From 843e5f5094e88557f9276840f5b9f10d86c5ae5f Mon Sep 17 00:00:00 2001 From: Petr Menšík Date: Aug 27 2019 19:39:46 +0000 Subject: Update patches to 9.11.10 --- diff --git a/bind-9.11-fips-tests.patch b/bind-9.11-fips-tests.patch index 920440b..539cdcb 100644 --- a/bind-9.11-fips-tests.patch +++ b/bind-9.11-fips-tests.patch @@ -1,4 +1,4 @@ -From d0e3f8be48c8031ebe3d7e1bf2a32cb03c79484e Mon Sep 17 00:00:00 2001 +From f32eb98f81b33abd5b0d3c77f8f75cc3e77425ff Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Thu, 2 Aug 2018 23:46:45 +0200 Subject: [PATCH] FIPS tests changes @@ -77,7 +77,7 @@ Date: Wed Mar 7 10:44:23 2018 +0100 bin/tests/system/checkconf/bad-tsig.conf | 2 +- bin/tests/system/checkconf/good.conf | 2 +- bin/tests/system/digdelv/ns2/example.db | 15 +++-- - bin/tests/system/digdelv/tests.sh | 28 ++++---- + bin/tests/system/digdelv/tests.sh | 20 +++--- bin/tests/system/dlv/ns1/sign.sh | 4 +- bin/tests/system/dlv/ns2/sign.sh | 4 +- bin/tests/system/dlv/ns6/sign.sh | 66 +++++++++--------- @@ -102,7 +102,7 @@ Date: Wed Mar 7 10:44:23 2018 +0100 bin/tests/system/tsiggss/setup.sh | 2 +- bin/tests/system/upforwd/ns1/named.conf.in | 2 +- bin/tests/system/upforwd/tests.sh | 2 +- - 44 files changed, 226 insertions(+), 175 deletions(-) + 44 files changed, 222 insertions(+), 171 deletions(-) diff --git a/bin/tests/system/acl/ns2/named1.conf.in b/bin/tests/system/acl/ns2/named1.conf.in index 0ea6502..026db3f 100644 @@ -599,27 +599,9 @@ index f4e30f5..9f53e31 100644 ; TTL of 3 weeks weeks 1814400 A 10.53.0.2 diff --git a/bin/tests/system/digdelv/tests.sh b/bin/tests/system/digdelv/tests.sh -index 1657dfd..299ba94 100644 +index ade45ce..d3aff24 100644 --- a/bin/tests/system/digdelv/tests.sh +++ b/bin/tests/system/digdelv/tests.sh -@@ -88,7 +88,7 @@ if [ -x "$DIG" ] ; then - echo_i "checking dig +multi +norrcomments works for dnskey (when default is rrcomments)($n)" - ret=0 - $DIG $DIGOPTS +tcp @10.53.0.3 +multi +norrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1 -- grep "; ZSK; alg = RSAMD5 ; key id = 30795" < dig.out.test$n > /dev/null && ret=1 -+ grep "; ZSK; alg = RSASHA256 ; key id = 36895" < dig.out.test$n > /dev/null && ret=1 - check_ttl_range dig.out.test$n "DNSKEY" 300 || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` -@@ -97,7 +97,7 @@ if [ -x "$DIG" ] ; then - echo_i "checking dig +multi +norrcomments works for soa (when default is rrcomments)($n)" - ret=0 - $DIG $DIGOPTS +tcp @10.53.0.3 +multi +norrcomments SOA example > dig.out.test$n || ret=1 -- grep "; ZSK; alg = RSAMD5 ; key id = 30795" < dig.out.test$n > /dev/null && ret=1 -+ grep "; ZSK; alg = RSASHA256 ; key id = 36895" < dig.out.test$n > /dev/null && ret=1 - check_ttl_range dig.out.test$n "SOA" 300 || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` @@ -106,7 +106,7 @@ if [ -x "$DIG" ] ; then echo_i "checking dig +rrcomments works for DNSKEY($n)" ret=0 @@ -665,25 +647,7 @@ index 1657dfd..299ba94 100644 if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` -@@ -661,7 +661,7 @@ if [ -x ${DELV} ] ; then - echo_i "checking delv +multi +norrcomments works for dnskey (when default is rrcomments)($n)" - ret=0 - $DELV $DELVOPTS +tcp @10.53.0.3 +multi +norrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1 -- grep "; ZSK; alg = RSAMD5 ; key id = 30795" < delv.out.test$n > /dev/null && ret=1 -+ grep "; ZSK; alg = RSASHA256 ; key id = 36895" < delv.out.test$n > /dev/null && ret=1 - check_ttl_range delv.out.test$n "DNSKEY" 300 || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` -@@ -670,7 +670,7 @@ if [ -x ${DELV} ] ; then - echo_i "checking delv +multi +norrcomments works for soa (when default is rrcomments)($n)" - ret=0 - $DELV $DELVOPTS +tcp @10.53.0.3 +multi +norrcomments SOA example > delv.out.test$n || ret=1 -- grep "; ZSK; alg = RSAMD5 ; key id = 30795" < delv.out.test$n > /dev/null && ret=1 -+ grep "; ZSK; alg = RSASHA256 ; key id = 36895" < delv.out.test$n > /dev/null && ret=1 - check_ttl_range delv.out.test$n "SOA" 300 || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` -@@ -679,7 +679,7 @@ if [ -x ${DELV} ] ; then +@@ -695,7 +695,7 @@ if [ -x ${DELV} ] ; then echo_i "checking delv +rrcomments works for DNSKEY($n)" ret=0 $DELV $DELVOPTS +tcp @10.53.0.3 +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1 @@ -692,7 +656,7 @@ index 1657dfd..299ba94 100644 check_ttl_range delv.out.test$n "DNSKEY" 300 || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` -@@ -688,7 +688,7 @@ if [ -x ${DELV} ] ; then +@@ -704,7 +704,7 @@ if [ -x ${DELV} ] ; then echo_i "checking delv +short +rrcomments works for DNSKEY ($n)" ret=0 $DELV $DELVOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1 @@ -701,7 +665,7 @@ index 1657dfd..299ba94 100644 if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` -@@ -696,7 +696,7 @@ if [ -x ${DELV} ] ; then +@@ -712,7 +712,7 @@ if [ -x ${DELV} ] ; then echo_i "checking delv +short +rrcomments works ($n)" ret=0 $DELV $DELVOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1 @@ -710,7 +674,7 @@ index 1657dfd..299ba94 100644 if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` -@@ -704,7 +704,7 @@ if [ -x ${DELV} ] ; then +@@ -720,7 +720,7 @@ if [ -x ${DELV} ] ; then echo_i "checking delv +short +nosplit works ($n)" ret=0 $DELV $DELVOPTS +tcp @10.53.0.3 +short +nosplit DNSKEY dnskey.example > delv.out.test$n || ret=1 @@ -719,7 +683,7 @@ index 1657dfd..299ba94 100644 if test `wc -l < delv.out.test$n` != 1 ; then ret=1 ; fi f=`awk '{print NF}' < delv.out.test$n` test "${f:-0}" -eq 14 || ret=1 -@@ -715,7 +715,7 @@ if [ -x ${DELV} ] ; then +@@ -731,7 +731,7 @@ if [ -x ${DELV} ] ; then echo_i "checking delv +short +nosplit +norrcomments works ($n)" ret=0 $DELV $DELVOPTS +tcp @10.53.0.3 +short +nosplit +norrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1 @@ -990,10 +954,10 @@ index ed30460..e6b1126 100644 + "." 256 3 8 "AwEAAarwAdjV4gIhpBCjXVAScRFEx3co7k8smJdxrnqoGsl5NB7EZ9jRdgvCXbJn6v8y9jlNWVHvaC8ilhfhLh0A1vLWiWv4ijd/12xcnrY7xpG7Cu3YkxUxaXJ7Jdg/Iw1+9mGgXF1v4UbCIcw/3U3cxyk7OxYg+VSb5KBAQSR0upxV"; }; diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh -index d07881d..17ad256 100644 +index b31c1b4..a5e237b 100644 --- a/bin/tests/system/dnssec/tests.sh +++ b/bin/tests/system/dnssec/tests.sh -@@ -3227,8 +3227,8 @@ do +@@ -3235,8 +3235,8 @@ do alg=`expr $alg + 1` continue;; 3) size="-b 512";; @@ -1005,7 +969,7 @@ index d07881d..17ad256 100644 8) size="-b 512";; 10) size="-b 1024";; diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c -index 27a02d0..caf4166 100644 +index c1249ed..20a3139 100644 --- a/bin/tests/system/feature-test.c +++ b/bin/tests/system/feature-test.c @@ -19,6 +19,7 @@ @@ -1016,7 +980,7 @@ index 27a02d0..caf4166 100644 #include #ifdef WIN32 -@@ -46,6 +47,7 @@ usage() { +@@ -47,6 +48,7 @@ usage() { fprintf(stderr, " --have-geoip2\n"); fprintf(stderr, " --have-libxml2\n"); fprintf(stderr, " --ipv6only=no\n"); @@ -1024,7 +988,7 @@ index 27a02d0..caf4166 100644 fprintf(stderr, " --rpz-nsdname\n"); fprintf(stderr, " --rpz-nsip\n"); fprintf(stderr, " --with-idn\n"); -@@ -146,6 +148,18 @@ main(int argc, char **argv) { +@@ -155,6 +157,18 @@ main(int argc, char **argv) { #endif } @@ -1209,10 +1173,10 @@ index 343869e..c30efb0 100644 make_key 3 ${EXTRAPORT3} hmac-sha224 make_key 4 ${EXTRAPORT4} hmac-sha256 diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh -index b00056c..f7fad91 100644 +index 57e066d..186a723 100644 --- a/bin/tests/system/rndc/tests.sh +++ b/bin/tests/system/rndc/tests.sh -@@ -356,15 +356,20 @@ if [ $ret != 0 ]; then echo_i "failed"; fi +@@ -348,15 +348,20 @@ if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` n=`expr $n + 1` diff --git a/bind-9.11-rh1624100.patch b/bind-9.11-rh1624100.patch index 00030cc..5764ed7 100644 --- a/bind-9.11-rh1624100.patch +++ b/bind-9.11-rh1624100.patch @@ -1,4 +1,4 @@ -From 292a0ca28f2e8a49f8c7e62c39ad7160234ce23d Mon Sep 17 00:00:00 2001 +From 76594cba9a1e910bb36160d96fc3872349341799 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= Date: Wed, 25 Apr 2018 14:04:31 +0200 Subject: [PATCH] Replace isc_safe routines with their OpenSSL counter parts @@ -81,15 +81,15 @@ index ad77f24..670982a 100644 /* accept_sec_context.c */ diff --git a/lib/isc/Makefile.in b/lib/isc/Makefile.in -index ba53ef1..98acfff 100644 +index 0fd0837..8ad54bb 100644 --- a/lib/isc/Makefile.in +++ b/lib/isc/Makefile.in @@ -60,7 +60,7 @@ OBJS = @ISC_EXTRA_OBJS@ @ISC_PK11_O@ @ISC_PK11_RESULT_O@ \ parseint.@O@ portset.@O@ quota.@O@ radix.@O@ random.@O@ \ ratelimiter.@O@ refcount.@O@ region.@O@ regex.@O@ result.@O@ \ rwlock.@O@ \ -- safe.@O@ serial.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \ -+ serial.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \ +- safe.@O@ serial.@O@ siphash.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \ ++ serial.@O@ siphash.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \ string.@O@ strtoul.@O@ symtab.@O@ task.@O@ taskpool.@O@ \ tm.@O@ timer.@O@ version.@O@ \ ${UNIXOBJS} ${NLSOBJS} ${THREADOBJS} @@ -97,8 +97,8 @@ index ba53ef1..98acfff 100644 netaddr.c netscope.c pool.c ondestroy.c \ parseint.c portset.c quota.c radix.c random.c ${CHACHASRCS} \ ratelimiter.c refcount.c region.c regex.c result.c rwlock.c \ -- safe.c serial.c sha1.c sha2.c sockaddr.c stats.c string.c \ -+ serial.c sha1.c sha2.c sockaddr.c stats.c string.c \ +- safe.c serial.c siphash.c sha1.c sha2.c sockaddr.c stats.c string.c \ ++ serial.c siphash.c sha1.c sha2.c sockaddr.c stats.c string.c \ strtoul.c symtab.c task.c taskpool.c timer.c \ tm.c version.c @@ -241,10 +241,10 @@ index 7a464b6..0000000 -#endif -} diff --git a/lib/isc/tests/safe_test.c b/lib/isc/tests/safe_test.c -index 5775b6e..3451b5d 100644 +index 266ac75..60e9181 100644 --- a/lib/isc/tests/safe_test.c +++ b/lib/isc/tests/safe_test.c -@@ -44,22 +44,6 @@ isc_safe_memequal_test(void **state) { +@@ -45,22 +45,6 @@ isc_safe_memequal_test(void **state) { "\x00\x00\x00\x00", 4)); } @@ -267,7 +267,7 @@ index 5775b6e..3451b5d 100644 /* test isc_safe_memwipe() */ static void isc_safe_memwipe_test(void **state) { -@@ -68,7 +52,6 @@ isc_safe_memwipe_test(void **state) { +@@ -69,7 +53,6 @@ isc_safe_memwipe_test(void **state) { /* These should pass. */ isc_safe_memwipe(NULL, 0); isc_safe_memwipe((void *) -1, 0); @@ -275,7 +275,7 @@ index 5775b6e..3451b5d 100644 /* * isc_safe_memwipe(ptr, size) should function same as -@@ -107,7 +90,6 @@ main(void) { +@@ -108,7 +91,6 @@ main(void) { const struct CMUnitTest tests[] = { cmocka_unit_test(isc_safe_memequal_test), cmocka_unit_test(isc_safe_memwipe_test), diff --git a/bind-9.11-rt31459.patch b/bind-9.11-rt31459.patch index bbb8948..27d8273 100644 --- a/bind-9.11-rt31459.patch +++ b/bind-9.11-rt31459.patch @@ -1,4 +1,4 @@ -From f0eee3c150b9b913819ecd864581ba50dd4ae9cf Mon Sep 17 00:00:00 2001 +From 9f62d68da08d21a8b35e27aeebd00afe6e5fb7be Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Tue, 12 Sep 2017 19:05:46 -0700 Subject: [PATCH] rebased rt31459c @@ -293,7 +293,7 @@ index fbc7ece..31a99e7 100644 usekeyboard); diff --git a/bin/named/server.c b/bin/named/server.c -index 767d83f..d3c2f9d 100644 +index c917cad..436a93a 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -36,6 +36,7 @@ @@ -304,7 +304,7 @@ index 767d83f..d3c2f9d 100644 #include #include #include -@@ -8208,6 +8209,10 @@ load_configuration(const char *filename, ns_server_t *server, +@@ -8209,6 +8210,10 @@ load_configuration(const char *filename, ns_server_t *server, "no source of entropy found"); } else { const char *randomdev = cfg_obj_asstring(obj); @@ -315,7 +315,7 @@ index 767d83f..d3c2f9d 100644 int level = ISC_LOG_ERROR; result = isc_entropy_createfilesource(ns_g_entropy, randomdev); -@@ -8242,6 +8247,7 @@ load_configuration(const char *filename, ns_server_t *server, +@@ -8243,6 +8248,7 @@ load_configuration(const char *filename, ns_server_t *server, } isc_entropy_detach(&ns_g_fallbackentropy); } @@ -671,10 +671,10 @@ index 9f90dd7..fad6c83 100644 echo "I:failed" status=`expr $status + $ret` diff --git a/bin/tools/mdig.c b/bin/tools/mdig.c -index b27fc1d..e28871b 100644 +index 53579d4..e2f6810 100644 --- a/bin/tools/mdig.c +++ b/bin/tools/mdig.c -@@ -1969,12 +1969,11 @@ main(int argc, char *argv[]) { +@@ -1972,12 +1972,11 @@ main(int argc, char *argv[]) { ectx = NULL; RUNCHECK(isc_entropy_create(mctx, &ectx)); @@ -689,7 +689,7 @@ index b27fc1d..e28871b 100644 parse_args(false, argc, argv); if (server == NULL) diff --git a/configure b/configure -index 4a5db6c..64aca10 100755 +index 2a4d9ed..e4e8ea6 100755 --- a/configure +++ b/configure @@ -640,6 +640,7 @@ ac_includes_default="\ @@ -724,7 +724,7 @@ index 4a5db6c..64aca10 100755 --enable-largefile 64-bit file support --enable-backtrace log stack backtrace on abort [default=yes] --enable-symtable use internal symbol table for backtrace -@@ -17156,6 +17160,7 @@ case "$use_openssl" in +@@ -17117,6 +17121,7 @@ case "$use_openssl" in $as_echo "disabled because of native PKCS11" >&6; } DST_OPENSSL_INC="" CRYPTO="-DPKCS11CRYPTO" @@ -732,7 +732,7 @@ index 4a5db6c..64aca10 100755 OPENSSLECDSALINKOBJS="" OPENSSLECDSALINKSRCS="" OPENSSLEDDSALINKOBJS="" -@@ -17170,6 +17175,7 @@ $as_echo "disabled because of native PKCS11" >&6; } +@@ -17131,6 +17136,7 @@ $as_echo "disabled because of native PKCS11" >&6; } $as_echo "no" >&6; } DST_OPENSSL_INC="" CRYPTO="" @@ -740,7 +740,7 @@ index 4a5db6c..64aca10 100755 OPENSSLECDSALINKOBJS="" OPENSSLECDSALINKSRCS="" OPENSSLEDDSALINKOBJS="" -@@ -17182,6 +17188,7 @@ $as_echo "no" >&6; } +@@ -17143,6 +17149,7 @@ $as_echo "no" >&6; } auto) DST_OPENSSL_INC="" CRYPTO="" @@ -748,7 +748,7 @@ index 4a5db6c..64aca10 100755 OPENSSLECDSALINKOBJS="" OPENSSLECDSALINKSRCS="" OPENSSLEDDSALINKOBJS="" -@@ -17191,7 +17198,7 @@ $as_echo "no" >&6; } +@@ -17152,7 +17159,7 @@ $as_echo "no" >&6; } OPENSSLLINKOBJS="" OPENSSLLINKSRCS="" as_fn_error $? "OpenSSL was not found in any of $openssldirs; use --with-openssl=/path @@ -757,7 +757,7 @@ index 4a5db6c..64aca10 100755 ;; *) if test "yes" = "$want_native_pkcs11" -@@ -17222,6 +17229,7 @@ $as_echo "not found" >&6; } +@@ -17183,6 +17190,7 @@ $as_echo "not found" >&6; } as_fn_error $? "\"$use_openssl/include/openssl/opensslv.h\" not found" "$LINENO" 5 fi CRYPTO='-DOPENSSL' @@ -765,7 +765,7 @@ index 4a5db6c..64aca10 100755 if test "/usr" = "$use_openssl" then DST_OPENSSL_INC="" -@@ -17883,8 +17891,6 @@ fi +@@ -17808,8 +17816,6 @@ fi # Use OpenSSL for hash functions # @@ -774,7 +774,7 @@ index 4a5db6c..64aca10 100755 ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH" case $want_openssl_hash in yes) -@@ -18259,6 +18265,86 @@ if test "rt" = "$have_clock_gt"; then +@@ -18184,6 +18190,86 @@ if test "rt" = "$have_clock_gt"; then LIBS="-lrt $LIBS" fi @@ -861,7 +861,7 @@ index 4a5db6c..64aca10 100755 # # was --with-lmdb specified? # -@@ -20341,9 +20427,12 @@ _ACEOF +@@ -20266,9 +20352,12 @@ _ACEOF if ac_fn_c_try_compile "$LINENO"; then : { $as_echo "$as_me:${as_lineno-$LINENO}: result: size_t for buflen; int for flags" >&5 $as_echo "size_t for buflen; int for flags" >&6; } @@ -876,7 +876,7 @@ index 4a5db6c..64aca10 100755 $as_echo "#define IRS_GETNAMEINFO_FLAGS_T int" >>confdefs.h -@@ -21658,12 +21747,7 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM" +@@ -21583,12 +21672,7 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM" ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM" ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM" if test "yes" = "$use_atomic"; then @@ -890,7 +890,7 @@ index 4a5db6c..64aca10 100755 # version HP92453-01 B.11.11.23709.GP, which incorrectly rejects # declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. # This bug is HP SR number 8606223364. -@@ -21696,6 +21780,11 @@ cat >>confdefs.h <<_ACEOF +@@ -21621,6 +21705,11 @@ cat >>confdefs.h <<_ACEOF _ACEOF @@ -902,7 +902,7 @@ index 4a5db6c..64aca10 100755 if test $ac_cv_sizeof_void_p = 8; then arch=x86_64 have_xaddq=yes -@@ -21704,39 +21793,6 @@ _ACEOF +@@ -21629,39 +21718,6 @@ _ACEOF fi ;; x86_64-*|amd64-*) @@ -942,7 +942,7 @@ index 4a5db6c..64aca10 100755 if test $ac_cv_sizeof_void_p = 8; then arch=x86_64 have_xaddq=yes -@@ -21767,6 +21823,10 @@ $as_echo_n "checking architecture type for atomic operations... " >&6; } +@@ -21692,6 +21748,10 @@ $as_echo_n "checking architecture type for atomic operations... " >&6; } $as_echo "$arch" >&6; } fi @@ -953,7 +953,7 @@ index 4a5db6c..64aca10 100755 if test "yes" = "$have_atomic"; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking compiler support for inline assembly code" >&5 $as_echo_n "checking compiler support for inline assembly code... " >&6; } -@@ -24372,6 +24432,30 @@ CFLAGS="$CFLAGS $SO_CFLAGS" +@@ -24297,6 +24357,30 @@ CFLAGS="$CFLAGS $SO_CFLAGS" # dlzdir='${DLZ_DRIVER_DIR}' @@ -984,7 +984,7 @@ index 4a5db6c..64aca10 100755 # # Private autoconf macro to simplify configuring drivers: # -@@ -24702,11 +24786,11 @@ $as_echo "no" >&6; } +@@ -24627,11 +24711,11 @@ $as_echo "no" >&6; } $as_echo "using mysql with libs ${mysql_lib} and includes ${mysql_include}" >&6; } ;; *) @@ -999,7 +999,7 @@ index 4a5db6c..64aca10 100755 fi CONTRIB_DLZ="$CONTRIB_DLZ -DDLZ_MYSQL" -@@ -24791,7 +24875,7 @@ $as_echo "" >&6; } +@@ -24716,7 +24800,7 @@ $as_echo "" >&6; } # Check other locations for includes. # Order is important (sigh). @@ -1008,7 +1008,7 @@ index 4a5db6c..64aca10 100755 # include a blank element first for d in "" $bdb_incdirs do -@@ -24816,57 +24900,9 @@ $as_echo "" >&6; } +@@ -24741,57 +24825,9 @@ $as_echo "" >&6; } bdb_libnames="db53 db-5.3 db51 db-5.1 db48 db-4.8 db47 db-4.7 db46 db-4.6 db45 db-4.5 db44 db-4.4 db43 db-4.3 db42 db-4.2 db41 db-4.1 db" for d in $bdb_libnames do @@ -1068,7 +1068,7 @@ index 4a5db6c..64aca10 100755 break fi done -@@ -25025,10 +25061,10 @@ $as_echo "no" >&6; } +@@ -24950,10 +24986,10 @@ $as_echo "no" >&6; } DLZ_DRIVER_INCLUDES="$DLZ_DRIVER_INCLUDES -I$use_dlz_ldap/include" DLZ_DRIVER_LDAP_INCLUDES="-I$use_dlz_ldap/include" fi @@ -1082,7 +1082,7 @@ index 4a5db6c..64aca10 100755 fi -@@ -25114,11 +25150,11 @@ fi +@@ -25039,11 +25075,11 @@ fi odbcdirs="/usr /usr/local /usr/pkg" for d in $odbcdirs do @@ -1096,7 +1096,7 @@ index 4a5db6c..64aca10 100755 break fi done -@@ -25393,6 +25429,8 @@ DNS_CRYPTO_LIBS="$NEWFLAGS" +@@ -25318,6 +25354,8 @@ DNS_CRYPTO_LIBS="$NEWFLAGS" @@ -1105,7 +1105,7 @@ index 4a5db6c..64aca10 100755 # # Commands to run at the end of config.status. # Don't just put these into configure, it won't work right if somebody -@@ -27772,6 +27810,8 @@ report() { +@@ -27697,6 +27735,8 @@ report() { echo " IPv6 support (--enable-ipv6)" test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \ echo " OpenSSL cryptography/DNSSEC (--with-openssl)" @@ -1114,7 +1114,7 @@ index 4a5db6c..64aca10 100755 test "X$PYTHON" = "X" || echo " Python tools (--with-python)" test "X$XMLSTATS" = "X" || echo " XML statistics (--with-libxml2)" test "X$JSONSTATS" = "X" || echo " JSON statistics (--with-libjson)" -@@ -27812,6 +27852,8 @@ report() { +@@ -27737,6 +27777,8 @@ report() { echo " Very verbose query trace logging (--enable-querytrace)" test "no" = "$with_cmocka" || echo " CMocka Unit Testing Framework (--with-cmocka)" @@ -1123,7 +1123,7 @@ index 4a5db6c..64aca10 100755 echo " Dynamically loadable zone (DLZ) drivers:" test "no" = "$use_dlz_bdb" || \ echo " Berkeley DB (--with-dlz-bdb)" -@@ -27859,6 +27901,8 @@ report() { +@@ -27784,6 +27826,8 @@ report() { echo " ECDSA algorithm support (--with-ecdsa)" test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \ echo " EDDSA algorithm support (--with-eddsa)" @@ -1133,10 +1133,10 @@ index 4a5db6c..64aca10 100755 test "yes" = "$enable_seccomp" || \ echo " Use libseccomp system call filtering (--enable-seccomp)" diff --git a/configure.ac b/configure.ac -index 0dc552c..3b88105 100644 +index 0e22d02..828581e 100644 --- a/configure.ac +++ b/configure.ac -@@ -1572,6 +1572,7 @@ case "$use_openssl" in +@@ -1537,6 +1537,7 @@ case "$use_openssl" in AC_MSG_RESULT(disabled because of native PKCS11) DST_OPENSSL_INC="" CRYPTO="-DPKCS11CRYPTO" @@ -1144,7 +1144,7 @@ index 0dc552c..3b88105 100644 OPENSSLECDSALINKOBJS="" OPENSSLECDSALINKSRCS="" OPENSSLEDDSALINKOBJS="" -@@ -1585,6 +1586,7 @@ case "$use_openssl" in +@@ -1550,6 +1551,7 @@ case "$use_openssl" in AC_MSG_RESULT(no) DST_OPENSSL_INC="" CRYPTO="" @@ -1152,7 +1152,7 @@ index 0dc552c..3b88105 100644 OPENSSLECDSALINKOBJS="" OPENSSLECDSALINKSRCS="" OPENSSLEDDSALINKOBJS="" -@@ -1597,6 +1599,7 @@ case "$use_openssl" in +@@ -1562,6 +1564,7 @@ case "$use_openssl" in auto) DST_OPENSSL_INC="" CRYPTO="" @@ -1160,7 +1160,7 @@ index 0dc552c..3b88105 100644 OPENSSLECDSALINKOBJS="" OPENSSLECDSALINKSRCS="" OPENSSLEDDSALINKOBJS="" -@@ -1607,7 +1610,7 @@ case "$use_openssl" in +@@ -1572,7 +1575,7 @@ case "$use_openssl" in OPENSSLLINKSRCS="" AC_MSG_ERROR( [OpenSSL was not found in any of $openssldirs; use --with-openssl=/path @@ -1169,7 +1169,7 @@ index 0dc552c..3b88105 100644 ;; *) if test "yes" = "$want_native_pkcs11" -@@ -1637,6 +1640,7 @@ If you don't want OpenSSL, use --without-openssl]) +@@ -1602,6 +1605,7 @@ If you don't want OpenSSL, use --without-openssl]) AC_MSG_ERROR(["$use_openssl/include/openssl/opensslv.h" not found]) fi CRYPTO='-DOPENSSL' @@ -1177,7 +1177,7 @@ index 0dc552c..3b88105 100644 if test "/usr" = "$use_openssl" then DST_OPENSSL_INC="" -@@ -2110,7 +2114,6 @@ fi +@@ -2037,7 +2041,6 @@ fi # Use OpenSSL for hash functions # @@ -1185,7 +1185,7 @@ index 0dc552c..3b88105 100644 ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH" case $want_openssl_hash in yes) -@@ -2382,6 +2385,67 @@ if test "rt" = "$have_clock_gt"; then +@@ -2309,6 +2312,67 @@ if test "rt" = "$have_clock_gt"; then LIBS="-lrt $LIBS" fi @@ -1253,7 +1253,7 @@ index 0dc552c..3b88105 100644 # # was --with-lmdb specified? # -@@ -4178,12 +4242,12 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM" +@@ -4105,12 +4169,12 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM" ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM" ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM" if test "yes" = "$use_atomic"; then @@ -1267,7 +1267,7 @@ index 0dc552c..3b88105 100644 if test $ac_cv_sizeof_void_p = 8; then arch=x86_64 have_xaddq=yes -@@ -4192,7 +4256,6 @@ if test "yes" = "$use_atomic"; then +@@ -4119,7 +4183,6 @@ if test "yes" = "$use_atomic"; then fi ;; x86_64-*|amd64-*) @@ -1275,7 +1275,7 @@ index 0dc552c..3b88105 100644 if test $ac_cv_sizeof_void_p = 8; then arch=x86_64 have_xaddq=yes -@@ -5607,6 +5670,8 @@ report() { +@@ -5534,6 +5597,8 @@ report() { echo " IPv6 support (--enable-ipv6)" test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \ echo " OpenSSL cryptography/DNSSEC (--with-openssl)" @@ -1284,7 +1284,7 @@ index 0dc552c..3b88105 100644 test "X$PYTHON" = "X" || echo " Python tools (--with-python)" test "X$XMLSTATS" = "X" || echo " XML statistics (--with-libxml2)" test "X$JSONSTATS" = "X" || echo " JSON statistics (--with-libjson)" -@@ -5647,6 +5712,8 @@ report() { +@@ -5574,6 +5639,8 @@ report() { echo " Very verbose query trace logging (--enable-querytrace)" test "no" = "$with_cmocka" || echo " CMocka Unit Testing Framework (--with-cmocka)" @@ -1293,7 +1293,7 @@ index 0dc552c..3b88105 100644 echo " Dynamically loadable zone (DLZ) drivers:" test "no" = "$use_dlz_bdb" || \ echo " Berkeley DB (--with-dlz-bdb)" -@@ -5694,6 +5761,8 @@ report() { +@@ -5621,6 +5688,8 @@ report() { echo " ECDSA algorithm support (--with-ecdsa)" test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \ echo " EDDSA algorithm support (--with-eddsa)" @@ -2016,10 +2016,10 @@ index 5b8a2c9..913a2ce 100644 * Define if the hash functions must be provided by OpenSSL. */ diff --git a/win32utils/Configure b/win32utils/Configure -index 93939f3..8bacf54 100644 +index 6f93814..4286baf 100644 --- a/win32utils/Configure +++ b/win32utils/Configure -@@ -381,6 +381,7 @@ my @substdefh = ("AES_CC", +@@ -378,6 +378,7 @@ my @substdefh = ("ALLOW_FILTER_AAAA", my %configdefp; my @substdefp = ("ISC_PLATFORM_BUSYWAITNOP", @@ -2027,7 +2027,7 @@ index 93939f3..8bacf54 100644 "ISC_PLATFORM_HAVEATOMICSTORE", "ISC_PLATFORM_HAVEATOMICSTOREQ", "ISC_PLATFORM_HAVECMPXCHG", -@@ -511,7 +512,8 @@ my @allcond = (@substcond, "NOTYET", "NOLONGER"); +@@ -508,7 +509,8 @@ my @allcond = (@substcond, "NOTYET", "NOLONGER"); # enable-xxx/disable-xxx @@ -2037,7 +2037,7 @@ index 93939f3..8bacf54 100644 "fixed-rrset", "intrinsics", "isc-spnego", -@@ -575,6 +577,7 @@ my @help = ( +@@ -572,6 +574,7 @@ my @help = ( "\nOptional Features:\n", " enable-intrinsics enable instrinsic/atomic functions [default=yes]\n", " enable-native-pkcs11 use native PKCS#11 for all crypto [default=no]\n", @@ -2045,7 +2045,7 @@ index 93939f3..8bacf54 100644 " enable-openssl-hash use OpenSSL for hash functions [default=yes]\n", " enable-isc-spnego use SPNEGO from lib/dns [default=yes]\n", " enable-filter-aaaa enable filtering of AAAA records [default=yes]\n", -@@ -620,7 +623,9 @@ my $want_clean = "no"; +@@ -617,7 +620,9 @@ my $want_clean = "no"; my $want_unknown = "no"; my $unknown_value; my $enable_intrinsics = "yes"; @@ -2055,7 +2055,7 @@ index 93939f3..8bacf54 100644 my $enable_openssl_hash = "auto"; my $enable_filter_aaaa = "yes"; my $enable_isc_spnego = "yes"; -@@ -840,6 +845,10 @@ sub myenable { +@@ -837,6 +842,10 @@ sub myenable { if ($val =~ /^yes$/i) { $enable_native_pkcs11 = "yes"; } @@ -2066,7 +2066,7 @@ index 93939f3..8bacf54 100644 } elsif ($key =~ /^openssl-hash$/i) { if ($val =~ /^yes$/i) { $enable_openssl_hash = "yes"; -@@ -1142,6 +1151,11 @@ if ($verbose) { +@@ -1139,6 +1148,11 @@ if ($verbose) { } else { print "native-pkcs11: disabled\n"; } @@ -2078,7 +2078,7 @@ index 93939f3..8bacf54 100644 if ($enable_openssl_hash eq "yes") { print "openssl-hash: enabled\n"; } else { -@@ -1500,6 +1514,7 @@ if ($enable_intrinsics eq "yes") { +@@ -1497,6 +1511,7 @@ if ($enable_intrinsics eq "yes") { # enable-native-pkcs11 if ($enable_native_pkcs11 eq "yes") { @@ -2086,7 +2086,7 @@ index 93939f3..8bacf54 100644 if ($use_openssl eq "auto") { $use_openssl = "no"; } -@@ -1709,6 +1724,7 @@ if ($use_openssl eq "yes") { +@@ -1706,6 +1721,7 @@ if ($use_openssl eq "yes") { $openssl_dll = File::Spec->catdir($openssl_path, "@dirlist[0]"); } @@ -2094,10 +2094,10 @@ index 93939f3..8bacf54 100644 $configcond{"OPENSSL"} = 1; $configdefd{"CRYPTO"} = "OPENSSL"; $configvar{"OPENSSL_PATH"} = "$openssl_path"; -@@ -2260,6 +2276,15 @@ if ($cookie_algorithm eq "sha1") { - die "Unrecognized cookie algorithm: $cookie_algorithm\n"; +@@ -2242,6 +2258,15 @@ if ($use_aes eq "yes") { } + +# enable-crypto-rand +if ($enable_crypto_rand eq "yes") { + if (($use_openssl eq "no") && ($enable_native_pkcs11 eq "no")) { @@ -2110,7 +2110,7 @@ index 93939f3..8bacf54 100644 # enable-openssl-hash if ($enable_openssl_hash eq "yes") { if ($use_openssl eq "no") { -@@ -3635,6 +3660,7 @@ exit 0; +@@ -3617,6 +3642,7 @@ exit 0; # --enable-developer partially supported # --enable-newstats (9.9/9.9sub only) # --enable-native-pkcs11 supported