The package rpms/bind.git has added or updated architecture specific content in its
spec file (ExclusiveArch/ExcludeArch or %ifarch/%ifnarch) in commit(s):
https://src.fedoraproject.org/cgit/rpms/bind.git/commit/?id=219b0e889f74e....
Change:
-%ifnarch alpha ia64
Thanks.
Full change:
============
commit fd11bcc212a10ae3ce6ec9eb0f10553c4454d63a
Author: Petr Menk <pemensik(a)redhat.com>
Date: Fri May 3 15:55:24 2019 +0200
Revert "Move dnssec related tools to bind-dnssec-utils"
This reverts commit 2830e00b88ea8bb956e0cdeb6f205fc72741b167.
diff --git a/bind.spec b/bind.spec
index 34c6c31..9da1b90 100644
--- a/bind.spec
+++ b/bind.spec
@@ -169,7 +169,6 @@ Provides: dnssec-conf = 1.27-2
# in case it needs to be used
Requires(post): ((policycoreutils-python-utils and libselinux-utils) if
(selinux-policy-targeted or selinux-policy-mls))
Requires(post): ((selinux-policy and selinux-policy-base) if (selinux-policy-targeted or
selinux-policy-mls))
-Recommends: bind-utils bind-dnssec-utils
BuildRequires: gcc, make
BuildRequires: openssl-devel, libtool, autoconf, pkgconfig, libcap-devel
BuildRequires: libidn2-devel, libxml2-devel, GeoIP-devel
@@ -307,14 +306,9 @@ Contains license of the BIND DNS suite.
%package utils
Summary: Utilities for querying DNS name servers
-Requires: bind-libs-lite%{?_isa} = %{epoch}:%{version}-%{release}
Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release}
-# TODO: this is just temporary workaround until all packages depending on
-# bind-utils can be satisfied without dnssec-utils
-# It will be removed after some time, or changed to Recommends
-Suggests: bind-dnssec-utils
-# For compatibility with Debian package
-Provides: dnsutils = %{epoch}:%{version}-%{release}
+Requires: bind-libs-lite%{?_isa} = %{epoch}:%{version}-%{release}
+Requires: python3-bind = %{epoch}:%{version}-%{release}
%description utils
Bind-utils contains a collection of utilities for querying DNS (Domain
@@ -326,20 +320,6 @@ network addresses.
You should install bind-utils if you need to get information from DNS name
servers.
-%package dnssec-utils
-Summary: Utilities for DNSSEC keys and DNS zone files management
-Requires: bind-libs-lite%{?_isa} = %{epoch}:%{version}-%{release}
-Recommends: bind-utils
-Requires: python3-bind = %{epoch}:%{version}-%{release}
-
-%description dnssec-utils
-Bind-dnssec-utils contains a collection of utilities for editing
-DNSSEC keys and BIND zone files. These tools provide generation,
-revocation and verification of keys and DNSSEC signatures in zone files.
-
-You should install bind-dnssec-utils if you need to sign a DNS zone
-or maintain keys for it.
-
%if %{with DEVEL}
%package devel
Summary: Header files and libraries needed for BIND DNS development
@@ -1280,19 +1260,6 @@ fi;
%{_bindir}/nslookup
%{_bindir}/nsupdate
%{_bindir}/arpaname
-%if %{with DNSTAP}
-%{_bindir}/dnstap-read
-%{_mandir}/man1/dnstap-read.1*
-%endif
-%{_mandir}/man1/host.1*
-%{_mandir}/man1/nsupdate.1*
-%{_mandir}/man1/dig.1*
-%{_mandir}/man1/delv.1*
-%{_mandir}/man1/nslookup.1*
-%{_mandir}/man1/arpaname.1*
-%{_sysconfdir}/trusted-key.key
-
-%files dnssec-utils
%{_sbindir}/ddns-confgen
%{_sbindir}/tsig-keygen
%{_sbindir}/genrandom
@@ -1307,6 +1274,16 @@ fi;
%if %{with LMDB}
%{_sbindir}/named-nzd2nzf
%endif
+%if %{with DNSTAP}
+%{_bindir}/dnstap-read
+%{_mandir}/man1/dnstap-read.1*
+%endif
+%{_mandir}/man1/host.1*
+%{_mandir}/man1/nsupdate.1*
+%{_mandir}/man1/dig.1*
+%{_mandir}/man1/delv.1*
+%{_mandir}/man1/nslookup.1*
+%{_mandir}/man1/arpaname.1*
%{_mandir}/man8/ddns-confgen.8*
%{_mandir}/man8/tsig-keygen.8*
%{_mandir}/man8/genrandom.8*
@@ -1321,6 +1298,7 @@ fi;
%if %{with LMDB}
%{_mandir}/man8/named-nzd2nzf.8*
%endif
+%{_sysconfdir}/trusted-key.key
%if %{with DEVEL}
%files devel
commit f6f181d9d55ccc62c08001c6d30f9c7a3a5412d1
Author: Petr Menk <pemensik(a)redhat.com>
Date: Fri May 3 15:53:27 2019 +0200
Update to 9.11.6-P1
Finish merge from more recent branches, cleanup changelog changes not
relevant to this branch.
diff --git a/bind.spec b/bind.spec
index 5b40270..34c6c31 100644
--- a/bind.spec
+++ b/bind.spec
@@ -53,7 +53,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name
System) serv
Name: bind
License: MPLv2.0
Version: 9.11.6
-Release: 0%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
+Release: 1%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
Epoch: 32
Url:
https://www.isc.org/downloads/bind/
#
@@ -1519,6 +1519,9 @@ fi;
%changelog
+* Fri May 03 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.6-1.P1
+- Update to 9.11.6-P1 (#1702881)
+
* Fri Feb 22 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-4.P4
- Update to 9.11.5-P4
@@ -1532,45 +1535,10 @@ fi;
- disable IDN output from scripts
- Update project URL
- Removed revoked KSK 19164 from trusted keys
-* Thu Feb 21 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-11.P1
-- Disable often failing unit test random_test
-
-* Thu Feb 21 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-10.P1
-- Disable autodetected eddsa algorithm ED448
-
-* Thu Jan 31 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-9.P1
-- dig prints ASCII name instead of failure (#1647829)
-- disable IDN output from scripts
-- Update project URL
-- Removed revoked KSK 19164 from trusted keys
-
-* Thu Jan 31 2019 Fedora Release Engineering <releng(a)fedoraproject.org> -
32:9.11.5-8.P1
-- Rebuilt for
https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
-
-* Sun Jan 27 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-7.P1
-- Update to 9.11.5-P1
-
-* Wed Jan 23 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-6
-- Reenable crypto rand for DHCP, disable just entropy check (#1663318)
-
-* Thu Jan 17 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-5
-- Move dnssec related tools from bind-utils to bind-dnssec-utils (#1649398)
-
-* Wed Jan 16 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-4
-- Reject invalid binary file (#1666814)
-
-* Mon Jan 14 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-3
-- Disable crypto rand for DHCP (#1663318)
-
-* Thu Oct 25 2018 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-2
-- Add optional support for JSON statistics
-- Add optional DNSTAP support (#1564776), new dnstap-read tool
* Wed Oct 24 2018 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-1
- Update to 9.11.5
-* Mon Jan 14 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.4-13.P2
-- Disable crypto rand for DHCP (#1663318)
* Tue Oct 02 2018 Petr Menk <pemensik(a)redhat.com> - 32:9.11.4-12.P2
- Add Requires to devel packages referenced by bind-devel
commit 3e06916fb7d69295eb19b2e7d0d3238c4dc8300b
Author: Petr Menk <pemensik(a)redhat.com>
Date: Fri May 3 15:39:13 2019 +0200
Revert "Enable LMDB support"
This reverts commit ec6f94669ad65412d41dfefc0f43e8bec2da7994.
diff --git a/bind.spec b/bind.spec
index 7f77ba8..5b40270 100644
--- a/bind.spec
+++ b/bind.spec
@@ -15,8 +15,8 @@
# due to extensive changes to Makefiles
%bcond_without PKCS11
%bcond_without DEVEL
+%bcond_with LMDB
%bcond_with JSON
-%bcond_without LMDB
%bcond_with DNSTAP
%bcond_with DLZ
%bcond_without EXPORT_LIBS
commit 9b172b6d29ef6ab30497e12c9537cbfa698a8f77
Author: Petr Menk <pemensik(a)redhat.com>
Date: Fri May 3 15:37:44 2019 +0200
Revert "Enable json statistics format"
This reverts commit d3fe8d6248ba08cb0c343f81f25d815bba173190.
diff --git a/bind.spec b/bind.spec
index 24c1bf6..7f77ba8 100644
--- a/bind.spec
+++ b/bind.spec
@@ -15,8 +15,8 @@
# due to extensive changes to Makefiles
%bcond_without PKCS11
%bcond_without DEVEL
+%bcond_with JSON
%bcond_without LMDB
-%bcond_without JSON
%bcond_with DNSTAP
%bcond_with DLZ
%bcond_without EXPORT_LIBS
@@ -1571,8 +1571,6 @@ fi;
* Mon Jan 14 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.4-13.P2
- Disable crypto rand for DHCP (#1663318)
-- Enable json format in statistics-channel
-
* Tue Oct 02 2018 Petr Menk <pemensik(a)redhat.com> - 32:9.11.4-12.P2
- Add Requires to devel packages referenced by bind-devel
commit 65cf5aa6e0ffd5fb7522162a0c0eef6604cbca60
Author: Petr Menk <pemensik(a)redhat.com>
Date: Fri May 3 15:35:58 2019 +0200
Revert "Enable DNSTAP (#1564776)"
This reverts commit f0b6f15ced5af5f309ccbfe35c6ec38ddca7b619.
diff --git a/bind.spec b/bind.spec
index ff220d7..24c1bf6 100644
--- a/bind.spec
+++ b/bind.spec
@@ -17,7 +17,7 @@
%bcond_without DEVEL
%bcond_without LMDB
%bcond_without JSON
-%bcond_without DNSTAP
+%bcond_with DNSTAP
%bcond_with DLZ
%bcond_without EXPORT_LIBS
%if 0%{?fedora} >= 28
@@ -1532,7 +1532,6 @@ fi;
- disable IDN output from scripts
- Update project URL
- Removed revoked KSK 19164 from trusted keys
-
* Thu Feb 21 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-11.P1
- Disable often failing unit test random_test
commit c1ece0be9b77d42f0876c21b02f9e3eb328e857f
Merge: 3a9a611 36d3753
Author: Petr Menk <pemensik(a)redhat.com>
Date: Fri May 3 15:32:35 2019 +0200
Merge branch 'f30' into f29
diff --cc bind.spec
index b5b836c,f5ba390..ff220d7
--- a/bind.spec
+++ b/bind.spec
@@@ -51,8 -52,8 +52,8 @@@
Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server
Name: bind
License: MPLv2.0
- Version: 9.11.5
- Release: 4%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
+ Version: 9.11.6
-Release: 3%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
++Release: 0%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
Epoch: 32
Url:
https://www.isc.org/downloads/bind/
#
@@@ -1461,27 -1519,66 +1519,61 @@@ fi
%changelog
-* Thu May 02 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.6-3.P1
-- Fix inefective limit of TCP clients (CVE-2018-5743)
-
-* Thu Mar 14 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.6-2
-- Fix dnstap and timer issues in unit test
-
-* Tue Mar 05 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.6-1
-- Update to 9.11.6
-
-* Fri Mar 01 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-15.P4
-- Support testing of named variants
-
-* Thu Feb 28 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-14.P4
-- Modify feature-test detection of dlz-filesystem
-
-* Fri Feb 22 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-13.P4
+* Fri Feb 22 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-4.P4
- Update to 9.11.5-P4
-* Fri Feb 22 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-12.P1
-- Enable DNSTAP support (#1564776)
-- Enable LMDB support for rndc addzone
-- Enable json format in statistics-channel
+* Thu Feb 21 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-3.P1
+- Disable autodetected eddsa algorithm ED448
+- Disable often failing unit test random_test
+
+* Sun Jan 27 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-2.P1
+- Update to 9.11.5-P1
+- dig prints ASCII name instead of failure (#1647829)
+- disable IDN output from scripts
+- Update project URL
+- Removed revoked KSK 19164 from trusted keys
- * Sun Jan 27 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-1
- - Update to 9.11.5
+ * Thu Feb 21 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-11.P1
+ - Disable often failing unit test random_test
+
+ * Thu Feb 21 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-10.P1
+ - Disable autodetected eddsa algorithm ED448
+
+ * Thu Jan 31 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-9.P1
+ - dig prints ASCII name instead of failure (#1647829)
+ - disable IDN output from scripts
+ - Update project URL
+ - Removed revoked KSK 19164 from trusted keys
+
+ * Thu Jan 31 2019 Fedora Release Engineering <releng(a)fedoraproject.org> -
32:9.11.5-8.P1
+ - Rebuilt for
https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+ * Sun Jan 27 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-7.P1
+ - Update to 9.11.5-P1
+
+ * Wed Jan 23 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-6
- Reenable crypto rand for DHCP, disable just entropy check (#1663318)
+ * Thu Jan 17 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-5
+ - Move dnssec related tools from bind-utils to bind-dnssec-utils (#1649398)
+
+ * Wed Jan 16 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-4
+ - Reject invalid binary file (#1666814)
+
+ * Mon Jan 14 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-3
+ - Disable crypto rand for DHCP (#1663318)
+
+ * Thu Oct 25 2018 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-2
+ - Add optional support for JSON statistics
+ - Add optional DNSTAP support (#1564776), new dnstap-read tool
+
+ * Wed Oct 24 2018 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-1
+ - Update to 9.11.5
+
+* Mon Jan 14 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.4-13.P2
+- Disable crypto rand for DHCP (#1663318)
++- Enable json format in statistics-channel
+
* Tue Oct 02 2018 Petr Menk <pemensik(a)redhat.com> - 32:9.11.4-12.P2
- Add Requires to devel packages referenced by bind-devel
commit 36d37531c94aae8f885e664b03aacd5a4d9ecb6d
Author: Petr Menk <pemensik(a)redhat.com>
Date: Fri May 3 12:51:18 2019 +0200
Revert "Enable optional features by default"
This reverts commit ae423dfbebbd150c56df1c7c1954ac6ba3090bc8.
diff --git a/bind.spec b/bind.spec
index d80a7e0..f5ba390 100644
--- a/bind.spec
+++ b/bind.spec
@@ -18,7 +18,7 @@
%bcond_without LMDB
%bcond_without JSON
%bcond_without DNSTAP
-%bcond_without DLZ
+%bcond_with DLZ
%bcond_without EXPORT_LIBS
%if 0%{?fedora} >= 28
%bcond_without UNITTEST
@@ -1524,7 +1524,6 @@ fi;
* Thu Mar 14 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.6-2
- Fix dnstap and timer issues in unit test
-- Enable DLZ modules
* Tue Mar 05 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.6-1
- Update to 9.11.6
commit 4b42a5c16289817095b3ed990fca5a83153a8baf
Author: Petr Menk <pemensik(a)redhat.com>
Date: Thu May 2 14:49:56 2019 +0200
5200. [security] tcp-clients settings could be exceeded in some cases,
which could lead to exhaustion of file descriptors.
(CVE-2018-5743) [GL #615]
diff --git a/.gitignore b/.gitignore
index 4c7e54a..9775b64 100644
--- a/.gitignore
+++ b/.gitignore
@@ -91,3 +91,4 @@ bind-9.7.2b1.tar.gz
/config-19.tar.bz2
/bind-9.11.5-P4.tar.gz
/bind-9.11.6.tar.gz
+/bind-9.11.6-P1.tar.gz
diff --git a/bind-9.11-CVE-2018-5741-atomic.patch b/bind-9.11-CVE-2018-5741-atomic.patch
new file mode 100644
index 0000000..cfbded6
--- /dev/null
+++ b/bind-9.11-CVE-2018-5741-atomic.patch
@@ -0,0 +1,132 @@
+From ef49780d30d3ddc5735cfc32561b678a634fa72f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej(a)sury.org>
+Date: Wed, 17 Apr 2019 15:22:27 +0200
+Subject: [PATCH] Replace atomic operations in bin/named/client.c with
+ isc_refcount reference counting
+
+---
+ bin/named/client.c | 18 +++++++-----------
+ bin/named/include/named/interfacemgr.h | 5 +++--
+ bin/named/interfacemgr.c | 7 +++++--
+ 3 files changed, 15 insertions(+), 15 deletions(-)
+
+diff --git a/bin/named/client.c b/bin/named/client.c
+index 845326abc0..29fecadca8 100644
+--- a/bin/named/client.c
++++ b/bin/named/client.c
+@@ -402,12 +402,10 @@ tcpconn_detach(ns_client_t *client) {
+ static void
+ mark_tcp_active(ns_client_t *client, bool active) {
+ if (active && !client->tcpactive) {
+- isc_atomic_xadd(&client->interface->ntcpactive, 1);
++ isc_refcount_increment0(&client->interface->ntcpactive, NULL);
+ client->tcpactive = active;
+ } else if (!active && client->tcpactive) {
+- uint32_t old =
+- isc_atomic_xadd(&client->interface->ntcpactive, -1);
+- INSIST(old > 0);
++ isc_refcount_decrement(&client->interface->ntcpactive, NULL);
+ client->tcpactive = active;
+ }
+ }
+@@ -554,7 +552,7 @@ exit_check(ns_client_t *client) {
+ if (client->mortal && TCP_CLIENT(client) &&
+ client->newstate != NS_CLIENTSTATE_FREED &&
+ !ns_g_clienttest &&
+- isc_atomic_xadd(&client->interface->ntcpaccepting, 0) == 0)
++ isc_refcount_current(&client->interface->ntcpaccepting) == 0)
+ {
+ /* Nobody else is accepting */
+ client->mortal = false;
+@@ -3328,7 +3326,6 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
+ isc_result_t result;
+ ns_client_t *client = event->ev_arg;
+ isc_socket_newconnev_t *nevent = (isc_socket_newconnev_t *)event;
+- uint32_t old;
+
+ REQUIRE(event->ev_type == ISC_SOCKEVENT_NEWCONN);
+ REQUIRE(NS_CLIENT_VALID(client));
+@@ -3348,8 +3345,7 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
+ INSIST(client->naccepts == 1);
+ client->naccepts--;
+
+- old = isc_atomic_xadd(&client->interface->ntcpaccepting, -1);
+- INSIST(old > 0);
++ isc_refcount_decrement(&client->interface->ntcpaccepting, NULL);
+
+ /*
+ * We must take ownership of the new socket before the exit
+@@ -3480,8 +3476,8 @@ client_accept(ns_client_t *client) {
+ * quota is tcp-clients plus the number of listening
+ * interfaces plus 1.)
+ */
+- exit = (isc_atomic_xadd(&client->interface->ntcpactive, 0) >
+- (client->tcpactive ? 1 : 0));
++ exit = (isc_refcount_current(&client->interface->ntcpactive) >
++ (client->tcpactive ? 1U : 0U));
+ if (exit) {
+ client->newstate = NS_CLIENTSTATE_INACTIVE;
+ (void)exit_check(client);
+@@ -3539,7 +3535,7 @@ client_accept(ns_client_t *client) {
+ * listening for connections itself to prevent the interface
+ * going dead.
+ */
+- isc_atomic_xadd(&client->interface->ntcpaccepting, 1);
++ isc_refcount_increment0(&client->interface->ntcpaccepting, NULL);
+ }
+
+ static void
+diff --git a/bin/named/include/named/interfacemgr.h
b/bin/named/include/named/interfacemgr.h
+index 3535ef22a8..6e10f210fd 100644
+--- a/bin/named/include/named/interfacemgr.h
++++ b/bin/named/include/named/interfacemgr.h
+@@ -45,6 +45,7 @@
+ #include <isc/magic.h>
+ #include <isc/mem.h>
+ #include <isc/socket.h>
++#include <isc/refcount.h>
+
+ #include <dns/result.h>
+
+@@ -75,11 +76,11 @@ struct ns_interface {
+ /*%< UDP dispatchers. */
+ isc_socket_t * tcpsocket; /*%< TCP socket. */
+ isc_dscp_t dscp; /*%< "listen-on" DSCP value */
+- int32_t ntcpaccepting; /*%< Number of clients
++ isc_refcount_t ntcpaccepting; /*%< Number of clients
+ ready to accept new
+ TCP connections on this
+ interface */
+- int32_t ntcpactive; /*%< Number of clients
++ isc_refcount_t ntcpactive; /*%< Number of clients
+ servicing TCP queries
+ (whether accepting or
+ connected) */
+diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c
+index d9f6df5802..135533be6b 100644
+--- a/bin/named/interfacemgr.c
++++ b/bin/named/interfacemgr.c
+@@ -386,8 +386,8 @@ ns_interface_create(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr,
+ * connections will be handled in parallel even though there is
+ * only one client initially.
+ */
+- ifp->ntcpaccepting = 0;
+- ifp->ntcpactive = 0;
++ isc_refcount_init(&ifp->ntcpaccepting, 0);
++ isc_refcount_init(&ifp->ntcpactive, 0);
+
+ ifp->nudpdispatch = 0;
+
+@@ -618,6 +618,9 @@ ns_interface_destroy(ns_interface_t *ifp) {
+
+ ns_interfacemgr_detach(&ifp->mgr);
+
++ isc_refcount_destroy(&ifp->ntcpactive);
++ isc_refcount_destroy(&ifp->ntcpaccepting);
++
+ ifp->magic = 0;
+ isc_mem_put(mctx, ifp, sizeof(*ifp));
+ }
+--
+2.18.1
+
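Review bot: The two `isc_refcount_destroy()` calls added to `ns_interface_destroy()` bring a precondition that nothing in the patch states: if this helper asserts a zero count, as it appears to do in libisc (not visible here), an interface torn down while `ntcpactive` or `ntcpaccepting` is still non-zero now aborts named instead of passing silently. That is a reasonable fail-fast choice, but on the TCP client accounting path it deserves a comment above the calls, for example `/* every TCP client must have released its count by now; a non-zero counter here is a bug */`. The same applies to the removed `INSIST(old > 0)` checks in `mark_tcp_active()` and `client_newconn()`: underflow detection now rests on `isc_refcount_decrement()`, which should be confirmed against the libisc version being built. Only fragments of each function are visible in this embedded patch.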
diff --git a/bind-9.11-rt46047.patch b/bind-9.11-rt46047.patch
index 1f40a16..c5725f7 100644
--- a/bind-9.11-rt46047.patch
+++ b/bind-9.11-rt46047.patch
@@ -1,4 +1,4 @@
-From 2b7a633f29c2ae8fe801f2a98541013837ebaeaa Mon Sep 17 00:00:00 2001
+From 55e649d82a1adc5209738fb8402624f03287ca87 Mon Sep 17 00:00:00 2001
From: Evan Hunt <each(a)isc.org>
Date: Thu, 28 Sep 2017 10:09:22 -0700
Subject: [PATCH] completed and corrected the crypto-random change
@@ -39,14 +39,14 @@ Subject: [PATCH] completed and corrected the crypto-random change
bin/tests/system/tkey/keycreate.c | 4 +-
bin/tests/system/tkey/keydelete.c | 4 +-
doc/arm/Bv9ARM-book.xml | 55 +++++++++++++++++-------
- doc/arm/notes.xml | 26 +++++++++++
+ doc/arm/notes.xml | 31 +++++++++++++
lib/dns/dst_api.c | 4 +-
lib/dns/include/dst/dst.h | 14 +++++-
lib/dns/openssl_link.c | 3 +-
lib/isc/include/isc/entropy.h | 50 +++++++++++++++------
lib/isc/include/isc/random.h | 28 +++++++-----
lib/isccfg/namedconf.c | 2 +-
- 22 files changed, 220 insertions(+), 107 deletions(-)
+ 22 files changed, 225 insertions(+), 107 deletions(-)
diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c
index 295e16f..0f79aa8 100644
@@ -140,10 +140,10 @@ index 31a99e7..38c83ed 100644
usekeyboard);
diff --git a/bin/named/client.c b/bin/named/client.c
-index d425df2..7ab3dec 100644
+index ce24670..0ce02a9 100644
--- a/bin/named/client.c
+++ b/bin/named/client.c
-@@ -1609,7 +1609,8 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message,
+@@ -1754,7 +1754,8 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message,
isc_buffer_init(&buf, cookie, sizeof(cookie));
isc_stdtime_get(&now);
@@ -241,7 +241,7 @@ index f5ed2b7..b2c1d05 100644
struct ns_altsecret {
diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c
-index 419927b..d721f47 100644
+index d9f6df5..662eb6c 100644
--- a/bin/named/interfacemgr.c
+++ b/bin/named/interfacemgr.c
@@ -17,6 +17,7 @@
@@ -436,7 +436,7 @@ index 2146f9b..ac2c311 100644
}
#endif
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
-index dd5365c..1a463b0 100644
+index bb79723..888959c 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -5071,22 +5071,45 @@ badresp:1,adberr:0,findfail:0,valfail:0]
@@ -502,13 +502,15 @@ index dd5365c..1a463b0 100644
</listitem>
</varlistentry>
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
-index ad4b34c..2685b8e 100644
+index ba9a7cf..c0256f1 100644
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
-@@ -229,6 +229,32 @@
- is used from the shell scripts.
- </para>
- </listitem>
+@@ -117,6 +117,37 @@
+ </itemizedlist>
+ </section>
+
++ <section xml:id="relnotes_rh_changes"><info><title>Red Hat
Specific Changes</title></info>
++ <itemizedlist>
+ <listitem>
+ <para>
+ By default, BIND now uses the random number generation functions
@@ -535,9 +537,12 @@ index ad4b34c..2685b8e 100644
+ entropy source. [RT #31459] [RT #46047]
+ </para>
+ </listitem>
- </itemizedlist>
- </section>
-
++ </itemizedlist>
++ </section>
++
+ <section xml:id="end_of_life"><info><title>End of
Life</title></info>
+ <para>
+ BIND 9.11 (Extended Support Version) will be supported until at
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index b55ebe0..d2b43d3 100644
--- a/lib/dns/dst_api.c
diff --git a/bind-9.11.6-P1.tar.gz.asc b/bind-9.11.6-P1.tar.gz.asc
new file mode 100644
index 0000000..53b9403
--- /dev/null
+++ b/bind-9.11.6-P1.tar.gz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABAgAdFiEEFWiQaF6g32oTce8gF8xdsfAIhAcFAlysrg0ACgkQF8xdsfAI
+hAc4qQ/6A2odUTpjuaPQK/ziTD8UpJXyqFr5rZ+Qx3+wAA7XcFF6rviRwQ1dULu/
+AmQVhAWeXHa15ruFVFJZoovnRoKYUZLOtvTrcfJkHG0MwBivEpJ/rcOLlOWhAHeG
+N6q5teyOrG1kCXNcS8uGHqzm+QfMA3xCUqCpYHWOtZ60I9T3O+8Y6Xyzb+oc6+CY
+w1pXeq0doJa9tFnZpVvhCPTol4LPL8KkTLoMmpRA5dRMrVYH3f45fdixABn3HSFx
+Ea/CiMeGvIfZI0X119Txufw2Yi8/NMicf/iZBEmvvHUG49/tFX2Vmj4sxUkL4gY/
+qqXEkD7oQsVEUj3X12ITyOqj6CtfiJcOgJIzTVas3vD4QR51nRSY+IGYuH7zQUSf
+qVSCFKdLY2NlRwK6VSBVOxN5Ye31qwPEok6WgGgBy2+mWY+FvAm4Z4sIBeyX2QT/
+A0+42GuFErMne7Ppd9Pb+cCKhaIDC4i3vM/lA8kvMvhz+peqKux6MbD9Ab79hSuV
+HCZzAzFPsuaHxP1m6wRWYgeGUZWA89uTbwGa5iiAmiXXqhHswzxBCgfKXyUjuObn
+pH+XTeZ59qTgQZT3bdyj0QrmCM0JfvFEt2OkuBIDvAnoVcb0smyLrizYaZLo+0of
+6OLW76WW2GSjzvfT4RlDP5B3ns3PdjrCKaKji3aIUD7G/oYr7zA=
+=TsjB
+-----END PGP SIGNATURE-----
diff --git a/bind-9.11.6.tar.gz.asc
b/bind-9.11.6.tar.gz.asc
deleted file mode 100644
index 02ebf56..0000000
--- a/bind-9.11.6.tar.gz.asc
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Comment: GPGTools -
http://gpgtools.org
-
-iQIzBAABAgAdFiEEFWiQaF6g32oTce8gF8xdsfAIhAcFAlx4dTcACgkQF8xdsfAI
-hAc9QA/9FaZaH6OxWxjxdU2VdTzZzrxIn5VcTnrSLzeKapBgfH22dmmJZBPHqkCE
-uch+d4eWH3CwcVjDs5auW7o69q0KnUDObpg1aGXVjRnBHKyH88Ziny4sd1kMXcZz
-lk3HW3Cl+WQBxrA3l+QUQrW+IYIUM36ZpkMxbvgZOwGj8H8rzUjeszDqY86JH/QF
-7RekyZwQ/Mb21sJTNntYufOn1KnKm4WZ52jihLVEaNLzQQLRxPIajSOVo+77LPpI
-SJWo+iH4vz+5jEQUhDQ1eivDaKxRj/LcrVHQLB9JgCM+ZiRvxZRwqs6mANfDnpke
-Ohzwf9Lh255bfq3xNQLYwwDbUpQ8JoEQ91Qw6F1MQ/32uhiBlUnWd2Yua22oSlOg
-IcjXYW9i23Zyuuf1GLIENNaXNnVgxM44mmxQh0/Okf7Npake4kxKGEGtPkAdbWUk
-NSghxHu8/0h5rwth7Rox4mWvp1vjRMjOGAjqMr5eVjXvFnFSazkY47fmliZCTDFm
-O3Otqib4Z35hvXOZJvTIP/IOfjo4g3zNVcfxQHNCpyRSKqBs1smWPc3VbwlOr/nI
-g/BxY595ylLIW7Ln46/3mkqZJPQO5F8AqQ+YPr+6ts908qQbA+P8nXRrZ/tcxFaM
-N+LbjmvgzCtbReoKhS17PdTDqu8p61LIDdrtxZP02Fr4fcIRRQk=
-=uY61
------END PGP SIGNATURE-----
diff --git a/bind.spec b/bind.spec
index 870da24..d80a7e0 100644
--- a/bind.spec
+++ b/bind.spec
@@ -2,7 +2,7 @@
# Red Hat BIND package .spec file
#
-#%%global PATCHVER P4
+%global PATCHVER P1
#%%global PREVER rc1
%global BINDVERSION %{version}%{?PREVER}%{?PATCHVER:-%{PATCHVER}}
@@ -53,7 +53,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name
System) serv
Name: bind
License: MPLv2.0
Version: 9.11.6
-Release: 2%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
+Release: 3%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
Epoch: 32
Url:
https://www.isc.org/downloads/bind/
#
@@ -141,6 +141,7 @@ Patch171:bind-9.11-tests-variants.patch
Patch172:bind-9.11-tests-pkcs11.patch
Patch173: bind-9.11-unit-dnstap-pkcs11.patch
Patch174: bind-9.11-unit-timer-nothread.patch
+Patch175: bind-9.11-CVE-2018-5741-atomic.patch
# SDB patches
Patch11: bind-9.3.2b2-sdbsrc.patch
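Review bot: `Patch175: bind-9.11-CVE-2018-5741-atomic.patch` names CVE-2018-5741, while the commit subject and the `%changelog` entry added further down both cite CVE-2018-5743. The same identifier is repeated in the new patch's file name and in `%patch175 -p1 -b .CVE-2018-5741-atomic` in the next hunk. If 5743 is the intended ID, renaming consistently (`Patch175: bind-9.11-CVE-2018-5743-atomic.patch`, `-b .CVE-2018-5743-atomic`) keeps a search for the CVE from missing this patch. Otherwise a comment above the `Patch175` line should say how the patch relates to the fix.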
@@ -523,6 +524,7 @@ are used for building ISC DHCP.
%patch172 -p1 -b .test-pkcs11
%patch173 -p1 -b .unit-dnstap
%patch174 -p1 -b .unit-timer
+%patch175 -p1 -b .CVE-2018-5741-atomic
mkdir lib/dns/tests/testdata/dstrandom
cp -a %{SOURCE50} lib/dns/tests/testdata/dstrandom/random.data
@@ -1517,6 +1519,9 @@ fi;
%changelog
+* Thu May 02 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.6-3.P1
+- Fix inefective limit of TCP clients (CVE-2018-5743)
+
* Thu Mar 14 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.6-2
- Fix dnstap and timer issues in unit test
- Enable DLZ modules
diff --git a/sources b/sources
index cae8504..413be45 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (bind-9.11.6.tar.gz) =
17a76ad4aafddeb86e330c4ca9b5fecb8df9e1109df4ff8d7a31d1da406f2597050d569460529b710f213360642842fcb9bdaa4eb79be10fcb093872fe75fdfd
+SHA512 (bind-9.11.6-P1.tar.gz) =
419aeeddeab7aef818b9043db7b21a847993444f663dca04e58ee97a0ebee0610cbc5a9422d17a6f0ee5d44598a2cbb5651e3b4e8c56708eaf923dca0a5c4c03
SHA512 (config-19.tar.bz2) =
36aa38a0c7c33267ae594b31c81681290ac58dde7ca6749bd599da531380b5b1428330813dbe983e01071ccaed83e83f6a9cd92179a53b7d0ccbb6851a0b017c
commit 7232bc0a99a7f55d9b5b41e2fb0b901dc0af7623
Author: Petr Menk <pemensik(a)redhat.com>
Date: Tue Apr 9 21:22:46 2019 +0200
Attempt to use rich dependencies
The SELinux boolean should be set only if the given SELinux policy is
installed. Do not require it inside containers.
diff --git a/bind.spec b/bind.spec
index 494c5e9..870da24 100644
--- a/bind.spec
+++ b/bind.spec
@@ -164,9 +164,10 @@ Obsoletes: caching-nameserver < 31:9.4.1-7.fc8
Provides: caching-nameserver = 31:9.4.1-7.fc8
Obsoletes: dnssec-conf < 1.27-2
Provides: dnssec-conf = 1.27-2
-Requires(post): policycoreutils-python-utils
-Requires(post): libselinux-utils
-Requires(post): selinux-policy
+# This wild require should satisfy %selinux_set_boolean macro only
+# in case it needs to be used
+Requires(post): ((policycoreutils-python-utils and libselinux-utils) if
(selinux-policy-targeted or selinux-policy-mls))
+Requires(post): ((selinux-policy and selinux-policy-base) if (selinux-policy-targeted or
selinux-policy-mls))
Recommends: bind-utils bind-dnssec-utils
BuildRequires: gcc, make
BuildRequires: openssl-devel, libtool, autoconf, pkgconfig, libcap-devel
@@ -1029,7 +1030,10 @@ fi;
%post
%?ldconfig
-%selinux_set_booleans %{selinuxbooleans}
+if -e %{_sysconfdir}/selinux/config; then
+ %selinux_set_booleans -s targeted %{selinuxbooleans}
+ %selinux_set_booleans -s mls %{selinuxbooleans}
+fi
if [ "$1" -eq 1 ]; then
# Initial installation
[ -x /sbin/restorecon ] && /sbin/restorecon /etc/rndc.* /etc/named.*
>/dev/null 2>&1 ;
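Review bot: `if -e %{_sysconfdir}/selinux/config; then` in `%post` is not a file test: the shell tries to run a command named `-e`, that fails, and the branch is never taken, so neither `%selinux_set_booleans` line runs. It should read `if [ -e %{_sysconfdir}/selinux/config ]; then`. The identical line added to `%postun` in the next hunk needs the same fix, otherwise the booleans are never unset either. The failure is easy to miss because the scriptlet still exits successfully, leaving named installed without the SELinux booleans the package intends to set.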
@@ -1061,9 +1065,12 @@ fi
%postun
%?ldconfig
-%selinux_unset_booleans %{selinuxbooleans}
# Package upgrade, not uninstall
%systemd_postun_with_restart named.service
+if -e %{_sysconfdir}/selinux/config; then
+ %selinux_unset_booleans -s targeted %{selinuxbooleans}
+ %selinux_unset_booleans -s mls %{selinuxbooleans}
+fi
%if %{with SDB}
%post sdb
commit e2a32c8eca6d490dabddf043aa8c79fa64379cf8
Author: Petr Menk <pemensik(a)redhat.com>
Date: Tue Apr 9 20:27:00 2019 +0200
Revert shell change to /bin/false
diff --git a/bind.spec b/bind.spec
index 42e0345..494c5e9 100644
--- a/bind.spec
+++ b/bind.spec
@@ -1023,7 +1023,7 @@ install -m 644 %{SOURCE43}
${RPM_BUILD_ROOT}%{_sysconfdir}/rwtab.d/named
%pre
if [ "$1" -eq 1 ]; then
/usr/sbin/groupadd -g %{bind_gid} -f -r named >/dev/null 2>&1 || :;
- /usr/sbin/useradd -u %{bind_uid} -r -N -M -g named -s /bin/false -d /var/named -c
Named named >/dev/null 2>&1 || :;
+ /usr/sbin/useradd -u %{bind_uid} -r -N -M -g named -s /sbin/nologin -d /var/named -c
Named named >/dev/null 2>&1 || :;
fi;
:;
@@ -1038,8 +1038,8 @@ if [ "$1" -eq 1 ]; then
[ -e /etc/rndc.key ] && chmod 0640 /etc/rndc.key
else
# Upgrade, use invalid shell
- if getent passwd named | grep ':/sbin/nologin$' >/dev/null; then
- usermod -s /bin/false named
+ if getent passwd named | grep ':/bin/false$' >/dev/null; then
+ /sbin/usermod -s /sbin/nologin named
fi
# Checkconf will parse out comments
if /usr/sbin/named-checkconf -p /etc/named.conf 2>/dev/null | grep -q
named.iscdlv.key
commit ae423dfbebbd150c56df1c7c1954ac6ba3090bc8
Author: Petr Menk <pemensik(a)redhat.com>
Date: Mon Oct 15 17:25:58 2018 +0200
Enable optional features by default
diff --git a/bind.spec b/bind.spec
index 4adb395..42e0345 100644
--- a/bind.spec
+++ b/bind.spec
@@ -18,7 +18,7 @@
%bcond_without LMDB
%bcond_without JSON
%bcond_without DNSTAP
-%bcond_with DLZ
+%bcond_without DLZ
%bcond_without EXPORT_LIBS
%if 0%{?fedora} >= 28
%bcond_without UNITTEST
@@ -1512,6 +1512,7 @@ fi;
%changelog
* Thu Mar 14 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.6-2
- Fix dnstap and timer issues in unit test
+- Enable DLZ modules
* Tue Mar 05 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.6-1
- Update to 9.11.6
commit 16bdca79ba1b743352dab537c8f5404f8ee7affb
Author: Petr Menk <pemensik(a)redhat.com>
Date: Thu Mar 14 21:23:31 2019 +0100
Workaround to broken kyua handling of empty test
Also filter the subdirectories used: for export-libs, run tests only for
the libraries that were compiled.
diff --git a/bind-9.11-unit-timer-nothread.patch b/bind-9.11-unit-timer-nothread.patch
new file mode 100644
index 0000000..f913724
--- /dev/null
+++ b/bind-9.11-unit-timer-nothread.patch
@@ -0,0 +1,49 @@
+From c88ba11ced1311e91a73ffdf42114ed14a805725 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik(a)redhat.com>
+Date: Thu, 14 Mar 2019 21:05:34 +0100
+Subject: [PATCH] Workaround to kyua bug
+
+Kyua 0.13 is not able to correctly handle whole test skipping.
+Make workaround to it, include skipping message.
+---
+ lib/isc/tests/timer_test.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/lib/isc/tests/timer_test.c b/lib/isc/tests/timer_test.c
+index f69f2b3..050cf6d 100644
+--- a/lib/isc/tests/timer_test.c
++++ b/lib/isc/tests/timer_test.c
+@@ -573,14 +573,13 @@ purge(void **state) {
+
+ int
+ main(int argc, char **argv) {
+- const struct CMUnitTest tests[] = {
+ #ifdef ISC_PLATFORM_USETHREADS
++ const struct CMUnitTest tests[] = {
+ cmocka_unit_test_setup_teardown(ticker, _setup, _teardown),
+ cmocka_unit_test_setup_teardown(once_life, _setup, _teardown),
+ cmocka_unit_test_setup_teardown(once_idle, _setup, _teardown),
+ cmocka_unit_test_setup_teardown(reset, _setup, _teardown),
+ cmocka_unit_test_setup_teardown(purge, _setup, _teardown),
+-#endif
+ };
+ int c;
+
+@@ -595,6 +594,14 @@ main(int argc, char **argv) {
+ }
+
+ return (cmocka_run_group_tests(tests, NULL, NULL));
++#else
++ UNUSED(argc);
++ UNUSED(argv);
++ UNUSED(verbose);
++
++ printf("1..0 # Skipped: threads disabled\n");
++ return (0);
++#endif
+ }
+
+ #else /* HAVE_CMOCKA */
+--
+2.20.1
+
diff --git a/bind.spec b/bind.spec
index 286613f..4adb395 100644
--- a/bind.spec
+++ b/bind.spec
@@ -140,6 +140,7 @@ Patch170:bind-9.11-feature-test-named.patch
Patch171:bind-9.11-tests-variants.patch
Patch172:bind-9.11-tests-pkcs11.patch
Patch173: bind-9.11-unit-dnstap-pkcs11.patch
+Patch174: bind-9.11-unit-timer-nothread.patch
# SDB patches
Patch11: bind-9.3.2b2-sdbsrc.patch
@@ -520,6 +521,7 @@ are used for building ISC DHCP.
%patch171 -p1 -b .test-variant
%patch172 -p1 -b .test-pkcs11
%patch173 -p1 -b .unit-dnstap
+%patch174 -p1 -b .unit-timer
mkdir lib/dns/tests/testdata/dstrandom
cp -a %{SOURCE50} lib/dns/tests/testdata/dstrandom/random.data
@@ -768,9 +770,15 @@ popd
# export library unit tests
%unit_prepare_build export-libs
-# Do not try pkcs11 and lwres in export libs
-sed -e '/^\s*include(.*-pkcs11/ d' -e '/^\s*include(.*lwres/ d' \
- -i export-libs/lib/Kyuafile
+# Test just compiled libraries
+for lib in %{bind_export_libs}
+do
+ sed -e "s,^\s*include(.*${lib}/.*,-- use &," \
+ -i export-libs/lib/Kyuafile
+done
+
+sed -e "/^\s*include(/ d" -e 's/^-- use //' \
+ -i export-libs/lib/Kyuafile
## End of export libs
%endif
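Review bot: The second `sed` deletes every `include(` line the loop did not mark, so if no entry in `export-libs/lib/Kyuafile` matches a name from `%{bind_export_libs}`, the file is left with no test programs. The export-libs unit run would then presumably succeed without testing anything. A guard after the rewrite, for example `grep -q '^\s*include(' export-libs/lib/Kyuafile || exit 1`, turns that case into a build failure. The mark-then-unmark step is not obvious and should carry a comment, e.g. `# prefix wanted includes with '-- use ', drop the remaining includes, then strip the prefix`. `${lib}` is spliced into the regex unescaped, which is only safe while the library names contain no regex metacharacters.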
@@ -1503,7 +1511,7 @@ fi;
%changelog
* Thu Mar 14 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.6-2
-- Fix dnstap issue in unit test once again
+- Fix dnstap and timer issues in unit test
* Tue Mar 05 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.6-1
- Update to 9.11.6
commit 812f6fb3361f58fcb29f14dc903d1994f4ab4afa
Author: Petr Menk <pemensik(a)redhat.com>
Date: Thu Mar 14 15:59:22 2019 +0100
Fix dnstap unit test issue with pkcs11
diff --git a/bind-9.11-unit-dnstap-pkcs11.patch b/bind-9.11-unit-dnstap-pkcs11.patch
new file mode 100644
index 0000000..60cc1cd
--- /dev/null
+++ b/bind-9.11-unit-dnstap-pkcs11.patch
@@ -0,0 +1,38 @@
+From dca9eea70cb33062905aefc389266da931e9d0d6 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik(a)redhat.com>
+Date: Thu, 14 Mar 2019 15:48:37 +0100
+Subject: [PATCH] Set TZ again before dns library is initialized
+
+PKCS11 uses it, initializes TZ offset from dst init. Setting environment
+in test is too late since use of cmocka.
+---
+ lib/dns/tests/dnstap_test.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/lib/dns/tests/dnstap_test.c b/lib/dns/tests/dnstap_test.c
+index 22d6dc3..5a60b12 100644
+--- a/lib/dns/tests/dnstap_test.c
++++ b/lib/dns/tests/dnstap_test.c
+@@ -309,9 +309,6 @@ totext_test(void **state) {
+
+ UNUSED(state);
+
+- /* make sure text conversion gets the right local time */
+- setenv("TZ", "PST8", 1);
+-
+ result = dns_dt_open(TAPSAVED, dns_dtmode_file, mctx, &handle);
+ assert_int_equal(result, ISC_R_SUCCESS);
+
+@@ -378,6 +375,9 @@ main(void) {
+ cmocka_unit_test_setup_teardown(totext_test, _setup, _teardown),
+ };
+
++ /* make sure text conversion gets the right local time */
++ setenv("TZ", "PST8", 1);
++
+ return (cmocka_run_group_tests(tests, dns_test_init, dns_test_final));
+ #else
+ print_message("1..0 # Skip dnstap not enabled\n");
+--
+2.20.1
+
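Review bot: The comment moved into `main()` with `setenv("TZ", "PST8", 1)` still only says that text conversion needs the right local time. It does not say why the call now sits before `cmocka_run_group_tests(tests, dns_test_init, dns_test_final)`. Per the patch description the point is ordering, so reword it along the lines of `/* set TZ before dns_test_init: PKCS11 init reads the TZ offset; totext_test expects PST8 */`, otherwise a later cleanup may move the call back into `totext_test`. The result of `setenv` is also ignored; `if (setenv("TZ", "PST8", 1) != 0) return (1);` would make an environment failure visible instead of surfacing as a confusing text mismatch. Both `totext_test` and `main` start outside the visible hunks.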
diff --git a/bind.spec b/bind.spec
index 09544bb..286613f 100644
--- a/bind.spec
+++ b/bind.spec
@@ -53,7 +53,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name
System) serv
Name: bind
License: MPLv2.0
Version: 9.11.6
-Release: 1%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
+Release: 2%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
Epoch: 32
Url:
https://www.isc.org/downloads/bind/
#
@@ -139,6 +139,7 @@ Patch169:bind-9.11-feature-test-dlz.patch
Patch170:bind-9.11-feature-test-named.patch
Patch171:bind-9.11-tests-variants.patch
Patch172:bind-9.11-tests-pkcs11.patch
+Patch173: bind-9.11-unit-dnstap-pkcs11.patch
# SDB patches
Patch11: bind-9.3.2b2-sdbsrc.patch
@@ -518,6 +519,7 @@ are used for building ISC DHCP.
%patch170 -p1 -b .featuretest-named
%patch171 -p1 -b .test-variant
%patch172 -p1 -b .test-pkcs11
+%patch173 -p1 -b .unit-dnstap
mkdir lib/dns/tests/testdata/dstrandom
cp -a %{SOURCE50} lib/dns/tests/testdata/dstrandom/random.data
@@ -1500,6 +1502,9 @@ fi;
%changelog
+* Thu Mar 14 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.6-2
+- Fix dnstap issue in unit test once again
+
* Tue Mar 05 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.6-1
- Update to 9.11.6
commit 395fbedb17a3c94004e4118e393fd3a2697c6101
Author: Petr Menk <pemensik(a)redhat.com>
Date: Thu Mar 14 11:41:44 2019 +0100
Use libcmocka instead of libatf
Upstream no longer ships bundled libatf library and no longer uses ATF
in sources. kyua and cmocka are mandatory for unit tests now. Removes
--with KYUA, use --with UNITTEST on different builds when cmocka and
kyua are available.
diff --git a/bind.spec b/bind.spec
index bba50b9..09544bb 100644
--- a/bind.spec
+++ b/bind.spec
@@ -8,7 +8,6 @@
# bcond_without is built by default, unless --without X is passed
# bcond_with is built only when --with X is passed to build
-%bcond_without UNITTEST
%bcond_with SYSTEMTEST
%bcond_without SDB
%bcond_without GSSTSIG
@@ -21,10 +20,10 @@
%bcond_without DNSTAP
%bcond_with DLZ
%bcond_without EXPORT_LIBS
-%if 0%{?fedora} >= 17
-%bcond_without KYUA
+%if 0%{?fedora} >= 28
+%bcond_without UNITTEST
%else
-%bcond_with KYUA
+%bcond_with UNITTEST
%endif
%{?!bind_uid: %global bind_uid 25}
@@ -180,12 +179,9 @@ BuildRequires: findutils sed
BuildRequires: openldap-devel, libpq-devel, sqlite-devel, mariadb-connector-c-devel
BuildRequires: libdb-devel
%endif
-%if %{with KYUA}
+%if %{with UNITTEST}
# make unit dependencies
-BuildRequires: libatf-c-devel kyua
-%else
-# shipped atf library requires c++
-BuildRequires: gcc-c++
+BuildRequires: libcmocka-devel kyua
%endif
%if %{with PKCS11}
BuildRequires: softhsm
@@ -591,14 +587,6 @@ done
cp -Tuav bin/tests "%{1}/bin/tests/" \
cp -uv version "%{1}" \
-%if %{with KYUA}
-# Use system installed libatf-c library with kyua tool
-ATF_PATH=/usr
-%else
-# Disable tests, no longer shipped inside
-ATF_PATH=no
-%endif
-
export CFLAGS="$CFLAGS $RPM_OPT_FLAGS"
export CPPFLAGS="$CPPFLAGS -DDIG_SIGCHASE"
export STD_CDEFINES="$CPPFLAGS"
@@ -665,7 +653,7 @@ export LIBDIR_SUFFIX
--enable-dnstap \
%endif
%if %{with UNITTEST}
- --with-atf=${ATF_PATH} \
+ --with-cmocka \
%endif
--enable-fixed-rrset \
--with-docbook-xsl=%{_datadir}/sgml/docbook/xsl-stylesheets \
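Review bot: `--with-cmocka` is passed only inside `%if %{with UNITTEST}`, and nothing is passed to configure when the condition is off, both here and in the export-libs configure call in the next hunk. If configure probes for cmocka by default (not visible in this diff), a build root that happens to contain libcmocka-devel could still enable the unit tests despite `--without UNITTEST`. Adding an `%else` branch with `--without-cmocka \` to both calls makes the two outcomes explicit and the build reproducible. The configure invocation itself starts outside the hunk.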
@@ -737,7 +725,7 @@ export LIBDIR_SUFFIX
--disable-isc-spnego \
%endif
%if %{with UNITTEST}
- --with-atf=${ATF_PATH} \
+ --with-cmocka \
%endif
--enable-fixed-rrset \
--disable-rpz-nsip \
commit bcfdb893b9385e8f5747992db5e95531b46f8778
Author: Petr Menk <pemensik(a)redhat.com>
Date: Tue Mar 5 21:50:48 2019 +0100
So versions change
Requires rebuild of all dependent packages.
diff --git a/bind.spec b/bind.spec
index 510791e..bba50b9 100644
--- a/bind.spec
+++ b/bind.spec
@@ -45,7 +45,7 @@
#
# lib*.so.X versions of selected libraries
-%global sover_dns 1104
+%global sover_dns 1105
%global sover_isc 1100
%global sover_irs 161
%global sover_isccfg 163
commit 7bc8b1b992546e15ef00e4254405316059d83203
Author: Petr Menk <pemensik(a)redhat.com>
Date: Tue Mar 5 21:50:22 2019 +0100
Atf support was removed
cmocka is used instead. Unfortunately it is not packaged in Fedora yet.
diff --git a/bind.spec b/bind.spec
index ef1be71..510791e 100644
--- a/bind.spec
+++ b/bind.spec
@@ -581,10 +581,9 @@ done
# normal and pkcs11 unit tests
%define unit_prepare_build() \
- cp -uv Kyuafile Atffile "%{1}/" \
+ cp -uv Kyuafile "%{1}/" \
find lib -name 'K*.key' -exec cp -uv '{}' "%{1}/{}"
';' \
find lib -name 'Kyuafile' -exec cp -uv '{}' "%{1}/{}"
';' \
- find lib -name 'Atffile' -exec cp -uv '{}' "%{1}/{}"
';' \
find lib -name 'testdata' -type d -exec cp -Tav '{}'
"%{1}/{}" ';' \
find lib -name 'testkeys' -type d -exec cp -Tav '{}'
"%{1}/{}" ';' \
@@ -596,8 +595,8 @@ done
# Use system installed libatf-c library with kyua tool
ATF_PATH=/usr
%else
-# Use bundled atf library with atf-run
-ATF_PATH=yes
+# Disable tests, no longer shipped inside
+ATF_PATH=no
%endif
export CFLAGS="$CFLAGS $RPM_OPT_FLAGS"
@@ -698,16 +697,6 @@ pushd bin/python
make man
popd
-%if ! %{with KYUA}
-# Do not build atf again for export libs
-ATF_PATH="`pwd`/unit/atf"
-
-# Atf libs are built. Prevent their installation
-sed -i -e \
-'/^SUBDIRS =/s/atf-src//i' \
-unit/Makefile
-%endif
-
%if %{with DLZ}
pushd contrib/dlz
pushd bin/dlzbdb
@@ -776,10 +765,6 @@ sed -i -e \
"/^SUBDIRS =/s/.*/SUBDIRS = %{bind_export_libs}/i" \
lib/Makefile
-sed -i -e \
-'/^SUBDIRS =/s/atf-src//i' \
-unit/Makefile
-
for lib in %{bind_export_libs}
do
find . -name Makefile -exec sed "s/lib${lib}\./lib${lib}-export\./g"
-i {} \;
@@ -796,8 +781,6 @@ popd
# Do not try pkcs11 and lwres in export libs
sed -e '/^\s*include(.*-pkcs11/ d' -e '/^\s*include(.*lwres/ d' \
-i export-libs/lib/Kyuafile
-sed -e '/^tp:.*-pkcs11/ d' -e '/^tp:\s*lwres/ d' \
- -i export-libs/lib/Atffile
## End of export libs
%endif
commit 1e4169114ff7a8fee368f3e5d51104705aaff60f
Author: Petr Menk <pemensik(a)redhat.com>
Date: Tue Mar 5 21:49:26 2019 +0100
Adapted patches for new version
Removed patches that were merged upstream.
diff --git a/bind-9.10-dist-native-pkcs11.patch b/bind-9.10-dist-native-pkcs11.patch
index f5a6d78..bd8e74d 100644
--- a/bind-9.10-dist-native-pkcs11.patch
+++ b/bind-9.10-dist-native-pkcs11.patch
@@ -1,22 +1,3 @@
-From c6c0dc7addd8b27718247aa9c67e3cf3f80a8be3 Mon Sep 17 00:00:00 2001
-From: Petr Mensik <pemensik(a)redhat.com>
-Date: Fri, 1 Mar 2019 11:10:03 +0100
-Subject: [PATCH] bind-9.10-dist-native-pkcs11.patch
-
----
- bin/Makefile.in | 4 +--
- bin/dnssec-pkcs11/Makefile.in | 44 ++++++++++++++---------------
- bin/dnssec/Makefile.in | 2 +-
- bin/named-pkcs11/Makefile.in | 45 +++++++++++++----------------
- bin/named/Makefile.in | 2 +-
- bin/pkcs11/Makefile.in | 6 ++--
- configure.in | 53 +++++++++++++++++++++++++++--------
- lib/Makefile.in | 2 +-
- lib/dns-pkcs11/Makefile.in | 30 ++++++++++----------
- lib/isc-pkcs11/Makefile.in | 28 +++++++++---------
- make/includes.in | 10 +++++++
- 11 files changed, 129 insertions(+), 97 deletions(-)
-
diff --git a/bin/Makefile.in b/bin/Makefile.in
index f0c504a..ce7a2da 100644
--- a/bin/Makefile.in
@@ -318,11 +299,11 @@ index a058c91..d4b689a 100644
DEPLIBS = ${ISCDEPLIBS}
-diff --git a/configure.in b/configure.in
-index b2bb268..d9e0797 100644
---- a/configure.in
-+++ b/configure.in
-@@ -1109,12 +1109,14 @@ AC_SUBST(USE_GSSAPI)
+diff --git a/configure.ac b/configure.ac
+index 5e1ba8c..7aff0e6 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1070,12 +1070,14 @@ AC_SUBST(USE_GSSAPI)
AC_SUBST(DST_GSSAPI_INC)
AC_SUBST(DNS_GSSAPI_LIBS)
DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_LIBS"
@@ -337,7 +318,7 @@ index b2bb268..d9e0797 100644
#
# was --with-randomdev specified?
-@@ -1499,11 +1501,11 @@ fi
+@@ -1460,11 +1462,11 @@ fi
AC_MSG_CHECKING(for OpenSSL library)
OPENSSL_WARNING=
openssldirs="/usr /usr/local /usr/local/ssl /usr/pkg /usr/sfw"
@@ -354,7 +335,7 @@ index b2bb268..d9e0797 100644
if test "auto" = "$use_openssl"
then
-@@ -1516,6 +1518,7 @@ then
+@@ -1477,6 +1479,7 @@ then
fi
done
fi
@@ -362,7 +343,7 @@ index b2bb268..d9e0797 100644
OPENSSL_ECDSA=""
OPENSSL_GOST=""
OPENSSL_ED25519=""
-@@ -1537,11 +1540,10 @@ case "$with_gost" in
+@@ -1498,11 +1501,10 @@ case "$with_gost" in
;;
esac
@@ -377,7 +358,7 @@ index b2bb268..d9e0797 100644
CRYPTOLIB="pkcs11"
OPENSSLECDSALINKOBJS=""
OPENSSLECDSALINKSRCS=""
-@@ -1551,7 +1553,9 @@ case "$use_openssl" in
+@@ -1512,7 +1514,9 @@ case "$use_openssl" in
OPENSSLGOSTLINKSRCS=""
OPENSSLLINKOBJS=""
OPENSSLLINKSRCS=""
@@ -388,7 +369,7 @@ index b2bb268..d9e0797 100644
no)
AC_MSG_RESULT(no)
DST_OPENSSL_INC=""
-@@ -1583,7 +1587,7 @@ case "$use_openssl" in
+@@ -1544,7 +1548,7 @@ case "$use_openssl" in
If you do not want OpenSSL, use --without-openssl])
;;
*)
@@ -397,7 +378,7 @@ index b2bb268..d9e0797 100644
then
AC_MSG_RESULT()
AC_MSG_ERROR([OpenSSL and native PKCS11 cannot be used together.])
-@@ -2016,6 +2020,7 @@ AC_SUBST(OPENSSL_ED25519)
+@@ -1972,6 +1976,7 @@ AC_SUBST(OPENSSL_ED25519)
AC_SUBST(OPENSSL_GOST)
DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DST_OPENSSL_LIBS"
@@ -405,7 +386,7 @@ index b2bb268..d9e0797 100644
ISC_PLATFORM_WANTAES="#undef ISC_PLATFORM_WANTAES"
if test "yes" = "$with_aes"
-@@ -2334,6 +2339,7 @@ esac
+@@ -2295,6 +2300,7 @@ esac
AC_SUBST(PKCS11LINKOBJS)
AC_SUBST(PKCS11LINKSRCS)
AC_SUBST(CRYPTO)
@@ -413,7 +394,7 @@ index b2bb268..d9e0797 100644
AC_SUBST(PKCS11_ECDSA)
AC_SUBST(PKCS11_GOST)
AC_SUBST(PKCS11_ED25519)
-@@ -5406,8 +5412,11 @@ AC_CONFIG_FILES([
+@@ -5425,8 +5431,11 @@ AC_CONFIG_FILES([
bin/delv/Makefile
bin/dig/Makefile
bin/dnssec/Makefile
@@ -425,7 +406,7 @@ index b2bb268..d9e0797 100644
bin/nsupdate/Makefile
bin/pkcs11/Makefile
bin/python/Makefile
-@@ -5480,6 +5489,10 @@ AC_CONFIG_FILES([
+@@ -5499,6 +5508,10 @@ AC_CONFIG_FILES([
lib/dns/include/dns/Makefile
lib/dns/include/dst/Makefile
lib/dns/tests/Makefile
@@ -436,7 +417,7 @@ index b2bb268..d9e0797 100644
lib/irs/Makefile
lib/irs/include/Makefile
lib/irs/include/irs/Makefile
-@@ -5504,6 +5517,24 @@ AC_CONFIG_FILES([
+@@ -5523,6 +5536,24 @@ AC_CONFIG_FILES([
lib/isc/unix/include/Makefile
lib/isc/unix/include/isc/Makefile
lib/isc/unix/include/pkcs11/Makefile
@@ -475,7 +456,7 @@ index 81270a0..bcb5312 100644
@BIND9_MAKE_RULES@
diff --git a/lib/dns-pkcs11/Makefile.in b/lib/dns-pkcs11/Makefile.in
-index 4a8549e..6a19906 100644
+index 068bbac..d7f3d95 100644
--- a/lib/dns-pkcs11/Makefile.in
+++ b/lib/dns-pkcs11/Makefile.in
@@ -26,16 +26,16 @@ VERSION=@BIND9_VERSION@
@@ -638,6 +619,3 @@ index fa86ad1..3cfbe9f 100644
+
+DNS_PKCS11_INCLUDES = @BIND9_DNS_BUILDINCLUDE@ \
+ -I${top_srcdir}/lib/dns-pkcs11/include
---
-2.20.1
-
diff --git a/bind-9.10-sdb.patch b/bind-9.10-sdb.patch
index e087ad7..485e241 100644
--- a/bind-9.10-sdb.patch
+++ b/bind-9.10-sdb.patch
@@ -1,17 +1,3 @@
-From 09b71a1994d7ea3b299746167b6bcf24021edd76 Mon Sep 17 00:00:00 2001
-From: Petr Mensik <pemensik(a)redhat.com>
-Date: Thu, 28 Feb 2019 18:37:01 +0100
-Subject: [PATCH] bind-9.10-sdb.patch
-
----
- bin/Makefile.in | 4 +-
- bin/named-sdb/Makefile.in | 25 +++++-------
- bin/named-sdb/main.c | 83 +++++++++++++++++++++++++++++++++++++++
- bin/named/Makefile.in | 16 +++-----
- bin/sdb_tools/Makefile.in | 10 +++--
- configure.in | 3 ++
- 6 files changed, 110 insertions(+), 31 deletions(-)
-
diff --git a/bin/Makefile.in b/bin/Makefile.in
index ce7a2da..4e6a824 100644
--- a/bin/Makefile.in
@@ -102,7 +88,7 @@ index 04dea99..4ff053e 100644
@DLZ_DRIVER_RULES@
diff --git a/bin/named-sdb/main.c b/bin/named-sdb/main.c
-index 8cec1ad..de5e5bb 100644
+index 17f2daa..1bb9d79 100644
--- a/bin/named-sdb/main.c
+++ b/bin/named-sdb/main.c
@@ -93,6 +93,10 @@
@@ -309,11 +295,11 @@ index c7e0868..95ab742 100644
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zonetodb@EXEEXT@ ${DESTDIR}${sbindir}
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2sqlite@EXEEXT@ ${DESTDIR}${sbindir}
${INSTALL_DATA} ${srcdir}/zone2ldap.1 ${DESTDIR}${mandir}/man1/zone2ldap.1
-diff --git a/configure.in b/configure.in
-index c09c21a..e48bd2e 100644
---- a/configure.in
-+++ b/configure.in
-@@ -5417,6 +5417,8 @@ AC_CONFIG_FILES([
+diff --git a/configure.ac b/configure.ac
+index 8374385..0af9b71 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -5436,6 +5436,8 @@ AC_CONFIG_FILES([
bin/named/unix/Makefile
bin/named-pkcs11/Makefile
bin/named-pkcs11/unix/Makefile
@@ -322,7 +308,7 @@ index c09c21a..e48bd2e 100644
bin/nsupdate/Makefile
bin/pkcs11/Makefile
bin/python/Makefile
-@@ -5441,6 +5443,7 @@ AC_CONFIG_FILES([
+@@ -5460,6 +5462,7 @@ AC_CONFIG_FILES([
bin/python/isc/tests/dnskey_test.py
bin/python/isc/tests/policy_test.py
bin/rndc/Makefile
@@ -330,6 +316,3 @@ index c09c21a..e48bd2e 100644
bin/tests/Makefile
bin/tests/headerdep_test.sh
bin/tests/optional/Makefile
---
-2.20.1
-
diff --git a/bind-9.11-ed448-disable.patch b/bind-9.11-ed448-disable.patch
deleted file mode 100644
index 179f32f..0000000
--- a/bind-9.11-ed448-disable.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From e6bad0789c731f06de781997e33e864c71510ff2 Mon Sep 17 00:00:00 2001
-From: Petr Mensik <pemensik(a)redhat.com>
-Date: Thu, 21 Feb 2019 12:36:17 +0100
-Subject: [PATCH] Disable autodetected ED448 algorithm support
-
-Implementation is broken in bind, disabled also in more recent versions.
-Makes bin/tests/system/dnssec fail.
----
- configure.in | 9 +++++++--
- 1 file changed, 7 insertions(+), 2 deletions(-)
-
-diff --git a/configure.in b/configure.in
-index ca84ff3239..da4dd5f249 100644
---- a/configure.in
-+++ b/configure.in
-@@ -1917,6 +1917,9 @@ int main() {
- }
- ],
- [AC_MSG_RESULT(yes)
-+ # ED448 support is broken in BIND
-+ #
https://gitlab.isc.org/isc-projects/bind9/issues/225
-+ # disable if autodetected, can be enabled by --with-eddsa=all
- have_ed448="yes"],
- [AC_MSG_RESULT(no)
- have_ed448="no"],
-@@ -1929,8 +1932,10 @@ int main() {
- esac
- case $have_ed448 in
- yes)
-- AC_DEFINE(HAVE_OPENSSL_ED448, 1,
-- [Define if your OpenSSL version supports Ed448.])
-+ # ED448 support is broken in BIND
-+ #
https://gitlab.isc.org/isc-projects/bind9/issues/225
-+ # AC_DEFINE(HAVE_OPENSSL_ED448, 1,
-+ # [Define if your OpenSSL version supports Ed448.])
- ;;
- *)
- ;;
---
-2.20.1
-
diff --git a/bind-9.11-export-suffix.patch b/bind-9.11-export-suffix.patch
index e3ba29c..8703747 100644
--- a/bind-9.11-export-suffix.patch
+++ b/bind-9.11-export-suffix.patch
@@ -1,8 +1,8 @@
-diff --git a/configure.in b/configure.in
-index e6cd6a4..988b0a7 100644
---- a/configure.in
-+++ b/configure.in
-@@ -5116,6 +5116,8 @@ AC_SUBST(BUILD_CPPFLAGS)
+diff --git a/configure.ac b/configure.ac
+index c1bfd62..7c5ad51 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -5333,6 +5333,8 @@ AC_SUBST(BUILD_CPPFLAGS)
AC_SUBST(BUILD_LDFLAGS)
AC_SUBST(BUILD_LIBS)
@@ -12,10 +12,10 @@ index e6cd6a4..988b0a7 100644
# Commands to run at the end of config.status.
# Don't just put these into configure, it won't work right if somebody
diff --git a/isc-config.sh.in b/isc-config.sh.in
-index 110191a..5a64004 100644
+index b5e94ed..d2857e0 100644
--- a/isc-config.sh.in
+++ b/isc-config.sh.in
-@@ -12,16 +12,17 @@ prefix=@prefix@
+@@ -13,16 +13,17 @@ prefix=@prefix@
exec_prefix=@exec_prefix@
exec_prefix_set=
includedir=@includedir@
diff --git a/bind-9.11-feature-test-dlz.patch b/bind-9.11-feature-test-dlz.patch
index 2c06d9f..39e46c8 100644
--- a/bind-9.11-feature-test-dlz.patch
+++ b/bind-9.11-feature-test-dlz.patch
@@ -1,4 +1,4 @@
-From fe4074d27f642dd93afb5988a2edc7c173b22520 Mon Sep 17 00:00:00 2001
+From 71627db6c8852d7805ec559506f5f3cb8d89a131 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik(a)redhat.com>
Date: Wed, 30 Jan 2019 15:12:54 +0100
Subject: [PATCH] Support DLZ filesystem detection in feature-test
@@ -8,7 +8,7 @@ Do not use variable from configure to detect the feature.
bin/tests/system/Makefile.in | 2 +-
bin/tests/system/dlz/{prereq.sh.in => prereq.sh} | 2 +-
bin/tests/system/feature-test.c | 9 +++++++++
- configure.in | 1 -
+ configure.ac | 1 -
4 files changed, 11 insertions(+), 3 deletions(-)
rename bin/tests/system/dlz/{prereq.sh.in => prereq.sh} (91%)
@@ -42,7 +42,7 @@ index afec653..fb3328e 100644
exit 255
fi
diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c
-index 5eee6aa..78bd3b9 100644
+index 11863a3..428d107 100644
--- a/bin/tests/system/feature-test.c
+++ b/bin/tests/system/feature-test.c
@@ -51,6 +51,7 @@ usage() {
@@ -68,11 +68,11 @@ index 5eee6aa..78bd3b9 100644
if (strcmp(argv[1], "--ipv6only=no") == 0) {
#ifdef WIN32
return (0);
-diff --git a/configure.in b/configure.in
-index fc1ad41..b2bb268 100644
---- a/configure.in
-+++ b/configure.in
-@@ -5439,7 +5439,6 @@ AC_CONFIG_FILES([
+diff --git a/configure.ac b/configure.ac
+index fddc63a..5e1ba8c 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -5458,7 +5458,6 @@ AC_CONFIG_FILES([
bin/tests/pkcs11/benchmarks/Makefile
bin/tests/system/Makefile
bin/tests/system/conf.sh
diff --git a/bind-9.11-fips-code.patch b/bind-9.11-fips-code.patch
index f4973a6..1640b3e 100644
--- a/bind-9.11-fips-code.patch
+++ b/bind-9.11-fips-code.patch
@@ -1,4 +1,4 @@
-From 9fa0831af989818eb6f908815967590e56a19ab1 Mon Sep 17 00:00:00 2001
+From 9ff202072b286ef57e0ffcd7c55777f2994d3985 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik(a)redhat.com>
Date: Thu, 2 Aug 2018 23:34:45 +0200
Subject: [PATCH] FIPS code changes
@@ -96,36 +96,36 @@ Date: Mon Jan 22 07:21:04 2018 +0100
Add runtime detection whether MD5 is useable.
---
- bin/confgen/keygen.c | 10 ++++-
- bin/confgen/rndc-confgen.c | 32 ++++------------
- bin/dig/dig.c | 7 ++--
- bin/dig/dighost.c | 14 +++++--
- bin/dnssec/dnssec-keygen.c | 14 +++++++
- bin/named/config.c | 25 ++++++++++++-
- bin/nsupdate/nsupdate.c | 24 +++++++-----
+ bin/confgen/keygen.c | 10 +++-
+ bin/confgen/rndc-confgen.c | 32 ++++---------
+ bin/dig/dig.c | 7 +--
+ bin/dig/dighost.c | 14 ++++--
+ bin/dnssec/dnssec-keygen.c | 14 ++++++
+ bin/named/config.c | 25 +++++++++-
+ bin/nsupdate/nsupdate.c | 24 ++++++----
bin/rndc/rndc.c | 3 +-
- bin/tests/optional/hash_test.c | 78 ++++++++++++++++++++-------------------
+ bin/tests/optional/hash_test.c | 78 ++++++++++++++++---------------
bin/tests/system/tkey/keycreate.c | 3 ++
- bin/tests/system/tkey/keydelete.c | 17 ++++++---
- lib/bind9/check.c | 10 +++++
- lib/dns/dst_api.c | 23 ++++++++----
+ bin/tests/system/tkey/keydelete.c | 17 ++++---
+ lib/bind9/check.c | 10 ++++
+ lib/dns/dst_api.c | 23 ++++++---
lib/dns/dst_internal.h | 3 +-
- lib/dns/dst_parse.c | 18 +++++++--
- lib/dns/hmac_link.c | 18 ++-------
+ lib/dns/dst_parse.c | 18 +++++--
+ lib/dns/hmac_link.c | 18 ++-----
lib/dns/opensslrsa_link.c | 6 +++
- lib/dns/pkcs11rsa_link.c | 33 +++++++++++++++--
- lib/dns/rcode.c | 21 ++++++++++-
- lib/dns/tests/rsa_test.c | 29 ++++++++-------
+ lib/dns/pkcs11rsa_link.c | 33 +++++++++++--
+ lib/dns/rcode.c | 21 ++++++++-
+ lib/dns/tests/rsa_test.c | 4 ++
lib/dns/tests/tsig_test.c | 1 +
- lib/dns/tkey.c | 9 +++++
+ lib/dns/tkey.c | 9 ++++
lib/dns/tsec.c | 8 +++-
- lib/dns/tsig.c | 17 +++++----
+ lib/dns/tsig.c | 17 ++++---
lib/isc/include/isc/md5.h | 3 ++
- lib/isc/md5.c | 59 +++++++++++++++++++++++++++++
- lib/isc/pk11.c | 44 +++++++++++++++-------
- lib/isc/tests/hash_test.c | 9 +++--
- lib/isccc/cc.c | 42 +++++++++++++--------
- 29 files changed, 409 insertions(+), 171 deletions(-)
+ lib/isc/md5.c | 59 +++++++++++++++++++++++
+ lib/isc/pk11.c | 44 +++++++++++------
+ lib/isc/tests/hash_test.c | 9 ++++
+ lib/isccc/cc.c | 42 +++++++++++------
+ 29 files changed, 400 insertions(+), 155 deletions(-)
diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c
index 8931ad5..5015abb 100644
@@ -241,7 +241,7 @@ index 5ca3d76..6b7790a 100644
port = DEFAULT_PORT;
diff --git a/bin/dig/dig.c b/bin/dig/dig.c
-index 39f74be..597e830 100644
+index 2063a3b..8e856c5 100644
--- a/bin/dig/dig.c
+++ b/bin/dig/dig.c
@@ -20,6 +20,7 @@
@@ -252,7 +252,7 @@ index 39f74be..597e830 100644
#include <isc/netaddr.h>
#include <isc/parseint.h>
#include <isc/platform.h>
-@@ -1760,10 +1761,10 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
+@@ -1767,10 +1768,10 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
ptr = ptr2;
ptr2 = ptr3;
} else {
@@ -267,7 +267,7 @@ index 39f74be..597e830 100644
digestbits = 0;
}
diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
-index 1fa711a..341ed80 100644
+index 011b118..5eabc1f 100644
--- a/bin/dig/dighost.c
+++ b/bin/dig/dighost.c
@@ -80,6 +80,7 @@
@@ -339,7 +339,7 @@ index 1476d0d..f5c9316 100644
alg = DST_ALG_HMACMD5;
#else
diff --git a/bin/named/config.c b/bin/named/config.c
-index 2732a8f..2c4c93c 100644
+index 7584efb..a153172 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -18,6 +18,7 @@
@@ -350,7 +350,7 @@ index 2732a8f..2c4c93c 100644
#include <isc/mem.h>
#include <isc/parseint.h>
#include <isc/region.h>
-@@ -967,6 +968,21 @@ ns_config_getkeyalgorithm(const char *str, dns_name_t **name,
+@@ -969,6 +970,21 @@ ns_config_getkeyalgorithm(const char *str, dns_name_t **name,
return (ns_config_getkeyalgorithm2(str, name, NULL, digestbits));
}
@@ -372,7 +372,7 @@ index 2732a8f..2c4c93c 100644
isc_result_t
ns_config_getkeyalgorithm2(const char *str, dns_name_t **name,
unsigned int *typep, uint16_t *digestbits)
-@@ -976,7 +992,7 @@ ns_config_getkeyalgorithm2(const char *str, dns_name_t **name,
+@@ -978,7 +994,7 @@ ns_config_getkeyalgorithm2(const char *str, dns_name_t **name,
uint16_t bits;
isc_result_t result;
@@ -381,7 +381,7 @@ index 2732a8f..2c4c93c 100644
len = strlen(algorithms[i].str);
if (strncasecmp(algorithms[i].str, str, len) == 0 &&
(str[len] == '\0' ||
-@@ -999,7 +1015,12 @@ ns_config_getkeyalgorithm2(const char *str, dns_name_t **name,
+@@ -1001,7 +1017,12 @@ ns_config_getkeyalgorithm2(const char *str, dns_name_t **name,
if (name != NULL) {
switch (algorithms[i].hmac) {
#ifndef PK11_MD5_DISABLE
@@ -396,7 +396,7 @@ index 2732a8f..2c4c93c 100644
case hmacsha1: *name = dns_tsig_hmacsha1_name; break;
case hmacsha224: *name = dns_tsig_hmacsha224_name; break;
diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
-index 8d1da3b..5eefc57 100644
+index 548e0ce..509784c 100644
--- a/bin/nsupdate/nsupdate.c
+++ b/bin/nsupdate/nsupdate.c
@@ -31,6 +31,7 @@
@@ -622,7 +622,7 @@ index bde66a4..70a40c3 100644
dst_key_free(&dstkey);
CHECK("MD5 was disabled", ISC_R_NOTIMPLEMENTED);
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
-index d32a5a1..c749c27 100644
+index d6fba22..ac60ba8 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -23,6 +23,7 @@
@@ -633,7 +633,7 @@ index d32a5a1..c749c27 100644
#include <isc/mem.h>
#include <isc/netaddr.h>
#include <isc/parseint.h>
-@@ -2592,6 +2593,15 @@ bind9_check_key(const cfg_obj_t *key, isc_log_t *logctx) {
+@@ -2589,6 +2590,15 @@ bind9_check_key(const cfg_obj_t *key, isc_log_t *logctx) {
}
algorithm = cfg_obj_asstring(algobj);
@@ -650,7 +650,7 @@ index d32a5a1..c749c27 100644
len = strlen(algorithms[i].name);
if (strncasecmp(algorithms[i].name, algorithm, len) == 0 &&
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
-index 97fee68..5703f9c 100644
+index e3c47a9..320c0f8 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -192,6 +192,12 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
@@ -766,7 +766,7 @@ index f31c33d..87023a6 100644
ret = DST_R_INVALIDPRIVATEKEY;
goto fail;
diff --git a/lib/dns/hmac_link.c b/lib/dns/hmac_link.c
-index 94e73b1..d904075 100644
+index 3b6579b..4bdce2f 100644
--- a/lib/dns/hmac_link.c
+++ b/lib/dns/hmac_link.c
@@ -340,20 +340,10 @@ static dst_func_t hmacmd5_functions = {
@@ -792,13 +792,13 @@ index 94e73b1..d904075 100644
+ if (!isc_md5_available())
+ return (ISC_R_SUCCESS);
+ #if PK11_FLAVOR != PK11_UTIMACO_FLAVOR
/*
- * Prevent use of incorrect crypto
diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
-index c03fd72..49b66fc 100644
+index ec35f50..c80fabe 100644
--- a/lib/dns/opensslrsa_link.c
+++ b/lib/dns/opensslrsa_link.c
-@@ -1802,6 +1802,12 @@ dst__opensslrsa_init(dst_func_t **funcp, unsigned char algorithm)
{
+@@ -1812,6 +1812,12 @@ dst__opensslrsa_init(dst_func_t **funcp, unsigned char algorithm)
{
if (*funcp == NULL) {
switch (algorithm) {
@@ -812,7 +812,7 @@ index c03fd72..49b66fc 100644
#if defined(HAVE_EVP_SHA256) || !USE_EVP
*funcp = &opensslrsa_functions;
diff --git a/lib/dns/pkcs11rsa_link.c b/lib/dns/pkcs11rsa_link.c
-index eb782c8..46fd844 100644
+index 096c1a8..6c280bf 100644
--- a/lib/dns/pkcs11rsa_link.c
+++ b/lib/dns/pkcs11rsa_link.c
@@ -96,10 +96,15 @@ pkcs11rsa_createctx_sign(dst_key_t *key, dst_context_t *dctx) {
@@ -832,7 +832,7 @@ index eb782c8..46fd844 100644
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
/* From RFC 3110 */
-@@ -636,6 +641,9 @@ pkcs11rsa_createctx(dst_key_t *key, dst_context_t *dctx) {
+@@ -641,6 +646,9 @@ pkcs11rsa_createctx(dst_key_t *key, dst_context_t *dctx) {
switch (key->key_alg) {
#ifndef PK11_MD5_DISABLE
case DST_ALG_RSAMD5:
@@ -842,7 +842,7 @@ index eb782c8..46fd844 100644
mech.mechanism = CKM_MD5;
break;
#endif
-@@ -792,6 +800,9 @@ pkcs11rsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
+@@ -799,6 +807,9 @@ pkcs11rsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
switch (key->key_alg) {
#ifndef PK11_MD5_DISABLE
case DST_ALG_RSAMD5:
@@ -852,7 +852,7 @@ index eb782c8..46fd844 100644
der = md5_der;
derlen = sizeof(md5_der);
hashlen = ISC_MD5_DIGESTLENGTH;
-@@ -1016,6 +1027,9 @@ pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+@@ -1024,6 +1035,9 @@ pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
switch (key->key_alg) {
#ifndef PK11_MD5_DISABLE
case DST_ALG_RSAMD5:
@@ -862,7 +862,7 @@ index eb782c8..46fd844 100644
der = md5_der;
derlen = sizeof(md5_der);
hashlen = ISC_MD5_DIGESTLENGTH;
-@@ -2219,11 +2233,22 @@ static dst_func_t pkcs11rsa_functions = {
+@@ -2231,11 +2245,22 @@ static dst_func_t pkcs11rsa_functions = {
};
isc_result_t
@@ -889,7 +889,7 @@ index eb782c8..46fd844 100644
}
diff --git a/lib/dns/rcode.c b/lib/dns/rcode.c
-index 6a5948e..010dd1b 100644
+index 9c42c50..f51d548 100644
--- a/lib/dns/rcode.c
+++ b/lib/dns/rcode.c
@@ -16,6 +16,7 @@
@@ -900,7 +900,7 @@ index 6a5948e..010dd1b 100644
#include <isc/parseint.h>
#include <isc/print.h>
#include <isc/region.h>
-@@ -349,17 +350,33 @@ dns_cert_totext(dns_cert_t cert, isc_buffer_t *target) {
+@@ -357,17 +358,33 @@ dns_cert_totext(dns_cert_t cert, isc_buffer_t *target) {
return (dns_mnemonic_totext(cert, target, certs));
}
@@ -937,70 +937,48 @@ index 6a5948e..010dd1b 100644
void
diff --git a/lib/dns/tests/rsa_test.c b/lib/dns/tests/rsa_test.c
-index fb207ef..3ef0a4e 100644
+index 16214c6..9b235ba 100644
--- a/lib/dns/tests/rsa_test.c
+++ b/lib/dns/tests/rsa_test.c
-@@ -19,6 +19,7 @@
- #include <stdio.h>
- #include <string.h>
+@@ -26,6 +26,7 @@
+ #define UNIT_TESTING
+ #include <cmocka.h>
+#include <isc/md5.h>
#include <isc/util.h>
#include <isc/print.h>
-@@ -225,23 +226,25 @@ ATF_TC_BODY(isc_rsa_verify, tc) {
+@@ -247,6 +248,8 @@ isc_rsa_verify_test(void **state) {
/* RSAMD5 */
#ifndef PK11_MD5_DISABLE
-- key->key_alg = DST_ALG_RSAMD5;
+ if (isc_md5_available()) {
-+ key->key_alg = DST_ALG_RSAMD5;
-
-- ret = dst_context_create3(key, mctx, DNS_LOGCATEGORY_DNSSEC,
-- false, &ctx);
-- ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS);
-+ ret = dst_context_create3(key, mctx, DNS_LOGCATEGORY_DNSSEC,
-+ false, &ctx);
-+ ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS);
-
-- r.base = d;
-- r.length = 10;
-- ret = dst_context_adddata(ctx, &r);
-- ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS);
-+ r.base = d;
-+ r.length = 10;
-+ ret = dst_context_adddata(ctx, &r);
-+ ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS);
-
-- r.base = sigmd5;
-- r.length = 256;
-- ret = dst_context_verify(ctx, &r);
-- ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS);
-+ r.base = sigmd5;
-+ r.length = 256;
-+ ret = dst_context_verify(ctx, &r);
-+ ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS);
-
-- dst_context_destroy(&ctx);
-+ dst_context_destroy(&ctx);
++ /* wrong indentation is kept for diff minimization */
+ key->key_alg = DST_ALG_RSAMD5;
+
+ ret = dst_context_create3(key, mctx, DNS_LOGCATEGORY_DNSSEC,
+@@ -264,6 +267,7 @@ isc_rsa_verify_test(void **state) {
+ assert_int_equal(ret, ISC_R_SUCCESS);
+
+ dst_context_destroy(&ctx);
+ }
#endif
/* RSASHA256 */
diff --git a/lib/dns/tests/tsig_test.c b/lib/dns/tests/tsig_test.c
-index 443fb36..f003ff3 100644
+index 4d6847e..1a208b5 100644
--- a/lib/dns/tests/tsig_test.c
+++ b/lib/dns/tests/tsig_test.c
-@@ -14,6 +14,7 @@
- #include <config.h>
- #include <atf-c.h>
+@@ -24,6 +24,7 @@
+ #define UNIT_TESTING
+ #include <cmocka.h>
+#include <isc/md5.h>
#include <isc/mem.h>
#include <isc/print.h>
-
+ #include <isc/util.h>
diff --git a/lib/dns/tkey.c b/lib/dns/tkey.c
-index 5b4ffd9..cc3469d 100644
+index 89cfc79..d07364a 100644
--- a/lib/dns/tkey.c
+++ b/lib/dns/tkey.c
@@ -245,6 +245,9 @@ compute_secret(isc_buffer_t *shared, isc_region_t *queryrandomness,
@@ -1027,7 +1005,7 @@ index 5b4ffd9..cc3469d 100644
tkey_log("process_dhtkey: algorithms other than "
"hmac-md5 are not supported");
diff --git a/lib/dns/tsec.c b/lib/dns/tsec.c
-index c5eca0e..19b9002 100644
+index 9d8ead4..0c82f65 100644
--- a/lib/dns/tsec.c
+++ b/lib/dns/tsec.c
@@ -11,6 +11,7 @@
@@ -1053,7 +1031,7 @@ index c5eca0e..19b9002 100644
#endif
case DST_ALG_HMACSHA1:
diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
-index a94ec69..f74c831 100644
+index 58c1104..00ee1e1 100644
--- a/lib/dns/tsig.c
+++ b/lib/dns/tsig.c
@@ -273,7 +273,8 @@ dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm,
@@ -1086,7 +1064,7 @@ index a94ec69..f74c831 100644
if (secret != NULL) {
isc_buffer_t b;
-@@ -1283,7 +1286,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
+@@ -1291,7 +1294,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
return (ret);
if (
#ifndef PK11_MD5_DISABLE
@@ -1095,7 +1073,7 @@ index a94ec69..f74c831 100644
#endif
alg == DST_ALG_HMACSHA1 ||
alg == DST_ALG_HMACSHA224 || alg == DST_ALG_HMACSHA256 ||
-@@ -1452,7 +1455,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
+@@ -1460,7 +1463,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
if (
#ifndef PK11_MD5_DISABLE
@@ -1104,7 +1082,7 @@ index a94ec69..f74c831 100644
#endif
alg == DST_ALG_HMACSHA1 ||
alg == DST_ALG_HMACSHA224 || alg == DST_ALG_HMACSHA256 ||
-@@ -1593,7 +1596,7 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
+@@ -1601,7 +1604,7 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
goto cleanup_querystruct;
if (
#ifndef PK11_MD5_DISABLE
@@ -1113,7 +1091,7 @@ index a94ec69..f74c831 100644
#endif
alg == DST_ALG_HMACSHA1 ||
alg == DST_ALG_HMACSHA224 ||
-@@ -1772,7 +1775,7 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
+@@ -1780,7 +1783,7 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
goto cleanup_context;
if (
#ifndef PK11_MD5_DISABLE
@@ -1137,7 +1115,7 @@ index 4d29398..e3f5cec 100644
#endif /* !PK11_MD5_DISABLE */
diff --git a/lib/isc/md5.c b/lib/isc/md5.c
-index 25c71a2..934a70c 100644
+index 920aed5..a086a57 100644
--- a/lib/isc/md5.c
+++ b/lib/isc/md5.c
@@ -37,6 +37,7 @@
@@ -1237,7 +1215,7 @@ index 25c71a2..934a70c 100644
/*
diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c
-index c5d2310..a01e698 100644
+index 0d5b009..bb9912b 100644
--- a/lib/isc/pk11.c
+++ b/lib/isc/pk11.c
@@ -197,8 +197,6 @@ pk11_initialize(isc_mem_t *mctx, const char *engine) {
@@ -1356,39 +1334,39 @@ index c5d2310..a01e698 100644
/* ECDSA requires digest */
diff --git a/lib/isc/tests/hash_test.c b/lib/isc/tests/hash_test.c
-index 8f12342..7eb1552 100644
+index 8ddfe70..9c4d299 100644
--- a/lib/isc/tests/hash_test.c
+++ b/lib/isc/tests/hash_test.c
-@@ -2009,7 +2009,8 @@ ATF_TP_ADD_TCS(tp) {
- * various cryptographic hashes.
- */
- #ifndef PK11_MD5_DISABLE
-- ATF_TP_ADD_TC(tp, md5_check);
-+ if (isc_md5_available())
-+ ATF_TP_ADD_TC(tp, md5_check);
- #endif
- ATF_TP_ADD_TC(tp, sha1_check);
+@@ -776,6 +776,9 @@ isc_md5_test(void **state) {
+
+ UNUSED(state);
+
++ if (!isc_md5_available())
++ return;
++
+ /*
+ * These are the various test vectors. All of these are passed
+ * through the hash function and the results are compared to the
+@@ -1631,6 +1634,9 @@ isc_hmacmd5_test(void **state) {
+
+ UNUSED(state);
+
++ if (!isc_md5_available())
++ return;
++
+ /*
+ * These are the various test vectors. All of these are passed
+ * through the hash function and the results are compared to the
+@@ -1941,6 +1947,9 @@ static void
+ md5_check_test(void **state) {
+ UNUSED(state);
+
++ if (!isc_md5_available())
++ return;
++
+ assert_true(isc_md5_check(false));
+ assert_false(isc_md5_check(true));
-@@ -2017,7 +2018,8 @@ ATF_TP_ADD_TCS(tp) {
- ATF_TP_ADD_TC(tp, isc_hash_function_reverse);
- ATF_TP_ADD_TC(tp, isc_hash_initializer);
- #ifndef PK11_MD5_DISABLE
-- ATF_TP_ADD_TC(tp, isc_hmacmd5);
-+ if (isc_md5_available())
-+ ATF_TP_ADD_TC(tp, isc_hmacmd5);
- #endif
- ATF_TP_ADD_TC(tp, isc_hmacsha1);
- ATF_TP_ADD_TC(tp, isc_hmacsha224);
-@@ -2025,7 +2027,8 @@ ATF_TP_ADD_TCS(tp) {
- ATF_TP_ADD_TC(tp, isc_hmacsha384);
- ATF_TP_ADD_TC(tp, isc_hmacsha512);
- #ifndef PK11_MD5_DISABLE
-- ATF_TP_ADD_TC(tp, isc_md5);
-+ if (isc_md5_available())
-+ ATF_TP_ADD_TC(tp, isc_md5);
- #endif
- ATF_TP_ADD_TC(tp, isc_sha1);
- ATF_TP_ADD_TC(tp, isc_sha224);
diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c
index c2740cb..c314d76 100644
--- a/lib/isccc/cc.c
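Review bot: The three added guards, `if (!isc_md5_available()) return;` in isc_md5_test, isc_hmacmd5_test and md5_check_test, make each test end as passed when MD5 is unavailable. A run in FIPS mode therefore reports MD5 and HMAC-MD5 coverage that never executed. The ATF version being replaced left those cases unregistered instead of counting them as successes. cmocka provides `skip()` for this case, so I would write `if (!isc_md5_available()) skip();` in each of the three places to get a skipped result. The three test bodies continue outside the lines shown here.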
@@ -1477,5 +1455,5 @@ index c2740cb..c314d76 100644
case ISCCC_ALG_HMACSHA1:
--
-2.14.4
+2.20.1
diff --git a/bind-9.11-fips-tests.patch b/bind-9.11-fips-tests.patch
index 16d3b33..b86b783 100644
--- a/bind-9.11-fips-tests.patch
+++ b/bind-9.11-fips-tests.patch
@@ -1,4 +1,4 @@
-From 07876a60a9c2537f536901b214349d67f6b25666 Mon Sep 17 00:00:00 2001
+From 4e6888c1d32071ead4b7faeeb0f1774a6d8a1120 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik(a)redhat.com>
Date: Thu, 2 Aug 2018 23:46:45 +0200
Subject: [PATCH] FIPS tests changes
@@ -58,56 +58,54 @@ Date: Wed Mar 7 10:44:23 2018 +0100
Use hmac-sha256 instead of default hmac-md5 for allow-query
---
- bin/tests/system/acl/ns2/named1.conf.in | 4 +-
- bin/tests/system/acl/ns2/named2.conf.in | 4 +-
- bin/tests/system/acl/ns2/named3.conf.in | 6 +--
- bin/tests/system/acl/ns2/named4.conf.in | 4 +-
- bin/tests/system/acl/ns2/named5.conf.in | 4 +-
- bin/tests/system/acl/tests.sh | 32 +++++------
- bin/tests/system/allow-query/ns2/named10.conf.in | 2 +-
- bin/tests/system/allow-query/ns2/named11.conf.in | 4 +-
- bin/tests/system/allow-query/ns2/named12.conf.in | 2 +-
- bin/tests/system/allow-query/ns2/named30.conf.in | 2 +-
- bin/tests/system/allow-query/ns2/named31.conf.in | 4 +-
- bin/tests/system/allow-query/ns2/named32.conf.in | 2 +-
- bin/tests/system/allow-query/ns2/named40.conf.in | 4 +-
- bin/tests/system/allow-query/tests.sh | 18 +++----
- bin/tests/system/catz/ns1/named.conf.in | 2 +-
- bin/tests/system/catz/ns2/named.conf.in | 2 +-
- bin/tests/system/checkconf/bad-tsig.conf | 2 +-
- bin/tests/system/checkconf/good.conf | 2 +-
- bin/tests/system/digdelv/ns2/example.db | 15 +++---
- bin/tests/system/digdelv/tests.sh | 28 +++++-----
- bin/tests/system/dlv/ns1/sign.sh | 4 +-
- bin/tests/system/dlv/ns2/sign.sh | 4 +-
- bin/tests/system/dlv/ns3/sign.sh | 69 ++++++++++++------------
- bin/tests/system/dlv/ns6/sign.sh | 66 ++++++++++++-----------
- bin/tests/system/dnssec/ns1/sign.sh | 4 +-
- bin/tests/system/dnssec/ns2/sign.sh | 12 ++---
- bin/tests/system/dnssec/ns3/sign.sh | 20 +++----
- bin/tests/system/dnssec/ns5/trusted.conf.bad | 2 +-
- bin/tests/system/dnssec/tests.sh | 8 +--
- bin/tests/system/feature-test.c | 14 +++++
- bin/tests/system/filter-aaaa/ns1/sign.sh | 4 +-
- bin/tests/system/filter-aaaa/ns4/sign.sh | 4 +-
- bin/tests/system/notify/ns5/named.conf.in | 6 +--
- bin/tests/system/notify/tests.sh | 6 +--
- bin/tests/system/nsupdate/ns1/named.conf.in | 2 +-
- bin/tests/system/nsupdate/ns2/named.conf.in | 2 +-
- bin/tests/system/nsupdate/setup.sh | 7 ++-
- bin/tests/system/nsupdate/tests.sh | 11 +++-
- bin/tests/system/rndc/setup.sh | 2 +-
- bin/tests/system/rndc/tests.sh | 23 ++++----
- bin/tests/system/tsig/clean.sh | 1 +
- bin/tests/system/tsig/ns1/named.conf.in | 10 +---
- bin/tests/system/tsig/ns1/rndc5.conf.in | 11 ++++
- bin/tests/system/tsig/setup.sh | 4 ++
- bin/tests/system/tsig/tests.sh | 67 ++++++++++++++---------
- bin/tests/system/tsiggss/setup.sh | 2 +-
- bin/tests/system/upforwd/ns1/named.conf.in | 2 +-
- bin/tests/system/upforwd/tests.sh | 2 +-
- 48 files changed, 287 insertions(+), 225 deletions(-)
- create mode 100644 bin/tests/system/tsig/ns1/rndc5.conf.in
+ bin/tests/system/acl/ns2/named1.conf.in | 4 +-
+ bin/tests/system/acl/ns2/named2.conf.in | 4 +-
+ bin/tests/system/acl/ns2/named3.conf.in | 6 +-
+ bin/tests/system/acl/ns2/named4.conf.in | 4 +-
+ bin/tests/system/acl/ns2/named5.conf.in | 4 +-
+ bin/tests/system/acl/tests.sh | 32 ++++-----
+ .../system/allow-query/ns2/named10.conf.in | 2 +-
+ .../system/allow-query/ns2/named11.conf.in | 4 +-
+ .../system/allow-query/ns2/named12.conf.in | 2 +-
+ .../system/allow-query/ns2/named30.conf.in | 2 +-
+ .../system/allow-query/ns2/named31.conf.in | 4 +-
+ .../system/allow-query/ns2/named32.conf.in | 2 +-
+ .../system/allow-query/ns2/named40.conf.in | 4 +-
+ bin/tests/system/allow-query/tests.sh | 18 ++---
+ bin/tests/system/catz/ns1/named.conf.in | 2 +-
+ bin/tests/system/catz/ns2/named.conf.in | 2 +-
+ bin/tests/system/checkconf/bad-tsig.conf | 2 +-
+ bin/tests/system/checkconf/good.conf | 2 +-
+ bin/tests/system/digdelv/ns2/example.db | 15 ++--
+ bin/tests/system/digdelv/tests.sh | 28 ++++----
+ bin/tests/system/dlv/ns1/sign.sh | 4 +-
+ bin/tests/system/dlv/ns2/sign.sh | 4 +-
+ bin/tests/system/dlv/ns3/sign.sh | 69 ++++++++++---------
+ bin/tests/system/dlv/ns6/sign.sh | 66 +++++++++---------
+ bin/tests/system/dnssec/ns1/sign.sh | 4 +-
+ bin/tests/system/dnssec/ns2/sign.sh | 12 ++--
+ bin/tests/system/dnssec/ns3/sign.sh | 20 +++---
+ bin/tests/system/dnssec/ns5/trusted.conf.bad | 2 +-
+ bin/tests/system/dnssec/tests.sh | 8 +--
+ bin/tests/system/feature-test.c | 14 ++++
+ bin/tests/system/filter-aaaa/ns1/sign.sh | 4 +-
+ bin/tests/system/filter-aaaa/ns4/sign.sh | 4 +-
+ bin/tests/system/notify/ns5/named.conf.in | 6 +-
+ bin/tests/system/notify/tests.sh | 6 +-
+ bin/tests/system/nsupdate/ns1/named.conf.in | 2 +-
+ bin/tests/system/nsupdate/ns2/named.conf.in | 2 +-
+ bin/tests/system/nsupdate/setup.sh | 7 +-
+ bin/tests/system/nsupdate/tests.sh | 11 ++-
+ bin/tests/system/rndc/setup.sh | 2 +-
+ bin/tests/system/rndc/tests.sh | 23 ++++---
+ bin/tests/system/tsig/clean.sh | 1 +
+ bin/tests/system/tsig/ns1/named.conf.in | 10 +--
+ bin/tests/system/tsig/setup.sh | 5 ++
+ bin/tests/system/tsig/tests.sh | 67 +++++++++++-------
+ bin/tests/system/tsiggss/setup.sh | 2 +-
+ bin/tests/system/upforwd/ns1/named.conf.in | 2 +-
+ bin/tests/system/upforwd/tests.sh | 2 +-
+ 47 files changed, 277 insertions(+), 225 deletions(-)
diff --git a/bin/tests/system/acl/ns2/named1.conf.in
b/bin/tests/system/acl/ns2/named1.conf.in
index 0ea6502..026db3f 100644
@@ -604,7 +602,7 @@ index f4e30f5..9f53e31 100644
; TTL of 3 weeks
weeks 1814400 A 10.53.0.2
diff --git a/bin/tests/system/digdelv/tests.sh b/bin/tests/system/digdelv/tests.sh
-index 95bd074..b566ecb 100644
+index 24aa7b3..54a3e2a 100644
--- a/bin/tests/system/digdelv/tests.sh
+++ b/bin/tests/system/digdelv/tests.sh
@@ -61,7 +61,7 @@ if [ -x ${DIG} ] ; then
@@ -670,7 +668,7 @@ index 95bd074..b566ecb 100644
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
-@@ -555,7 +555,7 @@ if [ -x ${DELV} ] ; then
+@@ -564,7 +564,7 @@ if [ -x ${DELV} ] ; then
echo_i "checking delv +multi +norrcomments works for dnskey (when default is
rrcomments)($n)"
ret=0
$DELV $DELVOPTS +tcp @10.53.0.3 +multi +norrcomments DNSKEY dnskey.example >
delv.out.test$n || ret=1
@@ -679,7 +677,7 @@ index 95bd074..b566ecb 100644
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
-@@ -563,7 +563,7 @@ if [ -x ${DELV} ] ; then
+@@ -572,7 +572,7 @@ if [ -x ${DELV} ] ; then
echo_i "checking delv +multi +norrcomments works for soa (when default is
rrcomments)($n)"
ret=0
$DELV $DELVOPTS +tcp @10.53.0.3 +multi +norrcomments SOA example > delv.out.test$n
|| ret=1
@@ -688,7 +686,7 @@ index 95bd074..b566ecb 100644
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
-@@ -571,7 +571,7 @@ if [ -x ${DELV} ] ; then
+@@ -580,7 +580,7 @@ if [ -x ${DELV} ] ; then
echo_i "checking delv +rrcomments works for DNSKEY($n)"
ret=0
$DELV $DELVOPTS +tcp @10.53.0.3 +rrcomments DNSKEY dnskey.example > delv.out.test$n
|| ret=1
@@ -697,7 +695,7 @@ index 95bd074..b566ecb 100644
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
-@@ -579,7 +579,7 @@ if [ -x ${DELV} ] ; then
+@@ -588,7 +588,7 @@ if [ -x ${DELV} ] ; then
echo_i "checking delv +short +rrcomments works for DNSKEY ($n)"
ret=0
$DELV $DELVOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example >
delv.out.test$n || ret=1
@@ -706,7 +704,7 @@ index 95bd074..b566ecb 100644
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
-@@ -587,7 +587,7 @@ if [ -x ${DELV} ] ; then
+@@ -596,7 +596,7 @@ if [ -x ${DELV} ] ; then
echo_i "checking delv +short +rrcomments works ($n)"
ret=0
$DELV $DELVOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example >
delv.out.test$n || ret=1
@@ -715,7 +713,7 @@ index 95bd074..b566ecb 100644
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
-@@ -595,7 +595,7 @@ if [ -x ${DELV} ] ; then
+@@ -604,7 +604,7 @@ if [ -x ${DELV} ] ; then
echo_i "checking delv +short +nosplit works ($n)"
ret=0
$DELV $DELVOPTS +tcp @10.53.0.3 +short +nosplit DNSKEY dnskey.example >
delv.out.test$n || ret=1
@@ -724,7 +722,7 @@ index 95bd074..b566ecb 100644
if test `wc -l < delv.out.test$n` != 1 ; then ret=1 ; fi
f=`awk '{print NF}' < delv.out.test$n`
test "${f:-0}" -eq 14 || ret=1
-@@ -606,7 +606,7 @@ if [ -x ${DELV} ] ; then
+@@ -615,7 +615,7 @@ if [ -x ${DELV} ] ; then
echo_i "checking delv +short +nosplit +norrcomments works ($n)"
ret=0
$DELV $DELVOPTS +tcp @10.53.0.3 +short +nosplit +norrcomments DNSKEY dnskey.example
> delv.out.test$n || ret=1
@@ -1171,10 +1169,10 @@ index 198d60a..d89a539 100644
keyid=`expr $keyid + 0`
echo "$keyid" > managed.key.id
diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh
-index 9078459..9dcd028 100644
+index ca18608..25b6cab 100644
--- a/bin/tests/system/dnssec/ns2/sign.sh
+++ b/bin/tests/system/dnssec/ns2/sign.sh
-@@ -29,8 +29,8 @@ do
+@@ -30,8 +30,8 @@ do
cp ../ns3/dsset-$subdomain.example$TP .
done
@@ -1185,7 +1183,7 @@ index 9078459..9dcd028 100644
cat $infile $keyname1.key $keyname2.key >$zonefile
-@@ -89,8 +89,8 @@ zone=in-addr.arpa.
+@@ -91,8 +91,8 @@ zone=in-addr.arpa.
infile=in-addr.arpa.db.in
zonefile=in-addr.arpa.db
@@ -1196,7 +1194,7 @@ index 9078459..9dcd028 100644
cat $infile $keyname1.key $keyname2.key >$zonefile
$SIGNER -P -g -r $RANDFILE -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null
-@@ -101,7 +101,7 @@ privzone=private.secure.example.
+@@ -103,7 +103,7 @@ privzone=private.secure.example.
privinfile=private.secure.example.db.in
privzonefile=private.secure.example.db
@@ -1205,7 +1203,7 @@ index 9078459..9dcd028 100644
cat $privinfile $privkeyname.key >$privzonefile
-@@ -115,7 +115,7 @@ dlvinfile=dlv.db.in
+@@ -117,7 +117,7 @@ dlvinfile=dlv.db.in
dlvzonefile=dlv.db
dlvsetfile=dlvset-`echo $privzone |sed -e "s/\.$//g"`$TP
@@ -1215,7 +1213,7 @@ index 9078459..9dcd028 100644
cat $dlvinfile $dlvkeyname.key $dlvsetfile > $dlvzonefile
diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh
-index 330abf7..f95a6b7 100644
+index ff55d84..4f6a251 100644
--- a/bin/tests/system/dnssec/ns3/sign.sh
+++ b/bin/tests/system/dnssec/ns3/sign.sh
@@ -28,7 +28,7 @@ zone=bogus.example.
@@ -1292,7 +1290,7 @@ index 330abf7..f95a6b7 100644
cat $infile $keyname.key >$zonefile
-@@ -498,7 +498,7 @@ zone=badds.example.
+@@ -533,7 +533,7 @@ zone=badds.example.
infile=bogus.example.db.in
zonefile=badds.example.db
@@ -1313,10 +1311,10 @@ index ed30460..e6b1126 100644
+ "." 256 3 8
"AwEAAarwAdjV4gIhpBCjXVAScRFEx3co7k8smJdxrnqoGsl5NB7EZ9jRdgvCXbJn6v8y9jlNWVHvaC8ilhfhLh0A1vLWiWv4ijd/12xcnrY7xpG7Cu3YkxUxaXJ7Jdg/Iw1+9mGgXF1v4UbCIcw/3U3cxyk7OxYg+VSb5KBAQSR0upxV";
};
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
-index bb2315f..3156668 100644
+index 646434f..9a10f9f 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
-@@ -1690,7 +1690,7 @@ ret=0
+@@ -1688,7 +1688,7 @@ ret=0
$RNDCCMD 10.53.0.4 secroots 2>&1 | sed 's/^/ns4 /' | cat_i
keyid=`cat ns1/managed.key.id`
cp ns4/named.secroots named.secroots.test$n
@@ -1325,7 +1323,7 @@ index bb2315f..3156668 100644
[ "$linecount" -eq 1 ] || ret=1
linecount=`cat named.secroots.test$n | wc -l`
[ "$linecount" -eq 10 ] || ret=1
-@@ -3018,7 +3018,7 @@ echo_i "check dig's +nocrypto flag ($n)"
+@@ -3016,7 +3016,7 @@ echo_i "check dig's +nocrypto flag ($n)"
ret=0
$DIG $DIGOPTS +norec +nocrypto DNSKEY . \
@10.53.0.1 > dig.out.dnskey.ns1.test$n || ret=1
@@ -1334,7 +1332,7 @@ index bb2315f..3156668 100644
grep 'RRSIG.* \[omitted]' dig.out.dnskey.ns1.test$n > /dev/null || ret=1
$DIG $DIGOPTS +norec +nocrypto DS example \
@10.53.0.1 > dig.out.ds.ns1.test$n || ret=1
-@@ -3130,8 +3130,8 @@ do
+@@ -3128,8 +3128,8 @@ do
alg=`expr $alg + 1`
continue;;
3) size="-b 512";;
@@ -1346,7 +1344,7 @@ index bb2315f..3156668 100644
8) size="-b 512";;
10) size="-b 1024";;
diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c
-index 9612450..5eee6aa 100644
+index f934b63..11863a3 100644
--- a/bin/tests/system/feature-test.c
+++ b/bin/tests/system/feature-test.c
@@ -19,6 +19,7 @@
@@ -1440,10 +1438,10 @@ index cfcfe8f..0a1614d 100644
};
diff --git a/bin/tests/system/notify/tests.sh b/bin/tests/system/notify/tests.sh
-index ad20e3e..5a9ce46 100644
+index 1f6e6d0..c08bd25 100644
--- a/bin/tests/system/notify/tests.sh
+++ b/bin/tests/system/notify/tests.sh
-@@ -186,16 +186,16 @@ ret=0
+@@ -212,16 +212,16 @@ ret=0
$NSUPDATE << EOF
server 10.53.0.5 ${PORT}
zone x21
@@ -1477,10 +1475,10 @@ index 1d999ad..26b6b7c 100644
};
diff --git a/bin/tests/system/nsupdate/ns2/named.conf.in
b/bin/tests/system/nsupdate/ns2/named.conf.in
-index b4ecf96..1adb33e 100644
+index 4549184..cb7dccd 100644
--- a/bin/tests/system/nsupdate/ns2/named.conf.in
+++ b/bin/tests/system/nsupdate/ns2/named.conf.in
-@@ -24,7 +24,7 @@ options {
+@@ -33,7 +33,7 @@ controls {
};
key altkey {
@@ -1490,7 +1488,7 @@ index b4ecf96..1adb33e 100644
};
diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh
-index d6647fa..715314b 100644
+index 45dfeeb..594db77 100644
--- a/bin/tests/system/nsupdate/setup.sh
+++ b/bin/tests/system/nsupdate/setup.sh
@@ -63,7 +63,12 @@ EOF
@@ -1508,7 +1506,7 @@ index d6647fa..715314b 100644
$DDNSCONFGEN -q -r $RANDFILE -a hmac-sha224 -k sha224-key -z keytests.nil >
ns1/sha224.key
$DDNSCONFGEN -q -r $RANDFILE -a hmac-sha256 -k sha256-key -z keytests.nil >
ns1/sha256.key
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
-index 9f26572..fd0383f 100755
+index 901cd22..b72b59c 100755
--- a/bin/tests/system/nsupdate/tests.sh
+++ b/bin/tests/system/nsupdate/tests.sh
@@ -700,7 +700,14 @@ fi
@@ -1537,7 +1535,7 @@ index 9f26572..fd0383f 100755
done
if [ $ret -ne 0 ]; then
diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh
-index 850c4d2..09a3e0f 100644
+index 343869e..c30efb0 100644
--- a/bin/tests/system/rndc/setup.sh
+++ b/bin/tests/system/rndc/setup.sh
@@ -37,7 +37,7 @@ make_key () {
@@ -1550,7 +1548,7 @@ index 850c4d2..09a3e0f 100644
make_key 3 ${EXTRAPORT3} hmac-sha224
make_key 4 ${EXTRAPORT4} hmac-sha256
diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh
-index 647730e..7df752d 100644
+index b00056c..f7fad91 100644
--- a/bin/tests/system/rndc/tests.sh
+++ b/bin/tests/system/rndc/tests.sh
@@ -356,15 +356,20 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -1620,31 +1618,15 @@ index fbf30c6..f61657d 100644
key "sha1-trunc" {
secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
-diff --git a/bin/tests/system/tsig/ns1/rndc5.conf.in
b/bin/tests/system/tsig/ns1/rndc5.conf.in
-new file mode 100644
-index 0000000..4117830
---- /dev/null
-+++ b/bin/tests/system/tsig/ns1/rndc5.conf.in
-@@ -0,0 +1,11 @@
-+
-+key "md5" {
-+ secret "97rnFx24Tfna4mHPfgnerA==";
-+ algorithm hmac-md5;
-+};
-+
-+key "md5-trunc" {
-+ secret "97rnFx24Tfna4mHPfgnerA==";
-+ algorithm hmac-md5-80;
-+};
-+
diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh
-index 656e9bb..628c5bb 100644
+index 4dd4a25..aa0f966 100644
--- a/bin/tests/system/tsig/setup.sh
+++ b/bin/tests/system/tsig/setup.sh
-@@ -17,3 +17,7 @@ $SHELL clean.sh
+@@ -17,3 +17,8 @@ $SHELL clean.sh
copy_setports ns1/named.conf.in ns1/named.conf
- test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+ test -r $RANDFILE || $GENRANDOM $RANDOMSIZE $RANDFILE
++
+if $FEATURETEST --md5
+then
+ cat ns1/rndc5.conf.in >> ns1/named.conf
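Review bot: `cat ns1/rndc5.conf.in >> ns1/named.conf` still runs under `if $FEATURETEST --md5`, but this revision of the patch no longer creates `bin/tests/system/tsig/ns1/rndc5.conf.in`; both the new-file section and its diffstat entry are dropped. Whether the rebased upstream tree ships that file is not visible from here. If it does not, the `cat` fails and, unless setup.sh runs with errexit, named.conf is left without the "md5" and "md5-trunc" keys, so the hmac-md5 cases in tests.sh would fail for a reason unrelated to MD5 availability. I would confirm the file exists in the new source tree and make the append fail loudly, for example `cat ns1/rndc5.conf.in >> ns1/named.conf || exit 1`. The `if` block closes outside the lines shown.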
@@ -1742,10 +1724,10 @@ index f731fa6..cade35b 100644
echo_i "fetching using hmac-sha1-80 (BADTRUNC)"
diff --git a/bin/tests/system/tsiggss/setup.sh b/bin/tests/system/tsiggss/setup.sh
-index 5da33cf..fb108b0 100644
+index 0d21c7b..dbcb7b4 100644
--- a/bin/tests/system/tsiggss/setup.sh
+++ b/bin/tests/system/tsiggss/setup.sh
-@@ -18,5 +18,5 @@ test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+@@ -18,5 +18,5 @@ test -r $RANDFILE || $GENRANDOM $RANDOMSIZE $RANDFILE
copy_setports ns1/named.conf.in ns1/named.conf
@@ -1779,5 +1761,5 @@ index b0694bb..9adae82 100644
update add updated.example. 600 A 10.10.10.1
update add updated.example. 600 TXT Foo
--
-2.14.4
+2.20.1
diff --git a/bind-9.11-host-idn-disable.patch b/bind-9.11-host-idn-disable.patch
index 7d52964..7f02b4c 100644
--- a/bind-9.11-host-idn-disable.patch
+++ b/bind-9.11-host-idn-disable.patch
@@ -1,4 +1,4 @@
-From ed26f0f0eb4242706d2012e4abe0152071bb305b Mon Sep 17 00:00:00 2001
+From ec50eff97c259b5bfbfa4e050d69fe7b39b0f15a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik(a)redhat.com>
Date: Tue, 25 Sep 2018 18:08:46 +0200
Subject: [PATCH] Disable IDN from environment as documented
@@ -12,16 +12,16 @@ Support variable CHARSET=ASCII to disable IDN, supported in
downstream
RH patch since RHEL 5.
---
bin/dig/dig.docbook | 4 +++-
- bin/dig/dighost.c | 9 +++++++--
+ bin/dig/dighost.c | 5 +++++
bin/dig/host.docbook | 2 +-
bin/dig/nslookup.docbook | 15 +++++++++++++++
- 4 files changed, 26 insertions(+), 4 deletions(-)
+ 4 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/bin/dig/dig.docbook b/bin/dig/dig.docbook
-index bd7510e..5cc696f 100644
+index 5d19301..933af79 100644
--- a/bin/dig/dig.docbook
+++ b/bin/dig/dig.docbook
-@@ -1288,7 +1288,9 @@ dig +qr
www.isc.org any -x 127.0.0.1
isc.org ns +noqr
+@@ -1312,7 +1312,9 @@ dig +qr
www.isc.org any -x 127.0.0.1
isc.org ns +noqr
reply from the server.
If you'd like to turn off the IDN support for some reason, use
parameters <parameter>+noidnin</parameter> and
@@ -33,15 +33,13 @@ index bd7510e..5cc696f 100644
</refsection>
diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
-index 341ed80..bb8702c 100644
+index 5eabc1f..73aaab8 100644
--- a/bin/dig/dighost.c
+++ b/bin/dig/dighost.c
-@@ -825,12 +825,17 @@ make_empty_lookup(void) {
- looknew->seenbadcookie = false;
+@@ -826,6 +826,11 @@ make_empty_lookup(void) {
looknew->badcookie = true;
#ifdef WITH_IDN_SUPPORT
-- looknew->idnin = true;
-+ looknew->idnin = (getenv("IDN_DISABLE") == NULL);
+ looknew->idnin = isatty(1)?(getenv("IDN_DISABLE") == NULL):false;
+ if (looknew->idnin) {
+ const char *charset = getenv("CHARSET");
+ if (charset && !strcmp(charset, "ASCII"))
@@ -50,17 +48,11 @@ index 341ed80..bb8702c 100644
#else
looknew->idnin = false;
#endif
- #ifdef WITH_IDN_OUT_SUPPORT
-- looknew->idnout = true;
-+ looknew->idnout = looknew->idnin;
- #else
- looknew->idnout = false;
- #endif
diff --git a/bin/dig/host.docbook b/bin/dig/host.docbook
-index 9c3aeaa..42cbbf9 100644
+index da0f8fb..9689b5a 100644
--- a/bin/dig/host.docbook
+++ b/bin/dig/host.docbook
-@@ -378,7 +378,7 @@
+@@ -379,7 +379,7 @@
<command>host</command> appropriately converts character encoding of
domain name before sending a request to DNS server or displaying a
reply from the server.
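Review bot: With `looknew->idnout = looknew->idnin;` dropped from the patch, the lines added to make_empty_lookup() apply the `CHARSET` check only to `idnin`, and nothing visible here ties `idnout` to it any more. The patch subject and the docbook text both say the variable disables IDN support as a whole. If the upstream initialisation of `idnout` (outside this hunk) looks only at the terminal and `IDN_DISABLE`, output conversion would stay on with CHARSET=ASCII. I would check the rebased function and, if that is the case, keep the earlier `looknew->idnout = looknew->idnin;` in the `WITH_IDN_OUT_SUPPORT` branch so both directions follow the documented switch.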
@@ -70,10 +62,10 @@ index 9c3aeaa..42cbbf9 100644
The IDN support is disabled if the variable is set when
<command>host</command> runs.
diff --git a/bin/dig/nslookup.docbook b/bin/dig/nslookup.docbook
-index 3aff4e9..86a09c6 100644
+index d46fc2d..6d7d181 100644
--- a/bin/dig/nslookup.docbook
+++ b/bin/dig/nslookup.docbook
-@@ -478,6 +478,21 @@ nslookup -query=hinfo -timeout=10
+@@ -495,6 +495,21 @@ nslookup -query=hinfo -timeout=10
</para>
</refsection>
@@ -96,5 +88,5 @@ index 3aff4e9..86a09c6 100644
<para><filename>/etc/resolv.conf</filename>
--
-2.14.4
+2.20.1
diff --git a/bind-9.11-kyua-pkcs11.patch b/bind-9.11-kyua-pkcs11.patch
index 1b83800..caf57bb 100644
--- a/bind-9.11-kyua-pkcs11.patch
+++ b/bind-9.11-kyua-pkcs11.patch
@@ -1,4 +1,4 @@
-From 3474d13bbf08c441783bd72afbc8cec8857baf46 Mon Sep 17 00:00:00 2001
+From 17998f4feb9590522a0b50943075d9e8c97ec69d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik(a)redhat.com>
Date: Tue, 2 Jan 2018 18:13:07 +0100
Subject: [PATCH] Fix pkcs11 variants atf tests
@@ -7,20 +7,19 @@ Add dns-pkcs11 tests Makefile to configure
Add pkcs11 Kyuafile, fix dh_test to pass in pkcs11 mode
---
- configure.in | 1 +
- lib/Atffile | 2 ++
+ configure.ac | 1 +
lib/Kyuafile | 2 ++
lib/dns-pkcs11/tests/Makefile.in | 10 +++++-----
lib/dns-pkcs11/tests/dh_test.c | 3 ++-
lib/isc-pkcs11/tests/Makefile.in | 6 +++---
lib/isc-pkcs11/tests/hash_test.c | 32 +++++++++++++++++++++++++-------
- 7 files changed, 40 insertions(+), 16 deletions(-)
+ 6 files changed, 38 insertions(+), 16 deletions(-)
-diff --git a/configure.in b/configure.in
-index 1edafd1..5466de1 100644
---- a/configure.in
-+++ b/configure.in
-@@ -5489,6 +5489,7 @@ AC_CONFIG_FILES([
+diff --git a/configure.ac b/configure.ac
+index 7aff0e6..8374385 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -5512,6 +5512,7 @@ AC_CONFIG_FILES([
lib/dns-pkcs11/include/Makefile
lib/dns-pkcs11/include/dns/Makefile
lib/dns-pkcs11/include/dst/Makefile
@@ -28,25 +27,11 @@ index 1edafd1..5466de1 100644
lib/irs/Makefile
lib/irs/include/Makefile
lib/irs/include/irs/Makefile
-diff --git a/lib/Atffile b/lib/Atffile
-index 93bbb01..4db3dce 100644
---- a/lib/Atffile
-+++ b/lib/Atffile
-@@ -3,7 +3,9 @@ Content-Type: application/X-atf-atffile; version="1"
- prop: test-suite = bind9
-
- tp: dns
-+tp: dns-pkcs11
- tp: irs
- tp: isc
-+tp: isc-pkcs11
- tp: isccfg
- tp: lwres
diff --git a/lib/Kyuafile b/lib/Kyuafile
-index ff9fc56..eaaf0dc 100644
+index 7c8bab0..eec9564 100644
--- a/lib/Kyuafile
+++ b/lib/Kyuafile
-@@ -2,7 +2,9 @@ syntax(2)
+@@ -2,8 +2,10 @@ syntax(2)
test_suite('bind9')
include('dns/Kyuafile')
@@ -54,18 +39,19 @@ index ff9fc56..eaaf0dc 100644
include('irs/Kyuafile')
include('isc/Kyuafile')
+include('isc-pkcs11/Kyuafile')
+ include('isccc/Kyuafile')
include('isccfg/Kyuafile')
include('lwres/Kyuafile')
diff --git a/lib/dns-pkcs11/tests/Makefile.in b/lib/dns-pkcs11/tests/Makefile.in
-index 625e809..6fd4e36 100644
+index 9f1781a..e50463d 100644
--- a/lib/dns-pkcs11/tests/Makefile.in
+++ b/lib/dns-pkcs11/tests/Makefile.in
-@@ -21,12 +21,12 @@ VERSION=@BIND9_VERSION@
+@@ -17,12 +17,12 @@ VERSION=@BIND9_VERSION@
CINCLUDES = -I. -Iinclude ${DNS_INCLUDES} ${ISC_INCLUDES} \
@DST_OPENSSL_INC@
-CDEFINES = @CRYPTO@ -DTESTS="\"${top_builddir}/lib/dns/tests/\""
-+CDEFINES = @CRYPTO@
-DTESTS="\"${top_builddir}/lib/dns-pkcs11/tests/\""
++CDEFINES = @CRYPTO_PK11@
-DTESTS="\"${top_builddir}/lib/dns-pkcs11/tests/\""
-ISCLIBS = ../../isc/libisc.@A@
-ISCDEPLIBS = ../../isc/libisc.@A@
@@ -76,45 +62,45 @@ index 625e809..6fd4e36 100644
+DNSLIBS = ../libdns-pkcs11.@A@ @DNS_CRYPTO_LIBS@
+DNSDEPLIBS = ../libdns-pkcs11.@A@
- LIBS = @LIBS@ @ATFLIBS@
-
+ LIBS = @LIBS@ @CMOCKA_LIBS@
+ CFLAGS = @CFLAGS@ @CMOCKA_CFLAGS@
diff --git a/lib/dns-pkcs11/tests/dh_test.c b/lib/dns-pkcs11/tests/dh_test.c
-index 6216b4e..dd74e58 100644
+index 4dbfd82..a383b8e 100644
--- a/lib/dns-pkcs11/tests/dh_test.c
+++ b/lib/dns-pkcs11/tests/dh_test.c
-@@ -64,7 +64,8 @@ ATF_TC_BODY(isc_dh_computesecret, tc) {
- ret = dst_key_computesecret(key, key, &buf);
- ATF_REQUIRE_EQ(ret, DST_R_NOTPRIVATEKEY);
- ret = key->func->computesecret(key, key, &buf);
-- ATF_REQUIRE_EQ(ret, DST_R_COMPUTESECRETFAILURE);
+@@ -86,7 +86,8 @@ dh_computesecret(void **state) {
+ result = dst_key_computesecret(key, key, &buf);
+ assert_int_equal(result, DST_R_NOTPRIVATEKEY);
+ result = key->func->computesecret(key, key, &buf);
+- assert_int_equal(result, DST_R_COMPUTESECRETFAILURE);
+ /* PKCS11 variant gives different result, accept both */
-+ ATF_REQUIRE(ret == DST_R_COMPUTESECRETFAILURE || ret == DST_R_INVALIDPRIVATEKEY);
++ assert_true(result == DST_R_COMPUTESECRETFAILURE || result ==
DST_R_INVALIDPRIVATEKEY);
dst_key_free(&key);
- dns_test_end();
+ }
diff --git a/lib/isc-pkcs11/tests/Makefile.in b/lib/isc-pkcs11/tests/Makefile.in
-index add8068..a928dcf 100644
+index 2fdee0b..a263b35 100644
--- a/lib/isc-pkcs11/tests/Makefile.in
+++ b/lib/isc-pkcs11/tests/Makefile.in
-@@ -20,10 +20,10 @@ VERSION=@BIND9_VERSION@
+@@ -16,10 +16,10 @@ VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@
CINCLUDES = -I. -Iinclude ${ISC_INCLUDES} @ISC_OPENSSL_INC@
-CDEFINES = @CRYPTO@ -DTESTS="\"${top_builddir}/lib/isc/tests/\""
-+CDEFINES = @CRYPTO@
-DTESTS="\"${top_builddir}/lib/isc-pkcs11/tests/\""
++CDEFINES = @CRYPTO_PK11@
-DTESTS="\"${top_builddir}/lib/isc-pkcs11/tests/\""
-ISCLIBS = ../libisc.@A@ @ISC_OPENSSL_LIBS@
-ISCDEPLIBS = ../libisc.@A@
+ISCLIBS = ../libisc-pkcs11.@A@ @ISC_OPENSSL_LIBS@
+ISCDEPLIBS = ../libisc-pkcs11.@A@
- LIBS = @LIBS@ @ATFLIBS@
-
+ LIBS = @LIBS@ @CMOCKA_LIBS@
+ CFLAGS = @CFLAGS@ @CMOCKA_CFLAGS@
diff --git a/lib/isc-pkcs11/tests/hash_test.c b/lib/isc-pkcs11/tests/hash_test.c
-index 7eb1552..048ae9d 100644
+index 9c4d299..d9deba2 100644
--- a/lib/isc-pkcs11/tests/hash_test.c
+++ b/lib/isc-pkcs11/tests/hash_test.c
-@@ -78,7 +78,7 @@ typedef struct hash_testcase {
+@@ -85,7 +85,7 @@ typedef struct hash_testcase {
typedef struct hash_test_key {
const char *key;
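Review bot: `assert_true(result == DST_R_COMPUTESECRETFAILURE || result == DST_R_INVALIDPRIVATEKEY);` in dh_computesecret reports only the expression text on failure, so the result code actually returned is lost, unlike the `assert_int_equal` it replaces. Writing it as `if (result != DST_R_INVALIDPRIVATEKEY) assert_int_equal(result, DST_R_COMPUTESECRETFAILURE);` accepts the same two codes and still prints the unexpected value. The comment could also say which build returns which code, for example `/* native crypto: COMPUTESECRETFAILURE; PKCS#11: INVALIDPRIVATEKEY */`, if that mapping is confirmed. The rest of the test body lies outside the hunk.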
@@ -123,7 +109,7 @@ index 7eb1552..048ae9d 100644
} hash_test_key_t;
/* non-hmac tests */
-@@ -961,8 +961,11 @@ ATF_TC_BODY(isc_hmacsha1, tc) {
+@@ -956,8 +956,11 @@ isc_hmacsha1_test(void **state) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
@@ -136,7 +122,7 @@ index 7eb1552..048ae9d 100644
isc_hmacsha1_update(&hmacsha1,
(const uint8_t *) testcase->input,
testcase->input_len);
-@@ -1124,8 +1127,11 @@ ATF_TC_BODY(isc_hmacsha224, tc) {
+@@ -1116,8 +1119,11 @@ isc_hmacsha224_test(void **state) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
@@ -149,7 +135,7 @@ index 7eb1552..048ae9d 100644
isc_hmacsha224_update(&hmacsha224,
(const uint8_t *) testcase->input,
testcase->input_len);
-@@ -1287,8 +1293,11 @@ ATF_TC_BODY(isc_hmacsha256, tc) {
+@@ -1277,8 +1283,11 @@ isc_hmacsha256_test(void **state) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
@@ -162,7 +148,7 @@ index 7eb1552..048ae9d 100644
isc_hmacsha256_update(&hmacsha256,
(const uint8_t *) testcase->input,
testcase->input_len);
-@@ -1456,8 +1465,11 @@ ATF_TC_BODY(isc_hmacsha384, tc) {
+@@ -1444,8 +1453,11 @@ isc_hmacsha384_test(void **state) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
@@ -175,7 +161,7 @@ index 7eb1552..048ae9d 100644
isc_hmacsha384_update(&hmacsha384,
(const uint8_t *) testcase->input,
testcase->input_len);
-@@ -1625,8 +1637,11 @@ ATF_TC_BODY(isc_hmacsha512, tc) {
+@@ -1611,8 +1623,11 @@ isc_hmacsha512_test(void **state) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
@@ -188,7 +174,7 @@ index 7eb1552..048ae9d 100644
isc_hmacsha512_update(&hmacsha512,
(const uint8_t *) testcase->input,
testcase->input_len);
-@@ -1769,8 +1784,11 @@ ATF_TC_BODY(isc_hmacmd5, tc) {
+@@ -1755,8 +1770,11 @@ isc_hmacmd5_test(void **state) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
@@ -202,5 +188,5 @@ index 7eb1552..048ae9d 100644
(const uint8_t *) testcase->input,
testcase->input_len);
--
-2.14.4
+2.20.1
diff --git a/bind-9.11-kyua.patch b/bind-9.11-kyua.patch
deleted file mode 100644
index af37219..0000000
--- a/bind-9.11-kyua.patch
+++ /dev/null
@@ -1,209 +0,0 @@
-From b93950dff6b3bf02225ad64d7c3e02e6b04917fd Mon Sep 17 00:00:00 2001
-From: Tinderbox User <tbox(a)isc.org>
-Date: Fri, 29 Dec 2017 02:23:11 +0000
-Subject: [PATCH] regen v9_11
-
----
- Kyuafile | 4 ++++
- lib/Kyuafile | 8 ++++++++
- lib/dns/Kyuafile | 4 ++++
- lib/dns/tests/Kyuafile | 30 ++++++++++++++++++++++++++++++
- lib/irs/Kyuafile | 4 ++++
- lib/irs/tests/Kyuafile | 4 ++++
- lib/isc/Kyuafile | 4 ++++
- lib/isc/tests/Kyuafile | 28 ++++++++++++++++++++++++++++
- lib/isccfg/Kyuafile | 4 ++++
- lib/isccfg/tests/Kyuafile | 4 ++++
- lib/lwres/Kyuafile | 4 ++++
- lib/lwres/tests/Kyuafile | 4 ++++
- 12 files changed, 102 insertions(+)
- create mode 100644 Kyuafile
- create mode 100644 lib/Kyuafile
- create mode 100644 lib/dns/Kyuafile
- create mode 100644 lib/dns/tests/Kyuafile
- create mode 100644 lib/irs/Kyuafile
- create mode 100644 lib/irs/tests/Kyuafile
- create mode 100644 lib/isc/Kyuafile
- create mode 100644 lib/isc/tests/Kyuafile
- create mode 100644 lib/isccfg/Kyuafile
- create mode 100644 lib/isccfg/tests/Kyuafile
- create mode 100644 lib/lwres/Kyuafile
- create mode 100644 lib/lwres/tests/Kyuafile
-
-diff --git a/Kyuafile b/Kyuafile
-new file mode 100644
-index 0000000..70b2cff
---- /dev/null
-+++ b/Kyuafile
-@@ -0,0 +1,4 @@
-+syntax(2)
-+test_suite('bind9')
-+
-+include('lib/Kyuafile')
-diff --git a/lib/Kyuafile b/lib/Kyuafile
-new file mode 100644
-index 0000000..ff9fc56
---- /dev/null
-+++ b/lib/Kyuafile
-@@ -0,0 +1,8 @@
-+syntax(2)
-+test_suite('bind9')
-+
-+include('dns/Kyuafile')
-+include('irs/Kyuafile')
-+include('isc/Kyuafile')
-+include('isccfg/Kyuafile')
-+include('lwres/Kyuafile')
-diff --git a/lib/dns/Kyuafile b/lib/dns/Kyuafile
-new file mode 100644
-index 0000000..0739e3a
---- /dev/null
-+++ b/lib/dns/Kyuafile
-@@ -0,0 +1,4 @@
-+syntax(2)
-+test_suite('bind9')
-+
-+include('tests/Kyuafile')
-diff --git a/lib/dns/tests/Kyuafile b/lib/dns/tests/Kyuafile
-new file mode 100644
-index 0000000..72a581b
---- /dev/null
-+++ b/lib/dns/tests/Kyuafile
-@@ -0,0 +1,30 @@
-+syntax(2)
-+test_suite('bind9')
-+
-+atf_test_program{name='acl_test'}
-+atf_test_program{name='db_test'}
-+atf_test_program{name='dbdiff_test'}
-+atf_test_program{name='dbiterator_test'}
-+atf_test_program{name='dbversion_test'}
-+atf_test_program{name='dh_test'}
-+atf_test_program{name='dispatch_test'}
-+atf_test_program{name='dnstap_test'}
-+atf_test_program{name='geoip_test'}
-+atf_test_program{name='gost_test'}
-+atf_test_program{name='keytable_test'}
-+atf_test_program{name='master_test'}
-+atf_test_program{name='name_test'}
-+atf_test_program{name='nsec3_test'}
-+atf_test_program{name='peer_test'}
-+atf_test_program{name='private_test'}
-+atf_test_program{name='rbt_serialize_test'}
-+atf_test_program{name='rbt_test'}
-+atf_test_program{name='rdata_test'}
-+atf_test_program{name='rdataset_test'}
-+atf_test_program{name='rdatasetstats_test'}
-+atf_test_program{name='rsa_test'}
-+atf_test_program{name='time_test'}
-+atf_test_program{name='tsig_test'}
-+atf_test_program{name='update_test'}
-+atf_test_program{name='zonemgr_test'}
-+atf_test_program{name='zt_test'}
-diff --git a/lib/irs/Kyuafile b/lib/irs/Kyuafile
-new file mode 100644
-index 0000000..0739e3a
---- /dev/null
-+++ b/lib/irs/Kyuafile
-@@ -0,0 +1,4 @@
-+syntax(2)
-+test_suite('bind9')
-+
-+include('tests/Kyuafile')
-diff --git a/lib/irs/tests/Kyuafile b/lib/irs/tests/Kyuafile
-new file mode 100644
-index 0000000..4ef7136
---- /dev/null
-+++ b/lib/irs/tests/Kyuafile
-@@ -0,0 +1,4 @@
-+syntax(2)
-+test_suite('bind9')
-+
-+atf_test_program{name='resconf_test'}
-diff --git a/lib/isc/Kyuafile b/lib/isc/Kyuafile
-new file mode 100644
-index 0000000..0739e3a
---- /dev/null
-+++ b/lib/isc/Kyuafile
-@@ -0,0 +1,4 @@
-+syntax(2)
-+test_suite('bind9')
-+
-+include('tests/Kyuafile')
-diff --git a/lib/isc/tests/Kyuafile b/lib/isc/tests/Kyuafile
-new file mode 100644
-index 0000000..c558cbc
---- /dev/null
-+++ b/lib/isc/tests/Kyuafile
-@@ -0,0 +1,28 @@
-+syntax(2)
-+test_suite('bind9')
-+
-+atf_test_program{name='aes_test'}
-+atf_test_program{name='buffer_test'}
-+atf_test_program{name='counter_test'}
-+atf_test_program{name='errno_test'}
-+atf_test_program{name='file_test'}
-+atf_test_program{name='hash_test'}
-+atf_test_program{name='ht_test'}
-+atf_test_program{name='lex_test'}
-+atf_test_program{name='mem_test'}
-+atf_test_program{name='netaddr_test'}
-+atf_test_program{name='parse_test'}
-+atf_test_program{name='pool_test'}
-+atf_test_program{name='print_test'}
-+atf_test_program{name='queue_test'}
-+atf_test_program{name='radix_test'}
-+atf_test_program{name='random_test'}
-+atf_test_program{name='regex_test'}
-+atf_test_program{name='result_test'}
-+atf_test_program{name='safe_test'}
-+atf_test_program{name='sockaddr_test'}
-+atf_test_program{name='socket_test'}
-+atf_test_program{name='symtab_test'}
-+atf_test_program{name='task_test'}
-+atf_test_program{name='taskpool_test'}
-+atf_test_program{name='time_test'}
-diff --git a/lib/isccfg/Kyuafile b/lib/isccfg/Kyuafile
-new file mode 100644
-index 0000000..0739e3a
---- /dev/null
-+++ b/lib/isccfg/Kyuafile
-@@ -0,0 +1,4 @@
-+syntax(2)
-+test_suite('bind9')
-+
-+include('tests/Kyuafile')
-diff --git a/lib/isccfg/tests/Kyuafile b/lib/isccfg/tests/Kyuafile
-new file mode 100644
-index 0000000..342d25f
---- /dev/null
-+++ b/lib/isccfg/tests/Kyuafile
-@@ -0,0 +1,4 @@
-+syntax(2)
-+test_suite('bind9')
-+
-+atf_test_program{name='parser_test'}
-diff --git a/lib/lwres/Kyuafile b/lib/lwres/Kyuafile
-new file mode 100644
-index 0000000..0739e3a
---- /dev/null
-+++ b/lib/lwres/Kyuafile
-@@ -0,0 +1,4 @@
-+syntax(2)
-+test_suite('bind9')
-+
-+include('tests/Kyuafile')
-diff --git a/lib/lwres/tests/Kyuafile b/lib/lwres/tests/Kyuafile
-new file mode 100644
-index 0000000..6d373e8
---- /dev/null
-+++ b/lib/lwres/tests/Kyuafile
-@@ -0,0 +1,4 @@
-+syntax(2)
-+test_suite('bind9')
-+
-+atf_test_program{name='config_test'}
---
-2.9.5
-
diff --git a/bind-9.11-rh1410433.patch b/bind-9.11-rh1410433.patch
index b7fdc48..d307620 100644
--- a/bind-9.11-rh1410433.patch
+++ b/bind-9.11-rh1410433.patch
@@ -1,14 +1,16 @@
diff --git a/lib/dns/dyndb.c b/lib/dns/dyndb.c
-index 0ce5e42..556d920 100644
+index 15561ce..e4449b0 100644
--- a/lib/dns/dyndb.c
+++ b/lib/dns/dyndb.c
-@@ -130,9 +130,6 @@ load_library(isc_mem_t *mctx, const char *filename, const char
*instname,
+@@ -133,8 +133,11 @@ load_library(isc_mem_t *mctx, const char *filename, const char
*instname,
instname, filename);
flags = RTLD_NOW|RTLD_LOCAL;
--#ifdef RTLD_DEEPBIND
-- flags |= RTLD_DEEPBIND;
--#endif
++#if 0
++ /* Shared global namespace is required for dns-pkcs11 library */
+ #if defined(RTLD_DEEPBIND) && !__SANITIZE_ADDRESS__
+ flags |= RTLD_DEEPBIND;
++#endif
+ #endif
handle = dlopen(filename, flags);
- if (handle == NULL)
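Review bot: The refreshed patch turns off `RTLD_DEEPBIND` in load_library() by wrapping the upstream block in `#if 0`, and the only rationale given is the one-line comment about dns-pkcs11. Without the flag, a dyndb module's symbol references are resolved in the global scope before the module's own dependencies. That appears to be the intent, but it also means any same-named symbol already loaded in the process takes precedence over the copy the module was linked against. I would expand the comment to say so, e.g. `/* RTLD_DEEPBIND disabled downstream: modules must resolve libdns symbols from the host process (dns-pkcs11 build), see rh1410433 */`, so the nested `#if`/`#endif` pair is not mistaken for leftover debugging and is re-checked when upstream changes the condition. load_library() starts and ends outside the hunk.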
diff --git a/bind-9.11-rh1624100.patch b/bind-9.11-rh1624100.patch
index b17a6ca..00030cc 100644
--- a/bind-9.11-rh1624100.patch
+++ b/bind-9.11-rh1624100.patch
@@ -1,4 +1,4 @@
-From 4fc49ad102fd00343665273caf4349d4edb5e5ac Mon Sep 17 00:00:00 2001
+From 292a0ca28f2e8a49f8c7e62c39ad7160234ce23d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej(a)sury.org>
Date: Wed, 25 Apr 2018 14:04:31 +0200
Subject: [PATCH] Replace isc_safe routines with their OpenSSL counter parts
@@ -14,13 +14,13 @@ Fix the isc_safe_memwipe() usage with (NULL, >0)
(cherry picked from commit 083461d3329ff6f2410745848a926090586a9846)
---
bin/dnssec/dnssec-signzone.c | 2 +-
- lib/dns/nsec3.c | 4 +--
- lib/dns/spnego.c | 4 +--
- lib/isc/Makefile.in | 8 ++---
- lib/isc/include/isc/safe.h | 18 +++-------
- lib/isc/safe.c | 83 --------------------------------------------
- lib/isc/tests/safe_test.c | 20 -----------
- 7 files changed, 11 insertions(+), 128 deletions(-)
+ lib/dns/nsec3.c | 4 +-
+ lib/dns/spnego.c | 4 +-
+ lib/isc/Makefile.in | 8 +---
+ lib/isc/include/isc/safe.h | 18 ++------
+ lib/isc/safe.c | 83 ------------------------------------
+ lib/isc/tests/safe_test.c | 18 --------
+ 7 files changed, 11 insertions(+), 126 deletions(-)
delete mode 100644 lib/isc/safe.c
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
@@ -37,10 +37,10 @@ index 6ddaebe..d921870 100644
static void
diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c
-index e127893..895519e 100644
+index 6ae7ca8..01426d6 100644
--- a/lib/dns/nsec3.c
+++ b/lib/dns/nsec3.c
-@@ -1953,7 +1953,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name,
+@@ -1963,7 +1963,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name,
* Work out what this NSEC3 covers.
* Inside (<0) or outside (>=0).
*/
@@ -49,7 +49,7 @@ index e127893..895519e 100644
/*
* Prepare to compute all the hashes.
-@@ -1977,7 +1977,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name,
+@@ -1987,7 +1987,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name,
return (ISC_R_IGNORE);
}
@@ -241,35 +241,33 @@ index 7a464b6..0000000
-#endif
-}
diff --git a/lib/isc/tests/safe_test.c b/lib/isc/tests/safe_test.c
-index f721cd1..ea3e61f 100644
+index 5775b6e..3451b5d 100644
--- a/lib/isc/tests/safe_test.c
+++ b/lib/isc/tests/safe_test.c
-@@ -39,24 +39,6 @@ ATF_TC_BODY(isc_safe_memequal, tc) {
- "\x00\x00\x00\x00", 4));
+@@ -44,22 +44,6 @@ isc_safe_memequal_test(void **state) {
+ "\x00\x00\x00\x00", 4));
}
--ATF_TC(isc_safe_memcompare);
--ATF_TC_HEAD(isc_safe_memcompare, tc) {
-- atf_tc_set_md_var(tc, "descr", "safe memcompare()");
--}
--ATF_TC_BODY(isc_safe_memcompare, tc) {
-- UNUSED(tc);
+-/* test isc_safe_memcompare() */
+-static void
+-isc_safe_memcompare_test(void **state) {
+- UNUSED(state);
-
-- ATF_CHECK(isc_safe_memcompare("test", "test", 4) == 0);
-- ATF_CHECK(isc_safe_memcompare("test", "tesc", 4) > 0);
-- ATF_CHECK(isc_safe_memcompare("test", "tesy", 4) < 0);
-- ATF_CHECK(isc_safe_memcompare("\x00\x00\x00\x00",
-- "\x00\x00\x00\x00", 4) == 0);
-- ATF_CHECK(isc_safe_memcompare("\x00\x00\x00\x00",
-- "\x00\x00\x00\x01", 4) < 0);
-- ATF_CHECK(isc_safe_memcompare("\x00\x00\x00\x02",
-- "\x00\x00\x00\x00", 4) > 0);
+- assert_int_equal(isc_safe_memcompare("test", "test", 4), 0);
+- assert_true(isc_safe_memcompare("test", "tesc", 4) > 0);
+- assert_true(isc_safe_memcompare("test", "tesy", 4) < 0);
+- assert_int_equal(isc_safe_memcompare("\x00\x00\x00\x00",
+- "\x00\x00\x00\x00", 4), 0);
+- assert_true(isc_safe_memcompare("\x00\x00\x00\x00",
+- "\x00\x00\x00\x01", 4) < 0);
+- assert_true(isc_safe_memcompare("\x00\x00\x00\x02",
+- "\x00\x00\x00\x00", 4) > 0);
-}
-
- ATF_TC(isc_safe_memwipe);
- ATF_TC_HEAD(isc_safe_memwipe, tc) {
- atf_tc_set_md_var(tc, "descr", "isc_safe_memwipe()");
-@@ -67,7 +49,6 @@ ATF_TC_BODY(isc_safe_memwipe, tc) {
+ /* test isc_safe_memwipe() */
+ static void
+ isc_safe_memwipe_test(void **state) {
+@@ -68,7 +52,6 @@ isc_safe_memwipe_test(void **state) {
/* These should pass. */
isc_safe_memwipe(NULL, 0);
isc_safe_memwipe((void *) -1, 0);
@@ -277,14 +275,14 @@ index f721cd1..ea3e61f 100644
/*
* isc_safe_memwipe(ptr, size) should function same as
-@@ -106,7 +87,6 @@ ATF_TC_BODY(isc_safe_memwipe, tc) {
- */
- ATF_TP_ADD_TCS(tp) {
- ATF_TP_ADD_TC(tp, isc_safe_memequal);
-- ATF_TP_ADD_TC(tp, isc_safe_memcompare);
- ATF_TP_ADD_TC(tp, isc_safe_memwipe);
- return (atf_no_error());
- }
+@@ -107,7 +90,6 @@ main(void) {
+ const struct CMUnitTest tests[] = {
+ cmocka_unit_test(isc_safe_memequal_test),
+ cmocka_unit_test(isc_safe_memwipe_test),
+- cmocka_unit_test(isc_safe_memcompare_test),
+ };
+
+ return (cmocka_run_group_tests(tests, NULL, NULL));
--
-2.14.4
+2.20.1
diff --git a/bind-9.11-rh1647829-2.patch b/bind-9.11-rh1647829-2.patch
index bb8b3e9..98612bf 100644
--- a/bind-9.11-rh1647829-2.patch
+++ b/bind-9.11-rh1647829-2.patch
@@ -1,28 +1,86 @@
-From 58e1af6ca75d035b6391708be2c2272bb8d04620 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej(a)sury.org>
-Date: Sun, 4 Nov 2018 02:20:41 +0700
-Subject: [PATCH] Enable IDN processing (both idnin and idnout) only on tty,
- disable it when the stdout is not a tty
-
-(cherry picked from commit 0e1bf7d017e4f6d787cbeb72cc2aa74e7f30122e)
-(cherry picked from commit 8e1cc95c943b7dfaaaaf2d9a4971861735cc3fb2)
+From fdfc8ad6a1069eea6b012972c972798003d58312 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik(a)redhat.com>
+Date: Tue, 29 Jan 2019 18:07:44 +0100
+Subject: [PATCH] Fallback to ASCII on output IDN conversion error
+
+It is possible dig used ACE encoded name in locale, which does not
+support converting it to unicode. Instead of fatal error, fallback to
+ACE name on output.
+
+(cherry picked from commit 7f4cb8f9584597fea16de6557124ac8b1bd47440)
+
+Modify idna test to fallback to ACE
+
+Test valid A-label on input would be displayed as A-label on output if
+locale does not allow U-label.
+
+(cherry picked from commit 4ce232f8605bdbe0594ebe5a71383c9d4e6f263b)
+
+Emit warning on IDN output failure
+
+Warning is emitted before any dig headers.
+
+(cherry picked from commit 4b410038c531fbb902cd5fb83174eed1f06cb7d7)
---
- bin/dig/dighost.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
+ bin/dig/dighost.c | 15 +++++++++++++--
+ bin/tests/system/idna/tests.sh | 17 +++++++++++++++++
+ 2 files changed, 30 insertions(+), 2 deletions(-)
diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
-index 74791d671e..3b722ba0ff 100644
+index 73aaab8..375f99f 100644
--- a/bin/dig/dighost.c
+++ b/bin/dig/dighost.c
-@@ -825,7 +825,7 @@ make_empty_lookup(void) {
- looknew->seenbadcookie = false;
- looknew->badcookie = true;
- #ifdef WITH_IDN_SUPPORT
-- looknew->idnin = (getenv("IDN_DISABLE") == NULL);
-+ looknew->idnin = isatty(1)?(getenv("IDN_DISABLE") == NULL):false;
- if (looknew->idnin) {
- const char *charset = getenv("CHARSET");
- if (charset && !strcmp(charset, "ASCII"))
+@@ -4877,9 +4877,20 @@ idn_ace_to_locale(const char *from, char *to, size_t tolen) {
+ */
+ res = idn2_to_unicode_8zlz(utf8_src, &tmp_str, 0);
+ if (res != IDN2_OK) {
+- fatal("Cannot represent '%s' in the current locale (%s), "
+- "use +noidnout or a different locale",
++ static bool warned = false;
++
++ res = idn2_to_ascii_8z(utf8_src, &tmp_str, 0);
++ if (res != IDN2_OK) {
++ fatal("Cannot represent '%s' "
++ "in the current locale nor ascii (%s), "
++ "use +noidnout or a different locale",
+ from, idn2_strerror(res));
++ } else if (!warned) {
++ fprintf(stderr, ";; Warning: cannot represent '%s' "
++ "in the current locale",
++ tmp_str);
++ warned = true;
++ }
+ }
+
+ /*
+diff --git a/bin/tests/system/idna/tests.sh b/bin/tests/system/idna/tests.sh
+index 7acb0fa..0269bcd 100644
+--- a/bin/tests/system/idna/tests.sh
++++ b/bin/tests/system/idna/tests.sh
+@@ -244,6 +244,23 @@ idna_enabled_test() {
+ idna_test "$text" "+idnin +noidnout"
"xn--nxasmq6b.com" "xn--nxasmq6b.com."
+ idna_test "$text" "+idnin +idnout"
"xn--nxasmq6b.com" ".com."
+
++ # Test of valid A-label in locale that cannot display it
++ #
++ # +noidnout: The string is sent as-is to the server and the returned qname
++ # is displayed in the same form.
++ # +idnout: The string is sent as-is to the server and the returned qname
++ # is displayed as the corresponding A-label.
++ #
++ # The "+[no]idnout" flag has no effect in these cases.
++ text="Checking valid A-label in C locale"
++ label="xn--nxasmq6b.com"
++ LC_ALL=C idna_test "$text" ""
"$label" "$label."
++ LC_ALL=C idna_test "$text" "+noidnin +noidnout"
"$label" "$label."
++ LC_ALL=C idna_test "$text" "+noidnin +idnout"
"$label" "$label."
++ LC_ALL=C idna_test "$text" "+idnin +noidnout"
"$label" "$label."
++ LC_ALL=C idna_test "$text" "+idnin +idnout"
"$label" "$label."
++ LC_ALL=C idna_test "$text" "+noidnin +idnout"
"$label" "$label."
++
+
+
+ # Tests of invalid A-labels
--
2.20.1
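Review bot: The warning added in idn_ace_to_locale() is printed without a trailing newline: as shown, the format string ends at `"in the current locale"`, so whatever dig writes to stderr next continues on the same line. Ending the literal with `"in the current locale\n"` fixes that. The `static bool warned` flag also means only the first name that fails conversion is ever reported, which deserves a short comment such as `/* warn once per process; later names fall back to ACE silently */`. In the new tests.sh cases, `LC_ALL=C idna_test ...` puts an assignment in front of a shell function call; whether that assignment is exported to the commands the function runs, and whether it persists afterwards, differs between shells, so it should be confirmed against the shell the system tests run under. idn_ace_to_locale() continues outside the hunk.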
diff --git a/bind-9.11-rt31459.patch b/bind-9.11-rt31459.patch
index 06847bf..e24aa8d 100644
--- a/bind-9.11-rt31459.patch
+++ b/bind-9.11-rt31459.patch
@@ -1,4 +1,4 @@
-From 45209f5153693339c4582795714b6859693673fc Mon Sep 17 00:00:00 2001
+From 99fc89de7b96713a7c82ea9b98d5bc0c70ad1f6e Mon Sep 17 00:00:00 2001
From: Evan Hunt <each(a)isc.org>
Date: Tue, 12 Sep 2017 19:05:46 -0700
Subject: [PATCH] rebased rt31459c
@@ -22,27 +22,25 @@ Include new unit test
bin/dnssec/dnssec-verify.c | 8 +-
bin/dnssec/dnssectool.c | 11 +-
bin/named/server.c | 6 +
- bin/nsupdate/nsupdate.c | 18 ++-
+ bin/nsupdate/nsupdate.c | 18 +-
bin/tests/makejournal.c | 6 +-
- bin/tests/system/pipelined/pipequeries.c | 21 ++-
+ bin/tests/system/pipelined/pipequeries.c | 21 +-
bin/tests/system/pipelined/tests.sh | 4 +-
bin/tests/system/rsabigexponent/bigkey.c | 4 +
- bin/tests/system/tkey/keycreate.c | 26 +++-
- bin/tests/system/tkey/keydelete.c | 26 +++-
+ bin/tests/system/tkey/keycreate.c | 26 ++-
+ bin/tests/system/tkey/keydelete.c | 26 ++-
bin/tests/system/tkey/tests.sh | 8 +-
bin/tools/mdig.c | 3 +-
- configure | 250 ++++++++++++++++++-------------
- configure.in | 77 +++++++++-
- lib/dns/dst_api.c | 21 ++-
+ configure | 250 +++++++++++++----------
+ configure.ac | 77 ++++++-
+ lib/dns/dst_api.c | 21 +-
lib/dns/include/dst/dst.h | 8 +
lib/dns/lib.c | 15 +-
- lib/dns/openssl_link.c | 72 ++++++++-
- lib/dns/pkcs11.c | 29 +++-
- lib/dns/tests/Atffile | 1 +
+ lib/dns/openssl_link.c | 72 ++++++-
+ lib/dns/pkcs11.c | 29 ++-
lib/dns/tests/Kyuafile | 1 +
lib/dns/tests/Makefile.in | 7 +
- lib/dns/tests/dnstest.c | 14 +-
- lib/dns/tests/dstrandom_test.c | 99 ++++++++++++
+ lib/dns/tests/dstrandom_test.c | 115 +++++++++++
lib/dns/win32/libdns.def.in | 7 +
lib/isc/entropy.c | 24 +++
lib/isc/include/isc/entropy.h | 12 ++
@@ -50,8 +48,8 @@ Include new unit test
lib/isc/include/isc/types.h | 2 +
lib/isc/pk11.c | 12 +-
lib/isc/win32/include/isc/platform.h.in | 5 +
- win32utils/Configure | 29 +++-
- 38 files changed, 699 insertions(+), 182 deletions(-)
+ win32utils/Configure | 29 ++-
+ 36 files changed, 707 insertions(+), 175 deletions(-)
create mode 100644 lib/dns/tests/dstrandom_test.c
diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c
@@ -73,10 +71,10 @@ index 5015abb..295e16f 100644
&entropy_source,
randomfile,
diff --git a/bin/dnssec/dnssec-dsfromkey.c b/bin/dnssec/dnssec-dsfromkey.c
-index 65fdaaa..6612189 100644
+index 931d5de..864f2ad 100644
--- a/bin/dnssec/dnssec-dsfromkey.c
+++ b/bin/dnssec/dnssec-dsfromkey.c
-@@ -497,14 +497,14 @@ main(int argc, char **argv) {
+@@ -494,14 +494,14 @@ main(int argc, char **argv) {
if (ectx == NULL)
setup_entropy(mctx, NULL, &ectx);
@@ -94,7 +92,7 @@ index 65fdaaa..6612189 100644
isc_entropy_stopcallbacksources(ectx);
setup_logging(mctx, &log);
-@@ -566,8 +566,8 @@ main(int argc, char **argv) {
+@@ -563,8 +563,8 @@ main(int argc, char **argv) {
if (dns_rdataset_isassociated(&rdataset))
dns_rdataset_disassociate(&rdataset);
cleanup_logging(&log);
@@ -137,7 +135,7 @@ index 0d1e7f8..79c4d74 100644
dns_name_destroy();
if (verbose > 10)
diff --git a/bin/dnssec/dnssec-revoke.c b/bin/dnssec/dnssec-revoke.c
-index 1a2b545..e33cb8b 100644
+index 7d82dbf..10f9359 100644
--- a/bin/dnssec/dnssec-revoke.c
+++ b/bin/dnssec/dnssec-revoke.c
@@ -184,14 +184,14 @@ main(int argc, char **argv) {
@@ -295,7 +293,7 @@ index fbc7ece..31a99e7 100644
usekeyboard);
diff --git a/bin/named/server.c b/bin/named/server.c
-index 7f87ccf..9258e7f 100644
+index b63a386..30e7eac 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -36,6 +36,7 @@
@@ -306,7 +304,7 @@ index 7f87ccf..9258e7f 100644
#include <isc/portset.h>
#include <isc/print.h>
#include <isc/random.h>
-@@ -8171,6 +8172,10 @@ load_configuration(const char *filename, ns_server_t *server,
+@@ -8210,6 +8211,10 @@ load_configuration(const char *filename, ns_server_t *server,
"no source of entropy found");
} else {
const char *randomdev = cfg_obj_asstring(obj);
@@ -317,7 +315,7 @@ index 7f87ccf..9258e7f 100644
int level = ISC_LOG_ERROR;
result = isc_entropy_createfilesource(ns_g_entropy,
randomdev);
-@@ -8205,6 +8210,7 @@ load_configuration(const char *filename, ns_server_t *server,
+@@ -8244,6 +8249,7 @@ load_configuration(const char *filename, ns_server_t *server,
}
isc_entropy_detach(&ns_g_fallbackentropy);
}
@@ -326,7 +324,7 @@ index 7f87ccf..9258e7f 100644
}
}
diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
-index 5eefc57..1559a33 100644
+index 509784c..6d7a02e 100644
--- a/bin/nsupdate/nsupdate.c
+++ b/bin/nsupdate/nsupdate.c
@@ -35,6 +35,7 @@
@@ -469,7 +467,7 @@ index 2fcc064..7b4f617 100644
isc_log_destroy(&lctx);
diff --git a/bin/tests/system/pipelined/tests.sh b/bin/tests/system/pipelined/tests.sh
-index a6720ce..9063b1f 100644
+index 61f1ff7..ed1302a 100644
--- a/bin/tests/system/pipelined/tests.sh
+++ b/bin/tests/system/pipelined/tests.sh
@@ -19,7 +19,7 @@ status=0
@@ -480,7 +478,7 @@ index a6720ce..9063b1f 100644
+$PIPEQUERIES -p ${PORT} -r $RANDFILE < input > raw || ret=1
awk '{ print $1 " " $5 }' < raw > output
sort < output > output-sorted
- diff ref output-sorted || { ret=1 ; echo_i "diff sorted failed"; }
+ $DIFF ref output-sorted || { ret=1 ; echo_i "diff sorted failed"; }
@@ -43,7 +43,7 @@ status=`expr $status + $ret`
echo_i "check keep-response-order"
@@ -488,7 +486,7 @@ index a6720ce..9063b1f 100644
-$PIPEQUERIES -p ${PORT} ++ < inputb > rawb || ret=1
+$PIPEQUERIES -p ${PORT} -r $RANDFILE ++ < inputb > rawb || ret=1
awk '{ print $1 " " $5 }' < rawb > outputb
- diff refb outputb || ret=1
+ $DIFF refb outputb || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
diff --git a/bin/tests/system/rsabigexponent/bigkey.c
b/bin/tests/system/rsabigexponent/bigkey.c
index 4462f2e..f06268d 100644
@@ -691,10 +689,10 @@ index 9f90dd7..fad6c83 100644
echo "I:failed"
status=`expr $status + $ret`
diff --git a/bin/tools/mdig.c b/bin/tools/mdig.c
-index 4876875..e46653a 100644
+index b27fc1d..e28871b 100644
--- a/bin/tools/mdig.c
+++ b/bin/tools/mdig.c
-@@ -1955,12 +1955,11 @@ main(int argc, char *argv[]) {
+@@ -1969,12 +1969,11 @@ main(int argc, char *argv[]) {
ectx = NULL;
RUNCHECK(isc_entropy_create(mctx, &ectx));
@@ -709,7 +707,7 @@ index 4876875..e46653a 100644
parse_args(false, argc, argv);
if (server == NULL)
diff --git a/configure b/configure
-index 4394755..2e0af33 100755
+index e425720..4f09c96 100755
--- a/configure
+++ b/configure
@@ -640,6 +640,7 @@ ac_includes_default="\
@@ -720,7 +718,7 @@ index 4394755..2e0af33 100755
BUILD_LIBS
BUILD_LDFLAGS
BUILD_CPPFLAGS
-@@ -823,6 +824,7 @@ XMLSTATS
+@@ -824,6 +825,7 @@ XMLSTATS
NZDTARGETS
NZDSRCS
NZD_TOOLS
@@ -728,7 +726,7 @@ index 4394755..2e0af33 100755
PKCS11_TEST
PKCS11_ED25519
PKCS11_GOST
-@@ -1035,6 +1037,7 @@ with_eddsa
+@@ -1039,6 +1041,7 @@ with_eddsa
with_aes
enable_openssl_hash
with_cc_alg
@@ -736,7 +734,7 @@ index 4394755..2e0af33 100755
with_lmdb
with_libxml2
with_libjson
-@@ -1728,6 +1731,7 @@ Optional Features:
+@@ -1735,6 +1738,7 @@ Optional Features:
--enable-threads enable multithreading
--enable-native-pkcs11 use native PKCS11 for all crypto [default=no]
--enable-openssl-hash use OpenSSL for hash functions [default=no]
@@ -744,7 +742,7 @@ index 4394755..2e0af33 100755
--enable-largefile 64-bit file support
--enable-backtrace log stack backtrace on abort [default=yes]
--enable-symtable use internal symbol table for backtrace
-@@ -16631,6 +16635,7 @@ case "$use_openssl" in
+@@ -16684,6 +16688,7 @@ case "$use_openssl" in
$as_echo "disabled because of native PKCS11" >&6; }
DST_OPENSSL_INC=""
CRYPTO="-DPKCS11CRYPTO"
@@ -752,7 +750,7 @@ index 4394755..2e0af33 100755
OPENSSLECDSALINKOBJS=""
OPENSSLECDSALINKSRCS=""
OPENSSLEDDSALINKOBJS=""
-@@ -16645,6 +16650,7 @@ $as_echo "disabled because of native PKCS11"
>&6; }
+@@ -16698,6 +16703,7 @@ $as_echo "disabled because of native PKCS11"
>&6; }
$as_echo "no" >&6; }
DST_OPENSSL_INC=""
CRYPTO=""
@@ -760,7 +758,7 @@ index 4394755..2e0af33 100755
OPENSSLECDSALINKOBJS=""
OPENSSLECDSALINKSRCS=""
OPENSSLEDDSALINKOBJS=""
-@@ -16657,6 +16663,7 @@ $as_echo "no" >&6; }
+@@ -16710,6 +16716,7 @@ $as_echo "no" >&6; }
auto)
DST_OPENSSL_INC=""
CRYPTO=""
@@ -768,7 +766,7 @@ index 4394755..2e0af33 100755
OPENSSLECDSALINKOBJS=""
OPENSSLECDSALINKSRCS=""
OPENSSLEDDSALINKOBJS=""
-@@ -16666,7 +16673,7 @@ $as_echo "no" >&6; }
+@@ -16719,7 +16726,7 @@ $as_echo "no" >&6; }
OPENSSLLINKOBJS=""
OPENSSLLINKSRCS=""
as_fn_error $? "OpenSSL was not found in any of $openssldirs; use
--with-openssl=/path
@@ -777,7 +775,7 @@ index 4394755..2e0af33 100755
;;
*)
if test "yes" = "$want_native_pkcs11"
-@@ -16697,6 +16704,7 @@ $as_echo "not found" >&6; }
+@@ -16750,6 +16757,7 @@ $as_echo "not found" >&6; }
as_fn_error $? "\"$use_openssl/include/openssl/opensslv.h\" not
found" "$LINENO" 5
fi
CRYPTO='-DOPENSSL'
@@ -785,7 +783,7 @@ index 4394755..2e0af33 100755
if test "/usr" = "$use_openssl"
then
DST_OPENSSL_INC=""
-@@ -17358,8 +17366,6 @@ fi
+@@ -17411,8 +17419,6 @@ fi
# Use OpenSSL for hash functions
#
@@ -794,7 +792,7 @@ index 4394755..2e0af33 100755
ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH"
case $want_openssl_hash in
yes)
-@@ -17728,6 +17734,86 @@ if test "rt" = "$have_clock_gt"; then
+@@ -17787,6 +17793,86 @@ if test "rt" = "$have_clock_gt"; then
LIBS="-lrt $LIBS"
fi
@@ -881,7 +879,7 @@ index 4394755..2e0af33 100755
#
# was --with-lmdb specified?
#
-@@ -19810,9 +19896,12 @@ _ACEOF
+@@ -19869,9 +19955,12 @@ _ACEOF
if ac_fn_c_try_compile "$LINENO"; then :
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: size_t for buflen; int for
flags" >&5
$as_echo "size_t for buflen; int for flags" >&6; }
@@ -896,7 +894,7 @@ index 4394755..2e0af33 100755
$as_echo "#define IRS_GETNAMEINFO_FLAGS_T int" >>confdefs.h
-@@ -21123,12 +21212,7 @@ ISC_PLATFORM_USEGCCASM="#undef
ISC_PLATFORM_USEGCCASM"
+@@ -21186,12 +21275,7 @@ ISC_PLATFORM_USEGCCASM="#undef
ISC_PLATFORM_USEGCCASM"
ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM"
ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM"
if test "yes" = "$use_atomic"; then
@@ -910,7 +908,7 @@ index 4394755..2e0af33 100755
# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects
# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'.
# This bug is HP SR number 8606223364.
-@@ -21161,6 +21245,11 @@ cat >>confdefs.h <<_ACEOF
+@@ -21224,6 +21308,11 @@ cat >>confdefs.h <<_ACEOF
_ACEOF
@@ -922,7 +920,7 @@ index 4394755..2e0af33 100755
if test $ac_cv_sizeof_void_p = 8; then
arch=x86_64
have_xaddq=yes
-@@ -21169,39 +21258,6 @@ _ACEOF
+@@ -21232,39 +21321,6 @@ _ACEOF
fi
;;
x86_64-*|amd64-*)
@@ -962,7 +960,7 @@ index 4394755..2e0af33 100755
if test $ac_cv_sizeof_void_p = 8; then
arch=x86_64
have_xaddq=yes
-@@ -21232,6 +21288,10 @@ $as_echo_n "checking architecture type for atomic
operations... " >&6; }
+@@ -21295,6 +21351,10 @@ $as_echo_n "checking architecture type for atomic
operations... " >&6; }
$as_echo "$arch" >&6; }
fi
@@ -973,7 +971,7 @@ index 4394755..2e0af33 100755
if test "yes" = "$have_atomic"; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking compiler support for inline
assembly code" >&5
$as_echo_n "checking compiler support for inline assembly code... "
>&6; }
-@@ -23519,6 +23579,30 @@ CFLAGS="$CFLAGS $SO_CFLAGS"
+@@ -23848,6 +23908,30 @@ CFLAGS="$CFLAGS $SO_CFLAGS"
#
dlzdir='${DLZ_DRIVER_DIR}'
@@ -1004,7 +1002,7 @@ index 4394755..2e0af33 100755
#
# Private autoconf macro to simplify configuring drivers:
#
-@@ -23849,11 +23933,11 @@ $as_echo "no" >&6; }
+@@ -24178,11 +24262,11 @@ $as_echo "no" >&6; }
$as_echo "using mysql with libs ${mysql_lib} and includes ${mysql_include}"
>&6; }
;;
*)
@@ -1019,7 +1017,7 @@ index 4394755..2e0af33 100755
fi
CONTRIB_DLZ="$CONTRIB_DLZ -DDLZ_MYSQL"
-@@ -23938,7 +24022,7 @@ $as_echo "" >&6; }
+@@ -24267,7 +24351,7 @@ $as_echo "" >&6; }
# Check other locations for includes.
# Order is important (sigh).
@@ -1028,7 +1026,7 @@ index 4394755..2e0af33 100755
# include a blank element first
for d in "" $bdb_incdirs
do
-@@ -23963,57 +24047,9 @@ $as_echo "" >&6; }
+@@ -24292,57 +24376,9 @@ $as_echo "" >&6; }
bdb_libnames="db53 db-5.3 db51 db-5.1 db48 db-4.8 db47 db-4.7 db46 db-4.6 db45
db-4.5 db44 db-4.4 db43 db-4.3 db42 db-4.2 db41 db-4.1 db"
for d in $bdb_libnames
do
@@ -1088,7 +1086,7 @@ index 4394755..2e0af33 100755
break
fi
done
-@@ -24172,10 +24208,10 @@ $as_echo "no" >&6; }
+@@ -24501,10 +24537,10 @@ $as_echo "no" >&6; }
DLZ_DRIVER_INCLUDES="$DLZ_DRIVER_INCLUDES -I$use_dlz_ldap/include"
DLZ_DRIVER_LDAP_INCLUDES="-I$use_dlz_ldap/include"
fi
@@ -1102,7 +1100,7 @@ index 4394755..2e0af33 100755
fi
-@@ -24261,11 +24297,11 @@ fi
+@@ -24590,11 +24626,11 @@ fi
odbcdirs="/usr /usr/local /usr/pkg"
for d in $odbcdirs
do
@@ -1116,7 +1114,7 @@ index 4394755..2e0af33 100755
break
fi
done
-@@ -24540,6 +24576,8 @@ DNS_CRYPTO_LIBS="$NEWFLAGS"
+@@ -24869,6 +24905,8 @@ DNS_CRYPTO_LIBS="$NEWFLAGS"
@@ -1125,7 +1123,7 @@ index 4394755..2e0af33 100755
#
# Commands to run at the end of config.status.
# Don't just put these into configure, it won't work right if somebody
-@@ -26930,6 +26968,8 @@ report() {
+@@ -27248,6 +27286,8 @@ report() {
echo " IPv6 support (--enable-ipv6)"
test "X$CRYPTO" = "X" -o "yes" =
"$want_native_pkcs11" || \
echo " OpenSSL cryptography/DNSSEC (--with-openssl)"
@@ -1134,16 +1132,16 @@ index 4394755..2e0af33 100755
test "X$PYTHON" = "X" || echo " Python tools
(--with-python)"
test "X$XMLSTATS" = "X" || echo " XML statistics
(--with-libxml2)"
test "X$JSONSTATS" = "X" || echo " JSON statistics
(--with-libjson)"
-@@ -26970,6 +27010,8 @@ report() {
+@@ -27288,6 +27328,8 @@ report() {
echo " Very verbose query trace logging (--enable-querytrace)"
- test "no" = "$atf" || echo " Automated Testing Framework
(--with-atf)"
+ test "no" = "$with_cmocka" || echo " CMocka Unit Testing
Framework (--with-cmocka)"
+ echo " Cryptographic library for DNSSEC: $CRYPTOLIB"
+
echo " Dynamically loadable zone (DLZ) drivers:"
test "no" = "$use_dlz_bdb" || \
echo " Berkeley DB (--with-dlz-bdb)"
-@@ -27017,6 +27059,8 @@ report() {
+@@ -27335,6 +27377,8 @@ report() {
echo " ECDSA algorithm support (--with-ecdsa)"
test "X$CRYPTO" = "X" -o "yes" =
"$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \
echo " EDDSA algorithm support (--with-eddsa)"
@@ -1152,11 +1150,11 @@ index 4394755..2e0af33 100755
test "yes" = "$enable_seccomp" || \
echo " Use libseccomp system call filtering (--enable-seccomp)"
-diff --git a/configure.in b/configure.in
-index b07895f..898b4ac 100644
---- a/configure.in
-+++ b/configure.in
-@@ -1542,6 +1542,7 @@ case "$use_openssl" in
+diff --git a/configure.ac b/configure.ac
+index 7c5ad51..fddc63a 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1503,6 +1503,7 @@ case "$use_openssl" in
AC_MSG_RESULT(disabled because of native PKCS11)
DST_OPENSSL_INC=""
CRYPTO="-DPKCS11CRYPTO"
@@ -1164,7 +1162,7 @@ index b07895f..898b4ac 100644
OPENSSLECDSALINKOBJS=""
OPENSSLECDSALINKSRCS=""
OPENSSLEDDSALINKOBJS=""
-@@ -1555,6 +1556,7 @@ case "$use_openssl" in
+@@ -1516,6 +1517,7 @@ case "$use_openssl" in
AC_MSG_RESULT(no)
DST_OPENSSL_INC=""
CRYPTO=""
@@ -1172,7 +1170,7 @@ index b07895f..898b4ac 100644
OPENSSLECDSALINKOBJS=""
OPENSSLECDSALINKSRCS=""
OPENSSLEDDSALINKOBJS=""
-@@ -1567,6 +1569,7 @@ case "$use_openssl" in
+@@ -1528,6 +1530,7 @@ case "$use_openssl" in
auto)
DST_OPENSSL_INC=""
CRYPTO=""
@@ -1180,7 +1178,7 @@ index b07895f..898b4ac 100644
OPENSSLECDSALINKOBJS=""
OPENSSLECDSALINKSRCS=""
OPENSSLEDDSALINKOBJS=""
-@@ -1577,7 +1580,7 @@ case "$use_openssl" in
+@@ -1538,7 +1541,7 @@ case "$use_openssl" in
OPENSSLLINKSRCS=""
AC_MSG_ERROR(
[OpenSSL was not found in any of $openssldirs; use --with-openssl=/path
@@ -1189,7 +1187,7 @@ index b07895f..898b4ac 100644
;;
*)
if test "yes" = "$want_native_pkcs11"
-@@ -1607,6 +1610,7 @@ If you don't want OpenSSL, use --without-openssl])
+@@ -1568,6 +1571,7 @@ If you don't want OpenSSL, use --without-openssl])
AC_MSG_ERROR(["$use_openssl/include/openssl/opensslv.h" not found])
fi
CRYPTO='-DOPENSSL'
@@ -1197,7 +1195,7 @@ index b07895f..898b4ac 100644
if test "/usr" = "$use_openssl"
then
DST_OPENSSL_INC=""
-@@ -2080,7 +2084,6 @@ fi
+@@ -2041,7 +2045,6 @@ fi
# Use OpenSSL for hash functions
#
@@ -1205,7 +1203,7 @@ index b07895f..898b4ac 100644
ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH"
case $want_openssl_hash in
yes)
-@@ -2347,6 +2350,67 @@ if test "rt" = "$have_clock_gt"; then
+@@ -2313,6 +2316,67 @@ if test "rt" = "$have_clock_gt"; then
LIBS="-lrt $LIBS"
fi
@@ -1273,7 +1271,7 @@ index b07895f..898b4ac 100644
#
# was --with-lmdb specified?
#
-@@ -4139,12 +4203,12 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM"
+@@ -4109,12 +4173,12 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM"
ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM"
ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM"
if test "yes" = "$use_atomic"; then
@@ -1287,7 +1285,7 @@ index b07895f..898b4ac 100644
if test $ac_cv_sizeof_void_p = 8; then
arch=x86_64
have_xaddq=yes
-@@ -4153,7 +4217,6 @@ if test "yes" = "$use_atomic"; then
+@@ -4123,7 +4187,6 @@ if test "yes" = "$use_atomic"; then
fi
;;
x86_64-*|amd64-*)
@@ -1295,7 +1293,7 @@ index b07895f..898b4ac 100644
if test $ac_cv_sizeof_void_p = 8; then
arch=x86_64
have_xaddq=yes
-@@ -5517,6 +5580,8 @@ report() {
+@@ -5541,6 +5604,8 @@ report() {
echo " IPv6 support (--enable-ipv6)"
test "X$CRYPTO" = "X" -o "yes" =
"$want_native_pkcs11" || \
echo " OpenSSL cryptography/DNSSEC (--with-openssl)"
@@ -1304,16 +1302,16 @@ index b07895f..898b4ac 100644
test "X$PYTHON" = "X" || echo " Python tools
(--with-python)"
test "X$XMLSTATS" = "X" || echo " XML statistics
(--with-libxml2)"
test "X$JSONSTATS" = "X" || echo " JSON statistics
(--with-libjson)"
-@@ -5557,6 +5622,8 @@ report() {
+@@ -5581,6 +5646,8 @@ report() {
echo " Very verbose query trace logging (--enable-querytrace)"
- test "no" = "$atf" || echo " Automated Testing Framework
(--with-atf)"
+ test "no" = "$with_cmocka" || echo " CMocka Unit Testing
Framework (--with-cmocka)"
+ echo " Cryptographic library for DNSSEC: $CRYPTOLIB"
+
echo " Dynamically loadable zone (DLZ) drivers:"
test "no" = "$use_dlz_bdb" || \
echo " Berkeley DB (--with-dlz-bdb)"
-@@ -5604,6 +5671,8 @@ report() {
+@@ -5628,6 +5695,8 @@ report() {
echo " ECDSA algorithm support (--with-ecdsa)"
test "X$CRYPTO" = "X" -o "yes" =
"$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \
echo " EDDSA algorithm support (--with-eddsa)"
@@ -1323,7 +1321,7 @@ index b07895f..898b4ac 100644
test "yes" = "$enable_seccomp" || \
echo " Use libseccomp system call filtering (--enable-seccomp)"
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
-index 5703f9c..afb4d80 100644
+index 320c0f8..b55ebe0 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -276,6 +276,12 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
@@ -1359,7 +1357,7 @@ index 5703f9c..afb4d80 100644
if (dst__memory_pool != NULL)
isc_mem_detach(&dst__memory_pool);
if (dst_entropy_pool != NULL)
-@@ -1998,13 +2012,17 @@ dst__entropy_getdata(void *buf, unsigned int len, bool pseudo) {
+@@ -2001,13 +2015,17 @@ dst__entropy_getdata(void *buf, unsigned int len, bool pseudo) {
flags &= ~ISC_ENTROPY_GOODONLY;
else
flags |= ISC_ENTROPY_BLOCKING;
@@ -1378,7 +1376,7 @@ index 5703f9c..afb4d80 100644
#ifdef GSSAPI
unsigned int flags = dst_entropy_flags;
isc_result_t ret;
-@@ -2027,6 +2045,7 @@ dst__entropy_status(void) {
+@@ -2030,6 +2048,7 @@ dst__entropy_status(void) {
#endif
return (isc_entropy_status(dst_entropy_pool));
#else
@@ -1387,10 +1385,10 @@ index 5703f9c..afb4d80 100644
#endif
}
diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
-index 32b0742..78e1277 100644
+index 1924e74..6813c96 100644
--- a/lib/dns/include/dst/dst.h
+++ b/lib/dns/include/dst/dst.h
-@@ -160,6 +160,14 @@ dst_lib_destroy(void);
+@@ -159,6 +159,14 @@ dst_lib_destroy(void);
* Releases all resources allocated by DST.
*/
@@ -1461,7 +1459,7 @@ index 304814b..60543c4 100644
isc_hash_destroy();
cleanup_db:
diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
-index a30a2ab..d88d643 100644
+index d65ce26..6849732 100644
--- a/lib/dns/openssl_link.c
+++ b/lib/dns/openssl_link.c
@@ -31,6 +31,7 @@
@@ -1499,7 +1497,7 @@ index a30a2ab..d88d643 100644
#if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER <
0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
static void
-@@ -190,7 +193,7 @@ _set_thread_id(CRYPTO_THREADID *id)
+@@ -192,7 +195,7 @@ _set_thread_id(CRYPTO_THREADID *id)
isc_result_t
dst__openssl_init(const char *engine) {
isc_result_t result;
@@ -1508,7 +1506,7 @@ index a30a2ab..d88d643 100644
ENGINE *re;
#else
UNUSED(engine);
-@@ -220,6 +223,7 @@ dst__openssl_init(const char *engine) {
+@@ -222,6 +225,7 @@ dst__openssl_init(const char *engine) {
ERR_load_crypto_strings();
#endif
@@ -1516,7 +1514,7 @@ index a30a2ab..d88d643 100644
rm = mem_alloc(sizeof(RAND_METHOD) FILELINE);
if (rm == NULL) {
result = ISC_R_NOMEMORY;
-@@ -231,6 +235,7 @@ dst__openssl_init(const char *engine) {
+@@ -233,6 +237,7 @@ dst__openssl_init(const char *engine) {
rm->add = entropy_add;
rm->pseudorand = entropy_getpseudo;
rm->status = entropy_status;
@@ -1524,7 +1522,7 @@ index a30a2ab..d88d643 100644
#if !defined(OPENSSL_NO_ENGINE)
#if !defined(CONF_MFLAGS_DEFAULT_SECTION)
-@@ -264,6 +269,7 @@ dst__openssl_init(const char *engine) {
+@@ -266,6 +271,7 @@ dst__openssl_init(const char *engine) {
}
}
@@ -1532,7 +1530,7 @@ index a30a2ab..d88d643 100644
re = ENGINE_get_default_RAND();
if (re == NULL) {
re = ENGINE_new();
-@@ -276,9 +282,21 @@ dst__openssl_init(const char *engine) {
+@@ -278,9 +284,21 @@ dst__openssl_init(const char *engine) {
ENGINE_free(re);
} else
ENGINE_finish(re);
@@ -1554,7 +1552,7 @@ index a30a2ab..d88d643 100644
return (ISC_R_SUCCESS);
#if !defined(OPENSSL_NO_ENGINE)
-@@ -286,10 +304,14 @@ dst__openssl_init(const char *engine) {
+@@ -288,10 +306,14 @@ dst__openssl_init(const char *engine) {
if (e != NULL)
ENGINE_free(e);
e = NULL;
@@ -1569,7 +1567,7 @@ index a30a2ab..d88d643 100644
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
CRYPTO_set_locking_callback(NULL);
DESTROYMUTEXBLOCK(locks, nlocks);
-@@ -304,14 +326,17 @@ void
+@@ -306,14 +328,17 @@ void
dst__openssl_destroy(void) {
#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >=
0x10100000L)
OPENSSL_cleanup();
@@ -1587,7 +1585,7 @@ index a30a2ab..d88d643 100644
if (rm != NULL) {
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
RAND_cleanup();
-@@ -319,6 +344,7 @@ dst__openssl_destroy(void) {
+@@ -321,6 +346,7 @@ dst__openssl_destroy(void) {
mem_free(rm FILELINE);
rm = NULL;
}
@@ -1595,7 +1593,7 @@ index a30a2ab..d88d643 100644
#if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
CONF_modules_free();
#endif
-@@ -454,11 +480,45 @@ dst__openssl_getengine(const char *engine) {
+@@ -456,11 +482,45 @@ dst__openssl_getengine(const char *engine) {
}
#endif
@@ -1700,35 +1698,23 @@ index 5a2c502..8eaef53 100644
#endif /* PKCS11CRYPTO */
/*! \file */
-diff --git a/lib/dns/tests/Atffile b/lib/dns/tests/Atffile
-index 953082d..603c4b5 100644
---- a/lib/dns/tests/Atffile
-+++ b/lib/dns/tests/Atffile
-@@ -10,6 +10,7 @@ tp: dbversion_test
- tp: dh_test
- tp: dispatch_test
- tp: dnstap_test
-+tp: dstrandom_test
- tp: dst_test
- tp: geoip_test
- tp: gost_test
diff --git a/lib/dns/tests/Kyuafile b/lib/dns/tests/Kyuafile
-index 0353a73..cb2324d 100644
+index 937b548..f3c0e38 100644
--- a/lib/dns/tests/Kyuafile
+++ b/lib/dns/tests/Kyuafile
-@@ -10,6 +10,7 @@ atf_test_program{name='dh_test'}
- atf_test_program{name='dispatch_test'}
- atf_test_program{name='dnstap_test'}
- atf_test_program{name='dst_test'}
-+atf_test_program{name='dstrandom_test'}
- atf_test_program{name='geoip_test'}
- atf_test_program{name='gost_test'}
- atf_test_program{name='keytable_test'}
+@@ -10,6 +10,7 @@ tap_test_program{name='dh_test'}
+ tap_test_program{name='dispatch_test'}
+ tap_test_program{name='dnstap_test'}
+ tap_test_program{name='dst_test'}
++tap_test_program{name='dstrandom_test'}
+ tap_test_program{name='geoip_test'}
+ tap_test_program{name='gost_test'}
+ tap_test_program{name='keytable_test'}
diff --git a/lib/dns/tests/Makefile.in b/lib/dns/tests/Makefile.in
-index 58fa872..625e809 100644
+index 0897579..9f1781a 100644
--- a/lib/dns/tests/Makefile.in
+++ b/lib/dns/tests/Makefile.in
-@@ -40,6 +40,7 @@ SRCS = acl_test.c \
+@@ -37,6 +37,7 @@ SRCS = acl_test.c \
dnstap_test.c \
dst_test.c \
dnstest.c \
@@ -1736,7 +1722,7 @@ index 58fa872..625e809 100644
geoip_test.c \
gost_test.c \
keytable_test.c \
-@@ -71,6 +72,7 @@ TARGETS = acl_test@EXEEXT@ \
+@@ -69,6 +70,7 @@ TARGETS = acl_test@EXEEXT@ \
dh_test@EXEEXT@ \
dispatch_test@EXEEXT@ \
dnstap_test@EXEEXT@ \
@@ -1744,9 +1730,9 @@ index 58fa872..625e809 100644
dst_test@EXEEXT@ \
geoip_test@EXEEXT@ \
gost_test@EXEEXT@ \
-@@ -255,6 +257,11 @@ tsig_test@EXEEXT@: tsig_test.@O@ dnstest.@O@ ${ISCDEPLIBS}
${DNSDEPLIBS}
- tsig_test.@O@ dnstest.@O@ ${DNSLIBS} \
- ${ISCLIBS} ${LIBS}
+@@ -258,6 +260,11 @@ zt_test@EXEEXT@: zt_test.@O@ dnstest.@O@ ${ISCDEPLIBS}
${DNSDEPLIBS}
+ ${LDFLAGS} -o $@ zt_test.@O@ dnstest.@O@ \
+ ${DNSLIBS} ${ISCLIBS} ${LIBS}
+dstrandom_test@EXEEXT@: dstrandom_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
@@ -1756,51 +1742,12 @@ index 58fa872..625e809 100644
unit::
sh ${top_builddir}/unit/unittest.sh
-diff --git a/lib/dns/tests/dnstest.c b/lib/dns/tests/dnstest.c
-index 51bb90b..1b25b90 100644
---- a/lib/dns/tests/dnstest.c
-+++ b/lib/dns/tests/dnstest.c
-@@ -122,12 +122,12 @@ dns_test_begin(FILE *logfile, bool start_managers) {
- CHECK(isc_mem_create(0, 0, &mctx));
- CHECK(isc_entropy_create(mctx, &ectx));
-
-- CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE));
-- hash_active = true;
--
- CHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_BLOCKING));
- dst_active = true;
-
-+ CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE));
-+ hash_active = true;
-+
- if (logfile != NULL) {
- isc_logdestination_t destination;
- isc_logconfig_t *logconfig = NULL;
-@@ -171,14 +171,14 @@ dns_test_begin(FILE *logfile, bool start_managers) {
-
- void
- dns_test_end(void) {
-- if (dst_active) {
-- dst_lib_destroy();
-- dst_active = false;
-- }
- if (hash_active) {
- isc_hash_destroy();
- hash_active = false;
- }
-+ if (dst_active) {
-+ dst_lib_destroy();
-+ dst_active = false;
-+ }
- if (ectx != NULL)
- isc_entropy_detach(&ectx);
-
diff --git a/lib/dns/tests/dstrandom_test.c b/lib/dns/tests/dstrandom_test.c
new file mode 100644
-index 0000000..b980d8a
+index 0000000..bd3d164
--- /dev/null
+++ b/lib/dns/tests/dstrandom_test.c
-@@ -0,0 +1,99 @@
+@@ -0,0 +1,115 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
@@ -1812,18 +1759,25 @@ index 0000000..b980d8a
+ * information regarding copyright ownership.
+ */
+
-+/*! \file */
-+
+#include <config.h>
+
-+#include <atf-c.h>
++#if HAVE_CMOCKA
++
++#include <stdarg.h>
++#include <stddef.h>
++#include <setjmp.h>
+
++#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+
++#define UNIT_TESTING
++#include <cmocka.h>
++
+#include <isc/entropy.h>
+#include <isc/mem.h>
++#include <isc/print.h>
+#include <isc/platform.h>
+#include <isc/util.h>
+
@@ -1833,26 +1787,23 @@ index 0000000..b980d8a
+isc_entropy_t *ectx = NULL;
+unsigned char buffer[128];
+
-+ATF_TC(isc_entropy_getdata);
-+ATF_TC_HEAD(isc_entropy_getdata, tc) {
-+ atf_tc_set_md_var(tc, "descr",
-+ "isc_entropy_getdata() examples");
-+ atf_tc_set_md_var(tc, "X-randomfile",
-+ "testdata/dstrandom/random.data");
-+}
-+ATF_TC_BODY(isc_entropy_getdata, tc) {
++/* isc_entropy_getdata() examples */
++static void
++isc_entropy_getdata_test(void **state) {
+ isc_result_t result;
+ unsigned int returned, status;
++ const char *randomfile = "testdata/dstrandom/random.data";
+ int ret;
-+ const char *randomfile = atf_tc_get_md_var(tc, "X-randomfile");
++
++ UNUSED(state);
+
+ isc_mem_debugging |= ISC_MEM_DEBUGRECORD;
+ result = isc_mem_create(0, 0, &mctx);
-+ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
++ assert_int_equal(result, ISC_R_SUCCESS);
+ result = isc_entropy_create(mctx, &ectx);
-+ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
++ assert_int_equal(result, ISC_R_SUCCESS);
+ result = dst_lib_init(mctx, ectx, 0);
-+ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
++ assert_int_equal(result, ISC_R_SUCCESS);
+
+#ifdef ISC_PLATFORM_CRYPTORANDOM
+ isc_entropy_usehook(ectx, true);
@@ -1860,51 +1811,63 @@ index 0000000..b980d8a
+ returned = 0;
+ result = isc_entropy_getdata(ectx, buffer, sizeof(buffer),
+ &returned, 0);
-+ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
-+ ATF_REQUIRE(returned == sizeof(buffer));
++ assert_int_equal(result, ISC_R_SUCCESS);
++ assert_int_equal(returned, sizeof(buffer));
+
+ status = isc_entropy_status(ectx);
-+ ATF_REQUIRE_EQ(status, 0);
++ assert_int_equal(status, 0);
+
+ isc_entropy_usehook(ectx, false);
+#endif
+
+ ret = chdir(TESTS);
-+ ATF_REQUIRE_EQ(ret, 0);
++ assert_int_equal(ret, 0);
+
+ result = isc_entropy_createfilesource(ectx, randomfile);
-+ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
++ assert_int_equal(result, ISC_R_SUCCESS);
+
+ returned = 0;
+ result = isc_entropy_getdata(ectx, buffer, sizeof(buffer),
+ &returned, 0);
-+ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
-+ ATF_REQUIRE(returned == sizeof(buffer));
++ assert_int_equal(result, ISC_R_SUCCESS);
++ assert_int_equal(returned, sizeof(buffer));
+
+ status = isc_entropy_status(ectx);
-+ ATF_REQUIRE(status > 0);
++ assert_true(status > 0);
+
+ dst_lib_destroy();
+ isc_entropy_detach(&ectx);
-+ ATF_REQUIRE(ectx == NULL);
++ assert_null(ectx);
++
+ isc_mem_destroy(&mctx);
-+ ATF_REQUIRE(mctx == NULL);
++ assert_null(mctx);
+}
+
-+/*
-+ * Main
-+ */
-+ATF_TP_ADD_TCS(tp) {
-+ ATF_TP_ADD_TC(tp, isc_entropy_getdata);
++int
++main(void) {
++ const struct CMUnitTest tests[] = {
++ cmocka_unit_test(isc_entropy_getdata_test),
++ };
+
-+ return (atf_no_error());
++ return (cmocka_run_group_tests(tests, NULL, NULL));
+}
+
++#else /* HAVE_CMOCKA */
++
++#include <stdio.h>
++
++int
++main(void) {
++ printf("1..0 # Skipped: cmocka not available\n");
++ return (0);
++}
++
++#endif
diff --git a/lib/dns/win32/libdns.def.in b/lib/dns/win32/libdns.def.in
-index 62a156c..bf83fe5 100644
+index 5c45d59..34b660c 100644
--- a/lib/dns/win32/libdns.def.in
+++ b/lib/dns/win32/libdns.def.in
-@@ -1483,6 +1483,13 @@ dst_lib_destroy
+@@ -1484,6 +1484,13 @@ dst_lib_destroy
dst_lib_init
dst_lib_init2
dst_lib_initmsgcat
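Review bot: Both `isc_entropy_getdata()` calls in `isc_entropy_getdata_test` are checked only for the result code and the returned length, so a hook or file source that reports success without writing to `buffer` would still pass. Clearing the buffer before each call with `memset(buffer, 0, sizeof(buffer));` and asserting afterwards with `assert_memory_not_equal(buffer, zeros, sizeof(buffer));` against a `static const unsigned char zeros[sizeof(buffer)];` would catch that case. The test function starts in the preceding hunk of this patch file, so the setup calls it relies on are not all shown here. Separately, the `#else` branch prints a TAP skip line and returns 0, so a build without cmocka reports the test as skipped rather than failed; that is presumably intended, but only the test log shows it.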
@@ -2029,7 +1992,7 @@ index 42ff7e0..8d87c44 100644
typedef int (*isc_sockfdwatch_t)(isc_task_t *, isc_socket_t *, void *, int);
diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c
-index a01e698..875c232 100644
+index bb9912b..1f583a3 100644
--- a/lib/isc/pk11.c
+++ b/lib/isc/pk11.c
@@ -321,14 +321,16 @@ pk11_rand_seed_fromfile(const char *randomfile) {
@@ -2071,7 +2034,7 @@ index 5b8a2c9..913a2ce 100644
* Define if the hash functions must be provided by OpenSSL.
*/
diff --git a/win32utils/Configure b/win32utils/Configure
-index ff596b7..09b476f 100644
+index ad99f89..2c55946 100644
--- a/win32utils/Configure
+++ b/win32utils/Configure
@@ -381,6 +381,7 @@ my @substdefh = ("AES_CC",
@@ -2082,7 +2045,7 @@ index ff596b7..09b476f 100644
"ISC_PLATFORM_HAVEATOMICSTORE",
"ISC_PLATFORM_HAVEATOMICSTOREQ",
"ISC_PLATFORM_HAVECMPXCHG",
-@@ -509,7 +510,8 @@ my @allcond = (@substcond, "NOTYET",
"NOLONGER");
+@@ -510,7 +511,8 @@ my @allcond = (@substcond, "NOTYET",
"NOLONGER");
# enable-xxx/disable-xxx
@@ -2092,7 +2055,7 @@ index ff596b7..09b476f 100644
"fixed-rrset",
"intrinsics",
"isc-spnego",
-@@ -571,6 +573,7 @@ my @help = (
+@@ -573,6 +575,7 @@ my @help = (
"\nOptional Features:\n",
" enable-intrinsics enable instrinsic/atomic functions [default=yes]\n",
" enable-native-pkcs11 use native PKCS#11 for all crypto [default=no]\n",
@@ -2100,7 +2063,7 @@ index ff596b7..09b476f 100644
" enable-openssl-hash use OpenSSL for hash functions [default=yes]\n",
" enable-isc-spnego use SPNEGO from lib/dns [default=yes]\n",
" enable-filter-aaaa enable filtering of AAAA records [default=yes]\n",
-@@ -614,7 +617,9 @@ my $want_clean = "no";
+@@ -617,7 +620,9 @@ my $want_clean = "no";
my $want_unknown = "no";
my $unknown_value;
my $enable_intrinsics = "yes";
@@ -2110,7 +2073,7 @@ index ff596b7..09b476f 100644
my $enable_openssl_hash = "auto";
my $enable_filter_aaaa = "yes";
my $enable_isc_spnego = "yes";
-@@ -823,6 +828,10 @@ sub myenable {
+@@ -828,6 +833,10 @@ sub myenable {
if ($val =~ /^yes$/i) {
$enable_native_pkcs11 = "yes";
}
@@ -2121,7 +2084,7 @@ index ff596b7..09b476f 100644
} elsif ($key =~ /^openssl-hash$/i) {
if ($val =~ /^yes$/i) {
$enable_openssl_hash = "yes";
-@@ -1106,6 +1115,11 @@ if ($verbose) {
+@@ -1119,6 +1128,11 @@ if ($verbose) {
} else {
print "native-pkcs11: disabled\n";
}
@@ -2133,7 +2096,7 @@ index ff596b7..09b476f 100644
if ($enable_openssl_hash eq "yes") {
print "openssl-hash: enabled\n";
} else {
-@@ -1454,6 +1468,7 @@ if ($enable_intrinsics eq "yes") {
+@@ -1472,6 +1486,7 @@ if ($enable_intrinsics eq "yes") {
# enable-native-pkcs11
if ($enable_native_pkcs11 eq "yes") {
@@ -2141,7 +2104,7 @@ index ff596b7..09b476f 100644
if ($use_openssl eq "auto") {
$use_openssl = "no";
}
-@@ -1663,6 +1678,7 @@ if ($use_openssl eq "yes") {
+@@ -1681,6 +1696,7 @@ if ($use_openssl eq "yes") {
$openssl_dll = File::Spec->catdir($openssl_path, "@dirlist[0]");
}
@@ -2149,7 +2112,7 @@ index ff596b7..09b476f 100644
$configcond{"OPENSSL"} = 1;
$configdefd{"CRYPTO"} = "OPENSSL";
$configvar{"OPENSSL_PATH"} = "$openssl_path";
-@@ -2214,6 +2230,15 @@ if ($cookie_algorithm eq "sha1") {
+@@ -2232,6 +2248,15 @@ if ($cookie_algorithm eq "sha1") {
die "Unrecognized cookie algorithm: $cookie_algorithm\n";
}
@@ -2165,7 +2128,7 @@ index ff596b7..09b476f 100644
# enable-openssl-hash
if ($enable_openssl_hash eq "yes") {
if ($use_openssl eq "no") {
-@@ -3536,6 +3561,7 @@ exit 0;
+@@ -3558,6 +3583,7 @@ exit 0;
# --enable-developer partially supported
# --enable-newstats (9.9/9.9sub only)
# --enable-native-pkcs11 supported
@@ -2173,7 +2136,7 @@ index ff596b7..09b476f 100644
# --enable-openssl-version-check included without a way to disable it
# --enable-openssl-hash supported
# --enable-threads included without a way to disable it
-@@ -3561,6 +3587,7 @@ exit 0;
+@@ -3583,6 +3609,7 @@ exit 0;
# --with-gost supported
# --with-aes supported
# --with-cc-alg supported
@@ -2182,5 +2145,5 @@ index ff596b7..09b476f 100644
# --with-gssapi supported with MIT (K)erberos (f)or (W)indows
# --with-lmdb no supported on WIN32 (port is not reliable)
--
-2.14.4
+2.20.1
diff --git a/bind-9.11-rt46047.patch b/bind-9.11-rt46047.patch
index 3cb3c0f..1f40a16 100644
--- a/bind-9.11-rt46047.patch
+++ b/bind-9.11-rt46047.patch
@@ -1,4 +1,4 @@
-From 9a074d5cd6c6276d95bc1cce3a14afaabc88c6c5 Mon Sep 17 00:00:00 2001
+From 2b7a633f29c2ae8fe801f2a98541013837ebaeaa Mon Sep 17 00:00:00 2001
From: Evan Hunt <each(a)isc.org>
Date: Thu, 28 Sep 2017 10:09:22 -0700
Subject: [PATCH] completed and corrected the crypto-random change
@@ -24,29 +24,29 @@ Subject: [PATCH] completed and corrected the crypto-random change
"configure --disable-crypto-rand".
[RT #31459] [RT #46047]
---
- bin/confgen/keygen.c | 12 +++----
- bin/dnssec/dnssec-keygen.docbook | 24 +++++++++-----
- bin/dnssec/dnssectool.c | 12 +++----
+ bin/confgen/keygen.c | 12 +++---
+ bin/dnssec/dnssec-keygen.docbook | 24 +++++++----
+ bin/dnssec/dnssectool.c | 12 +++---
bin/named/client.c | 3 +-
- bin/named/config.c | 4 ++-
- bin/named/controlconf.c | 19 +++++++----
- bin/named/include/named/server.h | 2 ++
+ bin/named/config.c | 4 +-
+ bin/named/controlconf.c | 19 +++++---
+ bin/named/include/named/server.h | 2 +
bin/named/interfacemgr.c | 1 +
bin/named/query.c | 1 +
- bin/named/server.c | 53 ++++++++++++++++++------------
- bin/nsupdate/nsupdate.c | 4 +--
- bin/tests/system/pipelined/pipequeries.c | 4 +--
- bin/tests/system/tkey/keycreate.c | 4 +--
- bin/tests/system/tkey/keydelete.c | 4 +--
- doc/arm/Bv9ARM-book.xml | 55 ++++++++++++++++++++++----------
- doc/arm/notes.xml | 26 +++++++++++++++
- lib/dns/dst_api.c | 4 ++-
- lib/dns/include/dst/dst.h | 14 ++++++--
+ bin/named/server.c | 51 ++++++++++++++--------
+ bin/nsupdate/nsupdate.c | 4 +-
+ bin/tests/system/pipelined/pipequeries.c | 4 +-
+ bin/tests/system/tkey/keycreate.c | 4 +-
+ bin/tests/system/tkey/keydelete.c | 4 +-
+ doc/arm/Bv9ARM-book.xml | 55 +++++++++++++++++-------
+ doc/arm/notes.xml | 26 +++++++++++
+ lib/dns/dst_api.c | 4 +-
+ lib/dns/include/dst/dst.h | 14 +++++-
lib/dns/openssl_link.c | 3 +-
- lib/isc/include/isc/entropy.h | 50 +++++++++++++++++++++--------
- lib/isc/include/isc/random.h | 28 ++++++++++------
+ lib/isc/include/isc/entropy.h | 50 +++++++++++++++------
+ lib/isc/include/isc/random.h | 28 +++++++-----
lib/isccfg/namedconf.c | 2 +-
- 22 files changed, 221 insertions(+), 108 deletions(-)
+ 22 files changed, 220 insertions(+), 107 deletions(-)
diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c
index 295e16f..0f79aa8 100644
@@ -76,10 +76,10 @@ index 295e16f..0f79aa8 100644
&entropy_source,
randomfile,
diff --git a/bin/dnssec/dnssec-keygen.docbook b/bin/dnssec/dnssec-keygen.docbook
-index 96dfef6..1c84b06 100644
+index ee6a489..17dddb6 100644
--- a/bin/dnssec/dnssec-keygen.docbook
+++ b/bin/dnssec/dnssec-keygen.docbook
-@@ -349,15 +349,23 @@
+@@ -350,15 +350,23 @@
<term>-r <replaceable
class="parameter">randomdev</replaceable></term>
<listitem>
<para>
@@ -140,10 +140,10 @@ index 31a99e7..38c83ed 100644
usekeyboard);
diff --git a/bin/named/client.c b/bin/named/client.c
-index 0f6e162..5e39b82 100644
+index d425df2..7ab3dec 100644
--- a/bin/named/client.c
+++ b/bin/named/client.c
-@@ -1608,7 +1608,8 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message,
+@@ -1609,7 +1609,8 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message,
isc_buffer_init(&buf, cookie, sizeof(cookie));
isc_stdtime_get(&now);
@@ -154,7 +154,7 @@ index 0f6e162..5e39b82 100644
compute_cookie(client, now, nonce, ns_g_server->secret, &buf);
diff --git a/bin/named/config.c b/bin/named/config.c
-index 2c4c93c..16ed248 100644
+index a153172..8d46bc3 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -93,7 +93,9 @@ options {\n\
@@ -253,7 +253,7 @@ index 419927b..d721f47 100644
#include <isc/task.h>
#include <isc/util.h>
diff --git a/bin/named/query.c b/bin/named/query.c
-index f8dbef2..2f3c0ca 100644
+index 1d3edbc..193efde 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -19,6 +19,7 @@
@@ -265,10 +265,10 @@ index f8dbef2..2f3c0ca 100644
#include <isc/serial.h>
#include <isc/stats.h>
diff --git a/bin/named/server.c b/bin/named/server.c
-index 9258e7f..f4320df 100644
+index 30e7eac..27ea3bf 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
-@@ -8164,21 +8164,30 @@ load_configuration(const char *filename, ns_server_t *server,
+@@ -8203,21 +8203,30 @@ load_configuration(const char *filename, ns_server_t *server,
* Open the source of entropy.
*/
if (first_time) {
@@ -277,11 +277,6 @@ index 9258e7f..f4320df 100644
obj = NULL;
result = ns_config_get(maps, "random-device", &obj);
- if (result != ISC_R_SUCCESS) {
-- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-- NS_LOGMODULE_SERVER, ISC_LOG_INFO,
-- "no source of entropy found");
-- } else {
-- const char *randomdev = cfg_obj_asstring(obj);
+ if (result == ISC_R_SUCCESS) {
+ if (!cfg_obj_isvoid(obj)) {
+ level = ISC_LOG_INFO;
@@ -289,28 +284,32 @@ index 9258e7f..f4320df 100644
+ }
+ }
+ if (randomdev == NULL) {
- #ifdef ISC_PLATFORM_CRYPTORANDOM
-- if (strcmp(randomdev, ISC_PLATFORM_CRYPTORANDOM) == 0)
-- isc_entropy_usehook(ns_g_entropy, true);
++#ifdef ISC_PLATFORM_CRYPTORANDOM
+ isc_entropy_usehook(ns_g_entropy, true);
- #else
-- int level = ISC_LOG_ERROR;
-- result = isc_entropy_createfilesource(ns_g_entropy,
-- randomdev);
++#else
+ if ((obj != NULL) && !cfg_obj_isvoid(obj))
+ level = ISC_LOG_INFO;
-+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+- NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+ NS_LOGMODULE_SERVER, level,
-+ "no source of entropy found");
+ "no source of entropy found");
+ if ((obj == NULL) || cfg_obj_isvoid(obj)) {
+ CHECK(ISC_R_FAILURE);
+ }
+#endif
-+ } else {
+ } else {
+- const char *randomdev = cfg_obj_asstring(obj);
+-#ifdef ISC_PLATFORM_CRYPTORANDOM
+- if (strcmp(randomdev, ISC_PLATFORM_CRYPTORANDOM) == 0)
+- isc_entropy_usehook(ns_g_entropy, true);
+-#else
+- int level = ISC_LOG_ERROR;
+- result = isc_entropy_createfilesource(ns_g_entropy,
+- randomdev);
#ifdef PATH_RANDOMDEV
if (ns_g_fallbackentropy != NULL) {
level = ISC_LOG_INFO;
-@@ -8189,8 +8198,8 @@ load_configuration(const char *filename, ns_server_t *server,
+@@ -8228,8 +8237,8 @@ load_configuration(const char *filename, ns_server_t *server,
NS_LOGCATEGORY_GENERAL,
NS_LOGMODULE_SERVER,
level,
@@ -321,7 +320,7 @@ index 9258e7f..f4320df 100644
randomdev,
isc_result_totext(result));
}
-@@ -8210,7 +8219,6 @@ load_configuration(const char *filename, ns_server_t *server,
+@@ -8249,7 +8258,6 @@ load_configuration(const char *filename, ns_server_t *server,
}
isc_entropy_detach(&ns_g_fallbackentropy);
}
@@ -329,7 +328,7 @@ index 9258e7f..f4320df 100644
#endif
}
}
-@@ -8998,6 +9006,9 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
+@@ -9040,6 +9048,9 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
CHECKFATAL(dns_tkeyctx_create(ns_g_mctx, ns_g_entropy,
&server->tkeyctx),
"creating TKEY context");
@@ -339,7 +338,7 @@ index 9258e7f..f4320df 100644
/*
* Setup the server task, which is responsible for coordinating
-@@ -9204,7 +9215,8 @@ ns_server_destroy(ns_server_t **serverp) {
+@@ -9246,7 +9257,8 @@ ns_server_destroy(ns_server_t **serverp) {
if (server->zonemgr != NULL)
dns_zonemgr_detach(&server->zonemgr);
@@ -349,7 +348,7 @@ index 9258e7f..f4320df 100644
if (server->tkeyctx != NULL)
dns_tkeyctx_destroy(&server->tkeyctx);
-@@ -13105,10 +13117,10 @@ newzone_cfgctx_destroy(void **cfgp) {
+@@ -13197,10 +13209,10 @@ newzone_cfgctx_destroy(void **cfgp) {
static isc_result_t
generate_salt(unsigned char *salt, size_t saltlen) {
@@ -362,7 +361,7 @@ index 9258e7f..f4320df 100644
} rnd;
unsigned char text[512 + 1];
isc_region_t r;
-@@ -13118,9 +13130,10 @@ generate_salt(unsigned char *salt, size_t saltlen) {
+@@ -13210,9 +13222,10 @@ generate_salt(unsigned char *salt, size_t saltlen) {
if (saltlen > 256U)
return (ISC_R_RANGE);
@@ -377,7 +376,7 @@ index 9258e7f..f4320df 100644
memmove(salt, rnd.rnd, saltlen);
diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
-index 1559a33..68b9a99 100644
+index 6d7a02e..626b1cf 100644
--- a/bin/nsupdate/nsupdate.c
+++ b/bin/nsupdate/nsupdate.c
@@ -283,9 +283,7 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t
**ectx) {
@@ -437,10 +436,10 @@ index 2146f9b..ac2c311 100644
}
#endif
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
-index baff8d3..00a50e4 100644
+index dd5365c..1a463b0 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
-@@ -5070,22 +5070,45 @@ badresp:1,adberr:0,findfail:0,valfail:0]
+@@ -5071,22 +5071,45 @@ badresp:1,adberr:0,findfail:0,valfail:0]
<term><command>random-device</command></term>
<listitem>
<para>
@@ -503,11 +502,11 @@ index baff8d3..00a50e4 100644
</listitem>
</varlistentry>
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
-index d9537a3..5c2cc13 100644
+index ad4b34c..2685b8e 100644
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
-@@ -180,6 +180,32 @@
- option. [GL #105]
+@@ -229,6 +229,32 @@
+ is used from the shell scripts.
</para>
</listitem>
+ <listitem>
@@ -535,15 +534,15 @@ index d9537a3..5c2cc13 100644
+ case <filename>/dev/random</filename> will be the default
+ entropy source. [RT #31459] [RT #46047]
+ </para>
-+ </listitem>
++ </listitem>
</itemizedlist>
</section>
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
-index afb4d80..4e62a97 100644
+index b55ebe0..d2b43d3 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
-@@ -2013,10 +2013,12 @@ dst__entropy_getdata(void *buf, unsigned int len, bool pseudo) {
+@@ -2016,10 +2016,12 @@ dst__entropy_getdata(void *buf, unsigned int len, bool pseudo) {
else
flags |= ISC_ENTROPY_BLOCKING;
#ifdef ISC_PLATFORM_CRYPTORANDOM
@@ -558,10 +557,10 @@ index afb4d80..4e62a97 100644
}
diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
-index 78e1277..10293d0 100644
+index 6813c96..665574d 100644
--- a/lib/dns/include/dst/dst.h
+++ b/lib/dns/include/dst/dst.h
-@@ -164,8 +164,18 @@ isc_result_t
+@@ -163,8 +163,18 @@ isc_result_t
dst_random_getdata(void *data, unsigned int length,
unsigned int *returned, unsigned int flags);
/*%<
@@ -583,10 +582,10 @@ index 78e1277..10293d0 100644
bool
diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
-index d88d643..7a233dd 100644
+index 6849732..e00a0e4 100644
--- a/lib/dns/openssl_link.c
+++ b/lib/dns/openssl_link.c
-@@ -482,7 +482,8 @@ dst__openssl_getengine(const char *engine) {
+@@ -484,7 +484,8 @@ dst__openssl_getengine(const char *engine) {
isc_result_t
dst_random_getdata(void *data, unsigned int length,
@@ -740,7 +739,7 @@ index f8aed34..17c551b 100644
ISC_LANG_ENDDECLS
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
-index cd797a6..589da07 100644
+index fbc62cc..9cad61d 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -1109,7 +1109,7 @@ options_clauses[] = {
@@ -753,5 +752,5 @@ index cd797a6..589da07 100644
{ "recursive-clients", &cfg_type_uint32, 0 },
{ "reserved-sockets", &cfg_type_uint32, 0 },
--
-2.14.4
+2.20.1
diff --git a/bind-9.11-tests-variants.patch b/bind-9.11-tests-variants.patch
index b8ab1c0..55f4491 100644
--- a/bind-9.11-tests-variants.patch
+++ b/bind-9.11-tests-variants.patch
@@ -1,4 +1,4 @@
-From 118c70ab26f54f8ecd38da36f3e7d7ed66e2e764 Mon Sep 17 00:00:00 2001
+From 7d689f77714430a4ef6cead040ec304dca0b8bd3 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik(a)redhat.com>
Date: Fri, 1 Mar 2019 15:48:20 +0100
Subject: [PATCH] Make alternative named builds testable in system tests
@@ -17,19 +17,19 @@ export NAMED_VARIANT=-pkcs11 DNSSEC_VARIANT=-pkcs11
1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in
-index 0b9706a..a446c18 100644
+index b072af8..d2cb8ed 100644
--- a/bin/tests/system/conf.sh.in
+++ b/bin/tests/system/conf.sh.in
-@@ -20,7 +20,7 @@ TOP=${SYSTEMTESTTOP:=.}/../../..
- # Make it absolute so that it continues to work after we cd.
- TOP=`cd $TOP && pwd`
+@@ -27,7 +27,7 @@ ALTERNATIVE_ALGORITHM=RSASHA1
+ ALTERNATIVE_ALGORITHM_NUMBER=5
+ ALTERNATIVE_BITS=1280
-NAMED=$TOP/bin/named/named
+NAMED=$TOP/bin/named${NAMED_VARIANT}/named${NAMED_VARIANT}
# We must use "named -l" instead of "lwresd" because argv[0] is
lost
# if the program is libtoolized.
LWRESD="$TOP/bin/named/named -l"
-@@ -31,13 +31,14 @@ NSUPDATE=$TOP/bin/nsupdate/nsupdate
+@@ -38,13 +38,14 @@ NSUPDATE=$TOP/bin/nsupdate/nsupdate
DDNSCONFGEN=$TOP/bin/confgen/ddns-confgen
TSIGKEYGEN=$TOP/bin/confgen/tsig-keygen
RNDCCONFGEN=$TOP/bin/confgen/rndc-confgen
@@ -51,7 +51,7 @@ index 0b9706a..a446c18 100644
CHECKDS=$TOP/bin/python/dnssec-checkds
COVERAGE=$TOP/bin/python/dnssec-coverage
KEYMGR=$TOP/bin/python/dnssec-keymgr
-@@ -57,7 +58,7 @@ DNSTAPREAD=$TOP/bin/tools/dnstap-read
+@@ -64,7 +65,7 @@ DNSTAPREAD=$TOP/bin/tools/dnstap-read
MDIG=$TOP/bin/tools/mdig
NZD2NZF=$TOP/bin/tools/named-nzd2nzf
FSTRM_CAPTURE=@FSTRM_CAPTURE@
diff --git a/bind-9.11-unit-disable-random.patch b/bind-9.11-unit-disable-random.patch
index 5658d12..553f725 100644
--- a/bind-9.11-unit-disable-random.patch
+++ b/bind-9.11-unit-disable-random.patch
@@ -1,4 +1,4 @@
-From c89b0e288f923af69b97e8acc29250b262be7d1e Mon Sep 17 00:00:00 2001
+From 373f07148217a8e70e33446f5108fb42d1079ba6 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik(a)redhat.com>
Date: Thu, 21 Feb 2019 22:42:27 +0100
Subject: [PATCH] Disable random_test
@@ -9,37 +9,22 @@ subtests can occasionally fail, stop it.
It can be used again by defining 'unstable' variable in Kyuafile.
---
- lib/isc/tests/Atffile | 3 ++-
lib/isc/tests/Kyuafile | 2 +-
- 2 files changed, 3 insertions(+), 2 deletions(-)
+ 1 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/lib/isc/tests/Atffile b/lib/isc/tests/Atffile
-index 8681844..74a4a77 100644
---- a/lib/isc/tests/Atffile
-+++ b/lib/isc/tests/Atffile
-@@ -20,7 +20,8 @@ tp: pool_test
- tp: print_test
- tp: queue_test
- tp: radix_test
--tp: random_test
-+# random test fails too often
-+#tp: random_test
- tp: regex_test
- tp: result_test
- tp: safe_test
diff --git a/lib/isc/tests/Kyuafile b/lib/isc/tests/Kyuafile
-index 1c510c1..a86824a 100644
+index 4cd2574..9df2340 100644
--- a/lib/isc/tests/Kyuafile
+++ b/lib/isc/tests/Kyuafile
-@@ -19,7 +19,7 @@ atf_test_program{name='pool_test'}
- atf_test_program{name='print_test'}
- atf_test_program{name='queue_test'}
- atf_test_program{name='radix_test'}
--atf_test_program{name='random_test'}
-+atf_test_program{name='random_test', required_configs='unstable'}
- atf_test_program{name='regex_test'}
- atf_test_program{name='result_test'}
- atf_test_program{name='safe_test'}
+@@ -19,7 +19,7 @@ tap_test_program{name='pool_test'}
+ tap_test_program{name='print_test'}
+ tap_test_program{name='queue_test'}
+ tap_test_program{name='radix_test'}
+-tap_test_program{name='random_test'}
++tap_test_program{name='random_test', required_configs='unstable'}
+ tap_test_program{name='regex_test'}
+ tap_test_program{name='result_test'}
+ tap_test_program{name='safe_test'}
--
2.20.1
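Review bot: Gating `random_test` behind `required_configs='unstable'` takes the isc random unit test out of default test runs, and the patch header gives no reference for the intermittent failures beyond "subtests can occasionally fail". The other patches listed in bind.spec carry an upstream issue or bug URL; the `Patch168` comment there has none. I would extend that comment to something like `# random_test fails intermittently; re-enable with the 'unstable' test config, see <upstream issue URL>`, so the skipped coverage is tracked and can be restored once the test is stable.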
diff --git a/bind-9.11-unit-dnstap-pkcs11.patch b/bind-9.11-unit-dnstap-pkcs11.patch
deleted file mode 100644
index 8620e9f..0000000
--- a/bind-9.11-unit-dnstap-pkcs11.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-diff --git a/lib/dns/tests/dnstap_test.c b/lib/dns/tests/dnstap_test.c
-index 56e3da4..1f31542 100644
---- a/lib/dns/tests/dnstap_test.c
-+++ b/lib/dns/tests/dnstap_test.c
-@@ -297,6 +297,9 @@ ATF_TC_BODY(totext, tc) {
-
- UNUSED(tc);
-
-+ /* make sure text conversion gets the right local time */
-+ setenv("TZ", "PST8", 1);
-+
- result = dns_test_begin(NULL, true);
- ATF_REQUIRE(result == ISC_R_SUCCESS);
-
-@@ -306,9 +309,6 @@ ATF_TC_BODY(totext, tc) {
- result = isc_stdio_open(TAPTEXT, "r", &fp);
- ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
-
-- /* make sure text conversion gets the right local time */
-- setenv("TZ", "PST8", 1);
--
- while (dns_dt_getframe(handle, &data, &dsize) == ISC_R_SUCCESS) {
- dns_dtdata_t *dtdata = NULL;
- isc_buffer_t *b = NULL;
diff --git a/bind-9.9.1-P2-multlib-conflict.patch b/bind-9.9.1-P2-multlib-conflict.patch
index 96506dd..8768b86 100644
--- a/bind-9.9.1-P2-multlib-conflict.patch
+++ b/bind-9.9.1-P2-multlib-conflict.patch
@@ -1,8 +1,8 @@
diff --git a/config.h.in b/config.h.in
-index e1364dd921..1dc65cfb21 100644
+index 4ecaa8f..2f65ccc 100644
--- a/config.h.in
+++ b/config.h.in
-@@ -588,7 +588,7 @@ int sigwait(const unsigned int *set, int *sig);
+@@ -600,7 +600,7 @@ int sigwait(const unsigned int *set, int *sig);
#undef PREFER_GOSTASN1
/* The size of `void *', as computed by sizeof. */
@@ -11,39 +11,8 @@ index e1364dd921..1dc65cfb21 100644
/* Define to 1 if you have the ANSI C header files. */
#undef STDC_HEADERS
-diff --git a/configure.in b/configure.in
-index 73b1c8ccbb..129fc3f311 100644
---- a/configure.in
-+++ b/configure.in
-@@ -3523,14 +3523,14 @@ AC_TRY_COMPILE([
- #include <sys/socket.h>
- #include <netdb.h>
- int getnameinfo(const struct sockaddr *, socklen_t, char *,
-- socklen_t, char *, socklen_t, unsigned int);],
-+ socklen_t, char *, socklen_t, int);],
- [ return (0);],
-- [AC_MSG_RESULT(socklen_t for buflen; u_int for flags)
-+ [AC_MSG_RESULT(socklen_t for buflen; int for flags)
- AC_DEFINE(IRS_GETNAMEINFO_SOCKLEN_T, socklen_t,
- [Define to the sockaddr length type used by getnameinfo(3).])
- AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, socklen_t,
- [Define to the buffer length type used by getnameinfo(3).])
-- AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, unsigned int,
-+ AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, int,
- [Define to the flags type used by getnameinfo(3).])],
- [AC_TRY_COMPILE([
- #include <sys/types.h>
-@@ -3557,7 +3557,7 @@ int getnameinfo(const struct sockaddr *, size_t, char *,
- [AC_MSG_RESULT(not match any subspecies; assume standard definition)
- AC_DEFINE(IRS_GETNAMEINFO_SOCKLEN_T, socklen_t)
- AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, socklen_t)
--AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, int)])])])
-+AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, unsigned int)])])])
-
- #
- # ...and same for gai_strerror().
diff --git a/isc-config.sh.in b/isc-config.sh.in
-index a8a0a89e88..b5e94ed13e 100644
+index a8a0a89..b5e94ed 100644
--- a/isc-config.sh.in
+++ b/isc-config.sh.in
@@ -13,7 +13,18 @@ prefix=@prefix@
diff --git a/bind.spec b/bind.spec
index aa765cc..ef1be71 100644
--- a/bind.spec
+++ b/bind.spec
@@ -128,18 +128,12 @@ Patch159:bind-9.11-rt46047.patch
Patch160:bind-9.11-rh1624100.patch
#
https://gitlab.isc.org/isc-projects/bind9/issues/555
Patch161:bind-9.11-host-idn-disable.patch
-#
https://gitlab.isc.org/isc-projects/bind9/issues/624
-Patch162:bind-9.11-unit-dnstap-pkcs11.patch
#
https://gitlab.isc.org/isc-projects/bind9/commit/8a98277811e
Patch163:bind-9.11-rh1663318.patch
#
https://gitlab.isc.org/isc-projects/bind9/issues/819
Patch164:bind-9.11-rh1666814.patch
#
https://bugzilla.redhat.com/show_bug.cgi?id=1647829
Patch165:bind-9.11-rh1647829.patch
-# commit 8e1cc95c943b7dfaaaaf2d9a4971861735cc3fb2
-Patch166:bind-9.11-rh1647829-2.patch
-#
https://gitlab.isc.org/isc-projects/bind9/issues/225
-Patch167:bind-9.11-ed448-disable.patch
# random_test fails too often by random, disable it
Patch168:bind-9.11-unit-disable-random.patch
Patch169:bind-9.11-feature-test-dlz.patch
@@ -520,12 +514,9 @@ are used for building ISC DHCP.
%patch159 -p1 -b .rt46047
%patch160 -p1 -b .rh1624100
%patch161 -p1 -b .host-idn-disable
-%patch162 -p1 -b .dnstap-pkcs11
%patch163 -p1 -b .rh1663318
%patch164 -p1 -b .rh1666814
%patch165 -p1 -b .rh1647829
-%patch166 -p1 -b .rh1647829-2
-%patch167 -p1 -b .noed448
%patch168 -p1 -b .random_test-disable
%patch169 -p1 -b .featuretest-dlz
%patch170 -p1 -b .featuretest-named
diff --git a/bind97-rh478718.patch b/bind97-rh478718.patch
index ef44490..dfc4165 100644
--- a/bind97-rh478718.patch
+++ b/bind97-rh478718.patch
@@ -1,8 +1,8 @@
-diff --git a/configure.in b/configure.in
-index 896e81c1ce..73b1c8ccbb 100644
---- a/configure.in
-+++ b/configure.in
-@@ -4275,6 +4275,10 @@ if test "yes" = "$use_atomic"; then
+diff --git a/configure.ac b/configure.ac
+index 26c509e..c1bfd62 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -4152,6 +4152,10 @@ if test "yes" = "$use_atomic"; then
AC_MSG_RESULT($arch)
fi
@@ -14,10 +14,10 @@ index 896e81c1ce..73b1c8ccbb 100644
AC_MSG_CHECKING([compiler support for inline assembly code])
diff --git a/lib/isc/include/isc/platform.h.in b/lib/isc/include/isc/platform.h.in
-index 2ff522342f..58df86adb3 100644
+index c902d46..9c7c342 100644
--- a/lib/isc/include/isc/platform.h.in
+++ b/lib/isc/include/isc/platform.h.in
-@@ -289,19 +289,25 @@
+@@ -284,19 +284,25 @@
* If the "xaddq" operation (64bit xadd) is available on this architecture,
* ISC_PLATFORM_HAVEXADDQ will be defined.
*/
diff --git a/bind98-rh735103.patch b/bind98-rh735103.patch
deleted file mode 100644
index 51bf290..0000000
--- a/bind98-rh735103.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-diff -up bind-9.10.1b1/lib/isc/unix/socket.c.rh735103
bind-9.10.1b1/lib/isc/unix/socket.c
---- bind-9.10.1b1/lib/isc/unix/socket.c.rh735103 2014-06-23 06:47:35.000000000 +0200
-+++ bind-9.10.1b1/lib/isc/unix/socket.c 2014-07-29 16:25:27.172818662 +0200
-@@ -67,6 +67,20 @@
- #include <isc/util.h>
- #include <isc/xml.h>
-
-+/* See task.c about the following definition: */
-+#ifdef BIND9
-+#ifdef ISC_PLATFORM_USETHREADS
-+#define USE_WATCHER_THREAD
-+#else
-+#define USE_SHARED_MANAGER
-+#endif /* ISC_PLATFORM_USETHREADS */
-+#else /* BIND9 */
-+#undef ISC_PLATFORM_HAVESYSUNH
-+#undef ISC_PLATFORM_HAVEKQUEUE
-+#undef ISC_PLATFORM_HAVEEPOLL
-+#undef ISC_PLATFORM_HAVEDEVPOLL
-+#endif /* BIND9 */
-+
- #ifdef ISC_PLATFORM_HAVESYSUNH
- #include <sys/un.h>
- #endif
-@@ -86,13 +100,6 @@
-
- #include "errno2result.h"
-
--/* See task.c about the following definition: */
--#ifdef ISC_PLATFORM_USETHREADS
--#define USE_WATCHER_THREAD
--#else
--#define USE_SHARED_MANAGER
--#endif /* ISC_PLATFORM_USETHREADS */
--
- #ifndef USE_WATCHER_THREAD
- #include "socket_p.h"
- #include "../task_p.h"
commit 2aa49f0cece9cce65d5255d5f03471b1951c2ec4
Author: Petr Menk <pemensik(a)redhat.com>
Date: Tue Mar 5 14:35:50 2019 +0100
Update to 9.11.6
Update to the latest release; patches are not yet adapted for it.
diff --git a/.gitignore b/.gitignore
index 858d487..4c7e54a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -90,3 +90,4 @@ bind-9.7.2b1.tar.gz
/bind-9.11.5-P1.tar.gz
/config-19.tar.bz2
/bind-9.11.5-P4.tar.gz
+/bind-9.11.6.tar.gz
diff --git a/bind-9.11.5-P4.tar.gz.asc b/bind-9.11.5-P4.tar.gz.asc
deleted file mode 100644
index d7b138e..0000000
--- a/bind-9.11.5-P4.tar.gz.asc
+++ /dev/null
@@ -1,29 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Comment: GPGTools -
http://gpgtools.org
-
-iQIzBAABAgAdFiEEvg6XSLcYJToou4n/8bEb8FzwLlcFAlxks5sACgkQ8bEb8Fzw
-Lld2iA//SfqtuHZGjTKVk35vLEjpK52Xs/rmawtTI1aMApk8jEXgD7yASa5dkgM1
-xRcU7H/8omkf16Oi1m1fdamnMYhW6AvbfX4hdRY9EDn3JepXGdO0ft9G2KzmvZBt
-mU8bcqOfPHzEG0mu/oWMtL9eh9Edh5dFWxHkSGUnadXFTWH0NXRiyQwwmY6VexV4
-CQ7VkfP1fkuyZpq5tjyg9Z/umOmmwuwjkoaTbHxtfRLWVwMNgw24Pt6hUqjjJmCz
-auDlBuGXKjBgRqRmAQR3klmcvNCna3+4e1+W9w/pgRxeEr9YD1JLVyhsAvLZ9FUc
-Dpxz/MKfRkM71Lv3wvxrIODUrmSSecQ520lljxnNammnO0UuS6Og7LCpl6fSWm0c
-y3A51mq25TJ1AyOlaiSU2TPYc5XJOMjyBqIqAvJei1cV/R2gMTjbYGz3rU+b9LlG
-iRgdvAmUUhvBYAKXX7SmMUOFpXDiFv+Zbk0Gincok47VHihO4hksPx+RbL8BSOUJ
-PGsQytwVnSQJTrDGuELyQYSGJzN8l8fMLKckNiRecNWFHCOQFpkdbtlYp+C4yopR
-lGkx04ZVarlJBOPRkoN6mzZiXR17WaghHHXNq4gOP+HME6YAWJv3oLAAxeD8Tvyd
-p4M4xCHw3WZt6OiKwgCE02wnthn3aUyRv+oOGYCL3+eTtoUzdNKJAjMEAAECAB0W
-IQQVaJBoXqDfahNx7yAXzF2x8AiEBwUCXGSznAAKCRAXzF2x8AiEB3qgD/4qc2S3
-KcshK/BX10j75dmPVmNGdW1SH8V1h+nFKVIkvTzVXybBL3XeF7HP6/aJd460ku4n
-XZ5FXd78f+g+G2gJaMA+rprS0NfpclhUS64SVTSDY727dnmV49xDdRIpqmUB7B1w
-Nx9bLRHBxuPigE6S+Nmt78xrFmtS1cwegY2pz3ZD4HDDmtKMRuhZ9el71S7vLJyh
-60pvFCqQMPJX7r0OXFC4iYwgIHab0iHQu4AASvaXzi03dR2S058aRk6gBMoBlQcL
-Mcc/RzpHdJAKRx1bmU3h//HUAa5S6cKpRjDsFGj0GtFNY/ksdevTXTM3qB9k5GlR
-T4mEadsWP3ARL9qQHyW4eStTdkH1qzgJF2tKn2M+dXlfdRXNImZPrEDXOfzmyRfA
-ZoJLBeaJw5MaWeTtAcuPsppGDUuA9+hk9mpycmFZrxD21X4pr+NMrHa3TCFzAwgF
-qyc96uX1SiFMRyUmLJY2ZMBR2y8W7TdL+MWjWzsGxQg8Dj3IaAbvRg1XztxDP9XB
-RPYTniq7VOw4eEk3UgfjnIYfnEBQY+5d79MlSwxE4NBRg/h+ulZSHjP5HQ6BGzqu
-aPg+p/P+G2GfQ5x0RxchG0B/Ogj2PRIwXptgwOXVoEs1671odj3aEE5E8JKquYlO
-PRIIubc/EfYopZfyM2ryv2hAT+1z8ngeac1ycQ==
-=kFOo
------END PGP SIGNATURE-----
diff --git a/bind-9.11.6.tar.gz.asc
b/bind-9.11.6.tar.gz.asc
new file mode 100644
index 0000000..02ebf56
--- /dev/null
+++ b/bind-9.11.6.tar.gz.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Comment: GPGTools -
http://gpgtools.org
+
+iQIzBAABAgAdFiEEFWiQaF6g32oTce8gF8xdsfAIhAcFAlx4dTcACgkQF8xdsfAI
+hAc9QA/9FaZaH6OxWxjxdU2VdTzZzrxIn5VcTnrSLzeKapBgfH22dmmJZBPHqkCE
+uch+d4eWH3CwcVjDs5auW7o69q0KnUDObpg1aGXVjRnBHKyH88Ziny4sd1kMXcZz
+lk3HW3Cl+WQBxrA3l+QUQrW+IYIUM36ZpkMxbvgZOwGj8H8rzUjeszDqY86JH/QF
+7RekyZwQ/Mb21sJTNntYufOn1KnKm4WZ52jihLVEaNLzQQLRxPIajSOVo+77LPpI
+SJWo+iH4vz+5jEQUhDQ1eivDaKxRj/LcrVHQLB9JgCM+ZiRvxZRwqs6mANfDnpke
+Ohzwf9Lh255bfq3xNQLYwwDbUpQ8JoEQ91Qw6F1MQ/32uhiBlUnWd2Yua22oSlOg
+IcjXYW9i23Zyuuf1GLIENNaXNnVgxM44mmxQh0/Okf7Npake4kxKGEGtPkAdbWUk
+NSghxHu8/0h5rwth7Rox4mWvp1vjRMjOGAjqMr5eVjXvFnFSazkY47fmliZCTDFm
+O3Otqib4Z35hvXOZJvTIP/IOfjo4g3zNVcfxQHNCpyRSKqBs1smWPc3VbwlOr/nI
+g/BxY595ylLIW7Ln46/3mkqZJPQO5F8AqQ+YPr+6ts908qQbA+P8nXRrZ/tcxFaM
+N+LbjmvgzCtbReoKhS17PdTDqu8p61LIDdrtxZP02Fr4fcIRRQk=
+=uY61
+-----END PGP SIGNATURE-----
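Review bot: Nothing visible in this commit makes the build check the tarball against the new detached signature: the bind.spec hunks touch only PATCHVER, Version, Release and the changelog. If %prep does not already verify it elsewhere in the spec, consider shipping the upstream signing keyring as a source and adding `%{gpgverify} --keyring='%{SOURCE<keyring>}' --signature='%{SOURCE<asc>}' --data='%{SOURCE<tarball>}'` (source numbers are placeholders). Without that, the SHA512 in `sources` only pins whatever was uploaded to the lookaside cache. The replaced .asc was 29 lines and this one is 17, which may mean fewer signatures are attached, so it is worth confirming which key signed this release.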
diff --git a/bind.spec b/bind.spec
index ecbc8f7..aa765cc 100644
--- a/bind.spec
+++ b/bind.spec
@@ -2,7 +2,7 @@
# Red Hat BIND package .spec file
#
-%global PATCHVER P4
+#%%global PATCHVER P4
#%%global PREVER rc1
%global BINDVERSION %{version}%{?PREVER}%{?PATCHVER:-%{PATCHVER}}
@@ -53,8 +53,8 @@
Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server
Name: bind
License: MPLv2.0
-Version: 9.11.5
-Release: 15%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
+Version: 9.11.6
+Release: 1%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
Epoch: 32
Url:
https://www.isc.org/downloads/bind/
#
@@ -1538,6 +1538,9 @@ fi;
%changelog
+* Tue Mar 05 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.6-1
+- Update to 9.11.6
+
* Fri Mar 01 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-15.P4
- Support testing of named variants
diff --git a/sources b/sources
index 8336c9d..cae8504 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (bind-9.11.5-P4.tar.gz) =
ba750ffd080a47309db8be3df3d80896c5872aadb1a14ac7effd1bb783c2a2ae1e82959d6999eecc3d694336887060a84ae8813a17836b9064515cdd96fcb573
+SHA512 (bind-9.11.6.tar.gz) =
17a76ad4aafddeb86e330c4ca9b5fecb8df9e1109df4ff8d7a31d1da406f2597050d569460529b710f213360642842fcb9bdaa4eb79be10fcb093872fe75fdfd
SHA512 (config-19.tar.bz2) =
36aa38a0c7c33267ae594b31c81681290ac58dde7ca6749bd599da531380b5b1428330813dbe983e01071ccaed83e83f6a9cd92179a53b7d0ccbb6851a0b017c
commit 25e332108e68a819adc334c9c3261a9d8188bf71
Author: Petr Menk <pemensik(a)redhat.com>
Date: Fri Mar 1 16:24:20 2019 +0100
Make alternative named builds testable in system tests
Red Hat has alternative variant builds of named, which are not ever
tested by system tests. New variables make it relatively easy to test
alternative variants.
For sdb variant use:
export NAMED_VARIANT=-sdb DNSSEC_VARIANT=
For pkcs variant use:
export NAMED_VARIANT=-pkcs11 DNSSEC_VARIANT=-pkcs11
followed by make test in build directory.
Note: PKCS11 tests are still skipped; they require the SLOT variable to be
exported. Fails in some cases.
diff --git a/bind-9.11-tests-pkcs11.patch b/bind-9.11-tests-pkcs11.patch
new file mode 100644
index 0000000..79c55b2
--- /dev/null
+++ b/bind-9.11-tests-pkcs11.patch
@@ -0,0 +1,39 @@
+From 66298a12b09784eab2c052ab22f87bb2b2f1267b Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik(a)redhat.com>
+Date: Fri, 1 Mar 2019 15:55:46 +0100
+Subject: [PATCH] Detect correctly pkcs11 support
+
+It fails now always, because oot builds are not supported by
+cleanpkcs11.sh.
+---
+ bin/tests/system/cleanpkcs11.sh | 2 +-
+ bin/tests/system/conf.sh.in | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/bin/tests/system/cleanpkcs11.sh b/bin/tests/system/cleanpkcs11.sh
+index b974708..3bbef4c 100644
+--- a/bin/tests/system/cleanpkcs11.sh
++++ b/bin/tests/system/cleanpkcs11.sh
+@@ -12,6 +12,6 @@
+ SYSTEMTESTTOP=.
+ . $SYSTEMTESTTOP/conf.sh
+
+-if [ ! -x ../../pkcs11/pkcs11-destroy ]; then exit 1; fi
++if [ ! -x "$PK11DESTROY" ]; then exit 1; fi
+
+ $PK11DEL -w0 > /dev/null 2>&1
+diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in
+index a446c18..ede1203 100644
+--- a/bin/tests/system/conf.sh.in
++++ b/bin/tests/system/conf.sh.in
+@@ -46,6 +46,7 @@ CHECKZONE=$TOP/bin/check/named-checkzone
+ CHECKCONF=$TOP/bin/check/named-checkconf
+ PK11GEN="$TOP/bin/pkcs11/pkcs11-keygen -q -s ${SLOT:-0} -p ${HSMPIN:-1234}"
+ PK11LIST="$TOP/bin/pkcs11/pkcs11-list -s ${SLOT:-0} -p ${HSMPIN:-1234}"
++PK11DESTROY=$TOP/bin/pkcs11/pkcs11-destroy
+ PK11DEL="$TOP/bin/pkcs11/pkcs11-destroy -s ${SLOT:-0} -p ${HSMPIN:-1234} -w
0"
+ JOURNALPRINT=$TOP/bin/tools/named-journalprint
+ VERIFY=$TOP/bin/dnssec/dnssec-verify
+--
+2.20.1
+
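Review bot: `PK11DESTROY` is added to conf.sh.in, but `PK11DEL` on the next line still spells out the same path, so the executable check in cleanpkcs11.sh and the command it then runs can drift apart. Defining `PK11DEL="$PK11DESTROY -s ${SLOT:-0} -p ${HSMPIN:-1234} -w 0"` keeps them tied together. The surrounding context lines also show the token PIN defaulting to 1234 and being passed on the command line. That is acceptable for a throwaway test token, but a one-line comment such as `# test-only defaults; do not point SLOT/HSMPIN at a production token` next to these variables would make the assumption explicit.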
diff --git a/bind-9.11-tests-variants.patch b/bind-9.11-tests-variants.patch
new file mode 100644
index 0000000..b8ab1c0
--- /dev/null
+++ b/bind-9.11-tests-variants.patch
@@ -0,0 +1,65 @@
+From 118c70ab26f54f8ecd38da36f3e7d7ed66e2e764 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik(a)redhat.com>
+Date: Fri, 1 Mar 2019 15:48:20 +0100
+Subject: [PATCH] Make alternative named builds testable in system tests
+
+Red Hat has alternative variant builds of named, which are not ever
+tested by system tests. New variables make it relatively easy to test
+alternative variants.
+
+For sdb variant use:
+export NAMED_VARIANT=-sdb DNSSEC_VARIANT=
+
+For pkcs variant use:
+export NAMED_VARIANT=-pkcs11 DNSSEC_VARIANT=-pkcs11
+---
+ bin/tests/system/conf.sh.in | 19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+
+diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in
+index 0b9706a..a446c18 100644
+--- a/bin/tests/system/conf.sh.in
++++ b/bin/tests/system/conf.sh.in
+@@ -20,7 +20,7 @@ TOP=${SYSTEMTESTTOP:=.}/../../..
+ # Make it absolute so that it continues to work after we cd.
+ TOP=`cd $TOP && pwd`
+
+-NAMED=$TOP/bin/named/named
++NAMED=$TOP/bin/named${NAMED_VARIANT}/named${NAMED_VARIANT}
+ # We must use "named -l" instead of "lwresd" because argv[0] is
lost
+ # if the program is libtoolized.
+ LWRESD="$TOP/bin/named/named -l"
+@@ -31,13 +31,14 @@ NSUPDATE=$TOP/bin/nsupdate/nsupdate
+ DDNSCONFGEN=$TOP/bin/confgen/ddns-confgen
+ TSIGKEYGEN=$TOP/bin/confgen/tsig-keygen
+ RNDCCONFGEN=$TOP/bin/confgen/rndc-confgen
+-KEYGEN=$TOP/bin/dnssec/dnssec-keygen
+-KEYFRLAB=$TOP/bin/dnssec/dnssec-keyfromlabel
+-SIGNER=$TOP/bin/dnssec/dnssec-signzone
+-REVOKE=$TOP/bin/dnssec/dnssec-revoke
+-SETTIME=$TOP/bin/dnssec/dnssec-settime
+-DSFROMKEY=$TOP/bin/dnssec/dnssec-dsfromkey
+-IMPORTKEY=$TOP/bin/dnssec/dnssec-importkey
++KEYGEN=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-keygen${DNSSEC_VARIANT}
++KEYFRLAB=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-keyfromlabel${DNSSEC_VARIANT}
++SIGNER=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-signzone${DNSSEC_VARIANT}
++REVOKE=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-revoke${DNSSEC_VARIANT}
++SETTIME=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-settime${DNSSEC_VARIANT}
++DSFROMKEY=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-dsfromkey${DNSSEC_VARIANT}
++IMPORTKEY=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-importkey${DNSSEC_VARIANT}
++CHECKDS=$TOP/bin/python/dnssec-checkds
+ CHECKDS=$TOP/bin/python/dnssec-checkds
+ COVERAGE=$TOP/bin/python/dnssec-coverage
+ KEYMGR=$TOP/bin/python/dnssec-keymgr
+@@ -57,7 +58,7 @@ DNSTAPREAD=$TOP/bin/tools/dnstap-read
+ MDIG=$TOP/bin/tools/mdig
+ NZD2NZF=$TOP/bin/tools/named-nzd2nzf
+ FSTRM_CAPTURE=@FSTRM_CAPTURE@
+-FEATURETEST=$TOP/bin/named/feature-test
++FEATURETEST=$TOP/bin/named${NAMED_VARIANT}/feature-test${NAMED_VARIANT}
+
+ RANDFILE=$TOP/bin/tests/system/random.data
+
+--
+2.20.1
+
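Review bot: The conf.sh.in change adds a second `CHECKDS=$TOP/bin/python/dnssec-checkds` line directly above the existing one (the inner hunk grows from 13 to 14 lines), which looks like a leftover from editing the dnssec block. Dropping that added line keeps the patch to the nine intended substitutions. `LWRESD="$TOP/bin/named/named -l"` is left unchanged, so with `NAMED_VARIANT` set the lwresd tests would presumably still run the default build; if that is intended, a comment saying so would help. Both variables are spliced into executable paths, so a short comment in conf.sh.in listing the accepted values (empty, `-sdb`, `-pkcs11`) would document the contract for anyone exporting them.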
diff --git a/bind.spec b/bind.spec
index d2a0951..ecbc8f7 100644
--- a/bind.spec
+++ b/bind.spec
@@ -54,7 +54,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name
System) serv
Name: bind
License: MPLv2.0
Version: 9.11.5
-Release: 14%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
+Release: 15%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
Epoch: 32
Url:
https://www.isc.org/downloads/bind/
#
@@ -144,6 +144,8 @@ Patch167:bind-9.11-ed448-disable.patch
Patch168:bind-9.11-unit-disable-random.patch
Patch169:bind-9.11-feature-test-dlz.patch
Patch170:bind-9.11-feature-test-named.patch
+Patch171:bind-9.11-tests-variants.patch
+Patch172:bind-9.11-tests-pkcs11.patch
# SDB patches
Patch11: bind-9.3.2b2-sdbsrc.patch
@@ -527,6 +529,8 @@ are used for building ISC DHCP.
%patch168 -p1 -b .random_test-disable
%patch169 -p1 -b .featuretest-dlz
%patch170 -p1 -b .featuretest-named
+%patch171 -p1 -b .test-variant
+%patch172 -p1 -b .test-pkcs11
mkdir lib/dns/tests/testdata/dstrandom
cp -a %{SOURCE50} lib/dns/tests/testdata/dstrandom/random.data
@@ -1534,6 +1538,9 @@ fi;
%changelog
+* Fri Mar 01 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-15.P4
+- Support testing of named variants
+
* Thu Feb 28 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-14.P4
- Modify feature-test detection of dlz-filesystem
commit d0d728803b336b60cd2cefe582adb87739ca377e
Author: Petr Menk <pemensik(a)redhat.com>
Date: Thu Feb 28 18:17:53 2019 +0100
Modify feature test to detect dlz support
System tests are failing for named, because it cannot detect it does not
support filesystem SDB. Move feature test to named directory, so it is
built for every variant.
diff --git a/bind-9.10-dist-native-pkcs11.patch b/bind-9.10-dist-native-pkcs11.patch
index aa95e33..f5a6d78 100644
--- a/bind-9.10-dist-native-pkcs11.patch
+++ b/bind-9.10-dist-native-pkcs11.patch
@@ -1,3 +1,22 @@
+From c6c0dc7addd8b27718247aa9c67e3cf3f80a8be3 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik(a)redhat.com>
+Date: Fri, 1 Mar 2019 11:10:03 +0100
+Subject: [PATCH] bind-9.10-dist-native-pkcs11.patch
+
+---
+ bin/Makefile.in | 4 +--
+ bin/dnssec-pkcs11/Makefile.in | 44 ++++++++++++++---------------
+ bin/dnssec/Makefile.in | 2 +-
+ bin/named-pkcs11/Makefile.in | 45 +++++++++++++----------------
+ bin/named/Makefile.in | 2 +-
+ bin/pkcs11/Makefile.in | 6 ++--
+ configure.in | 53 +++++++++++++++++++++++++++--------
+ lib/Makefile.in | 2 +-
+ lib/dns-pkcs11/Makefile.in | 30 ++++++++++----------
+ lib/isc-pkcs11/Makefile.in | 28 +++++++++---------
+ make/includes.in | 10 +++++++
+ 11 files changed, 129 insertions(+), 97 deletions(-)
+
diff --git a/bin/Makefile.in b/bin/Makefile.in
index f0c504a..ce7a2da 100644
--- a/bin/Makefile.in
@@ -14,7 +33,7 @@ index f0c504a..ce7a2da 100644
@BIND9_MAKE_RULES@
diff --git a/bin/dnssec-pkcs11/Makefile.in b/bin/dnssec-pkcs11/Makefile.in
-index ce0a177..f8370cf 100644
+index ce0a177..8908a45 100644
--- a/bin/dnssec-pkcs11/Makefile.in
+++ b/bin/dnssec-pkcs11/Makefile.in
@@ -17,18 +17,18 @@ VERSION=@BIND9_VERSION@
@@ -24,8 +43,9 @@ index ce0a177..f8370cf 100644
-CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@
+CINCLUDES = ${DNS_PKCS11_INCLUDES} ${ISC_PKCS11_INCLUDES}
- CDEFINES = -DVERSION=\"${VERSION}\" @USE_PKCS11@ @PKCS11_ENGINE@ \
+-CDEFINES = -DVERSION=\"${VERSION}\" @USE_PKCS11@ @PKCS11_ENGINE@ \
- @CRYPTO@ -DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\"
++CDEFINES = -DVERSION=\"${VERSION}\" @PKCS11_ENGINE@ \
+ @CRYPTO_PK11@ -DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\"
CWARNINGS =
@@ -142,7 +162,7 @@ index ce0a177..7cede84 100644
CWARNINGS =
diff --git a/bin/named-pkcs11/Makefile.in b/bin/named-pkcs11/Makefile.in
-index d92bc9a..a8c42a4 100644
+index c0861f6..df80f81 100644
--- a/bin/named-pkcs11/Makefile.in
+++ b/bin/named-pkcs11/Makefile.in
@@ -43,26 +43,26 @@ DLZDRIVER_INCLUDES = @DLZ_DRIVER_INCLUDES@
@@ -189,12 +209,12 @@ index d92bc9a..a8c42a4 100644
NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCNOSYMLIBS} \
- ${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@
-+ @LIBS@
++ @LIBS@
SUBDIRS = unix
--TARGETS = named@EXEEXT@ lwresd@EXEEXT@
-+TARGETS = named-pkcs11@EXEEXT@
+-TARGETS = named@EXEEXT@ lwresd@EXEEXT@ feature-test@EXEEXT@
++TARGETS = named-pkcs11@EXEEXT@ feature-test-pkcs11@EXEEXT@
GEOIPLINKOBJS = geoip.@O@
@@ -218,7 +238,7 @@ index d92bc9a..a8c42a4 100644
MANPAGES = named.8 lwresd.8 named.conf.5
-@@ -146,14 +144,14 @@ server.@O@: server.c
+@@ -146,21 +144,21 @@ server.@O@: server.c
-DPRODUCT=\"${PRODUCT}\" \
-DVERSION=\"${VERSION}\" -c ${srcdir}/server.c
@@ -234,9 +254,17 @@ index d92bc9a..a8c42a4 100644
- @LN@ named@EXEEXT@ lwresd@EXEEXT@
+ @LN@ named-pkcs11@EXEEXT@ lwresd@EXEEXT@
- doc man:: ${MANOBJS}
+ # Bit of hack, do not produce intermediate .o object for featuretest
+ feature-test.@O@: ${top_srcdir}/bin/tests/system/feature-test.c
+ ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+ -c ${top_srcdir}/bin/tests/system/feature-test.c
+
+-feature-test@EXEEXT@: feature-test.@O@
++feature-test-pkcs11@EXEEXT@: feature-test.@O@
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} \
+ -o $@ feature-test.@O@ ${ISCLIBS} ${LIBS}
-@@ -184,16 +182,11 @@ install-man8: named.8 lwresd.8
+@@ -193,16 +191,11 @@ install-man8: named.8 lwresd.8
install-man: install-man5 install-man8
@@ -257,7 +285,7 @@ index d92bc9a..a8c42a4 100644
@DLZ_DRIVER_RULES@
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
-index d92bc9a..6d2bfd1 100644
+index c0861f6..04dea99 100644
--- a/bin/named/Makefile.in
+++ b/bin/named/Makefile.in
@@ -47,7 +47,7 @@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
@@ -291,7 +319,7 @@ index a058c91..d4b689a 100644
DEPLIBS = ${ISCDEPLIBS}
diff --git a/configure.in b/configure.in
-index 898b4ac..1edafd1 100644
+index b2bb268..d9e0797 100644
--- a/configure.in
+++ b/configure.in
@@ -1109,12 +1109,14 @@ AC_SUBST(USE_GSSAPI)
@@ -369,7 +397,7 @@ index 898b4ac..1edafd1 100644
then
AC_MSG_RESULT()
AC_MSG_ERROR([OpenSSL and native PKCS11 cannot be used together.])
-@@ -2011,6 +2015,7 @@ AC_SUBST(OPENSSL_ED25519)
+@@ -2016,6 +2020,7 @@ AC_SUBST(OPENSSL_ED25519)
AC_SUBST(OPENSSL_GOST)
DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DST_OPENSSL_LIBS"
@@ -377,7 +405,7 @@ index 898b4ac..1edafd1 100644
ISC_PLATFORM_WANTAES="#undef ISC_PLATFORM_WANTAES"
if test "yes" = "$with_aes"
-@@ -2329,6 +2334,7 @@ esac
+@@ -2334,6 +2339,7 @@ esac
AC_SUBST(PKCS11LINKOBJS)
AC_SUBST(PKCS11LINKSRCS)
AC_SUBST(CRYPTO)
@@ -385,7 +413,7 @@ index 898b4ac..1edafd1 100644
AC_SUBST(PKCS11_ECDSA)
AC_SUBST(PKCS11_GOST)
AC_SUBST(PKCS11_ED25519)
-@@ -5401,8 +5407,11 @@ AC_CONFIG_FILES([
+@@ -5406,8 +5412,11 @@ AC_CONFIG_FILES([
bin/delv/Makefile
bin/dig/Makefile
bin/dnssec/Makefile
@@ -397,7 +425,7 @@ index 898b4ac..1edafd1 100644
bin/nsupdate/Makefile
bin/pkcs11/Makefile
bin/python/Makefile
-@@ -5476,6 +5485,10 @@ AC_CONFIG_FILES([
+@@ -5480,6 +5489,10 @@ AC_CONFIG_FILES([
lib/dns/include/dns/Makefile
lib/dns/include/dst/Makefile
lib/dns/tests/Makefile
@@ -408,7 +436,7 @@ index 898b4ac..1edafd1 100644
lib/irs/Makefile
lib/irs/include/Makefile
lib/irs/include/irs/Makefile
-@@ -5500,6 +5513,24 @@ AC_CONFIG_FILES([
+@@ -5504,6 +5517,24 @@ AC_CONFIG_FILES([
lib/isc/unix/include/Makefile
lib/isc/unix/include/isc/Makefile
lib/isc/unix/include/pkcs11/Makefile
@@ -610,3 +638,6 @@ index fa86ad1..3cfbe9f 100644
+
+DNS_PKCS11_INCLUDES = @BIND9_DNS_BUILDINCLUDE@ \
+ -I${top_srcdir}/lib/dns-pkcs11/include
+--
+2.20.1
+
diff --git a/bind-9.10-sdb.patch b/bind-9.10-sdb.patch
index 7874a5c..e087ad7 100644
--- a/bind-9.10-sdb.patch
+++ b/bind-9.10-sdb.patch
@@ -1,3 +1,17 @@
+From 09b71a1994d7ea3b299746167b6bcf24021edd76 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik(a)redhat.com>
+Date: Thu, 28 Feb 2019 18:37:01 +0100
+Subject: [PATCH] bind-9.10-sdb.patch
+
+---
+ bin/Makefile.in | 4 +-
+ bin/named-sdb/Makefile.in | 25 +++++-------
+ bin/named-sdb/main.c | 83 +++++++++++++++++++++++++++++++++++++++
+ bin/named/Makefile.in | 16 +++-----
+ bin/sdb_tools/Makefile.in | 10 +++--
+ configure.in | 3 ++
+ 6 files changed, 110 insertions(+), 31 deletions(-)
+
diff --git a/bin/Makefile.in b/bin/Makefile.in
index ce7a2da..4e6a824 100644
--- a/bin/Makefile.in
@@ -14,7 +28,7 @@ index ce7a2da..4e6a824 100644
@BIND9_MAKE_RULES@
diff --git a/bin/named-sdb/Makefile.in b/bin/named-sdb/Makefile.in
-index 6d2bfd1..d3f42e8 100644
+index 04dea99..4ff053e 100644
--- a/bin/named-sdb/Makefile.in
+++ b/bin/named-sdb/Makefile.in
@@ -30,10 +30,10 @@ VERSION=@BIND9_VERSION@
@@ -35,8 +49,8 @@ index 6d2bfd1..d3f42e8 100644
SUBDIRS = unix
--TARGETS = named@EXEEXT@ lwresd@EXEEXT@
-+TARGETS = named-sdb@EXEEXT@
+-TARGETS = named@EXEEXT@ lwresd@EXEEXT@ feature-test@EXEEXT@
++TARGETS = named-sdb@EXEEXT@ feature-test-sdb@EXEEXT@
GEOIPLINKOBJS = geoip.@O@
@@ -49,7 +63,16 @@ index 6d2bfd1..d3f42e8 100644
export MAKE_SYMTABLE="yes"; \
export BASEOBJS="${OBJS} ${UOBJS}"; \
${FINALBUILDCMD}
-@@ -173,8 +173,6 @@ statschannel.@O@: bind9.xsl.h
+@@ -160,7 +160,7 @@ feature-test.@O@: ${top_srcdir}/bin/tests/system/feature-test.c
+ ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+ -c ${top_srcdir}/bin/tests/system/feature-test.c
+
+-feature-test@EXEEXT@: feature-test.@O@
++feature-test-sdb@EXEEXT@: feature-test.@O@
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} \
+ -o $@ feature-test.@O@ ${ISCLIBS} ${LIBS}
+
+@@ -182,8 +182,6 @@ statschannel.@O@: bind9.xsl.h
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
@@ -58,7 +81,7 @@ index 6d2bfd1..d3f42e8 100644
install-man5: named.conf.5
${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man5
-@@ -184,16 +182,11 @@ install-man8: named.8 lwresd.8
+@@ -193,16 +191,11 @@ install-man8: named.8 lwresd.8
install-man: install-man5 install-man8
@@ -79,10 +102,10 @@ index 6d2bfd1..d3f42e8 100644
@DLZ_DRIVER_RULES@
diff --git a/bin/named-sdb/main.c b/bin/named-sdb/main.c
-index bb639d9..555c4d9 100644
+index 8cec1ad..de5e5bb 100644
--- a/bin/named-sdb/main.c
+++ b/bin/named-sdb/main.c
-@@ -91,6 +91,10 @@
+@@ -93,6 +93,10 @@
* Include header files for database drivers here.
*/
/* #include "xxdb.h" */
@@ -93,7 +116,7 @@ index bb639d9..555c4d9 100644
#ifdef CONTRIB_DLZ
/*
-@@ -1061,6 +1065,11 @@ setup(void) {
+@@ -1063,6 +1067,11 @@ setup(void) {
ns_main_earlyfatal("isc_app_start() failed: %s",
isc_result_totext(result));
@@ -105,7 +128,7 @@ index bb639d9..555c4d9 100644
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
ISC_LOG_NOTICE, "starting %s %s%s%s <id:%s>",
ns_g_product, ns_g_version,
-@@ -1261,6 +1270,75 @@ setup(void) {
+@@ -1263,6 +1272,75 @@ setup(void) {
isc_result_totext(result));
#endif
@@ -181,7 +204,7 @@ index bb639d9..555c4d9 100644
ns_server_create(ns_g_mctx, &ns_g_server);
#ifdef HAVE_LIBSECCOMP
-@@ -1303,6 +1381,11 @@ cleanup(void) {
+@@ -1305,6 +1383,11 @@ cleanup(void) {
dns_name_destroy();
@@ -194,7 +217,7 @@ index bb639d9..555c4d9 100644
ISC_LOG_NOTICE, "exiting");
ns_log_shutdown();
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
-index 6d2bfd1..86f8587 100644
+index 04dea99..9ed9637 100644
--- a/bin/named/Makefile.in
+++ b/bin/named/Makefile.in
@@ -45,9 +45,9 @@ DLZDRIVER_LIBS = @DLZ_DRIVER_LIBS@
@@ -243,7 +266,7 @@ index 6d2bfd1..86f8587 100644
MANPAGES = named.8 lwresd.8 named.conf.5
-@@ -195,7 +193,5 @@ uninstall::
+@@ -204,7 +202,5 @@ uninstall::
rm -f ${DESTDIR}${sbindir}/lwresd@EXEEXT@
${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named@EXEEXT@
@@ -287,10 +310,10 @@ index c7e0868..95ab742 100644
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2sqlite@EXEEXT@ ${DESTDIR}${sbindir}
${INSTALL_DATA} ${srcdir}/zone2ldap.1 ${DESTDIR}${mandir}/man1/zone2ldap.1
diff --git a/configure.in b/configure.in
-index 62536a6..f571a4f 100644
+index c09c21a..e48bd2e 100644
--- a/configure.in
+++ b/configure.in
-@@ -5445,6 +5445,8 @@ AC_CONFIG_FILES([
+@@ -5417,6 +5417,8 @@ AC_CONFIG_FILES([
bin/named/unix/Makefile
bin/named-pkcs11/Makefile
bin/named-pkcs11/unix/Makefile
@@ -299,7 +322,7 @@ index 62536a6..f571a4f 100644
bin/nsupdate/Makefile
bin/pkcs11/Makefile
bin/python/Makefile
-@@ -5469,6 +5471,7 @@ AC_CONFIG_FILES([
+@@ -5441,6 +5443,7 @@ AC_CONFIG_FILES([
bin/python/isc/tests/dnskey_test.py
bin/python/isc/tests/policy_test.py
bin/rndc/Makefile
@@ -307,3 +330,6 @@ index 62536a6..f571a4f 100644
bin/tests/Makefile
bin/tests/headerdep_test.sh
bin/tests/optional/Makefile
+--
+2.20.1
+
diff --git a/bind-9.11-feature-test-dlz.patch b/bind-9.11-feature-test-dlz.patch
new file mode 100644
index 0000000..2c06d9f
--- /dev/null
+++ b/bind-9.11-feature-test-dlz.patch
@@ -0,0 +1,85 @@
+From fe4074d27f642dd93afb5988a2edc7c173b22520 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik(a)redhat.com>
+Date: Wed, 30 Jan 2019 15:12:54 +0100
+Subject: [PATCH] Support DLZ filesystem detection in feature-test
+
+Do not use variable from configure to detect the feature.
+---
+ bin/tests/system/Makefile.in | 2 +-
+ bin/tests/system/dlz/{prereq.sh.in => prereq.sh} | 2 +-
+ bin/tests/system/feature-test.c | 9 +++++++++
+ configure.in | 1 -
+ 4 files changed, 11 insertions(+), 3 deletions(-)
+ rename bin/tests/system/dlz/{prereq.sh.in => prereq.sh} (91%)
+
+diff --git a/bin/tests/system/Makefile.in b/bin/tests/system/Makefile.in
+index c18b4c5..dea2f75 100644
+--- a/bin/tests/system/Makefile.in
++++ b/bin/tests/system/Makefile.in
+@@ -19,7 +19,7 @@ SUBDIRS = dlzexternal dyndb lwresd pipelined rndc rsabigexponent tkey
+
+ CINCLUDES = ${ISC_INCLUDES} ${DNS_INCLUDES}
+
+-CDEFINES = @USE_GSSAPI@
++CDEFINES = @USE_GSSAPI@ @CONTRIB_DLZ@
+ CWARNINGS =
+
+ DNSLIBS =
+diff --git a/bin/tests/system/dlz/prereq.sh.in b/bin/tests/system/dlz/prereq.sh
+similarity index 91%
+rename from bin/tests/system/dlz/prereq.sh.in
+rename to bin/tests/system/dlz/prereq.sh
+index afec653..fb3328e 100644
+--- a/bin/tests/system/dlz/prereq.sh.in
++++ b/bin/tests/system/dlz/prereq.sh
+@@ -12,7 +12,7 @@
+ SYSTEMTESTTOP=..
+ . $SYSTEMTESTTOP/conf.sh
+
+-if [ "@DLZ_SYSTEM_TEST@" != "filesystem" ]; then
++if ! $FEATURETEST --with-dlz-filesystem; then
+ echo_i "DLZ filesystem driver not supported"
+ exit 255
+ fi
+diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c
+index 5eee6aa..78bd3b9 100644
+--- a/bin/tests/system/feature-test.c
++++ b/bin/tests/system/feature-test.c
+@@ -51,6 +51,7 @@ usage() {
+ fprintf(stderr, " --rpz-nsip\n");
+ fprintf(stderr, " --with-idn\n");
+ fprintf(stderr, " --with-lmdb\n");
++ fprintf(stderr, " --with-dlz-filesystem\n");
+ }
+
+ int
+@@ -182,6 +183,14 @@ main(int argc, char **argv) {
+ #endif
+ }
+
++ if (strcmp(argv[1], "--with-dlz-filesystem") == 0) {
++#ifdef DLZ_FILESYSTEM
++ return (0);
++#else
++ return (1);
++#endif
++ }
++
+ if (strcmp(argv[1], "--ipv6only=no") == 0) {
+ #ifdef WIN32
+ return (0);
+diff --git a/configure.in b/configure.in
+index fc1ad41..b2bb268 100644
+--- a/configure.in
++++ b/configure.in
+@@ -5439,7 +5439,6 @@ AC_CONFIG_FILES([
+ bin/tests/pkcs11/benchmarks/Makefile
+ bin/tests/system/Makefile
+ bin/tests/system/conf.sh
+- bin/tests/system/dlz/prereq.sh
+ bin/tests/system/dlzexternal/Makefile
+ bin/tests/system/dlzexternal/ns1/dlzs.conf
+ bin/tests/system/dyndb/Makefile
+--
+2.20.1
+
diff --git a/bind-9.11-feature-test-named.patch b/bind-9.11-feature-test-named.patch
new file mode 100644
index 0000000..9758c38
--- /dev/null
+++ b/bind-9.11-feature-test-named.patch
@@ -0,0 +1,58 @@
+From 4293078b294cbb766abe84d3b1618b1cb5413c82 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik(a)redhat.com>
+Date: Wed, 30 Jan 2019 14:37:17 +0100
+Subject: [PATCH 2/2] Create feature-test in source directory
+
+Feature-test tool is used in system tests to test compiled in changes.
+Because we build more variants of named with different configuration,
+compile feature-test for each of them this way.
+---
+ bin/named/Makefile.in | 11 ++++++++++-
+ bin/tests/system/conf.sh.in | 2 +-
+ 2 files changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
+index 1c413973d0..b31df9a718 100644
+--- a/bin/named/Makefile.in
++++ b/bin/named/Makefile.in
+@@ -79,7 +79,7 @@ NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
+
+ SUBDIRS = unix
+
+-TARGETS = named@EXEEXT@ lwresd@EXEEXT@
++TARGETS = named@EXEEXT@ lwresd@EXEEXT@ feature-test@EXEEXT@
+
+ GEOIPLINKOBJS = geoip.@O@
+
+@@ -151,6 +151,15 @@ lwresd@EXEEXT@: named@EXEEXT@
+ rm -f lwresd@EXEEXT@
+ @LN@ named@EXEEXT@ lwresd@EXEEXT@
+
++# Bit of hack, do not produce intermediate .o object for featuretest
++feature-test.@O@: ${top_srcdir}/bin/tests/system/feature-test.c
++ ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
++ -c ${top_srcdir}/bin/tests/system/feature-test.c
++
++feature-test@EXEEXT@: feature-test.@O@
++ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} \
++ -o $@ feature-test.@O@ ${ISCLIBS} ${LIBS}
++
+ doc man:: ${MANOBJS}
+
+ docclean manclean maintainer-clean::
+diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in
+index 2236f0a151..b072af8467 100644
+--- a/bin/tests/system/conf.sh.in
++++ b/bin/tests/system/conf.sh.in
+@@ -64,7 +64,7 @@ DNSTAPREAD=$TOP/bin/tools/dnstap-read
+ MDIG=$TOP/bin/tools/mdig
+ NZD2NZF=$TOP/bin/tools/named-nzd2nzf
+ FSTRM_CAPTURE=@FSTRM_CAPTURE@
+-FEATURETEST=$TOP/bin/tests/system/feature-test
++FEATURETEST=$TOP/bin/named/feature-test
+
+ RANDFILE=$TOP/bin/tests/system/random.data
+
+--
+2.20.1
+
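Review bot: The comment `# Bit of hack, do not produce intermediate .o object for featuretest` contradicts the rule under it, which compiles `feature-test.@O@` and then links it into `feature-test@EXEEXT@`. A comment that matches the commit message would read better, for example `# feature-test lives in bin/tests/system but is built here so each named variant gets its own copy`. The `clean` target is outside the hunk, so check that the new object and binary are removed there.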
diff --git a/bind.spec b/bind.spec
index eafbae7..d2a0951 100644
--- a/bind.spec
+++ b/bind.spec
@@ -54,7 +54,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name
System) serv
Name: bind
License: MPLv2.0
Version: 9.11.5
-Release: 13%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
+Release: 14%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
Epoch: 32
Url:
https://www.isc.org/downloads/bind/
#
@@ -142,6 +142,8 @@ Patch166:bind-9.11-rh1647829-2.patch
Patch167:bind-9.11-ed448-disable.patch
# random_test fails too often by random, disable it
Patch168:bind-9.11-unit-disable-random.patch
+Patch169:bind-9.11-feature-test-dlz.patch
+Patch170:bind-9.11-feature-test-named.patch
# SDB patches
Patch11: bind-9.3.2b2-sdbsrc.patch
@@ -523,6 +525,8 @@ are used for building ISC DHCP.
%patch166 -p1 -b .rh1647829-2
%patch167 -p1 -b .noed448
%patch168 -p1 -b .random_test-disable
+%patch169 -p1 -b .featuretest-dlz
+%patch170 -p1 -b .featuretest-named
mkdir lib/dns/tests/testdata/dstrandom
cp -a %{SOURCE50} lib/dns/tests/testdata/dstrandom/random.data
@@ -1530,6 +1534,9 @@ fi;
%changelog
+* Thu Feb 28 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-14.P4
+- Modify feature-test detection of dlz-filesystem
+
* Fri Feb 22 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-13.P4
- Update to 9.11.5-P4
commit 8da0172aacced475265010cbe42e08c698235c15
Author: Petr Menk <pemensik(a)redhat.com>
Date: Fri Feb 22 21:31:30 2019 +0100
Upstream tests in beakerlib
Prepare system tests from source package and start them. Check results
and report failure.
diff --git a/tests/Run-internal-BIND-test-suite/Makefile
b/tests/Run-internal-BIND-test-suite/Makefile
new file mode 100644
index 0000000..2343d3d
--- /dev/null
+++ b/tests/Run-internal-BIND-test-suite/Makefile
@@ -0,0 +1,74 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Makefile of tests/Run-internal-BIND-test-suite
+# Description: Run internal BIND test suite
+# Author: Martin Cermak <mcermak(a)redhat.com>
+# Author: Petr Mensik <pemensik(a)redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2010 Red Hat, Inc. All rights reserved.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=tests/Run-internal-BIND-test-suite
+export TESTVERSION=1.3
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE knownerror* setup-named-softhsm.sh
bind-systest-filter.sh
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+ ./runtest.sh
+
+build: $(BUILT_FILES)
+ chmod a+x runtest.sh
+
+clean:
+ rm -f *~ $(BUILT_FILES)
+
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+ @echo "Owner: Martin Cermak <mcermak(a)redhat.com>" >
$(METADATA)
+ @echo "Name: $(TEST)" >> $(METADATA)
+ @echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
+ @echo "Path: $(TEST_DIR)" >> $(METADATA)
+ @echo "Description: Run internal BIND test suite" >> $(METADATA)
+ @echo "Type: Sanity" >> $(METADATA)
+ @echo "TestTime: 8h" >> $(METADATA)
+ @echo "RunFor: bind" >> $(METADATA)
+ @echo "Requires: bind rpm-build bind-utils" >> $(METADATA)
+ @echo "Requires: perl-Net-DNS perl-Net-DNS-Nameserver" >>
$(METADATA)
+ @echo "Requires: bind-pkcs11 bind-pkcs11-utils softhsm" >>
$(METADATA)
+ @echo "Requires: openssl-devel libtool autoconf" >> $(METADATA)
+ @echo "Requires: libcap-devel libidn-devel libxml2-devel" >>
$(METADATA)
+ @echo "Requires: openldap-devel postgresql-devel" >> $(METADATA)
+ @echo "Requires: sqlite-devel krb5-devel net-tools" >>
$(METADATA)
+ @echo "Requires: dnf-utils" >> $(METADATA)
+ @echo "Requires: kyua libatf-c" >> $(METADATA)
+ @echo "Requires: gcc-c++" >> $(METADATA)
+ @echo "Priority: Normal" >> $(METADATA)
+ @echo "License: GPLv2" >> $(METADATA)
+ @echo "Confidential: no" >> $(METADATA)
+ @echo "Destructive: no" >> $(METADATA)
+ @echo "Bug: 642970" >> $(METADATA)
+
+ rhts-lint $(METADATA)
diff --git a/tests/Run-internal-BIND-test-suite/PURPOSE
b/tests/Run-internal-BIND-test-suite/PURPOSE
new file mode 100644
index 0000000..754ba2a
--- /dev/null
+++ b/tests/Run-internal-BIND-test-suite/PURPOSE
@@ -0,0 +1,6 @@
+PURPOSE of tests/Run-internal-BIND-test-suite
+Description: Run internal BIND test suite
+Author: Martin Cermak <mcermak(a)redhat.com>
+Bug summary: Run internal BIND test suite
+Bugzilla link:
https://bugzilla.redhat.com/show_bug.cgi?id=642970
+
diff --git a/tests/Run-internal-BIND-test-suite/bind-systest-filter.sh
b/tests/Run-internal-BIND-test-suite/bind-systest-filter.sh
new file mode 100755
index 0000000..8a153a1
--- /dev/null
+++ b/tests/Run-internal-BIND-test-suite/bind-systest-filter.sh
@@ -0,0 +1,47 @@
+#!/bin/bash
+#
+# This script will filter out output from BINDs tests
+# It supports form from BIND 9.9 and BIND 9.11
+# Its purpose is to display only failed tests from list of all tests
+
+CURRENT_TEST=
+CURRENT_OUTPUT=
+STATUS_ONLY=
+
+for P; do
+ case "$P" in
+ -s|--status) STATUS_ONLY=yes; shift ;;
+ esac
+done
+
+cat $@ | while read LINE; do
+ if [ "${LINE#S:}" != "$LINE" ]; then
+ CURRENT_TEST=`echo $LINE | cut -d: -f2`
+ CURRENT_OUTPUT="$LINE"$'\n'
+ elif [ "${LINE#R:}" != "$LINE" ]; then
+ # echo "$CURRENT_TEST $LINE"
+ if [ "${LINE/#R:*:*}" != "$LINE" ]; then
+ # more recent results contain test name
+ # R:dlz:FAIL
+ CURRENT_TEST="${LINE#R:}"
+ CURRENT_TEST="${CURRENT_TEST/%:*}"
+ RESULT="${LINE/#*:}"
+ else
+ # S:dlz:time
+ # R:FAIL
+ RESULT="${LINE/#R*:/}"
+ fi
+ if [ "$RESULT" != "PASS" ]; then
+ if [ -n "$STATUS_ONLY" ]; then
+ echo "$RESULT $CURRENT_TEST"
+ else
+ CURRENT_OUTPUT+="$LINE"
+ echo "$CURRENT_OUTPUT"
+ echo
+ fi
+ fi
+ CURRENT_OUTPUT=
+ else
+ CURRENT_OUTPUT+="$LINE"$'\n'
+ fi
+done
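Review bot: The `shift` inside `for P; do` drops the first positional parameter, not the option that was just matched, so `bind-systest-filter.sh test.txt -s` would discard the file name and hand `-s` to `cat`. It works today only because runtest.sh passes `-s` first. `cat $@` is also unquoted, so a log path containing whitespace is split, and `read` without `-r` eats backslashes in the test output. Collecting the non-option arguments into an array fixes all three, which matters because this filter decides which failures the harness reports.

```shell
FILES=()
for P; do
	case "$P" in
		-s|--status) STATUS_ONLY=yes ;;
		*) FILES+=("$P") ;;
	esac
done

cat -- "${FILES[@]}" | while read -r LINE; do
	# … unchanged: S:/R: line handling and failure reporting …
done
```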
diff --git a/tests/Run-internal-BIND-test-suite/knownerror
b/tests/Run-internal-BIND-test-suite/knownerror
new file mode 100644
index 0000000..2d0c8e9
--- /dev/null
+++ b/tests/Run-internal-BIND-test-suite/knownerror
@@ -0,0 +1,2 @@
+A:System test dlz
+A:System test idna
diff --git a/tests/Run-internal-BIND-test-suite/runtest.sh
b/tests/Run-internal-BIND-test-suite/runtest.sh
new file mode 100755
index 0000000..7f4d212
--- /dev/null
+++ b/tests/Run-internal-BIND-test-suite/runtest.sh
@@ -0,0 +1,146 @@
+#!/bin/bash
+# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# runtest.sh of tests/Run-internal-BIND-test-suite
+# Description: Run internal BIND test suite
+# Author: Martin Cermak <mcermak(a)redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2010 Red Hat, Inc. All rights reserved.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include rhts environment
+. /usr/bin/rhts-environment.sh
+. /usr/lib/beakerlib/beakerlib.sh
+
+PACKAGE="bind"
+
+rlJournalStart
+ rlPhaseStartSetup
+ # package assertions
+ rlAssertRpm $PACKAGE
+ rlAssertRpm rpm-build
+ rlAssertRpm perl-Net-DNS-Nameserver
+
+ #pwd
+ ORIG=`pwd`
+ FOUNDERROR=`mktemp`
+ SETUP_SOFTHSM=`readlink -f setup-named-softhsm.sh`
+ FILTER=`readlink -f bind-systest-filter.sh`
+
+ TAG=generic
+ if [ -f /etc/os-release ]; then
+ # extract platform tag
+ TAG=`(source /etc/os-release && echo ${PLATFORM_ID#platform:})`
+ fi
+
+ if [ -f "knownerror.$TAG" ]; then
+ KNOWNERROR=`readlink -f knownerror.$TAG`
+ elif [ -f "knownerror" ]; then
+ KNOWNERROR=`readlink -f knownerror`
+ fi
+
+ #tempdir
+ rlRun "TMPDIR=\`mktemp -d\`" 0 "Creating tmp directory"
+ rlRun "pushd $TMPDIR"
+
+ # topdir
+ TOPDIR=`rpm -E '%{_topdir}'`
+
+ # cleanup in topdir
+ mkdir -p $TOPDIR/{BUILD,SOURCES,SPECS}
+ rm -rf $TOPDIR/{BUILD,SOURCES,SPECS}/*
+
+ # download src rpm
+ if ! ls bind*.src.rpm; then
+ rlRun "dnf --enablerepo='*-source' download bind.src" 0 "Fetch
source from repository"
+ rlRun "rpm -i bind*.src.rpm"
+ fi
+
+ rlRun "rpm --define '_topdir $TOPDIR' -Uvh *rpm &>
$TMPDIR/install.txt"
+ rlRun "cd $TOPDIR/SPECS"
+
+ rlRun "dnf -y builddep *.spec"
+
+ # stop bind if it is running
+ rlServiceStop named
+ rlPhaseEnd
+
+ rlPhaseStartTest
+ # rebuild from source
+ rlRun "rpmbuild -ba *.spec &> $TMPDIR/build.txt"
+
+ # the test
+ rlRun "cd $TOPDIR/BUILD/bind*"
+
+ rlLogInfo "Test takes place in `pwd`"
+
+ rlRun "chown -R root ."
+
+ if [ -x "$SETUP_SOFTHSM" ]; then
+ rlRun "eval \"$(bash $SETUP_SOFTHSM -A)\"" 0 "Preparing
PKCS#11 token slot"
+ rlRun "pkcs11-tokens" 0 "Testing token slot availability"
+ else
+ rlLog "PKCS#11 not initialized"
+ fi
+
+ if [ -d build ]; then
+ BUILD=build
+ else
+ BUILD=.
+ fi
+
+ rlRun "./bin/tests/system/ifconfig.sh up" 0 "Setup fake network
interfaces."
+
+ # required by idna test
+ export LC_ALL=en_US.UTF-8
+
+ rlRun "pushd $BUILD"
+ rlRun "make test &> $TMPDIR/test.txt" 0-255 "Perform the
test."
+ rlRun "popd"
+
+ rlRun "grep -C 10 FAIL $TMPDIR/test.txt" 0-255 "Quickly show the
test error (if any)."
+
+ rlRun "./bin/tests/system/ifconfig.sh down" 0 "Remove fake network
interfaces."
+
+
+ #list of failures:
+ rlRun "$FILTER $TMPDIR/test.txt" 0 "Showing unsuccessful tests"
+ rlRun "$FILTER -s $TMPDIR/test.txt > $FOUNDERROR" 0
+ rlRun "ls $KNOWNERROR $FOUNDERROR $TMPDIR/test.txt" 0 'check if there is
needed files'
+ rlLog "`cat $FOUNDERROR`"
+
+ rlAssertLesserOrEqual "Checking number of found errors is in limits"
"$(grep '^FAIL' $FOUNDERROR | wc -l)" "$(wc -l
<$KNOWNERROR)"
+ cat $FOUNDERROR | while read STATUS TEST ; do
+ if [ "$STATUS" = FAIL ]; then
+ rlRun "grep '$TEST' $KNOWNERROR" 0 "Check $TEST failure is
expected"
+ else
+ rlLog "$STATUS $TEST"
+ fi
+ done
+ rlPhaseEnd
+
+ rlPhaseStartCleanup
+ rlBundleLogs "TEST_LOGS" "$TMPDIR/install.txt"
"$TMPDIR/builddeps.txt" "$TMPDIR/build.txt"
"$TMPDIR/test.txt"
+ rlRun "popd"
+ rlRun "rm -r $TMPDIR" 0 "Removing tmp directory"
+ rlRun "rm -rf $FOUNDERROR"
+ rlPhaseEnd
+rlJournalEnd
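Review bot: The expected-failure check at the end of the test phase can pass for the wrong reason, because `grep '$TEST' $KNOWNERROR` treats the test name as an unanchored pattern. A failing `dlz` would be accepted by a knownerror entry for a longer name such as `dlzexternal`. If neither `knownerror.$TAG` nor `knownerror` exists, `$KNOWNERROR` is empty and grep reads the loop's own stdin instead of a file. Match the name as a fixed whole word and stop early when the list is missing, e.g. `[ -n "$KNOWNERROR" ] || rlDie "no knownerror file"` in setup and `grep -Fw -- '$TEST' '$KNOWNERROR'` in the loop. Separately, `rm -rf $TOPDIR/{BUILD,SOURCES,SPECS}/*` trusts an unchecked `rpm -E` result in a script that presumably runs as root; `"${TOPDIR:?}"` would abort instead of expanding to `/BUILD/*` if the macro comes back empty.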
diff --git a/tests/Run-internal-BIND-test-suite/setup-named-softhsm.sh
b/tests/Run-internal-BIND-test-suite/setup-named-softhsm.sh
new file mode 100755
index 0000000..a13c91e
--- /dev/null
+++ b/tests/Run-internal-BIND-test-suite/setup-named-softhsm.sh
@@ -0,0 +1,123 @@
+#!/bin/sh
+#
+# This script will initialise token storage of softhsm PKCS11 provider
+# in custom location. Is useful to store tokens in non-standard location.
+#
+# Output can be evaluated from bash, it will prepare it for usage of temporary tokens.
+# Recommended use:
+# eval $(bash setup-named-softhsm.sh -A)
+#
+
+SOFTHSM2_CONF="$1"
+TOKENPATH="$2"
+GROUPNAME="$3"
+# Do not use this script for real keys worth protection
+# This is intended for crypto accelerators using PKCS11 interface.
+# Uninitialized token would fail any crypto operation.
+PIN=1234
+SO_PIN=1234
+LABEL=rpm
+
+set -e
+
+echo_i()
+{
+ echo "#" $@
+}
+
+random()
+{
+ if [ -x "$(which openssl 2>/dev/null)" ]; then
+ openssl rand -base64 $1
+ else
+ dd if=/dev/urandom bs=1c count=$1 | base64
+ fi
+}
+
+usage()
+{
+ echo "Usage: $0 -A [token directory] [group]"
+ echo " or: $0 <config file> <token directory> [group]"
+}
+
+if [ "$SOFTHSM2_CONF" = "-A" -a -z "$TOKENPATH" ]; then
+ TOKENPATH=$(mktemp -d /var/tmp/softhsm-XXXXXX)
+fi
+
+if [ -z "$SOFTHSM2_CONF" -o -z "$TOKENPATH" ]; then
+ usage >&2
+ exit 1
+fi
+
+if [ "$SOFTHSM2_CONF" = "-A" ]; then
+ # Automagic mode instead
+ MODE=secure
+ SOFTHSM2_CONF="$TOKENPATH/softhsm2.conf"
+ PIN_SOURCE="$TOKENPATH/pin"
+ SOPIN_SOURCE="$TOKENPATH/so-pin"
+ TOKENPATH="$TOKENPATH/tokens"
+else
+ MODE=legacy
+fi
+
+[ -d "$TOKENPATH" ] || mkdir -p "$TOKENPATH"
+
+umask 0022
+
+if ! [ -f "$SOFTHSM2_CONF" ]; then
+cat << SED > "$SOFTHSM2_CONF"
+# SoftHSM v2 configuration file
+
+directories.tokendir = ${TOKENPATH}
+objectstore.backend = file
+
+# ERROR, WARNING, INFO, DEBUG
+log.level = ERROR
+
+# If CKF_REMOVABLE_DEVICE flag should be set
+slots.removable = false
+SED
+else
+ echo_i "Config file $SOFTHSM2_CONF already exists" >&2
+fi
+
+if [ -n "$PIN_SOURCE" ]; then
+ touch "$PIN_SOURCE" "$SOPIN_SOURCE"
+ chmod 0600 "$PIN_SOURCE" "$SOPIN_SOURCE"
+ if [ -n "$GROUPNAME" ]; then
+ chgrp "$GROUPNAME" "$PIN_SOURCE" "$SOPIN_SOURCE"
+ chmod g+r "$PIN_SOURCE" "$SOPIN_SOURCE"
+ fi
+fi
+
+export SOFTHSM2_CONF
+
+if softhsm2-util --show-slots | grep 'Initialized:[[:space:]]*yes' >
/dev/null
+then
+ echo_i "Token in ${TOKENPATH} is already initialized" >&2
+
+ [ -f "$PIN_SOURCE" ] && PIN=$(cat "$PIN_SOURCE")
+ [ -f "$SOPIN_SOURCE" ] && SO_PIN=$(cat "$SOPIN_SOURCE")
+else
+ PIN=$(random 6)
+ SO_PIN=$(random 18)
+ if [ -n "$PIN_SOURCE" ]; then
+ echo -n "$PIN" > "$PIN_SOURCE"
+ echo -n "$SO_PIN" > "$SOPIN_SOURCE"
+ fi
+
+ echo_i "Initializing tokens to ${TOKENPATH}..."
+ softhsm2-util --init-token --free --label "$LABEL" --pin "$PIN"
--so-pin "$SO_PIN" | sed -e 's/^/# /'
+
+ if [ -n "$GROUPNAME" ]; then
+ chgrp -R -- "$GROUPNAME" "$TOKENPATH"
+ chmod -R -- g=rX,o= "$TOKENPATH"
+ fi
+fi
+
+echo "export SOFTHSM2_CONF=\"$SOFTHSM2_CONF\""
+echo "export PIN_SOURCE=\"$PIN_SOURCE\""
+echo "export SOPIN_SOURCE=\"$SOPIN_SOURCE\""
+# These are intentionaly not exported
+echo "PIN=\"$PIN\""
+echo "SO_PIN=\"$SO_PIN\""
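Review bot: This copy is blob a13c91e, the version from before the quoting fix (a13c91e..c0f8445) shown further down this page, so its header still recommends `eval $(bash setup-named-softhsm.sh -A)`. Unquoted, the multi-line output that starts with `#` comment lines collapses into a single line. Update the header to `# eval "$(bash setup-named-softhsm.sh -A)"`, or reuse the top-level script rather than carrying a second copy that can drift. The closing `echo "PIN=..."` and `echo "SO_PIN=..."` lines also put both PINs on stdout, and `--pin`/`--so-pin` put them in the process arguments. In `-A` mode they are already stored in the 0600 `$PIN_SOURCE` and `$SOPIN_SOURCE` files, so a caller that logs the helper's output could read them from there instead.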
commit 321554b987592b3a13f2b13c1700eba6b371630e
Author: Petr Menk <pemensik(a)redhat.com>
Date: Fri Feb 22 19:40:00 2019 +0100
Update to BIND 9.11.5-P4
Add also PGP signature as part of repository.
diff --git a/.gitignore b/.gitignore
index 854f798..858d487 100644
--- a/.gitignore
+++ b/.gitignore
@@ -89,3 +89,4 @@ bind-9.7.2b1.tar.gz
/bind-9.11.5.tar.gz
/bind-9.11.5-P1.tar.gz
/config-19.tar.bz2
+/bind-9.11.5-P4.tar.gz
diff --git a/bind-9.11.5-P4.tar.gz.asc b/bind-9.11.5-P4.tar.gz.asc
new file mode 100644
index 0000000..d7b138e
--- /dev/null
+++ b/bind-9.11.5-P4.tar.gz.asc
@@ -0,0 +1,29 @@
+-----BEGIN PGP SIGNATURE-----
+Comment: GPGTools -
http://gpgtools.org
+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+=kFOo
+-----END PGP SIGNATURE-----
diff --git a/bind.spec b/bind.spec
index 5ca6e49..eafbae7 100644
--- a/bind.spec
+++ b/bind.spec
@@ -2,7 +2,7 @@
# Red Hat BIND package .spec file
#
-%global PATCHVER P1
+%global PATCHVER P4
#%%global PREVER rc1
%global BINDVERSION %{version}%{?PREVER}%{?PATCHVER:-%{PATCHVER}}
@@ -54,12 +54,13 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name
System) serv
Name: bind
License: MPLv2.0
Version: 9.11.5
-Release: 12%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
+Release: 13%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
Epoch: 32
Url:
https://www.isc.org/downloads/bind/
#
Source:
https://ftp.isc.org/isc/bind9/%{BINDVERSION}/bind-%{BINDVERSION}.tar.gz
Source1: named.sysconfig
+Source2:
https://ftp.isc.org/isc/bind9/%{BINDVERSION}/bind-%{BINDVERSION}.tar.gz.asc
Source3: named.logrotate
Source7: bind-9.3.1rc1-sdb_tools-Makefile.in
Source8: dnszone.schema
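Review bot: `Source2` adds the detached signature, but no hunk in this commit adds the signing key or a verification step, so the tarball is still trusted on the `sources` SHA512 alone. If `%prep` does not already check it (not visible here), ship the ISC key as another source and verify before unpacking, e.g. `%{gpgverify} --keyring='%{SOURCE<n>}' --signature='%{SOURCE2}' --data='%{SOURCE0}'`, where `<n>` is a placeholder for the keyring source number. The signature then protects the build rather than only being archived next to it.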
@@ -1529,6 +1530,9 @@ fi;
%changelog
+* Fri Feb 22 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-13.P4
+- Update to 9.11.5-P4
+
* Fri Feb 22 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-12.P1
- Enable DNSTAP support (#1564776)
- Enable LMDB support for rndc addzone
diff --git a/sources b/sources
index e4f563b..8336c9d 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (bind-9.11.5-P1.tar.gz) =
cf0e511342affc81fc89656417a6d74a8ee4c3ffcc242e3aad76864f34d8ff7b0b52ada422385b5becafb7ef3a81dddfb28ba1488c8bee168f16842e2c617069
+SHA512 (bind-9.11.5-P4.tar.gz) =
ba750ffd080a47309db8be3df3d80896c5872aadb1a14ac7effd1bb783c2a2ae1e82959d6999eecc3d694336887060a84ae8813a17836b9064515cdd96fcb573
SHA512 (config-19.tar.bz2) =
36aa38a0c7c33267ae594b31c81681290ac58dde7ca6749bd599da531380b5b1428330813dbe983e01071ccaed83e83f6a9cd92179a53b7d0ccbb6851a0b017c
commit d3fe8d6248ba08cb0c343f81f25d815bba173190
Author: Petr Menk <pemensik(a)redhat.com>
Date: Fri Feb 22 19:19:59 2019 +0100
Enable json statistics format
Statistics channel would include also json format, use URL
http://localhost:80/v3/json/. XML format is still supported.
diff --git a/bind.spec b/bind.spec
index 211da6b..5ca6e49 100644
--- a/bind.spec
+++ b/bind.spec
@@ -16,8 +16,8 @@
# due to extensive changes to Makefiles
%bcond_without PKCS11
%bcond_without DEVEL
-%bcond_with JSON
%bcond_without LMDB
+%bcond_without JSON
%bcond_without DNSTAP
%bcond_with DLZ
%bcond_without EXPORT_LIBS
@@ -1532,6 +1532,7 @@ fi;
* Fri Feb 22 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-12.P1
- Enable DNSTAP support (#1564776)
- Enable LMDB support for rndc addzone
+- Enable json format in statistics-channel
* Thu Feb 21 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-11.P1
- Disable often failing unit test random_test
commit ec6f94669ad65412d41dfefc0f43e8bec2da7994
Author: Petr Menk <pemensik(a)redhat.com>
Date: Fri Feb 22 19:18:45 2019 +0100
Enable LMDB support
Provides faster adding and removing of dynamically created zones
at runtime. Useful when a large number of zones is used.
diff --git a/bind.spec b/bind.spec
index 3e41327..211da6b 100644
--- a/bind.spec
+++ b/bind.spec
@@ -16,8 +16,8 @@
# due to extensive changes to Makefiles
%bcond_without PKCS11
%bcond_without DEVEL
-%bcond_with LMDB
%bcond_with JSON
+%bcond_without LMDB
%bcond_without DNSTAP
%bcond_with DLZ
%bcond_without EXPORT_LIBS
@@ -1531,6 +1531,7 @@ fi;
%changelog
* Fri Feb 22 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-12.P1
- Enable DNSTAP support (#1564776)
+- Enable LMDB support for rndc addzone
* Thu Feb 21 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-11.P1
- Disable often failing unit test random_test
commit f0b6f15ced5af5f309ccbfe35c6ec38ddca7b619
Author: Petr Menk <pemensik(a)redhat.com>
Date: Fri Feb 22 19:14:36 2019 +0100
Enable DNSTAP (#1564776)
Enable support for DNSTAP. It will introduce new linked libraries to
bind and its tools, including bind-utils.
diff --git a/bind.spec b/bind.spec
index 4c81673..3e41327 100644
--- a/bind.spec
+++ b/bind.spec
@@ -18,7 +18,7 @@
%bcond_without DEVEL
%bcond_with LMDB
%bcond_with JSON
-%bcond_with DNSTAP
+%bcond_without DNSTAP
%bcond_with DLZ
%bcond_without EXPORT_LIBS
%if 0%{?fedora} >= 17
@@ -54,7 +54,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name
System) serv
Name: bind
License: MPLv2.0
Version: 9.11.5
-Release: 11%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
+Release: 12%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
Epoch: 32
Url:
https://www.isc.org/downloads/bind/
#
@@ -1529,6 +1529,9 @@ fi;
%changelog
+* Fri Feb 22 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-12.P1
+- Enable DNSTAP support (#1564776)
+
* Thu Feb 21 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-11.P1
- Disable often failing unit test random_test
commit bd6e8b8965ba3f68f1034213b7d933423828e9a6
Author: Petr Menk <pemensik(a)redhat.com>
Date: Fri Feb 22 16:39:54 2019 +0100
Fix spec usage of softhsm helper
Output produced by helper is multiline starting with comment. Unless it
is enclosed in quotes, it will be concatenated into single line.
Fixes commit fa1631eef77a827e0df168df837e84c2d8790ce5
diff --git a/bind.spec b/bind.spec
index 9165139..4c81673 100644
--- a/bind.spec
+++ b/bind.spec
@@ -805,7 +805,7 @@ sed -e '/^tp:.*-pkcs11/ d' -e '/^tp:\s*lwres/ d' \
%check
%if %{with PKCS11}
# Tests require initialization of pkcs11 token
- eval $(bash %{SOURCE48} -A "`pwd`/softhsm-tokens")
+ eval "$(bash %{SOURCE48} -A "`pwd`/softhsm-tokens")"
%endif
%if %{with UNITTEST}
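Review bot: `eval "$(bash %{SOURCE48} -A ...)"` hides a failing helper, because the status of `eval` is that of the text it runs, not of the command substitution. If the script exits early under its own `set -e`, `%check` carries on with whatever was printed before the failure, possibly nothing. Capturing first keeps the exit status, since a plain assignment returns the status of its command substitution: ``SOFTHSM_ENV="$(bash %{SOURCE48} -A "`pwd`/softhsm-tokens")"`` followed by `eval "$SOFTHSM_ENV"`. With the build shell's errexit (rpm normally runs scriptlets with `-e`) the build then stops at the assignment. tests/Run-internal-BIND-test-suite/runtest.sh uses the same eval pattern.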
diff --git a/setup-named-softhsm.sh b/setup-named-softhsm.sh
index a13c91e..c0f8445 100755
--- a/setup-named-softhsm.sh
+++ b/setup-named-softhsm.sh
@@ -4,8 +4,9 @@
# in custom location. Is useful to store tokens in non-standard location.
#
# Output can be evaluated from bash, it will prepare it for usage of temporary tokens.
+# Quotes around eval are mandatory!
# Recommended use:
-# eval $(bash setup-named-softhsm.sh -A)
+# eval "$(bash setup-named-softhsm.sh -A)"
#
SOFTHSM2_CONF="$1"
commit ad76423202011e1a254f57ac35160a17767adebd
Author: Petr Menk <pemensik(a)redhat.com>
Date: Thu Feb 21 22:50:12 2019 +0100
Disable random_test in unit tests
It fails sometimes, and a single failing subtest aborts the whole build.
Keep it disabled until fixed.
diff --git a/bind-9.11-unit-disable-random.patch b/bind-9.11-unit-disable-random.patch
new file mode 100644
index 0000000..5658d12
--- /dev/null
+++ b/bind-9.11-unit-disable-random.patch
@@ -0,0 +1,45 @@
+From c89b0e288f923af69b97e8acc29250b262be7d1e Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik(a)redhat.com>
+Date: Thu, 21 Feb 2019 22:42:27 +0100
+Subject: [PATCH] Disable random_test
+
+It fails too often on some architecture, failing the whole build along.
+Because it runs two times for pkcs11 and normal build and any of
+subtests can occasionally fail, stop it.
+
+It can be used again by defining 'unstable' variable in Kyuafile.
+---
+ lib/isc/tests/Atffile | 3 ++-
+ lib/isc/tests/Kyuafile | 2 +-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/lib/isc/tests/Atffile b/lib/isc/tests/Atffile
+index 8681844..74a4a77 100644
+--- a/lib/isc/tests/Atffile
++++ b/lib/isc/tests/Atffile
+@@ -20,7 +20,8 @@ tp: pool_test
+ tp: print_test
+ tp: queue_test
+ tp: radix_test
+-tp: random_test
++# random test fails too often
++#tp: random_test
+ tp: regex_test
+ tp: result_test
+ tp: safe_test
+diff --git a/lib/isc/tests/Kyuafile b/lib/isc/tests/Kyuafile
+index 1c510c1..a86824a 100644
+--- a/lib/isc/tests/Kyuafile
++++ b/lib/isc/tests/Kyuafile
+@@ -19,7 +19,7 @@ atf_test_program{name='pool_test'}
+ atf_test_program{name='print_test'}
+ atf_test_program{name='queue_test'}
+ atf_test_program{name='radix_test'}
+-atf_test_program{name='random_test'}
++atf_test_program{name='random_test', required_configs='unstable'}
+ atf_test_program{name='regex_test'}
+ atf_test_program{name='result_test'}
+ atf_test_program{name='safe_test'}
+--
+2.20.1
+
diff --git a/bind.spec b/bind.spec
index 5af1fc5..9165139 100644
--- a/bind.spec
+++ b/bind.spec
@@ -54,7 +54,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name
System) serv
Name: bind
License: MPLv2.0
Version: 9.11.5
-Release: 10%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
+Release: 11%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
Epoch: 32
Url:
https://www.isc.org/downloads/bind/
#
@@ -139,6 +139,8 @@ Patch165:bind-9.11-rh1647829.patch
Patch166:bind-9.11-rh1647829-2.patch
#
https://gitlab.isc.org/isc-projects/bind9/issues/225
Patch167:bind-9.11-ed448-disable.patch
+# random_test fails too often by random, disable it
+Patch168:bind-9.11-unit-disable-random.patch
# SDB patches
Patch11: bind-9.3.2b2-sdbsrc.patch
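Review bot: The comment on `Patch168` gives no reference for when the test can be turned back on, while `Patch167` just above links its upstream issue. Judging by its name, random_test covers the random number code, so a disabled run should be easy to trace and revisit. Suggest `# random_test fails too often by random, disable it until <tracking issue URL> is resolved`, with the placeholder replaced by the real report.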
@@ -519,6 +521,7 @@ are used for building ISC DHCP.
%patch165 -p1 -b .rh1647829
%patch166 -p1 -b .rh1647829-2
%patch167 -p1 -b .noed448
+%patch168 -p1 -b .random_test-disable
mkdir lib/dns/tests/testdata/dstrandom
cp -a %{SOURCE50} lib/dns/tests/testdata/dstrandom/random.data
@@ -1526,6 +1529,9 @@ fi;
%changelog
+* Thu Feb 21 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-11.P1
+- Disable often failing unit test random_test
+
* Thu Feb 21 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-10.P1
- Disable autodetected eddsa algorithm ED448
commit c2772a07e8962b1fc25c24ae1597e7cdee284a06
Author: Petr Menk <pemensik(a)redhat.com>
Date: Thu Feb 21 15:36:27 2019 +0100
Disable ED448
It is breaking dnssec system test. Its implementation in BIND is broken.
diff --git a/bind-9.11-ed448-disable.patch b/bind-9.11-ed448-disable.patch
new file mode 100644
index 0000000..179f32f
--- /dev/null
+++ b/bind-9.11-ed448-disable.patch
@@ -0,0 +1,41 @@
+From e6bad0789c731f06de781997e33e864c71510ff2 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik(a)redhat.com>
+Date: Thu, 21 Feb 2019 12:36:17 +0100
+Subject: [PATCH] Disable autodetected ED448 algorithm support
+
+Implementation is broken in bind, disabled also in more recent versions.
+Makes bin/tests/system/dnssec fail.
+---
+ configure.in | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/configure.in b/configure.in
+index ca84ff3239..da4dd5f249 100644
+--- a/configure.in
++++ b/configure.in
+@@ -1917,6 +1917,9 @@ int main() {
+ }
+ ],
+ [AC_MSG_RESULT(yes)
++ # ED448 support is broken in BIND
++ #
https://gitlab.isc.org/isc-projects/bind9/issues/225
++ # disable if autodetected, can be enabled by --with-eddsa=all
+ have_ed448="yes"],
+ [AC_MSG_RESULT(no)
+ have_ed448="no"],
+@@ -1929,8 +1932,10 @@ int main() {
+ esac
+ case $have_ed448 in
+ yes)
+- AC_DEFINE(HAVE_OPENSSL_ED448, 1,
+- [Define if your OpenSSL version supports Ed448.])
++ # ED448 support is broken in BIND
++ #
https://gitlab.isc.org/isc-projects/bind9/issues/225
++ # AC_DEFINE(HAVE_OPENSSL_ED448, 1,
++ # [Define if your OpenSSL version supports Ed448.])
+ ;;
+ *)
+ ;;
+--
+2.20.1
+
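Review bot: The comment added in the first configure.in hunk says Ed448 is disabled only when autodetected and "can be enabled by --with-eddsa=all", but the second hunk comments out `AC_DEFINE(HAVE_OPENSSL_ED448, ...)` in the `yes)` arm unconditionally. From what is visible, an explicit request would not define it either. Either reword the comment to say Ed448 is always off in this build, or set `have_ed448="no"` only on the autodetect path and leave the `AC_DEFINE` in place. The enclosing `case` on the `--with-eddsa` value is outside both hunks, so confirm which path `--with-eddsa=all` actually takes.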
diff --git a/bind.spec b/bind.spec
index f7ff9dc..5af1fc5 100644
--- a/bind.spec
+++ b/bind.spec
@@ -54,7 +54,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name
System) serv
Name: bind
License: MPLv2.0
Version: 9.11.5
-Release: 9%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
+Release: 10%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
Epoch: 32
Url:
https://www.isc.org/downloads/bind/
#
@@ -137,6 +137,8 @@ Patch164:bind-9.11-rh1666814.patch
Patch165:bind-9.11-rh1647829.patch
# commit 8e1cc95c943b7dfaaaaf2d9a4971861735cc3fb2
Patch166:bind-9.11-rh1647829-2.patch
+#
https://gitlab.isc.org/isc-projects/bind9/issues/225
+Patch167:bind-9.11-ed448-disable.patch
# SDB patches
Patch11: bind-9.3.2b2-sdbsrc.patch
@@ -516,6 +518,7 @@ are used for building ISC DHCP.
%patch164 -p1 -b .rh1666814
%patch165 -p1 -b .rh1647829
%patch166 -p1 -b .rh1647829-2
+%patch167 -p1 -b .noed448
mkdir lib/dns/tests/testdata/dstrandom
cp -a %{SOURCE50} lib/dns/tests/testdata/dstrandom/random.data
@@ -1523,6 +1526,9 @@ fi;
%changelog
+* Thu Feb 21 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-10.P1
+- Disable autodetected eddsa algorithm ED448
+
* Thu Jan 31 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-9.P1
- dig prints ASCII name instead of failure (#1647829)
- disable IDN output from scripts
commit fa1631eef77a827e0df168df837e84c2d8790ce5
Author: Petr Menk <pemensik(a)redhat.com>
Date: Wed Feb 20 18:53:13 2019 +0100
Simplify pkcs11 token generation
Make default secure enough, no predefined pins are used. Generate pin
and save it into file protected by unix rights. HSM tools will probably
require it anyway. Use smart defaults.
diff --git a/bind.spec b/bind.spec
index cde769e..f7ff9dc 100644
--- a/bind.spec
+++ b/bind.spec
@@ -799,8 +799,7 @@ sed -e '/^tp:.*-pkcs11/ d' -e '/^tp:\s*lwres/ d' \
%check
%if %{with PKCS11}
# Tests require initialization of pkcs11 token
- export SOFTHSM2_CONF="`pwd`/softhsm2.conf"
- sh %{SOURCE48} "${SOFTHSM2_CONF}" "`pwd`/softhsm-tokens"
+ eval $(bash %{SOURCE48} -A "`pwd`/softhsm-tokens")
%endif
%if %{with UNITTEST}
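Review bot: The unquoted `eval $(...)` collapses the script's output onto a single line, and on a first run that output starts with `# Initializing tokens ...` (from `echo_i` and the `sed -e 's/^/# /'` filter in setup-named-softhsm.sh). The `export SOFTHSM2_CONF=...` that follows therefore appears to land inside a shell comment and never run. Quoting the substitution keeps the line breaks: `eval "$(bash %{SOURCE48} -A "$PWD/softhsm-tokens")"`. The same applies to the `Recommended use` comment added at the top of the script. The output also carries `PIN=` and `SO_PIN=` assignments, so if the build shell traces commands these values may appear in the build log; that is acceptable for throwaway test tokens but worth a comment.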
diff --git a/setup-named-softhsm.sh b/setup-named-softhsm.sh
index 7ae0a6d..a13c91e 100755
--- a/setup-named-softhsm.sh
+++ b/setup-named-softhsm.sh
@@ -2,6 +2,11 @@
#
# This script will initialise token storage of softhsm PKCS11 provider
# in custom location. Is useful to store tokens in non-standard location.
+#
+# Output can be evaluated from bash, it will prepare it for usage of temporary tokens.
+# Recommended use:
+# eval $(bash setup-named-softhsm.sh -A)
+#
SOFTHSM2_CONF="$1"
TOKENPATH="$2"
@@ -10,14 +15,55 @@ GROUPNAME="$3"
# This is intended for crypto accelerators using PKCS11 interface.
# Uninitialized token would fail any crypto operation.
PIN=1234
+SO_PIN=1234
+LABEL=rpm
set -e
+echo_i()
+{
+ echo "#" $@
+}
+
+random()
+{
+ if [ -x "$(which openssl 2>/dev/null)" ]; then
+ openssl rand -base64 $1
+ else
+ dd if=/dev/urandom bs=1c count=$1 | base64
+ fi
+}
+
+usage()
+{
+ echo "Usage: $0 -A [token directory] [group]"
+ echo " or: $0 <config file> <token directory> [group]"
+}
+
+if [ "$SOFTHSM2_CONF" = "-A" -a -z "$TOKENPATH" ]; then
+ TOKENPATH=$(mktemp -d /var/tmp/softhsm-XXXXXX)
+fi
+
if [ -z "$SOFTHSM2_CONF" -o -z "$TOKENPATH" ]; then
- echo "Usage: $0 <config file> <token directory> [group]"
>&2
+ usage >&2
exit 1
fi
+if [ "$SOFTHSM2_CONF" = "-A" ]; then
+ # Automagic mode instead
+ MODE=secure
+ SOFTHSM2_CONF="$TOKENPATH/softhsm2.conf"
+ PIN_SOURCE="$TOKENPATH/pin"
+ SOPIN_SOURCE="$TOKENPATH/so-pin"
+ TOKENPATH="$TOKENPATH/tokens"
+else
+ MODE=legacy
+fi
+
+[ -d "$TOKENPATH" ] || mkdir -p "$TOKENPATH"
+
+umask 0022
+
if ! [ -f "$SOFTHSM2_CONF" ]; then
cat << SED > "$SOFTHSM2_CONF"
# SoftHSM v2 configuration file
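Review bot: `umask 0022` is forced just before the configuration file is written, and it overrides a stricter umask the caller may have set, while the earlier `mkdir -p "$TOKENPATH"` still runs under the caller's mask. The PIN files created in the next hunk are tightened with `chmod 0600`, but anything `softhsm2-util` writes afterwards is created under 0022. For the `-A` branch a tighter mask placed before the `mkdir -p` would be safer, for example `[ "$MODE" = secure ] && umask 0077`, which also gives `MODE` a use (it is not read anywhere in the visible hunks). If 0022 is needed so the service user can read the config file, a comment saying so would help.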
@@ -32,19 +78,36 @@ log.level = ERROR
slots.removable = false
SED
else
- echo "Config file $SOFTHSM2_CONF already exists" >&2
+ echo_i "Config file $SOFTHSM2_CONF already exists" >&2
fi
-[ -d "$TOKENPATH" ] || mkdir -p "$TOKENPATH"
+if [ -n "$PIN_SOURCE" ]; then
+ touch "$PIN_SOURCE" "$SOPIN_SOURCE"
+ chmod 0600 "$PIN_SOURCE" "$SOPIN_SOURCE"
+ if [ -n "$GROUPNAME" ]; then
+ chgrp "$GROUPNAME" "$PIN_SOURCE" "$SOPIN_SOURCE"
+ chmod g+r "$PIN_SOURCE" "$SOPIN_SOURCE"
+ fi
+fi
export SOFTHSM2_CONF
if softhsm2-util --show-slots | grep 'Initialized:[[:space:]]*yes' >
/dev/null
then
- echo "Token in ${TOKENPATH} is already initialized" >&2
+ echo_i "Token in ${TOKENPATH} is already initialized" >&2
+
+ [ -f "$PIN_SOURCE" ] && PIN=$(cat "$PIN_SOURCE")
+ [ -f "$SOPIN_SOURCE" ] && SO_PIN=$(cat "$SOPIN_SOURCE")
else
- echo "Initializing tokens to ${TOKENPATH}..."
- softhsm2-util --init-token --free --label rpm --pin $PIN --so-pin $PIN
+ PIN=$(random 6)
+ SO_PIN=$(random 18)
+ if [ -n "$PIN_SOURCE" ]; then
+ echo -n "$PIN" > "$PIN_SOURCE"
+ echo -n "$SO_PIN" > "$SOPIN_SOURCE"
+ fi
+
+ echo_i "Initializing tokens to ${TOKENPATH}..."
+ softhsm2-util --init-token --free --label "$LABEL" --pin "$PIN"
--so-pin "$SO_PIN" | sed -e 's/^/# /'
if [ -n "$GROUPNAME" ]; then
chgrp -R -- "$GROUPNAME" "$TOKENPATH"
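Review bot: In the not-yet-initialized branch `PIN=$(random 6)` and `SO_PIN=$(random 18)` run in both modes, but the values are saved only when `PIN_SOURCE` is set, i.e. in `-A` mode. A legacy-mode caller that does not capture stdout loses the PIN, and on the next run the already-initialized branch falls back to the `1234` defaults, which then no longer match the token. Either move the two `random` calls inside the existing `if [ -n "$PIN_SOURCE" ]` block so legacy mode keeps its previous fixed PIN, or stop reporting a PIN when no pin file exists. Separately, `--pin "$PIN" --so-pin "$SO_PIN"` places both secrets on the `softhsm2-util` command line, where other local users may be able to read them from the process list while the tool runs; a comment noting that limitation would be useful. The `else` branch continues past the end of this hunk.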
@@ -53,3 +116,8 @@ else
fi
echo "export SOFTHSM2_CONF=\"$SOFTHSM2_CONF\""
+echo "export PIN_SOURCE=\"$PIN_SOURCE\""
+echo "export SOPIN_SOURCE=\"$SOPIN_SOURCE\""
+# These are intentionaly not exported
+echo "PIN=\"$PIN\""
+echo "SO_PIN=\"$SO_PIN\""
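Review bot: The values emitted for `eval` are wrapped in plain double quotes without escaping, so a token path containing `"`, `$` or a backtick would be re-interpreted by the calling shell when the output is evaluated. The PINs are base64 and harmless in that respect, but `SOFTHSM2_CONF`, `PIN_SOURCE` and `SOPIN_SOURCE` derive from a caller-supplied directory. Since the script is meant to be run with bash, shell-quoting the values is a small change: `printf 'export SOFTHSM2_CONF=%q\n' "$SOFTHSM2_CONF"`, and likewise for the other four lines. A comment next to the `PIN`/`SO_PIN` lines should also say that stdout now carries secrets and must not be redirected into a shared log.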
commit 6fee3d63e97cc86062b9fedb5d9294455cf522b6
Author: Petr Menk <pemensik(a)redhat.com>
Date: Fri Feb 15 19:49:27 2019 +0100
Remove revoked KSK 19164 from trusted root keys
diff --git a/.gitignore b/.gitignore
index eb450f2..854f798 100644
--- a/.gitignore
+++ b/.gitignore
@@ -88,3 +88,4 @@ bind-9.7.2b1.tar.gz
/bind-9.11.4-P2.tar.gz
/bind-9.11.5.tar.gz
/bind-9.11.5-P1.tar.gz
+/config-19.tar.bz2
diff --git a/bind.spec b/bind.spec
index 82b6312..cde769e 100644
--- a/bind.spec
+++ b/bind.spec
@@ -66,7 +66,7 @@ Source8: dnszone.schema
Source12: README.sdb_pgsql
Source25: named.conf.sample
Source26: named.conf
-Source28: config-18.tar.bz2
+Source28: config-19.tar.bz2
Source30: ldap2zone.c
Source31: ldap2zone.1
Source32: named-sdb.8
@@ -1528,6 +1528,7 @@ fi;
- dig prints ASCII name instead of failure (#1647829)
- disable IDN output from scripts
- Update project URL
+- Removed revoked KSK 19164 from trusted keys
* Thu Jan 31 2019 Fedora Release Engineering <releng(a)fedoraproject.org> -
32:9.11.5-8.P1
- Rebuilt for
https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
diff --git a/sources b/sources
index 37dc9dc..e4f563b 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
SHA512 (bind-9.11.5-P1.tar.gz) =
cf0e511342affc81fc89656417a6d74a8ee4c3ffcc242e3aad76864f34d8ff7b0b52ada422385b5becafb7ef3a81dddfb28ba1488c8bee168f16842e2c617069
-SHA512 (config-18.tar.bz2) =
c0a0a1fd58a7e2c09fe69915b9a4c682d1b6c96e78583f63ce5355f663c9509d28facfd3aa078b228b69954d0af4bfa484ef661a9568aaafe6eade97dda3c3d9
+SHA512 (config-19.tar.bz2) =
36aa38a0c7c33267ae594b31c81681290ac58dde7ca6749bd599da531380b5b1428330813dbe983e01071ccaed83e83f6a9cd92179a53b7d0ccbb6851a0b017c
diff --git a/trusted-key.key b/trusted-key.key
index df2fd0d..7b845f3 100644
--- a/trusted-key.key
+++ b/trusted-key.key
@@ -1,2 +1 @@
-. 3600 IN DNSKEY 257 3 8
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
. 3600 IN DNSKEY 257 3 8
AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
commit 6ecd16d4585bafcc4fae224c16d6d0f059955492
Author: Petr Menk <pemensik(a)redhat.com>
Date: Fri Feb 15 10:10:44 2019 +0100
Update project URL
diff --git a/bind.spec b/bind.spec
index 35e9c5c..82b6312 100644
--- a/bind.spec
+++ b/bind.spec
@@ -56,7 +56,7 @@ License: MPLv2.0
Version: 9.11.5
Release: 9%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
Epoch: 32
-Url:
http://www.isc.org/products/BIND/
+Url:
https://www.isc.org/downloads/bind/
#
Source:
https://ftp.isc.org/isc/bind9/%{BINDVERSION}/bind-%{BINDVERSION}.tar.gz
Source1: named.sysconfig
@@ -1527,6 +1527,7 @@ fi;
* Thu Jan 31 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-9.P1
- dig prints ASCII name instead of failure (#1647829)
- disable IDN output from scripts
+- Update project URL
* Thu Jan 31 2019 Fedora Release Engineering <releng(a)fedoraproject.org> -
32:9.11.5-8.P1
- Rebuilt for
https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
commit 1da60a891af5ae99154986131505ff4233c61d88
Author: Petr Menk <pemensik(a)redhat.com>
Date: Tue Feb 12 22:09:48 2019 +0100
More fixes to compile DLZ
diff --git a/bind.spec b/bind.spec
index 0b3f47a..35e9c5c 100644
--- a/bind.spec
+++ b/bind.spec
@@ -641,6 +641,9 @@ export LIBDIR_SUFFIX
--with-dlz-filesystem=yes \
--with-dlz-bdb=yes \
%endif
+%if %{with DLZ}
+ --with-dlz-bdb=yes \
+%endif
%if %{with GSSTSIG}
--with-gssapi=yes \
--disable-isc-spnego \
@@ -941,9 +944,10 @@ install -m 644 %{SOURCE12} contrib/sdb/pgsql/
%endif
%if %{with DLZ}
+ pushd build
pushd contrib/dlz
pushd bin/dlzbdb
- make DESTDIR=${RPM_BUILD_ROOT} install
+ make DESTDIR=${RPM_BUILD_ROOT} install
popd
pushd modules
for DIR in bdbhpt filesystem ldap mysql mysqldyn sqlite3; do
@@ -952,6 +956,7 @@ install -m 644 %{SOURCE12} contrib/sdb/pgsql/
mv mysqldyn/testing/README mysqldyn/testing/README.testing
popd
popd
+ popd
%endif
# Install isc/errno2result.h header
commit de8fa0799a58ae497abd3327f2c4c13e32cb7674
Author: Petr Menk <pemensik(a)redhat.com>
Date: Tue Feb 12 20:45:49 2019 +0100
Improve descriptions for DLZ plugins
diff --git a/bind.spec b/bind.spec
index 4cf4e14..0b3f47a 100644
--- a/bind.spec
+++ b/bind.spec
@@ -404,42 +404,42 @@ Summary: BIND server bdb DLZ module
Requires: bind%{?_isa} = %{epoch}:%{version}-%{release}
%description dlz-bdb
-Dynamic Loadable Zones module for BIND server.
+Dynamic Loadable Zones Berkeley DB module for BIND server.
%package dlz-filesystem
Summary: BIND server filesystem DLZ module
Requires: bind%{?_isa} = %{epoch}:%{version}-%{release}
%description dlz-filesystem
-Dynamic Loadable Zones module for BIND server.
+Dynamic Loadable Zones filesystem module for BIND server.
%package dlz-ldap
Summary: BIND server ldap DLZ module
Requires: bind%{?_isa} = %{epoch}:%{version}-%{release}
%description dlz-ldap
-Dynamic Loadable Zones module for BIND server.
+Dynamic Loadable Zones LDAP module for BIND server.
%package dlz-mysql
Summary: BIND server mysql DLZ module
Requires: bind%{?_isa} = %{epoch}:%{version}-%{release}
%description dlz-mysql
-Dynamic Loadable Zones module for BIND server.
+Dynamic Loadable Zones MySQL module for BIND server.
%package dlz-mysqldyn
Summary: BIND server mysqldyn DLZ module
Requires: bind%{?_isa} = %{epoch}:%{version}-%{release}
%description dlz-mysqldyn
-Dynamic Loadable Zones module for BIND server.
+BIND 9 DLZ MySQL module with support for dynamic DNS (DDNS)
%package dlz-sqlite3
Summary: BIND server sqlite3 DLZ module
Requires: bind%{?_isa} = %{epoch}:%{version}-%{release}
%description dlz-sqlite3
-Dynamic Loadable Zones module for BIND server.
+Dynamic Loadable Zones sqlite3 module for BIND server.
%endif
@@ -1489,6 +1489,7 @@ fi;
%{_sbindir}/dlzbdb
%{_libdir}/bind/dlz_bdbhpt_dynamic.so
%doc contrib/dlz/modules/bdbhpt/testing/*
+%doc contrib/dlz/modules/bdbhpt/README*
%files dlz-filesystem
%{_libdir}/bind/dlz_filesystem_dynamic.so
@@ -1500,7 +1501,7 @@ fi;
%files dlz-mysqldyn
%{_libdir}/bind/dlz_mysqldyn_mod.so
%doc contrib/dlz/modules/mysqldyn/testing/*
-%doc contrib/dlz/modules/mysqldyn/README
+%doc contrib/dlz/modules/mysqldyn/README*
%files dlz-ldap
%{_libdir}/bind/dlz_ldap_dynamic.so
commit 7a958a2a9f9461e4d789cf15fd0bfac005a8e491
Author: Petr Menk <pemensik(a)redhat.com>
Date: Tue Jan 29 19:54:36 2019 +0100
Disable dig IDN output into scripts
Dig can be used to receive a zone via AXFR. If the zone contains IDN data
and they are decoded, the output cannot be used as a named zone file.
Disable +idnout if stdin is not a tty.
diff --git a/bind-9.11-rh1647829-2.patch b/bind-9.11-rh1647829-2.patch
new file mode 100644
index 0000000..bb8b3e9
--- /dev/null
+++ b/bind-9.11-rh1647829-2.patch
@@ -0,0 +1,28 @@
+From 58e1af6ca75d035b6391708be2c2272bb8d04620 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej(a)sury.org>
+Date: Sun, 4 Nov 2018 02:20:41 +0700
+Subject: [PATCH] Enable IDN processing (both idnin and idnout) only on tty,
+ disable it when the stdout is not a tty
+
+(cherry picked from commit 0e1bf7d017e4f6d787cbeb72cc2aa74e7f30122e)
+(cherry picked from commit 8e1cc95c943b7dfaaaaf2d9a4971861735cc3fb2)
+---
+ bin/dig/dighost.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
+index 74791d671e..3b722ba0ff 100644
+--- a/bin/dig/dighost.c
++++ b/bin/dig/dighost.c
+@@ -825,7 +825,7 @@ make_empty_lookup(void) {
+ looknew->seenbadcookie = false;
+ looknew->badcookie = true;
+ #ifdef WITH_IDN_SUPPORT
+- looknew->idnin = (getenv("IDN_DISABLE") == NULL);
++ looknew->idnin = isatty(1)?(getenv("IDN_DISABLE") == NULL):false;
+ if (looknew->idnin) {
+ const char *charset = getenv("CHARSET");
+ if (charset && !strcmp(charset, "ASCII"))
+--
+2.20.1
+
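Review bot: The new condition `isatty(1)` tests stdout, whereas the commit description speaks of stdin, and the bare `1` hides which stream is meant. Writing `isatty(STDOUT_FILENO) ? (getenv("IDN_DISABLE") == NULL) : false` with a comment such as `/* IDN only when writing to a terminal, so redirected AXFR output stays loadable as a zone file */` would make the intent explicit. Only `idnin` is assigned in the visible lines although the patch subject names both idnin and idnout; presumably `idnout` is derived from it further down in `make_empty_lookup`, which continues outside this hunk, and that is worth confirming.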
diff --git a/bind.spec b/bind.spec
index a3023ea..4cf4e14 100644
--- a/bind.spec
+++ b/bind.spec
@@ -135,6 +135,8 @@ Patch163:bind-9.11-rh1663318.patch
Patch164:bind-9.11-rh1666814.patch
#
https://bugzilla.redhat.com/show_bug.cgi?id=1647829
Patch165:bind-9.11-rh1647829.patch
+# commit 8e1cc95c943b7dfaaaaf2d9a4971861735cc3fb2
+Patch166:bind-9.11-rh1647829-2.patch
# SDB patches
Patch11: bind-9.3.2b2-sdbsrc.patch
@@ -513,6 +515,7 @@ are used for building ISC DHCP.
%patch163 -p1 -b .rh1663318
%patch164 -p1 -b .rh1666814
%patch165 -p1 -b .rh1647829
+%patch166 -p1 -b .rh1647829-2
mkdir lib/dns/tests/testdata/dstrandom
cp -a %{SOURCE50} lib/dns/tests/testdata/dstrandom/random.data
@@ -1517,6 +1520,8 @@ fi;
%changelog
* Thu Jan 31 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-9.P1
- dig prints ASCII name instead of failure (#1647829)
+- disable IDN output from scripts
+
* Thu Jan 31 2019 Fedora Release Engineering <releng(a)fedoraproject.org> -
32:9.11.5-8.P1
- Rebuilt for
https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
commit a699858667627bb95545c41fca123366a9c4e7ce
Author: Petr Menk <pemensik(a)redhat.com>
Date: Tue Jan 29 19:41:22 2019 +0100
dig prints ASCII name instead of failure (#1647829)
diff --git a/bind-9.11-rh1647829.patch b/bind-9.11-rh1647829.patch
new file mode 100644
index 0000000..ceec7fc
--- /dev/null
+++ b/bind-9.11-rh1647829.patch
@@ -0,0 +1,86 @@
+From 2eca7f5fa97a24997e4d8f900460ba43ae167e97 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik(a)redhat.com>
+Date: Tue, 29 Jan 2019 18:07:44 +0100
+Subject: [PATCH] Fallback to ASCII on output IDN conversion error
+
+It is possible dig used ACE encoded name in locale, which does not
+support converting it to unicode. Instead of fatal error, fallback to
+ACE name on output.
+
+(cherry picked from commit 7f4cb8f9584597fea16de6557124ac8b1bd47440)
+
+Modify idna test to fallback to ACE
+
+Test valid A-label on input would be displayed as A-label on output if
+locale does not allow U-label.
+
+(cherry picked from commit 4ce232f8605bdbe0594ebe5a71383c9d4e6f263b)
+
+Emit warning on IDN output failure
+
+Warning is emitted before any dig headers.
+
+(cherry picked from commit 4b410038c531fbb902cd5fb83174eed1f06cb7d7)
+---
+ bin/dig/dighost.c | 15 +++++++++++++--
+ bin/tests/system/idna/tests.sh | 17 +++++++++++++++++
+ 2 files changed, 30 insertions(+), 2 deletions(-)
+
+diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
+index bb8702c..d7cfc33 100644
+--- a/bin/dig/dighost.c
++++ b/bin/dig/dighost.c
+@@ -4860,9 +4860,20 @@ idn_ace_to_locale(const char *from, char *to, size_t tolen) {
+ */
+ res = idn2_to_unicode_8zlz(utf8_src, &tmp_str, 0);
+ if (res != IDN2_OK) {
+- fatal("Cannot represent '%s' in the current locale (%s), "
+- "use +noidnout or a different locale",
++ static bool warned = false;
++
++ res = idn2_to_ascii_8z(utf8_src, &tmp_str, 0);
++ if (res != IDN2_OK) {
++ fatal("Cannot represent '%s' "
++ "in the current locale nor ascii (%s), "
++ "use +noidnout or a different locale",
+ from, idn2_strerror(res));
++ } else if (!warned) {
++ fprintf(stderr, ";; Warning: cannot represent '%s' "
++ "in the current locale",
++ tmp_str);
++ warned = true;
++ }
+ }
+
+ /*
+diff --git a/bin/tests/system/idna/tests.sh b/bin/tests/system/idna/tests.sh
+index 6637bf6..215a9d5 100644
+--- a/bin/tests/system/idna/tests.sh
++++ b/bin/tests/system/idna/tests.sh
+@@ -244,6 +244,23 @@ idna_enabled_test() {
+ idna_test "$text" "+idnin +noidnout"
"xn--nxasmq6b.com" "xn--nxasmq6b.com."
+ idna_test "$text" "+idnin +idnout"
"xn--nxasmq6b.com" ".com."
+
++ # Test of valid A-label in locale that cannot display it
++ #
++ # +noidnout: The string is sent as-is to the server and the returned qname
++ # is displayed in the same form.
++ # +idnout: The string is sent as-is to the server and the returned qname
++ # is displayed as the corresponding A-label.
++ #
++ # The "+[no]idnout" flag has no effect in these cases.
++ text="Checking valid A-label in C locale"
++ label="xn--nxasmq6b.com"
++ LC_ALL=C idna_test "$text" ""
"$label" "$label."
++ LC_ALL=C idna_test "$text" "+noidnin +noidnout"
"$label" "$label."
++ LC_ALL=C idna_test "$text" "+noidnin +idnout"
"$label" "$label."
++ LC_ALL=C idna_test "$text" "+idnin +noidnout"
"$label" "$label."
++ LC_ALL=C idna_test "$text" "+idnin +idnout"
"$label" "$label."
++ LC_ALL=C idna_test "$text" "+noidnin +idnout"
"$label" "$label."
++
+
+
+ # Tests of invalid A-labels
+--
+2.20.1
+
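Review bot: The new warning `";; Warning: cannot represent '%s' in the current locale"` has no trailing newline, so whatever is written to stderr next continues on the same line; ending the format string with `\n` fixes it. The `static bool warned` flag suppresses every later warning, including ones for different names, which deserves a short comment if that is intended. In `tests.sh` the `+noidnin +idnout` case appears twice in the new C-locale block; the second occurrence was probably meant to be another combination, or it can be dropped. `idn_ace_to_locale` continues outside the hunk.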
diff --git a/bind.spec b/bind.spec
index 7a11ebb..a3023ea 100644
--- a/bind.spec
+++ b/bind.spec
@@ -54,7 +54,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name
System) serv
Name: bind
License: MPLv2.0
Version: 9.11.5
-Release: 8%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
+Release: 9%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
Epoch: 32
Url:
http://www.isc.org/products/BIND/
#
@@ -133,6 +133,8 @@ Patch162:bind-9.11-unit-dnstap-pkcs11.patch
Patch163:bind-9.11-rh1663318.patch
#
https://gitlab.isc.org/isc-projects/bind9/issues/819
Patch164:bind-9.11-rh1666814.patch
+#
https://bugzilla.redhat.com/show_bug.cgi?id=1647829
+Patch165:bind-9.11-rh1647829.patch
# SDB patches
Patch11: bind-9.3.2b2-sdbsrc.patch
@@ -510,6 +512,7 @@ are used for building ISC DHCP.
%patch162 -p1 -b .dnstap-pkcs11
%patch163 -p1 -b .rh1663318
%patch164 -p1 -b .rh1666814
+%patch165 -p1 -b .rh1647829
mkdir lib/dns/tests/testdata/dstrandom
cp -a %{SOURCE50} lib/dns/tests/testdata/dstrandom/random.data
@@ -1512,6 +1515,8 @@ fi;
%changelog
+* Thu Jan 31 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-9.P1
+- dig prints ASCII name instead of failure (#1647829)
* Thu Jan 31 2019 Fedora Release Engineering <releng(a)fedoraproject.org> -
32:9.11.5-8.P1
- Rebuilt for
https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
commit 432a81aeff2c5a01a5ccd78e553d20aeca1376b5
Author: Petr Menk <pemensik(a)redhat.com>
Date: Wed Feb 6 18:38:12 2019 +0100
Fix DLZ in oot builds
DLZ has no VPATH support. Just make duplicates in build directory
diff --git a/bind.spec b/bind.spec
index c2bbf99..7a11ebb 100644
--- a/bind.spec
+++ b/bind.spec
@@ -599,6 +599,13 @@ version
libtoolize -c -f; aclocal -I libtool.m4 --force; autoconf -f
mkdir build
+
+%if %{with DLZ}
+# DLZ modules do not support oot builds. Copy files into build
+mkdir -p build/contrib/dlz
+cp -frp contrib/dlz/modules build/contrib/dlz/modules
+%endif
+
pushd build
LIBDIR_SUFFIX=
export LIBDIR_SUFFIX
commit 9a4b768e181047ed5934cb199f19b6412fdee6b4
Author: Fedora Release Engineering <releng(a)fedoraproject.org>
Date: Thu Jan 31 14:36:55 2019 +0000
- Rebuilt for
https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng(a)fedoraproject.org>
diff --git a/bind.spec b/bind.spec
index 66a0d39..c2bbf99 100644
--- a/bind.spec
+++ b/bind.spec
@@ -54,7 +54,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name
System) serv
Name: bind
License: MPLv2.0
Version: 9.11.5
-Release: 7%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
+Release: 8%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
Epoch: 32
Url:
http://www.isc.org/products/BIND/
#
@@ -1505,6 +1505,9 @@ fi;
%changelog
+* Thu Jan 31 2019 Fedora Release Engineering <releng(a)fedoraproject.org> -
32:9.11.5-8.P1
+- Rebuilt for
https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
* Sun Jan 27 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-7.P1
- Update to 9.11.5-P1
commit b2a708808a89b215ffaf2133e711a25a4fe4d13c
Author: Igor Gnatenko <ignatenkobrain(a)fedoraproject.org>
Date: Tue Jan 29 05:45:26 2019 +0100
Remove unneeded %clean section
It is the behavior since EPEL5.
Signed-off-by: Igor Gnatenko <ignatenkobrain(a)fedoraproject.org>
diff --git a/bind.spec b/bind.spec
index bc2c940..66a0d39 100644
--- a/bind.spec
+++ b/bind.spec
@@ -1171,10 +1171,6 @@ fi;
%endif
-%clean
-rm -rf ${RPM_BUILD_ROOT}
-:;
-
%files
%{_libdir}/bind
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/sysconfig/named
commit 13f8f23ec518ca7ecd2bb2c9ed231955c670079b
Author: Petr Menk <pemensik(a)redhat.com>
Date: Mon Jan 28 00:47:11 2019 +0100
Update to 9.11.5-P1
diff --git a/.gitignore b/.gitignore
index f656e89..eb450f2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -87,3 +87,4 @@ bind-9.7.2b1.tar.gz
/bind-9.11.4-P1.tar.gz
/bind-9.11.4-P2.tar.gz
/bind-9.11.5.tar.gz
+/bind-9.11.5-P1.tar.gz
diff --git a/bind.spec b/bind.spec
index 5b2f349..bc2c940 100644
--- a/bind.spec
+++ b/bind.spec
@@ -2,7 +2,7 @@
# Red Hat BIND package .spec file
#
-#%%global PATCHVER P2
+%global PATCHVER P1
#%%global PREVER rc1
%global BINDVERSION %{version}%{?PREVER}%{?PATCHVER:-%{PATCHVER}}
@@ -54,7 +54,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name
System) serv
Name: bind
License: MPLv2.0
Version: 9.11.5
-Release: 6%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
+Release: 7%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
Epoch: 32
Url:
http://www.isc.org/products/BIND/
#
@@ -1509,6 +1509,9 @@ rm -rf ${RPM_BUILD_ROOT}
%changelog
+* Sun Jan 27 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-7.P1
+- Update to 9.11.5-P1
+
* Wed Jan 23 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-6
- Reenable crypto rand for DHCP, disable just entropy check (#1663318)
diff --git a/sources b/sources
index f7e1978..37dc9dc 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (bind-9.11.5.tar.gz) =
7e34c8033dabaed232479b1dc2849d1247c0137bcb2b63f08f8f72ff2cca0f73e0f05d0b9b8959f8c4db8ee36a700af30fe869be186c7bab7c81a25843384b8d
+SHA512 (bind-9.11.5-P1.tar.gz) =
cf0e511342affc81fc89656417a6d74a8ee4c3ffcc242e3aad76864f34d8ff7b0b52ada422385b5becafb7ef3a81dddfb28ba1488c8bee168f16842e2c617069
SHA512 (config-18.tar.bz2) =
c0a0a1fd58a7e2c09fe69915b9a4c682d1b6c96e78583f63ce5355f663c9509d28facfd3aa078b228b69954d0af4bfa484ef661a9568aaafe6eade97dda3c3d9
commit 32d91f12ca83ef8ec46df091fc0fe72cd05f91d9
Author: Petr Menk <pemensik(a)redhat.com>
Date: Wed Jan 23 21:15:03 2019 +0100
Made RAND_status check optional (broke --disable-crypto-rand)
Unlike upstream, skip it also for DHCP.
Disable RAND_status also in non-threaded builds. DHCP is built without
threads and should not check RAND_status on dns library initialization.
Lack of entropy is possible state for dhclient, but it must not fail
even in this case. Because DHCP itself does not require custom random
generator, leave default RAND_OpenSSL configured. It should help TLS
connection to LDAP in single DHCP binary, while keeping secure random
data if needed.
Resolves: #1663318
(modified upstream commit 8a98277811ea50035ff37b744fa3dc5b75bee099)
diff --git a/bind-9.11-rh1663318.patch b/bind-9.11-rh1663318.patch
index 79487b0..1af7efb 100644
--- a/bind-9.11-rh1663318.patch
+++ b/bind-9.11-rh1663318.patch
@@ -1,21 +1,37 @@
-From 48d86dd3d834bcedd0c977d193c36b12e8398b4e Mon Sep 17 00:00:00 2001
-From: Francis Dupont <fdupont(a)isc.org>
-Date: Sun, 17 Sep 2017 12:02:09 +0200
+From b16a1ff25644bb075f454afe68ee63f6f385ca9c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik(a)redhat.com>
+Date: Wed, 23 Jan 2019 21:11:07 +0100
Subject: [PATCH] Made RAND_status check optional (broke --disable-crypto-rand)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Unlike upstream, skip it also for DHCP.
+
+Disable RAND_status also in non-threaded builds. DHCP is built without
+threads and should not check RAND_status on dns library initialization.
+Lack of entropy is possible state for dhclient, but it must not fail
+even in this case. Because DHCP itself does not require custom random
+generator, leave default RAND_OpenSSL configured. It should help TLS
+connection to LDAP in single DHCP binary, while keeping secure random
+data if needed.
+
+(modified upstream commit 8a98277811ea50035ff37b744fa3dc5b75bee099)
+
+Signed-off-by: Petr Menk <pemensik(a)redhat.com>
---
lib/dns/openssl_link.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
-index 91e87d0..3cddaa9 100644
+index 7a233dd..941eb17 100644
--- a/lib/dns/openssl_link.c
+++ b/lib/dns/openssl_link.c
@@ -289,6 +289,7 @@ dst__openssl_init(const char *engine) {
#endif
#endif /* !defined(OPENSSL_NO_ENGINE) */
-+#ifdef ISC_PLATFORM_CRYPTORANDOM
++#if defined(ISC_PLATFORM_CRYPTORANDOM) && defined(ISC_PLATFORM_USETHREADS)
/* Protect ourselves against unseeded PRNG */
if (RAND_status() != 1) {
FATAL_ERROR(__FILE__, __LINE__,
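Review bot: `defined(ISC_PLATFORM_USETHREADS)` is used here as a stand-in for "not the DHCP build", so any other non-threaded build of this library also loses the unseeded-PRNG guard in `dst__openssl_init`. The reason is given only in the patch description; a comment above the `#if` would keep it with the code, for example `/* Skipped in non-threaded builds: dhclient must start even before the PRNG is seeded (rhbz#1663318) */`. Since the description says the default OpenSSL generator stays configured, a dedicated build macro for the DHCP export libraries would scope the exception more narrowly than the threading flag. The function continues outside this hunk.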
diff --git a/bind.spec b/bind.spec
index 421da0d..5b2f349 100644
--- a/bind.spec
+++ b/bind.spec
@@ -54,7 +54,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name
System) serv
Name: bind
License: MPLv2.0
Version: 9.11.5
-Release: 5%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
+Release: 6%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
Epoch: 32
Url:
http://www.isc.org/products/BIND/
#
@@ -736,7 +736,6 @@ export LIBDIR_SUFFIX
--without-libjson \
--without-zlib \
--without-dlopen \
- --disable-crypto-rand \
--enable-full-report
## We don't want to build other libs than -export twice
@@ -1510,6 +1509,9 @@ rm -rf ${RPM_BUILD_ROOT}
%changelog
+* Wed Jan 23 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-6
+- Reenable crypto rand for DHCP, disable just entropy check (#1663318)
+
* Thu Jan 17 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-5
- Move dnssec related tools from bind-utils to bind-dnssec-utils (#1649398)
commit 219b0e889f74ed22e0fa512d501eeba3355a11bf
Author: Petr Menk <pemensik(a)redhat.com>
Date: Thu Jan 17 13:51:29 2019 +0100
Remove conditional patch for alpha and ia64
It emits warning just because architectures no longer supported
diff --git a/bind.spec b/bind.spec
index 6293ab4..421da0d 100644
--- a/bind.spec
+++ b/bind.spec
@@ -489,9 +489,7 @@ are used for building ISC DHCP.
# Common patches
%patch10 -p1 -b .PIE
%patch16 -p1 -b .redhat_doc
-%ifnarch alpha ia64
%patch72 -p1 -b .64bit
-%endif
%patch102 -p1 -b .rh452060
%patch106 -p1 -b .rh490837
%patch109 -p1 -b .rh478718
commit 2830e00b88ea8bb956e0cdeb6f205fc72741b167
Author: Petr Menk <pemensik(a)redhat.com>
Date: Thu Jan 17 13:07:46 2019 +0100
Move dnssec related tools to bind-dnssec-utils
Most often clients require just dig or host to lookup addresses.
Move dnssec and zone file into dedicated subpackage. For a limited time,
make bind-utils suggest bind-dnssec-utils, until all dependencies are
resolved. (#1649398)
diff --git a/bind.spec b/bind.spec
index a6357de..6293ab4 100644
--- a/bind.spec
+++ b/bind.spec
@@ -54,7 +54,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name
System) serv
Name: bind
License: MPLv2.0
Version: 9.11.5
-Release: 4%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
+Release: 5%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
Epoch: 32
Url:
http://www.isc.org/products/BIND/
#
@@ -159,6 +159,7 @@ Provides: dnssec-conf = 1.27-2
Requires(post): policycoreutils-python-utils
Requires(post): libselinux-utils
Requires(post): selinux-policy
+Recommends: bind-utils bind-dnssec-utils
BuildRequires: gcc, make
BuildRequires: openssl-devel, libtool, autoconf, pkgconfig, libcap-devel
BuildRequires: libidn2-devel, libxml2-devel, GeoIP-devel
@@ -299,9 +300,14 @@ Contains license of the BIND DNS suite.
%package utils
Summary: Utilities for querying DNS name servers
-Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release}
Requires: bind-libs-lite%{?_isa} = %{epoch}:%{version}-%{release}
-Requires: python3-bind = %{epoch}:%{version}-%{release}
+Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release}
+# TODO: this is just temporary workaround until all packages depending on
+# bind-utils can be satisfied without dnssec-utils
+# It will be removed after some time, or changed to Recommends
+Suggests: bind-dnssec-utils
+# For compatibility with Debian package
+Provides: dnsutils = %{epoch}:%{version}-%{release}
%description utils
Bind-utils contains a collection of utilities for querying DNS (Domain
@@ -313,6 +319,20 @@ network addresses.
You should install bind-utils if you need to get information from DNS name
servers.
+%package dnssec-utils
+Summary: Utilities for DNSSEC keys and DNS zone files management
+Requires: bind-libs-lite%{?_isa} = %{epoch}:%{version}-%{release}
+Recommends: bind-utils
+Requires: python3-bind = %{epoch}:%{version}-%{release}
+
+%description dnssec-utils
+Bind-dnssec-utils contains a collection of utilities for editing
+DNSSEC keys and BIND zone files. These tools provide generation,
+revocation and verification of keys and DNSSEC signatures in zone files.
+
+You should install bind-dnssec-utils if you need to sign a DNS zone
+or maintain keys for it.
+
%if %{with DEVEL}
%package devel
Summary: Header files and libraries needed for BIND DNS development
@@ -1254,6 +1274,19 @@ rm -rf ${RPM_BUILD_ROOT}
%{_bindir}/nslookup
%{_bindir}/nsupdate
%{_bindir}/arpaname
+%if %{with DNSTAP}
+%{_bindir}/dnstap-read
+%{_mandir}/man1/dnstap-read.1*
+%endif
+%{_mandir}/man1/host.1*
+%{_mandir}/man1/nsupdate.1*
+%{_mandir}/man1/dig.1*
+%{_mandir}/man1/delv.1*
+%{_mandir}/man1/nslookup.1*
+%{_mandir}/man1/arpaname.1*
+%{_sysconfdir}/trusted-key.key
+
+%files dnssec-utils
%{_sbindir}/ddns-confgen
%{_sbindir}/tsig-keygen
%{_sbindir}/genrandom
@@ -1268,16 +1301,6 @@ rm -rf ${RPM_BUILD_ROOT}
%if %{with LMDB}
%{_sbindir}/named-nzd2nzf
%endif
-%if %{with DNSTAP}
-%{_bindir}/dnstap-read
-%{_mandir}/man1/dnstap-read.1*
-%endif
-%{_mandir}/man1/host.1*
-%{_mandir}/man1/nsupdate.1*
-%{_mandir}/man1/dig.1*
-%{_mandir}/man1/delv.1*
-%{_mandir}/man1/nslookup.1*
-%{_mandir}/man1/arpaname.1*
%{_mandir}/man8/ddns-confgen.8*
%{_mandir}/man8/tsig-keygen.8*
%{_mandir}/man8/genrandom.8*
@@ -1292,7 +1315,6 @@ rm -rf ${RPM_BUILD_ROOT}
%if %{with LMDB}
%{_mandir}/man8/named-nzd2nzf.8*
%endif
-%{_sysconfdir}/trusted-key.key
%if %{with DEVEL}
%files devel
@@ -1490,6 +1512,9 @@ rm -rf ${RPM_BUILD_ROOT}
%changelog
+* Thu Jan 17 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-5
+- Move dnssec related tools from bind-utils to bind-dnssec-utils (#1649398)
+
* Wed Jan 16 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-4
- Reject invalid binary file (#1666814)
commit 685f10cbfd1120c865ff7d3e4ce3923998fe2286
Author: Petr Menk <pemensik(a)redhat.com>
Date: Wed Jan 16 17:08:53 2019 +0100
Reject invalid rbt file if header is corrupted
Resolves: rhbz#1666814
diff --git a/bind-9.11-rh1666814.patch b/bind-9.11-rh1666814.patch
new file mode 100644
index 0000000..ea1df5d
--- /dev/null
+++ b/bind-9.11-rh1666814.patch
@@ -0,0 +1,37 @@
+From 3bb29f45604ac6890f4ea5cdcbd1a62e6dad14a7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik(a)redhat.com>
+Date: Wed, 16 Jan 2019 16:27:33 +0100
+Subject: [PATCH 2/2] Fix possible crash when loading corrupted file
+
+Some values passes internal triggers by coincidence. Fix the check and
+check also first_node_offset before even passing it further.
+---
+ lib/dns/rbt.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/lib/dns/rbt.c b/lib/dns/rbt.c
+index 62d0826..b029b7d 100644
+--- a/lib/dns/rbt.c
++++ b/lib/dns/rbt.c
+@@ -787,7 +787,7 @@ treefix(dns_rbt_t *rbt, void *base, size_t filesize, dns_rbtnode_t
*n,
+ return (ISC_R_SUCCESS);
+
+ CONFIRM((void *) n >= base);
+- CONFIRM((char *) n - (char *) base <= (int) nodemax);
++ CONFIRM((size_t)((char *) n - (char *) base) <= nodemax);
+ CONFIRM(DNS_RBTNODE_VALID(n));
+
+ dns_name_init(&nodename, NULL);
+@@ -939,7 +939,8 @@ dns_rbt_deserialize_tree(void *base_address, size_t filesize,
+ rbt->root = (dns_rbtnode_t *)((char *)base_address +
+ header_offset + header->first_node_offset);
+
+- if ((header->nodecount * sizeof(dns_rbtnode_t)) > filesize) {
++ if ((header->nodecount * sizeof(dns_rbtnode_t)) > filesize
++ || header->first_node_offset > filesize) {
+ result = ISC_R_INVALIDFILE;
+ goto cleanup;
+ }
+--
+2.20.1
+
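Review bot: The size check `header->nodecount * sizeof(dns_rbtnode_t) > filesize` can wrap for a large `nodecount` read from the file (depending on the field's width, which is not visible here), letting a corrupted header pass. Comparing by division avoids that: `header->nodecount > filesize / sizeof(dns_rbtnode_t)`. The added `header->first_node_offset > filesize` test ignores `header_offset` and the size of the node itself, so an offset just below `filesize` still yields a `rbt->root` pointing past the mapped data, and `rbt->root` is computed from the offset before the check runs. Consider validating that `header_offset + header->first_node_offset + sizeof(dns_rbtnode_t)` fits within `filesize`, written so it cannot overflow, ahead of the pointer computation. Both `treefix` and `dns_rbt_deserialize_tree` continue outside the hunk.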
diff --git a/bind.spec b/bind.spec
index f0c5d10..a6357de 100644
--- a/bind.spec
+++ b/bind.spec
@@ -54,7 +54,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name
System) serv
Name: bind
License: MPLv2.0
Version: 9.11.5
-Release: 3%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
+Release: 4%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
Epoch: 32
Url:
http://www.isc.org/products/BIND/
#
@@ -131,6 +131,8 @@ Patch161:bind-9.11-host-idn-disable.patch
Patch162:bind-9.11-unit-dnstap-pkcs11.patch
#
https://gitlab.isc.org/isc-projects/bind9/commit/8a98277811e
Patch163:bind-9.11-rh1663318.patch
+#
https://gitlab.isc.org/isc-projects/bind9/issues/819
+Patch164:bind-9.11-rh1666814.patch
# SDB patches
Patch11: bind-9.3.2b2-sdbsrc.patch
@@ -489,6 +491,7 @@ are used for building ISC DHCP.
%patch161 -p1 -b .host-idn-disable
%patch162 -p1 -b .dnstap-pkcs11
%patch163 -p1 -b .rh1663318
+%patch164 -p1 -b .rh1666814
mkdir lib/dns/tests/testdata/dstrandom
cp -a %{SOURCE50} lib/dns/tests/testdata/dstrandom/random.data
@@ -1487,6 +1490,9 @@ rm -rf ${RPM_BUILD_ROOT}
%changelog
+* Wed Jan 16 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-4
+- Reject invalid binary file (#1666814)
+
* Mon Jan 14 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-3
- Disable crypto rand for DHCP (#1663318)
commit 67a5cd83ffa71f67f58648e6f6c5cbb1c7ab3fa7
Author: Petr Menk <pemensik(a)redhat.com>
Date: Mon Jan 14 18:51:53 2019 +0100
Made RAND_status check optional (broke --disable-crypto-rand)
dhclient can terminate if not enough entropy, but it never requires
random data. On a new virtual machine, lack of entropy can be common.
Ensure it does not prevent DHCP client assigning an IP address.
diff --git a/bind-9.11-rh1663318.patch b/bind-9.11-rh1663318.patch
new file mode 100644
index 0000000..79487b0
--- /dev/null
+++ b/bind-9.11-rh1663318.patch
@@ -0,0 +1,32 @@
+From 48d86dd3d834bcedd0c977d193c36b12e8398b4e Mon Sep 17 00:00:00 2001
+From: Francis Dupont <fdupont(a)isc.org>
+Date: Sun, 17 Sep 2017 12:02:09 +0200
+Subject: [PATCH] Made RAND_status check optional (broke --disable-crypto-rand)
+
+---
+ lib/dns/openssl_link.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
+index 91e87d0..3cddaa9 100644
+--- a/lib/dns/openssl_link.c
++++ b/lib/dns/openssl_link.c
+@@ -289,6 +289,7 @@ dst__openssl_init(const char *engine) {
+ #endif
+ #endif /* !defined(OPENSSL_NO_ENGINE) */
+
++#ifdef ISC_PLATFORM_CRYPTORANDOM
+ /* Protect ourselves against unseeded PRNG */
+ if (RAND_status() != 1) {
+ FATAL_ERROR(__FILE__, __LINE__,
+@@ -296,6 +297,7 @@ dst__openssl_init(const char *engine) {
+ "cannot be initialized (see the `PRNG not "
+ "seeded' message in the OpenSSL FAQ)");
+ }
++#endif
+
+ return (ISC_R_SUCCESS);
+
+--
+2.20.1
+
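Review bot: With `#ifdef ISC_PLATFORM_CRYPTORANDOM` around the `RAND_status()` test, `dst__openssl_init` returns `ISC_R_SUCCESS` with no seeding check at all in builds configured with `--disable-crypto-rand`, the flag this commit adds in the `bind.spec` configure hunk, and nothing in the code records why that is acceptable. The retained comment `/* Protect ourselves against unseeded PRNG */` now describes only one build variant. I would add a comment above the `#ifdef`, for example `/* The seeding check applies only when BIND takes its randomness from the crypto library; other OpenSSL operations in a --disable-crypto-rand build are not covered by it. */`, and confirm that the consumers of that build never generate keys or signatures through OpenSSL. In `bind.spec`, a one-line comment next to `--disable-crypto-rand` naming the build it applies to would help too, presumably the export libraries used by ISC DHCP, going by the changelog entry. `dst__openssl_init` continues outside the hunk.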
diff --git a/bind.spec b/bind.spec
index 110b520..f0c5d10 100644
--- a/bind.spec
+++ b/bind.spec
@@ -54,7 +54,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name
System) serv
Name: bind
License: MPLv2.0
Version: 9.11.5
-Release: 2%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
+Release: 3%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
Epoch: 32
Url:
http://www.isc.org/products/BIND/
#
@@ -129,6 +129,8 @@ Patch160:bind-9.11-rh1624100.patch
Patch161:bind-9.11-host-idn-disable.patch
#
https://gitlab.isc.org/isc-projects/bind9/issues/624
Patch162:bind-9.11-unit-dnstap-pkcs11.patch
+#
https://gitlab.isc.org/isc-projects/bind9/commit/8a98277811e
+Patch163:bind-9.11-rh1663318.patch
# SDB patches
Patch11: bind-9.3.2b2-sdbsrc.patch
@@ -486,6 +488,7 @@ are used for building ISC DHCP.
%patch160 -p1 -b .rh1624100
%patch161 -p1 -b .host-idn-disable
%patch162 -p1 -b .dnstap-pkcs11
+%patch163 -p1 -b .rh1663318
mkdir lib/dns/tests/testdata/dstrandom
cp -a %{SOURCE50} lib/dns/tests/testdata/dstrandom/random.data
@@ -712,6 +715,7 @@ export LIBDIR_SUFFIX
--without-libjson \
--without-zlib \
--without-dlopen \
+ --disable-crypto-rand \
--enable-full-report
## We don't want to build other libs than -export twice
@@ -1483,6 +1487,9 @@ rm -rf ${RPM_BUILD_ROOT}
%changelog
+* Mon Jan 14 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-3
+- Disable crypto rand for DHCP (#1663318)
+
* Thu Oct 25 2018 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-2
- Add optional support for JSON statistics
- Add optional DNSTAP support (#1564776), new dnstap-read tool
commit a1558710fbf2b46acfaab42af347805cf678b340
Author: Adam Williamson <awilliam(a)redhat.com>
Date: Fri Jan 11 23:35:03 2019 -0800
Correct a backport inconsistency in bind-9.11-rt46047.patch
The patch seems to have been generated from a more recent bind
tree in which `ns_g_lctx` was renamed `named_g_lctx`. So the
patch uses the `named_g_lctx` name, but the rest of server.c
in bind-9.11 still uses the name `ns_g_lctx`, so if you compile
with --disable-crypto-rand, the build actually fails with an
undeclared name error.
diff --git a/bind-9.11-rt46047.patch b/bind-9.11-rt46047.patch
index 5030c06..3cb3c0f 100644
--- a/bind-9.11-rt46047.patch
+++ b/bind-9.11-rt46047.patch
@@ -299,7 +299,7 @@ index 9258e7f..f4320df 100644
- randomdev);
+ if ((obj != NULL) && !cfg_obj_isvoid(obj))
+ level = ISC_LOG_INFO;
-+ isc_log_write(named_g_lctx, NS_LOGCATEGORY_GENERAL,
++ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, level,
+ "no source of entropy found");
+ if ((obj == NULL) || cfg_obj_isvoid(obj)) {
commit ae36af4c9fd8189ea9925222f6e9902239f61af3
Author: Petr Menk <pemensik(a)redhat.com>
Date: Fri Oct 19 17:41:16 2018 +0200
Add support for DNSTAP
Not enabled by default yet. Enables dumping of dns traffic.
Fix DNSTAP issues in build and unit tests.
Fool rpmlint to accept dnstap relative path. Rpmlint emitted error
hardcoded-library-path on dnstap path. It is not system-wide library,
workaround by using variable.
Add dnstap-read utility to utils. When dnstap is enabled,
dnstap-read will be part of utils. Disadvantage is all utilities would have
dependency on protobuf library, including host and dig.
Resolves: #1564776
diff --git a/bind-9.11-unit-dnstap-pkcs11.patch b/bind-9.11-unit-dnstap-pkcs11.patch
new file mode 100644
index 0000000..8620e9f
--- /dev/null
+++ b/bind-9.11-unit-dnstap-pkcs11.patch
@@ -0,0 +1,24 @@
+diff --git a/lib/dns/tests/dnstap_test.c b/lib/dns/tests/dnstap_test.c
+index 56e3da4..1f31542 100644
+--- a/lib/dns/tests/dnstap_test.c
++++ b/lib/dns/tests/dnstap_test.c
+@@ -297,6 +297,9 @@ ATF_TC_BODY(totext, tc) {
+
+ UNUSED(tc);
+
++ /* make sure text conversion gets the right local time */
++ setenv("TZ", "PST8", 1);
++
+ result = dns_test_begin(NULL, true);
+ ATF_REQUIRE(result == ISC_R_SUCCESS);
+
+@@ -306,9 +309,6 @@ ATF_TC_BODY(totext, tc) {
+ result = isc_stdio_open(TAPTEXT, "r", &fp);
+ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+- /* make sure text conversion gets the right local time */
+- setenv("TZ", "PST8", 1);
+-
+ while (dns_dt_getframe(handle, &data, &dsize) == ISC_R_SUCCESS) {
+ dns_dtdata_t *dtdata = NULL;
+ isc_buffer_t *b = NULL;
diff --git a/bind.spec b/bind.spec
index 14b76ff..110b520 100644
--- a/bind.spec
+++ b/bind.spec
@@ -18,6 +18,7 @@
%bcond_without DEVEL
%bcond_with LMDB
%bcond_with JSON
+%bcond_with DNSTAP
%bcond_with DLZ
%bcond_without EXPORT_LIBS
%if 0%{?fedora} >= 17
@@ -124,7 +125,10 @@ Patch159:bind-9.11-rt46047.patch
# commit b105ccee68ccc3c18e6ea530063b3c8e5a42571c
# commit 083461d3329ff6f2410745848a926090586a9846
Patch160:bind-9.11-rh1624100.patch
+#
https://gitlab.isc.org/isc-projects/bind9/issues/555
Patch161:bind-9.11-host-idn-disable.patch
+#
https://gitlab.isc.org/isc-projects/bind9/issues/624
+Patch162:bind-9.11-unit-dnstap-pkcs11.patch
# SDB patches
Patch11: bind-9.3.2b2-sdbsrc.patch
@@ -187,6 +191,9 @@ BuildRequires: lmdb-devel
%if %{with JSON}
BuildRequires: json-c-devel
%endif
+%if %{with DNSTAP}
+BuildRequires: fstrm-devel protobuf-c-devel
+%endif
# Needed to regenerate dig.1 manpage
BuildRequires: docbook-style-xsl, libxslt
@@ -328,6 +335,9 @@ Requires: lmdb-devel
%if %{with JSON}
Requires: json-c-devel%{?_isa}
%endif
+%if %{with DNSTAP}
+Requires: fstrm-devel%{?_isa} protobuf-c-devel%{?_isa}
+%endif
%description lite-devel
The bind-lite-devel package contains lite version of the header
@@ -475,6 +485,7 @@ are used for building ISC DHCP.
%patch159 -p1 -b .rt46047
%patch160 -p1 -b .rh1624100
%patch161 -p1 -b .host-idn-disable
+%patch162 -p1 -b .dnstap-pkcs11
mkdir lib/dns/tests/testdata/dstrandom
cp -a %{SOURCE50} lib/dns/tests/testdata/dstrandom/random.data
@@ -605,6 +616,9 @@ export LIBDIR_SUFFIX
%if %{with JSON}
--with-libjson \
%endif
+%if %{with DNSTAP}
+ --enable-dnstap \
+%endif
%if %{with UNITTEST}
--with-atf=${ATF_PATH} \
%endif
@@ -612,6 +626,15 @@ export LIBDIR_SUFFIX
--with-docbook-xsl=%{_datadir}/sgml/docbook/xsl-stylesheets \
--enable-full-report \
;
+%if %{with DNSTAP}
+ pushd lib
+ SRCLIB="../../../lib"
+ (cd dns && ln -s ${SRCLIB}/dns/dnstap.proto)
+%if %{with PKCS11}
+ (cd dns-pkcs11 && ln -s ${SRCLIB}/dns-pkcs11/dnstap.proto)
+%endif
+ popd
+%endif
make %{?_smp_mflags}
### FIXME hack!!!
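Review bot: The `SRCLIB="../../../lib"` indirection in the added `%if %{with DNSTAP}` block has no comment. According to the commit message it exists only so rpmlint does not report hardcoded-library-path for a path that is relative to the build tree, and without that explanation the variable looks like something a later cleanup could inline. I would put `# SRCLIB is a variable only to keep rpmlint from flagging hardcoded-library-path; it is a build-tree relative path, not a system library directory` above the assignment. Separately, `ln -s` fails if the link already exists, for instance when %build is re-run in the same tree; `ln -sf` in both `(cd ... && ln -s ...)` lines avoids that.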
@@ -1238,6 +1261,10 @@ rm -rf ${RPM_BUILD_ROOT}
%if %{with LMDB}
%{_sbindir}/named-nzd2nzf
%endif
+%if %{with DNSTAP}
+%{_bindir}/dnstap-read
+%{_mandir}/man1/dnstap-read.1*
+%endif
%{_mandir}/man1/host.1*
%{_mandir}/man1/nsupdate.1*
%{_mandir}/man1/dig.1*
@@ -1458,6 +1485,7 @@ rm -rf ${RPM_BUILD_ROOT}
%changelog
* Thu Oct 25 2018 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-2
- Add optional support for JSON statistics
+- Add optional DNSTAP support (#1564776), new dnstap-read tool
* Wed Oct 24 2018 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-1
- Update to 9.11.5
commit eba5779fc1ae3c7d8bc86e5099ccafac3c37f3ba
Author: Petr Menk <pemensik(a)redhat.com>
Date: Mon Oct 15 17:15:26 2018 +0200
Add JSON statistics support
Optional support for HTTP statistics. For now it is still disabled.
diff --git a/bind.spec b/bind.spec
index b557e44..14b76ff 100644
--- a/bind.spec
+++ b/bind.spec
@@ -17,6 +17,7 @@
%bcond_without PKCS11
%bcond_without DEVEL
%bcond_with LMDB
+%bcond_with JSON
%bcond_with DLZ
%bcond_without EXPORT_LIBS
%if 0%{?fedora} >= 17
@@ -52,7 +53,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name
System) serv
Name: bind
License: MPLv2.0
Version: 9.11.5
-Release: 1%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
+Release: 2%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
Epoch: 32
Url:
http://www.isc.org/products/BIND/
#
@@ -183,6 +184,9 @@ BuildRequires: krb5-devel
%if %{with LMDB}
BuildRequires: lmdb-devel
%endif
+%if %{with JSON}
+BuildRequires: json-c-devel
+%endif
# Needed to regenerate dig.1 manpage
BuildRequires: docbook-style-xsl, libxslt
@@ -321,6 +325,9 @@ Requires: krb5-devel%{?_isa}
%if %{with LMDB}
Requires: lmdb-devel
%endif
+%if %{with JSON}
+Requires: json-c-devel%{?_isa}
+%endif
%description lite-devel
The bind-lite-devel package contains lite version of the header
@@ -595,6 +602,9 @@ export LIBDIR_SUFFIX
%else
--with-lmdb=no \
%endif
+%if %{with JSON}
+ --with-libjson \
+%endif
%if %{with UNITTEST}
--with-atf=${ATF_PATH} \
%endif
@@ -1446,6 +1456,9 @@ rm -rf ${RPM_BUILD_ROOT}
%changelog
+* Thu Oct 25 2018 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-2
+- Add optional support for JSON statistics
+
* Wed Oct 24 2018 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-1
- Update to 9.11.5
commit ad7b3b8f1284fb8077c24233c4172e2174a6d90e
Author: Petr Menk <pemensik(a)redhat.com>
Date: Fri Oct 19 17:52:10 2018 +0200
Update to 9.11.5
Bump to higher version, update sources.
More fixes to rebased BIND. Many patches are affected by stdbool change.
Update libraries so versions.
diff --git a/.gitignore b/.gitignore
index 774f56c..f656e89 100644
--- a/.gitignore
+++ b/.gitignore
@@ -86,3 +86,4 @@ bind-9.7.2b1.tar.gz
/bind-9.11.4.tar.gz
/bind-9.11.4-P1.tar.gz
/bind-9.11.4-P2.tar.gz
+/bind-9.11.5.tar.gz
diff --git a/bind-9.10-dist-native-pkcs11.patch b/bind-9.10-dist-native-pkcs11.patch
index 6f66dc1..aa95e33 100644
--- a/bind-9.10-dist-native-pkcs11.patch
+++ b/bind-9.10-dist-native-pkcs11.patch
@@ -14,7 +14,7 @@ index f0c504a..ce7a2da 100644
@BIND9_MAKE_RULES@
diff --git a/bin/dnssec-pkcs11/Makefile.in b/bin/dnssec-pkcs11/Makefile.in
-index 1d0c4ce..7b7f89b 100644
+index ce0a177..f8370cf 100644
--- a/bin/dnssec-pkcs11/Makefile.in
+++ b/bin/dnssec-pkcs11/Makefile.in
@@ -17,18 +17,18 @@ VERSION=@BIND9_VERSION@
@@ -121,15 +121,15 @@ index 1d0c4ce..7b7f89b 100644
-install:: ${TARGETS} installdirs install-man8
+install:: ${TARGETS} installdirs
- for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t
${DESTDIR}${sbindir}; done
+ for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t
${DESTDIR}${sbindir} || exit 1; done
uninstall::
-- for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m ; done
- for t in ${TARGETS}; do ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/$$t ;
done
+- for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m || exit 1; done
+ for t in ${TARGETS}; do ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/$$t ||
exit 1; done
clean distclean::
diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in
-index 1d0c4ce..11538cf 100644
+index ce0a177..7cede84 100644
--- a/bin/dnssec/Makefile.in
+++ b/bin/dnssec/Makefile.in
@@ -19,7 +19,7 @@ VERSION=@BIND9_VERSION@
@@ -291,10 +291,10 @@ index a058c91..d4b689a 100644
DEPLIBS = ${ISCDEPLIBS}
diff --git a/configure.in b/configure.in
-index 849fa94..69e6373 100644
+index 898b4ac..1edafd1 100644
--- a/configure.in
+++ b/configure.in
-@@ -1164,12 +1164,14 @@ AC_SUBST(USE_GSSAPI)
+@@ -1109,12 +1109,14 @@ AC_SUBST(USE_GSSAPI)
AC_SUBST(DST_GSSAPI_INC)
AC_SUBST(DNS_GSSAPI_LIBS)
DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_LIBS"
@@ -309,7 +309,7 @@ index 849fa94..69e6373 100644
#
# was --with-randomdev specified?
-@@ -1554,11 +1556,11 @@ fi
+@@ -1499,11 +1501,11 @@ fi
AC_MSG_CHECKING(for OpenSSL library)
OPENSSL_WARNING=
openssldirs="/usr /usr/local /usr/local/ssl /usr/pkg /usr/sfw"
@@ -326,7 +326,7 @@ index 849fa94..69e6373 100644
if test "auto" = "$use_openssl"
then
-@@ -1571,6 +1573,7 @@ then
+@@ -1516,6 +1518,7 @@ then
fi
done
fi
@@ -334,7 +334,7 @@ index 849fa94..69e6373 100644
OPENSSL_ECDSA=""
OPENSSL_GOST=""
OPENSSL_ED25519=""
-@@ -1592,11 +1595,10 @@ case "$with_gost" in
+@@ -1537,11 +1540,10 @@ case "$with_gost" in
;;
esac
@@ -349,7 +349,7 @@ index 849fa94..69e6373 100644
CRYPTOLIB="pkcs11"
OPENSSLECDSALINKOBJS=""
OPENSSLECDSALINKSRCS=""
-@@ -1606,7 +1608,9 @@ case "$use_openssl" in
+@@ -1551,7 +1553,9 @@ case "$use_openssl" in
OPENSSLGOSTLINKSRCS=""
OPENSSLLINKOBJS=""
OPENSSLLINKSRCS=""
@@ -360,7 +360,7 @@ index 849fa94..69e6373 100644
no)
AC_MSG_RESULT(no)
DST_OPENSSL_INC=""
-@@ -1638,7 +1642,7 @@ case "$use_openssl" in
+@@ -1583,7 +1587,7 @@ case "$use_openssl" in
If you do not want OpenSSL, use --without-openssl])
;;
*)
@@ -369,7 +369,7 @@ index 849fa94..69e6373 100644
then
AC_MSG_RESULT()
AC_MSG_ERROR([OpenSSL and native PKCS11 cannot be used together.])
-@@ -2066,6 +2070,7 @@ AC_SUBST(OPENSSL_ED25519)
+@@ -2011,6 +2015,7 @@ AC_SUBST(OPENSSL_ED25519)
AC_SUBST(OPENSSL_GOST)
DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DST_OPENSSL_LIBS"
@@ -377,7 +377,7 @@ index 849fa94..69e6373 100644
ISC_PLATFORM_WANTAES="#undef ISC_PLATFORM_WANTAES"
if test "yes" = "$with_aes"
-@@ -2384,6 +2389,7 @@ esac
+@@ -2329,6 +2334,7 @@ esac
AC_SUBST(PKCS11LINKOBJS)
AC_SUBST(PKCS11LINKSRCS)
AC_SUBST(CRYPTO)
@@ -385,7 +385,7 @@ index 849fa94..69e6373 100644
AC_SUBST(PKCS11_ECDSA)
AC_SUBST(PKCS11_GOST)
AC_SUBST(PKCS11_ED25519)
-@@ -5497,8 +5503,11 @@ AC_CONFIG_FILES([
+@@ -5401,8 +5407,11 @@ AC_CONFIG_FILES([
bin/delv/Makefile
bin/dig/Makefile
bin/dnssec/Makefile
@@ -397,7 +397,7 @@ index 849fa94..69e6373 100644
bin/nsupdate/Makefile
bin/pkcs11/Makefile
bin/python/Makefile
-@@ -5572,6 +5581,10 @@ AC_CONFIG_FILES([
+@@ -5476,6 +5485,10 @@ AC_CONFIG_FILES([
lib/dns/include/dns/Makefile
lib/dns/include/dst/Makefile
lib/dns/tests/Makefile
@@ -408,7 +408,7 @@ index 849fa94..69e6373 100644
lib/irs/Makefile
lib/irs/include/Makefile
lib/irs/include/irs/Makefile
-@@ -5596,6 +5609,24 @@ AC_CONFIG_FILES([
+@@ -5500,6 +5513,24 @@ AC_CONFIG_FILES([
lib/isc/unix/include/Makefile
lib/isc/unix/include/isc/Makefile
lib/isc/unix/include/pkcs11/Makefile
@@ -525,7 +525,7 @@ index 4a8549e..6a19906 100644
rm -f include/dns/rdatastruct.h
rm -f dnstap.pb-c.c dnstap.pb-c.h include/dns/dnstap.pb-c.h
diff --git a/lib/isc-pkcs11/Makefile.in b/lib/isc-pkcs11/Makefile.in
-index ba53ef1..d1f1771 100644
+index 98acfff..2fd6981 100644
--- a/lib/isc-pkcs11/Makefile.in
+++ b/lib/isc-pkcs11/Makefile.in
@@ -23,8 +23,8 @@ CINCLUDES = -I${srcdir}/unix/include \
@@ -539,7 +539,7 @@ index ba53ef1..d1f1771 100644
CWARNINGS =
# Alphabetically
-@@ -107,40 +107,40 @@ version.@O@: version.c
+@@ -103,40 +103,40 @@ version.@O@: version.c
-DLIBAGE=${LIBAGE} \
-c ${srcdir}/version.c
diff --git a/bind-9.11-fips-code.patch b/bind-9.11-fips-code.patch
index 2dccdea..f4973a6 100644
--- a/bind-9.11-fips-code.patch
+++ b/bind-9.11-fips-code.patch
@@ -1,11 +1,13 @@
-From fb8665aebd79ea33cb255f578544e1738f5bbb58 Mon Sep 17 00:00:00 2001
+From 9fa0831af989818eb6f908815967590e56a19ab1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik(a)redhat.com>
Date: Thu, 2 Aug 2018 23:34:45 +0200
-Subject: [PATCH 1/2] Squashed commit of the following:
+Subject: [PATCH] FIPS code changes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
+Squashed commit of the following:
+
commit b49f70ce0575b6b52a71b90fe0376dbf16f92c6b
Author: Petr Menk <pemensik(a)redhat.com>
Date: Mon Jan 22 14:12:37 2018 +0100
@@ -95,7 +97,7 @@ Date: Mon Jan 22 07:21:04 2018 +0100
Add runtime detection whether MD5 is useable.
---
bin/confgen/keygen.c | 10 ++++-
- bin/confgen/rndc-confgen.c | 36 +++++-------------
+ bin/confgen/rndc-confgen.c | 32 ++++------------
bin/dig/dig.c | 7 ++--
bin/dig/dighost.c | 14 +++++--
bin/dnssec/dnssec-keygen.c | 14 +++++++
@@ -104,12 +106,12 @@ Date: Mon Jan 22 07:21:04 2018 +0100
bin/rndc/rndc.c | 3 +-
bin/tests/optional/hash_test.c | 78 ++++++++++++++++++++-------------------
bin/tests/system/tkey/keycreate.c | 3 ++
- bin/tests/system/tkey/keydelete.c | 18 ++++++---
+ bin/tests/system/tkey/keydelete.c | 17 ++++++---
lib/bind9/check.c | 10 +++++
lib/dns/dst_api.c | 23 ++++++++----
lib/dns/dst_internal.h | 3 +-
lib/dns/dst_parse.c | 18 +++++++--
- lib/dns/hmac_link.c | 20 +++-------
+ lib/dns/hmac_link.c | 18 ++-------
lib/dns/opensslrsa_link.c | 6 +++
lib/dns/pkcs11rsa_link.c | 33 +++++++++++++++--
lib/dns/rcode.c | 21 ++++++++++-
@@ -120,13 +122,13 @@ Date: Mon Jan 22 07:21:04 2018 +0100
lib/dns/tsig.c | 17 +++++----
lib/isc/include/isc/md5.h | 3 ++
lib/isc/md5.c | 59 +++++++++++++++++++++++++++++
- lib/isc/pk11.c | 58 ++++++++++++++++++++---------
+ lib/isc/pk11.c | 44 +++++++++++++++-------
lib/isc/tests/hash_test.c | 9 +++--
lib/isccc/cc.c | 42 +++++++++++++--------
- 29 files changed, 424 insertions(+), 177 deletions(-)
+ 29 files changed, 409 insertions(+), 171 deletions(-)
diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c
-index 453c641dba..11cc54dd46 100644
+index 8931ad5..5015abb 100644
--- a/bin/confgen/keygen.c
+++ b/bin/confgen/keygen.c
@@ -22,6 +22,7 @@
@@ -150,7 +152,7 @@ index 453c641dba..11cc54dd46 100644
switch (alg) {
#ifndef PK11_MD5_DISABLE
case DST_ALG_HMACMD5:
-+ if (isc_md5_available() == ISC_FALSE) {
++ if (!isc_md5_available()) {
+ fatal("unsupported algorithm %d\n", alg);
+ } else if (keysize < 1 || keysize > 512) {
+ fatal("keysize %d out of range (must be 1-512)\n",
@@ -161,10 +163,10 @@ index 453c641dba..11cc54dd46 100644
case DST_ALG_HMACSHA1:
case DST_ALG_HMACSHA224:
diff --git a/bin/confgen/rndc-confgen.c b/bin/confgen/rndc-confgen.c
-index 2925baf32f..d7d8418073 100644
+index 5ca3d76..6b7790a 100644
--- a/bin/confgen/rndc-confgen.c
+++ b/bin/confgen/rndc-confgen.c
-@@ -35,6 +35,7 @@
+@@ -36,6 +36,7 @@
#include <isc/file.h>
#include <isc/keyboard.h>
#include <isc/mem.h>
@@ -172,16 +174,16 @@ index 2925baf32f..d7d8418073 100644
#include <isc/net.h>
#include <isc/print.h>
#include <isc/result.h>
-@@ -62,7 +63,7 @@ const char *progname;
+@@ -63,7 +64,7 @@ const char *progname;
- isc_boolean_t verbose = ISC_FALSE;
+ bool verbose = false;
-const char *keyfile, *keydef;
+const char *keyfile, *keydef, *algdef;
ISC_PLATFORM_NORETURN_PRE static void
usage(int status) ISC_PLATFORM_NORETURN_POST;
-@@ -70,13 +71,12 @@ usage(int status) ISC_PLATFORM_NORETURN_POST;
+@@ -71,13 +72,12 @@ usage(int status) ISC_PLATFORM_NORETURN_POST;
static void
usage(int status) {
@@ -196,7 +198,7 @@ index 2925baf32f..d7d8418073 100644
-b bits: from 1 through 512, default 256; total length of the secret\n\
-c keyfile: specify an alternate key file (requires -a)\n\
-k keyname: the name as it will be used in named.conf and rndc.conf\n\
-@@ -85,24 +85,7 @@ Usage:\n\
+@@ -86,24 +86,7 @@ Usage:\n\
-s addr: the address to which rndc should connect\n\
-t chrootdir: write a keyfile in chrootdir as well (requires -a)\n\
-u user: set the keyfile owner to \"user\" (requires -a)\n",
@@ -222,31 +224,27 @@ index 2925baf32f..d7d8418073 100644
exit (status);
}
-@@ -138,13 +121,14 @@ main(int argc, char **argv) {
+@@ -139,11 +122,12 @@ main(int argc, char **argv) {
progname = program;
keyname = DEFAULT_KEYNAME;
-#ifndef PK11_MD5_DISABLE
- alg = DST_ALG_HMACMD5;
-#else
-- alg = DST_ALG_HMACSHA256;
--#endif
- serveraddr = DEFAULT_SERVER;
- port = DEFAULT_PORT;
-+ alg = DST_ALG_HMACSHA256;
+ alg = DST_ALG_HMACSHA256;
+#ifndef PK11_MD5_DISABLE
+ if (isc_md5_available())
+ alg = DST_ALG_HMACMD5;
-+#endif
+ #endif
+ algdef = alg_totext(alg);
-
- isc_commandline_errprint = ISC_FALSE;
+ serveraddr = DEFAULT_SERVER;
+ port = DEFAULT_PORT;
diff --git a/bin/dig/dig.c b/bin/dig/dig.c
-index d4808ada67..9dff7c8ecd 100644
+index 39f74be..597e830 100644
--- a/bin/dig/dig.c
+++ b/bin/dig/dig.c
-@@ -17,6 +17,7 @@
+@@ -20,6 +20,7 @@
#include <ctype.h>
#include <isc/app.h>
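Review bot: In the regenerated `bin/confgen/rndc-confgen.c` section the patched `main` still ends up preferring HMAC-MD5. `alg = DST_ALG_HMACSHA256;` is immediately followed by `if (isc_md5_available()) alg = DST_ALG_HMACMD5;` under `#ifndef PK11_MD5_DISABLE`, so SHA-256 is the default only when MD5 is unavailable. If keeping the older default is intentional for compatibility, a comment saying so next to the override would help; otherwise dropping the override makes newly generated rndc keys use HMAC-SHA256 in every mode. The leading diff markers on this page are partly lost, so this reading of which lines are context should be confirmed against the patch file itself. `main` continues outside the hunk.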
@@ -254,7 +252,7 @@ index d4808ada67..9dff7c8ecd 100644
#include <isc/netaddr.h>
#include <isc/parseint.h>
#include <isc/platform.h>
-@@ -1757,10 +1758,10 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
+@@ -1760,10 +1761,10 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
ptr = ptr2;
ptr2 = ptr3;
} else {
@@ -269,10 +267,10 @@ index d4808ada67..9dff7c8ecd 100644
digestbits = 0;
}
diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
-index ecefc98453..94c428ed30 100644
+index 1fa711a..341ed80 100644
--- a/bin/dig/dighost.c
+++ b/bin/dig/dighost.c
-@@ -77,6 +77,7 @@
+@@ -80,6 +80,7 @@
#include <isc/hex.h>
#include <isc/lang.h>
#include <isc/log.h>
@@ -280,7 +278,7 @@ index ecefc98453..94c428ed30 100644
#include <isc/netaddr.h>
#include <isc/netdb.h>
#include <isc/parseint.h>
-@@ -1243,9 +1244,10 @@ parse_hmac(const char *hmac) {
+@@ -1246,9 +1247,10 @@ parse_hmac(const char *hmac) {
digestbits = 0;
#ifndef PK11_MD5_DISABLE
@@ -293,7 +291,7 @@ index ecefc98453..94c428ed30 100644
hmacname = DNS_TSIG_HMACMD5_NAME;
digestbits = parse_bits(&buf[9], "digest-bits [0..128]", 128);
} else
-@@ -1365,7 +1367,13 @@ setup_file_key(void) {
+@@ -1368,7 +1370,13 @@ setup_file_key(void) {
switch (dst_key_alg(dstkey)) {
#ifndef PK11_MD5_DISABLE
case DST_ALG_HMACMD5:
@@ -309,10 +307,10 @@ index ecefc98453..94c428ed30 100644
#endif
case DST_ALG_HMACSHA1:
diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c
-index 6fc3ab0979..fc04356ed4 100644
+index 1476d0d..f5c9316 100644
--- a/bin/dnssec/dnssec-keygen.c
+++ b/bin/dnssec/dnssec-keygen.c
-@@ -34,6 +34,7 @@
+@@ -36,6 +36,7 @@
#include <isc/buffer.h>
#include <isc/commandline.h>
#include <isc/entropy.h>
@@ -320,7 +318,7 @@ index 6fc3ab0979..fc04356ed4 100644
#include <isc/mem.h>
#include <isc/print.h>
#include <isc/region.h>
-@@ -560,6 +561,19 @@ main(int argc, char **argv) {
+@@ -562,6 +563,19 @@ main(int argc, char **argv) {
"\"-a RSAMD5\"\n");
INSIST(freeit == NULL);
return (1);
@@ -333,7 +331,7 @@ index 6fc3ab0979..fc04356ed4 100644
+ return (1);
+ }
+ } else if (strcasecmp(algname, "RSAMD5") == 0 &&
-+ isc_md5_available() == ISC_FALSE) {
++ !isc_md5_available()) {
+ fprintf(stderr, "The use of RSAMD5 was disabled\n");
+ INSIST(freeit == NULL);
+ return (1);
@@ -341,10 +339,10 @@ index 6fc3ab0979..fc04356ed4 100644
alg = DST_ALG_HMACMD5;
#else
diff --git a/bin/named/config.c b/bin/named/config.c
-index 54bc37fff7..c50f759ddd 100644
+index 2732a8f..2c4c93c 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
-@@ -17,6 +17,7 @@
+@@ -18,6 +18,7 @@
#include <isc/buffer.h>
#include <isc/log.h>
@@ -352,14 +350,14 @@ index 54bc37fff7..c50f759ddd 100644
#include <isc/mem.h>
#include <isc/parseint.h>
#include <isc/region.h>
-@@ -966,6 +967,21 @@ ns_config_getkeyalgorithm(const char *str, dns_name_t **name,
+@@ -967,6 +968,21 @@ ns_config_getkeyalgorithm(const char *str, dns_name_t **name,
return (ns_config_getkeyalgorithm2(str, name, NULL, digestbits));
}
+static inline int
+algorithms_start() {
+#ifndef PK11_MD5_DISABLE
-+ if (isc_md5_available() == ISC_FALSE) {
++ if (!isc_md5_available()) {
+ int i = 0;
+ while (algorithms[i].str != NULL &&
+ algorithms[i].hmac == hmacmd5) {
@@ -373,9 +371,9 @@ index 54bc37fff7..c50f759ddd 100644
+
isc_result_t
ns_config_getkeyalgorithm2(const char *str, dns_name_t **name,
- unsigned int *typep, isc_uint16_t *digestbits)
-@@ -975,7 +991,7 @@ ns_config_getkeyalgorithm2(const char *str, dns_name_t **name,
- isc_uint16_t bits;
+ unsigned int *typep, uint16_t *digestbits)
+@@ -976,7 +992,7 @@ ns_config_getkeyalgorithm2(const char *str, dns_name_t **name,
+ uint16_t bits;
isc_result_t result;
- for (i = 0; algorithms[i].str != NULL; i++) {
@@ -383,7 +381,7 @@ index 54bc37fff7..c50f759ddd 100644
len = strlen(algorithms[i].str);
if (strncasecmp(algorithms[i].str, str, len) == 0 &&
(str[len] == '\0' ||
-@@ -998,7 +1014,12 @@ ns_config_getkeyalgorithm2(const char *str, dns_name_t **name,
+@@ -999,7 +1015,12 @@ ns_config_getkeyalgorithm2(const char *str, dns_name_t **name,
if (name != NULL) {
switch (algorithms[i].hmac) {
#ifndef PK11_MD5_DISABLE
@@ -398,10 +396,10 @@ index 54bc37fff7..c50f759ddd 100644
case hmacsha1: *name = dns_tsig_hmacsha1_name; break;
case hmacsha224: *name = dns_tsig_hmacsha224_name; break;
diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
-index 6967b49754..bb5d50038f 100644
+index 8d1da3b..5eefc57 100644
--- a/bin/nsupdate/nsupdate.c
+++ b/bin/nsupdate/nsupdate.c
-@@ -29,6 +29,7 @@
+@@ -31,6 +31,7 @@
#include <isc/hash.h>
#include <isc/lex.h>
#include <isc/log.h>
@@ -409,7 +407,7 @@ index 6967b49754..bb5d50038f 100644
#include <isc/mem.h>
#include <isc/parseint.h>
#include <isc/print.h>
-@@ -474,9 +475,10 @@ parse_hmac(dns_name_t **hmac, const char *hmacstr, size_t len,
+@@ -476,9 +477,10 @@ parse_hmac(dns_name_t **hmac, const char *hmacstr, size_t len,
strlcpy(buf, hmacstr, ISC_MIN(len + 1, sizeof(buf)));
#ifndef PK11_MD5_DISABLE
@@ -422,7 +420,7 @@ index 6967b49754..bb5d50038f 100644
*hmac = DNS_TSIG_HMACMD5_NAME;
result = isc_parse_uint16(&digestbits, &buf[9], 10);
if (result != ISC_R_SUCCESS || digestbits > 128) {
-@@ -589,10 +591,10 @@ setup_keystr(void) {
+@@ -591,10 +593,10 @@ setup_keystr(void) {
exit(1);
}
} else {
@@ -436,7 +434,7 @@ index 6967b49754..bb5d50038f 100644
#endif
name = keystr;
n = s;
-@@ -729,7 +731,8 @@ setup_keyfile(isc_mem_t *mctx, isc_log_t *lctx) {
+@@ -731,7 +733,8 @@ setup_keyfile(isc_mem_t *mctx, isc_log_t *lctx) {
switch (dst_key_alg(dstkey)) {
#ifndef PK11_MD5_DISABLE
case DST_ALG_HMACMD5:
@@ -446,7 +444,7 @@ index 6967b49754..bb5d50038f 100644
break;
#endif
case DST_ALG_HMACSHA1:
-@@ -1604,12 +1607,13 @@ evaluate_key(char *cmdline) {
+@@ -1606,12 +1609,13 @@ evaluate_key(char *cmdline) {
return (STATUS_SYNTAX);
}
namestr = n + 1;
@@ -465,10 +463,10 @@ index 6967b49754..bb5d50038f 100644
isc_buffer_init(&b, namestr, strlen(namestr));
isc_buffer_add(&b, strlen(namestr));
diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c
-index 5c29caf86b..617b06b4a1 100644
+index 9eb0ce0..8083654 100644
--- a/bin/rndc/rndc.c
+++ b/bin/rndc/rndc.c
-@@ -21,6 +21,7 @@
+@@ -23,6 +23,7 @@
#include <isc/file.h>
#include <isc/log.h>
#include <isc/net.h>
@@ -476,7 +474,7 @@ index 5c29caf86b..617b06b4a1 100644
#include <isc/mem.h>
#include <isc/print.h>
#include <isc/random.h>
-@@ -634,7 +635,7 @@ parse_config(isc_mem_t *mctx, isc_log_t *log, const char *keyname,
+@@ -636,7 +637,7 @@ parse_config(isc_mem_t *mctx, isc_log_t *log, const char *keyname,
algorithmstr = cfg_obj_asstring(algorithmobj);
#ifndef PK11_MD5_DISABLE
@@ -486,7 +484,7 @@ index 5c29caf86b..617b06b4a1 100644
else
#endif
diff --git a/bin/tests/optional/hash_test.c b/bin/tests/optional/hash_test.c
-index bf2891ad4c..b5f0a1c5f5 100644
+index bf2891a..b5f0a1c 100644
--- a/bin/tests/optional/hash_test.c
+++ b/bin/tests/optional/hash_test.c
@@ -90,43 +90,47 @@ main(int argc, char **argv) {
@@ -575,7 +573,7 @@ index bf2891ad4c..b5f0a1c5f5 100644
/*
diff --git a/bin/tests/system/tkey/keycreate.c b/bin/tests/system/tkey/keycreate.c
-index 2a0ee94888..489f4390dc 100644
+index 5a00f86..653c951 100644
--- a/bin/tests/system/tkey/keycreate.c
+++ b/bin/tests/system/tkey/keycreate.c
@@ -20,6 +20,7 @@
@@ -590,30 +588,29 @@ index 2a0ee94888..489f4390dc 100644
static char keystr[] = "0123456789ab";
isc_event_free(&event);
-+ if (isc_md5_available() == ISC_FALSE)
++ if (!isc_md5_available())
+ CHECK("MD5 was disabled", ISC_R_NOTIMPLEMENTED);
result = ISC_R_FAILURE;
if (inet_pton(AF_INET, "10.53.0.1", &inaddr) != 1)
diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c
-index 7057c318e4..36ee6c7d21 100644
+index bde66a4..70a40c3 100644
--- a/bin/tests/system/tkey/keydelete.c
+++ b/bin/tests/system/tkey/keydelete.c
-@@ -225,12 +225,18 @@ main(int argc, char **argv) {
+@@ -225,12 +225,17 @@ main(int argc, char **argv) {
result = dst_key_fromnamedfile(keyname, NULL, type, mctx, &dstkey);
CHECK("dst_key_fromnamedfile", result);
#ifndef PK11_MD5_DISABLE
- result = dns_tsigkey_createfromkey(dst_key_name(dstkey),
- DNS_TSIG_HMACMD5_NAME,
-- dstkey, ISC_TRUE, NULL, 0, 0,
+- dstkey, true, NULL, 0, 0,
- mctx, ring, &tsigkey);
- dst_key_free(&dstkey);
- CHECK("dns_tsigkey_createfromkey", result);
+ if (isc_md5_available()) {
+ result = dns_tsigkey_createfromkey(dst_key_name(dstkey),
+ DNS_TSIG_HMACMD5_NAME,
-+ dstkey, ISC_TRUE,
-+ NULL, 0, 0,
++ dstkey, true, NULL, 0, 0,
+ mctx, ring, &tsigkey);
+ dst_key_free(&dstkey);
+ CHECK("dns_tsigkey_createfromkey", result);
@@ -625,10 +622,10 @@ index 7057c318e4..36ee6c7d21 100644
dst_key_free(&dstkey);
CHECK("MD5 was disabled", ISC_R_NOTIMPLEMENTED);
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
-index 3da83a7ae2..1a3d534799 100644
+index d32a5a1..c749c27 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
-@@ -21,6 +21,7 @@
+@@ -23,6 +23,7 @@
#include <isc/file.h>
#include <isc/hex.h>
#include <isc/log.h>
@@ -636,13 +633,13 @@ index 3da83a7ae2..1a3d534799 100644
#include <isc/mem.h>
#include <isc/netaddr.h>
#include <isc/parseint.h>
-@@ -2572,6 +2573,15 @@ bind9_check_key(const cfg_obj_t *key, isc_log_t *logctx) {
+@@ -2592,6 +2593,15 @@ bind9_check_key(const cfg_obj_t *key, isc_log_t *logctx) {
}
algorithm = cfg_obj_asstring(algobj);
+#ifndef PK11_MD5_DISABLE
+ /* Skip hmac-md5* algorithms */
-+ if (isc_md5_available() == ISC_FALSE &&
++ if (!isc_md5_available() &&
+ strncasecmp(algorithm, "hmac-md5", 8) == 0) {
+ cfg_obj_log(algobj, logctx, ISC_LOG_ERROR,
+ "disabled algorithm '%s'", algorithm);
@@ -653,10 +650,10 @@ index 3da83a7ae2..1a3d534799 100644
len = strlen(algorithms[i].name);
if (strncasecmp(algorithms[i].name, algorithm, len) == 0 &&
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
-index 4f3d6ac55c..dbece0ac56 100644
+index 97fee68..5703f9c 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
-@@ -190,6 +190,12 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
+@@ -192,6 +192,12 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
dst_result_register();
memset(dst_t_func, 0, sizeof(dst_t_func));
@@ -669,7 +666,7 @@ index 4f3d6ac55c..dbece0ac56 100644
#ifndef PK11_MD5_DISABLE
RETERR(dst__hmacmd5_init(&dst_t_func[DST_ALG_HMACMD5]));
#endif
-@@ -199,7 +205,6 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
+@@ -201,7 +207,6 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
RETERR(dst__hmacsha384_init(&dst_t_func[DST_ALG_HMACSHA384]));
RETERR(dst__hmacsha512_init(&dst_t_func[DST_ALG_HMACSHA512]));
#ifdef OPENSSL
@@ -677,7 +674,7 @@ index 4f3d6ac55c..dbece0ac56 100644
#ifndef PK11_MD5_DISABLE
RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSAMD5],
DST_ALG_RSAMD5));
-@@ -233,14 +238,18 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
+@@ -235,14 +240,18 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
RETERR(dst__openssleddsa_init(&dst_t_func[DST_ALG_ED448]));
#endif
#elif PKCS11CRYPTO
@@ -703,10 +700,10 @@ index 4f3d6ac55c..dbece0ac56 100644
RETERR(dst__pkcs11dsa_init(&dst_t_func[DST_ALG_DSA]));
RETERR(dst__pkcs11dsa_init(&dst_t_func[DST_ALG_NSEC3DSA]));
diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h
-index 640519a5ba..deb7ed4e13 100644
+index 6ee796c..3e55d44 100644
--- a/lib/dns/dst_internal.h
+++ b/lib/dns/dst_internal.h
-@@ -245,7 +245,8 @@ isc_result_t dst__hmacsha384_init(struct dst_func **funcp);
+@@ -250,7 +250,8 @@ isc_result_t dst__hmacsha384_init(struct dst_func **funcp);
isc_result_t dst__hmacsha512_init(struct dst_func **funcp);
isc_result_t dst__opensslrsa_init(struct dst_func **funcp,
unsigned char algorithm);
@@ -717,10 +714,10 @@ index 640519a5ba..deb7ed4e13 100644
isc_result_t dst__openssldsa_init(struct dst_func **funcp);
isc_result_t dst__pkcs11dsa_init(struct dst_func **funcp);
diff --git a/lib/dns/dst_parse.c b/lib/dns/dst_parse.c
-index b0e5c895c6..03f2b8ace8 100644
+index f31c33d..87023a6 100644
--- a/lib/dns/dst_parse.c
+++ b/lib/dns/dst_parse.c
-@@ -30,6 +30,7 @@
+@@ -33,6 +33,7 @@
#include <isc/file.h>
#include <isc/fsaccess.h>
#include <isc/lex.h>
@@ -728,7 +725,7 @@ index b0e5c895c6..03f2b8ace8 100644
#include <isc/mem.h>
#include <isc/print.h>
#include <isc/stdtime.h>
-@@ -393,6 +394,10 @@ check_data(const dst_private_t *priv, const unsigned int alg,
+@@ -396,6 +397,10 @@ check_data(const dst_private_t *priv, const unsigned int alg,
switch (alg) {
#ifndef PK11_MD5_DISABLE
case DST_ALG_RSAMD5:
@@ -739,7 +736,7 @@ index b0e5c895c6..03f2b8ace8 100644
#endif
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
-@@ -418,7 +423,10 @@ check_data(const dst_private_t *priv, const unsigned int alg,
+@@ -421,7 +426,10 @@ check_data(const dst_private_t *priv, const unsigned int alg,
return (check_eddsa(priv, external));
#ifndef PK11_MD5_DISABLE
case DST_ALG_HMACMD5:
@@ -751,36 +748,35 @@ index b0e5c895c6..03f2b8ace8 100644
#endif
case DST_ALG_HMACSHA1:
return (check_hmac_sha(priv, HMACSHA1_NTAGS, alg));
-@@ -637,11 +645,13 @@ dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t
*lex,
+@@ -640,11 +648,13 @@ dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t
*lex,
}
#ifdef PK11_MD5_DISABLE
- check = check_data(priv, alg == DST_ALG_RSA ? DST_ALG_RSASHA1 : alg,
-- ISC_TRUE, external);
+- true, external);
+ if (alg == DST_ALG_RSA)
+ alg = DST_ALG_RSASHA1;
#else
-- check = check_data(priv, alg, ISC_TRUE, external);
-+ if (isc_md5_available() == ISC_FALSE && alg == DST_ALG_RSA)
+- check = check_data(priv, alg, true, external);
++ if (!isc_md5_available() && alg == DST_ALG_RSA)
+ alg = DST_ALG_RSASHA1;
#endif
-+ check = check_data(priv, alg, ISC_TRUE, external);
++ check = check_data(priv, alg, true, external);
if (check < 0) {
ret = DST_R_INVALIDPRIVATEKEY;
goto fail;
diff --git a/lib/dns/hmac_link.c b/lib/dns/hmac_link.c
-index 59aa4705e5..21bfa44450 100644
+index 94e73b1..d904075 100644
--- a/lib/dns/hmac_link.c
+++ b/lib/dns/hmac_link.c
-@@ -338,25 +338,17 @@ static dst_func_t hmacmd5_functions = {
+@@ -340,20 +340,10 @@ static dst_func_t hmacmd5_functions = {
isc_result_t
dst__hmacmd5_init(dst_func_t **funcp) {
-#ifdef HAVE_FIPS_MODE
- /*
+- /*
- * Problems from OpenSSL are likely from FIPS mode
-+ * Prevent use of incorrect crypto
- */
+- */
- int fips_mode = FIPS_mode();
-
- if (fips_mode != 0) {
@@ -789,26 +785,20 @@ index 59aa4705e5..21bfa44450 100644
- "if the value is 0.\n"
- "Please disable either FIPS mode or MD5.",
- fips_mode);
+- }
+-#endif
+
-+#ifndef PK11_MD5_DISABLE
-+ if (isc_md5_available() == ISC_FALSE) {
-+ /* Intentionally skip initialization */
++ /* Intentionally skip initialization */
++ if (!isc_md5_available())
+ return (ISC_R_SUCCESS);
- }
- #endif
-
-- /*
-- * Prevent use of incorrect crypto
-- */
--
- RUNTIME_CHECK(isc_md5_check(ISC_FALSE));
- RUNTIME_CHECK(isc_hmacmd5_check(0));
+ /*
+ * Prevent use of incorrect crypto
diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
-index f4847bbe74..126cebca19 100644
+index c03fd72..49b66fc 100644
--- a/lib/dns/opensslrsa_link.c
+++ b/lib/dns/opensslrsa_link.c
-@@ -1801,6 +1801,12 @@ dst__opensslrsa_init(dst_func_t **funcp, unsigned char algorithm)
{
+@@ -1802,6 +1802,12 @@ dst__opensslrsa_init(dst_func_t **funcp, unsigned char algorithm)
{
if (*funcp == NULL) {
switch (algorithm) {
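Review bot: The early `return (ISC_R_SUCCESS);` added to dst__hmacmd5_init in lib/dns/hmac_link.c reports success while leaving `*funcp` unset, and the comment `/* Intentionally skip initialization */` does not say so. A comment such as `/* MD5 not offered by the crypto provider: leave *funcp unset so HMAC-MD5 is never registered */` would make the contract clear to callers that index dst_t_func. The branch this replaces printed an explicit message ("Please disable either FIPS mode or MD5."), so a log line here would keep the disablement visible to operators. The rest of the function is outside the hunk.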
@@ -822,10 +812,10 @@ index f4847bbe74..126cebca19 100644
#if defined(HAVE_EVP_SHA256) || !USE_EVP
*funcp = &opensslrsa_functions;
diff --git a/lib/dns/pkcs11rsa_link.c b/lib/dns/pkcs11rsa_link.c
-index 56955203e9..af6008d4dd 100644
+index eb782c8..46fd844 100644
--- a/lib/dns/pkcs11rsa_link.c
+++ b/lib/dns/pkcs11rsa_link.c
-@@ -94,10 +94,15 @@ pkcs11rsa_createctx_sign(dst_key_t *key, dst_context_t *dctx) {
+@@ -96,10 +96,15 @@ pkcs11rsa_createctx_sign(dst_key_t *key, dst_context_t *dctx) {
#endif
/*
@@ -835,44 +825,44 @@ index 56955203e9..af6008d4dd 100644
switch (dctx->key->key_alg) {
case DST_ALG_RSAMD5:
+#ifndef PK11_MD5_DISABLE
-+ if (isc_md5_available() == ISC_FALSE)
++ if (!isc_md5_available())
+ return (ISC_R_FAILURE);
+#endif
+ /* FALLTHROUGH */
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
/* From RFC 3110 */
-@@ -634,6 +639,9 @@ pkcs11rsa_createctx(dst_key_t *key, dst_context_t *dctx) {
+@@ -636,6 +641,9 @@ pkcs11rsa_createctx(dst_key_t *key, dst_context_t *dctx) {
switch (key->key_alg) {
#ifndef PK11_MD5_DISABLE
case DST_ALG_RSAMD5:
-+ if (isc_md5_available() == ISC_FALSE)
++ if (!isc_md5_available())
+ return (ISC_R_FAILURE);
+
mech.mechanism = CKM_MD5;
break;
#endif
-@@ -790,6 +798,9 @@ pkcs11rsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
+@@ -792,6 +800,9 @@ pkcs11rsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
switch (key->key_alg) {
#ifndef PK11_MD5_DISABLE
case DST_ALG_RSAMD5:
-+ if (isc_md5_available() == ISC_FALSE)
++ if (!isc_md5_available())
+ return (ISC_R_FAILURE);
+
der = md5_der;
derlen = sizeof(md5_der);
hashlen = ISC_MD5_DIGESTLENGTH;
-@@ -1014,6 +1025,9 @@ pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+@@ -1016,6 +1027,9 @@ pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
switch (key->key_alg) {
#ifndef PK11_MD5_DISABLE
case DST_ALG_RSAMD5:
-+ if (isc_md5_available() == ISC_FALSE)
++ if (!isc_md5_available())
+ return (ISC_R_FAILURE);
+
der = md5_der;
derlen = sizeof(md5_der);
hashlen = ISC_MD5_DIGESTLENGTH;
-@@ -2217,11 +2231,22 @@ static dst_func_t pkcs11rsa_functions = {
+@@ -2219,11 +2233,22 @@ static dst_func_t pkcs11rsa_functions = {
};
isc_result_t
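Review bot: The four added guards for `DST_ALG_RSAMD5` in lib/dns/pkcs11rsa_link.c return the generic `ISC_R_FAILURE`, while the tkey.c and cc.c parts of the same patch return `ISC_R_NOTIMPLEMENTED` for the same "MD5 disabled" condition. Using `return (ISC_R_NOTIMPLEMENTED);` here as well would let callers and logs tell a policy-disabled algorithm from a real signing or verification error. In pkcs11rsa_sign and pkcs11rsa_verify the switch sits partway through the function, so it is worth confirming that nothing acquired earlier needs releasing before the early return; those bodies are outside the hunk.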
@@ -899,18 +889,18 @@ index 56955203e9..af6008d4dd 100644
}
diff --git a/lib/dns/rcode.c b/lib/dns/rcode.c
-index 937d8fc1ec..d1fa8d5870 100644
+index 6a5948e..010dd1b 100644
--- a/lib/dns/rcode.c
+++ b/lib/dns/rcode.c
-@@ -14,6 +14,7 @@
- #include <ctype.h>
+@@ -16,6 +16,7 @@
+ #include <stdbool.h>
#include <isc/buffer.h>
+#include <isc/md5.h>
#include <isc/parseint.h>
#include <isc/print.h>
#include <isc/region.h>
-@@ -347,17 +348,33 @@ dns_cert_totext(dns_cert_t cert, isc_buffer_t *target) {
+@@ -349,17 +350,33 @@ dns_cert_totext(dns_cert_t cert, isc_buffer_t *target) {
return (dns_mnemonic_totext(cert, target, certs));
}
@@ -919,7 +909,7 @@ index 937d8fc1ec..d1fa8d5870 100644
+ struct tbl *algs = secalgs;
+
+#ifndef PK11_MD5_DISABLE
-+ if (isc_md5_available() == ISC_FALSE) {
++ if (!isc_md5_available()) {
+ while (algs->name != NULL &&
+ algs->value == DNS_KEYALG_RSAMD5)
+ ++algs;
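Review bot: The added loop `while (algs->name != NULL && algs->value == DNS_KEYALG_RSAMD5) ++algs;` in lib/dns/rcode.c only skips RSAMD5 entries at the head of `secalgs`, so the filter depends on the table's ordering. An RSAMD5 mnemonic placed later in the table would still be accepted when MD5 is unavailable. A comment on the loop, for example `/* Skips leading RSAMD5 entries only; secalgs[] must list them first */`, would record that dependency. The enclosing function starts and ends outside the hunk.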
@@ -947,7 +937,7 @@ index 937d8fc1ec..d1fa8d5870 100644
void
diff --git a/lib/dns/tests/rsa_test.c b/lib/dns/tests/rsa_test.c
-index 224cf5b475..44040dd8b7 100644
+index fb207ef..3ef0a4e 100644
--- a/lib/dns/tests/rsa_test.c
+++ b/lib/dns/tests/rsa_test.c
@@ -19,6 +19,7 @@
@@ -967,10 +957,10 @@ index 224cf5b475..44040dd8b7 100644
+ key->key_alg = DST_ALG_RSAMD5;
- ret = dst_context_create3(key, mctx, DNS_LOGCATEGORY_DNSSEC,
-- ISC_FALSE, &ctx);
+- false, &ctx);
- ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS);
+ ret = dst_context_create3(key, mctx, DNS_LOGCATEGORY_DNSSEC,
-+ ISC_FALSE, &ctx);
++ false, &ctx);
+ ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS);
- r.base = d;
@@ -998,7 +988,7 @@ index 224cf5b475..44040dd8b7 100644
/* RSASHA256 */
diff --git a/lib/dns/tests/tsig_test.c b/lib/dns/tests/tsig_test.c
-index ee025c2387..c403d9954d 100644
+index 443fb36..f003ff3 100644
--- a/lib/dns/tests/tsig_test.c
+++ b/lib/dns/tests/tsig_test.c
@@ -14,6 +14,7 @@
@@ -1010,24 +1000,24 @@ index ee025c2387..c403d9954d 100644
#include <isc/print.h>
diff --git a/lib/dns/tkey.c b/lib/dns/tkey.c
-index d9f68e50b1..a8edde47b5 100644
+index 5b4ffd9..cc3469d 100644
--- a/lib/dns/tkey.c
+++ b/lib/dns/tkey.c
-@@ -242,6 +242,9 @@ compute_secret(isc_buffer_t *shared, isc_region_t *queryrandomness,
+@@ -245,6 +245,9 @@ compute_secret(isc_buffer_t *shared, isc_region_t *queryrandomness,
unsigned char digests[32];
unsigned int i;
-+ if (isc_md5_available() == ISC_FALSE)
++ if (!isc_md5_available())
+ return (ISC_R_NOTIMPLEMENTED);
+
isc_buffer_usedregion(shared, &r);
/*
-@@ -318,6 +321,12 @@ process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t
*name,
+@@ -321,6 +324,12 @@ process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t
*name,
}
#ifndef PK11_MD5_DISABLE
-+ if (isc_md5_available() == ISC_FALSE) {
++ if (!isc_md5_available()) {
+ tkey_log("process_dhtkey: MD5 was disabled");
+ tkeyout->error = dns_tsigerror_badalg;
+ return (ISC_R_SUCCESS);
@@ -1037,7 +1027,7 @@ index d9f68e50b1..a8edde47b5 100644
tkey_log("process_dhtkey: algorithms other than "
"hmac-md5 are not supported");
diff --git a/lib/dns/tsec.c b/lib/dns/tsec.c
-index a367291f23..37baad7437 100644
+index c5eca0e..19b9002 100644
--- a/lib/dns/tsec.c
+++ b/lib/dns/tsec.c
@@ -11,6 +11,7 @@
@@ -1063,10 +1053,10 @@ index a367291f23..37baad7437 100644
#endif
case DST_ALG_HMACSHA1:
diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
-index bdcc581bc3..70805bb709 100644
+index a94ec69..f74c831 100644
--- a/lib/dns/tsig.c
+++ b/lib/dns/tsig.c
-@@ -270,7 +270,8 @@ dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm,
+@@ -273,7 +273,8 @@ dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm,
(void)dns_name_downcase(&tkey->name, &tkey->name, NULL);
#ifndef PK11_MD5_DISABLE
@@ -1076,7 +1066,7 @@ index bdcc581bc3..70805bb709 100644
tkey->algorithm = DNS_TSIG_HMACMD5_NAME;
if (dstkey != NULL && dst_key_alg(dstkey) != DST_ALG_HMACMD5) {
ret = DNS_R_BADALG;
-@@ -496,7 +497,8 @@ destroyring(dns_tsig_keyring_t *ring) {
+@@ -499,7 +500,8 @@ destroyring(dns_tsig_keyring_t *ring) {
static unsigned int
dst_alg_fromname(dns_name_t *algorithm) {
#ifndef PK11_MD5_DISABLE
@@ -1086,7 +1076,7 @@ index bdcc581bc3..70805bb709 100644
return (DST_ALG_HMACMD5);
} else
#endif
-@@ -680,7 +682,8 @@ dns_tsigkey_create(dns_name_t *name, dns_name_t *algorithm,
+@@ -683,7 +685,8 @@ dns_tsigkey_create(dns_name_t *name, dns_name_t *algorithm,
REQUIRE(secret != NULL);
#ifndef PK11_MD5_DISABLE
@@ -1096,7 +1086,7 @@ index bdcc581bc3..70805bb709 100644
if (secret != NULL) {
isc_buffer_t b;
-@@ -1280,7 +1283,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
+@@ -1283,7 +1286,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
return (ret);
if (
#ifndef PK11_MD5_DISABLE
@@ -1105,7 +1095,7 @@ index bdcc581bc3..70805bb709 100644
#endif
alg == DST_ALG_HMACSHA1 ||
alg == DST_ALG_HMACSHA224 || alg == DST_ALG_HMACSHA256 ||
-@@ -1449,7 +1452,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
+@@ -1452,7 +1455,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
if (
#ifndef PK11_MD5_DISABLE
@@ -1114,7 +1104,7 @@ index bdcc581bc3..70805bb709 100644
#endif
alg == DST_ALG_HMACSHA1 ||
alg == DST_ALG_HMACSHA224 || alg == DST_ALG_HMACSHA256 ||
-@@ -1590,7 +1593,7 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
+@@ -1593,7 +1596,7 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
goto cleanup_querystruct;
if (
#ifndef PK11_MD5_DISABLE
@@ -1123,7 +1113,7 @@ index bdcc581bc3..70805bb709 100644
#endif
alg == DST_ALG_HMACSHA1 ||
alg == DST_ALG_HMACSHA224 ||
-@@ -1769,7 +1772,7 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
+@@ -1772,7 +1775,7 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
goto cleanup_context;
if (
#ifndef PK11_MD5_DISABLE
@@ -1133,24 +1123,24 @@ index bdcc581bc3..70805bb709 100644
alg == DST_ALG_HMACSHA1 ||
alg == DST_ALG_HMACSHA224 ||
diff --git a/lib/isc/include/isc/md5.h b/lib/isc/include/isc/md5.h
-index e5f46dd9c7..9d11f9f8b6 100644
+index 4d29398..e3f5cec 100644
--- a/lib/isc/include/isc/md5.h
+++ b/lib/isc/include/isc/md5.h
-@@ -89,6 +89,9 @@ isc_md5_final(isc_md5_t *ctx, unsigned char *digest);
- isc_boolean_t
- isc_md5_check(isc_boolean_t testing);
+@@ -91,6 +91,9 @@ isc_md5_final(isc_md5_t *ctx, unsigned char *digest);
+ bool
+ isc_md5_check(bool testing);
-+isc_boolean_t
++bool
+isc_md5_available(void);
+
ISC_LANG_ENDDECLS
#endif /* !PK11_MD5_DISABLE */
diff --git a/lib/isc/md5.c b/lib/isc/md5.c
-index 740d863b1b..aefd16478f 100644
+index 25c71a2..934a70c 100644
--- a/lib/isc/md5.c
+++ b/lib/isc/md5.c
-@@ -35,6 +35,7 @@
+@@ -37,6 +37,7 @@
#include <isc/assertions.h>
#include <isc/md5.h>
@@ -1158,17 +1148,17 @@ index 740d863b1b..aefd16478f 100644
#include <isc/platform.h>
#include <isc/safe.h>
#include <isc/string.h>
-@@ -53,6 +54,9 @@
+@@ -55,6 +56,9 @@
#define EVP_MD_CTX_free(ptr) EVP_MD_CTX_cleanup(ptr)
#endif
+static isc_once_t available_once = ISC_ONCE_INIT;
-+static isc_boolean_t available = ISC_FALSE;
++static bool available = false;
+
void
isc_md5_init(isc_md5_t *ctx) {
ctx->ctx = EVP_MD_CTX_new();
-@@ -84,8 +88,33 @@ isc_md5_final(isc_md5_t *ctx, unsigned char *digest) {
+@@ -86,8 +90,33 @@ isc_md5_final(isc_md5_t *ctx, unsigned char *digest) {
ctx->ctx = NULL;
}
@@ -1180,14 +1170,14 @@ index 740d863b1b..aefd16478f 100644
+
+ ctx->ctx = EVP_MD_CTX_new();
+ RUNTIME_CHECK(ctx->ctx != NULL);
-+ available = ISC_TF(EVP_DigestInit(ctx->ctx, EVP_md5()) == 1);
++ available = (EVP_DigestInit(ctx->ctx, EVP_md5()) == 1);
+ if (available)
+ (void)EVP_DigestFinal(ctx->ctx, digest, NULL);
+ EVP_MD_CTX_free(ctx->ctx);
+ ctx->ctx = NULL;
+}
+
-+isc_boolean_t
++bool
+isc_md5_available() {
+ RUNTIME_CHECK(isc_once_do(&available_once, do_detect_available)
+ == ISC_R_SUCCESS);
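Review bot: The definition `isc_md5_available() {` in lib/isc/md5.c uses an empty parameter list, while the prototype added to isc/md5.h is `isc_md5_available(void);`. In C the empty list is an old-style definition that does not act as a prototype, so it should read `isc_md5_available(void) {`. The PKCS#11 variant and the built-in fallback later in the same file are written the same way. The body of do_detect_available begins above this hunk.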
@@ -1197,12 +1187,12 @@ index 740d863b1b..aefd16478f 100644
#elif PKCS11CRYPTO
+static isc_once_t available_once = ISC_ONCE_INIT;
-+static isc_boolean_t available = ISC_FALSE;
++static bool available = false;
+
void
isc_md5_init(isc_md5_t *ctx) {
CK_RV rv;
-@@ -128,6 +157,31 @@ isc_md5_final(isc_md5_t *ctx, unsigned char *digest) {
+@@ -130,6 +159,31 @@ isc_md5_final(isc_md5_t *ctx, unsigned char *digest) {
pk11_return_session(ctx);
}
@@ -1213,18 +1203,18 @@ index 740d863b1b..aefd16478f 100644
+ CK_RV rv;
+ CK_MECHANISM mech = { CKM_MD5, NULL, 0 };
+
-+ if (pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE,
-+ ISC_FALSE, NULL, 0) == ISC_R_SUCCESS)
++ if (pk11_get_session(ctx, OP_DIGEST, true, false,
++ false, NULL, 0) == ISC_R_SUCCESS)
+ {
+ rv = pkcs_C_DigestInit(ctx->session, &mech);
+ isc_md5_invalidate(ctx);
-+ available = (ISC_TF(rv == CKR_OK));
++ available = (rv == CKR_OK);
+ } else {
-+ available = ISC_FALSE;
++ available = false;
+ }
+}
+
-+isc_boolean_t
++bool
+isc_md5_available() {
+ RUNTIME_CHECK(isc_once_do(&available_once, do_detect_available)
+ == ISC_R_SUCCESS);
@@ -1234,74 +1224,49 @@ index 740d863b1b..aefd16478f 100644
#else
static void
-@@ -337,6 +391,11 @@ isc_md5_final(isc_md5_t *ctx, unsigned char *digest) {
+@@ -339,6 +393,11 @@ isc_md5_final(isc_md5_t *ctx, unsigned char *digest) {
memmove(digest, ctx->buf, 16);
isc_safe_memwipe(ctx, sizeof(*ctx)); /* In case it's sensitive */
}
+
-+isc_boolean_t
++bool
+isc_md5_available() {
-+ return ISC_TRUE;
++ return true;
+}
#endif
/*
diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c
-index fc75a46154..48e1031974 100644
+index c5d2310..a01e698 100644
--- a/lib/isc/pk11.c
+++ b/lib/isc/pk11.c
-@@ -191,13 +191,12 @@ pk11_initialize(isc_mem_t *mctx, const char *engine) {
- LOCK(&alloclock);
- if ((mctx != NULL) && (pk11_mctx == NULL) && (allocsize == 0))
- isc_mem_attach(mctx, &pk11_mctx);
-+ UNLOCK(&alloclock);
-+
-+ LOCK(&sessionlock);
+@@ -197,8 +197,6 @@ pk11_initialize(isc_mem_t *mctx, const char *engine) {
+ UNLOCK(&alloclock);
if (initialized) {
-- UNLOCK(&alloclock);
-- return (ISC_R_SUCCESS);
+ goto unlock;
- } else {
-- LOCK(&sessionlock);
-- initialized = ISC_TRUE;
-- UNLOCK(&alloclock);
-+ result = ISC_R_SUCCESS;
-+ goto unlock;
+- initialized = true;
}
ISC_LIST_INIT(tokens);
-@@ -237,6 +236,7 @@ pk11_initialize(isc_mem_t *mctx, const char *engine) {
+@@ -236,6 +234,7 @@ pk11_initialize(isc_mem_t *mctx, const char *engine) {
+ result = PK11_R_NOAESSERVICE;
+ goto unlock;
}
++ initialized = true;
#endif
#endif /* PKCS11CRYPTO */
-+ initialized = ISC_TRUE;
- result = ISC_R_SUCCESS;
unlock:
- UNLOCK(&sessionlock);
-@@ -273,9 +273,14 @@ pk11_finalize(void) {
- pk11_mem_put(token, sizeof(*token));
- token = next;
- }
-+ LOCK(&alloclock);
- if (pk11_mctx != NULL)
- isc_mem_detach(&pk11_mctx);
-+ UNLOCK(&alloclock);
-+
-+ LOCK(&sessionlock);
- initialized = ISC_FALSE;
-+ UNLOCK(&sessionlock);
- return (ret);
- }
-
-@@ -589,6 +594,8 @@ scan_slots(void) {
+@@ -589,6 +588,8 @@ scan_slots(void) {
pk11_token_t *token;
unsigned int i;
- isc_boolean_t bad;
+ bool bad;
+ unsigned int best_rsa_algorithms = 0;
+ unsigned int best_digest_algorithms = 0;
slotCount = 0;
PK11_FATALCHECK(pkcs_C_GetSlotList, (CK_FALSE, NULL_PTR, &slotCount));
-@@ -601,6 +608,8 @@ scan_slots(void) {
+@@ -601,6 +602,8 @@ scan_slots(void) {
PK11_FATALCHECK(pkcs_C_GetSlotList, (CK_FALSE, slotList, &slotCount));
for (i = 0; i < slotCount; i++) {
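Review bot: In the pk11_initialize part of this hunk the new `initialized = true;` now sits above both `#endif` lines, so it is compiled only when the PKCS11CRYPTO block and the inner conditional around the `PK11_R_NOAESSERVICE` check are enabled. Their `#if` lines are outside the hunk, so this is inferred. In any other build the flag would never be set, and each later call would run `ISC_LIST_INIT(tokens)` and the provider initialisation again. The previous revision of the patch set the flag after `#endif /* PKCS11CRYPTO */`. Moving the line back there, just before the `unlock:` label, keeps the retry-after-failure behaviour without tying it to build options.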
@@ -1310,12 +1275,12 @@ index fc75a46154..48e1031974 100644
slot = slotList[i];
PK11_TRACE2("slot#%u=0x%lx\n", i, slot);
-@@ -640,11 +649,12 @@ scan_slots(void) {
+@@ -640,11 +643,12 @@ scan_slots(void) {
if ((rv != CKR_OK) ||
((mechInfo.flags & CKF_SIGN) == 0) ||
((mechInfo.flags & CKF_VERIFY) == 0)) {
-#if !defined(PK11_MD5_DISABLE) && !defined(PK11_RSA_PKCS_REPLACE)
-- bad = ISC_TRUE;
+- bad = true;
-#endif
PK11_TRACEM(CKM_MD5_RSA_PKCS);
}
@@ -1326,28 +1291,28 @@ index fc75a46154..48e1031974 100644
rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA1_RSA_PKCS,
&mechInfo);
if ((rv != CKR_OK) ||
-@@ -687,8 +697,14 @@ scan_slots(void) {
+@@ -687,8 +691,14 @@ scan_slots(void) {
if (bad)
goto try_dsa;
token->operations |= 1 << OP_RSA;
- if (best_rsa_token == NULL)
+ if (best_rsa_token == NULL) {
-+ best_rsa_token = token;
+ best_rsa_token = token;
+ best_rsa_algorithms = rsa_algorithms;
+ } else if (rsa_algorithms > best_rsa_algorithms) {
+ pk11_mem_put(best_rsa_token, sizeof(*best_rsa_token));
- best_rsa_token = token;
++ best_rsa_token = token;
+ best_rsa_algorithms = rsa_algorithms;
+ }
try_dsa:
- bad = ISC_FALSE;
-@@ -756,11 +772,12 @@ scan_slots(void) {
- bad = ISC_FALSE;
+ bad = false;
+@@ -756,11 +766,12 @@ scan_slots(void) {
+ bad = false;
rv = pkcs_C_GetMechanismInfo(slot, CKM_MD5, &mechInfo);
if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) {
-#ifndef PK11_MD5_DISABLE
-- bad = ISC_TRUE;
+- bad = true;
-#endif
PK11_TRACEM(CKM_MD5);
}
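Review bot: The `else if (rsa_algorithms > best_rsa_algorithms)` branch in scan_slots frees the previously chosen token with `pk11_mem_put(best_rsa_token, sizeof(*best_rsa_token));`, and nothing in the hunk unlinks that token first. If the token was already appended to the `tokens` list earlier in scan_slots (not visible here), or is also held as another service's token, those references would point at freed memory and teardown could free it a second time. Dropping the `pk11_mem_put` call and only reassigning `best_rsa_token` and `best_rsa_algorithms` avoids this. The same applies to `pk11_mem_put(digest_token, sizeof(*digest_token));` in the digest hunk further down. scan_slots starts and ends outside the hunk.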
@@ -1357,13 +1322,13 @@ index fc75a46154..48e1031974 100644
+#endif
rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA_1, &mechInfo);
if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) {
- bad = ISC_TRUE;
-@@ -788,11 +805,12 @@ scan_slots(void) {
+ bad = true;
+@@ -788,11 +799,12 @@ scan_slots(void) {
}
rv = pkcs_C_GetMechanismInfo(slot, CKM_MD5_HMAC, &mechInfo);
if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0)) {
-#if !defined(PK11_MD5_DISABLE) && !defined(PK11_MD5_HMAC_REPLACE)
-- bad = ISC_TRUE;
+- bad = true;
-#endif
PK11_TRACEM(CKM_MD5_HMAC);
}
@@ -1374,27 +1339,27 @@ index fc75a46154..48e1031974 100644
rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA_1_HMAC, &mechInfo);
if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0)) {
#ifndef PK11_SHA_1_HMAC_REPLACE
-@@ -830,8 +848,14 @@ scan_slots(void) {
+@@ -830,8 +842,14 @@ scan_slots(void) {
}
if (!bad) {
token->operations |= 1 << OP_DIGEST;
- if (digest_token == NULL)
+ if (digest_token == NULL) {
-+ digest_token = token;
+ digest_token = token;
+ best_digest_algorithms = digest_algorithms;
+ } else if (digest_algorithms > best_digest_algorithms) {
+ pk11_mem_put(digest_token, sizeof(*digest_token));
- digest_token = token;
++ digest_token = token;
+ best_digest_algorithms = digest_algorithms;
+ }
}
/* ECDSA requires digest */
diff --git a/lib/isc/tests/hash_test.c b/lib/isc/tests/hash_test.c
-index 18759903be..6bc45b1ad3 100644
+index 8f12342..7eb1552 100644
--- a/lib/isc/tests/hash_test.c
+++ b/lib/isc/tests/hash_test.c
-@@ -2008,7 +2008,8 @@ ATF_TP_ADD_TCS(tp) {
+@@ -2009,7 +2009,8 @@ ATF_TP_ADD_TCS(tp) {
* various cryptographic hashes.
*/
#ifndef PK11_MD5_DISABLE
@@ -1404,7 +1369,7 @@ index 18759903be..6bc45b1ad3 100644
#endif
ATF_TP_ADD_TC(tp, sha1_check);
-@@ -2016,7 +2017,8 @@ ATF_TP_ADD_TCS(tp) {
+@@ -2017,7 +2018,8 @@ ATF_TP_ADD_TCS(tp) {
ATF_TP_ADD_TC(tp, isc_hash_function_reverse);
ATF_TP_ADD_TC(tp, isc_hash_initializer);
#ifndef PK11_MD5_DISABLE
@@ -1414,7 +1379,7 @@ index 18759903be..6bc45b1ad3 100644
#endif
ATF_TP_ADD_TC(tp, isc_hmacsha1);
ATF_TP_ADD_TC(tp, isc_hmacsha224);
-@@ -2024,7 +2026,8 @@ ATF_TP_ADD_TCS(tp) {
+@@ -2025,7 +2027,8 @@ ATF_TP_ADD_TCS(tp) {
ATF_TP_ADD_TC(tp, isc_hmacsha384);
ATF_TP_ADD_TC(tp, isc_hmacsha512);
#ifndef PK11_MD5_DISABLE
@@ -1425,10 +1390,10 @@ index 18759903be..6bc45b1ad3 100644
ATF_TP_ADD_TC(tp, isc_sha1);
ATF_TP_ADD_TC(tp, isc_sha224);
diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c
-index 7225ab4a37..42b30466be 100644
+index c2740cb..c314d76 100644
--- a/lib/isccc/cc.c
+++ b/lib/isccc/cc.c
-@@ -270,11 +270,15 @@ sign(unsigned char *data, unsigned int length, unsigned char
*hmac,
+@@ -272,11 +272,15 @@ sign(unsigned char *data, unsigned int length, unsigned char
*hmac,
switch (algorithm) {
#ifndef PK11_MD5_DISABLE
case ISCCC_ALG_HMACMD5:
@@ -1449,14 +1414,14 @@ index 7225ab4a37..42b30466be 100644
break;
#endif
-@@ -348,14 +352,18 @@ isccc_cc_towire(isccc_sexpr_t *alist, isc_buffer_t **buffer,
+@@ -350,14 +354,18 @@ isccc_cc_towire(isccc_sexpr_t *alist, isc_buffer_t **buffer,
{
unsigned int hmac_base, signed_base;
isc_result_t result;
-+ const isc_boolean_t md5 = ISC_TF(algorithm == ISCCC_ALG_HMACMD5);
++ const bool md5 = (algorithm == ISCCC_ALG_HMACMD5);
#ifndef PK11_MD5_DISABLE
-+ if (md5 && isc_md5_available() == ISC_FALSE)
++ if (md5 && !isc_md5_available())
+ return (ISC_R_NOTIMPLEMENTED);
+
result = isc_buffer_reserve(buffer,
@@ -1470,7 +1435,7 @@ index 7225ab4a37..42b30466be 100644
return (ISC_R_NOTIMPLEMENTED);
result = isc_buffer_reserve(buffer, 4 + sizeof(auth_hsha));
#endif
-@@ -374,7 +382,7 @@ isccc_cc_towire(isccc_sexpr_t *alist, isc_buffer_t **buffer,
+@@ -376,7 +384,7 @@ isccc_cc_towire(isccc_sexpr_t *alist, isc_buffer_t **buffer,
* we know what it is.
*/
#ifndef PK11_MD5_DISABLE
@@ -1479,7 +1444,7 @@ index 7225ab4a37..42b30466be 100644
hmac_base = (*buffer)->used + HMD5_OFFSET;
isc_buffer_putmem(*buffer,
auth_hmd5, sizeof(auth_hmd5));
-@@ -440,7 +448,7 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int
length,
+@@ -442,7 +450,7 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int
length,
if (!isccc_alist_alistp(_auth))
return (ISC_R_FAILURE);
#ifndef PK11_MD5_DISABLE
@@ -1488,7 +1453,7 @@ index 7225ab4a37..42b30466be 100644
hmac = isccc_alist_lookup(_auth, "hmd5");
else
#endif
-@@ -455,12 +463,16 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int
length,
+@@ -457,12 +465,16 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int
length,
switch (algorithm) {
#ifndef PK11_MD5_DISABLE
case ISCCC_ALG_HMACMD5:
diff --git a/bind-9.11-fips-tests.patch b/bind-9.11-fips-tests.patch
index f7a998d..16d3b33 100644
--- a/bind-9.11-fips-tests.patch
+++ b/bind-9.11-fips-tests.patch
@@ -1,11 +1,13 @@
-From 35b53607724ec4b5d4060385218c39ccd0d78a4d Mon Sep 17 00:00:00 2001
+From 07876a60a9c2537f536901b214349d67f6b25666 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik(a)redhat.com>
Date: Thu, 2 Aug 2018 23:46:45 +0200
-Subject: [PATCH 2/2] Squashed commit of the following:
+Subject: [PATCH] FIPS tests changes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
+Squashed commit of the following:
+
commit 09e5eb48698d4fef2fc1031870de86c553b6bfaa
Author: Petr Menk <pemensik(a)redhat.com>
Date: Wed Mar 7 20:35:13 2018 +0100
@@ -108,7 +110,7 @@ Date: Wed Mar 7 10:44:23 2018 +0100
create mode 100644 bin/tests/system/tsig/ns1/rndc5.conf.in
diff --git a/bin/tests/system/acl/ns2/named1.conf.in
b/bin/tests/system/acl/ns2/named1.conf.in
-index 0ea6502708..026db3f134 100644
+index 0ea6502..026db3f 100644
--- a/bin/tests/system/acl/ns2/named1.conf.in
+++ b/bin/tests/system/acl/ns2/named1.conf.in
@@ -33,12 +33,12 @@ options {
@@ -127,7 +129,7 @@ index 0ea6502708..026db3f134 100644
};
diff --git a/bin/tests/system/acl/ns2/named2.conf.in
b/bin/tests/system/acl/ns2/named2.conf.in
-index b877880554..d8f50be255 100644
+index b877880..d8f50be 100644
--- a/bin/tests/system/acl/ns2/named2.conf.in
+++ b/bin/tests/system/acl/ns2/named2.conf.in
@@ -33,12 +33,12 @@ options {
@@ -146,7 +148,7 @@ index b877880554..d8f50be255 100644
};
diff --git a/bin/tests/system/acl/ns2/named3.conf.in
b/bin/tests/system/acl/ns2/named3.conf.in
-index 0a950622a2..aa54088138 100644
+index 0a95062..aa54088 100644
--- a/bin/tests/system/acl/ns2/named3.conf.in
+++ b/bin/tests/system/acl/ns2/named3.conf.in
@@ -33,17 +33,17 @@ options {
@@ -171,7 +173,7 @@ index 0a950622a2..aa54088138 100644
};
diff --git a/bin/tests/system/acl/ns2/named4.conf.in
b/bin/tests/system/acl/ns2/named4.conf.in
-index 7cdcb6e341..606a3452d8 100644
+index 7cdcb6e..606a345 100644
--- a/bin/tests/system/acl/ns2/named4.conf.in
+++ b/bin/tests/system/acl/ns2/named4.conf.in
@@ -33,12 +33,12 @@ options {
@@ -190,7 +192,7 @@ index 7cdcb6e341..606a3452d8 100644
};
diff --git a/bin/tests/system/acl/ns2/named5.conf.in
b/bin/tests/system/acl/ns2/named5.conf.in
-index 4b4e05027a..0e679a821d 100644
+index 4b4e050..0e679a8 100644
--- a/bin/tests/system/acl/ns2/named5.conf.in
+++ b/bin/tests/system/acl/ns2/named5.conf.in
@@ -34,12 +34,12 @@ options {
@@ -209,7 +211,7 @@ index 4b4e05027a..0e679a821d 100644
};
diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh
-index 09f31f2bb9..f88f0d4430 100644
+index 09f31f2..f88f0d4 100644
--- a/bin/tests/system/acl/tests.sh
+++ b/bin/tests/system/acl/tests.sh
@@ -22,14 +22,14 @@ echo_i "testing basic ACL processing"
@@ -335,7 +337,7 @@ index 09f31f2bb9..f88f0d4430 100644
echo_i "testing allow-query-on ACL processing"
diff --git a/bin/tests/system/allow-query/ns2/named10.conf.in
b/bin/tests/system/allow-query/ns2/named10.conf.in
-index 1569913b37..e9c5c2d574 100644
+index 1569913..e9c5c2d 100644
--- a/bin/tests/system/allow-query/ns2/named10.conf.in
+++ b/bin/tests/system/allow-query/ns2/named10.conf.in
@@ -12,7 +12,7 @@
@@ -348,7 +350,7 @@ index 1569913b37..e9c5c2d574 100644
};
diff --git a/bin/tests/system/allow-query/ns2/named11.conf.in
b/bin/tests/system/allow-query/ns2/named11.conf.in
-index 18ac91c6e7..2b1c8739d8 100644
+index 18ac91c..2b1c873 100644
--- a/bin/tests/system/allow-query/ns2/named11.conf.in
+++ b/bin/tests/system/allow-query/ns2/named11.conf.in
@@ -12,12 +12,12 @@
@@ -367,7 +369,7 @@ index 18ac91c6e7..2b1c8739d8 100644
};
diff --git a/bin/tests/system/allow-query/ns2/named12.conf.in
b/bin/tests/system/allow-query/ns2/named12.conf.in
-index b8248444dd..dd48945bf8 100644
+index b824844..dd48945 100644
--- a/bin/tests/system/allow-query/ns2/named12.conf.in
+++ b/bin/tests/system/allow-query/ns2/named12.conf.in
@@ -12,7 +12,7 @@
@@ -380,7 +382,7 @@ index b8248444dd..dd48945bf8 100644
};
diff --git a/bin/tests/system/allow-query/ns2/named30.conf.in
b/bin/tests/system/allow-query/ns2/named30.conf.in
-index aeb1540e95..bfce58bddd 100644
+index aeb1540..bfce58b 100644
--- a/bin/tests/system/allow-query/ns2/named30.conf.in
+++ b/bin/tests/system/allow-query/ns2/named30.conf.in
@@ -12,7 +12,7 @@
@@ -393,7 +395,7 @@ index aeb1540e95..bfce58bddd 100644
};
diff --git a/bin/tests/system/allow-query/ns2/named31.conf.in
b/bin/tests/system/allow-query/ns2/named31.conf.in
-index d4b743281a..e0f52526ba 100644
+index d4b7432..e0f5252 100644
--- a/bin/tests/system/allow-query/ns2/named31.conf.in
+++ b/bin/tests/system/allow-query/ns2/named31.conf.in
@@ -12,12 +12,12 @@
@@ -412,7 +414,7 @@ index d4b743281a..e0f52526ba 100644
};
diff --git a/bin/tests/system/allow-query/ns2/named32.conf.in
b/bin/tests/system/allow-query/ns2/named32.conf.in
-index c0259387e7..87afb3fa3a 100644
+index c025938..87afb3f 100644
--- a/bin/tests/system/allow-query/ns2/named32.conf.in
+++ b/bin/tests/system/allow-query/ns2/named32.conf.in
@@ -12,7 +12,7 @@
@@ -425,7 +427,7 @@ index c0259387e7..87afb3fa3a 100644
};
diff --git a/bin/tests/system/allow-query/ns2/named40.conf.in
b/bin/tests/system/allow-query/ns2/named40.conf.in
-index d83b376cfd..d726b9480b 100644
+index d83b376..d726b94 100644
--- a/bin/tests/system/allow-query/ns2/named40.conf.in
+++ b/bin/tests/system/allow-query/ns2/named40.conf.in
@@ -16,12 +16,12 @@ acl accept { 10.53.0.2; };
@@ -444,7 +446,7 @@ index d83b376cfd..d726b9480b 100644
};
diff --git a/bin/tests/system/allow-query/tests.sh
b/bin/tests/system/allow-query/tests.sh
-index fb6059d5b8..f9601564a2 100644
+index fb6059d..f960156 100644
--- a/bin/tests/system/allow-query/tests.sh
+++ b/bin/tests/system/allow-query/tests.sh
@@ -190,7 +190,7 @@ rndc_reload
@@ -529,7 +531,7 @@ index fb6059d5b8..f9601564a2 100644
grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
diff --git a/bin/tests/system/catz/ns1/named.conf.in
b/bin/tests/system/catz/ns1/named.conf.in
-index 74b7d371b7..c35376640d 100644
+index 74b7d37..c353766 100644
--- a/bin/tests/system/catz/ns1/named.conf.in
+++ b/bin/tests/system/catz/ns1/named.conf.in
@@ -61,5 +61,5 @@ zone "catalog4.example" {
@@ -540,7 +542,7 @@ index 74b7d371b7..c35376640d 100644
+ algorithm hmac-sha256;
};
diff --git a/bin/tests/system/catz/ns2/named.conf.in
b/bin/tests/system/catz/ns2/named.conf.in
-index ee83efbee4..35ced08842 100644
+index ee83efb..35ced08 100644
--- a/bin/tests/system/catz/ns2/named.conf.in
+++ b/bin/tests/system/catz/ns2/named.conf.in
@@ -70,5 +70,5 @@ zone "catalog4.example" {
@@ -551,7 +553,7 @@ index ee83efbee4..35ced08842 100644
+ algorithm hmac-sha256;
};
diff --git a/bin/tests/system/checkconf/bad-tsig.conf
b/bin/tests/system/checkconf/bad-tsig.conf
-index 21be03e9d2..e57c30875c 100644
+index 21be03e..e57c308 100644
--- a/bin/tests/system/checkconf/bad-tsig.conf
+++ b/bin/tests/system/checkconf/bad-tsig.conf
@@ -11,7 +11,7 @@
@@ -564,7 +566,7 @@ index 21be03e9d2..e57c30875c 100644
};
diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf
-index 9ab35b38a5..486551ae64 100644
+index 9ab35b3..486551a 100644
--- a/bin/tests/system/checkconf/good.conf
+++ b/bin/tests/system/checkconf/good.conf
@@ -153,6 +153,6 @@ dyndb "name" "library.so" {
@@ -576,7 +578,7 @@ index 9ab35b38a5..486551ae64 100644
secret "qwertyuiopasdfgh";
};
diff --git a/bin/tests/system/digdelv/ns2/example.db
b/bin/tests/system/digdelv/ns2/example.db
-index f4e30f51e5..9f53e31c97 100644
+index f4e30f5..9f53e31 100644
--- a/bin/tests/system/digdelv/ns2/example.db
+++ b/bin/tests/system/digdelv/ns2/example.db
@@ -38,12 +38,15 @@ foo SSHFP 2 1 123456789abcdef67890123456789abcdef67890
@@ -602,10 +604,10 @@ index f4e30f51e5..9f53e31c97 100644
; TTL of 3 weeks
weeks 1814400 A 10.53.0.2
diff --git a/bin/tests/system/digdelv/tests.sh b/bin/tests/system/digdelv/tests.sh
-index 1b25c4ddfc..5dbf20a3e1 100644
+index 95bd074..b566ecb 100644
--- a/bin/tests/system/digdelv/tests.sh
+++ b/bin/tests/system/digdelv/tests.sh
-@@ -62,7 +62,7 @@ if [ -x ${DIG} ] ; then
+@@ -61,7 +61,7 @@ if [ -x ${DIG} ] ; then
echo_i "checking dig +multi +norrcomments works for dnskey (when default is
rrcomments)($n)"
ret=0
$DIG $DIGOPTS +tcp @10.53.0.3 +multi +norrcomments DNSKEY dnskey.example >
dig.out.test$n || ret=1
@@ -614,7 +616,7 @@ index 1b25c4ddfc..5dbf20a3e1 100644
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
-@@ -70,7 +70,7 @@ if [ -x ${DIG} ] ; then
+@@ -69,7 +69,7 @@ if [ -x ${DIG} ] ; then
echo_i "checking dig +multi +norrcomments works for soa (when default is
rrcomments)($n)"
ret=0
$DIG $DIGOPTS +tcp @10.53.0.3 +multi +norrcomments SOA example > dig.out.test$n ||
ret=1
@@ -623,7 +625,7 @@ index 1b25c4ddfc..5dbf20a3e1 100644
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
-@@ -78,7 +78,7 @@ if [ -x ${DIG} ] ; then
+@@ -77,7 +77,7 @@ if [ -x ${DIG} ] ; then
echo_i "checking dig +rrcomments works for DNSKEY($n)"
ret=0
$DIG $DIGOPTS +tcp @10.53.0.3 +rrcomments DNSKEY dnskey.example > dig.out.test$n ||
ret=1
@@ -632,7 +634,7 @@ index 1b25c4ddfc..5dbf20a3e1 100644
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
-@@ -86,7 +86,7 @@ if [ -x ${DIG} ] ; then
+@@ -85,7 +85,7 @@ if [ -x ${DIG} ] ; then
echo_i "checking dig +short +rrcomments works for DNSKEY ($n)"
ret=0
$DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example >
dig.out.test$n || ret=1
@@ -641,7 +643,7 @@ index 1b25c4ddfc..5dbf20a3e1 100644
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
-@@ -94,7 +94,7 @@ if [ -x ${DIG} ] ; then
+@@ -93,7 +93,7 @@ if [ -x ${DIG} ] ; then
echo_i "checking dig +short +nosplit works($n)"
ret=0
$DIG $DIGOPTS +tcp @10.53.0.3 +short +nosplit DNSKEY dnskey.example >
dig.out.test$n || ret=1
@@ -650,7 +652,7 @@ index 1b25c4ddfc..5dbf20a3e1 100644
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
-@@ -102,7 +102,7 @@ if [ -x ${DIG} ] ; then
+@@ -101,7 +101,7 @@ if [ -x ${DIG} ] ; then
echo_i "checking dig +short +rrcomments works($n)"
ret=0
$DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example >
dig.out.test$n || ret=1
@@ -659,7 +661,7 @@ index 1b25c4ddfc..5dbf20a3e1 100644
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
-@@ -118,7 +118,7 @@ if [ -x ${DIG} ] ; then
+@@ -117,7 +117,7 @@ if [ -x ${DIG} ] ; then
echo_i "checking dig +short +rrcomments works($n)"
ret=0
$DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example >
dig.out.test$n || ret=1
@@ -668,7 +670,7 @@ index 1b25c4ddfc..5dbf20a3e1 100644
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
-@@ -543,7 +543,7 @@ if [ -x ${DELV} ] ; then
+@@ -555,7 +555,7 @@ if [ -x ${DELV} ] ; then
echo_i "checking delv +multi +norrcomments works for dnskey (when default is
rrcomments)($n)"
ret=0
$DELV $DELVOPTS +tcp @10.53.0.3 +multi +norrcomments DNSKEY dnskey.example >
delv.out.test$n || ret=1
@@ -677,7 +679,7 @@ index 1b25c4ddfc..5dbf20a3e1 100644
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
-@@ -551,7 +551,7 @@ if [ -x ${DELV} ] ; then
+@@ -563,7 +563,7 @@ if [ -x ${DELV} ] ; then
echo_i "checking delv +multi +norrcomments works for soa (when default is
rrcomments)($n)"
ret=0
$DELV $DELVOPTS +tcp @10.53.0.3 +multi +norrcomments SOA example > delv.out.test$n
|| ret=1
@@ -686,7 +688,7 @@ index 1b25c4ddfc..5dbf20a3e1 100644
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
-@@ -559,7 +559,7 @@ if [ -x ${DELV} ] ; then
+@@ -571,7 +571,7 @@ if [ -x ${DELV} ] ; then
echo_i "checking delv +rrcomments works for DNSKEY($n)"
ret=0
$DELV $DELVOPTS +tcp @10.53.0.3 +rrcomments DNSKEY dnskey.example > delv.out.test$n
|| ret=1
@@ -695,7 +697,7 @@ index 1b25c4ddfc..5dbf20a3e1 100644
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
-@@ -567,7 +567,7 @@ if [ -x ${DELV} ] ; then
+@@ -579,7 +579,7 @@ if [ -x ${DELV} ] ; then
echo_i "checking delv +short +rrcomments works for DNSKEY ($n)"
ret=0
$DELV $DELVOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example >
delv.out.test$n || ret=1
@@ -704,7 +706,7 @@ index 1b25c4ddfc..5dbf20a3e1 100644
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
-@@ -575,7 +575,7 @@ if [ -x ${DELV} ] ; then
+@@ -587,7 +587,7 @@ if [ -x ${DELV} ] ; then
echo_i "checking delv +short +rrcomments works ($n)"
ret=0
$DELV $DELVOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example >
delv.out.test$n || ret=1
@@ -713,7 +715,7 @@ index 1b25c4ddfc..5dbf20a3e1 100644
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
-@@ -583,7 +583,7 @@ if [ -x ${DELV} ] ; then
+@@ -595,7 +595,7 @@ if [ -x ${DELV} ] ; then
echo_i "checking delv +short +nosplit works ($n)"
ret=0
$DELV $DELVOPTS +tcp @10.53.0.3 +short +nosplit DNSKEY dnskey.example >
delv.out.test$n || ret=1
@@ -722,7 +724,7 @@ index 1b25c4ddfc..5dbf20a3e1 100644
if test `wc -l < delv.out.test$n` != 1 ; then ret=1 ; fi
f=`awk '{print NF}' < delv.out.test$n`
test "${f:-0}" -eq 14 || ret=1
-@@ -594,7 +594,7 @@ if [ -x ${DELV} ] ; then
+@@ -606,7 +606,7 @@ if [ -x ${DELV} ] ; then
echo_i "checking delv +short +nosplit +norrcomments works ($n)"
ret=0
$DELV $DELVOPTS +tcp @10.53.0.3 +short +nosplit +norrcomments DNSKEY dnskey.example
> delv.out.test$n || ret=1
@@ -732,7 +734,7 @@ index 1b25c4ddfc..5dbf20a3e1 100644
f=`awk '{print NF}' < delv.out.test$n`
test "${f:-0}" -eq 4 || ret=1
diff --git a/bin/tests/system/dlv/ns1/sign.sh b/bin/tests/system/dlv/ns1/sign.sh
-index b8151620cc..2a62e583b8 100755
+index b815162..2a62e58 100755
--- a/bin/tests/system/dlv/ns1/sign.sh
+++ b/bin/tests/system/dlv/ns1/sign.sh
@@ -23,8 +23,8 @@ infile=root.db.in
@@ -747,7 +749,7 @@ index b8151620cc..2a62e583b8 100755
cat $infile $keyname1.key $keyname2.key >$zonefile
diff --git a/bin/tests/system/dlv/ns2/sign.sh b/bin/tests/system/dlv/ns2/sign.sh
-index 6f84d7a525..e128303a22 100755
+index 6f84d7a..e128303 100755
--- a/bin/tests/system/dlv/ns2/sign.sh
+++ b/bin/tests/system/dlv/ns2/sign.sh
@@ -24,8 +24,8 @@ zonefile=druz.db
@@ -762,7 +764,7 @@ index 6f84d7a525..e128303a22 100755
cat $infile $keyname1.key $keyname2.key >$zonefile
diff --git a/bin/tests/system/dlv/ns3/sign.sh b/bin/tests/system/dlv/ns3/sign.sh
-index bcc9922e26..846dbcc0df 100755
+index bcc9922..846dbcc 100755
--- a/bin/tests/system/dlv/ns3/sign.sh
+++ b/bin/tests/system/dlv/ns3/sign.sh
@@ -19,6 +19,7 @@ echo_i "dlv/ns3/sign.sh"
@@ -961,7 +963,7 @@ index bcc9922e26..846dbcc0df 100755
cat $infile $dlvsets $keyname1.key $keyname2.key >$zonefile
diff --git a/bin/tests/system/dlv/ns6/sign.sh b/bin/tests/system/dlv/ns6/sign.sh
-index 1e398625f1..4ed19acd1f 100755
+index 1e39862..4ed19ac 100755
--- a/bin/tests/system/dlv/ns6/sign.sh
+++ b/bin/tests/system/dlv/ns6/sign.sh
@@ -16,13 +16,15 @@ SYSTESTDIR=dlv
@@ -1148,7 +1150,7 @@ index 1e398625f1..4ed19acd1f 100755
cat $infile $keyname1.key $keyname2.key >$zonefile
diff --git a/bin/tests/system/dnssec/ns1/sign.sh b/bin/tests/system/dnssec/ns1/sign.sh
-index 198d60ae15..d89a539ffd 100644
+index 198d60a..d89a539 100644
--- a/bin/tests/system/dnssec/ns1/sign.sh
+++ b/bin/tests/system/dnssec/ns1/sign.sh
@@ -27,7 +27,7 @@ cp ../ns2/dsset-in-addr.arpa$TP .
@@ -1169,7 +1171,7 @@ index 198d60ae15..d89a539ffd 100644
keyid=`expr $keyid + 0`
echo "$keyid" > managed.key.id
diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh
-index 9078459ac8..9dcd028eb5 100644
+index 9078459..9dcd028 100644
--- a/bin/tests/system/dnssec/ns2/sign.sh
+++ b/bin/tests/system/dnssec/ns2/sign.sh
@@ -29,8 +29,8 @@ do
@@ -1213,7 +1215,7 @@ index 9078459ac8..9dcd028eb5 100644
cat $dlvinfile $dlvkeyname.key $dlvsetfile > $dlvzonefile
diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh
-index 330abf7feb..f95a6b7ea8 100644
+index 330abf7..f95a6b7 100644
--- a/bin/tests/system/dnssec/ns3/sign.sh
+++ b/bin/tests/system/dnssec/ns3/sign.sh
@@ -28,7 +28,7 @@ zone=bogus.example.
@@ -1300,7 +1302,7 @@ index 330abf7feb..f95a6b7ea8 100644
cat $infile $keyname.key >$zonefile
diff --git a/bin/tests/system/dnssec/ns5/trusted.conf.bad
b/bin/tests/system/dnssec/ns5/trusted.conf.bad
-index ed30460bda..e6b112630e 100644
+index ed30460..e6b1126 100644
--- a/bin/tests/system/dnssec/ns5/trusted.conf.bad
+++ b/bin/tests/system/dnssec/ns5/trusted.conf.bad
@@ -10,5 +10,5 @@
@@ -1311,7 +1313,7 @@ index ed30460bda..e6b112630e 100644
+ "." 256 3 8
"AwEAAarwAdjV4gIhpBCjXVAScRFEx3co7k8smJdxrnqoGsl5NB7EZ9jRdgvCXbJn6v8y9jlNWVHvaC8ilhfhLh0A1vLWiWv4ijd/12xcnrY7xpG7Cu3YkxUxaXJ7Jdg/Iw1+9mGgXF1v4UbCIcw/3U3cxyk7OxYg+VSb5KBAQSR0upxV";
};
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
-index bb2315fbf3..315666825e 100644
+index bb2315f..3156668 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -1690,7 +1690,7 @@ ret=0
@@ -1344,7 +1346,7 @@ index bb2315fbf3..315666825e 100644
8) size="-b 512";;
10) size="-b 1024";;
diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c
-index 9612450ab4..5eee6aa4f8 100644
+index 9612450..5eee6aa 100644
--- a/bin/tests/system/feature-test.c
+++ b/bin/tests/system/feature-test.c
@@ -19,6 +19,7 @@
@@ -1383,7 +1385,7 @@ index 9612450ab4..5eee6aa4f8 100644
#ifdef ENABLE_RPZ_NSIP
return (0);
diff --git a/bin/tests/system/filter-aaaa/ns1/sign.sh
b/bin/tests/system/filter-aaaa/ns1/sign.sh
-index f7555810a0..4a7d89004a 100755
+index f755581..4a7d890 100755
--- a/bin/tests/system/filter-aaaa/ns1/sign.sh
+++ b/bin/tests/system/filter-aaaa/ns1/sign.sh
@@ -21,8 +21,8 @@ infile=signed.db.in
@@ -1398,7 +1400,7 @@ index f7555810a0..4a7d89004a 100755
cat $infile $keyname1.key $keyname2.key >$zonefile
diff --git a/bin/tests/system/filter-aaaa/ns4/sign.sh
b/bin/tests/system/filter-aaaa/ns4/sign.sh
-index f7555810a0..4a7d89004a 100755
+index f755581..4a7d890 100755
--- a/bin/tests/system/filter-aaaa/ns4/sign.sh
+++ b/bin/tests/system/filter-aaaa/ns4/sign.sh
@@ -21,8 +21,8 @@ infile=signed.db.in
@@ -1413,7 +1415,7 @@ index f7555810a0..4a7d89004a 100755
cat $infile $keyname1.key $keyname2.key >$zonefile
diff --git a/bin/tests/system/notify/ns5/named.conf.in
b/bin/tests/system/notify/ns5/named.conf.in
-index cfcfe8fa2f..0a1614d527 100644
+index cfcfe8f..0a1614d 100644
--- a/bin/tests/system/notify/ns5/named.conf.in
+++ b/bin/tests/system/notify/ns5/named.conf.in
@@ -10,17 +10,17 @@
@@ -1438,7 +1440,7 @@ index cfcfe8fa2f..0a1614d527 100644
};
diff --git a/bin/tests/system/notify/tests.sh b/bin/tests/system/notify/tests.sh
-index ad20e3eaca..5a9ce4688a 100644
+index ad20e3e..5a9ce46 100644
--- a/bin/tests/system/notify/tests.sh
+++ b/bin/tests/system/notify/tests.sh
@@ -186,16 +186,16 @@ ret=0
@@ -1462,7 +1464,7 @@ index ad20e3eaca..5a9ce4688a 100644
grep "test string" dig.out.b.ns5.test$n > /dev/null &&
grep "test string" dig.out.c.ns5.test$n > /dev/null &&
diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in
b/bin/tests/system/nsupdate/ns1/named.conf.in
-index 1d999adc39..26b6b7c9ab 100644
+index 1d999ad..26b6b7c 100644
--- a/bin/tests/system/nsupdate/ns1/named.conf.in
+++ b/bin/tests/system/nsupdate/ns1/named.conf.in
@@ -32,7 +32,7 @@ controls {
@@ -1475,7 +1477,7 @@ index 1d999adc39..26b6b7c9ab 100644
};
diff --git a/bin/tests/system/nsupdate/ns2/named.conf.in
b/bin/tests/system/nsupdate/ns2/named.conf.in
-index b4ecf96668..1adb33eb0b 100644
+index b4ecf96..1adb33e 100644
--- a/bin/tests/system/nsupdate/ns2/named.conf.in
+++ b/bin/tests/system/nsupdate/ns2/named.conf.in
@@ -24,7 +24,7 @@ options {
@@ -1488,10 +1490,10 @@ index b4ecf96668..1adb33eb0b 100644
};
diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh
-index 32674eb382..2331b30b00 100644
+index d6647fa..715314b 100644
--- a/bin/tests/system/nsupdate/setup.sh
+++ b/bin/tests/system/nsupdate/setup.sh
-@@ -59,7 +59,12 @@ EOF
+@@ -63,7 +63,12 @@ EOF
$DDNSCONFGEN -q -r $RANDFILE -z example.nil > ns1/ddns.key
@@ -1506,10 +1508,10 @@ index 32674eb382..2331b30b00 100644
$DDNSCONFGEN -q -r $RANDFILE -a hmac-sha224 -k sha224-key -z keytests.nil >
ns1/sha224.key
$DDNSCONFGEN -q -r $RANDFILE -a hmac-sha256 -k sha256-key -z keytests.nil >
ns1/sha256.key
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
-index 2a01d1e46d..e8659587c3 100755
+index 9f26572..fd0383f 100755
--- a/bin/tests/system/nsupdate/tests.sh
+++ b/bin/tests/system/nsupdate/tests.sh
-@@ -680,7 +680,14 @@ fi
+@@ -700,7 +700,14 @@ fi
n=`expr $n + 1`
ret=0
echo_i "check TSIG key algorithms ($n)"
@@ -1525,7 +1527,7 @@ index 2a01d1e46d..e8659587c3 100755
$NSUPDATE -k ns1/${alg}.key <<END > /dev/null || ret=1
server 10.53.0.1 ${PORT}
update add ${alg}.keytests.nil. 600 A 10.10.10.3
-@@ -688,7 +695,7 @@ send
+@@ -708,7 +715,7 @@ send
END
done
sleep 2
@@ -1535,7 +1537,7 @@ index 2a01d1e46d..e8659587c3 100755
done
if [ $ret -ne 0 ]; then
diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh
-index 850c4d2744..09a3e0f9ad 100644
+index 850c4d2..09a3e0f 100644
--- a/bin/tests/system/rndc/setup.sh
+++ b/bin/tests/system/rndc/setup.sh
@@ -37,7 +37,7 @@ make_key () {
@@ -1548,7 +1550,7 @@ index 850c4d2744..09a3e0f9ad 100644
make_key 3 ${EXTRAPORT3} hmac-sha224
make_key 4 ${EXTRAPORT4} hmac-sha256
diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh
-index d364e6fea0..dbf3bc6780 100644
+index 647730e..7df752d 100644
--- a/bin/tests/system/rndc/tests.sh
+++ b/bin/tests/system/rndc/tests.sh
@@ -356,15 +356,20 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -1582,7 +1584,7 @@ index d364e6fea0..dbf3bc6780 100644
n=`expr $n + 1`
echo_i "testing rndc with hmac-sha1 ($n)"
diff --git a/bin/tests/system/tsig/clean.sh b/bin/tests/system/tsig/clean.sh
-index 576ec70f76..cb7a852189 100644
+index 576ec70..cb7a852 100644
--- a/bin/tests/system/tsig/clean.sh
+++ b/bin/tests/system/tsig/clean.sh
@@ -20,3 +20,4 @@ rm -f */named.run
@@ -1591,7 +1593,7 @@ index 576ec70f76..cb7a852189 100644
rm -f keygen.out?
+rm -f ns1/named.conf
diff --git a/bin/tests/system/tsig/ns1/named.conf.in
b/bin/tests/system/tsig/ns1/named.conf.in
-index fbf30c6dc4..f61657d7cf 100644
+index fbf30c6..f61657d 100644
--- a/bin/tests/system/tsig/ns1/named.conf.in
+++ b/bin/tests/system/tsig/ns1/named.conf.in
@@ -21,10 +21,7 @@ options {
@@ -1620,7 +1622,7 @@ index fbf30c6dc4..f61657d7cf 100644
secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
diff --git a/bin/tests/system/tsig/ns1/rndc5.conf.in
b/bin/tests/system/tsig/ns1/rndc5.conf.in
new file mode 100644
-index 0000000000..4117830adb
+index 0000000..4117830
--- /dev/null
+++ b/bin/tests/system/tsig/ns1/rndc5.conf.in
@@ -0,0 +1,11 @@
@@ -1636,7 +1638,7 @@ index 0000000000..4117830adb
+};
+
diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh
-index 656e9bbcd8..628c5bbac1 100644
+index 656e9bb..628c5bb 100644
--- a/bin/tests/system/tsig/setup.sh
+++ b/bin/tests/system/tsig/setup.sh
@@ -17,3 +17,7 @@ $SHELL clean.sh
@@ -1648,7 +1650,7 @@ index 656e9bbcd8..628c5bbac1 100644
+ cat ns1/rndc5.conf.in >> ns1/named.conf
+fi
diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh
-index f731fa604c..cade35bc1d 100644
+index f731fa6..cade35b 100644
--- a/bin/tests/system/tsig/tests.sh
+++ b/bin/tests/system/tsig/tests.sh
@@ -26,20 +26,25 @@
sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f
@@ -1740,7 +1742,7 @@ index f731fa604c..cade35bc1d 100644
echo_i "fetching using hmac-sha1-80 (BADTRUNC)"
diff --git a/bin/tests/system/tsiggss/setup.sh b/bin/tests/system/tsiggss/setup.sh
-index 5da33cfde0..fb108b02bd 100644
+index 5da33cf..fb108b0 100644
--- a/bin/tests/system/tsiggss/setup.sh
+++ b/bin/tests/system/tsiggss/setup.sh
@@ -18,5 +18,5 @@ test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
@@ -1751,7 +1753,7 @@ index 5da33cfde0..fb108b02bd 100644
+key=`$KEYGEN -Cq -K ns1 -a DSA -b 1024 -r $RANDFILE -n HOST -T KEY key.example.nil.`
cat ns1/example.nil.db.in ns1/${key}.key > ns1/example.nil.db
diff --git a/bin/tests/system/upforwd/ns1/named.conf.in
b/bin/tests/system/upforwd/ns1/named.conf.in
-index e0a30cda15..6a77b1ce52 100644
+index e0a30cd..6a77b1c 100644
--- a/bin/tests/system/upforwd/ns1/named.conf.in
+++ b/bin/tests/system/upforwd/ns1/named.conf.in
@@ -10,7 +10,7 @@
@@ -1764,7 +1766,7 @@ index e0a30cda15..6a77b1ce52 100644
};
diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh
-index b0694bbd5c..9adae8228e 100644
+index b0694bb..9adae82 100644
--- a/bin/tests/system/upforwd/tests.sh
+++ b/bin/tests/system/upforwd/tests.sh
@@ -68,7 +68,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status
+ $ret`; fi
diff --git a/bind-9.11-host-idn-disable.patch b/bind-9.11-host-idn-disable.patch
index 434c596..7d52964 100644
--- a/bind-9.11-host-idn-disable.patch
+++ b/bind-9.11-host-idn-disable.patch
@@ -1,4 +1,4 @@
-From 145fac914bf47128307aea702fed7eb74b65cadd Mon Sep 17 00:00:00 2001
+From ed26f0f0eb4242706d2012e4abe0152071bb305b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik(a)redhat.com>
Date: Tue, 25 Sep 2018 18:08:46 +0200
Subject: [PATCH] Disable IDN from environment as documented
@@ -18,7 +18,7 @@ RH patch since RHEL 5.
4 files changed, 26 insertions(+), 4 deletions(-)
diff --git a/bin/dig/dig.docbook b/bin/dig/dig.docbook
-index fedd288..d5dba72 100644
+index bd7510e..5cc696f 100644
--- a/bin/dig/dig.docbook
+++ b/bin/dig/dig.docbook
@@ -1288,7 +1288,9 @@ dig +qr
www.isc.org any -x 127.0.0.1
isc.org ns +noqr
@@ -33,28 +33,28 @@ index fedd288..d5dba72 100644
</refsection>
diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
-index 7408193..d46379d 100644
+index 341ed80..bb8702c 100644
--- a/bin/dig/dighost.c
+++ b/bin/dig/dighost.c
-@@ -822,12 +822,17 @@ make_empty_lookup(void) {
- looknew->seenbadcookie = ISC_FALSE;
- looknew->badcookie = ISC_TRUE;
+@@ -825,12 +825,17 @@ make_empty_lookup(void) {
+ looknew->seenbadcookie = false;
+ looknew->badcookie = true;
#ifdef WITH_IDN_SUPPORT
-- looknew->idnin = ISC_TRUE;
+- looknew->idnin = true;
+ looknew->idnin = (getenv("IDN_DISABLE") == NULL);
+ if (looknew->idnin) {
+ const char *charset = getenv("CHARSET");
+ if (charset && !strcmp(charset, "ASCII"))
-+ looknew->idnin = ISC_FALSE;
++ looknew->idnin = false;
+ }
#else
- looknew->idnin = ISC_FALSE;
+ looknew->idnin = false;
#endif
#ifdef WITH_IDN_OUT_SUPPORT
-- looknew->idnout = ISC_TRUE;
+- looknew->idnout = true;
+ looknew->idnout = looknew->idnin;
#else
- looknew->idnout = ISC_FALSE;
+ looknew->idnout = false;
#endif
diff --git a/bin/dig/host.docbook b/bin/dig/host.docbook
index 9c3aeaa..42cbbf9 100644
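Review bot: The `WITH_IDN_SUPPORT` branch of `make_empty_lookup` switches IDN off from the environment, but nothing in the code says which values count. `getenv("IDN_DISABLE") == NULL` means the variable disables IDN whenever it is set, even to an empty string or `0`, and the `CHARSET` test is an exact, case-sensitive `strcmp` against `ASCII`. Because `idnout` is copied from `idnin`, the same two variables also control the output side, which presumably decides whether names are shown converted or in their raw encoded form. I would add above the `getenv` line `/* IDN is disabled when IDN_DISABLE is set to any value (even empty) or CHARSET is exactly "ASCII"; idnout follows idnin. */`. The function body starts and ends outside this hunk.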
diff --git a/bind-9.11-kyua-pkcs11.patch b/bind-9.11-kyua-pkcs11.patch
index ab21828..1b83800 100644
--- a/bind-9.11-kyua-pkcs11.patch
+++ b/bind-9.11-kyua-pkcs11.patch
@@ -1,4 +1,4 @@
-From d0433a314534e104f52acf2a0a96a68dd84305ae Mon Sep 17 00:00:00 2001
+From 3474d13bbf08c441783bd72afbc8cec8857baf46 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik(a)redhat.com>
Date: Tue, 2 Jan 2018 18:13:07 +0100
Subject: [PATCH] Fix pkcs11 variants atf tests
@@ -17,10 +17,10 @@ Add pkcs11 Kyuafile, fix dh_test to pass in pkcs11 mode
7 files changed, 40 insertions(+), 16 deletions(-)
diff --git a/configure.in b/configure.in
-index 67b3aab..4767eeb 100644
+index 1edafd1..5466de1 100644
--- a/configure.in
+++ b/configure.in
-@@ -5579,6 +5579,7 @@ AC_CONFIG_FILES([
+@@ -5489,6 +5489,7 @@ AC_CONFIG_FILES([
lib/dns-pkcs11/include/Makefile
lib/dns-pkcs11/include/dns/Makefile
lib/dns-pkcs11/include/dst/Makefile
@@ -57,10 +57,10 @@ index ff9fc56..eaaf0dc 100644
include('isccfg/Kyuafile')
include('lwres/Kyuafile')
diff --git a/lib/dns-pkcs11/tests/Makefile.in b/lib/dns-pkcs11/tests/Makefile.in
-index 2a6571b..f25a784 100644
+index 625e809..6fd4e36 100644
--- a/lib/dns-pkcs11/tests/Makefile.in
+++ b/lib/dns-pkcs11/tests/Makefile.in
-@@ -20,12 +20,12 @@ VERSION=@BIND9_VERSION@
+@@ -21,12 +21,12 @@ VERSION=@BIND9_VERSION@
CINCLUDES = -I. -Iinclude ${DNS_INCLUDES} ${ISC_INCLUDES} \
@DST_OPENSSL_INC@
@@ -79,10 +79,10 @@ index 2a6571b..f25a784 100644
LIBS = @LIBS@ @ATFLIBS@
diff --git a/lib/dns-pkcs11/tests/dh_test.c b/lib/dns-pkcs11/tests/dh_test.c
-index 036d27a..eb6554f 100644
+index 6216b4e..dd74e58 100644
--- a/lib/dns-pkcs11/tests/dh_test.c
+++ b/lib/dns-pkcs11/tests/dh_test.c
-@@ -63,7 +63,8 @@ ATF_TC_BODY(isc_dh_computesecret, tc) {
+@@ -64,7 +64,8 @@ ATF_TC_BODY(isc_dh_computesecret, tc) {
ret = dst_key_computesecret(key, key, &buf);
ATF_REQUIRE_EQ(ret, DST_R_NOTPRIVATEKEY);
ret = key->func->computesecret(key, key, &buf);
@@ -93,10 +93,10 @@ index 036d27a..eb6554f 100644
dst_key_free(&key);
dns_test_end();
diff --git a/lib/isc-pkcs11/tests/Makefile.in b/lib/isc-pkcs11/tests/Makefile.in
-index f7fa538..818dae4 100644
+index add8068..a928dcf 100644
--- a/lib/isc-pkcs11/tests/Makefile.in
+++ b/lib/isc-pkcs11/tests/Makefile.in
-@@ -17,10 +17,10 @@ VERSION=@BIND9_VERSION@
+@@ -20,10 +20,10 @@ VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@
CINCLUDES = -I. -Iinclude ${ISC_INCLUDES} @ISC_OPENSSL_INC@
@@ -111,10 +111,10 @@ index f7fa538..818dae4 100644
LIBS = @LIBS@ @ATFLIBS@
diff --git a/lib/isc-pkcs11/tests/hash_test.c b/lib/isc-pkcs11/tests/hash_test.c
-index 5b8a374..c1891c2 100644
+index 7eb1552..048ae9d 100644
--- a/lib/isc-pkcs11/tests/hash_test.c
+++ b/lib/isc-pkcs11/tests/hash_test.c
-@@ -74,7 +74,7 @@ typedef struct hash_testcase {
+@@ -78,7 +78,7 @@ typedef struct hash_testcase {
typedef struct hash_test_key {
const char *key;
@@ -123,7 +123,7 @@ index 5b8a374..c1891c2 100644
} hash_test_key_t;
/* non-hmac tests */
-@@ -957,8 +957,11 @@ ATF_TC_BODY(isc_hmacsha1, tc) {
+@@ -961,8 +961,11 @@ ATF_TC_BODY(isc_hmacsha1, tc) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
@@ -134,9 +134,9 @@ index 5b8a374..c1891c2 100644
- isc_hmacsha1_init(&hmacsha1, buffer, test_key->len);
+ isc_hmacsha1_init(&hmacsha1, buffer, len);
isc_hmacsha1_update(&hmacsha1,
- (const isc_uint8_t *) testcase->input,
+ (const uint8_t *) testcase->input,
testcase->input_len);
-@@ -1120,8 +1123,11 @@ ATF_TC_BODY(isc_hmacsha224, tc) {
+@@ -1124,8 +1127,11 @@ ATF_TC_BODY(isc_hmacsha224, tc) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
@@ -147,9 +147,9 @@ index 5b8a374..c1891c2 100644
- isc_hmacsha224_init(&hmacsha224, buffer, test_key->len);
+ isc_hmacsha224_init(&hmacsha224, buffer, len);
isc_hmacsha224_update(&hmacsha224,
- (const isc_uint8_t *) testcase->input,
+ (const uint8_t *) testcase->input,
testcase->input_len);
-@@ -1283,8 +1289,11 @@ ATF_TC_BODY(isc_hmacsha256, tc) {
+@@ -1287,8 +1293,11 @@ ATF_TC_BODY(isc_hmacsha256, tc) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
@@ -160,9 +160,9 @@ index 5b8a374..c1891c2 100644
- isc_hmacsha256_init(&hmacsha256, buffer, test_key->len);
+ isc_hmacsha256_init(&hmacsha256, buffer, len);
isc_hmacsha256_update(&hmacsha256,
- (const isc_uint8_t *) testcase->input,
+ (const uint8_t *) testcase->input,
testcase->input_len);
-@@ -1452,8 +1461,11 @@ ATF_TC_BODY(isc_hmacsha384, tc) {
+@@ -1456,8 +1465,11 @@ ATF_TC_BODY(isc_hmacsha384, tc) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
@@ -173,9 +173,9 @@ index 5b8a374..c1891c2 100644
- isc_hmacsha384_init(&hmacsha384, buffer, test_key->len);
+ isc_hmacsha384_init(&hmacsha384, buffer, len);
isc_hmacsha384_update(&hmacsha384,
- (const isc_uint8_t *) testcase->input,
+ (const uint8_t *) testcase->input,
testcase->input_len);
-@@ -1621,8 +1633,11 @@ ATF_TC_BODY(isc_hmacsha512, tc) {
+@@ -1625,8 +1637,11 @@ ATF_TC_BODY(isc_hmacsha512, tc) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
@@ -186,9 +186,9 @@ index 5b8a374..c1891c2 100644
- isc_hmacsha512_init(&hmacsha512, buffer, test_key->len);
+ isc_hmacsha512_init(&hmacsha512, buffer, len);
isc_hmacsha512_update(&hmacsha512,
- (const isc_uint8_t *) testcase->input,
+ (const uint8_t *) testcase->input,
testcase->input_len);
-@@ -1765,8 +1780,11 @@ ATF_TC_BODY(isc_hmacmd5, tc) {
+@@ -1769,8 +1784,11 @@ ATF_TC_BODY(isc_hmacmd5, tc) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
@@ -199,8 +199,8 @@ index 5b8a374..c1891c2 100644
- isc_hmacmd5_init(&hmacmd5, buffer, test_key->len);
+ isc_hmacmd5_init(&hmacmd5, buffer, len);
isc_hmacmd5_update(&hmacmd5,
- (const isc_uint8_t *) testcase->input,
+ (const uint8_t *) testcase->input,
testcase->input_len);
--
-2.14.3
+2.14.4
diff --git a/bind-9.11-oot-manual.patch b/bind-9.11-oot-manual.patch
index b090b9f..84e9d25 100644
--- a/bind-9.11-oot-manual.patch
+++ b/bind-9.11-oot-manual.patch
@@ -1,4 +1,4 @@
-From e462d022a9dc52c40aece6f8ba3123ff3ffa59ed Mon Sep 17 00:00:00 2001
+From 8ca95f47231822df2b9c171a4da1e93ca5b748eb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik(a)redhat.com>
Date: Wed, 25 Jul 2018 12:24:16 +0200
Subject: [PATCH] Use make automatic variables to install updated manuals
@@ -19,7 +19,7 @@ Install all files in single command instead of iterating on each of
them.
9 files changed, 54 insertions(+), 38 deletions(-)
diff --git a/bin/check/Makefile.in b/bin/check/Makefile.in
-index 12f48d2d23..d8eac4c714 100644
+index c124e80..1174f8d 100644
--- a/bin/check/Makefile.in
+++ b/bin/check/Makefile.in
@@ -83,12 +83,14 @@ installdirs:
@@ -35,13 +35,13 @@ index 12f48d2d23..d8eac4c714 100644
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkconf@EXEEXT@
${DESTDIR}${sbindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkzone@EXEEXT@
${DESTDIR}${sbindir}
(cd ${DESTDIR}${sbindir}; rm -f named-compilezone@EXEEXT@; ${LINK_PROGRAM}
named-checkzone@EXEEXT@ named-compilezone@EXEEXT@)
-- for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8; done
+- for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8 || exit
1; done
- (cd ${DESTDIR}${mandir}/man8; rm -f named-compilezone.8; ${LINK_PROGRAM}
named-checkzone.8 named-compilezone.8)
uninstall::
rm -f ${DESTDIR}${mandir}/man8/named-compilezone.8
diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in
-index 87f13dda4b..7865c0c73e 100644
+index 87f13dd..7865c0c 100644
--- a/bin/confgen/Makefile.in
+++ b/bin/confgen/Makefile.in
@@ -95,13 +95,14 @@ installdirs:
@@ -64,7 +64,7 @@ index 87f13dda4b..7865c0c73e 100644
uninstall::
rm -f ${DESTDIR}${mandir}/man8/tsig-keygen.8
diff --git a/bin/delv/Makefile.in b/bin/delv/Makefile.in
-index e2d2802262..19361a83ea 100644
+index e2d2802..19361a8 100644
--- a/bin/delv/Makefile.in
+++ b/bin/delv/Makefile.in
@@ -63,10 +63,12 @@ installdirs:
@@ -83,7 +83,7 @@ index e2d2802262..19361a83ea 100644
uninstall::
rm -f ${DESTDIR}${mandir}/man1/delv.1
diff --git a/bin/dig/Makefile.in b/bin/dig/Makefile.in
-index 773ac46395..3edd951e7e 100644
+index a9830a9..d7ac0b6 100644
--- a/bin/dig/Makefile.in
+++ b/bin/dig/Makefile.in
@@ -91,16 +91,16 @@ installdirs:
@@ -102,13 +102,13 @@ index 773ac46395..3edd951e7e 100644
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \
nslookup@EXEEXT@ ${DESTDIR}${bindir}
- for m in ${MANPAGES}; do \
-- ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man1; \
-- done
+- ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man1 || exit 1; \
+- done
uninstall::
for m in ${MANPAGES}; do \
diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in
-index 1be1d5ffc6..1d0c4ce5c1 100644
+index 2239ad1..ce0a177 100644
--- a/bin/dnssec/Makefile.in
+++ b/bin/dnssec/Makefile.in
@@ -110,9 +110,11 @@ installdirs:
@@ -120,16 +120,16 @@ index 1be1d5ffc6..1d0c4ce5c1 100644
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8
+
+install:: ${TARGETS} installdirs install-man8
- for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t
${DESTDIR}${sbindir}; done
-- for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8; done
+ for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t
${DESTDIR}${sbindir} || exit 1; done
+- for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8 || exit
1; done
uninstall::
- for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m ; done
+ for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m || exit 1; done
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
-index 1c413973d0..03e4cb849b 100644
+index e1f85a9..d92bc9a 100644
--- a/bin/named/Makefile.in
+++ b/bin/named/Makefile.in
-@@ -172,12 +172,17 @@ installdirs:
+@@ -176,12 +176,17 @@ installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man5
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
@@ -152,7 +152,7 @@ index 1c413973d0..03e4cb849b 100644
uninstall::
rm -f ${DESTDIR}${mandir}/man5/named.conf.5
diff --git a/bin/pkcs11/Makefile.in b/bin/pkcs11/Makefile.in
-index ae9061626c..a058c91214 100644
+index ae90616..a058c91 100644
--- a/bin/pkcs11/Makefile.in
+++ b/bin/pkcs11/Makefile.in
@@ -71,7 +71,10 @@ installdirs:
@@ -179,7 +179,7 @@ index ae9061626c..a058c91214 100644
uninstall::
rm -f ${DESTDIR}${mandir}/man8/pkcs11-tokens.8
diff --git a/bin/python/Makefile.in b/bin/python/Makefile.in
-index aa678d47ab..064c404e2f 100644
+index aa678d4..064c404 100644
--- a/bin/python/Makefile.in
+++ b/bin/python/Makefile.in
@@ -47,13 +47,13 @@ installdirs:
@@ -201,7 +201,7 @@ index aa678d47ab..064c404e2f 100644
if test -n "${DESTDIR}" ; then \
${PYTHON} ${srcdir}/setup.py install --root=${DESTDIR} --prefix=${prefix}
@PYTHON_INSTALL_LIB@ ; \
diff --git a/bin/tools/Makefile.in b/bin/tools/Makefile.in
-index 7bf2af4cea..c395bc7462 100644
+index 7bf2af4..c395bc7 100644
--- a/bin/tools/Makefile.in
+++ b/bin/tools/Makefile.in
@@ -119,17 +119,27 @@ installdirs:
diff --git a/bind-9.11-rh1624100.patch b/bind-9.11-rh1624100.patch
index 954661c..b17a6ca 100644
--- a/bind-9.11-rh1624100.patch
+++ b/bind-9.11-rh1624100.patch
@@ -1,4 +1,4 @@
-From 25ff8ab2b0772262d358272a3ed70a24fc6e4887 Mon Sep 17 00:00:00 2001
+From 4fc49ad102fd00343665273caf4349d4edb5e5ac Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej(a)sury.org>
Date: Wed, 25 Apr 2018 14:04:31 +0200
Subject: [PATCH] Replace isc_safe routines with their OpenSSL counter parts
@@ -17,17 +17,17 @@ Fix the isc_safe_memwipe() usage with (NULL, >0)
lib/dns/nsec3.c | 4 +--
lib/dns/spnego.c | 4 +--
lib/isc/Makefile.in | 8 ++---
- lib/isc/include/isc/safe.h | 18 ++++------
- lib/isc/safe.c | 81 --------------------------------------------
+ lib/isc/include/isc/safe.h | 18 +++-------
+ lib/isc/safe.c | 83 --------------------------------------------
lib/isc/tests/safe_test.c | 20 -----------
- 7 files changed, 13 insertions(+), 124 deletions(-)
+ 7 files changed, 11 insertions(+), 128 deletions(-)
delete mode 100644 lib/isc/safe.c
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
-index 53be1f5c60..351296a356 100644
+index 6ddaebe..d921870 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
-@@ -786,7 +786,7 @@ hashlist_add_dns_name(hashlist_t *l, /*const*/ dns_name_t *name,
+@@ -787,7 +787,7 @@ hashlist_add_dns_name(hashlist_t *l, /*const*/ dns_name_t *name,
static int
hashlist_comp(const void *a, const void *b) {
@@ -37,10 +37,10 @@ index 53be1f5c60..351296a356 100644
static void
diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c
-index d364308aaf..37b6a8a7fe 100644
+index e127893..895519e 100644
--- a/lib/dns/nsec3.c
+++ b/lib/dns/nsec3.c
-@@ -1950,7 +1950,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name,
+@@ -1953,7 +1953,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name,
* Work out what this NSEC3 covers.
* Inside (<0) or outside (>=0).
*/
@@ -49,7 +49,7 @@ index d364308aaf..37b6a8a7fe 100644
/*
* Prepare to compute all the hashes.
-@@ -1974,7 +1974,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name,
+@@ -1977,7 +1977,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name,
return (ISC_R_IGNORE);
}
@@ -59,10 +59,10 @@ index d364308aaf..37b6a8a7fe 100644
/*
* The hashes are the same.
diff --git a/lib/dns/spnego.c b/lib/dns/spnego.c
-index ce3e42d650..079d4c1b4a 100644
+index ad77f24..670982a 100644
--- a/lib/dns/spnego.c
+++ b/lib/dns/spnego.c
-@@ -369,7 +369,7 @@ gssapi_spnego_decapsulate(OM_uint32 *,
+@@ -371,7 +371,7 @@ gssapi_spnego_decapsulate(OM_uint32 *,
/* mod_auth_kerb.c */
@@ -71,7 +71,7 @@ index ce3e42d650..079d4c1b4a 100644
cmp_gss_type(gss_buffer_t token, gss_OID gssoid)
{
unsigned char *p;
-@@ -393,7 +393,7 @@ cmp_gss_type(gss_buffer_t token, gss_OID gssoid)
+@@ -395,7 +395,7 @@ cmp_gss_type(gss_buffer_t token, gss_OID gssoid)
if (((OM_uint32) *p++) != gssoid->length)
return (GSS_S_DEFECTIVE_TOKEN);
@@ -81,7 +81,7 @@ index ce3e42d650..079d4c1b4a 100644
/* accept_sec_context.c */
diff --git a/lib/isc/Makefile.in b/lib/isc/Makefile.in
-index ba53ef1091..98acffffc9 100644
+index ba53ef1..98acfff 100644
--- a/lib/isc/Makefile.in
+++ b/lib/isc/Makefile.in
@@ -60,7 +60,7 @@ OBJS = @ISC_EXTRA_OBJS@ @ISC_PK11_O@ @ISC_PK11_RESULT_O@ \
@@ -114,28 +114,28 @@ index ba53ef1091..98acffffc9 100644
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-DVERSION=\"${VERSION}\" \
diff --git a/lib/isc/include/isc/safe.h b/lib/isc/include/isc/safe.h
-index f29f00bac6..b8a0b2290c 100644
+index 66ed08b..88b8f47 100644
--- a/lib/isc/include/isc/safe.h
+++ b/lib/isc/include/isc/safe.h
-@@ -15,27 +15,21 @@
+@@ -15,29 +15,19 @@
/*! \file isc/safe.h */
+-#include <stdbool.h>
+-
-#include <isc/types.h>
-#include <stdlib.h>
-+#include <isc/boolean.h>
+#include <isc/lang.h>
-+
+#include <openssl/crypto.h>
ISC_LANG_BEGINDECLS
--isc_boolean_t
+-bool
-isc_safe_memequal(const void *s1, const void *s2, size_t n);
-+#define isc_safe_memequal(s1, s2, n) ISC_TF(!CRYPTO_memcmp(s1, s2, n))
++#define isc_safe_memequal(s1, s2, n) !CRYPTO_memcmp(s1, s2, n)
/*%<
- * Returns ISC_TRUE iff. two blocks of memory are equal, otherwise
- * ISC_FALSE.
+ * Returns true iff. two blocks of memory are equal, otherwise
+ * false.
*
*/
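Review bot: The new-side macro `#define isc_safe_memequal(s1, s2, n) !CRYPTO_memcmp(s1, s2, n)` drops the `ISC_TF(...)` wrapper and leaves both the expansion and its arguments unparenthesized, so its meaning depends on the expression a caller embeds it in. I would write it as `#define isc_safe_memequal(s1, s2, n) (!CRYPTO_memcmp((s1), (s2), (n)))`, which keeps the 0/1 result and still evaluates each argument once. As far as this hunk shows, `<openssl/crypto.h>` is now included with no guard, so every user of `isc/safe.h` needs the OpenSSL headers; whether the native PKCS#11 configuration still compiles without OpenSSL is worth confirming. A short comment above the macro, such as `/* constant-time comparison is delegated to OpenSSL's CRYPTO_memcmp() */`, would record why the hand-written loop in `lib/isc/safe.c` could be deleted.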
@@ -153,10 +153,10 @@ index f29f00bac6..b8a0b2290c 100644
*
diff --git a/lib/isc/safe.c b/lib/isc/safe.c
deleted file mode 100644
-index 5c9e1e2d13..0000000000
+index 7a464b6..0000000
--- a/lib/isc/safe.c
+++ /dev/null
-@@ -1,81 +0,0 @@
+@@ -1,83 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
@@ -172,6 +172,8 @@ index 5c9e1e2d13..0000000000
-
-#include <config.h>
-
+-#include <stdbool.h>
+-
-#include <isc/safe.h>
-#include <isc/string.h>
-#include <isc/util.h>
@@ -184,18 +186,18 @@ index 5c9e1e2d13..0000000000
-#pragma optimize("", off)
-#endif
-
--isc_boolean_t
+-bool
-isc_safe_memequal(const void *s1, const void *s2, size_t n) {
-- isc_uint8_t acc = 0;
+- uint8_t acc = 0;
-
- if (n != 0U) {
-- const isc_uint8_t *p1 = s1, *p2 = s2;
+- const uint8_t *p1 = s1, *p2 = s2;
-
- do {
- acc |= *p1++ ^ *p2++;
- } while (--n != 0U);
- }
-- return (ISC_TF(acc == 0));
+- return (acc == 0);
-}
-
-
@@ -239,7 +241,7 @@ index 5c9e1e2d13..0000000000
-#endif
-}
diff --git a/lib/isc/tests/safe_test.c b/lib/isc/tests/safe_test.c
-index f721cd1096..ea3e61f98d 100644
+index f721cd1..ea3e61f 100644
--- a/lib/isc/tests/safe_test.c
+++ b/lib/isc/tests/safe_test.c
@@ -39,24 +39,6 @@ ATF_TC_BODY(isc_safe_memequal, tc) {
diff --git a/bind-9.11-rt31459.patch b/bind-9.11-rt31459.patch
index 6208ef2..06847bf 100644
--- a/bind-9.11-rt31459.patch
+++ b/bind-9.11-rt31459.patch
@@ -1,4 +1,4 @@
-From ae9c9ef5a5ba06cf57b5a87b5f2bbc71649ba41b Mon Sep 17 00:00:00 2001
+From 45209f5153693339c4582795714b6859693673fc Mon Sep 17 00:00:00 2001
From: Evan Hunt <each(a)isc.org>
Date: Tue, 12 Sep 2017 19:05:46 -0700
Subject: [PATCH] rebased rt31459c
@@ -24,7 +24,7 @@ Include new unit test
bin/named/server.c | 6 +
bin/nsupdate/nsupdate.c | 18 ++-
bin/tests/makejournal.c | 6 +-
- bin/tests/system/pipelined/pipequeries.c | 20 ++-
+ bin/tests/system/pipelined/pipequeries.c | 21 ++-
bin/tests/system/pipelined/tests.sh | 4 +-
bin/tests/system/rsabigexponent/bigkey.c | 4 +
bin/tests/system/tkey/keycreate.c | 26 +++-
@@ -35,14 +35,14 @@ Include new unit test
configure.in | 77 +++++++++-
lib/dns/dst_api.c | 21 ++-
lib/dns/include/dst/dst.h | 8 +
- lib/dns/lib.c | 17 ++-
+ lib/dns/lib.c | 15 +-
lib/dns/openssl_link.c | 72 ++++++++-
lib/dns/pkcs11.c | 29 +++-
lib/dns/tests/Atffile | 1 +
lib/dns/tests/Kyuafile | 1 +
lib/dns/tests/Makefile.in | 7 +
lib/dns/tests/dnstest.c | 14 +-
- lib/dns/tests/dstrandom_test.c | 105 +++++++++++++
+ lib/dns/tests/dstrandom_test.c | 99 ++++++++++++
lib/dns/win32/libdns.def.in | 7 +
lib/isc/entropy.c | 24 +++
lib/isc/include/isc/entropy.h | 12 ++
@@ -51,11 +51,11 @@ Include new unit test
lib/isc/pk11.c | 12 +-
lib/isc/win32/include/isc/platform.h.in | 5 +
win32utils/Configure | 29 +++-
- 38 files changed, 704 insertions(+), 184 deletions(-)
+ 38 files changed, 699 insertions(+), 182 deletions(-)
create mode 100644 lib/dns/tests/dstrandom_test.c
diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c
-index 11cc54d..fa439cc 100644
+index 5015abb..295e16f 100644
--- a/bin/confgen/keygen.c
+++ b/bin/confgen/keygen.c
@@ -165,6 +165,13 @@ generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t
alg,
@@ -66,17 +66,17 @@ index 11cc54d..fa439cc 100644
+ if (randomfile != NULL &&
+ strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
+ randomfile = NULL;
-+ isc_entropy_usehook(ectx, ISC_TRUE);
++ isc_entropy_usehook(ectx, true);
+ }
+#endif
DO("start entropy source", isc_entropy_usebestsource(ectx,
&entropy_source,
randomfile,
diff --git a/bin/dnssec/dnssec-dsfromkey.c b/bin/dnssec/dnssec-dsfromkey.c
-index 94a982c..897c497 100644
+index 65fdaaa..6612189 100644
--- a/bin/dnssec/dnssec-dsfromkey.c
+++ b/bin/dnssec/dnssec-dsfromkey.c
-@@ -495,14 +495,14 @@ main(int argc, char **argv) {
+@@ -497,14 +497,14 @@ main(int argc, char **argv) {
if (ectx == NULL)
setup_entropy(mctx, NULL, &ectx);
@@ -94,7 +94,7 @@ index 94a982c..897c497 100644
isc_entropy_stopcallbacksources(ectx);
setup_logging(mctx, &log);
-@@ -564,8 +564,8 @@ main(int argc, char **argv) {
+@@ -566,8 +566,8 @@ main(int argc, char **argv) {
if (dns_rdataset_isassociated(&rdataset))
dns_rdataset_disassociate(&rdataset);
cleanup_logging(&log);
@@ -105,10 +105,10 @@ index 94a982c..897c497 100644
dns_name_destroy();
if (verbose > 10)
diff --git a/bin/dnssec/dnssec-importkey.c b/bin/dnssec/dnssec-importkey.c
-index 2edf614..840316c 100644
+index 0d1e7f8..79c4d74 100644
--- a/bin/dnssec/dnssec-importkey.c
+++ b/bin/dnssec/dnssec-importkey.c
-@@ -406,14 +406,14 @@ main(int argc, char **argv) {
+@@ -407,14 +407,14 @@ main(int argc, char **argv) {
if (ectx == NULL)
setup_entropy(mctx, NULL, &ectx);
@@ -126,7 +126,7 @@ index 2edf614..840316c 100644
isc_entropy_stopcallbacksources(ectx);
setup_logging(mctx, &log);
-@@ -457,8 +457,8 @@ main(int argc, char **argv) {
+@@ -458,8 +458,8 @@ main(int argc, char **argv) {
if (dns_rdataset_isassociated(&rdataset))
dns_rdataset_disassociate(&rdataset);
cleanup_logging(&log);
@@ -137,10 +137,10 @@ index 2edf614..840316c 100644
dns_name_destroy();
if (verbose > 10)
diff --git a/bin/dnssec/dnssec-revoke.c b/bin/dnssec/dnssec-revoke.c
-index 10fad0b..0b68e99 100644
+index 1a2b545..e33cb8b 100644
--- a/bin/dnssec/dnssec-revoke.c
+++ b/bin/dnssec/dnssec-revoke.c
-@@ -182,14 +182,14 @@ main(int argc, char **argv) {
+@@ -184,14 +184,14 @@ main(int argc, char **argv) {
if (ectx == NULL)
setup_entropy(mctx, NULL, &ectx);
@@ -158,7 +158,7 @@ index 10fad0b..0b68e99 100644
isc_entropy_stopcallbacksources(ectx);
result = dst_key_fromnamedfile(filename, dir,
-@@ -271,8 +271,8 @@ main(int argc, char **argv) {
+@@ -273,8 +273,8 @@ main(int argc, char **argv) {
cleanup:
dst_key_free(&key);
@@ -169,10 +169,10 @@ index 10fad0b..0b68e99 100644
if (verbose > 10)
isc_mem_stats(mctx, stdout);
diff --git a/bin/dnssec/dnssec-settime.c b/bin/dnssec/dnssec-settime.c
-index 360cdb9..b7bf171 100644
+index f355903..6a2ca59 100644
--- a/bin/dnssec/dnssec-settime.c
+++ b/bin/dnssec/dnssec-settime.c
-@@ -380,14 +380,14 @@ main(int argc, char **argv) {
+@@ -382,14 +382,14 @@ main(int argc, char **argv) {
if (ectx == NULL)
setup_entropy(mctx, NULL, &ectx);
@@ -190,7 +190,7 @@ index 360cdb9..b7bf171 100644
isc_entropy_stopcallbacksources(ectx);
if (predecessor != NULL) {
-@@ -672,8 +672,8 @@ main(int argc, char **argv) {
+@@ -674,8 +674,8 @@ main(int argc, char **argv) {
if (prevkey != NULL)
dst_key_free(&prevkey);
dst_key_free(&key);
@@ -201,10 +201,10 @@ index 360cdb9..b7bf171 100644
if (verbose > 10)
isc_mem_stats(mctx, stdout);
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
-index 1bea357..53be1f5 100644
+index c6a0313..6ddaebe 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
-@@ -3459,14 +3459,15 @@ main(int argc, char *argv[]) {
+@@ -3460,14 +3460,15 @@ main(int argc, char *argv[]) {
if (!pseudorandom)
eflags |= ISC_ENTROPY_GOODONLY;
@@ -224,7 +224,7 @@ index 1bea357..53be1f5 100644
isc_stdtime_get(&now);
if (startstr != NULL) {
-@@ -3878,8 +3879,8 @@ main(int argc, char *argv[]) {
+@@ -3879,8 +3880,8 @@ main(int argc, char *argv[]) {
dns_master_styledestroy(&dsstyle, mctx);
cleanup_logging(&log);
@@ -235,10 +235,10 @@ index 1bea357..53be1f5 100644
dns_name_destroy();
if (verbose > 10)
diff --git a/bin/dnssec/dnssec-verify.c b/bin/dnssec/dnssec-verify.c
-index 792510a..dc32765 100644
+index 4c293bf..3263cbc 100644
--- a/bin/dnssec/dnssec-verify.c
+++ b/bin/dnssec/dnssec-verify.c
-@@ -280,15 +280,15 @@ main(int argc, char *argv[]) {
+@@ -281,15 +281,15 @@ main(int argc, char *argv[]) {
if (ectx == NULL)
setup_entropy(mctx, NULL, &ectx);
@@ -259,10 +259,10 @@ index 792510a..dc32765 100644
rdclass = strtoclass(classname);
diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c
-index dc32c90..4ea9eaf 100644
+index fbc7ece..31a99e7 100644
--- a/bin/dnssec/dnssectool.c
+++ b/bin/dnssec/dnssectool.c
-@@ -32,6 +32,7 @@
+@@ -34,6 +34,7 @@
#include <isc/heap.h>
#include <isc/list.h>
#include <isc/mem.h>
@@ -270,7 +270,7 @@ index dc32c90..4ea9eaf 100644
#include <isc/print.h>
#include <isc/string.h>
#include <isc/time.h>
-@@ -233,7 +234,8 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t
**ectx) {
+@@ -235,7 +236,8 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t
**ectx) {
if (*ectx == NULL) {
result = isc_entropy_create(mctx, ectx);
if (result != ISC_R_SUCCESS)
@@ -280,7 +280,7 @@ index dc32c90..4ea9eaf 100644
ISC_LIST_INIT(sources);
}
-@@ -242,6 +244,13 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t
**ectx) {
+@@ -244,6 +246,13 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t
**ectx) {
randomfile = NULL;
}
@@ -288,17 +288,17 @@ index dc32c90..4ea9eaf 100644
+ if (randomfile != NULL &&
+ strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
+ randomfile = NULL;
-+ isc_entropy_usehook(*ectx, ISC_TRUE);
++ isc_entropy_usehook(*ectx, true);
+ }
+#endif
result = isc_entropy_usebestsource(*ectx, &source, randomfile,
usekeyboard);
diff --git a/bin/named/server.c b/bin/named/server.c
-index 59a8998..ee5186c 100644
+index 7f87ccf..9258e7f 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
-@@ -34,6 +34,7 @@
+@@ -36,6 +36,7 @@
#include <isc/lex.h>
#include <isc/meminfo.h>
#include <isc/parseint.h>
@@ -306,18 +306,18 @@ index 59a8998..ee5186c 100644
#include <isc/portset.h>
#include <isc/print.h>
#include <isc/random.h>
-@@ -8083,6 +8084,10 @@ load_configuration(const char *filename, ns_server_t *server,
+@@ -8171,6 +8172,10 @@ load_configuration(const char *filename, ns_server_t *server,
"no source of entropy found");
} else {
const char *randomdev = cfg_obj_asstring(obj);
+#ifdef ISC_PLATFORM_CRYPTORANDOM
+ if (strcmp(randomdev, ISC_PLATFORM_CRYPTORANDOM) == 0)
-+ isc_entropy_usehook(ns_g_entropy, ISC_TRUE);
++ isc_entropy_usehook(ns_g_entropy, true);
+#else
int level = ISC_LOG_ERROR;
result = isc_entropy_createfilesource(ns_g_entropy,
randomdev);
-@@ -8117,6 +8122,7 @@ load_configuration(const char *filename, ns_server_t *server,
+@@ -8205,6 +8210,7 @@ load_configuration(const char *filename, ns_server_t *server,
}
isc_entropy_detach(&ns_g_fallbackentropy);
}
@@ -326,10 +326,10 @@ index 59a8998..ee5186c 100644
}
}
diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
-index bb5d500..46c7acf 100644
+index 5eefc57..1559a33 100644
--- a/bin/nsupdate/nsupdate.c
+++ b/bin/nsupdate/nsupdate.c
-@@ -33,6 +33,7 @@
+@@ -35,6 +35,7 @@
#include <isc/mem.h>
#include <isc/parseint.h>
#include <isc/print.h>
@@ -337,7 +337,7 @@ index bb5d500..46c7acf 100644
#include <isc/random.h>
#include <isc/region.h>
#include <isc/sockaddr.h>
-@@ -269,7 +270,8 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t
**ectx) {
+@@ -271,7 +272,8 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t
**ectx) {
if (*ectx == NULL) {
result = isc_entropy_create(mctx, ectx);
if (result != ISC_R_SUCCESS)
@@ -347,7 +347,7 @@ index bb5d500..46c7acf 100644
ISC_LIST_INIT(sources);
}
-@@ -278,6 +280,13 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t
**ectx) {
+@@ -280,6 +282,13 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t
**ectx) {
randomfile = NULL;
}
@@ -355,13 +355,13 @@ index bb5d500..46c7acf 100644
+ if (randomfile != NULL &&
+ strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
+ randomfile = NULL;
-+ isc_entropy_usehook(*ectx, ISC_TRUE);
++ isc_entropy_usehook(*ectx, true);
+ }
+#endif
result = isc_entropy_usebestsource(*ectx, &source, randomfile,
usekeyboard);
-@@ -948,11 +957,11 @@ setup_system(void) {
+@@ -950,11 +959,11 @@ setup_system(void) {
}
}
@@ -375,9 +375,9 @@ index bb5d500..46c7acf 100644
result = dns_dispatchmgr_create(gmctx, entropy, &dispatchmgr);
check_result(result, "dns_dispatchmgr_create");
-@@ -976,6 +985,9 @@ setup_system(void) {
+@@ -978,6 +987,9 @@ setup_system(void) {
check_result(result, "dst_lib_init");
- is_dst_up = ISC_TRUE;
+ is_dst_up = true;
+ /* moved after dst_lib_init() */
+ isc_hash_init();
@@ -386,30 +386,30 @@ index bb5d500..46c7acf 100644
attrmask |= DNS_DISPATCHATTR_IPV4 | DNS_DISPATCHATTR_IPV6;
diff --git a/bin/tests/makejournal.c b/bin/tests/makejournal.c
-index fed59be..9f125da 100644
+index 61a41b0..acc71a1 100644
--- a/bin/tests/makejournal.c
+++ b/bin/tests/makejournal.c
-@@ -100,12 +100,12 @@ main(int argc, char **argv) {
+@@ -102,12 +102,12 @@ main(int argc, char **argv) {
CHECK(isc_mem_create(0, 0, &mctx));
CHECK(isc_entropy_create(mctx, &ectx));
- CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE));
-- hash_active = ISC_TRUE;
+- hash_active = true;
-
CHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_BLOCKING));
- dst_active = ISC_TRUE;
+ dst_active = true;
+ CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE));
-+ hash_active = ISC_TRUE;
++ hash_active = true;
+
CHECK(isc_log_create(mctx, &lctx, &logconfig));
isc_log_registercategories(lctx, categories);
isc_log_setcontext(lctx);
diff --git a/bin/tests/system/pipelined/pipequeries.c
b/bin/tests/system/pipelined/pipequeries.c
-index 379b6a3..810d99e 100644
+index 2fcc064..7b4f617 100644
--- a/bin/tests/system/pipelined/pipequeries.c
+++ b/bin/tests/system/pipelined/pipequeries.c
-@@ -202,6 +202,7 @@ sendqueries(isc_task_t *task, isc_event_t *event) {
+@@ -204,6 +204,7 @@ sendqueries(isc_task_t *task, isc_event_t *event) {
int
main(int argc, char *argv[]) {
@@ -417,16 +417,17 @@ index 379b6a3..810d99e 100644
isc_sockaddr_t bind_any;
struct in_addr inaddr;
isc_result_t result;
-@@ -222,7 +223,7 @@ main(int argc, char *argv[]) {
+@@ -224,7 +225,8 @@ main(int argc, char *argv[]) {
UNUSED(argv);
- isc_commandline_errprint = ISC_FALSE;
+ isc_commandline_errprint = false;
- while ((c = isc_commandline_parse(argc, argv, "p:")) != -1) {
-+ while ((c = isc_commandline_parse(argc, argv, "p:r:")) != -1) {
++ while ((c = isc_commandline_parse(argc, argv, "p:r:")) != -1)
++ {
switch (c) {
case 'p':
result = isc_parse_uint16(&port,
-@@ -233,6 +234,9 @@ main(int argc, char *argv[]) {
+@@ -235,6 +237,9 @@ main(int argc, char *argv[]) {
exit(1);
}
break;
@@ -436,7 +437,7 @@ index 379b6a3..810d99e 100644
case '?':
fprintf(stderr, "%s: invalid argument '%c'",
argv[0], c);
-@@ -274,10 +278,18 @@ main(int argc, char *argv[]) {
+@@ -276,10 +281,18 @@ main(int argc, char *argv[]) {
ectx = NULL;
RUNCHECK(isc_entropy_create(mctx, &ectx));
@@ -446,7 +447,7 @@ index 379b6a3..810d99e 100644
+ if (randomfile != NULL &&
+ strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
+ randomfile = NULL;
-+ isc_entropy_usehook(ectx, ISC_TRUE);
++ isc_entropy_usehook(ectx, true);
+ }
+#endif
+ if (randomfile != NULL)
@@ -457,7 +458,7 @@ index 379b6a3..810d99e 100644
taskmgr = NULL;
RUNCHECK(isc_taskmgr_create(mctx, 1, 0, &taskmgr));
-@@ -330,8 +342,8 @@ main(int argc, char *argv[]) {
+@@ -332,8 +345,8 @@ main(int argc, char *argv[]) {
isc_task_detach(&task);
isc_taskmgr_destroy(&taskmgr);
@@ -490,7 +491,7 @@ index a6720ce..9063b1f 100644
diff refb outputb || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
diff --git a/bin/tests/system/rsabigexponent/bigkey.c
b/bin/tests/system/rsabigexponent/bigkey.c
-index 4462f2e..f1230d8 100644
+index 4462f2e..f06268d 100644
--- a/bin/tests/system/rsabigexponent/bigkey.c
+++ b/bin/tests/system/rsabigexponent/bigkey.c
@@ -20,6 +20,7 @@
@@ -506,13 +507,13 @@ index 4462f2e..f1230d8 100644
CHECK(isc_mem_create(0, 0, &mctx), "isc_mem_create()");
CHECK(isc_entropy_create(mctx, &ectx), "isc_entropy_create()");
+#ifdef ISC_PLATFORM_CRYPTORANDOM
-+ isc_entropy_usehook(ectx, ISC_TRUE);
++ isc_entropy_usehook(ectx, true);
+#endif
CHECK(isc_entropy_usebestsource(ectx, &source,
"../random.data",
ISC_ENTROPY_KEYBOARDNO),
diff --git a/bin/tests/system/tkey/keycreate.c b/bin/tests/system/tkey/keycreate.c
-index 489f439..4f2f5b4 100644
+index 653c951..fe8698e 100644
--- a/bin/tests/system/tkey/keycreate.c
+++ b/bin/tests/system/tkey/keycreate.c
@@ -206,6 +206,7 @@ sendquery(isc_task_t *task, isc_event_t *event) {
@@ -555,7 +556,7 @@ index 489f439..4f2f5b4 100644
+ if (randomfile != NULL &&
+ strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
+ randomfile = NULL;
-+ isc_entropy_usehook(ectx, ISC_TRUE);
++ isc_entropy_usehook(ectx, true);
+ }
+#endif
+ if (randomfile != NULL)
@@ -581,7 +582,7 @@ index 489f439..4f2f5b4 100644
isc_mem_destroy(&mctx);
diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c
-index 36ee6c7..0975bbe 100644
+index 70a40c3..2146f9b 100644
--- a/bin/tests/system/tkey/keydelete.c
+++ b/bin/tests/system/tkey/keydelete.c
@@ -136,6 +136,7 @@ sendquery(isc_task_t *task, isc_event_t *event) {
@@ -624,7 +625,7 @@ index 36ee6c7..0975bbe 100644
+ if (randomfile != NULL &&
+ strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
+ randomfile = NULL;
-+ isc_entropy_usehook(ectx, ISC_TRUE);
++ isc_entropy_usehook(ectx, true);
+ }
+#endif
+ if (randomfile != NULL)
@@ -639,7 +640,7 @@ index 36ee6c7..0975bbe 100644
taskmgr = NULL;
RUNCHECK(isc_taskmgr_create(mctx, 1, 0, &taskmgr));
-@@ -265,8 +285,8 @@ main(int argc, char **argv) {
+@@ -264,8 +284,8 @@ main(int argc, char **argv) {
isc_log_destroy(&log);
@@ -690,10 +691,10 @@ index 9f90dd7..fad6c83 100644
echo "I:failed"
status=`expr $status + $ret`
diff --git a/bin/tools/mdig.c b/bin/tools/mdig.c
-index 1f5dd4c..4e3bfa5 100644
+index 4876875..e46653a 100644
--- a/bin/tools/mdig.c
+++ b/bin/tools/mdig.c
-@@ -1933,12 +1933,11 @@ main(int argc, char *argv[]) {
+@@ -1955,12 +1955,11 @@ main(int argc, char *argv[]) {
ectx = NULL;
RUNCHECK(isc_entropy_create(mctx, &ectx));
@@ -705,10 +706,10 @@ index 1f5dd4c..4e3bfa5 100644
- RUNCHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_GOODONLY));
-
ISC_LIST_INIT(queries);
- parse_args(ISC_FALSE, argc, argv);
+ parse_args(false, argc, argv);
if (server == NULL)
diff --git a/configure b/configure
-index c83773a..ac1ea3f 100755
+index 4394755..2e0af33 100755
--- a/configure
+++ b/configure
@@ -640,6 +640,7 @@ ac_includes_default="\
@@ -719,7 +720,7 @@ index c83773a..ac1ea3f 100755
BUILD_LIBS
BUILD_LDFLAGS
BUILD_CPPFLAGS
-@@ -825,6 +826,7 @@ XMLSTATS
+@@ -823,6 +824,7 @@ XMLSTATS
NZDTARGETS
NZDSRCS
NZD_TOOLS
@@ -727,7 +728,7 @@ index c83773a..ac1ea3f 100755
PKCS11_TEST
PKCS11_ED25519
PKCS11_GOST
-@@ -1037,6 +1039,7 @@ with_eddsa
+@@ -1035,6 +1037,7 @@ with_eddsa
with_aes
enable_openssl_hash
with_cc_alg
@@ -735,7 +736,7 @@ index c83773a..ac1ea3f 100755
with_lmdb
with_libxml2
with_libjson
-@@ -1730,6 +1733,7 @@ Optional Features:
+@@ -1728,6 +1731,7 @@ Optional Features:
--enable-threads enable multithreading
--enable-native-pkcs11 use native PKCS11 for all crypto [default=no]
--enable-openssl-hash use OpenSSL for hash functions [default=no]
@@ -743,7 +744,7 @@ index c83773a..ac1ea3f 100755
--enable-largefile 64-bit file support
--enable-backtrace log stack backtrace on abort [default=yes]
--enable-symtable use internal symbol table for backtrace
-@@ -16486,6 +16490,7 @@ case "$use_openssl" in
+@@ -16631,6 +16635,7 @@ case "$use_openssl" in
$as_echo "disabled because of native PKCS11" >&6; }
DST_OPENSSL_INC=""
CRYPTO="-DPKCS11CRYPTO"
@@ -751,7 +752,7 @@ index c83773a..ac1ea3f 100755
OPENSSLECDSALINKOBJS=""
OPENSSLECDSALINKSRCS=""
OPENSSLEDDSALINKOBJS=""
-@@ -16500,6 +16505,7 @@ $as_echo "disabled because of native PKCS11"
>&6; }
+@@ -16645,6 +16650,7 @@ $as_echo "disabled because of native PKCS11"
>&6; }
$as_echo "no" >&6; }
DST_OPENSSL_INC=""
CRYPTO=""
@@ -759,7 +760,7 @@ index c83773a..ac1ea3f 100755
OPENSSLECDSALINKOBJS=""
OPENSSLECDSALINKSRCS=""
OPENSSLEDDSALINKOBJS=""
-@@ -16512,6 +16518,7 @@ $as_echo "no" >&6; }
+@@ -16657,6 +16663,7 @@ $as_echo "no" >&6; }
auto)
DST_OPENSSL_INC=""
CRYPTO=""
@@ -767,7 +768,7 @@ index c83773a..ac1ea3f 100755
OPENSSLECDSALINKOBJS=""
OPENSSLECDSALINKSRCS=""
OPENSSLEDDSALINKOBJS=""
-@@ -16521,7 +16528,7 @@ $as_echo "no" >&6; }
+@@ -16666,7 +16673,7 @@ $as_echo "no" >&6; }
OPENSSLLINKOBJS=""
OPENSSLLINKSRCS=""
as_fn_error $? "OpenSSL was not found in any of $openssldirs; use
--with-openssl=/path
@@ -776,7 +777,7 @@ index c83773a..ac1ea3f 100755
;;
*)
if test "yes" = "$want_native_pkcs11"
-@@ -16552,6 +16559,7 @@ $as_echo "not found" >&6; }
+@@ -16697,6 +16704,7 @@ $as_echo "not found" >&6; }
as_fn_error $? "\"$use_openssl/include/openssl/opensslv.h\" not
found" "$LINENO" 5
fi
CRYPTO='-DOPENSSL'
@@ -784,7 +785,7 @@ index c83773a..ac1ea3f 100755
if test "/usr" = "$use_openssl"
then
DST_OPENSSL_INC=""
-@@ -17213,8 +17221,6 @@ fi
+@@ -17358,8 +17366,6 @@ fi
# Use OpenSSL for hash functions
#
@@ -793,7 +794,7 @@ index c83773a..ac1ea3f 100755
ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH"
case $want_openssl_hash in
yes)
-@@ -17583,6 +17589,86 @@ if test "rt" = "$have_clock_gt"; then
+@@ -17728,6 +17734,86 @@ if test "rt" = "$have_clock_gt"; then
LIBS="-lrt $LIBS"
fi
@@ -880,7 +881,7 @@ index c83773a..ac1ea3f 100755
#
# was --with-lmdb specified?
#
-@@ -19665,9 +19751,12 @@ _ACEOF
+@@ -19810,9 +19896,12 @@ _ACEOF
if ac_fn_c_try_compile "$LINENO"; then :
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: size_t for buflen; int for
flags" >&5
$as_echo "size_t for buflen; int for flags" >&6; }
@@ -895,7 +896,7 @@ index c83773a..ac1ea3f 100755
$as_echo "#define IRS_GETNAMEINFO_FLAGS_T int" >>confdefs.h
-@@ -21032,12 +21121,7 @@ ISC_PLATFORM_USEGCCASM="#undef
ISC_PLATFORM_USEGCCASM"
+@@ -21123,12 +21212,7 @@ ISC_PLATFORM_USEGCCASM="#undef
ISC_PLATFORM_USEGCCASM"
ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM"
ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM"
if test "yes" = "$use_atomic"; then
@@ -909,7 +910,7 @@ index c83773a..ac1ea3f 100755
# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects
# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'.
# This bug is HP SR number 8606223364.
-@@ -21070,6 +21154,11 @@ cat >>confdefs.h <<_ACEOF
+@@ -21161,6 +21245,11 @@ cat >>confdefs.h <<_ACEOF
_ACEOF
@@ -921,7 +922,7 @@ index c83773a..ac1ea3f 100755
if test $ac_cv_sizeof_void_p = 8; then
arch=x86_64
have_xaddq=yes
-@@ -21078,39 +21167,6 @@ _ACEOF
+@@ -21169,39 +21258,6 @@ _ACEOF
fi
;;
x86_64-*|amd64-*)
@@ -961,7 +962,7 @@ index c83773a..ac1ea3f 100755
if test $ac_cv_sizeof_void_p = 8; then
arch=x86_64
have_xaddq=yes
-@@ -21141,6 +21197,10 @@ $as_echo_n "checking architecture type for atomic
operations... " >&6; }
+@@ -21232,6 +21288,10 @@ $as_echo_n "checking architecture type for atomic
operations... " >&6; }
$as_echo "$arch" >&6; }
fi
@@ -972,7 +973,7 @@ index c83773a..ac1ea3f 100755
if test "yes" = "$have_atomic"; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking compiler support for inline
assembly code" >&5
$as_echo_n "checking compiler support for inline assembly code... "
>&6; }
-@@ -23428,6 +23488,30 @@ CFLAGS="$CFLAGS $SO_CFLAGS"
+@@ -23519,6 +23579,30 @@ CFLAGS="$CFLAGS $SO_CFLAGS"
#
dlzdir='${DLZ_DRIVER_DIR}'
@@ -1003,7 +1004,7 @@ index c83773a..ac1ea3f 100755
#
# Private autoconf macro to simplify configuring drivers:
#
-@@ -23758,11 +23842,11 @@ $as_echo "no" >&6; }
+@@ -23849,11 +23933,11 @@ $as_echo "no" >&6; }
$as_echo "using mysql with libs ${mysql_lib} and includes ${mysql_include}"
>&6; }
;;
*)
@@ -1018,7 +1019,7 @@ index c83773a..ac1ea3f 100755
fi
CONTRIB_DLZ="$CONTRIB_DLZ -DDLZ_MYSQL"
-@@ -23847,7 +23931,7 @@ $as_echo "" >&6; }
+@@ -23938,7 +24022,7 @@ $as_echo "" >&6; }
# Check other locations for includes.
# Order is important (sigh).
@@ -1027,13 +1028,12 @@ index c83773a..ac1ea3f 100755
# include a blank element first
for d in "" $bdb_incdirs
do
-@@ -23872,57 +23956,9 @@ $as_echo "" >&6; }
+@@ -23963,57 +24047,9 @@ $as_echo "" >&6; }
bdb_libnames="db53 db-5.3 db51 db-5.1 db48 db-4.8 db47 db-4.7 db46 db-4.6 db45
db-4.5 db44 db-4.4 db43 db-4.3 db42 db-4.2 db41 db-4.1 db"
for d in $bdb_libnames
do
- if test "$dd" = "/usr"
-+ if test -f "$dd/${target_lib}/lib${d}.so"
- then
+- then
- as_ac_Lib=`$as_echo "ac_cv_lib_$d''_db_create" | $as_tr_sh`
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for db_create in -l$d"
>&5
-$as_echo_n "checking for db_create in -l$d... " >&6; }
@@ -1081,13 +1081,14 @@ index c83773a..ac1ea3f 100755
- break
- fi
- elif test -f "$dd/lib/lib${d}.so"
-- then
++ if test -f "$dd/${target_lib}/lib${d}.so"
+ then
- dlz_bdb_libs="-L${dd}/lib -l${d}"
+ dlz_bdb_libs="-L${dd}/${target_lib}/libdb -l${d}"
break
fi
done
-@@ -24081,10 +24117,10 @@ $as_echo "no" >&6; }
+@@ -24172,10 +24208,10 @@ $as_echo "no" >&6; }
DLZ_DRIVER_INCLUDES="$DLZ_DRIVER_INCLUDES -I$use_dlz_ldap/include"
DLZ_DRIVER_LDAP_INCLUDES="-I$use_dlz_ldap/include"
fi
@@ -1101,7 +1102,7 @@ index c83773a..ac1ea3f 100755
fi
-@@ -24170,11 +24206,11 @@ fi
+@@ -24261,11 +24297,11 @@ fi
odbcdirs="/usr /usr/local /usr/pkg"
for d in $odbcdirs
do
@@ -1115,7 +1116,7 @@ index c83773a..ac1ea3f 100755
break
fi
done
-@@ -24449,6 +24485,8 @@ DNS_CRYPTO_LIBS="$NEWFLAGS"
+@@ -24540,6 +24576,8 @@ DNS_CRYPTO_LIBS="$NEWFLAGS"
@@ -1124,7 +1125,7 @@ index c83773a..ac1ea3f 100755
#
# Commands to run at the end of config.status.
# Don't just put these into configure, it won't work right if somebody
-@@ -26839,6 +26877,8 @@ report() {
+@@ -26930,6 +26968,8 @@ report() {
echo " IPv6 support (--enable-ipv6)"
test "X$CRYPTO" = "X" -o "yes" =
"$want_native_pkcs11" || \
echo " OpenSSL cryptography/DNSSEC (--with-openssl)"
@@ -1133,7 +1134,7 @@ index c83773a..ac1ea3f 100755
test "X$PYTHON" = "X" || echo " Python tools
(--with-python)"
test "X$XMLSTATS" = "X" || echo " XML statistics
(--with-libxml2)"
test "X$JSONSTATS" = "X" || echo " JSON statistics
(--with-libjson)"
-@@ -26879,6 +26919,8 @@ report() {
+@@ -26970,6 +27010,8 @@ report() {
echo " Very verbose query trace logging (--enable-querytrace)"
test "no" = "$atf" || echo " Automated Testing Framework
(--with-atf)"
@@ -1142,7 +1143,7 @@ index c83773a..ac1ea3f 100755
echo " Dynamically loadable zone (DLZ) drivers:"
test "no" = "$use_dlz_bdb" || \
echo " Berkeley DB (--with-dlz-bdb)"
-@@ -26926,6 +26968,8 @@ report() {
+@@ -27017,6 +27059,8 @@ report() {
echo " ECDSA algorithm support (--with-ecdsa)"
test "X$CRYPTO" = "X" -o "yes" =
"$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \
echo " EDDSA algorithm support (--with-eddsa)"
@@ -1152,10 +1153,10 @@ index c83773a..ac1ea3f 100755
test "yes" = "$enable_seccomp" || \
echo " Use libseccomp system call filtering (--enable-seccomp)"
diff --git a/configure.in b/configure.in
-index 9a1d16d..849fa94 100644
+index b07895f..898b4ac 100644
--- a/configure.in
+++ b/configure.in
-@@ -1597,6 +1597,7 @@ case "$use_openssl" in
+@@ -1542,6 +1542,7 @@ case "$use_openssl" in
AC_MSG_RESULT(disabled because of native PKCS11)
DST_OPENSSL_INC=""
CRYPTO="-DPKCS11CRYPTO"
@@ -1163,7 +1164,7 @@ index 9a1d16d..849fa94 100644
OPENSSLECDSALINKOBJS=""
OPENSSLECDSALINKSRCS=""
OPENSSLEDDSALINKOBJS=""
-@@ -1610,6 +1611,7 @@ case "$use_openssl" in
+@@ -1555,6 +1556,7 @@ case "$use_openssl" in
AC_MSG_RESULT(no)
DST_OPENSSL_INC=""
CRYPTO=""
@@ -1171,7 +1172,7 @@ index 9a1d16d..849fa94 100644
OPENSSLECDSALINKOBJS=""
OPENSSLECDSALINKSRCS=""
OPENSSLEDDSALINKOBJS=""
-@@ -1622,6 +1624,7 @@ case "$use_openssl" in
+@@ -1567,6 +1569,7 @@ case "$use_openssl" in
auto)
DST_OPENSSL_INC=""
CRYPTO=""
@@ -1179,7 +1180,7 @@ index 9a1d16d..849fa94 100644
OPENSSLECDSALINKOBJS=""
OPENSSLECDSALINKSRCS=""
OPENSSLEDDSALINKOBJS=""
-@@ -1632,7 +1635,7 @@ case "$use_openssl" in
+@@ -1577,7 +1580,7 @@ case "$use_openssl" in
OPENSSLLINKSRCS=""
AC_MSG_ERROR(
[OpenSSL was not found in any of $openssldirs; use --with-openssl=/path
@@ -1188,7 +1189,7 @@ index 9a1d16d..849fa94 100644
;;
*)
if test "yes" = "$want_native_pkcs11"
-@@ -1662,6 +1665,7 @@ If you don't want OpenSSL, use --without-openssl])
+@@ -1607,6 +1610,7 @@ If you don't want OpenSSL, use --without-openssl])
AC_MSG_ERROR(["$use_openssl/include/openssl/opensslv.h" not found])
fi
CRYPTO='-DOPENSSL'
@@ -1196,7 +1197,7 @@ index 9a1d16d..849fa94 100644
if test "/usr" = "$use_openssl"
then
DST_OPENSSL_INC=""
-@@ -2135,7 +2139,6 @@ fi
+@@ -2080,7 +2084,6 @@ fi
# Use OpenSSL for hash functions
#
@@ -1204,7 +1205,7 @@ index 9a1d16d..849fa94 100644
ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH"
case $want_openssl_hash in
yes)
-@@ -2402,6 +2405,67 @@ if test "rt" = "$have_clock_gt"; then
+@@ -2347,6 +2350,67 @@ if test "rt" = "$have_clock_gt"; then
LIBS="-lrt $LIBS"
fi
@@ -1272,7 +1273,7 @@ index 9a1d16d..849fa94 100644
#
# was --with-lmdb specified?
#
-@@ -4235,12 +4299,12 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM"
+@@ -4139,12 +4203,12 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM"
ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM"
ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM"
if test "yes" = "$use_atomic"; then
@@ -1286,7 +1287,7 @@ index 9a1d16d..849fa94 100644
if test $ac_cv_sizeof_void_p = 8; then
arch=x86_64
have_xaddq=yes
-@@ -4249,7 +4313,6 @@ if test "yes" = "$use_atomic"; then
+@@ -4153,7 +4217,6 @@ if test "yes" = "$use_atomic"; then
fi
;;
x86_64-*|amd64-*)
@@ -1294,7 +1295,7 @@ index 9a1d16d..849fa94 100644
if test $ac_cv_sizeof_void_p = 8; then
arch=x86_64
have_xaddq=yes
-@@ -5613,6 +5676,8 @@ report() {
+@@ -5517,6 +5580,8 @@ report() {
echo " IPv6 support (--enable-ipv6)"
test "X$CRYPTO" = "X" -o "yes" =
"$want_native_pkcs11" || \
echo " OpenSSL cryptography/DNSSEC (--with-openssl)"
@@ -1303,7 +1304,7 @@ index 9a1d16d..849fa94 100644
test "X$PYTHON" = "X" || echo " Python tools
(--with-python)"
test "X$XMLSTATS" = "X" || echo " XML statistics
(--with-libxml2)"
test "X$JSONSTATS" = "X" || echo " JSON statistics
(--with-libjson)"
-@@ -5653,6 +5718,8 @@ report() {
+@@ -5557,6 +5622,8 @@ report() {
echo " Very verbose query trace logging (--enable-querytrace)"
test "no" = "$atf" || echo " Automated Testing Framework
(--with-atf)"
@@ -1312,7 +1313,7 @@ index 9a1d16d..849fa94 100644
echo " Dynamically loadable zone (DLZ) drivers:"
test "no" = "$use_dlz_bdb" || \
echo " Berkeley DB (--with-dlz-bdb)"
-@@ -5700,6 +5767,8 @@ report() {
+@@ -5604,6 +5671,8 @@ report() {
echo " ECDSA algorithm support (--with-ecdsa)"
test "X$CRYPTO" = "X" -o "yes" =
"$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \
echo " EDDSA algorithm support (--with-eddsa)"
@@ -1322,10 +1323,10 @@ index 9a1d16d..849fa94 100644
test "yes" = "$enable_seccomp" || \
echo " Use libseccomp system call filtering (--enable-seccomp)"
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
-index dbece0a..803e7b3 100644
+index 5703f9c..afb4d80 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
-@@ -274,6 +274,12 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
+@@ -276,6 +276,12 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
#ifdef GSSAPI
RETERR(dst__gssapi_init(&dst_t_func[DST_ALG_GSSAPI]));
#endif
@@ -1335,17 +1336,17 @@ index dbece0a..803e7b3 100644
+ isc_entropy_sethook(dst_random_getdata);
+#endif
+#endif /* defined(OPENSSL) || defined(PKCS11CRYPTO) */
- dst_initialized = ISC_TRUE;
+ dst_initialized = true;
return (ISC_R_SUCCESS);
-@@ -293,11 +299,19 @@ dst_lib_destroy(void) {
+@@ -295,11 +301,19 @@ dst_lib_destroy(void) {
for (i = 0; i < DST_MAX_ALGS; i++)
if (dst_t_func[i] != NULL && dst_t_func[i]->cleanup != NULL)
dst_t_func[i]->cleanup();
+#if defined(OPENSSL) || defined(PKCS11CRYPTO)
+#ifdef ISC_PLATFORM_CRYPTORANDOM
+ if (dst_entropy_pool != NULL) {
-+ isc_entropy_usehook(dst_entropy_pool, ISC_FALSE);
++ isc_entropy_usehook(dst_entropy_pool, false);
+ isc_entropy_sethook(NULL);
+ }
+#endif
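Review bot: In dst_lib_destroy(), `isc_entropy_sethook(NULL)` takes no context argument, so it clears the hook for every entropy context, while the `isc_entropy_usehook(dst_entropy_pool, false)` call just before it unmarks only `dst_entropy_pool`. What a context that still has usehook enabled does after this point is not documented here, and the isc_entropy_getdata() branch that consults the hook is not visible in this hunk. I would add a comment above the call, `/* The hook is process-wide; clearing it also affects other contexts that have usehook set. */`, and confirm that isc_entropy_getdata() handles a NULL hook. dst_lib_destroy's body continues outside the hunk.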
@@ -1358,7 +1359,7 @@ index dbece0a..803e7b3 100644
if (dst__memory_pool != NULL)
isc_mem_detach(&dst__memory_pool);
if (dst_entropy_pool != NULL)
-@@ -2000,13 +2014,17 @@ dst__entropy_getdata(void *buf, unsigned int len, isc_boolean_t
pseudo) {
+@@ -1998,13 +2012,17 @@ dst__entropy_getdata(void *buf, unsigned int len, bool pseudo) {
flags &= ~ISC_ENTROPY_GOODONLY;
else
flags |= ISC_ENTROPY_BLOCKING;
@@ -1377,7 +1378,7 @@ index dbece0a..803e7b3 100644
#ifdef GSSAPI
unsigned int flags = dst_entropy_flags;
isc_result_t ret;
-@@ -2029,6 +2047,7 @@ dst__entropy_status(void) {
+@@ -2027,6 +2045,7 @@ dst__entropy_status(void) {
#endif
return (isc_entropy_status(dst_entropy_pool));
#else
@@ -1386,10 +1387,10 @@ index dbece0a..803e7b3 100644
#endif
}
diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
-index fcc7b47..d9b6ab6 100644
+index 32b0742..78e1277 100644
--- a/lib/dns/include/dst/dst.h
+++ b/lib/dns/include/dst/dst.h
-@@ -157,6 +157,14 @@ dst_lib_destroy(void);
+@@ -160,6 +160,14 @@ dst_lib_destroy(void);
* Releases all resources allocated by DST.
*/
@@ -1401,38 +1402,30 @@ index fcc7b47..d9b6ab6 100644
+ * Specialization of isc_entropy_getdata().
+ */
+
- isc_boolean_t
+ bool
dst_algorithm_supported(unsigned int alg);
/*%<
diff --git a/lib/dns/lib.c b/lib/dns/lib.c
-index 53237d5..c6d83e9 100644
+index 304814b..60543c4 100644
--- a/lib/dns/lib.c
+++ b/lib/dns/lib.c
-@@ -9,14 +9,13 @@
- * information regarding copyright ownership.
- */
-
--/* $Id: lib.c,v 1.19 2009/09/03 00:12:23 each Exp $ */
--
- /*! \file */
-
- #include <config.h>
-
+@@ -18,6 +18,7 @@
+ #include <stdbool.h>
#include <stddef.h>
+#include <isc/entropy.h>
#include <isc/hash.h>
#include <isc/mem.h>
#include <isc/msgcat.h>
-@@ -77,6 +76,7 @@ static unsigned int references = 0;
+@@ -78,6 +79,7 @@ static unsigned int references = 0;
static void
initialize(void) {
isc_result_t result;
+ isc_entropy_t *ectx = NULL;
- REQUIRE(initialize_done == ISC_FALSE);
+ REQUIRE(initialize_done == false);
-@@ -87,11 +87,14 @@ initialize(void) {
+@@ -88,11 +90,14 @@ initialize(void) {
result = dns_ecdb_register(dns_g_mctx, &dbimp);
if (result != ISC_R_SUCCESS)
goto cleanup_mctx;
@@ -1449,14 +1442,14 @@ index 53237d5..c6d83e9 100644
if (result != ISC_R_SUCCESS)
goto cleanup_hash;
-@@ -99,11 +102,17 @@ initialize(void) {
+@@ -100,11 +105,17 @@ initialize(void) {
if (result != ISC_R_SUCCESS)
goto cleanup_dst;
+ isc_hash_init();
+ isc_entropy_detach(&ectx);
+
- initialize_done = ISC_TRUE;
+ initialize_done = true;
return;
cleanup_dst:
@@ -1468,7 +1461,7 @@ index 53237d5..c6d83e9 100644
isc_hash_destroy();
cleanup_db:
diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
-index ec6dc7f..c1e1bde 100644
+index a30a2ab..d88d643 100644
--- a/lib/dns/openssl_link.c
+++ b/lib/dns/openssl_link.c
@@ -31,6 +31,7 @@
@@ -1764,68 +1757,61 @@ index 58fa872..625e809 100644
sh ${top_builddir}/unit/unittest.sh
diff --git a/lib/dns/tests/dnstest.c b/lib/dns/tests/dnstest.c
-index fb9ef53..344a7c2 100644
+index 51bb90b..1b25b90 100644
--- a/lib/dns/tests/dnstest.c
+++ b/lib/dns/tests/dnstest.c
-@@ -120,12 +120,12 @@ dns_test_begin(FILE *logfile, isc_boolean_t start_managers) {
+@@ -122,12 +122,12 @@ dns_test_begin(FILE *logfile, bool start_managers) {
CHECK(isc_mem_create(0, 0, &mctx));
CHECK(isc_entropy_create(mctx, &ectx));
- CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE));
-- hash_active = ISC_TRUE;
+- hash_active = true;
-
CHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_BLOCKING));
- dst_active = ISC_TRUE;
+ dst_active = true;
+ CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE));
-+ hash_active = ISC_TRUE;
++ hash_active = true;
+
if (logfile != NULL) {
isc_logdestination_t destination;
isc_logconfig_t *logconfig = NULL;
-@@ -169,14 +169,14 @@ dns_test_begin(FILE *logfile, isc_boolean_t start_managers) {
+@@ -171,14 +171,14 @@ dns_test_begin(FILE *logfile, bool start_managers) {
void
dns_test_end(void) {
- if (dst_active) {
- dst_lib_destroy();
-- dst_active = ISC_FALSE;
+- dst_active = false;
- }
if (hash_active) {
isc_hash_destroy();
- hash_active = ISC_FALSE;
+ hash_active = false;
}
+ if (dst_active) {
+ dst_lib_destroy();
-+ dst_active = ISC_FALSE;
++ dst_active = false;
+ }
if (ectx != NULL)
isc_entropy_detach(&ectx);
diff --git a/lib/dns/tests/dstrandom_test.c b/lib/dns/tests/dstrandom_test.c
new file mode 100644
-index 0000000..d2c72e7
+index 0000000..b980d8a
--- /dev/null
+++ b/lib/dns/tests/dstrandom_test.c
-@@ -0,0 +1,105 @@
+@@ -0,0 +1,99 @@
+/*
-+ * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
++ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
-+ * Permission to use, copy, modify, and/or distribute this software for any
-+ * purpose with or without fee is hereby granted, provided that the above
-+ * copyright notice and this permission notice appear in all copies.
++ * This Source Code Form is subject to the terms of the Mozilla Public
++ * License, v. 2.0. If a copy of the MPL was not distributed with this
++ * file, You can obtain one at
http://mozilla.org/MPL/2.0/.
+ *
-+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-+ * PERFORMANCE OF THIS SOFTWARE.
++ * See the COPYRIGHT file distributed with this work for additional
++ * information regarding copyright ownership.
+ */
+
-+/* $Id$ */
-+
+/*! \file */
+
+#include <config.h>
@@ -1834,6 +1820,7 @@ index 0000000..d2c72e7
+
+#include <stdio.h>
+#include <string.h>
++#include <unistd.h>
+
+#include <isc/entropy.h>
+#include <isc/mem.h>
@@ -1868,7 +1855,7 @@ index 0000000..d2c72e7
+ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+#ifdef ISC_PLATFORM_CRYPTORANDOM
-+ isc_entropy_usehook(ectx, ISC_TRUE);
++ isc_entropy_usehook(ectx, true);
+
+ returned = 0;
+ result = isc_entropy_getdata(ectx, buffer, sizeof(buffer),
@@ -1879,7 +1866,7 @@ index 0000000..d2c72e7
+ status = isc_entropy_status(ectx);
+ ATF_REQUIRE_EQ(status, 0);
+
-+ isc_entropy_usehook(ectx, ISC_FALSE);
++ isc_entropy_usehook(ectx, false);
+#endif
+
+ ret = chdir(TESTS);
@@ -1914,10 +1901,10 @@ index 0000000..d2c72e7
+}
+
diff --git a/lib/dns/win32/libdns.def.in b/lib/dns/win32/libdns.def.in
-index d48eeb2..213e9d9 100644
+index 62a156c..bf83fe5 100644
--- a/lib/dns/win32/libdns.def.in
+++ b/lib/dns/win32/libdns.def.in
-@@ -1480,6 +1480,13 @@ dst_lib_destroy
+@@ -1483,6 +1483,13 @@ dst_lib_destroy
dst_lib_init
dst_lib_init2
dst_lib_initmsgcat
@@ -1932,14 +1919,14 @@ index d48eeb2..213e9d9 100644
dst_region_computerid
dst_result_register
diff --git a/lib/isc/entropy.c b/lib/isc/entropy.c
-index 232094a..a85650b 100644
+index ab2f617..ed05ed6 100644
--- a/lib/isc/entropy.c
+++ b/lib/isc/entropy.c
-@@ -103,11 +103,15 @@ struct isc_entropy {
- isc_uint32_t initialized;
- isc_uint32_t initcount;
+@@ -104,11 +104,15 @@ struct isc_entropy {
+ uint32_t initialized;
+ uint32_t initcount;
isc_entropypool_t pool;
-+ isc_boolean_t usehook;
++ bool usehook;
unsigned int nsources;
isc_entropysource_t *nextsource;
ISC_LIST(isc_entropysource_t) sources;
@@ -1950,8 +1937,8 @@ index 232094a..a85650b 100644
+
/*% Sample Queue */
typedef struct {
- isc_uint32_t last_time; /*%< last time recorded */
-@@ -556,6 +560,11 @@ isc_entropy_getdata(isc_entropy_t *ent, void *data, unsigned int
length,
+ uint32_t last_time; /*%< last time recorded */
+@@ -557,6 +561,11 @@ isc_entropy_getdata(isc_entropy_t *ent, void *data, unsigned int
length,
LOCK(&ent->lock);
@@ -1963,11 +1950,11 @@ index 232094a..a85650b 100644
remain = length;
buf = data;
total = 0;
-@@ -707,6 +716,7 @@ isc_entropy_create(isc_mem_t *mctx, isc_entropy_t **entp) {
+@@ -708,6 +717,7 @@ isc_entropy_create(isc_mem_t *mctx, isc_entropy_t **entp) {
ent->refcnt = 1;
ent->initialized = 0;
ent->initcount = 0;
-+ ent->usehook = ISC_FALSE;
++ ent->usehook = false;
ent->magic = ENTROPY_MAGIC;
isc_entropypool_init(&ent->pool);
@@ -1977,7 +1964,7 @@ index 232094a..a85650b 100644
}
+
+void
-+isc_entropy_usehook(isc_entropy_t *ectx, isc_boolean_t onoff) {
++isc_entropy_usehook(isc_entropy_t *ectx, bool onoff) {
+ REQUIRE(VALID_ENTROPY(ectx));
+
+ LOCK(&ectx->lock);
@@ -1990,15 +1977,15 @@ index 232094a..a85650b 100644
+ hook = myhook;
+}
diff --git a/lib/isc/include/isc/entropy.h b/lib/isc/include/isc/entropy.h
-index d52c43e..d9deb8a 100644
+index 4bba8e1..632166a 100644
--- a/lib/isc/include/isc/entropy.h
+++ b/lib/isc/include/isc/entropy.h
-@@ -303,6 +303,18 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t
**source,
+@@ -304,6 +304,18 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t
**source,
* isc_entropy_createcallbacksource().
*/
+void
-+isc_entropy_usehook(isc_entropy_t *ectx, isc_boolean_t onoff);
++isc_entropy_usehook(isc_entropy_t *ectx, bool onoff);
+/*!<
+ * \brief Mark/unmark the given entropy structure as being hooked.
+ */
@@ -2013,10 +2000,10 @@ index d52c43e..d9deb8a 100644
#endif /* ISC_ENTROPY_H */
diff --git a/lib/isc/include/isc/platform.h.in b/lib/isc/include/isc/platform.h.in
-index d7a5bec..0166b79 100644
+index 9c7c342..ee8dc3e 100644
--- a/lib/isc/include/isc/platform.h.in
+++ b/lib/isc/include/isc/platform.h.in
-@@ -344,6 +344,11 @@
+@@ -341,6 +341,11 @@
*/
@ISC_PLATFORM_HAVESTRINGSH@
@@ -2029,7 +2016,7 @@ index d7a5bec..0166b79 100644
* Define if the hash functions must be provided by OpenSSL.
*/
diff --git a/lib/isc/include/isc/types.h b/lib/isc/include/isc/types.h
-index f161faf..dec577e 100644
+index 42ff7e0..8d87c44 100644
--- a/lib/isc/include/isc/types.h
+++ b/lib/isc/include/isc/types.h
@@ -93,6 +93,8 @@ typedef struct isc_time isc_time_t; /*%< Time */
@@ -2042,10 +2029,10 @@ index f161faf..dec577e 100644
typedef int (*isc_sockfdwatch_t)(isc_task_t *, isc_socket_t *, void *, int);
diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c
-index 48e1031..74566c9 100644
+index a01e698..875c232 100644
--- a/lib/isc/pk11.c
+++ b/lib/isc/pk11.c
-@@ -327,14 +327,16 @@ pk11_rand_seed_fromfile(const char *randomfile) {
+@@ -321,14 +321,16 @@ pk11_rand_seed_fromfile(const char *randomfile) {
ret = isc_stdio_open(randomfile, "r", &stream);
if (ret != ISC_R_SUCCESS)
goto cleanup;
@@ -2068,10 +2055,10 @@ index 48e1031..74566c9 100644
cleanup:
if (stream != NULL)
diff --git a/lib/isc/win32/include/isc/platform.h.in
b/lib/isc/win32/include/isc/platform.h.in
-index de6a434..2c32782 100644
+index 5b8a2c9..913a2ce 100644
--- a/lib/isc/win32/include/isc/platform.h.in
+++ b/lib/isc/win32/include/isc/platform.h.in
-@@ -74,6 +74,11 @@
+@@ -69,6 +69,11 @@
#define ISC_PLATFORM_NORETURN_PRE __declspec(noreturn)
#define ISC_PLATFORM_NORETURN_POST
@@ -2084,7 +2071,7 @@ index de6a434..2c32782 100644
* Define if the hash functions must be provided by OpenSSL.
*/
diff --git a/win32utils/Configure b/win32utils/Configure
-index e9f4680..79bb178 100644
+index ff596b7..09b476f 100644
--- a/win32utils/Configure
+++ b/win32utils/Configure
@@ -381,6 +381,7 @@ my @substdefh = ("AES_CC",
@@ -2146,7 +2133,7 @@ index e9f4680..79bb178 100644
if ($enable_openssl_hash eq "yes") {
print "openssl-hash: enabled\n";
} else {
-@@ -1449,6 +1463,7 @@ if ($enable_intrinsics eq "yes") {
+@@ -1454,6 +1468,7 @@ if ($enable_intrinsics eq "yes") {
# enable-native-pkcs11
if ($enable_native_pkcs11 eq "yes") {
@@ -2154,7 +2141,7 @@ index e9f4680..79bb178 100644
if ($use_openssl eq "auto") {
$use_openssl = "no";
}
-@@ -1658,6 +1673,7 @@ if ($use_openssl eq "yes") {
+@@ -1663,6 +1678,7 @@ if ($use_openssl eq "yes") {
$openssl_dll = File::Spec->catdir($openssl_path, "@dirlist[0]");
}
@@ -2162,7 +2149,7 @@ index e9f4680..79bb178 100644
$configcond{"OPENSSL"} = 1;
$configdefd{"CRYPTO"} = "OPENSSL";
$configvar{"OPENSSL_PATH"} = "$openssl_path";
-@@ -2209,6 +2225,15 @@ if ($cookie_algorithm eq "sha1") {
+@@ -2214,6 +2230,15 @@ if ($cookie_algorithm eq "sha1") {
die "Unrecognized cookie algorithm: $cookie_algorithm\n";
}
@@ -2178,7 +2165,7 @@ index e9f4680..79bb178 100644
# enable-openssl-hash
if ($enable_openssl_hash eq "yes") {
if ($use_openssl eq "no") {
-@@ -3531,6 +3556,7 @@ exit 0;
+@@ -3536,6 +3561,7 @@ exit 0;
# --enable-developer partially supported
# --enable-newstats (9.9/9.9sub only)
# --enable-native-pkcs11 supported
@@ -2186,7 +2173,7 @@ index e9f4680..79bb178 100644
# --enable-openssl-version-check included without a way to disable it
# --enable-openssl-hash supported
# --enable-threads included without a way to disable it
-@@ -3556,6 +3582,7 @@ exit 0;
+@@ -3561,6 +3587,7 @@ exit 0;
# --with-gost supported
# --with-aes supported
# --with-cc-alg supported
diff --git a/bind-9.11-rt46047.patch b/bind-9.11-rt46047.patch
index 915b0ab..5030c06 100644
--- a/bind-9.11-rt46047.patch
+++ b/bind-9.11-rt46047.patch
@@ -1,4 +1,4 @@
-From 1ab1aabcf9b2b8de144bab7a3ff5d9f7e6ec9ad4 Mon Sep 17 00:00:00 2001
+From 9a074d5cd6c6276d95bc1cce3a14afaabc88c6c5 Mon Sep 17 00:00:00 2001
From: Evan Hunt <each(a)isc.org>
Date: Thu, 28 Sep 2017 10:09:22 -0700
Subject: [PATCH] completed and corrected the crypto-random change
@@ -39,17 +39,17 @@ Subject: [PATCH] completed and corrected the crypto-random change
bin/tests/system/tkey/keycreate.c | 4 +--
bin/tests/system/tkey/keydelete.c | 4 +--
doc/arm/Bv9ARM-book.xml | 55 ++++++++++++++++++++++----------
- doc/arm/notes.xml | 23 ++++++++++++-
- lib/dns/dst_api.c | 7 ++--
+ doc/arm/notes.xml | 26 +++++++++++++++
+ lib/dns/dst_api.c | 4 ++-
lib/dns/include/dst/dst.h | 14 ++++++--
lib/dns/openssl_link.c | 3 +-
lib/isc/include/isc/entropy.h | 50 +++++++++++++++++++++--------
lib/isc/include/isc/random.h | 28 ++++++++++------
lib/isccfg/namedconf.c | 2 +-
- 22 files changed, 219 insertions(+), 110 deletions(-)
+ 22 files changed, 221 insertions(+), 108 deletions(-)
diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c
-index fa439cc..a7ad417 100644
+index 295e16f..0f79aa8 100644
--- a/bin/confgen/keygen.c
+++ b/bin/confgen/keygen.c
@@ -161,17 +161,15 @@ generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t
alg,
@@ -65,7 +65,7 @@ index fa439cc..a7ad417 100644
- strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
- randomfile = NULL;
+ if (randomfile == NULL) {
- isc_entropy_usehook(ectx, ISC_TRUE);
+ isc_entropy_usehook(ectx, true);
}
#endif
+ if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) {
@@ -112,16 +112,16 @@ index 96dfef6..1c84b06 100644
</listitem>
</varlistentry>
diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c
-index 4ea9eaf..5dd9475 100644
+index 31a99e7..38c83ed 100644
--- a/bin/dnssec/dnssectool.c
+++ b/bin/dnssec/dnssectool.c
-@@ -239,18 +239,16 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile,
isc_entropy_t **ectx) {
+@@ -241,18 +241,16 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile,
isc_entropy_t **ectx) {
ISC_LIST_INIT(sources);
}
+#ifdef ISC_PLATFORM_CRYPTORANDOM
+ if (randomfile == NULL) {
-+ isc_entropy_usehook(*ectx, ISC_TRUE);
++ isc_entropy_usehook(*ectx, true);
+ }
+#endif
if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) {
@@ -133,17 +133,17 @@ index 4ea9eaf..5dd9475 100644
- if (randomfile != NULL &&
- strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
- randomfile = NULL;
-- isc_entropy_usehook(*ectx, ISC_TRUE);
+- isc_entropy_usehook(*ectx, true);
- }
-#endif
result = isc_entropy_usebestsource(*ectx, &source, randomfile,
usekeyboard);
diff --git a/bin/named/client.c b/bin/named/client.c
-index b9ebc93..20e5f39 100644
+index 0f6e162..5e39b82 100644
--- a/bin/named/client.c
+++ b/bin/named/client.c
-@@ -1605,7 +1605,8 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message,
+@@ -1608,7 +1608,8 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message,
isc_buffer_init(&buf, cookie, sizeof(cookie));
isc_stdtime_get(&now);
@@ -154,10 +154,10 @@ index b9ebc93..20e5f39 100644
compute_cookie(client, now, nonce, ns_g_server->secret, &buf);
diff --git a/bin/named/config.c b/bin/named/config.c
-index c50f759..c1e72ef 100644
+index 2c4c93c..16ed248 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
-@@ -92,7 +92,9 @@ options {\n\
+@@ -93,7 +93,9 @@ options {\n\
# pid-file \"" NS_LOCALSTATEDIR "/run/named/named.pid\"; /* or
/lwresd.pid */\n\
port 53;\n\
prefetch 2 9;\n"
@@ -169,10 +169,10 @@ index c50f759..c1e72ef 100644
#endif
" recursing-file \"named.recursing\";\n\
diff --git a/bin/named/controlconf.c b/bin/named/controlconf.c
-index 237e8dc..b905475 100644
+index d955c2f..40621f2 100644
--- a/bin/named/controlconf.c
+++ b/bin/named/controlconf.c
-@@ -322,9 +322,10 @@ log_invalid(isccc_ccmsg_t *ccmsg, isc_result_t result) {
+@@ -325,9 +325,10 @@ log_invalid(isccc_ccmsg_t *ccmsg, isc_result_t result) {
static void
control_recvmessage(isc_task_t *task, isc_event_t *event) {
@@ -185,8 +185,8 @@ index 237e8dc..b905475 100644
+ controlkey_t *key = NULL;
isccc_sexpr_t *request = NULL;
isccc_sexpr_t *response = NULL;
- isc_uint32_t algorithm;
-@@ -335,16 +336,17 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
+ uint32_t algorithm;
+@@ -338,16 +339,17 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
isc_buffer_t *text;
isc_result_t result;
isc_result_t eresult;
@@ -194,7 +194,7 @@ index 237e8dc..b905475 100644
+ isccc_sexpr_t *_ctrl = NULL;
isccc_time_t sent;
isccc_time_t exp;
- isc_uint32_t nonce;
+ uint32_t nonce;
- isccc_sexpr_t *data;
+ isccc_sexpr_t *data = NULL;
@@ -206,25 +206,25 @@ index 237e8dc..b905475 100644
algorithm = DST_ALG_UNKNOWN;
secret.rstart = NULL;
text = NULL;
-@@ -455,8 +457,11 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
+@@ -458,8 +460,11 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
* Establish nonce.
*/
if (conn->nonce == 0) {
- while (conn->nonce == 0)
- isc_random_get(&conn->nonce);
+ while (conn->nonce == 0) {
-+ isc_uint16_t r1 = isc_rng_random(server->rngctx);
-+ isc_uint16_t r2 = isc_rng_random(server->rngctx);
++ uint16_t r1 = isc_rng_random(server->rngctx);
++ uint16_t r2 = isc_rng_random(server->rngctx);
+ conn->nonce = (r1 << 16) | r2;
+ }
eresult = ISC_R_SUCCESS;
} else
eresult = ns_control_docommand(request, listener->readonly, &text);
diff --git a/bin/named/include/named/server.h b/bin/named/include/named/server.h
-index d8179a6..e03d24d 100644
+index f5ed2b7..b2c1d05 100644
--- a/bin/named/include/named/server.h
+++ b/bin/named/include/named/server.h
-@@ -17,6 +17,7 @@
+@@ -20,6 +20,7 @@
#include <isc/log.h>
#include <isc/magic.h>
#include <isc/quota.h>
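Review bot: In control_recvmessage, `conn->nonce = (r1 << 16) | r2;` shifts a `uint16_t` that has been promoted to signed `int`, so with a 32-bit `int` any `r1` of 0x8000 or larger produces a value that does not fit and the shift is undefined behaviour. Widen before shifting: `conn->nonce = ((uint32_t)r1 << 16) | r2;`. The rebase only renames the type of `r1` and `r2`, so the expression is carried over unchanged. control_recvmessage starts and ends outside this hunk.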
@@ -232,19 +232,19 @@ index d8179a6..e03d24d 100644
#include <isc/sockaddr.h>
#include <isc/types.h>
#include <isc/xml.h>
-@@ -131,6 +132,7 @@ struct ns_server {
+@@ -134,6 +135,7 @@ struct ns_server {
char * lockfile;
- isc_uint16_t transfer_tcp_message_size;
+ uint16_t transfer_tcp_message_size;
+ isc_rng_t * rngctx;
};
struct ns_altsecret {
diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c
-index d8c7188..50f924e 100644
+index 419927b..d721f47 100644
--- a/bin/named/interfacemgr.c
+++ b/bin/named/interfacemgr.c
-@@ -15,6 +15,7 @@
+@@ -17,6 +17,7 @@
#include <isc/interfaceiter.h>
#include <isc/os.h>
@@ -253,10 +253,10 @@ index d8c7188..50f924e 100644
#include <isc/task.h>
#include <isc/util.h>
diff --git a/bin/named/query.c b/bin/named/query.c
-index accbf3b..d89622d 100644
+index f8dbef2..2f3c0ca 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
-@@ -18,6 +18,7 @@
+@@ -19,6 +19,7 @@
#include <isc/hex.h>
#include <isc/mem.h>
#include <isc/print.h>
@@ -265,10 +265,10 @@ index accbf3b..d89622d 100644
#include <isc/serial.h>
#include <isc/stats.h>
diff --git a/bin/named/server.c b/bin/named/server.c
-index ca789e5..1413e85 100644
+index 9258e7f..f4320df 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
-@@ -8076,21 +8076,30 @@ load_configuration(const char *filename, ns_server_t *server,
+@@ -8164,21 +8164,30 @@ load_configuration(const char *filename, ns_server_t *server,
* Open the source of entropy.
*/
if (first_time) {
@@ -291,8 +291,8 @@ index ca789e5..1413e85 100644
+ if (randomdev == NULL) {
#ifdef ISC_PLATFORM_CRYPTORANDOM
- if (strcmp(randomdev, ISC_PLATFORM_CRYPTORANDOM) == 0)
-- isc_entropy_usehook(ns_g_entropy, ISC_TRUE);
-+ isc_entropy_usehook(ns_g_entropy, ISC_TRUE);
+- isc_entropy_usehook(ns_g_entropy, true);
++ isc_entropy_usehook(ns_g_entropy, true);
#else
- int level = ISC_LOG_ERROR;
- result = isc_entropy_createfilesource(ns_g_entropy,
@@ -310,7 +310,7 @@ index ca789e5..1413e85 100644
#ifdef PATH_RANDOMDEV
if (ns_g_fallbackentropy != NULL) {
level = ISC_LOG_INFO;
-@@ -8101,8 +8110,8 @@ load_configuration(const char *filename, ns_server_t *server,
+@@ -8189,8 +8198,8 @@ load_configuration(const char *filename, ns_server_t *server,
NS_LOGCATEGORY_GENERAL,
NS_LOGMODULE_SERVER,
level,
@@ -321,7 +321,7 @@ index ca789e5..1413e85 100644
randomdev,
isc_result_totext(result));
}
-@@ -8122,7 +8131,6 @@ load_configuration(const char *filename, ns_server_t *server,
+@@ -8210,7 +8219,6 @@ load_configuration(const char *filename, ns_server_t *server,
}
isc_entropy_detach(&ns_g_fallbackentropy);
}
@@ -329,7 +329,7 @@ index ca789e5..1413e85 100644
#endif
}
}
-@@ -8911,6 +8919,9 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
+@@ -8998,6 +9006,9 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
CHECKFATAL(dns_tkeyctx_create(ns_g_mctx, ns_g_entropy,
&server->tkeyctx),
"creating TKEY context");
@@ -339,7 +339,7 @@ index ca789e5..1413e85 100644
/*
* Setup the server task, which is responsible for coordinating
-@@ -9117,7 +9128,8 @@ ns_server_destroy(ns_server_t **serverp) {
+@@ -9204,7 +9215,8 @@ ns_server_destroy(ns_server_t **serverp) {
if (server->zonemgr != NULL)
dns_zonemgr_detach(&server->zonemgr);
@@ -349,7 +349,7 @@ index ca789e5..1413e85 100644
if (server->tkeyctx != NULL)
dns_tkeyctx_destroy(&server->tkeyctx);
-@@ -13018,10 +13030,10 @@ newzone_cfgctx_destroy(void **cfgp) {
+@@ -13105,10 +13117,10 @@ newzone_cfgctx_destroy(void **cfgp) {
static isc_result_t
generate_salt(unsigned char *salt, size_t saltlen) {
@@ -357,19 +357,19 @@ index ca789e5..1413e85 100644
+ size_t i, n;
union {
unsigned char rnd[256];
-- isc_uint32_t rnd32[64];
-+ isc_uint16_t rnd16[128];
+- uint32_t rnd32[64];
++ uint16_t rnd16[128];
} rnd;
unsigned char text[512 + 1];
isc_region_t r;
-@@ -13031,9 +13043,10 @@ generate_salt(unsigned char *salt, size_t saltlen) {
+@@ -13118,9 +13130,10 @@ generate_salt(unsigned char *salt, size_t saltlen) {
if (saltlen > 256U)
return (ISC_R_RANGE);
-- n = (int) (saltlen + sizeof(isc_uint32_t) - 1) / sizeof(isc_uint32_t);
+- n = (int) (saltlen + sizeof(uint32_t) - 1) / sizeof(uint32_t);
- for (i = 0; i < n; i++)
- isc_random_get(&rnd.rnd32[i]);
-+ n = (saltlen + sizeof(isc_uint16_t) - 1) / sizeof(isc_uint16_t);
++ n = (saltlen + sizeof(uint16_t) - 1) / sizeof(uint16_t);
+ for (i = 0; i < n; i++) {
+ rnd.rnd16[i] = isc_rng_random(ns_g_server->rngctx);
+ }
@@ -377,10 +377,10 @@ index ca789e5..1413e85 100644
memmove(salt, rnd.rnd, saltlen);
diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
-index 46c7acf..a0d0278 100644
+index 1559a33..68b9a99 100644
--- a/bin/nsupdate/nsupdate.c
+++ b/bin/nsupdate/nsupdate.c
-@@ -281,9 +281,7 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t
**ectx) {
+@@ -283,9 +283,7 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t
**ectx) {
}
#ifdef ISC_PLATFORM_CRYPTORANDOM
@@ -388,14 +388,14 @@ index 46c7acf..a0d0278 100644
- strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
- randomfile = NULL;
+ if (randomfile == NULL) {
- isc_entropy_usehook(*ectx, ISC_TRUE);
+ isc_entropy_usehook(*ectx, true);
}
#endif
diff --git a/bin/tests/system/pipelined/pipequeries.c
b/bin/tests/system/pipelined/pipequeries.c
-index 810d99e..d7d10e2 100644
+index 7b4f617..507bf0a 100644
--- a/bin/tests/system/pipelined/pipequeries.c
+++ b/bin/tests/system/pipelined/pipequeries.c
-@@ -279,9 +279,7 @@ main(int argc, char *argv[]) {
+@@ -282,9 +282,7 @@ main(int argc, char *argv[]) {
ectx = NULL;
RUNCHECK(isc_entropy_create(mctx, &ectx));
#ifdef ISC_PLATFORM_CRYPTORANDOM
@@ -403,11 +403,11 @@ index 810d99e..d7d10e2 100644
- strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
- randomfile = NULL;
+ if (randomfile == NULL) {
- isc_entropy_usehook(ectx, ISC_TRUE);
+ isc_entropy_usehook(ectx, true);
}
#endif
diff --git a/bin/tests/system/tkey/keycreate.c b/bin/tests/system/tkey/keycreate.c
-index 4f2f5b4..0894db7 100644
+index fe8698e..937fcc3 100644
--- a/bin/tests/system/tkey/keycreate.c
+++ b/bin/tests/system/tkey/keycreate.c
@@ -255,9 +255,7 @@ main(int argc, char *argv[]) {
@@ -418,11 +418,11 @@ index 4f2f5b4..0894db7 100644
- strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
- randomfile = NULL;
+ if (randomfile == NULL) {
- isc_entropy_usehook(ectx, ISC_TRUE);
+ isc_entropy_usehook(ectx, true);
}
#endif
diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c
-index 0975bbe..5b8a470 100644
+index 2146f9b..ac2c311 100644
--- a/bin/tests/system/tkey/keydelete.c
+++ b/bin/tests/system/tkey/keydelete.c
@@ -182,9 +182,7 @@ main(int argc, char **argv) {
@@ -433,11 +433,11 @@ index 0975bbe..5b8a470 100644
- strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
- randomfile = NULL;
+ if (randomfile == NULL) {
- isc_entropy_usehook(ectx, ISC_TRUE);
+ isc_entropy_usehook(ectx, true);
}
#endif
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
-index a5d9e2e..2a96f71 100644
+index baff8d3..00a50e4 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -5070,22 +5070,45 @@ badresp:1,adberr:0,findfail:0,valfail:0]
@@ -503,14 +503,15 @@ index a5d9e2e..2a96f71 100644
</listitem>
</varlistentry>
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
-index d3fdb5e..a8ad92d 100644
+index d9537a3..5c2cc13 100644
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
-@@ -105,7 +105,28 @@
- <itemizedlist>
- <listitem>
- <para>
-- None.
+@@ -180,6 +180,32 @@
+ option. [GL #105]
+ </para>
+ </listitem>
++ <listitem>
++ <para>
+ By default, BIND now uses the random number generation functions
+ in the cryptographic library (i.e., OpenSSL or a PKCS#11
+ provider) as a source of high-quality randomness rather than
@@ -533,25 +534,16 @@ index d3fdb5e..a8ad92d 100644
+ <command>configure --disable-crypto-rand</command>, in which
+ case <filename>/dev/random</filename> will be the default
+ entropy source. [RT #31459] [RT #46047]
- </para>
- </listitem>
++ </para>
++ </listitem>
</itemizedlist>
+ </section>
+
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
-index 803e7b3..29a4fef 100644
+index afb4d80..4e62a97 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
-@@ -276,8 +276,9 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
- #endif
- #if defined(OPENSSL) || defined(PKCS11CRYPTO)
- #ifdef ISC_PLATFORM_CRYPTORANDOM
-- if (dst_entropy_pool != NULL)
-+ if (dst_entropy_pool != NULL) {
- isc_entropy_sethook(dst_random_getdata);
-+ }
- #endif
- #endif /* defined(OPENSSL) || defined(PKCS11CRYPTO) */
- dst_initialized = ISC_TRUE;
-@@ -2015,10 +2016,12 @@ dst__entropy_getdata(void *buf, unsigned int len, isc_boolean_t
pseudo) {
+@@ -2013,10 +2013,12 @@ dst__entropy_getdata(void *buf, unsigned int len, bool pseudo) {
else
flags |= ISC_ENTROPY_BLOCKING;
#ifdef ISC_PLATFORM_CRYPTORANDOM
@@ -566,10 +558,10 @@ index 803e7b3..29a4fef 100644
}
diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
-index d9b6ab6..e8c1a3c 100644
+index 78e1277..10293d0 100644
--- a/lib/dns/include/dst/dst.h
+++ b/lib/dns/include/dst/dst.h
-@@ -161,8 +161,18 @@ isc_result_t
+@@ -164,8 +164,18 @@ isc_result_t
dst_random_getdata(void *data, unsigned int length,
unsigned int *returned, unsigned int flags);
/*%<
@@ -589,9 +581,9 @@ index d9b6ab6..e8c1a3c 100644
+ * \li DST_R_OPENSSLFAILURE, DST_R_CRYPTOFAILURE, or other codes on error
*/
- isc_boolean_t
+ bool
diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
-index c1e1bde..91e87d0 100644
+index d88d643..7a233dd 100644
--- a/lib/dns/openssl_link.c
+++ b/lib/dns/openssl_link.c
@@ -482,7 +482,8 @@ dst__openssl_getengine(const char *engine) {
@@ -605,7 +597,7 @@ index c1e1bde..91e87d0 100644
#ifndef DONT_REQUIRE_DST_LIB_INIT
INSIST(dst__memory_pool != NULL);
diff --git a/lib/isc/include/isc/entropy.h b/lib/isc/include/isc/entropy.h
-index d9deb8a..2d37363 100644
+index 632166a..c7cb17d 100644
--- a/lib/isc/include/isc/entropy.h
+++ b/lib/isc/include/isc/entropy.h
@@ -9,8 +9,6 @@
@@ -617,7 +609,7 @@ index d9deb8a..2d37363 100644
#ifndef ISC_ENTROPY_H
#define ISC_ENTROPY_H 1
-@@ -190,9 +188,8 @@ isc_entropy_createcallbacksource(isc_entropy_t *ent,
+@@ -191,9 +189,8 @@ isc_entropy_createcallbacksource(isc_entropy_t *ent,
/*!<
* \brief Create an entropy source that is polled via a callback.
*
@@ -629,7 +621,7 @@ index d9deb8a..2d37363 100644
*
* Samples are added via isc_entropy_addcallbacksample(), below.
* _addcallbacksample() is the only function which may be called from
-@@ -233,15 +230,32 @@ isc_result_t
+@@ -234,15 +231,32 @@ isc_result_t
isc_entropy_getdata(isc_entropy_t *ent, void *data, unsigned int length,
unsigned int *returned, unsigned int flags);
/*!<
@@ -669,9 +661,9 @@ index d9deb8a..2d37363 100644
*/
void
-@@ -306,13 +320,21 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t
**source,
+@@ -307,13 +321,21 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t
**source,
void
- isc_entropy_usehook(isc_entropy_t *ectx, isc_boolean_t onoff);
+ isc_entropy_usehook(isc_entropy_t *ectx, bool onoff);
/*!<
- * \brief Mark/unmark the given entropy structure as being hooked.
+ * \brief Configure entropy context 'ectx' to use the hook function
@@ -694,7 +686,7 @@ index d9deb8a..2d37363 100644
ISC_LANG_ENDDECLS
diff --git a/lib/isc/include/isc/random.h b/lib/isc/include/isc/random.h
-index ba53ebf..b575728 100644
+index f8aed34..17c551b 100644
--- a/lib/isc/include/isc/random.h
+++ b/lib/isc/include/isc/random.h
@@ -9,8 +9,6 @@
@@ -737,8 +729,8 @@ index ba53ebf..b575728 100644
ISC_LANG_BEGINDECLS
@@ -115,8 +123,8 @@ isc_rng_random(isc_rng_t *rngctx);
- isc_uint16_t
- isc_rng_uniformrandom(isc_rng_t *rngctx, isc_uint16_t upper_bound);
+ uint16_t
+ isc_rng_uniformrandom(isc_rng_t *rngctx, uint16_t upper_bound);
/*%<
- * Returns a uniformly distributed pseudo random 16-bit unsigned
- * integer.
@@ -748,10 +740,10 @@ index ba53ebf..b575728 100644
ISC_LANG_ENDDECLS
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
-index 8d496ff..dd08187 100644
+index cd797a6..589da07 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
-@@ -1106,7 +1106,7 @@ options_clauses[] = {
+@@ -1109,7 +1109,7 @@ options_clauses[] = {
{ "pid-file", &cfg_type_qstringornone, 0 },
{ "port", &cfg_type_uint32, 0 },
{ "querylog", &cfg_type_boolean, 0 },
diff --git a/bind-95-rh452060.patch b/bind-95-rh452060.patch
index dac3a8d..c57ccab 100644
--- a/bind-95-rh452060.patch
+++ b/bind-95-rh452060.patch
@@ -1,34 +1,34 @@
diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
-index f657c30..ff9a2d2 100644
+index aa5315d..1fa711a 100644
--- a/bin/dig/dighost.c
+++ b/bin/dig/dighost.c
-@@ -1694,6 +1694,13 @@ clear_query(dig_query_t *query) {
+@@ -1814,6 +1814,13 @@ clear_query(dig_query_t *query) {
if (query->timer != NULL)
isc_timer_detach(&query->timer);
+
+ if (query->waiting_senddone) {
+ debug("send_done not yet called");
-+ query->pending_free = ISC_TRUE;
++ query->pending_free = true;
+ return;
+ }
+
lookup = query->lookup;
if (lookup->current_query == query)
-@@ -1719,10 +1726,7 @@ clear_query(dig_query_t *query) {
+@@ -1839,10 +1846,7 @@ clear_query(dig_query_t *query) {
isc_mempool_put(commctx, query->recvspace);
isc_buffer_invalidate(&query->recvbuf);
isc_buffer_invalidate(&query->lengthbuf);
- if (query->waiting_senddone)
-- query->pending_free = ISC_TRUE;
+- query->pending_free = true;
- else
- isc_mem_free(mctx, query);
+ isc_mem_free(mctx, query);
}
/*%
-@@ -2811,9 +2815,9 @@ send_done(isc_task_t *_task, isc_event_t *event) {
+@@ -2892,9 +2896,9 @@ send_done(isc_task_t *_task, isc_event_t *event) {
isc_event_free(&event);
if (query->pending_free)
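Review bot: The early return on `query->waiting_senddone` in clear_query() carries no comment saying what finishes the teardown, even though the patch apparently exists to keep the query intact while a send is outstanding. The removed lines show the old order returned `recvspace` to the pool and invalidated both buffers before deferring only `isc_mem_free()`; the new order defers everything after the timer detach, so the function is entered a second time for such a query. I would add above the check `/* Send still in flight: keep the query and its buffers intact; send_done() must finish the cleanup once it sees pending_free. */`. The send_done() side is cut off after `if (query->pending_free)` in this view, so that it re-runs the cleanup is presumed rather than shown, and clear_query() itself starts and ends outside the hunk.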
diff --git a/bind.spec b/bind.spec
index 2b22c57..b557e44 100644
--- a/bind.spec
+++ b/bind.spec
@@ -2,7 +2,7 @@
# Red Hat BIND package .spec file
#
-%global PATCHVER P2
+#%%global PATCHVER P2
#%%global PREVER rc1
%global BINDVERSION %{version}%{?PREVER}%{?PATCHVER:-%{PATCHVER}}
@@ -43,16 +43,16 @@
#
# lib*.so.X versions of selected libraries
-%global sover_dns 1102
-%global sover_isc 169
-%global sover_irs 160
-%global sover_isccfg 160
+%global sover_dns 1104
+%global sover_isc 1100
+%global sover_irs 161
+%global sover_isccfg 163
Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server
Name: bind
License: MPLv2.0
-Version: 9.11.4
-Release: 12%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
+Version: 9.11.5
+Release: 1%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
Epoch: 32
Url:
http://www.isc.org/products/BIND/
#
@@ -452,7 +452,7 @@ are used for building ISC DHCP.
%patch72 -p1 -b .64bit
%endif
%patch102 -p1 -b .rh452060
-%patch106 -p0 -b .rh490837
+%patch106 -p1 -b .rh490837
%patch109 -p1 -b .rh478718
%patch112 -p1 -b .rh645544
%patch130 -p1 -b .libdb
@@ -1193,9 +1193,9 @@ rm -rf ${RPM_BUILD_ROOT}
%endif
%files libs
-%{_libdir}/libbind9.so.160*
-%{_libdir}/libisccc.so.160*
-%{_libdir}/liblwres.so.160*
+%{_libdir}/libbind9.so.161*
+%{_libdir}/libisccc.so.161*
+%{_libdir}/liblwres.so.161*
%files libs-lite
%{_libdir}/libdns.so.%{sover_dns}*
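Review bot: The three entries under `%files libs` still hard-code the soname (`libbind9.so.161*`, `libisccc.so.161*`, `liblwres.so.161*`) while the `%files libs-lite` entry right below uses `%{sover_dns}`, so every rebase needs edits in two places that can drift apart. Defining them beside the other `sover_*` globals, e.g. `%global sover_bind9 161`, and listing `%{_libdir}/libbind9.so.%{sover_bind9}*` would keep the bump in one spot. The macro name is a suggestion, not something the spec already defines.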
@@ -1446,6 +1446,9 @@ rm -rf ${RPM_BUILD_ROOT}
%changelog
+* Wed Oct 24 2018 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-1
+- Update to 9.11.5
+
* Tue Oct 02 2018 Petr Menk <pemensik(a)redhat.com> - 32:9.11.4-12.P2
- Add Requires to devel packages referenced by bind-devel
diff --git a/bind93-rh490837.patch b/bind93-rh490837.patch
index 230d7a7..6ea55ba 100644
--- a/bind93-rh490837.patch
+++ b/bind93-rh490837.patch
@@ -1,13 +1,22 @@
-? patch
-? lib/isc/lex.c.rh490837
-Index: lib/isc/lex.c
-===================================================================
-RCS file: /var/snap/bind9/lib/isc/lex.c,v
-retrieving revision 1.86
-diff -p -u -r1.86 lex.c
---- lib/isc/lex.c 17 Sep 2007 09:56:29 -0000 1.86
-+++ lib/isc/lex.c 6 Apr 2009 13:24:15 -0000
-@@ -425,17 +425,14 @@ isc_lex_gettoken(isc_lex_t *lex, unsigne
+diff --git a/lib/isc/include/isc/stdio.h b/lib/isc/include/isc/stdio.h
+index 1f44b5a..a3625f9 100644
+--- a/lib/isc/include/isc/stdio.h
++++ b/lib/isc/include/isc/stdio.h
+@@ -69,6 +69,9 @@ isc_stdio_sync(FILE *f);
+ * direct counterpart in the stdio library.
+ */
+
++isc_result_t
++isc_stdio_fgetc(FILE *f, int *ret);
++
+ ISC_LANG_ENDDECLS
+
+ #endif /* ISC_STDIO_H */
+diff --git a/lib/isc/lex.c b/lib/isc/lex.c
+index a8955bc..fc6103b 100644
+--- a/lib/isc/lex.c
++++ b/lib/isc/lex.c
+@@ -434,17 +434,14 @@ isc_lex_gettoken(isc_lex_t *lex, unsigned int options, isc_token_t
*tokenp) {
if (source->is_file) {
stream = source->input;
@@ -28,34 +37,14 @@ diff -p -u -r1.86 lex.c
goto done;
}
+
- source->at_eof = ISC_TRUE;
+ source->at_eof = true;
}
} else {
-Index: lib/isc/include/isc/stdio.h
-===================================================================
-RCS file: /var/snap/bind9/lib/isc/include/isc/stdio.h,v
-retrieving revision 1.13
-diff -p -u -r1.13 stdio.h
---- lib/isc/include/isc/stdio.h 19 Jun 2007 23:47:18 -0000 1.13
-+++ lib/isc/include/isc/stdio.h 6 Apr 2009 13:24:15 -0000
-@@ -72,6 +72,9 @@ isc_stdio_sync(FILE *f);
- * direct counterpart in the stdio library.
- */
-
-+isc_result_t
-+isc_stdio_fgetc(FILE *f, int *ret);
-+
- ISC_LANG_ENDDECLS
-
- #endif /* ISC_STDIO_H */
-Index: lib/isc/unix/errno2result.c
-===================================================================
-RCS file: /var/snap/bind9/lib/isc/unix/errno2result.c,v
-retrieving revision 1.17
-diff -p -u -r1.17 errno2result.c
---- lib/isc/unix/errno2result.c 19 Jun 2007 23:47:18 -0000 1.17
-+++ lib/isc/unix/errno2result.c 6 Apr 2009 13:24:15 -0000
-@@ -43,6 +43,7 @@ isc__errno2result(int posixerrno) {
+diff --git a/lib/isc/unix/errno2result.c b/lib/isc/unix/errno2result.c
+index 2f12bcc..5bfd648 100644
+--- a/lib/isc/unix/errno2result.c
++++ b/lib/isc/unix/errno2result.c
+@@ -40,6 +40,7 @@ isc___errno2result(int posixerrno, bool dolog,
case EINVAL: /* XXX sometimes this is not for files */
case ENAMETOOLONG:
case EBADF:
@@ -63,14 +52,11 @@ diff -p -u -r1.17 errno2result.c
return (ISC_R_INVALIDFILE);
case ENOENT:
return (ISC_R_FILENOTFOUND);
-Index: lib/isc/unix/stdio.c
-===================================================================
-RCS file: /var/snap/bind9/lib/isc/unix/stdio.c,v
-retrieving revision 1.8
-diff -p -u -r1.8 stdio.c
---- lib/isc/unix/stdio.c 19 Jun 2007 23:47:18 -0000 1.8
-+++ lib/isc/unix/stdio.c 6 Apr 2009 13:24:15 -0000
-@@ -115,3 +115,22 @@ isc_stdio_sync(FILE *f) {
+diff --git a/lib/isc/unix/stdio.c b/lib/isc/unix/stdio.c
+index e60fa65..77f0b13 100644
+--- a/lib/isc/unix/stdio.c
++++ b/lib/isc/unix/stdio.c
+@@ -149,3 +149,22 @@ isc_stdio_sync(FILE *f) {
return (isc__errno2result(errno));
}
diff --git a/sources b/sources
index 43558ac..f7e1978 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (bind-9.11.4-P2.tar.gz) =
6c01810526fc40485a6c0403d1ddc3b76d2e59b3426b5789436bd671f158d2fa0ea7c0aef2de81998ec715dabd06683fed7b17224d5c794c61e7100a69d4cb60
+SHA512 (bind-9.11.5.tar.gz) =
7e34c8033dabaed232479b1dc2849d1247c0137bcb2b63f08f8f72ff2cca0f73e0f05d0b9b8959f8c4db8ee36a700af30fe869be186c7bab7c81a25843384b8d
SHA512 (config-18.tar.bz2) =
c0a0a1fd58a7e2c09fe69915b9a4c682d1b6c96e78583f63ce5355f663c9509d28facfd3aa078b228b69954d0af4bfa484ef661a9568aaafe6eade97dda3c3d9