For lack of response here, the heimdal guys are putting in a
work-around for this bind bug.
Sam
On 25/08/10 17:41, Sam Liddicott wrote:
I've also reported this as a bind bug, but I'm posting it here as I think it answers the case for the BSD user in the thread entitled:
Can't get BIND to use GSSAPI from /usr/local on FreeBSD
(Patch attached which fixes it for me)
I've traced my problem to what looks like a mismatch of expectations between heimdal 1.3.3 and bind 9 (BIND 9.7.1-P2).
In lib/dns/openssl_link.c, entropy_get returns the number of bytes if successful - always equal to argument num (if successful).
entropy_get is registered as a delegate for OpenSSL's RAND_bytes in dst__openssl_init.
My man page for RAND_bytes states:
RETURN VALUES
    RAND_bytes() returns 1 on success, 0 otherwise. The error code can be obtained by ERR_get_error(3). RAND_pseudo_bytes() returns 1 if the bytes generated are cryptographically strong, 0 otherwise. Both functions return -1 if they are not supported by the current RAND method.
and entropy_get varies from that behaviour.
This causes problems with heimdal 1.3.3, in heimdal's
lib/krb5/crypto.c:
3995 if (RAND_bytes(buf, len) != 1)
3996 krb5_abortx(NULL, "Failed to generate random block");
So "nsupdate -g" fails when linked with heimdal 1.3.3.
It looks like bind 9 is at fault even though heimdal could be more accepting.
I don't know if there are other similar errors in other openssl_link.c
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
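The return-value mismatch described in the message above, as an added example that is not part of the original post and is not bind's or heimdal's code: a small C model in which a byte-generating callback that reports success as the byte count is rejected by a caller that tests `!= 1`. The callback type, `fill_entropy` and all function names are hypothetical stand-ins, and no OpenSSL calls are used.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a pluggable "bytes" callback. Contract taken from
 * the man page text quoted above: return 1 on success, 0 otherwise. */
typedef int (*rand_bytes_fn)(unsigned char *buf, int num);

/* Constructed stand-in for an entropy source (fixed pattern, NOT random).
 * Returns 0 on success, -1 on bad arguments. */
static int fill_entropy(unsigned char *buf, int num) {
    if (buf == NULL || num < 0)
        return -1;
    memset(buf, 0xA5, (size_t)num);
    return 0;
}

/* Behaviour the message describes: success is reported as the byte count. */
static int delegate_returns_count(unsigned char *buf, int num) {
    return fill_entropy(buf, num) == 0 ? num : 0;
}

/* Behaviour the quoted contract asks for: success is reported as 1. */
static int delegate_returns_one(unsigned char *buf, int num) {
    return fill_entropy(buf, num) == 0 ? 1 : 0;
}

/* Caller using the strict test from the quoted lines (anything != 1 is a
 * failure). Returns 1 if the caller would proceed, 0 if it would abort. */
static int strict_caller_accepts(rand_bytes_fn fn, int len) {
    unsigned char buf[64];
    if (len < 0 || len > (int)sizeof(buf))
        return 0;
    return fn(buf, len) == 1;
}

int count_delegate_ok(int len) { return strict_caller_accepts(delegate_returns_count, len); }
int contract_delegate_ok(int len) { return strict_caller_accepts(delegate_returns_one, len); }

int main(void) {
    int lens[] = {1, 16, 32};
    for (size_t i = 0; i < sizeof(lens) / sizeof(lens[0]); i++)
        printf("len=%2d  count-style: %s  contract-style: %s\n", lens[i],
               count_delegate_ok(lens[i]) ? "accepted" : "ABORT",
               contract_delegate_ok(lens[i]) ? "accepted" : "ABORT");
    return 0;
}
```

With the count-style callback only a 1-byte request passes the strict check, so every longer request takes the abort path even though the buffer was filled.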