diff --git a/CVE-2022-2906.patch b/CVE-2022-2906.patch
deleted file mode 100644
index a7a12eb..0000000
--- a/CVE-2022-2906.patch
+++ /dev/null
@@ -1,138 +0,0 @@ -From 73df5c80538970ee1fbc4fe3348109bdc281e197 Mon Sep 17 00:00:00 2001 -From: Aram Sargsyan -Date: Thu, 18 Aug 2022 08:59:09 +0000 -Subject: [PATCH] Fix memory leaks in DH code - -When used with OpenSSL v3.0.0+, the `openssldh_compare()`, -`openssldh_paramcompare()`, and `openssldh_todns()` functions -fail to cleanup the used memory on some error paths. - -Use `DST_RET` instead of `return`, when there is memory to be -released before returning from the functions. - -Conflict: NA -Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/73df5c80538970ee1fbc4fe3348109bdc281e197 - -(cherry picked from commit 73d6bbff4e1df583810126fe58eac39bb52bc0d9) ---- - lib/dns/openssldh_link.c | 45 +++++++++++++++++++++++----------------- - 1 file changed, 26 insertions(+), 19 deletions(-) - -diff --git a/lib/dns/openssldh_link.c b/lib/dns/openssldh_link.c -index 72b8209..ece97ea 100644 ---- a/lib/dns/openssldh_link.c -+++ b/lib/dns/openssldh_link.c -@@ -68,6 +68,12 @@ - "83655D23DCA3AD961C62F356208552BB9ED529077096966D" \ - "670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF" - -+#define DST_RET(a) \ -+ { \ -+ ret = a; \ -+ goto err; \ -+ } -+ - static BIGNUM *bn2 = NULL, *bn768 = NULL, *bn1024 = NULL, *bn1536 = NULL; - - #if !HAVE_DH_GET0_KEY -@@ -180,7 +186,8 @@ openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv, - - static bool - openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) { -- DH *dh1, *dh2; -+ bool ret = true; -+ DH *dh1, *dh2; - const BIGNUM *pub_key1 = NULL, *pub_key2 = NULL; - const BIGNUM *priv_key1 = NULL, *priv_key2 = NULL; - const BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL; -@@ -202,23 +209,24 @@ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) { - if (BN_cmp(p1, p2) != 0 || BN_cmp(g1, g2) != 0 || - BN_cmp(pub_key1, pub_key2) != 0) - { -- return (false); -+ DST_RET(false); - } - - if (priv_key1 != NULL || priv_key2 != NULL) { -- if (priv_key1 == NULL || priv_key2 == NULL) { -- return 
(false); -- } -- if (BN_cmp(priv_key1, priv_key2) != 0) { -- return (false); -+ if (priv_key1 == NULL || priv_key2 == NULL || -+ BN_cmp(priv_key1, priv_key2) != 0) { -+ DST_RET(false); - } - } -- return (true); -+ -+err: -+ return (ret); - } - - static bool - openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) { -- DH *dh1, *dh2; -+ bool ret = true; -+ DH *dh1, *dh2; - const BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL; - - dh1 = key1->keydata.dh; -@@ -234,9 +242,11 @@ openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) { - DH_get0_pqg(dh2, &p2, NULL, &g2); - - if (BN_cmp(p1, p2) != 0 || BN_cmp(g1, g2) != 0) { -- return (false); -+ DST_RET(false); - } -- return (true); -+ -+err: -+ return (ret); - } - - static int -@@ -386,7 +396,8 @@ uint16_fromregion(isc_region_t *region) { - - static isc_result_t - openssldh_todns(const dst_key_t *key, isc_buffer_t *data) { -- DH *dh; -+ isc_result_t ret = ISC_R_SUCCESS; -+ DH *dh; - const BIGNUM *pub_key = NULL, *p = NULL, *g = NULL; - isc_region_t r; - uint16_t dnslen, plen, glen, publen; -@@ -412,7 +423,7 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) { - publen = BN_num_bytes(pub_key); - dnslen = plen + glen + publen + 6; - if (r.length < (unsigned int)dnslen) { -- return (ISC_R_NOSPACE); -+ DST_RET(ISC_R_NOSPACE); - } - - uint16_toregion(plen, &r); -@@ -441,7 +452,8 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) { - - isc_buffer_add(data, dnslen); - -- return (ISC_R_SUCCESS); -+err: -+ return (ret); - } - - static isc_result_t -@@ -659,11 +671,6 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { - DH *dh = NULL; - BIGNUM *pub_key = NULL, *priv_key = NULL, *p = NULL, *g = NULL; - isc_mem_t *mctx; --#define DST_RET(a) \ -- { \ -- ret = a; \ -- goto err; \ -- } - - UNUSED(pub); - mctx = key->mctx; --- -2.23.0 - diff --git a/backport-CVE-2023-2911.patch b/backport-CVE-2023-2911.patch deleted file mode 100644 index a5f2b2c..0000000 
--- a/backport-CVE-2023-2911.patch
+++ /dev/null
@@ -1,107 +0,0 @@ -From 240caa32b9cab90a38ab863fd64e6becf5d1393c Mon Sep 17 00:00:00 2001 -From: Evan Hunt -Date: Thu, 25 May 2023 23:53:50 -0700 -Subject: [PATCH] Stale answer lookups could loop when over recursion quota - -When a query was aborted because of the recursion quota being exceeded, -but triggered a stale answer response and a stale data refresh query, -it could cause named to loop back where we are iterating and following -a delegation. Having no good answer in cache, we would fall back to -using serve-stale again, use the stale data, try to refresh the RRset, -and loop back again, without ever terminating until crashing due to -stack overflow. - -This happens because in the functions 'query_notfound()' and -'query_delegation_recurse()', we check whether we can fall back to -serving stale data. We shouldn't do so if we are already refreshing -an RRset due to having prioritized stale data in cache. - -In other words, we need to add an extra check to 'query_usestale()' to -disallow serving stale data if we are currently refreshing a stale -RRset. - -As an additional mitigation to prevent looping, we now use the result -code ISC_R_ALREADYRUNNING rather than ISC_R_FAILURE when a recursion -loop is encountered, and we check for that condition in -'query_usestale()' as well. - ---- - lib/ns/query.c | 30 ++++++++++++++++++++++-------- - 1 file changed, 22 insertions(+), 8 deletions(-) - -diff --git a/lib/ns/query.c b/lib/ns/query.c -index 1444de5..3ce6742 100644 ---- a/lib/ns/query.c -+++ b/lib/ns/query.c -@@ -5696,6 +5696,7 @@ query_refresh_rrset(query_ctx_t *orig_qctx) { - qctx.client->query.dboptions &= ~(DNS_DBFIND_STALETIMEOUT | - DNS_DBFIND_STALEOK | - DNS_DBFIND_STALEENABLED); -+ qctx.client->nodetach = false; - - /* - * We'll need some resources... 
-@@ -5920,7 +5921,14 @@ query_lookup(query_ctx_t *qctx) { - "%s stale answer used, an attempt to " - "refresh the RRset will still be made", - namebuf); -+ - qctx->refresh_rrset = STALE(qctx->rdataset); -+ -+ /* -+ * If we are refreshing the RRSet, we must not -+ * detach from the client in query_send(). -+ */ -+ qctx->client->nodetach = qctx->refresh_rrset; - } - } else { - /* -@@ -6272,7 +6280,7 @@ ns_query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname, - if (recparam_match(&client->query.recparam, qtype, qname, qdomain)) { - ns_client_log(client, NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_QUERY, - ISC_LOG_INFO, "recursion loop detected"); -- return (ISC_R_FAILURE); -+ return (ISC_R_ALREADYRUNNING); - } - - recparam_update(&client->query.recparam, qtype, qname, qdomain); -@@ -7235,10 +7243,21 @@ query_usestale(query_ctx_t *qctx, isc_result_t result) { - return (false); - } - -- if (result == DNS_R_DUPLICATE || result == DNS_R_DROP) { -+ if (qctx->refresh_rrset) { -+ /* -+ * This is a refreshing query, we have already prioritized -+ * stale data, so don't enable serve-stale again. -+ */ -+ return (false); -+ } -+ -+ if (result == DNS_R_DUPLICATE || result == DNS_R_DROP || -+ result == ISC_R_ALREADYRUNNING) -+ { - /* - * Don't enable serve-stale if the result signals a duplicate -- * query or query that is being dropped. -+ * query or a query that is being dropped or can't proceed -+ * because of a recursion loop. - */ - return (false); - } -@@ -11490,12 +11509,7 @@ ns_query_done(query_ctx_t *qctx) { - /* - * Client may have been detached after query_send(), so - * we test and store the flag state here, for safety. -- * If we are refreshing the RRSet, we must not detach from the client -- * in the query_send(), so we need to override the flag. - */ -- if (qctx->refresh_rrset) { -- qctx->client->nodetach = true; -- } - nodetach = qctx->client->nodetach; - query_send(qctx->client); - --- -2.33.0 - 
diff --git a/backport-CVE-2023-3341.patch b/backport-CVE-2023-3341.patch
deleted file mode 100644
index 690f23b..0000000
--- a/backport-CVE-2023-3341.patch
+++ /dev/null
@@ -1,172 +0,0 @@ -From 820b0cceef0b67b041973da4041ea53d5e276363 Mon Sep 17 00:00:00 2001 -From: Mark Andrews -Date: Tue, 20 Jun 2023 15:21:36 +1000 -Subject: [PATCH] Limit isccc_cc_fromwire recursion depth - -Named and rndc do not need a lot of recursion so the depth is -set to 10. - -Conflict: NA -Reference: https://downloads.isc.org/isc/bind9/9.16.44/patches/0001-CVE-2023-3341.patch - ---- - lib/isccc/cc.c | 39 ++++++++++++++++++++++++-------- - lib/isccc/include/isccc/result.h | 4 +++- - lib/isccc/result.c | 4 +++- - 3 files changed, 35 insertions(+), 12 deletions(-) - -diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c -index 0be28b9..3744d0f 100644 ---- a/lib/isccc/cc.c -+++ b/lib/isccc/cc.c -@@ -50,6 +50,10 @@ - - #define MAX_TAGS 256 - #define DUP_LIFETIME 900 -+#ifndef ISCCC_MAXDEPTH -+#define ISCCC_MAXDEPTH \ -+ 10 /* Big enough for rndc which just sends a string each way. */ -+#endif - - typedef isccc_sexpr_t *sexpr_ptr; - -@@ -480,19 +484,25 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length, - - static isc_result_t - table_fromwire(isccc_region_t *source, isccc_region_t *secret, -- uint32_t algorithm, isccc_sexpr_t **alistp); -+ uint32_t algorithm, unsigned int depth, isccc_sexpr_t **alistp); - - static isc_result_t --list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp); -+list_fromwire(isccc_region_t *source, unsigned int depth, -+ isccc_sexpr_t **listp); - - static isc_result_t --value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) { -+value_fromwire(isccc_region_t *source, unsigned int depth, -+ isccc_sexpr_t **valuep) { - unsigned int msgtype; - uint32_t len; - isccc_sexpr_t *value; - isccc_region_t active; - isc_result_t result; - -+ if (depth > ISCCC_MAXDEPTH) { -+ return (ISCCC_R_MAXDEPTH); -+ } -+ - if (REGION_SIZE(*source) < 1 + 4) { - return (ISC_R_UNEXPECTEDEND); - } -@@ -513,9 +523,9 @@ value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) { - result = ISC_R_NOMEMORY; - } - } else if (msgtype == 
ISCCC_CCMSGTYPE_TABLE) { -- result = table_fromwire(&active, NULL, 0, valuep); -+ result = table_fromwire(&active, NULL, 0, depth + 1, valuep); - } else if (msgtype == ISCCC_CCMSGTYPE_LIST) { -- result = list_fromwire(&active, valuep); -+ result = list_fromwire(&active, depth + 1, valuep); - } else { - result = ISCCC_R_SYNTAX; - } -@@ -525,7 +535,7 @@ value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) { - - static isc_result_t - table_fromwire(isccc_region_t *source, isccc_region_t *secret, -- uint32_t algorithm, isccc_sexpr_t **alistp) { -+ uint32_t algorithm, unsigned int depth, isccc_sexpr_t **alistp) { - char key[256]; - uint32_t len; - isc_result_t result; -@@ -535,6 +545,10 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret, - - REQUIRE(alistp != NULL && *alistp == NULL); - -+ if (depth > ISCCC_MAXDEPTH) { -+ return (ISCCC_R_MAXDEPTH); -+ } -+ - checksum_rstart = NULL; - first_tag = true; - alist = isccc_alist_create(); -@@ -551,7 +565,7 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret, - GET_MEM(key, len, source->rstart); - key[len] = '\0'; /* Ensure NUL termination. 
*/ - value = NULL; -- result = value_fromwire(source, &value); -+ result = value_fromwire(source, depth + 1, &value); - if (result != ISC_R_SUCCESS) { - goto bad; - } -@@ -589,14 +603,19 @@ bad: - } - - static isc_result_t --list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp) { -+list_fromwire(isccc_region_t *source, unsigned int depth, -+ isccc_sexpr_t **listp) { - isccc_sexpr_t *list, *value; - isc_result_t result; - -+ if (depth > ISCCC_MAXDEPTH) { -+ return (ISCCC_R_MAXDEPTH); -+ } -+ - list = NULL; - while (!REGION_EMPTY(*source)) { - value = NULL; -- result = value_fromwire(source, &value); -+ result = value_fromwire(source, depth + 1, &value); - if (result != ISC_R_SUCCESS) { - isccc_sexpr_free(&list); - return (result); -@@ -628,7 +647,7 @@ isccc_cc_fromwire(isccc_region_t *source, isccc_sexpr_t **alistp, - return (ISCCC_R_UNKNOWNVERSION); - } - -- return (table_fromwire(source, secret, algorithm, alistp)); -+ return (table_fromwire(source, secret, algorithm, 0, alistp)); - } - - static isc_result_t -diff --git a/lib/isccc/include/isccc/result.h b/lib/isccc/include/isccc/result.h -index 5346bab..5b6a876 100644 ---- a/lib/isccc/include/isccc/result.h -+++ b/lib/isccc/include/isccc/result.h -@@ -46,8 +46,10 @@ - #define ISCCC_R_CLOCKSKEW (ISC_RESULTCLASS_ISCCC + 4) - /*% Duplicate */ - #define ISCCC_R_DUPLICATE (ISC_RESULTCLASS_ISCCC + 5) -+/*% Maximum recursion depth */ -+#define ISCCC_R_MAXDEPTH (ISC_RESULTCLASS_ISCCC + 6) - --#define ISCCC_R_NRESULTS 6 /*%< Number of results */ -+#define ISCCC_R_NRESULTS 7 /*%< Number of results */ - - ISC_LANG_BEGINDECLS - -diff --git a/lib/isccc/result.c b/lib/isccc/result.c -index 9285435..1956cb1 100644 ---- a/lib/isccc/result.c -+++ b/lib/isccc/result.c -@@ -36,12 +36,14 @@ static const char *text[ISCCC_R_NRESULTS] = { - "bad auth", /* 3 */ - "expired", /* 4 */ - "clock skew", /* 5 */ -- "duplicate" /* 6 */ -+ "duplicate", /* 6 */ -+ "max depth" /* 7 */ - }; - - static const char *ids[ISCCC_R_NRESULTS] = { - 
"ISCCC_R_UNKNOWNVERSION", "ISCCC_R_SYNTAX", "ISCCC_R_BADAUTH",
- "ISCCC_R_EXPIRED", "ISCCC_R_CLOCKSKEW", "ISCCC_R_DUPLICATE",
-+ "ISCCC_R_MAXDEPTH"
- };
-
- #define ISCCC_RESULT_RESULTSET 2
---
-2.33.0
-
diff --git a/bind-9.10-dist-native-pkcs11.patch b/bind-9.10-dist-native-pkcs11.patch
deleted file mode 100644
index e4f1ebd..0000000
--- a/bind-9.10-dist-native-pkcs11.patch
+++ /dev/null
@@ -1,541 +0,0 @@ -From 1cbffe7e8b5bced9134abbae23a2a20c83d39a6a Mon Sep 17 00:00:00 2001 -From: Petr Mensik -Date: Thu, 21 Jan 2021 10:46:20 +0100 -Subject: [PATCH] Enable custom pkcs11 native build - -Share common parts like libisc, libcc and others. But provide native -pkcs11 libraries as a new copy of libdns and libns. ---- - bin/Makefile.in | 2 +- - bin/confgen/Makefile.in | 2 +- - bin/dnssec-pkcs11/Makefile.in | 39 +++++++++++++++++--------------- - bin/named-pkcs11/Makefile.in | 31 +++++++++++++------------ - configure.ac | 19 ++++++++++++++++ - lib/Makefile.in | 2 +- - lib/dns-pkcs11/Makefile.in | 22 +++++++++--------- - lib/dns-pkcs11/tests/Makefile.in | 8 +++---- - lib/ns-pkcs11/Makefile.in | 26 ++++++++++----------- - lib/ns-pkcs11/tests/Makefile.in | 12 +++++----- - make/includes.in | 7 ++++++ - 11 files changed, 100 insertions(+), 70 deletions(-) - -diff --git a/bin/Makefile.in b/bin/Makefile.in -index 9ad7f62..094775a 100644 ---- a/bin/Makefile.in -+++ b/bin/Makefile.in -@@ -11,7 +11,7 @@ srcdir = @srcdir@ - VPATH = @srcdir@ - top_srcdir = @top_srcdir@ - --SUBDIRS = named rndc dig delv dnssec tools nsupdate check confgen \ -+SUBDIRS = named named-pkcs11 rndc dig delv dnssec dnssec-pkcs11 tools nsupdate check confgen \ - @NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ plugins tests - TARGETS = - -diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in -index c126bf3..1b7512d 100644 ---- a/bin/confgen/Makefile.in -+++ b/bin/confgen/Makefile.in -@@ -22,7 +22,7 @@ VERSION=@BIND9_VERSION@ - CINCLUDES = -I${srcdir}/include ${ISC_INCLUDES} ${ISCCC_INCLUDES} \ - ${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} - --CDEFINES = @USE_PKCS11@ -+CDEFINES = - CWARNINGS = - - ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@ -diff --git a/bin/dnssec-pkcs11/Makefile.in b/bin/dnssec-pkcs11/Makefile.in -index ace0e5a..e0f6a00 100644 ---- a/bin/dnssec-pkcs11/Makefile.in -+++ b/bin/dnssec-pkcs11/Makefile.in -@@ -15,18 +15,18 @@ VERSION=@BIND9_VERSION@ - - 
@BIND9_MAKE_INCLUDES@ - --CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \ -+CINCLUDES = ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \ - ${OPENSSL_CFLAGS} - --CDEFINES = -DVERSION=\"${VERSION}\" -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\" -+CDEFINES = -DVERSION=\"${VERSION}\" -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\" -DUSE_PKCS11=1 - CWARNINGS = - --DNSLIBS = ../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@ -+DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@ - ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@ - ISCLIBS = ../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@ - ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @NO_LIBTOOL_ISCLIBS@ - --DNSDEPLIBS = ../../lib/dns/libdns.@A@ -+DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ - ISCDEPLIBS = ../../lib/isc/libisc.@A@ - ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@ - -@@ -36,12 +36,15 @@ LIBS = ${DNSLIBS} ${ISCCFGLIBS} ${ISCLIBS} @LIBS@ - - NOSYMLIBS = ${DNSLIBS} ${ISCCFGLIBS} ${ISCNOSYMLIBS} @LIBS@ - -+# Add suffix to all targets -+EXEEXT = -pkcs11@EXEEXT@ -+ - # Alphabetically --TARGETS = dnssec-cds@EXEEXT@ dnssec-dsfromkey@EXEEXT@ \ -- dnssec-importkey@EXEEXT@ dnssec-keyfromlabel@EXEEXT@ \ -- dnssec-keygen@EXEEXT@ dnssec-revoke@EXEEXT@ \ -- dnssec-settime@EXEEXT@ dnssec-signzone@EXEEXT@ \ -- dnssec-verify@EXEEXT@ -+TARGETS = dnssec-cds${EXEEXT} dnssec-dsfromkey${EXEEXT} \ -+ dnssec-importkey${EXEEXT} dnssec-keyfromlabel${EXEEXT} \ -+ dnssec-keygen${EXEEXT} dnssec-revoke${EXEEXT} \ -+ dnssec-settime${EXEEXT} dnssec-signzone${EXEEXT} \ -+ dnssec-verify${EXEEXT} - - OBJS = dnssectool.@O@ - -@@ -52,19 +55,19 @@ SRCS = dnssec-cds.c dnssec-dsfromkey.c dnssec-importkey.c \ - - @BIND9_MAKE_RULES@ - --dnssec-cds@EXEEXT@: dnssec-cds.@O@ ${OBJS} ${DEPLIBS} -+dnssec-cds-pkcs11@EXEEXT@: dnssec-cds.@O@ ${OBJS} ${DEPLIBS} - export BASEOBJS="dnssec-cds.@O@ ${OBJS}"; \ - ${FINALBUILDCMD} - --dnssec-dsfromkey@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS} 
-+dnssec-dsfromkey-pkcs11@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS} - export BASEOBJS="dnssec-dsfromkey.@O@ ${OBJS}"; \ - ${FINALBUILDCMD} - --dnssec-keyfromlabel@EXEEXT@: dnssec-keyfromlabel.@O@ ${OBJS} ${DEPLIBS} -+dnssec-keyfromlabel-pkcs11@EXEEXT@: dnssec-keyfromlabel.@O@ ${OBJS} ${DEPLIBS} - export BASEOBJS="dnssec-keyfromlabel.@O@ ${OBJS}"; \ - ${FINALBUILDCMD} - --dnssec-keygen@EXEEXT@: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS} -+dnssec-keygen-pkcs11@EXEEXT@: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS} - export BASEOBJS="dnssec-keygen.@O@ ${OBJS}"; \ - ${FINALBUILDCMD} - -@@ -72,7 +75,7 @@ dnssec-signzone.@O@: dnssec-signzone.c - ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \ - -c ${srcdir}/dnssec-signzone.c - --dnssec-signzone@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS} -+dnssec-signzone-pkcs11@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS} - export BASEOBJS="dnssec-signzone.@O@ ${OBJS}"; \ - ${FINALBUILDCMD} - -@@ -80,19 +83,19 @@ dnssec-verify.@O@: dnssec-verify.c - ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \ - -c ${srcdir}/dnssec-verify.c - --dnssec-verify@EXEEXT@: dnssec-verify.@O@ ${OBJS} ${DEPLIBS} -+dnssec-verify-pkcs11@EXEEXT@: dnssec-verify.@O@ ${OBJS} ${DEPLIBS} - export BASEOBJS="dnssec-verify.@O@ ${OBJS}"; \ - ${FINALBUILDCMD} - --dnssec-revoke@EXEEXT@: dnssec-revoke.@O@ ${OBJS} ${DEPLIBS} -+dnssec-revoke-pkcs11@EXEEXT@: dnssec-revoke.@O@ ${OBJS} ${DEPLIBS} - ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \ - dnssec-revoke.@O@ ${OBJS} ${LIBS} - --dnssec-settime@EXEEXT@: dnssec-settime.@O@ ${OBJS} ${DEPLIBS} -+dnssec-settime-pkcs11@EXEEXT@: dnssec-settime.@O@ ${OBJS} ${DEPLIBS} - ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \ - dnssec-settime.@O@ ${OBJS} ${LIBS} - --dnssec-importkey@EXEEXT@: dnssec-importkey.@O@ ${OBJS} ${DEPLIBS} -+dnssec-importkey-pkcs11@EXEEXT@: dnssec-importkey.@O@ ${OBJS} ${DEPLIBS} - ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} 
${LDFLAGS} -o $@ \ - dnssec-importkey.@O@ ${OBJS} ${LIBS} - -diff --git a/bin/named-pkcs11/Makefile.in b/bin/named-pkcs11/Makefile.in -index debb906..ecfdb6c 100644 ---- a/bin/named-pkcs11/Makefile.in -+++ b/bin/named-pkcs11/Makefile.in -@@ -37,13 +37,14 @@ DBDRIVER_LIBS = - - DLZ_DRIVER_DIR = ${top_srcdir}/contrib/dlz/drivers - --DLZDRIVER_OBJS = @DLZ_DRIVER_OBJS@ --DLZDRIVER_SRCS = @DLZ_DRIVER_SRCS@ --DLZDRIVER_INCLUDES = @DLZ_DRIVER_INCLUDES@ --DLZDRIVER_LIBS = @DLZ_DRIVER_LIBS@ -+# Skip building on PKCS11 variant -+DLZDRIVER_OBJS = -+DLZDRIVER_SRCS = -+DLZDRIVER_INCLUDES = -+DLZDRIVER_LIBS = - - CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \ -- ${NS_INCLUDES} ${DNS_INCLUDES} \ -+ ${NS_PKCS11_INCLUDES} ${DNS_PKCS11_INCLUDES} \ - ${BIND9_INCLUDES} ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} \ - ${ISC_INCLUDES} ${DLZDRIVER_INCLUDES} \ - ${DBDRIVER_INCLUDES} \ -@@ -56,24 +57,24 @@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \ - ${LIBXML2_CFLAGS} \ - ${MAXMINDDB_CFLAGS} - --CDEFINES = @CONTRIB_DLZ@ -+CDEFINES = - - CWARNINGS = - --DNSLIBS = ../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@ -+DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@ - ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@ - ISCCCLIBS = ../../lib/isccc/libisccc.@A@ - ISCLIBS = ../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@ - ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @NO_LIBTOOL_ISCLIBS@ - BIND9LIBS = ../../lib/bind9/libbind9.@A@ --NSLIBS = ../../lib/ns/libns.@A@ -+NSLIBS = ../../lib/ns-pkcs11/libns-pkcs11.@A@ - --DNSDEPLIBS = ../../lib/dns/libdns.@A@ -+DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ - ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@ - ISCCCDEPLIBS = ../../lib/isccc/libisccc.@A@ - ISCDEPLIBS = ../../lib/isc/libisc.@A@ - BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@ --NSDEPLIBS = ../../lib/ns/libns.@A@ -+NSDEPLIBS = ../../lib/ns-pkcs11/libns-pkcs11.@A@ - - DEPLIBS = ${NSDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \ - ${ISCCFGDEPLIBS} 
${ISCCCDEPLIBS} ${ISCDEPLIBS} -@@ -93,7 +94,7 @@ NOSYMLIBS = ${NSLIBS} ${DNSLIBS} ${BIND9LIBS} \ - - SUBDIRS = unix - --TARGETS = named@EXEEXT@ -+TARGETS = named-pkcs11@EXEEXT@ - - GEOIP2LINKOBJS = geoip.@O@ - -@@ -151,7 +152,7 @@ server.@O@: server.c - -DPRODUCT=\"${PRODUCT}\" \ - -DVERSION=\"${VERSION}\" -c ${srcdir}/server.c - --named@EXEEXT@: ${OBJS} ${DEPLIBS} -+named-pkcs11@EXEEXT@: ${OBJS} ${DEPLIBS} - export MAKE_SYMTABLE="yes"; \ - export BASEOBJS="${OBJS} ${UOBJS}"; \ - ${FINALBUILDCMD} -@@ -170,11 +171,11 @@ statschannel.@O@: bind9.xsl.h - installdirs: - $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir} - --install:: named@EXEEXT@ installdirs -- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir} -+install:: named-pkcs11@EXEEXT@ installdirs -+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-pkcs11@EXEEXT@ ${DESTDIR}${sbindir} - - uninstall:: -- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named@EXEEXT@ -+ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named-pkcs11@EXEEXT@ - - @DLZ_DRIVER_RULES@ - -diff --git a/configure.ac b/configure.ac -index e405eaf..efaa5a7 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -1269,12 +1269,14 @@ AC_SUBST(USE_GSSAPI) - AC_SUBST(DST_GSSAPI_INC) - AC_SUBST(DNS_GSSAPI_LIBS) - DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS" -+DNS_CRYPTO_PK11_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_PK11_LIBS" - - # - # Applications linking with libdns also need to link with these libraries. - # - - AC_SUBST(DNS_CRYPTO_LIBS) -+AC_SUBST(DNS_CRYPTO_PK11_LIBS) - - # - # was --with-lmdb specified? 
-@@ -2345,6 +2347,8 @@ AC_SUBST(BIND9_DNS_BUILDINCLUDE) - AC_SUBST(BIND9_NS_BUILDINCLUDE) - AC_SUBST(BIND9_BIND9_BUILDINCLUDE) - AC_SUBST(BIND9_IRS_BUILDINCLUDE) -+AC_SUBST(BIND9_DNS_PKCS11_BUILDINCLUDE) -+AC_SUBST(BIND9_NS_PKCS11_BUILDINCLUDE) - if test "X$srcdir" != "X"; then - BIND9_ISC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isc/include" - BIND9_ISCCC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isccc/include" -@@ -2353,6 +2357,8 @@ if test "X$srcdir" != "X"; then - BIND9_NS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/ns/include" - BIND9_BIND9_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/bind9/include" - BIND9_IRS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/irs/include" -+ BIND9_DNS_PKCS11_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/dns-pkcs11/include" -+ BIND9_NS_PKCS11_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/ns-pkcs11/include" - else - BIND9_ISC_BUILDINCLUDE="" - BIND9_ISCCC_BUILDINCLUDE="" -@@ -2361,6 +2367,8 @@ else - BIND9_NS_BUILDINCLUDE="" - BIND9_BIND9_BUILDINCLUDE="" - BIND9_IRS_BUILDINCLUDE="" -+ BIND9_DNS_PKCS11_BUILDINCLUDE="" -+ BIND9_NS_PKCS11_BUILDINCLUDE="" - fi - - AC_SUBST_FILE(BIND9_MAKE_INCLUDES) -@@ -2816,8 +2824,11 @@ AC_CONFIG_FILES([ - bin/delv/Makefile - bin/dig/Makefile - bin/dnssec/Makefile -+ bin/dnssec-pkcs11/Makefile - bin/named/Makefile - bin/named/unix/Makefile -+ bin/named-pkcs11/Makefile -+ bin/named-pkcs11/unix/Makefile - bin/nsupdate/Makefile - bin/pkcs11/Makefile - bin/plugins/Makefile -@@ -2879,6 +2890,10 @@ AC_CONFIG_FILES([ - lib/dns/include/dns/Makefile - lib/dns/include/dst/Makefile - lib/dns/tests/Makefile -+ lib/dns-pkcs11/Makefile -+ lib/dns-pkcs11/include/Makefile -+ lib/dns-pkcs11/include/dns/Makefile -+ lib/dns-pkcs11/include/dst/Makefile - lib/irs/Makefile - lib/irs/include/Makefile - lib/irs/include/irs/Makefile -@@ -2911,6 +2926,10 @@ AC_CONFIG_FILES([ - lib/ns/include/Makefile - lib/ns/include/ns/Makefile - lib/ns/tests/Makefile -+ lib/ns-pkcs11/Makefile -+ lib/ns-pkcs11/include/Makefile -+ 
lib/ns-pkcs11/include/ns/Makefile -+ lib/ns-pkcs11/tests/Makefile - make/Makefile - make/mkdep - unit/unittest.sh -diff --git a/lib/Makefile.in b/lib/Makefile.in -index 833964e..058ba2f 100644 ---- a/lib/Makefile.in -+++ b/lib/Makefile.in -@@ -15,7 +15,7 @@ top_srcdir = @top_srcdir@ - # Attempt to disable parallel processing. - .NOTPARALLEL: - .NO_PARALLEL: --SUBDIRS = isc isccc dns ns isccfg bind9 irs -+SUBDIRS = isc isccc dns dns-pkcs11 ns ns-pkcs11 isccfg bind9 irs - TARGETS = - - @BIND9_MAKE_RULES@ -diff --git a/lib/dns-pkcs11/Makefile.in b/lib/dns-pkcs11/Makefile.in -index 58bda3c..d6a45df 100644 ---- a/lib/dns-pkcs11/Makefile.in -+++ b/lib/dns-pkcs11/Makefile.in -@@ -22,7 +22,7 @@ VERSION=@BIND9_VERSION@ - - @BIND9_MAKE_INCLUDES@ - --CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \ -+CINCLUDES = -I. -I${top_srcdir}/lib/dns-pkcs11 -Iinclude ${DNS_PKCS11_INCLUDES} \ - ${ISC_INCLUDES} \ - ${FSTRM_CFLAGS} \ - ${OPENSSL_CFLAGS} @DST_GSSAPI_INC@ \ -@@ -32,7 +32,7 @@ CINCLUDES = -I. 
-I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \ - ${LMDB_CFLAGS} \ - ${MAXMINDDB_CFLAGS} - --CDEFINES = @USE_GSSAPI@ -+CDEFINES = @USE_GSSAPI@ @USE_PKCS11@ - - CWARNINGS = - -@@ -135,15 +135,15 @@ version.@O@: version.c - -DMAPAPI=\"${MAPAPI}\" \ - -c ${srcdir}/version.c - --libdns.@SA@: ${OBJS} -+libdns-pkcs11.@SA@: ${OBJS} - ${AR} ${ARFLAGS} $@ ${OBJS} - ${RANLIB} $@ - --libdns.la: ${OBJS} -+libdns-pkcs11.la: ${OBJS} - ${LIBTOOL_MODE_LINK} \ -- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns.la -rpath ${libdir} \ -+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns-pkcs11.la -rpath ${libdir} \ - -release "${VERSION}" \ -- ${OBJS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${LIBS} -+ ${OBJS} ${ISCLIBS} @DNS_CRYPTO_PK11_LIBS@ ${LIBS} - - include: gen - ${MAKE} include/dns/enumtype.h -@@ -174,22 +174,22 @@ gen: gen.c - ${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c \ - ${BUILD_LIBS} ${LFS_LIBS} - --timestamp: include libdns.@A@ -+timestamp: include libdns-pkcs11.@A@ - touch timestamp - --testdirs: libdns.@A@ -+testdirs: libdns-pkcs11.@A@ - - installdirs: - $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir} - - install:: timestamp installdirs -- ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libdns.@A@ ${DESTDIR}${libdir} -+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libdns-pkcs11.@A@ ${DESTDIR}${libdir} - - uninstall:: -- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libdns.@A@ -+ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libdns-pkcs11.@A@ - - clean distclean:: -- rm -f libdns.@A@ timestamp -+ rm -f libdns-pkcs11.@A@ timestamp - rm -f gen code.h include/dns/enumtype.h include/dns/enumclass.h - rm -f include/dns/rdatastruct.h - rm -f dnstap.pb-c.c dnstap.pb-c.h -diff --git a/lib/dns-pkcs11/tests/Makefile.in b/lib/dns-pkcs11/tests/Makefile.in -index da91394..aadb73f 100644 ---- a/lib/dns-pkcs11/tests/Makefile.in -+++ b/lib/dns-pkcs11/tests/Makefile.in -@@ -15,15 +15,15 @@ VERSION=@BIND9_VERSION@ - - @BIND9_MAKE_INCLUDES@ - --CINCLUDES = -I. 
-Iinclude ${DNS_INCLUDES} ${ISC_INCLUDES} \ -+CINCLUDES = -I. -Iinclude ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} \ - ${FSTRM_CFLAGS} ${OPENSSL_CFLAGS} \ - ${PROTOBUF_C_CFLAGS} ${MAXMINDDB_CFLAGS} @CMOCKA_CFLAGS@ --CDEFINES = -DTESTS="\"${top_builddir}/lib/dns/tests/\"" -+CDEFINES = @USE_PKCS11@ -DTESTS="\"${top_builddir}/lib/dns-pkcs11/tests/\"" - - ISCLIBS = ../../isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@ - ISCDEPLIBS = ../../isc/libisc.@A@ --DNSLIBS = ../libdns.@A@ @NO_LIBTOOL_DNSLIBS@ --DNSDEPLIBS = ../libdns.@A@ -+DNSLIBS = ../libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@ -+DNSDEPLIBS = ../libdns-pkcs11.@A@ - - LIBS = @LIBS@ @CMOCKA_LIBS@ - -diff --git a/lib/ns-pkcs11/Makefile.in b/lib/ns-pkcs11/Makefile.in -index bc683ce..7a9d2f2 100644 ---- a/lib/ns-pkcs11/Makefile.in -+++ b/lib/ns-pkcs11/Makefile.in -@@ -16,12 +16,12 @@ VERSION=@BIND9_VERSION@ - - @BIND9_MAKE_INCLUDES@ - --CINCLUDES = -I. -I${top_srcdir}/lib/ns -Iinclude \ -- ${NS_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \ -+CINCLUDES = -I. -I${top_srcdir}/lib/ns-pkcs11 -Iinclude \ -+ ${NS_PKCS11_INCLUDES} ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} \ - ${OPENSSL_CFLAGS} @DST_GSSAPI_INC@ \ - ${FSTRM_CFLAGS} - --CDEFINES = -DNAMED_PLUGINDIR=\"${plugindir}\" -+CDEFINES = @USE_PKCS11@ -DNAMED_PLUGINDIR=\"${plugindir}\" - - CWARNINGS = - -@@ -29,9 +29,9 @@ ISCLIBS = ../../lib/isc/libisc.@A@ - - ISCDEPLIBS = ../../lib/isc/libisc.@A@ - --DNSLIBS = ../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@ -+DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@ - --DNSDEPLIBS = ../../lib/dns/libdns.@A@ -+DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ - - LIBS = @LIBS@ - -@@ -60,28 +60,28 @@ version.@O@: version.c - -DMAJOR=\"${MAJOR}\" \ - -c ${srcdir}/version.c - --libns.@SA@: ${OBJS} -+libns-pkcs11.@SA@: ${OBJS} - ${AR} ${ARFLAGS} $@ ${OBJS} - ${RANLIB} $@ - --libns.la: ${OBJS} -+libns-pkcs11.la: ${OBJS} - ${LIBTOOL_MODE_LINK} \ -- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libns.la -rpath ${libdir} \ -+ ${CC} ${ALL_CFLAGS} 
${LDFLAGS} -o libns-pkcs11.la -rpath ${libdir} \ - -release "${VERSION}" \ -- ${OBJS} ${ISCLIBS} ${DNSLIBS} @DNS_CRYPTO_LIBS@ ${LIBS} -+ ${OBJS} ${ISCLIBS} ${DNSLIBS} @DNS_CRYPTO_PK11_LIBS@ ${LIBS} - --timestamp: libns.@A@ -+timestamp: libns-pkcs11.@A@ - touch timestamp - - installdirs: - $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir} - - install:: timestamp installdirs -- ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libns.@A@ \ -+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libns-pkcs11.@A@ \ - ${DESTDIR}${libdir} - - uninstall:: -- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libns.@A@ -+ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libns-pkcs11.@A@ - - clean distclean:: -- rm -f libns.@A@ timestamp -+ rm -f libns-pkcs11.@A@ timestamp -diff --git a/lib/ns-pkcs11/tests/Makefile.in b/lib/ns-pkcs11/tests/Makefile.in -index 4c3e694..c1b6d99 100644 ---- a/lib/ns-pkcs11/tests/Makefile.in -+++ b/lib/ns-pkcs11/tests/Makefile.in -@@ -17,17 +17,17 @@ VERSION=@BIND9_VERSION@ - - WRAP_OPTIONS = -Wl,--wrap=isc__nmhandle_detach -Wl,--wrap=isc__nmhandle_attach - --CINCLUDES = -I. -Iinclude ${NS_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \ -+CINCLUDES = -I. 
-Iinclude ${NS_PKCS11_INCLUDES} ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} \ - ${OPENSSL_CFLAGS} \ - @CMOCKA_CFLAGS@ --CDEFINES = -DTESTS="\"${top_builddir}/lib/ns/tests/\"" -DNAMED_PLUGINDIR=\"${plugindir}\" -+CDEFINES = -DTESTS="\"${top_builddir}/lib/ns-pkcs11/tests/\"" -DNAMED_PLUGINDIR=\"${plugindir}\" @USE_PKCS11@ - - ISCLIBS = ../../isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@ - ISCDEPLIBS = ../../isc/libisc.@A@ --DNSLIBS = ../../dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@ --DNSDEPLIBS = ../../dns/libdns.@A@ --NSLIBS = ../libns.@A@ --NSDEPLIBS = ../libns.@A@ -+DNSLIBS = ../../dns-pkcs11/libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@ -+DNSDEPLIBS = ../../dns-pkcs11/libdns-pkcs11.@A@ -+NSLIBS = ../libns-pkcs11.@A@ -+NSDEPLIBS = ../libns-pkcs11.@A@ - - LIBS = @LIBS@ @CMOCKA_LIBS@ - -diff --git a/make/includes.in b/make/includes.in -index b8317d3..b73b0c4 100644 ---- a/make/includes.in -+++ b/make/includes.in -@@ -39,3 +39,10 @@ BIND9_INCLUDES = @BIND9_BIND9_BUILDINCLUDE@ \ - - TEST_INCLUDES = \ - -I${top_srcdir}/lib/tests/include -+ -+DNS_PKCS11_INCLUDES = @BIND9_DNS_PKCS11_BUILDINCLUDE@ \ -+ -I${top_srcdir}/lib/dns-pkcs11/include -+ -+NS_PKCS11_INCLUDES = @BIND9_NS_PKCS11_BUILDINCLUDE@ \ -+ -I${top_srcdir}/lib/ns-pkcs11/include -+ --- -2.31.1 - diff --git a/bind-9.11-fips-disable.patch b/bind-9.11-fips-disable.patch deleted file mode 100644 index c01d914..0000000 --- a/bind-9.11-fips-disable.patch +++ /dev/null 
@@ -1,65 +0,0 @@ -From 2b0dce163a119f5f62eb4428b485f7575f321d6f Mon Sep 17 00:00:00 2001 -From: Petr Mensik -Date: Mon, 5 Aug 2019 11:54:03 +0200 -Subject: [PATCH] Allow explicit disabling of autodisabled MD5 - -Default security policy might include explicitly disabled RSAMD5 -algorithm. Current FIPS code automatically disables in FIPS mode. But if -RSAMD5 is included in security policy, it fails to start, because that -algorithm is not recognized. Allow it disabled, but fail on any -other usage. ---- - bin/named/server.c | 4 ++-- - lib/bind9/check.c | 4 ++++ - lib/dns/rcode.c | 1 + - 3 files changed, 7 insertions(+), 2 deletions(-) - -diff --git a/bin/named/server.c b/bin/named/server.c -index ee23f10..22a5c01 100644 ---- a/bin/named/server.c -+++ b/bin/named/server.c -@@ -1689,12 +1689,12 @@ disable_algorithms(const cfg_obj_t *disabled, dns_resolver_t *resolver) { - r.length = strlen(r.base); - - result = dns_secalg_fromtext(&alg, &r); -- if (result != ISC_R_SUCCESS) { -+ if (result != ISC_R_SUCCESS && result != ISC_R_DISABLED) { - uint8_t ui; - result = isc_parse_uint8(&ui, r.base, 10); - alg = ui; - } -- if (result != ISC_R_SUCCESS) { -+ if (result != ISC_R_SUCCESS && result != ISC_R_DISABLED) { - cfg_obj_log(cfg_listelt_value(element), named_g_lctx, - ISC_LOG_ERROR, "invalid algorithm"); - CHECK(result); -diff --git a/lib/bind9/check.c b/lib/bind9/check.c -index f49a346..dbf9ddb 100644 ---- a/lib/bind9/check.c -+++ b/lib/bind9/check.c -@@ -317,6 +317,10 @@ disabled_algorithms(const cfg_obj_t *disabled, isc_log_t *logctx) { - r.length = strlen(r.base); - - tresult = dns_secalg_fromtext(&alg, &r); -+ if (tresult == ISC_R_DISABLED) { -+ // Recognize disabled algorithms, disable it explicitly -+ tresult = ISC_R_SUCCESS; -+ } - if (tresult != ISC_R_SUCCESS) { - cfg_obj_log(cfg_listelt_value(element), logctx, - ISC_LOG_ERROR, "invalid algorithm '%s'", -diff --git a/lib/dns/rcode.c b/lib/dns/rcode.c -index 327248e..78adf63 100644 ---- a/lib/dns/rcode.c -+++ 
b/lib/dns/rcode.c -@@ -152,6 +152,7 @@ static struct tbl rcodes[] = { RCODENAMES ERCODENAMES }; - static struct tbl tsigrcodes[] = { RCODENAMES TSIGRCODENAMES }; - static struct tbl certs[] = { CERTNAMES }; - static struct tbl secalgs[] = { SECALGNAMES }; -+static struct tbl md5_secalgs[] = { MD5_SECALGNAMES }; - static struct tbl secprotos[] = { SECPROTONAMES }; - static struct tbl hashalgs[] = { HASHALGNAMES }; - static struct tbl dsdigests[] = { DSDIGESTNAMES }; --- -2.21.1 - diff --git a/bind-9.11-fips-tests.patch b/bind-9.11-fips-tests.patch deleted file mode 100644 index 19f91b1..0000000 --- a/bind-9.11-fips-tests.patch +++ /dev/null 
@@ -1,921 +0,0 @@ -From 3f04cf343dbeb8819197702ce1be737e26e0638a Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= -Date: Thu, 2 Aug 2018 23:46:45 +0200 -Subject: [PATCH] FIPS tests changes -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Squashed commit of the following: - -commit 09e5eb48698d4fef2fc1031870de86c553b6bfaa -Author: Petr Menšík -Date: Wed Mar 7 20:35:13 2018 +0100 - - Fix nsupdate test. Do not use md5 by default for rndc, skip gracefully md5 if not available. - -commit ab303db70082db76ecf36493d0b82ef3e8750cad -Author: Petr Menšík -Date: Wed Mar 7 18:11:10 2018 +0100 - - Changed root key to be RSASHA256 - - Change bad trusted key to be the same algorithm. - -commit 88ab07c0e14cc71247e1f9d11a1ea832b64c1ee8 -Author: Petr Menšík -Date: Wed Mar 7 16:56:17 2018 +0100 - - Change used key to not use hmac-md5 - - Fix upforwd test, do not use hmac-md5 - -commit aec891571626f053acfb4d0a247240cbc21a84e9 -Author: Petr Menšík -Date: Wed Mar 7 15:54:11 2018 +0100 - - Increase bitsize of DSA key to pass FIPS 140-2 mode. - -commit bca8e164fa0d9aff2f946b8b4eb0f1f7e0bf6696 -Author: Petr Menšík -Date: Wed Mar 7 15:41:08 2018 +0100 - - Fix tsig and rndc tests for disabled md5 - - Use hmac-sha256 instead of hmac-md5. 
- -commit 0d314c1ab6151aa13574a21ad22f28d3b7f42a67 -Author: Petr Menšík -Date: Wed Mar 7 13:21:00 2018 +0100 - - Add md5 availability detection to featuretest - -commit f389a918803e2853e4b55fed62765dc4a492e34f -Author: Petr Menšík -Date: Wed Mar 7 10:44:23 2018 +0100 - - Change tests to not use hmac-md5 algorithms if not required - - Use hmac-sha256 instead of default hmac-md5 for allow-query ---- - bin/tests/system/acl/ns2/named1.conf.in | 4 +- - bin/tests/system/acl/ns2/named2.conf.in | 4 +- - bin/tests/system/acl/ns2/named3.conf.in | 6 +- - bin/tests/system/acl/ns2/named4.conf.in | 4 +- - bin/tests/system/acl/ns2/named5.conf.in | 4 +- - bin/tests/system/acl/tests.sh | 32 ++++----- - .../system/allow-query/ns2/named10.conf.in | 2 +- - .../system/allow-query/ns2/named11.conf.in | 4 +- - .../system/allow-query/ns2/named12.conf.in | 2 +- - .../system/allow-query/ns2/named30.conf.in | 2 +- - .../system/allow-query/ns2/named31.conf.in | 4 +- - .../system/allow-query/ns2/named32.conf.in | 2 +- - .../system/allow-query/ns2/named40.conf.in | 4 +- - bin/tests/system/allow-query/tests.sh | 18 ++--- - bin/tests/system/catz/ns1/named.conf.in | 2 +- - bin/tests/system/catz/ns2/named.conf.in | 2 +- - bin/tests/system/checkconf/bad-tsig.conf | 2 +- - bin/tests/system/checkconf/good.conf | 2 +- - bin/tests/system/feature-test.c | 14 ++++ - bin/tests/system/notify/ns5/named.conf.in | 6 +- - bin/tests/system/notify/tests.sh | 6 +- - bin/tests/system/nsupdate/ns1/named.conf.in | 2 +- - bin/tests/system/nsupdate/ns2/named.conf.in | 2 +- - bin/tests/system/nsupdate/setup.sh | 6 +- - bin/tests/system/nsupdate/tests.sh | 15 +++-- - bin/tests/system/rndc/setup.sh | 2 +- - bin/tests/system/rndc/tests.sh | 23 ++++--- - bin/tests/system/tsig/ns1/named.conf.in | 10 +-- - bin/tests/system/tsig/ns1/rndc5.conf.in | 10 +++ - bin/tests/system/tsig/setup.sh | 5 ++ - bin/tests/system/tsig/tests.sh | 65 ++++++++++++------- - bin/tests/system/upforwd/ns1/named.conf.in | 2 +- - 
bin/tests/system/upforwd/tests.sh | 2 +- - 33 files changed, 162 insertions(+), 108 deletions(-) - create mode 100644 bin/tests/system/tsig/ns1/rndc5.conf.in -diff --git a/bin/tests/system/acl/ns2/named1.conf.in b/bin/tests/system/acl/ns2/named1.conf.in -index 745048a..93cb411 100644 ---- a/bin/tests/system/acl/ns2/named1.conf.in -+++ b/bin/tests/system/acl/ns2/named1.conf.in -@@ -35,12 +35,12 @@ options { - }; - - key one { -- algorithm hmac-md5; -+ algorithm hmac-sha256; - secret "1234abcd8765"; - }; - - key two { -- algorithm hmac-md5; -+ algorithm hmac-sha256; - secret "1234abcd8765"; - }; - -diff --git a/bin/tests/system/acl/ns2/named2.conf.in b/bin/tests/system/acl/ns2/named2.conf.in -index 21aa991..78e71cc 100644 ---- a/bin/tests/system/acl/ns2/named2.conf.in -+++ b/bin/tests/system/acl/ns2/named2.conf.in -@@ -35,12 +35,12 @@ options { - }; - - key one { -- algorithm hmac-md5; -+ algorithm hmac-sha256; - secret "1234abcd8765"; - }; - - key two { -- algorithm hmac-md5; -+ algorithm hmac-sha256; - secret "1234abcd8765"; - }; - -diff --git a/bin/tests/system/acl/ns2/named3.conf.in b/bin/tests/system/acl/ns2/named3.conf.in -index 3208c92..bed6325 100644 ---- a/bin/tests/system/acl/ns2/named3.conf.in -+++ b/bin/tests/system/acl/ns2/named3.conf.in -@@ -35,17 +35,17 @@ options { - }; - - key one { -- algorithm hmac-md5; -+ algorithm hmac-sha256; - secret "1234abcd8765"; - }; - - key two { -- algorithm hmac-md5; -+ algorithm hmac-sha256; - secret "1234abcd8765"; - }; - - key three { -- algorithm hmac-md5; -+ algorithm hmac-sha256; - secret "1234abcd8765"; - }; - -diff --git a/bin/tests/system/acl/ns2/named4.conf.in b/bin/tests/system/acl/ns2/named4.conf.in -index 14e82ed..a22cafe 100644 ---- a/bin/tests/system/acl/ns2/named4.conf.in -+++ b/bin/tests/system/acl/ns2/named4.conf.in -@@ -35,12 +35,12 @@ options { - }; - - key one { -- algorithm hmac-md5; -+ algorithm hmac-sha256; - secret "1234abcd8765"; - }; - - key two { -- algorithm hmac-md5; -+ algorithm 
hmac-sha256; - secret "1234abcd8765"; - }; - -diff --git a/bin/tests/system/acl/ns2/named5.conf.in b/bin/tests/system/acl/ns2/named5.conf.in -index f43f33c..f4a865a 100644 ---- a/bin/tests/system/acl/ns2/named5.conf.in -+++ b/bin/tests/system/acl/ns2/named5.conf.in -@@ -37,12 +37,12 @@ options { - }; - - key one { -- algorithm hmac-md5; -+ algorithm hmac-sha256; - secret "1234abcd8765"; - }; - - key two { -- algorithm hmac-md5; -+ algorithm hmac-sha256; - secret "1234abcd8765"; - }; - -diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh -index e30569e..edd2155 100644 ---- a/bin/tests/system/acl/tests.sh -+++ b/bin/tests/system/acl/tests.sh -@@ -24,14 +24,14 @@ echo_i "testing basic ACL processing" - # key "one" should fail - t=`expr $t + 1` - $DIG $DIGOPTS tsigzone. \ -- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t} -+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} - grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } - - - # any other key should be fine - t=`expr $t + 1` - $DIG $DIGOPTS tsigzone. \ -- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t} -+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t} - grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } - - copy_setports ns2/named2.conf.in ns2/named.conf -@@ -41,18 +41,18 @@ sleep 5 - # prefix 10/8 should fail - t=`expr $t + 1` - $DIG $DIGOPTS tsigzone. \ -- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t} -+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} - grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } - - # any other address should work, as long as it sends key "one" - t=`expr $t + 1` - $DIG $DIGOPTS tsigzone. 
\ -- @10.53.0.2 -b 127.0.0.1 axfr -y two:1234abcd8765 > dig.out.${t} -+ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t} - grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } - - t=`expr $t + 1` - $DIG $DIGOPTS tsigzone. \ -- @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t} -+ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} - grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } - - echo_i "testing nested ACL processing" -@@ -64,31 +64,31 @@ sleep 5 - # should succeed - t=`expr $t + 1` - $DIG $DIGOPTS tsigzone. \ -- @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t} -+ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t} - grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } - - # should succeed - t=`expr $t + 1` - $DIG $DIGOPTS tsigzone. \ -- @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t} -+ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} - grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } - - # should succeed - t=`expr $t + 1` - $DIG $DIGOPTS tsigzone. \ -- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t} -+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t} - grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } - - # should succeed - t=`expr $t + 1` - $DIG $DIGOPTS tsigzone. \ -- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t} -+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t} - grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } - - # but only one or the other should fail - t=`expr $t + 1` - $DIG $DIGOPTS tsigzone. 
\ -- @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t} -+ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} - grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } - - t=`expr $t + 1` -@@ -99,7 +99,7 @@ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $tt failed" ; status=1 - # and other values? right out - t=`expr $t + 1` - $DIG $DIGOPTS tsigzone. \ -- @10.53.0.2 -b 127.0.0.1 axfr -y three:1234abcd8765 > dig.out.${t} -+ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:three:1234abcd8765 > dig.out.${t} - grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } - - # now we only allow 10.53.0.1 *and* key one, or 10.53.0.2 *and* key two -@@ -110,31 +110,31 @@ sleep 5 - # should succeed - t=`expr $t + 1` - $DIG $DIGOPTS tsigzone. \ -- @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t} -+ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t} - grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } - - # should succeed - t=`expr $t + 1` - $DIG $DIGOPTS tsigzone. \ -- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t} -+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} - grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } - - # should fail - t=`expr $t + 1` - $DIG $DIGOPTS tsigzone. \ -- @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t} -+ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} - grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } - - # should fail - t=`expr $t + 1` - $DIG $DIGOPTS tsigzone. 
\ -- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t} -+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t} - grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } - - # should fail - t=`expr $t + 1` - $DIG $DIGOPTS tsigzone. \ -- @10.53.0.2 -b 10.53.0.3 axfr -y one:1234abcd8765 > dig.out.${t} -+ @10.53.0.2 -b 10.53.0.3 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} - grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } - - echo_i "testing allow-query-on ACL processing" -diff --git a/bin/tests/system/allow-query/ns2/named10.conf.in b/bin/tests/system/allow-query/ns2/named10.conf.in -index b91d19a..7d777c2 100644 ---- a/bin/tests/system/allow-query/ns2/named10.conf.in -+++ b/bin/tests/system/allow-query/ns2/named10.conf.in -@@ -12,7 +12,7 @@ - */ - - key one { -- algorithm hmac-md5; -+ algorithm hmac-sha256; - secret "1234abcd8765"; - }; - -diff --git a/bin/tests/system/allow-query/ns2/named11.conf.in b/bin/tests/system/allow-query/ns2/named11.conf.in -index 308c4ca..00f6f40 100644 ---- a/bin/tests/system/allow-query/ns2/named11.conf.in -+++ b/bin/tests/system/allow-query/ns2/named11.conf.in -@@ -12,12 +12,12 @@ - */ - - key one { -- algorithm hmac-md5; -+ algorithm hmac-sha256; - secret "1234abcd8765"; - }; - - key two { -- algorithm hmac-md5; -+ algorithm hmac-sha256; - secret "1234efgh8765"; - }; - -diff --git a/bin/tests/system/allow-query/ns2/named12.conf.in b/bin/tests/system/allow-query/ns2/named12.conf.in -index 6b0fe55..491e514 100644 ---- a/bin/tests/system/allow-query/ns2/named12.conf.in -+++ b/bin/tests/system/allow-query/ns2/named12.conf.in -@@ -12,7 +12,7 @@ - */ - - key one { -- algorithm hmac-md5; -+ algorithm hmac-sha256; - secret "1234abcd8765"; - }; - -diff --git a/bin/tests/system/allow-query/ns2/named30.conf.in b/bin/tests/system/allow-query/ns2/named30.conf.in -index aefc474..7c06596 100644 ---- 
a/bin/tests/system/allow-query/ns2/named30.conf.in -+++ b/bin/tests/system/allow-query/ns2/named30.conf.in -@@ -12,7 +12,7 @@ - */ - - key one { -- algorithm hmac-md5; -+ algorithm hmac-sha256; - secret "1234abcd8765"; - }; - -diff --git a/bin/tests/system/allow-query/ns2/named31.conf.in b/bin/tests/system/allow-query/ns2/named31.conf.in -index 27eccc2..eecb990 100644 ---- a/bin/tests/system/allow-query/ns2/named31.conf.in -+++ b/bin/tests/system/allow-query/ns2/named31.conf.in -@@ -12,12 +12,12 @@ - */ - - key one { -- algorithm hmac-md5; -+ algorithm hmac-sha256; - secret "1234abcd8765"; - }; - - key two { -- algorithm hmac-md5; -+ algorithm hmac-sha256; - secret "1234efgh8765"; - }; - -diff --git a/bin/tests/system/allow-query/ns2/named32.conf.in b/bin/tests/system/allow-query/ns2/named32.conf.in -index adbb203..744d122 100644 ---- a/bin/tests/system/allow-query/ns2/named32.conf.in -+++ b/bin/tests/system/allow-query/ns2/named32.conf.in -@@ -12,7 +12,7 @@ - */ - - key one { -- algorithm hmac-md5; -+ algorithm hmac-sha256; - secret "1234abcd8765"; - }; - -diff --git a/bin/tests/system/allow-query/ns2/named40.conf.in b/bin/tests/system/allow-query/ns2/named40.conf.in -index 364f94b..9518f82 100644 ---- a/bin/tests/system/allow-query/ns2/named40.conf.in -+++ b/bin/tests/system/allow-query/ns2/named40.conf.in -@@ -16,12 +16,12 @@ acl accept { 10.53.0.2; }; - acl badaccept { 10.53.0.1; }; - - key one { -- algorithm hmac-md5; -+ algorithm hmac-sha256; - secret "1234abcd8765"; - }; - - key two { -- algorithm hmac-md5; -+ algorithm hmac-sha256; - secret "1234efgh8765"; - }; - -diff --git a/bin/tests/system/allow-query/tests.sh b/bin/tests/system/allow-query/tests.sh -index 41c7bb7..9d121b3 100644 ---- a/bin/tests/system/allow-query/tests.sh -+++ b/bin/tests/system/allow-query/tests.sh -@@ -184,7 +184,7 @@ rndc_reload ns2 10.53.0.2 - - echo_i "test $n: key allowed - query allowed" - ret=0 --$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > 
dig.out.ns2.$n || ret=1 -+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 - grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 - grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi -@@ -197,7 +197,7 @@ rndc_reload ns2 10.53.0.2 - - echo_i "test $n: key not allowed - query refused" - ret=0 --$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1 -+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1 - grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 - grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi -@@ -210,7 +210,7 @@ rndc_reload ns2 10.53.0.2 - - echo_i "test $n: key disallowed - query refused" - ret=0 --$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 -+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 - grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 - grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi -@@ -343,7 +343,7 @@ rndc_reload ns2 10.53.0.2 - - echo_i "test $n: views key allowed - query allowed" - ret=0 --$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 -+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 - grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 - grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi -@@ -356,7 +356,7 @@ rndc_reload ns2 10.53.0.2 - - echo_i "test $n: views key not allowed - query refused" - ret=0 --$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 
a.normal.example a > dig.out.ns2.$n || ret=1 -+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1 - grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 - grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi -@@ -369,7 +369,7 @@ rndc_reload ns2 10.53.0.2 - - echo_i "test $n: views key disallowed - query refused" - ret=0 --$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 -+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 - grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 - grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi -@@ -502,7 +502,7 @@ status=`expr $status + $ret` - n=`expr $n + 1` - echo_i "test $n: zone key allowed - query allowed" - ret=0 --$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1 -+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1 - grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 - grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi -@@ -512,7 +512,7 @@ status=`expr $status + $ret` - n=`expr $n + 1` - echo_i "test $n: zone key not allowed - query refused" - ret=0 --$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1 -+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1 - grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 - grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null && ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi -@@ -522,7 +522,7 @@ status=`expr $status + $ret` - n=`expr $n + 1` - echo_i "test $n: zone key disallowed 
- query refused" - ret=0 --$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1 -+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1 - grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 - grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi -diff --git a/bin/tests/system/checkconf/bad-tsig.conf b/bin/tests/system/checkconf/bad-tsig.conf -index 4af25b0..9f202d5 100644 ---- a/bin/tests/system/checkconf/bad-tsig.conf -+++ b/bin/tests/system/checkconf/bad-tsig.conf -@@ -13,7 +13,7 @@ - - /* Bad secret */ - key "badtsig" { -- algorithm hmac-md5; -+ algorithm hmac-sha256; - secret "jEdD+BPKg=="; - }; - -diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf -index 0ecdb68..90b8ab3 100644 ---- a/bin/tests/system/checkconf/good.conf -+++ b/bin/tests/system/checkconf/good.conf -@@ -284,6 +284,6 @@ dyndb "name" "library.so" { - system; - }; - key "mykey" { -- algorithm "hmac-md5"; -+ algorithm "hmac-sha256"; - secret "qwertyuiopasdfgh"; - }; -diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c -index 161a80c..c386200 100644 ---- a/bin/tests/system/feature-test.c -+++ b/bin/tests/system/feature-test.c -@@ -17,6 +17,7 @@ - #include - #include - -+#include - #include - #include - #include -@@ -195,6 +196,19 @@ main(int argc, char **argv) { - #endif /* ifdef DLZ_FILESYSTEM */ - } - -+ if (strcmp(argv[1], "--md5") == 0) { -+ unsigned char digest[ISC_MAX_MD_SIZE]; -+ const unsigned char test[] = "test"; -+ unsigned int size = sizeof(digest); -+ -+ if (isc_md(ISC_MD_MD5, test, sizeof(test), -+ digest, &size) == ISC_R_SUCCESS) { -+ return (0); -+ } else { -+ return (1); -+ } -+ } -+ - if (strcmp(argv[1], "--with-idn") == 0) { - #ifdef HAVE_LIBIDN2 - return (0); -diff --git a/bin/tests/system/notify/ns5/named.conf.in 
b/bin/tests/system/notify/ns5/named.conf.in -index 5cab276..d4a7bf3 100644 ---- a/bin/tests/system/notify/ns5/named.conf.in -+++ b/bin/tests/system/notify/ns5/named.conf.in -@@ -12,17 +12,17 @@ - */ - - key "a" { -- algorithm "hmac-md5"; -+ algorithm "hmac-sha256"; - secret "aaaaaaaaaaaaaaaaaaaa"; - }; - - key "b" { -- algorithm "hmac-md5"; -+ algorithm "hmac-sha256"; - secret "bbbbbbbbbbbbbbbbbbbb"; - }; - - key "c" { -- algorithm "hmac-md5"; -+ algorithm "hmac-sha256"; - secret "cccccccccccccccccccc"; - }; - -diff --git a/bin/tests/system/notify/tests.sh b/bin/tests/system/notify/tests.sh -index c02654e..0453a87 100644 ---- a/bin/tests/system/notify/tests.sh -+++ b/bin/tests/system/notify/tests.sh -@@ -214,16 +214,16 @@ ret=0 - $NSUPDATE << EOF - server 10.53.0.5 ${PORT} - zone x21 --key a aaaaaaaaaaaaaaaaaaaa -+key hmac-sha256:a aaaaaaaaaaaaaaaaaaaa - update add added.x21 0 in txt "test string" - send - EOF - - for i in 1 2 3 4 5 6 7 8 9 - do -- $DIG $DIGOPTS added.x21. -y b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \ -+ $DIG $DIGOPTS added.x21. -y hmac-sha256:b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \ - txt > dig.out.b.ns5.test$n || ret=1 -- $DIG $DIGOPTS added.x21. -y c:cccccccccccccccccccc @10.53.0.5 \ -+ $DIG $DIGOPTS added.x21. 
-y hmac-sha256:c:cccccccccccccccccccc @10.53.0.5 \ - txt > dig.out.c.ns5.test$n || ret=1 - grep "test string" dig.out.b.ns5.test$n > /dev/null && - grep "test string" dig.out.c.ns5.test$n > /dev/null && -diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in -index a5cc36d..7bb8923 100644 ---- a/bin/tests/system/nsupdate/ns1/named.conf.in -+++ b/bin/tests/system/nsupdate/ns1/named.conf.in -@@ -40,7 +40,7 @@ controls { - }; - - key altkey { -- algorithm hmac-md5; -+ algorithm hmac-sha512; - secret "1234abcd8765"; - }; - -diff --git a/bin/tests/system/nsupdate/ns2/named.conf.in b/bin/tests/system/nsupdate/ns2/named.conf.in -index f1a1735..da2b3d1 100644 ---- a/bin/tests/system/nsupdate/ns2/named.conf.in -+++ b/bin/tests/system/nsupdate/ns2/named.conf.in -@@ -34,7 +34,7 @@ controls { - }; - - key altkey { -- algorithm hmac-md5; -+ algorithm hmac-sha512; - secret "1234abcd8765"; - }; - -diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh -index c9a756e..fac39d4 100644 ---- a/bin/tests/system/nsupdate/setup.sh -+++ b/bin/tests/system/nsupdate/setup.sh -@@ -73,7 +73,11 @@ EOF - - $DDNSCONFGEN -q -z example.nil > ns1/ddns.key - --$DDNSCONFGEN -q -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key -+if $FEATURETEST --md5; then -+ $DDNSCONFGEN -q -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key -+else -+ echo -n > ns1/md5.key -+fi - $DDNSCONFGEN -q -a hmac-sha1 -k sha1-key -z keytests.nil > ns1/sha1.key - $DDNSCONFGEN -q -a hmac-sha224 -k sha224-key -z keytests.nil > ns1/sha224.key - $DDNSCONFGEN -q -a hmac-sha256 -k sha256-key -z keytests.nil > ns1/sha256.key -diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh -index 67ffc27..c554a3f 100755 ---- a/bin/tests/system/nsupdate/tests.sh -+++ b/bin/tests/system/nsupdate/tests.sh -@@ -852,7 +852,14 @@ fi - n=$((n + 1)) - ret=0 - echo_i "check TSIG key algorithms (nsupdate -k) ($n)" --for alg in md5 sha1 sha224 
sha256 sha384 sha512; do -+if $FEATURETEST --md5 -+then -+ ALGS="md5 sha1 sha224 sha256 sha384 sha512" -+else -+ ALGS="sha1 sha224 sha256 sha384 sha512" -+ echo_i "skipping disabled md5 algorithm" -+fi -+for alg in $ALGS; do - $NSUPDATE -k ns1/${alg}.key < /dev/null || ret=1 - server 10.53.0.1 ${PORT} - update add ${alg}.keytests.nil. 600 A 10.10.10.3 -@@ -860,7 +867,7 @@ send - END - done - sleep 2 --for alg in md5 sha1 sha224 sha256 sha384 sha512; do -+for alg in $ALGS; do - $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.3 > /dev/null 2>&1 || ret=1 - done - if [ $ret -ne 0 ]; then -@@ -871,7 +878,7 @@ fi - n=$((n + 1)) - ret=0 - echo_i "check TSIG key algorithms (nsupdate -y) ($n)" --for alg in md5 sha1 sha224 sha256 sha384 sha512; do -+for alg in $ALGS; do - secret=$(sed -n 's/.*secret "\(.*\)";.*/\1/p' ns1/${alg}.key) - $NSUPDATE -y "hmac-${alg}:${alg}-key:$secret" < /dev/null || ret=1 - server 10.53.0.1 ${PORT} -@@ -880,7 +887,7 @@ send - END - done - sleep 2 --for alg in md5 sha1 sha224 sha256 sha384 sha512; do -+for alg in $ALGS; do - $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.50 > /dev/null 2>&1 || ret=1 - done - if [ $ret -ne 0 ]; then -diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh -index e7df6e4..7292818 100644 ---- a/bin/tests/system/rndc/setup.sh -+++ b/bin/tests/system/rndc/setup.sh -@@ -40,7 +40,7 @@ make_key () { - sed 's/allow { 10.53.0.4/allow { any/' >> ns4/named.conf - } - --make_key 1 ${EXTRAPORT1} hmac-md5 -+$FEATURETEST --md5 && make_key 1 ${EXTRAPORT1} hmac-md5 - make_key 2 ${EXTRAPORT2} hmac-sha1 - make_key 3 ${EXTRAPORT3} hmac-sha224 - make_key 4 ${EXTRAPORT4} hmac-sha256 -diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh -index 43e89d3..c2ee158 100644 ---- a/bin/tests/system/rndc/tests.sh -+++ b/bin/tests/system/rndc/tests.sh -@@ -351,15 +351,20 @@ if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` - - n=`expr $n + 
1` --echo_i "testing rndc with hmac-md5 ($n)" --ret=0 --$RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1 --for i in 2 3 4 5 6 --do -- $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1 --done --if [ $ret != 0 ]; then echo_i "failed"; fi --status=`expr $status + $ret` -+if $FEATURETEST --md5 -+then -+ echo_i "testing rndc with hmac-md5 ($n)" -+ ret=0 -+ $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1 -+ for i in 2 3 4 5 6 -+ do -+ $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1 -+ done -+ if [ $ret != 0 ]; then echo_i "failed"; fi -+ status=`expr $status + $ret` -+else -+ echo_i "skipping rndc with hmac-md5 ($n)" -+fi - - n=`expr $n + 1` - echo_i "testing rndc with hmac-sha1 ($n)" -diff --git a/bin/tests/system/tsig/ns1/named.conf.in b/bin/tests/system/tsig/ns1/named.conf.in -index 76cf970..22637af 100644 ---- a/bin/tests/system/tsig/ns1/named.conf.in -+++ b/bin/tests/system/tsig/ns1/named.conf.in -@@ -23,10 +23,7 @@ options { - notify no; - }; - --key "md5" { -- secret "97rnFx24Tfna4mHPfgnerA=="; -- algorithm hmac-md5; --}; -+# md5 key appended by setup.sh at the end - - key "sha1" { - secret "FrSt77yPTFx6hTs4i2tKLB9LmE0="; -@@ -53,10 +50,7 @@ key "sha512" { - algorithm hmac-sha512; - }; - --key "md5-trunc" { -- secret "97rnFx24Tfna4mHPfgnerA=="; -- algorithm hmac-md5-80; --}; -+# md5-trunc key appended by setup.sh at the end - - key "sha1-trunc" { - secret "FrSt77yPTFx6hTs4i2tKLB9LmE0="; -diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh -index 6020947..c8b69d0 100644 ---- a/bin/tests/system/tsig/setup.sh -+++ b/bin/tests/system/tsig/setup.sh -@@ -17,3 +17,8 @@ SYSTEMTESTTOP=.. 
- $SHELL clean.sh - - copy_setports ns1/named.conf.in ns1/named.conf -+ -+if $FEATURETEST --md5 -+then -+ cat ns1/rndc5.conf.in >> ns1/named.conf -+fi -diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh -index 02199e6..bbc39ab 100644 ---- a/bin/tests/system/tsig/tests.sh -+++ b/bin/tests/system/tsig/tests.sh -@@ -28,20 +28,25 @@ sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f - - status=0 - --echo_i "fetching using hmac-md5 (old form)" --ret=0 --$DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1 --grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1 --if [ $ret -eq 1 ] ; then -- echo_i "failed"; status=1 --fi -- --echo_i "fetching using hmac-md5 (new form)" --ret=0 --$DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1 --grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1 --if [ $ret -eq 1 ] ; then -- echo_i "failed"; status=1 -+if $FEATURETEST --md5 -+then -+ echo_i "fetching using hmac-md5 (old form)" -+ ret=0 -+ $DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1 -+ grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1 -+ if [ $ret -eq 1 ] ; then -+ echo_i "failed"; status=1 -+ fi -+ -+ echo_i "fetching using hmac-md5 (new form)" -+ ret=0 -+ $DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1 -+ grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1 -+ if [ $ret -eq 1 ] ; then -+ echo_i "failed"; status=1 -+ fi -+else -+ echo_i "skipping using hmac-md5" - fi - - echo_i "fetching using hmac-sha1" -@@ -89,12 +94,17 @@ fi - # Truncated TSIG - # - # --echo_i "fetching using hmac-md5 (trunc)" --ret=0 --$DIG $DIGOPTS example.nil. 
-y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1 --grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1 --if [ $ret -eq 1 ] ; then -- echo_i "failed"; status=1 -+if $FEATURETEST --md5 -+then -+ echo_i "fetching using hmac-md5 (trunc)" -+ ret=0 -+ $DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1 -+ grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1 -+ if [ $ret -eq 1 ] ; then -+ echo_i "failed"; status=1 -+ fi -+else -+ echo_i "skipping using hmac-md5 (trunc)" - fi - - echo_i "fetching using hmac-sha1 (trunc)" -@@ -143,12 +153,17 @@ fi - # Check for bad truncation. - # - # --echo_i "fetching using hmac-md5-80 (BADTRUNC)" --ret=0 --$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1 --grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1 --if [ $ret -eq 1 ] ; then -- echo_i "failed"; status=1 -+if $FEATURETEST --md5 -+then -+ echo_i "fetching using hmac-md5-80 (BADTRUNC)" -+ ret=0 -+ $DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1 -+ grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1 -+ if [ $ret -eq 1 ] ; then -+ echo_i "failed"; status=1 -+ fi -+else -+ echo_i "skipping using hmac-md5-80 (BADTRUNC)" - fi - - echo_i "fetching using hmac-sha1-80 (BADTRUNC)" -diff --git a/bin/tests/system/upforwd/ns1/named.conf.in b/bin/tests/system/upforwd/ns1/named.conf.in -index c2b57dd..cb13aa1 100644 ---- a/bin/tests/system/upforwd/ns1/named.conf.in -+++ b/bin/tests/system/upforwd/ns1/named.conf.in -@@ -12,7 +12,7 @@ - */ - - key "update.example." 
{ -- algorithm "hmac-md5"; -+ algorithm "hmac-sha256"; - secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K"; - }; - -diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh -index 35c5588..c71042c 100644 ---- a/bin/tests/system/upforwd/tests.sh -+++ b/bin/tests/system/upforwd/tests.sh -@@ -81,7 +81,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi - - echo_i "updating zone (signed) ($n)" - ret=0 --$NSUPDATE -y update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - < -Date: Tue, 2 Jan 2018 18:13:07 +0100 -Subject: [PATCH] Fix pkcs11 variants atf tests - -Add dns-pkcs11 tests Makefile to configure - -Add pkcs11 Kyuafile, fix dh_test to pass in pkcs11 mode ---- - configure.ac | 1 + - lib/Kyuafile | 2 ++ - lib/dns-pkcs11/tests/dh_test.c | 3 ++- - 3 files changed, 5 insertions(+), 1 deletion(-) - -diff --git a/configure.ac b/configure.ac -index d80ae31..0fb9328 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -3090,6 +3090,7 @@ AC_CONFIG_FILES([ - lib/dns-pkcs11/include/Makefile - lib/dns-pkcs11/include/dns/Makefile - lib/dns-pkcs11/include/dst/Makefile -+ lib/dns-pkcs11/tests/Makefile - lib/irs/Makefile - lib/irs/include/Makefile - lib/irs/include/irs/Makefile -diff --git a/lib/Kyuafile b/lib/Kyuafile -index 39ce986..037e5ef 100644 ---- a/lib/Kyuafile -+++ b/lib/Kyuafile -@@ -2,8 +2,10 @@ syntax(2) - test_suite('bind9') - - include('dns/Kyuafile') -+include('dns-pkcs11/Kyuafile') - include('irs/Kyuafile') - include('isc/Kyuafile') - include('isccc/Kyuafile') - include('isccfg/Kyuafile') - include('ns/Kyuafile') -+include('ns-pkcs11/Kyuafile') -diff --git a/lib/dns-pkcs11/tests/dh_test.c b/lib/dns-pkcs11/tests/dh_test.c -index 934e8fd..658d1af 100644 ---- a/lib/dns-pkcs11/tests/dh_test.c -+++ b/lib/dns-pkcs11/tests/dh_test.c -@@ -87,7 +87,8 @@ dh_computesecret(void **state) { - result = dst_key_computesecret(key, key, &buf); - assert_int_equal(result, 
DST_R_NOTPRIVATEKEY); - result = key->func->computesecret(key, key, &buf); -- assert_int_equal(result, DST_R_COMPUTESECRETFAILURE); -+ /* PKCS11 variant gives different result, accept both */ -+ assert_true(result == DST_R_COMPUTESECRETFAILURE || result == DST_R_INVALIDPRIVATEKEY); - - dst_key_free(&key); - } --- -2.20.1 - diff --git a/bind-9.11-rh1666814.patch b/bind-9.11-rh1666814.patch deleted file mode 100644 index 533781d..0000000 --- a/bind-9.11-rh1666814.patch +++ /dev/null @@ -1,29 +0,0 @@ -From d05d116da39c0a5c580ceaac6ba069899b82c5a0 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= -Date: Wed, 16 Jan 2019 16:27:33 +0100 -Subject: [PATCH] Fix possible crash when loading corrupted file - -Some values passes internal triggers by coincidence. Fix the check and -check also first_node_offset before even passing it further. ---- - lib/dns/rbt.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/lib/dns/rbt.c b/lib/dns/rbt.c -index 5aee5f6..7f2c2d2 100644 ---- a/lib/dns/rbt.c -+++ b/lib/dns/rbt.c -@@ -945,7 +945,9 @@ dns_rbt_deserialize_tree(void *base_address, size_t filesize, - rbt->root = (dns_rbtnode_t *)((char *)base_address + header_offset + - header->first_node_offset); - -- if ((header->nodecount * sizeof(dns_rbtnode_t)) > filesize) { -+ if ((header->nodecount * sizeof(dns_rbtnode_t)) > filesize -+ || header->first_node_offset > filesize) { -+ - result = ISC_R_INVALIDFILE; - goto cleanup; - } --- -2.31.1 - diff --git a/bind-9.14-config-pkcs11.patch b/bind-9.14-config-pkcs11.patch deleted file mode 100644 index 0d62df6..0000000 --- a/bind-9.14-config-pkcs11.patch +++ /dev/null 
@@ -1,83 +0,0 @@ -From e6ab9c67f0a14adc23c1067e03a106da1b1651b7 Mon Sep 17 00:00:00 2001 -From: Petr Mensik -Date: Fri, 18 Oct 2019 21:30:52 +0200 -Subject: [PATCH] Move USE_PKCS11 and USE_OPENSSL out of config.h - -Building two variants with the same common code requires to unset -USE_PKCS11 on part of build. That is not possible with config.h value. -Move it as normal define to CDEFINES. ---- - bin/confgen/Makefile.in | 2 +- - configure.ac | 8 ++++++-- - lib/dns/dst_internal.h | 12 +++++++++--- - 3 files changed, 16 insertions(+), 6 deletions(-) - -diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in -index 1b7512d..c126bf3 100644 ---- a/bin/confgen/Makefile.in -+++ b/bin/confgen/Makefile.in -@@ -22,7 +22,7 @@ VERSION=@BIND9_VERSION@ - CINCLUDES = -I${srcdir}/include ${ISC_INCLUDES} ${ISCCC_INCLUDES} \ - ${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} - --CDEFINES = -+CDEFINES = @USE_PKCS11@ - CWARNINGS = - - ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@ -diff --git a/configure.ac b/configure.ac -index f5483fe..08a7d8a 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -935,10 +935,14 @@ AC_SUBST([PKCS11_TEST]) - AC_SUBST([PKCS11_TOOLS]) - AC_SUBST([PKCS11_MANS]) - -+USE_PKCS11='-DUSE_PKCS11=0' -+USE_OPENSSL='-DUSE_OPENSSL=0' - AC_SUBST([CRYPTO]) - AS_CASE([$CRYPTO], -- [pkcs11],[AC_DEFINE([USE_PKCS11], [1], [define if PKCS11 is used for Public-Key Cryptography])], -- [AC_DEFINE([USE_OPENSSL], [1], [define if OpenSSL is used for Public-Key Cryptography])]) -+ [pkcs11],[USE_PKCS11='-DUSE_PKCS11=1'], -+ [USE_OPENSSL='-DUSE_OPENSSL=1']) -+AC_SUBST(USE_PKCS11) -+AC_SUBST(USE_OPENSSL) - - # preparation for automake - # AM_CONDITIONAL([PKCS11_TOOLS], [test "$with_native_pkcs11" = "yes"]) -diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h -index 2c3b4a3..55e9dc4 100644 ---- a/lib/dns/dst_internal.h -+++ b/lib/dns/dst_internal.h -@@ -38,6 +38,13 @@ - #include - #include - -+#ifndef USE_PKCS11 -+#define USE_PKCS11 0 -+#endif -+#ifndef USE_OPENSSL 
-+#define USE_OPENSSL (! USE_PKCS11) -+#endif -+ - #if USE_PKCS11 - #include - #include -@@ -116,11 +123,10 @@ struct dst_key { - void *generic; - dns_gss_ctx_id_t gssctx; - DH *dh; --#if USE_OPENSSL -- EVP_PKEY *pkey; --#endif /* if USE_OPENSSL */ - #if USE_PKCS11 - pk11_object_t *pkey; -+#else -+ EVP_PKEY *pkey; - #endif /* if USE_PKCS11 */ - dst_hmac_key_t *hmac_key; - } keydata; /*%< pointer to key in crypto pkg fmt */ --- -2.26.2 - diff --git a/bind-9.14-json-c.patch b/bind-9.14-json-c.patch deleted file mode 100644 index 870b46b..0000000 --- a/bind-9.14-json-c.patch +++ /dev/null 
@@ -1,95 +0,0 @@ -From 0698eb93f6e618d2882ae2c8758c5fa87524bea6 Mon Sep 17 00:00:00 2001 -From: Petr Mensik -Date: Tue, 23 Jul 2019 12:10:39 +0200 -Subject: [PATCH] Allow explicitly using json-c but not libjson - -Separate detection of json support. Allows explicit use of json-c when -jsoncpp package is found. Have to use --without-libjson --with-json-c. ---- - configure.ac | 52 +++++++++++++++++++++++++++++++++++++++++----------- - 1 file changed, 41 insertions(+), 11 deletions(-) - -diff --git a/configure.ac b/configure.ac -index f7978e4..40b4f9f 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -1331,7 +1331,6 @@ AC_ARG_WITH(libjson, - use_libjson="$withval", use_libjson="auto") - - have_libjson="" --have_libjson_c="" - case "$use_libjson" in - no) - libjson_libs="" -@@ -1347,7 +1346,43 @@ case "$use_libjson" in - LIBS="$LIBS -L${d}/lib" - fi - have_libjson="yes" -- elif test -f "${d}/include/json-c/json.h" -+ fi -+ done -+ ;; -+ *) -+ if test -f "${use_libjson}/include/json/json.h" -+ then -+ libjson_cflags="-I${use_libjson}/include" -+ LIBS="$LIBS -L${use_libjson}/lib" -+ have_libjson="yes" -+ else -+ AC_MSG_ERROR([$use_libjson/include/json/json.h not found.]) -+ fi -+ ;; -+esac -+ -+# -+# was --with-json-c specified? 
-+# -+AC_ARG_WITH(json-c, -+ AS_HELP_STRING([--with-json-c[=PATH]], -+ [build with json-c library [yes|no|path]]), -+ use_json_c="$withval", use_json_c="$use_libjson") -+ -+if test "X${have_libjson}" != "X" -+then -+ # Do not use if libjson were found -+ use_json_c=no -+fi -+ -+have_libjson_c="" -+case "$use_json_c" in -+ no) -+ ;; -+ auto|yes) -+ for d in /usr /usr/local /opt/local -+ do -+ if test -f "${d}/include/json-c/json.h" - then - if test ${d} != /usr - then -@@ -1360,19 +1395,14 @@ case "$use_libjson" in - done - ;; - *) -- if test -f "${use_libjson}/include/json/json.h" -- then -- libjson_cflags="-I${use_libjson}/include" -- LIBS="$LIBS -L${use_libjson}/lib" -- have_libjson="yes" -- elif test -f "${use_libjson}/include/json-c/json.h" -+ if test -f "${use_json_c}/include/json-c/json.h" - then -- libjson_cflags="-I${use_libjson}/include" -- LIBS="$LIBS -L${use_libjson}/lib" -+ libjson_cflags="-I${use_json_c}/include" -+ LIBS="$LIBS -L${use_json_c}/lib" - have_libjson="yes" - have_libjson_c="yes" - else -- AC_MSG_ERROR([$use_libjson/include/json{,-c}/json.h not found.]) -+ AC_MSG_ERROR([$use_json_c/include/json-c/json.h not found.]) - fi - ;; - esac --- -2.20.1 - diff --git a/bind-9.16-redhat_doc.patch b/bind-9.16-redhat_doc.patch deleted file mode 100644 index ef76e16..0000000 --- a/bind-9.16-redhat_doc.patch +++ /dev/null 
@@ -1,60 +0,0 @@ -From 3a161af91bffcd457586ab466e32ac8484028763 Mon Sep 17 00:00:00 2001 -From: Petr Mensik -Date: Wed, 17 Jun 2020 23:17:13 +0200 -Subject: [PATCH] Update man named with Red Hat specifics - -This is almost unmodified text and requires revalidation. Some of those -statements are no longer correct. ---- - bin/named/named.rst | 35 +++++++++++++++++++++++++++++++++++ - 1 file changed, 35 insertions(+) - -diff --git a/bin/named/named.rst b/bin/named/named.rst -index 6fd8f87..3cd6350 100644 ---- a/bin/named/named.rst -+++ b/bin/named/named.rst -@@ -228,6 +228,41 @@ Files - ``/var/run/named/named.pid`` - The default process-id file. - -+Notes -+~~~~~ -+ -+**Red Hat SELinux BIND Security Profile:** -+ -+By default, Red Hat ships BIND with the most secure SELinux policy -+that will not prevent normal BIND operation and will prevent exploitation -+of all known BIND security vulnerabilities. See the selinux(8) man page -+for information about SElinux. -+ -+It is not necessary to run named in a chroot environment if the Red Hat -+SELinux policy for named is enabled. When enabled, this policy is far -+more secure than a chroot environment. Users are recommended to enable -+SELinux and remove the bind-chroot package. -+ -+*With this extra security comes some restrictions:* -+ -+By default, the SELinux policy does not allow named to write outside directory -+/var/named. That directory used to be read-only for named, but write access is -+enabled by default now. -+ -+The "named" group must be granted read privelege to -+these files in order for named to be enabled to read them. -+Any file updated by named must be writeable by named user or named group. -+ -+Any file created in the zone database file directory is automatically assigned -+the SELinux file context *named_zone_t* . 
-+ -+The Red Hat BIND distribution and SELinux policy creates three directories where -+named were allowed to create and modify files: */var/named/slaves*, */var/named/dynamic* -+*/var/named/data*. The service is able to write and file under */var/named* with appropriate -+permissions. They are used for better organisation of zones and backward compatibility. -+Files in these directories are automatically assigned the '*named_cache_t*' -+file context, which SELinux always allows named to write. -+ - See Also - ~~~~~~~~ - --- -2.26.2 - diff --git a/bind-9.16.37.tar.xz b/bind-9.16.37.tar.xz deleted file mode 100644 index 29818fb..0000000 Binary files a/bind-9.16.37.tar.xz and /dev/null differ diff --git a/bind-9.18-zt-include-rwlock.patch b/bind-9.18-zt-include-rwlock.patch deleted file mode 100644 index 4375a2f..0000000 --- a/bind-9.18-zt-include-rwlock.patch +++ /dev/null @@ -1,26 +0,0 @@ -From 395d6fca2638129e1cc1f55ee4b3aa0dbba44dc0 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= -Date: Mon, 16 Jan 2023 11:45:31 +0100 -Subject: [PATCH] Include isc_rwlocktype_t type definition in zt.h - -After changes zt.h uses rwlock type, which is not enforced to be always -defined. Ensure full type definition is ready by including appropriate -header. ---- - lib/dns/include/dns/zt.h | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/lib/dns/include/dns/zt.h b/lib/dns/include/dns/zt.h -index 077b26ddea..037d0a9495 100644 ---- a/lib/dns/include/dns/zt.h -+++ b/lib/dns/include/dns/zt.h -@@ -18,6 +18,7 @@ - #include - - #include -+#include - - #include - --- -2.39.0 diff --git a/bind-9.18.21.tar.xz b/bind-9.18.21.tar.xz new file mode 100644 index 0000000..c2b86b2 Binary files /dev/null and b/bind-9.18.21.tar.xz differ diff --git a/bind-9.18.21.tar.xz.asc b/bind-9.18.21.tar.xz.asc new file mode 100644 index 0000000..b4b062c --- /dev/null +++ b/bind-9.18.21.tar.xz.asc 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEcGtsKGIOdvkdEfffUQpkKgbFLOwFAmV3BGsACgkQUQpkKgbF +LOwu9w/+JciqKqT0JieUDwPzEhhulBCWEhbZFrHK6dFM5UkPHkaV79QkZAQEhnq1 +FXVEF99ZuTbz5s79wNAZ9I4AiU0al5RK1P5MwMBbjsQrfnkhmKnPIU1jx3FSVrCP +tC9l1xEjkLNi2vf28ZQ9KED2hUdqsgTZqDvgewEnrq1NtZ0K7ozz9nHQLfooDSJT +L5U9HDp3vf5BJWONjnKAPjJJdeRf7HPqokJVSjQcVxrT06VsMNUFFmyCbEJ0UTJm +mqDrRuEXhkAKf40DwMr0qGqiq5Q4m960yADEK1Aju/9cEf6Ag4FYyy70iyICe7Tj +T8qjVzzwboUJao3m/152+6qvzGXJKdUUZqCnNcCc2wmirmg/ES4DLLFyYYXBflj7 +hWCOLXeghF/785te4fmiH3gqcEZBEVcc0wl1HCL5m3q9kGutGgLJVOZgM5D6zf2T +0Sa60qIr5r+cKCS9OYowTH1+NqEsW4XhCVIe/RYEuXa3FFczIUbdGlUQ5t9ILBxi +zbZ04Tj0tecqUVkhoEYZfQzhHEa43LzxATdQ4Zc01USaxhbSFSoyG1+WP1tPD+PL +wqZA9tEuvKtngr/UP+BeLG0lWv5zbtShzM1V1cEg7JuoiI2onWstaN7NYXShiUMZ +oVYXIBbmNbXVmm2TYzt4mw9TotGWHkSNjPZGvvAYw/0mtcw6NXs= +=bzR1 +-----END PGP SIGNATURE----- diff --git a/bind-9.5-PIE.patch b/bind-9.5-PIE.patch deleted file mode 100644 index d3c73ee..0000000 --- a/bind-9.5-PIE.patch +++ /dev/null @@ -1,30 +0,0 @@ -diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in -index eb622d1..37053a7 100644 ---- a/bin/named/Makefile.in -+++ b/bin/named/Makefile.in -@@ -117,8 +117,12 @@ SRCS = builtin.c config.c control.c \ - tkeyconf.c tsigconf.c zoneconf.c \ - ${DLZDRIVER_SRCS} ${DBDRIVER_SRCS} - -+EXT_CFLAGS = -fpie -+ - @BIND9_MAKE_RULES@ - -+LDFLAGS += -pie -Wl,-z,relro,-z,now,-z,nodlopen,-z,noexecstack -+ - main.@O@: main.c - ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \ - -DVERSION=\"${VERSION}\" \ -diff --git a/bin/named/unix/Makefile.in b/bin/named/unix/Makefile.in -index fd9ca8d..f1c102c 100644 ---- a/bin/named/unix/Makefile.in -+++ b/bin/named/unix/Makefile.in -@@ -11,6 +11,8 @@ srcdir = @srcdir@ - VPATH = @srcdir@ - top_srcdir = @top_srcdir@ - -+EXT_CFLAGS = -fpie -+ - @BIND9_MAKE_INCLUDES@ - - CINCLUDES = -I${srcdir}/include -I${srcdir}/../include \ diff --git a/bind-9.5-dlz-64bit.patch b/bind-9.5-dlz-64bit.patch deleted file mode 100644 index ec064c6..0000000 
--- a/bind-9.5-dlz-64bit.patch +++ /dev/null @@ -1,53 +0,0 @@ -diff --git a/contrib/dlz/config.dlz.in b/contrib/dlz/config.dlz.in -index 47525af..eefe3c3 100644 ---- a/contrib/dlz/config.dlz.in -+++ b/contrib/dlz/config.dlz.in -@@ -17,6 +17,13 @@ - # - dlzdir='${DLZ_DRIVER_DIR}' - -+AC_MSG_CHECKING([for target libdir]) -+AC_RUN_IFELSE([int main(void) {exit((sizeof(void *) == 8) ? 0 : 1);}], -+ [target_lib=lib64], -+ [target_lib=lib], -+) -+AC_MSG_RESULT(["$target_lib"]) -+ - # - # Private autoconf macro to simplify configuring drivers: - # -@@ -292,9 +299,9 @@ case "$use_dlz_bdb" in - then - break - fi -- elif test -f "$dd/lib/lib${d}.so" -+ elif test -f "$dd/${target_lib}/lib${d}.so" - then -- dlz_bdb_libs="-L${dd}/lib -l${d}" -+ dlz_bdb_libs="-L${dd}/${target_lib} -l${d}" - break - fi - done -@@ -396,7 +403,7 @@ case "$use_dlz_ldap" in - *) - DLZ_ADD_DRIVER(LDAP, dlz_ldap_driver, - [-I$use_dlz_ldap/include], -- [-L$use_dlz_ldap/lib -lldap -llber]) -+ [-L$use_dlz_ldap/${target_lib} -lldap -llber]) - - AC_MSG_RESULT( - [using LDAP from $use_dlz_ldap/lib and $use_dlz_ldap/include]) -@@ -432,11 +439,11 @@ then - odbcdirs="/usr /usr/local /usr/pkg" - for d in $odbcdirs - do -- if test -f $d/include/sql.h -a -f $d/lib/libodbc.a -+ if test -f $d/include/sql.h -a -f $d/${target_lib}/libodbc.a - then - use_dlz_odbc=$d - dlz_odbc_include="-I$use_dlz_odbc/include" -- dlz_odbc_libs="-L$use_dlz_odbc/lib -lodbc" -+ dlz_odbc_libs="-L$use_dlz_odbc/${target_lib} -lodbc" - break - fi - done diff --git a/bind-9.9.1-P2-dlz-libdb.patch b/bind-9.9.1-P2-dlz-libdb.patch deleted file mode 100644 index 866ed8f..0000000 --- a/bind-9.9.1-P2-dlz-libdb.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -diff -up bind-9.10.1b1/contrib/dlz/config.dlz.in.libdb bind-9.10.1b1/contrib/dlz/config.dlz.in ---- bind-9.10.1b1/contrib/dlz/config.dlz.in.libdb 2014-08-04 12:33:09.320735111 +0200 -+++ bind-9.10.1b1/contrib/dlz/config.dlz.in 2014-08-04 12:41:46.888241910 +0200 -@@ -263,7 +263,7 @@ case "$use_dlz_bdb" in - # Check other locations for includes. - # Order is important (sigh). - -- bdb_incdirs="/db53 /db51 /db48 /db47 /db46 /db45 /db44 /db43 /db42 /db41 /db4 /db" -+ bdb_incdirs="/db53 /db51 /db48 /db47 /db46 /db45 /db44 /db43 /db42 /db41 /db4 /libdb /db" - # include a blank element first - for d in "" $bdb_incdirs - do -@@ -288,16 +288,9 @@ case "$use_dlz_bdb" in - bdb_libnames="db53 db-5.3 db51 db-5.1 db48 db-4.8 db47 db-4.7 db46 db-4.6 db45 db-4.5 db44 db-4.4 db43 db-4.3 db42 db-4.2 db41 db-4.1 db" - for d in $bdb_libnames - do -- if test "$dd" = "/usr" -+ if test -f "$dd/${target_lib}/lib${d}.so" - then -- AC_CHECK_LIB($d, db_create, dlz_bdb_libs="-l${d}") -- if test $dlz_bdb_libs != "yes" -- then -- break -- fi -- elif test -f "$dd/${target_lib}/lib${d}.so" -- then -- dlz_bdb_libs="-L${dd}/${target_lib} -l${d}" -+ dlz_bdb_libs="-L${dd}/${target_lib}/libdb -l${d}" - break - fi - done diff --git a/bind.spec b/bind.spec index 532eb68..ba95753 100644 --- a/bind.spec +++ b/bind.spec @@ -1,6 +1,5 @@ %bcond_with SYSTEMTEST %bcond_without GSSTSIG -%bcond_without PKCS11 %bcond_without JSON %bcond_with DLZ %bcond_with GEOIP2 @@ -29,8 +28,8 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server Name: bind License: MPLv2.0 -Version: 9.16.37 -Release: 6 +Version: 9.18.21 +Release: 1 Epoch: 32 Url: https://www.isc.org/downloads/bind/ # 
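Review bot: The bump to `Version: 9.18.21` lands together with a new detached signature file (bind-9.18.21.tar.xz.asc), but nothing in these hunks verifies that signature during the build, so it documents provenance without enforcing it. Unless %prep already does this outside the diff, add the .asc and the ISC release-signing key as Sources and verify before unpacking, e.g. `%{gpgverify} --keyring='%{SOURCE<key-n>}' --signature='%{SOURCE<asc-n>}' --data='%{SOURCE0}'` (source numbers are placeholders to be filled in). Without that step a tampered tarball in the lookaside cache would build exactly like the genuine one.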
@@ -58,30 +57,10 @@ Source42: generate-rndc-key.sh Source43: named.rwtab Source44: named-chroot-setup.service Source46: named-setup-rndc.service -Source47: named-pkcs11.service Source48: setup-named-softhsm.sh Source49: named-chroot.files -Patch1: bind-9.14-config-pkcs11.patch -Patch2: bind-9.10-dist-native-pkcs11.patch -Patch3: bind-9.11-kyua-pkcs11.patch # Common patches -Patch10: bind-9.5-PIE.patch -Patch11: bind-9.16-redhat_doc.patch -Patch12: bind-9.5-dlz-64bit.patch -Patch13: bind93-rh490837.patch -Patch14: bind97-rh645544.patch -Patch15: bind-9.9.1-P2-dlz-libdb.patch -Patch16: bind-9.11-fips-tests.patch -# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/2689 -Patch17: bind-9.11-rh1666814.patch -Patch18: bind-9.18-zt-include-rwlock.patch - -Patch6001: CVE-2022-2906.patch -Patch6002: backport-CVE-2023-2911.patch -Patch6003: backport-CVE-2023-3341.patch - -Patch9000: bugfix-limit-numbers-of-test-threads.patch %{?systemd_ordering} Requires: coreutils @@ -107,6 +86,9 @@ BuildRequires: findutils sed BuildRequires: libuv-devel BuildRequires: systemd BuildRequires: libnsl2 +BuildRequires: libnghttp2-devel +BuildRequires: chrpath + %if %{with DLZ} BuildRequires: openldap-devel, libpq-devel, sqlite-devel, mariadb-connector-c-devel %endif @@ -114,7 +96,7 @@ BuildRequires: openldap-devel, libpq-devel, sqlite-devel, mariadb-connector-c-d # make unit dependencies BuildRequires: libcmocka-devel kyua %endif -%if %{with PKCS11} && (%{with UNITTEST} || %{with SYSTEMTEST}) +%if %{with UNITTEST} || %{with SYSTEMTEST} BuildRequires: softhsm %endif %if %{with SYSTEMTEST} 
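Review bot: Dropping `Patch6001: CVE-2022-2906.patch`, `Patch6002: backport-CVE-2023-2911.patch` and `Patch6003: backport-CVE-2023-3341.patch` is only correct if each fix is contained in upstream 9.18.21, and nothing in the diff records that this was checked. A one-line comment where the patch lines used to be, or a changelog entry naming the three CVEs as fixed upstream, lets the next reviewer confirm it against the 9.18 release notes instead of re-deriving it. In the second hunk, `BuildRequires: chrpath` is added but no chrpath invocation appears anywhere in this diff; if it is used to strip RPATHs from the installed binaries, a comment next to the BuildRequires saying so is warranted, and if it is unused it should be removed.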
@@ -139,10 +121,10 @@ BuildRequires: libmaxminddb-devel BuildRequires: fstrm-devel protobuf-c-devel %endif # Needed to regenerate dig.1 manpage -%if %{with DOC} + BuildRequires: python3-sphinx python3-sphinx_rtd_theme BuildRequires: doxygen -%endif + %if %{with DOCPDF} # Because remaining issues with COPR, allow turning off PDF (re)generation BuildRequires: python3-sphinx-latex latexmk texlive-xetex texlive-xindy 
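Review bot: Removing the `%if %{with DOC}` guard makes python3-sphinx and doxygen unconditional build dependencies, yet the comment above them still reads `# Needed to regenerate dig.1 manpage`, which no longer explains why they are required (the dig man regeneration step is deleted in a later hunk at `-pushd bin/dig`). If the dependency is now needed because all manual pages are built from .rst sources, reword it to `# Needed to build the manual pages from their .rst sources, independent of DOC`; if sphinx is really only wanted with DOC, the guard should stay. Also, the two guard lines were replaced by bare `+` blank lines rather than deleted, leaving double blank lines; the same pattern appears after `Requires: libcap-devel`, after `%ldconfig_scriptlets libs`, and in the dnssec-doc and devel %files lists.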
@@ -158,48 +140,7 @@ which resolves host names to IP addresses; a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating properly. -%if %{with PKCS11} -%package pkcs11 -Summary: Bind with native PKCS#11 functionality for crypto -Requires: bind%{?_isa} = %{epoch}:%{version}-%{release} -Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release} -Requires: bind-pkcs11-libs%{?_isa} = %{epoch}:%{version}-%{release} -Recommends: softhsm -%description pkcs11 -This is a version of BIND server built with native PKCS#11 functionality. -It is important to have SoftHSM v2+ installed and some token initialized. -For other supported HSM modules please check the BIND documentation. - -%package pkcs11-utils -Summary: Bind tools with native PKCS#11 for using DNSSEC -Requires: bind-pkcs11-libs%{?_isa} = %{epoch}:%{version}-%{release} -Obsoletes: bind-pkcs11 < 32:9.9.4-16.P2 -Requires: bind-dnssec-doc = %{epoch}:%{version}-%{release} - -%description pkcs11-utils -This is a set of PKCS#11 utilities that when used together create rsa -keys in a PKCS11 keystore. Also utilities for working with DNSSEC -compiled with native PKCS#11 functionality are included. - -%package pkcs11-libs -Summary: Bind libraries compiled with native PKCS#11 -Requires: bind-license = %{epoch}:%{version}-%{release} -Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release} - -%description pkcs11-libs -This is a set of BIND libraries (dns, isc) compiled with native PKCS#11 -functionality. - -%package pkcs11-devel -Summary: Development files for Bind libraries compiled with native PKCS#11 -Requires: bind-pkcs11-libs%{?_isa} = %{epoch}:%{version}-%{release} -Requires: bind-devel%{?_isa} = %{epoch}:%{version}-%{release} - -%description pkcs11-devel -This a set of development files for BIND libraries (dns, isc) compiled -with native PKCS#11 functionality. -%endif %package libs Summary: Libraries used by the BIND DNS packages 
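Review bot: The bind-pkcs11, bind-pkcs11-utils, bind-pkcs11-libs and bind-pkcs11-devel subpackages are removed here, but no `Obsoletes:` for them is added, so a system upgrading from 9.16 keeps the old named-pkcs11 binaries and libraries installed, and their exact-version `Requires: bind-libs = %{epoch}:%{version}-%{release}` will either block the upgrade or leave them with unsatisfied dependencies. Unless this is handled elsewhere in the spec, add `Obsoletes: bind-pkcs11 < %{epoch}:%{version}-%{release}` plus the equivalent lines for the -utils, -libs and -devel variants to whichever package now supplies the functionality. The same applies to python3-bind, removed in the later hunk at `-%package -n python3-bind`.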
@@ -238,7 +179,6 @@ servers. Summary: DNSSEC keys and zones management utilities Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release} Recommends: bind-utils -Requires: python3-bind = %{epoch}:%{version}-%{release} Requires: bind-dnssec-doc = %{epoch}:%{version}-%{release} %description dnssec-utils @@ -265,6 +205,7 @@ Obsoletes: bind-lite-devel < 32:9.16.6-3 Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release} Requires: openssl-devel%{?_isa} libxml2-devel%{?_isa} Requires: libcap-devel%{?_isa} + %if %{with GSSTSIG} Requires: krb5-devel%{?_isa} %endif @@ -332,18 +273,6 @@ Requires: bind%{?_isa} = %{epoch}:%{version}-%{release} Dynamic Loadable Zones sqlite3 module for BIND server. %endif - -%package -n python3-bind -Summary: A module allowing rndc commands to be sent from Python programs -Requires: bind-license = %{epoch}:%{version}-%{release} -Requires: python3 python3-ply %{?py3_dist:%py3_dist ply} -BuildArch: noarch -%{?python_provide:%python_provide python3-bind} -%{?python_provide:%python_provide python3-isc} - -%description -n python3-bind -This package provides a module which allows commands to be sent to rndc directly from Python programs. - %if %{with DOC} %package doc Summary: BIND 9 Administrator Reference Manual @@ -370,23 +299,14 @@ in HTML and PDF format. # Common patches %autopatch -p1 -m 10 -%if %{with PKCS11} -%autopatch -p1 -m 1 -M 1 -cp -r bin/named{,-pkcs11} -cp -r bin/dnssec{,-pkcs11} -cp -r lib/dns{,-pkcs11} -cp -r lib/ns{,-pkcs11} -%autopatch -p1 -m 2 -M 9 -%endif # Sparc and s390 arches need to use -fPIE %ifarch sparcv9 sparc64 s390 s390x -for i in bin/named/{,unix}/Makefile.in; do +for i in bin/named/Makefile.am; do sed -i 's|fpie|fPIE|g' $i done %endif -sed -e 's|"$TOP/config.guess"|"$TOP_SRCDIR/config.guess"|' -i bin/tests/system/ifconfig.sh :; 
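Review bot: With bind-9.5-PIE.patch deleted in this commit, the retained `sed -i 's|fpie|fPIE|g'` over `bin/named/Makefile.am` most likely matches nothing, since that patch is what introduced `-fpie` and the `-pie -Wl,-z,relro,-z,now,-z,noexecstack` link flags, so the sparc/s390 block is now a no-op unless upstream's Makefile.am carries that flag itself. If PIE and full RELRO are expected to come from the distribution's hardened build flags, replace the block with a comment saying so; if not, the hardening that patch provided has been dropped without mention. Separately, `%autopatch -p1 -m 10` is kept although every `Patch` line visible in this diff is removed; if no patches remain elsewhere in the spec, the line and its `-m 10` bound are stale and should be deleted or reduced to a plain `%autopatch -p1`.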
@@ -396,15 +316,12 @@ sed -e 's|"$TOP/config.guess"|"$TOP_SRCDIR/config.guess"|' -i bin/tests/system/i # normal and pkcs11 unit tests %define unit_prepare_build() \ - cp -uv Kyuafile "%{1}/" \ find lib -name 'K*.key' -exec cp -uv '{}' "%{1}/{}" ';' \ - find lib -name 'Kyuafile' -exec cp -uv '{}' "%{1}/{}" ';' \ find lib -name 'testdata' -type d -exec cp -Tav '{}' "%{1}/{}" ';' \ find lib -name 'testkeys' -type d -exec cp -Tav '{}' "%{1}/{}" ';' \ %define systemtest_prepare_build() \ cp -Tuav bin/tests "%{1}/bin/tests/" \ - cp -uv version "%{1}" \ CFLAGS="$CFLAGS $RPM_OPT_FLAGS" %if %{with TSAN} @@ -418,7 +335,7 @@ export STD_CDEFINES="$CPPFLAGS" #'s/RELEASEVER=\(.*\)/RELEASEVER=\1-RH/' \ #version -libtoolize -c -f; aclocal -I libtool.m4 --force; autoconf -f +autoconf --force mkdir build @@ -432,8 +349,6 @@ pushd build LIBDIR_SUFFIX= export LIBDIR_SUFFIX %configure \ - --with-python=%{__python3} \ - --with-libtool \ --localstatedir=%{_var} \ --with-pic \ --disable-static \ @@ -443,11 +358,6 @@ export LIBDIR_SUFFIX %if %{with GEOIP2} --with-maxminddb \ %endif -%if %{with PKCS11} - --enable-native-pkcs11 \ - --with-pkcs11=%{_libdir}/pkcs11/libsofthsm2.so \ -%endif - --with-dlopen=yes \ %if %{with GSSTSIG} --with-gssapi=yes \ %endif @@ -457,7 +367,7 @@ export LIBDIR_SUFFIX --with-lmdb=no \ %endif %if %{with JSON} - --without-libjson --with-json-c \ +--with-json-c \ %endif %if %{with DNSTAP} --enable-dnstap \ @@ -472,9 +382,6 @@ export LIBDIR_SUFFIX pushd lib SRCLIB="../../../lib" (cd dns && ln -s ${SRCLIB}/dns/dnstap.proto) -%if %{with PKCS11} - (cd dns-pkcs11 && ln -s ${SRCLIB}/dns-pkcs11/dnstap.proto) -%endif popd %endif @@ -487,15 +394,6 @@ fmtutil-user --missing || : %endif %make_build - -# Regenerate dig.1 manpage -pushd bin/dig -make man -popd -pushd bin/python -make man -popd - %if %{with DOC} make doc %endif 
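Review bot: The replacement option `+--with-json-c \` lost the indentation of the line it replaces and no longer lines up with the neighbouring `--with-maxminddb \` and `--with-gssapi=yes \` entries inside the %configure invocation; restore it as `    --with-json-c \`. In the earlier hunk, `autoconf --force` replaces the libtoolize/aclocal/autoconf sequence, but 9.18 is an automake-based tree, so if the shipped configure script is not to be used as-is the matching step is `autoreconf -fi`, and if it is, the call can go entirely; either way a one-line comment stating the intent would help, since the commented-out `#'s/RELEASEVER...` lines above it are the only context left.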
@@ -518,7 +416,7 @@ popd # build %systemtest_prepare_build build %check -%if %{with PKCS11} && (%{with UNITTEST} || %{with SYSTEMTEST}) +%if %{with UNITTEST} || %{with SYSTEMTEST} # Tests require initialization of pkcs11 token eval "$(bash %{SOURCE48} -A "`pwd`/softhsm-tokens")" %endif @@ -553,23 +451,6 @@ export TSAN_OPTIONS="log_exe_name=true log_path=ThreadSanitizer exitcode=0" if perl bin/tests/system/testsock.pl then CONFIGURED=already -else - CONFIGURED= - sh bin/tests/system/ifconfig.sh up - perl bin/tests/system/testsock.pl && CONFIGURED=build -fi -if [ -n "$CONFIGURED" ] -then - set -e - pushd build/bin/tests - chown -R ${USER} . # Can be unknown user - %make_build test 2>&1 | tee test.log - e=$? - popd - [ "$CONFIGURED" = build ] && sh bin/tests/system/ifconfig.sh down - if [ "$e" -ne 0 ]; then - echo "ERROR: this build of BIND failed 'make test'. Aborting." - exit $e; fi; else echo 'SKIPPED: tests require root, CAP_NET_ADMIN or already configured test addresses.' @@ -604,7 +485,6 @@ touch ${RPM_BUILD_ROOT}/%{chroot_prefix}%{_sysconfdir}/named.conf pushd build %make_install popd -rpm -E %{_unitdir} # Remove unwanted files rm -f ${RPM_BUILD_ROOT}/etc/bind.keys 
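Review bot: After this hunk %check no longer runs the system tests at all: the `if [ -n "$CONFIGURED" ]` block that executed `%make_build test` and aborted on failure is deleted, while `CONFIGURED=already` and the SKIPPED message are kept, so when testsock.pl succeeds the variable is set and nothing consumes it (unless a consumer exists past the hunk's closing `fi`). If the intent is to stop running system tests in the package build, the `if perl bin/tests/system/testsock.pl` branch and the surrounding `%if %{with SYSTEMTEST}` scaffolding should go with it and the commit message should say so; otherwise the `pushd build/bin/tests` / `%make_build test` invocation needs to be restored, because a %check that silently does nothing reads as a pass. A comment such as `# System tests are not executed in the package build; run them out of tree` would make the decision visible either way.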
@@ -616,36 +496,34 @@ install -m 644 %{SOURCE38} ${RPM_BUILD_ROOT}%{_unitdir} install -m 644 %{SOURCE44} ${RPM_BUILD_ROOT}%{_unitdir} install -m 644 %{SOURCE46} ${RPM_BUILD_ROOT}%{_unitdir} -%if %{with PKCS11} -install -m 644 %{SOURCE47} ${RPM_BUILD_ROOT}%{_unitdir} -%else -# Not packaged without PKCS11 -find ${RPM_BUILD_ROOT}%{_includedir}/bind9/pk11 ${RPM_BUILD_ROOT}%{_includedir}/bind9/pkcs11 \ - -name '*.h' \! -name site.h -delete - -%endif mkdir -p ${RPM_BUILD_ROOT}%{_libexecdir} install -m 755 %{SOURCE41} ${RPM_BUILD_ROOT}%{_libexecdir}/setup-named-chroot.sh install -m 755 %{SOURCE42} ${RPM_BUILD_ROOT}%{_libexecdir}/generate-rndc-key.sh -%if %{with PKCS11} install -m 755 %{SOURCE48} ${RPM_BUILD_ROOT}%{_libexecdir}/setup-named-softhsm.sh -%endif install -m 644 %SOURCE3 ${RPM_BUILD_ROOT}/etc/logrotate.d/named mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig install -m 644 %{SOURCE1} ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig/named install -m 644 %{SOURCE49} ${RPM_BUILD_ROOT}%{_sysconfdir}/named-chroot.files +pushd ${RPM_BUILD_ROOT}%{_sbindir} +# Compatibility with previous major versions, only for selected binaries +for BIN in named-checkconf named-checkzone named-compilezone +do + ln -s ../bin/$BIN $BIN +done +popd + %if %{with DLZ} pushd build pushd contrib/dlz/modules for DIR in filesystem ldap mysql mysqldyn sqlite3; do - %make_install -C $DIR libdir=%{_libdir}/named + %make_install -C $DIR libdir=%{_libdir}/bind done - pushd ${RPM_BUILD_ROOT}/%{_libdir}/bind - cp -s ../named/dlz_*.so . + pushd ${RPM_BUILD_ROOT}/%{_libdir}/named + cp -s ../bind/dlz_*.so . popd mkdir -p doc/{mysql,mysqldyn} cp -p mysqldyn/testing/README doc/mysqldyn/README.testing 
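Review bot: The DLZ install direction is swapped in the last hunk: modules are now installed with `libdir=%{_libdir}/bind` and symlinked into `%{_libdir}/named` via `cp -s ../bind/dlz_*.so .`, but the base %files list further down only claims `%{_libdir}/bind/filter*.so`, so the dlz_*.so files and their named/ symlinks must be picked up by the DLZ subpackage %files (outside this diff) or the build will fail on unpackaged files. A comment above the loop, e.g. `# real modules live in %{_libdir}/bind; %{_libdir}/named holds compatibility symlinks`, would document the new layout. The compatibility symlink loop in %{_sbindir} is fine as written, but note it hardcodes `../bin/$BIN`, which assumes %{_bindir} and %{_sbindir} are siblings.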
@@ -655,27 +533,9 @@ install -m 644 %{SOURCE49} ${RPM_BUILD_ROOT}%{_sysconfdir}/named-chroot.files popd %endif -# Install isc/errno2result.h header -install -m 644 lib/isc/unix/errno2result.h ${RPM_BUILD_ROOT}%{_includedir}/bind9/isc - # Remove libtool .la files: find ${RPM_BUILD_ROOT}/%{_libdir} -name '*.la' -exec '/bin/rm' '-f' '{}' ';'; -# PKCS11 versions manpages -%if %{with PKCS11} -pushd ${RPM_BUILD_ROOT}%{_mandir}/man8 -ln -s named.8.gz named-pkcs11.8.gz -ln -s dnssec-checkds.8.gz dnssec-checkds-pkcs11.8.gz -ln -s dnssec-dsfromkey.8.gz dnssec-dsfromkey-pkcs11.8.gz -ln -s dnssec-importkey.8.gz dnssec-importkey-pkcs11.8.gz -ln -s dnssec-keyfromlabel.8.gz dnssec-keyfromlabel-pkcs11.8.gz -ln -s dnssec-keygen.8.gz dnssec-keygen-pkcs11.8.gz -ln -s dnssec-revoke.8.gz dnssec-revoke-pkcs11.8.gz -ln -s dnssec-settime.8.gz dnssec-settime-pkcs11.8.gz -ln -s dnssec-signzone.8.gz dnssec-signzone-pkcs11.8.gz -ln -s dnssec-verify.8.gz dnssec-verify-pkcs11.8.gz -popd -%endif # 9.16.4 installs even manual pages for tools not generated %if %{without DNSTAP} @@ -687,7 +547,9 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man8/named-nzd2nzf.8* || true pushd ${RPM_BUILD_ROOT}%{_mandir}/man8 ln -s ddns-confgen.8.gz tsig-keygen.8.gz -ln -s named-checkzone.8.gz named-compilezone.8.gz +popd +pushd ${RPM_BUILD_ROOT}%{_mandir}/man1 +ln -s named-checkzone.1.gz named-compilezone.1.gz popd %if %{with DOC} 
@@ -696,19 +558,13 @@ cp -a build/doc/arm/_build/html ${RPM_BUILD_ROOT}%{_pkgdocdir} rm -rf ${RPM_BUILD_ROOT}%{_pkgdocdir}/html/.{buildinfo,doctrees} # Backward compatible link to 9.11 documentation (cd ${RPM_BUILD_ROOT}%{_pkgdocdir} && ln -s html/index.html Bv9ARM.html) -# Share static data from original sphinx package -for DIR in %{python3_sitelib}/sphinx_rtd_theme/static/* -do - BASE=$(basename -- "$DIR") - BINDTHEMEDIR="${RPM_BUILD_ROOT}%{_pkgdocdir}/html/_static/$BASE" - if [ -d "$BINDTHEMEDIR" ]; then rm -rf "$BINDTHEMEDIR" ln -s "$DIR" "$BINDTHEMEDIR" fi done %endif %if %{with DOCPDF} -cp -a build/doc/arm/Bv9ARM.pdf ${RPM_BUILD_ROOT}%{_pkgdocdir} +cp -a build/doc/arm/_build/latex/Bv9ARM.pdf ${RPM_BUILD_ROOT}%{_pkgdocdir} %endif # Ghost config files: @@ -735,7 +591,6 @@ install -m 644 %{SOURCE25} sample/etc/named.conf # Copy default configuration to %%doc to make it usable from system-config-bind install -m 644 %{SOURCE16} named.conf.default install -m 644 %{SOURCE23} sample/etc/named.rfc1912.zones -install -m 644 %{SOURCE18} %{SOURCE19} %{SOURCE20} sample/var/named install -m 644 %{SOURCE17} sample/var/named/named.ca for f in my.internal.zone.db slaves/my.slave.internal.zone.db slaves/my.ddns.internal.zone.db my.external.zone.db; do echo '@ in soa localhost. root 1 3H 15M 1W 1D @@ -774,7 +629,7 @@ else /sbin/usermod -s /sbin/nologin named fi # Checkconf will parse out comments - if /usr/sbin/named-checkconf -p /etc/named.conf 2>/dev/null | grep -q named.iscdlv.key + if /usr/bin/named-checkconf -p /etc/named.conf 2>/dev/null | grep -q named.iscdlv.key then echo "Replacing obsolete named.iscdlv.key with named.root.key..." if cp -Rf --preserve=all --remove-destination /etc/named.conf /etc/named.conf.rpmbackup; then 
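Review bot: The %post scriptlet in the last hunk now hardcodes `/usr/bin/named-checkconf` while every other path in this spec goes through `%{_bindir}`/`%{_sbindir}`; `if %{_bindir}/named-checkconf -p /etc/named.conf 2>/dev/null | grep -q named.iscdlv.key` keeps it consistent. Since an earlier hunk also installs a `%{_sbindir}/named-checkconf` compatibility symlink, the old path would have continued to work, so this is a choice rather than a fix and deserves a word in the commit message. The enclosing `%post` block starts before this hunk.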
@@ -800,19 +655,6 @@ if [ -e "%{_sysconfdir}/selinux/config" ]; then %selinux_unset_booleans -s mls %{selinuxbooleans} fi -%if %{with PKCS11} -%post pkcs11 -# Initial installation -%systemd_post named-pkcs11.service - -%preun pkcs11 -# Package removal, not upgrade -%systemd_preun named-pkcs11.service - -%postun pkcs11 -# Package upgrade, not uninstall -%systemd_postun_with_restart named-pkcs11.service -%endif # Fix permissions on existing device files on upgrade %define chroot_fix_devices() \ @@ -832,9 +674,7 @@ fi %ldconfig_scriptlets libs -%if %{with PKCS11} -%ldconfig_scriptlets pkcs11-libs -%endif + %post chroot %systemd_post named-chroot.service @@ -860,7 +700,7 @@ fi; %files %dir %{_libdir}/bind %dir %{_libdir}/named -%{_libdir}/named/*.so +%{_libdir}/bind/filter*.so %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/sysconfig/named %config(noreplace) %attr(0644,root,named) %{_sysconfdir}/named.root.key %config(noreplace) %{_sysconfdir}/logrotate.d/named @@ -868,24 +708,26 @@ fi; %{_sysconfdir}/rwtab.d/named %{_unitdir}/named.service %{_unitdir}/named-setup-rndc.service -%{_sbindir}/named-journalprint -%{_sbindir}/named-checkconf +%{_bindir}/named-journalprint +%{_bindir}/named-checkconf %{_bindir}/named-rrchecker %{_bindir}/mdig %{_sbindir}/named %{_sbindir}/rndc* +%{_sbindir}/named-checkconf %{_libexecdir}/generate-rndc-key.sh +%{_libexecdir}/setup-named-softhsm.sh %{_mandir}/man1/mdig.1* %{_mandir}/man1/named-rrchecker.1* %{_mandir}/man5/named.conf.5* %{_mandir}/man5/rndc.conf.5* %{_mandir}/man8/rndc.8* %{_mandir}/man8/named.8* -%{_mandir}/man8/named-checkconf.8* +%{_mandir}/man1/named-checkconf.1* %{_mandir}/man8/rndc-confgen.8* -%{_mandir}/man8/named-journalprint.8* -%{_mandir}/man8/filter-aaaa.8.gz -%doc CHANGES README named.conf.default +%{_mandir}/man1/named-journalprint.1* +%{_mandir}/man8/filter-*.8.gz +%doc CHANGES README.md named.conf.default %doc sample/ # Hide configuration 
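Review bot: The %files hunk (`@@ -868,24 +708,26 @@`) lists named-checkconf under both `%{_bindir}` and `%{_sbindir}`; on a layout where %{_sbindir} is a separate directory the build has to place a file or symlink at both paths or rpmbuild fails on the missing file, and on a merged-sbin layout the second entry is a duplicate. The same bin+sbin pairing is added for named-checkzone and named-compilezone in the next hunk (`@@ -935,7 +777,9 @@`). If the sbin entries are compatibility symlinks created in %install (not visible here), a comment such as `# compat symlinks for tools moved from sbin to bin in 9.18` above them would document that; otherwise drop one side. Hunk `@@ -860,7 +700,7 @@` keeps `%dir %{_libdir}/named` while moving the only payload under it to `%{_libdir}/bind/filter*.so`, so that directory entry may now be empty. `%{_libexecdir}/setup-named-softhsm.sh` moves into the base package after the pkcs11 subpackage is dropped; confirm %install still ships it, as nothing else in the diff installs it.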
@@ -935,7 +777,9 @@ fi; %{_bindir}/arpaname %{_sbindir}/ddns-confgen %{_sbindir}/tsig-keygen -%{_sbindir}/nsec3hash +%{_bindir}/nsec3hash +%{_bindir}/named-checkzone +%{_bindir}/named-compilezone %{_sbindir}/named-checkzone %{_sbindir}/named-compilezone %if %{with DNSTAP} @@ -943,8 +787,8 @@ fi; %{_mandir}/man1/dnstap-read.1* %endif %if %{with LMDB} -%{_sbindir}/named-nzd2nzf -%{_mandir}/man8/named-nzd2nzf.8* +%{_bindir}/named-nzd2nzf +%{_mandir}/man1/named-nzd2nzf.1* %endif %{_mandir}/man1/host.1* %{_mandir}/man1/nsupdate.1* @@ -954,22 +798,17 @@ fi; %{_mandir}/man1/arpaname.1* %{_mandir}/man8/ddns-confgen.8* %{_mandir}/man8/tsig-keygen.8* -%{_mandir}/man8/nsec3hash.8* -%{_mandir}/man8/named-checkzone.8* -%{_mandir}/man8/named-compilezone.8* +%{_mandir}/man1/nsec3hash.1* +%{_mandir}/man1/named-checkzone.1* +%{_mandir}/man1/named-compilezone.1* %{_sysconfdir}/trusted-key.key %files dnssec-utils -%{_sbindir}/dnssec* -%if %{with PKCS11} -%exclude %{_sbindir}/dnssec*pkcs11 -%endif +%{_bindir}/dnssec* %files dnssec-doc -%{_mandir}/man8/dnssec*.8* -%if %{with PKCS11} -%exclude %{_mandir}/man8/dnssec*-pkcs11.8* -%endif +%{_mandir}/man1/dnssec*.1* + %files devel %{_libdir}/libbind9.so @@ -987,8 +826,7 @@ fi; %{_includedir}/bind9/dst %{_includedir}/bind9/irs %{_includedir}/bind9/isc -%dir %{_includedir}/bind9/pk11 -%{_includedir}/bind9/pk11/site.h + %{_includedir}/bind9/isccfg %files chroot 
@@ -1028,33 +866,6 @@ fi; %dir %{chroot_prefix}/run/named %{chroot_prefix}%{_localstatedir}/run -%if %{with PKCS11} -%files pkcs11 -%{_sbindir}/named-pkcs11 -%{_unitdir}/named-pkcs11.service -%{_mandir}/man8/named-pkcs11.8* -%{_libexecdir}/setup-named-softhsm.sh - -%files pkcs11-utils -%{_sbindir}/dnssec*pkcs11 -%{_sbindir}/pkcs11-destroy -%{_sbindir}/pkcs11-keygen -%{_sbindir}/pkcs11-list -%{_sbindir}/pkcs11-tokens -%{_mandir}/man8/pkcs11*.8* -%{_mandir}/man8/dnssec*-pkcs11.8* - -%files pkcs11-libs -%{_libdir}/libdns-pkcs11-%{version}*.so -%{_libdir}/libns-pkcs11-%{version}*.so - -%files pkcs11-devel -%{_includedir}/bind9/pk11/*.h -%exclude %{_includedir}/bind9/pk11/site.h -%{_includedir}/bind9/pkcs11 -%{_libdir}/libdns-pkcs11.so -%{_libdir}/libns-pkcs11.so -%endif %if %{with DLZ} %files dlz-filesystem @@ -1076,9 +887,6 @@ fi; %endif -%files -n python3-bind -%{python3_sitelib}/*.egg-info -%{python3_sitelib}/isc/ %if %{with DOC} %files doc @@ -1091,6 +899,12 @@ fi; %endif %changelog +* Sun Feb 04 2024 zhanghao - 32:9.18.21-1 +- Type:requirement +- CVE:NA +- SUG:NA +- DESC:version update to 9.18.21 + * Tue Sep 26 2023 zhanghao - 32:9.16.37-6 - Type:CVE - CVE:CVE-2023-3341 @@ -1107,7 +921,7 @@ fi; - Type:requirement - CVE:NA - SUG:NA -- DESC:fix two patch from 9.16.23 and delete useless Patches +- DESC:fix two patch from 9.16.23 and delete useless Patches * Mon Feb 13 2023 zhanghao - 32:9.16.37-3 - Type:bugfix @@ -1119,7 +933,7 @@ fi; - Type:bugfix - CVE:NA - SUG:NA -- DESC:fix output expected information when install bing-sdborbind-sdb-chroot +- DESC:fix output expected information when install bing-sdborbind-sdb-chroot * Tue Feb 07 2023 zhanghao - 32:9.16.37-1 - Type:requirement 
@@ -1268,70 +1082,70 @@ CVE-2022-3080 CVE-2022-2906 CVE-2022-2881 - Type:bugfix - CVE:NA - SUG:NA -- DESC:free rbuf - mempool didn t work for sizes less than sizeof void - Reset dig exit code after a TCP connection is establ - Prevent a race after zone load - Fix isc_buffer_copyregion for auto reallocated buffe - free tmpzonename and restart_master - errors initalizing badcaches were not caught or clea - set freed pointers to NULL - cleanup allocated memory on error - Fix a small memleak in delv - pass the correct object to cfg_obj_log - Try to fix crash at sigchase topdown - Do not fail on NULL passed to OpenSSL_free - error out if there are extra command line options - correct errno to result translation - properly detect period as last character in filename - fail if ctime output is truncted - Fix a race in fctx_cancelquery - add missing MAYBE_UNLOCK - Fix race in unix socket code when closing a socket t - fix Ed448 length values for precomputed ASN.1 prefix - don t overwrite the dns_master_loadfile result befor - address NULL pointer dereferences - address potential NULL pointer dereference - Prevent query loops for misbehaving servers - Lock di manager buffer_lock before accessing b - Request exclusive access when crashing via fatal - Assign fctx client when fctx is created rather when - lock access to fctx nqueries - acquire task lock before calling push_readyq for tas - Call dns_dbiterator_destroy earlier to prevent poten - Handle catopen errors - Fixed crash when querying for non existing domain in - Fixed rebinding protection bug when using forwarder - initialize sockaddrdscp to prevent spurious output f - Lock access to answer to silence TSAN - Fix a data access race in resolver - Address race between zone_maintenance and dns_zone_s - rbtdb cleanup_dead_nodes should ignore alive nodes o - make sure new_zone_lock is locked before unlocking i - Prevent crash on dst initialization failure - IPSECKEY require non zero length public keys - NSEC3PARAM check that 
saltlen is consistent with the - A6 return FORMERR in fromwire if bits are non zero - Cast the original rcode to dns_ttl_t when setting ex - Lock on msg SELECT_POKE_CLOSE as it triggers a tsan - Lock access when updating reading manager epoll_even - Take complete ownership of aclp before calling destr - Take complete ownership of validatorp before calling - Address lock order inversion - It appears that you can t change what you are pollin - counter used was read without the lock being held - Missing locks in ns_lwresd_shutdown - Use atomics to update counters - Obtain a lock on the quota structure - The node lock was released too early - Address lock order inversion between the keytable an - Pause dbiterator to release rwlock to prevent lock o - Address lock order reversals when shutting down a vi - Hold qid lock when calling deref_portentry as - Lock zone before calling zone_namerd_tostr - Address TSAN error between dns_rbt_findnode and subt - Address data race in dns_stats_detach over reference - Lock check of DNS_ZONEFLG_EXITING flag +- DESC:free rbuf + mempool didn t work for sizes less than sizeof void + Reset dig exit code after a TCP connection is establ + Prevent a race after zone load + Fix isc_buffer_copyregion for auto reallocated buffe + free tmpzonename and restart_master + errors initalizing badcaches were not caught or clea + set freed pointers to NULL + cleanup allocated memory on error + Fix a small memleak in delv + pass the correct object to cfg_obj_log + Try to fix crash at sigchase topdown + Do not fail on NULL passed to OpenSSL_free + error out if there are extra command line options + correct errno to result translation + properly detect period as last character in filename + fail if ctime output is truncted + Fix a race in fctx_cancelquery + add missing MAYBE_UNLOCK + Fix race in unix socket code when closing a socket t + fix Ed448 length values for precomputed ASN.1 prefix + don t overwrite the dns_master_loadfile result befor + address 
NULL pointer dereferences + address potential NULL pointer dereference + Prevent query loops for misbehaving servers + Lock di manager buffer_lock before accessing b + Request exclusive access when crashing via fatal + Assign fctx client when fctx is created rather when + lock access to fctx nqueries + acquire task lock before calling push_readyq for tas + Call dns_dbiterator_destroy earlier to prevent poten + Handle catopen errors + Fixed crash when querying for non existing domain in + Fixed rebinding protection bug when using forwarder + initialize sockaddrdscp to prevent spurious output f + Lock access to answer to silence TSAN + Fix a data access race in resolver + Address race between zone_maintenance and dns_zone_s + rbtdb cleanup_dead_nodes should ignore alive nodes o + make sure new_zone_lock is locked before unlocking i + Prevent crash on dst initialization failure + IPSECKEY require non zero length public keys + NSEC3PARAM check that saltlen is consistent with the + A6 return FORMERR in fromwire if bits are non zero + Cast the original rcode to dns_ttl_t when setting ex + Lock on msg SELECT_POKE_CLOSE as it triggers a tsan + Lock access when updating reading manager epoll_even + Take complete ownership of aclp before calling destr + Take complete ownership of validatorp before calling + Address lock order inversion + It appears that you can t change what you are pollin + counter used was read without the lock being held + Missing locks in ns_lwresd_shutdown + Use atomics to update counters + Obtain a lock on the quota structure + The node lock was released too early + Address lock order inversion between the keytable an + Pause dbiterator to release rwlock to prevent lock o + Address lock order reversals when shutting down a vi + Hold qid lock when calling deref_portentry as + Lock zone before calling zone_namerd_tostr + Address TSAN error between dns_rbt_findnode and subt + Address data race in dns_stats_detach over reference + Lock check of 
DNS_ZONEFLG_EXITING flag * Mon Feb 22 2021 zhouyihang - 9.11.4-17.h9 - Type:CVE diff --git a/bind93-rh490837.patch b/bind93-rh490837.patch deleted file mode 100644 index 4b32b4d..0000000 --- a/bind93-rh490837.patch +++ /dev/null @@ -1,34 +0,0 @@ -diff --git a/lib/isc/lex.c b/lib/isc/lex.c -index cd44fe3..5b7c539 100644 ---- a/lib/isc/lex.c -+++ b/lib/isc/lex.c -@@ -27,6 +27,8 @@ - #include - #include - -+#include "../errno2result.h" -+ - typedef struct inputsource { - isc_result_t result; - bool is_file; -@@ -422,7 +424,7 @@ isc_lex_gettoken(isc_lex_t *lex, unsigned int options, isc_token_t *tokenp) { - #endif /* if defined(HAVE_FLOCKFILE) && defined(HAVE_GETC_UNLOCKED) */ - if (c == EOF) { - if (ferror(stream)) { -- source->result = ISC_R_IOERROR; -+ source->result = isc__errno2result(errno); - result = source->result; - goto done; - } -diff --git a/lib/isc/unix/errno2result.c b/lib/isc/unix/errno2result.c -index e3e2644..5e58600 100644 ---- a/lib/isc/unix/errno2result.c -+++ b/lib/isc/unix/errno2result.c -@@ -37,6 +37,7 @@ isc___errno2result(int posixerrno, bool dolog, const char *file, - case EINVAL: /* XXX sometimes this is not for files */ - case ENAMETOOLONG: - case EBADF: -+ case EISDIR: - return (ISC_R_INVALIDFILE); - case ENOENT: - return (ISC_R_FILENOTFOUND); diff --git a/bind97-exportlib.patch b/bind97-exportlib.patch deleted file mode 100644 index 4468ef5..0000000 --- a/bind97-exportlib.patch +++ /dev/null 
@@ -1,226 +0,0 @@ -diff -up bind-9.9.3rc2/isc-config.sh.in.exportlib bind-9.9.3rc2/isc-config.sh.in -diff -up bind-9.9.3rc2/lib/export/dns/Makefile.in.exportlib bind-9.9.3rc2/lib/export/dns/Makefile.in ---- bind-9.9.3rc2/lib/export/dns/Makefile.in.exportlib 2013-04-30 08:38:46.000000000 +0200 -+++ bind-9.9.3rc2/lib/export/dns/Makefile.in 2013-05-13 10:45:22.574089729 +0200 -@@ -35,9 +35,9 @@ CDEFINES = -DUSE_MD5 @USE_OPENSSL@ @USE_ - - CWARNINGS = - --ISCLIBS = ../isc/libisc.@A@ -+ISCLIBS = ../isc/libisc-export.@A@ - --ISCDEPLIBS = ../isc/libisc.@A@ -+ISCDEPLIBS = ../isc/libisc-export.@A@ - - LIBS = @LIBS@ - -@@ -116,29 +116,29 @@ version.@O@: ${srcdir}/version.c - -DLIBAGE=${LIBAGE} \ - -c ${srcdir}/version.c - --libdns.@SA@: ${OBJS} -+libdns-export.@SA@: ${OBJS} - ${AR} ${ARFLAGS} $@ ${OBJS} - ${RANLIB} $@ - --libdns.la: ${OBJS} -+libdns-export.la: ${OBJS} - ${LIBTOOL_MODE_LINK} \ -- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns.la \ -+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns-export.la \ - -rpath ${export_libdir} \ - -version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \ - ${OBJS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${LIBS} - --timestamp: libdns.@A@ -+timestamp: libdns-export.@A@ - touch timestamp - - installdirs: - $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_libdir} - - install:: timestamp installdirs -- ${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libdns.@A@ \ -+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libdns-export.@A@ \ - ${DESTDIR}${export_libdir}/ - - clean distclean:: -- rm -f libdns.@A@ timestamp -+ rm -f libdns-export.@A@ timestamp - rm -f gen code.h include/dns/enumtype.h include/dns/enumclass.h - rm -f include/dns/rdatastruct.h - -diff -up bind-9.9.3rc2/lib/export/irs/Makefile.in.exportlib bind-9.9.3rc2/lib/export/irs/Makefile.in ---- bind-9.9.3rc2/lib/export/irs/Makefile.in.exportlib 2013-04-30 08:38:46.000000000 +0200 -+++ bind-9.9.3rc2/lib/export/irs/Makefile.in 2013-05-13 10:45:22.575089729 +0200 -@@ -43,9 +43,9 @@ SRCS = context.c \ - 
gai_sterror.c getaddrinfo.c getnameinfo.c \ - resconf.c - --ISCLIBS = ../isc/libisc.@A@ --DNSLIBS = ../dns/libdns.@A@ --ISCCFGLIBS = ../isccfg/libisccfg.@A@ -+ISCLIBS = ../isc/libisc-export.@A@ -+DNSLIBS = ../dns/libdns-export.@A@ -+ISCCFGLIBS = ../isccfg/libisccfg-export.@A@ - - LIBS = @LIBS@ - -@@ -62,26 +62,26 @@ version.@O@: ${srcdir}/version.c - -DLIBAGE=${LIBAGE} \ - -c ${srcdir}/version.c - --libirs.@SA@: ${OBJS} version.@O@ -+libirs-export.@SA@: ${OBJS} version.@O@ - ${AR} ${ARFLAGS} $@ ${OBJS} version.@O@ - ${RANLIB} $@ - --libirs.la: ${OBJS} version.@O@ -+libirs-export.la: ${OBJS} version.@O@ - ${LIBTOOL_MODE_LINK} \ -- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libirs.la \ -+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libirs-export.la \ - -rpath ${export_libdir} \ - -version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \ - ${OBJS} version.@O@ ${LIBS} ${ISCCFGLIBS} ${DNSLIBS} ${ISCLIBS} - --timestamp: libirs.@A@ -+timestamp: libirs-export.@A@ - touch timestamp - - installdirs: - $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_libdir} - - install:: timestamp installdirs -- ${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libirs.@A@ \ -+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libirs-export.@A@ \ - ${DESTDIR}${export_libdir}/ - - clean distclean:: -- rm -f libirs.@A@ libirs.la timestamp -+ rm -f libirs-export.@A@ libirs-export.la timestamp -diff -up bind-9.9.3rc2/lib/export/isccfg/Makefile.in.exportlib bind-9.9.3rc2/lib/export/isccfg/Makefile.in ---- bind-9.9.3rc2/lib/export/isccfg/Makefile.in.exportlib 2013-04-30 08:38:46.000000000 +0200 -+++ bind-9.9.3rc2/lib/export/isccfg/Makefile.in 2013-05-13 10:45:22.576089729 +0200 -@@ -30,11 +30,11 @@ CINCLUDES = -I. 
${DNS_INCLUDES} -I${expo - CDEFINES = - CWARNINGS = - --ISCLIBS = ../isc/libisc.@A@ --DNSLIBS = ../dns/libdns.@A@ @DNS_CRYPTO_LIBS@ -+ISCLIBS = ../isc/libisc-export.@A@ -+DNSLIBS = ../dns/libdns-export.@A@ @DNS_CRYPTO_LIBS@ - - ISCDEPLIBS = ../../lib/isc/libisc.@A@ --ISCCFGDEPLIBS = libisccfg.@A@ -+ISCCFGDEPLIBS = libisccfg-export.@A@ - - LIBS = @LIBS@ - -@@ -58,26 +58,26 @@ version.@O@: ${srcdir}/version.c - -DLIBAGE=${LIBAGE} \ - -c ${srcdir}/version.c - --libisccfg.@SA@: ${OBJS} -+libisccfg-export.@SA@: ${OBJS} - ${AR} ${ARFLAGS} $@ ${OBJS} - ${RANLIB} $@ - --libisccfg.la: ${OBJS} -+libisccfg-export.la: ${OBJS} - ${LIBTOOL_MODE_LINK} \ -- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisccfg.la \ -+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisccfg-export.la \ - -rpath ${export_libdir} \ - -version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \ - ${OBJS} ${LIBS} ${DNSLIBS} ${ISCLIBS} - --timestamp: libisccfg.@A@ -+timestamp: libisccfg-export.@A@ - touch timestamp - - installdirs: - $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_libdir} - - install:: timestamp installdirs -- ${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libisccfg.@A@ \ -+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libisccfg-export.@A@ \ - ${DESTDIR}${export_libdir}/ - - clean distclean:: -- rm -f libisccfg.@A@ timestamp -+ rm -f libisccfg-export.@A@ timestamp -diff -up bind-9.9.3rc2/lib/export/isc/Makefile.in.exportlib bind-9.9.3rc2/lib/export/isc/Makefile.in ---- bind-9.9.3rc2/lib/export/isc/Makefile.in.exportlib 2013-04-30 08:38:46.000000000 +0200 -+++ bind-9.9.3rc2/lib/export/isc/Makefile.in 2013-05-13 10:45:22.576089729 +0200 -@@ -100,6 +100,10 @@ SRCS = @ISC_EXTRA_SRCS@ \ - - LIBS = @LIBS@ - -+# Note: the order of SUBDIRS is important. -+# Attempt to disable parallel processing. 
-+.NOTPARALLEL: -+.NO_PARALLEL: - SUBDIRS = include unix nls @ISC_THREAD_DIR@ - TARGETS = timestamp - -@@ -113,26 +117,26 @@ version.@O@: ${srcdir}/version.c - -DLIBAGE=${LIBAGE} \ - -c ${srcdir}/version.c - --libisc.@SA@: ${OBJS} -+libisc-export.@SA@: ${OBJS} - ${AR} ${ARFLAGS} $@ ${OBJS} - ${RANLIB} $@ - --libisc.la: ${OBJS} -+libisc-export.la: ${OBJS} - ${LIBTOOL_MODE_LINK} \ -- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc.la \ -+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc-export.la \ - -rpath ${export_libdir} \ - -version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \ - ${OBJS} ${LIBS} - --timestamp: libisc.@A@ -+timestamp: libisc-export.@A@ - touch timestamp - - installdirs: - $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_libdir} - - install:: timestamp installdirs -- ${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libisc.@A@ \ -+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libisc-export.@A@ \ - ${DESTDIR}${export_libdir} - - clean distclean:: -- rm -f libisc.@A@ libisc.la timestamp -+ rm -f libisc-export.@A@ libisc-export.la timestamp -diff -up bind-9.9.3rc2/lib/export/samples/Makefile.in.exportlib bind-9.9.3rc2/lib/export/samples/Makefile.in ---- bind-9.9.3rc2/lib/export/samples/Makefile.in.exportlib 2013-04-30 08:38:46.000000000 +0200 -+++ bind-9.9.3rc2/lib/export/samples/Makefile.in 2013-05-13 10:45:22.577089729 +0200 -@@ -31,15 +31,15 @@ CINCLUDES = -I${srcdir}/include -I../dns - CDEFINES = - CWARNINGS = - --DNSLIBS = ../dns/libdns.@A@ @DNS_CRYPTO_LIBS@ --ISCLIBS = ../isc/libisc.@A@ --ISCCFGLIBS = ../isccfg/libisccfg.@A@ --IRSLIBS = ../irs/libirs.@A@ -+DNSLIBS = ../dns/libdns-export.@A@ @DNS_CRYPTO_LIBS@ -+ISCLIBS = ../isc/libisc-export.@A@ -+ISCCFGLIBS = ../isccfg/libisccfg-export.@A@ -+IRSLIBS = ../irs/libirs-export.@A@ - --DNSDEPLIBS = ../dns/libdns.@A@ --ISCDEPLIBS = ../isc/libisc.@A@ --ISCCFGDEPLIBS = ../isccfg/libisccfg.@A@ --IRSDEPLIBS = ../irs/libirs.@A@ -+DNSDEPLIBS = ../dns/libdns-export.@A@ -+ISCDEPLIBS = ../isc/libisc-export.@A@ -+ISCCFGDEPLIBS = 
../isccfg/libisccfg-export.@A@ -+IRSDEPLIBS = ../irs/libirs-export.@A@ - - DEPLIBS = ${DNSDEPLIBS} ${ISCCFGDEPLIBS} ${ISCDEPLIBS} - diff --git a/bind97-rh645544.patch b/bind97-rh645544.patch deleted file mode 100644 index e2ae978..0000000 --- a/bind97-rh645544.patch +++ /dev/null @@ -1,31 +0,0 @@ -diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c -index 31549c6..65a14b6 100644 ---- a/lib/dns/resolver.c -+++ b/lib/dns/resolver.c -@@ -1762,7 +1762,7 @@ log_edns(fetchctx_t *fctx) { - */ - dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf)); - isc_log_write(dns_lctx, DNS_LOGCATEGORY_EDNS_DISABLED, -- DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO, -+ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(1), - "success resolving '%s' (in '%s'?) after %s", fctx->info, - domainbuf, fctx->reason); - } -@@ -5298,7 +5298,7 @@ log_lame(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo) { - dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf)); - isc_sockaddr_format(&addrinfo->sockaddr, addrbuf, sizeof(addrbuf)); - isc_log_write(dns_lctx, DNS_LOGCATEGORY_LAME_SERVERS, -- DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO, -+ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(1), - "lame server resolving '%s' (in '%s'?): %s", namebuf, - domainbuf, addrbuf); - } -@@ -5316,7 +5316,7 @@ log_formerr(fetchctx_t *fctx, const char *format, ...) { - isc_sockaddr_format(&fctx->addrinfo->sockaddr, nsbuf, sizeof(nsbuf)); - - isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER, -- DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE, -+ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(1), - "DNS format error from %s resolving %s for %s: %s", nsbuf, - fctx->info, fctx->clientstr, msgbuf); - } diff --git a/bugfix-limit-numbers-of-test-threads.patch b/bugfix-limit-numbers-of-test-threads.patch deleted file mode 100644 index 6115096..0000000 --- a/bugfix-limit-numbers-of-test-threads.patch +++ /dev/null 
@@ -1,39 +0,0 @@
-From 1d9843b58800b51e1366fba5e0bdef5f0336efaf Mon Sep 17 00:00:00 2001
-From: jiangheng
-Date: Wed, 9 Feb 2022 16:21:10 +0800
-Subject: [PATCH] limit numbers of test threads to reduce execution time
-
----
- lib/dns/tests/dnstest.c | 2 +-
- lib/ns/tests/nstest.c | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/lib/dns/tests/dnstest.c b/lib/dns/tests/dnstest.c
-index 465ce9f..263b0d6 100644
---- a/lib/dns/tests/dnstest.c
-+++ b/lib/dns/tests/dnstest.c
-@@ -114,7 +114,7 @@ cleanup_managers(void) {
- static isc_result_t
- create_managers(void) {
- isc_result_t result;
-- ncpus = isc_os_ncpus();
-+ ncpus = ISC_MIN(isc_os_ncpus(), 8);
-
- CHECK(isc_managers_create(dt_mctx, ncpus, 0, &netmgr, &taskmgr));
- CHECK(isc_timermgr_create(dt_mctx, &timermgr));
-diff --git a/lib/ns/tests/nstest.c b/lib/ns/tests/nstest.c
-index 238450d..b5fa00c 100644
---- a/lib/ns/tests/nstest.c
-+++ b/lib/ns/tests/nstest.c
-@@ -243,7 +243,7 @@ create_managers(void) {
- in_port_t port = 5300 + isc_random8();
- ns_listenlist_t *listenon = NULL;
- isc_event_t *event = NULL;
-- ncpus = isc_os_ncpus();
-+ ncpus = ISC_MIN(isc_os_ncpus(), 8);
-
- CHECK(isc_managers_create(mctx, ncpus, 0, &netmgr, &taskmgr));
- CHECK(isc_task_create_bound(taskmgr, 0, &maintask, 0));
---
-1.8.3.1
-