diff --git a/.gitignore b/.gitignore index 955e90b..b564909 100644 --- a/.gitignore +++ b/.gitignore @@ -67,3 +67,4 @@ bind-9.7.2b1.tar.gz /bind-9.10.4-P2.tar.gz /bind-9.10.4-P3.tar.gz /bind-9.10.4-P4.tar.gz +/bind-9.11.0-P1.tar.gz diff --git a/bind-9.10-dist-native-pkcs11.patch b/bind-9.10-dist-native-pkcs11.patch index d531cc2..a4e8dc2 100644 --- a/bind-9.10-dist-native-pkcs11.patch +++ b/bind-9.10-dist-native-pkcs11.patch @@ -2,13 +2,13 @@ diff --git a/bin/Makefile.in b/bin/Makefile.in index e3aeffb..7654169 100644 --- a/bin/Makefile.in +++ b/bin/Makefile.in -@@ -19,7 +19,7 @@ srcdir = @srcdir@ +@@ -10,7 +10,7 @@ srcdir = @srcdir@ VPATH = @srcdir@ top_srcdir = @top_srcdir@ -SUBDIRS = named rndc dig delv dnssec tools tests nsupdate \ +SUBDIRS = named named-pkcs11 rndc dig delv dnssec dnssec-pkcs11 tools tests nsupdate \ - check confgen @PYTHON_TOOLS@ @PKCS11_TOOLS@ + check confgen @NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ TARGETS = diff --git a/bin/dnssec-pkcs11/Makefile.in b/bin/dnssec-pkcs11/Makefile.in @@ -137,14 +137,14 @@ diff --git a/bin/named-pkcs11/Makefile.in b/bin/named-pkcs11/Makefile.in index 95e36c1..fb658e9 100644 --- a/bin/named-pkcs11/Makefile.in +++ b/bin/named-pkcs11/Makefile.in -@@ -47,26 +47,26 @@ DLZDRIVER_INCLUDES = @DLZ_DRIVER_INCLUDES@ +@@ -36,26 +36,26 @@ DLZDRIVER_INCLUDES = @DLZ_DRIVER_INCLUDES@ DLZDRIVER_LIBS = @DLZ_DRIVER_LIBS@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \ - ${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \ - ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \ -+ ${LWRES_INCLUDES} ${DNS_PKCS11_INCLUDES} ${BIND9_INCLUDES} \ -+ ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_PKCS11_INCLUDES} \ ++ ${LWRES_INCLUDES} ${DNS_PKCS11_INCLUDES} ${BIND9_INCLUDES} \ ++ ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_PKCS11_INCLUDES} \ ${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} @DST_OPENSSL_INC@ -CDEFINES = @CONTRIB_DLZ@ @USE_PKCS11@ @PKCS11_ENGINE@ @CRYPTO@ 
@@ -153,25 +153,25 @@ index 95e36c1..fb658e9 100644 CWARNINGS = -DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@ -+DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @DNS_CRYPTO_LIBS@ ++DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @DNS_CRYPTO_LIBS@ ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@ ISCCCLIBS = ../../lib/isccc/libisccc.@A@ -ISCLIBS = ../../lib/isc/libisc.@A@ -+ISCLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@ ++ISCLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@ ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ LWRESLIBS = ../../lib/lwres/liblwres.@A@ BIND9LIBS = ../../lib/bind9/libbind9.@A@ -DNSDEPLIBS = ../../lib/dns/libdns.@A@ -+DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ ++DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@ ISCCCDEPLIBS = ../../lib/isccc/libisccc.@A@ -ISCDEPLIBS = ../../lib/isc/libisc.@A@ -+ISCDEPLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@ ++ISCDEPLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@ LWRESDEPLIBS = ../../lib/lwres/liblwres.@A@ BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@ -@@ -75,15 +75,15 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \ +@@ -64,15 +64,15 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \ LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \ ${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} \ 
@@ -181,58 +181,57 @@ index 95e36c1..fb658e9 100644 NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \ ${ISCCFGLIBS} ${ISCCCLIBS} ${ISCNOSYMLIBS} \ - ${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@ -+ @LIBS@ ++ @LIBS@ SUBDIRS = unix -TARGETS = named@EXEEXT@ lwresd@EXEEXT@ -+TARGETS = named-pkcs11@EXEEXT@ ++TARGETS = named-pkcs11@EXEEXT@ GEOIPLINKOBJS = geoip.@O@ - -@@ -94,8 +94,7 @@ OBJS = builtin.@O@ client.@O@ config.@O@ control.@O@ \ + +@@ -83,8 +83,7 @@ OBJS = builtin.@O@ client.@O@ config.@O@ control.@O@ \ tkeyconf.@O@ tsigconf.@O@ update.@O@ xfrout.@O@ \ zoneconf.@O@ \ lwaddr.@O@ lwresd.@O@ lwdclient.@O@ lwderror.@O@ lwdgabn.@O@ \ - lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@ \ - ${DLZDRIVER_OBJS} ${DBDRIVER_OBJS} -+ lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@ ++ lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@ UOBJS = unix/os.@O@ unix/dlz_dlopen_driver.@O@ -@@ -110,8 +109,7 @@ SRCS = builtin.c client.c config.c control.c \ +@@ -99,8 +98,7 @@ SRCS = builtin.c client.c config.c control.c \ tkeyconf.c tsigconf.c update.c xfrout.c \ zoneconf.c \ lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \ - lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c \ - ${DLZDRIVER_SRCS} ${DBDRIVER_SRCS} -+ lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c ++ lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c MANPAGES = named.8 lwresd.8 named.conf.5 -@@ -144,7 +142,7 @@ config.@O@: config.c - -DNS_SYSCONFDIR=\"${sysconfdir}\" \ - -c ${srcdir}/config.c +@@ -139,7 +137,7 @@ server.@O@: server.c + -DPRODUCT=\"${PRODUCT}\" \ + -DVERSION=\"${VERSION}\" -c ${srcdir}/server.c -named@EXEEXT@: ${OBJS} ${UOBJS} ${DEPLIBS} +named-pkcs11@EXEEXT@: ${OBJS} ${UOBJS} ${DEPLIBS} export MAKE_SYMTABLE="yes"; \ export BASEOBJS="${OBJS} ${UOBJS}"; \ ${FINALBUILDCMD} -@@ -171,15 +169,9 @@ statschannel.@O@: bind9.xsl.h +@@ -166,15 +164,9 @@ statschannel.@O@: bind9.xsl.h installdirs: $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir} - $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man5 - $(SHELL) 
${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8 -- + -install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs - ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir} - (cd ${DESTDIR}${sbindir}; rm -f lwresd@EXEEXT@; @LN@ named@EXEEXT@ lwresd@EXEEXT@) - ${INSTALL_DATA} ${srcdir}/named.8 ${DESTDIR}${mandir}/man8 - ${INSTALL_DATA} ${srcdir}/lwresd.8 ${DESTDIR}${mandir}/man8 - ${INSTALL_DATA} ${srcdir}/named.conf.5 ${DESTDIR}${mandir}/man5 -+ +install:: named-pkcs11@EXEEXT@ installdirs + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-pkcs11@EXEEXT@ ${DESTDIR}${sbindir} @@ -291,27 +290,26 @@ index a28f773..8f3b8f4 100644 # # was --with-randomdev specified? -@@ -1383,10 +1385,10 @@ OPENSSL_WARNING= +@@ -1383,11 +1385,11 @@ + AC_MSG_CHECKING(for OpenSSL library) + OPENSSL_WARNING= openssldirs="/usr /usr/local /usr/local/ssl /usr/pkg /usr/sfw" +-if test "$want_native_pkcs11" = "yes" +-then +- use_openssl="native_pkcs11" +- AC_MSG_RESULT(use of native PKCS11 instead) +-fi ++# if test "$want_native_pkcs11" = "yes" ++# then ++# use_openssl="native_pkcs11" ++# AC_MSG_RESULT(use of native PKCS11 instead) ++# fi + if test "$use_openssl" = "auto" then -- if test "$want_native_pkcs11" = "yes" -- then -- use_openssl="native_pkcs11" -- else -+# if test "$want_native_pkcs11" = "yes" -+# then -+# use_openssl="native_pkcs11" -+# else - for d in $openssldirs - do - if test -f $d/include/openssl/opensslv.h -@@ -1395,8 +1397,9 @@ then - break - fi - done -- fi -+# fi +@@ -1395,6 +1397,7 @@ then + fi + done fi +CRYPTO_PK11="" OPENSSL_ECDSA="" @@ -470,9 +468,9 @@ index 5f1ce56..830c0d5 100644 ${RANLIB} $@ @@ -144,23 +144,23 @@ dynamic_db.@O@: dynamic_db.c - -c ${srcdir}/dynamic_db.c - - + ${AR} ${ARFLAGS} $@ ${OBJS} + ${RANLIB} $@ + -libdns.la: ${OBJS} +libdns-pkcs11.la: ${OBJS} ${LIBTOOL_MODE_LINK} \ 
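Review bot: The rebased install rule for `bin/named-pkcs11/Makefile.in` now installs only `named-pkcs11@EXEEXT@` and drops the man-page directories, the `lwresd` link and the man-page copies, yet the unchanged `MANPAGES = named.8 lwresd.8 named.conf.5` context line still advertises them, so a reader of this Makefile cannot tell whether the omission is deliberate or a rebase slip. A one-line comment above the rule would settle it: `# named-pkcs11 installs only the binary; man pages and the lwresd link are provided by bin/named.` The same hunk also removes `${DLZDRIVER_LIBS} ${DBDRIVER_LIBS}` from NOSYMLIBS and the DLZ driver objects from OBJS/SRCS for the PKCS#11 build only; if that is intentional (contrib DLZ drivers are not wanted in the HSM-backed daemon) it deserves a similar note, e.g. `# contrib DLZ/DB drivers are deliberately left out of the PKCS#11 variant`, since nothing in the patch says so. The enclosing Makefile continues outside the hunk, and the `@@ -83,8`/`@@ -99,8` renumbering suggests this is a 9.11 context refresh rather than a behaviour change.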
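Review bot: The `configure.in` hunk replaces the upstream `if test "$want_native_pkcs11" = "yes" ... use_openssl="native_pkcs11"` block with the same block commented out, which leaves dead shell in a generated configure and hides the reason: with the override gone, `use_openssl` stays `auto` and the OpenSSL directory search runs even when native PKCS#11 was requested, so which crypto backend `named-pkcs11` actually gets now depends entirely on the newly introduced `CRYPTO_PK11=""` variable, whose population is outside this hunk. That matters for an HSM deployment, because a `named-pkcs11` silently built against OpenSSL crypto would still look like the PKCS#11 binary. I would replace the five `#`-prefixed lines with an explanatory comment, e.g. `# Fedora: --with-native-pkcs11 no longer replaces OpenSSL; both backends are` / `# built side by side (named vs named-pkcs11) and selected via CRYPTO_PK11.`, and verify that the later part of the patch sets `CRYPTO_PK11` and `@USE_PKCS11@` for the pkcs11 targets. The configure logic continues beyond the hunk, so the assignment of `CRYPTO_PK11` cannot be confirmed here.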
@@ -481,24 +479,24 @@ index 5f1ce56..830c0d5 100644 -version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \ - ${OBJS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${LIBS} + ${OBJS} ${ISCLIBS} @DNS_CRYPTO_PK11_LIBS@ ${LIBS} - + -timestamp: libdns.@A@ +timestamp: libdns-pkcs11.@A@ touch timestamp - + installdirs: $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir} - + install:: timestamp installdirs - ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libdns.@A@ ${DESTDIR}${libdir} + ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libdns-pkcs11.@A@ ${DESTDIR}${libdir} - + clean distclean:: - rm -f libdns.@A@ timestamp + rm -f libdns-pkcs11.@A@ timestamp rm -f gen code.h include/dns/enumtype.h include/dns/enumclass.h rm -f include/dns/rdatastruct.h - + rm -f dnstap.pb-c.c dnstap.pb-c.h include/dns/dnstap.pb-c.h @@ -190,7 +190,7 @@ code.h: gen ./gen -s ${srcdir} > code.h diff --git a/bind-9.10-dyndb.patch b/bind-9.10-dyndb.patch deleted file mode 100644 index a644bc1..0000000 --- a/bind-9.10-dyndb.patch +++ /dev/null 
@@ -1,731 +0,0 @@ -diff --git a/bin/named/main.c b/bin/named/main.c -index 556db54..0051f9a 100644 ---- a/bin/named/main.c -+++ b/bin/named/main.c -@@ -43,6 +43,7 @@ - #include - - #include -+#include - #include - #include - #include -diff --git a/bin/named/server.c b/bin/named/server.c -index 33483f8..3d2f1c6 100644 ---- a/bin/named/server.c -+++ b/bin/named/server.c -@@ -68,6 +68,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -1309,6 +1310,70 @@ configure_peer(const cfg_obj_t *cpeer, isc_mem_t *mctx, dns_peer_t **peerp) { - return (result); - } - -+configure_dynamic_db(const cfg_obj_t *dynamic_db, isc_mem_t *mctx, -+ const dns_dyndb_arguments_t *dyndb_args) -+{ -+ isc_result_t result; -+ const cfg_obj_t *obj; -+ const cfg_obj_t *options; -+ const cfg_listelt_t *element; -+ const char *name; -+ const char *libname; -+ const char **argv = NULL; -+ unsigned int i; -+ unsigned int len; -+ -+ /* Get the name of the database. */ -+ obj = cfg_tuple_get(dynamic_db, "name"); -+ name = cfg_obj_asstring(obj); -+ -+ /* Get options. */ -+ options = cfg_tuple_get(dynamic_db, "options"); -+ -+ /* Get library name. */ -+ obj = NULL; -+ CHECK(cfg_map_get(options, "library", &obj)); -+ libname = cfg_obj_asstring(obj); -+ -+ /* Create a list of arguments. */ -+ obj = NULL; -+ result = cfg_map_get(options, "arg", &obj); -+ if (result == ISC_R_NOTFOUND) -+ len = 0; -+ else if (result == ISC_R_SUCCESS) -+ len = cfg_list_length(obj, isc_boolean_false); -+ else -+ goto cleanup; -+ -+ /* Account for the last terminating NULL. 
*/ -+ len++; -+ -+ argv = isc_mem_allocate(mctx, len * sizeof(const char *)); -+ if (argv == NULL) { -+ result = ISC_R_NOMEMORY; -+ goto cleanup; -+ } -+ for (element = cfg_list_first(obj), i = 0; -+ element != NULL; -+ element = cfg_list_next(element), i++) -+ { -+ REQUIRE(i < len); -+ -+ obj = cfg_listelt_value(element); -+ argv[i] = cfg_obj_asstring(obj); -+ } -+ REQUIRE(i < len); -+ argv[i] = NULL; -+ -+ CHECK(dns_dynamic_db_load(libname, name, mctx, argv, dyndb_args)); -+ -+cleanup: -+ if (argv != NULL) -+ isc_mem_free(mctx, argv); -+ -+ return result; -+} -+ - static isc_result_t - disable_algorithms(const cfg_obj_t *disabled, dns_resolver_t *resolver) { - isc_result_t result; -@@ -2349,6 +2414,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, - const cfg_obj_t *dlz; - unsigned int dlzargc; - char **dlzargv; -+ const cfg_obj_t *dynamic_db_list; - const cfg_obj_t *disabled; - const cfg_obj_t *obj; - #ifdef ENABLE_FETCHLIMIT -@@ -3704,6 +3770,37 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, - dns_view_setrootdelonly(view, ISC_FALSE); - - /* -+ * Configure dynamic databases. -+ */ -+ dynamic_db_list = NULL; -+ if (voptions != NULL) -+ (void)cfg_map_get(voptions, "dynamic-db", &dynamic_db_list); -+ else -+ (void)cfg_map_get(config, "dynamic-db", &dynamic_db_list); -+ element = cfg_list_first(dynamic_db_list); -+ if (element != NULL) { -+ dns_dyndb_arguments_t *args; -+ -+ args = dns_dyndb_arguments_create(mctx); -+ if (args == NULL) { -+ result = ISC_R_NOMEMORY; -+ goto cleanup; -+ } -+ dns_dyndb_set_view(args, view); -+ dns_dyndb_set_zonemgr(args, ns_g_server->zonemgr); -+ dns_dyndb_set_task(args, ns_g_server->task); -+ dns_dyndb_set_timermgr(args, ns_g_timermgr); -+ while (element != NULL) { -+ obj = cfg_listelt_value(element); -+ CHECK(configure_dynamic_db(obj, mctx, args)); -+ -+ element = cfg_list_next(element); -+ } -+ -+ dns_dyndb_arguments_destroy(mctx, args); -+ } -+ -+ /* - * Setup automatic empty zones. 
If recursion is off then - * they are disabled by default. - */ -@@ -5457,6 +5554,7 @@ load_configuration(const char *filename, ns_server_t *server, - cfg_aclconfctx_detach(&ns_g_aclconfctx); - CHECK(cfg_aclconfctx_create(ns_g_mctx, &ns_g_aclconfctx)); - -+ dns_dynamic_db_cleanup(ISC_FALSE); - /* - * Parse the global default pseudo-config file. - */ -@@ -6685,6 +6783,8 @@ shutdown_server(isc_task_t *task, isc_event_t *event) { - dns_view_detach(&view); - } - -+ dns_dynamic_db_cleanup(ISC_TRUE); -+ - while ((nsc = ISC_LIST_HEAD(server->cachelist)) != NULL) { - ISC_LIST_UNLINK(server->cachelist, nsc, link); - dns_cache_detach(&nsc->cache); -diff --git a/lib/dns/Makefile.in b/lib/dns/Makefile.in -index 4f3ef52..34973af 100644 ---- a/lib/dns/Makefile.in -+++ b/lib/dns/Makefile.in -@@ -65,7 +65,7 @@ GEOIPLINKOBJS = geoip.@O@ - DNSOBJS = acache.@O@ acl.@O@ adb.@O@ byaddr.@O@ \ - cache.@O@ callbacks.@O@ clientinfo.@O@ compress.@O@ \ - db.@O@ dbiterator.@O@ dbtable.@O@ diff.@O@ dispatch.@O@ \ -- dlz.@O@ dns64.@O@ dnssec.@O@ ds.@O@ forward.@O@ \ -+ dlz.@O@ dns64.@O@ dnssec.@O@ ds.@O@ dynamic_db.@O@ forward.@O@ \ - iptable.@O@ journal.@O@ keydata.@O@ keytable.@O@ \ - lib.@O@ log.@O@ lookup.@O@ \ - master.@O@ masterdump.@O@ message.@O@ \ -@@ -103,7 +103,7 @@ GEOIOLINKSRCS = geoip.c - DNSSRCS = acache.c acl.c adb.c byaddr.c \ - cache.c callbacks.c clientinfo.c compress.c \ - db.c dbiterator.c dbtable.c diff.c dispatch.c \ -- dlz.c dns64.c dnssec.c ds.c forward.c \ -+ dlz.c dns64.c dnssec.c ds.c dynamic_db.c forward.c \ - iptable.c journal.c keydata.c keytable.c lib.c log.c \ - lookup.c master.c masterdump.c message.c \ - name.c ncache.c nsec.c nsec3.c order.c peer.c portlist.c \ -@@ -142,6 +142,12 @@ libdns.@SA@: ${OBJS} - ${AR} ${ARFLAGS} $@ ${OBJS} - ${RANLIB} $@ - -+dynamic_db.@O@: dynamic_db.c -+ ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \ -+ -DDYNDB_LIBDIR=\"@libdir@/bind/\" \ -+ -c ${srcdir}/dynamic_db.c -+ -+ - libdns.la: ${OBJS} - ${LIBTOOL_MODE_LINK} \ - ${CC} 
${ALL_CFLAGS} ${LDFLAGS} -o libdns.la -rpath ${libdir} \ -diff --git a/lib/dns/dynamic_db.c b/lib/dns/dynamic_db.c -index e69de29..e32a3c8 100644 ---- a/lib/dns/dynamic_db.c -+++ b/lib/dns/dynamic_db.c -@@ -0,0 +1,367 @@ -+/* -+ * Copyright (C) 2008-2011 Red Hat, Inc. -+ * -+ * Permission to use, copy, modify, and/or distribute this software for any -+ * purpose with or without fee is hereby granted, provided that the above -+ * copyright notice and this permission notice appear in all copies. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS" AND Red Hat DISCLAIMS ALL WARRANTIES WITH -+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -+ * AND FITNESS. IN NO EVENT SHALL Red Hat BE LIABLE FOR ANY SPECIAL, DIRECT, -+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -+ * PERFORMANCE OF THIS SOFTWARE. 
-+ */ -+ -+ -+#include -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#include -+#include -+#include -+#include -+#include -+ -+#include -+ -+#if HAVE_DLFCN_H -+#include -+#endif -+ -+#ifndef DYNDB_LIBDIR -+#define DYNDB_LIBDIR "" -+#endif -+ -+#define CHECK(op) \ -+ do { result = (op); \ -+ if (result != ISC_R_SUCCESS) goto cleanup; \ -+ } while (0) -+ -+ -+typedef isc_result_t (*register_func_t)(isc_mem_t *mctx, const char *name, -+ const char * const *argv, -+ const dns_dyndb_arguments_t *dyndb_args); -+typedef void (*destroy_func_t)(void); -+ -+typedef struct dyndb_implementation dyndb_implementation_t; -+ -+struct dyndb_implementation { -+ isc_mem_t *mctx; -+ void *handle; -+ register_func_t register_function; -+ destroy_func_t destroy_function; -+ LINK(dyndb_implementation_t) link; -+}; -+ -+struct dns_dyndb_arguments { -+ dns_view_t *view; -+ dns_zonemgr_t *zmgr; -+ isc_task_t *task; -+ isc_timermgr_t *timermgr; -+}; -+ -+/* List of implementations. Locked by dyndb_lock. */ -+static LIST(dyndb_implementation_t) dyndb_implementations; -+/* Locks dyndb_implementations. 
*/ -+static isc_mutex_t dyndb_lock; -+static isc_once_t once = ISC_ONCE_INIT; -+ -+static void -+dyndb_initialize(void) { -+ RUNTIME_CHECK(isc_mutex_init(&dyndb_lock) == ISC_R_SUCCESS); -+ INIT_LIST(dyndb_implementations); -+} -+ -+ -+#if HAVE_DLFCN_H -+static isc_result_t -+load_symbol(void *handle, const char *symbol_name, void **symbolp) -+{ -+ const char *errmsg; -+ void *symbol; -+ -+ REQUIRE(handle != NULL); -+ REQUIRE(symbolp != NULL && *symbolp == NULL); -+ -+ symbol = dlsym(handle, symbol_name); -+ if (symbol == NULL) { -+ errmsg = dlerror(); -+ if (errmsg == NULL) -+ errmsg = "returned function pointer is NULL"; -+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, -+ DNS_LOGMODULE_DYNDB, ISC_LOG_ERROR, -+ "failed to lookup symbol %s: %s", -+ symbol_name, errmsg); -+ return ISC_R_FAILURE; -+ } -+ dlerror(); -+ -+ *symbolp = symbol; -+ -+ return ISC_R_SUCCESS; -+} -+ -+static isc_result_t -+load_library(isc_mem_t *mctx, const char *filename, dyndb_implementation_t **impp) -+{ -+ isc_result_t result; -+ size_t module_size; -+ isc_buffer_t *module_buf = NULL; -+ isc_region_t module_region; -+ void *handle = NULL; -+ dyndb_implementation_t *imp; -+ register_func_t register_function = NULL; -+ destroy_func_t destroy_function = NULL; -+ -+ REQUIRE(impp != NULL && *impp == NULL); -+ -+ /* Build up the full path. 
*/ -+ module_size = strlen(DYNDB_LIBDIR) + strlen(filename) + 1; -+ CHECK(isc_buffer_allocate(mctx, &module_buf, module_size)); -+ isc_buffer_putstr(module_buf, DYNDB_LIBDIR); -+ isc_buffer_putstr(module_buf, filename); -+ isc_buffer_putuint8(module_buf, 0); -+ isc_buffer_region(module_buf, &module_region); -+ -+ handle = dlopen((char *)module_region.base, RTLD_LAZY); -+ if (handle == NULL) { -+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, -+ DNS_LOGMODULE_DYNDB, ISC_LOG_ERROR, -+ "failed to dynamically load driver '%s': %s", -+ filename, dlerror()); -+ result = ISC_R_FAILURE; -+ goto cleanup; -+ } -+ dlerror(); -+ -+ CHECK(load_symbol(handle, "dynamic_driver_init", -+ (void **)®ister_function)); -+ CHECK(load_symbol(handle, "dynamic_driver_destroy", -+ (void **)&destroy_function)); -+ -+ imp = isc_mem_get(mctx, sizeof(dyndb_implementation_t)); -+ if (imp == NULL) { -+ result = ISC_R_NOMEMORY; -+ goto cleanup; -+ } -+ -+ imp->mctx = NULL; -+ isc_mem_attach(mctx, &imp->mctx); -+ imp->handle = handle; -+ imp->register_function = register_function; -+ imp->destroy_function = destroy_function; -+ INIT_LINK(imp, link); -+ -+ *impp = imp; -+ -+cleanup: -+ if (result != ISC_R_SUCCESS && handle != NULL) -+ dlclose(handle); -+ if (module_buf != NULL) -+ isc_buffer_free(&module_buf); -+ -+ return result; -+} -+ -+static void -+unload_library(dyndb_implementation_t **impp) -+{ -+ dyndb_implementation_t *imp; -+ -+ REQUIRE(impp != NULL && *impp != NULL); -+ -+ imp = *impp; -+ -+ isc_mem_putanddetach(&imp->mctx, imp, sizeof(dyndb_implementation_t)); -+ -+ *impp = NULL; -+} -+ -+#else /* HAVE_DLFCN_H */ -+static isc_result_t -+load_library(isc_mem_t *mctx, const char *filename, dyndb_implementation_t **impp) -+{ -+ UNUSED(mctx); -+ UNUSED(filename); -+ UNUSED(impp); -+ -+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_DYNDB, -+ ISC_LOG_ERROR, -+ "dynamic database support is not implemented") -+ -+ return ISC_R_NOTIMPLEMENTED; -+} -+ -+static void 
-+unload_library(dyndb_implementation_t **impp) -+{ -+ dyndb_implementation_t *imp; -+ -+ REQUIRE(impp != NULL && *impp != NULL); -+ -+ imp = *impp; -+ -+ isc_mem_putanddetach(&imp->mctx, imp, sizeof(dyndb_implementation_t)); -+ -+ *impp = NULL; -+} -+#endif /* HAVE_DLFCN_H */ -+ -+isc_result_t -+dns_dynamic_db_load(const char *libname, const char *name, isc_mem_t *mctx, -+ const char * const *argv, -+ const dns_dyndb_arguments_t *dyndb_args) -+{ -+ isc_result_t result; -+ dyndb_implementation_t *implementation = NULL; -+ -+ RUNTIME_CHECK(isc_once_do(&once, dyndb_initialize) == ISC_R_SUCCESS); -+ -+ CHECK(load_library(mctx, libname, &implementation)); -+ CHECK(implementation->register_function(mctx, name, argv, dyndb_args)); -+ -+ LOCK(&dyndb_lock); -+ APPEND(dyndb_implementations, implementation, link); -+ UNLOCK(&dyndb_lock); -+ -+ return ISC_R_SUCCESS; -+ -+cleanup: -+ if (implementation != NULL) -+ unload_library(&implementation); -+ -+ return result; -+} -+ -+void -+dns_dynamic_db_cleanup(isc_boolean_t exiting) -+{ -+ dyndb_implementation_t *elem; -+ dyndb_implementation_t *prev; -+ -+ RUNTIME_CHECK(isc_once_do(&once, dyndb_initialize) == ISC_R_SUCCESS); -+ -+ LOCK(&dyndb_lock); -+ elem = TAIL(dyndb_implementations); -+ while (elem != NULL) { -+ prev = PREV(elem, link); -+ UNLINK(dyndb_implementations, elem, link); -+ elem->destroy_function(); -+ unload_library(&elem); -+ elem = prev; -+ } -+ UNLOCK(&dyndb_lock); -+ -+ if (exiting == ISC_TRUE) -+ isc_mutex_destroy(&dyndb_lock); -+} -+ -+dns_dyndb_arguments_t * -+dns_dyndb_arguments_create(isc_mem_t *mctx) -+{ -+ dns_dyndb_arguments_t *args; -+ -+ args = isc_mem_get(mctx, sizeof(*args)); -+ if (args != NULL) -+ memset(args, 0, sizeof(*args)); -+ -+ return args; -+} -+ -+void -+dns_dyndb_arguments_destroy(isc_mem_t *mctx, dns_dyndb_arguments_t *args) -+{ -+ REQUIRE(args != NULL); -+ -+ dns_dyndb_set_view(args, NULL); -+ dns_dyndb_set_zonemgr(args, NULL); -+ dns_dyndb_set_task(args, NULL); -+ 
dns_dyndb_set_timermgr(args, NULL); -+ -+ isc_mem_put(mctx, args, sizeof(*args)); -+} -+ -+void -+dns_dyndb_set_view(dns_dyndb_arguments_t *args, dns_view_t *view) -+{ -+ REQUIRE(args != NULL); -+ -+ if (args->view != NULL) -+ dns_view_detach(&args->view); -+ if (view != NULL) -+ dns_view_attach(view, &args->view); -+} -+ -+dns_view_t * -+dns_dyndb_get_view(dns_dyndb_arguments_t *args) -+{ -+ REQUIRE(args != NULL); -+ -+ return args->view; -+} -+ -+void -+dns_dyndb_set_zonemgr(dns_dyndb_arguments_t *args, dns_zonemgr_t *zmgr) -+{ -+ REQUIRE(args != NULL); -+ -+ if (args->zmgr != NULL) -+ dns_zonemgr_detach(&args->zmgr); -+ if (zmgr != NULL) -+ dns_zonemgr_attach(zmgr, &args->zmgr); -+} -+ -+dns_zonemgr_t * -+dns_dyndb_get_zonemgr(dns_dyndb_arguments_t *args) -+{ -+ REQUIRE(args != NULL); -+ -+ return args->zmgr; -+} -+ -+void -+dns_dyndb_set_task(dns_dyndb_arguments_t *args, isc_task_t *task) -+{ -+ REQUIRE(args != NULL); -+ -+ if (args->task != NULL) -+ isc_task_detach(&args->task); -+ if (task != NULL) -+ isc_task_attach(task, &args->task); -+} -+ -+isc_task_t * -+dns_dyndb_get_task(dns_dyndb_arguments_t *args) -+{ -+ REQUIRE(args != NULL); -+ -+ return args->task; -+} -+ -+void -+dns_dyndb_set_timermgr(dns_dyndb_arguments_t *args, isc_timermgr_t *timermgr) -+{ -+ REQUIRE(args != NULL); -+ -+ args->timermgr = timermgr; -+} -+ -+isc_timermgr_t * -+dns_dyndb_get_timermgr(dns_dyndb_arguments_t *args) -+{ -+ REQUIRE(args != NULL); -+ -+ return args->timermgr; -+} -+ -diff --git a/lib/dns/include/dns/Makefile.in b/lib/dns/include/dns/Makefile.in -index aecf6f0..8e24b54 100644 ---- a/lib/dns/include/dns/Makefile.in -+++ b/lib/dns/include/dns/Makefile.in -@@ -23,7 +23,7 @@ VERSION=@BIND9_VERSION@ - - HEADERS = acache.h acl.h adb.h bit.h byaddr.h cache.h callbacks.h cert.h \ - client.h clientinfo.h compress.h \ -- db.h dbiterator.h dbtable.h diff.h dispatch.h \ -+ db.h dbiterator.h dbtable.h diff.h dispatch.h dynamic_db.h \ - dlz.h dlz_dlopen.h dns64.h dnssec.h ds.h 
dsdigest.h \ - ecdb.h events.h fixedname.h forward.h geoip.h iptable.h \ - journal.h keydata.h keyflags.h keytable.h keyvalues.h \ -diff --git a/lib/dns/include/dns/dynamic_db.h b/lib/dns/include/dns/dynamic_db.h -index e69de29..719fa0f 100644 ---- a/lib/dns/include/dns/dynamic_db.h -+++ b/lib/dns/include/dns/dynamic_db.h -@@ -0,0 +1,51 @@ -+/* -+ * Copyright (C) 2008-2011 Red Hat, Inc. -+ * -+ * Permission to use, copy, modify, and/or distribute this software for any -+ * purpose with or without fee is hereby granted, provided that the above -+ * copyright notice and this permission notice appear in all copies. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS" AND Red Hat DISCLAIMS ALL WARRANTIES WITH -+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -+ * AND FITNESS. IN NO EVENT SHALL Red Hat BE LIABLE FOR ANY SPECIAL, DIRECT, -+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -+ * PERFORMANCE OF THIS SOFTWARE. -+ */ -+ -+ -+#ifndef DYNAMIC_DB_H -+#define DYNAMIC_DB_H -+ -+#include -+ -+#include -+ -+/* -+ * TODO: -+ * Reformat the prototypes. -+ * Add annotated comments. 
-+ */ -+ -+isc_result_t dns_dynamic_db_load(const char *libname, const char *name, -+ isc_mem_t *mctx, const char * const *argv, -+ const dns_dyndb_arguments_t *dyndb_args); -+ -+void dns_dynamic_db_cleanup(isc_boolean_t exiting); -+ -+dns_dyndb_arguments_t *dns_dyndb_arguments_create(isc_mem_t *mctx); -+void dns_dyndb_arguments_destroy(isc_mem_t *mctx, dns_dyndb_arguments_t *args); -+ -+void dns_dyndb_set_view(dns_dyndb_arguments_t *args, dns_view_t *view); -+dns_view_t *dns_dyndb_get_view(dns_dyndb_arguments_t *args); -+void dns_dyndb_set_zonemgr(dns_dyndb_arguments_t *args, dns_zonemgr_t *zmgr); -+dns_zonemgr_t *dns_dyndb_get_zonemgr(dns_dyndb_arguments_t *args); -+void dns_dyndb_set_task(dns_dyndb_arguments_t *args, isc_task_t *task); -+isc_task_t *dns_dyndb_get_task(dns_dyndb_arguments_t *args); -+void dns_dyndb_set_timermgr(dns_dyndb_arguments_t *args, -+ isc_timermgr_t *timermgr); -+isc_timermgr_t *dns_dyndb_get_timermgr(dns_dyndb_arguments_t *args); -+ -+#endif -+ -diff --git a/lib/dns/include/dns/log.h b/lib/dns/include/dns/log.h -index 845be49..7b94ec6 100644 ---- a/lib/dns/include/dns/log.h -+++ b/lib/dns/include/dns/log.h -@@ -78,6 +78,7 @@ LIBDNS_EXTERNAL_DATA extern isc_logmodule_t dns_modules[]; - #define DNS_LOGMODULE_DNSSEC (&dns_modules[27]) - #define DNS_LOGMODULE_CRYPTO (&dns_modules[28]) - #define DNS_LOGMODULE_PACKETS (&dns_modules[29]) -+#define DNS_LOGMODULE_DYNDB (&dns_modules[30]) - - ISC_LANG_BEGINDECLS - -diff --git a/lib/dns/include/dns/types.h b/lib/dns/include/dns/types.h -index 00ba58e..b7fdead 100644 ---- a/lib/dns/include/dns/types.h -+++ b/lib/dns/include/dns/types.h -@@ -64,6 +64,7 @@ typedef struct dns_dlzimplementation dns_dlzimplementation_t; - typedef struct dns_dlzdb dns_dlzdb_t; - typedef ISC_LIST(dns_dlzdb_t) dns_dlzdblist_t; - typedef struct dns_sdlzimplementation dns_sdlzimplementation_t; -+typedef struct dns_dyndb_arguments dns_dyndb_arguments_t; - typedef struct dns_decompress dns_decompress_t; - typedef struct 
dns_dispatch dns_dispatch_t; - typedef struct dns_dispatchevent dns_dispatchevent_t; -diff --git a/lib/dns/log.c b/lib/dns/log.c -index 377b03c..acef9e6 100644 ---- a/lib/dns/log.c -+++ b/lib/dns/log.c -@@ -84,6 +84,7 @@ LIBDNS_EXTERNAL_DATA isc_logmodule_t dns_modules[] = { - { "dns/dnssec", 0 }, - { "dns/crypto", 0 }, - { "dns/packets", 0 }, -+ { "dns/dynamic_db", 0 }, - { NULL, 0 } - }; - -diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c -index 67d65f0..bd348be 100644 ---- a/lib/isccfg/namedconf.c -+++ b/lib/isccfg/namedconf.c -@@ -106,6 +106,7 @@ static cfg_type_t cfg_type_controls; - static cfg_type_t cfg_type_controls_sockaddr; - static cfg_type_t cfg_type_destinationlist; - static cfg_type_t cfg_type_dialuptype; -+static cfg_type_t cfg_type_dynamic_db; - static cfg_type_t cfg_type_ixfrdifftype; - static cfg_type_t cfg_type_key; - static cfg_type_t cfg_type_logfile; -@@ -969,6 +970,7 @@ namedconf_or_view_clauses[] = { - { "key", &cfg_type_key, CFG_CLAUSEFLAG_MULTI }, - { "zone", &cfg_type_zone, CFG_CLAUSEFLAG_MULTI }, - { "dlz", &cfg_type_dlz, CFG_CLAUSEFLAG_MULTI }, -+ { "dynamic-db", &cfg_type_dynamic_db, CFG_CLAUSEFLAG_MULTI }, - { "server", &cfg_type_server, CFG_CLAUSEFLAG_MULTI }, - { "trusted-keys", &cfg_type_dnsseckeys, CFG_CLAUSEFLAG_MULTI }, - { "managed-keys", &cfg_type_managedkeys, CFG_CLAUSEFLAG_MULTI }, -@@ -2230,6 +2232,40 @@ static cfg_type_t cfg_type_dialuptype = { - &cfg_rep_string, dialup_enums - }; - -+/* -+ * Dynamic database clauses. 
-+ */ -+ -+static cfg_clausedef_t -+dynamic_db_clauses[] = { -+ { "library", &cfg_type_qstring, 0 }, -+ { "arg", &cfg_type_qstring, CFG_CLAUSEFLAG_MULTI }, -+ { NULL, NULL, 0 } -+}; -+ -+static cfg_clausedef_t * -+dynamic_db_clausesets[] = { -+ dynamic_db_clauses, -+ NULL -+}; -+ -+static cfg_type_t cfg_type_dynamic_db_opts = { -+ "dynamically_loadable_zones_opts", cfg_parse_map, -+ cfg_print_map, cfg_doc_map, &cfg_rep_map, -+ dynamic_db_clausesets -+}; -+ -+static cfg_tuplefielddef_t dynamic_db_fields[] = { -+ { "name", &cfg_type_astring, 0 }, -+ { "options", &cfg_type_dynamic_db_opts, 0 }, -+ { NULL, NULL, 0 } -+}; -+ -+static cfg_type_t cfg_type_dynamic_db = { -+ "dynamic_db", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, -+ &cfg_rep_tuple, dynamic_db_fields -+}; -+ - static const char *notify_enums[] = { "explicit", "master-only", NULL }; - static isc_result_t - parse_notify_type(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) { diff --git a/bind-9.10-openssl-1.1.patch b/bind-9.10-openssl-1.1.patch index ea10971..70da6af 100644 --- a/bind-9.10-openssl-1.1.patch +++ b/bind-9.10-openssl-1.1.patch 
@@ -1,109 +1,741 @@ ---- bind-9.10.4-P3/configure.in 2016-11-07 17:57:34.328237767 +0100 -+++ bind-9.10.4-P3/configure.in 2016-11-07 17:57:34.336237955 +0100 -@@ -1562,28 +1562,6 @@ Please check the argument to --with-open - shared library configuration (e.g., LD_LIBRARY_PATH).)], - [AC_MSG_RESULT(assuming it does work on target platform)]) - -- AC_MSG_CHECKING(whether linking with OpenSSL requires -ldl) -- AC_TRY_LINK([ --#include --#include --], +diff --git a/README b/README +index e905d5e..17c0ddf 100644 +--- a/README ++++ b/README +@@ -322,7 +322,7 @@ Building + systems. + + For the server to support DNSSEC, you need to build it +- with crypto support. You must have OpenSSL 0.9.5a ++ with crypto support. You must have OpenSSL 1.0.1t + or newer installed and specify "--with-openssl" on the + configure command line. If OpenSSL is installed under + a nonstandard prefix, you can tell configure where to +diff --git a/bin/named/main.c b/bin/named/main.c +index e0dafb1..f716b3f 100644 +--- a/bin/named/main.c ++++ b/bin/named/main.c +@@ -688,8 +688,14 @@ parse_command_line(int argc, char *argv[]) { + #ifdef OPENSSL + printf("compiled with OpenSSL version: %s\n", + OPENSSL_VERSION_TEXT); ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L /* 1.1.0 or higher */ ++ printf("linked to OpenSSL version: %s\n", ++ OpenSSL_version(OPENSSL_VERSION)); ++ ++#else + printf("linked to OpenSSL version: %s\n", + SSLeay_version(SSLEAY_VERSION)); ++#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */ + #endif + #ifdef HAVE_LIBXML2 + printf("compiled with libxml2 version: %s\n", +diff --git a/bin/tests/dst/t_dst.c b/bin/tests/dst/t_dst.c +index 0bb723d..27da3fd 100644 +--- a/bin/tests/dst/t_dst.c ++++ b/bin/tests/dst/t_dst.c +@@ -910,9 +910,42 @@ t2_sigchk(char *datapath, char *sigpath, char *keyname, + * signed at some earlier time, possibly with an entire different + * version or implementation of the DSA and RSA algorithms + */ +-static const char *a2 = +- "the dst module provides the 
capability to " +- "verify data signed with the RSA and DSA algorithms"; ++ ++isc_mem_t *t2_mctx = NULL; ++isc_entropy_t *t2_ectx = NULL; ++ ++static int ++t2_vfy_init(void) { ++ isc_result_t isc_result; ++ ++ t2_mctx = NULL; ++ isc_result = isc_mem_create(0, 0, &t2_mctx); ++ if (isc_result != ISC_R_SUCCESS) { ++ t_info("isc_mem_create failed %s\n", ++ isc_result_totext(isc_result)); ++ return(0); ++ } ++ t2_ectx = NULL; ++ isc_result = isc_entropy_create(t2_mctx, &t2_ectx); ++ if (isc_result != ISC_R_SUCCESS) { ++ t_info("isc_entropy_create failed %s\n", ++ isc_result_totext(isc_result)); ++ return(0); ++ } ++ isc_result = isc_entropy_createfilesource(t2_ectx, "randomfile"); ++ if (isc_result != ISC_R_SUCCESS) { ++ t_info("isc_entropy_create failed %s\n", ++ isc_result_totext(isc_result)); ++ return(0); ++ } ++ isc_result = dst_lib_init(t2_mctx, t2_ectx, ISC_ENTROPY_BLOCKING); ++ if (isc_result != ISC_R_SUCCESS) { ++ t_info("dst_lib_init failed %s\n", ++ isc_result_totext(isc_result)); ++ return(0); ++ } ++ return(1); ++} + + /* + * av == datafile, sigpath, keyname, keyid, alg, exp_result. 
+@@ -929,9 +962,6 @@ t2_vfy(char **av) { + char *exp_result; + int nfails; + int nprobs; +- isc_mem_t *mctx; +- isc_entropy_t *ectx; +- isc_result_t isc_result; + int result; + + datapath = *av++; +@@ -953,33 +983,6 @@ t2_vfy(char **av) { + return(T_UNRESOLVED); + } + +- mctx = NULL; +- isc_result = isc_mem_create(0, 0, &mctx); +- if (isc_result != ISC_R_SUCCESS) { +- t_info("isc_mem_create failed %s\n", +- isc_result_totext(isc_result)); +- return(T_UNRESOLVED); +- } +- ectx = NULL; +- isc_result = isc_entropy_create(mctx, &ectx); +- if (isc_result != ISC_R_SUCCESS) { +- t_info("isc_entropy_create failed %s\n", +- isc_result_totext(isc_result)); +- return(T_UNRESOLVED); +- } +- isc_result = isc_entropy_createfilesource(ectx, "randomfile"); +- if (isc_result != ISC_R_SUCCESS) { +- t_info("isc_entropy_create failed %s\n", +- isc_result_totext(isc_result)); +- return(T_UNRESOLVED); +- } +- isc_result = dst_lib_init(mctx, ectx, ISC_ENTROPY_BLOCKING); +- if (isc_result != ISC_R_SUCCESS) { +- t_info("dst_lib_init failed %s\n", +- isc_result_totext(isc_result)); +- return(T_UNRESOLVED); +- } +- + if (!dst_algorithm_supported(DST_ALG_RSAMD5)) { + dst_lib_destroy(); + t_info("library built without crypto support\n"); +@@ -990,15 +993,9 @@ t2_vfy(char **av) { + datapath, sigpath, keyname, key, alg, exp_result); + t2_sigchk(datapath, sigpath, keyname, keyid, + algid, DST_TYPE_PRIVATE|DST_TYPE_PUBLIC, +- mctx, exp_result, ++ t2_mctx, exp_result, + &nfails, &nprobs); + +- dst_lib_destroy(); +- +- isc_entropy_detach(&ectx); +- +- isc_mem_destroy(&mctx); +- + result = T_UNRESOLVED; + if (nfails) + result = T_FAIL; +@@ -1008,11 +1005,24 @@ t2_vfy(char **av) { + return(result); + } + ++static const char *a2 = ++ "the dst module provides the capability to " ++ "verify data signed with the RSA and DSA algorithms"; ++ + static void + t2(void) { + int result; + t_assert("dst", 2, T_REQUIRED, "%s", a2); +- result = t_eval("dst_2_data", t2_vfy, 6); ++ if (!t2_vfy_init()) { ++ result = 
T_UNRESOLVED; ++ } else { ++ result = t_eval("dst_2_data", t2_vfy, 6); ++ dst_lib_destroy(); ++ } ++ if (t2_ectx) ++ isc_entropy_detach(&t2_ectx); ++ if (t2_mctx) ++ isc_mem_destroy(&t2_mctx); + t_result(result); + } + +diff --git a/configure b/configure +index 0ea01af..27156e2 100755 +--- a/configure ++++ b/configure +@@ -15916,8 +15916,8 @@ $as_echo "using OpenSSL from $use_openssl/lib and $use_openssl/include" >&6; } + saved_cc="$CC" + saved_cflags="$CFLAGS" + saved_libs="$LIBS" +- CFLAGS="$CFLAGS $DST_OPENSSL_INC" +- LIBS="$LIBS $DST_OPENSSL_LIBS" ++ CFLAGS="$DST_OPENSSL_INC $CFLAGS" ++ LIBS="$DST_OPENSSL_LIBS $LIBS" + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether linking with OpenSSL works" >&5 + $as_echo_n "checking whether linking with OpenSSL works... " >&6; } + if test "$cross_compiling" = yes; then : +@@ -15955,13 +15955,24 @@ $as_echo_n "checking whether linking with OpenSSL requires -ldl... " >&6; } + cat confdefs.h - <<_ACEOF >conftest.$ac_ext + /* end confdefs.h. */ + ++#include ++#if OPENSSL_VERSION_NUMBER >= 0x10100004L ++#include ++#else + #include + #include ++#endif + + int + main () + { +- DSO_METHOD_dlfcn(); ++ ++#if OPENSSL_VERSION_NUMBER >= 0x10100004L ++OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL); ++#else ++DSO_METHOD_dlfcn(); ++#endif ++ + ; + return 0; + } +@@ -15974,13 +15985,23 @@ else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext + /* end confdefs.h. 
*/ + ++#if OPENSSL_VERSION_NUMBER >= 0x10100004L ++#include ++#else + #include + #include ++#endif + + int + main () + { +- DSO_METHOD_dlfcn(); ++ ++#if OPENSSL_VERSION_NUMBER >= 0x10100004L ++OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL); ++#else ++DSO_METHOD_dlfcn(); ++#endif ++ + ; + return 0; + } +@@ -16027,7 +16048,7 @@ int main() { + OPENSSL_VERSION_NUMBER < 0x10002000L) || + OPENSSL_VERSION_NUMBER >= 0x1000205fL) + return (0); +- printf("\n\nFound OPENSSL_VERSION_NUMBER %#010x\n", ++ printf("\n\nFound OPENSSL_VERSION_NUMBER %#010lx\n", + OPENSSL_VERSION_NUMBER); + printf("Require OPENSSL_VERSION_NUMBER 0x009070cf or greater (0.9.7l)\n" + "Require OPENSSL_VERSION_NUMBER 0x0090804f or greater (0.9.8d)\n" +@@ -16247,7 +16268,7 @@ else + + #include + int main() { +- EVP_CIPHER *aes128, *aes192, *aes256; ++ const EVP_CIPHER *aes128, *aes192, *aes256; + + aes128 = EVP_aes_128_ecb(); + aes192 = EVP_aes_192_ecb(); +@@ -16420,43 +16441,6 @@ $as_echo "yes" >&6; } + ISC_PLATFORM_OPENSSLHASH="#define ISC_PLATFORM_OPENSSLHASH 1" + ISC_OPENSSL_INC="$DST_OPENSSL_INC" + ISC_OPENSSL_LIBS="$DST_OPENSSL_LIBS" +- saved_cflags="$CFLAGS" +- save_libs="$LIBS" +- CFLAGS="$CFLAGS $ISC_OPENSSL_INC" +- LIBS="$LIBS $ISC_OPENSSL_LIBS" +- { $as_echo "$as_me:${as_lineno-$LINENO}: checking HMAC_Init() return type" >&5 +-$as_echo_n "checking HMAC_Init() return type... " >&6; } +- cat confdefs.h - <<_ACEOF >conftest.$ac_ext +-/* end confdefs.h. 
*/ +- +- #include +-int +-main () +-{ +- +- HMAC_CTX ctx; +- int n = HMAC_Init(&ctx, NULL, 0, NULL); +- n += HMAC_Update(&ctx, NULL, 0); +- n += HMAC_Final(&ctx, NULL, NULL); +- ; +- return 0; +-} +-_ACEOF +-if ac_fn_c_try_compile "$LINENO"; then : +- +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: int" >&5 +-$as_echo "int" >&6; } +- +-$as_echo "#define HMAC_RETURN_INT 1" >>confdefs.h +- +-else +- +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: void" >&5 +-$as_echo "void" >&6; } +-fi +-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +- CFLAGS="$saved_cflags" +- LIBS="$save_libs" + ;; + no) + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +diff --git a/configure.in b/configure.in +index 82480b5..d78e445 100644 +--- a/configure.in ++++ b/configure.in +@@ -1595,8 +1595,8 @@ If you don't want OpenSSL, use --without-openssl]) + saved_cc="$CC" + saved_cflags="$CFLAGS" + saved_libs="$LIBS" +- CFLAGS="$CFLAGS $DST_OPENSSL_INC" +- LIBS="$LIBS $DST_OPENSSL_LIBS" ++ CFLAGS="$DST_OPENSSL_INC $CFLAGS" ++ LIBS="$DST_OPENSSL_LIBS $LIBS" + AC_MSG_CHECKING(whether linking with OpenSSL works) + AC_TRY_RUN([ + #include +@@ -1615,16 +1615,38 @@ shared library configuration (e.g., LD_LIBRARY_PATH).)], + + AC_MSG_CHECKING(whether linking with OpenSSL requires -ldl) + AC_TRY_LINK([ ++#include ++#if OPENSSL_VERSION_NUMBER >= 0x10100004L ++#include ++#else + #include + #include ++#endif ++], ++[ ++#if OPENSSL_VERSION_NUMBER >= 0x10100004L ++OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL); ++#else ++DSO_METHOD_dlfcn(); ++#endif + ], -[ DSO_METHOD_dlfcn(); ], -- [AC_MSG_RESULT(no)], -- [LIBS="$LIBS -ldl" -- AC_TRY_LINK([ --#include --#include + [AC_MSG_RESULT(no)], + [LIBS="$LIBS -ldl" + AC_TRY_LINK([ ++#if OPENSSL_VERSION_NUMBER >= 0x10100004L ++#include ++#else + #include + #include -],[ DSO_METHOD_dlfcn(); ], -- [AC_MSG_RESULT(yes) -- DST_OPENSSL_LIBS="$DST_OPENSSL_LIBS -ldl" -- ], -- [AC_MSG_RESULT(unknown) -- AC_MSG_ERROR(OpenSSL has unsupported 
dynamic loading)], -- [AC_MSG_RESULT(assuming it does work on target platform)]) -- ], -- [AC_MSG_RESULT(assuming it does work on target platform)] -- ) -- - AC_ARG_ENABLE(openssl-version-check, - [AC_HELP_STRING([--enable-openssl-version-check], - [check OpenSSL version @<:@default=yes@:>@])]) ---- bind-9.10.4-P3/lib/dns/dst_openssl.h 2016-09-14 03:23:44.000000000 +0200 -+++ bind-9.10.4-P3/lib/dns/dst_openssl.h 2016-11-07 17:57:34.336237955 +0100 -@@ -30,8 +30,10 @@ - #include ++#endif ++], ++[ ++#if OPENSSL_VERSION_NUMBER >= 0x10100004L ++OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL); ++#else ++DSO_METHOD_dlfcn(); ++#endif ++], + [AC_MSG_RESULT(yes) + DST_OPENSSL_LIBS="$DST_OPENSSL_LIBS -ldl" + ], +@@ -1651,7 +1673,7 @@ int main() { + OPENSSL_VERSION_NUMBER < 0x10002000L) || + OPENSSL_VERSION_NUMBER >= 0x1000205fL) + return (0); +- printf("\n\nFound OPENSSL_VERSION_NUMBER %#010x\n", ++ printf("\n\nFound OPENSSL_VERSION_NUMBER %#010lx\n", + OPENSSL_VERSION_NUMBER); + printf("Require OPENSSL_VERSION_NUMBER 0x009070cf or greater (0.9.7l)\n" + "Require OPENSSL_VERSION_NUMBER 0x0090804f or greater (0.9.8d)\n" +@@ -1803,7 +1825,7 @@ int main() { + AC_TRY_RUN([ + #include + int main() { +- EVP_CIPHER *aes128, *aes192, *aes256; ++ const EVP_CIPHER *aes128, *aes192, *aes256; + + aes128 = EVP_aes_128_ecb(); + aes192 = EVP_aes_192_ecb(); +@@ -1953,22 +1975,6 @@ case $want_openssl_hash in + ISC_PLATFORM_OPENSSLHASH="#define ISC_PLATFORM_OPENSSLHASH 1" + ISC_OPENSSL_INC="$DST_OPENSSL_INC" + ISC_OPENSSL_LIBS="$DST_OPENSSL_LIBS" +- saved_cflags="$CFLAGS" +- save_libs="$LIBS" +- CFLAGS="$CFLAGS $ISC_OPENSSL_INC" +- LIBS="$LIBS $ISC_OPENSSL_LIBS" +- AC_MSG_CHECKING([HMAC_Init() return type]) +- AC_TRY_COMPILE([ +- #include ],[ +- HMAC_CTX ctx; +- int n = HMAC_Init(&ctx, NULL, 0, NULL); +- n += HMAC_Update(&ctx, NULL, 0); +- n += HMAC_Final(&ctx, NULL, NULL);],[ +- AC_MSG_RESULT(int) +- AC_DEFINE(HMAC_RETURN_INT, 1, [HMAC_*() return ints])],[ +- AC_MSG_RESULT(void)]) 
+- CFLAGS="$saved_cflags" +- LIBS="$save_libs" + ;; + no) + AC_MSG_RESULT(no) +diff --git a/lib/dns/dst_gost.h b/lib/dns/dst_gost.h +index da6dcf5..86dda8b 100644 +--- a/lib/dns/dst_gost.h ++++ b/lib/dns/dst_gost.h +@@ -18,7 +18,13 @@ + #ifdef HAVE_OPENSSL_GOST + #include + +-typedef EVP_MD_CTX isc_gost_t; ++typedef struct { ++ EVP_MD_CTX *ctx; ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++ EVP_MD_CTX _ctx; ++#endif ++} isc_gost_t; ++ + #endif + #ifdef HAVE_PKCS11_GOST + #include +diff --git a/lib/dns/dst_openssl.h b/lib/dns/dst_openssl.h +index d7dd0e8..f8a3057 100644 +--- a/lib/dns/dst_openssl.h ++++ b/lib/dns/dst_openssl.h +@@ -22,8 +22,10 @@ #include #include -+#include -#if !defined(OPENSSL_NO_ENGINE) && defined(CRYPTO_LOCK_ENGINE) && \ -+#if !defined(OPENSSL_NO_ENGINE) && (defined(CRYPTO_LOCK_ENGINE) || \ -+ defined(CRYPTO_EX_INDEX_ENGINE)) && \ - (OPENSSL_VERSION_NUMBER >= 0x0090707f) +- (OPENSSL_VERSION_NUMBER >= 0x0090707f) ++#if !defined(OPENSSL_NO_ENGINE) && \ ++ ((defined(CRYPTO_LOCK_ENGINE) && \ ++ (OPENSSL_VERSION_NUMBER >= 0x0090707f)) || \ ++ (OPENSSL_VERSION_NUMBER >= 0x10100000L)) #define USE_ENGINE 1 #endif ---- bind-9.10.4-P3/lib/dns/openssldh_link.c 2016-09-14 03:23:44.000000000 +0200 -+++ bind-9.10.4-P3/lib/dns/openssldh_link.c 2016-11-07 17:57:34.336237955 +0100 -@@ -81,6 +81,7 @@ openssldh_computesecret(const dst_key_t + +@@ -41,6 +43,15 @@ + #define BN_GENCB_get_arg(x) ((x)->arg) + #endif + ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++/* ++ * EVP_dss1() is a version of EVP_sha1() that was needed prior to ++ * 1.1.0 because there was a link between digests and signing algorithms; ++ * the link has been eliminated and EVP_sha1() can be used now instead. 
++ */ ++#define EVP_dss1 EVP_sha1 ++#endif ++ + ISC_LANG_BEGINDECLS + + isc_result_t +diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c +index 2e8bcf6..58df04d 100644 +--- a/lib/dns/openssl_link.c ++++ b/lib/dns/openssl_link.c +@@ -102,6 +102,7 @@ entropy_add(const void *buf, int num, double entropy) { + } + #endif + ++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) + static void + lock_callback(int mode, int type, const char *file, int line) { + UNUSED(file); +@@ -112,45 +113,59 @@ lock_callback(int mode, int type, const char *file, int line) { + UNLOCK(&locks[type]); + } + +-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) + static unsigned long + id_callback(void) { + return ((unsigned long)isc_thread_self()); + } + #endif + ++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) ++#define FLARG_PASS , __FILE__, __LINE__ ++#define FLARG ++#define FILELINE ++#else ++#define FLARG , const char *file, int line ++#define FILELINE , __FILE__, __LINE__ ++#if ISC_MEM_TRACKLINES ++#define FLARG_PASS , file, line ++#else ++#define FLARG_PASS ++#endif ++ ++#endif ++ + static void * +-mem_alloc(size_t size) { ++mem_alloc(size_t size FLARG) { + #ifdef OPENSSL_LEAKS + void *ptr; + + INSIST(dst__memory_pool != NULL); +- ptr = isc_mem_allocate(dst__memory_pool, size); ++ ptr = isc__mem_allocate(dst__memory_pool, size FLARG_PASS); + return (ptr); + #else + INSIST(dst__memory_pool != NULL); +- return (isc_mem_allocate(dst__memory_pool, size)); ++ return (isc__mem_allocate(dst__memory_pool, size FLARG_PASS)); + #endif + } + + static void +-mem_free(void *ptr) { ++mem_free(void *ptr FLARG) { + INSIST(dst__memory_pool != NULL); + if (ptr != NULL) +- isc_mem_free(dst__memory_pool, ptr); ++ isc__mem_free(dst__memory_pool, ptr FLARG_PASS); + } + + static void * +-mem_realloc(void *ptr, size_t size) { ++mem_realloc(void *ptr, size_t size FLARG) { + #ifdef OPENSSL_LEAKS + void *rptr; + + 
INSIST(dst__memory_pool != NULL); +- rptr = isc_mem_reallocate(dst__memory_pool, ptr, size); ++ rptr = isc__mem_reallocate(dst__memory_pool, ptr, size FLARG_PASS); + return (rptr); + #else + INSIST(dst__memory_pool != NULL); +- return (isc_mem_reallocate(dst__memory_pool, ptr, size)); ++ return (isc__mem_reallocate(dst__memory_pool, ptr, size FLARG_PASS)); + #endif + } + +@@ -171,20 +186,20 @@ dst__openssl_init(const char *engine) { + #endif + CRYPTO_set_mem_functions(mem_alloc, mem_realloc, mem_free); + nlocks = CRYPTO_num_locks(); +- locks = mem_alloc(sizeof(isc_mutex_t) * nlocks); ++ locks = mem_alloc(sizeof(isc_mutex_t) * nlocks FILELINE); + if (locks == NULL) + return (ISC_R_NOMEMORY); + result = isc_mutexblock_init(locks, nlocks); + if (result != ISC_R_SUCCESS) + goto cleanup_mutexalloc; +- CRYPTO_set_locking_callback(lock_callback); + #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) ++ CRYPTO_set_locking_callback(lock_callback); + CRYPTO_set_id_callback(id_callback); + #endif + + ERR_load_crypto_strings(); + +- rm = mem_alloc(sizeof(RAND_METHOD)); ++ rm = mem_alloc(sizeof(RAND_METHOD) FILELINE); + if (rm == NULL) { + result = ISC_R_NOMEMORY; + goto cleanup_mutexinit; +@@ -250,20 +265,27 @@ dst__openssl_init(const char *engine) { + if (e != NULL) + ENGINE_free(e); + e = NULL; +- mem_free(rm); ++ mem_free(rm FILELINE); + rm = NULL; + #endif + cleanup_mutexinit: + CRYPTO_set_locking_callback(NULL); + DESTROYMUTEXBLOCK(locks, nlocks); + cleanup_mutexalloc: +- mem_free(locks); ++ mem_free(locks FILELINE); + locks = NULL; + return (result); + } + + void + dst__openssl_destroy(void) { ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ OPENSSL_cleanup(); ++ if (rm != NULL) { ++ mem_free(rm FILELINE); ++ rm = NULL; ++ } ++#else + /* + * Sequence taken from apps_shutdown() in . 
+ */ +@@ -271,7 +293,7 @@ dst__openssl_destroy(void) { + #if OPENSSL_VERSION_NUMBER >= 0x00907000L + RAND_cleanup(); + #endif +- mem_free(rm); ++ mem_free(rm FILELINE); + rm = NULL; + } + #if (OPENSSL_VERSION_NUMBER >= 0x00907000L) +@@ -303,16 +325,18 @@ dst__openssl_destroy(void) { + if (locks != NULL) { + CRYPTO_set_locking_callback(NULL); + DESTROYMUTEXBLOCK(locks, nlocks); +- mem_free(locks); ++ mem_free(locks FILELINE); + locks = NULL; + } ++#endif + } + + static isc_result_t + toresult(isc_result_t fallback) { + isc_result_t result = fallback; + unsigned long err = ERR_get_error(); +-#ifdef HAVE_OPENSSL_ECDSA ++#if defined(HAVE_OPENSSL_ECDSA) && \ ++ defined(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED) + int lib = ERR_GET_LIB(err); + #endif + int reason = ERR_GET_REASON(err); +@@ -326,7 +350,8 @@ toresult(isc_result_t fallback) { + result = ISC_R_NOMEMORY; + break; + default: +-#ifdef HAVE_OPENSSL_ECDSA ++#if defined(HAVE_OPENSSL_ECDSA) && \ ++ defined(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED) + if (lib == ERR_R_ECDSA_LIB && + reason == ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED) { + result = ISC_R_NOENTROPY; +diff --git a/lib/dns/openssldh_link.c b/lib/dns/openssldh_link.c +index 4237ad0..dec5b3c 100644 +--- a/lib/dns/openssldh_link.c ++++ b/lib/dns/openssldh_link.c +@@ -68,11 +68,74 @@ static isc_result_t openssldh_todns(const dst_key_t *key, isc_buffer_t *data); + + static BIGNUM *bn2, *bn768, *bn1024, *bn1536; + ++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) ++/* ++ * DH_get0_key, DH_set0_key, DH_get0_pqg and DH_set0_pqg ++ * are from OpenSSL 1.1.0. 
++ */ ++static void ++DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key) { ++ if (pub_key != NULL) ++ *pub_key = dh->pub_key; ++ if (priv_key != NULL) ++ *priv_key = dh->priv_key; ++} ++ ++static int ++DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key) { ++ /* Note that it is valid for priv_key to be NULL */ ++ if (pub_key == NULL) ++ return 0; ++ ++ BN_free(dh->pub_key); ++ BN_free(dh->priv_key); ++ dh->pub_key = pub_key; ++ dh->priv_key = priv_key; ++ ++ return 1; ++} ++ ++static void ++DH_get0_pqg(const DH *dh, ++ const BIGNUM **p, const BIGNUM **q, const BIGNUM **g) ++{ ++ if (p != NULL) ++ *p = dh->p; ++ if (q != NULL) ++ *q = dh->q; ++ if (g != NULL) ++ *g = dh->g; ++} ++ ++static int ++DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) { ++ /* q is optional */ ++ if (p == NULL || g == NULL) ++ return(0); ++ BN_free(dh->p); ++ BN_free(dh->q); ++ BN_free(dh->g); ++ dh->p = p; ++ dh->q = q; ++ dh->g = g; ++ ++ if (q != NULL) { ++ dh->length = BN_num_bits(q); ++ } ++ ++ return(1); ++} ++ ++#define DH_clear_flags(d, f) (d)->flags &= ~(f) ++ ++#endif ++ + static isc_result_t + openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv, + isc_buffer_t *secret) + { + DH *dhpub, *dhpriv; ++ const BIGNUM *pub_key = NULL; int ret; isc_region_t r; unsigned int len; -+ const BIGNUM *pub_key; - - REQUIRE(pub->keydata.dh != NULL); - REQUIRE(priv->keydata.dh != NULL); -@@ -92,7 +93,12 @@ openssldh_computesecret(const dst_key_t +@@ -87,7 +150,9 @@ openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv, isc_buffer_availableregion(secret, &r); if (r.length < len) return (ISC_R_NOSPACE); - ret = DH_compute_key(r.base, dhpub->pub_key, dhpriv); -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+ pub_key = dhpub->pub_key; -+#else ++ + DH_get0_key(dhpub, &pub_key, NULL); -+#endif + ret = DH_compute_key(r.base, pub_key, dhpriv); if (ret <= 0) return (dst__openssl_toresult2("DH_compute_key", DST_R_COMPUTESECRETFAILURE)); -@@ -104,6 +110,8 
@@ static isc_boolean_t +@@ -97,8 +162,10 @@ openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv, + + static isc_boolean_t openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) { - int status; +- int status; DH *dh1, *dh2; -+ const BIGNUM *p1, *g1, *pub_key1, *priv_key1; -+ const BIGNUM *p2, *g2, *pub_key2, *priv_key2; ++ const BIGNUM *pub_key1 = NULL, *pub_key2 = NULL; ++ const BIGNUM *priv_key1 = NULL, *priv_key2 = NULL; ++ const BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL; dh1 = key1->keydata.dh; dh2 = key2->keydata.dh; -@@ -113,17 +121,33 @@ openssldh_compare(const dst_key_t *key1, +@@ -108,17 +175,19 @@ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) { else if (dh1 == NULL || dh2 == NULL) return (ISC_FALSE); - status = BN_cmp(dh1->p, dh2->p) || - BN_cmp(dh1->g, dh2->g) || - BN_cmp(dh1->pub_key, dh2->pub_key); -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+ p1 = dh1->p; -+ g1 = dh1->g; -+ pub_key1 = dh1->pub_key; -+ priv_key1 = dh1->priv_key; -+ p2 = dh2->p; -+ g2 = dh2->g; -+ pub_key2 = dh2->pub_key; -+ priv_key2 = dh2->priv_key; -+#else -+ DH_get0_pqg(dh1, &p1, NULL, &g1); + DH_get0_key(dh1, &pub_key1, &priv_key1); -+ DH_get0_pqg(dh2, &p2, NULL, &g2); + DH_get0_key(dh2, &pub_key2, &priv_key2); -+#endif -+ -+ status = BN_cmp(p1, p2) || -+ BN_cmp(g1, g2) || -+ BN_cmp(pub_key1, pub_key2); ++ DH_get0_pqg(dh1, &p1, NULL, &g1); ++ DH_get0_pqg(dh2, &p2, NULL, &g2); - if (status != 0) +- if (status != 0) ++ if (BN_cmp(p1, p2) != 0 || BN_cmp(g1, g2) != 0 || ++ BN_cmp(pub_key1, pub_key2) != 0) return (ISC_FALSE); - if (dh1->priv_key != NULL || dh2->priv_key != NULL) { 
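Review bot: On the OpenSSL >= 1.1.0 path the new `dst__openssl_destroy()` body (`OPENSSL_cleanup(); if (rm != NULL) { mem_free(rm FILELINE); rm = NULL; }`) never releases `locks`, although `dst__openssl_init()` still allocates it with `mem_alloc(sizeof(isc_mutex_t) * nlocks FILELINE)` and initialises it with `isc_mutexblock_init(locks, nlocks)` unconditionally; the `if (locks != NULL) { ... DESTROYMUTEXBLOCK(locks, nlocks); mem_free(locks FILELINE); locks = NULL; }` block that frees it now sits inside the `#else` branch, so the mutex block and its memory leak on every destroy with a 1.1.0 build. Moving the new `#endif` to just above that `if (locks != NULL)` block lets both branches share it; the `CRYPTO_set_locking_callback(NULL)` inside it is already called unconditionally on init's `cleanup_mutexinit:` path, so it compiles on either side. Separately, in bin/tests/dst/t_dst.c the unchanged `dst_lib_destroy()` on t2_vfy's "library built without crypto support" path now runs once per data row in addition to the new `dst_lib_destroy()` in `t2()`, so a build without crypto destroys the library more than once, which dst_lib_destroy() may not tolerate; dropping the call from t2_vfy or guarding the one in t2() avoids that. The dst__openssl_destroy and t2_vfy bodies are only partly visible in this hunk.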
@@ -116,140 +748,114 @@ return (ISC_FALSE); } return (ISC_TRUE); -@@ -133,6 +157,8 @@ static isc_boolean_t +@@ -126,8 +195,8 @@ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) { + + static isc_boolean_t openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) { - int status; +- int status; DH *dh1, *dh2; -+ const BIGNUM *p1, *g1; -+ const BIGNUM *p2, *g2; ++ const BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL; dh1 = key1->keydata.dh; dh2 = key2->keydata.dh; -@@ -142,8 +168,18 @@ openssldh_paramcompare(const dst_key_t * +@@ -137,10 +206,10 @@ openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) { else if (dh1 == NULL || dh2 == NULL) return (ISC_FALSE); - status = BN_cmp(dh1->p, dh2->p) || - BN_cmp(dh1->g, dh2->g); -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+ p1 = dh1->p; -+ g1 = dh1->g; -+ p2 = dh2->p; -+ g2 = dh2->g; -+#else + DH_get0_pqg(dh1, &p1, NULL, &g1); + DH_get0_pqg(dh2, &p2, NULL, &g2); -+#endif -+ -+ status = BN_cmp(p1, p2) || -+ BN_cmp(g1, g2); - if (status != 0) +- if (status != 0) ++ if (BN_cmp(p1, p2) != 0 || BN_cmp(g1, g2) != 0) return (ISC_FALSE); -@@ -190,16 +226,29 @@ openssldh_generate(dst_key_t *key, int g + return (ISC_TRUE); + } +@@ -185,16 +254,25 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { key->key_size == 1024 || key->key_size == 1536) { + BIGNUM *p, *g; dh = DH_new(); - if (dh == NULL) - return (dst__openssl_toresult(ISC_R_NOMEMORY)); +- if (dh == NULL) +- return (dst__openssl_toresult(ISC_R_NOMEMORY)); if (key->key_size == 768) - dh->p = bn768; -+ p = bn768; ++ p = BN_dup(bn768); else if (key->key_size == 1024) - dh->p = bn1024; -+ p = bn1024; ++ p = BN_dup(bn1024); else - dh->p = bn1536; -+ p = bn1536; -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+ dh->p = p; - dh->g = bn2; -+#else -+ p = BN_dup(p); +- dh->g = bn2; ++ p = BN_dup(bn1536); + g = BN_dup(bn2); -+ if (p == NULL || g == NULL) { -+ BN_free(p); -+ BN_free(g); ++ if (dh == NULL || p == NULL || g 
== NULL) { ++ if (dh != NULL) ++ DH_free(dh); ++ if (p != NULL) ++ BN_free(p); ++ if (g != NULL) ++ BN_free(g); + return (dst__openssl_toresult(ISC_R_NOMEMORY)); + } + DH_set0_pqg(dh, p, NULL, g); -+#endif } else generator = 2; } -@@ -247,7 +296,11 @@ openssldh_generate(dst_key_t *key, int g +@@ -242,8 +320,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { return (dst__openssl_toresult2("DH_generate_key", DST_R_OPENSSLFAILURE)); } -+#if OPENSSL_VERSION_NUMBER < 0x10100000L - dh->flags &= ~DH_FLAG_CACHE_MONT_P; -+#else +- dh->flags &= ~DH_FLAG_CACHE_MONT_P; +- + DH_clear_flags(dh, DH_FLAG_CACHE_MONT_P); -+#endif - key->keydata.dh = dh; -@@ -257,7 +310,17 @@ openssldh_generate(dst_key_t *key, int g + return (ISC_R_SUCCESS); +@@ -252,7 +329,10 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { static isc_boolean_t openssldh_isprivate(const dst_key_t *key) { DH *dh = key->keydata.dh; - return (ISC_TF(dh != NULL && dh->priv_key != NULL)); -+ const BIGNUM *priv_key; -+ -+ if (dh == NULL) -+ return (ISC_TF(0)); ++ const BIGNUM *priv_key = NULL; + -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+ priv_key = dh->priv_key; -+#else + DH_get0_key(dh, NULL, &priv_key); -+#endif -+ return (ISC_TF(priv_key != NULL)); ++ return (ISC_TF(dh != NULL && priv_key != NULL)); } static void -@@ -267,10 +330,12 @@ openssldh_destroy(dst_key_t *key) { +@@ -262,10 +342,6 @@ openssldh_destroy(dst_key_t *key) { if (dh == NULL) return; -+#if OPENSSL_VERSION_NUMBER < 0x10100000L - if (dh->p == bn768 || dh->p == bn1024 || dh->p == bn1536) - dh->p = NULL; - if (dh->g == bn2) - dh->g = NULL; -+#endif +- if (dh->p == bn768 || dh->p == bn1024 || dh->p == bn1536) +- dh->p = NULL; +- if (dh->g == bn2) +- dh->g = NULL; DH_free(dh); key->keydata.dh = NULL; } -@@ -299,6 +364,7 @@ uint16_fromregion(isc_region_t *region) +@@ -294,6 +370,7 @@ uint16_fromregion(isc_region_t *region) { static isc_result_t openssldh_todns(const dst_key_t *key, isc_buffer_t 
*data) { DH *dh; -+ const BIGNUM *p, *g, *pub_key; ++ const BIGNUM *pub_key = NULL, *p = NULL, *g = NULL; isc_region_t r; isc_uint16_t dnslen, plen, glen, publen; -@@ -306,42 +372,51 @@ openssldh_todns(const dst_key_t *key, is - - dh = key->keydata.dh; +@@ -303,40 +380,43 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) { -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+ p = dh->p; -+ g = dh->g; -+ pub_key = dh->pub_key; -+#else -+ DH_get0_pqg(dh, &p, NULL, &g); -+ DH_get0_key(dh, &pub_key, NULL); -+#endif -+ isc_buffer_availableregion(data, &r); - if (dh->g == bn2 && - (dh->p == bn768 || dh->p == bn1024 || dh->p == bn1536)) { ++ DH_get0_pqg(dh, &p, NULL, &g); + if (BN_cmp(g, bn2) == 0 && -+ (BN_cmp(p, bn768) == 0 || BN_cmp(p, bn1024) == 0 || BN_cmp(p, bn1536) == 0)) { ++ (BN_cmp(p, bn768) == 0 || ++ BN_cmp(p, bn1024) == 0 || ++ BN_cmp(p, bn1536) == 0)) { plen = 1; glen = 0; } @@ -260,6 +866,7 @@ + glen = BN_num_bytes(g); } - publen = BN_num_bytes(dh->pub_key); ++ DH_get0_key(dh, &pub_key, NULL); + publen = BN_num_bytes(pub_key); dnslen = plen + glen + publen + 6; if (r.length < (unsigned int) dnslen) @@ -275,9 +882,10 @@ *r.base = 2; else *r.base = 3; - } - else +- } +- else - BN_bn2bin(dh->p, r.base); ++ } else + BN_bn2bin(p, r.base); isc_region_consume(&r, plen); 
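Review bot: The rewritten `openssldh_isprivate()` calls `DH_get0_key(dh, NULL, &priv_key)` before it tests `dh != NULL`, so a key whose `keydata.dh` is NULL now dereferences a null pointer: the compatibility shim added at the top of this file does `*priv_key = dh->priv_key` with no NULL check on `dh`, and OpenSSL 1.1.0's own DH_get0_key dereferences `dh` as well. The previous revision of this patch kept an explicit `if (dh == NULL) return (ISC_TF(0));` guard that this revision drops while still keeping the `dh != NULL &&` in the return expression, which is now too late to help. Guarding the accessor call, `if (dh != NULL) DH_get0_key(dh, NULL, &priv_key);`, restores the original behaviour. The same ordering is safe in `openssldh_compare()` and `openssldh_paramcompare()` in this hunk because both return ISC_FALSE on a NULL dh before calling the accessors.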
@@ -293,214 +901,123 @@ isc_region_consume(&r, publen); isc_buffer_add(data, dnslen); -@@ -355,6 +430,8 @@ openssldh_fromdns(dst_key_t *key, isc_bu +@@ -347,6 +427,7 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) { + static isc_result_t + openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { + DH *dh; ++ BIGNUM *pub_key = NULL, *p = NULL, *g = NULL; isc_region_t r; isc_uint16_t plen, glen, publen; int special = 0; -+ BIGNUM *p = NULL, *g = NULL, *pub_key = NULL; -+ isc_result_t ret = ISC_R_NOMEMORY; - - isc_buffer_remainingregion(data, &r); - if (r.length == 0) -@@ -363,24 +440,28 @@ openssldh_fromdns(dst_key_t *key, isc_bu +@@ -358,7 +439,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { dh = DH_new(); if (dh == NULL) return (dst__openssl_toresult(ISC_R_NOMEMORY)); -+#if OPENSSL_VERSION_NUMBER < 0x10100000L - dh->flags &= ~DH_FLAG_CACHE_MONT_P; -+#else +- dh->flags &= ~DH_FLAG_CACHE_MONT_P; + DH_clear_flags(dh, DH_FLAG_CACHE_MONT_P); -+#endif /* * Read the prime length. 1 & 2 are table entries, > 16 means a - * prime follows, otherwise an error. 
- */ - if (r.length < 2) { -- DH_free(dh); -- return (DST_R_INVALIDPUBLICKEY); -+ ret = DST_R_INVALIDPUBLICKEY; -+ goto fail; - } - plen = uint16_fromregion(&r); - if (plen < 16 && plen != 1 && plen != 2) { -- DH_free(dh); -- return (DST_R_INVALIDPUBLICKEY); -+ ret = DST_R_INVALIDPUBLICKEY; -+ goto fail; - } - if (r.length < plen) { -- DH_free(dh); -- return (DST_R_INVALIDPUBLICKEY); -+ ret = DST_R_INVALIDPUBLICKEY; -+ goto fail; - } - if (plen == 1 || plen == 2) { - if (plen == 1) { -@@ -391,85 +472,119 @@ openssldh_fromdns(dst_key_t *key, isc_bu +@@ -386,20 +467,20 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { } switch (special) { case 1: - dh->p = bn768; -+ p = bn768; ++ p = BN_dup(bn768); break; case 2: - dh->p = bn1024; -+ p = bn1024; ++ p = BN_dup(bn1024); break; case 3: - dh->p = bn1536; -+ p = bn1536; ++ p = BN_dup(bn1536); break; default: -- DH_free(dh); -- return (DST_R_INVALIDPUBLICKEY); -+ ret = DST_R_INVALIDPUBLICKEY; -+ goto fail; + DH_free(dh); + return (DST_R_INVALIDPUBLICKEY); } -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L -+ p = BN_dup(p); -+#endif } else { - dh->p = BN_bin2bn(r.base, plen, NULL); + p = BN_bin2bn(r.base, plen, NULL); isc_region_consume(&r, plen); } -+ if (p == NULL) { -+ ret = dst__openssl_toresult(ISC_R_NOMEMORY); -+ goto fail; -+ } -+ - /* - * Read the generator length. This should be 0 if the prime was - * special, but it might not be. If it's 0 and the prime is not - * special, we have a problem. 
- */ - if (r.length < 2) { -- DH_free(dh); -- return (DST_R_INVALIDPUBLICKEY); -+ ret = DST_R_INVALIDPUBLICKEY; -+ goto fail; - } - glen = uint16_fromregion(&r); - if (r.length < glen) { -- DH_free(dh); -- return (DST_R_INVALIDPUBLICKEY); -+ ret = DST_R_INVALIDPUBLICKEY; -+ goto fail; +@@ -419,15 +500,12 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { } if (special != 0) { -- if (glen == 0) + if (glen == 0) - dh->g = bn2; -- else { ++ g = BN_dup(bn2); + else { - dh->g = BN_bin2bn(r.base, glen, NULL); - if (BN_cmp(dh->g, bn2) == 0) { - BN_free(dh->g); - dh->g = bn2; - } - else { -- DH_free(dh); -- return (DST_R_INVALIDPUBLICKEY); -+ if (glen == 0) { -+ g = bn2; -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L -+ g = BN_dup(g); -+#endif -+ } else { + g = BN_bin2bn(r.base, glen, NULL); -+ if (BN_cmp(g, bn2) != 0) { -+ ret = DST_R_INVALIDPUBLICKEY; -+ goto fail; ++ if (g != NULL && BN_cmp(g, bn2) != 0) { + DH_free(dh); ++ BN_free(g); + return (DST_R_INVALIDPUBLICKEY); } -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+ BN_free(g); -+ g = bn2; -+#endif } - } else { - if (glen == 0) { -- DH_free(dh); -- return (DST_R_INVALIDPUBLICKEY); -+ ret = DST_R_INVALIDPUBLICKEY; -+ goto fail; +@@ -436,10 +514,20 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { + DH_free(dh); + return (DST_R_INVALIDPUBLICKEY); } - dh->g = BN_bin2bn(r.base, glen, NULL); + g = BN_bin2bn(r.base, glen, NULL); } isc_region_consume(&r, glen); ++ if (p == NULL || g == NULL) { ++ DH_free(dh); ++ if (p != NULL) ++ BN_free(p); ++ if (g != NULL) ++ BN_free(g); ++ return (dst__openssl_toresult(ISC_R_NOMEMORY)); ++ } ++ DH_set0_pqg(dh, p, NULL, g); ++ if (r.length < 2) { -- DH_free(dh); -- return (DST_R_INVALIDPUBLICKEY); -+ ret = DST_R_INVALIDPUBLICKEY; -+ goto fail; - } - publen = uint16_fromregion(&r); - if (r.length < publen) { -- DH_free(dh); -- return (DST_R_INVALIDPUBLICKEY); -+ ret = DST_R_INVALIDPUBLICKEY; -+ goto fail; + DH_free(dh); + return (DST_R_INVALIDPUBLICKEY); +@@ -449,10 +537,15 @@ 
openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { + DH_free(dh); + return (DST_R_INVALIDPUBLICKEY); } - dh->pub_key = BN_bin2bn(r.base, publen, NULL); + pub_key = BN_bin2bn(r.base, publen, NULL); ++ if (pub_key == NULL) { ++ DH_free(dh); ++ return (dst__openssl_toresult(ISC_R_NOMEMORY)); ++ } ++ DH_set0_key(dh, pub_key, NULL); isc_region_consume(&r, publen); - key->key_size = BN_num_bits(dh->p); -+ if (p == NULL || g == NULL || -+ pub_key == NULL) { -+ ret = dst__openssl_toresult(ISC_R_NOMEMORY); -+ goto fail; -+ } -+ + key->key_size = BN_num_bits(p); isc_buffer_forward(data, plen + glen + publen + 6); -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+ dh->p = p; -+ dh->g = g; -+ dh->pub_key = pub_key; -+#else -+ DH_set0_pqg(dh, p, NULL, g); -+ DH_set0_key(dh, pub_key, NULL); -+#endif -+ - key->keydata.dh = dh; - - return (ISC_R_SUCCESS); -+fail: -+ if (p != bn768 && p != bn1024 && p != bn1536) -+ BN_free(p); -+ if (g != bn2) -+ BN_free(g); -+ DH_free(dh); -+ return ret; - } - - static isc_result_t +@@ -465,6 +558,7 @@ static isc_result_t openssldh_tofile(const dst_key_t *key, const char *directory) { int i; DH *dh; -+ const BIGNUM *p, *g, *pub_key, *priv_key; ++ const BIGNUM *pub_key = NULL, *priv_key = NULL, *p = NULL, *g = NULL; dst_private_t priv; unsigned char *bufs[4]; isc_result_t result; -@@ -482,9 +597,19 @@ openssldh_tofile(const dst_key_t *key, c +@@ -476,10 +570,12 @@ openssldh_tofile(const dst_key_t *key, const char *directory) { + return (DST_R_EXTERNALKEY); dh = key->keydata.dh; - -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+ p = dh->p; -+ g = dh->g; -+ pub_key = dh->pub_key; -+ priv_key = dh->priv_key; -+#else -+ DH_get0_pqg(dh, &p, NULL, &g); + DH_get0_key(dh, &pub_key, &priv_key); -+#endif -+ ++ DH_get0_pqg(dh, &p, NULL, &g); + memset(bufs, 0, sizeof(bufs)); for (i = 0; i < 4; i++) { - bufs[i] = isc_mem_get(key->mctx, BN_num_bytes(dh->p)); 
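Review bot: In the rewritten `openssldh_fromdns()` the prime now lives in the local `p` (`p = BN_dup(bn768)` / `p = BN_bin2bn(r.base, plen, NULL)`) and is only handed to `dh` at the new `DH_set0_pqg(dh, p, NULL, g)` after the generator has been parsed, but the error returns in between still do just `DH_free(dh); return (DST_R_INVALIDPUBLICKEY);`: the unchanged `glen == 0` branch of the non-special case, the new `g != NULL && BN_cmp(g, bn2) != 0` branch (which frees `g` but not `p`), and, if I read the dropped `goto fail` lines correctly, the two `r.length` checks between the prime and generator reads that this revision no longer touches. Each malformed DH key record therefore leaks a BIGNUM on the wire-parsing path, where the input is untrusted, so repeated bad keys accumulate memory. Either restore the `fail:` label and `ret` variable that the previous revision of this patch used, or insert `if (p != NULL) BN_free(p);` ahead of `DH_free(dh);` at each of those returns; after `DH_set0_pqg()` the remaining `DH_free(dh)` returns are fine because `dh` owns `p` and `g` by then. Parts of the function body fall in the gaps between the inner hunks.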
@@ -508,7 +1025,7 @@ if (bufs[i] == NULL) { result = ISC_R_NOMEMORY; goto fail; -@@ -494,26 +619,26 @@ openssldh_tofile(const dst_key_t *key, c +@@ -489,26 +585,26 @@ openssldh_tofile(const dst_key_t *key, const char *directory) { i = 0; priv.elements[i].tag = TAG_DH_PRIME; @@ -543,7 +1060,7 @@ priv.elements[i].data = bufs[i]; i++; -@@ -523,7 +648,7 @@ openssldh_tofile(const dst_key_t *key, c +@@ -518,7 +614,7 @@ openssldh_tofile(const dst_key_t *key, const char *directory) { for (i = 0; i < 4; i++) { if (bufs[i] == NULL) break; @@ -552,27 +1069,29 @@ } return (result); } -@@ -534,6 +659,7 @@ openssldh_parse(dst_key_t *key, isc_lex_ +@@ -529,6 +625,7 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { isc_result_t ret; int i; DH *dh = NULL; -+ BIGNUM *p = NULL, *g = NULL, *pub_key = NULL, *priv_key = NULL; ++ BIGNUM *pub_key = NULL, *priv_key = NULL, *p = NULL, *g = NULL; isc_mem_t *mctx; #define DST_RET(a) {ret = a; goto err;} -@@ -551,7 +677,11 @@ openssldh_parse(dst_key_t *key, isc_lex_ +@@ -546,63 +643,47 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { dh = DH_new(); if (dh == NULL) DST_RET(ISC_R_NOMEMORY); -+#if OPENSSL_VERSION_NUMBER < 0x10100000L - dh->flags &= ~DH_FLAG_CACHE_MONT_P; -+#else +- dh->flags &= ~DH_FLAG_CACHE_MONT_P; + DH_clear_flags(dh, DH_FLAG_CACHE_MONT_P); -+#endif key->keydata.dh = dh; for (i = 0; i < priv.nelements; i++) { -@@ -563,51 +693,63 @@ openssldh_parse(dst_key_t *key, isc_lex_ + BIGNUM *bn; + bn = BN_bin2bn(priv.elements[i].data, + priv.elements[i].length, NULL); +- if (bn == NULL) ++ if (bn == NULL) + DST_RET(ISC_R_NOMEMORY); switch (priv.elements[i].tag) { case TAG_DH_PRIME: 
@@ -594,76 +1113,136 @@ } } dst__privstruct_free(&priv, mctx); ++ DH_set0_key(dh, pub_key, priv_key); ++ DH_set0_pqg(dh, p, NULL, g); - key->key_size = BN_num_bits(dh->p); -+ key->key_size = BN_num_bits(p); - -+#if OPENSSL_VERSION_NUMBER < 0x10100000L - if ((key->key_size == 768 || - key->key_size == 1024 || - key->key_size == 1536) && +- +- if ((key->key_size == 768 || +- key->key_size == 1024 || +- key->key_size == 1536) && - BN_cmp(dh->g, bn2) == 0) -+ BN_cmp(g, bn2) == 0) - { +- { - if (key->key_size == 768 && BN_cmp(dh->p, bn768) == 0) { - BN_free(dh->p); - BN_free(dh->g); -+ if (key->key_size == 768 && BN_cmp(p, bn768) == 0) { - dh->p = bn768; - dh->g = bn2; - } else if (key->key_size == 1024 && +- dh->p = bn768; +- dh->g = bn2; +- } else if (key->key_size == 1024 && - BN_cmp(dh->p, bn1024) == 0) { - BN_free(dh->p); - BN_free(dh->g); -+ BN_cmp(p, bn1024) == 0) { - dh->p = bn1024; - dh->g = bn2; - } else if (key->key_size == 1536 && +- dh->p = bn1024; +- dh->g = bn2; +- } else if (key->key_size == 1536 && - BN_cmp(dh->p, bn1536) == 0) { - BN_free(dh->p); - BN_free(dh->g); -+ BN_cmp(p, bn1536) == 0) { - dh->p = bn1536; - dh->g = bn2; -+ } else { -+ dh->p = p; -+ dh->g = g; - } -+ } else { -+ dh->p = p; -+ dh->g = g; - } +- dh->p = bn1536; +- dh->g = bn2; +- } +- } - -+ dh->pub_key = pub_key; -+ dh->priv_key = priv_key; -+#else -+ if (p == NULL || g == NULL || pub_key == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ DH_set0_pqg(dh, p, NULL, g); -+ DH_set0_key(dh, pub_key, priv_key); -+#endif ++ key->key_size = BN_num_bits(p); return (ISC_R_SUCCESS); err: -+ BN_free(p); -+ BN_free(g); -+ BN_free(pub_key); -+ BN_free(priv_key); ++ if (p != NULL) ++ BN_free(p); ++ if (g != NULL) ++ BN_free(g); ++ if (pub_key != NULL) ++ BN_free(pub_key); ++ if (priv_key != NULL) ++ BN_free(priv_key); openssldh_destroy(key); dst__privstruct_free(&priv, mctx); memset(&priv, 0, sizeof(priv)); ---- bind-9.10.4-P3/lib/dns/openssldsa_link.c 2016-09-14 03:23:44.000000000 +0200 -+++ 
bind-9.10.4-P3/lib/dns/openssldsa_link.c 2016-11-07 17:57:34.337237978 +0100 -@@ -64,7 +64,7 @@ openssldsa_createctx(dst_key_t *key, dst - if (evp_md_ctx == NULL) - return (ISC_R_NOMEMORY); +diff --git a/lib/dns/openssldsa_link.c b/lib/dns/openssldsa_link.c +index 184c163..2b55bc4 100644 +--- a/lib/dns/openssldsa_link.c ++++ b/lib/dns/openssldsa_link.c +@@ -48,6 +48,79 @@ -- if (!EVP_DigestInit_ex(evp_md_ctx, EVP_dss1(), NULL)) { -+ if (!EVP_DigestInit_ex(evp_md_ctx, EVP_sha1(), NULL)) { - EVP_MD_CTX_destroy(evp_md_ctx); - return (ISC_R_FAILURE); - } -@@ -123,7 +123,7 @@ openssldsa_adddata(dst_context_t *dctx, + static isc_result_t openssldsa_todns(const dst_key_t *key, isc_buffer_t *data); + ++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) ++static void ++DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q, ++ const BIGNUM **g) ++{ ++ if (p != NULL) ++ *p = d->p; ++ if (q != NULL) ++ *q = d->q; ++ if (g != NULL) ++ *g = d->g; ++} ++ ++static int ++DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g) { ++ if (p == NULL || q == NULL || g == NULL) ++ return 0; ++ BN_free(d->p); ++ BN_free(d->q); ++ BN_free(d->g); ++ d->p = p; ++ d->q = q; ++ d->g = g; ++ ++ return 1; ++} ++ ++static void ++DSA_get0_key(const DSA *d, const BIGNUM **pub_key, const BIGNUM **priv_key) { ++ if (pub_key != NULL) ++ *pub_key = d->pub_key; ++ if (priv_key != NULL) ++ *priv_key = d->priv_key; ++} ++ ++static int ++DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key) { ++ /* Note that it is valid for priv_key to be NULL */ ++ if (pub_key == NULL) ++ return 0; ++ ++ BN_free(d->pub_key); ++ BN_free(d->priv_key); ++ d->pub_key = pub_key; ++ d->priv_key = priv_key; ++ ++ return 1; ++} ++ ++static void ++DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) { ++ *pr = sig->r; ++ *ps = sig->s; ++} ++ ++static int ++DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s) { ++ if (r == NULL || s == NULL) ++ return 0; ++ ++ BN_clear_free(sig->r); ++ 
BN_clear_free(sig->s); ++ sig->r = r; ++ sig->s = s; ++ ++ return 1; ++} ++ ++ ++#define DSA_clear_flags(d, x) (d)->flags &= ~(x) ++ ++#endif ++ + static isc_result_t + openssldsa_createctx(dst_key_t *key, dst_context_t *dctx) { + #if USE_EVP +@@ -118,7 +191,7 @@ openssldsa_adddata(dst_context_t *dctx, const isc_region_t *data) { } static int 
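Review bot: The guard that preceded the DH setters in openssldh_parse has been dropped on the new side: the previous revision had `if (p == NULL || g == NULL || pub_key == NULL) DST_RET(ISC_R_NOMEMORY);`, while the new code calls `DH_set0_key(dh, pub_key, priv_key); DH_set0_pqg(dh, p, NULL, g);` unconditionally, ignores both return values and then evaluates `key->key_size = BN_num_bits(p);`. If the private-key file lacks one of the elements (the element loop is in the preceding hunk, so this is inferred), p or g stays NULL, DH_set0_pqg refuses the parameters without taking ownership, and BN_num_bits dereferences NULL. Restoring the check before the setter calls, and treating a zero return from either setter as a failure, keeps the err path's per-pointer frees correct since ownership only transfers on success. The same pattern recurs in openssldsa_parse in the hunk at -1038/+1571; openssldh_parse's body begins outside this hunk.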
@@ -672,75 +1251,85 @@ int bytes = size - BN_num_bytes(bn); while (bytes-- > 0) *buf++ = 0; -@@ -137,6 +137,7 @@ openssldsa_sign(dst_context_t *dctx, isc +@@ -130,8 +203,9 @@ static isc_result_t + openssldsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { + dst_key_t *key = dctx->key; DSA *dsa = key->keydata.dsa; - isc_region_t r; +- isc_region_t r; ++ isc_region_t region; DSA_SIG *dsasig; -+ const BIGNUM *dr, *ds; ++ const BIGNUM *r = 0, *s = NULL; unsigned int klen; #if USE_EVP EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx; -@@ -218,9 +219,16 @@ openssldsa_sign(dst_context_t *dctx, isc - *r.base = klen; - isc_region_consume(&r, 1); +@@ -144,8 +218,8 @@ openssldsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { + unsigned char digest[ISC_SHA1_DIGESTLENGTH]; + #endif + +- isc_buffer_availableregion(sig, &r); +- if (r.length < ISC_SHA1_DIGESTLENGTH * 2 + 1) ++ isc_buffer_availableregion(sig, ®ion); ++ if (region.length < ISC_SHA1_DIGESTLENGTH * 2 + 1) + return (ISC_R_NOSPACE); + #if USE_EVP +@@ -210,13 +284,14 @@ openssldsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { + klen = (key->key_size - 512)/64; + if (klen > 255) + return (ISC_R_FAILURE); +- *r.base = klen; +- isc_region_consume(&r, 1); +- - BN_bn2bin_fixed(dsasig->r, r.base, ISC_SHA1_DIGESTLENGTH); -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+ dr = dsasig->r; -+ ds = dsasig->s; -+#else -+ DSA_SIG_get0(dsasig, &dr, &ds); -+#endif -+ -+ BN_bn2bin_fixed(dr, r.base, ISC_SHA1_DIGESTLENGTH); - isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH); +- isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH); - BN_bn2bin_fixed(dsasig->s, r.base, ISC_SHA1_DIGESTLENGTH); -+ BN_bn2bin_fixed(ds, r.base, ISC_SHA1_DIGESTLENGTH); - isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH); +- isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH); ++ *region.base = klen; ++ isc_region_consume(®ion, 1); ++ ++ DSA_SIG_get0(dsasig, &r, &s); ++ BN_bn2bin_fixed(r, region.base, ISC_SHA1_DIGESTLENGTH); ++ isc_region_consume(®ion, ISC_SHA1_DIGESTLENGTH); ++ 
BN_bn2bin_fixed(s, region.base, ISC_SHA1_DIGESTLENGTH); ++ isc_region_consume(®ion, ISC_SHA1_DIGESTLENGTH); DSA_SIG_free(dsasig); isc_buffer_add(sig, ISC_SHA1_DIGESTLENGTH * 2 + 1); -@@ -235,6 +243,7 @@ openssldsa_verify(dst_context_t *dctx, c + +@@ -227,6 +302,7 @@ static isc_result_t + openssldsa_verify(dst_context_t *dctx, const isc_region_t *sig) { + dst_key_t *key = dctx->key; + DSA *dsa = key->keydata.dsa; ++ BIGNUM *r = NULL, *s = NULL; int status = 0; unsigned char *cp = sig->base; DSA_SIG *dsasig; -+ BIGNUM *dr = NULL, *ds = NULL; - #if USE_EVP - EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx; - #if 0 -@@ -267,9 +276,21 @@ openssldsa_verify(dst_context_t *dctx, c +@@ -262,9 +338,10 @@ openssldsa_verify(dst_context_t *dctx, const isc_region_t *sig) { dsasig = DSA_SIG_new(); if (dsasig == NULL) return (ISC_R_NOMEMORY); - dsasig->r = BN_bin2bn(cp, ISC_SHA1_DIGESTLENGTH, NULL); -+ dr = BN_bin2bn(cp, ISC_SHA1_DIGESTLENGTH, NULL); ++ r = BN_bin2bn(cp, ISC_SHA1_DIGESTLENGTH, NULL); cp += ISC_SHA1_DIGESTLENGTH; - dsasig->s = BN_bin2bn(cp, ISC_SHA1_DIGESTLENGTH, NULL); -+ ds = BN_bin2bn(cp, ISC_SHA1_DIGESTLENGTH, NULL); -+ if (dr == NULL || ds == NULL) { -+ DSA_SIG_free(dsasig); -+ BN_free(dr); -+ BN_free(ds); -+ return (ISC_R_NOMEMORY); -+ } -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+ dsasig->r = dr; -+ dsasig->s = ds; -+#else -+ DSA_SIG_set0(dsasig, dr, ds); -+#endif ++ s = BN_bin2bn(cp, ISC_SHA1_DIGESTLENGTH, NULL); ++ DSA_SIG_set0(dsasig, r, s); #if 0 pkey = EVP_PKEY_new(); -@@ -310,6 +331,8 @@ static isc_boolean_t +@@ -303,8 +380,11 @@ openssldsa_verify(dst_context_t *dctx, const isc_region_t *sig) { + + static isc_boolean_t openssldsa_compare(const dst_key_t *key1, const dst_key_t *key2) { - int status; +- int status; DSA *dsa1, *dsa2; -+ const BIGNUM *p1, *q1, *g1, *pub_key1, *priv_key1; -+ const BIGNUM *p2, *q2, *g2, *pub_key2, *priv_key2; ++ const BIGNUM *pub_key1 = NULL, *priv_key1 = NULL; ++ const BIGNUM *pub_key2 = NULL, *priv_key2 = NULL; ++ const 
BIGNUM *p1 = NULL, *q1 = NULL, *g1 = NULL; ++ const BIGNUM *p2 = NULL, *q2 = NULL, *g2 = NULL; dsa1 = key1->keydata.dsa; dsa2 = key2->keydata.dsa; -@@ -319,18 +342,36 @@ openssldsa_compare(const dst_key_t *key1 +@@ -314,18 +394,19 @@ openssldsa_compare(const dst_key_t *key1, const dst_key_t *key2) { else if (dsa1 == NULL || dsa2 == NULL) return (ISC_FALSE); @@ -748,30 +1337,14 @@ - BN_cmp(dsa1->q, dsa2->q) || - BN_cmp(dsa1->g, dsa2->g) || - BN_cmp(dsa1->pub_key, dsa2->pub_key); -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+ p1 = dsa1->p; -+ q1 = dsa1->q; -+ g1 = dsa1->g; -+ pub_key1 = dsa1->pub_key; -+ priv_key1 = dsa1->priv_key; -+ p2 = dsa2->p; -+ q2 = dsa2->q; -+ g2 = dsa2->g; -+ pub_key2 = dsa2->pub_key; -+ priv_key2 = dsa2->priv_key; -+#else -+ DSA_get0_pqg(dsa1, &p1, &q1, &g1); + DSA_get0_key(dsa1, &pub_key1, &priv_key1); -+ DSA_get0_pqg(dsa2, &p2, &q2, &g2); + DSA_get0_key(dsa2, &pub_key2, &priv_key2); -+#endif -+ -+ status = BN_cmp(p1, p2) || -+ BN_cmp(q1, q2) || -+ BN_cmp(g1, g2) || -+ BN_cmp(pub_key1, pub_key2); ++ DSA_get0_pqg(dsa1, &p1, &q1, &g1); ++ DSA_get0_pqg(dsa2, &p2, &q2, &g2); - if (status != 0) +- if (status != 0) ++ if (BN_cmp(p1, p2) != 0 || BN_cmp(q1, q2) != 0 || ++ BN_cmp(g1, g2) != 0 || BN_cmp(pub_key1, pub_key2) != 0) return (ISC_FALSE); - if (dsa1->priv_key != NULL || dsa2->priv_key != NULL) { 
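Review bot: openssldsa_verify no longer checks the two BN_bin2bn results: the previous revision returned ISC_R_NOMEMORY when `dr` or `ds` was NULL, but the new side goes straight to `DSA_SIG_set0(dsasig, r, s);` and discards its return value. When either conversion fails, DSA_SIG_set0 returns 0 without taking ownership, so the surviving BIGNUM leaks and dsasig reaches DSA_do_verify with a NULL component. A compact fix is `if (r == NULL || s == NULL || !DSA_SIG_set0(dsasig, r, s)) { BN_free(r); BN_free(s); DSA_SIG_free(dsasig); return (ISC_R_NOMEMORY); }` (BN_free tolerates NULL, as the removed code already relied on). The identical pattern appears in opensslecdsa_verify in the final hunk, whose `ECDSA_SIG_set0(ecdsasig, r, s);` likewise replaces an explicit NULL check. As a point of style, the new declaration `const BIGNUM *r = 0, *s = NULL;` in openssldsa_sign mixes `0` and `NULL` for the same purpose; `*r = NULL` would match the rest of the patch.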
@@ -780,73 +1353,58 @@ + if (priv_key1 == NULL || priv_key2 == NULL) return (ISC_FALSE); - if (BN_cmp(dsa1->priv_key, dsa2->priv_key)) -+ if (BN_cmp(priv_key2, priv_key2)) ++ if (BN_cmp(priv_key1, priv_key2)) return (ISC_FALSE); } return (ISC_TRUE); -@@ -422,7 +463,11 @@ openssldsa_generate(dst_key_t *key, int +@@ -417,7 +498,8 @@ openssldsa_generate(dst_key_t *key, int unused, void (*callback)(int)) { return (dst__openssl_toresult2("DSA_generate_key", DST_R_OPENSSLFAILURE)); } -+#if OPENSSL_VERSION_NUMBER < 0x10100000L - dsa->flags &= ~DSA_FLAG_CACHE_MONT_P; -+#else +- dsa->flags &= ~DSA_FLAG_CACHE_MONT_P; ++ + DSA_clear_flags(dsa, DSA_FLAG_CACHE_MONT_P); -+#endif key->keydata.dsa = dsa; -@@ -432,7 +477,17 @@ openssldsa_generate(dst_key_t *key, int +@@ -427,7 +509,10 @@ openssldsa_generate(dst_key_t *key, int unused, void (*callback)(int)) { static isc_boolean_t openssldsa_isprivate(const dst_key_t *key) { DSA *dsa = key->keydata.dsa; - return (ISC_TF(dsa != NULL && dsa->priv_key != NULL)); -+ const BIGNUM *priv_key; ++ const BIGNUM *priv_key = NULL; + -+ if (dsa == NULL) -+ return (ISC_TF(0)); -+ -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+ priv_key = dsa->priv_key; -+#else -+ DSA_get0_key(dsa, NULL, &priv_key); -+#endif -+ return (ISC_TF(priv_key != NULL)); ++ DSA_get0_key(dsa, NULL, &priv_key); ++ return (ISC_TF(dsa != NULL && priv_key != NULL)); } static void -@@ -446,6 +501,7 @@ openssldsa_destroy(dst_key_t *key) { +@@ -441,6 +526,7 @@ openssldsa_destroy(dst_key_t *key) { static isc_result_t openssldsa_todns(const dst_key_t *key, isc_buffer_t *data) { DSA *dsa; -+ const BIGNUM *p, *q, *g, *pub_key; ++ const BIGNUM *pub_key, *p = NULL, *q = NULL, *g = NULL; isc_region_t r; int dnslen; unsigned int t, p_bytes; -@@ -456,7 +512,17 @@ openssldsa_todns(const dst_key_t *key, i +@@ -451,7 +537,10 @@ openssldsa_todns(const dst_key_t *key, isc_buffer_t *data) { isc_buffer_availableregion(data, &r); - t = (BN_num_bytes(dsa->p) - 64) / 8; -+#if OPENSSL_VERSION_NUMBER < 
0x10100000L -+ p = dsa->p; -+ q = dsa->q; -+ g = dsa->g; -+ pub_key = dsa->pub_key; -+#else -+ DSA_get0_pqg(dsa, &p, &q, &g); + DSA_get0_key(dsa, &pub_key, NULL); -+#endif ++ DSA_get0_pqg(dsa, &p, &q, &g); + + t = (BN_num_bytes(p) - 64) / 8; if (t > 8) return (DST_R_INVALIDPUBLICKEY); p_bytes = 64 + 8 * t; -@@ -467,13 +533,13 @@ openssldsa_todns(const dst_key_t *key, i +@@ -462,13 +551,14 @@ openssldsa_todns(const dst_key_t *key, isc_buffer_t *data) { *r.base = t; isc_region_consume(&r, 1); - BN_bn2bin_fixed(dsa->q, r.base, ISC_SHA1_DIGESTLENGTH); ++ + BN_bn2bin_fixed(q, r.base, ISC_SHA1_DIGESTLENGTH); isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH); - BN_bn2bin_fixed(dsa->p, r.base, key->key_size/8); @@ -860,27 +1418,24 @@ isc_region_consume(&r, p_bytes); isc_buffer_add(data, dnslen); -@@ -484,6 +550,7 @@ openssldsa_todns(const dst_key_t *key, i +@@ -479,6 +569,7 @@ openssldsa_todns(const dst_key_t *key, isc_buffer_t *data) { static isc_result_t openssldsa_fromdns(dst_key_t *key, isc_buffer_t *data) { DSA *dsa; -+ BIGNUM *p = NULL, *q = NULL, *g = NULL, *pub_key = NULL; ++ BIGNUM *pub_key, *p, *q, *g; isc_region_t r; unsigned int t, p_bytes; isc_mem_t *mctx = key->mctx; -@@ -497,7 +564,11 @@ openssldsa_fromdns(dst_key_t *key, isc_b +@@ -492,7 +583,7 @@ openssldsa_fromdns(dst_key_t *key, isc_buffer_t *data) { dsa = DSA_new(); if (dsa == NULL) return (ISC_R_NOMEMORY); -+#if OPENSSL_VERSION_NUMBER < 0x10100000L - dsa->flags &= ~DSA_FLAG_CACHE_MONT_P; -+#else +- dsa->flags &= ~DSA_FLAG_CACHE_MONT_P; + DSA_clear_flags(dsa, DSA_FLAG_CACHE_MONT_P); -+#endif t = (unsigned int) *r.base; isc_region_consume(&r, 1); -@@ -512,22 +583,42 @@ openssldsa_fromdns(dst_key_t *key, isc_b +@@ -507,18 +598,29 @@ openssldsa_fromdns(dst_key_t *key, isc_buffer_t *data) { return (DST_R_INVALIDPUBLICKEY); } 
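Review bot: In openssldsa_isprivate the new body `DSA_get0_key(dsa, NULL, &priv_key); return (ISC_TF(dsa != NULL && priv_key != NULL));` dereferences dsa before testing it for NULL, so the `dsa != NULL` term is dead. Both the compat shim this patch adds (`*priv_key = d->priv_key;`) and the OpenSSL 1.1 accessor read through the pointer unconditionally; the previous revision avoided this with an early `if (dsa == NULL) return (ISC_TF(0));`, which the new side removes. Reinstate the early return, e.g. `if (dsa == NULL) return (ISC_FALSE);` ahead of the accessor call, and simplify the tail to `return (ISC_TF(priv_key != NULL));`.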
@@ -900,55 +1455,35 @@ + pub_key = BN_bin2bn(r.base, p_bytes, NULL); isc_region_consume(&r, p_bytes); - key->key_size = p_bytes * 8; - - isc_buffer_forward(data, 1 + ISC_SHA1_DIGESTLENGTH + 3 * p_bytes); - -+ if (p == NULL || q == NULL || g == NULL || -+ pub_key == NULL) { ++ if (pub_key == NULL || p == NULL || q == NULL || g == NULL) { + DSA_free(dsa); -+ BN_free(p); -+ BN_free(q); -+ BN_free(g); -+ BN_free(pub_key); -+ return dst__openssl_toresult(ISC_R_NOMEMORY); ++ if (p != NULL) BN_free(p); ++ if (q != NULL) BN_free(q); ++ if (g != NULL) BN_free(g); ++ return (ISC_R_NOMEMORY); + } + -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+ dsa->p = p; -+ dsa->q = q; -+ dsa->g = g; -+ dsa->pub_key = pub_key; -+#else -+ DSA_set0_pqg(dsa, p, q, g); + DSA_set0_key(dsa, pub_key, NULL); -+#endif ++ DSA_set0_pqg(dsa, p, q, g); + - key->keydata.dsa = dsa; + key->key_size = p_bytes * 8; - return (ISC_R_SUCCESS); -@@ -538,6 +629,7 @@ static isc_result_t + isc_buffer_forward(data, 1 + ISC_SHA1_DIGESTLENGTH + 3 * p_bytes); +@@ -533,6 +635,8 @@ static isc_result_t openssldsa_tofile(const dst_key_t *key, const char *directory) { int cnt = 0; DSA *dsa; -+ const BIGNUM *p, *q, *g, *pub_key, *priv_key; ++ const BIGNUM *pub_key = NULL, *priv_key = NULL; ++ const BIGNUM *p = NULL, *q = NULL, *g = NULL; dst_private_t priv; unsigned char bufs[5][128]; -@@ -551,33 +643,44 @@ openssldsa_tofile(const dst_key_t *key, +@@ -546,33 +650,36 @@ openssldsa_tofile(const dst_key_t *key, const char *directory) { dsa = key->keydata.dsa; -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+ p = dsa->p; -+ q = dsa->q; -+ g = dsa->g; -+ pub_key = dsa->pub_key; -+ priv_key = dsa->priv_key; -+#else -+ DSA_get0_pqg(dsa, &p, &q, &g); + DSA_get0_key(dsa, &pub_key, &priv_key); -+#endif ++ DSA_get0_pqg(dsa, &p, &q, &g); + priv.elements[cnt].tag = TAG_DSA_PRIME; - priv.elements[cnt].length = BN_num_bytes(dsa->p); 
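Review bot: The failure branch added to openssldsa_fromdns leaks pub_key: `if (pub_key == NULL || p == NULL || q == NULL || g == NULL)` frees p, q and g but never pub_key, whereas the previous revision freed all four before returning. Add `BN_free(pub_key);` alongside the other frees; BN_free accepts NULL, so the `if (x != NULL)` guards on this path are also unnecessary and the removed code's unguarded `BN_free(p); BN_free(q); BN_free(g); BN_free(pub_key);` form was simpler. The previous revision also routed this failure through `dst__openssl_toresult(ISC_R_NOMEMORY)` rather than returning ISC_R_NOMEMORY directly; whether callers depend on that wrapping is not visible here, so it may be worth confirming the change was intended.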
@@ -990,27 +1525,25 @@ priv.elements[cnt].data = bufs[cnt]; cnt++; -@@ -591,6 +694,7 @@ openssldsa_parse(dst_key_t *key, isc_lex +@@ -586,6 +693,8 @@ openssldsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { isc_result_t ret; int i; DSA *dsa = NULL; -+ BIGNUM *p = NULL, *q = NULL, *g = NULL, *pub_key = NULL, *priv_key = NULL; ++ BIGNUM *pub_key = NULL, *priv_key = NULL; ++ BIGNUM *p = NULL, *q = NULL, *g = NULL; isc_mem_t *mctx = key->mctx; #define DST_RET(a) {ret = a; goto err;} -@@ -615,7 +719,11 @@ openssldsa_parse(dst_key_t *key, isc_lex +@@ -610,7 +719,7 @@ openssldsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { dsa = DSA_new(); if (dsa == NULL) DST_RET(ISC_R_NOMEMORY); -+#if OPENSSL_VERSION_NUMBER < 0x10100000L - dsa->flags &= ~DSA_FLAG_CACHE_MONT_P; -+#else +- dsa->flags &= ~DSA_FLAG_CACHE_MONT_P; + DSA_clear_flags(dsa, DSA_FLAG_CACHE_MONT_P); -+#endif key->keydata.dsa = dsa; for (i = 0; i < priv.nelements; i++) { -@@ -627,28 +735,45 @@ openssldsa_parse(dst_key_t *key, isc_lex +@@ -622,28 +731,36 @@ openssldsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { switch (priv.elements[i].tag) { case TAG_DSA_PRIME: 
@@ -1038,33 +1571,57 @@ dst__privstruct_free(&priv, mctx); memset(&priv, 0, sizeof(priv)); - key->key_size = BN_num_bits(dsa->p); -+ key->key_size = BN_num_bits(p); -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+ dsa->p = p; -+ dsa->q = q; -+ dsa->g = g; -+ dsa->pub_key = pub_key; -+ dsa->priv_key = priv_key; -+#else -+ if (p == NULL || q == NULL || g == NULL || pub_key == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ DSA_set0_pqg(dsa, p, q, g); + DSA_set0_key(dsa, pub_key, priv_key); -+#endif ++ DSA_set0_pqg(dsa, p, q, g); ++ key->key_size = BN_num_bits(p); return (ISC_R_SUCCESS); err: -+ BN_free(p); -+ BN_free(q); -+ BN_free(g); -+ BN_free(pub_key); -+ BN_free(priv_key); ++ if (p != NULL) ++ BN_free(p); ++ if (q != NULL) ++ BN_free(q); ++ if (g != NULL) ++ BN_free(g); openssldsa_destroy(key); dst__privstruct_free(&priv, mctx); memset(&priv, 0, sizeof(priv)); ---- bind-9.10.4-P3/lib/dns/opensslecdsa_link.c 2016-09-14 03:23:44.000000000 +0200 -+++ bind-9.10.4-P3/lib/dns/opensslecdsa_link.c 2016-11-07 17:57:34.337237978 +0100 -@@ -110,7 +110,7 @@ opensslecdsa_adddata(dst_context_t *dctx +diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c +index a967736..76d5a9d 100644 +--- a/lib/dns/opensslecdsa_link.c ++++ b/lib/dns/opensslecdsa_link.c +@@ -41,6 +41,30 @@ + + #define DST_RET(a) {ret = a; goto err;} + ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++/* From OpenSSL 1.1 */ ++static void ++ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) { ++ if (pr != NULL) ++ *pr = sig->r; ++ if (ps != NULL) ++ *ps = sig->s; ++} ++ ++static int ++ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s) { ++ if (r == NULL || s == NULL) ++ return 0; ++ ++ BN_clear_free(sig->r); ++ BN_clear_free(sig->s); ++ sig->r = r; ++ sig->s = s; ++ ++ return 1; ++} ++#endif ++ + static isc_result_t opensslecdsa_todns(const dst_key_t *key, + isc_buffer_t *data); + +@@ -102,7 +126,7 @@ opensslecdsa_adddata(dst_context_t *dctx, const isc_region_t *data) { } static int 
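Review bot: The err label in openssldsa_parse now frees only p, q and g; the previous revision also freed pub_key and priv_key, and the new side removes those two `BN_free` calls even though both variables are still populated by the element loop and are only handed to DSA_set0_key on the success path. Any DST_RET taken after those elements were parsed therefore leaks them. Add `BN_free(pub_key); BN_free(priv_key);` to the err block (the NULL guards used for p, q and g are unnecessary, BN_free tolerates NULL). The element loop and the DST_RET sites sit in the preceding hunk.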
@@ -1073,336 +1630,354 @@ int bytes = size - BN_num_bytes(bn); while (bytes-- > 0) -@@ -125,6 +125,7 @@ opensslecdsa_sign(dst_context_t *dctx, i +@@ -115,13 +139,14 @@ static isc_result_t + opensslecdsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { + isc_result_t ret; dst_key_t *key = dctx->key; - isc_region_t r; +- isc_region_t r; ++ isc_region_t region; ECDSA_SIG *ecdsasig; -+ const BIGNUM *er, *es; EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx; EVP_PKEY *pkey = key->keydata.pkey; EC_KEY *eckey = EVP_PKEY_get1_EC_KEY(pkey); -@@ -156,9 +157,15 @@ opensslecdsa_sign(dst_context_t *dctx, i + unsigned int dgstlen, siglen; + unsigned char digest[EVP_MAX_MD_SIZE]; ++ const BIGNUM *r, *s; + + REQUIRE(key->key_alg == DST_ALG_ECDSA256 || + key->key_alg == DST_ALG_ECDSA384); +@@ -134,8 +159,8 @@ opensslecdsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { + else + siglen = DNS_SIG_ECDSA384SIZE; + +- isc_buffer_availableregion(sig, &r); +- if (r.length < siglen) ++ isc_buffer_availableregion(sig, ®ion); ++ if (region.length < siglen) + DST_RET(ISC_R_NOSPACE); + + if (!EVP_DigestFinal(evp_md_ctx, digest, &dgstlen)) +@@ -148,10 +173,11 @@ opensslecdsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { DST_RET(dst__openssl_toresult3(dctx->category, "ECDSA_do_sign", DST_R_SIGNFAILURE)); - BN_bn2bin_fixed(ecdsasig->r, r.base, siglen / 2); -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+ er = ecdsasig->r; -+ es = ecdsasig->s; -+#else -+ ECDSA_SIG_get0(ecdsasig, &er, &es); -+#endif -+ BN_bn2bin_fixed(er, r.base, siglen / 2); - isc_region_consume(&r, siglen / 2); +- isc_region_consume(&r, siglen / 2); - BN_bn2bin_fixed(ecdsasig->s, r.base, siglen / 2); -+ BN_bn2bin_fixed(es, r.base, siglen / 2); - isc_region_consume(&r, siglen / 2); +- isc_region_consume(&r, siglen / 2); ++ ECDSA_SIG_get0(ecdsasig, &r, &s); ++ BN_bn2bin_fixed(r, region.base, siglen / 2); ++ isc_region_consume(®ion, siglen / 2); ++ BN_bn2bin_fixed(s, region.base, siglen / 2); ++ isc_region_consume(®ion, siglen / 2); 
ECDSA_SIG_free(ecdsasig); isc_buffer_add(sig, siglen); -@@ -177,6 +184,7 @@ opensslecdsa_verify(dst_context_t *dctx, - int status; - unsigned char *cp = sig->base; - ECDSA_SIG *ecdsasig = NULL; -+ BIGNUM *er = NULL, *es = NULL; - EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx; - EVP_PKEY *pkey = key->keydata.pkey; + ret = ISC_R_SUCCESS; +@@ -174,6 +200,7 @@ opensslecdsa_verify(dst_context_t *dctx, const isc_region_t *sig) { EC_KEY *eckey = EVP_PKEY_get1_EC_KEY(pkey); -@@ -205,14 +213,27 @@ opensslecdsa_verify(dst_context_t *dctx, + unsigned int dgstlen, siglen; + unsigned char digest[EVP_MAX_MD_SIZE]; ++ BIGNUM *r = NULL, *s = NULL ; + + REQUIRE(key->key_alg == DST_ALG_ECDSA256 || + key->key_alg == DST_ALG_ECDSA384); +@@ -197,13 +224,10 @@ opensslecdsa_verify(dst_context_t *dctx, const isc_region_t *sig) { ecdsasig = ECDSA_SIG_new(); if (ecdsasig == NULL) DST_RET (ISC_R_NOMEMORY); -+#if OPENSSL_VERSION_NUMBER < 0x10100000L - if (ecdsasig->r != NULL) - BN_free(ecdsasig->r); +- if (ecdsasig->r != NULL) +- BN_free(ecdsasig->r); - ecdsasig->r = BN_bin2bn(cp, siglen / 2, NULL); -- cp += siglen / 2; - if (ecdsasig->s != NULL) - BN_free(ecdsasig->s); ++ r = BN_bin2bn(cp, siglen / 2, NULL); + cp += siglen / 2; +- if (ecdsasig->s != NULL) +- BN_free(ecdsasig->s); - ecdsasig->s = BN_bin2bn(cp, siglen / 2, NULL); -+#endif -+ er = BN_bin2bn(cp, siglen / 2, NULL); -+ cp += siglen / 2; -+ es = BN_bin2bn(cp, siglen / 2, NULL); ++ s = BN_bin2bn(cp, siglen / 2, NULL); ++ ECDSA_SIG_set0(ecdsasig, r, s); /* cp += siglen / 2; */ -+ if (er == NULL || es == NULL) { -+ BN_free(er); -+ BN_free(es); -+ DST_RET (dst__openssl_toresult(ISC_R_NOMEMORY)); -+ } -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+ ecdsasig->r = er; -+ ecdsasig->s = es; -+#else -+ ECDSA_SIG_set0(ecdsasig, er, es); -+#endif status = ECDSA_do_verify(digest, dgstlen, ecdsasig, eckey); - switch (status) { ---- bind-9.10.4-P3/lib/dns/openssl_link.c 2016-09-14 03:23:44.000000000 +0200 -+++ 
bind-9.10.4-P3/lib/dns/openssl_link.c 2016-11-07 19:04:28.830074269 +0100 -@@ -128,8 +128,15 @@ id_callback(void) { - } - #endif +diff --git a/lib/dns/opensslgost_link.c b/lib/dns/opensslgost_link.c +index 6b04f7b..62d7238 100644 +--- a/lib/dns/opensslgost_link.c ++++ b/lib/dns/opensslgost_link.c +@@ -28,6 +28,11 @@ + #include + #include +#if OPENSSL_VERSION_NUMBER < 0x10100000L - static void * - mem_alloc(size_t size) { -+#else -+static void * -+mem_alloc(size_t size, const char *file, int line) { -+ UNUSED(file); -+ UNUSED(line); ++#define EVP_MD_CTX_new() &(ctx->_ctx), EVP_MD_CTX_init(&(ctx->_ctx)) ++#define EVP_MD_CTX_free(ptr) EVP_MD_CTX_cleanup(ptr) +#endif - #ifdef OPENSSL_LEAKS - void *ptr; - -@@ -142,15 +149,29 @@ mem_alloc(size_t size) { - #endif - } - -+#if OPENSSL_VERSION_NUMBER < 0x10100000L - static void - mem_free(void *ptr) { -+#else -+static void -+mem_free(void *ptr, const char *file, int line) { -+ UNUSED(file); -+ UNUSED(line); -+#endif - INSIST(dst__memory_pool != NULL); - if (ptr != NULL) - isc_mem_free(dst__memory_pool, ptr); - } - -+#if OPENSSL_VERSION_NUMBER < 0x10100000L - static void * - mem_realloc(void *ptr, size_t size) { -+#else -+static void * -+mem_realloc(void *ptr, size_t size, const char *file, int line) { -+ UNUSED(file); -+ UNUSED(line); -+#endif - #ifdef OPENSSL_LEAKS - void *rptr; ++ + static ENGINE *e = NULL; + static const EVP_MD *opensslgost_digest; + extern const EVP_MD *EVP_gost(void); +@@ -48,8 +53,10 @@ isc_gost_init(isc_gost_t *ctx) { + md = EVP_gost(); + if (md == NULL) + return (DST_R_CRYPTOFAILURE); +- EVP_MD_CTX_init(ctx); +- ret = EVP_DigestInit(ctx, md); ++ ctx->ctx = EVP_MD_CTX_new(); ++ if (ctx->ctx == NULL) ++ return (ISC_R_NOMEMORY); ++ ret = EVP_DigestInit(ctx->ctx, md); + if (ret != 1) + return (DST_R_CRYPTOFAILURE); + return (ISC_R_SUCCESS); +@@ -57,7 +64,8 @@ isc_gost_init(isc_gost_t *ctx) { -@@ -163,6 +184,16 @@ mem_realloc(void *ptr, size_t size) { - #endif + void + isc_gost_invalidate(isc_gost_t *ctx) 
{ +- EVP_MD_CTX_cleanup(ctx); ++ EVP_MD_CTX_free(ctx->ctx); ++ ctx->ctx = NULL; } -+static int -+rndeng_destroy(ENGINE *e) { -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+ mem_free(rm); -+#else -+ mem_free(rm, NULL, 0); -+#endif -+ rm = NULL; -+} -+ isc_result_t - dst__openssl_init(const char *engine) { - isc_result_t result; -@@ -179,6 +210,7 @@ dst__openssl_init(const char *engine) { - CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); - #endif - CRYPTO_set_mem_functions(mem_alloc, mem_realloc, mem_free); -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - nlocks = CRYPTO_num_locks(); - locks = mem_alloc(sizeof(isc_mutex_t) * nlocks); - if (locks == NULL) -@@ -187,13 +219,16 @@ dst__openssl_init(const char *engine) { - if (result != ISC_R_SUCCESS) - goto cleanup_mutexalloc; - CRYPTO_set_locking_callback(lock_callback); --#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - CRYPTO_set_id_callback(id_callback); - #endif +@@ -67,9 +75,10 @@ isc_gost_update(isc_gost_t *ctx, const unsigned char *data, + int ret; - ERR_load_crypto_strings(); + INSIST(ctx != NULL); ++ INSIST(ctx->ctx != NULL); + INSIST(data != NULL); -+#if OPENSSL_VERSION_NUMBER < 0x10100000L - rm = mem_alloc(sizeof(RAND_METHOD)); -+#else -+ rm = mem_alloc(sizeof(RAND_METHOD), NULL, 0); -+#endif - if (rm == NULL) { - result = ISC_R_NOMEMORY; - goto cleanup_mutexinit; -@@ -245,6 +280,7 @@ dst__openssl_init(const char *engine) { - goto cleanup_rm; - } - ENGINE_set_RAND(re, rm); -+ ENGINE_set_destroy_function(re, rndeng_destroy); - ENGINE_set_default_RAND(re); - ENGINE_free(re); - } else -@@ -259,15 +295,21 @@ dst__openssl_init(const char *engine) { - if (e != NULL) - ENGINE_free(e); - e = NULL; -+#if OPENSSL_VERSION_NUMBER < 0x10100000L - mem_free(rm); -+#else -+ mem_free(rm, NULL, 0); -+#endif - rm = NULL; - #endif - cleanup_mutexinit: -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - CRYPTO_set_locking_callback(NULL); - 
DESTROYMUTEXBLOCK(locks, nlocks); - cleanup_mutexalloc: - mem_free(locks); - locks = NULL; -+#endif - return (result); - } +- ret = EVP_DigestUpdate(ctx, (const void *) data, (size_t) len); ++ ret = EVP_DigestUpdate(ctx->ctx, (const void *) data, (size_t) len); + if (ret != 1) + return (DST_R_CRYPTOFAILURE); + return (ISC_R_SUCCESS); +@@ -80,9 +89,12 @@ isc_gost_final(isc_gost_t *ctx, unsigned char *digest) { + int ret; -@@ -276,13 +318,17 @@ dst__openssl_destroy(void) { - /* - * Sequence taken from apps_shutdown() in . - */ -- if (rm != NULL) { -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L -+#if defined(USE_ENGINE) -+ if (e != NULL) -+ ENGINE_free(e); -+ e = NULL; -+#endif -+ OPENSSL_cleanup(); -+#else - #if OPENSSL_VERSION_NUMBER >= 0x00907000L -- RAND_cleanup(); -+ RAND_cleanup(); - #endif -- mem_free(rm); -- rm = NULL; -- } - #if (OPENSSL_VERSION_NUMBER >= 0x00907000L) - CONF_modules_free(); - #endif -@@ -315,8 +361,13 @@ dst__openssl_destroy(void) { - mem_free(locks); - locks = NULL; - } -+#endif - } + INSIST(ctx != NULL); ++ INSIST(ctx->ctx != NULL); + INSIST(digest != NULL); -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L -+#define ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED EC_R_RANDOM_NUMBER_GENERATION_FAILED -+#endif -+ - static isc_result_t - toresult(isc_result_t fallback) { - isc_result_t result = fallback; ---- bind-9.10.4-P3/lib/dns/opensslrsa_link.c 2016-09-14 03:23:44.000000000 +0200 -+++ bind-9.10.4-P3/lib/dns/opensslrsa_link.c 2016-11-07 17:57:34.338238002 +0100 -@@ -107,6 +107,7 @@ +- ret = EVP_DigestFinal(ctx, digest, NULL); ++ ret = EVP_DigestFinal(ctx->ctx, digest, NULL); ++ EVP_MD_CTX_free(ctx->ctx); ++ ctx->ctx = NULL; + if (ret != 1) + return (DST_R_CRYPTOFAILURE); + return (ISC_R_SUCCESS); +diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c +index b5ad913..89b4975 100644 +--- a/lib/dns/opensslrsa_link.c ++++ b/lib/dns/opensslrsa_link.c +@@ -99,7 +99,8 @@ + (rsa)->flags &= ~(RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE); \ 
(rsa)->flags &= ~RSA_FLAG_BLINDING; \ } while (0) - #elif defined(RSA_FLAG_NO_BLINDING) -+#if OPENSSL_VERSION_NUMBER < 0x10100000L +-#elif defined(RSA_FLAG_NO_BLINDING) ++#elif OPENSSL_VERSION_NUMBER < 0x10100000L ++#if defined(RSA_FLAG_NO_BLINDING) #define SET_FLAGS(rsa) \ do { \ (rsa)->flags &= ~RSA_FLAG_BLINDING; \ -@@ -115,6 +116,13 @@ - #else - #define SET_FLAGS(rsa) \ - do { \ -+ RSA_clear_flags((rsa), RSA_FLAG_BLINDING); \ -+ RSA_set_flags((rsa), RSA_FLAG_NO_BLINDING); \ -+ } while (0) -+#endif -+#else -+#define SET_FLAGS(rsa) \ -+ do { \ +@@ -111,9 +112,132 @@ (rsa)->flags &= ~RSA_FLAG_BLINDING; \ } while (0) #endif -@@ -520,6 +528,7 @@ opensslrsa_verify2(dst_context_t *dctx, +- ++#else ++#define SET_FLAGS(rsa) \ ++ do { \ ++ RSA_clear_flags(rsa, RSA_FLAG_BLINDING); \ ++ RSA_set_flags(rsa, RSA_FLAG_NO_BLINDING); \ ++ } while (0) ++#endif + #define DST_RET(a) {ret = a; goto err;} + ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++/* From OpenSSL 1.1.0 */ ++static int ++RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) { ++ ++ /* ++ * If the fields n and e in r are NULL, the corresponding input ++ * parameters MUST be non-NULL for n and e. d may be ++ * left NULL (in case only the public key is used). ++ */ ++ if ((r->n == NULL && n == NULL) || (r->e == NULL && e == NULL)) ++ return 0; ++ ++ if (n != NULL) { ++ BN_free(r->n); ++ r->n = n; ++ } ++ if (e != NULL) { ++ BN_free(r->e); ++ r->e = e; ++ } ++ if (d != NULL) { ++ BN_free(r->d); ++ r->d = d; ++ } ++ ++ return 1; ++} ++ ++static int ++RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q) { ++ ++ /* ++ * If the fields p and q in r are NULL, the corresponding input ++ * parameters MUST be non-NULL. 
++ */ ++ if ((r->p == NULL && p == NULL) || (r->q == NULL && q == NULL)) ++ return 0; ++ ++ if (p != NULL) { ++ BN_free(r->p); ++ r->p = p; ++ } ++ if (q != NULL) { ++ BN_free(r->q); ++ r->q = q; ++ } ++ ++ return 1; ++} ++ ++static int ++RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp) { ++ /* ++ * If the fields dmp1, dmq1 and iqmp in r are NULL, the ++ * corresponding input parameters MUST be non-NULL. ++ */ ++ if ((r->dmp1 == NULL && dmp1 == NULL) || ++ (r->dmq1 == NULL && dmq1 == NULL) || ++ (r->iqmp == NULL && iqmp == NULL)) ++ return 0; ++ ++ if (dmp1 != NULL) { ++ BN_free(r->dmp1); ++ r->dmp1 = dmp1; ++ } ++ if (dmq1 != NULL) { ++ BN_free(r->dmq1); ++ r->dmq1 = dmq1; ++ } ++ if (iqmp != NULL) { ++ BN_free(r->iqmp); ++ r->iqmp = iqmp; ++ } ++ ++ return 1; ++} ++ ++static void ++RSA_get0_key(const RSA *r, ++ const BIGNUM **n, const BIGNUM **e, const BIGNUM **d) ++{ ++ if (n != NULL) ++ *n = r->n; ++ if (e != NULL) ++ *e = r->e; ++ if (d != NULL) ++ *d = r->d; ++} ++ ++static void ++RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q) { ++ if (p != NULL) ++ *p = r->p; ++ if (q != NULL) ++ *q = r->q; ++} ++ ++static void ++RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1, ++ const BIGNUM **iqmp) ++{ ++ if (dmp1 != NULL) ++ *dmp1 = r->dmp1; ++ if (dmq1 != NULL) ++ *dmq1 = r->dmq1; ++ if (iqmp != NULL) ++ *iqmp = r->iqmp; ++} ++ ++static int ++RSA_test_flags(const RSA *r, int flags) { ++ return (r->flags & flags); ++} ++ ++#endif ++ + static isc_result_t opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data); + + static isc_result_t +@@ -553,6 +677,7 @@ opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) { EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx; EVP_PKEY *pkey = key->keydata.pkey; RSA *rsa; -+ const BIGNUM *e; ++ const BIGNUM *e = NULL; int bits; #else /* note: ISC_SHA512_DIGESTLENGTH >= ISC_*_DIGESTLENGTH */ -@@ -543,7 +552,12 @@ opensslrsa_verify2(dst_context_t 
*dctx, +@@ -583,7 +708,8 @@ opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) { rsa = EVP_PKEY_get1_RSA(pkey); if (rsa == NULL) return (dst__openssl_toresult(DST_R_OPENSSLFAILURE)); - bits = BN_num_bits(rsa->e); -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+ e = rsa->e; -+#else + RSA_get0_key(rsa, NULL, &e, NULL); -+#endif + bits = BN_num_bits(e); RSA_free(rsa); if (bits > maxbits && maxbits != 0) return (DST_R_VERIFYFAILURE); -@@ -685,6 +699,8 @@ static isc_boolean_t +@@ -600,7 +726,8 @@ opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) { + DST_R_VERIFYFAILURE)); + } + #else +- if (BN_num_bits(rsa->e) > maxbits && maxbits != 0) ++ RSA_get0_key(rsa, NULL, &e, NULL); ++ if (BN_num_bits(e) > maxbits && maxbits != 0) + return (DST_R_VERIFYFAILURE); + + switch (dctx->key->key_alg) { +@@ -729,6 +856,11 @@ static isc_boolean_t opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) { int status; RSA *rsa1 = NULL, *rsa2 = NULL; -+ const BIGNUM *n1, *e1, *d1, *p1, *q1; -+ const BIGNUM *n2, *e2, *d2, *p2, *q2; ++ const BIGNUM *n1 = NULL, *n2 = NULL; ++ const BIGNUM *e1 = NULL, *e2 = NULL; ++ const BIGNUM *d1 = NULL, *d2 = NULL; ++ const BIGNUM *p1 = NULL, *p2 = NULL; ++ const BIGNUM *q1 = NULL, *q2 = NULL; #if USE_EVP EVP_PKEY *pkey1, *pkey2; #endif -@@ -714,13 +730,32 @@ opensslrsa_compare(const dst_key_t *key1 +@@ -758,17 +890,18 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) { else if (rsa1 == NULL || rsa2 == NULL) return (ISC_FALSE); - status = BN_cmp(rsa1->n, rsa2->n) || - BN_cmp(rsa1->e, rsa2->e); -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+ n1 = rsa1->n; -+ e1 = rsa1->e; -+ d1 = rsa1->d; -+ p1 = rsa1->p; -+ q1 = rsa1->q; -+ n2 = rsa2->n; -+ e2 = rsa2->e; -+ d2 = rsa2->d; -+ p2 = rsa2->p; -+ q2 = rsa2->q; -+#else + RSA_get0_key(rsa1, &n1, &e1, &d1); -+ RSA_get0_factors(rsa1, &p1, &q1); + RSA_get0_key(rsa2, &n2, &e2, &d2); -+ RSA_get0_factors(rsa2, &p2, &q2); -+#endif -+ -+ status = 
BN_cmp(n1, n2) || -+ BN_cmp(e1, e2); ++ status = BN_cmp(n1, n2) || BN_cmp(e1, e2); if (status != 0) return (ISC_FALSE); #if USE_EVP -+#if OPENSSL_VERSION_NUMBER < 0x10100000L - if ((rsa1->flags & RSA_FLAG_EXT_PKEY) != 0 || - (rsa2->flags & RSA_FLAG_EXT_PKEY) != 0) { - if ((rsa1->flags & RSA_FLAG_EXT_PKEY) == 0 || -@@ -731,14 +766,27 @@ opensslrsa_compare(const dst_key_t *key1 - */ - return (ISC_TRUE); - } -+#else +- if ((rsa1->flags & RSA_FLAG_EXT_PKEY) != 0 || +- (rsa2->flags & RSA_FLAG_EXT_PKEY) != 0) { +- if ((rsa1->flags & RSA_FLAG_EXT_PKEY) == 0 || +- (rsa2->flags & RSA_FLAG_EXT_PKEY) == 0) + if (RSA_test_flags(rsa1, RSA_FLAG_EXT_PKEY) != 0 || + RSA_test_flags(rsa2, RSA_FLAG_EXT_PKEY) != 0) { + if (RSA_test_flags(rsa1, RSA_FLAG_EXT_PKEY) == 0 || + RSA_test_flags(rsa2, RSA_FLAG_EXT_PKEY) == 0) -+ return (ISC_FALSE); -+ /* -+ * Can't compare private parameters, BTW does it make sense? -+ */ -+ return (ISC_TRUE); -+ } -+ -+#endif + return (ISC_FALSE); + /* + * Can't compare private parameters, BTW does it make sense? +@@ -777,12 +910,12 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) { + } #endif - if (rsa1->d != NULL || rsa2->d != NULL) { 
@@ -1413,76 +1988,76 @@ - status = BN_cmp(rsa1->d, rsa2->d) || - BN_cmp(rsa1->p, rsa2->p) || - BN_cmp(rsa1->q, rsa2->q); -+ status = BN_cmp(d1, d2) || -+ BN_cmp(p1, p2) || -+ BN_cmp(q1, q2); ++ RSA_get0_factors(rsa1, &p1, &q1); ++ RSA_get0_factors(rsa2, &p2, &q2); ++ status = BN_cmp(d1, d2) || BN_cmp(p1, p1) || BN_cmp(q1, q2); if (status != 0) return (ISC_FALSE); -@@ -882,16 +930,31 @@ err: +@@ -868,7 +1001,7 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) { + ret = dst__openssl_toresult2("RSA_generate_key_ex", + DST_R_OPENSSLFAILURE); + +-err: ++ err: + #if USE_EVP + if (pkey != NULL) + EVP_PKEY_free(pkey); +@@ -925,6 +1058,7 @@ err: + static isc_boolean_t opensslrsa_isprivate(const dst_key_t *key) { ++ const BIGNUM *d = NULL; #if USE_EVP -+#if OPENSSL_VERSION_NUMBER < 0x10100000L RSA *rsa = EVP_PKEY_get1_RSA(key->keydata.pkey); INSIST(rsa != NULL); - RSA_free(rsa); - /* key->keydata.pkey still has a reference so rsa is still valid. */ +@@ -933,9 +1067,10 @@ opensslrsa_isprivate(const dst_key_t *key) { #else -+ const RSA *rsa = EVP_PKEY_get0_RSA(key->keydata.pkey); -+#endif -+#else RSA *rsa = key->keydata.rsa; #endif - if (rsa != NULL && (rsa->flags & RSA_FLAG_EXT_PKEY) != 0) -+ const BIGNUM *d; -+ -+ if (rsa == NULL) -+ return (ISC_FALSE); -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+ if ((rsa->flags & RSA_FLAG_EXT_PKEY) != 0) ++ if (rsa != NULL && RSA_test_flags(rsa, RSA_FLAG_EXT_PKEY) != 0) return (ISC_TRUE); - return (ISC_TF(rsa != NULL && rsa->d != NULL)); -+#else -+ if (RSA_test_flags(rsa, RSA_FLAG_EXT_PKEY) != 0) -+ return (ISC_TRUE); +- return (ISC_TF(rsa != NULL && rsa->d != NULL)); + RSA_get0_key(rsa, NULL, NULL, &d); -+ return (ISC_TF(d != NULL)); -+#endif ++ return (ISC_TF(rsa != NULL && d != NULL)); } static void -@@ -915,6 +978,7 @@ opensslrsa_todns(const dst_key_t *key, i - unsigned int mod_bytes; - isc_result_t ret; - RSA *rsa; -+ const BIGNUM *n, *e; +@@ -951,7 +1086,6 @@ opensslrsa_destroy(dst_key_t *key) { + #endif + } + 
+- + static isc_result_t + opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data) { + isc_region_t r; +@@ -962,6 +1096,7 @@ opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data) { #if USE_EVP EVP_PKEY *pkey; #endif -@@ -936,8 +1000,15 @@ opensslrsa_todns(const dst_key_t *key, i ++ const BIGNUM *e = NULL, *n = NULL; + + #if USE_EVP + REQUIRE(key->keydata.pkey != NULL); +@@ -980,8 +1115,9 @@ opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data) { isc_buffer_availableregion(data, &r); - e_bytes = BN_num_bytes(rsa->e); - mod_bytes = BN_num_bytes(rsa->n); -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+ n = rsa->n; -+ e = rsa->e; -+#else + RSA_get0_key(rsa, &n, &e, NULL); -+#endif -+ -+ e_bytes = BN_num_bytes(e); + mod_bytes = BN_num_bytes(n); ++ e_bytes = BN_num_bytes(e); if (e_bytes < 256) { /*%< key exponent is <= 2040 bits */ if (r.length < 1) -@@ -955,9 +1026,9 @@ opensslrsa_todns(const dst_key_t *key, i +@@ -999,9 +1135,10 @@ opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data) { if (r.length < e_bytes + mod_bytes) DST_RET(ISC_R_NOSPACE); - BN_bn2bin(rsa->e, r.base); ++ RSA_get0_key(rsa, &n, &e, NULL); + BN_bn2bin(e, r.base); isc_region_consume(&r, e_bytes); - BN_bn2bin(rsa->n, r.base); 
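Review bot: In opensslrsa_compare the new line `status = BN_cmp(d1, d2) || BN_cmp(p1, p1) || BN_cmp(q1, q2);` compares p1 with itself, so the factor p is never checked and two private keys that differ only in p compare as equal; the removed version compared p1 with p2, and the line should read `status = BN_cmp(d1, d2) || BN_cmp(p1, p2) || BN_cmp(q1, q2);`. In opensslrsa_isprivate, `RSA_get0_key(rsa, NULL, NULL, &d);` now runs before the `rsa != NULL` test on the following return line, so in the non-EVP path (where rsa comes from key->keydata.rsa and the return line itself treats it as possibly NULL) the getter dereferences a NULL rsa — the removed `if (rsa == NULL) return (ISC_FALSE);` guard should be restored ahead of the call. In opensslrsa_todns the second `RSA_get0_key(rsa, &n, &e, NULL);` added before `BN_bn2bin(e, r.base)` re-fetches values that n and e already hold from the earlier call and can be dropped. opensslrsa_compare's body begins before this hunk.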
@@ -1490,81 +2065,67 @@ isc_buffer_add(data, e_bytes + mod_bytes); -@@ -973,6 +1044,7 @@ opensslrsa_todns(const dst_key_t *key, i - static isc_result_t - opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) { - RSA *rsa; -+ BIGNUM *n = NULL, *e = NULL; - isc_region_t r; - unsigned int e_bytes; - unsigned int length; -@@ -1012,15 +1084,29 @@ opensslrsa_fromdns(dst_key_t *key, isc_b +@@ -1023,6 +1160,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) { + #if USE_EVP + EVP_PKEY *pkey; + #endif ++ BIGNUM *e = NULL, *n = NULL; + + isc_buffer_remainingregion(data, &r); + if (r.length == 0) +@@ -1056,12 +1194,16 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) { RSA_free(rsa); return (DST_R_INVALIDPUBLICKEY); } - rsa->e = BN_bin2bn(r.base, e_bytes, NULL); + e = BN_bin2bn(r.base, e_bytes, NULL); isc_region_consume(&r, e_bytes); - +- - rsa->n = BN_bin2bn(r.base, r.length, NULL); -+ n = BN_bin2bn(r.base, r.length, NULL); - +- - key->key_size = BN_num_bits(rsa->n); ++ n = BN_bin2bn(r.base, r.length, NULL); ++ if (RSA_set0_key(rsa, n, e, NULL) == 0) { ++ if (n != NULL) BN_free(n); ++ if (e != NULL) BN_free(e); ++ RSA_free(rsa); ++ return (ISC_R_NOMEMORY); ++ } + key->key_size = BN_num_bits(n); isc_buffer_forward(data, length); -+ if (n == NULL || e == NULL) { -+ RSA_free(rsa); -+ BN_free(n); -+ BN_free(e); -+ return dst__openssl_toresult(ISC_R_NOMEMORY); -+ } -+ -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+ rsa->n = n; -+ rsa->e = e; -+#else -+ RSA_set0_key(rsa, n, e, NULL); -+#endif -+ - #if USE_EVP - pkey = EVP_PKEY_new(); - if (pkey == NULL) { -@@ -1045,6 +1131,7 @@ static isc_result_t - opensslrsa_tofile(const dst_key_t *key, const char *directory) { - int i; - RSA *rsa; -+ const BIGNUM *n, *e, *d, *p, *q, *dmp1, *dmq1, *iqmp; +@@ -1092,6 +1234,9 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) { dst_private_t priv; unsigned char *bufs[8]; isc_result_t result; -@@ -1068,8 +1155,23 @@ opensslrsa_tofile(const dst_key_t *key, - goto fail; 
- } ++ const BIGNUM *n = NULL, *e = NULL, *d = NULL; ++ const BIGNUM *p = NULL, *q = NULL; ++ const BIGNUM *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL; + + #if USE_EVP + if (key->keydata.pkey == NULL) +@@ -1106,6 +1251,10 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) { + #endif + memset(bufs, 0, sizeof(bufs)); -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+ n = rsa->n; -+ e = rsa->e; -+ d = rsa->d; -+ p = rsa->p; -+ q = rsa->q; -+ dmp1 = rsa->dmp1; -+ dmq1 = rsa->dmq1; -+ iqmp = rsa->iqmp; -+#else + RSA_get0_key(rsa, &n, &e, &d); + RSA_get0_factors(rsa, &p, &q); + RSA_get0_crt_params(rsa, &dmp1, &dmq1, &iqmp); -+#endif + + if (key->external) { + priv.nelements = 0; + result = dst__privstruct_writefile(key, &priv, directory); +@@ -1113,7 +1262,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) { + } + for (i = 0; i < 8; i++) { - bufs[i] = isc_mem_get(key->mctx, BN_num_bytes(rsa->n)); + bufs[i] = isc_mem_get(key->mctx, BN_num_bytes(n)); if (bufs[i] == NULL) { result = ISC_R_NOMEMORY; goto fail; -@@ -1079,61 +1181,61 @@ opensslrsa_tofile(const dst_key_t *key, +@@ -1123,61 +1272,61 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) { i = 0; priv.elements[i].tag = TAG_RSA_MODULUS; 
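Review bot: In opensslrsa_fromdns the failure branch of `RSA_set0_key(rsa, n, e, NULL)` returns a bare `ISC_R_NOMEMORY`, where the version of this patch being removed returned `dst__openssl_toresult(ISC_R_NOMEMORY)` for the same condition (a NULL from `BN_bin2bn`); keeping the wrapper keeps the error reporting of this function consistent with its other OpenSSL failure paths. The `if (n != NULL) BN_free(n);` / `if (e != NULL) BN_free(e);` guards are redundant: the removed code calls `BN_free(n); BN_free(e);` unguarded right after the same `n == NULL || e == NULL` check, so the bare calls are safe and shorter. opensslrsa_fromdns starts before this hunk and opensslrsa_tofile continues past it.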
@@ -1648,148 +2209,117 @@ priv.elements[i].data = bufs[i]; i++; } -@@ -1156,14 +1258,14 @@ opensslrsa_tofile(const dst_key_t *key, - priv.nelements = i; - result = dst__privstruct_writefile(key, &priv, directory); - fail: --#if USE_EVP -- RSA_free(rsa); --#endif +@@ -1208,33 +1357,45 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) { for (i = 0; i < 8; i++) { if (bufs[i] == NULL) break; - isc_mem_put(key->mctx, bufs[i], BN_num_bytes(rsa->n)); + isc_mem_put(key->mctx, bufs[i], BN_num_bytes(n)); } -+#if USE_EVP -+ RSA_free(rsa); -+#endif return (result); } -@@ -1172,23 +1274,57 @@ rsa_check(RSA *rsa, RSA *pub) - { - /* Public parameters should be the same but if they are not set - * copy them from the public key. */ -+ const BIGNUM *n, *e, *pn, *pe; -+ int copy = 0; -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+ n = rsa->n; -+ e = rsa->e; -+#else -+ RSA_get0_key(rsa, &n, &e, NULL); -+#endif - if (pub != NULL) { -- if (rsa->n != NULL) { + static isc_result_t +-rsa_check(RSA *rsa, RSA *pub) +-{ +- /* Public parameters should be the same but if they are not set +- * copy them from the public key. */ ++rsa_check(RSA *rsa, RSA *pub) { ++ const BIGNUM *n1 = NULL, *n2 = NULL; ++ const BIGNUM *e1 = NULL, *e2 = NULL; ++ BIGNUM *n = NULL, *e = NULL; ++ ++ /* ++ * Public parameters should be the same but if they are not set ++ * copy them from the public key. 
++ */ ++ RSA_get0_key(rsa, &n1, &e1, NULL); + if (pub != NULL) { +- if (rsa->n != NULL) { - if (BN_cmp(rsa->n, pub->n) != 0) -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+ pn = pub->n; -+ pe = pub->e; -+#else -+ RSA_get0_key(pub, &pn, &pe, NULL); -+#endif -+ if (n != NULL) { -+ if (BN_cmp(n, pn) != 0) ++ RSA_get0_key(pub, &n2, &e2, NULL); ++ if (n1 != NULL) { ++ if (BN_cmp(n1, n2) != 0) return (DST_R_INVALIDPRIVATEKEY); } else { - rsa->n = pub->n; - pub->n = NULL; -+ copy = 1; ++ n = BN_dup(n2); } - if (rsa->e != NULL) { - if (BN_cmp(rsa->e, pub->e) != 0) -+ if (e != NULL) { -+ if (BN_cmp(e, pe) != 0) ++ if (e1 != NULL) { ++ if (BN_cmp(e1, e2) != 0) return (DST_R_INVALIDPRIVATEKEY); } else { - rsa->e = pub->e; - pub->e = NULL; -+ copy = 1; ++ e = BN_dup(e2); + } -+ -+ if (copy) { -+ BIGNUM *dn, *de; -+ dn = BN_dup(pn); -+ de = BN_dup(pe); -+ if (dn == NULL || de == NULL) { -+ BN_free(dn); -+ BN_free(de); -+ return (ISC_R_NOMEMORY); -+ } -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+ if (rsa->n != NULL) -+ BN_free(rsa->n); -+ if (rsa->e != NULL) -+ BN_free(rsa->e); -+ rsa->n = dn; -+ rsa->e = de; -+#else -+ RSA_set0_key(rsa, dn, de, NULL); -+#endif -+ return (ISC_R_SUCCESS); ++ if (RSA_set0_key(rsa, n, e, NULL) == 0) { ++ if (n != NULL) ++ BN_free(n); ++ if (e != NULL) ++ BN_free(e); } } - if (rsa->n == NULL || rsa->e == NULL) -+ if (n == NULL || e == NULL) ++ RSA_get0_key(rsa, &n1, &e1, NULL); ++ if (n1 == NULL || e1 == NULL) return (DST_R_INVALIDPRIVATEKEY); return (ISC_R_SUCCESS); } -@@ -1199,8 +1335,10 @@ opensslrsa_parse(dst_key_t *key, isc_lex - isc_result_t ret; +@@ -1246,13 +1407,17 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { int i; RSA *rsa = NULL, *pubrsa = NULL; -+ BIGNUM *n = NULL, *e = NULL, *d = NULL, *p = NULL, *q = NULL; -+ BIGNUM *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL; #ifdef USE_ENGINE - ENGINE *e = NULL; -+ ENGINE *eng = NULL; ++ ENGINE *ep = NULL; ++ const BIGNUM *ex = NULL; #endif isc_mem_t *mctx = key->mctx; const 
char *engine = NULL, *label = NULL; -@@ -1255,12 +1393,13 @@ opensslrsa_parse(dst_key_t *key, isc_lex - */ - if (label != NULL) { + #if defined(USE_ENGINE) || USE_EVP + EVP_PKEY *pkey = NULL; + #endif ++ BIGNUM *n = NULL, *e = NULL, *d = NULL; ++ BIGNUM *p = NULL, *q = NULL; ++ BIGNUM *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL; + + /* read private key file */ + ret = dst__privstruct_parse(key, DST_ALG_RSA, lexer, mctx, &priv); +@@ -1303,10 +1468,10 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { #ifdef USE_ENGINE -+ const BIGNUM *e; if (engine == NULL) DST_RET(DST_R_NOENGINE); - e = dst__openssl_getengine(engine); - if (e == NULL) -+ eng = dst__openssl_getengine(engine); -+ if (eng == NULL) ++ ep = dst__openssl_getengine(engine); ++ if (ep == NULL) DST_RET(DST_R_NOENGINE); - pkey = ENGINE_load_private_key(e, label, NULL, NULL); -+ pkey = ENGINE_load_private_key(eng, label, NULL, NULL); ++ pkey = ENGINE_load_private_key(ep, label, NULL, NULL); if (pkey == NULL) DST_RET(dst__openssl_toresult2( "ENGINE_load_private_key", -@@ -1276,7 +1415,12 @@ opensslrsa_parse(dst_key_t *key, isc_lex +@@ -1322,7 +1487,8 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); if (rsa_check(rsa, pubrsa) != ISC_R_SUCCESS) DST_RET(DST_R_INVALIDPRIVATEKEY); - if (BN_num_bits(rsa->e) > RSA_MAX_PUBEXP_BITS) -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+ e = rsa->e; -+#else -+ RSA_get0_key(rsa, NULL, &e, NULL); -+#endif -+ if (BN_num_bits(e) > RSA_MAX_PUBEXP_BITS) ++ RSA_get0_key(rsa, NULL, &ex, NULL); ++ if (BN_num_bits(ex) > RSA_MAX_PUBEXP_BITS) DST_RET(ISC_R_RANGE); if (pubrsa != NULL) RSA_free(pubrsa); -@@ -1305,9 +1449,6 @@ opensslrsa_parse(dst_key_t *key, isc_lex - pkey = EVP_PKEY_new(); - if (pkey == NULL) - DST_RET(ISC_R_NOMEMORY); -- if (!EVP_PKEY_set1_RSA(pkey, rsa)) -- DST_RET(ISC_R_FAILURE); -- key->keydata.pkey = pkey; - #else - key->keydata.rsa = rsa; - #endif -@@ -1328,42 +1469,86 @@ 
opensslrsa_parse(dst_key_t *key, isc_lex - - switch (priv.elements[i].tag) { +@@ -1370,43 +1536,57 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { + priv.elements[i].length, NULL); + if (bn == NULL) + DST_RET(ISC_R_NOMEMORY); +- } +- +- switch (priv.elements[i].tag) { ++ switch (priv.elements[i].tag) { case TAG_RSA_MODULUS: - rsa->n = bn; + n = bn; 
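Review bot: In the rewritten rsa_check an allocation failure is misreported: when `BN_dup(n2)` or `BN_dup(e2)` returns NULL, `RSA_set0_key(rsa, n, e, NULL)` returns 0, the branch only frees whatever was allocated, and control falls through to `if (n1 == NULL || e1 == NULL) return (DST_R_INVALIDPRIVATEKEY);`, so out-of-memory is surfaced as an invalid private key where the removed code returned ISC_R_NOMEMORY. Returning `return (ISC_R_NOMEMORY);` at the end of the `RSA_set0_key(...) == 0` branch, after the two BN_free calls, restores the distinction. When n1 and e1 are both already set the call becomes `RSA_set0_key(rsa, NULL, NULL, NULL)`, which appears to be a no-op with the compat shim defined earlier in this patch and, as far as I can tell, with OpenSSL 1.1.0's own implementation; a one-line comment such as `/* all-NULL call leaves rsa untouched */` would spare the next reader that check. opensslrsa_parse's hunk in this unit continues past the end of the hunk.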
@@ -1822,131 +2352,1112 @@ - rsa->iqmp = bn; + iqmp = bn; break; ++ } } } dst__privstruct_free(&priv, mctx); memset(&priv, 0, sizeof(priv)); -- if (rsa_check(rsa, pubrsa) != ISC_R_SUCCESS) -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+ rsa->n = n; -+ rsa->e = e; -+ rsa->d = d; -+ rsa->p = p; -+ rsa->q = q; -+ rsa->dmp1 = dmp1; -+ rsa->dmq1 = dmq1; -+ rsa->iqmp = iqmp; -+ n = e = d = p = q = dmp1 = dmq1 = iqmp = NULL; -+#else -+ if (RSA_set0_key(rsa, n, e, d) <= 0) -+ DST_RET(ISC_R_NOMEMORY); -+ n = e = d = NULL; -+ if (p != NULL && q != NULL) { -+ RSA_set0_factors(rsa, p, q); -+ p = q = NULL; -+ if (dmp1 != NULL && dmq1 != NULL && iqmp != NULL) { -+ RSA_set0_crt_params(rsa, dmp1, dmq1, iqmp); -+ dmp1 = dmq1 = iqmp = NULL; -+ } ++ if (RSA_set0_key(rsa, n, e, d) == 0) { ++ if (n != NULL) BN_free(n); ++ if (e != NULL) BN_free(e); ++ if (d != NULL) BN_free(d); + } -+ /* free any stray parameters */ -+ BN_free(p); -+ BN_free(q); -+ BN_free(dmp1); -+ BN_free(dmq1); -+ BN_free(iqmp); -+ p = q = dmp1 = dmq1 = iqmp = NULL; -+#endif -+ if (rsa_check(rsa, pubrsa) != ISC_R_SUCCESS) { ++ if (RSA_set0_factors(rsa, p, q) == 0) { ++ if (p != NULL) BN_free(p); ++ if (q != NULL) BN_free(q); ++ } ++ if (RSA_set0_crt_params(rsa, dmp1, dmq1, iqmp) == 0) { ++ if (dmp1 != NULL) BN_free(dmp1); ++ if (dmq1 != NULL) BN_free(dmq1); ++ if (iqmp != NULL) BN_free(iqmp); ++ } ++ + if (rsa_check(rsa, pubrsa) != ISC_R_SUCCESS) DST_RET(DST_R_INVALIDPRIVATEKEY); - if (BN_num_bits(rsa->e) > RSA_MAX_PUBEXP_BITS) -- DST_RET(ISC_R_RANGE); ++ if (BN_num_bits(e) > RSA_MAX_PUBEXP_BITS) + DST_RET(ISC_R_RANGE); - key->key_size = BN_num_bits(rsa->n); -+ } else { -+ const BIGNUM *n, *e; -+ -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+ e = rsa->e; -+ n = rsa->n; -+#else -+ RSA_get0_key(rsa, &n, &e, NULL); -+#endif -+ if (BN_num_bits(e) > RSA_MAX_PUBEXP_BITS) -+ DST_RET(ISC_R_RANGE); -+ -+ key->key_size = BN_num_bits(n); -+ } ++ key->key_size = BN_num_bits(n); if (pubrsa != NULL) RSA_free(pubrsa); #if USE_EVP -+ 
if (!EVP_PKEY_set1_RSA(pkey, rsa)) -+ DST_RET(ISC_R_FAILURE); -+ key->keydata.pkey = pkey; - RSA_free(rsa); - #endif - -@@ -1378,6 +1563,14 @@ opensslrsa_parse(dst_key_t *key, isc_lex - RSA_free(rsa); - if (pubrsa != NULL) - RSA_free(pubrsa); -+ BN_free(n); -+ BN_free(e); -+ BN_free(d); -+ BN_free(p); -+ BN_free(q); -+ BN_free(dmp1); -+ BN_free(dmq1); -+ BN_free(iqmp); - key->keydata.generic = NULL; - dst__privstruct_free(&priv, mctx); - memset(&priv, 0, sizeof(priv)); -@@ -1389,10 +1582,11 @@ opensslrsa_fromlabel(dst_key_t *key, con - const char *pin) - { - #ifdef USE_ENGINE -- ENGINE *e = NULL; -+ ENGINE *eng = NULL; - isc_result_t ret; +@@ -1440,6 +1620,7 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label, EVP_PKEY *pkey = NULL; RSA *rsa = NULL, *pubrsa = NULL; -+ const BIGNUM *e; char *colon, *tmpengine = NULL; ++ const BIGNUM *ex = NULL; UNUSED(pin); -@@ -1407,17 +1601,17 @@ opensslrsa_fromlabel(dst_key_t *key, con - INSIST(colon != NULL); - *colon = '\0'; - } -- e = dst__openssl_getengine(engine); -- if (e == NULL) -+ eng = dst__openssl_getengine(engine); -+ if (eng == NULL) - DST_RET(DST_R_NOENGINE); -- pkey = ENGINE_load_public_key(e, label, NULL, NULL); -+ pkey = ENGINE_load_public_key(eng, label, NULL, NULL); - if (pkey != NULL) { - pubrsa = EVP_PKEY_get1_RSA(pkey); - EVP_PKEY_free(pkey); - if (pubrsa == NULL) - DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); - } -- pkey = ENGINE_load_private_key(e, label, NULL, NULL); -+ pkey = ENGINE_load_private_key(eng, label, NULL, NULL); - if (pkey == NULL) - DST_RET(dst__openssl_toresult2("ENGINE_load_private_key", - ISC_R_NOTFOUND)); -@@ -1437,7 +1631,12 @@ opensslrsa_fromlabel(dst_key_t *key, con + +@@ -1483,7 +1664,8 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label, DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); if (rsa_check(rsa, pubrsa) != ISC_R_SUCCESS) DST_RET(DST_R_INVALIDPRIVATEKEY); - if (BN_num_bits(rsa->e) > RSA_MAX_PUBEXP_BITS) -+#if 
OPENSSL_VERSION_NUMBER < 0x10100000L -+ e = rsa->e; -+#else -+ RSA_get0_key(rsa, NULL, &e, NULL); -+#endif -+ if (BN_num_bits(e) > RSA_MAX_PUBEXP_BITS) ++ RSA_get0_key(rsa, NULL, &ex, NULL); ++ if (BN_num_bits(ex) > RSA_MAX_PUBEXP_BITS) DST_RET(ISC_R_RANGE); if (pubrsa != NULL) RSA_free(pubrsa); +diff --git a/lib/isc/aes.c b/lib/isc/aes.c +index a4a61b3..e47ecf3 100644 +--- a/lib/isc/aes.c ++++ b/lib/isc/aes.c +@@ -22,54 +22,72 @@ + #ifdef ISC_PLATFORM_WANTAES + #if HAVE_OPENSSL_EVP_AES + ++#include + #include + ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++#define EVP_CIPHER_CTX_new() &(_context), EVP_CIPHER_CTX_init(&_context) ++#define EVP_CIPHER_CTX_free(c) RUNTIME_CHECK(EVP_CIPHER_CTX_cleanup(c) == 1) ++#endif ++ + void + isc_aes128_crypt(const unsigned char *key, const unsigned char *in, + unsigned char *out) + { +- EVP_CIPHER_CTX c; ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++ EVP_CIPHER_CTX _context; ++#endif ++ EVP_CIPHER_CTX *c; + int len; + +- EVP_CIPHER_CTX_init(&c); +- RUNTIME_CHECK(EVP_EncryptInit(&c, EVP_aes_128_ecb(), key, NULL) == 1); +- EVP_CIPHER_CTX_set_padding(&c, 0); +- RUNTIME_CHECK(EVP_EncryptUpdate(&c, out, &len, in, ++ c = EVP_CIPHER_CTX_new(); ++ RUNTIME_CHECK(c != NULL); ++ RUNTIME_CHECK(EVP_EncryptInit(c, EVP_aes_128_ecb(), key, NULL) == 1); ++ EVP_CIPHER_CTX_set_padding(c, 0); ++ RUNTIME_CHECK(EVP_EncryptUpdate(c, out, &len, in, + ISC_AES_BLOCK_LENGTH) == 1); + RUNTIME_CHECK(len == ISC_AES_BLOCK_LENGTH); +- RUNTIME_CHECK(EVP_CIPHER_CTX_cleanup(&c) == 1); ++ EVP_CIPHER_CTX_free(c); + } + + void + isc_aes192_crypt(const unsigned char *key, const unsigned char *in, + unsigned char *out) + { +- EVP_CIPHER_CTX c; ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++ EVP_CIPHER_CTX _context; ++#endif ++ EVP_CIPHER_CTX *c; + int len; + +- EVP_CIPHER_CTX_init(&c); +- RUNTIME_CHECK(EVP_EncryptInit(&c, EVP_aes_192_ecb(), key, NULL) == 1); +- EVP_CIPHER_CTX_set_padding(&c, 0); +- RUNTIME_CHECK(EVP_EncryptUpdate(&c, out, &len, in, ++ c = 
EVP_CIPHER_CTX_new(); ++ RUNTIME_CHECK(c != NULL); ++ RUNTIME_CHECK(EVP_EncryptInit(c, EVP_aes_192_ecb(), key, NULL) == 1); ++ EVP_CIPHER_CTX_set_padding(c, 0); ++ RUNTIME_CHECK(EVP_EncryptUpdate(c, out, &len, in, + ISC_AES_BLOCK_LENGTH) == 1); + RUNTIME_CHECK(len == ISC_AES_BLOCK_LENGTH); +- RUNTIME_CHECK(EVP_CIPHER_CTX_cleanup(&c) == 1); ++ EVP_CIPHER_CTX_free(c); + } + + void + isc_aes256_crypt(const unsigned char *key, const unsigned char *in, + unsigned char *out) + { +- EVP_CIPHER_CTX c; ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++ EVP_CIPHER_CTX _context; ++#endif ++ EVP_CIPHER_CTX *c; + int len; + +- EVP_CIPHER_CTX_init(&c); +- RUNTIME_CHECK(EVP_EncryptInit(&c, EVP_aes_256_ecb(), key, NULL) == 1); +- EVP_CIPHER_CTX_set_padding(&c, 0); +- RUNTIME_CHECK(EVP_EncryptUpdate(&c, out, &len, in, ++ c = EVP_CIPHER_CTX_new(); ++ RUNTIME_CHECK(c != NULL); ++ RUNTIME_CHECK(EVP_EncryptInit(c, EVP_aes_256_ecb(), key, NULL) == 1); ++ EVP_CIPHER_CTX_set_padding(c, 0); ++ RUNTIME_CHECK(EVP_EncryptUpdate(c, out, &len, in, + ISC_AES_BLOCK_LENGTH) == 1); + RUNTIME_CHECK(len == ISC_AES_BLOCK_LENGTH); +- RUNTIME_CHECK(EVP_CIPHER_CTX_cleanup(&c) == 1); ++ EVP_CIPHER_CTX_free(c); + } + + #elif HAVE_OPENSSL_AES +diff --git a/lib/isc/hmacmd5.c b/lib/isc/hmacmd5.c +index 621aa3b..1b81293 100644 +--- a/lib/isc/hmacmd5.c ++++ b/lib/isc/hmacmd5.c +@@ -34,43 +34,41 @@ + #endif + + #ifdef ISC_PLATFORM_OPENSSLHASH ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++#define HMAC_CTX_new() &(ctx->_ctx), HMAC_CTX_init(&(ctx->_ctx)) ++#define HMAC_CTX_free(ptr) HMAC_CTX_cleanup(ptr) ++#endif + + void + isc_hmacmd5_init(isc_hmacmd5_t *ctx, const unsigned char *key, + unsigned int len) + { +-#ifdef HMAC_RETURN_INT +- RUNTIME_CHECK(HMAC_Init(ctx, (const void *) key, +- (int) len, EVP_md5()) == 1); +-#else +- HMAC_Init(ctx, (const void *) key, (int) len, EVP_md5()); +-#endif ++ ctx->ctx = HMAC_CTX_new(); ++ RUNTIME_CHECK(ctx->ctx != NULL); ++ RUNTIME_CHECK(HMAC_Init_ex(ctx->ctx, (const void *) key, ++ 
(int) len, EVP_md5(), NULL) == 1); + } + + void + isc_hmacmd5_invalidate(isc_hmacmd5_t *ctx) { +- HMAC_CTX_cleanup(ctx); ++ if (ctx->ctx == NULL) ++ return; ++ HMAC_CTX_free(ctx->ctx); ++ ctx->ctx = NULL; + } + + void + isc_hmacmd5_update(isc_hmacmd5_t *ctx, const unsigned char *buf, + unsigned int len) + { +-#ifdef HMAC_RETURN_INT +- RUNTIME_CHECK(HMAC_Update(ctx, buf, (int) len) == 1); +-#else +- HMAC_Update(ctx, buf, (int) len); +-#endif ++ RUNTIME_CHECK(HMAC_Update(ctx->ctx, buf, (int) len) == 1); + } + + void + isc_hmacmd5_sign(isc_hmacmd5_t *ctx, unsigned char *digest) { +-#ifdef HMAC_RETURN_INT +- RUNTIME_CHECK(HMAC_Final(ctx, digest, NULL) == 1); +-#else +- HMAC_Final(ctx, digest, NULL); +-#endif +- HMAC_CTX_cleanup(ctx); ++ RUNTIME_CHECK(HMAC_Final(ctx->ctx, digest, NULL) == 1); ++ HMAC_CTX_free(ctx->ctx); ++ ctx->ctx = NULL; + } + + #elif PKCS11CRYPTO +diff --git a/lib/isc/hmacsha.c b/lib/isc/hmacsha.c +index ef1b8f0..c132aa2 100644 +--- a/lib/isc/hmacsha.c ++++ b/lib/isc/hmacsha.c +@@ -32,32 +32,34 @@ + #endif + + #ifdef ISC_PLATFORM_OPENSSLHASH ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++#define HMAC_CTX_new() &(ctx->_ctx), HMAC_CTX_init(&(ctx->_ctx)) ++#define HMAC_CTX_free(ptr) HMAC_CTX_cleanup(ptr) ++#endif ++ + void + isc_hmacsha1_init(isc_hmacsha1_t *ctx, const unsigned char *key, + unsigned int len) + { +-#ifdef HMAC_RETURN_INT +- RUNTIME_CHECK(HMAC_Init(ctx, (const void *) key, +- (int) len, EVP_sha1()) == 1); +-#else +- HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha1()); +-#endif ++ ctx->ctx = HMAC_CTX_new(); ++ RUNTIME_CHECK(ctx->ctx != NULL); ++ RUNTIME_CHECK(HMAC_Init_ex(ctx->ctx, (const void *) key, ++ (int) len, EVP_sha1(), NULL) == 1); + } + + void + isc_hmacsha1_invalidate(isc_hmacsha1_t *ctx) { +- HMAC_CTX_cleanup(ctx); ++ if (ctx->ctx == NULL) ++ return; ++ HMAC_CTX_free(ctx->ctx); ++ ctx->ctx = NULL; + } + + void + isc_hmacsha1_update(isc_hmacsha1_t *ctx, const unsigned char *buf, + unsigned int len) + { +-#ifdef 
HMAC_RETURN_INT +- RUNTIME_CHECK(HMAC_Update(ctx, buf, (int) len) == 1); +-#else +- HMAC_Update(ctx, buf, (int) len); +-#endif ++ RUNTIME_CHECK(HMAC_Update(ctx->ctx, buf, (int) len) == 1); + } + + void +@@ -66,12 +68,9 @@ isc_hmacsha1_sign(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len) { + + REQUIRE(len <= ISC_SHA1_DIGESTLENGTH); + +-#ifdef HMAC_RETURN_INT +- RUNTIME_CHECK(HMAC_Final(ctx, newdigest, NULL) == 1); +-#else +- HMAC_Final(ctx, newdigest, NULL); +-#endif +- HMAC_CTX_cleanup(ctx); ++ RUNTIME_CHECK(HMAC_Final(ctx->ctx, newdigest, NULL) == 1); ++ HMAC_CTX_free(ctx->ctx); ++ ctx->ctx = NULL; + memmove(digest, newdigest, len); + memset(newdigest, 0, sizeof(newdigest)); + } +@@ -80,28 +79,25 @@ void + isc_hmacsha224_init(isc_hmacsha224_t *ctx, const unsigned char *key, + unsigned int len) + { +-#ifdef HMAC_RETURN_INT +- RUNTIME_CHECK(HMAC_Init(ctx, (const void *) key, +- (int) len, EVP_sha224()) == 1); +-#else +- HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha224()); +-#endif ++ ctx->ctx = HMAC_CTX_new(); ++ RUNTIME_CHECK(ctx->ctx != NULL); ++ RUNTIME_CHECK(HMAC_Init_ex(ctx->ctx, (const void *) key, ++ (int) len, EVP_sha224(), NULL) == 1); + } + + void + isc_hmacsha224_invalidate(isc_hmacsha224_t *ctx) { +- HMAC_CTX_cleanup(ctx); ++ if (ctx->ctx == NULL) ++ return; ++ HMAC_CTX_free(ctx->ctx); ++ ctx->ctx = NULL; + } + + void + isc_hmacsha224_update(isc_hmacsha224_t *ctx, const unsigned char *buf, + unsigned int len) + { +-#ifdef HMAC_RETURN_INT +- RUNTIME_CHECK(HMAC_Update(ctx, buf, (int) len) == 1); +-#else +- HMAC_Update(ctx, buf, (int) len); +-#endif ++ RUNTIME_CHECK(HMAC_Update(ctx->ctx, buf, (int) len) == 1); + } + + void +@@ -110,12 +106,9 @@ isc_hmacsha224_sign(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len) { + + REQUIRE(len <= ISC_SHA224_DIGESTLENGTH); + +-#ifdef HMAC_RETURN_INT +- RUNTIME_CHECK(HMAC_Final(ctx, newdigest, NULL) == 1); +-#else +- HMAC_Final(ctx, newdigest, NULL); +-#endif +- HMAC_CTX_cleanup(ctx); ++ 
RUNTIME_CHECK(HMAC_Final(ctx->ctx, newdigest, NULL) == 1); ++ HMAC_CTX_free(ctx->ctx); ++ ctx->ctx = NULL; + memmove(digest, newdigest, len); + memset(newdigest, 0, sizeof(newdigest)); + } +@@ -124,28 +117,25 @@ void + isc_hmacsha256_init(isc_hmacsha256_t *ctx, const unsigned char *key, + unsigned int len) + { +-#ifdef HMAC_RETURN_INT +- RUNTIME_CHECK(HMAC_Init(ctx, (const void *) key, +- (int) len, EVP_sha256()) == 1); +-#else +- HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha256()); +-#endif ++ ctx->ctx = HMAC_CTX_new(); ++ RUNTIME_CHECK(ctx->ctx != NULL); ++ RUNTIME_CHECK(HMAC_Init_ex(ctx->ctx, (const void *) key, ++ (int) len, EVP_sha256(), NULL) == 1); + } + + void + isc_hmacsha256_invalidate(isc_hmacsha256_t *ctx) { +- HMAC_CTX_cleanup(ctx); ++ if (ctx->ctx == NULL) ++ return; ++ HMAC_CTX_free(ctx->ctx); ++ ctx->ctx = NULL; + } + + void + isc_hmacsha256_update(isc_hmacsha256_t *ctx, const unsigned char *buf, + unsigned int len) + { +-#ifdef HMAC_RETURN_INT +- RUNTIME_CHECK(HMAC_Update(ctx, buf, (int) len) == 1); +-#else +- HMAC_Update(ctx, buf, (int) len); +-#endif ++ RUNTIME_CHECK(HMAC_Update(ctx->ctx, buf, (int) len) == 1); + } + + void +@@ -154,12 +144,9 @@ isc_hmacsha256_sign(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len) { + + REQUIRE(len <= ISC_SHA256_DIGESTLENGTH); + +-#ifdef HMAC_RETURN_INT +- RUNTIME_CHECK(HMAC_Final(ctx, newdigest, NULL) == 1); +-#else +- HMAC_Final(ctx, newdigest, NULL); +-#endif +- HMAC_CTX_cleanup(ctx); ++ RUNTIME_CHECK(HMAC_Final(ctx->ctx, newdigest, NULL) == 1); ++ HMAC_CTX_free(ctx->ctx); ++ ctx->ctx = NULL; + memmove(digest, newdigest, len); + memset(newdigest, 0, sizeof(newdigest)); + } +@@ -168,28 +155,25 @@ void + isc_hmacsha384_init(isc_hmacsha384_t *ctx, const unsigned char *key, + unsigned int len) + { +-#ifdef HMAC_RETURN_INT +- RUNTIME_CHECK(HMAC_Init(ctx, (const void *) key, +- (int) len, EVP_sha384()) == 1); +-#else +- HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha384()); +-#endif ++ ctx->ctx 
= HMAC_CTX_new(); ++ RUNTIME_CHECK(ctx->ctx != NULL); ++ RUNTIME_CHECK(HMAC_Init_ex(ctx->ctx, (const void *) key, ++ (int) len, EVP_sha384(), NULL) == 1); + } + + void + isc_hmacsha384_invalidate(isc_hmacsha384_t *ctx) { +- HMAC_CTX_cleanup(ctx); ++ if (ctx->ctx == NULL) ++ return; ++ HMAC_CTX_free(ctx->ctx); ++ ctx->ctx = NULL; + } + + void + isc_hmacsha384_update(isc_hmacsha384_t *ctx, const unsigned char *buf, + unsigned int len) + { +-#ifdef HMAC_RETURN_INT +- RUNTIME_CHECK(HMAC_Update(ctx, buf, (int) len) == 1); +-#else +- HMAC_Update(ctx, buf, (int) len); +-#endif ++ RUNTIME_CHECK(HMAC_Update(ctx->ctx, buf, (int) len) == 1); + } + + void +@@ -198,12 +182,9 @@ isc_hmacsha384_sign(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len) { + + REQUIRE(len <= ISC_SHA384_DIGESTLENGTH); + +-#ifdef HMAC_RETURN_INT +- RUNTIME_CHECK(HMAC_Final(ctx, newdigest, NULL) == 1); +-#else +- HMAC_Final(ctx, newdigest, NULL); +-#endif +- HMAC_CTX_cleanup(ctx); ++ RUNTIME_CHECK(HMAC_Final(ctx->ctx, newdigest, NULL) == 1); ++ HMAC_CTX_free(ctx->ctx); ++ ctx->ctx = NULL; + memmove(digest, newdigest, len); + memset(newdigest, 0, sizeof(newdigest)); + } +@@ -212,28 +193,25 @@ void + isc_hmacsha512_init(isc_hmacsha512_t *ctx, const unsigned char *key, + unsigned int len) + { +-#ifdef HMAC_RETURN_INT +- RUNTIME_CHECK(HMAC_Init(ctx, (const void *) key, +- (int) len, EVP_sha512()) == 1); +-#else +- HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha512()); +-#endif ++ ctx->ctx = HMAC_CTX_new(); ++ RUNTIME_CHECK(ctx->ctx != NULL); ++ RUNTIME_CHECK(HMAC_Init_ex(ctx->ctx, (const void *) key, ++ (int) len, EVP_sha512(), NULL) == 1); + } + + void + isc_hmacsha512_invalidate(isc_hmacsha512_t *ctx) { +- HMAC_CTX_cleanup(ctx); ++ if (ctx->ctx == NULL) ++ return; ++ HMAC_CTX_free(ctx->ctx); ++ ctx->ctx = NULL; + } + + void + isc_hmacsha512_update(isc_hmacsha512_t *ctx, const unsigned char *buf, + unsigned int len) + { +-#ifdef HMAC_RETURN_INT +- RUNTIME_CHECK(HMAC_Update(ctx, buf, (int) len) 
== 1); +-#else +- HMAC_Update(ctx, buf, (int) len); +-#endif ++ RUNTIME_CHECK(HMAC_Update(ctx->ctx, buf, (int) len) == 1); + } + + void +@@ -242,12 +220,9 @@ isc_hmacsha512_sign(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len) { + + REQUIRE(len <= ISC_SHA512_DIGESTLENGTH); + +-#ifdef HMAC_RETURN_INT +- RUNTIME_CHECK(HMAC_Final(ctx, newdigest, NULL) == 1); +-#else +- HMAC_Final(ctx, newdigest, NULL); +-#endif +- HMAC_CTX_cleanup(ctx); ++ RUNTIME_CHECK(HMAC_Final(ctx->ctx, newdigest, NULL) == 1); ++ HMAC_CTX_free(ctx->ctx); ++ ctx->ctx = NULL; + memmove(digest, newdigest, len); + memset(newdigest, 0, sizeof(newdigest)); + } +diff --git a/lib/isc/include/isc/hmacmd5.h b/lib/isc/include/isc/hmacmd5.h +index 9d18b47..1ff0b87 100644 +--- a/lib/isc/include/isc/hmacmd5.h ++++ b/lib/isc/include/isc/hmacmd5.h +@@ -28,9 +28,15 @@ + #define ISC_HMACMD5_KEYLENGTH 64 + + #ifdef ISC_PLATFORM_OPENSSLHASH ++#include + #include + +-typedef HMAC_CTX isc_hmacmd5_t; ++typedef struct { ++ HMAC_CTX *ctx; ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++ HMAC_CTX _ctx; ++#endif ++} isc_hmacmd5_t; + + #elif PKCS11CRYPTO + #include +diff --git a/lib/isc/include/isc/hmacsha.h b/lib/isc/include/isc/hmacsha.h +index 30808fb..d90c194 100644 +--- a/lib/isc/include/isc/hmacsha.h ++++ b/lib/isc/include/isc/hmacsha.h +@@ -29,13 +29,21 @@ + #define ISC_HMACSHA512_KEYLENGTH ISC_SHA512_BLOCK_LENGTH + + #ifdef ISC_PLATFORM_OPENSSLHASH ++#include + #include + +-typedef HMAC_CTX isc_hmacsha1_t; +-typedef HMAC_CTX isc_hmacsha224_t; +-typedef HMAC_CTX isc_hmacsha256_t; +-typedef HMAC_CTX isc_hmacsha384_t; +-typedef HMAC_CTX isc_hmacsha512_t; ++typedef struct { ++ HMAC_CTX *ctx; ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++ HMAC_CTX _ctx; ++#endif ++} isc_hmacsha_t; ++ ++typedef isc_hmacsha_t isc_hmacsha1_t; ++typedef isc_hmacsha_t isc_hmacsha224_t; ++typedef isc_hmacsha_t isc_hmacsha256_t; ++typedef isc_hmacsha_t isc_hmacsha384_t; ++typedef isc_hmacsha_t isc_hmacsha512_t; + + #elif PKCS11CRYPTO + 
#include +diff --git a/lib/isc/include/isc/md5.h b/lib/isc/include/isc/md5.h +index 0af4e27..b707aa6 100644 +--- a/lib/isc/include/isc/md5.h ++++ b/lib/isc/include/isc/md5.h +@@ -46,9 +46,15 @@ + #define ISC_MD5_BLOCK_LENGTH 64U + + #ifdef ISC_PLATFORM_OPENSSLHASH ++#include + #include + +-typedef EVP_MD_CTX isc_md5_t; ++typedef struct { ++ EVP_MD_CTX *ctx; ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++ EVP_MD_CTX _ctx; ++#endif ++} isc_md5_t; + + #elif PKCS11CRYPTO + #include +diff --git a/lib/isc/include/isc/sha1.h b/lib/isc/include/isc/sha1.h +index c4fbfd3..7160a66 100644 +--- a/lib/isc/include/isc/sha1.h ++++ b/lib/isc/include/isc/sha1.h +@@ -27,9 +27,15 @@ + #define ISC_SHA1_BLOCK_LENGTH 64U + + #ifdef ISC_PLATFORM_OPENSSLHASH ++#include + #include + +-typedef EVP_MD_CTX isc_sha1_t; ++typedef struct { ++ EVP_MD_CTX *ctx; ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++ EVP_MD_CTX _ctx; ++#endif ++} isc_sha1_t; + + #elif PKCS11CRYPTO + #include +diff --git a/lib/isc/include/isc/sha2.h b/lib/isc/include/isc/sha2.h +index 8a28bed..196f120 100644 +--- a/lib/isc/include/isc/sha2.h ++++ b/lib/isc/include/isc/sha2.h +@@ -71,10 +71,18 @@ + /*** SHA-256/384/512 Context Structures *******************************/ + + #ifdef ISC_PLATFORM_OPENSSLHASH ++#include + #include + +-typedef EVP_MD_CTX isc_sha256_t; +-typedef EVP_MD_CTX isc_sha512_t; ++typedef struct { ++ EVP_MD_CTX *ctx; ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++ EVP_MD_CTX _ctx; ++#endif ++} isc_sha2_t; ++ ++typedef isc_sha2_t isc_sha256_t; ++typedef isc_sha2_t isc_sha512_t; + + #elif PKCS11CRYPTO + #include +diff --git a/lib/isc/md5.c b/lib/isc/md5.c +index 0a79263..8ada1cc 100644 +--- a/lib/isc/md5.c ++++ b/lib/isc/md5.c +@@ -45,28 +45,38 @@ + #include + + #ifdef ISC_PLATFORM_OPENSSLHASH ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++#define EVP_MD_CTX_new() &(ctx->_ctx) ++#define EVP_MD_CTX_free(ptr) EVP_MD_CTX_cleanup(ptr) ++#endif ++ + void + isc_md5_init(isc_md5_t *ctx) { +- 
RUNTIME_CHECK(EVP_DigestInit(ctx, EVP_md5()) == 1); ++ ctx->ctx = EVP_MD_CTX_new(); ++ RUNTIME_CHECK(ctx->ctx != NULL); ++ RUNTIME_CHECK(EVP_DigestInit(ctx->ctx, EVP_md5()) == 1); + } + + void + isc_md5_invalidate(isc_md5_t *ctx) { +- EVP_MD_CTX_cleanup(ctx); ++ EVP_MD_CTX_free(ctx->ctx); ++ ctx->ctx = NULL; + } + + void + isc_md5_update(isc_md5_t *ctx, const unsigned char *buf, unsigned int len) { + if (len == 0U) + return; +- RUNTIME_CHECK(EVP_DigestUpdate(ctx, ++ RUNTIME_CHECK(EVP_DigestUpdate(ctx->ctx, + (const void *) buf, + (size_t) len) == 1); + } + + void + isc_md5_final(isc_md5_t *ctx, unsigned char *digest) { +- RUNTIME_CHECK(EVP_DigestFinal(ctx, digest, NULL) == 1); ++ RUNTIME_CHECK(EVP_DigestFinal(ctx->ctx, digest, NULL) == 1); ++ EVP_MD_CTX_free(ctx->ctx); ++ ctx->ctx = NULL; + } + + #elif PKCS11CRYPTO +diff --git a/lib/isc/sha1.c b/lib/isc/sha1.c +index e41b17c..1b7bc19 100644 +--- a/lib/isc/sha1.c ++++ b/lib/isc/sha1.c +@@ -41,17 +41,25 @@ + #endif + + #ifdef ISC_PLATFORM_OPENSSLHASH ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++#define EVP_MD_CTX_new() &(context->_ctx) ++#define EVP_MD_CTX_free(ptr) EVP_MD_CTX_cleanup(ptr) ++#endif ++ + void + isc_sha1_init(isc_sha1_t *context) + { + INSIST(context != NULL); + +- RUNTIME_CHECK(EVP_DigestInit(context, EVP_sha1()) == 1); ++ context->ctx = EVP_MD_CTX_new(); ++ RUNTIME_CHECK(context->ctx != NULL); ++ RUNTIME_CHECK(EVP_DigestInit(context->ctx, EVP_sha1()) == 1); + } + + void + isc_sha1_invalidate(isc_sha1_t *context) { +- EVP_MD_CTX_cleanup(context); ++ EVP_MD_CTX_free(context->ctx); ++ context->ctx = NULL; + } + + void +@@ -59,9 +67,10 @@ isc_sha1_update(isc_sha1_t *context, const unsigned char *data, + unsigned int len) + { + INSIST(context != 0); ++ INSIST(context->ctx != 0); + INSIST(data != 0); + +- RUNTIME_CHECK(EVP_DigestUpdate(context, ++ RUNTIME_CHECK(EVP_DigestUpdate(context->ctx, + (const void *) data, + (size_t) len) == 1); + } +@@ -70,8 +79,11 @@ void + isc_sha1_final(isc_sha1_t *context, 
unsigned char *digest) { + INSIST(digest != 0); + INSIST(context != 0); ++ INSIST(context->ctx != 0); + +- RUNTIME_CHECK(EVP_DigestFinal(context, digest, NULL) == 1); ++ RUNTIME_CHECK(EVP_DigestFinal(context->ctx, digest, NULL) == 1); ++ EVP_MD_CTX_free(context->ctx); ++ context->ctx = NULL; + } + + #elif PKCS11CRYPTO +diff --git a/lib/isc/sha2.c b/lib/isc/sha2.c +index a3c00c9..26a940a 100644 +--- a/lib/isc/sha2.c ++++ b/lib/isc/sha2.c +@@ -61,18 +61,26 @@ + #endif + + #ifdef ISC_PLATFORM_OPENSSLHASH ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++#define EVP_MD_CTX_new() &(context->_ctx) ++#define EVP_MD_CTX_free(ptr) EVP_MD_CTX_cleanup(ptr) ++#define EVP_MD_CTX_reset(c) EVP_MD_CTX_cleanup(c) ++#endif + + void + isc_sha224_init(isc_sha224_t *context) { + if (context == (isc_sha224_t *)0) { + return; + } +- RUNTIME_CHECK(EVP_DigestInit(context, EVP_sha224()) == 1); ++ context->ctx = EVP_MD_CTX_new(); ++ RUNTIME_CHECK(context->ctx != NULL); ++ RUNTIME_CHECK(EVP_DigestInit(context->ctx, EVP_sha224()) == 1); + } + + void + isc_sha224_invalidate(isc_sha224_t *context) { +- EVP_MD_CTX_cleanup(context); ++ EVP_MD_CTX_free(context->ctx); ++ context->ctx = NULL; + } + + void +@@ -83,9 +91,11 @@ isc_sha224_update(isc_sha224_t *context, const isc_uint8_t* data, size_t len) { + } + + /* Sanity check: */ +- REQUIRE(context != (isc_sha224_t *)0 && data != (isc_uint8_t*)0); ++ REQUIRE(context != (isc_sha224_t *)0); ++ REQUIRE(context->ctx != (EVP_MD_CTX *)0); ++ REQUIRE(data != (isc_uint8_t*)0); + +- RUNTIME_CHECK(EVP_DigestUpdate(context, ++ RUNTIME_CHECK(EVP_DigestUpdate(context->ctx, + (const void *) data, len) == 1); + } + +@@ -93,13 +103,14 @@ void + isc_sha224_final(isc_uint8_t digest[], isc_sha224_t *context) { + /* Sanity check: */ + REQUIRE(context != (isc_sha224_t *)0); ++ REQUIRE(context->ctx != (EVP_MD_CTX *)0); + + /* If no digest buffer is passed, we don't bother doing this: */ +- if (digest != (isc_uint8_t*)0) { +- RUNTIME_CHECK(EVP_DigestFinal(context, digest, 
NULL) == 1); +- } else { +- EVP_MD_CTX_cleanup(context); +- } ++ if (digest != (isc_uint8_t*)0) ++ RUNTIME_CHECK(EVP_DigestFinal(context->ctx, ++ digest, NULL) == 1); ++ EVP_MD_CTX_free(context->ctx); ++ context->ctx = NULL; + } + + void +@@ -107,12 +118,15 @@ isc_sha256_init(isc_sha256_t *context) { + if (context == (isc_sha256_t *)0) { + return; + } +- RUNTIME_CHECK(EVP_DigestInit(context, EVP_sha256()) == 1); ++ context->ctx = EVP_MD_CTX_new(); ++ RUNTIME_CHECK(context->ctx != NULL); ++ RUNTIME_CHECK(EVP_DigestInit(context->ctx, EVP_sha256()) == 1); + } + + void + isc_sha256_invalidate(isc_sha256_t *context) { +- EVP_MD_CTX_cleanup(context); ++ EVP_MD_CTX_free(context->ctx); ++ context->ctx = NULL; + } + + void +@@ -123,9 +137,11 @@ isc_sha256_update(isc_sha256_t *context, const isc_uint8_t *data, size_t len) { + } + + /* Sanity check: */ +- REQUIRE(context != (isc_sha256_t *)0 && data != (isc_uint8_t*)0); ++ REQUIRE(context != (isc_sha256_t *)0); ++ REQUIRE(context->ctx != (EVP_MD_CTX *)0); ++ REQUIRE(data != (isc_uint8_t*)0); + +- RUNTIME_CHECK(EVP_DigestUpdate(context, ++ RUNTIME_CHECK(EVP_DigestUpdate(context->ctx, + (const void *) data, len) == 1); + } + +@@ -133,13 +149,14 @@ void + isc_sha256_final(isc_uint8_t digest[], isc_sha256_t *context) { + /* Sanity check: */ + REQUIRE(context != (isc_sha256_t *)0); ++ REQUIRE(context->ctx != (EVP_MD_CTX *)0); + + /* If no digest buffer is passed, we don't bother doing this: */ +- if (digest != (isc_uint8_t*)0) { +- RUNTIME_CHECK(EVP_DigestFinal(context, digest, NULL) == 1); +- } else { +- EVP_MD_CTX_cleanup(context); +- } ++ if (digest != (isc_uint8_t*)0) ++ RUNTIME_CHECK(EVP_DigestFinal(context->ctx, ++ digest, NULL) == 1); ++ EVP_MD_CTX_free(context->ctx); ++ context->ctx = NULL; + } + + void +@@ -147,12 +164,15 @@ isc_sha512_init(isc_sha512_t *context) { + if (context == (isc_sha512_t *)0) { + return; + } +- RUNTIME_CHECK(EVP_DigestInit(context, EVP_sha512()) == 1); ++ context->ctx = EVP_MD_CTX_new(); ++ 
RUNTIME_CHECK(context->ctx != NULL); ++ RUNTIME_CHECK(EVP_DigestInit(context->ctx, EVP_sha512()) == 1); + } + + void + isc_sha512_invalidate(isc_sha512_t *context) { +- EVP_MD_CTX_cleanup(context); ++ EVP_MD_CTX_free(context->ctx); ++ context->ctx = NULL; + } + + void isc_sha512_update(isc_sha512_t *context, const isc_uint8_t *data, size_t len) { +@@ -162,22 +182,25 @@ void isc_sha512_update(isc_sha512_t *context, const isc_uint8_t *data, size_t le + } + + /* Sanity check: */ +- REQUIRE(context != (isc_sha512_t *)0 && data != (isc_uint8_t*)0); ++ REQUIRE(context != (isc_sha512_t *)0); ++ REQUIRE(context->ctx != (EVP_MD_CTX *)0); ++ REQUIRE(data != (isc_uint8_t*)0); + +- RUNTIME_CHECK(EVP_DigestUpdate(context, ++ RUNTIME_CHECK(EVP_DigestUpdate(context->ctx, + (const void *) data, len) == 1); + } + + void isc_sha512_final(isc_uint8_t digest[], isc_sha512_t *context) { + /* Sanity check: */ + REQUIRE(context != (isc_sha512_t *)0); ++ REQUIRE(context->ctx != (EVP_MD_CTX *)0); + + /* If no digest buffer is passed, we don't bother doing this: */ +- if (digest != (isc_uint8_t*)0) { +- RUNTIME_CHECK(EVP_DigestFinal(context, digest, NULL) == 1); +- } else { +- EVP_MD_CTX_cleanup(context); +- } ++ if (digest != (isc_uint8_t*)0) ++ RUNTIME_CHECK(EVP_DigestFinal(context->ctx, ++ digest, NULL) == 1); ++ EVP_MD_CTX_free(context->ctx); ++ context->ctx = NULL; + } + + void +@@ -185,12 +208,15 @@ isc_sha384_init(isc_sha384_t *context) { + if (context == (isc_sha384_t *)0) { + return; + } +- RUNTIME_CHECK(EVP_DigestInit(context, EVP_sha384()) == 1); ++ context->ctx = EVP_MD_CTX_new(); ++ RUNTIME_CHECK(context->ctx != NULL); ++ RUNTIME_CHECK(EVP_DigestInit(context->ctx, EVP_sha384()) == 1); + } + + void + isc_sha384_invalidate(isc_sha384_t *context) { +- EVP_MD_CTX_cleanup(context); ++ EVP_MD_CTX_free(context->ctx); ++ context->ctx = NULL; + } + + void +@@ -201,9 +227,11 @@ isc_sha384_update(isc_sha384_t *context, const isc_uint8_t* data, size_t len) { + } + + /* Sanity check: */ +- 
REQUIRE(context != (isc_sha512_t *)0 && data != (isc_uint8_t*)0); ++ REQUIRE(context != (isc_sha512_t *)0); ++ REQUIRE(context->ctx != (EVP_MD_CTX *)0); ++ REQUIRE(data != (isc_uint8_t*)0); + +- RUNTIME_CHECK(EVP_DigestUpdate(context, ++ RUNTIME_CHECK(EVP_DigestUpdate(context->ctx, + (const void *) data, len) == 1); + } + +@@ -211,13 +239,14 @@ void + isc_sha384_final(isc_uint8_t digest[], isc_sha384_t *context) { + /* Sanity check: */ + REQUIRE(context != (isc_sha384_t *)0); ++ REQUIRE(context->ctx != (EVP_MD_CTX *)0); + + /* If no digest buffer is passed, we don't bother doing this: */ +- if (digest != (isc_uint8_t*)0) { +- RUNTIME_CHECK(EVP_DigestFinal(context, digest, NULL) == 1); +- } else { +- EVP_MD_CTX_cleanup(context); +- } ++ if (digest != (isc_uint8_t*)0) ++ RUNTIME_CHECK(EVP_DigestFinal(context->ctx, ++ digest, NULL) == 1); ++ EVP_MD_CTX_free(context->ctx); ++ context->ctx = NULL; + } + + #elif PKCS11CRYPTO +@@ -1578,7 +1607,7 @@ isc_sha224_end(isc_sha224_t *context, char buffer[]) { + *buffer = (char)0; + } else { + #ifdef ISC_PLATFORM_OPENSSLHASH +- EVP_MD_CTX_cleanup(context); ++ EVP_MD_CTX_reset(context->ctx); + #elif PKCS11CRYPTO + pk11_return_session(context); + #else +@@ -1619,7 +1648,7 @@ isc_sha256_end(isc_sha256_t *context, char buffer[]) { + *buffer = (char)0; + } else { + #ifdef ISC_PLATFORM_OPENSSLHASH +- EVP_MD_CTX_cleanup(context); ++ EVP_MD_CTX_reset(context->ctx); + #elif PKCS11CRYPTO + pk11_return_session(context); + #else +@@ -1660,7 +1689,7 @@ isc_sha512_end(isc_sha512_t *context, char buffer[]) { + *buffer = (char)0; + } else { + #ifdef ISC_PLATFORM_OPENSSLHASH +- EVP_MD_CTX_cleanup(context); ++ EVP_MD_CTX_reset(context->ctx); + #elif PKCS11CRYPTO + pk11_return_session(context); + #else +@@ -1701,7 +1730,7 @@ isc_sha384_end(isc_sha384_t *context, char buffer[]) { + *buffer = (char)0; + } else { + #ifdef ISC_PLATFORM_OPENSSLHASH +- EVP_MD_CTX_cleanup(context); ++ EVP_MD_CTX_reset(context->ctx); + #elif PKCS11CRYPTO + 
pk11_return_session(context); + #else +diff --git a/win32utils/Configure b/win32utils/Configure +index 9aef5bc..0e2da8e 100644 +--- a/win32utils/Configure ++++ b/win32utils/Configure +@@ -432,7 +432,6 @@ my @substdefh = ("AES_CC", + "HAVE_PKCS11_GOST", + "HAVE_READLINE", + "HAVE_ZLIB", +- "HMAC_RETURN_INT", + "HMAC_SHA1_CC", + "HMAC_SHA256_CC", + "ISC_LIST_CHECKINIT", +@@ -1590,8 +1589,14 @@ if ($use_openssl eq "no") { + foreach $file (sort {uc($b) cmp uc($a)} @dirlist) { + if (-f File::Spec->catfile($openssl_path, + $file, +- "inc32\\openssl", +- "opensslv.h")) { ++ "inc32\\openssl\\opensslv.h")) { ++ $openssl_path = File::Spec->catdir($openssl_path, $file); ++ $use_openssl = "yes"; ++ last; ++ } ++ if (-f File::Spec->catfile($openssl_path, ++ $file, ++ "include\\openssl\\opensslv.h")) { + $openssl_path = File::Spec->catdir($openssl_path, $file); + $use_openssl = "yes"; + last; +@@ -1609,21 +1614,50 @@ if ($use_openssl eq "yes") { + if ($verbose) { + print "checking for OpenSSL built directory at \"$openssl_path\"\n"; + } ++ my $openssl_new = 0; + if (!-f File::Spec->catfile($openssl_path, +- "inc32\\openssl", +- "opensslv.h")) { +- die "can't find OpenSSL opensslv.h include\n"; +- } +- if (!-f File::Spec->catfile($openssl_path, "out32dll", "libeay32.lib")) { +- die "can't find OpenSSL libeay32.lib library\n"; +- } +- if (!-f File::Spec->catfile($openssl_path, "out32dll", "libeay32.dll")) { +- die "can't find OpenSSL libeay32.dll DLL\n"; ++ "inc32\\openssl\\opensslv.h")) { ++ $openssl_new = 1; ++ if (!-f File::Spec->catfile($openssl_path, ++ "include\\openssl\\opensslv.h")) { ++ die "can't find OpenSSL opensslv.h include\n"; ++ } + } + my $openssl_inc = File::Spec->catdir($openssl_path, "inc32"); + my $openssl_libdir = File::Spec->catdir($openssl_path, "out32dll"); + my $openssl_lib = File::Spec->catfile($openssl_libdir, "libeay32.lib"); + my $openssl_dll = File::Spec->catfile($openssl_libdir, "libeay32.dll"); ++ if (!$openssl_new) { ++ # Check libraries are where 
we expect ++ if (!-f $openssl_lib) { ++ die "can't find OpenSSL libeay32.lib library\n"; ++ } ++ if (!-f $openssl_dll) { ++ die "can't find OpenSSL libeay32.dll DLL\n"; ++ } ++ } else { ++ # OpenSSL >= 1.1 is easier at the exception of the DLL ++ if ($verbose) { ++ print "new (>= 1.1) OpenSSL version\n"; ++ } ++ $openssl_inc = File::Spec->catdir($openssl_path, "include"); ++ $openssl_libdir = $openssl_path; ++ $openssl_lib = File::Spec->catfile($openssl_path, "libcrypto.lib"); ++ if (!-f $openssl_lib) { ++ die "can't find OpenSSL libcrypto.lib library\n"; ++ } ++ opendir DIR, $openssl_path || die "No Directory: $!\n"; ++ my @dirlist = grep (/^libcrypto-[^.]+\.dll$/i, readdir(DIR)); ++ closedir(DIR); ++ # We must get one file only ++ if (scalar(@dirlist) == 0) { ++ die "can't find OpenSSL libcrypto-*.dll DLL\n"; ++ } ++ if (scalar(@dirlist) != 1) { ++ die "find more than one OpenSSL libcrypto-*.dll DLL candidate\n"; ++ } ++ $openssl_dll = File::Spec->catdir($openssl_path, "@dirlist[0]"); ++ } + + $configcond{"OPENSSL"} = 1; + $configdefd{"CRYPTO"} = "OPENSSL"; +@@ -2055,30 +2089,6 @@ if ($enable_openssl_hash eq "yes") { + die "No OpenSSL for hash functions\n"; + } + $configdefp{"ISC_PLATFORM_OPENSSLHASH"} = 1; +- if ($verbose) { +- print "checking HMAC_Init() return type\n"; +- } +- open F, ">testhmac.c" || die $!; +- print F << 'EOF'; +-#include +- +-int +-main(void) +-{ +- HMAC_CTX ctx; +- int n = HMAC_Init(&ctx, NULL, 0, NULL); +- n += HMAC_Update(&ctx, NULL, 0); +- n += HMAC_Final(&ctx, NULL, NULL); +- return(n); +-} +-EOF +- close F; +- my $include = $configinc{"OPENSSL_INC"}; +- my $library = $configlib{"OPENSSL_LIB"}; +- $compret = `cl /nologo /MD /I "$include" testhmac.c "$library"`; +- if (grep { -f and -x } ".\\testhmac.exe") { +- $configdefh{"HMAC_RETURN_INT"} = 1; +- } + } + + # with-pkcs11 +@@ -3186,7 +3196,11 @@ sub makeinstallfile { + print LOUT "liblwres.dll-BCFT\n"; + print LOUT "libirs.dll-BCFT\n"; + if ($use_openssl eq "yes") { +- print LOUT 
"libeay32.dll-BCFT\n"; ++ my $v; ++ my $d; ++ my $name; ++ ($v, $d, $name) =File::Spec->splitpath($configdll{"OPENSSL_DLL"}); ++ print LOUT "${name}-BCFT\n"; + } + if ($use_libxml2 eq "yes") { + print LOUT "libxml2.dll-BCFT\n"; +-- +2.9.0 + + diff --git a/bind-9.10-sdb.patch b/bind-9.10-sdb.patch index 3938b4b..333ebc6 100644 --- a/bind-9.10-sdb.patch +++ b/bind-9.10-sdb.patch @@ -7,9 +7,9 @@ index 7654169..b4c9c03 100644 top_srcdir = @top_srcdir@ -SUBDIRS = named named-pkcs11 rndc dig delv dnssec dnssec-pkcs11 tools tests nsupdate \ -- check confgen @PYTHON_TOOLS@ @PKCS11_TOOLS@ +- check confgen @NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ +SUBDIRS = named named-sdb named-pkcs11 rndc dig delv dnssec dnssec-pkcs11 tools tests nsupdate \ -+ check confgen @PYTHON_TOOLS@ @PKCS11_TOOLS@ sdb_tools ++ check confgen @NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ sdb_tools TARGETS = @BIND9_MAKE_RULES@ @@ -40,10 +40,10 @@ index ba5ec3c..d7ac259 100644 GEOIPLINKOBJS = geoip.@O@ -@@ -144,7 +144,7 @@ config.@O@: config.c - -DNS_SYSCONFDIR=\"${sysconfdir}\" \ - -c ${srcdir}/config.c - +@@ -144,7 +144,7 @@ server.@O@: server.c + -DPRODUCT=\"${PRODUCT}\" \ + -DVERSION=\"${VERSION}\" -c ${srcdir}/server.c + -named@EXEEXT@: ${OBJS} ${UOBJS} ${DEPLIBS} +named-sdb@EXEEXT@: ${OBJS} ${UOBJS} ${DEPLIBS} export MAKE_SYMTABLE="yes"; \ @@ -93,7 +93,7 @@ index 306295f..a7f3327 100644 + sqlitedb_clear(); + isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, - ISC_LOG_NOTICE, "starting %s %s%s%s %s", + ISC_LOG_NOTICE, "starting %s %s%s%s ", ns_g_product, ns_g_version, @@ -1099,6 +1108,75 @@ setup(void) { isc_result_totext(result)); @@ -280,7 +280,7 @@ diff --git a/configure.in b/configure.in index 6dab9dc..f84d161 100644 --- a/configure.in +++ b/configure.in -@@ -4686,12 +4686,15 @@ AC_CONFIG_FILES([ +@@ -4686,30 +4686,33 @@ AC_CONFIG_FILES([ bin/named/unix/Makefile bin/named-pkcs11/Makefile bin/named-pkcs11/unix/Makefile 
@@ -289,8 +289,26 @@ index 6dab9dc..f84d161 100644 bin/nsupdate/Makefile bin/pkcs11/Makefile bin/python/Makefile + bin/python/isc/Makefile + bin/python/isc/utils.py + bin/python/isc/tests/Makefile bin/python/dnssec-checkds.py bin/python/dnssec-coverage.py + bin/python/dnssec-keymgr.py + bin/python/isc/__init__.py + bin/python/isc/checkds.py + bin/python/isc/coverage.py + bin/python/isc/dnskey.py + bin/python/isc/eventlist.py + bin/python/isc/keydict.py + bin/python/isc/keyevent.py + bin/python/isc/keymgr.py + bin/python/isc/keyseries.py + bin/python/isc/keyzone.py + bin/python/isc/policy.py + bin/python/isc/rndc.py + bin/python/isc/tests/dnskey_test.py + bin/python/isc/tests/policy_test.py bin/rndc/Makefile + bin/sdb_tools/Makefile bin/tests/Makefile diff --git a/bind-9.3.2b1-fix_sdb_ldap.patch b/bind-9.3.2b1-fix_sdb_ldap.patch index 0ebae51..d027bb9 100644 --- a/bind-9.3.2b1-fix_sdb_ldap.patch +++ b/bind-9.3.2b1-fix_sdb_ldap.patch @@ -39,14 +39,6 @@ diff --git a/bin/sdb_tools/zone2ldap.c b/bin/sdb_tools/zone2ldap.c index 23dd873..d56bc56 100644 --- a/bin/sdb_tools/zone2ldap.c +++ b/bin/sdb_tools/zone2ldap.c -@@ -26,6 +26,7 @@ - #include - #include - #include -+#include - #include - - #include @@ -65,6 +66,9 @@ ldap_info; /* usage Info */ void usage (void); diff --git a/bind-99-libidn.patch b/bind-99-libidn.patch index a03cc96..d782e66 100644 --- a/bind-99-libidn.patch +++ b/bind-99-libidn.patch @@ -167,7 +167,7 @@ index 3ca7cb9..f11884e 100644 #else if (lookup->origin != NULL) { debug("trying origin %s", lookup->origin->origin); -@@ -2348,6 +2387,13 @@ setup_lookup(dig_lookup_t *lookup) { +@@ -2372,6 +2411,13 @@ setup_lookup(dig_lookup_t *lookup) { result = dns_name_fromtext(lookup->name, &b, dns_rootname, 0, &lookup->namebuf); @@ -179,7 +179,7 @@ index 3ca7cb9..f11884e 100644 + dns_rootname, 0, + &lookup->namebuf); #else - len = strlen(lookup->textname); + len = (unsigned int) strlen(lookup->textname); isc_buffer_init(&b, lookup->textname, len); 
@@ -4227,7 +4273,7 @@ destroy_libs(void) { void * ptr; diff --git a/bind.spec b/bind.spec index 162a65f..8dcb413 100644 --- a/bind.spec +++ b/bind.spec @@ -2,7 +2,7 @@ # Red Hat BIND package .spec file # -%global PATCHVER P4 +%global PATCHVER P1 #%%global PREVER rc1 %global VERSION %{version}%{?PREVER}%{?PATCHVER:-%{PATCHVER}} @@ -23,9 +23,9 @@ # Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server Name: bind -License: ISC -Version: 9.10.4 -Release: 3%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} +License: MPLv2.0 +Version: 9.11.0 +Release: 1%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} Epoch: 32 Url: http://www.isc.org/products/BIND/ Buildroot:%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -66,11 +66,9 @@ Patch101:bind-96-old-api.patch Patch102:bind-95-rh452060.patch Patch106:bind93-rh490837.patch Patch109:bind97-rh478718.patch -Patch110:bind97-rh570851.patch Patch112:bind97-rh645544.patch Patch119:bind97-rh693982.patch Patch123:bind98-rh735103.patch -Patch125:bind99-buildfix.patch Patch130:bind-9.9.1-P2-dlz-libdb.patch Patch131:bind-9.9.1-P2-multlib-conflict.patch Patch133:bind99-rh640538.patch @@ -90,7 +88,6 @@ Patch12: bind-9.10-sdb.patch # needs inpection Patch17: bind-9.3.2b1-fix_sdb_ldap.patch -Patch104: bind-9.10-dyndb.patch # [ISC-Bugs #36101] IDN support in host/dig/nslookup using GNU libidn(2) Patch73: bind-99-libidn.patch @@ -101,6 +98,8 @@ Requires(preun): systemd Requires(postun): systemd Requires: coreutils Requires(pre): shadow-utils +Requires: python3-ply +BuildRequires: python3-ply Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release} Obsoletes: bind-config < 30:9.3.2-34.fc6 Provides: bind-config = 30:9.3.2-34.fc6 
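Review bot: `Patch104: bind-9.10-dyndb.patch` is dropped from the spec in hunk `@@ -90,7 +88,6 @@` (and its `%patch104 -p1 -b .dyndb` line in `@@ -298,7 +306,6 @@`), but the patch file itself is not removed by this change: the only deletions here are bind97-rh570851.patch and bind99-buildfix.patch, and nothing is deleted between bind-9.10-dist-native-pkcs11.patch and bind-9.10-sdb.patch where git would list it. An orphaned patch file is easy to re-add by mistake on the next rebase and makes it unclear whether the drop was intentional. Delete the file in the same commit, or, if it is deliberately kept for reference, say so next to the remaining Patch lines, e.g. `# bind-9.10-dyndb.patch is no longer applied as of 9.11.0; kept for reference only`.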
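Review bot: `Requires: python3-ply` is added to the main bind package in hunk `@@ -101,6 +98,8 @@`, while the Python module this update introduces ships in the new python3-bind subpackage (hunk `@@ -291,6 +290,15 @@`), whose Requires list only bind-license and python3. If ply is consumed by the isc Python package (the configure file list refreshed in bind-9.10-sdb.patch adds bin/python/isc/policy.py and friends), the runtime dependency belongs under `%package -n python3-bind` as `Requires: python3-ply`, with only `BuildRequires: python3-ply` staying at the top. I cannot tell from this diff which package ships dnssec-keymgr, so if the main package really needs ply at runtime, a comment naming the consumer next to the Requires line would keep the next reviewer from moving it.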
@@ -291,6 +290,15 @@ chroot(2) jail for the named-sdb(8) program from the BIND package. Based on the code from Jan "Yenya" Kasprzak %endif +%package -n python3-bind +Summary: A module allowing rndc commands to be sent from Python programs +Group: Applications/System +Requires: bind-license = %{epoch}:%{version}-%{release} +Requires: python3 +%{?python_provide:%python_provide python3-bind} + +%description -n python3-bind +This package provides a module which allows commands to be sent to rndc directly from Python programs. %prep %setup -q -n %{name}-%{VERSION} @@ -298,7 +306,6 @@ Based on the code from Jan "Yenya" Kasprzak # Common patches %patch10 -p1 -b .PIE %patch16 -p1 -b .redhat_doc -%patch104 -p1 -b .dyndb %ifnarch alpha ia64 %patch72 -p1 -b .64bit %endif @@ -306,12 +313,11 @@ Based on the code from Jan "Yenya" Kasprzak %patch102 -p1 -b .rh452060 %patch106 -p0 -b .rh490837 %patch109 -p1 -b .rh478718 -%patch110 -p1 -b .rh570851 %patch112 -p1 -b .rh645544 %patch119 -p1 -b .rh693982 -%patch125 -p1 -b .buildfix %patch130 -p1 -b .libdb %patch131 -p1 -b .multlib-conflict +%patch138 -p1 -b .rh1390238 %if %{PKCS11} cp -r bin/named{,-pkcs11} @@ -351,7 +357,6 @@ cp -fp contrib/sdb/sqlite/zone2sqlite.c bin/sdb_tools %patch133 -p1 -b .rh640538 %patch134 -p1 -b .rh669163 -%patch138 -p1 -b .rh1390238 # Sparc and s390 arches need to use -fPIE %ifarch sparcv9 sparc64 s390 s390x @@ -765,12 +770,14 @@ rm -rf ${RPM_BUILD_ROOT} %{_unitdir}/named-setup-rndc.service %{_sbindir}/named-journalprint %{_sbindir}/named-checkconf -%{_sbindir}/named-rrchecker +%{_bindir}/named-rrchecker +%{_bindir}/mdig %{_sbindir}/lwresd %{_sbindir}/named %{_sbindir}/rndc* %{_sbindir}/tsig-keygen %{_libexecdir}/generate-rndc-key.sh +%{_mandir}/man1/mdig.1* %{_mandir}/man1/named-rrchecker.1* %{_mandir}/man5/named.conf.5* %{_mandir}/man5/rndc.conf.5* 
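Review bot: `%patch138 -p1 -b .rh1390238` moves from the later patch block (removed in hunk `@@ -351,7 +357,6 @@`) to just before `cp -r bin/named{,-pkcs11}` in hunk `@@ -306,12 +313,11 @@`, and the reason for the reorder is not recorded in the spec. The placement looks intentional, presumably so the fix is present in bin/named-pkcs11 as well, but it also changes the order relative to %patch133 and %patch134, which stay in the later block; if they touch the same files, the new order should be verified. A one-line comment above the moved line, `# must be applied before bin/named is copied to bin/named-pkcs11`, would stop a future rebase from moving it back.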
@@ -831,16 +838,16 @@ rm -rf ${RPM_BUILD_ROOT} %files libs %defattr(-,root,root,-) -%{_libdir}/libbind9.so.140* -%{_libdir}/libisccc.so.140* -%{_libdir}/liblwres.so.141* +%{_libdir}/libbind9.so.160* +%{_libdir}/libisccc.so.160* +%{_libdir}/liblwres.so.160* %files libs-lite %defattr(-,root,root,-) -%{_libdir}/libdns.so.165* -%{_libdir}/libirs.so.141* +%{_libdir}/libdns.so.166* +%{_libdir}/libirs.so.160* %{_libdir}/libisc.so.160* -%{_libdir}/libisccfg.so.140* +%{_libdir}/libisccfg.so.160* %files license %defattr(-,root,root,-) @@ -854,7 +861,7 @@ rm -rf ${RPM_BUILD_ROOT} %{_bindir}/host %{_bindir}/nslookup %{_bindir}/nsupdate -%{_sbindir}/arpaname +%{_bindir}/arpaname %{_sbindir}/ddns-confgen %{_sbindir}/genrandom %{_sbindir}/nsec3hash @@ -893,6 +900,7 @@ rm -rf ${RPM_BUILD_ROOT} %{_includedir}/bind9/bind9 %{_includedir}/bind9/isccc %{_includedir}/bind9/lwres +%{_includedir}/bind9/pk11 %{_mandir}/man1/isc-config.sh.1* %{_mandir}/man1/bind9-config.1* %{_mandir}/man3/lwres* @@ -992,7 +1000,7 @@ rm -rf ${RPM_BUILD_ROOT} %files pkcs11-libs %defattr(-,root,root,-) -%{_libdir}/libdns-pkcs11.so.165* +%{_libdir}/libdns-pkcs11.so.166* %{_libdir}/libisc-pkcs11.so.160* %files pkcs11-devel @@ -1003,8 +1011,16 @@ rm -rf ${RPM_BUILD_ROOT} %{_libdir}/libisc-pkcs11.so %endif +%files -n python3-bind +%defattr(-,root,root,-) +%{python3_sitelib}/*py* +%{python3_sitelib}/isc/*py +%{python3_sitelib}/isc/__pycache__/*py* %changelog +* Wed Nov 16 2016 Michal Ruprich - 32:9.11.0-1.P1 +- Update to 9.11.0-P1 + * Tue Nov 08 2016 Petr Menšík - 32:9.10.4-3.P4 - Build with OpenSSL 1.1 diff --git a/bind97-rh570851.patch b/bind97-rh570851.patch deleted file mode 100644 index 08fc682..0000000 --- a/bind97-rh570851.patch +++ /dev/null 
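Review bot: The new `%files -n python3-bind` list in hunk `@@ -1003,8 +1011,16 @@` owns the files under %{python3_sitelib}/isc and isc/__pycache__ but not the two directories themselves, so they are left unowned after install. Replacing the two isc lines with `%{python3_sitelib}/isc/` owns the directory and everything beneath it; alternatively add `%dir %{python3_sitelib}/isc` and `%dir %{python3_sitelib}/isc/__pycache__`. What the top-level `%{python3_sitelib}/*py*` glob is meant to match is not visible in this diff; naming those files explicitly would document it and keep the glob from silently picking up other build products. The changelog entry in the same hunk records only the version update; the License tag change, the dropped patches and the new subpackage are worth a line each.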
@@ -1,151 +0,0 @@ -diff -up bind-9.9.5b1/bin/dig/dighost.c.rh570851 bind-9.9.5b1/bin/dig/dighost.c ---- bind-9.9.5b1/bin/dig/dighost.c.rh570851 2014-01-06 13:49:25.230380554 +0100 -+++ bind-9.9.5b1/bin/dig/dighost.c 2014-01-06 13:54:25.804839409 +0100 -@@ -131,6 +131,7 @@ isc_boolean_t - showsearch = ISC_FALSE, - qr = ISC_FALSE, - is_dst_up = ISC_FALSE, -+ verbose = ISC_FALSE, - keep_open = ISC_FALSE; - in_port_t port = 53; - unsigned int timeout = 0; -@@ -1257,10 +1258,24 @@ setup_system(void) { - } - } - -+ if (lwconf->resdebug) { -+ verbose = ISC_TRUE; -+ debug("verbose is on"); -+ } - if (ndots == -1) { - ndots = lwconf->ndots; - debug("ndots is %d.", ndots); - } -+ if (lwconf->attempts) { -+ tries = lwconf->attempts + 1; -+ if (tries < 2) -+ tries = 2; -+ debug("tries is %d.", tries); -+ } -+ if (lwconf->timeout) { -+ timeout = lwconf->timeout; -+ debug("timeout is %d.", timeout); -+ } - - /* If user doesn't specify server use nameservers from resolv.conf. */ - if (ISC_LIST_EMPTY(server_list)) -diff -up bind-9.9.5b1/bin/dig/host.c.rh570851 bind-9.9.5b1/bin/dig/host.c ---- bind-9.9.5b1/bin/dig/host.c.rh570851 2013-12-12 06:59:59.000000000 +0100 -+++ bind-9.9.5b1/bin/dig/host.c 2014-01-06 13:49:25.241380571 +0100 -@@ -672,6 +672,7 @@ parse_args(isc_boolean_t is_batchfile, i - - lookup->servfail_stops = ISC_FALSE; - lookup->comments = ISC_FALSE; -+ short_form = !verbose; - - while ((c = isc_commandline_parse(argc, argv, optstring)) != -1) { - switch (c) { -@@ -882,8 +883,8 @@ main(int argc, char **argv) { - result = isc_app_start(); - check_result(result, "isc_app_start"); - setup_libs(); -- parse_args(ISC_FALSE, argc, argv); - setup_system(); -+ parse_args(ISC_FALSE, argc, argv); - result = isc_app_onrun(mctx, global_task, onrun_callback, NULL); - check_result(result, "isc_app_onrun"); - isc_app_run(); -diff -up bind-9.9.5b1/bin/dig/include/dig/dig.h.rh570851 bind-9.9.5b1/bin/dig/include/dig/dig.h ---- bind-9.9.5b1/bin/dig/include/dig/dig.h.rh570851 2013-12-12 
06:59:59.000000000 +0100 -+++ bind-9.9.5b1/bin/dig/include/dig/dig.h 2014-01-06 13:49:25.241380571 +0100 -@@ -281,6 +281,7 @@ extern isc_boolean_t keep_open; - extern char *progname; - extern int tries; - extern int fatalexit; -+extern isc_boolean_t verbose; - #ifdef WITH_IDN - extern int idnoptions; - #endif -diff -up bind-9.9.5b1/lib/lwres/include/lwres/lwres.h.rh570851 bind-9.9.5b1/lib/lwres/include/lwres/lwres.h ---- bind-9.9.5b1/lib/lwres/include/lwres/lwres.h.rh570851 2013-12-12 06:59:59.000000000 +0100 -+++ bind-9.9.5b1/lib/lwres/include/lwres/lwres.h 2014-01-06 13:49:25.241380571 +0100 -@@ -243,6 +243,8 @@ typedef struct { - lwres_uint8_t resdebug; /*%< non-zero if 'options debug' set */ - lwres_uint8_t ndots; /*%< set to n in 'options ndots:n' */ - lwres_uint8_t no_tld_query; /*%< non-zero if 'options no_tld_query' */ -+ lwres_int32_t attempts; /*%< set to n in 'options attempts:n' */ -+ lwres_int32_t timeout; /*%< set to n in 'options timeout:n' */ - } lwres_conf_t; - - #define LWRES_ADDRTYPE_V4 0x00000001U /*%< ipv4 */ -diff -up bind-9.9.5b1/lib/lwres/lwconfig.c.rh570851 bind-9.9.5b1/lib/lwres/lwconfig.c ---- bind-9.9.5b1/lib/lwres/lwconfig.c.rh570851 2013-12-12 06:59:59.000000000 +0100 -+++ bind-9.9.5b1/lib/lwres/lwconfig.c 2014-01-06 13:49:25.241380571 +0100 -@@ -237,6 +237,8 @@ lwres_conf_init(lwres_context_t *ctx) { - confdata->resdebug = 0; - confdata->ndots = 1; - confdata->no_tld_query = 0; -+ confdata->attempts = 0; -+ confdata->timeout = 0; - - for (i = 0; i < LWRES_CONFMAXNAMESERVERS; i++) - lwres_resetaddr(&confdata->nameservers[i]); -@@ -289,6 +291,8 @@ lwres_conf_clear(lwres_context_t *ctx) { - confdata->resdebug = 0; - confdata->ndots = 1; - confdata->no_tld_query = 0; -+ confdata->attempts = 0; -+ confdata->timeout = 0; - } - - static lwres_result_t -@@ -530,6 +534,8 @@ static lwres_result_t - lwres_conf_parseoption(lwres_context_t *ctx, FILE *fp) { - int delim; - long ndots; -+ long attempts; -+ long timeout; - char *p; - char 
word[LWRES_CONFMAXLINELEN]; - lwres_conf_t *confdata; -@@ -546,6 +552,8 @@ lwres_conf_parseoption(lwres_context_t * - confdata->resdebug = 1; - } else if (strcmp("no_tld_query", word) == 0) { - confdata->no_tld_query = 1; -+ } else if (strcmp("debug", word) == 0) { -+ confdata->resdebug = 1; - } else if (strncmp("ndots:", word, 6) == 0) { - ndots = strtol(word + 6, &p, 10); - if (*p != '\0') /* Bad string. */ -@@ -553,6 +561,18 @@ lwres_conf_parseoption(lwres_context_t * - if (ndots < 0 || ndots > 0xff) /* Out of range. */ - return (LWRES_R_FAILURE); - confdata->ndots = (lwres_uint8_t)ndots; -+ } else if (strncmp("timeout:", word, 8) == 0) { -+ timeout = strtol(word + 8, &p, 10); -+ if (*p != '\0') /* Bad string. */ -+ return (LWRES_R_FAILURE); -+ confdata->timeout = (lwres_int32_t)timeout; -+ } else if (strncmp("attempts:", word, 9) == 0) { -+ attempts = strtol(word + 9, &p, 10); -+ if (*p != '\0') /* Bad string. */ -+ return (LWRES_R_FAILURE); -+ if (attempts < 0) /* Out of range. */ -+ return (LWRES_R_FAILURE); -+ confdata->attempts = (lwres_int32_t)attempts; - } - - if (delim == EOF || delim == '\n') -@@ -717,6 +737,12 @@ lwres_conf_print(lwres_context_t *ctx, F - if (confdata->no_tld_query) - fprintf(fp, "options no_tld_query\n"); - -+ if (confdata->attempts) -+ fprintf(fp, "options attempts:%d\n", confdata->attempts); -+ -+ if (confdata->timeout) -+ fprintf(fp, "options timeout:%d\n", confdata->timeout); -+ - return (LWRES_R_SUCCESS); - } - diff --git a/bind99-buildfix.patch b/bind99-buildfix.patch deleted file mode 100644 index 8ff5c44..0000000 --- a/bind99-buildfix.patch +++ /dev/null 
@@ -1,13 +0,0 @@
-diff --git a/bin/tests/system/Makefile.in b/bin/tests/system/Makefile.in
-index bdfd72a..706290c 100644
---- a/bin/tests/system/Makefile.in
-+++ b/bin/tests/system/Makefile.in
-@@ -19,7 +19,7 @@ top_srcdir = @top_srcdir@
- 
- @BIND9_MAKE_INCLUDES@
- 
--SUBDIRS = builtin dlzexternal fetchlimit filter-aaaa geoip lwresd rpz rsabigexponent statistics tkey tsiggss
-+SUBDIRS = builtin fetchlimit filter-aaaa geoip lwresd rpz rsabigexponent statistics tkey tsiggss
- TARGETS =
- 
- @BIND9_MAKE_RULES@
diff --git a/sources b/sources
index 5c33cca..2d95551 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
+4ec15dcf90ad77e923a05d7386348080 bind-9.11.0-P1.tar.gz
 c47ee477f29baac49dc59ef4fb732b97 config-15.tar.bz2
-e110904a1d54f83f01d4be8bcd842927 bind-9.10.4-P4.tar.gz