Report information
The Basics
Id:
45019
Status:
resolved
Priority:
Medium/Medium
Queue:
bind9-public
People
Owner:
Evan Hunt <Evan_Hunt@isc.org>
Requestors:
Cc:
AdminCc:
BugTracker
Version Fixed:
(no value)
Version Found:
(no value)
Versions Affected:
(no value)
Versions Planned:
(no value)
Priority:
P2 Normal
Severity:
S3 Low
CVSS Score:
(no value)
CVE ID:
(no value)
Component:
BIND Server
Area:
feature
Attachments
signature.asc
Dates
Created:Wed, 05 Apr 2017 08:39:38 -0400
Updated:Fri, 06 Oct 2017 02:10:07 -0400
Closed:Fri, 06 Oct 2017 02:10:07 -0400

This bug tracker is no longer active.

Please go to our Gitlab to submit issues (both feature requests and bug reports) for active projects maintained by Internet Systems Consortium (ISC).

Due to security and confidentiality requirements, full access is limited to the primary maintainers.

History
  Wed, 05 Apr 2017 08:39:38 -0400 Mukund Sivaraman <muks@isc.org> - Ticket created
Subject: Use OpenSSL for hash functions by default
Date: Wed, 5 Apr 2017 18:09:30 +0530
To: bind9-bugs@isc.org
From: "Mukund Sivaraman" <muks@isc.org>

checking for using OpenSSL for hash functions... no We don't use OpenSSL hash functions by default. The configure.in check looks like this: # # was --enable-openssl-hash specified? # AC_ARG_ENABLE(openssl-hash, [ --enable-openssl-hash use OpenSSL for hash functions [[default=no]]], want_openssl_hash="$enableval", want_openssl_hash="checkcc") At the end of configure, config.log has the following: ISC_PLATFORM_OPENSSLHASH='#undef ISC_PLATFORM_OPENSSLHASH' We ought to change that to use the OpenSSL hash functions by default (if they're found). The openssl hash function implementations are usually better optimized than what's in libisc (they have hand-crafted assembly implementations). Mukund
signature.asc

Message body not shown because it is not plain text.

Wed, 05 Apr 2017 10:37:52 -0400 Francis Dupont <Francis_Dupont@isc.org> - Status changed from 'new' to 'open'
Wed, 12 Apr 2017 17:44:07 -0400 Stephen Morris <stephen@isc.org> - Priority P2 Normal added
Wed, 12 Apr 2017 17:44:07 -0400 Stephen Morris <stephen@isc.org> - Severity S3 Low added
Wed, 12 Apr 2017 17:44:08 -0400 Stephen Morris <stephen@isc.org> - Area feature added
Wed, 12 Apr 2017 17:44:08 -0400 Stephen Morris <stephen@isc.org> - Component BIND Server added
Wed, 06 Sep 2017 05:10:04 -0400 Francis Dupont <Francis_Dupont@isc.org> - Taken
Wed, 06 Sep 2017 05:30:28 -0400 Francis Dupont <Francis_Dupont@isc.org> - Status changed from 'open' to 'review'
Wed, 06 Sep 2017 05:30:28 -0400 Francis Dupont <Francis_Dupont@isc.org> - Untaken
Wed, 06 Sep 2017 12:59:04 -0400 Vicky Risk <vicky@isc.org> - Queue changed from #6 to bind9-public
  Wed, 06 Sep 2017 14:26:35 -0400 Evan Hunt <Evan_Hunt@isc.org> - Correspondence added

On Wed Sep 06 09:30:27 2017, fdupont wrote: > Done (at the exception of the CHANGES). On my system, using "configure --enable-developer", this causes several things to fail to link due to missing symbols in sha1.c and sha2.c: specifically rndc, nsec3hash, and the "parser_test" unit test in libisccfg. It might just be a library ordering problem on the linker command line but I don't have time to look at it any more closely.
Wed, 06 Sep 2017 14:26:36 -0400 Evan Hunt <Evan_Hunt@isc.org> - Given to Francis Dupont <Francis_Dupont@isc.org>
  Fri, 08 Sep 2017 13:03:48 -0400 Evan Hunt <Evan_Hunt@isc.org> - Correspondence added

The problem turned out to be that -lcrypto was being put in between libdns and libisc, and needed to be after libisc. The latest couple of commits in rt45019 address this. It's working for me now. I haven't had time to test with pkcs11, native or otherwise, but I can try to get to that later today.
  Fri, 08 Sep 2017 18:52:31 -0400 Evan Hunt <Evan_Hunt@isc.org> - Correspondence added

Oops, I forgot to say explicitly: this is okay to merge.
  Sat, 09 Sep 2017 04:34:08 -0400 Francis Dupont <Francis_Dupont@isc.org> - Correspondence added

On Fri Sep 08 22:52:31 2017, each wrote: > Oops, I forgot to say explicitly: this is okay to merge. => Merged to master. I take the occasion to remove a LWRES_INCLUDES from bin/tests/Makefile.in. BTW there is an OMAPI_INCLUDES in its file and in the bin/tools one? Moved to qa as this changes the default setting.
Sat, 09 Sep 2017 04:34:09 -0400 Francis Dupont <Francis_Dupont@isc.org> - Status changed from 'review' to 'qa'
Sat, 09 Sep 2017 04:34:09 -0400 Francis Dupont <Francis_Dupont@isc.org> - Untaken
  Sat, 09 Sep 2017 14:53:12 -0400 Evan Hunt <each@isc.org> - Correspondence added
From: "Evan Hunt" <each@isc.org>
CC:
To: "Francis Dupont via RT" <bind9-public@isc.org>
Subject: Re: [ISC-Bugs #45019] Use OpenSSL for hash functions by default
Date: Sat, 9 Sep 2017 18:53:10 +0000

On Sat, Sep 09, 2017 at 08:34:08AM +0000, Francis Dupont via RT wrote: > BTW there is an OMAPI_INCLUDES in its file and > in the bin/tools one? Ha! The last hangers-on from when BIND still used omapi back in 2001. I've removed them now. > Moved to qa as this changes the default setting. Should we backport this change?
  Sun, 10 Sep 2017 07:00:36 -0400 Francis Dupont <Francis_Dupont@isc.org> - Correspondence added

On Sat Sep 09 18:53:12 2017, each@isc.org wrote: > > Moved to qa as this changes the default setting. > > Should we backport this change? => I don't know for the configure change itself but IMHO we should back port Makefile fixes (and Mark's one to master where libns is backported).
Sun, 10 Sep 2017 07:00:37 -0400 Francis Dupont <Francis_Dupont@isc.org> - Given to Evan Hunt <Evan_Hunt@isc.org>
Fri, 06 Oct 2017 02:10:07 -0400 Evan Hunt <Evan_Hunt@isc.org> - Status changed from 'qa' to 'resolved'