packages/bind
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

update to 9.16.23

Browse Source
This commit is contained in:
jiangheng 2021-12-04 15:31:20 +08:00 committed by shirely16
parent 66871a3bb6
commit d7abb9fca3
91 changed files with 2672 additions and 15433 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

228
Add-some-DBC-checks-in-dighost-fix-race-between-clea.patch
View File

@ -1,228 +0,0 @@
--- a/bin/dig/dighost.c 2019-04-18 00:14:08.120000000 -0400
+++ b/bin/dig/dighost_1.c 2019-04-18 02:34:32.947000000 -0400
@@ -1822,9 +1822,9 @@ clear_query(dig_query_t *query) {
debug("clear_query(%p)", query);
- if (query->timer != NULL)
+ if (query->timer != NULL){
isc_timer_detach(&query->timer);
-
+ }
if (query->waiting_senddone) {
debug("send_done not yet called");
query->pending_free = true;
@@ -1833,13 +1833,15 @@ clear_query(dig_query_t *query) {
lookup = query->lookup;
- if (lookup->current_query == query)
+ if (lookup->current_query == query){
lookup->current_query = NULL;
-
- if (ISC_LINK_LINKED(query, link))
+ }
+ if (ISC_LINK_LINKED(query, link)){
ISC_LIST_UNLINK(lookup->q, query, link);
- if (ISC_LINK_LINKED(query, clink))
+ }
+ if (ISC_LINK_LINKED(query, clink)){
ISC_LIST_UNLINK(lookup->connecting, query, clink);
+ }
if (ISC_LINK_LINKED(&query->recvbuf, link))
ISC_LIST_DEQUEUE(query->recvlist, &query->recvbuf,
link);
@@ -1856,6 +1858,7 @@ clear_query(dig_query_t *query) {
isc_mempool_put(commctx, query->recvspace);
isc_buffer_invalidate(&query->recvbuf);
isc_buffer_invalidate(&query->lengthbuf);
+ query->magic = 0;
isc_mem_free(mctx, query);
}
@@ -2807,13 +2810,14 @@ setup_lookup(dig_lookup_t *lookup) {
for (serv = ISC_LIST_HEAD(lookup->my_server_list);
serv != NULL;
- serv = ISC_LIST_NEXT(serv, link)) {
+ serv = ISC_LIST_NEXT(serv, link))
+ {
query = isc_mem_allocate(mctx, sizeof(dig_query_t));
- if (query == NULL)
+ if (query == NULL){
fatal("memory allocation failure in %s:%d",
__FILE__, __LINE__);
- debug("create query %p linked to lookup %p",
- query, lookup);
+ }
+ debug("create query %p linked to lookup %p", query, lookup);
query->lookup = lookup;
query->timer = NULL;
query->waiting_connect = false;
@@ -2838,9 +2842,9 @@ setup_lookup(dig_lookup_t *lookup) {
ISC_LIST_INIT(query->lengthlist);
query->sock = NULL;
query->recvspace = isc_mempool_get(commctx);
- if (query->recvspace == NULL)
+ if (query->recvspace == NULL){
fatal("memory allocation failure");
-
+ }
isc_buffer_init(&query->recvbuf, query->recvspace, COMMSIZE);
isc_buffer_init(&query->lengthbuf, query->lengthspace, 2);
isc_buffer_init(&query->slbuf, query->slspace, 2);
@@ -2848,6 +2852,7 @@ setup_lookup(dig_lookup_t *lookup) {
ISC_LINK_INIT(query, clink);
ISC_LINK_INIT(query, link);
+ query->magic = DIG_QUERY_MAGIC;
ISC_LIST_ENQUEUE(lookup->q, query, link);
}
@@ -2856,9 +2861,10 @@ setup_lookup(dig_lookup_t *lookup) {
extrabytes = 0;
dighost_printmessage(ISC_LIST_HEAD(lookup->q), lookup->sendmsg,
true);
- if (lookup->stats)
+ if (lookup->stats){
printf(";; QUERY SIZE: %u\n\n",
isc_buffer_usedlength(&lookup->renderbuf));
+ }
}
return (true);
}
@@ -2893,20 +2899,26 @@ send_done(isc_task_t *_task, isc_event_t
}
query = event->ev_arg;
+ REQUIRE(DIG_VALID_QUERY(query));
query->waiting_senddone = false;
l = query->lookup;
- if (l->ns_search_only && !l->trace_root && !l->tcp_mode) {
+ if (!query->pending_free && l->ns_search_only &&
+ !l->trace_root && !l->tcp_mode)
+ {
debug("sending next, since searching");
next = ISC_LIST_NEXT(query, link);
- if (next != NULL)
+ if (next != NULL){
send_udp(next);
+ }
}
isc_event_free(&event);
- if (query->pending_free)
+ if (query->pending_free){
+ query->magic = 0;
clear_query(query);
+ }
check_next_lookup(l);
UNLOCK_LOOKUP;
@@ -2924,6 +2936,7 @@ cancel_lookup(dig_lookup_t *lookup) {
debug("cancel_lookup()");
query = ISC_LIST_HEAD(lookup->q);
while (query != NULL) {
+ REQUIRE(DIG_VALID_QUERY(query));
next = ISC_LIST_NEXT(query, link);
if (query->sock != NULL) {
isc_socket_cancel(query->sock, global_task,
@@ -2943,6 +2956,7 @@ bringup_timer(dig_query_t *query, unsign
dig_lookup_t *l;
unsigned int local_timeout;
isc_result_t result;
+ REQUIRE(DIG_VALID_QUERY(query));
debug("bringup_timer()");
/*
@@ -3007,7 +3021,7 @@ send_tcp_connect(dig_query_t *query) {
isc_result_t result;
dig_query_t *next;
dig_lookup_t *l;
-
+ REQUIRE(DIG_VALID_QUERY(query));
debug("send_tcp_connect(%p)", query);
l = query->lookup;
@@ -3145,7 +3159,7 @@ send_udp(dig_query_t *query) {
isc_result_t result;
isc_buffer_t *sendbuf;
dig_query_t *next;
-
+ REQUIRE(DIG_VALID_QUERY(query));
debug("send_udp(%p)", query);
l = query->lookup;
@@ -3248,6 +3262,7 @@ connect_timeout(isc_task_t *task, isc_ev
LOCK_LOOKUP;
query = event->ev_arg;
+ REQUIRE(DIG_VALID_QUERY(query));
l = query->lookup;
isc_event_free(&event);
@@ -3335,7 +3350,7 @@ tcp_length_done(isc_task_t *task, isc_ev
LOCK_LOOKUP;
sevent = (isc_socketevent_t *)event;
query = event->ev_arg;
-
+ REQUIRE(DIG_VALID_QUERY(query));
recvcount--;
INSIST(recvcount >= 0);
@@ -3412,7 +3427,7 @@ launch_next_query(dig_query_t *query, is
isc_result_t result;
dig_lookup_t *l;
isc_buffer_t *buffer;
-
+ REQUIRE(DIG_VALID_QUERY(query));
INSIST(!free_now);
debug("launch_next_query()");
@@ -3491,7 +3506,7 @@ connect_done(isc_task_t *task, isc_event
LOCK_LOOKUP;
sevent = (isc_socketevent_t *)event;
query = sevent->ev_arg;
-
+ REQUIRE(DIG_VALID_QUERY(query));
INSIST(query->waiting_connect);
query->waiting_connect = false;
@@ -4460,6 +4475,7 @@ do_lookup(dig_lookup_t *lookup) {
lookup->pending = true;
query = ISC_LIST_HEAD(lookup->q);
if (query != NULL) {
+ REQUIRE(DIG_VALID_QUERY(query));
if (lookup->tcp_mode)
send_tcp_connect(query);
else
--- a/bin/dig/include/dig/dig.h 2018-09-04 00:04:41.000000000 -0400
+++ b/bin/dig/include/dig/dig_1.h 2019-04-18 02:36:44.313000000 -0400
@@ -24,6 +24,7 @@
#include <isc/formatcheck.h>
#include <isc/lang.h>
#include <isc/list.h>
+#include <isc/magic.h>
#include <isc/mem.h>
#include <isc/print.h>
#include <isc/sockaddr.h>
@@ -90,6 +91,9 @@ typedef struct dig_message dig_message_t
#endif
typedef ISC_LIST(dig_server_t) dig_serverlist_t;
typedef struct dig_searchlist dig_searchlist_t;
+#define DIG_QUERY_MAGIC ISC_MAGIC('D','i','g','q')
+
+#define DIG_VALID_QUERY(x) ISC_MAGIC_VALID((x), DIG_QUERY_MAGIC)
/*% The dig_lookup structure */
struct dig_lookup {
@@ -199,6 +203,7 @@ isc_boolean_t sigchase;
/*% The dig_query structure */
struct dig_query {
+ unsigned int magic;
dig_lookup_t *lookup;
bool waiting_connect,
pending_free,

56
CVE-2020-8622.patch
View File

@ -1,56 +0,0 @@
From 6ed167ad0a647dff20c8cb08c944a7967df2d415 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Wed, 15 Jul 2020 16:07:51 +1000
Subject: [PATCH] Always keep a copy of the message
this allows it to be available even when dns_message_parse()
returns a error.
---
lib/dns/message.c | 24 +++++++++++++-----------
1 file changed, 13 insertions(+), 11 deletions(-)
diff --git a/lib/dns/message.c b/lib/dns/message.c
index d9e341a09e..7c813a5cf6 100644
--- a/lib/dns/message.c
+++ b/lib/dns/message.c
@@ -1712,6 +1712,19 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
msg->header_ok = 0;
msg->question_ok = 0;
+ if ((options & DNS_MESSAGEPARSE_CLONEBUFFER) == 0) {
+ isc_buffer_usedregion(&origsource, &msg->saved);
+ } else {
+ msg->saved.length = isc_buffer_usedlength(&origsource);
+ msg->saved.base = isc_mem_get(msg->mctx, msg->saved.length);
+ if (msg->saved.base == NULL) {
+ return (ISC_R_NOMEMORY);
+ }
+ memmove(msg->saved.base, isc_buffer_base(&origsource),
+ msg->saved.length);
+ msg->free_saved = 1;
+ }
+
isc_buffer_remainingregion(source, &r);
if (r.length < DNS_MESSAGE_HEADERLEN)
return (ISC_R_UNEXPECTEDEND);
@@ -1787,17 +1800,6 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
}
truncated:
- if ((options & DNS_MESSAGEPARSE_CLONEBUFFER) == 0)
- isc_buffer_usedregion(&origsource, &msg->saved);
- else {
- msg->saved.length = isc_buffer_usedlength(&origsource);
- msg->saved.base = isc_mem_get(msg->mctx, msg->saved.length);
- if (msg->saved.base == NULL)
- return (ISC_R_NOMEMORY);
- memmove(msg->saved.base, isc_buffer_base(&origsource),
- msg->saved.length);
- msg->free_saved = 1;
- }
if (ret == ISC_R_UNEXPECTEDEND && ignore_tc)
return (DNS_R_RECOVERABLE);
--
GitLab

398
CVE-2020-8623.patch
View File

@ -1,398 +0,0 @@
From 8d807cc21655eaa6e6a08afafeec3682c0f3f2ab Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Tue, 21 Jul 2020 14:42:47 +0200
Subject: [PATCH] Fix crash in pk11_numbits() when native-pkcs11 is used
When pk11_numbits() is passed a user provided input that contains all
zeroes (via crafted DNS message), it would crash with assertion
failure. Fix that by properly handling such input.
---
lib/dns/pkcs11dh_link.c | 15 ++++++-
lib/dns/pkcs11dsa_link.c | 8 +++-
lib/dns/pkcs11rsa_link.c | 79 +++++++++++++++++++++++++--------
lib/isc/include/pk11/internal.h | 3 +-
lib/isc/pk11.c | 61 ++++++++++++++++---------
5 files changed, 121 insertions(+), 45 deletions(-)
diff --git a/lib/dns/pkcs11dh_link.c b/lib/dns/pkcs11dh_link.c
index e2b60ea7c5..4cd8e32d60 100644
--- a/lib/dns/pkcs11dh_link.c
+++ b/lib/dns/pkcs11dh_link.c
@@ -748,6 +748,7 @@ pkcs11dh_fromdns(dst_key_t *key, isc_buffer_t *data) {
CK_BYTE *prime = NULL, *base = NULL, *pub = NULL;
CK_ATTRIBUTE *attr;
int special = 0;
+ unsigned int bits;
isc_result_t result;
isc_buffer_remainingregion(data, &r);
@@ -852,7 +853,11 @@ pkcs11dh_fromdns(dst_key_t *key, isc_buffer_t *data) {
pub = r.base;
isc_region_consume(&r, publen);
- key->key_size = pk11_numbits(prime, plen_);
+ result = pk11_numbits(prime, plen_, &bits);
+ if (result != ISC_R_SUCCESS) {
+ goto cleanup;
+ }
+ key->key_size = bits;
dh->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 3);
if (dh->repr == NULL)
@@ -1012,6 +1017,7 @@ pkcs11dh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
dst_private_t priv;
isc_result_t ret;
int i;
+ unsigned int bits;
pk11_object_t *dh = NULL;
CK_ATTRIBUTE *attr;
isc_mem_t *mctx;
@@ -1082,7 +1088,12 @@ pkcs11dh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
attr = pk11_attribute_bytype(dh, CKA_PRIME);
INSIST(attr != NULL);
- key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
+
+ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
+ if (ret != ISC_R_SUCCESS) {
+ goto err;
+ }
+ key->key_size = bits;
return (ISC_R_SUCCESS);
diff --git a/lib/dns/pkcs11dsa_link.c b/lib/dns/pkcs11dsa_link.c
index 12d707a112..24d4c149ff 100644
--- a/lib/dns/pkcs11dsa_link.c
+++ b/lib/dns/pkcs11dsa_link.c
@@ -983,6 +983,7 @@ pkcs11dsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
dst_private_t priv;
isc_result_t ret;
int i;
+ unsigned int bits;
pk11_object_t *dsa = NULL;
CK_ATTRIBUTE *attr;
isc_mem_t *mctx = key->mctx;
@@ -1072,7 +1073,12 @@ pkcs11dsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
attr = pk11_attribute_bytype(dsa, CKA_PRIME);
INSIST(attr != NULL);
- key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
+
+ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
+ if (ret != ISC_R_SUCCESS) {
+ goto err;
+ }
+ key->key_size = bits;
return (ISC_R_SUCCESS);
diff --git a/lib/dns/pkcs11rsa_link.c b/lib/dns/pkcs11rsa_link.c
index 096c1a8e91..1d10d26564 100644
--- a/lib/dns/pkcs11rsa_link.c
+++ b/lib/dns/pkcs11rsa_link.c
@@ -332,6 +332,7 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits,
key->key_alg == DST_ALG_RSASHA256 ||
key->key_alg == DST_ALG_RSASHA512);
#endif
+ REQUIRE(maxbits <= RSA_MAX_PUBEXP_BITS);
/*
* Reject incorrect RSA key lengths.
@@ -376,6 +377,7 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits,
for (attr = pk11_attribute_first(rsa);
attr != NULL;
attr = pk11_attribute_next(rsa, attr))
+ {
switch (attr->type) {
case CKA_MODULUS:
INSIST(keyTemplate[5].type == attr->type);
@@ -396,12 +398,16 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits,
memmove(keyTemplate[6].pValue, attr->pValue,
attr->ulValueLen);
keyTemplate[6].ulValueLen = attr->ulValueLen;
- if (pk11_numbits(attr->pValue,
- attr->ulValueLen) > maxbits &&
- maxbits != 0)
+ unsigned int bits;
+ ret = pk11_numbits(attr->pValue, attr->ulValueLen,
+ &bits);
+ if (ret != ISC_R_SUCCESS ||
+ (bits > maxbits && maxbits != 0)) {
DST_RET(DST_R_VERIFYFAILURE);
+ }
break;
}
+ }
pk11_ctx->object = CK_INVALID_HANDLE;
pk11_ctx->ontoken = false;
PK11_RET(pkcs_C_CreateObject,
@@ -1072,6 +1078,7 @@ pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
keyTemplate[5].ulValueLen = attr->ulValueLen;
break;
case CKA_PUBLIC_EXPONENT:
+ unsigned int bits;
INSIST(keyTemplate[6].type == attr->type);
keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
attr->ulValueLen);
@@ -1080,10 +1087,12 @@ pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
memmove(keyTemplate[6].pValue, attr->pValue,
attr->ulValueLen);
keyTemplate[6].ulValueLen = attr->ulValueLen;
- if (pk11_numbits(attr->pValue,
- attr->ulValueLen)
- > RSA_MAX_PUBEXP_BITS)
+ ret = pk11_numbits(attr->pValue, attr->ulValueLen,
+ &bits);
+ if (ret != ISC_R_SUCCESS || bits > RSA_MAX_PUBEXP_BITS)
+ {
DST_RET(DST_R_VERIFYFAILURE);
+ }
break;
}
pk11_ctx->object = CK_INVALID_HANDLE;
@@ -1461,6 +1470,8 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
CK_BYTE *exponent = NULL, *modulus = NULL;
CK_ATTRIBUTE *attr;
unsigned int length;
+ unsigned int bits;
+ isc_result_t ret = ISC_R_SUCCESS;
isc_buffer_remainingregion(data, &r);
if (r.length == 0)
@@ -1478,9 +1489,7 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
if (e_bytes == 0) {
if (r.length < 2) {
- isc_safe_memwipe(rsa, sizeof(*rsa));
- isc_mem_put(key->mctx, rsa, sizeof(*rsa));
- return (DST_R_INVALIDPUBLICKEY);
+ DST_RET(DST_R_INVALIDPUBLICKEY);
}
e_bytes = (*r.base) << 8;
isc_region_consume(&r, 1);
@@ -1489,16 +1498,18 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
}
if (r.length < e_bytes) {
- isc_safe_memwipe(rsa, sizeof(*rsa));
- isc_mem_put(key->mctx, rsa, sizeof(*rsa));
- return (DST_R_INVALIDPUBLICKEY);
+ DST_RET(DST_R_INVALIDPUBLICKEY);
}
exponent = r.base;
isc_region_consume(&r, e_bytes);
modulus = r.base;
mod_bytes = r.length;
- key->key_size = pk11_numbits(modulus, mod_bytes);
+ ret = pk11_numbits(modulus, mod_bytes, &bits);
+ if (ret != ISC_R_SUCCESS) {
+ goto err;
+ }
+ key->key_size = bits;
isc_buffer_forward(data, length);
@@ -1548,9 +1559,12 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
rsa->repr,
rsa->attrcnt * sizeof(*attr));
}
+ ret = ISC_R_NOMEMORY;
+
+ err:
isc_safe_memwipe(rsa, sizeof(*rsa));
isc_mem_put(key->mctx, rsa, sizeof(*rsa));
- return (ISC_R_NOMEMORY);
+ return (ret);
}
static isc_result_t
@@ -1729,6 +1743,7 @@ pkcs11rsa_fetch(dst_key_t *key, const char *engine, const char *label,
pk11_object_t *pubrsa;
pk11_context_t *pk11_ctx = NULL;
isc_result_t ret;
+ unsigned int bits;
if (label == NULL)
return (DST_R_NOENGINE);
@@ -1815,7 +1830,11 @@ pkcs11rsa_fetch(dst_key_t *key, const char *engine, const char *label,
attr = pk11_attribute_bytype(rsa, CKA_MODULUS);
INSIST(attr != NULL);
- key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
+ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
+ if (ret != ISC_R_SUCCESS) {
+ goto err;
+ }
+ key->key_size = bits;
return (ISC_R_SUCCESS);
@@ -1901,6 +1920,7 @@ pkcs11rsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
CK_ATTRIBUTE *attr;
isc_mem_t *mctx = key->mctx;
const char *engine = NULL, *label = NULL;
+ unsigned int bits;
/* read private key file */
ret = dst__privstruct_parse(key, DST_ALG_RSA, lexer, mctx, &priv);
@@ -2044,12 +2064,22 @@ pkcs11rsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
attr = pk11_attribute_bytype(rsa, CKA_MODULUS);
INSIST(attr != NULL);
- key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
+ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
+ if (ret != ISC_R_SUCCESS) {
+ goto err;
+ }
+ key->key_size = bits;
attr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT);
INSIST(attr != NULL);
- if (pk11_numbits(attr->pValue, attr->ulValueLen) > RSA_MAX_PUBEXP_BITS)
+
+ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
+ if (ret != ISC_R_SUCCESS) {
+ goto err;
+ }
+ if (bits > RSA_MAX_PUBEXP_BITS) {
DST_RET(ISC_R_RANGE);
+ }
dst__privstruct_free(&priv, mctx);
isc_safe_memwipe(&priv, sizeof(priv));
@@ -2084,6 +2114,7 @@ pkcs11rsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
pk11_context_t *pk11_ctx = NULL;
isc_result_t ret;
unsigned int i;
+ unsigned int bits;
UNUSED(pin);
@@ -2178,12 +2209,22 @@ pkcs11rsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
attr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT);
INSIST(attr != NULL);
- if (pk11_numbits(attr->pValue, attr->ulValueLen) > RSA_MAX_PUBEXP_BITS)
+
+ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
+ if (ret != ISC_R_SUCCESS) {
+ goto err;
+ }
+ if (bits > RSA_MAX_PUBEXP_BITS) {
DST_RET(ISC_R_RANGE);
+ }
attr = pk11_attribute_bytype(rsa, CKA_MODULUS);
INSIST(attr != NULL);
- key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
+ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
+ if (ret != ISC_R_SUCCESS) {
+ goto err;
+ }
+ key->key_size = bits;
pk11_return_session(pk11_ctx);
isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
diff --git a/lib/isc/include/pk11/internal.h b/lib/isc/include/pk11/internal.h
index aa8907ab08..7cc8ec812b 100644
--- a/lib/isc/include/pk11/internal.h
+++ b/lib/isc/include/pk11/internal.h
@@ -25,7 +25,8 @@ void pk11_mem_put(void *ptr, size_t size);
CK_SLOT_ID pk11_get_best_token(pk11_optype_t optype);
-unsigned int pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt);
+isc_result_t
+pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt, unsigned int *bits);
CK_ATTRIBUTE *pk11_attribute_first(const pk11_object_t *obj);
diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c
index 012afd968a..4e4052044b 100644
--- a/lib/isc/pk11.c
+++ b/lib/isc/pk11.c
@@ -962,13 +962,15 @@ pk11_get_best_token(pk11_optype_t optype) {
return (token->slotid);
}
-unsigned int
-pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt) {
+isc_result_t
+pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt, unsigned int *bits) {
unsigned int bitcnt, i;
CK_BYTE top;
- if (bytecnt == 0)
- return (0);
+ if (bytecnt == 0) {
+ *bits = 0;
+ return (ISC_R_SUCCESS);
+ }
bitcnt = bytecnt * 8;
for (i = 0; i < bytecnt; i++) {
top = data[i];
@@ -976,26 +978,41 @@ pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt) {
bitcnt -= 8;
continue;
}
- if (top & 0x80)
- return (bitcnt);
- if (top & 0x40)
- return (bitcnt - 1);
- if (top & 0x20)
- return (bitcnt - 2);
- if (top & 0x10)
- return (bitcnt - 3);
- if (top & 0x08)
- return (bitcnt - 4);
- if (top & 0x04)
- return (bitcnt - 5);
- if (top & 0x02)
- return (bitcnt - 6);
- if (top & 0x01)
- return (bitcnt - 7);
+ if (top & 0x80) {
+ *bits = bitcnt;
+ return (ISC_R_SUCCESS);
+ }
+ if (top & 0x40) {
+ *bits = bitcnt - 1;
+ return (ISC_R_SUCCESS);
+ }
+ if (top & 0x20) {
+ *bits = bitcnt - 2;
+ return (ISC_R_SUCCESS);
+ }
+ if (top & 0x10) {
+ *bits = bitcnt - 3;
+ return (ISC_R_SUCCESS);
+ }
+ if (top & 0x08) {
+ *bits = bitcnt - 4;
+ return (ISC_R_SUCCESS);
+ }
+ if (top & 0x04) {
+ *bits = bitcnt - 5;
+ return (ISC_R_SUCCESS);
+ }
+ if (top & 0x02) {
+ *bits = bitcnt - 6;
+ return (ISC_R_SUCCESS);
+ }
+ if (top & 0x01) {
+ *bits = bitcnt - 7;
+ return (ISC_R_SUCCESS);
+ }
break;
}
- INSIST(0);
- ISC_UNREACHABLE();
+ return (ISC_R_RANGE);
}
CK_ATTRIBUTE *
--
GitLab

29
CVE-2020-8624.patch
View File

@ -1,29 +0,0 @@
From e4cccf9668c7adee4724a7649ec64685f82c8677 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Wed, 29 Jul 2020 23:36:03 +1000
Subject: [PATCH] Update-policy 'subdomain' was incorrectly treated as
'zonesub'
resulting in names outside the specified subdomain having the wrong
restrictions for the given key.
---
bin/named/zoneconf.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
index 55f191bad4..b77a07c14a 100644
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@@ -239,7 +239,8 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone,
str = cfg_obj_asstring(matchtype);
CHECK(dns_ssu_mtypefromstring(str, &mtype));
- if (mtype == dns_ssumatchtype_subdomain) {
+ if (mtype == dns_ssumatchtype_subdomain &&
+ strcasecmp(str, "zonesub") == 0) {
usezone = true;
}
--
GitLab

13
CVE-2020-8625.patch
View File

@ -1,13 +0,0 @@
diff --git a/lib/dns/spnego.c b/lib/dns/spnego.c
index dea108bad05..13cf15d7404 100644
--- a/lib/dns/spnego.c
+++ b/lib/dns/spnego.c
@@ -877,7 +877,7 @@ der_get_oid(const unsigned char *p, size_t len, oid *data, size_t *size) {
return (ASN1_OVERRUN);
}
- data->components = malloc(len * sizeof(*data->components));
+ data->components = malloc((len + 1) * sizeof(*data->components));
if (data->components == NULL) {
return (ENOMEM);
}

43
Changes.md Normal file
View File

@ -0,0 +1,43 @@
# Significant Changes in BIND9 package
## BIND 9.16
### New features
- *libuv* is used for network subsystem as a mandatory dependency
- *dnssec-policy* support in named.conf is introduced, providing a a key and signing policy
([KASP](https://gitlab.isc.org/isc-projects/bind9/-/wikis/DNSSEC-Key-and-Signing-Policy-(KASP)))
- *trusted-keys* and *managed-keys* are deprecated, replaced by *trust-anchors*
- *trust-anchors* support also anchor in a *DS* format, in addition to *DNSKEY* format
- **dig, mdig** and **delv** support **+yaml** parameter to print detailed machine parseable output
### Feature changes
- Static trust anchor and *dnssec-validation auto;* are incompatible and cause fatal error, when used together.
- *DS* and *CDS* now generates only SHA-256 digest, SHA-1 is no longer generated by default
- SipHash 2-4 DNS Cookie ([RFC 7873](https://www.rfc-editor.org/rfc/rfc7873.html) is now default).
Only AES alternative algorithm is kept, HMAC-SHA cookie support were removed.
- **dnssec-signzone** and **dnssec-verify** commands print output to stdout, *-q* parameter can silence them
### Features removed
- *dnssec-enable* option is obsolete, DNSSEC support is always enabled
- *dnssec-lookaside* option is deprecated and support for it removed from all tools
- *cleaning-interval* option is removed
### Upstream release notes
- [9.16.10 notes](https://downloads.isc.org/isc/bind9/9.16.10/doc/arm/html/notes.html#notes-for-bind-9-16-10)
- [9.16.0 notes](https://downloads.isc.org/isc/bind9/9.16.0/doc/arm/html/notes.html#notes-for-bind-9-16-0)
## BIND 9.14
- single thread support removed. Cannot provide *bind-export-libs* for DHCP
- *lwres* support completely removed. Both daemon and library
- common parts of daemon moved into *libns* shared library
- introduced plugin for filtering aaaa responses
- some SDB utilities no longer supported
### Upstream release notes
- [9.14.7 notes](https://downloads.isc.org/isc/bind9/9.14.7/RELEASE-NOTES-bind-9.14.7.html)

30
Fix_the_difference_at_the_macro_definition_using_clock_gettime_instead_of_gettimeofda.patch
View File

@ -1,30 +0,0 @@
From 33bf90331b48c7378316c141e5e9acb2862dd0ac Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Witold=20Kr=C4=99cicki?= <wpk@isc.org>
Date: Sun, 9 Dec 2018 00:41:21 +0100
Subject: [PATCH] use clock_gettime() instead of gettimeofday() for isc_itme
functions
---
lib/isc/unix/time.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/lib/isc/unix/time.c b/lib/isc/unix/time.c
index 9828250..c2ae60e 100644
--- a/lib/isc/unix/time.c
+++ b/lib/isc/unix/time.c
@@ -38,7 +38,11 @@
#define NS_PER_MS 1000000 /*%< Nanoseconds per millisecond. */
#define US_PER_S 1000000 /*%< Microseconds per second. */
-#define CLOCKSOURCE CLOCK_MONOTONIC
+#ifdef CLOCK_REALTIME_COARSE
+#define CLOCKSOURCE CLOCK_REALTIME_COARSE
+#else
+#define CLOCKSOURCE CLOCK_REALTIME
+#endif
/*%
*** Intervals
--
2.23.0

36
README.en.md
View File

@ -1,36 +0,0 @@
# bind
#### Description
{**When you're done, you can delete the content in this README and update the file with details for others getting started with your repository**}
#### Software Architecture
Software architecture description
#### Installation
1. xxxx
2. xxxx
3. xxxx
#### Instructions
1. xxxx
2. xxxx
3. xxxx
#### Contribution
1. Fork the repository
2. Create Feat_xxx branch
3. Commit your code
4. Create Pull Request
#### Gitee Feature
1. You can use Readme\_XXX.md to support different languages, such as Readme\_en.md, Readme\_zh.md
2. Gitee blog [blog.gitee.com](https://blog.gitee.com)
3. Explore open source project [https://gitee.com/explore](https://gitee.com/explore)
4. The most valuable open source project [GVP](https://gitee.com/gvp)
5. The manual of Gitee [https://gitee.com/help](https://gitee.com/help)
6. The most popular members [https://gitee.com/gitee-stars/](https://gitee.com/gitee-stars/)

79
README.sdb_pgsql
View File

@ -1,79 +0,0 @@
PGSQL BIND SDB driver
The postgresql BIND SDB driver is of experimental status and should not be
used for production systems.
Usage:
o Use the named_sdb process ( put ENABLE_SDB=yes in /etc/sysconfig/named )
o Edit your named.conf to contain a database zone, eg. :
zone "pgdb.net." IN {
type master;
database "pgsql bind pgdb localhost pguser pgpasswd";
# ^- DB name ^-Table ^-host ^-user ^-password
};
o Create the database zone table
The table must contain the columns "name", "rdtype", and "rdata", and
is expected to contain a properly constructed zone. The program "zonetodb"
creates such a table.
zonetodb usage:
zonetodb origin file dbname dbtable
where
origin : zone origin, eg "pgdb.net."
file : master zone database file, eg. pgdb.net.db
dbname : name of postgresql database
dbtable: name of table in database
Eg. to import this zone in the file 'pgdb.net.db' into the 'bind' database
'pgdb' table:
---
#pgdb.net.db:
$TTL 1H
@ SOA localhost. root.localhost. ( 1
3H
1H
1W
1H )
NS localhost.
host1 A 192.168.2.1
host2 A 192.168.2.2
host3 A 192.168.2.3
host4 A 192.168.2.4
host5 A 192.168.2.5
host6 A 192.168.2.6
host7 A 192.168.2.7
---
Issue this command as the pgsql user authorized to update the bind database:
# zonetodb pgdb.net. pgdb.net.db bind pgdb
will create / update the pgdb table in the 'bind' db:
$ psql -dbind -c 'select * from pgdb;'
name | ttl | rdtype | rdata
----------------+------+--------+-----------------------------------------------------
pgdb.net | 3600 | SOA | localhost. root.localhost. 1 10800 3600 604800 3600
pgdb.net | 3600 | NS | localhost.
host1.pgdb.net | 3600 | A | 192.168.2.1
host2.pgdb.net | 3600 | A | 192.168.2.2
host3.pgdb.net | 3600 | A | 192.168.2.3
host4.pgdb.net | 3600 | A | 192.168.2.4
host5.pgdb.net | 3600 | A | 192.168.2.5
host6.pgdb.net | 3600 | A | 192.168.2.6
host7.pgdb.net | 3600 | A | 192.168.2.7
(9 rows)
I've tested exactly the above configuration with bind-sdb-9.3.1+ and it works OK.
NOTE: If you use pgsqldb SDB, ensure the postgresql service is started before the named
service .
USE AT YOUR OWN RISK!

161
Use-clock_gettime-instead-of-gettimeofday.patch
View File

@ -1,161 +0,0 @@
diff --git a/lib/isc/unix/time.c b/lib/isc/unix/time.c
index f06d31a5508c2d3f7227063c21d9d4563789e72a..da25e5bf8e07639c8f70420a5c3f3c98a36a0548 100644
--- a/lib/isc/unix/time.c
+++ b/lib/isc/unix/time.c
@@ -36,16 +36,7 @@
#define NS_PER_MS 1000000 /*%< Nanoseconds per millisecond. */
#define US_PER_S 1000000 /*%< Microseconds per second. */
-/*
- * All of the INSIST()s checks of nanoseconds < NS_PER_S are for
- * consistency checking of the type. In lieu of magic numbers, it
- * is the best we've got. The check is only performed on functions which
- * need an initialized type.
- */
-
-#ifndef ISC_FIX_TV_USEC
-#define ISC_FIX_TV_USEC 1
-#endif
+#define CLOCKSOURCE CLOCK_MONOTONIC
/*%
*** Intervals
@@ -54,32 +49,6 @@
static const isc_interval_t zero_interval = { 0, 0 };
const isc_interval_t * const isc_interval_zero = &zero_interval;
-#if ISC_FIX_TV_USEC
-static inline void
-fix_tv_usec(struct timeval *tv) {
- bool fixed = false;
-
- if (tv->tv_usec < 0) {
- fixed = true;
- do {
- tv->tv_sec -= 1;
- tv->tv_usec += US_PER_S;
- } while (tv->tv_usec < 0);
- } else if (tv->tv_usec >= US_PER_S) {
- fixed = true;
- do {
- tv->tv_sec += 1;
- tv->tv_usec -= US_PER_S;
- } while (tv->tv_usec >=US_PER_S);
- }
- /*
- * Call syslog directly as was are called from the logging functions.
- */
- if (fixed)
- (void)syslog(LOG_ERR, "gettimeofday returned bad tv_usec: corrected");
-}
-#endif
-
void
isc_interval_set(isc_interval_t *i,
unsigned int seconds, unsigned int nanoseconds)
@@ -141,76 +110,52 @@ isc_time_isepoch(const isc_time_t *t) {
isc_result_t
isc_time_now(isc_time_t *t) {
- struct timeval tv;
+ struct timespec ts;
char strbuf[ISC_STRERRORSIZE];
REQUIRE(t != NULL);
- if (gettimeofday(&tv, NULL) == -1) {
+ if (clock_gettime(CLOCKSOURCE, &ts) == -1) {
isc__strerror(errno, strbuf, sizeof(strbuf));
UNEXPECTED_ERROR(__FILE__, __LINE__, "%s", strbuf);
return (ISC_R_UNEXPECTED);
}
- /*
- * Does POSIX guarantee the signedness of tv_sec and tv_usec? If not,
- * then this test will generate warnings for platforms on which it is
- * unsigned. In any event, the chances of any of these problems
- * happening are pretty much zero, but since the libisc library ensures
- * certain things to be true ...
- */
-#if ISC_FIX_TV_USEC
- fix_tv_usec(&tv);
- if (tv.tv_sec < 0)
- return (ISC_R_UNEXPECTED);
-#else
- if (tv.tv_sec < 0 || tv.tv_usec < 0 || tv.tv_usec >= US_PER_S)
+ if (ts.tv_sec < 0 || ts.tv_nsec < 0 || ts.tv_nsec >= NS_PER_S) {
return (ISC_R_UNEXPECTED);
-#endif
+ }
/*
* Ensure the tv_sec value fits in t->seconds.
*/
- if (sizeof(tv.tv_sec) > sizeof(t->seconds) &&
- ((tv.tv_sec | (unsigned int)-1) ^ (unsigned int)-1) != 0U)
+ if (sizeof(ts.tv_sec) > sizeof(t->seconds) &&
+ ((ts.tv_sec | (unsigned int)-1) ^ (unsigned int)-1) != 0U)
return (ISC_R_RANGE);
- t->seconds = tv.tv_sec;
- t->nanoseconds = tv.tv_usec * NS_PER_US;
+ t->seconds = ts.tv_sec;
+ t->nanoseconds = ts.tv_nsec;
return (ISC_R_SUCCESS);
}
isc_result_t
isc_time_nowplusinterval(isc_time_t *t, const isc_interval_t *i) {
- struct timeval tv;
+ struct timespec ts;
char strbuf[ISC_STRERRORSIZE];
REQUIRE(t != NULL);
REQUIRE(i != NULL);
INSIST(i->nanoseconds < NS_PER_S);
- if (gettimeofday(&tv, NULL) == -1) {
+ if (clock_gettime(CLOCKSOURCE, &ts) == -1) {
isc__strerror(errno, strbuf, sizeof(strbuf));
UNEXPECTED_ERROR(__FILE__, __LINE__, "%s", strbuf);
return (ISC_R_UNEXPECTED);
}
- /*
- * Does POSIX guarantee the signedness of tv_sec and tv_usec? If not,
- * then this test will generate warnings for platforms on which it is
- * unsigned. In any event, the chances of any of these problems
- * happening are pretty much zero, but since the libisc library ensures
- * certain things to be true ...
- */
-#if ISC_FIX_TV_USEC
- fix_tv_usec(&tv);
- if (tv.tv_sec < 0)
- return (ISC_R_UNEXPECTED);
-#else
- if (tv.tv_sec < 0 || tv.tv_usec < 0 || tv.tv_usec >= US_PER_S)
+ if (ts.tv_sec < 0 || ts.tv_nsec < 0 || ts.tv_nsec >= NS_PER_S) {
return (ISC_R_UNEXPECTED);
-#endif
+ }
/*
* Ensure the resulting seconds value fits in the size of an
@@ -218,12 +163,12 @@ isc_time_nowplusinterval(isc_time_t *t, const isc_interval_t *i) {
* note that even if both values == INT_MAX, then when added
* and getting another 1 added below the result is UINT_MAX.)
*/
- if ((tv.tv_sec > INT_MAX || i->seconds > INT_MAX) &&
- ((long long)tv.tv_sec + i->seconds > UINT_MAX))
+ if ((ts.tv_sec > INT_MAX || i->seconds > INT_MAX) &&
+ ((long long)ts.tv_sec + i->seconds > UINT_MAX))
return (ISC_R_RANGE);
- t->seconds = tv.tv_sec + i->seconds;
- t->nanoseconds = tv.tv_usec * NS_PER_US + i->nanoseconds;
+ t->seconds = ts.tv_sec + i->seconds;
+ t->nanoseconds = ts.tv_nsec + i->nanoseconds;
if (t->nanoseconds >= NS_PER_S) {
t->seconds++;
t->nanoseconds -= NS_PER_S;

36
backport-CVE-2021-25214.patch
View File

@ -1,36 +0,0 @@
From 813a1d0f943f7b4ecf43c449a08762a8d8557a45 Mon Sep 17 00:00:00 2001
From: UNKNOWN <>
Date: Tue, 27 Apr 2021 12:02:53 +0800
Subject: [PATCH v2 1/2] Fix CVE-2021-25214
Conflict:NA
Reference:https://downloads.isc.org/isc/bind9/private/40732ca6e4fcc9d0/patches/CVE-2021-25214.patch
diff --git a/lib/dns/xfrin.c b/lib/dns/xfrin.c
index 558f40c..bae6d41 100644
--- a/lib/dns/xfrin.c
+++ b/lib/dns/xfrin.c
@@ -474,6 +474,20 @@ xfr_rr(dns_xfrin_ctx_t *xfr, dns_name_t *name, isc_uint32_t ttl,
dns_rdatatype_ismeta(rdata->type))
FAIL(DNS_R_FORMERR);
+ /*
+ * Immediately reject the entire transfer if the RR that is currently
+ * being processed is an SOA record that is not placed at the zone
+ * apex.
+ */
+ if (rdata->type == dns_rdatatype_soa &&
+ !dns_name_equal(&xfr->name, name)) {
+ char namebuf[DNS_NAME_FORMATSIZE];
+ dns_name_format(name, namebuf, sizeof(namebuf));
+ xfrin_log(xfr, ISC_LOG_DEBUG(3), "SOA name mismatch: '%s'",
+ namebuf);
+ FAIL(DNS_R_NOTZONETOP);
+ }
+
redo:
switch (xfr->state) {
case XFRST_SOAQUERY:
--
1.8.3.1

36
backport-CVE-2021-25215.patch
View File

@ -1,36 +0,0 @@
From c42cc79ef9a23d8273b273bb86a1c8c9995b28a0 Mon Sep 17 00:00:00 2001
From: UNKNOWN <>
Date: Tue, 27 Apr 2021 12:12:24 +0800
Subject: [PATCH v2 2/2] Fix CVE-2021-25215
Conflict:NA
Reference:https://downloads.isc.org/isc/bind9/private/40732ca6e4fcc9d0/patches/CVE-2021-25215.patch
diff --git a/bin/named/query.c b/bin/named/query.c
index 6e988f5..2e7700a 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -9092,10 +9092,17 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
if (noqname != NULL)
query_addnoqnameproof(client, noqname);
/*
- * We shouldn't ever fail to add 'rdataset'
- * because it's already in the answer.
+ * 'rdataset' will only be non-NULL here if the ANSWER section
+ * of the message to be sent to the client already contains an
+ * RRset with the same owner name and the same type as
+ * 'rdataset'. This should never happen, with one exception:
+ * when chasing DNAME records, one of the DNAME records placed
+ * in the ANSWER section may turn out to be the final answer to
+ * the client's query, but we have no way of knowing that until
+ * now. In such a case, 'rdataset' will be freed later, so we
+ * do not need to free it here.
*/
- INSIST(rdataset == NULL);
+ INSIST(rdataset == NULL || qtype == dns_rdatatype_dname);
}
addauth:
--
1.8.3.1

69
backport-CVE-2021-25219.patch
View File

@ -1,69 +0,0 @@
Conflict: is_lame(fctx, rmessage) to is_lame(fctx)
Reference : https://downloads.isc.org/bind9/cur/9.11/patches/CVE-2021-25219.patch
diff --git a/bin/named/config.c b/bin/named/config.c
index fbd2f2126c..d24e4f8a26 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -175,7 +175,7 @@ options {\n\
#if defined(HAVE_GEOIP) || defined(HAVE_GEOIP2)
" geoip-use-ecs yes;\n"
#endif
-" lame-ttl 600;\n"
+" lame-ttl 0;\n"
#ifdef HAVE_LMDB
" lmdb-mapsize 32M;\n"
#endif
diff --git a/bin/named/server.c b/bin/named/server.c
index 6ff95e3bcc..9826588e6d 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -3987,8 +3987,12 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
result = ns_config_get(maps, "lame-ttl", &obj);
INSIST(result == ISC_R_SUCCESS);
lame_ttl = cfg_obj_asuint32(obj);
- if (lame_ttl > 1800)
- lame_ttl = 1800;
+ if (lame_ttl > 0) {
+ cfg_obj_log(obj, ns_g_lctx, ISC_LOG_WARNING,
+ "disabling lame cache despite lame-ttl > 0 as it "
+ "may cause performance issues");
+ lame_ttl = 0;
+ }
dns_resolver_setlamettl(view->resolver, lame_ttl);
/*
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 8175f7918b..b34cb12b73 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -8489,18 +8489,20 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
/*
* Is the server lame?
*/
- if (res->lame_ttl != 0 && !ISFORWARDER(query->addrinfo) &&
- is_lame(fctx)) {
+ if (!ISFORWARDER(query->addrinfo) && is_lame(fctx)) {
inc_stats(res, dns_resstatscounter_lame);
log_lame(fctx, query->addrinfo);
- result = dns_adb_marklame(fctx->adb, query->addrinfo,
- &fctx->name, fctx->type,
- now + res->lame_ttl);
- if (result != ISC_R_SUCCESS)
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
- DNS_LOGMODULE_RESOLVER, ISC_LOG_ERROR,
- "could not mark server as lame: %s",
- isc_result_totext(result));
+ if (res->lame_ttl != 0) {
+ result = dns_adb_marklame(fctx->adb, query->addrinfo,
+ &fctx->name, fctx->type,
+ now + res->lame_ttl);
+ if (result != ISC_R_SUCCESS) {
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+ DNS_LOGMODULE_RESOLVER, ISC_LOG_ERROR,
+ "could not mark server as lame: %s",
+ isc_result_totext(result));
+ }
+ }
broken_server = DNS_R_LAME;
keep_trying = true;
FCTXTRACE("lame server");

659
bind-9.10-dist-native-pkcs11.patch
View File

@ -1,68 +1,107 @@
From 1cbffe7e8b5bced9134abbae23a2a20c83d39a6a Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Thu, 21 Jan 2021 10:46:20 +0100
Subject: [PATCH] Enable custom pkcs11 native build
Share common parts like libisc, libcc and others. But provide native
pkcs11 libraries as a new copy of libdns and libns.
---
bin/Makefile.in | 2 +-
bin/confgen/Makefile.in | 2 +-
bin/dnssec-pkcs11/Makefile.in | 39 +++++++++++++++++---------------
bin/named-pkcs11/Makefile.in | 31 +++++++++++++------------
configure.ac | 19 ++++++++++++++++
lib/Makefile.in | 2 +-
lib/dns-pkcs11/Makefile.in | 22 +++++++++---------
lib/dns-pkcs11/tests/Makefile.in | 8 +++----
lib/ns-pkcs11/Makefile.in | 26 ++++++++++-----------
lib/ns-pkcs11/tests/Makefile.in | 12 +++++-----
make/includes.in | 7 ++++++
11 files changed, 100 insertions(+), 70 deletions(-)
diff --git a/bin/Makefile.in b/bin/Makefile.in
index f0c504a..ce7a2da 100644
index 9ad7f62..094775a 100644
--- a/bin/Makefile.in
+++ b/bin/Makefile.in
@@ -11,8 +11,8 @@ srcdir = @srcdir@
@@ -11,7 +11,7 @@ srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
-SUBDIRS = named rndc dig delv dnssec tools nsupdate check confgen \
- @NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ tests
+SUBDIRS = named named-pkcs11 rndc dig delv dnssec dnssec-pkcs11 tools nsupdate \
+ check confgen @NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ tests
+SUBDIRS = named named-pkcs11 rndc dig delv dnssec dnssec-pkcs11 tools nsupdate check confgen \
@NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ plugins tests
TARGETS =
@BIND9_MAKE_RULES@
diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in
index c126bf3..1b7512d 100644
--- a/bin/confgen/Makefile.in
+++ b/bin/confgen/Makefile.in
@@ -22,7 +22,7 @@ VERSION=@BIND9_VERSION@
CINCLUDES = -I${srcdir}/include ${ISC_INCLUDES} ${ISCCC_INCLUDES} \
${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES}
-CDEFINES = @USE_PKCS11@
+CDEFINES =
CWARNINGS =
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
diff --git a/bin/dnssec-pkcs11/Makefile.in b/bin/dnssec-pkcs11/Makefile.in
index 4b8ca13..32f4470 100644
index ace0e5a..e0f6a00 100644
--- a/bin/dnssec-pkcs11/Makefile.in
+++ b/bin/dnssec-pkcs11/Makefile.in
@@ -15,18 +15,18 @@ VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@
-CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@
+CINCLUDES = ${DNS_PKCS11_INCLUDES} ${ISC_PKCS11_INCLUDES}
-CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \
+CINCLUDES = ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \
${OPENSSL_CFLAGS}
-CDEFINES = -DVERSION=\"${VERSION}\" @USE_PKCS11@ @PKCS11_ENGINE@ \
- @CRYPTO@ -DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\"
+CDEFINES = -DVERSION=\"${VERSION}\" @PKCS11_ENGINE@ \
+ @CRYPTO_PK11@ -DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\"
-CDEFINES = -DVERSION=\"${VERSION}\" -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"
+CDEFINES = -DVERSION=\"${VERSION}\" -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\" -DUSE_PKCS11=1
CWARNINGS =
-DNSLIBS = ../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
-ISCLIBS = ../../lib/isc/libisc.@A@
-ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
+DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
+ISCLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@
+ISCNOSYMLIBS = ../../lib/isc-pkcs11/libisc-pkcs11-nosymtbl.@A@
-DNSLIBS = ../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
+DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
ISCLIBS = ../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @NO_LIBTOOL_ISCLIBS@
-DNSDEPLIBS = ../../lib/dns/libdns.@A@
-ISCDEPLIBS = ../../lib/isc/libisc.@A@
+DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@
+ISCDEPLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
DEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS}
@@ -36,12 +36,15 @@ LIBS = ${DNSLIBS} ${ISCCFGLIBS} ${ISCLIBS} @LIBS@
@@ -35,10 +35,10 @@ LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@
NOSYMLIBS = ${DNSLIBS} ${ISCNOSYMLIBS} @LIBS@
NOSYMLIBS = ${DNSLIBS} ${ISCCFGLIBS} ${ISCNOSYMLIBS} @LIBS@
+# Add suffix to all targets
+EXEEXT = -pkcs11@EXEEXT@
+
# Alphabetically
-TARGETS = dnssec-keygen@EXEEXT@ dnssec-signzone@EXEEXT@ \
- dnssec-keyfromlabel@EXEEXT@ dnssec-dsfromkey@EXEEXT@ \
- dnssec-revoke@EXEEXT@ dnssec-settime@EXEEXT@ \
- dnssec-verify@EXEEXT@ dnssec-importkey@EXEEXT@
+TARGETS = dnssec-keygen-pkcs11@EXEEXT@ dnssec-signzone-pkcs11@EXEEXT@ \
+ dnssec-keyfromlabel-pkcs11@EXEEXT@ dnssec-dsfromkey-pkcs11@EXEEXT@ \
+ dnssec-revoke-pkcs11@EXEEXT@ dnssec-settime-pkcs11@EXEEXT@ \
+ dnssec-verify-pkcs11@EXEEXT@ dnssec-importkey-pkcs11@EXEEXT@
-TARGETS = dnssec-cds@EXEEXT@ dnssec-dsfromkey@EXEEXT@ \
- dnssec-importkey@EXEEXT@ dnssec-keyfromlabel@EXEEXT@ \
- dnssec-keygen@EXEEXT@ dnssec-revoke@EXEEXT@ \
- dnssec-settime@EXEEXT@ dnssec-signzone@EXEEXT@ \
- dnssec-verify@EXEEXT@
+TARGETS = dnssec-cds${EXEEXT} dnssec-dsfromkey${EXEEXT} \
+ dnssec-importkey${EXEEXT} dnssec-keyfromlabel${EXEEXT} \
+ dnssec-keygen${EXEEXT} dnssec-revoke${EXEEXT} \
+ dnssec-settime${EXEEXT} dnssec-signzone${EXEEXT} \
+ dnssec-verify${EXEEXT}
OBJS = dnssectool.@O@
@@ -59,15 +59,15 @@ MANOBJS = ${MANPAGES} ${HTMLPAGES}
@@ -52,19 +55,19 @@ SRCS = dnssec-cds.c dnssec-dsfromkey.c dnssec-importkey.c \
@BIND9_MAKE_RULES@
-dnssec-cds@EXEEXT@: dnssec-cds.@O@ ${OBJS} ${DEPLIBS}
+dnssec-cds-pkcs11@EXEEXT@: dnssec-cds.@O@ ${OBJS} ${DEPLIBS}
export BASEOBJS="dnssec-cds.@O@ ${OBJS}"; \
${FINALBUILDCMD}
-dnssec-dsfromkey@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS}
+dnssec-dsfromkey-pkcs11@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS}
export BASEOBJS="dnssec-dsfromkey.@O@ ${OBJS}"; \
@ -78,7 +117,7 @@ index 4b8ca13..32f4470 100644
export BASEOBJS="dnssec-keygen.@O@ ${OBJS}"; \
${FINALBUILDCMD}
@@ -75,7 +75,7 @@ dnssec-signzone.@O@: dnssec-signzone.c
@@ -72,7 +75,7 @@ dnssec-signzone.@O@: dnssec-signzone.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
-c ${srcdir}/dnssec-signzone.c
@ -87,7 +126,7 @@ index 4b8ca13..32f4470 100644
export BASEOBJS="dnssec-signzone.@O@ ${OBJS}"; \
${FINALBUILDCMD}
@@ -83,19 +83,19 @@ dnssec-verify.@O@: dnssec-verify.c
@@ -80,19 +83,19 @@ dnssec-verify.@O@: dnssec-verify.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
-c ${srcdir}/dnssec-verify.c
@ -111,117 +150,70 @@ index 4b8ca13..32f4470 100644
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
dnssec-importkey.@O@ ${OBJS} ${LIBS}
@@ -106,16 +106,14 @@ docclean manclean maintainer-clean::
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
install-man8: ${MANPAGES}
${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8
-install:: ${TARGETS} installdirs install-man8
+install:: ${TARGETS} installdirs
for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir} || exit 1; done
uninstall::
- for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m || exit 1; done
for t in ${TARGETS}; do ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/$$t || exit 1; done
clean distclean::
diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in
index 4b8ca13..4175996 100644
--- a/bin/dnssec/Makefile.in
+++ b/bin/dnssec/Makefile.in
@@ -17,7 +17,7 @@ VERSION=@BIND9_VERSION@
CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@
-CDEFINES = -DVERSION=\"${VERSION}\" @USE_PKCS11@ @PKCS11_ENGINE@ \
+CDEFINES = -DVERSION=\"${VERSION}\" \
@CRYPTO@ -DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\"
CWARNINGS =
diff --git a/bin/named-pkcs11/Makefile.in b/bin/named-pkcs11/Makefile.in
index 70e5571..b5a4a6b 100644
index debb906..ecfdb6c 100644
--- a/bin/named-pkcs11/Makefile.in
+++ b/bin/named-pkcs11/Makefile.in
@@ -43,27 +43,27 @@ DLZDRIVER_INCLUDES = @DLZ_DRIVER_INCLUDES@
DLZDRIVER_LIBS = @DLZ_DRIVER_LIBS@
@@ -37,13 +37,14 @@ DBDRIVER_LIBS =
DLZ_DRIVER_DIR = ${top_srcdir}/contrib/dlz/drivers
-DLZDRIVER_OBJS = @DLZ_DRIVER_OBJS@
-DLZDRIVER_SRCS = @DLZ_DRIVER_SRCS@
-DLZDRIVER_INCLUDES = @DLZ_DRIVER_INCLUDES@
-DLZDRIVER_LIBS = @DLZ_DRIVER_LIBS@
+# Skip building on PKCS11 variant
+DLZDRIVER_OBJS =
+DLZDRIVER_SRCS =
+DLZDRIVER_INCLUDES =
+DLZDRIVER_LIBS =
CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
- ${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \
- ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \
+ ${LWRES_INCLUDES} ${DNS_PKCS11_INCLUDES} ${BIND9_INCLUDES} \
+ ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_PKCS11_INCLUDES} \
${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} ${MAXMINDDB_CFLAGS} \
@DST_OPENSSL_INC@
- ${NS_INCLUDES} ${DNS_INCLUDES} \
+ ${NS_PKCS11_INCLUDES} ${DNS_PKCS11_INCLUDES} \
${BIND9_INCLUDES} ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} \
${ISC_INCLUDES} ${DLZDRIVER_INCLUDES} \
${DBDRIVER_INCLUDES} \
@@ -56,24 +57,24 @@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
${LIBXML2_CFLAGS} \
${MAXMINDDB_CFLAGS}
-CDEFINES = @CONTRIB_DLZ@ @USE_PKCS11@ @PKCS11_ENGINE@ @USE_GSSAPI@ @CRYPTO@
+CDEFINES = @USE_PKCS11@ @PKCS11_ENGINE@ @CRYPTO_PK11@ @USE_GSSAPI@
-CDEFINES = @CONTRIB_DLZ@
+CDEFINES =
CWARNINGS =
-DNSLIBS = ../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
+DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
-DNSLIBS = ../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
+DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
ISCCCLIBS = ../../lib/isccc/libisccc.@A@
-ISCLIBS = ../../lib/isc/libisc.@A@
-ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
+ISCLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@
+ISCNOSYMLIBS = ../../lib/isc-pkcs11/libisc-pkcs11-nosymtbl.@A@
LWRESLIBS = ../../lib/lwres/liblwres.@A@
ISCLIBS = ../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @NO_LIBTOOL_ISCLIBS@
BIND9LIBS = ../../lib/bind9/libbind9.@A@
-NSLIBS = ../../lib/ns/libns.@A@
+NSLIBS = ../../lib/ns-pkcs11/libns-pkcs11.@A@
-DNSDEPLIBS = ../../lib/dns/libdns.@A@
+DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@
ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
ISCCCDEPLIBS = ../../lib/isccc/libisccc.@A@
-ISCDEPLIBS = ../../lib/isc/libisc.@A@
+ISCDEPLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@
LWRESDEPLIBS = ../../lib/lwres/liblwres.@A@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
-NSDEPLIBS = ../../lib/ns/libns.@A@
+NSDEPLIBS = ../../lib/ns-pkcs11/libns-pkcs11.@A@
@@ -72,15 +72,15 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} \
- ${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@
+ @LIBS@
NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCNOSYMLIBS} \
- ${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@
+ @LIBS@
DEPLIBS = ${NSDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${ISCDEPLIBS}
@@ -93,7 +94,7 @@ NOSYMLIBS = ${NSLIBS} ${DNSLIBS} ${BIND9LIBS} \
SUBDIRS = unix
-TARGETS = named@EXEEXT@ lwresd@EXEEXT@ feature-test@EXEEXT@
+TARGETS = named-pkcs11@EXEEXT@ feature-test-pkcs11@EXEEXT@
-TARGETS = named@EXEEXT@
+TARGETS = named-pkcs11@EXEEXT@
GEOIPLINKOBJS = geoip.@O@
GEOIP2LINKOBJS = geoip.@O@
@@ -94,8 +94,7 @@ OBJS = builtin.@O@ client.@O@ config.@O@ control.@O@ \
tkeyconf.@O@ tsigconf.@O@ update.@O@ xfrout.@O@ \
zoneconf.@O@ \
lwaddr.@O@ lwresd.@O@ lwdclient.@O@ lwderror.@O@ lwdgabn.@O@ \
- lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@ \
- ${DLZDRIVER_OBJS} ${DBDRIVER_OBJS}
+ lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@
UOBJS = unix/os.@O@ unix/dlz_dlopen_driver.@O@
@@ -113,8 +112,7 @@ SRCS = builtin.c client.c config.c control.c \
tkeyconf.c tsigconf.c update.c xfrout.c \
zoneconf.c \
lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \
- lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c \
- ${DLZDRIVER_SRCS} ${DBDRIVER_SRCS}
+ lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c
MANPAGES = named.8 lwresd.8 named.conf.5
@@ -154,21 +152,21 @@ server.@O@: server.c
@@ -151,7 +152,7 @@ server.@O@: server.c
-DPRODUCT=\"${PRODUCT}\" \
-DVERSION=\"${VERSION}\" -c ${srcdir}/server.c
@ -230,85 +222,29 @@ index 70e5571..b5a4a6b 100644
export MAKE_SYMTABLE="yes"; \
export BASEOBJS="${OBJS} ${UOBJS}"; \
${FINALBUILDCMD}
@@ -170,11 +171,11 @@ statschannel.@O@: bind9.xsl.h
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
-lwresd@EXEEXT@: named@EXEEXT@
+lwresd@EXEEXT@: named-pkcs11@EXEEXT@
rm -f lwresd@EXEEXT@
- @LN@ named@EXEEXT@ lwresd@EXEEXT@
+ @LN@ named-pkcs11@EXEEXT@ lwresd@EXEEXT@
# Bit of hack, do not produce intermediate .o object for featuretest
feature-test.@O@: ${top_srcdir}/bin/tests/system/feature-test.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-c ${top_srcdir}/bin/tests/system/feature-test.c
-feature-test@EXEEXT@: feature-test.@O@
+feature-test-pkcs11@EXEEXT@: feature-test.@O@
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} \
-o $@ feature-test.@O@ ${ISCLIBS} ${LIBS}
@@ -201,16 +199,11 @@ install-man8: named.8 lwresd.8
install-man: install-man5 install-man8
-install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs install-man
-install:: named@EXEEXT@ installdirs
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir}
- (cd ${DESTDIR}${sbindir}; rm -f lwresd@EXEEXT@; @LN@ named@EXEEXT@ lwresd@EXEEXT@)
+install:: named-pkcs11@EXEEXT@ installdirs
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-pkcs11@EXEEXT@ ${DESTDIR}${sbindir}
uninstall::
- rm -f ${DESTDIR}${mandir}/man5/named.conf.5
- rm -f ${DESTDIR}${mandir}/man8/lwresd.8
- rm -f ${DESTDIR}${mandir}/man8/named.8
- rm -f ${DESTDIR}${sbindir}/lwresd@EXEEXT@
- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named@EXEEXT@
+ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named-pkcs11@EXEEXT@
@DLZ_DRIVER_RULES@
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
index 70e5571..4cfed4d 100644
--- a/bin/named/Makefile.in
+++ b/bin/named/Makefile.in
@@ -48,7 +48,7 @@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} ${MAXMINDDB_CFLAGS} \
@DST_OPENSSL_INC@
-CDEFINES = @CONTRIB_DLZ@ @USE_PKCS11@ @PKCS11_ENGINE@ @USE_GSSAPI@ @CRYPTO@
+CDEFINES = @CONTRIB_DLZ@ @USE_GSSAPI@ @CRYPTO@
CWARNINGS =
diff --git a/bin/pkcs11/Makefile.in b/bin/pkcs11/Makefile.in
index a058c91..d4b689a 100644
--- a/bin/pkcs11/Makefile.in
+++ b/bin/pkcs11/Makefile.in
@@ -15,13 +15,13 @@ top_srcdir = @top_srcdir@
@BIND9_MAKE_INCLUDES@
-CINCLUDES = ${ISC_INCLUDES}
+CINCLUDES = ${ISC_PKCS11_INCLUDES}
CDEFINES =
-ISCLIBS = ../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
+ISCLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@ @ISC_OPENSSL_LIBS@
-ISCDEPLIBS = ../../lib/isc/libisc.@A@
+ISCDEPLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@
DEPLIBS = ${ISCDEPLIBS}
diff --git a/configure.ac b/configure.ac
index 9b7d778..59ba20b 100644
index e405eaf..efaa5a7 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1139,12 +1139,14 @@ AC_SUBST(USE_GSSAPI)
@@ -1269,12 +1269,14 @@ AC_SUBST(USE_GSSAPI)
AC_SUBST(DST_GSSAPI_INC)
AC_SUBST(DNS_GSSAPI_LIBS)
DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_LIBS"
DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS"
+DNS_CRYPTO_PK11_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_PK11_LIBS"
#
@ -319,84 +255,35 @@ index 9b7d778..59ba20b 100644
+AC_SUBST(DNS_CRYPTO_PK11_LIBS)
#
# was --with-randomdev specified?
@@ -1494,11 +1496,11 @@ AC_ARG_ENABLE(openssl-hash,
AC_MSG_CHECKING(for OpenSSL library)
OPENSSL_WARNING=
openssldirs="/usr /usr/local /usr/local/ssl /opt/local /usr/pkg /usr/sfw"
-if test "yes" = "$want_native_pkcs11"
-then
- use_openssl="native_pkcs11"
- AC_MSG_RESULT(use of native PKCS11 instead)
-fi
+# if test "yes" = "$want_native_pkcs11"
+# then
+# use_openssl="native_pkcs11"
+# AC_MSG_RESULT(use of native PKCS11 instead)
+# fi
if test "auto" = "$use_openssl"
then
@@ -1511,6 +1513,7 @@ then
fi
done
# was --with-lmdb specified?
@@ -2345,6 +2347,8 @@ AC_SUBST(BIND9_DNS_BUILDINCLUDE)
AC_SUBST(BIND9_NS_BUILDINCLUDE)
AC_SUBST(BIND9_BIND9_BUILDINCLUDE)
AC_SUBST(BIND9_IRS_BUILDINCLUDE)
+AC_SUBST(BIND9_DNS_PKCS11_BUILDINCLUDE)
+AC_SUBST(BIND9_NS_PKCS11_BUILDINCLUDE)
if test "X$srcdir" != "X"; then
BIND9_ISC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isc/include"
BIND9_ISCCC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isccc/include"
@@ -2353,6 +2357,8 @@ if test "X$srcdir" != "X"; then
BIND9_NS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/ns/include"
BIND9_BIND9_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/bind9/include"
BIND9_IRS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/irs/include"
+ BIND9_DNS_PKCS11_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/dns-pkcs11/include"
+ BIND9_NS_PKCS11_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/ns-pkcs11/include"
else
BIND9_ISC_BUILDINCLUDE=""
BIND9_ISCCC_BUILDINCLUDE=""
@@ -2361,6 +2367,8 @@ else
BIND9_NS_BUILDINCLUDE=""
BIND9_BIND9_BUILDINCLUDE=""
BIND9_IRS_BUILDINCLUDE=""
+ BIND9_DNS_PKCS11_BUILDINCLUDE=""
+ BIND9_NS_PKCS11_BUILDINCLUDE=""
fi
+CRYPTO_PK11=""
OPENSSL_ECDSA=""
OPENSSL_GOST=""
OPENSSL_ED25519=""
@@ -1532,11 +1535,10 @@ case "$with_gost" in
;;
esac
-case "$use_openssl" in
- native_pkcs11)
- AC_MSG_RESULT(disabled because of native PKCS11)
+if test "$want_native_pkcs11" = "yes"
+then
DST_OPENSSL_INC=""
- CRYPTO="-DPKCS11CRYPTO"
+ CRYPTO_PK11="-DPKCS11CRYPTO"
CRYPTOLIB="pkcs11"
OPENSSLECDSALINKOBJS=""
OPENSSLECDSALINKSRCS=""
@@ -1546,7 +1548,9 @@ case "$use_openssl" in
OPENSSLGOSTLINKSRCS=""
OPENSSLLINKOBJS=""
OPENSSLLINKSRCS=""
- ;;
+fi
+
+case "$use_openssl" in
no)
AC_MSG_RESULT(no)
DST_OPENSSL_INC=""
@@ -1578,7 +1582,7 @@ case "$use_openssl" in
If you do not want OpenSSL, use --without-openssl])
;;
*)
- if test "yes" = "$want_native_pkcs11"
+ if false # test "yes" = "$want_native_pkcs11"
then
AC_MSG_RESULT()
AC_MSG_ERROR([OpenSSL and native PKCS11 cannot be used together.])
@@ -2006,6 +2010,7 @@ AC_SUBST(OPENSSL_ED25519)
AC_SUBST(OPENSSL_GOST)
DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DST_OPENSSL_LIBS"
+DNS_CRYPTO_PK11_LIBS="$DNS_CRYPTO_LIBS"
ISC_PLATFORM_WANTAES="#undef ISC_PLATFORM_WANTAES"
if test "yes" = "$with_aes"
@@ -2291,6 +2296,7 @@ esac
AC_SUBST(PKCS11LINKOBJS)
AC_SUBST(PKCS11LINKSRCS)
AC_SUBST(CRYPTO)
+AC_SUBST(CRYPTO_PK11)
AC_SUBST(PKCS11_ECDSA)
AC_SUBST(PKCS11_GOST)
AC_SUBST(PKCS11_ED25519)
@@ -5405,8 +5411,11 @@ AC_CONFIG_FILES([
AC_SUBST_FILE(BIND9_MAKE_INCLUDES)
@@ -2816,8 +2824,11 @@ AC_CONFIG_FILES([
bin/delv/Makefile
bin/dig/Makefile
bin/dnssec/Makefile
@ -407,8 +294,8 @@ index 9b7d778..59ba20b 100644
+ bin/named-pkcs11/unix/Makefile
bin/nsupdate/Makefile
bin/pkcs11/Makefile
bin/python/Makefile
@@ -5479,6 +5488,10 @@ AC_CONFIG_FILES([
bin/plugins/Makefile
@@ -2879,6 +2890,10 @@ AC_CONFIG_FILES([
lib/dns/include/dns/Makefile
lib/dns/include/dst/Makefile
lib/dns/tests/Makefile
@ -419,73 +306,54 @@ index 9b7d778..59ba20b 100644
lib/irs/Makefile
lib/irs/include/Makefile
lib/irs/include/irs/Makefile
@@ -5503,6 +5516,24 @@ AC_CONFIG_FILES([
lib/isc/unix/include/Makefile
lib/isc/unix/include/isc/Makefile
lib/isc/unix/include/pkcs11/Makefile
+ lib/isc-pkcs11/$arch/Makefile
+ lib/isc-pkcs11/$arch/include/Makefile
+ lib/isc-pkcs11/$arch/include/isc/Makefile
+ lib/isc-pkcs11/$thread_dir/Makefile
+ lib/isc-pkcs11/$thread_dir/include/Makefile
+ lib/isc-pkcs11/$thread_dir/include/isc/Makefile
+ lib/isc-pkcs11/Makefile
+ lib/isc-pkcs11/include/Makefile
+ lib/isc-pkcs11/include/isc/Makefile
+ lib/isc-pkcs11/include/isc/platform.h
+ lib/isc-pkcs11/include/pk11/Makefile
+ lib/isc-pkcs11/include/pkcs11/Makefile
+ lib/isc-pkcs11/tests/Makefile
+ lib/isc-pkcs11/nls/Makefile
+ lib/isc-pkcs11/unix/Makefile
+ lib/isc-pkcs11/unix/include/Makefile
+ lib/isc-pkcs11/unix/include/isc/Makefile
+ lib/isc-pkcs11/unix/include/pkcs11/Makefile
lib/isccc/Makefile
lib/isccc/include/Makefile
lib/isccc/include/isccc/Makefile
@@ -2911,6 +2926,10 @@ AC_CONFIG_FILES([
lib/ns/include/Makefile
lib/ns/include/ns/Makefile
lib/ns/tests/Makefile
+ lib/ns-pkcs11/Makefile
+ lib/ns-pkcs11/include/Makefile
+ lib/ns-pkcs11/include/ns/Makefile
+ lib/ns-pkcs11/tests/Makefile
make/Makefile
make/mkdep
unit/unittest.sh
diff --git a/lib/Makefile.in b/lib/Makefile.in
index 81270a0..bcb5312 100644
index 833964e..058ba2f 100644
--- a/lib/Makefile.in
+++ b/lib/Makefile.in
@@ -15,7 +15,7 @@ top_srcdir = @top_srcdir@
# Attempt to disable parallel processing.
.NOTPARALLEL:
.NO_PARALLEL:
-SUBDIRS = isc isccc dns isccfg bind9 lwres irs samples
+SUBDIRS = isc isc-pkcs11 isccc dns dns-pkcs11 isccfg bind9 lwres irs samples
-SUBDIRS = isc isccc dns ns isccfg bind9 irs
+SUBDIRS = isc isccc dns dns-pkcs11 ns ns-pkcs11 isccfg bind9 irs
TARGETS =
@BIND9_MAKE_RULES@
diff --git a/lib/dns-pkcs11/Makefile.in b/lib/dns-pkcs11/Makefile.in
index 7f09bd6..c388d9e 100644
index 58bda3c..d6a45df 100644
--- a/lib/dns-pkcs11/Makefile.in
+++ b/lib/dns-pkcs11/Makefile.in
@@ -26,17 +26,16 @@ VERSION=@BIND9_VERSION@
@@ -22,7 +22,7 @@ VERSION=@BIND9_VERSION@
USE_ISC_SPNEGO = @USE_ISC_SPNEGO@
@BIND9_MAKE_INCLUDES@
-CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \
- ${ISC_INCLUDES} ${MAXMINDDB_CFLAGS} \
- @DST_OPENSSL_INC@ @DST_GSSAPI_INC@
+CINCLUDES = -I. -I${top_srcdir}/lib/dns-pkcs11 -Iinclude ${DNS_PKCS11_INCLUDES} \
+ ${ISC_PKCS11_INCLUDES} ${MAXMINDDB_CFLAGS} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@
${ISC_INCLUDES} \
${FSTRM_CFLAGS} \
${OPENSSL_CFLAGS} @DST_GSSAPI_INC@ \
@@ -32,7 +32,7 @@ CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \
${LMDB_CFLAGS} \
${MAXMINDDB_CFLAGS}
-CDEFINES = -DUSE_MD5 @CRYPTO@ @USE_GSSAPI@ ${USE_ISC_SPNEGO}
+CDEFINES = -DUSE_MD5 @CRYPTO_PK11@ @USE_GSSAPI@ ${USE_ISC_SPNEGO}
-CDEFINES = @USE_GSSAPI@
+CDEFINES = @USE_GSSAPI@ @USE_PKCS11@
CWARNINGS =
-ISCLIBS = ../../lib/isc/libisc.@A@
+ISCLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@
-ISCDEPLIBS = ../../lib/isc/libisc.@A@
+ISCDEPLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@
LIBS = ${MAXMINDDB_LIBS} @LIBS@
@@ -150,15 +149,15 @@ version.@O@: version.c
-DLIBAGE=${LIBAGE} \
@@ -135,15 +135,15 @@ version.@O@: version.c
-DMAPAPI=\"${MAPAPI}\" \
-c ${srcdir}/version.c
-libdns.@SA@: ${OBJS}
@ -498,13 +366,13 @@ index 7f09bd6..c388d9e 100644
${LIBTOOL_MODE_LINK} \
- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns.la -rpath ${libdir} \
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns-pkcs11.la -rpath ${libdir} \
-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
-release "${VERSION}" \
- ${OBJS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${LIBS}
+ ${OBJS} ${ISCLIBS} @DNS_CRYPTO_PK11_LIBS@ ${LIBS}
include: gen
${MAKE} include/dns/enumtype.h
@@ -189,22 +188,22 @@ gen: gen.c
@@ -174,22 +174,22 @@ gen: gen.c
${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c \
${BUILD_LIBS} ${LFS_LIBS}
@ -532,89 +400,142 @@ index 7f09bd6..c388d9e 100644
rm -f gen code.h include/dns/enumtype.h include/dns/enumclass.h
rm -f include/dns/rdatastruct.h
rm -f dnstap.pb-c.c dnstap.pb-c.h
diff --git a/lib/isc-pkcs11/Makefile.in b/lib/isc-pkcs11/Makefile.in
index 8ad54bb..a3ecdfb 100644
--- a/lib/isc-pkcs11/Makefile.in
+++ b/lib/isc-pkcs11/Makefile.in
@@ -23,8 +23,8 @@ CINCLUDES = -I${srcdir}/unix/include \
-I${srcdir}/@ISC_THREAD_DIR@/include \
-I${srcdir}/@ISC_ARCH_DIR@/include \
-I./include \
- -I${srcdir}/include ${DNS_INCLUDES} @ISC_OPENSSL_INC@
-CDEFINES = @CRYPTO@ -DPK11_LIB_LOCATION=\"${PROVIDER}\"
+ -I${srcdir}/include ${DNS_PKCS11_INCLUDES}
+CDEFINES = @CRYPTO_PK11@ -DPK11_LIB_LOCATION=\"${PROVIDER}\"
diff --git a/lib/dns-pkcs11/tests/Makefile.in b/lib/dns-pkcs11/tests/Makefile.in
index da91394..aadb73f 100644
--- a/lib/dns-pkcs11/tests/Makefile.in
+++ b/lib/dns-pkcs11/tests/Makefile.in
@@ -15,15 +15,15 @@ VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@
-CINCLUDES = -I. -Iinclude ${DNS_INCLUDES} ${ISC_INCLUDES} \
+CINCLUDES = -I. -Iinclude ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} \
${FSTRM_CFLAGS} ${OPENSSL_CFLAGS} \
${PROTOBUF_C_CFLAGS} ${MAXMINDDB_CFLAGS} @CMOCKA_CFLAGS@
-CDEFINES = -DTESTS="\"${top_builddir}/lib/dns/tests/\""
+CDEFINES = @USE_PKCS11@ -DTESTS="\"${top_builddir}/lib/dns-pkcs11/tests/\""
ISCLIBS = ../../isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
ISCDEPLIBS = ../../isc/libisc.@A@
-DNSLIBS = ../libdns.@A@ @NO_LIBTOOL_DNSLIBS@
-DNSDEPLIBS = ../libdns.@A@
+DNSLIBS = ../libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@
+DNSDEPLIBS = ../libdns-pkcs11.@A@
LIBS = @LIBS@ @CMOCKA_LIBS@
diff --git a/lib/ns-pkcs11/Makefile.in b/lib/ns-pkcs11/Makefile.in
index bc683ce..7a9d2f2 100644
--- a/lib/ns-pkcs11/Makefile.in
+++ b/lib/ns-pkcs11/Makefile.in
@@ -16,12 +16,12 @@ VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@
-CINCLUDES = -I. -I${top_srcdir}/lib/ns -Iinclude \
- ${NS_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \
+CINCLUDES = -I. -I${top_srcdir}/lib/ns-pkcs11 -Iinclude \
+ ${NS_PKCS11_INCLUDES} ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} \
${OPENSSL_CFLAGS} @DST_GSSAPI_INC@ \
${FSTRM_CFLAGS}
-CDEFINES = -DNAMED_PLUGINDIR=\"${plugindir}\"
+CDEFINES = @USE_PKCS11@ -DNAMED_PLUGINDIR=\"${plugindir}\"
CWARNINGS =
# Alphabetically
@@ -103,40 +103,40 @@ version.@O@: version.c
-DLIBAGE=${LIBAGE} \
@@ -29,9 +29,9 @@ ISCLIBS = ../../lib/isc/libisc.@A@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
-DNSLIBS = ../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
+DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@
-DNSDEPLIBS = ../../lib/dns/libdns.@A@
+DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@
LIBS = @LIBS@
@@ -60,28 +60,28 @@ version.@O@: version.c
-DMAJOR=\"${MAJOR}\" \
-c ${srcdir}/version.c
-libisc.@SA@: ${OBJS} ${SYMTBLOBJS}
+libisc-pkcs11.@SA@: ${OBJS} ${SYMTBLOBJS}
${AR} ${ARFLAGS} $@ ${OBJS} ${SYMTBLOBJS}
${RANLIB} $@
-libisc-nosymtbl.@SA@: ${OBJS}
+libisc-pkcs11-nosymtbl.@SA@: ${OBJS}
-libns.@SA@: ${OBJS}
+libns-pkcs11.@SA@: ${OBJS}
${AR} ${ARFLAGS} $@ ${OBJS}
${RANLIB} $@
-libisc.la: ${OBJS} ${SYMTBLOBJS}
+libisc-pkcs11.la: ${OBJS} ${SYMTBLOBJS}
-libns.la: ${OBJS}
+libns-pkcs11.la: ${OBJS}
${LIBTOOL_MODE_LINK} \
- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc.la -rpath ${libdir} \
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc-pkcs11.la -rpath ${libdir} \
-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
${OBJS} ${SYMTBLOBJS} ${LIBS}
- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libns.la -rpath ${libdir} \
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libns-pkcs11.la -rpath ${libdir} \
-release "${VERSION}" \
- ${OBJS} ${ISCLIBS} ${DNSLIBS} @DNS_CRYPTO_LIBS@ ${LIBS}
+ ${OBJS} ${ISCLIBS} ${DNSLIBS} @DNS_CRYPTO_PK11_LIBS@ ${LIBS}
-libisc-nosymtbl.la: ${OBJS}
+libisc-pkcs11-nosymtbl.la: ${OBJS}
${LIBTOOL_MODE_LINK} \
- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc-nosymtbl.la -rpath ${libdir} \
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc-pkcs11-nosymtbl.la -rpath ${libdir} \
-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
${OBJS} ${LIBS}
-timestamp: libisc.@A@ libisc-nosymtbl.@A@
+timestamp: libisc-pkcs11.@A@ libisc-pkcs11-nosymtbl.@A@
-timestamp: libns.@A@
+timestamp: libns-pkcs11.@A@
touch timestamp
-testdirs: libisc.@A@ libisc-nosymtbl.@A@
+testdirs: libisc-pkcs11.@A@ libisc-pkcs11-nosymtbl.@A@
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
install:: timestamp installdirs
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libisc.@A@ ${DESTDIR}${libdir}
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libisc-pkcs11.@A@ ${DESTDIR}${libdir}
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libns.@A@ \
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libns-pkcs11.@A@ \
${DESTDIR}${libdir}
uninstall::
- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libisc.@A@
+ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libisc-pkcs11.@A@
- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libns.@A@
+ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libns-pkcs11.@A@
clean distclean::
- rm -f libisc.@A@ libisc-nosymtbl.@A@ libisc.la \
- libisc-nosymtbl.la timestamp
+ rm -f libisc-pkcs11.@A@ libisc-pkcs11-nosymtbl.@A@ libisc-pkcs11.la \
+ libisc-pkcs11-nosymtbl.la timestamp
- rm -f libns.@A@ timestamp
+ rm -f libns-pkcs11.@A@ timestamp
diff --git a/lib/ns-pkcs11/tests/Makefile.in b/lib/ns-pkcs11/tests/Makefile.in
index 4c3e694..c1b6d99 100644
--- a/lib/ns-pkcs11/tests/Makefile.in
+++ b/lib/ns-pkcs11/tests/Makefile.in
@@ -17,17 +17,17 @@ VERSION=@BIND9_VERSION@
WRAP_OPTIONS = -Wl,--wrap=isc__nmhandle_detach -Wl,--wrap=isc__nmhandle_attach
-CINCLUDES = -I. -Iinclude ${NS_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \
+CINCLUDES = -I. -Iinclude ${NS_PKCS11_INCLUDES} ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} \
${OPENSSL_CFLAGS} \
@CMOCKA_CFLAGS@
-CDEFINES = -DTESTS="\"${top_builddir}/lib/ns/tests/\"" -DNAMED_PLUGINDIR=\"${plugindir}\"
+CDEFINES = -DTESTS="\"${top_builddir}/lib/ns-pkcs11/tests/\"" -DNAMED_PLUGINDIR=\"${plugindir}\" @USE_PKCS11@
ISCLIBS = ../../isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
ISCDEPLIBS = ../../isc/libisc.@A@
-DNSLIBS = ../../dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
-DNSDEPLIBS = ../../dns/libdns.@A@
-NSLIBS = ../libns.@A@
-NSDEPLIBS = ../libns.@A@
+DNSLIBS = ../../dns-pkcs11/libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@
+DNSDEPLIBS = ../../dns-pkcs11/libdns-pkcs11.@A@
+NSLIBS = ../libns-pkcs11.@A@
+NSDEPLIBS = ../libns-pkcs11.@A@
LIBS = @LIBS@ @CMOCKA_LIBS@
diff --git a/make/includes.in b/make/includes.in
index fa86ad1..3cfbe9f 100644
index b8317d3..b73b0c4 100644
--- a/make/includes.in
+++ b/make/includes.in
@@ -43,3 +43,13 @@ BIND9_INCLUDES = @BIND9_BIND9_BUILDINCLUDE@ \
@@ -39,3 +39,10 @@ BIND9_INCLUDES = @BIND9_BIND9_BUILDINCLUDE@ \
TEST_INCLUDES = \
-I${top_srcdir}/lib/tests/include
+
+ISC_PKCS11_INCLUDES = @BIND9_ISC_BUILDINCLUDE@ \
+ -I${top_srcdir}/lib/isc-pkcs11 \
+ -I${top_srcdir}/lib/isc-pkcs11/include \
+ -I${top_srcdir}/lib/isc-pkcs11/unix/include \
+ -I${top_srcdir}/lib/isc-pkcs11/@ISC_THREAD_DIR@/include \
+ -I${top_srcdir}/lib/isc-pkcs11/@ISC_ARCH_DIR@/include
+
+DNS_PKCS11_INCLUDES = @BIND9_DNS_BUILDINCLUDE@ \
+DNS_PKCS11_INCLUDES = @BIND9_DNS_PKCS11_BUILDINCLUDE@ \
+ -I${top_srcdir}/lib/dns-pkcs11/include
+
+NS_PKCS11_INCLUDES = @BIND9_NS_PKCS11_BUILDINCLUDE@ \
+ -I${top_srcdir}/lib/ns-pkcs11/include
+
--
2.31.1

319
bind-9.10-sdb.patch
View File

@ -1,319 +0,0 @@
diff --git a/bin/Makefile.in b/bin/Makefile.in
index ce7a2da..4e6a824 100644
--- a/bin/Makefile.in
+++ b/bin/Makefile.in
@@ -11,8 +11,8 @@ srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
-SUBDIRS = named named-pkcs11 rndc dig delv dnssec dnssec-pkcs11 tools nsupdate \
- check confgen @NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ tests
+SUBDIRS = named named-sdb named-pkcs11 rndc dig delv dnssec dnssec-pkcs11 tools nsupdate \
+ check confgen @NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ sdb_tools tests
TARGETS =
@BIND9_MAKE_RULES@
diff --git a/bin/named-sdb/Makefile.in b/bin/named-sdb/Makefile.in
index 4cfed4d..c6b42b2 100644
--- a/bin/named-sdb/Makefile.in
+++ b/bin/named-sdb/Makefile.in
@@ -30,10 +30,10 @@ VERSION=@BIND9_VERSION@
#
# Add database drivers here.
#
-DBDRIVER_OBJS =
-DBDRIVER_SRCS =
+DBDRIVER_OBJS = ldapdb.@O@ pgsqldb.@O@ sqlitedb.@O@ dirdb.@O@
+DBDRIVER_SRCS = ldapdb.c pgsqldb.c sqlitedb.c dirdb.c
DBDRIVER_INCLUDES =
-DBDRIVER_LIBS =
+DBDRIVER_LIBS = -lldap -llber -lsqlite3 -lpq
DLZ_DRIVER_DIR = ${top_srcdir}/contrib/dlz/drivers
@@ -80,7 +80,7 @@ NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
SUBDIRS = unix
-TARGETS = named@EXEEXT@ lwresd@EXEEXT@ feature-test@EXEEXT@
+TARGETS = named-sdb@EXEEXT@ feature-test-sdb@EXEEXT@
GEOIPLINKOBJS = geoip.@O@
GEOIP2LINKOBJS = geoip.@O@
@@ -154,7 +154,7 @@ server.@O@: server.c
-DPRODUCT=\"${PRODUCT}\" \
-DVERSION=\"${VERSION}\" -c ${srcdir}/server.c
-named@EXEEXT@: ${OBJS} ${DEPLIBS}
+named-sdb@EXEEXT@: ${OBJS} ${DEPLIBS}
export MAKE_SYMTABLE="yes"; \
export BASEOBJS="${OBJS} ${UOBJS}"; \
${FINALBUILDCMD}
@@ -168,7 +168,7 @@ feature-test.@O@: ${top_srcdir}/bin/tests/system/feature-test.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-c ${top_srcdir}/bin/tests/system/feature-test.c
-feature-test@EXEEXT@: feature-test.@O@
+feature-test-sdb@EXEEXT@: feature-test.@O@
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} \
-o $@ feature-test.@O@ ${ISCLIBS} ${LIBS}
@@ -190,8 +190,6 @@ statschannel.@O@: bind9.xsl.h
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man5
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
install-man5: named.conf.5
${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man5
@@ -201,16 +199,11 @@ install-man8: named.8 lwresd.8
install-man: install-man5 install-man8
-install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs install-man
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir}
- (cd ${DESTDIR}${sbindir}; rm -f lwresd@EXEEXT@; @LN@ named@EXEEXT@ lwresd@EXEEXT@)
+install:: ${TARGETS} installdirs
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-sdb@EXEEXT@ ${DESTDIR}${sbindir}
uninstall::
- rm -f ${DESTDIR}${mandir}/man5/named.conf.5
- rm -f ${DESTDIR}${mandir}/man8/lwresd.8
- rm -f ${DESTDIR}${mandir}/man8/named.8
- rm -f ${DESTDIR}${sbindir}/lwresd@EXEEXT@
- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named@EXEEXT@
+ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named-sdb@EXEEXT@
@DLZ_DRIVER_RULES@
diff --git a/bin/named-sdb/main.c b/bin/named-sdb/main.c
index c9fc3cc..148ebb3 100644
--- a/bin/named-sdb/main.c
+++ b/bin/named-sdb/main.c
@@ -97,6 +97,10 @@
* Include header files for database drivers here.
*/
/* #include "xxdb.h" */
+#include "ldapdb.h"
+#include "pgsqldb.h"
+#include "sqlitedb.h"
+#include "dirdb.h"
#ifdef CONTRIB_DLZ
/*
@@ -1134,6 +1138,11 @@ setup(void) {
ns_main_earlyfatal("isc_app_start() failed: %s",
isc_result_totext(result));
+ ldapdb_clear();
+ pgsqldb_clear();
+ dirdb_clear();
+ sqlitedb_clear();
+
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
ISC_LOG_NOTICE, "starting %s %s%s%s <id:%s>",
ns_g_product, ns_g_version,
@@ -1334,6 +1343,75 @@ setup(void) {
isc_result_totext(result));
#endif
+ result = ldapdb_init();
+ if (result != ISC_R_SUCCESS)
+ {
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_ERROR,
+ "SDB ldap module initialisation failed: %s.",
+ isc_result_totext(result)
+ );
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_ERROR,
+ "SDB ldap zone database will be unavailable."
+ );
+ }else
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_NOTICE, "SDB ldap zone database module loaded."
+ );
+
+ result = pgsqldb_init();
+ if (result != ISC_R_SUCCESS)
+ {
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_ERROR,
+ "SDB pgsql module initialisation failed: %s.",
+ isc_result_totext(result)
+ );
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_ERROR,
+ "SDB pgsql zone database will be unavailable."
+ );
+ }else
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_NOTICE, "SDB postgreSQL DB zone database module loaded."
+ );
+
+ result = sqlitedb_init();
+ if (result != ISC_R_SUCCESS)
+ {
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_ERROR,
+ "SDB sqlite3 module initialisation failed: %s.",
+ isc_result_totext(result)
+ );
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_ERROR,
+ "SDB sqlite3 zone database will be unavailable."
+ );
+ }else
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_NOTICE, "SDB sqlite3 DB zone database module loaded."
+ );
+
+ result = dirdb_init();
+ if (result != ISC_R_SUCCESS)
+ {
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_ERROR,
+ "SDB directory DB module initialisation failed: %s.",
+ isc_result_totext(result)
+ );
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_ERROR,
+ "SDB directory DB zone database will be unavailable."
+ );
+ }else
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_NOTICE, "SDB directory DB zone database module loaded."
+ );
+
+
ns_server_create(ns_g_mctx, &ns_g_server);
#ifdef HAVE_LIBSECCOMP
@@ -1376,6 +1454,11 @@ cleanup(void) {
dns_name_destroy();
+ ldapdb_clear();
+ pgsqldb_clear();
+ sqlitedb_clear();
+ dirdb_clear();
+
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
ISC_LOG_NOTICE, "exiting");
ns_log_shutdown();
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
index 4cfed4d..f4bce7b 100644
--- a/bin/named/Makefile.in
+++ b/bin/named/Makefile.in
@@ -45,10 +45,10 @@ DLZDRIVER_LIBS = @DLZ_DRIVER_LIBS@
CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \
${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \
- ${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} ${MAXMINDDB_CFLAGS} \
+ ${MAXMINDDB_CFLAGS} \
@DST_OPENSSL_INC@
-CDEFINES = @CONTRIB_DLZ@ @USE_GSSAPI@ @CRYPTO@
+CDEFINES = @USE_GSSAPI@ @CRYPTO@
CWARNINGS =
@@ -72,11 +72,11 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} \
- ${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@
+ @LIBS@
NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCNOSYMLIBS} \
- ${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@
+ @LIBS@
SUBDIRS = unix
@@ -94,8 +94,7 @@ OBJS = builtin.@O@ client.@O@ config.@O@ control.@O@ \
tkeyconf.@O@ tsigconf.@O@ update.@O@ xfrout.@O@ \
zoneconf.@O@ \
lwaddr.@O@ lwresd.@O@ lwdclient.@O@ lwderror.@O@ lwdgabn.@O@ \
- lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@ \
- ${DLZDRIVER_OBJS} ${DBDRIVER_OBJS}
+ lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@
UOBJS = unix/os.@O@ unix/dlz_dlopen_driver.@O@
@@ -113,8 +112,7 @@ SRCS = builtin.c client.c config.c control.c \
tkeyconf.c tsigconf.c update.c xfrout.c \
zoneconf.c \
lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \
- lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c \
- ${DLZDRIVER_SRCS} ${DBDRIVER_SRCS}
+ lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c
MANPAGES = named.8 lwresd.8 named.conf.5
@@ -212,7 +210,5 @@ uninstall::
rm -f ${DESTDIR}${sbindir}/lwresd@EXEEXT@
${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named@EXEEXT@
-@DLZ_DRIVER_RULES@
-
named-symtbl.@O@: named-symtbl.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c named-symtbl.c
diff --git a/bin/sdb_tools/Makefile.in b/bin/sdb_tools/Makefile.in
index c7e0868..95ab742 100644
--- a/bin/sdb_tools/Makefile.in
+++ b/bin/sdb_tools/Makefile.in
@@ -32,11 +32,11 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} ${DBDRIVER_LIBS} @LIBS@
-TARGETS = zone2ldap@EXEEXT@ zonetodb@EXEEXT@
+TARGETS = zone2ldap@EXEEXT@ zonetodb@EXEEXT@ zone2sqlite@EXEEXT@
-OBJS = zone2ldap.@O@ zonetodb.@O@
+OBJS = zone2ldap.@O@ zonetodb.@O@ zone2sqlite.@O@
-SRCS = zone2ldap.c zonetodb.c
+SRCS = zone2ldap.c zonetodb.c zone2sqlite.c
MANPAGES = zone2ldap.1
@@ -50,6 +50,9 @@ zone2ldap@EXEEXT@: zone2ldap.@O@ ${DEPLIBS}
zonetodb@EXEEXT@: zonetodb.@O@ ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ zonetodb.@O@ -lpq ${LIBS}
+zone2sqlite@EXEEXT@: zone2sqlite.@O@ ${DEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ zone2sqlite.@O@ -lsqlite3 -lssl ${LIBS}
+
clean distclean manclean maintainer-clean::
rm -f ${TARGETS} ${OBJS}
@@ -60,4 +63,5 @@ installdirs:
install:: ${TARGETS} installdirs
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2ldap@EXEEXT@ ${DESTDIR}${sbindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zonetodb@EXEEXT@ ${DESTDIR}${sbindir}
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2sqlite@EXEEXT@ ${DESTDIR}${sbindir}
${INSTALL_DATA} ${srcdir}/zone2ldap.1 ${DESTDIR}${mandir}/man1/zone2ldap.1
diff --git a/configure.ac b/configure.ac
index f85f45f..7d28c52 100644
--- a/configure.ac
+++ b/configure.ac
@@ -5400,6 +5400,8 @@ AC_CONFIG_FILES([
bin/named/unix/Makefile
bin/named-pkcs11/Makefile
bin/named-pkcs11/unix/Makefile
+ bin/named-sdb/Makefile
+ bin/named-sdb/unix/Makefile
bin/nsupdate/Makefile
bin/pkcs11/Makefile
bin/python/Makefile
@@ -5424,6 +5426,7 @@ AC_CONFIG_FILES([
bin/python/isc/tests/policy_test.py
bin/python/isc/utils.py
bin/rndc/Makefile
+ bin/sdb_tools/Makefile
bin/tests/Makefile
bin/tests/headerdep_test.sh
bin/tests/optional/Makefile

18
bind-9.10-use-of-strlcat.patch
View File

@ -1,18 +0,0 @@
diff --git a/bin/sdb_tools/zone2ldap.c b/bin/sdb_tools/zone2ldap.c
index d56bc56..99c3314 100644
--- a/bin/sdb_tools/zone2ldap.c
+++ b/bin/sdb_tools/zone2ldap.c
@@ -817,11 +817,11 @@ build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag, char *zone)
}
- strlcat (dn, tmp, sizeof (dn));
+ strncat (dn, tmp, sizeof (dn) - strlen (dn));
}
sprintf (tmp, "dc=%s", dc_list[0]);
- strlcat (dn, tmp, sizeof (dn));
+ strncat (dn, tmp, sizeof (dn) - strlen (dn));
fflush(NULL);
return dn;

27
bind-9.11-engine-pkcs11.patch
View File

@ -1,27 +0,0 @@
From 37f89ccfc439f8d86c401d9ae10e94e53b924961 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Tue, 27 Aug 2019 20:39:59 +0200
Subject: [PATCH] Do not set engine for native PKCS11
It resets already set lib_path to pkcs11, which is invalid in native
pkcs11 crypto. Engine has to be path to PKCS#11 module.
---
bin/named/include/named/globals.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bin/named/include/named/globals.h b/bin/named/include/named/globals.h
index eda2214..2a611d5 100644
--- a/bin/named/include/named/globals.h
+++ b/bin/named/include/named/globals.h
@@ -160,7 +160,7 @@ EXTERN const char * ns_g_defaultdnstap INIT(NULL);
EXTERN const char * ns_g_username INIT(NULL);
-#if defined(USE_PKCS11)
+#if defined(USE_PKCS11) && !defined(PKCS11CRYPTO)
EXTERN const char * ns_g_engine INIT(PKCS11_ENGINE);
#else
EXTERN const char * ns_g_engine INIT(NULL);
--
2.20.1

39
bind-9.11-export-suffix.patch
View File

@ -1,39 +0,0 @@
diff --git a/configure.ac b/configure.ac
index c1bfd62..7c5ad51 100644
--- a/configure.ac
+++ b/configure.ac
@@ -5333,6 +5333,8 @@ AC_SUBST(BUILD_CPPFLAGS)
AC_SUBST(BUILD_LDFLAGS)
AC_SUBST(BUILD_LIBS)
+AC_SUBST(LIBDIR_SUFFIX)
+
#
# Commands to run at the end of config.status.
# Don't just put these into configure, it won't work right if somebody
diff --git a/isc-config.sh.in b/isc-config.sh.in
index b5e94ed..d2857e0 100644
--- a/isc-config.sh.in
+++ b/isc-config.sh.in
@@ -13,16 +13,17 @@ prefix=@prefix@
exec_prefix=@exec_prefix@
exec_prefix_set=
includedir=@includedir@
+libdir_suffix=@LIBDIR_SUFFIX@
arch=$(uname -m)
case $arch in
x86_64 | amd64 | sparc64 | s390x | ppc64)
- libdir=/usr/lib64
- sec_libdir=/usr/lib
+ libdir=/usr/lib64${libdir_suffix}
+ sec_libdir=/usr/lib${libdir_suffix}
;;
* )
- libdir=/usr/lib
- sec_libdir=/usr/lib64
+ libdir=/usr/lib${libdir_suffix}
+ sec_libdir=/usr/lib64${libdir_suffix}
;;
esac

71
bind-9.11-feature-test-named.patch
View File

@ -1,71 +0,0 @@
From 3f2fafe5368655225eddf0537e58e425bbc297be Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Wed, 30 Jan 2019 14:37:17 +0100
Subject: [PATCH] Create feature-test in source directory
Feature-test tool is used in system tests to test compiled in changes.
Because we build more variants of named with different configuration,
compile feature-test for each of them this way.
Named variant specific feature-test does not have defined gss support,
even when it was enabled by configure. bin/tests/system Makefile defines
it, so define it also in named variants.
---
bin/named/Makefile.in | 13 +++++++++++--
bin/tests/system/conf.sh.in | 2 +-
2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
index 3166368..70e5571 100644
--- a/bin/named/Makefile.in
+++ b/bin/named/Makefile.in
@@ -48,7 +48,7 @@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} ${MAXMINDDB_CFLAGS} \
@DST_OPENSSL_INC@
-CDEFINES = @CONTRIB_DLZ@ @USE_PKCS11@ @PKCS11_ENGINE@ @CRYPTO@
+CDEFINES = @CONTRIB_DLZ@ @USE_PKCS11@ @PKCS11_ENGINE@ @USE_GSSAPI@ @CRYPTO@
CWARNINGS =
@@ -80,7 +80,7 @@ NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
SUBDIRS = unix
-TARGETS = named@EXEEXT@ lwresd@EXEEXT@
+TARGETS = named@EXEEXT@ lwresd@EXEEXT@ feature-test@EXEEXT@
GEOIPLINKOBJS = geoip.@O@
GEOIP2LINKOBJS = geoip.@O@
@@ -163,6 +163,15 @@ lwresd@EXEEXT@: named@EXEEXT@
rm -f lwresd@EXEEXT@
@LN@ named@EXEEXT@ lwresd@EXEEXT@
+# Bit of hack, do not produce intermediate .o object for featuretest
+feature-test.@O@: ${top_srcdir}/bin/tests/system/feature-test.c
+ ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+ -c ${top_srcdir}/bin/tests/system/feature-test.c
+
+feature-test@EXEEXT@: feature-test.@O@
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} \
+ -o $@ feature-test.@O@ ${ISCLIBS} ${LIBS}
+
doc man:: ${MANOBJS}
docclean manclean maintainer-clean::
diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in
index cedabbe..e1bf5da 100644
--- a/bin/tests/system/conf.sh.in
+++ b/bin/tests/system/conf.sh.in
@@ -71,7 +71,7 @@ DNSTAPREAD=$TOP/bin/tools/dnstap-read
MDIG=$TOP/bin/tools/mdig
NZD2NZF=$TOP/bin/tools/named-nzd2nzf
FSTRM_CAPTURE=@FSTRM_CAPTURE@
-FEATURETEST=$TOP/bin/tests/system/feature-test
+FEATURETEST=$TOP/bin/named/feature-test
RANDFILE=$TOP/bin/tests/system/random.data
--
2.20.1

1459
bind-9.11-fips-code.patch
View File

File diff suppressed because it is too large Load Diff

86
bind-9.11-fips-disable.patch
View File

@ -1,4 +1,4 @@
From 83b889c238282b210f874a3ad81bb56299767495 Mon Sep 17 00:00:00 2001
From 2b0dce163a119f5f62eb4428b485f7575f321d6f Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Mon, 5 Aug 2019 11:54:03 +0200
Subject: [PATCH] Allow explicit disabling of autodisabled MD5
@ -9,16 +9,16 @@ RSAMD5 is included in security policy, it fails to start, because that
algorithm is not recognized. Allow it disabled, but fail on any
other usage.
---
bin/named/server.c | 4 ++--
lib/bind9/check.c | 4 ++++
lib/dns/rcode.c | 33 +++++++++++++++------------------
3 files changed, 21 insertions(+), 20 deletions(-)
bin/named/server.c | 4 ++--
lib/bind9/check.c | 4 ++++
lib/dns/rcode.c | 1 +
3 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/bin/named/server.c b/bin/named/server.c
index 5b57371..51702ab 100644
index ee23f10..22a5c01 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -1547,12 +1547,12 @@ disable_algorithms(const cfg_obj_t *disabled, dns_resolver_t *resolver) {
@@ -1689,12 +1689,12 @@ disable_algorithms(const cfg_obj_t *disabled, dns_resolver_t *resolver) {
r.length = strlen(r.base);
result = dns_secalg_fromtext(&alg, &r);
@ -30,14 +30,14 @@ index 5b57371..51702ab 100644
}
- if (result != ISC_R_SUCCESS) {
+ if (result != ISC_R_SUCCESS && result != ISC_R_DISABLED) {
cfg_obj_log(cfg_listelt_value(element),
ns_g_lctx, ISC_LOG_ERROR,
"invalid algorithm");
cfg_obj_log(cfg_listelt_value(element), named_g_lctx,
ISC_LOG_ERROR, "invalid algorithm");
CHECK(result);
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index e0803d4..8023784 100644
index f49a346..dbf9ddb 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -302,6 +302,10 @@ disabled_algorithms(const cfg_obj_t *disabled, isc_log_t *logctx) {
@@ -317,6 +317,10 @@ disabled_algorithms(const cfg_obj_t *disabled, isc_log_t *logctx) {
r.length = strlen(r.base);
tresult = dns_secalg_fromtext(&alg, &r);
@ -49,18 +49,10 @@ index e0803d4..8023784 100644
cfg_obj_log(cfg_listelt_value(element), logctx,
ISC_LOG_ERROR, "invalid algorithm '%s'",
diff --git a/lib/dns/rcode.c b/lib/dns/rcode.c
index f51d548..c49b8d1 100644
index 327248e..78adf63 100644
--- a/lib/dns/rcode.c
+++ b/lib/dns/rcode.c
@@ -126,7 +126,6 @@
#endif
#define SECALGNAMES \
- MD5_SECALGNAMES \
DH_SECALGNAMES \
DSA_SECALGNAMES \
{ DNS_KEYALG_ECC, "ECC", 0 }, \
@@ -178,6 +177,7 @@ static struct tbl rcodes[] = { RCODENAMES ERCODENAMES };
@@ -152,6 +152,7 @@ static struct tbl rcodes[] = { RCODENAMES ERCODENAMES };
static struct tbl tsigrcodes[] = { RCODENAMES TSIGRCODENAMES };
static struct tbl certs[] = { CERTNAMES };
static struct tbl secalgs[] = { SECALGNAMES };
@ -68,54 +60,6 @@ index f51d548..c49b8d1 100644
static struct tbl secprotos[] = { SECPROTONAMES };
static struct tbl hashalgs[] = { HASHALGNAMES };
static struct tbl dsdigests[] = { DSDIGESTNAMES };
@@ -358,33 +358,30 @@ dns_cert_totext(dns_cert_t cert, isc_buffer_t *target) {
return (dns_mnemonic_totext(cert, target, certs));
}
-static inline struct tbl *
-secalgs_tbl_start() {
- struct tbl *algs = secalgs;
-
-#ifndef PK11_MD5_DISABLE
- if (!isc_md5_available()) {
- while (algs->name != NULL &&
- algs->value == DNS_KEYALG_RSAMD5)
- ++algs;
- }
-#endif
- return algs;
-}
-
isc_result_t
dns_secalg_fromtext(dns_secalg_t *secalgp, isc_textregion_t *source) {
unsigned int value;
+ isc_result_t result;
- RETERR(dns_mnemonic_fromtext(&value, source,
- secalgs_tbl_start(), 0xff));
+ result = dns_mnemonic_fromtext(&value, source,
+ secalgs, 0xff);
+ if (result != ISC_R_SUCCESS) {
+ result = dns_mnemonic_fromtext(&value, source,
+ md5_secalgs, 0xff);
+ if (result != ISC_R_SUCCESS) {
+ return (result);
+ } else if (!isc_md5_available()) {
+ *secalgp = value;
+ return (ISC_R_DISABLED);
+ }
+ }
*secalgp = value;
return (ISC_R_SUCCESS);
}
isc_result_t
dns_secalg_totext(dns_secalg_t secalg, isc_buffer_t *target) {
- return (dns_mnemonic_totext(secalg, target, secalgs_tbl_start()));
+ return (dns_mnemonic_totext(secalg, target, secalgs));
}
void
--
2.20.1
2.21.1

721
bind-9.11-fips-tests.patch
View File

File diff suppressed because it is too large Load Diff

92
bind-9.11-host-idn-disable.patch
View File

@ -1,92 +0,0 @@
From ec50eff97c259b5bfbfa4e050d69fe7b39b0f15a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Tue, 25 Sep 2018 18:08:46 +0200
Subject: [PATCH] Disable IDN from environment as documented
Manual page of host contained instructions to disable IDN processing
when it was built with libidn2. When refactoring IDN support however,
support for disabling IDN in host and nslookup was lost. Use also
environment variable and document it for nslookup, host and dig.
Support variable CHARSET=ASCII to disable IDN, supported in downstream
RH patch since RHEL 5.
---
bin/dig/dig.docbook | 4 +++-
bin/dig/dighost.c | 5 +++++
bin/dig/host.docbook | 2 +-
bin/dig/nslookup.docbook | 15 +++++++++++++++
4 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/bin/dig/dig.docbook b/bin/dig/dig.docbook
index 5d19301..933af79 100644
--- a/bin/dig/dig.docbook
+++ b/bin/dig/dig.docbook
@@ -1312,7 +1312,9 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
reply from the server.
If you'd like to turn off the IDN support for some reason, use
parameters <parameter>+noidnin</parameter> and
- <parameter>+noidnout</parameter>.
+ <parameter>+noidnout</parameter> or define
+ the <envar>IDN_DISABLE</envar> environment variable.
+
</para>
</refsection>
diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
index 5eabc1f..73aaab8 100644
--- a/bin/dig/dighost.c
+++ b/bin/dig/dighost.c
@@ -826,6 +826,11 @@ make_empty_lookup(void) {
looknew->badcookie = true;
#ifdef WITH_IDN_SUPPORT
looknew->idnin = isatty(1)?(getenv("IDN_DISABLE") == NULL):false;
+ if (looknew->idnin) {
+ const char *charset = getenv("CHARSET");
+ if (charset && !strcmp(charset, "ASCII"))
+ looknew->idnin = false;
+ }
#else
looknew->idnin = false;
#endif
diff --git a/bin/dig/host.docbook b/bin/dig/host.docbook
index da0f8fb..9689b5a 100644
--- a/bin/dig/host.docbook
+++ b/bin/dig/host.docbook
@@ -379,7 +379,7 @@
<command>host</command> appropriately converts character encoding of
domain name before sending a request to DNS server or displaying a
reply from the server.
- If you'd like to turn off the IDN support for some reason, defines
+ If you'd like to turn off the IDN support for some reason, define
the <envar>IDN_DISABLE</envar> environment variable.
The IDN support is disabled if the variable is set when
<command>host</command> runs.
diff --git a/bin/dig/nslookup.docbook b/bin/dig/nslookup.docbook
index d46fc2d..6d7d181 100644
--- a/bin/dig/nslookup.docbook
+++ b/bin/dig/nslookup.docbook
@@ -495,6 +495,21 @@ nslookup -query=hinfo -timeout=10
</para>
</refsection>
+ <refsection><info><title>IDN SUPPORT</title></info>
+
+ <para>
+ If <command>nslookup</command> has been built with IDN (internationalized
+ domain name) support, it can accept and display non-ASCII domain names.
+ <command>nslookup</command> appropriately converts character encoding of
+ domain name before sending a request to DNS server or displaying a
+ reply from the server.
+ If you'd like to turn off the IDN support for some reason, define
+ the <envar>IDN_DISABLE</envar> environment variable.
+ The IDN support is disabled if the variable is set when
+ <command>nslookup</command> runs.
+ </para>
+ </refsection>
+
<refsection><info><title>FILES</title></info>
<para><filename>/etc/resolv.conf</filename>
--
2.20.1

50
bind-9.11-json-c.patch
View File

@ -1,50 +0,0 @@
From cb6d2019766a6c8c5516fd8859cedf0052f03293 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Thu, 25 Jul 2019 11:37:57 +0200
Subject: [PATCH] Skip support of jsoncpp
Bind cannot be compiled when jsoncpp-devel is installed. Remove support
for jsoncpp, use only json-c-devel. Bind 9.15 has already support for
--with-json-c, do not yet introduce it.
---
configure.ac | 17 ++---------------
1 file changed, 2 insertions(+), 15 deletions(-)
diff --git a/configure.ac b/configure.ac
index 6d05337..5ce83b5 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2594,15 +2594,7 @@ case "$use_libjson" in
auto|yes)
for d in /usr /usr/local /opt/local
do
- if test -f "${d}/include/json/json.h"
- then
- if test ${d} != /usr
- then
- libjson_cflags="-I ${d}/include"
- LIBS="$LIBS -L${d}/lib"
- fi
- have_libjson="yes"
- elif test -f "${d}/include/json-c/json.h"
+ if test -f "${d}/include/json-c/json.h"
then
if test ${d} != /usr
then
@@ -2615,12 +2607,7 @@ case "$use_libjson" in
done
;;
*)
- if test -f "${use_libjson}/include/json/json.h"
- then
- libjson_cflags="-I${use_libjson}/include"
- LIBS="$LIBS -L${use_libjson}/lib"
- have_libjson="yes"
- elif test -f "${use_libjson}/include/json-c/json.h"
+ if test -f "${use_libjson}/include/json-c/json.h"
then
libjson_cflags="-I${use_libjson}/include"
LIBS="$LIBS -L${use_libjson}/lib"
--
2.20.1

160
bind-9.11-kyua-pkcs11.patch
View File

@ -1,4 +1,4 @@
From a9b5785f174cf7fd74891fa64f6b69b9a9b55466 Mon Sep 17 00:00:00 2001
From 1241f2005d08673c28a595c5a6cd61350b95a929 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Tue, 2 Jan 2018 18:13:07 +0100
Subject: [PATCH] Fix pkcs11 variants atf tests
@ -7,19 +7,16 @@ Add dns-pkcs11 tests Makefile to configure
Add pkcs11 Kyuafile, fix dh_test to pass in pkcs11 mode
---
configure.ac | 1 +
lib/Kyuafile | 2 ++
lib/dns-pkcs11/tests/Makefile.in | 10 +++++-----
lib/dns-pkcs11/tests/dh_test.c | 3 ++-
lib/isc-pkcs11/tests/Makefile.in | 6 +++---
lib/isc-pkcs11/tests/hash_test.c | 32 +++++++++++++++++++++++++-------
6 files changed, 38 insertions(+), 16 deletions(-)
configure.ac | 1 +
lib/Kyuafile | 2 ++
lib/dns-pkcs11/tests/dh_test.c | 3 ++-
3 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index 62ecf56..0940a7d 100644
index d80ae31..0fb9328 100644
--- a/configure.ac
+++ b/configure.ac
@@ -5476,6 +5476,7 @@ AC_CONFIG_FILES([
@@ -3090,6 +3090,7 @@ AC_CONFIG_FILES([
lib/dns-pkcs11/include/Makefile
lib/dns-pkcs11/include/dns/Makefile
lib/dns-pkcs11/include/dst/Makefile
@ -28,7 +25,7 @@ index 62ecf56..0940a7d 100644
lib/irs/include/Makefile
lib/irs/include/irs/Makefile
diff --git a/lib/Kyuafile b/lib/Kyuafile
index 7c8bab0..eec9564 100644
index 39ce986..037e5ef 100644
--- a/lib/Kyuafile
+++ b/lib/Kyuafile
@@ -2,8 +2,10 @@ syntax(2)
@ -38,37 +35,15 @@ index 7c8bab0..eec9564 100644
+include('dns-pkcs11/Kyuafile')
include('irs/Kyuafile')
include('isc/Kyuafile')
+include('isc-pkcs11/Kyuafile')
include('isccc/Kyuafile')
include('isccfg/Kyuafile')
include('lwres/Kyuafile')
diff --git a/lib/dns-pkcs11/tests/Makefile.in b/lib/dns-pkcs11/tests/Makefile.in
index 22a06a8..5df5b15 100644
--- a/lib/dns-pkcs11/tests/Makefile.in
+++ b/lib/dns-pkcs11/tests/Makefile.in
@@ -17,12 +17,12 @@ VERSION=@BIND9_VERSION@
CINCLUDES = -I. -Iinclude ${DNS_INCLUDES} ${ISC_INCLUDES} \
@DST_OPENSSL_INC@ ${MAXMINDDB_CFLAGS}
-CDEFINES = @CRYPTO@ -DTESTS="\"${top_builddir}/lib/dns/tests/\""
+CDEFINES = @CRYPTO_PK11@ -DTESTS="\"${top_builddir}/lib/dns-pkcs11/tests/\""
-ISCLIBS = ../../isc/libisc.@A@
-ISCDEPLIBS = ../../isc/libisc.@A@
-DNSLIBS = ../libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
-DNSDEPLIBS = ../libdns.@A@
+ISCLIBS = ../../isc-pkcs11/libisc-pkcs11.@A@
+ISCDEPLIBS = ../../isc-pkcs11/libisc-pkcs11.@A@
+DNSLIBS = ../libdns-pkcs11.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
+DNSDEPLIBS = ../libdns-pkcs11.@A@
LIBS = @LIBS@ @CMOCKA_LIBS@
CFLAGS = @CFLAGS@ @CMOCKA_CFLAGS@
include('ns/Kyuafile')
+include('ns-pkcs11/Kyuafile')
diff --git a/lib/dns-pkcs11/tests/dh_test.c b/lib/dns-pkcs11/tests/dh_test.c
index a5bf46c..9ff2b76 100644
index 934e8fd..658d1af 100644
--- a/lib/dns-pkcs11/tests/dh_test.c
+++ b/lib/dns-pkcs11/tests/dh_test.c
@@ -88,7 +88,8 @@ dh_computesecret(void **state) {
@@ -87,7 +87,8 @@ dh_computesecret(void **state) {
result = dst_key_computesecret(key, key, &buf);
assert_int_equal(result, DST_R_NOTPRIVATEKEY);
result = key->func->computesecret(key, key, &buf);
@ -78,115 +53,6 @@ index a5bf46c..9ff2b76 100644
dst_key_free(&key);
}
diff --git a/lib/isc-pkcs11/tests/Makefile.in b/lib/isc-pkcs11/tests/Makefile.in
index 36d2207..00dfbc9 100644
--- a/lib/isc-pkcs11/tests/Makefile.in
+++ b/lib/isc-pkcs11/tests/Makefile.in
@@ -16,10 +16,10 @@ VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@
CINCLUDES = -I. -Iinclude ${ISC_INCLUDES} @ISC_OPENSSL_INC@
-CDEFINES = @CRYPTO@ -DTESTS="\"${top_builddir}/lib/isc/tests/\""
+CDEFINES = @CRYPTO_PK11@ -DTESTS="\"${top_builddir}/lib/isc-pkcs11/tests/\""
-ISCLIBS = ../libisc.@A@ @ISC_OPENSSL_LIBS@
-ISCDEPLIBS = ../libisc.@A@
+ISCLIBS = ../libisc-pkcs11.@A@ @ISC_OPENSSL_LIBS@
+ISCDEPLIBS = ../libisc-pkcs11.@A@
LIBS = @LIBS@ @CMOCKA_LIBS@
CFLAGS = @CFLAGS@ @CMOCKA_CFLAGS@
diff --git a/lib/isc-pkcs11/tests/hash_test.c b/lib/isc-pkcs11/tests/hash_test.c
index 4fafc38..5eb2be2 100644
--- a/lib/isc-pkcs11/tests/hash_test.c
+++ b/lib/isc-pkcs11/tests/hash_test.c
@@ -84,7 +84,7 @@ typedef struct hash_testcase {
typedef struct hash_test_key {
const char *key;
- const int len;
+ const unsigned len;
} hash_test_key_t;
/* non-hmac tests */
@@ -955,8 +955,11 @@ isc_hmacsha1_test(void **state) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
+ int len = ISC_MAX(test_key->len, ISC_SHA1_DIGESTLENGTH);
+
+ memset(buffer, 0, ISC_SHA1_DIGESTLENGTH);
memmove(buffer, test_key->key, test_key->len);
- isc_hmacsha1_init(&hmacsha1, buffer, test_key->len);
+ isc_hmacsha1_init(&hmacsha1, buffer, len);
isc_hmacsha1_update(&hmacsha1,
(const uint8_t *) testcase->input,
testcase->input_len);
@@ -1115,8 +1118,11 @@ isc_hmacsha224_test(void **state) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
+ int len = ISC_MAX(test_key->len, ISC_SHA224_DIGESTLENGTH);
+
+ memset(buffer, 0, ISC_SHA224_DIGESTLENGTH);
memmove(buffer, test_key->key, test_key->len);
- isc_hmacsha224_init(&hmacsha224, buffer, test_key->len);
+ isc_hmacsha224_init(&hmacsha224, buffer, len);
isc_hmacsha224_update(&hmacsha224,
(const uint8_t *) testcase->input,
testcase->input_len);
@@ -1276,8 +1282,11 @@ isc_hmacsha256_test(void **state) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
+ int len = ISC_MAX(test_key->len, ISC_SHA256_DIGESTLENGTH);
+
+ memset(buffer, 0, ISC_SHA256_DIGESTLENGTH);
memmove(buffer, test_key->key, test_key->len);
- isc_hmacsha256_init(&hmacsha256, buffer, test_key->len);
+ isc_hmacsha256_init(&hmacsha256, buffer, len);
isc_hmacsha256_update(&hmacsha256,
(const uint8_t *) testcase->input,
testcase->input_len);
@@ -1443,8 +1452,11 @@ isc_hmacsha384_test(void **state) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
+ int len = ISC_MAX(test_key->len, ISC_SHA384_DIGESTLENGTH);
+
+ memset(buffer, 0, ISC_SHA384_DIGESTLENGTH);
memmove(buffer, test_key->key, test_key->len);
- isc_hmacsha384_init(&hmacsha384, buffer, test_key->len);
+ isc_hmacsha384_init(&hmacsha384, buffer, len);
isc_hmacsha384_update(&hmacsha384,
(const uint8_t *) testcase->input,
testcase->input_len);
@@ -1610,8 +1622,11 @@ isc_hmacsha512_test(void **state) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
+ int len = ISC_MAX(test_key->len, ISC_SHA512_DIGESTLENGTH);
+
+ memset(buffer, 0, ISC_SHA512_DIGESTLENGTH);
memmove(buffer, test_key->key, test_key->len);
- isc_hmacsha512_init(&hmacsha512, buffer, test_key->len);
+ isc_hmacsha512_init(&hmacsha512, buffer, len);
isc_hmacsha512_update(&hmacsha512,
(const uint8_t *) testcase->input,
testcase->input_len);
@@ -1754,8 +1769,11 @@ isc_hmacmd5_test(void **state) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
+ int len = ISC_MAX(test_key->len, ISC_MD5_DIGESTLENGTH);
+
+ memset(buffer, 0, ISC_MD5_DIGESTLENGTH);
memmove(buffer, test_key->key, test_key->len);
- isc_hmacmd5_init(&hmacmd5, buffer, test_key->len);
+ isc_hmacmd5_init(&hmacmd5, buffer, len);
isc_hmacmd5_update(&hmacmd5,
(const uint8_t *) testcase->input,
testcase->input_len);
--
2.21.1
2.20.1

256
bind-9.11-oot-manual.patch
View File

@ -1,256 +0,0 @@
From 8ca95f47231822df2b9c171a4da1e93ca5b748eb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Wed, 25 Jul 2018 12:24:16 +0200
Subject: [PATCH] Use make automatic variables to install updated manuals
Make will choose modified manual from build directory or original from source
directory automagically. Take advantage of install tool feature.
Install all files in single command instead of iterating on each of them.
---
bin/check/Makefile.in | 8 +++++---
bin/confgen/Makefile.in | 9 +++++----
bin/delv/Makefile.in | 6 ++++--
bin/dig/Makefile.in | 8 ++++----
bin/dnssec/Makefile.in | 6 ++++--
bin/named/Makefile.in | 13 +++++++++----
bin/pkcs11/Makefile.in | 9 ++++-----
bin/python/Makefile.in | 8 ++++----
bin/tools/Makefile.in | 25 +++++++++++++++----------
9 files changed, 54 insertions(+), 38 deletions(-)
diff --git a/bin/check/Makefile.in b/bin/check/Makefile.in
index c124e80..1174f8d 100644
--- a/bin/check/Makefile.in
+++ b/bin/check/Makefile.in
@@ -83,12 +83,14 @@ installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
-install:: named-checkconf@EXEEXT@ named-checkzone@EXEEXT@ installdirs
+install-man8: ${MANPAGES}
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8
+ (cd ${DESTDIR}${mandir}/man8; rm -f named-compilezone.8; ${LINK_PROGRAM} named-checkzone.8 named-compilezone.8)
+
+install:: named-checkconf@EXEEXT@ named-checkzone@EXEEXT@ installdirs install-man8
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkconf@EXEEXT@ ${DESTDIR}${sbindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkzone@EXEEXT@ ${DESTDIR}${sbindir}
(cd ${DESTDIR}${sbindir}; rm -f named-compilezone@EXEEXT@; ${LINK_PROGRAM} named-checkzone@EXEEXT@ named-compilezone@EXEEXT@)
- for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8 || exit 1; done
- (cd ${DESTDIR}${mandir}/man8; rm -f named-compilezone.8; ${LINK_PROGRAM} named-checkzone.8 named-compilezone.8)
uninstall::
rm -f ${DESTDIR}${mandir}/man8/named-compilezone.8
diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in
index 87f13dd..7865c0c 100644
--- a/bin/confgen/Makefile.in
+++ b/bin/confgen/Makefile.in
@@ -95,13 +95,14 @@ installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
-install:: rndc-confgen@EXEEXT@ ddns-confgen@EXEEXT@ installdirs
+install-man8: rndc-confgen.8 ddns-confgen.8
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8
+ (cd ${DESTDIR}${mandir}/man8; rm -f tsig-keygen.8; ${LINK_PROGRAM} ddns-confgen.8 tsig-keygen.8)
+
+install:: rndc-confgen@EXEEXT@ ddns-confgen@EXEEXT@ installdirs install-man8
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} rndc-confgen@EXEEXT@ ${DESTDIR}${sbindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} ddns-confgen@EXEEXT@ ${DESTDIR}${sbindir}
- ${INSTALL_DATA} ${srcdir}/rndc-confgen.8 ${DESTDIR}${mandir}/man8
- ${INSTALL_DATA} ${srcdir}/ddns-confgen.8 ${DESTDIR}${mandir}/man8
(cd ${DESTDIR}${sbindir}; rm -f tsig-keygen@EXEEXT@; ${LINK_PROGRAM} ddns-confgen@EXEEXT@ tsig-keygen@EXEEXT@)
- (cd ${DESTDIR}${mandir}/man8; rm -f tsig-keygen.8; ${LINK_PROGRAM} ddns-confgen.8 tsig-keygen.8)
uninstall::
rm -f ${DESTDIR}${mandir}/man8/tsig-keygen.8
diff --git a/bin/delv/Makefile.in b/bin/delv/Makefile.in
index e2d2802..19361a8 100644
--- a/bin/delv/Makefile.in
+++ b/bin/delv/Makefile.in
@@ -63,10 +63,12 @@ installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir}
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1
-install:: delv@EXEEXT@ installdirs
+install-man1: delv.1
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man1
+
+install:: delv@EXEEXT@ installdirs install-man1
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \
delv@EXEEXT@ ${DESTDIR}${bindir}
- ${INSTALL_DATA} ${srcdir}/delv.1 ${DESTDIR}${mandir}/man1
uninstall::
rm -f ${DESTDIR}${mandir}/man1/delv.1
diff --git a/bin/dig/Makefile.in b/bin/dig/Makefile.in
index a9830a9..d7ac0b6 100644
--- a/bin/dig/Makefile.in
+++ b/bin/dig/Makefile.in
@@ -91,16 +91,16 @@ installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir}
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1
-install:: dig@EXEEXT@ host@EXEEXT@ nslookup@EXEEXT@ installdirs
+install-man1: ${MANPAGES}
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man1
+
+install:: dig@EXEEXT@ host@EXEEXT@ nslookup@EXEEXT@ installdirs install-man1
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \
dig@EXEEXT@ ${DESTDIR}${bindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \
host@EXEEXT@ ${DESTDIR}${bindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \
nslookup@EXEEXT@ ${DESTDIR}${bindir}
- for m in ${MANPAGES}; do \
- ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man1 || exit 1; \
- done
uninstall::
for m in ${MANPAGES}; do \
diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in
index 2239ad1..ce0a177 100644
--- a/bin/dnssec/Makefile.in
+++ b/bin/dnssec/Makefile.in
@@ -110,9 +110,11 @@ installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
-install:: ${TARGETS} installdirs
+install-man8: ${MANPAGES}
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8
+
+install:: ${TARGETS} installdirs install-man8
for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir} || exit 1; done
- for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8 || exit 1; done
uninstall::
for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m || exit 1; done
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
index e1f85a9..d92bc9a 100644
--- a/bin/named/Makefile.in
+++ b/bin/named/Makefile.in
@@ -176,12 +176,17 @@ installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man5
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
-install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs
+install-man5: named.conf.5
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man5
+
+install-man8: named.8 lwresd.8
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8
+
+install-man: install-man5 install-man8
+
+install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs install-man
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir}
(cd ${DESTDIR}${sbindir}; rm -f lwresd@EXEEXT@; @LN@ named@EXEEXT@ lwresd@EXEEXT@)
- ${INSTALL_DATA} ${srcdir}/named.8 ${DESTDIR}${mandir}/man8
- ${INSTALL_DATA} ${srcdir}/lwresd.8 ${DESTDIR}${mandir}/man8
- ${INSTALL_DATA} ${srcdir}/named.conf.5 ${DESTDIR}${mandir}/man5
uninstall::
rm -f ${DESTDIR}${mandir}/man5/named.conf.5
diff --git a/bin/pkcs11/Makefile.in b/bin/pkcs11/Makefile.in
index ae90616..a058c91 100644
--- a/bin/pkcs11/Makefile.in
+++ b/bin/pkcs11/Makefile.in
@@ -71,7 +71,10 @@ installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
-install:: ${TARGETS} installdirs
+install-man8: ${MANPAGES}
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8
+
+install:: ${TARGETS} installdirs install-man8
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} pkcs11-list@EXEEXT@ \
${DESTDIR}${sbindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} pkcs11-destroy@EXEEXT@ \
@@ -80,10 +83,6 @@ install:: ${TARGETS} installdirs
${DESTDIR}${sbindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} pkcs11-tokens@EXEEXT@ \
${DESTDIR}${sbindir}
- ${INSTALL_DATA} ${srcdir}/pkcs11-list.8 ${DESTDIR}${mandir}/man8
- ${INSTALL_DATA} ${srcdir}/pkcs11-destroy.8 ${DESTDIR}${mandir}/man8
- ${INSTALL_DATA} ${srcdir}/pkcs11-keygen.8 ${DESTDIR}${mandir}/man8
- ${INSTALL_DATA} ${srcdir}/pkcs11-tokens.8 ${DESTDIR}${mandir}/man8
uninstall::
rm -f ${DESTDIR}${mandir}/man8/pkcs11-tokens.8
diff --git a/bin/python/Makefile.in b/bin/python/Makefile.in
index aa678d4..064c404 100644
--- a/bin/python/Makefile.in
+++ b/bin/python/Makefile.in
@@ -47,13 +47,13 @@ installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
-install:: ${TARGETS} installdirs
+install-man8: ${MANPAGES}
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8
+
+install:: ${TARGETS} installdirs install-man8
${INSTALL_SCRIPT} dnssec-checkds ${DESTDIR}${sbindir}
${INSTALL_SCRIPT} dnssec-coverage ${DESTDIR}${sbindir}
${INSTALL_SCRIPT} dnssec-keymgr ${DESTDIR}${sbindir}
- ${INSTALL_DATA} ${srcdir}/dnssec-checkds.8 ${DESTDIR}${mandir}/man8
- ${INSTALL_DATA} ${srcdir}/dnssec-coverage.8 ${DESTDIR}${mandir}/man8
- ${INSTALL_DATA} ${srcdir}/dnssec-keymgr.8 ${DESTDIR}${mandir}/man8
if test -n "${PYTHON}" ; then \
if test -n "${DESTDIR}" ; then \
${PYTHON} ${srcdir}/setup.py install --root=${DESTDIR} --prefix=${prefix} @PYTHON_INSTALL_LIB@ ; \
diff --git a/bin/tools/Makefile.in b/bin/tools/Makefile.in
index 7bf2af4..c395bc7 100644
--- a/bin/tools/Makefile.in
+++ b/bin/tools/Makefile.in
@@ -119,17 +119,27 @@ installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
-nzd:
+nzd-man: named-nzd2nzf.8
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8
+
+nzd: nzd-man
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-nzd2nzf@EXEEXT@ \
${DESTDIR}${sbindir}
- ${INSTALL_DATA} ${srcdir}/named-nzd2nzf.8 ${DESTDIR}${mandir}/man8
-dnstap:
+dnstap-man: dnstap-read.1
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man1
+
+dnstap: dnstap-man
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} dnstap-read@EXEEXT@ \
${DESTDIR}${bindir}
- ${INSTALL_DATA} ${srcdir}/dnstap-read.1 ${DESTDIR}${mandir}/man1
-install:: ${TARGETS} installdirs @DNSTAP@ @NZD_TOOLS@
+install-man1: arpaname.1 named-rrchecker.1 mdig.1
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man1
+
+install-man8: named-journalprint.8 nsec3hash.8
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8
+
+install:: ${TARGETS} installdirs @DNSTAP@ @NZD_TOOLS@ install-man1 install-man8
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} arpaname@EXEEXT@ \
${DESTDIR}${bindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-journalprint@EXEEXT@ \
@@ -144,13 +154,8 @@ install:: ${TARGETS} installdirs @DNSTAP@ @NZD_TOOLS@
${DESTDIR}${sbindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} mdig@EXEEXT@ \
${DESTDIR}${bindir}
- ${INSTALL_DATA} ${srcdir}/arpaname.1 ${DESTDIR}${mandir}/man1
${INSTALL_DATA} ${srcdir}/isc-hmac-fixup.8 ${DESTDIR}${mandir}/man8
- ${INSTALL_DATA} ${srcdir}/named-journalprint.8 ${DESTDIR}${mandir}/man8
- ${INSTALL_DATA} ${srcdir}/named-rrchecker.1 ${DESTDIR}${mandir}/man1
- ${INSTALL_DATA} ${srcdir}/nsec3hash.8 ${DESTDIR}${mandir}/man8
${INSTALL_DATA} ${srcdir}/genrandom.8 ${DESTDIR}${mandir}/man8
- ${INSTALL_DATA} ${srcdir}/mdig.1 ${DESTDIR}${mandir}/man1
uninstall::
rm -f ${DESTDIR}${mandir}/man1/mdig.1
--
2.14.4

27
bind-9.11-pk11.patch
View File

@ -1,27 +0,0 @@
diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h
index 640519a..fc40472 100644
--- a/lib/dns/dst_internal.h
+++ b/lib/dns/dst_internal.h
@@ -59,6 +59,9 @@
#include <openssl/objects.h>
#include <openssl/rsa.h>
#endif
+#if PKCS11CRYPTO
+#include <pk11/pk11.h>
+#endif
ISC_LANG_BEGINDECLS
diff --git a/lib/isc/include/pk11/internal.h b/lib/isc/include/pk11/internal.h
index aa8907a..603712a 100644
--- a/lib/isc/include/pk11/internal.h
+++ b/lib/isc/include/pk11/internal.h
@@ -13,6 +13,8 @@
#ifndef PK11_INTERNAL_H
#define PK11_INTERNAL_H 1
+#include <pk11/pk11.h>
+
/*! \file pk11/internal.h */
ISC_LANG_BEGINDECLS

120
bind-9.11-rh1205168.patch
View File

@ -1,120 +0,0 @@
From 90416594843a56550e40b11561807786219ce1c4 Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Mon, 11 Sep 2017 15:01:36 -0700
Subject: [PATCH] remap getaddrinfo() to irs_getgetaddrinfo()
The libirs version of getaddrinfo() cannot be called from within BIND9.
fix prototypes
---
lib/irs/include/irs/netdb.h.in | 94 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 94 insertions(+)
diff --git a/lib/irs/include/irs/netdb.h.in b/lib/irs/include/irs/netdb.h.in
index 23dcd37..f36113d 100644
--- a/lib/irs/include/irs/netdb.h.in
+++ b/lib/irs/include/irs/netdb.h.in
@@ -150,6 +150,100 @@ struct addrinfo {
#define NI_DGRAM 0x00000010
/*
+ * Define to map into irs_ namespace.
+ */
+
+#define IRS_NAMESPACE
+
+#ifdef IRS_NAMESPACE
+
+/*
+ * Use our versions not the ones from the C library.
+ */
+
+#ifdef getnameinfo
+#undef getnameinfo
+#endif
+#define getnameinfo irs_getnameinfo
+
+#ifdef getaddrinfo
+#undef getaddrinfo
+#endif
+#define getaddrinfo irs_getaddrinfo
+
+#ifdef freeaddrinfo
+#undef freeaddrinfo
+#endif
+#define freeaddrinfo irs_freeaddrinfo
+
+#ifdef gai_strerror
+#undef gai_strerror
+#endif
+#define gai_strerror irs_gai_strerror
+
+#endif
+
+extern int getaddrinfo (const char *name,
+ const char *service,
+ const struct addrinfo *req,
+ struct addrinfo **pai);
+extern int getnameinfo (const struct sockaddr *sa,
+ socklen_t salen, char *host,
+ socklen_t hostlen, char *serv,
+ socklen_t servlen, int flags);
+extern void freeaddrinfo (struct addrinfo *ai);
+extern const char *gai_strerror (int ecode);
+
+/*
+ * Define to map into irs_ namespace.
+ */
+
+#define IRS_NAMESPACE
+
+#ifdef IRS_NAMESPACE
+
+/*
+ * Use our versions not the ones from the C library.
+ */
+
+#ifdef getnameinfo
+#undef getnameinfo
+#endif
+#define getnameinfo irs_getnameinfo
+
+#ifdef getaddrinfo
+#undef getaddrinfo
+#endif
+#define getaddrinfo irs_getaddrinfo
+
+#ifdef freeaddrinfo
+#undef freeaddrinfo
+#endif
+#define freeaddrinfo irs_freeaddrinfo
+
+#ifdef gai_strerror
+#undef gai_strerror
+#endif
+#define gai_strerror irs_gai_strerror
+
+int
+getaddrinfo(const char *hostname, const char *servname,
+ const struct addrinfo *hints, struct addrinfo **res);
+
+int
+getnameinfo(const struct sockaddr *sa, IRS_GETNAMEINFO_SOCKLEN_T salen,
+ char *host, IRS_GETNAMEINFO_BUFLEN_T hostlen,
+ char *serv, IRS_GETNAMEINFO_BUFLEN_T servlen,
+ IRS_GETNAMEINFO_FLAGS_T flags);
+
+void freeaddrinfo (struct addrinfo *ai);
+
+IRS_GAISTRERROR_RETURN_T
+gai_strerror(int ecode);
+
+#endif
+
+/*
* Tell Emacs to use C mode on this file.
* Local variables:
* mode: c
--
2.9.5

16
bind-9.11-rh1410433.patch
View File

@ -1,16 +0,0 @@
diff --git a/lib/dns/dyndb.c b/lib/dns/dyndb.c
index 15561ce..e4449b0 100644
--- a/lib/dns/dyndb.c
+++ b/lib/dns/dyndb.c
@@ -133,8 +133,11 @@ load_library(isc_mem_t *mctx, const char *filename, const char *instname,
instname, filename);
flags = RTLD_NOW|RTLD_LOCAL;
+#if 0
+ /* Shared global namespace is required for dns-pkcs11 library */
#if defined(RTLD_DEEPBIND) && !__SANITIZE_ADDRESS__
flags |= RTLD_DEEPBIND;
+#endif
#endif
handle = dlopen(filename, flags);

288
bind-9.11-rh1624100.patch
View File

@ -1,288 +0,0 @@
From f27598743ab6e03271e26f23da4beba748d19c60 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
Date: Wed, 25 Apr 2018 14:04:31 +0200
Subject: [PATCH] Replace isc_safe routines with their OpenSSL counter parts
(cherry picked from commit 66ba2fdad583d962a1f4971c85d58381f0849e4d)
Remove isc_safe_memcompare, it's not needed anywhere and can't be replaced with CRYPTO_memcmp()
(cherry picked from commit b105ccee68ccc3c18e6ea530063b3c8e5a42571c)
Fix the isc_safe_memwipe() usage with (NULL, >0)
(cherry picked from commit 083461d3329ff6f2410745848a926090586a9846)
---
bin/dnssec/dnssec-signzone.c | 2 +-
lib/dns/nsec3.c | 4 +-
lib/dns/spnego.c | 4 +-
lib/isc/Makefile.in | 8 +---
lib/isc/include/isc/safe.h | 18 ++------
lib/isc/safe.c | 83 ------------------------------------
lib/isc/tests/safe_test.c | 18 --------
7 files changed, 11 insertions(+), 126 deletions(-)
delete mode 100644 lib/isc/safe.c
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index 6dded0c..a9c5557 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -784,7 +784,7 @@ hashlist_add_dns_name(hashlist_t *l, /*const*/ dns_name_t *name,
static int
hashlist_comp(const void *a, const void *b) {
- return (isc_safe_memcompare(a, b, hash_length + 1));
+ return (memcmp(a, b, hash_length + 1));
}
static void
diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c
index 6ae7ca8..01426d6 100644
--- a/lib/dns/nsec3.c
+++ b/lib/dns/nsec3.c
@@ -1963,7 +1963,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name,
* Work out what this NSEC3 covers.
* Inside (<0) or outside (>=0).
*/
- scope = isc_safe_memcompare(owner, nsec3.next, nsec3.next_length);
+ scope = memcmp(owner, nsec3.next, nsec3.next_length);
/*
* Prepare to compute all the hashes.
@@ -1987,7 +1987,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name,
return (ISC_R_IGNORE);
}
- order = isc_safe_memcompare(hash, owner, length);
+ order = memcmp(hash, owner, length);
if (first && order == 0) {
/*
* The hashes are the same.
diff --git a/lib/dns/spnego.c b/lib/dns/spnego.c
index ad77f24..670982a 100644
--- a/lib/dns/spnego.c
+++ b/lib/dns/spnego.c
@@ -371,7 +371,7 @@ gssapi_spnego_decapsulate(OM_uint32 *,
/* mod_auth_kerb.c */
-static int
+static isc_boolean_t
cmp_gss_type(gss_buffer_t token, gss_OID gssoid)
{
unsigned char *p;
@@ -395,7 +395,7 @@ cmp_gss_type(gss_buffer_t token, gss_OID gssoid)
if (((OM_uint32) *p++) != gssoid->length)
return (GSS_S_DEFECTIVE_TOKEN);
- return (isc_safe_memcompare(p, gssoid->elements, gssoid->length));
+ return (!isc_safe_memequal(p, gssoid->elements, gssoid->length));
}
/* accept_sec_context.c */
diff --git a/lib/isc/Makefile.in b/lib/isc/Makefile.in
index 149552a..8529a86 100644
--- a/lib/isc/Makefile.in
+++ b/lib/isc/Makefile.in
@@ -60,7 +60,7 @@ OBJS = @ISC_EXTRA_OBJS@ @ISC_PK11_O@ @ISC_PK11_RESULT_O@ \
parseint.@O@ portset.@O@ quota.@O@ radix.@O@ random.@O@ \
ratelimiter.@O@ refcount.@O@ region.@O@ regex.@O@ result.@O@ \
rwlock.@O@ \
- safe.@O@ serial.@O@ siphash.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \
+ serial.@O@ siphash.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \
string.@O@ strtoul.@O@ symtab.@O@ task.@O@ taskpool.@O@ \
tm.@O@ timer.@O@ utf8.@O@ version.@O@ \
${UNIXOBJS} ${NLSOBJS} ${THREADOBJS}
@@ -79,7 +79,7 @@ SRCS = @ISC_EXTRA_SRCS@ @ISC_PK11_C@ @ISC_PK11_RESULT_C@ \
netaddr.c netscope.c pool.c ondestroy.c \
parseint.c portset.c quota.c radix.c random.c ${CHACHASRCS} \
ratelimiter.c refcount.c region.c regex.c result.c rwlock.c \
- safe.c serial.c siphash.c sha1.c sha2.c sockaddr.c stats.c string.c \
+ serial.c siphash.c sha1.c sha2.c sockaddr.c stats.c string.c \
strtoul.c symtab.c task.c taskpool.c timer.c \
tm.c utf8.c version.c
@@ -95,10 +95,6 @@ TESTDIRS = @UNITTESTS@
@BIND9_MAKE_RULES@
-safe.@O@: safe.c
- ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} @CCNOOPT@ \
- -c ${srcdir}/safe.c
-
version.@O@: version.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-DVERSION=\"${VERSION}\" \
diff --git a/lib/isc/include/isc/safe.h b/lib/isc/include/isc/safe.h
index 66ed08b..88b8f47 100644
--- a/lib/isc/include/isc/safe.h
+++ b/lib/isc/include/isc/safe.h
@@ -15,29 +15,19 @@
/*! \file isc/safe.h */
-#include <stdbool.h>
-
-#include <isc/types.h>
-#include <stdlib.h>
+#include <isc/lang.h>
+#include <openssl/crypto.h>
ISC_LANG_BEGINDECLS
-bool
-isc_safe_memequal(const void *s1, const void *s2, size_t n);
+#define isc_safe_memequal(s1, s2, n) !CRYPTO_memcmp(s1, s2, n)
/*%<
* Returns true iff. two blocks of memory are equal, otherwise
* false.
*
*/
-int
-isc_safe_memcompare(const void *b1, const void *b2, size_t len);
-/*%<
- * Clone of libc memcmp() which is safe to differential timing attacks.
- */
-
-void
-isc_safe_memwipe(void *ptr, size_t len);
+#define isc_safe_memwipe(ptr, len) OPENSSL_cleanse(ptr, len)
/*%<
* Clear the memory of length `len` pointed to by `ptr`.
*
diff --git a/lib/isc/safe.c b/lib/isc/safe.c
deleted file mode 100644
index 7a464b6..0000000
--- a/lib/isc/safe.c
+++ /dev/null
@@ -1,83 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-/*! \file */
-
-#include <config.h>
-
-#include <stdbool.h>
-
-#include <isc/safe.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#ifdef WIN32
-#include <windows.h>
-#endif
-
-#ifdef _MSC_VER
-#pragma optimize("", off)
-#endif
-
-bool
-isc_safe_memequal(const void *s1, const void *s2, size_t n) {
- uint8_t acc = 0;
-
- if (n != 0U) {
- const uint8_t *p1 = s1, *p2 = s2;
-
- do {
- acc |= *p1++ ^ *p2++;
- } while (--n != 0U);
- }
- return (acc == 0);
-}
-
-
-int
-isc_safe_memcompare(const void *b1, const void *b2, size_t len) {
- const unsigned char *p1 = b1, *p2 = b2;
- size_t i;
- int res = 0, done = 0;
-
- for (i = 0; i < len; i++) {
- /* lt is -1 if p1[i] < p2[i]; else 0. */
- int lt = (p1[i] - p2[i]) >> CHAR_BIT;
-
- /* gt is -1 if p1[i] > p2[i]; else 0. */
- int gt = (p2[i] - p1[i]) >> CHAR_BIT;
-
- /* cmp is 1 if p1[i] > p2[i]; -1 if p1[i] < p2[i]; else 0. */
- int cmp = lt - gt;
-
- /* set res = cmp if !done. */
- res |= cmp & ~done;
-
- /* set done if p1[i] != p2[i]. */
- done |= lt | gt;
- }
-
- return (res);
-}
-
-void
-isc_safe_memwipe(void *ptr, size_t len) {
- if (ISC_UNLIKELY(ptr == NULL || len == 0))
- return;
-
-#ifdef WIN32
- SecureZeroMemory(ptr, len);
-#elif HAVE_EXPLICIT_BZERO
- explicit_bzero(ptr, len);
-#else
- memset(ptr, 0, len);
-#endif
-}
diff --git a/lib/isc/tests/safe_test.c b/lib/isc/tests/safe_test.c
index 266ac75..60e9181 100644
--- a/lib/isc/tests/safe_test.c
+++ b/lib/isc/tests/safe_test.c
@@ -45,22 +45,6 @@ isc_safe_memequal_test(void **state) {
"\x00\x00\x00\x00", 4));
}
-/* test isc_safe_memcompare() */
-static void
-isc_safe_memcompare_test(void **state) {
- UNUSED(state);
-
- assert_int_equal(isc_safe_memcompare("test", "test", 4), 0);
- assert_true(isc_safe_memcompare("test", "tesc", 4) > 0);
- assert_true(isc_safe_memcompare("test", "tesy", 4) < 0);
- assert_int_equal(isc_safe_memcompare("\x00\x00\x00\x00",
- "\x00\x00\x00\x00", 4), 0);
- assert_true(isc_safe_memcompare("\x00\x00\x00\x00",
- "\x00\x00\x00\x01", 4) < 0);
- assert_true(isc_safe_memcompare("\x00\x00\x00\x02",
- "\x00\x00\x00\x00", 4) > 0);
-}
-
/* test isc_safe_memwipe() */
static void
isc_safe_memwipe_test(void **state) {
@@ -69,7 +53,6 @@ isc_safe_memwipe_test(void **state) {
/* These should pass. */
isc_safe_memwipe(NULL, 0);
isc_safe_memwipe((void *) -1, 0);
- isc_safe_memwipe(NULL, 42);
/*
* isc_safe_memwipe(ptr, size) should function same as
@@ -108,7 +91,6 @@ main(void) {
const struct CMUnitTest tests[] = {
cmocka_unit_test(isc_safe_memequal_test),
cmocka_unit_test(isc_safe_memwipe_test),
- cmocka_unit_test(isc_safe_memcompare_test),
};
return (cmocka_run_group_tests(tests, NULL, NULL));
--
2.26.2

48
bind-9.11-rh1663318.patch
View File

@ -1,48 +0,0 @@
From b16a1ff25644bb075f454afe68ee63f6f385ca9c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Wed, 23 Jan 2019 21:11:07 +0100
Subject: [PATCH] Made RAND_status check optional (broke --disable-crypto-rand)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Unlike upstream, skip it also for DHCP.
Disable RAND_status also in non-threaded builds. DHCP is built without
threads and should not check RAND_status on dns library initialization.
Lack of entropy is possible state for dhclient, but it must not fail
even in this case. Because DHCP itself does not require custom random
generator, leave default RAND_OpenSSL configured. It should help TLS
connection to LDAP in single DHCP binary, while keeping secure random
data if needed.
(modified upstream commit 8a98277811ea50035ff37b744fa3dc5b75bee099)
Signed-off-by: Petr Menšík <pemensik@redhat.com>
---
lib/dns/openssl_link.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
index 7a233dd..941eb17 100644
--- a/lib/dns/openssl_link.c
+++ b/lib/dns/openssl_link.c
@@ -289,6 +289,7 @@ dst__openssl_init(const char *engine) {
#endif
#endif /* !defined(OPENSSL_NO_ENGINE) */
+#if defined(ISC_PLATFORM_CRYPTORANDOM) && defined(ISC_PLATFORM_USETHREADS)
/* Protect ourselves against unseeded PRNG */
if (RAND_status() != 1) {
FATAL_ERROR(__FILE__, __LINE__,
@@ -296,6 +297,7 @@ dst__openssl_init(const char *engine) {
"cannot be initialized (see the `PRNG not "
"seeded' message in the OpenSSL FAQ)");
}
+#endif
return (ISC_R_SUCCESS);
--
2.20.1

28
bind-9.11-rh1666814.patch
View File

@ -1,37 +1,29 @@
From 3bb29f45604ac6890f4ea5cdcbd1a62e6dad14a7 Mon Sep 17 00:00:00 2001
From d05d116da39c0a5c580ceaac6ba069899b82c5a0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Wed, 16 Jan 2019 16:27:33 +0100
Subject: [PATCH 2/2] Fix possible crash when loading corrupted file
Subject: [PATCH] Fix possible crash when loading corrupted file
Some values passes internal triggers by coincidence. Fix the check and
check also first_node_offset before even passing it further.
---
lib/dns/rbt.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
lib/dns/rbt.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/lib/dns/rbt.c b/lib/dns/rbt.c
index 62d0826..b029b7d 100644
index 5aee5f6..7f2c2d2 100644
--- a/lib/dns/rbt.c
+++ b/lib/dns/rbt.c
@@ -787,7 +787,7 @@ treefix(dns_rbt_t *rbt, void *base, size_t filesize, dns_rbtnode_t *n,
return (ISC_R_SUCCESS);
CONFIRM((void *) n >= base);
- CONFIRM((char *) n - (char *) base <= (int) nodemax);
+ CONFIRM((size_t)((char *) n - (char *) base) <= nodemax);
CONFIRM(DNS_RBTNODE_VALID(n));
dns_name_init(&nodename, NULL);
@@ -939,7 +939,8 @@ dns_rbt_deserialize_tree(void *base_address, size_t filesize,
rbt->root = (dns_rbtnode_t *)((char *)base_address +
header_offset + header->first_node_offset);
@@ -945,7 +945,9 @@ dns_rbt_deserialize_tree(void *base_address, size_t filesize,
rbt->root = (dns_rbtnode_t *)((char *)base_address + header_offset +
header->first_node_offset);
- if ((header->nodecount * sizeof(dns_rbtnode_t)) > filesize) {
+ if ((header->nodecount * sizeof(dns_rbtnode_t)) > filesize
+ || header->first_node_offset > filesize) {
+
result = ISC_R_INVALIDFILE;
goto cleanup;
}
--
2.20.1
2.31.1

194
bind-9.11-rh1732883.patch
View File

@ -1,194 +0,0 @@
From 6010876e561b4345e569ffd11eaec9ea52725817 Mon Sep 17 00:00:00 2001
From: Pavel Zhukov <pzhukov@redhat.com>
Date: Wed, 24 Jul 2019 17:15:55 +0200
Subject: [PATCH] Detect system time jumps
In case if system time was changed backward it's possible to have ip
address dropped by the kernel due to lifetime expirity. Try to detect
this situation using either monotonic time or saved timestamp and execute
go_reboot() procedure to request lease extention
---
lib/isc/include/isc/result.h | 3 ++-
lib/isc/include/isc/util.h | 3 +++
lib/isc/result.c | 2 ++
lib/isc/unix/app.c | 39 +++++++++++++++++++++++++++++----
lib/isc/unix/include/isc/time.h | 20 +++++++++++++++++
lib/isc/unix/time.c | 22 +++++++++++++++++++
6 files changed, 84 insertions(+), 5 deletions(-)
diff --git a/lib/isc/include/isc/result.h b/lib/isc/include/isc/result.h
index 0389efa..149cde5 100644
--- a/lib/isc/include/isc/result.h
+++ b/lib/isc/include/isc/result.h
@@ -89,7 +89,8 @@
#define ISC_R_DISCFULL 67 /*%< disc full */
#define ISC_R_DEFAULT 68 /*%< default */
#define ISC_R_IPV4PREFIX 69 /*%< IPv4 prefix */
-#define ISC_R_NRESULTS 70
+#define ISC_R_TIMESHIFTED 70 /*%< system time changed */
+#define ISC_R_NRESULTS 71
ISC_LANG_BEGINDECLS
diff --git a/lib/isc/include/isc/util.h b/lib/isc/include/isc/util.h
index 973c348..8160dd3 100644
--- a/lib/isc/include/isc/util.h
+++ b/lib/isc/include/isc/util.h
@@ -289,6 +289,9 @@ extern void mock_assert(const int result, const char* const expression,
* Time
*/
#define TIME_NOW(tp) RUNTIME_CHECK(isc_time_now((tp)) == ISC_R_SUCCESS)
+#ifdef CLOCK_BOOTTIME
+#define TIME_MONOTONIC(tp) RUNTIME_CHECK(isc_time_boottime((tp)) == ISC_R_SUCCESS)
+#endif
/*%
* Alignment
diff --git a/lib/isc/result.c b/lib/isc/result.c
index a9db132..7c04831 100644
--- a/lib/isc/result.c
+++ b/lib/isc/result.c
@@ -105,6 +105,7 @@ static const char *description[ISC_R_NRESULTS] = {
"disc full", /*%< 67 */
"default", /*%< 68 */
"IPv4 prefix", /*%< 69 */
+ "time changed", /*%< 70 */
};
static const char *identifier[ISC_R_NRESULTS] = {
@@ -178,6 +179,7 @@ static const char *identifier[ISC_R_NRESULTS] = {
"ISC_R_DISCFULL",
"ISC_R_DEFAULT",
"ISC_R_IPV4PREFIX",
+ "ISC_R_TIMESHIFTED",
};
#define ISC_RESULT_RESULTSET 2
diff --git a/lib/isc/unix/app.c b/lib/isc/unix/app.c
index a6e9882..52eb3e0 100644
--- a/lib/isc/unix/app.c
+++ b/lib/isc/unix/app.c
@@ -442,15 +442,48 @@ isc__app_ctxonrun(isc_appctx_t *ctx0, isc_mem_t *mctx, isc_task_t *task,
static isc_result_t
evloop(isc__appctx_t *ctx) {
isc_result_t result;
+ isc_time_t now;
+#ifdef CLOCK_BOOTTIME
+ isc_time_t monotonic;
+ uint64_t diff = 0;
+#else
+ isc_time_t prev;
+ TIME_NOW(&prev);
+#endif
+
+
while (!ctx->want_shutdown) {
int n;
- isc_time_t when, now;
+ isc_time_t when;
struct timeval tv, *tvp;
isc_socketwait_t *swait;
bool readytasks;
bool call_timer_dispatch = false;
-
+ uint64_t us;
+
+#ifdef CLOCK_BOOTTIME
+ // TBD macros for following three lines
+ TIME_NOW(&now);
+ TIME_MONOTONIC(&monotonic);
+ INSIST(now.seconds > monotonic.seconds)
+ us = isc_time_microdiff (&now, &monotonic);
+ if (us < diff){
+ us = diff - us;
+ if (us > 1000000){ // ignoring shifts less than one second
+ return ISC_R_TIMESHIFTED;
+ };
+ diff = isc_time_microdiff (&now, &monotonic);
+ } else {
+ diff = isc_time_microdiff (&now, &monotonic);
+ // not implemented
+ }
+#else
+ TIME_NOW(&now);
+ if (isc_time_compare (&now, &prev) < 0)
+ return ISC_R_TIMESHIFTED;
+ TIME_NOW(&prev);
+#endif
/*
* Check the reload (or suspend) case first for exiting the
* loop as fast as possible in case:
@@ -475,8 +508,6 @@ evloop(isc__appctx_t *ctx) {
if (result != ISC_R_SUCCESS)
tvp = NULL;
else {
- uint64_t us;
-
TIME_NOW(&now);
us = isc_time_microdiff(&when, &now);
if (us == 0)
diff --git a/lib/isc/unix/include/isc/time.h b/lib/isc/unix/include/isc/time.h
index b864c29..5dd43c9 100644
--- a/lib/isc/unix/include/isc/time.h
+++ b/lib/isc/unix/include/isc/time.h
@@ -132,6 +132,26 @@ isc_time_isepoch(const isc_time_t *t);
*\li 't' is a valid pointer.
*/
+#ifdef CLOCK_BOOTTIME
+isc_result_t
+isc_time_boottime(isc_time_t *t);
+/*%<
+ * Set 't' to monotonic time from previous boot
+ * it's not affected by system time change. It also
+ * includes the time system was suspended
+ *
+ * Requires:
+ *\li 't' is a valid pointer.
+ *
+ * Returns:
+ *
+ *\li Success
+ *\li Unexpected error
+ * Getting the time from the system failed.
+ */
+#endif /* CLOCK_BOOTTIME */
+
+
isc_result_t
isc_time_now(isc_time_t *t);
/*%<
diff --git a/lib/isc/unix/time.c b/lib/isc/unix/time.c
index 8edc9df..fe0bb91 100644
--- a/lib/isc/unix/time.c
+++ b/lib/isc/unix/time.c
@@ -498,3 +498,25 @@ isc_time_formatISO8601ms(const isc_time_t *t, char *buf, unsigned int len) {
t->nanoseconds / NS_PER_MS);
}
}
+
+
+#ifdef CLOCK_BOOTTIME
+isc_result_t
+isc_time_boottime(isc_time_t *t) {
+ struct timespec ts;
+
+ char strbuf[ISC_STRERRORSIZE];
+
+ if (clock_gettime (CLOCK_BOOTTIME, &ts) != 0){
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ UNEXPECTED_ERROR(__FILE__, __LINE__, "%s", strbuf);
+ return (ISC_R_UNEXPECTED);
+ }
+
+ t->seconds = ts.tv_sec;
+ t->nanoseconds = ts.tv_nsec;
+
+ return (ISC_R_SUCCESS);
+
+};
+#endif
--
2.20.1

59
bind-9.11-rh1736762-5.patch
View File

@ -1,59 +0,0 @@
From 6257d829c9d7e71ac51bcdc6b5b981c7a19200e2 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Mon, 25 Nov 2019 05:46:55 +0000
Subject: [PATCH] Merge branch
'1373-threadsanitizer-data-race-rbtdb-c-5193-in-detachnode' into 'master'
Resolve "ThreadSanitizer: data race rbtdb.c:5193 in detachnode"
Closes #1373
See merge request isc-projects/bind9!2598
---
lib/dns/include/dns/rbt.h | 22 +++++++++-------------
1 file changed, 9 insertions(+), 13 deletions(-)
diff --git a/lib/dns/include/dns/rbt.h b/lib/dns/include/dns/rbt.h
index 67ac3e4d8a..a084bd6193 100644
--- a/lib/dns/include/dns/rbt.h
+++ b/lib/dns/include/dns/rbt.h
@@ -49,10 +49,7 @@ ISC_LANG_BEGINDECLS
#define DNS_RBT_USEMAGIC 1
-/*
- * These should add up to 30.
- */
-#define DNS_RBT_LOCKLENGTH 10
+#define DNS_RBT_LOCKLENGTH (sizeof(((dns_rbtnode_t *)0)->locknum)*8)
#define DNS_RBT_REFLENGTH 20
#define DNS_RBTNODE_MAGIC ISC_MAGIC('R','B','N','O')
@@ -159,16 +156,15 @@ struct dns_rbtnode {
* separate region of memory.
*/
void *data;
- unsigned int :0; /* start of bitfields c/o node lock */
- unsigned int dirty:1;
- unsigned int wild:1;
- unsigned int locknum:DNS_RBT_LOCKLENGTH;
-#ifndef DNS_RBT_USEISCREFCOUNT
- unsigned int references:DNS_RBT_REFLENGTH;
-#endif
- unsigned int :0; /* end of bitfields c/o node lock */
+ uint8_t :0; /* start of bitfields c/o node lock */
+ uint8_t dirty:1;
+ uint8_t wild:1;
+ uint8_t :0; /* end of bitfields c/o node lock */
+ uint16_t locknum; /* note that this is not in the bitfield */
#ifdef DNS_RBT_USEISCREFCOUNT
- isc_refcount_t references; /* note that this is not in the bitfield */
+ isc_refcount_t references;
+#else
+ unsigned int references:DNS_RBT_REFLENGTH;
#endif
/*@}*/
};
--
2.21.0

2122
bind-9.11-rt31459.patch
View File

File diff suppressed because it is too large Load Diff

789
bind-9.11-rt46047.patch
View File

@ -1,789 +0,0 @@
From 344c19ad4b3f058e65a4b41650bb0ee20692cc5c Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Thu, 28 Sep 2017 10:09:22 -0700
Subject: [PATCH] completed and corrected the crypto-random change
4724. [func] By default, BIND now uses the random number
functions provided by the crypto library (i.e.,
OpenSSL or a PKCS#11 provider) as a source of
randomness rather than /dev/random. This is
suitable for virtual machine environments
which have limited entropy pools and lack
hardware random number generators.
This can be overridden by specifying another
entropy source via the "random-device" option
in named.conf, or via the -r command line option;
however, for functions requiring full cryptographic
strength, such as DNSSEC key generation, this
cannot be overridden. In particular, the -r
command line option no longer has any effect on
dnssec-keygen.
This can be disabled by building with
"configure --disable-crypto-rand".
[RT #31459] [RT #46047]
---
bin/confgen/keygen.c | 12 +++---
bin/dnssec/dnssec-keygen.docbook | 24 +++++++----
bin/dnssec/dnssectool.c | 12 +++---
bin/named/client.c | 3 +-
bin/named/config.c | 4 +-
bin/named/controlconf.c | 19 +++++---
bin/named/include/named/server.h | 2 +
bin/named/interfacemgr.c | 1 +
bin/named/query.c | 1 +
bin/named/server.c | 52 ++++++++++++++--------
bin/nsupdate/nsupdate.c | 4 +-
bin/tests/system/pipelined/pipequeries.c | 4 +-
bin/tests/system/tkey/keycreate.c | 4 +-
bin/tests/system/tkey/keydelete.c | 5 +--
doc/arm/Bv9ARM-book.xml | 55 +++++++++++++++++-------
doc/arm/notes-rh-changes.xml | 42 ++++++++++++++++++
doc/arm/notes.xml | 1 +
lib/dns/dst_api.c | 4 +-
lib/dns/include/dst/dst.h | 14 +++++-
lib/dns/openssl_link.c | 3 +-
lib/isc/include/isc/entropy.h | 48 +++++++++++++++------
lib/isc/include/isc/random.h | 28 +++++++-----
lib/isccfg/namedconf.c | 2 +-
23 files changed, 240 insertions(+), 104 deletions(-)
create mode 100644 doc/arm/notes-rh-changes.xml
diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c
index 295e16f..0f79aa8 100644
--- a/bin/confgen/keygen.c
+++ b/bin/confgen/keygen.c
@@ -161,17 +161,15 @@ generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg,
DO("create entropy context", isc_entropy_create(mctx, &ectx));
- if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) {
- randomfile = NULL;
- open_keyboard = ISC_ENTROPY_KEYBOARDYES;
- }
#ifdef ISC_PLATFORM_CRYPTORANDOM
- if (randomfile != NULL &&
- strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
- randomfile = NULL;
+ if (randomfile == NULL) {
isc_entropy_usehook(ectx, true);
}
#endif
+ if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) {
+ randomfile = NULL;
+ open_keyboard = ISC_ENTROPY_KEYBOARDYES;
+ }
DO("start entropy source", isc_entropy_usebestsource(ectx,
&entropy_source,
randomfile,
diff --git a/bin/dnssec/dnssec-keygen.docbook b/bin/dnssec/dnssec-keygen.docbook
index 1826919..96543fc 100644
--- a/bin/dnssec/dnssec-keygen.docbook
+++ b/bin/dnssec/dnssec-keygen.docbook
@@ -349,15 +349,23 @@
<term>-r <replaceable class="parameter">randomdev</replaceable></term>
<listitem>
<para>
- Specifies the source of randomness. If the operating
- system does not provide a <filename>/dev/random</filename>
- or equivalent device, the default source of randomness
- is keyboard input. <filename>randomdev</filename>
- specifies
+ Specifies a source of randomness. Normally, when generating
+ DNSSEC keys, this option has no effect; the random number
+ generation function provided by the cryptographic library will
+ be used.
+ </para>
+ <para>
+ If that behavior is disabled at compile time, however,
+ the specified file will be used as entropy source
+ for key generation. <filename>randomdev</filename> is
the name of a character device or file containing random
- data to be used instead of the default. The special value
- <filename>keyboard</filename> indicates that keyboard
- input should be used.
+ data to be used. The special value <filename>keyboard</filename>
+ indicates that keyboard input should be used.
+ </para>
+ <para>
+ The default is <filename>/dev/random</filename> if the
+ operating system provides it or an equivalent device;
+ if not, the default source of randomness is keyboard input.
</para>
</listitem>
</varlistentry>
diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c
index 5654435..24c0d5a 100644
--- a/bin/dnssec/dnssectool.c
+++ b/bin/dnssec/dnssectool.c
@@ -241,18 +241,16 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
ISC_LIST_INIT(sources);
}
+#ifdef ISC_PLATFORM_CRYPTORANDOM
+ if (randomfile == NULL) {
+ isc_entropy_usehook(*ectx, true);
+ }
+#endif
if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) {
usekeyboard = ISC_ENTROPY_KEYBOARDYES;
randomfile = NULL;
}
-#ifdef ISC_PLATFORM_CRYPTORANDOM
- if (randomfile != NULL &&
- strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
- randomfile = NULL;
- isc_entropy_usehook(*ectx, true);
- }
-#endif
result = isc_entropy_usebestsource(*ectx, &source, randomfile,
usekeyboard);
diff --git a/bin/named/client.c b/bin/named/client.c
index 9a0d3c8..c573177 100644
--- a/bin/named/client.c
+++ b/bin/named/client.c
@@ -1765,7 +1765,8 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message,
isc_buffer_init(&buf, cookie, sizeof(cookie));
isc_stdtime_get(&now);
- isc_random_get(&nonce);
+ nonce = ((isc_rng_random(ns_g_server->rngctx) << 16) |
+ isc_rng_random(ns_g_server->rngctx));
compute_cookie(client, now, nonce, ns_g_server->secret, &buf);
diff --git a/bin/named/config.c b/bin/named/config.c
index dbdff64..63da4b0 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -98,7 +98,9 @@ options {\n\
# pid-file \"" NS_LOCALSTATEDIR "/run/named/named.pid\"; /* or /lwresd.pid */\n\
port 53;\n\
prefetch 2 9;\n"
-#ifdef PATH_RANDOMDEV
+#if defined(ISC_PLATFORM_CRYPTORANDOM)
+" random-device none;\n"
+#elif defined(PATH_RANDOMDEV)
" random-device \"" PATH_RANDOMDEV "\";\n"
#endif
" recursing-file \"named.recursing\";\n\
diff --git a/bin/named/controlconf.c b/bin/named/controlconf.c
index d955c2f..40621f2 100644
--- a/bin/named/controlconf.c
+++ b/bin/named/controlconf.c
@@ -325,9 +325,10 @@ log_invalid(isccc_ccmsg_t *ccmsg, isc_result_t result) {
static void
control_recvmessage(isc_task_t *task, isc_event_t *event) {
- controlconnection_t *conn;
- controllistener_t *listener;
- controlkey_t *key;
+ controlconnection_t *conn = NULL;
+ controllistener_t *listener = NULL;
+ ns_server_t *server = NULL;
+ controlkey_t *key = NULL;
isccc_sexpr_t *request = NULL;
isccc_sexpr_t *response = NULL;
uint32_t algorithm;
@@ -338,16 +339,17 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
isc_buffer_t *text;
isc_result_t result;
isc_result_t eresult;
- isccc_sexpr_t *_ctrl;
+ isccc_sexpr_t *_ctrl = NULL;
isccc_time_t sent;
isccc_time_t exp;
uint32_t nonce;
- isccc_sexpr_t *data;
+ isccc_sexpr_t *data = NULL;
REQUIRE(event->ev_type == ISCCC_EVENT_CCMSG);
conn = event->ev_arg;
listener = conn->listener;
+ server = listener->controls->server;
algorithm = DST_ALG_UNKNOWN;
secret.rstart = NULL;
text = NULL;
@@ -458,8 +460,11 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
* Establish nonce.
*/
if (conn->nonce == 0) {
- while (conn->nonce == 0)
- isc_random_get(&conn->nonce);
+ while (conn->nonce == 0) {
+ uint16_t r1 = isc_rng_random(server->rngctx);
+ uint16_t r2 = isc_rng_random(server->rngctx);
+ conn->nonce = (r1 << 16) | r2;
+ }
eresult = ISC_R_SUCCESS;
} else
eresult = ns_control_docommand(request, listener->readonly, &text);
diff --git a/bin/named/include/named/server.h b/bin/named/include/named/server.h
index 3f96b7b..c92922e 100644
--- a/bin/named/include/named/server.h
+++ b/bin/named/include/named/server.h
@@ -20,6 +20,7 @@
#include <isc/log.h>
#include <isc/magic.h>
#include <isc/quota.h>
+#include <isc/random.h>
#include <isc/sockaddr.h>
#include <isc/types.h>
#include <isc/xml.h>
@@ -134,6 +135,7 @@ struct ns_server {
char * lockfile;
uint16_t transfer_tcp_message_size;
+ isc_rng_t * rngctx;
};
struct ns_altsecret {
diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c
index 9dea7c1..272d300 100644
--- a/bin/named/interfacemgr.c
+++ b/bin/named/interfacemgr.c
@@ -17,6 +17,7 @@
#include <isc/interfaceiter.h>
#include <isc/os.h>
+#include <isc/random.h>
#include <isc/string.h>
#include <isc/task.h>
#include <isc/util.h>
diff --git a/bin/named/query.c b/bin/named/query.c
index 203f1e6..25eeced 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -19,6 +19,7 @@
#include <isc/hex.h>
#include <isc/mem.h>
#include <isc/print.h>
+#include <isc/random.h>
#include <isc/rwlock.h>
#include <isc/serial.h>
#include <isc/stats.h>
diff --git a/bin/named/server.c b/bin/named/server.c
index f27071f..f132c19 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -8210,21 +8210,32 @@ load_configuration(const char *filename, ns_server_t *server,
* Open the source of entropy.
*/
if (first_time) {
+ const char *randomdev = NULL;
+ int level = ISC_LOG_ERROR;
obj = NULL;
result = ns_config_get(maps, "random-device", &obj);
- if (result != ISC_R_SUCCESS) {
+ if (result == ISC_R_SUCCESS) {
+ if (!cfg_obj_isvoid(obj)) {
+ level = ISC_LOG_INFO;
+ randomdev = cfg_obj_asstring(obj);
+ }
+ }
+ if (randomdev == NULL) {
+#ifdef ISC_PLATFORM_CRYPTORANDOM
+ isc_entropy_usehook(ns_g_entropy, true);
+#else
+ if ((obj != NULL) && !cfg_obj_isvoid(obj))
+ level = ISC_LOG_INFO;
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+ NS_LOGMODULE_SERVER, level,
"no source of entropy found");
+ if ((obj == NULL) || cfg_obj_isvoid(obj)) {
+ CHECK(ISC_R_FAILURE);
+ }
+#endif
} else {
- const char *randomdev = cfg_obj_asstring(obj);
-#ifdef ISC_PLATFORM_CRYPTORANDOM
- if (strcmp(randomdev, ISC_PLATFORM_CRYPTORANDOM) == 0)
- isc_entropy_usehook(ns_g_entropy, true);
-#else
- int level = ISC_LOG_ERROR;
result = isc_entropy_createfilesource(ns_g_entropy,
- randomdev);
+ randomdev);
#ifdef PATH_RANDOMDEV
if (ns_g_fallbackentropy != NULL) {
level = ISC_LOG_INFO;
@@ -8235,8 +8246,8 @@ load_configuration(const char *filename, ns_server_t *server,
NS_LOGCATEGORY_GENERAL,
NS_LOGMODULE_SERVER,
level,
- "could not open entropy source "
- "%s: %s",
+ "could not open "
+ "entropy source %s: %s",
randomdev,
isc_result_totext(result));
}
@@ -8256,7 +8267,6 @@ load_configuration(const char *filename, ns_server_t *server,
}
isc_entropy_detach(&ns_g_fallbackentropy);
}
-#endif
#endif
}
@@ -9025,6 +9035,7 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
server->in_roothints = NULL;
server->blackholeacl = NULL;
server->keepresporder = NULL;
+ server->rngctx = NULL;
/* Must be first. */
CHECKFATAL(dst_lib_init2(ns_g_mctx, ns_g_entropy,
@@ -9051,6 +9062,9 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
CHECKFATAL(dns_tkeyctx_create(ns_g_mctx, ns_g_entropy,
&server->tkeyctx),
"creating TKEY context");
+ server->rngctx = NULL;
+ CHECKFATAL(isc_rng_create(ns_g_mctx, ns_g_entropy, &server->rngctx),
+ "creating random numbers context");
/*
* Setup the server task, which is responsible for coordinating
@@ -9257,7 +9271,8 @@ ns_server_destroy(ns_server_t **serverp) {
if (server->zonemgr != NULL)
dns_zonemgr_detach(&server->zonemgr);
-
+ if (server->rngctx != NULL)
+ isc_rng_detach(&server->rngctx);
if (server->tkeyctx != NULL)
dns_tkeyctx_destroy(&server->tkeyctx);
@@ -13263,10 +13278,10 @@ newzone_cfgctx_destroy(void **cfgp) {
static isc_result_t
generate_salt(unsigned char *salt, size_t saltlen) {
- int i, n;
+ size_t i, n;
union {
unsigned char rnd[256];
- uint32_t rnd32[64];
+ uint16_t rnd16[128];
} rnd;
unsigned char text[512 + 1];
isc_region_t r;
@@ -13276,9 +13291,10 @@ generate_salt(unsigned char *salt, size_t saltlen) {
if (saltlen > 256U)
return (ISC_R_RANGE);
- n = (int) (saltlen + sizeof(uint32_t) - 1) / sizeof(uint32_t);
- for (i = 0; i < n; i++)
- isc_random_get(&rnd.rnd32[i]);
+ n = (saltlen + sizeof(uint16_t) - 1) / sizeof(uint16_t);
+ for (i = 0; i < n; i++) {
+ rnd.rnd16[i] = isc_rng_random(ns_g_server->rngctx);
+ }
memmove(salt, rnd.rnd, saltlen);
diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
index 0286987..0376377 100644
--- a/bin/nsupdate/nsupdate.c
+++ b/bin/nsupdate/nsupdate.c
@@ -283,9 +283,7 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
}
#ifdef ISC_PLATFORM_CRYPTORANDOM
- if (randomfile != NULL &&
- strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
- randomfile = NULL;
+ if (randomfile == NULL) {
isc_entropy_usehook(*ectx, true);
}
#endif
diff --git a/bin/tests/system/pipelined/pipequeries.c b/bin/tests/system/pipelined/pipequeries.c
index f0a6ff2..55064f6 100644
--- a/bin/tests/system/pipelined/pipequeries.c
+++ b/bin/tests/system/pipelined/pipequeries.c
@@ -280,9 +280,7 @@ main(int argc, char *argv[]) {
ectx = NULL;
RUNCHECK(isc_entropy_create(mctx, &ectx));
#ifdef ISC_PLATFORM_CRYPTORANDOM
- if (randomfile != NULL &&
- strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
- randomfile = NULL;
+ if (randomfile == NULL) {
isc_entropy_usehook(ectx, true);
}
#endif
diff --git a/bin/tests/system/tkey/keycreate.c b/bin/tests/system/tkey/keycreate.c
index fe8698e..937fcc3 100644
--- a/bin/tests/system/tkey/keycreate.c
+++ b/bin/tests/system/tkey/keycreate.c
@@ -255,9 +255,7 @@ main(int argc, char *argv[]) {
ectx = NULL;
RUNCHECK(isc_entropy_create(mctx, &ectx));
#ifdef ISC_PLATFORM_CRYPTORANDOM
- if (randomfile != NULL &&
- strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
- randomfile = NULL;
+ if (randomfile == NULL) {
isc_entropy_usehook(ectx, true);
}
#endif
diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c
index 2146f9b..64b8e74 100644
--- a/bin/tests/system/tkey/keydelete.c
+++ b/bin/tests/system/tkey/keydelete.c
@@ -171,6 +171,7 @@ main(int argc, char **argv) {
randomfile = argv[2];
argv += 2;
argc -= 2;
+ POST(argc);
}
keyname = argv[1];
@@ -182,9 +183,7 @@ main(int argc, char **argv) {
ectx = NULL;
RUNCHECK(isc_entropy_create(mctx, &ectx));
#ifdef ISC_PLATFORM_CRYPTORANDOM
- if (randomfile != NULL &&
- strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
- randomfile = NULL;
+ if (randomfile == NULL) {
isc_entropy_usehook(ectx, true);
}
#endif
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index 93c7a08..bb1e81d 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -5081,22 +5081,45 @@ badresp:1,adberr:0,findfail:0,valfail:0]
<term><command>random-device</command></term>
<listitem>
<para>
- The source of entropy to be used by the server. Entropy is
- primarily needed
- for DNSSEC operations, such as TKEY transactions and dynamic
- update of signed
- zones. This options specifies the device (or file) from which
- to read
- entropy. If this is a file, operations requiring entropy will
- fail when the
- file has been exhausted. If not specified, the default value
- is
- <filename>/dev/random</filename>
- (or equivalent) when present, and none otherwise. The
- <command>random-device</command> option takes
- effect during
- the initial configuration load at server startup time and
- is ignored on subsequent reloads.
+ Specifies a source of entropy to be used by the server.
+ This is a device or file from which to read entropy.
+ If it is a file, operations requiring entropy
+ will fail when the file has been exhausted.
+ </para>
+ <para>
+ Entropy is needed for cryptographic operations such as
+ TKEY transactions, dynamic update of signed zones, and
+ generation of TSIG session keys. It is also used for
+ seeding and stirring the pseudo-random number generator,
+ which is used for less critical functions requiring
+ randomness such as generation of DNS message transaction
+ ID's.
+ </para>
+ <para>
+ If <command>random-device</command> is not specified, or
+ if it is set to <literal>none</literal>, entropy will be
+ read from the random number generation function supplied
+ by the cryptographic library with which BIND was linked
+ (i.e. OpenSSL or a PKCS#11 provider).
+ </para>
+ <para>
+ The <command>random-device</command> option takes
+ effect during the initial configuration load at server
+ startup time and is ignored on subsequent reloads.
+ </para>
+ <para>
+ If BIND is built with
+ <command>configure --disable-crypto-rand</command>, then
+ entropy is <emphasis>not</emphasis> sourced from the
+ cryptographic library. In this case, if
+ <command>random-device</command> is not specified, the
+ default value is the system random device,
+ <filename>/dev/random</filename> or the equivalent.
+ This default can be overridden with
+ <command>configure --with-randomdev</command>.
+ If no system random device exists, then no entropy source
+ will be configured, and <command>named</command> will only
+ be able to use pseudo-random numbers.
</para>
</listitem>
</varlistentry>
diff --git a/doc/arm/notes-rh-changes.xml b/doc/arm/notes-rh-changes.xml
new file mode 100644
index 0000000..89a4961
--- /dev/null
+++ b/doc/arm/notes-rh-changes.xml
@@ -0,0 +1,42 @@
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<section xml:id="relnotes_rh_changes"><info><title>Red Hat Specific Changes</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ By default, BIND now uses the random number generation functions
+ in the cryptographic library (i.e., OpenSSL or a PKCS#11
+ provider) as a source of high-quality randomness rather than
+ <filename>/dev/random</filename>. This is suitable for virtual
+ machine environments, which may have limited entropy pools and
+ lack hardware random number generators.
+ </para>
+ <para>
+ This can be overridden by specifying another entropy source via
+ the <command>random-device</command> option in
+ <filename>named.conf</filename>, or via the <command>-r</command>
+ command line option. However, for functions requiring full
+ cryptographic strength, such as DNSSEC key generation, this
+ <emphasis>cannot</emphasis> be overridden. In particular, the
+ <command>-r</command> command line option no longer has any
+ effect on <command>dnssec-keygen</command>.
+ </para>
+ <para>
+ This can be disabled by building with
+ <command>configure --disable-crypto-rand</command>, in which
+ case <filename>/dev/random</filename> will be the default
+ entropy source. [RT #31459] [RT #46047]
+ </para>
+ </listitem>
+ </itemizedlist>
+</section>
+
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index 589a347..052a0bd 100644
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -40,6 +40,7 @@
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.11.1.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.11.0.xml"/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-rh-changes.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-eol.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-thankyou.xml"/>
</section>
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index 1eccbe7..1933993 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -2017,10 +2017,12 @@ dst__entropy_getdata(void *buf, unsigned int len, bool pseudo) {
else
flags |= ISC_ENTROPY_BLOCKING;
#ifdef ISC_PLATFORM_CRYPTORANDOM
+ /* get entropy directly from crypto provider */
return (dst_random_getdata(buf, len, NULL, flags));
#else
+ /* get entropy from entropy source or hook function */
return (isc_entropy_getdata(dst_entropy_pool, buf, len, NULL, flags));
-#endif
+#endif /* ISC_PLATFORM_CRYPTORANDOM */
#endif /* PKCS11CRYPTO */
}
diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
index 6813c96..665574d 100644
--- a/lib/dns/include/dst/dst.h
+++ b/lib/dns/include/dst/dst.h
@@ -163,8 +163,18 @@ isc_result_t
dst_random_getdata(void *data, unsigned int length,
unsigned int *returned, unsigned int flags);
/*%<
- * \brief Return data from the crypto random generator.
- * Specialization of isc_entropy_getdata().
+ * Gets random data from the random generator provided by the
+ * crypto library, if BIND was built with --enable-crypto-rand.
+ *
+ * See isc_entropy_getdata() for parameter usage. Normally when
+ * this function is available, it will be set up as a hook in the
+ * entropy context, so that isc_entropy_getdata() is a front-end to
+ * this function.
+ *
+ * Returns:
+ * \li ISC_R_SUCCESS on success
+ * \li ISC_R_NOTIMPLEMENTED if BIND is built with --disable-crypto-rand
+ * \li DST_R_OPENSSLFAILURE, DST_R_CRYPTOFAILURE, or other codes on error
*/
bool
diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
index ffe0a69..5e48686 100644
--- a/lib/dns/openssl_link.c
+++ b/lib/dns/openssl_link.c
@@ -484,7 +484,8 @@ dst__openssl_getengine(const char *engine) {
isc_result_t
dst_random_getdata(void *data, unsigned int length,
- unsigned int *returned, unsigned int flags) {
+ unsigned int *returned, unsigned int flags)
+{
#ifdef ISC_PLATFORM_CRYPTORANDOM
#ifndef DONT_REQUIRE_DST_LIB_INIT
INSIST(dst__memory_pool != NULL);
diff --git a/lib/isc/include/isc/entropy.h b/lib/isc/include/isc/entropy.h
index c40a18c..c7cb17d 100644
--- a/lib/isc/include/isc/entropy.h
+++ b/lib/isc/include/isc/entropy.h
@@ -189,9 +189,8 @@ isc_entropy_createcallbacksource(isc_entropy_t *ent,
/*!<
* \brief Create an entropy source that is polled via a callback.
*
- * This would
- * be used when keyboard input is used, or a GUI input method. It can
- * also be used to hook in any external entropy source.
+ * This would be used when keyboard input is used, or a GUI input method.
+ * It can also be used to hook in any external entropy source.
*
* Samples are added via isc_entropy_addcallbacksample(), below.
* _addcallbacksample() is the only function which may be called from
@@ -232,15 +231,32 @@ isc_result_t
isc_entropy_getdata(isc_entropy_t *ent, void *data, unsigned int length,
unsigned int *returned, unsigned int flags);
/*!<
- * \brief Extract data from the entropy pool. This may load the pool from various
- * sources.
+ * \brief Get random data from entropy pool 'ent'.
*
- * Do this by stirring the pool and returning a part of hash as randomness.
- * Note that no secrets are given away here since parts of the hash are
- * xored together before returned.
+ * If a hook has been set up using isc_entropy_sethook() and
+ * isc_entropy_usehook(), then the hook function will be called to get
+ * random data.
*
- * Honor the request from the caller to only return good data, any data,
- * etc.
+ * Otherwise, randomness is extracted from the entropy pool set up in BIND.
+ * This may cause the pool to be loaded from various sources. Ths is done
+ * by stirring the pool and returning a part of hash as randomness.
+ * (Note that no secrets are given away here since parts of the hash are
+ * XORed together before returning.)
+ *
+ * 'flags' may contain ISC_ENTROPY_GOODONLY, ISC_ENTROPY_PARTIAL, or
+ * ISC_ENTROPY_BLOCKING. These will be honored if the hook function is
+ * not in use. If it is, the flags will be passed to the hook function
+ * but it may ignore them.
+ *
+ * Up to 'length' bytes of randomness are retrieved and copied into 'data'.
+ * (If 'returned' is not NULL, and the number of bytes copied is less than
+ * 'length' - which may happen if ISC_ENTROPY_PARTIAL was used - then the
+ * number of bytes copied will be stored in *returned.)
+ *
+ * Returns:
+ * \li ISC_R_SUCCESS on success
+ * \li ISC_R_NOENTROPY if entropy pool is empty
+ * \li other error codes are possible when a hook is in use
*/
void
@@ -305,13 +321,21 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source,
void
isc_entropy_usehook(isc_entropy_t *ectx, bool onoff);
/*!<
- * \brief Mark/unmark the given entropy structure as being hooked.
+ * \brief Configure entropy context 'ectx' to use the hook function
+ *
+ * Sets the entropy context to call the hook function for random number
+ * generation, if such a function has been configured via
+ * isc_entropy_sethook(), whenever isc_entropy_getdata() is called.
*/
void
isc_entropy_sethook(isc_entropy_getdata_t myhook);
/*!<
- * \brief Set the getdata hook (e.g., for a crypto random generator).
+ * \brief Set the hook function.
+ *
+ * The hook function is a global value: only one hook function
+ * can be set in the system. Individual entropy contexts may be
+ * configured to use it, or not, by calling isc_entropy_usehook().
*/
ISC_LANG_ENDDECLS
diff --git a/lib/isc/include/isc/random.h b/lib/isc/include/isc/random.h
index f8aed34..17c551b 100644
--- a/lib/isc/include/isc/random.h
+++ b/lib/isc/include/isc/random.h
@@ -9,8 +9,6 @@
* information regarding copyright ownership.
*/
-/* $Id: random.h,v 1.20 2009/01/17 23:47:43 tbox Exp $ */
-
#ifndef ISC_RANDOM_H
#define ISC_RANDOM_H 1
@@ -21,13 +19,23 @@
#include <isc/mutex.h>
/*! \file isc/random.h
- * \brief Implements a random state pool which will let the caller return a
- * series of possibly non-reproducible random values.
+ * \brief Implements pseudo random number generators.
+ *
+ * Two pseudo-random number generators are implemented, in isc_random_*
+ * and isc_rng_*. Neither one is very strong; they should not be used
+ * in cryptography functions.
+ *
+ * isc_random_* is based on arc4random if it is available on the system.
+ * Otherwise it is based on the posix srand() and rand() functions.
+ * It is useful for jittering values a bit here and there, such as
+ * timeouts, etc, but should not be relied upon to generate
+ * unpredictable sequences (for example, when choosing transaction IDs).
*
- * Note that the
- * strength of these numbers is not all that high, and should not be
- * used in cryptography functions. It is useful for jittering values
- * a bit here and there, such as timeouts, etc.
+ * isc_rng_* is based on ChaCha20, and is seeded and stirred from the
+ * system entropy source. It is stronger than isc_random_* and can
+ * be used for generating unpredictable sequences. It is still not as
+ * good as using system entropy directly (see entropy.h) and should not
+ * be used for cryptographic functions such as key generation.
*/
ISC_LANG_BEGINDECLS
@@ -115,8 +123,8 @@ isc_rng_random(isc_rng_t *rngctx);
uint16_t
isc_rng_uniformrandom(isc_rng_t *rngctx, uint16_t upper_bound);
/*%<
- * Returns a uniformly distributed pseudo random 16-bit unsigned
- * integer.
+ * Returns a uniformly distributed pseudo-random 16-bit unsigned integer
+ * less than 'upper_bound'.
*/
ISC_LANG_ENDDECLS
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index 1c45d5c..91693b5 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -1109,7 +1109,7 @@ options_clauses[] = {
{ "pid-file", &cfg_type_qstringornone, 0 },
{ "port", &cfg_type_uint32, 0 },
{ "querylog", &cfg_type_boolean, 0 },
- { "random-device", &cfg_type_qstring, 0 },
+ { "random-device", &cfg_type_qstringornone, 0 },
{ "recursing-file", &cfg_type_qstring, 0 },
{ "recursive-clients", &cfg_type_uint32, 0 },
{ "reserved-sockets", &cfg_type_uint32, 0 },
--
2.21.1

42
bind-9.11-serve-stale-dbfix.patch
View File

@ -1,42 +0,0 @@
From 20848d8284951481051f6ebdeb8128c05c7e82e2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Mon, 11 Nov 2019 16:56:52 +0100
Subject: [PATCH] Move stale_ttl from middle to the end
bind-dyndb-ldap is using rdataset structure. Do not modify its body,
move stale_ttl to the end. Make it binary compatible.
---
lib/dns/include/dns/rdataset.h | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/lib/dns/include/dns/rdataset.h b/lib/dns/include/dns/rdataset.h
index 97071ed496..a0c6afe624 100644
--- a/lib/dns/include/dns/rdataset.h
+++ b/lib/dns/include/dns/rdataset.h
@@ -137,11 +137,6 @@ struct dns_rdataset {
dns_rdataclass_t rdclass;
dns_rdatatype_t type;
dns_ttl_t ttl;
- /*
- * Stale ttl is used to see how long this RRset can still be used
- * to serve to clients, after the TTL has expired.
- */
- dns_ttl_t stale_ttl;
dns_trust_t trust;
dns_rdatatype_t covers;
@@ -178,6 +173,11 @@ struct dns_rdataset {
void * private7;
/*@}*/
+ /*
+ * Stale ttl is used to see how long this RRset can still be used
+ * to serve to clients, after the TTL has expired.
+ */
+ dns_ttl_t stale_ttl;
};
/*!
--
2.20.1

3859
bind-9.11-serve-stale.patch
View File

File diff suppressed because it is too large Load Diff

39
bind-9.11-tests-pkcs11.patch
View File

@ -1,39 +0,0 @@
From 66298a12b09784eab2c052ab22f87bb2b2f1267b Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Fri, 1 Mar 2019 15:55:46 +0100
Subject: [PATCH] Detect correctly pkcs11 support
It fails now always, because oot builds are not supported by
cleanpkcs11.sh.
---
bin/tests/system/cleanpkcs11.sh | 2 +-
bin/tests/system/conf.sh.in | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/bin/tests/system/cleanpkcs11.sh b/bin/tests/system/cleanpkcs11.sh
index b974708..3bbef4c 100644
--- a/bin/tests/system/cleanpkcs11.sh
+++ b/bin/tests/system/cleanpkcs11.sh
@@ -12,6 +12,6 @@
SYSTEMTESTTOP=.
. $SYSTEMTESTTOP/conf.sh
-if [ ! -x ../../pkcs11/pkcs11-destroy ]; then exit 1; fi
+if [ ! -x "$PK11DESTROY" ]; then exit 1; fi
$PK11DEL -w0 > /dev/null 2>&1
diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in
index a446c18..ede1203 100644
--- a/bin/tests/system/conf.sh.in
+++ b/bin/tests/system/conf.sh.in
@@ -46,6 +46,7 @@ CHECKZONE=$TOP/bin/check/named-checkzone
CHECKCONF=$TOP/bin/check/named-checkconf
PK11GEN="$TOP/bin/pkcs11/pkcs11-keygen -q -s ${SLOT:-0} -p ${HSMPIN:-1234}"
PK11LIST="$TOP/bin/pkcs11/pkcs11-list -s ${SLOT:-0} -p ${HSMPIN:-1234}"
+PK11DESTROY=$TOP/bin/pkcs11/pkcs11-destroy
PK11DEL="$TOP/bin/pkcs11/pkcs11-destroy -s ${SLOT:-0} -p ${HSMPIN:-1234} -w 0"
JOURNALPRINT=$TOP/bin/tools/named-journalprint
VERIFY=$TOP/bin/dnssec/dnssec-verify
--
2.20.1

65
bind-9.11-tests-variants.patch
View File

@ -1,65 +0,0 @@
From 9576e960ad3719aa9c1707734ad7ba0eccf16e5f Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Fri, 1 Mar 2019 15:48:20 +0100
Subject: [PATCH] Make alternative named builds testable in system tests
Red Hat has alternative variant builds of named, which are not ever
tested by system tests. New variables make it relatively easy to test
alternative variants.
For sdb variant use:
export NAMED_VARIANT=-sdb DNSSEC_VARIANT=
For pkcs variant use:
export NAMED_VARIANT=-pkcs11 DNSSEC_VARIANT=-pkcs11
---
bin/tests/system/conf.sh.in | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in
index 6f2dbcd..05605ae 100644
--- a/bin/tests/system/conf.sh.in
+++ b/bin/tests/system/conf.sh.in
@@ -37,7 +37,7 @@ DISABLED_ALGORITHM=ECDSAP384SHA384
DISABLED_ALGORITHM_NUMBER=14
DISABLED_BITS=384
-NAMED=$TOP/bin/named/named
+NAMED=$TOP/bin/named${NAMED_VARIANT}/named${NAMED_VARIANT}
# We must use "named -l" instead of "lwresd" because argv[0] is lost
# if the program is libtoolized.
LWRESD="$TOP/bin/named/named -l"
@@ -48,14 +48,14 @@ NSUPDATE=$TOP/bin/nsupdate/nsupdate
DDNSCONFGEN=$TOP/bin/confgen/ddns-confgen
TSIGKEYGEN=$TOP/bin/confgen/tsig-keygen
RNDCCONFGEN=$TOP/bin/confgen/rndc-confgen
-KEYGEN=$TOP/bin/dnssec/dnssec-keygen
-KEYFRLAB=$TOP/bin/dnssec/dnssec-keyfromlabel
-SIGNER=$TOP/bin/dnssec/dnssec-signzone
-REVOKE=$TOP/bin/dnssec/dnssec-revoke
-SETTIME=$TOP/bin/dnssec/dnssec-settime
-DSFROMKEY=$TOP/bin/dnssec/dnssec-dsfromkey
+KEYGEN=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-keygen${DNSSEC_VARIANT}
+KEYFRLAB=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-keyfromlabel${DNSSEC_VARIANT}
+SIGNER=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-signzone${DNSSEC_VARIANT}
+REVOKE=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-revoke${DNSSEC_VARIANT}
+SETTIME=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-settime${DNSSEC_VARIANT}
+DSFROMKEY=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-dsfromkey${DNSSEC_VARIANT}
HOST=$TOP/bin/dig/host
-IMPORTKEY=$TOP/bin/dnssec/dnssec-importkey
+IMPORTKEY=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-importkey${DNSSEC_VARIANT}
CHECKDS=$TOP/bin/python/dnssec-checkds
COVERAGE=$TOP/bin/python/dnssec-coverage
KEYMGR=$TOP/bin/python/dnssec-keymgr
@@ -75,7 +75,7 @@ DNSTAPREAD=$TOP/bin/tools/dnstap-read
MDIG=$TOP/bin/tools/mdig
NZD2NZF=$TOP/bin/tools/named-nzd2nzf
FSTRM_CAPTURE=@FSTRM_CAPTURE@
-FEATURETEST=$TOP/bin/named/feature-test
+FEATURETEST=$TOP/bin/named${NAMED_VARIANT}/feature-test${NAMED_VARIANT}
RANDFILE=$TOP/bin/tests/system/random.data
--
2.21.1

30
bind-9.11-unit-disable-random.patch
View File

@ -1,30 +0,0 @@
From 373f07148217a8e70e33446f5108fb42d1079ba6 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Thu, 21 Feb 2019 22:42:27 +0100
Subject: [PATCH] Disable random_test
It fails too often on some architecture, failing the whole build along.
Because it runs two times for pkcs11 and normal build and any of
subtests can occasionally fail, stop it.
It can be used again by defining 'unstable' variable in Kyuafile.
---
lib/isc/tests/Kyuafile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/isc/tests/Kyuafile b/lib/isc/tests/Kyuafile
index 4cd2574..9df2340 100644
--- a/lib/isc/tests/Kyuafile
+++ b/lib/isc/tests/Kyuafile
@@ -19,7 +19,7 @@ tap_test_program{name='pool_test'}
tap_test_program{name='print_test'}
tap_test_program{name='queue_test'}
tap_test_program{name='radix_test'}
-tap_test_program{name='random_test'}
+tap_test_program{name='random_test', required_configs='unstable'}
tap_test_program{name='regex_test'}
tap_test_program{name='result_test'}
tap_test_program{name='safe_test'}
--
2.20.1

16
bind-9.11.12.tar.gz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABAgAdFiEErj+seWcR7Fn8AHqkdLtrmky7PTgFAl2WMooACgkQdLtrmky7
PThv2RAAnXNLYTzXtH6ls29tRm5Hc+D6UaeqcWDNQ4BpkRVhrFxtukalGCi9mmB6
NPJzFyXmaOW654pypCIuEgqJNFUpDtLzLzT7SUF+mhm+5plsaRSBnh4mq87l5KSp
twODAPnfCJV+HBk5RmToLEstAbGQ7xEBTyQtZoFkY+V7zEFwENKiCvWsoSWOkYR3
zXo3sKjc83HV9ShbW/mCtbZf5L0qlbrKOAzqJfAFMhNNJi8kMbmr/Zi2sIfN+Rhv
g8HQo89Epv6r51yAdeED8idIX4rKjjcEtHrZeDmLdCcdHgSEj2sIlH92Joce6vL0
S59A0rItIXm6fW8sz6WNpcj4tVtWYbIYjXZ4SPFNkaUrHv8cUekq+5vbI+v07Gh3
2bhtDsDyTY5I1/AsY/EFmwkCAjUS00jZryBnuJpLB3v5JtUog4ek32yLBzPrqRBo
1876j4nlXAia8mG0OgJNWZ0gHyUPe/TgfR8fQDLmHxHHlKrJNTEwY6bLW8jzFTX1
zk510fI1K7J9tiQgf5wcBQ2h3EBlqzDNIJDovoATzLYIf0HKyVegh/vnQdtdEhUR
1DzJAt3bsBfAP1AFfWPD/ACu5Zdm7SxY1wE/pjkwttDU3sRZqOfuwNBGeolu3cVN
O9/h1zsyVeVS0ui2vu4+V4EvNitmXsVbG2doDq9L5yBiIKGO2Ew=
=GCy6
-----END PGP SIGNATURE-----

BIN
bind-9.11.21.tar.gz
View File

Binary file not shown.

16
bind-9.11.21.tar.gz.asc
View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABAgAdFiEElc7aJWscoKFfMC+1lSGn7V2s6RgFAl8Fgc8ACgkQlSGn7V2s
6Rj/ThAAlpExE5fpqdUFncwGzw1XTBHuHOlvQN4cJQseL/6c0O7lwjUxddAKYNyB
+TnGEgbd+OG6ifvxIG7m/4JkTuuw7hdj88MNHhhD6r7BnnTnwWL50qlL1McbhOCG
ThqbxCOL+ncg48f/LytXj02l38dt136lxJlpkwyHaykMJO4Im19Te69hWROftKpP
X4c3/GtJL5ZMtFxUyHpvHv0MJbZrLgys9+R7FtOlSckSgCMIj/D2fiPBCpNkY2uN
DdLkOe5oVqpypQfY2K1NbyJPaUUkDfnf2VHNF/c6DLLzCz/kYA14QxJjDKGtKV20
5tDJF+7buDqi/egUCB3VNagPWgYyIbVFR/VGReepOR+gedEiqwyN0Q0B76VEtB7H
lkeMRol07wm88tLHTIH+JpgGz7vYSyIPgZ3K/gJMmJUgk70zArlzb/WSMrfVtJqd
irB/cPiKhlG3Ktau7/LgVeX7s5isoXImwQ3JgSTlw2ZlhkT7PzALkVbT7CRtjOT9
+VqEA7iYClBuSgdFv9Dr41pho9bWBjGvATekSTHnQJfGvSvtGzD+XbxhyLhJQnZ+
XgsZ0uQZxzxqHk23TirGIA3iWSwIFGxeLYsTzg9wY4Qx8pwjDZVD0hrkuKaRQZS3
CrxBfqzT8zTD9okforH/E3tau38ENZO42XqQDXdAjw+ioMjqUOM=
=I3HH
-----END PGP SIGNATURE-----

83
bind-9.14-config-pkcs11.patch Normal file
View File

@ -0,0 +1,83 @@
From e6ab9c67f0a14adc23c1067e03a106da1b1651b7 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Fri, 18 Oct 2019 21:30:52 +0200
Subject: [PATCH] Move USE_PKCS11 and USE_OPENSSL out of config.h
Building two variants with the same common code requires to unset
USE_PKCS11 on part of build. That is not possible with config.h value.
Move it as normal define to CDEFINES.
---
bin/confgen/Makefile.in | 2 +-
configure.ac | 8 ++++++--
lib/dns/dst_internal.h | 12 +++++++++---
3 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in
index 1b7512d..c126bf3 100644
--- a/bin/confgen/Makefile.in
+++ b/bin/confgen/Makefile.in
@@ -22,7 +22,7 @@ VERSION=@BIND9_VERSION@
CINCLUDES = -I${srcdir}/include ${ISC_INCLUDES} ${ISCCC_INCLUDES} \
${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES}
-CDEFINES =
+CDEFINES = @USE_PKCS11@
CWARNINGS =
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
diff --git a/configure.ac b/configure.ac
index f5483fe..08a7d8a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -935,10 +935,14 @@ AC_SUBST([PKCS11_TEST])
AC_SUBST([PKCS11_TOOLS])
AC_SUBST([PKCS11_MANS])
+USE_PKCS11='-DUSE_PKCS11=0'
+USE_OPENSSL='-DUSE_OPENSSL=0'
AC_SUBST([CRYPTO])
AS_CASE([$CRYPTO],
- [pkcs11],[AC_DEFINE([USE_PKCS11], [1], [define if PKCS11 is used for Public-Key Cryptography])],
- [AC_DEFINE([USE_OPENSSL], [1], [define if OpenSSL is used for Public-Key Cryptography])])
+ [pkcs11],[USE_PKCS11='-DUSE_PKCS11=1'],
+ [USE_OPENSSL='-DUSE_OPENSSL=1'])
+AC_SUBST(USE_PKCS11)
+AC_SUBST(USE_OPENSSL)
# preparation for automake
# AM_CONDITIONAL([PKCS11_TOOLS], [test "$with_native_pkcs11" = "yes"])
diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h
index 2c3b4a3..55e9dc4 100644
--- a/lib/dns/dst_internal.h
+++ b/lib/dns/dst_internal.h
@@ -38,6 +38,13 @@
#include <isc/stdtime.h>
#include <isc/types.h>
+#ifndef USE_PKCS11
+#define USE_PKCS11 0
+#endif
+#ifndef USE_OPENSSL
+#define USE_OPENSSL (! USE_PKCS11)
+#endif
+
#if USE_PKCS11
#include <pk11/pk11.h>
#include <pk11/site.h>
@@ -116,11 +123,10 @@ struct dst_key {
void *generic;
dns_gss_ctx_id_t gssctx;
DH *dh;
-#if USE_OPENSSL
- EVP_PKEY *pkey;
-#endif /* if USE_OPENSSL */
#if USE_PKCS11
pk11_object_t *pkey;
+#else
+ EVP_PKEY *pkey;
#endif /* if USE_PKCS11 */
dst_hmac_key_t *hmac_key;
} keydata; /*%< pointer to key in crypto pkg fmt */
--
2.26.2

95
bind-9.14-json-c.patch Normal file
View File

@ -0,0 +1,95 @@
From 0698eb93f6e618d2882ae2c8758c5fa87524bea6 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Tue, 23 Jul 2019 12:10:39 +0200
Subject: [PATCH] Allow explicitly using json-c but not libjson
Separate detection of json support. Allows explicit use of json-c when
jsoncpp package is found. Have to use --without-libjson --with-json-c.
---
configure.ac | 52 +++++++++++++++++++++++++++++++++++++++++-----------
1 file changed, 41 insertions(+), 11 deletions(-)
diff --git a/configure.ac b/configure.ac
index f7978e4..40b4f9f 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1331,7 +1331,6 @@ AC_ARG_WITH(libjson,
use_libjson="$withval", use_libjson="auto")
have_libjson=""
-have_libjson_c=""
case "$use_libjson" in
no)
libjson_libs=""
@@ -1347,7 +1346,43 @@ case "$use_libjson" in
LIBS="$LIBS -L${d}/lib"
fi
have_libjson="yes"
- elif test -f "${d}/include/json-c/json.h"
+ fi
+ done
+ ;;
+ *)
+ if test -f "${use_libjson}/include/json/json.h"
+ then
+ libjson_cflags="-I${use_libjson}/include"
+ LIBS="$LIBS -L${use_libjson}/lib"
+ have_libjson="yes"
+ else
+ AC_MSG_ERROR([$use_libjson/include/json/json.h not found.])
+ fi
+ ;;
+esac
+
+#
+# was --with-json-c specified?
+#
+AC_ARG_WITH(json-c,
+ AS_HELP_STRING([--with-json-c[=PATH]],
+ [build with json-c library [yes|no|path]]),
+ use_json_c="$withval", use_json_c="$use_libjson")
+
+if test "X${have_libjson}" != "X"
+then
+ # Do not use if libjson were found
+ use_json_c=no
+fi
+
+have_libjson_c=""
+case "$use_json_c" in
+ no)
+ ;;
+ auto|yes)
+ for d in /usr /usr/local /opt/local
+ do
+ if test -f "${d}/include/json-c/json.h"
then
if test ${d} != /usr
then
@@ -1360,19 +1395,14 @@ case "$use_libjson" in
done
;;
*)
- if test -f "${use_libjson}/include/json/json.h"
- then
- libjson_cflags="-I${use_libjson}/include"
- LIBS="$LIBS -L${use_libjson}/lib"
- have_libjson="yes"
- elif test -f "${use_libjson}/include/json-c/json.h"
+ if test -f "${use_json_c}/include/json-c/json.h"
then
- libjson_cflags="-I${use_libjson}/include"
- LIBS="$LIBS -L${use_libjson}/lib"
+ libjson_cflags="-I${use_json_c}/include"
+ LIBS="$LIBS -L${use_json_c}/lib"
have_libjson="yes"
have_libjson_c="yes"
else
- AC_MSG_ERROR([$use_libjson/include/json{,-c}/json.h not found.])
+ AC_MSG_ERROR([$use_json_c/include/json-c/json.h not found.])
fi
;;
esac
--
2.20.1

16
bind-9.14.7.tar.gz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABAgAdFiEErj+seWcR7Fn8AHqkdLtrmky7PTgFAl2WMpEACgkQdLtrmky7
PTh/sg//QbNRAQvADQfwF1PPo+JxB+3WzQ9oJAWeHbOoiubwkUwO9xE+BEnTNd5o
oM1lSLqFxNykOTaoeJlqPftPod1cxo7lSzkwflugGyB/59wliCpqCg053YV4x9mO
QggvA/E50+0FI/Om/7v4GHGADu/JE83FovOueWAB0LgqfDSD6QFcNFF9sUJJ4P7r
FcEXSWj8QbrHMWBKncZUOpD2ECotvtrYmi0DTHl1XfigESDQpWtsnTFuabCCsvkh
ch9wQRplAes2Mf/aS5tl1y0QKKBFuEjtGiTdgrDl6o9GLnx6CueX5saZehu2EVkr
fq2vEYUC2lRQSjuxSMMJ3L0TGUcl7+ixlAIISS2K9L5Xx7MhBXt/EH5KiKPfsEet
3EH+DhxV5uXjDU7MgvREnxT+ssV23e0HWTz4tVVQ9LpvYmWPIgLcSOhHCc57yoQF
c46V0f69dMWbMAlQ93EZSG274ZvpIszpK8+3hGI3/TuDFFgiQJeJJBFVtYJMle69
3mEEclfzO7fBiXZFec6nVx2309bL64bafN7zszPKXl4XgoefOfD0v0eWqQT4fxfm
dnGC0qMqSZs5F+d0fISV5JUUNYzt9PZjvnzqLLGOeTF6l3/n9G1mmNsXcxJ1OEIF
6qh1oO7JTPjt0MFhKac4QjNQi/Bnp25O3I/PRyWZCbiwXkyvyQU=
=ZT7s
-----END PGP SIGNATURE-----

60
bind-9.16-redhat_doc.patch Normal file
View File

@ -0,0 +1,60 @@
From 3a161af91bffcd457586ab466e32ac8484028763 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Wed, 17 Jun 2020 23:17:13 +0200
Subject: [PATCH] Update man named with Red Hat specifics
This is almost unmodified text and requires revalidation. Some of those
statements are no longer correct.
---
bin/named/named.rst | 35 +++++++++++++++++++++++++++++++++++
1 file changed, 35 insertions(+)
diff --git a/bin/named/named.rst b/bin/named/named.rst
index 6fd8f87..3cd6350 100644
--- a/bin/named/named.rst
+++ b/bin/named/named.rst
@@ -228,6 +228,41 @@ Files
``/var/run/named/named.pid``
The default process-id file.
+Notes
+~~~~~
+
+**Red Hat SELinux BIND Security Profile:**
+
+By default, Red Hat ships BIND with the most secure SELinux policy
+that will not prevent normal BIND operation and will prevent exploitation
+of all known BIND security vulnerabilities. See the selinux(8) man page
+for information about SElinux.
+
+It is not necessary to run named in a chroot environment if the Red Hat
+SELinux policy for named is enabled. When enabled, this policy is far
+more secure than a chroot environment. Users are recommended to enable
+SELinux and remove the bind-chroot package.
+
+*With this extra security comes some restrictions:*
+
+By default, the SELinux policy does not allow named to write outside directory
+/var/named. That directory used to be read-only for named, but write access is
+enabled by default now.
+
+The "named" group must be granted read privelege to
+these files in order for named to be enabled to read them.
+Any file updated by named must be writeable by named user or named group.
+
+Any file created in the zone database file directory is automatically assigned
+the SELinux file context *named_zone_t* .
+
+The Red Hat BIND distribution and SELinux policy creates three directories where
+named were allowed to create and modify files: */var/named/slaves*, */var/named/dynamic*
+*/var/named/data*. The service is able to write and file under */var/named* with appropriate
+permissions. They are used for better organisation of zones and backward compatibility.
+Files in these directories are automatically assigned the '*named_cache_t*'
+file context, which SELinux always allows named to write.
+
See Also
~~~~~~~~
--
2.26.2

BIN
bind-9.16.23.tar.xz Normal file
View File

Binary file not shown.

17
bind-9.16.23.tar.xz.asc Normal file
View File

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org
iQIzBAABAgAdFiEEqtu6UHTxQC97adVrxbTukxqfnf0FAmGKhMcACgkQxbTukxqf
nf1EbQ//YXsBbMtyI3c0MoleSi5zwzcpCTZTWTFHqH5WUiruLMDF453j/Fn2zaSC
WuaUnhN61dR+BVtX+D2Y8GiVQFICo5X1nJj0jb/TcflXFq7YLWUAO0NPwPkBL1J4
/PA0YCp1zYcvBXIxTKaU7AcBxlKmcGLdZcgCyGU6NSKaOJSxHOWXM460uD/crskB
iSPEbMevN9TTJs9webztJNKH/3BuNkOD9SFb6JlUIQqwKx1v8rosgdI7BvgGMZqy
s+10+GlIRFFvsX2XkX8BnjDlQ1QdzDOAoyCU+Se9rXDqu+zZf1VN4ReUCSDuPYf9
z+GW1EbMxuZzEKrEIJvhnVNNiHqtKVaK6IIUX5bHqgPLEx87HxJMOPmbyBc1kDAe
0WCmsITaq62WvKOG8Ho8wLrlG4AAO5+A7xit4bJ4XUtLiqyt+9FUIeEFY9nZb/6O
OXK9eBMZHZ++r52RtA+GYZllkNRpzwnULOdR/9svVQuc10/MjnRoFqInzLlqwfwm
2q6r372oWn8+MUvjQVBgzprn5BvY+HDo2gNEYEi5QyR3ql2dX/Qz7iUdUfhRvMNL
FdPt3B3kktfOV98p/imrIwLwVVWwKBlphntkRxLtSZBs3nbo27F/ND54fixC2eCa
epB6FF5IquzQ/MOiz4uql3YexNDQQ+7N2IGPJVMwO2ILAyZDNOQ=
=pVtf
-----END PGP SIGNATURE-----

63
bind-9.3.1rc1-sdb_tools-Makefile.in
View File

@ -1,63 +0,0 @@
srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@
CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include \
${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \
${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES}
CDEFINES = -DBIND9
DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
ISCCCLIBS = ../../lib/isccc/libisccc.@A@
ISCLIBS = ../../lib/isc/libisc.@A@
LWRESLIBS = ../../lib/lwres/liblwres.@A@
BIND9LIBS = ../../lib/bind9/libbind9.@A@
DNSDEPLIBS = ../../lib/dns/libdns.@A@
ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
ISCCCDEPLIBS = ../../lib/isccc/libisccc.@A@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
LWRESDEPLIBS = ../../lib/lwres/liblwres.@A@
BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${ISCDEPLIBS}
LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} ${DBDRIVER_LIBS} @LIBS@
TARGETS = zone2ldap@EXEEXT@ zonetodb@EXEEXT@
OBJS = zone2ldap.@O@ zonetodb.@O@
SRCS = zone2ldap.c zonetodb.c
MANPAGES = zone2ldap.1
EXT_CFLAGS =
@BIND9_MAKE_RULES@
zone2ldap@EXEEXT@: zone2ldap.@O@ ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ zone2ldap.@O@ -lldap -llber ${LIBS}
zonetodb@EXEEXT@: zonetodb.@O@ ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ zonetodb.@O@ -lpq ${LIBS}
clean distclean manclean maintainer-clean::
rm -f ${TARGETS} ${OBJS}
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1
install:: ${TARGETS} installdirs
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2ldap@EXEEXT@ ${DESTDIR}${sbindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zonetodb@EXEEXT@ ${DESTDIR}${sbindir}
${INSTALL_DATA} ${srcdir}/zone2ldap.1 ${DESTDIR}${mandir}/man1/zone2ldap.1

68
bind-9.3.2-redhat_doc.patch
View File

@ -1,68 +0,0 @@
diff --git a/bin/named/named.8 b/bin/named/named.8
index ef10ef4..3150b22 100644
--- a/bin/named/named.8
+++ b/bin/named/named.8
@@ -349,6 +349,63 @@ The default configuration file\&.
/var/run/named/named\&.pid
.RS 4
The default process\-id file\&.
+.PP
+.SH "NOTES"
+.PP
+.TP
+\fBRed Hat SELinux BIND Security Profile:\fR
+.PP
+By default, Red Hat ships BIND with the most secure SELinux policy
+that will not prevent normal BIND operation and will prevent exploitation
+of all known BIND security vulnerabilities . See the selinux(8) man page
+for information about SElinux.
+.PP
+It is not necessary to run named in a chroot environment if the Red Hat
+SELinux policy for named is enabled. When enabled, this policy is far
+more secure than a chroot environment. Users are recommended to enable
+SELinux and remove the bind-chroot package.
+.PP
+With this extra security comes some restrictions:
+.PP
+By default, the SELinux policy does not allow named to write any master
+zone database files. Only the root user may create files in the $ROOTDIR/var/named
+zone database file directory (the options { "directory" } option), where
+$ROOTDIR is set in /etc/sysconfig/named.
+.PP
+The "named" group must be granted read privelege to
+these files in order for named to be enabled to read them.
+.PP
+Any file created in the zone database file directory is automatically assigned
+the SELinux file context named_zone_t .
+.PP
+By default, SELinux prevents any role from modifying named_zone_t files; this
+means that files in the zone database directory cannot be modified by dynamic
+DNS (DDNS) updates or zone transfers.
+.PP
+The Red Hat BIND distribution and SELinux policy creates three directories where
+named is allowed to create and modify files: /var/named/slaves, /var/named/dynamic
+/var/named/data. By placing files you want named to modify, such as
+slave or DDNS updateable zone files and database / statistics dump files in
+these directories, named will work normally and no further operator action is
+required. Files in these directories are automatically assigned the 'named_cache_t'
+file context, which SELinux allows named to write.
+.PP
+\fBRed Hat BIND SDB support:\fR
+.PP
+Red Hat ships named with compiled in Simplified Database Backend modules that ISC
+provides in the "contrib/sdb" directory. Install bind-sdb package if you want use them
+.PP
+The SDB modules for LDAP, PostGreSQL, DirDB and SQLite are compiled into named-sdb.
+.PP
+See the documentation for the various SDB modules in /usr/share/doc/bind-sdb-*/ .
+.br
+.PP
+\fBRed Hat system-config-bind:\fR
+.PP
+Red Hat provides the system-config-bind GUI to configure named.conf and zone
+database files. Run the "system-config-bind" command and access the manual
+by selecting the Help menu.
+.PP
.RE
.SH "SEE ALSO"
.PP

511
bind-9.3.2b1-fix_sdb_ldap.patch
View File

@ -1,511 +0,0 @@
diff --git a/bin/sdb_tools/Makefile.in b/bin/sdb_tools/Makefile.in
index 95ab742..5059a17 100644
--- a/bin/sdb_tools/Makefile.in
+++ b/bin/sdb_tools/Makefile.in
@@ -32,11 +32,11 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} ${DBDRIVER_LIBS} @LIBS@
-TARGETS = zone2ldap@EXEEXT@ zonetodb@EXEEXT@ zone2sqlite@EXEEXT@
+TARGETS = zone2ldap@EXEEXT@ zonetodb@EXEEXT@ zone2sqlite@EXEEXT@ ldap2zone@EXEEXT@
-OBJS = zone2ldap.@O@ zonetodb.@O@ zone2sqlite.@O@
+OBJS = zone2ldap.@O@ zonetodb.@O@ zone2sqlite.@O@ ldap2zone.@O@
-SRCS = zone2ldap.c zonetodb.c zone2sqlite.c
+SRCS = zone2ldap.c zonetodb.c zone2sqlite.c ldap2zone.c
MANPAGES = zone2ldap.1
@@ -47,6 +47,9 @@ EXT_CFLAGS =
zone2ldap@EXEEXT@: zone2ldap.@O@ ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ zone2ldap.@O@ -lldap -llber ${LIBS}
+ldap2zone@EXEEXT@: ldap2zone.@O@ ${DEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ ldap2zone.@O@ -lldap -llber ${LIBS}
+
zonetodb@EXEEXT@: zonetodb.@O@ ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ zonetodb.@O@ -lpq ${LIBS}
@@ -64,4 +67,5 @@ install:: ${TARGETS} installdirs
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2ldap@EXEEXT@ ${DESTDIR}${sbindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zonetodb@EXEEXT@ ${DESTDIR}${sbindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2sqlite@EXEEXT@ ${DESTDIR}${sbindir}
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} ldap2zone@EXEEXT@ ${DESTDIR}${sbindir}
${INSTALL_DATA} ${srcdir}/zone2ldap.1 ${DESTDIR}${mandir}/man1/zone2ldap.1
diff --git a/bin/sdb_tools/zone2ldap.c b/bin/sdb_tools/zone2ldap.c
index e0e9207..d59936c 100644
--- a/bin/sdb_tools/zone2ldap.c
+++ b/bin/sdb_tools/zone2ldap.c
@@ -73,7 +73,7 @@ void add_ldap_values (ldap_info * ldinfo);
void init_ldap_conn (void);
/* Ldap error checking */
-void ldap_result_check (const char *msg, char *dn, int err);
+void ldap_result_check (const char *msg, const char *dn, int err);
/* Put a hostname into a char ** array */
char **hostname_to_dn_list (char *hostname, char *zone, unsigned int flags);
@@ -82,7 +82,7 @@ char **hostname_to_dn_list (char *hostname, char *zone, unsigned int flags);
int get_attr_list_size (char **tmp);
/* Get a DN */
-char *build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag);
+char *build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag, char *zone);
/* Add to RR list */
void add_to_rr_list (char *dn, char *name, char *type, char *data,
@@ -104,11 +104,26 @@ void
init_ldap_conn ();
void usage();
-char *argzone, *ldapbase, *binddn, *bindpw = NULL;
-const char *ldapsystem = "localhost";
-static const char *objectClasses[] =
- { "top", "dNSZone", NULL };
-static const char *topObjectClasses[] = { "top", NULL };
+static char *argzone, *ldapbase, *binddn, *bindpw = NULL;
+
+/* these are needed to placate gcc4's const-ness const-ernations : */
+static char localhost[] = "localhost";
+static char *ldapsystem=&(localhost[0]);
+/* dnszone schema class names: */
+static char topClass [] ="top";
+static char dNSZoneClass[] ="dNSZone";
+static char objectClass [] ="objectClass";
+static char dcObjectClass[]="dcObject";
+/* dnszone schema attribute names: */
+static char relativeDomainName[]="relativeDomainName";
+static char dNSTTL []="dNSTTL";
+static char zoneName []="zoneName";
+static char dc []="dc";
+static char sameZone []="@";
+/* LDAPMod mod_values: */
+static char *objectClasses []= { &(topClass[0]), &(dNSZoneClass[0]), NULL };
+static char *topObjectClasses []= { &(topClass[0]), &(dcObjectClass[0]), &(dNSZoneClass[0]), NULL };
+static char *dn_buffer [64]={NULL};
LDAP *conn;
unsigned int debug = 0;
@@ -120,7 +135,7 @@ static void
fatal(const char *msg) {
perror(msg);
if (conn != NULL)
- ldap_unbind_s(conn);
+ ldap_unbind_ext_s(conn, NULL, NULL);
exit(1);
}
@@ -132,12 +147,13 @@ main (int argc, char **argv)
isc_result_t result;
char *basedn;
ldap_info *tmp;
- LDAPMod *base_attrs[2];
- LDAPMod base;
+ LDAPMod *base_attrs[5];
+ LDAPMod base, dcBase, znBase, rdnBase;
isc_buffer_t buff;
char *zonefile=0L;
char fullbasedn[1024];
char *ctmp;
+ char *zn, *dcp[2], *znp[2], *rdn[2];
dns_fixedname_t fixedzone, fixedname;
dns_rdataset_t rdataset;
char **dc_list;
@@ -150,7 +166,7 @@ main (int argc, char **argv)
extern char *optarg;
extern int optind, opterr, optopt;
int create_base = 0;
- int topt;
+ int topt, dcn, zdn, znlen;
if (argc < 2)
{
@@ -158,7 +174,7 @@ main (int argc, char **argv)
exit (-1);
}
- while ((topt = getopt (argc, argv, "D:w:b:z:f:h:?dcv")) != -1)
+ while ((topt = getopt (argc, argv, "D:Ww:b:z:f:h:?dcv")) != -1)
{
switch (topt)
{
@@ -181,6 +197,9 @@ main (int argc, char **argv)
if (bindpw == NULL)
fatal("strdup");
break;
+ case 'W':
+ bindpw = getpass("Enter LDAP Password: ");
+ break;
case 'b':
ldapbase = strdup (optarg);
if (ldapbase == NULL)
@@ -302,17 +321,51 @@ main (int argc, char **argv)
printf ("Creating base zone DN %s\n", argzone);
dc_list = hostname_to_dn_list (argzone, argzone, DNS_TOP);
- basedn = build_dn_from_dc_list (dc_list, 0, NO_SPEC);
+ basedn = build_dn_from_dc_list (dc_list, 0, NO_SPEC, argzone);
+ if (debug)
+ printf ("base DN %s\n", basedn);
- for (ctmp = &basedn[strlen (basedn)]; ctmp >= &basedn[0]; ctmp--)
+ for (ctmp = &basedn[strlen (basedn)], dcn=0; ctmp >= &basedn[0]; ctmp--)
{
if ((*ctmp == ',') || (ctmp == &basedn[0]))
{
base.mod_op = LDAP_MOD_ADD;
- base.mod_type = (char*)"objectClass";
+ base.mod_type = objectClass;
base.mod_values = (char**)topObjectClasses;
base_attrs[0] = (void*)&base;
- base_attrs[1] = NULL;
+
+ dcBase.mod_op = LDAP_MOD_ADD;
+ dcBase.mod_type = dc;
+ dcp[0]=dc_list[dcn];
+ dcp[1]=0L;
+ dcBase.mod_values=dcp;
+ base_attrs[1] = (void*)&dcBase;
+
+ znBase.mod_op = LDAP_MOD_ADD;
+ znBase.mod_type = zoneName;
+ for( zdn = dcn, znlen = 0; zdn >= 0; zdn-- )
+ znlen += strlen(dc_list[zdn])+1;
+ znp[0] = (char*)malloc(znlen+1);
+ znp[1] = 0L;
+ for( zdn = dcn, zn=znp[0]; zdn >= 0; zdn-- )
+ zn+=sprintf(zn,"%s%s",dc_list[zdn],
+ ((zdn > 0) && (*(dc_list[zdn-1])!='.')) ? "." : ""
+ );
+
+ znBase.mod_values = znp;
+ base_attrs[2] = (void*)&znBase;
+
+ rdnBase.mod_op = LDAP_MOD_ADD;
+ rdnBase.mod_type = relativeDomainName;
+ rdn[0] = strdup(sameZone);
+ rdn[1] = 0L;
+ rdnBase.mod_values = rdn;
+ base_attrs[3] = (void*)&rdnBase;
+
+ dcn++;
+
+ base.mod_values = topObjectClasses;
+ base_attrs[4] = NULL;
if (ldapbase)
{
@@ -329,6 +382,10 @@ main (int argc, char **argv)
else
sprintf (fullbasedn, "%s", ctmp);
}
+
+ if( debug )
+ printf("Full base dn: %s\n", fullbasedn);
+
result = ldap_add_s (conn, fullbasedn, base_attrs);
ldap_result_check ("initial ldap_add_s", fullbasedn, result);
}
@@ -408,14 +465,14 @@ generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, unsigned int ttl)
isc_result_check (result, "dns_rdata_totext");
data[isc_buffer_usedlength (&buff)] = 0;
- dc_list = hostname_to_dn_list (name, argzone, DNS_OBJECT);
+ dc_list = hostname_to_dn_list ((char*)name, argzone, DNS_OBJECT);
len = (get_attr_list_size (dc_list) - 2);
- dn = build_dn_from_dc_list (dc_list, ttl, WI_SPEC);
+ dn = build_dn_from_dc_list (dc_list, ttl, WI_SPEC, argzone);
if (debug)
printf ("Adding %s (%s %s) to run queue list.\n", dn, type, data);
- add_to_rr_list (dn, dc_list[len], type, data, ttl, DNS_OBJECT);
+ add_to_rr_list (dn, dc_list[len], (char*)type, (char*)data, ttl, DNS_OBJECT);
}
@@ -455,7 +512,8 @@ add_to_rr_list (char *dn, char *name, char *type,
int attrlist;
char ldap_type_buffer[128];
char charttl[64];
-
+ char *zn;
+ int znlen;
if ((tmp = locate_by_dn (dn)) == NULL)
{
@@ -482,10 +540,10 @@ add_to_rr_list (char *dn, char *name, char *type,
fatal("malloc");
}
tmp->attrs[0]->mod_op = LDAP_MOD_ADD;
- tmp->attrs[0]->mod_type = (char*)"objectClass";
+ tmp->attrs[0]->mod_type = objectClass;
if (flags == DNS_OBJECT)
- tmp->attrs[0]->mod_values = (char**)objectClasses;
+ tmp->attrs[0]->mod_values = objectClasses;
else
{
tmp->attrs[0]->mod_values = (char**)topObjectClasses;
@@ -497,7 +555,7 @@ add_to_rr_list (char *dn, char *name, char *type,
}
tmp->attrs[1]->mod_op = LDAP_MOD_ADD;
- tmp->attrs[1]->mod_type = (char*)"relativeDomainName";
+ tmp->attrs[1]->mod_type = relativeDomainName;
tmp->attrs[1]->mod_values = (char **) calloc (sizeof (char *), 2);
if (tmp->attrs[1]->mod_values == (char **)NULL)
@@ -526,7 +584,7 @@ add_to_rr_list (char *dn, char *name, char *type,
fatal("strdup");
tmp->attrs[3]->mod_op = LDAP_MOD_ADD;
- tmp->attrs[3]->mod_type = (char*)"dNSTTL";
+ tmp->attrs[3]->mod_type = dNSTTL;
tmp->attrs[3]->mod_values = (char **) calloc (sizeof (char *), 2);
if (tmp->attrs[3]->mod_values == (char **)NULL)
@@ -539,14 +597,25 @@ add_to_rr_list (char *dn, char *name, char *type,
if (tmp->attrs[3]->mod_values[0] == NULL)
fatal("strdup");
+ znlen=strlen(gbl_zone);
+ if ( gbl_zone[znlen-1] == '.' )
+ { /* ldapdb MUST search by relative zone name */
+ zn = (char*)malloc(znlen);
+ memcpy(zn, gbl_zone, znlen-1);
+ zn[znlen-1]='\0';
+ }else
+ {
+ zn = gbl_zone;
+ }
+
tmp->attrs[4]->mod_op = LDAP_MOD_ADD;
- tmp->attrs[4]->mod_type = (char*)"zoneName";
+ tmp->attrs[4]->mod_type = zoneName;
tmp->attrs[4]->mod_values = (char **)calloc(sizeof(char *), 2);
if (tmp->attrs[4]->mod_values == (char **)NULL)
fatal("calloc");
- tmp->attrs[4]->mod_values[0] = gbl_zone;
+ tmp->attrs[4]->mod_values[0] = zn;
tmp->attrs[4]->mod_values[1] = NULL;
tmp->attrs[5] = NULL;
@@ -557,7 +626,7 @@ add_to_rr_list (char *dn, char *name, char *type,
else
{
- for (i = 0; tmp->attrs[i] != NULL; i++)
+ for (i = 0; tmp->attrs[i] != NULL; i++)
{
sprintf (ldap_type_buffer, "%sRecord", type);
if (!strncmp
@@ -631,44 +700,70 @@ char **
hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
{
char *tmp;
- static char *dn_buffer[64];
int i = 0;
- char *zname;
- char *hnamebuff;
-
- zname = strdup (hostname);
- if (zname == NULL)
- fatal("strdup");
-
- if (flags == DNS_OBJECT)
- {
-
- if (strlen (zname) != strlen (zone))
- {
- tmp = &zname[strlen (zname) - strlen (zone)];
- *--tmp = '\0';
- hnamebuff = strdup (zname);
- if (hnamebuff == NULL)
- fatal("strdup");
- zname = ++tmp;
- }
- else
- hnamebuff = (char*)"@";
- }
- else
- {
- zname = zone;
- hnamebuff = NULL;
- }
-
- for (tmp = strrchr (zname, '.'); tmp != (char *) 0;
- tmp = strrchr (zname, '.'))
- {
- *tmp++ = '\0';
- dn_buffer[i++] = tmp;
- }
- dn_buffer[i++] = zname;
- dn_buffer[i++] = hnamebuff;
+ char *hname=0L, *last=0L;
+ int hlen=strlen(hostname), zlen=(strlen(zone));
+
+/* printf("hostname: %s zone: %s\n",hostname, zone); */
+ hname=0L;
+ if(flags == DNS_OBJECT)
+ {
+ if( (zone[ zlen - 1 ] == '.') && (hostname[hlen - 1] != '.') )
+ {
+ hname=(char*)malloc(hlen + 1);
+ hlen += 1;
+ sprintf(hname, "%s.", hostname);
+ hostname = hname;
+ }
+ if(strcmp(hostname, zone) == 0)
+ {
+ if( hname == 0 )
+ hname=strdup(hostname);
+ last = strdup(sameZone);
+ }else
+ {
+ if( (hlen < zlen)
+ ||( strcmp( hostname + (hlen - zlen), zone ) != 0)
+ )
+ {
+ if( hname != 0 )
+ free(hname);
+ hname=(char*)malloc( hlen + zlen + 1);
+ if( *zone == '.' )
+ sprintf(hname, "%s%s", hostname, zone);
+ else
+ sprintf(hname,"%s",zone);
+ }else
+ {
+ if( hname == 0 )
+ hname = strdup(hostname);
+ }
+ last = hname;
+ }
+ }else
+ { /* flags == DNS_TOP */
+ hname = strdup(zone);
+ last = hname;
+ }
+
+ for (tmp = strrchr (hname, '.'); tmp != (char *) 0;
+ tmp = strrchr (hname, '.'))
+ {
+ if( *( tmp + 1 ) != '\0' )
+ {
+ *tmp = '\0';
+ dn_buffer[i++] = ++tmp;
+ }else
+ { /* trailing '.' ! */
+ dn_buffer[i++] = strdup(".");
+ *tmp = '\0';
+ if( tmp == hname )
+ break;
+ }
+ }
+ if( ( last != hname ) && (tmp != hname) )
+ dn_buffer[i++] = hname;
+ dn_buffer[i++] = last;
dn_buffer[i] = NULL;
return dn_buffer;
@@ -680,30 +775,38 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
* exception of "@"/SOA. */
char *
-build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag)
+build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag, char *zone)
{
int size;
- int x;
- static char dn[1024];
- char tmp[128];
+ int x, znlen;
+ static char dn[DNS_NAME_MAXTEXT*3/2];
+ char tmp[DNS_NAME_MAXTEXT*3/2];
+ char zn[DNS_NAME_MAXTEXT+1];
bzero (tmp, sizeof (tmp));
bzero (dn, sizeof (dn));
size = get_attr_list_size (dc_list);
+ znlen = strlen(zone);
+ if ( zone[znlen-1] == '.' )
+ { /* ldapdb MUST search by relative zone name */
+ memcpy(&(zn[0]),zone,znlen-1);
+ zn[znlen-1]='\0';
+ zone = zn;
+ }
for (x = size - 2; x > 0; x--)
{
if (flag == WI_SPEC)
{
if (x == (size - 2) && (strncmp (dc_list[x], "@", 1) == 0) && (ttl))
- sprintf (tmp, "relativeDomainName=%s + dNSTTL=%u,", dc_list[x], ttl);
+ snprintf (tmp, sizeof(tmp), "zoneName=%s + relativeDomainName=%s,", zone, dc_list[x]);
else if (x == (size - 2))
- sprintf(tmp, "relativeDomainName=%s,",dc_list[x]);
+ snprintf(tmp, sizeof(tmp), "zoneName=%s + relativeDomainName=%s,", zone, dc_list[x]);
else
- sprintf(tmp,"dc=%s,", dc_list[x]);
+ snprintf(tmp, sizeof(tmp), "dc=%s,", dc_list[x]);
}
else
{
- sprintf(tmp, "dc=%s,", dc_list[x]);
+ snprintf(tmp, sizeof(tmp), "dc=%s,", dc_list[x]);
}
@@ -732,19 +835,18 @@ init_ldap_conn ()
}
result = ldap_simple_bind_s (conn, binddn, bindpw);
- ldap_result_check ("ldap_simple_bind_s", (char*)"LDAP Bind", result);
+ ldap_result_check ("ldap_simple_bind_s", "LDAP Bind", result);
}
/* Like isc_result_check, only for LDAP */
void
-ldap_result_check (const char *msg, char *dn, int err)
+ldap_result_check (const char *msg, const char *dn, int err)
{
if ((err != LDAP_SUCCESS) && (err != LDAP_ALREADY_EXISTS))
{
- fprintf(stderr, "Error while adding %s (%s):\n",
- dn, msg);
- ldap_perror (conn, dn);
- ldap_unbind_s (conn);
+ fprintf(stderr, "Error while adding %s (%s):\n%s",
+ dn, msg, ldap_err2string(err));
+ ldap_unbind_ext_s (conn, NULL, NULL);
exit (-1);
}
}
@@ -758,16 +860,15 @@ add_ldap_values (ldap_info * ldinfo)
int result;
char dnbuffer[1024];
-
if (ldapbase != NULL)
sprintf (dnbuffer, "%s,%s", ldinfo->dn, ldapbase);
else
sprintf (dnbuffer, "%s", ldinfo->dn);
result = ldap_add_s (conn, dnbuffer, ldinfo->attrs);
- ldap_result_check ("ldap_add_s", dnbuffer, result);
-}
+ ldap_result_check ("ldap_add_s", dnbuffer, result);
+}
@@ -776,5 +877,5 @@ void
usage ()
{
fprintf (stderr,
- "zone2ldap -D [BIND DN] -w [BIND PASSWORD] -b [BASE DN] -z [ZONE] -f [ZONE FILE] -h [LDAP HOST] "
+ "zone2ldap -D [BIND DN] [-w BIND PASSWORD | -W:prompt] -b [BASE DN] -z [ZONE] -f [ZONE FILE] -h [LDAP HOST] "
"[-c Create LDAP Base structure][-d Debug Output (lots !)] \n ");}

230
bind-9.3.2b2-sdbsrc.patch
View File

@ -1,230 +0,0 @@
diff --git a/contrib/sdb/bdb/bdb.c b/contrib/sdb/bdb/bdb.c
index 23594bb..b3c6619 100644
--- a/contrib/sdb/bdb/bdb.c
+++ b/contrib/sdb/bdb/bdb.c
@@ -43,7 +43,7 @@
#include <dns/lib.h>
#include <dns/ttl.h>
-#include <named/bdb.h>
+#include "bdb.h"
#include <named/globals.h>
#include <named/config.h>
diff --git a/contrib/sdb/ldap/zone2ldap.c b/contrib/sdb/ldap/zone2ldap.c
index 07c89bc..23dd873 100644
--- a/contrib/sdb/ldap/zone2ldap.c
+++ b/contrib/sdb/ldap/zone2ldap.c
@@ -63,16 +63,16 @@ typedef struct LDAP_INFO
ldap_info;
/* usage Info */
-void usage ();
+void usage (void);
/* Add to the ldap dit */
void add_ldap_values (ldap_info * ldinfo);
/* Init an ldap connection */
-void init_ldap_conn ();
+void init_ldap_conn (void);
/* Ldap error checking */
-void ldap_result_check (char *msg, char *dn, int err);
+void ldap_result_check (const char *msg, char *dn, int err);
/* Put a hostname into a char ** array */
char **hostname_to_dn_list (char *hostname, char *zone, unsigned int flags);
@@ -88,7 +88,7 @@ void add_to_rr_list (char *dn, char *name, char *type, char *data,
unsigned int ttl, unsigned int flags);
/* Error checking */
-void isc_result_check (isc_result_t res, char *errorstr);
+void isc_result_check (isc_result_t res, const char *errorstr);
/* Generate LDIF Format files */
void generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata,
@@ -97,11 +97,17 @@ void generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata,
/* head pointer to the list */
ldap_info *ldap_info_base = NULL;
+ldap_info *
+locate_by_dn (char *dn);
+void
+init_ldap_conn ();
+void usage();
+
char *argzone, *ldapbase, *binddn, *bindpw = NULL;
-char *ldapsystem = "localhost";
-static char *objectClasses[] =
+const char *ldapsystem = "localhost";
+static const char *objectClasses[] =
{ "top", "dNSZone", NULL };
-static char *topObjectClasses[] = { "top", NULL };
+static const char *topObjectClasses[] = { "top", NULL };
LDAP *conn;
unsigned int debug = 0;
@@ -128,7 +134,7 @@ main (int argc, char **argv)
LDAPMod *base_attrs[2];
LDAPMod base;
isc_buffer_t buff;
- char *zonefile;
+ char *zonefile=0L;
char fullbasedn[1024];
char *ctmp;
dns_fixedname_t fixedzone, fixedname;
@@ -304,9 +310,9 @@ main (int argc, char **argv)
if ((*ctmp == ',') || (ctmp == &basedn[0]))
{
base.mod_op = LDAP_MOD_ADD;
- base.mod_type = "objectClass";
- base.mod_values = topObjectClasses;
- base_attrs[0] = &base;
+ base.mod_type = (char*)"objectClass";
+ base.mod_values = (char**)topObjectClasses;
+ base_attrs[0] = (void*)&base;
base_attrs[1] = NULL;
if (ldapbase)
@@ -363,7 +369,7 @@ main (int argc, char **argv)
* I should probably rename this function, as not to cause any
* confusion with the isc* routines. Will exit on error. */
void
-isc_result_check (isc_result_t res, char *errorstr)
+isc_result_check (isc_result_t res, const char *errorstr)
{
if (res != ISC_R_SUCCESS)
{
@@ -470,20 +476,20 @@ add_to_rr_list (char *dn, char *name, char *type,
if (tmp->attrs == (LDAPMod **) NULL)
fatal("calloc");
- for (i = 0; i < flags; i++)
+ for (i = 0; i < (int)flags; i++)
{
tmp->attrs[i] = (LDAPMod *) malloc (sizeof (LDAPMod));
if (tmp->attrs[i] == (LDAPMod *) NULL)
fatal("malloc");
}
tmp->attrs[0]->mod_op = LDAP_MOD_ADD;
- tmp->attrs[0]->mod_type = "objectClass";
+ tmp->attrs[0]->mod_type = (char*)"objectClass";
if (flags == DNS_OBJECT)
- tmp->attrs[0]->mod_values = objectClasses;
+ tmp->attrs[0]->mod_values = (char**)objectClasses;
else
{
- tmp->attrs[0]->mod_values = topObjectClasses;
+ tmp->attrs[0]->mod_values = (char**)topObjectClasses;
tmp->attrs[1] = NULL;
tmp->attrcnt = 2;
tmp->next = ldap_info_base;
@@ -492,7 +498,7 @@ add_to_rr_list (char *dn, char *name, char *type,
}
tmp->attrs[1]->mod_op = LDAP_MOD_ADD;
- tmp->attrs[1]->mod_type = "relativeDomainName";
+ tmp->attrs[1]->mod_type = (char*)"relativeDomainName";
tmp->attrs[1]->mod_values = (char **) calloc (sizeof (char *), 2);
if (tmp->attrs[1]->mod_values == (char **)NULL)
@@ -521,7 +527,7 @@ add_to_rr_list (char *dn, char *name, char *type,
fatal("strdup");
tmp->attrs[3]->mod_op = LDAP_MOD_ADD;
- tmp->attrs[3]->mod_type = "dNSTTL";
+ tmp->attrs[3]->mod_type = (char*)"dNSTTL";
tmp->attrs[3]->mod_values = (char **) calloc (sizeof (char *), 2);
if (tmp->attrs[3]->mod_values == (char **)NULL)
@@ -535,7 +541,7 @@ add_to_rr_list (char *dn, char *name, char *type,
fatal("strdup");
tmp->attrs[4]->mod_op = LDAP_MOD_ADD;
- tmp->attrs[4]->mod_type = "zoneName";
+ tmp->attrs[4]->mod_type = (char*)"zoneName";
tmp->attrs[4]->mod_values = (char **)calloc(sizeof(char *), 2);
if (tmp->attrs[4]->mod_values == (char **)NULL)
@@ -648,7 +654,7 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
zname = ++tmp;
}
else
- hnamebuff = "@";
+ hnamebuff = (char*)"@";
}
else
{
@@ -727,12 +733,12 @@ init_ldap_conn ()
}
result = ldap_simple_bind_s (conn, binddn, bindpw);
- ldap_result_check ("ldap_simple_bind_s", "LDAP Bind", result);
+ ldap_result_check ("ldap_simple_bind_s", (char*)"LDAP Bind", result);
}
/* Like isc_result_check, only for LDAP */
void
-ldap_result_check (char *msg, char *dn, int err)
+ldap_result_check (const char *msg, char *dn, int err)
{
if ((err != LDAP_SUCCESS) && (err != LDAP_ALREADY_EXISTS))
{
diff --git a/contrib/sdb/pgsql/pgsqldb.c b/contrib/sdb/pgsql/pgsqldb.c
index 50d3cba..516eb9f 100644
--- a/contrib/sdb/pgsql/pgsqldb.c
+++ b/contrib/sdb/pgsql/pgsqldb.c
@@ -23,7 +23,7 @@
#include <string.h>
#include <stdlib.h>
-#include <pgsql/libpq-fe.h>
+#include <libpq-fe.h>
#include <isc/mem.h>
#include <isc/print.h>
diff --git a/contrib/sdb/pgsql/zonetodb.c b/contrib/sdb/pgsql/zonetodb.c
index b8f5912..ff2d135 100644
--- a/contrib/sdb/pgsql/zonetodb.c
+++ b/contrib/sdb/pgsql/zonetodb.c
@@ -37,7 +37,7 @@
#include <dns/rdatatype.h>
#include <dns/result.h>
-#include <pgsql/libpq-fe.h>
+#include <libpq-fe.h>
/*
* Generate a PostgreSQL table from a zone.
@@ -54,6 +54,9 @@ char *dbname, *dbtable;
char str[10240];
void
+closeandexit(int status);
+
+void
closeandexit(int status) {
if (conn != NULL)
PQfinish(conn);
@@ -61,6 +64,9 @@ closeandexit(int status) {
}
void
+check_result(isc_result_t result, const char *message);
+
+void
check_result(isc_result_t result, const char *message) {
if (result != ISC_R_SUCCESS) {
fprintf(stderr, "%s: %s\n", message,
@@ -84,7 +90,8 @@ quotestring(const unsigned char *source, unsigned char *dest) {
}
*dest++ = 0;
}
-
+void
+addrdata(dns_name_t *name, dns_ttl_t ttl, dns_rdata_t *rdata);
void
addrdata(dns_name_t *name, dns_ttl_t ttl, dns_rdata_t *rdata) {
unsigned char namearray[DNS_NAME_MAXTEXT + 1];

21
bind-9.5-PIE.patch
View File

@ -1,8 +1,10 @@
--- bind-9.5.0b2/bin/named/Makefile.in.pie 2008-02-11 17:21:47.000000000 +0100
+++ bind-9.5.0b2/bin/named/Makefile.in 2008-02-11 17:22:10.000000000 +0100
@@ -100,8 +100,12 @@ HTMLPAGES = named.html lwresd.html named
MANOBJS = ${MANPAGES} ${HTMLPAGES}
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
index eb622d1..37053a7 100644
--- a/bin/named/Makefile.in
+++ b/bin/named/Makefile.in
@@ -117,8 +117,12 @@ SRCS = builtin.c config.c control.c \
tkeyconf.c tsigconf.c zoneconf.c \
${DLZDRIVER_SRCS} ${DBDRIVER_SRCS}
+EXT_CFLAGS = -fpie
+
@ -13,10 +15,11 @@
main.@O@: main.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-DVERSION=\"${VERSION}\" \
diff -up bind-9.5.0b2/bin/named/unix/Makefile.in.pie bind-9.5.0b2/bin/named/unix/Makefile.in
--- bind-9.5.0b2/bin/named/unix/Makefile.in.pie 2008-02-11 17:22:21.000000000 +0100
+++ bind-9.5.0b2/bin/named/unix/Makefile.in 2008-02-11 17:23:00.000000000 +0100
@@ -19,6 +19,8 @@ srcdir = @srcdir@
diff --git a/bin/named/unix/Makefile.in b/bin/named/unix/Makefile.in
index fd9ca8d..f1c102c 100644
--- a/bin/named/unix/Makefile.in
+++ b/bin/named/unix/Makefile.in
@@ -11,6 +11,8 @@ srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@

54
bind-9.9.1-P2-multlib-conflict.patch
View File

@ -1,54 +0,0 @@
diff --git a/config.h.in b/config.h.in
index 4ecaa8f..2f65ccc 100644
--- a/config.h.in
+++ b/config.h.in
@@ -600,7 +600,7 @@ int sigwait(const unsigned int *set, int *sig);
#undef PREFER_GOSTASN1
/* The size of `void *', as computed by sizeof. */
-#undef SIZEOF_VOID_P
+/* #undef SIZEOF_VOID_P */
/* Define to 1 if you have the ANSI C header files. */
#undef STDC_HEADERS
diff --git a/isc-config.sh.in b/isc-config.sh.in
index a8a0a89..b5e94ed 100644
--- a/isc-config.sh.in
+++ b/isc-config.sh.in
@@ -13,7 +13,18 @@ prefix=@prefix@
exec_prefix=@exec_prefix@
exec_prefix_set=
includedir=@includedir@
-libdir=@libdir@
+arch=$(uname -m)
+
+case $arch in
+ x86_64 | amd64 | sparc64 | s390x | ppc64)
+ libdir=/usr/lib64
+ sec_libdir=/usr/lib
+ ;;
+ * )
+ libdir=/usr/lib
+ sec_libdir=/usr/lib64
+ ;;
+esac
usage()
{
@@ -132,6 +143,16 @@ if test x"$echo_libs" = x"true"; then
if test x"${exec_prefix_set}" = x"true"; then
libs="-L${exec_prefix}/lib"
else
+ if [ ! -x $libdir/libisc.so ] ; then
+ if [ ! -x $sec_libdir/libisc.so ] ; then
+ echo "Error: ISC libs not found in $libdir"
+ if [ -d $sec_libdir ] ; then
+ echo "Error: ISC libs not found in $sec_libdir"
+ fi
+ exit 1
+ fi
+ libdir=$sec_libdir
+ fi
libs="-L${libdir}"
fi
if test x"$libirs" = x"true" ; then

42
bind-95-rh452060.patch
View File

@ -1,42 +0,0 @@
diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
index aa5315d..1fa711a 100644
--- a/bin/dig/dighost.c
+++ b/bin/dig/dighost.c
@@ -1814,6 +1814,13 @@ clear_query(dig_query_t *query) {
if (query->timer != NULL)
isc_timer_detach(&query->timer);
+
+ if (query->waiting_senddone) {
+ debug("send_done not yet called");
+ query->pending_free = true;
+ return;
+ }
+
lookup = query->lookup;
if (lookup->current_query == query)
@@ -1839,10 +1846,7 @@ clear_query(dig_query_t *query) {
isc_mempool_put(commctx, query->recvspace);
isc_buffer_invalidate(&query->recvbuf);
isc_buffer_invalidate(&query->lengthbuf);
- if (query->waiting_senddone)
- query->pending_free = true;
- else
- isc_mem_free(mctx, query);
+ isc_mem_free(mctx, query);
}
/*%
@@ -2892,9 +2896,9 @@ send_done(isc_task_t *_task, isc_event_t *event) {
isc_event_free(&event);
if (query->pending_free)
- isc_mem_free(mctx, query);
+ clear_query(query);
- check_if_done();
+ check_next_lookup(l);
UNLOCK_LOOKUP;
}

23
bind-96-old-api.patch
View File

@ -1,23 +0,0 @@
diff -up bind-9.6.0b1/contrib/sdb/ldap/ldapdb.c.old-api bind-9.6.0b1/contrib/sdb/ldap/ldapdb.c
--- bind-9.6.0b1/contrib/sdb/ldap/ldapdb.c.old-api 2008-11-24 13:28:13.000000000 +0100
+++ bind-9.6.0b1/contrib/sdb/ldap/ldapdb.c 2008-11-24 13:28:23.000000000 +0100
@@ -25,6 +25,7 @@
/* Using LDAPv3 by default, change this if you want v2 */
#ifndef LDAPDB_LDAP_VERSION
#define LDAPDB_LDAP_VERSION 3
+#define LDAP_DEPRECATED 1
#endif
#include <config.h>
diff -up bind-9.6.0b1/contrib/sdb/ldap/zone2ldap.c.old-api bind-9.6.0b1/contrib/sdb/ldap/zone2ldap.c
--- bind-9.6.0b1/contrib/sdb/ldap/zone2ldap.c.old-api 2008-11-24 13:29:05.000000000 +0100
+++ bind-9.6.0b1/contrib/sdb/ldap/zone2ldap.c 2008-11-24 13:29:14.000000000 +0100
@@ -13,6 +13,8 @@
* ditched dNSDomain2 schema support. Version 0.3-ALPHA
*/
+#define LDAP_DEPRECATED 1
+
#include <errno.h>
#include <string.h>
#include <stdlib.h>

1742
bind.spec
View File

File diff suppressed because it is too large Load Diff

4
bind.yaml
View File

@ -1,4 +0,0 @@
version_control: git
src_repo: https://gitlab.isc.org/isc-projects/bind9.git
tag_prefix: bind9-
seperator: _

83
bind93-rh490837.patch
View File

@ -1,81 +1,34 @@
diff --git a/lib/isc/include/isc/stdio.h b/lib/isc/include/isc/stdio.h
index 1f44b5a..a3625f9 100644
--- a/lib/isc/include/isc/stdio.h
+++ b/lib/isc/include/isc/stdio.h
@@ -69,6 +69,9 @@ isc_stdio_sync(FILE *f);
* direct counterpart in the stdio library.
*/
+isc_result_t
+isc_stdio_fgetc(FILE *f, int *ret);
+
ISC_LANG_ENDDECLS
#endif /* ISC_STDIO_H */
diff --git a/lib/isc/lex.c b/lib/isc/lex.c
index a8955bc..fc6103b 100644
index cd44fe3..5b7c539 100644
--- a/lib/isc/lex.c
+++ b/lib/isc/lex.c
@@ -434,17 +434,14 @@ isc_lex_gettoken(isc_lex_t *lex, unsigned int options, isc_token_t *tokenp) {
if (source->is_file) {
stream = source->input;
@@ -27,6 +27,8 @@
#include <isc/string.h>
#include <isc/util.h>
-#if defined(HAVE_FLOCKFILE) && defined(HAVE_GETCUNLOCKED)
- c = getc_unlocked(stream);
-#else
- c = getc(stream);
-#endif
- if (c == EOF) {
- if (ferror(stream)) {
- source->result = ISC_R_IOERROR;
- result = source->result;
+ result = isc_stdio_fgetc(stream, &c);
+#include "../errno2result.h"
+
+ if (result != ISC_R_SUCCESS) {
+ if (result != ISC_R_EOF) {
+ source->result = result;
typedef struct inputsource {
isc_result_t result;
bool is_file;
@@ -422,7 +424,7 @@ isc_lex_gettoken(isc_lex_t *lex, unsigned int options, isc_token_t *tokenp) {
#endif /* if defined(HAVE_FLOCKFILE) && defined(HAVE_GETC_UNLOCKED) */
if (c == EOF) {
if (ferror(stream)) {
- source->result = ISC_R_IOERROR;
+ source->result = isc__errno2result(errno);
result = source->result;
goto done;
}
+
source->at_eof = true;
}
} else {
diff --git a/lib/isc/unix/errno2result.c b/lib/isc/unix/errno2result.c
index 2f12bcc..5bfd648 100644
index e3e2644..5e58600 100644
--- a/lib/isc/unix/errno2result.c
+++ b/lib/isc/unix/errno2result.c
@@ -40,6 +40,7 @@ isc___errno2result(int posixerrno, bool dolog,
case EINVAL: /* XXX sometimes this is not for files */
@@ -37,6 +37,7 @@ isc___errno2result(int posixerrno, bool dolog, const char *file,
case EINVAL: /* XXX sometimes this is not for files */
case ENAMETOOLONG:
case EBADF:
+ case EISDIR:
return (ISC_R_INVALIDFILE);
case ENOENT:
return (ISC_R_FILENOTFOUND);
diff --git a/lib/isc/unix/stdio.c b/lib/isc/unix/stdio.c
index e60fa65..77f0b13 100644
--- a/lib/isc/unix/stdio.c
+++ b/lib/isc/unix/stdio.c
@@ -149,3 +149,22 @@ isc_stdio_sync(FILE *f) {
return (isc__errno2result(errno));
}
+isc_result_t
+isc_stdio_fgetc(FILE *f, int *ret) {
+ int r;
+ isc_result_t result = ISC_R_SUCCESS;
+
+#if defined(HAVE_FLOCKFILE) && defined(HAVE_GETCUNLOCKED)
+ r = fgetc_unlocked(f);
+#else
+ r = fgets(f);
+#endif
+
+ if (r == EOF)
+ result = ferror(f) ? isc__errno2result(errno) : ISC_R_EOF;
+
+ *ret = r;
+
+ return result;
+}
+

226
bind97-exportlib.patch Normal file
View File

@ -0,0 +1,226 @@
diff -up bind-9.9.3rc2/isc-config.sh.in.exportlib bind-9.9.3rc2/isc-config.sh.in
diff -up bind-9.9.3rc2/lib/export/dns/Makefile.in.exportlib bind-9.9.3rc2/lib/export/dns/Makefile.in
--- bind-9.9.3rc2/lib/export/dns/Makefile.in.exportlib 2013-04-30 08:38:46.000000000 +0200
+++ bind-9.9.3rc2/lib/export/dns/Makefile.in 2013-05-13 10:45:22.574089729 +0200
@@ -35,9 +35,9 @@ CDEFINES = -DUSE_MD5 @USE_OPENSSL@ @USE_
CWARNINGS =
-ISCLIBS = ../isc/libisc.@A@
+ISCLIBS = ../isc/libisc-export.@A@
-ISCDEPLIBS = ../isc/libisc.@A@
+ISCDEPLIBS = ../isc/libisc-export.@A@
LIBS = @LIBS@
@@ -116,29 +116,29 @@ version.@O@: ${srcdir}/version.c
-DLIBAGE=${LIBAGE} \
-c ${srcdir}/version.c
-libdns.@SA@: ${OBJS}
+libdns-export.@SA@: ${OBJS}
${AR} ${ARFLAGS} $@ ${OBJS}
${RANLIB} $@
-libdns.la: ${OBJS}
+libdns-export.la: ${OBJS}
${LIBTOOL_MODE_LINK} \
- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns.la \
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns-export.la \
-rpath ${export_libdir} \
-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
${OBJS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${LIBS}
-timestamp: libdns.@A@
+timestamp: libdns-export.@A@
touch timestamp
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_libdir}
install:: timestamp installdirs
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libdns.@A@ \
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libdns-export.@A@ \
${DESTDIR}${export_libdir}/
clean distclean::
- rm -f libdns.@A@ timestamp
+ rm -f libdns-export.@A@ timestamp
rm -f gen code.h include/dns/enumtype.h include/dns/enumclass.h
rm -f include/dns/rdatastruct.h
diff -up bind-9.9.3rc2/lib/export/irs/Makefile.in.exportlib bind-9.9.3rc2/lib/export/irs/Makefile.in
--- bind-9.9.3rc2/lib/export/irs/Makefile.in.exportlib 2013-04-30 08:38:46.000000000 +0200
+++ bind-9.9.3rc2/lib/export/irs/Makefile.in 2013-05-13 10:45:22.575089729 +0200
@@ -43,9 +43,9 @@ SRCS = context.c \
gai_sterror.c getaddrinfo.c getnameinfo.c \
resconf.c
-ISCLIBS = ../isc/libisc.@A@
-DNSLIBS = ../dns/libdns.@A@
-ISCCFGLIBS = ../isccfg/libisccfg.@A@
+ISCLIBS = ../isc/libisc-export.@A@
+DNSLIBS = ../dns/libdns-export.@A@
+ISCCFGLIBS = ../isccfg/libisccfg-export.@A@
LIBS = @LIBS@
@@ -62,26 +62,26 @@ version.@O@: ${srcdir}/version.c
-DLIBAGE=${LIBAGE} \
-c ${srcdir}/version.c
-libirs.@SA@: ${OBJS} version.@O@
+libirs-export.@SA@: ${OBJS} version.@O@
${AR} ${ARFLAGS} $@ ${OBJS} version.@O@
${RANLIB} $@
-libirs.la: ${OBJS} version.@O@
+libirs-export.la: ${OBJS} version.@O@
${LIBTOOL_MODE_LINK} \
- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libirs.la \
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libirs-export.la \
-rpath ${export_libdir} \
-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
${OBJS} version.@O@ ${LIBS} ${ISCCFGLIBS} ${DNSLIBS} ${ISCLIBS}
-timestamp: libirs.@A@
+timestamp: libirs-export.@A@
touch timestamp
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_libdir}
install:: timestamp installdirs
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libirs.@A@ \
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libirs-export.@A@ \
${DESTDIR}${export_libdir}/
clean distclean::
- rm -f libirs.@A@ libirs.la timestamp
+ rm -f libirs-export.@A@ libirs-export.la timestamp
diff -up bind-9.9.3rc2/lib/export/isccfg/Makefile.in.exportlib bind-9.9.3rc2/lib/export/isccfg/Makefile.in
--- bind-9.9.3rc2/lib/export/isccfg/Makefile.in.exportlib 2013-04-30 08:38:46.000000000 +0200
+++ bind-9.9.3rc2/lib/export/isccfg/Makefile.in 2013-05-13 10:45:22.576089729 +0200
@@ -30,11 +30,11 @@ CINCLUDES = -I. ${DNS_INCLUDES} -I${expo
CDEFINES =
CWARNINGS =
-ISCLIBS = ../isc/libisc.@A@
-DNSLIBS = ../dns/libdns.@A@ @DNS_CRYPTO_LIBS@
+ISCLIBS = ../isc/libisc-export.@A@
+DNSLIBS = ../dns/libdns-export.@A@ @DNS_CRYPTO_LIBS@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
-ISCCFGDEPLIBS = libisccfg.@A@
+ISCCFGDEPLIBS = libisccfg-export.@A@
LIBS = @LIBS@
@@ -58,26 +58,26 @@ version.@O@: ${srcdir}/version.c
-DLIBAGE=${LIBAGE} \
-c ${srcdir}/version.c
-libisccfg.@SA@: ${OBJS}
+libisccfg-export.@SA@: ${OBJS}
${AR} ${ARFLAGS} $@ ${OBJS}
${RANLIB} $@
-libisccfg.la: ${OBJS}
+libisccfg-export.la: ${OBJS}
${LIBTOOL_MODE_LINK} \
- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisccfg.la \
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisccfg-export.la \
-rpath ${export_libdir} \
-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
${OBJS} ${LIBS} ${DNSLIBS} ${ISCLIBS}
-timestamp: libisccfg.@A@
+timestamp: libisccfg-export.@A@
touch timestamp
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_libdir}
install:: timestamp installdirs
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libisccfg.@A@ \
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libisccfg-export.@A@ \
${DESTDIR}${export_libdir}/
clean distclean::
- rm -f libisccfg.@A@ timestamp
+ rm -f libisccfg-export.@A@ timestamp
diff -up bind-9.9.3rc2/lib/export/isc/Makefile.in.exportlib bind-9.9.3rc2/lib/export/isc/Makefile.in
--- bind-9.9.3rc2/lib/export/isc/Makefile.in.exportlib 2013-04-30 08:38:46.000000000 +0200
+++ bind-9.9.3rc2/lib/export/isc/Makefile.in 2013-05-13 10:45:22.576089729 +0200
@@ -100,6 +100,10 @@ SRCS = @ISC_EXTRA_SRCS@ \
LIBS = @LIBS@
+# Note: the order of SUBDIRS is important.
+# Attempt to disable parallel processing.
+.NOTPARALLEL:
+.NO_PARALLEL:
SUBDIRS = include unix nls @ISC_THREAD_DIR@
TARGETS = timestamp
@@ -113,26 +117,26 @@ version.@O@: ${srcdir}/version.c
-DLIBAGE=${LIBAGE} \
-c ${srcdir}/version.c
-libisc.@SA@: ${OBJS}
+libisc-export.@SA@: ${OBJS}
${AR} ${ARFLAGS} $@ ${OBJS}
${RANLIB} $@
-libisc.la: ${OBJS}
+libisc-export.la: ${OBJS}
${LIBTOOL_MODE_LINK} \
- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc.la \
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc-export.la \
-rpath ${export_libdir} \
-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
${OBJS} ${LIBS}
-timestamp: libisc.@A@
+timestamp: libisc-export.@A@
touch timestamp
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_libdir}
install:: timestamp installdirs
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libisc.@A@ \
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libisc-export.@A@ \
${DESTDIR}${export_libdir}
clean distclean::
- rm -f libisc.@A@ libisc.la timestamp
+ rm -f libisc-export.@A@ libisc-export.la timestamp
diff -up bind-9.9.3rc2/lib/export/samples/Makefile.in.exportlib bind-9.9.3rc2/lib/export/samples/Makefile.in
--- bind-9.9.3rc2/lib/export/samples/Makefile.in.exportlib 2013-04-30 08:38:46.000000000 +0200
+++ bind-9.9.3rc2/lib/export/samples/Makefile.in 2013-05-13 10:45:22.577089729 +0200
@@ -31,15 +31,15 @@ CINCLUDES = -I${srcdir}/include -I../dns
CDEFINES =
CWARNINGS =
-DNSLIBS = ../dns/libdns.@A@ @DNS_CRYPTO_LIBS@
-ISCLIBS = ../isc/libisc.@A@
-ISCCFGLIBS = ../isccfg/libisccfg.@A@
-IRSLIBS = ../irs/libirs.@A@
+DNSLIBS = ../dns/libdns-export.@A@ @DNS_CRYPTO_LIBS@
+ISCLIBS = ../isc/libisc-export.@A@
+ISCCFGLIBS = ../isccfg/libisccfg-export.@A@
+IRSLIBS = ../irs/libirs-export.@A@
-DNSDEPLIBS = ../dns/libdns.@A@
-ISCDEPLIBS = ../isc/libisc.@A@
-ISCCFGDEPLIBS = ../isccfg/libisccfg.@A@
-IRSDEPLIBS = ../irs/libirs.@A@
+DNSDEPLIBS = ../dns/libdns-export.@A@
+ISCDEPLIBS = ../isc/libisc-export.@A@
+ISCCFGDEPLIBS = ../isccfg/libisccfg-export.@A@
+IRSDEPLIBS = ../irs/libirs-export.@A@
DEPLIBS = ${DNSDEPLIBS} ${ISCCFGDEPLIBS} ${ISCDEPLIBS}

51
bind97-rh478718.patch
View File

@ -1,51 +0,0 @@
diff --git a/configure.ac b/configure.ac
index 26c509e..c1bfd62 100644
--- a/configure.ac
+++ b/configure.ac
@@ -4152,6 +4152,10 @@ if test "yes" = "$use_atomic"; then
AC_MSG_RESULT($arch)
fi
+if test ! "$arch" = "x86_64" -a "$have_xaddq" = "yes"; then
+ AC_MSG_ERROR([XADDQ present but disabled by Fedora patch!])
+fi
+
if test "yes" = "$have_atomic"; then
AC_MSG_CHECKING([compiler support for inline assembly code])
diff --git a/lib/isc/include/isc/platform.h.in b/lib/isc/include/isc/platform.h.in
index c902d46..9c7c342 100644
--- a/lib/isc/include/isc/platform.h.in
+++ b/lib/isc/include/isc/platform.h.in
@@ -284,19 +284,25 @@
* If the "xaddq" operation (64bit xadd) is available on this architecture,
* ISC_PLATFORM_HAVEXADDQ will be defined.
*/
-@ISC_PLATFORM_HAVEXADDQ@
/*
- * If the 32-bit "atomic swap" operation is available on this
- * architecture, ISC_PLATFORM_HAVEATOMICSTORE" will be defined.
+ * If the 64-bit "atomic swap" operation is available on this
+ * architecture, ISC_PLATFORM_HAVEATOMICSTOREQ" will be defined.
*/
-@ISC_PLATFORM_HAVEATOMICSTORE@
+
+#ifdef __x86_64__
+#define ISC_PLATFORM_HAVEXADDQ 1
+#define ISC_PLATFORM_HAVEATOMICSTOREQ 1
+#else
+#undef ISC_PLATFORM_HAVEXADDQ
+#undef ISC_PLATFORM_HAVEATOMICSTOREQ
+#endif
/*
- * If the 64-bit "atomic swap" operation is available on this
+ * If the 32-bit "atomic swap" operation is available on this
* architecture, ISC_PLATFORM_HAVEATOMICSTORE" will be defined.
*/
-@ISC_PLATFORM_HAVEATOMICSTOREQ@
+@ISC_PLATFORM_HAVEATOMICSTORE@
/*
* If the "compare-and-exchange" operation is available on this architecture,

22
bind97-rh645544.patch
View File

@ -1,31 +1,31 @@
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index ecb3ddb..f7f73cd 100644
index 31549c6..65a14b6 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -1456,7 +1456,7 @@ log_edns(fetchctx_t *fctx) {
@@ -1762,7 +1762,7 @@ log_edns(fetchctx_t *fctx) {
*/
dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
isc_log_write(dns_lctx, DNS_LOGCATEGORY_EDNS_DISABLED,
- DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
+ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(1),
"success resolving '%s' (in '%s'?) after %s",
fctx->info, domainbuf, fctx->reason);
@@ -4667,7 +4667,7 @@ log_lame(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo) {
"success resolving '%s' (in '%s'?) after %s", fctx->info,
domainbuf, fctx->reason);
}
@@ -5298,7 +5298,7 @@ log_lame(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo) {
dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
isc_sockaddr_format(&addrinfo->sockaddr, addrbuf, sizeof(addrbuf));
isc_log_write(dns_lctx, DNS_LOGCATEGORY_LAME_SERVERS,
- DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
+ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(1),
"lame server resolving '%s' (in '%s'?): %s",
namebuf, domainbuf, addrbuf);
"lame server resolving '%s' (in '%s'?): %s", namebuf,
domainbuf, addrbuf);
}
@@ -4685,7 +4685,7 @@ log_formerr(fetchctx_t *fctx, const char *format, ...) {
@@ -5316,7 +5316,7 @@ log_formerr(fetchctx_t *fctx, const char *format, ...) {
isc_sockaddr_format(&fctx->addrinfo->sockaddr, nsbuf, sizeof(nsbuf));
isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
- DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
+ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(1),
"DNS format error from %s resolving %s for %s: %s",
nsbuf, fctx->info, fctx->clientstr, msgbuf);
"DNS format error from %s resolving %s for %s: %s", nsbuf,
fctx->info, fctx->clientstr, msgbuf);
}

14
bind97-rh669163.patch
View File

@ -1,14 +0,0 @@
diff -up bind-9.7.2-P3/lib/lwres/lwconfig.c.rh669163 bind-9.7.2-P3/lib/lwres/lwconfig.c
--- bind-9.7.2-P3/lib/lwres/lwconfig.c.rh669163 2011-01-28 14:48:38.934472578 +0100
+++ bind-9.7.2-P3/lib/lwres/lwconfig.c 2011-01-28 14:49:50.421326035 +0100
@@ -612,6 +612,10 @@ lwres_conf_parse(lwres_context_t *ctx, c
break;
}
+ /* Ignore options with no parameters */
+ if (stopchar == '\n')
+ continue;
+
if (strlen(word) == 0U)
rval = LWRES_R_SUCCESS;
else if (strcmp(word, "nameserver") == 0)

44
bind99-rh640538.patch
View File

@ -1,44 +0,0 @@
diff --git a/bin/dig/dig.docbook b/bin/dig/dig.docbook
index 1079421..f11abd1 100644
--- a/bin/dig/dig.docbook
+++ b/bin/dig/dig.docbook
@@ -1177,6 +1177,39 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
</para>
</refsection>
+ <refsection><info><title>RETURN CODES</title></info>
+ <para>
+ <command>Dig</command> return codes are:
+ <variablelist>
+ <varlistentry>
+ <listitem>
+ <para>0: Everything went well, including things like NXDOMAIN</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <listitem>
+ <para>1: Usage error</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <listitem>
+ <para>8: Couldn't open batch file</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <listitem>
+ <para>9: No reply from server</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <listitem>
+ <para>10: Internal error</para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </para>
+ </refsection>
+
<refsection><info><title>FILES</title></info>
<para><filename>/etc/resolv.conf</filename>

107
bugfix-named-log-time.patch
View File

@ -1,107 +0,0 @@
diff -upNr b/lib/isc/include/isc/util.h a/lib/isc/include/isc/util.h
--- b/lib/isc/include/isc/util.h 2019-07-30 19:52:09.600000000 +0800
+++ a/lib/isc/include/isc/util.h 2019-07-30 21:39:03.400000000 +0800
@@ -233,6 +233,7 @@
* Time
*/
#define TIME_NOW(tp) RUNTIME_CHECK(isc_time_now((tp)) == ISC_R_SUCCESS)
+#define TIME_REAL_NOW(tp) RUNTIME_CHECK(isc_time_real_now((tp)) == ISC_R_SUCCESS)
#ifdef CLOCK_BOOTTIME
#define TIME_MONOTONIC(tp) RUNTIME_CHECK(isc_time_boottime((tp)) == ISC_R_SUCCESS)
#endif
diff -upNr b/lib/isc/log.c a/lib/isc/log.c
--- b/lib/isc/log.c 2019-07-30 19:52:09.610000000 +0800
+++ a/lib/isc/log.c 2019-07-30 21:39:03.410000000 +0800
@@ -1498,7 +1498,7 @@ isc_log_doit(isc_log_t *lctx, isc_logcat
time_string[0] == '\0') {
isc_time_t isctime;
- TIME_NOW(&isctime);
+ TIME_REAL_NOW(&isctime);
isc_time_formattimestamp(&isctime, time_string,
sizeof(time_string));
}
@@ -1545,7 +1545,7 @@ isc_log_doit(isc_log_t *lctx, isc_logcat
* which fall within the duplicate_interval
* range.
*/
- TIME_NOW(&oldest);
+ TIME_REAL_NOW(&oldest);
if (isc_time_subtract(&oldest, &interval,
&oldest)
!= ISC_R_SUCCESS)
@@ -1622,7 +1622,7 @@ isc_log_doit(isc_log_t *lctx, isc_logcat
strlcpy(message->text, lctx->buffer,
size);
- TIME_NOW(&message->time);
+ TIME_REAL_NOW(&message->time);
ISC_LINK_INIT(message, link);
ISC_LIST_APPEND(lctx->messages,
diff -upNr b/lib/isc/unix/include/isc/time.h a/lib/isc/unix/include/isc/time.h
--- b/lib/isc/unix/include/isc/time.h 2019-07-30 19:52:09.600000000 +0800
+++ a/lib/isc/unix/include/isc/time.h 2019-07-30 21:39:03.400000000 +0800
@@ -149,6 +149,8 @@ isc_time_now(isc_time_t *t);
*/
isc_result_t
+isc_time_real_now(isc_time_t *t);
+isc_result_t
isc_time_nowplusinterval(isc_time_t *t, const isc_interval_t *i);
/*%<
* Set *t to the current absolute time + i.
diff -upNr b/lib/isc/unix/time.c a/lib/isc/unix/time.c
--- b/lib/isc/unix/time.c 2019-07-30 19:52:09.600000000 +0800
+++ a/lib/isc/unix/time.c 2019-07-30 21:39:03.400000000 +0800
@@ -105,6 +129,50 @@ isc_time_isepoch(const isc_time_t *t) {
isc_result_t
+isc_time_real_now(isc_time_t *t) {
+ struct timeval tv;
+ char strbuf[ISC_STRERRORSIZE];
+
+ REQUIRE(t != NULL);
+
+ if (gettimeofday(&tv, NULL) == -1) {
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ UNEXPECTED_ERROR(__FILE__, __LINE__, "%s", strbuf);
+ return (ISC_R_UNEXPECTED);
+ }
+
+ /*
+ * Does POSIX guarantee the signedness of tv_sec and tv_usec? If not,
+ * then this test will generate warnings for platforms on which it is
+ * unsigned. In any event, the chances of any of these problems
+ * happening are pretty much zero, but since the libisc library ensures
+ * certain things to be true ...
+ */
+#if ISC_FIX_TV_USEC
+ fix_tv_usec(&tv);
+ if (tv.tv_sec < 0)
+ return (ISC_R_UNEXPECTED);
+#else
+ if (tv.tv_sec < 0 || tv.tv_usec < 0 || tv.tv_usec >= US_PER_S)
+ return (ISC_R_UNEXPECTED);
+#endif
+
+ /*
+ * Ensure the tv_sec value fits in t->seconds.
+ */
+ if (sizeof(tv.tv_sec) > sizeof(t->seconds) &&
+ ((tv.tv_sec | (unsigned int)-1) ^ (unsigned int)-1) != 0U)
+ return (ISC_R_RANGE);
+
+ t->seconds = tv.tv_sec;
+ t->nanoseconds = tv.tv_usec * NS_PER_US;
+
+ return (ISC_R_SUCCESS);
+}
+
+
+
+isc_result_t
isc_time_now(isc_time_t *t) {
struct timeval tv;
char strbuf[ISC_STRERRORSIZE];

19
bugfix-nslookup-norec.patch
View File

@ -1,19 +0,0 @@
diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
--- a/bin/dig/dighost.c.orig 2011-03-11 07:46:58.000000000 +0100
+++ b/bin/dig/dighost.c 2011-10-28 14:31:29.806591603 +0200
@@ -3291,8 +3291,13 @@
} else {
if (!l->ns_search_only) {
fputs(l->cmdline, stdout);
- printf(";; connection timed out; no servers could be "
- "reached\n");
+ if (!next_origin(ISC_LIST_HEAD(l->q))) {
+ printf(";; connection timed out; no servers could be "
+ "reached\n");
+ } else {
+ printf(";; connection timed out; trying next "
+ "origin\n");
+ }
}
cancel_lookup(l);
check_next_lookup(l);

534
codesign2021.txt Normal file
View File

@ -0,0 +1,534 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBFwq9BQBEADHjPDCwsHVtxnMNilgu187W8a9rYTMLgLfQwioSbjsF7dUJu8m
r1w2stcsatRs7HBk/j26RNJagY2Jt0QufOQLlTePpTl6UPU8EeiJ8c15DNf45TMk
pa/3MdIVpDnBioyD1JNqsI4z+yCYZ7p/TRVCyh5vCcwmt5pdKjKMTcu7aD2PtTtI
yhTIetJavy1HQmgOl4/t/nKL7Lll2xtZ56JFUt7epo0h69fiUvPewkhykzoEf4UG
ZFHSLZKqdMNPs/Jr9n7zS+iOgEXJnKDkp8SoXpAcgJ5fncROMXpxgY2U+G5rB9n0
/hvV1zG+EP6OLIGqekiDUga84LdmR/8Cyc7DimUmaoIZXrAo0Alpt0aZ8GimdKmh
qirIguJOSrrsZTeZLilCWu37fRIjCQ3dSMNyhHJaOhRJQpQOEDG7jHxFak7627aF
UnVwBAOK3NlFfbomapXQm64lYNoONGrpV0ctueD3VoPipxIyzNHHgcsXDZ6C00sv
SbuuS9jlFEDonA6S8tApKgkEJuToBuopM4xqqwHNJ4e6QoXYjERIgIBTco3r/76D
o22ZxSK1m2m2i+p0gnWTlFn6RH+r6gfLwZRj8iR4fa0yMn3DztyTO6H8AiaslONt
LV2kvkhBar1/6dzlBvMdiRBejrVnw+Jg2bOmYTncFN00szPOXbEalps8wwARAQAB
tE1JbnRlcm5ldCBTeXN0ZW1zIENvbnNvcnRpdW0sIEluYy4gKFNpZ25pbmcga2V5
LCAyMDE5LTIwMjApIDxjb2Rlc2lnbkBpc2Mub3JnPokCVAQTAQgAPhYhBK4/rHln
EexZ/AB6pHS7a5pMuz04BQJcKvQUAhsDBQkD7JcABQsJCAcCBhUKCQgLAgQWAgMB
Ah4BAheAAAoJEHS7a5pMuz0476oP/1+UaSHfe4WVHV43QaQ/z1rw7vg2aHEwyWJA
1D1tBr9+LvfohswwWBLIjcKRaoXZ4pLBFjuiYHBTsdaAQFeQQvQTXMmBx21ZyUZj
tjim8f9T1JhmIrMx6tF14NbqFpjw82Mv0rc8y74pdRvkdnFigqLKUoN2tFQlKeG+
5T24zNwrGrlR3S7gnM47nD1JqKwt4GnczLnMBW/0gbLscMUpAeNo/gY4g0GV/zkn
Rt91bLpcEyDAv+ZhQZbkJ49dnNzl5cTK5+uQWnlAZAdPecdLkvBNRNgj/FKL41RF
JGN6eqq3+jlPbyj9okeJoGQ64Ibv1ZHVTQIx5vT1+PuVX/Nm0GqSUZdLqR33daKI
hjpgUdUK/D0AnN5ulVuE1NnZWjVDTXVEeU8DFvi4lxZVHnZixejxFIZ7vRMvyaHa
xLwbevwEUuPLzWn3XhC5yQeqCe6zmzzaPhPlg6NTnM5wgzcKORqCXgxzmtnX+Pbd
gXTwNKAJId/141vj1OtZQKJexG9QLufMjBg5rg/qdKooozremeM+FovIocbdFnmX
pzP8it8r8FKi7FpXRE3fwxwba4Y9AS2/owtuixlJ2+7M2OXwZEtxyXTXw2v5GFOP
vN64G/b71l9c3yKVlQ3BXD0jErv9XcieeFDR9PK0XGlsxykPcIXZYVy2KSWptkSf
6f2op3tMuQINBFwq9BQBEAC59lflbMmvSVkCHFoakdjokwGviNU4I/hOsNmHALYr
gJc0z88ss2KxbOq6JZoW9QOEHz2QLGsSGKnBUViEGvXoINDGuvzKFqHdEjGsExiF
FPGAgCQA2CSEZZ8MlITNdq4DuSti1LetjCF9d7hw2xOQs9ucxSXIslyqPbCdlxki
33tov40VE/J8jDUp9Rv27e0H2x4Nhu9MRQt4vTtpOcelYzl/dtPAmsnY4U/Nex4I
LM+JU2HcG/5i0nWkxOtz9Qc7kOgm4cuwXTCJw9KukPS3CykV1H/StPp43JyxoK1X
gZDMFww+9jupqLletmYKqCW6jVbqXr4Xlisq9Ey3LIWRQ0Zw/LB2NKU/jgnJGtLa
7O8VRWJKwkCtyYUbZMksKiGex7zCqPDR0hRVuYNsTjONobnrOS+7ST7ThbCndc+A
5mtuXpxuFffIuG78a3R3N30RF6g18peTfaEHMpqz+914HkNl6Ns445Zh+2rJkLUu
8O++tgWEUrpUajN9nosWaXWHOf7E9qGnm1G/3f9P3Nd5U+b3OKUYyqb+CNGCHyiN
bE1Cg3MnKpM9Yi9aZu4Qg/dPdxMWrqUmkmyDf6x/Oh8ZZkIacFlAaqbysQ6hRaJo
p7UG9AJfXHynj/Hz+1dNpUOlAIairFe3T2mWQO4Yy6IMgLEGVodZRHaMugdzZwus
HwARAQABiQI8BBgBCAAmFiEErj+seWcR7Fn8AHqkdLtrmky7PTgFAlwq9BQCGwwF
CQPslwAACgkQdLtrmky7PTikHw/8CZ+DnggV4AuI86spuMLdtUBDOux/T0gvyxSW
f8sJkjH0eAYAmP9/flJDfmwra5yNaINfqoLFWtaYLpxpBcWBc4VIoiWqVp2aaCPi
wh0sznCPiduiYcKGkHmupX8aCQXBYFDeQ8Jq1e9zwGD7Mon7BeBO48Vd5/IT1H5I
u5qzaCtD2ECO9MYdhuqJjFKU0MVzVocsBDdtLvrfnUwe4wc6kvOgHQ6RkMJU1bgY
0Sqstsg12vnREAr4uihnZQEihsRmNdiiv0DYVaRK92PLPpfVAox1Axq2HpH3WT87
RpsFruXLj/zTl4AZczfDVd/Z4yWmJSzr0F5igkGSUrxo0ye2kNES6cmOGI9TgmgP
NLGXlC/su5fKXKjRgkD1ibJ0qFNNxF3Cwpz/+cav9ySDgFGX5Vu0kFi93fEYHshD
6lP9M5qS/2oKiykCGvcRCNU/9emdYlF37H52rxRerBaZN6dYMTjZw2vsEMUl06pL
llbLiwjPix2OlLFcwH3yKJG0pKkpEImBdJwHtJh5uHzfkSAbZjJAZ2Ekw7sLqiT0
85hAGovywGpHMiYkqhNUO84fjZYCsrAlZMdriY92IMcQhmWQ416t5zcle2Xgx+/x
zBnktvx9KIH/HwBa+qym5z/uFC2S6zhNyC61LV/CEDCmcUi2lUXr7vcIxCsmxuUF
1ONbRP65Ag0EXFtUfAEQAN5tk4luE92Ed4E92VlgTetGMHyxwOlZ2OsK6l+Z5ML0
wzomAITgMQwG0FeT6HX7vB+luVhg0XAZUW/K0bme8ZEO0dbHB3Vn07wXHhmq7QXH
/ACftkvevIT610dHskrtIvE5rZfj1P/wtjRTxDrkjhlGj9vhUxxcCkKadzDdBJGo
dP+Zh02d/4cc++LePNqZ3eJWm0JLghqKxzTv0MV1r6G1ZeykFzXeWY+La8ZCRaON
LcHjI7wlpyTJA9WGmyAphtEHM4fQqKLxtebIDo7m4glgR12nlV6B53gUT96PcKuA
Y/UPRiTV6nHyUtuL1EGTAVLsMDmtDbdSdtLLVbJXVmA+tapABa4amMxNVNY3QSUj
cAbECcTyVmVJfIT5fJW4eOMhWtrIGMspWoO5It0pl4K8jhCzIcfoXQ0olCSeC9fE
tljE7qzRzYQUUvN1VZPVX0Yw/xSwOutv4mxmNRWY9HW1M/jGoRAboqN8WhCbldak
a0XCH3U4rWXB/8HHb8KP4+q4ssVyPuEQ/v1UNNRk9AB25NPEh5PMdcf7HU8IcUHX
THEfd7zZVJ0l4FSsnGeuJfMrnRIpNOYX65ikeoTwmDU3ZjWfmSy7F5hTLw8WOEB4
EKpnplyV1QN/j3317/M9PxvB8IOvyNF2okeurtHFMmI/lGwy51akp6iHMkbBDm5n
ABEBAAGJBHIEGAEIACYWIQSuP6x5ZxHsWfwAeqR0u2uaTLs9OAUCXFtUfAIbAgUJ
A70hAAJACRB0u2uaTLs9OMF0IAQZAQgAHRYhBJXO2iVrHKChXzAvtZUhp+1drOkY
BQJcW1R8AAoJEJUhp+1drOkY94wQAKb2fED9Up/xHEOjZm5ODK5LCVHy0KMATiTf
5SiJhRtqaRbimPH1WB3XMLls3FJZnm+UngIfwCsoWo0rksFUNmqFi6t4Cj/UB/Zv
29EnDT9BAeG5fP+Op5PDCsu4qnLv3oam35oV9yZLRkLhBd/EkRGEA/q27WnpiYCx
Jv5uPOJBWQqu32aE6st23PpY/QWDWOhGPfcWCecu1rIe+2BCs0UjfO0KOT8HYWNh
nGpsEZ+TmDKjRxMTYWKguEb9evEihl6kUwmQZgROdhBes63Yq4ku9rBXvRhCYbwS
odhjx2soDRcNmzxNV1Ply8a+2bwRHPnOeyyxEHFAwjkyXo7ZqGtenwSriG0LOW87
y3Yw63O+oAlGLIB3psBSj4wZVGme9485HVICAFcJ3jXqsXSIJdzW61nGerB2r2Qk
Bn7yYIvHg3iOToB0alfNw2QuDtCZTNefvlHFnoashRhkk0yWzBerleFJbijx4+Vr
FaOH35BO1T3rgBmGkDW6gewoZMHEcmzTDoxxmbXiRvY+5o7b+ul/yzwhnJz3f5jk
7+Adnr9qAGMD2o3rCRBHV3lSEkLhBL+bfmsEYEor1fd+pDFoEKKjpDP6bgDcZyGv
O0mmr7Y/6ZrnKWxOrmNXieOTLbpY22tXv43QLgyiPcjhCfphT95IxqdNfMfOiI9k
IQf8g7GBciIP/1mbdnMj6Hg0J9IbI/XX/DWATOVMdDhq38VcggOHRjZk2lY99+4V
Au1wRHa/Io/CENikYzI00deSzhrN+tdUK/TCZI0Ft5Lykmti2ilmkIQGsBuD9gu/
2bmWkNJEdpHeC/+oxntDFj43CpyKpPAarrw+4XiYNK+1+4WZsQRL0jJuKJ754v/o
NTaSd8GOCyFR7q8SVH4tig9DjkZjYjFFMnWkxdpnDX56/AfdS+x5EaRHKCJoGChT
+pHimvKe+MxBxpwJr4JpGddklin+6xUF5jTG6322hz385wsagGvmH2XliOu47a+7
xUei7w3S1qtVCfdhtBEWL5i021yVYlrw+rUCwpFMIXAPA/p44O/qY06sQXJ01Fym
JCbOnjtVYX9gdF8fMKoDXAcvEtSulBNpXDongWp50BDfVoA7h9oDsxL5kw0GpkJn
uVMYLpO+iOqoEA3bJfsCedilkcz6UamLb+6RXMupKQaZ006Bu75Rm+h6PdicdiKD
jJY/7PbGuUmXxuSFT92v0hATlpEIQ8H8laEcnb8apiX2qOyGUHnb7pfYoNqvCm06
3NP2igCtiGkzAohiHfhztfy2UApiTtXmPu3EhEUMooB+0Lt0zzY+e1cnFKRbJHvQ
ZidiOJfKuqp6upPvEgKYMRCAU4+nLT3MVbralo726JnDqrDJvCqAamhfuQINBFxb
VNsBEADcRGjaY+/ZVWBlQWvgy08ObhQbTRglb8thrcPeTR7211JJwAJemuTWwCjF
SVDH8JJ0Ss8rBcbitrGI3i3mcgJRQ1hILR2HT0bbmMLufCxZzQBjJm76H8XN++k6
bd8HCYGXMguUaHRRHAcV+P18e3qGizgL7c8Vln9fbhowkX9yi/WhiL2uoXC3+XSa
C08TzwjKPb9Wnct6uCBAzMp8S7KW6P18vZyBTRBrugA9eZrGEe25rhy9szlJcajc
VeMiDMf058z7ait5t43AfUzd5zrD6c+ZGYIku88oY55LsZVcvn9o7I+UNbNJdiek
IpLae3Dgrie3QgDyfzPV1vXT2X8LaegOsNIkSo6jzjdKE0ZNg4xVSuPdr5jujYBN
z2k1lqV/Q/Ccpqzs0NsgnXnY8RDDrrmJhdy/ZrCMsXpbTK5KryR+JoDEiuyJ7YO2
jTOCo6zQ631jvi7XUeHAFIdQ7eYRklJwABwj/IMXY++O8JBLO7iZ1dvvu3pfY7pg
dQvPgDttVAIxrNxMMj39LRbb6LE+eclWcTfGCMr3O6LOOLwkMnDWEkJAz7JMtWqr
2l+9xF9Dq7CkxHPP87dLTMNGIDr38bJ83CSmDPlBoaljTYgrlatBTV2hGMjPgEcB
jOgg6QyRGpO2N0SVBnD8PfBI7a7CwQw3BHOJtH8vPUkXZoafoQARAQABiQRyBBgB
CAAmFiEErj+seWcR7Fn8AHqkdLtrmky7PTgFAlxbVNsCGwIFCQO9IQACQAkQdLtr
mky7PTjBdCAEGQEIAB0WIQTXDITmS1WOW8zsByEy4hdfHXV6KgUCXFtU2wAKCRAy
4hdfHXV6KoJ9D/9IUN+s4gSiyWnqfq+UK5q86DTbC+OyQpAY/U/VDi/jQXDUaXzu
f25cCgyl4Xgf6nNTE6IEdgJCL4R6bChxJOHNpZ8/N3ckb/Q5xHKZ/5k5wFv7nxUk
vunzxB0wUgCLkn4oy4B8QbTMuRz1qcSdehUyZAlfkr7o/J5UO8FtgaMuNACxZNlO
JW5AjTDdbEW0MZapAgjx7+oTQMDtz9q4afuPaGJ3fTz4Vx1+mYt59b1h6xaMTXJi
8egJF0U4n/tJ+3gxAIhF7tQRPdNEwG+2Kw/YNyrLMY+nbazhlgUIIkk2IH3Ztd0S
XnNd7gV/slN80T9CtHtaDlH2FkeAd1unynxsDd/TLb1gLHem5iDsFuZBaIyHetdY
TlvT3SlKnDQr0FBTe86Kuv7n/ZNoU4lceXhUXTcataxKdxKEJt2x1Ei/hMHSVjaY
3ir57tuOUDMkl6hpL3sYiq7cMGUAnLH9nBZbbcNdfChDiM24mGmXaNoITutVAHS4
uNunSL1l13hJ1hnGY79j4l+CgnPx7LHzBmLh4PPWKM3RYqwgaPEkflVQr1JOOKMM
x4bpllEtzpvVAIaF73tlsOQRRN1Aah67gvkWKqiZrXc0Sx/yh8EO/6bImb87rtVr
0kjeDGEiuGYXsszNBCmVjHal5kLUKaESefzd223zeaFe9foO2HrnsFb9B34ZD/9J
W5M+42QFd+tOLh1ue/5xToiyggGh1MX9axDqHiRu2w+E7kNuuws2426aupUQ3yPD
4dSwR428U14ytM90bZXztKFDgFAaQJ/4YVEGPSbLHFc4VlhDHpGljl8J7vI5xPOm
Ruc9aabtXwd065nQ2csk1DliiA4jpS9dUq/flH2oGj4b2OSGFvR5oC7oERHMpUA0
p+wY3vnjkSVnWqV98yEBCFcZvpOy8J5KDZxYZvZydUvZ3ny5W6QPg8OKriqrCAKW
QXds47vRIiAasK14duLgex6il7HmboaqqOhRhevtBAHBJpB1z6Aq0SMwcKwdtTId
GTSoQd0R77ZGYvR3StpAwl8rJhCNwJHu2euA3hYPWHg0pF0L8pFbfUwOYf1dU+uQ
4xAJQKcCteQ7B0pawp+Hxp/0erB5c5PUUck38ze1ZoGm/oqh24XZ/amPVWE9nYSo
VTJwnbqWsfI6mzKdBHr5MP5zW5ei0PAo3lFb5gvVzJ2TqaGJvrh907I9R5Nwd6GM
wAWAzZ/nCLflSNyPyJ3ftxY6pGyCBJsycY7gBQD9i1xU0bxONltqSyifwQ0rt7yr
iwSI0VRnv8K3M2iTAdDm44bX6oHzljgiYachlV6IGmO3vdVVrCDhm+b+ia1bnQ/1
H7itWEwllkUCCtaDwEcf8o3OdbS9S5KEbwH7YUD967kCDQRcW1UMARAAvl+0jUaB
UkQWBflWy4Wd8Gcf3lzOqbARdpM/iztebc7RbLnv0TNFQPV4TD9RoP+rY4dJzC8w
/rlxlhD3DiGcI3of3o/3pN6jss4wKyy9Jcg7uCo/fcspOoPOwigAUfBYTd2rWNvI
/pPUl7zmavQR2+TyQ4IHWG52zAABGej/tf3Ma6WGHC4QeTkh7LtHn3JFRCoFy101
x60bJqIWONfR6+5UAOL/P+zTteEMsO3v7dWCWHX/tcYLrhCEH1CNnyPS7v7TF+Ys
uOGL7sSmQOUAcgldfUfTACw84YqViu5BSYiww18Eg1l66UcQFnhwB3fTGwzb3oPM
npAv2wAZ9gyFGzRgcH8QnXRm/SLDWlTaMIJS//0p/gXifCAdBZA/skBt+E4hQ5Sr
9iXGNMueR3bn7u8Pcoc1DpSJENE5H0nB62l3/OiSl/k7mJMGlUv6wKr42xNnIM6M
hO97axjRXy/XQz5n6ktyn9xRngkQNL9Ynj+i8E0k/xv5jA39EGAKOXxQFf8357sA
DnZ5g/Yf0Yr1c+TNIIRXER/k/KMavB52mguTNqCsewO5aje4Gq4vKd5P+jOKGopA
C4idTLkHutZTiakod7lW2jmjpm6P7oyAeAhDNEroNrbOIw0SaujHBmJtxgK1Q929
y/EaH5vJyWfMFyUqM7CQBqUU/HRLERsebM8AEQEAAYkEcgQYAQgAJhYhBK4/rHln
EexZ/AB6pHS7a5pMuz04BQJcW1UMAhsCBQkDvSEAAkAJEHS7a5pMuz04wXQgBBkB
CAAdFiEErtYi/gIHfrS1wUbBQqJ50kjNwxAFAlxbVQwACgkQQqJ50kjNwxAf5xAA
hBhcOeqLgeXbUu0CCTKlnG6D7H8sQJWXCSsh9pAXffv58b4f0ntJ1TztKfVd79hS
BCcXRc/9+MhUUzR79NvFWWZMWqJ6MucjAkkOBRoc7c85PawYTI7e1zSapLPJEHG0
xDzK8ClxwGEvlA4O/eGGVFaCTkxdTQg95fDXfghab6j89GI8Ghc9rC9V8RUgGVQV
qJJkBJ/gECJJp3holB4/w/I/sU+9AHXGKJvSJJ62fpmY143Y5JQk+I8DxoT0kIq4
W2iZVAQMzQGpAOXkDuHk7a7J/QuL78CuoG98GOsfTd7nNsgPTZ07cPYGOxXeNR5U
9DlYOBWDwsf6d+D+tHLB8KzH3MWnWa3crjE3a/sgrDEad0CmAJzHXuCyPMy8vPQn
uxIai/gw2POq8YQMoKW5S80perLuN73FxAumjK9a2hYVdZNtABwrlW/6ELruv1se
mMjUq6oDyFio0rGy/uzCItl13hIr1Ii7B/SPz9dNnCagV8aiUmKXRk3HKoEXf34I
xWlod0szWopnP31NXNKHihs46ORSMrjnzFKjRcJsnipdins+DHJYroYhtOjNtsb/
WV3D4tSerG3xKF/v3ssn2VsjcgK5HY/k9iUol/dvoP0bJ+rKs/fzt8oAqEexiRnV
cPnj/zAiBOt1940+0vTWaNYOPDkq872S48GNybOC342u2xAAnAp5myKostxjyQn3
E/7/G1OWHaJW5kx/HCqHCWjgwwLOmhssNn8kpTf3ybvt5uhMolIF95RjFB3gBOfU
vw0sqMvEoBoGSMSTSc3zD05RBsWWFD9qwvPMXtn0gYaH39ISAFnxXrtrQ7dDD1d2
LcBErdttnxEhUnT4/0YIat+r2PhmYYDYviKsuOy8MC/sJIxvhYEpbyPQnPksUzA4
wmAbVNPlzqU2oWPrLT2tlxUue3z6VS/YHDcsLSgjVOMWSusLMh1+D76Y+Lcr9kVz
nRu+dYXh4I6OBnlT1VuzEVmrf69NFwh8j3PaVn0I0NEDU7mMa+5W0QYuJIsXZonq
SI2uIu64ZOVd+D8WmCEZO/Kmk5PMXs+0fMcFD9mOeFaiOdz+PIlHAsrxwKXr4Q5z
zzu/wEOaqAVa2bJywTbl8MntQUY/XeD94MvdlSAwO3Ll1BpQ5NfXjm3YpP6Uyqlj
pkrYQL56iqucgYn61jLSXhFHGLXSZs2G48ggN2mHtf6ZQeAJ4D2DIXRj4uqIHoJf
7MWDui8u+cJsw/F0ZerPsCN/CpkEoj4FW4F4O3JbiieYSUK7lxc0qyDdbQiVCVl/
08wNToe3RctSzsQ99tCwfVWqLVcTVb+0aeSaNykb+qW30bHW7AUYs/qKiapQFzZz
QZnpHXGmVe93fDfILx3yUCA8Yia5Ag0EXFtVOgEQAOS7GFDH2DGXPMJzSdS7a/zZ
ewP4bM42n2Ku3XiCyXG173p4ppNdOLS3l7JrRflMhjfBtETCOV8B4z0B9wCZZywz
iLOt8+0A0zpY7EHZNvMRjZyq/s0FCKLtnlqo/KNwiJPRvQazZ6+UOSffEQEGpNKs
1ycZIDb1tk8iRpRvtCin8CeLRLf+2BxHbWBewnCSCl80rC89PTcvPf+jmtcDJqDQ
z/blp2CT1JUo1xdzyHYdIa/kQ2PBQo02ejBVs0vDjbzuYVQzZV3q6cYnYwGPtpTB
Ot8GXuA1X3qYx0MlZwGEYpiTFS+Ju4cJrYofuBOudXpfux2uAPkJskw+ro5k1I/q
fptRWDbZ4fGgROmUXBPg29XdyVExYgAbVeBdHWX30sCHs8+c8wzWkdAY/BgdCySg
EVLiDmSfMekH2H1N9ncwzhwNlHk2BaYTR9hWdZ7lrH7BbT8g6SVSge/eqgvjKI33
AUmragvNQ1B3362yqLK/FJOHyJiYd6DKfkq4E+ysw+C+qIo51qVNkqRqT0M7HhwZ
AvaoeykrGIE5vq6jHa9+MxDlsN5Sf7gNgx2dk0d7LAJR6AmYNqRS2V+837XfogMc
bB90ZyK2rOzDN3f48jaqXA8TX2CSun01RoPdCPZm0M/uxTZxOFzoatrkpEVbx/3x
sjvuPVa7qkKdgUuo/PhBABEBAAGJBHIEGAEIACYWIQSuP6x5ZxHsWfwAeqR0u2ua
TLs9OAUCXFtVOgIbAgUJA70hAAJACRB0u2uaTLs9OMF0IAQZAQgAHRYhBHkdfriO
vI0BOENKrDPfNZrnpgp5BQJcW1U6AAoJEDPfNZrnpgp5JY4QAMry7TcsRIZJCVlC
qecIAjyJizWz5dEwScba0BDU4rv/h42CvXJlySZpbgUEyB4SBggEnu/dKVbsd/t0
TXRNg80Zs/pTFVbwcg+sDgIg1wZldZbClLfvgk0xLoDl5vq+K4SAQwSLTSPHQyYu
8IxkrKmbBdBSXlgnmcHK2lDXrzWYJDEYEyFPV4pC3cHicCygSc/4eepUz+crEF6Z
IE1df4LRv9h5CgsLewMv5nQ1EjxTo9mX1GiSh3e7KcfS98FgIQl3oy+yO2cmVVVq
x5ggDcRI2sUbXa3D3kjAo2tUIA1nUMFLIrii+aZawOsf64VMdIs2OXEi5XFR+Zdw
t+Bx6lUKZ3/tntStZitJdK8/RUbhmYQ8Tu01vxt/IAN+07VxWyZwcFB5KuC+lKtO
/0vwyhyiOlHm8lzV/5qwFPusB4bNk/2uLPUaavJdrBpmB0t9pol/NFCRzW5MKFvu
Qw35QyFVR0IBeaGjRc5J9yxbzi78umN1iHZbDjXFA7oRa9tkM2AP8V2anxSHUyon
UN6OuLqSM2frA8iZcl0S7qcepYNF1ix9PhdQHXy0H7hoikXMLIiCl/unW5pVTs6q
KnmxmRz9ZcqvvuVXbeY9C+kZE0LOBTZMljuS1Hcs69RU3rA18swfN5CTXw12ZwQZ
SsnRhi2X28Tn8SD0vrEsEf08q3XshDwP/0MvBBfymXd+5MzxlvMg8vGJeFuDMEFN
cpETa7Xzzz5Eir3ETtxpUWPCriqmCpnlIWidNwbg+LlyTeYUDPIDnMtEX5ySmYGn
BI8ykvAKm/XTfr0PWOEAXcmxTC3oMhvYEhIyGHZOFJQxIo7vmrwZKi2wqMnKMPq+
XXHgvtZe5tNbESI27APeQCMVZLVnVVa0D1JRFYBuwNoJXhWbAIKlIjBGv05NvK71
e4x0zEY2mXxLBbsxVBvHhpg29HseX/AhHvUAcBehJ+sqnenXZqdeNhgBIeZubXq6
A/gfscswF/Ocp63Z/vqAjEmvUKwAxNKrKlwLVShVvobPx2N4hH4ZT7p58cjhMhQz
Lm4whTHy1hvBIR6j/Lo2eOkkVhiMlrrvWJIAEic3Gzj5f7XOsVr7CXjkSdoXHOIR
63ZDO/9Wy6ygu8vCdiIFlyRyUBLnGhUYVbRYnTU58tQMfEYy30ZKF4vxz4Ysxoy1
oJa6emaa33Nn1Z2kE64AaW4wbUJ57nROuFdoYTwJ02vyc51J4s0C94EA+a5VrQkN
J7bT8P9G5gksp4b1WyoFm+O4aU5Sx+XpSO2IZFuBL05anF57Pm6Bz3LJX6sEYima
chv72q7PYeYbETrl4DZxE2xlEiMUvN4DH/RExpPWeUsVMFtS5n60n5+AW1EYyGJ9
mfWlvZ0xCjQ3uQINBFxbVW4BEAC/gtho2rZl6/+/szkOfEumAdFwyQbtM5CnJyuU
rnrneWWlnNPLeaHml5a9yrcgOZ15QgnFD5YOHZ/S9L40goML8cB118etk9uE7vMv
EtwxbkqZXTlqdxpFI/SzT4jJCa9XFQ2uA+KdmKmGW9EagtdLql2B9ziMhH0Ha6Y9
5x+9+7/oRYU+ddmAbwrJjdn6bCuYQ7QVpccFC67qdpy2I97v03hst7yGT1FbrIjE
sF4nMig6Uhwma5Edqm2dLaVXeZ+Fl0WeQCnWjprZMvkHCAxjTBlQpmvvwcQwqHot
s832s96l/Sd5R6r+TWU0lTtXpcxL6t7MXfW+BInkqg0ZiHG1Znni6SwfatzDv6W2
lJW2pj3Ub++JulEIkbct1f+TEeeLU0RbJmWlL/qe24fodKg1ixH0gyxsRKzdBUIf
vgCkrzwLFgJEHRISjQzIASVtDdt8QoIqX8XALgjMBgAnZqtYrAEdFImWys0K1zOu
MbuPcTImufz5ObnKM7rRMdCO9z+cHGs0TT2vUvPPuOsNYL1GX4EfrCp2eLKahjJQ
BCxfatn4mFqHVmR/4a7vqq1j4Qfj3h08z7QVrNwGWAF3r8nmaHdaT0m55xctMRQa
3N3UaYj0IQ08CSUJq5e005Z5Oinbt2O4paxnG4/UbJXpRiLEVU5Ja17IBsDfZydx
W//ZlQARAQABiQRyBBgBCAAmFiEErj+seWcR7Fn8AHqkdLtrmky7PTgFAlxbVW4C
GwIFCQO9IQACQAkQdLtrmky7PTjBdCAEGQEIAB0WIQQVaJBoXqDfahNx7yAXzF2x
8AiEBwUCXFtVbgAKCRAXzF2x8AiEB3iPEACI735VFBDd4E6wlGAA12Av+XnWSruo
Te7zGdKo2SuZ1gN1PYdNgflbifYCYajnQENp92N3q263Sq3MDf+EZYKijJ3EoU6y
chjOJR6ge+UgKPdGQc7Lu61wWECBFaL6TMXCedcZ/Xd0xT2IbvK8qsKsITDjiDOh
DUqdjVeyPXyfkmSrF5P3hvNxJvPbQ6k5Igx9JA+unLXxatljAeh1whnchRQAIKkx
l19Nr1z+odFD+tzCX4HQmUfHRXgBiJICyIxWB+U7USqLtqk+7DE893meceSt0Mz0
JgLct0E5EFfCdwbehnl5NJeay8XEdcfjUkeyb/VAVxWYUBiG72okUIaIP7xR5MW1
P6ecdTr0GzOC1SySpfyT0+ot0rtXGSnXrBzpY6nU14hDoV3g/FMas+qz1smTtOVi
1MVakDRf4QyP9Jqf4q4/GosRrgBvXZHi+zWkKuf+DXPcL/q6MfgHvQc6tFMh5ONQ
snrF3Bca3BQDT2GKjSukeG3JmECHmKtQk22jhk6T9DJ3518yw29El9tUgraaZ5Fo
Gen3TYCxA2BhV2LYCSLSHiTPdtUsbDuIP/FXaFXr34nAtKKOSSY6nP8SMzCPSEMN
iscfdjejR1Xd012T/mLqVCBzFJWyX2RaUdygSWUpt/QdvWa4pXCgYZjEVidraOws
VWMbb0zuI9KCseOaD/4jd+awtnRUj2SbGeJSVnqDPk0Hk8ndFebAo70uQGATkLXC
m5ls0RDU2xHZumuUk+b74Y1KjwdqF65NEmfjaSQ6B8gnCO69eKHcUT821ED9bwfa
4XpgsOMEoZklvFByax0JMS4JEJU/xfsLmfeuXVirN9Z82vxAXG8fuK8bso6VLG/J
Mpxhq1Zv24NQ+uevvh9loyWMcaw3IqPvQzNlyuuya3rXJYZHSH7TauYgqWySXiGS
H6oXl6Ej4GR3t5uWwHKvEREQer+KPZV3uXRnrTpgITy+PxZ9ywmPwmPBHcD6c0P+
g0lNNtDdvw69qy+oh7JaqqYaDvedseN39UgBSx++ewRhq0OTikAD/BCv1zhPizlD
9BHAOsCxrgnz0WsONYKFAE8vtNo/wB//djf/zqMsI3iWdbWqM9e/muEEV4jQRWLW
TWp1XTqqvkc6TsLBBNO5zisJ0VwSfDyRUplr/IWeUl9FrRngjBJqF2nl90US5p3o
uk5wUWdjFa0haFyDgZNFwyFr85mex+o6qIC3oif7UjC4kHPe4wzvHDYAxrHMB6MY
QvrcXzULmInot3qRAr5duUNbQbrjdtVvOQFvjowBP5Scu5ZBSzc0O2TUUSKgnJZS
Bs7+yswfgyhYzusbxlOdA+iE2Y8GuovamGYTbsdCxDStOMfZnaiXuLL04Uy1PQ==
=fX+D
-----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBF/u5KMBEAC0hPiTonjYEe5FqNzFn73KmcN8KGD2wzujmWWLnFXGEVDEpFcS
ULQDshhCclwNeXUArUey4nficwpqUe+Xl2h4dP4z7yh3WiL5nA5JRjJjw8KJQGVW
AkgiZTnJHH8DrzNt9LnDL516qMDJarTHemDUUUZLNxnuv0RDEhDxsXWiVCQZZcw/
41yIY97uCf30dsDwnckVl3iEmYaGTYavWbKP60S8WaxO0YG57RI1etmlIQ0nMmka
4bvFnwwb9Jdnwle4LIiRMCGymsheaKCKrEZgIJY+idyBuExLLykiL8iNBj2Pzi7z
XSCniH9qcEwfqgZlP/KZwujLhGOc4c4peNwpuDGcmYZoAsUD8CZ8H/LU1FIR2A1u
/UrRREtC8nNTDGxCckSMEquHNURfMk1QmDbJ9gaa9aOk0AArxuTxyj6Cn+KQd5l5
0mN0R1sDVQq9xWdvnB7N0d3MDhnV7f19iUhi3KYvjVTkCMXjhNXjDH/KXFKoFhKa
9SkxYGfW25inwSQoqbP1TE5+rESf57bo+XFxfVQuYfVJ5BlZobz+sRl2iDQyBJDM
uDFyXE/t+E76BmwyHeOI1weqUMYebqHgu0x76dTYj9yWgWdQAC1pXi15/MTIaOtQ
hWezb5rkI2yZqaZLaRBOIRBIPM5C5AOjL2XbfwUuSr2W4+TvxLocxi48DwARAQAB
tE1JbnRlcm5ldCBTeXN0ZW1zIENvbnNvcnRpdW0sIEluYy4gKFNpZ25pbmcga2V5
LCAyMDIxLTIwMjIpIDxjb2Rlc2lnbkBpc2Mub3JnPokCVAQTAQgAPhYhBH4ckayA
MKWlnR76uXUPPIdyPkASBQJf7uSjAhsPBQkD60WABQsJCAcCBhUKCQgLAgQWAgMB
Ah4BAheAAAoJEHUPPIdyPkAS0lMP/2IgMErScBUaXrZXqYXoluR8xU0p9DyZEBx+
ZGNAcJ2CTPAbn3FrkNGNpK4SOCLXEZPKOQ09umaIxl8H6uEGaTut1JLj1qGaZ8ID
4gAeQcTIN9OQA5ElQo+ci20XE9JSvzqY1zb04EkMuVL678xPCYJhUSLS0MAQkcDJ
JQLN17SwNi4vGqzVhnwKUviQU9/s+LRUkThsTg4qT0fNnmGoVJXqrshxJa2ZWM6J
QtOWBgJiC6xZ+zRiZS898L0tekU4o9yxtnnDWry2bI+mJbxAp94ZAXgKahOU7LKV
3SPxkx7TAng24nOWi1EaP51pe7usTFH1BR3CUHZdoIQ4xruZGkt/qPumskofzl+1
8bw1bEFbq8S6jC+twT3JUcE02HbEIbrd6l2T8pYBXaojFggGjUTSv9d5YUN5N9U/
/Qy0o3xZwHNdXLx6xSrUO+NT5JU1Nh/0sutEH7ru/YqFZof9vfCbV86y8fIOPgk8
LkJNUSu4QCJ1PHKB+fJp7yAhlPkOXNG1b9+W/hVp96rdkovpCUkLD83s+suQyJGk
QB7Qpem7nS4zp7/Naui+g3M3p/uRSzZgELTnXNyY//bw9fOqx5SDLjSUslUMz+TH
sFTwfo/Mot70MPHMe6aE6tdTDoJTcv4Iim/8MDhJ6yqKt8sxprataZoWwFi6zAF9
BzWkJcrbuQINBF/u5P4BEACso8iLzFJ+M1wqcsCDup+GtRMzte04CAlLmaLgyzfL
3xxBo4AUgX6UbUCGycG878JVn52S6Nsl6FlasmyH00MGjZt1CuNz4htfSmLGcBMj
IwQv1CYR8bm9EPwR15NaWdgzJHShCduMHv4HdfqSa6UQfzO/P8mwioER19fkDQSE
U1KsY0yl//ipWiW3ZJGShGHLnn4YbxogQtsRPESKUsQ9MtzuMt3ehGtkN4RguOXC
6pCWP8J4F9lgjSZ+uLOQKV4rmpbSMXntOJi2nu+14Zj36enW8xyAXO/w5z/wci2G
LN/aa/v2a3GM3WJQsPNzpDwB+pr1n0Kp+wK6K7siVmDoV+WecD2KNNgOuSyUve7h
BjWRM9W13LsgLGhKJA8yUpPvhXk91vLRUhwFJ2GUirxLPLs2TSTjHlHvhcPy6aX2
HxbHkcOt53n2h0zx7ntl1N7XHozMWmHphPsSvOZ5StuQRAFvfE63EyfR84KUPIbZ
kvftbAJPKCJC8W6GqhfORzYZqldDNNva5iYHF1OItF79ZLGI56diNsBV9SOVKk4d
f9Qp6urYOd+9RGQGmCQte/WSFaU9z9QYPEGl1NlmGAWt7KKyB6QXZH1oEMwXtPd8
4GQX3XGtyggEp6BGwkFFWRQzF1EZ0maRPrpN4bpQqLXSJiqQxsX+FAcOkhpo6X7b
8QARAQABiQRyBBgBCAAmFiEEfhyRrIAwpaWdHvq5dQ88h3I+QBIFAl/u5P4CGwIF
CQPrRYACQAkQdQ88h3I+QBLBdCAEGQEIAB0WIQTpq255IzwEFuiZP0UMA6+pClln
xAUCX+7k/gAKCRAMA6+pCllnxDtmD/0YCUccmKudW9PiQw7mI1HSuwL6aS+MlG6/
LJ79nmi6TTpe87NDcEv2bBpVWYcQK87smCxIYyuj4SCZuBQivjyuecipRoG14PUh
KU8UiqdF+vKDvUAA7huOBlR4dgr7/KvjirnbwO3mGouwZszDOLvaHuO403+TPm1b
mJtEA9y6Wbk/+PTtfPymQwnaiJkPhQ6Q7ZbyasRIisO3MRPacUjt2DXFi5VV/Mya
8o5Pae3zY+5SjMyE2siPnVE4/nzp424jDzSq4DGEUip/x+QYHFwxhCJmdZlRIFmn
vSCAGXBpyPVbckC0Gw8kZ8HsGzNbMbx/VjDG3LFT8TR2Djsh99/6icO1J+jDkPNn
IFEsYjAw7Tos5IPhIT1XkSCW84KqBG5pGI5h7fJzf19sR7Ki6XyFe6VYvggeQIS7
VN1ISl3tRN/dk0GbrKkUKr0OVfaRD0wXQHTzbec8Fs43G0z/DKoFutGB/J3yjAmw
IOcP5R6rqjhVp4APQpsB51XCaaqEXaXZyMWrKILbPIjlE6FHeh1qd+zdIjullnF2
YZv89HU9dIXxKr35CM8f3BWm4D4cRjsUOWoGhMNwdHzHYOdys6T72KBK9D2irz8C
L0bycjN+SIpde/auo+dQKqKD3/ipr4dyKJyOUsls9cyhxkFp031cZ5rWbXcLJ8/s
1BeVPjFCngqPD/9rMKA6kCSnTo+rSqZRxo9RlQwy4K6xfPPdHZvBi3A4UYCsurgl
qLtFtGG8SMWigmUZWLT6uhsi0orR5wfG7vzajF0Hcd8yuWa4zGeu0rFJXgG64Pyj
nJHtv2Tzi8DNY5Y+8mfXqUewyEUXQLxnLqpGlPjNUAJKvjm4SstNadewgWeb6F8x
UQJc8owGmK5+yZQ5LZj6bjt9Dr3SCM3Og/iS5XK5POGUJgtgXLXp3uy7p9SzsJ73
qhrDII/YqSwToMu8tUv4xEGxyceVPDm+ywde5SXYmtvMYrq5DBdlalZ9kBlC5fyc
IIzKoIOOkKKpa/YAyKdLTk8ZByjDk1RrdcOyP4VNpCvyisf6JPwWfKdM5mxf47hb
s7zioUH7miUGA6i5TNi1e+DU2mL92sJwQ0WkHw6KaUez2Y9CaD8hZnQw/h/JcNq6
nb8y0GR8h7qWms3K0rtSs8SuDXUsdZrFAeURivccmohXddtt0FDzkheKGXs27SSl
8oOCh+jl/hEUzz2mJGFwRBo0FI5ipN51IfjhMJ8zzSmvfrtdwT2Tu6wSY9DLsYR7
0tWGOc2HA6o7kdcC1V0p2jvQct281FrC9dTXFgcDuGUBYhzEZeWwjuYQXBzMquF6
ersVnPo/Z5l1SnkK+wVBQbf4igHOaobl0AQxnb86W4CXBTZ3CvRq6o8vWbkCDQRf
7uUlARAA7oTlVZXhdVlPnSQlnI5JwovG2jEIrRifpbyavlhlosX+rgtQ5EILn0DS
PJ35CNfOAeOcLQeRrJAZj6w/x9FHWfKRAHUeiTTsVDzTrDyJBCVuC40ck587KVUc
GuB3vee03/y8qAczj5TZNaDdl+4qAzOFQuV4MjwJOx5fsXZw3dUAS7pw1mTkAYTh
nz557buc8JJCxrebT6FvN8bugk7LJ8SYmI154Q5wCdXB6Q42sdSMFlKKPYRRmIvX
vI4Ytl/J35v43gCLbXccTWQpBX+ra75sndS2hYGQhcC+WdNtt4THgU6Sb7ErpJK7
7A1r1Wf0WSioQ2VWjT0QbUE+6IXD1J8duh6ZgzuqppMm13aDdMDZGwdcxlFw+vlo
bM+IAX+QgzPjslM3FHVvvfCLka+ctMO+lL0bz1G4njNEXcIAILhmoqRI4ItVH7Nl
ZI3pAfLLB4qbhTKTIiS+uIoA82RU86ozr5oJZCsJa5N5EpJnYxnjv2tYhU42eh+j
hyM+5ra1dXtveKvL5SkVuRUlPZvgOuwQ14Qnj6sv8CmtBpyVpupHmY2RbNtLVLdH
Ix3lyQbgVo9iMJIoXiPXmcRWCgLgOeuETjFXsEcFLxuN+D0My0dtwWcg+271vtPn
0orTObxkctFK+V32ByJYxVvytNCW245bICpxCicxmh5kYEmQCnMAEQEAAYkEcgQY
AQgAJhYhBH4ckayAMKWlnR76uXUPPIdyPkASBQJf7uUlAhsCBQkD60WAAkAJEHUP
PIdyPkASwXQgBBkBCAAdFiEEqtu6UHTxQC97adVrxbTukxqfnf0FAl/u5SUACgkQ
xbTukxqfnf2aeg//ZspIr4ETVf3ai0dXCm2Pf6gpM7QUfI9fPUHymvBhNrNhfZqN
ADpzbJefzLif8as7kUr904zTc5Jse5a0MzCrMyEwTDIoCKDv2ktLq1L20bwflZs+
oP27CYC5FkJYgLYPrQZ/7hRC8EWjgn6v3seJtEo8G73kiVEBOnxVEfGZ8zxmX1Cp
aOWfhiFYCmkEe6Ck9hG+OaWt7+WW0wWT1UFiluzRRAEMROcCUtyB5IPCqCH/Rz/m
/bE6G+lHZo6OY/wY2q/oW2f9JB/4QyJeSI+fkjY/wDjfNQjiPMLfZctv25IeZYVY
ZvIKrdnjbzRe+GwYLg5G/SbpSOEb5O55Ps8mNUpYFaMCfefW+DG48a4WyUGzFr52
BMKvHKtc6c7P3+muBAqcNZYxRqyLIQiYiV9CCjpIV1WgUeedroHUXvJF/SAvNVvB
ZR00I/D2hsD9BFh3B1FEYbw7GuYuG27Z6fgRolOQUeTabjQLI386SV3IxZ1KFwm4
GU8BTbUA2zwT3hu/BaaCI5jTSLyBpdo10b1wgMEnqmXG6AbNdxFVEWwE+CE++BHW
0YBhKp8fghHwwN1fwTCV+QyA4Qn6EBVDkTrUPKqTeCmHzt3AQh8WVrsmrodyr5Yp
69LoRnlkLcGJiOCKMOmkop9Z32ckGieYHrl24Dw6hmUSWDG+pBn0ezbSPit3FhAA
qD2y1VzqxsaCOD634Ltq8AbvphP8XZPrrsC3DIA36ITaCQDa5Cn7madLCXy/uP6N
+tojtzXf4tUzumwGJGFLtdMXNmuEuXrj++NrU1xcscbvDn5O4NDMadwI1EDlQo7w
uWK9jaQAVhF7iDEBEazZe26knQFxC0my4SyO1uQaEg3BKHj6z7dkAjzWJaQZhzql
yrRzbCiVUUI8ZkrgM/+/6NJohUG/had6DoefgK6H8/yjgVx1Wtx+XAuBQ2cvclhc
TAmHs128dWduNHxI2Yx+uM4kuHYpPKBwdEh91ZNeNqtBJURfSVjBCjKkTYiS7kiv
XyvQOBdZVeSVpj/QoAfaUlQoBVm7aF6xf7GtYlVzjMsLYdpjXhy4ZbQQVUuPI+1f
yFkw8PpASZ3gvO6KQ4V2w3hOYAxYQ1kSwTtaA7+18nyv65VolTmAotmLun94UKn7
zjopByBnC/XEqsU3tibg9A7xQ2KUpWkpmG35f4ZR9aEIxSe2Jmm+Se0JfiAq6Szf
dyWvr/TzaS/BZL4WEPk2Vw/mzWEPZOscpIkBFGK+Ul7yuXvbrbwr+zmAikHmTb1V
XfPb9eBnwDDuRHhLBym4FMrPjzeziAxxkScTfDjWq6rvMmaEe1CX+dj6ldx9Jp9d
iUngol89eSgAQOtptjcit5o0Y0Mu/RF6KIBG89ghFly5Ag0EX+7lVAEQAKFx5asK
W7A9BNKPkaXgym0AlW2szQR1nwxi3APLVLS0Al9Y/3mnBbYyO84HDr82AtMSWSMY
UZIKtkUj2sVqUb+xHOPkY/MenyoBrCl2qaTVJ89nnWMUjtrX2qk0O09+ByoYXTit
BVPAIZ/qZfGNB+Dsp1haNKRdowkf6WXkw7A9dHB5isVmaM/Z0THNJRHwc6mcqbEV
M4fDL+OCx6m2KQHTHirk+OE9Nwral82IIqj3d5UBHmjHAbQNXTDzZbWg6tYbLN3I
EYxSRQpkJZIVheyBmWFZuivm4hCDZxJlZ1sgxQeIZk6wR2LBR6ccTW6PH11PhIpr
6O8aQh8JUMg+/aJK2eQXINozYdjOTUjnWAUeUqML7Pg/vERRAgHXO9Z+NTIEWEOo
Ee+8WOFmrmfjb9Uz27DtymhUjOl0ryiG6F1b90t1rZvVKWR2OaCUhICm88o3MCgb
HFeOh7v3tnQb2Uot7kY1hgch6j1MNYWGb8LjwoTAmx9okEv9mh119k+SdVJP6wsX
ZtL4860vTfTw6RQM7rkZBzTyf4qCvU5uRSd2u6JqtUhw4m/gkKQyW8jLEkqX7JaT
+iEBgPzjALvfSWDbDgst0szqU5jltYpgjG3On7/ZGFFJrkB06orUvovxLThWWvm1
iugw4/av3n64hl/yfxvKQHLQA3Kfkjjzc3oPABEBAAGJBHIEGAEIACYWIQR+HJGs
gDClpZ0e+rl1DzyHcj5AEgUCX+7lVAIbAgUJA+tFgAJACRB1DzyHcj5AEsF0IAQZ
AQgAHRYhBGFPhWcuJXtdQn6ZBiGZBzrXgrS4BQJf7uVUAAoJECGZBzrXgrS4jfkP
/ApYZIRnBL+LdTPYdbZDYXotkE6RO6ZsPdcV1G6na5jJ7igdVuvoz5nP3rX+oQoH
6k9DysQzyh/SkXRPnbOOyvQsI7atmH7SkhNn7ke8zmEJLzApHA0ZMGXtBJHQkZwA
5LDWIQb8HbtJTBr2DyJcQdpRmP3hHDgyYgwg0AUG/2JEwYqps+/pqJCrLSP+GLOA
ia+wRH9xwv1Vl2gIxWXqEO6U3puqUg+0z1Av4Gj/xzuw1F3eLrOfgklhpASc8QtC
89kx1nhFS+OybQfRAH7YN9DKE5L1kJxQ4t+uW8TiXf9r+MdcVMEI3LATZRtgowFc
493g7EkTppmqabFns9OamyxXdIzLAKoKvykr7HPCBWUnZn2I2RrcGQltRBQlR0Mb
jO+sFi89XnFPwXIw/t/9zoq1bXCGTt7H5RtrfxC1wTYXqLEdV9pptNj7j5mlff9g
DMw1v3MfUxbz9gIDzs7ANnw3SkWi+d0v0bLadWdItkq2WKvvgB58NJtKPc8Jwilh
nO7W31U/kv8FR9JcFXzS9+Y6ejIClF4FAwr5tK07N/xSFAKEs5kyAYEKxP6vI59m
5h+tO8cws+pi4gqfWa3t3b+dVzKl9AIkWAYjq9FvbfiqZgKTlTviSUMpmK5qJVld
72+NiolUVniJbw9Z10ps4G4zmXSl1ZxyKnehUzcKyPieEEsP/1/tctQx1LhVu0TJ
RLtWrE523hqxpqDdF8/QrNp9dX3YVoEkMQW3YYir2oERtaosWXmRjldq5dNfgtwc
lhG+/CP5rxNeCJlI+b64pC/yQMCrbz/V74aAipuv7ZZMflgr7ZD5i3jyM/7/AunS
qOUPwkKrjetNF85eibeO7c0Y9/HhILkLQ8EoNfJshdc0/scwMZEpLHTMAHSrxCAV
FuhLsF9epenA6IbtuMsp43aSxshX05RH7F94uj4VCMUSs/90viB5njItpPdZCqUH
eXSvLSjxqsmS4Tz9Dn+uWvxleBLRRcpZykuNLGgwVXafWftWbA+U9KaJnDWFdzjJ
+gAsWfHfFBOa1RfXYP++e+VJflcHaEZ4byLG5Zf1HqAvvcaShAVuMXY1hoYJinvh
uk1zJRW9dP7apZx7BXWxbWcn8LMR5GFfunl/M2iNASmkqxJ9gvy6TBRWJu2QeNbN
5Ks0/GDUawQqvhmM3V6zFQWVsPwaHpufIaGqnKC2gXaIHXPP0ldyXdLXwgZ+6A7D
IEqHQB2BDbiJtovk6GaK8PUCEHTiDmRF/mBzlpBJOn+Hc5ELufgr9E2lkrKJzFag
CBCucNhVEaUedFrycxfSALing7DJPWb5cobu9K+3T9L3k57XgxSAj+g6vOxHuxHL
ve1IPheCWfkKpJH5faFDWKpJYYPauQINBF/u5YABEADgWTS7wFA39XvpWNHSfAAR
2/nlGWuTvD7zoirzUwOd2+I2XYwgl910KsznhlqDrHZlqKuGRjQlbpyTbsOH2N5k
IE+0uEXidU3iwslSZ33RLL0h9+czDnlgijYXLCg5ScswBEC1E/kXX685AUCTPX2n
D1+Ymxxgov3AvItVxKDd3N5ERsy6hYWPK4ACXt47hJFqPfPtnQe2IdFkRm3bOuX/
X79Kb5N6cAoao65Tpsix1pm6tTNww0+THzIWzK/yhi1/tUOv/QJMEVAxeBAPr+Pm
mvjHvsI9RNQt7VnoHVkqJhPDxyQZR2IOVQXvlYyCtkPA4WQlyxLzWM24TG8xhD1v
zZzA8qs//o9QI8OLg2ZYxplC4lW6GEZk3GnrTXs7bW6HUq+RlayIbDw7oMs30jAv
YyDdQpZrYuZvsWKbKu+65Yi3M5kW0v96LT3ueMJaL/RanL9JhAWuEqyezffsBZ5a
88/i0n9FJ8cQ1fZq2/GLq/mN2JZ3e/HSWynTnlmk+qGk2bq0cRFJNHAs2HNAm0Id
pjSFCPmek9j30wp2c2knML+SsSw5h6570mwILuKwFr6i2hyFlPk4H7nP04vPQ8P2
Pu5O/Cfg9rPSBjIi9FsNS8/a29sSuOmsSGHZnMrVUpGw+iKmx/jVejOtqe6hYydu
MSQtIU59E2fq5TM4tub6qwARAQABiQRyBBgBCAAmFiEEfhyRrIAwpaWdHvq5dQ88
h3I+QBIFAl/u5YACGwIFCQPrRYACQAkQdQ88h3I+QBLBdCAEGQEIAB0WIQQjoUGa
YHzyVyZWN3UsTffOV4ELlAUCX+7lgAAKCRAsTffOV4ELlDerEACBP9kAH17GHloL
XJjd1IHttRWU2Qs/VV0H14g14hgRz2/Qa7KRR4mGrXPKS/ctMkDXwlvs4HPUTeO4
MMT38hwxv54AjW7CtF8DR3EQFXKR51roICQognvqpPe1auNERdLzAdcn+NoHEQB7
eyPqjQM3OGGq0SVRwNnv777o+Kd8Ncv/4fR1xvA20Ds94G5vCYpHB6J+lPPVXBmz
rOYSf+QZWsXjAZdnAAYkpEjfJhNrqvqSoRxZ0dweCqieenm8Nzt/vdL9nT3+4AGy
5hmaAG2ENj5AhI194gtgACvKwCl5hF0VKMhtm5d9SWS+1quHzgn3UFh3VZrfjPid
CR64mIu3RpZe7EcR+lMl7gCJxdFlHVD3z1lbz2V6u+xH4ZsLrTY+v8kDxzY8ojM/
zDbnlEK+xzA9akhlaD3D3wKXRVuSlrxfEVv14mwKN5AYHN7bLL3bjOo9WYtLznH6
Av4GqXSQ+LOl0+6bLKmD68/N0q2IiZwUSOsxTE1fUdYPF8eiN8L+35Qt0jwybieU
a3JYtmO8EW4ZEmjJGwKgyrf+eigJN2/0AeBwcJyUw1YfzaqqS35NNyn5eKANyFQ2
ZhIjuXRyBOoUMBAx2TSm7FGeFOIw+aQgap6HuGbZ0EZBz6hr9ogNC9FVXCPENKo+
GdTGoIEs0n6gGOPP5ssp7xUK3420AM3HEACSmYaNC1Gfq2d81fI0TBJ9ATCRPo14
MjJGiWaFaXoVp/lQeOvlX2JyBG2I6fhMGPGKntCfX+/MERLNAiahQgOjvnOCQdlL
hbq+6loQ1eSTX2AXpRlQpvyxLuebbM+HX3N/9mqAksgQdljmqoJQbiE/HqXqjmKe
16ylU3Rjabyc2p/31p7hm0IJ/3yqDsM06FUBJ108SALQyVvKqRA6q1t/Odb3xgt2
isbCEgvhJ8kYz3LQkvTW75rSa1cM53Udd1rbyo1t0PaOSGeUZw73/nY1+6LtUEg7
Q0x4ohL1UE7z7+14mAtn4OvGDuZJil7Lf4cPszf0SFoHPs8iUFpSorBwn3u+5ZXW
NYFblPU2WK3O52qZqsjuQI/gK7uQhXjJO5nA5M8Yv7bVrbLMOj64hdOpNbd56Ycc
qwYbHZL3WyRAN7TNg5ZlHgIVac22StawjXiHWDGaAXpCaHJn8ryM3LY+LTz16R2M
bi+HVaw+0fY9f/mIcOdT6AyDg+V200GkGXL6aw0LZkBZmDin+OMmL7AS8TZ4dvZt
zj+sykcT8DsaFj5Au6zHJoCnsuShMquHOA/vcUkhoe8/E2Y2QdiX7zwDM8vFM8tX
DujFLNPIZuItcVEpE3ysFV2ZfVgBXoxTlZUQxdgJBQ0zg6Ez7rDYEAhVqo2gY9sk
XtN80X/unsjGSbkCDQRf7uWiARAA3i7pu8/QvukeIBoIk1V0GHGPjX+GeV3fR4fu
ciYgx+NKTXT/oJ/89KVeetT4CSnGEZcEpAvsBL3hsiblJYyLVmeoCniFlU+rMem4
zYP2PnEX70Q56d6SjBArs3K1FZK25S5qqv5ceM10NVRwPufV1RIuui6mQLm2ZwlY
JyyANZZXMrHMJdaHpK9mMBSSF42MFQZhcauQCrhMhcpmZKn0D2+PpRveYwSr43Qi
qBWR2INTDmj/V3ERMviE7vLajWQcmDdcrBp4u3miAJcJSn3XR5SiuL5W77jFEzgJ
zR8yTC4hWE60nWJOk8UrEbpLyr7mBE0Tr7+1IBMgVXh8WHyzLE2ENREFvtp8KlSS
y47Ky9n+5aqPI4M7epMNwU/ZGQnC8o3yX0zZL1tKq0fTAw1Ly4NGE1gRbmzrQcCh
qUHg/J4KFYBMg8eCAzuPp4CRk8wUzu4fRWrOraoz/7bvhH8ilgPu1teLLKzDdOdx
QAaiz/nGy00ICNbYqifR5m73K/rDdjtIqgsMp9Az0mEpgVNq8SPzM5grqAnP/iww
QxwFftiXq/pEP2d8rn65e8NikN42Q28PH1D/uBYnOuVdZUvjU9wwywmfyr+NZMaH
X9sN8R3Kk990W9VxwdOTITpAjz0qMtpE7i/GwPEtpZPTIfl54+cVKvyUjBuTXkWn
vXN+6MkAEQEAAYkEcgQYAQgAJhYhBH4ckayAMKWlnR76uXUPPIdyPkASBQJf7uWi
AhsCBQkD60WAAkAJEHUPPIdyPkASwXQgBBkBCAAdFiEEBjEqvVaiYb6sKxATk1aQ
aqvQi4MFAl/u5aIACgkQk1aQaqvQi4P2Mg/9FXfsIZAgPN/Dq95y1fHG8jsPXEoY
VNY1codxxAaNqvBXZkfJbFwSYpLY3xIbyxHuGuOtC9NpIy9M1+PR7MsxtZAvSjP+
flP/12x+6nP2H3NWOICpsY1tNOnQe2SjKJxZXHFnDqDBgKpv3QfKUHmYEdExJe3p
NQrjZAgmdbEHeoj+P2VV5vqRrJoqNV/pUbM9czfEHeMVMm/mwWNOi/paCh1y/PxZ
Mkj2bqLMRFfML9O/7QOJRxu3wQwl6jJHj4o6CHks6t237FSB+qZhhQP+vR2CZl5w
lQ4trw0wpNgbZRIMlU3tUfFQ+KdFsM7UqwzwrVgWFur5r7KrFzJN88EKSplrIY0q
se6S5b58H7Tw1jtfjb/xF6jQz5aoZ9xemd8roLReRpKPq70o2eIP1HkjCtqmd5Xc
RQaVEUvlv34WZQ5w2eA1bEBESjbrKhX+H0Un0msUS0JpnpegRNZqW3Bedeos0usy
MsfqMYmZEcZb3hw51XnSb8B/WhkSmcoEuECRxeCu1tw0pn7o4GemAeqT5ng8LXeE
RJhrUTlCIyRab8TIQZvmf6XjneT0stZLKCoZUXO+7FH7F7nPsew1dU+WFIauQX71
PkZp2JMT7W57HKPuEillF8v5+H1k9Jq/2k+ZdgmT1Gd27nALBOc7q8rr00Lf6BU3
K+XsfWo+p08CXKudfQ/+JFzzpyKeX5nVqiqbxqUakPy/Ot010/7457YVpvcLmcvT
Yn4cR0dottl96lp5wT1jN7VXfZu/tsHEtTg1ofeExNuCL8DZVsSN836idRmObhLP
dnYmThZcXBJ3RgSniQNwvuuGUtpH7OXb5vnAOe42+n3yucxhPI9Gzo5g6fTqWwb+
qwh39ydxtiv3v3jgFixJLj/HH3MsxTm6cNUTWNLzvX+HugBeuOfyDG9++fe3UmZe
MczAF9N9tDFP+0b1diXywJWfSdVLBmMARYeh0Swjud60SQLTqaqXVfPSECGo9LVc
wot2u4q67QhUC2OTKiTkF6QVE05iKoPEPkCTmMvSpbHF3ERZE3J6YsVg17Uc7LrZ
7DRRF+03mu4njS8LvIoeBuqsB96mNQNH/PwLSANWTtclCwj2C9W1HKy3zKjnu3kC
PHLzwQFEO28TE5EsblnBdA8ozNIV887V7yw89MxPhpuXRn8BVAU1S9Dj7j3mNHLj
rVAgZmr/nx3oDt8VfOZpK8u3u1voZdC+cnTBdcG2gzM8Ya+h8C60Y8dFzykr8hr4
b5gDeDI1OkQ2vOQHtnQPdscYKl0v1ntHq2wrFuCIol4WneKh3Jrvdb37cL971u4g
dpw0jTO/ykCvLlipxjJ/NrnXFb6TriZRgWZqiIwY2lKEfZDXqc/iOa2L0yBr21a5
Ag0EX+7luwEQAM/CQdinTzIHaEJsCe42g6tt4dBC/UC4wD367rJcyJbEd+qaLJwS
CQUbg/wrEdRT+aROHVKLwrvXxtgJs0x15vvFTurkn1BnNMh7p8woYwip7PKrNn2+
96Yg7Aqc3a3gkDQeF8Q7uipOH/5feJh6l7Iu718pvnDUw4UFZt/RUrdqseFXVwr/
ffSalLx7gJhL3mYuU1qpJZxsonNwAS43eViagI0FHSqixB5kPgFcbBf3BIiisOCy
a1L9a+zSt1y1aEFC7m+9YlGJA3C0/X8s+dK0VWOrJlP/WmKUp3Epxpu6srsBItcT
YMuGA82/03YAJ+jpGMRb+X1Dq9vuOUxvDjG+G10Cgew2EjiAkXpVg/1NsCrQWRbs
KtFf5PXGfKCO0i8hEzwmJLd5OlNIIiup450iX4eS77Tey69hGyweLIC4YDPDwFpp
bkDdRG6nDvePbEHi5z1L41NaWNa0wEyh28OqrmD0FCcGukk24pBVemVEx0En4siQ
la6/1QXQlG/wTi7Yi71V/4oz7iZ4lSPWs0ACFGD9W5InlRykiRXC1cV27f+qMw9u
Y6UbgvN70cWflK5C7e2h/eAQfxj+seYFUjMnJTkXiZE85m63p1Yu2A1c9+jqJ0L3
Lfn5YIQdtWdY3Qc1RIQYPVRl5NcgXIPV7TwjvnjowuHjWX0IQbhv61lNABEBAAGJ
BHIEGAEIACYWIQR+HJGsgDClpZ0e+rl1DzyHcj5AEgUCX+7luwIbAgUJA+tFgAJA
CRB1DzyHcj5AEsF0IAQZAQgAHRYhBOJesM8c6ASdR/HZpjPhDkoYOo5GBQJf7uW7
AAoJEDPhDkoYOo5GhpcQALowCpZ8UowMWlQFfZ2ySJalnZM6S2RxCFiss4W9pGuu
9PKuN2wdXW3HGkBGDAuQgLwanSfhGSt/urT3+DT40OlDMzanRwEK0qiSaSs/xBtK
dNL7JmGbcWTXpNP3aHhfYhVOg7NJnsfZ8Ti3dfuv3ZrjcLvgdnZ/s6O9S3gU8DtH
fpnOfE3hxjUEHEw9hs9Otc6foCqMDZDvfU3emYduD5AvTiXYdeD/mZBD4OmF99II
XWNuQexAJ+xgOPdvXaYt0lBuXmfMcn/1hrU3RJqguwnPZ2cU5zo41/uSbdsFrTHK
yEOLTn0XYYk07mZGdscljzmXbpsbAC4Jp8CDBhUfdzfi1n3AOyblk1nywfionLlz
HDtfWQYCxp16N8S2MU7tA1w8rFNwVDVwmxIfgjLrjPAgvqSpCmLHTXNBfdLUYRAv
SpY9TR+U4YOOuEx2Niwnprdjm1qilN+fmPR3tWvVChlD3kHmSpi1+9ix+xizlBjN
eZ08Eq5rDBPsTpqJmoNS8pHE0EL3IVpcB1pZ5rd6UBSa7LoMLeWwWm7Ap5VZALfp
jMNws4SA2q5OTRY2or/+m1+cfDWIP+2XQV4YaNFMbO7XKr3vnUOxY9gyADqfRJiv
DljHiw5iLzbkaHs7dYJOPNMGMlRzZfkkxg6Patx44TQ2rO7LnyCgVdFZWDHNevgR
Z8AP/152xfh3qsOnT+R32Rt8CcwXmKFxLylgpjegcUmbutow9zdlX26qZ67cJ/3p
hNLZgAYKPrGecGA0BJ2UzsPEKKz8I/dAp96LpHo/24WqUamh1z2PRAgyJGC43zm0
rA/KAlcht8bbI/VuZ5eAYXjH01QfPS7i7fFOryYYFqfH+BTp3ZEr/A7FkcOZXmNV
Gg4+oC2t6cJnzDsM0MUJ7dgNAHTLGx6RZZahdE3LJ8oVJ8Vek9KtjJbPr143EZLt
ymkiy93pzLUaKWfCZJCCI9nfJnNZnvoQXv0l3wnrQIFE14Fv0jbTALHRgRJlB4cZ
i3teEuf7shSDsd13JDdfmxMsxnfeVsIUPa+J0GBSbe14JHXlcd0t03cpbzO547Qb
rFpD98XO6Y7OefWD3pwDF2Izjnn4Cny/hpUIEO1A2j4qHhUkqmnFmBO6yIFic637
CJnYe3uU7ss/TNIUKLhujqlcNl8WeOMVPbhnCuOhyQh2aioAKn1yiQ1EgNSIGIVD
LwqMt0kxI52/aDkZgCcEfBFC1c17IeUH+G0HMGm49/acFHkhX61S4efXhvzH5J0l
Dr+0qk4aVKNwqkUNp56GSMLhiiSYivX9Xa4qQGNlmrki1pC2DamlTXDLB67XQcRp
dAc+4nNTK4E/czrr0+wlkgz7pC1MAllCLilyTSPGnKIPlOd2uQINBF/u5d0BEADF
+6hDuKvzbmKWZNXjJK6Em/5nnzBOa155YQLN91zMs6COI4p+YuIVPPzVWZYR0yHs
gTWw45cMV+RYwuL/P+1Z84bgOyPloIVF9VQjOC+wB3Gn4qmTzobr6q+UfQVvUiUQ
8fGG11teWvYpWiG91uialjHZmrpAOQxjHRxHPpi0cZtTFEqinCIy6c942xbtZnzf
nzPpxkKl0a8s1eKZ0KlDK6Ab59nxAinilohXRg/U6sqypsyLl41L0qMZek5dEt4C
r3spdSkZgxqJpLTqQy/5VB4pcfEaIaank3sLxhpil/oQiq+38WA0VkICQyeiCsvf
eEKyt1C6COBNH+olegUxudTKDHFthyGMPRz3McI5jHxCyru0mfLJag2hHXzgGoaD
VkYIwkvyVsHWDqrZMMXcCIUVlpphxtHo1M32AATnWFe4K1nFdbejR9XC5xWOgwbT
zCblqporHzU0c8WBbfJ0Y10IDrHsa/F08PkFvVN48Ydik6rcwowSPxP+59Q9AKLh
Isd2hzfWU2zAbG5Ph1wecwlYR3tp/0i3uSTDXfuuaY+vrqpoECN6fnSg8NxiBbjU
JR0Ju6KDM2SeBUz5hp9BzL8+OPTogRZoinxBogrRAvdGLOnLG5hMjBezzF8UEvp6
IMisGHBZgXoX4Juvf78RE8JOwHa+HUejj5kYiQW6TwARAQABiQRyBBgBCAAmFiEE
fhyRrIAwpaWdHvq5dQ88h3I+QBIFAl/u5d0CGwIFCQPrRYACQAkQdQ88h3I+QBLB
dCAEGQEIAB0WIQT2AU9wN9W7TuO6I3E56nu98JFFWwUCX+7l3QAKCRA56nu98JFF
W5whD/9Hu5cnJ0hnzqk3MQsdMXbTNLsv+KePV71kcMRat4hjw2Li/TUaC8xtA81d
O/1obmsuoDAgv82KlQ7DLDXjFk2q45lJdgZxAkN3dEoYakdTIEi11FvwbhV+qxZK
jTq3jFQho4i3GDLgrvBMG4B1TGMH0IPux9fmBGpxYKmp1GjhpgoMXp9bqzsV/mPZ
TxPlmIpeJEO2jeCWKhHHw6rzwGjF68G3HiJ0TqvjdCtcNrwd3GTDsdEJtUl49aqF
M7VfoqKjVdRO/YDL//+TJNOYz5EBGjIZxbhgZJ9Qz+geSBx9GJtDWdq193ofFi39
oleTFnEMj+OeIr1Bc2pc8Z3HJttFknicJDkeze3mM0CZAkhVkLFy6DvAQkXrgvfp
AUYFACQW8E2XmRBiKd4huojWYz5QGSEIk2fYRVhse2HAUZ9gTODSX2L13nls+BEi
sArsmSFA/RQslDXW+Jl+P0e37BzN51uk2Dg4ylJUBgcpTRUn4Q8c1DgHDhkEVnBI
ny2H/MFuhImw9g5xqlBfCEKh5D8D0e4fX28MhSsBlOCeIKJoY85U3GNY0tlIwAt8
M7IIHe1n1qncPbAMmq0K48J1lfyTEbXpnSfArzEdbnosjBUaiQX5EwA656eZ6wb3
Vq02UDei6KPuOosl4Voy+Ffq5MCkanVMA97/0wV3CeCvQYGbsvsUD/9fLYc3yH7A
0xksK7PImztDR8MLsUPoiv/vnfZ+WJJ+YJ0TKAHm1ZO3NqeZmD7XoWHKwh83zsK8
x/JUASCBN16isC+Ym6IwF83/HXJfKNvvotkr2WG6Dv8Vg1Hhk2Iv5y3EMbFa9rfv
6vjxho+0sYrraJH8qQAM08IIOi7+afrkR/ikgA8V7ymqmdxtMMHZqG+h5R0VGTVw
QBxZ5/ZiY56Qn5UH2m0Tc2AHOcAQTvCEwyb19IPyhif+rek3npSvKtDc6WBJioyi
gvDhl+jgIfcIo77w6GthgbFc9k68Je56Peu2J30zWj76Z+Di1OJhAj1wFr4/XT5o
c1MB/Vfyx3hEPRDNz7dRaDqoVnYVdoI0blyCiSkD9I4/axb4X3xN2SK4XA/zv+Lb
1FbCM1XFL2aF+09tk+77EVdWsBmQpOArD0d54E1YulBGaxVm5QKfov23KiqHIFVF
8WYqJqNJwbJRZii7klczkVm3wFte3NWK7HW8kfF147lv0z3AiZYnk0O6Mj1ip3R8
Qm5yiv57DbbgIMkSPWCpEtFGHIoK2msJ2bQcizh2WGxLos00RTx3IVAeSAS54+kr
rMBg50wNczcGHKPDUKLwkYczgHonUtljAkeXnTl69rifChI+KpjHNtF6dFgC1aSt
MOud6HhAcd0f3lmuPzCGGp4YOQx9tV139bkCDQRf7uX4ARAAxaybudQK4fMIzLiV
grIzthhb3/DK83PNohTNMemM2V2z1Ij5Dlu2XNDypMdR0rKM/QI3zWud1+vd2h/l
QZlg58FspvrY6I7hI+cbdRldVaAKDGQHo5Bi0a7BkonZvS/0wnNUPIhy/znzXtXR
f4L7ePZMofH/2shz4TZ1yNpU8zaomY6eNjSc51P4vVxtDQ4QofQeJEn8aO9a4whu
O0TVEAPKRYBRgjM8faDuUJtLfiC3OrhLg+B7JVSF3di4JITAyafPbZACLjV7Umxb
SUL3qTJZVpIuhF0xQOCE+WRx3Xs7lkPdHMqP2OaJ8Y4ymR08cSfIP2XFKsQFtoqT
VyMQgGgI6VXF8OfnCnGgx0Do1vJNoL0neFzVXpCPPzh1RbcrtndZWum/1R4egkYg
J8TPQH5X391J58Uwd5l9/ZDdoSeeQYdtTR4YQ8//ATFO3hoSRvES4U6ZwO8LM6di
ra6pqb6j0liT+DdcBwE4C1bGJMJ6d93S5SfH3llDIMJo7uJDbKILFMES9rg7S6I8
+SW75TjKUk4Y7L8R8qwURqEyuOOGfaQXirqvji4PdcGDBiIk2Oq69Ky6lmlJgyIH
SZ7SO1JXk0yAJTXb+a6FJTLFxidkIZzu+LhLBn/MhAPjVyv3qCTQ7O0lu8Mfcqg5
8hhJ6IE79PBHS3z8ok+mFK0iGrcAEQEAAYkEcgQYAQgAJhYhBH4ckayAMKWlnR76
uXUPPIdyPkASBQJf7uX4AhsCBQkD60WAAkAJEHUPPIdyPkASwXQgBBkBCAAdFiEE
JFV3TUL9/mucOD64/hACvFlwgR8FAl/u5fgACgkQ/hACvFlwgR+LoRAAgtIgaKb4
ZY8qoAFZeph+Syg+mMKfPJkBuGUedJl6IxbHBSg2mhnCjJ0bmdqxsAXgtcSUqmtZ
Yw9NyoGgiVjs+gu5sQp1Oxc2/keQXaVksTkoXwdnf+2iXyp1WPeeLGySHmzuwy9c
eExt+h0mVmBgFls2wNdFGPbVfiT3PvFkwqsnta6HebDTN4pMzvG1IIGV7L5KRo1E
dmkrt3lXQWmdgHl3JoNQ9v/Jgf4jo6gDw53YvJFKJcaOOAS3d4CzPWmcLzcy4mf0
9YI3DoQCbYL3cRNelUwzUF2L6QyPCwonXemLCmfkBgsSVqvW4fq8qbEHGF2fK7x3
d7bZEsUiGCt/tXOkDkNJ31T/mC35nxZfcj8AMPixO+BnAeKeYC37LbQD76jrw526
tUXsAF+QON5DPeot+e8bIx9qSbvdqpXDkK4lGcRTuS2OVC8J9XfDTch4wm3Kd4P4
lDdRAJWnLfVay0m05LGlekWdEzcjP8KDaICH9rEs6f9e1gy6mTEBnBW//41BxELT
KxoTGlcX3yEhCmK36g5C/+d6b7Ji5arGGTCa96v/xG32KYc1zfn3TYkCx06pPUbz
iAl2l0MTpGeqz2hJMOGA3JuxwlksJKqnPYy0hHKdVW4Pnn25NeXcBp8wpkt8VZOR
bzjw/TJB7qvJHoRo1tat85Uij9rAXqTyO8Ea0hAAi/EfuiDDy3GV7bvjFSA1XEjL
d+F40g2X0QG/PHTScYB4rFJwV0GFUxLHr4g7iypAVI+BB4EYikx8gpee6B0g3J+r
aCFDDrRPDKdqrpZK53oYcBPkdSBbCr5MAa/M3DerKBEgoBVUbaSHWN7OH2ae+5R6
X2ERmYZdW4PCj6lw7a+RhkAsgKo8RjonjV61ehQPZh20noI19Q80BYYSCfHHvzy5
vwvByhmTMJNrl3PDpBy9/TwBR5DpnHfOPJX6bnl3pdu65F2TRM6yoFbfoUiEqrXV
4wC1I++N9VjrQvXSp0ik/XaMWq87wLIg+1owElJIzwyZWukQkZMAYtesVFz20YwC
7Nu8SNr/NTSCH1EqLsS4YhBTsjpc2T8AqUlgxKrilmLbrj64PXgMsQ9WYm5zwlC5
UA5eky5YhETFJ25dIaplMm47aIbPSH5f9y5eYPkfOCoMu5oDzDzoXdH9V1YfsHqa
8bboSgTdariC23x38E9PaWQNyY2MFKL6cFt2ilIsMSSD6JAm1x8kBtn1bBopG588
7mTDtlqHCw/QrTuLreJG9KJ1dQFJ/Q42+csH09l081wlv4BBuVlN1Xmj+c2sWn90
l1BPZfYHd9jhggI96yTZhfTfFbSMSuGPQyqHnwDYdA3cNj5BYievBkO5FZaCe9SZ
4xcYgqlVpv15O7VrD+I=
=Uugw
-----END PGP PUBLIC KEY BLOCK-----

173
dnssec-checkds-s.patch
View File

@ -1,173 +0,0 @@
From 3b4f23cdbfa3f285d06eea8c4101650d2ab4e945 Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Thu, 26 Oct 2017 21:05:11 -0700
Subject: [PATCH 1314/3677] [master] dnssec-checkds -s
4794. [func] "dnssec-checkds -s" specifies a file from which
to read a DS set rather than querying the parent.
[RT #44667]
---
CHANGES | 8 +-
bin/python/dnssec-checkds.docbook | 24 +++---
bin/tests/system/checkds/clean.sh | 2 -
bin/tests/system/checkds/dig.pl | 2 -
bin/tests/system/checkds/dig.sh | 3 -
bin/tests/system/checkds/prep.example.db | 121 ++++++++++++++++++++++++++++
bin/tests/system/checkds/prep.example.ds.db | 2 +
bin/tests/system/checkds/tests.sh | 9 +++
doc/arm/notes.xml | 8 ++
10 files changed, 190 insertions(+), 38 deletions(-)
create mode 100644 bin/tests/system/checkds/prep.example.db
create mode 100644 bin/tests/system/checkds/prep.example.ds.db
diff --git a/bin/python/dnssec-checkds.docbook b/bin/python/dnssec-checkds.docbook
index 91716bc..069d6e9 100644
--- a/bin/python/dnssec-checkds.docbook
+++ b/bin/python/dnssec-checkds.docbook
@@ -42,20 +42,13 @@
<refsynopsisdiv>
<cmdsynopsis sepchar=" ">
<command>dnssec-checkds</command>
- <arg choice="opt" rep="norepeat"><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
- <arg choice="opt" rep="norepeat"><option>-f <replaceable class="parameter">file</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-d <replaceable class="parameter">dig path</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D <replaceable class="parameter">dsfromkey path</replaceable></option></arg>
- <arg choice="req" rep="norepeat">zone</arg>
- </cmdsynopsis>
- <cmdsynopsis sepchar=" ">
- <command>dnssec-dsfromkey</command>
- <arg choice="opt" rep="norepeat"><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-f <replaceable class="parameter">file</replaceable></option></arg>
- <arg choice="opt" rep="norepeat"><option>-d <replaceable class="parameter">dig path</replaceable></option></arg>
- <arg choice="opt" rep="norepeat"><option>-D <replaceable class="parameter">dsfromkey path</replaceable></option></arg>
+ <arg choice="opt" rep="norepeat"><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
+ <arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">file</replaceable></option></arg>
<arg choice="req" rep="norepeat">zone</arg>
- </cmdsynopsis>
+ </cmdsynopsis>
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
@@ -93,6 +86,17 @@
</varlistentry>
<varlistentry>
+ <term>-s <replaceable class="parameter">file</replaceable></term>
+ <listitem>
+ <para>
+ Specifies a prepared dsset file, such as would be generated
+ by <command>dnssec-signzone</command>, to use as a source for
+ the DS RRset instead of querying the parent.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>-d <replaceable class="parameter">dig path</replaceable></term>
<listitem>
<para>
diff --git a/bin/python/isc/checkds.py.in b/bin/python/isc/checkds.py.in
index ce50355..a161554 100644
--- a/bin/python/isc/checkds.py.in
+++ b/bin/python/isc/checkds.py.in
@@ -89,39 +93,43 @@ class SECRR:
# Generate a set of expected DS/DLV records from the DNSKEY RRset,
# and report on congruency.
############################################################################
-def check(zone, args, masterfile=None, lookaside=None):
+def check(zone, args):
rrlist = []
- cmd = [args.dig, "+noall", "+answer", "-t", "dlv" if lookaside else "ds",
- "-q", zone + "." + lookaside if lookaside else zone]
- fp, _ = Popen(cmd, stdout=PIPE).communicate()
+ if args.dssetfile:
+ fp = open(args.dssetfile).read()
+ else:
+ cmd = [args.dig, "+noall", "+answer", "-t",
+ "dlv" if args.lookaside else "ds", "-q",
+ zone + "." + args.lookaside if args.lookaside else zone]
+ fp, _ = Popen(cmd, stdout=PIPE).communicate()
for line in fp.splitlines():
if type(line) is not str:
line = line.decode('ascii')
- rrlist.append(SECRR(line, lookaside))
+ rrlist.append(SECRR(line, args.lookaside))
rrlist = sorted(rrlist, key=lambda rr: (rr.keyid, rr.keyalg, rr.hashalg))
klist = []
- if masterfile:
- cmd = [args.dsfromkey, "-f", masterfile]
- if lookaside:
- cmd += ["-l", lookaside]
+ if args.masterfile:
+ cmd = [args.dsfromkey, "-f", args.masterfile]
+ if args.lookaside:
+ cmd += ["-l", args.lookaside]
cmd.append(zone)
fp, _ = Popen(cmd, stdout=PIPE).communicate()
else:
intods, _ = Popen([args.dig, "+noall", "+answer", "-t", "dnskey",
"-q", zone], stdout=PIPE).communicate()
cmd = [args.dsfromkey, "-f", "-"]
- if lookaside:
- cmd += ["-l", lookaside]
+ if args.lookaside:
+ cmd += ["-l", args.lookaside]
cmd.append(zone)
fp, _ = Popen(cmd, stdin=PIPE, stdout=PIPE).communicate(intods)
for line in fp.splitlines():
if type(line) is not str:
line = line.decode('ascii')
- klist.append(SECRR(line, lookaside))
+ klist.append(SECRR(line, args.lookaside))
if len(klist) < 1:
print("No DNSKEY records found in zone apex")
@@ -136,7 +144,8 @@ def check(zone, args, masterfile=None, lookaside=None):
rr.keyid, SECRR.hashalgs[rr.hashalg]))
if not found:
- print("No %s records were found for any DNSKEY" % ("DLV" if lookaside else "DS"))
+ print("No %s records were found for any DNSKEY" %
+ ("DLV" if args.lookaside else "DS"))
return found
@@ -151,10 +160,6 @@ def parse_args():
sbindir = 'bin' if os.name == 'nt' else 'sbin'
parser.add_argument('zone', type=str, help='zone to check')
- parser.add_argument('-f', '--file', dest='masterfile', type=str,
- help='zone master file')
- parser.add_argument('-l', '--lookaside', dest='lookaside', type=str,
- help='DLV lookaside zone')
parser.add_argument('-d', '--dig', dest='dig',
default=os.path.join(prefix(bindir), 'dig'),
type=str, help='path to \'dig\'')
@@ -162,6 +167,12 @@ def parse_args():
default=os.path.join(prefix(sbindir),
'dnssec-dsfromkey'),
type=str, help='path to \'dnssec-dsfromkey\'')
+ parser.add_argument('-f', '--file', dest='masterfile', type=str,
+ help='zone master file')
+ parser.add_argument('-l', '--lookaside', dest='lookaside', type=str,
+ help='DLV lookaside zone')
+ parser.add_argument('-s', '--dsset', dest='dssetfile', type=str,
+ help='prepared DSset file')
parser.add_argument('-v', '--version', action='version',
version=version)
args = parser.parse_args()
@@ -178,5 +189,5 @@ def parse_args():
############################################################################
def main():
args = parse_args()
- found = check(args.zone, args, args.masterfile, args.lookaside)
+ found = check(args.zone, args)
exit(0 if found else 1)
--
1.8.3.1

148
dnszone.schema
View File

@ -1,148 +0,0 @@
# A schema for storing DNS zones in LDAP
#
attributetype ( 1.3.6.1.4.1.2428.20.0.0 NAME 'dNSTTL'
DESC 'An integer denoting time to live'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
attributetype ( 1.3.6.1.4.1.2428.20.0.1 NAME 'dNSClass'
DESC 'The class of a resource record'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.0.2 NAME 'zoneName'
DESC 'The name of a zone, i.e. the name of the highest node in the zone'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.0.3 NAME 'relativeDomainName'
DESC 'The starting labels of a domain name'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.12 NAME 'pTRRecord'
DESC 'domain name pointer, RFC 1035'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.13 NAME 'hInfoRecord'
DESC 'host information, RFC 1035'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.14 NAME 'mInfoRecord'
DESC 'mailbox or mail list information, RFC 1035'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.16 NAME 'tXTRecord'
DESC 'text string, RFC 1035'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.18 NAME 'aFSDBRecord'
DESC 'for AFS Data Base location, RFC 1183'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.24 NAME 'SigRecord'
DESC 'Signature, RFC 2535'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.25 NAME 'KeyRecord'
DESC 'Key, RFC 2535'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.28 NAME 'aAAARecord'
DESC 'IPv6 address, RFC 1886'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.29 NAME 'LocRecord'
DESC 'Location, RFC 1876'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.30 NAME 'nXTRecord'
DESC 'non-existant, RFC 2535'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.33 NAME 'sRVRecord'
DESC 'service location, RFC 2782'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.35 NAME 'nAPTRRecord'
DESC 'Naming Authority Pointer, RFC 2915'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.36 NAME 'kXRecord'
DESC 'Key Exchange Delegation, RFC 2230'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.37 NAME 'certRecord'
DESC 'certificate, RFC 2538'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.38 NAME 'a6Record'
DESC 'A6 Record Type, RFC 2874'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.39 NAME 'dNameRecord'
DESC 'Non-Terminal DNS Name Redirection, RFC 2672'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.43 NAME 'dSRecord'
DESC 'Delegation Signer, RFC 3658'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.46 NAME 'rRSIGRecord'
DESC 'RRSIG, RFC 3755'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.47 NAME 'nSECRecord'
DESC 'NSEC, RFC 3755'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
objectclass ( 1.3.6.1.4.1.2428.20.3 NAME 'dNSZone'
SUP top STRUCTURAL
MUST ( zoneName $ relativeDomainName )
MAY ( DNSTTL $ DNSClass $
ARecord $ MDRecord $ MXRecord $ NSRecord $
SOARecord $ CNAMERecord $ PTRRecord $ HINFORecord $
MINFORecord $ TXTRecord $ SIGRecord $ KEYRecord $
AAAARecord $ LOCRecord $ NXTRecord $ SRVRecord $
NAPTRRecord $ KXRecord $ CERTRecord $ A6Record $
DNAMERecord ) )

13
do-not-treat-a-referral-with-a-non-empty-ANSWER-sect.patch
View File

@ -1,13 +0,0 @@
--- a/lib/dns/resolver.c 2019-04-17 06:06:06.700000000 -0400
+++ b/lib/dns/resolver_1.c 2019-04-17 06:08:47.697000000 -0400
@@ -8419,7 +8419,9 @@ resquery_response(isc_task_t *task, isc_
if (result != ISC_R_SUCCESS)
FCTXTRACE3("noanswer_response", result);
}
- if (result != DNS_R_DELEGATION) {
+ if (result == DNS_R_DELEGATION) {
+ result = ISC_R_SUCCESS;
+ } else {
/*
* At this point, AA is not set, the response
* is not a referral, and the server is not a

282
feature-bind99-euler-range-port.patch
View File

@ -1,282 +0,0 @@
diff --git a/lib/dns/dispatch.c b/lib/dns/dispatch.c
index c93651d..d03ef2d 100644
--- a/lib/dns/dispatch.c
+++ b/lib/dns/dispatch.c
@@ -49,6 +49,7 @@
#include <dns/tcpmsg.h>
#include <dns/types.h>
+const char *conffile = "/etc/dns_port.conf";
typedef ISC_LIST(dns_dispentry_t) dns_displist_t;
typedef struct dispsocket dispsocket_t;
@@ -1933,6 +1934,168 @@ open_socket(isc_socketmgr_t *mgr, isc_sockaddr_t *local,
return (ISC_R_SUCCESS);
}
+static int convert_num(char *str)
+{
+ int negative = 0;
+ int tval;
+ int val = 0;
+ int base = 10;
+ char *ptr = str;
+ if (str == NULL)
+ return -ISC_R_FAILURE;
+
+ if (*ptr == '-') {
+ negative = 1;
+ ++ptr;
+ }
+
+ do {
+ tval = *ptr++;
+ /* XXX assumes ASCII... */
+ if (tval >= '0')
+ tval -= '0';
+ else {
+ syslog (LOG_ERR, "Bogus number: %s.", str);
+ return -ISC_R_BADNUMBER;
+ }
+ if (tval >= base) {
+ syslog (LOG_ERR, "Bogus number: %s.", str);
+ return -ISC_R_BADNUMBER;
+ }
+ val = val * base + tval;
+ } while (*ptr);
+
+ if (negative)
+ val = -val;
+ return val;
+}
+
+static int str_token(char *str, int *digit, unsigned int len, const char *semi)
+{
+ int num = 0;
+ char *p;
+ p = strtok(str, semi);
+ while (p !=NULL) {
+ if (num >= len-1) {
+ digit[num] = '\0';
+ break;
+ }
+ /* convert string to integer */
+ digit[num] = convert_num(p);
+ if (digit[num] < 0)
+ return -ISC_R_BADNUMBER;
+
+ p = strtok(NULL, semi);
+ num++;
+ }
+
+ return num;
+}
+
+static int parse_port_config(const char *buffer, const char *sub_buf, int *ports, unsigned int len, const char *semi)
+{
+ char *str;
+ char string[256] = {0};
+ int start, end;
+ int ret = -ISC_R_DISABLED;
+
+ if (str = strstr(buffer, sub_buf)) {
+ start = strlen(sub_buf);
+ end = strlen(str);
+ strncpy(string, str + start, end - start -1);
+ /* string segmentation with semi character */
+ ret = str_token(string, ports, len, semi);
+ if (ret < 0)
+ return -ISC_R_BADNUMBER;
+ }
+
+ return ret;
+}
+
+static isc_result_t
+parse_config(const char *file, in_port_t *port_lo, in_port_t *port_hi, in_port_t *no_use_ports)
+{
+ FILE *fp;
+ char *str = NULL;
+ char buffer[256] = {0};
+ int ports[8] = {0};
+ int unports[17] = {0};
+ int i = 0;
+ int ret;
+
+ fp = fopen(file, "r");
+ if (fp) {
+ while (fgets(buffer, 256, fp)) {
+ const char *buffer_s = buffer;
+ str = buffer;
+ /* skip the comment line */
+ while (isspace(*str))
+ str++;
+ if (strncmp(str, "#", 1) == 0)
+ continue;
+ /* get default set of dispatch ports */
+ ret = parse_port_config(buffer_s, "dns-range-port", ports, 8, " ");
+ if (ret == 2) {
+ *port_lo = (in_port_t)ports[0];
+ *port_hi = (in_port_t)ports[1];
+ if (*port_lo < 1024 || *port_hi > 65535 || *port_lo > *port_hi) {
+ syslog(LOG_ERR,
+ "Unexpected ports contents in %s file.", file);
+ fclose(fp);
+ fp = NULL;
+ return ISC_R_INVALIDFILE;
+ }
+ } else if (ret != -ISC_R_DISABLED){
+ syslog(LOG_ERR,
+ "Unexpected ports contents in %s file.", file);
+ fclose(fp);
+ fp = NULL;
+ return ISC_R_INVALIDFILE;
+ }
+ /* get excluded ports */
+ ret = parse_port_config(buffer_s, "dns-excluded-ports", unports, 17, " ");
+ if (ret > 0) {
+ while (unports[i] != '\0') {
+ no_use_ports[i] = (in_port_t)unports[i];
+ i++;
+ }
+ } else if (ret != -ISC_R_DISABLED) {
+ syslog(LOG_ERR,
+ "Unexpected ports contents in %s file.", file);
+ fclose(fp);
+ fp = NULL;
+ return ISC_R_INVALIDFILE;
+ }
+ }
+
+ fclose(fp);
+ fp = NULL;
+ return ISC_R_SUCCESS;
+ }
+
+ syslog(LOG_ERR,
+ "Open %s fail, return.\n", file);
+ return ISC_R_FILENOTFOUND;
+}
+
+/*%
+ * Create a temporary port list to set the initial default set of dispatch
+ * ports and excluded ports. This is almost meaningless as the application will
+ * normally set the ports explicitly, but is provided to fill some minor corner
+ * cases.
+ */
+static isc_result_t
+create_portset_by_range(isc_mem_t *mctx, isc_portset_t **portsetp, in_port_t port_lo, in_port_t port_hi, in_port_t *no_use_ports) {
+ isc_result_t result;
+
+ result = isc_portset_create(mctx, portsetp);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ isc_portset_addrange_by_range(*portsetp, port_lo, port_hi, no_use_ports);
+
+ return (ISC_R_SUCCESS);
+}
+
/*%
* Create a temporary port list to set the initial default set of dispatch
* ports: [1024, 65535]. This is almost meaningless as the application will
@@ -1963,6 +2125,9 @@ dns_dispatchmgr_create(isc_mem_t *mctx, isc_entropy_t *entropy,
isc_result_t result;
isc_portset_t *v4portset = NULL;
isc_portset_t *v6portset = NULL;
+ in_port_t port_lo = 1024;
+ in_port_t port_hi = 65535;
+ in_port_t no_use_ports[17] = {0};
REQUIRE(mctx != NULL);
REQUIRE(mgrp != NULL && *mgrp == NULL);
@@ -2063,14 +2228,23 @@ dns_dispatchmgr_create(isc_mem_t *mctx, isc_entropy_t *entropy,
mgr->nv6ports = 0;
mgr->magic = DNS_DISPATCHMGR_MAGIC;
- result = create_default_portset(mctx, &v4portset);
+ /* parse port list file, get default set of dispatch ports and excluded ports */
+ result = parse_config(conffile, &port_lo, &port_hi, no_use_ports);
if (result == ISC_R_SUCCESS) {
- result = create_default_portset(mctx, &v6portset);
- if (result == ISC_R_SUCCESS) {
- result = dns_dispatchmgr_setavailports(mgr,
- v4portset,
- v6portset);
- }
+ create_portset_by_range(mctx, &v4portset, port_lo, port_hi, no_use_ports);
+ if (result == ISC_R_SUCCESS)
+ result = create_portset_by_range(mctx, &v6portset, port_lo, port_hi, no_use_ports);
+ }
+ else {
+ result = create_default_portset(mctx, &v4portset);
+ if (result == ISC_R_SUCCESS)
+ result = create_default_portset(mctx, &v6portset);
+ }
+
+ if (result == ISC_R_SUCCESS) {
+ result = dns_dispatchmgr_setavailports(mgr,
+ v4portset,
+ v6portset);
}
if (v4portset != NULL)
isc_portset_destroy(mctx, &v4portset);
diff --git a/lib/isc/include/isc/portset.h b/lib/isc/include/isc/portset.h
index 774d6bb..cfd0bcb 100644
--- a/lib/isc/include/isc/portset.h
+++ b/lib/isc/include/isc/portset.h
@@ -125,6 +125,19 @@ isc_portset_addrange(isc_portset_t *portset, in_port_t port_lo,
*/
void
+isc_portset_addrange_by_range(isc_portset_t *portset, in_port_t port_lo,
+ in_port_t port_hi, in_port_t *no_use_ports);
+/*%<
+ * Add a subset of [port_lo, port_hi] (inclusive) and no_use_ports(exclusive) to the portset. Ports in the
+ * subset may or may not be stored in portset.
+ *
+ * Requires:
+ *\li 'portlist' to be valid.
+ *\li port_lo <= port_hi
+ *\li no_use_ports > 0
+ */
+
+void
isc_portset_removerange(isc_portset_t *portset, in_port_t port_lo,
in_port_t port_hi);
/*%<
diff --git a/lib/isc/portset.c b/lib/isc/portset.c
index 471ca8e..0ebd79f 100644
--- a/lib/isc/portset.c
+++ b/lib/isc/portset.c
@@ -128,6 +128,31 @@ isc_portset_addrange(isc_portset_t *portset, in_port_t port_lo,
}
void
+isc_portset_addrange_by_range(isc_portset_t *portset, in_port_t port_lo,
+ in_port_t port_hi, in_port_t *no_use_ports)
+{
+ in_port_t p;
+ int i, flag;
+ REQUIRE(portset != NULL);
+ REQUIRE(port_lo <= port_hi);
+
+ p = port_lo;
+ do {
+ i = 0;
+ flag = 0;
+ while (no_use_ports[i] != '\0') {
+ if (no_use_ports[i] == p) {
+ flag = 1;
+ break;
+ }
+ i++;
+ }
+ if (flag == 0)
+ portset_add(portset, p);
+ } while (p++ < port_hi);
+}
+
+void
isc_portset_removerange(isc_portset_t *portset, in_port_t port_lo,
in_port_t port_hi)
{

2
generate-rndc-key.sh Normal file → Executable file
View File

@ -17,7 +17,7 @@ fi
if [ ! -s /etc/rndc.key -a ! -s /etc/rndc.conf ]; then
echo -n $"Generating /etc/rndc.key:"
if /usr/sbin/rndc-confgen -a -A hmac-sha256 -r /dev/urandom > /dev/null 2>&1
if /usr/sbin/rndc-confgen -a -A hmac-sha256 > /dev/null 2>&1
then
chmod 640 /etc/rndc.key
chown root:named /etc/rndc.key

41
ldap2zone.1
View File

@ -1,41 +0,0 @@
.\" Copyright (C) 2004, 2005 Stig Venaas <venaas@uninett.no>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\" Manpage written by Jan Gorig
.TH ldap2zone 1 "15 March 2010" "BIND9"
.SH NAME
ldap2zone - Creates zone file from LDAP dnszone information
.SH SYNOPSIS
.B ldap2zone zone-name LDAP-URL default-ttl [serial]
.SH DESCRIPTION
ldap2zone is a tool that reads info for a zone from LDAP and constructs a standard plain ascii zone file that is written to the standard output. The LDAP information has to be stored using the dnszone schema. The schema is used by BIND with LDAP back-end.
\fBzone-name\fR
.RS 4
Name of the zone, eg "mydomain.net."
.RE
.PP
\fBLDAP-URL\fR
.RS 4
LDAP URL to dnszone information
.RE
.PP
\fBdefault-ttl\fR
.RS 4
Default TTL value to be used in zone
.RE
.PP
\fBserial\fR
.RS 4
(optional) Program checks this number to be different than SOA serial number.
.RE
.SH "EXIT STATUS"
Exits with 0 on success or 1 on failure.
.SH "SEE ALSO"
named(8) ldap(3)
http://www.venaas.no/dns/ldap2zone/
.SH "COPYRIGHT"
Copyright (C) 2004, 2005 Stig Venaas

127
makefile-replace-libs.py Executable file
View File

@ -0,0 +1,127 @@
#!/usr/bin/python3
import re
import argparse
"""
Script for replacing Makefile ISC_INCLUDES with runtime flags.
Should translate part of Makefile to use isc-config.sh instead static linked sources.
ISC_INCLUDES = -I/home/pemensik/rhel/bind/bind-9.11.12/build/lib/isc/include \
-I${top_srcdir}/lib/isc \
-I${top_srcdir}/lib/isc/include \
-I${top_srcdir}/lib/isc/unix/include \
-I${top_srcdir}/lib/isc/pthreads/include \
-I${top_srcdir}/lib/isc/x86_32/include
Should be translated to:
ISC_INCLUDES = $(shell isc-config.sh --cflags isc)
"""
def isc_config(mode, lib):
if mode:
return '$(shell isc-config.sh {mode} {lib})'.format(mode=mode, lib=lib)
else:
return ''
def check_match(match, debug=False):
"""
Check this definition is handled by internal library
"""
if not match:
return False
lib = match.group(2).lower()
ok = not lib_filter or lib in lib_filter
if debug:
print('{status} {lib}: {text}'.format(status=ok, lib=lib, text=match.group(1)))
return ok
def fix_line(match, mode):
lib = match.group(2).lower()
return match.group(1)+isc_config(mode, lib)+"\n"
def fix_file_lines(path, debug=False):
"""
Opens file and scans fixes selected parameters
Returns list of lines if something should be changed,
None if no action is required
"""
fixed = []
changed = False
with open(path, 'r') as fin:
fout = None
line = next(fin, None)
while line:
appended = False
while line.endswith("\\\n"):
line += next(fin, None)
inc = re_includes.match(line)
deplibs = re_deplibs.match(line)
libs = re_libs.match(line)
newline = None
if check_match(inc, debug=debug):
newline = fix_line(inc, '--cflags')
elif check_match(deplibs, debug=debug):
newline = fix_line(libs, None)
elif check_match(libs, debug=debug):
newline = fix_line(libs, '--libs')
if newline and line != newline:
changed = True
line = newline
fixed.append(line)
line = next(fin, None)
if not changed:
return None
else:
return fixed
def write_lines(path, lines):
fout = open(path, 'w')
for line in lines:
fout.write(line)
fout.close()
def print_lines(lines):
for line in lines:
print(line, end='')
if __name__ == '__main__':
parser = argparse.ArgumentParser(description='Makefile multiline include replacer')
parser.add_argument('files', nargs='+')
parser.add_argument('--filter', type=str,
default='isc isccc isccfg dns lwres bind9 irs',
help='List of libraries supported by isc-config.sh')
parser.add_argument('--check', action='store_true',
help='Test file only')
parser.add_argument('--print', action='store_true',
help='Print changed file only')
parser.add_argument('--debug', action='store_true',
help='Enable debug outputs')
args = parser.parse_args()
lib_filter = None
re_includes = re.compile(r'^\s*((\w+)_INCLUDES\s+=\s*).*')
re_deplibs = re.compile(r'^\s*((\w+)DEPLIBS\s*=).*')
re_libs = re.compile(r'^\s*((\w+)LIBS\s*=).*')
if args.filter:
lib_filter = set(args.filter.split(' '))
pass
for path in args.files:
lines = fix_file_lines(path, debug=args.debug)
if lines:
if args.print:
print_lines(lines)
elif not args.check:
write_lines(path, lines)
print('File {path} was fixed'.format(path=path))
else:
print('File {path} does not need fixing'.format(path=path))

3
named-chroot.files
View File

@ -16,6 +16,9 @@
/etc/named
/usr/lib64/bind
/usr/lib/bind
/usr/lib64/named
/usr/lib/named
/usr/share/GeoIP
/run/named
# Warning: the order is important
# If a directory containing $ROOTDIR is listed here,

12
named-sdb-chroot-setup.service
View File

@ -1,12 +0,0 @@
[Unit]
Description=Set-up/destroy chroot environment for named-sdb
BindsTo=named-sdb-chroot.service
Wants=named-setup-rndc.service
After=named-setup-rndc.service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/libexec/setup-named-chroot.sh /var/named/chroot_sdb on /etc/named-chroot.files
ExecStop=/usr/libexec/setup-named-chroot.sh /var/named/chroot_sdb off /etc/named-chroot.files

30
named-sdb-chroot.service
View File

@ -1,30 +0,0 @@
# Don't forget to add "$AddUnixListenSocket /var/named/chroot_sdb/dev/log"
# line to your /etc/rsyslog.conf file. Otherwise your logging becomes
# broken when rsyslogd daemon is restarted (due update, for example).
[Unit]
Description=Berkeley Internet Name Domain (DNS)
Wants=nss-lookup.target
Requires=named-sdb-chroot-setup.service
Before=nss-lookup.target
After=named-sdb-chroot-setup.service
After=network.target
[Service]
Type=forking
Environment=NAMEDCONF=/etc/named.conf
EnvironmentFile=-/etc/sysconfig/named
Environment=KRB5_KTNAME=/etc/named.keytab
PIDFile=/var/named/chroot_sdb/run/named/named.pid
ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot_sdb -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
ExecStart=/usr/sbin/named-sdb -u named -c ${NAMEDCONF} -t /var/named/chroot_sdb $OPTIONS
ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi'
ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
PrivateTmp=false
[Install]
WantedBy=multi-user.target

1
named-sdb.8
View File

@ -1 +0,0 @@
.so man8/named.8.gz

26
named-sdb.service
View File

@ -1,26 +0,0 @@
[Unit]
Description=Berkeley Internet Name Domain (DNS)
Wants=nss-lookup.target
Wants=named-setup-rndc.service
Before=nss-lookup.target
After=named-setup-rndc.service
After=network.target
[Service]
Type=forking
Environment=NAMEDCONF=/etc/named.conf
EnvironmentFile=-/etc/sysconfig/named
Environment=KRB5_KTNAME=/etc/named.keytab
PIDFile=/run/named/named.pid
ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
ExecStart=/usr/sbin/named-sdb -u named -c ${NAMEDCONF} $OPTIONS
ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi'
ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
PrivateTmp=true
[Install]
WantedBy=multi-user.target

3
named.conf
View File

@ -30,15 +30,14 @@ options {
*/
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
managed-keys-directory "/var/named/dynamic";
geoip-directory "/usr/share/GeoIP";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";
};

55
named.conf.sample
View File

@ -63,10 +63,6 @@ options
/* DNSSEC related options. See information about keys ("Trusted keys", bellow) */
/* Enable serving of DNSSEC related data - enable on both authoritative
and recursive servers DNSSEC aware servers */
dnssec-enable yes;
/* Enable DNSSEC validation on recursive servers */
dnssec-validation yes;
@ -77,9 +73,7 @@ options
managed-keys-directory "/var/named/dynamic";
/* In Fedora we use system-wide Crypto Policy */
/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";
include "/etc/crypto-policies/back-ends/bind.config";
};
logging
@ -182,8 +176,8 @@ view "internal"
key ddns_key
{
algorithm hmac-md5;
secret "use /usr/sbin/dnssec-keygen to generate TSIG keys";
algorithm hmac-sha256;
secret "use /usr/sbin/ddns-confgen to generate TSIG keys";
};
view "external"
@ -214,39 +208,34 @@ view "external"
/* Trusted keys
This statement contains DNSSEC keys. If you want DNSSEC aware resolver you
have to configure at least one trusted key.
should configure at least one trusted key.
Note that no key written below is valid. Especially root key because root zone
is not signed yet.
*/
/*
trusted-keys {
trust-anchors {
// Root Key
"." 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwSJxrGkxJWoZu6I7PzJu/
E9gx4UC1zGAHlXKdE4zYIpRhaBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3
zy2Xy4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYghf+6fElrmLkdaz
MQ2OCnACR817DF4BBa7UR/beDHyp5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M
/lUUVRbkeg1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq66gKodQj+M
iA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ97S+LKUTpQcq27R7AT3/V5hRQxScI
Nqwcz4jYqZD2fQdgxbcDTClU0CRBdiieyLMNzXG3";
. initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
R1AkUTV74bU=";
// Key for forward zone
example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM65KbhTjrW1ZaARmPhEZZe
3Y9ifgEuq7vZ/zGZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb4JKUbb
OTcM8pwXlj0EiX3oDFVmjHO444gLkBO UKUf/mC7HvfwYH/Be22GnC
lrinKJp1Og4ywzO9WglMk7jbfW33gUKvirTHr25GL7STQUzBb5Usxt
8lgnyTUHs1t3JwCY5hKZ6CqFxmAVZP20igTixin/1LcrgX/KMEGd/b
iuvF4qJCyduieHukuY3H4XMAcR+xia2 nIUPvm/oyWR8BW/hWdzOvn
SCThlHf3xiYleDbt/o1OTQ09A0=";
example.com. static-key 257 3 8 "AwEAAZ0aqu1rJ6orJynrRfNpPmayJZoAx9Ic2/Rl9VQW
LMHyjxxem3VUSoNUIFXERQbj0A9Ogp0zDM9YIccKLRd6
LmWiDCt7UJQxVdD+heb5Ec4qlqGmyX9MDabkvX2NvMws
UecbYBq8oXeTT9LRmCUt9KUt/WOi6DKECxoG/bWTykrX
yBR8elD+SQY43OAVjlWrVltHxgp4/rhBCvRbmdflunaP
Igu27eE2U4myDSLT8a4A0rB5uHG4PkOa9dIRs9y00M2m
Wf4lyPee7vi5few2dbayHXmieGcaAHrx76NGAABeY393
xjlmDNcUkF1gpNWUla4fWZbbaYQzA93mLdrng+M=";
// Key for reverse zone.
2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwcxOdNax071L18QqZnQQQA
VVr+iLhGTnNGp3HoWQLUIzKrJVZ3zggy3WwNT6kZo6c0
tszYqbtvchmgQC8CzKojM/W16i6MG/ea fGU3siaOdS0
yOI6BgPsw+YZdzlYMaIJGf4M4dyoKIhzdZyQ2bYQrjyQ
4LB0lC7aOnsMyYKHHYeRv PxjIQXmdqgOJGq+vsevG06
zW+1xgYJh9rCIfnm1GX/KMgxLPG2vXTD/RnLX+D3T3UL
7HJYHJhAZD5L59VvjSPsZJHeDCUyWYrvPZesZDIRvhDD
52SKvbheeTJUm6EhkzytNN2SN96QRk8j/iI8ib";
2.0.192.IN-ADDRPA.NET. initial-ds 31406 8 2 "F78CF3344F72137235098ECBBD08947C2C9001C7F6A085A17F518B5D8F6B916D";
};
*/

10
named.root.key
View File

@ -1,4 +1,4 @@
managed-keys {
trust-anchors {
# ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml
# for current trust anchor information.
#
@ -9,11 +9,5 @@ managed-keys {
# file as initializing keys; thereafter, the keys in the
# managed key database will be trusted and maintained
# automatically.
. initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
R1AkUTV74bU=";
. initial-ds 20326 8 2 "E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D";
};

BIN
random.data
View File

Binary file not shown.

0
setup-named-chroot.sh Normal file → Executable file
View File

0
setup-named-softhsm.sh Normal file → Executable file
View File

10
softhsm2.conf.in Normal file
View File

@ -0,0 +1,10 @@
# SoftHSM v2 configuration file
directories.tokendir = @TOKENPATH@
objectstore.backend = file
# ERROR, WARNING, INFO, DEBUG
log.level = ERROR
# If CKF_REMOVABLE_DEVICE flag should be set
slots.removable = false

1
trusted-key.key
View File

@ -1,2 +1 @@
. 3600 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
. 3600 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=

53
zone2sqlite.1
View File

@ -1,53 +0,0 @@
.\" Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000, 2001 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.\" Manpage written by Jan Gorig
.TH zone2sqlite 1 "15 March 2010" "BIND9"
.SH NAME
zone2sqlite - Load BIND 9 zone file into SQLite database
.SH SYNOPSIS
.B zone2sqlite zone zonefile dbfile dbtable
.SH DESCRIPTION
zone2sqlite parses DNS zone file and creates database for use with SQLite BIND SDB driver.
\fBzone\fR
.RS 4
Zone origin, eg "mydomain.net."
.RE
.PP
\fBzonefile\fR
.RS 4
Master zone database file, eg. mydomain.net.zone
.RE
.PP
\fBdbfile\fR
.RS 4
Name of SQLite database file
.RE
.PP
\fBdbtable\fR
.RS 4
Name of table in database
.RE
.SH "EXIT STATUS"
Exits with 0 on success or 1 on failure.
.SH "SEE ALSO"
named(8)
.SH "COPYRIGHT"
Copyright \(co 2004, 2005, 2007\-2009 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2000, 2001 Internet Software Consortium.
.br

53
zonetodb.1
View File

@ -1,53 +0,0 @@
.\" Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000, 2001 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.\" Manpage written by Jan Gorig
.TH zonetodb 1 "15 March 2010" "BIND9"
.SH NAME
zonetodb - Generate a PostgreSQL table from a zone.
.SH SYNOPSIS
.B zonetodb origin file dbname dbtable
.SH DESCRIPTION
zonetodb parses DNS zone file and creates table in selected database for use with PostgreSQL BIND SDB driver.
\fBzone\fR
.RS 4
Zone origin, eg "pgdb.net."
.RE
.PP
\fBfile\fR
.RS 4
Master zone database file, eg. pgdb.net.db
.RE
.PP
\fBdbname\fR
.RS 4
Name of PostgreSQL database (database must exist)
.RE
.PP
\fBdbtable\fR
.RS 4
Name of table in database
.RE
.SH "EXIT STATUS"
Exits with 0 on success or 1 on failure.
.SH "SEE ALSO"
named(8)
.SH "COPYRIGHT"
Copyright \(co 2004, 2005, 2007\-2009 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2000, 2001 Internet Software Consortium.
.br