packages/bind
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

init

Browse Source
This commit is contained in:
songnannan 2019-12-28 09:41:34 +08:00
parent 0a16f5513a
commit e152f570a8
82 changed files with 14818 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

183
1314-master-dnssec-checkds-s.patch Normal file
View File

@ -0,0 +1,183 @@
From 3b4f23cdbfa3f285d06eea8c4101650d2ab4e945 Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Thu, 26 Oct 2017 21:05:11 -0700
Subject: [PATCH 1314/3677] [master] dnssec-checkds -s
4794. [func] "dnssec-checkds -s" specifies a file from which
to read a DS set rather than querying the parent.
[RT #44667]
---
CHANGES | 8 +-
bin/python/dnssec-checkds.docbook | 24 +++---
bin/python/isc/checkds.py.in | 49 ++++++-----
bin/tests/system/checkds/clean.sh | 2 -
bin/tests/system/checkds/dig.pl | 2 -
bin/tests/system/checkds/dig.sh | 3 -
bin/tests/system/checkds/prep.example.db | 121 ++++++++++++++++++++++++++++
bin/tests/system/checkds/prep.example.ds.db | 2 +
bin/tests/system/checkds/tests.sh | 9 +++
doc/arm/notes.xml | 8 ++
10 files changed, 190 insertions(+), 38 deletions(-)
create mode 100644 bin/tests/system/checkds/prep.example.db
create mode 100644 bin/tests/system/checkds/prep.example.ds.db
diff --git a/bin/python/dnssec-checkds.docbook b/bin/python/dnssec-checkds.docbook
index 91716bc..069d6e9 100644
--- a/bin/python/dnssec-checkds.docbook
+++ b/bin/python/dnssec-checkds.docbook
@@ -42,20 +42,13 @@
<refsynopsisdiv>
<cmdsynopsis sepchar=" ">
<command>dnssec-checkds</command>
- <arg choice="opt" rep="norepeat"><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
- <arg choice="opt" rep="norepeat"><option>-f <replaceable class="parameter">file</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-d <replaceable class="parameter">dig path</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D <replaceable class="parameter">dsfromkey path</replaceable></option></arg>
- <arg choice="req" rep="norepeat">zone</arg>
- </cmdsynopsis>
- <cmdsynopsis sepchar=" ">
- <command>dnssec-dsfromkey</command>
- <arg choice="opt" rep="norepeat"><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-f <replaceable class="parameter">file</replaceable></option></arg>
- <arg choice="opt" rep="norepeat"><option>-d <replaceable class="parameter">dig path</replaceable></option></arg>
- <arg choice="opt" rep="norepeat"><option>-D <replaceable class="parameter">dsfromkey path</replaceable></option></arg>
+ <arg choice="opt" rep="norepeat"><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
+ <arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">file</replaceable></option></arg>
<arg choice="req" rep="norepeat">zone</arg>
- </cmdsynopsis>
+ </cmdsynopsis>
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
@@ -93,6 +86,17 @@
</varlistentry>
<varlistentry>
+ <term>-s <replaceable class="parameter">file</replaceable></term>
+ <listitem>
+ <para>
+ Specifies a prepared dsset file, such as would be generated
+ by <command>dnssec-signzone</command>, to use as a source for
+ the DS RRset instead of querying the parent.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>-d <replaceable class="parameter">dig path</replaceable></term>
<listitem>
<para>
diff --git a/bin/python/isc/checkds.py.in b/bin/python/isc/checkds.py.in
index ce50355..a161554 100644
--- a/bin/python/isc/checkds.py.in
+++ b/bin/python/isc/checkds.py.in
@@ -34,7 +34,11 @@ class SECRR:
if not rrtext:
raise Exception
- fields = rrtext.decode('ascii').split()
+ # 'str' does not have decode method in python3
+ if type(rrtext) is not str:
+ fields = rrtext.decode('ascii').split()
+ else:
+ fields = rrtext.split()
if len(fields) < 7:
raise Exception
@@ -89,35 +93,39 @@ class SECRR:
# Generate a set of expected DS/DLV records from the DNSKEY RRset,
# and report on congruency.
############################################################################
-def check(zone, args, masterfile=None, lookaside=None):
+def check(zone, args):
rrlist = []
- cmd = [args.dig, "+noall", "+answer", "-t", "dlv" if lookaside else "ds",
- "-q", zone + "." + lookaside if lookaside else zone]
- fp, _ = Popen(cmd, stdout=PIPE).communicate()
+ if args.dssetfile:
+ fp = open(args.dssetfile).read()
+ else:
+ cmd = [args.dig, "+noall", "+answer", "-t",
+ "dlv" if args.lookaside else "ds", "-q",
+ zone + "." + args.lookaside if args.lookaside else zone]
+ fp, _ = Popen(cmd, stdout=PIPE).communicate()
for line in fp.splitlines():
- rrlist.append(SECRR(line, lookaside))
+ rrlist.append(SECRR(line, args.lookaside))
rrlist = sorted(rrlist, key=lambda rr: (rr.keyid, rr.keyalg, rr.hashalg))
klist = []
- if masterfile:
- cmd = [args.dsfromkey, "-f", masterfile]
- if lookaside:
- cmd += ["-l", lookaside]
+ if args.masterfile:
+ cmd = [args.dsfromkey, "-f", args.masterfile]
+ if args.lookaside:
+ cmd += ["-l", args.lookaside]
cmd.append(zone)
fp, _ = Popen(cmd, stdout=PIPE).communicate()
else:
intods, _ = Popen([args.dig, "+noall", "+answer", "-t", "dnskey",
"-q", zone], stdout=PIPE).communicate()
cmd = [args.dsfromkey, "-f", "-"]
- if lookaside:
- cmd += ["-l", lookaside]
+ if args.lookaside:
+ cmd += ["-l", args.lookaside]
cmd.append(zone)
fp, _ = Popen(cmd, stdin=PIPE, stdout=PIPE).communicate(intods)
for line in fp.splitlines():
- klist.append(SECRR(line, lookaside))
+ klist.append(SECRR(line, args.lookaside))
if len(klist) < 1:
print("No DNSKEY records found in zone apex")
@@ -136,7 +144,8 @@ def check(zone, args, masterfile=None, lookaside=None):
rr.keyid, SECRR.hashalgs[rr.hashalg]))
if not found:
- print("No %s records were found for any DNSKEY" % ("DLV" if lookaside else "DS"))
+ print("No %s records were found for any DNSKEY" %
+ ("DLV" if args.lookaside else "DS"))
return found
@@ -151,10 +160,6 @@ def parse_args():
sbindir = 'bin' if os.name == 'nt' else 'sbin'
parser.add_argument('zone', type=str, help='zone to check')
- parser.add_argument('-f', '--file', dest='masterfile', type=str,
- help='zone master file')
- parser.add_argument('-l', '--lookaside', dest='lookaside', type=str,
- help='DLV lookaside zone')
parser.add_argument('-d', '--dig', dest='dig',
default=os.path.join(prefix(bindir), 'dig'),
type=str, help='path to \'dig\'')
@@ -162,6 +167,12 @@ def parse_args():
default=os.path.join(prefix(sbindir),
'dnssec-dsfromkey'),
type=str, help='path to \'dig\'')
+ parser.add_argument('-f', '--file', dest='masterfile', type=str,
+ help='zone master file')
+ parser.add_argument('-l', '--lookaside', dest='lookaside', type=str,
+ help='DLV lookaside zone')
+ parser.add_argument('-s', '--dsset', dest='dssetfile', type=str,
+ help='prepared DSset file')
parser.add_argument('-v', '--version', action='version',
version=version)
args = parser.parse_args()
@@ -178,5 +189,5 @@ def parse_args():
############################################################################
def main():
args = parse_args()
- found = check(args.zone, args, args.masterfile, args.lookaside)
+ found = check(args.zone, args)
exit(0 if found else 1)
--
1.8.3.1

53
2432-check-param_template-i-.pValue-is-non-NULL.patch Normal file
View File

@ -0,0 +1,53 @@
From 8ac0152651725cfa3dd887f9f73e6ff9671ce2dd Mon Sep 17 00:00:00 2001
From: Bill Parker <wp02855@gmail.com>
Date: Tue, 10 Jul 2018 12:34:00 +1000
Subject: [PATCH 2432/3677] check param_template[i].pValue is non NULL
---
bin/pkcs11/pkcs11-keygen.c | 22 ++++++++++++++++++----
1 file changed, 18 insertions(+), 4 deletions(-)
diff --git a/bin/pkcs11/pkcs11-keygen.c b/bin/pkcs11/pkcs11-keygen.c
index fe314ab..9631c0e 100644
--- a/bin/pkcs11/pkcs11-keygen.c
+++ b/bin/pkcs11/pkcs11-keygen.c
@@ -657,8 +657,18 @@ main(int argc, char *argv[]) {
}
/* Allocate space for parameter attributes */
- for (i = 0; i < param_attrcnt; i++)
+ for (i = 0; i < param_attrcnt; i++) {
+ param_template[i].pValue = NULL;
+ }
+
+ for (i = 0; i < param_attrcnt; i++) {
param_template[i].pValue = malloc(param_template[i].ulValueLen);
+ if (param_template[i].pValue == NULL) {
+ fprintf(stderr, "malloc failed\n");
+ error = 1;
+ goto exit_params;
+ }
+ }
rv = pkcs_C_GetAttributeValue(hSession, domainparams,
dsa_param_template, DSA_PARAM_ATTRS);
@@ -713,9 +723,13 @@ main(int argc, char *argv[]) {
exit_params:
/* Free parameter attributes */
- if (keyclass == key_dsa || keyclass == key_dh)
- for (i = 0; i < param_attrcnt; i++)
- free(param_template[i].pValue);
+ if (keyclass == key_dsa || keyclass == key_dh) {
+ for (i = 0; i < param_attrcnt; i++) {
+ if (param_template[i].pValue != NULL) {
+ free(param_template[i].pValue);
+ }
+ }
+ }
exit_domain:
/* Destroy domain parameters */
--
1.8.3.1

53
2497-refcount-errors-on-error-paths.patch Normal file
View File

@ -0,0 +1,53 @@
From 4093efc900e250a39f9669e3d740a4286a0edb9c Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Tue, 31 Jul 2018 17:41:45 +1000
Subject: [PATCH 2497/3677] refcount errors on error paths
---
lib/dns/rbtdb.c | 3 ---
lib/dns/view.c | 1 +
2 files changed, 1 insertion(+), 3 deletions(-)
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index e332802..01c7cd8 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -8368,7 +8368,6 @@ dns_rbtdb_create(isc_mem_t *mctx, const dns_name_t *origin, dns_dbtype_t type,
if (result != ISC_R_SUCCESS) {
while (i-- > 0) {
NODE_DESTROYLOCK(&rbtdb->node_locks[i].lock);
- isc_refcount_decrement(&rbtdb->node_locks[i].references, NULL);
isc_refcount_destroy(&rbtdb->node_locks[i].references);
}
goto cleanup_deadnodes;
@@ -8491,7 +8490,6 @@ dns_rbtdb_create(isc_mem_t *mctx, const dns_name_t *origin, dns_dbtype_t type,
rbtdb->current_version = allocate_version(mctx, 1, 1, ISC_FALSE);
if (rbtdb->current_version == NULL) {
isc_refcount_decrement(&rbtdb->references, NULL);
- isc_refcount_destroy(&rbtdb->references);
free_rbtdb(rbtdb, ISC_FALSE, NULL);
return (ISC_R_NOMEMORY);
}
@@ -8513,7 +8511,6 @@ dns_rbtdb_create(isc_mem_t *mctx, const dns_name_t *origin, dns_dbtype_t type,
sizeof(*rbtdb->current_version));
rbtdb->current_version = NULL;
isc_refcount_decrement(&rbtdb->references, NULL);
- isc_refcount_destroy(&rbtdb->references);
free_rbtdb(rbtdb, ISC_FALSE, NULL);
return (result);
}
diff --git a/lib/dns/view.c b/lib/dns/view.c
index e36576f..7751535 100644
--- a/lib/dns/view.c
+++ b/lib/dns/view.c
@@ -311,6 +311,7 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
dns_tsigkeyring_detach(&view->dynamickeys);
cleanup_references:
+ isc_refcount_decrement(&view->references, NULL);
isc_refcount_destroy(&view->references);
cleanup_fwdtable:
--
1.8.3.1

11
2559-Do-not-remove-errors-from-the-OpenSSL-error-queue-in.patch Normal file
View File

@ -0,0 +1,11 @@
--- a/lib/dns/openssl_link.c 2019-04-17 06:00:00.086000000 -0400
+++ b/lib/dns/openssl_link_1.c 2019-04-17 06:03:38.556000000 -0400
@@ -385,7 +385,7 @@ dst__openssl_destroy(void) {
static isc_result_t
toresult(isc_result_t fallback) {
isc_result_t result = fallback;
- unsigned long err = ERR_get_error();
+ unsigned long err = ERR_peek_error();
#if defined(HAVE_OPENSSL_ECDSA) && \
defined(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED)
int lib = ERR_GET_LIB(err);

13
2574-Do-not-treat-a-referral-with-a-non-empty-ANSWER-sect.patch Normal file
View File

@ -0,0 +1,13 @@
--- a/lib/dns/resolver.c 2019-04-17 06:06:06.700000000 -0400
+++ b/lib/dns/resolver_1.c 2019-04-17 06:08:47.697000000 -0400
@@ -8419,7 +8419,9 @@ resquery_response(isc_task_t *task, isc_
if (result != ISC_R_SUCCESS)
FCTXTRACE3("noanswer_response", result);
}
- if (result != DNS_R_DELEGATION) {
+ if (result == DNS_R_DELEGATION) {
+ result = ISC_R_SUCCESS;
+ } else {
/*
* At this point, AA is not set, the response
* is not a referral, and the server is not a

47
2711-Align-CMSG-buffers-to-a-void-boundary-fixes-crash-on.patch Normal file
View File

@ -0,0 +1,47 @@
From 17212cf9965a1a0ec8412b807fe08f74e059cc1c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Witold=20Kr=C4=99cicki?= <wpk@isc.org>
Date: Fri, 7 Sep 2018 09:34:32 +0200
Subject: [PATCH 2711/3677] Align CMSG buffers to a void* boundary, fixes crash
on architectures with strict alignment CHANGES entry
---
CHANGES | 3 +++
lib/isc/include/isc/util.h | 5 +++++
lib/isc/unix/socket.c | 5 +++--
3 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/lib/isc/include/isc/util.h b/lib/isc/include/isc/util.h
index bb0c885..acc3d64 100644
--- a/lib/isc/include/isc/util.h
+++ b/lib/isc/include/isc/util.h
@@ -260,6 +260,11 @@ extern void mock_assert(const int result, const char* const expression,
#define TIME_NOW(tp) RUNTIME_CHECK(isc_time_now((tp)) == ISC_R_SUCCESS)
/*%
+ * Alignment
+ */
+#define ALIGN(x, a) (((x) + (a) - 1) & ~((typeof(x))(a)-1))
+
+/*%
* Misc
*/
#include <isc/deprecated.h>
diff --git a/lib/isc/unix/socket.c b/lib/isc/unix/socket.c
index 343cec2..62a00cd 100644
--- a/lib/isc/unix/socket.c
+++ b/lib/isc/unix/socket.c
@@ -315,8 +315,9 @@ typedef isc_event_t intev_t;
#define CMSG_SP_INT 24
-#define RECVCMSGBUFLEN (2*(CMSG_SP_IN6PKT + CMSG_SP_TIMESTAMP + CMSG_SP_TCTOS)+1)
-#define SENDCMSGBUFLEN (2*(CMSG_SP_IN6PKT + CMSG_SP_INT + CMSG_SP_TCTOS)+1)
+/* Align cmsg buffers to be safe on SPARC etc. */
+#define RECVCMSGBUFLEN ALIGN(2*(CMSG_SP_IN6PKT + CMSG_SP_TIMESTAMP + CMSG_SP_TCTOS)+1, sizeof(void*))
+#define SENDCMSGBUFLEN ALIGN(2*(CMSG_SP_IN6PKT + CMSG_SP_INT + CMSG_SP_TCTOS)+1, sizeof(void*))
/*%
* The number of times a send operation is repeated if the result is EINTR.
--
1.8.3.1

22
2776-Fix-crash-caused-by-race-condition-in-timer-creation.patch Normal file
View File

@ -0,0 +1,22 @@
--- a/lib/isc/timer.c 2018-09-04 00:04:41.000000000 -0400
+++ b/lib/isc/timer_1.c 2019-04-17 23:40:41.930000000 -0400
@@ -472,8 +472,10 @@ isc__timer_create(isc_timermgr_t *manage
result = schedule(timer, &now, ISC_TRUE);
else
result = ISC_R_SUCCESS;
- if (result == ISC_R_SUCCESS)
+ if (result == ISC_R_SUCCESS){
+ *timerp = (isc_timer_t *)timer;
APPEND(manager->timers, timer, link);
+ }
UNLOCK(&manager->lock);
@@ -486,7 +488,6 @@ isc__timer_create(isc_timermgr_t *manage
return (result);
}
- *timerp = (isc_timer_t *)timer;
return (ISC_R_SUCCESS);
}

26
2865-free-key-on-error.patch Normal file
View File

@ -0,0 +1,26 @@
From 607c2d7441b5b56272765dfd6ee56de983c3b407 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Fri, 19 Oct 2018 19:23:39 +1100
Subject: [PATCH 2865/3677] free key on error
---
lib/dns/dst_api.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index 7685dcb..c0684d9 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -802,6 +802,9 @@ dst_key_fromgssapi(const dns_name_t *name, gss_ctx_id_t gssctx,
*keyp = key;
result = ISC_R_SUCCESS;
out:
+ if (result != ISC_R_SUCCESS) {
+ dst_key_free(&key);
+ }
return result;
}
--
1.8.3.1

49
2879-expand-the-pool-then-copy-over-the-old-entries-so-we.patch Normal file
View File

@ -0,0 +1,49 @@
From afde30fe9b1fd43595290a6763db6d52e0903c5a Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Fri, 19 Oct 2018 19:36:17 +1100
Subject: [PATCH 2879/3677] expand the pool then copy over the old entries so
we that failures do not break the old pool; also don't leak the new pool on
error
---
lib/isc/pool.c | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/lib/isc/pool.c b/lib/isc/pool.c
index 5c693a6..8fb2a45 100644
--- a/lib/isc/pool.c
+++ b/lib/isc/pool.c
@@ -131,21 +131,22 @@ isc_pool_expand(isc_pool_t **sourcep, unsigned int count,
newpool->init = pool->init;
newpool->initarg = pool->initarg;
- /* Copy over the objects from the old pool */
- for (i = 0; i < pool->count; i++) {
- newpool->pool[i] = pool->pool[i];
- pool->pool[i] = NULL;
- }
-
/* Populate the new entries */
for (i = pool->count; i < count; i++) {
- result = pool->init(&newpool->pool[i], pool->initarg);
+ result = newpool->init(&newpool->pool[i],
+ newpool->initarg);
if (result != ISC_R_SUCCESS) {
- isc_pool_destroy(&pool);
+ isc_pool_destroy(&newpool);
return (result);
}
}
+ /* Copy over the objects from the old pool */
+ for (i = 0; i < pool->count; i++) {
+ newpool->pool[i] = pool->pool[i];
+ pool->pool[i] = NULL;
+ }
+
isc_pool_destroy(&pool);
pool = newpool;
}
--
1.8.3.1

228
2985-Add-some-DBC-checks-in-dighost-fix-race-between-clea.patch Normal file
View File

@ -0,0 +1,228 @@
--- a/bin/dig/dighost.c 2019-04-18 00:14:08.120000000 -0400
+++ b/bin/dig/dighost_1.c 2019-04-18 02:34:32.947000000 -0400
@@ -1822,9 +1822,9 @@ clear_query(dig_query_t *query) {
debug("clear_query(%p)", query);
- if (query->timer != NULL)
+ if (query->timer != NULL){
isc_timer_detach(&query->timer);
-
+ }
if (query->waiting_senddone) {
debug("send_done not yet called");
query->pending_free = ISC_TRUE;
@@ -1833,13 +1833,15 @@ clear_query(dig_query_t *query) {
lookup = query->lookup;
- if (lookup->current_query == query)
+ if (lookup->current_query == query){
lookup->current_query = NULL;
-
- if (ISC_LINK_LINKED(query, link))
+ }
+ if (ISC_LINK_LINKED(query, link)){
ISC_LIST_UNLINK(lookup->q, query, link);
- if (ISC_LINK_LINKED(query, clink))
+ }
+ if (ISC_LINK_LINKED(query, clink)){
ISC_LIST_UNLINK(lookup->connecting, query, clink);
+ }
if (ISC_LINK_LINKED(&query->recvbuf, link))
ISC_LIST_DEQUEUE(query->recvlist, &query->recvbuf,
link);
@@ -1856,6 +1858,7 @@ clear_query(dig_query_t *query) {
isc_mempool_put(commctx, query->recvspace);
isc_buffer_invalidate(&query->recvbuf);
isc_buffer_invalidate(&query->lengthbuf);
+ query->magic = 0;
isc_mem_free(mctx, query);
}
@@ -2807,13 +2810,14 @@ setup_lookup(dig_lookup_t *lookup) {
for (serv = ISC_LIST_HEAD(lookup->my_server_list);
serv != NULL;
- serv = ISC_LIST_NEXT(serv, link)) {
+ serv = ISC_LIST_NEXT(serv, link))
+ {
query = isc_mem_allocate(mctx, sizeof(dig_query_t));
- if (query == NULL)
+ if (query == NULL){
fatal("memory allocation failure in %s:%d",
__FILE__, __LINE__);
- debug("create query %p linked to lookup %p",
- query, lookup);
+ }
+ debug("create query %p linked to lookup %p", query, lookup);
query->lookup = lookup;
query->timer = NULL;
query->waiting_connect = ISC_FALSE;
@@ -2838,9 +2842,9 @@ setup_lookup(dig_lookup_t *lookup) {
ISC_LIST_INIT(query->lengthlist);
query->sock = NULL;
query->recvspace = isc_mempool_get(commctx);
- if (query->recvspace == NULL)
+ if (query->recvspace == NULL){
fatal("memory allocation failure");
-
+ }
isc_buffer_init(&query->recvbuf, query->recvspace, COMMSIZE);
isc_buffer_init(&query->lengthbuf, query->lengthspace, 2);
isc_buffer_init(&query->slbuf, query->slspace, 2);
@@ -2848,6 +2852,7 @@ setup_lookup(dig_lookup_t *lookup) {
ISC_LINK_INIT(query, clink);
ISC_LINK_INIT(query, link);
+ query->magic = DIG_QUERY_MAGIC;
ISC_LIST_ENQUEUE(lookup->q, query, link);
}
@@ -2856,9 +2861,10 @@ setup_lookup(dig_lookup_t *lookup) {
extrabytes = 0;
dighost_printmessage(ISC_LIST_HEAD(lookup->q), lookup->sendmsg,
ISC_TRUE);
- if (lookup->stats)
+ if (lookup->stats){
printf(";; QUERY SIZE: %u\n\n",
isc_buffer_usedlength(&lookup->renderbuf));
+ }
}
return (ISC_TRUE);
}
@@ -2893,20 +2899,26 @@ send_done(isc_task_t *_task, isc_event_t
}
query = event->ev_arg;
+ REQUIRE(DIG_VALID_QUERY(query));
query->waiting_senddone = ISC_FALSE;
l = query->lookup;
- if (l->ns_search_only && !l->trace_root && !l->tcp_mode) {
+ if (!query->pending_free && l->ns_search_only &&
+ !l->trace_root && !l->tcp_mode)
+ {
debug("sending next, since searching");
next = ISC_LIST_NEXT(query, link);
- if (next != NULL)
+ if (next != NULL){
send_udp(next);
+ }
}
isc_event_free(&event);
- if (query->pending_free)
+ if (query->pending_free){
+ query->magic = 0;
clear_query(query);
+ }
check_next_lookup(l);
UNLOCK_LOOKUP;
@@ -2924,6 +2936,7 @@ cancel_lookup(dig_lookup_t *lookup) {
debug("cancel_lookup()");
query = ISC_LIST_HEAD(lookup->q);
while (query != NULL) {
+ REQUIRE(DIG_VALID_QUERY(query));
next = ISC_LIST_NEXT(query, link);
if (query->sock != NULL) {
isc_socket_cancel(query->sock, global_task,
@@ -2943,6 +2956,7 @@ bringup_timer(dig_query_t *query, unsign
dig_lookup_t *l;
unsigned int local_timeout;
isc_result_t result;
+ REQUIRE(DIG_VALID_QUERY(query));
debug("bringup_timer()");
/*
@@ -3007,7 +3021,7 @@ send_tcp_connect(dig_query_t *query) {
isc_result_t result;
dig_query_t *next;
dig_lookup_t *l;
-
+ REQUIRE(DIG_VALID_QUERY(query));
debug("send_tcp_connect(%p)", query);
l = query->lookup;
@@ -3145,7 +3159,7 @@ send_udp(dig_query_t *query) {
isc_result_t result;
isc_buffer_t *sendbuf;
dig_query_t *next;
-
+ REQUIRE(DIG_VALID_QUERY(query));
debug("send_udp(%p)", query);
l = query->lookup;
@@ -3248,6 +3262,7 @@ connect_timeout(isc_task_t *task, isc_ev
LOCK_LOOKUP;
query = event->ev_arg;
+ REQUIRE(DIG_VALID_QUERY(query));
l = query->lookup;
isc_event_free(&event);
@@ -3335,7 +3350,7 @@ tcp_length_done(isc_task_t *task, isc_ev
LOCK_LOOKUP;
sevent = (isc_socketevent_t *)event;
query = event->ev_arg;
-
+ REQUIRE(DIG_VALID_QUERY(query));
recvcount--;
INSIST(recvcount >= 0);
@@ -3412,7 +3427,7 @@ launch_next_query(dig_query_t *query, is
isc_result_t result;
dig_lookup_t *l;
isc_buffer_t *buffer;
-
+ REQUIRE(DIG_VALID_QUERY(query));
INSIST(!free_now);
debug("launch_next_query()");
@@ -3491,7 +3506,7 @@ connect_done(isc_task_t *task, isc_event
LOCK_LOOKUP;
sevent = (isc_socketevent_t *)event;
query = sevent->ev_arg;
-
+ REQUIRE(DIG_VALID_QUERY(query));
INSIST(query->waiting_connect);
query->waiting_connect = ISC_FALSE;
@@ -4460,6 +4475,7 @@ do_lookup(dig_lookup_t *lookup) {
lookup->pending = ISC_TRUE;
query = ISC_LIST_HEAD(lookup->q);
if (query != NULL) {
+ REQUIRE(DIG_VALID_QUERY(query));
if (lookup->tcp_mode)
send_tcp_connect(query);
else
--- a/bin/dig/include/dig/dig.h 2018-09-04 00:04:41.000000000 -0400
+++ b/bin/dig/include/dig/dig_1.h 2019-04-18 02:36:44.313000000 -0400
@@ -24,6 +24,7 @@
#include <isc/formatcheck.h>
#include <isc/lang.h>
#include <isc/list.h>
+#include <isc/magic.h>
#include <isc/mem.h>
#include <isc/print.h>
#include <isc/sockaddr.h>
@@ -90,6 +91,9 @@ typedef struct dig_message dig_message_t
#endif
typedef ISC_LIST(dig_server_t) dig_serverlist_t;
typedef struct dig_searchlist dig_searchlist_t;
+#define DIG_QUERY_MAGIC ISC_MAGIC('D','i','g','q')
+
+#define DIG_VALID_QUERY(x) ISC_MAGIC_VALID((x), DIG_QUERY_MAGIC)
/*% The dig_lookup structure */
struct dig_lookup {
@@ -199,6 +203,7 @@ isc_boolean_t sigchase;
/*% The dig_query structure */
struct dig_query {
+ unsigned int magic;
dig_lookup_t *lookup;
isc_boolean_t waiting_connect,
pending_free,

52
2998-Use-larger-buffers-on-snprintf-buffer-overflow-false.patch Normal file
View File

@ -0,0 +1,52 @@
--- a/lib/dns/rdata/generic/loc_29.c 2018-09-04 00:04:41.000000000 -0400
+++ b/lib/dns/rdata/generic/loc_291.c 2019-04-18 00:09:34.927000000 -0400
@@ -454,11 +454,12 @@ totext_loc(ARGS_TOTEXT) {
isc_boolean_t east;
isc_boolean_t below;
isc_region_t sr;
- char buf[sizeof("89 59 59.999 N 179 59 59.999 E "
- "-42849672.95m 90000000m 90000000m 90000000m")];
char sbuf[sizeof("90000000m")];
char hbuf[sizeof("90000000m")];
char vbuf[sizeof("90000000m")];
+ /* "89 59 59.999 N 179 59 59.999 E " */
+ /* "-42849672.95m 90000000m 90000000m 90000000m"; */
+ char buf[8*6 + 12*1 + 2*10 + sizeof(sbuf)+sizeof(hbuf)+sizeof(vbuf)];
unsigned char size, hp, vp;
unsigned long poweroften[8] = { 1, 10, 100, 1000,
10000, 100000, 1000000, 10000000 };
@@ -550,7 +551,7 @@ totext_loc(ARGS_TOTEXT) {
altitude -= 10000000;
}
- snprintf(buf, sizeof(buf),
+ snprintf(NULL, 0,
"%d %d %d.%03d %s %d %d %d.%03d %s %s%lu.%02lum %s %s %s",
d1, m1, s1, fs1, north ? "N" : "S",
d2, m2, s2, fs2, east ? "E" : "W",
--- a/lib/dns/rdata/in_1/dhcid_49.c 2018-09-04 00:04:41.000000000 -0400
+++ b/lib/dns/rdata/in_1/dhcid_491.c 2019-04-18 00:12:14.143000000 -0400
@@ -35,9 +35,8 @@ fromtext_in_dhcid(ARGS_FROMTEXT) {
static inline isc_result_t
totext_in_dhcid(ARGS_TOTEXT) {
isc_region_t sr, sr2;
- char buf[sizeof(" ; 64000 255 64000")];
- size_t n;
-
+ /* " ; 64000 255 64000" */
+ char buf[5 + 3*5 + 1];
REQUIRE(rdata->type == dns_rdatatype_dhcid);
REQUIRE(rdata->rdclass == dns_rdataclass_in);
REQUIRE(rdata->length != 0);
@@ -55,10 +54,9 @@ totext_in_dhcid(ARGS_TOTEXT) {
if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0) {
RETERR(str_totext(/* ( */ " )", target));
if (rdata->length > 2) {
- n = snprintf(buf, sizeof(buf), " ; %u %u %u",
+ snprintf(NULL, 0, " ; %u %u %u",
sr2.base[0] * 256U + sr2.base[1],
sr2.base[2], rdata->length - 3U);
- INSIST(n < sizeof(buf));
RETERR(str_totext(buf, target));
}
}

35
3022-Fix-a-shutdown-race-in-bin-dig-dighost.c.patch Normal file
View File

@ -0,0 +1,35 @@
From 462175659674a10c0d39c7c328f1a5324ce2e38b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org>
Date: Tue, 13 Nov 2018 13:50:47 +0100
Subject: [PATCH 3022/3677] Fix a shutdown race in bin/dig/dighost.c
If a tool using the routines defined in bin/dig/dighost.c is sent an
interruption signal around the time a connection timeout is scheduled to
fire, connect_timeout() may be executed after destroy_libs() detaches
from the global task (setting 'global_task' to NULL), which results in a
crash upon a UDP retry due to bringup_timer() attempting to create a
timer with 'task' set to NULL. Fix by preventing connect_timeout() from
attempting a retry when shutdown is in progress.
---
bin/dig/dighost.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
index f4e5e55..410b634 100644
--- a/bin/dig/dighost.c
+++ b/bin/dig/dighost.c
@@ -2902,6 +2902,11 @@ connect_timeout(isc_task_t *task, isc_event_t *event) {
INSIST(!free_now);
+ if (cancel_now) {
+ UNLOCK_LOOKUP;
+ return;
+ }
+
if ((query != NULL) && (query->lookup->current_query != NULL) &&
ISC_LINK_LINKED(query->lookup->current_query, link) &&
(ISC_LIST_NEXT(query->lookup->current_query, link) != NULL)) {
--
1.8.3.1

25
3046-uninitalize-memory-read-on-error-path.patch Normal file
View File

@ -0,0 +1,25 @@
From 4eadebe2b2feade839d8f178e6ddf8b4406d093a Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Fri, 9 Nov 2018 15:32:33 +1100
Subject: [PATCH 3046/3677] uninitalize memory read on error path
---
lib/dns/nta.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/dns/nta.c b/lib/dns/nta.c
index 73674b3..498b7f1 100644
--- a/lib/dns/nta.c
+++ b/lib/dns/nta.c
@@ -149,7 +149,7 @@ dns_ntatable_create(dns_view_t *view,
isc_task_detach(&ntatable->task);
cleanup_ntatable:
- isc_mem_put(ntatable->view->mctx, ntatable, sizeof(*ntatable));
+ isc_mem_put(view->mctx, ntatable, sizeof(*ntatable));
return (result);
}
--
1.8.3.1

77
3318-Allow-unsupported-alg-in-zone-w-dnssec-signzone.patch Normal file
View File

@ -0,0 +1,77 @@
From 1dd11fc754baf396bb3040527087b14f0678dd83 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking <github@pletterpet.nl>
Date: Tue, 18 Dec 2018 12:14:04 +0100
Subject: [PATCH 3318/3677] Allow unsupported alg in zone /w dnssec-signzone
dnssec-signzone should sign a zonefile that contains a DNSKEY record
with an unsupported algorithm. Current behavior is that it will
fail, hitting a fatal error. The fix detects unsupported algorithms
and will not try to add it to the keylist.
Also when determining the maximum iterations for NSEC3, don't take
into account DNSKEY records in the zonefile with an unsupported
algorithm.
---
lib/dns/dnssec.c | 8 ++++++++
lib/dns/include/dns/dnssec.h | 2 +-
lib/dns/nsec3.c | 11 ++++++++++-
3 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c
index c12ecac..e255b6e 100644
--- a/lib/dns/dnssec.c
+++ b/lib/dns/dnssec.c
@@ -1622,6 +1622,14 @@ dns_dnssec_keylistfromrdataset(const dns_name_t *origin,
result = dns_rdataset_next(&keys)) {
dns_rdata_reset(&rdata);
dns_rdataset_current(&keys, &rdata);
+
+ /* Skip unsupported algorithms */
+ REQUIRE(rdata.type == dns_rdatatype_key ||
+ rdata.type == dns_rdatatype_dnskey);
+ REQUIRE(rdata.length > 3);
+ if (!dst_algorithm_supported(rdata.data[3]))
+ goto skip;
+
RETERR(dns_dnssec_keyfromrdata(origin, &rdata, mctx, &pubkey));
dst_key_setttl(pubkey, keys.ttl);
diff --git a/lib/dns/include/dns/dnssec.h b/lib/dns/include/dns/dnssec.h
index 50930b6..e60375e 100644
--- a/lib/dns/include/dns/dnssec.h
+++ b/lib/dns/include/dns/dnssec.h
@@ -274,7 +274,7 @@ dns_dnssec_findmatchingkeys(const dns_name_t *origin, const char *directory,
/*%<
* Search 'directory' for K* key files matching the name in 'origin'.
* Append all such keys, along with use hints gleaned from their
- * metadata, onto 'keylist'.
+ * metadata, onto 'keylist'. Skip any unsupported algorithms.
*
* Requires:
*\li 'keylist' is not NULL
diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c
index 861e909..f30d695 100644
--- a/lib/dns/nsec3.c
+++ b/lib/dns/nsec3.c
@@ -1811,8 +1811,17 @@ dns_nsec3_maxiterations(dns_db_t *db, dns_dbversion_t *version,
result == ISC_R_SUCCESS;
result = dns_rdataset_next(&rdataset)) {
dns_rdata_t rdata = DNS_RDATA_INIT;
-
dns_rdataset_current(&rdataset, &rdata);
+
+ /* Skip unsupported algorithms when
+ * calculating the maximum iterations.
+ */
+ REQUIRE(rdata.type == dns_rdatatype_key ||
+ rdata.type == dns_rdatatype_dnskey);
+ REQUIRE(rdata.length > 3);
+ if (!dst_algorithm_supported(rdata.data[3]))
+ continue;
+
isc_buffer_init(&buffer, rdata.data, rdata.length);
isc_buffer_add(&buffer, rdata.length);
CHECK(dst_key_fromdns(dns_db_origin(db), rdataset.rdclass,
--
1.8.3.1

112
3543-fix-memory-leak.patch Normal file
View File

@ -0,0 +1,112 @@
From 7114d16098b0cf4910e06490fa70758f1c2c62a3 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Fri, 15 Feb 2019 08:52:16 +1100
Subject: [PATCH 3543/3677] fix memory leak
---
lib/dns/spnego_asn1.c | 56 +++++++++++++++++++++++++++++++--------------------
1 file changed, 34 insertions(+), 22 deletions(-)
diff --git a/lib/dns/spnego_asn1.c b/lib/dns/spnego_asn1.c
index fb51b0d..46e487a 100644
--- a/lib/dns/spnego_asn1.c
+++ b/lib/dns/spnego_asn1.c
@@ -467,25 +467,25 @@ decode_NegTokenInit(const unsigned char *p, size_t len, NegTokenInit * data, siz
FORW;
{
int dce_fix;
- if ((dce_fix = fix_dce(reallen, &len)) < 0)
- return ASN1_BAD_FORMAT;
+ if ((dce_fix = fix_dce(reallen, &len)) < 0) {
+ e = ASN1_BAD_FORMAT;
+ goto fail;
+ }
{
size_t newlen, oldlen;
e = der_match_tag(p, len, ASN1_C_CONTEXT, CONS, 0, &l);
- if (e)
- return e;
- else {
- p += l;
- len -= l;
- ret += l;
+ FORW;
+ {
e = der_get_length(p, len, &newlen, &l);
FORW;
{
int mydce_fix;
oldlen = len;
- if ((mydce_fix = fix_dce(newlen, &len)) < 0)
- return ASN1_BAD_FORMAT;
+ if ((mydce_fix = fix_dce(newlen, &len)) < 0) {
+ e = ASN1_BAD_FORMAT;
+ goto fail;
+ }
e = decode_MechTypeList(p, len, &(data)->mechTypes, &l);
FORW;
if (mydce_fix) {
@@ -511,11 +511,15 @@ decode_NegTokenInit(const unsigned char *p, size_t len, NegTokenInit * data, siz
{
int mydce_fix;
oldlen = len;
- if ((mydce_fix = fix_dce(newlen, &len)) < 0)
- return ASN1_BAD_FORMAT;
+ if ((mydce_fix = fix_dce(newlen, &len)) < 0) {
+ e = ASN1_BAD_FORMAT;
+ goto fail;
+ }
(data)->reqFlags = malloc(sizeof(*(data)->reqFlags));
- if ((data)->reqFlags == NULL)
- return ENOMEM;
+ if ((data)->reqFlags == NULL) {
+ e = ENOMEM;
+ goto fail;
+ }
e = decode_ContextFlags(p, len, (data)->reqFlags, &l);
FORW;
if (mydce_fix) {
@@ -541,11 +545,15 @@ decode_NegTokenInit(const unsigned char *p, size_t len, NegTokenInit * data, siz
{
int mydce_fix;
oldlen = len;
- if ((mydce_fix = fix_dce(newlen, &len)) < 0)
- return ASN1_BAD_FORMAT;
+ if ((mydce_fix = fix_dce(newlen, &len)) < 0) {
+ e = ASN1_BAD_FORMAT;
+ goto fail;
+ }
(data)->mechToken = malloc(sizeof(*(data)->mechToken));
- if ((data)->mechToken == NULL)
- return ENOMEM;
+ if ((data)->mechToken == NULL) {
+ e = ENOMEM;
+ goto fail;
+ }
e = decode_octet_string(p, len, (data)->mechToken, &l);
FORW;
if (mydce_fix) {
@@ -571,11 +579,15 @@ decode_NegTokenInit(const unsigned char *p, size_t len, NegTokenInit * data, siz
{
int mydce_fix;
oldlen = len;
- if ((mydce_fix = fix_dce(newlen, &len)) < 0)
- return ASN1_BAD_FORMAT;
+ if ((mydce_fix = fix_dce(newlen, &len)) < 0) {
+ e = ASN1_BAD_FORMAT;
+ goto fail;
+ }
(data)->mechListMIC = malloc(sizeof(*(data)->mechListMIC));
- if ((data)->mechListMIC == NULL)
- return ENOMEM;
+ if ((data)->mechListMIC == NULL) {
+ e = ENOMEM;
+ goto fail;
+ }
e = decode_octet_string(p, len, (data)->mechListMIC, &l);
FORW;
if (mydce_fix) {
--
1.8.3.1

131
CVE-2018-5743-atomic-fix.patch Normal file
View File

@ -0,0 +1,131 @@
Backport of:
From 17623d26e4e7b0fd45f2b39f00cd46e6044ce4c1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
Date: Wed, 17 Apr 2019 15:22:27 +0200
Subject: [PATCH] Replace atomic operations in bin/named/client.c with
isc_refcount reference counting
---
bin/named/client.c | 18 +++++++-----------
bin/named/include/named/interfacemgr.h | 5 +++--
bin/named/interfacemgr.c | 7 +++++--
3 files changed, 15 insertions(+), 15 deletions(-)
Index: bind9-9.11.4+dfsg/bin/named/client.c
===================================================================
--- bind9-9.11.4+dfsg.orig/bin/named/client.c 2019-04-24 15:25:11.891463104 -0400
+++ bind9-9.11.4+dfsg/bin/named/client.c 2019-04-24 15:25:42.091541114 -0400
@@ -399,12 +399,10 @@ tcpconn_detach(ns_client_t *client) {
static void
mark_tcp_active(ns_client_t *client, isc_boolean_t active) {
if (active && !client->tcpactive) {
- isc_atomic_xadd(&client->interface->ntcpactive, 1);
+ isc_refcount_increment0(&client->interface->ntcpactive, NULL);
client->tcpactive = active;
} else if (!active && client->tcpactive) {
- uint32_t old =
- isc_atomic_xadd(&client->interface->ntcpactive, -1);
- INSIST(old > 0);
+ isc_refcount_decrement(&client->interface->ntcpactive, NULL);
client->tcpactive = active;
}
}
@@ -551,7 +549,7 @@ exit_check(ns_client_t *client) {
if (client->mortal && TCP_CLIENT(client) &&
client->newstate != NS_CLIENTSTATE_FREED &&
!ns_g_clienttest &&
- isc_atomic_xadd(&client->interface->ntcpaccepting, 0) == 0)
+ isc_refcount_current(&client->interface->ntcpaccepting) == 0)
{
/* Nobody else is accepting */
client->mortal = ISC_FALSE;
@@ -3314,7 +3312,6 @@ client_newconn(isc_task_t *task, isc_eve
isc_result_t result;
ns_client_t *client = event->ev_arg;
isc_socket_newconnev_t *nevent = (isc_socket_newconnev_t *)event;
- isc_uint32_t old;
REQUIRE(event->ev_type == ISC_SOCKEVENT_NEWCONN);
REQUIRE(NS_CLIENT_VALID(client));
@@ -3334,8 +3331,7 @@ client_newconn(isc_task_t *task, isc_eve
INSIST(client->naccepts == 1);
client->naccepts--;
- old = isc_atomic_xadd(&client->interface->ntcpaccepting, -1);
- INSIST(old > 0);
+ isc_refcount_decrement(&client->interface->ntcpaccepting, NULL);
/*
* We must take ownership of the new socket before the exit
@@ -3466,8 +3462,8 @@ client_accept(ns_client_t *client) {
* quota is tcp-clients plus the number of listening
* interfaces plus 1.)
*/
- exit = (isc_atomic_xadd(&client->interface->ntcpactive, 0) >
- (client->tcpactive ? 1 : 0));
+ exit = (isc_refcount_current(&client->interface->ntcpactive) >
+ (client->tcpactive ? 1U : 0U));
if (exit) {
client->newstate = NS_CLIENTSTATE_INACTIVE;
(void)exit_check(client);
@@ -3525,7 +3521,7 @@ client_accept(ns_client_t *client) {
* listening for connections itself to prevent the interface
* going dead.
*/
- isc_atomic_xadd(&client->interface->ntcpaccepting, 1);
+ isc_refcount_increment0(&client->interface->ntcpaccepting, NULL);
}
static void
Index: bind9-9.11.4+dfsg/bin/named/include/named/interfacemgr.h
===================================================================
--- bind9-9.11.4+dfsg.orig/bin/named/include/named/interfacemgr.h 2019-04-24 15:25:11.891463104 -0400
+++ bind9-9.11.4+dfsg/bin/named/include/named/interfacemgr.h 2019-04-24 15:26:03.943597701 -0400
@@ -43,6 +43,7 @@
#include <isc/magic.h>
#include <isc/mem.h>
#include <isc/socket.h>
+#include <isc/refcount.h>
#include <dns/result.h>
@@ -73,11 +74,11 @@ struct ns_interface {
/*%< UDP dispatchers. */
isc_socket_t * tcpsocket; /*%< TCP socket. */
isc_dscp_t dscp; /*%< "listen-on" DSCP value */
- isc_int32_t ntcpaccepting; /*%< Number of clients
+ isc_refcount_t ntcpaccepting; /*%< Number of clients
ready to accept new
TCP connections on this
interface */
- isc_int32_t ntcpactive; /*%< Number of clients
+ isc_refcount_t ntcpactive; /*%< Number of clients
servicing TCP queries
(whether accepting or
connected) */
Index: bind9-9.11.4+dfsg/bin/named/interfacemgr.c
===================================================================
--- bind9-9.11.4+dfsg.orig/bin/named/interfacemgr.c 2019-04-24 15:25:11.891463104 -0400
+++ bind9-9.11.4+dfsg/bin/named/interfacemgr.c 2019-04-24 15:25:11.891463104 -0400
@@ -384,8 +384,8 @@ ns_interface_create(ns_interfacemgr_t *m
* connections will be handled in parallel even though there is
* only one client initially.
*/
- ifp->ntcpaccepting = 0;
- ifp->ntcpactive = 0;
+ isc_refcount_init(&ifp->ntcpaccepting, 0);
+ isc_refcount_init(&ifp->ntcpactive, 0);
ifp->nudpdispatch = 0;
@@ -616,6 +616,9 @@ ns_interface_destroy(ns_interface_t *ifp
ns_interfacemgr_detach(&ifp->mgr);
+ isc_refcount_destroy(&ifp->ntcpactive);
+ isc_refcount_destroy(&ifp->ntcpaccepting);
+
ifp->magic = 0;
isc_mem_put(mctx, ifp, sizeof(*ifp));
}

872
CVE-2018-5743.patch Normal file
View File

@ -0,0 +1,872 @@
Description: fix limiting simultaneous TCP clients is ineffective
Origin: backported from patch provided by ISC
Index: bind9-9.11.4+dfsg/bin/named/client.c
===================================================================
--- bind9-9.11.4+dfsg.orig/bin/named/client.c 2019-04-24 05:05:24.068523718 -0400
+++ bind9-9.11.4+dfsg/bin/named/client.c 2019-04-24 05:16:21.089731949 -0400
@@ -243,10 +243,11 @@ static void ns_client_dumpmessage(ns_cli
static isc_result_t get_client(ns_clientmgr_t *manager, ns_interface_t *ifp,
dns_dispatch_t *disp, isc_boolean_t tcp);
static isc_result_t get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp,
- isc_socket_t *sock);
+ isc_socket_t *sock, ns_client_t *oldclient);
static inline isc_boolean_t
-allowed(isc_netaddr_t *addr, dns_name_t *signer, isc_netaddr_t *ecs_addr,
- isc_uint8_t ecs_addrlen, isc_uint8_t *ecs_scope, dns_acl_t *acl);
+allowed(isc_netaddr_t *addr, dns_name_t *signer,
+ isc_netaddr_t *ecs_addr, isc_uint8_t ecs_addrlen,
+ isc_uint8_t *ecs_scope, dns_acl_t *acl);
static void compute_cookie(ns_client_t *client, isc_uint32_t when,
isc_uint32_t nonce, const unsigned char *secret,
isc_buffer_t *buf);
@@ -296,6 +297,119 @@ ns_client_settimeout(ns_client_t *client
}
/*%
+ * Allocate a reference-counted object that will maintain a single pointer to
+ * the (also reference-counted) TCP client quota, shared between all the
+ * clients processing queries on a single TCP connection, so that all
+ * clients sharing the one socket will together consume only one slot in
+ * the 'tcp-clients' quota.
+ */
+static isc_result_t
+tcpconn_init(ns_client_t *client, isc_boolean_t force) {
+ isc_result_t result;
+ isc_quota_t *quota = NULL;
+ ns_tcpconn_t *tconn = NULL;
+
+ REQUIRE(client->tcpconn == NULL);
+
+ /*
+ * Try to attach to the quota first, so we won't pointlessly
+ * allocate memory for a tcpconn object if we can't get one.
+ */
+ if (force) {
+ result = isc_quota_force(&ns_g_server->tcpquota, &quota);
+ } else {
+ result = isc_quota_attach(&ns_g_server->tcpquota, &quota);
+ }
+ if (result != ISC_R_SUCCESS) {
+ return (result);
+ }
+
+ /*
+ * A global memory context is used for the allocation as different
+ * client structures may have different memory contexts assigned and a
+ * reference counter allocated here might need to be freed by a
+ * different client. The performance impact caused by memory context
+ * contention here is expected to be negligible, given that this code
+ * is only executed for TCP connections.
+ */
+ tconn = isc_mem_allocate(ns_g_mctx, sizeof(*tconn));
+
+ isc_refcount_init(&tconn->refs, 1);
+ tconn->tcpquota = quota;
+ quota = NULL;
+ tconn->pipelined = ISC_FALSE;
+
+ client->tcpconn = tconn;
+
+ return (ISC_R_SUCCESS);
+}
+
+/*%
+ * Increase the count of client structures sharing the TCP connection
+ * that 'source' is associated with; add a pointer to the same tcpconn
+ * to 'target', thus associating it with the same TCP connection.
+ */
+static void
+tcpconn_attach(ns_client_t *source, ns_client_t *target) {
+ int refs;
+
+ REQUIRE(source->tcpconn != NULL);
+ REQUIRE(target->tcpconn == NULL);
+ REQUIRE(source->tcpconn->pipelined);
+
+ isc_refcount_increment(&source->tcpconn->refs, &refs);
+ INSIST(refs > 1);
+ target->tcpconn = source->tcpconn;
+}
+
+/*%
+ * Decrease the count of client structures sharing the TCP connection that
+ * 'client' is associated with. If this is the last client using this TCP
+ * connection, we detach from the TCP quota and free the tcpconn
+ * object. Either way, client->tcpconn is set to NULL.
+ */
+static void
+tcpconn_detach(ns_client_t *client) {
+ ns_tcpconn_t *tconn = NULL;
+ int refs;
+
+ REQUIRE(client->tcpconn != NULL);
+
+ tconn = client->tcpconn;
+ client->tcpconn = NULL;
+
+ isc_refcount_decrement(&tconn->refs, &refs);
+ if (refs == 0) {
+ isc_quota_detach(&tconn->tcpquota);
+ isc_mem_free(ns_g_mctx, tconn);
+ }
+}
+
+/*%
+ * Mark a client as active and increment the interface's 'ntcpactive'
+ * counter, as a signal that there is at least one client servicing
+ * TCP queries for the interface. If we reach the TCP client quota at
+ * some point, this will be used to determine whether a quota overrun
+ * should be permitted.
+ *
+ * Marking the client active with the 'tcpactive' flag ensures proper
+ * accounting, by preventing us from incrementing or decrementing
+ * 'ntcpactive' more than once per client.
+ */
+static void
+mark_tcp_active(ns_client_t *client, isc_boolean_t active) {
+ if (active && !client->tcpactive) {
+ isc_atomic_xadd(&client->interface->ntcpactive, 1);
+ client->tcpactive = active;
+ } else if (!active && client->tcpactive) {
+ uint32_t old =
+ isc_atomic_xadd(&client->interface->ntcpactive, -1);
+ INSIST(old > 0);
+ client->tcpactive = active;
+ }
+}
+
+/*%
* Check for a deactivation or shutdown request and take appropriate
* action. Returns ISC_TRUE if either is in progress; in this case
* the caller must no longer use the client object as it may have been
@@ -384,7 +498,8 @@ exit_check(ns_client_t *client) {
INSIST(client->recursionquota == NULL);
if (NS_CLIENTSTATE_READING == client->newstate) {
- if (!client->pipelined) {
+ INSIST(client->tcpconn != NULL);
+ if (!client->tcpconn->pipelined) {
client_read(client);
client->newstate = NS_CLIENTSTATE_MAX;
return (ISC_TRUE); /* We're done. */
@@ -402,10 +517,13 @@ exit_check(ns_client_t *client) {
*/
INSIST(client->recursionquota == NULL);
INSIST(client->newstate <= NS_CLIENTSTATE_READY);
- if (client->nreads > 0)
+
+ if (client->nreads > 0) {
dns_tcpmsg_cancelread(&client->tcpmsg);
- if (client->nreads != 0) {
- /* Still waiting for read cancel completion. */
+ }
+
+ /* Still waiting for read cancel completion. */
+ if (client->nreads > 0) {
return (ISC_TRUE);
}
@@ -413,14 +531,49 @@ exit_check(ns_client_t *client) {
dns_tcpmsg_invalidate(&client->tcpmsg);
client->tcpmsg_valid = ISC_FALSE;
}
+
+ /*
+ * Soon the client will be ready to accept a new TCP
+ * connection or UDP request, but we may have enough
+ * clients doing that already. Check whether this client
+ * needs to remain active and allow it go inactive if
+ * not.
+ *
+ * UDP clients always go inactive at this point, but a TCP
+ * client may need to stay active and return to READY
+ * state if no other clients are available to listen
+ * for TCP requests on this interface.
+ *
+ * Regardless, if we're going to FREED state, that means
+ * the system is shutting down and we don't need to
+ * retain clients.
+ */
+ if (client->mortal && TCP_CLIENT(client) &&
+ client->newstate != NS_CLIENTSTATE_FREED &&
+ !ns_g_clienttest &&
+ isc_atomic_xadd(&client->interface->ntcpaccepting, 0) == 0)
+ {
+ /* Nobody else is accepting */
+ client->mortal = ISC_FALSE;
+ client->newstate = NS_CLIENTSTATE_READY;
+ }
+
+ /*
+ * Detach from TCP connection and TCP client quota,
+ * if appropriate. If this is the last reference to
+ * the TCP connection in our pipeline group, the
+ * TCP quota slot will be released.
+ */
+ if (client->tcpconn) {
+ tcpconn_detach(client);
+ }
+
if (client->tcpsocket != NULL) {
CTRACE("closetcp");
isc_socket_detach(&client->tcpsocket);
+ mark_tcp_active(client, ISC_FALSE);
}
- if (client->tcpquota != NULL)
- isc_quota_detach(&client->tcpquota);
-
if (client->timerset) {
(void)isc_timer_reset(client->timer,
isc_timertype_inactive,
@@ -428,45 +581,26 @@ exit_check(ns_client_t *client) {
client->timerset = ISC_FALSE;
}
- client->pipelined = ISC_FALSE;
-
client->peeraddr_valid = ISC_FALSE;
client->state = NS_CLIENTSTATE_READY;
- INSIST(client->recursionquota == NULL);
-
- /*
- * Now the client is ready to accept a new TCP connection
- * or UDP request, but we may have enough clients doing
- * that already. Check whether this client needs to remain
- * active and force it to go inactive if not.
- *
- * UDP clients go inactive at this point, but TCP clients
- * may remain active if we have fewer active TCP client
- * objects than desired due to an earlier quota exhaustion.
- */
- if (client->mortal && TCP_CLIENT(client) && !ns_g_clienttest) {
- LOCK(&client->interface->lock);
- if (client->interface->ntcpcurrent <
- client->interface->ntcptarget)
- client->mortal = ISC_FALSE;
- UNLOCK(&client->interface->lock);
- }
/*
* We don't need the client; send it to the inactive
* queue for recycling.
*/
if (client->mortal) {
- if (client->newstate > NS_CLIENTSTATE_INACTIVE)
+ if (client->newstate > NS_CLIENTSTATE_INACTIVE) {
client->newstate = NS_CLIENTSTATE_INACTIVE;
+ }
}
if (NS_CLIENTSTATE_READY == client->newstate) {
if (TCP_CLIENT(client)) {
client_accept(client);
- } else
+ } else {
client_udprecv(client);
+ }
client->newstate = NS_CLIENTSTATE_MAX;
return (ISC_TRUE);
}
@@ -478,41 +612,50 @@ exit_check(ns_client_t *client) {
/*
* We are trying to enter the inactive state.
*/
- if (client->naccepts > 0)
+ if (client->naccepts > 0) {
isc_socket_cancel(client->tcplistener, client->task,
ISC_SOCKCANCEL_ACCEPT);
+ }
/* Still waiting for accept cancel completion. */
- if (! (client->naccepts == 0))
+ if (client->naccepts > 0) {
return (ISC_TRUE);
+ }
/* Accept cancel is complete. */
- if (client->nrecvs > 0)
+ if (client->nrecvs > 0) {
isc_socket_cancel(client->udpsocket, client->task,
ISC_SOCKCANCEL_RECV);
+ }
/* Still waiting for recv cancel completion. */
- if (! (client->nrecvs == 0))
+ if (client->nrecvs > 0) {
return (ISC_TRUE);
+ }
/* Still waiting for control event to be delivered */
- if (client->nctls > 0)
+ if (client->nctls > 0) {
return (ISC_TRUE);
-
- /* Deactivate the client. */
- if (client->interface)
- ns_interface_detach(&client->interface);
+ }
INSIST(client->naccepts == 0);
INSIST(client->recursionquota == NULL);
- if (client->tcplistener != NULL)
+ if (client->tcplistener != NULL) {
isc_socket_detach(&client->tcplistener);
-
- if (client->udpsocket != NULL)
+ mark_tcp_active(client, ISC_FALSE);
+ }
+ if (client->udpsocket != NULL) {
isc_socket_detach(&client->udpsocket);
+ }
- if (client->dispatch != NULL)
+ /* Deactivate the client. */
+ if (client->interface != NULL) {
+ ns_interface_detach(&client->interface);
+ }
+
+ if (client->dispatch != NULL) {
dns_dispatch_detach(&client->dispatch);
+ }
client->attributes = 0;
client->mortal = ISC_FALSE;
@@ -537,10 +680,13 @@ exit_check(ns_client_t *client) {
client->newstate = NS_CLIENTSTATE_MAX;
if (!ns_g_clienttest && manager != NULL &&
!manager->exiting)
+ {
ISC_QUEUE_PUSH(manager->inactive, client,
ilink);
- if (client->needshutdown)
+ }
+ if (client->needshutdown) {
isc_task_shutdown(client->task);
+ }
return (ISC_TRUE);
}
}
@@ -650,7 +796,7 @@ client_start(isc_task_t *task, isc_event
return;
if (TCP_CLIENT(client)) {
- if (client->pipelined) {
+ if (client->tcpconn != NULL) {
client_read(client);
} else {
client_accept(client);
@@ -660,7 +806,6 @@ client_start(isc_task_t *task, isc_event
}
}
-
/*%
* The client's task has received a shutdown event.
*/
@@ -2301,6 +2446,7 @@ client_request(isc_task_t *task, isc_eve
client->nrecvs--;
} else {
INSIST(TCP_CLIENT(client));
+ INSIST(client->tcpconn != NULL);
REQUIRE(event->ev_type == DNS_EVENT_TCPMSG);
REQUIRE(event->ev_sender == &client->tcpmsg);
buffer = &client->tcpmsg.buffer;
@@ -2484,18 +2630,27 @@ client_request(isc_task_t *task, isc_eve
/*
* Pipeline TCP query processing.
*/
- if (client->message->opcode != dns_opcode_query)
- client->pipelined = ISC_FALSE;
- if (TCP_CLIENT(client) && client->pipelined) {
- result = isc_quota_reserve(&ns_g_server->tcpquota);
- if (result == ISC_R_SUCCESS)
- result = ns_client_replace(client);
+ if (TCP_CLIENT(client) &&
+ client->message->opcode != dns_opcode_query)
+ {
+ client->tcpconn->pipelined = ISC_FALSE;
+ }
+ if (TCP_CLIENT(client) && client->tcpconn->pipelined) {
+ /*
+ * We're pipelining. Replace the client; the
+ * replacement can read the TCP socket looking
+ * for new messages and this one can process the
+ * current message asynchronously.
+ *
+ * There will now be at least three clients using this
+ * TCP socket - one accepting new connections,
+ * one reading an existing connection to get new
+ * messages, and one answering the message already
+ * received.
+ */
+ result = ns_client_replace(client);
if (result != ISC_R_SUCCESS) {
- ns_client_log(client, NS_LOGCATEGORY_CLIENT,
- NS_LOGMODULE_CLIENT, ISC_LOG_WARNING,
- "no more TCP clients(read): %s",
- isc_result_totext(result));
- client->pipelined = ISC_FALSE;
+ client->tcpconn->pipelined = ISC_FALSE;
}
}
@@ -3051,8 +3206,7 @@ client_create(ns_clientmgr_t *manager, n
client->signer = NULL;
dns_name_init(&client->signername, NULL);
client->mortal = ISC_FALSE;
- client->pipelined = ISC_FALSE;
- client->tcpquota = NULL;
+ client->tcpconn = NULL;
client->recursionquota = NULL;
client->interface = NULL;
client->peeraddr_valid = ISC_FALSE;
@@ -3062,6 +3216,7 @@ client_create(ns_clientmgr_t *manager, n
client->filter_aaaa = dns_aaaa_ok;
#endif
client->needshutdown = ns_g_clienttest;
+ client->tcpactive = ISC_FALSE;
ISC_EVENT_INIT(&client->ctlevent, sizeof(client->ctlevent), 0, NULL,
NS_EVENT_CLIENTCONTROL, client_start, client, client,
@@ -3156,9 +3311,10 @@ client_read(ns_client_t *client) {
static void
client_newconn(isc_task_t *task, isc_event_t *event) {
+ isc_result_t result;
ns_client_t *client = event->ev_arg;
isc_socket_newconnev_t *nevent = (isc_socket_newconnev_t *)event;
- isc_result_t result;
+ isc_uint32_t old;
REQUIRE(event->ev_type == ISC_SOCKEVENT_NEWCONN);
REQUIRE(NS_CLIENT_VALID(client));
@@ -3168,13 +3324,18 @@ client_newconn(isc_task_t *task, isc_eve
INSIST(client->state == NS_CLIENTSTATE_READY);
+ /*
+ * The accept() was successful and we're now establishing a new
+ * connection. We need to make note of it in the client and
+ * interface objects so client objects can do the right thing
+ * when going inactive in exit_check() (see comments in
+ * client_accept() for details).
+ */
INSIST(client->naccepts == 1);
client->naccepts--;
- LOCK(&client->interface->lock);
- INSIST(client->interface->ntcpcurrent > 0);
- client->interface->ntcpcurrent--;
- UNLOCK(&client->interface->lock);
+ old = isc_atomic_xadd(&client->interface->ntcpaccepting, -1);
+ INSIST(old > 0);
/*
* We must take ownership of the new socket before the exit
@@ -3207,6 +3368,7 @@ client_newconn(isc_task_t *task, isc_eve
NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
"accept failed: %s",
isc_result_totext(nevent->result));
+ tcpconn_detach(client);
}
if (exit_check(client))
@@ -3244,20 +3406,13 @@ client_newconn(isc_task_t *task, isc_eve
* telnetting to port 53 (once per CPU) will
* deny service to legitimate TCP clients.
*/
- client->pipelined = ISC_FALSE;
- result = isc_quota_attach(&ns_g_server->tcpquota,
- &client->tcpquota);
- if (result == ISC_R_SUCCESS)
- result = ns_client_replace(client);
- if (result != ISC_R_SUCCESS) {
- ns_client_log(client, NS_LOGCATEGORY_CLIENT,
- NS_LOGMODULE_CLIENT, ISC_LOG_WARNING,
- "no more TCP clients(accept): %s",
- isc_result_totext(result));
- } else if (ns_g_server->keepresporder == NULL ||
- !allowed(&netaddr, NULL, NULL, 0, NULL,
- ns_g_server->keepresporder)) {
- client->pipelined = ISC_TRUE;
+ result = ns_client_replace(client);
+ if (result == ISC_R_SUCCESS &&
+ (ns_g_server->keepresporder == NULL ||
+ !allowed(&netaddr, NULL, NULL, 0, NULL,
+ ns_g_server->keepresporder)))
+ {
+ client->tcpconn->pipelined = ISC_TRUE;
}
client_read(client);
@@ -3273,12 +3428,66 @@ client_accept(ns_client_t *client) {
CTRACE("accept");
+ /*
+ * Set up a new TCP connection. This means try to attach to the
+ * TCP client quota (tcp-clients), but fail if we're over quota.
+ */
+ result = tcpconn_init(client, ISC_FALSE);
+ if (result != ISC_R_SUCCESS) {
+ isc_boolean_t exit;
+
+ ns_client_log(client, NS_LOGCATEGORY_CLIENT,
+ NS_LOGMODULE_CLIENT, ISC_LOG_WARNING,
+ "TCP client quota reached: %s",
+ isc_result_totext(result));
+
+ /*
+ * We have exceeded the system-wide TCP client quota. But,
+ * we can't just block this accept in all cases, because if
+ * we did, a heavy TCP load on other interfaces might cause
+ * this interface to be starved, with no clients able to
+ * accept new connections.
+ *
+ * So, we check here to see if any other clients are
+ * already servicing TCP queries on this interface (whether
+ * accepting, reading, or processing). If we find that at
+ * least one client other than this one is active, then
+ * it's okay *not* to call accept - we can let this
+ * client go inactive and another will take over when it's
+ * done.
+ *
+ * If there aren't enough active clients on the interface,
+ * then we can be a little bit flexible about the quota.
+ * We'll allow *one* extra client through to ensure we're
+ * listening on every interface; we do this by setting the
+ * 'force' option to tcpconn_init().
+ *
+ * (Note: In practice this means that the real TCP client
+ * quota is tcp-clients plus the number of listening
+ * interfaces plus 1.)
+ */
+ exit = (isc_atomic_xadd(&client->interface->ntcpactive, 0) >
+ (client->tcpactive ? 1 : 0));
+ if (exit) {
+ client->newstate = NS_CLIENTSTATE_INACTIVE;
+ (void)exit_check(client);
+ return;
+ }
+
+ result = tcpconn_init(client, ISC_TRUE);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ }
+
+ /*
+ * If this client was set up using get_client() or get_worker(),
+ * then TCP is already marked active. However, if it was restarted
+ * from exit_check(), it might not be, so we take care of it now.
+ */
+ mark_tcp_active(client, ISC_TRUE);
+
result = isc_socket_accept(client->tcplistener, client->task,
client_newconn, client);
if (result != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_socket_accept() failed: %s",
- isc_result_totext(result));
/*
* XXXRTH What should we do? We're trying to accept but
* it didn't work. If we just give up, then TCP
@@ -3286,13 +3495,37 @@ client_accept(ns_client_t *client) {
*
* For now, we just go idle.
*/
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_socket_accept() failed: %s",
+ isc_result_totext(result));
+
+ tcpconn_detach(client);
+ mark_tcp_active(client, ISC_FALSE);
return;
}
+
+ /*
+ * The client's 'naccepts' counter indicates that this client has
+ * called accept() and is waiting for a new connection. It should
+ * never exceed 1.
+ */
INSIST(client->naccepts == 0);
client->naccepts++;
- LOCK(&client->interface->lock);
- client->interface->ntcpcurrent++;
- UNLOCK(&client->interface->lock);
+
+ /*
+ * The interface's 'ntcpaccepting' counter is incremented when
+ * any client calls accept(), and decremented in client_newconn()
+ * once the connection is established.
+ *
+ * When the client object is shutting down after handling a TCP
+ * request (see exit_check()), if this value is at least one, that
+ * means another client has called accept() and is waiting to
+ * establish the next connection. That means the client may be
+ * be free to become inactive; otherwise it may need to start
+ * listening for connections itself to prevent the interface
+ * going dead.
+ */
+ isc_atomic_xadd(&client->interface->ntcpaccepting, 1);
}
static void
@@ -3363,15 +3596,17 @@ ns_client_replace(ns_client_t *client) {
REQUIRE(client->manager != NULL);
tcp = TCP_CLIENT(client);
- if (tcp && client->pipelined) {
+ if (tcp && client->tcpconn != NULL && client->tcpconn->pipelined) {
result = get_worker(client->manager, client->interface,
- client->tcpsocket);
+ client->tcpsocket, client);
} else {
result = get_client(client->manager, client->interface,
client->dispatch, tcp);
+
}
- if (result != ISC_R_SUCCESS)
+ if (result != ISC_R_SUCCESS) {
return (result);
+ }
/*
* The responsibility for listening for new requests is hereby
@@ -3557,9 +3792,12 @@ get_client(ns_clientmgr_t *manager, ns_i
client->dscp = ifp->dscp;
if (tcp) {
+ mark_tcp_active(client, ISC_TRUE);
+
client->attributes |= NS_CLIENTATTR_TCP;
isc_socket_attach(ifp->tcpsocket,
&client->tcplistener);
+
} else {
isc_socket_t *sock;
@@ -3577,7 +3815,8 @@ get_client(ns_clientmgr_t *manager, ns_i
}
static isc_result_t
-get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, isc_socket_t *sock)
+get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, isc_socket_t *sock,
+ ns_client_t *oldclient)
{
isc_result_t result = ISC_R_SUCCESS;
isc_event_t *ev;
@@ -3585,6 +3824,7 @@ get_worker(ns_clientmgr_t *manager, ns_i
MTRACE("get worker");
REQUIRE(manager != NULL);
+ REQUIRE(oldclient != NULL);
if (manager->exiting)
return (ISC_R_SHUTTINGDOWN);
@@ -3617,14 +3857,15 @@ get_worker(ns_clientmgr_t *manager, ns_i
ns_interface_attach(ifp, &client->interface);
client->newstate = client->state = NS_CLIENTSTATE_WORKING;
INSIST(client->recursionquota == NULL);
- client->tcpquota = &ns_g_server->tcpquota;
client->dscp = ifp->dscp;
client->attributes |= NS_CLIENTATTR_TCP;
- client->pipelined = ISC_TRUE;
client->mortal = ISC_TRUE;
+ tcpconn_attach(oldclient, client);
+ mark_tcp_active(client, ISC_TRUE);
+
isc_socket_attach(ifp->tcpsocket, &client->tcplistener);
isc_socket_attach(sock, &client->tcpsocket);
isc_socket_setname(client->tcpsocket, "worker-tcp", NULL);
Index: bind9-9.11.4+dfsg/bin/named/include/named/client.h
===================================================================
--- bind9-9.11.4+dfsg.orig/bin/named/include/named/client.h 2019-04-24 05:05:24.068523718 -0400
+++ bind9-9.11.4+dfsg/bin/named/include/named/client.h 2019-04-24 05:18:09.894205195 -0400
@@ -9,8 +9,6 @@
* information regarding copyright ownership.
*/
-/* $Id: client.h,v 1.96 2012/01/31 23:47:31 tbox Exp $ */
-
#ifndef NAMED_CLIENT_H
#define NAMED_CLIENT_H 1
@@ -77,6 +75,13 @@
*** Types
***/
+/*% reference-counted TCP connection object */
+typedef struct ns_tcpconn {
+ isc_refcount_t refs;
+ isc_quota_t *tcpquota;
+ isc_boolean_t pipelined;
+} ns_tcpconn_t;
+
/*% nameserver client structure */
struct ns_client {
unsigned int magic;
@@ -91,6 +96,7 @@ struct ns_client {
int nupdates;
int nctls;
int references;
+ isc_boolean_t tcpactive;
isc_boolean_t needshutdown; /*
* Used by clienttest to get
* the client to go from
@@ -127,10 +133,9 @@ struct ns_client {
isc_stdtime_t now;
isc_time_t tnow;
dns_name_t signername; /*%< [T]SIG key name */
- dns_name_t * signer; /*%< NULL if not valid sig */
+ dns_name_t *signer; /*%< NULL if not valid sig */
isc_boolean_t mortal; /*%< Die after handling request */
- isc_boolean_t pipelined; /*%< TCP queries not in sequence */
- isc_quota_t *tcpquota;
+ ns_tcpconn_t *tcpconn;
isc_quota_t *recursionquota;
ns_interface_t *interface;
Index: bind9-9.11.4+dfsg/bin/named/include/named/interfacemgr.h
===================================================================
--- bind9-9.11.4+dfsg.orig/bin/named/include/named/interfacemgr.h 2019-04-24 05:05:24.068523718 -0400
+++ bind9-9.11.4+dfsg/bin/named/include/named/interfacemgr.h 2019-04-24 05:05:24.068523718 -0400
@@ -9,8 +9,6 @@
* information regarding copyright ownership.
*/
-/* $Id: interfacemgr.h,v 1.35 2011/07/28 23:47:58 tbox Exp $ */
-
#ifndef NAMED_INTERFACEMGR_H
#define NAMED_INTERFACEMGR_H 1
@@ -75,9 +73,14 @@ struct ns_interface {
/*%< UDP dispatchers. */
isc_socket_t * tcpsocket; /*%< TCP socket. */
isc_dscp_t dscp; /*%< "listen-on" DSCP value */
- int ntcptarget; /*%< Desired number of concurrent
- TCP accepts */
- int ntcpcurrent; /*%< Current ditto, locked */
+ isc_int32_t ntcpaccepting; /*%< Number of clients
+ ready to accept new
+ TCP connections on this
+ interface */
+ isc_int32_t ntcpactive; /*%< Number of clients
+ servicing TCP queries
+ (whether accepting or
+ connected) */
int nudpdispatch; /*%< Number of UDP dispatches */
ns_clientmgr_t * clientmgr; /*%< Client manager. */
ISC_LINK(ns_interface_t) link;
Index: bind9-9.11.4+dfsg/bin/named/interfacemgr.c
===================================================================
--- bind9-9.11.4+dfsg.orig/bin/named/interfacemgr.c 2019-04-24 05:05:24.068523718 -0400
+++ bind9-9.11.4+dfsg/bin/named/interfacemgr.c 2019-04-24 05:19:06.102432272 -0400
@@ -384,8 +384,9 @@ ns_interface_create(ns_interfacemgr_t *m
* connections will be handled in parallel even though there is
* only one client initially.
*/
- ifp->ntcptarget = 1;
- ifp->ntcpcurrent = 0;
+ ifp->ntcpaccepting = 0;
+ ifp->ntcpactive = 0;
+
ifp->nudpdispatch = 0;
ifp->dscp = -1;
@@ -520,9 +521,7 @@ ns_interface_accepttcp(ns_interface_t *i
*/
(void)isc_socket_filter(ifp->tcpsocket, "dataready");
- result = ns_clientmgr_createclients(ifp->clientmgr,
- ifp->ntcptarget, ifp,
- ISC_TRUE);
+ result = ns_clientmgr_createclients(ifp->clientmgr, 1, ifp, ISC_TRUE);
if (result != ISC_R_SUCCESS) {
UNEXPECTED_ERROR(__FILE__, __LINE__,
"TCP ns_clientmgr_createclients(): %s",
Index: bind9-9.11.4+dfsg/lib/isc/include/isc/quota.h
===================================================================
--- bind9-9.11.4+dfsg.orig/lib/isc/include/isc/quota.h 2019-04-24 05:05:24.068523718 -0400
+++ bind9-9.11.4+dfsg/lib/isc/include/isc/quota.h 2019-04-24 05:05:24.068523718 -0400
@@ -100,6 +100,13 @@ isc_quota_attach(isc_quota_t *quota, isc
* quota if successful (ISC_R_SUCCESS or ISC_R_SOFTQUOTA).
*/
+isc_result_t
+isc_quota_force(isc_quota_t *quota, isc_quota_t **p);
+/*%<
+ * Like isc_quota_attach, but will attach '*p' to the quota
+ * even if the hard quota has been exceeded.
+ */
+
void
isc_quota_detach(isc_quota_t **p);
/*%<
Index: bind9-9.11.4+dfsg/lib/isc/quota.c
===================================================================
--- bind9-9.11.4+dfsg.orig/lib/isc/quota.c 2019-04-24 05:05:24.068523718 -0400
+++ bind9-9.11.4+dfsg/lib/isc/quota.c 2019-04-24 05:05:24.068523718 -0400
@@ -74,20 +74,39 @@ isc_quota_release(isc_quota_t *quota) {
UNLOCK(&quota->lock);
}
-isc_result_t
-isc_quota_attach(isc_quota_t *quota, isc_quota_t **p)
-{
+static isc_result_t
+doattach(isc_quota_t *quota, isc_quota_t **p, isc_boolean_t force) {
isc_result_t result;
- INSIST(p != NULL && *p == NULL);
+ REQUIRE(p != NULL && *p == NULL);
+
result = isc_quota_reserve(quota);
- if (result == ISC_R_SUCCESS || result == ISC_R_SOFTQUOTA)
+ if (result == ISC_R_SUCCESS || result == ISC_R_SOFTQUOTA) {
+ *p = quota;
+ } else if (result == ISC_R_QUOTA && force) {
+ /* attach anyway */
+ LOCK(&quota->lock);
+ quota->used++;
+ UNLOCK(&quota->lock);
+
*p = quota;
+ result = ISC_R_SUCCESS;
+ }
+
return (result);
}
+isc_result_t
+isc_quota_attach(isc_quota_t *quota, isc_quota_t **p) {
+ return (doattach(quota, p, ISC_FALSE));
+}
+
+isc_result_t
+isc_quota_force(isc_quota_t *quota, isc_quota_t **p) {
+ return (doattach(quota, p, ISC_TRUE));
+}
+
void
-isc_quota_detach(isc_quota_t **p)
-{
+isc_quota_detach(isc_quota_t **p) {
INSIST(p != NULL && *p != NULL);
isc_quota_release(*p);
*p = NULL;
Index: bind9-9.11.4+dfsg/lib/isc/win32/libisc.def.in
===================================================================
--- bind9-9.11.4+dfsg.orig/lib/isc/win32/libisc.def.in 2019-04-24 05:05:24.068523718 -0400
+++ bind9-9.11.4+dfsg/lib/isc/win32/libisc.def.in 2019-04-24 05:05:24.068523718 -0400
@@ -519,6 +519,7 @@ isc_portset_removerange
isc_quota_attach
isc_quota_destroy
isc_quota_detach
+isc_quota_force
isc_quota_init
isc_quota_max
isc_quota_release

71
CVE-2018-5745.patch Normal file
View File

@ -0,0 +1,71 @@
Description: fix assertion failure when a trust anchor rolls over to an
unsupported key algorithm when using managed-keys
Origin: provided by ISC
Index: bind9-9.11.4+dfsg/lib/dns/include/dst/dst.h
===================================================================
--- bind9-9.11.4+dfsg.orig/lib/dns/include/dst/dst.h 2019-02-20 09:01:27.450680701 +0100
+++ bind9-9.11.4+dfsg/lib/dns/include/dst/dst.h 2019-02-20 09:01:27.446680698 +0100
@@ -67,8 +67,7 @@ typedef struct dst_context dst_context_
#define DST_ALG_HMACSHA512 165 /* XXXMPA */
#define DST_ALG_INDIRECT 252
#define DST_ALG_PRIVATE 254
-#define DST_ALG_EXPAND 255
-#define DST_MAX_ALGS 255
+#define DST_MAX_ALGS 256
/*% A buffer of this size is large enough to hold any key */
#define DST_KEY_MAXSIZE 1280
Index: bind9-9.11.4+dfsg/lib/dns/zone.c
===================================================================
--- bind9-9.11.4+dfsg.orig/lib/dns/zone.c 2019-02-20 09:01:27.450680701 +0100
+++ bind9-9.11.4+dfsg/lib/dns/zone.c 2019-02-20 09:01:27.450680701 +0100
@@ -3873,9 +3873,10 @@ compute_tag(dns_name_t *name, dns_rdata_
dns_rdatatype_dnskey, dnskey, &buffer);
result = dns_dnssec_keyfromrdata(name, &rdata, mctx, &dstkey);
- if (result == ISC_R_SUCCESS)
+ if (result == ISC_R_SUCCESS) {
*tag = dst_key_id(dstkey);
- dst_key_free(&dstkey);
+ dst_key_free(&dstkey);
+ }
return (result);
}
@@ -9315,6 +9316,17 @@ keyfetch_done(isc_task_t *task, isc_even
dns_keydata_todnskey(&keydata, &dnskey, NULL);
result = compute_tag(keyname, &dnskey, mctx, &keytag);
+ if (result != ISC_R_SUCCESS) {
+ /*
+ * Skip if we cannot compute the key tag.
+ * This may happen if the algorithm is unsupported
+ */
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "Cannot compute tag for key in zone %s: %s "
+ "(skipping)",
+ namebuf, dns_result_totext(result));
+ continue;
+ }
RUNTIME_CHECK(result == ISC_R_SUCCESS);
/*
@@ -9426,6 +9438,17 @@ keyfetch_done(isc_task_t *task, isc_even
continue;
result = compute_tag(keyname, &dnskey, mctx, &keytag);
+ if (result != ISC_R_SUCCESS) {
+ /*
+ * Skip if we cannot compute the key tag.
+ * This may happen if the algorithm is unsupported
+ */
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "Cannot compute tag for key in zone %s: %s "
+ "(skipping)",
+ namebuf, dns_result_totext(result));
+ continue;
+ }
RUNTIME_CHECK(result == ISC_R_SUCCESS);
revoked = ISC_TF(dnskey.flags & DNS_KEYFLAG_REVOKE);

25
CVE-2019-6465.patch Normal file
View File

@ -0,0 +1,25 @@
Description: fix controls for zone transfers not being properly applied to
Dynamically Loadable Zones (DLZs) if the zones are writable
Origin: provided by ISC
Index: bind9-9.11.4+dfsg/bin/named/xfrout.c
===================================================================
--- bind9-9.11.4+dfsg.orig/bin/named/xfrout.c 2019-02-20 09:02:00.710689380 +0100
+++ bind9-9.11.4+dfsg/bin/named/xfrout.c 2019-02-20 09:02:00.706689381 +0100
@@ -803,12 +803,12 @@ ns_xfr_start(ns_client_t *client, dns_rd
result = dns_zt_find(client->view->zonetable, question_name, 0, NULL,
&zone);
- if (result != ISC_R_SUCCESS) {
+ if (result != ISC_R_SUCCESS || dns_zone_gettype(zone) == dns_zone_dlz) {
/*
- * Normal zone table does not have a match.
- * Try the DLZ database
+ * The normal zone table does not have a match, or this is
+ * marked in the zone table as a DLZ zone. Check the DLZ
+ * databases for a match.
*/
- // Temporary: only searching the first DLZ database
if (! ISC_LIST_EMPTY(client->view->dlz_searched)) {
result = dns_dlzallowzonexfr(client->view,
question_name,

79
README.sdb_pgsql Normal file
View File

@ -0,0 +1,79 @@
PGSQL BIND SDB driver
The postgresql BIND SDB driver is of experimental status and should not be
used for production systems.
Usage:
o Use the named_sdb process ( put ENABLE_SDB=yes in /etc/sysconfig/named )
o Edit your named.conf to contain a database zone, eg. :
zone "pgdb.net." IN {
type master;
database "pgsql bind pgdb localhost pguser pgpasswd";
# ^- DB name ^-Table ^-host ^-user ^-password
};
o Create the database zone table
The table must contain the columns "name", "rdtype", and "rdata", and
is expected to contain a properly constructed zone. The program "zonetodb"
creates such a table.
zonetodb usage:
zonetodb origin file dbname dbtable
where
origin : zone origin, eg "pgdb.net."
file : master zone database file, eg. pgdb.net.db
dbname : name of postgresql database
dbtable: name of table in database
Eg. to import this zone in the file 'pgdb.net.db' into the 'bind' database
'pgdb' table:
---
#pgdb.net.db:
$TTL 1H
@ SOA localhost. root.localhost. ( 1
3H
1H
1W
1H )
NS localhost.
host1 A 192.168.2.1
host2 A 192.168.2.2
host3 A 192.168.2.3
host4 A 192.168.2.4
host5 A 192.168.2.5
host6 A 192.168.2.6
host7 A 192.168.2.7
---
Issue this command as the pgsql user authorized to update the bind database:
# zonetodb pgdb.net. pgdb.net.db bind pgdb
will create / update the pgdb table in the 'bind' db:
$ psql -dbind -c 'select * from pgdb;'
name | ttl | rdtype | rdata
----------------+------+--------+-----------------------------------------------------
pgdb.net | 3600 | SOA | localhost. root.localhost. 1 10800 3600 604800 3600
pgdb.net | 3600 | NS | localhost.
host1.pgdb.net | 3600 | A | 192.168.2.1
host2.pgdb.net | 3600 | A | 192.168.2.2
host3.pgdb.net | 3600 | A | 192.168.2.3
host4.pgdb.net | 3600 | A | 192.168.2.4
host5.pgdb.net | 3600 | A | 192.168.2.5
host6.pgdb.net | 3600 | A | 192.168.2.6
host7.pgdb.net | 3600 | A | 192.168.2.7
(9 rows)
I've tested exactly the above configuration with bind-sdb-9.3.1+ and it works OK.
NOTE: If you use pgsqldb SDB, ensure the postgresql service is started before the named
service .
USE AT YOUR OWN RISK!

161
Use-clock_gettime-instead-of-gettimeofday.patch Normal file
View File

@ -0,0 +1,161 @@
diff --git a/lib/isc/unix/time.c b/lib/isc/unix/time.c
index f06d31a5508c2d3f7227063c21d9d4563789e72a..da25e5bf8e07639c8f70420a5c3f3c98a36a0548 100644
--- a/lib/isc/unix/time.c
+++ b/lib/isc/unix/time.c
@@ -36,16 +36,7 @@
#define NS_PER_MS 1000000 /*%< Nanoseconds per millisecond. */
#define US_PER_S 1000000 /*%< Microseconds per second. */
-/*
- * All of the INSIST()s checks of nanoseconds < NS_PER_S are for
- * consistency checking of the type. In lieu of magic numbers, it
- * is the best we've got. The check is only performed on functions which
- * need an initialized type.
- */
-
-#ifndef ISC_FIX_TV_USEC
-#define ISC_FIX_TV_USEC 1
-#endif
+#define CLOCKSOURCE CLOCK_MONOTONIC
/*%
*** Intervals
@@ -54,32 +49,6 @@
static const isc_interval_t zero_interval = { 0, 0 };
const isc_interval_t * const isc_interval_zero = &zero_interval;
-#if ISC_FIX_TV_USEC
-static inline void
-fix_tv_usec(struct timeval *tv) {
- isc_boolean_t fixed = ISC_FALSE;
-
- if (tv->tv_usec < 0) {
- fixed = ISC_TRUE;
- do {
- tv->tv_sec -= 1;
- tv->tv_usec += US_PER_S;
- } while (tv->tv_usec < 0);
- } else if (tv->tv_usec >= US_PER_S) {
- fixed = ISC_TRUE;
- do {
- tv->tv_sec += 1;
- tv->tv_usec -= US_PER_S;
- } while (tv->tv_usec >=US_PER_S);
- }
- /*
- * Call syslog directly as was are called from the logging functions.
- */
- if (fixed)
- (void)syslog(LOG_ERR, "gettimeofday returned bad tv_usec: corrected");
-}
-#endif
-
void
isc_interval_set(isc_interval_t *i,
unsigned int seconds, unsigned int nanoseconds)
@@ -141,76 +110,52 @@ isc_time_isepoch(const isc_time_t *t) {
isc_result_t
isc_time_now(isc_time_t *t) {
- struct timeval tv;
+ struct timespec ts;
char strbuf[ISC_STRERRORSIZE];
REQUIRE(t != NULL);
- if (gettimeofday(&tv, NULL) == -1) {
+ if (clock_gettime(CLOCKSOURCE, &ts) == -1) {
isc__strerror(errno, strbuf, sizeof(strbuf));
UNEXPECTED_ERROR(__FILE__, __LINE__, "%s", strbuf);
return (ISC_R_UNEXPECTED);
}
- /*
- * Does POSIX guarantee the signedness of tv_sec and tv_usec? If not,
- * then this test will generate warnings for platforms on which it is
- * unsigned. In any event, the chances of any of these problems
- * happening are pretty much zero, but since the libisc library ensures
- * certain things to be true ...
- */
-#if ISC_FIX_TV_USEC
- fix_tv_usec(&tv);
- if (tv.tv_sec < 0)
- return (ISC_R_UNEXPECTED);
-#else
- if (tv.tv_sec < 0 || tv.tv_usec < 0 || tv.tv_usec >= US_PER_S)
+ if (ts.tv_sec < 0 || ts.tv_nsec < 0 || ts.tv_nsec >= NS_PER_S) {
return (ISC_R_UNEXPECTED);
-#endif
+ }
/*
* Ensure the tv_sec value fits in t->seconds.
*/
- if (sizeof(tv.tv_sec) > sizeof(t->seconds) &&
- ((tv.tv_sec | (unsigned int)-1) ^ (unsigned int)-1) != 0U)
+ if (sizeof(ts.tv_sec) > sizeof(t->seconds) &&
+ ((ts.tv_sec | (unsigned int)-1) ^ (unsigned int)-1) != 0U)
return (ISC_R_RANGE);
- t->seconds = tv.tv_sec;
- t->nanoseconds = tv.tv_usec * NS_PER_US;
+ t->seconds = ts.tv_sec;
+ t->nanoseconds = ts.tv_nsec;
return (ISC_R_SUCCESS);
}
isc_result_t
isc_time_nowplusinterval(isc_time_t *t, const isc_interval_t *i) {
- struct timeval tv;
+ struct timespec ts;
char strbuf[ISC_STRERRORSIZE];
REQUIRE(t != NULL);
REQUIRE(i != NULL);
INSIST(i->nanoseconds < NS_PER_S);
- if (gettimeofday(&tv, NULL) == -1) {
+ if (clock_gettime(CLOCKSOURCE, &ts) == -1) {
isc__strerror(errno, strbuf, sizeof(strbuf));
UNEXPECTED_ERROR(__FILE__, __LINE__, "%s", strbuf);
return (ISC_R_UNEXPECTED);
}
- /*
- * Does POSIX guarantee the signedness of tv_sec and tv_usec? If not,
- * then this test will generate warnings for platforms on which it is
- * unsigned. In any event, the chances of any of these problems
- * happening are pretty much zero, but since the libisc library ensures
- * certain things to be true ...
- */
-#if ISC_FIX_TV_USEC
- fix_tv_usec(&tv);
- if (tv.tv_sec < 0)
- return (ISC_R_UNEXPECTED);
-#else
- if (tv.tv_sec < 0 || tv.tv_usec < 0 || tv.tv_usec >= US_PER_S)
+ if (ts.tv_sec < 0 || ts.tv_nsec < 0 || ts.tv_nsec >= NS_PER_S) {
return (ISC_R_UNEXPECTED);
-#endif
+ }
/*
* Ensure the resulting seconds value fits in the size of an
@@ -218,12 +163,12 @@ isc_time_nowplusinterval(isc_time_t *t, const isc_interval_t *i) {
* note that even if both values == INT_MAX, then when added
* and getting another 1 added below the result is UINT_MAX.)
*/
- if ((tv.tv_sec > INT_MAX || i->seconds > INT_MAX) &&
- ((long long)tv.tv_sec + i->seconds > UINT_MAX))
+ if ((ts.tv_sec > INT_MAX || i->seconds > INT_MAX) &&
+ ((long long)ts.tv_sec + i->seconds > UINT_MAX))
return (ISC_R_RANGE);
- t->seconds = tv.tv_sec + i->seconds;
- t->nanoseconds = tv.tv_usec * NS_PER_US + i->nanoseconds;
+ t->seconds = ts.tv_sec + i->seconds;
+ t->nanoseconds = ts.tv_nsec + i->nanoseconds;
if (t->nanoseconds >= NS_PER_S) {
t->seconds++;
t->nanoseconds -= NS_PER_S;

612
bind-9.10-dist-native-pkcs11.patch Normal file
View File

@ -0,0 +1,612 @@
diff --git a/bin/Makefile.in b/bin/Makefile.in
index f0c504a..ce7a2da 100644
--- a/bin/Makefile.in
+++ b/bin/Makefile.in
@@ -11,8 +11,8 @@ srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
-SUBDIRS = named rndc dig delv dnssec tools nsupdate check confgen \
- @NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ tests
+SUBDIRS = named named-pkcs11 rndc dig delv dnssec dnssec-pkcs11 tools nsupdate \
+ check confgen @NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ tests
TARGETS =
@BIND9_MAKE_RULES@
diff --git a/bin/dnssec-pkcs11/Makefile.in b/bin/dnssec-pkcs11/Makefile.in
index 1d0c4ce..7b7f89b 100644
--- a/bin/dnssec-pkcs11/Makefile.in
+++ b/bin/dnssec-pkcs11/Makefile.in
@@ -17,18 +17,18 @@ VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@
-CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@
+CINCLUDES = ${DNS_PKCS11_INCLUDES} ${ISC_PKCS11_INCLUDES}
CDEFINES = -DVERSION=\"${VERSION}\" @USE_PKCS11@ @PKCS11_ENGINE@ \
- @CRYPTO@ -DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\"
+ @CRYPTO_PK11@ -DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\"
CWARNINGS =
-DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
-ISCLIBS = ../../lib/isc/libisc.@A@
-ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
+DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @DNS_CRYPTO_LIBS@
+ISCLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@
+ISCNOSYMLIBS = ../../lib/isc-pkcs11/libisc-pkcs11-nosymtbl.@A@
-DNSDEPLIBS = ../../lib/dns/libdns.@A@
-ISCDEPLIBS = ../../lib/isc/libisc.@A@
+DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@
+ISCDEPLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@
DEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS}
@@ -37,10 +37,10 @@ LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@
NOSYMLIBS = ${DNSLIBS} ${ISCNOSYMLIBS} @LIBS@
# Alphabetically
-TARGETS = dnssec-keygen@EXEEXT@ dnssec-signzone@EXEEXT@ \
- dnssec-keyfromlabel@EXEEXT@ dnssec-dsfromkey@EXEEXT@ \
- dnssec-revoke@EXEEXT@ dnssec-settime@EXEEXT@ \
- dnssec-verify@EXEEXT@ dnssec-importkey@EXEEXT@
+TARGETS = dnssec-keygen-pkcs11@EXEEXT@ dnssec-signzone-pkcs11@EXEEXT@ \
+ dnssec-keyfromlabel-pkcs11@EXEEXT@ dnssec-dsfromkey-pkcs11@EXEEXT@ \
+ dnssec-revoke-pkcs11@EXEEXT@ dnssec-settime-pkcs11@EXEEXT@ \
+ dnssec-verify-pkcs11@EXEEXT@ dnssec-importkey-pkcs11@EXEEXT@
OBJS = dnssectool.@O@
@@ -61,15 +61,15 @@ MANOBJS = ${MANPAGES} ${HTMLPAGES}
@BIND9_MAKE_RULES@
-dnssec-dsfromkey@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS}
+dnssec-dsfromkey-pkcs11@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS}
export BASEOBJS="dnssec-dsfromkey.@O@ ${OBJS}"; \
${FINALBUILDCMD}
-dnssec-keyfromlabel@EXEEXT@: dnssec-keyfromlabel.@O@ ${OBJS} ${DEPLIBS}
+dnssec-keyfromlabel-pkcs11@EXEEXT@: dnssec-keyfromlabel.@O@ ${OBJS} ${DEPLIBS}
export BASEOBJS="dnssec-keyfromlabel.@O@ ${OBJS}"; \
${FINALBUILDCMD}
-dnssec-keygen@EXEEXT@: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS}
+dnssec-keygen-pkcs11@EXEEXT@: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS}
export BASEOBJS="dnssec-keygen.@O@ ${OBJS}"; \
${FINALBUILDCMD}
@@ -77,7 +77,7 @@ dnssec-signzone.@O@: dnssec-signzone.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
-c ${srcdir}/dnssec-signzone.c
-dnssec-signzone@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS}
+dnssec-signzone-pkcs11@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS}
export BASEOBJS="dnssec-signzone.@O@ ${OBJS}"; \
${FINALBUILDCMD}
@@ -85,19 +85,19 @@ dnssec-verify.@O@: dnssec-verify.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
-c ${srcdir}/dnssec-verify.c
-dnssec-verify@EXEEXT@: dnssec-verify.@O@ ${OBJS} ${DEPLIBS}
+dnssec-verify-pkcs11@EXEEXT@: dnssec-verify.@O@ ${OBJS} ${DEPLIBS}
export BASEOBJS="dnssec-verify.@O@ ${OBJS}"; \
${FINALBUILDCMD}
-dnssec-revoke@EXEEXT@: dnssec-revoke.@O@ ${OBJS} ${DEPLIBS}
+dnssec-revoke-pkcs11@EXEEXT@: dnssec-revoke.@O@ ${OBJS} ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
dnssec-revoke.@O@ ${OBJS} ${LIBS}
-dnssec-settime@EXEEXT@: dnssec-settime.@O@ ${OBJS} ${DEPLIBS}
+dnssec-settime-pkcs11@EXEEXT@: dnssec-settime.@O@ ${OBJS} ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
dnssec-settime.@O@ ${OBJS} ${LIBS}
-dnssec-importkey@EXEEXT@: dnssec-importkey.@O@ ${OBJS} ${DEPLIBS}
+dnssec-importkey-pkcs11@EXEEXT@: dnssec-importkey.@O@ ${OBJS} ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
dnssec-importkey.@O@ ${OBJS} ${LIBS}
@@ -108,16 +108,14 @@ docclean manclean maintainer-clean::
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
install-man8: ${MANPAGES}
${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8
-install:: ${TARGETS} installdirs install-man8
+install:: ${TARGETS} installdirs
for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir}; done
uninstall::
- for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m ; done
for t in ${TARGETS}; do ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/$$t ; done
clean distclean::
diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in
index 1d0c4ce..11538cf 100644
--- a/bin/dnssec/Makefile.in
+++ b/bin/dnssec/Makefile.in
@@ -19,7 +19,7 @@ VERSION=@BIND9_VERSION@
CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@
-CDEFINES = -DVERSION=\"${VERSION}\" @USE_PKCS11@ @PKCS11_ENGINE@ \
+CDEFINES = -DVERSION=\"${VERSION}\" \
@CRYPTO@ -DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\"
CWARNINGS =
diff --git a/bin/named-pkcs11/Makefile.in b/bin/named-pkcs11/Makefile.in
index d92bc9a..a8c42a4 100644
--- a/bin/named-pkcs11/Makefile.in
+++ b/bin/named-pkcs11/Makefile.in
@@ -43,26 +43,26 @@ DLZDRIVER_INCLUDES = @DLZ_DRIVER_INCLUDES@
DLZDRIVER_LIBS = @DLZ_DRIVER_LIBS@
CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
- ${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \
- ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \
+ ${LWRES_INCLUDES} ${DNS_PKCS11_INCLUDES} ${BIND9_INCLUDES} \
+ ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_PKCS11_INCLUDES} \
${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} @DST_OPENSSL_INC@
-CDEFINES = @CONTRIB_DLZ@ @USE_PKCS11@ @PKCS11_ENGINE@ @CRYPTO@
+CDEFINES = @USE_PKCS11@ @PKCS11_ENGINE@ @CRYPTO_PK11@
CWARNINGS =
-DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
+DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @DNS_CRYPTO_LIBS@
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
ISCCCLIBS = ../../lib/isccc/libisccc.@A@
-ISCLIBS = ../../lib/isc/libisc.@A@
+ISCLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
LWRESLIBS = ../../lib/lwres/liblwres.@A@
BIND9LIBS = ../../lib/bind9/libbind9.@A@
-DNSDEPLIBS = ../../lib/dns/libdns.@A@
+DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@
ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
ISCCCDEPLIBS = ../../lib/isccc/libisccc.@A@
-ISCDEPLIBS = ../../lib/isc/libisc.@A@
+ISCDEPLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@
LWRESDEPLIBS = ../../lib/lwres/liblwres.@A@
BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
@@ -71,15 +71,15 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} \
- ${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@
+ @LIBS@
NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCNOSYMLIBS} \
- ${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@
+ @LIBS@
SUBDIRS = unix
-TARGETS = named@EXEEXT@ lwresd@EXEEXT@
+TARGETS = named-pkcs11@EXEEXT@
GEOIPLINKOBJS = geoip.@O@
@@ -90,8 +90,7 @@ OBJS = builtin.@O@ client.@O@ config.@O@ control.@O@ \
tkeyconf.@O@ tsigconf.@O@ update.@O@ xfrout.@O@ \
zoneconf.@O@ \
lwaddr.@O@ lwresd.@O@ lwdclient.@O@ lwderror.@O@ lwdgabn.@O@ \
- lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@ \
- ${DLZDRIVER_OBJS} ${DBDRIVER_OBJS}
+ lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@
UOBJS = unix/os.@O@ unix/dlz_dlopen_driver.@O@
@@ -106,8 +105,7 @@ SRCS = builtin.c client.c config.c control.c \
tkeyconf.c tsigconf.c update.c xfrout.c \
zoneconf.c \
lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \
- lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c \
- ${DLZDRIVER_SRCS} ${DBDRIVER_SRCS}
+ lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c
MANPAGES = named.8 lwresd.8 named.conf.5
@@ -146,14 +144,14 @@ server.@O@: server.c
-DPRODUCT=\"${PRODUCT}\" \
-DVERSION=\"${VERSION}\" -c ${srcdir}/server.c
-named@EXEEXT@: ${OBJS} ${DEPLIBS}
+named-pkcs11@EXEEXT@: ${OBJS} ${DEPLIBS}
export MAKE_SYMTABLE="yes"; \
export BASEOBJS="${OBJS} ${UOBJS}"; \
${FINALBUILDCMD}
-lwresd@EXEEXT@: named@EXEEXT@
+lwresd@EXEEXT@: named-pkcs11@EXEEXT@
rm -f lwresd@EXEEXT@
- @LN@ named@EXEEXT@ lwresd@EXEEXT@
+ @LN@ named-pkcs11@EXEEXT@ lwresd@EXEEXT@
doc man:: ${MANOBJS}
@@ -184,16 +182,11 @@ install-man8: named.8 lwresd.8
install-man: install-man5 install-man8
-install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs install-man
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir}
- (cd ${DESTDIR}${sbindir}; rm -f lwresd@EXEEXT@; @LN@ named@EXEEXT@ lwresd@EXEEXT@)
+install:: named-pkcs11@EXEEXT@ installdirs
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-pkcs11@EXEEXT@ ${DESTDIR}${sbindir}
uninstall::
- rm -f ${DESTDIR}${mandir}/man5/named.conf.5
- rm -f ${DESTDIR}${mandir}/man8/lwresd.8
- rm -f ${DESTDIR}${mandir}/man8/named.8
- rm -f ${DESTDIR}${sbindir}/lwresd@EXEEXT@
- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named@EXEEXT@
+ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named-pkcs11@EXEEXT@
@DLZ_DRIVER_RULES@
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
index d92bc9a..6d2bfd1 100644
--- a/bin/named/Makefile.in
+++ b/bin/named/Makefile.in
@@ -47,7 +47,7 @@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \
${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} @DST_OPENSSL_INC@
-CDEFINES = @CONTRIB_DLZ@ @USE_PKCS11@ @PKCS11_ENGINE@ @CRYPTO@
+CDEFINES = @CONTRIB_DLZ@ @CRYPTO@
CWARNINGS =
diff --git a/bin/pkcs11/Makefile.in b/bin/pkcs11/Makefile.in
index a058c91..d4b689a 100644
--- a/bin/pkcs11/Makefile.in
+++ b/bin/pkcs11/Makefile.in
@@ -15,13 +15,13 @@ top_srcdir = @top_srcdir@
@BIND9_MAKE_INCLUDES@
-CINCLUDES = ${ISC_INCLUDES}
+CINCLUDES = ${ISC_PKCS11_INCLUDES}
CDEFINES =
-ISCLIBS = ../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
+ISCLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@ @ISC_OPENSSL_LIBS@
-ISCDEPLIBS = ../../lib/isc/libisc.@A@
+ISCDEPLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@
DEPLIBS = ${ISCDEPLIBS}
diff --git a/configure.in b/configure.in
index 849fa94..69e6373 100644
--- a/configure.in
+++ b/configure.in
@@ -1164,12 +1164,14 @@ AC_SUBST(USE_GSSAPI)
AC_SUBST(DST_GSSAPI_INC)
AC_SUBST(DNS_GSSAPI_LIBS)
DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_LIBS"
+DNS_CRYPTO_PK11_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_PK11_LIBS"
#
# Applications linking with libdns also need to link with these libraries.
#
AC_SUBST(DNS_CRYPTO_LIBS)
+AC_SUBST(DNS_CRYPTO_PK11_LIBS)
#
# was --with-randomdev specified?
@@ -1554,11 +1556,11 @@ fi
AC_MSG_CHECKING(for OpenSSL library)
OPENSSL_WARNING=
openssldirs="/usr /usr/local /usr/local/ssl /usr/pkg /usr/sfw"
-if test "yes" = "$want_native_pkcs11"
-then
- use_openssl="native_pkcs11"
- AC_MSG_RESULT(use of native PKCS11 instead)
-fi
+# if test "yes" = "$want_native_pkcs11"
+# then
+# use_openssl="native_pkcs11"
+# AC_MSG_RESULT(use of native PKCS11 instead)
+# fi
if test "auto" = "$use_openssl"
then
@@ -1571,6 +1573,7 @@ then
fi
done
fi
+CRYPTO_PK11=""
OPENSSL_ECDSA=""
OPENSSL_GOST=""
OPENSSL_ED25519=""
@@ -1592,11 +1595,10 @@ case "$with_gost" in
;;
esac
-case "$use_openssl" in
- native_pkcs11)
- AC_MSG_RESULT(disabled because of native PKCS11)
+if test "$want_native_pkcs11" = "yes"
+then
DST_OPENSSL_INC=""
- CRYPTO="-DPKCS11CRYPTO"
+ CRYPTO_PK11="-DPKCS11CRYPTO"
CRYPTOLIB="pkcs11"
OPENSSLECDSALINKOBJS=""
OPENSSLECDSALINKSRCS=""
@@ -1606,7 +1608,9 @@ case "$use_openssl" in
OPENSSLGOSTLINKSRCS=""
OPENSSLLINKOBJS=""
OPENSSLLINKSRCS=""
- ;;
+fi
+
+case "$use_openssl" in
no)
AC_MSG_RESULT(no)
DST_OPENSSL_INC=""
@@ -1638,7 +1642,7 @@ case "$use_openssl" in
If you do not want OpenSSL, use --without-openssl])
;;
*)
- if test "yes" = "$want_native_pkcs11"
+ if false # test "yes" = "$want_native_pkcs11"
then
AC_MSG_RESULT()
AC_MSG_ERROR([OpenSSL and native PKCS11 cannot be used together.])
@@ -2066,6 +2070,7 @@ AC_SUBST(OPENSSL_ED25519)
AC_SUBST(OPENSSL_GOST)
DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DST_OPENSSL_LIBS"
+DNS_CRYPTO_PK11_LIBS="$DNS_CRYPTO_LIBS"
ISC_PLATFORM_WANTAES="#undef ISC_PLATFORM_WANTAES"
if test "yes" = "$with_aes"
@@ -2384,6 +2389,7 @@ esac
AC_SUBST(PKCS11LINKOBJS)
AC_SUBST(PKCS11LINKSRCS)
AC_SUBST(CRYPTO)
+AC_SUBST(CRYPTO_PK11)
AC_SUBST(PKCS11_ECDSA)
AC_SUBST(PKCS11_GOST)
AC_SUBST(PKCS11_ED25519)
@@ -5497,8 +5503,11 @@ AC_CONFIG_FILES([
bin/delv/Makefile
bin/dig/Makefile
bin/dnssec/Makefile
+ bin/dnssec-pkcs11/Makefile
bin/named/Makefile
bin/named/unix/Makefile
+ bin/named-pkcs11/Makefile
+ bin/named-pkcs11/unix/Makefile
bin/nsupdate/Makefile
bin/pkcs11/Makefile
bin/python/Makefile
@@ -5572,6 +5581,10 @@ AC_CONFIG_FILES([
lib/dns/include/dns/Makefile
lib/dns/include/dst/Makefile
lib/dns/tests/Makefile
+ lib/dns-pkcs11/Makefile
+ lib/dns-pkcs11/include/Makefile
+ lib/dns-pkcs11/include/dns/Makefile
+ lib/dns-pkcs11/include/dst/Makefile
lib/irs/Makefile
lib/irs/include/Makefile
lib/irs/include/irs/Makefile
@@ -5596,6 +5609,24 @@ AC_CONFIG_FILES([
lib/isc/unix/include/Makefile
lib/isc/unix/include/isc/Makefile
lib/isc/unix/include/pkcs11/Makefile
+ lib/isc-pkcs11/$arch/Makefile
+ lib/isc-pkcs11/$arch/include/Makefile
+ lib/isc-pkcs11/$arch/include/isc/Makefile
+ lib/isc-pkcs11/$thread_dir/Makefile
+ lib/isc-pkcs11/$thread_dir/include/Makefile
+ lib/isc-pkcs11/$thread_dir/include/isc/Makefile
+ lib/isc-pkcs11/Makefile
+ lib/isc-pkcs11/include/Makefile
+ lib/isc-pkcs11/include/isc/Makefile
+ lib/isc-pkcs11/include/isc/platform.h
+ lib/isc-pkcs11/include/pk11/Makefile
+ lib/isc-pkcs11/include/pkcs11/Makefile
+ lib/isc-pkcs11/tests/Makefile
+ lib/isc-pkcs11/nls/Makefile
+ lib/isc-pkcs11/unix/Makefile
+ lib/isc-pkcs11/unix/include/Makefile
+ lib/isc-pkcs11/unix/include/isc/Makefile
+ lib/isc-pkcs11/unix/include/pkcs11/Makefile
lib/isccc/Makefile
lib/isccc/include/Makefile
lib/isccc/include/isccc/Makefile
diff --git a/lib/Makefile.in b/lib/Makefile.in
index 81270a0..bcb5312 100644
--- a/lib/Makefile.in
+++ b/lib/Makefile.in
@@ -15,7 +15,7 @@ top_srcdir = @top_srcdir@
# Attempt to disable parallel processing.
.NOTPARALLEL:
.NO_PARALLEL:
-SUBDIRS = isc isccc dns isccfg bind9 lwres irs samples
+SUBDIRS = isc isc-pkcs11 isccc dns dns-pkcs11 isccfg bind9 lwres irs samples
TARGETS =
@BIND9_MAKE_RULES@
diff --git a/lib/dns-pkcs11/Makefile.in b/lib/dns-pkcs11/Makefile.in
index 4a8549e..6a19906 100644
--- a/lib/dns-pkcs11/Makefile.in
+++ b/lib/dns-pkcs11/Makefile.in
@@ -26,16 +26,16 @@ VERSION=@BIND9_VERSION@
USE_ISC_SPNEGO = @USE_ISC_SPNEGO@
-CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \
- ${ISC_INCLUDES} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@
+CINCLUDES = -I. -I${top_srcdir}/lib/dns-pkcs11 -Iinclude ${DNS_PKCS11_INCLUDES} \
+ ${ISC_PKCS11_INCLUDES} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@
-CDEFINES = -DUSE_MD5 @CRYPTO@ @USE_GSSAPI@ ${USE_ISC_SPNEGO}
+CDEFINES = -DUSE_MD5 @CRYPTO_PK11@ @USE_GSSAPI@ ${USE_ISC_SPNEGO}
CWARNINGS =
-ISCLIBS = ../../lib/isc/libisc.@A@
+ISCLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@
-ISCDEPLIBS = ../../lib/isc/libisc.@A@
+ISCDEPLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@
LIBS = @LIBS@
@@ -146,15 +146,15 @@ version.@O@: version.c
-DLIBAGE=${LIBAGE} \
-c ${srcdir}/version.c
-libdns.@SA@: ${OBJS}
+libdns-pkcs11.@SA@: ${OBJS}
${AR} ${ARFLAGS} $@ ${OBJS}
${RANLIB} $@
-libdns.la: ${OBJS}
+libdns-pkcs11.la: ${OBJS}
${LIBTOOL_MODE_LINK} \
- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns.la -rpath ${libdir} \
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns-pkcs11.la -rpath ${libdir} \
-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
- ${OBJS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${LIBS}
+ ${OBJS} ${ISCLIBS} @DNS_CRYPTO_PK11_LIBS@ ${LIBS}
include: gen
${MAKE} include/dns/enumtype.h
@@ -180,25 +180,25 @@ code.h: gen
./gen -s ${srcdir} > code.h || { rm -f $@ ; exit 1; }
gen: gen.c
- ${BUILD_CC} ${BUILD_CFLAGS} -I${top_srcdir}/lib/isc/include \
+ ${BUILD_CC} ${BUILD_CFLAGS} -I${top_srcdir}/lib/isc-pkcs11/include \
${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c ${BUILD_LIBS}
-timestamp: include libdns.@A@
+timestamp: include libdns-pkcs11.@A@
touch timestamp
-testdirs: libdns.@A@
+testdirs: libdns-pkcs11.@A@
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
install:: timestamp installdirs
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libdns.@A@ ${DESTDIR}${libdir}
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libdns-pkcs11.@A@ ${DESTDIR}${libdir}
uninstall::
- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libdns.@A@
+ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libdns-pkcs11.@A@
clean distclean::
- rm -f libdns.@A@ timestamp
+ rm -f libdns-pkcs11.@A@ timestamp
rm -f gen code.h include/dns/enumtype.h include/dns/enumclass.h
rm -f include/dns/rdatastruct.h
rm -f dnstap.pb-c.c dnstap.pb-c.h include/dns/dnstap.pb-c.h
diff --git a/lib/isc-pkcs11/Makefile.in b/lib/isc-pkcs11/Makefile.in
index ba53ef1..d1f1771 100644
--- a/lib/isc-pkcs11/Makefile.in
+++ b/lib/isc-pkcs11/Makefile.in
@@ -23,8 +23,8 @@ CINCLUDES = -I${srcdir}/unix/include \
-I${srcdir}/@ISC_THREAD_DIR@/include \
-I${srcdir}/@ISC_ARCH_DIR@/include \
-I./include \
- -I${srcdir}/include ${DNS_INCLUDES} @ISC_OPENSSL_INC@
-CDEFINES = @CRYPTO@ -DPK11_LIB_LOCATION=\"${PROVIDER}\"
+ -I${srcdir}/include ${DNS_PKCS11_INCLUDES}
+CDEFINES = @CRYPTO_PK11@ -DPK11_LIB_LOCATION=\"${PROVIDER}\"
CWARNINGS =
# Alphabetically
@@ -107,40 +107,40 @@ version.@O@: version.c
-DLIBAGE=${LIBAGE} \
-c ${srcdir}/version.c
-libisc.@SA@: ${OBJS} ${SYMTBLOBJS}
+libisc-pkcs11.@SA@: ${OBJS} ${SYMTBLOBJS}
${AR} ${ARFLAGS} $@ ${OBJS} ${SYMTBLOBJS}
${RANLIB} $@
-libisc-nosymtbl.@SA@: ${OBJS}
+libisc-pkcs11-nosymtbl.@SA@: ${OBJS}
${AR} ${ARFLAGS} $@ ${OBJS}
${RANLIB} $@
-libisc.la: ${OBJS} ${SYMTBLOBJS}
+libisc-pkcs11.la: ${OBJS} ${SYMTBLOBJS}
${LIBTOOL_MODE_LINK} \
- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc.la -rpath ${libdir} \
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc-pkcs11.la -rpath ${libdir} \
-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
${OBJS} ${SYMTBLOBJS} ${LIBS}
-libisc-nosymtbl.la: ${OBJS}
+libisc-pkcs11-nosymtbl.la: ${OBJS}
${LIBTOOL_MODE_LINK} \
- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc-nosymtbl.la -rpath ${libdir} \
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc-pkcs11-nosymtbl.la -rpath ${libdir} \
-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
${OBJS} ${LIBS}
-timestamp: libisc.@A@ libisc-nosymtbl.@A@
+timestamp: libisc-pkcs11.@A@ libisc-pkcs11-nosymtbl.@A@
touch timestamp
-testdirs: libisc.@A@ libisc-nosymtbl.@A@
+testdirs: libisc-pkcs11.@A@ libisc-pkcs11-nosymtbl.@A@
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
install:: timestamp installdirs
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libisc.@A@ ${DESTDIR}${libdir}
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libisc-pkcs11.@A@ ${DESTDIR}${libdir}
uninstall::
- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libisc.@A@
+ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libisc-pkcs11.@A@
clean distclean::
- rm -f libisc.@A@ libisc-nosymtbl.@A@ libisc.la \
- libisc-nosymtbl.la timestamp
+ rm -f libisc-pkcs11.@A@ libisc-pkcs11-nosymtbl.@A@ libisc-pkcs11.la \
+ libisc-pkcs11-nosymtbl.la timestamp
diff --git a/make/includes.in b/make/includes.in
index fa86ad1..3cfbe9f 100644
--- a/make/includes.in
+++ b/make/includes.in
@@ -43,3 +43,13 @@ BIND9_INCLUDES = @BIND9_BIND9_BUILDINCLUDE@ \
TEST_INCLUDES = \
-I${top_srcdir}/lib/tests/include
+
+ISC_PKCS11_INCLUDES = @BIND9_ISC_BUILDINCLUDE@ \
+ -I${top_srcdir}/lib/isc-pkcs11 \
+ -I${top_srcdir}/lib/isc-pkcs11/include \
+ -I${top_srcdir}/lib/isc-pkcs11/unix/include \
+ -I${top_srcdir}/lib/isc-pkcs11/@ISC_THREAD_DIR@/include \
+ -I${top_srcdir}/lib/isc-pkcs11/@ISC_ARCH_DIR@/include
+
+DNS_PKCS11_INCLUDES = @BIND9_DNS_BUILDINCLUDE@ \
+ -I${top_srcdir}/lib/dns-pkcs11/include

309
bind-9.10-sdb.patch Normal file
View File

@ -0,0 +1,309 @@
diff --git a/bin/Makefile.in b/bin/Makefile.in
index ce7a2da..4e6a824 100644
--- a/bin/Makefile.in
+++ b/bin/Makefile.in
@@ -11,8 +11,8 @@ srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
-SUBDIRS = named named-pkcs11 rndc dig delv dnssec dnssec-pkcs11 tools nsupdate \
- check confgen @NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ tests
+SUBDIRS = named named-sdb named-pkcs11 rndc dig delv dnssec dnssec-pkcs11 tools nsupdate \
+ check confgen @NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ sdb_tools tests
TARGETS =
@BIND9_MAKE_RULES@
diff --git a/bin/named-sdb/Makefile.in b/bin/named-sdb/Makefile.in
index 6d2bfd1..d3f42e8 100644
--- a/bin/named-sdb/Makefile.in
+++ b/bin/named-sdb/Makefile.in
@@ -30,10 +30,10 @@ VERSION=@BIND9_VERSION@
#
# Add database drivers here.
#
-DBDRIVER_OBJS =
-DBDRIVER_SRCS =
+DBDRIVER_OBJS = ldapdb.@O@ pgsqldb.@O@ sqlitedb.@O@ dirdb.@O@
+DBDRIVER_SRCS = ldapdb.c pgsqldb.c sqlitedb.c dirdb.c
DBDRIVER_INCLUDES =
-DBDRIVER_LIBS =
+DBDRIVER_LIBS = -lldap -llber -lsqlite3 -lpq
DLZ_DRIVER_DIR = ${top_srcdir}/contrib/dlz/drivers
@@ -79,7 +79,7 @@ NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
SUBDIRS = unix
-TARGETS = named@EXEEXT@ lwresd@EXEEXT@
+TARGETS = named-sdb@EXEEXT@
GEOIPLINKOBJS = geoip.@O@
@@ -146,7 +146,7 @@ server.@O@: server.c
-DPRODUCT=\"${PRODUCT}\" \
-DVERSION=\"${VERSION}\" -c ${srcdir}/server.c
-named@EXEEXT@: ${OBJS} ${DEPLIBS}
+named-sdb@EXEEXT@: ${OBJS} ${DEPLIBS}
export MAKE_SYMTABLE="yes"; \
export BASEOBJS="${OBJS} ${UOBJS}"; \
${FINALBUILDCMD}
@@ -173,8 +173,6 @@ statschannel.@O@: bind9.xsl.h
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man5
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
install-man5: named.conf.5
${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man5
@@ -184,16 +182,11 @@ install-man8: named.8 lwresd.8
install-man: install-man5 install-man8
-install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs install-man
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir}
- (cd ${DESTDIR}${sbindir}; rm -f lwresd@EXEEXT@; @LN@ named@EXEEXT@ lwresd@EXEEXT@)
+install:: ${TARGETS} installdirs
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-sdb@EXEEXT@ ${DESTDIR}${sbindir}
uninstall::
- rm -f ${DESTDIR}${mandir}/man5/named.conf.5
- rm -f ${DESTDIR}${mandir}/man8/lwresd.8
- rm -f ${DESTDIR}${mandir}/man8/named.8
- rm -f ${DESTDIR}${sbindir}/lwresd@EXEEXT@
- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named@EXEEXT@
+ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named-sdb@EXEEXT@
@DLZ_DRIVER_RULES@
diff --git a/bin/named-sdb/main.c b/bin/named-sdb/main.c
index bb639d9..555c4d9 100644
--- a/bin/named-sdb/main.c
+++ b/bin/named-sdb/main.c
@@ -91,6 +91,10 @@
* Include header files for database drivers here.
*/
/* #include "xxdb.h" */
+#include "ldapdb.h"
+#include "pgsqldb.h"
+#include "sqlitedb.h"
+#include "dirdb.h"
#ifdef CONTRIB_DLZ
/*
@@ -1061,6 +1065,11 @@ setup(void) {
ns_main_earlyfatal("isc_app_start() failed: %s",
isc_result_totext(result));
+ ldapdb_clear();
+ pgsqldb_clear();
+ dirdb_clear();
+ sqlitedb_clear();
+
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
ISC_LOG_NOTICE, "starting %s %s%s%s <id:%s>",
ns_g_product, ns_g_version,
@@ -1261,6 +1270,75 @@ setup(void) {
isc_result_totext(result));
#endif
+ result = ldapdb_init();
+ if (result != ISC_R_SUCCESS)
+ {
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_ERROR,
+ "SDB ldap module initialisation failed: %s.",
+ isc_result_totext(result)
+ );
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_ERROR,
+ "SDB ldap zone database will be unavailable."
+ );
+ }else
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_NOTICE, "SDB ldap zone database module loaded."
+ );
+
+ result = pgsqldb_init();
+ if (result != ISC_R_SUCCESS)
+ {
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_ERROR,
+ "SDB pgsql module initialisation failed: %s.",
+ isc_result_totext(result)
+ );
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_ERROR,
+ "SDB pgsql zone database will be unavailable."
+ );
+ }else
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_NOTICE, "SDB postgreSQL DB zone database module loaded."
+ );
+
+ result = sqlitedb_init();
+ if (result != ISC_R_SUCCESS)
+ {
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_ERROR,
+ "SDB sqlite3 module initialisation failed: %s.",
+ isc_result_totext(result)
+ );
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_ERROR,
+ "SDB sqlite3 zone database will be unavailable."
+ );
+ }else
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_NOTICE, "SDB sqlite3 DB zone database module loaded."
+ );
+
+ result = dirdb_init();
+ if (result != ISC_R_SUCCESS)
+ {
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_ERROR,
+ "SDB directory DB module initialisation failed: %s.",
+ isc_result_totext(result)
+ );
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_ERROR,
+ "SDB directory DB zone database will be unavailable."
+ );
+ }else
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_NOTICE, "SDB directory DB zone database module loaded."
+ );
+
+
ns_server_create(ns_g_mctx, &ns_g_server);
#ifdef HAVE_LIBSECCOMP
@@ -1303,6 +1381,11 @@ cleanup(void) {
dns_name_destroy();
+ ldapdb_clear();
+ pgsqldb_clear();
+ sqlitedb_clear();
+ dirdb_clear();
+
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
ISC_LOG_NOTICE, "exiting");
ns_log_shutdown();
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
index 6d2bfd1..86f8587 100644
--- a/bin/named/Makefile.in
+++ b/bin/named/Makefile.in
@@ -45,9 +45,9 @@ DLZDRIVER_LIBS = @DLZ_DRIVER_LIBS@
CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \
${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \
- ${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} @DST_OPENSSL_INC@
+ @DST_OPENSSL_INC@
-CDEFINES = @CONTRIB_DLZ@ @CRYPTO@
+CDEFINES = @CRYPTO@
CWARNINGS =
@@ -71,11 +71,11 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} \
- ${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@
+ @LIBS@
NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCNOSYMLIBS} \
- ${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@
+ @LIBS@
SUBDIRS = unix
@@ -90,8 +90,7 @@ OBJS = builtin.@O@ client.@O@ config.@O@ control.@O@ \
tkeyconf.@O@ tsigconf.@O@ update.@O@ xfrout.@O@ \
zoneconf.@O@ \
lwaddr.@O@ lwresd.@O@ lwdclient.@O@ lwderror.@O@ lwdgabn.@O@ \
- lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@ \
- ${DLZDRIVER_OBJS} ${DBDRIVER_OBJS}
+ lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@
UOBJS = unix/os.@O@ unix/dlz_dlopen_driver.@O@
@@ -106,8 +105,7 @@ SRCS = builtin.c client.c config.c control.c \
tkeyconf.c tsigconf.c update.c xfrout.c \
zoneconf.c \
lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \
- lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c \
- ${DLZDRIVER_SRCS} ${DBDRIVER_SRCS}
+ lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c
MANPAGES = named.8 lwresd.8 named.conf.5
@@ -195,7 +193,5 @@ uninstall::
rm -f ${DESTDIR}${sbindir}/lwresd@EXEEXT@
${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named@EXEEXT@
-@DLZ_DRIVER_RULES@
-
named-symtbl.@O@: named-symtbl.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c named-symtbl.c
diff --git a/bin/sdb_tools/Makefile.in b/bin/sdb_tools/Makefile.in
index c7e0868..95ab742 100644
--- a/bin/sdb_tools/Makefile.in
+++ b/bin/sdb_tools/Makefile.in
@@ -32,11 +32,11 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} ${DBDRIVER_LIBS} @LIBS@
-TARGETS = zone2ldap@EXEEXT@ zonetodb@EXEEXT@
+TARGETS = zone2ldap@EXEEXT@ zonetodb@EXEEXT@ zone2sqlite@EXEEXT@
-OBJS = zone2ldap.@O@ zonetodb.@O@
+OBJS = zone2ldap.@O@ zonetodb.@O@ zone2sqlite.@O@
-SRCS = zone2ldap.c zonetodb.c
+SRCS = zone2ldap.c zonetodb.c zone2sqlite.c
MANPAGES = zone2ldap.1
@@ -50,6 +50,9 @@ zone2ldap@EXEEXT@: zone2ldap.@O@ ${DEPLIBS}
zonetodb@EXEEXT@: zonetodb.@O@ ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ zonetodb.@O@ -lpq ${LIBS}
+zone2sqlite@EXEEXT@: zone2sqlite.@O@ ${DEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ zone2sqlite.@O@ -lsqlite3 -lssl ${LIBS}
+
clean distclean manclean maintainer-clean::
rm -f ${TARGETS} ${OBJS}
@@ -60,4 +63,5 @@ installdirs:
install:: ${TARGETS} installdirs
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2ldap@EXEEXT@ ${DESTDIR}${sbindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zonetodb@EXEEXT@ ${DESTDIR}${sbindir}
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2sqlite@EXEEXT@ ${DESTDIR}${sbindir}
${INSTALL_DATA} ${srcdir}/zone2ldap.1 ${DESTDIR}${mandir}/man1/zone2ldap.1
diff --git a/configure.in b/configure.in
index 62536a6..f571a4f 100644
--- a/configure.in
+++ b/configure.in
@@ -5445,6 +5445,8 @@ AC_CONFIG_FILES([
bin/named/unix/Makefile
bin/named-pkcs11/Makefile
bin/named-pkcs11/unix/Makefile
+ bin/named-sdb/Makefile
+ bin/named-sdb/unix/Makefile
bin/nsupdate/Makefile
bin/pkcs11/Makefile
bin/python/Makefile
@@ -5469,6 +5471,7 @@ AC_CONFIG_FILES([
bin/python/isc/tests/dnskey_test.py
bin/python/isc/tests/policy_test.py
bin/rndc/Makefile
+ bin/sdb_tools/Makefile
bin/tests/Makefile
bin/tests/headerdep_test.sh
bin/tests/optional/Makefile

18
bind-9.10-use-of-strlcat.patch Normal file
View File

@ -0,0 +1,18 @@
diff --git a/bin/sdb_tools/zone2ldap.c b/bin/sdb_tools/zone2ldap.c
index d56bc56..99c3314 100644
--- a/bin/sdb_tools/zone2ldap.c
+++ b/bin/sdb_tools/zone2ldap.c
@@ -817,11 +817,11 @@ build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag, char *zone)
}
- strlcat (dn, tmp, sizeof (dn));
+ strncat (dn, tmp, sizeof (dn) - strlen (dn));
}
sprintf (tmp, "dc=%s", dc_list[0]);
- strlcat (dn, tmp, sizeof (dn));
+ strncat (dn, tmp, sizeof (dn) - strlen (dn));
fflush(NULL);
return dn;

39
bind-9.11-export-suffix.patch Normal file
View File

@ -0,0 +1,39 @@
diff --git a/configure.in b/configure.in
index e6cd6a4..988b0a7 100644
--- a/configure.in
+++ b/configure.in
@@ -5116,6 +5116,8 @@ AC_SUBST(BUILD_CPPFLAGS)
AC_SUBST(BUILD_LDFLAGS)
AC_SUBST(BUILD_LIBS)
+AC_SUBST(LIBDIR_SUFFIX)
+
#
# Commands to run at the end of config.status.
# Don't just put these into configure, it won't work right if somebody
diff --git a/isc-config.sh.in b/isc-config.sh.in
index 110191a..5a64004 100644
--- a/isc-config.sh.in
+++ b/isc-config.sh.in
@@ -12,16 +12,17 @@ prefix=@prefix@
exec_prefix=@exec_prefix@
exec_prefix_set=
includedir=@includedir@
+libdir_suffix=@LIBDIR_SUFFIX@
arch=$(uname -m)
case $arch in
x86_64 | amd64 | sparc64 | s390x | ppc64)
- libdir=/usr/lib64
- sec_libdir=/usr/lib
+ libdir=/usr/lib64${libdir_suffix}
+ sec_libdir=/usr/lib${libdir_suffix}
;;
* )
- libdir=/usr/lib
- sec_libdir=/usr/lib64
+ libdir=/usr/lib${libdir_suffix}
+ sec_libdir=/usr/lib64${libdir_suffix}
;;
esac

1516
bind-9.11-fips-code.patch Normal file
View File

File diff suppressed because it is too large Load Diff

1781
bind-9.11-fips-tests.patch Normal file
View File

File diff suppressed because it is too large Load Diff

100
bind-9.11-host-idn-disable.patch Normal file
View File

@ -0,0 +1,100 @@
From 145fac914bf47128307aea702fed7eb74b65cadd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Tue, 25 Sep 2018 18:08:46 +0200
Subject: [PATCH] Disable IDN from environment as documented
Manual page of host contained instructions to disable IDN processing
when it was built with libidn2. When refactoring IDN support however,
support for disabling IDN in host and nslookup was lost. Use also
environment variable and document it for nslookup, host and dig.
Support variable CHARSET=ASCII to disable IDN, supported in downstream
RH patch since RHEL 5.
---
bin/dig/dig.docbook | 4 +++-
bin/dig/dighost.c | 9 +++++++--
bin/dig/host.docbook | 2 +-
bin/dig/nslookup.docbook | 15 +++++++++++++++
4 files changed, 26 insertions(+), 4 deletions(-)
diff --git a/bin/dig/dig.docbook b/bin/dig/dig.docbook
index fedd288..d5dba72 100644
--- a/bin/dig/dig.docbook
+++ b/bin/dig/dig.docbook
@@ -1288,7 +1288,9 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
reply from the server.
If you'd like to turn off the IDN support for some reason, use
parameters <parameter>+noidnin</parameter> and
- <parameter>+noidnout</parameter>.
+ <parameter>+noidnout</parameter> or define
+ the <envar>IDN_DISABLE</envar> environment variable.
+
</para>
</refsection>
diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
index 7408193..d46379d 100644
--- a/bin/dig/dighost.c
+++ b/bin/dig/dighost.c
@@ -822,12 +822,17 @@ make_empty_lookup(void) {
looknew->seenbadcookie = ISC_FALSE;
looknew->badcookie = ISC_TRUE;
#ifdef WITH_IDN_SUPPORT
- looknew->idnin = ISC_TRUE;
+ looknew->idnin = (getenv("IDN_DISABLE") == NULL);
+ if (looknew->idnin) {
+ const char *charset = getenv("CHARSET");
+ if (charset && !strcmp(charset, "ASCII"))
+ looknew->idnin = ISC_FALSE;
+ }
#else
looknew->idnin = ISC_FALSE;
#endif
#ifdef WITH_IDN_OUT_SUPPORT
- looknew->idnout = ISC_TRUE;
+ looknew->idnout = looknew->idnin;
#else
looknew->idnout = ISC_FALSE;
#endif
diff --git a/bin/dig/host.docbook b/bin/dig/host.docbook
index 9c3aeaa..42cbbf9 100644
--- a/bin/dig/host.docbook
+++ b/bin/dig/host.docbook
@@ -378,7 +378,7 @@
<command>host</command> appropriately converts character encoding of
domain name before sending a request to DNS server or displaying a
reply from the server.
- If you'd like to turn off the IDN support for some reason, defines
+ If you'd like to turn off the IDN support for some reason, define
the <envar>IDN_DISABLE</envar> environment variable.
The IDN support is disabled if the variable is set when
<command>host</command> runs.
diff --git a/bin/dig/nslookup.docbook b/bin/dig/nslookup.docbook
index 3aff4e9..86a09c6 100644
--- a/bin/dig/nslookup.docbook
+++ b/bin/dig/nslookup.docbook
@@ -478,6 +478,21 @@ nslookup -query=hinfo -timeout=10
</para>
</refsection>
+ <refsection><info><title>IDN SUPPORT</title></info>
+
+ <para>
+ If <command>nslookup</command> has been built with IDN (internationalized
+ domain name) support, it can accept and display non-ASCII domain names.
+ <command>nslookup</command> appropriately converts character encoding of
+ domain name before sending a request to DNS server or displaying a
+ reply from the server.
+ If you'd like to turn off the IDN support for some reason, define
+ the <envar>IDN_DISABLE</envar> environment variable.
+ The IDN support is disabled if the variable is set when
+ <command>nslookup</command> runs.
+ </para>
+ </refsection>
+
<refsection><info><title>FILES</title></info>
<para><filename>/etc/resolv.conf</filename>
--
2.14.4

206
bind-9.11-kyua-pkcs11.patch Normal file
View File

@ -0,0 +1,206 @@
From d0433a314534e104f52acf2a0a96a68dd84305ae Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Tue, 2 Jan 2018 18:13:07 +0100
Subject: [PATCH] Fix pkcs11 variants atf tests
Add dns-pkcs11 tests Makefile to configure
Add pkcs11 Kyuafile, fix dh_test to pass in pkcs11 mode
---
configure.in | 1 +
lib/Atffile | 2 ++
lib/Kyuafile | 2 ++
lib/dns-pkcs11/tests/Makefile.in | 10 +++++-----
lib/dns-pkcs11/tests/dh_test.c | 3 ++-
lib/isc-pkcs11/tests/Makefile.in | 6 +++---
lib/isc-pkcs11/tests/hash_test.c | 32 +++++++++++++++++++++++++-------
7 files changed, 40 insertions(+), 16 deletions(-)
diff --git a/configure.in b/configure.in
index 67b3aab..4767eeb 100644
--- a/configure.in
+++ b/configure.in
@@ -5579,6 +5579,7 @@ AC_CONFIG_FILES([
lib/dns-pkcs11/include/Makefile
lib/dns-pkcs11/include/dns/Makefile
lib/dns-pkcs11/include/dst/Makefile
+ lib/dns-pkcs11/tests/Makefile
lib/irs/Makefile
lib/irs/include/Makefile
lib/irs/include/irs/Makefile
diff --git a/lib/Atffile b/lib/Atffile
index 93bbb01..4db3dce 100644
--- a/lib/Atffile
+++ b/lib/Atffile
@@ -3,7 +3,9 @@ Content-Type: application/X-atf-atffile; version="1"
prop: test-suite = bind9
tp: dns
+tp: dns-pkcs11
tp: irs
tp: isc
+tp: isc-pkcs11
tp: isccfg
tp: lwres
diff --git a/lib/Kyuafile b/lib/Kyuafile
index ff9fc56..eaaf0dc 100644
--- a/lib/Kyuafile
+++ b/lib/Kyuafile
@@ -2,7 +2,9 @@ syntax(2)
test_suite('bind9')
include('dns/Kyuafile')
+include('dns-pkcs11/Kyuafile')
include('irs/Kyuafile')
include('isc/Kyuafile')
+include('isc-pkcs11/Kyuafile')
include('isccfg/Kyuafile')
include('lwres/Kyuafile')
diff --git a/lib/dns-pkcs11/tests/Makefile.in b/lib/dns-pkcs11/tests/Makefile.in
index 2a6571b..f25a784 100644
--- a/lib/dns-pkcs11/tests/Makefile.in
+++ b/lib/dns-pkcs11/tests/Makefile.in
@@ -20,12 +20,12 @@ VERSION=@BIND9_VERSION@
CINCLUDES = -I. -Iinclude ${DNS_INCLUDES} ${ISC_INCLUDES} \
@DST_OPENSSL_INC@
-CDEFINES = @CRYPTO@ -DTESTS="\"${top_builddir}/lib/dns/tests/\""
+CDEFINES = @CRYPTO@ -DTESTS="\"${top_builddir}/lib/dns-pkcs11/tests/\""
-ISCLIBS = ../../isc/libisc.@A@
-ISCDEPLIBS = ../../isc/libisc.@A@
-DNSLIBS = ../libdns.@A@ @DNS_CRYPTO_LIBS@
-DNSDEPLIBS = ../libdns.@A@
+ISCLIBS = ../../isc-pkcs11/libisc-pkcs11.@A@
+ISCDEPLIBS = ../../isc-pkcs11/libisc-pkcs11.@A@
+DNSLIBS = ../libdns-pkcs11.@A@ @DNS_CRYPTO_LIBS@
+DNSDEPLIBS = ../libdns-pkcs11.@A@
LIBS = @LIBS@ @ATFLIBS@
diff --git a/lib/dns-pkcs11/tests/dh_test.c b/lib/dns-pkcs11/tests/dh_test.c
index 036d27a..eb6554f 100644
--- a/lib/dns-pkcs11/tests/dh_test.c
+++ b/lib/dns-pkcs11/tests/dh_test.c
@@ -63,7 +63,8 @@ ATF_TC_BODY(isc_dh_computesecret, tc) {
ret = dst_key_computesecret(key, key, &buf);
ATF_REQUIRE_EQ(ret, DST_R_NOTPRIVATEKEY);
ret = key->func->computesecret(key, key, &buf);
- ATF_REQUIRE_EQ(ret, DST_R_COMPUTESECRETFAILURE);
+ /* PKCS11 variant gives different result, accept both */
+ ATF_REQUIRE(ret == DST_R_COMPUTESECRETFAILURE || ret == DST_R_INVALIDPRIVATEKEY);
dst_key_free(&key);
dns_test_end();
diff --git a/lib/isc-pkcs11/tests/Makefile.in b/lib/isc-pkcs11/tests/Makefile.in
index f7fa538..818dae4 100644
--- a/lib/isc-pkcs11/tests/Makefile.in
+++ b/lib/isc-pkcs11/tests/Makefile.in
@@ -17,10 +17,10 @@ VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@
CINCLUDES = -I. -Iinclude ${ISC_INCLUDES} @ISC_OPENSSL_INC@
-CDEFINES = @CRYPTO@ -DTESTS="\"${top_builddir}/lib/isc/tests/\""
+CDEFINES = @CRYPTO@ -DTESTS="\"${top_builddir}/lib/isc-pkcs11/tests/\""
-ISCLIBS = ../libisc.@A@ @ISC_OPENSSL_LIBS@
-ISCDEPLIBS = ../libisc.@A@
+ISCLIBS = ../libisc-pkcs11.@A@ @ISC_OPENSSL_LIBS@
+ISCDEPLIBS = ../libisc-pkcs11.@A@
LIBS = @LIBS@ @ATFLIBS@
diff --git a/lib/isc-pkcs11/tests/hash_test.c b/lib/isc-pkcs11/tests/hash_test.c
index 5b8a374..c1891c2 100644
--- a/lib/isc-pkcs11/tests/hash_test.c
+++ b/lib/isc-pkcs11/tests/hash_test.c
@@ -74,7 +74,7 @@ typedef struct hash_testcase {
typedef struct hash_test_key {
const char *key;
- const int len;
+ const unsigned len;
} hash_test_key_t;
/* non-hmac tests */
@@ -957,8 +957,11 @@ ATF_TC_BODY(isc_hmacsha1, tc) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
+ int len = ISC_MAX(test_key->len, ISC_SHA1_DIGESTLENGTH);
+
+ memset(buffer, 0, ISC_SHA1_DIGESTLENGTH);
memmove(buffer, test_key->key, test_key->len);
- isc_hmacsha1_init(&hmacsha1, buffer, test_key->len);
+ isc_hmacsha1_init(&hmacsha1, buffer, len);
isc_hmacsha1_update(&hmacsha1,
(const isc_uint8_t *) testcase->input,
testcase->input_len);
@@ -1120,8 +1123,11 @@ ATF_TC_BODY(isc_hmacsha224, tc) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
+ int len = ISC_MAX(test_key->len, ISC_SHA224_DIGESTLENGTH);
+
+ memset(buffer, 0, ISC_SHA224_DIGESTLENGTH);
memmove(buffer, test_key->key, test_key->len);
- isc_hmacsha224_init(&hmacsha224, buffer, test_key->len);
+ isc_hmacsha224_init(&hmacsha224, buffer, len);
isc_hmacsha224_update(&hmacsha224,
(const isc_uint8_t *) testcase->input,
testcase->input_len);
@@ -1283,8 +1289,11 @@ ATF_TC_BODY(isc_hmacsha256, tc) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
+ int len = ISC_MAX(test_key->len, ISC_SHA256_DIGESTLENGTH);
+
+ memset(buffer, 0, ISC_SHA256_DIGESTLENGTH);
memmove(buffer, test_key->key, test_key->len);
- isc_hmacsha256_init(&hmacsha256, buffer, test_key->len);
+ isc_hmacsha256_init(&hmacsha256, buffer, len);
isc_hmacsha256_update(&hmacsha256,
(const isc_uint8_t *) testcase->input,
testcase->input_len);
@@ -1452,8 +1461,11 @@ ATF_TC_BODY(isc_hmacsha384, tc) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
+ int len = ISC_MAX(test_key->len, ISC_SHA384_DIGESTLENGTH);
+
+ memset(buffer, 0, ISC_SHA384_DIGESTLENGTH);
memmove(buffer, test_key->key, test_key->len);
- isc_hmacsha384_init(&hmacsha384, buffer, test_key->len);
+ isc_hmacsha384_init(&hmacsha384, buffer, len);
isc_hmacsha384_update(&hmacsha384,
(const isc_uint8_t *) testcase->input,
testcase->input_len);
@@ -1621,8 +1633,11 @@ ATF_TC_BODY(isc_hmacsha512, tc) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
+ int len = ISC_MAX(test_key->len, ISC_SHA512_DIGESTLENGTH);
+
+ memset(buffer, 0, ISC_SHA512_DIGESTLENGTH);
memmove(buffer, test_key->key, test_key->len);
- isc_hmacsha512_init(&hmacsha512, buffer, test_key->len);
+ isc_hmacsha512_init(&hmacsha512, buffer, len);
isc_hmacsha512_update(&hmacsha512,
(const isc_uint8_t *) testcase->input,
testcase->input_len);
@@ -1765,8 +1780,11 @@ ATF_TC_BODY(isc_hmacmd5, tc) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
+ int len = ISC_MAX(test_key->len, ISC_MD5_DIGESTLENGTH);
+
+ memset(buffer, 0, ISC_MD5_DIGESTLENGTH);
memmove(buffer, test_key->key, test_key->len);
- isc_hmacmd5_init(&hmacmd5, buffer, test_key->len);
+ isc_hmacmd5_init(&hmacmd5, buffer, len);
isc_hmacmd5_update(&hmacmd5,
(const isc_uint8_t *) testcase->input,
testcase->input_len);
--
2.14.3

256
bind-9.11-oot-manual.patch Normal file
View File

@ -0,0 +1,256 @@
From e462d022a9dc52c40aece6f8ba3123ff3ffa59ed Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Wed, 25 Jul 2018 12:24:16 +0200
Subject: [PATCH] Use make automatic variables to install updated manuals
Make will choose modified manual from build directory or original from source
directory automagically. Take advantage of install tool feature.
Install all files in single command instead of iterating on each of them.
---
bin/check/Makefile.in | 8 +++++---
bin/confgen/Makefile.in | 9 +++++----
bin/delv/Makefile.in | 6 ++++--
bin/dig/Makefile.in | 8 ++++----
bin/dnssec/Makefile.in | 6 ++++--
bin/named/Makefile.in | 13 +++++++++----
bin/pkcs11/Makefile.in | 9 ++++-----
bin/python/Makefile.in | 8 ++++----
bin/tools/Makefile.in | 25 +++++++++++++++----------
9 files changed, 54 insertions(+), 38 deletions(-)
diff --git a/bin/check/Makefile.in b/bin/check/Makefile.in
index 12f48d2d23..d8eac4c714 100644
--- a/bin/check/Makefile.in
+++ b/bin/check/Makefile.in
@@ -83,12 +83,14 @@ installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
-install:: named-checkconf@EXEEXT@ named-checkzone@EXEEXT@ installdirs
+install-man8: ${MANPAGES}
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8
+ (cd ${DESTDIR}${mandir}/man8; rm -f named-compilezone.8; ${LINK_PROGRAM} named-checkzone.8 named-compilezone.8)
+
+install:: named-checkconf@EXEEXT@ named-checkzone@EXEEXT@ installdirs install-man8
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkconf@EXEEXT@ ${DESTDIR}${sbindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkzone@EXEEXT@ ${DESTDIR}${sbindir}
(cd ${DESTDIR}${sbindir}; rm -f named-compilezone@EXEEXT@; ${LINK_PROGRAM} named-checkzone@EXEEXT@ named-compilezone@EXEEXT@)
- for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8; done
- (cd ${DESTDIR}${mandir}/man8; rm -f named-compilezone.8; ${LINK_PROGRAM} named-checkzone.8 named-compilezone.8)
uninstall::
rm -f ${DESTDIR}${mandir}/man8/named-compilezone.8
diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in
index 87f13dda4b..7865c0c73e 100644
--- a/bin/confgen/Makefile.in
+++ b/bin/confgen/Makefile.in
@@ -95,13 +95,14 @@ installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
-install:: rndc-confgen@EXEEXT@ ddns-confgen@EXEEXT@ installdirs
+install-man8: rndc-confgen.8 ddns-confgen.8
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8
+ (cd ${DESTDIR}${mandir}/man8; rm -f tsig-keygen.8; ${LINK_PROGRAM} ddns-confgen.8 tsig-keygen.8)
+
+install:: rndc-confgen@EXEEXT@ ddns-confgen@EXEEXT@ installdirs install-man8
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} rndc-confgen@EXEEXT@ ${DESTDIR}${sbindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} ddns-confgen@EXEEXT@ ${DESTDIR}${sbindir}
- ${INSTALL_DATA} ${srcdir}/rndc-confgen.8 ${DESTDIR}${mandir}/man8
- ${INSTALL_DATA} ${srcdir}/ddns-confgen.8 ${DESTDIR}${mandir}/man8
(cd ${DESTDIR}${sbindir}; rm -f tsig-keygen@EXEEXT@; ${LINK_PROGRAM} ddns-confgen@EXEEXT@ tsig-keygen@EXEEXT@)
- (cd ${DESTDIR}${mandir}/man8; rm -f tsig-keygen.8; ${LINK_PROGRAM} ddns-confgen.8 tsig-keygen.8)
uninstall::
rm -f ${DESTDIR}${mandir}/man8/tsig-keygen.8
diff --git a/bin/delv/Makefile.in b/bin/delv/Makefile.in
index e2d2802262..19361a83ea 100644
--- a/bin/delv/Makefile.in
+++ b/bin/delv/Makefile.in
@@ -63,10 +63,12 @@ installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir}
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1
-install:: delv@EXEEXT@ installdirs
+install-man1: delv.1
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man1
+
+install:: delv@EXEEXT@ installdirs install-man1
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \
delv@EXEEXT@ ${DESTDIR}${bindir}
- ${INSTALL_DATA} ${srcdir}/delv.1 ${DESTDIR}${mandir}/man1
uninstall::
rm -f ${DESTDIR}${mandir}/man1/delv.1
diff --git a/bin/dig/Makefile.in b/bin/dig/Makefile.in
index 773ac46395..3edd951e7e 100644
--- a/bin/dig/Makefile.in
+++ b/bin/dig/Makefile.in
@@ -91,16 +91,16 @@ installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir}
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1
-install:: dig@EXEEXT@ host@EXEEXT@ nslookup@EXEEXT@ installdirs
+install-man1: ${MANPAGES}
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man1
+
+install:: dig@EXEEXT@ host@EXEEXT@ nslookup@EXEEXT@ installdirs install-man1
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \
dig@EXEEXT@ ${DESTDIR}${bindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \
host@EXEEXT@ ${DESTDIR}${bindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \
nslookup@EXEEXT@ ${DESTDIR}${bindir}
- for m in ${MANPAGES}; do \
- ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man1; \
- done
uninstall::
for m in ${MANPAGES}; do \
diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in
index 1be1d5ffc6..1d0c4ce5c1 100644
--- a/bin/dnssec/Makefile.in
+++ b/bin/dnssec/Makefile.in
@@ -110,9 +110,11 @@ installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
-install:: ${TARGETS} installdirs
+install-man8: ${MANPAGES}
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8
+
+install:: ${TARGETS} installdirs install-man8
for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir}; done
- for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8; done
uninstall::
for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m ; done
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
index 1c413973d0..03e4cb849b 100644
--- a/bin/named/Makefile.in
+++ b/bin/named/Makefile.in
@@ -172,12 +172,17 @@ installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man5
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
-install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs
+install-man5: named.conf.5
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man5
+
+install-man8: named.8 lwresd.8
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8
+
+install-man: install-man5 install-man8
+
+install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs install-man
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir}
(cd ${DESTDIR}${sbindir}; rm -f lwresd@EXEEXT@; @LN@ named@EXEEXT@ lwresd@EXEEXT@)
- ${INSTALL_DATA} ${srcdir}/named.8 ${DESTDIR}${mandir}/man8
- ${INSTALL_DATA} ${srcdir}/lwresd.8 ${DESTDIR}${mandir}/man8
- ${INSTALL_DATA} ${srcdir}/named.conf.5 ${DESTDIR}${mandir}/man5
uninstall::
rm -f ${DESTDIR}${mandir}/man5/named.conf.5
diff --git a/bin/pkcs11/Makefile.in b/bin/pkcs11/Makefile.in
index ae9061626c..a058c91214 100644
--- a/bin/pkcs11/Makefile.in
+++ b/bin/pkcs11/Makefile.in
@@ -71,7 +71,10 @@ installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
-install:: ${TARGETS} installdirs
+install-man8: ${MANPAGES}
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8
+
+install:: ${TARGETS} installdirs install-man8
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} pkcs11-list@EXEEXT@ \
${DESTDIR}${sbindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} pkcs11-destroy@EXEEXT@ \
@@ -80,10 +83,6 @@ install:: ${TARGETS} installdirs
${DESTDIR}${sbindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} pkcs11-tokens@EXEEXT@ \
${DESTDIR}${sbindir}
- ${INSTALL_DATA} ${srcdir}/pkcs11-list.8 ${DESTDIR}${mandir}/man8
- ${INSTALL_DATA} ${srcdir}/pkcs11-destroy.8 ${DESTDIR}${mandir}/man8
- ${INSTALL_DATA} ${srcdir}/pkcs11-keygen.8 ${DESTDIR}${mandir}/man8
- ${INSTALL_DATA} ${srcdir}/pkcs11-tokens.8 ${DESTDIR}${mandir}/man8
uninstall::
rm -f ${DESTDIR}${mandir}/man8/pkcs11-tokens.8
diff --git a/bin/python/Makefile.in b/bin/python/Makefile.in
index aa678d47ab..064c404e2f 100644
--- a/bin/python/Makefile.in
+++ b/bin/python/Makefile.in
@@ -47,13 +47,13 @@ installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
-install:: ${TARGETS} installdirs
+install-man8: ${MANPAGES}
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8
+
+install:: ${TARGETS} installdirs install-man8
${INSTALL_SCRIPT} dnssec-checkds ${DESTDIR}${sbindir}
${INSTALL_SCRIPT} dnssec-coverage ${DESTDIR}${sbindir}
${INSTALL_SCRIPT} dnssec-keymgr ${DESTDIR}${sbindir}
- ${INSTALL_DATA} ${srcdir}/dnssec-checkds.8 ${DESTDIR}${mandir}/man8
- ${INSTALL_DATA} ${srcdir}/dnssec-coverage.8 ${DESTDIR}${mandir}/man8
- ${INSTALL_DATA} ${srcdir}/dnssec-keymgr.8 ${DESTDIR}${mandir}/man8
if test -n "${PYTHON}" ; then \
if test -n "${DESTDIR}" ; then \
${PYTHON} ${srcdir}/setup.py install --root=${DESTDIR} --prefix=${prefix} @PYTHON_INSTALL_LIB@ ; \
diff --git a/bin/tools/Makefile.in b/bin/tools/Makefile.in
index 7bf2af4cea..c395bc7462 100644
--- a/bin/tools/Makefile.in
+++ b/bin/tools/Makefile.in
@@ -119,17 +119,27 @@ installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
-nzd:
+nzd-man: named-nzd2nzf.8
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8
+
+nzd: nzd-man
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-nzd2nzf@EXEEXT@ \
${DESTDIR}${sbindir}
- ${INSTALL_DATA} ${srcdir}/named-nzd2nzf.8 ${DESTDIR}${mandir}/man8
-dnstap:
+dnstap-man: dnstap-read.1
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man1
+
+dnstap: dnstap-man
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} dnstap-read@EXEEXT@ \
${DESTDIR}${bindir}
- ${INSTALL_DATA} ${srcdir}/dnstap-read.1 ${DESTDIR}${mandir}/man1
-install:: ${TARGETS} installdirs @DNSTAP@ @NZD_TOOLS@
+install-man1: arpaname.1 named-rrchecker.1 mdig.1
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man1
+
+install-man8: named-journalprint.8 nsec3hash.8
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8
+
+install:: ${TARGETS} installdirs @DNSTAP@ @NZD_TOOLS@ install-man1 install-man8
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} arpaname@EXEEXT@ \
${DESTDIR}${bindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-journalprint@EXEEXT@ \
@@ -144,13 +154,8 @@ install:: ${TARGETS} installdirs @DNSTAP@ @NZD_TOOLS@
${DESTDIR}${sbindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} mdig@EXEEXT@ \
${DESTDIR}${bindir}
- ${INSTALL_DATA} ${srcdir}/arpaname.1 ${DESTDIR}${mandir}/man1
${INSTALL_DATA} ${srcdir}/isc-hmac-fixup.8 ${DESTDIR}${mandir}/man8
- ${INSTALL_DATA} ${srcdir}/named-journalprint.8 ${DESTDIR}${mandir}/man8
- ${INSTALL_DATA} ${srcdir}/named-rrchecker.1 ${DESTDIR}${mandir}/man1
- ${INSTALL_DATA} ${srcdir}/nsec3hash.8 ${DESTDIR}${mandir}/man8
${INSTALL_DATA} ${srcdir}/genrandom.8 ${DESTDIR}${mandir}/man8
- ${INSTALL_DATA} ${srcdir}/mdig.1 ${DESTDIR}${mandir}/man1
uninstall::
rm -f ${DESTDIR}${mandir}/man1/mdig.1
--
2.14.4

27
bind-9.11-pk11.patch Normal file
View File

@ -0,0 +1,27 @@
diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h
index 640519a..fc40472 100644
--- a/lib/dns/dst_internal.h
+++ b/lib/dns/dst_internal.h
@@ -59,6 +59,9 @@
#include <openssl/objects.h>
#include <openssl/rsa.h>
#endif
+#if PKCS11CRYPTO
+#include <pk11/pk11.h>
+#endif
ISC_LANG_BEGINDECLS
diff --git a/lib/isc/include/pk11/internal.h b/lib/isc/include/pk11/internal.h
index aa8907a..603712a 100644
--- a/lib/isc/include/pk11/internal.h
+++ b/lib/isc/include/pk11/internal.h
@@ -13,6 +13,8 @@
#ifndef PK11_INTERNAL_H
#define PK11_INTERNAL_H 1
+#include <pk11/pk11.h>
+
/*! \file pk11/internal.h */
ISC_LANG_BEGINDECLS

120
bind-9.11-rh1205168.patch Normal file
View File

@ -0,0 +1,120 @@
From 90416594843a56550e40b11561807786219ce1c4 Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Mon, 11 Sep 2017 15:01:36 -0700
Subject: [PATCH] remap getaddrinfo() to irs_getgetaddrinfo()
The libirs version of getaddrinfo() cannot be called from within BIND9.
fix prototypes
---
lib/irs/include/irs/netdb.h.in | 94 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 94 insertions(+)
diff --git a/lib/irs/include/irs/netdb.h.in b/lib/irs/include/irs/netdb.h.in
index 23dcd37..f36113d 100644
--- a/lib/irs/include/irs/netdb.h.in
+++ b/lib/irs/include/irs/netdb.h.in
@@ -150,6 +150,100 @@ struct addrinfo {
#define NI_DGRAM 0x00000010
/*
+ * Define to map into irs_ namespace.
+ */
+
+#define IRS_NAMESPACE
+
+#ifdef IRS_NAMESPACE
+
+/*
+ * Use our versions not the ones from the C library.
+ */
+
+#ifdef getnameinfo
+#undef getnameinfo
+#endif
+#define getnameinfo irs_getnameinfo
+
+#ifdef getaddrinfo
+#undef getaddrinfo
+#endif
+#define getaddrinfo irs_getaddrinfo
+
+#ifdef freeaddrinfo
+#undef freeaddrinfo
+#endif
+#define freeaddrinfo irs_freeaddrinfo
+
+#ifdef gai_strerror
+#undef gai_strerror
+#endif
+#define gai_strerror irs_gai_strerror
+
+#endif
+
+extern int getaddrinfo (const char *name,
+ const char *service,
+ const struct addrinfo *req,
+ struct addrinfo **pai);
+extern int getnameinfo (const struct sockaddr *sa,
+ socklen_t salen, char *host,
+ socklen_t hostlen, char *serv,
+ socklen_t servlen, int flags);
+extern void freeaddrinfo (struct addrinfo *ai);
+extern const char *gai_strerror (int ecode);
+
+/*
+ * Define to map into irs_ namespace.
+ */
+
+#define IRS_NAMESPACE
+
+#ifdef IRS_NAMESPACE
+
+/*
+ * Use our versions not the ones from the C library.
+ */
+
+#ifdef getnameinfo
+#undef getnameinfo
+#endif
+#define getnameinfo irs_getnameinfo
+
+#ifdef getaddrinfo
+#undef getaddrinfo
+#endif
+#define getaddrinfo irs_getaddrinfo
+
+#ifdef freeaddrinfo
+#undef freeaddrinfo
+#endif
+#define freeaddrinfo irs_freeaddrinfo
+
+#ifdef gai_strerror
+#undef gai_strerror
+#endif
+#define gai_strerror irs_gai_strerror
+
+int
+getaddrinfo(const char *hostname, const char *servname,
+ const struct addrinfo *hints, struct addrinfo **res);
+
+int
+getnameinfo(const struct sockaddr *sa, IRS_GETNAMEINFO_SOCKLEN_T salen,
+ char *host, IRS_GETNAMEINFO_BUFLEN_T hostlen,
+ char *serv, IRS_GETNAMEINFO_BUFLEN_T servlen,
+ IRS_GETNAMEINFO_FLAGS_T flags);
+
+void freeaddrinfo (struct addrinfo *ai);
+
+IRS_GAISTRERROR_RETURN_T
+gai_strerror(int ecode);
+
+#endif
+
+/*
* Tell Emacs to use C mode on this file.
* Local variables:
* mode: c
--
2.9.5

14
bind-9.11-rh1410433.patch Normal file
View File

@ -0,0 +1,14 @@
diff --git a/lib/dns/dyndb.c b/lib/dns/dyndb.c
index 0ce5e42..556d920 100644
--- a/lib/dns/dyndb.c
+++ b/lib/dns/dyndb.c
@@ -130,9 +130,6 @@ load_library(isc_mem_t *mctx, const char *filename, const char *instname,
instname, filename);
flags = RTLD_NOW|RTLD_LOCAL;
-#ifdef RTLD_DEEPBIND
- flags |= RTLD_DEEPBIND;
-#endif
handle = dlopen(filename, flags);
if (handle == NULL)

288
bind-9.11-rh1624100.patch Normal file
View File

@ -0,0 +1,288 @@
From 25ff8ab2b0772262d358272a3ed70a24fc6e4887 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
Date: Wed, 25 Apr 2018 14:04:31 +0200
Subject: [PATCH] Replace isc_safe routines with their OpenSSL counter parts
(cherry picked from commit 66ba2fdad583d962a1f4971c85d58381f0849e4d)
Remove isc_safe_memcompare, it's not needed anywhere and can't be replaced with CRYPTO_memcmp()
(cherry picked from commit b105ccee68ccc3c18e6ea530063b3c8e5a42571c)
Fix the isc_safe_memwipe() usage with (NULL, >0)
(cherry picked from commit 083461d3329ff6f2410745848a926090586a9846)
---
bin/dnssec/dnssec-signzone.c | 2 +-
lib/dns/nsec3.c | 4 +--
lib/dns/spnego.c | 4 +--
lib/isc/Makefile.in | 8 ++---
lib/isc/include/isc/safe.h | 18 ++++------
lib/isc/safe.c | 81 --------------------------------------------
lib/isc/tests/safe_test.c | 20 -----------
7 files changed, 13 insertions(+), 124 deletions(-)
delete mode 100644 lib/isc/safe.c
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index 53be1f5c60..351296a356 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -786,7 +786,7 @@ hashlist_add_dns_name(hashlist_t *l, /*const*/ dns_name_t *name,
static int
hashlist_comp(const void *a, const void *b) {
- return (isc_safe_memcompare(a, b, hash_length + 1));
+ return (memcmp(a, b, hash_length + 1));
}
static void
diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c
index d364308aaf..37b6a8a7fe 100644
--- a/lib/dns/nsec3.c
+++ b/lib/dns/nsec3.c
@@ -1950,7 +1950,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name,
* Work out what this NSEC3 covers.
* Inside (<0) or outside (>=0).
*/
- scope = isc_safe_memcompare(owner, nsec3.next, nsec3.next_length);
+ scope = memcmp(owner, nsec3.next, nsec3.next_length);
/*
* Prepare to compute all the hashes.
@@ -1974,7 +1974,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name,
return (ISC_R_IGNORE);
}
- order = isc_safe_memcompare(hash, owner, length);
+ order = memcmp(hash, owner, length);
if (first && order == 0) {
/*
* The hashes are the same.
diff --git a/lib/dns/spnego.c b/lib/dns/spnego.c
index ce3e42d650..079d4c1b4a 100644
--- a/lib/dns/spnego.c
+++ b/lib/dns/spnego.c
@@ -369,7 +369,7 @@ gssapi_spnego_decapsulate(OM_uint32 *,
/* mod_auth_kerb.c */
-static int
+static isc_boolean_t
cmp_gss_type(gss_buffer_t token, gss_OID gssoid)
{
unsigned char *p;
@@ -393,7 +393,7 @@ cmp_gss_type(gss_buffer_t token, gss_OID gssoid)
if (((OM_uint32) *p++) != gssoid->length)
return (GSS_S_DEFECTIVE_TOKEN);
- return (isc_safe_memcompare(p, gssoid->elements, gssoid->length));
+ return (!isc_safe_memequal(p, gssoid->elements, gssoid->length));
}
/* accept_sec_context.c */
diff --git a/lib/isc/Makefile.in b/lib/isc/Makefile.in
index ba53ef1091..98acffffc9 100644
--- a/lib/isc/Makefile.in
+++ b/lib/isc/Makefile.in
@@ -60,7 +60,7 @@ OBJS = @ISC_EXTRA_OBJS@ @ISC_PK11_O@ @ISC_PK11_RESULT_O@ \
parseint.@O@ portset.@O@ quota.@O@ radix.@O@ random.@O@ \
ratelimiter.@O@ refcount.@O@ region.@O@ regex.@O@ result.@O@ \
rwlock.@O@ \
- safe.@O@ serial.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \
+ serial.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \
string.@O@ strtoul.@O@ symtab.@O@ task.@O@ taskpool.@O@ \
tm.@O@ timer.@O@ version.@O@ \
${UNIXOBJS} ${NLSOBJS} ${THREADOBJS}
@@ -79,7 +79,7 @@ SRCS = @ISC_EXTRA_SRCS@ @ISC_PK11_C@ @ISC_PK11_RESULT_C@ \
netaddr.c netscope.c pool.c ondestroy.c \
parseint.c portset.c quota.c radix.c random.c ${CHACHASRCS} \
ratelimiter.c refcount.c region.c regex.c result.c rwlock.c \
- safe.c serial.c sha1.c sha2.c sockaddr.c stats.c string.c \
+ serial.c sha1.c sha2.c sockaddr.c stats.c string.c \
strtoul.c symtab.c task.c taskpool.c timer.c \
tm.c version.c
@@ -95,10 +95,6 @@ TESTDIRS = @UNITTESTS@
@BIND9_MAKE_RULES@
-safe.@O@: safe.c
- ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} @CCNOOPT@ \
- -c ${srcdir}/safe.c
-
version.@O@: version.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-DVERSION=\"${VERSION}\" \
diff --git a/lib/isc/include/isc/safe.h b/lib/isc/include/isc/safe.h
index f29f00bac6..b8a0b2290c 100644
--- a/lib/isc/include/isc/safe.h
+++ b/lib/isc/include/isc/safe.h
@@ -15,27 +15,21 @@
/*! \file isc/safe.h */
-#include <isc/types.h>
-#include <stdlib.h>
+#include <isc/boolean.h>
+#include <isc/lang.h>
+
+#include <openssl/crypto.h>
ISC_LANG_BEGINDECLS
-isc_boolean_t
-isc_safe_memequal(const void *s1, const void *s2, size_t n);
+#define isc_safe_memequal(s1, s2, n) ISC_TF(!CRYPTO_memcmp(s1, s2, n))
/*%<
* Returns ISC_TRUE iff. two blocks of memory are equal, otherwise
* ISC_FALSE.
*
*/
-int
-isc_safe_memcompare(const void *b1, const void *b2, size_t len);
-/*%<
- * Clone of libc memcmp() which is safe to differential timing attacks.
- */
-
-void
-isc_safe_memwipe(void *ptr, size_t len);
+#define isc_safe_memwipe(ptr, len) OPENSSL_cleanse(ptr, len)
/*%<
* Clear the memory of length `len` pointed to by `ptr`.
*
diff --git a/lib/isc/safe.c b/lib/isc/safe.c
deleted file mode 100644
index 5c9e1e2d13..0000000000
--- a/lib/isc/safe.c
+++ /dev/null
@@ -1,81 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-/*! \file */
-
-#include <config.h>
-
-#include <isc/safe.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#ifdef WIN32
-#include <windows.h>
-#endif
-
-#ifdef _MSC_VER
-#pragma optimize("", off)
-#endif
-
-isc_boolean_t
-isc_safe_memequal(const void *s1, const void *s2, size_t n) {
- isc_uint8_t acc = 0;
-
- if (n != 0U) {
- const isc_uint8_t *p1 = s1, *p2 = s2;
-
- do {
- acc |= *p1++ ^ *p2++;
- } while (--n != 0U);
- }
- return (ISC_TF(acc == 0));
-}
-
-
-int
-isc_safe_memcompare(const void *b1, const void *b2, size_t len) {
- const unsigned char *p1 = b1, *p2 = b2;
- size_t i;
- int res = 0, done = 0;
-
- for (i = 0; i < len; i++) {
- /* lt is -1 if p1[i] < p2[i]; else 0. */
- int lt = (p1[i] - p2[i]) >> CHAR_BIT;
-
- /* gt is -1 if p1[i] > p2[i]; else 0. */
- int gt = (p2[i] - p1[i]) >> CHAR_BIT;
-
- /* cmp is 1 if p1[i] > p2[i]; -1 if p1[i] < p2[i]; else 0. */
- int cmp = lt - gt;
-
- /* set res = cmp if !done. */
- res |= cmp & ~done;
-
- /* set done if p1[i] != p2[i]. */
- done |= lt | gt;
- }
-
- return (res);
-}
-
-void
-isc_safe_memwipe(void *ptr, size_t len) {
- if (ISC_UNLIKELY(ptr == NULL || len == 0))
- return;
-
-#ifdef WIN32
- SecureZeroMemory(ptr, len);
-#elif HAVE_EXPLICIT_BZERO
- explicit_bzero(ptr, len);
-#else
- memset(ptr, 0, len);
-#endif
-}
diff --git a/lib/isc/tests/safe_test.c b/lib/isc/tests/safe_test.c
index f721cd1096..ea3e61f98d 100644
--- a/lib/isc/tests/safe_test.c
+++ b/lib/isc/tests/safe_test.c
@@ -39,24 +39,6 @@ ATF_TC_BODY(isc_safe_memequal, tc) {
"\x00\x00\x00\x00", 4));
}
-ATF_TC(isc_safe_memcompare);
-ATF_TC_HEAD(isc_safe_memcompare, tc) {
- atf_tc_set_md_var(tc, "descr", "safe memcompare()");
-}
-ATF_TC_BODY(isc_safe_memcompare, tc) {
- UNUSED(tc);
-
- ATF_CHECK(isc_safe_memcompare("test", "test", 4) == 0);
- ATF_CHECK(isc_safe_memcompare("test", "tesc", 4) > 0);
- ATF_CHECK(isc_safe_memcompare("test", "tesy", 4) < 0);
- ATF_CHECK(isc_safe_memcompare("\x00\x00\x00\x00",
- "\x00\x00\x00\x00", 4) == 0);
- ATF_CHECK(isc_safe_memcompare("\x00\x00\x00\x00",
- "\x00\x00\x00\x01", 4) < 0);
- ATF_CHECK(isc_safe_memcompare("\x00\x00\x00\x02",
- "\x00\x00\x00\x00", 4) > 0);
-}
-
ATF_TC(isc_safe_memwipe);
ATF_TC_HEAD(isc_safe_memwipe, tc) {
atf_tc_set_md_var(tc, "descr", "isc_safe_memwipe()");
@@ -67,7 +49,6 @@ ATF_TC_BODY(isc_safe_memwipe, tc) {
/* These should pass. */
isc_safe_memwipe(NULL, 0);
isc_safe_memwipe((void *) -1, 0);
- isc_safe_memwipe(NULL, 42);
/*
* isc_safe_memwipe(ptr, size) should function same as
@@ -106,7 +87,6 @@ ATF_TC_BODY(isc_safe_memwipe, tc) {
*/
ATF_TP_ADD_TCS(tp) {
ATF_TP_ADD_TC(tp, isc_safe_memequal);
- ATF_TP_ADD_TC(tp, isc_safe_memcompare);
ATF_TP_ADD_TC(tp, isc_safe_memwipe);
return (atf_no_error());
}
--
2.14.4

2199
bind-9.11-rt31459.patch Normal file
View File

File diff suppressed because it is too large Load Diff

765
bind-9.11-rt46047.patch Normal file
View File

@ -0,0 +1,765 @@
From 1ab1aabcf9b2b8de144bab7a3ff5d9f7e6ec9ad4 Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Thu, 28 Sep 2017 10:09:22 -0700
Subject: [PATCH] completed and corrected the crypto-random change
4724. [func] By default, BIND now uses the random number
functions provided by the crypto library (i.e.,
OpenSSL or a PKCS#11 provider) as a source of
randomness rather than /dev/random. This is
suitable for virtual machine environments
which have limited entropy pools and lack
hardware random number generators.
This can be overridden by specifying another
entropy source via the "random-device" option
in named.conf, or via the -r command line option;
however, for functions requiring full cryptographic
strength, such as DNSSEC key generation, this
cannot be overridden. In particular, the -r
command line option no longer has any effect on
dnssec-keygen.
This can be disabled by building with
"configure --disable-crypto-rand".
[RT #31459] [RT #46047]
---
bin/confgen/keygen.c | 12 +++----
bin/dnssec/dnssec-keygen.docbook | 24 +++++++++-----
bin/dnssec/dnssectool.c | 12 +++----
bin/named/client.c | 3 +-
bin/named/config.c | 4 ++-
bin/named/controlconf.c | 19 +++++++----
bin/named/include/named/server.h | 2 ++
bin/named/interfacemgr.c | 1 +
bin/named/query.c | 1 +
bin/named/server.c | 53 ++++++++++++++++++------------
bin/nsupdate/nsupdate.c | 4 +--
bin/tests/system/pipelined/pipequeries.c | 4 +--
bin/tests/system/tkey/keycreate.c | 4 +--
bin/tests/system/tkey/keydelete.c | 4 +--
doc/arm/Bv9ARM-book.xml | 55 ++++++++++++++++++++++----------
doc/arm/notes.xml | 23 ++++++++++++-
lib/dns/dst_api.c | 7 ++--
lib/dns/include/dst/dst.h | 14 ++++++--
lib/dns/openssl_link.c | 3 +-
lib/isc/include/isc/entropy.h | 50 +++++++++++++++++++++--------
lib/isc/include/isc/random.h | 28 ++++++++++------
lib/isccfg/namedconf.c | 2 +-
22 files changed, 219 insertions(+), 110 deletions(-)
diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c
index fa439cc..a7ad417 100644
--- a/bin/confgen/keygen.c
+++ b/bin/confgen/keygen.c
@@ -161,17 +161,15 @@ generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg,
DO("create entropy context", isc_entropy_create(mctx, &ectx));
- if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) {
- randomfile = NULL;
- open_keyboard = ISC_ENTROPY_KEYBOARDYES;
- }
#ifdef ISC_PLATFORM_CRYPTORANDOM
- if (randomfile != NULL &&
- strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
- randomfile = NULL;
+ if (randomfile == NULL) {
isc_entropy_usehook(ectx, ISC_TRUE);
}
#endif
+ if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) {
+ randomfile = NULL;
+ open_keyboard = ISC_ENTROPY_KEYBOARDYES;
+ }
DO("start entropy source", isc_entropy_usebestsource(ectx,
&entropy_source,
randomfile,
diff --git a/bin/dnssec/dnssec-keygen.docbook b/bin/dnssec/dnssec-keygen.docbook
index 96dfef6..1c84b06 100644
--- a/bin/dnssec/dnssec-keygen.docbook
+++ b/bin/dnssec/dnssec-keygen.docbook
@@ -349,15 +349,23 @@
<term>-r <replaceable class="parameter">randomdev</replaceable></term>
<listitem>
<para>
- Specifies the source of randomness. If the operating
- system does not provide a <filename>/dev/random</filename>
- or equivalent device, the default source of randomness
- is keyboard input. <filename>randomdev</filename>
- specifies
+ Specifies a source of randomness. Normally, when generating
+ DNSSEC keys, this option has no effect; the random number
+ generation function provided by the cryptographic library will
+ be used.
+ </para>
+ <para>
+ If that behavior is disabled at compile time, however,
+ the specified file will be used as entropy source
+ for key generation. <filename>randomdev</filename> is
the name of a character device or file containing random
- data to be used instead of the default. The special value
- <filename>keyboard</filename> indicates that keyboard
- input should be used.
+ data to be used. The special value <filename>keyboard</filename>
+ indicates that keyboard input should be used.
+ </para>
+ <para>
+ The default is <filename>/dev/random</filename> if the
+ operating system provides it or an equivalent device;
+ if not, the default source of randomness is keyboard input.
</para>
</listitem>
</varlistentry>
diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c
index 4ea9eaf..5dd9475 100644
--- a/bin/dnssec/dnssectool.c
+++ b/bin/dnssec/dnssectool.c
@@ -239,18 +239,16 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
ISC_LIST_INIT(sources);
}
+#ifdef ISC_PLATFORM_CRYPTORANDOM
+ if (randomfile == NULL) {
+ isc_entropy_usehook(*ectx, ISC_TRUE);
+ }
+#endif
if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) {
usekeyboard = ISC_ENTROPY_KEYBOARDYES;
randomfile = NULL;
}
-#ifdef ISC_PLATFORM_CRYPTORANDOM
- if (randomfile != NULL &&
- strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
- randomfile = NULL;
- isc_entropy_usehook(*ectx, ISC_TRUE);
- }
-#endif
result = isc_entropy_usebestsource(*ectx, &source, randomfile,
usekeyboard);
diff --git a/bin/named/client.c b/bin/named/client.c
index b9ebc93..20e5f39 100644
--- a/bin/named/client.c
+++ b/bin/named/client.c
@@ -1605,7 +1605,8 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message,
isc_buffer_init(&buf, cookie, sizeof(cookie));
isc_stdtime_get(&now);
- isc_random_get(&nonce);
+ nonce = ((isc_rng_random(ns_g_server->rngctx) << 16) |
+ isc_rng_random(ns_g_server->rngctx));
compute_cookie(client, now, nonce, ns_g_server->secret, &buf);
diff --git a/bin/named/config.c b/bin/named/config.c
index c50f759..c1e72ef 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -92,7 +92,9 @@ options {\n\
# pid-file \"" NS_LOCALSTATEDIR "/run/named/named.pid\"; /* or /lwresd.pid */\n\
port 53;\n\
prefetch 2 9;\n"
-#ifdef PATH_RANDOMDEV
+#if defined(ISC_PLATFORM_CRYPTORANDOM)
+" random-device none;\n"
+#elif defined(PATH_RANDOMDEV)
" random-device \"" PATH_RANDOMDEV "\";\n"
#endif
" recursing-file \"named.recursing\";\n\
diff --git a/bin/named/controlconf.c b/bin/named/controlconf.c
index 237e8dc..b905475 100644
--- a/bin/named/controlconf.c
+++ b/bin/named/controlconf.c
@@ -322,9 +322,10 @@ log_invalid(isccc_ccmsg_t *ccmsg, isc_result_t result) {
static void
control_recvmessage(isc_task_t *task, isc_event_t *event) {
- controlconnection_t *conn;
- controllistener_t *listener;
- controlkey_t *key;
+ controlconnection_t *conn = NULL;
+ controllistener_t *listener = NULL;
+ ns_server_t *server = NULL;
+ controlkey_t *key = NULL;
isccc_sexpr_t *request = NULL;
isccc_sexpr_t *response = NULL;
isc_uint32_t algorithm;
@@ -335,16 +336,17 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
isc_buffer_t *text;
isc_result_t result;
isc_result_t eresult;
- isccc_sexpr_t *_ctrl;
+ isccc_sexpr_t *_ctrl = NULL;
isccc_time_t sent;
isccc_time_t exp;
isc_uint32_t nonce;
- isccc_sexpr_t *data;
+ isccc_sexpr_t *data = NULL;
REQUIRE(event->ev_type == ISCCC_EVENT_CCMSG);
conn = event->ev_arg;
listener = conn->listener;
+ server = listener->controls->server;
algorithm = DST_ALG_UNKNOWN;
secret.rstart = NULL;
text = NULL;
@@ -455,8 +457,11 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
* Establish nonce.
*/
if (conn->nonce == 0) {
- while (conn->nonce == 0)
- isc_random_get(&conn->nonce);
+ while (conn->nonce == 0) {
+ isc_uint16_t r1 = isc_rng_random(server->rngctx);
+ isc_uint16_t r2 = isc_rng_random(server->rngctx);
+ conn->nonce = (r1 << 16) | r2;
+ }
eresult = ISC_R_SUCCESS;
} else
eresult = ns_control_docommand(request, listener->readonly, &text);
diff --git a/bin/named/include/named/server.h b/bin/named/include/named/server.h
index d8179a6..e03d24d 100644
--- a/bin/named/include/named/server.h
+++ b/bin/named/include/named/server.h
@@ -17,6 +17,7 @@
#include <isc/log.h>
#include <isc/magic.h>
#include <isc/quota.h>
+#include <isc/random.h>
#include <isc/sockaddr.h>
#include <isc/types.h>
#include <isc/xml.h>
@@ -131,6 +132,7 @@ struct ns_server {
char * lockfile;
isc_uint16_t transfer_tcp_message_size;
+ isc_rng_t * rngctx;
};
struct ns_altsecret {
diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c
index d8c7188..50f924e 100644
--- a/bin/named/interfacemgr.c
+++ b/bin/named/interfacemgr.c
@@ -15,6 +15,7 @@
#include <isc/interfaceiter.h>
#include <isc/os.h>
+#include <isc/random.h>
#include <isc/string.h>
#include <isc/task.h>
#include <isc/util.h>
diff --git a/bin/named/query.c b/bin/named/query.c
index accbf3b..d89622d 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -18,6 +18,7 @@
#include <isc/hex.h>
#include <isc/mem.h>
#include <isc/print.h>
+#include <isc/random.h>
#include <isc/rwlock.h>
#include <isc/serial.h>
#include <isc/stats.h>
diff --git a/bin/named/server.c b/bin/named/server.c
index ca789e5..1413e85 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -8076,21 +8076,30 @@ load_configuration(const char *filename, ns_server_t *server,
* Open the source of entropy.
*/
if (first_time) {
+ const char *randomdev = NULL;
+ int level = ISC_LOG_ERROR;
obj = NULL;
result = ns_config_get(maps, "random-device", &obj);
- if (result != ISC_R_SUCCESS) {
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_SERVER, ISC_LOG_INFO,
- "no source of entropy found");
- } else {
- const char *randomdev = cfg_obj_asstring(obj);
+ if (result == ISC_R_SUCCESS) {
+ if (!cfg_obj_isvoid(obj)) {
+ level = ISC_LOG_INFO;
+ randomdev = cfg_obj_asstring(obj);
+ }
+ }
+ if (randomdev == NULL) {
#ifdef ISC_PLATFORM_CRYPTORANDOM
- if (strcmp(randomdev, ISC_PLATFORM_CRYPTORANDOM) == 0)
- isc_entropy_usehook(ns_g_entropy, ISC_TRUE);
+ isc_entropy_usehook(ns_g_entropy, ISC_TRUE);
#else
- int level = ISC_LOG_ERROR;
- result = isc_entropy_createfilesource(ns_g_entropy,
- randomdev);
+ if ((obj != NULL) && !cfg_obj_isvoid(obj))
+ level = ISC_LOG_INFO;
+ isc_log_write(named_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, level,
+ "no source of entropy found");
+ if ((obj == NULL) || cfg_obj_isvoid(obj)) {
+ CHECK(ISC_R_FAILURE);
+ }
+#endif
+ } else {
#ifdef PATH_RANDOMDEV
if (ns_g_fallbackentropy != NULL) {
level = ISC_LOG_INFO;
@@ -8101,8 +8110,8 @@ load_configuration(const char *filename, ns_server_t *server,
NS_LOGCATEGORY_GENERAL,
NS_LOGMODULE_SERVER,
level,
- "could not open entropy source "
- "%s: %s",
+ "could not open "
+ "entropy source %s: %s",
randomdev,
isc_result_totext(result));
}
@@ -8122,7 +8131,6 @@ load_configuration(const char *filename, ns_server_t *server,
}
isc_entropy_detach(&ns_g_fallbackentropy);
}
-#endif
#endif
}
}
@@ -8911,6 +8919,9 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
CHECKFATAL(dns_tkeyctx_create(ns_g_mctx, ns_g_entropy,
&server->tkeyctx),
"creating TKEY context");
+ server->rngctx = NULL;
+ CHECKFATAL(isc_rng_create(ns_g_mctx, ns_g_entropy, &server->rngctx),
+ "creating random numbers context");
/*
* Setup the server task, which is responsible for coordinating
@@ -9117,7 +9128,8 @@ ns_server_destroy(ns_server_t **serverp) {
if (server->zonemgr != NULL)
dns_zonemgr_detach(&server->zonemgr);
-
+ if (server->rngctx != NULL)
+ isc_rng_detach(&server->rngctx);
if (server->tkeyctx != NULL)
dns_tkeyctx_destroy(&server->tkeyctx);
@@ -13018,10 +13030,10 @@ newzone_cfgctx_destroy(void **cfgp) {
static isc_result_t
generate_salt(unsigned char *salt, size_t saltlen) {
- int i, n;
+ size_t i, n;
union {
unsigned char rnd[256];
- isc_uint32_t rnd32[64];
+ isc_uint16_t rnd16[128];
} rnd;
unsigned char text[512 + 1];
isc_region_t r;
@@ -13031,9 +13043,10 @@ generate_salt(unsigned char *salt, size_t saltlen) {
if (saltlen > 256U)
return (ISC_R_RANGE);
- n = (int) (saltlen + sizeof(isc_uint32_t) - 1) / sizeof(isc_uint32_t);
- for (i = 0; i < n; i++)
- isc_random_get(&rnd.rnd32[i]);
+ n = (saltlen + sizeof(isc_uint16_t) - 1) / sizeof(isc_uint16_t);
+ for (i = 0; i < n; i++) {
+ rnd.rnd16[i] = isc_rng_random(ns_g_server->rngctx);
+ }
memmove(salt, rnd.rnd, saltlen);
diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
index 46c7acf..a0d0278 100644
--- a/bin/nsupdate/nsupdate.c
+++ b/bin/nsupdate/nsupdate.c
@@ -281,9 +281,7 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
}
#ifdef ISC_PLATFORM_CRYPTORANDOM
- if (randomfile != NULL &&
- strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
- randomfile = NULL;
+ if (randomfile == NULL) {
isc_entropy_usehook(*ectx, ISC_TRUE);
}
#endif
diff --git a/bin/tests/system/pipelined/pipequeries.c b/bin/tests/system/pipelined/pipequeries.c
index 810d99e..d7d10e2 100644
--- a/bin/tests/system/pipelined/pipequeries.c
+++ b/bin/tests/system/pipelined/pipequeries.c
@@ -279,9 +279,7 @@ main(int argc, char *argv[]) {
ectx = NULL;
RUNCHECK(isc_entropy_create(mctx, &ectx));
#ifdef ISC_PLATFORM_CRYPTORANDOM
- if (randomfile != NULL &&
- strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
- randomfile = NULL;
+ if (randomfile == NULL) {
isc_entropy_usehook(ectx, ISC_TRUE);
}
#endif
diff --git a/bin/tests/system/tkey/keycreate.c b/bin/tests/system/tkey/keycreate.c
index 4f2f5b4..0894db7 100644
--- a/bin/tests/system/tkey/keycreate.c
+++ b/bin/tests/system/tkey/keycreate.c
@@ -255,9 +255,7 @@ main(int argc, char *argv[]) {
ectx = NULL;
RUNCHECK(isc_entropy_create(mctx, &ectx));
#ifdef ISC_PLATFORM_CRYPTORANDOM
- if (randomfile != NULL &&
- strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
- randomfile = NULL;
+ if (randomfile == NULL) {
isc_entropy_usehook(ectx, ISC_TRUE);
}
#endif
diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c
index 0975bbe..5b8a470 100644
--- a/bin/tests/system/tkey/keydelete.c
+++ b/bin/tests/system/tkey/keydelete.c
@@ -182,9 +182,7 @@ main(int argc, char **argv) {
ectx = NULL;
RUNCHECK(isc_entropy_create(mctx, &ectx));
#ifdef ISC_PLATFORM_CRYPTORANDOM
- if (randomfile != NULL &&
- strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
- randomfile = NULL;
+ if (randomfile == NULL) {
isc_entropy_usehook(ectx, ISC_TRUE);
}
#endif
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index a5d9e2e..2a96f71 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -5070,22 +5070,45 @@ badresp:1,adberr:0,findfail:0,valfail:0]
<term><command>random-device</command></term>
<listitem>
<para>
- The source of entropy to be used by the server. Entropy is
- primarily needed
- for DNSSEC operations, such as TKEY transactions and dynamic
- update of signed
- zones. This options specifies the device (or file) from which
- to read
- entropy. If this is a file, operations requiring entropy will
- fail when the
- file has been exhausted. If not specified, the default value
- is
- <filename>/dev/random</filename>
- (or equivalent) when present, and none otherwise. The
- <command>random-device</command> option takes
- effect during
- the initial configuration load at server startup time and
- is ignored on subsequent reloads.
+ Specifies a source of entropy to be used by the server.
+ This is a device or file from which to read entropy.
+ If it is a file, operations requiring entropy
+ will fail when the file has been exhausted.
+ </para>
+ <para>
+ Entropy is needed for cryptographic operations such as
+ TKEY transactions, dynamic update of signed zones, and
+ generation of TSIG session keys. It is also used for
+ seeding and stirring the pseudo-random number generator,
+ which is used for less critical functions requiring
+ randomness such as generation of DNS message transaction
+ ID's.
+ </para>
+ <para>
+ If <command>random-device</command> is not specified, or
+ if it is set to <literal>none</literal>, entropy will be
+ read from the random number generation function supplied
+ by the cryptographic library with which BIND was linked
+ (i.e. OpenSSL or a PKCS#11 provider).
+ </para>
+ <para>
+ The <command>random-device</command> option takes
+ effect during the initial configuration load at server
+ startup time and is ignored on subsequent reloads.
+ </para>
+ <para>
+ If BIND is built with
+ <command>configure --disable-crypto-rand</command>, then
+ entropy is <emphasis>not</emphasis> sourced from the
+ cryptographic library. In this case, if
+ <command>random-device</command> is not specified, the
+ default value is the system random device,
+ <filename>/dev/random</filename> or the equivalent.
+ This default can be overridden with
+ <command>configure --with-randomdev</command>.
+ If no system random device exists, then no entropy source
+ will be configured, and <command>named</command> will only
+ be able to use pseudo-random numbers.
</para>
</listitem>
</varlistentry>
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index d3fdb5e..a8ad92d 100644
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -105,7 +105,28 @@
<itemizedlist>
<listitem>
<para>
- None.
+ By default, BIND now uses the random number generation functions
+ in the cryptographic library (i.e., OpenSSL or a PKCS#11
+ provider) as a source of high-quality randomness rather than
+ <filename>/dev/random</filename>. This is suitable for virtual
+ machine environments, which may have limited entropy pools and
+ lack hardware random number generators.
+ </para>
+ <para>
+ This can be overridden by specifying another entropy source via
+ the <command>random-device</command> option in
+ <filename>named.conf</filename>, or via the <command>-r</command>
+ command line option. However, for functions requiring full
+ cryptographic strength, such as DNSSEC key generation, this
+ <emphasis>cannot</emphasis> be overridden. In particular, the
+ <command>-r</command> command line option no longer has any
+ effect on <command>dnssec-keygen</command>.
+ </para>
+ <para>
+ This can be disabled by building with
+ <command>configure --disable-crypto-rand</command>, in which
+ case <filename>/dev/random</filename> will be the default
+ entropy source. [RT #31459] [RT #46047]
</para>
</listitem>
</itemizedlist>
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index 803e7b3..29a4fef 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -276,8 +276,9 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
#endif
#if defined(OPENSSL) || defined(PKCS11CRYPTO)
#ifdef ISC_PLATFORM_CRYPTORANDOM
- if (dst_entropy_pool != NULL)
+ if (dst_entropy_pool != NULL) {
isc_entropy_sethook(dst_random_getdata);
+ }
#endif
#endif /* defined(OPENSSL) || defined(PKCS11CRYPTO) */
dst_initialized = ISC_TRUE;
@@ -2015,10 +2016,12 @@ dst__entropy_getdata(void *buf, unsigned int len, isc_boolean_t pseudo) {
else
flags |= ISC_ENTROPY_BLOCKING;
#ifdef ISC_PLATFORM_CRYPTORANDOM
+ /* get entropy directly from crypto provider */
return (dst_random_getdata(buf, len, NULL, flags));
#else
+ /* get entropy from entropy source or hook function */
return (isc_entropy_getdata(dst_entropy_pool, buf, len, NULL, flags));
-#endif
+#endif /* ISC_PLATFORM_CRYPTORANDOM */
#endif /* PKCS11CRYPTO */
}
diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
index d9b6ab6..e8c1a3c 100644
--- a/lib/dns/include/dst/dst.h
+++ b/lib/dns/include/dst/dst.h
@@ -161,8 +161,18 @@ isc_result_t
dst_random_getdata(void *data, unsigned int length,
unsigned int *returned, unsigned int flags);
/*%<
- * \brief Return data from the crypto random generator.
- * Specialization of isc_entropy_getdata().
+ * Gets random data from the random generator provided by the
+ * crypto library, if BIND was built with --enable-crypto-rand.
+ *
+ * See isc_entropy_getdata() for parameter usage. Normally when
+ * this function is available, it will be set up as a hook in the
+ * entropy context, so that isc_entropy_getdata() is a front-end to
+ * this function.
+ *
+ * Returns:
+ * \li ISC_R_SUCCESS on success
+ * \li ISC_R_NOTIMPLEMENTED if BIND is built with --disable-crypto-rand
+ * \li DST_R_OPENSSLFAILURE, DST_R_CRYPTOFAILURE, or other codes on error
*/
isc_boolean_t
diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
index c1e1bde..91e87d0 100644
--- a/lib/dns/openssl_link.c
+++ b/lib/dns/openssl_link.c
@@ -482,7 +482,8 @@ dst__openssl_getengine(const char *engine) {
isc_result_t
dst_random_getdata(void *data, unsigned int length,
- unsigned int *returned, unsigned int flags) {
+ unsigned int *returned, unsigned int flags)
+{
#ifdef ISC_PLATFORM_CRYPTORANDOM
#ifndef DONT_REQUIRE_DST_LIB_INIT
INSIST(dst__memory_pool != NULL);
diff --git a/lib/isc/include/isc/entropy.h b/lib/isc/include/isc/entropy.h
index d9deb8a..2d37363 100644
--- a/lib/isc/include/isc/entropy.h
+++ b/lib/isc/include/isc/entropy.h
@@ -9,8 +9,6 @@
* information regarding copyright ownership.
*/
-/* $Id: entropy.h,v 1.35 2009/10/19 02:37:08 marka Exp $ */
-
#ifndef ISC_ENTROPY_H
#define ISC_ENTROPY_H 1
@@ -190,9 +188,8 @@ isc_entropy_createcallbacksource(isc_entropy_t *ent,
/*!<
* \brief Create an entropy source that is polled via a callback.
*
- * This would
- * be used when keyboard input is used, or a GUI input method. It can
- * also be used to hook in any external entropy source.
+ * This would be used when keyboard input is used, or a GUI input method.
+ * It can also be used to hook in any external entropy source.
*
* Samples are added via isc_entropy_addcallbacksample(), below.
* _addcallbacksample() is the only function which may be called from
@@ -233,15 +230,32 @@ isc_result_t
isc_entropy_getdata(isc_entropy_t *ent, void *data, unsigned int length,
unsigned int *returned, unsigned int flags);
/*!<
- * \brief Extract data from the entropy pool. This may load the pool from various
- * sources.
+ * \brief Get random data from entropy pool 'ent'.
+ *
+ * If a hook has been set up using isc_entropy_sethook() and
+ * isc_entropy_usehook(), then the hook function will be called to get
+ * random data.
+ *
+ * Otherwise, randomness is extracted from the entropy pool set up in BIND.
+ * This may cause the pool to be loaded from various sources. Ths is done
+ * by stirring the pool and returning a part of hash as randomness.
+ * (Note that no secrets are given away here since parts of the hash are
+ * XORed together before returning.)
+ *
+ * 'flags' may contain ISC_ENTROPY_GOODONLY, ISC_ENTROPY_PARTIAL, or
+ * ISC_ENTROPY_BLOCKING. These will be honored if the hook function is
+ * not in use. If it is, the flags will be passed to the hook function
+ * but it may ignore them.
*
- * Do this by stiring the pool and returning a part of hash as randomness.
- * Note that no secrets are given away here since parts of the hash are
- * xored together before returned.
+ * Up to 'length' bytes of randomness are retrieved and copied into 'data'.
+ * (If 'returned' is not NULL, and the number of bytes copied is less than
+ * 'length' - which may happen if ISC_ENTROPY_PARTIAL was used - then the
+ * number of bytes copied will be stored in *returned.)
*
- * Honor the request from the caller to only return good data, any data,
- * etc.
+ * Returns:
+ * \li ISC_R_SUCCESS on success
+ * \li ISC_R_NOENTROPY if entropy pool is empty
+ * \li other error codes are possible when a hook is in use
*/
void
@@ -306,13 +320,21 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source,
void
isc_entropy_usehook(isc_entropy_t *ectx, isc_boolean_t onoff);
/*!<
- * \brief Mark/unmark the given entropy structure as being hooked.
+ * \brief Configure entropy context 'ectx' to use the hook function
+ *
+ * Sets the entropy context to call the hook function for random number
+ * generation, if such a function has been configured via
+ * isc_entropy_sethook(), whenever isc_entropy_getdata() is called.
*/
void
isc_entropy_sethook(isc_entropy_getdata_t myhook);
/*!<
- * \brief Set the getdata hook (e.g., for a crypto random generator).
+ * \brief Set the hook function.
+ *
+ * The hook function is a global value: only one hook function
+ * can be set in the system. Individual entropy contexts may be
+ * configured to use it, or not, by calling isc_entropy_usehook().
*/
ISC_LANG_ENDDECLS
diff --git a/lib/isc/include/isc/random.h b/lib/isc/include/isc/random.h
index ba53ebf..b575728 100644
--- a/lib/isc/include/isc/random.h
+++ b/lib/isc/include/isc/random.h
@@ -9,8 +9,6 @@
* information regarding copyright ownership.
*/
-/* $Id: random.h,v 1.20 2009/01/17 23:47:43 tbox Exp $ */
-
#ifndef ISC_RANDOM_H
#define ISC_RANDOM_H 1
@@ -21,13 +19,23 @@
#include <isc/mutex.h>
/*! \file isc/random.h
- * \brief Implements a random state pool which will let the caller return a
- * series of possibly non-reproducible random values.
+ * \brief Implements pseudo random number generators.
+ *
+ * Two pseudo-random number generators are implemented, in isc_random_*
+ * and isc_rng_*. Neither one is very strong; they should not be used
+ * in cryptography functions.
+ *
+ * isc_random_* is based on arc4random if it is available on the system.
+ * Otherwise it is based on the posix srand() and rand() functions.
+ * It is useful for jittering values a bit here and there, such as
+ * timeouts, etc, but should not be relied upon to generate
+ * unpredictable sequences (for example, when choosing transaction IDs).
*
- * Note that the
- * strength of these numbers is not all that high, and should not be
- * used in cryptography functions. It is useful for jittering values
- * a bit here and there, such as timeouts, etc.
+ * isc_rng_* is based on ChaCha20, and is seeded and stirred from the
+ * system entropy source. It is stronger than isc_random_* and can
+ * be used for generating unpredictable sequences. It is still not as
+ * good as using system entropy directly (see entropy.h) and should not
+ * be used for cryptographic functions such as key generation.
*/
ISC_LANG_BEGINDECLS
@@ -115,8 +123,8 @@ isc_rng_random(isc_rng_t *rngctx);
isc_uint16_t
isc_rng_uniformrandom(isc_rng_t *rngctx, isc_uint16_t upper_bound);
/*%<
- * Returns a uniformly distributed pseudo random 16-bit unsigned
- * integer.
+ * Returns a uniformly distributed pseudo-random 16-bit unsigned integer
+ * less than 'upper_bound'.
*/
ISC_LANG_ENDDECLS
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index 8d496ff..dd08187 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -1106,7 +1106,7 @@ options_clauses[] = {
{ "pid-file", &cfg_type_qstringornone, 0 },
{ "port", &cfg_type_uint32, 0 },
{ "querylog", &cfg_type_boolean, 0 },
- { "random-device", &cfg_type_qstring, 0 },
+ { "random-device", &cfg_type_qstringornone, 0 },
{ "recursing-file", &cfg_type_qstring, 0 },
{ "recursive-clients", &cfg_type_uint32, 0 },
{ "reserved-sockets", &cfg_type_uint32, 0 },
--
2.14.4

BIN
bind-9.11.4-P2.tar.gz Normal file
View File

Binary file not shown.

63
bind-9.3.1rc1-sdb_tools-Makefile.in Normal file
View File

@ -0,0 +1,63 @@
srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@
CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include \
${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \
${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES}
CDEFINES = -DBIND9
DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
ISCCCLIBS = ../../lib/isccc/libisccc.@A@
ISCLIBS = ../../lib/isc/libisc.@A@
LWRESLIBS = ../../lib/lwres/liblwres.@A@
BIND9LIBS = ../../lib/bind9/libbind9.@A@
DNSDEPLIBS = ../../lib/dns/libdns.@A@
ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
ISCCCDEPLIBS = ../../lib/isccc/libisccc.@A@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
LWRESDEPLIBS = ../../lib/lwres/liblwres.@A@
BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${ISCDEPLIBS}
LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} ${DBDRIVER_LIBS} @LIBS@
TARGETS = zone2ldap@EXEEXT@ zonetodb@EXEEXT@
OBJS = zone2ldap.@O@ zonetodb.@O@
SRCS = zone2ldap.c zonetodb.c
MANPAGES = zone2ldap.1
EXT_CFLAGS =
@BIND9_MAKE_RULES@
zone2ldap@EXEEXT@: zone2ldap.@O@ ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ zone2ldap.@O@ -lldap -llber ${LIBS}
zonetodb@EXEEXT@: zonetodb.@O@ ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ zonetodb.@O@ -lpq ${LIBS}
clean distclean manclean maintainer-clean::
rm -f ${TARGETS} ${OBJS}
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1
install:: ${TARGETS} installdirs
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2ldap@EXEEXT@ ${DESTDIR}${sbindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zonetodb@EXEEXT@ ${DESTDIR}${sbindir}
${INSTALL_DATA} ${srcdir}/zone2ldap.1 ${DESTDIR}${mandir}/man1/zone2ldap.1

519
bind-9.3.2b1-fix_sdb_ldap.patch Normal file
View File

@ -0,0 +1,519 @@
diff --git a/bin/sdb_tools/Makefile.in b/bin/sdb_tools/Makefile.in
index 95ab742..6069f09 100644
--- a/bin/sdb_tools/Makefile.in
+++ b/bin/sdb_tools/Makefile.in
@@ -32,11 +32,11 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} ${DBDRIVER_LIBS} @LIBS@
-TARGETS = zone2ldap@EXEEXT@ zonetodb@EXEEXT@ zone2sqlite@EXEEXT@
+TARGETS = zone2ldap@EXEEXT@ ldap2zone@EXEEXT@ zonetodb@EXEEXT@ zone2sqlite@EXEEXT@
-OBJS = zone2ldap.@O@ zonetodb.@O@ zone2sqlite.@O@
+OBJS = zone2ldap.@O@ ldap2zone.@O@ zonetodb.@O@ zone2sqlite.@O@
-SRCS = zone2ldap.c zonetodb.c zone2sqlite.c
+SRCS = zone2ldap.c ldap2zone.c zonetodb.c zone2sqlite.c
MANPAGES = zone2ldap.1
@@ -53,6 +53,9 @@ zonetodb@EXEEXT@: zonetodb.@O@ ${DEPLIBS}
zone2sqlite@EXEEXT@: zone2sqlite.@O@ ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ zone2sqlite.@O@ -lsqlite3 -lssl ${LIBS}
+ldap2zone@EXEEXT@: ldap2zone.@O@ ${DEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ ldap2zone.@O@ -lldap -llber ${LIBS}
+
clean distclean manclean maintainer-clean::
rm -f ${TARGETS} ${OBJS}
@@ -62,6 +65,7 @@ installdirs:
install:: ${TARGETS} installdirs
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2ldap@EXEEXT@ ${DESTDIR}${sbindir}
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} ldap2zone@EXEEXT@ ${DESTDIR}${sbindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zonetodb@EXEEXT@ ${DESTDIR}${sbindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2sqlite@EXEEXT@ ${DESTDIR}${sbindir}
${INSTALL_DATA} ${srcdir}/zone2ldap.1 ${DESTDIR}${mandir}/man1/zone2ldap.1
diff --git a/bin/sdb_tools/zone2ldap.c b/bin/sdb_tools/zone2ldap.c
index 23dd873..d56bc56 100644
--- a/bin/sdb_tools/zone2ldap.c
+++ b/bin/sdb_tools/zone2ldap.c
@@ -65,6 +66,9 @@ ldap_info;
/* usage Info */
void usage (void);
+/* Check for existence of (and possibly add) containing dNSZone objects */
+int lookup_dns_zones( ldap_info *ldinfo);
+
/* Add to the ldap dit */
void add_ldap_values (ldap_info * ldinfo);
@@ -81,7 +85,7 @@ char **hostname_to_dn_list (char *hostname, char *zone, unsigned int flags);
int get_attr_list_size (char **tmp);
/* Get a DN */
-char *build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag);
+char *build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag, char *zone);
/* Add to RR list */
void add_to_rr_list (char *dn, char *name, char *type, char *data,
@@ -103,11 +107,27 @@ void
init_ldap_conn ();
void usage();
-char *argzone, *ldapbase, *binddn, *bindpw = NULL;
-const char *ldapsystem = "localhost";
-static const char *objectClasses[] =
- { "top", "dNSZone", NULL };
-static const char *topObjectClasses[] = { "top", NULL };
+static char *argzone, *ldapbase, *binddn, *bindpw = NULL;
+
+/* these are needed to placate gcc4's const-ness const-ernations : */
+static char localhost[] = "localhost";
+static char *ldapsystem=&(localhost[0]);
+/* dnszone schema class names: */
+static char topClass [] ="top";
+static char dNSZoneClass[] ="dNSZone";
+static char objectClass [] ="objectClass";
+static char dcObjectClass[]="dcObject";
+/* dnszone schema attribute names: */
+static char relativeDomainName[]="relativeDomainName";
+static char dNSTTL []="dNSTTL";
+static char zoneName []="zoneName";
+static char dc []="dc";
+static char sameZone []="@";
+/* LDAPMod mod_values: */
+static char *objectClasses []= { &(topClass[0]), &(dNSZoneClass[0]), NULL };
+static char *topObjectClasses []= { &(topClass[0]), &(dcObjectClass[0]), &(dNSZoneClass[0]), NULL };
+static char *dn_buffer [64]={NULL};
+
LDAP *conn;
unsigned int debug = 0;
@@ -131,12 +151,12 @@ main (int argc, char **argv)
isc_result_t result;
char *basedn;
ldap_info *tmp;
- LDAPMod *base_attrs[2];
- LDAPMod base;
+ LDAPMod *base_attrs[5];
+ LDAPMod base, dcBase, znBase, rdnBase;
isc_buffer_t buff;
char *zonefile=0L;
char fullbasedn[1024];
- char *ctmp;
+ char *ctmp, *zn, *dcp[2], *znp[2], *rdn[2];
dns_fixedname_t fixedzone, fixedname;
dns_rdataset_t rdataset;
char **dc_list;
@@ -149,7 +169,7 @@ main (int argc, char **argv)
extern char *optarg;
extern int optind, opterr, optopt;
int create_base = 0;
- int topt;
+ int topt, dcn, zdn, znlen;
if (argc < 2)
{
@@ -157,7 +177,7 @@ main (int argc, char **argv)
exit (-1);
}
- while ((topt = getopt (argc, argv, "D:w:b:z:f:h:?dcv")) != -1)
+ while ((topt = getopt (argc, argv, "D:Ww:b:z:f:h:?dcv")) != -1)
{
switch (topt)
{
@@ -180,6 +200,9 @@ main (int argc, char **argv)
if (bindpw == NULL)
fatal("strdup");
break;
+ case 'W':
+ bindpw = getpass("Enter LDAP Password: ");
+ break;
case 'b':
ldapbase = strdup (optarg);
if (ldapbase == NULL)
@@ -301,27 +324,62 @@ main (int argc, char **argv)
{
if (debug)
printf ("Creating base zone DN %s\n", argzone);
-
+
dc_list = hostname_to_dn_list (argzone, argzone, DNS_TOP);
- basedn = build_dn_from_dc_list (dc_list, 0, NO_SPEC);
- for (ctmp = &basedn[strlen (basedn)]; ctmp >= &basedn[0]; ctmp--)
+ basedn = build_dn_from_dc_list (dc_list, 0, NO_SPEC, argzone);
+ if (debug)
+ printf ("base DN %s\n", basedn);
+
+ for (ctmp = &basedn[strlen (basedn)], dcn=0; ctmp >= &basedn[0]; ctmp--)
{
- if ((*ctmp == ',') || (ctmp == &basedn[0]))
+ if ((*ctmp == ',') || (ctmp == &basedn[0]))
{
+
base.mod_op = LDAP_MOD_ADD;
- base.mod_type = (char*)"objectClass";
- base.mod_values = (char**)topObjectClasses;
+ base.mod_type = objectClass;
+ base.mod_values = topObjectClasses;
base_attrs[0] = (void*)&base;
- base_attrs[1] = NULL;
-
+
+ dcBase.mod_op = LDAP_MOD_ADD;
+ dcBase.mod_type = dc;
+ dcp[0]=dc_list[dcn];
+ dcp[1]=0L;
+ dcBase.mod_values=dcp;
+ base_attrs[1] = (void*)&dcBase;
+
+ znBase.mod_op = LDAP_MOD_ADD;
+ znBase.mod_type = zoneName;
+ for( zdn = dcn, znlen = 0; zdn >= 0; zdn-- )
+ znlen += strlen(dc_list[zdn])+1;
+ znp[0] = (char*)malloc(znlen+1);
+ znp[1] = 0L;
+ for( zdn = dcn, zn=znp[0]; zdn >= 0; zdn-- )
+ zn+=sprintf(zn,"%s%s",dc_list[zdn],
+ ((zdn > 0) && (*(dc_list[zdn-1])!='.')) ? "." : ""
+ );
+
+ znBase.mod_values = znp;
+ base_attrs[2] = (void*)&znBase;
+
+ rdnBase.mod_op = LDAP_MOD_ADD;
+ rdnBase.mod_type = relativeDomainName;
+ rdn[0] = strdup(sameZone);
+ rdn[1] = 0L;
+ rdnBase.mod_values = rdn;
+ base_attrs[3] = (void*)&rdnBase;
+
+ dcn++;
+
+ base.mod_values = topObjectClasses;
+ base_attrs[4] = NULL;
+
if (ldapbase)
{
if (ctmp != &basedn[0])
sprintf (fullbasedn, "%s,%s", ctmp + 1, ldapbase);
else
- sprintf (fullbasedn, "%s,%s", ctmp, ldapbase);
-
+ sprintf (fullbasedn, "%s,%s", ctmp, ldapbase);
}
else
{
@@ -330,8 +388,13 @@ main (int argc, char **argv)
else
sprintf (fullbasedn, "%s", ctmp);
}
+
+ if( debug )
+ printf("Full base dn: %s\n", fullbasedn);
+
result = ldap_add_s (conn, fullbasedn, base_attrs);
ldap_result_check ("intial ldap_add_s", fullbasedn, result);
+
}
}
@@ -409,14 +472,14 @@ generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, unsigned int ttl)
isc_result_check (result, "dns_rdata_totext");
data[isc_buffer_usedlength (&buff)] = 0;
- dc_list = hostname_to_dn_list (name, argzone, DNS_OBJECT);
+ dc_list = hostname_to_dn_list ((char*)name, argzone, DNS_OBJECT);
len = (get_attr_list_size (dc_list) - 2);
- dn = build_dn_from_dc_list (dc_list, ttl, WI_SPEC);
+ dn = build_dn_from_dc_list (dc_list, ttl, WI_SPEC, argzone);
if (debug)
printf ("Adding %s (%s %s) to run queue list.\n", dn, type, data);
- add_to_rr_list (dn, dc_list[len], type, data, ttl, DNS_OBJECT);
+ add_to_rr_list (dn, dc_list[len], (char*)type, (char*)data, ttl, DNS_OBJECT);
}
@@ -456,7 +519,8 @@ add_to_rr_list (char *dn, char *name, char *type,
int attrlist;
char ldap_type_buffer[128];
char charttl[64];
-
+ char *zn;
+ int znlen;
if ((tmp = locate_by_dn (dn)) == NULL)
{
@@ -483,13 +547,13 @@ add_to_rr_list (char *dn, char *name, char *type,
fatal("malloc");
}
tmp->attrs[0]->mod_op = LDAP_MOD_ADD;
- tmp->attrs[0]->mod_type = (char*)"objectClass";
+ tmp->attrs[0]->mod_type = objectClass;
if (flags == DNS_OBJECT)
- tmp->attrs[0]->mod_values = (char**)objectClasses;
+ tmp->attrs[0]->mod_values = objectClasses;
else
{
- tmp->attrs[0]->mod_values = (char**)topObjectClasses;
+ tmp->attrs[0]->mod_values =topObjectClasses;
tmp->attrs[1] = NULL;
tmp->attrcnt = 2;
tmp->next = ldap_info_base;
@@ -498,7 +562,7 @@ add_to_rr_list (char *dn, char *name, char *type,
}
tmp->attrs[1]->mod_op = LDAP_MOD_ADD;
- tmp->attrs[1]->mod_type = (char*)"relativeDomainName";
+ tmp->attrs[1]->mod_type = relativeDomainName;
tmp->attrs[1]->mod_values = (char **) calloc (sizeof (char *), 2);
if (tmp->attrs[1]->mod_values == (char **)NULL)
@@ -527,7 +591,7 @@ add_to_rr_list (char *dn, char *name, char *type,
fatal("strdup");
tmp->attrs[3]->mod_op = LDAP_MOD_ADD;
- tmp->attrs[3]->mod_type = (char*)"dNSTTL";
+ tmp->attrs[3]->mod_type = dNSTTL;
tmp->attrs[3]->mod_values = (char **) calloc (sizeof (char *), 2);
if (tmp->attrs[3]->mod_values == (char **)NULL)
@@ -540,14 +604,25 @@ add_to_rr_list (char *dn, char *name, char *type,
if (tmp->attrs[3]->mod_values[0] == NULL)
fatal("strdup");
+ znlen=strlen(gbl_zone);
+ if ( *(gbl_zone + (znlen-1)) == '.' )
+ { /* ldapdb MUST search by relative zone name */
+ zn = (char*)malloc(znlen);
+ strncpy(zn,gbl_zone,znlen-1);
+ *(zn + (znlen-1))='\0';
+ }else
+ {
+ zn = gbl_zone;
+ }
+
tmp->attrs[4]->mod_op = LDAP_MOD_ADD;
- tmp->attrs[4]->mod_type = (char*)"zoneName";
+ tmp->attrs[4]->mod_type = zoneName;
tmp->attrs[4]->mod_values = (char **)calloc(sizeof(char *), 2);
if (tmp->attrs[4]->mod_values == (char **)NULL)
fatal("calloc");
- tmp->attrs[4]->mod_values[0] = gbl_zone;
+ tmp->attrs[4]->mod_values[0] = zn;
tmp->attrs[4]->mod_values[1] = NULL;
tmp->attrs[5] = NULL;
@@ -558,7 +633,7 @@ add_to_rr_list (char *dn, char *name, char *type,
else
{
- for (i = 0; tmp->attrs[i] != NULL; i++)
+ for (i = 0; tmp->attrs[i] != NULL; i++)
{
sprintf (ldap_type_buffer, "%sRecord", type);
if (!strncmp
@@ -632,44 +707,70 @@ char **
hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
{
char *tmp;
- static char *dn_buffer[64];
int i = 0;
- char *zname;
- char *hnamebuff;
-
- zname = strdup (hostname);
- if (zname == NULL)
- fatal("strdup");
-
- if (flags == DNS_OBJECT)
- {
-
- if (strlen (zname) != strlen (zone))
- {
- tmp = &zname[strlen (zname) - strlen (zone)];
- *--tmp = '\0';
- hnamebuff = strdup (zname);
- if (hnamebuff == NULL)
- fatal("strdup");
- zname = ++tmp;
- }
- else
- hnamebuff = (char*)"@";
- }
- else
- {
- zname = zone;
- hnamebuff = NULL;
- }
-
- for (tmp = strrchr (zname, '.'); tmp != (char *) 0;
- tmp = strrchr (zname, '.'))
- {
- *tmp++ = '\0';
- dn_buffer[i++] = tmp;
- }
- dn_buffer[i++] = zname;
- dn_buffer[i++] = hnamebuff;
+ char *hname=0L, *last=0L;
+ int hlen=strlen(hostname), zlen=(strlen(zone));
+
+/* printf("hostname: %s zone: %s\n",hostname, zone); */
+ hname=0L;
+ if(flags == DNS_OBJECT)
+ {
+ if( (zone[ zlen - 1 ] == '.') && (hostname[hlen - 1] != '.') )
+ {
+ hname=(char*)malloc(hlen + 1);
+ hlen += 1;
+ sprintf(hname, "%s.", hostname);
+ hostname = hname;
+ }
+ if(strcmp(hostname, zone) == 0)
+ {
+ if( hname == 0 )
+ hname=strdup(hostname);
+ last = strdup(sameZone);
+ }else
+ {
+ if( (hlen < zlen)
+ ||( strcmp( hostname + (hlen - zlen), zone ) != 0)
+ )
+ {
+ if( hname != 0 )
+ free(hname);
+ hname=(char*)malloc( hlen + zlen + 1);
+ if( *zone == '.' )
+ sprintf(hname, "%s%s", hostname, zone);
+ else
+ sprintf(hname,"%s",zone);
+ }else
+ {
+ if( hname == 0 )
+ hname = strdup(hostname);
+ }
+ last = hname;
+ }
+ }else
+ { /* flags == DNS_TOP */
+ hname = strdup(zone);
+ last = hname;
+ }
+
+ for (tmp = strrchr (hname, '.'); tmp != (char *) 0;
+ tmp = strrchr (hname, '.'))
+ {
+ if( *( tmp + 1 ) != '\0' )
+ {
+ *tmp = '\0';
+ dn_buffer[i++] = ++tmp;
+ }else
+ { /* trailing '.' ! */
+ dn_buffer[i++] = strdup(".");
+ *tmp = '\0';
+ if( tmp == hname )
+ break;
+ }
+ }
+ if( ( last != hname ) && (tmp != hname) )
+ dn_buffer[i++] = hname;
+ dn_buffer[i++] = last;
dn_buffer[i] = NULL;
return dn_buffer;
@@ -681,24 +782,32 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
* exception of "@"/SOA. */
char *
-build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag)
+build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag, char *zone)
{
int size;
- int x;
+ int x, znlen;
static char dn[1024];
char tmp[128];
+ char zn[DNS_NAME_MAXTEXT+1];
bzero (tmp, sizeof (tmp));
bzero (dn, sizeof (dn));
size = get_attr_list_size (dc_list);
+ znlen = strlen(zone);
+ if ( *(zone + (znlen-1)) == '.' )
+ { /* ldapdb MUST search by relative zone name */
+ memcpy(&(zn[0]),zone,znlen-1);
+ *(zn + (znlen-1))='\0';
+ zone = zn;
+ }
for (x = size - 2; x > 0; x--)
{
if (flag == WI_SPEC)
{
if (x == (size - 2) && (strncmp (dc_list[x], "@", 1) == 0) && (ttl))
- sprintf (tmp, "relativeDomainName=%s + dNSTTL=%d,", dc_list[x], ttl);
+ sprintf (tmp, "zoneName=%s + relativeDomainName=%s,", zone, dc_list[x]);
else if (x == (size - 2))
- sprintf(tmp, "relativeDomainName=%s,",dc_list[x]);
+ sprintf(tmp, "zoneName=%s + relativeDomainName=%s,", zone, dc_list[x]);
else
sprintf(tmp,"dc=%s,", dc_list[x]);
}
@@ -724,6 +833,7 @@ void
init_ldap_conn ()
{
int result;
+ char ldb_tag[]="LDAP Bind";
conn = ldap_open (ldapsystem, LDAP_PORT);
if (conn == NULL)
{
@@ -733,7 +843,7 @@ init_ldap_conn ()
}
result = ldap_simple_bind_s (conn, binddn, bindpw);
- ldap_result_check ("ldap_simple_bind_s", (char*)"LDAP Bind", result);
+ ldap_result_check ("ldap_simple_bind_s", ldb_tag , result);
}
/* Like isc_result_check, only for LDAP */
@@ -750,8 +860,6 @@ ldap_result_check (const char *msg, char *dn, int err)
}
}
-
-
/* For running the ldap_info run queue. */
void
add_ldap_values (ldap_info * ldinfo)
@@ -759,14 +867,14 @@ add_ldap_values (ldap_info * ldinfo)
int result;
char dnbuffer[1024];
-
if (ldapbase != NULL)
sprintf (dnbuffer, "%s,%s", ldinfo->dn, ldapbase);
else
sprintf (dnbuffer, "%s", ldinfo->dn);
result = ldap_add_s (conn, dnbuffer, ldinfo->attrs);
- ldap_result_check ("ldap_add_s", dnbuffer, result);
+ ldap_result_check ("ldap_add_s", dnbuffer, result);
+
}
@@ -777,5 +885,5 @@ void
usage ()
{
fprintf (stderr,
- "zone2ldap -D [BIND DN] -w [BIND PASSWORD] -b [BASE DN] -z [ZONE] -f [ZONE FILE] -h [LDAP HOST] "
+ "zone2ldap -D [BIND DN] [-w BIND PASSWORD | -W:prompt] -b [BASE DN] -z [ZONE] -f [ZONE FILE] -h [LDAP HOST] "
"[-c Create LDAP Base structure][-d Debug Output (lots !)] \n ");}

230
bind-9.3.2b2-sdbsrc.patch Normal file
View File

@ -0,0 +1,230 @@
diff --git a/contrib/sdb/bdb/bdb.c b/contrib/sdb/bdb/bdb.c
index 23594bb..b3c6619 100644
--- a/contrib/sdb/bdb/bdb.c
+++ b/contrib/sdb/bdb/bdb.c
@@ -43,7 +43,7 @@
#include <dns/lib.h>
#include <dns/ttl.h>
-#include <named/bdb.h>
+#include "bdb.h"
#include <named/globals.h>
#include <named/config.h>
diff --git a/contrib/sdb/ldap/zone2ldap.c b/contrib/sdb/ldap/zone2ldap.c
index 07c89bc..23dd873 100644
--- a/contrib/sdb/ldap/zone2ldap.c
+++ b/contrib/sdb/ldap/zone2ldap.c
@@ -63,16 +63,16 @@ typedef struct LDAP_INFO
ldap_info;
/* usage Info */
-void usage ();
+void usage (void);
/* Add to the ldap dit */
void add_ldap_values (ldap_info * ldinfo);
/* Init an ldap connection */
-void init_ldap_conn ();
+void init_ldap_conn (void);
/* Ldap error checking */
-void ldap_result_check (char *msg, char *dn, int err);
+void ldap_result_check (const char *msg, char *dn, int err);
/* Put a hostname into a char ** array */
char **hostname_to_dn_list (char *hostname, char *zone, unsigned int flags);
@@ -88,7 +88,7 @@ void add_to_rr_list (char *dn, char *name, char *type, char *data,
unsigned int ttl, unsigned int flags);
/* Error checking */
-void isc_result_check (isc_result_t res, char *errorstr);
+void isc_result_check (isc_result_t res, const char *errorstr);
/* Generate LDIF Format files */
void generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata,
@@ -97,11 +97,17 @@ void generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata,
/* head pointer to the list */
ldap_info *ldap_info_base = NULL;
+ldap_info *
+locate_by_dn (char *dn);
+void
+init_ldap_conn ();
+void usage();
+
char *argzone, *ldapbase, *binddn, *bindpw = NULL;
-char *ldapsystem = "localhost";
-static char *objectClasses[] =
+const char *ldapsystem = "localhost";
+static const char *objectClasses[] =
{ "top", "dNSZone", NULL };
-static char *topObjectClasses[] = { "top", NULL };
+static const char *topObjectClasses[] = { "top", NULL };
LDAP *conn;
unsigned int debug = 0;
@@ -128,7 +134,7 @@ main (int argc, char **argv)
LDAPMod *base_attrs[2];
LDAPMod base;
isc_buffer_t buff;
- char *zonefile;
+ char *zonefile=0L;
char fullbasedn[1024];
char *ctmp;
dns_fixedname_t fixedzone, fixedname;
@@ -304,9 +310,9 @@ main (int argc, char **argv)
if ((*ctmp == ',') || (ctmp == &basedn[0]))
{
base.mod_op = LDAP_MOD_ADD;
- base.mod_type = "objectClass";
- base.mod_values = topObjectClasses;
- base_attrs[0] = &base;
+ base.mod_type = (char*)"objectClass";
+ base.mod_values = (char**)topObjectClasses;
+ base_attrs[0] = (void*)&base;
base_attrs[1] = NULL;
if (ldapbase)
@@ -363,7 +369,7 @@ main (int argc, char **argv)
* I should probably rename this function, as not to cause any
* confusion with the isc* routines. Will exit on error. */
void
-isc_result_check (isc_result_t res, char *errorstr)
+isc_result_check (isc_result_t res, const char *errorstr)
{
if (res != ISC_R_SUCCESS)
{
@@ -470,20 +476,20 @@ add_to_rr_list (char *dn, char *name, char *type,
if (tmp->attrs == (LDAPMod **) NULL)
fatal("calloc");
- for (i = 0; i < flags; i++)
+ for (i = 0; i < (int)flags; i++)
{
tmp->attrs[i] = (LDAPMod *) malloc (sizeof (LDAPMod));
if (tmp->attrs[i] == (LDAPMod *) NULL)
fatal("malloc");
}
tmp->attrs[0]->mod_op = LDAP_MOD_ADD;
- tmp->attrs[0]->mod_type = "objectClass";
+ tmp->attrs[0]->mod_type = (char*)"objectClass";
if (flags == DNS_OBJECT)
- tmp->attrs[0]->mod_values = objectClasses;
+ tmp->attrs[0]->mod_values = (char**)objectClasses;
else
{
- tmp->attrs[0]->mod_values = topObjectClasses;
+ tmp->attrs[0]->mod_values = (char**)topObjectClasses;
tmp->attrs[1] = NULL;
tmp->attrcnt = 2;
tmp->next = ldap_info_base;
@@ -492,7 +498,7 @@ add_to_rr_list (char *dn, char *name, char *type,
}
tmp->attrs[1]->mod_op = LDAP_MOD_ADD;
- tmp->attrs[1]->mod_type = "relativeDomainName";
+ tmp->attrs[1]->mod_type = (char*)"relativeDomainName";
tmp->attrs[1]->mod_values = (char **) calloc (sizeof (char *), 2);
if (tmp->attrs[1]->mod_values == (char **)NULL)
@@ -521,7 +527,7 @@ add_to_rr_list (char *dn, char *name, char *type,
fatal("strdup");
tmp->attrs[3]->mod_op = LDAP_MOD_ADD;
- tmp->attrs[3]->mod_type = "dNSTTL";
+ tmp->attrs[3]->mod_type = (char*)"dNSTTL";
tmp->attrs[3]->mod_values = (char **) calloc (sizeof (char *), 2);
if (tmp->attrs[3]->mod_values == (char **)NULL)
@@ -535,7 +541,7 @@ add_to_rr_list (char *dn, char *name, char *type,
fatal("strdup");
tmp->attrs[4]->mod_op = LDAP_MOD_ADD;
- tmp->attrs[4]->mod_type = "zoneName";
+ tmp->attrs[4]->mod_type = (char*)"zoneName";
tmp->attrs[4]->mod_values = (char **)calloc(sizeof(char *), 2);
if (tmp->attrs[4]->mod_values == (char **)NULL)
@@ -648,7 +654,7 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
zname = ++tmp;
}
else
- hnamebuff = "@";
+ hnamebuff = (char*)"@";
}
else
{
@@ -727,12 +733,12 @@ init_ldap_conn ()
}
result = ldap_simple_bind_s (conn, binddn, bindpw);
- ldap_result_check ("ldap_simple_bind_s", "LDAP Bind", result);
+ ldap_result_check ("ldap_simple_bind_s", (char*)"LDAP Bind", result);
}
/* Like isc_result_check, only for LDAP */
void
-ldap_result_check (char *msg, char *dn, int err)
+ldap_result_check (const char *msg, char *dn, int err)
{
if ((err != LDAP_SUCCESS) && (err != LDAP_ALREADY_EXISTS))
{
diff --git a/contrib/sdb/pgsql/pgsqldb.c b/contrib/sdb/pgsql/pgsqldb.c
index 50d3cba..516eb9f 100644
--- a/contrib/sdb/pgsql/pgsqldb.c
+++ b/contrib/sdb/pgsql/pgsqldb.c
@@ -23,7 +23,7 @@
#include <string.h>
#include <stdlib.h>
-#include <pgsql/libpq-fe.h>
+#include <libpq-fe.h>
#include <isc/mem.h>
#include <isc/print.h>
diff --git a/contrib/sdb/pgsql/zonetodb.c b/contrib/sdb/pgsql/zonetodb.c
index b8f5912..ff2d135 100644
--- a/contrib/sdb/pgsql/zonetodb.c
+++ b/contrib/sdb/pgsql/zonetodb.c
@@ -37,7 +37,7 @@
#include <dns/rdatatype.h>
#include <dns/result.h>
-#include <pgsql/libpq-fe.h>
+#include <libpq-fe.h>
/*
* Generate a PostgreSQL table from a zone.
@@ -54,6 +54,9 @@ char *dbname, *dbtable;
char str[10240];
void
+closeandexit(int status);
+
+void
closeandexit(int status) {
if (conn != NULL)
PQfinish(conn);
@@ -61,6 +64,9 @@ closeandexit(int status) {
}
void
+check_result(isc_result_t result, const char *message);
+
+void
check_result(isc_result_t result, const char *message) {
if (result != ISC_R_SUCCESS) {
fprintf(stderr, "%s: %s\n", message,
@@ -84,7 +90,8 @@ quotestring(const unsigned char *source, unsigned char *dest) {
}
*dest++ = 0;
}
-
+void
+addrdata(dns_name_t *name, dns_ttl_t ttl, dns_rdata_t *rdata);
void
addrdata(dns_name_t *name, dns_ttl_t ttl, dns_rdata_t *rdata) {
unsigned char namearray[DNS_NAME_MAXTEXT + 1];

27
bind-9.5-PIE.patch Normal file
View File

@ -0,0 +1,27 @@
--- bind-9.5.0b2/bin/named/Makefile.in.pie 2008-02-11 17:21:47.000000000 +0100
+++ bind-9.5.0b2/bin/named/Makefile.in 2008-02-11 17:22:10.000000000 +0100
@@ -100,8 +100,12 @@ HTMLPAGES = named.html lwresd.html named
MANOBJS = ${MANPAGES} ${HTMLPAGES}
+EXT_CFLAGS = -fpie
+
@BIND9_MAKE_RULES@
+LDFLAGS += -pie -Wl,-z,relro,-z,now,-z,nodlopen,-z,noexecstack
+
main.@O@: main.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-DVERSION=\"${VERSION}\" \
diff -up bind-9.5.0b2/bin/named/unix/Makefile.in.pie bind-9.5.0b2/bin/named/unix/Makefile.in
--- bind-9.5.0b2/bin/named/unix/Makefile.in.pie 2008-02-11 17:22:21.000000000 +0100
+++ bind-9.5.0b2/bin/named/unix/Makefile.in 2008-02-11 17:23:00.000000000 +0100
@@ -19,6 +19,8 @@ srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
+EXT_CFLAGS = -fpie
+
@BIND9_MAKE_INCLUDES@
CINCLUDES = -I${srcdir}/include -I${srcdir}/../include \

53
bind-9.5-dlz-64bit.patch Normal file
View File

@ -0,0 +1,53 @@
diff --git a/contrib/dlz/config.dlz.in b/contrib/dlz/config.dlz.in
index 47525af..eefe3c3 100644
--- a/contrib/dlz/config.dlz.in
+++ b/contrib/dlz/config.dlz.in
@@ -17,6 +17,13 @@
#
dlzdir='${DLZ_DRIVER_DIR}'
+AC_MSG_CHECKING([for target libdir])
+AC_RUN_IFELSE([int main(void) {exit((sizeof(void *) == 8) ? 0 : 1);}],
+ [target_lib=lib64],
+ [target_lib=lib],
+)
+AC_MSG_RESULT(["$target_lib"])
+
#
# Private autoconf macro to simplify configuring drivers:
#
@@ -292,9 +299,9 @@ case "$use_dlz_bdb" in
then
break
fi
- elif test -f "$dd/lib/lib${d}.so"
+ elif test -f "$dd/${target_lib}/lib${d}.so"
then
- dlz_bdb_libs="-L${dd}/lib -l${d}"
+ dlz_bdb_libs="-L${dd}/${target_lib} -l${d}"
break
fi
done
@@ -396,7 +403,7 @@ case "$use_dlz_ldap" in
*)
DLZ_ADD_DRIVER(LDAP, dlz_ldap_driver,
[-I$use_dlz_ldap/include],
- [-L$use_dlz_ldap/lib -lldap -llber])
+ [-L$use_dlz_ldap/${target_lib} -lldap -llber])
AC_MSG_RESULT(
[using LDAP from $use_dlz_ldap/lib and $use_dlz_ldap/include])
@@ -432,11 +439,11 @@ then
odbcdirs="/usr /usr/local /usr/pkg"
for d in $odbcdirs
do
- if test -f $d/include/sql.h -a -f $d/lib/libodbc.a
+ if test -f $d/include/sql.h -a -f $d/${target_lib}/libodbc.a
then
use_dlz_odbc=$d
dlz_odbc_include="-I$use_dlz_odbc/include"
- dlz_odbc_libs="-L$use_dlz_odbc/lib -lodbc"
+ dlz_odbc_libs="-L$use_dlz_odbc/${target_lib} -lodbc"
break
fi
done

31
bind-9.9.1-P2-dlz-libdb.patch Normal file
View File

@ -0,0 +1,31 @@
diff -up bind-9.10.1b1/contrib/dlz/config.dlz.in.libdb bind-9.10.1b1/contrib/dlz/config.dlz.in
--- bind-9.10.1b1/contrib/dlz/config.dlz.in.libdb 2014-08-04 12:33:09.320735111 +0200
+++ bind-9.10.1b1/contrib/dlz/config.dlz.in 2014-08-04 12:41:46.888241910 +0200
@@ -263,7 +263,7 @@ case "$use_dlz_bdb" in
# Check other locations for includes.
# Order is important (sigh).
- bdb_incdirs="/db53 /db51 /db48 /db47 /db46 /db45 /db44 /db43 /db42 /db41 /db4 /db"
+ bdb_incdirs="/db53 /db51 /db48 /db47 /db46 /db45 /db44 /db43 /db42 /db41 /db4 /libdb /db"
# include a blank element first
for d in "" $bdb_incdirs
do
@@ -288,16 +288,9 @@ case "$use_dlz_bdb" in
bdb_libnames="db53 db-5.3 db51 db-5.1 db48 db-4.8 db47 db-4.7 db46 db-4.6 db45 db-4.5 db44 db-4.4 db43 db-4.3 db42 db-4.2 db41 db-4.1 db"
for d in $bdb_libnames
do
- if test "$dd" = "/usr"
+ if test -f "$dd/${target_lib}/lib${d}.so"
then
- AC_CHECK_LIB($d, db_create, dlz_bdb_libs="-l${d}")
- if test $dlz_bdb_libs != "yes"
- then
- break
- fi
- elif test -f "$dd/${target_lib}/lib${d}.so"
- then
- dlz_bdb_libs="-L${dd}/${target_lib} -l${d}"
+ dlz_bdb_libs="-L${dd}/${target_lib}/libdb -l${d}"
break
fi
done

85
bind-9.9.1-P2-multlib-conflict.patch Normal file
View File

@ -0,0 +1,85 @@
diff --git a/config.h.in b/config.h.in
index e1364dd921..1dc65cfb21 100644
--- a/config.h.in
+++ b/config.h.in
@@ -588,7 +588,7 @@ int sigwait(const unsigned int *set, int *sig);
#undef PREFER_GOSTASN1
/* The size of `void *', as computed by sizeof. */
-#undef SIZEOF_VOID_P
+/* #undef SIZEOF_VOID_P */
/* Define to 1 if you have the ANSI C header files. */
#undef STDC_HEADERS
diff --git a/configure.in b/configure.in
index 73b1c8ccbb..129fc3f311 100644
--- a/configure.in
+++ b/configure.in
@@ -3523,14 +3523,14 @@ AC_TRY_COMPILE([
#include <sys/socket.h>
#include <netdb.h>
int getnameinfo(const struct sockaddr *, socklen_t, char *,
- socklen_t, char *, socklen_t, unsigned int);],
+ socklen_t, char *, socklen_t, int);],
[ return (0);],
- [AC_MSG_RESULT(socklen_t for buflen; u_int for flags)
+ [AC_MSG_RESULT(socklen_t for buflen; int for flags)
AC_DEFINE(IRS_GETNAMEINFO_SOCKLEN_T, socklen_t,
[Define to the sockaddr length type used by getnameinfo(3).])
AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, socklen_t,
[Define to the buffer length type used by getnameinfo(3).])
- AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, unsigned int,
+ AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, int,
[Define to the flags type used by getnameinfo(3).])],
[AC_TRY_COMPILE([
#include <sys/types.h>
@@ -3557,7 +3557,7 @@ int getnameinfo(const struct sockaddr *, size_t, char *,
[AC_MSG_RESULT(not match any subspecies; assume standard definition)
AC_DEFINE(IRS_GETNAMEINFO_SOCKLEN_T, socklen_t)
AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, socklen_t)
-AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, int)])])])
+AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, unsigned int)])])])
#
# ...and same for gai_strerror().
diff --git a/isc-config.sh.in b/isc-config.sh.in
index a8a0a89e88..b5e94ed13e 100644
--- a/isc-config.sh.in
+++ b/isc-config.sh.in
@@ -13,7 +13,18 @@ prefix=@prefix@
exec_prefix=@exec_prefix@
exec_prefix_set=
includedir=@includedir@
-libdir=@libdir@
+arch=$(uname -m)
+
+case $arch in
+ x86_64 | amd64 | sparc64 | s390x | ppc64)
+ libdir=/usr/lib64
+ sec_libdir=/usr/lib
+ ;;
+ * )
+ libdir=/usr/lib
+ sec_libdir=/usr/lib64
+ ;;
+esac
usage()
{
@@ -132,6 +143,16 @@ if test x"$echo_libs" = x"true"; then
if test x"${exec_prefix_set}" = x"true"; then
libs="-L${exec_prefix}/lib"
else
+ if [ ! -x $libdir/libisc.so ] ; then
+ if [ ! -x $sec_libdir/libisc.so ] ; then
+ echo "Error: ISC libs not found in $libdir"
+ if [ -d $sec_libdir ] ; then
+ echo "Error: ISC libs not found in $sec_libdir"
+ fi
+ exit 1
+ fi
+ libdir=$sec_libdir
+ fi
libs="-L${libdir}"
fi
if test x"$libirs" = x"true" ; then

42
bind-95-rh452060.patch Normal file
View File

@ -0,0 +1,42 @@
diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
index f657c30..ff9a2d2 100644
--- a/bin/dig/dighost.c
+++ b/bin/dig/dighost.c
@@ -1694,6 +1694,13 @@ clear_query(dig_query_t *query) {
if (query->timer != NULL)
isc_timer_detach(&query->timer);
+
+ if (query->waiting_senddone) {
+ debug("send_done not yet called");
+ query->pending_free = ISC_TRUE;
+ return;
+ }
+
lookup = query->lookup;
if (lookup->current_query == query)
@@ -1719,10 +1726,7 @@ clear_query(dig_query_t *query) {
isc_mempool_put(commctx, query->recvspace);
isc_buffer_invalidate(&query->recvbuf);
isc_buffer_invalidate(&query->lengthbuf);
- if (query->waiting_senddone)
- query->pending_free = ISC_TRUE;
- else
- isc_mem_free(mctx, query);
+ isc_mem_free(mctx, query);
}
/*%
@@ -2811,9 +2815,9 @@ send_done(isc_task_t *_task, isc_event_t *event) {
isc_event_free(&event);
if (query->pending_free)
- isc_mem_free(mctx, query);
+ clear_query(query);
- check_if_done();
+ check_next_lookup(l);
UNLOCK_LOOKUP;
}

23
bind-96-old-api.patch Normal file
View File

@ -0,0 +1,23 @@
diff -up bind-9.6.0b1/contrib/sdb/ldap/ldapdb.c.old-api bind-9.6.0b1/contrib/sdb/ldap/ldapdb.c
--- bind-9.6.0b1/contrib/sdb/ldap/ldapdb.c.old-api 2008-11-24 13:28:13.000000000 +0100
+++ bind-9.6.0b1/contrib/sdb/ldap/ldapdb.c 2008-11-24 13:28:23.000000000 +0100
@@ -25,6 +25,7 @@
/* Using LDAPv3 by default, change this if you want v2 */
#ifndef LDAPDB_LDAP_VERSION
#define LDAPDB_LDAP_VERSION 3
+#define LDAP_DEPRECATED 1
#endif
#include <config.h>
diff -up bind-9.6.0b1/contrib/sdb/ldap/zone2ldap.c.old-api bind-9.6.0b1/contrib/sdb/ldap/zone2ldap.c
--- bind-9.6.0b1/contrib/sdb/ldap/zone2ldap.c.old-api 2008-11-24 13:29:05.000000000 +0100
+++ bind-9.6.0b1/contrib/sdb/ldap/zone2ldap.c 2008-11-24 13:29:14.000000000 +0100
@@ -13,6 +13,8 @@
* ditched dNSDomain2 schema support. Version 0.3-ALPHA
*/
+#define LDAP_DEPRECATED 1
+
#include <errno.h>
#include <string.h>
#include <stdlib.h>

1049
bind.spec Normal file
View File

File diff suppressed because it is too large Load Diff

1
bind.tmpfiles.d Normal file
View File

@ -0,0 +1 @@
d /run/named 0755 named named -

95
bind93-rh490837.patch Normal file
View File

@ -0,0 +1,95 @@
? patch
? lib/isc/lex.c.rh490837
Index: lib/isc/lex.c
===================================================================
RCS file: /var/snap/bind9/lib/isc/lex.c,v
retrieving revision 1.86
diff -p -u -r1.86 lex.c
--- lib/isc/lex.c 17 Sep 2007 09:56:29 -0000 1.86
+++ lib/isc/lex.c 6 Apr 2009 13:24:15 -0000
@@ -425,17 +425,14 @@ isc_lex_gettoken(isc_lex_t *lex, unsigne
if (source->is_file) {
stream = source->input;
-#if defined(HAVE_FLOCKFILE) && defined(HAVE_GETCUNLOCKED)
- c = getc_unlocked(stream);
-#else
- c = getc(stream);
-#endif
- if (c == EOF) {
- if (ferror(stream)) {
- source->result = ISC_R_IOERROR;
- result = source->result;
+ result = isc_stdio_fgetc(stream, &c);
+
+ if (result != ISC_R_SUCCESS) {
+ if (result != ISC_R_EOF) {
+ source->result = result;
goto done;
}
+
source->at_eof = ISC_TRUE;
}
} else {
Index: lib/isc/include/isc/stdio.h
===================================================================
RCS file: /var/snap/bind9/lib/isc/include/isc/stdio.h,v
retrieving revision 1.13
diff -p -u -r1.13 stdio.h
--- lib/isc/include/isc/stdio.h 19 Jun 2007 23:47:18 -0000 1.13
+++ lib/isc/include/isc/stdio.h 6 Apr 2009 13:24:15 -0000
@@ -72,6 +72,9 @@ isc_stdio_sync(FILE *f);
* direct counterpart in the stdio library.
*/
+isc_result_t
+isc_stdio_fgetc(FILE *f, int *ret);
+
ISC_LANG_ENDDECLS
#endif /* ISC_STDIO_H */
Index: lib/isc/unix/errno2result.c
===================================================================
RCS file: /var/snap/bind9/lib/isc/unix/errno2result.c,v
retrieving revision 1.17
diff -p -u -r1.17 errno2result.c
--- lib/isc/unix/errno2result.c 19 Jun 2007 23:47:18 -0000 1.17
+++ lib/isc/unix/errno2result.c 6 Apr 2009 13:24:15 -0000
@@ -43,6 +43,7 @@ isc__errno2result(int posixerrno) {
case EINVAL: /* XXX sometimes this is not for files */
case ENAMETOOLONG:
case EBADF:
+ case EISDIR:
return (ISC_R_INVALIDFILE);
case ENOENT:
return (ISC_R_FILENOTFOUND);
Index: lib/isc/unix/stdio.c
===================================================================
RCS file: /var/snap/bind9/lib/isc/unix/stdio.c,v
retrieving revision 1.8
diff -p -u -r1.8 stdio.c
--- lib/isc/unix/stdio.c 19 Jun 2007 23:47:18 -0000 1.8
+++ lib/isc/unix/stdio.c 6 Apr 2009 13:24:15 -0000
@@ -115,3 +115,22 @@ isc_stdio_sync(FILE *f) {
return (isc__errno2result(errno));
}
+isc_result_t
+isc_stdio_fgetc(FILE *f, int *ret) {
+ int r;
+ isc_result_t result = ISC_R_SUCCESS;
+
+#if defined(HAVE_FLOCKFILE) && defined(HAVE_GETCUNLOCKED)
+ r = fgetc_unlocked(f);
+#else
+ r = fgets(f);
+#endif
+
+ if (r == EOF)
+ result = ferror(f) ? isc__errno2result(errno) : ISC_R_EOF;
+
+ *ret = r;
+
+ return result;
+}
+

51
bind97-rh478718.patch Normal file
View File

@ -0,0 +1,51 @@
diff --git a/configure.in b/configure.in
index 896e81c1ce..73b1c8ccbb 100644
--- a/configure.in
+++ b/configure.in
@@ -4275,6 +4275,10 @@ if test "yes" = "$use_atomic"; then
AC_MSG_RESULT($arch)
fi
+if test ! "$arch" = "x86_64" -a "$have_xaddq" = "yes"; then
+ AC_MSG_ERROR([XADDQ present but disabled by Fedora patch!])
+fi
+
if test "yes" = "$have_atomic"; then
AC_MSG_CHECKING([compiler support for inline assembly code])
diff --git a/lib/isc/include/isc/platform.h.in b/lib/isc/include/isc/platform.h.in
index 2ff522342f..58df86adb3 100644
--- a/lib/isc/include/isc/platform.h.in
+++ b/lib/isc/include/isc/platform.h.in
@@ -289,19 +289,25 @@
* If the "xaddq" operation (64bit xadd) is available on this architecture,
* ISC_PLATFORM_HAVEXADDQ will be defined.
*/
-@ISC_PLATFORM_HAVEXADDQ@
/*
- * If the 32-bit "atomic swap" operation is available on this
- * architecture, ISC_PLATFORM_HAVEATOMICSTORE" will be defined.
+ * If the 64-bit "atomic swap" operation is available on this
+ * architecture, ISC_PLATFORM_HAVEATOMICSTOREQ" will be defined.
*/
-@ISC_PLATFORM_HAVEATOMICSTORE@
+
+#ifdef __x86_64__
+#define ISC_PLATFORM_HAVEXADDQ 1
+#define ISC_PLATFORM_HAVEATOMICSTOREQ 1
+#else
+#undef ISC_PLATFORM_HAVEXADDQ
+#undef ISC_PLATFORM_HAVEATOMICSTOREQ
+#endif
/*
- * If the 64-bit "atomic swap" operation is available on this
+ * If the 32-bit "atomic swap" operation is available on this
* architecture, ISC_PLATFORM_HAVEATOMICSTORE" will be defined.
*/
-@ISC_PLATFORM_HAVEATOMICSTOREQ@
+@ISC_PLATFORM_HAVEATOMICSTORE@
/*
* If the "compare-and-exchange" operation is available on this architecture,

30
bind97-rh645544.patch Normal file
View File

@ -0,0 +1,30 @@
diff -up bind-9.9.4rc2/lib/dns/resolver.c.rh645544 bind-9.9.4rc2/lib/dns/resolver.c
--- bind-9.9.4rc2/lib/dns/resolver.c.rh645544 2013-08-19 10:30:52.000000000 +0200
+++ bind-9.9.4rc2/lib/dns/resolver.c 2013-09-06 17:58:03.864165823 +0200
@@ -1138,7 +1138,7 @@ log_edns(fetchctx_t *fctx) {
*/
dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
isc_log_write(dns_lctx, DNS_LOGCATEGORY_EDNS_DISABLED,
- DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
+ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(1),
"success resolving '%s' (in '%s'?) after %s",
fctx->info, domainbuf, fctx->reason);
@@ -3804,7 +3804,7 @@ log_lame(fetchctx_t *fctx, dns_adbaddrin
dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
isc_sockaddr_format(&addrinfo->sockaddr, addrbuf, sizeof(addrbuf));
isc_log_write(dns_lctx, DNS_LOGCATEGORY_LAME_SERVERS,
- DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
+ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(1),
"lame server resolving '%s' (in '%s'?): %s",
namebuf, domainbuf, addrbuf);
}
@@ -3831,7 +3831,7 @@ log_formerr(fetchctx_t *fctx, const char
}
isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
- DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
+ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(1),
"DNS format error from %s resolving %s%s%s: %s",
nsbuf, fctx->info, clmsg, clbuf, msgbuf);
}

14
bind97-rh669163.patch Normal file
View File

@ -0,0 +1,14 @@
diff -up bind-9.7.2-P3/lib/lwres/lwconfig.c.rh669163 bind-9.7.2-P3/lib/lwres/lwconfig.c
--- bind-9.7.2-P3/lib/lwres/lwconfig.c.rh669163 2011-01-28 14:48:38.934472578 +0100
+++ bind-9.7.2-P3/lib/lwres/lwconfig.c 2011-01-28 14:49:50.421326035 +0100
@@ -612,6 +612,10 @@ lwres_conf_parse(lwres_context_t *ctx, c
break;
}
+ /* Ignore options with no parameters */
+ if (stopchar == '\n')
+ continue;
+
if (strlen(word) == 0U)
rval = LWRES_R_SUCCESS;
else if (strcmp(word, "nameserver") == 0)

44
bind99-rh640538.patch Normal file
View File

@ -0,0 +1,44 @@
diff --git a/bin/dig/dig.docbook b/bin/dig/dig.docbook
index 1079421..f11abd1 100644
--- a/bin/dig/dig.docbook
+++ b/bin/dig/dig.docbook
@@ -1177,6 +1177,39 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
</para>
</refsection>
+ <refsection><info><title>RETURN CODES</title></info>
+ <para>
+ <command>Dig</command> return codes are:
+ <variablelist>
+ <varlistentry>
+ <listitem>
+ <para>0: Everything went well, including things like NXDOMAIN</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <listitem>
+ <para>1: Usage error</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <listitem>
+ <para>8: Couldn't open batch file</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <listitem>
+ <para>9: No reply from server</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <listitem>
+ <para>10: Internal error</para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </para>
+ </refsection>
+
<refsection><info><title>FILES</title></info>
<para><filename>/etc/resolv.conf</filename>

146
bugfix-named-log-time.patch Normal file
View File

@ -0,0 +1,146 @@
diff -upNr b/lib/isc/include/isc/util.h a/lib/isc/include/isc/util.h
--- b/lib/isc/include/isc/util.h 2019-07-30 19:52:09.600000000 +0800
+++ a/lib/isc/include/isc/util.h 2019-07-30 21:39:03.400000000 +0800
@@ -233,7 +233,7 @@
* Time
*/
#define TIME_NOW(tp) RUNTIME_CHECK(isc_time_now((tp)) == ISC_R_SUCCESS)
-
+#define TIME_REAL_NOW(tp) RUNTIME_CHECK(isc_time_real_now((tp)) == ISC_R_SUCCESS)
/*%
* Alignment
*/
diff -upNr b/lib/isc/log.c a/lib/isc/log.c
--- b/lib/isc/log.c 2019-07-30 19:52:09.610000000 +0800
+++ a/lib/isc/log.c 2019-07-30 21:39:03.410000000 +0800
@@ -1498,7 +1498,7 @@ isc_log_doit(isc_log_t *lctx, isc_logcat
time_string[0] == '\0') {
isc_time_t isctime;
- TIME_NOW(&isctime);
+ TIME_REAL_NOW(&isctime);
isc_time_formattimestamp(&isctime, time_string,
sizeof(time_string));
}
@@ -1545,7 +1545,7 @@ isc_log_doit(isc_log_t *lctx, isc_logcat
* which fall within the duplicate_interval
* range.
*/
- TIME_NOW(&oldest);
+ TIME_REAL_NOW(&oldest);
if (isc_time_subtract(&oldest, &interval,
&oldest)
!= ISC_R_SUCCESS)
@@ -1622,7 +1622,7 @@ isc_log_doit(isc_log_t *lctx, isc_logcat
strlcpy(message->text, lctx->buffer,
size);
- TIME_NOW(&message->time);
+ TIME_REAL_NOW(&message->time);
ISC_LINK_INIT(message, link);
ISC_LIST_APPEND(lctx->messages,
diff -upNr b/lib/isc/unix/include/isc/time.h a/lib/isc/unix/include/isc/time.h
--- b/lib/isc/unix/include/isc/time.h 2019-07-30 19:52:09.600000000 +0800
+++ a/lib/isc/unix/include/isc/time.h 2019-07-30 21:39:03.400000000 +0800
@@ -149,6 +149,8 @@ isc_time_now(isc_time_t *t);
*/
isc_result_t
+isc_time_real_now(isc_time_t *t);
+isc_result_t
isc_time_nowplusinterval(isc_time_t *t, const isc_interval_t *i);
/*%<
* Set *t to the current absolute time + i.
diff -upNr b/lib/isc/unix/time.c a/lib/isc/unix/time.c
--- b/lib/isc/unix/time.c 2019-07-30 19:52:09.600000000 +0800
+++ a/lib/isc/unix/time.c 2019-07-30 21:39:03.400000000 +0800
@@ -36,6 +36,9 @@
#define NS_PER_MS 1000000 /*%< Nanoseconds per millisecond. */
#define US_PER_S 1000000 /*%< Microseconds per second. */
+#ifndef ISC_FIX_TV_USEC
+#define ISC_FIX_TV_USEC 1
+#endif
#define CLOCKSOURCE CLOCK_MONOTONIC
/*%
@@ -44,6 +47,27 @@
static const isc_interval_t zero_interval = { 0, 0 };
const isc_interval_t * const isc_interval_zero = &zero_interval;
+#if ISC_FIX_TV_USEC
+static inline void
+fix_tv_usec(struct timeval *tv) {
+ isc_boolean_t fixed = ISC_FALSE;
+ if (tv->tv_usec < 0) {
+ fixed = ISC_TRUE;
+ do {
+ tv->tv_sec -= 1;
+ tv->tv_usec += US_PER_S;
+ } while (tv->tv_usec < 0);
+ } else if (tv->tv_usec >= US_PER_S) {
+ fixed = ISC_TRUE;
+ do {
+ tv->tv_sec += 1;
+ tv->tv_usec -= US_PER_S;
+ } while (tv->tv_usec >=US_PER_S);
+ }
+ if (fixed)
+ (void)syslog(LOG_ERR, "gettimeofday returned bad tv_usec: corrected");
+}
+#endif
void
isc_interval_set(isc_interval_t *i,
@@ -105,6 +129,50 @@ isc_time_isepoch(const isc_time_t *t) {
isc_result_t
+isc_time_real_now(isc_time_t *t) {
+ struct timeval tv;
+ char strbuf[ISC_STRERRORSIZE];
+
+ REQUIRE(t != NULL);
+
+ if (gettimeofday(&tv, NULL) == -1) {
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ UNEXPECTED_ERROR(__FILE__, __LINE__, "%s", strbuf);
+ return (ISC_R_UNEXPECTED);
+ }
+
+ /*
+ * Does POSIX guarantee the signedness of tv_sec and tv_usec? If not,
+ * then this test will generate warnings for platforms on which it is
+ * unsigned. In any event, the chances of any of these problems
+ * happening are pretty much zero, but since the libisc library ensures
+ * certain things to be true ...
+ */
+#if ISC_FIX_TV_USEC
+ fix_tv_usec(&tv);
+ if (tv.tv_sec < 0)
+ return (ISC_R_UNEXPECTED);
+#else
+ if (tv.tv_sec < 0 || tv.tv_usec < 0 || tv.tv_usec >= US_PER_S)
+ return (ISC_R_UNEXPECTED);
+#endif
+
+ /*
+ * Ensure the tv_sec value fits in t->seconds.
+ */
+ if (sizeof(tv.tv_sec) > sizeof(t->seconds) &&
+ ((tv.tv_sec | (unsigned int)-1) ^ (unsigned int)-1) != 0U)
+ return (ISC_R_RANGE);
+
+ t->seconds = tv.tv_sec;
+ t->nanoseconds = tv.tv_usec * NS_PER_US;
+
+ return (ISC_R_SUCCESS);
+}
+
+
+
+isc_result_t
isc_time_now(isc_time_t *t) {
struct timespec ts;
char strbuf[ISC_STRERRORSIZE];

19
bugfix-nslookup-norec.patch Normal file
View File

@ -0,0 +1,19 @@
diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
--- a/bin/dig/dighost.c.orig 2011-03-11 07:46:58.000000000 +0100
+++ b/bin/dig/dighost.c 2011-10-28 14:31:29.806591603 +0200
@@ -3291,8 +3291,13 @@
} else {
if (!l->ns_search_only) {
fputs(l->cmdline, stdout);
- printf(";; connection timed out; no servers could be "
- "reached\n");
+ if (!next_origin(ISC_LIST_HEAD(l->q))) {
+ printf(";; connection timed out; no servers could be "
+ "reached\n");
+ } else {
+ printf(";; connection timed out; trying next "
+ "origin\n");
+ }
}
cancel_lookup(l);
check_next_lookup(l);

BIN
config-18.tar.bz2 Normal file
View File

Binary file not shown.

148
dnszone.schema Normal file
View File

@ -0,0 +1,148 @@
# A schema for storing DNS zones in LDAP
#
attributetype ( 1.3.6.1.4.1.2428.20.0.0 NAME 'dNSTTL'
DESC 'An integer denoting time to live'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
attributetype ( 1.3.6.1.4.1.2428.20.0.1 NAME 'dNSClass'
DESC 'The class of a resource record'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.0.2 NAME 'zoneName'
DESC 'The name of a zone, i.e. the name of the highest node in the zone'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.0.3 NAME 'relativeDomainName'
DESC 'The starting labels of a domain name'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.12 NAME 'pTRRecord'
DESC 'domain name pointer, RFC 1035'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.13 NAME 'hInfoRecord'
DESC 'host information, RFC 1035'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.14 NAME 'mInfoRecord'
DESC 'mailbox or mail list information, RFC 1035'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.16 NAME 'tXTRecord'
DESC 'text string, RFC 1035'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.18 NAME 'aFSDBRecord'
DESC 'for AFS Data Base location, RFC 1183'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.24 NAME 'SigRecord'
DESC 'Signature, RFC 2535'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.25 NAME 'KeyRecord'
DESC 'Key, RFC 2535'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.28 NAME 'aAAARecord'
DESC 'IPv6 address, RFC 1886'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.29 NAME 'LocRecord'
DESC 'Location, RFC 1876'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.30 NAME 'nXTRecord'
DESC 'non-existant, RFC 2535'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.33 NAME 'sRVRecord'
DESC 'service location, RFC 2782'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.35 NAME 'nAPTRRecord'
DESC 'Naming Authority Pointer, RFC 2915'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.36 NAME 'kXRecord'
DESC 'Key Exchange Delegation, RFC 2230'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.37 NAME 'certRecord'
DESC 'certificate, RFC 2538'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.38 NAME 'a6Record'
DESC 'A6 Record Type, RFC 2874'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.39 NAME 'dNameRecord'
DESC 'Non-Terminal DNS Name Redirection, RFC 2672'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.43 NAME 'dSRecord'
DESC 'Delegation Signer, RFC 3658'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.46 NAME 'rRSIGRecord'
DESC 'RRSIG, RFC 3755'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.47 NAME 'nSECRecord'
DESC 'NSEC, RFC 3755'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
objectclass ( 1.3.6.1.4.1.2428.20.3 NAME 'dNSZone'
SUP top STRUCTURAL
MUST ( zoneName $ relativeDomainName )
MAY ( DNSTTL $ DNSClass $
ARecord $ MDRecord $ MXRecord $ NSRecord $
SOARecord $ CNAMERecord $ PTRRecord $ HINFORecord $
MINFORecord $ TXTRecord $ SIGRecord $ KEYRecord $
AAAARecord $ LOCRecord $ NXTRecord $ SRVRecord $
NAPTRRecord $ KXRecord $ CERTRecord $ A6Record $
DNAMERecord ) )

282
feature-bind99-euler-range-port.patch Normal file
View File

@ -0,0 +1,282 @@
diff --git a/lib/dns/dispatch.c b/lib/dns/dispatch.c
index c93651d..d03ef2d 100644
--- a/lib/dns/dispatch.c
+++ b/lib/dns/dispatch.c
@@ -49,6 +49,7 @@
#include <dns/tcpmsg.h>
#include <dns/types.h>
+const char *conffile = "/etc/dns_port.conf";
typedef ISC_LIST(dns_dispentry_t) dns_displist_t;
typedef struct dispsocket dispsocket_t;
@@ -1933,6 +1934,168 @@ open_socket(isc_socketmgr_t *mgr, isc_sockaddr_t *local,
return (ISC_R_SUCCESS);
}
+static int convert_num(char *str)
+{
+ int negative = 0;
+ int tval;
+ int val = 0;
+ int base = 10;
+ char *ptr = str;
+ if (str == NULL)
+ return -ISC_R_FAILURE;
+
+ if (*ptr == '-') {
+ negative = 1;
+ ++ptr;
+ }
+
+ do {
+ tval = *ptr++;
+ /* XXX assumes ASCII... */
+ if (tval >= '0')
+ tval -= '0';
+ else {
+ syslog (LOG_ERR, "Bogus number: %s.", str);
+ return -ISC_R_BADNUMBER;
+ }
+ if (tval >= base) {
+ syslog (LOG_ERR, "Bogus number: %s.", str);
+ return -ISC_R_BADNUMBER;
+ }
+ val = val * base + tval;
+ } while (*ptr);
+
+ if (negative)
+ val = -val;
+ return val;
+}
+
+static int str_token(char *str, int *digit, unsigned int len, const char *semi)
+{
+ int num = 0;
+ char *p;
+ p = strtok(str, semi);
+ while (p !=NULL) {
+ if (num >= len-1) {
+ digit[num] = '\0';
+ break;
+ }
+ /* convert string to integer */
+ digit[num] = convert_num(p);
+ if (digit[num] < 0)
+ return -ISC_R_BADNUMBER;
+
+ p = strtok(NULL, semi);
+ num++;
+ }
+
+ return num;
+}
+
+static int parse_port_config(const char *buffer, const char *sub_buf, int *ports, unsigned int len, const char *semi)
+{
+ char *str;
+ char string[256] = {0};
+ int start, end;
+ int ret = -ISC_R_DISABLED;
+
+ if (str = strstr(buffer, sub_buf)) {
+ start = strlen(sub_buf);
+ end = strlen(str);
+ strncpy(string, str + start, end - start -1);
+ /* string segmentation with semi character */
+ ret = str_token(string, ports, len, semi);
+ if (ret < 0)
+ return -ISC_R_BADNUMBER;
+ }
+
+ return ret;
+}
+
+static isc_result_t
+parse_config(const char *file, in_port_t *port_lo, in_port_t *port_hi, in_port_t *no_use_ports)
+{
+ FILE *fp;
+ char *str = NULL;
+ char buffer[256] = {0};
+ int ports[8] = {0};
+ int unports[17] = {0};
+ int i = 0;
+ int ret;
+
+ fp = fopen(file, "r");
+ if (fp) {
+ while (fgets(buffer, 256, fp)) {
+ const char *buffer_s = buffer;
+ str = buffer;
+ /* skip the comment line */
+ while (isspace(*str))
+ str++;
+ if (strncmp(str, "#", 1) == 0)
+ continue;
+ /* get default set of dispatch ports */
+ ret = parse_port_config(buffer_s, "dns-range-port", ports, 8, " ");
+ if (ret == 2) {
+ *port_lo = (in_port_t)ports[0];
+ *port_hi = (in_port_t)ports[1];
+ if (*port_lo < 1024 || *port_hi > 65535 || *port_lo > *port_hi) {
+ syslog(LOG_ERR,
+ "Unexpected ports contents in %s file.", file);
+ fclose(fp);
+ fp = NULL;
+ return ISC_R_INVALIDFILE;
+ }
+ } else if (ret != -ISC_R_DISABLED){
+ syslog(LOG_ERR,
+ "Unexpected ports contents in %s file.", file);
+ fclose(fp);
+ fp = NULL;
+ return ISC_R_INVALIDFILE;
+ }
+ /* get excluded ports */
+ ret = parse_port_config(buffer_s, "dns-excluded-ports", unports, 17, " ");
+ if (ret > 0) {
+ while (unports[i] != '\0') {
+ no_use_ports[i] = (in_port_t)unports[i];
+ i++;
+ }
+ } else if (ret != -ISC_R_DISABLED) {
+ syslog(LOG_ERR,
+ "Unexpected ports contents in %s file.", file);
+ fclose(fp);
+ fp = NULL;
+ return ISC_R_INVALIDFILE;
+ }
+ }
+
+ fclose(fp);
+ fp = NULL;
+ return ISC_R_SUCCESS;
+ }
+
+ syslog(LOG_ERR,
+ "Open %s fail, return.\n", file);
+ return ISC_R_FILENOTFOUND;
+}
+
+/*%
+ * Create a temporary port list to set the initial default set of dispatch
+ * ports and excluded ports. This is almost meaningless as the application will
+ * normally set the ports explicitly, but is provided to fill some minor corner
+ * cases.
+ */
+static isc_result_t
+create_portset_by_range(isc_mem_t *mctx, isc_portset_t **portsetp, in_port_t port_lo, in_port_t port_hi, in_port_t *no_use_ports) {
+ isc_result_t result;
+
+ result = isc_portset_create(mctx, portsetp);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ isc_portset_addrange_by_range(*portsetp, port_lo, port_hi, no_use_ports);
+
+ return (ISC_R_SUCCESS);
+}
+
/*%
* Create a temporary port list to set the initial default set of dispatch
* ports: [1024, 65535]. This is almost meaningless as the application will
@@ -1963,6 +2125,9 @@ dns_dispatchmgr_create(isc_mem_t *mctx, isc_entropy_t *entropy,
isc_result_t result;
isc_portset_t *v4portset = NULL;
isc_portset_t *v6portset = NULL;
+ in_port_t port_lo = 1024;
+ in_port_t port_hi = 65535;
+ in_port_t no_use_ports[17] = {0};
REQUIRE(mctx != NULL);
REQUIRE(mgrp != NULL && *mgrp == NULL);
@@ -2063,14 +2228,23 @@ dns_dispatchmgr_create(isc_mem_t *mctx, isc_entropy_t *entropy,
mgr->nv6ports = 0;
mgr->magic = DNS_DISPATCHMGR_MAGIC;
- result = create_default_portset(mctx, &v4portset);
+ /* parse port list file, get default set of dispatch ports and excluded ports */
+ result = parse_config(conffile, &port_lo, &port_hi, no_use_ports);
if (result == ISC_R_SUCCESS) {
- result = create_default_portset(mctx, &v6portset);
- if (result == ISC_R_SUCCESS) {
- result = dns_dispatchmgr_setavailports(mgr,
- v4portset,
- v6portset);
- }
+ create_portset_by_range(mctx, &v4portset, port_lo, port_hi, no_use_ports);
+ if (result == ISC_R_SUCCESS)
+ result = create_portset_by_range(mctx, &v6portset, port_lo, port_hi, no_use_ports);
+ }
+ else {
+ result = create_default_portset(mctx, &v4portset);
+ if (result == ISC_R_SUCCESS)
+ result = create_default_portset(mctx, &v6portset);
+ }
+
+ if (result == ISC_R_SUCCESS) {
+ result = dns_dispatchmgr_setavailports(mgr,
+ v4portset,
+ v6portset);
}
if (v4portset != NULL)
isc_portset_destroy(mctx, &v4portset);
diff --git a/lib/isc/include/isc/portset.h b/lib/isc/include/isc/portset.h
index 774d6bb..cfd0bcb 100644
--- a/lib/isc/include/isc/portset.h
+++ b/lib/isc/include/isc/portset.h
@@ -125,6 +125,19 @@ isc_portset_addrange(isc_portset_t *portset, in_port_t port_lo,
*/
void
+isc_portset_addrange_by_range(isc_portset_t *portset, in_port_t port_lo,
+ in_port_t port_hi, in_port_t *no_use_ports);
+/*%<
+ * Add a subset of [port_lo, port_hi] (inclusive) and no_use_ports(exclusive) to the portset. Ports in the
+ * subset may or may not be stored in portset.
+ *
+ * Requires:
+ *\li 'portlist' to be valid.
+ *\li port_lo <= port_hi
+ *\li no_use_ports > 0
+ */
+
+void
isc_portset_removerange(isc_portset_t *portset, in_port_t port_lo,
in_port_t port_hi);
/*%<
diff --git a/lib/isc/portset.c b/lib/isc/portset.c
index 471ca8e..0ebd79f 100644
--- a/lib/isc/portset.c
+++ b/lib/isc/portset.c
@@ -128,6 +128,31 @@ isc_portset_addrange(isc_portset_t *portset, in_port_t port_lo,
}
void
+isc_portset_addrange_by_range(isc_portset_t *portset, in_port_t port_lo,
+ in_port_t port_hi, in_port_t *no_use_ports)
+{
+ in_port_t p;
+ int i, flag;
+ REQUIRE(portset != NULL);
+ REQUIRE(port_lo <= port_hi);
+
+ p = port_lo;
+ do {
+ i = 0;
+ flag = 0;
+ while (no_use_ports[i] != '\0') {
+ if (no_use_ports[i] == p) {
+ flag = 1;
+ break;
+ }
+ i++;
+ }
+ if (flag == 0)
+ portset_add(portset, p);
+ } while (p++ < port_hi);
+}
+
+void
isc_portset_removerange(isc_portset_t *portset, in_port_t port_lo,
in_port_t port_hi)
{

20
generate-rndc-key.sh Normal file
View File

@ -0,0 +1,20 @@
#!/bin/bash
. /etc/rc.d/init.d/functions
# This script generates /etc/rndc.key if doesn't exist AND if there is no rndc.conf
if [ ! -s /etc/rndc.key -a ! -s /etc/rndc.conf ]; then
echo -n $"Generating /etc/rndc.key:"
if /usr/sbin/rndc-confgen -a -A hmac-sha256 -r /dev/urandom > /dev/null 2>&1
then
chmod 640 /etc/rndc.key
chown root:named /etc/rndc.key
[ -x /sbin/restorecon ] && /sbin/restorecon /etc/rndc.key
success $"/etc/rndc.key generation"
echo
else
failure $"/etc/rndc.key generation"
echo
fi
fi

41
ldap2zone.1 Normal file
View File

@ -0,0 +1,41 @@
.\" Copyright (C) 2004, 2005 Stig Venaas <venaas@uninett.no>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\" Manpage written by Jan Gorig
.TH ldap2zone 1 "15 March 2010" "BIND9"
.SH NAME
ldap2zone - Creates zone file from LDAP dnszone information
.SH SYNOPSIS
.B ldap2zone zone-name LDAP-URL default-ttl [serial]
.SH DESCRIPTION
ldap2zone is a tool that reads info for a zone from LDAP and constructs a standard plain ascii zone file that is written to the standard output. The LDAP information has to be stored using the dnszone schema. The schema is used by BIND with LDAP back-end.
\fBzone-name\fR
.RS 4
Name of the zone, eg "mydomain.net."
.RE
.PP
\fBLDAP-URL\fR
.RS 4
LDAP URL to dnszone information
.RE
.PP
\fBdefault-ttl\fR
.RS 4
Default TTL value to be used in zone
.RE
.PP
\fBserial\fR
.RS 4
(optional) Program checks this number to be different than SOA serial number.
.RE
.SH "EXIT STATUS"
Exits with 0 on success or 1 on failure.
.SH "SEE ALSO"
named(8) ldap(3)
http://www.venaas.no/dns/ldap2zone/
.SH "COPYRIGHT"
Copyright (C) 2004, 2005 Stig Venaas

411
ldap2zone.c Normal file
View File

@ -0,0 +1,411 @@
/*
* Copyright (C) 2004, 2005 Stig Venaas <venaas@uninett.no>
* $Id: ldap2zone.c,v 1.1 2007/07/24 15:18:00 atkac Exp $
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*/
#define LDAP_DEPRECATED 1
#include <sys/types.h>
#include <stdio.h>
#include <stdlib.h>
#include <ctype.h>
#include <ldap.h>
struct string {
void *data;
size_t len;
};
struct assstack_entry {
struct string key;
struct string val;
struct assstack_entry *next;
};
struct assstack_entry *assstack_find(struct assstack_entry *stack, struct string *key);
void assstack_push(struct assstack_entry **stack, struct assstack_entry *item);
void assstack_insertbottom(struct assstack_entry **stack, struct assstack_entry *item);
void printsoa(struct string *soa);
void printrrs(char *defaultttl, struct assstack_entry *item);
void print_zone(char *defaultttl, struct assstack_entry *stack);
void usage(char *name);
void err(char *name, const char *msg);
int putrr(struct assstack_entry **stack, struct berval *name, char *type, char *ttl, struct berval *val);
struct assstack_entry *assstack_find(struct assstack_entry *stack, struct string *key) {
for (; stack; stack = stack->next)
if (stack->key.len == key->len && !memcmp(stack->key.data, key->data, key->len))
return stack;
return NULL;
}
void assstack_push(struct assstack_entry **stack, struct assstack_entry *item) {
item->next = *stack;
*stack = item;
}
void assstack_insertbottom(struct assstack_entry **stack, struct assstack_entry *item) {
struct assstack_entry *p;
item->next = NULL;
if (!*stack) {
*stack = item;
return;
}
/* find end, should keep track of end somewhere */
/* really a queue, not a stack */
p = *stack;
while (p->next)
p = p->next;
p->next = item;
}
void printsoa(struct string *soa) {
char *s;
size_t i;
s = (char *)soa->data;
i = 0;
while (i < soa->len) {
putchar(s[i]);
if (s[i++] == ' ')
break;
}
while (i < soa->len) {
putchar(s[i]);
if (s[i++] == ' ')
break;
}
printf("(\n\t\t\t\t");
while (i < soa->len) {
putchar(s[i]);
if (s[i++] == ' ')
break;
}
printf("; Serialnumber\n\t\t\t\t");
while (i < soa->len) {
if (s[i] == ' ')
break;
putchar(s[i++]);
}
i++;
printf("\t; Refresh\n\t\t\t\t");
while (i < soa->len) {
if (s[i] == ' ')
break;
putchar(s[i++]);
}
i++;
printf("\t; Retry\n\t\t\t\t");
while (i < soa->len) {
if (s[i] == ' ')
break;
putchar(s[i++]);
}
i++;
printf("\t; Expire\n\t\t\t\t");
while (i < soa->len) {
putchar(s[i++]);
}
printf(" )\t; Minimum TTL\n");
}
void printrrs(char *defaultttl, struct assstack_entry *item) {
struct assstack_entry *stack;
char *s;
int first;
size_t i;
char *ttl, *type;
int top;
s = (char *)item->key.data;
if (item->key.len == 1 && *s == '@') {
top = 1;
printf("@\t");
} else {
top = 0;
for (i = 0; i < item->key.len; i++)
putchar(s[i]);
if (item->key.len < 8)
putchar('\t');
putchar('\t');
}
first = 1;
for (stack = (struct assstack_entry *) item->val.data; stack; stack = stack->next) {
ttl = (char *)stack->key.data;
s = strchr(ttl, ' ');
*s++ = '\0';
type = s;
if (first)
first = 0;
else
printf("\t\t");
if (strcmp(defaultttl, ttl))
printf("%s", ttl);
putchar('\t');
if (top) {
top = 0;
printf("IN\t%s\t", type);
/* Should always be SOA here */
if (!strcmp(type, "SOA")) {
printsoa(&stack->val);
continue;
}
} else
printf("%s\t", type);
s = (char *)stack->val.data;
for (i = 0; i < stack->val.len; i++)
putchar(s[i]);
putchar('\n');
}
}
void print_zone(char *defaultttl, struct assstack_entry *stack) {
printf("$TTL %s\n", defaultttl);
for (; stack; stack = stack->next)
printrrs(defaultttl, stack);
};
void usage(char *name) {
fprintf(stderr, "Usage:%s zone-name LDAP-URL default-ttl [serial]\n", name);
exit(1);
};
void err(char *name, const char *msg) {
fprintf(stderr, "%s: %s\n", name, msg);
exit(1);
};
int putrr(struct assstack_entry **stack, struct berval *name, char *type, char *ttl, struct berval *val) {
struct string key;
struct assstack_entry *rr, *rrdata;
/* Do nothing if name or value have 0 length */
if (!name->bv_len || !val->bv_len)
return 0;
/* see if already have an entry for this name */
key.len = name->bv_len;
key.data = name->bv_val;
rr = assstack_find(*stack, &key);
if (!rr) {
/* Not found, create and push new entry */
rr = (struct assstack_entry *) malloc(sizeof(struct assstack_entry));
if (!rr)
return -1;
rr->key.len = name->bv_len;
rr->key.data = (void *) malloc(rr->key.len);
if (!rr->key.data) {
free(rr);
return -1;
}
memcpy(rr->key.data, name->bv_val, name->bv_len);
rr->val.len = sizeof(void *);
rr->val.data = NULL;
if (name->bv_len == 1 && *(char *)name->bv_val == '@')
assstack_push(stack, rr);
else
assstack_insertbottom(stack, rr);
}
rrdata = (struct assstack_entry *) malloc(sizeof(struct assstack_entry));
if (!rrdata) {
free(rr->key.data);
free(rr);
return -1;
}
rrdata->key.len = strlen(type) + strlen(ttl) + 1;
rrdata->key.data = (void *) malloc(rrdata->key.len);
if (!rrdata->key.data) {
free(rrdata);
free(rr->key.data);
free(rr);
return -1;
}
sprintf((char *)rrdata->key.data, "%s %s", ttl, type);
rrdata->val.len = val->bv_len;
rrdata->val.data = (void *) malloc(val->bv_len);
if (!rrdata->val.data) {
free(rrdata->key.data);
free(rrdata);
free(rr->key.data);
free(rr);
return -1;
}
memcpy(rrdata->val.data, val->bv_val, val->bv_len);
if (!strcmp(type, "SOA"))
assstack_push((struct assstack_entry **) &(rr->val.data), rrdata);
else
assstack_insertbottom((struct assstack_entry **) &(rr->val.data), rrdata);
return 0;
}
int main(int argc, char **argv) {
char *s, *hostporturl, *base = NULL;
char *ttl, *defaultttl;
LDAP *ld;
char *fltr = NULL;
LDAPMessage *res, *e;
char *a, **ttlvals, **soavals, *serial;
struct berval **vals, **names;
char type[64];
BerElement *ptr;
int i, j, rc, msgid;
struct assstack_entry *zone = NULL;
if (argc < 4 || argc > 5)
usage(argv[0]);
hostporturl = argv[2];
if (hostporturl != strstr( hostporturl, "ldap"))
err(argv[0], "Not an LDAP URL");
s = strchr(hostporturl, ':');
if (!s || strlen(s) < 3 || s[1] != '/' || s[2] != '/')
err(argv[0], "Not an LDAP URL");
s = strchr(s+3, '/');
if (s) {
*s++ = '\0';
base = s;
s = strchr(base, '?');
if (s)
err(argv[0], "LDAP URL can only contain host, port and base");
}
defaultttl = argv[3];
rc = ldap_initialize(&ld, hostporturl);
if (rc != LDAP_SUCCESS)
err(argv[0], "ldap_initialize() failed");
if (argc == 5) {
/* serial number specified, check if different from one in SOA */
fltr = (char *)malloc(strlen(argv[1]) + strlen("(&(relativeDomainName=@)(zoneName=))") + 1);
sprintf(fltr, "(&(relativeDomainName=@)(zoneName=%s))", argv[1]);
msgid = ldap_search(ld, base, LDAP_SCOPE_SUBTREE, fltr, NULL, 0);
if (msgid == -1)
err(argv[0], "ldap_search() failed");
while ((rc = ldap_result(ld, msgid, 0, NULL, &res)) != LDAP_RES_SEARCH_RESULT ) {
/* not supporting continuation references at present */
if (rc != LDAP_RES_SEARCH_ENTRY)
err(argv[0], "ldap_result() returned cont.ref? Exiting");
/* only one entry per result message */
e = ldap_first_entry(ld, res);
if (e == NULL) {
ldap_msgfree(res);
err(argv[0], "ldap_first_entry() failed");
}
soavals = ldap_get_values(ld, e, "SOARecord");
if (soavals)
break;
}
ldap_msgfree(res);
if (!soavals) {
err(argv[0], "No SOA Record found");
}
/* We have a SOA, compare serial numbers */
/* Only checkinf first value, should be only one */
s = strchr(soavals[0], ' ');
s++;
s = strchr(s, ' ');
s++;
serial = s;
s = strchr(s, ' ');
*s = '\0';
if (!strcmp(serial, argv[4])) {
ldap_value_free(soavals);
err(argv[0], "serial numbers match");
}
ldap_value_free(soavals);
}
if (!fltr)
fltr = (char *)malloc(strlen(argv[1]) + strlen("(zoneName=)") + 1);
if (!fltr)
err(argv[0], "Malloc failed");
sprintf(fltr, "(zoneName=%s)", argv[1]);
msgid = ldap_search(ld, base, LDAP_SCOPE_SUBTREE, fltr, NULL, 0);
if (msgid == -1)
err(argv[0], "ldap_search() failed");
while ((rc = ldap_result(ld, msgid, 0, NULL, &res)) != LDAP_RES_SEARCH_RESULT ) {
/* not supporting continuation references at present */
if (rc != LDAP_RES_SEARCH_ENTRY)
err(argv[0], "ldap_result() returned cont.ref? Exiting");
/* only one entry per result message */
e = ldap_first_entry(ld, res);
if (e == NULL) {
ldap_msgfree(res);
err(argv[0], "ldap_first_entry() failed");
}
names = ldap_get_values_len(ld, e, "relativeDomainName");
if (!names)
continue;
ttlvals = ldap_get_values(ld, e, "dNSTTL");
ttl = ttlvals ? ttlvals[0] : defaultttl;
for (a = ldap_first_attribute(ld, e, &ptr); a != NULL; a = ldap_next_attribute(ld, e, ptr)) {
char *s;
for (s = a; *s; s++)
*s = toupper(*s);
s = strstr(a, "RECORD");
if ((s == NULL) || (s == a) || (s - a >= (signed int)sizeof(type))) {
ldap_memfree(a);
continue;
}
strncpy(type, a, s - a);
type[s - a] = '\0';
vals = ldap_get_values_len(ld, e, a);
if (vals) {
for (i = 0; vals[i]; i++)
for (j = 0; names[j]; j++)
if (putrr(&zone, names[j], type, ttl, vals[i]))
err(argv[0], "malloc failed");
ldap_value_free_len(vals);
}
ldap_memfree(a);
}
if (ptr)
ber_free(ptr, 0);
if (ttlvals)
ldap_value_free(ttlvals);
ldap_value_free_len(names);
/* free this result */
ldap_msgfree(res);
}
/* free final result */
ldap_msgfree(res);
print_zone(defaultttl, zone);
return 0;
}

12
named-chroot-setup.service Normal file
View File

@ -0,0 +1,12 @@
[Unit]
Description=Set-up/destroy chroot environment for named (DNS)
BindsTo=named-chroot.service
Wants=named-setup-rndc.service
After=named-setup-rndc.service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/libexec/setup-named-chroot.sh /var/named/chroot on /etc/named-chroot.files
ExecStop=/usr/libexec/setup-named-chroot.sh /var/named/chroot off /etc/named-chroot.files

23
named-chroot.files Normal file
View File

@ -0,0 +1,23 @@
# Configuration of files used in chroot
# Following files are made available after named-chroot.service start
# if they are missing or empty in target directory.
/etc/localtime
/etc/named.root.key
/etc/named.conf
/etc/named.rfc1912.zones
/etc/rndc.conf
/etc/rndc.key
/etc/named.iscdlv.key
/etc/crypto-policies/back-ends/bind.config
/etc/protocols
/etc/services
/etc/named.dnssec.keys
/etc/pki/dnssec-keys
/etc/named
/usr/lib64/bind
/usr/lib/bind
/run/named
# Warning: the order is important
# If a directory containing $ROOTDIR is listed here,
# it MUST be listed last. (/var/named contains /var/named/chroot)
/var/named

30
named-chroot.service Normal file
View File

@ -0,0 +1,30 @@
# Don't forget to add "$AddUnixListenSocket /var/named/chroot/dev/log"
# line to your /etc/rsyslog.conf file. Otherwise your logging becomes
# broken when rsyslogd daemon is restarted (due update, for example).
[Unit]
Description=Berkeley Internet Name Domain (DNS)
Wants=nss-lookup.target
Requires=named-chroot-setup.service
Before=nss-lookup.target
After=named-chroot-setup.service
After=network.target
[Service]
Type=forking
Environment=NAMEDCONF=/etc/named.conf
EnvironmentFile=-/etc/sysconfig/named
Environment=KRB5_KTNAME=/etc/named.keytab
PIDFile=/var/named/chroot/run/named/named.pid
ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} -t /var/named/chroot $OPTIONS
ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'
ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
PrivateTmp=false
[Install]
WantedBy=multi-user.target

26
named-pkcs11.service Normal file
View File

@ -0,0 +1,26 @@
[Unit]
Description=Berkeley Internet Name Domain (DNS) with native PKCS#11
Wants=nss-lookup.target
Wants=named-setup-rndc.service
Before=nss-lookup.target
After=network.target
After=named-setup-rndc.service
[Service]
Type=forking
Environment=NAMEDCONF=/etc/named.conf
EnvironmentFile=-/etc/sysconfig/named
Environment=KRB5_KTNAME=/etc/named.keytab
PIDFile=/run/named/named.pid
ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
ExecStart=/usr/sbin/named-pkcs11 -u named -c ${NAMEDCONF} $OPTIONS
ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'
ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
PrivateTmp=true
[Install]
WantedBy=multi-user.target

12
named-sdb-chroot-setup.service Normal file
View File

@ -0,0 +1,12 @@
[Unit]
Description=Set-up/destroy chroot environment for named-sdb
BindsTo=named-sdb-chroot.service
Wants=named-setup-rndc.service
After=named-setup-rndc.service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/libexec/setup-named-chroot.sh /var/named/chroot_sdb on /etc/named-chroot.files
ExecStop=/usr/libexec/setup-named-chroot.sh /var/named/chroot_sdb off /etc/named-chroot.files

30
named-sdb-chroot.service Normal file
View File

@ -0,0 +1,30 @@
# Don't forget to add "$AddUnixListenSocket /var/named/chroot_sdb/dev/log"
# line to your /etc/rsyslog.conf file. Otherwise your logging becomes
# broken when rsyslogd daemon is restarted (due update, for example).
[Unit]
Description=Berkeley Internet Name Domain (DNS)
Wants=nss-lookup.target
Requires=named-sdb-chroot-setup.service
Before=nss-lookup.target
After=named-sdb-chroot-setup.service
After=network.target
[Service]
Type=forking
Environment=NAMEDCONF=/etc/named.conf
EnvironmentFile=-/etc/sysconfig/named
Environment=KRB5_KTNAME=/etc/named.keytab
PIDFile=/var/named/chroot_sdb/run/named/named.pid
ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot_sdb -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
ExecStart=/usr/sbin/named-sdb -u named -c ${NAMEDCONF} -t /var/named/chroot_sdb $OPTIONS
ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'
ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
PrivateTmp=false
[Install]
WantedBy=multi-user.target

1
named-sdb.8 Normal file
View File

@ -0,0 +1 @@
.so man8/named.8.gz

26
named-sdb.service Normal file
View File

@ -0,0 +1,26 @@
[Unit]
Description=Berkeley Internet Name Domain (DNS)
Wants=nss-lookup.target
Wants=named-setup-rndc.service
Before=nss-lookup.target
After=named-setup-rndc.service
After=network.target
[Service]
Type=forking
Environment=NAMEDCONF=/etc/named.conf
EnvironmentFile=-/etc/sysconfig/named
Environment=KRB5_KTNAME=/etc/named.keytab
PIDFile=/run/named/named.pid
ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
ExecStart=/usr/sbin/named-sdb -u named -c ${NAMEDCONF} $OPTIONS
ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'
ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
PrivateTmp=true
[Install]
WantedBy=multi-user.target

7
named-setup-rndc.service Normal file
View File

@ -0,0 +1,7 @@
[Unit]
Description=Generate rndc key for BIND (DNS)
[Service]
Type=oneshot
ExecStart=/usr/libexec/generate-rndc-key.sh

59
named.conf Normal file
View File

@ -0,0 +1,59 @@
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
allow-query { localhost; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

252
named.conf.sample Normal file
View File

@ -0,0 +1,252 @@
/*
Sample named.conf BIND DNS server 'named' configuration file
for the Red Hat BIND distribution.
See the BIND Administrator's Reference Manual (ARM) for details, in:
file:///usr/share/doc/bind-{version}/arm/Bv9ARM.html
Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
its manual.
*/
options
{
// Put files that named is allowed to write in the data/ directory:
directory "/var/named"; // "Working" directory
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";
secroots-file "data/named.secroots";
recursing-file "data/named.recursing";
/*
Specify listenning interfaces. You can use list of addresses (';' is
delimiter) or keywords "any"/"none"
*/
//listen-on port 53 { any; };
listen-on port 53 { 127.0.0.1; };
//listen-on-v6 port 53 { any; };
listen-on-v6 port 53 { ::1; };
/*
Access restrictions
There are two important options:
allow-query { argument; };
- allow queries for authoritative data
allow-query-cache { argument; };
- allow queries for non-authoritative data (mostly cached data)
You can use address, network address or keywords "any"/"localhost"/"none" as argument
Examples:
allow-query { localhost; 10.0.0.1; 192.168.1.0/8; };
allow-query-cache { ::1; fe80::5c63:a8ff:fe2f:4526; 10.0.0.1; };
*/
allow-query { localhost; };
allow-query-cache { localhost; };
/* Enable/disable recursion - recursion yes/no;
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
/* DNSSEC related options. See information about keys ("Trusted keys", bellow) */
/* Enable serving of DNSSEC related data - enable on both authoritative
and recursive servers DNSSEC aware servers */
dnssec-enable yes;
/* Enable DNSSEC validation on recursive servers */
dnssec-validation yes;
/* In Fedora we use /run/named instead of default /var/run/named
so we have to configure paths properly. */
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
managed-keys-directory "/var/named/dynamic";
/* In Fedora we use system-wide Crypto Policy */
/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";
};
logging
{
/* If you want to enable debugging, eg. using the 'rndc trace' command,
* named will try to write the 'named.run' file in the $directory (/var/named).
* By default, SELinux policy does not allow named to modify the /var/named directory,
* so put the default debug log file in data/ :
*/
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
/*
Views let a name server answer a DNS query differently depending on who is asking.
By default, if named.conf contains no "view" clauses, all zones are in the
"default" view, which matches all clients.
Views are processed sequentially. The first match is used so the last view should
match "any" - it's fallback and the most restricted view.
If named.conf contains any "view" clause, then all zones MUST be in a view.
*/
view "localhost_resolver"
{
/* This view sets up named to be a localhost resolver ( caching only nameserver ).
* If all you want is a caching-only nameserver, then you need only define this view:
*/
match-clients { localhost; };
recursion yes;
# all views must contain the root hints zone:
zone "." IN {
type hint;
file "/var/named/named.ca";
};
/* these are zones that contain definitions for all the localhost
* names and addresses, as recommended in RFC1912 - these names should
* not leak to the other nameservers:
*/
include "/etc/named.rfc1912.zones";
};
view "internal"
{
/* This view will contain zones you want to serve only to "internal" clients
that connect via your directly attached LAN interfaces - "localnets" .
*/
match-clients { localnets; };
recursion yes;
zone "." IN {
type hint;
file "/var/named/named.ca";
};
/* these are zones that contain definitions for all the localhost
* names and addresses, as recommended in RFC1912 - these names should
* not leak to the other nameservers:
*/
include "/etc/named.rfc1912.zones";
// These are your "authoritative" internal zones, and would probably
// also be included in the "localhost_resolver" view above :
/*
NOTE for dynamic DNS zones and secondary zones:
DO NOT USE SAME FILES IN MULTIPLE VIEWS!
If you are using views and DDNS/secondary zones it is strongly
recommended to read FAQ on ISC site (www.isc.org), section
"Configuration and Setup Questions", questions
"How do I share a dynamic zone between multiple views?" and
"How can I make a server a slave for both an internal and an external
view at the same time?"
*/
zone "my.internal.zone" {
type master;
file "my.internal.zone.db";
};
zone "my.slave.internal.zone" {
type slave;
file "slaves/my.slave.internal.zone.db";
masters { /* put master nameserver IPs here */ 127.0.0.1; } ;
// put slave zones in the slaves/ directory so named can update them
};
zone "my.ddns.internal.zone" {
type master;
allow-update { key ddns_key; };
file "dynamic/my.ddns.internal.zone.db";
// put dynamically updateable zones in the slaves/ directory so named can update them
};
};
key ddns_key
{
algorithm hmac-md5;
secret "use /usr/sbin/dnssec-keygen to generate TSIG keys";
};
view "external"
{
/* This view will contain zones you want to serve only to "external" clients
* that have addresses that are not match any above view:
*/
match-clients { any; };
zone "." IN {
type hint;
file "/var/named/named.ca";
};
recursion no;
// you'd probably want to deny recursion to external clients, so you don't
// end up providing free DNS service to all takers
// These are your "authoritative" external zones, and would probably
// contain entries for just your web and mail servers:
zone "my.external.zone" {
type master;
file "my.external.zone.db";
};
};
/* Trusted keys
This statement contains DNSSEC keys. If you want DNSSEC aware resolver you
have to configure at least one trusted key.
Note that no key written below is valid. Especially root key because root zone
is not signed yet.
*/
/*
trusted-keys {
// Root Key
"." 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwSJxrGkxJWoZu6I7PzJu/
E9gx4UC1zGAHlXKdE4zYIpRhaBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3
zy2Xy4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYghf+6fElrmLkdaz
MQ2OCnACR817DF4BBa7UR/beDHyp5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M
/lUUVRbkeg1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq66gKodQj+M
iA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ97S+LKUTpQcq27R7AT3/V5hRQxScI
Nqwcz4jYqZD2fQdgxbcDTClU0CRBdiieyLMNzXG3";
// Key for forward zone
example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM65KbhTjrW1ZaARmPhEZZe
3Y9ifgEuq7vZ/zGZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb4JKUbb
OTcM8pwXlj0EiX3oDFVmjHO444gLkBO UKUf/mC7HvfwYH/Be22GnC
lrinKJp1Og4ywzO9WglMk7jbfW33gUKvirTHr25GL7STQUzBb5Usxt
8lgnyTUHs1t3JwCY5hKZ6CqFxmAVZP20igTixin/1LcrgX/KMEGd/b
iuvF4qJCyduieHukuY3H4XMAcR+xia2 nIUPvm/oyWR8BW/hWdzOvn
SCThlHf3xiYleDbt/o1OTQ09A0=";
// Key for reverse zone.
2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwcxOdNax071L18QqZnQQQA
VVr+iLhGTnNGp3HoWQLUIzKrJVZ3zggy3WwNT6kZo6c0
tszYqbtvchmgQC8CzKojM/W16i6MG/ea fGU3siaOdS0
yOI6BgPsw+YZdzlYMaIJGf4M4dyoKIhzdZyQ2bYQrjyQ
4LB0lC7aOnsMyYKHHYeRv PxjIQXmdqgOJGq+vsevG06
zW+1xgYJh9rCIfnm1GX/KMgxLPG2vXTD/RnLX+D3T3UL
7HJYHJhAZD5L59VvjSPsZJHeDCUyWYrvPZesZDIRvhDD
52SKvbheeTJUm6EhkzytNN2SN96QRk8j/iI8ib";
};
*/

12
named.logrotate Normal file
View File

@ -0,0 +1,12 @@
/var/named/data/named.run {
missingok
su named named
create 0644 named named
postrotate
/usr/bin/systemctl reload named.service > /dev/null 2>&1 || true
/usr/bin/systemctl reload named-chroot.service > /dev/null 2>&1 || true
/usr/bin/systemctl reload named-sdb.service > /dev/null 2>&1 || true
/usr/bin/systemctl reload named-sdb-chroot.service > /dev/null 2>&1 || true
/usr/bin/systemctl reload named-pkcs11.service > /dev/null 2>&1 || true
endscript
}

6
named.rwtab Normal file
View File

@ -0,0 +1,6 @@
dirs /var/named
files /var/named/named.ca
files /var/named/named.empty
files /var/named/named.localhost
files /var/named/named.loopback

26
named.service Normal file
View File

@ -0,0 +1,26 @@
[Unit]
Description=Berkeley Internet Name Domain (DNS)
Wants=nss-lookup.target
Wants=named-setup-rndc.service
Before=nss-lookup.target
After=named-setup-rndc.service
After=network.target
[Service]
Type=forking
Environment=NAMEDCONF=/etc/named.conf
EnvironmentFile=-/etc/sysconfig/named
Environment=KRB5_KTNAME=/etc/named.keytab
PIDFile=/run/named/named.pid
ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS
ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'
ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
PrivateTmp=true
[Install]
WantedBy=multi-user.target

17
named.sysconfig Normal file
View File

@ -0,0 +1,17 @@
# BIND named process options
# ~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# OPTIONS="whatever" -- These additional options will be passed to named
# at startup. Don't add -t here, enable proper
# -chroot.service unit file.
#
# NAMEDCONF=/etc/named/alternate.conf
# -- Don't use -c to change configuration file.
# Extend systemd named.service instead or use this
# variable.
#
# DISABLE_ZONE_CHECKING -- By default, service file calls named-checkzone
# utility for every zone to ensure all zones are
# valid before named starts. If you set this option
# to 'yes' then service file doesn't perform those
# checks.

BIN
random.data Normal file
View File

Binary file not shown.

117
setup-named-chroot.sh Normal file
View File

@ -0,0 +1,117 @@
#!/bin/bash
ROOTDIR="$1"
CONFIG_FILES="${3:-/etc/named-chroot.files}"
usage()
{
echo
echo 'This script setups chroot environment for BIND'
echo 'Usage: setup-named-chroot.sh ROOTDIR <on|off> [chroot.files]'
}
if ! [ "$#" -ge 2 -a "$#" -le 3 ]; then
echo 'Wrong number of arguments'
usage
exit 1
fi
# Exit if ROOTDIR doesn't exist
if ! [ -d "$ROOTDIR" ]; then
echo "Root directory $ROOTDIR doesn't exist"
usage
exit 1
fi
if ! [ -r "$CONFIG_FILES" ]; then
echo "Files list $CONFIG_FILES doesn't exist" 2>&1
usage
exit 1
fi
dev_create()
{
DEVNAME="$ROOTDIR/dev/$1"
shift
if ! [ -e "$DEVNAME" ]; then
/bin/mknod -m 0664 "$DEVNAME" $@
/bin/chgrp named "$DEVNAME"
if [ -x /usr/sbin/selinuxenabled -a -x /sbin/restorecon ]; then
/usr/sbin/selinuxenabled && /sbin/restorecon "$DEVNAME" > /dev/null || :
fi
fi
}
dev_chroot_prep()
{
dev_create random c 1 8
dev_create urandom c 1 9
dev_create zero c 1 5
dev_create null c 1 3
}
files_comment_filter()
{
if [ -d "$1" ]; then
grep -v '^[[:space:]]*#' "$1"/*.files
else
grep -v '^[[:space:]]*#' "$1"
fi
}
mount_chroot_conf()
{
if [ -n "$ROOTDIR" ]; then
# Check devices are prepared
dev_chroot_prep
files_comment_filter "$CONFIG_FILES" | while read -r all; do
# Skip nonexistant files
[ -e "$all" ] || continue
# If mount source is a file
if ! [ -d "$all" ]; then
# mount it only if it is not present in chroot or it is empty
if ! [ -e "$ROOTDIR$all" ] || [ `stat -c'%s' "$ROOTDIR$all"` -eq 0 ]; then
touch "$ROOTDIR$all"
mount --bind "$all" "$ROOTDIR$all"
fi
else
# Mount source is a directory. Mount it only if directory in chroot is
# empty.
if [ -e "$all" ] && [ `ls -1A $ROOTDIR$all | wc -l` -eq 0 ]; then
mount --bind --make-private "$all" "$ROOTDIR$all"
fi
fi
done
fi
}
umount_chroot_conf()
{
if [ -n "$ROOTDIR" ]; then
files_comment_filter "$CONFIG_FILES" | while read -r all; do
# Check if file is mount target. Do not use /proc/mounts because detecting
# of modified mounted files can fail.
if mount | grep -q '.* on '"$ROOTDIR$all"' .*'; then
umount "$ROOTDIR$all"
# Remove temporary created files
[ -f "$all" ] && rm -f "$ROOTDIR$all"
fi
done
fi
}
case "$2" in
on)
mount_chroot_conf
;;
off)
umount_chroot_conf
;;
*)
echo 'Second argument has to be "on" or "off"'
usage
exit 1
esac
exit 0

55
setup-named-softhsm.sh Normal file
View File

@ -0,0 +1,55 @@
#!/bin/sh
#
# This script will initialise token storage of softhsm PKCS11 provider
# in custom location. Is useful to store tokens in non-standard location.
SOFTHSM2_CONF="$1"
TOKENPATH="$2"
GROUPNAME="$3"
# Do not use this script for real keys worth protection
# This is intended for crypto accelerators using PKCS11 interface.
# Uninitialized token would fail any crypto operation.
PIN=1234
set -e
if [ -z "$SOFTHSM2_CONF" -o -z "$TOKENPATH" ]; then
echo "Usage: $0 <config file> <token directory> [group]" >&2
exit 1
fi
if ! [ -f "$SOFTHSM2_CONF" ]; then
cat << SED > "$SOFTHSM2_CONF"
# SoftHSM v2 configuration file
directories.tokendir = ${TOKENPATH}
objectstore.backend = file
# ERROR, WARNING, INFO, DEBUG
log.level = ERROR
# If CKF_REMOVABLE_DEVICE flag should be set
slots.removable = false
SED
else
echo "Config file $SOFTHSM2_CONF already exists" >&2
fi
[ -d "$TOKENPATH" ] || mkdir -p "$TOKENPATH"
export SOFTHSM2_CONF
if softhsm2-util --show-slots | grep 'Initialized:[[:space:]]*yes' > /dev/null
then
echo "Token in ${TOKENPATH} is already initialized" >&2
else
echo "Initializing tokens to ${TOKENPATH}..."
softhsm2-util --init-token --free --label rpm --pin $PIN --so-pin $PIN
if [ -n "$GROUPNAME" ]; then
chgrp -R -- "$GROUPNAME" "$TOKENPATH"
chmod -R -- g=rX,o= "$TOKENPATH"
fi
fi
echo "export SOFTHSM2_CONF=\"$SOFTHSM2_CONF\""

2
trusted-key.key Normal file
View File

@ -0,0 +1,2 @@
. 3600 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
. 3600 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=

53
zone2sqlite.1 Normal file
View File

@ -0,0 +1,53 @@
.\" Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000, 2001 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.\" Manpage written by Jan Gorig
.TH zone2sqlite 1 "15 March 2010" "BIND9"
.SH NAME
zone2sqlite - Load BIND 9 zone file into SQLite database
.SH SYNOPSIS
.B zone2sqlite zone zonefile dbfile dbtable
.SH DESCRIPTION
zone2sqlite parses DNS zone file and creates database for use with SQLite BIND SDB driver.
\fBzone\fR
.RS 4
Zone origin, eg "mydomain.net."
.RE
.PP
\fBzonefile\fR
.RS 4
Master zone database file, eg. mydomain.net.zone
.RE
.PP
\fBdbfile\fR
.RS 4
Name of SQLite database file
.RE
.PP
\fBdbtable\fR
.RS 4
Name of table in database
.RE
.SH "EXIT STATUS"
Exits with 0 on success or 1 on failure.
.SH "SEE ALSO"
named(8)
.SH "COPYRIGHT"
Copyright \(co 2004, 2005, 2007\-2009 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2000, 2001 Internet Software Consortium.
.br

53
zonetodb.1 Normal file
View File

@ -0,0 +1,53 @@
.\" Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000, 2001 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.\" Manpage written by Jan Gorig
.TH zonetodb 1 "15 March 2010" "BIND9"
.SH NAME
zonetodb - Generate a PostgreSQL table from a zone.
.SH SYNOPSIS
.B zonetodb origin file dbname dbtable
.SH DESCRIPTION
zonetodb parses DNS zone file and creates table in selected database for use with PostgreSQL BIND SDB driver.
\fBzone\fR
.RS 4
Zone origin, eg "pgdb.net."
.RE
.PP
\fBfile\fR
.RS 4
Master zone database file, eg. pgdb.net.db
.RE
.PP
\fBdbname\fR
.RS 4
Name of PostgreSQL database (database must exist)
.RE
.PP
\fBdbtable\fR
.RS 4
Name of table in database
.RE
.SH "EXIT STATUS"
Exits with 0 on success or 1 on failure.
.SH "SEE ALSO"
named(8)
.SH "COPYRIGHT"
Copyright \(co 2004, 2005, 2007\-2009 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2000, 2001 Internet Software Consortium.
.br