From 6035a1c215688d9f726897a3ad84df04dd6816fc Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 28 May 2015 11:06:39 +1000 Subject: [PATCH 01/11] link against ISC_OPENSSL_LIBS (cherry picked from commit 52a487f71a4c4132ea43f52dc6c83e7729444875) --- bin/tests/system/builtin/Makefile.in | 2 +- bin/tests/system/rsabigexponent/Makefile.in | 2 +- bin/tests/system/tkey/Makefile.in | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/bin/tests/system/builtin/Makefile.in b/bin/tests/system/builtin/Makefile.in index be40c35cbb..135c1f9cb4 100644 --- a/bin/tests/system/builtin/Makefile.in +++ b/bin/tests/system/builtin/Makefile.in @@ -29,7 +29,7 @@ CDEFINES = CWARNINGS = DNSLIBS = -ISCLIBS = ../../../../lib/isc/libisc.@A@ +ISCLIBS = ../../../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@ DNSDEPLIBS = ISCDEPLIBS = diff --git a/bin/tests/system/rsabigexponent/Makefile.in b/bin/tests/system/rsabigexponent/Makefile.in index d32eb15a86..72cebaf560 100644 --- a/bin/tests/system/rsabigexponent/Makefile.in +++ b/bin/tests/system/rsabigexponent/Makefile.in @@ -28,7 +28,7 @@ CDEFINES = @USE_OPENSSL@ CWARNINGS = DNSLIBS = ../../../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@ -ISCLIBS = ../../../../lib/isc/libisc.@A@ +ISCLIBS = ../../../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@ DNSDEPLIBS = ../../../../lib/dns/libdns.@A@ ISCDEPLIBS = ../../../../lib/isc/libisc.@A@ diff --git a/bin/tests/system/tkey/Makefile.in b/bin/tests/system/tkey/Makefile.in index 899d1b9b28..c572ed75d6 100644 --- a/bin/tests/system/tkey/Makefile.in +++ b/bin/tests/system/tkey/Makefile.in @@ -29,7 +29,7 @@ CDEFINES = CWARNINGS = DNSLIBS = ../../../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@ -ISCLIBS = ../../../../lib/isc/libisc.@A@ +ISCLIBS = ../../../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@ DNSDEPLIBS = ../../../../lib/dns/libdns.@A@ ISCDEPLIBS = ../../../../lib/isc/libisc.@A@ From 64b34aee395e8a632d69756f7cb276fcc4cede89 Mon Sep 17 00:00:00 2001 
From: Mark Andrews Date: Thu, 28 May 2015 13:17:07 +1000 Subject: [PATCH 02/11] 4128. [bug] Address issues raised by Coverity 7.6. [RT #39537] (cherry picked from commit e53e202ef3b51c58fb9abe0d15e3829a970b00e7) --- CHANGES | 2 ++ bin/dnssec/dnssec-signzone.c | 5 ++++- bin/named/interfacemgr.c | 2 +- bin/tests/rbt/t_rbt.c | 3 ++- bin/tests/tasks/t_tasks.c | 6 ++++++ lib/dns/dlz.c | 22 +++++++++------------- lib/dns/dst_api.c | 5 ----- lib/dns/journal.c | 2 ++ lib/dns/master.c | 2 +- lib/dns/openssldh_link.c | 8 ++++---- lib/dns/opensslrsa_link.c | 28 +++++++++++++++++----------- lib/dns/rbt.c | 6 ++---- lib/dns/rrl.c | 11 +++-------- lib/dns/view.c | 2 +- lib/dns/zone.c | 6 +++--- lib/isc/unix/app.c | 2 +- 16 files changed, 58 insertions(+), 54 deletions(-) diff --git a/CHANGES b/CHANGES index 07f0f5da78..aad5d4750d 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +4128. [bug] Address issues raised by Coverity 7.6. [RT #39537] + 4127. [protocol] CDS and CDNSKEY need to be signed by the key signing key as per RFC 7344, Section 4.1. [RT #37215] diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c index 694b7c457d..d0602fe2ec 100644 --- a/bin/dnssec/dnssec-signzone.c +++ b/bin/dnssec/dnssec-signzone.c @@ -3513,7 +3513,10 @@ main(int argc, char *argv[]) { * of keys rather early. */ ISC_LIST_INIT(keylist); - isc_rwlock_init(&keylist_lock, 0, 0); + result = isc_rwlock_init(&keylist_lock, 0, 0); + if (result != ISC_R_SUCCESS) + fatal("could not initialize keylist_lock: %s", + isc_result_totext(result)); /* * Fill keylist with: diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c index 850222ad02..f8d94c2310 100644 --- a/bin/named/interfacemgr.c +++ b/bin/named/interfacemgr.c 
@@ -302,7 +302,7 @@ ns_interface_listenudp(ns_interface_t *ifp) { return (ISC_R_SUCCESS); addtodispatch_failure: - for (i = disp - 1; i <= 0; i--) { + for (i = disp - 1; i >= 0; i--) { dns_dispatch_changeattributes(ifp->udpdispatch[i], 0, DNS_DISPATCHATTR_NOLISTEN); dns_dispatch_detach(&(ifp->udpdispatch[i])); diff --git a/bin/tests/rbt/t_rbt.c b/bin/tests/rbt/t_rbt.c index d99fd7301f..26004994f8 100644 --- a/bin/tests/rbt/t_rbt.c +++ b/bin/tests/rbt/t_rbt.c @@ -297,6 +297,7 @@ rbt_init(char *filename, dns_rbt_t **rbt, isc_mem_t *mctx) { if ((rval != 0) || (dns_result != ISC_R_SUCCESS)) { t_info("add of %s failed\n", p); dns_rbt_destroy(rbt); + (void) free(p); fclose(fp); return(1); } @@ -704,7 +705,7 @@ t9_walkchain(dns_rbtnodechain_t *chain, dns_rbt_t *rbt) { if (order >= 0) { t_info("unexpected order %s %s %s\n", dnsname_totext(dns_fixedname_name(&fullname1)), - order == -1 ? "<" : (order == 0 ? "==" : ">"), + order == 0 ? "==" : ">", dnsname_totext(dns_fixedname_name(&fullname2))); ++nprobs; } diff --git a/bin/tests/tasks/t_tasks.c b/bin/tests/tasks/t_tasks.c index 3da3a89174..e11acd36b3 100644 --- a/bin/tests/tasks/t_tasks.c +++ b/bin/tests/tasks/t_tasks.c @@ -999,6 +999,12 @@ t_tasks4(void) { NULL, sizeof(*event)); if (event == NULL) { t_info("isc_event_allocate failed\n"); + isc_result = isc_mutex_unlock(&T4_mx); + if (isc_result != ISC_R_SUCCESS) { + t_info("isc_mutex_unlock failed %s\n", + isc_result_totext(isc_result)); + ++T4_nprobs; + } DESTROYLOCK(&T4_mx); isc_task_destroy(&task); (void) isc_condition_destroy(&T4_cv); diff --git a/lib/dns/dlz.c b/lib/dns/dlz.c index 19c600c941..eae87ab82d 100644 --- a/lib/dns/dlz.c +++ b/lib/dns/dlz.c @@ -221,8 +221,8 @@ dns_dlzcreate(isc_mem_t *mctx, const char *dlzname, const char *drivername, void dns_dlzdestroy(dns_dlzdb_t **dbp) { - isc_mem_t *mctx; dns_dlzdestroy_t destroy; + dns_dlzdb_t *db; /* Write debugging message to log */ isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, 
@@ -234,23 +234,19 @@ dns_dlzdestroy(dns_dlzdb_t **dbp) { */ REQUIRE(dbp != NULL && DNS_DLZ_VALID(*dbp)); + db = *dbp; + *dbp = NULL; + #ifdef BIND9 - if ((*dbp)->ssutable != NULL) { + if (db->ssutable != NULL) dns_ssutable_detach(&(*dbp)->ssutable); - } #endif /* call the drivers destroy method */ - if ((*dbp) != NULL) { - mctx = (*dbp)->mctx; - destroy = (*dbp)->implementation->methods->destroy; - (*destroy)((*dbp)->implementation->driverarg,(*dbp)->dbdata); - /* return memory */ - isc_mem_put(mctx, (*dbp), sizeof(dns_dlzdb_t)); - isc_mem_detach(&mctx); - } - - *dbp = NULL; + destroy = db->implementation->methods->destroy; + (*destroy)(db->implementation->driverarg, db->dbdata); + /* return memory and detach */ + isc_mem_putanddetach(&db->mctx, db, sizeof(dns_dlzdb_t)); } diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c index 6416273760..0eac2285af 100644 --- a/lib/dns/dst_api.c +++ b/lib/dns/dst_api.c @@ -1001,9 +1001,6 @@ comparekeys(const dst_key_t *key1, const dst_key_t *key2, if (key1 == key2) return (ISC_TRUE); - if (key1 == NULL || key2 == NULL) - return (ISC_FALSE); - if (key1->key_alg != key2->key_alg) return (ISC_FALSE); @@ -1093,8 +1090,6 @@ dst_key_paramcompare(const dst_key_t *key1, const dst_key_t *key2) { if (key1 == key2) return (ISC_TRUE); - if (key1 == NULL || key2 == NULL) - return (ISC_FALSE); if (key1->key_alg == key2->key_alg && key1->func->paramcompare != NULL && key1->func->paramcompare(key1, key2) == ISC_TRUE) diff --git a/lib/dns/journal.c b/lib/dns/journal.c index 5f70c39a20..4811ebbd80 100644 --- a/lib/dns/journal.c +++ b/lib/dns/journal.c @@ -2112,6 +2112,8 @@ dns_journal_compact(isc_mem_t *mctx, char *filename, isc_uint32_t serial, char backup[1024]; isc_boolean_t is_backup = ISC_FALSE; + REQUIRE(filename != NULL); + namelen = strlen(filename); if (namelen > 4U && strcmp(filename + namelen - 4, ".jnl") == 0) namelen -= 4; diff --git a/lib/dns/master.c b/lib/dns/master.c index c6344fca75..f560641e17 100644 --- a/lib/dns/master.c 
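Review bot: In the `#ifdef BIND9` branch the call `dns_ssutable_detach(&(*dbp)->ssutable);` still goes through `*dbp`, which the lines added just above have already set to NULL, so the detach is handed an address computed from a null pointer. The guard on the preceding line was converted to `db->ssutable`, and the call should match it: `dns_ssutable_detach(&db->ssutable);`. Everything else in the hunk uses `db`, so this looks like one line missed in the conversion. dns_dlzdestroy begins above this hunk.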
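Review bot: With the `key1 == NULL || key2 == NULL` test removed, `comparekeys` falls straight from the pointer-equality check to `key1->key_alg != key2->key_alg`, so a single NULL argument is now dereferenced instead of yielding ISC_FALSE. If every caller already guarantees valid keys (presumably why the check was reported as dead), record that contract where the check used to be, for example with the comment `/* callers pass validated, non-NULL keys */`. The same removal in `dst_key_paramcompare` (hunk at -1093) needs the same treatment. Both function bodies start outside their hunks, so an earlier validation may exist that is not visible here.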
+++ b/lib/dns/master.c @@ -280,7 +280,7 @@ loadctx_destroy(dns_loadctx_t *lctx); SETRESULT(lctx, result); \ LOGIT(result); \ read_till_eol = ISC_TRUE; \ - continue; \ + break; \ } else if (result != ISC_R_SUCCESS) \ goto log_and_cleanup; \ } \ diff --git a/lib/dns/openssldh_link.c b/lib/dns/openssldh_link.c index 953e8fd50e..6ad3ce058e 100644 --- a/lib/dns/openssldh_link.c +++ b/lib/dns/openssldh_link.c @@ -224,13 +224,13 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { #else dh = DH_generate_parameters(key->key_size, generator, NULL, NULL); + if (dh == NULL) + return (dst__openssl_toresult2( + "DH_generate_parameters", + DST_R_OPENSSLFAILURE)); #endif } - if (dh == NULL) - return (dst__openssl_toresult2("DH_generate_parameters", - DST_R_OPENSSLFAILURE)); - if (DH_generate_key(dh) == 0) { DH_free(dh); return (dst__openssl_toresult2("DH_generate_key", diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c index 8421c64070..ad957026be 100644 --- a/lib/dns/opensslrsa_link.c +++ b/lib/dns/opensslrsa_link.c @@ -1375,12 +1375,20 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label, isc_result_t ret; EVP_PKEY *pkey = NULL; RSA *rsa = NULL, *pubrsa = NULL; - char *colon; + char *colon, *tmpengine = NULL; UNUSED(pin); - if (engine == NULL) - DST_RET(DST_R_NOENGINE); + if (engine == NULL) { + colon = strchr(label, ':'); + if (colon == NULL) + DST_RET(DST_R_NOENGINE); + tmpengine = isc_mem_strdup(key->mctx, label); + if (tmpengine == NULL) + DST_RET(ISC_R_NOMEMORY); + colon = strchr(tmpengine, ':'); + *colon = '\0'; + } e = dst__openssl_getengine(engine); if (e == NULL) DST_RET(DST_R_NOENGINE); 
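Review bot: In opensslrsa_fromlabel, when `engine == NULL` the new block derives the engine name into `tmpengine`, but the unchanged next line still calls `dst__openssl_getengine(engine)` with the NULL `engine`, so the name parsed from `label` is never used for the lookup. How dst__openssl_getengine treats NULL is not visible here; at best this path still ends in DST_R_NOENGINE, which defeats the purpose of parsing the label. Pass the derived name instead: `e = dst__openssl_getengine(tmpengine != NULL ? tmpengine : engine);`. The second `strchr(tmpengine, ':')` is dereferenced unchecked; it cannot fail because `label` was just found to contain a colon, and an `INSIST(colon != NULL);` before `*colon = '\0';` would record that. The function continues past this hunk.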
@@ -1395,17 +1403,13 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label, if (pkey == NULL) DST_RET(dst__openssl_toresult2("ENGINE_load_private_key", ISC_R_NOTFOUND)); - if (engine != NULL) { + if (tmpengine != NULL) { + key->engine = tmpengine; + tmpengine = NULL; + } else { key->engine = isc_mem_strdup(key->mctx, engine); if (key->engine == NULL) DST_RET(ISC_R_NOMEMORY); - } else { - key->engine = isc_mem_strdup(key->mctx, label); - if (key->engine == NULL) - DST_RET(ISC_R_NOMEMORY); - colon = strchr(key->engine, ':'); - if (colon != NULL) - *colon = '\0'; } key->label = isc_mem_strdup(key->mctx, label); if (key->label == NULL) @@ -1430,6 +1434,8 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label, return (ISC_R_SUCCESS); err: + if (tmpengine != NULL) + isc_mem_free(key->mctx, tmpengine); if (rsa != NULL) RSA_free(rsa); if (pubrsa != NULL) diff --git a/lib/dns/rbt.c b/lib/dns/rbt.c index 1b6121de79..74aad1b355 100644 --- a/lib/dns/rbt.c +++ b/lib/dns/rbt.c @@ -1610,8 +1610,7 @@ rotate_left(dns_rbtnode_t *node, dns_rbtnode_t **rootp) { PARENT(LEFT(child)) = node; LEFT(child) = node; - if (child != NULL) - PARENT(child) = PARENT(node); + PARENT(child) = PARENT(node); if (IS_ROOT(node)) { *rootp = child; @@ -1643,8 +1642,7 @@ rotate_right(dns_rbtnode_t *node, dns_rbtnode_t **rootp) { PARENT(RIGHT(child)) = node; RIGHT(child) = node; - if (child != NULL) - PARENT(child) = PARENT(node); + PARENT(child) = PARENT(node); if (IS_ROOT(node)) { *rootp = child; diff --git a/lib/dns/rrl.c b/lib/dns/rrl.c index 08fc8e712f..c0295bd20a 100644 --- a/lib/dns/rrl.c +++ b/lib/dns/rrl.c 
@@ -1161,22 +1161,17 @@ dns_rrl(dns_view_t *view, client_addr, now, log_buf, log_buf_len); if (rrl_all_result != DNS_RRL_RESULT_OK) { - int level; - e = e_all; rrl_result = rrl_all_result; - if (rrl_result == DNS_RRL_RESULT_OK) - level = DNS_RRL_LOG_DEBUG2; - else - level = DNS_RRL_LOG_DEBUG1; - if (isc_log_wouldlog(dns_lctx, level)) { + if (isc_log_wouldlog(dns_lctx, DNS_RRL_LOG_DEBUG1)) { make_log_buf(rrl, e, "prefer all-per-second limiting ", NULL, ISC_TRUE, qname, ISC_FALSE, DNS_RRL_RESULT_OK, resp_result, log_buf, log_buf_len); isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL, - DNS_LOGMODULE_REQUEST, level, + DNS_LOGMODULE_REQUEST, + DNS_RRL_LOG_DEBUG1, "%s", log_buf); } } diff --git a/lib/dns/view.c b/lib/dns/view.c index 0aec370811..630797ee20 100644 --- a/lib/dns/view.c +++ b/lib/dns/view.c @@ -1322,7 +1322,7 @@ dns_view_findzonecut2(dns_view_t *view, dns_name_t *name, dns_name_t *fname, if (result == ISC_R_SUCCESS) { if (zfname != NULL && (!dns_name_issubdomain(fname, zfname) || - (dns_zone_staticstub && + (dns_zone_gettype(zone) == dns_zone_staticstub && dns_name_equal(fname, zfname)))) { /* * We found a zonecut in the cache, but our diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 4b2e064e07..819eb525dd 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -12160,10 +12160,10 @@ dns_zone_notifyreceive(dns_zone_t *zone, isc_sockaddr_t *from, return (ISC_R_SUCCESS); } zone->notifyfrom = *from; - local = zone->masteraddr; - remote = zone->sourceaddr; + remote = zone->masteraddr; + local = zone->sourceaddr; UNLOCK_ZONE(zone); - dns_zonemgr_unreachabledel(zone->zmgr, &local, &remote); + dns_zonemgr_unreachabledel(zone->zmgr, &remote, &local); dns_zone_refresh(zone); return (ISC_R_SUCCESS); } diff --git a/lib/isc/unix/app.c b/lib/isc/unix/app.c index c17587879d..141e9c21a9 100644 --- a/lib/isc/unix/app.c +++ b/lib/isc/unix/app.c 
@@ -704,7 +704,7 @@ isc__app_ctxrun(isc_appctx_t *ctx0) { return (ISC_R_UNEXPECTED); } #endif - result = sigsuspend(&sset); + (void)sigsuspend(&sset); #endif /* HAVE_SIGWAIT */ if (ctx->want_reload) { From 263a38f27b2d92b5b33e297fa566e499f678156d Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 28 May 2015 13:57:01 +1000 Subject: [PATCH 03/11] Revert "link against ISC_OPENSSL_LIBS" This is not needed for 9.9.x. This reverts commit 6035a1c215688d9f726897a3ad84df04dd6816fc. --- bin/tests/system/builtin/Makefile.in | 2 +- bin/tests/system/rsabigexponent/Makefile.in | 2 +- bin/tests/system/tkey/Makefile.in | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/bin/tests/system/builtin/Makefile.in b/bin/tests/system/builtin/Makefile.in index 135c1f9cb4..be40c35cbb 100644 --- a/bin/tests/system/builtin/Makefile.in +++ b/bin/tests/system/builtin/Makefile.in @@ -29,7 +29,7 @@ CDEFINES = CWARNINGS = DNSLIBS = -ISCLIBS = ../../../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@ +ISCLIBS = ../../../../lib/isc/libisc.@A@ DNSDEPLIBS = ISCDEPLIBS = diff --git a/bin/tests/system/rsabigexponent/Makefile.in b/bin/tests/system/rsabigexponent/Makefile.in index 72cebaf560..d32eb15a86 100644 --- a/bin/tests/system/rsabigexponent/Makefile.in +++ b/bin/tests/system/rsabigexponent/Makefile.in @@ -28,7 +28,7 @@ CDEFINES = @USE_OPENSSL@ CWARNINGS = DNSLIBS = ../../../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@ -ISCLIBS = ../../../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@ +ISCLIBS = ../../../../lib/isc/libisc.@A@ DNSDEPLIBS = ../../../../lib/dns/libdns.@A@ ISCDEPLIBS = ../../../../lib/isc/libisc.@A@ diff --git a/bin/tests/system/tkey/Makefile.in b/bin/tests/system/tkey/Makefile.in index c572ed75d6..899d1b9b28 100644 --- a/bin/tests/system/tkey/Makefile.in +++ b/bin/tests/system/tkey/Makefile.in 
@@ -29,7 +29,7 @@ CDEFINES = CWARNINGS = DNSLIBS = ../../../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@ -ISCLIBS = ../../../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@ +ISCLIBS = ../../../../lib/isc/libisc.@A@ DNSDEPLIBS = ../../../../lib/dns/libdns.@A@ ISCDEPLIBS = ../../../../lib/isc/libisc.@A@ From 8167dedf5e1df82f71cf779d6ac9dfb3106a09b3 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 28 May 2015 14:07:56 +1000 Subject: [PATCH 04/11] Handle git commit -mifdef BIND9 case --- lib/dns/view.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/lib/dns/view.c b/lib/dns/view.c index 630797ee20..51f758f427 100644 --- a/lib/dns/view.c +++ b/lib/dns/view.c @@ -1320,10 +1320,16 @@ dns_view_findzonecut2(dns_view_t *view, dns_name_t *name, dns_name_t *fname, result = dns_db_findzonecut(db, name, options, now, NULL, fname, rdataset, sigrdataset); if (result == ISC_R_SUCCESS) { +#ifdef BIND9 if (zfname != NULL && (!dns_name_issubdomain(fname, zfname) || (dns_zone_gettype(zone) == dns_zone_staticstub && - dns_name_equal(fname, zfname)))) { + dns_name_equal(fname, zfname)))) +#else + if (zfname != NULL && + !dns_name_issubdomain(fname, zfname)) +#endif + { /* * We found a zonecut in the cache, but our * zone delegation is better. From fe8790e6c954ae44207a4b6fc46ff1ae451392cb Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 28 May 2015 14:27:59 +1000 Subject: [PATCH 05/11] update --- util/copyrights | 39 +++++++++++++++++++++++---------------- 1 file changed, 23 insertions(+), 16 deletions(-) diff --git a/util/copyrights b/util/copyrights index c2b1fe5b67..c99c237593 100644 --- a/util/copyrights +++ b/util/copyrights 
@@ -118,7 +118,7 @@
 ./bin/dnssec/Makefile.in MAKE 2000,2001,2002,2004,2005,2007,2008,2009,2012,2013,2014
 ./bin/dnssec/dnssec-dsfromkey.8 MAN DOCBOOK
 ./bin/dnssec/dnssec-dsfromkey.c C 2008,2009,2010,2011,2012,2014,2015
-./bin/dnssec/dnssec-dsfromkey.docbook SGML 2008,2009,2010,2011,2012,2014
+./bin/dnssec/dnssec-dsfromkey.docbook SGML 2008,2009,2010,2011,2012,2014,2015
 ./bin/dnssec/dnssec-dsfromkey.html HTML DOCBOOK
 ./bin/dnssec/dnssec-importkey.8 MAN 2013,2014
 ./bin/dnssec/dnssec-importkey.c C 2013,2014,2015
@@ -245,7 +245,7 @@
 ./bin/named/include/named/update.h C 1999,2000,2001,2004,2005,2007
 ./bin/named/include/named/xfrout.h C 1999,2000,2001,2004,2005,2007
 ./bin/named/include/named/zoneconf.h C 1999,2000,2001,2002,2004,2005,2006,2007,2010,2011
-./bin/named/interfacemgr.c C 1999,2000,2001,2002,2004,2005,2006,2007,2008,2009,2011,2012,2013,2014
+./bin/named/interfacemgr.c C 1999,2000,2001,2002,2004,2005,2006,2007,2008,2009,2011,2012,2013,2014,2015
 ./bin/named/listenlist.c C 2000,2001,2004,2005,2007
 ./bin/named/log.c C 1999,2000,2001,2002,2004,2005,2006,2007,2009,2013
 ./bin/named/logconf.c C 1999,2000,2001,2004,2005,2006,2007,2011,2013,2015
@@ -279,7 +279,7 @@
 ./bin/named/unix/dlz_dlopen_driver.c C 2011,2012,2013,2014
 ./bin/named/unix/include/named/os.h C 1999,2000,2001,2002,2004,2005,2007,2008,2009
 ./bin/named/unix/os.c C 1999,2000,2001,2002,2004,2005,2006,2007,2008,2009,2010,2011,2013,2014
-./bin/named/update.c C 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014
+./bin/named/update.c C 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015
 ./bin/named/win32/dlz_dlopen_driver.c C 2011,2014
 ./bin/named/win32/include/named/ntservice.h C 1999,2000,2001,2002,2003,2004,2007
 ./bin/named/win32/include/named/os.h C 1999,2000,2001,2002,2004,2007,2008,2009
@@ -642,7 +642,7 @@
 ./bin/tests/rbt/dns_rbtnodechain_next_data X 1999,2000,2001
 ./bin/tests/rbt/dns_rbtnodechain_prev.data X 1999,2000,2001
 ./bin/tests/rbt/dns_rbtnodechain_prev_data X 1999,2000,2001
-./bin/tests/rbt/t_rbt.c C 1998,1999,2000,2001,2003,2004,2005,2007,2009,2011,2012,2013
+./bin/tests/rbt/t_rbt.c C 1998,1999,2000,2001,2003,2004,2005,2007,2009,2011,2012,2013,2015
 ./bin/tests/rbt/win32/t_rbt.dsp.in X 2013
 ./bin/tests/rbt/win32/t_rbt.dsw X 2013
 ./bin/tests/rbt/win32/t_rbt.mak.in X 2013
@@ -1056,6 +1056,12 @@
 ./bin/tests/system/dnssec/ns1/sign.sh SH 2000,2001,2002,2003,2004,2006,2007,2008,2009,2010,2011,2012,2013,2014
 ./bin/tests/system/dnssec/ns2/algroll.db.in ZONE 2010
 ./bin/tests/system/dnssec/ns2/badparam.db.in ZONE 2010
+./bin/tests/system/dnssec/ns2/cdnskey-auto.secure.db.in ZONE 2015
+./bin/tests/system/dnssec/ns2/cdnskey-update.secure.db.in ZONE 2015
+./bin/tests/system/dnssec/ns2/cdnskey.secure.db.in ZONE 2015
+./bin/tests/system/dnssec/ns2/cds-auto.secure.db.in ZONE 2015
+./bin/tests/system/dnssec/ns2/cds-update.secure.db.in ZONE 2015
+./bin/tests/system/dnssec/ns2/cds.secure.db.in ZONE 2015
 ./bin/tests/system/dnssec/ns2/child.nsec3.example.db ZONE 2006,2008
 ./bin/tests/system/dnssec/ns2/child.optout.example.db ZONE 2006,2008
 ./bin/tests/system/dnssec/ns2/dlv.db.in ZONE 2004,2007
@@ -1063,10 +1069,10 @@
 ./bin/tests/system/dnssec/ns2/example.db.in ZONE 2000,2001,2002,2004,2007,2008,2009,2010,2011,2012,2013,2014
 ./bin/tests/system/dnssec/ns2/in-addr.arpa.db.in ZONE 2014
 ./bin/tests/system/dnssec/ns2/insecure.secure.example.db ZONE 2000,2001,2004,2007,2013
-./bin/tests/system/dnssec/ns2/named.conf CONF-C 2000,2001,2002,2004,2006,2007,2008,2010,2011,2014
+./bin/tests/system/dnssec/ns2/named.conf CONF-C 2000,2001,2002,2004,2006,2007,2008,2010,2011,2014,2015
 ./bin/tests/system/dnssec/ns2/private.secure.example.db.in ZONE 2000,2001,2004,2007
 ./bin/tests/system/dnssec/ns2/rfc2335.example.db X 2004
-./bin/tests/system/dnssec/ns2/sign.sh SH 2000,2001,2002,2003,2004,2006,2007,2008,2009,2010,2011,2012,2014
+./bin/tests/system/dnssec/ns2/sign.sh SH 2000,2001,2002,2003,2004,2006,2007,2008,2009,2010,2011,2012,2014,2015
 ./bin/tests/system/dnssec/ns2/single-nsec3.db.in ZONE 2010
 ./bin/tests/system/dnssec/ns3/auto-nsec.example.db.in ZONE 2011
 ./bin/tests/system/dnssec/ns3/auto-nsec3.example.db.in ZONE 2011
@@ -1587,7 +1593,7 @@
 ./bin/tests/system/rrsetorder/ns2/named.conf CONF-C 2006,2007
 ./bin/tests/system/rrsetorder/ns3/named.conf CONF-C 2006,2007
 ./bin/tests/system/rrsetorder/tests.sh SH 2006,2007,2008,2011,2012,2014
-./bin/tests/system/rsabigexponent/Makefile.in MAKE 2012
+./bin/tests/system/rsabigexponent/Makefile.in MAKE 2012,2015
 ./bin/tests/system/rsabigexponent/bigkey.c C 2012,2014,2015
 ./bin/tests/system/rsabigexponent/clean.sh SH 2012,2014
 ./bin/tests/system/rsabigexponent/conf/bad01.conf CONF-C 2012
@@ -1693,7 +1699,7 @@
 ./bin/tests/system/testcrypto.sh SH 2014
 ./bin/tests/system/testsock.pl PERL 2000,2001,2004,2007,2010,2011,2012,2013
 ./bin/tests/system/testsock6.pl PERL 2010,2012,2014
-./bin/tests/system/tkey/Makefile.in MAKE 2001,2002,2004,2007,2009,2012
+./bin/tests/system/tkey/Makefile.in MAKE 2001,2002,2004,2007,2009,2012,2015
 ./bin/tests/system/tkey/clean.sh SH 2001,2004,2007,2011,2012,2013,2014
 ./bin/tests/system/tkey/keycreate.c C 2001,2004,2005,2007,2009,2011,2012,2014,2015
 ./bin/tests/system/tkey/keydelete.c C 2001,2004,2005,2007,2009,2010,2011,2014,2015
@@ -1858,7 +1864,7 @@
 ./bin/tests/t_api.pl PERL 1999,2000,2001,2004,2007,2012
 ./bin/tests/task_test.c C 1998,1999,2000,2001,2004,2007,2013,2014,2015
 ./bin/tests/tasks/Makefile.in MAKE 1998,1999,2000,2001,2002,2004,2007,2009,2012
-./bin/tests/tasks/t_tasks.c C 1998,1999,2000,2001,2004,2005,2007,2009,2011,2013,2014
+./bin/tests/tasks/t_tasks.c C 1998,1999,2000,2001,2004,2005,2007,2009,2011,2013,2014,2015
 ./bin/tests/tasks/win32/t_tasks.dsp.in X 2013
 ./bin/tests/tasks/win32/t_tasks.dsw X 2013
 ./bin/tests/tasks/win32/t_tasks.mak.in X 2013
@@ -2540,6 +2546,7 @@
 ./doc/arm/notes.xml SGML 2014,2015
 ./doc/arm/pkcs11.xml SGML 2010,2012,2013,2014
 ./doc/design/addressdb TXT.BRIEF 2000,2001,2004
+./doc/design/cds-child TXT.BRIEF 2015
 ./doc/design/compression TXT.BRIEF 1999,2000,2001,2004
 ./doc/design/database TXT.BRIEF 1999,2000,2001,2004
 ./doc/design/db_rules TXT.BRIEF 1999,2000,2001,2004
@@ -2653,11 +2660,11 @@
 ./lib/dns/dbtable.c C 1999,2000,2001,2004,2005,2007,2013
 ./lib/dns/diff.c C 2000,2001,2002,2003,2004,2005,2007,2008,2009,2011,2013,2014,2015
 ./lib/dns/dispatch.c C 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2011,2012,2013,2014,2015
-./lib/dns/dlz.c C.PORTION 1999,2000,2001,2005,2007,2009,2010,2011,2012,2013
+./lib/dns/dlz.c C.PORTION 1999,2000,2001,2005,2007,2009,2010,2011,2012,2013,2015
 ./lib/dns/dns64.c C 2010,2011,2014
 ./lib/dns/dnssec.c C 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015
 ./lib/dns/ds.c C 2002,2003,2004,2005,2006,2007,2010,2012
-./lib/dns/dst_api.c C.NAI 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013
+./lib/dns/dst_api.c C.NAI 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2015
 ./lib/dns/dst_internal.h C.NAI 2000,2001,2002,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013
 ./lib/dns/dst_lib.c C 1999,2000,2001,2004,2005,2007
 ./lib/dns/dst_openssl.h C 2002,2004,2005,2007,2008,2009,2011,2012
@@ -2731,7 +2738,7 @@
 ./lib/dns/include/dns/rdatatype.h C 1998,1999,2000,2001,2004,2005,2006,2007,2008
 ./lib/dns/include/dns/request.h C 2000,2001,2002,2004,2005,2006,2007,2009,2010,2014
 ./lib/dns/include/dns/resolver.h C 1999,2000,2001,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2014
-./lib/dns/include/dns/result.h C 1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013
+./lib/dns/include/dns/result.h C 1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2015
 ./lib/dns/include/dns/rootns.h C 1999,2000,2001,2004,2005,2006,2007
 ./lib/dns/include/dns/rpz.h C 2011,2012,2013
 ./lib/dns/include/dns/rriterator.h C 2009,2011
@@ -2780,11 +2787,11 @@
 ./lib/dns/nsec.c C 1999,2000,2001,2003,2004,2005,2007,2008,2009,2011,2012,2013,2014,2015
 ./lib/dns/nsec3.c C 2006,2008,2009,2010,2011,2012,2013,2014,2015
 ./lib/dns/openssl_link.c C.NAI 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2014
-./lib/dns/openssldh_link.c C.NAI 1999,2000,2001,2002,2004,2005,2006,2007,2008,2009,2011,2012,2013,2014
+./lib/dns/openssldh_link.c C.NAI 1999,2000,2001,2002,2004,2005,2006,2007,2008,2009,2011,2012,2013,2014,2015
 ./lib/dns/openssldsa_link.c C.NAI 1999,2000,2001,2002,2004,2005,2006,2007,2008,2009,2011,2012,2013
 ./lib/dns/opensslecdsa_link.c C 2012,2013,2014
 ./lib/dns/opensslgost_link.c C 2010,2011,2012,2013,2014
-./lib/dns/opensslrsa_link.c C 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2011,2012,2013,2014
+./lib/dns/opensslrsa_link.c C 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2011,2012,2013,2014,2015
 ./lib/dns/order.c C 2002,2004,2005,2007
 ./lib/dns/peer.c C 2000,2001,2003,2004,2005,2006,2007,2008,2009,2012,2014
 ./lib/dns/portlist.c C 2003,2004,2005,2006,2007,2014
@@ -2943,11 +2950,11 @@ ./lib/dns/rdataslab.c C 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014 ./lib/dns/request.c C 2000,2001,2002,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015 ./lib/dns/resolver.c C 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015 -./lib/dns/result.c C 1998,1999,2000,2001,2002,2003,2004,2005,2007,2008,2009,2010,2011,2012,2013 +./lib/dns/result.c C 1998,1999,2000,2001,2002,2003,2004,2005,2007,2008,2009,2010,2011,2012,2013,2015 ./lib/dns/rootns.c C 1999,2000,2001,2002,2004,2005,2007,2008,2010,2012,2013,2014,2015 ./lib/dns/rpz.c C 2011,2012,2013,2014,2015 ./lib/dns/rriterator.c C 2009,2011,2012 -./lib/dns/rrl.c C 2013,2014 +./lib/dns/rrl.c C 2013,2014,2015 ./lib/dns/sdb.c C 2000,2001,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2015 ./lib/dns/sdlz.c C.PORTION 1999,2000,2001,2005,2006,2007,2008,2009,2010,2011,2012,2015 ./lib/dns/soa.c C 2000,2001,2004,2005,2007,2009 From 4adbc245055e75b837bd6abe87e733c48916c509 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 28 May 2015 14:41:21 +1000 Subject: [PATCH 06/11] 4129. [port] Address API changes in OpenSSL 1.1.0. [RT #39532] (cherry picked from commit 8bb630c7513ecfe224622a3923f0de477c44f2a9) --- CHANGES | 2 + lib/dns/dst_openssl.h | 15 ++++++ lib/dns/openssl_link.c | 19 +++++++ lib/dns/openssldh_link.c | 108 ++++++++++++++++++++++---------------- lib/dns/openssldsa_link.c | 21 ++++++-- lib/dns/opensslrsa_link.c | 19 ++++--- 6 files changed, 129 insertions(+), 55 deletions(-) diff --git a/CHANGES b/CHANGES index aad5d4750d..1bfe41857f 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +4129. [port] Address API changes in OpenSSL 1.1.0. [RT #39532] + 4128. [bug] Address issues raised by Coverity 7.6. [RT #39537] 4127. [protocol] CDS and CDNSKEY need to be signed by the key signing diff --git a/lib/dns/dst_openssl.h b/lib/dns/dst_openssl.h index 99a43ef948..73ec30e772 100644 --- a/lib/dns/dst_openssl.h 
+++ b/lib/dns/dst_openssl.h @@ -29,12 +29,27 @@ #include #include #include +#include #if !defined(OPENSSL_NO_ENGINE) && defined(CRYPTO_LOCK_ENGINE) && \ (OPENSSL_VERSION_NUMBER >= 0x0090707f) #define USE_ENGINE 1 #endif +#if OPENSSL_VERSION_NUMBER < 0x10100000L +/* + * These are new in OpenSSL 1.1.0. BN_GENCB _cb needs to be declared in + * the function like this before the BN_GENCB_new call: + * + * #if OPENSSL_VERSION_NUMBER < 0x10100000L + * _cb; + * #endif + */ +#define BN_GENCB_free(x) (x = NULL); +#define BN_GENCB_new() (&_cb) +#define BN_GENCB_get_arg(x) ((x)->arg) +#endif + ISC_LANG_BEGINDECLS isc_result_t diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c index a0a2724f41..1c9d102ebe 100644 --- a/lib/dns/openssl_link.c +++ b/lib/dns/openssl_link.c @@ -88,6 +88,7 @@ entropy_getpseudo(unsigned char *buf, int num) { return (result == ISC_R_SUCCESS ? 1 : -1); } +#if OPENSSL_VERSION_NUMBER < 0x10100000L static void entropy_add(const void *buf, int num, double entropy) { /* @@ -97,6 +98,18 @@ entropy_add(const void *buf, int num, double entropy) { UNUSED(num); UNUSED(entropy); } +#else +static int +entropy_add(const void *buf, int num, double entropy) { + /* + * Do nothing. The only call to this provides no useful data anyway. + */ + UNUSED(buf); + UNUSED(num); + UNUSED(entropy); + return (1); +} +#endif static void lock_callback(int mode, int type, const char *file, int line) { @@ -108,10 +121,12 @@ lock_callback(int mode, int type, const char *file, int line) { UNLOCK(&locks[type]); } +#if OPENSSL_VERSION_NUMBER < 0x10100000L static unsigned long id_callback(void) { return ((unsigned long)isc_thread_self()); } +#endif static void * mem_alloc(size_t size) { @@ -172,7 +187,9 @@ dst__openssl_init(const char *engine) { if (result != ISC_R_SUCCESS) goto cleanup_mutexalloc; CRYPTO_set_locking_callback(lock_callback); +#if OPENSSL_VERSION_NUMBER < 0x10100000L CRYPTO_set_id_callback(id_callback); +#endif ERR_load_crypto_strings(); 
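Review bot: `#define BN_GENCB_free(x) (x = NULL);` carries a trailing semicolon and leaves its argument unparenthesized, so `BN_GENCB_free(cb);` expands to two statements and would break as the unbraced body of an `if` that has an `else`. Define it as an expression instead: `#define BN_GENCB_free(x) ((x) = NULL)`. `BN_GENCB_new()` expanding to `(&_cb)` also requires a local named `_cb` in every caller; the comment explains this, but its sample declaration as shown reads `_cb;` with no type and should read `BN_GENCB _cb;`.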
@@ -270,7 +287,9 @@ dst__openssl_destroy(void) { CRYPTO_cleanup_all_ex_data(); #endif ERR_clear_error(); +#if OPENSSL_VERSION_NUMBER < 0x10100000L ERR_remove_state(0); +#endif ERR_free_strings(); #ifdef DNS_CRYPTO_LEAKS diff --git a/lib/dns/openssldh_link.c b/lib/dns/openssldh_link.c index 6ad3ce058e..45fdf8ff33 100644 --- a/lib/dns/openssldh_link.c +++ b/lib/dns/openssldh_link.c @@ -71,7 +71,7 @@ static isc_result_t openssldh_todns(const dst_key_t *key, isc_buffer_t *data); -static BIGNUM bn2, bn768, bn1024, bn1536; +static BIGNUM *bn2, *bn768, *bn1024, *bn1536; static isc_result_t openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv, @@ -161,7 +161,7 @@ progress_cb(int p, int n, BN_GENCB *cb) UNUSED(n); - u.dptr = cb->arg; + u.dptr = BN_GENCB_get_arg(cb); if (u.fptr != NULL) u.fptr(p); return (1); @@ -172,7 +172,10 @@ static isc_result_t openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { DH *dh = NULL; #if OPENSSL_VERSION_NUMBER > 0x00908000L - BN_GENCB cb; + BN_GENCB *cb; +#if OPENSSL_VERSION_NUMBER < 0x10100000L + BN_GENCB _cb; +#endif union { void *dptr; void (*fptr)(int); @@ -191,12 +194,12 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { if (dh == NULL) return (dst__openssl_toresult(ISC_R_NOMEMORY)); if (key->key_size == 768) - dh->p = &bn768; + dh->p = bn768; else if (key->key_size == 1024) - dh->p = &bn1024; + dh->p = bn1024; else - dh->p = &bn1536; - dh->g = &bn2; + dh->p = bn1536; + dh->g = bn2; } else generator = 2; } 
@@ -206,21 +209,28 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { dh = DH_new(); if (dh == NULL) return (dst__openssl_toresult(ISC_R_NOMEMORY)); + cb = BN_GENCB_new(); + if (cb == NULL) { + DH_free(dh); + return (dst__openssl_toresult(ISC_R_NOMEMORY)); + } if (callback == NULL) { - BN_GENCB_set_old(&cb, NULL, NULL); + BN_GENCB_set_old(cb, NULL, NULL); } else { u.fptr = callback; - BN_GENCB_set(&cb, &progress_cb, u.dptr); + BN_GENCB_set(cb, &progress_cb, u.dptr); } if (!DH_generate_parameters_ex(dh, key->key_size, generator, - &cb)) { + cb)) { DH_free(dh); + BN_GENCB_free(cb); return (dst__openssl_toresult2( "DH_generate_parameters_ex", DST_R_OPENSSLFAILURE)); } + BN_GENCB_free(cb); #else dh = DH_generate_parameters(key->key_size, generator, NULL, NULL); @@ -256,9 +266,9 @@ openssldh_destroy(dst_key_t *key) { if (dh == NULL) return; - if (dh->p == &bn768 || dh->p == &bn1024 || dh->p == &bn1536) + if (dh->p == bn768 || dh->p == bn1024 || dh->p == bn1536) dh->p = NULL; - if (dh->g == &bn2) + if (dh->g == bn2) dh->g = NULL; DH_free(dh); key->keydata.dh = NULL; @@ -294,8 +304,8 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) { isc_buffer_availableregion(data, &r); - if (dh->g == &bn2 && - (dh->p == &bn768 || dh->p == &bn1024 || dh->p == &bn1536)) { + if (dh->g == bn2 && + (dh->p == bn768 || dh->p == bn1024 || dh->p == bn1536)) { plen = 1; glen = 0; } @@ -310,9 +320,9 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) { uint16_toregion(plen, &r); if (plen == 1) { - if (dh->p == &bn768) + if (dh->p == bn768) *r.base = 1; - else if (dh->p == &bn1024) + else if (dh->p == bn1024) *r.base = 2; else *r.base = 3; @@ -375,13 +385,13 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { special = uint16_fromregion(&r); switch (special) { case 1: - dh->p = &bn768; + dh->p = bn768; break; case 2: - dh->p = &bn1024; + dh->p = bn1024; break; case 3: - dh->p = &bn1536; + dh->p = bn1536; break; default: DH_free(dh); 
@@ -409,12 +419,12 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { } if (special != 0) { if (glen == 0) - dh->g = &bn2; + dh->g = bn2; else { dh->g = BN_bin2bn(r.base, glen, NULL); - if (BN_cmp(dh->g, &bn2) == 0) { + if (BN_cmp(dh->g, bn2) == 0) { BN_free(dh->g); - dh->g = &bn2; + dh->g = bn2; } else { DH_free(dh); @@ -563,25 +573,25 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { if ((key->key_size == 768 || key->key_size == 1024 || key->key_size == 1536) && - BN_cmp(dh->g, &bn2) == 0) + BN_cmp(dh->g, bn2) == 0) { - if (key->key_size == 768 && BN_cmp(dh->p, &bn768) == 0) { + if (key->key_size == 768 && BN_cmp(dh->p, bn768) == 0) { BN_free(dh->p); BN_free(dh->g); - dh->p = &bn768; - dh->g = &bn2; + dh->p = bn768; + dh->g = bn2; } else if (key->key_size == 1024 && - BN_cmp(dh->p, &bn1024) == 0) { + BN_cmp(dh->p, bn1024) == 0) { BN_free(dh->p); BN_free(dh->g); - dh->p = &bn1024; - dh->g = &bn2; + dh->p = bn1024; + dh->g = bn2; } else if (key->key_size == 1536 && - BN_cmp(dh->p, &bn1536) == 0) { + BN_cmp(dh->p, bn1536) == 0) { BN_free(dh->p); BN_free(dh->g); - dh->p = &bn1536; - dh->g = &bn2; + dh->p = bn1536; + dh->g = bn2; } } @@ -622,10 +632,10 @@ BN_fromhex(BIGNUM *b, const char *str) { static void openssldh_cleanup(void) { - BN_free(&bn2); - BN_free(&bn768); - BN_free(&bn1024); - BN_free(&bn1536); + BN_free(bn2); + BN_free(bn768); + BN_free(bn1024); + BN_free(bn1536); } static dst_func_t openssldh_functions = { 
@@ -655,17 +665,27 @@ isc_result_t dst__openssldh_init(dst_func_t **funcp) { REQUIRE(funcp != NULL); if (*funcp == NULL) { - BN_init(&bn2); - BN_init(&bn768); - BN_init(&bn1024); - BN_init(&bn1536); - BN_set_word(&bn2, 2); - BN_fromhex(&bn768, PRIME768); - BN_fromhex(&bn1024, PRIME1024); - BN_fromhex(&bn1536, PRIME1536); + bn2 = BN_new(); + bn768 = BN_new(); + bn1024 = BN_new(); + bn1536 = BN_new(); + if (bn2 == NULL || bn768 == NULL || + bn1024 == NULL || bn1536 == NULL) + goto cleanup; + BN_set_word(bn2, 2); + BN_fromhex(bn768, PRIME768); + BN_fromhex(bn1024, PRIME1024); + BN_fromhex(bn1536, PRIME1536); *funcp = &openssldh_functions; } return (ISC_R_SUCCESS); + + cleanup: + if (bn2 != NULL) BN_free(bn2); + if (bn768 != NULL) BN_free(bn768); + if (bn1024 != NULL) BN_free(bn1024); + if (bn1536 != NULL) BN_free(bn1536); + return (ISC_R_NOMEMORY); } #else /* OPENSSL */ diff --git a/lib/dns/openssldsa_link.c b/lib/dns/openssldsa_link.c index 61e64db0d4..90c7d42288 100644 --- a/lib/dns/openssldsa_link.c +++ b/lib/dns/openssldsa_link.c @@ -339,7 +339,7 @@ progress_cb(int p, int n, BN_GENCB *cb) UNUSED(n); - u.dptr = cb->arg; + u.dptr = BN_GENCB_get_arg(cb); if (u.fptr != NULL) u.fptr(p); return (1); @@ -352,7 +352,10 @@ openssldsa_generate(dst_key_t *key, int unused, void (*callback)(int)) { unsigned char rand_array[ISC_SHA1_DIGESTLENGTH]; isc_result_t result; #if OPENSSL_VERSION_NUMBER > 0x00908000L - BN_GENCB cb; + BN_GENCB *cb; +#if OPENSSL_VERSION_NUMBER < 0x10100000L + BN_GENCB _cb; +#endif union { void *dptr; void (*fptr)(int); 
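Review bot: The `cleanup:` path added to dst__openssldh_init frees bn2, bn768, bn1024 and bn1536 but leaves the file-scope pointers holding the freed addresses, and openssldh_cleanup in the hunk before it does the same. A later comparison such as `dh->p == bn768`, or a second BN_free, would then act on a dangling pointer. Resetting each pointer after the free, e.g. `BN_free(bn2); bn2 = NULL;`, closes that off. The `!= NULL` guards are not needed because BN_free accepts NULL, and the return value of `BN_set_word(bn2, 2)` is still ignored.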
@@ -373,22 +376,30 @@ openssldsa_generate(dst_key_t *key, int unused, void (*callback)(int)) { dsa = DSA_new(); if (dsa == NULL) return (dst__openssl_toresult(DST_R_OPENSSLFAILURE)); + cb = BN_GENCB_new(); + if (cb == NULL) { + DSA_free(dsa); + return (dst__openssl_toresult(DST_R_OPENSSLFAILURE)); + } + if (callback == NULL) { - BN_GENCB_set_old(&cb, NULL, NULL); + BN_GENCB_set_old(cb, NULL, NULL); } else { u.fptr = callback; - BN_GENCB_set(&cb, &progress_cb, u.dptr); + BN_GENCB_set(cb, &progress_cb, u.dptr); } if (!DSA_generate_parameters_ex(dsa, key->key_size, rand_array, ISC_SHA1_DIGESTLENGTH, NULL, NULL, - &cb)) + cb)) { DSA_free(dsa); + BN_GENCB_free(cb); return (dst__openssl_toresult2("DSA_generate_parameters_ex", DST_R_OPENSSLFAILURE)); } + BN_GENCB_free(cb); #else dsa = DSA_generate_parameters(key->key_size, rand_array, ISC_SHA1_DIGESTLENGTH, NULL, NULL, diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c index ad957026be..e55616cf23 100644 --- a/lib/dns/opensslrsa_link.c +++ b/lib/dns/opensslrsa_link.c @@ -753,7 +753,7 @@ progress_cb(int p, int n, BN_GENCB *cb) UNUSED(n); - u.dptr = cb->arg; + u.dptr = BN_GENCB_get_arg(cb); if (u.fptr != NULL) u.fptr(p); return (1); @@ -764,18 +764,21 @@ static isc_result_t opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) { #if OPENSSL_VERSION_NUMBER > 0x00908000L isc_result_t ret = DST_R_OPENSSLFAILURE; - BN_GENCB cb; union { void *dptr; void (*fptr)(int); } u; RSA *rsa = RSA_new(); BIGNUM *e = BN_new(); +#if OPENSSL_VERSION_NUMBER < 0x10100000L + BN_GENCB _cb; +#endif + BN_GENCB *cb = BN_GENCB_new(); #if USE_EVP EVP_PKEY *pkey = EVP_PKEY_new(); #endif - if (rsa == NULL || e == NULL) + if (rsa == NULL || e == NULL || cb == NULL) goto err; #if USE_EVP if (pkey == NULL) 
@@ -795,14 +798,15 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) { } if (callback == NULL) { - BN_GENCB_set_old(&cb, NULL, NULL); + BN_GENCB_set_old(cb, NULL, NULL); } else { u.fptr = callback; - BN_GENCB_set(&cb, &progress_cb, u.dptr); + BN_GENCB_set(cb, &progress_cb, u.dptr); } - if (RSA_generate_key_ex(rsa, key->key_size, e, &cb)) { + if (RSA_generate_key_ex(rsa, key->key_size, e, cb)) { BN_free(e); + BN_GENCB_free(cb); SET_FLAGS(rsa); #if USE_EVP key->keydata.pkey = pkey; @@ -813,6 +817,7 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) { #endif return (ISC_R_SUCCESS); } + BN_GENCB_free(cb); ret = dst__openssl_toresult2("RSA_generate_key_ex", DST_R_OPENSSLFAILURE); @@ -825,6 +830,8 @@ err: BN_free(e); if (rsa != NULL) RSA_free(rsa); + if (cb != NULL) + BN_GENCB_free(cb); return (dst__openssl_toresult(ret)); #else RSA *rsa; From 03d6a438457afcca78bc90ff69aebe74b7bdb92e Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 28 May 2015 16:31:35 +1000 Subject: [PATCH 07/11] fix merge error --- lib/dns/dlz.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/dns/dlz.c b/lib/dns/dlz.c index eae87ab82d..8acf436c31 100644 --- a/lib/dns/dlz.c +++ b/lib/dns/dlz.c @@ -239,7 +239,7 @@ dns_dlzdestroy(dns_dlzdb_t **dbp) { #ifdef BIND9 if (db->ssutable != NULL) - dns_ssutable_detach(&(*dbp)->ssutable); + dns_ssutable_detach(&dp->ssutable); #endif /* call the drivers destroy method */ From f86443709f84ca93a7910ebdbadb739be146bf24 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 28 May 2015 18:35:01 +1000 Subject: [PATCH 08/11] fix typo --- lib/dns/dlz.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/dns/dlz.c b/lib/dns/dlz.c index 8acf436c31..d46010732e 100644 --- a/lib/dns/dlz.c +++ b/lib/dns/dlz.c 
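Review bot: On the failure path of opensslrsa_generate, `cb` looks to be freed twice. The added `BN_GENCB_free(cb);` after the RSA_generate_key_ex() block is followed by the `err:` cleanup, which now also runs `if (cb != NULL) BN_GENCB_free(cb);`. The lines between those two hunks are not shown, so this assumes control falls through to `err:` and that BN_GENCB_free is a real function that does not reset its argument, as with OpenSSL 1.1.0. Dropping the first call and leaving the release to `err:`, or writing `BN_GENCB_free(cb); cb = NULL;`, keeps a single release point for the object.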
@@ -239,7 +239,7 @@ dns_dlzdestroy(dns_dlzdb_t **dbp) { #ifdef BIND9 if (db->ssutable != NULL) - dns_ssutable_detach(&dp->ssutable); + dns_ssutable_detach(&db->ssutable); #endif /* call the drivers destroy method */ From 263cbd6fa193ea927e924b754c86883444cfa283 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 29 May 2015 07:21:49 +1000 Subject: [PATCH 09/11] 4130. [bug] The compatability shim for *printf() misprinted some large numbers. [RT #39586] (cherry picked from commit 38c19e577915221b1783791cbb4f4e3ceea20019) --- CHANGES | 3 + lib/isc/print.c | 120 ++++++++++++++++++++++++------------- lib/isc/tests/print_test.c | 27 +++++++++ 3 files changed, 109 insertions(+), 41 deletions(-) diff --git a/CHANGES b/CHANGES index 1bfe41857f..73ea2d392c 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +4130. [bug] The compatability shim for *printf() misprinted some + large numbers. [RT #39586] + 4129. [port] Address API changes in OpenSSL 1.1.0. [RT #39532] 4128. [bug] Address issues raised by Coverity 7.6. [RT #39537] diff --git a/lib/isc/print.c b/lib/isc/print.c index 4a1d553719..9ef76a8c8d 100644 --- a/lib/isc/print.c +++ b/lib/isc/print.c @@ -22,6 +22,7 @@ #include #include /* for sprintf() */ #include /* for strlen() */ +#include /* for assert() */ #define ISC__PRINT_SOURCE /* Used to get the isc_print_* prototypes. */ 
@@ -32,29 +33,42 @@ #include #include +/* + * We use the system's sprintf so we undef it here. + */ +#undef sprintf + static int -isc__print_printf(void (*emit)(char, void *), void *arg, const char *format, va_list ap); +isc__print_printf(void (*emit)(char, void *), void *arg, + const char *format, va_list ap); static void file_emit(char c, void *arg) { - fputc(c, arg); + FILE *fp = arg; + int i = c & 0xff; + + putc(i, fp); } +#if 0 static int isc_print_vfprintf(FILE *fp, const char *format, va_list ap) { - INSIST(fp != NULL); - INSIST(format != NULL); + assert(fp != NULL); + assert(format != NULL); return (isc__print_printf(file_emit, fp, format, ap)); } +#endif int isc_print_printf(const char *format, ...) { va_list ap; int n; + assert(format != NULL); + va_start(ap, format); - n = isc_print_vfprintf(stdout, format, ap); + n = isc__print_printf(file_emit, stdout, format, ap); va_end(ap); return (n); } @@ -64,20 +78,34 @@ isc_print_fprintf(FILE *fp, const char *format, ...) { va_list ap; int n; + assert(fp != NULL); + assert(format != NULL); + va_start(ap, format); - n = isc_print_vfprintf(fp, format, ap); + n = isc__print_printf(file_emit, fp, format, ap); va_end(ap); return (n); } +static void +nocheck_emit(char c, void *arg) { + struct { char *str; } *a = arg; + + *(a->str)++ = c; +} + int isc_print_sprintf(char *str, const char *format, ...) { + struct { char *str; } arg; + int n; va_list ap; + arg.str = str; + va_start(ap, format); - vsprintf(str, format, ap); + n = isc__print_printf(nocheck_emit, &arg, format, ap); va_end(ap); - return (strlen(str)); + return (n); } /*! @@ -90,7 +118,7 @@ isc_print_snprintf(char *str, size_t size, const char *format, ...) { int ret; va_start(ap, format); - ret = vsnprintf(str, size, format, ap); + ret = isc_print_vsnprintf(str, size, format, ap); va_end(ap); return (ret); @@ -106,7 +134,7 @@ string_emit(char c, void *arg) { if (p->size > 0U) { *(p->str)++ = c; - (p->size)--; + p->size--; } } 
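Review bot: Replacing INSIST/REQUIRE with `assert()` makes every argument check in this file conditional on NDEBUG, starting with `assert(format != NULL)` in isc_print_printf and isc_print_fprintf. In a build that defines NDEBUG, a NULL `fp`, `format` or `%n` target pointer would be dereferenced instead of stopping the process. The same applies to the asserts in the isc_print_vsnprintf and isc__print_printf hunks further down. If the ISC assertion macros cannot be used here, a comment saying why would help, e.g. `/* assert() rather than INSIST(): <reason> */`, and the checks that guard pointer writes could be made unconditional.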
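Review bot: The new isc_print_sprintf never writes a terminating NUL. nocheck_emit stores each character and advances the pointer, and after `n = isc__print_printf(nocheck_emit, &arg, format, ap);` the function returns without `*arg.str = '\0';`. The replaced vsprintf() call terminated the string, so callers that read `str` afterwards would run past the formatted text unless isc__print_printf emits the terminator itself, which this hunk does not show. Adding `*arg.str = '\0';` before `va_end(ap);` restores the old contract. nocheck_emit is also unbounded by design, so a comment on it such as `/* caller must guarantee the buffer is large enough */` would be worth having.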
@@ -115,8 +143,8 @@ isc_print_vsnprintf(char *str, size_t size, const char *format, va_list ap) { struct { char *str; size_t size; } arg; int n; - INSIST(str != NULL); - INSIST(format != NULL); + assert(str != NULL); + assert(format != NULL); arg.str = str; arg.size = size; @@ -156,14 +184,15 @@ isc__print_printf(void (*emit)(char, void *), void *arg, int zeropad; int dot; double dbl; + isc_boolean_t precision_set; #ifdef HAVE_LONG_DOUBLE long double ldbl; #endif char fmt[32]; - INSIST(emit != NULL); - INSIST(arg != NULL); - INSIST(format != NULL); + assert(emit != NULL); + assert(arg != NULL); + assert(format != NULL); while (*format != '\0') { if (*format != '%') { @@ -180,6 +209,7 @@ isc__print_printf(void (*emit)(char, void *), void *arg, width = precision = 0; head = ""; pad = zeropad = 0; + precision_set = ISC_FALSE; do { if (*format == '#') { @@ -225,10 +255,12 @@ isc__print_printf(void (*emit)(char, void *), void *arg, dot = 1; if (*format == '*') { precision = va_arg(ap, int); + precision_set = ISC_TRUE; format++; } else if (isdigit((unsigned char)*format)) { char *e; precision = strtoul(format, &e, 10); + precision_set = ISC_TRUE; format = e; } } @@ -275,22 +307,22 @@ isc__print_printf(void (*emit)(char, void *), void *arg, if (h) { short int *p; p = va_arg(ap, short *); - REQUIRE(p != NULL); + assert(p != NULL); *p = count; } else if (l) { long int *p; p = va_arg(ap, long *); - REQUIRE(p != NULL); + assert(p != NULL); *p = count; } else if (z) { size_t *p; p = va_arg(ap, size_t *); - REQUIRE(p != NULL); + assert(p != NULL); *p = count; } else { int *p; p = va_arg(ap, int *); - REQUIRE(p != NULL); + assert(p != NULL); *p = count; } break; 
@@ -327,12 +359,14 @@ isc__print_printf(void (*emit)(char, void *), void *arg, tmpui /= 1000000000; mid = tmpui % 1000000000; hi = tmpui / 1000000000; - if (hi != 0U) + if (hi != 0U) { sprintf(buf, "%lu", hi); - else - buf[0] = '\0'; - sprintf(buf + strlen(buf), "%lu", mid); - sprintf(buf + strlen(buf), "%lu", lo); + sprintf(buf + strlen(buf), + "%09lu", mid); + } else + sprintf(buf, "%lu", mid); + sprintf(buf + strlen(buf), "%09lu", + lo); } goto printint; case 'o': @@ -360,12 +394,12 @@ isc__print_printf(void (*emit)(char, void *), void *arg, alt ? "%#lo" : "%lo", hi); sprintf(buf + strlen(buf), - "%lo", mid); + "%09lo", mid); } else sprintf(buf, alt ? "%#lo" : "%lo", mid); - sprintf(buf + strlen(buf), "%lo", lo); + sprintf(buf + strlen(buf), "%09lo", lo); } goto printint; case 'u': @@ -388,12 +422,14 @@ isc__print_printf(void (*emit)(char, void *), void *arg, tmpui /= 1000000000; mid = tmpui % 1000000000; hi = tmpui / 1000000000; - if (hi != 0U) + if (hi != 0U) { sprintf(buf, "%lu", hi); - else - buf[0] = '\0'; - sprintf(buf + strlen(buf), "%lu", mid); - sprintf(buf + strlen(buf), "%lu", lo); + sprintf(buf + strlen(buf), + "%09lu", mid); + } else + sprintf(buf, "%lu", mid); + sprintf(buf + strlen(buf), "%09lu", + lo); } goto printint; case 'x': @@ -417,7 +453,7 @@ isc__print_printf(void (*emit)(char, void *), void *arg, unsigned long hi = tmpui>>32; unsigned long lo = tmpui & 0xffffffff; sprintf(buf, "%lx", hi); - sprintf(buf + strlen(buf), "%lx", lo); + sprintf(buf + strlen(buf), "%08lx", lo); } goto printint; case 'X': @@ -441,11 +477,11 @@ isc__print_printf(void (*emit)(char, void *), void *arg, unsigned long hi = tmpui>>32; unsigned long lo = tmpui & 0xffffffff; sprintf(buf, "%lX", hi); - sprintf(buf + strlen(buf), "%lX", lo); + sprintf(buf + strlen(buf), "%08lX", lo); } goto printint; printint: - if (precision != 0U || width != 0U) { + if (precision_set || width != 0U) { length = strlen(buf); if (length < precision) zeropad = precision - length; 
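Review bot: The octal branch pads the continuation chunks with `%09lo`, the same width as the decimal branches, which is only right if each chunk holds nine octal digits. The divisor is outside this hunk; if it is 010000000000 (ten octal digits), values whose lower chunks have leading zeros will still misprint, and the width should be `%010lo` for both `mid` and `lo`. The decimal width (`%09lu` with 1000000000) and the hex width (`%08lx` with a 32-bit split) do match their visible divisors. The tests added by this commit cover only `%qu`, `%llu` and `%lld`, so a large-value `%llo` and `%llx` case would catch a mismatch here.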
@@ -487,21 +523,23 @@ isc__print_printf(void (*emit)(char, void *), void *arg, break; case 's': cp = va_arg(ap, char *); - REQUIRE(cp != NULL); - if (precision != 0U) { + if (precision_set) { /* * cp need not be NULL terminated. */ const char *tp; unsigned long n; + if (precision != 0U) + assert(cp != NULL); n = precision; tp = cp; while (n != 0U && *tp != '\0') n--, tp++; length = precision - n; } else { + assert(cp != NULL); length = strlen(cp); } if (width != 0U) { @@ -515,7 +553,7 @@ isc__print_printf(void (*emit)(char, void *), void *arg, emit(' ', arg); pad--; } - if (precision != 0U) + if (precision_set) while (precision > 0U && *cp != '\0') { emit(*cp++, arg); precision--; @@ -579,17 +617,17 @@ isc__print_printf(void (*emit)(char, void *), void *arg, } break; case 'D': /*deprecated*/ - INSIST("use %ld instead of %D" == NULL); + assert("use %ld instead of %D" == NULL); case 'O': /*deprecated*/ - INSIST("use %lo instead of %O" == NULL); + assert("use %lo instead of %O" == NULL); case 'U': /*deprecated*/ - INSIST("use %lu instead of %U" == NULL); + assert("use %lu instead of %U" == NULL); case 'L': #ifdef HAVE_LONG_DOUBLE l = 1; #else - INSIST("long doubles are not supported" == NULL); + assert("long doubles are not supported" == NULL); #endif /*FALLTHROUGH*/ case 'e': diff --git a/lib/isc/tests/print_test.c b/lib/isc/tests/print_test.c index 6923eea9e5..7d0342ba8a 100644 --- a/lib/isc/tests/print_test.c +++ b/lib/isc/tests/print_test.c @@ -53,6 +53,8 @@ ATF_TC_HEAD(snprintf, tc) { ATF_TC_BODY(snprintf, tc) { char buf[10000]; isc_uint64_t ll = 8589934592ULL; + isc_uint64_t nn = 20000000000000ULL; + isc_uint64_t zz = 10000000000000000000LLU; int n; size_t size; 
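Review bot: The deprecated conversions `%D`, `%O` and `%U` now rely on `assert("use %ld instead of %D" == NULL);` to stop, and the cases have no `break`. With NDEBUG defined the assert is removed, and control runs through `case 'L'` into the floating-point handling at `case 'e'`, which would read the argument with the wrong type. The switch continues outside the hunk, so what follows `case 'e'` is inferred from the labels shown. Ending each of these cases with an unconditional `abort();` keeps the previous always-fatal behaviour regardless of build flags.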
@@ -73,6 +75,31 @@ ATF_TC_BODY(snprintf, tc) { ATF_CHECK_EQ(n, 10); ATF_CHECK_STREQ(buf, "8589934592"); + memset(buf, 0xff, sizeof(buf)); + n = isc_print_snprintf(buf, sizeof(buf), "%qu", nn); + ATF_CHECK_EQ(n, 14); + ATF_CHECK_STREQ(buf, "20000000000000"); + + memset(buf, 0xff, sizeof(buf)); + n = isc_print_snprintf(buf, sizeof(buf), "%llu", nn); + ATF_CHECK_EQ(n, 14); + ATF_CHECK_STREQ(buf, "20000000000000"); + + memset(buf, 0xff, sizeof(buf)); + n = isc_print_snprintf(buf, sizeof(buf), "%qu", zz); + ATF_CHECK_EQ(n, 20); + ATF_CHECK_STREQ(buf, "10000000000000000000"); + + memset(buf, 0xff, sizeof(buf)); + n = isc_print_snprintf(buf, sizeof(buf), "%llu", zz); + ATF_CHECK_EQ(n, 20); + ATF_CHECK_STREQ(buf, "10000000000000000000"); + + memset(buf, 0xff, sizeof(buf)); + n = isc_print_snprintf(buf, sizeof(buf), "%lld", nn); + ATF_CHECK_EQ(n, 14); + ATF_CHECK_STREQ(buf, "20000000000000"); + size = 1000; memset(buf, 0xff, sizeof(buf)); n = isc_print_snprintf(buf, sizeof(buf), "%zu", size); From 14b169888ad1098db88e3e522c128ac7ffdcfa82 Mon Sep 17 00:00:00 2001 From: Tinderbox User Date: Thu, 28 May 2015 23:30:12 +0000 Subject: [PATCH 10/11] newcopyrights --- util/copyrights | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/util/copyrights b/util/copyrights index c99c237593..64f88dfdba 100644 --- a/util/copyrights +++ b/util/copyrights 
@@ -2667,7 +2667,7 @@ ./lib/dns/dst_api.c C.NAI 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2015 ./lib/dns/dst_internal.h C.NAI 2000,2001,2002,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013 ./lib/dns/dst_lib.c C 1999,2000,2001,2004,2005,2007 -./lib/dns/dst_openssl.h C 2002,2004,2005,2007,2008,2009,2011,2012 +./lib/dns/dst_openssl.h C 2002,2004,2005,2007,2008,2009,2011,2012,2015 ./lib/dns/dst_parse.c C.NAI 1999,2000,2001,2002,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2015 ./lib/dns/dst_parse.h C.NAI 2000,2001,2002,2004,2005,2006,2007,2008,2009,2010,2012 ./lib/dns/dst_result.c C 1999,2000,2001,2004,2005,2007,2008,2012,2013 @@ -2786,9 +2786,9 @@ ./lib/dns/ncache.c C 1999,2000,2001,2002,2003,2004,2005,2007,2008,2010,2011,2012,2013,2015 ./lib/dns/nsec.c C 1999,2000,2001,2003,2004,2005,2007,2008,2009,2011,2012,2013,2014,2015 ./lib/dns/nsec3.c C 2006,2008,2009,2010,2011,2012,2013,2014,2015 -./lib/dns/openssl_link.c C.NAI 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2014 +./lib/dns/openssl_link.c C.NAI 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2014,2015 ./lib/dns/openssldh_link.c C.NAI 1999,2000,2001,2002,2004,2005,2006,2007,2008,2009,2011,2012,2013,2014,2015 -./lib/dns/openssldsa_link.c C.NAI 1999,2000,2001,2002,2004,2005,2006,2007,2008,2009,2011,2012,2013 +./lib/dns/openssldsa_link.c C.NAI 1999,2000,2001,2002,2004,2005,2006,2007,2008,2009,2011,2012,2013,2015 ./lib/dns/opensslecdsa_link.c C 2012,2013,2014 ./lib/dns/opensslgost_link.c C 2010,2011,2012,2013,2014 ./lib/dns/opensslrsa_link.c C 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2011,2012,2013,2014,2015 From 2a71b08491b1a068661f21586ec17feec0a4f409 Mon Sep 17 00:00:00 2001 
From: Tinderbox User Date: Thu, 28 May 2015 23:46:13 +0000 Subject: [PATCH 11/11] update copyright notice / whitespace --- bin/dnssec/dnssec-dsfromkey.docbook | 3 ++- bin/named/interfacemgr.c | 2 +- bin/named/update.c | 4 ++-- bin/tests/rbt/t_rbt.c | 2 +- bin/tests/system/dnssec/ns2/named.conf | 2 +- bin/tests/system/dnssec/ns2/sign.sh | 2 +- bin/tests/system/rsabigexponent/Makefile.in | 2 +- bin/tests/system/tkey/Makefile.in | 2 +- bin/tests/tasks/t_tasks.c | 2 +- doc/design/cds-child | 2 ++ lib/dns/dlz.c | 2 +- lib/dns/dst_api.c | 2 +- lib/dns/dst_openssl.h | 2 +- lib/dns/include/dns/result.h | 2 +- lib/dns/openssl_link.c | 2 +- lib/dns/openssldh_link.c | 4 ++-- lib/dns/openssldsa_link.c | 2 +- lib/dns/opensslrsa_link.c | 2 +- lib/dns/result.c | 2 +- lib/dns/rrl.c | 2 +- lib/isc/print.c | 2 +- 21 files changed, 25 insertions(+), 22 deletions(-) diff --git a/bin/dnssec/dnssec-dsfromkey.docbook b/bin/dnssec/dnssec-dsfromkey.docbook index 9f8230e8d7..1127fa04e8 100644 --- a/bin/dnssec/dnssec-dsfromkey.docbook +++ b/bin/dnssec/dnssec-dsfromkey.docbook @@ -2,7 +2,7 @@ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" []>