packages/bind
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

update bind to 9.11.21

Browse Source
This commit is contained in:
eaglegai 2020-07-27 17:33:59 +08:00
parent 3e5d4c0c9a
commit c13ec7edbf
71 changed files with 6579 additions and 3725 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

53
2432-check-param_template-i-.pValue-is-non-NULL.patch
View File

@ -1,53 +0,0 @@
From 8ac0152651725cfa3dd887f9f73e6ff9671ce2dd Mon Sep 17 00:00:00 2001
From: Bill Parker <wp02855@gmail.com>
Date: Tue, 10 Jul 2018 12:34:00 +1000
Subject: [PATCH 2432/3677] check param_template[i].pValue is non NULL
---
bin/pkcs11/pkcs11-keygen.c | 22 ++++++++++++++++++----
1 file changed, 18 insertions(+), 4 deletions(-)
diff --git a/bin/pkcs11/pkcs11-keygen.c b/bin/pkcs11/pkcs11-keygen.c
index fe314ab..9631c0e 100644
--- a/bin/pkcs11/pkcs11-keygen.c
+++ b/bin/pkcs11/pkcs11-keygen.c
@@ -657,8 +657,18 @@ main(int argc, char *argv[]) {
}
/* Allocate space for parameter attributes */
- for (i = 0; i < param_attrcnt; i++)
+ for (i = 0; i < param_attrcnt; i++) {
+ param_template[i].pValue = NULL;
+ }
+
+ for (i = 0; i < param_attrcnt; i++) {
param_template[i].pValue = malloc(param_template[i].ulValueLen);
+ if (param_template[i].pValue == NULL) {
+ fprintf(stderr, "malloc failed\n");
+ error = 1;
+ goto exit_params;
+ }
+ }
rv = pkcs_C_GetAttributeValue(hSession, domainparams,
dsa_param_template, DSA_PARAM_ATTRS);
@@ -713,9 +723,13 @@ main(int argc, char *argv[]) {
exit_params:
/* Free parameter attributes */
- if (keyclass == key_dsa || keyclass == key_dh)
- for (i = 0; i < param_attrcnt; i++)
- free(param_template[i].pValue);
+ if (keyclass == key_dsa || keyclass == key_dh) {
+ for (i = 0; i < param_attrcnt; i++) {
+ if (param_template[i].pValue != NULL) {
+ free(param_template[i].pValue);
+ }
+ }
+ }
exit_domain:
/* Destroy domain parameters */
--
1.8.3.1

53
2497-refcount-errors-on-error-paths.patch
View File

@ -1,53 +0,0 @@
From 4093efc900e250a39f9669e3d740a4286a0edb9c Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Tue, 31 Jul 2018 17:41:45 +1000
Subject: [PATCH 2497/3677] refcount errors on error paths
---
lib/dns/rbtdb.c | 3 ---
lib/dns/view.c | 1 +
2 files changed, 1 insertion(+), 3 deletions(-)
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index e332802..01c7cd8 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -8368,7 +8368,6 @@ dns_rbtdb_create(isc_mem_t *mctx, const dns_name_t *origin, dns_dbtype_t type,
if (result != ISC_R_SUCCESS) {
while (i-- > 0) {
NODE_DESTROYLOCK(&rbtdb->node_locks[i].lock);
- isc_refcount_decrement(&rbtdb->node_locks[i].references, NULL);
isc_refcount_destroy(&rbtdb->node_locks[i].references);
}
goto cleanup_deadnodes;
@@ -8491,7 +8490,6 @@ dns_rbtdb_create(isc_mem_t *mctx, const dns_name_t *origin, dns_dbtype_t type,
rbtdb->current_version = allocate_version(mctx, 1, 1, ISC_FALSE);
if (rbtdb->current_version == NULL) {
isc_refcount_decrement(&rbtdb->references, NULL);
- isc_refcount_destroy(&rbtdb->references);
free_rbtdb(rbtdb, ISC_FALSE, NULL);
return (ISC_R_NOMEMORY);
}
@@ -8513,7 +8511,6 @@ dns_rbtdb_create(isc_mem_t *mctx, const dns_name_t *origin, dns_dbtype_t type,
sizeof(*rbtdb->current_version));
rbtdb->current_version = NULL;
isc_refcount_decrement(&rbtdb->references, NULL);
- isc_refcount_destroy(&rbtdb->references);
free_rbtdb(rbtdb, ISC_FALSE, NULL);
return (result);
}
diff --git a/lib/dns/view.c b/lib/dns/view.c
index e36576f..7751535 100644
--- a/lib/dns/view.c
+++ b/lib/dns/view.c
@@ -311,6 +311,7 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
dns_tsigkeyring_detach(&view->dynamickeys);
cleanup_references:
+ isc_refcount_decrement(&view->references, NULL);
isc_refcount_destroy(&view->references);
cleanup_fwdtable:
--
1.8.3.1

11
2559-Do-not-remove-errors-from-the-OpenSSL-error-queue-in.patch
View File

@ -1,11 +0,0 @@
--- a/lib/dns/openssl_link.c 2019-04-17 06:00:00.086000000 -0400
+++ b/lib/dns/openssl_link_1.c 2019-04-17 06:03:38.556000000 -0400
@@ -385,7 +385,7 @@ dst__openssl_destroy(void) {
static isc_result_t
toresult(isc_result_t fallback) {
isc_result_t result = fallback;
- unsigned long err = ERR_get_error();
+ unsigned long err = ERR_peek_error();
#if defined(HAVE_OPENSSL_ECDSA) && \
defined(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED)
int lib = ERR_GET_LIB(err);

47
2711-Align-CMSG-buffers-to-a-void-boundary-fixes-crash-on.patch
View File

@ -1,47 +0,0 @@
From 17212cf9965a1a0ec8412b807fe08f74e059cc1c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Witold=20Kr=C4=99cicki?= <wpk@isc.org>
Date: Fri, 7 Sep 2018 09:34:32 +0200
Subject: [PATCH 2711/3677] Align CMSG buffers to a void* boundary, fixes crash
on architectures with strict alignment CHANGES entry
---
CHANGES | 3 +++
lib/isc/include/isc/util.h | 5 +++++
lib/isc/unix/socket.c | 5 +++--
3 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/lib/isc/include/isc/util.h b/lib/isc/include/isc/util.h
index bb0c885..acc3d64 100644
--- a/lib/isc/include/isc/util.h
+++ b/lib/isc/include/isc/util.h
@@ -260,6 +260,11 @@ extern void mock_assert(const int result, const char* const expression,
#define TIME_NOW(tp) RUNTIME_CHECK(isc_time_now((tp)) == ISC_R_SUCCESS)
/*%
+ * Alignment
+ */
+#define ALIGN(x, a) (((x) + (a) - 1) & ~((typeof(x))(a)-1))
+
+/*%
* Misc
*/
#include <isc/deprecated.h>
diff --git a/lib/isc/unix/socket.c b/lib/isc/unix/socket.c
index 343cec2..62a00cd 100644
--- a/lib/isc/unix/socket.c
+++ b/lib/isc/unix/socket.c
@@ -315,8 +315,9 @@ typedef isc_event_t intev_t;
#define CMSG_SP_INT 24
-#define RECVCMSGBUFLEN (2*(CMSG_SP_IN6PKT + CMSG_SP_TIMESTAMP + CMSG_SP_TCTOS)+1)
-#define SENDCMSGBUFLEN (2*(CMSG_SP_IN6PKT + CMSG_SP_INT + CMSG_SP_TCTOS)+1)
+/* Align cmsg buffers to be safe on SPARC etc. */
+#define RECVCMSGBUFLEN ALIGN(2*(CMSG_SP_IN6PKT + CMSG_SP_TIMESTAMP + CMSG_SP_TCTOS)+1, sizeof(void*))
+#define SENDCMSGBUFLEN ALIGN(2*(CMSG_SP_IN6PKT + CMSG_SP_INT + CMSG_SP_TCTOS)+1, sizeof(void*))
/*%
* The number of times a send operation is repeated if the result is EINTR.
--
1.8.3.1

22
2776-Fix-crash-caused-by-race-condition-in-timer-creation.patch
View File

@ -1,22 +0,0 @@
--- a/lib/isc/timer.c 2018-09-04 00:04:41.000000000 -0400
+++ b/lib/isc/timer_1.c 2019-04-17 23:40:41.930000000 -0400
@@ -472,8 +472,10 @@ isc__timer_create(isc_timermgr_t *manage
result = schedule(timer, &now, ISC_TRUE);
else
result = ISC_R_SUCCESS;
- if (result == ISC_R_SUCCESS)
+ if (result == ISC_R_SUCCESS){
+ *timerp = (isc_timer_t *)timer;
APPEND(manager->timers, timer, link);
+ }
UNLOCK(&manager->lock);
@@ -486,7 +488,6 @@ isc__timer_create(isc_timermgr_t *manage
return (result);
}
- *timerp = (isc_timer_t *)timer;
return (ISC_R_SUCCESS);
}

26
2865-free-key-on-error.patch
View File

@ -1,26 +0,0 @@
From 607c2d7441b5b56272765dfd6ee56de983c3b407 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Fri, 19 Oct 2018 19:23:39 +1100
Subject: [PATCH 2865/3677] free key on error
---
lib/dns/dst_api.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index 7685dcb..c0684d9 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -802,6 +802,9 @@ dst_key_fromgssapi(const dns_name_t *name, gss_ctx_id_t gssctx,
*keyp = key;
result = ISC_R_SUCCESS;
out:
+ if (result != ISC_R_SUCCESS) {
+ dst_key_free(&key);
+ }
return result;
}
--
1.8.3.1

49
2879-expand-the-pool-then-copy-over-the-old-entries-so-we.patch
View File

@ -1,49 +0,0 @@
From afde30fe9b1fd43595290a6763db6d52e0903c5a Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Fri, 19 Oct 2018 19:36:17 +1100
Subject: [PATCH 2879/3677] expand the pool then copy over the old entries so
we that failures do not break the old pool; also don't leak the new pool on
error
---
lib/isc/pool.c | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/lib/isc/pool.c b/lib/isc/pool.c
index 5c693a6..8fb2a45 100644
--- a/lib/isc/pool.c
+++ b/lib/isc/pool.c
@@ -131,21 +131,22 @@ isc_pool_expand(isc_pool_t **sourcep, unsigned int count,
newpool->init = pool->init;
newpool->initarg = pool->initarg;
- /* Copy over the objects from the old pool */
- for (i = 0; i < pool->count; i++) {
- newpool->pool[i] = pool->pool[i];
- pool->pool[i] = NULL;
- }
-
/* Populate the new entries */
for (i = pool->count; i < count; i++) {
- result = pool->init(&newpool->pool[i], pool->initarg);
+ result = newpool->init(&newpool->pool[i],
+ newpool->initarg);
if (result != ISC_R_SUCCESS) {
- isc_pool_destroy(&pool);
+ isc_pool_destroy(&newpool);
return (result);
}
}
+ /* Copy over the objects from the old pool */
+ for (i = 0; i < pool->count; i++) {
+ newpool->pool[i] = pool->pool[i];
+ pool->pool[i] = NULL;
+ }
+
isc_pool_destroy(&pool);
pool = newpool;
}
--
1.8.3.1

52
2998-Use-larger-buffers-on-snprintf-buffer-overflow-false.patch
View File

@ -1,52 +0,0 @@
--- a/lib/dns/rdata/generic/loc_29.c 2018-09-04 00:04:41.000000000 -0400
+++ b/lib/dns/rdata/generic/loc_291.c 2019-04-18 00:09:34.927000000 -0400
@@ -454,11 +454,12 @@ totext_loc(ARGS_TOTEXT) {
isc_boolean_t east;
isc_boolean_t below;
isc_region_t sr;
- char buf[sizeof("89 59 59.999 N 179 59 59.999 E "
- "-42849672.95m 90000000m 90000000m 90000000m")];
char sbuf[sizeof("90000000m")];
char hbuf[sizeof("90000000m")];
char vbuf[sizeof("90000000m")];
+ /* "89 59 59.999 N 179 59 59.999 E " */
+ /* "-42849672.95m 90000000m 90000000m 90000000m"; */
+ char buf[8*6 + 12*1 + 2*10 + sizeof(sbuf)+sizeof(hbuf)+sizeof(vbuf)];
unsigned char size, hp, vp;
unsigned long poweroften[8] = { 1, 10, 100, 1000,
10000, 100000, 1000000, 10000000 };
@@ -550,7 +551,7 @@ totext_loc(ARGS_TOTEXT) {
altitude -= 10000000;
}
- snprintf(buf, sizeof(buf),
+ snprintf(NULL, 0,
"%d %d %d.%03d %s %d %d %d.%03d %s %s%lu.%02lum %s %s %s",
d1, m1, s1, fs1, north ? "N" : "S",
d2, m2, s2, fs2, east ? "E" : "W",
--- a/lib/dns/rdata/in_1/dhcid_49.c 2018-09-04 00:04:41.000000000 -0400
+++ b/lib/dns/rdata/in_1/dhcid_491.c 2019-04-18 00:12:14.143000000 -0400
@@ -35,9 +35,8 @@ fromtext_in_dhcid(ARGS_FROMTEXT) {
static inline isc_result_t
totext_in_dhcid(ARGS_TOTEXT) {
isc_region_t sr, sr2;
- char buf[sizeof(" ; 64000 255 64000")];
- size_t n;
-
+ /* " ; 64000 255 64000" */
+ char buf[5 + 3*5 + 1];
REQUIRE(rdata->type == dns_rdatatype_dhcid);
REQUIRE(rdata->rdclass == dns_rdataclass_in);
REQUIRE(rdata->length != 0);
@@ -55,10 +54,9 @@ totext_in_dhcid(ARGS_TOTEXT) {
if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0) {
RETERR(str_totext(/* ( */ " )", target));
if (rdata->length > 2) {
- n = snprintf(buf, sizeof(buf), " ; %u %u %u",
+ snprintf(NULL, 0, " ; %u %u %u",
sr2.base[0] * 256U + sr2.base[1],
sr2.base[2], rdata->length - 3U);
- INSIST(n < sizeof(buf));
RETERR(str_totext(buf, target));
}
}

35
3022-Fix-a-shutdown-race-in-bin-dig-dighost.c.patch
View File

@ -1,35 +0,0 @@
From 462175659674a10c0d39c7c328f1a5324ce2e38b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org>
Date: Tue, 13 Nov 2018 13:50:47 +0100
Subject: [PATCH 3022/3677] Fix a shutdown race in bin/dig/dighost.c
If a tool using the routines defined in bin/dig/dighost.c is sent an
interruption signal around the time a connection timeout is scheduled to
fire, connect_timeout() may be executed after destroy_libs() detaches
from the global task (setting 'global_task' to NULL), which results in a
crash upon a UDP retry due to bringup_timer() attempting to create a
timer with 'task' set to NULL. Fix by preventing connect_timeout() from
attempting a retry when shutdown is in progress.
---
bin/dig/dighost.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
index f4e5e55..410b634 100644
--- a/bin/dig/dighost.c
+++ b/bin/dig/dighost.c
@@ -2902,6 +2902,11 @@ connect_timeout(isc_task_t *task, isc_event_t *event) {
INSIST(!free_now);
+ if (cancel_now) {
+ UNLOCK_LOOKUP;
+ return;
+ }
+
if ((query != NULL) && (query->lookup->current_query != NULL) &&
ISC_LINK_LINKED(query->lookup->current_query, link) &&
(ISC_LIST_NEXT(query->lookup->current_query, link) != NULL)) {
--
1.8.3.1

25
3046-uninitalize-memory-read-on-error-path.patch
View File

@ -1,25 +0,0 @@
From 4eadebe2b2feade839d8f178e6ddf8b4406d093a Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Fri, 9 Nov 2018 15:32:33 +1100
Subject: [PATCH 3046/3677] uninitalize memory read on error path
---
lib/dns/nta.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/dns/nta.c b/lib/dns/nta.c
index 73674b3..498b7f1 100644
--- a/lib/dns/nta.c
+++ b/lib/dns/nta.c
@@ -149,7 +149,7 @@ dns_ntatable_create(dns_view_t *view,
isc_task_detach(&ntatable->task);
cleanup_ntatable:
- isc_mem_put(ntatable->view->mctx, ntatable, sizeof(*ntatable));
+ isc_mem_put(view->mctx, ntatable, sizeof(*ntatable));
return (result);
}
--
1.8.3.1

77
3318-Allow-unsupported-alg-in-zone-w-dnssec-signzone.patch
View File

@ -1,77 +0,0 @@
From 1dd11fc754baf396bb3040527087b14f0678dd83 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking <github@pletterpet.nl>
Date: Tue, 18 Dec 2018 12:14:04 +0100
Subject: [PATCH 3318/3677] Allow unsupported alg in zone /w dnssec-signzone
dnssec-signzone should sign a zonefile that contains a DNSKEY record
with an unsupported algorithm. Current behavior is that it will
fail, hitting a fatal error. The fix detects unsupported algorithms
and will not try to add it to the keylist.
Also when determining the maximum iterations for NSEC3, don't take
into account DNSKEY records in the zonefile with an unsupported
algorithm.
---
lib/dns/dnssec.c | 8 ++++++++
lib/dns/include/dns/dnssec.h | 2 +-
lib/dns/nsec3.c | 11 ++++++++++-
3 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c
index c12ecac..e255b6e 100644
--- a/lib/dns/dnssec.c
+++ b/lib/dns/dnssec.c
@@ -1622,6 +1622,14 @@ dns_dnssec_keylistfromrdataset(const dns_name_t *origin,
result = dns_rdataset_next(&keys)) {
dns_rdata_reset(&rdata);
dns_rdataset_current(&keys, &rdata);
+
+ /* Skip unsupported algorithms */
+ REQUIRE(rdata.type == dns_rdatatype_key ||
+ rdata.type == dns_rdatatype_dnskey);
+ REQUIRE(rdata.length > 3);
+ if (!dst_algorithm_supported(rdata.data[3]))
+ goto skip;
+
RETERR(dns_dnssec_keyfromrdata(origin, &rdata, mctx, &pubkey));
dst_key_setttl(pubkey, keys.ttl);
diff --git a/lib/dns/include/dns/dnssec.h b/lib/dns/include/dns/dnssec.h
index 50930b6..e60375e 100644
--- a/lib/dns/include/dns/dnssec.h
+++ b/lib/dns/include/dns/dnssec.h
@@ -274,7 +274,7 @@ dns_dnssec_findmatchingkeys(const dns_name_t *origin, const char *directory,
/*%<
* Search 'directory' for K* key files matching the name in 'origin'.
* Append all such keys, along with use hints gleaned from their
- * metadata, onto 'keylist'.
+ * metadata, onto 'keylist'. Skip any unsupported algorithms.
*
* Requires:
*\li 'keylist' is not NULL
diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c
index 861e909..f30d695 100644
--- a/lib/dns/nsec3.c
+++ b/lib/dns/nsec3.c
@@ -1811,8 +1811,17 @@ dns_nsec3_maxiterations(dns_db_t *db, dns_dbversion_t *version,
result == ISC_R_SUCCESS;
result = dns_rdataset_next(&rdataset)) {
dns_rdata_t rdata = DNS_RDATA_INIT;
-
dns_rdataset_current(&rdataset, &rdata);
+
+ /* Skip unsupported algorithms when
+ * calculating the maximum iterations.
+ */
+ REQUIRE(rdata.type == dns_rdatatype_key ||
+ rdata.type == dns_rdatatype_dnskey);
+ REQUIRE(rdata.length > 3);
+ if (!dst_algorithm_supported(rdata.data[3]))
+ continue;
+
isc_buffer_init(&buffer, rdata.data, rdata.length);
isc_buffer_add(&buffer, rdata.length);
CHECK(dst_key_fromdns(dns_db_origin(db), rdataset.rdclass,
--
1.8.3.1

112
3543-fix-memory-leak.patch
View File

@ -1,112 +0,0 @@
From 7114d16098b0cf4910e06490fa70758f1c2c62a3 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Fri, 15 Feb 2019 08:52:16 +1100
Subject: [PATCH 3543/3677] fix memory leak
---
lib/dns/spnego_asn1.c | 56 +++++++++++++++++++++++++++++++--------------------
1 file changed, 34 insertions(+), 22 deletions(-)
diff --git a/lib/dns/spnego_asn1.c b/lib/dns/spnego_asn1.c
index fb51b0d..46e487a 100644
--- a/lib/dns/spnego_asn1.c
+++ b/lib/dns/spnego_asn1.c
@@ -467,25 +467,25 @@ decode_NegTokenInit(const unsigned char *p, size_t len, NegTokenInit * data, siz
FORW;
{
int dce_fix;
- if ((dce_fix = fix_dce(reallen, &len)) < 0)
- return ASN1_BAD_FORMAT;
+ if ((dce_fix = fix_dce(reallen, &len)) < 0) {
+ e = ASN1_BAD_FORMAT;
+ goto fail;
+ }
{
size_t newlen, oldlen;
e = der_match_tag(p, len, ASN1_C_CONTEXT, CONS, 0, &l);
- if (e)
- return e;
- else {
- p += l;
- len -= l;
- ret += l;
+ FORW;
+ {
e = der_get_length(p, len, &newlen, &l);
FORW;
{
int mydce_fix;
oldlen = len;
- if ((mydce_fix = fix_dce(newlen, &len)) < 0)
- return ASN1_BAD_FORMAT;
+ if ((mydce_fix = fix_dce(newlen, &len)) < 0) {
+ e = ASN1_BAD_FORMAT;
+ goto fail;
+ }
e = decode_MechTypeList(p, len, &(data)->mechTypes, &l);
FORW;
if (mydce_fix) {
@@ -511,11 +511,15 @@ decode_NegTokenInit(const unsigned char *p, size_t len, NegTokenInit * data, siz
{
int mydce_fix;
oldlen = len;
- if ((mydce_fix = fix_dce(newlen, &len)) < 0)
- return ASN1_BAD_FORMAT;
+ if ((mydce_fix = fix_dce(newlen, &len)) < 0) {
+ e = ASN1_BAD_FORMAT;
+ goto fail;
+ }
(data)->reqFlags = malloc(sizeof(*(data)->reqFlags));
- if ((data)->reqFlags == NULL)
- return ENOMEM;
+ if ((data)->reqFlags == NULL) {
+ e = ENOMEM;
+ goto fail;
+ }
e = decode_ContextFlags(p, len, (data)->reqFlags, &l);
FORW;
if (mydce_fix) {
@@ -541,11 +545,15 @@ decode_NegTokenInit(const unsigned char *p, size_t len, NegTokenInit * data, siz
{
int mydce_fix;
oldlen = len;
- if ((mydce_fix = fix_dce(newlen, &len)) < 0)
- return ASN1_BAD_FORMAT;
+ if ((mydce_fix = fix_dce(newlen, &len)) < 0) {
+ e = ASN1_BAD_FORMAT;
+ goto fail;
+ }
(data)->mechToken = malloc(sizeof(*(data)->mechToken));
- if ((data)->mechToken == NULL)
- return ENOMEM;
+ if ((data)->mechToken == NULL) {
+ e = ENOMEM;
+ goto fail;
+ }
e = decode_octet_string(p, len, (data)->mechToken, &l);
FORW;
if (mydce_fix) {
@@ -571,11 +579,15 @@ decode_NegTokenInit(const unsigned char *p, size_t len, NegTokenInit * data, siz
{
int mydce_fix;
oldlen = len;
- if ((mydce_fix = fix_dce(newlen, &len)) < 0)
- return ASN1_BAD_FORMAT;
+ if ((mydce_fix = fix_dce(newlen, &len)) < 0) {
+ e = ASN1_BAD_FORMAT;
+ goto fail;
+ }
(data)->mechListMIC = malloc(sizeof(*(data)->mechListMIC));
- if ((data)->mechListMIC == NULL)
- return ENOMEM;
+ if ((data)->mechListMIC == NULL) {
+ e = ENOMEM;
+ goto fail;
+ }
e = decode_octet_string(p, len, (data)->mechListMIC, &l);
FORW;
if (mydce_fix) {
--
1.8.3.1

16
2985-Add-some-DBC-checks-in-dighost-fix-race-between-clea.patch → Add-some-DBC-checks-in-dighost-fix-race-between-clea.patch
View File

@ -11,7 +11,7 @@
+ }
if (query->waiting_senddone) {
debug("send_done not yet called");
query->pending_free = ISC_TRUE;
query->pending_free = true;
@@ -1833,13 +1833,15 @@ clear_query(dig_query_t *query) {
lookup = query->lookup;
@ -58,7 +58,7 @@
+ debug("create query %p linked to lookup %p", query, lookup);
query->lookup = lookup;
query->timer = NULL;
query->waiting_connect = ISC_FALSE;
query->waiting_connect = false;
@@ -2838,9 +2842,9 @@ setup_lookup(dig_lookup_t *lookup) {
ISC_LIST_INIT(query->lengthlist);
query->sock = NULL;
@ -82,21 +82,21 @@
@@ -2856,9 +2861,10 @@ setup_lookup(dig_lookup_t *lookup) {
extrabytes = 0;
dighost_printmessage(ISC_LIST_HEAD(lookup->q), lookup->sendmsg,
ISC_TRUE);
true);
- if (lookup->stats)
+ if (lookup->stats){
printf(";; QUERY SIZE: %u\n\n",
isc_buffer_usedlength(&lookup->renderbuf));
+ }
}
return (ISC_TRUE);
return (true);
}
@@ -2893,20 +2899,26 @@ send_done(isc_task_t *_task, isc_event_t
}
query = event->ev_arg;
+ REQUIRE(DIG_VALID_QUERY(query));
query->waiting_senddone = ISC_FALSE;
query->waiting_senddone = false;
l = query->lookup;
- if (l->ns_search_only && !l->trace_root && !l->tcp_mode) {
@ -189,9 +189,9 @@
+ REQUIRE(DIG_VALID_QUERY(query));
INSIST(query->waiting_connect);
query->waiting_connect = ISC_FALSE;
query->waiting_connect = false;
@@ -4460,6 +4475,7 @@ do_lookup(dig_lookup_t *lookup) {
lookup->pending = ISC_TRUE;
lookup->pending = true;
query = ISC_LIST_HEAD(lookup->q);
if (query != NULL) {
+ REQUIRE(DIG_VALID_QUERY(query));
@ -224,5 +224,5 @@
struct dig_query {
+ unsigned int magic;
dig_lookup_t *lookup;
isc_boolean_t waiting_connect,
bool waiting_connect,
pending_free,

131
CVE-2018-5743-atomic-fix.patch
View File

@ -1,131 +0,0 @@
Backport of:
From 17623d26e4e7b0fd45f2b39f00cd46e6044ce4c1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
Date: Wed, 17 Apr 2019 15:22:27 +0200
Subject: [PATCH] Replace atomic operations in bin/named/client.c with
isc_refcount reference counting
---
bin/named/client.c | 18 +++++++-----------
bin/named/include/named/interfacemgr.h | 5 +++--
bin/named/interfacemgr.c | 7 +++++--
3 files changed, 15 insertions(+), 15 deletions(-)
Index: bind9-9.11.4+dfsg/bin/named/client.c
===================================================================
--- bind9-9.11.4+dfsg.orig/bin/named/client.c 2019-04-24 15:25:11.891463104 -0400
+++ bind9-9.11.4+dfsg/bin/named/client.c 2019-04-24 15:25:42.091541114 -0400
@@ -399,12 +399,10 @@ tcpconn_detach(ns_client_t *client) {
static void
mark_tcp_active(ns_client_t *client, isc_boolean_t active) {
if (active && !client->tcpactive) {
- isc_atomic_xadd(&client->interface->ntcpactive, 1);
+ isc_refcount_increment0(&client->interface->ntcpactive, NULL);
client->tcpactive = active;
} else if (!active && client->tcpactive) {
- uint32_t old =
- isc_atomic_xadd(&client->interface->ntcpactive, -1);
- INSIST(old > 0);
+ isc_refcount_decrement(&client->interface->ntcpactive, NULL);
client->tcpactive = active;
}
}
@@ -551,7 +549,7 @@ exit_check(ns_client_t *client) {
if (client->mortal && TCP_CLIENT(client) &&
client->newstate != NS_CLIENTSTATE_FREED &&
!ns_g_clienttest &&
- isc_atomic_xadd(&client->interface->ntcpaccepting, 0) == 0)
+ isc_refcount_current(&client->interface->ntcpaccepting) == 0)
{
/* Nobody else is accepting */
client->mortal = ISC_FALSE;
@@ -3314,7 +3312,6 @@ client_newconn(isc_task_t *task, isc_eve
isc_result_t result;
ns_client_t *client = event->ev_arg;
isc_socket_newconnev_t *nevent = (isc_socket_newconnev_t *)event;
- isc_uint32_t old;
REQUIRE(event->ev_type == ISC_SOCKEVENT_NEWCONN);
REQUIRE(NS_CLIENT_VALID(client));
@@ -3334,8 +3331,7 @@ client_newconn(isc_task_t *task, isc_eve
INSIST(client->naccepts == 1);
client->naccepts--;
- old = isc_atomic_xadd(&client->interface->ntcpaccepting, -1);
- INSIST(old > 0);
+ isc_refcount_decrement(&client->interface->ntcpaccepting, NULL);
/*
* We must take ownership of the new socket before the exit
@@ -3466,8 +3462,8 @@ client_accept(ns_client_t *client) {
* quota is tcp-clients plus the number of listening
* interfaces plus 1.)
*/
- exit = (isc_atomic_xadd(&client->interface->ntcpactive, 0) >
- (client->tcpactive ? 1 : 0));
+ exit = (isc_refcount_current(&client->interface->ntcpactive) >
+ (client->tcpactive ? 1U : 0U));
if (exit) {
client->newstate = NS_CLIENTSTATE_INACTIVE;
(void)exit_check(client);
@@ -3525,7 +3521,7 @@ client_accept(ns_client_t *client) {
* listening for connections itself to prevent the interface
* going dead.
*/
- isc_atomic_xadd(&client->interface->ntcpaccepting, 1);
+ isc_refcount_increment0(&client->interface->ntcpaccepting, NULL);
}
static void
Index: bind9-9.11.4+dfsg/bin/named/include/named/interfacemgr.h
===================================================================
--- bind9-9.11.4+dfsg.orig/bin/named/include/named/interfacemgr.h 2019-04-24 15:25:11.891463104 -0400
+++ bind9-9.11.4+dfsg/bin/named/include/named/interfacemgr.h 2019-04-24 15:26:03.943597701 -0400
@@ -43,6 +43,7 @@
#include <isc/magic.h>
#include <isc/mem.h>
#include <isc/socket.h>
+#include <isc/refcount.h>
#include <dns/result.h>
@@ -73,11 +74,11 @@ struct ns_interface {
/*%< UDP dispatchers. */
isc_socket_t * tcpsocket; /*%< TCP socket. */
isc_dscp_t dscp; /*%< "listen-on" DSCP value */
- isc_int32_t ntcpaccepting; /*%< Number of clients
+ isc_refcount_t ntcpaccepting; /*%< Number of clients
ready to accept new
TCP connections on this
interface */
- isc_int32_t ntcpactive; /*%< Number of clients
+ isc_refcount_t ntcpactive; /*%< Number of clients
servicing TCP queries
(whether accepting or
connected) */
Index: bind9-9.11.4+dfsg/bin/named/interfacemgr.c
===================================================================
--- bind9-9.11.4+dfsg.orig/bin/named/interfacemgr.c 2019-04-24 15:25:11.891463104 -0400
+++ bind9-9.11.4+dfsg/bin/named/interfacemgr.c 2019-04-24 15:25:11.891463104 -0400
@@ -384,8 +384,8 @@ ns_interface_create(ns_interfacemgr_t *m
* connections will be handled in parallel even though there is
* only one client initially.
*/
- ifp->ntcpaccepting = 0;
- ifp->ntcpactive = 0;
+ isc_refcount_init(&ifp->ntcpaccepting, 0);
+ isc_refcount_init(&ifp->ntcpactive, 0);
ifp->nudpdispatch = 0;
@@ -616,6 +616,9 @@ ns_interface_destroy(ns_interface_t *ifp
ns_interfacemgr_detach(&ifp->mgr);
+ isc_refcount_destroy(&ifp->ntcpactive);
+ isc_refcount_destroy(&ifp->ntcpaccepting);
+
ifp->magic = 0;
isc_mem_put(mctx, ifp, sizeof(*ifp));
}

872
CVE-2018-5743.patch
View File

@ -1,872 +0,0 @@
Description: fix limiting simultaneous TCP clients is ineffective
Origin: backported from patch provided by ISC
Index: bind9-9.11.4+dfsg/bin/named/client.c
===================================================================
--- bind9-9.11.4+dfsg.orig/bin/named/client.c 2019-04-24 05:05:24.068523718 -0400
+++ bind9-9.11.4+dfsg/bin/named/client.c 2019-04-24 05:16:21.089731949 -0400
@@ -243,10 +243,11 @@ static void ns_client_dumpmessage(ns_cli
static isc_result_t get_client(ns_clientmgr_t *manager, ns_interface_t *ifp,
dns_dispatch_t *disp, isc_boolean_t tcp);
static isc_result_t get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp,
- isc_socket_t *sock);
+ isc_socket_t *sock, ns_client_t *oldclient);
static inline isc_boolean_t
-allowed(isc_netaddr_t *addr, dns_name_t *signer, isc_netaddr_t *ecs_addr,
- isc_uint8_t ecs_addrlen, isc_uint8_t *ecs_scope, dns_acl_t *acl);
+allowed(isc_netaddr_t *addr, dns_name_t *signer,
+ isc_netaddr_t *ecs_addr, isc_uint8_t ecs_addrlen,
+ isc_uint8_t *ecs_scope, dns_acl_t *acl);
static void compute_cookie(ns_client_t *client, isc_uint32_t when,
isc_uint32_t nonce, const unsigned char *secret,
isc_buffer_t *buf);
@@ -296,6 +297,119 @@ ns_client_settimeout(ns_client_t *client
}
/*%
+ * Allocate a reference-counted object that will maintain a single pointer to
+ * the (also reference-counted) TCP client quota, shared between all the
+ * clients processing queries on a single TCP connection, so that all
+ * clients sharing the one socket will together consume only one slot in
+ * the 'tcp-clients' quota.
+ */
+static isc_result_t
+tcpconn_init(ns_client_t *client, isc_boolean_t force) {
+ isc_result_t result;
+ isc_quota_t *quota = NULL;
+ ns_tcpconn_t *tconn = NULL;
+
+ REQUIRE(client->tcpconn == NULL);
+
+ /*
+ * Try to attach to the quota first, so we won't pointlessly
+ * allocate memory for a tcpconn object if we can't get one.
+ */
+ if (force) {
+ result = isc_quota_force(&ns_g_server->tcpquota, &quota);
+ } else {
+ result = isc_quota_attach(&ns_g_server->tcpquota, &quota);
+ }
+ if (result != ISC_R_SUCCESS) {
+ return (result);
+ }
+
+ /*
+ * A global memory context is used for the allocation as different
+ * client structures may have different memory contexts assigned and a
+ * reference counter allocated here might need to be freed by a
+ * different client. The performance impact caused by memory context
+ * contention here is expected to be negligible, given that this code
+ * is only executed for TCP connections.
+ */
+ tconn = isc_mem_allocate(ns_g_mctx, sizeof(*tconn));
+
+ isc_refcount_init(&tconn->refs, 1);
+ tconn->tcpquota = quota;
+ quota = NULL;
+ tconn->pipelined = ISC_FALSE;
+
+ client->tcpconn = tconn;
+
+ return (ISC_R_SUCCESS);
+}
+
+/*%
+ * Increase the count of client structures sharing the TCP connection
+ * that 'source' is associated with; add a pointer to the same tcpconn
+ * to 'target', thus associating it with the same TCP connection.
+ */
+static void
+tcpconn_attach(ns_client_t *source, ns_client_t *target) {
+ int refs;
+
+ REQUIRE(source->tcpconn != NULL);
+ REQUIRE(target->tcpconn == NULL);
+ REQUIRE(source->tcpconn->pipelined);
+
+ isc_refcount_increment(&source->tcpconn->refs, &refs);
+ INSIST(refs > 1);
+ target->tcpconn = source->tcpconn;
+}
+
+/*%
+ * Decrease the count of client structures sharing the TCP connection that
+ * 'client' is associated with. If this is the last client using this TCP
+ * connection, we detach from the TCP quota and free the tcpconn
+ * object. Either way, client->tcpconn is set to NULL.
+ */
+static void
+tcpconn_detach(ns_client_t *client) {
+ ns_tcpconn_t *tconn = NULL;
+ int refs;
+
+ REQUIRE(client->tcpconn != NULL);
+
+ tconn = client->tcpconn;
+ client->tcpconn = NULL;
+
+ isc_refcount_decrement(&tconn->refs, &refs);
+ if (refs == 0) {
+ isc_quota_detach(&tconn->tcpquota);
+ isc_mem_free(ns_g_mctx, tconn);
+ }
+}
+
+/*%
+ * Mark a client as active and increment the interface's 'ntcpactive'
+ * counter, as a signal that there is at least one client servicing
+ * TCP queries for the interface. If we reach the TCP client quota at
+ * some point, this will be used to determine whether a quota overrun
+ * should be permitted.
+ *
+ * Marking the client active with the 'tcpactive' flag ensures proper
+ * accounting, by preventing us from incrementing or decrementing
+ * 'ntcpactive' more than once per client.
+ */
+static void
+mark_tcp_active(ns_client_t *client, isc_boolean_t active) {
+ if (active && !client->tcpactive) {
+ isc_atomic_xadd(&client->interface->ntcpactive, 1);
+ client->tcpactive = active;
+ } else if (!active && client->tcpactive) {
+ uint32_t old =
+ isc_atomic_xadd(&client->interface->ntcpactive, -1);
+ INSIST(old > 0);
+ client->tcpactive = active;
+ }
+}
+
+/*%
* Check for a deactivation or shutdown request and take appropriate
* action. Returns ISC_TRUE if either is in progress; in this case
* the caller must no longer use the client object as it may have been
@@ -384,7 +498,8 @@ exit_check(ns_client_t *client) {
INSIST(client->recursionquota == NULL);
if (NS_CLIENTSTATE_READING == client->newstate) {
- if (!client->pipelined) {
+ INSIST(client->tcpconn != NULL);
+ if (!client->tcpconn->pipelined) {
client_read(client);
client->newstate = NS_CLIENTSTATE_MAX;
return (ISC_TRUE); /* We're done. */
@@ -402,10 +517,13 @@ exit_check(ns_client_t *client) {
*/
INSIST(client->recursionquota == NULL);
INSIST(client->newstate <= NS_CLIENTSTATE_READY);
- if (client->nreads > 0)
+
+ if (client->nreads > 0) {
dns_tcpmsg_cancelread(&client->tcpmsg);
- if (client->nreads != 0) {
- /* Still waiting for read cancel completion. */
+ }
+
+ /* Still waiting for read cancel completion. */
+ if (client->nreads > 0) {
return (ISC_TRUE);
}
@@ -413,14 +531,49 @@ exit_check(ns_client_t *client) {
dns_tcpmsg_invalidate(&client->tcpmsg);
client->tcpmsg_valid = ISC_FALSE;
}
+
+ /*
+ * Soon the client will be ready to accept a new TCP
+ * connection or UDP request, but we may have enough
+ * clients doing that already. Check whether this client
+ * needs to remain active and allow it go inactive if
+ * not.
+ *
+ * UDP clients always go inactive at this point, but a TCP
+ * client may need to stay active and return to READY
+ * state if no other clients are available to listen
+ * for TCP requests on this interface.
+ *
+ * Regardless, if we're going to FREED state, that means
+ * the system is shutting down and we don't need to
+ * retain clients.
+ */
+ if (client->mortal && TCP_CLIENT(client) &&
+ client->newstate != NS_CLIENTSTATE_FREED &&
+ !ns_g_clienttest &&
+ isc_atomic_xadd(&client->interface->ntcpaccepting, 0) == 0)
+ {
+ /* Nobody else is accepting */
+ client->mortal = ISC_FALSE;
+ client->newstate = NS_CLIENTSTATE_READY;
+ }
+
+ /*
+ * Detach from TCP connection and TCP client quota,
+ * if appropriate. If this is the last reference to
+ * the TCP connection in our pipeline group, the
+ * TCP quota slot will be released.
+ */
+ if (client->tcpconn) {
+ tcpconn_detach(client);
+ }
+
if (client->tcpsocket != NULL) {
CTRACE("closetcp");
isc_socket_detach(&client->tcpsocket);
+ mark_tcp_active(client, ISC_FALSE);
}
- if (client->tcpquota != NULL)
- isc_quota_detach(&client->tcpquota);
-
if (client->timerset) {
(void)isc_timer_reset(client->timer,
isc_timertype_inactive,
@@ -428,45 +581,26 @@ exit_check(ns_client_t *client) {
client->timerset = ISC_FALSE;
}
- client->pipelined = ISC_FALSE;
-
client->peeraddr_valid = ISC_FALSE;
client->state = NS_CLIENTSTATE_READY;
- INSIST(client->recursionquota == NULL);
-
- /*
- * Now the client is ready to accept a new TCP connection
- * or UDP request, but we may have enough clients doing
- * that already. Check whether this client needs to remain
- * active and force it to go inactive if not.
- *
- * UDP clients go inactive at this point, but TCP clients
- * may remain active if we have fewer active TCP client
- * objects than desired due to an earlier quota exhaustion.
- */
- if (client->mortal && TCP_CLIENT(client) && !ns_g_clienttest) {
- LOCK(&client->interface->lock);
- if (client->interface->ntcpcurrent <
- client->interface->ntcptarget)
- client->mortal = ISC_FALSE;
- UNLOCK(&client->interface->lock);
- }
/*
* We don't need the client; send it to the inactive
* queue for recycling.
*/
if (client->mortal) {
- if (client->newstate > NS_CLIENTSTATE_INACTIVE)
+ if (client->newstate > NS_CLIENTSTATE_INACTIVE) {
client->newstate = NS_CLIENTSTATE_INACTIVE;
+ }
}
if (NS_CLIENTSTATE_READY == client->newstate) {
if (TCP_CLIENT(client)) {
client_accept(client);
- } else
+ } else {
client_udprecv(client);
+ }
client->newstate = NS_CLIENTSTATE_MAX;
return (ISC_TRUE);
}
@@ -478,41 +612,50 @@ exit_check(ns_client_t *client) {
/*
* We are trying to enter the inactive state.
*/
- if (client->naccepts > 0)
+ if (client->naccepts > 0) {
isc_socket_cancel(client->tcplistener, client->task,
ISC_SOCKCANCEL_ACCEPT);
+ }
/* Still waiting for accept cancel completion. */
- if (! (client->naccepts == 0))
+ if (client->naccepts > 0) {
return (ISC_TRUE);
+ }
/* Accept cancel is complete. */
- if (client->nrecvs > 0)
+ if (client->nrecvs > 0) {
isc_socket_cancel(client->udpsocket, client->task,
ISC_SOCKCANCEL_RECV);
+ }
/* Still waiting for recv cancel completion. */
- if (! (client->nrecvs == 0))
+ if (client->nrecvs > 0) {
return (ISC_TRUE);
+ }
/* Still waiting for control event to be delivered */
- if (client->nctls > 0)
+ if (client->nctls > 0) {
return (ISC_TRUE);
-
- /* Deactivate the client. */
- if (client->interface)
- ns_interface_detach(&client->interface);
+ }
INSIST(client->naccepts == 0);
INSIST(client->recursionquota == NULL);
- if (client->tcplistener != NULL)
+ if (client->tcplistener != NULL) {
isc_socket_detach(&client->tcplistener);
-
- if (client->udpsocket != NULL)
+ mark_tcp_active(client, ISC_FALSE);
+ }
+ if (client->udpsocket != NULL) {
isc_socket_detach(&client->udpsocket);
+ }
- if (client->dispatch != NULL)
+ /* Deactivate the client. */
+ if (client->interface != NULL) {
+ ns_interface_detach(&client->interface);
+ }
+
+ if (client->dispatch != NULL) {
dns_dispatch_detach(&client->dispatch);
+ }
client->attributes = 0;
client->mortal = ISC_FALSE;
@@ -537,10 +680,13 @@ exit_check(ns_client_t *client) {
client->newstate = NS_CLIENTSTATE_MAX;
if (!ns_g_clienttest && manager != NULL &&
!manager->exiting)
+ {
ISC_QUEUE_PUSH(manager->inactive, client,
ilink);
- if (client->needshutdown)
+ }
+ if (client->needshutdown) {
isc_task_shutdown(client->task);
+ }
return (ISC_TRUE);
}
}
@@ -650,7 +796,7 @@ client_start(isc_task_t *task, isc_event
return;
if (TCP_CLIENT(client)) {
- if (client->pipelined) {
+ if (client->tcpconn != NULL) {
client_read(client);
} else {
client_accept(client);
@@ -660,7 +806,6 @@ client_start(isc_task_t *task, isc_event
}
}
-
/*%
* The client's task has received a shutdown event.
*/
@@ -2301,6 +2446,7 @@ client_request(isc_task_t *task, isc_eve
client->nrecvs--;
} else {
INSIST(TCP_CLIENT(client));
+ INSIST(client->tcpconn != NULL);
REQUIRE(event->ev_type == DNS_EVENT_TCPMSG);
REQUIRE(event->ev_sender == &client->tcpmsg);
buffer = &client->tcpmsg.buffer;
@@ -2484,18 +2630,27 @@ client_request(isc_task_t *task, isc_eve
/*
* Pipeline TCP query processing.
*/
- if (client->message->opcode != dns_opcode_query)
- client->pipelined = ISC_FALSE;
- if (TCP_CLIENT(client) && client->pipelined) {
- result = isc_quota_reserve(&ns_g_server->tcpquota);
- if (result == ISC_R_SUCCESS)
- result = ns_client_replace(client);
+ if (TCP_CLIENT(client) &&
+ client->message->opcode != dns_opcode_query)
+ {
+ client->tcpconn->pipelined = ISC_FALSE;
+ }
+ if (TCP_CLIENT(client) && client->tcpconn->pipelined) {
+ /*
+ * We're pipelining. Replace the client; the
+ * replacement can read the TCP socket looking
+ * for new messages and this one can process the
+ * current message asynchronously.
+ *
+ * There will now be at least three clients using this
+ * TCP socket - one accepting new connections,
+ * one reading an existing connection to get new
+ * messages, and one answering the message already
+ * received.
+ */
+ result = ns_client_replace(client);
if (result != ISC_R_SUCCESS) {
- ns_client_log(client, NS_LOGCATEGORY_CLIENT,
- NS_LOGMODULE_CLIENT, ISC_LOG_WARNING,
- "no more TCP clients(read): %s",
- isc_result_totext(result));
- client->pipelined = ISC_FALSE;
+ client->tcpconn->pipelined = ISC_FALSE;
}
}
@@ -3051,8 +3206,7 @@ client_create(ns_clientmgr_t *manager, n
client->signer = NULL;
dns_name_init(&client->signername, NULL);
client->mortal = ISC_FALSE;
- client->pipelined = ISC_FALSE;
- client->tcpquota = NULL;
+ client->tcpconn = NULL;
client->recursionquota = NULL;
client->interface = NULL;
client->peeraddr_valid = ISC_FALSE;
@@ -3062,6 +3216,7 @@ client_create(ns_clientmgr_t *manager, n
client->filter_aaaa = dns_aaaa_ok;
#endif
client->needshutdown = ns_g_clienttest;
+ client->tcpactive = ISC_FALSE;
ISC_EVENT_INIT(&client->ctlevent, sizeof(client->ctlevent), 0, NULL,
NS_EVENT_CLIENTCONTROL, client_start, client, client,
@@ -3156,9 +3311,10 @@ client_read(ns_client_t *client) {
static void
client_newconn(isc_task_t *task, isc_event_t *event) {
+ isc_result_t result;
ns_client_t *client = event->ev_arg;
isc_socket_newconnev_t *nevent = (isc_socket_newconnev_t *)event;
- isc_result_t result;
+ isc_uint32_t old;
REQUIRE(event->ev_type == ISC_SOCKEVENT_NEWCONN);
REQUIRE(NS_CLIENT_VALID(client));
@@ -3168,13 +3324,18 @@ client_newconn(isc_task_t *task, isc_eve
INSIST(client->state == NS_CLIENTSTATE_READY);
+ /*
+ * The accept() was successful and we're now establishing a new
+ * connection. We need to make note of it in the client and
+ * interface objects so client objects can do the right thing
+ * when going inactive in exit_check() (see comments in
+ * client_accept() for details).
+ */
INSIST(client->naccepts == 1);
client->naccepts--;
- LOCK(&client->interface->lock);
- INSIST(client->interface->ntcpcurrent > 0);
- client->interface->ntcpcurrent--;
- UNLOCK(&client->interface->lock);
+ old = isc_atomic_xadd(&client->interface->ntcpaccepting, -1);
+ INSIST(old > 0);
/*
* We must take ownership of the new socket before the exit
@@ -3207,6 +3368,7 @@ client_newconn(isc_task_t *task, isc_eve
NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
"accept failed: %s",
isc_result_totext(nevent->result));
+ tcpconn_detach(client);
}
if (exit_check(client))
@@ -3244,20 +3406,13 @@ client_newconn(isc_task_t *task, isc_eve
* telnetting to port 53 (once per CPU) will
* deny service to legitimate TCP clients.
*/
- client->pipelined = ISC_FALSE;
- result = isc_quota_attach(&ns_g_server->tcpquota,
- &client->tcpquota);
- if (result == ISC_R_SUCCESS)
- result = ns_client_replace(client);
- if (result != ISC_R_SUCCESS) {
- ns_client_log(client, NS_LOGCATEGORY_CLIENT,
- NS_LOGMODULE_CLIENT, ISC_LOG_WARNING,
- "no more TCP clients(accept): %s",
- isc_result_totext(result));
- } else if (ns_g_server->keepresporder == NULL ||
- !allowed(&netaddr, NULL, NULL, 0, NULL,
- ns_g_server->keepresporder)) {
- client->pipelined = ISC_TRUE;
+ result = ns_client_replace(client);
+ if (result == ISC_R_SUCCESS &&
+ (ns_g_server->keepresporder == NULL ||
+ !allowed(&netaddr, NULL, NULL, 0, NULL,
+ ns_g_server->keepresporder)))
+ {
+ client->tcpconn->pipelined = ISC_TRUE;
}
client_read(client);
@@ -3273,12 +3428,66 @@ client_accept(ns_client_t *client) {
CTRACE("accept");
+ /*
+ * Set up a new TCP connection. This means try to attach to the
+ * TCP client quota (tcp-clients), but fail if we're over quota.
+ */
+ result = tcpconn_init(client, ISC_FALSE);
+ if (result != ISC_R_SUCCESS) {
+ isc_boolean_t exit;
+
+ ns_client_log(client, NS_LOGCATEGORY_CLIENT,
+ NS_LOGMODULE_CLIENT, ISC_LOG_WARNING,
+ "TCP client quota reached: %s",
+ isc_result_totext(result));
+
+ /*
+ * We have exceeded the system-wide TCP client quota. But,
+ * we can't just block this accept in all cases, because if
+ * we did, a heavy TCP load on other interfaces might cause
+ * this interface to be starved, with no clients able to
+ * accept new connections.
+ *
+ * So, we check here to see if any other clients are
+ * already servicing TCP queries on this interface (whether
+ * accepting, reading, or processing). If we find that at
+ * least one client other than this one is active, then
+ * it's okay *not* to call accept - we can let this
+ * client go inactive and another will take over when it's
+ * done.
+ *
+ * If there aren't enough active clients on the interface,
+ * then we can be a little bit flexible about the quota.
+ * We'll allow *one* extra client through to ensure we're
+ * listening on every interface; we do this by setting the
+ * 'force' option to tcpconn_init().
+ *
+ * (Note: In practice this means that the real TCP client
+ * quota is tcp-clients plus the number of listening
+ * interfaces plus 1.)
+ */
+ exit = (isc_atomic_xadd(&client->interface->ntcpactive, 0) >
+ (client->tcpactive ? 1 : 0));
+ if (exit) {
+ client->newstate = NS_CLIENTSTATE_INACTIVE;
+ (void)exit_check(client);
+ return;
+ }
+
+ result = tcpconn_init(client, ISC_TRUE);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ }
+
+ /*
+ * If this client was set up using get_client() or get_worker(),
+ * then TCP is already marked active. However, if it was restarted
+ * from exit_check(), it might not be, so we take care of it now.
+ */
+ mark_tcp_active(client, ISC_TRUE);
+
result = isc_socket_accept(client->tcplistener, client->task,
client_newconn, client);
if (result != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_socket_accept() failed: %s",
- isc_result_totext(result));
/*
* XXXRTH What should we do? We're trying to accept but
* it didn't work. If we just give up, then TCP
@@ -3286,13 +3495,37 @@ client_accept(ns_client_t *client) {
*
* For now, we just go idle.
*/
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_socket_accept() failed: %s",
+ isc_result_totext(result));
+
+ tcpconn_detach(client);
+ mark_tcp_active(client, ISC_FALSE);
return;
}
+
+ /*
+ * The client's 'naccepts' counter indicates that this client has
+ * called accept() and is waiting for a new connection. It should
+ * never exceed 1.
+ */
INSIST(client->naccepts == 0);
client->naccepts++;
- LOCK(&client->interface->lock);
- client->interface->ntcpcurrent++;
- UNLOCK(&client->interface->lock);
+
+ /*
+ * The interface's 'ntcpaccepting' counter is incremented when
+ * any client calls accept(), and decremented in client_newconn()
+ * once the connection is established.
+ *
+ * When the client object is shutting down after handling a TCP
+ * request (see exit_check()), if this value is at least one, that
+ * means another client has called accept() and is waiting to
+ * establish the next connection. That means the client may be
+ * be free to become inactive; otherwise it may need to start
+ * listening for connections itself to prevent the interface
+ * going dead.
+ */
+ isc_atomic_xadd(&client->interface->ntcpaccepting, 1);
}
static void
@@ -3363,15 +3596,17 @@ ns_client_replace(ns_client_t *client) {
REQUIRE(client->manager != NULL);
tcp = TCP_CLIENT(client);
- if (tcp && client->pipelined) {
+ if (tcp && client->tcpconn != NULL && client->tcpconn->pipelined) {
result = get_worker(client->manager, client->interface,
- client->tcpsocket);
+ client->tcpsocket, client);
} else {
result = get_client(client->manager, client->interface,
client->dispatch, tcp);
+
}
- if (result != ISC_R_SUCCESS)
+ if (result != ISC_R_SUCCESS) {
return (result);
+ }
/*
* The responsibility for listening for new requests is hereby
@@ -3557,9 +3792,12 @@ get_client(ns_clientmgr_t *manager, ns_i
client->dscp = ifp->dscp;
if (tcp) {
+ mark_tcp_active(client, ISC_TRUE);
+
client->attributes |= NS_CLIENTATTR_TCP;
isc_socket_attach(ifp->tcpsocket,
&client->tcplistener);
+
} else {
isc_socket_t *sock;
@@ -3577,7 +3815,8 @@ get_client(ns_clientmgr_t *manager, ns_i
}
static isc_result_t
-get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, isc_socket_t *sock)
+get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, isc_socket_t *sock,
+ ns_client_t *oldclient)
{
isc_result_t result = ISC_R_SUCCESS;
isc_event_t *ev;
@@ -3585,6 +3824,7 @@ get_worker(ns_clientmgr_t *manager, ns_i
MTRACE("get worker");
REQUIRE(manager != NULL);
+ REQUIRE(oldclient != NULL);
if (manager->exiting)
return (ISC_R_SHUTTINGDOWN);
@@ -3617,14 +3857,15 @@ get_worker(ns_clientmgr_t *manager, ns_i
ns_interface_attach(ifp, &client->interface);
client->newstate = client->state = NS_CLIENTSTATE_WORKING;
INSIST(client->recursionquota == NULL);
- client->tcpquota = &ns_g_server->tcpquota;
client->dscp = ifp->dscp;
client->attributes |= NS_CLIENTATTR_TCP;
- client->pipelined = ISC_TRUE;
client->mortal = ISC_TRUE;
+ tcpconn_attach(oldclient, client);
+ mark_tcp_active(client, ISC_TRUE);
+
isc_socket_attach(ifp->tcpsocket, &client->tcplistener);
isc_socket_attach(sock, &client->tcpsocket);
isc_socket_setname(client->tcpsocket, "worker-tcp", NULL);
Index: bind9-9.11.4+dfsg/bin/named/include/named/client.h
===================================================================
--- bind9-9.11.4+dfsg.orig/bin/named/include/named/client.h 2019-04-24 05:05:24.068523718 -0400
+++ bind9-9.11.4+dfsg/bin/named/include/named/client.h 2019-04-24 05:18:09.894205195 -0400
@@ -9,8 +9,6 @@
* information regarding copyright ownership.
*/
-/* $Id: client.h,v 1.96 2012/01/31 23:47:31 tbox Exp $ */
-
#ifndef NAMED_CLIENT_H
#define NAMED_CLIENT_H 1
@@ -77,6 +75,13 @@
*** Types
***/
+/*% reference-counted TCP connection object */
+typedef struct ns_tcpconn {
+ isc_refcount_t refs;
+ isc_quota_t *tcpquota;
+ isc_boolean_t pipelined;
+} ns_tcpconn_t;
+
/*% nameserver client structure */
struct ns_client {
unsigned int magic;
@@ -91,6 +96,7 @@ struct ns_client {
int nupdates;
int nctls;
int references;
+ isc_boolean_t tcpactive;
isc_boolean_t needshutdown; /*
* Used by clienttest to get
* the client to go from
@@ -127,10 +133,9 @@ struct ns_client {
isc_stdtime_t now;
isc_time_t tnow;
dns_name_t signername; /*%< [T]SIG key name */
- dns_name_t * signer; /*%< NULL if not valid sig */
+ dns_name_t *signer; /*%< NULL if not valid sig */
isc_boolean_t mortal; /*%< Die after handling request */
- isc_boolean_t pipelined; /*%< TCP queries not in sequence */
- isc_quota_t *tcpquota;
+ ns_tcpconn_t *tcpconn;
isc_quota_t *recursionquota;
ns_interface_t *interface;
Index: bind9-9.11.4+dfsg/bin/named/include/named/interfacemgr.h
===================================================================
--- bind9-9.11.4+dfsg.orig/bin/named/include/named/interfacemgr.h 2019-04-24 05:05:24.068523718 -0400
+++ bind9-9.11.4+dfsg/bin/named/include/named/interfacemgr.h 2019-04-24 05:05:24.068523718 -0400
@@ -9,8 +9,6 @@
* information regarding copyright ownership.
*/
-/* $Id: interfacemgr.h,v 1.35 2011/07/28 23:47:58 tbox Exp $ */
-
#ifndef NAMED_INTERFACEMGR_H
#define NAMED_INTERFACEMGR_H 1
@@ -75,9 +73,14 @@ struct ns_interface {
/*%< UDP dispatchers. */
isc_socket_t * tcpsocket; /*%< TCP socket. */
isc_dscp_t dscp; /*%< "listen-on" DSCP value */
- int ntcptarget; /*%< Desired number of concurrent
- TCP accepts */
- int ntcpcurrent; /*%< Current ditto, locked */
+ isc_int32_t ntcpaccepting; /*%< Number of clients
+ ready to accept new
+ TCP connections on this
+ interface */
+ isc_int32_t ntcpactive; /*%< Number of clients
+ servicing TCP queries
+ (whether accepting or
+ connected) */
int nudpdispatch; /*%< Number of UDP dispatches */
ns_clientmgr_t * clientmgr; /*%< Client manager. */
ISC_LINK(ns_interface_t) link;
Index: bind9-9.11.4+dfsg/bin/named/interfacemgr.c
===================================================================
--- bind9-9.11.4+dfsg.orig/bin/named/interfacemgr.c 2019-04-24 05:05:24.068523718 -0400
+++ bind9-9.11.4+dfsg/bin/named/interfacemgr.c 2019-04-24 05:19:06.102432272 -0400
@@ -384,8 +384,9 @@ ns_interface_create(ns_interfacemgr_t *m
* connections will be handled in parallel even though there is
* only one client initially.
*/
- ifp->ntcptarget = 1;
- ifp->ntcpcurrent = 0;
+ ifp->ntcpaccepting = 0;
+ ifp->ntcpactive = 0;
+
ifp->nudpdispatch = 0;
ifp->dscp = -1;
@@ -520,9 +521,7 @@ ns_interface_accepttcp(ns_interface_t *i
*/
(void)isc_socket_filter(ifp->tcpsocket, "dataready");
- result = ns_clientmgr_createclients(ifp->clientmgr,
- ifp->ntcptarget, ifp,
- ISC_TRUE);
+ result = ns_clientmgr_createclients(ifp->clientmgr, 1, ifp, ISC_TRUE);
if (result != ISC_R_SUCCESS) {
UNEXPECTED_ERROR(__FILE__, __LINE__,
"TCP ns_clientmgr_createclients(): %s",
Index: bind9-9.11.4+dfsg/lib/isc/include/isc/quota.h
===================================================================
--- bind9-9.11.4+dfsg.orig/lib/isc/include/isc/quota.h 2019-04-24 05:05:24.068523718 -0400
+++ bind9-9.11.4+dfsg/lib/isc/include/isc/quota.h 2019-04-24 05:05:24.068523718 -0400
@@ -100,6 +100,13 @@ isc_quota_attach(isc_quota_t *quota, isc
* quota if successful (ISC_R_SUCCESS or ISC_R_SOFTQUOTA).
*/
+isc_result_t
+isc_quota_force(isc_quota_t *quota, isc_quota_t **p);
+/*%<
+ * Like isc_quota_attach, but will attach '*p' to the quota
+ * even if the hard quota has been exceeded.
+ */
+
void
isc_quota_detach(isc_quota_t **p);
/*%<
Index: bind9-9.11.4+dfsg/lib/isc/quota.c
===================================================================
--- bind9-9.11.4+dfsg.orig/lib/isc/quota.c 2019-04-24 05:05:24.068523718 -0400
+++ bind9-9.11.4+dfsg/lib/isc/quota.c 2019-04-24 05:05:24.068523718 -0400
@@ -74,20 +74,39 @@ isc_quota_release(isc_quota_t *quota) {
UNLOCK(&quota->lock);
}
-isc_result_t
-isc_quota_attach(isc_quota_t *quota, isc_quota_t **p)
-{
+static isc_result_t
+doattach(isc_quota_t *quota, isc_quota_t **p, isc_boolean_t force) {
isc_result_t result;
- INSIST(p != NULL && *p == NULL);
+ REQUIRE(p != NULL && *p == NULL);
+
result = isc_quota_reserve(quota);
- if (result == ISC_R_SUCCESS || result == ISC_R_SOFTQUOTA)
+ if (result == ISC_R_SUCCESS || result == ISC_R_SOFTQUOTA) {
+ *p = quota;
+ } else if (result == ISC_R_QUOTA && force) {
+ /* attach anyway */
+ LOCK(&quota->lock);
+ quota->used++;
+ UNLOCK(&quota->lock);
+
*p = quota;
+ result = ISC_R_SUCCESS;
+ }
+
return (result);
}
+isc_result_t
+isc_quota_attach(isc_quota_t *quota, isc_quota_t **p) {
+ return (doattach(quota, p, ISC_FALSE));
+}
+
+isc_result_t
+isc_quota_force(isc_quota_t *quota, isc_quota_t **p) {
+ return (doattach(quota, p, ISC_TRUE));
+}
+
void
-isc_quota_detach(isc_quota_t **p)
-{
+isc_quota_detach(isc_quota_t **p) {
INSIST(p != NULL && *p != NULL);
isc_quota_release(*p);
*p = NULL;
Index: bind9-9.11.4+dfsg/lib/isc/win32/libisc.def.in
===================================================================
--- bind9-9.11.4+dfsg.orig/lib/isc/win32/libisc.def.in 2019-04-24 05:05:24.068523718 -0400
+++ bind9-9.11.4+dfsg/lib/isc/win32/libisc.def.in 2019-04-24 05:05:24.068523718 -0400
@@ -519,6 +519,7 @@ isc_portset_removerange
isc_quota_attach
isc_quota_destroy
isc_quota_detach
+isc_quota_force
isc_quota_init
isc_quota_max
isc_quota_release

71
CVE-2018-5745.patch
View File

@ -1,71 +0,0 @@
Description: fix assertion failure when a trust anchor rolls over to an
unsupported key algorithm when using managed-keys
Origin: provided by ISC
Index: bind9-9.11.4+dfsg/lib/dns/include/dst/dst.h
===================================================================
--- bind9-9.11.4+dfsg.orig/lib/dns/include/dst/dst.h 2019-02-20 09:01:27.450680701 +0100
+++ bind9-9.11.4+dfsg/lib/dns/include/dst/dst.h 2019-02-20 09:01:27.446680698 +0100
@@ -67,8 +67,7 @@ typedef struct dst_context dst_context_
#define DST_ALG_HMACSHA512 165 /* XXXMPA */
#define DST_ALG_INDIRECT 252
#define DST_ALG_PRIVATE 254
-#define DST_ALG_EXPAND 255
-#define DST_MAX_ALGS 255
+#define DST_MAX_ALGS 256
/*% A buffer of this size is large enough to hold any key */
#define DST_KEY_MAXSIZE 1280
Index: bind9-9.11.4+dfsg/lib/dns/zone.c
===================================================================
--- bind9-9.11.4+dfsg.orig/lib/dns/zone.c 2019-02-20 09:01:27.450680701 +0100
+++ bind9-9.11.4+dfsg/lib/dns/zone.c 2019-02-20 09:01:27.450680701 +0100
@@ -3873,9 +3873,10 @@ compute_tag(dns_name_t *name, dns_rdata_
dns_rdatatype_dnskey, dnskey, &buffer);
result = dns_dnssec_keyfromrdata(name, &rdata, mctx, &dstkey);
- if (result == ISC_R_SUCCESS)
+ if (result == ISC_R_SUCCESS) {
*tag = dst_key_id(dstkey);
- dst_key_free(&dstkey);
+ dst_key_free(&dstkey);
+ }
return (result);
}
@@ -9315,6 +9316,17 @@ keyfetch_done(isc_task_t *task, isc_even
dns_keydata_todnskey(&keydata, &dnskey, NULL);
result = compute_tag(keyname, &dnskey, mctx, &keytag);
+ if (result != ISC_R_SUCCESS) {
+ /*
+ * Skip if we cannot compute the key tag.
+ * This may happen if the algorithm is unsupported
+ */
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "Cannot compute tag for key in zone %s: %s "
+ "(skipping)",
+ namebuf, dns_result_totext(result));
+ continue;
+ }
RUNTIME_CHECK(result == ISC_R_SUCCESS);
/*
@@ -9426,6 +9438,17 @@ keyfetch_done(isc_task_t *task, isc_even
continue;
result = compute_tag(keyname, &dnskey, mctx, &keytag);
+ if (result != ISC_R_SUCCESS) {
+ /*
+ * Skip if we cannot compute the key tag.
+ * This may happen if the algorithm is unsupported
+ */
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "Cannot compute tag for key in zone %s: %s "
+ "(skipping)",
+ namebuf, dns_result_totext(result));
+ continue;
+ }
RUNTIME_CHECK(result == ISC_R_SUCCESS);
revoked = ISC_TF(dnskey.flags & DNS_KEYFLAG_REVOKE);

25
CVE-2019-6465.patch
View File

@ -1,25 +0,0 @@
Description: fix controls for zone transfers not being properly applied to
Dynamically Loadable Zones (DLZs) if the zones are writable
Origin: provided by ISC
Index: bind9-9.11.4+dfsg/bin/named/xfrout.c
===================================================================
--- bind9-9.11.4+dfsg.orig/bin/named/xfrout.c 2019-02-20 09:02:00.710689380 +0100
+++ bind9-9.11.4+dfsg/bin/named/xfrout.c 2019-02-20 09:02:00.706689381 +0100
@@ -803,12 +803,12 @@ ns_xfr_start(ns_client_t *client, dns_rd
result = dns_zt_find(client->view->zonetable, question_name, 0, NULL,
&zone);
- if (result != ISC_R_SUCCESS) {
+ if (result != ISC_R_SUCCESS || dns_zone_gettype(zone) == dns_zone_dlz) {
/*
- * Normal zone table does not have a match.
- * Try the DLZ database
+ * The normal zone table does not have a match, or this is
+ * marked in the zone table as a DLZ zone. Check the DLZ
+ * databases for a match.
*/
- // Temporary: only searching the first DLZ database
if (! ISC_LIST_EMPTY(client->view->dlz_searched)) {
result = dns_dlzallowzonexfr(client->view,
question_name,

6
Use-clock_gettime-instead-of-gettimeofday.patch
View File

@ -27,16 +27,16 @@ index f06d31a5508c2d3f7227063c21d9d4563789e72a..da25e5bf8e07639c8f70420a5c3f3c98
-#if ISC_FIX_TV_USEC
-static inline void
-fix_tv_usec(struct timeval *tv) {
- isc_boolean_t fixed = ISC_FALSE;
- bool fixed = false;
-
- if (tv->tv_usec < 0) {
- fixed = ISC_TRUE;
- fixed = true;
- do {
- tv->tv_sec -= 1;
- tv->tv_usec += US_PER_S;
- } while (tv->tv_usec < 0);
- } else if (tv->tv_usec >= US_PER_S) {
- fixed = ISC_TRUE;
- fixed = true;
- do {
- tv->tv_sec += 1;
- tv->tv_usec -= US_PER_S;

160
bind-9.10-dist-native-pkcs11.patch
View File

@ -14,25 +14,26 @@ index f0c504a..ce7a2da 100644
@BIND9_MAKE_RULES@
diff --git a/bin/dnssec-pkcs11/Makefile.in b/bin/dnssec-pkcs11/Makefile.in
index 1d0c4ce..7b7f89b 100644
index 4b8ca13..32f4470 100644
--- a/bin/dnssec-pkcs11/Makefile.in
+++ b/bin/dnssec-pkcs11/Makefile.in
@@ -17,18 +17,18 @@ VERSION=@BIND9_VERSION@
@@ -15,18 +15,18 @@ VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@
-CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@
+CINCLUDES = ${DNS_PKCS11_INCLUDES} ${ISC_PKCS11_INCLUDES}
CDEFINES = -DVERSION=\"${VERSION}\" @USE_PKCS11@ @PKCS11_ENGINE@ \
-CDEFINES = -DVERSION=\"${VERSION}\" @USE_PKCS11@ @PKCS11_ENGINE@ \
- @CRYPTO@ -DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\"
+CDEFINES = -DVERSION=\"${VERSION}\" @PKCS11_ENGINE@ \
+ @CRYPTO_PK11@ -DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\"
CWARNINGS =
-DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
-DNSLIBS = ../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
-ISCLIBS = ../../lib/isc/libisc.@A@
-ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
+DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @DNS_CRYPTO_LIBS@
+DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
+ISCLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@
+ISCNOSYMLIBS = ../../lib/isc-pkcs11/libisc-pkcs11-nosymtbl.@A@
@ -43,7 +44,7 @@ index 1d0c4ce..7b7f89b 100644
DEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS}
@@ -37,10 +37,10 @@ LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@
@@ -35,10 +35,10 @@ LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@
NOSYMLIBS = ${DNSLIBS} ${ISCNOSYMLIBS} @LIBS@
# Alphabetically
@ -58,7 +59,7 @@ index 1d0c4ce..7b7f89b 100644
OBJS = dnssectool.@O@
@@ -61,15 +61,15 @@ MANOBJS = ${MANPAGES} ${HTMLPAGES}
@@ -59,15 +59,15 @@ MANOBJS = ${MANPAGES} ${HTMLPAGES}
@BIND9_MAKE_RULES@
@ -77,7 +78,7 @@ index 1d0c4ce..7b7f89b 100644
export BASEOBJS="dnssec-keygen.@O@ ${OBJS}"; \
${FINALBUILDCMD}
@@ -77,7 +77,7 @@ dnssec-signzone.@O@: dnssec-signzone.c
@@ -75,7 +75,7 @@ dnssec-signzone.@O@: dnssec-signzone.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
-c ${srcdir}/dnssec-signzone.c
@ -86,7 +87,7 @@ index 1d0c4ce..7b7f89b 100644
export BASEOBJS="dnssec-signzone.@O@ ${OBJS}"; \
${FINALBUILDCMD}
@@ -85,19 +85,19 @@ dnssec-verify.@O@: dnssec-verify.c
@@ -83,19 +83,19 @@ dnssec-verify.@O@: dnssec-verify.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
-c ${srcdir}/dnssec-verify.c
@ -110,7 +111,7 @@ index 1d0c4ce..7b7f89b 100644
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
dnssec-importkey.@O@ ${OBJS} ${LIBS}
@@ -108,16 +108,14 @@ docclean manclean maintainer-clean::
@@ -106,16 +106,14 @@ docclean manclean maintainer-clean::
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
@ -121,18 +122,18 @@ index 1d0c4ce..7b7f89b 100644
-install:: ${TARGETS} installdirs install-man8
+install:: ${TARGETS} installdirs
for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir}; done
for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir} || exit 1; done
uninstall::
- for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m ; done
for t in ${TARGETS}; do ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/$$t ; done
- for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m || exit 1; done
for t in ${TARGETS}; do ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/$$t || exit 1; done
clean distclean::
diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in
index 1d0c4ce..11538cf 100644
index 4b8ca13..4175996 100644
--- a/bin/dnssec/Makefile.in
+++ b/bin/dnssec/Makefile.in
@@ -19,7 +19,7 @@ VERSION=@BIND9_VERSION@
@@ -17,7 +17,7 @@ VERSION=@BIND9_VERSION@
CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@
@ -142,44 +143,46 @@ index 1d0c4ce..11538cf 100644
CWARNINGS =
diff --git a/bin/named-pkcs11/Makefile.in b/bin/named-pkcs11/Makefile.in
index d92bc9a..a8c42a4 100644
index 70e5571..b5a4a6b 100644
--- a/bin/named-pkcs11/Makefile.in
+++ b/bin/named-pkcs11/Makefile.in
@@ -43,26 +43,26 @@ DLZDRIVER_INCLUDES = @DLZ_DRIVER_INCLUDES@
@@ -43,27 +43,27 @@ DLZDRIVER_INCLUDES = @DLZ_DRIVER_INCLUDES@
DLZDRIVER_LIBS = @DLZ_DRIVER_LIBS@
CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
- ${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \
- ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \
+ ${LWRES_INCLUDES} ${DNS_PKCS11_INCLUDES} ${BIND9_INCLUDES} \
+ ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_PKCS11_INCLUDES} \
${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} @DST_OPENSSL_INC@
+ ${LWRES_INCLUDES} ${DNS_PKCS11_INCLUDES} ${BIND9_INCLUDES} \
+ ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_PKCS11_INCLUDES} \
${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} ${MAXMINDDB_CFLAGS} \
@DST_OPENSSL_INC@
-CDEFINES = @CONTRIB_DLZ@ @USE_PKCS11@ @PKCS11_ENGINE@ @CRYPTO@
+CDEFINES = @USE_PKCS11@ @PKCS11_ENGINE@ @CRYPTO_PK11@
-CDEFINES = @CONTRIB_DLZ@ @USE_PKCS11@ @PKCS11_ENGINE@ @USE_GSSAPI@ @CRYPTO@
+CDEFINES = @USE_PKCS11@ @PKCS11_ENGINE@ @CRYPTO_PK11@ @USE_GSSAPI@
CWARNINGS =
-DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
+DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @DNS_CRYPTO_LIBS@
-DNSLIBS = ../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
+DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
ISCCCLIBS = ../../lib/isccc/libisccc.@A@
-ISCLIBS = ../../lib/isc/libisc.@A@
+ISCLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
-ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
+ISCLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@
+ISCNOSYMLIBS = ../../lib/isc-pkcs11/libisc-pkcs11-nosymtbl.@A@
LWRESLIBS = ../../lib/lwres/liblwres.@A@
BIND9LIBS = ../../lib/bind9/libbind9.@A@
-DNSDEPLIBS = ../../lib/dns/libdns.@A@
+DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@
+DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@
ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
ISCCCDEPLIBS = ../../lib/isccc/libisccc.@A@
-ISCDEPLIBS = ../../lib/isc/libisc.@A@
+ISCDEPLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@
+ISCDEPLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@
LWRESDEPLIBS = ../../lib/lwres/liblwres.@A@
BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
@@ -71,15 +71,15 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
@@ -72,15 +72,15 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} \
@ -189,16 +192,16 @@ index d92bc9a..a8c42a4 100644
NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCNOSYMLIBS} \
- ${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@
+ @LIBS@
+ @LIBS@
SUBDIRS = unix
-TARGETS = named@EXEEXT@ lwresd@EXEEXT@
+TARGETS = named-pkcs11@EXEEXT@
-TARGETS = named@EXEEXT@ lwresd@EXEEXT@ feature-test@EXEEXT@
+TARGETS = named-pkcs11@EXEEXT@ feature-test-pkcs11@EXEEXT@
GEOIPLINKOBJS = geoip.@O@
@@ -90,8 +90,7 @@ OBJS = builtin.@O@ client.@O@ config.@O@ control.@O@ \
GEOIP2LINKOBJS = geoip.@O@
@@ -94,8 +94,7 @@ OBJS = builtin.@O@ client.@O@ config.@O@ control.@O@ \
tkeyconf.@O@ tsigconf.@O@ update.@O@ xfrout.@O@ \
zoneconf.@O@ \
lwaddr.@O@ lwresd.@O@ lwdclient.@O@ lwderror.@O@ lwdgabn.@O@ \
@ -208,7 +211,7 @@ index d92bc9a..a8c42a4 100644
UOBJS = unix/os.@O@ unix/dlz_dlopen_driver.@O@
@@ -106,8 +105,7 @@ SRCS = builtin.c client.c config.c control.c \
@@ -113,8 +112,7 @@ SRCS = builtin.c client.c config.c control.c \
tkeyconf.c tsigconf.c update.c xfrout.c \
zoneconf.c \
lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \
@ -218,7 +221,7 @@ index d92bc9a..a8c42a4 100644
MANPAGES = named.8 lwresd.8 named.conf.5
@@ -146,14 +144,14 @@ server.@O@: server.c
@@ -154,21 +152,21 @@ server.@O@: server.c
-DPRODUCT=\"${PRODUCT}\" \
-DVERSION=\"${VERSION}\" -c ${srcdir}/server.c
@ -234,9 +237,17 @@ index d92bc9a..a8c42a4 100644
- @LN@ named@EXEEXT@ lwresd@EXEEXT@
+ @LN@ named-pkcs11@EXEEXT@ lwresd@EXEEXT@
doc man:: ${MANOBJS}
# Bit of hack, do not produce intermediate .o object for featuretest
feature-test.@O@: ${top_srcdir}/bin/tests/system/feature-test.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-c ${top_srcdir}/bin/tests/system/feature-test.c
@@ -184,16 +182,11 @@ install-man8: named.8 lwresd.8
-feature-test@EXEEXT@: feature-test.@O@
+feature-test-pkcs11@EXEEXT@: feature-test.@O@
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} \
-o $@ feature-test.@O@ ${ISCLIBS} ${LIBS}
@@ -201,16 +199,11 @@ install-man8: named.8 lwresd.8
install-man: install-man5 install-man8
@ -257,15 +268,15 @@ index d92bc9a..a8c42a4 100644
@DLZ_DRIVER_RULES@
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
index d92bc9a..6d2bfd1 100644
index 70e5571..4cfed4d 100644
--- a/bin/named/Makefile.in
+++ b/bin/named/Makefile.in
@@ -47,7 +47,7 @@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \
${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} @DST_OPENSSL_INC@
@@ -48,7 +48,7 @@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} ${MAXMINDDB_CFLAGS} \
@DST_OPENSSL_INC@
-CDEFINES = @CONTRIB_DLZ@ @USE_PKCS11@ @PKCS11_ENGINE@ @CRYPTO@
+CDEFINES = @CONTRIB_DLZ@ @CRYPTO@
-CDEFINES = @CONTRIB_DLZ@ @USE_PKCS11@ @PKCS11_ENGINE@ @USE_GSSAPI@ @CRYPTO@
+CDEFINES = @CONTRIB_DLZ@ @USE_GSSAPI@ @CRYPTO@
CWARNINGS =
@ -290,11 +301,11 @@ index a058c91..d4b689a 100644
DEPLIBS = ${ISCDEPLIBS}
diff --git a/configure.in b/configure.in
index 849fa94..69e6373 100644
--- a/configure.in
+++ b/configure.in
@@ -1164,12 +1164,14 @@ AC_SUBST(USE_GSSAPI)
diff --git a/configure.ac b/configure.ac
index 9b7d778..59ba20b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1139,12 +1139,14 @@ AC_SUBST(USE_GSSAPI)
AC_SUBST(DST_GSSAPI_INC)
AC_SUBST(DNS_GSSAPI_LIBS)
DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_LIBS"
@ -309,10 +320,10 @@ index 849fa94..69e6373 100644
#
# was --with-randomdev specified?
@@ -1554,11 +1556,11 @@ fi
@@ -1494,11 +1496,11 @@ AC_ARG_ENABLE(openssl-hash,
AC_MSG_CHECKING(for OpenSSL library)
OPENSSL_WARNING=
openssldirs="/usr /usr/local /usr/local/ssl /usr/pkg /usr/sfw"
openssldirs="/usr /usr/local /usr/local/ssl /opt/local /usr/pkg /usr/sfw"
-if test "yes" = "$want_native_pkcs11"
-then
- use_openssl="native_pkcs11"
@ -326,7 +337,7 @@ index 849fa94..69e6373 100644
if test "auto" = "$use_openssl"
then
@@ -1571,6 +1573,7 @@ then
@@ -1511,6 +1513,7 @@ then
fi
done
fi
@ -334,7 +345,7 @@ index 849fa94..69e6373 100644
OPENSSL_ECDSA=""
OPENSSL_GOST=""
OPENSSL_ED25519=""
@@ -1592,11 +1595,10 @@ case "$with_gost" in
@@ -1532,11 +1535,10 @@ case "$with_gost" in
;;
esac
@ -349,7 +360,7 @@ index 849fa94..69e6373 100644
CRYPTOLIB="pkcs11"
OPENSSLECDSALINKOBJS=""
OPENSSLECDSALINKSRCS=""
@@ -1606,7 +1608,9 @@ case "$use_openssl" in
@@ -1546,7 +1548,9 @@ case "$use_openssl" in
OPENSSLGOSTLINKSRCS=""
OPENSSLLINKOBJS=""
OPENSSLLINKSRCS=""
@ -360,7 +371,7 @@ index 849fa94..69e6373 100644
no)
AC_MSG_RESULT(no)
DST_OPENSSL_INC=""
@@ -1638,7 +1642,7 @@ case "$use_openssl" in
@@ -1578,7 +1582,7 @@ case "$use_openssl" in
If you do not want OpenSSL, use --without-openssl])
;;
*)
@ -369,7 +380,7 @@ index 849fa94..69e6373 100644
then
AC_MSG_RESULT()
AC_MSG_ERROR([OpenSSL and native PKCS11 cannot be used together.])
@@ -2066,6 +2070,7 @@ AC_SUBST(OPENSSL_ED25519)
@@ -2006,6 +2010,7 @@ AC_SUBST(OPENSSL_ED25519)
AC_SUBST(OPENSSL_GOST)
DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DST_OPENSSL_LIBS"
@ -377,7 +388,7 @@ index 849fa94..69e6373 100644
ISC_PLATFORM_WANTAES="#undef ISC_PLATFORM_WANTAES"
if test "yes" = "$with_aes"
@@ -2384,6 +2389,7 @@ esac
@@ -2291,6 +2296,7 @@ esac
AC_SUBST(PKCS11LINKOBJS)
AC_SUBST(PKCS11LINKSRCS)
AC_SUBST(CRYPTO)
@ -385,7 +396,7 @@ index 849fa94..69e6373 100644
AC_SUBST(PKCS11_ECDSA)
AC_SUBST(PKCS11_GOST)
AC_SUBST(PKCS11_ED25519)
@@ -5497,8 +5503,11 @@ AC_CONFIG_FILES([
@@ -5405,8 +5411,11 @@ AC_CONFIG_FILES([
bin/delv/Makefile
bin/dig/Makefile
bin/dnssec/Makefile
@ -397,7 +408,7 @@ index 849fa94..69e6373 100644
bin/nsupdate/Makefile
bin/pkcs11/Makefile
bin/python/Makefile
@@ -5572,6 +5581,10 @@ AC_CONFIG_FILES([
@@ -5479,6 +5488,10 @@ AC_CONFIG_FILES([
lib/dns/include/dns/Makefile
lib/dns/include/dst/Makefile
lib/dns/tests/Makefile
@ -408,7 +419,7 @@ index 849fa94..69e6373 100644
lib/irs/Makefile
lib/irs/include/Makefile
lib/irs/include/irs/Makefile
@@ -5596,6 +5609,24 @@ AC_CONFIG_FILES([
@@ -5503,6 +5516,24 @@ AC_CONFIG_FILES([
lib/isc/unix/include/Makefile
lib/isc/unix/include/isc/Makefile
lib/isc/unix/include/pkcs11/Makefile
@ -447,17 +458,18 @@ index 81270a0..bcb5312 100644
@BIND9_MAKE_RULES@
diff --git a/lib/dns-pkcs11/Makefile.in b/lib/dns-pkcs11/Makefile.in
index 4a8549e..6a19906 100644
index 7f09bd6..c388d9e 100644
--- a/lib/dns-pkcs11/Makefile.in
+++ b/lib/dns-pkcs11/Makefile.in
@@ -26,16 +26,16 @@ VERSION=@BIND9_VERSION@
@@ -26,17 +26,16 @@ VERSION=@BIND9_VERSION@
USE_ISC_SPNEGO = @USE_ISC_SPNEGO@
-CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \
- ${ISC_INCLUDES} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@
- ${ISC_INCLUDES} ${MAXMINDDB_CFLAGS} \
- @DST_OPENSSL_INC@ @DST_GSSAPI_INC@
+CINCLUDES = -I. -I${top_srcdir}/lib/dns-pkcs11 -Iinclude ${DNS_PKCS11_INCLUDES} \
+ ${ISC_PKCS11_INCLUDES} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@
+ ${ISC_PKCS11_INCLUDES} ${MAXMINDDB_CFLAGS} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@
-CDEFINES = -DUSE_MD5 @CRYPTO@ @USE_GSSAPI@ ${USE_ISC_SPNEGO}
+CDEFINES = -DUSE_MD5 @CRYPTO_PK11@ @USE_GSSAPI@ ${USE_ISC_SPNEGO}
@ -470,9 +482,9 @@ index 4a8549e..6a19906 100644
-ISCDEPLIBS = ../../lib/isc/libisc.@A@
+ISCDEPLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@
LIBS = @LIBS@
LIBS = ${MAXMINDDB_LIBS} @LIBS@
@@ -146,15 +146,15 @@ version.@O@: version.c
@@ -150,15 +149,15 @@ version.@O@: version.c
-DLIBAGE=${LIBAGE} \
-c ${srcdir}/version.c
@ -492,13 +504,9 @@ index 4a8549e..6a19906 100644
include: gen
${MAKE} include/dns/enumtype.h
@@ -180,25 +180,25 @@ code.h: gen
./gen -s ${srcdir} > code.h || { rm -f $@ ; exit 1; }
gen: gen.c
- ${BUILD_CC} ${BUILD_CFLAGS} -I${top_srcdir}/lib/isc/include \
+ ${BUILD_CC} ${BUILD_CFLAGS} -I${top_srcdir}/lib/isc-pkcs11/include \
${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c ${BUILD_LIBS}
@@ -189,22 +188,22 @@ gen: gen.c
${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c \
${BUILD_LIBS} ${LFS_LIBS}
-timestamp: include libdns.@A@
+timestamp: include libdns-pkcs11.@A@
@ -523,9 +531,9 @@ index 4a8549e..6a19906 100644
+ rm -f libdns-pkcs11.@A@ timestamp
rm -f gen code.h include/dns/enumtype.h include/dns/enumclass.h
rm -f include/dns/rdatastruct.h
rm -f dnstap.pb-c.c dnstap.pb-c.h include/dns/dnstap.pb-c.h
rm -f dnstap.pb-c.c dnstap.pb-c.h
diff --git a/lib/isc-pkcs11/Makefile.in b/lib/isc-pkcs11/Makefile.in
index ba53ef1..d1f1771 100644
index 8ad54bb..a3ecdfb 100644
--- a/lib/isc-pkcs11/Makefile.in
+++ b/lib/isc-pkcs11/Makefile.in
@@ -23,8 +23,8 @@ CINCLUDES = -I${srcdir}/unix/include \
@ -539,7 +547,7 @@ index ba53ef1..d1f1771 100644
CWARNINGS =
# Alphabetically
@@ -107,40 +107,40 @@ version.@O@: version.c
@@ -103,40 +103,40 @@ version.@O@: version.c
-DLIBAGE=${LIBAGE} \
-c ${srcdir}/version.c

70
bind-9.10-sdb.patch
View File

@ -14,7 +14,7 @@ index ce7a2da..4e6a824 100644
@BIND9_MAKE_RULES@
diff --git a/bin/named-sdb/Makefile.in b/bin/named-sdb/Makefile.in
index 6d2bfd1..d3f42e8 100644
index 4cfed4d..c6b42b2 100644
--- a/bin/named-sdb/Makefile.in
+++ b/bin/named-sdb/Makefile.in
@@ -30,10 +30,10 @@ VERSION=@BIND9_VERSION@
@ -31,16 +31,16 @@ index 6d2bfd1..d3f42e8 100644
DLZ_DRIVER_DIR = ${top_srcdir}/contrib/dlz/drivers
@@ -79,7 +79,7 @@ NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
@@ -80,7 +80,7 @@ NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
SUBDIRS = unix
-TARGETS = named@EXEEXT@ lwresd@EXEEXT@
+TARGETS = named-sdb@EXEEXT@
-TARGETS = named@EXEEXT@ lwresd@EXEEXT@ feature-test@EXEEXT@
+TARGETS = named-sdb@EXEEXT@ feature-test-sdb@EXEEXT@
GEOIPLINKOBJS = geoip.@O@
@@ -146,7 +146,7 @@ server.@O@: server.c
GEOIP2LINKOBJS = geoip.@O@
@@ -154,7 +154,7 @@ server.@O@: server.c
-DPRODUCT=\"${PRODUCT}\" \
-DVERSION=\"${VERSION}\" -c ${srcdir}/server.c
@ -49,7 +49,16 @@ index 6d2bfd1..d3f42e8 100644
export MAKE_SYMTABLE="yes"; \
export BASEOBJS="${OBJS} ${UOBJS}"; \
${FINALBUILDCMD}
@@ -173,8 +173,6 @@ statschannel.@O@: bind9.xsl.h
@@ -168,7 +168,7 @@ feature-test.@O@: ${top_srcdir}/bin/tests/system/feature-test.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-c ${top_srcdir}/bin/tests/system/feature-test.c
-feature-test@EXEEXT@: feature-test.@O@
+feature-test-sdb@EXEEXT@: feature-test.@O@
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} \
-o $@ feature-test.@O@ ${ISCLIBS} ${LIBS}
@@ -190,8 +190,6 @@ statschannel.@O@: bind9.xsl.h
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
@ -58,7 +67,7 @@ index 6d2bfd1..d3f42e8 100644
install-man5: named.conf.5
${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man5
@@ -184,16 +182,11 @@ install-man8: named.8 lwresd.8
@@ -201,16 +199,11 @@ install-man8: named.8 lwresd.8
install-man: install-man5 install-man8
@ -79,10 +88,10 @@ index 6d2bfd1..d3f42e8 100644
@DLZ_DRIVER_RULES@
diff --git a/bin/named-sdb/main.c b/bin/named-sdb/main.c
index bb639d9..555c4d9 100644
index c9fc3cc..148ebb3 100644
--- a/bin/named-sdb/main.c
+++ b/bin/named-sdb/main.c
@@ -91,6 +91,10 @@
@@ -97,6 +97,10 @@
* Include header files for database drivers here.
*/
/* #include "xxdb.h" */
@ -93,7 +102,7 @@ index bb639d9..555c4d9 100644
#ifdef CONTRIB_DLZ
/*
@@ -1061,6 +1065,11 @@ setup(void) {
@@ -1134,6 +1138,11 @@ setup(void) {
ns_main_earlyfatal("isc_app_start() failed: %s",
isc_result_totext(result));
@ -105,7 +114,7 @@ index bb639d9..555c4d9 100644
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
ISC_LOG_NOTICE, "starting %s %s%s%s <id:%s>",
ns_g_product, ns_g_version,
@@ -1261,6 +1270,75 @@ setup(void) {
@@ -1334,6 +1343,75 @@ setup(void) {
isc_result_totext(result));
#endif
@ -181,7 +190,7 @@ index bb639d9..555c4d9 100644
ns_server_create(ns_g_mctx, &ns_g_server);
#ifdef HAVE_LIBSECCOMP
@@ -1303,6 +1381,11 @@ cleanup(void) {
@@ -1376,6 +1454,11 @@ cleanup(void) {
dns_name_destroy();
@ -194,22 +203,23 @@ index bb639d9..555c4d9 100644
ISC_LOG_NOTICE, "exiting");
ns_log_shutdown();
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
index 6d2bfd1..86f8587 100644
index 4cfed4d..f4bce7b 100644
--- a/bin/named/Makefile.in
+++ b/bin/named/Makefile.in
@@ -45,9 +45,9 @@ DLZDRIVER_LIBS = @DLZ_DRIVER_LIBS@
@@ -45,10 +45,10 @@ DLZDRIVER_LIBS = @DLZ_DRIVER_LIBS@
CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \
${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \
- ${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} @DST_OPENSSL_INC@
+ @DST_OPENSSL_INC@
- ${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} ${MAXMINDDB_CFLAGS} \
+ ${MAXMINDDB_CFLAGS} \
@DST_OPENSSL_INC@
-CDEFINES = @CONTRIB_DLZ@ @CRYPTO@
+CDEFINES = @CRYPTO@
-CDEFINES = @CONTRIB_DLZ@ @USE_GSSAPI@ @CRYPTO@
+CDEFINES = @USE_GSSAPI@ @CRYPTO@
CWARNINGS =
@@ -71,11 +71,11 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
@@ -72,11 +72,11 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} \
@ -223,7 +233,7 @@ index 6d2bfd1..86f8587 100644
SUBDIRS = unix
@@ -90,8 +90,7 @@ OBJS = builtin.@O@ client.@O@ config.@O@ control.@O@ \
@@ -94,8 +94,7 @@ OBJS = builtin.@O@ client.@O@ config.@O@ control.@O@ \
tkeyconf.@O@ tsigconf.@O@ update.@O@ xfrout.@O@ \
zoneconf.@O@ \
lwaddr.@O@ lwresd.@O@ lwdclient.@O@ lwderror.@O@ lwdgabn.@O@ \
@ -233,7 +243,7 @@ index 6d2bfd1..86f8587 100644
UOBJS = unix/os.@O@ unix/dlz_dlopen_driver.@O@
@@ -106,8 +105,7 @@ SRCS = builtin.c client.c config.c control.c \
@@ -113,8 +112,7 @@ SRCS = builtin.c client.c config.c control.c \
tkeyconf.c tsigconf.c update.c xfrout.c \
zoneconf.c \
lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \
@ -243,7 +253,7 @@ index 6d2bfd1..86f8587 100644
MANPAGES = named.8 lwresd.8 named.conf.5
@@ -195,7 +193,5 @@ uninstall::
@@ -212,7 +210,5 @@ uninstall::
rm -f ${DESTDIR}${sbindir}/lwresd@EXEEXT@
${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named@EXEEXT@
@ -286,11 +296,11 @@ index c7e0868..95ab742 100644
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zonetodb@EXEEXT@ ${DESTDIR}${sbindir}
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2sqlite@EXEEXT@ ${DESTDIR}${sbindir}
${INSTALL_DATA} ${srcdir}/zone2ldap.1 ${DESTDIR}${mandir}/man1/zone2ldap.1
diff --git a/configure.in b/configure.in
index 62536a6..f571a4f 100644
--- a/configure.in
+++ b/configure.in
@@ -5445,6 +5445,8 @@ AC_CONFIG_FILES([
diff --git a/configure.ac b/configure.ac
index f85f45f..7d28c52 100644
--- a/configure.ac
+++ b/configure.ac
@@ -5400,6 +5400,8 @@ AC_CONFIG_FILES([
bin/named/unix/Makefile
bin/named-pkcs11/Makefile
bin/named-pkcs11/unix/Makefile
@ -299,9 +309,9 @@ index 62536a6..f571a4f 100644
bin/nsupdate/Makefile
bin/pkcs11/Makefile
bin/python/Makefile
@@ -5469,6 +5471,7 @@ AC_CONFIG_FILES([
bin/python/isc/tests/dnskey_test.py
@@ -5424,6 +5426,7 @@ AC_CONFIG_FILES([
bin/python/isc/tests/policy_test.py
bin/python/isc/utils.py
bin/rndc/Makefile
+ bin/sdb_tools/Makefile
bin/tests/Makefile

27
bind-9.11-engine-pkcs11.patch Normal file
View File

@ -0,0 +1,27 @@
From 37f89ccfc439f8d86c401d9ae10e94e53b924961 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Tue, 27 Aug 2019 20:39:59 +0200
Subject: [PATCH] Do not set engine for native PKCS11
It resets already set lib_path to pkcs11, which is invalid in native
pkcs11 crypto. Engine has to be path to PKCS#11 module.
---
bin/named/include/named/globals.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bin/named/include/named/globals.h b/bin/named/include/named/globals.h
index eda2214..2a611d5 100644
--- a/bin/named/include/named/globals.h
+++ b/bin/named/include/named/globals.h
@@ -160,7 +160,7 @@ EXTERN const char * ns_g_defaultdnstap INIT(NULL);
EXTERN const char * ns_g_username INIT(NULL);
-#if defined(USE_PKCS11)
+#if defined(USE_PKCS11) && !defined(PKCS11CRYPTO)
EXTERN const char * ns_g_engine INIT(PKCS11_ENGINE);
#else
EXTERN const char * ns_g_engine INIT(NULL);
--
2.20.1

14
bind-9.11-export-suffix.patch
View File

@ -1,8 +1,8 @@
diff --git a/configure.in b/configure.in
index e6cd6a4..988b0a7 100644
--- a/configure.in
+++ b/configure.in
@@ -5116,6 +5116,8 @@ AC_SUBST(BUILD_CPPFLAGS)
diff --git a/configure.ac b/configure.ac
index c1bfd62..7c5ad51 100644
--- a/configure.ac
+++ b/configure.ac
@@ -5333,6 +5333,8 @@ AC_SUBST(BUILD_CPPFLAGS)
AC_SUBST(BUILD_LDFLAGS)
AC_SUBST(BUILD_LIBS)
@ -12,10 +12,10 @@ index e6cd6a4..988b0a7 100644
# Commands to run at the end of config.status.
# Don't just put these into configure, it won't work right if somebody
diff --git a/isc-config.sh.in b/isc-config.sh.in
index 110191a..5a64004 100644
index b5e94ed..d2857e0 100644
--- a/isc-config.sh.in
+++ b/isc-config.sh.in
@@ -12,16 +12,17 @@ prefix=@prefix@
@@ -13,16 +13,17 @@ prefix=@prefix@
exec_prefix=@exec_prefix@
exec_prefix_set=
includedir=@includedir@

71
bind-9.11-feature-test-named.patch Normal file
View File

@ -0,0 +1,71 @@
From 3f2fafe5368655225eddf0537e58e425bbc297be Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Wed, 30 Jan 2019 14:37:17 +0100
Subject: [PATCH] Create feature-test in source directory
Feature-test tool is used in system tests to test compiled in changes.
Because we build more variants of named with different configuration,
compile feature-test for each of them this way.
Named variant specific feature-test does not have defined gss support,
even when it was enabled by configure. bin/tests/system Makefile defines
it, so define it also in named variants.
---
bin/named/Makefile.in | 13 +++++++++++--
bin/tests/system/conf.sh.in | 2 +-
2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
index 3166368..70e5571 100644
--- a/bin/named/Makefile.in
+++ b/bin/named/Makefile.in
@@ -48,7 +48,7 @@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} ${MAXMINDDB_CFLAGS} \
@DST_OPENSSL_INC@
-CDEFINES = @CONTRIB_DLZ@ @USE_PKCS11@ @PKCS11_ENGINE@ @CRYPTO@
+CDEFINES = @CONTRIB_DLZ@ @USE_PKCS11@ @PKCS11_ENGINE@ @USE_GSSAPI@ @CRYPTO@
CWARNINGS =
@@ -80,7 +80,7 @@ NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
SUBDIRS = unix
-TARGETS = named@EXEEXT@ lwresd@EXEEXT@
+TARGETS = named@EXEEXT@ lwresd@EXEEXT@ feature-test@EXEEXT@
GEOIPLINKOBJS = geoip.@O@
GEOIP2LINKOBJS = geoip.@O@
@@ -163,6 +163,15 @@ lwresd@EXEEXT@: named@EXEEXT@
rm -f lwresd@EXEEXT@
@LN@ named@EXEEXT@ lwresd@EXEEXT@
+# Bit of hack, do not produce intermediate .o object for featuretest
+feature-test.@O@: ${top_srcdir}/bin/tests/system/feature-test.c
+ ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+ -c ${top_srcdir}/bin/tests/system/feature-test.c
+
+feature-test@EXEEXT@: feature-test.@O@
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} \
+ -o $@ feature-test.@O@ ${ISCLIBS} ${LIBS}
+
doc man:: ${MANOBJS}
docclean manclean maintainer-clean::
diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in
index cedabbe..e1bf5da 100644
--- a/bin/tests/system/conf.sh.in
+++ b/bin/tests/system/conf.sh.in
@@ -71,7 +71,7 @@ DNSTAPREAD=$TOP/bin/tools/dnstap-read
MDIG=$TOP/bin/tools/mdig
NZD2NZF=$TOP/bin/tools/named-nzd2nzf
FSTRM_CAPTURE=@FSTRM_CAPTURE@
-FEATURETEST=$TOP/bin/tests/system/feature-test
+FEATURETEST=$TOP/bin/named/feature-test
RANDFILE=$TOP/bin/tests/system/random.data
--
2.20.1

535
bind-9.11-fips-code.patch
View File

File diff suppressed because it is too large Load Diff

121
bind-9.11-fips-disable.patch Normal file
View File

@ -0,0 +1,121 @@
From 83b889c238282b210f874a3ad81bb56299767495 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Mon, 5 Aug 2019 11:54:03 +0200
Subject: [PATCH] Allow explicit disabling of autodisabled MD5
Default security policy might include explicitly disabled RSAMD5
algorithm. Current FIPS code automatically disables in FIPS mode. But if
RSAMD5 is included in security policy, it fails to start, because that
algorithm is not recognized. Allow it disabled, but fail on any
other usage.
---
bin/named/server.c | 4 ++--
lib/bind9/check.c | 4 ++++
lib/dns/rcode.c | 33 +++++++++++++++------------------
3 files changed, 21 insertions(+), 20 deletions(-)
diff --git a/bin/named/server.c b/bin/named/server.c
index 5b57371..51702ab 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -1547,12 +1547,12 @@ disable_algorithms(const cfg_obj_t *disabled, dns_resolver_t *resolver) {
r.length = strlen(r.base);
result = dns_secalg_fromtext(&alg, &r);
- if (result != ISC_R_SUCCESS) {
+ if (result != ISC_R_SUCCESS && result != ISC_R_DISABLED) {
uint8_t ui;
result = isc_parse_uint8(&ui, r.base, 10);
alg = ui;
}
- if (result != ISC_R_SUCCESS) {
+ if (result != ISC_R_SUCCESS && result != ISC_R_DISABLED) {
cfg_obj_log(cfg_listelt_value(element),
ns_g_lctx, ISC_LOG_ERROR,
"invalid algorithm");
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index e0803d4..8023784 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -302,6 +302,10 @@ disabled_algorithms(const cfg_obj_t *disabled, isc_log_t *logctx) {
r.length = strlen(r.base);
tresult = dns_secalg_fromtext(&alg, &r);
+ if (tresult == ISC_R_DISABLED) {
+ // Recognize disabled algorithms, disable it explicitly
+ tresult = ISC_R_SUCCESS;
+ }
if (tresult != ISC_R_SUCCESS) {
cfg_obj_log(cfg_listelt_value(element), logctx,
ISC_LOG_ERROR, "invalid algorithm '%s'",
diff --git a/lib/dns/rcode.c b/lib/dns/rcode.c
index f51d548..c49b8d1 100644
--- a/lib/dns/rcode.c
+++ b/lib/dns/rcode.c
@@ -126,7 +126,6 @@
#endif
#define SECALGNAMES \
- MD5_SECALGNAMES \
DH_SECALGNAMES \
DSA_SECALGNAMES \
{ DNS_KEYALG_ECC, "ECC", 0 }, \
@@ -178,6 +177,7 @@ static struct tbl rcodes[] = { RCODENAMES ERCODENAMES };
static struct tbl tsigrcodes[] = { RCODENAMES TSIGRCODENAMES };
static struct tbl certs[] = { CERTNAMES };
static struct tbl secalgs[] = { SECALGNAMES };
+static struct tbl md5_secalgs[] = { MD5_SECALGNAMES };
static struct tbl secprotos[] = { SECPROTONAMES };
static struct tbl hashalgs[] = { HASHALGNAMES };
static struct tbl dsdigests[] = { DSDIGESTNAMES };
@@ -358,33 +358,30 @@ dns_cert_totext(dns_cert_t cert, isc_buffer_t *target) {
return (dns_mnemonic_totext(cert, target, certs));
}
-static inline struct tbl *
-secalgs_tbl_start() {
- struct tbl *algs = secalgs;
-
-#ifndef PK11_MD5_DISABLE
- if (!isc_md5_available()) {
- while (algs->name != NULL &&
- algs->value == DNS_KEYALG_RSAMD5)
- ++algs;
- }
-#endif
- return algs;
-}
-
isc_result_t
dns_secalg_fromtext(dns_secalg_t *secalgp, isc_textregion_t *source) {
unsigned int value;
+ isc_result_t result;
- RETERR(dns_mnemonic_fromtext(&value, source,
- secalgs_tbl_start(), 0xff));
+ result = dns_mnemonic_fromtext(&value, source,
+ secalgs, 0xff);
+ if (result != ISC_R_SUCCESS) {
+ result = dns_mnemonic_fromtext(&value, source,
+ md5_secalgs, 0xff);
+ if (result != ISC_R_SUCCESS) {
+ return (result);
+ } else if (!isc_md5_available()) {
+ *secalgp = value;
+ return (ISC_R_DISABLED);
+ }
+ }
*secalgp = value;
return (ISC_R_SUCCESS);
}
isc_result_t
dns_secalg_totext(dns_secalg_t secalg, isc_buffer_t *target) {
- return (dns_mnemonic_totext(secalg, target, secalgs_tbl_start()));
+ return (dns_mnemonic_totext(secalg, target, secalgs));
}
void
--
2.20.1

659
bind-9.11-fips-tests.patch
View File

File diff suppressed because it is too large Load Diff

40
bind-9.11-host-idn-disable.patch
View File

@ -1,4 +1,4 @@
From 145fac914bf47128307aea702fed7eb74b65cadd Mon Sep 17 00:00:00 2001
From ec50eff97c259b5bfbfa4e050d69fe7b39b0f15a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Tue, 25 Sep 2018 18:08:46 +0200
Subject: [PATCH] Disable IDN from environment as documented
@ -12,16 +12,16 @@ Support variable CHARSET=ASCII to disable IDN, supported in downstream
RH patch since RHEL 5.
---
bin/dig/dig.docbook | 4 +++-
bin/dig/dighost.c | 9 +++++++--
bin/dig/dighost.c | 5 +++++
bin/dig/host.docbook | 2 +-
bin/dig/nslookup.docbook | 15 +++++++++++++++
4 files changed, 26 insertions(+), 4 deletions(-)
4 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/bin/dig/dig.docbook b/bin/dig/dig.docbook
index fedd288..d5dba72 100644
index 5d19301..933af79 100644
--- a/bin/dig/dig.docbook
+++ b/bin/dig/dig.docbook
@@ -1288,7 +1288,9 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
@@ -1312,7 +1312,9 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
reply from the server.
If you'd like to turn off the IDN support for some reason, use
parameters <parameter>+noidnin</parameter> and
@ -33,34 +33,26 @@ index fedd288..d5dba72 100644
</refsection>
diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
index 7408193..d46379d 100644
index 5eabc1f..73aaab8 100644
--- a/bin/dig/dighost.c
+++ b/bin/dig/dighost.c
@@ -822,12 +822,17 @@ make_empty_lookup(void) {
looknew->seenbadcookie = ISC_FALSE;
looknew->badcookie = ISC_TRUE;
@@ -826,6 +826,11 @@ make_empty_lookup(void) {
looknew->badcookie = true;
#ifdef WITH_IDN_SUPPORT
- looknew->idnin = ISC_TRUE;
+ looknew->idnin = (getenv("IDN_DISABLE") == NULL);
looknew->idnin = isatty(1)?(getenv("IDN_DISABLE") == NULL):false;
+ if (looknew->idnin) {
+ const char *charset = getenv("CHARSET");
+ if (charset && !strcmp(charset, "ASCII"))
+ looknew->idnin = ISC_FALSE;
+ looknew->idnin = false;
+ }
#else
looknew->idnin = ISC_FALSE;
#endif
#ifdef WITH_IDN_OUT_SUPPORT
- looknew->idnout = ISC_TRUE;
+ looknew->idnout = looknew->idnin;
#else
looknew->idnout = ISC_FALSE;
looknew->idnin = false;
#endif
diff --git a/bin/dig/host.docbook b/bin/dig/host.docbook
index 9c3aeaa..42cbbf9 100644
index da0f8fb..9689b5a 100644
--- a/bin/dig/host.docbook
+++ b/bin/dig/host.docbook
@@ -378,7 +378,7 @@
@@ -379,7 +379,7 @@
<command>host</command> appropriately converts character encoding of
domain name before sending a request to DNS server or displaying a
reply from the server.
@ -70,10 +62,10 @@ index 9c3aeaa..42cbbf9 100644
The IDN support is disabled if the variable is set when
<command>host</command> runs.
diff --git a/bin/dig/nslookup.docbook b/bin/dig/nslookup.docbook
index 3aff4e9..86a09c6 100644
index d46fc2d..6d7d181 100644
--- a/bin/dig/nslookup.docbook
+++ b/bin/dig/nslookup.docbook
@@ -478,6 +478,21 @@ nslookup -query=hinfo -timeout=10
@@ -495,6 +495,21 @@ nslookup -query=hinfo -timeout=10
</para>
</refsection>
@ -96,5 +88,5 @@ index 3aff4e9..86a09c6 100644
<para><filename>/etc/resolv.conf</filename>
--
2.14.4
2.20.1

50
bind-9.11-json-c.patch Normal file
View File

@ -0,0 +1,50 @@
From cb6d2019766a6c8c5516fd8859cedf0052f03293 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Thu, 25 Jul 2019 11:37:57 +0200
Subject: [PATCH] Skip support of jsoncpp
Bind cannot be compiled when jsoncpp-devel is installed. Remove support
for jsoncpp, use only json-c-devel. Bind 9.15 has already support for
--with-json-c, do not yet introduce it.
---
configure.ac | 17 ++---------------
1 file changed, 2 insertions(+), 15 deletions(-)
diff --git a/configure.ac b/configure.ac
index 6d05337..5ce83b5 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2594,15 +2594,7 @@ case "$use_libjson" in
auto|yes)
for d in /usr /usr/local /opt/local
do
- if test -f "${d}/include/json/json.h"
- then
- if test ${d} != /usr
- then
- libjson_cflags="-I ${d}/include"
- LIBS="$LIBS -L${d}/lib"
- fi
- have_libjson="yes"
- elif test -f "${d}/include/json-c/json.h"
+ if test -f "${d}/include/json-c/json.h"
then
if test ${d} != /usr
then
@@ -2615,12 +2607,7 @@ case "$use_libjson" in
done
;;
*)
- if test -f "${use_libjson}/include/json/json.h"
- then
- libjson_cflags="-I${use_libjson}/include"
- LIBS="$LIBS -L${use_libjson}/lib"
- have_libjson="yes"
- elif test -f "${use_libjson}/include/json-c/json.h"
+ if test -f "${use_libjson}/include/json-c/json.h"
then
libjson_cflags="-I${use_libjson}/include"
LIBS="$LIBS -L${use_libjson}/lib"
--
2.20.1

108
bind-9.11-kyua-pkcs11.patch
View File

@ -1,4 +1,4 @@
From d0433a314534e104f52acf2a0a96a68dd84305ae Mon Sep 17 00:00:00 2001
From a9b5785f174cf7fd74891fa64f6b69b9a9b55466 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Tue, 2 Jan 2018 18:13:07 +0100
Subject: [PATCH] Fix pkcs11 variants atf tests
@ -7,20 +7,19 @@ Add dns-pkcs11 tests Makefile to configure
Add pkcs11 Kyuafile, fix dh_test to pass in pkcs11 mode
---
configure.in | 1 +
lib/Atffile | 2 ++
configure.ac | 1 +
lib/Kyuafile | 2 ++
lib/dns-pkcs11/tests/Makefile.in | 10 +++++-----
lib/dns-pkcs11/tests/dh_test.c | 3 ++-
lib/isc-pkcs11/tests/Makefile.in | 6 +++---
lib/isc-pkcs11/tests/hash_test.c | 32 +++++++++++++++++++++++++-------
7 files changed, 40 insertions(+), 16 deletions(-)
6 files changed, 38 insertions(+), 16 deletions(-)
diff --git a/configure.in b/configure.in
index 67b3aab..4767eeb 100644
--- a/configure.in
+++ b/configure.in
@@ -5579,6 +5579,7 @@ AC_CONFIG_FILES([
diff --git a/configure.ac b/configure.ac
index 62ecf56..0940a7d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -5476,6 +5476,7 @@ AC_CONFIG_FILES([
lib/dns-pkcs11/include/Makefile
lib/dns-pkcs11/include/dns/Makefile
lib/dns-pkcs11/include/dst/Makefile
@ -28,25 +27,11 @@ index 67b3aab..4767eeb 100644
lib/irs/Makefile
lib/irs/include/Makefile
lib/irs/include/irs/Makefile
diff --git a/lib/Atffile b/lib/Atffile
index 93bbb01..4db3dce 100644
--- a/lib/Atffile
+++ b/lib/Atffile
@@ -3,7 +3,9 @@ Content-Type: application/X-atf-atffile; version="1"
prop: test-suite = bind9
tp: dns
+tp: dns-pkcs11
tp: irs
tp: isc
+tp: isc-pkcs11
tp: isccfg
tp: lwres
diff --git a/lib/Kyuafile b/lib/Kyuafile
index ff9fc56..eaaf0dc 100644
index 7c8bab0..eec9564 100644
--- a/lib/Kyuafile
+++ b/lib/Kyuafile
@@ -2,7 +2,9 @@ syntax(2)
@@ -2,8 +2,10 @@ syntax(2)
test_suite('bind9')
include('dns/Kyuafile')
@ -54,67 +39,68 @@ index ff9fc56..eaaf0dc 100644
include('irs/Kyuafile')
include('isc/Kyuafile')
+include('isc-pkcs11/Kyuafile')
include('isccc/Kyuafile')
include('isccfg/Kyuafile')
include('lwres/Kyuafile')
diff --git a/lib/dns-pkcs11/tests/Makefile.in b/lib/dns-pkcs11/tests/Makefile.in
index 2a6571b..f25a784 100644
index 22a06a8..5df5b15 100644
--- a/lib/dns-pkcs11/tests/Makefile.in
+++ b/lib/dns-pkcs11/tests/Makefile.in
@@ -20,12 +20,12 @@ VERSION=@BIND9_VERSION@
@@ -17,12 +17,12 @@ VERSION=@BIND9_VERSION@
CINCLUDES = -I. -Iinclude ${DNS_INCLUDES} ${ISC_INCLUDES} \
@DST_OPENSSL_INC@
@DST_OPENSSL_INC@ ${MAXMINDDB_CFLAGS}
-CDEFINES = @CRYPTO@ -DTESTS="\"${top_builddir}/lib/dns/tests/\""
+CDEFINES = @CRYPTO@ -DTESTS="\"${top_builddir}/lib/dns-pkcs11/tests/\""
+CDEFINES = @CRYPTO_PK11@ -DTESTS="\"${top_builddir}/lib/dns-pkcs11/tests/\""
-ISCLIBS = ../../isc/libisc.@A@
-ISCDEPLIBS = ../../isc/libisc.@A@
-DNSLIBS = ../libdns.@A@ @DNS_CRYPTO_LIBS@
-DNSLIBS = ../libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
-DNSDEPLIBS = ../libdns.@A@
+ISCLIBS = ../../isc-pkcs11/libisc-pkcs11.@A@
+ISCDEPLIBS = ../../isc-pkcs11/libisc-pkcs11.@A@
+DNSLIBS = ../libdns-pkcs11.@A@ @DNS_CRYPTO_LIBS@
+DNSLIBS = ../libdns-pkcs11.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
+DNSDEPLIBS = ../libdns-pkcs11.@A@
LIBS = @LIBS@ @ATFLIBS@
LIBS = @LIBS@ @CMOCKA_LIBS@
CFLAGS = @CFLAGS@ @CMOCKA_CFLAGS@
diff --git a/lib/dns-pkcs11/tests/dh_test.c b/lib/dns-pkcs11/tests/dh_test.c
index 036d27a..eb6554f 100644
index a5bf46c..9ff2b76 100644
--- a/lib/dns-pkcs11/tests/dh_test.c
+++ b/lib/dns-pkcs11/tests/dh_test.c
@@ -63,7 +63,8 @@ ATF_TC_BODY(isc_dh_computesecret, tc) {
ret = dst_key_computesecret(key, key, &buf);
ATF_REQUIRE_EQ(ret, DST_R_NOTPRIVATEKEY);
ret = key->func->computesecret(key, key, &buf);
- ATF_REQUIRE_EQ(ret, DST_R_COMPUTESECRETFAILURE);
@@ -88,7 +88,8 @@ dh_computesecret(void **state) {
result = dst_key_computesecret(key, key, &buf);
assert_int_equal(result, DST_R_NOTPRIVATEKEY);
result = key->func->computesecret(key, key, &buf);
- assert_int_equal(result, DST_R_COMPUTESECRETFAILURE);
+ /* PKCS11 variant gives different result, accept both */
+ ATF_REQUIRE(ret == DST_R_COMPUTESECRETFAILURE || ret == DST_R_INVALIDPRIVATEKEY);
+ assert_true(result == DST_R_COMPUTESECRETFAILURE || result == DST_R_INVALIDPRIVATEKEY);
dst_key_free(&key);
dns_test_end();
}
diff --git a/lib/isc-pkcs11/tests/Makefile.in b/lib/isc-pkcs11/tests/Makefile.in
index f7fa538..818dae4 100644
index 36d2207..00dfbc9 100644
--- a/lib/isc-pkcs11/tests/Makefile.in
+++ b/lib/isc-pkcs11/tests/Makefile.in
@@ -17,10 +17,10 @@ VERSION=@BIND9_VERSION@
@@ -16,10 +16,10 @@ VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@
CINCLUDES = -I. -Iinclude ${ISC_INCLUDES} @ISC_OPENSSL_INC@
-CDEFINES = @CRYPTO@ -DTESTS="\"${top_builddir}/lib/isc/tests/\""
+CDEFINES = @CRYPTO@ -DTESTS="\"${top_builddir}/lib/isc-pkcs11/tests/\""
+CDEFINES = @CRYPTO_PK11@ -DTESTS="\"${top_builddir}/lib/isc-pkcs11/tests/\""
-ISCLIBS = ../libisc.@A@ @ISC_OPENSSL_LIBS@
-ISCDEPLIBS = ../libisc.@A@
+ISCLIBS = ../libisc-pkcs11.@A@ @ISC_OPENSSL_LIBS@
+ISCDEPLIBS = ../libisc-pkcs11.@A@
LIBS = @LIBS@ @ATFLIBS@
LIBS = @LIBS@ @CMOCKA_LIBS@
CFLAGS = @CFLAGS@ @CMOCKA_CFLAGS@
diff --git a/lib/isc-pkcs11/tests/hash_test.c b/lib/isc-pkcs11/tests/hash_test.c
index 5b8a374..c1891c2 100644
index 4fafc38..5eb2be2 100644
--- a/lib/isc-pkcs11/tests/hash_test.c
+++ b/lib/isc-pkcs11/tests/hash_test.c
@@ -74,7 +74,7 @@ typedef struct hash_testcase {
@@ -84,7 +84,7 @@ typedef struct hash_testcase {
typedef struct hash_test_key {
const char *key;
@ -123,7 +109,7 @@ index 5b8a374..c1891c2 100644
} hash_test_key_t;
/* non-hmac tests */
@@ -957,8 +957,11 @@ ATF_TC_BODY(isc_hmacsha1, tc) {
@@ -955,8 +955,11 @@ isc_hmacsha1_test(void **state) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
@ -134,9 +120,9 @@ index 5b8a374..c1891c2 100644
- isc_hmacsha1_init(&hmacsha1, buffer, test_key->len);
+ isc_hmacsha1_init(&hmacsha1, buffer, len);
isc_hmacsha1_update(&hmacsha1,
(const isc_uint8_t *) testcase->input,
(const uint8_t *) testcase->input,
testcase->input_len);
@@ -1120,8 +1123,11 @@ ATF_TC_BODY(isc_hmacsha224, tc) {
@@ -1115,8 +1118,11 @@ isc_hmacsha224_test(void **state) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
@ -147,9 +133,9 @@ index 5b8a374..c1891c2 100644
- isc_hmacsha224_init(&hmacsha224, buffer, test_key->len);
+ isc_hmacsha224_init(&hmacsha224, buffer, len);
isc_hmacsha224_update(&hmacsha224,
(const isc_uint8_t *) testcase->input,
(const uint8_t *) testcase->input,
testcase->input_len);
@@ -1283,8 +1289,11 @@ ATF_TC_BODY(isc_hmacsha256, tc) {
@@ -1276,8 +1282,11 @@ isc_hmacsha256_test(void **state) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
@ -160,9 +146,9 @@ index 5b8a374..c1891c2 100644
- isc_hmacsha256_init(&hmacsha256, buffer, test_key->len);
+ isc_hmacsha256_init(&hmacsha256, buffer, len);
isc_hmacsha256_update(&hmacsha256,
(const isc_uint8_t *) testcase->input,
(const uint8_t *) testcase->input,
testcase->input_len);
@@ -1452,8 +1461,11 @@ ATF_TC_BODY(isc_hmacsha384, tc) {
@@ -1443,8 +1452,11 @@ isc_hmacsha384_test(void **state) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
@ -173,9 +159,9 @@ index 5b8a374..c1891c2 100644
- isc_hmacsha384_init(&hmacsha384, buffer, test_key->len);
+ isc_hmacsha384_init(&hmacsha384, buffer, len);
isc_hmacsha384_update(&hmacsha384,
(const isc_uint8_t *) testcase->input,
(const uint8_t *) testcase->input,
testcase->input_len);
@@ -1621,8 +1633,11 @@ ATF_TC_BODY(isc_hmacsha512, tc) {
@@ -1610,8 +1622,11 @@ isc_hmacsha512_test(void **state) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
@ -186,9 +172,9 @@ index 5b8a374..c1891c2 100644
- isc_hmacsha512_init(&hmacsha512, buffer, test_key->len);
+ isc_hmacsha512_init(&hmacsha512, buffer, len);
isc_hmacsha512_update(&hmacsha512,
(const isc_uint8_t *) testcase->input,
(const uint8_t *) testcase->input,
testcase->input_len);
@@ -1765,8 +1780,11 @@ ATF_TC_BODY(isc_hmacmd5, tc) {
@@ -1754,8 +1769,11 @@ isc_hmacmd5_test(void **state) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
@ -199,8 +185,8 @@ index 5b8a374..c1891c2 100644
- isc_hmacmd5_init(&hmacmd5, buffer, test_key->len);
+ isc_hmacmd5_init(&hmacmd5, buffer, len);
isc_hmacmd5_update(&hmacmd5,
(const isc_uint8_t *) testcase->input,
(const uint8_t *) testcase->input,
testcase->input_len);
--
2.14.3
2.21.1

34
bind-9.11-oot-manual.patch
View File

@ -1,4 +1,4 @@
From e462d022a9dc52c40aece6f8ba3123ff3ffa59ed Mon Sep 17 00:00:00 2001
From 8ca95f47231822df2b9c171a4da1e93ca5b748eb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Wed, 25 Jul 2018 12:24:16 +0200
Subject: [PATCH] Use make automatic variables to install updated manuals
@ -19,7 +19,7 @@ Install all files in single command instead of iterating on each of them.
9 files changed, 54 insertions(+), 38 deletions(-)
diff --git a/bin/check/Makefile.in b/bin/check/Makefile.in
index 12f48d2d23..d8eac4c714 100644
index c124e80..1174f8d 100644
--- a/bin/check/Makefile.in
+++ b/bin/check/Makefile.in
@@ -83,12 +83,14 @@ installdirs:
@ -35,13 +35,13 @@ index 12f48d2d23..d8eac4c714 100644
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkconf@EXEEXT@ ${DESTDIR}${sbindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkzone@EXEEXT@ ${DESTDIR}${sbindir}
(cd ${DESTDIR}${sbindir}; rm -f named-compilezone@EXEEXT@; ${LINK_PROGRAM} named-checkzone@EXEEXT@ named-compilezone@EXEEXT@)
- for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8; done
- for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8 || exit 1; done
- (cd ${DESTDIR}${mandir}/man8; rm -f named-compilezone.8; ${LINK_PROGRAM} named-checkzone.8 named-compilezone.8)
uninstall::
rm -f ${DESTDIR}${mandir}/man8/named-compilezone.8
diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in
index 87f13dda4b..7865c0c73e 100644
index 87f13dd..7865c0c 100644
--- a/bin/confgen/Makefile.in
+++ b/bin/confgen/Makefile.in
@@ -95,13 +95,14 @@ installdirs:
@ -64,7 +64,7 @@ index 87f13dda4b..7865c0c73e 100644
uninstall::
rm -f ${DESTDIR}${mandir}/man8/tsig-keygen.8
diff --git a/bin/delv/Makefile.in b/bin/delv/Makefile.in
index e2d2802262..19361a83ea 100644
index e2d2802..19361a8 100644
--- a/bin/delv/Makefile.in
+++ b/bin/delv/Makefile.in
@@ -63,10 +63,12 @@ installdirs:
@ -83,7 +83,7 @@ index e2d2802262..19361a83ea 100644
uninstall::
rm -f ${DESTDIR}${mandir}/man1/delv.1
diff --git a/bin/dig/Makefile.in b/bin/dig/Makefile.in
index 773ac46395..3edd951e7e 100644
index a9830a9..d7ac0b6 100644
--- a/bin/dig/Makefile.in
+++ b/bin/dig/Makefile.in
@@ -91,16 +91,16 @@ installdirs:
@ -102,13 +102,13 @@ index 773ac46395..3edd951e7e 100644
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \
nslookup@EXEEXT@ ${DESTDIR}${bindir}
- for m in ${MANPAGES}; do \
- ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man1; \
- done
- ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man1 || exit 1; \
- done
uninstall::
for m in ${MANPAGES}; do \
diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in
index 1be1d5ffc6..1d0c4ce5c1 100644
index 2239ad1..ce0a177 100644
--- a/bin/dnssec/Makefile.in
+++ b/bin/dnssec/Makefile.in
@@ -110,9 +110,11 @@ installdirs:
@ -120,16 +120,16 @@ index 1be1d5ffc6..1d0c4ce5c1 100644
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8
+
+install:: ${TARGETS} installdirs install-man8
for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir}; done
- for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8; done
for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir} || exit 1; done
- for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8 || exit 1; done
uninstall::
for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m ; done
for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m || exit 1; done
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
index 1c413973d0..03e4cb849b 100644
index e1f85a9..d92bc9a 100644
--- a/bin/named/Makefile.in
+++ b/bin/named/Makefile.in
@@ -172,12 +172,17 @@ installdirs:
@@ -176,12 +176,17 @@ installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man5
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
@ -152,7 +152,7 @@ index 1c413973d0..03e4cb849b 100644
uninstall::
rm -f ${DESTDIR}${mandir}/man5/named.conf.5
diff --git a/bin/pkcs11/Makefile.in b/bin/pkcs11/Makefile.in
index ae9061626c..a058c91214 100644
index ae90616..a058c91 100644
--- a/bin/pkcs11/Makefile.in
+++ b/bin/pkcs11/Makefile.in
@@ -71,7 +71,10 @@ installdirs:
@ -179,7 +179,7 @@ index ae9061626c..a058c91214 100644
uninstall::
rm -f ${DESTDIR}${mandir}/man8/pkcs11-tokens.8
diff --git a/bin/python/Makefile.in b/bin/python/Makefile.in
index aa678d47ab..064c404e2f 100644
index aa678d4..064c404 100644
--- a/bin/python/Makefile.in
+++ b/bin/python/Makefile.in
@@ -47,13 +47,13 @@ installdirs:
@ -201,7 +201,7 @@ index aa678d47ab..064c404e2f 100644
if test -n "${DESTDIR}" ; then \
${PYTHON} ${srcdir}/setup.py install --root=${DESTDIR} --prefix=${prefix} @PYTHON_INSTALL_LIB@ ; \
diff --git a/bin/tools/Makefile.in b/bin/tools/Makefile.in
index 7bf2af4cea..c395bc7462 100644
index 7bf2af4..c395bc7 100644
--- a/bin/tools/Makefile.in
+++ b/bin/tools/Makefile.in
@@ -119,17 +119,27 @@ installdirs:

14
bind-9.11-rh1410433.patch
View File

@ -1,14 +1,16 @@
diff --git a/lib/dns/dyndb.c b/lib/dns/dyndb.c
index 0ce5e42..556d920 100644
index 15561ce..e4449b0 100644
--- a/lib/dns/dyndb.c
+++ b/lib/dns/dyndb.c
@@ -130,9 +130,6 @@ load_library(isc_mem_t *mctx, const char *filename, const char *instname,
@@ -133,8 +133,11 @@ load_library(isc_mem_t *mctx, const char *filename, const char *instname,
instname, filename);
flags = RTLD_NOW|RTLD_LOCAL;
-#ifdef RTLD_DEEPBIND
- flags |= RTLD_DEEPBIND;
-#endif
+#if 0
+ /* Shared global namespace is required for dns-pkcs11 library */
#if defined(RTLD_DEEPBIND) && !__SANITIZE_ADDRESS__
flags |= RTLD_DEEPBIND;
+#endif
#endif
handle = dlopen(filename, flags);
if (handle == NULL)

136
bind-9.11-rh1624100.patch
View File

@ -1,4 +1,4 @@
From 25ff8ab2b0772262d358272a3ed70a24fc6e4887 Mon Sep 17 00:00:00 2001
From f27598743ab6e03271e26f23da4beba748d19c60 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
Date: Wed, 25 Apr 2018 14:04:31 +0200
Subject: [PATCH] Replace isc_safe routines with their OpenSSL counter parts
@ -14,20 +14,20 @@ Fix the isc_safe_memwipe() usage with (NULL, >0)
(cherry picked from commit 083461d3329ff6f2410745848a926090586a9846)
---
bin/dnssec/dnssec-signzone.c | 2 +-
lib/dns/nsec3.c | 4 +--
lib/dns/spnego.c | 4 +--
lib/isc/Makefile.in | 8 ++---
lib/isc/include/isc/safe.h | 18 ++++------
lib/isc/safe.c | 81 --------------------------------------------
lib/isc/tests/safe_test.c | 20 -----------
7 files changed, 13 insertions(+), 124 deletions(-)
lib/dns/nsec3.c | 4 +-
lib/dns/spnego.c | 4 +-
lib/isc/Makefile.in | 8 +---
lib/isc/include/isc/safe.h | 18 ++------
lib/isc/safe.c | 83 ------------------------------------
lib/isc/tests/safe_test.c | 18 --------
7 files changed, 11 insertions(+), 126 deletions(-)
delete mode 100644 lib/isc/safe.c
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index 53be1f5c60..351296a356 100644
index 6dded0c..a9c5557 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -786,7 +786,7 @@ hashlist_add_dns_name(hashlist_t *l, /*const*/ dns_name_t *name,
@@ -784,7 +784,7 @@ hashlist_add_dns_name(hashlist_t *l, /*const*/ dns_name_t *name,
static int
hashlist_comp(const void *a, const void *b) {
@ -37,10 +37,10 @@ index 53be1f5c60..351296a356 100644
static void
diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c
index d364308aaf..37b6a8a7fe 100644
index 6ae7ca8..01426d6 100644
--- a/lib/dns/nsec3.c
+++ b/lib/dns/nsec3.c
@@ -1950,7 +1950,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name,
@@ -1963,7 +1963,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name,
* Work out what this NSEC3 covers.
* Inside (<0) or outside (>=0).
*/
@ -49,7 +49,7 @@ index d364308aaf..37b6a8a7fe 100644
/*
* Prepare to compute all the hashes.
@@ -1974,7 +1974,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name,
@@ -1987,7 +1987,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name,
return (ISC_R_IGNORE);
}
@ -59,10 +59,10 @@ index d364308aaf..37b6a8a7fe 100644
/*
* The hashes are the same.
diff --git a/lib/dns/spnego.c b/lib/dns/spnego.c
index ce3e42d650..079d4c1b4a 100644
index ad77f24..670982a 100644
--- a/lib/dns/spnego.c
+++ b/lib/dns/spnego.c
@@ -369,7 +369,7 @@ gssapi_spnego_decapsulate(OM_uint32 *,
@@ -371,7 +371,7 @@ gssapi_spnego_decapsulate(OM_uint32 *,
/* mod_auth_kerb.c */
@ -71,7 +71,7 @@ index ce3e42d650..079d4c1b4a 100644
cmp_gss_type(gss_buffer_t token, gss_OID gssoid)
{
unsigned char *p;
@@ -393,7 +393,7 @@ cmp_gss_type(gss_buffer_t token, gss_OID gssoid)
@@ -395,7 +395,7 @@ cmp_gss_type(gss_buffer_t token, gss_OID gssoid)
if (((OM_uint32) *p++) != gssoid->length)
return (GSS_S_DEFECTIVE_TOKEN);
@ -81,26 +81,26 @@ index ce3e42d650..079d4c1b4a 100644
/* accept_sec_context.c */
diff --git a/lib/isc/Makefile.in b/lib/isc/Makefile.in
index ba53ef1091..98acffffc9 100644
index 149552a..8529a86 100644
--- a/lib/isc/Makefile.in
+++ b/lib/isc/Makefile.in
@@ -60,7 +60,7 @@ OBJS = @ISC_EXTRA_OBJS@ @ISC_PK11_O@ @ISC_PK11_RESULT_O@ \
parseint.@O@ portset.@O@ quota.@O@ radix.@O@ random.@O@ \
ratelimiter.@O@ refcount.@O@ region.@O@ regex.@O@ result.@O@ \
rwlock.@O@ \
- safe.@O@ serial.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \
+ serial.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \
- safe.@O@ serial.@O@ siphash.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \
+ serial.@O@ siphash.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \
string.@O@ strtoul.@O@ symtab.@O@ task.@O@ taskpool.@O@ \
tm.@O@ timer.@O@ version.@O@ \
tm.@O@ timer.@O@ utf8.@O@ version.@O@ \
${UNIXOBJS} ${NLSOBJS} ${THREADOBJS}
@@ -79,7 +79,7 @@ SRCS = @ISC_EXTRA_SRCS@ @ISC_PK11_C@ @ISC_PK11_RESULT_C@ \
netaddr.c netscope.c pool.c ondestroy.c \
parseint.c portset.c quota.c radix.c random.c ${CHACHASRCS} \
ratelimiter.c refcount.c region.c regex.c result.c rwlock.c \
- safe.c serial.c sha1.c sha2.c sockaddr.c stats.c string.c \
+ serial.c sha1.c sha2.c sockaddr.c stats.c string.c \
- safe.c serial.c siphash.c sha1.c sha2.c sockaddr.c stats.c string.c \
+ serial.c siphash.c sha1.c sha2.c sockaddr.c stats.c string.c \
strtoul.c symtab.c task.c taskpool.c timer.c \
tm.c version.c
tm.c utf8.c version.c
@@ -95,10 +95,6 @@ TESTDIRS = @UNITTESTS@
@ -114,28 +114,28 @@ index ba53ef1091..98acffffc9 100644
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-DVERSION=\"${VERSION}\" \
diff --git a/lib/isc/include/isc/safe.h b/lib/isc/include/isc/safe.h
index f29f00bac6..b8a0b2290c 100644
index 66ed08b..88b8f47 100644
--- a/lib/isc/include/isc/safe.h
+++ b/lib/isc/include/isc/safe.h
@@ -15,27 +15,21 @@
@@ -15,29 +15,19 @@
/*! \file isc/safe.h */
-#include <stdbool.h>
-
-#include <isc/types.h>
-#include <stdlib.h>
+#include <isc/boolean.h>
+#include <isc/lang.h>
+
+#include <openssl/crypto.h>
ISC_LANG_BEGINDECLS
-isc_boolean_t
-bool
-isc_safe_memequal(const void *s1, const void *s2, size_t n);
+#define isc_safe_memequal(s1, s2, n) ISC_TF(!CRYPTO_memcmp(s1, s2, n))
+#define isc_safe_memequal(s1, s2, n) !CRYPTO_memcmp(s1, s2, n)
/*%<
* Returns ISC_TRUE iff. two blocks of memory are equal, otherwise
* ISC_FALSE.
* Returns true iff. two blocks of memory are equal, otherwise
* false.
*
*/
@ -153,10 +153,10 @@ index f29f00bac6..b8a0b2290c 100644
*
diff --git a/lib/isc/safe.c b/lib/isc/safe.c
deleted file mode 100644
index 5c9e1e2d13..0000000000
index 7a464b6..0000000
--- a/lib/isc/safe.c
+++ /dev/null
@@ -1,81 +0,0 @@
@@ -1,83 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
@ -172,6 +172,8 @@ index 5c9e1e2d13..0000000000
-
-#include <config.h>
-
-#include <stdbool.h>
-
-#include <isc/safe.h>
-#include <isc/string.h>
-#include <isc/util.h>
@ -184,18 +186,18 @@ index 5c9e1e2d13..0000000000
-#pragma optimize("", off)
-#endif
-
-isc_boolean_t
-bool
-isc_safe_memequal(const void *s1, const void *s2, size_t n) {
- isc_uint8_t acc = 0;
- uint8_t acc = 0;
-
- if (n != 0U) {
- const isc_uint8_t *p1 = s1, *p2 = s2;
- const uint8_t *p1 = s1, *p2 = s2;
-
- do {
- acc |= *p1++ ^ *p2++;
- } while (--n != 0U);
- }
- return (ISC_TF(acc == 0));
- return (acc == 0);
-}
-
-
@ -239,35 +241,33 @@ index 5c9e1e2d13..0000000000
-#endif
-}
diff --git a/lib/isc/tests/safe_test.c b/lib/isc/tests/safe_test.c
index f721cd1096..ea3e61f98d 100644
index 266ac75..60e9181 100644
--- a/lib/isc/tests/safe_test.c
+++ b/lib/isc/tests/safe_test.c
@@ -39,24 +39,6 @@ ATF_TC_BODY(isc_safe_memequal, tc) {
"\x00\x00\x00\x00", 4));
@@ -45,22 +45,6 @@ isc_safe_memequal_test(void **state) {
"\x00\x00\x00\x00", 4));
}
-ATF_TC(isc_safe_memcompare);
-ATF_TC_HEAD(isc_safe_memcompare, tc) {
- atf_tc_set_md_var(tc, "descr", "safe memcompare()");
-}
-ATF_TC_BODY(isc_safe_memcompare, tc) {
- UNUSED(tc);
-/* test isc_safe_memcompare() */
-static void
-isc_safe_memcompare_test(void **state) {
- UNUSED(state);
-
- ATF_CHECK(isc_safe_memcompare("test", "test", 4) == 0);
- ATF_CHECK(isc_safe_memcompare("test", "tesc", 4) > 0);
- ATF_CHECK(isc_safe_memcompare("test", "tesy", 4) < 0);
- ATF_CHECK(isc_safe_memcompare("\x00\x00\x00\x00",
- "\x00\x00\x00\x00", 4) == 0);
- ATF_CHECK(isc_safe_memcompare("\x00\x00\x00\x00",
- "\x00\x00\x00\x01", 4) < 0);
- ATF_CHECK(isc_safe_memcompare("\x00\x00\x00\x02",
- "\x00\x00\x00\x00", 4) > 0);
- assert_int_equal(isc_safe_memcompare("test", "test", 4), 0);
- assert_true(isc_safe_memcompare("test", "tesc", 4) > 0);
- assert_true(isc_safe_memcompare("test", "tesy", 4) < 0);
- assert_int_equal(isc_safe_memcompare("\x00\x00\x00\x00",
- "\x00\x00\x00\x00", 4), 0);
- assert_true(isc_safe_memcompare("\x00\x00\x00\x00",
- "\x00\x00\x00\x01", 4) < 0);
- assert_true(isc_safe_memcompare("\x00\x00\x00\x02",
- "\x00\x00\x00\x00", 4) > 0);
-}
-
ATF_TC(isc_safe_memwipe);
ATF_TC_HEAD(isc_safe_memwipe, tc) {
atf_tc_set_md_var(tc, "descr", "isc_safe_memwipe()");
@@ -67,7 +49,6 @@ ATF_TC_BODY(isc_safe_memwipe, tc) {
/* test isc_safe_memwipe() */
static void
isc_safe_memwipe_test(void **state) {
@@ -69,7 +53,6 @@ isc_safe_memwipe_test(void **state) {
/* These should pass. */
isc_safe_memwipe(NULL, 0);
isc_safe_memwipe((void *) -1, 0);
@ -275,14 +275,14 @@ index f721cd1096..ea3e61f98d 100644
/*
* isc_safe_memwipe(ptr, size) should function same as
@@ -106,7 +87,6 @@ ATF_TC_BODY(isc_safe_memwipe, tc) {
*/
ATF_TP_ADD_TCS(tp) {
ATF_TP_ADD_TC(tp, isc_safe_memequal);
- ATF_TP_ADD_TC(tp, isc_safe_memcompare);
ATF_TP_ADD_TC(tp, isc_safe_memwipe);
return (atf_no_error());
}
@@ -108,7 +91,6 @@ main(void) {
const struct CMUnitTest tests[] = {
cmocka_unit_test(isc_safe_memequal_test),
cmocka_unit_test(isc_safe_memwipe_test),
- cmocka_unit_test(isc_safe_memcompare_test),
};
return (cmocka_run_group_tests(tests, NULL, NULL));
--
2.14.4
2.26.2

48
bind-9.11-rh1663318.patch Normal file
View File

@ -0,0 +1,48 @@
From b16a1ff25644bb075f454afe68ee63f6f385ca9c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Wed, 23 Jan 2019 21:11:07 +0100
Subject: [PATCH] Made RAND_status check optional (broke --disable-crypto-rand)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Unlike upstream, skip it also for DHCP.
Disable RAND_status also in non-threaded builds. DHCP is built without
threads and should not check RAND_status on dns library initialization.
Lack of entropy is possible state for dhclient, but it must not fail
even in this case. Because DHCP itself does not require custom random
generator, leave default RAND_OpenSSL configured. It should help TLS
connection to LDAP in single DHCP binary, while keeping secure random
data if needed.
(modified upstream commit 8a98277811ea50035ff37b744fa3dc5b75bee099)
Signed-off-by: Petr Menšík <pemensik@redhat.com>
---
lib/dns/openssl_link.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
index 7a233dd..941eb17 100644
--- a/lib/dns/openssl_link.c
+++ b/lib/dns/openssl_link.c
@@ -289,6 +289,7 @@ dst__openssl_init(const char *engine) {
#endif
#endif /* !defined(OPENSSL_NO_ENGINE) */
+#if defined(ISC_PLATFORM_CRYPTORANDOM) && defined(ISC_PLATFORM_USETHREADS)
/* Protect ourselves against unseeded PRNG */
if (RAND_status() != 1) {
FATAL_ERROR(__FILE__, __LINE__,
@@ -296,6 +297,7 @@ dst__openssl_init(const char *engine) {
"cannot be initialized (see the `PRNG not "
"seeded' message in the OpenSSL FAQ)");
}
+#endif
return (ISC_R_SUCCESS);
--
2.20.1

37
bind-9.11-rh1666814.patch Normal file
View File

@ -0,0 +1,37 @@
From 3bb29f45604ac6890f4ea5cdcbd1a62e6dad14a7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Wed, 16 Jan 2019 16:27:33 +0100
Subject: [PATCH 2/2] Fix possible crash when loading corrupted file
Some values passes internal triggers by coincidence. Fix the check and
check also first_node_offset before even passing it further.
---
lib/dns/rbt.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/lib/dns/rbt.c b/lib/dns/rbt.c
index 62d0826..b029b7d 100644
--- a/lib/dns/rbt.c
+++ b/lib/dns/rbt.c
@@ -787,7 +787,7 @@ treefix(dns_rbt_t *rbt, void *base, size_t filesize, dns_rbtnode_t *n,
return (ISC_R_SUCCESS);
CONFIRM((void *) n >= base);
- CONFIRM((char *) n - (char *) base <= (int) nodemax);
+ CONFIRM((size_t)((char *) n - (char *) base) <= nodemax);
CONFIRM(DNS_RBTNODE_VALID(n));
dns_name_init(&nodename, NULL);
@@ -939,7 +939,8 @@ dns_rbt_deserialize_tree(void *base_address, size_t filesize,
rbt->root = (dns_rbtnode_t *)((char *)base_address +
header_offset + header->first_node_offset);
- if ((header->nodecount * sizeof(dns_rbtnode_t)) > filesize) {
+ if ((header->nodecount * sizeof(dns_rbtnode_t)) > filesize
+ || header->first_node_offset > filesize) {
result = ISC_R_INVALIDFILE;
goto cleanup;
}
--
2.20.1

194
bind-9.11-rh1732883.patch Normal file
View File

@ -0,0 +1,194 @@
From 6010876e561b4345e569ffd11eaec9ea52725817 Mon Sep 17 00:00:00 2001
From: Pavel Zhukov <pzhukov@redhat.com>
Date: Wed, 24 Jul 2019 17:15:55 +0200
Subject: [PATCH] Detect system time jumps
In case if system time was changed backward it's possible to have ip
address dropped by the kernel due to lifetime expirity. Try to detect
this situation using either monotonic time or saved timestamp and execute
go_reboot() procedure to request lease extention
---
lib/isc/include/isc/result.h | 3 ++-
lib/isc/include/isc/util.h | 3 +++
lib/isc/result.c | 2 ++
lib/isc/unix/app.c | 39 +++++++++++++++++++++++++++++----
lib/isc/unix/include/isc/time.h | 20 +++++++++++++++++
lib/isc/unix/time.c | 22 +++++++++++++++++++
6 files changed, 84 insertions(+), 5 deletions(-)
diff --git a/lib/isc/include/isc/result.h b/lib/isc/include/isc/result.h
index 0389efa..149cde5 100644
--- a/lib/isc/include/isc/result.h
+++ b/lib/isc/include/isc/result.h
@@ -89,7 +89,8 @@
#define ISC_R_DISCFULL 67 /*%< disc full */
#define ISC_R_DEFAULT 68 /*%< default */
#define ISC_R_IPV4PREFIX 69 /*%< IPv4 prefix */
-#define ISC_R_NRESULTS 70
+#define ISC_R_TIMESHIFTED 70 /*%< system time changed */
+#define ISC_R_NRESULTS 71
ISC_LANG_BEGINDECLS
diff --git a/lib/isc/include/isc/util.h b/lib/isc/include/isc/util.h
index 973c348..8160dd3 100644
--- a/lib/isc/include/isc/util.h
+++ b/lib/isc/include/isc/util.h
@@ -289,6 +289,9 @@ extern void mock_assert(const int result, const char* const expression,
* Time
*/
#define TIME_NOW(tp) RUNTIME_CHECK(isc_time_now((tp)) == ISC_R_SUCCESS)
+#ifdef CLOCK_BOOTTIME
+#define TIME_MONOTONIC(tp) RUNTIME_CHECK(isc_time_boottime((tp)) == ISC_R_SUCCESS)
+#endif
/*%
* Alignment
diff --git a/lib/isc/result.c b/lib/isc/result.c
index a9db132..7c04831 100644
--- a/lib/isc/result.c
+++ b/lib/isc/result.c
@@ -105,6 +105,7 @@ static const char *description[ISC_R_NRESULTS] = {
"disc full", /*%< 67 */
"default", /*%< 68 */
"IPv4 prefix", /*%< 69 */
+ "time changed", /*%< 70 */
};
static const char *identifier[ISC_R_NRESULTS] = {
@@ -178,6 +179,7 @@ static const char *identifier[ISC_R_NRESULTS] = {
"ISC_R_DISCFULL",
"ISC_R_DEFAULT",
"ISC_R_IPV4PREFIX",
+ "ISC_R_TIMESHIFTED",
};
#define ISC_RESULT_RESULTSET 2
diff --git a/lib/isc/unix/app.c b/lib/isc/unix/app.c
index a6e9882..52eb3e0 100644
--- a/lib/isc/unix/app.c
+++ b/lib/isc/unix/app.c
@@ -442,15 +442,48 @@ isc__app_ctxonrun(isc_appctx_t *ctx0, isc_mem_t *mctx, isc_task_t *task,
static isc_result_t
evloop(isc__appctx_t *ctx) {
isc_result_t result;
+ isc_time_t now;
+#ifdef CLOCK_BOOTTIME
+ isc_time_t monotonic;
+ uint64_t diff = 0;
+#else
+ isc_time_t prev;
+ TIME_NOW(&prev);
+#endif
+
+
while (!ctx->want_shutdown) {
int n;
- isc_time_t when, now;
+ isc_time_t when;
struct timeval tv, *tvp;
isc_socketwait_t *swait;
bool readytasks;
bool call_timer_dispatch = false;
-
+ uint64_t us;
+
+#ifdef CLOCK_BOOTTIME
+ // TBD macros for following three lines
+ TIME_NOW(&now);
+ TIME_MONOTONIC(&monotonic);
+ INSIST(now.seconds > monotonic.seconds)
+ us = isc_time_microdiff (&now, &monotonic);
+ if (us < diff){
+ us = diff - us;
+ if (us > 1000000){ // ignoring shifts less than one second
+ return ISC_R_TIMESHIFTED;
+ };
+ diff = isc_time_microdiff (&now, &monotonic);
+ } else {
+ diff = isc_time_microdiff (&now, &monotonic);
+ // not implemented
+ }
+#else
+ TIME_NOW(&now);
+ if (isc_time_compare (&now, &prev) < 0)
+ return ISC_R_TIMESHIFTED;
+ TIME_NOW(&prev);
+#endif
/*
* Check the reload (or suspend) case first for exiting the
* loop as fast as possible in case:
@@ -475,8 +508,6 @@ evloop(isc__appctx_t *ctx) {
if (result != ISC_R_SUCCESS)
tvp = NULL;
else {
- uint64_t us;
-
TIME_NOW(&now);
us = isc_time_microdiff(&when, &now);
if (us == 0)
diff --git a/lib/isc/unix/include/isc/time.h b/lib/isc/unix/include/isc/time.h
index b864c29..5dd43c9 100644
--- a/lib/isc/unix/include/isc/time.h
+++ b/lib/isc/unix/include/isc/time.h
@@ -132,6 +132,26 @@ isc_time_isepoch(const isc_time_t *t);
*\li 't' is a valid pointer.
*/
+#ifdef CLOCK_BOOTTIME
+isc_result_t
+isc_time_boottime(isc_time_t *t);
+/*%<
+ * Set 't' to monotonic time from previous boot
+ * it's not affected by system time change. It also
+ * includes the time system was suspended
+ *
+ * Requires:
+ *\li 't' is a valid pointer.
+ *
+ * Returns:
+ *
+ *\li Success
+ *\li Unexpected error
+ * Getting the time from the system failed.
+ */
+#endif /* CLOCK_BOOTTIME */
+
+
isc_result_t
isc_time_now(isc_time_t *t);
/*%<
diff --git a/lib/isc/unix/time.c b/lib/isc/unix/time.c
index 8edc9df..fe0bb91 100644
--- a/lib/isc/unix/time.c
+++ b/lib/isc/unix/time.c
@@ -498,3 +498,25 @@ isc_time_formatISO8601ms(const isc_time_t *t, char *buf, unsigned int len) {
t->nanoseconds / NS_PER_MS);
}
}
+
+
+#ifdef CLOCK_BOOTTIME
+isc_result_t
+isc_time_boottime(isc_time_t *t) {
+ struct timespec ts;
+
+ char strbuf[ISC_STRERRORSIZE];
+
+ if (clock_gettime (CLOCK_BOOTTIME, &ts) != 0){
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ UNEXPECTED_ERROR(__FILE__, __LINE__, "%s", strbuf);
+ return (ISC_R_UNEXPECTED);
+ }
+
+ t->seconds = ts.tv_sec;
+ t->nanoseconds = ts.tv_nsec;
+
+ return (ISC_R_SUCCESS);
+
+};
+#endif
--
2.20.1

59
bind-9.11-rh1736762-5.patch Normal file
View File

@ -0,0 +1,59 @@
From 6257d829c9d7e71ac51bcdc6b5b981c7a19200e2 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Mon, 25 Nov 2019 05:46:55 +0000
Subject: [PATCH] Merge branch
'1373-threadsanitizer-data-race-rbtdb-c-5193-in-detachnode' into 'master'
Resolve "ThreadSanitizer: data race rbtdb.c:5193 in detachnode"
Closes #1373
See merge request isc-projects/bind9!2598
---
lib/dns/include/dns/rbt.h | 22 +++++++++-------------
1 file changed, 9 insertions(+), 13 deletions(-)
diff --git a/lib/dns/include/dns/rbt.h b/lib/dns/include/dns/rbt.h
index 67ac3e4d8a..a084bd6193 100644
--- a/lib/dns/include/dns/rbt.h
+++ b/lib/dns/include/dns/rbt.h
@@ -49,10 +49,7 @@ ISC_LANG_BEGINDECLS
#define DNS_RBT_USEMAGIC 1
-/*
- * These should add up to 30.
- */
-#define DNS_RBT_LOCKLENGTH 10
+#define DNS_RBT_LOCKLENGTH (sizeof(((dns_rbtnode_t *)0)->locknum)*8)
#define DNS_RBT_REFLENGTH 20
#define DNS_RBTNODE_MAGIC ISC_MAGIC('R','B','N','O')
@@ -159,16 +156,15 @@ struct dns_rbtnode {
* separate region of memory.
*/
void *data;
- unsigned int :0; /* start of bitfields c/o node lock */
- unsigned int dirty:1;
- unsigned int wild:1;
- unsigned int locknum:DNS_RBT_LOCKLENGTH;
-#ifndef DNS_RBT_USEISCREFCOUNT
- unsigned int references:DNS_RBT_REFLENGTH;
-#endif
- unsigned int :0; /* end of bitfields c/o node lock */
+ uint8_t :0; /* start of bitfields c/o node lock */
+ uint8_t dirty:1;
+ uint8_t wild:1;
+ uint8_t :0; /* end of bitfields c/o node lock */
+ uint16_t locknum; /* note that this is not in the bitfield */
#ifdef DNS_RBT_USEISCREFCOUNT
- isc_refcount_t references; /* note that this is not in the bitfield */
+ isc_refcount_t references;
+#else
+ unsigned int references:DNS_RBT_REFLENGTH;
#endif
/*@}*/
};
--
2.21.0

593
bind-9.11-rt31459.patch
View File

File diff suppressed because it is too large Load Diff

356
bind-9.11-rt46047.patch
View File

@ -1,4 +1,4 @@
From 1ab1aabcf9b2b8de144bab7a3ff5d9f7e6ec9ad4 Mon Sep 17 00:00:00 2001
From 344c19ad4b3f058e65a4b41650bb0ee20692cc5c Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Thu, 28 Sep 2017 10:09:22 -0700
Subject: [PATCH] completed and corrected the crypto-random change
@ -24,32 +24,34 @@ Subject: [PATCH] completed and corrected the crypto-random change
"configure --disable-crypto-rand".
[RT #31459] [RT #46047]
---
bin/confgen/keygen.c | 12 +++----
bin/dnssec/dnssec-keygen.docbook | 24 +++++++++-----
bin/dnssec/dnssectool.c | 12 +++----
bin/confgen/keygen.c | 12 +++---
bin/dnssec/dnssec-keygen.docbook | 24 +++++++----
bin/dnssec/dnssectool.c | 12 +++---
bin/named/client.c | 3 +-
bin/named/config.c | 4 ++-
bin/named/controlconf.c | 19 +++++++----
bin/named/include/named/server.h | 2 ++
bin/named/config.c | 4 +-
bin/named/controlconf.c | 19 +++++---
bin/named/include/named/server.h | 2 +
bin/named/interfacemgr.c | 1 +
bin/named/query.c | 1 +
bin/named/server.c | 53 ++++++++++++++++++------------
bin/nsupdate/nsupdate.c | 4 +--
bin/tests/system/pipelined/pipequeries.c | 4 +--
bin/tests/system/tkey/keycreate.c | 4 +--
bin/tests/system/tkey/keydelete.c | 4 +--
doc/arm/Bv9ARM-book.xml | 55 ++++++++++++++++++++++----------
doc/arm/notes.xml | 23 ++++++++++++-
lib/dns/dst_api.c | 7 ++--
lib/dns/include/dst/dst.h | 14 ++++++--
bin/named/server.c | 52 ++++++++++++++--------
bin/nsupdate/nsupdate.c | 4 +-
bin/tests/system/pipelined/pipequeries.c | 4 +-
bin/tests/system/tkey/keycreate.c | 4 +-
bin/tests/system/tkey/keydelete.c | 5 +--
doc/arm/Bv9ARM-book.xml | 55 +++++++++++++++++-------
doc/arm/notes-rh-changes.xml | 42 ++++++++++++++++++
doc/arm/notes.xml | 1 +
lib/dns/dst_api.c | 4 +-
lib/dns/include/dst/dst.h | 14 +++++-
lib/dns/openssl_link.c | 3 +-
lib/isc/include/isc/entropy.h | 50 +++++++++++++++++++++--------
lib/isc/include/isc/random.h | 28 ++++++++++------
lib/isc/include/isc/entropy.h | 48 +++++++++++++++------
lib/isc/include/isc/random.h | 28 +++++++-----
lib/isccfg/namedconf.c | 2 +-
22 files changed, 219 insertions(+), 110 deletions(-)
23 files changed, 240 insertions(+), 104 deletions(-)
create mode 100644 doc/arm/notes-rh-changes.xml
diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c
index fa439cc..a7ad417 100644
index 295e16f..0f79aa8 100644
--- a/bin/confgen/keygen.c
+++ b/bin/confgen/keygen.c
@@ -161,17 +161,15 @@ generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg,
@ -65,7 +67,7 @@ index fa439cc..a7ad417 100644
- strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
- randomfile = NULL;
+ if (randomfile == NULL) {
isc_entropy_usehook(ectx, ISC_TRUE);
isc_entropy_usehook(ectx, true);
}
#endif
+ if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) {
@ -76,7 +78,7 @@ index fa439cc..a7ad417 100644
&entropy_source,
randomfile,
diff --git a/bin/dnssec/dnssec-keygen.docbook b/bin/dnssec/dnssec-keygen.docbook
index 96dfef6..1c84b06 100644
index 1826919..96543fc 100644
--- a/bin/dnssec/dnssec-keygen.docbook
+++ b/bin/dnssec/dnssec-keygen.docbook
@@ -349,15 +349,23 @@
@ -112,16 +114,16 @@ index 96dfef6..1c84b06 100644
</listitem>
</varlistentry>
diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c
index 4ea9eaf..5dd9475 100644
index 5654435..24c0d5a 100644
--- a/bin/dnssec/dnssectool.c
+++ b/bin/dnssec/dnssectool.c
@@ -239,18 +239,16 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
@@ -241,18 +241,16 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
ISC_LIST_INIT(sources);
}
+#ifdef ISC_PLATFORM_CRYPTORANDOM
+ if (randomfile == NULL) {
+ isc_entropy_usehook(*ectx, ISC_TRUE);
+ isc_entropy_usehook(*ectx, true);
+ }
+#endif
if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) {
@ -133,17 +135,17 @@ index 4ea9eaf..5dd9475 100644
- if (randomfile != NULL &&
- strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
- randomfile = NULL;
- isc_entropy_usehook(*ectx, ISC_TRUE);
- isc_entropy_usehook(*ectx, true);
- }
-#endif
result = isc_entropy_usebestsource(*ectx, &source, randomfile,
usekeyboard);
diff --git a/bin/named/client.c b/bin/named/client.c
index b9ebc93..20e5f39 100644
index 9a0d3c8..c573177 100644
--- a/bin/named/client.c
+++ b/bin/named/client.c
@@ -1605,7 +1605,8 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message,
@@ -1765,7 +1765,8 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message,
isc_buffer_init(&buf, cookie, sizeof(cookie));
isc_stdtime_get(&now);
@ -154,10 +156,10 @@ index b9ebc93..20e5f39 100644
compute_cookie(client, now, nonce, ns_g_server->secret, &buf);
diff --git a/bin/named/config.c b/bin/named/config.c
index c50f759..c1e72ef 100644
index dbdff64..63da4b0 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -92,7 +92,9 @@ options {\n\
@@ -98,7 +98,9 @@ options {\n\
# pid-file \"" NS_LOCALSTATEDIR "/run/named/named.pid\"; /* or /lwresd.pid */\n\
port 53;\n\
prefetch 2 9;\n"
@ -169,10 +171,10 @@ index c50f759..c1e72ef 100644
#endif
" recursing-file \"named.recursing\";\n\
diff --git a/bin/named/controlconf.c b/bin/named/controlconf.c
index 237e8dc..b905475 100644
index d955c2f..40621f2 100644
--- a/bin/named/controlconf.c
+++ b/bin/named/controlconf.c
@@ -322,9 +322,10 @@ log_invalid(isccc_ccmsg_t *ccmsg, isc_result_t result) {
@@ -325,9 +325,10 @@ log_invalid(isccc_ccmsg_t *ccmsg, isc_result_t result) {
static void
control_recvmessage(isc_task_t *task, isc_event_t *event) {
@ -185,8 +187,8 @@ index 237e8dc..b905475 100644
+ controlkey_t *key = NULL;
isccc_sexpr_t *request = NULL;
isccc_sexpr_t *response = NULL;
isc_uint32_t algorithm;
@@ -335,16 +336,17 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
uint32_t algorithm;
@@ -338,16 +339,17 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
isc_buffer_t *text;
isc_result_t result;
isc_result_t eresult;
@ -194,7 +196,7 @@ index 237e8dc..b905475 100644
+ isccc_sexpr_t *_ctrl = NULL;
isccc_time_t sent;
isccc_time_t exp;
isc_uint32_t nonce;
uint32_t nonce;
- isccc_sexpr_t *data;
+ isccc_sexpr_t *data = NULL;
@ -206,25 +208,25 @@ index 237e8dc..b905475 100644
algorithm = DST_ALG_UNKNOWN;
secret.rstart = NULL;
text = NULL;
@@ -455,8 +457,11 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
@@ -458,8 +460,11 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
* Establish nonce.
*/
if (conn->nonce == 0) {
- while (conn->nonce == 0)
- isc_random_get(&conn->nonce);
+ while (conn->nonce == 0) {
+ isc_uint16_t r1 = isc_rng_random(server->rngctx);
+ isc_uint16_t r2 = isc_rng_random(server->rngctx);
+ uint16_t r1 = isc_rng_random(server->rngctx);
+ uint16_t r2 = isc_rng_random(server->rngctx);
+ conn->nonce = (r1 << 16) | r2;
+ }
eresult = ISC_R_SUCCESS;
} else
eresult = ns_control_docommand(request, listener->readonly, &text);
diff --git a/bin/named/include/named/server.h b/bin/named/include/named/server.h
index d8179a6..e03d24d 100644
index 3f96b7b..c92922e 100644
--- a/bin/named/include/named/server.h
+++ b/bin/named/include/named/server.h
@@ -17,6 +17,7 @@
@@ -20,6 +20,7 @@
#include <isc/log.h>
#include <isc/magic.h>
#include <isc/quota.h>
@ -232,19 +234,19 @@ index d8179a6..e03d24d 100644
#include <isc/sockaddr.h>
#include <isc/types.h>
#include <isc/xml.h>
@@ -131,6 +132,7 @@ struct ns_server {
@@ -134,6 +135,7 @@ struct ns_server {
char * lockfile;
isc_uint16_t transfer_tcp_message_size;
uint16_t transfer_tcp_message_size;
+ isc_rng_t * rngctx;
};
struct ns_altsecret {
diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c
index d8c7188..50f924e 100644
index 9dea7c1..272d300 100644
--- a/bin/named/interfacemgr.c
+++ b/bin/named/interfacemgr.c
@@ -15,6 +15,7 @@
@@ -17,6 +17,7 @@
#include <isc/interfaceiter.h>
#include <isc/os.h>
@ -253,10 +255,10 @@ index d8c7188..50f924e 100644
#include <isc/task.h>
#include <isc/util.h>
diff --git a/bin/named/query.c b/bin/named/query.c
index accbf3b..d89622d 100644
index 203f1e6..25eeced 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -18,6 +18,7 @@
@@ -19,6 +19,7 @@
#include <isc/hex.h>
#include <isc/mem.h>
#include <isc/print.h>
@ -265,10 +267,10 @@ index accbf3b..d89622d 100644
#include <isc/serial.h>
#include <isc/stats.h>
diff --git a/bin/named/server.c b/bin/named/server.c
index ca789e5..1413e85 100644
index f27071f..f132c19 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -8076,21 +8076,30 @@ load_configuration(const char *filename, ns_server_t *server,
@@ -8210,21 +8210,32 @@ load_configuration(const char *filename, ns_server_t *server,
* Open the source of entropy.
*/
if (first_time) {
@ -277,11 +279,6 @@ index ca789e5..1413e85 100644
obj = NULL;
result = ns_config_get(maps, "random-device", &obj);
- if (result != ISC_R_SUCCESS) {
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_SERVER, ISC_LOG_INFO,
- "no source of entropy found");
- } else {
- const char *randomdev = cfg_obj_asstring(obj);
+ if (result == ISC_R_SUCCESS) {
+ if (!cfg_obj_isvoid(obj)) {
+ level = ISC_LOG_INFO;
@ -289,28 +286,33 @@ index ca789e5..1413e85 100644
+ }
+ }
+ if (randomdev == NULL) {
#ifdef ISC_PLATFORM_CRYPTORANDOM
- if (strcmp(randomdev, ISC_PLATFORM_CRYPTORANDOM) == 0)
- isc_entropy_usehook(ns_g_entropy, ISC_TRUE);
+ isc_entropy_usehook(ns_g_entropy, ISC_TRUE);
#else
- int level = ISC_LOG_ERROR;
- result = isc_entropy_createfilesource(ns_g_entropy,
- randomdev);
+#ifdef ISC_PLATFORM_CRYPTORANDOM
+ isc_entropy_usehook(ns_g_entropy, true);
+#else
+ if ((obj != NULL) && !cfg_obj_isvoid(obj))
+ level = ISC_LOG_INFO;
+ isc_log_write(named_g_lctx, NS_LOGCATEGORY_GENERAL,
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+ NS_LOGMODULE_SERVER, level,
+ "no source of entropy found");
"no source of entropy found");
+ if ((obj == NULL) || cfg_obj_isvoid(obj)) {
+ CHECK(ISC_R_FAILURE);
+ }
+#endif
+ } else {
} else {
- const char *randomdev = cfg_obj_asstring(obj);
-#ifdef ISC_PLATFORM_CRYPTORANDOM
- if (strcmp(randomdev, ISC_PLATFORM_CRYPTORANDOM) == 0)
- isc_entropy_usehook(ns_g_entropy, true);
-#else
- int level = ISC_LOG_ERROR;
result = isc_entropy_createfilesource(ns_g_entropy,
- randomdev);
+ randomdev);
#ifdef PATH_RANDOMDEV
if (ns_g_fallbackentropy != NULL) {
level = ISC_LOG_INFO;
@@ -8101,8 +8110,8 @@ load_configuration(const char *filename, ns_server_t *server,
@@ -8235,8 +8246,8 @@ load_configuration(const char *filename, ns_server_t *server,
NS_LOGCATEGORY_GENERAL,
NS_LOGMODULE_SERVER,
level,
@ -321,15 +323,23 @@ index ca789e5..1413e85 100644
randomdev,
isc_result_totext(result));
}
@@ -8122,7 +8131,6 @@ load_configuration(const char *filename, ns_server_t *server,
@@ -8256,7 +8267,6 @@ load_configuration(const char *filename, ns_server_t *server,
}
isc_entropy_detach(&ns_g_fallbackentropy);
}
-#endif
#endif
}
}
@@ -8911,6 +8919,9 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
@@ -9025,6 +9035,7 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
server->in_roothints = NULL;
server->blackholeacl = NULL;
server->keepresporder = NULL;
+ server->rngctx = NULL;
/* Must be first. */
CHECKFATAL(dst_lib_init2(ns_g_mctx, ns_g_entropy,
@@ -9051,6 +9062,9 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
CHECKFATAL(dns_tkeyctx_create(ns_g_mctx, ns_g_entropy,
&server->tkeyctx),
"creating TKEY context");
@ -339,7 +349,7 @@ index ca789e5..1413e85 100644
/*
* Setup the server task, which is responsible for coordinating
@@ -9117,7 +9128,8 @@ ns_server_destroy(ns_server_t **serverp) {
@@ -9257,7 +9271,8 @@ ns_server_destroy(ns_server_t **serverp) {
if (server->zonemgr != NULL)
dns_zonemgr_detach(&server->zonemgr);
@ -349,7 +359,7 @@ index ca789e5..1413e85 100644
if (server->tkeyctx != NULL)
dns_tkeyctx_destroy(&server->tkeyctx);
@@ -13018,10 +13030,10 @@ newzone_cfgctx_destroy(void **cfgp) {
@@ -13263,10 +13278,10 @@ newzone_cfgctx_destroy(void **cfgp) {
static isc_result_t
generate_salt(unsigned char *salt, size_t saltlen) {
@ -357,19 +367,19 @@ index ca789e5..1413e85 100644
+ size_t i, n;
union {
unsigned char rnd[256];
- isc_uint32_t rnd32[64];
+ isc_uint16_t rnd16[128];
- uint32_t rnd32[64];
+ uint16_t rnd16[128];
} rnd;
unsigned char text[512 + 1];
isc_region_t r;
@@ -13031,9 +13043,10 @@ generate_salt(unsigned char *salt, size_t saltlen) {
@@ -13276,9 +13291,10 @@ generate_salt(unsigned char *salt, size_t saltlen) {
if (saltlen > 256U)
return (ISC_R_RANGE);
- n = (int) (saltlen + sizeof(isc_uint32_t) - 1) / sizeof(isc_uint32_t);
- n = (int) (saltlen + sizeof(uint32_t) - 1) / sizeof(uint32_t);
- for (i = 0; i < n; i++)
- isc_random_get(&rnd.rnd32[i]);
+ n = (saltlen + sizeof(isc_uint16_t) - 1) / sizeof(isc_uint16_t);
+ n = (saltlen + sizeof(uint16_t) - 1) / sizeof(uint16_t);
+ for (i = 0; i < n; i++) {
+ rnd.rnd16[i] = isc_rng_random(ns_g_server->rngctx);
+ }
@ -377,10 +387,10 @@ index ca789e5..1413e85 100644
memmove(salt, rnd.rnd, saltlen);
diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
index 46c7acf..a0d0278 100644
index 0286987..0376377 100644
--- a/bin/nsupdate/nsupdate.c
+++ b/bin/nsupdate/nsupdate.c
@@ -281,9 +281,7 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
@@ -283,9 +283,7 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
}
#ifdef ISC_PLATFORM_CRYPTORANDOM
@ -388,14 +398,14 @@ index 46c7acf..a0d0278 100644
- strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
- randomfile = NULL;
+ if (randomfile == NULL) {
isc_entropy_usehook(*ectx, ISC_TRUE);
isc_entropy_usehook(*ectx, true);
}
#endif
diff --git a/bin/tests/system/pipelined/pipequeries.c b/bin/tests/system/pipelined/pipequeries.c
index 810d99e..d7d10e2 100644
index f0a6ff2..55064f6 100644
--- a/bin/tests/system/pipelined/pipequeries.c
+++ b/bin/tests/system/pipelined/pipequeries.c
@@ -279,9 +279,7 @@ main(int argc, char *argv[]) {
@@ -280,9 +280,7 @@ main(int argc, char *argv[]) {
ectx = NULL;
RUNCHECK(isc_entropy_create(mctx, &ectx));
#ifdef ISC_PLATFORM_CRYPTORANDOM
@ -403,11 +413,11 @@ index 810d99e..d7d10e2 100644
- strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
- randomfile = NULL;
+ if (randomfile == NULL) {
isc_entropy_usehook(ectx, ISC_TRUE);
isc_entropy_usehook(ectx, true);
}
#endif
diff --git a/bin/tests/system/tkey/keycreate.c b/bin/tests/system/tkey/keycreate.c
index 4f2f5b4..0894db7 100644
index fe8698e..937fcc3 100644
--- a/bin/tests/system/tkey/keycreate.c
+++ b/bin/tests/system/tkey/keycreate.c
@@ -255,9 +255,7 @@ main(int argc, char *argv[]) {
@ -418,14 +428,22 @@ index 4f2f5b4..0894db7 100644
- strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
- randomfile = NULL;
+ if (randomfile == NULL) {
isc_entropy_usehook(ectx, ISC_TRUE);
isc_entropy_usehook(ectx, true);
}
#endif
diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c
index 0975bbe..5b8a470 100644
index 2146f9b..64b8e74 100644
--- a/bin/tests/system/tkey/keydelete.c
+++ b/bin/tests/system/tkey/keydelete.c
@@ -182,9 +182,7 @@ main(int argc, char **argv) {
@@ -171,6 +171,7 @@ main(int argc, char **argv) {
randomfile = argv[2];
argv += 2;
argc -= 2;
+ POST(argc);
}
keyname = argv[1];
@@ -182,9 +183,7 @@ main(int argc, char **argv) {
ectx = NULL;
RUNCHECK(isc_entropy_create(mctx, &ectx));
#ifdef ISC_PLATFORM_CRYPTORANDOM
@ -433,14 +451,14 @@ index 0975bbe..5b8a470 100644
- strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
- randomfile = NULL;
+ if (randomfile == NULL) {
isc_entropy_usehook(ectx, ISC_TRUE);
isc_entropy_usehook(ectx, true);
}
#endif
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index a5d9e2e..2a96f71 100644
index 93c7a08..bb1e81d 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -5070,22 +5070,45 @@ badresp:1,adberr:0,findfail:0,valfail:0]
@@ -5081,22 +5081,45 @@ badresp:1,adberr:0,findfail:0,valfail:0]
<term><command>random-device</command></term>
<listitem>
<para>
@ -502,56 +520,71 @@ index a5d9e2e..2a96f71 100644
</para>
</listitem>
</varlistentry>
diff --git a/doc/arm/notes-rh-changes.xml b/doc/arm/notes-rh-changes.xml
new file mode 100644
index 0000000..89a4961
--- /dev/null
+++ b/doc/arm/notes-rh-changes.xml
@@ -0,0 +1,42 @@
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<section xml:id="relnotes_rh_changes"><info><title>Red Hat Specific Changes</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ By default, BIND now uses the random number generation functions
+ in the cryptographic library (i.e., OpenSSL or a PKCS#11
+ provider) as a source of high-quality randomness rather than
+ <filename>/dev/random</filename>. This is suitable for virtual
+ machine environments, which may have limited entropy pools and
+ lack hardware random number generators.
+ </para>
+ <para>
+ This can be overridden by specifying another entropy source via
+ the <command>random-device</command> option in
+ <filename>named.conf</filename>, or via the <command>-r</command>
+ command line option. However, for functions requiring full
+ cryptographic strength, such as DNSSEC key generation, this
+ <emphasis>cannot</emphasis> be overridden. In particular, the
+ <command>-r</command> command line option no longer has any
+ effect on <command>dnssec-keygen</command>.
+ </para>
+ <para>
+ This can be disabled by building with
+ <command>configure --disable-crypto-rand</command>, in which
+ case <filename>/dev/random</filename> will be the default
+ entropy source. [RT #31459] [RT #46047]
+ </para>
+ </listitem>
+ </itemizedlist>
+</section>
+
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index d3fdb5e..a8ad92d 100644
index 589a347..052a0bd 100644
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -105,7 +105,28 @@
<itemizedlist>
<listitem>
<para>
- None.
+ By default, BIND now uses the random number generation functions
+ in the cryptographic library (i.e., OpenSSL or a PKCS#11
+ provider) as a source of high-quality randomness rather than
+ <filename>/dev/random</filename>. This is suitable for virtual
+ machine environments, which may have limited entropy pools and
+ lack hardware random number generators.
+ </para>
+ <para>
+ This can be overridden by specifying another entropy source via
+ the <command>random-device</command> option in
+ <filename>named.conf</filename>, or via the <command>-r</command>
+ command line option. However, for functions requiring full
+ cryptographic strength, such as DNSSEC key generation, this
+ <emphasis>cannot</emphasis> be overridden. In particular, the
+ <command>-r</command> command line option no longer has any
+ effect on <command>dnssec-keygen</command>.
+ </para>
+ <para>
+ This can be disabled by building with
+ <command>configure --disable-crypto-rand</command>, in which
+ case <filename>/dev/random</filename> will be the default
+ entropy source. [RT #31459] [RT #46047]
</para>
</listitem>
</itemizedlist>
@@ -40,6 +40,7 @@
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.11.1.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.11.0.xml"/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-rh-changes.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-eol.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-thankyou.xml"/>
</section>
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index 803e7b3..29a4fef 100644
index 1eccbe7..1933993 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -276,8 +276,9 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
#endif
#if defined(OPENSSL) || defined(PKCS11CRYPTO)
#ifdef ISC_PLATFORM_CRYPTORANDOM
- if (dst_entropy_pool != NULL)
+ if (dst_entropy_pool != NULL) {
isc_entropy_sethook(dst_random_getdata);
+ }
#endif
#endif /* defined(OPENSSL) || defined(PKCS11CRYPTO) */
dst_initialized = ISC_TRUE;
@@ -2015,10 +2016,12 @@ dst__entropy_getdata(void *buf, unsigned int len, isc_boolean_t pseudo) {
@@ -2017,10 +2017,12 @@ dst__entropy_getdata(void *buf, unsigned int len, bool pseudo) {
else
flags |= ISC_ENTROPY_BLOCKING;
#ifdef ISC_PLATFORM_CRYPTORANDOM
@ -566,10 +599,10 @@ index 803e7b3..29a4fef 100644
}
diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
index d9b6ab6..e8c1a3c 100644
index 6813c96..665574d 100644
--- a/lib/dns/include/dst/dst.h
+++ b/lib/dns/include/dst/dst.h
@@ -161,8 +161,18 @@ isc_result_t
@@ -163,8 +163,18 @@ isc_result_t
dst_random_getdata(void *data, unsigned int length,
unsigned int *returned, unsigned int flags);
/*%<
@ -589,12 +622,12 @@ index d9b6ab6..e8c1a3c 100644
+ * \li DST_R_OPENSSLFAILURE, DST_R_CRYPTOFAILURE, or other codes on error
*/
isc_boolean_t
bool
diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
index c1e1bde..91e87d0 100644
index ffe0a69..5e48686 100644
--- a/lib/dns/openssl_link.c
+++ b/lib/dns/openssl_link.c
@@ -482,7 +482,8 @@ dst__openssl_getengine(const char *engine) {
@@ -484,7 +484,8 @@ dst__openssl_getengine(const char *engine) {
isc_result_t
dst_random_getdata(void *data, unsigned int length,
@ -605,19 +638,10 @@ index c1e1bde..91e87d0 100644
#ifndef DONT_REQUIRE_DST_LIB_INIT
INSIST(dst__memory_pool != NULL);
diff --git a/lib/isc/include/isc/entropy.h b/lib/isc/include/isc/entropy.h
index d9deb8a..2d37363 100644
index c40a18c..c7cb17d 100644
--- a/lib/isc/include/isc/entropy.h
+++ b/lib/isc/include/isc/entropy.h
@@ -9,8 +9,6 @@
* information regarding copyright ownership.
*/
-/* $Id: entropy.h,v 1.35 2009/10/19 02:37:08 marka Exp $ */
-
#ifndef ISC_ENTROPY_H
#define ISC_ENTROPY_H 1
@@ -190,9 +188,8 @@ isc_entropy_createcallbacksource(isc_entropy_t *ent,
@@ -189,9 +189,8 @@ isc_entropy_createcallbacksource(isc_entropy_t *ent,
/*!<
* \brief Create an entropy source that is polled via a callback.
*
@ -629,18 +653,23 @@ index d9deb8a..2d37363 100644
*
* Samples are added via isc_entropy_addcallbacksample(), below.
* _addcallbacksample() is the only function which may be called from
@@ -233,15 +230,32 @@ isc_result_t
@@ -232,15 +231,32 @@ isc_result_t
isc_entropy_getdata(isc_entropy_t *ent, void *data, unsigned int length,
unsigned int *returned, unsigned int flags);
/*!<
- * \brief Extract data from the entropy pool. This may load the pool from various
- * sources.
+ * \brief Get random data from entropy pool 'ent'.
+ *
*
- * Do this by stirring the pool and returning a part of hash as randomness.
- * Note that no secrets are given away here since parts of the hash are
- * xored together before returned.
+ * If a hook has been set up using isc_entropy_sethook() and
+ * isc_entropy_usehook(), then the hook function will be called to get
+ * random data.
+ *
*
- * Honor the request from the caller to only return good data, any data,
- * etc.
+ * Otherwise, randomness is extracted from the entropy pool set up in BIND.
+ * This may cause the pool to be loaded from various sources. Ths is done
+ * by stirring the pool and returning a part of hash as randomness.
@ -651,17 +680,12 @@ index d9deb8a..2d37363 100644
+ * ISC_ENTROPY_BLOCKING. These will be honored if the hook function is
+ * not in use. If it is, the flags will be passed to the hook function
+ * but it may ignore them.
*
- * Do this by stiring the pool and returning a part of hash as randomness.
- * Note that no secrets are given away here since parts of the hash are
- * xored together before returned.
+ *
+ * Up to 'length' bytes of randomness are retrieved and copied into 'data'.
+ * (If 'returned' is not NULL, and the number of bytes copied is less than
+ * 'length' - which may happen if ISC_ENTROPY_PARTIAL was used - then the
+ * number of bytes copied will be stored in *returned.)
*
- * Honor the request from the caller to only return good data, any data,
- * etc.
+ *
+ * Returns:
+ * \li ISC_R_SUCCESS on success
+ * \li ISC_R_NOENTROPY if entropy pool is empty
@ -669,9 +693,9 @@ index d9deb8a..2d37363 100644
*/
void
@@ -306,13 +320,21 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source,
@@ -305,13 +321,21 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source,
void
isc_entropy_usehook(isc_entropy_t *ectx, isc_boolean_t onoff);
isc_entropy_usehook(isc_entropy_t *ectx, bool onoff);
/*!<
- * \brief Mark/unmark the given entropy structure as being hooked.
+ * \brief Configure entropy context 'ectx' to use the hook function
@ -694,7 +718,7 @@ index d9deb8a..2d37363 100644
ISC_LANG_ENDDECLS
diff --git a/lib/isc/include/isc/random.h b/lib/isc/include/isc/random.h
index ba53ebf..b575728 100644
index f8aed34..17c551b 100644
--- a/lib/isc/include/isc/random.h
+++ b/lib/isc/include/isc/random.h
@@ -9,8 +9,6 @@
@ -737,8 +761,8 @@ index ba53ebf..b575728 100644
ISC_LANG_BEGINDECLS
@@ -115,8 +123,8 @@ isc_rng_random(isc_rng_t *rngctx);
isc_uint16_t
isc_rng_uniformrandom(isc_rng_t *rngctx, isc_uint16_t upper_bound);
uint16_t
isc_rng_uniformrandom(isc_rng_t *rngctx, uint16_t upper_bound);
/*%<
- * Returns a uniformly distributed pseudo random 16-bit unsigned
- * integer.
@ -748,10 +772,10 @@ index ba53ebf..b575728 100644
ISC_LANG_ENDDECLS
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index 8d496ff..dd08187 100644
index 1c45d5c..91693b5 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -1106,7 +1106,7 @@ options_clauses[] = {
@@ -1109,7 +1109,7 @@ options_clauses[] = {
{ "pid-file", &cfg_type_qstringornone, 0 },
{ "port", &cfg_type_uint32, 0 },
{ "querylog", &cfg_type_boolean, 0 },
@ -761,5 +785,5 @@ index 8d496ff..dd08187 100644
{ "recursive-clients", &cfg_type_uint32, 0 },
{ "reserved-sockets", &cfg_type_uint32, 0 },
--
2.14.4
2.21.1

42
bind-9.11-serve-stale-dbfix.patch Normal file
View File

@ -0,0 +1,42 @@
From 20848d8284951481051f6ebdeb8128c05c7e82e2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Mon, 11 Nov 2019 16:56:52 +0100
Subject: [PATCH] Move stale_ttl from middle to the end
bind-dyndb-ldap is using rdataset structure. Do not modify its body,
move stale_ttl to the end. Make it binary compatible.
---
lib/dns/include/dns/rdataset.h | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/lib/dns/include/dns/rdataset.h b/lib/dns/include/dns/rdataset.h
index 97071ed496..a0c6afe624 100644
--- a/lib/dns/include/dns/rdataset.h
+++ b/lib/dns/include/dns/rdataset.h
@@ -137,11 +137,6 @@ struct dns_rdataset {
dns_rdataclass_t rdclass;
dns_rdatatype_t type;
dns_ttl_t ttl;
- /*
- * Stale ttl is used to see how long this RRset can still be used
- * to serve to clients, after the TTL has expired.
- */
- dns_ttl_t stale_ttl;
dns_trust_t trust;
dns_rdatatype_t covers;
@@ -178,6 +173,11 @@ struct dns_rdataset {
void * private7;
/*@}*/
+ /*
+ * Stale ttl is used to see how long this RRset can still be used
+ * to serve to clients, after the TTL has expired.
+ */
+ dns_ttl_t stale_ttl;
};
/*!
--
2.20.1

3859
bind-9.11-serve-stale.patch Normal file
View File

File diff suppressed because it is too large Load Diff

39
bind-9.11-tests-pkcs11.patch Normal file
View File

@ -0,0 +1,39 @@
From 66298a12b09784eab2c052ab22f87bb2b2f1267b Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Fri, 1 Mar 2019 15:55:46 +0100
Subject: [PATCH] Detect correctly pkcs11 support
It fails now always, because oot builds are not supported by
cleanpkcs11.sh.
---
bin/tests/system/cleanpkcs11.sh | 2 +-
bin/tests/system/conf.sh.in | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/bin/tests/system/cleanpkcs11.sh b/bin/tests/system/cleanpkcs11.sh
index b974708..3bbef4c 100644
--- a/bin/tests/system/cleanpkcs11.sh
+++ b/bin/tests/system/cleanpkcs11.sh
@@ -12,6 +12,6 @@
SYSTEMTESTTOP=.
. $SYSTEMTESTTOP/conf.sh
-if [ ! -x ../../pkcs11/pkcs11-destroy ]; then exit 1; fi
+if [ ! -x "$PK11DESTROY" ]; then exit 1; fi
$PK11DEL -w0 > /dev/null 2>&1
diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in
index a446c18..ede1203 100644
--- a/bin/tests/system/conf.sh.in
+++ b/bin/tests/system/conf.sh.in
@@ -46,6 +46,7 @@ CHECKZONE=$TOP/bin/check/named-checkzone
CHECKCONF=$TOP/bin/check/named-checkconf
PK11GEN="$TOP/bin/pkcs11/pkcs11-keygen -q -s ${SLOT:-0} -p ${HSMPIN:-1234}"
PK11LIST="$TOP/bin/pkcs11/pkcs11-list -s ${SLOT:-0} -p ${HSMPIN:-1234}"
+PK11DESTROY=$TOP/bin/pkcs11/pkcs11-destroy
PK11DEL="$TOP/bin/pkcs11/pkcs11-destroy -s ${SLOT:-0} -p ${HSMPIN:-1234} -w 0"
JOURNALPRINT=$TOP/bin/tools/named-journalprint
VERIFY=$TOP/bin/dnssec/dnssec-verify
--
2.20.1

65
bind-9.11-tests-variants.patch Normal file
View File

@ -0,0 +1,65 @@
From 9576e960ad3719aa9c1707734ad7ba0eccf16e5f Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Fri, 1 Mar 2019 15:48:20 +0100
Subject: [PATCH] Make alternative named builds testable in system tests
Red Hat has alternative variant builds of named, which are not ever
tested by system tests. New variables make it relatively easy to test
alternative variants.
For sdb variant use:
export NAMED_VARIANT=-sdb DNSSEC_VARIANT=
For pkcs variant use:
export NAMED_VARIANT=-pkcs11 DNSSEC_VARIANT=-pkcs11
---
bin/tests/system/conf.sh.in | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in
index 6f2dbcd..05605ae 100644
--- a/bin/tests/system/conf.sh.in
+++ b/bin/tests/system/conf.sh.in
@@ -37,7 +37,7 @@ DISABLED_ALGORITHM=ECDSAP384SHA384
DISABLED_ALGORITHM_NUMBER=14
DISABLED_BITS=384
-NAMED=$TOP/bin/named/named
+NAMED=$TOP/bin/named${NAMED_VARIANT}/named${NAMED_VARIANT}
# We must use "named -l" instead of "lwresd" because argv[0] is lost
# if the program is libtoolized.
LWRESD="$TOP/bin/named/named -l"
@@ -48,14 +48,14 @@ NSUPDATE=$TOP/bin/nsupdate/nsupdate
DDNSCONFGEN=$TOP/bin/confgen/ddns-confgen
TSIGKEYGEN=$TOP/bin/confgen/tsig-keygen
RNDCCONFGEN=$TOP/bin/confgen/rndc-confgen
-KEYGEN=$TOP/bin/dnssec/dnssec-keygen
-KEYFRLAB=$TOP/bin/dnssec/dnssec-keyfromlabel
-SIGNER=$TOP/bin/dnssec/dnssec-signzone
-REVOKE=$TOP/bin/dnssec/dnssec-revoke
-SETTIME=$TOP/bin/dnssec/dnssec-settime
-DSFROMKEY=$TOP/bin/dnssec/dnssec-dsfromkey
+KEYGEN=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-keygen${DNSSEC_VARIANT}
+KEYFRLAB=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-keyfromlabel${DNSSEC_VARIANT}
+SIGNER=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-signzone${DNSSEC_VARIANT}
+REVOKE=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-revoke${DNSSEC_VARIANT}
+SETTIME=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-settime${DNSSEC_VARIANT}
+DSFROMKEY=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-dsfromkey${DNSSEC_VARIANT}
HOST=$TOP/bin/dig/host
-IMPORTKEY=$TOP/bin/dnssec/dnssec-importkey
+IMPORTKEY=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-importkey${DNSSEC_VARIANT}
CHECKDS=$TOP/bin/python/dnssec-checkds
COVERAGE=$TOP/bin/python/dnssec-coverage
KEYMGR=$TOP/bin/python/dnssec-keymgr
@@ -75,7 +75,7 @@ DNSTAPREAD=$TOP/bin/tools/dnstap-read
MDIG=$TOP/bin/tools/mdig
NZD2NZF=$TOP/bin/tools/named-nzd2nzf
FSTRM_CAPTURE=@FSTRM_CAPTURE@
-FEATURETEST=$TOP/bin/named/feature-test
+FEATURETEST=$TOP/bin/named${NAMED_VARIANT}/feature-test${NAMED_VARIANT}
RANDFILE=$TOP/bin/tests/system/random.data
--
2.21.1

30
bind-9.11-unit-disable-random.patch Normal file
View File

@ -0,0 +1,30 @@
From 373f07148217a8e70e33446f5108fb42d1079ba6 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Thu, 21 Feb 2019 22:42:27 +0100
Subject: [PATCH] Disable random_test
It fails too often on some architecture, failing the whole build along.
Because it runs two times for pkcs11 and normal build and any of
subtests can occasionally fail, stop it.
It can be used again by defining 'unstable' variable in Kyuafile.
---
lib/isc/tests/Kyuafile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/isc/tests/Kyuafile b/lib/isc/tests/Kyuafile
index 4cd2574..9df2340 100644
--- a/lib/isc/tests/Kyuafile
+++ b/lib/isc/tests/Kyuafile
@@ -19,7 +19,7 @@ tap_test_program{name='pool_test'}
tap_test_program{name='print_test'}
tap_test_program{name='queue_test'}
tap_test_program{name='radix_test'}
-tap_test_program{name='random_test'}
+tap_test_program{name='random_test', required_configs='unstable'}
tap_test_program{name='regex_test'}
tap_test_program{name='result_test'}
tap_test_program{name='safe_test'}
--
2.20.1

BIN
bind-9.11.21.tar.gz Normal file
View File

Binary file not shown.

16
bind-9.11.21.tar.gz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABAgAdFiEElc7aJWscoKFfMC+1lSGn7V2s6RgFAl8Fgc8ACgkQlSGn7V2s
6Rj/ThAAlpExE5fpqdUFncwGzw1XTBHuHOlvQN4cJQseL/6c0O7lwjUxddAKYNyB
+TnGEgbd+OG6ifvxIG7m/4JkTuuw7hdj88MNHhhD6r7BnnTnwWL50qlL1McbhOCG
ThqbxCOL+ncg48f/LytXj02l38dt136lxJlpkwyHaykMJO4Im19Te69hWROftKpP
X4c3/GtJL5ZMtFxUyHpvHv0MJbZrLgys9+R7FtOlSckSgCMIj/D2fiPBCpNkY2uN
DdLkOe5oVqpypQfY2K1NbyJPaUUkDfnf2VHNF/c6DLLzCz/kYA14QxJjDKGtKV20
5tDJF+7buDqi/egUCB3VNagPWgYyIbVFR/VGReepOR+gedEiqwyN0Q0B76VEtB7H
lkeMRol07wm88tLHTIH+JpgGz7vYSyIPgZ3K/gJMmJUgk70zArlzb/WSMrfVtJqd
irB/cPiKhlG3Ktau7/LgVeX7s5isoXImwQ3JgSTlw2ZlhkT7PzALkVbT7CRtjOT9
+VqEA7iYClBuSgdFv9Dr41pho9bWBjGvATekSTHnQJfGvSvtGzD+XbxhyLhJQnZ+
XgsZ0uQZxzxqHk23TirGIA3iWSwIFGxeLYsTzg9wY4Qx8pwjDZVD0hrkuKaRQZS3
CrxBfqzT8zTD9okforH/E3tau38ENZO42XqQDXdAjw+ioMjqUOM=
=I3HH
-----END PGP SIGNATURE-----

BIN
bind-9.11.4-P2.tar.gz
View File

Binary file not shown.

68
bind-9.3.2-redhat_doc.patch Normal file
View File

@ -0,0 +1,68 @@
diff --git a/bin/named/named.8 b/bin/named/named.8
index ef10ef4..3150b22 100644
--- a/bin/named/named.8
+++ b/bin/named/named.8
@@ -349,6 +349,63 @@ The default configuration file\&.
/var/run/named/named\&.pid
.RS 4
The default process\-id file\&.
+.PP
+.SH "NOTES"
+.PP
+.TP
+\fBRed Hat SELinux BIND Security Profile:\fR
+.PP
+By default, Red Hat ships BIND with the most secure SELinux policy
+that will not prevent normal BIND operation and will prevent exploitation
+of all known BIND security vulnerabilities . See the selinux(8) man page
+for information about SElinux.
+.PP
+It is not necessary to run named in a chroot environment if the Red Hat
+SELinux policy for named is enabled. When enabled, this policy is far
+more secure than a chroot environment. Users are recommended to enable
+SELinux and remove the bind-chroot package.
+.PP
+With this extra security comes some restrictions:
+.PP
+By default, the SELinux policy does not allow named to write any master
+zone database files. Only the root user may create files in the $ROOTDIR/var/named
+zone database file directory (the options { "directory" } option), where
+$ROOTDIR is set in /etc/sysconfig/named.
+.PP
+The "named" group must be granted read privelege to
+these files in order for named to be enabled to read them.
+.PP
+Any file created in the zone database file directory is automatically assigned
+the SELinux file context named_zone_t .
+.PP
+By default, SELinux prevents any role from modifying named_zone_t files; this
+means that files in the zone database directory cannot be modified by dynamic
+DNS (DDNS) updates or zone transfers.
+.PP
+The Red Hat BIND distribution and SELinux policy creates three directories where
+named is allowed to create and modify files: /var/named/slaves, /var/named/dynamic
+/var/named/data. By placing files you want named to modify, such as
+slave or DDNS updateable zone files and database / statistics dump files in
+these directories, named will work normally and no further operator action is
+required. Files in these directories are automatically assigned the 'named_cache_t'
+file context, which SELinux allows named to write.
+.PP
+\fBRed Hat BIND SDB support:\fR
+.PP
+Red Hat ships named with compiled in Simplified Database Backend modules that ISC
+provides in the "contrib/sdb" directory. Install bind-sdb package if you want use them
+.PP
+The SDB modules for LDAP, PostGreSQL, DirDB and SQLite are compiled into named-sdb.
+.PP
+See the documentation for the various SDB modules in /usr/share/doc/bind-sdb-*/ .
+.br
+.PP
+\fBRed Hat system-config-bind:\fR
+.PP
+Red Hat provides the system-config-bind GUI to configure named.conf and zone
+database files. Run the "system-config-bind" command and access the manual
+by selecting the Help menu.
+.PP
.RE
.SH "SEE ALSO"
.PP

224
bind-9.3.2b1-fix_sdb_ldap.patch
View File

@ -1,5 +1,5 @@
diff --git a/bin/sdb_tools/Makefile.in b/bin/sdb_tools/Makefile.in
index 95ab742..6069f09 100644
index 95ab742..5059a17 100644
--- a/bin/sdb_tools/Makefile.in
+++ b/bin/sdb_tools/Makefile.in
@@ -32,11 +32,11 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
@ -7,49 +7,46 @@ index 95ab742..6069f09 100644
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} ${DBDRIVER_LIBS} @LIBS@
-TARGETS = zone2ldap@EXEEXT@ zonetodb@EXEEXT@ zone2sqlite@EXEEXT@
+TARGETS = zone2ldap@EXEEXT@ ldap2zone@EXEEXT@ zonetodb@EXEEXT@ zone2sqlite@EXEEXT@
+TARGETS = zone2ldap@EXEEXT@ zonetodb@EXEEXT@ zone2sqlite@EXEEXT@ ldap2zone@EXEEXT@
-OBJS = zone2ldap.@O@ zonetodb.@O@ zone2sqlite.@O@
+OBJS = zone2ldap.@O@ ldap2zone.@O@ zonetodb.@O@ zone2sqlite.@O@
+OBJS = zone2ldap.@O@ zonetodb.@O@ zone2sqlite.@O@ ldap2zone.@O@
-SRCS = zone2ldap.c zonetodb.c zone2sqlite.c
+SRCS = zone2ldap.c ldap2zone.c zonetodb.c zone2sqlite.c
+SRCS = zone2ldap.c zonetodb.c zone2sqlite.c ldap2zone.c
MANPAGES = zone2ldap.1
@@ -53,6 +53,9 @@ zonetodb@EXEEXT@: zonetodb.@O@ ${DEPLIBS}
zone2sqlite@EXEEXT@: zone2sqlite.@O@ ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ zone2sqlite.@O@ -lsqlite3 -lssl ${LIBS}
@@ -47,6 +47,9 @@ EXT_CFLAGS =
zone2ldap@EXEEXT@: zone2ldap.@O@ ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ zone2ldap.@O@ -lldap -llber ${LIBS}
+ldap2zone@EXEEXT@: ldap2zone.@O@ ${DEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ ldap2zone.@O@ -lldap -llber ${LIBS}
+
clean distclean manclean maintainer-clean::
rm -f ${TARGETS} ${OBJS}
zonetodb@EXEEXT@: zonetodb.@O@ ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ zonetodb.@O@ -lpq ${LIBS}
@@ -62,6 +65,7 @@ installdirs:
install:: ${TARGETS} installdirs
@@ -64,4 +67,5 @@ install:: ${TARGETS} installdirs
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2ldap@EXEEXT@ ${DESTDIR}${sbindir}
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} ldap2zone@EXEEXT@ ${DESTDIR}${sbindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zonetodb@EXEEXT@ ${DESTDIR}${sbindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2sqlite@EXEEXT@ ${DESTDIR}${sbindir}
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} ldap2zone@EXEEXT@ ${DESTDIR}${sbindir}
${INSTALL_DATA} ${srcdir}/zone2ldap.1 ${DESTDIR}${mandir}/man1/zone2ldap.1
diff --git a/bin/sdb_tools/zone2ldap.c b/bin/sdb_tools/zone2ldap.c
index 23dd873..d56bc56 100644
index e0e9207..d59936c 100644
--- a/bin/sdb_tools/zone2ldap.c
+++ b/bin/sdb_tools/zone2ldap.c
@@ -65,6 +66,9 @@ ldap_info;
/* usage Info */
void usage (void);
@@ -73,7 +73,7 @@ void add_ldap_values (ldap_info * ldinfo);
void init_ldap_conn (void);
+/* Check for existence of (and possibly add) containing dNSZone objects */
+int lookup_dns_zones( ldap_info *ldinfo);
+
/* Add to the ldap dit */
void add_ldap_values (ldap_info * ldinfo);
/* Ldap error checking */
-void ldap_result_check (const char *msg, char *dn, int err);
+void ldap_result_check (const char *msg, const char *dn, int err);
@@ -81,7 +85,7 @@ char **hostname_to_dn_list (char *hostname, char *zone, unsigned int flags);
/* Put a hostname into a char ** array */
char **hostname_to_dn_list (char *hostname, char *zone, unsigned int flags);
@@ -82,7 +82,7 @@ char **hostname_to_dn_list (char *hostname, char *zone, unsigned int flags);
int get_attr_list_size (char **tmp);
/* Get a DN */
@ -58,7 +55,7 @@ index 23dd873..d56bc56 100644
/* Add to RR list */
void add_to_rr_list (char *dn, char *name, char *type, char *data,
@@ -103,11 +107,27 @@ void
@@ -104,11 +104,26 @@ void
init_ldap_conn ();
void usage();
@ -87,11 +84,19 @@ index 23dd873..d56bc56 100644
+static char *objectClasses []= { &(topClass[0]), &(dNSZoneClass[0]), NULL };
+static char *topObjectClasses []= { &(topClass[0]), &(dcObjectClass[0]), &(dNSZoneClass[0]), NULL };
+static char *dn_buffer [64]={NULL};
+
LDAP *conn;
unsigned int debug = 0;
@@ -131,12 +151,12 @@ main (int argc, char **argv)
@@ -120,7 +135,7 @@ static void
fatal(const char *msg) {
perror(msg);
if (conn != NULL)
- ldap_unbind_s(conn);
+ ldap_unbind_ext_s(conn, NULL, NULL);
exit(1);
}
@@ -132,12 +147,13 @@ main (int argc, char **argv)
isc_result_t result;
char *basedn;
ldap_info *tmp;
@ -102,12 +107,12 @@ index 23dd873..d56bc56 100644
isc_buffer_t buff;
char *zonefile=0L;
char fullbasedn[1024];
- char *ctmp;
+ char *ctmp, *zn, *dcp[2], *znp[2], *rdn[2];
char *ctmp;
+ char *zn, *dcp[2], *znp[2], *rdn[2];
dns_fixedname_t fixedzone, fixedname;
dns_rdataset_t rdataset;
char **dc_list;
@@ -149,7 +169,7 @@ main (int argc, char **argv)
@@ -150,7 +166,7 @@ main (int argc, char **argv)
extern char *optarg;
extern int optind, opterr, optopt;
int create_base = 0;
@ -116,7 +121,7 @@ index 23dd873..d56bc56 100644
if (argc < 2)
{
@@ -157,7 +177,7 @@ main (int argc, char **argv)
@@ -158,7 +174,7 @@ main (int argc, char **argv)
exit (-1);
}
@ -125,7 +130,7 @@ index 23dd873..d56bc56 100644
{
switch (topt)
{
@@ -180,6 +200,9 @@ main (int argc, char **argv)
@@ -181,6 +197,9 @@ main (int argc, char **argv)
if (bindpw == NULL)
fatal("strdup");
break;
@ -135,35 +140,27 @@ index 23dd873..d56bc56 100644
case 'b':
ldapbase = strdup (optarg);
if (ldapbase == NULL)
@@ -301,27 +324,62 @@ main (int argc, char **argv)
{
if (debug)
@@ -302,17 +321,51 @@ main (int argc, char **argv)
printf ("Creating base zone DN %s\n", argzone);
-
+
dc_list = hostname_to_dn_list (argzone, argzone, DNS_TOP);
- basedn = build_dn_from_dc_list (dc_list, 0, NO_SPEC);
- for (ctmp = &basedn[strlen (basedn)]; ctmp >= &basedn[0]; ctmp--)
+ basedn = build_dn_from_dc_list (dc_list, 0, NO_SPEC, argzone);
+ if (debug)
+ printf ("base DN %s\n", basedn);
+
- for (ctmp = &basedn[strlen (basedn)]; ctmp >= &basedn[0]; ctmp--)
+ for (ctmp = &basedn[strlen (basedn)], dcn=0; ctmp >= &basedn[0]; ctmp--)
{
- if ((*ctmp == ',') || (ctmp == &basedn[0]))
+ if ((*ctmp == ',') || (ctmp == &basedn[0]))
if ((*ctmp == ',') || (ctmp == &basedn[0]))
{
+
base.mod_op = LDAP_MOD_ADD;
- base.mod_type = (char*)"objectClass";
- base.mod_values = (char**)topObjectClasses;
+ base.mod_type = objectClass;
+ base.mod_values = topObjectClasses;
base.mod_values = (char**)topObjectClasses;
base_attrs[0] = (void*)&base;
- base_attrs[1] = NULL;
-
+
+
+ dcBase.mod_op = LDAP_MOD_ADD;
+ dcBase.mod_type = dc;
+ dcp[0]=dc_list[dcn];
@ -172,13 +169,13 @@ index 23dd873..d56bc56 100644
+ base_attrs[1] = (void*)&dcBase;
+
+ znBase.mod_op = LDAP_MOD_ADD;
+ znBase.mod_type = zoneName;
+ znBase.mod_type = zoneName;
+ for( zdn = dcn, znlen = 0; zdn >= 0; zdn-- )
+ znlen += strlen(dc_list[zdn])+1;
+ znp[0] = (char*)malloc(znlen+1);
+ znp[1] = 0L;
+ for( zdn = dcn, zn=znp[0]; zdn >= 0; zdn-- )
+ zn+=sprintf(zn,"%s%s",dc_list[zdn],
+ for( zdn = dcn, zn=znp[0]; zdn >= 0; zdn-- )
+ zn+=sprintf(zn,"%s%s",dc_list[zdn],
+ ((zdn > 0) && (*(dc_list[zdn-1])!='.')) ? "." : ""
+ );
+
@ -191,24 +188,15 @@ index 23dd873..d56bc56 100644
+ rdn[1] = 0L;
+ rdnBase.mod_values = rdn;
+ base_attrs[3] = (void*)&rdnBase;
+
+
+ dcn++;
+
+ base.mod_values = topObjectClasses;
+ base_attrs[4] = NULL;
+
+ base_attrs[4] = NULL;
if (ldapbase)
{
if (ctmp != &basedn[0])
sprintf (fullbasedn, "%s,%s", ctmp + 1, ldapbase);
else
- sprintf (fullbasedn, "%s,%s", ctmp, ldapbase);
-
+ sprintf (fullbasedn, "%s,%s", ctmp, ldapbase);
}
else
{
@@ -330,8 +388,13 @@ main (int argc, char **argv)
@@ -329,6 +382,10 @@ main (int argc, char **argv)
else
sprintf (fullbasedn, "%s", ctmp);
}
@ -217,12 +205,9 @@ index 23dd873..d56bc56 100644
+ printf("Full base dn: %s\n", fullbasedn);
+
result = ldap_add_s (conn, fullbasedn, base_attrs);
ldap_result_check ("intial ldap_add_s", fullbasedn, result);
+
ldap_result_check ("initial ldap_add_s", fullbasedn, result);
}
}
@@ -409,14 +472,14 @@ generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, unsigned int ttl)
@@ -408,14 +465,14 @@ generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, unsigned int ttl)
isc_result_check (result, "dns_rdata_totext");
data[isc_buffer_usedlength (&buff)] = 0;
@ -240,7 +225,7 @@ index 23dd873..d56bc56 100644
}
@@ -456,7 +519,8 @@ add_to_rr_list (char *dn, char *name, char *type,
@@ -455,7 +512,8 @@ add_to_rr_list (char *dn, char *name, char *type,
int attrlist;
char ldap_type_buffer[128];
char charttl[64];
@ -250,7 +235,7 @@ index 23dd873..d56bc56 100644
if ((tmp = locate_by_dn (dn)) == NULL)
{
@@ -483,13 +547,13 @@ add_to_rr_list (char *dn, char *name, char *type,
@@ -482,10 +540,10 @@ add_to_rr_list (char *dn, char *name, char *type,
fatal("malloc");
}
tmp->attrs[0]->mod_op = LDAP_MOD_ADD;
@ -262,12 +247,8 @@ index 23dd873..d56bc56 100644
+ tmp->attrs[0]->mod_values = objectClasses;
else
{
- tmp->attrs[0]->mod_values = (char**)topObjectClasses;
+ tmp->attrs[0]->mod_values =topObjectClasses;
tmp->attrs[1] = NULL;
tmp->attrcnt = 2;
tmp->next = ldap_info_base;
@@ -498,7 +562,7 @@ add_to_rr_list (char *dn, char *name, char *type,
tmp->attrs[0]->mod_values = (char**)topObjectClasses;
@@ -497,7 +555,7 @@ add_to_rr_list (char *dn, char *name, char *type,
}
tmp->attrs[1]->mod_op = LDAP_MOD_ADD;
@ -276,7 +257,7 @@ index 23dd873..d56bc56 100644
tmp->attrs[1]->mod_values = (char **) calloc (sizeof (char *), 2);
if (tmp->attrs[1]->mod_values == (char **)NULL)
@@ -527,7 +591,7 @@ add_to_rr_list (char *dn, char *name, char *type,
@@ -526,7 +584,7 @@ add_to_rr_list (char *dn, char *name, char *type,
fatal("strdup");
tmp->attrs[3]->mod_op = LDAP_MOD_ADD;
@ -285,16 +266,16 @@ index 23dd873..d56bc56 100644
tmp->attrs[3]->mod_values = (char **) calloc (sizeof (char *), 2);
if (tmp->attrs[3]->mod_values == (char **)NULL)
@@ -540,14 +604,25 @@ add_to_rr_list (char *dn, char *name, char *type,
@@ -539,14 +597,25 @@ add_to_rr_list (char *dn, char *name, char *type,
if (tmp->attrs[3]->mod_values[0] == NULL)
fatal("strdup");
+ znlen=strlen(gbl_zone);
+ if ( *(gbl_zone + (znlen-1)) == '.' )
+ znlen=strlen(gbl_zone);
+ if ( gbl_zone[znlen-1] == '.' )
+ { /* ldapdb MUST search by relative zone name */
+ zn = (char*)malloc(znlen);
+ strncpy(zn,gbl_zone,znlen-1);
+ *(zn + (znlen-1))='\0';
+ memcpy(zn, gbl_zone, znlen-1);
+ zn[znlen-1]='\0';
+ }else
+ {
+ zn = gbl_zone;
@ -313,7 +294,7 @@ index 23dd873..d56bc56 100644
tmp->attrs[4]->mod_values[1] = NULL;
tmp->attrs[5] = NULL;
@@ -558,7 +633,7 @@ add_to_rr_list (char *dn, char *name, char *type,
@@ -557,7 +626,7 @@ add_to_rr_list (char *dn, char *name, char *type,
else
{
@ -322,7 +303,7 @@ index 23dd873..d56bc56 100644
{
sprintf (ldap_type_buffer, "%sRecord", type);
if (!strncmp
@@ -632,44 +707,70 @@ char **
@@ -631,44 +700,70 @@ char **
hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
{
char *tmp;
@ -382,10 +363,10 @@ index 23dd873..d56bc56 100644
+ {
+ if( hname == 0 )
+ hname=strdup(hostname);
+ last = strdup(sameZone);
+ last = strdup(sameZone);
+ }else
+ {
+ if( (hlen < zlen)
+ {
+ if( (hlen < zlen)
+ ||( strcmp( hostname + (hlen - zlen), zone ) != 0)
+ )
+ {
@ -422,7 +403,7 @@ index 23dd873..d56bc56 100644
+ *tmp = '\0';
+ if( tmp == hname )
+ break;
+ }
+ }
+ }
+ if( ( last != hname ) && (tmp != hname) )
+ dn_buffer[i++] = hname;
@ -430,7 +411,7 @@ index 23dd873..d56bc56 100644
dn_buffer[i] = NULL;
return dn_buffer;
@@ -681,24 +782,32 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
@@ -680,30 +775,38 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
* exception of "@"/SOA. */
char *
@ -439,19 +420,21 @@ index 23dd873..d56bc56 100644
{
int size;
- int x;
- static char dn[1024];
- char tmp[128];
+ int x, znlen;
static char dn[1024];
char tmp[128];
+ static char dn[DNS_NAME_MAXTEXT*3/2];
+ char tmp[DNS_NAME_MAXTEXT*3/2];
+ char zn[DNS_NAME_MAXTEXT+1];
bzero (tmp, sizeof (tmp));
bzero (dn, sizeof (dn));
size = get_attr_list_size (dc_list);
+ znlen = strlen(zone);
+ if ( *(zone + (znlen-1)) == '.' )
+ if ( zone[znlen-1] == '.' )
+ { /* ldapdb MUST search by relative zone name */
+ memcpy(&(zn[0]),zone,znlen-1);
+ *(zn + (znlen-1))='\0';
+ zn[znlen-1]='\0';
+ zone = zn;
+ }
for (x = size - 2; x > 0; x--)
@ -459,41 +442,48 @@ index 23dd873..d56bc56 100644
if (flag == WI_SPEC)
{
if (x == (size - 2) && (strncmp (dc_list[x], "@", 1) == 0) && (ttl))
- sprintf (tmp, "relativeDomainName=%s + dNSTTL=%d,", dc_list[x], ttl);
+ sprintf (tmp, "zoneName=%s + relativeDomainName=%s,", zone, dc_list[x]);
- sprintf (tmp, "relativeDomainName=%s + dNSTTL=%u,", dc_list[x], ttl);
+ snprintf (tmp, sizeof(tmp), "zoneName=%s + relativeDomainName=%s,", zone, dc_list[x]);
else if (x == (size - 2))
- sprintf(tmp, "relativeDomainName=%s,",dc_list[x]);
+ sprintf(tmp, "zoneName=%s + relativeDomainName=%s,", zone, dc_list[x]);
+ snprintf(tmp, sizeof(tmp), "zoneName=%s + relativeDomainName=%s,", zone, dc_list[x]);
else
sprintf(tmp,"dc=%s,", dc_list[x]);
- sprintf(tmp,"dc=%s,", dc_list[x]);
+ snprintf(tmp, sizeof(tmp), "dc=%s,", dc_list[x]);
}
@@ -724,6 +833,7 @@ void
init_ldap_conn ()
{
int result;
+ char ldb_tag[]="LDAP Bind";
conn = ldap_open (ldapsystem, LDAP_PORT);
if (conn == NULL)
else
{
@@ -733,7 +843,7 @@ init_ldap_conn ()
- sprintf(tmp, "dc=%s,", dc_list[x]);
+ snprintf(tmp, sizeof(tmp), "dc=%s,", dc_list[x]);
}
@@ -732,19 +835,18 @@ init_ldap_conn ()
}
result = ldap_simple_bind_s (conn, binddn, bindpw);
- ldap_result_check ("ldap_simple_bind_s", (char*)"LDAP Bind", result);
+ ldap_result_check ("ldap_simple_bind_s", ldb_tag , result);
+ ldap_result_check ("ldap_simple_bind_s", "LDAP Bind", result);
}
/* Like isc_result_check, only for LDAP */
@@ -750,8 +860,6 @@ ldap_result_check (const char *msg, char *dn, int err)
void
-ldap_result_check (const char *msg, char *dn, int err)
+ldap_result_check (const char *msg, const char *dn, int err)
{
if ((err != LDAP_SUCCESS) && (err != LDAP_ALREADY_EXISTS))
{
- fprintf(stderr, "Error while adding %s (%s):\n",
- dn, msg);
- ldap_perror (conn, dn);
- ldap_unbind_s (conn);
+ fprintf(stderr, "Error while adding %s (%s):\n%s",
+ dn, msg, ldap_err2string(err));
+ ldap_unbind_ext_s (conn, NULL, NULL);
exit (-1);
}
}
-
-
/* For running the ldap_info run queue. */
void
add_ldap_values (ldap_info * ldinfo)
@@ -759,14 +867,14 @@ add_ldap_values (ldap_info * ldinfo)
@@ -758,16 +860,15 @@ add_ldap_values (ldap_info * ldinfo)
int result;
char dnbuffer[1024];
@ -505,12 +495,14 @@ index 23dd873..d56bc56 100644
result = ldap_add_s (conn, dnbuffer, ldinfo->attrs);
- ldap_result_check ("ldap_add_s", dnbuffer, result);
-}
+ ldap_result_check ("ldap_add_s", dnbuffer, result);
+
}
+}
@@ -777,5 +885,5 @@ void
@@ -776,5 +877,5 @@ void
usage ()
{
fprintf (stderr,

37
bind-9.9.1-P2-multlib-conflict.patch
View File

@ -1,8 +1,8 @@
diff --git a/config.h.in b/config.h.in
index e1364dd921..1dc65cfb21 100644
index 4ecaa8f..2f65ccc 100644
--- a/config.h.in
+++ b/config.h.in
@@ -588,7 +588,7 @@ int sigwait(const unsigned int *set, int *sig);
@@ -600,7 +600,7 @@ int sigwait(const unsigned int *set, int *sig);
#undef PREFER_GOSTASN1
/* The size of `void *', as computed by sizeof. */
@ -11,39 +11,8 @@ index e1364dd921..1dc65cfb21 100644
/* Define to 1 if you have the ANSI C header files. */
#undef STDC_HEADERS
diff --git a/configure.in b/configure.in
index 73b1c8ccbb..129fc3f311 100644
--- a/configure.in
+++ b/configure.in
@@ -3523,14 +3523,14 @@ AC_TRY_COMPILE([
#include <sys/socket.h>
#include <netdb.h>
int getnameinfo(const struct sockaddr *, socklen_t, char *,
- socklen_t, char *, socklen_t, unsigned int);],
+ socklen_t, char *, socklen_t, int);],
[ return (0);],
- [AC_MSG_RESULT(socklen_t for buflen; u_int for flags)
+ [AC_MSG_RESULT(socklen_t for buflen; int for flags)
AC_DEFINE(IRS_GETNAMEINFO_SOCKLEN_T, socklen_t,
[Define to the sockaddr length type used by getnameinfo(3).])
AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, socklen_t,
[Define to the buffer length type used by getnameinfo(3).])
- AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, unsigned int,
+ AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, int,
[Define to the flags type used by getnameinfo(3).])],
[AC_TRY_COMPILE([
#include <sys/types.h>
@@ -3557,7 +3557,7 @@ int getnameinfo(const struct sockaddr *, size_t, char *,
[AC_MSG_RESULT(not match any subspecies; assume standard definition)
AC_DEFINE(IRS_GETNAMEINFO_SOCKLEN_T, socklen_t)
AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, socklen_t)
-AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, int)])])])
+AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, unsigned int)])])])
#
# ...and same for gai_strerror().
diff --git a/isc-config.sh.in b/isc-config.sh.in
index a8a0a89e88..b5e94ed13e 100644
index a8a0a89..b5e94ed 100644
--- a/isc-config.sh.in
+++ b/isc-config.sh.in
@@ -13,7 +13,18 @@ prefix=@prefix@

12
bind-95-rh452060.patch
View File

@ -1,34 +1,34 @@
diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
index f657c30..ff9a2d2 100644
index aa5315d..1fa711a 100644
--- a/bin/dig/dighost.c
+++ b/bin/dig/dighost.c
@@ -1694,6 +1694,13 @@ clear_query(dig_query_t *query) {
@@ -1814,6 +1814,13 @@ clear_query(dig_query_t *query) {
if (query->timer != NULL)
isc_timer_detach(&query->timer);
+
+ if (query->waiting_senddone) {
+ debug("send_done not yet called");
+ query->pending_free = ISC_TRUE;
+ query->pending_free = true;
+ return;
+ }
+
lookup = query->lookup;
if (lookup->current_query == query)
@@ -1719,10 +1726,7 @@ clear_query(dig_query_t *query) {
@@ -1839,10 +1846,7 @@ clear_query(dig_query_t *query) {
isc_mempool_put(commctx, query->recvspace);
isc_buffer_invalidate(&query->recvbuf);
isc_buffer_invalidate(&query->lengthbuf);
- if (query->waiting_senddone)
- query->pending_free = ISC_TRUE;
- query->pending_free = true;
- else
- isc_mem_free(mctx, query);
+ isc_mem_free(mctx, query);
}
/*%
@@ -2811,9 +2815,9 @@ send_done(isc_task_t *_task, isc_event_t *event) {
@@ -2892,9 +2896,9 @@ send_done(isc_task_t *_task, isc_event_t *event) {
isc_event_free(&event);
if (query->pending_free)

462
bind.spec
View File

@ -1,12 +1,16 @@
%bcond_with LMDB
%bcond_without LMDB
%bcond_without JSON
%bcond_with DNSTAP
%bcond_with DLZ
%bcond_with KYUA
%bcond_with SYSTEMTEST
%bcond_without UNITTEST
%bcond_with UNITTEST
%bcond_without SDB
%bcond_without GSSTSIG
%bcond_without PKCS11
%bcond_without EXPORT_LIBS
%bcond_with GEOIP
%bcond_without GEOIP2
%bcond_with TSAN
%{?!bind_uid: %global bind_uid 25}
%{?!bind_gid: %global bind_gid 25}
@ -16,11 +20,11 @@
Name: bind
Summary: Domain Name System (DNS) Server (named)
License: MPLv2.0
Version: 9.11.4
Release: 13
Version: 9.11.21
Release: 1
Epoch: 32
Url: http://www.isc.org/products/BIND/
Source0: https://ftp.isc.org/isc/bind9/9.11.4/bind-%{version}-P2.tar.gz
Source0: https://ftp.isc.org/isc/bind9/9.11.21/bind-%{version}.tar.gz
Source1: named.sysconfig
Source2: named.logrotate
Source3: bind-9.3.1rc1-sdb_tools-Makefile.in
@ -28,7 +32,7 @@ Source4: dnszone.schema
Source5: README.sdb_pgsql
Source6: named.conf.sample
Source7: named.conf
Source8: config-18.tar.bz2
#Source8: config-18.tar.bz2
Source9: ldap2zone.c
Source10: ldap2zone.1
Source11: named-sdb.8
@ -50,18 +54,23 @@ Source26: named-pkcs11.service
Source27: setup-named-softhsm.sh
Source28: named-chroot.files
Source29: random.data
Source30: https://www.internic.net/domain/named.root
Source31: named.rfc1912.zones
Source32: named.empty
Source33: named.localhost
Source34: named.loopback
Source35: named.root.key
BuildRequires: openssl-devel libtool autoconf pkgconfig libcap-devel python3-devel python3-ply docbook-style-xsl
BuildRequires: libidn2-devel libxml2-devel GeoIP-devel make systemd selinux-policy findutils sed libxslt gdb
BuildRequires: libidn2-devel libxml2-devel make systemd selinux-policy findutils sed libxslt gdb
BuildRequires: bind-libs bind-libs-lite bind-export-libs bind-pkcs11
%if %{with SDB}
BuildRequires: openldap-devel libpq-devel sqlite-devel mariadb-connector-c-devel libdb-devel
%endif
%if %{with KYUA}
#BuildRequires: libatf-c-devel kyua
%else
BuildRequires: gcc-c++
%if %{with UNITTEST}
BuildRequires: libcmocka-devel kyua
%endif
%if %{with PKCS11}
@ -80,66 +89,88 @@ BuildRequires: krb5-devel
BuildRequires: lmdb-devel
%endif
%if %{with JSON}
BuildRequires: json-c-devel
%endif
%if %{with GEOIP}
BuildRequires: GeoIP-devel
%endif
%if %{with GEOIP2}
BuildRequires: libmaxminddb-devel
%endif
%if %{with DNSTAP}
BuildRequires: fstrm-devel protobuf-c-devel
%endif
%if %{with TSAN}
BuildRequires: libtsan
%endif
Requires: systemd coreutils shadow-utils glibc-common grep policycoreutils-python-utils
Requires: python3-bind = %{epoch}:%{version}-%{release} libselinux-utils selinux-policy bind-libs = %{epoch}:%{version}-%{release}
Requires: python3-bind = %{epoch}:%{version}-%{release} libselinux-utils selinux-policy bind-libs = %{epoch}:%{version}-%{release} bind-libs-lite = %{epoch}:%{version}-%{release}
Provides: bind-config = 30:9.3.2-34.fc6 caching-nameserver = 31:9.4.1-7.fc8 dnssec-conf = 1.27-2
Provides: bind-license
Obsoletes: bind-config < 30:9.3.2-34.fc6 caching-nameserver < 31:9.4.1-7.fc8 dnssec-conf < 1.27-2
Obsoletes: bind-license
Patch0001: bind-9.5-PIE.patch
Patch0003: bind-9.5-dlz-64bit.patch
Patch0004: bind-95-rh452060.patch
Patch0005: bind93-rh490837.patch
Patch0006: bind97-rh478718.patch
Patch0007: bind97-rh645544.patch
Patch0008: bind-9.9.1-P2-dlz-libdb.patch
Patch0009: bind-9.9.1-P2-multlib-conflict.patch
Patch0010: bind-9.11-rh1410433.patch
Patch0011: bind-9.11-rh1205168.patch
Patch0012: bind-9.11-export-suffix.patch
Patch0013: bind-9.11-oot-manual.patch
Patch0014: bind-9.11-pk11.patch
Patch0015: bind-9.11-fips-code.patch
Patch0016: bind-9.11-fips-tests.patch
Patch0017: bind-9.11-rt31459.patch
Patch0018: bind-9.11-rt46047.patch
Patch0019: bind-9.11-rh1624100.patch
Patch0020: bind-9.11-host-idn-disable.patch
Patch0021: bind-9.10-dist-native-pkcs11.patch
Patch0022: bind-9.11-kyua-pkcs11.patch
Patch0023: bind-96-old-api.patch
Patch0024: bind-9.3.2b2-sdbsrc.patch
Patch0025: bind-9.10-sdb.patch
Patch0026: bind-9.3.2b1-fix_sdb_ldap.patch
Patch0027: bind-9.10-use-of-strlcat.patch
Patch0028: bind99-rh640538.patch
Patch0029: bind97-rh669163.patch
# Common patches
Patch10: bind-9.5-PIE.patch
Patch16: bind-9.3.2-redhat_doc.patch
Patch72: bind-9.5-dlz-64bit.patch
Patch101:bind-96-old-api.patch
Patch102:bind-95-rh452060.patch
Patch106:bind93-rh490837.patch
Patch109:bind97-rh478718.patch
Patch112:bind97-rh645544.patch
Patch130:bind-9.9.1-P2-dlz-libdb.patch
Patch131:bind-9.9.1-P2-multlib-conflict.patch
Patch133:bind99-rh640538.patch
Patch134:bind97-rh669163.patch
# Fedora specific patch to distribute native-pkcs#11 functionality
Patch136:bind-9.10-dist-native-pkcs11.patch
Patch6001: 1314-master-dnssec-checkds-s.patch
Patch6002: 2432-check-param_template-i-.pValue-is-non-NULL.patch
Patch6003: 2497-refcount-errors-on-error-paths.patch
Patch6004: 2559-Do-not-remove-errors-from-the-OpenSSL-error-queue-in.patch
Patch6005: 2574-Do-not-treat-a-referral-with-a-non-empty-ANSWER-sect.patch
Patch6006: 2711-Align-CMSG-buffers-to-a-void-boundary-fixes-crash-on.patch
Patch6007: 2776-Fix-crash-caused-by-race-condition-in-timer-creation.patch
Patch6008: 2865-free-key-on-error.patch
Patch6009: 2879-expand-the-pool-then-copy-over-the-old-entries-so-we.patch
Patch6010: 2985-Add-some-DBC-checks-in-dighost-fix-race-between-clea.patch
Patch6011: 2998-Use-larger-buffers-on-snprintf-buffer-overflow-false.patch
Patch6012: 3022-Fix-a-shutdown-race-in-bin-dig-dighost.c.patch
Patch6013: 3046-uninitalize-memory-read-on-error-path.patch
Patch6014: 3318-Allow-unsupported-alg-in-zone-w-dnssec-signzone.patch
Patch6015: 3543-fix-memory-leak.patch
Patch6016: Use-clock_gettime-instead-of-gettimeofday.patch
Patch6017: CVE-2018-5743.patch
Patch6018: CVE-2018-5743-atomic-fix.patch
Patch6019: CVE-2018-5745.patch
Patch6020: CVE-2019-6465.patch
Patch137:bind-9.10-use-of-strlcat.patch
Patch140:bind-9.11-rh1410433.patch
Patch145:bind-9.11-rh1205168.patch
Patch149:bind-9.11-kyua-pkcs11.patch
Patch150:bind-9.11-engine-pkcs11.patch
Patch153:bind-9.11-export-suffix.patch
Patch154:bind-9.11-oot-manual.patch
Patch155:bind-9.11-pk11.patch
Patch156:bind-9.11-fips-code.patch
Patch157:bind-9.11-fips-tests.patch
Patch158:bind-9.11-rt31459.patch
Patch159:bind-9.11-rt46047.patch
Patch160:bind-9.11-rh1624100.patch
Patch161:bind-9.11-host-idn-disable.patch
Patch163:bind-9.11-rh1663318.patch
Patch164:bind-9.11-rh1666814.patch
Patch168:bind-9.11-unit-disable-random.patch
Patch170:bind-9.11-feature-test-named.patch
Patch171:bind-9.11-tests-variants.patch
Patch172:bind-9.11-tests-pkcs11.patch
Patch173:bind-9.11-rh1732883.patch
Patch174:bind-9.11-json-c.patch
Patch175:bind-9.11-fips-disable.patch
Patch177: bind-9.11-serve-stale.patch
Patch178: bind-9.11-serve-stale-dbfix.patch
Patch183: bind-9.11-rh1736762-5.patch
Patch9000: feature-bind99-euler-range-port.patch
Patch9001: bugfix-nslookup-norec.patch
Patch9002: bugfix-named-log-time.patch
Patch184: feature-bind99-euler-range-port.patch
Patch185: bugfix-nslookup-norec.patch
Patch186: bugfix-named-log-time.patch
Patch187: dnssec-checkds-s.patch
Patch188: do-not-treat-a-referral-with-a-non-empty-ANSWER-sect.patch
Patch189: Add-some-DBC-checks-in-dighost-fix-race-between-clea.patch
Patch190: Use-clock_gettime-instead-of-gettimeofday.patch
# SDB patches
Patch11: bind-9.3.2b2-sdbsrc.patch
Patch12: bind-9.10-sdb.patch
# needs inpection
Patch13: bind-9.3.2b1-fix_sdb_ldap.patch
%description
Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name
@ -259,7 +290,7 @@ Based on the code from Jan "Yenya" Kasprzak <kas@fi.muni.cz>
%package -n python3-bind
Summary: A module allowing rndc commands to be sent from Python programs
Requires: bind = %{epoch}:%{version}-%{release}
Requires: python3 python3-ply %{py3_dist ply}
Requires: python3 python3-ply %{?py3_dist:%py3_dist ply}
BuildArch: noarch
%{?python_provide:%python_provide python3-bind}
%{?python_provide:%python_provide python3-isc}
@ -291,94 +322,108 @@ are used for building ISC DHCP.
%endif
%prep
%setup -q -n %{name}-%{version}-P2
%setup -q -n %{name}-%{version}
# Common patches
%patch10 -p1 -b .PIE
%patch16 -p1 -b .redhat_doc
%patch72 -p1 -b .64bit
%patch102 -p1 -b .rh452060
%patch106 -p1 -b .rh490837
%patch109 -p1 -b .rh478718
%patch112 -p1 -b .rh645544
%patch130 -p1 -b .libdb
%patch131 -p1 -b .multlib-conflict
%patch140 -p1 -b .rh1410433
%patch145 -p1 -b .rh1205168
%patch153 -p1 -b .export_suffix
%patch154 -p1 -b .oot-man
%patch155 -p1 -b .pk11-internal
%patch156 -p1 -b .fips-code
%patch157 -p1 -b .fips-tests
%patch158 -p1 -b .rt31459
%patch159 -p1 -b .rt46047
%patch160 -p1 -b .rh1624100
%patch161 -p1 -b .host-idn-disable
%patch163 -p1 -b .rh1663318
%patch164 -p1 -b .rh1666814
%patch168 -p1 -b .random_test-disable
%patch170 -p1 -b .featuretest-named
%patch171 -p1 -b .test-variant
%patch172 -p1 -b .test-pkcs11
%patch173 -p1 -b .rh1732883
%patch174 -p1 -b .json-c
%patch175 -p1 -b .rh1709553
%patch177 -p1 -b .serve-stale
%patch178 -p1 -b .rh1770492
%patch183 -p1 -b .rh1736762-5
%patch0001 -p1
%patch0003 -p1
%patch0004 -p1
%patch0005 -p0
%patch0006 -p1
%patch0007 -p1
%patch0008 -p1
%patch0009 -p1
%patch0010 -p1
%patch0011 -p1
%patch0012 -p1
%patch0013 -p1
%patch0014 -p1
%patch0015 -p1
%patch0016 -p1
%patch0017 -p1
%patch0018 -p1
%patch0019 -p1
%patch0020 -p1
%patch184 -p1
%patch185 -p1
%patch186 -p1
%patch187 -p1
%patch188 -p1
%patch189 -p1
%patch190 -p1
mkdir lib/dns/tests/testdata/dstrandom
cp -a %{SOURCE29} lib/dns/tests/testdata/dstrandom/random.data
%if %{with PKCS11}
cp -r bin/named bin/named-pkcs11
cp -r bin/dnssec bin/dnssec-pkcs11
cp -r lib/isc lib/isc-pkcs11
cp -r lib/dns lib/dns-pkcs11
%patch0021 -p1
%patch0022 -p1
cp -r bin/named{,-pkcs11}
cp -r bin/dnssec{,-pkcs11}
cp -r lib/isc{,-pkcs11}
cp -r lib/dns{,-pkcs11}
%patch136 -p1 -b .dist_pkcs11
%patch149 -p1 -b .kyua-pkcs11
%patch150 -p1 -b .engine-pkcs11
%endif
%if %{with SDB}
%patch0023 -p1
%patch101 -p1 -b .old-api
mkdir bin/named-sdb
mkdir bin/sdb_tools
cp -r bin/named/* bin/named-sdb
%patch0024 -p1
cp -fp contrib/sdb/ldap/ldapdb.[ch] bin/named-sdb
cp -fp contrib/sdb/pgsql/pgsqldb.[ch] bin/named-sdb
cp -fp contrib/sdb/sqlite/sqlitedb.[ch] bin/named-sdb
cp -fp contrib/sdb/dir/dirdb.[ch] bin/named-sdb
cp -fp %{SOURCE9} bin/sdb_tools/ldap2zone.c
cp -fp %{SOURCE3} bin/sdb_tools/Makefile.in
%patch11 -p1 -b .sdbsrc
# SDB ldap
cp -fp contrib/sdb/ldap/ldapdb.[ch] bin/named-sdb
# SDB postgreSQL
cp -fp contrib/sdb/pgsql/pgsqldb.[ch] bin/named-sdb
# SDB sqlite
cp -fp contrib/sdb/sqlite/sqlitedb.[ch] bin/named-sdb
# SDB Berkeley DB - needs to be ported to DB4!
#cp -fp contrib/sdb/bdb/bdb.[ch] bin/named_sdb
# SDB dir
cp -fp contrib/sdb/dir/dirdb.[ch] bin/named-sdb
# SDB tools
mkdir -p bin/sdb_tools
cp -fp %{SOURCE9} bin/sdb_tools/ldap2zone.c
cp -fp %{SOURCE3} bin/sdb_tools/Makefile.in
#cp -fp contrib/sdb/bdb/zone2bdb.c bin/sdb_tools
cp -fp contrib/sdb/ldap/{zone2ldap.1,zone2ldap.c} bin/sdb_tools
cp -fp contrib/sdb/pgsql/zonetodb.c bin/sdb_tools
cp -fp contrib/sdb/sqlite/zone2sqlite.c bin/sdb_tools
%patch0025 -p1
%patch0026 -p1
%patch0027 -p1
cp -fp contrib/sdb/pgsql/zonetodb.c bin/sdb_tools
cp -fp contrib/sdb/sqlite/zone2sqlite.c bin/sdb_tools
%patch12 -p1 -b .sdb
%patch13 -p1 -b .fix_sdb_ldap
%patch137 -p1 -b .strlcat_fix
%endif
%patch0028 -p1
%patch0029 -p1
%patch133 -p1 -b .rh640538
%patch134 -p1 -b .rh669163
%patch9000 -p1
%patch9001 -p1
%patch6001 -p1
%patch6002 -p1
%patch6003 -p1
%patch6004 -p1
%patch6005 -p1
%patch6006 -p1
%patch6007 -p1
%patch6008 -p1
%patch6009 -p1
%patch6010 -p1
%patch6011 -p1
%patch6012 -p1
%patch6013 -p1
%patch6014 -p1
%patch6015 -p1
%patch6016 -p1
%patch6017 -p1
%patch6018 -p1
%patch6019 -p1
%patch6020 -p1
%patch9002 -p1
# Sparc and s390 arches need to use -fPIE
%ifarch sparcv9 sparc64 s390 s390x
for i in bin/named{,-sdb}/{,unix}/Makefile.in; do
sed -i 's|fpie|fPIE|g' $i
done
%endif
:;
%build
%define _configure "../configure"
%define unit_prepare_build() \
cp -uv Kyuafile Atffile "%{1}/" \
cp -uv Kyuafile "%{1}/" \
find lib -name 'K*.key' -exec cp -uv '{}' "%{1}/{}" ';' \
find lib -name 'Kyuafile' -exec cp -uv '{}' "%{1}/{}" ';' \
find lib -name 'Atffile' -exec cp -uv '{}' "%{1}/{}" ';' \
find lib -name 'testdata' -type d -exec cp -Tav '{}' "%{1}/{}" ';' \
find lib -name 'testkeys' -type d -exec cp -Tav '{}' "%{1}/{}" ';' \
@ -386,13 +431,11 @@ cp -fp contrib/sdb/sqlite/zone2sqlite.c bin/sdb_tools
cp -Tuav bin/tests "%{1}/bin/tests/" \
cp -uv version "%{1}"
%if %{with KYUA}
ATF_PATH=/usr
%else
ATF_PATH=yes
CFLAGS="$CFLAGS $RPM_OPT_FLAGS"
%if %{with TSAN}
CFLAGS+=" -O1 -fsanitize=thread -fPIE -pie"
%endif
export CFLAGS="$CFLAGS $RPM_OPT_FLAGS"
export CFLAGS
export CPPFLAGS="$CPPFLAGS -DDIG_SIGCHASE"
export STD_CDEFINES="$CPPFLAGS"
@ -407,7 +450,7 @@ export LIBDIR_SUFFIXi=
%configure \
--with-python=%{__python3} --with-libtool --localstatedir=/var \
--enable-threads --enable-ipv6 --enable-filter-aaaa --with-pic \
--disable-static --includedir=%{_includedir}/bind9 --with-geoip \
--disable-static --includedir=%{_includedir}/bind9 \
--with-tuning=large --with-libidn2 --enable-openssl-hash \
--enable-fixed-rrset --enable-full-report \
--with-docbook-xsl=%{_datadir}/sgml/docbook/xsl-stylesheets \
@ -426,8 +469,29 @@ export LIBDIR_SUFFIXi=
%else
--with-lmdb=no \
%endif
%if %{with JSON}
--with-libjson \
%endif
%if %{with DNSTAP}
--enable-dnstap \
%endif
%if %{with GEOIP}
--with-geoip \
%endif
%if %{with GEOIP2}
--with-geoip2 \
%endif
%if %{with UNITTEST}
--with-atf=${ATF_PATH}
--with-cmocka \
%endif
%if %{with DNSTAP}
pushd lib
SRCLIB="../../../lib"
(cd dns && ln -s ${SRCLIB}/dns/dnstap.proto)
%if %{with PKCS11}
(cd dns-pkcs11 && ln -s ${SRCLIB}/dns-pkcs11/dnstap.proto)
%endif
popd
%endif
make -j32
@ -440,11 +504,6 @@ pushd bin/python
make man
popd
%if ! %{with KYUA}
ATF_PATH="`pwd`/unit/atf"
sed -i -e '/^SUBDIRS =/s/atf-src//i' unit/Makefile
%endif
popd # build
%unit_prepare_build build
@ -466,7 +525,7 @@ export LIBDIR_SUFFIX=%{_export_dir}
--with-gssapi=yes --disable-isc-spnego \
%endif
%if %{with UNITTEST}
--with-atf=${ATF_PATH}
--with-cmocka \
%endif
mv isc-config.sh isc-export-config.sh
@ -478,7 +537,6 @@ sed -i \
Makefile
sed -i -e "/^SUBDIRS =/s/.*/SUBDIRS = isc dns isccfg irs/i" lib/Makefile
sed -i -e '/^SUBDIRS =/s/atf-src//i' unit/Makefile
for lib in isc dns isccfg irs; do
find . -name Makefile -exec sed "s/lib${lib}\./lib${lib}-export\./g" -i {} \;
@ -491,10 +549,46 @@ make -j32
popd
%unit_prepare_build export-libs
sed -e '/^\s*include(.*-pkcs11/ d' -e '/^\s*include(.*lwres/ d' -i export-libs/lib/Kyuafile
# Test just compiled libraries
for lib in %{bind_export_libs}
do
sed -e "s,^\s*include(.*${lib}/.*,-- use &," -i export-libs/lib/Kyuafile
done
sed -e "/^\s*include(/ d" -e 's/^-- use //' -i export-libs/lib/Kyuafile
%endif #end EXPORT_LIBS
%check
%if %{with PKCS11}
# Tests require initialization of pkcs11 token
eval "$(bash %{SOURCE27} -A "`pwd`/softhsm-tokens")"
%endif
%if %{with TSAN}
export TSAN_OPTIONS="log_exe_name=true log_path=ThreadSanitizer exitcode=0"
%endif
%if %{with UNITTEST}
pushd build
make unit
e=$?
if [ "$e" -ne 0 ]; then
echo "ERROR: this build of BIND failed 'make unit'. Aborting."
exit $e;
fi;
popd
%if %{with EXPORT_LIBS}
pushd export-libs
make unit
e=$?
if [ "$e" -ne 0 ]; then
echo "ERROR: this build of BIND export-libs failed 'make unit'. Aborting."
exit $e;
fi;
popd
%endif
%endif
%if %{with SYSTEMTEST}
if [ "`whoami`" = 'root' ]; then
@ -616,29 +710,44 @@ cp -fp build/config.h ${RPM_BUILD_ROOT}/%{_includedir}/bind9
find ${RPM_BUILD_ROOT}/%{_libdir} -name '*.la' -exec '/bin/rm' '-f' '{}' ';';
touch ${RPM_BUILD_ROOT}%{_localstatedir}/log/named.log
tar -C ${RPM_BUILD_ROOT} -xjf %{SOURCE8}
touch ${RPM_BUILD_ROOT}/etc/rndc.key
touch ${RPM_BUILD_ROOT}/etc/rndc.conf
install -m 640 %{SOURCE7} ${RPM_BUILD_ROOT}/etc/named.conf
# configuration files
install -m 640 %{SOURCE7} ${RPM_BUILD_ROOT}%{_sysconfdir}/named.conf
touch ${RPM_BUILD_ROOT}%{_sysconfdir}/rndc.{key,conf}
install -m 644 %{SOURCE35} ${RPM_BUILD_ROOT}%{_sysconfdir}/named.root.key
install -m 644 %{SOURCE15} ${RPM_BUILD_ROOT}%{_sysconfdir}/trusted-key.key
mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/named
# data files
mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/named
install -m 640 %{SOURCE30} ${RPM_BUILD_ROOT}%{_localstatedir}/named/named.ca
install -m 640 %{SOURCE33} ${RPM_BUILD_ROOT}%{_localstatedir}/named/named.localhost
install -m 640 %{SOURCE34} ${RPM_BUILD_ROOT}%{_localstatedir}/named/named.loopback
install -m 640 %{SOURCE32} ${RPM_BUILD_ROOT}%{_localstatedir}/named/named.empty
install -m 640 %{SOURCE31} ${RPM_BUILD_ROOT}%{_sysconfdir}/named.rfc1912.zones
mkdir -p sample/etc sample/var/named/{data,slaves}
mkdir ${RPM_BUILD_ROOT}/etc/named
install -m 644 %{SOURCE15} ${RPM_BUILD_ROOT}/etc/trusted-key.key
install -m 644 %{SOURCE6} sample/etc/named.conf
install -m 644 %{SOURCE7} named.conf.default
install -m 644 ${RPM_BUILD_ROOT}/etc/named.rfc1912.zones sample/etc/named.rfc1912.zones
install -m 644 ${RPM_BUILD_ROOT}/var/named/{named.ca,named.localhost,named.loopback,named.empty} sample/var/named
install -m 644 %{SOURCE31} sample/etc/named.rfc1912.zones
install -m 644 %{SOURCE33} %{SOURCE34} %{SOURCE32} sample/var/named
install -m 644 %{SOURCE30} sample/var/named/named.ca
mkdir -p ${RPM_BUILD_ROOT}%{_tmpfilesdir}
mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/rwtab.d
install -m 644 %{SOURCE14} ${RPM_BUILD_ROOT}%{_tmpfilesdir}/named.conf
install -m 644 %{SOURCE22} ${RPM_BUILD_ROOT}%{_sysconfdir}/rwtab.d/named
cp -a %{_libdir}/%{_export_dir}/lib{dns,irs,isc,isccfg}-export.so.* %{buildroot}%{_libdir}/%{_export_dir}
cp -a %{_libdir}/lib{dns,isc}-pkcs11.so.* %{buildroot}%{_libdir}
cp -a %{_libdir}/lib{bind9,isccc,lwres,irs,isccfg}.so.160* %{buildroot}%{_libdir}
cp -a %{_libdir}/lib{dns.so.1102*,isc.so.169*} %{buildroot}%{_libdir}
%pre
if [ "$1" -eq 1 ]; then
/usr/sbin/groupadd -g %{bind_gid} -f -r named >/dev/null 2>&1 || :;
/usr/sbin/useradd -u %{bind_uid} -r -N -M -g named -s /bin/false -d /var/named -c Named named >/dev/null 2>&1 || :;
/usr/sbin/useradd -u %{bind_uid} -r -N -M -g named -s /sbin/nologin -d /var/named -c Named named >/dev/null 2>&1 || :;
fi
%post
@ -649,8 +758,8 @@ if [ "$1" -eq 1 ]; then
[ -e /etc/rndc.key ] && chown root:named /etc/rndc.key
[ -e /etc/rndc.key ] && chmod 0640 /etc/rndc.key
else
if getent passwd named | grep ':/sbin/nologin$' >/dev/null; then
usermod -s /bin/false named
if getent passwd named | grep ':/bin/false$' >/dev/null; then
/sbin/usermod -s /sbin/nologin named
fi
fi
@ -712,9 +821,11 @@ fi
%if %{with EXPORT_LIBS}
%post export-libs
/sbin/ldconfig
%end
%postun export-libs
/sbin/ldconfig
%end
%endif
@ -826,12 +937,21 @@ rm -rf ${RPM_BUILD_ROOT}
%{_libdir}/libisccc.so.160*
%{_libdir}/liblwres.so.160*
%{_libdir}/libbind9.so.161*
%{_libdir}/libisccc.so.161*
%{_libdir}/liblwres.so.161*
%files libs-lite
%{_libdir}/libdns.so.1102*
%{_libdir}/libirs.so.160*
%{_libdir}/libisc.so.169*
%{_libdir}/libisccfg.so.160*
%{_libdir}/libdns.so.1110*
%{_libdir}/libirs.so.161*
%{_libdir}/libisc.so.1105*
%{_libdir}/libisccfg.so.163*
%files utils
%{_bindir}/dig
@ -875,6 +995,10 @@ rm -rf ${RPM_BUILD_ROOT}
%if %{with LMDB}
%{_mandir}/man8/named-nzd2nzf.8*
%endif
%if %{with DNSTAP}
%{_bindir}/dnstap-read
%{_mandir}/man1/dnstap-read.1*
%endif
%{_sysconfdir}/trusted-key.key
%if %{with SDB}
@ -1004,11 +1128,13 @@ rm -rf ${RPM_BUILD_ROOT}
%{_sbindir}/named-pkcs11
%{_sbindir}/dnssec*pkcs11
%{_sbindir}/pkcs11-*
%{_libdir}/libdns-pkcs11.so.1102*
%{_libdir}/libisc-pkcs11.so.169*
%{_libdir}/libdns-pkcs11.so.1110*
%{_libdir}/libisc-pkcs11.so.1105*
%{_unitdir}/named-pkcs11.service
%{_libexecdir}/setup-named-softhsm.sh
%{_mandir}/man8/*pkcs11*.8*
%{_libdir}/libdns-pkcs11.so.1102*
%{_libdir}/libisc-pkcs11.so.169*
%files pkcs11-devel
%{_libdir}/lib*-pkcs11.so
@ -1022,10 +1148,16 @@ rm -rf ${RPM_BUILD_ROOT}
%files export-libs
%dir %{_libdir}/%{_export_dir}
%{_libdir}/%{_export_dir}/libdns-export.so.1110*
%{_libdir}/%{_export_dir}/libirs-export.so.161*
%{_libdir}/%{_export_dir}/libisc-export.so.1105*
%{_libdir}/%{_export_dir}/libisccfg-export.so.163*
%{_libdir}/%{_export_dir}/libdns-export.so.1102*
%{_libdir}/%{_export_dir}/libirs-export.so.160*
%{_libdir}/%{_export_dir}/libisc-export.so.169*
%{_libdir}/%{_export_dir}/libisccfg-export.so.160*
%config(noreplace) %{_sysconfdir}/ld.so.conf.d/%{name}-export-%{_arch}.conf
%files export-devel
@ -1045,6 +1177,12 @@ rm -rf ${RPM_BUILD_ROOT}
%changelog
* Mon Jul 27 2020 gaihuiying <gaihuiying1@huawei.com> - 9.11.21-1
- Type:requirement
- ID:NA
- SUG:NA
- DESC:update c-ares version to 9.11.21
* Thu Mar 19 2020 songnannan <songnannan2@huawei.com> - 9.11.4-13
- add gdb in buildrequires

74
bind93-rh490837.patch
View File

@ -1,13 +1,22 @@
? patch
? lib/isc/lex.c.rh490837
Index: lib/isc/lex.c
===================================================================
RCS file: /var/snap/bind9/lib/isc/lex.c,v
retrieving revision 1.86
diff -p -u -r1.86 lex.c
--- lib/isc/lex.c 17 Sep 2007 09:56:29 -0000 1.86
+++ lib/isc/lex.c 6 Apr 2009 13:24:15 -0000
@@ -425,17 +425,14 @@ isc_lex_gettoken(isc_lex_t *lex, unsigne
diff --git a/lib/isc/include/isc/stdio.h b/lib/isc/include/isc/stdio.h
index 1f44b5a..a3625f9 100644
--- a/lib/isc/include/isc/stdio.h
+++ b/lib/isc/include/isc/stdio.h
@@ -69,6 +69,9 @@ isc_stdio_sync(FILE *f);
* direct counterpart in the stdio library.
*/
+isc_result_t
+isc_stdio_fgetc(FILE *f, int *ret);
+
ISC_LANG_ENDDECLS
#endif /* ISC_STDIO_H */
diff --git a/lib/isc/lex.c b/lib/isc/lex.c
index a8955bc..fc6103b 100644
--- a/lib/isc/lex.c
+++ b/lib/isc/lex.c
@@ -434,17 +434,14 @@ isc_lex_gettoken(isc_lex_t *lex, unsigned int options, isc_token_t *tokenp) {
if (source->is_file) {
stream = source->input;
@ -28,34 +37,14 @@ diff -p -u -r1.86 lex.c
goto done;
}
+
source->at_eof = ISC_TRUE;
source->at_eof = true;
}
} else {
Index: lib/isc/include/isc/stdio.h
===================================================================
RCS file: /var/snap/bind9/lib/isc/include/isc/stdio.h,v
retrieving revision 1.13
diff -p -u -r1.13 stdio.h
--- lib/isc/include/isc/stdio.h 19 Jun 2007 23:47:18 -0000 1.13
+++ lib/isc/include/isc/stdio.h 6 Apr 2009 13:24:15 -0000
@@ -72,6 +72,9 @@ isc_stdio_sync(FILE *f);
* direct counterpart in the stdio library.
*/
+isc_result_t
+isc_stdio_fgetc(FILE *f, int *ret);
+
ISC_LANG_ENDDECLS
#endif /* ISC_STDIO_H */
Index: lib/isc/unix/errno2result.c
===================================================================
RCS file: /var/snap/bind9/lib/isc/unix/errno2result.c,v
retrieving revision 1.17
diff -p -u -r1.17 errno2result.c
--- lib/isc/unix/errno2result.c 19 Jun 2007 23:47:18 -0000 1.17
+++ lib/isc/unix/errno2result.c 6 Apr 2009 13:24:15 -0000
@@ -43,6 +43,7 @@ isc__errno2result(int posixerrno) {
diff --git a/lib/isc/unix/errno2result.c b/lib/isc/unix/errno2result.c
index 2f12bcc..5bfd648 100644
--- a/lib/isc/unix/errno2result.c
+++ b/lib/isc/unix/errno2result.c
@@ -40,6 +40,7 @@ isc___errno2result(int posixerrno, bool dolog,
case EINVAL: /* XXX sometimes this is not for files */
case ENAMETOOLONG:
case EBADF:
@ -63,14 +52,11 @@ diff -p -u -r1.17 errno2result.c
return (ISC_R_INVALIDFILE);
case ENOENT:
return (ISC_R_FILENOTFOUND);
Index: lib/isc/unix/stdio.c
===================================================================
RCS file: /var/snap/bind9/lib/isc/unix/stdio.c,v
retrieving revision 1.8
diff -p -u -r1.8 stdio.c
--- lib/isc/unix/stdio.c 19 Jun 2007 23:47:18 -0000 1.8
+++ lib/isc/unix/stdio.c 6 Apr 2009 13:24:15 -0000
@@ -115,3 +115,22 @@ isc_stdio_sync(FILE *f) {
diff --git a/lib/isc/unix/stdio.c b/lib/isc/unix/stdio.c
index e60fa65..77f0b13 100644
--- a/lib/isc/unix/stdio.c
+++ b/lib/isc/unix/stdio.c
@@ -149,3 +149,22 @@ isc_stdio_sync(FILE *f) {
return (isc__errno2result(errno));
}

14
bind97-rh478718.patch
View File

@ -1,8 +1,8 @@
diff --git a/configure.in b/configure.in
index 896e81c1ce..73b1c8ccbb 100644
--- a/configure.in
+++ b/configure.in
@@ -4275,6 +4275,10 @@ if test "yes" = "$use_atomic"; then
diff --git a/configure.ac b/configure.ac
index 26c509e..c1bfd62 100644
--- a/configure.ac
+++ b/configure.ac
@@ -4152,6 +4152,10 @@ if test "yes" = "$use_atomic"; then
AC_MSG_RESULT($arch)
fi
@ -14,10 +14,10 @@ index 896e81c1ce..73b1c8ccbb 100644
AC_MSG_CHECKING([compiler support for inline assembly code])
diff --git a/lib/isc/include/isc/platform.h.in b/lib/isc/include/isc/platform.h.in
index 2ff522342f..58df86adb3 100644
index c902d46..9c7c342 100644
--- a/lib/isc/include/isc/platform.h.in
+++ b/lib/isc/include/isc/platform.h.in
@@ -289,19 +289,25 @@
@@ -284,19 +284,25 @@
* If the "xaddq" operation (64bit xadd) is available on this architecture,
* ISC_PLATFORM_HAVEXADDQ will be defined.
*/

19
bind97-rh645544.patch
View File

@ -1,7 +1,8 @@
diff -up bind-9.9.4rc2/lib/dns/resolver.c.rh645544 bind-9.9.4rc2/lib/dns/resolver.c
--- bind-9.9.4rc2/lib/dns/resolver.c.rh645544 2013-08-19 10:30:52.000000000 +0200
+++ bind-9.9.4rc2/lib/dns/resolver.c 2013-09-06 17:58:03.864165823 +0200
@@ -1138,7 +1138,7 @@ log_edns(fetchctx_t *fctx) {
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index ecb3ddb..f7f73cd 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -1456,7 +1456,7 @@ log_edns(fetchctx_t *fctx) {
*/
dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
isc_log_write(dns_lctx, DNS_LOGCATEGORY_EDNS_DISABLED,
@ -10,7 +11,7 @@ diff -up bind-9.9.4rc2/lib/dns/resolver.c.rh645544 bind-9.9.4rc2/lib/dns/resolve
"success resolving '%s' (in '%s'?) after %s",
fctx->info, domainbuf, fctx->reason);
@@ -3804,7 +3804,7 @@ log_lame(fetchctx_t *fctx, dns_adbaddrin
@@ -4667,7 +4667,7 @@ log_lame(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo) {
dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
isc_sockaddr_format(&addrinfo->sockaddr, addrbuf, sizeof(addrbuf));
isc_log_write(dns_lctx, DNS_LOGCATEGORY_LAME_SERVERS,
@ -19,12 +20,12 @@ diff -up bind-9.9.4rc2/lib/dns/resolver.c.rh645544 bind-9.9.4rc2/lib/dns/resolve
"lame server resolving '%s' (in '%s'?): %s",
namebuf, domainbuf, addrbuf);
}
@@ -3831,7 +3831,7 @@ log_formerr(fetchctx_t *fctx, const char
}
@@ -4685,7 +4685,7 @@ log_formerr(fetchctx_t *fctx, const char *format, ...) {
isc_sockaddr_format(&fctx->addrinfo->sockaddr, nsbuf, sizeof(nsbuf));
isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
- DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
+ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(1),
"DNS format error from %s resolving %s%s%s: %s",
nsbuf, fctx->info, clmsg, clbuf, msgbuf);
"DNS format error from %s resolving %s for %s: %s",
nsbuf, fctx->info, fctx->clientstr, msgbuf);
}

49
bugfix-named-log-time.patch
View File

@ -1,15 +1,14 @@
diff -upNr b/lib/isc/include/isc/util.h a/lib/isc/include/isc/util.h
--- b/lib/isc/include/isc/util.h 2019-07-30 19:52:09.600000000 +0800
+++ a/lib/isc/include/isc/util.h 2019-07-30 21:39:03.400000000 +0800
@@ -233,7 +233,7 @@
@@ -233,6 +233,7 @@
* Time
*/
#define TIME_NOW(tp) RUNTIME_CHECK(isc_time_now((tp)) == ISC_R_SUCCESS)
-
+#define TIME_REAL_NOW(tp) RUNTIME_CHECK(isc_time_real_now((tp)) == ISC_R_SUCCESS)
/*%
* Alignment
*/
#ifdef CLOCK_BOOTTIME
#define TIME_MONOTONIC(tp) RUNTIME_CHECK(isc_time_boottime((tp)) == ISC_R_SUCCESS)
#endif
diff -upNr b/lib/isc/log.c a/lib/isc/log.c
--- b/lib/isc/log.c 2019-07-30 19:52:09.610000000 +0800
+++ a/lib/isc/log.c 2019-07-30 21:39:03.410000000 +0800
@ -55,44 +54,6 @@ diff -upNr b/lib/isc/unix/include/isc/time.h a/lib/isc/unix/include/isc/time.h
diff -upNr b/lib/isc/unix/time.c a/lib/isc/unix/time.c
--- b/lib/isc/unix/time.c 2019-07-30 19:52:09.600000000 +0800
+++ a/lib/isc/unix/time.c 2019-07-30 21:39:03.400000000 +0800
@@ -36,6 +36,9 @@
#define NS_PER_MS 1000000 /*%< Nanoseconds per millisecond. */
#define US_PER_S 1000000 /*%< Microseconds per second. */
+#ifndef ISC_FIX_TV_USEC
+#define ISC_FIX_TV_USEC 1
+#endif
#define CLOCKSOURCE CLOCK_MONOTONIC
/*%
@@ -44,6 +47,27 @@
static const isc_interval_t zero_interval = { 0, 0 };
const isc_interval_t * const isc_interval_zero = &zero_interval;
+#if ISC_FIX_TV_USEC
+static inline void
+fix_tv_usec(struct timeval *tv) {
+ isc_boolean_t fixed = ISC_FALSE;
+ if (tv->tv_usec < 0) {
+ fixed = ISC_TRUE;
+ do {
+ tv->tv_sec -= 1;
+ tv->tv_usec += US_PER_S;
+ } while (tv->tv_usec < 0);
+ } else if (tv->tv_usec >= US_PER_S) {
+ fixed = ISC_TRUE;
+ do {
+ tv->tv_sec += 1;
+ tv->tv_usec -= US_PER_S;
+ } while (tv->tv_usec >=US_PER_S);
+ }
+ if (fixed)
+ (void)syslog(LOG_ERR, "gettimeofday returned bad tv_usec: corrected");
+}
+#endif
void
isc_interval_set(isc_interval_t *i,
@@ -105,6 +129,50 @@ isc_time_isepoch(const isc_time_t *t) {
@ -142,5 +103,5 @@ diff -upNr b/lib/isc/unix/time.c a/lib/isc/unix/time.c
+
+isc_result_t
isc_time_now(isc_time_t *t) {
struct timespec ts;
struct timeval tv;
char strbuf[ISC_STRERRORSIZE];

BIN
config-18.tar.bz2
View File

Binary file not shown.

22
1314-master-dnssec-checkds-s.patch → dnssec-checkds-s.patch
View File

@ -9,7 +9,6 @@ Subject: [PATCH 1314/3677] [master] dnssec-checkds -s
---
CHANGES | 8 +-
bin/python/dnssec-checkds.docbook | 24 +++---
bin/python/isc/checkds.py.in | 49 ++++++-----
bin/tests/system/checkds/clean.sh | 2 -
bin/tests/system/checkds/dig.pl | 2 -
bin/tests/system/checkds/dig.sh | 3 -
@ -71,20 +70,7 @@ diff --git a/bin/python/isc/checkds.py.in b/bin/python/isc/checkds.py.in
index ce50355..a161554 100644
--- a/bin/python/isc/checkds.py.in
+++ b/bin/python/isc/checkds.py.in
@@ -34,7 +34,11 @@ class SECRR:
if not rrtext:
raise Exception
- fields = rrtext.decode('ascii').split()
+ # 'str' does not have decode method in python3
+ if type(rrtext) is not str:
+ fields = rrtext.decode('ascii').split()
+ else:
+ fields = rrtext.split()
if len(fields) < 7:
raise Exception
@@ -89,35 +93,39 @@ class SECRR:
@@ -89,39 +93,43 @@ class SECRR:
# Generate a set of expected DS/DLV records from the DNSKEY RRset,
# and report on congruency.
############################################################################
@ -103,6 +89,8 @@ index ce50355..a161554 100644
+ fp, _ = Popen(cmd, stdout=PIPE).communicate()
for line in fp.splitlines():
if type(line) is not str:
line = line.decode('ascii')
- rrlist.append(SECRR(line, lookaside))
+ rrlist.append(SECRR(line, args.lookaside))
rrlist = sorted(rrlist, key=lambda rr: (rr.keyid, rr.keyalg, rr.hashalg))
@ -131,6 +119,8 @@ index ce50355..a161554 100644
fp, _ = Popen(cmd, stdin=PIPE, stdout=PIPE).communicate(intods)
for line in fp.splitlines():
if type(line) is not str:
line = line.decode('ascii')
- klist.append(SECRR(line, lookaside))
+ klist.append(SECRR(line, args.lookaside))
@ -160,7 +150,7 @@ index ce50355..a161554 100644
@@ -162,6 +167,12 @@ def parse_args():
default=os.path.join(prefix(sbindir),
'dnssec-dsfromkey'),
type=str, help='path to \'dig\'')
type=str, help='path to \'dnssec-dsfromkey\'')
+ parser.add_argument('-f', '--file', dest='masterfile', type=str,
+ help='zone master file')
+ parser.add_argument('-l', '--lookaside', dest='lookaside', type=str,

0
2574-Do-not-treat-a-referral-with-a-non-empty-ANSWER-sect.patch → do-not-treat-a-referral-with-a-non-empty-ANSWER-sect.patch
View File

15
generate-rndc-key.sh
View File

@ -1,6 +1,17 @@
#!/bin/bash
. /etc/rc.d/init.d/functions
if [ -r /etc/rc.d/init.d/functions ]; then
. /etc/rc.d/init.d/functions
else
success() {
echo $" OK "
}
failure() {
echo -n " "
echo $"FAILED"
}
fi
# This script generates /etc/rndc.key if doesn't exist AND if there is no rndc.conf
@ -14,7 +25,9 @@ if [ ! -s /etc/rndc.key -a ! -s /etc/rndc.conf ]; then
success $"/etc/rndc.key generation"
echo
else
rc=$?
failure $"/etc/rndc.key generation"
echo
exit $rc
fi
fi

2
named-chroot.service
View File

@ -20,7 +20,7 @@ PIDFile=/var/named/chroot/run/named/named.pid
ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} -t /var/named/chroot $OPTIONS
ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'
ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi'
ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'

2
named-pkcs11.service
View File

@ -16,7 +16,7 @@ PIDFile=/run/named/named.pid
ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
ExecStart=/usr/sbin/named-pkcs11 -u named -c ${NAMEDCONF} $OPTIONS
ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'
ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi'
ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'

2
named-sdb-chroot.service
View File

@ -20,7 +20,7 @@ PIDFile=/var/named/chroot_sdb/run/named/named.pid
ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot_sdb -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
ExecStart=/usr/sbin/named-sdb -u named -c ${NAMEDCONF} -t /var/named/chroot_sdb $OPTIONS
ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'
ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi'
ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'

2
named-sdb.service
View File

@ -16,7 +16,7 @@ PIDFile=/run/named/named.pid
ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
ExecStart=/usr/sbin/named-sdb -u named -c ${NAMEDCONF} $OPTIONS
ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'
ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi'
ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'

10
named.empty Normal file
View File

@ -0,0 +1,10 @@
$TTL 3H
@ IN SOA @ rname.invalid. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS @
A 127.0.0.1
AAAA ::1

10
named.localhost Normal file
View File

@ -0,0 +1,10 @@
$TTL 1D
@ IN SOA @ rname.invalid. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS @
A 127.0.0.1
AAAA ::1

11
named.loopback Normal file
View File

@ -0,0 +1,11 @@
$TTL 1D
@ IN SOA @ rname.invalid. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS @
A 127.0.0.1
AAAA ::1
PTR localhost.

45
named.rfc1912.zones Normal file
View File

@ -0,0 +1,45 @@
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and https://tools.ietf.org/html/rfc6303
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// Note: empty-zones-enable yes; option is default.
// If private ranges should be forwarded, add
// disable-empty-zone "."; into options
//
zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "1.0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "0.in-addr.arpa" IN {
type master;
file "named.empty";
allow-update { none; };
};

61
named.root Normal file
View File

@ -0,0 +1,61 @@
; <<>> DiG 9.11.3-RedHat-9.11.3-3.fc27 <<>> +bufsize=1200 +norec @a.root-servers.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46900
;; flags: qr aa; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 27
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;. IN NS
;; ANSWER SECTION:
. 518400 IN NS a.root-servers.net.
. 518400 IN NS b.root-servers.net.
. 518400 IN NS c.root-servers.net.
. 518400 IN NS d.root-servers.net.
. 518400 IN NS e.root-servers.net.
. 518400 IN NS f.root-servers.net.
. 518400 IN NS g.root-servers.net.
. 518400 IN NS h.root-servers.net.
. 518400 IN NS i.root-servers.net.
. 518400 IN NS j.root-servers.net.
. 518400 IN NS k.root-servers.net.
. 518400 IN NS l.root-servers.net.
. 518400 IN NS m.root-servers.net.
;; ADDITIONAL SECTION:
a.root-servers.net. 518400 IN A 198.41.0.4
b.root-servers.net. 518400 IN A 199.9.14.201
c.root-servers.net. 518400 IN A 192.33.4.12
d.root-servers.net. 518400 IN A 199.7.91.13
e.root-servers.net. 518400 IN A 192.203.230.10
f.root-servers.net. 518400 IN A 192.5.5.241
g.root-servers.net. 518400 IN A 192.112.36.4
h.root-servers.net. 518400 IN A 198.97.190.53
i.root-servers.net. 518400 IN A 192.36.148.17
j.root-servers.net. 518400 IN A 192.58.128.30
k.root-servers.net. 518400 IN A 193.0.14.129
l.root-servers.net. 518400 IN A 199.7.83.42
m.root-servers.net. 518400 IN A 202.12.27.33
a.root-servers.net. 518400 IN AAAA 2001:503:ba3e::2:30
b.root-servers.net. 518400 IN AAAA 2001:500:200::b
c.root-servers.net. 518400 IN AAAA 2001:500:2::c
d.root-servers.net. 518400 IN AAAA 2001:500:2d::d
e.root-servers.net. 518400 IN AAAA 2001:500:a8::e
f.root-servers.net. 518400 IN AAAA 2001:500:2f::f
g.root-servers.net. 518400 IN AAAA 2001:500:12::d0d
h.root-servers.net. 518400 IN AAAA 2001:500:1::53
i.root-servers.net. 518400 IN AAAA 2001:7fe::53
j.root-servers.net. 518400 IN AAAA 2001:503:c27::2:30
k.root-servers.net. 518400 IN AAAA 2001:7fd::1
l.root-servers.net. 518400 IN AAAA 2001:500:9f::42
m.root-servers.net. 518400 IN AAAA 2001:dc3::35
;; Query time: 24 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Thu Apr 05 15:57:34 CEST 2018
;; MSG SIZE rcvd: 811

19
named.root.key Normal file
View File

@ -0,0 +1,19 @@
managed-keys {
# ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml
# for current trust anchor information.
#
# This key (20326) was published in the root zone in 2017.
# Servers which were already using the old key (19036) should
# roll seamlessly to this new one via RFC 5011 rollover. Servers
# being set up for the first time can use the contents of this
# file as initializing keys; thereafter, the keys in the
# managed key database will be trusted and maintained
# automatically.
. initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
R1AkUTV74bU=";
};

3
named.service
View File

@ -15,8 +15,7 @@ PIDFile=/run/named/named.pid
ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS
ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'
ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi'
ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'

81
setup-named-softhsm.sh
View File

@ -2,6 +2,12 @@
#
# This script will initialise token storage of softhsm PKCS11 provider
# in custom location. Is useful to store tokens in non-standard location.
#
# Output can be evaluated from bash, it will prepare it for usage of temporary tokens.
# Quotes around eval are mandatory!
# Recommended use:
# eval "$(bash setup-named-softhsm.sh -A)"
#
SOFTHSM2_CONF="$1"
TOKENPATH="$2"
@ -10,14 +16,55 @@ GROUPNAME="$3"
# This is intended for crypto accelerators using PKCS11 interface.
# Uninitialized token would fail any crypto operation.
PIN=1234
SO_PIN=1234
LABEL=rpm
set -e
echo_i()
{
echo "#" $@
}
random()
{
if [ -x "$(which openssl 2>/dev/null)" ]; then
openssl rand -base64 $1
else
dd if=/dev/urandom bs=1c count=$1 | base64
fi
}
usage()
{
echo "Usage: $0 -A [token directory] [group]"
echo " or: $0 <config file> <token directory> [group]"
}
if [ "$SOFTHSM2_CONF" = "-A" -a -z "$TOKENPATH" ]; then
TOKENPATH=$(mktemp -d /var/tmp/softhsm-XXXXXX)
fi
if [ -z "$SOFTHSM2_CONF" -o -z "$TOKENPATH" ]; then
echo "Usage: $0 <config file> <token directory> [group]" >&2
usage >&2
exit 1
fi
if [ "$SOFTHSM2_CONF" = "-A" ]; then
# Automagic mode instead
MODE=secure
SOFTHSM2_CONF="$TOKENPATH/softhsm2.conf"
PIN_SOURCE="$TOKENPATH/pin"
SOPIN_SOURCE="$TOKENPATH/so-pin"
TOKENPATH="$TOKENPATH/tokens"
else
MODE=legacy
fi
[ -d "$TOKENPATH" ] || mkdir -p "$TOKENPATH"
umask 0022
if ! [ -f "$SOFTHSM2_CONF" ]; then
cat << SED > "$SOFTHSM2_CONF"
# SoftHSM v2 configuration file
@ -32,19 +79,36 @@ log.level = ERROR
slots.removable = false
SED
else
echo "Config file $SOFTHSM2_CONF already exists" >&2
echo_i "Config file $SOFTHSM2_CONF already exists" >&2
fi
[ -d "$TOKENPATH" ] || mkdir -p "$TOKENPATH"
if [ -n "$PIN_SOURCE" ]; then
touch "$PIN_SOURCE" "$SOPIN_SOURCE"
chmod 0600 "$PIN_SOURCE" "$SOPIN_SOURCE"
if [ -n "$GROUPNAME" ]; then
chgrp "$GROUPNAME" "$PIN_SOURCE" "$SOPIN_SOURCE"
chmod g+r "$PIN_SOURCE" "$SOPIN_SOURCE"
fi
fi
export SOFTHSM2_CONF
if softhsm2-util --show-slots | grep 'Initialized:[[:space:]]*yes' > /dev/null
then
echo "Token in ${TOKENPATH} is already initialized" >&2
echo_i "Token in ${TOKENPATH} is already initialized" >&2
[ -f "$PIN_SOURCE" ] && PIN=$(cat "$PIN_SOURCE")
[ -f "$SOPIN_SOURCE" ] && SO_PIN=$(cat "$SOPIN_SOURCE")
else
echo "Initializing tokens to ${TOKENPATH}..."
softhsm2-util --init-token --free --label rpm --pin $PIN --so-pin $PIN
PIN=$(random 6)
SO_PIN=$(random 18)
if [ -n "$PIN_SOURCE" ]; then
echo -n "$PIN" > "$PIN_SOURCE"
echo -n "$SO_PIN" > "$SOPIN_SOURCE"
fi
echo_i "Initializing tokens to ${TOKENPATH}..."
softhsm2-util --init-token --free --label "$LABEL" --pin "$PIN" --so-pin "$SO_PIN" | sed -e 's/^/# /'
if [ -n "$GROUPNAME" ]; then
chgrp -R -- "$GROUPNAME" "$TOKENPATH"
@ -53,3 +117,8 @@ else
fi
echo "export SOFTHSM2_CONF=\"$SOFTHSM2_CONF\""
echo "export PIN_SOURCE=\"$PIN_SOURCE\""
echo "export SOPIN_SOURCE=\"$SOPIN_SOURCE\""
# These are intentionaly not exported
echo "PIN=\"$PIN\""
echo "SO_PIN=\"$SO_PIN\""