diff --git a/Makefile.in.diff b/Makefile.in.diff index 9a651cf..dd48504 100644 --- a/Makefile.in.diff +++ b/Makefile.in.diff @@ -1,8 +1,8 @@ -Index: bind-9.9.3-P1/bin/named/Makefile.in +Index: bind-9.11.2/bin/named/Makefile.in =================================================================== ---- bind-9.9.3-P1.orig/bin/named/Makefile.in -+++ bind-9.9.3-P1/bin/named/Makefile.in -@@ -173,9 +173,7 @@ installdirs: +--- bind-9.11.2.orig/bin/named/Makefile.in 2017-07-24 07:36:50.000000000 +0200 ++++ bind-9.11.2/bin/named/Makefile.in 2017-08-15 10:27:54.263889946 +0200 +@@ -168,9 +168,7 @@ installdirs: install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir} (cd ${DESTDIR}${sbindir}; rm -f lwresd@EXEEXT@; @LN@ named@EXEEXT@ lwresd@EXEEXT@) @@ -11,5 +11,5 @@ Index: bind-9.9.3-P1/bin/named/Makefile.in - ${INSTALL_DATA} ${srcdir}/named.conf.5 ${DESTDIR}${mandir}/man5 + for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man$${m##*.}; done - @DLZ_DRIVER_RULES@ - + uninstall:: + rm -f ${DESTDIR}${mandir}/man5/named.conf.5 diff --git a/baselibs.conf b/baselibs.conf index 49c5207..50c7654 100644 --- a/baselibs.conf +++ b/baselibs.conf 
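Review bot: The install loop that this refresh carries over unchanged, `for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man$${m##*.}; done`, hands make only the exit status of the last iteration, so a failed copy of an earlier man page is silently ignored. Appending `|| exit 1` to the `${INSTALL_DATA}` command inside the loop restores fail-fast behaviour. The new `uninstall::` context lines remove only named.conf.5; whether the remaining pages in ${MANPAGES} are removed further down is outside this hunk.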
@@ -1,25 +1,18 @@
-libbind9-140
-libdns165
-libidnkit1
-libidnkitlite1
-libidnkitres1
-libirs141
-libisc160
+libbind9-160
+libdns169
+libirs160
+libisc166
 obsoletes "bind-libs- = "
 provides "bind-libs- = "
-libisccc140
-libisccfg140
-liblwres141
+libisccc160
+libisccfg160
+liblwres160
 bind-devel
 requires -bind-
- requires "libbind9-140- = "
- requires "libdns165- = "
- requires "libirs141- = "
- requires "libisc160- = "
- requires "libisccc140- = "
- requires "libisccfg140- = "
- requires "liblwres141- = "
-idnkit-devel
- requires "libdns165- = "
- requires "libidnkit1- = "
- requires "libidnkitlite1- = "
+ requires "libbind9-160- = "
+ requires "libdns169- = "
+ requires "libirs160- = "
+ requires "libisc166- = "
+ requires "libisccc160- = "
+ requires "libisccfg160- = "
+ requires "liblwres160- = "
diff --git a/bind-9.10.4-P5.tar.gz b/bind-9.10.4-P5.tar.gz
deleted file mode 100644
index 98f08d2..0000000
--- a/bind-9.10.4-P5.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:89c47b413613feddb1b623ad092f3def2247402e4148c464dbc6c0021e3f0feb
-size 9303205
diff --git a/bind-9.10.4-P5.tar.gz.asc b/bind-9.10.4-P5.tar.gz.asc
deleted file mode 100644
index 17a4cf4..0000000
--- a/bind-9.10.4-P5.tar.gz.asc
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1.4.11 (GNU/Linux)
-
-iQIcBAABAgAGBQJYUCKuAAoJEPGxG/Bc8C5XAawQAL/ZOekecEnCL9G7htXCttBd
-1C/5l42RhgEi0dqclc4BfqB8PqHKYiTEpRrouyQjNBJTjw/KLFST5BfHDyRJ/1BB
-z7+b5TNuPyM+v29j5eT7l//Y5C92CNazu7fwbKgq3+Nz1XrGCC1gMD2/45GwB8BA
-WMTEYCPqBPwfu2Rhg/pcAga/5a9ymTzFTlB/sZJ74gMpjEMDdqeR3tILAqGzIOGE
-kORJspF2ZKCvzCmv1ATP5VFH+iUgY/8nE0vuiun+cXXYlqLXVcyNWdgFgMx5ozcE
-Wrf6MSjgdh697C8rvdJEld7xcOC6XGZLU1RgykloW+rb19pLliEi5chPtWVEuVSm
-Hn9HqzUZSrmmqZpgHvbQvhVYoJsIgfS3lRdQIqiRZn2oKnUdHW7FwOU/ZH+L5elK
-Ggta7UYNZvLsGPtu997hZNB7javrlUGLVZzgl/LB4mBa2xI+hMgAyOE09CsTvVAE
-yBVuxnJ/L2yIjtdO7fy5C9HGyzN+vf5WUxZcfKpi1zLByEp9Pm71O0YWW9LNeU14
-qAFEcE3vvV0pAgE9tVBIPYf7AtO8O2tZVR/AGl9suacLzh5vXWy8WyXqPbZvBhQ/
-zVVhxlVIJQ9JtVfB1L8t2GT2lgMIN58V45C6ulXuN9RbcwbNerLBHDyIyzLBgX6p
-lFafztjStRds/JW9cnkd
-=Kgbj
------END PGP SIGNATURE-----
diff --git a/bind-9.11.2.tar.gz b/bind-9.11.2.tar.gz
new file mode 100644
index 0000000..7ad4be6
--- /dev/null
+++ b/bind-9.11.2.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7f46ad8620f7c3b0ac375d7a5211b15677708fda84ce25d7aeb7222fe2e3c77a
+size 9782180
diff --git a/bind-9.11.2.tar.gz.asc b/bind-9.11.2.tar.gz.asc
new file mode 100644
index 0000000..8a48e52
--- /dev/null
+++ b/bind-9.11.2.tar.gz.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iQIcBAABAgAGBQJZea3wAAoJEPGxG/Bc8C5Xh2oP/R1iUkk2l5Gp67xfitJLaFM6
+uA5t+pezactdPzwQkP30R5DxC05h3LHV1jBwC39Y9AzAcq4TNXqg4yClQmGSFfoS
+JTM5LXguCw2LLqd1VzQgSTAb6Urmk+1HToasN5ct6u/gTi1W6l7Hg8aZrqPYKtov
+0bI7wmo6z+vH+vgbl0hHoHBxdZaamt8VTIhBF/JP59WkxJHalf90VrDK/Ivx+lZY
+9d0QjqCJsQZpZ9tGn01WW73NQQxtitrT0RoKfPWNp218QnJUZgebXvxxzxxarC/N
+4HI8+vQTDQMWq6DS64ipZ0PhJofnQKHuTWg3qX/PTGNuDkrqRGAPBsEsbPv4Flqi
+ieaf50ky+68ghBcGDS8DyFFXhZjjnIGQKgE5j3xlxqEqvmE944kMx/ty5/7rUCI4
+50zHJE6zfrsDaRAAOtudzw3nmI6lpetEk67k9u67rojZL36BVXrZPiUPldpToD9s
+sJpep6KuEVG//Xcc5DVrmfYvxUASVa7uAPOfyvgSlW2f4xb7x2ZAS5t3H8/M5CiT
+S+fiGzcGQAzckylwqOlVM/JfWkM19z56uE4kShMR8bj0oHE/zOFpfqFWpQ/jhxy6
+fIGrBFLAbm1wGOOhntN7833+OkOeucVqrBRTZ+HE4sRI4P0t2sZFtStYRV89TDPu
+TwWLWtNVQ8rHKTKNAdkn
+=q9OM
+-----END PGP SIGNATURE-----
diff --git a/bind-99-libidn.patch b/bind-99-libidn.patch
new file mode 100644
index 0000000..df2125d
--- /dev/null
+++ b/bind-99-libidn.patch
@@ -0,0 +1,297 @@ +diff --git a/bin/dig/Makefile.in b/bin/dig/Makefile.in +index bd219c5..f71685b 100644 +--- a/bin/dig/Makefile.in ++++ b/bin/dig/Makefile.in +@@ -38,10 +38,10 @@ DEPLIBS = ${DNSDEPLIBS} ${BIND9DEPLIBS} ${ISCDEPLIBS} \ + ${ISCCFGDEPLIBS} ${LWRESDEPLIBS} + + LIBS = ${LWRESLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \ +- ${ISCLIBS} @IDNLIBS@ @LIBS@ ++ ${ISCLIBS} @IDNLIBS@ @LIBS@ -lidn + + NOSYMLIBS = ${LWRESLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \ +- ${ISCNOSYMLIBS} @IDNLIBS@ @LIBS@ ++ ${ISCNOSYMLIBS} @IDNLIBS@ @LIBS@ -lidn + + SUBDIRS = + +@@ -59,6 +59,8 @@ HTMLPAGES = dig.html host.html nslookup.html + + MANOBJS = ${MANPAGES} ${HTMLPAGES} + ++EXT_CFLAGS = -DWITH_LIBIDN ++ + @BIND9_MAKE_RULES@ + + dig@EXEEXT@: dig.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS} +diff --git a/bin/dig/dig.docbook b/bin/dig/dig.docbook +index 7a7e8e4..b36047f 100644 +--- a/bin/dig/dig.docbook ++++ b/bin/dig/dig.docbook +@@ -1251,8 +1251,8 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr + dig appropriately converts character encoding of + domain name before sending a request to DNS server or displaying a + reply from the server. +- If you'd like to turn off the IDN support for some reason, defines +- the IDN_DISABLE environment variable. ++ If you'd like to turn off the IDN support for some reason, define ++ the CHARSET=ASCII environment variable. + The IDN support is disabled if the variable is set when + dig runs. 
+ +diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c +index 1f8bcf2..f657c30 100644 +--- a/bin/dig/dighost.c ++++ b/bin/dig/dighost.c +@@ -33,6 +33,11 @@ + #include + #endif + ++#ifdef WITH_LIBIDN ++#include ++#include ++#endif ++ + #include + #ifdef DIG_SIGCHASE + #include +@@ -158,6 +163,14 @@ static void idn_check_result(idn_result_t r, const char *msg); + int idnoptions = 0; + #endif + ++#ifdef WITH_LIBIDN ++static isc_result_t libidn_locale_to_utf8 (const char* from, char *to); ++static isc_result_t libidn_utf8_to_ascii (const char* from, char *to); ++static isc_result_t output_filter (isc_buffer_t *buffer, ++ unsigned int used_org, ++ isc_boolean_t absolute); ++#endif ++ + isc_socket_t *keep = NULL; + isc_sockaddr_t keepaddr; + +@@ -1448,8 +1461,15 @@ setup_system(isc_boolean_t ipv4only, isc_boolean_t ipv6only) { + + #ifdef WITH_IDN + initialize_idn(); ++ ++#endif ++#ifdef WITH_LIBIDN ++ result = dns_name_settotextfilter(output_filter); ++ check_result(result, "dns_name_settotextfilter"); ++#ifdef HAVE_SETLOCALE ++ setlocale (LC_ALL, ""); ++#endif + #endif +- + if (keyfile[0] != 0) + setup_file_key(); + else if (keysecret[0] != 0) +@@ -2231,8 +2251,11 @@ setup_lookup(dig_lookup_t *lookup) { + idn_result_t mr; + char utf8_textname[MXNAME], utf8_origin[MXNAME], idn_textname[MXNAME]; + #endif ++#ifdef WITH_LIBIDN ++ char utf8_str[MXNAME], utf8_name[MXNAME], ascii_name[MXNAME]; ++#endif + +-#ifdef WITH_IDN ++#if defined (WITH_IDN) || defined (WITH_LIBIDN) + result = dns_name_settotextfilter(lookup->idnout ? 
+ output_filter : NULL); + check_result(result, "dns_name_settotextfilter"); +@@ -2274,6 +2297,14 @@ setup_lookup(dig_lookup_t *lookup) { + mr = idn_encodename(IDN_LOCALCONV | IDN_DELIMMAP, lookup->textname, + utf8_textname, sizeof(utf8_textname)); + idn_check_result(mr, "convert textname to UTF-8"); ++#elif defined (WITH_LIBIDN) ++ result = libidn_locale_to_utf8 (lookup->textname, utf8_str); ++ check_result (result, "convert textname to UTF-8"); ++ len = strlen (utf8_str); ++ if (len < MXNAME) ++ (void) strcpy (utf8_name, utf8_str); ++ else ++ fatal ("Too long name"); + #endif + + /* +@@ -2286,15 +2317,11 @@ setup_lookup(dig_lookup_t *lookup) { + if (lookup->new_search) { + #ifdef WITH_IDN + if ((count_dots(utf8_textname) >= ndots) || !usesearch) { +- lookup->origin = NULL; /* Force abs lookup */ +- lookup->done_as_is = ISC_TRUE; +- lookup->need_search = usesearch; +- } else if (lookup->origin == NULL && usesearch) { +- lookup->origin = ISC_LIST_HEAD(search_list); +- lookup->need_search = ISC_FALSE; +- } ++#elif defined (WITH_LIBIDN) ++ if ((count_dots(utf8_name) >= ndots) || !usesearch) { + #else + if ((count_dots(lookup->textname) >= ndots) || !usesearch) { ++#endif + lookup->origin = NULL; /* Force abs lookup */ + lookup->done_as_is = ISC_TRUE; + lookup->need_search = usesearch; +@@ -2302,7 +2329,6 @@ setup_lookup(dig_lookup_t *lookup) { + lookup->origin = ISC_LIST_HEAD(search_list); + lookup->need_search = ISC_FALSE; + } +-#endif + } + + #ifdef WITH_IDN +@@ -2319,6 +2345,20 @@ setup_lookup(dig_lookup_t *lookup) { + IDN_IDNCONV | IDN_LENCHECK, utf8_textname, + idn_textname, sizeof(idn_textname)); + idn_check_result(mr, "convert UTF-8 textname to IDN encoding"); ++#elif defined (WITH_LIBIDN) ++ if (lookup->origin != NULL) { ++ result = libidn_locale_to_utf8 (lookup->origin->origin, utf8_str); ++ check_result (result, "convert origin to UTF-8"); ++ if (len > 0 && utf8_name[len - 1] != '.') { ++ utf8_name[len++] = '.'; ++ if (len + strlen (utf8_str) < MXNAME) ++ 
(void) strcpy (utf8_name + len, utf8_str); ++ else ++ fatal ("Too long name + origin"); ++ } ++ } ++ ++ result = libidn_utf8_to_ascii (utf8_name, ascii_name); + #else + if (lookup->origin != NULL) { + debug("trying origin %s", lookup->origin->origin); +@@ -2389,6 +2429,13 @@ setup_lookup(dig_lookup_t *lookup) { + result = dns_name_fromtext(lookup->name, &b, + dns_rootname, 0, + &lookup->namebuf); ++#elif defined (WITH_LIBIDN) ++ len = strlen (ascii_name); ++ isc_buffer_init(&b, ascii_name, len); ++ isc_buffer_add(&b, len); ++ result = dns_name_fromtext(lookup->name, &b, ++ dns_rootname, 0, ++ &lookup->namebuf); + #else + len = (unsigned int) strlen(lookup->textname); + isc_buffer_init(&b, lookup->textname, len); +@@ -4377,7 +4424,7 @@ destroy_libs(void) { + void * ptr; + dig_message_t *chase_msg; + #endif +-#ifdef WITH_IDN ++#if defined (WITH_IDN) || defined (WITH_LIBIDN) + isc_result_t result; + #endif + +@@ -4418,6 +4465,10 @@ destroy_libs(void) { + result = dns_name_settotextfilter(NULL); + check_result(result, "dns_name_settotextfilter"); + #endif ++#ifdef WITH_LIBIDN ++ result = dns_name_settotextfilter (NULL); ++ check_result(result, "clearing dns_name_settotextfilter"); ++#endif + dns_name_destroy(); + + if (commctx != NULL) { +@@ -4603,6 +4654,97 @@ idn_check_result(idn_result_t r, const char *msg) { + } + } + #endif /* WITH_IDN */ ++#ifdef WITH_LIBIDN ++static isc_result_t ++libidn_locale_to_utf8 (const char *from, char *to) { ++ char *utf8_str; ++ ++ debug ("libidn_locale_to_utf8"); ++ utf8_str = stringprep_locale_to_utf8 (from); ++ if (utf8_str != NULL) { ++ (void) strcpy (to, utf8_str); ++ free (utf8_str); ++ return ISC_R_SUCCESS; ++ } ++ ++ debug ("libidn_locale_to_utf8: failure"); ++ return ISC_R_FAILURE; ++} ++static isc_result_t ++libidn_utf8_to_ascii (const char *from, char *to) { ++ char *ascii; ++ int iresult; ++ ++ debug ("libidn_utf8_to_ascii"); ++ iresult = idna_to_ascii_8z (from, &ascii, 0); ++ if (iresult != IDNA_SUCCESS) { ++ debug 
("idna_to_ascii_8z: %s", idna_strerror (iresult)); ++ return ISC_R_FAILURE; ++ } ++ ++ (void) strcpy (to, ascii); ++ free (ascii); ++ return ISC_R_SUCCESS; ++} ++ ++static isc_result_t ++output_filter (isc_buffer_t *buffer, unsigned int used_org, ++ isc_boolean_t absolute) { ++ ++ char tmp1[MXNAME], *tmp2; ++ size_t fromlen, tolen; ++ isc_boolean_t end_with_dot; ++ int iresult; ++ ++ debug ("output_filter"); ++ ++ fromlen = isc_buffer_usedlength (buffer) - used_org; ++ if (fromlen >= MXNAME) ++ return ISC_R_SUCCESS; ++ memcpy (tmp1, (char *) isc_buffer_base (buffer) + used_org, fromlen); ++ end_with_dot = (tmp1[fromlen - 1] == '.') ? ISC_TRUE : ISC_FALSE; ++ if (absolute && !end_with_dot) { ++ fromlen++; ++ if (fromlen >= MXNAME) ++ return ISC_R_SUCCESS; ++ tmp1[fromlen - 1] = '.'; ++ } ++ tmp1[fromlen] = '\0'; ++ ++ iresult = idna_to_unicode_8z8z (tmp1, &tmp2, 0); ++ if (iresult != IDNA_SUCCESS) { ++ debug ("output_filter: %s", idna_strerror (iresult)); ++ return ISC_R_SUCCESS; ++ } ++ ++ (void) strcpy (tmp1, tmp2); ++ free (tmp2); ++ ++ tmp2 = stringprep_utf8_to_locale (tmp1); ++ if (tmp2 == NULL) { ++ debug ("output_filter: stringprep_utf8_to_locale failed"); ++ return ISC_R_SUCCESS; ++ } ++ ++ (void) strcpy (tmp1, tmp2); ++ free (tmp2); ++ ++ tolen = strlen (tmp1); ++ if (absolute && !end_with_dot && tmp1[tolen - 1] == '.') ++ tolen--; ++ ++ if (isc_buffer_length (buffer) < used_org + tolen) ++ return ISC_R_NOSPACE; ++ ++ debug ("%s", tmp1); ++ ++ isc_buffer_subtract (buffer, isc_buffer_usedlength (buffer) - used_org); ++ memcpy (isc_buffer_used (buffer), tmp1, tolen); ++ isc_buffer_add (buffer, tolen); ++ ++ return ISC_R_SUCCESS; ++} ++#endif /* WITH_LIBIDN*/ + + #ifdef DIG_SIGCHASE + void diff --git a/bind-CVE-2017-3135.patch b/bind-CVE-2017-3135.patch deleted file mode 100644 index e02cdd7..0000000 --- a/bind-CVE-2017-3135.patch +++ /dev/null 
@@ -1,645 +0,0 @@ -Index: bind-9.10.4-P5/bin/tests/system/dname/ans3/ans.pl -=================================================================== ---- /dev/null -+++ bind-9.10.4-P5/bin/tests/system/dname/ans3/ans.pl -@@ -0,0 +1,95 @@ -+#!/usr/bin/env perl -+# -+# Copyright (C) 2014-2016 Internet Systems Consortium, Inc. ("ISC") -+# -+# This Source Code Form is subject to the terms of the Mozilla Public -+# License, v. 2.0. If a copy of the MPL was not distributed with this -+# file, You can obtain one at http://mozilla.org/MPL/2.0/. -+ -+use strict; -+use warnings; -+ -+use IO::File; -+use Getopt::Long; -+use Net::DNS::Nameserver; -+ -+my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!"; -+print $pidf "$$\n" or die "cannot write pid file: $!"; -+$pidf->close or die "cannot close pid file: $!"; -+sub rmpid { unlink "ans.pid"; exit 1; }; -+ -+$SIG{INT} = \&rmpid; -+$SIG{TERM} = \&rmpid; -+ -+my $localaddr = "10.53.0.3"; -+my $localport = 5300; -+my $verbose = 0; -+my $ttl = 60; -+my $zone = "example.broken"; -+my $nsname = "ns3.$zone"; -+my $synth = "synth-then-dname.$zone"; -+my $synth2 = "synth2-then-dname.$zone"; -+ -+sub reply_handler { -+ my ($qname, $qclass, $qtype, $peerhost, $query, $conn) = @_; -+ my ($rcode, @ans, @auth, @add); -+ -+ print ("request: $qname/$qtype\n"); -+ STDOUT->flush(); -+ -+ if ($qname eq "example.broken") { -+ if ($qtype eq "SOA") { -+ my $rr = new Net::DNS::RR("$qname $ttl $qclass SOA . . 
0 0 0 0 0"); -+ push @ans, $rr; -+ } elsif ($qtype eq "NS") { -+ my $rr = new Net::DNS::RR("$qname $ttl $qclass NS $nsname"); -+ push @ans, $rr; -+ $rr = new Net::DNS::RR("$nsname $ttl $qclass A $localaddr"); -+ push @add, $rr; -+ } -+ $rcode = "NOERROR"; -+ } elsif ($qname eq "cname-to-$synth2") { -+ my $rr = new Net::DNS::RR("$qname $ttl $qclass CNAME name.$synth2"); -+ push @ans, $rr; -+ $rr = new Net::DNS::RR("name.$synth2 $ttl $qclass CNAME name"); -+ push @ans, $rr; -+ $rr = new Net::DNS::RR("$synth2 $ttl $qclass DNAME ."); -+ push @ans, $rr; -+ $rcode = "NOERROR"; -+ } elsif ($qname eq "$synth" || $qname eq "$synth2") { -+ if ($qtype eq "DNAME") { -+ my $rr = new Net::DNS::RR("$qname $ttl $qclass DNAME ."); -+ push @ans, $rr; -+ } -+ $rcode = "NOERROR"; -+ } elsif ($qname eq "name.$synth") { -+ my $rr = new Net::DNS::RR("$qname $ttl $qclass CNAME name."); -+ push @ans, $rr; -+ $rr = new Net::DNS::RR("$synth $ttl $qclass DNAME ."); -+ push @ans, $rr; -+ $rcode = "NOERROR"; -+ } elsif ($qname eq "name.$synth2") { -+ my $rr = new Net::DNS::RR("$qname $ttl $qclass CNAME name."); -+ push @ans, $rr; -+ $rr = new Net::DNS::RR("$synth2 $ttl $qclass DNAME ."); -+ push @ans, $rr; -+ $rcode = "NOERROR"; -+ } else { -+ $rcode = "REFUSED"; -+ } -+ return ($rcode, \@ans, \@auth, \@add, { aa => 1 }); -+} -+ -+GetOptions( -+ 'port=i' => \$localport, -+ 'verbose!' => \$verbose, -+); -+ -+my $ns = Net::DNS::Nameserver->new( -+ LocalAddr => $localaddr, -+ LocalPort => $localport, -+ ReplyHandler => \&reply_handler, -+ Verbose => $verbose, -+); -+ -+$ns->main_loop; -Index: bind-9.10.4-P5/bin/tests/system/dname/ns1/root.db -=================================================================== ---- bind-9.10.4-P5.orig/bin/tests/system/dname/ns1/root.db -+++ bind-9.10.4-P5/bin/tests/system/dname/ns1/root.db -@@ -12,8 +12,6 @@ - ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - ; PERFORMANCE OF THIS SOFTWARE. 
- --; $Id: root.db,v 1.2 2011/03/18 21:14:19 fdupont Exp $ -- - $TTL 300 - . IN SOA gson.nominum.com. a.root.servers.nil. ( - 2000042100 ; serial -@@ -27,3 +25,6 @@ a.root-servers.nil. A 10.53.0.1 - - example. NS ns2.example. - ns2.example. A 10.53.0.2 -+ -+example.broken. NS ns3.example.broken. -+ns3.example.broken. A 10.53.0.3 -Index: bind-9.10.4-P5/bin/tests/system/dname/tests.sh -=================================================================== ---- bind-9.10.4-P5.orig/bin/tests/system/dname/tests.sh -+++ bind-9.10.4-P5/bin/tests/system/dname/tests.sh -@@ -20,6 +20,7 @@ SYSTEMTESTTOP=.. - . $SYSTEMTESTTOP/conf.sh - - status=0 -+n=0 - - echo "I:checking short dname from authoritative" - ret=0 -@@ -81,6 +82,26 @@ grep '^a.target.example.' dig.out.ns4.cn - if [ $ret != 0 ]; then echo "I:failed"; fi - status=`expr $status + $ret` - --echo "I:exit status: $status" -+n=`expr $n + 1` -+echo "I:checking dname is returned with synthesized cname before dname ($n)" -+ret=0 -+$DIG @10.53.0.4 -p 5300 name.synth-then-dname.example.broken A > dig.out.test$n -+grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1 -+grep '^name.synth-then-dname\.example\.broken\..*CNAME.*name.$' dig.out.test$n > /dev/null || ret=1 -+grep '^synth-then-dname\.example\.broken\..*DNAME.*\.$' dig.out.test$n > /dev/null || ret=1 -+if [ $ret != 0 ]; then echo "I:failed"; fi -+status=`expr $status + $ret` - --exit $status -+n=`expr $n + 1` -+echo "I:checking dname is returned with cname to synthesized cname before dname ($n)" -+ret=0 -+$DIG @10.53.0.4 -p 5300 cname-to-synth2-then-dname.example.broken A > dig.out.test$n -+grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1 -+grep '^cname-to-synth2-then-dname\.example\.broken\..*CNAME.*name\.synth2-then-dname\.example\.broken.$' dig.out.test$n > /dev/null || ret=1 -+grep '^name\.synth2-then-dname\.example\.broken\..*CNAME.*name.$' dig.out.test$n > /dev/null || ret=1 -+grep '^synth2-then-dname\.example\.broken\..*DNAME.*\.$' dig.out.test$n 
> /dev/null || ret=1 -+if [ $ret != 0 ]; then echo "I:failed"; fi -+status=`expr $status + $ret` -+ -+echo "I:exit status: $status" -+[ $status -eq 0 ] || exit 1 -Index: bind-9.10.4-P5/lib/dns/resolver.c -=================================================================== ---- bind-9.10.4-P5.orig/lib/dns/resolver.c -+++ bind-9.10.4-P5/lib/dns/resolver.c -@@ -6099,9 +6099,13 @@ cname_target(dns_rdataset_t *rdataset, d - return (ISC_R_SUCCESS); - } - -+/*% -+ * Construct the synthesised CNAME from the existing QNAME and -+ * the DNAME RR and store it in 'target'. -+ */ - static inline isc_result_t - dname_target(dns_rdataset_t *rdataset, dns_name_t *qname, -- unsigned int nlabels, dns_fixedname_t *fixeddname) -+ unsigned int nlabels, dns_name_t *target) - { - isc_result_t result; - dns_rdata_t rdata = DNS_RDATA_INIT; -@@ -6121,14 +6125,33 @@ dname_target(dns_rdataset_t *rdataset, d - - dns_fixedname_init(&prefix); - dns_name_split(qname, nlabels, dns_fixedname_name(&prefix), NULL); -- dns_fixedname_init(fixeddname); - result = dns_name_concatenate(dns_fixedname_name(&prefix), -- &dname.dname, -- dns_fixedname_name(fixeddname), NULL); -+ &dname.dname, target, NULL); - dns_rdata_freestruct(&dname); - return (result); - } - -+/*% -+ * Check if it was possible to construct 'qname' from 'lastcname' -+ * and 'rdataset'. 
-+ */ -+static inline isc_result_t -+fromdname(dns_rdataset_t *rdataset, dns_name_t *lastcname, -+ unsigned int nlabels, const dns_name_t *qname) -+{ -+ dns_fixedname_t fixed; -+ isc_result_t result; -+ dns_name_t *target; -+ -+ dns_fixedname_init(&fixed); -+ target = dns_fixedname_name(&fixed); -+ result = dname_target(rdataset, lastcname, nlabels, target); -+ if (result != ISC_R_SUCCESS || !dns_name_equal(qname, target)) -+ return (ISC_R_NOTFOUND); -+ -+ return (ISC_R_SUCCESS); -+} -+ - static isc_boolean_t - is_answeraddress_allowed(dns_view_t *view, dns_name_t *name, - dns_rdataset_t *rdataset) -@@ -6745,12 +6768,12 @@ answer_response(fetchctx_t *fctx) { - isc_result_t result; - dns_message_t *message; - dns_name_t *name, *dname = NULL, *qname, tname, *ns_name; -- dns_name_t *cname = NULL; -+ dns_name_t *cname = NULL, *lastcname = NULL; - dns_rdataset_t *rdataset, *ns_rdataset; -- isc_boolean_t done, external, chaining, aa, found, want_chaining; -+ isc_boolean_t done, external, aa, found, want_chaining; - isc_boolean_t have_answer, found_cname, found_dname, found_type; - isc_boolean_t wanted_chaining; -- unsigned int aflag; -+ unsigned int aflag, chaining; - dns_rdatatype_t type; - dns_fixedname_t fdname, fqname; - dns_view_t *view; -@@ -6768,9 +6791,9 @@ answer_response(fetchctx_t *fctx) { - found_cname = ISC_FALSE; - found_dname = ISC_FALSE; - found_type = ISC_FALSE; -- chaining = ISC_FALSE; - have_answer = ISC_FALSE; - want_chaining = ISC_FALSE; -+ chaining = 0; - POST(want_chaining); - if ((message->flags & DNS_MESSAGEFLAG_AA) != 0) - aa = ISC_TRUE; -@@ -6781,14 +6804,15 @@ answer_response(fetchctx_t *fctx) { - view = fctx->res->view; - result = dns_message_firstname(message, DNS_SECTION_ANSWER); - while (!done && result == ISC_R_SUCCESS) { -- dns_namereln_t namereln; -- int order; -- unsigned int nlabels; -+ dns_namereln_t namereln, lastreln; -+ int order, lastorder; -+ unsigned int nlabels, lastnlabels; - - name = NULL; - dns_message_currentname(message, 
DNS_SECTION_ANSWER, &name); - external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain)); - namereln = dns_name_fullcompare(qname, name, &order, &nlabels); -+ - if (namereln == dns_namereln_equal) { - wanted_chaining = ISC_FALSE; - for (rdataset = ISC_LIST_HEAD(name->list); -@@ -6894,6 +6918,7 @@ answer_response(fetchctx_t *fctx) { - &fctx->domain)) { - return (DNS_R_SERVFAIL); - } -+ lastcname = name; - } else if (rdataset->type == dns_rdatatype_rrsig - && rdataset->covers == - dns_rdatatype_cname -@@ -6917,7 +6942,7 @@ answer_response(fetchctx_t *fctx) { - rdataset->attributes |= - DNS_RDATASETATTR_CACHE; - rdataset->trust = dns_trust_answer; -- if (!chaining) { -+ if (chaining == 0) { - /* - * This data is "the" answer - * to our question only if -@@ -6994,10 +7019,21 @@ answer_response(fetchctx_t *fctx) { - * cause us to ignore the signatures of - * CNAMEs. - */ -- if (wanted_chaining) -- chaining = ISC_TRUE; -+ if (wanted_chaining && chaining < 2U) -+ chaining++; - } else { - dns_rdataset_t *dnameset = NULL; -+ isc_boolean_t synthcname = ISC_FALSE; -+ -+ if (lastcname != NULL) { -+ lastreln = dns_name_fullcompare(lastcname, -+ name, -+ &lastorder, -+ &lastnlabels); -+ if (lastreln == dns_namereln_subdomain && -+ lastnlabels == dns_name_countlabels(name)) -+ synthcname = ISC_TRUE; -+ } - - /* - * Look for a DNAME (or its SIG). Anything else is -@@ -7026,7 +7062,7 @@ answer_response(fetchctx_t *fctx) { - * If we're not chaining, then the DNAME and - * its signature should not be external. - */ -- if (!chaining && external) { -+ if (chaining == 0 && external) { - char qbuf[DNS_NAME_FORMATSIZE]; - char obuf[DNS_NAME_FORMATSIZE]; - -@@ -7044,16 +7080,9 @@ answer_response(fetchctx_t *fctx) { - /* - * If DNAME + synthetic CNAME then the - * namereln is dns_namereln_subdomain. -- * -- * If synthetic CNAME + DNAME then the -- * namereln is dns_namereln_commonancestor -- * and the number of label must match the -- * DNAME. This order is not RFC compliant. 
- */ -- - if (namereln != dns_namereln_subdomain && -- (namereln != dns_namereln_commonancestor || -- nlabels != dns_name_countlabels(name))) -+ !synthcname) - { - char qbuf[DNS_NAME_FORMATSIZE]; - char obuf[DNS_NAME_FORMATSIZE]; -@@ -7073,8 +7102,19 @@ answer_response(fetchctx_t *fctx) { - want_chaining = ISC_TRUE; - POST(want_chaining); - aflag = DNS_RDATASETATTR_ANSWER; -- result = dname_target(rdataset, qname, -- nlabels, &fdname); -+ dns_fixedname_init(&fdname); -+ dname = dns_fixedname_name(&fdname); -+ if (synthcname) { -+ result = fromdname(rdataset, -+ lastcname, -+ lastnlabels, -+ qname); -+ } else { -+ result = dname_target(rdataset, -+ qname, -+ nlabels, -+ dname); -+ } - if (result == ISC_R_NOSPACE) { - /* - * We can't construct the -@@ -7088,8 +7128,8 @@ answer_response(fetchctx_t *fctx) { - else - dnameset = rdataset; - -- dname = dns_fixedname_name(&fdname); -- if (!is_answertarget_allowed(view, -+ if (!synthcname && -+ !is_answertarget_allowed(view, - qname, rdataset->type, - dname, &fctx->domain)) - { -@@ -7110,7 +7150,13 @@ answer_response(fetchctx_t *fctx) { - name->attributes |= DNS_NAMEATTR_CACHE; - rdataset->attributes |= DNS_RDATASETATTR_CACHE; - rdataset->trust = dns_trust_answer; -- if (!chaining) { -+ /* -+ * If we are not chaining or the first CNAME -+ * is a synthesised CNAME before the DNAME. -+ */ -+ if ((chaining == 0) || -+ (chaining == 1U && synthcname)) -+ { - /* - * This data is "the" answer to - * our question only if we're -@@ -7120,9 +7166,12 @@ answer_response(fetchctx_t *fctx) { - if (aflag == DNS_RDATASETATTR_ANSWER) { - have_answer = ISC_TRUE; - found_dname = ISC_TRUE; -- if (cname != NULL) -+ if (cname != NULL && -+ synthcname) -+ { - cname->attributes &= - ~DNS_NAMEATTR_ANSWER; -+ } - name->attributes |= - DNS_NAMEATTR_ANSWER; - } -@@ -7140,26 +7189,35 @@ answer_response(fetchctx_t *fctx) { - * DNAME chaining. - */ - if (dnameset != NULL) { -- /* -- * Copy the dname into the qname fixed name. 
-- * -- * Although we check for failure of the copy -- * operation, in practice it should never fail -- * since we already know that the result fits -- * in a fixedname. -- */ -- dns_fixedname_init(&fqname); -- qname = dns_fixedname_name(&fqname); -- result = dns_name_copy(dname, qname, NULL); -- if (result != ISC_R_SUCCESS) -- return (result); -+ if (!synthcname) { -+ /* -+ * Copy the dname into the qname fixed -+ * name. -+ * -+ * Although we check for failure of the -+ * copy operation, in practice it -+ * should never fail since we already -+ * know that the result fits in a -+ * fixedname. -+ */ -+ dns_fixedname_init(&fqname); -+ qname = dns_fixedname_name(&fqname); -+ result = dns_name_copy(dname, qname, -+ NULL); -+ if (result != ISC_R_SUCCESS) -+ return (result); -+ } - wanted_chaining = ISC_TRUE; - name->attributes |= DNS_NAMEATTR_CHAINING; - dnameset->attributes |= - DNS_RDATASETATTR_CHAINING; - } -- if (wanted_chaining) -- chaining = ISC_TRUE; -+ /* -+ * Ensure that we can't ever get chaining == 1 -+ * above if we have processed a DNAME. -+ */ -+ if (wanted_chaining && chaining < 2U) -+ chaining += 2; - } - result = dns_message_nextname(message, DNS_SECTION_ANSWER); - } -@@ -7184,7 +7242,7 @@ answer_response(fetchctx_t *fctx) { - /* - * Did chaining end before we got the final answer? - */ -- if (chaining) { -+ if (chaining != 0) { - /* - * Yes. This may be a negative reply, so hand off - * authority section processing to the noanswer code. 
-@@ -7233,7 +7291,7 @@ answer_response(fetchctx_t *fctx) { - DNS_NAMEATTR_CACHE; - rdataset->attributes |= - DNS_RDATASETATTR_CACHE; -- if (aa && !chaining) -+ if (aa && chaining == 0) - rdataset->trust = - dns_trust_authauthority; - else -Index: bind-9.10.4-P5/bin/named/query.c -=================================================================== ---- bind-9.10.4-P5.orig/bin/named/query.c -+++ bind-9.10.4-P5/bin/named/query.c -@@ -6237,7 +6237,7 @@ query_find(ns_client_t *client, dns_fetc - dns_rpz_st_t *rpz_st; - isc_boolean_t resuming; - int line = -1; -- isc_boolean_t dns64_exclude, dns64; -+ isc_boolean_t dns64_exclude, dns64, rpz; - isc_boolean_t nxrewrite = ISC_FALSE; - isc_boolean_t redirected = ISC_FALSE; - dns_clientinfomethods_t cm; -@@ -6250,6 +6250,7 @@ query_find(ns_client_t *client, dns_fetc - char mbuf[BUFSIZ]; - char qbuf[DNS_NAME_FORMATSIZE]; - #endif -+ dns_name_t *rpzqname; - - CTRACE(ISC_LOG_DEBUG(3), "query_find"); - -@@ -6275,7 +6276,7 @@ query_find(ns_client_t *client, dns_fetc - zone = NULL; - need_wildcardproof = ISC_FALSE; - empty_wild = ISC_FALSE; -- dns64_exclude = dns64 = ISC_FALSE; -+ dns64_exclude = dns64 = rpz = ISC_FALSE; - options = 0; - resuming = ISC_FALSE; - is_zone = ISC_FALSE; -@@ -6465,6 +6466,7 @@ query_find(ns_client_t *client, dns_fetc - authoritative = ISC_FALSE; - version = NULL; - need_wildcardproof = ISC_FALSE; -+ rpz = ISC_FALSE; - - if (client->view->checknames && - !dns_rdata_checkowner(client->query.qname, -@@ -6606,11 +6608,29 @@ query_find(ns_client_t *client, dns_fetc - } - - /* -- * Now look for an answer in the database. -+ * Now look for an answer in the database. If this is a dns64 -+ * AAAA lookup on a rpz database adjust the qname. 
- */ -- result = dns_db_findext(db, client->query.qname, version, type, -+ if (dns64 && rpz) -+ rpzqname = client->query.rpz_st->p_name; -+ else -+ rpzqname = client->query.qname; -+ -+ result = dns_db_findext(db, rpzqname, version, type, - client->query.dboptions, client->now, - &node, fname, &cm, &ci, rdataset, sigrdataset); -+ /* -+ * Fixup fname and sigrdataset. -+ */ -+ if (dns64 && rpz) { -+ isc_result_t rresult; -+ -+ rresult = dns_name_copy(client->query.qname, fname, NULL); -+ RUNTIME_CHECK(rresult == ISC_R_SUCCESS); -+ if (sigrdataset != NULL && -+ dns_rdataset_isassociated(sigrdataset)) -+ dns_rdataset_disassociate(sigrdataset); -+ } - - if (!is_zone) - dns_cache_updatestats(client->view->cache, result); -@@ -6840,10 +6860,12 @@ query_find(ns_client_t *client, dns_fetc - case DNS_RPZ_POLICY_NXDOMAIN: - result = DNS_R_NXDOMAIN; - nxrewrite = ISC_TRUE; -+ rpz = ISC_TRUE; - break; - case DNS_RPZ_POLICY_NODATA: - result = DNS_R_NXRRSET; - nxrewrite = ISC_TRUE; -+ rpz = ISC_TRUE; - break; - case DNS_RPZ_POLICY_RECORD: - result = rpz_st->m.result; -@@ -6863,6 +6885,7 @@ query_find(ns_client_t *client, dns_fetc - rdataset->ttl = ISC_MIN(rdataset->ttl, - rpz_st->m.ttl); - } -+ rpz = ISC_TRUE; - break; - case DNS_RPZ_POLICY_WILDCNAME: - result = dns_rdataset_first(rdataset); -@@ -6905,7 +6928,6 @@ query_find(ns_client_t *client, dns_fetc - NS_CLIENTATTR_WANTAD); - client->message->flags &= ~DNS_MESSAGEFLAG_AD; - query_putrdataset(client, &sigrdataset); -- rpz_st->q.is_zone = is_zone; - is_zone = ISC_TRUE; - rpz_log_rewrite(client, ISC_FALSE, rpz_st->m.policy, - rpz_st->m.type, zone, rpz_st->p_name); -@@ -7289,15 +7311,6 @@ query_find(ns_client_t *client, dns_fetc - rdataset = NULL; - sigrdataset = NULL; - type = qtype = dns_rdatatype_a; -- rpz_st = client->query.rpz_st; -- if (rpz_st != NULL) { -- /* -- * Arrange for RPZ rewriting of any A records. 
-- */ -- if ((rpz_st->state & DNS_RPZ_REWRITTEN) != 0) -- is_zone = rpz_st->q.is_zone; -- rpz_st_clear(client); -- } - dns64 = ISC_TRUE; - goto db_find; - } -@@ -7612,15 +7625,6 @@ query_find(ns_client_t *client, dns_fetc - sigrdataset = NULL; - fname = NULL; - type = qtype = dns_rdatatype_a; -- rpz_st = client->query.rpz_st; -- if (rpz_st != NULL) { -- /* -- * Arrange for RPZ rewriting of any A records. -- */ -- if ((rpz_st->state & DNS_RPZ_REWRITTEN) != 0) -- is_zone = rpz_st->q.is_zone; -- rpz_st_clear(client); -- } - dns64 = ISC_TRUE; - goto db_find; - } -@@ -8154,15 +8158,6 @@ query_find(ns_client_t *client, dns_fetc - rdataset = NULL; - sigrdataset = NULL; - type = qtype = dns_rdatatype_a; -- rpz_st = client->query.rpz_st; -- if (rpz_st != NULL) { -- /* -- * Arrange for RPZ rewriting of any A records. -- */ -- if ((rpz_st->state & DNS_RPZ_REWRITTEN) != 0) -- is_zone = rpz_st->q.is_zone; -- rpz_st_clear(client); -- } - dns64_exclude = dns64 = ISC_TRUE; - goto db_find; - } -Index: bind-9.10.4-P5/lib/dns/message.c -=================================================================== ---- bind-9.10.4-P5.orig/lib/dns/message.c -+++ bind-9.10.4-P5/lib/dns/message.c -@@ -1219,8 +1219,8 @@ getsection(isc_buffer_t *source, dns_mes - { - isc_region_t r; - unsigned int count, rdatalen; -- dns_name_t *name; -- dns_name_t *name2; -+ dns_name_t *name = NULL; -+ dns_name_t *name2 = NULL; - dns_offsets_t *offsets; - dns_rdataset_t *rdataset; - dns_rdatalist_t *rdatalist; -@@ -1230,7 +1230,7 @@ getsection(isc_buffer_t *source, dns_mes - dns_rdata_t *rdata; - dns_ttl_t ttl; - dns_namelist_t *section; -- isc_boolean_t free_name, free_rdataset; -+ isc_boolean_t free_name = ISC_FALSE, free_rdataset = ISC_FALSE; - isc_boolean_t preserve_order, best_effort, seen_problem; - isc_boolean_t issigzero; - -Index: bind-9.10.4-P5/lib/dns/rdataset.c -=================================================================== ---- bind-9.10.4-P5.orig/lib/dns/rdataset.c -+++ 
bind-9.10.4-P5/lib/dns/rdataset.c -@@ -338,6 +338,7 @@ towiresorted(dns_rdataset_t *rdataset, c - */ - - REQUIRE(DNS_RDATASET_VALID(rdataset)); -+ REQUIRE(rdataset->methods != NULL); - REQUIRE(countp != NULL); - REQUIRE((order == NULL) == (order_arg == NULL)); - REQUIRE(cctx != NULL && cctx->mctx != NULL); diff --git a/bind-CVE-2017-3142-and-3143.patch b/bind-CVE-2017-3142-and-3143.patch deleted file mode 100644 index 2f4735c..0000000 --- a/bind-CVE-2017-3142-and-3143.patch +++ /dev/null 
@@ -1,496 +0,0 @@ -Index: bind-9.10.4-P5/lib/dns/dnssec.c -=================================================================== ---- bind-9.10.4-P5.orig/lib/dns/dnssec.c -+++ bind-9.10.4-P5/lib/dns/dnssec.c -@@ -978,6 +978,8 @@ dns_dnssec_verifymessage(isc_buffer_t *s - mctx = msg->mctx; - - msg->verify_attempted = 1; -+ msg->verified_sig = 0; -+ msg->sig0status = dns_tsigerror_badsig; - - if (is_response(msg)) { - if (msg->query.base == NULL) -@@ -1073,6 +1075,7 @@ dns_dnssec_verifymessage(isc_buffer_t *s - } - - msg->verified_sig = 1; -+ msg->sig0status = dns_rcode_noerror; - - dst_context_destroy(&ctx); - dns_rdata_freestruct(&sig); -Index: bind-9.10.4-P5/lib/dns/message.c -=================================================================== ---- bind-9.10.4-P5.orig/lib/dns/message.c -+++ bind-9.10.4-P5/lib/dns/message.c -@@ -3055,12 +3055,19 @@ dns_message_signer(dns_message_t *msg, d - - result = dns_rdata_tostruct(&rdata, &tsig, NULL); - INSIST(result == ISC_R_SUCCESS); -- if (msg->tsigstatus != dns_rcode_noerror) -+ if (msg->verified_sig && -+ msg->tsigstatus == dns_rcode_noerror && -+ tsig.error == dns_rcode_noerror) -+ { -+ result = ISC_R_SUCCESS; -+ } else if ((!msg->verified_sig) || -+ (msg->tsigstatus != dns_rcode_noerror)) -+ { - result = DNS_R_TSIGVERIFYFAILURE; -- else if (tsig.error != dns_rcode_noerror) -+ } else { -+ INSIST(tsig.error != dns_rcode_noerror); - result = DNS_R_TSIGERRORSET; -- else -- result = ISC_R_SUCCESS; -+ } - dns_rdata_freestruct(&tsig); - - if (msg->tsigkey == NULL) { -Index: bind-9.10.4-P5/lib/dns/tsig.c -=================================================================== ---- bind-9.10.4-P5.orig/lib/dns/tsig.c -+++ bind-9.10.4-P5/lib/dns/tsig.c -@@ -942,11 +942,20 @@ dns_tsig_sign(dns_message_t *msg) { - isc_buffer_putuint48(&otherbuf, tsig.timesigned); - } - -- if (key->key != NULL && tsig.error != dns_tsigerror_badsig) { -+ if ((key->key != NULL) && -+ (tsig.error != dns_tsigerror_badsig) && -+ (tsig.error != 
dns_tsigerror_badkey)) -+ { - unsigned char header[DNS_MESSAGE_HEADERLEN]; - isc_buffer_t headerbuf; - isc_uint16_t digestbits; - -+ /* -+ * If it is a response, we assume that the request MAC -+ * has validated at this point. This is why we include a -+ * MAC length > 0 in the reply. -+ */ -+ - ret = dst_context_create3(key->key, mctx, - DNS_LOGCATEGORY_DNSSEC, - ISC_TRUE, &ctx); -@@ -954,7 +963,7 @@ dns_tsig_sign(dns_message_t *msg) { - return (ret); - - /* -- * If this is a response, digest the query signature. -+ * If this is a response, digest the request's MAC. - */ - if (response) { - dns_rdata_t querytsigrdata = DNS_RDATA_INIT; -@@ -1084,6 +1093,17 @@ dns_tsig_sign(dns_message_t *msg) { - dst_context_destroy(&ctx); - digestbits = dst_key_getbits(key->key); - if (digestbits != 0) { -+ /* -+ * XXXRAY: Is this correct? What is the -+ * expected behavior when digestbits is not an -+ * integral multiple of 8? It looks like bytes -+ * should either be (digestbits/8) or -+ * (digestbits+7)/8. -+ * -+ * In any case, for current algorithms, -+ * digestbits are an integral multiple of 8, so -+ * it has the same effect as (digestbits/8). -+ */ - unsigned int bytes = (digestbits + 1) / 8; - if (response && bytes < querytsig.siglen) - bytes = querytsig.siglen; -@@ -1193,6 +1213,8 @@ dns_tsig_verify(isc_buffer_t *source, dn - REQUIRE(tsigkey == NULL || VALID_TSIG_KEY(tsigkey)); - - msg->verify_attempted = 1; -+ msg->verified_sig = 0; -+ msg->tsigstatus = dns_tsigerror_badsig; - - if (msg->tcp_continuation) { - if (tsigkey == NULL || msg->querytsig == NULL) -@@ -1291,19 +1313,6 @@ dns_tsig_verify(isc_buffer_t *source, dn - key = tsigkey->key; - - /* -- * Is the time ok? 
-- */ -- if (now + msg->timeadjust > tsig.timesigned + tsig.fudge) { -- msg->tsigstatus = dns_tsigerror_badtime; -- tsig_log(msg->tsigkey, 2, "signature has expired"); -- return (DNS_R_CLOCKSKEW); -- } else if (now + msg->timeadjust < tsig.timesigned - tsig.fudge) { -- msg->tsigstatus = dns_tsigerror_badtime; -- tsig_log(msg->tsigkey, 2, "signature is in the future"); -- return (DNS_R_CLOCKSKEW); -- } -- -- /* - * Check digest length. - */ - alg = dst_key_alg(key); -@@ -1312,31 +1321,19 @@ dns_tsig_verify(isc_buffer_t *source, dn - return (ret); - if (alg == DST_ALG_HMACMD5 || alg == DST_ALG_HMACSHA1 || - alg == DST_ALG_HMACSHA224 || alg == DST_ALG_HMACSHA256 || -- alg == DST_ALG_HMACSHA384 || alg == DST_ALG_HMACSHA512) { -- isc_uint16_t digestbits = dst_key_getbits(key); -+ alg == DST_ALG_HMACSHA384 || alg == DST_ALG_HMACSHA512) -+ { - if (tsig.siglen > siglen) { - tsig_log(msg->tsigkey, 2, "signature length too big"); - return (DNS_R_FORMERR); - } - if (tsig.siglen > 0 && -- (tsig.siglen < 10 || tsig.siglen < ((siglen + 1) / 2))) { -+ (tsig.siglen < 10 || tsig.siglen < ((siglen + 1) / 2))) -+ { - tsig_log(msg->tsigkey, 2, - "signature length below minimum"); - return (DNS_R_FORMERR); - } -- if (tsig.siglen > 0 && digestbits != 0 && -- tsig.siglen < ((digestbits + 1) / 8)) { -- msg->tsigstatus = dns_tsigerror_badtrunc; -- tsig_log(msg->tsigkey, 2, -- "truncated signature length too small"); -- return (DNS_R_TSIGVERIFYFAILURE); -- } -- if (tsig.siglen > 0 && digestbits == 0 && -- tsig.siglen < siglen) { -- msg->tsigstatus = dns_tsigerror_badtrunc; -- tsig_log(msg->tsigkey, 2, "signature length too small"); -- return (DNS_R_TSIGVERIFYFAILURE); -- } - } - - if (tsig.siglen > 0) { -@@ -1451,34 +1448,92 @@ dns_tsig_verify(isc_buffer_t *source, dn - - ret = dst_context_verify(ctx, &sig_r); - if (ret == DST_R_VERIFYFAILURE) { -- msg->tsigstatus = dns_tsigerror_badsig; - ret = DNS_R_TSIGVERIFYFAILURE; - tsig_log(msg->tsigkey, 2, - "signature failed to verify(1)"); - goto 
cleanup_context; -- } else if (ret != ISC_R_SUCCESS) -+ } else if (ret != ISC_R_SUCCESS) { - goto cleanup_context; -- -- dst_context_destroy(&ctx); -+ } - } else if (tsig.error != dns_tsigerror_badsig && - tsig.error != dns_tsigerror_badkey) { -- msg->tsigstatus = dns_tsigerror_badsig; - tsig_log(msg->tsigkey, 2, "signature was empty"); - return (DNS_R_TSIGVERIFYFAILURE); - } - -- msg->tsigstatus = dns_rcode_noerror; -+ /* -+ * Here at this point, the MAC has been verified. Even if any of -+ * the following code returns a TSIG error, the reply will be -+ * signed and WILL always include the request MAC in the digest -+ * computation. -+ */ -+ -+ /* -+ * Is the time ok? -+ */ -+ if (now + msg->timeadjust > tsig.timesigned + tsig.fudge) { -+ msg->tsigstatus = dns_tsigerror_badtime; -+ tsig_log(msg->tsigkey, 2, "signature has expired"); -+ ret = DNS_R_CLOCKSKEW; -+ goto cleanup_context; -+ } else if (now + msg->timeadjust < tsig.timesigned - tsig.fudge) { -+ msg->tsigstatus = dns_tsigerror_badtime; -+ tsig_log(msg->tsigkey, 2, "signature is in the future"); -+ ret = DNS_R_CLOCKSKEW; -+ goto cleanup_context; -+ } -+ -+ if ( -+#ifndef PK11_MD5_DISABLE -+ alg == DST_ALG_HMACMD5 || -+#endif -+ alg == DST_ALG_HMACSHA1 || -+ alg == DST_ALG_HMACSHA224 || alg == DST_ALG_HMACSHA256 || -+ alg == DST_ALG_HMACSHA384 || alg == DST_ALG_HMACSHA512) -+ { -+ isc_uint16_t digestbits = dst_key_getbits(key); -+ -+ /* -+ * XXXRAY: Is this correct? What is the expected -+ * behavior when digestbits is not an integral multiple -+ * of 8? It looks like bytes should either be -+ * (digestbits/8) or (digestbits+7)/8. -+ * -+ * In any case, for current algorithms, digestbits are -+ * an integral multiple of 8, so it has the same effect -+ * as (digestbits/8). 
-+ */ -+ if (tsig.siglen > 0 && digestbits != 0 && -+ tsig.siglen < ((digestbits + 1) / 8)) -+ { -+ msg->tsigstatus = dns_tsigerror_badtrunc; -+ tsig_log(msg->tsigkey, 2, -+ "truncated signature length too small"); -+ ret = DNS_R_TSIGVERIFYFAILURE; -+ goto cleanup_context; -+ } -+ if (tsig.siglen > 0 && digestbits == 0 && -+ tsig.siglen < siglen) -+ { -+ msg->tsigstatus = dns_tsigerror_badtrunc; -+ tsig_log(msg->tsigkey, 2, "signature length too small"); -+ ret = DNS_R_TSIGVERIFYFAILURE; -+ goto cleanup_context; -+ } -+ } - - if (tsig.error != dns_rcode_noerror) { -+ msg->tsigstatus = tsig.error; - if (tsig.error == dns_tsigerror_badtime) -- return (DNS_R_CLOCKSKEW); -+ ret = DNS_R_CLOCKSKEW; - else -- return (DNS_R_TSIGERRORSET); -+ ret = DNS_R_TSIGERRORSET; -+ goto cleanup_context; - } - -+ msg->tsigstatus = dns_rcode_noerror; - msg->verified_sig = 1; -- -- return (ISC_R_SUCCESS); -+ ret = ISC_R_SUCCESS; - - cleanup_context: - if (ctx != NULL) -@@ -1503,6 +1558,8 @@ tsig_verify_tcp(isc_buffer_t *source, dn - isc_uint16_t addcount, id; - isc_boolean_t has_tsig = ISC_FALSE; - isc_mem_t *mctx; -+ unsigned int siglen; -+ unsigned int alg; - - REQUIRE(source != NULL); - REQUIRE(msg != NULL); -@@ -1510,12 +1567,16 @@ tsig_verify_tcp(isc_buffer_t *source, dn - REQUIRE(msg->tcp_continuation == 1); - REQUIRE(msg->querytsig != NULL); - -+ msg->verified_sig = 0; -+ msg->tsigstatus = dns_tsigerror_badsig; -+ - if (!is_response(msg)) - return (DNS_R_EXPECTEDRESPONSE); - - mctx = msg->mctx; - - tsigkey = dns_message_gettsigkey(msg); -+ key = tsigkey->key; - - /* - * Extract and parse the previous TSIG -@@ -1548,7 +1609,8 @@ tsig_verify_tcp(isc_buffer_t *source, dn - * Do the key name and algorithm match that of the query? 
- */ - if (!dns_name_equal(keyname, &tsigkey->name) || -- !dns_name_equal(&tsig.algorithm, &querytsig.algorithm)) { -+ !dns_name_equal(&tsig.algorithm, &querytsig.algorithm)) -+ { - msg->tsigstatus = dns_tsigerror_badkey; - ret = DNS_R_TSIGVERIFYFAILURE; - tsig_log(msg->tsigkey, 2, -@@ -1557,27 +1619,40 @@ tsig_verify_tcp(isc_buffer_t *source, dn - } - - /* -- * Is the time ok? -+ * Check digest length. - */ -- isc_stdtime_get(&now); -- -- if (now + msg->timeadjust > tsig.timesigned + tsig.fudge) { -- msg->tsigstatus = dns_tsigerror_badtime; -- tsig_log(msg->tsigkey, 2, "signature has expired"); -- ret = DNS_R_CLOCKSKEW; -- goto cleanup_querystruct; -- } else if (now + msg->timeadjust < -- tsig.timesigned - tsig.fudge) { -- msg->tsigstatus = dns_tsigerror_badtime; -- tsig_log(msg->tsigkey, 2, -- "signature is in the future"); -- ret = DNS_R_CLOCKSKEW; -+ alg = dst_key_alg(key); -+ ret = dst_key_sigsize(key, &siglen); -+ if (ret != ISC_R_SUCCESS) - goto cleanup_querystruct; -+ if ( -+#ifndef PK11_MD5_DISABLE -+ alg == DST_ALG_HMACMD5 || -+#endif -+ alg == DST_ALG_HMACSHA1 || -+ alg == DST_ALG_HMACSHA224 || -+ alg == DST_ALG_HMACSHA256 || -+ alg == DST_ALG_HMACSHA384 || -+ alg == DST_ALG_HMACSHA512) -+ { -+ if (tsig.siglen > siglen) { -+ tsig_log(tsigkey, 2, -+ "signature length too big"); -+ ret = DNS_R_FORMERR; -+ goto cleanup_querystruct; -+ } -+ if (tsig.siglen > 0 && -+ (tsig.siglen < 10 || -+ tsig.siglen < ((siglen + 1) / 2))) -+ { -+ tsig_log(tsigkey, 2, -+ "signature length below minimum"); -+ ret = DNS_R_FORMERR; -+ goto cleanup_querystruct; -+ } - } - } - -- key = tsigkey->key; -- - if (msg->tsigctx == NULL) { - ret = dst_context_create3(key, mctx, - DNS_LOGCATEGORY_DNSSEC, -@@ -1673,10 +1748,12 @@ tsig_verify_tcp(isc_buffer_t *source, dn - sig_r.length = tsig.siglen; - if (tsig.siglen == 0) { - if (tsig.error != dns_rcode_noerror) { -- if (tsig.error == dns_tsigerror_badtime) -+ msg->tsigstatus = tsig.error; -+ if (tsig.error == dns_tsigerror_badtime) { - 
ret = DNS_R_CLOCKSKEW; -- else -+ } else { - ret = DNS_R_TSIGERRORSET; -+ } - } else { - tsig_log(msg->tsigkey, 2, - "signature is empty"); -@@ -1687,29 +1764,111 @@ tsig_verify_tcp(isc_buffer_t *source, dn - - ret = dst_context_verify(msg->tsigctx, &sig_r); - if (ret == DST_R_VERIFYFAILURE) { -- msg->tsigstatus = dns_tsigerror_badsig; - tsig_log(msg->tsigkey, 2, - "signature failed to verify(2)"); - ret = DNS_R_TSIGVERIFYFAILURE; - goto cleanup_context; -+ } else if (ret != ISC_R_SUCCESS) { -+ goto cleanup_context; -+ } -+ -+ /* -+ * Here at this point, the MAC has been verified. Even -+ * if any of the following code returns a TSIG error, -+ * the reply will be signed and WILL always include the -+ * request MAC in the digest computation. -+ */ -+ -+ /* -+ * Is the time ok? -+ */ -+ isc_stdtime_get(&now); -+ -+ if (now + msg->timeadjust > tsig.timesigned + tsig.fudge) { -+ msg->tsigstatus = dns_tsigerror_badtime; -+ tsig_log(msg->tsigkey, 2, "signature has expired"); -+ ret = DNS_R_CLOCKSKEW; -+ goto cleanup_context; -+ } else if (now + msg->timeadjust < -+ tsig.timesigned - tsig.fudge) -+ { -+ msg->tsigstatus = dns_tsigerror_badtime; -+ tsig_log(msg->tsigkey, 2, -+ "signature is in the future"); -+ ret = DNS_R_CLOCKSKEW; -+ goto cleanup_context; - } -- else if (ret != ISC_R_SUCCESS) -+ -+ alg = dst_key_alg(key); -+ ret = dst_key_sigsize(key, &siglen); -+ if (ret != ISC_R_SUCCESS) - goto cleanup_context; -+ if ( -+#ifndef PK11_MD5_DISABLE -+ alg == DST_ALG_HMACMD5 || -+#endif -+ alg == DST_ALG_HMACSHA1 || -+ alg == DST_ALG_HMACSHA224 || -+ alg == DST_ALG_HMACSHA256 || -+ alg == DST_ALG_HMACSHA384 || -+ alg == DST_ALG_HMACSHA512) -+ { -+ isc_uint16_t digestbits = dst_key_getbits(key); - -- dst_context_destroy(&msg->tsigctx); -+ /* -+ * XXXRAY: Is this correct? What is the -+ * expected behavior when digestbits is not an -+ * integral multiple of 8? It looks like bytes -+ * should either be (digestbits/8) or -+ * (digestbits+7)/8. 
-+ * -+ * In any case, for current algorithms, -+ * digestbits are an integral multiple of 8, so -+ * it has the same effect as (digestbits/8). -+ */ -+ if (tsig.siglen > 0 && digestbits != 0 && -+ tsig.siglen < ((digestbits + 1) / 8)) -+ { -+ msg->tsigstatus = dns_tsigerror_badtrunc; -+ tsig_log(msg->tsigkey, 2, -+ "truncated signature length " -+ "too small"); -+ ret = DNS_R_TSIGVERIFYFAILURE; -+ goto cleanup_context; -+ } -+ if (tsig.siglen > 0 && digestbits == 0 && -+ tsig.siglen < siglen) -+ { -+ msg->tsigstatus = dns_tsigerror_badtrunc; -+ tsig_log(msg->tsigkey, 2, -+ "signature length too small"); -+ ret = DNS_R_TSIGVERIFYFAILURE; -+ goto cleanup_context; -+ } -+ } -+ -+ if (tsig.error != dns_rcode_noerror) { -+ msg->tsigstatus = tsig.error; -+ if (tsig.error == dns_tsigerror_badtime) -+ ret = DNS_R_CLOCKSKEW; -+ else -+ ret = DNS_R_TSIGERRORSET; -+ goto cleanup_context; -+ } - } - - msg->tsigstatus = dns_rcode_noerror; -- return (ISC_R_SUCCESS); -+ msg->verified_sig = 1; -+ ret = ISC_R_SUCCESS; - - cleanup_context: -- dst_context_destroy(&msg->tsigctx); -+ if (msg->tsigctx != NULL) -+ dst_context_destroy(&msg->tsigctx); - - cleanup_querystruct: - dns_rdata_freestruct(&querytsig); - - return (ret); -- - } - - isc_result_t diff --git a/bind-openssl11.patch b/bind-openssl11.patch deleted file mode 100644 index 11a5e47..0000000 --- a/bind-openssl11.patch +++ /dev/null 
@@ -1,3458 +0,0 @@ -From: Mark Andrews -Date: Sun, 30 Oct 2016 23:04:37 +0000 (+1100) -Subject: 4497. [port] Add support for OpenSSL 1.1.0. [RT #41284] -X-Git-Url: https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff_plain;h=1fce0951ed172fc3834a3a379c4e00b78224cc5d;hp=c970f162b6daae68154ef350efcbc6bb6bf32b59 - -4497. [port] Add support for OpenSSL 1.1.0. [RT #41284] ---- - -Index: bind-9.10.4-P5/README -=================================================================== ---- bind-9.10.4-P5.orig/README -+++ bind-9.10.4-P5/README -@@ -433,7 +433,7 @@ Building - systems. - - For the server to support DNSSEC, you need to build it -- with crypto support. You must have OpenSSL 0.9.5a -+ with crypto support. You must have OpenSSL 1.0.1t - or newer installed and specify "--with-openssl" on the - configure command line. If OpenSSL is installed under - a nonstandard prefix, you can tell configure where to -Index: bind-9.10.4-P5/bin/named/main.c -=================================================================== ---- bind-9.10.4-P5.orig/bin/named/main.c -+++ bind-9.10.4-P5/bin/named/main.c -@@ -660,8 +660,14 @@ parse_command_line(int argc, char *argv[ - #ifdef OPENSSL - printf("compiled with OpenSSL version: %s\n", - OPENSSL_VERSION_TEXT); -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L /* 1.1.0 or higher */ -+ printf("linked to OpenSSL version: %s\n", -+ OpenSSL_version(OPENSSL_VERSION)); -+ -+#else - printf("linked to OpenSSL version: %s\n", - SSLeay_version(SSLEAY_VERSION)); -+#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */ - #endif - #ifdef HAVE_LIBXML2 - printf("compiled with libxml2 version: %s\n", -Index: bind-9.10.4-P5/bin/tests/dst/t_dst.c -=================================================================== ---- bind-9.10.4-P5.orig/bin/tests/dst/t_dst.c -+++ bind-9.10.4-P5/bin/tests/dst/t_dst.c -@@ -919,9 +919,42 @@ t2_sigchk(char *datapath, char *sigpath, - * signed at some earlier time, possibly with an entire different - * version or implementation 
of the DSA and RSA algorithms - */ --static const char *a2 = -- "the dst module provides the capability to " -- "verify data signed with the RSA and DSA algorithms"; -+ -+isc_mem_t *t2_mctx = NULL; -+isc_entropy_t *t2_ectx = NULL; -+ -+static int -+t2_vfy_init(void) { -+ isc_result_t isc_result; -+ -+ t2_mctx = NULL; -+ isc_result = isc_mem_create(0, 0, &t2_mctx); -+ if (isc_result != ISC_R_SUCCESS) { -+ t_info("isc_mem_create failed %s\n", -+ isc_result_totext(isc_result)); -+ return(0); -+ } -+ t2_ectx = NULL; -+ isc_result = isc_entropy_create(t2_mctx, &t2_ectx); -+ if (isc_result != ISC_R_SUCCESS) { -+ t_info("isc_entropy_create failed %s\n", -+ isc_result_totext(isc_result)); -+ return(0); -+ } -+ isc_result = isc_entropy_createfilesource(t2_ectx, "randomfile"); -+ if (isc_result != ISC_R_SUCCESS) { -+ t_info("isc_entropy_create failed %s\n", -+ isc_result_totext(isc_result)); -+ return(0); -+ } -+ isc_result = dst_lib_init(t2_mctx, t2_ectx, ISC_ENTROPY_BLOCKING); -+ if (isc_result != ISC_R_SUCCESS) { -+ t_info("dst_lib_init failed %s\n", -+ isc_result_totext(isc_result)); -+ return(0); -+ } -+ return(1); -+} - - /* - * av == datafile, sigpath, keyname, keyid, alg, exp_result. 
-@@ -938,9 +971,6 @@ t2_vfy(char **av) { - char *exp_result; - int nfails; - int nprobs; -- isc_mem_t *mctx; -- isc_entropy_t *ectx; -- isc_result_t isc_result; - int result; - - datapath = *av++; -@@ -962,33 +992,6 @@ t2_vfy(char **av) { - return(T_UNRESOLVED); - } - -- mctx = NULL; -- isc_result = isc_mem_create(0, 0, &mctx); -- if (isc_result != ISC_R_SUCCESS) { -- t_info("isc_mem_create failed %s\n", -- isc_result_totext(isc_result)); -- return(T_UNRESOLVED); -- } -- ectx = NULL; -- isc_result = isc_entropy_create(mctx, &ectx); -- if (isc_result != ISC_R_SUCCESS) { -- t_info("isc_entropy_create failed %s\n", -- isc_result_totext(isc_result)); -- return(T_UNRESOLVED); -- } -- isc_result = isc_entropy_createfilesource(ectx, "randomfile"); -- if (isc_result != ISC_R_SUCCESS) { -- t_info("isc_entropy_create failed %s\n", -- isc_result_totext(isc_result)); -- return(T_UNRESOLVED); -- } -- isc_result = dst_lib_init(mctx, ectx, ISC_ENTROPY_BLOCKING); -- if (isc_result != ISC_R_SUCCESS) { -- t_info("dst_lib_init failed %s\n", -- isc_result_totext(isc_result)); -- return(T_UNRESOLVED); -- } -- - if (!dst_algorithm_supported(DST_ALG_RSAMD5)) { - dst_lib_destroy(); - t_info("library built without crypto support\n"); -@@ -999,15 +1002,9 @@ t2_vfy(char **av) { - datapath, sigpath, keyname, key, alg, exp_result); - t2_sigchk(datapath, sigpath, keyname, keyid, - algid, DST_TYPE_PRIVATE|DST_TYPE_PUBLIC, -- mctx, exp_result, -+ t2_mctx, exp_result, - &nfails, &nprobs); - -- dst_lib_destroy(); -- -- isc_entropy_detach(&ectx); -- -- isc_mem_destroy(&mctx); -- - result = T_UNRESOLVED; - if (nfails) - result = T_FAIL; -@@ -1017,11 +1014,24 @@ t2_vfy(char **av) { - return(result); - } - -+static const char *a2 = -+ "the dst module provides the capability to " -+ "verify data signed with the RSA and DSA algorithms"; -+ - static void - t2(void) { - int result; - t_assert("dst", 2, T_REQUIRED, "%s", a2); -- result = t_eval("dst_2_data", t2_vfy, 6); -+ if (!t2_vfy_init()) { -+ result = 
T_UNRESOLVED; -+ } else { -+ result = t_eval("dst_2_data", t2_vfy, 6); -+ dst_lib_destroy(); -+ } -+ if (t2_ectx) -+ isc_entropy_detach(&t2_ectx); -+ if (t2_mctx) -+ isc_mem_destroy(&t2_mctx); - t_result(result); - } - -Index: bind-9.10.4-P5/configure -=================================================================== ---- bind-9.10.4-P5.orig/configure -+++ bind-9.10.4-P5/configure -@@ -15733,8 +15733,8 @@ $as_echo "using OpenSSL from $use_openss - saved_cc="$CC" - saved_cflags="$CFLAGS" - saved_libs="$LIBS" -- CFLAGS="$CFLAGS $DST_OPENSSL_INC" -- LIBS="$LIBS $DST_OPENSSL_LIBS" -+ CFLAGS="$DST_OPENSSL_INC $CFLAGS" -+ LIBS="$DST_OPENSSL_LIBS $LIBS" - { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether linking with OpenSSL works" >&5 - $as_echo_n "checking whether linking with OpenSSL works... " >&6; } - if test "$cross_compiling" = yes; then : -@@ -15772,13 +15772,24 @@ $as_echo_n "checking whether linking wit - cat confdefs.h - <<_ACEOF >conftest.$ac_ext - /* end confdefs.h. */ - -+#include -+#if OPENSSL_VERSION_NUMBER >= 0x10100004L -+#include -+#else - #include - #include -+#endif - - int - main () - { -- DSO_METHOD_dlfcn(); -+ -+#if OPENSSL_VERSION_NUMBER >= 0x10100004L -+OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL); -+#else -+DSO_METHOD_dlfcn(); -+#endif -+ - ; - return 0; - } -@@ -15791,13 +15802,23 @@ else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext - /* end confdefs.h. 
*/ - -+#if OPENSSL_VERSION_NUMBER >= 0x10100004L -+#include -+#else - #include - #include -+#endif - - int - main () - { -- DSO_METHOD_dlfcn(); -+ -+#if OPENSSL_VERSION_NUMBER >= 0x10100004L -+OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL); -+#else -+DSO_METHOD_dlfcn(); -+#endif -+ - ; - return 0; - } -@@ -15844,7 +15865,7 @@ int main() { - OPENSSL_VERSION_NUMBER < 0x10002000L) || - OPENSSL_VERSION_NUMBER >= 0x1000205fL) - return (0); -- printf("\n\nFound OPENSSL_VERSION_NUMBER %#010x\n", -+ printf("\n\nFound OPENSSL_VERSION_NUMBER %#010lx\n", - OPENSSL_VERSION_NUMBER); - printf("Require OPENSSL_VERSION_NUMBER 0x009070cf or greater (0.9.7l)\n" - "Require OPENSSL_VERSION_NUMBER 0x0090804f or greater (0.9.8d)\n" -@@ -16064,7 +16085,7 @@ else - - #include - int main() { -- EVP_CIPHER *aes128, *aes192, *aes256; -+ const EVP_CIPHER *aes128, *aes192, *aes256; - - aes128 = EVP_aes_128_ecb(); - aes192 = EVP_aes_192_ecb(); -@@ -16252,43 +16273,6 @@ $as_echo "yes" >&6; } - ISC_PLATFORM_OPENSSLHASH="#define ISC_PLATFORM_OPENSSLHASH 1" - ISC_OPENSSL_INC="$DST_OPENSSL_INC" - ISC_OPENSSL_LIBS="$DST_OPENSSL_LIBS" -- saved_cflags="$CFLAGS" -- save_libs="$LIBS" -- CFLAGS="$CFLAGS $ISC_OPENSSL_INC" -- LIBS="$LIBS $ISC_OPENSSL_LIBS" -- { $as_echo "$as_me:${as_lineno-$LINENO}: checking HMAC_Init() return type" >&5 --$as_echo_n "checking HMAC_Init() return type... " >&6; } -- cat confdefs.h - <<_ACEOF >conftest.$ac_ext --/* end confdefs.h. 
*/ -- -- #include --int --main () --{ -- -- HMAC_CTX ctx; -- int n = HMAC_Init(&ctx, NULL, 0, NULL); -- n += HMAC_Update(&ctx, NULL, 0); -- n += HMAC_Final(&ctx, NULL, NULL); -- ; -- return 0; --} --_ACEOF --if ac_fn_c_try_compile "$LINENO"; then : -- -- { $as_echo "$as_me:${as_lineno-$LINENO}: result: int" >&5 --$as_echo "int" >&6; } -- --$as_echo "#define HMAC_RETURN_INT 1" >>confdefs.h -- --else -- -- { $as_echo "$as_me:${as_lineno-$LINENO}: result: void" >&5 --$as_echo "void" >&6; } --fi --rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -- CFLAGS="$saved_cflags" -- LIBS="$save_libs" - ;; - no) - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -Index: bind-9.10.4-P5/configure.in -=================================================================== ---- bind-9.10.4-P5.orig/configure.in -+++ bind-9.10.4-P5/configure.in -@@ -1540,8 +1540,8 @@ If you don't want OpenSSL, use --without - saved_cc="$CC" - saved_cflags="$CFLAGS" - saved_libs="$LIBS" -- CFLAGS="$CFLAGS $DST_OPENSSL_INC" -- LIBS="$LIBS $DST_OPENSSL_LIBS" -+ CFLAGS="$DST_OPENSSL_INC $CFLAGS" -+ LIBS="$DST_OPENSSL_LIBS $LIBS" - AC_MSG_CHECKING(whether linking with OpenSSL works) - AC_TRY_RUN([ - #include -@@ -1560,16 +1560,38 @@ shared library configuration (e.g., LD_L - - AC_MSG_CHECKING(whether linking with OpenSSL requires -ldl) - AC_TRY_LINK([ -+#include -+#if OPENSSL_VERSION_NUMBER >= 0x10100004L -+#include -+#else - #include - #include -+#endif -+], -+[ -+#if OPENSSL_VERSION_NUMBER >= 0x10100004L -+OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL); -+#else -+DSO_METHOD_dlfcn(); -+#endif - ], --[ DSO_METHOD_dlfcn(); ], - [AC_MSG_RESULT(no)], - [LIBS="$LIBS -ldl" - AC_TRY_LINK([ -+#if OPENSSL_VERSION_NUMBER >= 0x10100004L -+#include -+#else - #include - #include --],[ DSO_METHOD_dlfcn(); ], -+#endif -+], -+[ -+#if OPENSSL_VERSION_NUMBER >= 0x10100004L -+OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL); -+#else -+DSO_METHOD_dlfcn(); -+#endif -+], - 
[AC_MSG_RESULT(yes) - DST_OPENSSL_LIBS="$DST_OPENSSL_LIBS -ldl" - ], -@@ -1596,7 +1618,7 @@ int main() { - OPENSSL_VERSION_NUMBER < 0x10002000L) || - OPENSSL_VERSION_NUMBER >= 0x1000205fL) - return (0); -- printf("\n\nFound OPENSSL_VERSION_NUMBER %#010x\n", -+ printf("\n\nFound OPENSSL_VERSION_NUMBER %#010lx\n", - OPENSSL_VERSION_NUMBER); - printf("Require OPENSSL_VERSION_NUMBER 0x009070cf or greater (0.9.7l)\n" - "Require OPENSSL_VERSION_NUMBER 0x0090804f or greater (0.9.8d)\n" -@@ -1748,7 +1770,7 @@ int main() { - AC_TRY_RUN([ - #include - int main() { -- EVP_CIPHER *aes128, *aes192, *aes256; -+ const EVP_CIPHER *aes128, *aes192, *aes256; - - aes128 = EVP_aes_128_ecb(); - aes192 = EVP_aes_192_ecb(); -@@ -1913,22 +1935,6 @@ case $want_openssl_hash in - ISC_PLATFORM_OPENSSLHASH="#define ISC_PLATFORM_OPENSSLHASH 1" - ISC_OPENSSL_INC="$DST_OPENSSL_INC" - ISC_OPENSSL_LIBS="$DST_OPENSSL_LIBS" -- saved_cflags="$CFLAGS" -- save_libs="$LIBS" -- CFLAGS="$CFLAGS $ISC_OPENSSL_INC" -- LIBS="$LIBS $ISC_OPENSSL_LIBS" -- AC_MSG_CHECKING([HMAC_Init() return type]) -- AC_TRY_COMPILE([ -- #include ],[ -- HMAC_CTX ctx; -- int n = HMAC_Init(&ctx, NULL, 0, NULL); -- n += HMAC_Update(&ctx, NULL, 0); -- n += HMAC_Final(&ctx, NULL, NULL);],[ -- AC_MSG_RESULT(int) -- AC_DEFINE(HMAC_RETURN_INT, 1, [HMAC_*() return ints])],[ -- AC_MSG_RESULT(void)]) -- CFLAGS="$saved_cflags" -- LIBS="$save_libs" - ;; - no) - AC_MSG_RESULT(no) -Index: bind-9.10.4-P5/lib/dns/dst_gost.h -=================================================================== ---- bind-9.10.4-P5.orig/lib/dns/dst_gost.h -+++ bind-9.10.4-P5/lib/dns/dst_gost.h -@@ -26,7 +26,13 @@ - #ifdef HAVE_OPENSSL_GOST - #include - --typedef EVP_MD_CTX isc_gost_t; -+typedef struct { -+ EVP_MD_CTX *ctx; -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+ EVP_MD_CTX _ctx; -+#endif -+} isc_gost_t; -+ - #endif - #ifdef HAVE_PKCS11_GOST - #include -Index: bind-9.10.4-P5/lib/dns/dst_openssl.h 
-=================================================================== ---- bind-9.10.4-P5.orig/lib/dns/dst_openssl.h -+++ bind-9.10.4-P5/lib/dns/dst_openssl.h -@@ -31,8 +31,10 @@ - #include - #include - --#if !defined(OPENSSL_NO_ENGINE) && defined(CRYPTO_LOCK_ENGINE) && \ -- (OPENSSL_VERSION_NUMBER >= 0x0090707f) -+#if !defined(OPENSSL_NO_ENGINE) && \ -+ ((defined(CRYPTO_LOCK_ENGINE) && \ -+ (OPENSSL_VERSION_NUMBER >= 0x0090707f)) || \ -+ (OPENSSL_VERSION_NUMBER >= 0x10100000L)) - #define USE_ENGINE 1 - #endif - -@@ -50,6 +52,15 @@ - #define BN_GENCB_get_arg(x) ((x)->arg) - #endif - -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L -+/* -+ * EVP_dss1() is a version of EVP_sha1() that was needed prior to -+ * 1.1.0 because there was a link between digests and signing algorithms; -+ * the link has been eliminated and EVP_sha1() can be used now instead. -+ */ -+#define EVP_dss1 EVP_sha1 -+#endif -+ - ISC_LANG_BEGINDECLS - - isc_result_t -Index: bind-9.10.4-P5/lib/dns/openssl_link.c -=================================================================== ---- bind-9.10.4-P5.orig/lib/dns/openssl_link.c -+++ bind-9.10.4-P5/lib/dns/openssl_link.c -@@ -111,6 +111,7 @@ entropy_add(const void *buf, int num, do - } - #endif - -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - static void - lock_callback(int mode, int type, const char *file, int line) { - UNUSED(file); -@@ -121,45 +122,59 @@ lock_callback(int mode, int type, const - UNLOCK(&locks[type]); - } - --#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - static unsigned long - id_callback(void) { - return ((unsigned long)isc_thread_self()); - } - #endif - -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) -+#define FLARG_PASS , __FILE__, __LINE__ -+#define FLARG -+#define FILELINE -+#else -+#define FLARG , const char *file, int line -+#define FILELINE , __FILE__, __LINE__ -+#if ISC_MEM_TRACKLINES -+#define FLARG_PASS , file, line -+#else 
-+#define FLARG_PASS -+#endif -+ -+#endif -+ - static void * --mem_alloc(size_t size) { -+mem_alloc(size_t size FLARG) { - #ifdef OPENSSL_LEAKS - void *ptr; - - INSIST(dst__memory_pool != NULL); -- ptr = isc_mem_allocate(dst__memory_pool, size); -+ ptr = isc__mem_allocate(dst__memory_pool, size FLARG_PASS); - return (ptr); - #else - INSIST(dst__memory_pool != NULL); -- return (isc_mem_allocate(dst__memory_pool, size)); -+ return (isc__mem_allocate(dst__memory_pool, size FLARG_PASS)); - #endif - } - - static void --mem_free(void *ptr) { -+mem_free(void *ptr FLARG) { - INSIST(dst__memory_pool != NULL); - if (ptr != NULL) -- isc_mem_free(dst__memory_pool, ptr); -+ isc__mem_free(dst__memory_pool, ptr FLARG_PASS); - } - - static void * --mem_realloc(void *ptr, size_t size) { -+mem_realloc(void *ptr, size_t size FLARG) { - #ifdef OPENSSL_LEAKS - void *rptr; - - INSIST(dst__memory_pool != NULL); -- rptr = isc_mem_reallocate(dst__memory_pool, ptr, size); -+ rptr = isc__mem_reallocate(dst__memory_pool, ptr, size FLARG_PASS); - return (rptr); - #else - INSIST(dst__memory_pool != NULL); -- return (isc_mem_reallocate(dst__memory_pool, ptr, size)); -+ return (isc__mem_reallocate(dst__memory_pool, ptr, size FLARG_PASS)); - #endif - } - -@@ -180,20 +195,20 @@ dst__openssl_init(const char *engine) { - #endif - CRYPTO_set_mem_functions(mem_alloc, mem_realloc, mem_free); - nlocks = CRYPTO_num_locks(); -- locks = mem_alloc(sizeof(isc_mutex_t) * nlocks); -+ locks = mem_alloc(sizeof(isc_mutex_t) * nlocks FILELINE); - if (locks == NULL) - return (ISC_R_NOMEMORY); - result = isc_mutexblock_init(locks, nlocks); - if (result != ISC_R_SUCCESS) - goto cleanup_mutexalloc; -- CRYPTO_set_locking_callback(lock_callback); - #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) -+ CRYPTO_set_locking_callback(lock_callback); - CRYPTO_set_id_callback(id_callback); - #endif - - ERR_load_crypto_strings(); - -- rm = mem_alloc(sizeof(RAND_METHOD)); -+ rm = 
mem_alloc(sizeof(RAND_METHOD) FILELINE); - if (rm == NULL) { - result = ISC_R_NOMEMORY; - goto cleanup_mutexinit; -@@ -259,20 +274,27 @@ dst__openssl_init(const char *engine) { - if (e != NULL) - ENGINE_free(e); - e = NULL; -- mem_free(rm); -+ mem_free(rm FILELINE); - rm = NULL; - #endif - cleanup_mutexinit: - CRYPTO_set_locking_callback(NULL); - DESTROYMUTEXBLOCK(locks, nlocks); - cleanup_mutexalloc: -- mem_free(locks); -+ mem_free(locks FILELINE); - locks = NULL; - return (result); - } - - void - dst__openssl_destroy(void) { -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L -+ OPENSSL_cleanup(); -+ if (rm != NULL) { -+ mem_free(rm FILELINE); -+ rm = NULL; -+ } -+#else - /* - * Sequence taken from apps_shutdown() in . - */ -@@ -280,7 +302,7 @@ dst__openssl_destroy(void) { - #if OPENSSL_VERSION_NUMBER >= 0x00907000L - RAND_cleanup(); - #endif -- mem_free(rm); -+ mem_free(rm FILELINE); - rm = NULL; - } - #if (OPENSSL_VERSION_NUMBER >= 0x00907000L) -@@ -312,16 +334,18 @@ dst__openssl_destroy(void) { - if (locks != NULL) { - CRYPTO_set_locking_callback(NULL); - DESTROYMUTEXBLOCK(locks, nlocks); -- mem_free(locks); -+ mem_free(locks FILELINE); - locks = NULL; - } -+#endif - } - - static isc_result_t - toresult(isc_result_t fallback) { - isc_result_t result = fallback; - unsigned long err = ERR_get_error(); --#ifdef HAVE_OPENSSL_ECDSA -+#if defined(HAVE_OPENSSL_ECDSA) && \ -+ defined(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED) - int lib = ERR_GET_LIB(err); - #endif - int reason = ERR_GET_REASON(err); -@@ -335,7 +359,8 @@ toresult(isc_result_t fallback) { - result = ISC_R_NOMEMORY; - break; - default: --#ifdef HAVE_OPENSSL_ECDSA -+#if defined(HAVE_OPENSSL_ECDSA) && \ -+ defined(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED) - if (lib == ERR_R_ECDSA_LIB && - reason == ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED) { - result = ISC_R_NOENTROPY; -Index: bind-9.10.4-P5/lib/dns/openssldh_link.c -=================================================================== ---- 
bind-9.10.4-P5.orig/lib/dns/openssldh_link.c -+++ bind-9.10.4-P5/lib/dns/openssldh_link.c -@@ -73,11 +73,74 @@ static isc_result_t openssldh_todns(cons - - static BIGNUM *bn2, *bn768, *bn1024, *bn1536; - -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) -+/* -+ * DH_get0_key, DH_set0_key, DH_get0_pqg and DH_set0_pqg -+ * are from OpenSSL 1.1.0. -+ */ -+static void -+DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key) { -+ if (pub_key != NULL) -+ *pub_key = dh->pub_key; -+ if (priv_key != NULL) -+ *priv_key = dh->priv_key; -+} -+ -+static int -+DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key) { -+ /* Note that it is valid for priv_key to be NULL */ -+ if (pub_key == NULL) -+ return 0; -+ -+ BN_free(dh->pub_key); -+ BN_free(dh->priv_key); -+ dh->pub_key = pub_key; -+ dh->priv_key = priv_key; -+ -+ return 1; -+} -+ -+static void -+DH_get0_pqg(const DH *dh, -+ const BIGNUM **p, const BIGNUM **q, const BIGNUM **g) -+{ -+ if (p != NULL) -+ *p = dh->p; -+ if (q != NULL) -+ *q = dh->q; -+ if (g != NULL) -+ *g = dh->g; -+} -+ -+static int -+DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) { -+ /* q is optional */ -+ if (p == NULL || g == NULL) -+ return(0); -+ BN_free(dh->p); -+ BN_free(dh->q); -+ BN_free(dh->g); -+ dh->p = p; -+ dh->q = q; -+ dh->g = g; -+ -+ if (q != NULL) { -+ dh->length = BN_num_bits(q); -+ } -+ -+ return(1); -+} -+ -+#define DH_clear_flags(d, f) (d)->flags &= ~(f) -+ -+#endif -+ - static isc_result_t - openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv, - isc_buffer_t *secret) - { - DH *dhpub, *dhpriv; -+ const BIGNUM *pub_key = NULL; - int ret; - isc_region_t r; - unsigned int len; -@@ -92,7 +155,9 @@ openssldh_computesecret(const dst_key_t - isc_buffer_availableregion(secret, &r); - if (r.length < len) - return (ISC_R_NOSPACE); -- ret = DH_compute_key(r.base, dhpub->pub_key, dhpriv); -+ -+ DH_get0_key(dhpub, &pub_key, NULL); -+ ret = DH_compute_key(r.base, pub_key, 
dhpriv); - if (ret <= 0) - return (dst__openssl_toresult2("DH_compute_key", - DST_R_COMPUTESECRETFAILURE)); -@@ -102,8 +167,10 @@ openssldh_computesecret(const dst_key_t - - static isc_boolean_t - openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) { -- int status; - DH *dh1, *dh2; -+ const BIGNUM *pub_key1 = NULL, *pub_key2 = NULL; -+ const BIGNUM *priv_key1 = NULL, *priv_key2 = NULL; -+ const BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL; - - dh1 = key1->keydata.dh; - dh2 = key2->keydata.dh; -@@ -113,17 +180,19 @@ openssldh_compare(const dst_key_t *key1, - else if (dh1 == NULL || dh2 == NULL) - return (ISC_FALSE); - -- status = BN_cmp(dh1->p, dh2->p) || -- BN_cmp(dh1->g, dh2->g) || -- BN_cmp(dh1->pub_key, dh2->pub_key); -+ DH_get0_key(dh1, &pub_key1, &priv_key1); -+ DH_get0_key(dh2, &pub_key2, &priv_key2); -+ DH_get0_pqg(dh1, &p1, NULL, &g1); -+ DH_get0_pqg(dh2, &p2, NULL, &g2); - -- if (status != 0) -+ if (BN_cmp(p1, p2) != 0 || BN_cmp(g1, g2) != 0 || -+ BN_cmp(pub_key1, pub_key2) != 0) - return (ISC_FALSE); - -- if (dh1->priv_key != NULL || dh2->priv_key != NULL) { -- if (dh1->priv_key == NULL || dh2->priv_key == NULL) -+ if (priv_key1 != NULL || priv_key2 != NULL) { -+ if (priv_key1 == NULL || priv_key2 == NULL) - return (ISC_FALSE); -- if (BN_cmp(dh1->priv_key, dh2->priv_key) != 0) -+ if (BN_cmp(priv_key1, priv_key2) != 0) - return (ISC_FALSE); - } - return (ISC_TRUE); -@@ -131,8 +200,8 @@ openssldh_compare(const dst_key_t *key1, - - static isc_boolean_t - openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) { -- int status; - DH *dh1, *dh2; -+ const BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL; - - dh1 = key1->keydata.dh; - dh2 = key2->keydata.dh; -@@ -142,10 +211,10 @@ openssldh_paramcompare(const dst_key_t * - else if (dh1 == NULL || dh2 == NULL) - return (ISC_FALSE); - -- status = BN_cmp(dh1->p, dh2->p) || -- BN_cmp(dh1->g, dh2->g); -+ DH_get0_pqg(dh1, &p1, NULL, &g1); -+ DH_get0_pqg(dh2, &p2, NULL, &g2); - -- 
if (status != 0) -+ if (BN_cmp(p1, p2) != 0 || BN_cmp(g1, g2) != 0) - return (ISC_FALSE); - return (ISC_TRUE); - } -@@ -190,16 +259,25 @@ openssldh_generate(dst_key_t *key, int g - key->key_size == 1024 || - key->key_size == 1536) - { -+ BIGNUM *p, *g; - dh = DH_new(); -- if (dh == NULL) -- return (dst__openssl_toresult(ISC_R_NOMEMORY)); - if (key->key_size == 768) -- dh->p = bn768; -+ p = BN_dup(bn768); - else if (key->key_size == 1024) -- dh->p = bn1024; -+ p = BN_dup(bn1024); - else -- dh->p = bn1536; -- dh->g = bn2; -+ p = BN_dup(bn1536); -+ g = BN_dup(bn2); -+ if (dh == NULL || p == NULL || g == NULL) { -+ if (dh != NULL) -+ DH_free(dh); -+ if (p != NULL) -+ BN_free(p); -+ if (g != NULL) -+ BN_free(g); -+ return (dst__openssl_toresult(ISC_R_NOMEMORY)); -+ } -+ DH_set0_pqg(dh, p, NULL, g); - } else - generator = 2; - } -@@ -247,8 +325,7 @@ openssldh_generate(dst_key_t *key, int g - return (dst__openssl_toresult2("DH_generate_key", - DST_R_OPENSSLFAILURE)); - } -- dh->flags &= ~DH_FLAG_CACHE_MONT_P; -- -+ DH_clear_flags(dh, DH_FLAG_CACHE_MONT_P); - key->keydata.dh = dh; - - return (ISC_R_SUCCESS); -@@ -257,7 +334,10 @@ openssldh_generate(dst_key_t *key, int g - static isc_boolean_t - openssldh_isprivate(const dst_key_t *key) { - DH *dh = key->keydata.dh; -- return (ISC_TF(dh != NULL && dh->priv_key != NULL)); -+ const BIGNUM *priv_key = NULL; -+ -+ DH_get0_key(dh, NULL, &priv_key); -+ return (ISC_TF(dh != NULL && priv_key != NULL)); - } - - static void -@@ -267,10 +347,6 @@ openssldh_destroy(dst_key_t *key) { - if (dh == NULL) - return; - -- if (dh->p == bn768 || dh->p == bn1024 || dh->p == bn1536) -- dh->p = NULL; -- if (dh->g == bn2) -- dh->g = NULL; - DH_free(dh); - key->keydata.dh = NULL; - } -@@ -299,6 +375,7 @@ uint16_fromregion(isc_region_t *region) - static isc_result_t - openssldh_todns(const dst_key_t *key, isc_buffer_t *data) { - DH *dh; -+ const BIGNUM *pub_key = NULL, *p = NULL, *g = NULL; - isc_region_t r; - isc_uint16_t dnslen, plen, glen, publen; 
- -@@ -308,40 +385,43 @@ openssldh_todns(const dst_key_t *key, is - - isc_buffer_availableregion(data, &r); - -- if (dh->g == bn2 && -- (dh->p == bn768 || dh->p == bn1024 || dh->p == bn1536)) { -+ DH_get0_pqg(dh, &p, NULL, &g); -+ if (BN_cmp(g, bn2) == 0 && -+ (BN_cmp(p, bn768) == 0 || -+ BN_cmp(p, bn1024) == 0 || -+ BN_cmp(p, bn1536) == 0)) { - plen = 1; - glen = 0; - } - else { -- plen = BN_num_bytes(dh->p); -- glen = BN_num_bytes(dh->g); -+ plen = BN_num_bytes(p); -+ glen = BN_num_bytes(g); - } -- publen = BN_num_bytes(dh->pub_key); -+ DH_get0_key(dh, &pub_key, NULL); -+ publen = BN_num_bytes(pub_key); - dnslen = plen + glen + publen + 6; - if (r.length < (unsigned int) dnslen) - return (ISC_R_NOSPACE); - - uint16_toregion(plen, &r); - if (plen == 1) { -- if (dh->p == bn768) -+ if (BN_cmp(p, bn768) == 0) - *r.base = 1; -- else if (dh->p == bn1024) -+ else if (BN_cmp(p, bn1024) == 0) - *r.base = 2; - else - *r.base = 3; -- } -- else -- BN_bn2bin(dh->p, r.base); -+ } else -+ BN_bn2bin(p, r.base); - isc_region_consume(&r, plen); - - uint16_toregion(glen, &r); - if (glen > 0) -- BN_bn2bin(dh->g, r.base); -+ BN_bn2bin(g, r.base); - isc_region_consume(&r, glen); - - uint16_toregion(publen, &r); -- BN_bn2bin(dh->pub_key, r.base); -+ BN_bn2bin(pub_key, r.base); - isc_region_consume(&r, publen); - - isc_buffer_add(data, dnslen); -@@ -352,6 +432,7 @@ openssldh_todns(const dst_key_t *key, is - static isc_result_t - openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { - DH *dh; -+ BIGNUM *pub_key = NULL, *p = NULL, *g = NULL; - isc_region_t r; - isc_uint16_t plen, glen, publen; - int special = 0; -@@ -363,7 +444,7 @@ openssldh_fromdns(dst_key_t *key, isc_bu - dh = DH_new(); - if (dh == NULL) - return (dst__openssl_toresult(ISC_R_NOMEMORY)); -- dh->flags &= ~DH_FLAG_CACHE_MONT_P; -+ DH_clear_flags(dh, DH_FLAG_CACHE_MONT_P); - - /* - * Read the prime length. 
1 & 2 are table entries, > 16 means a -@@ -391,20 +472,20 @@ openssldh_fromdns(dst_key_t *key, isc_bu - } - switch (special) { - case 1: -- dh->p = bn768; -+ p = BN_dup(bn768); - break; - case 2: -- dh->p = bn1024; -+ p = BN_dup(bn1024); - break; - case 3: -- dh->p = bn1536; -+ p = BN_dup(bn1536); - break; - default: - DH_free(dh); - return (DST_R_INVALIDPUBLICKEY); - } - } else { -- dh->p = BN_bin2bn(r.base, plen, NULL); -+ p = BN_bin2bn(r.base, plen, NULL); - isc_region_consume(&r, plen); - } - -@@ -424,15 +505,12 @@ openssldh_fromdns(dst_key_t *key, isc_bu - } - if (special != 0) { - if (glen == 0) -- dh->g = bn2; -+ g = BN_dup(bn2); - else { -- dh->g = BN_bin2bn(r.base, glen, NULL); -- if (BN_cmp(dh->g, bn2) == 0) { -- BN_free(dh->g); -- dh->g = bn2; -- } -- else { -+ g = BN_bin2bn(r.base, glen, NULL); -+ if (g != NULL && BN_cmp(g, bn2) != 0) { - DH_free(dh); -+ BN_free(g); - return (DST_R_INVALIDPUBLICKEY); - } - } -@@ -441,10 +519,20 @@ openssldh_fromdns(dst_key_t *key, isc_bu - DH_free(dh); - return (DST_R_INVALIDPUBLICKEY); - } -- dh->g = BN_bin2bn(r.base, glen, NULL); -+ g = BN_bin2bn(r.base, glen, NULL); - } - isc_region_consume(&r, glen); - -+ if (p == NULL || g == NULL) { -+ DH_free(dh); -+ if (p != NULL) -+ BN_free(p); -+ if (g != NULL) -+ BN_free(g); -+ return (dst__openssl_toresult(ISC_R_NOMEMORY)); -+ } -+ DH_set0_pqg(dh, p, NULL, g); -+ - if (r.length < 2) { - DH_free(dh); - return (DST_R_INVALIDPUBLICKEY); -@@ -454,10 +542,15 @@ openssldh_fromdns(dst_key_t *key, isc_bu - DH_free(dh); - return (DST_R_INVALIDPUBLICKEY); - } -- dh->pub_key = BN_bin2bn(r.base, publen, NULL); -+ pub_key = BN_bin2bn(r.base, publen, NULL); -+ if (pub_key == NULL) { -+ DH_free(dh); -+ return (dst__openssl_toresult(ISC_R_NOMEMORY)); -+ } -+ DH_set0_key(dh, pub_key, NULL); - isc_region_consume(&r, publen); - -- key->key_size = BN_num_bits(dh->p); -+ key->key_size = BN_num_bits(p); - - isc_buffer_forward(data, plen + glen + publen + 6); - -@@ -470,6 +563,7 @@ static 
isc_result_t - openssldh_tofile(const dst_key_t *key, const char *directory) { - int i; - DH *dh; -+ const BIGNUM *pub_key = NULL, *priv_key = NULL, *p = NULL, *g = NULL; - dst_private_t priv; - unsigned char *bufs[4]; - isc_result_t result; -@@ -481,10 +575,12 @@ openssldh_tofile(const dst_key_t *key, c - return (DST_R_EXTERNALKEY); - - dh = key->keydata.dh; -+ DH_get0_key(dh, &pub_key, &priv_key); -+ DH_get0_pqg(dh, &p, NULL, &g); - - memset(bufs, 0, sizeof(bufs)); - for (i = 0; i < 4; i++) { -- bufs[i] = isc_mem_get(key->mctx, BN_num_bytes(dh->p)); -+ bufs[i] = isc_mem_get(key->mctx, BN_num_bytes(p)); - if (bufs[i] == NULL) { - result = ISC_R_NOMEMORY; - goto fail; -@@ -494,26 +590,26 @@ openssldh_tofile(const dst_key_t *key, c - i = 0; - - priv.elements[i].tag = TAG_DH_PRIME; -- priv.elements[i].length = BN_num_bytes(dh->p); -- BN_bn2bin(dh->p, bufs[i]); -+ priv.elements[i].length = BN_num_bytes(p); -+ BN_bn2bin(p, bufs[i]); - priv.elements[i].data = bufs[i]; - i++; - - priv.elements[i].tag = TAG_DH_GENERATOR; -- priv.elements[i].length = BN_num_bytes(dh->g); -- BN_bn2bin(dh->g, bufs[i]); -+ priv.elements[i].length = BN_num_bytes(g); -+ BN_bn2bin(g, bufs[i]); - priv.elements[i].data = bufs[i]; - i++; - - priv.elements[i].tag = TAG_DH_PRIVATE; -- priv.elements[i].length = BN_num_bytes(dh->priv_key); -- BN_bn2bin(dh->priv_key, bufs[i]); -+ priv.elements[i].length = BN_num_bytes(priv_key); -+ BN_bn2bin(priv_key, bufs[i]); - priv.elements[i].data = bufs[i]; - i++; - - priv.elements[i].tag = TAG_DH_PUBLIC; -- priv.elements[i].length = BN_num_bytes(dh->pub_key); -- BN_bn2bin(dh->pub_key, bufs[i]); -+ priv.elements[i].length = BN_num_bytes(pub_key); -+ BN_bn2bin(pub_key, bufs[i]); - priv.elements[i].data = bufs[i]; - i++; - -@@ -523,7 +619,7 @@ openssldh_tofile(const dst_key_t *key, c - for (i = 0; i < 4; i++) { - if (bufs[i] == NULL) - break; -- isc_mem_put(key->mctx, bufs[i], BN_num_bytes(dh->p)); -+ isc_mem_put(key->mctx, bufs[i], BN_num_bytes(p)); - } - return 
(result); - } -@@ -534,6 +630,7 @@ openssldh_parse(dst_key_t *key, isc_lex_ - isc_result_t ret; - int i; - DH *dh = NULL; -+ BIGNUM *pub_key = NULL, *priv_key = NULL, *p = NULL, *g = NULL; - isc_mem_t *mctx; - #define DST_RET(a) {ret = a; goto err;} - -@@ -551,63 +648,47 @@ openssldh_parse(dst_key_t *key, isc_lex_ - dh = DH_new(); - if (dh == NULL) - DST_RET(ISC_R_NOMEMORY); -- dh->flags &= ~DH_FLAG_CACHE_MONT_P; -+ DH_clear_flags(dh, DH_FLAG_CACHE_MONT_P); - key->keydata.dh = dh; - - for (i = 0; i < priv.nelements; i++) { - BIGNUM *bn; - bn = BN_bin2bn(priv.elements[i].data, - priv.elements[i].length, NULL); -- if (bn == NULL) -+ if (bn == NULL) - DST_RET(ISC_R_NOMEMORY); - - switch (priv.elements[i].tag) { - case TAG_DH_PRIME: -- dh->p = bn; -+ p = bn; - break; - case TAG_DH_GENERATOR: -- dh->g = bn; -+ g = bn; - break; - case TAG_DH_PRIVATE: -- dh->priv_key = bn; -+ priv_key = bn; - break; - case TAG_DH_PUBLIC: -- dh->pub_key = bn; -+ pub_key = bn; - break; - } - } - dst__privstruct_free(&priv, mctx); -+ DH_set0_key(dh, pub_key, priv_key); -+ DH_set0_pqg(dh, p, NULL, g); - -- key->key_size = BN_num_bits(dh->p); -- -- if ((key->key_size == 768 || -- key->key_size == 1024 || -- key->key_size == 1536) && -- BN_cmp(dh->g, bn2) == 0) -- { -- if (key->key_size == 768 && BN_cmp(dh->p, bn768) == 0) { -- BN_free(dh->p); -- BN_free(dh->g); -- dh->p = bn768; -- dh->g = bn2; -- } else if (key->key_size == 1024 && -- BN_cmp(dh->p, bn1024) == 0) { -- BN_free(dh->p); -- BN_free(dh->g); -- dh->p = bn1024; -- dh->g = bn2; -- } else if (key->key_size == 1536 && -- BN_cmp(dh->p, bn1536) == 0) { -- BN_free(dh->p); -- BN_free(dh->g); -- dh->p = bn1536; -- dh->g = bn2; -- } -- } -- -+ key->key_size = BN_num_bits(p); - return (ISC_R_SUCCESS); - - err: -+ if (p != NULL) -+ BN_free(p); -+ if (g != NULL) -+ BN_free(g); -+ if (pub_key != NULL) -+ BN_free(pub_key); -+ if (priv_key != NULL) -+ BN_free(priv_key); - openssldh_destroy(key); - dst__privstruct_free(&priv, mctx); - memset(&priv, 
0, sizeof(priv)); -Index: bind-9.10.4-P5/lib/dns/openssldsa_link.c -=================================================================== ---- bind-9.10.4-P5.orig/lib/dns/openssldsa_link.c -+++ bind-9.10.4-P5/lib/dns/openssldsa_link.c -@@ -53,6 +53,79 @@ - - static isc_result_t openssldsa_todns(const dst_key_t *key, isc_buffer_t *data); - -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) -+static void -+DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q, -+ const BIGNUM **g) -+{ -+ if (p != NULL) -+ *p = d->p; -+ if (q != NULL) -+ *q = d->q; -+ if (g != NULL) -+ *g = d->g; -+} -+ -+static int -+DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g) { -+ if (p == NULL || q == NULL || g == NULL) -+ return 0; -+ BN_free(d->p); -+ BN_free(d->q); -+ BN_free(d->g); -+ d->p = p; -+ d->q = q; -+ d->g = g; -+ -+ return 1; -+} -+ -+static void -+DSA_get0_key(const DSA *d, const BIGNUM **pub_key, const BIGNUM **priv_key) { -+ if (pub_key != NULL) -+ *pub_key = d->pub_key; -+ if (priv_key != NULL) -+ *priv_key = d->priv_key; -+} -+ -+static int -+DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key) { -+ /* Note that it is valid for priv_key to be NULL */ -+ if (pub_key == NULL) -+ return 0; -+ -+ BN_free(d->pub_key); -+ BN_free(d->priv_key); -+ d->pub_key = pub_key; -+ d->priv_key = priv_key; -+ -+ return 1; -+} -+ -+static void -+DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) { -+ *pr = sig->r; -+ *ps = sig->s; -+} -+ -+static int -+DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s) { -+ if (r == NULL || s == NULL) -+ return 0; -+ -+ BN_clear_free(sig->r); -+ BN_clear_free(sig->s); -+ sig->r = r; -+ sig->s = s; -+ -+ return 1; -+} -+ -+ -+#define DSA_clear_flags(d, x) (d)->flags &= ~(x) -+ -+#endif -+ - static isc_result_t - openssldsa_createctx(dst_key_t *key, dst_context_t *dctx) { - #if USE_EVP -@@ -123,7 +196,7 @@ openssldsa_adddata(dst_context_t *dctx, - } - - static int --BN_bn2bin_fixed(BIGNUM *bn, unsigned 
char *buf, int size) { -+BN_bn2bin_fixed(const BIGNUM *bn, unsigned char *buf, int size) { - int bytes = size - BN_num_bytes(bn); - while (bytes-- > 0) - *buf++ = 0; -@@ -135,8 +208,9 @@ static isc_result_t - openssldsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { - dst_key_t *key = dctx->key; - DSA *dsa = key->keydata.dsa; -- isc_region_t r; -+ isc_region_t region; - DSA_SIG *dsasig; -+ const BIGNUM *r = 0, *s = NULL; - unsigned int klen; - #if USE_EVP - EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx; -@@ -149,8 +223,8 @@ openssldsa_sign(dst_context_t *dctx, isc - unsigned char digest[ISC_SHA1_DIGESTLENGTH]; - #endif - -- isc_buffer_availableregion(sig, &r); -- if (r.length < ISC_SHA1_DIGESTLENGTH * 2 + 1) -+ isc_buffer_availableregion(sig, ®ion); -+ if (region.length < ISC_SHA1_DIGESTLENGTH * 2 + 1) - return (ISC_R_NOSPACE); - - #if USE_EVP -@@ -215,13 +289,14 @@ openssldsa_sign(dst_context_t *dctx, isc - klen = (key->key_size - 512)/64; - if (klen > 255) - return (ISC_R_FAILURE); -- *r.base = klen; -- isc_region_consume(&r, 1); -+ *region.base = klen; -+ isc_region_consume(®ion, 1); - -- BN_bn2bin_fixed(dsasig->r, r.base, ISC_SHA1_DIGESTLENGTH); -- isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH); -- BN_bn2bin_fixed(dsasig->s, r.base, ISC_SHA1_DIGESTLENGTH); -- isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH); -+ DSA_SIG_get0(dsasig, &r, &s); -+ BN_bn2bin_fixed(r, region.base, ISC_SHA1_DIGESTLENGTH); -+ isc_region_consume(®ion, ISC_SHA1_DIGESTLENGTH); -+ BN_bn2bin_fixed(s, region.base, ISC_SHA1_DIGESTLENGTH); -+ isc_region_consume(®ion, ISC_SHA1_DIGESTLENGTH); - DSA_SIG_free(dsasig); - isc_buffer_add(sig, ISC_SHA1_DIGESTLENGTH * 2 + 1); - -@@ -232,6 +307,7 @@ static isc_result_t - openssldsa_verify(dst_context_t *dctx, const isc_region_t *sig) { - dst_key_t *key = dctx->key; - DSA *dsa = key->keydata.dsa; -+ BIGNUM *r = NULL, *s = NULL; - int status = 0; - unsigned char *cp = sig->base; - DSA_SIG *dsasig; -@@ -267,9 +343,10 @@ openssldsa_verify(dst_context_t 
*dctx, c - dsasig = DSA_SIG_new(); - if (dsasig == NULL) - return (ISC_R_NOMEMORY); -- dsasig->r = BN_bin2bn(cp, ISC_SHA1_DIGESTLENGTH, NULL); -+ r = BN_bin2bn(cp, ISC_SHA1_DIGESTLENGTH, NULL); - cp += ISC_SHA1_DIGESTLENGTH; -- dsasig->s = BN_bin2bn(cp, ISC_SHA1_DIGESTLENGTH, NULL); -+ s = BN_bin2bn(cp, ISC_SHA1_DIGESTLENGTH, NULL); -+ DSA_SIG_set0(dsasig, r, s); - - #if 0 - pkey = EVP_PKEY_new(); -@@ -308,8 +385,11 @@ openssldsa_verify(dst_context_t *dctx, c - - static isc_boolean_t - openssldsa_compare(const dst_key_t *key1, const dst_key_t *key2) { -- int status; - DSA *dsa1, *dsa2; -+ const BIGNUM *pub_key1 = NULL, *priv_key1 = NULL; -+ const BIGNUM *pub_key2 = NULL, *priv_key2 = NULL; -+ const BIGNUM *p1 = NULL, *q1 = NULL, *g1 = NULL; -+ const BIGNUM *p2 = NULL, *q2 = NULL, *g2 = NULL; - - dsa1 = key1->keydata.dsa; - dsa2 = key2->keydata.dsa; -@@ -319,18 +399,19 @@ openssldsa_compare(const dst_key_t *key1 - else if (dsa1 == NULL || dsa2 == NULL) - return (ISC_FALSE); - -- status = BN_cmp(dsa1->p, dsa2->p) || -- BN_cmp(dsa1->q, dsa2->q) || -- BN_cmp(dsa1->g, dsa2->g) || -- BN_cmp(dsa1->pub_key, dsa2->pub_key); -+ DSA_get0_key(dsa1, &pub_key1, &priv_key1); -+ DSA_get0_key(dsa2, &pub_key2, &priv_key2); -+ DSA_get0_pqg(dsa1, &p1, &q1, &g1); -+ DSA_get0_pqg(dsa2, &p2, &q2, &g2); - -- if (status != 0) -+ if (BN_cmp(p1, p2) != 0 || BN_cmp(q1, q2) != 0 || -+ BN_cmp(g1, g2) != 0 || BN_cmp(pub_key1, pub_key2) != 0) - return (ISC_FALSE); - -- if (dsa1->priv_key != NULL || dsa2->priv_key != NULL) { -- if (dsa1->priv_key == NULL || dsa2->priv_key == NULL) -+ if (priv_key1 != NULL || priv_key2 != NULL) { -+ if (priv_key1 == NULL || priv_key2 == NULL) - return (ISC_FALSE); -- if (BN_cmp(dsa1->priv_key, dsa2->priv_key)) -+ if (BN_cmp(priv_key1, priv_key2)) - return (ISC_FALSE); - } - return (ISC_TRUE); -@@ -422,7 +503,8 @@ openssldsa_generate(dst_key_t *key, int - return (dst__openssl_toresult2("DSA_generate_key", - DST_R_OPENSSLFAILURE)); - } -- dsa->flags &= 
~DSA_FLAG_CACHE_MONT_P; -+ -+ DSA_clear_flags(dsa, DSA_FLAG_CACHE_MONT_P); - - key->keydata.dsa = dsa; - -@@ -432,7 +514,10 @@ openssldsa_generate(dst_key_t *key, int - static isc_boolean_t - openssldsa_isprivate(const dst_key_t *key) { - DSA *dsa = key->keydata.dsa; -- return (ISC_TF(dsa != NULL && dsa->priv_key != NULL)); -+ const BIGNUM *priv_key = NULL; -+ -+ DSA_get0_key(dsa, NULL, &priv_key); -+ return (ISC_TF(dsa != NULL && priv_key != NULL)); - } - - static void -@@ -446,6 +531,7 @@ openssldsa_destroy(dst_key_t *key) { - static isc_result_t - openssldsa_todns(const dst_key_t *key, isc_buffer_t *data) { - DSA *dsa; -+ const BIGNUM *pub_key, *p = NULL, *q = NULL, *g = NULL; - isc_region_t r; - int dnslen; - unsigned int t, p_bytes; -@@ -456,7 +542,10 @@ openssldsa_todns(const dst_key_t *key, i - - isc_buffer_availableregion(data, &r); - -- t = (BN_num_bytes(dsa->p) - 64) / 8; -+ DSA_get0_key(dsa, &pub_key, NULL); -+ DSA_get0_pqg(dsa, &p, &q, &g); -+ -+ t = (BN_num_bytes(p) - 64) / 8; - if (t > 8) - return (DST_R_INVALIDPUBLICKEY); - p_bytes = 64 + 8 * t; -@@ -467,13 +556,14 @@ openssldsa_todns(const dst_key_t *key, i - - *r.base = t; - isc_region_consume(&r, 1); -- BN_bn2bin_fixed(dsa->q, r.base, ISC_SHA1_DIGESTLENGTH); -+ -+ BN_bn2bin_fixed(q, r.base, ISC_SHA1_DIGESTLENGTH); - isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH); -- BN_bn2bin_fixed(dsa->p, r.base, key->key_size/8); -+ BN_bn2bin_fixed(p, r.base, key->key_size/8); - isc_region_consume(&r, p_bytes); -- BN_bn2bin_fixed(dsa->g, r.base, key->key_size/8); -+ BN_bn2bin_fixed(g, r.base, key->key_size/8); - isc_region_consume(&r, p_bytes); -- BN_bn2bin_fixed(dsa->pub_key, r.base, key->key_size/8); -+ BN_bn2bin_fixed(pub_key, r.base, key->key_size/8); - isc_region_consume(&r, p_bytes); - - isc_buffer_add(data, dnslen); -@@ -484,6 +574,7 @@ openssldsa_todns(const dst_key_t *key, i - static isc_result_t - openssldsa_fromdns(dst_key_t *key, isc_buffer_t *data) { - DSA *dsa; -+ BIGNUM *pub_key, *p, *q, *g; - 
isc_region_t r; - unsigned int t, p_bytes; - isc_mem_t *mctx = key->mctx; -@@ -497,7 +588,7 @@ openssldsa_fromdns(dst_key_t *key, isc_b - dsa = DSA_new(); - if (dsa == NULL) - return (ISC_R_NOMEMORY); -- dsa->flags &= ~DSA_FLAG_CACHE_MONT_P; -+ DSA_clear_flags(dsa, DSA_FLAG_CACHE_MONT_P); - - t = (unsigned int) *r.base; - isc_region_consume(&r, 1); -@@ -512,18 +603,29 @@ openssldsa_fromdns(dst_key_t *key, isc_b - return (DST_R_INVALIDPUBLICKEY); - } - -- dsa->q = BN_bin2bn(r.base, ISC_SHA1_DIGESTLENGTH, NULL); -+ q = BN_bin2bn(r.base, ISC_SHA1_DIGESTLENGTH, NULL); - isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH); - -- dsa->p = BN_bin2bn(r.base, p_bytes, NULL); -+ p = BN_bin2bn(r.base, p_bytes, NULL); - isc_region_consume(&r, p_bytes); - -- dsa->g = BN_bin2bn(r.base, p_bytes, NULL); -+ g = BN_bin2bn(r.base, p_bytes, NULL); - isc_region_consume(&r, p_bytes); - -- dsa->pub_key = BN_bin2bn(r.base, p_bytes, NULL); -+ pub_key = BN_bin2bn(r.base, p_bytes, NULL); - isc_region_consume(&r, p_bytes); - -+ if (pub_key == NULL || p == NULL || q == NULL || g == NULL) { -+ DSA_free(dsa); -+ if (p != NULL) BN_free(p); -+ if (q != NULL) BN_free(q); -+ if (g != NULL) BN_free(g); -+ return (ISC_R_NOMEMORY); -+ } -+ -+ DSA_set0_key(dsa, pub_key, NULL); -+ DSA_set0_pqg(dsa, p, q, g); -+ - key->key_size = p_bytes * 8; - - isc_buffer_forward(data, 1 + ISC_SHA1_DIGESTLENGTH + 3 * p_bytes); -@@ -538,6 +640,8 @@ static isc_result_t - openssldsa_tofile(const dst_key_t *key, const char *directory) { - int cnt = 0; - DSA *dsa; -+ const BIGNUM *pub_key = NULL, *priv_key = NULL; -+ const BIGNUM *p = NULL, *q = NULL, *g = NULL; - dst_private_t priv; - unsigned char bufs[5][128]; - -@@ -551,33 +655,36 @@ openssldsa_tofile(const dst_key_t *key, - - dsa = key->keydata.dsa; - -+ DSA_get0_key(dsa, &pub_key, &priv_key); -+ DSA_get0_pqg(dsa, &p, &q, &g); -+ - priv.elements[cnt].tag = TAG_DSA_PRIME; -- priv.elements[cnt].length = BN_num_bytes(dsa->p); -- BN_bn2bin(dsa->p, bufs[cnt]); -+ 
priv.elements[cnt].length = BN_num_bytes(p); -+ BN_bn2bin(p, bufs[cnt]); - priv.elements[cnt].data = bufs[cnt]; - cnt++; - - priv.elements[cnt].tag = TAG_DSA_SUBPRIME; -- priv.elements[cnt].length = BN_num_bytes(dsa->q); -- BN_bn2bin(dsa->q, bufs[cnt]); -+ priv.elements[cnt].length = BN_num_bytes(q); -+ BN_bn2bin(q, bufs[cnt]); - priv.elements[cnt].data = bufs[cnt]; - cnt++; - - priv.elements[cnt].tag = TAG_DSA_BASE; -- priv.elements[cnt].length = BN_num_bytes(dsa->g); -- BN_bn2bin(dsa->g, bufs[cnt]); -+ priv.elements[cnt].length = BN_num_bytes(g); -+ BN_bn2bin(g, bufs[cnt]); - priv.elements[cnt].data = bufs[cnt]; - cnt++; - - priv.elements[cnt].tag = TAG_DSA_PRIVATE; -- priv.elements[cnt].length = BN_num_bytes(dsa->priv_key); -- BN_bn2bin(dsa->priv_key, bufs[cnt]); -+ priv.elements[cnt].length = BN_num_bytes(priv_key); -+ BN_bn2bin(priv_key, bufs[cnt]); - priv.elements[cnt].data = bufs[cnt]; - cnt++; - - priv.elements[cnt].tag = TAG_DSA_PUBLIC; -- priv.elements[cnt].length = BN_num_bytes(dsa->pub_key); -- BN_bn2bin(dsa->pub_key, bufs[cnt]); -+ priv.elements[cnt].length = BN_num_bytes(pub_key); -+ BN_bn2bin(pub_key, bufs[cnt]); - priv.elements[cnt].data = bufs[cnt]; - cnt++; - -@@ -591,6 +698,8 @@ openssldsa_parse(dst_key_t *key, isc_lex - isc_result_t ret; - int i; - DSA *dsa = NULL; -+ BIGNUM *pub_key = NULL, *priv_key = NULL; -+ BIGNUM *p = NULL, *q = NULL, *g = NULL; - isc_mem_t *mctx = key->mctx; - #define DST_RET(a) {ret = a; goto err;} - -@@ -615,7 +724,7 @@ openssldsa_parse(dst_key_t *key, isc_lex - dsa = DSA_new(); - if (dsa == NULL) - DST_RET(ISC_R_NOMEMORY); -- dsa->flags &= ~DSA_FLAG_CACHE_MONT_P; -+ DSA_clear_flags(dsa, DSA_FLAG_CACHE_MONT_P); - key->keydata.dsa = dsa; - - for (i = 0; i < priv.nelements; i++) { -@@ -627,28 +736,36 @@ openssldsa_parse(dst_key_t *key, isc_lex - - switch (priv.elements[i].tag) { - case TAG_DSA_PRIME: -- dsa->p = bn; -+ p = bn; - break; - case TAG_DSA_SUBPRIME: -- dsa->q = bn; -+ q = bn; - break; - case TAG_DSA_BASE: -- 
dsa->g = bn; -+ g = bn; - break; - case TAG_DSA_PRIVATE: -- dsa->priv_key = bn; -+ priv_key = bn; - break; - case TAG_DSA_PUBLIC: -- dsa->pub_key = bn; -+ pub_key = bn; - break; - } - } - dst__privstruct_free(&priv, mctx); - memset(&priv, 0, sizeof(priv)); -- key->key_size = BN_num_bits(dsa->p); -+ DSA_set0_key(dsa, pub_key, priv_key); -+ DSA_set0_pqg(dsa, p, q, g); -+ key->key_size = BN_num_bits(p); - return (ISC_R_SUCCESS); - - err: -+ if (p != NULL) -+ BN_free(p); -+ if (q != NULL) -+ BN_free(q); -+ if (g != NULL) -+ BN_free(g); - openssldsa_destroy(key); - dst__privstruct_free(&priv, mctx); - memset(&priv, 0, sizeof(priv)); -Index: bind-9.10.4-P5/lib/dns/opensslecdsa_link.c -=================================================================== ---- bind-9.10.4-P5.orig/lib/dns/opensslecdsa_link.c -+++ bind-9.10.4-P5/lib/dns/opensslecdsa_link.c -@@ -49,6 +49,30 @@ - - #define DST_RET(a) {ret = a; goto err;} - -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+/* From OpenSSL 1.1 */ -+static void -+ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) { -+ if (pr != NULL) -+ *pr = sig->r; -+ if (ps != NULL) -+ *ps = sig->s; -+} -+ -+static int -+ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s) { -+ if (r == NULL || s == NULL) -+ return 0; -+ -+ BN_clear_free(sig->r); -+ BN_clear_free(sig->s); -+ sig->r = r; -+ sig->s = s; -+ -+ return 1; -+} -+#endif -+ - static isc_result_t opensslecdsa_todns(const dst_key_t *key, - isc_buffer_t *data); - -@@ -110,7 +134,7 @@ opensslecdsa_adddata(dst_context_t *dctx - } - - static int --BN_bn2bin_fixed(BIGNUM *bn, unsigned char *buf, int size) { -+BN_bn2bin_fixed(const BIGNUM *bn, unsigned char *buf, int size) { - int bytes = size - BN_num_bytes(bn); - - while (bytes-- > 0) -@@ -123,13 +147,14 @@ static isc_result_t - opensslecdsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { - isc_result_t ret; - dst_key_t *key = dctx->key; -- isc_region_t r; -+ isc_region_t region; - ECDSA_SIG *ecdsasig; - EVP_MD_CTX 
*evp_md_ctx = dctx->ctxdata.evp_md_ctx; - EVP_PKEY *pkey = key->keydata.pkey; - EC_KEY *eckey = EVP_PKEY_get1_EC_KEY(pkey); - unsigned int dgstlen, siglen; - unsigned char digest[EVP_MAX_MD_SIZE]; -+ const BIGNUM *r, *s; - - REQUIRE(key->key_alg == DST_ALG_ECDSA256 || - key->key_alg == DST_ALG_ECDSA384); -@@ -142,8 +167,8 @@ opensslecdsa_sign(dst_context_t *dctx, i - else - siglen = DNS_SIG_ECDSA384SIZE; - -- isc_buffer_availableregion(sig, &r); -- if (r.length < siglen) -+ isc_buffer_availableregion(sig, ®ion); -+ if (region.length < siglen) - DST_RET(ISC_R_NOSPACE); - - if (!EVP_DigestFinal(evp_md_ctx, digest, &dgstlen)) -@@ -156,10 +181,11 @@ opensslecdsa_sign(dst_context_t *dctx, i - DST_RET(dst__openssl_toresult3(dctx->category, - "ECDSA_do_sign", - DST_R_SIGNFAILURE)); -- BN_bn2bin_fixed(ecdsasig->r, r.base, siglen / 2); -- isc_region_consume(&r, siglen / 2); -- BN_bn2bin_fixed(ecdsasig->s, r.base, siglen / 2); -- isc_region_consume(&r, siglen / 2); -+ ECDSA_SIG_get0(ecdsasig, &r, &s); -+ BN_bn2bin_fixed(r, region.base, siglen / 2); -+ isc_region_consume(®ion, siglen / 2); -+ BN_bn2bin_fixed(s, region.base, siglen / 2); -+ isc_region_consume(®ion, siglen / 2); - ECDSA_SIG_free(ecdsasig); - isc_buffer_add(sig, siglen); - ret = ISC_R_SUCCESS; -@@ -182,6 +208,7 @@ opensslecdsa_verify(dst_context_t *dctx, - EC_KEY *eckey = EVP_PKEY_get1_EC_KEY(pkey); - unsigned int dgstlen, siglen; - unsigned char digest[EVP_MAX_MD_SIZE]; -+ BIGNUM *r = NULL, *s = NULL ; - - REQUIRE(key->key_alg == DST_ALG_ECDSA256 || - key->key_alg == DST_ALG_ECDSA384); -@@ -205,13 +232,10 @@ opensslecdsa_verify(dst_context_t *dctx, - ecdsasig = ECDSA_SIG_new(); - if (ecdsasig == NULL) - DST_RET (ISC_R_NOMEMORY); -- if (ecdsasig->r != NULL) -- BN_free(ecdsasig->r); -- ecdsasig->r = BN_bin2bn(cp, siglen / 2, NULL); -+ r = BN_bin2bn(cp, siglen / 2, NULL); - cp += siglen / 2; -- if (ecdsasig->s != NULL) -- BN_free(ecdsasig->s); -- ecdsasig->s = BN_bin2bn(cp, siglen / 2, NULL); -+ s = BN_bin2bn(cp, 
siglen / 2, NULL); -+ ECDSA_SIG_set0(ecdsasig, r, s); - /* cp += siglen / 2; */ - - status = ECDSA_do_verify(digest, dgstlen, ecdsasig, eckey); -Index: bind-9.10.4-P5/lib/dns/opensslgost_link.c -=================================================================== ---- bind-9.10.4-P5.orig/lib/dns/opensslgost_link.c -+++ bind-9.10.4-P5/lib/dns/opensslgost_link.c -@@ -36,6 +36,11 @@ - #include - #include - -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+#define EVP_MD_CTX_new() &(ctx->_ctx), EVP_MD_CTX_init(&(ctx->_ctx)) -+#define EVP_MD_CTX_free(ptr) EVP_MD_CTX_cleanup(ptr) -+#endif -+ - static ENGINE *e = NULL; - static const EVP_MD *opensslgost_digest; - extern const EVP_MD *EVP_gost(void); -@@ -56,8 +61,10 @@ isc_gost_init(isc_gost_t *ctx) { - md = EVP_gost(); - if (md == NULL) - return (DST_R_CRYPTOFAILURE); -- EVP_MD_CTX_init(ctx); -- ret = EVP_DigestInit(ctx, md); -+ ctx->ctx = EVP_MD_CTX_new(); -+ if (ctx->ctx == NULL) -+ return (ISC_R_NOMEMORY); -+ ret = EVP_DigestInit(ctx->ctx, md); - if (ret != 1) - return (DST_R_CRYPTOFAILURE); - return (ISC_R_SUCCESS); -@@ -65,7 +72,8 @@ isc_gost_init(isc_gost_t *ctx) { - - void - isc_gost_invalidate(isc_gost_t *ctx) { -- EVP_MD_CTX_cleanup(ctx); -+ EVP_MD_CTX_free(ctx->ctx); -+ ctx->ctx = NULL; - } - - isc_result_t -@@ -75,9 +83,10 @@ isc_gost_update(isc_gost_t *ctx, const u - int ret; - - INSIST(ctx != NULL); -+ INSIST(ctx->ctx != NULL); - INSIST(data != NULL); - -- ret = EVP_DigestUpdate(ctx, (const void *) data, (size_t) len); -+ ret = EVP_DigestUpdate(ctx->ctx, (const void *) data, (size_t) len); - if (ret != 1) - return (DST_R_CRYPTOFAILURE); - return (ISC_R_SUCCESS); -@@ -88,9 +97,12 @@ isc_gost_final(isc_gost_t *ctx, unsigned - int ret; - - INSIST(ctx != NULL); -+ INSIST(ctx->ctx != NULL); - INSIST(digest != NULL); - -- ret = EVP_DigestFinal(ctx, digest, NULL); -+ ret = EVP_DigestFinal(ctx->ctx, digest, NULL); -+ EVP_MD_CTX_free(ctx->ctx); -+ ctx->ctx = NULL; - if (ret != 1) - return (DST_R_CRYPTOFAILURE); - return 
(ISC_R_SUCCESS); -Index: bind-9.10.4-P5/lib/dns/opensslrsa_link.c -=================================================================== ---- bind-9.10.4-P5.orig/lib/dns/opensslrsa_link.c -+++ bind-9.10.4-P5/lib/dns/opensslrsa_link.c -@@ -106,7 +106,8 @@ - (rsa)->flags &= ~(RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE); \ - (rsa)->flags &= ~RSA_FLAG_BLINDING; \ - } while (0) --#elif defined(RSA_FLAG_NO_BLINDING) -+#elif OPENSSL_VERSION_NUMBER < 0x10100000L -+#if defined(RSA_FLAG_NO_BLINDING) - #define SET_FLAGS(rsa) \ - do { \ - (rsa)->flags &= ~RSA_FLAG_BLINDING; \ -@@ -118,9 +119,132 @@ - (rsa)->flags &= ~RSA_FLAG_BLINDING; \ - } while (0) - #endif -- -+#else -+#define SET_FLAGS(rsa) \ -+ do { \ -+ RSA_clear_flags(rsa, RSA_FLAG_BLINDING); \ -+ RSA_set_flags(rsa, RSA_FLAG_NO_BLINDING); \ -+ } while (0) -+#endif - #define DST_RET(a) {ret = a; goto err;} - -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+/* From OpenSSL 1.1.0 */ -+static int -+RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) { -+ -+ /* -+ * If the fields n and e in r are NULL, the corresponding input -+ * parameters MUST be non-NULL for n and e. d may be -+ * left NULL (in case only the public key is used). -+ */ -+ if ((r->n == NULL && n == NULL) || (r->e == NULL && e == NULL)) -+ return 0; -+ -+ if (n != NULL) { -+ BN_free(r->n); -+ r->n = n; -+ } -+ if (e != NULL) { -+ BN_free(r->e); -+ r->e = e; -+ } -+ if (d != NULL) { -+ BN_free(r->d); -+ r->d = d; -+ } -+ -+ return 1; -+} -+ -+static int -+RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q) { -+ -+ /* -+ * If the fields p and q in r are NULL, the corresponding input -+ * parameters MUST be non-NULL. 
-+ */ -+ if ((r->p == NULL && p == NULL) || (r->q == NULL && q == NULL)) -+ return 0; -+ -+ if (p != NULL) { -+ BN_free(r->p); -+ r->p = p; -+ } -+ if (q != NULL) { -+ BN_free(r->q); -+ r->q = q; -+ } -+ -+ return 1; -+} -+ -+static int -+RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp) { -+ /* -+ * If the fields dmp1, dmq1 and iqmp in r are NULL, the -+ * corresponding input parameters MUST be non-NULL. -+ */ -+ if ((r->dmp1 == NULL && dmp1 == NULL) || -+ (r->dmq1 == NULL && dmq1 == NULL) || -+ (r->iqmp == NULL && iqmp == NULL)) -+ return 0; -+ -+ if (dmp1 != NULL) { -+ BN_free(r->dmp1); -+ r->dmp1 = dmp1; -+ } -+ if (dmq1 != NULL) { -+ BN_free(r->dmq1); -+ r->dmq1 = dmq1; -+ } -+ if (iqmp != NULL) { -+ BN_free(r->iqmp); -+ r->iqmp = iqmp; -+ } -+ -+ return 1; -+} -+ -+static void -+RSA_get0_key(const RSA *r, -+ const BIGNUM **n, const BIGNUM **e, const BIGNUM **d) -+{ -+ if (n != NULL) -+ *n = r->n; -+ if (e != NULL) -+ *e = r->e; -+ if (d != NULL) -+ *d = r->d; -+} -+ -+static void -+RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q) { -+ if (p != NULL) -+ *p = r->p; -+ if (q != NULL) -+ *q = r->q; -+} -+ -+static void -+RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1, -+ const BIGNUM **iqmp) -+{ -+ if (dmp1 != NULL) -+ *dmp1 = r->dmp1; -+ if (dmq1 != NULL) -+ *dmq1 = r->dmq1; -+ if (iqmp != NULL) -+ *iqmp = r->iqmp; -+} -+ -+static int -+RSA_test_flags(const RSA *r, int flags) { -+ return (r->flags & flags); -+} -+ -+#endif -+ - static isc_result_t opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data); - - static isc_result_t -@@ -520,6 +644,7 @@ opensslrsa_verify2(dst_context_t *dctx, - EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx; - EVP_PKEY *pkey = key->keydata.pkey; - RSA *rsa; -+ const BIGNUM *e = NULL; - int bits; - #else - /* note: ISC_SHA512_DIGESTLENGTH >= ISC_*_DIGESTLENGTH */ -@@ -543,7 +668,8 @@ opensslrsa_verify2(dst_context_t *dctx, - rsa = EVP_PKEY_get1_RSA(pkey); - if (rsa 
== NULL) - return (dst__openssl_toresult(DST_R_OPENSSLFAILURE)); -- bits = BN_num_bits(rsa->e); -+ RSA_get0_key(rsa, NULL, &e, NULL); -+ bits = BN_num_bits(e); - RSA_free(rsa); - if (bits > maxbits && maxbits != 0) - return (DST_R_VERIFYFAILURE); -@@ -560,7 +686,8 @@ opensslrsa_verify2(dst_context_t *dctx, - DST_R_VERIFYFAILURE)); - } - #else -- if (BN_num_bits(rsa->e) > maxbits && maxbits != 0) -+ RSA_get0_key(rsa, NULL, &e, NULL); -+ if (BN_num_bits(e) > maxbits && maxbits != 0) - return (DST_R_VERIFYFAILURE); - - switch (dctx->key->key_alg) { -@@ -685,6 +812,11 @@ static isc_boolean_t - opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) { - int status; - RSA *rsa1 = NULL, *rsa2 = NULL; -+ const BIGNUM *n1 = NULL, *n2 = NULL; -+ const BIGNUM *e1 = NULL, *e2 = NULL; -+ const BIGNUM *d1 = NULL, *d2 = NULL; -+ const BIGNUM *p1 = NULL, *p2 = NULL; -+ const BIGNUM *q1 = NULL, *q2 = NULL; - #if USE_EVP - EVP_PKEY *pkey1, *pkey2; - #endif -@@ -714,17 +846,18 @@ opensslrsa_compare(const dst_key_t *key1 - else if (rsa1 == NULL || rsa2 == NULL) - return (ISC_FALSE); - -- status = BN_cmp(rsa1->n, rsa2->n) || -- BN_cmp(rsa1->e, rsa2->e); -+ RSA_get0_key(rsa1, &n1, &e1, &d1); -+ RSA_get0_key(rsa2, &n2, &e2, &d2); -+ status = BN_cmp(n1, n2) || BN_cmp(e1, e2); - - if (status != 0) - return (ISC_FALSE); - - #if USE_EVP -- if ((rsa1->flags & RSA_FLAG_EXT_PKEY) != 0 || -- (rsa2->flags & RSA_FLAG_EXT_PKEY) != 0) { -- if ((rsa1->flags & RSA_FLAG_EXT_PKEY) == 0 || -- (rsa2->flags & RSA_FLAG_EXT_PKEY) == 0) -+ if (RSA_test_flags(rsa1, RSA_FLAG_EXT_PKEY) != 0 || -+ RSA_test_flags(rsa2, RSA_FLAG_EXT_PKEY) != 0) { -+ if (RSA_test_flags(rsa1, RSA_FLAG_EXT_PKEY) == 0 || -+ RSA_test_flags(rsa2, RSA_FLAG_EXT_PKEY) == 0) - return (ISC_FALSE); - /* - * Can't compare private parameters, BTW does it make sense? 
-@@ -733,12 +866,12 @@ opensslrsa_compare(const dst_key_t *key1 - } - #endif - -- if (rsa1->d != NULL || rsa2->d != NULL) { -- if (rsa1->d == NULL || rsa2->d == NULL) -+ if (d1 != NULL || d2 != NULL) { -+ if (d1 == NULL || d2 == NULL) - return (ISC_FALSE); -- status = BN_cmp(rsa1->d, rsa2->d) || -- BN_cmp(rsa1->p, rsa2->p) || -- BN_cmp(rsa1->q, rsa2->q); -+ RSA_get0_factors(rsa1, &p1, &q1); -+ RSA_get0_factors(rsa2, &p2, &q2); -+ status = BN_cmp(d1, d2) || BN_cmp(p1, p1) || BN_cmp(q1, q2); - - if (status != 0) - return (ISC_FALSE); -@@ -824,7 +957,7 @@ opensslrsa_generate(dst_key_t *key, int - ret = dst__openssl_toresult2("RSA_generate_key_ex", - DST_R_OPENSSLFAILURE); - --err: -+ err: - #if USE_EVP - if (pkey != NULL) - EVP_PKEY_free(pkey); -@@ -881,6 +1014,7 @@ err: - - static isc_boolean_t - opensslrsa_isprivate(const dst_key_t *key) { -+ const BIGNUM *d = NULL; - #if USE_EVP - RSA *rsa = EVP_PKEY_get1_RSA(key->keydata.pkey); - INSIST(rsa != NULL); -@@ -889,9 +1023,10 @@ opensslrsa_isprivate(const dst_key_t *ke - #else - RSA *rsa = key->keydata.rsa; - #endif -- if (rsa != NULL && (rsa->flags & RSA_FLAG_EXT_PKEY) != 0) -+ if (rsa != NULL && RSA_test_flags(rsa, RSA_FLAG_EXT_PKEY) != 0) - return (ISC_TRUE); -- return (ISC_TF(rsa != NULL && rsa->d != NULL)); -+ RSA_get0_key(rsa, NULL, NULL, &d); -+ return (ISC_TF(rsa != NULL && d != NULL)); - } - - static void -@@ -907,7 +1042,6 @@ opensslrsa_destroy(dst_key_t *key) { - #endif - } - -- - static isc_result_t - opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data) { - isc_region_t r; -@@ -918,6 +1052,7 @@ opensslrsa_todns(const dst_key_t *key, i - #if USE_EVP - EVP_PKEY *pkey; - #endif -+ const BIGNUM *e = NULL, *n = NULL; - - #if USE_EVP - REQUIRE(key->keydata.pkey != NULL); -@@ -936,8 +1071,9 @@ opensslrsa_todns(const dst_key_t *key, i - - isc_buffer_availableregion(data, &r); - -- e_bytes = BN_num_bytes(rsa->e); -- mod_bytes = BN_num_bytes(rsa->n); -+ RSA_get0_key(rsa, &n, &e, NULL); -+ mod_bytes = 
BN_num_bytes(n); -+ e_bytes = BN_num_bytes(e); - - if (e_bytes < 256) { /*%< key exponent is <= 2040 bits */ - if (r.length < 1) -@@ -955,9 +1091,10 @@ opensslrsa_todns(const dst_key_t *key, i - if (r.length < e_bytes + mod_bytes) - DST_RET(ISC_R_NOSPACE); - -- BN_bn2bin(rsa->e, r.base); -+ RSA_get0_key(rsa, &n, &e, NULL); -+ BN_bn2bin(e, r.base); - isc_region_consume(&r, e_bytes); -- BN_bn2bin(rsa->n, r.base); -+ BN_bn2bin(n, r.base); - - isc_buffer_add(data, e_bytes + mod_bytes); - -@@ -979,6 +1116,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_b - #if USE_EVP - EVP_PKEY *pkey; - #endif -+ BIGNUM *e = NULL, *n = NULL; - - isc_buffer_remainingregion(data, &r); - if (r.length == 0) -@@ -1012,12 +1150,16 @@ opensslrsa_fromdns(dst_key_t *key, isc_b - RSA_free(rsa); - return (DST_R_INVALIDPUBLICKEY); - } -- rsa->e = BN_bin2bn(r.base, e_bytes, NULL); -+ e = BN_bin2bn(r.base, e_bytes, NULL); - isc_region_consume(&r, e_bytes); -- -- rsa->n = BN_bin2bn(r.base, r.length, NULL); -- -- key->key_size = BN_num_bits(rsa->n); -+ n = BN_bin2bn(r.base, r.length, NULL); -+ if (RSA_set0_key(rsa, n, e, NULL) == 0) { -+ if (n != NULL) BN_free(n); -+ if (e != NULL) BN_free(e); -+ RSA_free(rsa); -+ return (ISC_R_NOMEMORY); -+ } -+ key->key_size = BN_num_bits(n); - - isc_buffer_forward(data, length); - -@@ -1048,6 +1190,9 @@ opensslrsa_tofile(const dst_key_t *key, - dst_private_t priv; - unsigned char *bufs[8]; - isc_result_t result; -+ const BIGNUM *n = NULL, *e = NULL, *d = NULL; -+ const BIGNUM *p = NULL, *q = NULL; -+ const BIGNUM *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL; - - #if USE_EVP - if (key->keydata.pkey == NULL) -@@ -1062,6 +1207,10 @@ opensslrsa_tofile(const dst_key_t *key, - #endif - memset(bufs, 0, sizeof(bufs)); - -+ RSA_get0_key(rsa, &n, &e, &d); -+ RSA_get0_factors(rsa, &p, &q); -+ RSA_get0_crt_params(rsa, &dmp1, &dmq1, &iqmp); -+ - if (key->external) { - priv.nelements = 0; - result = dst__privstruct_writefile(key, &priv, directory); -@@ -1069,7 +1218,7 @@ 
opensslrsa_tofile(const dst_key_t *key, - } - - for (i = 0; i < 8; i++) { -- bufs[i] = isc_mem_get(key->mctx, BN_num_bytes(rsa->n)); -+ bufs[i] = isc_mem_get(key->mctx, BN_num_bytes(n)); - if (bufs[i] == NULL) { - result = ISC_R_NOMEMORY; - goto fail; -@@ -1079,61 +1228,61 @@ opensslrsa_tofile(const dst_key_t *key, - i = 0; - - priv.elements[i].tag = TAG_RSA_MODULUS; -- priv.elements[i].length = BN_num_bytes(rsa->n); -- BN_bn2bin(rsa->n, bufs[i]); -+ priv.elements[i].length = BN_num_bytes(n); -+ BN_bn2bin(n, bufs[i]); - priv.elements[i].data = bufs[i]; - i++; - - priv.elements[i].tag = TAG_RSA_PUBLICEXPONENT; -- priv.elements[i].length = BN_num_bytes(rsa->e); -- BN_bn2bin(rsa->e, bufs[i]); -+ priv.elements[i].length = BN_num_bytes(e); -+ BN_bn2bin(e, bufs[i]); - priv.elements[i].data = bufs[i]; - i++; - -- if (rsa->d != NULL) { -+ if (d != NULL) { - priv.elements[i].tag = TAG_RSA_PRIVATEEXPONENT; -- priv.elements[i].length = BN_num_bytes(rsa->d); -- BN_bn2bin(rsa->d, bufs[i]); -+ priv.elements[i].length = BN_num_bytes(d); -+ BN_bn2bin(d, bufs[i]); - priv.elements[i].data = bufs[i]; - i++; - } - -- if (rsa->p != NULL) { -+ if (p != NULL) { - priv.elements[i].tag = TAG_RSA_PRIME1; -- priv.elements[i].length = BN_num_bytes(rsa->p); -- BN_bn2bin(rsa->p, bufs[i]); -+ priv.elements[i].length = BN_num_bytes(p); -+ BN_bn2bin(p, bufs[i]); - priv.elements[i].data = bufs[i]; - i++; - } - -- if (rsa->q != NULL) { -+ if (q != NULL) { - priv.elements[i].tag = TAG_RSA_PRIME2; -- priv.elements[i].length = BN_num_bytes(rsa->q); -- BN_bn2bin(rsa->q, bufs[i]); -+ priv.elements[i].length = BN_num_bytes(q); -+ BN_bn2bin(q, bufs[i]); - priv.elements[i].data = bufs[i]; - i++; - } - -- if (rsa->dmp1 != NULL) { -+ if (dmp1 != NULL) { - priv.elements[i].tag = TAG_RSA_EXPONENT1; -- priv.elements[i].length = BN_num_bytes(rsa->dmp1); -- BN_bn2bin(rsa->dmp1, bufs[i]); -+ priv.elements[i].length = BN_num_bytes(dmp1); -+ BN_bn2bin(dmp1, bufs[i]); - priv.elements[i].data = bufs[i]; - i++; - } - -- 
if (rsa->dmq1 != NULL) { -+ if (dmq1 != NULL) { - priv.elements[i].tag = TAG_RSA_EXPONENT2; -- priv.elements[i].length = BN_num_bytes(rsa->dmq1); -- BN_bn2bin(rsa->dmq1, bufs[i]); -+ priv.elements[i].length = BN_num_bytes(dmq1); -+ BN_bn2bin(dmq1, bufs[i]); - priv.elements[i].data = bufs[i]; - i++; - } - -- if (rsa->iqmp != NULL) { -+ if (iqmp != NULL) { - priv.elements[i].tag = TAG_RSA_COEFFICIENT; -- priv.elements[i].length = BN_num_bytes(rsa->iqmp); -- BN_bn2bin(rsa->iqmp, bufs[i]); -+ priv.elements[i].length = BN_num_bytes(iqmp); -+ BN_bn2bin(iqmp, bufs[i]); - priv.elements[i].data = bufs[i]; - i++; - } -@@ -1162,33 +1311,45 @@ opensslrsa_tofile(const dst_key_t *key, - for (i = 0; i < 8; i++) { - if (bufs[i] == NULL) - break; -- isc_mem_put(key->mctx, bufs[i], BN_num_bytes(rsa->n)); -+ isc_mem_put(key->mctx, bufs[i], BN_num_bytes(n)); - } - return (result); - } - - static isc_result_t --rsa_check(RSA *rsa, RSA *pub) --{ -- /* Public parameters should be the same but if they are not set -- * copy them from the public key. */ -+rsa_check(RSA *rsa, RSA *pub) { -+ const BIGNUM *n1 = NULL, *n2 = NULL; -+ const BIGNUM *e1 = NULL, *e2 = NULL; -+ BIGNUM *n = NULL, *e = NULL; -+ -+ /* -+ * Public parameters should be the same but if they are not set -+ * copy them from the public key. 
-+ */ -+ RSA_get0_key(rsa, &n1, &e1, NULL); - if (pub != NULL) { -- if (rsa->n != NULL) { -- if (BN_cmp(rsa->n, pub->n) != 0) -+ RSA_get0_key(pub, &n2, &e2, NULL); -+ if (n1 != NULL) { -+ if (BN_cmp(n1, n2) != 0) - return (DST_R_INVALIDPRIVATEKEY); - } else { -- rsa->n = pub->n; -- pub->n = NULL; -+ n = BN_dup(n2); - } -- if (rsa->e != NULL) { -- if (BN_cmp(rsa->e, pub->e) != 0) -+ if (e1 != NULL) { -+ if (BN_cmp(e1, e2) != 0) - return (DST_R_INVALIDPRIVATEKEY); - } else { -- rsa->e = pub->e; -- pub->e = NULL; -+ e = BN_dup(e2); -+ } -+ if (RSA_set0_key(rsa, n, e, NULL) == 0) { -+ if (n != NULL) -+ BN_free(n); -+ if (e != NULL) -+ BN_free(e); - } - } -- if (rsa->n == NULL || rsa->e == NULL) -+ RSA_get0_key(rsa, &n1, &e1, NULL); -+ if (n1 == NULL || e1 == NULL) - return (DST_R_INVALIDPRIVATEKEY); - return (ISC_R_SUCCESS); - } -@@ -1200,13 +1361,17 @@ opensslrsa_parse(dst_key_t *key, isc_lex - int i; - RSA *rsa = NULL, *pubrsa = NULL; - #ifdef USE_ENGINE -- ENGINE *e = NULL; -+ ENGINE *ep = NULL; -+ const BIGNUM *ex = NULL; - #endif - isc_mem_t *mctx = key->mctx; - const char *engine = NULL, *label = NULL; - #if defined(USE_ENGINE) || USE_EVP - EVP_PKEY *pkey = NULL; - #endif -+ BIGNUM *n = NULL, *e = NULL, *d = NULL; -+ BIGNUM *p = NULL, *q = NULL; -+ BIGNUM *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL; - - /* read private key file */ - ret = dst__privstruct_parse(key, DST_ALG_RSA, lexer, mctx, &priv); -@@ -1257,10 +1422,10 @@ opensslrsa_parse(dst_key_t *key, isc_lex - #ifdef USE_ENGINE - if (engine == NULL) - DST_RET(DST_R_NOENGINE); -- e = dst__openssl_getengine(engine); -- if (e == NULL) -+ ep = dst__openssl_getengine(engine); -+ if (ep == NULL) - DST_RET(DST_R_NOENGINE); -- pkey = ENGINE_load_private_key(e, label, NULL, NULL); -+ pkey = ENGINE_load_private_key(ep, label, NULL, NULL); - if (pkey == NULL) - DST_RET(dst__openssl_toresult2( - "ENGINE_load_private_key", -@@ -1276,7 +1441,8 @@ opensslrsa_parse(dst_key_t *key, isc_lex - 
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); - if (rsa_check(rsa, pubrsa) != ISC_R_SUCCESS) - DST_RET(DST_R_INVALIDPRIVATEKEY); -- if (BN_num_bits(rsa->e) > RSA_MAX_PUBEXP_BITS) -+ RSA_get0_key(rsa, NULL, &ex, NULL); -+ if (BN_num_bits(ex) > RSA_MAX_PUBEXP_BITS) - DST_RET(ISC_R_RANGE); - if (pubrsa != NULL) - RSA_free(pubrsa); -@@ -1324,43 +1490,57 @@ opensslrsa_parse(dst_key_t *key, isc_lex - priv.elements[i].length, NULL); - if (bn == NULL) - DST_RET(ISC_R_NOMEMORY); -- } -- -- switch (priv.elements[i].tag) { -+ switch (priv.elements[i].tag) { - case TAG_RSA_MODULUS: -- rsa->n = bn; -+ n = bn; - break; - case TAG_RSA_PUBLICEXPONENT: -- rsa->e = bn; -+ e = bn; - break; - case TAG_RSA_PRIVATEEXPONENT: -- rsa->d = bn; -+ d = bn; - break; - case TAG_RSA_PRIME1: -- rsa->p = bn; -+ p = bn; - break; - case TAG_RSA_PRIME2: -- rsa->q = bn; -+ q = bn; - break; - case TAG_RSA_EXPONENT1: -- rsa->dmp1 = bn; -+ dmp1 = bn; - break; - case TAG_RSA_EXPONENT2: -- rsa->dmq1 = bn; -+ dmq1 = bn; - break; - case TAG_RSA_COEFFICIENT: -- rsa->iqmp = bn; -+ iqmp = bn; - break; -+ } - } - } - dst__privstruct_free(&priv, mctx); - memset(&priv, 0, sizeof(priv)); - -+ if (RSA_set0_key(rsa, n, e, d) == 0) { -+ if (n != NULL) BN_free(n); -+ if (e != NULL) BN_free(e); -+ if (d != NULL) BN_free(d); -+ } -+ if (RSA_set0_factors(rsa, p, q) == 0) { -+ if (p != NULL) BN_free(p); -+ if (q != NULL) BN_free(q); -+ } -+ if (RSA_set0_crt_params(rsa, dmp1, dmq1, iqmp) == 0) { -+ if (dmp1 != NULL) BN_free(dmp1); -+ if (dmq1 != NULL) BN_free(dmq1); -+ if (iqmp != NULL) BN_free(iqmp); -+ } -+ - if (rsa_check(rsa, pubrsa) != ISC_R_SUCCESS) - DST_RET(DST_R_INVALIDPRIVATEKEY); -- if (BN_num_bits(rsa->e) > RSA_MAX_PUBEXP_BITS) -+ if (BN_num_bits(e) > RSA_MAX_PUBEXP_BITS) - DST_RET(ISC_R_RANGE); -- key->key_size = BN_num_bits(rsa->n); -+ key->key_size = BN_num_bits(n); - if (pubrsa != NULL) - RSA_free(pubrsa); - #if USE_EVP -@@ -1394,6 +1574,7 @@ opensslrsa_fromlabel(dst_key_t *key, con - EVP_PKEY *pkey 
= NULL; - RSA *rsa = NULL, *pubrsa = NULL; - char *colon, *tmpengine = NULL; -+ const BIGNUM *ex = NULL; - - UNUSED(pin); - -@@ -1437,7 +1618,8 @@ opensslrsa_fromlabel(dst_key_t *key, con - DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); - if (rsa_check(rsa, pubrsa) != ISC_R_SUCCESS) - DST_RET(DST_R_INVALIDPRIVATEKEY); -- if (BN_num_bits(rsa->e) > RSA_MAX_PUBEXP_BITS) -+ RSA_get0_key(rsa, NULL, &ex, NULL); -+ if (BN_num_bits(ex) > RSA_MAX_PUBEXP_BITS) - DST_RET(ISC_R_RANGE); - if (pubrsa != NULL) - RSA_free(pubrsa); -Index: bind-9.10.4-P5/lib/isc/aes.c -=================================================================== ---- bind-9.10.4-P5.orig/lib/isc/aes.c -+++ bind-9.10.4-P5/lib/isc/aes.c -@@ -30,54 +30,72 @@ - #ifdef ISC_PLATFORM_WANTAES - #if HAVE_OPENSSL_EVP_AES - -+#include - #include - -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+#define EVP_CIPHER_CTX_new() &(_context), EVP_CIPHER_CTX_init(&_context) -+#define EVP_CIPHER_CTX_free(c) RUNTIME_CHECK(EVP_CIPHER_CTX_cleanup(c) == 1) -+#endif -+ - void - isc_aes128_crypt(const unsigned char *key, const unsigned char *in, - unsigned char *out) - { -- EVP_CIPHER_CTX c; -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+ EVP_CIPHER_CTX _context; -+#endif -+ EVP_CIPHER_CTX *c; - int len; - -- EVP_CIPHER_CTX_init(&c); -- RUNTIME_CHECK(EVP_EncryptInit(&c, EVP_aes_128_ecb(), key, NULL) == 1); -- EVP_CIPHER_CTX_set_padding(&c, 0); -- RUNTIME_CHECK(EVP_EncryptUpdate(&c, out, &len, in, -+ c = EVP_CIPHER_CTX_new(); -+ RUNTIME_CHECK(c != NULL); -+ RUNTIME_CHECK(EVP_EncryptInit(c, EVP_aes_128_ecb(), key, NULL) == 1); -+ EVP_CIPHER_CTX_set_padding(c, 0); -+ RUNTIME_CHECK(EVP_EncryptUpdate(c, out, &len, in, - ISC_AES_BLOCK_LENGTH) == 1); - RUNTIME_CHECK(len == ISC_AES_BLOCK_LENGTH); -- RUNTIME_CHECK(EVP_CIPHER_CTX_cleanup(&c) == 1); -+ EVP_CIPHER_CTX_free(c); - } - - void - isc_aes192_crypt(const unsigned char *key, const unsigned char *in, - unsigned char *out) - { -- EVP_CIPHER_CTX c; -+#if OPENSSL_VERSION_NUMBER < 
0x10100000L -+ EVP_CIPHER_CTX _context; -+#endif -+ EVP_CIPHER_CTX *c; - int len; - -- EVP_CIPHER_CTX_init(&c); -- RUNTIME_CHECK(EVP_EncryptInit(&c, EVP_aes_192_ecb(), key, NULL) == 1); -- EVP_CIPHER_CTX_set_padding(&c, 0); -- RUNTIME_CHECK(EVP_EncryptUpdate(&c, out, &len, in, -+ c = EVP_CIPHER_CTX_new(); -+ RUNTIME_CHECK(c != NULL); -+ RUNTIME_CHECK(EVP_EncryptInit(c, EVP_aes_192_ecb(), key, NULL) == 1); -+ EVP_CIPHER_CTX_set_padding(c, 0); -+ RUNTIME_CHECK(EVP_EncryptUpdate(c, out, &len, in, - ISC_AES_BLOCK_LENGTH) == 1); - RUNTIME_CHECK(len == ISC_AES_BLOCK_LENGTH); -- RUNTIME_CHECK(EVP_CIPHER_CTX_cleanup(&c) == 1); -+ EVP_CIPHER_CTX_free(c); - } - - void - isc_aes256_crypt(const unsigned char *key, const unsigned char *in, - unsigned char *out) - { -- EVP_CIPHER_CTX c; -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+ EVP_CIPHER_CTX _context; -+#endif -+ EVP_CIPHER_CTX *c; - int len; - -- EVP_CIPHER_CTX_init(&c); -- RUNTIME_CHECK(EVP_EncryptInit(&c, EVP_aes_256_ecb(), key, NULL) == 1); -- EVP_CIPHER_CTX_set_padding(&c, 0); -- RUNTIME_CHECK(EVP_EncryptUpdate(&c, out, &len, in, -+ c = EVP_CIPHER_CTX_new(); -+ RUNTIME_CHECK(c != NULL); -+ RUNTIME_CHECK(EVP_EncryptInit(c, EVP_aes_256_ecb(), key, NULL) == 1); -+ EVP_CIPHER_CTX_set_padding(c, 0); -+ RUNTIME_CHECK(EVP_EncryptUpdate(c, out, &len, in, - ISC_AES_BLOCK_LENGTH) == 1); - RUNTIME_CHECK(len == ISC_AES_BLOCK_LENGTH); -- RUNTIME_CHECK(EVP_CIPHER_CTX_cleanup(&c) == 1); -+ EVP_CIPHER_CTX_free(c); - } - - #elif HAVE_OPENSSL_AES -Index: bind-9.10.4-P5/lib/isc/hmacmd5.c -=================================================================== ---- bind-9.10.4-P5.orig/lib/isc/hmacmd5.c -+++ bind-9.10.4-P5/lib/isc/hmacmd5.c -@@ -39,43 +39,41 @@ - #endif - - #ifdef ISC_PLATFORM_OPENSSLHASH -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+#define HMAC_CTX_new() &(ctx->_ctx), HMAC_CTX_init(&(ctx->_ctx)) -+#define HMAC_CTX_free(ptr) HMAC_CTX_cleanup(ptr) -+#endif - - void - isc_hmacmd5_init(isc_hmacmd5_t *ctx, const unsigned char 
*key, - unsigned int len) - { --#ifdef HMAC_RETURN_INT -- RUNTIME_CHECK(HMAC_Init(ctx, (const void *) key, -- (int) len, EVP_md5()) == 1); --#else -- HMAC_Init(ctx, (const void *) key, (int) len, EVP_md5()); --#endif -+ ctx->ctx = HMAC_CTX_new(); -+ RUNTIME_CHECK(ctx->ctx != NULL); -+ RUNTIME_CHECK(HMAC_Init_ex(ctx->ctx, (const void *) key, -+ (int) len, EVP_md5(), NULL) == 1); - } - - void - isc_hmacmd5_invalidate(isc_hmacmd5_t *ctx) { -- HMAC_CTX_cleanup(ctx); -+ if (ctx->ctx == NULL) -+ return; -+ HMAC_CTX_free(ctx->ctx); -+ ctx->ctx = NULL; - } - - void - isc_hmacmd5_update(isc_hmacmd5_t *ctx, const unsigned char *buf, - unsigned int len) - { --#ifdef HMAC_RETURN_INT -- RUNTIME_CHECK(HMAC_Update(ctx, buf, (int) len) == 1); --#else -- HMAC_Update(ctx, buf, (int) len); --#endif -+ RUNTIME_CHECK(HMAC_Update(ctx->ctx, buf, (int) len) == 1); - } - - void - isc_hmacmd5_sign(isc_hmacmd5_t *ctx, unsigned char *digest) { --#ifdef HMAC_RETURN_INT -- RUNTIME_CHECK(HMAC_Final(ctx, digest, NULL) == 1); --#else -- HMAC_Final(ctx, digest, NULL); --#endif -- HMAC_CTX_cleanup(ctx); -+ RUNTIME_CHECK(HMAC_Final(ctx->ctx, digest, NULL) == 1); -+ HMAC_CTX_free(ctx->ctx); -+ ctx->ctx = NULL; - } - - #elif PKCS11CRYPTOWITHHMAC -Index: bind-9.10.4-P5/lib/isc/hmacsha.c -=================================================================== ---- bind-9.10.4-P5.orig/lib/isc/hmacsha.c -+++ bind-9.10.4-P5/lib/isc/hmacsha.c -@@ -40,32 +40,34 @@ - #endif - - #ifdef ISC_PLATFORM_OPENSSLHASH -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+#define HMAC_CTX_new() &(ctx->_ctx), HMAC_CTX_init(&(ctx->_ctx)) -+#define HMAC_CTX_free(ptr) HMAC_CTX_cleanup(ptr) -+#endif -+ - void - isc_hmacsha1_init(isc_hmacsha1_t *ctx, const unsigned char *key, - unsigned int len) - { --#ifdef HMAC_RETURN_INT -- RUNTIME_CHECK(HMAC_Init(ctx, (const void *) key, -- (int) len, EVP_sha1()) == 1); --#else -- HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha1()); --#endif -+ ctx->ctx = HMAC_CTX_new(); -+ 
RUNTIME_CHECK(ctx->ctx != NULL); -+ RUNTIME_CHECK(HMAC_Init_ex(ctx->ctx, (const void *) key, -+ (int) len, EVP_sha1(), NULL) == 1); - } - - void - isc_hmacsha1_invalidate(isc_hmacsha1_t *ctx) { -- HMAC_CTX_cleanup(ctx); -+ if (ctx->ctx == NULL) -+ return; -+ HMAC_CTX_free(ctx->ctx); -+ ctx->ctx = NULL; - } - - void - isc_hmacsha1_update(isc_hmacsha1_t *ctx, const unsigned char *buf, - unsigned int len) - { --#ifdef HMAC_RETURN_INT -- RUNTIME_CHECK(HMAC_Update(ctx, buf, (int) len) == 1); --#else -- HMAC_Update(ctx, buf, (int) len); --#endif -+ RUNTIME_CHECK(HMAC_Update(ctx->ctx, buf, (int) len) == 1); - } - - void -@@ -74,12 +76,9 @@ isc_hmacsha1_sign(isc_hmacsha1_t *ctx, u - - REQUIRE(len <= ISC_SHA1_DIGESTLENGTH); - --#ifdef HMAC_RETURN_INT -- RUNTIME_CHECK(HMAC_Final(ctx, newdigest, NULL) == 1); --#else -- HMAC_Final(ctx, newdigest, NULL); --#endif -- HMAC_CTX_cleanup(ctx); -+ RUNTIME_CHECK(HMAC_Final(ctx->ctx, newdigest, NULL) == 1); -+ HMAC_CTX_free(ctx->ctx); -+ ctx->ctx = NULL; - memmove(digest, newdigest, len); - memset(newdigest, 0, sizeof(newdigest)); - } -@@ -88,28 +87,25 @@ void - isc_hmacsha224_init(isc_hmacsha224_t *ctx, const unsigned char *key, - unsigned int len) - { --#ifdef HMAC_RETURN_INT -- RUNTIME_CHECK(HMAC_Init(ctx, (const void *) key, -- (int) len, EVP_sha224()) == 1); --#else -- HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha224()); --#endif -+ ctx->ctx = HMAC_CTX_new(); -+ RUNTIME_CHECK(ctx->ctx != NULL); -+ RUNTIME_CHECK(HMAC_Init_ex(ctx->ctx, (const void *) key, -+ (int) len, EVP_sha224(), NULL) == 1); - } - - void - isc_hmacsha224_invalidate(isc_hmacsha224_t *ctx) { -- HMAC_CTX_cleanup(ctx); -+ if (ctx->ctx == NULL) -+ return; -+ HMAC_CTX_free(ctx->ctx); -+ ctx->ctx = NULL; - } - - void - isc_hmacsha224_update(isc_hmacsha224_t *ctx, const unsigned char *buf, - unsigned int len) - { --#ifdef HMAC_RETURN_INT -- RUNTIME_CHECK(HMAC_Update(ctx, buf, (int) len) == 1); --#else -- HMAC_Update(ctx, buf, (int) len); --#endif -+ 
RUNTIME_CHECK(HMAC_Update(ctx->ctx, buf, (int) len) == 1); - } - - void -@@ -118,12 +114,9 @@ isc_hmacsha224_sign(isc_hmacsha224_t *ct - - REQUIRE(len <= ISC_SHA224_DIGESTLENGTH); - --#ifdef HMAC_RETURN_INT -- RUNTIME_CHECK(HMAC_Final(ctx, newdigest, NULL) == 1); --#else -- HMAC_Final(ctx, newdigest, NULL); --#endif -- HMAC_CTX_cleanup(ctx); -+ RUNTIME_CHECK(HMAC_Final(ctx->ctx, newdigest, NULL) == 1); -+ HMAC_CTX_free(ctx->ctx); -+ ctx->ctx = NULL; - memmove(digest, newdigest, len); - memset(newdigest, 0, sizeof(newdigest)); - } -@@ -132,28 +125,25 @@ void - isc_hmacsha256_init(isc_hmacsha256_t *ctx, const unsigned char *key, - unsigned int len) - { --#ifdef HMAC_RETURN_INT -- RUNTIME_CHECK(HMAC_Init(ctx, (const void *) key, -- (int) len, EVP_sha256()) == 1); --#else -- HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha256()); --#endif -+ ctx->ctx = HMAC_CTX_new(); -+ RUNTIME_CHECK(ctx->ctx != NULL); -+ RUNTIME_CHECK(HMAC_Init_ex(ctx->ctx, (const void *) key, -+ (int) len, EVP_sha256(), NULL) == 1); - } - - void - isc_hmacsha256_invalidate(isc_hmacsha256_t *ctx) { -- HMAC_CTX_cleanup(ctx); -+ if (ctx->ctx == NULL) -+ return; -+ HMAC_CTX_free(ctx->ctx); -+ ctx->ctx = NULL; - } - - void - isc_hmacsha256_update(isc_hmacsha256_t *ctx, const unsigned char *buf, - unsigned int len) - { --#ifdef HMAC_RETURN_INT -- RUNTIME_CHECK(HMAC_Update(ctx, buf, (int) len) == 1); --#else -- HMAC_Update(ctx, buf, (int) len); --#endif -+ RUNTIME_CHECK(HMAC_Update(ctx->ctx, buf, (int) len) == 1); - } - - void -@@ -162,12 +152,9 @@ isc_hmacsha256_sign(isc_hmacsha256_t *ct - - REQUIRE(len <= ISC_SHA256_DIGESTLENGTH); - --#ifdef HMAC_RETURN_INT -- RUNTIME_CHECK(HMAC_Final(ctx, newdigest, NULL) == 1); --#else -- HMAC_Final(ctx, newdigest, NULL); --#endif -- HMAC_CTX_cleanup(ctx); -+ RUNTIME_CHECK(HMAC_Final(ctx->ctx, newdigest, NULL) == 1); -+ HMAC_CTX_free(ctx->ctx); -+ ctx->ctx = NULL; - memmove(digest, newdigest, len); - memset(newdigest, 0, sizeof(newdigest)); - } -@@ -176,28 +163,25 
@@ void - isc_hmacsha384_init(isc_hmacsha384_t *ctx, const unsigned char *key, - unsigned int len) - { --#ifdef HMAC_RETURN_INT -- RUNTIME_CHECK(HMAC_Init(ctx, (const void *) key, -- (int) len, EVP_sha384()) == 1); --#else -- HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha384()); --#endif -+ ctx->ctx = HMAC_CTX_new(); -+ RUNTIME_CHECK(ctx->ctx != NULL); -+ RUNTIME_CHECK(HMAC_Init_ex(ctx->ctx, (const void *) key, -+ (int) len, EVP_sha384(), NULL) == 1); - } - - void - isc_hmacsha384_invalidate(isc_hmacsha384_t *ctx) { -- HMAC_CTX_cleanup(ctx); -+ if (ctx->ctx == NULL) -+ return; -+ HMAC_CTX_free(ctx->ctx); -+ ctx->ctx = NULL; - } - - void - isc_hmacsha384_update(isc_hmacsha384_t *ctx, const unsigned char *buf, - unsigned int len) - { --#ifdef HMAC_RETURN_INT -- RUNTIME_CHECK(HMAC_Update(ctx, buf, (int) len) == 1); --#else -- HMAC_Update(ctx, buf, (int) len); --#endif -+ RUNTIME_CHECK(HMAC_Update(ctx->ctx, buf, (int) len) == 1); - } - - void -@@ -206,12 +190,9 @@ isc_hmacsha384_sign(isc_hmacsha384_t *ct - - REQUIRE(len <= ISC_SHA384_DIGESTLENGTH); - --#ifdef HMAC_RETURN_INT -- RUNTIME_CHECK(HMAC_Final(ctx, newdigest, NULL) == 1); --#else -- HMAC_Final(ctx, newdigest, NULL); --#endif -- HMAC_CTX_cleanup(ctx); -+ RUNTIME_CHECK(HMAC_Final(ctx->ctx, newdigest, NULL) == 1); -+ HMAC_CTX_free(ctx->ctx); -+ ctx->ctx = NULL; - memmove(digest, newdigest, len); - memset(newdigest, 0, sizeof(newdigest)); - } -@@ -220,28 +201,25 @@ void - isc_hmacsha512_init(isc_hmacsha512_t *ctx, const unsigned char *key, - unsigned int len) - { --#ifdef HMAC_RETURN_INT -- RUNTIME_CHECK(HMAC_Init(ctx, (const void *) key, -- (int) len, EVP_sha512()) == 1); --#else -- HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha512()); --#endif -+ ctx->ctx = HMAC_CTX_new(); -+ RUNTIME_CHECK(ctx->ctx != NULL); -+ RUNTIME_CHECK(HMAC_Init_ex(ctx->ctx, (const void *) key, -+ (int) len, EVP_sha512(), NULL) == 1); - } - - void - isc_hmacsha512_invalidate(isc_hmacsha512_t *ctx) { -- HMAC_CTX_cleanup(ctx); 
-+ if (ctx->ctx == NULL) -+ return; -+ HMAC_CTX_free(ctx->ctx); -+ ctx->ctx = NULL; - } - - void - isc_hmacsha512_update(isc_hmacsha512_t *ctx, const unsigned char *buf, - unsigned int len) - { --#ifdef HMAC_RETURN_INT -- RUNTIME_CHECK(HMAC_Update(ctx, buf, (int) len) == 1); --#else -- HMAC_Update(ctx, buf, (int) len); --#endif -+ RUNTIME_CHECK(HMAC_Update(ctx->ctx, buf, (int) len) == 1); - } - - void -@@ -250,12 +228,9 @@ isc_hmacsha512_sign(isc_hmacsha512_t *ct - - REQUIRE(len <= ISC_SHA512_DIGESTLENGTH); - --#ifdef HMAC_RETURN_INT -- RUNTIME_CHECK(HMAC_Final(ctx, newdigest, NULL) == 1); --#else -- HMAC_Final(ctx, newdigest, NULL); --#endif -- HMAC_CTX_cleanup(ctx); -+ RUNTIME_CHECK(HMAC_Final(ctx->ctx, newdigest, NULL) == 1); -+ HMAC_CTX_free(ctx->ctx); -+ ctx->ctx = NULL; - memmove(digest, newdigest, len); - memset(newdigest, 0, sizeof(newdigest)); - } -Index: bind-9.10.4-P5/lib/isc/include/isc/hmacmd5.h -=================================================================== ---- bind-9.10.4-P5.orig/lib/isc/include/isc/hmacmd5.h -+++ bind-9.10.4-P5/lib/isc/include/isc/hmacmd5.h -@@ -33,9 +33,15 @@ - #define ISC_HMACMD5_KEYLENGTH 64 - - #ifdef ISC_PLATFORM_OPENSSLHASH -+#include - #include - --typedef HMAC_CTX isc_hmacmd5_t; -+typedef struct { -+ HMAC_CTX *ctx; -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+ HMAC_CTX _ctx; -+#endif -+} isc_hmacmd5_t; - - #elif PKCS11CRYPTO - #include -Index: bind-9.10.4-P5/lib/isc/include/isc/hmacsha.h -=================================================================== ---- bind-9.10.4-P5.orig/lib/isc/include/isc/hmacsha.h -+++ bind-9.10.4-P5/lib/isc/include/isc/hmacsha.h -@@ -37,13 +37,21 @@ - #define ISC_HMACSHA512_KEYLENGTH ISC_SHA512_BLOCK_LENGTH - - #ifdef ISC_PLATFORM_OPENSSLHASH -+#include - #include - --typedef HMAC_CTX isc_hmacsha1_t; --typedef HMAC_CTX isc_hmacsha224_t; --typedef HMAC_CTX isc_hmacsha256_t; --typedef HMAC_CTX isc_hmacsha384_t; --typedef HMAC_CTX isc_hmacsha512_t; -+typedef struct { -+ HMAC_CTX *ctx; -+#if 
OPENSSL_VERSION_NUMBER < 0x10100000L -+ HMAC_CTX _ctx; -+#endif -+} isc_hmacsha_t; -+ -+typedef isc_hmacsha_t isc_hmacsha1_t; -+typedef isc_hmacsha_t isc_hmacsha224_t; -+typedef isc_hmacsha_t isc_hmacsha256_t; -+typedef isc_hmacsha_t isc_hmacsha384_t; -+typedef isc_hmacsha_t isc_hmacsha512_t; - - #elif PKCS11CRYPTO - #include -Index: bind-9.10.4-P5/lib/isc/include/isc/md5.h -=================================================================== ---- bind-9.10.4-P5.orig/lib/isc/include/isc/md5.h -+++ bind-9.10.4-P5/lib/isc/include/isc/md5.h -@@ -51,9 +51,15 @@ - #define ISC_MD5_BLOCK_LENGTH 64U - - #ifdef ISC_PLATFORM_OPENSSLHASH -+#include - #include - --typedef EVP_MD_CTX isc_md5_t; -+typedef struct { -+ EVP_MD_CTX *ctx; -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+ EVP_MD_CTX _ctx; -+#endif -+} isc_md5_t; - - #elif PKCS11CRYPTO - #include -Index: bind-9.10.4-P5/lib/isc/include/isc/sha1.h -=================================================================== ---- bind-9.10.4-P5.orig/lib/isc/include/isc/sha1.h -+++ bind-9.10.4-P5/lib/isc/include/isc/sha1.h -@@ -36,9 +36,15 @@ - #define ISC_SHA1_BLOCK_LENGTH 64U - - #ifdef ISC_PLATFORM_OPENSSLHASH -+#include - #include - --typedef EVP_MD_CTX isc_sha1_t; -+typedef struct { -+ EVP_MD_CTX *ctx; -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+ EVP_MD_CTX _ctx; -+#endif -+} isc_sha1_t; - - #elif PKCS11CRYPTO - #include -Index: bind-9.10.4-P5/lib/isc/include/isc/sha2.h -=================================================================== ---- bind-9.10.4-P5.orig/lib/isc/include/isc/sha2.h -+++ bind-9.10.4-P5/lib/isc/include/isc/sha2.h -@@ -79,10 +79,18 @@ - /*** SHA-256/384/512 Context Structures *******************************/ - - #ifdef ISC_PLATFORM_OPENSSLHASH -+#include - #include - --typedef EVP_MD_CTX isc_sha256_t; --typedef EVP_MD_CTX isc_sha512_t; -+typedef struct { -+ EVP_MD_CTX *ctx; -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+ EVP_MD_CTX _ctx; -+#endif -+} isc_sha2_t; -+ -+typedef isc_sha2_t isc_sha256_t; -+typedef 
isc_sha2_t isc_sha512_t; - - #elif PKCS11CRYPTO - #include -Index: bind-9.10.4-P5/lib/isc/md5.c -=================================================================== ---- bind-9.10.4-P5.orig/lib/isc/md5.c -+++ bind-9.10.4-P5/lib/isc/md5.c -@@ -50,28 +50,38 @@ - #include - - #ifdef ISC_PLATFORM_OPENSSLHASH -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+#define EVP_MD_CTX_new() &(ctx->_ctx) -+#define EVP_MD_CTX_free(ptr) EVP_MD_CTX_cleanup(ptr) -+#endif -+ - void - isc_md5_init(isc_md5_t *ctx) { -- RUNTIME_CHECK(EVP_DigestInit(ctx, EVP_md5()) == 1); -+ ctx->ctx = EVP_MD_CTX_new(); -+ RUNTIME_CHECK(ctx->ctx != NULL); -+ RUNTIME_CHECK(EVP_DigestInit(ctx->ctx, EVP_md5()) == 1); - } - - void - isc_md5_invalidate(isc_md5_t *ctx) { -- EVP_MD_CTX_cleanup(ctx); -+ EVP_MD_CTX_free(ctx->ctx); -+ ctx->ctx = NULL; - } - - void - isc_md5_update(isc_md5_t *ctx, const unsigned char *buf, unsigned int len) { - if (len == 0U) - return; -- RUNTIME_CHECK(EVP_DigestUpdate(ctx, -+ RUNTIME_CHECK(EVP_DigestUpdate(ctx->ctx, - (const void *) buf, - (size_t) len) == 1); - } - - void - isc_md5_final(isc_md5_t *ctx, unsigned char *digest) { -- RUNTIME_CHECK(EVP_DigestFinal(ctx, digest, NULL) == 1); -+ RUNTIME_CHECK(EVP_DigestFinal(ctx->ctx, digest, NULL) == 1); -+ EVP_MD_CTX_free(ctx->ctx); -+ ctx->ctx = NULL; - } - - #elif PKCS11CRYPTO -Index: bind-9.10.4-P5/lib/isc/sha1.c -=================================================================== ---- bind-9.10.4-P5.orig/lib/isc/sha1.c -+++ bind-9.10.4-P5/lib/isc/sha1.c -@@ -50,17 +50,25 @@ - #endif - - #ifdef ISC_PLATFORM_OPENSSLHASH -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+#define EVP_MD_CTX_new() &(context->_ctx) -+#define EVP_MD_CTX_free(ptr) EVP_MD_CTX_cleanup(ptr) -+#endif -+ - void - isc_sha1_init(isc_sha1_t *context) - { - INSIST(context != NULL); - -- RUNTIME_CHECK(EVP_DigestInit(context, EVP_sha1()) == 1); -+ context->ctx = EVP_MD_CTX_new(); -+ RUNTIME_CHECK(context->ctx != NULL); -+ RUNTIME_CHECK(EVP_DigestInit(context->ctx, EVP_sha1()) 
== 1); - } - - void - isc_sha1_invalidate(isc_sha1_t *context) { -- EVP_MD_CTX_cleanup(context); -+ EVP_MD_CTX_free(context->ctx); -+ context->ctx = NULL; - } - - void -@@ -68,9 +76,10 @@ isc_sha1_update(isc_sha1_t *context, con - unsigned int len) - { - INSIST(context != 0); -+ INSIST(context->ctx != 0); - INSIST(data != 0); - -- RUNTIME_CHECK(EVP_DigestUpdate(context, -+ RUNTIME_CHECK(EVP_DigestUpdate(context->ctx, - (const void *) data, - (size_t) len) == 1); - } -@@ -79,8 +88,11 @@ void - isc_sha1_final(isc_sha1_t *context, unsigned char *digest) { - INSIST(digest != 0); - INSIST(context != 0); -+ INSIST(context->ctx != 0); - -- RUNTIME_CHECK(EVP_DigestFinal(context, digest, NULL) == 1); -+ RUNTIME_CHECK(EVP_DigestFinal(context->ctx, digest, NULL) == 1); -+ EVP_MD_CTX_free(context->ctx); -+ context->ctx = NULL; - } - - #elif PKCS11CRYPTO -Index: bind-9.10.4-P5/lib/isc/sha2.c -=================================================================== ---- bind-9.10.4-P5.orig/lib/isc/sha2.c -+++ bind-9.10.4-P5/lib/isc/sha2.c -@@ -69,18 +69,26 @@ - #endif - - #ifdef ISC_PLATFORM_OPENSSLHASH -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+#define EVP_MD_CTX_new() &(context->_ctx) -+#define EVP_MD_CTX_free(ptr) EVP_MD_CTX_cleanup(ptr) -+#define EVP_MD_CTX_reset(c) EVP_MD_CTX_cleanup(c) -+#endif - - void - isc_sha224_init(isc_sha224_t *context) { - if (context == (isc_sha224_t *)0) { - return; - } -- RUNTIME_CHECK(EVP_DigestInit(context, EVP_sha224()) == 1); -+ context->ctx = EVP_MD_CTX_new(); -+ RUNTIME_CHECK(context->ctx != NULL); -+ RUNTIME_CHECK(EVP_DigestInit(context->ctx, EVP_sha224()) == 1); - } - - void - isc_sha224_invalidate(isc_sha224_t *context) { -- EVP_MD_CTX_cleanup(context); -+ EVP_MD_CTX_free(context->ctx); -+ context->ctx = NULL; - } - - void -@@ -91,9 +99,11 @@ isc_sha224_update(isc_sha224_t *context, - } - - /* Sanity check: */ -- REQUIRE(context != (isc_sha224_t *)0 && data != (isc_uint8_t*)0); -+ REQUIRE(context != (isc_sha224_t *)0); -+ 
REQUIRE(context->ctx != (EVP_MD_CTX *)0); -+ REQUIRE(data != (isc_uint8_t*)0); - -- RUNTIME_CHECK(EVP_DigestUpdate(context, -+ RUNTIME_CHECK(EVP_DigestUpdate(context->ctx, - (const void *) data, len) == 1); - } - -@@ -101,13 +111,14 @@ void - isc_sha224_final(isc_uint8_t digest[], isc_sha224_t *context) { - /* Sanity check: */ - REQUIRE(context != (isc_sha224_t *)0); -+ REQUIRE(context->ctx != (EVP_MD_CTX *)0); - - /* If no digest buffer is passed, we don't bother doing this: */ -- if (digest != (isc_uint8_t*)0) { -- RUNTIME_CHECK(EVP_DigestFinal(context, digest, NULL) == 1); -- } else { -- EVP_MD_CTX_cleanup(context); -- } -+ if (digest != (isc_uint8_t*)0) -+ RUNTIME_CHECK(EVP_DigestFinal(context->ctx, -+ digest, NULL) == 1); -+ EVP_MD_CTX_free(context->ctx); -+ context->ctx = NULL; - } - - void -@@ -115,12 +126,15 @@ isc_sha256_init(isc_sha256_t *context) { - if (context == (isc_sha256_t *)0) { - return; - } -- RUNTIME_CHECK(EVP_DigestInit(context, EVP_sha256()) == 1); -+ context->ctx = EVP_MD_CTX_new(); -+ RUNTIME_CHECK(context->ctx != NULL); -+ RUNTIME_CHECK(EVP_DigestInit(context->ctx, EVP_sha256()) == 1); - } - - void - isc_sha256_invalidate(isc_sha256_t *context) { -- EVP_MD_CTX_cleanup(context); -+ EVP_MD_CTX_free(context->ctx); -+ context->ctx = NULL; - } - - void -@@ -131,9 +145,11 @@ isc_sha256_update(isc_sha256_t *context, - } - - /* Sanity check: */ -- REQUIRE(context != (isc_sha256_t *)0 && data != (isc_uint8_t*)0); -+ REQUIRE(context != (isc_sha256_t *)0); -+ REQUIRE(context->ctx != (EVP_MD_CTX *)0); -+ REQUIRE(data != (isc_uint8_t*)0); - -- RUNTIME_CHECK(EVP_DigestUpdate(context, -+ RUNTIME_CHECK(EVP_DigestUpdate(context->ctx, - (const void *) data, len) == 1); - } - -@@ -141,13 +157,14 @@ void - isc_sha256_final(isc_uint8_t digest[], isc_sha256_t *context) { - /* Sanity check: */ - REQUIRE(context != (isc_sha256_t *)0); -+ REQUIRE(context->ctx != (EVP_MD_CTX *)0); - - /* If no digest buffer is passed, we don't bother doing this: */ -- if (digest != 
(isc_uint8_t*)0) { -- RUNTIME_CHECK(EVP_DigestFinal(context, digest, NULL) == 1); -- } else { -- EVP_MD_CTX_cleanup(context); -- } -+ if (digest != (isc_uint8_t*)0) -+ RUNTIME_CHECK(EVP_DigestFinal(context->ctx, -+ digest, NULL) == 1); -+ EVP_MD_CTX_free(context->ctx); -+ context->ctx = NULL; - } - - void -@@ -155,12 +172,15 @@ isc_sha512_init(isc_sha512_t *context) { - if (context == (isc_sha512_t *)0) { - return; - } -- RUNTIME_CHECK(EVP_DigestInit(context, EVP_sha512()) == 1); -+ context->ctx = EVP_MD_CTX_new(); -+ RUNTIME_CHECK(context->ctx != NULL); -+ RUNTIME_CHECK(EVP_DigestInit(context->ctx, EVP_sha512()) == 1); - } - - void - isc_sha512_invalidate(isc_sha512_t *context) { -- EVP_MD_CTX_cleanup(context); -+ EVP_MD_CTX_free(context->ctx); -+ context->ctx = NULL; - } - - void isc_sha512_update(isc_sha512_t *context, const isc_uint8_t *data, size_t len) { -@@ -170,22 +190,25 @@ void isc_sha512_update(isc_sha512_t *con - } - - /* Sanity check: */ -- REQUIRE(context != (isc_sha512_t *)0 && data != (isc_uint8_t*)0); -+ REQUIRE(context != (isc_sha512_t *)0); -+ REQUIRE(context->ctx != (EVP_MD_CTX *)0); -+ REQUIRE(data != (isc_uint8_t*)0); - -- RUNTIME_CHECK(EVP_DigestUpdate(context, -+ RUNTIME_CHECK(EVP_DigestUpdate(context->ctx, - (const void *) data, len) == 1); - } - - void isc_sha512_final(isc_uint8_t digest[], isc_sha512_t *context) { - /* Sanity check: */ - REQUIRE(context != (isc_sha512_t *)0); -+ REQUIRE(context->ctx != (EVP_MD_CTX *)0); - - /* If no digest buffer is passed, we don't bother doing this: */ -- if (digest != (isc_uint8_t*)0) { -- RUNTIME_CHECK(EVP_DigestFinal(context, digest, NULL) == 1); -- } else { -- EVP_MD_CTX_cleanup(context); -- } -+ if (digest != (isc_uint8_t*)0) -+ RUNTIME_CHECK(EVP_DigestFinal(context->ctx, -+ digest, NULL) == 1); -+ EVP_MD_CTX_free(context->ctx); -+ context->ctx = NULL; - } - - void -@@ -193,12 +216,15 @@ isc_sha384_init(isc_sha384_t *context) { - if (context == (isc_sha384_t *)0) { - return; - } -- 
RUNTIME_CHECK(EVP_DigestInit(context, EVP_sha384()) == 1); -+ context->ctx = EVP_MD_CTX_new(); -+ RUNTIME_CHECK(context->ctx != NULL); -+ RUNTIME_CHECK(EVP_DigestInit(context->ctx, EVP_sha384()) == 1); - } - - void - isc_sha384_invalidate(isc_sha384_t *context) { -- EVP_MD_CTX_cleanup(context); -+ EVP_MD_CTX_free(context->ctx); -+ context->ctx = NULL; - } - - void -@@ -209,9 +235,11 @@ isc_sha384_update(isc_sha384_t *context, - } - - /* Sanity check: */ -- REQUIRE(context != (isc_sha512_t *)0 && data != (isc_uint8_t*)0); -+ REQUIRE(context != (isc_sha512_t *)0); -+ REQUIRE(context->ctx != (EVP_MD_CTX *)0); -+ REQUIRE(data != (isc_uint8_t*)0); - -- RUNTIME_CHECK(EVP_DigestUpdate(context, -+ RUNTIME_CHECK(EVP_DigestUpdate(context->ctx, - (const void *) data, len) == 1); - } - -@@ -219,13 +247,14 @@ void - isc_sha384_final(isc_uint8_t digest[], isc_sha384_t *context) { - /* Sanity check: */ - REQUIRE(context != (isc_sha384_t *)0); -+ REQUIRE(context->ctx != (EVP_MD_CTX *)0); - - /* If no digest buffer is passed, we don't bother doing this: */ -- if (digest != (isc_uint8_t*)0) { -- RUNTIME_CHECK(EVP_DigestFinal(context, digest, NULL) == 1); -- } else { -- EVP_MD_CTX_cleanup(context); -- } -+ if (digest != (isc_uint8_t*)0) -+ RUNTIME_CHECK(EVP_DigestFinal(context->ctx, -+ digest, NULL) == 1); -+ EVP_MD_CTX_free(context->ctx); -+ context->ctx = NULL; - } - - #elif PKCS11CRYPTO -@@ -1586,7 +1615,7 @@ isc_sha224_end(isc_sha224_t *context, ch - *buffer = (char)0; - } else { - #ifdef ISC_PLATFORM_OPENSSLHASH -- EVP_MD_CTX_cleanup(context); -+ EVP_MD_CTX_reset(context->ctx); - #elif PKCS11CRYPTO - pk11_return_session(context); - #else -@@ -1627,7 +1656,7 @@ isc_sha256_end(isc_sha256_t *context, ch - *buffer = (char)0; - } else { - #ifdef ISC_PLATFORM_OPENSSLHASH -- EVP_MD_CTX_cleanup(context); -+ EVP_MD_CTX_reset(context->ctx); - #elif PKCS11CRYPTO - pk11_return_session(context); - #else -@@ -1668,7 +1697,7 @@ isc_sha512_end(isc_sha512_t *context, ch - *buffer = (char)0; - } 
else { - #ifdef ISC_PLATFORM_OPENSSLHASH -- EVP_MD_CTX_cleanup(context); -+ EVP_MD_CTX_reset(context->ctx); - #elif PKCS11CRYPTO - pk11_return_session(context); - #else -@@ -1709,7 +1738,7 @@ isc_sha384_end(isc_sha384_t *context, ch - *buffer = (char)0; - } else { - #ifdef ISC_PLATFORM_OPENSSLHASH -- EVP_MD_CTX_cleanup(context); -+ EVP_MD_CTX_reset(context->ctx); - #elif PKCS11CRYPTO - pk11_return_session(context); - #else -Index: bind-9.10.4-P5/win32utils/Configure -=================================================================== ---- bind-9.10.4-P5.orig/win32utils/Configure -+++ bind-9.10.4-P5/win32utils/Configure -@@ -1473,8 +1473,14 @@ if ($use_openssl eq "no") { - foreach $file (sort {uc($b) cmp uc($a)} @dirlist) { - if (-f File::Spec->catfile($openssl_path, - $file, -- "inc32\\openssl", -- "opensslv.h")) { -+ "inc32\\openssl\\opensslv.h")) { -+ $openssl_path = File::Spec->catdir($openssl_path, $file); -+ $use_openssl = "yes"; -+ last; -+ } -+ if (-f File::Spec->catfile($openssl_path, -+ $file, -+ "include\\openssl\\opensslv.h")) { - $openssl_path = File::Spec->catdir($openssl_path, $file); - $use_openssl = "yes"; - last; -@@ -1492,21 +1498,50 @@ if ($use_openssl eq "yes") { - if ($verbose) { - print "checking for OpenSSL built directory at \"$openssl_path\"\n"; - } -+ my $openssl_new = 0; - if (!-f File::Spec->catfile($openssl_path, -- "inc32\\openssl", -- "opensslv.h")) { -- die "can't find OpenSSL opensslv.h include\n"; -- } -- if (!-f File::Spec->catfile($openssl_path, "out32dll", "libeay32.lib")) { -- die "can't find OpenSSL libeay32.lib library\n"; -- } -- if (!-f File::Spec->catfile($openssl_path, "out32dll", "libeay32.dll")) { -- die "can't find OpenSSL libeay32.dll DLL\n"; -+ "inc32\\openssl\\opensslv.h")) { -+ $openssl_new = 1; -+ if (!-f File::Spec->catfile($openssl_path, -+ "include\\openssl\\opensslv.h")) { -+ die "can't find OpenSSL opensslv.h include\n"; -+ } - } - my $openssl_inc = File::Spec->catdir($openssl_path, "inc32"); - my 
$openssl_libdir = File::Spec->catdir($openssl_path, "out32dll"); - my $openssl_lib = File::Spec->catfile($openssl_libdir, "libeay32.lib"); - my $openssl_dll = File::Spec->catfile($openssl_libdir, "libeay32.dll"); -+ if (!$openssl_new) { -+ # Check libraries are where we expect -+ if (!-f $openssl_lib) { -+ die "can't find OpenSSL libeay32.lib library\n"; -+ } -+ if (!-f $openssl_dll) { -+ die "can't find OpenSSL libeay32.dll DLL\n"; -+ } -+ } else { -+ # OpenSSL >= 1.1 is easier at the exception of the DLL -+ if ($verbose) { -+ print "new (>= 1.1) OpenSSL version\n"; -+ } -+ $openssl_inc = File::Spec->catdir($openssl_path, "include"); -+ $openssl_libdir = $openssl_path; -+ $openssl_lib = File::Spec->catfile($openssl_path, "libcrypto.lib"); -+ if (!-f $openssl_lib) { -+ die "can't find OpenSSL libcrypto.lib library\n"; -+ } -+ opendir DIR, $openssl_path || die "No Directory: $!\n"; -+ my @dirlist = grep (/^libcrypto-[^.]+\.dll$/i, readdir(DIR)); -+ closedir(DIR); -+ # We must get one file only -+ if (scalar(@dirlist) == 0) { -+ die "can't find OpenSSL libcrypto-*.dll DLL\n"; -+ } -+ if (scalar(@dirlist) != 1) { -+ die "find more than one OpenSSL libcrypto-*.dll DLL candidate\n"; -+ } -+ $openssl_dll = File::Spec->catdir($openssl_path, "@dirlist[0]"); -+ } - - $configcond{"OPENSSL"} = 1; - $configdefd{"CRYPTO"} = "OPENSSL"; -@@ -1940,30 +1975,6 @@ if ($enable_openssl_hash eq "yes") { - die "No OpenSSL for hash functions\n"; - } - $configdefp{"ISC_PLATFORM_OPENSSLHASH"} = 1; -- if ($verbose) { -- print "checking HMAC_Init() return type\n"; -- } -- open F, ">testhmac.c" || die $!; -- print F << 'EOF'; --#include -- --int --main(void) --{ -- HMAC_CTX ctx; -- int n = HMAC_Init(&ctx, NULL, 0, NULL); -- n += HMAC_Update(&ctx, NULL, 0); -- n += HMAC_Final(&ctx, NULL, NULL); -- return(n); --} --EOF -- close F; -- my $include = $configinc{"OPENSSL_INC"}; -- my $library = $configlib{"OPENSSL_LIB"}; -- $compret = `cl /nologo /MD /I "$include" testhmac.c "$library"`; -- if (grep 
{ -f and -x } ".\\testhmac.exe") { -- $configdefh{"HMAC_RETURN_INT"} = 1; -- } - } - - # with-pkcs11 -@@ -2907,7 +2918,11 @@ sub makeinstallfile { - print LOUT "liblwres.dll-BCFT\n"; - print LOUT "libirs.dll-BCFT\n"; - if ($use_openssl eq "yes") { -- print LOUT "libeay32.dll-BCFT\n"; -+ my $v; -+ my $d; -+ my $name; -+ ($v, $d, $name) =File::Spec->splitpath($configdll{"OPENSSL_DLL"}); -+ print LOUT "${name}-BCFT\n"; - } - if ($use_libxml2 eq "yes") { - print LOUT "libxml2.dll-BCFT\n"; diff --git a/bind.changes b/bind.changes index 11d4992..8575bc0 100644 --- a/bind.changes +++ b/bind.changes 
@@ -1,3 +1,90 @@ +------------------------------------------------------------------- +Wed Dec 6 13:35:59 UTC 2017 - vcizek@suse.com + +- Use getent when adding user/group +- update changelog to mention removed options + +------------------------------------------------------------------- +Sat Nov 25 15:31:18 UTC 2017 - meissner@suse.com + +- license changed to MPL-2.0 according to legal. + +------------------------------------------------------------------- +Thu Nov 23 13:38:07 UTC 2017 - rbrown@suse.com + +- Replace references to /var/adm/fillup-templates with new + %_fillupdir macro (boo#1069468) + +------------------------------------------------------------------- +Wed Nov 22 13:13:26 UTC 2017 - vcizek@suse.com + +- Add back init scripts, systemd units aren't ready yet + +------------------------------------------------------------------- +Thu Nov 21 14:30:52 UTC 2017 - tchvatal@suse.com + +- Add python3-bind subpackage to allow python bind interactions + +------------------------------------------------------------------- +Thu Nov 21 13:41:38 UTC 2017 - tchvatal@suse.com + +- Sync configure options with RH package and remove unused ones + * Enable python3 + * Enable gssapi + * Enable dnssec scripts + * Remove no longer recognized --enable-rrl + +------------------------------------------------------------------- +Thu Nov 21 12:54:35 UTC 2017 - tchvatal@suse.com + +- Drop idnkit from the build, the bind uses libidn since 2007 to run + all the resolutions in dig/etc. 
bsc#1030306 +- Add patch to make sure we build against system idn: + * bind-99-libidn.patch +- Refresh patch: + * pie_compile.diff +- Remove patches that are unused due to above: + * idnkit-powerpc-ltconfig.patch + * runidn.diff + +------------------------------------------------------------------- +Thu Nov 21 12:11:08 UTC 2017 - vcizek@suse.com + +- drop bind-openssl11.patch (merged upstream) + +------------------------------------------------------------------- +Thu Nov 17 11:35:29 UTC 2017 - tchvatal@suse.com + +- Remove systemd conditionals as we are not building on sle11 anyway +- Force the systemd to be base for the initscript deployment + +------------------------------------------------------------------- +Tue Nov 15 08:43:05 UTC 2017 - vcizek@suse.com + +- Bump up version of most of the libraries +- Rename the subpackages to match the version updates +- Add macros for easier handling of the library package names +- Drop more unneeded patches + * dns_dynamic_db.patch (upstream) + +------------------------------------------------------------------- +Tue Nov 14 11:17:03 UTC 2017 - tchvatal@suse.com + +- Update to 9.11.2 release: + * Many changes compared to 9.10 see the README file for in-depth listing + * For detailed changes with issues see CHANGES file + * Fixes for CVE-2017-3141 CVE-2017-3140 CVE-2017-3138 CVE-2017-3137 + CVE-3136 CVE-2016-9778 + * OpenSSL 1.1 support +- Remove support for some old distributions and cleanup the spec file + to require only what is really needed +- Switch to systemd (bsc#1053808) +- Remove german from the postinst messages +- Remove patches merged upstream: + * bind-CVE-2017-3135.patch + * bind-CVE-2017-3142-and-3143.patch +- Refresh named.root with another update + ------------------------------------------------------------------- Mon Nov 13 14:20:43 UTC 2017 - mpluskal@suse.com 
@@ -43,7 +130,7 @@ Fri Jun 30 07:12:50 UTC 2017 - sflees@suse.de ------------------------------------------------------------------- Sat May 20 11:46:44 UTC 2017 - dimstar@opensuse.org -a- Fix named init script to dynamically find the location of the +- Fix named init script to dynamically find the location of the openssl engines (boo#1040027). ------------------------------------------------------------------- diff --git a/bind.spec b/bind.spec index 0467926..0b1f237 100644 --- a/bind.spec +++ b/bind.spec 
@@ -16,88 +16,93 @@
 #
-Name: bind
-%define pkg_name bind
-%define pkg_vers 9.10.4-P5
-%define rpm_vers 9.10.4P5
-%define idn_vers 1.0
-%define with_systemd 0
-Summary: Domain Name System (DNS) Server (named)
-License: ISC
-Group: Productivity/Networking/DNS/Servers
-Version: %rpm_vers
-Release: 0
-
-Source: ftp://ftp.isc.org/isc/bind9/%{pkg_vers}/bind-%{pkg_vers}.tar.gz
-Source3: ftp://ftp.isc.org/isc/bind9/%{pkg_vers}/bind-%{pkg_vers}.tar.gz.asc
-# from http://www.isc.org/about/openpgp/ ... changes yearly apparently.
-Source4: %name.keyring
-Source1: vendor-files.tar.bz2
-Source2: baselibs.conf
-Source9: ftp://ftp.internic.net/domain/named.root
-# url http://www.venaas.no/ldap/bind-sdb/dnszone-schema.txt no longer exists...
-Source40: dnszone-schema.txt
-Patch: configure.in.diff
-Patch1: Makefile.in.diff
-Patch4: perl-path.diff
-Patch5: dns_dynamic_db.patch
-Patch51: pie_compile.diff
-Patch52: named-bootconf.diff
-Patch53: bind-sdb-ldap.patch
-Patch101: runidn.diff
-Patch102: idnkit-powerpc-ltconfig.patch
-Patch103: bind-CVE-2017-3135.patch
-Patch104: bind-CVE-2017-3142-and-3143.patch
-
-Patch200: bind-openssl11.patch
-
-BuildRequires: krb5-devel
-BuildRequires: libcap-devel
-BuildRequires: libjson-c-devel
-BuildRequires: libmysqlclient-devel
-BuildRequires: libtool
-BuildRequires: libxml2-devel
-BuildRequires: openldap2-devel
-BuildRequires: openssl
-BuildRequires: openssl-devel
-BuildRequires: python3-base
-%if %{with_systemd}
-BuildRequires: systemd-rpm-macros
-%else
-PreReq: %insserv_prereq
-%endif
-BuildRequires: update-desktop-files
-Provides: bind8
-Provides: bind9
-Provides: dns_daemon
-Obsoletes: bind8 < %version
-Obsoletes: bind9 < %version
-Requires: %{name}-chrootenv
-Requires: %{name}-utils
-PreReq: %fillup_prereq bind-utils /bin/grep /bin/sed /bin/mkdir /usr/bin/tee /bin/chmod /bin/chown /bin/mv /bin/cat /usr/bin/dirname /usr/bin/diff /usr/bin/old
-Requires(pre): /usr/sbin/groupadd /usr/sbin/useradd /usr/sbin/usermod
-Url: http://isc.org/sw/bind/
-
-Source60: dlz-schema.txt
-%if "%{_vendor}" == "suse"
-%define VENDOR SUSE
-%else
-%define VENDOR %_vendor
-%endif
+# Don't forget to update the package names also in baselibs.conf
+%define bind9_sonum 160
+%define libbind9 libbind9-%{bind9_sonum}
+%define dns_sonum 169
+%define libdns libdns%{dns_sonum}
+%define irs_sonum 160
+%define libirs libirs%{irs_sonum}
+%define isc_sonum 166
+%define libisc libisc%{isc_sonum}
+%define isccc_sonum 160
+%define libisccc libisccc%{isccc_sonum}
+%define isccfg_sonum 160
+%define libisccfg libisccfg%{isccfg_sonum}
+%define lwres_sonum 160
+%define liblwres liblwres%{lwres_sonum}
+%define VENDOR SUSE
 # Defines for user and group add
 %define NAMED_UID 44
 %define NAMED_UID_NAME named
 %define NAMED_GID 44
 %define NAMED_GID_NAME named
 %define NAMED_COMMENT Name server daemon
-%define NAMED_HOMEDIR /var/lib/named
+%define NAMED_HOMEDIR %{_localstatedir}/lib/named
 %define NAMED_SHELL /bin/false
-%define GROUPADD_NAMED /usr/sbin/groupadd -g %{NAMED_GID} -o -r %{NAMED_GID_NAME} 2> /dev/null || :
-%define USERADD_NAMED /usr/sbin/useradd -r -o -g %{NAMED_GID_NAME} -u %{NAMED_UID} -s %{NAMED_SHELL} -c "%{NAMED_COMMENT}" -d %{NAMED_HOMEDIR} %{NAMED_UID_NAME} 2> /dev/null || :
-%define USERMOD_NAMED /usr/sbin/usermod -s %{NAMED_SHELL} -d %{NAMED_HOMEDIR} %{NAMED_UID_NAME} 2>/dev/null || :
-BuildRoot: %{_tmppath}/%{name}-%{version}-build
-%if ! %{defined _rundir}
-%define _rundir %{_localstatedir}/run
+%define GROUPADD_NAMED getent group %{NAMED_GID_NAME} >/dev/null || %{_sbindir}/groupadd -g %{NAMED_GID} -o -r %{NAMED_GID_NAME}
+%define USERADD_NAMED getent passwd %{NAMED_UID_NAME} >/dev/null || %{_sbindir}/useradd -r -o -g %{NAMED_GID_NAME} -u %{NAMED_UID} -s %{NAMED_SHELL} -c "%{NAMED_COMMENT}" -d %{NAMED_HOMEDIR} %{NAMED_UID_NAME}
+%define USERMOD_NAMED getent passwd %{NAMED_UID_NAME} >/dev/null || %{_sbindir}/usermod -s %{NAMED_SHELL} -d %{NAMED_HOMEDIR} %{NAMED_UID_NAME}
+%define with_systemd 0
+#Compat macro for new _fillupdir macro introduced in Nov 2017
+%if ! %{defined _fillupdir}
+ %define _fillupdir %{_localstatedir}/adm/fillup-templates
+%endif
+Name: bind
+Version: 9.11.2
+Release: 0
+Summary: Domain Name System (DNS) Server (named)
+License: MPL-2.0
+Group: Productivity/Networking/DNS/Servers
+Url: http://isc.org/sw/bind/
+Source: ftp://ftp.isc.org/isc/bind9/%{version}/bind-%{version}.tar.gz
+Source1: vendor-files.tar.bz2
+Source2: baselibs.conf
+Source3: ftp://ftp.isc.org/isc/bind9/%{version}/bind-%{version}.tar.gz.asc
+# from http://www.isc.org/about/openpgp/ ... changes yearly apparently.
+Source4: %{name}.keyring
+Source9: ftp://ftp.internic.net/domain/named.root
+# url http://www.venaas.no/ldap/bind-sdb/dnszone-schema.txt no longer exists...
+Source40: dnszone-schema.txt
+Source60: dlz-schema.txt
+Patch0: configure.in.diff
+Patch1: Makefile.in.diff
+Patch2: bind-99-libidn.patch
+Patch4: perl-path.diff
+Patch51: pie_compile.diff
+Patch52: named-bootconf.diff
+Patch53: bind-sdb-ldap.patch
+BuildRequires: libcap-devel
+BuildRequires: libmysqlclient-devel
+BuildRequires: libopenssl-devel
+BuildRequires: libtool
+BuildRequires: openldap2-devel
+BuildRequires: openssl
+BuildRequires: pkgconfig
+BuildRequires: python3
+BuildRequires: python3-ply
+BuildRequires: update-desktop-files
+BuildRequires: pkgconfig(geoip)
+BuildRequires: pkgconfig(json)
+BuildRequires: pkgconfig(krb5)
+BuildRequires: pkgconfig(libidn)
+BuildRequires: pkgconfig(libxml-2.0)
+Requires: %{name}-chrootenv
+Requires: %{name}-utils
+Requires(post): %fillup_prereq
+Requires(post): bind-utils
+Requires(post): coreutils
+Requires(pre): shadow
+Provides: bind8
+Provides: bind9
+Provides: dns_daemon
+Obsoletes: bind8 < %{version}
+Obsoletes: bind9 < %{version}
+%{?systemd_requires}
+%if %{with_systemd}
+BuildRequires: systemd-rpm-macros
+%else
+Requires(post): %insserv_prereq
 %endif
 %description
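Review bot: The new `USERMOD_NAMED` macro has its guard inverted: `getent passwd %{NAMED_UID_NAME} >/dev/null || %{_sbindir}/usermod -s ... -d ... %{NAMED_UID_NAME}` runs usermod only when the user does not exist (where it can only fail) and skips it for an existing user, which is exactly the case the old unconditional `usermod ... 2>/dev/null || :` was there to fix up; the `%pre` that expands these macros is outside this hunk, so how its exit status is consumed is inferred. The `||` shape is right for `GROUPADD_NAMED` and `USERADD_NAMED`, and dropping `2> /dev/null || :` there means a failed useradd now fails the scriptlet instead of being silently ignored, which is worth keeping. A minimal fix for the usermod line is `%define USERMOD_NAMED ! getent passwd %{NAMED_UID_NAME} >/dev/null || %{_sbindir}/usermod -s %{NAMED_SHELL} -d %{NAMED_HOMEDIR} %{NAMED_UID_NAME}`; if usermod is expected to refuse while a `named` process is running, the previous `|| :` may still be needed on that one line. A one-line comment above the three defines stating that they must be idempotent across reinstall and upgrade would document the intent.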
@@ -106,56 +111,19 @@ Name System (DNS) protocols and provides an openly redistributable reference implementation of the major components of the Domain Name System. This package includes the components to operate a DNS server. -%package -n idnkit -Summary: Toolkit for internationalized domain names -Group: Productivity/Networking/DNS/Utilities -Version: %idn_vers -Release: 0 -# Added on 2014-10-01 -Provides: bind-utils:%_bindir/idnconv -Provides: bind-utils:%_bindir/runidn - -%description -n idnkit -idnkit is a toolkit for handling internationalized domain names. It -consists of the following components. - -* library for handling internationalized domain names (libidnkit) -* codeset conversion utility (idnconv) -* a command which adds IDN feature dynamically to Unix applications - (runidn) - -%package -n idnkit-devel -Summary: Development files for idnkit -Group: Development/Libraries/C and C++ -Version: %idn_vers -Release: 0 -Provides: bind-devel:%_includedir/bind/idn -Requires: libidnkit1 = %idn_vers -Requires: libidnkitlite1 = %idn_vers -Requires: libidnkitres1 = %idn_vers - -%description -n idnkit-devel -idnkit is a toolkit for handling internationalized domain names. This -subpackage contains the header files needed for building programs -with it. - -%package -n libbind9-140 +%package -n %{libbind9} Summary: BIND9 shared library used by BIND Group: System/Libraries -Version: %rpm_vers -Release: 0 -%description -n libbind9-140 +%description -n %{libbind9} This library contains a few utility functions used by the BIND server and utilities. -%package -n libdns165 +%package -n %{libdns} Summary: DNS library used by BIND Group: System/Libraries -Version: %rpm_vers -Release: 0 -%description -n libdns165 +%description -n %{libdns} This subpackage contains the "DNS client" module. This is a higher level API that provides an interface to name resolution, single DNS transaction with a particular server, and dynamic update. Regarding 
@@ -171,63 +139,21 @@ alternate data sources (for instance, a relational database) or using specialized algorithms (for instance, for load-balancing). [Book links for SDB: "Pro DNS and BIND 10", R. Aitchison, Apress] -%package -n libidnkit1 -Summary: BIND Internationalized Domain Names library -Group: System/Libraries -Version: %idn_vers -Release: 0 - -%description -n libidnkit1 -The libidnkit library support various manipulations of -internationalized domain names. - -libidnkit internally uses iconv function to provide encoding -conversion from UTF-8 to the local encoding (such as ISO-8859-1, -usually determined by the current locale), and vise versa. - -%package -n libidnkitlite1 -Summary: BIND Internationalized Domain Names lightweight library -Group: System/Libraries -Version: %idn_vers -Release: 0 - -%description -n libidnkitlite1 -The libidnkitlite library support various manipulations of -internationalized domain names. - -libidnkitlite is lightweight version of libidnkit. It assumes local -encoding is UTF-8 so that it never uses iconv. - -%package -n libidnkitres1 -Summary: Resolver function library with IDN support -Group: System/Libraries -Version: %idn_vers -Release: 0 - -%description -n libidnkitres1 -libidnkitres is a LD_PRELOAD-able library which provides a modified -version of resolver functions (gethostbyname, getaddrinfo, etc.) -which implement features for handling internationalized domain names. - -%package -n libirs141 +%package -n %{libirs} Summary: The BIND Information Retrieval System library Group: System/Libraries -Version: %rpm_vers -Release: 0 -%description -n libirs141 +%description -n %{libirs} libirs provides an interface to parse the traditional resolv.conf file and an "advanced" configuration file related to the DNS library for configuration parameters that would be beyond the capability of the resolv.conf file. Specifically, it is intended to provide DNSSEC related configuration -parameters. 
By default, the path to this configuration file is /etc/dns.conf. +parameters. By default, the path to this configuration file is %{_sysconfdir}/dns.conf. %package -n libirs-devel Summary: Development files for IRS Group: Development/Libraries/C and C++ -Version: %rpm_vers -Release: 0 -Requires: libirs141 = %rpm_vers +Requires: %{libirs} = %{version} %description -n libirs-devel libirs provides an interface to parse the traditional resolv.conf file and an 
@@ -235,50 +161,39 @@ libirs provides an interface to parse the traditional resolv.conf file and an parameters that would be beyond the capability of the resolv.conf file. This subpackage contains the header files needed for building programs with it. -%package -n libisc160 +%package -n %{libisc} Summary: ISC shared library used by BIND Group: System/Libraries -Version: %rpm_vers -Release: 0 -# Added on 2014-10-01. Does not really matter where it is put, we just need to -# flush the old name from the rpmdb. The libs will be automatically pulled in -# by way of rpm symbol requirements already. -Obsoletes: bind-libs = %version-%release -Provides: bind-libs < %version-%release +Provides: bind-libs = %{version}-%{release} +Obsoletes: bind-libs < %{version}-%{release} -%description -n libisc160 +%description -n %{libisc} This library contains miscellaneous utility function used by the BIND server and utilities. It includes functions for assertion handling, balanced binary (AVL) trees, bit masks comparison, event based programs, heap-based priority queues, memory handling, and program logging. -%package -n libisccc140 -Summary: Command Channel Library used by BIND +%package -n %{libisccc} +Summary: Command Channel Library used by BIND Group: System/Libraries -Version: %rpm_vers -Release: 0 -%description -n libisccc140 +%description -n %{libisccc} This library is used for communicating with BIND servers' administrative command channel (port 953 by default). -%package -n libisccfg140 +%package -n %{libisccfg} Summary: Exported ISC configuration shared library Group: System/Libraries -Version: %rpm_vers -Release: 0 -%description -n libisccfg140 +%description -n %{libisccfg} This BIND library contains the configuration file parser. 
-%package -n liblwres141 +%package -n %{liblwres} Summary: Lightweight Resolver API library Group: System/Libraries -Version: %rpm_vers -Release: 0 -%description -n liblwres141 +%description -n %{liblwres} The BIND 9 lightweight resolver library is a name service independent stub resolver library. It provides hostname-to-address and address-to-hostname lookup services to applications by transmitting @@ -291,31 +206,27 @@ communicate using a UDP-based protocol. %package chrootenv Summary: Chroot environment for BIND named and lwresd Group: Productivity/Networking/DNS/Servers -Version: %rpm_vers -Release: 0 -Requires(pre): /usr/sbin/groupadd /usr/sbin/useradd +Requires(pre): shadow %description chrootenv This package contains all directories and files which are common to the chroot environment of BIND named and lwresd. Most is part of the -structure below /var/lib/named. +structure below %{_localstatedir}/lib/named. %package devel Summary: Development Libraries and Header Files of BIND Group: Development/Libraries/C and C++ -Version: %rpm_vers -Release: 0 -Requires: libbind9-140 = %version -Requires: libdns165 = %version -Requires: libirs141 = %version -Requires: libisc160 = %version -Requires: libisccc140 = %version -Requires: libisccfg140 = %version -Requires: liblwres141 = %version +Requires: %{libbind9} = %{version} +Requires: %{libdns} = %{version} +Requires: %{libirs} = %{version} +Requires: %{libisccc} = %{version} +Requires: %{libisccfg} = %{version} +Requires: %{libisc} = %{version} +Requires: %{liblwres} = %{version} Provides: bind8-devel Provides: bind9-devel -Obsoletes: bind8-devel < %version -Obsoletes: bind9-devel < %version +Obsoletes: bind8-devel < %{version} +Obsoletes: bind9-devel < %{version} %description devel This package contains the header files, libraries, and documentation 
@@ -326,11 +237,7 @@ System (DNS) protocols. %package doc Summary: BIND documentation Group: Documentation/Other -Version: %rpm_vers -Release: 0 -%if 0%{?suse_version} == 0 || 0%{?suse_version} > 1230 BuildArch: noarch -%endif %description doc Documentation of the Berkeley Internet Name Domain (BIND) Domain Name @@ -340,16 +247,13 @@ includes also the BIND Administrator Reference Manual (ARM). %package lwresd Summary: Lightweight Resolver Daemon Group: Productivity/Networking/DNS/Utilities -Version: %rpm_vers -Release: 0 Requires: %{name}-chrootenv +Requires(pre): shadow +Requires(pre): sysvinit(network) +Requires(pre): sysvinit(syslog) Provides: dns_daemon -Requires(pre): /usr/sbin/groupadd /usr/sbin/useradd %if !%{with_systemd} -PreReq: %insserv_prereq -%endif -%if 0%{?suse_version} == 0 || 0%{?suse_version} > 1230 -PreReq: sysvinit(network) sysvinit(syslog) +Requires(post): %insserv_prereq %endif %description lwresd 
@@ -362,38 +266,42 @@ protocol. %package utils Summary: Utilities to query and test DNS +# Needed for dnssec parts Group: Productivity/Networking/DNS/Utilities -Version: %rpm_vers -Release: 0 +Requires: python3-bind = %{version} Provides: bind9-utils Provides: bindutil Provides: dns_utils -Obsoletes: bind9-utils < %version -Obsoletes: bindutil < %version +Obsoletes: bind9-utils < %{version} +Obsoletes: bindutil < %{version} %description utils This package includes the utilities "host", "dig", and "nslookup" used to test and query the Domain Name System (DNS). The Berkeley Internet Name Domain (BIND) DNS server is found in the package named bind. +%package -n python3-bind +Summary: A module allowing rndc commands to be sent from Python programs +Group: Development/Languages/Python +Requires: python3 +Requires: python3-ply +BuildArch: noarch + +%description -n python3-bind +This package provides a module which allows commands to be sent to rndc directly from Python programs. + %prep -%setup -q -n %{pkg_name}-%{pkg_vers} -a1 -%patch -p1 +%setup -q -a1 +%patch0 -p1 %patch1 -p1 -%patch4 -p0 -%patch5 -p1 -#%patch50 +%patch2 -p1 +%patch4 %patch51 %patch52 %patch53 -%patch101 -p1 -%patch102 -p1 -%patch103 -p1 -%patch104 -p1 -%patch200 -p1 # use the year from source gzip header instead of current one to make reproducible rpms -year=$(perl -e 'sysread(STDIN, $h, 8); print (1900+(gmtime(unpack("l",substr($h,4))))[5])' < %{S:0}) +year=$(perl -e 'sysread(STDIN, $h, 8); print (1900+(gmtime(unpack("l",substr($h,4))))[5])' < %{SOURCE0}) sed -i "s/stdout, copyright, year/stdout, copyright, \"-$year\"/" lib/dns/gen.c # modify settings of some files regarding to OS version and vendor @@ -401,7 +309,7 @@ function replaceStrings() { file="$1" sed -e "s@__NSD__@/lib@g" \ - -e "s@__BIND_PACKAGE_NAME__@%{pkg_name}@g" \ + -e "s@__BIND_PACKAGE_NAME__@%{name}@g" \ -e "s@__VENDOR__@%{VENDOR}@g" \ -e "s@___lib__@%{_lib}@g" \ -e "s@__openssl__@$(pkg-config --variable=enginesdir libcrypto)@g" \ 
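Review bot: The added comment `# Needed for dnssec parts` sits above `Group:` rather than above the `Requires: python3-bind = %{version}` line it explains, so a reader sees it attached to the wrong tag; move it to directly precede that Requires line. In the same hunk `%patch4` loses its explicit `-p0`; that matches the other unparameterised `%patch5x` lines and is presumably equivalent, but the intended strip level for perl-path.diff is not visible here and is worth confirming.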
@@ -414,174 +322,107 @@ done popd cp contrib/sdb/ldap/ldapdb.c bin/named/ cp contrib/sdb/ldap/ldapdb.h bin/named/include/ -# --------------------------------------------------------------------------- %build -%{?suse_update_config:%{suse_update_config -f}} -# gssapi/gssapi_krb5.h isn't found if aclocal.m4 gets modified this way -#cat /usr/share/aclocal/libtool.m4 >> aclocal.m4 -%{__libtoolize} -f -%{__aclocal} -%{__autoconf} -#pushd lib/bind -#%{?suse_update_config:%{suse_update_config -f}} -#cat /usr/share/aclocal/libtool.m4 >> aclocal.m4 -#%{__libtoolize} -f -#%{__aclocal} -#%{__autoconf} -#popd -#pushd contrib/idn/idnkit-1.0-src -#%{?suse_update_config:%{suse_update_config -f}} -#cat /usr/share/aclocal/libtool.m4 >> aclocal.m4 -#%{__libtoolize} -f -#%{__aclocal} -#%{__autoconf} -#popd -export CFLAGS="$RPM_OPT_FLAGS -DNO_VERSION_DATE -fno-strict-aliasing $(getconf LFS_CFLAGS)" LDFLAGS="-L%{_libdir}" -#export CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing -DLDAP_DEPRECATED" LDFLAGS="-L%{_libdir}" -#export CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing -fpie" LDFLAGS="-L%{_libdir} -pie" -CONFIGURE_OPTIONS="\ - --prefix=%{_prefix} \ - --bindir=%{_bindir} \ - --sbindir=%{_sbindir} \ - --sysconfdir=%{_sysconfdir} \ - --localstatedir=%{_var} \ - --libdir=%{_libdir} \ - --enable-exportlib \ - --with-export-libdir=%{_libdir} \ - --with-export-includedir=%{_includedir} \ +autoreconf -fvi +export CFLAGS="%{optflags}" +%configure \ + --with-python=%{_bindir}/python3 \ --includedir=%{_includedir}/bind \ - --mandir=%{_mandir} \ - --infodir=%{_infodir} \ --disable-static \ --with-openssl \ --enable-threads \ --with-libtool \ - --enable-runidn \ --with-libxml2 \ --with-libjson \ --with-dlz-mysql \ --with-dlz-ldap \ - --enable-rrl \ --with-randomdev=/dev/urandom \ -" -cp -f -p config.guess config.sub contrib/idn/idnkit-1.0-src/ -./configure ${CONFIGURE_OPTIONS} + --enable-ipv6 \ + --with-pic \ + --disable-openssl-version-check \ + --with-tuning=large \ + --with-geoip \ + --with-dlopen 
\ + --with-gssapi=yes \ + --disable-isc-spnego \ + --enable-fixed-rrset \ + --enable-full-report # disable rpath sed -i ' s|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g s|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g ' libtool -%{__make} %{?_smp_mflags} -pushd contrib/idn/idnkit-1.0-src -./configure ${CONFIGURE_OPTIONS} -# disable rpath -sed -i ' - s|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g - s|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g -' libtool -%{__make} %{?_smp_mflags} -popd -# running BIND system tests -# FIXME: enable make test if every test checks for a free port first; fixed port -# 5300 might lead to test failures if port is already in use. -#pushd bin/tests/system/ -#./ifconfig.sh up -#%{__make} test -#./ifconfig.sh down -#popd -# replace __NSD__ in some files by a sub directory to set the full path to -# named's root directory -# --------------------------------------------------------------------------- +make %{?_smp_mflags} %install -%{GROUPADD_NAMED} -%{USERADD_NAMED} mkdir -p \ - ${RPM_BUILD_ROOT}/%{_sysconfdir}/init.d \ - ${RPM_BUILD_ROOT}/%{_sysconfdir}/named.d \ - ${RPM_BUILD_ROOT}/%{_sysconfdir}/openldap/schema \ - ${RPM_BUILD_ROOT}/%{_sysconfdir}/slp.reg.d \ - ${RPM_BUILD_ROOT}/usr/{bin,%{_lib},sbin,include} \ - ${RPM_BUILD_ROOT}/%{_datadir}/bind \ - ${RPM_BUILD_ROOT}/%{_datadir}/susehelp/meta/Administration/System \ - ${RPM_BUILD_ROOT}/%{_defaultdocdir}/bind \ - ${RPM_BUILD_ROOT}/var/lib/named/{etc/named.d,dev,dyn,log,master,slave,var/{lib,run/{lwresd,named}}} \ - ${RPM_BUILD_ROOT}%{_mandir}/{man1,man3,man5,man8} \ - ${RPM_BUILD_ROOT}/var/adm/fillup-templates \ - ${RPM_BUILD_ROOT}/%{_rundir} \ - ${RPM_BUILD_ROOT}/%{_sysconfdir}/sysconfig/SuSEfirewall2.d/services \ - ${RPM_BUILD_ROOT}%{_includedir}/bind/dns \ - ${RPM_BUILD_ROOT}%{_libexecdir}/bind -%{__make} DESTDIR=${RPM_BUILD_ROOT} install -pushd contrib/idn/idnkit-1.0-src -%{__make} DESTDIR=${RPM_BUILD_ROOT} install -popd -# install 
interface header file for developing Dynamic DB plugin -install -m 0644 lib/dns/include/dns/dynamic_db.h ${RPM_BUILD_ROOT}%{_includedir}/bind/dns/ + %{buildroot}/%{_sysconfdir}/init.d \ + %{buildroot}/%{_sysconfdir}/named.d \ + %{buildroot}/%{_sysconfdir}/openldap/schema \ + %{buildroot}/%{_sysconfdir}/slp.reg.d \ + %{buildroot}%{_prefix}/{bin,%{_lib},sbin,include} \ + %{buildroot}/%{_datadir}/bind \ + %{buildroot}/%{_datadir}/susehelp/meta/Administration/System \ + %{buildroot}/%{_defaultdocdir}/bind \ + %{buildroot}%{_localstatedir}/lib/named/{etc/named.d,dev,dyn,log,master,slave,var/{lib,run/{lwresd,named}}} \ + %{buildroot}%{_mandir}/{man1,man3,man5,man8} \ + %{buildroot}%{_fillupdir} \ + %{buildroot}/%{_rundir} \ + %{buildroot}/%{_sysconfdir}/sysconfig/SuSEfirewall2.d/services \ + %{buildroot}%{_includedir}/bind/dns \ + %{buildroot}%{_libexecdir}/bind +%make_install # install errno2result.h, some dynamic DB plugins could use it. -install -m 0755 -d ${RPM_BUILD_ROOT}%{_includedir}/isc/ -install -m 0644 lib/isc/unix/errno2result.h ${RPM_BUILD_ROOT}%{_includedir}/isc/ +install -m 0755 -d %{buildroot}%{_includedir}/isc/ +install -m 0644 lib/isc/unix/errno2result.h %{buildroot}%{_includedir}/isc/ # remove useless .la files -rm -f ${RPM_BUILD_ROOT}/%{_lib}/libidnkit.la -rm -f ${RPM_BUILD_ROOT}/%{_lib}/libidnkitlite.la -rm -f ${RPM_BUILD_ROOT}/%{_libdir}/lib*.{la,a} -mv vendor-files/config/named.conf ${RPM_BUILD_ROOT}/%{_sysconfdir} -mv vendor-files/config/bind.reg ${RPM_BUILD_ROOT}/%{_sysconfdir}/slp.reg.d -mv vendor-files/config/rndc-access.conf ${RPM_BUILD_ROOT}/%{_sysconfdir}/named.d +rm -f %{buildroot}/%{_libdir}/lib*.{la,a} +mv vendor-files/config/named.conf %{buildroot}/%{_sysconfdir} +mv vendor-files/config/bind.reg %{buildroot}/%{_sysconfdir}/slp.reg.d +mv vendor-files/config/rndc-access.conf %{buildroot}/%{_sysconfdir}/named.d for file in lwresd.conf named.conf.include rndc.key; do - touch ${RPM_BUILD_ROOT}/%{_sysconfdir}/${file} + touch 
%{buildroot}/%{_sysconfdir}/${file} done for file in lwresd named; do - install -m 0754 vendor-files/init/${file} ${RPM_BUILD_ROOT}/etc/init.d/${file} - ln -sf /etc/init.d/${file} ${RPM_BUILD_ROOT}/usr/sbin/rc${file} + install -m 0754 vendor-files/init/${file} %{buildroot}%{_initddir}/${file} + ln -sf %{_initddir}/${file} %{buildroot}%{_sbindir}/rc${file} done -install -m 0644 ${RPM_SOURCE_DIR}/named.root ${RPM_BUILD_ROOT}/var/lib/named/root.hint -mv vendor-files/config/{127.0.0,localhost}.zone ${RPM_BUILD_ROOT}/var/lib/named -install -m 0754 vendor-files/tools/createNamedConfInclude ${RPM_BUILD_ROOT}/%{_datadir}/bind -install -m 0755 vendor-files/tools/bind.genDDNSkey ${RPM_BUILD_ROOT}/%{_bindir}/genDDNSkey -cp -a vendor-files/docu/BIND.desktop ${RPM_BUILD_ROOT}/%{_datadir}/susehelp/meta/Administration/System -cp -p ${RPM_SOURCE_DIR}/dnszone-schema.txt ${RPM_BUILD_ROOT}/%{_sysconfdir}/openldap/schema/dnszone.schema -cp -p "%{S:60}" "${RPM_BUILD_ROOT}/%{_sysconfdir}/openldap/schema/dlz.schema" -install -m 0754 vendor-files/tools/ldapdump ${RPM_BUILD_ROOT}/%{_datadir}/bind -find ${RPM_BUILD_ROOT}/%{_libdir} -type f -name '*.so*' -print0 | xargs -0 chmod 0755 -touch ${RPM_BUILD_ROOT}/var/lib/named/etc/{localtime,named.conf.include,named.d/rndc.access.conf} -touch ${RPM_BUILD_ROOT}/var/lib/named/dev/log -ln -s ../.. 
${RPM_BUILD_ROOT}/var/lib/named/var/lib/named -ln -s ../log ${RPM_BUILD_ROOT}/var/lib/named/var -%if "%_rundir" == "/run" -ln -s ../var/lib/named/var/run/lwresd ${RPM_BUILD_ROOT}/run -ln -s ../var/lib/named/var/run/named ${RPM_BUILD_ROOT}/run -%else -ln -s ../lib/named/var/run/lwresd ${RPM_BUILD_ROOT}/var/run -ln -s ../lib/named/var/run/named ${RPM_BUILD_ROOT}/var/run -%endif +install -m 0644 ${RPM_SOURCE_DIR}/named.root %{buildroot}%{_localstatedir}/lib/named/root.hint +mv vendor-files/config/{127.0.0,localhost}.zone %{buildroot}%{_localstatedir}/lib/named +install -m 0754 vendor-files/tools/createNamedConfInclude %{buildroot}/%{_datadir}/bind +install -m 0755 vendor-files/tools/bind.genDDNSkey %{buildroot}/%{_bindir}/genDDNSkey +cp -a vendor-files/docu/BIND.desktop %{buildroot}/%{_datadir}/susehelp/meta/Administration/System +cp -p ${RPM_SOURCE_DIR}/dnszone-schema.txt %{buildroot}/%{_sysconfdir}/openldap/schema/dnszone.schema +cp -p "%{SOURCE60}" "%{buildroot}/%{_sysconfdir}/openldap/schema/dlz.schema" +install -m 0754 vendor-files/tools/ldapdump %{buildroot}/%{_datadir}/bind +find %{buildroot}/%{_libdir} -type f -name '*.so*' -print0 | xargs -0 chmod 0755 +touch %{buildroot}%{_localstatedir}/lib/named%{_sysconfdir}/{localtime,named.conf.include,named.d/rndc.access.conf} +touch %{buildroot}%{_localstatedir}/lib/named/dev/log +ln -s ../.. 
%{buildroot}%{_localstatedir}/lib/named%{_localstatedir}/lib/named +ln -s ../log %{buildroot}%{_localstatedir}/lib/named%{_localstatedir} +ln -s ..%{_localstatedir}/lib/named%{_localstatedir}/run/lwresd %{buildroot}/run +ln -s ..%{_localstatedir}/lib/named%{_localstatedir}/run/named %{buildroot}/run for file in named-common named-named syslog-named; do - install -m 0644 vendor-files/sysconfig/${file} ${RPM_BUILD_ROOT}/var/adm/fillup-templates/sysconfig.${file} + install -m 0644 vendor-files/sysconfig/${file} %{buildroot}%{_fillupdir}/sysconfig.${file} done install -m 644 vendor-files/sysconfig/SuSEFirewall.named %{buildroot}/%{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/bind # Cleanup doc rm doc/misc/Makefile* -# Remove samples -rm ${RPM_BUILD_ROOT}/etc/*.sample find doc/arm -type f ! -name '*.html' -print0 | xargs -0 rm -f # Create doc as we want it in bind and not bind-doc -cp -a vendor-files/docu/README ${RPM_BUILD_ROOT}/%{_defaultdocdir}/bind/README.%{VENDOR} +cp -a vendor-files/docu/README %{buildroot}/%{_defaultdocdir}/bind/README.%{VENDOR} cp -a vendor-files/docu/dnszonehowto.html contrib/sdb/ldap/ mkdir -p vendor-files/config/ISC-examples cp -a bin/tests/*.conf* vendor-files/config/ISC-examples -for file in CHANGES COPYRIGHT README FAQ version contrib doc/{arm,misc} vendor-files/config contrib/sdb/ldap/INSTALL.ldap; do +for file in CHANGES COPYRIGHT README version contrib doc/{arm,misc} vendor-files/config contrib/sdb/ldap/INSTALL.ldap; do basename=$( basename ${file}) - cp -a ${file} ${RPM_BUILD_ROOT}/%{_defaultdocdir}/bind/${basename} + cp -a ${file} %{buildroot}/%{_defaultdocdir}/bind/${basename} echo "%doc %{_defaultdocdir}/bind/${basename}" >>filelist-bind-doc done -pushd ${RPM_BUILD_ROOT}%{_defaultdocdir}/bind/contrib/idn/idnkit-1.0-src -%{__make} distclean -rm -rf include lib man map patch tools win wsock Makefile.in acconfig.h aclocal.m4 config.* configure* install-sh ltconfig make.wnt mkinstalldirs -popd # 
--------------------------------------------------------------------------- -install -m 0644 bind.keys ${RPM_BUILD_ROOT}/var/lib/named/named.root.key +install -m 0644 bind.keys %{buildroot}%{_localstatedir}/lib/named/named.root.key %pre # Are we updating from a package named bind9? @@ -633,12 +474,12 @@ TEMP_SYSCONFIG_FILE="var/adm/named-chroot" # Are we in update mode? if [ ${FIRST_ARG:-0} -gt 1 ]; then # Is named.conf an old, /var/named configuration? -if [ -f etc/named.conf ] && grep -qi '^[[:space:]]*directory[[:space:]]*"/var/named"[[:space:]]*;' etc/named.conf; then +if [ -f etc/named.conf ] && grep -qi '^[[:space:]]*directory[[:space:]]*"%{_localstatedir}/named"[[:space:]]*;' etc/named.conf; then test -d var/log || \ mkdir -p var/log - CONVLOG="/var/log/named-move-to-var-lib" + CONVLOG="%{_localstatedir}/log/named-move-to-var-lib" # move zone files to new location - echo "Moving zone files to new location /var/lib/named" | tee ${CONVLOG} + echo "Moving zone files to new location %{_localstatedir}/lib/named" | tee ${CONVLOG} IFS=" " for dir in var/named var/named/slave; do @@ -649,7 +490,7 @@ if [ -f etc/named.conf ] && grep -qi '^[[:space:]]*directory[[:space:]]*"/var/na sourcedir=$( echo "${source%/*}") destdir=$( echo "${sourcedir#var/named}") if [ -e "var/lib/named/${destdir}/${source##*/}" ]; then - echo "Warning: /var/lib/named${destdir}/${source##*/} already exists; skipped." | tee -a ${CONVLOG} + echo "Warning: %{_localstatedir}/lib/named${destdir}/${source##*/} already exists; skipped." | tee -a ${CONVLOG} else echo "${source#var/named/}" | tee -a ${CONVLOG} mv "${source}" "var/lib/named/${destdir}" 
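Review bot: `--disable-openssl-version-check` in the new %configure call silences named's start-up check that the libcrypto it loads matches the one it was compiled against (as far as I recall the check compares SSLeay() with OPENSSL_VERSION_NUMBER), so an OpenSSL update that breaks the ABI would no longer be reported at startup; that is only safe because the rpm soname dependency on libcrypto carries the guarantee instead, and the option should say so, e.g. `# runtime libcrypto compatibility is enforced by the rpm soname dependency, not by named's own check`. The same hunk also drops the `%if "%_rundir" == "/run"` conditional and hardcodes the run-directory symlink targets as `%{buildroot}/run`, while the %files lists still reference `%ghost %{_rundir}/named` and `%ghost %{_rundir}/lwresd`; writing `%{buildroot}%{_rundir}` keeps install and file list consistent on a build where `_rundir` differs from `/run`. The %build section continues past the end of the hunk.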
@@ -657,11 +498,11 @@ if [ -f etc/named.conf ] && grep -qi '^[[:space:]]*directory[[:space:]]*"/var/na done done # updating named.conf - echo -n "Backup old /etc/named.conf to " | tee -a ${CONVLOG} + echo -n "Backup old %{_sysconfdir}/named.conf to " | tee -a ${CONVLOG} oldconfig=$( old etc/named.conf) 2>/dev/null oldconfig=${oldconfig##*/} - echo -n "/etc/${oldconfig}. Conversion " | tee -a ${CONVLOG} - sed -e "s@\"/var/named\"@\"/var/lib/named\"@" "etc/${oldconfig}" > etc/named.conf 2>/dev/null + echo -n "%{_sysconfdir}/${oldconfig}. Conversion " | tee -a ${CONVLOG} + sed -e "s@\"%{_localstatedir}/named\"@\"%{_localstatedir}/lib/named\"@" "etc/${oldconfig}" > etc/named.conf 2>/dev/null conv_rc=$? if [ ${conv_rc} -eq 0 ]; then echo "succeded." | tee -a ${CONVLOG} @@ -674,20 +515,16 @@ if [ -f etc/named.conf ] && grep -qi '^[[:space:]]*directory[[:space:]]*"/var/na cat << EOF >>${CONVLOG} Result: named.conf conversion succeded. For details check the following diff of the the old and new configuration. -Ergebnis: Die named.conf-Konvertierung war erfolgreich. Details finden -Sie in der nachfolgenden Differenz der alten und neuen Konfiguration. EOF diff -u etc/${oldconfig} etc/named.conf >>${CONVLOG} else cat << EOF >>${CONVLOG} -Result: Conversion failed. You must check your /etc/named.conf -Ergebnis: Die Konvertierung ist fehlgeschlagen. Sie müssen Ihre -/etc/named.conf überprüfen. +Result: Conversion failed. You must check your %{_sysconfdir}/named.conf EOF fi else rm -f var/lib/update-messages/bind.1 -fi # End of 'Is named.conf an old, /var/named configuration?'. +fi # End of 'Is named.conf an old, %{_localstatedir}/named configuration?'. # Add include files to NAMED_CONF_INCLUDE_FILES if we have already a include # file (SL Standard Server 8) and NAMED_RUN_CHROOTED from the # TEMP_SYSCONFIG_FILE is empty. 
@@ -703,26 +540,26 @@ if [ -s etc/named.conf.include -a -z "${NAMED_RUN_CHROOTED}" ]; then if [ "${INCLUDE_LINES}" -a -z "${NAMED_CONF_INCLUDE_FILES}" ]; then for file in ${INCLUDE_LINES}; do # don't add a file a second time - echo "${INCLUDE_FILES}" | grep -qe "\<${file#/etc/named.d/}\>" && continue + echo "${INCLUDE_FILES}" | grep -qe "\<${file#%{_sysconfdir}/named.d/}\>" && continue # don't add the meta include file as the init script copy it anyway # to the chroot jail - test "${file}" = "/etc/named.conf.include" && continue + test "${file}" = "%{_sysconfdir}/named.conf.include" && continue test "${INCLUDE_FILES}" && INCLUDE_FILES="${INCLUDE_FILES} " - # strip off any leading /etc/named.d/ as the init script takes care + # strip off any leading %{_sysconfdir}/named.d/ as the init script takes care # of relative file names - INCLUDE_FILES="${INCLUDE_FILES}${file#/etc/named.d/}" + INCLUDE_FILES="${INCLUDE_FILES}${file#%{_sysconfdir}/named.d/}" done - TMPFILE=$( mktemp /var/tmp/named.sysconfig.XXXXXX) + TMPFILE=$( mktemp %{_localstatedir}/tmp/named.sysconfig.XXXXXX) if [ $? -ne 0 ]; then - echo "Can't create temp file. Please add your included files from /etc/named.conf to" - echo "NAMED_CONF_INCLUDE_FILES of /etc/sysconfig/named manually." + echo "Can't create temp file. Please add your included files from %{_sysconfdir}/named.conf to" + echo "NAMED_CONF_INCLUDE_FILES of %{_sysconfdir}/sysconfig/named manually." return fi chmod --reference=etc/sysconfig/named ${TMPFILE} if sed "s+^NAMED_CONF_INCLUDE_FILES.*$+NAMED_CONF_INCLUDE_FILES=\"${INCLUDE_FILES}\"+" etc/sysconfig/named > "${TMPFILE}"; then mv "${TMPFILE}" etc/sysconfig/named else - echo "Can't set NAMED_CONF_INCLUDE_FILES of /etc/sysconfig/named to \"${INCLUDE_FILES}\"." + echo "Can't set NAMED_CONF_INCLUDE_FILES of %{_sysconfdir}/sysconfig/named to \"${INCLUDE_FILES}\"." fi fi fi 
@@ -757,27 +594,20 @@ fi %insserv_cleanup %endif -%post -n libbind9-140 -p /sbin/ldconfig -%postun -n libbind9-140 -p /sbin/ldconfig -%post -n libdns165 -p /sbin/ldconfig -%postun -n libdns165 -p /sbin/ldconfig -%post -n libidnkit1 -p /sbin/ldconfig -%postun -n libidnkit1 -p /sbin/ldconfig -%post -n libidnkitlite1 -p /sbin/ldconfig -%postun -n libidnkitlite1 -p /sbin/ldconfig -%post -n libidnkitres1 -p /sbin/ldconfig -%postun -n libidnkitres1 -p /sbin/ldconfig -%post -n libirs141 -p /sbin/ldconfig -%postun -n libirs141 -p /sbin/ldconfig -%post -n libisc160 -p /sbin/ldconfig -%postun -n libisc160 -p /sbin/ldconfig -%post -n libisccc140 -p /sbin/ldconfig -%postun -n libisccc140 -p /sbin/ldconfig -%post -n libisccfg140 -p /sbin/ldconfig -%postun -n libisccfg140 -p /sbin/ldconfig -%post -n liblwres141 -p /sbin/ldconfig -%postun -n liblwres141 -p /sbin/ldconfig - +%post -n %{libbind9} -p /sbin/ldconfig +%postun -n %{libbind9} -p /sbin/ldconfig +%post -n %{libdns} -p /sbin/ldconfig +%postun -n %{libdns} -p /sbin/ldconfig +%post -n %{libirs} -p /sbin/ldconfig +%postun -n %{libirs} -p /sbin/ldconfig +%post -n %{libisc} -p /sbin/ldconfig +%postun -n %{libisc} -p /sbin/ldconfig +%post -n %{libisccc} -p /sbin/ldconfig +%postun -n %{libisccc} -p /sbin/ldconfig +%post -n %{libisccfg} -p /sbin/ldconfig +%postun -n %{libisccfg} -p /sbin/ldconfig +%post -n %{liblwres} -p /sbin/ldconfig +%postun -n %{liblwres} -p /sbin/ldconfig %pre chrootenv %{GROUPADD_NAMED} %{USERADD_NAMED} 
@@ -829,17 +659,14 @@ fi %endif %post utils -/sbin/ldconfig # Create a key if lwresd is installed. -if [ -x usr/sbin/lwresd -a ! -f etc/rndc.key ]; then - usr/sbin/rndc-confgen -a -b 512 -r dev/urandom - chmod 0640 etc/rndc.key - chown root:named etc/rndc.key +if [ -x %{_sbindir}/lwresd -a ! -f %{_sysconfdir}/rndc.key ]; then + %{_sbindir}/rndc-confgen -a -b 512 -r dev/urandom + chmod 0640 %{_sysconfdir}/rndc.key + chown root:named %{_sysconfdir}/rndc.key fi -# --------------------------------------------------------------------------- %files -%defattr(-,root,root) %attr(0644,root,named) %config(noreplace) /%{_sysconfdir}/named.conf %dir %{_sysconfdir}/slp.reg.d %attr(0644,root,root) /%{_sysconfdir}/slp.reg.d/bind.reg @@ -848,24 +675,24 @@ fi %config /%{_sysconfdir}/init.d/named %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/bind %{_bindir}/bind9-config +%{_bindir}/named-rrchecker %{_sbindir}/rcnamed %{_sbindir}/named %{_sbindir}/named-checkconf %{_sbindir}/named-checkzone %{_sbindir}/named-compilezone -%{_sbindir}/named-rrchecker -%{_mandir}/man1/bind9-config.1.gz -%{_mandir}/man1/named-rrchecker.1.gz -%{_mandir}/man5/named.conf.5.gz -%{_mandir}/man8/named-checkconf.8.gz -%{_mandir}/man8/named-checkzone.8.gz -%{_mandir}/man8/named.8.gz -%{_mandir}/man8/named-compilezone.8.gz +%{_mandir}/man1/bind9-config.1%{ext_man} +%{_mandir}/man1/named-rrchecker.1%{ext_man} +%{_mandir}/man5/named.conf.5%{ext_man} +%{_mandir}/man8/named-checkconf.8%{ext_man} +%{_mandir}/man8/named-checkzone.8%{ext_man} +%{_mandir}/man8/named.8%{ext_man} +%{_mandir}/man8/named-compilezone.8%{ext_man} %dir %{_datadir}/bind %{_datadir}/bind/createNamedConfInclude %{_datadir}/bind/ldapdump %ghost %{_rundir}/named -%{_var}/adm/fillup-templates/sysconfig.named-named +%{_fillupdir}/sysconfig.named-named %dir %{_var}/lib/named/master %attr(-,named,named) %dir %{_var}/lib/named/dyn %attr(-,named,named) %dir %{_var}/lib/named/slave 
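Review bot: In the rewritten %post utils scriptlet the test paths became absolute (`%{_sbindir}/lwresd`, `%{_sysconfdir}/rndc.key`) but the random source stayed relative, `-r dev/urandom`, so key generation now silently depends on the scriptlet's cwd being `/` while nothing else in the block does; `%{_sbindir}/rndc-confgen -a -b 512 -r /dev/urandom` (or simply dropping `-r`, since configure already passes `--with-randomdev=/dev/urandom`) removes that assumption. If rndc-confgen in this release still defaults to hmac-md5 when `-A` is not given, `-A hmac-sha256 -b 256` would be the better default for a freshly generated control key. The key is written first and only then tightened by the separate `chmod 0640` and `chown root:named` steps, so it is worth confirming that rndc-confgen itself creates the file with a restrictive mode rather than relying on the scriptlet's umask.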
@@ -873,96 +700,54 @@ fi %config %{_var}/lib/named/127.0.0.zone %config %{_var}/lib/named/localhost.zone %config %{_var}/lib/named/named.root.key -%ghost %{_var}/lib/named/etc/localtime -%attr(0644,root,named) %ghost %{_var}/lib/named/etc/named.conf.include -%attr(-,named,named) %dir %{_var}/lib/named/var/run/named +%ghost %{_var}/lib/named%{_sysconfdir}/localtime +%attr(0644,root,named) %ghost %{_var}/lib/named%{_sysconfdir}/named.conf.include +%attr(-,named,named) %dir %{_var}/lib/named%{_localstatedir}/run/named %dir %{_libexecdir}/bind -%files -n idnkit -%defattr(-,root,root) -%config(noreplace) %{_sysconfdir}/idn.conf -%config(noreplace) %{_sysconfdir}/idnalias.conf -%{_bindir}/idnconv -%{_bindir}/runidn -%{_mandir}/man1/idnconv.1.gz -%{_mandir}/man1/runidn.1.gz -%{_mandir}/man5/idn.conf.5.gz -%{_mandir}/man5/idnalias.conf.5.gz -%{_mandir}/man5/idnrc.5.gz -%{_datadir}/idnkit/ +%files -n %{libbind9} +%{_libdir}/libbind9.so.%{bind9_sonum}* -%files -n idnkit-devel -%defattr(-,root,root) -%dir %_includedir/bind/ -%_includedir/bind/idn/ -%_libdir/libidn*.so -%_mandir/man3/libidn*.3* +%files -n %{libdns} +%{_libdir}/libdns.so.%{dns_sonum}* -%files -n libbind9-140 -%defattr(-,root,root) -%_libdir/libbind9.so.140* - -%files -n libdns165 -%defattr(-,root,root) -%_libdir/libdns.so.165* - -%files -n libidnkit1 -%defattr(-,root,root) -%_libdir/libidnkit.so.1* - -%files -n libidnkitlite1 -%defattr(-,root,root) -%_libdir/libidnkitlite.so.1* - -%files -n libidnkitres1 -%defattr(-,root,root) -%_libdir/libidnkitres.so.1* - -%files -n libirs141 -%defattr(-,root,root) -%_libdir/libirs.so.141* +%files -n %{libirs} +%{_libdir}/libirs.so.%{irs_sonum}* %files -n libirs-devel -%defattr(-,root,root) -%_libdir/libirs.so +%{_libdir}/libirs.so -%files -n libisc160 -%defattr(-,root,root) -%_libdir/libisc.so.160* +%files -n %{libisc} +%{_libdir}/libisc.so.%{isc_sonum}* -%files -n libisccc140 -%defattr(-,root,root) -%_libdir/libisccc.so.140* +%files -n %{libisccc} 
+%{_libdir}/libisccc.so.%{isccc_sonum}* -%files -n libisccfg140 -%defattr(-,root,root) -%_libdir/libisccfg.so.140* +%files -n %{libisccfg} +%{_libdir}/libisccfg.so.%{isccfg_sonum}* -%files -n liblwres141 -%defattr(-,root,root) -%_libdir/liblwres.so.141* +%files -n %{liblwres} +%{_libdir}/liblwres.so.%{lwres_sonum}* %files chrootenv -%defattr(-,root,root) %attr(-,named,named) %dir %{_var}/lib/named -%dir %{_var}/lib/named/etc -%dir %{_var}/lib/named/etc/named.d +%dir %{_var}/lib/named%{_sysconfdir} +%dir %{_var}/lib/named%{_sysconfdir}/named.d %dir %{_var}/lib/named/dev -%dir %{_var}/lib/named/var -%dir %{_var}/lib/named/var/lib -%dir %{_var}/lib/named/var/run +%dir %{_var}/lib/named%{_localstatedir} +%dir %{_var}/lib/named%{_localstatedir}/lib +%dir %{_var}/lib/named%{_localstatedir}/run %attr(-,named,named) %dir %{_var}/lib/named/log -%ghost %{_var}/lib/named/etc/named.d/rndc.access.conf +%ghost %{_var}/lib/named%{_sysconfdir}/named.d/rndc.access.conf %ghost %{_var}/lib/named/dev/log %attr(0666, root, root) %dev(c, 1, 3) %{_var}/lib/named/dev/null %attr(0666, root, root) %dev(c, 1, 8) %{_var}/lib/named/dev/random -%{_var}/lib/named/var/lib/named -%{_var}/lib/named/var/log -%{_var}/adm/fillup-templates/sysconfig.named-common -%{_var}/adm/fillup-templates/sysconfig.syslog-named +%{_var}/lib/named%{_localstatedir}/lib/named +%{_var}/lib/named%{_localstatedir}/log +%{_fillupdir}/sysconfig.named-common +%{_fillupdir}/sysconfig.syslog-named %files devel -%defattr(-,root,root) %dir %{_includedir}/isc %{_includedir}/isc/errno2result.h %{_bindir}/isc-config.sh 
@@ -971,29 +756,25 @@ fi %{_libdir}/libisc*.so %{_libdir}/liblwres.so %{_includedir}/bind -%exclude %{_includedir}/bind/idn %{_mandir}/man3/lwres*.3* %files doc -f filelist-bind-doc -%defattr(-,root,root) %dir %doc %{_defaultdocdir}/bind %doc %{_datadir}/susehelp %files lwresd -%defattr(-,root,root) %ghost %attr(0644,root,named) %config(noreplace) /%{_sysconfdir}/lwresd.conf -%config /etc/init.d/lwresd +%config %{_initddir}/lwresd %{_sbindir}/rclwresd %{_sbindir}/lwresd -%{_mandir}/man8/lwresd.8.gz +%{_mandir}/man8/lwresd.8%{ext_man} %ghost %{_rundir}/lwresd -%attr(-,named,named) %dir %{_var}/lib/named/var/run/lwresd +%attr(-,named,named) %dir %{_var}/lib/named%{_localstatedir}/run/lwresd %files utils -%defattr(-,root,root) -%dir /etc/named.d -%config(noreplace) /etc/named.d/rndc-access.conf -%config(noreplace) /etc/bind.keys +%dir %{_sysconfdir}/named.d +%config(noreplace) %{_sysconfdir}/named.d/rndc-access.conf +%config(noreplace) %{_sysconfdir}/bind.keys %dir %{_sysconfdir}/openldap %dir %{_sysconfdir}/openldap/schema %attr(0444,root,root) %config %{_sysconfdir}/openldap/schema/dnszone.schema @@ -1001,15 +782,12 @@ fi %{_bindir}/delv %{_bindir}/dig %{_bindir}/host +%{_bindir}/mdig %{_bindir}/nslookup %{_bindir}/nsupdate %{_bindir}/genDDNSkey -%{_sbindir}/arpaname +%{_bindir}/arpaname %{_sbindir}/ddns-confgen -%if 0%{?suse_version} == 0 || 0%{?suse_version} > 1230 -%{_sbindir}/dnssec-checkds -%{_sbindir}/dnssec-coverage -%endif %{_sbindir}/dnssec-dsfromkey %{_sbindir}/dnssec-importkey %{_sbindir}/dnssec-keyfromlabel @@ -1018,6 +796,9 @@ fi %{_sbindir}/dnssec-settime %{_sbindir}/dnssec-signzone %{_sbindir}/dnssec-verify +%{_sbindir}/dnssec-checkds +%{_sbindir}/dnssec-coverage +%{_sbindir}/dnssec-keymgr %{_sbindir}/genrandom %{_sbindir}/isc-hmac-fixup %{_sbindir}/named-journalprint 
@@ -1027,33 +808,37 @@ fi %{_sbindir}/tsig-keygen %dir %doc %{_defaultdocdir}/bind %{_defaultdocdir}/bind/README.%{VENDOR} -%{_mandir}/man1/arpaname.1.gz -%{_mandir}/man1/delv.1.gz -%{_mandir}/man1/dig.1.gz -%{_mandir}/man1/host.1.gz -%{_mandir}/man1/isc-config.sh.1.gz -%{_mandir}/man1/nslookup.1.gz -%{_mandir}/man1/nsupdate.1.gz -%{_mandir}/man5/rndc.conf.5.gz -%{_mandir}/man8/ddns-confgen.8.gz -%if 0%{?suse_version} == 0 || 0%{?suse_version} > 1230 -%{_mandir}/man8/dnssec-checkds.8.gz -%{_mandir}/man8/dnssec-coverage.8.gz -%endif -%{_mandir}/man8/dnssec-dsfromkey.8.gz -%{_mandir}/man8/dnssec-importkey.8.gz -%{_mandir}/man8/dnssec-keyfromlabel.8.gz -%{_mandir}/man8/dnssec-keygen.8.gz -%{_mandir}/man8/dnssec-revoke.8.gz -%{_mandir}/man8/dnssec-settime.8.gz -%{_mandir}/man8/dnssec-signzone.8.gz -%{_mandir}/man8/dnssec-verify.8.gz -%{_mandir}/man8/genrandom.8.gz -%{_mandir}/man8/isc-hmac-fixup.8.gz -%{_mandir}/man8/named-journalprint.8.gz -%{_mandir}/man8/nsec3hash.8.gz -%{_mandir}/man8/rndc.8.gz -%{_mandir}/man8/rndc-confgen.8.gz -%{_mandir}/man8/tsig-keygen.8.gz +%{_mandir}/man1/arpaname.1%{ext_man} +%{_mandir}/man1/delv.1%{ext_man} +%{_mandir}/man1/dig.1%{ext_man} +%{_mandir}/man1/host.1%{ext_man} +%{_mandir}/man1/isc-config.sh.1%{ext_man} +%{_mandir}/man1/mdig.1%{ext_man} +%{_mandir}/man1/nslookup.1%{ext_man} +%{_mandir}/man1/nsupdate.1%{ext_man} +%{_mandir}/man5/rndc.conf.5%{ext_man} +%{_mandir}/man8/ddns-confgen.8%{ext_man} +%{_mandir}/man8/dnssec-dsfromkey.8%{ext_man} +%{_mandir}/man8/dnssec-importkey.8%{ext_man} +%{_mandir}/man8/dnssec-keyfromlabel.8%{ext_man} +%{_mandir}/man8/dnssec-keygen.8%{ext_man} +%{_mandir}/man8/dnssec-revoke.8%{ext_man} +%{_mandir}/man8/dnssec-settime.8%{ext_man} +%{_mandir}/man8/dnssec-signzone.8%{ext_man} +%{_mandir}/man8/dnssec-verify.8%{ext_man} +%{_mandir}/man8/dnssec-checkds.8%{ext_man} +%{_mandir}/man8/dnssec-coverage.8%{ext_man} +%{_mandir}/man8/dnssec-keymgr.8%{ext_man} +%{_mandir}/man8/genrandom.8%{ext_man} 
+%{_mandir}/man8/isc-hmac-fixup.8%{ext_man} +%{_mandir}/man8/named-journalprint.8%{ext_man} +%{_mandir}/man8/nsec3hash.8%{ext_man} +%{_mandir}/man8/rndc.8%{ext_man} +%{_mandir}/man8/rndc-confgen.8%{ext_man} +%{_mandir}/man8/tsig-keygen.8%{ext_man} + +%files -n python3-bind +%{python3_sitelib}/isc +%{python3_sitelib}/isc-*.egg-info %changelog diff --git a/dns_dynamic_db.patch b/dns_dynamic_db.patch deleted file mode 100644 index cd02ab4..0000000 --- a/dns_dynamic_db.patch +++ /dev/null @@ -1,753 +0,0 @@ -# The patch content was originally written by Tomas Hozza: -# From 9b40e9166ee28f2d00424248fe303045e42b1c93 Mon Sep 17 00:00:00 2001 -# From: Tomas Hozza -# Date: Tue, 29 Jul 2014 15:16:10 +0200 -# Subject: [PATCH] Dynamic DB database for BIND 9.10 -# 
Signed-off-by: Tomas Hozza -# -# Based on the original patch, some minor adjustments to line numbers are made by Howard Guo . - -Index: bind-9.10.4-P5/bin/named/main.c -=================================================================== ---- bind-9.10.4-P5.orig/bin/named/main.c -+++ bind-9.10.4-P5/bin/named/main.c -@@ -43,6 +43,7 @@ - #include - - #include -+#include - #include - #include - #include -Index: bind-9.10.4-P5/bin/named/server.c -=================================================================== ---- bind-9.10.4-P5.orig/bin/named/server.c -+++ bind-9.10.4-P5/bin/named/server.c -@@ -68,6 +68,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -1310,6 +1311,72 @@ configure_peer(const cfg_obj_t *cpeer, i - } - - static isc_result_t -+configure_dynamic_db(const cfg_obj_t *dynamic_db, isc_mem_t *mctx, -+ const dns_dyndb_arguments_t *dyndb_args) -+{ -+ isc_result_t result; -+ const cfg_obj_t *obj; -+ const cfg_obj_t *options; -+ const cfg_listelt_t *element; -+ const char *name; -+ const char *libname; -+ const char **argv = NULL; -+ unsigned int i; -+ unsigned int len; -+ -+ /* Get the name of the database. */ -+ obj = cfg_tuple_get(dynamic_db, "name"); -+ name = cfg_obj_asstring(obj); -+ -+ /* Get options. */ -+ options = cfg_tuple_get(dynamic_db, "options"); -+ -+ /* Get library name. */ -+ obj = NULL; -+ CHECK(cfg_map_get(options, "library", &obj)); -+ libname = cfg_obj_asstring(obj); -+ -+ /* Create a list of arguments. */ -+ obj = NULL; -+ result = cfg_map_get(options, "arg", &obj); -+ if (result == ISC_R_NOTFOUND) -+ len = 0; -+ else if (result == ISC_R_SUCCESS) -+ len = cfg_list_length(obj, isc_boolean_false); -+ else -+ goto cleanup; -+ -+ /* Account for the last terminating NULL. 
*/ -+ len++; -+ -+ argv = isc_mem_allocate(mctx, len * sizeof(const char *)); -+ if (argv == NULL) { -+ result = ISC_R_NOMEMORY; -+ goto cleanup; -+ } -+ for (element = cfg_list_first(obj), i = 0; -+ element != NULL; -+ element = cfg_list_next(element), i++) -+ { -+ REQUIRE(i < len); -+ -+ obj = cfg_listelt_value(element); -+ argv[i] = cfg_obj_asstring(obj); -+ } -+ REQUIRE(i < len); -+ argv[i] = NULL; -+ -+ CHECK(dns_dynamic_db_load(libname, name, mctx, argv, dyndb_args)); -+ -+cleanup: -+ if (argv != NULL) -+ isc_mem_free(mctx, argv); -+ -+ return result; -+} -+ -+ -+static isc_result_t - disable_algorithms(const cfg_obj_t *disabled, dns_resolver_t *resolver) { - isc_result_t result; - const cfg_obj_t *algorithms; -@@ -2349,6 +2416,7 @@ configure_view(dns_view_t *view, dns_vie - const cfg_obj_t *dlz; - unsigned int dlzargc; - char **dlzargv; -+ const cfg_obj_t *dynamic_db_list; - const cfg_obj_t *disabled; - const cfg_obj_t *obj; - #ifdef ENABLE_FETCHLIMIT -@@ -2628,6 +2696,8 @@ configure_view(dns_view_t *view, dns_vie - } - } - -+ -+ - /* - * Obtain configuration parameters that affect the decision of whether - * we can reuse/share an existing cache. -@@ -3704,6 +3774,37 @@ configure_view(dns_view_t *view, dns_vie - dns_view_setrootdelonly(view, ISC_FALSE); - - /* -+ * Configure dynamic databases. 
-+ */ -+ dynamic_db_list = NULL; -+ if (voptions != NULL) -+ (void)cfg_map_get(voptions, "dynamic-db", &dynamic_db_list); -+ else -+ (void)cfg_map_get(config, "dynamic-db", &dynamic_db_list); -+ element = cfg_list_first(dynamic_db_list); -+ if (element != NULL) { -+ dns_dyndb_arguments_t *args; -+ -+ args = dns_dyndb_arguments_create(mctx); -+ if (args == NULL) { -+ result = ISC_R_NOMEMORY; -+ goto cleanup; -+ } -+ dns_dyndb_set_view(args, view); -+ dns_dyndb_set_zonemgr(args, ns_g_server->zonemgr); -+ dns_dyndb_set_task(args, ns_g_server->task); -+ dns_dyndb_set_timermgr(args, ns_g_timermgr); -+ while (element != NULL) { -+ obj = cfg_listelt_value(element); -+ CHECK(configure_dynamic_db(obj, mctx, args)); -+ -+ element = cfg_list_next(element); -+ } -+ -+ dns_dyndb_arguments_destroy(mctx, args); -+ } -+ -+ /* - * Setup automatic empty zones. If recursion is off then - * they are disabled by default. - */ -@@ -5457,6 +5558,7 @@ load_configuration(const char *filename, - cfg_aclconfctx_detach(&ns_g_aclconfctx); - CHECK(cfg_aclconfctx_create(ns_g_mctx, &ns_g_aclconfctx)); - -+ dns_dynamic_db_cleanup(ISC_FALSE); - /* - * Parse the global default pseudo-config file. - */ -@@ -6685,6 +6787,8 @@ shutdown_server(isc_task_t *task, isc_ev - dns_view_detach(&view); - } - -+ dns_dynamic_db_cleanup(ISC_TRUE); -+ - while ((nsc = ISC_LIST_HEAD(server->cachelist)) != NULL) { - ISC_LIST_UNLINK(server->cachelist, nsc, link); - dns_cache_detach(&nsc->cache); -Index: bind-9.10.4-P5/lib/dns/dynamic_db.c -=================================================================== ---- /dev/null -+++ bind-9.10.4-P5/lib/dns/dynamic_db.c -@@ -0,0 +1,366 @@ -+/* -+ * Copyright (C) 2008-2011 Red Hat, Inc. -+ * -+ * Permission to use, copy, modify, and/or distribute this software for any -+ * purpose with or without fee is hereby granted, provided that the above -+ * copyright notice and this permission notice appear in all copies. 
-+ * -+ * THE SOFTWARE IS PROVIDED "AS IS" AND Red Hat DISCLAIMS ALL WARRANTIES WITH -+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -+ * AND FITNESS. IN NO EVENT SHALL Red Hat BE LIABLE FOR ANY SPECIAL, DIRECT, -+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -+ * PERFORMANCE OF THIS SOFTWARE. -+ */ -+ -+ -+#include -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#include -+#include -+#include -+#include -+#include -+ -+#include -+ -+#if HAVE_DLFCN_H -+#include -+#endif -+ -+#ifndef DYNDB_LIBDIR -+#define DYNDB_LIBDIR "" -+#endif -+ -+#define CHECK(op) \ -+ do { result = (op); \ -+ if (result != ISC_R_SUCCESS) goto cleanup; \ -+ } while (0) -+ -+ -+typedef isc_result_t (*register_func_t)(isc_mem_t *mctx, const char *name, -+ const char * const *argv, -+ const dns_dyndb_arguments_t *dyndb_args); -+typedef void (*destroy_func_t)(void); -+ -+typedef struct dyndb_implementation dyndb_implementation_t; -+ -+struct dyndb_implementation { -+ isc_mem_t *mctx; -+ void *handle; -+ register_func_t register_function; -+ destroy_func_t destroy_function; -+ LINK(dyndb_implementation_t) link; -+}; -+ -+struct dns_dyndb_arguments { -+ dns_view_t *view; -+ dns_zonemgr_t *zmgr; -+ isc_task_t *task; -+ isc_timermgr_t *timermgr; -+}; -+ -+/* List of implementations. Locked by dyndb_lock. */ -+static LIST(dyndb_implementation_t) dyndb_implementations; -+/* Locks dyndb_implementations. 
*/ -+static isc_mutex_t dyndb_lock; -+static isc_once_t once = ISC_ONCE_INIT; -+ -+static void -+dyndb_initialize(void) { -+ RUNTIME_CHECK(isc_mutex_init(&dyndb_lock) == ISC_R_SUCCESS); -+ INIT_LIST(dyndb_implementations); -+} -+ -+ -+#if HAVE_DLFCN_H -+static isc_result_t -+load_symbol(void *handle, const char *symbol_name, void **symbolp) -+{ -+ const char *errmsg; -+ void *symbol; -+ -+ REQUIRE(handle != NULL); -+ REQUIRE(symbolp != NULL && *symbolp == NULL); -+ -+ symbol = dlsym(handle, symbol_name); -+ if (symbol == NULL) { -+ errmsg = dlerror(); -+ if (errmsg == NULL) -+ errmsg = "returned function pointer is NULL"; -+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, -+ DNS_LOGMODULE_DYNDB, ISC_LOG_ERROR, -+ "failed to lookup symbol %s: %s", -+ symbol_name, errmsg); -+ return ISC_R_FAILURE; -+ } -+ dlerror(); -+ -+ *symbolp = symbol; -+ -+ return ISC_R_SUCCESS; -+} -+ -+static isc_result_t -+load_library(isc_mem_t *mctx, const char *filename, dyndb_implementation_t **impp) -+{ -+ isc_result_t result; -+ size_t module_size; -+ isc_buffer_t *module_buf = NULL; -+ isc_region_t module_region; -+ void *handle = NULL; -+ dyndb_implementation_t *imp; -+ register_func_t register_function = NULL; -+ destroy_func_t destroy_function = NULL; -+ -+ REQUIRE(impp != NULL && *impp == NULL); -+ -+ /* Build up the full path. 
*/ -+ module_size = strlen(DYNDB_LIBDIR) + strlen(filename) + 1; -+ CHECK(isc_buffer_allocate(mctx, &module_buf, module_size)); -+ isc_buffer_putstr(module_buf, DYNDB_LIBDIR); -+ isc_buffer_putstr(module_buf, filename); -+ isc_buffer_putuint8(module_buf, 0); -+ isc_buffer_region(module_buf, &module_region); -+ -+ handle = dlopen((char *)module_region.base, RTLD_LAZY); -+ if (handle == NULL) { -+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, -+ DNS_LOGMODULE_DYNDB, ISC_LOG_ERROR, -+ "failed to dynamically load driver '%s': %s", -+ filename, dlerror()); -+ result = ISC_R_FAILURE; -+ goto cleanup; -+ } -+ dlerror(); -+ -+ CHECK(load_symbol(handle, "dynamic_driver_init", -+ (void **)®ister_function)); -+ CHECK(load_symbol(handle, "dynamic_driver_destroy", -+ (void **)&destroy_function)); -+ -+ imp = isc_mem_get(mctx, sizeof(dyndb_implementation_t)); -+ if (imp == NULL) { -+ result = ISC_R_NOMEMORY; -+ goto cleanup; -+ } -+ -+ imp->mctx = NULL; -+ isc_mem_attach(mctx, &imp->mctx); -+ imp->handle = handle; -+ imp->register_function = register_function; -+ imp->destroy_function = destroy_function; -+ INIT_LINK(imp, link); -+ -+ *impp = imp; -+ -+cleanup: -+ if (result != ISC_R_SUCCESS && handle != NULL) -+ dlclose(handle); -+ if (module_buf != NULL) -+ isc_buffer_free(&module_buf); -+ -+ return result; -+} -+ -+static void -+unload_library(dyndb_implementation_t **impp) -+{ -+ dyndb_implementation_t *imp; -+ -+ REQUIRE(impp != NULL && *impp != NULL); -+ -+ imp = *impp; -+ -+ isc_mem_putanddetach(&imp->mctx, imp, sizeof(dyndb_implementation_t)); -+ -+ *impp = NULL; -+} -+ -+#else /* HAVE_DLFCN_H */ -+static isc_result_t -+load_library(isc_mem_t *mctx, const char *filename, dyndb_implementation_t **impp) -+{ -+ UNUSED(mctx); -+ UNUSED(filename); -+ UNUSED(impp); -+ -+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_DYNDB, -+ ISC_LOG_ERROR, -+ "dynamic database support is not implemented") -+ -+ return ISC_R_NOTIMPLEMENTED; -+} -+ -+static void 
-+unload_library(dyndb_implementation_t **impp) -+{ -+ dyndb_implementation_t *imp; -+ -+ REQUIRE(impp != NULL && *impp != NULL); -+ -+ imp = *impp; -+ -+ isc_mem_putanddetach(&imp->mctx, imp, sizeof(dyndb_implementation_t)); -+ -+ *impp = NULL; -+} -+#endif /* HAVE_DLFCN_H */ -+ -+isc_result_t -+dns_dynamic_db_load(const char *libname, const char *name, isc_mem_t *mctx, -+ const char * const *argv, -+ const dns_dyndb_arguments_t *dyndb_args) -+{ -+ isc_result_t result; -+ dyndb_implementation_t *implementation = NULL; -+ -+ RUNTIME_CHECK(isc_once_do(&once, dyndb_initialize) == ISC_R_SUCCESS); -+ -+ CHECK(load_library(mctx, libname, &implementation)); -+ CHECK(implementation->register_function(mctx, name, argv, dyndb_args)); -+ -+ LOCK(&dyndb_lock); -+ APPEND(dyndb_implementations, implementation, link); -+ UNLOCK(&dyndb_lock); -+ -+ return ISC_R_SUCCESS; -+ -+cleanup: -+ if (implementation != NULL) -+ unload_library(&implementation); -+ -+ return result; -+} -+ -+void -+dns_dynamic_db_cleanup(isc_boolean_t exiting) -+{ -+ dyndb_implementation_t *elem; -+ dyndb_implementation_t *prev; -+ -+ RUNTIME_CHECK(isc_once_do(&once, dyndb_initialize) == ISC_R_SUCCESS); -+ -+ LOCK(&dyndb_lock); -+ elem = TAIL(dyndb_implementations); -+ while (elem != NULL) { -+ prev = PREV(elem, link); -+ UNLINK(dyndb_implementations, elem, link); -+ elem->destroy_function(); -+ unload_library(&elem); -+ elem = prev; -+ } -+ UNLOCK(&dyndb_lock); -+ -+ if (exiting == ISC_TRUE) -+ isc_mutex_destroy(&dyndb_lock); -+} -+ -+dns_dyndb_arguments_t * -+dns_dyndb_arguments_create(isc_mem_t *mctx) -+{ -+ dns_dyndb_arguments_t *args; -+ -+ args = isc_mem_get(mctx, sizeof(*args)); -+ if (args != NULL) -+ memset(args, 0, sizeof(*args)); -+ -+ return args; -+} -+ -+void -+dns_dyndb_arguments_destroy(isc_mem_t *mctx, dns_dyndb_arguments_t *args) -+{ -+ REQUIRE(args != NULL); -+ -+ dns_dyndb_set_view(args, NULL); -+ dns_dyndb_set_zonemgr(args, NULL); -+ dns_dyndb_set_task(args, NULL); -+ 
dns_dyndb_set_timermgr(args, NULL); -+ -+ isc_mem_put(mctx, args, sizeof(*args)); -+} -+ -+void -+dns_dyndb_set_view(dns_dyndb_arguments_t *args, dns_view_t *view) -+{ -+ REQUIRE(args != NULL); -+ -+ if (args->view != NULL) -+ dns_view_detach(&args->view); -+ if (view != NULL) -+ dns_view_attach(view, &args->view); -+} -+ -+dns_view_t * -+dns_dyndb_get_view(dns_dyndb_arguments_t *args) -+{ -+ REQUIRE(args != NULL); -+ -+ return args->view; -+} -+ -+void -+dns_dyndb_set_zonemgr(dns_dyndb_arguments_t *args, dns_zonemgr_t *zmgr) -+{ -+ REQUIRE(args != NULL); -+ -+ if (args->zmgr != NULL) -+ dns_zonemgr_detach(&args->zmgr); -+ if (zmgr != NULL) -+ dns_zonemgr_attach(zmgr, &args->zmgr); -+} -+ -+dns_zonemgr_t * -+dns_dyndb_get_zonemgr(dns_dyndb_arguments_t *args) -+{ -+ REQUIRE(args != NULL); -+ -+ return args->zmgr; -+} -+ -+void -+dns_dyndb_set_task(dns_dyndb_arguments_t *args, isc_task_t *task) -+{ -+ REQUIRE(args != NULL); -+ -+ if (args->task != NULL) -+ isc_task_detach(&args->task); -+ if (task != NULL) -+ isc_task_attach(task, &args->task); -+} -+ -+isc_task_t * -+dns_dyndb_get_task(dns_dyndb_arguments_t *args) -+{ -+ REQUIRE(args != NULL); -+ -+ return args->task; -+} -+ -+void -+dns_dyndb_set_timermgr(dns_dyndb_arguments_t *args, isc_timermgr_t *timermgr) -+{ -+ REQUIRE(args != NULL); -+ -+ args->timermgr = timermgr; -+} -+ -+isc_timermgr_t * -+dns_dyndb_get_timermgr(dns_dyndb_arguments_t *args) -+{ -+ REQUIRE(args != NULL); -+ -+ return args->timermgr; -+} -Index: bind-9.10.4-P5/lib/dns/include/dns/dynamic_db.h -=================================================================== ---- /dev/null -+++ bind-9.10.4-P5/lib/dns/include/dns/dynamic_db.h -@@ -0,0 +1,50 @@ -+/* -+ * Copyright (C) 2008-2011 Red Hat, Inc. -+ * -+ * Permission to use, copy, modify, and/or distribute this software for any -+ * purpose with or without fee is hereby granted, provided that the above -+ * copyright notice and this permission notice appear in all copies. 
-+ * -+ * THE SOFTWARE IS PROVIDED "AS IS" AND Red Hat DISCLAIMS ALL WARRANTIES WITH -+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -+ * AND FITNESS. IN NO EVENT SHALL Red Hat BE LIABLE FOR ANY SPECIAL, DIRECT, -+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -+ * PERFORMANCE OF THIS SOFTWARE. -+ */ -+ -+ -+#ifndef DYNAMIC_DB_H -+#define DYNAMIC_DB_H -+ -+#include -+ -+#include -+ -+/* -+ * TODO: -+ * Reformat the prototypes. -+ * Add annotated comments. -+ */ -+ -+isc_result_t dns_dynamic_db_load(const char *libname, const char *name, -+ isc_mem_t *mctx, const char * const *argv, -+ const dns_dyndb_arguments_t *dyndb_args); -+ -+void dns_dynamic_db_cleanup(isc_boolean_t exiting); -+ -+dns_dyndb_arguments_t *dns_dyndb_arguments_create(isc_mem_t *mctx); -+void dns_dyndb_arguments_destroy(isc_mem_t *mctx, dns_dyndb_arguments_t *args); -+ -+void dns_dyndb_set_view(dns_dyndb_arguments_t *args, dns_view_t *view); -+dns_view_t *dns_dyndb_get_view(dns_dyndb_arguments_t *args); -+void dns_dyndb_set_zonemgr(dns_dyndb_arguments_t *args, dns_zonemgr_t *zmgr); -+dns_zonemgr_t *dns_dyndb_get_zonemgr(dns_dyndb_arguments_t *args); -+void dns_dyndb_set_task(dns_dyndb_arguments_t *args, isc_task_t *task); -+isc_task_t *dns_dyndb_get_task(dns_dyndb_arguments_t *args); -+void dns_dyndb_set_timermgr(dns_dyndb_arguments_t *args, -+ isc_timermgr_t *timermgr); -+isc_timermgr_t *dns_dyndb_get_timermgr(dns_dyndb_arguments_t *args); -+ -+#endif -Index: bind-9.10.4-P5/lib/dns/include/dns/log.h -=================================================================== ---- bind-9.10.4-P5.orig/lib/dns/include/dns/log.h -+++ bind-9.10.4-P5/lib/dns/include/dns/log.h -@@ -78,6 +78,7 @@ LIBDNS_EXTERNAL_DATA extern isc_logmodul - #define DNS_LOGMODULE_DNSSEC (&dns_modules[27]) - 
#define DNS_LOGMODULE_CRYPTO (&dns_modules[28]) - #define DNS_LOGMODULE_PACKETS (&dns_modules[29]) -+#define DNS_LOGMODULE_DYNDB (&dns_modules[30]) - - ISC_LANG_BEGINDECLS - -Index: bind-9.10.4-P5/lib/dns/include/dns/Makefile.in -=================================================================== ---- bind-9.10.4-P5.orig/lib/dns/include/dns/Makefile.in -+++ bind-9.10.4-P5/lib/dns/include/dns/Makefile.in -@@ -23,7 +23,7 @@ VERSION=@BIND9_VERSION@ - - HEADERS = acache.h acl.h adb.h bit.h byaddr.h cache.h callbacks.h cert.h \ - client.h clientinfo.h compress.h \ -- db.h dbiterator.h dbtable.h diff.h dispatch.h \ -+ db.h dbiterator.h dbtable.h diff.h dispatch.h dynamic_db.h \ - dlz.h dlz_dlopen.h dns64.h dnssec.h ds.h dsdigest.h \ - ecdb.h events.h fixedname.h forward.h geoip.h iptable.h \ - journal.h keydata.h keyflags.h keytable.h keyvalues.h \ -Index: bind-9.10.4-P5/lib/dns/include/dns/types.h -=================================================================== ---- bind-9.10.4-P5.orig/lib/dns/include/dns/types.h -+++ bind-9.10.4-P5/lib/dns/include/dns/types.h -@@ -140,6 +140,7 @@ typedef struct dns_zone dns_zone_t; - typedef ISC_LIST(dns_zone_t) dns_zonelist_t; - typedef struct dns_zonemgr dns_zonemgr_t; - typedef struct dns_zt dns_zt_t; -+typedef struct dns_dyndb_arguments dns_dyndb_arguments_t; - - /* - * If we are not using GSSAPI, define the types we use as opaque types here. 
-Index: bind-9.10.4-P5/lib/dns/log.c -=================================================================== ---- bind-9.10.4-P5.orig/lib/dns/log.c -+++ bind-9.10.4-P5/lib/dns/log.c -@@ -84,6 +84,7 @@ LIBDNS_EXTERNAL_DATA isc_logmodule_t dns - { "dns/dnssec", 0 }, - { "dns/crypto", 0 }, - { "dns/packets", 0 }, -+ { "dns/dynamic_db", 0 }, - { NULL, 0 } - }; - -Index: bind-9.10.4-P5/lib/dns/Makefile.in -=================================================================== ---- bind-9.10.4-P5.orig/lib/dns/Makefile.in -+++ bind-9.10.4-P5/lib/dns/Makefile.in -@@ -65,7 +65,7 @@ GEOIPLINKOBJS = geoip.@O@ - DNSOBJS = acache.@O@ acl.@O@ adb.@O@ byaddr.@O@ \ - cache.@O@ callbacks.@O@ clientinfo.@O@ compress.@O@ \ - db.@O@ dbiterator.@O@ dbtable.@O@ diff.@O@ dispatch.@O@ \ -- dlz.@O@ dns64.@O@ dnssec.@O@ ds.@O@ forward.@O@ \ -+ dlz.@O@ dns64.@O@ dnssec.@O@ ds.@O@ dynamic_db.@O@ forward.@O@ \ - iptable.@O@ journal.@O@ keydata.@O@ keytable.@O@ \ - lib.@O@ log.@O@ lookup.@O@ \ - master.@O@ masterdump.@O@ message.@O@ \ -@@ -103,7 +103,7 @@ GEOIOLINKSRCS = geoip.c - DNSSRCS = acache.c acl.c adb.c byaddr.c \ - cache.c callbacks.c clientinfo.c compress.c \ - db.c dbiterator.c dbtable.c diff.c dispatch.c \ -- dlz.c dns64.c dnssec.c ds.c forward.c \ -+ dlz.c dns64.c dnssec.c ds.c dynamic_db.c forward.c \ - iptable.c journal.c keydata.c keytable.c lib.c log.c \ - lookup.c master.c masterdump.c message.c \ - name.c ncache.c nsec.c nsec3.c order.c peer.c portlist.c \ -@@ -138,6 +138,11 @@ version.@O@: version.c - -DLIBAGE=${LIBAGE} \ - -c ${srcdir}/version.c - -+dynamic_db.@O@: dynamic_db.c -+ ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \ -+ -DDYNDB_LIBDIR=\"/usr/lib/bind/\" \ -+ -c ${srcdir}/dynamic_db.c -+ - libdns.@SA@: ${OBJS} - ${AR} ${ARFLAGS} $@ ${OBJS} - ${RANLIB} $@ -Index: bind-9.10.4-P5/lib/isccfg/namedconf.c -=================================================================== ---- bind-9.10.4-P5.orig/lib/isccfg/namedconf.c -+++ bind-9.10.4-P5/lib/isccfg/namedconf.c -@@ -666,6 
+666,40 @@ static cfg_type_t cfg_type_transferforma - &transferformat_enums - }; - -+/* -+ * Dynamic database clauses. -+ */ -+ -+static cfg_clausedef_t -+dynamic_db_clauses[] = { -+ { "library", &cfg_type_qstring, 0 }, -+ { "arg", &cfg_type_qstring, CFG_CLAUSEFLAG_MULTI }, -+ { NULL, NULL, 0 } -+}; -+ -+static cfg_clausedef_t * -+dynamic_db_clausesets[] = { -+ dynamic_db_clauses, -+ NULL -+}; -+ -+static cfg_type_t cfg_type_dynamic_db_opts = { -+ "dynamically_loadable_zones_opts", cfg_parse_map, -+ cfg_print_map, cfg_doc_map, &cfg_rep_map, -+ dynamic_db_clausesets -+}; -+ -+static cfg_tuplefielddef_t dynamic_db_fields[] = { -+ { "name", &cfg_type_astring, 0 }, -+ { "options", &cfg_type_dynamic_db_opts, 0 }, -+ { NULL, NULL, 0 } -+}; -+ -+static cfg_type_t cfg_type_dynamic_db = { -+ "dynamic_db", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, -+ &cfg_rep_tuple, dynamic_db_fields -+}; -+ - /*% - * The special keyword "none", as used in the pid-file option. - */ -@@ -969,6 +1003,7 @@ namedconf_or_view_clauses[] = { - { "key", &cfg_type_key, CFG_CLAUSEFLAG_MULTI }, - { "zone", &cfg_type_zone, CFG_CLAUSEFLAG_MULTI }, - { "dlz", &cfg_type_dlz, CFG_CLAUSEFLAG_MULTI }, -+ { "dynamic-db", &cfg_type_dynamic_db, CFG_CLAUSEFLAG_MULTI }, - { "server", &cfg_type_server, CFG_CLAUSEFLAG_MULTI }, - { "trusted-keys", &cfg_type_dnsseckeys, CFG_CLAUSEFLAG_MULTI }, - { "managed-keys", &cfg_type_managedkeys, CFG_CLAUSEFLAG_MULTI }, -@@ -2230,6 +2265,7 @@ static cfg_type_t cfg_type_dialuptype = - &cfg_rep_string, dialup_enums - }; - -+ - static const char *notify_enums[] = { "explicit", "master-only", NULL }; - static isc_result_t - parse_notify_type(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) { -@@ -3335,3 +3371,4 @@ static cfg_type_t cfg_type_maxttl = { - "maxttl_no_default", parse_maxttl, cfg_print_ustring, doc_maxttl, - &cfg_rep_string, maxttl_enums - }; -+ 
diff --git a/idnkit-powerpc-ltconfig.patch b/idnkit-powerpc-ltconfig.patch deleted file mode 100644 index f825929..0000000 --- a/idnkit-powerpc-ltconfig.patch +++ /dev/null @@ -1,12 +0,0 @@ -Index: bind-9.10.1-P1/contrib/idn/idnkit-1.0-src/ltconfig -=================================================================== ---- bind-9.10.1-P1.orig/contrib/idn/idnkit-1.0-src/ltconfig -+++ bind-9.10.1-P1/contrib/idn/idnkit-1.0-src/ltconfig -@@ -1999,7 +1999,6 @@ linux-gnu*) - else - # Only the GNU ld.so supports shared libraries on MkLinux. - case "$host_cpu" in -- powerpc*) dynamic_linker=no ;; - *) dynamic_linker='Linux ld.so' ;; - esac - fi diff --git a/named-bootconf.diff b/named-bootconf.diff index fbb2ad9..45d6a76 100644 --- a/named-bootconf.diff +++ b/named-bootconf.diff @@ -1,8 +1,8 @@ -Index: contrib/named-bootconf/named-bootconf.sh +Index: contrib/scripts/named-bootconf.sh =================================================================== ---- contrib/scripts/named-bootconf.sh.orig -+++ contrib/scripts/named-bootconf.sh -@@ -47,7 +47,8 @@ +--- contrib/scripts/named-bootconf.sh.orig 2017-08-15 13:08:41.636256254 +0200 ++++ contrib/scripts/named-bootconf.sh 2017-08-15 13:08:42.516270950 +0200 +@@ -38,7 +38,8 @@ # POSSIBILITY OF SUCH DAMAGE. if [ ${OPTIONFILE-X} = X ]; then @@ -12,7 +12,7 @@ Index: contrib/named-bootconf/named-bootconf.sh ( umask 077 ; mkdir $WORKDIR ) || { echo "unable to create work directory '$WORKDIR'" >&2 exit 1 -@@ -301,7 +302,7 @@ if [ $DUMP -eq 1 ]; then +@@ -292,7 +293,7 @@ if [ $DUMP -eq 1 ]; then cat $ZONEFILE $COMMENTFILE rm -f $OPTIONFILE $ZONEFILE $COMMENTFILE diff --git a/named.root b/named.root index 6603cf7..6996882 100644 --- a/named.root +++ b/named.root 
@@ -1,92 +1,92 @@ -; This file holds the information on root name servers needed to +; This file holds the information on root name servers needed to ; initialize cache of Internet domain name servers ; (e.g. reference this file in the "cache . " -; configuration file of BIND domain name servers). -; +; configuration file of BIND domain name servers). +; ; This file is made available by InterNIC ; under anonymous FTP as -; file /domain/named.cache +; file /domain/named.cache ; on server FTP.INTERNIC.NET ; -OR- RS.INTERNIC.NET -; -; last update: June 01, 2017 -; related version of root zone: 2017060102 -; -; formerly NS.INTERNIC.NET +; +; last update: July 26, 2017 +; related version of root zone: 2017072601 +; +; FORMERLY NS.INTERNIC.NET ; . 3600000 NS A.ROOT-SERVERS.NET. A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4 A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:ba3e::2:30 -; -; FORMERLY NS1.ISI.EDU +; +; FORMERLY NS1.ISI.EDU ; . 3600000 NS B.ROOT-SERVERS.NET. B.ROOT-SERVERS.NET. 3600000 A 192.228.79.201 B.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:200::b -; -; FORMERLY C.PSI.NET +; +; FORMERLY C.PSI.NET ; . 3600000 NS C.ROOT-SERVERS.NET. C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12 C.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2::c -; -; FORMERLY TERP.UMD.EDU +; +; FORMERLY TERP.UMD.EDU ; . 3600000 NS D.ROOT-SERVERS.NET. D.ROOT-SERVERS.NET. 3600000 A 199.7.91.13 D.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2d::d -; +; ; FORMERLY NS.NASA.GOV ; . 3600000 NS E.ROOT-SERVERS.NET. E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10 E.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:a8::e -; +; ; FORMERLY NS.ISC.ORG ; . 3600000 NS F.ROOT-SERVERS.NET. F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241 F.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2f::f -; +; ; FORMERLY NS.NIC.DDN.MIL ; . 3600000 NS G.ROOT-SERVERS.NET. G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4 G.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:12::d0d -; +; ; FORMERLY AOS.ARL.ARMY.MIL ; . 3600000 NS H.ROOT-SERVERS.NET. H.ROOT-SERVERS.NET. 
3600000 A 198.97.190.53 H.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:1::53 -; +; ; FORMERLY NIC.NORDU.NET ; . 3600000 NS I.ROOT-SERVERS.NET. I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17 I.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fe::53 -; +; ; OPERATED BY VERISIGN, INC. ; . 3600000 NS J.ROOT-SERVERS.NET. J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30 J.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:c27::2:30 -; +; ; OPERATED BY RIPE NCC ; . 3600000 NS K.ROOT-SERVERS.NET. K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129 K.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fd::1 -; +; ; OPERATED BY ICANN ; . 3600000 NS L.ROOT-SERVERS.NET. L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42 L.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:9f::42 -; +; ; OPERATED BY WIDE ; . 3600000 NS M.ROOT-SERVERS.NET. M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33 M.ROOT-SERVERS.NET. 3600000 AAAA 2001:dc3::35 -; End of file +; End of file \ No newline at end of file diff --git a/perl-path.diff b/perl-path.diff index d9fc1c4..e273760 100644 --- a/perl-path.diff +++ b/perl-path.diff @@ -1,17 +1,17 @@ Index: bin/tests/t_api.pl =================================================================== ---- bin/tests/t_api.pl.orig -+++ bin/tests/t_api.pl +--- bin/tests/t_api.pl.orig 2017-07-24 07:36:50.000000000 +0200 ++++ bin/tests/t_api.pl 2017-08-15 10:29:56.969817140 +0200 
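Review bot: The only substantive changes in this hunk are the `last update: July 26, 2017` / `related version of root zone: 2017072601` lines and the case change to `FORMERLY NS.INTERNIC.NET`; the visible text of the remaining `-`/`+` pairs is identical, so they presumably differ only in trailing whitespace, and the new copy ends without a final newline (`\ No newline at end of file`). That whitespace drift suggests the file was not taken byte-for-byte from the InterNIC source named in its own header, which makes a genuine record change harder to spot in the next refresh. Fetch it verbatim from that source, keep the trailing newline, and compare the result against the upstream copy's published checksum or signature before committing, since these hints are the resolver's starting point for reaching the root servers.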
@@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/perl # - # Copyright (C) 2004, 2007, 2012 Internet Systems Consortium, Inc. ("ISC") - # Copyright (C) 1999-2001 Internet Software Consortium. + # Copyright (C) 1999-2001, 2004, 2007, 2012, 2016 Internet Systems Consortium, Inc. ("ISC") + # Index: contrib/idn/idnkit-1.0-src/util/generate_nameprep_data.pl =================================================================== ---- contrib/idn/idnkit-1.0-src/util/generate_nameprep_data.pl.orig -+++ contrib/idn/idnkit-1.0-src/util/generate_nameprep_data.pl +--- contrib/idn/idnkit-1.0-src/util/generate_nameprep_data.pl.orig 2017-07-24 07:36:50.000000000 +0200 ++++ contrib/idn/idnkit-1.0-src/util/generate_nameprep_data.pl 2017-08-15 10:29:56.969817140 +0200 @@ -1,4 +1,4 @@ -#! /usr/local/bin/perl -w +#! /usr/bin/perl -w @@ -20,8 +20,8 @@ Index: contrib/idn/idnkit-1.0-src/util/generate_nameprep_data.pl # Copyright (c) 2001 Japan Network Information Center. All rights reserved. Index: contrib/idn/idnkit-1.0-src/util/generate_normalize_data.pl =================================================================== ---- contrib/idn/idnkit-1.0-src/util/generate_normalize_data.pl.orig -+++ contrib/idn/idnkit-1.0-src/util/generate_normalize_data.pl +--- contrib/idn/idnkit-1.0-src/util/generate_normalize_data.pl.orig 2017-07-24 07:36:50.000000000 +0200 ++++ contrib/idn/idnkit-1.0-src/util/generate_normalize_data.pl 2017-08-15 10:29:56.969817140 +0200 @@ -1,4 +1,4 @@ -#! /usr/local/bin/perl -w +#! /usr/bin/perl -w diff --git a/pie_compile.diff b/pie_compile.diff index cab48e1..a65ae7b 100644 --- a/pie_compile.diff +++ b/pie_compile.diff 
@@ -1,8 +1,8 @@ Index: bin/check/Makefile.in =================================================================== ---- bin/check/Makefile.in.orig 2013-07-17 00:13:06.000000000 +0200 -+++ bin/check/Makefile.in 2013-08-06 12:08:19.492457714 +0200 -@@ -57,8 +57,12 @@ +--- bin/check/Makefile.in.orig ++++ bin/check/Makefile.in +@@ -48,8 +48,12 @@ HTMLPAGES = named-checkconf.html named-c MANOBJS = ${MANPAGES} ${HTMLPAGES} @@ -17,9 +17,9 @@ Index: bin/check/Makefile.in -DVERSION=\"${VERSION}\" \ Index: bin/confgen/Makefile.in =================================================================== ---- bin/confgen/Makefile.in.orig 2013-07-17 00:13:06.000000000 +0200 -+++ bin/confgen/Makefile.in 2013-08-06 12:08:19.492457714 +0200 -@@ -64,8 +64,12 @@ +--- bin/confgen/Makefile.in.orig ++++ bin/confgen/Makefile.in +@@ -56,8 +56,12 @@ MANOBJS = ${MANPAGES} ${HTMLPAGES} UOBJS = unix/os.@O@ @@ -34,9 +34,9 @@ Index: bin/confgen/Makefile.in -DRNDC_KEYFILE=\"${sysconfdir}/rndc.key\" \ Index: bin/confgen/unix/Makefile.in =================================================================== ---- bin/confgen/unix/Makefile.in.orig 2013-07-17 00:13:06.000000000 +0200 -+++ bin/confgen/unix/Makefile.in 2013-08-06 12:08:19.492457714 +0200 -@@ -32,4 +32,8 @@ +--- bin/confgen/unix/Makefile.in.orig ++++ bin/confgen/unix/Makefile.in +@@ -24,4 +24,8 @@ SRCS = os.c TARGETS = ${OBJS} @@ -47,11 +47,11 @@ Index: bin/confgen/unix/Makefile.in +LDFLAGS += -pie Index: bin/dig/Makefile.in =================================================================== ---- bin/dig/Makefile.in.orig 2013-07-17 00:13:06.000000000 +0200 -+++ bin/dig/Makefile.in 2013-08-06 12:08:19.492457714 +0200 -@@ -69,8 +69,12 @@ HTMLPAGES = dig.html host.html nslookup. +--- bin/dig/Makefile.in.orig ++++ bin/dig/Makefile.in +@@ -61,8 +61,12 @@ MANOBJS = ${MANPAGES} ${HTMLPAGES} - MANOBJS = ${MANPAGES} ${HTMLPAGES} + EXT_CFLAGS = -DWITH_LIBIDN +EXT_CFLAGS = -fPIE -static + 
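Review bot: In the refreshed bin/dig/Makefile.in hunk the added `EXT_CFLAGS = -fPIE -static` now follows the new context line `EXT_CFLAGS = -DWITH_LIBIDN`, and a second plain `=` assignment replaces the earlier value, so `-DWITH_LIBIDN` (presumably the IDN build switch for dig, host and nslookup) is silently dropped unless a later part of the patch restores it. As far as the hunks visible here show, the other patched Makefile.in files introduce EXT_CFLAGS fresh, so the overwrite only bites where the variable already exists, as it does in dig. Append there instead: `EXT_CFLAGS += -fPIE -static`. The rest of that inner hunk continues in the following outer hunk (`@@ -64,9 +64,9 @@`).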
@@ -64,9 +64,9 @@ Index: bin/dig/Makefile.in export LIBS0="${DNSLIBS}"; \ Index: bin/dnssec/Makefile.in =================================================================== ---- bin/dnssec/Makefile.in.orig 2013-07-17 00:13:06.000000000 +0200 -+++ bin/dnssec/Makefile.in 2013-08-06 12:08:19.493457729 +0200 -@@ -65,8 +65,12 @@ +--- bin/dnssec/Makefile.in.orig ++++ bin/dnssec/Makefile.in +@@ -56,8 +56,12 @@ HTMLPAGES = dnssec-dsfromkey.html dnssec MANOBJS = ${MANPAGES} ${HTMLPAGES} @@ -81,10 +81,10 @@ Index: bin/dnssec/Makefile.in ${FINALBUILDCMD} Index: bin/Makefile.in =================================================================== ---- bin/Makefile.in.orig 2013-07-17 00:13:06.000000000 +0200 -+++ bin/Makefile.in 2013-08-06 12:08:19.493457729 +0200 -@@ -23,4 +23,8 @@ - check confgen @PYTHON_TOOLS@ @PKCS11_TOOLS@ +--- bin/Makefile.in.orig ++++ bin/Makefile.in +@@ -14,4 +14,8 @@ SUBDIRS = named rndc dig delv dnssec too + check confgen @NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ TARGETS = +EXT_CFLAGS = -fPIE -static @@ -94,9 +94,9 @@ Index: bin/Makefile.in +LDFLAGS += -pie Index: bin/named/Makefile.in =================================================================== ---- bin/named/Makefile.in.orig 2013-08-06 12:08:17.653432490 +0200 -+++ bin/named/Makefile.in 2013-08-06 12:08:19.493457729 +0200 -@@ -119,8 +119,12 @@ +--- bin/named/Makefile.in.orig ++++ bin/named/Makefile.in +@@ -108,8 +108,12 @@ HTMLPAGES = named.html lwresd.html named MANOBJS = ${MANPAGES} ${HTMLPAGES} @@ -111,9 +111,9 @@ Index: bin/named/Makefile.in -DVERSION=\"${VERSION}\" \ Index: bin/named/unix/Makefile.in =================================================================== ---- bin/named/unix/Makefile.in.orig 2013-07-17 00:13:06.000000000 +0200 -+++ bin/named/unix/Makefile.in 2013-08-06 12:08:19.493457729 +0200 -@@ -34,4 +34,6 @@ +--- bin/named/unix/Makefile.in.orig ++++ bin/named/unix/Makefile.in +@@ -25,4 +25,6 @@ SRCS = os.c dlz_dlopen_driver.c TARGETS = ${OBJS} 
@@ -122,9 +122,9 @@ Index: bin/named/unix/Makefile.in @BIND9_MAKE_RULES@ Index: bin/nsupdate/Makefile.in =================================================================== ---- bin/nsupdate/Makefile.in.orig 2013-07-17 00:13:06.000000000 +0200 -+++ bin/nsupdate/Makefile.in 2013-08-06 12:08:19.493457729 +0200 -@@ -68,8 +68,12 @@ +--- bin/nsupdate/Makefile.in.orig ++++ bin/nsupdate/Makefile.in +@@ -60,8 +60,12 @@ HTMLPAGES = nsupdate.html MANOBJS = ${MANPAGES} ${HTMLPAGES} @@ -139,9 +139,9 @@ Index: bin/nsupdate/Makefile.in -DSESSION_KEYFILE=\"${localstatedir}/run/named/session.key\" \ Index: bin/rndc/Makefile.in =================================================================== ---- bin/rndc/Makefile.in.orig 2013-07-17 00:13:06.000000000 +0200 -+++ bin/rndc/Makefile.in 2013-08-06 12:08:19.493457729 +0200 -@@ -59,8 +59,12 @@ +--- bin/rndc/Makefile.in.orig ++++ bin/rndc/Makefile.in +@@ -50,8 +50,12 @@ HTMLPAGES = rndc.html rndc.conf.html MANOBJS = ${MANPAGES} ${HTMLPAGES} @@ -156,10 +156,10 @@ Index: bin/rndc/Makefile.in -DVERSION=\"${VERSION}\" \ Index: bin/tools/Makefile.in =================================================================== ---- bin/tools/Makefile.in.orig 2013-07-17 00:13:06.000000000 +0200 -+++ bin/tools/Makefile.in 2013-08-06 12:08:19.493457729 +0200 -@@ -54,8 +54,12 @@ HTMLPAGES = arpaname.html named-journalp - nsec3hash.html genrandom.html isc-hmac-fixup.html +--- bin/tools/Makefile.in.orig ++++ bin/tools/Makefile.in +@@ -60,8 +60,12 @@ HTMLPAGES = arpaname.html dnstap-read.ht + MANOBJS = ${MANPAGES} ${HTMLPAGES} +EXT_CFLAGS = -fPIE -static 
@@ -173,9 +173,9 @@ Index: bin/tools/Makefile.in -o $@ arpaname.@O@ ${ISCLIBS} ${LIBS} Index: contrib/idn/idnkit-1.0-src/tools/idnconv/Makefile.in =================================================================== ---- contrib/idn/idnkit-1.0-src/tools/idnconv/Makefile.in.orig 2013-07-17 00:13:06.000000000 +0200 -+++ contrib/idn/idnkit-1.0-src/tools/idnconv/Makefile.in 2013-08-06 12:08:19.493457729 +0200 -@@ -68,8 +68,8 @@ +--- contrib/idn/idnkit-1.0-src/tools/idnconv/Makefile.in.orig ++++ contrib/idn/idnkit-1.0-src/tools/idnconv/Makefile.in +@@ -68,8 +68,8 @@ IDNLIB = ../../lib/libidnkit.la INCS = -I$(srcdir) -I$(srcdir)/../../include -I../../include $(ICONVINC) DEFS = @@ -186,11 +186,11 @@ Index: contrib/idn/idnkit-1.0-src/tools/idnconv/Makefile.in SRCS = idnconv.c util.c selectiveencode.c OBJS = idnconv.o util.o selectiveencode.o -Index: contrib/zkt/Makefile.in +Index: contrib/zkt-1.1.3/Makefile.in =================================================================== ---- contrib/zkt-1.1.3/Makefile.in.orig 2013-07-17 00:13:06.000000000 +0200 -+++ contrib/zkt-1.1.3/Makefile.in 2013-08-06 12:08:19.494457743 +0200 -@@ -13,11 +13,11 @@ +--- contrib/zkt-1.1.3/Makefile.in.orig ++++ contrib/zkt-1.1.3/Makefile.in +@@ -13,11 +13,11 @@ PROFILE = # -pg OPTIM = # -O3 -DNDEBUG #CFLAGS ?= @CFLAGS@ @DEFS@ -I@top_srcdir@ diff --git a/runidn.diff b/runidn.diff deleted file mode 100644 index 4769bb8..0000000 --- a/runidn.diff +++ /dev/null 
@@ -1,34 +0,0 @@ -From: Jan Engelhardt -Date: 2014-10-01 19:52:10.339340849 +0200 - -We do not normally ship the .la files in openSUSE; -make runidn work without it. -And do it portably (\$LIB), too, which the original runidn can't. ---- - contrib/idn/idnkit-1.0-src/tools/runidn/runidn.in | 6 ++++++ - 1 file changed, 6 insertions(+) - -Index: bind-9.9.5-P1/contrib/idn/idnkit-1.0-src/tools/runidn/runidn.in -=================================================================== ---- bind-9.9.5-P1.orig/contrib/idn/idnkit-1.0-src/tools/runidn/runidn.in -+++ bind-9.9.5-P1/contrib/idn/idnkit-1.0-src/tools/runidn/runidn.in -@@ -79,6 +79,7 @@ if test "$iconv_file" != none; then - preload="$iconv_file@PRELOAD_SEP@" - fi - -+if false; then - prefix=@prefix@ - exec_prefix=@exec_prefix@ - libdir=`echo @libdir@` -@@ -96,6 +97,11 @@ EOF - exit 1 - fi - preload=$preload$libdir/$dlname -+else -+prefix=$(echo "@prefix@") -+exec_prefix=$(echo "@exec_prefix@") -+preload="$exec_prefix/\$LIB/libidnkitres.so.1" -+fi - - # Set @PRELOAD_VAR@. - if [ X$@PRELOAD_VAR@ = X ]; then