summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPetr Menšík <pemensik@redhat.com>2017-06-15 17:50:41 +0200
committerPetr Menšík <pemensik@redhat.com>2017-06-15 21:42:29 +0200
commit102df25a21fe04f655c7b74f8ac028f9c222429f (patch)
treeecb064eb9e52152d84eee5fd5669446ce8345498
parent08bdf0ebe6a7ffebd92fcd00f0da03d159bb3c4e (diff)
downloadbind-102df25a21fe04f655c7b74f8ac028f9c222429f.tar.gz
bind-102df25a21fe04f655c7b74f8ac028f9c222429f.tar.xz
bind-102df25a21fe04f655c7b74f8ac028f9c222429f.zip
Fix changed patches
-rw-r--r--bind-9.10-dist-native-pkcs11.patch147
-rw-r--r--bind-9.10-openssl-1.1.patch3463
-rw-r--r--bind-9.10-sdb.patch78
-rw-r--r--bind-9.11-docbook-xsl.patch958
-rw-r--r--bind-95-rh452060.patch18
-rw-r--r--bind-99-libidn.patch46
-rw-r--r--bind.spec4
-rw-r--r--bind97-rh478718.patch10
8 files changed, 151 insertions, 4573 deletions
diff --git a/bind-9.10-dist-native-pkcs11.patch b/bind-9.10-dist-native-pkcs11.patch
index a4e8dc2..41cf91f 100644
--- a/bind-9.10-dist-native-pkcs11.patch
+++ b/bind-9.10-dist-native-pkcs11.patch
@@ -1,5 +1,5 @@
diff --git a/bin/Makefile.in b/bin/Makefile.in
-index e3aeffb..7654169 100644
+index f3cbed3..7d21984 100644
--- a/bin/Makefile.in
+++ b/bin/Makefile.in
@@ -10,7 +10,7 @@ srcdir = @srcdir@
@@ -12,14 +12,14 @@ index e3aeffb..7654169 100644
TARGETS =
diff --git a/bin/dnssec-pkcs11/Makefile.in b/bin/dnssec-pkcs11/Makefile.in
-index 4f1bf90..b8dc6fe 100644
+index 8c6627a..0427349 100644
--- a/bin/dnssec-pkcs11/Makefile.in
+++ b/bin/dnssec-pkcs11/Makefile.in
-@@ -23,18 +23,18 @@ top_srcdir = @top_srcdir@
+@@ -14,18 +14,18 @@ VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@
--CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES}
+-CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@
+CINCLUDES = ${DNS_PKCS11_INCLUDES} ${ISC_PKCS11_INCLUDES}
CDEFINES = -DVERSION=\"${VERSION}\" @USE_PKCS11@ @PKCS11_ENGINE@ \
@@ -41,7 +41,7 @@ index 4f1bf90..b8dc6fe 100644
DEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS}
-@@ -43,10 +43,10 @@ LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@
+@@ -34,10 +34,10 @@ LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@
NOSYMLIBS = ${DNSLIBS} ${ISCNOSYMLIBS} @LIBS@
# Alphabetically
@@ -56,7 +56,7 @@ index 4f1bf90..b8dc6fe 100644
OBJS = dnssectool.@O@
-@@ -67,15 +67,15 @@ MANOBJS = ${MANPAGES} ${HTMLPAGES}
+@@ -58,15 +58,15 @@ MANOBJS = ${MANPAGES} ${HTMLPAGES}
@BIND9_MAKE_RULES@
@@ -75,7 +75,7 @@ index 4f1bf90..b8dc6fe 100644
export BASEOBJS="dnssec-keygen.@O@ ${OBJS}"; \
${FINALBUILDCMD}
-@@ -83,7 +83,7 @@ dnssec-signzone.@O@: dnssec-signzone.c
+@@ -74,7 +74,7 @@ dnssec-signzone.@O@: dnssec-signzone.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
-c ${srcdir}/dnssec-signzone.c
@@ -84,7 +84,7 @@ index 4f1bf90..b8dc6fe 100644
export BASEOBJS="dnssec-signzone.@O@ ${OBJS}"; \
${FINALBUILDCMD}
-@@ -91,19 +91,19 @@ dnssec-verify.@O@: dnssec-verify.c
+@@ -82,19 +82,19 @@ dnssec-verify.@O@: dnssec-verify.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
-c ${srcdir}/dnssec-verify.c
@@ -108,7 +108,7 @@ index 4f1bf90..b8dc6fe 100644
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
dnssec-importkey.@O@ ${OBJS} ${LIBS}
-@@ -114,11 +114,9 @@ docclean manclean maintainer-clean::
+@@ -105,14 +105,11 @@ docclean manclean maintainer-clean::
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
@@ -118,15 +118,18 @@ index 4f1bf90..b8dc6fe 100644
for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir}; done
- for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8; done
+ uninstall::
+- for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m ; done
+ for t in ${TARGETS}; do ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/$$t ; done
+
clean distclean::
- rm -f ${TARGETS}
diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in
-index 4f1bf90..e1132ea 100644
+index 8c6627a..c070881 100644
--- a/bin/dnssec/Makefile.in
+++ b/bin/dnssec/Makefile.in
-@@ -25,7 +25,7 @@ top_srcdir = @top_srcdir@
+@@ -16,7 +16,7 @@ VERSION=@BIND9_VERSION@
- CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES}
+ CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@
-CDEFINES = -DVERSION=\"${VERSION}\" @USE_PKCS11@ @PKCS11_ENGINE@ \
+CDEFINES = -DVERSION=\"${VERSION}\" \
@@ -134,7 +137,7 @@ index 4f1bf90..e1132ea 100644
CWARNINGS =
diff --git a/bin/named-pkcs11/Makefile.in b/bin/named-pkcs11/Makefile.in
-index 95e36c1..fb658e9 100644
+index 903023b..b40303d 100644
--- a/bin/named-pkcs11/Makefile.in
+++ b/bin/named-pkcs11/Makefile.in
@@ -36,26 +36,26 @@ DLZDRIVER_INCLUDES = @DLZ_DRIVER_INCLUDES@
@@ -189,7 +192,7 @@ index 95e36c1..fb658e9 100644
+TARGETS = named-pkcs11@EXEEXT@
GEOIPLINKOBJS = geoip.@O@
-
+
@@ -83,8 +83,7 @@ OBJS = builtin.@O@ client.@O@ config.@O@ control.@O@ \
tkeyconf.@O@ tsigconf.@O@ update.@O@ xfrout.@O@ \
zoneconf.@O@ \
@@ -219,7 +222,7 @@ index 95e36c1..fb658e9 100644
export MAKE_SYMTABLE="yes"; \
export BASEOBJS="${OBJS} ${UOBJS}"; \
${FINALBUILDCMD}
-@@ -166,15 +164,9 @@ statschannel.@O@: bind9.xsl.h
+@@ -166,22 +164,12 @@ statschannel.@O@: bind9.xsl.h
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
@@ -235,13 +238,21 @@ index 95e36c1..fb658e9 100644
+install:: named-pkcs11@EXEEXT@ installdirs
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-pkcs11@EXEEXT@ ${DESTDIR}${sbindir}
+ uninstall::
+- rm -f ${DESTDIR}${mandir}/man5/named.conf.5
+- rm -f ${DESTDIR}${mandir}/man8/lwresd.8
+- rm -f ${DESTDIR}${mandir}/man8/named.8
+- rm -f ${DESTDIR}${sbindir}/lwresd@EXEEXT@
+- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named@EXEEXT@
++ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named-pkcs11@EXEEXT@
+
@DLZ_DRIVER_RULES@
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
-index 95e36c1..ba5ec3c 100644
+index 903023b..9c14b73 100644
--- a/bin/named/Makefile.in
+++ b/bin/named/Makefile.in
-@@ -51,7 +51,7 @@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
+@@ -40,7 +40,7 @@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \
${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} @DST_OPENSSL_INC@
@@ -251,10 +262,10 @@ index 95e36c1..ba5ec3c 100644
CWARNINGS =
diff --git a/bin/pkcs11/Makefile.in b/bin/pkcs11/Makefile.in
-index dac3832..43d8241 100644
+index d9aa66b..1900e3c 100644
--- a/bin/pkcs11/Makefile.in
+++ b/bin/pkcs11/Makefile.in
-@@ -20,13 +20,13 @@ top_srcdir = @top_srcdir@
+@@ -12,13 +12,13 @@ top_srcdir = @top_srcdir@
@BIND9_MAKE_INCLUDES@
@@ -272,10 +283,10 @@ index dac3832..43d8241 100644
DEPLIBS = ${ISCDEPLIBS}
diff --git a/configure.in b/configure.in
-index a28f773..8f3b8f4 100644
+index 0bde24d..6435274 100644
--- a/configure.in
+++ b/configure.in
-@@ -982,12 +982,14 @@ AC_SUBST(USE_GSSAPI)
+@@ -1116,12 +1116,14 @@ AC_SUBST(USE_GSSAPI)
AC_SUBST(DST_GSSAPI_INC)
AC_SUBST(DNS_GSSAPI_LIBS)
DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_LIBS"
@@ -290,24 +301,24 @@ index a28f773..8f3b8f4 100644
#
# was --with-randomdev specified?
-@@ -1383,11 +1385,11 @@
+@@ -1489,11 +1491,11 @@ fi
AC_MSG_CHECKING(for OpenSSL library)
OPENSSL_WARNING=
openssldirs="/usr /usr/local /usr/local/ssl /usr/pkg /usr/sfw"
--if test "$want_native_pkcs11" = "yes"
+-if test "yes" = "$want_native_pkcs11"
-then
- use_openssl="native_pkcs11"
- AC_MSG_RESULT(use of native PKCS11 instead)
-fi
-+# if test "$want_native_pkcs11" = "yes"
-+# then
-+# use_openssl="native_pkcs11"
-+# AC_MSG_RESULT(use of native PKCS11 instead)
-+# fi
++# if test "yes" = "$want_native_pkcs11"
++# then
++# use_openssl="native_pkcs11"
++# AC_MSG_RESULT(use of native PKCS11 instead)
++# fi
- if test "$use_openssl" = "auto"
+ if test "auto" = "$use_openssl"
then
-@@ -1395,6 +1397,7 @@ then
+@@ -1506,6 +1508,7 @@ then
fi
done
fi
@@ -315,7 +326,7 @@ index a28f773..8f3b8f4 100644
OPENSSL_ECDSA=""
OPENSSL_GOST=""
gosttype="raw"
-@@ -1417,16 +1420,17 @@ case "$with_gost" in
+@@ -1526,16 +1529,17 @@ case "$with_gost" in
;;
esac
@@ -338,32 +349,32 @@ index a28f773..8f3b8f4 100644
no)
AC_MSG_RESULT(no)
DST_OPENSSL_INC=""
-@@ -1448,11 +1452,11 @@ case "$use_openssl" in
+@@ -1557,11 +1561,11 @@ case "$use_openssl" in
If you don't want OpenSSL, use --without-openssl])
;;
*)
-- if test "$want_native_pkcs11" = "yes"
+- if test "yes" = "$want_native_pkcs11"
- then
- AC_MSG_RESULT()
- AC_MSG_ERROR([OpenSSL and native PKCS11 cannot be used together.])
- fi
-+# if test "$want_native_pkcs11" = "yes"
-+# then
-+# AC_MSG_RESULT()
-+# AC_MSG_ERROR([OpenSSL and native PKCS11 cannot be used together.])
-+# fi
- if test "$use_openssl" = "yes"
++# if test "yes" = "$want_native_pkcs11"
++# then
++# AC_MSG_RESULT()
++# AC_MSG_ERROR([OpenSSL and native PKCS11 cannot be used together.])
++# fi
+ if test "yes" = "$use_openssl"
then
# User did not specify a path - guess it
-@@ -1776,6 +1780,7 @@ AC_SUBST(OPENSSL_ECDSA)
+@@ -1917,6 +1921,7 @@ AC_SUBST(OPENSSL_ECDSA)
AC_SUBST(OPENSSL_GOST)
DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DST_OPENSSL_LIBS"
+DNS_CRYPTO_PK11_LIBS="$DNS_CRYPTO_LIBS"
ISC_PLATFORM_WANTAES="#undef ISC_PLATFORM_WANTAES"
- if test "$with_aes" = "yes"
-@@ -2047,6 +2052,7 @@ esac
+ if test "yes" = "$with_aes"
+@@ -2212,6 +2217,7 @@ esac
AC_SUBST(PKCS11LINKOBJS)
AC_SUBST(PKCS11LINKSRCS)
AC_SUBST(CRYPTO)
@@ -371,7 +382,7 @@ index a28f773..8f3b8f4 100644
AC_SUBST(PKCS11_ECDSA)
AC_SUBST(PKCS11_GOST)
AC_SUBST(PKCS11_TEST)
-@@ -4466,8 +4472,11 @@ AC_CONFIG_FILES([
+@@ -5114,8 +5120,11 @@ AC_CONFIG_FILES([
bin/delv/Makefile
bin/dig/Makefile
bin/dnssec/Makefile
@@ -383,7 +394,7 @@ index a28f773..8f3b8f4 100644
bin/nsupdate/Makefile
bin/pkcs11/Makefile
bin/python/Makefile
-@@ -4548,6 +4557,10 @@ AC_CONFIG_FILES([
+@@ -5216,6 +5225,10 @@ AC_CONFIG_FILES([
lib/dns/include/dns/Makefile
lib/dns/include/dst/Makefile
lib/dns/tests/Makefile
@@ -394,7 +405,7 @@ index a28f773..8f3b8f4 100644
lib/irs/Makefile
lib/irs/include/Makefile
lib/irs/include/irs/Makefile
-@@ -4571,6 +4584,24 @@ AC_CONFIG_FILES([
+@@ -5240,6 +5253,24 @@ AC_CONFIG_FILES([
lib/isc/unix/include/Makefile
lib/isc/unix/include/isc/Makefile
lib/isc/unix/include/pkcs11/Makefile
@@ -420,10 +431,10 @@ index a28f773..8f3b8f4 100644
lib/isccc/include/Makefile
lib/isccc/include/isccc/Makefile
diff --git a/lib/Makefile.in b/lib/Makefile.in
-index 86302bd..318744f 100644
+index 318450c..87cde21 100644
--- a/lib/Makefile.in
+++ b/lib/Makefile.in
-@@ -23,7 +23,7 @@ top_srcdir = @top_srcdir@
+@@ -14,7 +14,7 @@ top_srcdir = @top_srcdir@
# Attempt to disable parallel processing.
.NOTPARALLEL:
.NO_PARALLEL:
@@ -433,10 +444,10 @@ index 86302bd..318744f 100644
@BIND9_MAKE_RULES@
diff --git a/lib/dns-pkcs11/Makefile.in b/lib/dns-pkcs11/Makefile.in
-index 5f1ce56..830c0d5 100644
+index a22b721..a38960b 100644
--- a/lib/dns-pkcs11/Makefile.in
+++ b/lib/dns-pkcs11/Makefile.in
-@@ -28,16 +28,16 @@ top_srcdir = @top_srcdir@
+@@ -23,16 +23,16 @@ VERSION=@BIND9_VERSION@
USE_ISC_SPNEGO = @USE_ISC_SPNEGO@
@@ -458,7 +469,7 @@ index 5f1ce56..830c0d5 100644
LIBS = @LIBS@
-@@ -134,7 +134,7 @@ version.@O@: version.c
+@@ -136,30 +136,30 @@ version.@O@: version.c
-DLIBAGE=${LIBAGE} \
-c ${srcdir}/version.c
@@ -467,10 +478,6 @@ index 5f1ce56..830c0d5 100644
${AR} ${ARFLAGS} $@ ${OBJS}
${RANLIB} $@
-@@ -144,23 +144,23 @@ dynamic_db.@O@: dynamic_db.c
- ${AR} ${ARFLAGS} $@ ${OBJS}
- ${RANLIB} $@
-
-libdns.la: ${OBJS}
+libdns-pkcs11.la: ${OBJS}
${LIBTOOL_MODE_LINK} \
@@ -479,26 +486,30 @@ index 5f1ce56..830c0d5 100644
-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
- ${OBJS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${LIBS}
+ ${OBJS} ${ISCLIBS} @DNS_CRYPTO_PK11_LIBS@ ${LIBS}
-
+
-timestamp: libdns.@A@
+timestamp: libdns-pkcs11.@A@
touch timestamp
-
+
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
-
+
install:: timestamp installdirs
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libdns.@A@ ${DESTDIR}${libdir}
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libdns-pkcs11.@A@ ${DESTDIR}${libdir}
-
+
+ uninstall::
+- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libdns.@A@
++ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libdns-pkcs11.@A@
+
clean distclean::
- rm -f libdns.@A@ timestamp
+ rm -f libdns-pkcs11.@A@ timestamp
rm -f gen code.h include/dns/enumtype.h include/dns/enumclass.h
rm -f include/dns/rdatastruct.h
rm -f dnstap.pb-c.c dnstap.pb-c.h include/dns/dnstap.pb-c.h
-@@ -190,7 +190,7 @@ code.h: gen
- ./gen -s ${srcdir} > code.h
+@@ -191,7 +191,7 @@ code.h: gen
+ ./gen -s ${srcdir} > code.h || { rm -f $@ ; exit 1; }
gen: gen.c
- ${BUILD_CC} ${BUILD_CFLAGS} -I${top_srcdir}/lib/isc/include \
@@ -507,10 +518,10 @@ index 5f1ce56..830c0d5 100644
rbtdb64.@O@: rbtdb64.c rbtdb.c
diff --git a/lib/isc-pkcs11/Makefile.in b/lib/isc-pkcs11/Makefile.in
-index e0b2038..0f919a9 100644
+index e5c4db0..c7a623c 100644
--- a/lib/isc-pkcs11/Makefile.in
+++ b/lib/isc-pkcs11/Makefile.in
-@@ -31,8 +31,8 @@ CINCLUDES = -I${srcdir}/unix/include \
+@@ -20,8 +20,8 @@ CINCLUDES = -I${srcdir}/unix/include \
-I${srcdir}/@ISC_THREAD_DIR@/include \
-I${srcdir}/@ISC_ARCH_DIR@/include \
-I./include \
@@ -521,7 +532,7 @@ index e0b2038..0f919a9 100644
CWARNINGS =
# Alphabetically
-@@ -111,35 +111,35 @@ version.@O@: version.c
+@@ -104,38 +104,38 @@ version.@O@: version.c
-DLIBAGE=${LIBAGE} \
-c ${srcdir}/version.c
@@ -562,16 +573,20 @@ index e0b2038..0f919a9 100644
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libisc.@A@ ${DESTDIR}${libdir}
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libisc-pkcs11.@A@ ${DESTDIR}${libdir}
+ uninstall::
+- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libisc.@A@
++ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libisc-pkcs11.@A@
+
clean distclean::
- rm -f libisc.@A@ libisc-nosymtbl.@A@ libisc.la \
- libisc-nosymtbl.la timestamp
+ rm -f libisc-pkcs11.@A@ libisc-pkcs11-nosymtbl.@A@ libisc-pkcs11.la \
+ libisc-pkcs11-nosymtbl.la timestamp
diff --git a/make/includes.in b/make/includes.in
-index 1d5e776..877dd38 100644
+index f41e3cd..b97534c 100644
--- a/make/includes.in
+++ b/make/includes.in
-@@ -49,3 +49,13 @@ BIND9_INCLUDES = @BIND9_BIND9_BUILDINCLUDE@ \
+@@ -40,3 +40,13 @@ BIND9_INCLUDES = @BIND9_BIND9_BUILDINCLUDE@ \
TEST_INCLUDES = \
-I${top_srcdir}/lib/tests/include
diff --git a/bind-9.10-openssl-1.1.patch b/bind-9.10-openssl-1.1.patch
deleted file mode 100644
index 70da6af..0000000
--- a/bind-9.10-openssl-1.1.patch
+++ /dev/null
@@ -1,3463 +0,0 @@
-diff --git a/README b/README
-index e905d5e..17c0ddf 100644
---- a/README
-+++ b/README
-@@ -322,7 +322,7 @@ Building
- systems.
-
- For the server to support DNSSEC, you need to build it
-- with crypto support. You must have OpenSSL 0.9.5a
-+ with crypto support. You must have OpenSSL 1.0.1t
- or newer installed and specify "--with-openssl" on the
- configure command line. If OpenSSL is installed under
- a nonstandard prefix, you can tell configure where to
-diff --git a/bin/named/main.c b/bin/named/main.c
-index e0dafb1..f716b3f 100644
---- a/bin/named/main.c
-+++ b/bin/named/main.c
-@@ -688,8 +688,14 @@ parse_command_line(int argc, char *argv[]) {
- #ifdef OPENSSL
- printf("compiled with OpenSSL version: %s\n",
- OPENSSL_VERSION_TEXT);
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L /* 1.1.0 or higher */
-+ printf("linked to OpenSSL version: %s\n",
-+ OpenSSL_version(OPENSSL_VERSION));
-+
-+#else
- printf("linked to OpenSSL version: %s\n",
- SSLeay_version(SSLEAY_VERSION));
-+#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
- #endif
- #ifdef HAVE_LIBXML2
- printf("compiled with libxml2 version: %s\n",
-diff --git a/bin/tests/dst/t_dst.c b/bin/tests/dst/t_dst.c
-index 0bb723d..27da3fd 100644
---- a/bin/tests/dst/t_dst.c
-+++ b/bin/tests/dst/t_dst.c
-@@ -910,9 +910,42 @@ t2_sigchk(char *datapath, char *sigpath, char *keyname,
- * signed at some earlier time, possibly with an entire different
- * version or implementation of the DSA and RSA algorithms
- */
--static const char *a2 =
-- "the dst module provides the capability to "
-- "verify data signed with the RSA and DSA algorithms";
-+
-+isc_mem_t *t2_mctx = NULL;
-+isc_entropy_t *t2_ectx = NULL;
-+
-+static int
-+t2_vfy_init(void) {
-+ isc_result_t isc_result;
-+
-+ t2_mctx = NULL;
-+ isc_result = isc_mem_create(0, 0, &t2_mctx);
-+ if (isc_result != ISC_R_SUCCESS) {
-+ t_info("isc_mem_create failed %s\n",
-+ isc_result_totext(isc_result));
-+ return(0);
-+ }
-+ t2_ectx = NULL;
-+ isc_result = isc_entropy_create(t2_mctx, &t2_ectx);
-+ if (isc_result != ISC_R_SUCCESS) {
-+ t_info("isc_entropy_create failed %s\n",
-+ isc_result_totext(isc_result));
-+ return(0);
-+ }
-+ isc_result = isc_entropy_createfilesource(t2_ectx, "randomfile");
-+ if (isc_result != ISC_R_SUCCESS) {
-+ t_info("isc_entropy_create failed %s\n",
-+ isc_result_totext(isc_result));
-+ return(0);
-+ }
-+ isc_result = dst_lib_init(t2_mctx, t2_ectx, ISC_ENTROPY_BLOCKING);
-+ if (isc_result != ISC_R_SUCCESS) {
-+ t_info("dst_lib_init failed %s\n",
-+ isc_result_totext(isc_result));
-+ return(0);
-+ }
-+ return(1);
-+}
-
- /*
- * av == datafile, sigpath, keyname, keyid, alg, exp_result.
-@@ -929,9 +962,6 @@ t2_vfy(char **av) {
- char *exp_result;
- int nfails;
- int nprobs;
-- isc_mem_t *mctx;
-- isc_entropy_t *ectx;
-- isc_result_t isc_result;
- int result;
-
- datapath = *av++;
-@@ -953,33 +983,6 @@ t2_vfy(char **av) {
- return(T_UNRESOLVED);
- }
-
-- mctx = NULL;
-- isc_result = isc_mem_create(0, 0, &mctx);
-- if (isc_result != ISC_R_SUCCESS) {
-- t_info("isc_mem_create failed %s\n",
-- isc_result_totext(isc_result));
-- return(T_UNRESOLVED);
-- }
-- ectx = NULL;
-- isc_result = isc_entropy_create(mctx, &ectx);
-- if (isc_result != ISC_R_SUCCESS) {
-- t_info("isc_entropy_create failed %s\n",
-- isc_result_totext(isc_result));
-- return(T_UNRESOLVED);
-- }
-- isc_result = isc_entropy_createfilesource(ectx, "randomfile");
-- if (isc_result != ISC_R_SUCCESS) {
-- t_info("isc_entropy_create failed %s\n",
-- isc_result_totext(isc_result));
-- return(T_UNRESOLVED);
-- }
-- isc_result = dst_lib_init(mctx, ectx, ISC_ENTROPY_BLOCKING);
-- if (isc_result != ISC_R_SUCCESS) {
-- t_info("dst_lib_init failed %s\n",
-- isc_result_totext(isc_result));
-- return(T_UNRESOLVED);
-- }
--
- if (!dst_algorithm_supported(DST_ALG_RSAMD5)) {
- dst_lib_destroy();
- t_info("library built without crypto support\n");
-@@ -990,15 +993,9 @@ t2_vfy(char **av) {
- datapath, sigpath, keyname, key, alg, exp_result);
- t2_sigchk(datapath, sigpath, keyname, keyid,
- algid, DST_TYPE_PRIVATE|DST_TYPE_PUBLIC,
-- mctx, exp_result,
-+ t2_mctx, exp_result,
- &nfails, &nprobs);
-
-- dst_lib_destroy();
--
-- isc_entropy_detach(&ectx);
--
-- isc_mem_destroy(&mctx);
--
- result = T_UNRESOLVED;
- if (nfails)
- result = T_FAIL;
-@@ -1008,11 +1005,24 @@ t2_vfy(char **av) {
- return(result);
- }
-
-+static const char *a2 =
-+ "the dst module provides the capability to "
-+ "verify data signed with the RSA and DSA algorithms";
-+
- static void
- t2(void) {
- int result;
- t_assert("dst", 2, T_REQUIRED, "%s", a2);
-- result = t_eval("dst_2_data", t2_vfy, 6);
-+ if (!t2_vfy_init()) {
-+ result = T_UNRESOLVED;
-+ } else {
-+ result = t_eval("dst_2_data", t2_vfy, 6);
-+ dst_lib_destroy();
-+ }
-+ if (t2_ectx)
-+ isc_entropy_detach(&t2_ectx);
-+ if (t2_mctx)
-+ isc_mem_destroy(&t2_mctx);
- t_result(result);
- }
-
-diff --git a/configure b/configure
-index 0ea01af..27156e2 100755
---- a/configure
-+++ b/configure
-@@ -15916,8 +15916,8 @@ $as_echo "using OpenSSL from $use_openssl/lib and $use_openssl/include" >&6; }
- saved_cc="$CC"
- saved_cflags="$CFLAGS"
- saved_libs="$LIBS"
-- CFLAGS="$CFLAGS $DST_OPENSSL_INC"
-- LIBS="$LIBS $DST_OPENSSL_LIBS"
-+ CFLAGS="$DST_OPENSSL_INC $CFLAGS"
-+ LIBS="$DST_OPENSSL_LIBS $LIBS"
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether linking with OpenSSL works" >&5
- $as_echo_n "checking whether linking with OpenSSL works... " >&6; }
- if test "$cross_compiling" = yes; then :
-@@ -15955,13 +15955,24 @@ $as_echo_n "checking whether linking with OpenSSL requires -ldl... " >&6; }
- cat confdefs.h - <<_ACEOF >conftest.$ac_ext
- /* end confdefs.h. */
-
-+#include <openssl/opensslv.h>
-+#if OPENSSL_VERSION_NUMBER >= 0x10100004L
-+#include <openssl/crypto.h>
-+#else
- #include <openssl/err.h>
- #include <openssl/dso.h>
-+#endif
-
- int
- main ()
- {
-- DSO_METHOD_dlfcn();
-+
-+#if OPENSSL_VERSION_NUMBER >= 0x10100004L
-+OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL);
-+#else
-+DSO_METHOD_dlfcn();
-+#endif
-+
- ;
- return 0;
- }
-@@ -15974,13 +15985,23 @@ else
- cat confdefs.h - <<_ACEOF >conftest.$ac_ext
- /* end confdefs.h. */
-
-+#if OPENSSL_VERSION_NUMBER >= 0x10100004L
-+#include <openssl/crypto.h>
-+#else
- #include <openssl/err.h>
- #include <openssl/dso.h>
-+#endif
-
- int
- main ()
- {
-- DSO_METHOD_dlfcn();
-+
-+#if OPENSSL_VERSION_NUMBER >= 0x10100004L
-+OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL);
-+#else
-+DSO_METHOD_dlfcn();
-+#endif
-+
- ;
- return 0;
- }
-@@ -16027,7 +16048,7 @@ int main() {
- OPENSSL_VERSION_NUMBER < 0x10002000L) ||
- OPENSSL_VERSION_NUMBER >= 0x1000205fL)
- return (0);
-- printf("\n\nFound OPENSSL_VERSION_NUMBER %#010x\n",
-+ printf("\n\nFound OPENSSL_VERSION_NUMBER %#010lx\n",
- OPENSSL_VERSION_NUMBER);
- printf("Require OPENSSL_VERSION_NUMBER 0x009070cf or greater (0.9.7l)\n"
- "Require OPENSSL_VERSION_NUMBER 0x0090804f or greater (0.9.8d)\n"
-@@ -16247,7 +16268,7 @@ else
-
- #include <openssl/evp.h>
- int main() {
-- EVP_CIPHER *aes128, *aes192, *aes256;
-+ const EVP_CIPHER *aes128, *aes192, *aes256;
-
- aes128 = EVP_aes_128_ecb();
- aes192 = EVP_aes_192_ecb();
-@@ -16420,43 +16441,6 @@ $as_echo "yes" >&6; }
- ISC_PLATFORM_OPENSSLHASH="#define ISC_PLATFORM_OPENSSLHASH 1"
- ISC_OPENSSL_INC="$DST_OPENSSL_INC"
- ISC_OPENSSL_LIBS="$DST_OPENSSL_LIBS"
-- saved_cflags="$CFLAGS"
-- save_libs="$LIBS"
-- CFLAGS="$CFLAGS $ISC_OPENSSL_INC"
-- LIBS="$LIBS $ISC_OPENSSL_LIBS"
-- { $as_echo "$as_me:${as_lineno-$LINENO}: checking HMAC_Init() return type" >&5
--$as_echo_n "checking HMAC_Init() return type... " >&6; }
-- cat confdefs.h - <<_ACEOF >conftest.$ac_ext
--/* end confdefs.h. */
--
-- #include <openssl/hmac.h>
--int
--main ()
--{
--
-- HMAC_CTX ctx;
-- int n = HMAC_Init(&ctx, NULL, 0, NULL);
-- n += HMAC_Update(&ctx, NULL, 0);
-- n += HMAC_Final(&ctx, NULL, NULL);
-- ;
-- return 0;
--}
--_ACEOF
--if ac_fn_c_try_compile "$LINENO"; then :
--
-- { $as_echo "$as_me:${as_lineno-$LINENO}: result: int" >&5
--$as_echo "int" >&6; }
--
--$as_echo "#define HMAC_RETURN_INT 1" >>confdefs.h
--
--else
--
-- { $as_echo "$as_me:${as_lineno-$LINENO}: result: void" >&5
--$as_echo "void" >&6; }
--fi
--rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-- CFLAGS="$saved_cflags"
-- LIBS="$save_libs"
- ;;
- no)
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-diff --git a/configure.in b/configure.in
-index 82480b5..d78e445 100644
---- a/configure.in
-+++ b/configure.in
-@@ -1595,8 +1595,8 @@ If you don't want OpenSSL, use --without-openssl])
- saved_cc="$CC"
- saved_cflags="$CFLAGS"
- saved_libs="$LIBS"
-- CFLAGS="$CFLAGS $DST_OPENSSL_INC"
-- LIBS="$LIBS $DST_OPENSSL_LIBS"
-+ CFLAGS="$DST_OPENSSL_INC $CFLAGS"
-+ LIBS="$DST_OPENSSL_LIBS $LIBS"
- AC_MSG_CHECKING(whether linking with OpenSSL works)
- AC_TRY_RUN([
- #include <openssl/err.h>
-@@ -1615,16 +1615,38 @@ shared library configuration (e.g., LD_LIBRARY_PATH).)],
-
- AC_MSG_CHECKING(whether linking with OpenSSL requires -ldl)
- AC_TRY_LINK([
-+#include <openssl/opensslv.h>
-+#if OPENSSL_VERSION_NUMBER >= 0x10100004L
-+#include <openssl/crypto.h>
-+#else
- #include <openssl/err.h>
- #include <openssl/dso.h>
-+#endif
-+],
-+[
-+#if OPENSSL_VERSION_NUMBER >= 0x10100004L
-+OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL);
-+#else
-+DSO_METHOD_dlfcn();
-+#endif
- ],
--[ DSO_METHOD_dlfcn(); ],
- [AC_MSG_RESULT(no)],
- [LIBS="$LIBS -ldl"
- AC_TRY_LINK([
-+#if OPENSSL_VERSION_NUMBER >= 0x10100004L
-+#include <openssl/crypto.h>
-+#else
- #include <openssl/err.h>
- #include <openssl/dso.h>
--],[ DSO_METHOD_dlfcn(); ],
-+#endif
-+],
-+[
-+#if OPENSSL_VERSION_NUMBER >= 0x10100004L
-+OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL);
-+#else
-+DSO_METHOD_dlfcn();
-+#endif
-+],
- [AC_MSG_RESULT(yes)
- DST_OPENSSL_LIBS="$DST_OPENSSL_LIBS -ldl"
- ],
-@@ -1651,7 +1673,7 @@ int main() {
- OPENSSL_VERSION_NUMBER < 0x10002000L) ||
- OPENSSL_VERSION_NUMBER >= 0x1000205fL)
- return (0);
-- printf("\n\nFound OPENSSL_VERSION_NUMBER %#010x\n",
-+ printf("\n\nFound OPENSSL_VERSION_NUMBER %#010lx\n",
- OPENSSL_VERSION_NUMBER);
- printf("Require OPENSSL_VERSION_NUMBER 0x009070cf or greater (0.9.7l)\n"
- "Require OPENSSL_VERSION_NUMBER 0x0090804f or greater (0.9.8d)\n"
-@@ -1803,7 +1825,7 @@ int main() {
- AC_TRY_RUN([
- #include <openssl/evp.h>
- int main() {
-- EVP_CIPHER *aes128, *aes192, *aes256;
-+ const EVP_CIPHER *aes128, *aes192, *aes256;
-
- aes128 = EVP_aes_128_ecb();
- aes192 = EVP_aes_192_ecb();
-@@ -1953,22 +1975,6 @@ case $want_openssl_hash in
- ISC_PLATFORM_OPENSSLHASH="#define ISC_PLATFORM_OPENSSLHASH 1"
- ISC_OPENSSL_INC="$DST_OPENSSL_INC"
- ISC_OPENSSL_LIBS="$DST_OPENSSL_LIBS"
-- saved_cflags="$CFLAGS"
-- save_libs="$LIBS"
-- CFLAGS="$CFLAGS $ISC_OPENSSL_INC"
-- LIBS="$LIBS $ISC_OPENSSL_LIBS"
-- AC_MSG_CHECKING([HMAC_Init() return type])
-- AC_TRY_COMPILE([
-- #include <openssl/hmac.h>],[
-- HMAC_CTX ctx;
-- int n = HMAC_Init(&ctx, NULL, 0, NULL);
-- n += HMAC_Update(&ctx, NULL, 0);
-- n += HMAC_Final(&ctx, NULL, NULL);],[
-- AC_MSG_RESULT(int)
-- AC_DEFINE(HMAC_RETURN_INT, 1, [HMAC_*() return ints])],[
-- AC_MSG_RESULT(void)])
-- CFLAGS="$saved_cflags"
-- LIBS="$save_libs"
- ;;
- no)
- AC_MSG_RESULT(no)
-diff --git a/lib/dns/dst_gost.h b/lib/dns/dst_gost.h
-index da6dcf5..86dda8b 100644
---- a/lib/dns/dst_gost.h
-+++ b/lib/dns/dst_gost.h
-@@ -18,7 +18,13 @@
- #ifdef HAVE_OPENSSL_GOST
- #include <openssl/evp.h>
-
--typedef EVP_MD_CTX isc_gost_t;
-+typedef struct {
-+ EVP_MD_CTX *ctx;
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+ EVP_MD_CTX _ctx;
-+#endif
-+} isc_gost_t;
-+
- #endif
- #ifdef HAVE_PKCS11_GOST
- #include <pk11/pk11.h>
-diff --git a/lib/dns/dst_openssl.h b/lib/dns/dst_openssl.h
-index d7dd0e8..f8a3057 100644
---- a/lib/dns/dst_openssl.h
-+++ b/lib/dns/dst_openssl.h
-@@ -22,8 +22,10 @@
- #include <openssl/crypto.h>
- #include <openssl/bn.h>
-
--#if !defined(OPENSSL_NO_ENGINE) && defined(CRYPTO_LOCK_ENGINE) && \
-- (OPENSSL_VERSION_NUMBER >= 0x0090707f)
-+#if !defined(OPENSSL_NO_ENGINE) && \
-+ ((defined(CRYPTO_LOCK_ENGINE) && \
-+ (OPENSSL_VERSION_NUMBER >= 0x0090707f)) || \
-+ (OPENSSL_VERSION_NUMBER >= 0x10100000L))
- #define USE_ENGINE 1
- #endif
-
-@@ -41,6 +43,15 @@
- #define BN_GENCB_get_arg(x) ((x)->arg)
- #endif
-
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+/*
-+ * EVP_dss1() is a version of EVP_sha1() that was needed prior to
-+ * 1.1.0 because there was a link between digests and signing algorithms;
-+ * the link has been eliminated and EVP_sha1() can be used now instead.
-+ */
-+#define EVP_dss1 EVP_sha1
-+#endif
-+
- ISC_LANG_BEGINDECLS
-
- isc_result_t
-diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
-index 2e8bcf6..58df04d 100644
---- a/lib/dns/openssl_link.c
-+++ b/lib/dns/openssl_link.c
-@@ -102,6 +102,7 @@ entropy_add(const void *buf, int num, double entropy) {
- }
- #endif
-
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- static void
- lock_callback(int mode, int type, const char *file, int line) {
- UNUSED(file);
-@@ -112,45 +113,59 @@ lock_callback(int mode, int type, const char *file, int line) {
- UNLOCK(&locks[type]);
- }
-
--#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- static unsigned long
- id_callback(void) {
- return ((unsigned long)isc_thread_self());
- }
- #endif
-
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
-+#define FLARG_PASS , __FILE__, __LINE__
-+#define FLARG
-+#define FILELINE
-+#else
-+#define FLARG , const char *file, int line
-+#define FILELINE , __FILE__, __LINE__
-+#if ISC_MEM_TRACKLINES
-+#define FLARG_PASS , file, line
-+#else
-+#define FLARG_PASS
-+#endif
-+
-+#endif
-+
- static void *
--mem_alloc(size_t size) {
-+mem_alloc(size_t size FLARG) {
- #ifdef OPENSSL_LEAKS
- void *ptr;
-
- INSIST(dst__memory_pool != NULL);
-- ptr = isc_mem_allocate(dst__memory_pool, size);
-+ ptr = isc__mem_allocate(dst__memory_pool, size FLARG_PASS);
- return (ptr);
- #else
- INSIST(dst__memory_pool != NULL);
-- return (isc_mem_allocate(dst__memory_pool, size));
-+ return (isc__mem_allocate(dst__memory_pool, size FLARG_PASS));
- #endif
- }
-
- static void
--mem_free(void *ptr) {
-+mem_free(void *ptr FLARG) {
- INSIST(dst__memory_pool != NULL);
- if (ptr != NULL)
-- isc_mem_free(dst__memory_pool, ptr);
-+ isc__mem_free(dst__memory_pool, ptr FLARG_PASS);
- }
-
- static void *
--mem_realloc(void *ptr, size_t size) {
-+mem_realloc(void *ptr, size_t size FLARG) {
- #ifdef OPENSSL_LEAKS
- void *rptr;
-
- INSIST(dst__memory_pool != NULL);
-- rptr = isc_mem_reallocate(dst__memory_pool, ptr, size);
-+ rptr = isc__mem_reallocate(dst__memory_pool, ptr, size FLARG_PASS);
- return (rptr);
- #else
- INSIST(dst__memory_pool != NULL);
-- return (isc_mem_reallocate(dst__memory_pool, ptr, size));
-+ return (isc__mem_reallocate(dst__memory_pool, ptr, size FLARG_PASS));
- #endif
- }
-
-@@ -171,20 +186,20 @@ dst__openssl_init(const char *engine) {
- #endif
- CRYPTO_set_mem_functions(mem_alloc, mem_realloc, mem_free);
- nlocks = CRYPTO_num_locks();
-- locks = mem_alloc(sizeof(isc_mutex_t) * nlocks);
-+ locks = mem_alloc(sizeof(isc_mutex_t) * nlocks FILELINE);
- if (locks == NULL)
- return (ISC_R_NOMEMORY);
- result = isc_mutexblock_init(locks, nlocks);
- if (result != ISC_R_SUCCESS)
- goto cleanup_mutexalloc;
-- CRYPTO_set_locking_callback(lock_callback);
- #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
-+ CRYPTO_set_locking_callback(lock_callback);
- CRYPTO_set_id_callback(id_callback);
- #endif
-
- ERR_load_crypto_strings();
-
-- rm = mem_alloc(sizeof(RAND_METHOD));
-+ rm = mem_alloc(sizeof(RAND_METHOD) FILELINE);
- if (rm == NULL) {
- result = ISC_R_NOMEMORY;
- goto cleanup_mutexinit;
-@@ -250,20 +265,27 @@ dst__openssl_init(const char *engine) {
- if (e != NULL)
- ENGINE_free(e);
- e = NULL;
-- mem_free(rm);
-+ mem_free(rm FILELINE);
- rm = NULL;
- #endif
- cleanup_mutexinit:
- CRYPTO_set_locking_callback(NULL);
- DESTROYMUTEXBLOCK(locks, nlocks);
- cleanup_mutexalloc:
-- mem_free(locks);
-+ mem_free(locks FILELINE);
- locks = NULL;
- return (result);
- }
-
- void
- dst__openssl_destroy(void) {
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+ OPENSSL_cleanup();
-+ if (rm != NULL) {
-+ mem_free(rm FILELINE);
-+ rm = NULL;
-+ }
-+#else
- /*
- * Sequence taken from apps_shutdown() in <apps/apps.h>.
- */
-@@ -271,7 +293,7 @@ dst__openssl_destroy(void) {
- #if OPENSSL_VERSION_NUMBER >= 0x00907000L
- RAND_cleanup();
- #endif
-- mem_free(rm);
-+ mem_free(rm FILELINE);
- rm = NULL;
- }
- #if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
-@@ -303,16 +325,18 @@ dst__openssl_destroy(void) {
- if (locks != NULL) {
- CRYPTO_set_locking_callback(NULL);
- DESTROYMUTEXBLOCK(locks, nlocks);
-- mem_free(locks);
-+ mem_free(locks FILELINE);
- locks = NULL;
- }
-+#endif
- }
-
- static isc_result_t
- toresult(isc_result_t fallback) {
- isc_result_t result = fallback;
- unsigned long err = ERR_get_error();
--#ifdef HAVE_OPENSSL_ECDSA
-+#if defined(HAVE_OPENSSL_ECDSA) && \
-+ defined(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED)
- int lib = ERR_GET_LIB(err);
- #endif
- int reason = ERR_GET_REASON(err);
-@@ -326,7 +350,8 @@ toresult(isc_result_t fallback) {
- result = ISC_R_NOMEMORY;
- break;
- default:
--#ifdef HAVE_OPENSSL_ECDSA
-+#if defined(HAVE_OPENSSL_ECDSA) && \
-+ defined(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED)
- if (lib == ERR_R_ECDSA_LIB &&
- reason == ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED) {
- result = ISC_R_NOENTROPY;
-diff --git a/lib/dns/openssldh_link.c b/lib/dns/openssldh_link.c
-index 4237ad0..dec5b3c 100644
---- a/lib/dns/openssldh_link.c
-+++ b/lib/dns/openssldh_link.c
-@@ -68,11 +68,74 @@ static isc_result_t openssldh_todns(const dst_key_t *key, isc_buffer_t *data);
-
- static BIGNUM *bn2, *bn768, *bn1024, *bn1536;
-
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
-+/*
-+ * DH_get0_key, DH_set0_key, DH_get0_pqg and DH_set0_pqg
-+ * are from OpenSSL 1.1.0.
-+ */
-+static void
-+DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key) {
-+ if (pub_key != NULL)
-+ *pub_key = dh->pub_key;
-+ if (priv_key != NULL)
-+ *priv_key = dh->priv_key;
-+}
-+
-+static int
-+DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key) {
-+ /* Note that it is valid for priv_key to be NULL */
-+ if (pub_key == NULL)
-+ return 0;
-+
-+ BN_free(dh->pub_key);
-+ BN_free(dh->priv_key);
-+ dh->pub_key = pub_key;
-+ dh->priv_key = priv_key;
-+
-+ return 1;
-+}
-+
-+static void
-+DH_get0_pqg(const DH *dh,
-+ const BIGNUM **p, const BIGNUM **q, const BIGNUM **g)
-+{
-+ if (p != NULL)
-+ *p = dh->p;
-+ if (q != NULL)
-+ *q = dh->q;
-+ if (g != NULL)
-+ *g = dh->g;
-+}
-+
-+static int
-+DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) {
-+ /* q is optional */
-+ if (p == NULL || g == NULL)
-+ return(0);
-+ BN_free(dh->p);
-+ BN_free(dh->q);
-+ BN_free(dh->g);
-+ dh->p = p;
-+ dh->q = q;
-+ dh->g = g;
-+
-+ if (q != NULL) {
-+ dh->length = BN_num_bits(q);
-+ }
-+
-+ return(1);
-+}
-+
-+#define DH_clear_flags(d, f) (d)->flags &= ~(f)
-+
-+#endif
-+
- static isc_result_t
- openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv,
- isc_buffer_t *secret)
- {
- DH *dhpub, *dhpriv;
-+ const BIGNUM *pub_key = NULL;
- int ret;
- isc_region_t r;
- unsigned int len;
-@@ -87,7 +150,9 @@ openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv,
- isc_buffer_availableregion(secret, &r);
- if (r.length < len)
- return (ISC_R_NOSPACE);
-- ret = DH_compute_key(r.base, dhpub->pub_key, dhpriv);
-+
-+ DH_get0_key(dhpub, &pub_key, NULL);
-+ ret = DH_compute_key(r.base, pub_key, dhpriv);
- if (ret <= 0)
- return (dst__openssl_toresult2("DH_compute_key",
- DST_R_COMPUTESECRETFAILURE));
-@@ -97,8 +162,10 @@ openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv,
-
- static isc_boolean_t
- openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) {
-- int status;
- DH *dh1, *dh2;
-+ const BIGNUM *pub_key1 = NULL, *pub_key2 = NULL;
-+ const BIGNUM *priv_key1 = NULL, *priv_key2 = NULL;
-+ const BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL;
-
- dh1 = key1->keydata.dh;
- dh2 = key2->keydata.dh;
-@@ -108,17 +175,19 @@ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) {
- else if (dh1 == NULL || dh2 == NULL)
- return (ISC_FALSE);
-
-- status = BN_cmp(dh1->p, dh2->p) ||
-- BN_cmp(dh1->g, dh2->g) ||
-- BN_cmp(dh1->pub_key, dh2->pub_key);
-+ DH_get0_key(dh1, &pub_key1, &priv_key1);
-+ DH_get0_key(dh2, &pub_key2, &priv_key2);
-+ DH_get0_pqg(dh1, &p1, NULL, &g1);
-+ DH_get0_pqg(dh2, &p2, NULL, &g2);
-
-- if (status != 0)
-+ if (BN_cmp(p1, p2) != 0 || BN_cmp(g1, g2) != 0 ||
-+ BN_cmp(pub_key1, pub_key2) != 0)
- return (ISC_FALSE);
-
-- if (dh1->priv_key != NULL || dh2->priv_key != NULL) {
-- if (dh1->priv_key == NULL || dh2->priv_key == NULL)
-+ if (priv_key1 != NULL || priv_key2 != NULL) {
-+ if (priv_key1 == NULL || priv_key2 == NULL)
- return (ISC_FALSE);
-- if (BN_cmp(dh1->priv_key, dh2->priv_key) != 0)
-+ if (BN_cmp(priv_key1, priv_key2) != 0)
- return (ISC_FALSE);
- }
- return (ISC_TRUE);
-@@ -126,8 +195,8 @@ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) {
-
- static isc_boolean_t
- openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
-- int status;
- DH *dh1, *dh2;
-+ const BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL;
-
- dh1 = key1->keydata.dh;
- dh2 = key2->keydata.dh;
-@@ -137,10 +206,10 @@ openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
- else if (dh1 == NULL || dh2 == NULL)
- return (ISC_FALSE);
-
-- status = BN_cmp(dh1->p, dh2->p) ||
-- BN_cmp(dh1->g, dh2->g);
-+ DH_get0_pqg(dh1, &p1, NULL, &g1);
-+ DH_get0_pqg(dh2, &p2, NULL, &g2);
-
-- if (status != 0)
-+ if (BN_cmp(p1, p2) != 0 || BN_cmp(g1, g2) != 0)
- return (ISC_FALSE);
- return (ISC_TRUE);
- }
-@@ -185,16 +254,25 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
- key->key_size == 1024 ||
- key->key_size == 1536)
- {
-+ BIGNUM *p, *g;
- dh = DH_new();
-- if (dh == NULL)
-- return (dst__openssl_toresult(ISC_R_NOMEMORY));
- if (key->key_size == 768)
-- dh->p = bn768;
-+ p = BN_dup(bn768);
- else if (key->key_size == 1024)
-- dh->p = bn1024;
-+ p = BN_dup(bn1024);
- else
-- dh->p = bn1536;
-- dh->g = bn2;
-+ p = BN_dup(bn1536);
-+ g = BN_dup(bn2);
-+ if (dh == NULL || p == NULL || g == NULL) {
-+ if (dh != NULL)
-+ DH_free(dh);
-+ if (p != NULL)
-+ BN_free(p);
-+ if (g != NULL)
-+ BN_free(g);
-+ return (dst__openssl_toresult(ISC_R_NOMEMORY));
-+ }
-+ DH_set0_pqg(dh, p, NULL, g);
- } else
- generator = 2;
- }
-@@ -242,8 +320,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
- return (dst__openssl_toresult2("DH_generate_key",
- DST_R_OPENSSLFAILURE));
- }
-- dh->flags &= ~DH_FLAG_CACHE_MONT_P;
--
-+ DH_clear_flags(dh, DH_FLAG_CACHE_MONT_P);
- key->keydata.dh = dh;
-
- return (ISC_R_SUCCESS);
-@@ -252,7 +329,10 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
- static isc_boolean_t
- openssldh_isprivate(const dst_key_t *key) {
- DH *dh = key->keydata.dh;
-- return (ISC_TF(dh != NULL && dh->priv_key != NULL));
-+ const BIGNUM *priv_key = NULL;
-+
-+ DH_get0_key(dh, NULL, &priv_key);
-+ return (ISC_TF(dh != NULL && priv_key != NULL));
- }
-
- static void
-@@ -262,10 +342,6 @@ openssldh_destroy(dst_key_t *key) {
- if (dh == NULL)
- return;
-
-- if (dh->p == bn768 || dh->p == bn1024 || dh->p == bn1536)
-- dh->p = NULL;
-- if (dh->g == bn2)
-- dh->g = NULL;
- DH_free(dh);
- key->keydata.dh = NULL;
- }
-@@ -294,6 +370,7 @@ uint16_fromregion(isc_region_t *region) {
- static isc_result_t
- openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {
- DH *dh;
-+ const BIGNUM *pub_key = NULL, *p = NULL, *g = NULL;
- isc_region_t r;
- isc_uint16_t dnslen, plen, glen, publen;
-
-@@ -303,40 +380,43 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {
-
- isc_buffer_availableregion(data, &r);
-
-- if (dh->g == bn2 &&
-- (dh->p == bn768 || dh->p == bn1024 || dh->p == bn1536)) {
-+ DH_get0_pqg(dh, &p, NULL, &g);
-+ if (BN_cmp(g, bn2) == 0 &&
-+ (BN_cmp(p, bn768) == 0 ||
-+ BN_cmp(p, bn1024) == 0 ||
-+ BN_cmp(p, bn1536) == 0)) {
- plen = 1;
- glen = 0;
- }
- else {
-- plen = BN_num_bytes(dh->p);
-- glen = BN_num_bytes(dh->g);
-+ plen = BN_num_bytes(p);
-+ glen = BN_num_bytes(g);
- }
-- publen = BN_num_bytes(dh->pub_key);
-+ DH_get0_key(dh, &pub_key, NULL);
-+ publen = BN_num_bytes(pub_key);
- dnslen = plen + glen + publen + 6;
- if (r.length < (unsigned int) dnslen)
- return (ISC_R_NOSPACE);
-
- uint16_toregion(plen, &r);
- if (plen == 1) {
-- if (dh->p == bn768)
-+ if (BN_cmp(p, bn768) == 0)
- *r.base = 1;
-- else if (dh->p == bn1024)
-+ else if (BN_cmp(p, bn1024) == 0)
- *r.base = 2;
- else
- *r.base = 3;
-- }
-- else
-- BN_bn2bin(dh->p, r.base);
-+ } else
-+ BN_bn2bin(p, r.base);
- isc_region_consume(&r, plen);
-
- uint16_toregion(glen, &r);
- if (glen > 0)
-- BN_bn2bin(dh->g, r.base);
-+ BN_bn2bin(g, r.base);
- isc_region_consume(&r, glen);
-
- uint16_toregion(publen, &r);
-- BN_bn2bin(dh->pub_key, r.base);
-+ BN_bn2bin(pub_key, r.base);
- isc_region_consume(&r, publen);
-
- isc_buffer_add(data, dnslen);
-@@ -347,6 +427,7 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {
- static isc_result_t
- openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
- DH *dh;
-+ BIGNUM *pub_key = NULL, *p = NULL, *g = NULL;
- isc_region_t r;
- isc_uint16_t plen, glen, publen;
- int special = 0;
-@@ -358,7 +439,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
- dh = DH_new();
- if (dh == NULL)
- return (dst__openssl_toresult(ISC_R_NOMEMORY));
-- dh->flags &= ~DH_FLAG_CACHE_MONT_P;
-+ DH_clear_flags(dh, DH_FLAG_CACHE_MONT_P);
-
- /*
- * Read the prime length. 1 & 2 are table entries, > 16 means a
-@@ -386,20 +467,20 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
- }
- switch (special) {
- case 1:
-- dh->p = bn768;
-+ p = BN_dup(bn768);
- break;
- case 2:
-- dh->p = bn1024;
-+ p = BN_dup(bn1024);
- break;
- case 3:
-- dh->p = bn1536;
-+ p = BN_dup(bn1536);
- break;
- default:
- DH_free(dh);
- return (DST_R_INVALIDPUBLICKEY);
- }
- } else {
-- dh->p = BN_bin2bn(r.base, plen, NULL);
-+ p = BN_bin2bn(r.base, plen, NULL);
- isc_region_consume(&r, plen);
- }
-
-@@ -419,15 +500,12 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
- }
- if (special != 0) {
- if (glen == 0)
-- dh->g = bn2;
-+ g = BN_dup(bn2);
- else {
-- dh->g = BN_bin2bn(r.base, glen, NULL);
-- if (BN_cmp(dh->g, bn2) == 0) {
-- BN_free(dh->g);
-- dh->g = bn2;
-- }
-- else {
-+ g = BN_bin2bn(r.base, glen, NULL);
-+ if (g != NULL && BN_cmp(g, bn2) != 0) {
- DH_free(dh);
-+ BN_free(g);
- return (DST_R_INVALIDPUBLICKEY);
- }
- }
-@@ -436,10 +514,20 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
- DH_free(dh);
- return (DST_R_INVALIDPUBLICKEY);
- }
-- dh->g = BN_bin2bn(r.base, glen, NULL);
-+ g = BN_bin2bn(r.base, glen, NULL);
- }
- isc_region_consume(&r, glen);
-
-+ if (p == NULL || g == NULL) {
-+ DH_free(dh);
-+ if (p != NULL)
-+ BN_free(p);
-+ if (g != NULL)
-+ BN_free(g);
-+ return (dst__openssl_toresult(ISC_R_NOMEMORY));
-+ }
-+ DH_set0_pqg(dh, p, NULL, g);
-+
- if (r.length < 2) {
- DH_free(dh);
- return (DST_R_INVALIDPUBLICKEY);
-@@ -449,10 +537,15 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
- DH_free(dh);
- return (DST_R_INVALIDPUBLICKEY);
- }
-- dh->pub_key = BN_bin2bn(r.base, publen, NULL);
-+ pub_key = BN_bin2bn(r.base, publen, NULL);
-+ if (pub_key == NULL) {
-+ DH_free(dh);
-+ return (dst__openssl_toresult(ISC_R_NOMEMORY));
-+ }
-+ DH_set0_key(dh, pub_key, NULL);
- isc_region_consume(&r, publen);
-
-- key->key_size = BN_num_bits(dh->p);
-+ key->key_size = BN_num_bits(p);
-
- isc_buffer_forward(data, plen + glen + publen + 6);
-
-@@ -465,6 +558,7 @@ static isc_result_t
- openssldh_tofile(const dst_key_t *key, const char *directory) {
- int i;
- DH *dh;
-+ const BIGNUM *pub_key = NULL, *priv_key = NULL, *p = NULL, *g = NULL;
- dst_private_t priv;
- unsigned char *bufs[4];
- isc_result_t result;
-@@ -476,10 +570,12 @@ openssldh_tofile(const dst_key_t *key, const char *directory) {
- return (DST_R_EXTERNALKEY);
-
- dh = key->keydata.dh;
-+ DH_get0_key(dh, &pub_key, &priv_key);
-+ DH_get0_pqg(dh, &p, NULL, &g);
-
- memset(bufs, 0, sizeof(bufs));
- for (i = 0; i < 4; i++) {
-- bufs[i] = isc_mem_get(key->mctx, BN_num_bytes(dh->p));
-+ bufs[i] = isc_mem_get(key->mctx, BN_num_bytes(p));
- if (bufs[i] == NULL) {
- result = ISC_R_NOMEMORY;
- goto fail;
-@@ -489,26 +585,26 @@ openssldh_tofile(const dst_key_t *key, const char *directory) {
- i = 0;
-
- priv.elements[i].tag = TAG_DH_PRIME;
-- priv.elements[i].length = BN_num_bytes(dh->p);
-- BN_bn2bin(dh->p, bufs[i]);
-+ priv.elements[i].length = BN_num_bytes(p);
-+ BN_bn2bin(p, bufs[i]);
- priv.elements[i].data = bufs[i];
- i++;
-
- priv.elements[i].tag = TAG_DH_GENERATOR;
-- priv.elements[i].length = BN_num_bytes(dh->g);
-- BN_bn2bin(dh->g, bufs[i]);
-+ priv.elements[i].length = BN_num_bytes(g);
-+ BN_bn2bin(g, bufs[i]);
- priv.elements[i].data = bufs[i];
- i++;
-
- priv.elements[i].tag = TAG_DH_PRIVATE;
-- priv.elements[i].length = BN_num_bytes(dh->priv_key);
-- BN_bn2bin(dh->priv_key, bufs[i]);
-+ priv.elements[i].length = BN_num_bytes(priv_key);
-+ BN_bn2bin(priv_key, bufs[i]);
- priv.elements[i].data = bufs[i];
- i++;
-
- priv.elements[i].tag = TAG_DH_PUBLIC;
-- priv.elements[i].length = BN_num_bytes(dh->pub_key);
-- BN_bn2bin(dh->pub_key, bufs[i]);
-+ priv.elements[i].length = BN_num_bytes(pub_key);
-+ BN_bn2bin(pub_key, bufs[i]);
- priv.elements[i].data = bufs[i];
- i++;
-
-@@ -518,7 +614,7 @@ openssldh_tofile(const dst_key_t *key, const char *directory) {
- for (i = 0; i < 4; i++) {
- if (bufs[i] == NULL)
- break;
-- isc_mem_put(key->mctx, bufs[i], BN_num_bytes(dh->p));
-+ isc_mem_put(key->mctx, bufs[i], BN_num_bytes(p));
- }
- return (result);
- }
-@@ -529,6 +625,7 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
- isc_result_t ret;
- int i;
- DH *dh = NULL;
-+ BIGNUM *pub_key = NULL, *priv_key = NULL, *p = NULL, *g = NULL;
- isc_mem_t *mctx;
- #define DST_RET(a) {ret = a; goto err;}
-
-@@ -546,63 +643,47 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
- dh = DH_new();
- if (dh == NULL)
- DST_RET(ISC_R_NOMEMORY);
-- dh->flags &= ~DH_FLAG_CACHE_MONT_P;
-+ DH_clear_flags(dh, DH_FLAG_CACHE_MONT_P);
- key->keydata.dh = dh;
-
- for (i = 0; i < priv.nelements; i++) {
- BIGNUM *bn;
- bn = BN_bin2bn(priv.elements[i].data,
- priv.elements[i].length, NULL);
-- if (bn == NULL)
-+ if (bn == NULL)
- DST_RET(ISC_R_NOMEMORY);
-
- switch (priv.elements[i].tag) {
- case TAG_DH_PRIME:
-- dh->p = bn;
-+ p = bn;
- break;
- case TAG_DH_GENERATOR:
-- dh->g = bn;
-+ g = bn;
- break;
- case TAG_DH_PRIVATE:
-- dh->priv_key = bn;
-+ priv_key = bn;
- break;
- case TAG_DH_PUBLIC:
-- dh->pub_key = bn;
-+ pub_key = bn;
- break;
- }
- }
- dst__privstruct_free(&priv, mctx);
-+ DH_set0_key(dh, pub_key, priv_key);
-+ DH_set0_pqg(dh, p, NULL, g);
-
-- key->key_size = BN_num_bits(dh->p);
--
-- if ((key->key_size == 768 ||
-- key->key_size == 1024 ||
-- key->key_size == 1536) &&
-- BN_cmp(dh->g, bn2) == 0)
-- {
-- if (key->key_size == 768 && BN_cmp(dh->p, bn768) == 0) {
-- BN_free(dh->p);
-- BN_free(dh->g);
-- dh->p = bn768;
-- dh->g = bn2;
-- } else if (key->key_size == 1024 &&
-- BN_cmp(dh->p, bn1024) == 0) {
-- BN_free(dh->p);
-- BN_free(dh->g);
-- dh->p = bn1024;
-- dh->g = bn2;
-- } else if (key->key_size == 1536 &&
-- BN_cmp(dh->p, bn1536) == 0) {
-- BN_free(dh->p);
-- BN_free(dh->g);
-- dh->p = bn1536;
-- dh->g = bn2;
-- }
-- }
--
-+ key->key_size = BN_num_bits(p);
- return (ISC_R_SUCCESS);
-
- err:
-+ if (p != NULL)
-+ BN_free(p);
-+ if (g != NULL)
-+ BN_free(g);
-+ if (pub_key != NULL)
-+ BN_free(pub_key);
-+ if (priv_key != NULL)
-+ BN_free(priv_key);
- openssldh_destroy(key);
- dst__privstruct_free(&priv, mctx);
- memset(&priv, 0, sizeof(priv));
-diff --git a/lib/dns/openssldsa_link.c b/lib/dns/openssldsa_link.c
-index 184c163..2b55bc4 100644
---- a/lib/dns/openssldsa_link.c
-+++ b/lib/dns/openssldsa_link.c
-@@ -48,6 +48,79 @@
-
- static isc_result_t openssldsa_todns(const dst_key_t *key, isc_buffer_t *data);
-
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
-+static void
-+DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q,
-+ const BIGNUM **g)
-+{
-+ if (p != NULL)
-+ *p = d->p;
-+ if (q != NULL)
-+ *q = d->q;
-+ if (g != NULL)
-+ *g = d->g;
-+}
-+
-+static int
-+DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g) {
-+ if (p == NULL || q == NULL || g == NULL)
-+ return 0;
-+ BN_free(d->p);
-+ BN_free(d->q);
-+ BN_free(d->g);
-+ d->p = p;
-+ d->q = q;
-+ d->g = g;
-+
-+ return 1;
-+}
-+
-+static void
-+DSA_get0_key(const DSA *d, const BIGNUM **pub_key, const BIGNUM **priv_key) {
-+ if (pub_key != NULL)
-+ *pub_key = d->pub_key;
-+ if (priv_key != NULL)
-+ *priv_key = d->priv_key;
-+}
-+
-+static int
-+DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key) {
-+ /* Note that it is valid for priv_key to be NULL */
-+ if (pub_key == NULL)
-+ return 0;
-+
-+ BN_free(d->pub_key);
-+ BN_free(d->priv_key);
-+ d->pub_key = pub_key;
-+ d->priv_key = priv_key;
-+
-+ return 1;
-+}
-+
-+static void
-+DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) {
-+ *pr = sig->r;
-+ *ps = sig->s;
-+}
-+
-+static int
-+DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s) {
-+ if (r == NULL || s == NULL)
-+ return 0;
-+
-+ BN_clear_free(sig->r);
-+ BN_clear_free(sig->s);
-+ sig->r = r;
-+ sig->s = s;
-+
-+ return 1;
-+}
-+
-+
-+#define DSA_clear_flags(d, x) (d)->flags &= ~(x)
-+
-+#endif
-+
- static isc_result_t
- openssldsa_createctx(dst_key_t *key, dst_context_t *dctx) {
- #if USE_EVP
-@@ -118,7 +191,7 @@ openssldsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
- }
-
- static int
--BN_bn2bin_fixed(BIGNUM *bn, unsigned char *buf, int size) {
-+BN_bn2bin_fixed(const BIGNUM *bn, unsigned char *buf, int size) {
- int bytes = size - BN_num_bytes(bn);
- while (bytes-- > 0)
- *buf++ = 0;
-@@ -130,8 +203,9 @@ static isc_result_t
- openssldsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
- dst_key_t *key = dctx->key;
- DSA *dsa = key->keydata.dsa;
-- isc_region_t r;
-+ isc_region_t region;
- DSA_SIG *dsasig;
-+ const BIGNUM *r = 0, *s = NULL;
- unsigned int klen;
- #if USE_EVP
- EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
-@@ -144,8 +218,8 @@ openssldsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
- unsigned char digest[ISC_SHA1_DIGESTLENGTH];
- #endif
-
-- isc_buffer_availableregion(sig, &r);
-- if (r.length < ISC_SHA1_DIGESTLENGTH * 2 + 1)
-+ isc_buffer_availableregion(sig, &region);
-+ if (region.length < ISC_SHA1_DIGESTLENGTH * 2 + 1)
- return (ISC_R_NOSPACE);
-
- #if USE_EVP
-@@ -210,13 +284,14 @@ openssldsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
- klen = (key->key_size - 512)/64;
- if (klen > 255)
- return (ISC_R_FAILURE);
-- *r.base = klen;
-- isc_region_consume(&r, 1);
--
-- BN_bn2bin_fixed(dsasig->r, r.base, ISC_SHA1_DIGESTLENGTH);
-- isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
-- BN_bn2bin_fixed(dsasig->s, r.base, ISC_SHA1_DIGESTLENGTH);
-- isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
-+ *region.base = klen;
-+ isc_region_consume(&region, 1);
-+
-+ DSA_SIG_get0(dsasig, &r, &s);
-+ BN_bn2bin_fixed(r, region.base, ISC_SHA1_DIGESTLENGTH);
-+ isc_region_consume(&region, ISC_SHA1_DIGESTLENGTH);
-+ BN_bn2bin_fixed(s, region.base, ISC_SHA1_DIGESTLENGTH);
-+ isc_region_consume(&region, ISC_SHA1_DIGESTLENGTH);
- DSA_SIG_free(dsasig);
- isc_buffer_add(sig, ISC_SHA1_DIGESTLENGTH * 2 + 1);
-
-@@ -227,6 +302,7 @@ static isc_result_t
- openssldsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
- dst_key_t *key = dctx->key;
- DSA *dsa = key->keydata.dsa;
-+ BIGNUM *r = NULL, *s = NULL;
- int status = 0;
- unsigned char *cp = sig->base;
- DSA_SIG *dsasig;
-@@ -262,9 +338,10 @@ openssldsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
- dsasig = DSA_SIG_new();
- if (dsasig == NULL)
- return (ISC_R_NOMEMORY);
-- dsasig->r = BN_bin2bn(cp, ISC_SHA1_DIGESTLENGTH, NULL);
-+ r = BN_bin2bn(cp, ISC_SHA1_DIGESTLENGTH, NULL);
- cp += ISC_SHA1_DIGESTLENGTH;
-- dsasig->s = BN_bin2bn(cp, ISC_SHA1_DIGESTLENGTH, NULL);
-+ s = BN_bin2bn(cp, ISC_SHA1_DIGESTLENGTH, NULL);
-+ DSA_SIG_set0(dsasig, r, s);
-
- #if 0
- pkey = EVP_PKEY_new();
-@@ -303,8 +380,11 @@ openssldsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
-
- static isc_boolean_t
- openssldsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
-- int status;
- DSA *dsa1, *dsa2;
-+ const BIGNUM *pub_key1 = NULL, *priv_key1 = NULL;
-+ const BIGNUM *pub_key2 = NULL, *priv_key2 = NULL;
-+ const BIGNUM *p1 = NULL, *q1 = NULL, *g1 = NULL;
-+ const BIGNUM *p2 = NULL, *q2 = NULL, *g2 = NULL;
-
- dsa1 = key1->keydata.dsa;
- dsa2 = key2->keydata.dsa;
-@@ -314,18 +394,19 @@ openssldsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
- else if (dsa1 == NULL || dsa2 == NULL)
- return (ISC_FALSE);
-
-- status = BN_cmp(dsa1->p, dsa2->p) ||
-- BN_cmp(dsa1->q, dsa2->q) ||
-- BN_cmp(dsa1->g, dsa2->g) ||
-- BN_cmp(dsa1->pub_key, dsa2->pub_key);
-+ DSA_get0_key(dsa1, &pub_key1, &priv_key1);
-+ DSA_get0_key(dsa2, &pub_key2, &priv_key2);
-+ DSA_get0_pqg(dsa1, &p1, &q1, &g1);
-+ DSA_get0_pqg(dsa2, &p2, &q2, &g2);
-
-- if (status != 0)
-+ if (BN_cmp(p1, p2) != 0 || BN_cmp(q1, q2) != 0 ||
-+ BN_cmp(g1, g2) != 0 || BN_cmp(pub_key1, pub_key2) != 0)
- return (ISC_FALSE);
-
-- if (dsa1->priv_key != NULL || dsa2->priv_key != NULL) {
-- if (dsa1->priv_key == NULL || dsa2->priv_key == NULL)
-+ if (priv_key1 != NULL || priv_key2 != NULL) {
-+ if (priv_key1 == NULL || priv_key2 == NULL)
- return (ISC_FALSE);
-- if (BN_cmp(dsa1->priv_key, dsa2->priv_key))
-+ if (BN_cmp(priv_key1, priv_key2))
- return (ISC_FALSE);
- }
- return (ISC_TRUE);
-@@ -417,7 +498,8 @@ openssldsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
- return (dst__openssl_toresult2("DSA_generate_key",
- DST_R_OPENSSLFAILURE));
- }
-- dsa->flags &= ~DSA_FLAG_CACHE_MONT_P;
-+
-+ DSA_clear_flags(dsa, DSA_FLAG_CACHE_MONT_P);
-
- key->keydata.dsa = dsa;
-
-@@ -427,7 +509,10 @@ openssldsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
- static isc_boolean_t
- openssldsa_isprivate(const dst_key_t *key) {
- DSA *dsa = key->keydata.dsa;
-- return (ISC_TF(dsa != NULL && dsa->priv_key != NULL));
-+ const BIGNUM *priv_key = NULL;
-+
-+ DSA_get0_key(dsa, NULL, &priv_key);
-+ return (ISC_TF(dsa != NULL && priv_key != NULL));
- }
-
- static void
-@@ -441,6 +526,7 @@ openssldsa_destroy(dst_key_t *key) {
- static isc_result_t
- openssldsa_todns(const dst_key_t *key, isc_buffer_t *data) {
- DSA *dsa;
-+ const BIGNUM *pub_key, *p = NULL, *q = NULL, *g = NULL;
- isc_region_t r;
- int dnslen;
- unsigned int t, p_bytes;
-@@ -451,7 +537,10 @@ openssldsa_todns(const dst_key_t *key, isc_buffer_t *data) {
-
- isc_buffer_availableregion(data, &r);
-
-- t = (BN_num_bytes(dsa->p) - 64) / 8;
-+ DSA_get0_key(dsa, &pub_key, NULL);
-+ DSA_get0_pqg(dsa, &p, &q, &g);
-+
-+ t = (BN_num_bytes(p) - 64) / 8;
- if (t > 8)
- return (DST_R_INVALIDPUBLICKEY);
- p_bytes = 64 + 8 * t;
-@@ -462,13 +551,14 @@ openssldsa_todns(const dst_key_t *key, isc_buffer_t *data) {
-
- *r.base = t;
- isc_region_consume(&r, 1);
-- BN_bn2bin_fixed(dsa->q, r.base, ISC_SHA1_DIGESTLENGTH);
-+
-+ BN_bn2bin_fixed(q, r.base, ISC_SHA1_DIGESTLENGTH);
- isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
-- BN_bn2bin_fixed(dsa->p, r.base, key->key_size/8);
-+ BN_bn2bin_fixed(p, r.base, key->key_size/8);
- isc_region_consume(&r, p_bytes);
-- BN_bn2bin_fixed(dsa->g, r.base, key->key_size/8);
-+ BN_bn2bin_fixed(g, r.base, key->key_size/8);
- isc_region_consume(&r, p_bytes);
-- BN_bn2bin_fixed(dsa->pub_key, r.base, key->key_size/8);
-+ BN_bn2bin_fixed(pub_key, r.base, key->key_size/8);
- isc_region_consume(&r, p_bytes);
-
- isc_buffer_add(data, dnslen);
-@@ -479,6 +569,7 @@ openssldsa_todns(const dst_key_t *key, isc_buffer_t *data) {
- static isc_result_t
- openssldsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
- DSA *dsa;
-+ BIGNUM *pub_key, *p, *q, *g;
- isc_region_t r;
- unsigned int t, p_bytes;
- isc_mem_t *mctx = key->mctx;
-@@ -492,7 +583,7 @@ openssldsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
- dsa = DSA_new();
- if (dsa == NULL)
- return (ISC_R_NOMEMORY);
-- dsa->flags &= ~DSA_FLAG_CACHE_MONT_P;
-+ DSA_clear_flags(dsa, DSA_FLAG_CACHE_MONT_P);
-
- t = (unsigned int) *r.base;
- isc_region_consume(&r, 1);
-@@ -507,18 +598,29 @@ openssldsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
- return (DST_R_INVALIDPUBLICKEY);
- }
-
-- dsa->q = BN_bin2bn(r.base, ISC_SHA1_DIGESTLENGTH, NULL);
-+ q = BN_bin2bn(r.base, ISC_SHA1_DIGESTLENGTH, NULL);
- isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
-
-- dsa->p = BN_bin2bn(r.base, p_bytes, NULL);
-+ p = BN_bin2bn(r.base, p_bytes, NULL);
- isc_region_consume(&r, p_bytes);
-
-- dsa->g = BN_bin2bn(r.base, p_bytes, NULL);
-+ g = BN_bin2bn(r.base, p_bytes, NULL);
- isc_region_consume(&r, p_bytes);
-
-- dsa->pub_key = BN_bin2bn(r.base, p_bytes, NULL);
-+ pub_key = BN_bin2bn(r.base, p_bytes, NULL);
- isc_region_consume(&r, p_bytes);
-
-+ if (pub_key == NULL || p == NULL || q == NULL || g == NULL) {
-+ DSA_free(dsa);
-+ if (p != NULL) BN_free(p);
-+ if (q != NULL) BN_free(q);
-+ if (g != NULL) BN_free(g);
-+ return (ISC_R_NOMEMORY);
-+ }
-+
-+ DSA_set0_key(dsa, pub_key, NULL);
-+ DSA_set0_pqg(dsa, p, q, g);
-+
- key->key_size = p_bytes * 8;
-
- isc_buffer_forward(data, 1 + ISC_SHA1_DIGESTLENGTH + 3 * p_bytes);
-@@ -533,6 +635,8 @@ static isc_result_t
- openssldsa_tofile(const dst_key_t *key, const char *directory) {
- int cnt = 0;
- DSA *dsa;
-+ const BIGNUM *pub_key = NULL, *priv_key = NULL;
-+ const BIGNUM *p = NULL, *q = NULL, *g = NULL;
- dst_private_t priv;
- unsigned char bufs[5][128];
-
-@@ -546,33 +650,36 @@ openssldsa_tofile(const dst_key_t *key, const char *directory) {
-
- dsa = key->keydata.dsa;
-
-+ DSA_get0_key(dsa, &pub_key, &priv_key);
-+ DSA_get0_pqg(dsa, &p, &q, &g);
-+
- priv.elements[cnt].tag = TAG_DSA_PRIME;
-- priv.elements[cnt].length = BN_num_bytes(dsa->p);
-- BN_bn2bin(dsa->p, bufs[cnt]);
-+ priv.elements[cnt].length = BN_num_bytes(p);
-+ BN_bn2bin(p, bufs[cnt]);
- priv.elements[cnt].data = bufs[cnt];
- cnt++;
-
- priv.elements[cnt].tag = TAG_DSA_SUBPRIME;
-- priv.elements[cnt].length = BN_num_bytes(dsa->q);
-- BN_bn2bin(dsa->q, bufs[cnt]);
-+ priv.elements[cnt].length = BN_num_bytes(q);
-+ BN_bn2bin(q, bufs[cnt]);
- priv.elements[cnt].data = bufs[cnt];
- cnt++;
-
- priv.elements[cnt].tag = TAG_DSA_BASE;
-- priv.elements[cnt].length = BN_num_bytes(dsa->g);
-- BN_bn2bin(dsa->g, bufs[cnt]);
-+ priv.elements[cnt].length = BN_num_bytes(g);
-+ BN_bn2bin(g, bufs[cnt]);
- priv.elements[cnt].data = bufs[cnt];
- cnt++;
-
- priv.elements[cnt].tag = TAG_DSA_PRIVATE;
-- priv.elements[cnt].length = BN_num_bytes(dsa->priv_key);
-- BN_bn2bin(dsa->priv_key, bufs[cnt]);
-+ priv.elements[cnt].length = BN_num_bytes(priv_key);
-+ BN_bn2bin(priv_key, bufs[cnt]);
- priv.elements[cnt].data = bufs[cnt];
- cnt++;
-
- priv.elements[cnt].tag = TAG_DSA_PUBLIC;
-- priv.elements[cnt].length = BN_num_bytes(dsa->pub_key);
-- BN_bn2bin(dsa->pub_key, bufs[cnt]);
-+ priv.elements[cnt].length = BN_num_bytes(pub_key);
-+ BN_bn2bin(pub_key, bufs[cnt]);
- priv.elements[cnt].data = bufs[cnt];
- cnt++;
-
-@@ -586,6 +693,8 @@ openssldsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
- isc_result_t ret;
- int i;
- DSA *dsa = NULL;
-+ BIGNUM *pub_key = NULL, *priv_key = NULL;
-+ BIGNUM *p = NULL, *q = NULL, *g = NULL;
- isc_mem_t *mctx = key->mctx;
- #define DST_RET(a) {ret = a; goto err;}
-
-@@ -610,7 +719,7 @@ openssldsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
- dsa = DSA_new();
- if (dsa == NULL)
- DST_RET(ISC_R_NOMEMORY);
-- dsa->flags &= ~DSA_FLAG_CACHE_MONT_P;
-+ DSA_clear_flags(dsa, DSA_FLAG_CACHE_MONT_P);
- key->keydata.dsa = dsa;
-
- for (i = 0; i < priv.nelements; i++) {
-@@ -622,28 +731,36 @@ openssldsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
-
- switch (priv.elements[i].tag) {
- case TAG_DSA_PRIME:
-- dsa->p = bn;
-+ p = bn;
- break;
- case TAG_DSA_SUBPRIME:
-- dsa->q = bn;
-+ q = bn;
- break;
- case TAG_DSA_BASE:
-- dsa->g = bn;
-+ g = bn;
- break;
- case TAG_DSA_PRIVATE:
-- dsa->priv_key = bn;
-+ priv_key = bn;
- break;
- case TAG_DSA_PUBLIC:
-- dsa->pub_key = bn;
-+ pub_key = bn;
- break;
- }
- }
- dst__privstruct_free(&priv, mctx);
- memset(&priv, 0, sizeof(priv));
-- key->key_size = BN_num_bits(dsa->p);
-+ DSA_set0_key(dsa, pub_key, priv_key);
-+ DSA_set0_pqg(dsa, p, q, g);
-+ key->key_size = BN_num_bits(p);
- return (ISC_R_SUCCESS);
-
- err:
-+ if (p != NULL)
-+ BN_free(p);
-+ if (q != NULL)
-+ BN_free(q);
-+ if (g != NULL)
-+ BN_free(g);
- openssldsa_destroy(key);
- dst__privstruct_free(&priv, mctx);
- memset(&priv, 0, sizeof(priv));
-diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c
-index a967736..76d5a9d 100644
---- a/lib/dns/opensslecdsa_link.c
-+++ b/lib/dns/opensslecdsa_link.c
-@@ -41,6 +41,30 @@
-
- #define DST_RET(a) {ret = a; goto err;}
-
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+/* From OpenSSL 1.1 */
-+static void
-+ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) {
-+ if (pr != NULL)
-+ *pr = sig->r;
-+ if (ps != NULL)
-+ *ps = sig->s;
-+}
-+
-+static int
-+ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s) {
-+ if (r == NULL || s == NULL)
-+ return 0;
-+
-+ BN_clear_free(sig->r);
-+ BN_clear_free(sig->s);
-+ sig->r = r;
-+ sig->s = s;
-+
-+ return 1;
-+}
-+#endif
-+
- static isc_result_t opensslecdsa_todns(const dst_key_t *key,
- isc_buffer_t *data);
-
-@@ -102,7 +126,7 @@ opensslecdsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
- }
-
- static int
--BN_bn2bin_fixed(BIGNUM *bn, unsigned char *buf, int size) {
-+BN_bn2bin_fixed(const BIGNUM *bn, unsigned char *buf, int size) {
- int bytes = size - BN_num_bytes(bn);
-
- while (bytes-- > 0)
-@@ -115,13 +139,14 @@ static isc_result_t
- opensslecdsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
- isc_result_t ret;
- dst_key_t *key = dctx->key;
-- isc_region_t r;
-+ isc_region_t region;
- ECDSA_SIG *ecdsasig;
- EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
- EVP_PKEY *pkey = key->keydata.pkey;
- EC_KEY *eckey = EVP_PKEY_get1_EC_KEY(pkey);
- unsigned int dgstlen, siglen;
- unsigned char digest[EVP_MAX_MD_SIZE];
-+ const BIGNUM *r, *s;
-
- REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
- key->key_alg == DST_ALG_ECDSA384);
-@@ -134,8 +159,8 @@ opensslecdsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
- else
- siglen = DNS_SIG_ECDSA384SIZE;
-
-- isc_buffer_availableregion(sig, &r);
-- if (r.length < siglen)
-+ isc_buffer_availableregion(sig, &region);
-+ if (region.length < siglen)
- DST_RET(ISC_R_NOSPACE);
-
- if (!EVP_DigestFinal(evp_md_ctx, digest, &dgstlen))
-@@ -148,10 +173,11 @@ opensslecdsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
- DST_RET(dst__openssl_toresult3(dctx->category,
- "ECDSA_do_sign",
- DST_R_SIGNFAILURE));
-- BN_bn2bin_fixed(ecdsasig->r, r.base, siglen / 2);
-- isc_region_consume(&r, siglen / 2);
-- BN_bn2bin_fixed(ecdsasig->s, r.base, siglen / 2);
-- isc_region_consume(&r, siglen / 2);
-+ ECDSA_SIG_get0(ecdsasig, &r, &s);
-+ BN_bn2bin_fixed(r, region.base, siglen / 2);
-+ isc_region_consume(&region, siglen / 2);
-+ BN_bn2bin_fixed(s, region.base, siglen / 2);
-+ isc_region_consume(&region, siglen / 2);
- ECDSA_SIG_free(ecdsasig);
- isc_buffer_add(sig, siglen);
- ret = ISC_R_SUCCESS;
-@@ -174,6 +200,7 @@ opensslecdsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
- EC_KEY *eckey = EVP_PKEY_get1_EC_KEY(pkey);
- unsigned int dgstlen, siglen;
- unsigned char digest[EVP_MAX_MD_SIZE];
-+ BIGNUM *r = NULL, *s = NULL ;
-
- REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
- key->key_alg == DST_ALG_ECDSA384);
-@@ -197,13 +224,10 @@ opensslecdsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
- ecdsasig = ECDSA_SIG_new();
- if (ecdsasig == NULL)
- DST_RET (ISC_R_NOMEMORY);
-- if (ecdsasig->r != NULL)
-- BN_free(ecdsasig->r);
-- ecdsasig->r = BN_bin2bn(cp, siglen / 2, NULL);
-+ r = BN_bin2bn(cp, siglen / 2, NULL);
- cp += siglen / 2;
-- if (ecdsasig->s != NULL)
-- BN_free(ecdsasig->s);
-- ecdsasig->s = BN_bin2bn(cp, siglen / 2, NULL);
-+ s = BN_bin2bn(cp, siglen / 2, NULL);
-+ ECDSA_SIG_set0(ecdsasig, r, s);
- /* cp += siglen / 2; */
-
- status = ECDSA_do_verify(digest, dgstlen, ecdsasig, eckey);
-diff --git a/lib/dns/opensslgost_link.c b/lib/dns/opensslgost_link.c
-index 6b04f7b..62d7238 100644
---- a/lib/dns/opensslgost_link.c
-+++ b/lib/dns/opensslgost_link.c
-@@ -28,6 +28,11 @@
- #include <openssl/rsa.h>
- #include <openssl/engine.h>
-
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#define EVP_MD_CTX_new() &(ctx->_ctx), EVP_MD_CTX_init(&(ctx->_ctx))
-+#define EVP_MD_CTX_free(ptr) EVP_MD_CTX_cleanup(ptr)
-+#endif
-+
- static ENGINE *e = NULL;
- static const EVP_MD *opensslgost_digest;
- extern const EVP_MD *EVP_gost(void);
-@@ -48,8 +53,10 @@ isc_gost_init(isc_gost_t *ctx) {
- md = EVP_gost();
- if (md == NULL)
- return (DST_R_CRYPTOFAILURE);
-- EVP_MD_CTX_init(ctx);
-- ret = EVP_DigestInit(ctx, md);
-+ ctx->ctx = EVP_MD_CTX_new();
-+ if (ctx->ctx == NULL)
-+ return (ISC_R_NOMEMORY);
-+ ret = EVP_DigestInit(ctx->ctx, md);
- if (ret != 1)
- return (DST_R_CRYPTOFAILURE);
- return (ISC_R_SUCCESS);
-@@ -57,7 +64,8 @@ isc_gost_init(isc_gost_t *ctx) {
-
- void
- isc_gost_invalidate(isc_gost_t *ctx) {
-- EVP_MD_CTX_cleanup(ctx);
-+ EVP_MD_CTX_free(ctx->ctx);
-+ ctx->ctx = NULL;
- }
-
- isc_result_t
-@@ -67,9 +75,10 @@ isc_gost_update(isc_gost_t *ctx, const unsigned char *data,
- int ret;
-
- INSIST(ctx != NULL);
-+ INSIST(ctx->ctx != NULL);
- INSIST(data != NULL);
-
-- ret = EVP_DigestUpdate(ctx, (const void *) data, (size_t) len);
-+ ret = EVP_DigestUpdate(ctx->ctx, (const void *) data, (size_t) len);
- if (ret != 1)
- return (DST_R_CRYPTOFAILURE);
- return (ISC_R_SUCCESS);
-@@ -80,9 +89,12 @@ isc_gost_final(isc_gost_t *ctx, unsigned char *digest) {
- int ret;
-
- INSIST(ctx != NULL);
-+ INSIST(ctx->ctx != NULL);
- INSIST(digest != NULL);
-
-- ret = EVP_DigestFinal(ctx, digest, NULL);
-+ ret = EVP_DigestFinal(ctx->ctx, digest, NULL);
-+ EVP_MD_CTX_free(ctx->ctx);
-+ ctx->ctx = NULL;
- if (ret != 1)
- return (DST_R_CRYPTOFAILURE);
- return (ISC_R_SUCCESS);
-diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
-index b5ad913..89b4975 100644
---- a/lib/dns/opensslrsa_link.c
-+++ b/lib/dns/opensslrsa_link.c
-@@ -99,7 +99,8 @@
- (rsa)->flags &= ~(RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE); \
- (rsa)->flags &= ~RSA_FLAG_BLINDING; \
- } while (0)
--#elif defined(RSA_FLAG_NO_BLINDING)
-+#elif OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if defined(RSA_FLAG_NO_BLINDING)
- #define SET_FLAGS(rsa) \
- do { \
- (rsa)->flags &= ~RSA_FLAG_BLINDING; \
-@@ -111,9 +112,132 @@
- (rsa)->flags &= ~RSA_FLAG_BLINDING; \
- } while (0)
- #endif
--
-+#else
-+#define SET_FLAGS(rsa) \
-+ do { \
-+ RSA_clear_flags(rsa, RSA_FLAG_BLINDING); \
-+ RSA_set_flags(rsa, RSA_FLAG_NO_BLINDING); \
-+ } while (0)
-+#endif
- #define DST_RET(a) {ret = a; goto err;}
-
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+/* From OpenSSL 1.1.0 */
-+static int
-+RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) {
-+
-+ /*
-+ * If the fields n and e in r are NULL, the corresponding input
-+ * parameters MUST be non-NULL for n and e. d may be
-+ * left NULL (in case only the public key is used).
-+ */
-+ if ((r->n == NULL && n == NULL) || (r->e == NULL && e == NULL))
-+ return 0;
-+
-+ if (n != NULL) {
-+ BN_free(r->n);
-+ r->n = n;
-+ }
-+ if (e != NULL) {
-+ BN_free(r->e);
-+ r->e = e;
-+ }
-+ if (d != NULL) {
-+ BN_free(r->d);
-+ r->d = d;
-+ }
-+
-+ return 1;
-+}
-+
-+static int
-+RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q) {
-+
-+ /*
-+ * If the fields p and q in r are NULL, the corresponding input
-+ * parameters MUST be non-NULL.
-+ */
-+ if ((r->p == NULL && p == NULL) || (r->q == NULL && q == NULL))
-+ return 0;
-+
-+ if (p != NULL) {
-+ BN_free(r->p);
-+ r->p = p;
-+ }
-+ if (q != NULL) {
-+ BN_free(r->q);
-+ r->q = q;
-+ }
-+
-+ return 1;
-+}
-+
-+static int
-+RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp) {
-+ /*
-+ * If the fields dmp1, dmq1 and iqmp in r are NULL, the
-+ * corresponding input parameters MUST be non-NULL.
-+ */
-+ if ((r->dmp1 == NULL && dmp1 == NULL) ||
-+ (r->dmq1 == NULL && dmq1 == NULL) ||
-+ (r->iqmp == NULL && iqmp == NULL))
-+ return 0;
-+
-+ if (dmp1 != NULL) {
-+ BN_free(r->dmp1);
-+ r->dmp1 = dmp1;
-+ }
-+ if (dmq1 != NULL) {
-+ BN_free(r->dmq1);
-+ r->dmq1 = dmq1;
-+ }
-+ if (iqmp != NULL) {
-+ BN_free(r->iqmp);
-+ r->iqmp = iqmp;
-+ }
-+
-+ return 1;
-+}
-+
-+static void
-+RSA_get0_key(const RSA *r,
-+ const BIGNUM **n, const BIGNUM **e, const BIGNUM **d)
-+{
-+ if (n != NULL)
-+ *n = r->n;
-+ if (e != NULL)
-+ *e = r->e;
-+ if (d != NULL)
-+ *d = r->d;
-+}
-+
-+static void
-+RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q) {
-+ if (p != NULL)
-+ *p = r->p;
-+ if (q != NULL)
-+ *q = r->q;
-+}
-+
-+static void
-+RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1,
-+ const BIGNUM **iqmp)
-+{
-+ if (dmp1 != NULL)
-+ *dmp1 = r->dmp1;
-+ if (dmq1 != NULL)
-+ *dmq1 = r->dmq1;
-+ if (iqmp != NULL)
-+ *iqmp = r->iqmp;
-+}
-+
-+static int
-+RSA_test_flags(const RSA *r, int flags) {
-+ return (r->flags & flags);
-+}
-+
-+#endif
-+
- static isc_result_t opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data);
-
- static isc_result_t
-@@ -553,6 +677,7 @@ opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) {
- EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
- EVP_PKEY *pkey = key->keydata.pkey;
- RSA *rsa;
-+ const BIGNUM *e = NULL;
- int bits;
- #else
- /* note: ISC_SHA512_DIGESTLENGTH >= ISC_*_DIGESTLENGTH */
-@@ -583,7 +708,8 @@ opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) {
- rsa = EVP_PKEY_get1_RSA(pkey);
- if (rsa == NULL)
- return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
-- bits = BN_num_bits(rsa->e);
-+ RSA_get0_key(rsa, NULL, &e, NULL);
-+ bits = BN_num_bits(e);
- RSA_free(rsa);
- if (bits > maxbits && maxbits != 0)
- return (DST_R_VERIFYFAILURE);
-@@ -600,7 +726,8 @@ opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) {
- DST_R_VERIFYFAILURE));
- }
- #else
-- if (BN_num_bits(rsa->e) > maxbits && maxbits != 0)
-+ RSA_get0_key(rsa, NULL, &e, NULL);
-+ if (BN_num_bits(e) > maxbits && maxbits != 0)
- return (DST_R_VERIFYFAILURE);
-
- switch (dctx->key->key_alg) {
-@@ -729,6 +856,11 @@ static isc_boolean_t
- opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
- int status;
- RSA *rsa1 = NULL, *rsa2 = NULL;
-+ const BIGNUM *n1 = NULL, *n2 = NULL;
-+ const BIGNUM *e1 = NULL, *e2 = NULL;
-+ const BIGNUM *d1 = NULL, *d2 = NULL;
-+ const BIGNUM *p1 = NULL, *p2 = NULL;
-+ const BIGNUM *q1 = NULL, *q2 = NULL;
- #if USE_EVP
- EVP_PKEY *pkey1, *pkey2;
- #endif
-@@ -758,17 +890,18 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
- else if (rsa1 == NULL || rsa2 == NULL)
- return (ISC_FALSE);
-
-- status = BN_cmp(rsa1->n, rsa2->n) ||
-- BN_cmp(rsa1->e, rsa2->e);
-+ RSA_get0_key(rsa1, &n1, &e1, &d1);
-+ RSA_get0_key(rsa2, &n2, &e2, &d2);
-+ status = BN_cmp(n1, n2) || BN_cmp(e1, e2);
-
- if (status != 0)
- return (ISC_FALSE);
-
- #if USE_EVP
-- if ((rsa1->flags & RSA_FLAG_EXT_PKEY) != 0 ||
-- (rsa2->flags & RSA_FLAG_EXT_PKEY) != 0) {
-- if ((rsa1->flags & RSA_FLAG_EXT_PKEY) == 0 ||
-- (rsa2->flags & RSA_FLAG_EXT_PKEY) == 0)
-+ if (RSA_test_flags(rsa1, RSA_FLAG_EXT_PKEY) != 0 ||
-+ RSA_test_flags(rsa2, RSA_FLAG_EXT_PKEY) != 0) {
-+ if (RSA_test_flags(rsa1, RSA_FLAG_EXT_PKEY) == 0 ||
-+ RSA_test_flags(rsa2, RSA_FLAG_EXT_PKEY) == 0)
- return (ISC_FALSE);
- /*
- * Can't compare private parameters, BTW does it make sense?
-@@ -777,12 +910,12 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
- }
- #endif
-
-- if (rsa1->d != NULL || rsa2->d != NULL) {
-- if (rsa1->d == NULL || rsa2->d == NULL)
-+ if (d1 != NULL || d2 != NULL) {
-+ if (d1 == NULL || d2 == NULL)
- return (ISC_FALSE);
-- status = BN_cmp(rsa1->d, rsa2->d) ||
-- BN_cmp(rsa1->p, rsa2->p) ||
-- BN_cmp(rsa1->q, rsa2->q);
-+ RSA_get0_factors(rsa1, &p1, &q1);
-+ RSA_get0_factors(rsa2, &p2, &q2);
-+ status = BN_cmp(d1, d2) || BN_cmp(p1, p1) || BN_cmp(q1, q2);
-
- if (status != 0)
- return (ISC_FALSE);
-@@ -868,7 +1001,7 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
- ret = dst__openssl_toresult2("RSA_generate_key_ex",
- DST_R_OPENSSLFAILURE);
-
--err:
-+ err:
- #if USE_EVP
- if (pkey != NULL)
- EVP_PKEY_free(pkey);
-@@ -925,6 +1058,7 @@ err:
-
- static isc_boolean_t
- opensslrsa_isprivate(const dst_key_t *key) {
-+ const BIGNUM *d = NULL;
- #if USE_EVP
- RSA *rsa = EVP_PKEY_get1_RSA(key->keydata.pkey);
- INSIST(rsa != NULL);
-@@ -933,9 +1067,10 @@ opensslrsa_isprivate(const dst_key_t *key) {
- #else
- RSA *rsa = key->keydata.rsa;
- #endif
-- if (rsa != NULL && (rsa->flags & RSA_FLAG_EXT_PKEY) != 0)
-+ if (rsa != NULL && RSA_test_flags(rsa, RSA_FLAG_EXT_PKEY) != 0)
- return (ISC_TRUE);
-- return (ISC_TF(rsa != NULL && rsa->d != NULL));
-+ RSA_get0_key(rsa, NULL, NULL, &d);
-+ return (ISC_TF(rsa != NULL && d != NULL));
- }
-
- static void
-@@ -951,7 +1086,6 @@ opensslrsa_destroy(dst_key_t *key) {
- #endif
- }
-
--
- static isc_result_t
- opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data) {
- isc_region_t r;
-@@ -962,6 +1096,7 @@ opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data) {
- #if USE_EVP
- EVP_PKEY *pkey;
- #endif
-+ const BIGNUM *e = NULL, *n = NULL;
-
- #if USE_EVP
- REQUIRE(key->keydata.pkey != NULL);
-@@ -980,8 +1115,9 @@ opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data) {
-
- isc_buffer_availableregion(data, &r);
-
-- e_bytes = BN_num_bytes(rsa->e);
-- mod_bytes = BN_num_bytes(rsa->n);
-+ RSA_get0_key(rsa, &n, &e, NULL);
-+ mod_bytes = BN_num_bytes(n);
-+ e_bytes = BN_num_bytes(e);
-
- if (e_bytes < 256) { /*%< key exponent is <= 2040 bits */
- if (r.length < 1)
-@@ -999,9 +1135,10 @@ opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data) {
- if (r.length < e_bytes + mod_bytes)
- DST_RET(ISC_R_NOSPACE);
-
-- BN_bn2bin(rsa->e, r.base);
-+ RSA_get0_key(rsa, &n, &e, NULL);
-+ BN_bn2bin(e, r.base);
- isc_region_consume(&r, e_bytes);
-- BN_bn2bin(rsa->n, r.base);
-+ BN_bn2bin(n, r.base);
-
- isc_buffer_add(data, e_bytes + mod_bytes);
-
-@@ -1023,6 +1160,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
- #if USE_EVP
- EVP_PKEY *pkey;
- #endif
-+ BIGNUM *e = NULL, *n = NULL;
-
- isc_buffer_remainingregion(data, &r);
- if (r.length == 0)
-@@ -1056,12 +1194,16 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
- RSA_free(rsa);
- return (DST_R_INVALIDPUBLICKEY);
- }
-- rsa->e = BN_bin2bn(r.base, e_bytes, NULL);
-+ e = BN_bin2bn(r.base, e_bytes, NULL);
- isc_region_consume(&r, e_bytes);
--
-- rsa->n = BN_bin2bn(r.base, r.length, NULL);
--
-- key->key_size = BN_num_bits(rsa->n);
-+ n = BN_bin2bn(r.base, r.length, NULL);
-+ if (RSA_set0_key(rsa, n, e, NULL) == 0) {
-+ if (n != NULL) BN_free(n);
-+ if (e != NULL) BN_free(e);
-+ RSA_free(rsa);
-+ return (ISC_R_NOMEMORY);
-+ }
-+ key->key_size = BN_num_bits(n);
-
- isc_buffer_forward(data, length);
-
-@@ -1092,6 +1234,9 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) {
- dst_private_t priv;
- unsigned char *bufs[8];
- isc_result_t result;
-+ const BIGNUM *n = NULL, *e = NULL, *d = NULL;
-+ const BIGNUM *p = NULL, *q = NULL;
-+ const BIGNUM *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL;
-
- #if USE_EVP
- if (key->keydata.pkey == NULL)
-@@ -1106,6 +1251,10 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) {
- #endif
- memset(bufs, 0, sizeof(bufs));
-
-+ RSA_get0_key(rsa, &n, &e, &d);
-+ RSA_get0_factors(rsa, &p, &q);
-+ RSA_get0_crt_params(rsa, &dmp1, &dmq1, &iqmp);
-+
- if (key->external) {
- priv.nelements = 0;
- result = dst__privstruct_writefile(key, &priv, directory);
-@@ -1113,7 +1262,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) {
- }
-
- for (i = 0; i < 8; i++) {
-- bufs[i] = isc_mem_get(key->mctx, BN_num_bytes(rsa->n));
-+ bufs[i] = isc_mem_get(key->mctx, BN_num_bytes(n));
- if (bufs[i] == NULL) {
- result = ISC_R_NOMEMORY;
- goto fail;
-@@ -1123,61 +1272,61 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) {
- i = 0;
-
- priv.elements[i].tag = TAG_RSA_MODULUS;
-- priv.elements[i].length = BN_num_bytes(rsa->n);
-- BN_bn2bin(rsa->n, bufs[i]);
-+ priv.elements[i].length = BN_num_bytes(n);
-+ BN_bn2bin(n, bufs[i]);
- priv.elements[i].data = bufs[i];
- i++;
-
- priv.elements[i].tag = TAG_RSA_PUBLICEXPONENT;
-- priv.elements[i].length = BN_num_bytes(rsa->e);
-- BN_bn2bin(rsa->e, bufs[i]);
-+ priv.elements[i].length = BN_num_bytes(e);
-+ BN_bn2bin(e, bufs[i]);
- priv.elements[i].data = bufs[i];
- i++;
-
-- if (rsa->d != NULL) {
-+ if (d != NULL) {
- priv.elements[i].tag = TAG_RSA_PRIVATEEXPONENT;
-- priv.elements[i].length = BN_num_bytes(rsa->d);
-- BN_bn2bin(rsa->d, bufs[i]);
-+ priv.elements[i].length = BN_num_bytes(d);
-+ BN_bn2bin(d, bufs[i]);
- priv.elements[i].data = bufs[i];
- i++;
- }
-
-- if (rsa->p != NULL) {
-+ if (p != NULL) {
- priv.elements[i].tag = TAG_RSA_PRIME1;
-- priv.elements[i].length = BN_num_bytes(rsa->p);
-- BN_bn2bin(rsa->p, bufs[i]);
-+ priv.elements[i].length = BN_num_bytes(p);
-+ BN_bn2bin(p, bufs[i]);
- priv.elements[i].data = bufs[i];
- i++;
- }
-
-- if (rsa->q != NULL) {
-+ if (q != NULL) {
- priv.elements[i].tag = TAG_RSA_PRIME2;
-- priv.elements[i].length = BN_num_bytes(rsa->q);
-- BN_bn2bin(rsa->q, bufs[i]);
-+ priv.elements[i].length = BN_num_bytes(q);
-+ BN_bn2bin(q, bufs[i]);
- priv.elements[i].data = bufs[i];
- i++;
- }
-
-- if (rsa->dmp1 != NULL) {
-+ if (dmp1 != NULL) {
- priv.elements[i].tag = TAG_RSA_EXPONENT1;
-- priv.elements[i].length = BN_num_bytes(rsa->dmp1);
-- BN_bn2bin(rsa->dmp1, bufs[i]);
-+ priv.elements[i].length = BN_num_bytes(dmp1);
-+ BN_bn2bin(dmp1, bufs[i]);
- priv.elements[i].data = bufs[i];
- i++;
- }
-
-- if (rsa->dmq1 != NULL) {
-+ if (dmq1 != NULL) {
- priv.elements[i].tag = TAG_RSA_EXPONENT2;
-- priv.elements[i].length = BN_num_bytes(rsa->dmq1);
-- BN_bn2bin(rsa->dmq1, bufs[i]);
-+ priv.elements[i].length = BN_num_bytes(dmq1);
-+ BN_bn2bin(dmq1, bufs[i]);
- priv.elements[i].data = bufs[i];
- i++;
- }
-
-- if (rsa->iqmp != NULL) {
-+ if (iqmp != NULL) {
- priv.elements[i].tag = TAG_RSA_COEFFICIENT;
-- priv.elements[i].length = BN_num_bytes(rsa->iqmp);
-- BN_bn2bin(rsa->iqmp, bufs[i]);
-+ priv.elements[i].length = BN_num_bytes(iqmp);
-+ BN_bn2bin(iqmp, bufs[i]);
- priv.elements[i].data = bufs[i];
- i++;
- }
-@@ -1208,33 +1357,45 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) {
- for (i = 0; i < 8; i++) {
- if (bufs[i] == NULL)
- break;
-- isc_mem_put(key->mctx, bufs[i], BN_num_bytes(rsa->n));
-+ isc_mem_put(key->mctx, bufs[i], BN_num_bytes(n));
- }
- return (result);
- }
-
- static isc_result_t
--rsa_check(RSA *rsa, RSA *pub)
--{
-- /* Public parameters should be the same but if they are not set
-- * copy them from the public key. */
-+rsa_check(RSA *rsa, RSA *pub) {
-+ const BIGNUM *n1 = NULL, *n2 = NULL;
-+ const BIGNUM *e1 = NULL, *e2 = NULL;
-+ BIGNUM *n = NULL, *e = NULL;
-+
-+ /*
-+ * Public parameters should be the same but if they are not set
-+ * copy them from the public key.
-+ */
-+ RSA_get0_key(rsa, &n1, &e1, NULL);
- if (pub != NULL) {
-- if (rsa->n != NULL) {
-- if (BN_cmp(rsa->n, pub->n) != 0)
-+ RSA_get0_key(pub, &n2, &e2, NULL);
-+ if (n1 != NULL) {
-+ if (BN_cmp(n1, n2) != 0)
- return (DST_R_INVALIDPRIVATEKEY);
- } else {
-- rsa->n = pub->n;
-- pub->n = NULL;
-+ n = BN_dup(n2);
- }
-- if (rsa->e != NULL) {
-- if (BN_cmp(rsa->e, pub->e) != 0)
-+ if (e1 != NULL) {
-+ if (BN_cmp(e1, e2) != 0)
- return (DST_R_INVALIDPRIVATEKEY);
- } else {
-- rsa->e = pub->e;
-- pub->e = NULL;
-+ e = BN_dup(e2);
-+ }
-+ if (RSA_set0_key(rsa, n, e, NULL) == 0) {
-+ if (n != NULL)
-+ BN_free(n);
-+ if (e != NULL)
-+ BN_free(e);
- }
- }
-- if (rsa->n == NULL || rsa->e == NULL)
-+ RSA_get0_key(rsa, &n1, &e1, NULL);
-+ if (n1 == NULL || e1 == NULL)
- return (DST_R_INVALIDPRIVATEKEY);
- return (ISC_R_SUCCESS);
- }
-@@ -1246,13 +1407,17 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
- int i;
- RSA *rsa = NULL, *pubrsa = NULL;
- #ifdef USE_ENGINE
-- ENGINE *e = NULL;
-+ ENGINE *ep = NULL;
-+ const BIGNUM *ex = NULL;
- #endif
- isc_mem_t *mctx = key->mctx;
- const char *engine = NULL, *label = NULL;
- #if defined(USE_ENGINE) || USE_EVP
- EVP_PKEY *pkey = NULL;
- #endif
-+ BIGNUM *n = NULL, *e = NULL, *d = NULL;
-+ BIGNUM *p = NULL, *q = NULL;
-+ BIGNUM *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL;
-
- /* read private key file */
- ret = dst__privstruct_parse(key, DST_ALG_RSA, lexer, mctx, &priv);
-@@ -1303,10 +1468,10 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
- #ifdef USE_ENGINE
- if (engine == NULL)
- DST_RET(DST_R_NOENGINE);
-- e = dst__openssl_getengine(engine);
-- if (e == NULL)
-+ ep = dst__openssl_getengine(engine);
-+ if (ep == NULL)
- DST_RET(DST_R_NOENGINE);
-- pkey = ENGINE_load_private_key(e, label, NULL, NULL);
-+ pkey = ENGINE_load_private_key(ep, label, NULL, NULL);
- if (pkey == NULL)
- DST_RET(dst__openssl_toresult2(
- "ENGINE_load_private_key",
-@@ -1322,7 +1487,8 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
- DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
- if (rsa_check(rsa, pubrsa) != ISC_R_SUCCESS)
- DST_RET(DST_R_INVALIDPRIVATEKEY);
-- if (BN_num_bits(rsa->e) > RSA_MAX_PUBEXP_BITS)
-+ RSA_get0_key(rsa, NULL, &ex, NULL);
-+ if (BN_num_bits(ex) > RSA_MAX_PUBEXP_BITS)
- DST_RET(ISC_R_RANGE);
- if (pubrsa != NULL)
- RSA_free(pubrsa);
-@@ -1370,43 +1536,57 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
- priv.elements[i].length, NULL);
- if (bn == NULL)
- DST_RET(ISC_R_NOMEMORY);
-- }
--
-- switch (priv.elements[i].tag) {
-+ switch (priv.elements[i].tag) {
- case TAG_RSA_MODULUS:
-- rsa->n = bn;
-+ n = bn;
- break;
- case TAG_RSA_PUBLICEXPONENT:
-- rsa->e = bn;
-+ e = bn;
- break;
- case TAG_RSA_PRIVATEEXPONENT:
-- rsa->d = bn;
-+ d = bn;
- break;
- case TAG_RSA_PRIME1:
-- rsa->p = bn;
-+ p = bn;
- break;
- case TAG_RSA_PRIME2:
-- rsa->q = bn;
-+ q = bn;
- break;
- case TAG_RSA_EXPONENT1:
-- rsa->dmp1 = bn;
-+ dmp1 = bn;
- break;
- case TAG_RSA_EXPONENT2:
-- rsa->dmq1 = bn;
-+ dmq1 = bn;
- break;
- case TAG_RSA_COEFFICIENT:
-- rsa->iqmp = bn;
-+ iqmp = bn;
- break;
-+ }
- }
- }
- dst__privstruct_free(&priv, mctx);
- memset(&priv, 0, sizeof(priv));
-
-+ if (RSA_set0_key(rsa, n, e, d) == 0) {
-+ if (n != NULL) BN_free(n);
-+ if (e != NULL) BN_free(e);
-+ if (d != NULL) BN_free(d);
-+ }
-+ if (RSA_set0_factors(rsa, p, q) == 0) {
-+ if (p != NULL) BN_free(p);
-+ if (q != NULL) BN_free(q);
-+ }
-+ if (RSA_set0_crt_params(rsa, dmp1, dmq1, iqmp) == 0) {
-+ if (dmp1 != NULL) BN_free(dmp1);
-+ if (dmq1 != NULL) BN_free(dmq1);
-+ if (iqmp != NULL) BN_free(iqmp);
-+ }
-+
- if (rsa_check(rsa, pubrsa) != ISC_R_SUCCESS)
- DST_RET(DST_R_INVALIDPRIVATEKEY);
-- if (BN_num_bits(rsa->e) > RSA_MAX_PUBEXP_BITS)
-+ if (BN_num_bits(e) > RSA_MAX_PUBEXP_BITS)
- DST_RET(ISC_R_RANGE);
-- key->key_size = BN_num_bits(rsa->n);
-+ key->key_size = BN_num_bits(n);
- if (pubrsa != NULL)
- RSA_free(pubrsa);
- #if USE_EVP
-@@ -1440,6 +1620,7 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
- EVP_PKEY *pkey = NULL;
- RSA *rsa = NULL, *pubrsa = NULL;
- char *colon, *tmpengine = NULL;
-+ const BIGNUM *ex = NULL;
-
- UNUSED(pin);
-
-@@ -1483,7 +1664,8 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
- DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
- if (rsa_check(rsa, pubrsa) != ISC_R_SUCCESS)
- DST_RET(DST_R_INVALIDPRIVATEKEY);
-- if (BN_num_bits(rsa->e) > RSA_MAX_PUBEXP_BITS)
-+ RSA_get0_key(rsa, NULL, &ex, NULL);
-+ if (BN_num_bits(ex) > RSA_MAX_PUBEXP_BITS)
- DST_RET(ISC_R_RANGE);
- if (pubrsa != NULL)
- RSA_free(pubrsa);
-diff --git a/lib/isc/aes.c b/lib/isc/aes.c
-index a4a61b3..e47ecf3 100644
---- a/lib/isc/aes.c
-+++ b/lib/isc/aes.c
-@@ -22,54 +22,72 @@
- #ifdef ISC_PLATFORM_WANTAES
- #if HAVE_OPENSSL_EVP_AES
-
-+#include <openssl/opensslv.h>
- #include <openssl/evp.h>
-
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#define EVP_CIPHER_CTX_new() &(_context), EVP_CIPHER_CTX_init(&_context)
-+#define EVP_CIPHER_CTX_free(c) RUNTIME_CHECK(EVP_CIPHER_CTX_cleanup(c) == 1)
-+#endif
-+
- void
- isc_aes128_crypt(const unsigned char *key, const unsigned char *in,
- unsigned char *out)
- {
-- EVP_CIPHER_CTX c;
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+ EVP_CIPHER_CTX _context;
-+#endif
-+ EVP_CIPHER_CTX *c;
- int len;
-
-- EVP_CIPHER_CTX_init(&c);
-- RUNTIME_CHECK(EVP_EncryptInit(&c, EVP_aes_128_ecb(), key, NULL) == 1);
-- EVP_CIPHER_CTX_set_padding(&c, 0);
-- RUNTIME_CHECK(EVP_EncryptUpdate(&c, out, &len, in,
-+ c = EVP_CIPHER_CTX_new();
-+ RUNTIME_CHECK(c != NULL);
-+ RUNTIME_CHECK(EVP_EncryptInit(c, EVP_aes_128_ecb(), key, NULL) == 1);
-+ EVP_CIPHER_CTX_set_padding(c, 0);
-+ RUNTIME_CHECK(EVP_EncryptUpdate(c, out, &len, in,
- ISC_AES_BLOCK_LENGTH) == 1);
- RUNTIME_CHECK(len == ISC_AES_BLOCK_LENGTH);
-- RUNTIME_CHECK(EVP_CIPHER_CTX_cleanup(&c) == 1);
-+ EVP_CIPHER_CTX_free(c);
- }
-
- void
- isc_aes192_crypt(const unsigned char *key, const unsigned char *in,
- unsigned char *out)
- {
-- EVP_CIPHER_CTX c;
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+ EVP_CIPHER_CTX _context;
-+#endif
-+ EVP_CIPHER_CTX *c;
- int len;
-
-- EVP_CIPHER_CTX_init(&c);
-- RUNTIME_CHECK(EVP_EncryptInit(&c, EVP_aes_192_ecb(), key, NULL) == 1);
-- EVP_CIPHER_CTX_set_padding(&c, 0);
-- RUNTIME_CHECK(EVP_EncryptUpdate(&c, out, &len, in,
-+ c = EVP_CIPHER_CTX_new();
-+ RUNTIME_CHECK(c != NULL);
-+ RUNTIME_CHECK(EVP_EncryptInit(c, EVP_aes_192_ecb(), key, NULL) == 1);
-+ EVP_CIPHER_CTX_set_padding(c, 0);
-+ RUNTIME_CHECK(EVP_EncryptUpdate(c, out, &len, in,
- ISC_AES_BLOCK_LENGTH) == 1);
- RUNTIME_CHECK(len == ISC_AES_BLOCK_LENGTH);
-- RUNTIME_CHECK(EVP_CIPHER_CTX_cleanup(&c) == 1);
-+ EVP_CIPHER_CTX_free(c);
- }
-
- void
- isc_aes256_crypt(const unsigned char *key, const unsigned char *in,
- unsigned char *out)
- {
-- EVP_CIPHER_CTX c;
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+ EVP_CIPHER_CTX _context;
-+#endif
-+ EVP_CIPHER_CTX *c;
- int len;
-
-- EVP_CIPHER_CTX_init(&c);
-- RUNTIME_CHECK(EVP_EncryptInit(&c, EVP_aes_256_ecb(), key, NULL) == 1);
-- EVP_CIPHER_CTX_set_padding(&c, 0);
-- RUNTIME_CHECK(EVP_EncryptUpdate(&c, out, &len, in,
-+ c = EVP_CIPHER_CTX_new();
-+ RUNTIME_CHECK(c != NULL);
-+ RUNTIME_CHECK(EVP_EncryptInit(c, EVP_aes_256_ecb(), key, NULL) == 1);
-+ EVP_CIPHER_CTX_set_padding(c, 0);
-+ RUNTIME_CHECK(EVP_EncryptUpdate(c, out, &len, in,
- ISC_AES_BLOCK_LENGTH) == 1);
- RUNTIME_CHECK(len == ISC_AES_BLOCK_LENGTH);
-- RUNTIME_CHECK(EVP_CIPHER_CTX_cleanup(&c) == 1);
-+ EVP_CIPHER_CTX_free(c);
- }
-
- #elif HAVE_OPENSSL_AES
-diff --git a/lib/isc/hmacmd5.c b/lib/isc/hmacmd5.c
-index 621aa3b..1b81293 100644
---- a/lib/isc/hmacmd5.c
-+++ b/lib/isc/hmacmd5.c
-@@ -34,43 +34,41 @@
- #endif
-
- #ifdef ISC_PLATFORM_OPENSSLHASH
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#define HMAC_CTX_new() &(ctx->_ctx), HMAC_CTX_init(&(ctx->_ctx))
-+#define HMAC_CTX_free(ptr) HMAC_CTX_cleanup(ptr)
-+#endif
-
- void
- isc_hmacmd5_init(isc_hmacmd5_t *ctx, const unsigned char *key,
- unsigned int len)
- {
--#ifdef HMAC_RETURN_INT
-- RUNTIME_CHECK(HMAC_Init(ctx, (const void *) key,
-- (int) len, EVP_md5()) == 1);
--#else
-- HMAC_Init(ctx, (const void *) key, (int) len, EVP_md5());
--#endif
-+ ctx->ctx = HMAC_CTX_new();
-+ RUNTIME_CHECK(ctx->ctx != NULL);
-+ RUNTIME_CHECK(HMAC_Init_ex(ctx->ctx, (const void *) key,
-+ (int) len, EVP_md5(), NULL) == 1);
- }
-
- void
- isc_hmacmd5_invalidate(isc_hmacmd5_t *ctx) {
-- HMAC_CTX_cleanup(ctx);
-+ if (ctx->ctx == NULL)
-+ return;
-+ HMAC_CTX_free(ctx->ctx);
-+ ctx->ctx = NULL;
- }
-
- void
- isc_hmacmd5_update(isc_hmacmd5_t *ctx, const unsigned char *buf,
- unsigned int len)
- {
--#ifdef HMAC_RETURN_INT
-- RUNTIME_CHECK(HMAC_Update(ctx, buf, (int) len) == 1);
--#else
-- HMAC_Update(ctx, buf, (int) len);
--#endif
-+ RUNTIME_CHECK(HMAC_Update(ctx->ctx, buf, (int) len) == 1);
- }
-
- void
- isc_hmacmd5_sign(isc_hmacmd5_t *ctx, unsigned char *digest) {
--#ifdef HMAC_RETURN_INT
-- RUNTIME_CHECK(HMAC_Final(ctx, digest, NULL) == 1);
--#else
-- HMAC_Final(ctx, digest, NULL);
--#endif
-- HMAC_CTX_cleanup(ctx);
-+ RUNTIME_CHECK(HMAC_Final(ctx->ctx, digest, NULL) == 1);
-+ HMAC_CTX_free(ctx->ctx);
-+ ctx->ctx = NULL;
- }
-
- #elif PKCS11CRYPTO
-diff --git a/lib/isc/hmacsha.c b/lib/isc/hmacsha.c
-index ef1b8f0..c132aa2 100644
---- a/lib/isc/hmacsha.c
-+++ b/lib/isc/hmacsha.c
-@@ -32,32 +32,34 @@
- #endif
-
- #ifdef ISC_PLATFORM_OPENSSLHASH
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#define HMAC_CTX_new() &(ctx->_ctx), HMAC_CTX_init(&(ctx->_ctx))
-+#define HMAC_CTX_free(ptr) HMAC_CTX_cleanup(ptr)
-+#endif
-+
- void
- isc_hmacsha1_init(isc_hmacsha1_t *ctx, const unsigned char *key,
- unsigned int len)
- {
--#ifdef HMAC_RETURN_INT
-- RUNTIME_CHECK(HMAC_Init(ctx, (const void *) key,
-- (int) len, EVP_sha1()) == 1);
--#else
-- HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha1());
--#endif
-+ ctx->ctx = HMAC_CTX_new();
-+ RUNTIME_CHECK(ctx->ctx != NULL);
-+ RUNTIME_CHECK(HMAC_Init_ex(ctx->ctx, (const void *) key,
-+ (int) len, EVP_sha1(), NULL) == 1);
- }
-
- void
- isc_hmacsha1_invalidate(isc_hmacsha1_t *ctx) {
-- HMAC_CTX_cleanup(ctx);
-+ if (ctx->ctx == NULL)
-+ return;
-+ HMAC_CTX_free(ctx->ctx);
-+ ctx->ctx = NULL;
- }
-
- void
- isc_hmacsha1_update(isc_hmacsha1_t *ctx, const unsigned char *buf,
- unsigned int len)
- {
--#ifdef HMAC_RETURN_INT
-- RUNTIME_CHECK(HMAC_Update(ctx, buf, (int) len) == 1);
--#else
-- HMAC_Update(ctx, buf, (int) len);
--#endif
-+ RUNTIME_CHECK(HMAC_Update(ctx->ctx, buf, (int) len) == 1);
- }
-
- void
-@@ -66,12 +68,9 @@ isc_hmacsha1_sign(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len) {
-
- REQUIRE(len <= ISC_SHA1_DIGESTLENGTH);
-
--#ifdef HMAC_RETURN_INT
-- RUNTIME_CHECK(HMAC_Final(ctx, newdigest, NULL) == 1);
--#else
-- HMAC_Final(ctx, newdigest, NULL);
--#endif
-- HMAC_CTX_cleanup(ctx);
-+ RUNTIME_CHECK(HMAC_Final(ctx->ctx, newdigest, NULL) == 1);
-+ HMAC_CTX_free(ctx->ctx);
-+ ctx->ctx = NULL;
- memmove(digest, newdigest, len);
- memset(newdigest, 0, sizeof(newdigest));
- }
-@@ -80,28 +79,25 @@ void
- isc_hmacsha224_init(isc_hmacsha224_t *ctx, const unsigned char *key,
- unsigned int len)
- {
--#ifdef HMAC_RETURN_INT
-- RUNTIME_CHECK(HMAC_Init(ctx, (const void *) key,
-- (int) len, EVP_sha224()) == 1);
--#else
-- HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha224());
--#endif
-+ ctx->ctx = HMAC_CTX_new();
-+ RUNTIME_CHECK(ctx->ctx != NULL);
-+ RUNTIME_CHECK(HMAC_Init_ex(ctx->ctx, (const void *) key,
-+ (int) len, EVP_sha224(), NULL) == 1);
- }
-
- void
- isc_hmacsha224_invalidate(isc_hmacsha224_t *ctx) {
-- HMAC_CTX_cleanup(ctx);
-+ if (ctx->ctx == NULL)
-+ return;
-+ HMAC_CTX_free(ctx->ctx);
-+ ctx->ctx = NULL;
- }
-
- void
- isc_hmacsha224_update(isc_hmacsha224_t *ctx, const unsigned char *buf,
- unsigned int len)
- {
--#ifdef HMAC_RETURN_INT
-- RUNTIME_CHECK(HMAC_Update(ctx, buf, (int) len) == 1);
--#else
-- HMAC_Update(ctx, buf, (int) len);
--#endif
-+ RUNTIME_CHECK(HMAC_Update(ctx->ctx, buf, (int) len) == 1);
- }
-
- void
-@@ -110,12 +106,9 @@ isc_hmacsha224_sign(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len) {
-
- REQUIRE(len <= ISC_SHA224_DIGESTLENGTH);
-
--#ifdef HMAC_RETURN_INT
-- RUNTIME_CHECK(HMAC_Final(ctx, newdigest, NULL) == 1);
--#else
-- HMAC_Final(ctx, newdigest, NULL);
--#endif
-- HMAC_CTX_cleanup(ctx);
-+ RUNTIME_CHECK(HMAC_Final(ctx->ctx, newdigest, NULL) == 1);
-+ HMAC_CTX_free(ctx->ctx);
-+ ctx->ctx = NULL;
- memmove(digest, newdigest, len);
- memset(newdigest, 0, sizeof(newdigest));
- }
-@@ -124,28 +117,25 @@ void
- isc_hmacsha256_init(isc_hmacsha256_t *ctx, const unsigned char *key,
- unsigned int len)
- {
--#ifdef HMAC_RETURN_INT
-- RUNTIME_CHECK(HMAC_Init(ctx, (const void *) key,
-- (int) len, EVP_sha256()) == 1);
--#else
-- HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha256());
--#endif
-+ ctx->ctx = HMAC_CTX_new();
-+ RUNTIME_CHECK(ctx->ctx != NULL);
-+ RUNTIME_CHECK(HMAC_Init_ex(ctx->ctx, (const void *) key,
-+ (int) len, EVP_sha256(), NULL) == 1);
- }
-
- void
- isc_hmacsha256_invalidate(isc_hmacsha256_t *ctx) {
-- HMAC_CTX_cleanup(ctx);
-+ if (ctx->ctx == NULL)
-+ return;
-+ HMAC_CTX_free(ctx->ctx);
-+ ctx->ctx = NULL;
- }
-
- void
- isc_hmacsha256_update(isc_hmacsha256_t *ctx, const unsigned char *buf,
- unsigned int len)
- {
--#ifdef HMAC_RETURN_INT
-- RUNTIME_CHECK(HMAC_Update(ctx, buf, (int) len) == 1);
--#else
-- HMAC_Update(ctx, buf, (int) len);
--#endif
-+ RUNTIME_CHECK(HMAC_Update(ctx->ctx, buf, (int) len) == 1);
- }
-
- void
-@@ -154,12 +144,9 @@ isc_hmacsha256_sign(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len) {
-
- REQUIRE(len <= ISC_SHA256_DIGESTLENGTH);
-
--#ifdef HMAC_RETURN_INT
-- RUNTIME_CHECK(HMAC_Final(ctx, newdigest, NULL) == 1);
--#else
-- HMAC_Final(ctx, newdigest, NULL);
--#endif
-- HMAC_CTX_cleanup(ctx);
-+ RUNTIME_CHECK(HMAC_Final(ctx->ctx, newdigest, NULL) == 1);
-+ HMAC_CTX_free(ctx->ctx);
-+ ctx->ctx = NULL;
- memmove(digest, newdigest, len);
- memset(newdigest, 0, sizeof(newdigest));
- }
-@@ -168,28 +155,25 @@ void
- isc_hmacsha384_init(isc_hmacsha384_t *ctx, const unsigned char *key,
- unsigned int len)
- {
--#ifdef HMAC_RETURN_INT
-- RUNTIME_CHECK(HMAC_Init(ctx, (const void *) key,
-- (int) len, EVP_sha384()) == 1);
--#else
-- HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha384());
--#endif
-+ ctx->ctx = HMAC_CTX_new();
-+ RUNTIME_CHECK(ctx->ctx != NULL);
-+ RUNTIME_CHECK(HMAC_Init_ex(ctx->ctx, (const void *) key,
-+ (int) len, EVP_sha384(), NULL) == 1);
- }
-
- void
- isc_hmacsha384_invalidate(isc_hmacsha384_t *ctx) {
-- HMAC_CTX_cleanup(ctx);
-+ if (ctx->ctx == NULL)
-+ return;
-+ HMAC_CTX_free(ctx->ctx);
-+ ctx->ctx = NULL;
- }
-
- void
- isc_hmacsha384_update(isc_hmacsha384_t *ctx, const unsigned char *buf,
- unsigned int len)
- {
--#ifdef HMAC_RETURN_INT
-- RUNTIME_CHECK(HMAC_Update(ctx, buf, (int) len) == 1);
--#else
-- HMAC_Update(ctx, buf, (int) len);
--#endif
-+ RUNTIME_CHECK(HMAC_Update(ctx->ctx, buf, (int) len) == 1);
- }
-
- void
-@@ -198,12 +182,9 @@ isc_hmacsha384_sign(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len) {
-
- REQUIRE(len <= ISC_SHA384_DIGESTLENGTH);
-
--#ifdef HMAC_RETURN_INT
-- RUNTIME_CHECK(HMAC_Final(ctx, newdigest, NULL) == 1);
--#else
-- HMAC_Final(ctx, newdigest, NULL);
--#endif
-- HMAC_CTX_cleanup(ctx);
-+ RUNTIME_CHECK(HMAC_Final(ctx->ctx, newdigest, NULL) == 1);
-+ HMAC_CTX_free(ctx->ctx);
-+ ctx->ctx = NULL;
- memmove(digest, newdigest, len);
- memset(newdigest, 0, sizeof(newdigest));
- }
-@@ -212,28 +193,25 @@ void
- isc_hmacsha512_init(isc_hmacsha512_t *ctx, const unsigned char *key,
- unsigned int len)
- {
--#ifdef HMAC_RETURN_INT
-- RUNTIME_CHECK(HMAC_Init(ctx, (const void *) key,
-- (int) len, EVP_sha512()) == 1);
--#else
-- HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha512());
--#endif
-+ ctx->ctx = HMAC_CTX_new();
-+ RUNTIME_CHECK(ctx->ctx != NULL);
-+ RUNTIME_CHECK(HMAC_Init_ex(ctx->ctx, (const void *) key,
-+ (int) len, EVP_sha512(), NULL) == 1);
- }
-
- void
- isc_hmacsha512_invalidate(isc_hmacsha512_t *ctx) {
-- HMAC_CTX_cleanup(ctx);
-+ if (ctx->ctx == NULL)
-+ return;
-+ HMAC_CTX_free(ctx->ctx);
-+ ctx->ctx = NULL;
- }
-
- void
- isc_hmacsha512_update(isc_hmacsha512_t *ctx, const unsigned char *buf,
- unsigned int len)
- {
--#ifdef HMAC_RETURN_INT
-- RUNTIME_CHECK(HMAC_Update(ctx, buf, (int) len) == 1);
--#else
-- HMAC_Update(ctx, buf, (int) len);
--#endif
-+ RUNTIME_CHECK(HMAC_Update(ctx->ctx, buf, (int) len) == 1);
- }
-
- void
-@@ -242,12 +220,9 @@ isc_hmacsha512_sign(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len) {
-
- REQUIRE(len <= ISC_SHA512_DIGESTLENGTH);
-
--#ifdef HMAC_RETURN_INT
-- RUNTIME_CHECK(HMAC_Final(ctx, newdigest, NULL) == 1);
--#else
-- HMAC_Final(ctx, newdigest, NULL);
--#endif
-- HMAC_CTX_cleanup(ctx);
-+ RUNTIME_CHECK(HMAC_Final(ctx->ctx, newdigest, NULL) == 1);
-+ HMAC_CTX_free(ctx->ctx);
-+ ctx->ctx = NULL;
- memmove(digest, newdigest, len);
- memset(newdigest, 0, sizeof(newdigest));
- }
-diff --git a/lib/isc/include/isc/hmacmd5.h b/lib/isc/include/isc/hmacmd5.h
-index 9d18b47..1ff0b87 100644
---- a/lib/isc/include/isc/hmacmd5.h
-+++ b/lib/isc/include/isc/hmacmd5.h
-@@ -28,9 +28,15 @@
- #define ISC_HMACMD5_KEYLENGTH 64
-
- #ifdef ISC_PLATFORM_OPENSSLHASH
-+#include <openssl/opensslv.h>
- #include <openssl/hmac.h>
-
--typedef HMAC_CTX isc_hmacmd5_t;
-+typedef struct {
-+ HMAC_CTX *ctx;
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+ HMAC_CTX _ctx;
-+#endif
-+} isc_hmacmd5_t;
-
- #elif PKCS11CRYPTO
- #include <pk11/pk11.h>
-diff --git a/lib/isc/include/isc/hmacsha.h b/lib/isc/include/isc/hmacsha.h
-index 30808fb..d90c194 100644
---- a/lib/isc/include/isc/hmacsha.h
-+++ b/lib/isc/include/isc/hmacsha.h
-@@ -29,13 +29,21 @@
- #define ISC_HMACSHA512_KEYLENGTH ISC_SHA512_BLOCK_LENGTH
-
- #ifdef ISC_PLATFORM_OPENSSLHASH
-+#include <openssl/opensslv.h>
- #include <openssl/hmac.h>
-
--typedef HMAC_CTX isc_hmacsha1_t;
--typedef HMAC_CTX isc_hmacsha224_t;
--typedef HMAC_CTX isc_hmacsha256_t;
--typedef HMAC_CTX isc_hmacsha384_t;
--typedef HMAC_CTX isc_hmacsha512_t;
-+typedef struct {
-+ HMAC_CTX *ctx;
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+ HMAC_CTX _ctx;
-+#endif
-+} isc_hmacsha_t;
-+
-+typedef isc_hmacsha_t isc_hmacsha1_t;
-+typedef isc_hmacsha_t isc_hmacsha224_t;
-+typedef isc_hmacsha_t isc_hmacsha256_t;
-+typedef isc_hmacsha_t isc_hmacsha384_t;
-+typedef isc_hmacsha_t isc_hmacsha512_t;
-
- #elif PKCS11CRYPTO
- #include <pk11/pk11.h>
-diff --git a/lib/isc/include/isc/md5.h b/lib/isc/include/isc/md5.h
-index 0af4e27..b707aa6 100644
---- a/lib/isc/include/isc/md5.h
-+++ b/lib/isc/include/isc/md5.h
-@@ -46,9 +46,15 @@
- #define ISC_MD5_BLOCK_LENGTH 64U
-
- #ifdef ISC_PLATFORM_OPENSSLHASH
-+#include <openssl/opensslv.h>
- #include <openssl/evp.h>
-
--typedef EVP_MD_CTX isc_md5_t;
-+typedef struct {
-+ EVP_MD_CTX *ctx;
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+ EVP_MD_CTX _ctx;
-+#endif
-+} isc_md5_t;
-
- #elif PKCS11CRYPTO
- #include <pk11/pk11.h>
-diff --git a/lib/isc/include/isc/sha1.h b/lib/isc/include/isc/sha1.h
-index c4fbfd3..7160a66 100644
---- a/lib/isc/include/isc/sha1.h
-+++ b/lib/isc/include/isc/sha1.h
-@@ -27,9 +27,15 @@
- #define ISC_SHA1_BLOCK_LENGTH 64U
-
- #ifdef ISC_PLATFORM_OPENSSLHASH
-+#include <openssl/opensslv.h>
- #include <openssl/evp.h>
-
--typedef EVP_MD_CTX isc_sha1_t;
-+typedef struct {
-+ EVP_MD_CTX *ctx;
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+ EVP_MD_CTX _ctx;
-+#endif
-+} isc_sha1_t;
-
- #elif PKCS11CRYPTO
- #include <pk11/pk11.h>
-diff --git a/lib/isc/include/isc/sha2.h b/lib/isc/include/isc/sha2.h
-index 8a28bed..196f120 100644
---- a/lib/isc/include/isc/sha2.h
-+++ b/lib/isc/include/isc/sha2.h
-@@ -71,10 +71,18 @@
- /*** SHA-256/384/512 Context Structures *******************************/
-
- #ifdef ISC_PLATFORM_OPENSSLHASH
-+#include <openssl/opensslv.h>
- #include <openssl/evp.h>
-
--typedef EVP_MD_CTX isc_sha256_t;
--typedef EVP_MD_CTX isc_sha512_t;
-+typedef struct {
-+ EVP_MD_CTX *ctx;
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+ EVP_MD_CTX _ctx;
-+#endif
-+} isc_sha2_t;
-+
-+typedef isc_sha2_t isc_sha256_t;
-+typedef isc_sha2_t isc_sha512_t;
-
- #elif PKCS11CRYPTO
- #include <pk11/pk11.h>
-diff --git a/lib/isc/md5.c b/lib/isc/md5.c
-index 0a79263..8ada1cc 100644
---- a/lib/isc/md5.c
-+++ b/lib/isc/md5.c
-@@ -45,28 +45,38 @@
- #include <isc/util.h>
-
- #ifdef ISC_PLATFORM_OPENSSLHASH
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#define EVP_MD_CTX_new() &(ctx->_ctx)
-+#define EVP_MD_CTX_free(ptr) EVP_MD_CTX_cleanup(ptr)
-+#endif
-+
- void
- isc_md5_init(isc_md5_t *ctx) {
-- RUNTIME_CHECK(EVP_DigestInit(ctx, EVP_md5()) == 1);
-+ ctx->ctx = EVP_MD_CTX_new();
-+ RUNTIME_CHECK(ctx->ctx != NULL);
-+ RUNTIME_CHECK(EVP_DigestInit(ctx->ctx, EVP_md5()) == 1);
- }
-
- void
- isc_md5_invalidate(isc_md5_t *ctx) {
-- EVP_MD_CTX_cleanup(ctx);
-+ EVP_MD_CTX_free(ctx->ctx);
-+ ctx->ctx = NULL;
- }
-
- void
- isc_md5_update(isc_md5_t *ctx, const unsigned char *buf, unsigned int len) {
- if (len == 0U)
- return;
-- RUNTIME_CHECK(EVP_DigestUpdate(ctx,
-+ RUNTIME_CHECK(EVP_DigestUpdate(ctx->ctx,
- (const void *) buf,
- (size_t) len) == 1);
- }
-
- void
- isc_md5_final(isc_md5_t *ctx, unsigned char *digest) {
-- RUNTIME_CHECK(EVP_DigestFinal(ctx, digest, NULL) == 1);
-+ RUNTIME_CHECK(EVP_DigestFinal(ctx->ctx, digest, NULL) == 1);
-+ EVP_MD_CTX_free(ctx->ctx);
-+ ctx->ctx = NULL;
- }
-
- #elif PKCS11CRYPTO
-diff --git a/lib/isc/sha1.c b/lib/isc/sha1.c
-index e41b17c..1b7bc19 100644
---- a/lib/isc/sha1.c
-+++ b/lib/isc/sha1.c
-@@ -41,17 +41,25 @@
- #endif
-
- #ifdef ISC_PLATFORM_OPENSSLHASH
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#define EVP_MD_CTX_new() &(context->_ctx)
-+#define EVP_MD_CTX_free(ptr) EVP_MD_CTX_cleanup(ptr)
-+#endif
-+
- void
- isc_sha1_init(isc_sha1_t *context)
- {
- INSIST(context != NULL);
-
-- RUNTIME_CHECK(EVP_DigestInit(context, EVP_sha1()) == 1);
-+ context->ctx = EVP_MD_CTX_new();
-+ RUNTIME_CHECK(context->ctx != NULL);
-+ RUNTIME_CHECK(EVP_DigestInit(context->ctx, EVP_sha1()) == 1);
- }
-
- void
- isc_sha1_invalidate(isc_sha1_t *context) {
-- EVP_MD_CTX_cleanup(context);
-+ EVP_MD_CTX_free(context->ctx);
-+ context->ctx = NULL;
- }
-
- void
-@@ -59,9 +67,10 @@ isc_sha1_update(isc_sha1_t *context, const unsigned char *data,
- unsigned int len)
- {
- INSIST(context != 0);
-+ INSIST(context->ctx != 0);
- INSIST(data != 0);
-
-- RUNTIME_CHECK(EVP_DigestUpdate(context,
-+ RUNTIME_CHECK(EVP_DigestUpdate(context->ctx,
- (const void *) data,
- (size_t) len) == 1);
- }
-@@ -70,8 +79,11 @@ void
- isc_sha1_final(isc_sha1_t *context, unsigned char *digest) {
- INSIST(digest != 0);
- INSIST(context != 0);
-+ INSIST(context->ctx != 0);
-
-- RUNTIME_CHECK(EVP_DigestFinal(context, digest, NULL) == 1);
-+ RUNTIME_CHECK(EVP_DigestFinal(context->ctx, digest, NULL) == 1);
-+ EVP_MD_CTX_free(context->ctx);
-+ context->ctx = NULL;
- }
-
- #elif PKCS11CRYPTO
-diff --git a/lib/isc/sha2.c b/lib/isc/sha2.c
-index a3c00c9..26a940a 100644
---- a/lib/isc/sha2.c
-+++ b/lib/isc/sha2.c
-@@ -61,18 +61,26 @@
- #endif
-
- #ifdef ISC_PLATFORM_OPENSSLHASH
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#define EVP_MD_CTX_new() &(context->_ctx)
-+#define EVP_MD_CTX_free(ptr) EVP_MD_CTX_cleanup(ptr)
-+#define EVP_MD_CTX_reset(c) EVP_MD_CTX_cleanup(c)
-+#endif
-
- void
- isc_sha224_init(isc_sha224_t *context) {
- if (context == (isc_sha224_t *)0) {
- return;
- }
-- RUNTIME_CHECK(EVP_DigestInit(context, EVP_sha224()) == 1);
-+ context->ctx = EVP_MD_CTX_new();
-+ RUNTIME_CHECK(context->ctx != NULL);
-+ RUNTIME_CHECK(EVP_DigestInit(context->ctx, EVP_sha224()) == 1);
- }
-
- void
- isc_sha224_invalidate(isc_sha224_t *context) {
-- EVP_MD_CTX_cleanup(context);
-+ EVP_MD_CTX_free(context->ctx);
-+ context->ctx = NULL;
- }
-
- void
-@@ -83,9 +91,11 @@ isc_sha224_update(isc_sha224_t *context, const isc_uint8_t* data, size_t len) {
- }
-
- /* Sanity check: */
-- REQUIRE(context != (isc_sha224_t *)0 && data != (isc_uint8_t*)0);
-+ REQUIRE(context != (isc_sha224_t *)0);
-+ REQUIRE(context->ctx != (EVP_MD_CTX *)0);
-+ REQUIRE(data != (isc_uint8_t*)0);
-
-- RUNTIME_CHECK(EVP_DigestUpdate(context,
-+ RUNTIME_CHECK(EVP_DigestUpdate(context->ctx,
- (const void *) data, len) == 1);
- }
-
-@@ -93,13 +103,14 @@ void
- isc_sha224_final(isc_uint8_t digest[], isc_sha224_t *context) {
- /* Sanity check: */
- REQUIRE(context != (isc_sha224_t *)0);
-+ REQUIRE(context->ctx != (EVP_MD_CTX *)0);
-
- /* If no digest buffer is passed, we don't bother doing this: */
-- if (digest != (isc_uint8_t*)0) {
-- RUNTIME_CHECK(EVP_DigestFinal(context, digest, NULL) == 1);
-- } else {
-- EVP_MD_CTX_cleanup(context);
-- }
-+ if (digest != (isc_uint8_t*)0)
-+ RUNTIME_CHECK(EVP_DigestFinal(context->ctx,
-+ digest, NULL) == 1);
-+ EVP_MD_CTX_free(context->ctx);
-+ context->ctx = NULL;
- }
-
- void
-@@ -107,12 +118,15 @@ isc_sha256_init(isc_sha256_t *context) {
- if (context == (isc_sha256_t *)0) {
- return;
- }
-- RUNTIME_CHECK(EVP_DigestInit(context, EVP_sha256()) == 1);
-+ context->ctx = EVP_MD_CTX_new();
-+ RUNTIME_CHECK(context->ctx != NULL);
-+ RUNTIME_CHECK(EVP_DigestInit(context->ctx, EVP_sha256()) == 1);
- }
-
- void
- isc_sha256_invalidate(isc_sha256_t *context) {
-- EVP_MD_CTX_cleanup(context);
-+ EVP_MD_CTX_free(context->ctx);
-+ context->ctx = NULL;
- }
-
- void
-@@ -123,9 +137,11 @@ isc_sha256_update(isc_sha256_t *context, const isc_uint8_t *data, size_t len) {
- }
-
- /* Sanity check: */
-- REQUIRE(context != (isc_sha256_t *)0 && data != (isc_uint8_t*)0);
-+ REQUIRE(context != (isc_sha256_t *)0);
-+ REQUIRE(context->ctx != (EVP_MD_CTX *)0);
-+ REQUIRE(data != (isc_uint8_t*)0);
-
-- RUNTIME_CHECK(EVP_DigestUpdate(context,
-+ RUNTIME_CHECK(EVP_DigestUpdate(context->ctx,
- (const void *) data, len) == 1);
- }
-
-@@ -133,13 +149,14 @@ void
- isc_sha256_final(isc_uint8_t digest[], isc_sha256_t *context) {
- /* Sanity check: */
- REQUIRE(context != (isc_sha256_t *)0);
-+ REQUIRE(context->ctx != (EVP_MD_CTX *)0);
-
- /* If no digest buffer is passed, we don't bother doing this: */
-- if (digest != (isc_uint8_t*)0) {
-- RUNTIME_CHECK(EVP_DigestFinal(context, digest, NULL) == 1);
-- } else {
-- EVP_MD_CTX_cleanup(context);
-- }
-+ if (digest != (isc_uint8_t*)0)
-+ RUNTIME_CHECK(EVP_DigestFinal(context->ctx,
-+ digest, NULL) == 1);
-+ EVP_MD_CTX_free(context->ctx);
-+ context->ctx = NULL;
- }
-
- void
-@@ -147,12 +164,15 @@ isc_sha512_init(isc_sha512_t *context) {
- if (context == (isc_sha512_t *)0) {
- return;
- }
-- RUNTIME_CHECK(EVP_DigestInit(context, EVP_sha512()) == 1);
-+ context->ctx = EVP_MD_CTX_new();
-+ RUNTIME_CHECK(context->ctx != NULL);
-+ RUNTIME_CHECK(EVP_DigestInit(context->ctx, EVP_sha512()) == 1);
- }
-
- void
- isc_sha512_invalidate(isc_sha512_t *context) {
-- EVP_MD_CTX_cleanup(context);
-+ EVP_MD_CTX_free(context->ctx);
-+ context->ctx = NULL;
- }
-
- void isc_sha512_update(isc_sha512_t *context, const isc_uint8_t *data, size_t len) {
-@@ -162,22 +182,25 @@ void isc_sha512_update(isc_sha512_t *context, const isc_uint8_t *data, size_t le
- }
-
- /* Sanity check: */
-- REQUIRE(context != (isc_sha512_t *)0 && data != (isc_uint8_t*)0);
-+ REQUIRE(context != (isc_sha512_t *)0);
-+ REQUIRE(context->ctx != (EVP_MD_CTX *)0);
-+ REQUIRE(data != (isc_uint8_t*)0);
-
-- RUNTIME_CHECK(EVP_DigestUpdate(context,
-+ RUNTIME_CHECK(EVP_DigestUpdate(context->ctx,
- (const void *) data, len) == 1);
- }
-
- void isc_sha512_final(isc_uint8_t digest[], isc_sha512_t *context) {
- /* Sanity check: */
- REQUIRE(context != (isc_sha512_t *)0);
-+ REQUIRE(context->ctx != (EVP_MD_CTX *)0);
-
- /* If no digest buffer is passed, we don't bother doing this: */
-- if (digest != (isc_uint8_t*)0) {
-- RUNTIME_CHECK(EVP_DigestFinal(context, digest, NULL) == 1);
-- } else {
-- EVP_MD_CTX_cleanup(context);
-- }
-+ if (digest != (isc_uint8_t*)0)
-+ RUNTIME_CHECK(EVP_DigestFinal(context->ctx,
-+ digest, NULL) == 1);
-+ EVP_MD_CTX_free(context->ctx);
-+ context->ctx = NULL;
- }
-
- void
-@@ -185,12 +208,15 @@ isc_sha384_init(isc_sha384_t *context) {
- if (context == (isc_sha384_t *)0) {
- return;
- }
-- RUNTIME_CHECK(EVP_DigestInit(context, EVP_sha384()) == 1);
-+ context->ctx = EVP_MD_CTX_new();
-+ RUNTIME_CHECK(context->ctx != NULL);
-+ RUNTIME_CHECK(EVP_DigestInit(context->ctx, EVP_sha384()) == 1);
- }
-
- void
- isc_sha384_invalidate(isc_sha384_t *context) {
-- EVP_MD_CTX_cleanup(context);
-+ EVP_MD_CTX_free(context->ctx);
-+ context->ctx = NULL;
- }
-
- void
-@@ -201,9 +227,11 @@ isc_sha384_update(isc_sha384_t *context, const isc_uint8_t* data, size_t len) {
- }
-
- /* Sanity check: */
-- REQUIRE(context != (isc_sha512_t *)0 && data != (isc_uint8_t*)0);
-+ REQUIRE(context != (isc_sha512_t *)0);
-+ REQUIRE(context->ctx != (EVP_MD_CTX *)0);
-+ REQUIRE(data != (isc_uint8_t*)0);
-
-- RUNTIME_CHECK(EVP_DigestUpdate(context,
-+ RUNTIME_CHECK(EVP_DigestUpdate(context->ctx,
- (const void *) data, len) == 1);
- }
-
-@@ -211,13 +239,14 @@ void
- isc_sha384_final(isc_uint8_t digest[], isc_sha384_t *context) {
- /* Sanity check: */
- REQUIRE(context != (isc_sha384_t *)0);
-+ REQUIRE(context->ctx != (EVP_MD_CTX *)0);
-
- /* If no digest buffer is passed, we don't bother doing this: */
-- if (digest != (isc_uint8_t*)0) {
-- RUNTIME_CHECK(EVP_DigestFinal(context, digest, NULL) == 1);
-- } else {
-- EVP_MD_CTX_cleanup(context);
-- }
-+ if (digest != (isc_uint8_t*)0)
-+ RUNTIME_CHECK(EVP_DigestFinal(context->ctx,
-+ digest, NULL) == 1);
-+ EVP_MD_CTX_free(context->ctx);
-+ context->ctx = NULL;
- }
-
- #elif PKCS11CRYPTO
-@@ -1578,7 +1607,7 @@ isc_sha224_end(isc_sha224_t *context, char buffer[]) {
- *buffer = (char)0;
- } else {
- #ifdef ISC_PLATFORM_OPENSSLHASH
-- EVP_MD_CTX_cleanup(context);
-+ EVP_MD_CTX_reset(context->ctx);
- #elif PKCS11CRYPTO
- pk11_return_session(context);
- #else
-@@ -1619,7 +1648,7 @@ isc_sha256_end(isc_sha256_t *context, char buffer[]) {
- *buffer = (char)0;
- } else {
- #ifdef ISC_PLATFORM_OPENSSLHASH
-- EVP_MD_CTX_cleanup(context);
-+ EVP_MD_CTX_reset(context->ctx);
- #elif PKCS11CRYPTO
- pk11_return_session(context);
- #else
-@@ -1660,7 +1689,7 @@ isc_sha512_end(isc_sha512_t *context, char buffer[]) {
- *buffer = (char)0;
- } else {
- #ifdef ISC_PLATFORM_OPENSSLHASH
-- EVP_MD_CTX_cleanup(context);
-+ EVP_MD_CTX_reset(context->ctx);
- #elif PKCS11CRYPTO
- pk11_return_session(context);
- #else
-@@ -1701,7 +1730,7 @@ isc_sha384_end(isc_sha384_t *context, char buffer[]) {
- *buffer = (char)0;
- } else {
- #ifdef ISC_PLATFORM_OPENSSLHASH
-- EVP_MD_CTX_cleanup(context);
-+ EVP_MD_CTX_reset(context->ctx);
- #elif PKCS11CRYPTO
- pk11_return_session(context);
- #else
-diff --git a/win32utils/Configure b/win32utils/Configure
-index 9aef5bc..0e2da8e 100644
---- a/win32utils/Configure
-+++ b/win32utils/Configure
-@@ -432,7 +432,6 @@ my @substdefh = ("AES_CC",
- "HAVE_PKCS11_GOST",
- "HAVE_READLINE",
- "HAVE_ZLIB",
-- "HMAC_RETURN_INT",
- "HMAC_SHA1_CC",
- "HMAC_SHA256_CC",
- "ISC_LIST_CHECKINIT",
-@@ -1590,8 +1589,14 @@ if ($use_openssl eq "no") {
- foreach $file (sort {uc($b) cmp uc($a)} @dirlist) {
- if (-f File::Spec->catfile($openssl_path,
- $file,
-- "inc32\\openssl",
-- "opensslv.h")) {
-+ "inc32\\openssl\\opensslv.h")) {
-+ $openssl_path = File::Spec->catdir($openssl_path, $file);
-+ $use_openssl = "yes";
-+ last;
-+ }
-+ if (-f File::Spec->catfile($openssl_path,
-+ $file,
-+ "include\\openssl\\opensslv.h")) {
- $openssl_path = File::Spec->catdir($openssl_path, $file);
- $use_openssl = "yes";
- last;
-@@ -1609,21 +1614,50 @@ if ($use_openssl eq "yes") {
- if ($verbose) {
- print "checking for OpenSSL built directory at \"$openssl_path\"\n";
- }
-+ my $openssl_new = 0;
- if (!-f File::Spec->catfile($openssl_path,
-- "inc32\\openssl",
-- "opensslv.h")) {
-- die "can't find OpenSSL opensslv.h include\n";
-- }
-- if (!-f File::Spec->catfile($openssl_path, "out32dll", "libeay32.lib")) {
-- die "can't find OpenSSL libeay32.lib library\n";
-- }
-- if (!-f File::Spec->catfile($openssl_path, "out32dll", "libeay32.dll")) {
-- die "can't find OpenSSL libeay32.dll DLL\n";
-+ "inc32\\openssl\\opensslv.h")) {
-+ $openssl_new = 1;
-+ if (!-f File::Spec->catfile($openssl_path,
-+ "include\\openssl\\opensslv.h")) {
-+ die "can't find OpenSSL opensslv.h include\n";
-+ }
- }
- my $openssl_inc = File::Spec->catdir($openssl_path, "inc32");
- my $openssl_libdir = File::Spec->catdir($openssl_path, "out32dll");
- my $openssl_lib = File::Spec->catfile($openssl_libdir, "libeay32.lib");
- my $openssl_dll = File::Spec->catfile($openssl_libdir, "libeay32.dll");
-+ if (!$openssl_new) {
-+ # Check libraries are where we expect
-+ if (!-f $openssl_lib) {
-+ die "can't find OpenSSL libeay32.lib library\n";
-+ }
-+ if (!-f $openssl_dll) {
-+ die "can't find OpenSSL libeay32.dll DLL\n";
-+ }
-+ } else {
-+ # OpenSSL >= 1.1 is easier at the exception of the DLL
-+ if ($verbose) {
-+ print "new (>= 1.1) OpenSSL version\n";
-+ }
-+ $openssl_inc = File::Spec->catdir($openssl_path, "include");
-+ $openssl_libdir = $openssl_path;
-+ $openssl_lib = File::Spec->catfile($openssl_path, "libcrypto.lib");
-+ if (!-f $openssl_lib) {
-+ die "can't find OpenSSL libcrypto.lib library\n";
-+ }
-+ opendir DIR, $openssl_path || die "No Directory: $!\n";
-+ my @dirlist = grep (/^libcrypto-[^.]+\.dll$/i, readdir(DIR));
-+ closedir(DIR);
-+ # We must get one file only
-+ if (scalar(@dirlist) == 0) {
-+ die "can't find OpenSSL libcrypto-*.dll DLL\n";
-+ }
-+ if (scalar(@dirlist) != 1) {
-+ die "find more than one OpenSSL libcrypto-*.dll DLL candidate\n";
-+ }
-+ $openssl_dll = File::Spec->catdir($openssl_path, "@dirlist[0]");
-+ }
-
- $configcond{"OPENSSL"} = 1;
- $configdefd{"CRYPTO"} = "OPENSSL";
-@@ -2055,30 +2089,6 @@ if ($enable_openssl_hash eq "yes") {
- die "No OpenSSL for hash functions\n";
- }
- $configdefp{"ISC_PLATFORM_OPENSSLHASH"} = 1;
-- if ($verbose) {
-- print "checking HMAC_Init() return type\n";
-- }
-- open F, ">testhmac.c" || die $!;
-- print F << 'EOF';
--#include <openssl/hmac.h>
--
--int
--main(void)
--{
-- HMAC_CTX ctx;
-- int n = HMAC_Init(&ctx, NULL, 0, NULL);
-- n += HMAC_Update(&ctx, NULL, 0);
-- n += HMAC_Final(&ctx, NULL, NULL);
-- return(n);
--}
--EOF
-- close F;
-- my $include = $configinc{"OPENSSL_INC"};
-- my $library = $configlib{"OPENSSL_LIB"};
-- $compret = `cl /nologo /MD /I "$include" testhmac.c "$library"`;
-- if (grep { -f and -x } ".\\testhmac.exe") {
-- $configdefh{"HMAC_RETURN_INT"} = 1;
-- }
- }
-
- # with-pkcs11
-@@ -3186,7 +3196,11 @@ sub makeinstallfile {
- print LOUT "liblwres.dll-BCFT\n";
- print LOUT "libirs.dll-BCFT\n";
- if ($use_openssl eq "yes") {
-- print LOUT "libeay32.dll-BCFT\n";
-+ my $v;
-+ my $d;
-+ my $name;
-+ ($v, $d, $name) =File::Spec->splitpath($configdll{"OPENSSL_DLL"});
-+ print LOUT "${name}-BCFT\n";
- }
- if ($use_libxml2 eq "yes") {
- print LOUT "libxml2.dll-BCFT\n";
---
-2.9.0
-
-
diff --git a/bind-9.10-sdb.patch b/bind-9.10-sdb.patch
index 333ebc6..f2179b0 100644
--- a/bind-9.10-sdb.patch
+++ b/bind-9.10-sdb.patch
@@ -1,8 +1,8 @@
diff --git a/bin/Makefile.in b/bin/Makefile.in
-index 7654169..b4c9c03 100644
+index 7d21984..015ff45 100644
--- a/bin/Makefile.in
+++ b/bin/Makefile.in
-@@ -19,8 +19,8 @@ srcdir = @srcdir@
+@@ -10,8 +10,8 @@ srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
@@ -14,10 +14,10 @@ index 7654169..b4c9c03 100644
@BIND9_MAKE_RULES@
diff --git a/bin/named-sdb/Makefile.in b/bin/named-sdb/Makefile.in
-index ba5ec3c..d7ac259 100644
+index 9c14b73..36e7916 100644
--- a/bin/named-sdb/Makefile.in
+++ b/bin/named-sdb/Makefile.in
-@@ -34,10 +34,10 @@ top_srcdir = @top_srcdir@
+@@ -23,10 +23,10 @@ VERSION=@BIND9_VERSION@
#
# Add database drivers here.
#
@@ -31,7 +31,7 @@ index ba5ec3c..d7ac259 100644
DLZ_DRIVER_DIR = ${top_srcdir}/contrib/dlz/drivers
-@@ -83,7 +83,7 @@ NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
+@@ -72,7 +72,7 @@ NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
SUBDIRS = unix
@@ -40,39 +40,46 @@ index ba5ec3c..d7ac259 100644
GEOIPLINKOBJS = geoip.@O@
-@@ -144,7 +144,7 @@ server.@O@: server.c
+@@ -139,7 +139,7 @@ server.@O@: server.c
-DPRODUCT=\"${PRODUCT}\" \
-DVERSION=\"${VERSION}\" -c ${srcdir}/server.c
-
+
-named@EXEEXT@: ${OBJS} ${UOBJS} ${DEPLIBS}
+named-sdb@EXEEXT@: ${OBJS} ${UOBJS} ${DEPLIBS}
export MAKE_SYMTABLE="yes"; \
export BASEOBJS="${OBJS} ${UOBJS}"; \
${FINALBUILDCMD}
-@@ -171,15 +171,9 @@ statschannel.@O@: bind9.xsl.h
+@@ -166,22 +166,12 @@ statschannel.@O@: bind9.xsl.h
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man5
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
--
+
-install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir}
- (cd ${DESTDIR}${sbindir}; rm -f lwresd@EXEEXT@; @LN@ named@EXEEXT@ lwresd@EXEEXT@)
- ${INSTALL_DATA} ${srcdir}/named.8 ${DESTDIR}${mandir}/man8
- ${INSTALL_DATA} ${srcdir}/lwresd.8 ${DESTDIR}${mandir}/man8
- ${INSTALL_DATA} ${srcdir}/named.conf.5 ${DESTDIR}${mandir}/man5
-+
+install:: named-sdb@EXEEXT@ installdirs
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-sdb@EXEEXT@ ${DESTDIR}${sbindir}
+ uninstall::
+- rm -f ${DESTDIR}${mandir}/man5/named.conf.5
+- rm -f ${DESTDIR}${mandir}/man8/lwresd.8
+- rm -f ${DESTDIR}${mandir}/man8/named.8
+- rm -f ${DESTDIR}${sbindir}/lwresd@EXEEXT@
+- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named@EXEEXT@
++ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named-sdb@EXEEXT@
+
@DLZ_DRIVER_RULES@
diff --git a/bin/named-sdb/main.c b/bin/named-sdb/main.c
-index 306295f..a7f3327 100644
+index 00002a9..cb9b5f5 100644
--- a/bin/named-sdb/main.c
+++ b/bin/named-sdb/main.c
-@@ -91,6 +91,10 @@
+@@ -88,6 +88,10 @@
* Include header files for database drivers here.
*/
/* #include "xxdb.h" */
@@ -83,7 +90,7 @@ index 306295f..a7f3327 100644
#ifdef CONTRIB_DLZ
/*
-@@ -985,6 +989,11 @@ setup(void) {
+@@ -1052,6 +1056,11 @@ setup(void) {
ns_main_earlyfatal("isc_app_start() failed: %s",
isc_result_totext(result));
@@ -95,7 +102,7 @@ index 306295f..a7f3327 100644
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
ISC_LOG_NOTICE, "starting %s %s%s%s <id:%s>",
ns_g_product, ns_g_version,
-@@ -1099,6 +1108,75 @@ setup(void) {
+@@ -1173,6 +1182,75 @@ setup(void) {
isc_result_totext(result));
#endif
@@ -171,7 +178,7 @@ index 306295f..a7f3327 100644
ns_server_create(ns_g_mctx, &ns_g_server);
#ifdef HAVE_LIBSECCOMP
-@@ -1138,6 +1216,11 @@ cleanup(void) {
+@@ -1215,6 +1293,11 @@ cleanup(void) {
dns_name_destroy();
@@ -184,10 +191,10 @@ index 306295f..a7f3327 100644
ISC_LOG_NOTICE, "exiting");
ns_log_shutdown();
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
-index ba5ec3c..2c88f46 100644
+index 9c14b73..08318a2 100644
--- a/bin/named/Makefile.in
+++ b/bin/named/Makefile.in
-@@ -49,9 +49,9 @@ DLZDRIVER_LIBS = @DLZ_DRIVER_LIBS@
+@@ -38,9 +38,9 @@ DLZDRIVER_LIBS = @DLZ_DRIVER_LIBS@
CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \
${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \
@@ -199,7 +206,7 @@ index ba5ec3c..2c88f46 100644
CWARNINGS =
-@@ -75,11 +75,11 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
+@@ -64,11 +64,11 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} \
@@ -213,7 +220,7 @@ index ba5ec3c..2c88f46 100644
SUBDIRS = unix
-@@ -94,8 +94,7 @@ OBJS = builtin.@O@ client.@O@ config.@O@ control.@O@ \
+@@ -83,8 +83,7 @@ OBJS = builtin.@O@ client.@O@ config.@O@ control.@O@ \
tkeyconf.@O@ tsigconf.@O@ update.@O@ xfrout.@O@ \
zoneconf.@O@ \
lwaddr.@O@ lwresd.@O@ lwdclient.@O@ lwderror.@O@ lwdgabn.@O@ \
@@ -223,7 +230,7 @@ index ba5ec3c..2c88f46 100644
UOBJS = unix/os.@O@ unix/dlz_dlopen_driver.@O@
-@@ -110,8 +109,7 @@ SRCS = builtin.c client.c config.c control.c \
+@@ -99,8 +98,7 @@ SRCS = builtin.c client.c config.c control.c \
tkeyconf.c tsigconf.c update.c xfrout.c \
zoneconf.c \
lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \
@@ -233,16 +240,16 @@ index ba5ec3c..2c88f46 100644
MANPAGES = named.8 lwresd.8 named.conf.5
-@@ -181,7 +179,5 @@ install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs
- ${INSTALL_DATA} ${srcdir}/lwresd.8 ${DESTDIR}${mandir}/man8
- ${INSTALL_DATA} ${srcdir}/named.conf.5 ${DESTDIR}${mandir}/man5
+@@ -183,7 +181,5 @@ uninstall::
+ rm -f ${DESTDIR}${sbindir}/lwresd@EXEEXT@
+ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named@EXEEXT@
-@DLZ_DRIVER_RULES@
-
named-symtbl.@O@: named-symtbl.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c named-symtbl.c
diff --git a/bin/sdb_tools/Makefile.in b/bin/sdb_tools/Makefile.in
-index 7f3c5e2..b1bca66 100644
+index c7e0868..95ab742 100644
--- a/bin/sdb_tools/Makefile.in
+++ b/bin/sdb_tools/Makefile.in
@@ -32,11 +32,11 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
@@ -277,10 +284,10 @@ index 7f3c5e2..b1bca66 100644
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2sqlite@EXEEXT@ ${DESTDIR}${sbindir}
${INSTALL_DATA} ${srcdir}/zone2ldap.1 ${DESTDIR}${mandir}/man1/zone2ldap.1
diff --git a/configure.in b/configure.in
-index 6dab9dc..f84d161 100644
+index 6435274..5e614a7 100644
--- a/configure.in
+++ b/configure.in
-@@ -4686,30 +4686,33 @@ AC_CONFIG_FILES([
+@@ -5125,6 +5125,8 @@ AC_CONFIG_FILES([
bin/named/unix/Makefile
bin/named-pkcs11/Makefile
bin/named-pkcs11/unix/Makefile
@@ -289,24 +296,7 @@ index 6dab9dc..f84d161 100644
bin/nsupdate/Makefile
bin/pkcs11/Makefile
bin/python/Makefile
- bin/python/isc/Makefile
- bin/python/isc/utils.py
- bin/python/isc/tests/Makefile
- bin/python/dnssec-checkds.py
- bin/python/dnssec-coverage.py
- bin/python/dnssec-keymgr.py
- bin/python/isc/__init__.py
- bin/python/isc/checkds.py
- bin/python/isc/coverage.py
- bin/python/isc/dnskey.py
- bin/python/isc/eventlist.py
- bin/python/isc/keydict.py
- bin/python/isc/keyevent.py
- bin/python/isc/keymgr.py
- bin/python/isc/keyseries.py
- bin/python/isc/keyzone.py
- bin/python/isc/policy.py
- bin/python/isc/rndc.py
+@@ -5149,6 +5151,7 @@ AC_CONFIG_FILES([
bin/python/isc/tests/dnskey_test.py
bin/python/isc/tests/policy_test.py
bin/rndc/Makefile
diff --git a/bind-9.11-docbook-xsl.patch b/bind-9.11-docbook-xsl.patch
deleted file mode 100644
index 92fdca3..0000000
--- a/bind-9.11-docbook-xsl.patch
+++ /dev/null
@@ -1,958 +0,0 @@
-From 164076e873cf0c40fa622a489e6916ad7250e979 Mon Sep 17 00:00:00 2001
-From: Mark Andrews <marka@isc.org>
-Date: Wed, 7 Dec 2016 10:49:55 +1100
-Subject: [PATCH] 4527. [doc] Support DocBook XSL Stylesheets v1.79.1. [RT
- #43831]
-
----
- bin/check/named-checkconf.docbook | 2 +-
- bin/check/named-checkzone.docbook | 2 +-
- bin/confgen/ddns-confgen.docbook | 2 +-
- bin/confgen/rndc-confgen.docbook | 2 +-
- bin/delv/delv.docbook | 2 +-
- bin/dig/dig.docbook | 2 +-
- bin/dig/host.docbook | 2 +-
- bin/dig/nslookup.docbook | 2 +-
- bin/dnssec/dnssec-dsfromkey.docbook | 2 +-
- bin/dnssec/dnssec-importkey.docbook | 2 +-
- bin/dnssec/dnssec-keyfromlabel.docbook | 2 +-
- bin/dnssec/dnssec-keygen.docbook | 2 +-
- bin/dnssec/dnssec-revoke.docbook | 2 +-
- bin/dnssec/dnssec-settime.docbook | 2 +-
- bin/dnssec/dnssec-signzone.docbook | 2 +-
- bin/dnssec/dnssec-verify.docbook | 2 +-
- bin/named/lwresd.docbook | 2 +-
- bin/named/named.conf.docbook | 2 +-
- bin/named/named.docbook | 2 +-
- bin/nsupdate/nsupdate.docbook | 2 +-
- bin/pkcs11/pkcs11-destroy.docbook | 2 +-
- bin/pkcs11/pkcs11-keygen.docbook | 2 +-
- bin/pkcs11/pkcs11-list.docbook | 2 +-
- bin/pkcs11/pkcs11-tokens.docbook | 2 +-
- bin/python/dnssec-checkds.docbook | 2 +-
- bin/python/dnssec-coverage.docbook | 2 +-
- bin/python/dnssec-keymgr.docbook | 2 +-
- bin/rndc/rndc.conf.docbook | 2 +-
- bin/rndc/rndc.docbook | 2 +-
- bin/tools/arpaname.docbook | 2 +-
- bin/tools/dnstap-read.docbook | 2 +-
- bin/tools/genrandom.docbook | 2 +-
- bin/tools/isc-hmac-fixup.docbook | 2 +-
- bin/tools/mdig.docbook | 2 +-
- bin/tools/named-journalprint.docbook | 2 +-
- bin/tools/named-rrchecker.docbook | 2 +-
- bin/tools/nsec3hash.docbook | 2 +-
- doc/arm/Bv9ARM-book.xml | 2 +-
- doc/arm/catz.xml | 2 +-
- doc/arm/dlz.xml | 2 +-
- doc/arm/dnssec.xml | 2 +-
- doc/arm/dyndb.xml | 2 +-
- doc/arm/libdns.xml | 2 +-
- doc/arm/logging-categories.xml | 2 +-
- doc/arm/managed-keys.xml | 2 +-
- doc/arm/notes-wrapper.xml | 2 +-
- doc/arm/notes.xml | 2 +-
- doc/arm/pkcs11.xml | 2 +-
- doc/xsl/copyright.xsl | 6 +++---
- isc-config.sh.docbook | 2 +-
- lib/lwres/man/lwres.docbook | 2 +-
- lib/lwres/man/lwres_buffer.docbook | 2 +-
- lib/lwres/man/lwres_config.docbook | 2 +-
- lib/lwres/man/lwres_context.docbook | 2 +-
- lib/lwres/man/lwres_gabn.docbook | 2 +-
- lib/lwres/man/lwres_gai_strerror.docbook | 2 +-
- lib/lwres/man/lwres_getaddrinfo.docbook | 2 +-
- lib/lwres/man/lwres_gethostent.docbook | 2 +-
- lib/lwres/man/lwres_getipnode.docbook | 2 +-
- lib/lwres/man/lwres_getnameinfo.docbook | 2 +-
- lib/lwres/man/lwres_getrrsetbyname.docbook | 2 +-
- lib/lwres/man/lwres_gnba.docbook | 2 +-
- lib/lwres/man/lwres_hstrerror.docbook | 2 +-
- lib/lwres/man/lwres_inetntop.docbook | 2 +-
- lib/lwres/man/lwres_noop.docbook | 2 +-
- lib/lwres/man/lwres_packet.docbook | 2 +-
- lib/lwres/man/lwres_resutil.docbook | 2 +-
- 67 files changed, 69 insertions(+), 69 deletions(-)
-
-diff --git a/bin/check/named-checkconf.docbook b/bin/check/named-checkconf.docbook
-index 040071e..6f6a496 100644
---- a/bin/check/named-checkconf.docbook
-+++ b/bin/check/named-checkconf.docbook
-@@ -9,7 +9,7 @@
- -->
-
- <!-- Converted by db4-upgrade version 1.0 -->
--<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named-checkconf">
-+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named-checkconf">
- <info>
- <date>2014-01-10</date>
- </info>
-diff --git a/bin/check/named-checkzone.docbook b/bin/check/named-checkzone.docbook
-index e7c5f60..e3ddbe4 100644
---- a/bin/check/named-checkzone.docbook
-+++ b/bin/check/named-checkzone.docbook
-@@ -7,7 +7,7 @@
- -->
-
- <!-- Converted by db4-upgrade version 1.0 -->
--<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named-checkzone">
-+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named-checkzone">
- <info>
- <date>2014-02-19</date>
- </info>
-diff --git a/bin/confgen/ddns-confgen.docbook b/bin/confgen/ddns-confgen.docbook
-index 523936e..36fc909 100644
---- a/bin/confgen/ddns-confgen.docbook
-+++ b/bin/confgen/ddns-confgen.docbook
-@@ -7,7 +7,7 @@
- -->
-
- <!-- Converted by db4-upgrade version 1.0 -->
--<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.ddns-confgen">
-+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.ddns-confgen">
- <info>
- <date>2014-03-06</date>
- </info>
-diff --git a/bin/confgen/rndc-confgen.docbook b/bin/confgen/rndc-confgen.docbook
-index 84eb337..9da257b 100644
---- a/bin/confgen/rndc-confgen.docbook
-+++ b/bin/confgen/rndc-confgen.docbook
-@@ -7,7 +7,7 @@
- -->
-
- <!-- Converted by db4-upgrade version 1.0 -->
--<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.rndc-confgen">
-+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.rndc-confgen">
- <info>
- <date>2013-03-14</date>
- </info>
-diff --git a/bin/delv/delv.docbook b/bin/delv/delv.docbook
-index 9c12d33..0b70018 100644
---- a/bin/delv/delv.docbook
-+++ b/bin/delv/delv.docbook
-@@ -9,7 +9,7 @@
- -->
-
- <!-- Converted by db4-upgrade version 1.0 -->
--<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.delv">
-+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.delv">
- <info>
- <date>2014-04-23</date>
- </info>
-diff --git a/bin/dig/dig.docbook b/bin/dig/dig.docbook
-index 1e0047d..a36e716 100644
---- a/bin/dig/dig.docbook
-+++ b/bin/dig/dig.docbook
-@@ -9,7 +9,7 @@
- -->
-
- <!-- Converted by db4-upgrade version 1.0 -->
--<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dig">
-+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dig">
- <info>
- <date>2014-02-19</date>
- </info>
-diff --git a/bin/dig/host.docbook b/bin/dig/host.docbook
-index cdf9df7..3cc4981 100644
---- a/bin/dig/host.docbook
-+++ b/bin/dig/host.docbook
-@@ -9,7 +9,7 @@
- -->
-
- <!-- Converted by db4-upgrade version 1.0 -->
--<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.host">
-+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.host">
- <info>
- <date>2009-01-20</date>
- </info>
-diff --git a/bin/dig/nslookup.docbook b/bin/dig/nslookup.docbook
-index fea3c0a..c2a8668 100644
---- a/bin/dig/nslookup.docbook
-+++ b/bin/dig/nslookup.docbook
-@@ -35,7 +35,7 @@
- - SUCH DAMAGE.
- -->
- <!-- Converted by db4-upgrade version 1.0 -->
--<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.nslookup">
-+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.nslookup">
- <info>
- <date>2014-01-24</date>
- </info>
-diff --git a/bin/dnssec/dnssec-dsfromkey.docbook b/bin/dnssec/dnssec-dsfromkey.docbook
-index b722611..69bd7d7 100644
---- a/bin/dnssec/dnssec-dsfromkey.docbook
-+++ b/bin/dnssec/dnssec-dsfromkey.docbook
-@@ -7,7 +7,7 @@
- -->
-
- <!-- Converted by db4-upgrade version 1.0 -->
--<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-dsfromkey">
-+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-dsfromkey">
- <info>
- <date>2012-05-02</date>
- </info>
-diff --git a/bin/dnssec/dnssec-importkey.docbook b/bin/dnssec/dnssec-importkey.docbook
-index d2457cf..ed579f7 100644
---- a/bin/dnssec/dnssec-importkey.docbook
-+++ b/bin/dnssec/dnssec-importkey.docbook
-@@ -7,7 +7,7 @@
- -->
-
- <!-- Converted by db4-upgrade version 1.0 -->
--<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-importkey">
-+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-importkey">
- <info>
- <date>2014-02-20</date>
- </info>
-diff --git a/bin/dnssec/dnssec-keyfromlabel.docbook b/bin/dnssec/dnssec-keyfromlabel.docbook
-index 6400466..aeaca1a 100644
---- a/bin/dnssec/dnssec-keyfromlabel.docbook
-+++ b/bin/dnssec/dnssec-keyfromlabel.docbook
-@@ -7,7 +7,7 @@
- -->
-
- <!-- Converted by db4-upgrade version 1.0 -->
--<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-keyfromlabel">
-+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-keyfromlabel">
- <info>
- <date>2014-02-27</date>
- </info>
-diff --git a/bin/dnssec/dnssec-keygen.docbook b/bin/dnssec/dnssec-keygen.docbook
-index fd5fda6..f0b5665 100644
---- a/bin/dnssec/dnssec-keygen.docbook
-+++ b/bin/dnssec/dnssec-keygen.docbook
-@@ -7,7 +7,7 @@
- -->
-
- <!-- Converted by db4-upgrade version 1.0 -->
--<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-keygen">
-+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-keygen">
- <info>
- <date>2014-02-06</date>
- </info>
-diff --git a/bin/dnssec/dnssec-revoke.docbook b/bin/dnssec/dnssec-revoke.docbook
-index 03b4c3e..a5aab1a 100644
---- a/bin/dnssec/dnssec-revoke.docbook
-+++ b/bin/dnssec/dnssec-revoke.docbook
-@@ -7,7 +7,7 @@
- -->
-
- <!-- Converted by db4-upgrade version 1.0 -->
--<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-revoke">
-+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-revoke">
- <info>
- <date>2014-01-15</date>
- </info>
-diff --git a/bin/dnssec/dnssec-settime.docbook b/bin/dnssec/dnssec-settime.docbook
-index b586b41..72e978c 100644
---- a/bin/dnssec/dnssec-settime.docbook
-+++ b/bin/dnssec/dnssec-settime.docbook
-@@ -7,7 +7,7 @@
- -->
-
- <!-- Converted by db4-upgrade version 1.0 -->
--<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-settime">
-+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-settime">
- <info>
- <date>2015-08-21</date>
- </info>
-diff --git a/bin/dnssec/dnssec-signzone.docbook b/bin/dnssec/dnssec-signzone.docbook
-index 761d343..029b2cd 100644
---- a/bin/dnssec/dnssec-signzone.docbook
-+++ b/bin/dnssec/dnssec-signzone.docbook
-@@ -7,7 +7,7 @@
- -->
-
- <!-- Converted by db4-upgrade version 1.0 -->
--<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-signzone">
-+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-signzone">
- <info>
- <date>2014-02-18</date>
- </info>
-diff --git a/bin/dnssec/dnssec-verify.docbook b/bin/dnssec/dnssec-verify.docbook
-index 7982aa9..e1ed25f 100644
---- a/bin/dnssec/dnssec-verify.docbook
-+++ b/bin/dnssec/dnssec-verify.docbook
-@@ -7,7 +7,7 @@
- -->
-
- <!-- Converted by db4-upgrade version 1.0 -->
--<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-verify">
-+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-verify">
- <info>
- <date>2014-01-15</date>
- </info>
-diff --git a/bin/named/lwresd.docbook b/bin/named/lwresd.docbook
-index 43e54d4..48dda31 100644
---- a/bin/named/lwresd.docbook
-+++ b/bin/named/lwresd.docbook
-@@ -7,7 +7,7 @@
- -->
-
- <!-- Converted by db4-upgrade version 1.0 -->
--<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.lwresd">
-+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.lwresd">
- <info>
- <date>2009-01-20</date>
- </info>
-diff --git a/bin/named/named.conf.docbook b/bin/named/named.conf.docbook
-index 6731075..402179d 100644
---- a/bin/named/named.conf.docbook
-+++ b/bin/named/named.conf.docbook
-@@ -7,7 +7,7 @@
- -->
-
- <!-- Converted by db4-upgrade version 1.0 -->
--<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named.conf">
-+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named.conf">
- <info>
- <date>2014-01-08</date>
- </info>
-diff --git a/bin/named/named.docbook b/bin/named/named.docbook
-index 2e4e2a5..79fe9f1 100644
---- a/bin/named/named.docbook
-+++ b/bin/named/named.docbook
-@@ -7,7 +7,7 @@
- -->
-
- <!-- Converted by db4-upgrade version 1.0 -->
--<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named">
-+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named">
- <info>
- <date>2014-02-19</date>
- </info>
-diff --git a/bin/nsupdate/nsupdate.docbook b/bin/nsupdate/nsupdate.docbook
-index aef1bab..2c839b2 100644
---- a/bin/nsupdate/nsupdate.docbook
-+++ b/bin/nsupdate/nsupdate.docbook
-@@ -7,7 +7,7 @@
- -->
-
- <!-- Converted by db4-upgrade version 1.0 -->
--<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.nsupdate">
-+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.nsupdate">
- <info>
- <date>2014-04-18</date>
- </info>
-diff --git a/bin/pkcs11/pkcs11-destroy.docbook b/bin/pkcs11/pkcs11-destroy.docbook
-index c69c808..f66bc75 100644
---- a/bin/pkcs11/pkcs11-destroy.docbook
-+++ b/bin/pkcs11/pkcs11-destroy.docbook
-@@ -7,7 +7,7 @@
- -->
-
- <!-- Converted by db4-upgrade version 1.0 -->
--<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.pkcs11-destroy">
-+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.pkcs11-destroy">
- <info>
- <date>2014-01-15</date>
- </info>
-diff --git a/bin/pkcs11/pkcs11-keygen.docbook b/bin/pkcs11/pkcs11-keygen.docbook
-index d7141cf..f4ff131 100644
---- a/bin/pkcs11/pkcs11-keygen.docbook
-+++ b/bin/pkcs11/pkcs11-keygen.docbook
-@@ -7,7 +7,7 @@
- -->
-
- <!-- Converted by db4-upgrade version 1.0 -->
--<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.pkcs11-keygen">
-+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.pkcs11-keygen">
- <info>
- <date>2014-01-15</date>
- </info>
-diff --git a/bin/pkcs11/pkcs11-list.docbook b/bin/pkcs11/pkcs11-list.docbook
-index 3fa6b36..570ef1f 100644
---- a/bin/pkcs11/pkcs11-list.docbook
-+++ b/bin/pkcs11/pkcs11-list.docbook
-@@ -7,7 +7,7 @@
- -->
-
- <!-- Converted by db4-upgrade version 1.0 -->
--<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.pkcs11-list">
-+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.pkcs11-list">
- <info>
- <date>2009-10-05</date>
- </info>
-diff --git a/bin/pkcs11/pkcs11-tokens.docbook b/bin/pkcs11/pkcs11-tokens.docbook
-index 7d13851..93f4bbb 100644
---- a/bin/pkcs11/pkcs11-tokens.docbook
-+++ b/bin/pkcs11/pkcs11-tokens.docbook
-@@ -7,7 +7,7 @@
- -->
-
- <!-- Converted by db4-upgrade version 1.0 -->
--<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.pkcs11-tokens">
-+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.pkcs11-tokens">
- <info>
- <date>2014-01-15</date>
- </info>
-diff --git a/bin/python/dnssec-checkds.docbook b/bin/python/dnssec-checkds.docbook
-index 040d31a..cce5dc3 100644
---- a/bin/python/dnssec-checkds.docbook
-+++ b/bin/python/dnssec-checkds.docbook
-@@ -7,7 +7,7 @@
- -->
-
- <!-- Converted by db4-upgrade version 1.0 -->
--<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-checkds">
-+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-checkds">
- <info>
- <date>2013-01-01</date>
- </info>
-diff --git a/bin/python/dnssec-coverage.docbook b/bin/python/dnssec-coverage.docbook
-index 8d0c350..7400d7e 100644
---- a/bin/python/dnssec-coverage.docbook
-+++ b/bin/python/dnssec-coverage.docbook
-@@ -7,7 +7,7 @@
- -->
-
- <!-- Converted by db4-upgrade version 1.0 -->
--<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-coverage">
-+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-coverage">
- <info>
- <date>2014-01-11</date>
- </info>
-diff --git a/bin/python/dnssec-keymgr.docbook b/bin/python/dnssec-keymgr.docbook
-index 685b073..e072121 100644
---- a/bin/python/dnssec-keymgr.docbook
-+++ b/bin/python/dnssec-keymgr.docbook
-@@ -6,7 +6,7 @@
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
- -->
-
--<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-keymgr">
-+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-keymgr">
- <info>
- <date>2016-06-03</date>
- </info>
-diff --git a/bin/rndc/rndc.conf.docbook b/bin/rndc/rndc.conf.docbook
-index 0e51cb4..84284c7 100644
---- a/bin/rndc/rndc.conf.docbook
-+++ b/bin/rndc/rndc.conf.docbook
-@@ -7,7 +7,7 @@
- -->
-
- <!-- Converted by db4-upgrade version 1.0 -->
--<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.rndc.conf">
-+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.rndc.conf">
- <info>
- <date>2013-03-14</date>
- </info>
-diff --git a/bin/rndc/rndc.docbook b/bin/rndc/rndc.docbook
-index f719a22..f273519 100644
---- a/bin/rndc/rndc.docbook
-+++ b/bin/rndc/rndc.docbook
-@@ -7,7 +7,7 @@
- -->
-
- <!-- Converted by db4-upgrade version 1.0 -->
--<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.rndc">
-+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.rndc">
- <info>
- <date>2014-08-15</date>
- </info>
-diff --git a/bin/tools/arpaname.docbook b/bin/tools/arpaname.docbook
-index f60291e..7310425 100644
---- a/bin/tools/arpaname.docbook
-+++ b/bin/tools/arpaname.docbook
-@@ -7,7 +7,7 @@
- -->
-
- <!-- Converted by db4-upgrade version 1.0 -->
--<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.arpaname">
-+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.arpaname">
- <info>
- <date>2009-03-03</date>
- </info>
-diff --git a/bin/tools/dnstap-read.docbook b/bin/tools/dnstap-read.docbook
-index bbb43d9..3dfef70 100644
---- a/bin/tools/dnstap-read.docbook
-+++ b/bin/tools/dnstap-read.docbook
-@@ -7,7 +7,7 @@
- -->
-
- <!-- Converted by db4-upgrade version 1.0 -->
--<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnstap-read">
-+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnstap-read">
- <info>
- <date>2015-09-13</date>
- </info>
-diff --git a/bin/tools/genrandom.docbook b/bin/tools/genrandom.docbook
-index 1f53df7..f106702 100644
---- a/bin/tools/genrandom.docbook
-+++ b/bin/tools/genrandom.docbook
-@@ -7,7 +7,7 @@
- -->
-
- <!-- Converted by db4-upgrade version 1.0 -->
--<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.genrandom">
-+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.genrandom">
- <info>
- <date>2011-08-08</date>
- </info>
-diff --git a/bin/tools/isc-hmac-fixup.docbook b/bin/tools/isc-hmac-fixup.docbook
-index 79c2ed3..50fffaf 100644
---- a/bin/tools/isc-hmac-fixup.docbook
-+++ b/bin/tools/isc-hmac-fixup.docbook
-@@ -7,7 +7,7 @@
- -->
-
- <!-- Converted by db4-upgrade version 1.0 -->
--<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.isc-hmac-fixup">
-+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.isc-hmac-fixup">
- <info>
- <date>2013-04-28</date>
- </info>
-diff --git a/bin/tools/mdig.docbook b/bin/tools/mdig.docbook
-index 46f3825..75f054b 100644
---- a/bin/tools/mdig.docbook
-+++ b/bin/tools/mdig.docbook
-@@ -9,7 +9,7 @@
- -->
-
- <!-- Converted by db4-upgrade version 1.0 -->
--<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.mdig">
-+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.mdig">
- <info>
- <date>2015-01-05</date>
- </info>
-diff --git a/bin/tools/named-journalprint.docbook b/bin/tools/named-journalprint.docbook
-index 4b2121b..df82c64 100644
---- a/bin/tools/named-journalprint.docbook
-+++ b/bin/tools/named-journalprint.docbook
-@@ -7,7 +7,7 @@
- -->
-
- <!-- Converted by db4-upgrade version 1.0 -->
--<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named-journalprint">
-+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named-journalprint">
- <info>
- <date>2009-12-04</date>
- </info>
-diff --git a/bin/tools/named-rrchecker.docbook b/bin/tools/named-rrchecker.docbook
-index 59185db..94ba015 100644
---- a/bin/tools/named-rrchecker.docbook
-+++ b/bin/tools/named-rrchecker.docbook
-@@ -7,7 +7,7 @@
- -->
-
- <!-- Converted by db4-upgrade version 1.0 -->
--<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named-rrchecker">
-+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named-rrchecker">
- <info>
- <date>2013-11-12</date>
- </info>
-diff --git a/bin/tools/nsec3hash.docbook b/bin/tools/nsec3hash.docbook
-index 7345e0d..ddc0342 100644
---- a/bin/tools/nsec3hash.docbook
-+++ b/bin/tools/nsec3hash.docbook
-@@ -7,7 +7,7 @@
- -->
-
- <!-- Converted by db4-upgrade version 1.0 -->
--<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.nsec3hash">
-+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.nsec3hash">
- <info>
- <date>2009-03-02</date>
- </info>
-diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
-index 94c7af6..911bc2e 100644
---- a/doc/arm/Bv9ARM-book.xml
-+++ b/doc/arm/Bv9ARM-book.xml
-@@ -7,7 +7,7 @@
- -->
-
- <!-- Converted by db4-upgrade version 1.0 -->
--<book xmlns="http://docbook.org/ns/docbook" version="5.0">
-+<book xmlns:db="http://docbook.org/ns/docbook" version="5.0">
- <info>
- <title>BIND 9 Administrator Reference Manual</title>
- <copyright>
-diff --git a/doc/arm/catz.xml b/doc/arm/catz.xml
-index a0a8362..56bcfa4 100644
---- a/doc/arm/catz.xml
-+++ b/doc/arm/catz.xml
-@@ -6,7 +6,7 @@
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
- -->
-
--<section xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="catz-info"><info><title>Catalog Zones</title></info>
-+<section xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="catz-info"><info><title>Catalog Zones</title></info>
-
- <para>
- A "catalog zone" is a special DNS zone that contains a list of
-diff --git a/doc/arm/dlz.xml b/doc/arm/dlz.xml
-index 0658dab..89a20f8 100644
---- a/doc/arm/dlz.xml
-+++ b/doc/arm/dlz.xml
-@@ -7,7 +7,7 @@
- -->
-
- <!-- Converted by db4-upgrade version 1.0 -->
--<section xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="dlz-info"><info><title>DLZ (Dynamically Loadable Zones)</title></info>
-+<section xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="dlz-info"><info><title>DLZ (Dynamically Loadable Zones)</title></info>
-
- <para>
- DLZ (Dynamically Loadable Zones) is an extension to BIND 9 that allows
-diff --git a/doc/arm/dnssec.xml b/doc/arm/dnssec.xml
-index 16ec45c..f8e14a3 100644
---- a/doc/arm/dnssec.xml
-+++ b/doc/arm/dnssec.xml
-@@ -7,7 +7,7 @@
- -->
-
- <!-- Converted by db4-upgrade version 1.0 -->
--<section xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="dnssec.dynamic.zones"><info><title>DNSSEC, Dynamic Zones, and Automatic Signing</title></info>
-+<section xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="dnssec.dynamic.zones"><info><title>DNSSEC, Dynamic Zones, and Automatic Signing</title></info>
-
- <para>As of BIND 9.7.0 it is possible to change a dynamic zone
- from insecure to signed and back again. A secure zone can use
-diff --git a/doc/arm/dyndb.xml b/doc/arm/dyndb.xml
-index 6a6ccbd..0d449f0 100644
---- a/doc/arm/dyndb.xml
-+++ b/doc/arm/dyndb.xml
-@@ -7,7 +7,7 @@
- -->
-
- <!-- Converted by db4-upgrade version 1.0 -->
--<section xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="dyndb-info"><info><title>DynDB (Dynamic Database)</title></info>
-+<section xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="dyndb-info"><info><title>DynDB (Dynamic Database)</title></info>
-
- <para>
- DynDB is an extension to BIND 9 which, like DLZ
-diff --git a/doc/arm/libdns.xml b/doc/arm/libdns.xml
-index eded111..fc940a6 100644
---- a/doc/arm/libdns.xml
-+++ b/doc/arm/libdns.xml
-@@ -7,7 +7,7 @@
- -->
-
- <!-- Converted by db4-upgrade version 1.0 -->
--<section xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="bind9.library"><info><title>BIND 9 DNS Library Support</title></info>
-+<section xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="bind9.library"><info><title>BIND 9 DNS Library Support</title></info>
-
- <para>This version of BIND 9 "exports" its internal libraries so
- that they can be used by third-party applications more easily (we
-diff --git a/doc/arm/logging-categories.xml b/doc/arm/logging-categories.xml
-index 0e2c084..e0e635c 100644
---- a/doc/arm/logging-categories.xml
-+++ b/doc/arm/logging-categories.xml
-@@ -7,7 +7,7 @@
- -->
-
- <!-- Converted by db4-upgrade version 1.0 -->
--<informaltable xmlns="http://docbook.org/ns/docbook" version="5.0" colsep="0" rowsep="0">
-+<informaltable xmlns:db="http://docbook.org/ns/docbook" version="5.0" colsep="0" rowsep="0">
- <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
- <colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/>
- <colspec colname="2" colnum="2" colsep="0" colwidth="3.350in"/>
-diff --git a/doc/arm/managed-keys.xml b/doc/arm/managed-keys.xml
-index 0be3338..342a72e 100644
---- a/doc/arm/managed-keys.xml
-+++ b/doc/arm/managed-keys.xml
-@@ -7,7 +7,7 @@
- -->
-
- <!-- Converted by db4-upgrade version 1.0 -->
--<section xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="rfc5011.support"><info><title>Dynamic Trust Anchor Management</title></info>
-+<section xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="rfc5011.support"><info><title>Dynamic Trust Anchor Management</title></info>
-
- <para>BIND 9.7.0 introduces support for RFC 5011, dynamic trust
- anchor management. Using this feature allows
-diff --git a/doc/arm/notes-wrapper.xml b/doc/arm/notes-wrapper.xml
-index 2e1e505..95c545c 100644
---- a/doc/arm/notes-wrapper.xml
-+++ b/doc/arm/notes-wrapper.xml
-@@ -9,7 +9,7 @@
- -->
-
- <!-- Converted by db4-upgrade version 1.0 -->
--<article xmlns="http://docbook.org/ns/docbook" version="5.0"><info><title/></info>
-+<article xmlns:db="http://docbook.org/ns/docbook" version="5.0"><info><title/></info>
-
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes.xml"/>
- </article>
-diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
-index 165c01f..670ae6c 100644
---- a/doc/arm/notes.xml
-+++ b/doc/arm/notes.xml
-@@ -9,7 +9,7 @@
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
- -->
-
--<section xmlns="http://docbook.org/ns/docbook" version="5.0"><info/>
-+<section xmlns:db="http://docbook.org/ns/docbook" version="5.0"><info/>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="noteversion.xml"/>
- <section xml:id="relnotes_intro"><info><title>Introduction</title></info>
- <para>
-diff --git a/doc/arm/pkcs11.xml b/doc/arm/pkcs11.xml
-index 9e6a6b9..11a125a 100644
---- a/doc/arm/pkcs11.xml
-+++ b/doc/arm/pkcs11.xml
-@@ -9,7 +9,7 @@
- -->
-
- <!-- Converted by db4-upgrade version 1.0 -->
--<section xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pkcs11"><info><title>PKCS#11 (Cryptoki) support</title></info>
-+<section xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="pkcs11"><info><title>PKCS#11 (Cryptoki) support</title></info>
-
- <para>
- PKCS#11 (Public Key Cryptography Standard #11) defines a
-diff --git a/doc/xsl/copyright.xsl b/doc/xsl/copyright.xsl
-index c46d55f..991afa3 100644
---- a/doc/xsl/copyright.xsl
-+++ b/doc/xsl/copyright.xsl
-@@ -39,13 +39,13 @@
- <xsl:variable name="isc.copyright">
- <xsl:call-template name="isc.copyright.format">
- <xsl:with-param name="text">
-- <xsl:for-each select="db:book/db:info/db:copyright | db:refentry/db:docinfo/db:copyright">
-+ <xsl:for-each select="book/info/copyright | refentry/docinfo/copyright">
- <xsl:text>Copyright (C) </xsl:text>
- <xsl:call-template name="copyright.years">
-- <xsl:with-param name="years" select="db:year"/>
-+ <xsl:with-param name="years" select="year"/>
- </xsl:call-template>
- <xsl:text> </xsl:text>
-- <xsl:value-of select="db:holder"/>
-+ <xsl:value-of select="holder"/>
- <xsl:value-of select="$isc.copyright.breakline"/>
- <xsl:text>&#10;</xsl:text>
- </xsl:for-each>
-diff --git a/isc-config.sh.docbook b/isc-config.sh.docbook
-index f13cd8c..6d1f478 100644
---- a/isc-config.sh.docbook
-+++ b/isc-config.sh.docbook
-@@ -7,7 +7,7 @@
- -->
-
- <!-- Converted by db4-upgrade version 1.0 -->
--<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.isc-config.sh">
-+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.isc-config.sh">
- <info>
- <date>2009-02-18</date>
- </info>
-diff --git a/lib/lwres/man/lwres.docbook b/lib/lwres/man/lwres.docbook
-index b409b85..3bb8f03 100644
---- a/lib/lwres/man/lwres.docbook
-+++ b/lib/lwres/man/lwres.docbook
-@@ -7,7 +7,7 @@
- -->
-
- <!-- Converted by db4-upgrade version 1.0 -->
--<refentry xmlns="http://docbook.org/ns/docbook" version="5.0">
-+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0">
- <info>
- <date>2007-06-18</date>
- </info>
-diff --git a/lib/lwres/man/lwres_buffer.docbook b/lib/lwres/man/lwres_buffer.docbook
-index f7c543a..ef8ff1f 100644
---- a/lib/lwres/man/lwres_buffer.docbook
-+++ b/lib/lwres/man/lwres_buffer.docbook
-@@ -7,7 +7,7 @@
- -->
-
- <!-- Converted by db4-upgrade version 1.0 -->
--<refentry xmlns="http://docbook.org/ns/docbook" version="5.0">
-+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0">
- <info>
- <date>2007-06-18</date>
- </info>
-diff --git a/lib/lwres/man/lwres_config.docbook b/lib/lwres/man/lwres_config.docbook
-index 1516af8..ffdb7dc 100644
---- a/lib/lwres/man/lwres_config.docbook
-+++ b/lib/lwres/man/lwres_config.docbook
-@@ -7,7 +7,7 @@
- -->
-
- <!-- Converted by db4-upgrade version 1.0 -->
--<refentry xmlns="http://docbook.org/ns/docbook" version="5.0">
-+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0">
- <info>
- <date>2007-06-18</date>
- </info>
-diff --git a/lib/lwres/man/lwres_context.docbook b/lib/lwres/man/lwres_context.docbook
-index 1754e4f..efb3a30 100644
---- a/lib/lwres/man/lwres_context.docbook
-+++ b/lib/lwres/man/lwres_context.docbook
-@@ -9,7 +9,7 @@
- -->
-
- <!-- Converted by db4-upgrade version 1.0 -->
--<refentry xmlns="http://docbook.org/ns/docbook" version="5.0">
-+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0">
- <info>
- <date>2007-06-18</date>
- </info>
-diff --git a/lib/lwres/man/lwres_gabn.docbook b/lib/lwres/man/lwres_gabn.docbook
-index 7bcbc2a..1727ae7 100644
---- a/lib/lwres/man/lwres_gabn.docbook
-+++ b/lib/lwres/man/lwres_gabn.docbook
-@@ -9,7 +9,7 @@
- -->
-
- <!-- Converted by db4-upgrade version 1.0 -->
--<refentry xmlns="http://docbook.org/ns/docbook" version="5.0">
-+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0">
- <info>
- <date>2007-06-18</date>
- </info>
-diff --git a/lib/lwres/man/lwres_gai_strerror.docbook b/lib/lwres/man/lwres_gai_strerror.docbook
-index b5d3c62..52d3e7d 100644
---- a/lib/lwres/man/lwres_gai_strerror.docbook
-+++ b/lib/lwres/man/lwres_gai_strerror.docbook
-@@ -7,7 +7,7 @@
- -->
-
- <!-- Converted by db4-upgrade version 1.0 -->
--<refentry xmlns="http://docbook.org/ns/docbook" version="5.0">
-+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0">
- <info>
- <date>2007-06-18</date>
- </info>
-diff --git a/lib/lwres/man/lwres_getaddrinfo.docbook b/lib/lwres/man/lwres_getaddrinfo.docbook
-index aad61f1..9a86c84 100644
---- a/lib/lwres/man/lwres_getaddrinfo.docbook
-+++ b/lib/lwres/man/lwres_getaddrinfo.docbook
-@@ -9,7 +9,7 @@
- -->
-
- <!-- Converted by db4-upgrade version 1.0 -->
--<refentry xmlns="http://docbook.org/ns/docbook" version="5.0">
-+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0">
- <info>
- <date>2007-06-18</date>
- </info>
-diff --git a/lib/lwres/man/lwres_gethostent.docbook b/lib/lwres/man/lwres_gethostent.docbook
-index 21ad2a1..9cc3065 100644
---- a/lib/lwres/man/lwres_gethostent.docbook
-+++ b/lib/lwres/man/lwres_gethostent.docbook
-@@ -9,7 +9,7 @@
- -->
-
- <!-- Converted by db4-upgrade version 1.0 -->
--<refentry xmlns="http://docbook.org/ns/docbook" version="5.0">
-+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0">
- <info>
- <date>2007-06-18</date>
- </info>
-diff --git a/lib/lwres/man/lwres_getipnode.docbook b/lib/lwres/man/lwres_getipnode.docbook
-index b0625ba..b290d9f 100644
---- a/lib/lwres/man/lwres_getipnode.docbook
-+++ b/lib/lwres/man/lwres_getipnode.docbook
-@@ -7,7 +7,7 @@
- -->
-
- <!-- Converted by db4-upgrade version 1.0 -->
--<refentry xmlns="http://docbook.org/ns/docbook" version="5.0">
-+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0">
- <info>
- <date>2007-06-18</date>
- </info>
-diff --git a/lib/lwres/man/lwres_getnameinfo.docbook b/lib/lwres/man/lwres_getnameinfo.docbook
-index a1e7f13..acc2608 100644
---- a/lib/lwres/man/lwres_getnameinfo.docbook
-+++ b/lib/lwres/man/lwres_getnameinfo.docbook
-@@ -7,7 +7,7 @@
- -->
-
- <!-- Converted by db4-upgrade version 1.0 -->
--<refentry xmlns="http://docbook.org/ns/docbook" version="5.0">
-+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0">
- <info>
- <date>2007-06-18</date>
- </info>
-diff --git a/lib/lwres/man/lwres_getrrsetbyname.docbook b/lib/lwres/man/lwres_getrrsetbyname.docbook
-index 5d5ee0d..aab909a 100644
---- a/lib/lwres/man/lwres_getrrsetbyname.docbook
-+++ b/lib/lwres/man/lwres_getrrsetbyname.docbook
-@@ -7,7 +7,7 @@
- -->
-
- <!-- Converted by db4-upgrade version 1.0 -->
--<refentry xmlns="http://docbook.org/ns/docbook" version="5.0">
-+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0">
- <info>
- <date>2007-06-18</date>
- </info>
-diff --git a/lib/lwres/man/lwres_gnba.docbook b/lib/lwres/man/lwres_gnba.docbook
-index 8d9b0e8..e7011ce 100644
---- a/lib/lwres/man/lwres_gnba.docbook
-+++ b/lib/lwres/man/lwres_gnba.docbook
-@@ -9,7 +9,7 @@
- -->
-
- <!-- Converted by db4-upgrade version 1.0 -->
--<refentry xmlns="http://docbook.org/ns/docbook" version="5.0">
-+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0">
- <info>
- <date>2007-06-18</date>
- </info>
-diff --git a/lib/lwres/man/lwres_hstrerror.docbook b/lib/lwres/man/lwres_hstrerror.docbook
-index c1b9056..49e3c21 100644
---- a/lib/lwres/man/lwres_hstrerror.docbook
-+++ b/lib/lwres/man/lwres_hstrerror.docbook
-@@ -7,7 +7,7 @@
- -->
-
- <!-- Converted by db4-upgrade version 1.0 -->
--<refentry xmlns="http://docbook.org/ns/docbook" version="5.0">
-+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0">
- <info>
- <date>2007-06-18</date>
- </info>
-diff --git a/lib/lwres/man/lwres_inetntop.docbook b/lib/lwres/man/lwres_inetntop.docbook
-index ab3920e..7faa467 100644
---- a/lib/lwres/man/lwres_inetntop.docbook
-+++ b/lib/lwres/man/lwres_inetntop.docbook
-@@ -9,7 +9,7 @@
- -->
-
- <!-- Converted by db4-upgrade version 1.0 -->
--<refentry xmlns="http://docbook.org/ns/docbook" version="5.0">
-+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0">
- <info>
- <date>2007-06-18</date>
- </info>
-diff --git a/lib/lwres/man/lwres_noop.docbook b/lib/lwres/man/lwres_noop.docbook
-index 900e79c..a6b6f6f 100644
---- a/lib/lwres/man/lwres_noop.docbook
-+++ b/lib/lwres/man/lwres_noop.docbook
-@@ -9,7 +9,7 @@
- -->
-
- <!-- Converted by db4-upgrade version 1.0 -->
--<refentry xmlns="http://docbook.org/ns/docbook" version="5.0">
-+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0">
- <info>
- <date>2007-06-18</date>
- </info>
-diff --git a/lib/lwres/man/lwres_packet.docbook b/lib/lwres/man/lwres_packet.docbook
-index 66c22c2..a7ec451 100644
---- a/lib/lwres/man/lwres_packet.docbook
-+++ b/lib/lwres/man/lwres_packet.docbook
-@@ -7,7 +7,7 @@
- -->
-
- <!-- Converted by db4-upgrade version 1.0 -->
--<refentry xmlns="http://docbook.org/ns/docbook" version="5.0">
-+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0">
- <info>
- <date>2007-06-18</date>
- </info>
-diff --git a/lib/lwres/man/lwres_resutil.docbook b/lib/lwres/man/lwres_resutil.docbook
-index 80c9bd2..a34cf91 100644
---- a/lib/lwres/man/lwres_resutil.docbook
-+++ b/lib/lwres/man/lwres_resutil.docbook
-@@ -7,7 +7,7 @@
- -->
-
- <!-- Converted by db4-upgrade version 1.0 -->
--<refentry xmlns="http://docbook.org/ns/docbook" version="5.0">
-+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0">
- <info>
- <date>2007-06-18</date>
- </info>
---
-2.7.4
-
diff --git a/bind-95-rh452060.patch b/bind-95-rh452060.patch
index 58808b0..dac3a8d 100644
--- a/bind-95-rh452060.patch
+++ b/bind-95-rh452060.patch
@@ -1,10 +1,12 @@
-diff -up bind-9.5.0-P2/bin/dig/dighost.c.rh452060 bind-9.5.0-P2/bin/dig/dighost.c
---- bind-9.5.0-P2/bin/dig/dighost.c.rh452060 2008-12-01 22:30:01.000000000 +0100
-+++ bind-9.5.0-P2/bin/dig/dighost.c 2008-12-01 22:30:07.000000000 +0100
-@@ -1280,6 +1280,12 @@ clear_query(dig_query_t *query) {
-
- debug("clear_query(%p)", query);
+diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
+index f657c30..ff9a2d2 100644
+--- a/bin/dig/dighost.c
++++ b/bin/dig/dighost.c
+@@ -1694,6 +1694,13 @@ clear_query(dig_query_t *query) {
+ if (query->timer != NULL)
+ isc_timer_detach(&query->timer);
++
+ if (query->waiting_senddone) {
+ debug("send_done not yet called");
+ query->pending_free = ISC_TRUE;
@@ -14,7 +16,7 @@ diff -up bind-9.5.0-P2/bin/dig/dighost.c.rh452060 bind-9.5.0-P2/bin/dig/dighost.
lookup = query->lookup;
if (lookup->current_query == query)
-@@ -1301,10 +1307,7 @@ clear_query(dig_query_t *query) {
+@@ -1719,10 +1726,7 @@ clear_query(dig_query_t *query) {
isc_mempool_put(commctx, query->recvspace);
isc_buffer_invalidate(&query->recvbuf);
isc_buffer_invalidate(&query->lengthbuf);
@@ -26,7 +28,7 @@ diff -up bind-9.5.0-P2/bin/dig/dighost.c.rh452060 bind-9.5.0-P2/bin/dig/dighost.
}
/*%
-@@ -2175,9 +2178,9 @@ send_done(isc_task_t *_task, isc_event_t
+@@ -2811,9 +2815,9 @@ send_done(isc_task_t *_task, isc_event_t *event) {
isc_event_free(&event);
if (query->pending_free)
diff --git a/bind-99-libidn.patch b/bind-99-libidn.patch
index d782e66..6e042be 100644
--- a/bind-99-libidn.patch
+++ b/bind-99-libidn.patch
@@ -1,8 +1,8 @@
diff --git a/bin/dig/Makefile.in b/bin/dig/Makefile.in
-index 5e9febc..b1861a5 100644
+index bd219c5..f71685b 100644
--- a/bin/dig/Makefile.in
+++ b/bin/dig/Makefile.in
-@@ -48,10 +48,10 @@ DEPLIBS = ${DNSDEPLIBS} ${BIND9DEPLIBS} ${ISCDEPLIBS} \
+@@ -38,10 +38,10 @@ DEPLIBS = ${DNSDEPLIBS} ${BIND9DEPLIBS} ${ISCDEPLIBS} \
${ISCCFGDEPLIBS} ${LWRESDEPLIBS}
LIBS = ${LWRESLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \
@@ -15,7 +15,7 @@ index 5e9febc..b1861a5 100644
SUBDIRS =
-@@ -69,6 +69,8 @@ HTMLPAGES = dig.html host.html nslookup.html
+@@ -59,6 +59,8 @@ HTMLPAGES = dig.html host.html nslookup.html
MANOBJS = ${MANPAGES} ${HTMLPAGES}
@@ -25,10 +25,10 @@ index 5e9febc..b1861a5 100644
dig@EXEEXT@: dig.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
diff --git a/bin/dig/dig.docbook b/bin/dig/dig.docbook
-index c54d677..1079421 100644
+index 7a7e8e4..b36047f 100644
--- a/bin/dig/dig.docbook
+++ b/bin/dig/dig.docbook
-@@ -1170,8 +1170,8 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
+@@ -1251,8 +1251,8 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
<command>dig</command> appropriately converts character encoding of
domain name before sending a request to DNS server or displaying a
reply from the server.
@@ -40,10 +40,10 @@ index c54d677..1079421 100644
<command>dig</command> runs.
</para>
diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
-index 3ca7cb9..f11884e 100644
+index 1f8bcf2..f657c30 100644
--- a/bin/dig/dighost.c
+++ b/bin/dig/dighost.c
-@@ -44,6 +44,11 @@
+@@ -33,6 +33,11 @@
#include <idn/api.h>
#endif
@@ -55,7 +55,7 @@ index 3ca7cb9..f11884e 100644
#include <dns/byaddr.h>
#ifdef DIG_SIGCHASE
#include <dns/callbacks.h>
-@@ -168,6 +173,14 @@ static void idn_check_result(idn_result_t r, const char *msg);
+@@ -158,6 +163,14 @@ static void idn_check_result(idn_result_t r, const char *msg);
int idnoptions = 0;
#endif
@@ -70,7 +70,7 @@ index 3ca7cb9..f11884e 100644
isc_socket_t *keep = NULL;
isc_sockaddr_t keepaddr;
-@@ -1404,8 +1417,15 @@ setup_system(void) {
+@@ -1448,8 +1461,15 @@ setup_system(isc_boolean_t ipv4only, isc_boolean_t ipv6only) {
#ifdef WITH_IDN
initialize_idn();
@@ -87,7 +87,7 @@ index 3ca7cb9..f11884e 100644
if (keyfile[0] != 0)
setup_file_key();
else if (keysecret[0] != 0)
-@@ -2191,12 +2211,14 @@ setup_lookup(dig_lookup_t *lookup) {
+@@ -2231,8 +2251,11 @@ setup_lookup(dig_lookup_t *lookup) {
idn_result_t mr;
char utf8_textname[MXNAME], utf8_origin[MXNAME], idn_textname[MXNAME];
#endif
@@ -97,14 +97,10 @@ index 3ca7cb9..f11884e 100644
-#ifdef WITH_IDN
+#if defined (WITH_IDN) || defined (WITH_LIBIDN)
- result = dns_name_settotextfilter(output_filter);
+ result = dns_name_settotextfilter(lookup->idnout ?
+ output_filter : NULL);
check_result(result, "dns_name_settotextfilter");
- #endif
--
- REQUIRE(lookup != NULL);
- INSIST(!free_now);
-
-@@ -2233,6 +2255,14 @@ setup_lookup(dig_lookup_t *lookup) {
+@@ -2274,6 +2297,14 @@ setup_lookup(dig_lookup_t *lookup) {
mr = idn_encodename(IDN_LOCALCONV | IDN_DELIMMAP, lookup->textname,
utf8_textname, sizeof(utf8_textname));
idn_check_result(mr, "convert textname to UTF-8");
@@ -119,7 +115,7 @@ index 3ca7cb9..f11884e 100644
#endif
/*
-@@ -2245,15 +2275,11 @@ setup_lookup(dig_lookup_t *lookup) {
+@@ -2286,15 +2317,11 @@ setup_lookup(dig_lookup_t *lookup) {
if (lookup->new_search) {
#ifdef WITH_IDN
if ((count_dots(utf8_textname) >= ndots) || !usesearch) {
@@ -138,7 +134,7 @@ index 3ca7cb9..f11884e 100644
lookup->origin = NULL; /* Force abs lookup */
lookup->done_as_is = ISC_TRUE;
lookup->need_search = usesearch;
-@@ -2261,7 +2287,6 @@ setup_lookup(dig_lookup_t *lookup) {
+@@ -2302,7 +2329,6 @@ setup_lookup(dig_lookup_t *lookup) {
lookup->origin = ISC_LIST_HEAD(search_list);
lookup->need_search = ISC_FALSE;
}
@@ -146,7 +142,7 @@ index 3ca7cb9..f11884e 100644
}
#ifdef WITH_IDN
-@@ -2278,6 +2303,20 @@ setup_lookup(dig_lookup_t *lookup) {
+@@ -2319,6 +2345,20 @@ setup_lookup(dig_lookup_t *lookup) {
IDN_IDNCONV | IDN_LENCHECK, utf8_textname,
idn_textname, sizeof(idn_textname));
idn_check_result(mr, "convert UTF-8 textname to IDN encoding");
@@ -167,7 +163,7 @@ index 3ca7cb9..f11884e 100644
#else
if (lookup->origin != NULL) {
debug("trying origin %s", lookup->origin->origin);
-@@ -2372,6 +2411,13 @@ setup_lookup(dig_lookup_t *lookup) {
+@@ -2389,6 +2429,13 @@ setup_lookup(dig_lookup_t *lookup) {
result = dns_name_fromtext(lookup->name, &b,
dns_rootname, 0,
&lookup->namebuf);
@@ -179,9 +175,9 @@ index 3ca7cb9..f11884e 100644
+ dns_rootname, 0,
+ &lookup->namebuf);
#else
- len = (unsigned int) strlen(lookup->textname);
+ len = (unsigned int) strlen(lookup->textname);
isc_buffer_init(&b, lookup->textname, len);
-@@ -4227,7 +4273,7 @@ destroy_libs(void) {
+@@ -4377,7 +4424,7 @@ destroy_libs(void) {
void * ptr;
dig_message_t *chase_msg;
#endif
@@ -190,7 +186,7 @@ index 3ca7cb9..f11884e 100644
isc_result_t result;
#endif
-@@ -4268,6 +4314,10 @@ destroy_libs(void) {
+@@ -4418,6 +4465,10 @@ destroy_libs(void) {
result = dns_name_settotextfilter(NULL);
check_result(result, "dns_name_settotextfilter");
#endif
@@ -201,7 +197,7 @@ index 3ca7cb9..f11884e 100644
dns_name_destroy();
if (commctx != NULL) {
-@@ -4453,6 +4503,97 @@ idn_check_result(idn_result_t r, const char *msg) {
+@@ -4603,6 +4654,97 @@ idn_check_result(idn_result_t r, const char *msg) {
}
}
#endif /* WITH_IDN */
diff --git a/bind.spec b/bind.spec
index 70cb9fa..d075ccf 100644
--- a/bind.spec
+++ b/bind.spec
@@ -79,8 +79,6 @@ Patch136:bind-9.10-dist-native-pkcs11.patch
# [ISC-Bugs #42525] non-portable use of strlcat in contrib/sdb/ldap/zone2ldap.c
# introduced by https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=fc9f0ac5778f78003a7acc957a23711811fec122
Patch137:bind-9.10-use-of-strlcat.patch
-Patch138:bind-9.10-openssl-1.1.patch
-Patch139:bind-9.11-docbook-xsl.patch
Patch140:bind-9.11-rh1410433.patch
Patch141:bind-9.11-rh1236087.patch
@@ -320,8 +318,6 @@ This package provides a module which allows commands to be sent to rndc directly
%patch119 -p1 -b .rh693982
%patch130 -p1 -b .libdb
%patch131 -p1 -b .multlib-conflict
-%patch138 -p1 -b .rh1390238
-%patch139 -p1 -b .rh1397186
%patch140 -p1 -b .rh1410433
%patch141 -p1 -b .rh1236087
diff --git a/bind97-rh478718.patch b/bind97-rh478718.patch
index 51f5674..e0094aa 100644
--- a/bind97-rh478718.patch
+++ b/bind97-rh478718.patch
@@ -1,8 +1,8 @@
diff --git a/configure.in b/configure.in
-index b79aab0..da67ad5 100644
+index 97d9d15..999040d 100644
--- a/configure.in
+++ b/configure.in
-@@ -3774,6 +3774,10 @@ if test "$use_atomic" = "yes"; then
+@@ -4041,6 +4041,10 @@ if test "yes" = "$use_atomic"; then
AC_MSG_RESULT($arch)
fi
@@ -10,14 +10,14 @@ index b79aab0..da67ad5 100644
+ AC_MSG_ERROR([XADDQ present but disabled by Fedora patch!])
+fi
+
- if test "$have_atomic" = "yes"; then
+ if test "yes" = "$have_atomic"; then
AC_MSG_CHECKING([compiler support for inline assembly code])
diff --git a/lib/isc/include/isc/platform.h.in b/lib/isc/include/isc/platform.h.in
-index 2c6e2a5..bf34499 100644
+index 24b61db..28f49c8 100644
--- a/lib/isc/include/isc/platform.h.in
+++ b/lib/isc/include/isc/platform.h.in
-@@ -285,7 +285,11 @@
+@@ -286,7 +286,11 @@
* If the "xaddq" operation (64bit xadd) is available on this architecture,
* ISC_PLATFORM_HAVEXADDQ will be defined.
*/