From bf6ee26309c2a3236ec264962fc19356dcca7548 Mon Sep 17 00:00:00 2001
From: Petr Menšík
Date: Nov 26 2019 19:20:30 +0000
Subject: Adjust patches to 9.11.12 Few changes occured, remove one upstream applied patch.
---
diff --git a/bind-9.11-rh1647829.patch b/bind-9.11-rh1647829.patch
deleted file mode 100644
index ceec7fc..0000000
--- a/bind-9.11-rh1647829.patch
+++ /dev/null
@@ -1,86 +0,0 @@ -From 2eca7f5fa97a24997e4d8f900460ba43ae167e97 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= -Date: Tue, 29 Jan 2019 18:07:44 +0100 -Subject: [PATCH] Fallback to ASCII on output IDN conversion error - -It is possible dig used ACE encoded name in locale, which does not -support converting it to unicode. Instead of fatal error, fallback to -ACE name on output. - -(cherry picked from commit 7f4cb8f9584597fea16de6557124ac8b1bd47440) - -Modify idna test to fallback to ACE - -Test valid A-label on input would be displayed as A-label on output if -locale does not allow U-label. - -(cherry picked from commit 4ce232f8605bdbe0594ebe5a71383c9d4e6f263b) - -Emit warning on IDN output failure - -Warning is emitted before any dig headers. - -(cherry picked from commit 4b410038c531fbb902cd5fb83174eed1f06cb7d7) ---- - bin/dig/dighost.c | 15 +++++++++++++-- - bin/tests/system/idna/tests.sh | 17 +++++++++++++++++ - 2 files changed, 30 insertions(+), 2 deletions(-) - -diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c -index bb8702c..d7cfc33 100644 ---- a/bin/dig/dighost.c -+++ b/bin/dig/dighost.c -@@ -4860,9 +4860,20 @@ idn_ace_to_locale(const char *from, char *to, size_t tolen) { - */ - res = idn2_to_unicode_8zlz(utf8_src, &tmp_str, 0); - if (res != IDN2_OK) { -- fatal("Cannot represent '%s' in the current locale (%s), " -- "use +noidnout or a different locale", -+ static bool warned = false; -+ -+ res = idn2_to_ascii_8z(utf8_src, &tmp_str, 0); -+ if (res != IDN2_OK) { -+ fatal("Cannot represent '%s' " -+ "in the current locale nor ascii (%s), " -+ "use +noidnout or a different locale", - from, idn2_strerror(res)); -+ } else if (!warned) { -+ fprintf(stderr, ";; Warning: cannot represent '%s' " -+ "in the current locale", -+ tmp_str); -+ warned = true; -+ } - } - - /* -diff --git a/bin/tests/system/idna/tests.sh b/bin/tests/system/idna/tests.sh -index 6637bf6..215a9d5 100644 ---- a/bin/tests/system/idna/tests.sh -+++ 
b/bin/tests/system/idna/tests.sh -@@ -244,6 +244,23 @@ idna_enabled_test() { - idna_test "$text" "+idnin +noidnout" "xn--nxasmq6b.com" "xn--nxasmq6b.com." - idna_test "$text" "+idnin +idnout" "xn--nxasmq6b.com" "βόλοσ.com." - -+ # Test of valid A-label in locale that cannot display it -+ # -+ # +noidnout: The string is sent as-is to the server and the returned qname -+ # is displayed in the same form. -+ # +idnout: The string is sent as-is to the server and the returned qname -+ # is displayed as the corresponding A-label. -+ # -+ # The "+[no]idnout" flag has no effect in these cases. -+ text="Checking valid A-label in C locale" -+ label="xn--nxasmq6b.com" -+ LC_ALL=C idna_test "$text" "" "$label" "$label." -+ LC_ALL=C idna_test "$text" "+noidnin +noidnout" "$label" "$label." -+ LC_ALL=C idna_test "$text" "+noidnin +idnout" "$label" "$label." -+ LC_ALL=C idna_test "$text" "+idnin +noidnout" "$label" "$label." -+ LC_ALL=C idna_test "$text" "+idnin +idnout" "$label" "$label." -+ LC_ALL=C idna_test "$text" "+noidnin +idnout" "$label" "$label." -+ - - - # Tests of invalid A-labels --- -2.20.1 - diff --git a/bind-9.11-rt31459.patch b/bind-9.11-rt31459.patch index 8413061..ea25abe 100644 --- a/bind-9.11-rt31459.patch +++ b/bind-9.11-rt31459.patch @@ -1,4 +1,4 @@ -From 108a0f57f423a27995ac96272832278f4aa3a612 Mon Sep 17 00:00:00 2001 +From 7e61714a5d1509ec79af42391e41eb1afc53063a Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Tue, 12 Sep 2017 19:05:46 -0700 Subject: [PATCH] rebased rt31459c @@ -71,7 +71,7 @@ index 5015abb..295e16f 100644 &entropy_source, randomfile, diff --git a/bin/dnssec/dnssec-dsfromkey.c b/bin/dnssec/dnssec-dsfromkey.c -index 060892b..c2cc9c7 100644 +index 2c0c308..3e585af 100644 --- a/bin/dnssec/dnssec-dsfromkey.c +++ b/bin/dnssec/dnssec-dsfromkey.c @@ -494,14 +494,14 @@ main(int argc, char **argv) { 
@@ -92,7 +92,7 @@ index 060892b..c2cc9c7 100644 isc_entropy_stopcallbacksources(ectx); setup_logging(mctx, &log); -@@ -563,8 +563,8 @@ main(int argc, char **argv) { +@@ -571,8 +571,8 @@ main(int argc, char **argv) { if (dns_rdataset_isassociated(&rdataset)) dns_rdataset_disassociate(&rdataset); cleanup_logging(&log); @@ -293,7 +293,7 @@ index fbc7ece..31a99e7 100644 usekeyboard); diff --git a/bin/named/server.c b/bin/named/server.c -index c917cad..436a93a 100644 +index 7d85d3b..c782073 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -36,6 +36,7 @@ @@ -304,7 +304,7 @@ index c917cad..436a93a 100644 #include #include #include -@@ -8209,6 +8210,10 @@ load_configuration(const char *filename, ns_server_t *server, +@@ -8211,6 +8212,10 @@ load_configuration(const char *filename, ns_server_t *server, "no source of entropy found"); } else { const char *randomdev = cfg_obj_asstring(obj); @@ -315,14 +315,14 @@ index c917cad..436a93a 100644 int level = ISC_LOG_ERROR; result = isc_entropy_createfilesource(ns_g_entropy, randomdev); -@@ -8243,6 +8248,7 @@ load_configuration(const char *filename, ns_server_t *server, +@@ -8245,6 +8250,7 @@ load_configuration(const char *filename, ns_server_t *server, } isc_entropy_detach(&ns_g_fallbackentropy); } +#endif #endif } - } + diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c index bbb3936..0286987 100644 --- a/bin/nsupdate/nsupdate.c @@ -670,7 +670,7 @@ index 9f90dd7..fad6c83 100644 echo "I:failed" status=`expr $status + $ret` diff --git a/bin/tools/mdig.c b/bin/tools/mdig.c -index 53579d4..e2f6810 100644 +index bf6dbb6..0416b21 100644 --- a/bin/tools/mdig.c +++ b/bin/tools/mdig.c @@ -1972,12 +1972,11 @@ main(int argc, char *argv[]) { @@ -688,7 +688,7 @@ index 53579d4..e2f6810 100644 parse_args(false, argc, argv); if (server == NULL) diff --git a/configure b/configure -index 2a4d9ed..e4e8ea6 100755 +index ed002e0..a578874 100755 --- a/configure +++ b/configure @@ -640,6 +640,7 @@ ac_includes_default="\ 
@@ -699,7 +699,7 @@ index 2a4d9ed..e4e8ea6 100755 BUILD_LIBS BUILD_LDFLAGS BUILD_CPPFLAGS -@@ -823,6 +824,7 @@ XMLSTATS +@@ -821,6 +822,7 @@ XMLSTATS NZDTARGETS NZDSRCS NZD_TOOLS @@ -707,7 +707,7 @@ index 2a4d9ed..e4e8ea6 100755 PKCS11_TEST PKCS11_ED25519 PKCS11_GOST -@@ -1047,6 +1049,7 @@ with_eddsa +@@ -1045,6 +1047,7 @@ with_eddsa with_aes enable_openssl_hash with_cc_alg @@ -715,7 +715,7 @@ index 2a4d9ed..e4e8ea6 100755 with_lmdb with_libxml2 with_libjson -@@ -1746,6 +1749,7 @@ Optional Features: +@@ -1744,6 +1747,7 @@ Optional Features: --enable-threads enable multithreading --enable-native-pkcs11 use native PKCS11 for all crypto [default=no] --enable-openssl-hash use OpenSSL for hash functions [default=no] @@ -723,7 +723,7 @@ index 2a4d9ed..e4e8ea6 100755 --enable-largefile 64-bit file support --enable-backtrace log stack backtrace on abort [default=yes] --enable-symtable use internal symbol table for backtrace -@@ -17117,6 +17121,7 @@ case "$use_openssl" in +@@ -17115,6 +17119,7 @@ case "$use_openssl" in $as_echo "disabled because of native PKCS11" >&6; } DST_OPENSSL_INC="" CRYPTO="-DPKCS11CRYPTO" @@ -731,7 +731,7 @@ index 2a4d9ed..e4e8ea6 100755 OPENSSLECDSALINKOBJS="" OPENSSLECDSALINKSRCS="" OPENSSLEDDSALINKOBJS="" -@@ -17131,6 +17136,7 @@ $as_echo "disabled because of native PKCS11" >&6; } +@@ -17129,6 +17134,7 @@ $as_echo "disabled because of native PKCS11" >&6; } $as_echo "no" >&6; } DST_OPENSSL_INC="" CRYPTO="" @@ -739,7 +739,7 @@ index 2a4d9ed..e4e8ea6 100755 OPENSSLECDSALINKOBJS="" OPENSSLECDSALINKSRCS="" OPENSSLEDDSALINKOBJS="" -@@ -17143,6 +17149,7 @@ $as_echo "no" >&6; } +@@ -17141,6 +17147,7 @@ $as_echo "no" >&6; } auto) DST_OPENSSL_INC="" CRYPTO="" 
@@ -747,7 +747,7 @@ index 2a4d9ed..e4e8ea6 100755 OPENSSLECDSALINKOBJS="" OPENSSLECDSALINKSRCS="" OPENSSLEDDSALINKOBJS="" -@@ -17152,7 +17159,7 @@ $as_echo "no" >&6; } +@@ -17150,7 +17157,7 @@ $as_echo "no" >&6; } OPENSSLLINKOBJS="" OPENSSLLINKSRCS="" as_fn_error $? "OpenSSL was not found in any of $openssldirs; use --with-openssl=/path @@ -756,7 +756,7 @@ index 2a4d9ed..e4e8ea6 100755 ;; *) if test "yes" = "$want_native_pkcs11" -@@ -17183,6 +17190,7 @@ $as_echo "not found" >&6; } +@@ -17181,6 +17188,7 @@ $as_echo "not found" >&6; } as_fn_error $? "\"$use_openssl/include/openssl/opensslv.h\" not found" "$LINENO" 5 fi CRYPTO='-DOPENSSL' @@ -764,7 +764,7 @@ index 2a4d9ed..e4e8ea6 100755 if test "/usr" = "$use_openssl" then DST_OPENSSL_INC="" -@@ -17808,8 +17816,6 @@ fi +@@ -17806,8 +17814,6 @@ fi # Use OpenSSL for hash functions # @@ -773,7 +773,7 @@ index 2a4d9ed..e4e8ea6 100755 ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH" case $want_openssl_hash in yes) -@@ -18184,6 +18190,86 @@ if test "rt" = "$have_clock_gt"; then +@@ -18182,6 +18188,86 @@ if test "rt" = "$have_clock_gt"; then LIBS="-lrt $LIBS" fi @@ -860,7 +860,7 @@ index 2a4d9ed..e4e8ea6 100755 # # was --with-lmdb specified? # -@@ -20266,9 +20352,12 @@ _ACEOF +@@ -20264,9 +20350,12 @@ _ACEOF if ac_fn_c_try_compile "$LINENO"; then : { $as_echo "$as_me:${as_lineno-$LINENO}: result: size_t for buflen; int for flags" >&5 $as_echo "size_t for buflen; int for flags" >&6; } @@ -875,7 +875,7 @@ index 2a4d9ed..e4e8ea6 100755 $as_echo "#define IRS_GETNAMEINFO_FLAGS_T int" >>confdefs.h -@@ -21583,12 +21672,7 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM" +@@ -21581,12 +21670,7 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM" ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM" ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM" if test "yes" = "$use_atomic"; then 
@@ -889,7 +889,7 @@ index 2a4d9ed..e4e8ea6 100755 # version HP92453-01 B.11.11.23709.GP, which incorrectly rejects # declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. # This bug is HP SR number 8606223364. -@@ -21621,6 +21705,11 @@ cat >>confdefs.h <<_ACEOF +@@ -21619,6 +21703,11 @@ cat >>confdefs.h <<_ACEOF _ACEOF @@ -901,7 +901,7 @@ index 2a4d9ed..e4e8ea6 100755 if test $ac_cv_sizeof_void_p = 8; then arch=x86_64 have_xaddq=yes -@@ -21629,39 +21718,6 @@ _ACEOF +@@ -21627,39 +21716,6 @@ _ACEOF fi ;; x86_64-*|amd64-*) @@ -941,7 +941,7 @@ index 2a4d9ed..e4e8ea6 100755 if test $ac_cv_sizeof_void_p = 8; then arch=x86_64 have_xaddq=yes -@@ -21692,6 +21748,10 @@ $as_echo_n "checking architecture type for atomic operations... " >&6; } +@@ -21690,6 +21746,10 @@ $as_echo_n "checking architecture type for atomic operations... " >&6; } $as_echo "$arch" >&6; } fi @@ -952,7 +952,7 @@ index 2a4d9ed..e4e8ea6 100755 if test "yes" = "$have_atomic"; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking compiler support for inline assembly code" >&5 $as_echo_n "checking compiler support for inline assembly code... " >&6; } -@@ -24297,6 +24357,30 @@ CFLAGS="$CFLAGS $SO_CFLAGS" +@@ -24244,6 +24304,30 @@ CFLAGS="$CFLAGS $SO_CFLAGS" # dlzdir='${DLZ_DRIVER_DIR}' @@ -983,7 +983,7 @@ index 2a4d9ed..e4e8ea6 100755 # # Private autoconf macro to simplify configuring drivers: # -@@ -24627,11 +24711,11 @@ $as_echo "no" >&6; } +@@ -24574,11 +24658,11 @@ $as_echo "no" >&6; } $as_echo "using mysql with libs ${mysql_lib} and includes ${mysql_include}" >&6; } ;; *) @@ -998,7 +998,7 @@ index 2a4d9ed..e4e8ea6 100755 fi CONTRIB_DLZ="$CONTRIB_DLZ -DDLZ_MYSQL" -@@ -24716,7 +24800,7 @@ $as_echo "" >&6; } +@@ -24663,7 +24747,7 @@ $as_echo "" >&6; } # Check other locations for includes. # Order is important (sigh). 
@@ -1007,7 +1007,7 @@ index 2a4d9ed..e4e8ea6 100755 # include a blank element first for d in "" $bdb_incdirs do -@@ -24741,57 +24825,9 @@ $as_echo "" >&6; } +@@ -24688,57 +24772,9 @@ $as_echo "" >&6; } bdb_libnames="db53 db-5.3 db51 db-5.1 db48 db-4.8 db47 db-4.7 db46 db-4.6 db45 db-4.5 db44 db-4.4 db43 db-4.3 db42 db-4.2 db41 db-4.1 db" for d in $bdb_libnames do @@ -1067,7 +1067,7 @@ index 2a4d9ed..e4e8ea6 100755 break fi done -@@ -24950,10 +24986,10 @@ $as_echo "no" >&6; } +@@ -24897,10 +24933,10 @@ $as_echo "no" >&6; } DLZ_DRIVER_INCLUDES="$DLZ_DRIVER_INCLUDES -I$use_dlz_ldap/include" DLZ_DRIVER_LDAP_INCLUDES="-I$use_dlz_ldap/include" fi @@ -1081,7 +1081,7 @@ index 2a4d9ed..e4e8ea6 100755 fi -@@ -25039,11 +25075,11 @@ fi +@@ -24986,11 +25022,11 @@ fi odbcdirs="/usr /usr/local /usr/pkg" for d in $odbcdirs do @@ -1095,7 +1095,7 @@ index 2a4d9ed..e4e8ea6 100755 break fi done -@@ -25318,6 +25354,8 @@ DNS_CRYPTO_LIBS="$NEWFLAGS" +@@ -25265,6 +25301,8 @@ DNS_CRYPTO_LIBS="$NEWFLAGS" @@ -1104,7 +1104,7 @@ index 2a4d9ed..e4e8ea6 100755 # # Commands to run at the end of config.status. # Don't just put these into configure, it won't work right if somebody -@@ -27697,6 +27735,8 @@ report() { +@@ -27644,6 +27682,8 @@ report() { echo " IPv6 support (--enable-ipv6)" test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \ echo " OpenSSL cryptography/DNSSEC (--with-openssl)" @@ -1113,7 +1113,7 @@ index 2a4d9ed..e4e8ea6 100755 test "X$PYTHON" = "X" || echo " Python tools (--with-python)" test "X$XMLSTATS" = "X" || echo " XML statistics (--with-libxml2)" test "X$JSONSTATS" = "X" || echo " JSON statistics (--with-libjson)" -@@ -27737,6 +27777,8 @@ report() { +@@ -27684,6 +27724,8 @@ report() { echo " Very verbose query trace logging (--enable-querytrace)" test "no" = "$with_cmocka" || echo " CMocka Unit Testing Framework (--with-cmocka)" 
@@ -1122,7 +1122,7 @@ index 2a4d9ed..e4e8ea6 100755 echo " Dynamically loadable zone (DLZ) drivers:" test "no" = "$use_dlz_bdb" || \ echo " Berkeley DB (--with-dlz-bdb)" -@@ -27784,6 +27826,8 @@ report() { +@@ -27731,6 +27773,8 @@ report() { echo " ECDSA algorithm support (--with-ecdsa)" test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \ echo " EDDSA algorithm support (--with-eddsa)" @@ -1132,7 +1132,7 @@ index 2a4d9ed..e4e8ea6 100755 test "yes" = "$enable_seccomp" || \ echo " Use libseccomp system call filtering (--enable-seccomp)" diff --git a/configure.ac b/configure.ac -index 0e22d02..828581e 100644 +index 45a8126..bb1345b 100644 --- a/configure.ac +++ b/configure.ac @@ -1537,6 +1537,7 @@ case "$use_openssl" in @@ -1274,7 +1274,7 @@ index 0e22d02..828581e 100644 if test $ac_cv_sizeof_void_p = 8; then arch=x86_64 have_xaddq=yes -@@ -5534,6 +5597,8 @@ report() { +@@ -5527,6 +5590,8 @@ report() { echo " IPv6 support (--enable-ipv6)" test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \ echo " OpenSSL cryptography/DNSSEC (--with-openssl)" @@ -1283,7 +1283,7 @@ index 0e22d02..828581e 100644 test "X$PYTHON" = "X" || echo " Python tools (--with-python)" test "X$XMLSTATS" = "X" || echo " XML statistics (--with-libxml2)" test "X$JSONSTATS" = "X" || echo " JSON statistics (--with-libjson)" -@@ -5574,6 +5639,8 @@ report() { +@@ -5567,6 +5632,8 @@ report() { echo " Very verbose query trace logging (--enable-querytrace)" test "no" = "$with_cmocka" || echo " CMocka Unit Testing Framework (--with-cmocka)" @@ -1292,7 +1292,7 @@ index 0e22d02..828581e 100644 echo " Dynamically loadable zone (DLZ) drivers:" test "no" = "$use_dlz_bdb" || \ echo " Berkeley DB (--with-dlz-bdb)" -@@ -5621,6 +5688,8 @@ report() { +@@ -5614,6 +5681,8 @@ report() { echo " ECDSA algorithm support (--with-ecdsa)" test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \ echo " EDDSA algorithm support (--with-eddsa)" 
@@ -1302,10 +1302,10 @@ index 0e22d02..828581e 100644 test "yes" = "$enable_seccomp" || \ echo " Use libseccomp system call filtering (--enable-seccomp)" diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c -index 320c0f8..b55ebe0 100644 +index ec6e00e..1614afa 100644 --- a/lib/dns/dst_api.c +++ b/lib/dns/dst_api.c -@@ -276,6 +276,12 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx, +@@ -277,6 +277,12 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx, #ifdef GSSAPI RETERR(dst__gssapi_init(&dst_t_func[DST_ALG_GSSAPI])); #endif @@ -1318,7 +1318,7 @@ index 320c0f8..b55ebe0 100644 dst_initialized = true; return (ISC_R_SUCCESS); -@@ -295,11 +301,19 @@ dst_lib_destroy(void) { +@@ -296,11 +302,19 @@ dst_lib_destroy(void) { for (i = 0; i < DST_MAX_ALGS; i++) if (dst_t_func[i] != NULL && dst_t_func[i]->cleanup != NULL) dst_t_func[i]->cleanup(); @@ -1338,7 +1338,7 @@ index 320c0f8..b55ebe0 100644 if (dst__memory_pool != NULL) isc_mem_detach(&dst__memory_pool); if (dst_entropy_pool != NULL) -@@ -2001,13 +2015,17 @@ dst__entropy_getdata(void *buf, unsigned int len, bool pseudo) { +@@ -2002,13 +2016,17 @@ dst__entropy_getdata(void *buf, unsigned int len, bool pseudo) { flags &= ~ISC_ENTROPY_GOODONLY; else flags |= ISC_ENTROPY_BLOCKING; @@ -1357,7 +1357,7 @@ index 320c0f8..b55ebe0 100644 #ifdef GSSAPI unsigned int flags = dst_entropy_flags; isc_result_t ret; -@@ -2030,6 +2048,7 @@ dst__entropy_status(void) { +@@ -2031,6 +2049,7 @@ dst__entropy_status(void) { #endif return (isc_entropy_status(dst_entropy_pool)); #else @@ -1973,7 +1973,7 @@ index 42ff7e0..8d87c44 100644 typedef int (*isc_sockfdwatch_t)(isc_task_t *, isc_socket_t *, void *, int); diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c -index 7809e7b..c43357a 100644 +index 8e6ed93..ceb5a2c 100644 --- a/lib/isc/pk11.c +++ b/lib/isc/pk11.c @@ -321,14 +321,16 @@ pk11_rand_seed_fromfile(const char *randomfile) { 
@@ -2015,10 +2015,10 @@ index 5b8a2c9..913a2ce 100644 * Define if the hash functions must be provided by OpenSSL. */ diff --git a/win32utils/Configure b/win32utils/Configure -index 6f93814..4286baf 100644 +index ccaf067..240fb80 100644 --- a/win32utils/Configure +++ b/win32utils/Configure -@@ -378,6 +378,7 @@ my @substdefh = ("ALLOW_FILTER_AAAA", +@@ -382,6 +382,7 @@ my @substdefh = ("ALLOW_FILTER_AAAA", my %configdefp; my @substdefp = ("ISC_PLATFORM_BUSYWAITNOP", @@ -2026,7 +2026,7 @@ index 6f93814..4286baf 100644 "ISC_PLATFORM_HAVEATOMICSTORE", "ISC_PLATFORM_HAVEATOMICSTOREQ", "ISC_PLATFORM_HAVECMPXCHG", -@@ -508,7 +509,8 @@ my @allcond = (@substcond, "NOTYET", "NOLONGER"); +@@ -517,7 +518,8 @@ my @allcond = (@substcond, "NOTYET", "NOLONGER"); # enable-xxx/disable-xxx @@ -2036,7 +2036,7 @@ index 6f93814..4286baf 100644 "fixed-rrset", "intrinsics", "isc-spnego", -@@ -572,6 +574,7 @@ my @help = ( +@@ -581,6 +583,7 @@ my @help = ( "\nOptional Features:\n", " enable-intrinsics enable instrinsic/atomic functions [default=yes]\n", " enable-native-pkcs11 use native PKCS#11 for all crypto [default=no]\n", @@ -2044,7 +2044,7 @@ index 6f93814..4286baf 100644 " enable-openssl-hash use OpenSSL for hash functions [default=yes]\n", " enable-isc-spnego use SPNEGO from lib/dns [default=yes]\n", " enable-filter-aaaa enable filtering of AAAA records [default=yes]\n", -@@ -617,7 +620,9 @@ my $want_clean = "no"; +@@ -630,7 +633,9 @@ my $want_clean = "no"; my $want_unknown = "no"; my $unknown_value; my $enable_intrinsics = "yes"; @@ -2054,7 +2054,7 @@ index 6f93814..4286baf 100644 my $enable_openssl_hash = "auto"; my $enable_filter_aaaa = "yes"; my $enable_isc_spnego = "yes"; -@@ -837,6 +842,10 @@ sub myenable { +@@ -850,6 +855,10 @@ sub myenable { if ($val =~ /^yes$/i) { $enable_native_pkcs11 = "yes"; } 
@@ -2065,7 +2065,7 @@ index 6f93814..4286baf 100644 } elsif ($key =~ /^openssl-hash$/i) { if ($val =~ /^yes$/i) { $enable_openssl_hash = "yes"; -@@ -1139,6 +1148,11 @@ if ($verbose) { +@@ -1158,6 +1167,11 @@ if ($verbose) { } else { print "native-pkcs11: disabled\n"; } @@ -2077,7 +2077,7 @@ index 6f93814..4286baf 100644 if ($enable_openssl_hash eq "yes") { print "openssl-hash: enabled\n"; } else { -@@ -1497,6 +1511,7 @@ if ($enable_intrinsics eq "yes") { +@@ -1516,6 +1530,7 @@ if ($enable_intrinsics eq "yes") { # enable-native-pkcs11 if ($enable_native_pkcs11 eq "yes") { @@ -2085,7 +2085,7 @@ index 6f93814..4286baf 100644 if ($use_openssl eq "auto") { $use_openssl = "no"; } -@@ -1706,6 +1721,7 @@ if ($use_openssl eq "yes") { +@@ -1725,6 +1740,7 @@ if ($use_openssl eq "yes") { $openssl_dll = File::Spec->catdir($openssl_path, "@dirlist[0]"); } @@ -2093,7 +2093,7 @@ index 6f93814..4286baf 100644 $configcond{"OPENSSL"} = 1; $configdefd{"CRYPTO"} = "OPENSSL"; $configvar{"OPENSSL_PATH"} = "$openssl_path"; -@@ -2242,6 +2258,15 @@ if ($use_aes eq "yes") { +@@ -2296,6 +2312,15 @@ if ($use_aes eq "yes") { } @@ -2109,7 +2109,7 @@ index 6f93814..4286baf 100644 # enable-openssl-hash if ($enable_openssl_hash eq "yes") { if ($use_openssl eq "no") { -@@ -3617,6 +3642,7 @@ exit 0; +@@ -3671,6 +3696,7 @@ exit 0; # --enable-developer partially supported # --enable-newstats (9.9/9.9sub only) # --enable-native-pkcs11 supported diff --git a/bind-9.11-rt46047.patch b/bind-9.11-rt46047.patch index 4f8181d..4bb47e8 100644 --- a/bind-9.11-rt46047.patch +++ b/bind-9.11-rt46047.patch @@ -1,4 +1,4 @@ -From ab9ee91f596c14cfc55a67ba3523b42a54e3e244 Mon Sep 17 00:00:00 2001 +From 4c7b644910e21e690e5f51d5596a9fe46d9c7b7a Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Thu, 28 Sep 2017 10:09:22 -0700 Subject: [PATCH] completed and corrected the crypto-random change 
@@ -39,14 +39,16 @@ Subject: [PATCH] completed and corrected the crypto-random change bin/tests/system/tkey/keycreate.c | 4 +- bin/tests/system/tkey/keydelete.c | 5 +-- doc/arm/Bv9ARM-book.xml | 55 +++++++++++++++++------- - doc/arm/notes.xml | 31 +++++++++++++ + doc/arm/notes-rh-changes.xml | 43 ++++++++++++++++++ + doc/arm/notes.xml | 1 + lib/dns/dst_api.c | 4 +- lib/dns/include/dst/dst.h | 14 +++++- lib/dns/openssl_link.c | 3 +- lib/isc/include/isc/entropy.h | 50 +++++++++++++++------ lib/isc/include/isc/random.h | 28 +++++++----- lib/isccfg/namedconf.c | 2 +- - 22 files changed, 228 insertions(+), 106 deletions(-) + 23 files changed, 241 insertions(+), 106 deletions(-) + create mode 100644 doc/arm/notes-rh-changes.xml diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c index 295e16f..0f79aa8 100644 @@ -140,10 +142,10 @@ index 31a99e7..38c83ed 100644 usekeyboard); diff --git a/bin/named/client.c b/bin/named/client.c -index 29fecad..a12623a 100644 +index 2169954..c6c59f7 100644 --- a/bin/named/client.c +++ b/bin/named/client.c -@@ -1752,7 +1752,8 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message, +@@ -1754,7 +1754,8 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message, isc_buffer_init(&buf, cookie, sizeof(cookie)); isc_stdtime_get(&now); @@ -154,10 +156,10 @@ index 29fecad..a12623a 100644 compute_cookie(client, now, nonce, ns_g_server->secret, &buf); diff --git a/bin/named/config.c b/bin/named/config.c -index a153172..8d46bc3 100644 +index de64ca5..833c1dc 100644 --- a/bin/named/config.c +++ b/bin/named/config.c -@@ -93,7 +93,9 @@ options {\n\ +@@ -98,7 +98,9 @@ options {\n\ # pid-file \"" NS_LOCALSTATEDIR "/run/named/named.pid\"; /* or /lwresd.pid */\n\ port 53;\n\ prefetch 2 9;\n" @@ -241,7 +243,7 @@ index f5ed2b7..b2c1d05 100644 struct ns_altsecret { diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c -index 135533b..4546831 100644 +index 9bd1f93..851d3c9 100644 --- a/bin/named/interfacemgr.c 
+++ b/bin/named/interfacemgr.c @@ -17,6 +17,7 @@ @@ -253,7 +255,7 @@ index 135533b..4546831 100644 #include #include diff --git a/bin/named/query.c b/bin/named/query.c -index f85cc76..43a3661 100644 +index 86417c7..55b7b7c 100644 --- a/bin/named/query.c +++ b/bin/named/query.c @@ -19,6 +19,7 @@ @@ -265,10 +267,10 @@ index f85cc76..43a3661 100644 #include #include diff --git a/bin/named/server.c b/bin/named/server.c -index 405ff71..700f83d 100644 +index c782073..bc59cbc 100644 --- a/bin/named/server.c +++ b/bin/named/server.c -@@ -8203,21 +8203,32 @@ load_configuration(const char *filename, ns_server_t *server, +@@ -8204,21 +8204,32 @@ load_configuration(const char *filename, ns_server_t *server, * Open the source of entropy. */ if (first_time) { @@ -310,7 +312,7 @@ index 405ff71..700f83d 100644 #ifdef PATH_RANDOMDEV if (ns_g_fallbackentropy != NULL) { level = ISC_LOG_INFO; -@@ -8228,8 +8239,8 @@ load_configuration(const char *filename, ns_server_t *server, +@@ -8229,8 +8240,8 @@ load_configuration(const char *filename, ns_server_t *server, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, level, @@ -321,15 +323,15 @@ index 405ff71..700f83d 100644 randomdev, isc_result_totext(result)); } -@@ -8249,7 +8260,6 @@ load_configuration(const char *filename, ns_server_t *server, +@@ -8250,7 +8261,6 @@ load_configuration(const char *filename, ns_server_t *server, } isc_entropy_detach(&ns_g_fallbackentropy); } -#endif #endif } - } -@@ -9014,6 +9024,7 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) { + +@@ -9018,6 +9028,7 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) { server->in_roothints = NULL; server->blackholeacl = NULL; server->keepresporder = NULL; 
@@ -337,7 +339,7 @@ index 405ff71..700f83d 100644 /* Must be first. */ CHECKFATAL(dst_lib_init2(ns_g_mctx, ns_g_entropy, -@@ -9040,6 +9051,9 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) { +@@ -9044,6 +9055,9 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) { CHECKFATAL(dns_tkeyctx_create(ns_g_mctx, ns_g_entropy, &server->tkeyctx), "creating TKEY context"); @@ -347,7 +349,7 @@ index 405ff71..700f83d 100644 /* * Setup the server task, which is responsible for coordinating -@@ -9246,7 +9260,8 @@ ns_server_destroy(ns_server_t **serverp) { +@@ -9250,7 +9264,8 @@ ns_server_destroy(ns_server_t **serverp) { if (server->zonemgr != NULL) dns_zonemgr_detach(&server->zonemgr); @@ -357,7 +359,7 @@ index 405ff71..700f83d 100644 if (server->tkeyctx != NULL) dns_tkeyctx_destroy(&server->tkeyctx); -@@ -13197,10 +13212,10 @@ newzone_cfgctx_destroy(void **cfgp) { +@@ -13221,10 +13236,10 @@ newzone_cfgctx_destroy(void **cfgp) { static isc_result_t generate_salt(unsigned char *salt, size_t saltlen) { @@ -370,7 +372,7 @@ index 405ff71..700f83d 100644 } rnd; unsigned char text[512 + 1]; isc_region_t r; -@@ -13210,9 +13225,10 @@ generate_salt(unsigned char *salt, size_t saltlen) { +@@ -13234,9 +13249,10 @@ generate_salt(unsigned char *salt, size_t saltlen) { if (saltlen > 256U) return (ISC_R_RANGE); @@ -400,10 +402,10 @@ index 0286987..0376377 100644 } #endif diff --git a/bin/tests/system/pipelined/pipequeries.c b/bin/tests/system/pipelined/pipequeries.c -index 7b4f617..507bf0a 100644 +index f0a6ff2..55064f6 100644 --- a/bin/tests/system/pipelined/pipequeries.c +++ b/bin/tests/system/pipelined/pipequeries.c -@@ -282,9 +282,7 @@ main(int argc, char *argv[]) { +@@ -280,9 +280,7 @@ main(int argc, char *argv[]) { ectx = NULL; RUNCHECK(isc_entropy_create(mctx, &ectx)); #ifdef ISC_PLATFORM_CRYPTORANDOM @@ -453,10 +455,10 @@ index 2146f9b..64b8e74 100644 } #endif 
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml -index b40cb05..8a81438 100644 +index 9bf100f..c161e71 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml -@@ -5071,22 +5071,45 @@ badresp:1,adberr:0,findfail:0,valfail:0] +@@ -5076,22 +5076,45 @@ badresp:1,adberr:0,findfail:0,valfail:0] random-device @@ -518,53 +520,72 @@ index b40cb05..8a81438 100644 +diff --git a/doc/arm/notes-rh-changes.xml b/doc/arm/notes-rh-changes.xml +new file mode 100644 +index 0000000..11c3a7c +--- /dev/null ++++ b/doc/arm/notes-rh-changes.xml +@@ -0,0 +1,43 @@ ++ ++ ++ ++
Red Hat Specific Changes ++ ++ ++ ++ By default, BIND now uses the random number generation functions ++ in the cryptographic library (i.e., OpenSSL or a PKCS#11 ++ provider) as a source of high-quality randomness rather than ++ /dev/random. This is suitable for virtual ++ machine environments, which may have limited entropy pools and ++ lack hardware random number generators. ++ ++ ++ This can be overridden by specifying another entropy source via ++ the random-device option in ++ named.conf, or via the -r ++ command line option. However, for functions requiring full ++ cryptographic strength, such as DNSSEC key generation, this ++ cannot be overridden. In particular, the ++ -r command line option no longer has any ++ effect on dnssec-keygen. ++ ++ ++ This can be disabled by building with ++ configure --disable-crypto-rand, in which ++ case /dev/random will be the default ++ entropy source. [RT #31459] [RT #46047] ++ ++ ++ ++
++ diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml -index 00ce8f1..527135a 100644 +index 3a9cfcf..ded2000 100644 --- a/doc/arm/notes.xml +++ b/doc/arm/notes.xml -@@ -124,6 +124,37 @@ - - - -+
Red Hat Specific Changes -+ -+ -+ -+ By default, BIND now uses the random number generation functions -+ in the cryptographic library (i.e., OpenSSL or a PKCS#11 -+ provider) as a source of high-quality randomness rather than -+ /dev/random. This is suitable for virtual -+ machine environments, which may have limited entropy pools and -+ lack hardware random number generators. -+ -+ -+ This can be overridden by specifying another entropy source via -+ the random-device option in -+ named.conf, or via the -r -+ command line option. However, for functions requiring full -+ cryptographic strength, such as DNSSEC key generation, this -+ cannot be overridden. In particular, the -+ -r command line option no longer has any -+ effect on dnssec-keygen. -+ -+ -+ This can be disabled by building with -+ configure --disable-crypto-rand, in which -+ case /dev/random will be the default -+ entropy source. [RT #31459] [RT #46047] -+ -+ -+ -+
-+ -
End of Life - - BIND 9.11 (Extended Support Version) will be supported until at +@@ -23,6 +23,7 @@ + + + ++ + + +
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c -index b55ebe0..d2b43d3 100644 +index 1614afa..0f52df9 100644 --- a/lib/dns/dst_api.c +++ b/lib/dns/dst_api.c -@@ -2016,10 +2016,12 @@ dst__entropy_getdata(void *buf, unsigned int len, bool pseudo) { +@@ -2017,10 +2017,12 @@ dst__entropy_getdata(void *buf, unsigned int len, bool pseudo) { else flags |= ISC_ENTROPY_BLOCKING; #ifdef ISC_PLATFORM_CRYPTORANDOM @@ -761,7 +782,7 @@ index f8aed34..17c551b 100644 ISC_LANG_ENDDECLS diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c -index fbc62cc..9cad61d 100644 +index 03890a3..7bad989 100644 --- a/lib/isccfg/namedconf.c +++ b/lib/isccfg/namedconf.c @@ -1109,7 +1109,7 @@ options_clauses[] = { diff --git a/bind.spec b/bind.spec index e9805d0..7bb38f5 100644 --- a/bind.spec +++ b/bind.spec @@ -137,8 +137,6 @@ Patch161:bind-9.11-host-idn-disable.patch Patch163:bind-9.11-rh1663318.patch # https://gitlab.isc.org/isc-projects/bind9/issues/819 Patch164:bind-9.11-rh1666814.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=1647829 -Patch165:bind-9.11-rh1647829.patch # random_test fails too often by random, disable it Patch168:bind-9.11-unit-disable-random.patch Patch170:bind-9.11-feature-test-named.patch @@ -518,7 +516,6 @@ are used for building ISC DHCP. %patch161 -p1 -b .host-idn-disable %patch163 -p1 -b .rh1663318 %patch164 -p1 -b .rh1666814 -%patch165 -p1 -b .rh1647829 %patch168 -p1 -b .random_test-disable %patch170 -p1 -b .featuretest-named %patch171 -p1 -b .test-variant