diff --git a/.bind.metadata b/.bind.metadata index 6031674..06b0f1d 100644 --- a/.bind.metadata +++ b/.bind.metadata @@ -1,2 +1,2 @@ -ff6ad0d3f9282a77786e93eb889154008ef1ccdf SOURCES/bind-9.11.20.tar.gz +14064c865920842e48f444be2bda9dc91770e439 SOURCES/bind-9.11.26.tar.gz a164fcad1d64d6b5fab5034928cb7260f1fa8fdd SOURCES/random.data diff --git a/.gitignore b/.gitignore index e7ad81f..e31c942 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -SOURCES/bind-9.11.20.tar.gz +SOURCES/bind-9.11.26.tar.gz SOURCES/random.data diff --git a/SOURCES/bind-9.10-dist-native-pkcs11.patch b/SOURCES/bind-9.10-dist-native-pkcs11.patch index e553d5f..62ceee2 100644 --- a/SOURCES/bind-9.10-dist-native-pkcs11.patch +++ b/SOURCES/bind-9.10-dist-native-pkcs11.patch @@ -1,5 +1,5 @@ diff --git a/bin/Makefile.in b/bin/Makefile.in -index f0c504a..ce7a2da 100644 +index a18b222..26a7e4e 100644 --- a/bin/Makefile.in +++ b/bin/Makefile.in @@ -11,8 +11,8 @@ srcdir = @srcdir@ @@ -14,7 +14,7 @@ index f0c504a..ce7a2da 100644 @BIND9_MAKE_RULES@ diff --git a/bin/dnssec-pkcs11/Makefile.in b/bin/dnssec-pkcs11/Makefile.in -index 4b8ca13..32f4470 100644 +index 390aa0c..e59a118 100644 --- a/bin/dnssec-pkcs11/Makefile.in +++ b/bin/dnssec-pkcs11/Makefile.in @@ -15,18 +15,18 @@ VERSION=@BIND9_VERSION@ @@ -130,7 +130,7 @@ index 4b8ca13..32f4470 100644 clean distclean:: diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in -index 4b8ca13..4175996 100644 +index 390aa0c..851a008 100644 --- a/bin/dnssec/Makefile.in +++ b/bin/dnssec/Makefile.in @@ -17,7 +17,7 @@ VERSION=@BIND9_VERSION@ @@ -273,10 +273,10 @@ index 3166368..890574f 100644 CWARNINGS = diff --git a/bin/pkcs11/Makefile.in b/bin/pkcs11/Makefile.in -index a058c91..d4b689a 100644 +index 2c19e7e..8223d5e 100644 --- a/bin/pkcs11/Makefile.in +++ b/bin/pkcs11/Makefile.in -@@ -15,13 +15,13 @@ top_srcdir = @top_srcdir@ +@@ -13,13 +13,13 @@ top_srcdir = @top_srcdir@ @BIND9_MAKE_INCLUDES@ @@ -294,10 +294,10 @@ index a058c91..d4b689a 100644 DEPLIBS = ${ISCDEPLIBS} diff --git a/configure.ac b/configure.ac -index 9b7d778..59ba20b 100644 +index c6715b4..8144268 100644 --- a/configure.ac +++ b/configure.ac -@@ -1139,12 +1139,14 @@ AC_SUBST(USE_GSSAPI) +@@ -1176,12 +1176,14 @@ AC_SUBST(USE_GSSAPI) AC_SUBST(DST_GSSAPI_INC) AC_SUBST(DNS_GSSAPI_LIBS) DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_LIBS" @@ -312,24 +312,26 @@ index 9b7d778..59ba20b 100644 # # was --with-randomdev specified? -@@ -1494,11 +1496,11 @@ AC_ARG_ENABLE(openssl-hash, +@@ -1554,12 +1556,12 @@ AC_ARG_ENABLE(openssl-hash, AC_MSG_CHECKING(for OpenSSL library) OPENSSL_WARNING= openssldirs="/usr /usr/local /usr/local/ssl /opt/local /usr/pkg /usr/sfw" -if test "yes" = "$want_native_pkcs11" -then - use_openssl="native_pkcs11" +- want_openssl_hash="no" - AC_MSG_RESULT(use of native PKCS11 instead) -fi -+# if test "yes" = "$want_native_pkcs11" -+# then -+# use_openssl="native_pkcs11" -+# AC_MSG_RESULT(use of native PKCS11 instead) -+# fi ++#if test "yes" = "$want_native_pkcs11" ++#then ++# use_openssl="native_pkcs11" ++# want_openssl_hash="no" ++# AC_MSG_RESULT(use of native PKCS11 instead) ++#fi if test "auto" = "$use_openssl" then -@@ -1511,6 +1513,7 @@ then +@@ -1572,6 +1574,7 @@ then fi done fi @@ -337,7 +339,7 @@ index 9b7d778..59ba20b 100644 OPENSSL_ECDSA="" OPENSSL_GOST="" OPENSSL_ED25519="" -@@ -1532,11 +1535,10 @@ case "$with_gost" in +@@ -1593,11 +1596,10 @@ case "$with_gost" in ;; esac @@ -352,7 +354,7 @@ index 9b7d778..59ba20b 100644 CRYPTOLIB="pkcs11" OPENSSLECDSALINKOBJS="" OPENSSLECDSALINKSRCS="" -@@ -1546,7 +1548,9 @@ case "$use_openssl" in +@@ -1607,7 +1609,9 @@ case "$use_openssl" in OPENSSLGOSTLINKSRCS="" OPENSSLLINKOBJS="" OPENSSLLINKSRCS="" @@ -363,7 +365,7 @@ index 9b7d778..59ba20b 100644 no) AC_MSG_RESULT(no) DST_OPENSSL_INC="" -@@ -1578,7 +1582,7 @@ case "$use_openssl" in +@@ -1639,7 +1643,7 @@ case "$use_openssl" in If you do not want OpenSSL, use --without-openssl]) ;; *) @@ -372,7 +374,7 @@ index 9b7d778..59ba20b 100644 then AC_MSG_RESULT() AC_MSG_ERROR([OpenSSL and native PKCS11 cannot be used together.]) -@@ -2006,6 +2010,7 @@ AC_SUBST(OPENSSL_ED25519) +@@ -2067,6 +2071,7 @@ AC_SUBST(OPENSSL_ED25519) AC_SUBST(OPENSSL_GOST) DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DST_OPENSSL_LIBS" @@ -380,7 +382,7 @@ index 9b7d778..59ba20b 100644 ISC_PLATFORM_WANTAES="#undef ISC_PLATFORM_WANTAES" if test "yes" = "$with_aes" -@@ -2291,6 +2296,7 @@ esac +@@ -2353,6 +2358,7 @@ esac AC_SUBST(PKCS11LINKOBJS) AC_SUBST(PKCS11LINKSRCS) AC_SUBST(CRYPTO) @@ -388,7 +390,7 @@ index 9b7d778..59ba20b 100644 AC_SUBST(PKCS11_ECDSA) AC_SUBST(PKCS11_GOST) AC_SUBST(PKCS11_ED25519) -@@ -5405,8 +5411,11 @@ AC_CONFIG_FILES([ +@@ -5501,8 +5507,11 @@ AC_CONFIG_FILES([ bin/delv/Makefile bin/dig/Makefile bin/dnssec/Makefile @@ -400,7 +402,7 @@ index 9b7d778..59ba20b 100644 bin/nsupdate/Makefile bin/pkcs11/Makefile bin/python/Makefile -@@ -5479,6 +5488,10 @@ AC_CONFIG_FILES([ +@@ -5575,6 +5584,10 @@ AC_CONFIG_FILES([ lib/dns/include/dns/Makefile lib/dns/include/dst/Makefile lib/dns/tests/Makefile @@ -411,7 +413,7 @@ index 9b7d778..59ba20b 100644 lib/irs/Makefile lib/irs/include/Makefile lib/irs/include/irs/Makefile -@@ -5503,6 +5516,24 @@ AC_CONFIG_FILES([ +@@ -5599,6 +5612,24 @@ AC_CONFIG_FILES([ lib/isc/unix/include/Makefile lib/isc/unix/include/isc/Makefile lib/isc/unix/include/pkcs11/Makefile @@ -437,7 +439,7 @@ index 9b7d778..59ba20b 100644 lib/isccc/include/Makefile lib/isccc/include/isccc/Makefile diff --git a/lib/Makefile.in b/lib/Makefile.in -index 81270a0..bcb5312 100644 +index f089bea..3ed939b 100644 --- a/lib/Makefile.in +++ b/lib/Makefile.in @@ -15,7 +15,7 @@ top_srcdir = @top_srcdir@ @@ -450,7 +452,7 @@ index 81270a0..bcb5312 100644 @BIND9_MAKE_RULES@ diff --git a/lib/dns-pkcs11/Makefile.in b/lib/dns-pkcs11/Makefile.in -index 7f09bd6..c388d9e 100644 +index 8fc4e94..5eefb14 100644 --- a/lib/dns-pkcs11/Makefile.in +++ b/lib/dns-pkcs11/Makefile.in @@ -26,17 +26,16 @@ VERSION=@BIND9_VERSION@ @@ -525,7 +527,7 @@ index 7f09bd6..c388d9e 100644 rm -f include/dns/rdatastruct.h rm -f dnstap.pb-c.c dnstap.pb-c.h diff --git a/lib/isc-pkcs11/Makefile.in b/lib/isc-pkcs11/Makefile.in -index 8ad54bb..a3ecdfb 100644 +index 7e3e9ce..58d7466 100644 --- a/lib/isc-pkcs11/Makefile.in +++ b/lib/isc-pkcs11/Makefile.in @@ -23,8 +23,8 @@ CINCLUDES = -I${srcdir}/unix/include \ @@ -539,7 +541,7 @@ index 8ad54bb..a3ecdfb 100644 CWARNINGS = # Alphabetically -@@ -103,40 +103,40 @@ version.@O@: version.c +@@ -107,40 +107,40 @@ version.@O@: version.c -DLIBAGE=${LIBAGE} \ -c ${srcdir}/version.c @@ -593,10 +595,10 @@ index 8ad54bb..a3ecdfb 100644 + rm -f libisc-pkcs11.@A@ libisc-pkcs11-nosymtbl.@A@ libisc-pkcs11.la \ + libisc-pkcs11-nosymtbl.la timestamp diff --git a/make/includes.in b/make/includes.in -index fa86ad1..3cfbe9f 100644 +index 66efe68..966671f 100644 --- a/make/includes.in +++ b/make/includes.in -@@ -43,3 +43,13 @@ BIND9_INCLUDES = @BIND9_BIND9_BUILDINCLUDE@ \ +@@ -41,3 +41,13 @@ BIND9_INCLUDES = @BIND9_BIND9_BUILDINCLUDE@ \ TEST_INCLUDES = \ -I${top_srcdir}/lib/tests/include diff --git a/SOURCES/bind-9.11-CVE-2020-8622.patch b/SOURCES/bind-9.11-CVE-2020-8622.patch deleted file mode 100644 index 74e8225..0000000 --- a/SOURCES/bind-9.11-CVE-2020-8622.patch +++ /dev/null @@ -1,57 +0,0 @@ -From c5a9fd85a19a63f88a5f17c7e6d074ee22364093 Mon Sep 17 00:00:00 2001 -From: Petr Mensik -Date: Tue, 18 Aug 2020 10:53:33 +0200 -Subject: [PATCH] Fix CVE-2020-8622 - -5476. [security] It was possible to trigger an assertion failure when - verifying the response to a TSIG-signed request. - (CVE-2020-8622) [GL #2028] ---- - lib/dns/message.c | 24 +++++++++++++----------- - 1 file changed, 13 insertions(+), 11 deletions(-) - -diff --git a/lib/dns/message.c b/lib/dns/message.c -index d9e341a..7c813a5 100644 ---- a/lib/dns/message.c -+++ b/lib/dns/message.c -@@ -1712,6 +1712,19 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source, - msg->header_ok = 0; - msg->question_ok = 0; - -+ if ((options & DNS_MESSAGEPARSE_CLONEBUFFER) == 0) { -+ isc_buffer_usedregion(&origsource, &msg->saved); -+ } else { -+ msg->saved.length = isc_buffer_usedlength(&origsource); -+ msg->saved.base = isc_mem_get(msg->mctx, msg->saved.length); -+ if (msg->saved.base == NULL) { -+ return (ISC_R_NOMEMORY); -+ } -+ memmove(msg->saved.base, isc_buffer_base(&origsource), -+ msg->saved.length); -+ msg->free_saved = 1; -+ } -+ - isc_buffer_remainingregion(source, &r); - if (r.length < DNS_MESSAGE_HEADERLEN) - return (ISC_R_UNEXPECTEDEND); -@@ -1787,17 +1800,6 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source, - } - - truncated: -- if ((options & DNS_MESSAGEPARSE_CLONEBUFFER) == 0) -- isc_buffer_usedregion(&origsource, &msg->saved); -- else { -- msg->saved.length = isc_buffer_usedlength(&origsource); -- msg->saved.base = isc_mem_get(msg->mctx, msg->saved.length); -- if (msg->saved.base == NULL) -- return (ISC_R_NOMEMORY); -- memmove(msg->saved.base, isc_buffer_base(&origsource), -- msg->saved.length); -- msg->free_saved = 1; -- } - - if (ret == ISC_R_UNEXPECTEDEND && ignore_tc) - return (DNS_R_RECOVERABLE); --- -2.26.2 - diff --git a/SOURCES/bind-9.11-CVE-2020-8623.patch b/SOURCES/bind-9.11-CVE-2020-8623.patch deleted file mode 100644 index ee368d0..0000000 --- a/SOURCES/bind-9.11-CVE-2020-8623.patch +++ /dev/null @@ -1,400 +0,0 @@ -From e8b7be1e1ff3e11bc8d592c3c8d6a0f0d69e9947 Mon Sep 17 00:00:00 2001 -From: Petr Mensik -Date: Tue, 18 Aug 2020 10:54:39 +0200 -Subject: [PATCH] Fix CVE-2020-8623 - -5480. [security] When BIND 9 was compiled with native PKCS#11 support, it - was possible to trigger an assertion failure in code - determining the number of bits in the PKCS#11 RSA public - key with a specially crafted packet. (CVE-2020-8623) - [GL #2037] ---- - lib/dns/pkcs11dh_link.c | 15 ++++++- - lib/dns/pkcs11dsa_link.c | 8 +++- - lib/dns/pkcs11rsa_link.c | 79 +++++++++++++++++++++++++-------- - lib/isc/include/pk11/internal.h | 3 +- - lib/isc/pk11.c | 61 ++++++++++++++++--------- - 5 files changed, 121 insertions(+), 45 deletions(-) - -diff --git a/lib/dns/pkcs11dh_link.c b/lib/dns/pkcs11dh_link.c -index e2b60ea..4cd8e32 100644 ---- a/lib/dns/pkcs11dh_link.c -+++ b/lib/dns/pkcs11dh_link.c -@@ -748,6 +748,7 @@ pkcs11dh_fromdns(dst_key_t *key, isc_buffer_t *data) { - CK_BYTE *prime = NULL, *base = NULL, *pub = NULL; - CK_ATTRIBUTE *attr; - int special = 0; -+ unsigned int bits; - isc_result_t result; - - isc_buffer_remainingregion(data, &r); -@@ -852,7 +853,11 @@ pkcs11dh_fromdns(dst_key_t *key, isc_buffer_t *data) { - pub = r.base; - isc_region_consume(&r, publen); - -- key->key_size = pk11_numbits(prime, plen_); -+ result = pk11_numbits(prime, plen_, &bits); -+ if (result != ISC_R_SUCCESS) { -+ goto cleanup; -+ } -+ key->key_size = bits; - - dh->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 3); - if (dh->repr == NULL) -@@ -1012,6 +1017,7 @@ pkcs11dh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { - dst_private_t priv; - isc_result_t ret; - int i; -+ unsigned int bits; - pk11_object_t *dh = NULL; - CK_ATTRIBUTE *attr; - isc_mem_t *mctx; -@@ -1082,7 +1088,12 @@ pkcs11dh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { - - attr = pk11_attribute_bytype(dh, CKA_PRIME); - INSIST(attr != NULL); -- key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen); -+ -+ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits); -+ if (ret != ISC_R_SUCCESS) { -+ goto err; -+ } -+ key->key_size = bits; - - return (ISC_R_SUCCESS); - -diff --git a/lib/dns/pkcs11dsa_link.c b/lib/dns/pkcs11dsa_link.c -index 12d707a..24d4c14 100644 ---- a/lib/dns/pkcs11dsa_link.c -+++ b/lib/dns/pkcs11dsa_link.c -@@ -983,6 +983,7 @@ pkcs11dsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { - dst_private_t priv; - isc_result_t ret; - int i; -+ unsigned int bits; - pk11_object_t *dsa = NULL; - CK_ATTRIBUTE *attr; - isc_mem_t *mctx = key->mctx; -@@ -1072,7 +1073,12 @@ pkcs11dsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { - - attr = pk11_attribute_bytype(dsa, CKA_PRIME); - INSIST(attr != NULL); -- key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen); -+ -+ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits); -+ if (ret != ISC_R_SUCCESS) { -+ goto err; -+ } -+ key->key_size = bits; - - return (ISC_R_SUCCESS); - -diff --git a/lib/dns/pkcs11rsa_link.c b/lib/dns/pkcs11rsa_link.c -index 6c280bf..86e136a 100644 ---- a/lib/dns/pkcs11rsa_link.c -+++ b/lib/dns/pkcs11rsa_link.c -@@ -337,6 +337,7 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits, - key->key_alg == DST_ALG_RSASHA256 || - key->key_alg == DST_ALG_RSASHA512); - #endif -+ REQUIRE(maxbits <= RSA_MAX_PUBEXP_BITS); - - /* - * Reject incorrect RSA key lengths. -@@ -381,6 +382,7 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits, - for (attr = pk11_attribute_first(rsa); - attr != NULL; - attr = pk11_attribute_next(rsa, attr)) -+ { - switch (attr->type) { - case CKA_MODULUS: - INSIST(keyTemplate[5].type == attr->type); -@@ -401,12 +403,16 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits, - memmove(keyTemplate[6].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[6].ulValueLen = attr->ulValueLen; -- if (pk11_numbits(attr->pValue, -- attr->ulValueLen) > maxbits && -- maxbits != 0) -+ unsigned int bits; -+ ret = pk11_numbits(attr->pValue, attr->ulValueLen, -+ &bits); -+ if (ret != ISC_R_SUCCESS || -+ (bits > maxbits && maxbits != 0)) { - DST_RET(DST_R_VERIFYFAILURE); -+ } - break; - } -+ } - pk11_ctx->object = CK_INVALID_HANDLE; - pk11_ctx->ontoken = false; - PK11_RET(pkcs_C_CreateObject, -@@ -1086,6 +1092,7 @@ pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) { - keyTemplate[5].ulValueLen = attr->ulValueLen; - break; - case CKA_PUBLIC_EXPONENT: -+ unsigned int bits; - INSIST(keyTemplate[6].type == attr->type); - keyTemplate[6].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); -@@ -1094,10 +1101,12 @@ pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) { - memmove(keyTemplate[6].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[6].ulValueLen = attr->ulValueLen; -- if (pk11_numbits(attr->pValue, -- attr->ulValueLen) -- > RSA_MAX_PUBEXP_BITS) -+ ret = pk11_numbits(attr->pValue, attr->ulValueLen, -+ &bits); -+ if (ret != ISC_R_SUCCESS || bits > RSA_MAX_PUBEXP_BITS) -+ { - DST_RET(DST_R_VERIFYFAILURE); -+ } - break; - } - pk11_ctx->object = CK_INVALID_HANDLE; -@@ -1475,6 +1484,8 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) { - CK_BYTE *exponent = NULL, *modulus = NULL; - CK_ATTRIBUTE *attr; - unsigned int length; -+ unsigned int bits; -+ isc_result_t ret = ISC_R_SUCCESS; - - isc_buffer_remainingregion(data, &r); - if (r.length == 0) -@@ -1492,9 +1503,7 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) { - - if (e_bytes == 0) { - if (r.length < 2) { -- isc_safe_memwipe(rsa, sizeof(*rsa)); -- isc_mem_put(key->mctx, rsa, sizeof(*rsa)); -- return (DST_R_INVALIDPUBLICKEY); -+ DST_RET(DST_R_INVALIDPUBLICKEY); - } - e_bytes = (*r.base) << 8; - isc_region_consume(&r, 1); -@@ -1503,16 +1512,18 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) { - } - - if (r.length < e_bytes) { -- isc_safe_memwipe(rsa, sizeof(*rsa)); -- isc_mem_put(key->mctx, rsa, sizeof(*rsa)); -- return (DST_R_INVALIDPUBLICKEY); -+ DST_RET(DST_R_INVALIDPUBLICKEY); - } - exponent = r.base; - isc_region_consume(&r, e_bytes); - modulus = r.base; - mod_bytes = r.length; - -- key->key_size = pk11_numbits(modulus, mod_bytes); -+ ret = pk11_numbits(modulus, mod_bytes, &bits); -+ if (ret != ISC_R_SUCCESS) { -+ goto err; -+ } -+ key->key_size = bits; - - isc_buffer_forward(data, length); - -@@ -1562,9 +1573,12 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) { - rsa->repr, - rsa->attrcnt * sizeof(*attr)); - } -+ ret = ISC_R_NOMEMORY; -+ -+ err: - isc_safe_memwipe(rsa, sizeof(*rsa)); - isc_mem_put(key->mctx, rsa, sizeof(*rsa)); -- return (ISC_R_NOMEMORY); -+ return (ret); - } - - static isc_result_t -@@ -1743,6 +1757,7 @@ pkcs11rsa_fetch(dst_key_t *key, const char *engine, const char *label, - pk11_object_t *pubrsa; - pk11_context_t *pk11_ctx = NULL; - isc_result_t ret; -+ unsigned int bits; - - if (label == NULL) - return (DST_R_NOENGINE); -@@ -1829,7 +1844,11 @@ pkcs11rsa_fetch(dst_key_t *key, const char *engine, const char *label, - - attr = pk11_attribute_bytype(rsa, CKA_MODULUS); - INSIST(attr != NULL); -- key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen); -+ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits); -+ if (ret != ISC_R_SUCCESS) { -+ goto err; -+ } -+ key->key_size = bits; - - return (ISC_R_SUCCESS); - -@@ -1915,6 +1934,7 @@ pkcs11rsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { - CK_ATTRIBUTE *attr; - isc_mem_t *mctx = key->mctx; - const char *engine = NULL, *label = NULL; -+ unsigned int bits; - - /* read private key file */ - ret = dst__privstruct_parse(key, DST_ALG_RSA, lexer, mctx, &priv); -@@ -2058,12 +2078,22 @@ pkcs11rsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { - - attr = pk11_attribute_bytype(rsa, CKA_MODULUS); - INSIST(attr != NULL); -- key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen); -+ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits); -+ if (ret != ISC_R_SUCCESS) { -+ goto err; -+ } -+ key->key_size = bits; - - attr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT); - INSIST(attr != NULL); -- if (pk11_numbits(attr->pValue, attr->ulValueLen) > RSA_MAX_PUBEXP_BITS) -+ -+ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits); -+ if (ret != ISC_R_SUCCESS) { -+ goto err; -+ } -+ if (bits > RSA_MAX_PUBEXP_BITS) { - DST_RET(ISC_R_RANGE); -+ } - - dst__privstruct_free(&priv, mctx); - isc_safe_memwipe(&priv, sizeof(priv)); -@@ -2098,6 +2128,7 @@ pkcs11rsa_fromlabel(dst_key_t *key, const char *engine, const char *label, - pk11_context_t *pk11_ctx = NULL; - isc_result_t ret; - unsigned int i; -+ unsigned int bits; - - UNUSED(pin); - -@@ -2192,12 +2223,22 @@ pkcs11rsa_fromlabel(dst_key_t *key, const char *engine, const char *label, - - attr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT); - INSIST(attr != NULL); -- if (pk11_numbits(attr->pValue, attr->ulValueLen) > RSA_MAX_PUBEXP_BITS) -+ -+ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits); -+ if (ret != ISC_R_SUCCESS) { -+ goto err; -+ } -+ if (bits > RSA_MAX_PUBEXP_BITS) { - DST_RET(ISC_R_RANGE); -+ } - - attr = pk11_attribute_bytype(rsa, CKA_MODULUS); - INSIST(attr != NULL); -- key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen); -+ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits); -+ if (ret != ISC_R_SUCCESS) { -+ goto err; -+ } -+ key->key_size = bits; - - pk11_return_session(pk11_ctx); - isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx)); -diff --git a/lib/isc/include/pk11/internal.h b/lib/isc/include/pk11/internal.h -index 603712a..b9680bc 100644 ---- a/lib/isc/include/pk11/internal.h -+++ b/lib/isc/include/pk11/internal.h -@@ -27,7 +27,8 @@ void pk11_mem_put(void *ptr, size_t size); - - CK_SLOT_ID pk11_get_best_token(pk11_optype_t optype); - --unsigned int pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt); -+isc_result_t -+pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt, unsigned int *bits); - - CK_ATTRIBUTE *pk11_attribute_first(const pk11_object_t *obj); - -diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c -index 4b85527..9c450da 100644 ---- a/lib/isc/pk11.c -+++ b/lib/isc/pk11.c -@@ -982,13 +982,15 @@ pk11_get_best_token(pk11_optype_t optype) { - return (token->slotid); - } - --unsigned int --pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt) { -+isc_result_t -+pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt, unsigned int *bits) { - unsigned int bitcnt, i; - CK_BYTE top; - -- if (bytecnt == 0) -- return (0); -+ if (bytecnt == 0) { -+ *bits = 0; -+ return (ISC_R_SUCCESS); -+ } - bitcnt = bytecnt * 8; - for (i = 0; i < bytecnt; i++) { - top = data[i]; -@@ -996,26 +998,41 @@ pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt) { - bitcnt -= 8; - continue; - } -- if (top & 0x80) -- return (bitcnt); -- if (top & 0x40) -- return (bitcnt - 1); -- if (top & 0x20) -- return (bitcnt - 2); -- if (top & 0x10) -- return (bitcnt - 3); -- if (top & 0x08) -- return (bitcnt - 4); -- if (top & 0x04) -- return (bitcnt - 5); -- if (top & 0x02) -- return (bitcnt - 6); -- if (top & 0x01) -- return (bitcnt - 7); -+ if (top & 0x80) { -+ *bits = bitcnt; -+ return (ISC_R_SUCCESS); -+ } -+ if (top & 0x40) { -+ *bits = bitcnt - 1; -+ return (ISC_R_SUCCESS); -+ } -+ if (top & 0x20) { -+ *bits = bitcnt - 2; -+ return (ISC_R_SUCCESS); -+ } -+ if (top & 0x10) { -+ *bits = bitcnt - 3; -+ return (ISC_R_SUCCESS); -+ } -+ if (top & 0x08) { -+ *bits = bitcnt - 4; -+ return (ISC_R_SUCCESS); -+ } -+ if (top & 0x04) { -+ *bits = bitcnt - 5; -+ return (ISC_R_SUCCESS); -+ } -+ if (top & 0x02) { -+ *bits = bitcnt - 6; -+ return (ISC_R_SUCCESS); -+ } -+ if (top & 0x01) { -+ *bits = bitcnt - 7; -+ return (ISC_R_SUCCESS); -+ } - break; - } -- INSIST(0); -- ISC_UNREACHABLE(); -+ return (ISC_R_RANGE); - } - - CK_ATTRIBUTE * --- -2.26.2 - diff --git a/SOURCES/bind-9.11-CVE-2020-8624-test.patch b/SOURCES/bind-9.11-CVE-2020-8624-test.patch deleted file mode 100644 index 288d916..0000000 --- a/SOURCES/bind-9.11-CVE-2020-8624-test.patch +++ /dev/null @@ -1,152 +0,0 @@ -From 221fb11e658e7dea1be6dbfd25e149f2d131e4fb Mon Sep 17 00:00:00 2001 -From: Mark Andrews -Date: Wed, 29 Jul 2020 23:36:03 +1000 -Subject: [PATCH] Add a test for update-policy 'subdomain' - -The new test checks that 'update-policy subdomain' is properly enforced. - -(cherry picked from commit 393e8f643c02215fa4e6d4edf67be7d77085da0e) - -Add a test for update-policy 'zonesub' - -The new test checks that 'update-policy zonesub' is properly enforced. - -(cherry picked from commit 58e560beb50873c699f3431cf57e215dc645d7aa) ---- - bin/tests/system/nsupdate/ns1/named.conf.in | 12 +++++ - bin/tests/system/nsupdate/tests.sh | 60 +++++++++++++++++++-- - 2 files changed, 68 insertions(+), 4 deletions(-) - -diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in -index 26b6b7c9ab..540a984842 100644 ---- a/bin/tests/system/nsupdate/ns1/named.conf.in -+++ b/bin/tests/system/nsupdate/ns1/named.conf.in -@@ -36,6 +36,16 @@ key altkey { - secret "1234abcd8765"; - }; - -+key restricted.example.nil { -+ algorithm hmac-md5; -+ secret "1234abcd8765"; -+}; -+ -+key zonesub-key.example.nil { -+ algorithm hmac-md5; -+ secret "1234subk8765"; -+}; -+ - include "ddns.key"; - - zone "example.nil" { -@@ -44,7 +54,9 @@ zone "example.nil" { - check-integrity no; - check-mx ignore; - update-policy { -+ grant zonesub-key.example.nil zonesub TXT; - grant ddns-key.example.nil subdomain example.nil ANY; -+ grant restricted.example.nil subdomain restricted.example.nil ANY; - }; - allow-transfer { any; }; - }; -diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh -index b08c5220e7..5f09e8c5bf 100755 ---- a/bin/tests/system/nsupdate/tests.sh -+++ b/bin/tests/system/nsupdate/tests.sh -@@ -428,7 +428,7 @@ EOF - # this also proves that the server is still running. - $DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocmd +norec example.\ - @10.53.0.3 nsec3param > dig.out.ns3.$n || ret=1 --grep "ANSWER: 0" dig.out.ns3.$n > /dev/null || ret=1 -+grep "ANSWER: 0," dig.out.ns3.$n > /dev/null || ret=1 - grep "flags:[^;]* aa[ ;]" dig.out.ns3.$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } - -@@ -443,7 +443,7 @@ EOF - - $DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocmd +norec nsec3param.test.\ - @10.53.0.3 nsec3param > dig.out.ns3.$n || ret=1 --grep "ANSWER: 1" dig.out.ns3.$n > /dev/null || ret=1 -+grep "ANSWER: 1," dig.out.ns3.$n > /dev/null || ret=1 - grep "3600.*NSEC3PARAM" dig.out.ns3.$n > /dev/null || ret=1 - grep "flags:[^;]* aa[ ;]" dig.out.ns3.$n > /dev/null || ret=1 - [ $ret = 0 ] || { echo_i "failed"; status=1; } -@@ -460,7 +460,7 @@ EOF - _ret=1 - for i in 0 1 2 3 4 5 6 7 8 9; do - $DIG $DIGOPTS +tcp +norec +time=1 +tries=1 @10.53.0.3 nsec3param.test. NSEC3PARAM > dig.out.ns3.$n || _ret=1 -- if grep "ANSWER: 2" dig.out.ns3.$n > /dev/null; then -+ if grep "ANSWER: 2," dig.out.ns3.$n > /dev/null; then - _ret=0 - break - fi -@@ -485,7 +485,7 @@ EOF - _ret=1 - for i in 0 1 2 3 4 5 6 7 8 9; do - $DIG $DIGOPTS +tcp +norec +time=1 +tries=1 @10.53.0.3 nsec3param.test. NSEC3PARAM > dig.out.ns3.$n || _ret=1 -- if grep "ANSWER: 1" dig.out.ns3.$n > /dev/null; then -+ if grep "ANSWER: 1," dig.out.ns3.$n > /dev/null; then - _ret=0 - break - fi -@@ -631,6 +631,58 @@ then - echo_i "failed"; status=1 - fi - -+n=`expr $n + 1` -+ret=0 -+echo_i "check that 'update-policy subdomain' is properly enforced ($n)" -+# "restricted.example.nil" matches "grant ... subdomain restricted.example.nil" -+# and thus this UPDATE should succeed. -+$NSUPDATE -d < nsupdate.out1-$n 2>&1 || ret=1 -+server 10.53.0.1 ${PORT} -+key restricted.example.nil 1234abcd8765 -+update add restricted.example.nil 0 IN TXT everywhere. -+send -+END -+$DIG $DIGOPTS +tcp @10.53.0.1 restricted.example.nil TXT > dig.out.1.test$n || ret=1 -+grep "TXT.*everywhere" dig.out.1.test$n > /dev/null || ret=1 -+# "example.nil" does not match "grant ... subdomain restricted.example.nil" and -+# thus this UPDATE should fail. -+$NSUPDATE -d < nsupdate.out2-$n 2>&1 && ret=1 -+server 10.53.0.1 ${PORT} -+key restricted.example.nil 1234abcd8765 -+update add example.nil 0 IN TXT everywhere. -+send -+END -+$DIG $DIGOPTS +tcp @10.53.0.1 example.nil TXT > dig.out.2.test$n || ret=1 -+grep "TXT.*everywhere" dig.out.2.test$n > /dev/null && ret=1 -+[ $ret = 0 ] || { echo_i "failed"; status=1; } -+ -+n=`expr $n + 1` -+ret=0 -+echo_i "check that 'update-policy zonesub' is properly enforced ($n)" -+# grant zonesub-key.example.nil zonesub TXT; -+# the A record update should be rejected as it is not in the type list -+$NSUPDATE -d < nsupdate.out1-$n 2>&1 && ret=1 -+server 10.53.0.1 ${PORT} -+key zonesub-key.example.nil 1234subk8765 -+update add zonesub.example.nil 0 IN A 1.2.3.4 -+send -+END -+$DIG $DIGOPTS +tcp @10.53.0.1 zonesub.example.nil A > dig.out.1.test$n || ret=1 -+grep "status: REFUSED" nsupdate.out1-$n > /dev/null || ret=1 -+grep "ANSWER: 0," dig.out.1.test$n > /dev/null || ret=1 -+# the TXT record update should be accepted as it is in the type list -+$NSUPDATE -d < nsupdate.out2-$n 2>&1 || ret=1 -+server 10.53.0.1 ${PORT} -+key zonesub-key.example.nil 1234subk8765 -+update add zonesub.example.nil 0 IN TXT everywhere. -+send -+END -+$DIG $DIGOPTS +tcp @10.53.0.1 zonesub.example.nil TXT > dig.out.2.test$n || ret=1 -+grep "status: REFUSED" nsupdate.out2-$n > /dev/null && ret=1 -+grep "ANSWER: 1," dig.out.2.test$n > /dev/null || ret=1 -+grep "TXT.*everywhere" dig.out.2.test$n > /dev/null || ret=1 -+[ $ret = 0 ] || { echo_i "failed"; status=1; } -+ - n=`expr $n + 1` - ret=0 - echo_i "check that changes to the DNSKEY RRset TTL do not have side effects ($n)" --- -2.26.2 - diff --git a/SOURCES/bind-9.11-CVE-2020-8624.patch b/SOURCES/bind-9.11-CVE-2020-8624.patch deleted file mode 100644 index 225298d..0000000 --- a/SOURCES/bind-9.11-CVE-2020-8624.patch +++ /dev/null @@ -1,32 +0,0 @@ -From e2aae621408c7622d094f13a67b928f911a2793b Mon Sep 17 00:00:00 2001 -From: Petr Mensik -Date: Tue, 18 Aug 2020 10:55:50 +0200 -Subject: [PATCH] Fix CVE-2020-8624 - -5481. [security] "update-policy" rules of type "subdomain" were - incorrectly treated as "zonesub" rules, which allowed - keys used in "subdomain" rules to update names outside - of the specified subdomains. The problem was fixed by - making sure "subdomain" rules are again processed as - described in the ARM. (CVE-2020-8624) [GL #2055] ---- - bin/named/zoneconf.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c -index 55f191b..b77a07c 100644 ---- a/bin/named/zoneconf.c -+++ b/bin/named/zoneconf.c -@@ -239,7 +239,8 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone, - - str = cfg_obj_asstring(matchtype); - CHECK(dns_ssu_mtypefromstring(str, &mtype)); -- if (mtype == dns_ssumatchtype_subdomain) { -+ if (mtype == dns_ssumatchtype_subdomain && -+ strcasecmp(str, "zonesub") == 0) { - usezone = true; - } - --- -2.26.2 - diff --git a/SOURCES/bind-9.11-fips-code-includes.patch b/SOURCES/bind-9.11-fips-code-includes.patch index f71a021..9ec3052 100644 --- a/SOURCES/bind-9.11-fips-code-includes.patch +++ b/SOURCES/bind-9.11-fips-code-includes.patch @@ -1,4 +1,4 @@ -From 68baeb7211ba2fcd4eff53d987e9b70ba38294cb Mon Sep 17 00:00:00 2001 +From c928591eb2a3b17c5be0cad56c8e061ebba11a95 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Thu, 20 Dec 2018 11:52:12 +0100 Subject: [PATCH] Fix implicit declaration warning @@ -11,7 +11,7 @@ header providing it in files that use it. 2 files changed, 2 insertions(+) diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c -index 36ee6c7..6051cd2 100644 +index 4b5b901..a3dd450 100644 --- a/bin/tests/system/tkey/keydelete.c +++ b/bin/tests/system/tkey/keydelete.c @@ -21,6 +21,7 @@ @@ -23,7 +23,7 @@ index 36ee6c7..6051cd2 100644 #include #include diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c -index 70805bb..33870f3 100644 +index c37b235..7786801 100644 --- a/lib/dns/tsig.c +++ b/lib/dns/tsig.c @@ -18,6 +18,7 @@ @@ -32,8 +32,8 @@ index 70805bb..33870f3 100644 #include +#include #include + #include #include - #include -- -2.14.5 +2.26.2 diff --git a/SOURCES/bind-9.11-fips-tests.patch b/SOURCES/bind-9.11-fips-tests.patch index 29dda07..592b0d2 100644 --- a/SOURCES/bind-9.11-fips-tests.patch +++ b/SOURCES/bind-9.11-fips-tests.patch @@ -1,4 +1,4 @@ -From c23daf334d5487fa53fef88c82312e439a2d8523 Mon Sep 17 00:00:00 2001 +From 14ad3e0b42bc999072d30268396412bec158a22d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Thu, 2 Aug 2018 23:46:45 +0200 Subject: [PATCH] FIPS tests changes @@ -80,7 +80,7 @@ Date: Wed Mar 7 10:44:23 2018 +0100 bin/tests/system/digdelv/tests.sh | 20 +++--- bin/tests/system/dlv/ns1/sign.sh | 4 +- bin/tests/system/dlv/ns2/sign.sh | 4 +- - bin/tests/system/dlv/ns6/sign.sh | 66 +++++++++--------- + bin/tests/system/dlv/ns6/sign.sh | 66 ++++++++++--------- bin/tests/system/dnssec/ns2/sign.sh | 8 +-- bin/tests/system/dnssec/ns5/trusted.conf.bad | 2 +- bin/tests/system/dnssec/tests.sh | 4 +- @@ -92,22 +92,19 @@ Date: Wed Mar 7 10:44:23 2018 +0100 bin/tests/system/nsupdate/ns1/named.conf.in | 2 +- bin/tests/system/nsupdate/ns2/named.conf.in | 2 +- bin/tests/system/nsupdate/setup.sh | 7 +- - bin/tests/system/nsupdate/tests.sh | 11 ++- + bin/tests/system/nsupdate/tests.sh | 11 +++- bin/tests/system/rndc/setup.sh | 2 +- bin/tests/system/rndc/tests.sh | 23 ++++--- - bin/tests/system/tsig/clean.sh | 1 + bin/tests/system/tsig/ns1/named.conf.in | 10 +-- bin/tests/system/tsig/setup.sh | 5 ++ - bin/tests/system/tsig/tests.sh | 67 ++++++++++++------- + bin/tests/system/tsig/tests.sh | 65 +++++++++++------- bin/tests/system/tsiggss/setup.sh | 2 +- bin/tests/system/upforwd/ns1/named.conf.in | 2 +- bin/tests/system/upforwd/tests.sh | 2 +- - bin/tests/system/tsig/ns1/rndc5.conf.in | 10 +++ - 45 files changed, 232 insertions(+), 171 deletions(-) - create mode 100644 bin/tests/system/tsig/ns1/rndc5.conf.in + 43 files changed, 220 insertions(+), 170 deletions(-) diff --git a/bin/tests/system/acl/ns2/named1.conf.in b/bin/tests/system/acl/ns2/named1.conf.in -index 0ea6502..026db3f 100644 +index 9999ada..e3f8d0e 100644 --- a/bin/tests/system/acl/ns2/named1.conf.in +++ b/bin/tests/system/acl/ns2/named1.conf.in @@ -33,12 +33,12 @@ options { @@ -126,7 +123,7 @@ index 0ea6502..026db3f 100644 }; diff --git a/bin/tests/system/acl/ns2/named2.conf.in b/bin/tests/system/acl/ns2/named2.conf.in -index b877880..d8f50be 100644 +index f8ec34e..d2d6ad3 100644 --- a/bin/tests/system/acl/ns2/named2.conf.in +++ b/bin/tests/system/acl/ns2/named2.conf.in @@ -33,12 +33,12 @@ options { @@ -145,7 +142,7 @@ index b877880..d8f50be 100644 }; diff --git a/bin/tests/system/acl/ns2/named3.conf.in b/bin/tests/system/acl/ns2/named3.conf.in -index 0a95062..aa54088 100644 +index 2acb813..6a00344 100644 --- a/bin/tests/system/acl/ns2/named3.conf.in +++ b/bin/tests/system/acl/ns2/named3.conf.in @@ -33,17 +33,17 @@ options { @@ -170,7 +167,7 @@ index 0a95062..aa54088 100644 }; diff --git a/bin/tests/system/acl/ns2/named4.conf.in b/bin/tests/system/acl/ns2/named4.conf.in -index 7cdcb6e..606a345 100644 +index bca3ee1..5913420 100644 --- a/bin/tests/system/acl/ns2/named4.conf.in +++ b/bin/tests/system/acl/ns2/named4.conf.in @@ -33,12 +33,12 @@ options { @@ -189,7 +186,7 @@ index 7cdcb6e..606a345 100644 }; diff --git a/bin/tests/system/acl/ns2/named5.conf.in b/bin/tests/system/acl/ns2/named5.conf.in -index 4b4e050..0e679a8 100644 +index 9ef8171..5ae8d38 100644 --- a/bin/tests/system/acl/ns2/named5.conf.in +++ b/bin/tests/system/acl/ns2/named5.conf.in @@ -34,12 +34,12 @@ options { @@ -208,7 +205,7 @@ index 4b4e050..0e679a8 100644 }; diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh -index 09f31f2..f88f0d4 100644 +index 2ee34a0..a73a54e 100644 --- a/bin/tests/system/acl/tests.sh +++ b/bin/tests/system/acl/tests.sh @@ -22,14 +22,14 @@ echo_i "testing basic ACL processing" @@ -334,7 +331,7 @@ index 09f31f2..f88f0d4 100644 echo_i "testing allow-query-on ACL processing" diff --git a/bin/tests/system/allow-query/ns2/named10.conf.in b/bin/tests/system/allow-query/ns2/named10.conf.in -index 1569913..e9c5c2d 100644 +index a579f32..3b8f853 100644 --- a/bin/tests/system/allow-query/ns2/named10.conf.in +++ b/bin/tests/system/allow-query/ns2/named10.conf.in @@ -12,7 +12,7 @@ @@ -347,7 +344,7 @@ index 1569913..e9c5c2d 100644 }; diff --git a/bin/tests/system/allow-query/ns2/named11.conf.in b/bin/tests/system/allow-query/ns2/named11.conf.in -index 18ac91c..2b1c873 100644 +index 166afa1..997ece9 100644 --- a/bin/tests/system/allow-query/ns2/named11.conf.in +++ b/bin/tests/system/allow-query/ns2/named11.conf.in @@ -12,12 +12,12 @@ @@ -366,7 +363,7 @@ index 18ac91c..2b1c873 100644 }; diff --git a/bin/tests/system/allow-query/ns2/named12.conf.in b/bin/tests/system/allow-query/ns2/named12.conf.in -index b824844..dd48945 100644 +index 25271a5..a9cb65d 100644 --- a/bin/tests/system/allow-query/ns2/named12.conf.in +++ b/bin/tests/system/allow-query/ns2/named12.conf.in @@ -12,7 +12,7 @@ @@ -379,7 +376,7 @@ index b824844..dd48945 100644 }; diff --git a/bin/tests/system/allow-query/ns2/named30.conf.in b/bin/tests/system/allow-query/ns2/named30.conf.in -index aeb1540..bfce58b 100644 +index c7c8254..f165e65 100644 --- a/bin/tests/system/allow-query/ns2/named30.conf.in +++ b/bin/tests/system/allow-query/ns2/named30.conf.in @@ -12,7 +12,7 @@ @@ -392,7 +389,7 @@ index aeb1540..bfce58b 100644 }; diff --git a/bin/tests/system/allow-query/ns2/named31.conf.in b/bin/tests/system/allow-query/ns2/named31.conf.in -index d4b7432..e0f5252 100644 +index 567bbcc..4fd2035 100644 --- a/bin/tests/system/allow-query/ns2/named31.conf.in +++ b/bin/tests/system/allow-query/ns2/named31.conf.in @@ -12,12 +12,12 @@ @@ -411,7 +408,7 @@ index d4b7432..e0f5252 100644 }; diff --git a/bin/tests/system/allow-query/ns2/named32.conf.in b/bin/tests/system/allow-query/ns2/named32.conf.in -index c025938..87afb3f 100644 +index b75161f..7b254e6 100644 --- a/bin/tests/system/allow-query/ns2/named32.conf.in +++ b/bin/tests/system/allow-query/ns2/named32.conf.in @@ -12,7 +12,7 @@ @@ -424,7 +421,7 @@ index c025938..87afb3f 100644 }; diff --git a/bin/tests/system/allow-query/ns2/named40.conf.in b/bin/tests/system/allow-query/ns2/named40.conf.in -index d83b376..d726b94 100644 +index 9e17818..22f5001 100644 --- a/bin/tests/system/allow-query/ns2/named40.conf.in +++ b/bin/tests/system/allow-query/ns2/named40.conf.in @@ -16,12 +16,12 @@ acl accept { 10.53.0.2; }; @@ -443,7 +440,7 @@ index d83b376..d726b94 100644 }; diff --git a/bin/tests/system/allow-query/tests.sh b/bin/tests/system/allow-query/tests.sh -index fb6059d..f960156 100644 +index 791a1a4..95cd971 100644 --- a/bin/tests/system/allow-query/tests.sh +++ b/bin/tests/system/allow-query/tests.sh @@ -190,7 +190,7 @@ rndc_reload @@ -528,7 +525,7 @@ index fb6059d..f960156 100644 grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi diff --git a/bin/tests/system/catz/ns1/named.conf.in b/bin/tests/system/catz/ns1/named.conf.in -index 74b7d37..c353766 100644 +index 6856ec7..0ac1fa3 100644 --- a/bin/tests/system/catz/ns1/named.conf.in +++ b/bin/tests/system/catz/ns1/named.conf.in @@ -61,5 +61,5 @@ zone "catalog4.example" { @@ -539,7 +536,7 @@ index 74b7d37..c353766 100644 + algorithm hmac-sha256; }; diff --git a/bin/tests/system/catz/ns2/named.conf.in b/bin/tests/system/catz/ns2/named.conf.in -index ee83efb..35ced08 100644 +index dd3a9dc..77b8d96 100644 --- a/bin/tests/system/catz/ns2/named.conf.in +++ b/bin/tests/system/catz/ns2/named.conf.in @@ -70,5 +70,5 @@ zone "catalog4.example" { @@ -550,7 +547,7 @@ index ee83efb..35ced08 100644 + algorithm hmac-sha256; }; diff --git a/bin/tests/system/checkconf/bad-tsig.conf b/bin/tests/system/checkconf/bad-tsig.conf -index 21be03e..e57c308 100644 +index 338dddb..90cd424 100644 --- a/bin/tests/system/checkconf/bad-tsig.conf +++ b/bin/tests/system/checkconf/bad-tsig.conf @@ -11,7 +11,7 @@ @@ -563,10 +560,10 @@ index 21be03e..e57c308 100644 }; diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf -index 9ab35b3..486551a 100644 +index 2282f87..1359cf3 100644 --- a/bin/tests/system/checkconf/good.conf +++ b/bin/tests/system/checkconf/good.conf -@@ -153,6 +153,6 @@ dyndb "name" "library.so" { +@@ -159,6 +159,6 @@ dyndb "name" "library.so" { system; }; key "mykey" { @@ -575,7 +572,7 @@ index 9ab35b3..486551a 100644 secret "qwertyuiopasdfgh"; }; diff --git a/bin/tests/system/digdelv/ns2/example.db b/bin/tests/system/digdelv/ns2/example.db -index f4e30f5..9f53e31 100644 +index b66207a..359b220 100644 --- a/bin/tests/system/digdelv/ns2/example.db +++ b/bin/tests/system/digdelv/ns2/example.db @@ -38,12 +38,15 @@ foo SSHFP 2 1 123456789abcdef67890123456789abcdef67890 @@ -601,10 +598,10 @@ index f4e30f5..9f53e31 100644 ; TTL of 3 weeks weeks 1814400 A 10.53.0.2 diff --git a/bin/tests/system/digdelv/tests.sh b/bin/tests/system/digdelv/tests.sh -index ade45ce..d3aff24 100644 +index 2109001..ded5557 100644 --- a/bin/tests/system/digdelv/tests.sh +++ b/bin/tests/system/digdelv/tests.sh -@@ -106,7 +106,7 @@ if [ -x "$DIG" ] ; then +@@ -155,7 +155,7 @@ if [ -x "$DIG" ] ; then echo_i "checking dig +rrcomments works for DNSKEY($n)" ret=0 $DIG $DIGOPTS +tcp @10.53.0.3 +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1 @@ -613,7 +610,7 @@ index ade45ce..d3aff24 100644 check_ttl_range dig.out.test$n "DNSKEY" 300 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` -@@ -115,7 +115,7 @@ if [ -x "$DIG" ] ; then +@@ -164,7 +164,7 @@ if [ -x "$DIG" ] ; then echo_i "checking dig +short +rrcomments works for DNSKEY ($n)" ret=0 $DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1 @@ -622,7 +619,7 @@ index ade45ce..d3aff24 100644 if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` -@@ -123,7 +123,7 @@ if [ -x "$DIG" ] ; then +@@ -172,7 +172,7 @@ if [ -x "$DIG" ] ; then echo_i "checking dig +short +nosplit works($n)" ret=0 $DIG $DIGOPTS +tcp @10.53.0.3 +short +nosplit DNSKEY dnskey.example > dig.out.test$n || ret=1 @@ -631,7 +628,7 @@ index ade45ce..d3aff24 100644 if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` -@@ -131,7 +131,7 @@ if [ -x "$DIG" ] ; then +@@ -180,7 +180,7 @@ if [ -x "$DIG" ] ; then echo_i "checking dig +short +rrcomments works($n)" ret=0 $DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1 @@ -640,7 +637,7 @@ index ade45ce..d3aff24 100644 if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` -@@ -148,7 +148,7 @@ if [ -x "$DIG" ] ; then +@@ -197,7 +197,7 @@ if [ -x "$DIG" ] ; then echo_i "checking dig +short +rrcomments works($n)" ret=0 $DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1 @@ -649,7 +646,7 @@ index ade45ce..d3aff24 100644 if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` -@@ -695,7 +695,7 @@ if [ -x ${DELV} ] ; then +@@ -827,7 +827,7 @@ if [ -x ${DELV} ] ; then echo_i "checking delv +rrcomments works for DNSKEY($n)" ret=0 $DELV $DELVOPTS +tcp @10.53.0.3 +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1 @@ -658,7 +655,7 @@ index ade45ce..d3aff24 100644 check_ttl_range delv.out.test$n "DNSKEY" 300 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` -@@ -704,7 +704,7 @@ if [ -x ${DELV} ] ; then +@@ -836,7 +836,7 @@ if [ -x ${DELV} ] ; then echo_i "checking delv +short +rrcomments works for DNSKEY ($n)" ret=0 $DELV $DELVOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1 @@ -667,7 +664,7 @@ index ade45ce..d3aff24 100644 if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` -@@ -712,7 +712,7 @@ if [ -x ${DELV} ] ; then +@@ -844,7 +844,7 @@ if [ -x ${DELV} ] ; then echo_i "checking delv +short +rrcomments works ($n)" ret=0 $DELV $DELVOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1 @@ -676,7 +673,7 @@ index ade45ce..d3aff24 100644 if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` -@@ -720,7 +720,7 @@ if [ -x ${DELV} ] ; then +@@ -852,7 +852,7 @@ if [ -x ${DELV} ] ; then echo_i "checking delv +short +nosplit works ($n)" ret=0 $DELV $DELVOPTS +tcp @10.53.0.3 +short +nosplit DNSKEY dnskey.example > delv.out.test$n || ret=1 @@ -685,7 +682,7 @@ index ade45ce..d3aff24 100644 if test `wc -l < delv.out.test$n` != 1 ; then ret=1 ; fi f=`awk '{print NF}' < delv.out.test$n` test "${f:-0}" -eq 14 || ret=1 -@@ -731,7 +731,7 @@ if [ -x ${DELV} ] ; then +@@ -863,7 +863,7 @@ if [ -x ${DELV} ] ; then echo_i "checking delv +short +nosplit +norrcomments works ($n)" ret=0 $DELV $DELVOPTS +tcp @10.53.0.3 +short +nosplit +norrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1 @@ -695,7 +692,7 @@ index ade45ce..d3aff24 100644 f=`awk '{print NF}' < delv.out.test$n` test "${f:-0}" -eq 4 || ret=1 diff --git a/bin/tests/system/dlv/ns1/sign.sh b/bin/tests/system/dlv/ns1/sign.sh -index 606e7cc..a3a0d60 100755 +index 14ca5db..3f522d0 100755 --- a/bin/tests/system/dlv/ns1/sign.sh +++ b/bin/tests/system/dlv/ns1/sign.sh @@ -23,8 +23,8 @@ infile=root.db.in @@ -710,7 +707,7 @@ index 606e7cc..a3a0d60 100755 cat $infile $keyname1.key $keyname2.key >$zonefile diff --git a/bin/tests/system/dlv/ns2/sign.sh b/bin/tests/system/dlv/ns2/sign.sh -index 9825c57..202c978 100755 +index d870798..b0ab372 100755 --- a/bin/tests/system/dlv/ns2/sign.sh +++ b/bin/tests/system/dlv/ns2/sign.sh @@ -24,8 +24,8 @@ zonefile=druz.db @@ -725,7 +722,7 @@ index 9825c57..202c978 100755 cat $infile $keyname1.key $keyname2.key >$zonefile diff --git a/bin/tests/system/dlv/ns6/sign.sh b/bin/tests/system/dlv/ns6/sign.sh -index 1e39862..4ed19ac 100755 +index ba39f90..f20a2dd 100755 --- a/bin/tests/system/dlv/ns6/sign.sh +++ b/bin/tests/system/dlv/ns6/sign.sh @@ -16,13 +16,15 @@ SYSTESTDIR=dlv @@ -912,7 +909,7 @@ index 1e39862..4ed19ac 100755 cat $infile $keyname1.key $keyname2.key >$zonefile diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh -index 13fb924..1ffa279 100644 +index e28b3f1..29c169b 100644 --- a/bin/tests/system/dnssec/ns2/sign.sh +++ b/bin/tests/system/dnssec/ns2/sign.sh @@ -126,8 +126,8 @@ zone=in-addr.arpa. @@ -945,7 +942,7 @@ index 13fb924..1ffa279 100644 cat $dlvinfile $dlvkeyname.key $dlvsetfile > $dlvzonefile diff --git a/bin/tests/system/dnssec/ns5/trusted.conf.bad b/bin/tests/system/dnssec/ns5/trusted.conf.bad -index ed30460..e6b1126 100644 +index 75cf699..b4d848c 100644 --- a/bin/tests/system/dnssec/ns5/trusted.conf.bad +++ b/bin/tests/system/dnssec/ns5/trusted.conf.bad @@ -10,5 +10,5 @@ @@ -956,10 +953,10 @@ index ed30460..e6b1126 100644 + "." 256 3 8 "AwEAAarwAdjV4gIhpBCjXVAScRFEx3co7k8smJdxrnqoGsl5NB7EZ9jRdgvCXbJn6v8y9jlNWVHvaC8ilhfhLh0A1vLWiWv4ijd/12xcnrY7xpG7Cu3YkxUxaXJ7Jdg/Iw1+9mGgXF1v4UbCIcw/3U3cxyk7OxYg+VSb5KBAQSR0upxV"; }; diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh -index b31c1b4..a5e237b 100644 +index 3e8e4d5..da692f9 100644 --- a/bin/tests/system/dnssec/tests.sh +++ b/bin/tests/system/dnssec/tests.sh -@@ -3235,8 +3235,8 @@ do +@@ -3257,8 +3257,8 @@ do alg=`expr $alg + 1` continue;; 3) size="-b 512";; @@ -971,7 +968,7 @@ index b31c1b4..a5e237b 100644 8) size="-b 512";; 10) size="-b 1024";; diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c -index c1249ed..20a3139 100644 +index 5e473ab..b08692e 100644 --- a/bin/tests/system/feature-test.c +++ b/bin/tests/system/feature-test.c @@ -19,6 +19,7 @@ @@ -983,14 +980,14 @@ index c1249ed..20a3139 100644 #ifdef WIN32 @@ -47,6 +48,7 @@ usage() { - fprintf(stderr, " --have-geoip2\n"); - fprintf(stderr, " --have-libxml2\n"); - fprintf(stderr, " --ipv6only=no\n"); -+ fprintf(stderr, " --md5\n"); - fprintf(stderr, " --rpz-nsdname\n"); - fprintf(stderr, " --rpz-nsip\n"); - fprintf(stderr, " --with-idn\n"); -@@ -155,6 +157,18 @@ main(int argc, char **argv) { + fprintf(stderr, "\t--have-geoip\n"); + fprintf(stderr, "\t--have-libxml2\n"); + fprintf(stderr, "\t--ipv6only=no\n"); ++ fprintf(stderr, "\t--md5\n"); + fprintf(stderr, "\t--rpz-log-qtype-qclass\n"); + fprintf(stderr, "\t--rpz-nsdname\n"); + fprintf(stderr, "\t--rpz-nsip\n"); +@@ -194,6 +196,18 @@ main(int argc, char **argv) { #endif } @@ -1010,7 +1007,7 @@ index c1249ed..20a3139 100644 #ifdef ENABLE_RPZ_NSIP return (0); diff --git a/bin/tests/system/filter-aaaa/ns1/sign.sh b/bin/tests/system/filter-aaaa/ns1/sign.sh -index f755581..4a7d890 100755 +index 479f98c..4d4a765 100755 --- a/bin/tests/system/filter-aaaa/ns1/sign.sh +++ b/bin/tests/system/filter-aaaa/ns1/sign.sh @@ -21,8 +21,8 @@ infile=signed.db.in @@ -1025,7 +1022,7 @@ index f755581..4a7d890 100755 cat $infile $keyname1.key $keyname2.key >$zonefile diff --git a/bin/tests/system/filter-aaaa/ns4/sign.sh b/bin/tests/system/filter-aaaa/ns4/sign.sh -index f755581..4a7d890 100755 +index 479f98c..4d4a765 100755 --- a/bin/tests/system/filter-aaaa/ns4/sign.sh +++ b/bin/tests/system/filter-aaaa/ns4/sign.sh @@ -21,8 +21,8 @@ infile=signed.db.in @@ -1040,7 +1037,7 @@ index f755581..4a7d890 100755 cat $infile $keyname1.key $keyname2.key >$zonefile diff --git a/bin/tests/system/notify/ns5/named.conf.in b/bin/tests/system/notify/ns5/named.conf.in -index cfcfe8f..0a1614d 100644 +index 157ef16..b802288 100644 --- a/bin/tests/system/notify/ns5/named.conf.in +++ b/bin/tests/system/notify/ns5/named.conf.in @@ -10,17 +10,17 @@ @@ -1065,7 +1062,7 @@ index cfcfe8f..0a1614d 100644 }; diff --git a/bin/tests/system/notify/tests.sh b/bin/tests/system/notify/tests.sh -index 1f6e6d0..c08bd25 100644 +index f9fd3f5..916af75 100644 --- a/bin/tests/system/notify/tests.sh +++ b/bin/tests/system/notify/tests.sh @@ -212,16 +212,16 @@ ret=0 @@ -1089,7 +1086,7 @@ index 1f6e6d0..c08bd25 100644 grep "test string" dig.out.b.ns5.test$n > /dev/null && grep "test string" dig.out.c.ns5.test$n > /dev/null && diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in -index 1d999ad..26b6b7c 100644 +index b0ded3a..cb80269 100644 --- a/bin/tests/system/nsupdate/ns1/named.conf.in +++ b/bin/tests/system/nsupdate/ns1/named.conf.in @@ -32,7 +32,7 @@ controls { @@ -1102,7 +1099,7 @@ index 1d999ad..26b6b7c 100644 }; diff --git a/bin/tests/system/nsupdate/ns2/named.conf.in b/bin/tests/system/nsupdate/ns2/named.conf.in -index 4549184..cb7dccd 100644 +index e6e2382..b0a94e0 100644 --- a/bin/tests/system/nsupdate/ns2/named.conf.in +++ b/bin/tests/system/nsupdate/ns2/named.conf.in @@ -33,7 +33,7 @@ controls { @@ -1115,10 +1112,10 @@ index 4549184..cb7dccd 100644 }; diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh -index 21805c5..0d3d85c 100644 +index 6fbf1d7..a712b17 100644 --- a/bin/tests/system/nsupdate/setup.sh +++ b/bin/tests/system/nsupdate/setup.sh -@@ -58,7 +58,12 @@ EOF +@@ -53,7 +53,12 @@ EOF $DDNSCONFGEN -q -r $RANDFILE -z example.nil > ns1/ddns.key @@ -1133,10 +1130,10 @@ index 21805c5..0d3d85c 100644 $DDNSCONFGEN -q -r $RANDFILE -a hmac-sha224 -k sha224-key -z keytests.nil > ns1/sha224.key $DDNSCONFGEN -q -r $RANDFILE -a hmac-sha256 -k sha256-key -z keytests.nil > ns1/sha256.key diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh -index 4da4849..b3bc807 100755 +index 6b2c8f6..96ad95e 100755 --- a/bin/tests/system/nsupdate/tests.sh +++ b/bin/tests/system/nsupdate/tests.sh -@@ -708,7 +708,14 @@ fi +@@ -788,7 +788,14 @@ fi n=`expr $n + 1` ret=0 echo_i "check TSIG key algorithms ($n)" @@ -1152,7 +1149,7 @@ index 4da4849..b3bc807 100755 $NSUPDATE -k ns1/${alg}.key < /dev/null || ret=1 server 10.53.0.1 ${PORT} update add ${alg}.keytests.nil. 600 A 10.10.10.3 -@@ -716,7 +723,7 @@ send +@@ -796,7 +803,7 @@ send END done sleep 2 @@ -1162,10 +1159,10 @@ index 4da4849..b3bc807 100755 done if [ $ret -ne 0 ]; then diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh -index 343869e..c30efb0 100644 +index 2eb2cd5..36f5114 100644 --- a/bin/tests/system/rndc/setup.sh +++ b/bin/tests/system/rndc/setup.sh -@@ -37,7 +37,7 @@ make_key () { +@@ -35,7 +35,7 @@ make_key () { sed 's/allow { 10.53.0.4/allow { any/' >> ns4/named.conf } @@ -1175,7 +1172,7 @@ index 343869e..c30efb0 100644 make_key 3 ${EXTRAPORT3} hmac-sha224 make_key 4 ${EXTRAPORT4} hmac-sha256 diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh -index 57e066d..186a723 100644 +index 4e25e51..cb8934c 100644 --- a/bin/tests/system/rndc/tests.sh +++ b/bin/tests/system/rndc/tests.sh @@ -348,15 +348,20 @@ if [ $ret != 0 ]; then echo_i "failed"; fi @@ -1208,17 +1205,8 @@ index 57e066d..186a723 100644 n=`expr $n + 1` echo_i "testing rndc with hmac-sha1 ($n)" -diff --git a/bin/tests/system/tsig/clean.sh b/bin/tests/system/tsig/clean.sh -index 576ec70..cb7a852 100644 ---- a/bin/tests/system/tsig/clean.sh -+++ b/bin/tests/system/tsig/clean.sh -@@ -20,3 +20,4 @@ rm -f */named.run - rm -f ns*/named.lock - rm -f Kexample.net.+163+* - rm -f keygen.out? -+rm -f ns1/named.conf diff --git a/bin/tests/system/tsig/ns1/named.conf.in b/bin/tests/system/tsig/ns1/named.conf.in -index fbf30c6..f61657d 100644 +index 4905ffd..958d9fb 100644 --- a/bin/tests/system/tsig/ns1/named.conf.in +++ b/bin/tests/system/tsig/ns1/named.conf.in @@ -21,10 +21,7 @@ options { @@ -1246,10 +1234,10 @@ index fbf30c6..f61657d 100644 key "sha1-trunc" { secret "FrSt77yPTFx6hTs4i2tKLB9LmE0="; diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh -index 4dd4a25..aa0f966 100644 +index f42aa79..bfcf4a6 100644 --- a/bin/tests/system/tsig/setup.sh +++ b/bin/tests/system/tsig/setup.sh -@@ -17,3 +17,8 @@ $SHELL clean.sh +@@ -15,3 +15,8 @@ SYSTEMTESTTOP=.. copy_setports ns1/named.conf.in ns1/named.conf test -r $RANDFILE || $GENRANDOM $RANDOMSIZE $RANDFILE @@ -1259,7 +1247,7 @@ index 4dd4a25..aa0f966 100644 + cat ns1/rndc5.conf.in >> ns1/named.conf +fi diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh -index f731fa6..cade35b 100644 +index ed41e1d..98c542e 100644 --- a/bin/tests/system/tsig/tests.sh +++ b/bin/tests/system/tsig/tests.sh @@ -26,20 +26,25 @@ sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f @@ -1273,13 +1261,6 @@ index f731fa6..cade35b 100644 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 -fi -- --echo_i "fetching using hmac-md5 (new form)" --ret=0 --$DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1 --grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1 --if [ $ret -eq 1 ] ; then -- echo_i "failed"; status=1 +if $FEATURETEST --md5 +then + echo_i "fetching using hmac-md5 (old form)" @@ -1289,7 +1270,13 @@ index f731fa6..cade35b 100644 + if [ $ret -eq 1 ] ; then + echo_i "failed"; status=1 + fi -+ + +-echo_i "fetching using hmac-md5 (new form)" +-ret=0 +-$DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1 +-grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1 +-if [ $ret -eq 1 ] ; then +- echo_i "failed"; status=1 + echo_i "fetching using hmac-md5 (new form)" + ret=0 + $DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1 @@ -1351,10 +1338,10 @@ index f731fa6..cade35b 100644 echo_i "fetching using hmac-sha1-80 (BADTRUNC)" diff --git a/bin/tests/system/tsiggss/setup.sh b/bin/tests/system/tsiggss/setup.sh -index 0d21c7b..dbcb7b4 100644 +index f04c907..09da5f9 100644 --- a/bin/tests/system/tsiggss/setup.sh +++ b/bin/tests/system/tsiggss/setup.sh -@@ -18,5 +18,5 @@ test -r $RANDFILE || $GENRANDOM $RANDOMSIZE $RANDFILE +@@ -16,5 +16,5 @@ test -r $RANDFILE || $GENRANDOM $RANDOMSIZE $RANDFILE copy_setports ns1/named.conf.in ns1/named.conf @@ -1362,7 +1349,7 @@ index 0d21c7b..dbcb7b4 100644 +key=`$KEYGEN -Cq -K ns1 -a DSA -b 1024 -r $RANDFILE -n HOST -T KEY key.example.nil.` cat ns1/example.nil.db.in ns1/${key}.key > ns1/example.nil.db diff --git a/bin/tests/system/upforwd/ns1/named.conf.in b/bin/tests/system/upforwd/ns1/named.conf.in -index e0a30cd..6a77b1c 100644 +index 4ddd7a4..238f52a 100644 --- a/bin/tests/system/upforwd/ns1/named.conf.in +++ b/bin/tests/system/upforwd/ns1/named.conf.in @@ -10,7 +10,7 @@ @@ -1375,7 +1362,7 @@ index e0a30cd..6a77b1c 100644 }; diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh -index b0694bb..9adae82 100644 +index 1cf8d3b..f4c3216 100644 --- a/bin/tests/system/upforwd/tests.sh +++ b/bin/tests/system/upforwd/tests.sh @@ -68,7 +68,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi @@ -1387,22 +1374,6 @@ index b0694bb..9adae82 100644 server 10.53.0.3 ${PORT} update add updated.example. 600 A 10.10.10.1 update add updated.example. 600 TXT Foo -diff --git a/bin/tests/system/tsig/ns1/rndc5.conf.in b/bin/tests/system/tsig/ns1/rndc5.conf.in -new file mode 100644 -index 0000000..0682194 ---- /dev/null -+++ b/bin/tests/system/tsig/ns1/rndc5.conf.in -@@ -0,0 +1,10 @@ -+# Conditionally included when support for MD5 is available -+key "md5" { -+ secret "97rnFx24Tfna4mHPfgnerA=="; -+ algorithm hmac-md5; -+}; -+ -+key "md5-trunc" { -+ secret "97rnFx24Tfna4mHPfgnerA=="; -+ algorithm hmac-md5-80; -+}; -- -2.20.1 +2.26.2 diff --git a/SOURCES/bind-9.11-rh1624100.patch b/SOURCES/bind-9.11-rh1624100.patch deleted file mode 100644 index 0775820..0000000 --- a/SOURCES/bind-9.11-rh1624100.patch +++ /dev/null @@ -1,288 +0,0 @@ -From f27598743ab6e03271e26f23da4beba748d19c60 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= -Date: Wed, 25 Apr 2018 14:04:31 +0200 -Subject: [PATCH] Replace isc_safe routines with their OpenSSL counter parts - -(cherry picked from commit 66ba2fdad583d962a1f4971c85d58381f0849e4d) - -Remove isc_safe_memcompare, it's not needed anywhere and can't be replaced with CRYPTO_memcmp() - -(cherry picked from commit b105ccee68ccc3c18e6ea530063b3c8e5a42571c) - -Fix the isc_safe_memwipe() usage with (NULL, >0) - -(cherry picked from commit 083461d3329ff6f2410745848a926090586a9846) ---- - bin/dnssec/dnssec-signzone.c | 2 +- - lib/dns/nsec3.c | 4 +- - lib/dns/spnego.c | 4 +- - lib/isc/Makefile.in | 8 +--- - lib/isc/include/isc/safe.h | 18 ++------ - lib/isc/safe.c | 83 ------------------------------------ - lib/isc/tests/safe_test.c | 18 -------- - 7 files changed, 11 insertions(+), 126 deletions(-) - delete mode 100644 lib/isc/safe.c - -diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c -index 6dded0c..a9c5557 100644 ---- a/bin/dnssec/dnssec-signzone.c -+++ b/bin/dnssec/dnssec-signzone.c -@@ -784,7 +784,7 @@ hashlist_add_dns_name(hashlist_t *l, /*const*/ dns_name_t *name, - - static int - hashlist_comp(const void *a, const void *b) { -- return (isc_safe_memcompare(a, b, hash_length + 1)); -+ return (memcmp(a, b, hash_length + 1)); - } - - static void -diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c -index 6ae7ca8..01426d6 100644 ---- a/lib/dns/nsec3.c -+++ b/lib/dns/nsec3.c -@@ -1963,7 +1963,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name, - * Work out what this NSEC3 covers. - * Inside (<0) or outside (>=0). - */ -- scope = isc_safe_memcompare(owner, nsec3.next, nsec3.next_length); -+ scope = memcmp(owner, nsec3.next, nsec3.next_length); - - /* - * Prepare to compute all the hashes. -@@ -1987,7 +1987,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name, - return (ISC_R_IGNORE); - } - -- order = isc_safe_memcompare(hash, owner, length); -+ order = memcmp(hash, owner, length); - if (first && order == 0) { - /* - * The hashes are the same. -diff --git a/lib/dns/spnego.c b/lib/dns/spnego.c -index ad77f24..670982a 100644 ---- a/lib/dns/spnego.c -+++ b/lib/dns/spnego.c -@@ -371,7 +371,7 @@ gssapi_spnego_decapsulate(OM_uint32 *, - - /* mod_auth_kerb.c */ - --static int -+static isc_boolean_t - cmp_gss_type(gss_buffer_t token, gss_OID gssoid) - { - unsigned char *p; -@@ -395,7 +395,7 @@ cmp_gss_type(gss_buffer_t token, gss_OID gssoid) - if (((OM_uint32) *p++) != gssoid->length) - return (GSS_S_DEFECTIVE_TOKEN); - -- return (isc_safe_memcompare(p, gssoid->elements, gssoid->length)); -+ return (!isc_safe_memequal(p, gssoid->elements, gssoid->length)); - } - - /* accept_sec_context.c */ -diff --git a/lib/isc/Makefile.in b/lib/isc/Makefile.in -index 149552a..8529a86 100644 ---- a/lib/isc/Makefile.in -+++ b/lib/isc/Makefile.in -@@ -60,7 +60,7 @@ OBJS = @ISC_EXTRA_OBJS@ @ISC_PK11_O@ @ISC_PK11_RESULT_O@ \ - parseint.@O@ portset.@O@ quota.@O@ radix.@O@ random.@O@ \ - ratelimiter.@O@ refcount.@O@ region.@O@ regex.@O@ result.@O@ \ - rwlock.@O@ \ -- safe.@O@ serial.@O@ siphash.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \ -+ serial.@O@ siphash.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \ - string.@O@ strtoul.@O@ symtab.@O@ task.@O@ taskpool.@O@ \ - tm.@O@ timer.@O@ utf8.@O@ version.@O@ \ - ${UNIXOBJS} ${NLSOBJS} ${THREADOBJS} -@@ -79,7 +79,7 @@ SRCS = @ISC_EXTRA_SRCS@ @ISC_PK11_C@ @ISC_PK11_RESULT_C@ \ - netaddr.c netscope.c pool.c ondestroy.c \ - parseint.c portset.c quota.c radix.c random.c ${CHACHASRCS} \ - ratelimiter.c refcount.c region.c regex.c result.c rwlock.c \ -- safe.c serial.c siphash.c sha1.c sha2.c sockaddr.c stats.c string.c \ -+ serial.c siphash.c sha1.c sha2.c sockaddr.c stats.c string.c \ - strtoul.c symtab.c task.c taskpool.c timer.c \ - tm.c utf8.c version.c - -@@ -95,10 +95,6 @@ TESTDIRS = @UNITTESTS@ - - @BIND9_MAKE_RULES@ - --safe.@O@: safe.c -- ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} @CCNOOPT@ \ -- -c ${srcdir}/safe.c -- - version.@O@: version.c - ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \ - -DVERSION=\"${VERSION}\" \ -diff --git a/lib/isc/include/isc/safe.h b/lib/isc/include/isc/safe.h -index 66ed08b..88b8f47 100644 ---- a/lib/isc/include/isc/safe.h -+++ b/lib/isc/include/isc/safe.h -@@ -15,29 +15,19 @@ - - /*! \file isc/safe.h */ - --#include -- --#include --#include -+#include -+#include - - ISC_LANG_BEGINDECLS - --bool --isc_safe_memequal(const void *s1, const void *s2, size_t n); -+#define isc_safe_memequal(s1, s2, n) !CRYPTO_memcmp(s1, s2, n) - /*%< - * Returns true iff. two blocks of memory are equal, otherwise - * false. - * - */ - --int --isc_safe_memcompare(const void *b1, const void *b2, size_t len); --/*%< -- * Clone of libc memcmp() which is safe to differential timing attacks. -- */ -- --void --isc_safe_memwipe(void *ptr, size_t len); -+#define isc_safe_memwipe(ptr, len) OPENSSL_cleanse(ptr, len) - /*%< - * Clear the memory of length `len` pointed to by `ptr`. - * -diff --git a/lib/isc/safe.c b/lib/isc/safe.c -deleted file mode 100644 -index 7a464b6..0000000 ---- a/lib/isc/safe.c -+++ /dev/null -@@ -1,83 +0,0 @@ --/* -- * Copyright (C) Internet Systems Consortium, Inc. ("ISC") -- * -- * This Source Code Form is subject to the terms of the Mozilla Public -- * License, v. 2.0. If a copy of the MPL was not distributed with this -- * file, You can obtain one at http://mozilla.org/MPL/2.0/. -- * -- * See the COPYRIGHT file distributed with this work for additional -- * information regarding copyright ownership. -- */ -- --/*! \file */ -- --#include -- --#include -- --#include --#include --#include -- --#ifdef WIN32 --#include --#endif -- --#ifdef _MSC_VER --#pragma optimize("", off) --#endif -- --bool --isc_safe_memequal(const void *s1, const void *s2, size_t n) { -- uint8_t acc = 0; -- -- if (n != 0U) { -- const uint8_t *p1 = s1, *p2 = s2; -- -- do { -- acc |= *p1++ ^ *p2++; -- } while (--n != 0U); -- } -- return (acc == 0); --} -- -- --int --isc_safe_memcompare(const void *b1, const void *b2, size_t len) { -- const unsigned char *p1 = b1, *p2 = b2; -- size_t i; -- int res = 0, done = 0; -- -- for (i = 0; i < len; i++) { -- /* lt is -1 if p1[i] < p2[i]; else 0. */ -- int lt = (p1[i] - p2[i]) >> CHAR_BIT; -- -- /* gt is -1 if p1[i] > p2[i]; else 0. */ -- int gt = (p2[i] - p1[i]) >> CHAR_BIT; -- -- /* cmp is 1 if p1[i] > p2[i]; -1 if p1[i] < p2[i]; else 0. */ -- int cmp = lt - gt; -- -- /* set res = cmp if !done. */ -- res |= cmp & ~done; -- -- /* set done if p1[i] != p2[i]. */ -- done |= lt | gt; -- } -- -- return (res); --} -- --void --isc_safe_memwipe(void *ptr, size_t len) { -- if (ISC_UNLIKELY(ptr == NULL || len == 0)) -- return; -- --#ifdef WIN32 -- SecureZeroMemory(ptr, len); --#elif HAVE_EXPLICIT_BZERO -- explicit_bzero(ptr, len); --#else -- memset(ptr, 0, len); --#endif --} -diff --git a/lib/isc/tests/safe_test.c b/lib/isc/tests/safe_test.c -index 266ac75..60e9181 100644 ---- a/lib/isc/tests/safe_test.c -+++ b/lib/isc/tests/safe_test.c -@@ -45,22 +45,6 @@ isc_safe_memequal_test(void **state) { - "\x00\x00\x00\x00", 4)); - } - --/* test isc_safe_memcompare() */ --static void --isc_safe_memcompare_test(void **state) { -- UNUSED(state); -- -- assert_int_equal(isc_safe_memcompare("test", "test", 4), 0); -- assert_true(isc_safe_memcompare("test", "tesc", 4) > 0); -- assert_true(isc_safe_memcompare("test", "tesy", 4) < 0); -- assert_int_equal(isc_safe_memcompare("\x00\x00\x00\x00", -- "\x00\x00\x00\x00", 4), 0); -- assert_true(isc_safe_memcompare("\x00\x00\x00\x00", -- "\x00\x00\x00\x01", 4) < 0); -- assert_true(isc_safe_memcompare("\x00\x00\x00\x02", -- "\x00\x00\x00\x00", 4) > 0); --} -- - /* test isc_safe_memwipe() */ - static void - isc_safe_memwipe_test(void **state) { -@@ -69,7 +53,6 @@ isc_safe_memwipe_test(void **state) { - /* These should pass. */ - isc_safe_memwipe(NULL, 0); - isc_safe_memwipe((void *) -1, 0); -- isc_safe_memwipe(NULL, 42); - - /* - * isc_safe_memwipe(ptr, size) should function same as -@@ -108,7 +91,6 @@ main(void) { - const struct CMUnitTest tests[] = { - cmocka_unit_test(isc_safe_memequal_test), - cmocka_unit_test(isc_safe_memwipe_test), -- cmocka_unit_test(isc_safe_memcompare_test), - }; - - return (cmocka_run_group_tests(tests, NULL, NULL)); --- -2.26.2 - diff --git a/SOURCES/bind-9.11-rh1859454.patch b/SOURCES/bind-9.11-rh1859454.patch deleted file mode 100644 index df0ff19..0000000 --- a/SOURCES/bind-9.11-rh1859454.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 30753514ac06111da5b677fe7cdbafd696b1d620 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= -Date: Wed, 22 Jul 2020 18:55:02 +0200 -Subject: [PATCH] Prevent crash on dst initialization failure - -server might be created, but not yet fully initialized, when fatal -function is called. Check both server and task before attaching -exclusive task. - -(cherry picked from commit c5e7152cf04f75d0fe00163f076f4cc3cafce259) -(cherry picked from commit 35fbfaa4981333286437f26557db26863d4c5299) ---- - bin/named/server.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/bin/named/server.c b/bin/named/server.c -index 3cd8daf99e..38780ad3d7 100644 ---- a/bin/named/server.c -+++ b/bin/named/server.c -@@ -9341,7 +9341,7 @@ ns_server_destroy(ns_server_t **serverp) { - - static void - fatal(ns_server_t *server, const char *msg, isc_result_t result) { -- if (server != NULL) { -+ if (server != NULL && server->task != NULL) { - /* - * Prevent races between the OpenSSL on_exit registered - * function and any other OpenSSL calls from other tasks --- -2.26.2 - diff --git a/SOURCES/bind-9.11-rt31459.patch b/SOURCES/bind-9.11-rt31459.patch index 266f78c..822839c 100644 --- a/SOURCES/bind-9.11-rt31459.patch +++ b/SOURCES/bind-9.11-rt31459.patch @@ -1,4 +1,4 @@ -From 5c29299e43db5a4e6f8b1b07af84dfe1687c4c2b Mon Sep 17 00:00:00 2001 +From 63d1fe9e1ac0db37f89cf31b40c35d6d22578ded Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Tue, 12 Sep 2017 19:05:46 -0700 Subject: [PATCH] rebased rt31459c @@ -53,7 +53,7 @@ Include new unit test create mode 100644 lib/dns/tests/dstrandom_test.c diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c -index 5015abb..295e16f 100644 +index 40cf74c..bd269e7 100644 --- a/bin/confgen/keygen.c +++ b/bin/confgen/keygen.c @@ -165,6 +165,13 @@ generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg, @@ -71,7 +71,7 @@ index 5015abb..295e16f 100644 &entropy_source, randomfile, diff --git a/bin/dnssec/dnssec-dsfromkey.c b/bin/dnssec/dnssec-dsfromkey.c -index d9d6bb9..de4b15f 100644 +index 4420f2d..9cb63a8 100644 --- a/bin/dnssec/dnssec-dsfromkey.c +++ b/bin/dnssec/dnssec-dsfromkey.c @@ -498,14 +498,14 @@ main(int argc, char **argv) { @@ -103,7 +103,7 @@ index d9d6bb9..de4b15f 100644 dns_name_destroy(); if (verbose > 10) diff --git a/bin/dnssec/dnssec-importkey.c b/bin/dnssec/dnssec-importkey.c -index d65a514..04b3094 100644 +index dc9a293..52863a1 100644 --- a/bin/dnssec/dnssec-importkey.c +++ b/bin/dnssec/dnssec-importkey.c @@ -404,14 +404,14 @@ main(int argc, char **argv) { @@ -135,7 +135,7 @@ index d65a514..04b3094 100644 dns_name_destroy(); if (verbose > 10) diff --git a/bin/dnssec/dnssec-revoke.c b/bin/dnssec/dnssec-revoke.c -index 7d82dbf..10f9359 100644 +index 0121a34..74a99b0 100644 --- a/bin/dnssec/dnssec-revoke.c +++ b/bin/dnssec/dnssec-revoke.c @@ -184,14 +184,14 @@ main(int argc, char **argv) { @@ -167,10 +167,10 @@ index 7d82dbf..10f9359 100644 if (verbose > 10) isc_mem_stats(mctx, stdout); diff --git a/bin/dnssec/dnssec-settime.c b/bin/dnssec/dnssec-settime.c -index 7afcaee..1cfa511 100644 +index f017895..2c568fc 100644 --- a/bin/dnssec/dnssec-settime.c +++ b/bin/dnssec/dnssec-settime.c -@@ -380,14 +380,14 @@ main(int argc, char **argv) { +@@ -391,14 +391,14 @@ main(int argc, char **argv) { if (ectx == NULL) setup_entropy(mctx, NULL, &ectx); @@ -188,7 +188,7 @@ index 7afcaee..1cfa511 100644 isc_entropy_stopcallbacksources(ectx); if (predecessor != NULL) { -@@ -672,8 +672,8 @@ main(int argc, char **argv) { +@@ -683,8 +683,8 @@ main(int argc, char **argv) { if (prevkey != NULL) dst_key_free(&prevkey); dst_key_free(&key); @@ -199,10 +199,10 @@ index 7afcaee..1cfa511 100644 if (verbose > 10) isc_mem_stats(mctx, stdout); diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c -index 319a805..27ae4d4 100644 +index dde1b2f..7308fc6 100644 --- a/bin/dnssec/dnssec-signzone.c +++ b/bin/dnssec/dnssec-signzone.c -@@ -3460,14 +3460,15 @@ main(int argc, char *argv[]) { +@@ -3465,14 +3465,15 @@ main(int argc, char *argv[]) { if (!pseudorandom) eflags |= ISC_ENTROPY_GOODONLY; @@ -222,7 +222,7 @@ index 319a805..27ae4d4 100644 isc_stdtime_get(&now); if (startstr != NULL) { -@@ -3879,8 +3880,8 @@ main(int argc, char *argv[]) { +@@ -3884,8 +3885,8 @@ main(int argc, char *argv[]) { dns_master_styledestroy(&dsstyle, mctx); cleanup_logging(&log); @@ -233,7 +233,7 @@ index 319a805..27ae4d4 100644 dns_name_destroy(); if (verbose > 10) diff --git a/bin/dnssec/dnssec-verify.c b/bin/dnssec/dnssec-verify.c -index 4c293bf..3263cbc 100644 +index 087cd5d..07c7294 100644 --- a/bin/dnssec/dnssec-verify.c +++ b/bin/dnssec/dnssec-verify.c @@ -281,15 +281,15 @@ main(int argc, char *argv[]) { @@ -257,7 +257,7 @@ index 4c293bf..3263cbc 100644 rdclass = strtoclass(classname); diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c -index 618ec5b..5654435 100644 +index 7f045e8..2a0f9c6 100644 --- a/bin/dnssec/dnssectool.c +++ b/bin/dnssec/dnssectool.c @@ -34,6 +34,7 @@ @@ -293,7 +293,7 @@ index 618ec5b..5654435 100644 usekeyboard); diff --git a/bin/named/server.c b/bin/named/server.c -index 4e503e5..f27071f 100644 +index 30d38be..b2ae57c 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -36,6 +36,7 @@ @@ -304,7 +304,7 @@ index 4e503e5..f27071f 100644 #include #include #include -@@ -8217,6 +8218,10 @@ load_configuration(const char *filename, ns_server_t *server, +@@ -8286,6 +8287,10 @@ load_configuration(const char *filename, ns_server_t *server, "no source of entropy found"); } else { const char *randomdev = cfg_obj_asstring(obj); @@ -315,7 +315,7 @@ index 4e503e5..f27071f 100644 int level = ISC_LOG_ERROR; result = isc_entropy_createfilesource(ns_g_entropy, randomdev); -@@ -8251,6 +8256,7 @@ load_configuration(const char *filename, ns_server_t *server, +@@ -8320,6 +8325,7 @@ load_configuration(const char *filename, ns_server_t *server, } isc_entropy_detach(&ns_g_fallbackentropy); } @@ -324,10 +324,10 @@ index 4e503e5..f27071f 100644 } diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c -index bbb3936..0286987 100644 +index 5a2c660..7f15cbc 100644 --- a/bin/nsupdate/nsupdate.c +++ b/bin/nsupdate/nsupdate.c -@@ -272,7 +272,8 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { +@@ -278,7 +278,8 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { if (*ectx == NULL) { result = isc_entropy_create(mctx, ectx); if (result != ISC_R_SUCCESS) @@ -337,7 +337,7 @@ index bbb3936..0286987 100644 ISC_LIST_INIT(sources); } -@@ -281,6 +282,13 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { +@@ -287,6 +288,13 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { randomfile = NULL; } @@ -351,7 +351,7 @@ index bbb3936..0286987 100644 result = isc_entropy_usebestsource(*ectx, &source, randomfile, usekeyboard); -@@ -979,11 +987,11 @@ setup_system(void) { +@@ -989,11 +997,11 @@ setup_system(void) { } } @@ -366,7 +366,7 @@ index bbb3936..0286987 100644 result = dns_dispatchmgr_create(gmctx, entropy, &dispatchmgr); check_result(result, "dns_dispatchmgr_create"); diff --git a/bin/tests/makejournal.c b/bin/tests/makejournal.c -index 61a41b0..acc71a1 100644 +index 68b5e5a..cd54c8d 100644 --- a/bin/tests/makejournal.c +++ b/bin/tests/makejournal.c @@ -102,12 +102,12 @@ main(int argc, char **argv) { @@ -386,7 +386,7 @@ index 61a41b0..acc71a1 100644 isc_log_registercategories(lctx, categories); isc_log_setcontext(lctx); diff --git a/bin/tests/system/pipelined/pipequeries.c b/bin/tests/system/pipelined/pipequeries.c -index c6ab7f8..f0a6ff2 100644 +index e16ec11..95b65bf 100644 --- a/bin/tests/system/pipelined/pipequeries.c +++ b/bin/tests/system/pipelined/pipequeries.c @@ -204,6 +204,7 @@ sendqueries(isc_task_t *task, isc_event_t *event) { @@ -448,7 +448,7 @@ index c6ab7f8..f0a6ff2 100644 isc_log_destroy(&lctx); diff --git a/bin/tests/system/pipelined/tests.sh b/bin/tests/system/pipelined/tests.sh -index 61f1ff7..ed1302a 100644 +index c0a99a2..0245527 100644 --- a/bin/tests/system/pipelined/tests.sh +++ b/bin/tests/system/pipelined/tests.sh @@ -19,7 +19,7 @@ status=0 @@ -470,7 +470,7 @@ index 61f1ff7..ed1302a 100644 $DIFF refb outputb || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi diff --git a/bin/tests/system/rsabigexponent/bigkey.c b/bin/tests/system/rsabigexponent/bigkey.c -index 4462f2e..f06268d 100644 +index abf12ed..fa5182c 100644 --- a/bin/tests/system/rsabigexponent/bigkey.c +++ b/bin/tests/system/rsabigexponent/bigkey.c @@ -20,6 +20,7 @@ @@ -492,7 +492,7 @@ index 4462f2e..f06268d 100644 "../random.data", ISC_ENTROPY_KEYBOARDNO), diff --git a/bin/tests/system/tkey/keycreate.c b/bin/tests/system/tkey/keycreate.c -index 653c951..fe8698e 100644 +index 34360aa..3236968 100644 --- a/bin/tests/system/tkey/keycreate.c +++ b/bin/tests/system/tkey/keycreate.c @@ -206,6 +206,7 @@ sendquery(isc_task_t *task, isc_event_t *event) { @@ -561,7 +561,7 @@ index 653c951..fe8698e 100644 isc_mem_destroy(&mctx); diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c -index 70a40c3..2146f9b 100644 +index 4b5b901..43fb6b0 100644 --- a/bin/tests/system/tkey/keydelete.c +++ b/bin/tests/system/tkey/keydelete.c @@ -136,6 +136,7 @@ sendquery(isc_task_t *task, isc_event_t *event) { @@ -630,50 +630,50 @@ index 70a40c3..2146f9b 100644 isc_mem_destroy(&mctx); diff --git a/bin/tests/system/tkey/tests.sh b/bin/tests/system/tkey/tests.sh -index 9f90dd7..fad6c83 100644 +index b265156..bcd60a6 100644 --- a/bin/tests/system/tkey/tests.sh +++ b/bin/tests/system/tkey/tests.sh @@ -33,7 +33,7 @@ for owner in . foo.example. do - echo "I:creating new key using owner name \"$owner\"" + echo_i "creating new key using owner name \"$owner\" ($n)" ret=0 - keyname=`$KEYCREATE $dhkeyname $owner` || ret=1 + keyname=`$KEYCREATE -r $RANDFILE $dhkeyname $owner` || ret=1 if [ $ret != 0 ]; then - echo "I:failed" - status=`expr $status + $ret` -@@ -55,7 +55,7 @@ do + echo_i "failed" + status=$((status+ret)) +@@ -57,7 +57,7 @@ do - echo "I:deleting new key" + echo_i "deleting new key ($n)" ret=0 - $KEYDELETE $keyname || ret=1 + $KEYDELETE -r $RANDFILE $keyname || ret=1 if [ $ret != 0 ]; then - echo "I:failed" + echo_i "failed" fi -@@ -75,7 +75,7 @@ done +@@ -79,7 +79,7 @@ done - echo "I:creating new key using owner name bar.example." + echo_i "creating new key using owner name bar.example. ($n)" ret=0 -keyname=`$KEYCREATE $dhkeyname bar.example.` || ret=1 +keyname=`$KEYCREATE -r $RANDFILE $dhkeyname bar.example.` || ret=1 if [ $ret != 0 ]; then - echo "I:failed" - status=`expr $status + $ret` -@@ -116,7 +116,7 @@ status=`expr $status + $ret` + echo_i "failed" + status=$((status+ret)) +@@ -124,7 +124,7 @@ n=$((n+1)) - echo "I:recreating the bar.example. key" + echo_i "recreating the bar.example. key ($n)" ret=0 -keyname=`$KEYCREATE $dhkeyname bar.example.` || ret=1 +keyname=`$KEYCREATE -r $RANDFILE $dhkeyname bar.example.` || ret=1 if [ $ret != 0 ]; then - echo "I:failed" - status=`expr $status + $ret` + echo_i "failed" + status=$((status+ret)) diff --git a/bin/tools/mdig.c b/bin/tools/mdig.c -index bf6dbb6..0416b21 100644 +index 26fa609..fb34aa0 100644 --- a/bin/tools/mdig.c +++ b/bin/tools/mdig.c -@@ -1972,12 +1972,11 @@ main(int argc, char *argv[]) { +@@ -2005,12 +2005,11 @@ main(int argc, char *argv[]) { ectx = NULL; RUNCHECK(isc_entropy_create(mctx, &ectx)); @@ -688,7 +688,7 @@ index bf6dbb6..0416b21 100644 parse_args(false, argc, argv); if (server == NULL) diff --git a/configure b/configure -index 6d05371..33689c9 100755 +index 0faca65..d5ffc87 100755 --- a/configure +++ b/configure @@ -640,6 +640,7 @@ ac_includes_default="\ @@ -723,7 +723,7 @@ index 6d05371..33689c9 100755 --enable-largefile 64-bit file support --enable-backtrace log stack backtrace on abort [default=yes] --enable-symtable use internal symbol table for backtrace -@@ -17144,6 +17148,7 @@ case "$use_openssl" in +@@ -17205,6 +17209,7 @@ case "$use_openssl" in $as_echo "disabled because of native PKCS11" >&6; } DST_OPENSSL_INC="" CRYPTO="-DPKCS11CRYPTO" @@ -731,7 +731,7 @@ index 6d05371..33689c9 100755 OPENSSLECDSALINKOBJS="" OPENSSLECDSALINKSRCS="" OPENSSLEDDSALINKOBJS="" -@@ -17158,6 +17163,7 @@ $as_echo "disabled because of native PKCS11" >&6; } +@@ -17219,6 +17224,7 @@ $as_echo "disabled because of native PKCS11" >&6; } $as_echo "no" >&6; } DST_OPENSSL_INC="" CRYPTO="" @@ -739,7 +739,7 @@ index 6d05371..33689c9 100755 OPENSSLECDSALINKOBJS="" OPENSSLECDSALINKSRCS="" OPENSSLEDDSALINKOBJS="" -@@ -17170,6 +17176,7 @@ $as_echo "no" >&6; } +@@ -17231,6 +17237,7 @@ $as_echo "no" >&6; } auto) DST_OPENSSL_INC="" CRYPTO="" @@ -747,7 +747,7 @@ index 6d05371..33689c9 100755 OPENSSLECDSALINKOBJS="" OPENSSLECDSALINKSRCS="" OPENSSLEDDSALINKOBJS="" -@@ -17179,7 +17186,7 @@ $as_echo "no" >&6; } +@@ -17240,7 +17247,7 @@ $as_echo "no" >&6; } OPENSSLLINKOBJS="" OPENSSLLINKSRCS="" as_fn_error $? "OpenSSL was not found in any of $openssldirs; use --with-openssl=/path @@ -756,7 +756,7 @@ index 6d05371..33689c9 100755 ;; *) if test "yes" = "$want_native_pkcs11" -@@ -17210,6 +17217,7 @@ $as_echo "not found" >&6; } +@@ -17271,6 +17278,7 @@ $as_echo "not found" >&6; } as_fn_error $? "\"$use_openssl/include/openssl/opensslv.h\" not found" "$LINENO" 5 fi CRYPTO='-DOPENSSL' @@ -764,7 +764,7 @@ index 6d05371..33689c9 100755 if test "/usr" = "$use_openssl" then DST_OPENSSL_INC="" -@@ -17835,8 +17843,6 @@ fi +@@ -17897,8 +17905,6 @@ fi # Use OpenSSL for hash functions # @@ -773,7 +773,7 @@ index 6d05371..33689c9 100755 ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH" case $want_openssl_hash in yes) -@@ -18211,6 +18217,86 @@ if test "rt" = "$have_clock_gt"; then +@@ -18273,6 +18279,86 @@ if test "rt" = "$have_clock_gt"; then LIBS="-lrt $LIBS" fi @@ -860,7 +860,7 @@ index 6d05371..33689c9 100755 # # was --with-lmdb specified? # -@@ -20441,9 +20527,12 @@ _ACEOF +@@ -20549,9 +20635,12 @@ _ACEOF if ac_fn_c_try_compile "$LINENO"; then : { $as_echo "$as_me:${as_lineno-$LINENO}: result: size_t for buflen; int for flags" >&5 $as_echo "size_t for buflen; int for flags" >&6; } @@ -875,7 +875,7 @@ index 6d05371..33689c9 100755 $as_echo "#define IRS_GETNAMEINFO_FLAGS_T int" >>confdefs.h -@@ -21758,12 +21847,7 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM" +@@ -21877,12 +21966,7 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM" ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM" ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM" if test "yes" = "$use_atomic"; then @@ -889,7 +889,7 @@ index 6d05371..33689c9 100755 # version HP92453-01 B.11.11.23709.GP, which incorrectly rejects # declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. # This bug is HP SR number 8606223364. -@@ -21796,6 +21880,11 @@ cat >>confdefs.h <<_ACEOF +@@ -21915,6 +21999,11 @@ cat >>confdefs.h <<_ACEOF _ACEOF @@ -901,7 +901,7 @@ index 6d05371..33689c9 100755 if test $ac_cv_sizeof_void_p = 8; then arch=x86_64 have_xaddq=yes -@@ -21804,39 +21893,6 @@ _ACEOF +@@ -21923,39 +22012,6 @@ _ACEOF fi ;; x86_64-*|amd64-*) @@ -941,7 +941,7 @@ index 6d05371..33689c9 100755 if test $ac_cv_sizeof_void_p = 8; then arch=x86_64 have_xaddq=yes -@@ -21867,6 +21923,10 @@ $as_echo_n "checking architecture type for atomic operations... " >&6; } +@@ -21986,6 +22042,10 @@ $as_echo_n "checking architecture type for atomic operations... " >&6; } $as_echo "$arch" >&6; } fi @@ -952,7 +952,7 @@ index 6d05371..33689c9 100755 if test "yes" = "$have_atomic"; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking compiler support for inline assembly code" >&5 $as_echo_n "checking compiler support for inline assembly code... " >&6; } -@@ -24421,6 +24481,30 @@ CFLAGS="$CFLAGS $SO_CFLAGS" +@@ -24567,6 +24627,30 @@ CFLAGS="$CFLAGS $SO_CFLAGS" # dlzdir='${DLZ_DRIVER_DIR}' @@ -983,7 +983,7 @@ index 6d05371..33689c9 100755 # # Private autoconf macro to simplify configuring drivers: # -@@ -24751,11 +24835,11 @@ $as_echo "no" >&6; } +@@ -24897,11 +24981,11 @@ $as_echo "no" >&6; } $as_echo "using mysql with libs ${mysql_lib} and includes ${mysql_include}" >&6; } ;; *) @@ -998,7 +998,7 @@ index 6d05371..33689c9 100755 fi CONTRIB_DLZ="$CONTRIB_DLZ -DDLZ_MYSQL" -@@ -24840,7 +24924,7 @@ $as_echo "" >&6; } +@@ -24986,7 +25070,7 @@ $as_echo "" >&6; } # Check other locations for includes. # Order is important (sigh). @@ -1007,7 +1007,7 @@ index 6d05371..33689c9 100755 # include a blank element first for d in "" $bdb_incdirs do -@@ -24865,57 +24949,9 @@ $as_echo "" >&6; } +@@ -25011,57 +25095,9 @@ $as_echo "" >&6; } bdb_libnames="db53 db-5.3 db51 db-5.1 db48 db-4.8 db47 db-4.7 db46 db-4.6 db45 db-4.5 db44 db-4.4 db43 db-4.3 db42 db-4.2 db41 db-4.1 db" for d in $bdb_libnames do @@ -1067,7 +1067,7 @@ index 6d05371..33689c9 100755 break fi done -@@ -25074,10 +25110,10 @@ $as_echo "no" >&6; } +@@ -25220,10 +25256,10 @@ $as_echo "no" >&6; } DLZ_DRIVER_INCLUDES="$DLZ_DRIVER_INCLUDES -I$use_dlz_ldap/include" DLZ_DRIVER_LDAP_INCLUDES="-I$use_dlz_ldap/include" fi @@ -1081,7 +1081,7 @@ index 6d05371..33689c9 100755 fi -@@ -25163,11 +25199,11 @@ fi +@@ -25309,11 +25345,11 @@ fi odbcdirs="/usr /usr/local /usr/pkg" for d in $odbcdirs do @@ -1095,7 +1095,7 @@ index 6d05371..33689c9 100755 break fi done -@@ -25442,6 +25478,8 @@ DNS_CRYPTO_LIBS="$NEWFLAGS" +@@ -25588,6 +25624,8 @@ DNS_CRYPTO_LIBS="$NEWFLAGS" @@ -1104,7 +1104,7 @@ index 6d05371..33689c9 100755 # # Commands to run at the end of config.status. # Don't just put these into configure, it won't work right if somebody -@@ -27819,6 +27857,8 @@ report() { +@@ -27966,6 +28004,8 @@ report() { echo " IPv6 support (--enable-ipv6)" test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \ echo " OpenSSL cryptography/DNSSEC (--with-openssl)" @@ -1113,7 +1113,7 @@ index 6d05371..33689c9 100755 test "X$PYTHON" = "X" || echo " Python tools (--with-python)" test "X$XMLSTATS" = "X" || echo " XML statistics (--with-libxml2)" test "X$JSONSTATS" = "X" || echo " JSON statistics (--with-libjson)" -@@ -27859,6 +27899,8 @@ report() { +@@ -28006,6 +28046,8 @@ report() { echo " Very verbose query trace logging (--enable-querytrace)" test "no" = "$with_cmocka" || echo " CMocka Unit Testing Framework (--with-cmocka)" @@ -1122,7 +1122,7 @@ index 6d05371..33689c9 100755 echo " Dynamically loadable zone (DLZ) drivers:" test "no" = "$use_dlz_bdb" || \ echo " Berkeley DB (--with-dlz-bdb)" -@@ -27906,6 +27948,8 @@ report() { +@@ -28053,6 +28095,8 @@ report() { echo " ECDSA algorithm support (--with-ecdsa)" test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \ echo " EDDSA algorithm support (--with-eddsa)" @@ -1132,10 +1132,10 @@ index 6d05371..33689c9 100755 test "yes" = "$enable_seccomp" || \ echo " Use libseccomp system call filtering (--enable-seccomp)" diff --git a/configure.ac b/configure.ac -index d10cde5..68bead8 100644 +index 78535bd..faef2e8 100644 --- a/configure.ac +++ b/configure.ac -@@ -1550,6 +1550,7 @@ case "$use_openssl" in +@@ -1598,6 +1598,7 @@ case "$use_openssl" in AC_MSG_RESULT(disabled because of native PKCS11) DST_OPENSSL_INC="" CRYPTO="-DPKCS11CRYPTO" @@ -1143,7 +1143,7 @@ index d10cde5..68bead8 100644 OPENSSLECDSALINKOBJS="" OPENSSLECDSALINKSRCS="" OPENSSLEDDSALINKOBJS="" -@@ -1563,6 +1564,7 @@ case "$use_openssl" in +@@ -1611,6 +1612,7 @@ case "$use_openssl" in AC_MSG_RESULT(no) DST_OPENSSL_INC="" CRYPTO="" @@ -1151,7 +1151,7 @@ index d10cde5..68bead8 100644 OPENSSLECDSALINKOBJS="" OPENSSLECDSALINKSRCS="" OPENSSLEDDSALINKOBJS="" -@@ -1575,6 +1577,7 @@ case "$use_openssl" in +@@ -1623,6 +1625,7 @@ case "$use_openssl" in auto) DST_OPENSSL_INC="" CRYPTO="" @@ -1159,7 +1159,7 @@ index d10cde5..68bead8 100644 OPENSSLECDSALINKOBJS="" OPENSSLECDSALINKSRCS="" OPENSSLEDDSALINKOBJS="" -@@ -1585,7 +1588,7 @@ case "$use_openssl" in +@@ -1633,7 +1636,7 @@ case "$use_openssl" in OPENSSLLINKSRCS="" AC_MSG_ERROR( [OpenSSL was not found in any of $openssldirs; use --with-openssl=/path @@ -1168,7 +1168,7 @@ index d10cde5..68bead8 100644 ;; *) if test "yes" = "$want_native_pkcs11" -@@ -1615,6 +1618,7 @@ If you don't want OpenSSL, use --without-openssl]) +@@ -1663,6 +1666,7 @@ If you don't want OpenSSL, use --without-openssl]) AC_MSG_ERROR(["$use_openssl/include/openssl/opensslv.h" not found]) fi CRYPTO='-DOPENSSL' @@ -1176,7 +1176,7 @@ index d10cde5..68bead8 100644 if test "/usr" = "$use_openssl" then DST_OPENSSL_INC="" -@@ -2050,7 +2054,6 @@ fi +@@ -2099,7 +2103,6 @@ fi # Use OpenSSL for hash functions # @@ -1184,7 +1184,7 @@ index d10cde5..68bead8 100644 ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH" case $want_openssl_hash in yes) -@@ -2322,6 +2325,67 @@ if test "rt" = "$have_clock_gt"; then +@@ -2371,6 +2374,67 @@ if test "rt" = "$have_clock_gt"; then LIBS="-lrt $LIBS" fi @@ -1252,7 +1252,7 @@ index d10cde5..68bead8 100644 # # was --with-lmdb specified? # -@@ -4098,12 +4162,12 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM" +@@ -4188,12 +4252,12 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM" ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM" ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM" if test "yes" = "$use_atomic"; then @@ -1266,7 +1266,7 @@ index d10cde5..68bead8 100644 if test $ac_cv_sizeof_void_p = 8; then arch=x86_64 have_xaddq=yes -@@ -4112,7 +4176,6 @@ if test "yes" = "$use_atomic"; then +@@ -4202,7 +4266,6 @@ if test "yes" = "$use_atomic"; then fi ;; x86_64-*|amd64-*) @@ -1274,7 +1274,7 @@ index d10cde5..68bead8 100644 if test $ac_cv_sizeof_void_p = 8; then arch=x86_64 have_xaddq=yes -@@ -5518,6 +5581,8 @@ report() { +@@ -5635,6 +5698,8 @@ report() { echo " IPv6 support (--enable-ipv6)" test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \ echo " OpenSSL cryptography/DNSSEC (--with-openssl)" @@ -1283,7 +1283,7 @@ index d10cde5..68bead8 100644 test "X$PYTHON" = "X" || echo " Python tools (--with-python)" test "X$XMLSTATS" = "X" || echo " XML statistics (--with-libxml2)" test "X$JSONSTATS" = "X" || echo " JSON statistics (--with-libjson)" -@@ -5558,6 +5623,8 @@ report() { +@@ -5675,6 +5740,8 @@ report() { echo " Very verbose query trace logging (--enable-querytrace)" test "no" = "$with_cmocka" || echo " CMocka Unit Testing Framework (--with-cmocka)" @@ -1292,7 +1292,7 @@ index d10cde5..68bead8 100644 echo " Dynamically loadable zone (DLZ) drivers:" test "no" = "$use_dlz_bdb" || \ echo " Berkeley DB (--with-dlz-bdb)" -@@ -5605,6 +5672,8 @@ report() { +@@ -5722,6 +5789,8 @@ report() { echo " ECDSA algorithm support (--with-ecdsa)" test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \ echo " EDDSA algorithm support (--with-eddsa)" @@ -1302,7 +1302,7 @@ index d10cde5..68bead8 100644 test "yes" = "$enable_seccomp" || \ echo " Use libseccomp system call filtering (--enable-seccomp)" diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c -index 65bf25d..1eccbe7 100644 +index 7a86506..aa54afc 100644 --- a/lib/dns/dst_api.c +++ b/lib/dns/dst_api.c @@ -277,6 +277,12 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx, @@ -1366,7 +1366,7 @@ index 65bf25d..1eccbe7 100644 #endif } diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h -index 1924e74..6813c96 100644 +index 5b42ab4..3aba028 100644 --- a/lib/dns/include/dst/dst.h +++ b/lib/dns/include/dst/dst.h @@ -159,6 +159,14 @@ dst_lib_destroy(void); @@ -1385,10 +1385,10 @@ index 1924e74..6813c96 100644 dst_algorithm_supported(unsigned int alg); /*%< diff --git a/lib/dns/lib.c b/lib/dns/lib.c -index 304814b..60543c4 100644 +index d9417de..0dc935d 100644 --- a/lib/dns/lib.c +++ b/lib/dns/lib.c -@@ -18,6 +18,7 @@ +@@ -16,6 +16,7 @@ #include #include @@ -1396,7 +1396,7 @@ index 304814b..60543c4 100644 #include #include #include -@@ -78,6 +79,7 @@ static unsigned int references = 0; +@@ -76,6 +77,7 @@ static unsigned int references = 0; static void initialize(void) { isc_result_t result; @@ -1404,7 +1404,7 @@ index 304814b..60543c4 100644 REQUIRE(initialize_done == false); -@@ -88,11 +90,14 @@ initialize(void) { +@@ -86,11 +88,14 @@ initialize(void) { result = dns_ecdb_register(dns_g_mctx, &dbimp); if (result != ISC_R_SUCCESS) goto cleanup_mctx; @@ -1421,7 +1421,7 @@ index 304814b..60543c4 100644 if (result != ISC_R_SUCCESS) goto cleanup_hash; -@@ -100,11 +105,17 @@ initialize(void) { +@@ -98,11 +103,17 @@ initialize(void) { if (result != ISC_R_SUCCESS) goto cleanup_dst; @@ -1440,7 +1440,7 @@ index 304814b..60543c4 100644 isc_hash_destroy(); cleanup_db: diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c -index 13e838f..ffe0a69 100644 +index 1e57c71..3f4f822 100644 --- a/lib/dns/openssl_link.c +++ b/lib/dns/openssl_link.c @@ -31,6 +31,7 @@ @@ -1624,7 +1624,7 @@ index 13e838f..ffe0a69 100644 #endif /* OPENSSL */ /*! \file */ diff --git a/lib/dns/pkcs11.c b/lib/dns/pkcs11.c -index 5a2c502..8eaef53 100644 +index 6b30309..20552fa 100644 --- a/lib/dns/pkcs11.c +++ b/lib/dns/pkcs11.c @@ -13,12 +13,15 @@ @@ -1692,7 +1692,7 @@ index 937b548..f3c0e38 100644 tap_test_program{name='gost_test'} tap_test_program{name='keytable_test'} diff --git a/lib/dns/tests/Makefile.in b/lib/dns/tests/Makefile.in -index 90dc3a6..7671e1d 100644 +index 4126372..30cab17 100644 --- a/lib/dns/tests/Makefile.in +++ b/lib/dns/tests/Makefile.in @@ -37,6 +37,7 @@ SRCS = acl_test.c \ @@ -1845,10 +1845,10 @@ index 0000000..bd3d164 + +#endif diff --git a/lib/dns/win32/libdns.def.in b/lib/dns/win32/libdns.def.in -index 63be973..40b21fa 100644 +index 9c2ef79..f597049 100644 --- a/lib/dns/win32/libdns.def.in +++ b/lib/dns/win32/libdns.def.in -@@ -1485,6 +1485,13 @@ dst_lib_destroy +@@ -1487,6 +1487,13 @@ dst_lib_destroy dst_lib_init dst_lib_init2 dst_lib_initmsgcat @@ -1863,7 +1863,7 @@ index 63be973..40b21fa 100644 dst_region_computerid dst_result_register diff --git a/lib/isc/entropy.c b/lib/isc/entropy.c -index 907e470..451544d 100644 +index 0c1f3ed..fdd17d7 100644 --- a/lib/isc/entropy.c +++ b/lib/isc/entropy.c @@ -104,11 +104,15 @@ struct isc_entropy { @@ -1921,7 +1921,7 @@ index 907e470..451544d 100644 + hook = myhook; +} diff --git a/lib/isc/include/isc/entropy.h b/lib/isc/include/isc/entropy.h -index e8733db..c40a18c 100644 +index b5bc956..f32c9dc 100644 --- a/lib/isc/include/isc/entropy.h +++ b/lib/isc/include/isc/entropy.h @@ -302,6 +302,18 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source, @@ -1944,7 +1944,7 @@ index e8733db..c40a18c 100644 #endif /* ISC_ENTROPY_H */ diff --git a/lib/isc/include/isc/platform.h.in b/lib/isc/include/isc/platform.h.in -index 61960f1..d22993d 100644 +index 2bf8758..f4c684e 100644 --- a/lib/isc/include/isc/platform.h.in +++ b/lib/isc/include/isc/platform.h.in @@ -359,6 +359,11 @@ @@ -1960,10 +1960,10 @@ index 61960f1..d22993d 100644 * Define if the hash functions must be provided by OpenSSL. */ diff --git a/lib/isc/include/isc/types.h b/lib/isc/include/isc/types.h -index da9d66f..4205400 100644 +index 3bdd54f..d5acd39 100644 --- a/lib/isc/include/isc/types.h +++ b/lib/isc/include/isc/types.h -@@ -97,6 +97,8 @@ typedef struct isc_time isc_time_t; /*%< Time */ +@@ -95,6 +95,8 @@ typedef struct isc_time isc_time_t; /*%< Time */ typedef struct isc_timer isc_timer_t; /*%< Timer */ typedef struct isc_timermgr isc_timermgr_t; /*%< Timer Manager */ @@ -1973,7 +1973,7 @@ index da9d66f..4205400 100644 typedef int (*isc_sockfdwatch_t)(isc_task_t *, isc_socket_t *, void *, int); diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c -index 68aebdc..4b85527 100644 +index 227f807..4a63fdf 100644 --- a/lib/isc/pk11.c +++ b/lib/isc/pk11.c @@ -321,14 +321,16 @@ pk11_rand_seed_fromfile(const char *randomfile) { @@ -1999,7 +1999,7 @@ index 68aebdc..4b85527 100644 cleanup: if (stream != NULL) diff --git a/lib/isc/win32/include/isc/platform.h.in b/lib/isc/win32/include/isc/platform.h.in -index 8ade705..fa72f9d 100644 +index 1f785e0..f9051c3 100644 --- a/lib/isc/win32/include/isc/platform.h.in +++ b/lib/isc/win32/include/isc/platform.h.in @@ -73,6 +73,11 @@ @@ -2015,7 +2015,7 @@ index 8ade705..fa72f9d 100644 * Define if the hash functions must be provided by OpenSSL. */ diff --git a/win32utils/Configure b/win32utils/Configure -index 79d682e..6c78cb2 100644 +index 5f66a82..ff39910 100644 --- a/win32utils/Configure +++ b/win32utils/Configure @@ -382,6 +382,7 @@ my @substdefh = ("ALLOW_FILTER_AAAA", @@ -2054,7 +2054,7 @@ index 79d682e..6c78cb2 100644 my $enable_openssl_hash = "auto"; my $enable_filter_aaaa = "yes"; my $enable_isc_spnego = "yes"; -@@ -847,6 +852,10 @@ sub myenable { +@@ -848,6 +853,10 @@ sub myenable { if ($val =~ /^yes$/i) { $enable_native_pkcs11 = "yes"; } @@ -2065,7 +2065,7 @@ index 79d682e..6c78cb2 100644 } elsif ($key =~ /^openssl-hash$/i) { if ($val =~ /^yes$/i) { $enable_openssl_hash = "yes"; -@@ -1153,6 +1162,11 @@ if ($verbose) { +@@ -1154,6 +1163,11 @@ if ($verbose) { } else { print "native-pkcs11: disabled\n"; } @@ -2077,7 +2077,7 @@ index 79d682e..6c78cb2 100644 if ($enable_openssl_hash eq "yes") { print "openssl-hash: enabled\n"; } else { -@@ -1510,6 +1524,7 @@ if ($enable_intrinsics eq "yes") { +@@ -1511,6 +1525,7 @@ if ($enable_intrinsics eq "yes") { # enable-native-pkcs11 if ($enable_native_pkcs11 eq "yes") { @@ -2085,7 +2085,7 @@ index 79d682e..6c78cb2 100644 if ($use_openssl eq "auto") { $use_openssl = "no"; } -@@ -1719,6 +1734,7 @@ if ($use_openssl eq "yes") { +@@ -1720,6 +1735,7 @@ if ($use_openssl eq "yes") { $openssl_dll = File::Spec->catdir($openssl_path, "@dirlist[0]"); } @@ -2093,7 +2093,7 @@ index 79d682e..6c78cb2 100644 $configcond{"OPENSSL"} = 1; $configdefd{"CRYPTO"} = "OPENSSL"; $configvar{"OPENSSL_PATH"} = "$openssl_path"; -@@ -2290,6 +2306,15 @@ if ($use_aes eq "yes") { +@@ -2291,6 +2307,15 @@ if ($use_aes eq "yes") { } @@ -2109,7 +2109,7 @@ index 79d682e..6c78cb2 100644 # enable-openssl-hash if ($enable_openssl_hash eq "yes") { if ($use_openssl eq "no") { -@@ -3665,6 +3690,7 @@ exit 0; +@@ -3673,6 +3698,7 @@ exit 0; # --enable-developer partially supported # --enable-newstats (9.9/9.9sub only) # --enable-native-pkcs11 supported @@ -2118,5 +2118,5 @@ index 79d682e..6c78cb2 100644 # --enable-openssl-hash supported # --enable-threads included without a way to disable it -- -2.21.1 +2.26.2 diff --git a/SOURCES/bind-9.11-rt46047.patch b/SOURCES/bind-9.11-rt46047.patch index ee9bae8..dc2a8e2 100644 --- a/SOURCES/bind-9.11-rt46047.patch +++ b/SOURCES/bind-9.11-rt46047.patch @@ -1,4 +1,4 @@ -From 344c19ad4b3f058e65a4b41650bb0ee20692cc5c Mon Sep 17 00:00:00 2001 +From af3b530773231f8cff6548e36962ad1f25e38c5d Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Thu, 28 Sep 2017 10:09:22 -0700 Subject: [PATCH] completed and corrected the crypto-random change @@ -45,13 +45,13 @@ Subject: [PATCH] completed and corrected the crypto-random change lib/dns/include/dst/dst.h | 14 +++++- lib/dns/openssl_link.c | 3 +- lib/isc/include/isc/entropy.h | 48 +++++++++++++++------ - lib/isc/include/isc/random.h | 28 +++++++----- + lib/isc/include/isc/random.h | 26 +++++++---- lib/isccfg/namedconf.c | 2 +- - 23 files changed, 240 insertions(+), 104 deletions(-) + 23 files changed, 240 insertions(+), 102 deletions(-) create mode 100644 doc/arm/notes-rh-changes.xml diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c -index 295e16f..0f79aa8 100644 +index bd269e7..1ac775f 100644 --- a/bin/confgen/keygen.c +++ b/bin/confgen/keygen.c @@ -161,17 +161,15 @@ generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg, @@ -78,7 +78,7 @@ index 295e16f..0f79aa8 100644 &entropy_source, randomfile, diff --git a/bin/dnssec/dnssec-keygen.docbook b/bin/dnssec/dnssec-keygen.docbook -index 1826919..96543fc 100644 +index bd19e1d..2c09b30 100644 --- a/bin/dnssec/dnssec-keygen.docbook +++ b/bin/dnssec/dnssec-keygen.docbook @@ -349,15 +349,23 @@ @@ -114,7 +114,7 @@ index 1826919..96543fc 100644 diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c -index 5654435..24c0d5a 100644 +index 2a0f9c6..6fcd411 100644 --- a/bin/dnssec/dnssectool.c +++ b/bin/dnssec/dnssectool.c @@ -241,18 +241,16 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { @@ -142,10 +142,10 @@ index 5654435..24c0d5a 100644 usekeyboard); diff --git a/bin/named/client.c b/bin/named/client.c -index 9a0d3c8..c573177 100644 +index 4a50ad9..4d140e8 100644 --- a/bin/named/client.c +++ b/bin/named/client.c -@@ -1765,7 +1765,8 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message, +@@ -1768,7 +1768,8 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message, isc_buffer_init(&buf, cookie, sizeof(cookie)); isc_stdtime_get(&now); @@ -156,7 +156,7 @@ index 9a0d3c8..c573177 100644 compute_cookie(client, now, nonce, ns_g_server->secret, &buf); diff --git a/bin/named/config.c b/bin/named/config.c -index dbdff64..63da4b0 100644 +index 9b343fa..5e663c6 100644 --- a/bin/named/config.c +++ b/bin/named/config.c @@ -98,7 +98,9 @@ options {\n\ @@ -171,10 +171,10 @@ index dbdff64..63da4b0 100644 #endif " recursing-file \"named.recursing\";\n\ diff --git a/bin/named/controlconf.c b/bin/named/controlconf.c -index d955c2f..40621f2 100644 +index 9fdf49b..42128dc 100644 --- a/bin/named/controlconf.c +++ b/bin/named/controlconf.c -@@ -325,9 +325,10 @@ log_invalid(isccc_ccmsg_t *ccmsg, isc_result_t result) { +@@ -327,9 +327,10 @@ log_invalid(isccc_ccmsg_t *ccmsg, isc_result_t result) { static void control_recvmessage(isc_task_t *task, isc_event_t *event) { @@ -188,7 +188,7 @@ index d955c2f..40621f2 100644 isccc_sexpr_t *request = NULL; isccc_sexpr_t *response = NULL; uint32_t algorithm; -@@ -338,16 +339,17 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) { +@@ -340,16 +341,17 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) { isc_buffer_t *text; isc_result_t result; isc_result_t eresult; @@ -208,7 +208,7 @@ index d955c2f..40621f2 100644 algorithm = DST_ALG_UNKNOWN; secret.rstart = NULL; text = NULL; -@@ -458,8 +460,11 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) { +@@ -462,8 +464,11 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) { * Establish nonce. */ if (conn->nonce == 0) { @@ -223,7 +223,7 @@ index d955c2f..40621f2 100644 } else eresult = ns_control_docommand(request, listener->readonly, &text); diff --git a/bin/named/include/named/server.h b/bin/named/include/named/server.h -index 3f96b7b..c92922e 100644 +index 4fd0194..0ba2627 100644 --- a/bin/named/include/named/server.h +++ b/bin/named/include/named/server.h @@ -20,6 +20,7 @@ @@ -234,7 +234,7 @@ index 3f96b7b..c92922e 100644 #include #include #include -@@ -134,6 +135,7 @@ struct ns_server { +@@ -135,6 +136,7 @@ struct ns_server { char * lockfile; uint16_t transfer_tcp_message_size; @@ -243,7 +243,7 @@ index 3f96b7b..c92922e 100644 struct ns_altsecret { diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c -index 9dea7c1..272d300 100644 +index 93aac31..e12fad9 100644 --- a/bin/named/interfacemgr.c +++ b/bin/named/interfacemgr.c @@ -17,6 +17,7 @@ @@ -255,22 +255,22 @@ index 9dea7c1..272d300 100644 #include #include diff --git a/bin/named/query.c b/bin/named/query.c -index 203f1e6..25eeced 100644 +index 58b5914..edf42d2 100644 --- a/bin/named/query.c +++ b/bin/named/query.c -@@ -19,6 +19,7 @@ - #include +@@ -20,6 +20,7 @@ #include + #include #include +#include #include #include #include diff --git a/bin/named/server.c b/bin/named/server.c -index f27071f..f132c19 100644 +index b2ae57c..cca7fe8 100644 --- a/bin/named/server.c +++ b/bin/named/server.c -@@ -8210,21 +8210,32 @@ load_configuration(const char *filename, ns_server_t *server, +@@ -8279,21 +8279,32 @@ load_configuration(const char *filename, ns_server_t *server, * Open the source of entropy. */ if (first_time) { @@ -312,7 +312,7 @@ index f27071f..f132c19 100644 #ifdef PATH_RANDOMDEV if (ns_g_fallbackentropy != NULL) { level = ISC_LOG_INFO; -@@ -8235,8 +8246,8 @@ load_configuration(const char *filename, ns_server_t *server, +@@ -8304,8 +8315,8 @@ load_configuration(const char *filename, ns_server_t *server, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, level, @@ -323,7 +323,7 @@ index f27071f..f132c19 100644 randomdev, isc_result_totext(result)); } -@@ -8256,7 +8267,6 @@ load_configuration(const char *filename, ns_server_t *server, +@@ -8325,7 +8336,6 @@ load_configuration(const char *filename, ns_server_t *server, } isc_entropy_detach(&ns_g_fallbackentropy); } @@ -331,7 +331,7 @@ index f27071f..f132c19 100644 #endif } -@@ -9025,6 +9035,7 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) { +@@ -9097,6 +9107,7 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) { server->in_roothints = NULL; server->blackholeacl = NULL; server->keepresporder = NULL; @@ -339,7 +339,7 @@ index f27071f..f132c19 100644 /* Must be first. */ CHECKFATAL(dst_lib_init2(ns_g_mctx, ns_g_entropy, -@@ -9051,6 +9062,9 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) { +@@ -9123,6 +9134,9 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) { CHECKFATAL(dns_tkeyctx_create(ns_g_mctx, ns_g_entropy, &server->tkeyctx), "creating TKEY context"); @@ -349,7 +349,7 @@ index f27071f..f132c19 100644 /* * Setup the server task, which is responsible for coordinating -@@ -9257,7 +9271,8 @@ ns_server_destroy(ns_server_t **serverp) { +@@ -9329,7 +9343,8 @@ ns_server_destroy(ns_server_t **serverp) { if (server->zonemgr != NULL) dns_zonemgr_detach(&server->zonemgr); @@ -359,7 +359,7 @@ index f27071f..f132c19 100644 if (server->tkeyctx != NULL) dns_tkeyctx_destroy(&server->tkeyctx); -@@ -13263,10 +13278,10 @@ newzone_cfgctx_destroy(void **cfgp) { +@@ -13366,10 +13381,10 @@ newzone_cfgctx_destroy(void **cfgp) { static isc_result_t generate_salt(unsigned char *salt, size_t saltlen) { @@ -372,7 +372,7 @@ index f27071f..f132c19 100644 } rnd; unsigned char text[512 + 1]; isc_region_t r; -@@ -13276,9 +13291,10 @@ generate_salt(unsigned char *salt, size_t saltlen) { +@@ -13379,9 +13394,10 @@ generate_salt(unsigned char *salt, size_t saltlen) { if (saltlen > 256U) return (ISC_R_RANGE); @@ -387,10 +387,10 @@ index f27071f..f132c19 100644 memmove(salt, rnd.rnd, saltlen); diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c -index 0286987..0376377 100644 +index 7f15cbc..458aa76 100644 --- a/bin/nsupdate/nsupdate.c +++ b/bin/nsupdate/nsupdate.c -@@ -283,9 +283,7 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { +@@ -289,9 +289,7 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { } #ifdef ISC_PLATFORM_CRYPTORANDOM @@ -402,7 +402,7 @@ index 0286987..0376377 100644 } #endif diff --git a/bin/tests/system/pipelined/pipequeries.c b/bin/tests/system/pipelined/pipequeries.c -index f0a6ff2..55064f6 100644 +index 95b65bf..7a81d4e 100644 --- a/bin/tests/system/pipelined/pipequeries.c +++ b/bin/tests/system/pipelined/pipequeries.c @@ -280,9 +280,7 @@ main(int argc, char *argv[]) { @@ -417,7 +417,7 @@ index f0a6ff2..55064f6 100644 } #endif diff --git a/bin/tests/system/tkey/keycreate.c b/bin/tests/system/tkey/keycreate.c -index fe8698e..937fcc3 100644 +index 3236968..4fa77b6 100644 --- a/bin/tests/system/tkey/keycreate.c +++ b/bin/tests/system/tkey/keycreate.c @@ -255,9 +255,7 @@ main(int argc, char *argv[]) { @@ -432,7 +432,7 @@ index fe8698e..937fcc3 100644 } #endif diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c -index 2146f9b..64b8e74 100644 +index 43fb6b0..105e151 100644 --- a/bin/tests/system/tkey/keydelete.c +++ b/bin/tests/system/tkey/keydelete.c @@ -171,6 +171,7 @@ main(int argc, char **argv) { @@ -455,22 +455,22 @@ index 2146f9b..64b8e74 100644 } #endif diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml -index 93c7a08..bb1e81d 100644 +index ca98726..1f9df2c 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml -@@ -5081,22 +5081,45 @@ badresp:1,adberr:0,findfail:0,valfail:0] +@@ -5034,22 +5034,45 @@ badresp:1,adberr:0,findfail:0,valfail:0] random-device -- The source of entropy to be used by the server. Entropy is +- This specifies a source of entropy to be used by the server. Entropy is - primarily needed - for DNSSEC operations, such as TKEY transactions and dynamic - update of signed -- zones. This options specifies the device (or file) from which +- zones. This option specifies the device (or file) from which - to read -- entropy. If this is a file, operations requiring entropy will +- entropy. If it is a file, operations requiring entropy will - fail when the -- file has been exhausted. If not specified, the default value +- file has been exhausted. If random-device is not specified, the default value - is - /dev/random - (or equivalent) when present, and none otherwise. The @@ -569,10 +569,10 @@ index 0000000..89a4961 + + diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml -index 589a347..052a0bd 100644 +index a5e42c0..f8cb1f9 100644 --- a/doc/arm/notes.xml +++ b/doc/arm/notes.xml -@@ -40,6 +40,7 @@ +@@ -47,6 +47,7 @@ @@ -581,7 +581,7 @@ index 589a347..052a0bd 100644 diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c -index 1eccbe7..1933993 100644 +index aa54afc..2156384 100644 --- a/lib/dns/dst_api.c +++ b/lib/dns/dst_api.c @@ -2017,10 +2017,12 @@ dst__entropy_getdata(void *buf, unsigned int len, bool pseudo) { @@ -599,7 +599,7 @@ index 1eccbe7..1933993 100644 } diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h -index 6813c96..665574d 100644 +index 3aba028..180c841 100644 --- a/lib/dns/include/dst/dst.h +++ b/lib/dns/include/dst/dst.h @@ -163,8 +163,18 @@ isc_result_t @@ -624,7 +624,7 @@ index 6813c96..665574d 100644 bool diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c -index ffe0a69..5e48686 100644 +index 3f4f822..cfdc757 100644 --- a/lib/dns/openssl_link.c +++ b/lib/dns/openssl_link.c @@ -484,7 +484,8 @@ dst__openssl_getengine(const char *engine) { @@ -638,7 +638,7 @@ index ffe0a69..5e48686 100644 #ifndef DONT_REQUIRE_DST_LIB_INIT INSIST(dst__memory_pool != NULL); diff --git a/lib/isc/include/isc/entropy.h b/lib/isc/include/isc/entropy.h -index c40a18c..c7cb17d 100644 +index f32c9dc..bed276b 100644 --- a/lib/isc/include/isc/entropy.h +++ b/lib/isc/include/isc/entropy.h @@ -189,9 +189,8 @@ isc_entropy_createcallbacksource(isc_entropy_t *ent, @@ -718,26 +718,21 @@ index c40a18c..c7cb17d 100644 ISC_LANG_ENDDECLS diff --git a/lib/isc/include/isc/random.h b/lib/isc/include/isc/random.h -index f8aed34..17c551b 100644 +index f38e80d..3cb1c56 100644 --- a/lib/isc/include/isc/random.h +++ b/lib/isc/include/isc/random.h -@@ -9,8 +9,6 @@ - * information regarding copyright ownership. - */ - --/* $Id: random.h,v 1.20 2009/01/17 23:47:43 tbox Exp $ */ -- - #ifndef ISC_RANDOM_H - #define ISC_RANDOM_H 1 - -@@ -21,13 +19,23 @@ +@@ -19,13 +19,23 @@ #include /*! \file isc/random.h - * \brief Implements a random state pool which will let the caller return a - * series of possibly non-reproducible random values. + * \brief Implements pseudo random number generators. -+ * + * +- * Note that the +- * strength of these numbers is not all that high, and should not be +- * used in cryptography functions. It is useful for jittering values +- * a bit here and there, such as timeouts, etc. + * Two pseudo-random number generators are implemented, in isc_random_* + * and isc_rng_*. Neither one is very strong; they should not be used + * in cryptography functions. @@ -747,11 +742,7 @@ index f8aed34..17c551b 100644 + * It is useful for jittering values a bit here and there, such as + * timeouts, etc, but should not be relied upon to generate + * unpredictable sequences (for example, when choosing transaction IDs). - * -- * Note that the -- * strength of these numbers is not all that high, and should not be -- * used in cryptography functions. It is useful for jittering values -- * a bit here and there, such as timeouts, etc. ++ * + * isc_rng_* is based on ChaCha20, and is seeded and stirred from the + * system entropy source. It is stronger than isc_random_* and can + * be used for generating unpredictable sequences. It is still not as @@ -760,7 +751,7 @@ index f8aed34..17c551b 100644 */ ISC_LANG_BEGINDECLS -@@ -115,8 +123,8 @@ isc_rng_random(isc_rng_t *rngctx); +@@ -113,8 +123,8 @@ isc_rng_random(isc_rng_t *rngctx); uint16_t isc_rng_uniformrandom(isc_rng_t *rngctx, uint16_t upper_bound); /*%< @@ -772,7 +763,7 @@ index f8aed34..17c551b 100644 ISC_LANG_ENDDECLS diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c -index 1c45d5c..91693b5 100644 +index e74c93b..212194e 100644 --- a/lib/isccfg/namedconf.c +++ b/lib/isccfg/namedconf.c @@ -1109,7 +1109,7 @@ options_clauses[] = { @@ -785,5 +776,5 @@ index 1c45d5c..91693b5 100644 { "recursive-clients", &cfg_type_uint32, 0 }, { "reserved-sockets", &cfg_type_uint32, 0 }, -- -2.21.1 +2.26.2 diff --git a/SOURCES/bind-9.11-serve-stale.patch b/SOURCES/bind-9.11-serve-stale.patch index 724a57b..764a40c 100644 --- a/SOURCES/bind-9.11-serve-stale.patch +++ b/SOURCES/bind-9.11-serve-stale.patch @@ -1,4 +1,4 @@ -From 521fc8dcc0ac064ae8bc521418f5b03f0ceec657 Mon Sep 17 00:00:00 2001 +From d55a57427ee696dec51149950478394e43019607 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Thu, 7 Nov 2019 14:31:03 +0100 Subject: [PATCH] Implement serve-stale in 9.11 @@ -240,7 +240,7 @@ Signed-off-by: Petr Menšík bin/tests/system/serve-stale/prereq.sh | 38 ++ bin/tests/system/serve-stale/setup.sh | 13 + bin/tests/system/serve-stale/tests.sh | 536 ++++++++++++++++++ - doc/arm/Bv9ARM-book.xml | 69 ++- + doc/arm/Bv9ARM-book.xml | 77 ++- doc/arm/logging-categories.xml | 11 + doc/arm/notes-rh-changes.xml | 14 +- doc/misc/options | 10 + @@ -263,7 +263,7 @@ Signed-off-by: Petr Menšík lib/dns/tests/db_test.c | 198 ++++++- lib/dns/view.c | 3 + lib/isccfg/namedconf.c | 5 + - 48 files changed, 2122 insertions(+), 102 deletions(-) + 48 files changed, 2126 insertions(+), 106 deletions(-) create mode 100644 bin/tests/system/serve-stale/.gitignore create mode 100644 bin/tests/system/serve-stale/ans2/ans.pl.in create mode 100644 bin/tests/system/serve-stale/clean.sh @@ -276,7 +276,7 @@ Signed-off-by: Petr Menšík create mode 100755 bin/tests/system/serve-stale/tests.sh diff --git a/bin/named/config.c b/bin/named/config.c -index 63da4b0..b598f9b 100644 +index 9e071bb..d2cd3bc 100644 --- a/bin/named/config.c +++ b/bin/named/config.c @@ -182,13 +182,14 @@ options {\n\ @@ -291,7 +291,7 @@ index 63da4b0..b598f9b 100644 max-clients-per-query 100;\n\ max-ncache-ttl 10800; /* 3 hours */\n\ max-recursion-depth 7;\n\ - max-recursion-queries 75;\n\ + max-recursion-queries 100;\n\ + max-stale-ttl 604800; /* 1 week */\n\ message-compression yes;\n\ # min-roots ;\n\ @@ -312,7 +312,7 @@ index 63da4b0..b598f9b 100644 transfer-format many-answers;\n\ v6-bias 50;\n\ diff --git a/bin/named/control.c b/bin/named/control.c -index df23c26..8b79850 100644 +index 23620b4..0756c73 100644 --- a/bin/named/control.c +++ b/bin/named/control.c @@ -282,6 +282,8 @@ ns_control_docommand(isccc_sexpr_t *message, bool readonly, @@ -325,10 +325,10 @@ index df23c26..8b79850 100644 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_CONTROL, ISC_LOG_WARNING, diff --git a/bin/named/include/named/control.h b/bin/named/include/named/control.h -index 8705fdd..1634154 100644 +index 56bad8d..37403f1 100644 --- a/bin/named/include/named/control.h +++ b/bin/named/include/named/control.h -@@ -69,6 +69,7 @@ +@@ -67,6 +67,7 @@ #define NS_COMMAND_MKEYS "managed-keys" #define NS_COMMAND_DNSTAPREOPEN "dnstap-reopen" #define NS_COMMAND_DNSTAP "dnstap" @@ -337,10 +337,10 @@ index 8705fdd..1634154 100644 isc_result_t ns_controls_create(ns_server_t *server, ns_controls_t **ctrlsp); diff --git a/bin/named/include/named/log.h b/bin/named/include/named/log.h -index 56bfcd4..cd8db60 100644 +index 76e3a51..0d1d985 100644 --- a/bin/named/include/named/log.h +++ b/bin/named/include/named/log.h -@@ -32,6 +32,7 @@ +@@ -30,6 +30,7 @@ #define NS_LOGCATEGORY_UPDATE_SECURITY (&ns_g_categories[6]) #define NS_LOGCATEGORY_QUERY_ERRORS (&ns_g_categories[7]) #define NS_LOGCATEGORY_TAT (&ns_g_categories[8]) @@ -349,7 +349,7 @@ index 56bfcd4..cd8db60 100644 /* * Backwards compatibility. diff --git a/bin/named/include/named/query.h b/bin/named/include/named/query.h -index 9661f56..445b578 100644 +index ef1b172..53c052b 100644 --- a/bin/named/include/named/query.h +++ b/bin/named/include/named/query.h @@ -35,6 +35,18 @@ typedef struct ns_dbversion { @@ -389,10 +389,10 @@ index 9661f56..445b578 100644 bool root_key_sentinel_is_ta; bool root_key_sentinel_not_ta; diff --git a/bin/named/include/named/server.h b/bin/named/include/named/server.h -index c92922e..588bf2d 100644 +index 0ba2627..08a02dc 100644 --- a/bin/named/include/named/server.h +++ b/bin/named/include/named/server.h -@@ -226,7 +226,10 @@ enum { +@@ -227,7 +227,10 @@ enum { dns_nsstatscounter_reclimitdropped = 58, @@ -404,7 +404,7 @@ index c92922e..588bf2d 100644 }; /*% -@@ -765,4 +768,12 @@ ns_server_mkeys(ns_server_t *server, isc_lex_t *lex, isc_buffer_t **text); +@@ -766,4 +769,12 @@ ns_server_mkeys(ns_server_t *server, isc_lex_t *lex, isc_buffer_t **text); isc_result_t ns_server_dnstap(ns_server_t *server, isc_lex_t *lex, isc_buffer_t **text); @@ -418,7 +418,7 @@ index c92922e..588bf2d 100644 + isc_buffer_t **text); #endif /* NAMED_SERVER_H */ diff --git a/bin/named/log.c b/bin/named/log.c -index 3aa25e9..12f178b 100644 +index acfa766..ea6f114 100644 --- a/bin/named/log.c +++ b/bin/named/log.c @@ -38,6 +38,7 @@ static isc_logcategory_t categories[] = { @@ -430,10 +430,10 @@ index 3aa25e9..12f178b 100644 }; diff --git a/bin/named/query.c b/bin/named/query.c -index 25eeced..162e4ea 100644 +index b14f081..a95f5ad 100644 --- a/bin/named/query.c +++ b/bin/named/query.c -@@ -125,10 +125,14 @@ +@@ -149,10 +149,14 @@ last_cmpxchg(isc_stdtime_t *x, isc_stdtime_t *e, isc_stdtime_t r) { #define REDIRECT(c) (((c)->query.attributes & \ NS_QUERYATTR_REDIRECT) != 0) @@ -449,7 +449,7 @@ index 25eeced..162e4ea 100644 #ifdef WANT_QUERYTRACE static inline void client_trace(ns_client_t *client, int level, const char *message) { -@@ -217,6 +221,10 @@ static bool +@@ -241,6 +245,10 @@ static bool rpz_ck_dnssec(ns_client_t *client, isc_result_t qresult, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset); @@ -460,7 +460,7 @@ index 25eeced..162e4ea 100644 /*% * Increment query statistics counters. */ -@@ -470,6 +478,7 @@ query_reset(ns_client_t *client, bool everything) { +@@ -494,6 +502,7 @@ query_reset(ns_client_t *client, bool everything) { client->query.isreferral = false; client->query.dns64_options = 0; client->query.dns64_ttl = UINT32_MAX; @@ -468,8 +468,8 @@ index 25eeced..162e4ea 100644 client->query.root_key_sentinel_keyid = 0; client->query.root_key_sentinel_is_ta = false; client->query.root_key_sentinel_not_ta = false; -@@ -4254,6 +4263,54 @@ query_prefetch(ns_client_t *client, dns_name_t *qname, - dns_rdataset_clearprefetch(rdataset); +@@ -4305,6 +4314,54 @@ log_quota(ns_client_t *client, isc_stdtime_t *last, isc_stdtime_t now, + } } +/*% @@ -523,7 +523,7 @@ index 25eeced..162e4ea 100644 static isc_result_t query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname, dns_name_t *qdomain, dns_rdataset_t *nameservers, -@@ -4263,6 +4320,19 @@ query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname, +@@ -4314,6 +4371,19 @@ query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname, dns_rdataset_t *rdataset, *sigrdataset; isc_sockaddr_t *peeraddr; @@ -543,7 +543,7 @@ index 25eeced..162e4ea 100644 if (!resuming) inc_stats(client, dns_nsstatscounter_recursion); -@@ -6780,6 +6850,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) +@@ -6821,6 +6891,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) int line = -1; bool dns64_exclude, dns64, rpz; bool nxrewrite = false; @@ -551,7 +551,7 @@ index 25eeced..162e4ea 100644 bool redirected = false; dns_clientinfomethods_t cm; dns_clientinfo_t ci; -@@ -7089,6 +7160,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) +@@ -7130,6 +7201,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) type = qtype; restart: @@ -559,7 +559,7 @@ index 25eeced..162e4ea 100644 CTRACE(ISC_LOG_DEBUG(3), "query_find: restart"); want_restart = false; authoritative = false; -@@ -7233,6 +7305,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) +@@ -7274,6 +7346,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) } db_find: @@ -567,7 +567,7 @@ index 25eeced..162e4ea 100644 CTRACE(ISC_LOG_DEBUG(3), "query_find: db_find"); /* * We'll need some resources... -@@ -7290,6 +7363,35 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) +@@ -7331,6 +7404,35 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) if (!is_zone) dns_cache_updatestats(client->view->cache, result); @@ -603,7 +603,7 @@ index 25eeced..162e4ea 100644 resume: CTRACE(ISC_LOG_DEBUG(3), "query_find: resume"); -@@ -7635,6 +7737,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) +@@ -7676,6 +7778,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) * The cache doesn't even have the root NS. Get them from * the hints DB. */ @@ -611,7 +611,7 @@ index 25eeced..162e4ea 100644 INSIST(!is_zone); if (db != NULL) dns_db_detach(&db); -@@ -7697,12 +7800,14 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) +@@ -7738,12 +7841,14 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) */ /* FALLTHROUGH */ case DNS_R_DELEGATION: @@ -626,7 +626,7 @@ index 25eeced..162e4ea 100644 if (!RECURSIONOK(client) && (options & DNS_GETDB_NOEXACT) != 0 && qtype == dns_rdatatype_ds) { -@@ -8089,6 +8194,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) +@@ -8130,6 +8235,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) false, true); } } @@ -634,7 +634,7 @@ index 25eeced..162e4ea 100644 if (dns_rdataset_isassociated(rdataset)) { /* * If we've got a NSEC record, we need to save the -@@ -8409,7 +8515,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) +@@ -8450,7 +8556,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) /* * If we have a zero ttl from the cache refetch it. */ @@ -644,7 +644,7 @@ index 25eeced..162e4ea 100644 RECURSIONOK(client)) { if (dns_rdataset_isassociated(rdataset)) -@@ -8627,7 +8734,11 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) +@@ -8676,7 +8783,11 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) "query_find: unexpected error after resuming: %s", isc_result_totext(result)); CTRACE(ISC_LOG_ERROR, errmsg); @@ -657,7 +657,7 @@ index 25eeced..162e4ea 100644 goto cleanup; } -@@ -8883,7 +8994,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) +@@ -8932,7 +9043,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) /* * If we have a zero ttl from the cache refetch it. */ @@ -666,7 +666,7 @@ index 25eeced..162e4ea 100644 RECURSIONOK(client)) { if (dns_rdataset_isassociated(rdataset)) -@@ -8894,6 +9005,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) +@@ -8943,6 +9054,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) if (node != NULL) dns_db_detachnode(db, &node); @@ -674,7 +674,7 @@ index 25eeced..162e4ea 100644 INSIST(!REDIRECT(client)); result = query_recurse(client, qtype, client->query.qname, -@@ -9174,6 +9286,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) +@@ -9223,6 +9335,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) dns_fixedname_name(&wildcardname), true, false); cleanup: @@ -682,7 +682,7 @@ index 25eeced..162e4ea 100644 CTRACE(ISC_LOG_DEBUG(3), "query_find: cleanup"); /* * General cleanup. -@@ -9230,6 +9343,49 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) +@@ -9279,6 +9392,49 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) goto restart; } @@ -733,7 +733,7 @@ index 25eeced..162e4ea 100644 (!PARTIALANSWER(client) || WANTRECURSION(client) || eresult == DNS_R_DROP)) { diff --git a/bin/named/server.c b/bin/named/server.c -index 1f23cf0..1fa836f 100644 +index 2bdf690..3a5ba91 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -1720,7 +1720,8 @@ static bool @@ -843,7 +843,7 @@ index 1f23cf0..1fa836f 100644 /* * Set supported DNSSEC algorithms. */ -@@ -14456,3 +14500,132 @@ ns_server_dnstap(ns_server_t *server, isc_lex_t *lex, isc_buffer_t **text) { +@@ -14559,3 +14603,132 @@ ns_server_dnstap(ns_server_t *server, isc_lex_t *lex, isc_buffer_t **text) { return (ISC_R_NOTIMPLEMENTED); #endif } @@ -977,7 +977,7 @@ index 1f23cf0..1fa836f 100644 + return (result); +} diff --git a/bin/named/statschannel.c b/bin/named/statschannel.c -index 4b8d972..8c68737 100644 +index 12ab048..4938c03 100644 --- a/bin/named/statschannel.c +++ b/bin/named/statschannel.c @@ -300,6 +300,12 @@ init_desc(void) { @@ -994,7 +994,7 @@ index 4b8d972..8c68737 100644 /* Initialize resolver statistics */ diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c -index 8083654..d519983 100644 +index 0acfe3a..2c21c1d 100644 --- a/bin/rndc/rndc.c +++ b/bin/rndc/rndc.c @@ -160,6 +160,8 @@ command is one of the following:\n\ @@ -1007,7 +1007,7 @@ index 8083654..d519983 100644 Print a zone's configuration.\n\ sign zone [class [view]]\n\ diff --git a/bin/rndc/rndc.docbook b/bin/rndc/rndc.docbook -index e14a17e..eaf32d3 100644 +index 159ded9..12a7208 100644 --- a/bin/rndc/rndc.docbook +++ b/bin/rndc/rndc.docbook @@ -689,6 +689,25 @@ @@ -1037,7 +1037,7 @@ index e14a17e..eaf32d3 100644 secroots - view ... diff --git a/bin/tests/system/chain/prereq.sh b/bin/tests/system/chain/prereq.sh -index f3f1939..9ff3f07 100644 +index 23bedcd..43385de 100644 --- a/bin/tests/system/chain/prereq.sh +++ b/bin/tests/system/chain/prereq.sh @@ -48,3 +48,10 @@ else @@ -1052,7 +1052,7 @@ index f3f1939..9ff3f07 100644 + exit 1 +fi diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in -index 22749b9..a247fd5 100644 +index f6412f6..26c8901 100644 --- a/bin/tests/system/conf.sh.in +++ b/bin/tests/system/conf.sh.in @@ -128,7 +128,7 @@ PARALLELDIRS="dnssec rpzrecurse \ @@ -2039,10 +2039,10 @@ index 0000000..201c996 +echo "I:exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml -index bb1e81d..6dbbfad 100644 +index 99c8680..5fbabfe 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml -@@ -4381,6 +4381,9 @@ badresp:1,adberr:0,findfail:0,valfail:0] +@@ -4336,6 +4336,9 @@ badresp:1,adberr:0,findfail:0,valfail:0] statement in the named.conf file: @@ -2052,7 +2052,7 @@ index bb1e81d..6dbbfad 100644
<command>options</command> Statement Definition and -@@ -4474,6 +4477,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] +@@ -4429,6 +4432,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] <command>dnssec-validation</command>, <command>max-cache-ttl</command>, <command>max-ncache-ttl</command>, @@ -2060,7 +2060,7 @@ index bb1e81d..6dbbfad 100644 <command>max-cache-size</command>, and <command>zero-no-soa-ttl</command>. </para> -@@ -5485,7 +5489,6 @@ options { +@@ -5438,7 +5442,6 @@ options { </listitem> </varlistentry> @@ -2068,7 +2068,7 @@ index bb1e81d..6dbbfad 100644 <varlistentry> <term><command>max-zone-ttl</command></term> <listitem> -@@ -5521,6 +5524,21 @@ options { +@@ -5474,6 +5477,21 @@ options { </listitem> </varlistentry> @@ -2090,7 +2090,7 @@ index bb1e81d..6dbbfad 100644 <varlistentry> <term><command>serial-update-method</command></term> <listitem> -@@ -6280,6 +6298,22 @@ options { +@@ -6227,6 +6245,22 @@ options { </listitem> </varlistentry> @@ -2113,31 +2113,34 @@ index bb1e81d..6dbbfad 100644 <varlistentry> <term><command>nocookie-udp-size</command></term> <listitem> -@@ -7501,14 +7535,20 @@ options { +@@ -7449,13 +7483,19 @@ options { <term><command>resolver-query-timeout</command></term> <listitem> <para> -- The amount of time in seconds that the resolver -+ The amount of time in milliseconds that the resolver - will spend attempting to resolve a recursive - query before failing. The default and minimum +- This is the amount of time in seconds that the +- resolver spends attempting to resolve a recursive +- query before failing. The default and minimum - is <literal>10</literal> and the maximum is - <literal>30</literal>. Setting it to +- <literal>0</literal> results in the default +- being used. ++ The amount of time in milliseconds that the resolver ++ will spend attempting to resolve a recursive ++ query before failing. The default and minimum + is <literal>10000</literal> and the maximum is + <literal>30000</literal>. Setting it to - <literal>0</literal> will result in the default - being used. - </para> ++ <literal>0</literal> will result in the default ++ being used. ++ </para> + <para> + This value was originally specified in seconds. + Values less than or equal to 300 will be be treated + as seconds and converted to milliseconds before + applying the above limits. -+ </para> + </para> </listitem> </varlistentry> - </variablelist> -@@ -8994,6 +9034,27 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; +@@ -9016,6 +9056,27 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; </listitem> </varlistentry> @@ -2166,7 +2169,7 @@ index bb1e81d..6dbbfad 100644 <term><command>min-roots</command></term> <listitem> diff --git a/doc/arm/logging-categories.xml b/doc/arm/logging-categories.xml -index 181def7..59f6afb 100644 +index 56d05e8..098342b 100644 --- a/doc/arm/logging-categories.xml +++ b/doc/arm/logging-categories.xml @@ -311,6 +311,17 @@ @@ -2278,7 +2281,7 @@ index e11beed..fde93c7 100644 topology { <address_match_element>; ... }; // not implemented transfer-format ( many-answers | one-answer ); diff --git a/lib/bind9/check.c b/lib/bind9/check.c -index eaac5ba..a89d78f 100644 +index bf769fe..6c57fa4 100644 --- a/lib/bind9/check.c +++ b/lib/bind9/check.c @@ -99,7 +99,8 @@ check_orderent(const cfg_obj_t *ent, isc_log_t *logctx) { @@ -2522,7 +2525,7 @@ index eaac5ba..a89d78f 100644 } diff --git a/lib/dns/cache.c b/lib/dns/cache.c -index 4701ff8..97e427a 100644 +index 2965a4f..617737a 100644 --- a/lib/dns/cache.c +++ b/lib/dns/cache.c @@ -138,6 +138,7 @@ struct dns_cache { @@ -2592,7 +2595,7 @@ index 4701ff8..97e427a 100644 * The cleaner task is shutting down; do the necessary cleanup. */ diff --git a/lib/dns/db.c b/lib/dns/db.c -index ee3e00d..576aa65 100644 +index a28a566..c581646 100644 --- a/lib/dns/db.c +++ b/lib/dns/db.c @@ -1130,3 +1130,25 @@ dns_db_nodefullname(dns_db_t *db, dns_dbnode_t *node, dns_name_t *name) { @@ -2622,7 +2625,7 @@ index ee3e00d..576aa65 100644 + return (ISC_R_NOTIMPLEMENTED); +} diff --git a/lib/dns/ecdb.c b/lib/dns/ecdb.c -index 47994ea..23bfe7d 100644 +index fc94ccf..76d0417 100644 --- a/lib/dns/ecdb.c +++ b/lib/dns/ecdb.c @@ -588,7 +588,9 @@ static dns_dbmethods_t ecdb_methods = { @@ -2637,7 +2640,7 @@ index 47994ea..23bfe7d 100644 static isc_result_t diff --git a/lib/dns/include/dns/cache.h b/lib/dns/include/dns/cache.h -index 62797db..714b78e 100644 +index ab4b0b5..e158014 100644 --- a/lib/dns/include/dns/cache.h +++ b/lib/dns/include/dns/cache.h @@ -260,6 +260,27 @@ dns_cache_getcachesize(dns_cache_t *cache); @@ -2669,7 +2672,7 @@ index 62797db..714b78e 100644 dns_cache_flush(dns_cache_t *cache); /*%< diff --git a/lib/dns/include/dns/db.h b/lib/dns/include/dns/db.h -index 6f0eed0..e3917f2 100644 +index 96f3a8f..452770f 100644 --- a/lib/dns/include/dns/db.h +++ b/lib/dns/include/dns/db.h @@ -195,6 +195,8 @@ typedef struct dns_dbmethods { @@ -2729,7 +2732,7 @@ index 6f0eed0..e3917f2 100644 #endif /* DNS_DB_H */ diff --git a/lib/dns/include/dns/rdataset.h b/lib/dns/include/dns/rdataset.h -index 5295d8e..97071ed 100644 +index ed9119a..710e97c 100644 --- a/lib/dns/include/dns/rdataset.h +++ b/lib/dns/include/dns/rdataset.h @@ -128,6 +128,7 @@ struct dns_rdataset { @@ -2783,7 +2786,7 @@ index 5295d8e..97071ed 100644 /*% * _OMITDNSSEC: diff --git a/lib/dns/include/dns/resolver.h b/lib/dns/include/dns/resolver.h -index 0b66c75..4b4b6bd 100644 +index 7b3c047..bd7d225 100644 --- a/lib/dns/include/dns/resolver.h +++ b/lib/dns/include/dns/resolver.h @@ -547,9 +547,12 @@ dns_resolver_getmustbesecure(dns_resolver_t *resolver, dns_name_t *name); @@ -2852,12 +2855,12 @@ index 0b66c75..4b4b6bd 100644 dns_resolver_getoptions(dns_resolver_t *resolver); diff --git a/lib/dns/include/dns/types.h b/lib/dns/include/dns/types.h -index 567e8a8..7bf2b60 100644 +index 2468e3c..934a641 100644 --- a/lib/dns/include/dns/types.h +++ b/lib/dns/include/dns/types.h -@@ -385,6 +385,12 @@ typedef enum { - dns_updatemethod_date - } dns_updatemethod_t; +@@ -390,6 +390,12 @@ typedef struct { + size_t count; + } dns_indent_t; +typedef enum { + dns_stale_answer_no, @@ -2869,7 +2872,7 @@ index 567e8a8..7bf2b60 100644 * Functions. */ diff --git a/lib/dns/include/dns/view.h b/lib/dns/include/dns/view.h -index c849dec..647ca2a 100644 +index 53f1db1..96148c7 100644 --- a/lib/dns/include/dns/view.h +++ b/lib/dns/include/dns/view.h @@ -229,6 +229,9 @@ struct dns_view { @@ -2883,7 +2886,7 @@ index c849dec..647ca2a 100644 #define DNS_VIEW_MAGIC ISC_MAGIC('V','i','e','w') diff --git a/lib/dns/master.c b/lib/dns/master.c -index 8edd732..8c9f00e 100644 +index 7d26b81..36999b5 100644 --- a/lib/dns/master.c +++ b/lib/dns/master.c @@ -1948,12 +1948,18 @@ load_text(dns_loadctx_t *lctx) { @@ -2910,7 +2913,7 @@ index 8edd732..8c9f00e 100644 /* diff --git a/lib/dns/masterdump.c b/lib/dns/masterdump.c -index 13d1a3e..873b694 100644 +index fa839a0..91b3cab 100644 --- a/lib/dns/masterdump.c +++ b/lib/dns/masterdump.c @@ -81,6 +81,9 @@ struct dns_master_style { @@ -2979,10 +2982,10 @@ index 13d1a3e..873b694 100644 RUNTIME_CHECK(result == ISC_R_SUCCESS); isc_buffer_usedregion(&buffer, &r); diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c -index 02f2c84..fda991d 100644 +index 3a60bcf..8ea4d47 100644 --- a/lib/dns/rbtdb.c +++ b/lib/dns/rbtdb.c -@@ -490,6 +490,7 @@ typedef ISC_LIST(rdatasetheader_t) rdatasetheaderlist_t; +@@ -511,6 +511,7 @@ typedef ISC_LIST(rdatasetheader_t) rdatasetheaderlist_t; typedef ISC_LIST(dns_rbtnode_t) rbtnodelist_t; #define RDATASET_ATTR_NONEXISTENT 0x0001 @@ -2990,7 +2993,7 @@ index 02f2c84..fda991d 100644 #define RDATASET_ATTR_STALE 0x0002 #define RDATASET_ATTR_IGNORE 0x0004 #define RDATASET_ATTR_RETAIN 0x0008 -@@ -502,6 +503,8 @@ typedef ISC_LIST(dns_rbtnode_t) rbtnodelist_t; +@@ -523,6 +524,8 @@ typedef ISC_LIST(dns_rbtnode_t) rbtnodelist_t; #define RDATASET_ATTR_CASESET 0x0400 #define RDATASET_ATTR_ZEROTTL 0x0800 #define RDATASET_ATTR_CASEFULLYLOWER 0x1000 @@ -2999,7 +3002,7 @@ index 02f2c84..fda991d 100644 typedef struct acache_cbarg { dns_rdatasetadditional_t type; -@@ -552,6 +555,8 @@ struct acachectl { +@@ -573,6 +576,8 @@ struct acachectl { (((header)->attributes & RDATASET_ATTR_ZEROTTL) != 0) #define CASEFULLYLOWER(header) \ (((header)->attributes & RDATASET_ATTR_CASEFULLYLOWER) != 0) @@ -3008,7 +3011,7 @@ index 02f2c84..fda991d 100644 #define ACTIVE(header, now) \ -@@ -611,6 +616,12 @@ typedef enum { +@@ -632,6 +637,12 @@ typedef enum { expire_flush } expire_t; @@ -3021,7 +3024,7 @@ index 02f2c84..fda991d 100644 typedef struct rbtdb_version { /* Not locked */ rbtdb_serial_t serial; -@@ -678,6 +689,12 @@ struct dns_rbtdb { +@@ -699,6 +710,12 @@ struct dns_rbtdb { dns_dbnode_t *soanode; dns_dbnode_t *nsnode; @@ -3034,7 +3037,7 @@ index 02f2c84..fda991d 100644 /* * This is a linked list used to implement the LRU cache. There will * be node_lock_count linked lists here. Nodes in bucket 1 will be -@@ -721,6 +738,8 @@ struct dns_rbtdb { +@@ -742,6 +759,8 @@ struct dns_rbtdb { #define RBTDB_ATTR_LOADED 0x01 #define RBTDB_ATTR_LOADING 0x02 @@ -3043,7 +3046,7 @@ index 02f2c84..fda991d 100644 /*% * Search Context */ -@@ -1791,15 +1810,15 @@ rollback_node(dns_rbtnode_t *node, rbtdb_serial_t serial) { +@@ -1816,15 +1835,15 @@ rollback_node(dns_rbtnode_t *node, rbtdb_serial_t serial) { } static inline void @@ -3063,7 +3066,7 @@ index 02f2c84..fda991d 100644 header->node->dirty = 1; /* -@@ -1840,8 +1859,8 @@ clean_cache_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) { +@@ -1865,8 +1884,8 @@ clean_cache_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) { /* * If current is nonexistent or stale, we can clean it up. */ @@ -3074,7 +3077,7 @@ index 02f2c84..fda991d 100644 if (top_prev != NULL) top_prev->next = current->next; else -@@ -2086,6 +2105,80 @@ delete_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) { +@@ -2111,6 +2130,80 @@ delete_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) { } } @@ -3155,7 +3158,7 @@ index 02f2c84..fda991d 100644 /* * Caller must be holding the node lock. */ -@@ -3313,6 +3406,12 @@ bind_rdataset(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node, +@@ -3343,6 +3436,12 @@ bind_rdataset(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node, rdatasetheader_t *header, rdataset->attributes |= DNS_RDATASETATTR_OPTOUT; if (PREFETCH(header)) rdataset->attributes |= DNS_RDATASETATTR_PREFETCH; @@ -3168,7 +3171,7 @@ index 02f2c84..fda991d 100644 rdataset->private1 = rbtdb; rdataset->private2 = node; raw = (unsigned char *)header + sizeof(*header); -@@ -4653,6 +4752,19 @@ check_stale_header(dns_rbtnode_t *node, rdatasetheader_t *header, +@@ -4698,6 +4797,19 @@ check_stale_header(dns_rbtnode_t *node, rdatasetheader_t *header, #endif if (!ACTIVE(header, search->now)) { @@ -3188,7 +3191,7 @@ index 02f2c84..fda991d 100644 /* * This rdataset is stale. If no one else is using the * node, we can clean it up right now, otherwise we mark -@@ -4692,7 +4804,7 @@ check_stale_header(dns_rbtnode_t *node, rdatasetheader_t *header, +@@ -4737,7 +4849,7 @@ check_stale_header(dns_rbtnode_t *node, rdatasetheader_t *header, node->data = header->next; free_rdataset(search->rbtdb, mctx, header); } else { @@ -3197,7 +3200,7 @@ index 02f2c84..fda991d 100644 *header_prev = header; } } else -@@ -5130,7 +5242,7 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version, +@@ -5178,7 +5290,7 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version, &locktype, lock, &search, &header_prev)) { /* Do nothing. */ @@ -3206,7 +3209,7 @@ index 02f2c84..fda991d 100644 /* * We now know that there is at least one active * non-stale rdataset at this node. -@@ -5608,7 +5720,7 @@ expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now) { +@@ -5661,7 +5773,7 @@ expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now) { * refcurrent(rbtnode) must be non-zero. This is so * because 'node' is an argument to the function. */ @@ -3215,7 +3218,7 @@ index 02f2c84..fda991d 100644 if (log) isc_log_write(dns_lctx, category, module, level, "overmem cache: stale %s", -@@ -5616,7 +5728,7 @@ expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now) { +@@ -5669,7 +5781,7 @@ expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now) { } else if (force_expire) { if (! RETAIN(header)) { set_ttl(rbtdb, header, 0); @@ -3224,7 +3227,7 @@ index 02f2c84..fda991d 100644 } else if (log) { isc_log_write(dns_lctx, category, module, level, "overmem cache: " -@@ -5873,9 +5985,9 @@ cache_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, +@@ -5928,9 +6040,9 @@ cache_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, * non-zero. This is so because 'node' is an * argument to the function. */ @@ -3236,7 +3239,7 @@ index 02f2c84..fda991d 100644 if (header->type == matchtype) found = header; else if (header->type == RBTDB_RDATATYPE_NCACHEANY || -@@ -6167,7 +6279,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion, +@@ -6232,7 +6344,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion, topheader = topheader->next) { set_ttl(rbtdb, topheader, 0); @@ -3245,7 +3248,7 @@ index 02f2c84..fda991d 100644 } goto find_header; } -@@ -6225,7 +6337,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion, +@@ -6293,7 +6405,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion, * ncache entry. */ set_ttl(rbtdb, topheader, 0); @@ -3254,7 +3257,7 @@ index 02f2c84..fda991d 100644 topheader = NULL; goto find_header; } -@@ -6263,8 +6375,11 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion, +@@ -6331,8 +6443,11 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion, } /* @@ -3268,7 +3271,7 @@ index 02f2c84..fda991d 100644 */ if (rbtversion == NULL && trust < header->trust && (ACTIVE(header, now) || header_nx)) { -@@ -6293,6 +6408,10 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion, +@@ -6362,6 +6477,10 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion, if ((options & DNS_DBADD_EXACT) != 0) flags |= DNS_RDATASLAB_EXACT; @@ -3279,7 +3282,7 @@ index 02f2c84..fda991d 100644 if ((options & DNS_DBADD_EXACTTTL) != 0 && newheader->rdh_ttl != header->rdh_ttl) result = DNS_R_NOTEXACT; -@@ -6336,11 +6455,12 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion, +@@ -6405,11 +6524,12 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion, } } /* @@ -3297,7 +3300,7 @@ index 02f2c84..fda991d 100644 */ if (IS_CACHE(rbtdb) && ACTIVE(header, now) && header->type == dns_rdatatype_ns && -@@ -6511,10 +6631,10 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion, +@@ -6582,10 +6702,10 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion, changed->dirty = true; if (rbtversion == NULL) { set_ttl(rbtdb, header, 0); @@ -3310,7 +3313,7 @@ index 02f2c84..fda991d 100644 } } if (rbtversion != NULL && !header_nx) { -@@ -8331,6 +8451,30 @@ nodefullname(dns_db_t *db, dns_dbnode_t *node, dns_name_t *name) { +@@ -8436,6 +8556,30 @@ nodefullname(dns_db_t *db, dns_dbnode_t *node, dns_name_t *name) { return (result); } @@ -3341,7 +3344,7 @@ index 02f2c84..fda991d 100644 static dns_dbmethods_t zone_methods = { attach, detach, -@@ -8376,7 +8520,9 @@ static dns_dbmethods_t zone_methods = { +@@ -8481,7 +8625,9 @@ static dns_dbmethods_t zone_methods = { NULL, hashsize, nodefullname, @@ -3352,7 +3355,7 @@ index 02f2c84..fda991d 100644 }; static dns_dbmethods_t cache_methods = { -@@ -8424,7 +8570,9 @@ static dns_dbmethods_t cache_methods = { +@@ -8529,7 +8675,9 @@ static dns_dbmethods_t cache_methods = { setcachestats, hashsize, nodefullname, @@ -3363,7 +3366,7 @@ index 02f2c84..fda991d 100644 }; isc_result_t -@@ -8695,7 +8843,7 @@ dns_rbtdb_create +@@ -8800,7 +8948,7 @@ dns_rbtdb_create rbtdb->rpzs = NULL; rbtdb->load_rpzs = NULL; rbtdb->rpz_num = DNS_RPZ_INVALID_NUM; @@ -3372,7 +3375,7 @@ index 02f2c84..fda991d 100644 /* * Version Initialization. */ -@@ -9113,7 +9261,8 @@ rdatasetiter_first(dns_rdatasetiter_t *iterator) { +@@ -9218,7 +9366,8 @@ rdatasetiter_first(dns_rdatasetiter_t *iterator) { * rdatasets to work. */ if (NONEXISTENT(header) || @@ -3382,7 +3385,7 @@ index 02f2c84..fda991d 100644 header = NULL; break; } else -@@ -10322,7 +10471,7 @@ static inline bool +@@ -10427,7 +10576,7 @@ static inline bool need_headerupdate(rdatasetheader_t *header, isc_stdtime_t now) { if ((header->attributes & (RDATASET_ATTR_NONEXISTENT | @@ -3391,7 +3394,7 @@ index 02f2c84..fda991d 100644 RDATASET_ATTR_ZEROTTL)) != 0) return (false); -@@ -10428,7 +10577,7 @@ expire_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, +@@ -10533,7 +10682,7 @@ expire_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, bool tree_locked, expire_t reason) { set_ttl(rbtdb, header, 0); @@ -3401,7 +3404,7 @@ index 02f2c84..fda991d 100644 /* * Caller must hold the node (write) lock. diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c -index 337a2f3..24e14d2 100644 +index 49ec49c..2de70a6 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c @@ -141,16 +141,17 @@ @@ -3434,7 +3437,7 @@ index 337a2f3..24e14d2 100644 #endif /* The default maximum number of recursions to follow before giving up. */ -@@ -515,6 +516,11 @@ struct dns_resolver { +@@ -529,6 +530,11 @@ struct dns_resolver { dns_fetch_t * primefetch; /* Locked by nlock. */ unsigned int nfctx; @@ -3446,7 +3449,7 @@ index 337a2f3..24e14d2 100644 }; #define RES_MAGIC ISC_MAGIC('R', 'e', 's', '!') -@@ -1625,14 +1631,12 @@ fctx_setretryinterval(fetchctx_t *fctx, unsigned int rtt) { +@@ -1650,14 +1656,12 @@ fctx_setretryinterval(fetchctx_t *fctx, unsigned int rtt) { unsigned int seconds; unsigned int us; @@ -3465,7 +3468,7 @@ index 337a2f3..24e14d2 100644 /* * Add a fudge factor to the expected rtt based on the current -@@ -4494,7 +4498,8 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type, +@@ -4542,7 +4546,8 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type, /* * Compute an expiration time for the entire fetch. */ @@ -3475,7 +3478,7 @@ index 337a2f3..24e14d2 100644 iresult = isc_time_nowplusinterval(&fctx->expires, &interval); if (iresult != ISC_R_SUCCESS) { UNEXPECTED_ERROR(__FILE__, __LINE__, -@@ -8983,6 +8988,8 @@ dns_resolver_create(dns_view_t *view, +@@ -9105,6 +9110,8 @@ dns_resolver_create(dns_view_t *view, res->spillattimer = NULL; res->zspill = 0; res->zero_no_soa_ttl = false; @@ -3484,7 +3487,7 @@ index 337a2f3..24e14d2 100644 res->query_timeout = DEFAULT_QUERY_TIMEOUT; res->maxdepth = DEFAULT_RECURSION_DEPTH; res->maxqueries = DEFAULT_MAX_QUERIES; -@@ -10317,17 +10324,20 @@ dns_resolver_gettimeout(dns_resolver_t *resolver) { +@@ -10439,17 +10446,20 @@ dns_resolver_gettimeout(dns_resolver_t *resolver) { } void @@ -3513,7 +3516,7 @@ index 337a2f3..24e14d2 100644 } void -@@ -10424,3 +10434,34 @@ dns_resolver_getquotaresponse(dns_resolver_t *resolver, dns_quotatype_t which) +@@ -10546,3 +10556,34 @@ dns_resolver_getquotaresponse(dns_resolver_t *resolver, dns_quotatype_t which) return (resolver->quotaresp[which]); } @@ -3549,10 +3552,10 @@ index 337a2f3..24e14d2 100644 + resolver->nonbackofftries = tries; +} diff --git a/lib/dns/sdb.c b/lib/dns/sdb.c -index d4c8c67..ee9be79 100644 +index 477bb74..09cf932 100644 --- a/lib/dns/sdb.c +++ b/lib/dns/sdb.c -@@ -1368,7 +1368,9 @@ static dns_dbmethods_t sdb_methods = { +@@ -1370,7 +1370,9 @@ static dns_dbmethods_t sdb_methods = { NULL, /* setcachestats */ NULL, /* hashsize */ NULL, /* nodefullname */ @@ -3564,7 +3567,7 @@ index d4c8c67..ee9be79 100644 static isc_result_t diff --git a/lib/dns/sdlz.c b/lib/dns/sdlz.c -index 0b9620c..331992e 100644 +index 037d74a..9218fed 100644 --- a/lib/dns/sdlz.c +++ b/lib/dns/sdlz.c @@ -1336,7 +1336,9 @@ static dns_dbmethods_t sdlzdb_methods = { @@ -3579,7 +3582,7 @@ index 0b9620c..331992e 100644 /* diff --git a/lib/dns/tests/db_test.c b/lib/dns/tests/db_test.c -index 2849775..812f750 100644 +index bc1cc3f..60fdb81 100644 --- a/lib/dns/tests/db_test.c +++ b/lib/dns/tests/db_test.c @@ -28,8 +28,9 @@ @@ -3810,7 +3813,7 @@ index 2849775..812f750 100644 _setup, _teardown), cmocka_unit_test_setup_teardown(dbtype_test, diff --git a/lib/dns/view.c b/lib/dns/view.c -index 0fca1d9..55ede81 100644 +index a7ba613..a644c5f 100644 --- a/lib/dns/view.c +++ b/lib/dns/view.c @@ -229,6 +229,9 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass, @@ -3824,7 +3827,7 @@ index 0fca1d9..55ede81 100644 view->maxbits = 0; view->v4_aaaa = dns_aaaa_ok; diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c -index 91693b5..5771774 100644 +index 212194e..b562f95 100644 --- a/lib/isccfg/namedconf.c +++ b/lib/isccfg/namedconf.c @@ -1778,6 +1778,7 @@ view_clauses[] = { @@ -3855,5 +3858,5 @@ index 91693b5..5771774 100644 { "topology", &cfg_type_bracketed_aml, CFG_CLAUSEFLAG_NOTIMP }, { "transfer-format", &cfg_type_transferformat, 0 }, -- -2.21.1 +2.26.2 diff --git a/SOURCES/bind-9.3.2-redhat_doc.patch b/SOURCES/bind-9.3.2-redhat_doc.patch index 4c9d90d..d50374f 100644 --- a/SOURCES/bind-9.3.2-redhat_doc.patch +++ b/SOURCES/bind-9.3.2-redhat_doc.patch @@ -1,62 +1,98 @@ -diff --git a/bin/named/named.8 b/bin/named/named.8 -index cd990a9..890be36 100644 ---- a/bin/named/named.8 -+++ b/bin/named/named.8 -@@ -358,6 +358,57 @@ The default configuration file\&. - /var/run/named/named\&.pid - .RS 4 - The default process\-id file\&. -+.PP -+.SH "NOTES" -+.PP -+.TP -+\fBRed Hat SELinux BIND Security Profile:\fR -+.PP -+By default, Red Hat ships BIND with the most secure SELinux policy -+that will not prevent normal BIND operation and will prevent exploitation -+of all known BIND security vulnerabilities . See the selinux(8) man page -+for information about SElinux. -+.PP -+It is not necessary to run named in a chroot environment if the Red Hat -+SELinux policy for named is enabled. When enabled, this policy is far -+more secure than a chroot environment. Users are recommended to enable -+SELinux and remove the bind-chroot package. -+.PP -+With this extra security comes some restrictions: -+.PP -+By default, the SELinux policy does not allow named to write any master -+zone database files. Only the root user may create files in the $ROOTDIR/var/named -+zone database file directory (the options { "directory" } option), where -+$ROOTDIR is set in /etc/sysconfig/named. -+.PP -+The "named" group must be granted read privelege to -+these files in order for named to be enabled to read them. -+.PP -+Any file created in the zone database file directory is automatically assigned -+the SELinux file context named_zone_t . -+.PP -+By default, SELinux prevents any role from modifying named_zone_t files; this -+means that files in the zone database directory cannot be modified by dynamic -+DNS (DDNS) updates or zone transfers. -+.PP -+The Red Hat BIND distribution and SELinux policy creates three directories where -+named is allowed to create and modify files: /var/named/slaves, /var/named/dynamic -+/var/named/data. By placing files you want named to modify, such as -+slave or DDNS updateable zone files and database / statistics dump files in -+these directories, named will work normally and no further operator action is -+required. Files in these directories are automatically assigned the 'named_cache_t' -+file context, which SELinux allows named to write. -+.PP -+\fBRed Hat BIND SDB support:\fR -+.PP -+Red Hat ships named with compiled in Simplified Database Backend modules that ISC -+provides in the "contrib/sdb" directory. Install bind-sdb package if you want use them -+.PP -+The SDB modules for LDAP, PostGreSQL, DirDB and SQLite are compiled into named-sdb. -+.PP -+See the documentation for the various SDB modules in /usr/share/doc/bind-sdb-*/ . -+.br -+.PP - .RE - .SH "SEE ALSO" - .PP +From facdbb0f2a266c6a3a1fa823afaa09cbd3fc38a5 Mon Sep 17 00:00:00 2001 +From: Petr Mensik <pemensik@redhat.com> +Date: Thu, 26 Nov 2020 12:13:10 +0100 +Subject: [PATCH] Note specific Red Hat changes in manual page + +Change docbook template instead of generated manual page. Remove +system-config-bind reference, package were discontinued. +--- + bin/named/named.docbook | 73 +++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 73 insertions(+) + +diff --git a/bin/named/named.docbook b/bin/named/named.docbook +index 7e743a9..802bec3 100644 +--- a/bin/named/named.docbook ++++ b/bin/named/named.docbook +@@ -516,6 +516,79 @@ + + </refsection> + ++ <refsection><info><title>NOTES ++ Red Hat SELinux BIND Security Profile ++ ++ ++ By default, Red Hat ships BIND with the most secure SELinux policy ++ that will not prevent normal BIND operation and will prevent exploitation ++ of all known BIND security vulnerabilities . See the selinux(8) man page ++ for information about SElinux. ++ ++ ++ ++ It is not necessary to run named in a chroot environment if the Red Hat ++ SELinux policy for named is enabled. When enabled, this policy is far ++ more secure than a chroot environment. Users are recommended to enable ++ SELinux and remove the bind-chroot package. ++ ++ ++ ++ With this extra security comes some restrictions: ++ ++ ++ ++ By default, the SELinux policy allows named to write any master ++ zone database files. Only the root user may create files in the $ROOTDIR/var/named ++ zone database file directory (the options { "directory" } option), where ++ $ROOTDIR is set in /etc/sysconfig/named. ++ ++ ++ ++ The "named" group must be granted read privelege to ++ these files in order for named to be enabled to read them. ++ ++ ++ ++ Any file created in the zone database file directory is automatically assigned ++ the SELinux file context named_zone_t . ++ ++ ++ ++ By default, SELinux prevents any role from modifying named_zone_t files; this ++ means that files in the zone database directory cannot be modified by dynamic ++ DNS (DDNS) updates or zone transfers. ++ ++ ++ ++ The Red Hat BIND distribution and SELinux policy creates three directories where ++ named is allowed to create and modify files: /var/named/slaves, /var/named/dynamic ++ /var/named/data. By placing files you want named to modify, such as ++ slave or DDNS updateable zone files and database / statistics dump files in ++ these directories, named will work normally and no further operator action is ++ required. Files in these directories are automatically assigned the 'named_cache_t' ++ file context, which SELinux allows named to write. ++ ++ ++ ++ Red Hat BIND SDB support ++ ++ ++ Red Hat ships named with compiled in Simplified Database Backend modules that ISC ++ provides in the "contrib/sdb" directory. Install bind-sdb package if you want use them. ++ ++ ++ ++ The SDB modules for LDAP, PostGreSQL, DirDB and SQLite are compiled into named-sdb. ++ ++ ++ ++ See the documentation for the various SDB modules in /usr/share/doc/bind-sdb-*/ . ++ ++ ++ ++ ++ + SEE ALSO + + RFC 1033, +-- +2.26.2 + diff --git a/SPECS/bind.spec b/SPECS/bind.spec index d4263e6..12a5ad1 100644 --- a/SPECS/bind.spec +++ b/SPECS/bind.spec @@ -15,13 +15,15 @@ # it is not possible to build the package without PKCS11 sub-package # due to extensive changes to Makefiles %bcond_without PKCS11 -%bcond_without DEVEL +%bcond_without JSON %bcond_with LMDB +%bcond_without DNSTAP %bcond_with DLZ %bcond_without EXPORT_LIBS %bcond_without BDB # Legacy GeoIP support %bcond_with GEOIP +%bcond_with DOC %if 0%{?fedora} >= 28 || 0%{?rhel} >= 8 %bcond_without UNITTEST %else @@ -37,6 +39,7 @@ %{?!bind_uid: %global bind_uid 25} %{?!bind_gid: %global bind_gid 25} +%{!?_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}} %global bind_dir /var/named %global chroot_prefix %{bind_dir}/chroot %if %{with SDB} @@ -56,18 +59,18 @@ # # lib*.so.X versions of selected libraries -%global sover_dns 1110 -%global sover_isc 1105 +%global sover_dns 1112 +%global sover_isc 1107 %global sover_irs 161 %global sover_isccfg 163 Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server Name: bind License: MPLv2.0 -Version: 9.11.20 -Release: 5%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}.1 +Version: 9.11.26 +Release: 3%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} Epoch: 32 -Url: http://www.isc.org/products/BIND/ +Url: https://www.isc.org/downloads/bind/ # Source: https://ftp.isc.org/isc/bind9/%{BINDVERSION}/bind-%{BINDVERSION}.tar.gz Source1: named.sysconfig @@ -137,10 +140,6 @@ Patch154:bind-9.11-oot-manual.patch Patch155:bind-9.11-pk11.patch Patch156:bind-9.11-fips-code.patch Patch157:bind-9.11-fips-tests.patch -# commit 66ba2fdad583d962a1f4971c85d58381f0849e4d -# commit b105ccee68ccc3c18e6ea530063b3c8e5a42571c -# commit 083461d3329ff6f2410745848a926090586a9846 -Patch158:bind-9.11-rh1624100.patch Patch159:bind-9.11-host-idn-disable.patch Patch164:bind-9.11-fips-code-includes.patch # [RT #31459] commit 06a8051d2476fb526fe6960832209392c763a9af @@ -155,15 +154,7 @@ Patch174:bind-9.11-fips-disable.patch Patch175:bind-9.11-json-c.patch Patch177:bind-9.11-serve-stale.patch Patch178:bind-9.11-dhcp-time-monotonic.patch -Patch179:bind-9.11-rh1859454.patch -# https://gitlab.isc.org/isc-projects/bind9/commit/ae9af802b5e7169c55cc5ef04dcfbded351c743d -Patch180:bind-9.11-CVE-2020-8622.patch -# https://gitlab.isc.org/isc-projects/bind9/commit/0660b022fc6130dda2a27d6164fc7decdcabce8d -Patch181:bind-9.11-CVE-2020-8623.patch -# https://gitlab.isc.org/isc-projects/bind9/commit/8e919cf6e47c4f52612069ac0868f8caa5089e74 -Patch182:bind-9.11-CVE-2020-8624.patch -Patch183:bind-9.11-CVE-2020-8624-test.patch -Patch184:bind-9.11-CVE-2020-8625.patch +Patch179:bind-9.11-CVE-2020-8625.patch # SDB patches Patch11: bind-9.3.2b2-sdbsrc.patch @@ -222,14 +213,20 @@ BuildRequires: krb5-devel %if %{with LMDB} BuildRequires: lmdb-devel %endif +%if %{with JSON} +BuildRequires: json-c-devel +%endif %if %{with GEOIP} BuildRequires: GeoIP-devel %endif %if %{with GEOIP2} BuildRequires: libmaxminddb-devel %endif +%if %{with DNSTAP} +BuildRequires: fstrm-devel protobuf-c-devel +%endif # Needed to regenerate dig.1 manpage -BuildRequires: docbook-style-xsl, libxslt +BuildRequires: docbook-style-xsl, libxslt %if %{with TSAN} BuildRequires: libtsan %endif @@ -346,7 +343,6 @@ network addresses. You should install bind-utils if you need to get information from DNS name servers. -%if %{with DEVEL} %package devel Summary: Header files and libraries needed for BIND DNS development Obsoletes:bind-libbind-devel < 31:9.3.3-4.fc7 @@ -357,12 +353,25 @@ Requires: bind-lite-devel%{?_isa} = %{epoch}:%{version}-%{release} %description devel The bind-devel package contains full version of the header files and libraries required for development with ISC BIND 9 -%endif %package lite-devel Summary: Lite version of header files and libraries needed for BIND DNS development Requires: bind-libs-lite%{?_isa} = %{epoch}:%{version}-%{release} Requires: openssl-devel%{?_isa} libxml2-devel%{?_isa} +# Not required by headers, but "isc-config.sh --libs isc" requires it +Requires: libcap-devel%{?_isa} +%if %{with GSSTSIG} +Requires: krb5-devel%{?_isa} +%endif +%if %{with LMDB} +Requires: lmdb-devel%{?_isa} +%endif +%if %{with JSON} +Requires: json-c-devel%{?_isa} +%endif +%if %{with DNSTAP} +Requires: fstrm-devel%{?_isa} protobuf-c-devel%{?_isa} +%endif %description lite-devel The bind-lite-devel package contains lite version of the header @@ -456,6 +465,25 @@ BuildArch: noarch %description -n python3-bind This package provides a module which allows commands to be sent to rndc directly from Python programs. +%if %{with DOC} +%package doc +Summary: BIND 9 Administrator Reference Manual +Requires: bind-license = %{epoch}:%{version}-%{release} +BuildArch: noarch + +%description doc +BIND (Berkeley Internet Name Domain) is an implementation of the DNS +(Domain Name System) protocols. BIND includes a DNS server (named), +which resolves host names to IP addresses; a resolver library +(routines for applications to use when interfacing with DNS); and +tools for verifying that the DNS server is operating properly. + +This package contains BIND 9 Administrator Reference Manual +in HTML and PDF format. +%end + +%endif + %if %{with EXPORT_LIBS} %package export-libs Summary: ISC libs for DHCP application @@ -511,7 +539,6 @@ are used for building ISC DHCP. %patch155 -p1 -b .pk11-internal %patch156 -p1 -b .fips-code %patch157 -p1 -b .fips-tests -%patch158 -p1 -b .rh1624100 %patch159 -p1 -b .host-idn-disable %patch164 -p1 -b .fips-includes %patch165 -p1 -b .rt31459 @@ -522,16 +549,21 @@ are used for building ISC DHCP. %patch175 -p1 -b .json-c %patch177 -p1 -b .serve-stale %patch178 -p1 -b .time-monotonic -%patch179 -p1 -b .rh1859454 -%patch180 -p1 -b .CVE-2020-8622 -%patch181 -p1 -b .CVE-2020-8623 -%patch182 -p1 -b .CVE-2020-8624 -%patch183 -p1 -b .CVE-2020-8624-test -%patch184 -p1 -b .CVE-2020-8625 +%patch179 -p1 -b .CVE-2020-8625 mkdir lib/dns/tests/testdata/dstrandom cp -a %{SOURCE50} lib/dns/tests/testdata/dstrandom/random.data +# Avoid having [FIXME: manual] on top of generated manual pages +# Alternative approach due missing docbook5 style sheets. +# Remove namespace, so docbook is threated as version 4. +# Spaces should be fine. +# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/4524 +find bin lib/lwres/man -name '*.docbook' -exec \ + sed -e 's|BIND9|BIND9|' \ + -e 's|xmlns="http://docbook.org/ns/docbook"\sversion="5.0"\s||' \ + -i '{}' ';' + %if %{with PKCS11} cp -r bin/named{,-pkcs11} cp -r bin/dnssec{,-pkcs11} @@ -660,6 +692,14 @@ export LIBDIR_SUFFIX %else --with-lmdb=no \ %endif +%if %{with JSON} + --with-libjson \ +%endif +%if %{with DNSTAP} + --enable-dnstap \ +%else + --disable-dnstap \ +%endif %if %{with UNITTEST} --with-cmocka \ %endif @@ -667,6 +707,15 @@ export LIBDIR_SUFFIX --with-docbook-xsl=%{_datadir}/sgml/docbook/xsl-stylesheets \ --enable-full-report \ ; +%if %{with DNSTAP} + pushd lib + SRCLIB="../../../lib" + (cd dns && ln -s ${SRCLIB}/dns/dnstap.proto) +%if %{with PKCS11} + (cd dns-pkcs11 && ln -s ${SRCLIB}/dns-pkcs11/dnstap.proto) +%endif + popd +%endif make %{?_smp_mflags} ### FIXME hack!!! @@ -684,6 +733,11 @@ pushd bin/python make man popd +%if %{with DOC} + # Does not work. Use upstream generated documentation instead. + # make doc +%endif + %if %{with DLZ} pushd contrib/dlz pushd modules @@ -969,14 +1023,6 @@ popd # Remove libtool .la files: find ${RPM_BUILD_ROOT}/%{_libdir} -name '*.la' -exec '/bin/rm' '-f' '{}' ';'; -# Remove -devel files out of buildroot if not needed -%if !%{with DEVEL} -rm -f ${RPM_BUILD_ROOT}/%{_libdir}/bind9/*so -rm -rf ${RPM_BUILD_ROOT}/%{_includedir}/bind9 -rm -f ${RPM_BUILD_ROOT}/%{_mandir}/man1/isc-config.sh.1* -rm -f ${RPM_BUILD_ROOT}/%{_mandir}/man3/lwres* -rm -f ${RPM_BUILD_ROOT}/%{_bindir}/isc-config.sh -%endif # SDB manpages %if %{with SDB} @@ -1002,6 +1048,11 @@ ln -s dnssec-verify.8.gz dnssec-verify-pkcs11.8.gz popd %endif +%if %{with DOC} +mkdir -p ${RPM_BUILD_ROOT}%{_pkgdocdir} +cp -a doc/arm/*.html doc/arm/*.pdf ${RPM_BUILD_ROOT}%{_pkgdocdir} +%endif + # Ghost config files: touch ${RPM_BUILD_ROOT}%{_localstatedir}/log/named.log @@ -1227,8 +1278,10 @@ rm -rf ${RPM_BUILD_ROOT} %{_mandir}/man8/rndc-confgen.8* %{_mandir}/man8/named-journalprint.8* %doc CHANGES README named.conf.default -%doc doc/arm/*html doc/arm/*pdf %doc sample/ +%if %{without DOC} +%doc doc/arm/*.html doc/arm/*.pdf +%endif # Hide configuration %defattr(0640,root,named,0750) @@ -1307,9 +1360,17 @@ rm -rf ${RPM_BUILD_ROOT} %{_sbindir}/isc-hmac-fixup %{_sbindir}/named-checkzone %{_sbindir}/named-compilezone +%if %{with DNSTAP} +%{_bindir}/dnstap-read +%{_mandir}/man1/dnstap-read.1* +%endif %if %{with LMDB} %{_sbindir}/named-nzd2nzf %endif +%if %{with DNSTAP} +%{_bindir}/dnstap-read +%{_mandir}/man1/dnstap-read.1* +%endif %{_mandir}/man1/host.1* %{_mandir}/man1/nsupdate.1* %{_mandir}/man1/dig.1* @@ -1332,7 +1393,6 @@ rm -rf ${RPM_BUILD_ROOT} %endif %{_sysconfdir}/trusted-key.key -%if %{with DEVEL} %files devel %{_libdir}/libbind9.so %{_libdir}/libisccc.so @@ -1346,7 +1406,6 @@ rm -rf ${RPM_BUILD_ROOT} %{_mandir}/man3/lwres* %{_bindir}/isc-config.sh %{_bindir}/bind9-config -%endif %files lite-devel %{_libdir}/libdns.so @@ -1534,11 +1593,32 @@ rm -rf ${RPM_BUILD_ROOT} %{python3_sitelib}/*.egg-info %{python3_sitelib}/isc/ +%if %{with DOC} +%files doc +%dir %{_pkgdocdir} +%doc %{_pkgdocdir}/*.html +%doc %{_pkgdocdir}/*.pdf +%endif %changelog -* Mon Feb 15 2021 Petr Menšík - 32:9.11.20-5.1 +* Mon Feb 15 2021 Petr Menšík - 32:9.11.26-3 - Fix off-by-one bug in ISC SPNEGO implementation (CVE-2020-8625) +* Tue Jan 05 2021 Petr Menšík - 32:9.11.26-2 +- Add DNSTAP support (#1854148), new dnstap-read tool +- Add JSON support in statistics-channel (#1899257) + +* Mon Jan 04 2021 Petr Menšík - 32:9.11.26-1 +- Update to 9.11.26 + +* Thu Nov 26 2020 Petr Menšík - 32:9.11.25-1 +- Update to 9.11.25 +- Require libcap from devel package +- Fix crash on NTA recheck failure (#1893761) + +* Fri Sep 25 2020 Tomas Korbar - 32:9.11.20-6 +- Do not ignore RPZ wildcard passthru (#1876492) + * Tue Aug 18 2020 Petr Menšík - 32:9.11.20-5 - Fix tsig-request verify (CVE-2020-8622) - Prevent PKCS11 daemon crash on crafted packet (CVE-2020-8623)