaf..5dd9475 100644 +--- a/bin/dnssec/dnssectool.c ++++ b/bin/dnssec/dnssectool.c +@@ -239,18 +239,16 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { + ISC_LIST_INIT(sources); + } + ++#ifdef ISC_PLATFORM_CRYPTORANDOM ++ if (randomfile == NULL) { ++ isc_entropy_usehook(*ectx, ISC_TRUE); ++ } ++#endif + if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) { + usekeyboard = ISC_ENTROPY_KEYBOARDYES; + randomfile = NULL; + } + +-#ifdef ISC_PLATFORM_CRYPTORANDOM +- if (randomfile != NULL && +- strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { +- randomfile = NULL; +- isc_entropy_usehook(*ectx, ISC_TRUE); +- } +-#endif + result = isc_entropy_usebestsource(*ectx, &source, randomfile, + usekeyboard); + +diff --git a/bin/named/client.c b/bin/named/client.c +index b7d8a98..56d475c 100644 +--- a/bin/named/client.c ++++ b/bin/named/client.c +@@ -1605,7 +1605,8 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message, + + isc_buffer_init(&buf, cookie, sizeof(cookie)); + isc_stdtime_get(&now); +- isc_random_get(&nonce); ++ nonce = ((isc_rng_random(ns_g_server->rngctx) << 16) | ++ isc_rng_random(ns_g_server->rngctx)); + + compute_cookie(client, now, nonce, ns_g_server->secret, &buf); + +diff --git a/bin/named/config.c b/bin/named/config.c +index c50f759..c1e72ef 100644 +--- a/bin/named/config.c ++++ b/bin/named/config.c +@@ -92,7 +92,9 @@ options {\n\ + # pid-file \"" NS_LOCALSTATEDIR "/run/named/named.pid\"; /* or /lwresd.pid */\n\ + port 53;\n\ + prefetch 2 9;\n" +-#ifdef PATH_RANDOMDEV ++#if defined(ISC_PLATFORM_CRYPTORANDOM) ++" random-device none;\n" ++#elif defined(PATH_RANDOMDEV) + " random-device \"" PATH_RANDOMDEV "\";\n" + #endif + " recursing-file \"named.recursing\";\n\ +diff --git a/bin/named/controlconf.c b/bin/named/controlconf.c +index 237e8dc..b905475 100644 +--- a/bin/named/controlconf.c ++++ b/bin/named/controlconf.c +@@ -322,9 +322,10 @@ log_invalid(isccc_ccmsg_t *ccmsg, isc_result_t result) { + + static void + control_recvmessage(isc_task_t *task, isc_event_t *event) { +- controlconnection_t *conn; +- controllistener_t *listener; +- controlkey_t *key; ++ controlconnection_t *conn = NULL; ++ controllistener_t *listener = NULL; ++ ns_server_t *server = NULL; ++ controlkey_t *key = NULL; + isccc_sexpr_t *request = NULL; + isccc_sexpr_t *response = NULL; + isc_uint32_t algorithm; +@@ -335,16 +336,17 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) { + isc_buffer_t *text; + isc_result_t result; + isc_result_t eresult; +- isccc_sexpr_t *_ctrl; ++ isccc_sexpr_t *_ctrl = NULL; + isccc_time_t sent; + isccc_time_t exp; + isc_uint32_t nonce; +- isccc_sexpr_t *data; ++ isccc_sexpr_t *data = NULL; + + REQUIRE(event->ev_type == ISCCC_EVENT_CCMSG); + + conn = event->ev_arg; + listener = conn->listener; ++ server = listener->controls->server; + algorithm = DST_ALG_UNKNOWN; + secret.rstart = NULL; + text = NULL; +@@ -455,8 +457,11 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) { + * Establish nonce. + */ + if (conn->nonce == 0) { +- while (conn->nonce == 0) +- isc_random_get(&conn->nonce); ++ while (conn->nonce == 0) { ++ isc_uint16_t r1 = isc_rng_random(server->rngctx); ++ isc_uint16_t r2 = isc_rng_random(server->rngctx); ++ conn->nonce = (r1 << 16) | r2; ++ } + eresult = ISC_R_SUCCESS; + } else + eresult = ns_control_docommand(request, listener->readonly, &text); +diff --git a/bin/named/include/named/server.h b/bin/named/include/named/server.h +index d8179a6..e03d24d 100644 +--- a/bin/named/include/named/server.h ++++ b/bin/named/include/named/server.h +@@ -17,6 +17,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -131,6 +132,7 @@ struct ns_server { + char * lockfile; + + isc_uint16_t transfer_tcp_message_size; ++ isc_rng_t * rngctx; + }; + + struct ns_altsecret { +diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c +index d8c7188..50f924e 100644 +--- a/bin/named/interfacemgr.c ++++ b/bin/named/interfacemgr.c +@@ -15,6 +15,7 @@ + + #include + #include ++#include + #include + #include + #include +diff --git a/bin/named/query.c b/bin/named/query.c +index accbf3b..d89622d 100644 +--- a/bin/named/query.c ++++ b/bin/named/query.c +@@ -18,6 +18,7 @@ + #include + #include + #include ++#include + #include + #include + #include +diff --git a/bin/named/server.c b/bin/named/server.c +index ca789e5..db02709 100644 +--- a/bin/named/server.c ++++ b/bin/named/server.c +@@ -8076,21 +8076,30 @@ load_configuration(const char *filename, ns_server_t *server, + * Open the source of entropy. + */ + if (first_time) { ++ const char *randomdev = NULL; ++ int level = ISC_LOG_ERROR; + obj = NULL; + result = ns_config_get(maps, "random-device", &obj); +- if (result != ISC_R_SUCCESS) { +- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, +- NS_LOGMODULE_SERVER, ISC_LOG_INFO, +- "no source of entropy found"); +- } else { +- const char *randomdev = cfg_obj_asstring(obj); ++ if (result == ISC_R_SUCCESS) { ++ if (!cfg_obj_isvoid(obj)) { ++ level = ISC_LOG_INFO; ++ randomdev = cfg_obj_asstring(obj); ++ } ++ } ++ if (randomdev == NULL) { + #ifdef ISC_PLATFORM_CRYPTORANDOM +- if (strcmp(randomdev, ISC_PLATFORM_CRYPTORANDOM) == 0) +- isc_entropy_usehook(ns_g_entropy, ISC_TRUE); ++ isc_entropy_usehook(ns_g_entropy, ISC_TRUE); + #else +- int level = ISC_LOG_ERROR; +- result = isc_entropy_createfilesource(ns_g_entropy, +- randomdev); ++ if ((obj != NULL) && !cfg_obj_isvoid(obj)) ++ level = ISC_LOG_INFO; ++ isc_log_write(named_g_lctx, NS_LOGCATEGORY_GENERAL, ++ NS_LOGMODULE_SERVER, level, ++ "no source of entropy found"); ++ if ((obj == NULL) || cfg_obj_isvoid(obj)) { ++ CHECK(ISC_R_FAILURE); ++ } ++#endif ++ } else { + #ifdef PATH_RANDOMDEV + if (ns_g_fallbackentropy != NULL) { + level = ISC_LOG_INFO; +@@ -8101,8 +8110,8 @@ load_configuration(const char *filename, ns_server_t *server, + NS_LOGCATEGORY_GENERAL, + NS_LOGMODULE_SERVER, + level, +- "could not open entropy source " +- "%s: %s", ++ "could not open " ++ "entropy source %s: %s", + randomdev, + isc_result_totext(result)); + } +@@ -8122,7 +8131,6 @@ load_configuration(const char *filename, ns_server_t *server, + } + isc_entropy_detach(&ns_g_fallbackentropy); + } +-#endif + #endif + } + } +@@ -8911,6 +8919,8 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) { + CHECKFATAL(dns_tkeyctx_create(ns_g_mctx, ns_g_entropy, + &server->tkeyctx), + "creating TKEY context"); ++ CHECKFATAL(isc_rng_create(ns_g_mctx, ns_g_entropy, &server->rngctx), ++ "creating random numbers context"); + + /* + * Setup the server task, which is responsible for coordinating +@@ -9117,7 +9127,8 @@ ns_server_destroy(ns_server_t **serverp) { + + if (server->zonemgr != NULL) + dns_zonemgr_detach(&server->zonemgr); +- ++ if (server->rngctx != NULL) ++ isc_rng_detach(&server->rngctx); + if (server->tkeyctx != NULL) + dns_tkeyctx_destroy(&server->tkeyctx); + +@@ -13018,10 +13029,10 @@ newzone_cfgctx_destroy(void **cfgp) { + + static isc_result_t + generate_salt(unsigned char *salt, size_t saltlen) { +- int i, n; ++ size_t i, n; + union { + unsigned char rnd[256]; +- isc_uint32_t rnd32[64]; ++ isc_uint16_t rnd16[128]; + } rnd; + unsigned char text[512 + 1]; + isc_region_t r; +@@ -13031,9 +13042,10 @@ generate_salt(unsigned char *salt, size_t saltlen) { + if (saltlen > 256U) + return (ISC_R_RANGE); + +- n = (int) (saltlen + sizeof(isc_uint32_t) - 1) / sizeof(isc_uint32_t); +- for (i = 0; i < n; i++) +- isc_random_get(&rnd.rnd32[i]); ++ n = (saltlen + sizeof(isc_uint16_t) - 1) / sizeof(isc_uint16_t); ++ for (i = 0; i < n; i++) { ++ rnd.rnd16[i] = isc_rng_random(ns_g_server->rngctx); ++ } + + memmove(salt, rnd.rnd, saltlen); + +diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c +index 46c7acf..a0d0278 100644 +--- a/bin/nsupdate/nsupdate.c ++++ b/bin/nsupdate/nsupdate.c +@@ -281,9 +281,7 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { + } + + #ifdef ISC_PLATFORM_CRYPTORANDOM +- if (randomfile != NULL && +- strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { +- randomfile = NULL; ++ if (randomfile == NULL) { + isc_entropy_usehook(*ectx, ISC_TRUE); + } + #endif +diff --git a/bin/tests/system/pipelined/pipequeries.c b/bin/tests/system/pipelined/pipequeries.c +index 810d99e..d7d10e2 100644 +--- a/bin/tests/system/pipelined/pipequeries.c ++++ b/bin/tests/system/pipelined/pipequeries.c +@@ -279,9 +279,7 @@ main(int argc, char *argv[]) { + ectx = NULL; + RUNCHECK(isc_entropy_create(mctx, &ectx)); + #ifdef ISC_PLATFORM_CRYPTORANDOM +- if (randomfile != NULL && +- strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { +- randomfile = NULL; ++ if (randomfile == NULL) { + isc_entropy_usehook(ectx, ISC_TRUE); + } + #endif +diff --git a/bin/tests/system/tkey/keycreate.c b/bin/tests/system/tkey/keycreate.c +index 4f2f5b4..0894db7 100644 +--- a/bin/tests/system/tkey/keycreate.c ++++ b/bin/tests/system/tkey/keycreate.c +@@ -255,9 +255,7 @@ main(int argc, char *argv[]) { + ectx = NULL; + RUNCHECK(isc_entropy_create(mctx, &ectx)); + #ifdef ISC_PLATFORM_CRYPTORANDOM +- if (randomfile != NULL && +- strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { +- randomfile = NULL; ++ if (randomfile == NULL) { + isc_entropy_usehook(ectx, ISC_TRUE); + } + #endif +diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c +index 0975bbe..5b8a470 100644 +--- a/bin/tests/system/tkey/keydelete.c ++++ b/bin/tests/system/tkey/keydelete.c +@@ -182,9 +182,7 @@ main(int argc, char **argv) { + ectx = NULL; + RUNCHECK(isc_entropy_create(mctx, &ectx)); + #ifdef ISC_PLATFORM_CRYPTORANDOM +- if (randomfile != NULL && +- strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { +- randomfile = NULL; ++ if (randomfile == NULL) { + isc_entropy_usehook(ectx, ISC_TRUE); + } + #endif +diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml +index a5d9e2e..2a96f71 100644 +--- a/doc/arm/Bv9ARM-book.xml ++++ b/doc/arm/Bv9ARM-book.xml +@@ -5070,22 +5070,45 @@ badresp:1,adberr:0,findfail:0,valfail:0] + random-device + + +- The source of entropy to be used by the server. Entropy is +- primarily needed +- for DNSSEC operations, such as TKEY transactions and dynamic +- update of signed +- zones. This options specifies the device (or file) from which +- to read +- entropy. If this is a file, operations requiring entropy will +- fail when the +- file has been exhausted. If not specified, the default value +- is +- /dev/random +- (or equivalent) when present, and none otherwise. The +- random-device option takes +- effect during +- the initial configuration load at server startup time and +- is ignored on subsequent reloads. ++ Specifies a source of entropy to be used by the server. ++ This is a device or file from which to read entropy. ++ If it is a file, operations requiring entropy ++ will fail when the file has been exhausted. ++ ++ ++ Entropy is needed for cryptographic operations such as ++ TKEY transactions, dynamic update of signed zones, and ++ generation of TSIG session keys. It is also used for ++ seeding and stirring the pseudo-random number generator, ++ which is used for less critical functions requiring ++ randomness such as generation of DNS message transaction ++ ID's. ++ ++ ++ If random-device is not specified, or ++ if it is set to none, entropy will be ++ read from the random number generation function supplied ++ by the cryptographic library with which BIND was linked ++ (i.e. OpenSSL or a PKCS#11 provider). ++ ++ ++ The random-device option takes ++ effect during the initial configuration load at server ++ startup time and is ignored on subsequent reloads. ++ ++ ++ If BIND is built with ++ configure --disable-crypto-rand, then ++ entropy is not sourced from the ++ cryptographic library. In this case, if ++ random-device is not specified, the ++ default value is the system random device, ++ /dev/random or the equivalent. ++ This default can be overridden with ++ configure --with-randomdev. ++ If no system random device exists, then no entropy source ++ will be configured, and named will only ++ be able to use pseudo-random numbers. + + + +diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml +index d3fdb5e..fbc78a0 100644 +--- a/doc/arm/notes.xml ++++ b/doc/arm/notes.xml +@@ -115,7 +115,28 @@ + + + +- None. ++ By default, BIND now uses the random number generation functions ++ in the cryptographic library (i.e., OpenSSL or a PKCS#11 ++ provider) as a source of high-quality randomness rather than ++ /dev/random. This is suitable for virtual ++ machine environments, which may have limited entropy pools and ++ lack hardware random number generators. ++ ++ ++ This can be overridden by specifying another entropy source via ++ the random-device option in ++ named.conf, or via the -r ++ command line option. However, for functions requiring full ++ cryptographic strength, such as DNSSEC key generation, this ++ cannot be overridden. In particular, the ++ -r command line option no longer has any ++ effect on dnssec-keygen. ++ ++ ++ This can be disabled by building with ++ configure --disable-crypto-rand, in which ++ case /dev/random will be the default ++ entropy source. [RT #31459] [RT #46047] + + + +diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c +index 803e7b3..29a4fef 100644 +--- a/lib/dns/dst_api.c ++++ b/lib/dns/dst_api.c +@@ -276,8 +276,9 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx, + #endif + #if defined(OPENSSL) || defined(PKCS11CRYPTO) + #ifdef ISC_PLATFORM_CRYPTORANDOM +- if (dst_entropy_pool != NULL) ++ if (dst_entropy_pool != NULL) { + isc_entropy_sethook(dst_random_getdata); ++ } + #endif + #endif /* defined(OPENSSL) || defined(PKCS11CRYPTO) */ + dst_initialized = ISC_TRUE; +@@ -2015,10 +2016,12 @@ dst__entropy_getdata(void *buf, unsigned int len, isc_boolean_t pseudo) { + else + flags |= ISC_ENTROPY_BLOCKING; + #ifdef ISC_PLATFORM_CRYPTORANDOM ++ /* get entropy directly from crypto provider */ + return (dst_random_getdata(buf, len, NULL, flags)); + #else ++ /* get entropy from entropy source or hook function */ + return (isc_entropy_getdata(dst_entropy_pool, buf, len, NULL, flags)); +-#endif ++#endif /* ISC_PLATFORM_CRYPTORANDOM */ + #endif /* PKCS11CRYPTO */ + } + +diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h +index d9b6ab6..e8c1a3c 100644 +--- a/lib/dns/include/dst/dst.h ++++ b/lib/dns/include/dst/dst.h +@@ -161,8 +161,18 @@ isc_result_t + dst_random_getdata(void *data, unsigned int length, + unsigned int *returned, unsigned int flags); + /*%< +- * \brief Return data from the crypto random generator. +- * Specialization of isc_entropy_getdata(). ++ * Gets random data from the random generator provided by the ++ * crypto library, if BIND was built with --enable-crypto-rand. ++ * ++ * See isc_entropy_getdata() for parameter usage. Normally when ++ * this function is available, it will be set up as a hook in the ++ * entropy context, so that isc_entropy_getdata() is a front-end to ++ * this function. ++ * ++ * Returns: ++ * \li ISC_R_SUCCESS on success ++ * \li ISC_R_NOTIMPLEMENTED if BIND is built with --disable-crypto-rand ++ * \li DST_R_OPENSSLFAILURE, DST_R_CRYPTOFAILURE, or other codes on error + */ + + isc_boolean_t +diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c +index c1e1bde..91e87d0 100644 +--- a/lib/dns/openssl_link.c ++++ b/lib/dns/openssl_link.c +@@ -482,7 +482,8 @@ dst__openssl_getengine(const char *engine) { + + isc_result_t + dst_random_getdata(void *data, unsigned int length, +- unsigned int *returned, unsigned int flags) { ++ unsigned int *returned, unsigned int flags) ++{ + #ifdef ISC_PLATFORM_CRYPTORANDOM + #ifndef DONT_REQUIRE_DST_LIB_INIT + INSIST(dst__memory_pool != NULL); +diff --git a/lib/isc/include/isc/entropy.h b/lib/isc/include/isc/entropy.h +index d9deb8a..2d37363 100644 +--- a/lib/isc/include/isc/entropy.h ++++ b/lib/isc/include/isc/entropy.h +@@ -9,8 +9,6 @@ + * information regarding copyright ownership. + */ + +-/* $Id: entropy.h,v 1.35 2009/10/19 02:37:08 marka Exp $ */ +- + #ifndef ISC_ENTROPY_H + #define ISC_ENTROPY_H 1 + +@@ -190,9 +188,8 @@ isc_entropy_createcallbacksource(isc_entropy_t *ent, + /*!< + * \brief Create an entropy source that is polled via a callback. + * +- * This would +- * be used when keyboard input is used, or a GUI input method. It can +- * also be used to hook in any external entropy source. ++ * This would be used when keyboard input is used, or a GUI input method. ++ * It can also be used to hook in any external entropy source. + * + * Samples are added via isc_entropy_addcallbacksample(), below. + * _addcallbacksample() is the only function which may be called from +@@ -233,15 +230,32 @@ isc_result_t + isc_entropy_getdata(isc_entropy_t *ent, void *data, unsigned int length, + unsigned int *returned, unsigned int flags); + /*!< +- * \brief Extract data from the entropy pool. This may load the pool from various +- * sources. ++ * \brief Get random data from entropy pool 'ent'. ++ * ++ * If a hook has been set up using isc_entropy_sethook() and ++ * isc_entropy_usehook(), then the hook function will be called to get ++ * random data. ++ * ++ * Otherwise, randomness is extracted from the entropy pool set up in BIND. ++ * This may cause the pool to be loaded from various sources. Ths is done ++ * by stirring the pool and returning a part of hash as randomness. ++ * (Note that no secrets are given away here since parts of the hash are ++ * XORed together before returning.) ++ * ++ * 'flags' may contain ISC_ENTROPY_GOODONLY, ISC_ENTROPY_PARTIAL, or ++ * ISC_ENTROPY_BLOCKING. These will be honored if the hook function is ++ * not in use. If it is, the flags will be passed to the hook function ++ * but it may ignore them. + * +- * Do this by stiring the pool and returning a part of hash as randomness. +- * Note that no secrets are given away here since parts of the hash are +- * xored together before returned. ++ * Up to 'length' bytes of randomness are retrieved and copied into 'data'. ++ * (If 'returned' is not NULL, and the number of bytes copied is less than ++ * 'length' - which may happen if ISC_ENTROPY_PARTIAL was used - then the ++ * number of bytes copied will be stored in *returned.) + * +- * Honor the request from the caller to only return good data, any data, +- * etc. ++ * Returns: ++ * \li ISC_R_SUCCESS on success ++ * \li ISC_R_NOENTROPY if entropy pool is empty ++ * \li other error codes are possible when a hook is in use + */ + + void +@@ -306,13 +320,21 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source, + void + isc_entropy_usehook(isc_entropy_t *ectx, isc_boolean_t onoff); + /*!< +- * \brief Mark/unmark the given entropy structure as being hooked. ++ * \brief Configure entropy context 'ectx' to use the hook function ++ * ++ * Sets the entropy context to call the hook function for random number ++ * generation, if such a function has been configured via ++ * isc_entropy_sethook(), whenever isc_entropy_getdata() is called. + */ + + void + isc_entropy_sethook(isc_entropy_getdata_t myhook); + /*!< +- * \brief Set the getdata hook (e.g., for a crypto random generator). ++ * \brief Set the hook function. ++ * ++ * The hook function is a global value: only one hook function ++ * can be set in the system. Individual entropy contexts may be ++ * configured to use it, or not, by calling isc_entropy_usehook(). + */ + + ISC_LANG_ENDDECLS +diff --git a/lib/isc/include/isc/random.h b/lib/isc/include/isc/random.h +index ba53ebf..b575728 100644 +--- a/lib/isc/include/isc/random.h ++++ b/lib/isc/include/isc/random.h +@@ -9,8 +9,6 @@ + * information regarding copyright ownership. + */ + +-/* $Id: random.h,v 1.20 2009/01/17 23:47:43 tbox Exp $ */ +- + #ifndef ISC_RANDOM_H + #define ISC_RANDOM_H 1 + +@@ -21,13 +19,23 @@ + #include + + /*! \file isc/random.h +- * \brief Implements a random state pool which will let the caller return a +- * series of possibly non-reproducible random values. ++ * \brief Implements pseudo random number generators. ++ * ++ * Two pseudo-random number generators are implemented, in isc_random_* ++ * and isc_rng_*. Neither one is very strong; they should not be used ++ * in cryptography functions. ++ * ++ * isc_random_* is based on arc4random if it is available on the system. ++ * Otherwise it is based on the posix srand() and rand() functions. ++ * It is useful for jittering values a bit here and there, such as ++ * timeouts, etc, but should not be relied upon to generate ++ * unpredictable sequences (for example, when choosing transaction IDs). + * +- * Note that the +- * strength of these numbers is not all that high, and should not be +- * used in cryptography functions. It is useful for jittering values +- * a bit here and there, such as timeouts, etc. ++ * isc_rng_* is based on ChaCha20, and is seeded and stirred from the ++ * system entropy source. It is stronger than isc_random_* and can ++ * be used for generating unpredictable sequences. It is still not as ++ * good as using system entropy directly (see entropy.h) and should not ++ * be used for cryptographic functions such as key generation. + */ + + ISC_LANG_BEGINDECLS +@@ -115,8 +123,8 @@ isc_rng_random(isc_rng_t *rngctx); + isc_uint16_t + isc_rng_uniformrandom(isc_rng_t *rngctx, isc_uint16_t upper_bound); + /*%< +- * Returns a uniformly distributed pseudo random 16-bit unsigned +- * integer. ++ * Returns a uniformly distributed pseudo-random 16-bit unsigned integer ++ * less than 'upper_bound'. + */ + + ISC_LANG_ENDDECLS +diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c +index 8d496ff..dd08187 100644 +--- a/lib/isccfg/namedconf.c ++++ b/lib/isccfg/namedconf.c +@@ -1106,7 +1106,7 @@ options_clauses[] = { + { "pid-file", &cfg_type_qstringornone, 0 }, + { "port", &cfg_type_uint32, 0 }, + { "querylog", &cfg_type_boolean, 0 }, +- { "random-device", &cfg_type_qstring, 0 }, ++ { "random-device", &cfg_type_qstringornone, 0 }, + { "recursing-file", &cfg_type_qstring, 0 }, + { "recursive-clients", &cfg_type_uint32, 0 }, + { "reserved-sockets", &cfg_type_uint32, 0 }, +-- +2.20.1 + diff --git a/SOURCES/bind-9.11-unit-disable-random.patch b/SOURCES/bind-9.11-unit-disable-random.patch new file mode 100644 index 0000000..5658d12 --- /dev/null +++ b/SOURCES/bind-9.11-unit-disable-random.patch @@ -0,0 +1,45 @@ +From c89b0e288f923af69b97e8acc29250b262be7d1e Mon Sep 17 00:00:00 2001 +From: Petr Mensik +Date: Thu, 21 Feb 2019 22:42:27 +0100 +Subject: [PATCH] Disable random_test + +It fails too often on some architecture, failing the whole build along. +Because it runs two times for pkcs11 and normal build and any of +subtests can occasionally fail, stop it. + +It can be used again by defining 'unstable' variable in Kyuafile. +--- + lib/isc/tests/Atffile | 3 ++- + lib/isc/tests/Kyuafile | 2 +- + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/lib/isc/tests/Atffile b/lib/isc/tests/Atffile +index 8681844..74a4a77 100644 +--- a/lib/isc/tests/Atffile ++++ b/lib/isc/tests/Atffile +@@ -20,7 +20,8 @@ tp: pool_test + tp: print_test + tp: queue_test + tp: radix_test +-tp: random_test ++# random test fails too often ++#tp: random_test + tp: regex_test + tp: result_test + tp: safe_test +diff --git a/lib/isc/tests/Kyuafile b/lib/isc/tests/Kyuafile +index 1c510c1..a86824a 100644 +--- a/lib/isc/tests/Kyuafile ++++ b/lib/isc/tests/Kyuafile +@@ -19,7 +19,7 @@ atf_test_program{name='pool_test'} + atf_test_program{name='print_test'} + atf_test_program{name='queue_test'} + atf_test_program{name='radix_test'} +-atf_test_program{name='random_test'} ++atf_test_program{name='random_test', required_configs='unstable'} + atf_test_program{name='regex_test'} + atf_test_program{name='result_test'} + atf_test_program{name='safe_test'} +-- +2.20.1 + diff --git a/SOURCES/bind-9.11-zone2ldap.patch b/SOURCES/bind-9.11-zone2ldap.patch new file mode 100644 index 0000000..e576c03 --- /dev/null +++ b/SOURCES/bind-9.11-zone2ldap.patch @@ -0,0 +1,196 @@ +From 738d12594972ad816e8cff9821f760aa0682fd08 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= +Date: Tue, 18 Dec 2018 16:06:26 +0100 +Subject: [PATCH] Make absolute hostname by dns API instead of strings + +Duplicate all strings in dc_list. Free allocated memory on each record. +--- + bin/sdb_tools/zone2ldap.c | 72 +++++++++++++++++++++++++++++------------------ + 1 file changed, 45 insertions(+), 27 deletions(-) + +diff --git a/bin/sdb_tools/zone2ldap.c b/bin/sdb_tools/zone2ldap.c +index acf160b..cc482dc 100644 +--- a/bin/sdb_tools/zone2ldap.c ++++ b/bin/sdb_tools/zone2ldap.c +@@ -87,6 +87,10 @@ int get_attr_list_size (char **tmp); + /* Get a DN */ + char *build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag, char *zone); + ++/* Free a DN list */ ++static void ++free_dc_list(char **dc_list); ++ + /* Add to RR list */ + void add_to_rr_list (char *dn, char *name, char *type, char *data, + unsigned int ttl, unsigned int flags); +@@ -123,6 +127,7 @@ static char dNSTTL []="dNSTTL"; + static char zoneName []="zoneName"; + static char dc []="dc"; + static char sameZone []="@"; ++static char dot []="."; + /* LDAPMod mod_values: */ + static char *objectClasses []= { &(topClass[0]), &(dNSZoneClass[0]), NULL }; + static char *topObjectClasses []= { &(topClass[0]), &(dcObjectClass[0]), &(dNSZoneClass[0]), NULL }; +@@ -396,6 +401,8 @@ main (int argc, char **argv) + } + + } ++ ++ free_dc_list(dc_list); + } + else + { +@@ -451,12 +458,17 @@ generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, unsigned int ttl) + char data[2048]; + char **dc_list; + char *dn; ++ size_t argzone_len; ++ isc_boolean_t omit_dot; + + isc_buffer_t buff; + isc_result_t result; + + isc_buffer_init (&buff, name, sizeof (name)); +- result = dns_name_totext (dnsname, ISC_TRUE, &buff); ++ argzone_len = strlen(argzone); ++ /* If argzone is absolute, output absolute name too */ ++ omit_dot = ISC_TF(!(argzone_len > 0 && argzone[argzone_len-1] == '.')); ++ result = dns_name_totext (dnsname, omit_dot, &buff); + isc_result_check (result, "dns_name_totext"); + name[isc_buffer_usedlength (&buff)] = 0; + +@@ -478,6 +490,7 @@ generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, unsigned int ttl) + printf ("Adding %s (%s %s) to run queue list.\n", dn, type, data); + + add_to_rr_list (dn, dc_list[len], (char*)type, (char*)data, ttl, DNS_OBJECT); ++ free_dc_list(dc_list); + } + + +@@ -538,12 +551,9 @@ add_to_rr_list (char *dn, char *name, char *type, + if (tmp->attrs == (LDAPMod **) NULL) + fatal("calloc"); + +- for (i = 0; i < (int)flags; i++) +- { +- tmp->attrs[i] = (LDAPMod *) malloc (sizeof (LDAPMod)); +- if (tmp->attrs[i] == (LDAPMod *) NULL) +- fatal("malloc"); +- } ++ tmp->attrs[0] = (LDAPMod *) malloc (sizeof (LDAPMod)); ++ if (tmp->attrs[0] == (LDAPMod *) NULL) ++ fatal("malloc"); + tmp->attrs[0]->mod_op = LDAP_MOD_ADD; + tmp->attrs[0]->mod_type = objectClass; + +@@ -559,9 +569,18 @@ add_to_rr_list (char *dn, char *name, char *type, + return; + } + ++ for (i = 1; i < (int)flags-1; i++) ++ { ++ tmp->attrs[i] = (LDAPMod *) malloc (sizeof (LDAPMod)); ++ if (tmp->attrs[i] == (LDAPMod *) NULL) ++ fatal("malloc"); ++ } ++ tmp->attrs[i] = NULL; ++ ++ + tmp->attrs[1]->mod_op = LDAP_MOD_ADD; + tmp->attrs[1]->mod_type = relativeDomainName; +- tmp->attrs[1]->mod_values = (char **) calloc (sizeof (char *), 2); ++ tmp->attrs[1]->mod_values = (char **) calloc (sizeof (char *), 3); + + if (tmp->attrs[1]->mod_values == (char **)NULL) + fatal("calloc"); +@@ -705,25 +724,16 @@ char ** + hostname_to_dn_list (char *hostname, char *zone, unsigned int flags) + { + char *tmp; +- int i = 0; ++ int i = 0, j = 0; + char *hname=0L, *last=0L; + int hlen=strlen(hostname), zlen=(strlen(zone)); + + /* printf("hostname: %s zone: %s\n",hostname, zone); */ +- hname=0L; + if(flags == DNS_OBJECT) + { +- if( (zone[ zlen - 1 ] == '.') && (hostname[hlen - 1] != '.') ) +- { +- hname=(char*)malloc(hlen + 1); +- hlen += 1; +- sprintf(hname, "%s.", hostname); +- hostname = hname; +- } + if(strcmp(hostname, zone) == 0) + { +- if( hname == 0 ) +- hname=strdup(hostname); ++ hname=strdup(hostname); + last = strdup(sameZone); + }else + { +@@ -731,8 +741,6 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags) + ||( strcmp( hostname + (hlen - zlen), zone ) != 0) + ) + { +- if( hname != 0 ) +- free(hname); + hname=(char*)malloc( hlen + zlen + 1); + if( *zone == '.' ) + sprintf(hname, "%s%s", hostname, zone); +@@ -740,8 +748,7 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags) + sprintf(hname,"%s",zone); + }else + { +- if( hname == 0 ) +- hname = strdup(hostname); ++ hname = strdup(hostname); + } + last = hname; + } +@@ -754,18 +761,21 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags) + for (tmp = strrchr (hname, '.'); tmp != (char *) 0; + tmp = strrchr (hname, '.')) + { +- if( *( tmp + 1 ) != '\0' ) ++ tmp[0] = '\0'; ++ if( tmp[1] != '\0' ) + { +- *tmp = '\0'; + dn_buffer[i++] = ++tmp; + }else + { /* trailing '.' ! */ +- dn_buffer[i++] = strdup("."); +- *tmp = '\0'; ++ dn_buffer[i++] = dot; + if( tmp == hname ) + break; + } + } ++ for (j=0; j + #include + int getnameinfo(const struct sockaddr *, socklen_t, char *, +- socklen_t, char *, socklen_t, unsigned int);], ++ socklen_t, char *, socklen_t, int);], [ return (0);], - [AC_MSG_RESULT(size_t for buflen; int for flags) -- AC_DEFINE(IRS_GETNAMEINFO_SOCKLEN_T, size_t) -- AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, size_t) -+ # Changed to solve multilib conflict on Fedora -+ # AC_DEFINE(IRS_GETNAMEINFO_SOCKLEN_T, size_t) -+ # AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, size_t) -+ AC_DEFINE(IRS_GETNAMEINFO_SOCKLEN_T, socklen_t) -+ AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, socklen_t) - AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, int)], +- [AC_MSG_RESULT(socklen_t for buflen; u_int for flags) ++ [AC_MSG_RESULT(socklen_t for buflen; int for flags) + AC_DEFINE(IRS_GETNAMEINFO_SOCKLEN_T, socklen_t, + [Define to the sockaddr length type used by getnameinfo(3).]) + AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, socklen_t, + [Define to the buffer length type used by getnameinfo(3).]) +- AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, unsigned int, ++ AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, int, + [Define to the flags type used by getnameinfo(3).])], + [AC_TRY_COMPILE([ + #include +@@ -3557,7 +3557,7 @@ int getnameinfo(const struct sockaddr *, size_t, char *, [AC_MSG_RESULT(not match any subspecies; assume standard definition) AC_DEFINE(IRS_GETNAMEINFO_SOCKLEN_T, socklen_t) + AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, socklen_t) +-AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, int)])])]) ++AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, unsigned int)])])]) + + # + # ...and same for gai_strerror(). diff --git a/isc-config.sh.in b/isc-config.sh.in -index 04a9e5c..67400d8 100644 +index a8a0a89e88..b5e94ed13e 100644 --- a/isc-config.sh.in +++ b/isc-config.sh.in -@@ -21,7 +21,18 @@ prefix=@prefix@ +@@ -13,7 +13,18 @@ prefix=@prefix@ exec_prefix=@exec_prefix@ exec_prefix_set= includedir=@includedir@ @@ -53,7 +66,7 @@ index 04a9e5c..67400d8 100644 usage() { -@@ -140,6 +151,16 @@ if test x"$echo_libs" = x"true"; then +@@ -132,6 +143,16 @@ if test x"$echo_libs" = x"true"; then if test x"${exec_prefix_set}" = x"true"; then libs="-L${exec_prefix}/lib" else diff --git a/SOURCES/bind97-rh478718.patch b/SOURCES/bind97-rh478718.patch index e0094aa..ef44490 100644 --- a/SOURCES/bind97-rh478718.patch +++ b/SOURCES/bind97-rh478718.patch @@ -1,8 +1,8 @@ diff --git a/configure.in b/configure.in -index 97d9d15..999040d 100644 +index 896e81c1ce..73b1c8ccbb 100644 --- a/configure.in +++ b/configure.in -@@ -4041,6 +4041,10 @@ if test "yes" = "$use_atomic"; then +@@ -4275,6 +4275,10 @@ if test "yes" = "$use_atomic"; then AC_MSG_RESULT($arch) fi @@ -14,19 +14,38 @@ index 97d9d15..999040d 100644 AC_MSG_CHECKING([compiler support for inline assembly code]) diff --git a/lib/isc/include/isc/platform.h.in b/lib/isc/include/isc/platform.h.in -index 24b61db..28f49c8 100644 +index 2ff522342f..58df86adb3 100644 --- a/lib/isc/include/isc/platform.h.in +++ b/lib/isc/include/isc/platform.h.in -@@ -286,7 +286,11 @@ +@@ -289,19 +289,25 @@ * If the "xaddq" operation (64bit xadd) is available on this architecture, * ISC_PLATFORM_HAVEXADDQ will be defined. */ -@ISC_PLATFORM_HAVEXADDQ@ + + /* +- * If the 32-bit "atomic swap" operation is available on this +- * architecture, ISC_PLATFORM_HAVEATOMICSTORE" will be defined. ++ * If the 64-bit "atomic swap" operation is available on this ++ * architecture, ISC_PLATFORM_HAVEATOMICSTOREQ" will be defined. + */ +-@ISC_PLATFORM_HAVEATOMICSTORE@ ++ +#ifdef __x86_64__ +#define ISC_PLATFORM_HAVEXADDQ 1 ++#define ISC_PLATFORM_HAVEATOMICSTOREQ 1 +#else +#undef ISC_PLATFORM_HAVEXADDQ ++#undef ISC_PLATFORM_HAVEATOMICSTOREQ +#endif /* - * If the 32-bit "atomic swap" operation is available on this +- * If the 64-bit "atomic swap" operation is available on this ++ * If the 32-bit "atomic swap" operation is available on this + * architecture, ISC_PLATFORM_HAVEATOMICSTORE" will be defined. + */ +-@ISC_PLATFORM_HAVEATOMICSTOREQ@ ++@ISC_PLATFORM_HAVEATOMICSTORE@ + + /* + * If the "compare-and-exchange" operation is available on this architecture, diff --git a/SOURCES/setup-named-chroot.sh b/SOURCES/setup-named-chroot.sh index 28134f5..5e68915 100755 --- a/SOURCES/setup-named-chroot.sh +++ b/SOURCES/setup-named-chroot.sh @@ -44,9 +44,10 @@ dev_create() dev_chroot_prep() { - dev_create random c 1 8 - dev_create zero c 1 5 - dev_create null c 1 3 + dev_create random c 1 8 + dev_create urandom c 1 9 + dev_create zero c 1 5 + dev_create null c 1 3 } files_comment_filter() diff --git a/SPECS/bind.spec b/SPECS/bind.spec index 56108fc..06c5ea7 100644 --- a/SPECS/bind.spec +++ b/SPECS/bind.spec @@ -53,7 +53,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv Name: bind License: MPLv2.0 Version: 9.11.4 -Release: 17%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}.1 +Release: 26%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} Epoch: 32 Url: http://www.isc.org/products/BIND/ # @@ -86,6 +86,7 @@ Source46: named-setup-rndc.service Source47: named-pkcs11.service Source48: setup-named-softhsm.sh Source49: named-chroot.files +Source50: random.data # Common patches Patch10: bind-9.5-PIE.patch @@ -124,7 +125,20 @@ Patch160:bind-9.11-CVE-2018-5744.patch Patch161:bind-9.11-CVE-2018-5744-test.patch Patch162:bind-9.11-CVE-2018-5743.patch Patch163:bind-9.11-CVE-2018-5743-atomic.patch -Patch164:bind-9.11-CVE-2019-6471.patch +Patch164:bind-9.11-fips-code-includes.patch +# [RT #31459] commit 06a8051d2476fb526fe6960832209392c763a9af +Patch165:bind-9.11-rt31459.patch +# [RT #46047] commit 24172bd2eeba91441ab1c65d2717b0692309244a ISC 4724 +Patch166:bind-9.11-rt46047.patch +Patch167:bind-9.11-rh1668682.patch +# random_test fails too often by random, disable it +Patch168:bind-9.11-unit-disable-random.patch +Patch169:bind-9.11-rt46047-2.patch +Patch170:bind-9.11-CVE-2019-6471.patch +Patch171:bind-9.11-rh1679307.patch +Patch172:bind-9.11-CVE-2018-5745.patch +Patch173:bind-9.11-CVE-2019-6465.patch +Patch174:bind-9.11-fips-disable.patch # SDB patches Patch11: bind-9.3.2b2-sdbsrc.patch @@ -135,6 +149,7 @@ Patch135:bind-9.11-export-isc-config.patch # needs inpection Patch17: bind-9.3.2b1-fix_sdb_ldap.patch +Patch18: bind-9.11-zone2ldap.patch Requires(post): systemd Requires(preun): systemd @@ -462,7 +477,20 @@ are used for building ISC DHCP. %patch161 -p1 -b .CVE-2018-5744-test %patch162 -p1 -b .CVE-2018-5743 %patch163 -p1 -b .CVE-2018-5743-atomic -%patch164 -p1 -b .CVE-2019-6471 +%patch164 -p1 -b .fips-includes +%patch165 -p1 -b .rt31459 +%patch166 -p1 -b .rt46047 +%patch167 -p1 -b .rh1668682 +%patch168 -p1 -b .random_test-disable +%patch169 -p1 -b .rt46047-2 +%patch170 -p1 -b .CVE-2019-6471 +%patch171 -p1 -b .rh1679307 +%patch172 -p1 -b .CVE-2018-5745 +%patch173 -p1 -b .CVE-2019-6465 +%patch174 -p1 -b .rh1737407 + +mkdir lib/dns/tests/testdata/dstrandom +cp -a %{SOURCE50} lib/dns/tests/testdata/dstrandom/random.data %if %{with PKCS11} cp -r bin/named{,-pkcs11} @@ -498,6 +526,7 @@ cp -fp contrib/sdb/pgsql/zonetodb.c bin/sdb_tools cp -fp contrib/sdb/sqlite/zone2sqlite.c bin/sdb_tools %patch12 -p1 -b .sdb %patch17 -p1 -b .fix_sdb_ldap +%patch18 -p1 -b .fix_zone2ldap %patch137 -p1 -b .strlcat_fix %endif @@ -1276,6 +1305,7 @@ rm -rf ${RPM_BUILD_ROOT} %defattr(0664,root,named,-) %ghost %dev(c,1,3) %verify(not mtime) %{chroot_prefix}/dev/null %ghost %dev(c,1,8) %verify(not mtime) %{chroot_prefix}/dev/random +%ghost %dev(c,1,9) %verify(not mtime) %{chroot_prefix}/dev/urandom %ghost %dev(c,1,5) %verify(not mtime) %{chroot_prefix}/dev/zero %defattr(0640,root,named,0750) %dir %{chroot_prefix} @@ -1311,6 +1341,7 @@ rm -rf ${RPM_BUILD_ROOT} %defattr(0664,root,named,-) %ghost %dev(c,1,3) %verify(not mtime) %{chroot_sdb_prefix}/dev/null %ghost %dev(c,1,8) %verify(not mtime) %{chroot_sdb_prefix}/dev/random +%ghost %dev(c,1,9) %verify(not mtime) %{chroot_sdb_prefix}/dev/urandom %ghost %dev(c,1,5) %verify(not mtime) %{chroot_sdb_prefix}/dev/zero %defattr(0640,root,named,0750) %dir %{chroot_sdb_prefix} @@ -1432,9 +1463,37 @@ rm -rf ${RPM_BUILD_ROOT} %changelog -* Wed Jun 19 2019 Petr Menšík - 32:9.11.4-17.P2.1 +* Thu Aug 08 2019 Petr Menšík - 32:9.11.4-26.P2 +- Permit explicit disabling of RSAMD5 in FIPS mode (#1737407) + +* Wed Jul 17 2019 Petr Menšík - 32:9.11.4-25.P2 +- Fix CVE-2018-5745 +- Fix CVE-2019-6465 + +* Wed Jul 17 2019 Petr Menšík - 32:9.11.4-24.P2 +- Do not override random numbers provider in DHCP (#1668682) + +* Wed Jul 17 2019 Petr Menšík - 32:9.11.4-23.P2 +- Report errors on invalid IDN 2008 names (#1679307) + +* Wed Jun 19 2019 Petr Menšík - 32:9.11.4-22.P2 - Fix CVE-2019-6471 +* Thu Jun 13 2019 Petr Menšík - 32:9.11.4-21.P2 +- Fix random generator initialization + +* Wed Apr 24 2019 Petr Menšík - 32:9.11.4-20.P2 +- Fix multilib conflict of devel packages (#1666785) + +* Wed Apr 24 2019 Petr Menšík - 32:9.11.4-19.P2 +- Add support for OpenSSL provided random data +- Disable often failing unit test random_test +- Add /dev/urandom to chroot + +* Wed Apr 24 2019 Petr Menšík - 32:9.11.4-18.P2 +- Fix zone2ldap tool memory management (#1602451) +- Add support for OpenSSL provided random data + * Wed Apr 24 2019 Petr Menšík - 32:9.11.4-17.P2 - Fix inefective limit of TCP clients (CVE-2018-5743)