<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<title></title>
</head>
<body text="#000000" bgcolor="#ffffff">
For lack of response here, the heimdal guys are putting in a
work-around for this bind bug.<br>
<br>
Sam<br>
<br>
On 25/08/10 17:41, Sam Liddicott wrote:
<blockquote cite="mid:4C7547A8.3050208@liddicott.com" type="cite">
I've also reported this as a bind bug, but I'm posting it here as I think it answers the case for the BSD user in the thread entitled: Can't get BIND to use GSSAPI from /usr/local on FreeBSD<br>
(Patch attached which fixes it for me)<br>
<br>
I've traced my problem to what looks like a mismatch of expectations between heimdal 1.3.3 and bind 9 (BIND 9.7.1-P2).<br>
<br>
In lib/dns/openssl_link.c, entropy_get returns the number of bytes if successful - always equal to argument num (if successful).<br>
<br>
entropy_get is registered as a delegate for OpenSSL's RAND_bytes in dst__openssl_init.<br>
<br>
My man page for RAND_bytes states:<br>
<pre>
RETURN VALUES
    RAND_bytes() returns 1 on success, 0 otherwise. The error code can be
    obtained by ERR_get_error(3). RAND_pseudo_bytes() returns 1 if the
    bytes generated are cryptographically strong, 0 otherwise. Both
    functions return -1 if they are not supported by the current RAND
    method.
</pre>
and entropy_get varies from that behaviour.<br>
<br>
This causes problems with heimdal 1.3.3, in heimdal's lib/krb5/crypto.c:<br>
<pre>
3995     if (RAND_bytes(buf, len) != 1)
3996         krb5_abortx(NULL, "Failed to generate random block");
</pre>
So "nsupdate -g" fails when linked with heimdal 1.3.3.<br>
<br>
It looks like bind 9 is at fault even though heimdal could be more accepting.<br>
<br>
I don't know if there are other similar errors in other openssl_link.c<br>
<br>
<pre wrap="">
_______________________________________________
bind-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a>
<a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a></pre>
</blockquote>
<br>
<br>
<div class="moz-signature">-- <br>
<a href="http://www.fsf.org/register_form?referrer=2325"><img
src="cid:part1.07070206.06030702@liddicott.com" alt="[FSF
Associate Member #2325]" height="31" width="88" border="0"></a>
</div>
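The return-value mismatch from the quoted report, written out as an added example; it is not BIND's, Heimdal's or OpenSSL's code. stub_entropy_source, its 64-byte limit and caller_accepts_block are constructed stand-ins: the first delegate reports a byte count the way the report describes entropy_get doing, the second follows the RAND_bytes contract from the man page, and the caller checks the result exactly as the quoted crypto.c lines do.<br>

```c
#include <stddef.h>

/* Constructed stand-in for BIND's underlying entropy source (not ISC's code):
 * fills buf with num bytes and reports how many it wrote, or 0 on failure.
 * The hypothetical 64-byte limit only gives the example a failure path. */
static int stub_entropy_source(unsigned char *buf, int num)
{
    if (num < 0 || num > 64)
        return 0;                            /* simulated "no entropy available" */
    for (int i = 0; i < num; i++)
        buf[i] = (unsigned char)(0xA5 ^ i);  /* deterministic filler, not randomness */
    return num;
}

/* Delegate shaped like the report's description of entropy_get: on success it
 * returns the byte count (num), which equals 1 only when num happens to be 1. */
int entropy_get_bytecount(unsigned char *buf, int num)
{
    return stub_entropy_source(buf, num);
}

/* Delegate that honours the RAND_bytes contract quoted from the man page:
 * 1 on success, 0 otherwise. */
int entropy_get_rand_contract(unsigned char *buf, int num)
{
    int got = stub_entropy_source(buf, num);
    return (got == num) ? 1 : 0;
}

/* Caller written the way the quoted heimdal crypto.c lines check the result.
 * Returns 1 if the block would be accepted, 0 where heimdal would abort. */
int caller_accepts_block(int (*rand_bytes)(unsigned char *, int), int len)
{
    unsigned char buf[64];
    if (len < 0 || len > (int)sizeof buf)
        return 0;
    if (rand_bytes(buf, len) != 1)           /* the exact check from crypto.c */
        return 0;                            /* krb5_abortx(...) in heimdal */
    return 1;
}
```

With a one-byte request the byte count coincides with 1 and the mismatch is masked, so only multi-byte requests such as a session key expose it.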
</body>
</html>