/[packages]/cauldron/bind/current/SOURCES/bind-9.11-rh1624100.patch
ViewVC logotype

Contents of /cauldron/bind/current/SOURCES/bind-9.11-rh1624100.patch

Parent Directory Parent Directory | Revision Log Revision Log


Revision 1461579 - (show annotations) (download)
Sun Nov 17 22:22:25 2019 UTC (3 weeks, 5 days ago) by guillomovitch
File size: 8398 byte(s)
new version 9.11.12
1 From 76594cba9a1e910bb36160d96fc3872349341799 Mon Sep 17 00:00:00 2001
2 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
3 Date: Wed, 25 Apr 2018 14:04:31 +0200
4 Subject: [PATCH] Replace isc_safe routines with their OpenSSL counter parts
5
6 (cherry picked from commit 66ba2fdad583d962a1f4971c85d58381f0849e4d)
7
8 Remove isc_safe_memcompare, it's not needed anywhere and can't be replaced with CRYPTO_memcmp()
9
10 (cherry picked from commit b105ccee68ccc3c18e6ea530063b3c8e5a42571c)
11
12 Fix the isc_safe_memwipe() usage with (NULL, >0)
13
14 (cherry picked from commit 083461d3329ff6f2410745848a926090586a9846)
15 ---
16 bin/dnssec/dnssec-signzone.c | 2 +-
17 lib/dns/nsec3.c | 4 +-
18 lib/dns/spnego.c | 4 +-
19 lib/isc/Makefile.in | 8 +---
20 lib/isc/include/isc/safe.h | 18 ++------
21 lib/isc/safe.c | 83 ------------------------------------
22 lib/isc/tests/safe_test.c | 18 --------
23 7 files changed, 11 insertions(+), 126 deletions(-)
24 delete mode 100644 lib/isc/safe.c
25
26 diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
27 index 6ddaebe..d921870 100644
28 --- a/bin/dnssec/dnssec-signzone.c
29 +++ b/bin/dnssec/dnssec-signzone.c
30 @@ -787,7 +787,7 @@ hashlist_add_dns_name(hashlist_t *l, /*const*/ dns_name_t *name,
31
32 static int
33 hashlist_comp(const void *a, const void *b) {
34 - return (isc_safe_memcompare(a, b, hash_length + 1));
35 + return (memcmp(a, b, hash_length + 1));
36 }
37
38 static void
39 diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c
40 index 6ae7ca8..01426d6 100644
41 --- a/lib/dns/nsec3.c
42 +++ b/lib/dns/nsec3.c
43 @@ -1963,7 +1963,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name,
44 * Work out what this NSEC3 covers.
45 * Inside (<0) or outside (>=0).
46 */
47 - scope = isc_safe_memcompare(owner, nsec3.next, nsec3.next_length);
48 + scope = memcmp(owner, nsec3.next, nsec3.next_length);
49
50 /*
51 * Prepare to compute all the hashes.
52 @@ -1987,7 +1987,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name,
53 return (ISC_R_IGNORE);
54 }
55
56 - order = isc_safe_memcompare(hash, owner, length);
57 + order = memcmp(hash, owner, length);
58 if (first && order == 0) {
59 /*
60 * The hashes are the same.
61 diff --git a/lib/dns/spnego.c b/lib/dns/spnego.c
62 index ad77f24..670982a 100644
63 --- a/lib/dns/spnego.c
64 +++ b/lib/dns/spnego.c
65 @@ -371,7 +371,7 @@ gssapi_spnego_decapsulate(OM_uint32 *,
66
67 /* mod_auth_kerb.c */
68
69 -static int
70 +static isc_boolean_t
71 cmp_gss_type(gss_buffer_t token, gss_OID gssoid)
72 {
73 unsigned char *p;
74 @@ -395,7 +395,7 @@ cmp_gss_type(gss_buffer_t token, gss_OID gssoid)
75 if (((OM_uint32) *p++) != gssoid->length)
76 return (GSS_S_DEFECTIVE_TOKEN);
77
78 - return (isc_safe_memcompare(p, gssoid->elements, gssoid->length));
79 + return (!isc_safe_memequal(p, gssoid->elements, gssoid->length));
80 }
81
82 /* accept_sec_context.c */
83 diff --git a/lib/isc/Makefile.in b/lib/isc/Makefile.in
84 index 0fd0837..8ad54bb 100644
85 --- a/lib/isc/Makefile.in
86 +++ b/lib/isc/Makefile.in
87 @@ -60,7 +60,7 @@ OBJS = @ISC_EXTRA_OBJS@ @ISC_PK11_O@ @ISC_PK11_RESULT_O@ \
88 parseint.@O@ portset.@O@ quota.@O@ radix.@O@ random.@O@ \
89 ratelimiter.@O@ refcount.@O@ region.@O@ regex.@O@ result.@O@ \
90 rwlock.@O@ \
91 - safe.@O@ serial.@O@ siphash.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \
92 + serial.@O@ siphash.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \
93 string.@O@ strtoul.@O@ symtab.@O@ task.@O@ taskpool.@O@ \
94 tm.@O@ timer.@O@ version.@O@ \
95 ${UNIXOBJS} ${NLSOBJS} ${THREADOBJS}
96 @@ -79,7 +79,7 @@ SRCS = @ISC_EXTRA_SRCS@ @ISC_PK11_C@ @ISC_PK11_RESULT_C@ \
97 netaddr.c netscope.c pool.c ondestroy.c \
98 parseint.c portset.c quota.c radix.c random.c ${CHACHASRCS} \
99 ratelimiter.c refcount.c region.c regex.c result.c rwlock.c \
100 - safe.c serial.c siphash.c sha1.c sha2.c sockaddr.c stats.c string.c \
101 + serial.c siphash.c sha1.c sha2.c sockaddr.c stats.c string.c \
102 strtoul.c symtab.c task.c taskpool.c timer.c \
103 tm.c version.c
104
105 @@ -95,10 +95,6 @@ TESTDIRS = @UNITTESTS@
106
107 @BIND9_MAKE_RULES@
108
109 -safe.@O@: safe.c
110 - ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} @CCNOOPT@ \
111 - -c ${srcdir}/safe.c
112 -
113 version.@O@: version.c
114 ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
115 -DVERSION=\"${VERSION}\" \
116 diff --git a/lib/isc/include/isc/safe.h b/lib/isc/include/isc/safe.h
117 index 66ed08b..88b8f47 100644
118 --- a/lib/isc/include/isc/safe.h
119 +++ b/lib/isc/include/isc/safe.h
120 @@ -15,29 +15,19 @@
121
122 /*! \file isc/safe.h */
123
124 -#include <stdbool.h>
125 -
126 -#include <isc/types.h>
127 -#include <stdlib.h>
128 +#include <isc/lang.h>
129 +#include <openssl/crypto.h>
130
131 ISC_LANG_BEGINDECLS
132
133 -bool
134 -isc_safe_memequal(const void *s1, const void *s2, size_t n);
135 +#define isc_safe_memequal(s1, s2, n) !CRYPTO_memcmp(s1, s2, n)
136 /*%<
137 * Returns true iff. two blocks of memory are equal, otherwise
138 * false.
139 *
140 */
141
142 -int
143 -isc_safe_memcompare(const void *b1, const void *b2, size_t len);
144 -/*%<
145 - * Clone of libc memcmp() which is safe to differential timing attacks.
146 - */
147 -
148 -void
149 -isc_safe_memwipe(void *ptr, size_t len);
150 +#define isc_safe_memwipe(ptr, len) OPENSSL_cleanse(ptr, len)
151 /*%<
152 * Clear the memory of length `len` pointed to by `ptr`.
153 *
154 diff --git a/lib/isc/safe.c b/lib/isc/safe.c
155 deleted file mode 100644
156 index 7a464b6..0000000
157 --- a/lib/isc/safe.c
158 +++ /dev/null
159 @@ -1,83 +0,0 @@
160 -/*
161 - * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
162 - *
163 - * This Source Code Form is subject to the terms of the Mozilla Public
164 - * License, v. 2.0. If a copy of the MPL was not distributed with this
165 - * file, You can obtain one at http://mozilla.org/MPL/2.0/.
166 - *
167 - * See the COPYRIGHT file distributed with this work for additional
168 - * information regarding copyright ownership.
169 - */
170 -
171 -/*! \file */
172 -
173 -#include <config.h>
174 -
175 -#include <stdbool.h>
176 -
177 -#include <isc/safe.h>
178 -#include <isc/string.h>
179 -#include <isc/util.h>
180 -
181 -#ifdef WIN32
182 -#include <windows.h>
183 -#endif
184 -
185 -#ifdef _MSC_VER
186 -#pragma optimize("", off)
187 -#endif
188 -
189 -bool
190 -isc_safe_memequal(const void *s1, const void *s2, size_t n) {
191 - uint8_t acc = 0;
192 -
193 - if (n != 0U) {
194 - const uint8_t *p1 = s1, *p2 = s2;
195 -
196 - do {
197 - acc |= *p1++ ^ *p2++;
198 - } while (--n != 0U);
199 - }
200 - return (acc == 0);
201 -}
202 -
203 -
204 -int
205 -isc_safe_memcompare(const void *b1, const void *b2, size_t len) {
206 - const unsigned char *p1 = b1, *p2 = b2;
207 - size_t i;
208 - int res = 0, done = 0;
209 -
210 - for (i = 0; i < len; i++) {
211 - /* lt is -1 if p1[i] < p2[i]; else 0. */
212 - int lt = (p1[i] - p2[i]) >> CHAR_BIT;
213 -
214 - /* gt is -1 if p1[i] > p2[i]; else 0. */
215 - int gt = (p2[i] - p1[i]) >> CHAR_BIT;
216 -
217 - /* cmp is 1 if p1[i] > p2[i]; -1 if p1[i] < p2[i]; else 0. */
218 - int cmp = lt - gt;
219 -
220 - /* set res = cmp if !done. */
221 - res |= cmp & ~done;
222 -
223 - /* set done if p1[i] != p2[i]. */
224 - done |= lt | gt;
225 - }
226 -
227 - return (res);
228 -}
229 -
230 -void
231 -isc_safe_memwipe(void *ptr, size_t len) {
232 - if (ISC_UNLIKELY(ptr == NULL || len == 0))
233 - return;
234 -
235 -#ifdef WIN32
236 - SecureZeroMemory(ptr, len);
237 -#elif HAVE_EXPLICIT_BZERO
238 - explicit_bzero(ptr, len);
239 -#else
240 - memset(ptr, 0, len);
241 -#endif
242 -}
243 diff --git a/lib/isc/tests/safe_test.c b/lib/isc/tests/safe_test.c
244 index 266ac75..60e9181 100644
245 --- a/lib/isc/tests/safe_test.c
246 +++ b/lib/isc/tests/safe_test.c
247 @@ -45,22 +45,6 @@ isc_safe_memequal_test(void **state) {
248 "\x00\x00\x00\x00", 4));
249 }
250
251 -/* test isc_safe_memcompare() */
252 -static void
253 -isc_safe_memcompare_test(void **state) {
254 - UNUSED(state);
255 -
256 - assert_int_equal(isc_safe_memcompare("test", "test", 4), 0);
257 - assert_true(isc_safe_memcompare("test", "tesc", 4) > 0);
258 - assert_true(isc_safe_memcompare("test", "tesy", 4) < 0);
259 - assert_int_equal(isc_safe_memcompare("\x00\x00\x00\x00",
260 - "\x00\x00\x00\x00", 4), 0);
261 - assert_true(isc_safe_memcompare("\x00\x00\x00\x00",
262 - "\x00\x00\x00\x01", 4) < 0);
263 - assert_true(isc_safe_memcompare("\x00\x00\x00\x02",
264 - "\x00\x00\x00\x00", 4) > 0);
265 -}
266 -
267 /* test isc_safe_memwipe() */
268 static void
269 isc_safe_memwipe_test(void **state) {
270 @@ -69,7 +53,6 @@ isc_safe_memwipe_test(void **state) {
271 /* These should pass. */
272 isc_safe_memwipe(NULL, 0);
273 isc_safe_memwipe((void *) -1, 0);
274 - isc_safe_memwipe(NULL, 42);
275
276 /*
277 * isc_safe_memwipe(ptr, size) should function same as
278 @@ -108,7 +91,6 @@ main(void) {
279 const struct CMUnitTest tests[] = {
280 cmocka_unit_test(isc_safe_memequal_test),
281 cmocka_unit_test(isc_safe_memwipe_test),
282 - cmocka_unit_test(isc_safe_memcompare_test),
283 };
284
285 return (cmocka_run_group_tests(tests, NULL, NULL));
286 --
287 2.20.1
288

  ViewVC Help
Powered by ViewVC 1.1.26