diff --git a/1314-master-dnssec-checkds-s.patch b/1314-master-dnssec-checkds-s.patch
new file mode 100644
index 0000000000000000000000000000000000000000..461847171180313ceaad6ec13962f8f16dffa513
--- /dev/null
+++ b/1314-master-dnssec-checkds-s.patch
@@ -0,0 +1,183 @@ +From 3b4f23cdbfa3f285d06eea8c4101650d2ab4e945 Mon Sep 17 00:00:00 2001 +From: Evan Hunt +Date: Thu, 26 Oct 2017 21:05:11 -0700 +Subject: [PATCH 1314/3677] [master] dnssec-checkds -s + +4794. [func] "dnssec-checkds -s" specifies a file from which + to read a DS set rather than querying the parent. + [RT #44667] +--- + CHANGES | 8 +- + bin/python/dnssec-checkds.docbook | 24 +++--- + bin/python/isc/checkds.py.in | 49 ++++++----- + bin/tests/system/checkds/clean.sh | 2 - + bin/tests/system/checkds/dig.pl | 2 - + bin/tests/system/checkds/dig.sh | 3 - + bin/tests/system/checkds/prep.example.db | 121 ++++++++++++++++++++++++++++ + bin/tests/system/checkds/prep.example.ds.db | 2 + + bin/tests/system/checkds/tests.sh | 9 +++ + doc/arm/notes.xml | 8 ++ + 10 files changed, 190 insertions(+), 38 deletions(-) + create mode 100644 bin/tests/system/checkds/prep.example.db + create mode 100644 bin/tests/system/checkds/prep.example.ds.db + +diff --git a/bin/python/dnssec-checkds.docbook b/bin/python/dnssec-checkds.docbook +index 91716bc..069d6e9 100644 +--- a/bin/python/dnssec-checkds.docbook ++++ b/bin/python/dnssec-checkds.docbook +@@ -42,20 +42,13 @@ + + + dnssec-checkds +- +- + + +- zone +- +- +- dnssec-dsfromkey +- + +- +- ++ ++ + zone +- ++ + + + DESCRIPTION +@@ -93,6 +86,17 @@ + + + ++ -s file ++ ++ ++ Specifies a prepared dsset file, such as would be generated ++ by dnssec-signzone, to use as a source for ++ the DS RRset instead of querying the parent. 
++ ++ ++ ++ ++ + -d dig path + + +diff --git a/bin/python/isc/checkds.py.in b/bin/python/isc/checkds.py.in +index ce50355..a161554 100644 +--- a/bin/python/isc/checkds.py.in ++++ b/bin/python/isc/checkds.py.in +@@ -34,7 +34,11 @@ class SECRR: + if not rrtext: + raise Exception + +- fields = rrtext.decode('ascii').split() ++ # 'str' does not have decode method in python3 ++ if type(rrtext) is not str: ++ fields = rrtext.decode('ascii').split() ++ else: ++ fields = rrtext.split() + if len(fields) < 7: + raise Exception + +@@ -89,35 +93,39 @@ class SECRR: + # Generate a set of expected DS/DLV records from the DNSKEY RRset, + # and report on congruency. + ############################################################################ +-def check(zone, args, masterfile=None, lookaside=None): ++def check(zone, args): + rrlist = [] +- cmd = [args.dig, "+noall", "+answer", "-t", "dlv" if lookaside else "ds", +- "-q", zone + "." + lookaside if lookaside else zone] +- fp, _ = Popen(cmd, stdout=PIPE).communicate() ++ if args.dssetfile: ++ fp = open(args.dssetfile).read() ++ else: ++ cmd = [args.dig, "+noall", "+answer", "-t", ++ "dlv" if args.lookaside else "ds", "-q", ++ zone + "." 
+ args.lookaside if args.lookaside else zone] ++ fp, _ = Popen(cmd, stdout=PIPE).communicate() + + for line in fp.splitlines(): +- rrlist.append(SECRR(line, lookaside)) ++ rrlist.append(SECRR(line, args.lookaside)) + rrlist = sorted(rrlist, key=lambda rr: (rr.keyid, rr.keyalg, rr.hashalg)) + + klist = [] + +- if masterfile: +- cmd = [args.dsfromkey, "-f", masterfile] +- if lookaside: +- cmd += ["-l", lookaside] ++ if args.masterfile: ++ cmd = [args.dsfromkey, "-f", args.masterfile] ++ if args.lookaside: ++ cmd += ["-l", args.lookaside] + cmd.append(zone) + fp, _ = Popen(cmd, stdout=PIPE).communicate() + else: + intods, _ = Popen([args.dig, "+noall", "+answer", "-t", "dnskey", + "-q", zone], stdout=PIPE).communicate() + cmd = [args.dsfromkey, "-f", "-"] +- if lookaside: +- cmd += ["-l", lookaside] ++ if args.lookaside: ++ cmd += ["-l", args.lookaside] + cmd.append(zone) + fp, _ = Popen(cmd, stdin=PIPE, stdout=PIPE).communicate(intods) + + for line in fp.splitlines(): +- klist.append(SECRR(line, lookaside)) ++ klist.append(SECRR(line, args.lookaside)) + + if len(klist) < 1: + print("No DNSKEY records found in zone apex") +@@ -136,7 +144,8 @@ def check(zone, args, masterfile=None, lookaside=None): + rr.keyid, SECRR.hashalgs[rr.hashalg])) + + if not found: +- print("No %s records were found for any DNSKEY" % ("DLV" if lookaside else "DS")) ++ print("No %s records were found for any DNSKEY" % ++ ("DLV" if args.lookaside else "DS")) + + return found + +@@ -151,10 +160,6 @@ def parse_args(): + sbindir = 'bin' if os.name == 'nt' else 'sbin' + + parser.add_argument('zone', type=str, help='zone to check') +- parser.add_argument('-f', '--file', dest='masterfile', type=str, +- help='zone master file') +- parser.add_argument('-l', '--lookaside', dest='lookaside', type=str, +- help='DLV lookaside zone') + parser.add_argument('-d', '--dig', dest='dig', + default=os.path.join(prefix(bindir), 'dig'), + type=str, help='path to \'dig\'') +@@ -162,6 +167,12 @@ def parse_args(): + 
default=os.path.join(prefix(sbindir), + 'dnssec-dsfromkey'), + type=str, help='path to \'dig\'') ++ parser.add_argument('-f', '--file', dest='masterfile', type=str, ++ help='zone master file') ++ parser.add_argument('-l', '--lookaside', dest='lookaside', type=str, ++ help='DLV lookaside zone') ++ parser.add_argument('-s', '--dsset', dest='dssetfile', type=str, ++ help='prepared DSset file') + parser.add_argument('-v', '--version', action='version', + version=version) + args = parser.parse_args() +@@ -178,5 +189,5 @@ def parse_args(): + ############################################################################ + def main(): + args = parse_args() +- found = check(args.zone, args, args.masterfile, args.lookaside) ++ found = check(args.zone, args) + exit(0 if found else 1) + +-- +1.8.3.1 + diff --git a/2432-check-param_template-i-.pValue-is-non-NULL.patch b/2432-check-param_template-i-.pValue-is-non-NULL.patch new file mode 100644 index 0000000000000000000000000000000000000000..02eaf26c3dac6f1d33150f9c8847085b6c798927 --- /dev/null +++ b/2432-check-param_template-i-.pValue-is-non-NULL.patch 
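Review bot: The new dsset branch in check() reads the file with `fp = open(args.dssetfile).read()` and never closes the handle, and an unreadable path surfaces as a raw traceback rather than a message; `with open(args.dssetfile) as dsset: fp = dsset.read()` fixes the first and an `except OSError` around it the second. This branch yields a str while the dig branch yields bytes, which is why the SECRR hunk grows its `type(rrtext) is not str` test — `isinstance(rrtext, bytes)` would express that more directly. The help string for `--dsfromkey` still reads `path to 'dig'`; that line is context here and predates the patch, but the new `--dsset` option sits right next to it.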
@@ -0,0 +1,53 @@ +From 8ac0152651725cfa3dd887f9f73e6ff9671ce2dd Mon Sep 17 00:00:00 2001 +From: Bill Parker +Date: Tue, 10 Jul 2018 12:34:00 +1000 +Subject: [PATCH 2432/3677] check param_template[i].pValue is non NULL + +--- + bin/pkcs11/pkcs11-keygen.c | 22 ++++++++++++++++++---- + 1 file changed, 18 insertions(+), 4 deletions(-) + +diff --git a/bin/pkcs11/pkcs11-keygen.c b/bin/pkcs11/pkcs11-keygen.c +index fe314ab..9631c0e 100644 +--- a/bin/pkcs11/pkcs11-keygen.c ++++ b/bin/pkcs11/pkcs11-keygen.c +@@ -657,8 +657,18 @@ main(int argc, char *argv[]) { + } + + /* Allocate space for parameter attributes */ +- for (i = 0; i < param_attrcnt; i++) ++ for (i = 0; i < param_attrcnt; i++) { ++ param_template[i].pValue = NULL; ++ } ++ ++ for (i = 0; i < param_attrcnt; i++) { + param_template[i].pValue = malloc(param_template[i].ulValueLen); ++ if (param_template[i].pValue == NULL) { ++ fprintf(stderr, "malloc failed\n"); ++ error = 1; ++ goto exit_params; ++ } ++ } + + rv = pkcs_C_GetAttributeValue(hSession, domainparams, + dsa_param_template, DSA_PARAM_ATTRS); +@@ -713,9 +723,13 @@ main(int argc, char *argv[]) { + + exit_params: + /* Free parameter attributes */ +- if (keyclass == key_dsa || keyclass == key_dh) +- for (i = 0; i < param_attrcnt; i++) +- free(param_template[i].pValue); ++ if (keyclass == key_dsa || keyclass == key_dh) { ++ for (i = 0; i < param_attrcnt; i++) { ++ if (param_template[i].pValue != NULL) { ++ free(param_template[i].pValue); ++ } ++ } ++ } + + exit_domain: + /* Destroy domain parameters */ +-- +1.8.3.1 + diff --git a/2497-refcount-errors-on-error-paths.patch b/2497-refcount-errors-on-error-paths.patch new file mode 100644 index 0000000000000000000000000000000000000000..9d8e42b41f2279d1f959b9aa71bf9ac169e89450 --- /dev/null +++ b/2497-refcount-errors-on-error-paths.patch 
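Review bot: The `!= NULL` guard added at exit_params is redundant — `free(NULL)` is a no-op — while the part that actually makes the cleanup safe is the new pre-clearing loop, which deserves a comment such as `/* Pre-clear so exit_params can free a partially allocated set */`. Whether the cleanup runs at all after the new `goto exit_params` depends on `keyclass` being key_dsa or key_dh whenever `param_attrcnt` is non-zero, which the hunk does not show; worth confirming. The enclosing main() starts and ends outside the hunk.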
@@ -0,0 +1,53 @@ +From 4093efc900e250a39f9669e3d740a4286a0edb9c Mon Sep 17 00:00:00 2001 +From: Mark Andrews +Date: Tue, 31 Jul 2018 17:41:45 +1000 +Subject: [PATCH 2497/3677] refcount errors on error paths + +--- + lib/dns/rbtdb.c | 3 --- + lib/dns/view.c | 1 + + 2 files changed, 1 insertion(+), 3 deletions(-) + +diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c +index e332802..01c7cd8 100644 +--- a/lib/dns/rbtdb.c ++++ b/lib/dns/rbtdb.c +@@ -8368,7 +8368,6 @@ dns_rbtdb_create(isc_mem_t *mctx, const dns_name_t *origin, dns_dbtype_t type, + if (result != ISC_R_SUCCESS) { + while (i-- > 0) { + NODE_DESTROYLOCK(&rbtdb->node_locks[i].lock); +- isc_refcount_decrement(&rbtdb->node_locks[i].references, NULL); + isc_refcount_destroy(&rbtdb->node_locks[i].references); + } + goto cleanup_deadnodes; +@@ -8491,7 +8490,6 @@ dns_rbtdb_create(isc_mem_t *mctx, const dns_name_t *origin, dns_dbtype_t type, + rbtdb->current_version = allocate_version(mctx, 1, 1, ISC_FALSE); + if (rbtdb->current_version == NULL) { + isc_refcount_decrement(&rbtdb->references, NULL); +- isc_refcount_destroy(&rbtdb->references); + free_rbtdb(rbtdb, ISC_FALSE, NULL); + return (ISC_R_NOMEMORY); + } +@@ -8513,7 +8511,6 @@ dns_rbtdb_create(isc_mem_t *mctx, const dns_name_t *origin, dns_dbtype_t type, + sizeof(*rbtdb->current_version)); + rbtdb->current_version = NULL; + isc_refcount_decrement(&rbtdb->references, NULL); +- isc_refcount_destroy(&rbtdb->references); + free_rbtdb(rbtdb, ISC_FALSE, NULL); + return (result); + } +diff --git a/lib/dns/view.c b/lib/dns/view.c +index e36576f..7751535 100644 +--- a/lib/dns/view.c ++++ b/lib/dns/view.c +@@ -311,6 +311,7 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass, + dns_tsigkeyring_detach(&view->dynamickeys); + + cleanup_references: ++ isc_refcount_decrement(&view->references, NULL); + isc_refcount_destroy(&view->references); + + cleanup_fwdtable: +-- +1.8.3.1 + 
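Review bot: The three hunks move in opposite directions — rbtdb.c drops a decrement in one place and a destroy in two others, while view.c adds a decrement — and the commit message does not say why, so each site needs a one-line why-comment. Presumably `free_rbtdb()` destroys `rbtdb->references` itself and the per-lock counters in the node_locks loop were never incremented, but that is inferred, not visible here. For view.c something like `/* drop the reference taken at creation before destroying the counter */` would document the invariant `isc_refcount_destroy` relies on.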
diff --git a/2559-Do-not-remove-errors-from-the-OpenSSL-error-queue-in.patch b/2559-Do-not-remove-errors-from-the-OpenSSL-error-queue-in.patch new file mode 100644 index 0000000000000000000000000000000000000000..a5a6f2c2b9bdca5802bead20e6ebf51b0a098a1e --- /dev/null +++ b/2559-Do-not-remove-errors-from-the-OpenSSL-error-queue-in.patch @@ -0,0 +1,11 @@ +--- a/lib/dns/openssl_link.c 2019-04-17 06:00:00.086000000 -0400 ++++ b/lib/dns/openssl_link_1.c 2019-04-17 06:03:38.556000000 -0400 +@@ -385,7 +385,7 @@ dst__openssl_destroy(void) { + static isc_result_t + toresult(isc_result_t fallback) { + isc_result_t result = fallback; +- unsigned long err = ERR_get_error(); ++ unsigned long err = ERR_peek_error(); + #if defined(HAVE_OPENSSL_ECDSA) && \ + defined(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED) + int lib = ERR_GET_LIB(err); diff --git a/2574-Do-not-treat-a-referral-with-a-non-empty-ANSWER-sect.patch b/2574-Do-not-treat-a-referral-with-a-non-empty-ANSWER-sect.patch new file mode 100644 index 0000000000000000000000000000000000000000..02bba3757f8d4c6bd887ca6337a6377ea96029e5 --- /dev/null +++ b/2574-Do-not-treat-a-referral-with-a-non-empty-ANSWER-sect.patch @@ -0,0 +1,13 @@ +--- a/lib/dns/resolver.c 2019-04-17 06:06:06.700000000 -0400 ++++ b/lib/dns/resolver_1.c 2019-04-17 06:08:47.697000000 -0400 +@@ -8419,7 +8419,9 @@ resquery_response(isc_task_t *task, isc_ + if (result != ISC_R_SUCCESS) + FCTXTRACE3("noanswer_response", result); + } +- if (result != DNS_R_DELEGATION) { ++ if (result == DNS_R_DELEGATION) { ++ result = ISC_R_SUCCESS; ++ } else { + /* + * At this point, AA is not set, the response + * is not a referral, and the server is not a diff --git a/2711-Align-CMSG-buffers-to-a-void-boundary-fixes-crash-on.patch b/2711-Align-CMSG-buffers-to-a-void-boundary-fixes-crash-on.patch new file mode 100644 index 0000000000000000000000000000000000000000..39a74df447c1861adcd43f9f3911504bd8af9b57 --- /dev/null 
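Review bot: Switching toresult() to `ERR_peek_error()` leaves the entry on OpenSSL's per-thread error queue, so unless every caller now drains it (the rest of toresult() and its callers are outside the hunk) a stale error can be misattributed to the next unrelated OpenSSL call on that thread; a comment at the new line naming who is responsible for `ERR_clear_error()` would make the contract explicit. Separately, this patch's headers name different files on the two sides (`a/lib/dns/openssl_link.c` vs `b/lib/dns/openssl_link_1.c`), as do 2574, 2776, 2985 and 2998; which name an applying tool picks is tool-dependent, so regenerating them with matching paths is safer.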
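Review bot: The new branch overwrites `result` with `ISC_R_SUCCESS` for a DNS_R_DELEGATION response, discarding that signal for whatever code follows the else block, which is outside the hunk; if anything later still tests for DNS_R_DELEGATION it will now take the success path. A short comment on the new line, e.g. `/* accepted referral: clear DNS_R_DELEGATION so it is not treated as a failure below */`, would record the intent. resquery_response() starts and ends outside the hunk.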
+++ b/2711-Align-CMSG-buffers-to-a-void-boundary-fixes-crash-on.patch @@ -0,0 +1,47 @@ +From 17212cf9965a1a0ec8412b807fe08f74e059cc1c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Witold=20Kr=C4=99cicki?= +Date: Fri, 7 Sep 2018 09:34:32 +0200 +Subject: [PATCH 2711/3677] Align CMSG buffers to a void* boundary, fixes crash + on architectures with strict alignment CHANGES entry + +--- + CHANGES | 3 +++ + lib/isc/include/isc/util.h | 5 +++++ + lib/isc/unix/socket.c | 5 +++-- + 3 files changed, 11 insertions(+), 2 deletions(-) + +diff --git a/lib/isc/include/isc/util.h b/lib/isc/include/isc/util.h +index bb0c885..acc3d64 100644 +--- a/lib/isc/include/isc/util.h ++++ b/lib/isc/include/isc/util.h +@@ -260,6 +260,11 @@ extern void mock_assert(const int result, const char* const expression, + #define TIME_NOW(tp) RUNTIME_CHECK(isc_time_now((tp)) == ISC_R_SUCCESS) + + /*% ++ * Alignment ++ */ ++#define ALIGN(x, a) (((x) + (a) - 1) & ~((typeof(x))(a)-1)) ++ ++/*% + * Misc + */ + #include +diff --git a/lib/isc/unix/socket.c b/lib/isc/unix/socket.c +index 343cec2..62a00cd 100644 +--- a/lib/isc/unix/socket.c ++++ b/lib/isc/unix/socket.c +@@ -315,8 +315,9 @@ typedef isc_event_t intev_t; + + #define CMSG_SP_INT 24 + +-#define RECVCMSGBUFLEN (2*(CMSG_SP_IN6PKT + CMSG_SP_TIMESTAMP + CMSG_SP_TCTOS)+1) +-#define SENDCMSGBUFLEN (2*(CMSG_SP_IN6PKT + CMSG_SP_INT + CMSG_SP_TCTOS)+1) ++/* Align cmsg buffers to be safe on SPARC etc. */ ++#define RECVCMSGBUFLEN ALIGN(2*(CMSG_SP_IN6PKT + CMSG_SP_TIMESTAMP + CMSG_SP_TCTOS)+1, sizeof(void*)) ++#define SENDCMSGBUFLEN ALIGN(2*(CMSG_SP_IN6PKT + CMSG_SP_INT + CMSG_SP_TCTOS)+1, sizeof(void*)) + + /*% + * The number of times a send operation is repeated if the result is EINTR. +-- +1.8.3.1 + diff --git a/2776-Fix-crash-caused-by-race-condition-in-timer-creation.patch b/2776-Fix-crash-caused-by-race-condition-in-timer-creation.patch new file mode 100644 index 0000000000000000000000000000000000000000..5625134d61faf3c9c3dd52c8b03bdcc1ae4d2598 --- /dev/null 
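Review bot: `ALIGN` in a public header (isc/util.h) is a name some system headers already define (BSD `<sys/param.h>` has an `ALIGN(p)` macro), and its body uses `typeof`, a GNU extension that is not standard C before C23, so a strict compiler may reject it; `#define ISC_ALIGN(x, a) (((x) + (a) - 1) & ~((size_t)(a) - 1))` with the two socket.c uses renamed avoids both problems. The `(size_t)` cast suffices because both callers pass unsigned size expressions with `sizeof(void*)` as the alignment. The diffstat lists a CHANGES hunk that is not included in the patch body.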
+++ b/2776-Fix-crash-caused-by-race-condition-in-timer-creation.patch @@ -0,0 +1,22 @@ +--- a/lib/isc/timer.c 2018-09-04 00:04:41.000000000 -0400 ++++ b/lib/isc/timer_1.c 2019-04-17 23:40:41.930000000 -0400 +@@ -472,8 +472,10 @@ isc__timer_create(isc_timermgr_t *manage + result = schedule(timer, &now, ISC_TRUE); + else + result = ISC_R_SUCCESS; +- if (result == ISC_R_SUCCESS) ++ if (result == ISC_R_SUCCESS){ ++ *timerp = (isc_timer_t *)timer; + APPEND(manager->timers, timer, link); ++ } + + UNLOCK(&manager->lock); + +@@ -486,7 +488,6 @@ isc__timer_create(isc_timermgr_t *manage + return (result); + } + +- *timerp = (isc_timer_t *)timer; + + return (ISC_R_SUCCESS); + } diff --git a/2865-free-key-on-error.patch b/2865-free-key-on-error.patch new file mode 100644 index 0000000000000000000000000000000000000000..f51cb4fbe2955cb4b04e39cb11844cb4b846a68f --- /dev/null +++ b/2865-free-key-on-error.patch @@ -0,0 +1,26 @@ +From 607c2d7441b5b56272765dfd6ee56de983c3b407 Mon Sep 17 00:00:00 2001 +From: Mark Andrews +Date: Fri, 19 Oct 2018 19:23:39 +1100 +Subject: [PATCH 2865/3677] free key on error + +--- + lib/dns/dst_api.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c +index 7685dcb..c0684d9 100644 +--- a/lib/dns/dst_api.c ++++ b/lib/dns/dst_api.c +@@ -802,6 +802,9 @@ dst_key_fromgssapi(const dns_name_t *name, gss_ctx_id_t gssctx, + *keyp = key; + result = ISC_R_SUCCESS; + out: ++ if (result != ISC_R_SUCCESS) { ++ dst_key_free(&key); ++ } + return result; + } + +-- +1.8.3.1 + diff --git a/2879-expand-the-pool-then-copy-over-the-old-entries-so-we.patch b/2879-expand-the-pool-then-copy-over-the-old-entries-so-we.patch new file mode 100644 index 0000000000000000000000000000000000000000..f8eca082ce7e122eac5bc1ded2f8bd68ef73a170 --- /dev/null +++ b/2879-expand-the-pool-then-copy-over-the-old-entries-so-we.patch 
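Review bot: Publishing `*timerp` under the manager lock is the fix, but nothing on the new line says why, and the reason is not obvious from the code; `/* publish before unlocking: the timer may fire as soon as it is appended */` would capture it, if the title's race is the one I read it as. Style: `if (result == ISC_R_SUCCESS){` lacks the space before the brace used elsewhere in this function, and removing the old assignment leaves two consecutive blank lines before the final return.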
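Review bot: `dst_key_free(&key)` on every non-success path assumes `key` is non-NULL whenever `result != ISC_R_SUCCESS` at `out:`; if any `goto out` precedes the key allocation (the start of dst_key_fromgssapi() is outside the hunk) the call would hit dst_key_free's own precondition on a NULL key. Guarding it as `if (result != ISC_R_SUCCESS && key != NULL)` costs nothing and makes the cleanup safe regardless of which path reached the label.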
@@ -0,0 +1,49 @@ +From afde30fe9b1fd43595290a6763db6d52e0903c5a Mon Sep 17 00:00:00 2001 +From: Mark Andrews +Date: Fri, 19 Oct 2018 19:36:17 +1100 +Subject: [PATCH 2879/3677] expand the pool then copy over the old entries so + we that failures do not break the old pool; also don't leak the new pool on + error + +--- + lib/isc/pool.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +diff --git a/lib/isc/pool.c b/lib/isc/pool.c +index 5c693a6..8fb2a45 100644 +--- a/lib/isc/pool.c ++++ b/lib/isc/pool.c +@@ -131,21 +131,22 @@ isc_pool_expand(isc_pool_t **sourcep, unsigned int count, + newpool->init = pool->init; + newpool->initarg = pool->initarg; + +- /* Copy over the objects from the old pool */ +- for (i = 0; i < pool->count; i++) { +- newpool->pool[i] = pool->pool[i]; +- pool->pool[i] = NULL; +- } +- + /* Populate the new entries */ + for (i = pool->count; i < count; i++) { +- result = pool->init(&newpool->pool[i], pool->initarg); ++ result = newpool->init(&newpool->pool[i], ++ newpool->initarg); + if (result != ISC_R_SUCCESS) { +- isc_pool_destroy(&pool); ++ isc_pool_destroy(&newpool); + return (result); + } + } + ++ /* Copy over the objects from the old pool */ ++ for (i = 0; i < pool->count; i++) { ++ newpool->pool[i] = pool->pool[i]; ++ pool->pool[i] = NULL; ++ } ++ + isc_pool_destroy(&pool); + pool = newpool; + } +-- +1.8.3.1 + diff --git a/2985-Add-some-DBC-checks-in-dighost-fix-race-between-clea.patch b/2985-Add-some-DBC-checks-in-dighost-fix-race-between-clea.patch new file mode 100644 index 0000000000000000000000000000000000000000..445f324ba9e81926b89d3e5b05d5a57f07fffc76 --- /dev/null +++ b/2985-Add-some-DBC-checks-in-dighost-fix-race-between-clea.patch 
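Review bot: On init failure the new code destroys `newpool` while slots `0..pool->count-1` have not yet received the old objects, so `isc_pool_destroy(&newpool)` is only safe if those slots were zeroed when `newpool->pool` was allocated and the destroy callback skips NULL entries — the allocation is outside the hunk, so this needs confirming. A comment on the populate loop, `/* new slots are filled first so a failure leaves the old pool intact; lower slots must be NULL here */`, would pin the invariant. isc_pool_expand() starts and ends outside the hunk.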
@@ -0,0 +1,228 @@ +--- a/bin/dig/dighost.c 2019-04-18 00:14:08.120000000 -0400 ++++ b/bin/dig/dighost_1.c 2019-04-18 02:34:32.947000000 -0400 +@@ -1822,9 +1822,9 @@ clear_query(dig_query_t *query) { + + debug("clear_query(%p)", query); + +- if (query->timer != NULL) ++ if (query->timer != NULL){ + isc_timer_detach(&query->timer); +- ++ } + if (query->waiting_senddone) { + debug("send_done not yet called"); + query->pending_free = ISC_TRUE; +@@ -1833,13 +1833,15 @@ clear_query(dig_query_t *query) { + + lookup = query->lookup; + +- if (lookup->current_query == query) ++ if (lookup->current_query == query){ + lookup->current_query = NULL; +- +- if (ISC_LINK_LINKED(query, link)) ++ } ++ if (ISC_LINK_LINKED(query, link)){ + ISC_LIST_UNLINK(lookup->q, query, link); +- if (ISC_LINK_LINKED(query, clink)) ++ } ++ if (ISC_LINK_LINKED(query, clink)){ + ISC_LIST_UNLINK(lookup->connecting, query, clink); ++ } + if (ISC_LINK_LINKED(&query->recvbuf, link)) + ISC_LIST_DEQUEUE(query->recvlist, &query->recvbuf, + link); +@@ -1856,6 +1858,7 @@ clear_query(dig_query_t *query) { + isc_mempool_put(commctx, query->recvspace); + isc_buffer_invalidate(&query->recvbuf); + isc_buffer_invalidate(&query->lengthbuf); ++ query->magic = 0; + isc_mem_free(mctx, query); + } + +@@ -2807,13 +2810,14 @@ setup_lookup(dig_lookup_t *lookup) { + + for (serv = ISC_LIST_HEAD(lookup->my_server_list); + serv != NULL; +- serv = ISC_LIST_NEXT(serv, link)) { ++ serv = ISC_LIST_NEXT(serv, link)) ++ { + query = isc_mem_allocate(mctx, sizeof(dig_query_t)); +- if (query == NULL) ++ if (query == NULL){ + fatal("memory allocation failure in %s:%d", + __FILE__, __LINE__); +- debug("create query %p linked to lookup %p", +- query, lookup); ++ } ++ debug("create query %p linked to lookup %p", query, lookup); + query->lookup = lookup; + query->timer = NULL; + query->waiting_connect = ISC_FALSE; +@@ -2838,9 +2842,9 @@ setup_lookup(dig_lookup_t *lookup) { + ISC_LIST_INIT(query->lengthlist); + query->sock = NULL; + 
query->recvspace = isc_mempool_get(commctx); +- if (query->recvspace == NULL) ++ if (query->recvspace == NULL){ + fatal("memory allocation failure"); +- ++ } + isc_buffer_init(&query->recvbuf, query->recvspace, COMMSIZE); + isc_buffer_init(&query->lengthbuf, query->lengthspace, 2); + isc_buffer_init(&query->slbuf, query->slspace, 2); +@@ -2848,6 +2852,7 @@ setup_lookup(dig_lookup_t *lookup) { + + ISC_LINK_INIT(query, clink); + ISC_LINK_INIT(query, link); ++ query->magic = DIG_QUERY_MAGIC; + ISC_LIST_ENQUEUE(lookup->q, query, link); + } + +@@ -2856,9 +2861,10 @@ setup_lookup(dig_lookup_t *lookup) { + extrabytes = 0; + dighost_printmessage(ISC_LIST_HEAD(lookup->q), lookup->sendmsg, + ISC_TRUE); +- if (lookup->stats) ++ if (lookup->stats){ + printf(";; QUERY SIZE: %u\n\n", + isc_buffer_usedlength(&lookup->renderbuf)); ++ } + } + return (ISC_TRUE); + } +@@ -2893,20 +2899,26 @@ send_done(isc_task_t *_task, isc_event_t + } + + query = event->ev_arg; ++ REQUIRE(DIG_VALID_QUERY(query)); + query->waiting_senddone = ISC_FALSE; + l = query->lookup; + +- if (l->ns_search_only && !l->trace_root && !l->tcp_mode) { ++ if (!query->pending_free && l->ns_search_only && ++ !l->trace_root && !l->tcp_mode) ++ { + debug("sending next, since searching"); + next = ISC_LIST_NEXT(query, link); +- if (next != NULL) ++ if (next != NULL){ + send_udp(next); ++ } + } + + isc_event_free(&event); + +- if (query->pending_free) ++ if (query->pending_free){ ++ query->magic = 0; + clear_query(query); ++ } + + check_next_lookup(l); + UNLOCK_LOOKUP; +@@ -2924,6 +2936,7 @@ cancel_lookup(dig_lookup_t *lookup) { + debug("cancel_lookup()"); + query = ISC_LIST_HEAD(lookup->q); + while (query != NULL) { ++ REQUIRE(DIG_VALID_QUERY(query)); + next = ISC_LIST_NEXT(query, link); + if (query->sock != NULL) { + isc_socket_cancel(query->sock, global_task, +@@ -2943,6 +2956,7 @@ bringup_timer(dig_query_t *query, unsign + dig_lookup_t *l; + unsigned int local_timeout; + isc_result_t result; ++ 
REQUIRE(DIG_VALID_QUERY(query)); + + debug("bringup_timer()"); + /* +@@ -3007,7 +3021,7 @@ send_tcp_connect(dig_query_t *query) { + isc_result_t result; + dig_query_t *next; + dig_lookup_t *l; +- ++ REQUIRE(DIG_VALID_QUERY(query)); + debug("send_tcp_connect(%p)", query); + + l = query->lookup; +@@ -3145,7 +3159,7 @@ send_udp(dig_query_t *query) { + isc_result_t result; + isc_buffer_t *sendbuf; + dig_query_t *next; +- ++ REQUIRE(DIG_VALID_QUERY(query)); + debug("send_udp(%p)", query); + + l = query->lookup; +@@ -3248,6 +3262,7 @@ connect_timeout(isc_task_t *task, isc_ev + + LOCK_LOOKUP; + query = event->ev_arg; ++ REQUIRE(DIG_VALID_QUERY(query)); + l = query->lookup; + isc_event_free(&event); + +@@ -3335,7 +3350,7 @@ tcp_length_done(isc_task_t *task, isc_ev + LOCK_LOOKUP; + sevent = (isc_socketevent_t *)event; + query = event->ev_arg; +- ++ REQUIRE(DIG_VALID_QUERY(query)); + recvcount--; + INSIST(recvcount >= 0); + +@@ -3412,7 +3427,7 @@ launch_next_query(dig_query_t *query, is + isc_result_t result; + dig_lookup_t *l; + isc_buffer_t *buffer; +- ++ REQUIRE(DIG_VALID_QUERY(query)); + INSIST(!free_now); + + debug("launch_next_query()"); +@@ -3491,7 +3506,7 @@ connect_done(isc_task_t *task, isc_event + LOCK_LOOKUP; + sevent = (isc_socketevent_t *)event; + query = sevent->ev_arg; +- ++ REQUIRE(DIG_VALID_QUERY(query)); + INSIST(query->waiting_connect); + + query->waiting_connect = ISC_FALSE; +@@ -4460,6 +4475,7 @@ do_lookup(dig_lookup_t *lookup) { + lookup->pending = ISC_TRUE; + query = ISC_LIST_HEAD(lookup->q); + if (query != NULL) { ++ REQUIRE(DIG_VALID_QUERY(query)); + if (lookup->tcp_mode) + send_tcp_connect(query); + else +--- a/bin/dig/include/dig/dig.h 2018-09-04 00:04:41.000000000 -0400 ++++ b/bin/dig/include/dig/dig_1.h 2019-04-18 02:36:44.313000000 -0400 +@@ -24,6 +24,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -90,6 +91,9 @@ typedef struct dig_message dig_message_t + #endif + typedef ISC_LIST(dig_server_t) 
dig_serverlist_t; + typedef struct dig_searchlist dig_searchlist_t; ++#define DIG_QUERY_MAGIC ISC_MAGIC('D','i','g','q') ++ ++#define DIG_VALID_QUERY(x) ISC_MAGIC_VALID((x), DIG_QUERY_MAGIC) + + /*% The dig_lookup structure */ + struct dig_lookup { +@@ -199,6 +203,7 @@ isc_boolean_t sigchase; + + /*% The dig_query structure */ + struct dig_query { ++ unsigned int magic; + dig_lookup_t *lookup; + isc_boolean_t waiting_connect, + pending_free, diff --git a/2998-Use-larger-buffers-on-snprintf-buffer-overflow-false.patch b/2998-Use-larger-buffers-on-snprintf-buffer-overflow-false.patch new file mode 100644 index 0000000000000000000000000000000000000000..ba6b7d456d79fab44571cfc38d4892af9a120cf5 --- /dev/null +++ b/2998-Use-larger-buffers-on-snprintf-buffer-overflow-false.patch 
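Review bot: `query->magic = 0;` added in send_done() before `clear_query(query)` is redundant with the clearing clear_query() itself now does just before `isc_mem_free`, and it prevents clear_query() from ever asserting `REQUIRE(DIG_VALID_QUERY(query))` on entry — yet it is the one function here that frees the object and it received no check; dropping the send_done line and adding the REQUIRE at the top of clear_query() (its first lines are outside the hunk) would close that gap. Style: the `if (x){` brace form introduced throughout differs from the `if (x) {` the same hunks show elsewhere in the file. The dig.h hunk's added `#include` line has lost its header name in this rendering; confirm it names the header that provides ISC_MAGIC.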
@@ -0,0 +1,52 @@ +--- a/lib/dns/rdata/generic/loc_29.c 2018-09-04 00:04:41.000000000 -0400 ++++ b/lib/dns/rdata/generic/loc_291.c 2019-04-18 00:09:34.927000000 -0400 +@@ -454,11 +454,12 @@ totext_loc(ARGS_TOTEXT) { + isc_boolean_t east; + isc_boolean_t below; + isc_region_t sr; +- char buf[sizeof("89 59 59.999 N 179 59 59.999 E " +- "-42849672.95m 90000000m 90000000m 90000000m")]; + char sbuf[sizeof("90000000m")]; + char hbuf[sizeof("90000000m")]; + char vbuf[sizeof("90000000m")]; ++ /* "89 59 59.999 N 179 59 59.999 E " */ ++ /* "-42849672.95m 90000000m 90000000m 90000000m"; */ ++ char buf[8*6 + 12*1 + 2*10 + sizeof(sbuf)+sizeof(hbuf)+sizeof(vbuf)]; + unsigned char size, hp, vp; + unsigned long poweroften[8] = { 1, 10, 100, 1000, + 10000, 100000, 1000000, 10000000 }; +@@ -550,7 +551,7 @@ totext_loc(ARGS_TOTEXT) { + altitude -= 10000000; + } + +- snprintf(buf, sizeof(buf), ++ snprintf(NULL, 0, + "%d %d %d.%03d %s %d %d %d.%03d %s %s%lu.%02lum %s %s %s", + d1, m1, s1, fs1, north ? "N" : "S", + d2, m2, s2, fs2, east ? "E" : "W", +--- a/lib/dns/rdata/in_1/dhcid_49.c 2018-09-04 00:04:41.000000000 -0400 ++++ b/lib/dns/rdata/in_1/dhcid_491.c 2019-04-18 00:12:14.143000000 -0400 +@@ -35,9 +35,8 @@ fromtext_in_dhcid(ARGS_FROMTEXT) { + static inline isc_result_t + totext_in_dhcid(ARGS_TOTEXT) { + isc_region_t sr, sr2; +- char buf[sizeof(" ; 64000 255 64000")]; +- size_t n; +- ++ /* " ; 64000 255 64000" */ ++ char buf[5 + 3*5 + 1]; + REQUIRE(rdata->type == dns_rdatatype_dhcid); + REQUIRE(rdata->rdclass == dns_rdataclass_in); + REQUIRE(rdata->length != 0); +@@ -55,10 +54,9 @@ totext_in_dhcid(ARGS_TOTEXT) { + if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0) { + RETERR(str_totext(/* ( */ " )", target)); + if (rdata->length > 2) { +- n = snprintf(buf, sizeof(buf), " ; %u %u %u", ++ snprintf(NULL, 0, " ; %u %u %u", + sr2.base[0] * 256U + sr2.base[1], + sr2.base[2], rdata->length - 3U); +- INSIST(n < sizeof(buf)); + RETERR(str_totext(buf, target)); + } + } 
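Review bot: `snprintf(NULL, 0, ...)` only computes a length, so in totext_in_dhcid `buf` is now handed to `str_totext(buf, target)` uninitialised, and the same replacement in totext_loc leaves its `buf` unwritten for the code that follows the hunk; whatever stack bytes happen to be there end up in the rendered record text. Restore `snprintf(buf, sizeof(buf), ...)` at both sites, and keep the dropped `n`/`INSIST(n < sizeof(buf))` bound in dhcid, since the new size expression `5 + 3*5 + 1` is hand-computed. If the goal was silencing a format-truncation warning, the enlarged buffers alone are the fix.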
diff --git a/3022-Fix-a-shutdown-race-in-bin-dig-dighost.c.patch b/3022-Fix-a-shutdown-race-in-bin-dig-dighost.c.patch new file mode 100644 index 0000000000000000000000000000000000000000..15561c73ce2041a9af24e24fe5987def75a0023d --- /dev/null +++ b/3022-Fix-a-shutdown-race-in-bin-dig-dighost.c.patch @@ -0,0 +1,35 @@ +From 462175659674a10c0d39c7c328f1a5324ce2e38b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= +Date: Tue, 13 Nov 2018 13:50:47 +0100 +Subject: [PATCH 3022/3677] Fix a shutdown race in bin/dig/dighost.c + +If a tool using the routines defined in bin/dig/dighost.c is sent an +interruption signal around the time a connection timeout is scheduled to +fire, connect_timeout() may be executed after destroy_libs() detaches +from the global task (setting 'global_task' to NULL), which results in a +crash upon a UDP retry due to bringup_timer() attempting to create a +timer with 'task' set to NULL. Fix by preventing connect_timeout() from +attempting a retry when shutdown is in progress. +--- + bin/dig/dighost.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c +index f4e5e55..410b634 100644 +--- a/bin/dig/dighost.c ++++ b/bin/dig/dighost.c +@@ -2902,6 +2902,11 @@ connect_timeout(isc_task_t *task, isc_event_t *event) { + + INSIST(!free_now); + ++ if (cancel_now) { ++ UNLOCK_LOOKUP; ++ return; ++ } ++ + if ((query != NULL) && (query->lookup->current_query != NULL) && + ISC_LINK_LINKED(query->lookup->current_query, link) && + (ISC_LIST_NEXT(query->lookup->current_query, link) != NULL)) { +-- +1.8.3.1 + diff --git a/3046-uninitalize-memory-read-on-error-path.patch b/3046-uninitalize-memory-read-on-error-path.patch new file mode 100644 index 0000000000000000000000000000000000000000..4968db34aa9f907a20040e5ea7d1fe1a9a77e7ea --- /dev/null +++ b/3046-uninitalize-memory-read-on-error-path.patch 
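Review bot: The early return on `cancel_now` leaves connect_timeout() before any per-query handling, so whether `event` has already been released by this point decides whether it leaks; the lines between `query = event->ev_arg;` and `INSIST(!free_now);` are outside this hunk, so check that `isc_event_free(&event)` precedes the new block. This patch and 2985 both touch connect_timeout() in bin/dig/dighost.c but at different offsets (`-2902` here, `-3248` there) and against different bases (git index f4e5e55..410b634 versus a 2018-09-04 timestamped copy), so the series should be tested to apply in order without fuzz.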
@@ -0,0 +1,25 @@ +From 4eadebe2b2feade839d8f178e6ddf8b4406d093a Mon Sep 17 00:00:00 2001 +From: Mark Andrews +Date: Fri, 9 Nov 2018 15:32:33 +1100 +Subject: [PATCH 3046/3677] uninitalize memory read on error path + +--- + lib/dns/nta.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/dns/nta.c b/lib/dns/nta.c +index 73674b3..498b7f1 100644 +--- a/lib/dns/nta.c ++++ b/lib/dns/nta.c +@@ -149,7 +149,7 @@ dns_ntatable_create(dns_view_t *view, + isc_task_detach(&ntatable->task); + + cleanup_ntatable: +- isc_mem_put(ntatable->view->mctx, ntatable, sizeof(*ntatable)); ++ isc_mem_put(view->mctx, ntatable, sizeof(*ntatable)); + + return (result); + } +-- +1.8.3.1 + diff --git a/3318-Allow-unsupported-alg-in-zone-w-dnssec-signzone.patch b/3318-Allow-unsupported-alg-in-zone-w-dnssec-signzone.patch new file mode 100644 index 0000000000000000000000000000000000000000..ddef69034d540e928ae832e349e81fc56f886d52 --- /dev/null +++ b/3318-Allow-unsupported-alg-in-zone-w-dnssec-signzone.patch 
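Review bot: The fix is right but silent about why `ntatable->view` cannot be used here; at `cleanup_ntatable:` the structure is being freed because its setup did not complete, so a comment such as `/* ntatable->view may not have been attached yet; use the caller's view */` would stop a later cleanup from reintroducing the read. dns_ntatable_create() starts outside the hunk.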
@@ -0,0 +1,77 @@ +From 1dd11fc754baf396bb3040527087b14f0678dd83 Mon Sep 17 00:00:00 2001 +From: Matthijs Mekking +Date: Tue, 18 Dec 2018 12:14:04 +0100 +Subject: [PATCH 3318/3677] Allow unsupported alg in zone /w dnssec-signzone + +dnssec-signzone should sign a zonefile that contains a DNSKEY record +with an unsupported algorithm. Current behavior is that it will +fail, hitting a fatal error. The fix detects unsupported algorithms +and will not try to add it to the keylist. + +Also when determining the maximum iterations for NSEC3, don't take +into account DNSKEY records in the zonefile with an unsupported +algorithm. +--- + lib/dns/dnssec.c | 8 ++++++++ + lib/dns/include/dns/dnssec.h | 2 +- + lib/dns/nsec3.c | 11 ++++++++++- + 3 files changed, 19 insertions(+), 2 deletions(-) + +diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c +index c12ecac..e255b6e 100644 +--- a/lib/dns/dnssec.c ++++ b/lib/dns/dnssec.c +@@ -1622,6 +1622,14 @@ dns_dnssec_keylistfromrdataset(const dns_name_t *origin, + result = dns_rdataset_next(&keys)) { + dns_rdata_reset(&rdata); + dns_rdataset_current(&keys, &rdata); ++ ++ /* Skip unsupported algorithms */ ++ REQUIRE(rdata.type == dns_rdatatype_key || ++ rdata.type == dns_rdatatype_dnskey); ++ REQUIRE(rdata.length > 3); ++ if (!dst_algorithm_supported(rdata.data[3])) ++ goto skip; ++ + RETERR(dns_dnssec_keyfromrdata(origin, &rdata, mctx, &pubkey)); + dst_key_setttl(pubkey, keys.ttl); + +diff --git a/lib/dns/include/dns/dnssec.h b/lib/dns/include/dns/dnssec.h +index 50930b6..e60375e 100644 +--- a/lib/dns/include/dns/dnssec.h ++++ b/lib/dns/include/dns/dnssec.h +@@ -274,7 +274,7 @@ dns_dnssec_findmatchingkeys(const dns_name_t *origin, const char *directory, + /*%< + * Search 'directory' for K* key files matching the name in 'origin'. + * Append all such keys, along with use hints gleaned from their +- * metadata, onto 'keylist'. ++ * metadata, onto 'keylist'. Skip any unsupported algorithms. 
+ * + * Requires: + *\li 'keylist' is not NULL +diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c +index 861e909..f30d695 100644 +--- a/lib/dns/nsec3.c ++++ b/lib/dns/nsec3.c +@@ -1811,8 +1811,17 @@ dns_nsec3_maxiterations(dns_db_t *db, dns_dbversion_t *version, + result == ISC_R_SUCCESS; + result = dns_rdataset_next(&rdataset)) { + dns_rdata_t rdata = DNS_RDATA_INIT; +- + dns_rdataset_current(&rdataset, &rdata); ++ ++ /* Skip unsupported algorithms when ++ * calculating the maximum iterations. ++ */ ++ REQUIRE(rdata.type == dns_rdatatype_key || ++ rdata.type == dns_rdatatype_dnskey); ++ REQUIRE(rdata.length > 3); ++ if (!dst_algorithm_supported(rdata.data[3])) ++ continue; ++ + isc_buffer_init(&buffer, rdata.data, rdata.length); + isc_buffer_add(&buffer, rdata.length); + CHECK(dst_key_fromdns(dns_db_origin(db), rdataset.rdclass, +-- +1.8.3.1 + diff --git a/3543-fix-memory-leak.patch b/3543-fix-memory-leak.patch new file mode 100644 index 0000000000000000000000000000000000000000..1da4f13caf911b2883d39e5faef456cdaeba36a8 --- /dev/null +++ b/3543-fix-memory-leak.patch 
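Review bot: `REQUIRE(rdata.length > 3)` turns a short DNSKEY/KEY rdata into an assertion failure rather than an error return, in both dns_dnssec_keylistfromrdataset and dns_nsec3_maxiterations; if every rdata reaching these loops has passed the wire/text parser, which enforces the minimum length, the REQUIREs are documentation only, otherwise a malformed record aborts the process and an `if (rdata.length < 4) continue;`-style skip (`goto skip` in dnssec.c) is the safer shape. The dnssec.h hunk appends "Skip any unsupported algorithms." to text that describes searching 'directory' for K* files — the dns_dnssec_findmatchingkeys doc — while the code change is in keylistfromrdataset, so the sentence looks attached to the wrong function. The `skip:` label in dnssec.c is outside the hunk.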
@@ -0,0 +1,112 @@
+From 7114d16098b0cf4910e06490fa70758f1c2c62a3 Mon Sep 17 00:00:00 2001
+From: Mark Andrews
+Date: Fri, 15 Feb 2019 08:52:16 +1100
+Subject: [PATCH 3543/3677] fix memory leak
+
+---
+ lib/dns/spnego_asn1.c | 56 +++++++++++++++++++++++++++++++--------------------
+ 1 file changed, 34 insertions(+), 22 deletions(-)
+
+diff --git a/lib/dns/spnego_asn1.c b/lib/dns/spnego_asn1.c
+index fb51b0d..46e487a 100644
+--- a/lib/dns/spnego_asn1.c
++++ b/lib/dns/spnego_asn1.c
+@@ -467,25 +467,25 @@ decode_NegTokenInit(const unsigned char *p, size_t len, NegTokenInit * data, siz
+ FORW;
+ {
+ int dce_fix;
+- if ((dce_fix = fix_dce(reallen, &len)) < 0)
+- return ASN1_BAD_FORMAT;
++ if ((dce_fix = fix_dce(reallen, &len)) < 0) {
++ e = ASN1_BAD_FORMAT;
++ goto fail;
++ }
+ {
+ size_t newlen, oldlen;
+
+ e = der_match_tag(p, len, ASN1_C_CONTEXT, CONS, 0, &l);
+- if (e)
+- return e;
+- else {
+- p += l;
+- len -= l;
+- ret += l;
++ FORW;
++ {
+ e = der_get_length(p, len, &newlen, &l);
+ FORW;
+ {
+ int mydce_fix;
+ oldlen = len;
+- if ((mydce_fix = fix_dce(newlen, &len)) < 0)
+- return ASN1_BAD_FORMAT;
++ if ((mydce_fix = fix_dce(newlen, &len)) < 0) {
++ e = ASN1_BAD_FORMAT;
++ goto fail;
++ }
+ e = decode_MechTypeList(p, len, &(data)->mechTypes, &l);
+ FORW;
+ if (mydce_fix) {
+@@ -511,11 +511,15 @@ decode_NegTokenInit(const unsigned char *p, size_t len, NegTokenInit * data, siz
+ {
+ int mydce_fix;
+ oldlen = len;
+- if ((mydce_fix = fix_dce(newlen, &len)) < 0)
+- return ASN1_BAD_FORMAT;
++ if ((mydce_fix = fix_dce(newlen, &len)) < 0) {
++ e = ASN1_BAD_FORMAT;
++ goto fail;
++ }
+ (data)->reqFlags = malloc(sizeof(*(data)->reqFlags));
+- if ((data)->reqFlags == NULL)
+- return ENOMEM;
++ if ((data)->reqFlags == NULL) {
++ e = ENOMEM;
++ goto fail;
++ }
+ e = decode_ContextFlags(p, len, (data)->reqFlags, &l);
+ FORW;
+ if (mydce_fix) {
+@@ -541,11 +545,15 @@ decode_NegTokenInit(const unsigned char *p, size_t len, NegTokenInit * data, siz
+ {
+ int mydce_fix;
+ oldlen = len;
+- if ((mydce_fix = fix_dce(newlen, &len)) < 0)
+- return ASN1_BAD_FORMAT;
++ if ((mydce_fix = fix_dce(newlen, &len)) < 0) {
++ e = ASN1_BAD_FORMAT;
++ goto fail;
++ }
+ (data)->mechToken = malloc(sizeof(*(data)->mechToken));
+- if ((data)->mechToken == NULL)
+- return ENOMEM;
++ if ((data)->mechToken == NULL) {
++ e = ENOMEM;
++ goto fail;
++ }
+ e = decode_octet_string(p, len, (data)->mechToken, &l);
+ FORW;
+ if (mydce_fix) {
+@@ -571,11 +579,15 @@ decode_NegTokenInit(const unsigned char *p, size_t len, NegTokenInit * data, siz
+ {
+ int mydce_fix;
+ oldlen = len;
+- if ((mydce_fix = fix_dce(newlen, &len)) < 0)
+- return ASN1_BAD_FORMAT;
++ if ((mydce_fix = fix_dce(newlen, &len)) < 0) {
++ e = ASN1_BAD_FORMAT;
++ goto fail;
++ }
+ (data)->mechListMIC = malloc(sizeof(*(data)->mechListMIC));
+- if ((data)->mechListMIC == NULL)
+- return ENOMEM;
++ if ((data)->mechListMIC == NULL) {
++ e = ENOMEM;
++ goto fail;
++ }
+ e = decode_octet_string(p, len, (data)->mechListMIC, &l);
+ FORW;
+ if (mydce_fix) {
+--
+1.8.3.1
+
diff --git a/CVE-2018-5743-atomic-fix.patch b/CVE-2018-5743-atomic-fix.patch
new file mode 100644
index 0000000000000000000000000000000000000000..8246b0c6a76d1a58c00b80913dba8445f33bb38e
--- /dev/null
+++ b/CVE-2018-5743-atomic-fix.patch
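Review bot: The `goto fail` exits introduced here only close the leak if the `fail:` label, which lies outside the hunk together with the start and end of decode_NegTokenInit, releases the members allocated before the failure (mechTypes, reqFlags, mechToken, mechListMIC) and does so exactly once, i.e. the caller must not also free a partially filled `*data`; that contract should be verified rather than assumed. The replacement of the `if (e) return e; else { p += l; ... }` block with a bare `FORW;` likewise relies on that macro jumping to `fail` on error, which cannot be confirmed from the hunk. The same early-`return` pattern presumably survives in the sibling decoders of this file (decode_NegTokenResp and friends) and would need identical treatment, since these structures are parsed from SPNEGO tokens carried in GSS-TSIG requests and a per-request leak on malformed input is a memory-exhaustion concern for named. If spnego_asn1.c is still regenerated from the spnego_asn1.pl template in lib/dns, the edit should be mirrored there; a short comment above the first `goto fail`, `/* all error paths go through fail:, which frees partially decoded members */`, would record the invariant.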
@@ -0,0 +1,131 @@
+Backport of:
+
+From 17623d26e4e7b0fd45f2b39f00cd46e6044ce4c1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?=
+Date: Wed, 17 Apr 2019 15:22:27 +0200
+Subject: [PATCH] Replace atomic operations in bin/named/client.c with
+ isc_refcount reference counting
+
+---
+ bin/named/client.c | 18 +++++++-----------
+ bin/named/include/named/interfacemgr.h | 5 +++--
+ bin/named/interfacemgr.c | 7 +++++--
+ 3 files changed, 15 insertions(+), 15 deletions(-)
+
+Index: bind9-9.11.4+dfsg/bin/named/client.c
+===================================================================
+--- bind9-9.11.4+dfsg.orig/bin/named/client.c 2019-04-24 15:25:11.891463104 -0400
++++ bind9-9.11.4+dfsg/bin/named/client.c 2019-04-24 15:25:42.091541114 -0400
+@@ -399,12 +399,10 @@ tcpconn_detach(ns_client_t *client) {
+ static void
+ mark_tcp_active(ns_client_t *client, isc_boolean_t active) {
+ if (active && !client->tcpactive) {
+- isc_atomic_xadd(&client->interface->ntcpactive, 1);
++ isc_refcount_increment0(&client->interface->ntcpactive, NULL);
+ client->tcpactive = active;
+ } else if (!active && client->tcpactive) {
+- uint32_t old =
+- isc_atomic_xadd(&client->interface->ntcpactive, -1);
+- INSIST(old > 0);
++ isc_refcount_decrement(&client->interface->ntcpactive, NULL);
+ client->tcpactive = active;
+ }
+ }
+@@ -551,7 +549,7 @@ exit_check(ns_client_t *client) {
+ if (client->mortal && TCP_CLIENT(client) &&
+ client->newstate != NS_CLIENTSTATE_FREED &&
+ !ns_g_clienttest &&
+- isc_atomic_xadd(&client->interface->ntcpaccepting, 0) == 0)
++ isc_refcount_current(&client->interface->ntcpaccepting) == 0)
+ {
+ /* Nobody else is accepting */
+ client->mortal = ISC_FALSE;
+@@ -3314,7 +3312,6 @@ client_newconn(isc_task_t *task, isc_eve
+ isc_result_t result;
+ ns_client_t *client = event->ev_arg;
+ isc_socket_newconnev_t *nevent = (isc_socket_newconnev_t *)event;
+- isc_uint32_t old;
+
+ REQUIRE(event->ev_type == ISC_SOCKEVENT_NEWCONN);
+ REQUIRE(NS_CLIENT_VALID(client));
+@@ -3334,8 +3331,7 @@ client_newconn(isc_task_t *task, isc_eve
+ INSIST(client->naccepts == 1);
+ client->naccepts--;
+
+- old = isc_atomic_xadd(&client->interface->ntcpaccepting, -1);
+- INSIST(old > 0);
++ isc_refcount_decrement(&client->interface->ntcpaccepting, NULL);
+
+ /*
+ * We must take ownership of the new socket before the exit
+@@ -3466,8 +3462,8 @@ client_accept(ns_client_t *client) {
+ * quota is tcp-clients plus the number of listening
+ * interfaces plus 1.)
+ */
+- exit = (isc_atomic_xadd(&client->interface->ntcpactive, 0) >
+- (client->tcpactive ? 1 : 0));
++ exit = (isc_refcount_current(&client->interface->ntcpactive) >
++ (client->tcpactive ? 1U : 0U));
+ if (exit) {
+ client->newstate = NS_CLIENTSTATE_INACTIVE;
+ (void)exit_check(client);
+@@ -3525,7 +3521,7 @@ client_accept(ns_client_t *client) {
+ * listening for connections itself to prevent the interface
+ * going dead.
+ */
+- isc_atomic_xadd(&client->interface->ntcpaccepting, 1);
++ isc_refcount_increment0(&client->interface->ntcpaccepting, NULL);
+ }
+
+ static void
+Index: bind9-9.11.4+dfsg/bin/named/include/named/interfacemgr.h
+===================================================================
+--- bind9-9.11.4+dfsg.orig/bin/named/include/named/interfacemgr.h 2019-04-24 15:25:11.891463104 -0400
++++ bind9-9.11.4+dfsg/bin/named/include/named/interfacemgr.h 2019-04-24 15:26:03.943597701 -0400
+@@ -43,6 +43,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include
+
+@@ -73,11 +74,11 @@ struct ns_interface {
+ /*%< UDP dispatchers. */
+ isc_socket_t * tcpsocket; /*%< TCP socket. */
+ isc_dscp_t dscp; /*%< "listen-on" DSCP value */
+- isc_int32_t ntcpaccepting; /*%< Number of clients
++ isc_refcount_t ntcpaccepting; /*%< Number of clients
+ ready to accept new
+ TCP connections on this
+ interface */
+- isc_int32_t ntcpactive; /*%< Number of clients
++ isc_refcount_t ntcpactive; /*%< Number of clients
+ servicing TCP queries
+ (whether accepting or
+ connected) */
+Index: bind9-9.11.4+dfsg/bin/named/interfacemgr.c
+===================================================================
+--- bind9-9.11.4+dfsg.orig/bin/named/interfacemgr.c 2019-04-24 15:25:11.891463104 -0400
++++ bind9-9.11.4+dfsg/bin/named/interfacemgr.c 2019-04-24 15:25:11.891463104 -0400
+@@ -384,8 +384,8 @@ ns_interface_create(ns_interfacemgr_t *m
+ * connections will be handled in parallel even though there is
+ * only one client initially.
+ */
+- ifp->ntcpaccepting = 0;
+- ifp->ntcpactive = 0;
++ isc_refcount_init(&ifp->ntcpaccepting, 0);
++ isc_refcount_init(&ifp->ntcpactive, 0);
+
+ ifp->nudpdispatch = 0;
+
+@@ -616,6 +616,9 @@ ns_interface_destroy(ns_interface_t *ifp
+
+ ns_interfacemgr_detach(&ifp->mgr);
+
++ isc_refcount_destroy(&ifp->ntcpactive);
++ isc_refcount_destroy(&ifp->ntcpaccepting);
++
+ ifp->magic = 0;
+ isc_mem_put(mctx, ifp, sizeof(*ifp));
+ }
diff --git a/CVE-2018-5743.patch b/CVE-2018-5743.patch
new file mode 100644
index 0000000000000000000000000000000000000000..784d9a022226f23500fe0e04328f2d08f280618a
--- /dev/null
+++ b/CVE-2018-5743.patch
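Review bot: `isc_refcount_destroy()` on ntcpactive and ntcpaccepting in ns_interface_destroy turns a stale counter into a hard failure: in this BIND branch that macro presumably asserts the count is zero, so a client that drops its interface reference without first having run `mark_tcp_active(client, ISC_FALSE)` or completed its pending accept would now abort named at interface teardown instead of merely miscounting. Nothing in the hunk states that ordering; a comment above the two calls, `/* Every client clears tcpactive and completes accept before ns_interface_detach(), so both counters must be zero here. */`, and a matching note on the two fields in interfacemgr.h would make the invariant reviewable. The `INSIST(old > 0)` checks dropped from mark_tcp_active and client_newconn are preserved only if `isc_refcount_decrement()` rejects underflow in every configured backend; if it does not, keep an explicit check on the returned value instead of passing NULL. The angle-bracket target of the new `#include` line in interfacemgr.h has been lost in this rendering, so the intended header (presumably isc/refcount.h) cannot be verified from the page.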
@@ -0,0 +1,872 @@
+Description: fix limiting simultaneous TCP clients is ineffective
+Origin: backported from patch provided by ISC
+
+Index: bind9-9.11.4+dfsg/bin/named/client.c
+===================================================================
+--- bind9-9.11.4+dfsg.orig/bin/named/client.c 2019-04-24 05:05:24.068523718 -0400
++++ bind9-9.11.4+dfsg/bin/named/client.c 2019-04-24 05:16:21.089731949 -0400
+@@ -243,10 +243,11 @@ static void ns_client_dumpmessage(ns_cli
+ static isc_result_t get_client(ns_clientmgr_t *manager, ns_interface_t *ifp,
+ dns_dispatch_t *disp, isc_boolean_t tcp);
+ static isc_result_t get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp,
+- isc_socket_t *sock);
++ isc_socket_t *sock, ns_client_t *oldclient);
+ static inline isc_boolean_t
+-allowed(isc_netaddr_t *addr, dns_name_t *signer, isc_netaddr_t *ecs_addr,
+- isc_uint8_t ecs_addrlen, isc_uint8_t *ecs_scope, dns_acl_t *acl);
++allowed(isc_netaddr_t *addr, dns_name_t *signer,
++ isc_netaddr_t *ecs_addr, isc_uint8_t ecs_addrlen,
++ isc_uint8_t *ecs_scope, dns_acl_t *acl);
+ static void compute_cookie(ns_client_t *client, isc_uint32_t when,
+ isc_uint32_t nonce, const unsigned char *secret,
+ isc_buffer_t *buf);
+@@ -296,6 +297,119 @@ ns_client_settimeout(ns_client_t *client
+ }
+
+ /*%
++ * Allocate a reference-counted object that will maintain a single pointer to
++ * the (also reference-counted) TCP client quota, shared between all the
++ * clients processing queries on a single TCP connection, so that all
++ * clients sharing the one socket will together consume only one slot in
++ * the 'tcp-clients' quota.
++ */
++static isc_result_t
++tcpconn_init(ns_client_t *client, isc_boolean_t force) {
++ isc_result_t result;
++ isc_quota_t *quota = NULL;
++ ns_tcpconn_t *tconn = NULL;
++
++ REQUIRE(client->tcpconn == NULL);
++
++ /*
++ * Try to attach to the quota first, so we won't pointlessly
++ * allocate memory for a tcpconn object if we can't get one.
++ */
++ if (force) {
++ result = isc_quota_force(&ns_g_server->tcpquota, "a);
++ } else {
++ result = isc_quota_attach(&ns_g_server->tcpquota, "a);
++ }
++ if (result != ISC_R_SUCCESS) {
++ return (result);
++ }
++
++ /*
++ * A global memory context is used for the allocation as different
++ * client structures may have different memory contexts assigned and a
++ * reference counter allocated here might need to be freed by a
++ * different client. The performance impact caused by memory context
++ * contention here is expected to be negligible, given that this code
++ * is only executed for TCP connections.
++ */
++ tconn = isc_mem_allocate(ns_g_mctx, sizeof(*tconn));
++
++ isc_refcount_init(&tconn->refs, 1);
++ tconn->tcpquota = quota;
++ quota = NULL;
++ tconn->pipelined = ISC_FALSE;
++
++ client->tcpconn = tconn;
++
++ return (ISC_R_SUCCESS);
++}
++
++/*%
++ * Increase the count of client structures sharing the TCP connection
++ * that 'source' is associated with; add a pointer to the same tcpconn
++ * to 'target', thus associating it with the same TCP connection.
++ */
++static void
++tcpconn_attach(ns_client_t *source, ns_client_t *target) {
++ int refs;
++
++ REQUIRE(source->tcpconn != NULL);
++ REQUIRE(target->tcpconn == NULL);
++ REQUIRE(source->tcpconn->pipelined);
++
++ isc_refcount_increment(&source->tcpconn->refs, &refs);
++ INSIST(refs > 1);
++ target->tcpconn = source->tcpconn;
++}
++
++/*%
++ * Decrease the count of client structures sharing the TCP connection that
++ * 'client' is associated with. If this is the last client using this TCP
++ * connection, we detach from the TCP quota and free the tcpconn
++ * object. Either way, client->tcpconn is set to NULL.
++ */
++static void
++tcpconn_detach(ns_client_t *client) {
++ ns_tcpconn_t *tconn = NULL;
++ int refs;
++
++ REQUIRE(client->tcpconn != NULL);
++
++ tconn = client->tcpconn;
++ client->tcpconn = NULL;
++
++ isc_refcount_decrement(&tconn->refs, &refs);
++ if (refs == 0) {
++ isc_quota_detach(&tconn->tcpquota);
++ isc_mem_free(ns_g_mctx, tconn);
++ }
++}
++
++/*%
++ * Mark a client as active and increment the interface's 'ntcpactive'
++ * counter, as a signal that there is at least one client servicing
++ * TCP queries for the interface. If we reach the TCP client quota at
++ * some point, this will be used to determine whether a quota overrun
++ * should be permitted.
++ *
++ * Marking the client active with the 'tcpactive' flag ensures proper
++ * accounting, by preventing us from incrementing or decrementing
++ * 'ntcpactive' more than once per client.
++ */
++static void
++mark_tcp_active(ns_client_t *client, isc_boolean_t active) {
++ if (active && !client->tcpactive) {
++ isc_atomic_xadd(&client->interface->ntcpactive, 1);
++ client->tcpactive = active;
++ } else if (!active && client->tcpactive) {
++ uint32_t old =
++ isc_atomic_xadd(&client->interface->ntcpactive, -1);
++ INSIST(old > 0);
++ client->tcpactive = active;
++ }
++}
++
++/*%
+ * Check for a deactivation or shutdown request and take appropriate
+ * action. Returns ISC_TRUE if either is in progress; in this case
+ * the caller must no longer use the client object as it may have been
+@@ -384,7 +498,8 @@ exit_check(ns_client_t *client) {
+ INSIST(client->recursionquota == NULL);
+
+ if (NS_CLIENTSTATE_READING == client->newstate) {
+- if (!client->pipelined) {
++ INSIST(client->tcpconn != NULL);
++ if (!client->tcpconn->pipelined) {
+ client_read(client);
+ client->newstate = NS_CLIENTSTATE_MAX;
+ return (ISC_TRUE); /* We're done. */
+@@ -402,10 +517,13 @@ exit_check(ns_client_t *client) {
+ */
+ INSIST(client->recursionquota == NULL);
+ INSIST(client->newstate <= NS_CLIENTSTATE_READY);
+- if (client->nreads > 0)
++
++ if (client->nreads > 0) {
+ dns_tcpmsg_cancelread(&client->tcpmsg);
+- if (client->nreads != 0) {
+- /* Still waiting for read cancel completion. */
++ }
++
++ /* Still waiting for read cancel completion. */
++ if (client->nreads > 0) {
+ return (ISC_TRUE);
+ }
+
+@@ -413,14 +531,49 @@ exit_check(ns_client_t *client) {
+ dns_tcpmsg_invalidate(&client->tcpmsg);
+ client->tcpmsg_valid = ISC_FALSE;
+ }
++
++ /*
++ * Soon the client will be ready to accept a new TCP
++ * connection or UDP request, but we may have enough
++ * clients doing that already. Check whether this client
++ * needs to remain active and allow it go inactive if
++ * not.
++ *
++ * UDP clients always go inactive at this point, but a TCP
++ * client may need to stay active and return to READY
++ * state if no other clients are available to listen
++ * for TCP requests on this interface.
++ *
++ * Regardless, if we're going to FREED state, that means
++ * the system is shutting down and we don't need to
++ * retain clients.
++ */
++ if (client->mortal && TCP_CLIENT(client) &&
++ client->newstate != NS_CLIENTSTATE_FREED &&
++ !ns_g_clienttest &&
++ isc_atomic_xadd(&client->interface->ntcpaccepting, 0) == 0)
++ {
++ /* Nobody else is accepting */
++ client->mortal = ISC_FALSE;
++ client->newstate = NS_CLIENTSTATE_READY;
++ }
++
++ /*
++ * Detach from TCP connection and TCP client quota,
++ * if appropriate. If this is the last reference to
++ * the TCP connection in our pipeline group, the
++ * TCP quota slot will be released.
++ */
++ if (client->tcpconn) {
++ tcpconn_detach(client);
++ }
++
+ if (client->tcpsocket != NULL) {
+ CTRACE("closetcp");
+ isc_socket_detach(&client->tcpsocket);
++ mark_tcp_active(client, ISC_FALSE);
+ }
+
+- if (client->tcpquota != NULL)
+- isc_quota_detach(&client->tcpquota);
+-
+ if (client->timerset) {
+ (void)isc_timer_reset(client->timer,
+ isc_timertype_inactive,
+@@ -428,45 +581,26 @@ exit_check(ns_client_t *client) {
+ client->timerset = ISC_FALSE;
+ }
+
+- client->pipelined = ISC_FALSE;
+-
+ client->peeraddr_valid = ISC_FALSE;
+
+ client->state = NS_CLIENTSTATE_READY;
+- INSIST(client->recursionquota == NULL);
+-
+- /*
+- * Now the client is ready to accept a new TCP connection
+- * or UDP request, but we may have enough clients doing
+- * that already. Check whether this client needs to remain
+- * active and force it to go inactive if not.
+- *
+- * UDP clients go inactive at this point, but TCP clients
+- * may remain active if we have fewer active TCP client
+- * objects than desired due to an earlier quota exhaustion.
+- */
+- if (client->mortal && TCP_CLIENT(client) && !ns_g_clienttest) {
+- LOCK(&client->interface->lock);
+- if (client->interface->ntcpcurrent <
+- client->interface->ntcptarget)
+- client->mortal = ISC_FALSE;
+- UNLOCK(&client->interface->lock);
+- }
+
+ /*
+ * We don't need the client; send it to the inactive
+ * queue for recycling.
+ */
+ if (client->mortal) {
+- if (client->newstate > NS_CLIENTSTATE_INACTIVE)
++ if (client->newstate > NS_CLIENTSTATE_INACTIVE) {
+ client->newstate = NS_CLIENTSTATE_INACTIVE;
++ }
+ }
+
+ if (NS_CLIENTSTATE_READY == client->newstate) {
+ if (TCP_CLIENT(client)) {
+ client_accept(client);
+- } else
++ } else {
+ client_udprecv(client);
++ }
+ client->newstate = NS_CLIENTSTATE_MAX;
+ return (ISC_TRUE);
+ }
+@@ -478,41 +612,50 @@ exit_check(ns_client_t *client) {
+ /*
+ * We are trying to enter the inactive state.
+ */
+- if (client->naccepts > 0)
++ if (client->naccepts > 0) {
+ isc_socket_cancel(client->tcplistener, client->task,
+ ISC_SOCKCANCEL_ACCEPT);
++ }
+
+ /* Still waiting for accept cancel completion. */
+- if (! (client->naccepts == 0))
++ if (client->naccepts > 0) {
+ return (ISC_TRUE);
++ }
+
+ /* Accept cancel is complete. */
+- if (client->nrecvs > 0)
++ if (client->nrecvs > 0) {
+ isc_socket_cancel(client->udpsocket, client->task,
+ ISC_SOCKCANCEL_RECV);
++ }
+
+ /* Still waiting for recv cancel completion. */
+- if (! (client->nrecvs == 0))
++ if (client->nrecvs > 0) {
+ return (ISC_TRUE);
++ }
+
+ /* Still waiting for control event to be delivered */
+- if (client->nctls > 0)
++ if (client->nctls > 0) {
+ return (ISC_TRUE);
+-
+- /* Deactivate the client. */
+- if (client->interface)
+- ns_interface_detach(&client->interface);
++ }
+
+ INSIST(client->naccepts == 0);
+ INSIST(client->recursionquota == NULL);
+- if (client->tcplistener != NULL)
++ if (client->tcplistener != NULL) {
+ isc_socket_detach(&client->tcplistener);
+-
+- if (client->udpsocket != NULL)
++ mark_tcp_active(client, ISC_FALSE);
++ }
++ if (client->udpsocket != NULL) {
+ isc_socket_detach(&client->udpsocket);
++ }
+
+- if (client->dispatch != NULL)
++ /* Deactivate the client. */
++ if (client->interface != NULL) {
++ ns_interface_detach(&client->interface);
++ }
++
++ if (client->dispatch != NULL) {
+ dns_dispatch_detach(&client->dispatch);
++ }
+
+ client->attributes = 0;
+ client->mortal = ISC_FALSE;
+@@ -537,10 +680,13 @@ exit_check(ns_client_t *client) {
+ client->newstate = NS_CLIENTSTATE_MAX;
+ if (!ns_g_clienttest && manager != NULL &&
+ !manager->exiting)
++ {
+ ISC_QUEUE_PUSH(manager->inactive, client,
+ ilink);
+- if (client->needshutdown)
++ }
++ if (client->needshutdown) {
+ isc_task_shutdown(client->task);
++ }
+ return (ISC_TRUE);
+ }
+ }
+@@ -650,7 +796,7 @@ client_start(isc_task_t *task, isc_event
+ return;
+
+ if (TCP_CLIENT(client)) {
+- if (client->pipelined) {
++ if (client->tcpconn != NULL) {
+ client_read(client);
+ } else {
+ client_accept(client);
+@@ -660,7 +806,6 @@ client_start(isc_task_t *task, isc_event
+ }
+ }
+
+-
+ /*%
+ * The client's task has received a shutdown event.
+ */
+@@ -2301,6 +2446,7 @@ client_request(isc_task_t *task, isc_eve
+ client->nrecvs--;
+ } else {
+ INSIST(TCP_CLIENT(client));
++ INSIST(client->tcpconn != NULL);
+ REQUIRE(event->ev_type == DNS_EVENT_TCPMSG);
+ REQUIRE(event->ev_sender == &client->tcpmsg);
+ buffer = &client->tcpmsg.buffer;
+@@ -2484,18 +2630,27 @@ client_request(isc_task_t *task, isc_eve
+ /*
+ * Pipeline TCP query processing.
+ */
+- if (client->message->opcode != dns_opcode_query)
+- client->pipelined = ISC_FALSE;
+- if (TCP_CLIENT(client) && client->pipelined) {
+- result = isc_quota_reserve(&ns_g_server->tcpquota);
+- if (result == ISC_R_SUCCESS)
+- result = ns_client_replace(client);
++ if (TCP_CLIENT(client) &&
++ client->message->opcode != dns_opcode_query)
++ {
++ client->tcpconn->pipelined = ISC_FALSE;
++ }
++ if (TCP_CLIENT(client) && client->tcpconn->pipelined) {
++ /*
++ * We're pipelining. Replace the client; the
++ * replacement can read the TCP socket looking
++ * for new messages and this one can process the
++ * current message asynchronously.
++ *
++ * There will now be at least three clients using this
++ * TCP socket - one accepting new connections,
++ * one reading an existing connection to get new
++ * messages, and one answering the message already
++ * received.
++ */
++ result = ns_client_replace(client);
+ if (result != ISC_R_SUCCESS) {
+- ns_client_log(client, NS_LOGCATEGORY_CLIENT,
+- NS_LOGMODULE_CLIENT, ISC_LOG_WARNING,
+- "no more TCP clients(read): %s",
+- isc_result_totext(result));
+- client->pipelined = ISC_FALSE;
++ client->tcpconn->pipelined = ISC_FALSE;
+ }
+ }
+
+@@ -3051,8 +3206,7 @@ client_create(ns_clientmgr_t *manager, n
+ client->signer = NULL;
+ dns_name_init(&client->signername, NULL);
+ client->mortal = ISC_FALSE;
+- client->pipelined = ISC_FALSE;
+- client->tcpquota = NULL;
++ client->tcpconn = NULL;
+ client->recursionquota = NULL;
+ client->interface = NULL;
+ client->peeraddr_valid = ISC_FALSE;
+@@ -3062,6 +3216,7 @@ client_create(ns_clientmgr_t *manager, n
+ client->filter_aaaa = dns_aaaa_ok;
+ #endif
+ client->needshutdown = ns_g_clienttest;
++ client->tcpactive = ISC_FALSE;
+
+ ISC_EVENT_INIT(&client->ctlevent, sizeof(client->ctlevent), 0, NULL,
+ NS_EVENT_CLIENTCONTROL, client_start, client, client,
+@@ -3156,9 +3311,10 @@ client_read(ns_client_t *client) {
+
+ static void
+ client_newconn(isc_task_t *task, isc_event_t *event) {
++ isc_result_t result;
+ ns_client_t *client = event->ev_arg;
+ isc_socket_newconnev_t *nevent = (isc_socket_newconnev_t *)event;
+- isc_result_t result;
++ isc_uint32_t old;
+
+ REQUIRE(event->ev_type == ISC_SOCKEVENT_NEWCONN);
+ REQUIRE(NS_CLIENT_VALID(client));
+@@ -3168,13 +3324,18 @@ client_newconn(isc_task_t *task, isc_eve
+
+ INSIST(client->state == NS_CLIENTSTATE_READY);
+
++ /*
++ * The accept() was successful and we're now establishing a new
++ * connection. We need to make note of it in the client and
++ * interface objects so client objects can do the right thing
++ * when going inactive in exit_check() (see comments in
++ * client_accept() for details).
++ */
+ INSIST(client->naccepts == 1);
+ client->naccepts--;
+
+- LOCK(&client->interface->lock);
+- INSIST(client->interface->ntcpcurrent > 0);
+- client->interface->ntcpcurrent--;
+- UNLOCK(&client->interface->lock);
++ old = isc_atomic_xadd(&client->interface->ntcpaccepting, -1);
++ INSIST(old > 0);
+
+ /*
+ * We must take ownership of the new socket before the exit
+@@ -3207,6 +3368,7 @@ client_newconn(isc_task_t *task, isc_eve
+ NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
+ "accept failed: %s",
+ isc_result_totext(nevent->result));
++ tcpconn_detach(client);
+ }
+
+ if (exit_check(client))
+@@ -3244,20 +3406,13 @@ client_newconn(isc_task_t *task, isc_eve
+ * telnetting to port 53 (once per CPU) will
+ * deny service to legitimate TCP clients.
+ */
+- client->pipelined = ISC_FALSE;
+- result = isc_quota_attach(&ns_g_server->tcpquota,
+- &client->tcpquota);
+- if (result == ISC_R_SUCCESS)
+- result = ns_client_replace(client);
+- if (result != ISC_R_SUCCESS) {
+- ns_client_log(client, NS_LOGCATEGORY_CLIENT,
+- NS_LOGMODULE_CLIENT, ISC_LOG_WARNING,
+- "no more TCP clients(accept): %s",
+- isc_result_totext(result));
+- } else if (ns_g_server->keepresporder == NULL ||
+- !allowed(&netaddr, NULL, NULL, 0, NULL,
+- ns_g_server->keepresporder)) {
+- client->pipelined = ISC_TRUE;
++ result = ns_client_replace(client);
++ if (result == ISC_R_SUCCESS &&
++ (ns_g_server->keepresporder == NULL ||
++ !allowed(&netaddr, NULL, NULL, 0, NULL,
++ ns_g_server->keepresporder)))
++ {
++ client->tcpconn->pipelined = ISC_TRUE;
+ }
+
+ client_read(client);
+@@ -3273,12 +3428,66 @@ client_accept(ns_client_t *client) {
+
+ CTRACE("accept");
+
++ /*
++ * Set up a new TCP connection. This means try to attach to the
++ * TCP client quota (tcp-clients), but fail if we're over quota.
++ */
++ result = tcpconn_init(client, ISC_FALSE);
++ if (result != ISC_R_SUCCESS) {
++ isc_boolean_t exit;
++
++ ns_client_log(client, NS_LOGCATEGORY_CLIENT,
++ NS_LOGMODULE_CLIENT, ISC_LOG_WARNING,
++ "TCP client quota reached: %s",
++ isc_result_totext(result));
++
++ /*
++ * We have exceeded the system-wide TCP client quota. But,
++ * we can't just block this accept in all cases, because if
++ * we did, a heavy TCP load on other interfaces might cause
++ * this interface to be starved, with no clients able to
++ * accept new connections.
++ *
++ * So, we check here to see if any other clients are
++ * already servicing TCP queries on this interface (whether
++ * accepting, reading, or processing). If we find that at
++ * least one client other than this one is active, then
++ * it's okay *not* to call accept - we can let this
++ * client go inactive and another will take over when it's
++ * done.
++ *
++ * If there aren't enough active clients on the interface,
++ * then we can be a little bit flexible about the quota.
++ * We'll allow *one* extra client through to ensure we're
++ * listening on every interface; we do this by setting the
++ * 'force' option to tcpconn_init().
++ *
++ * (Note: In practice this means that the real TCP client
++ * quota is tcp-clients plus the number of listening
++ * interfaces plus 1.)
++ */
++ exit = (isc_atomic_xadd(&client->interface->ntcpactive, 0) >
++ (client->tcpactive ? 1 : 0));
++ if (exit) {
++ client->newstate = NS_CLIENTSTATE_INACTIVE;
++ (void)exit_check(client);
++ return;
++ }
++
++ result = tcpconn_init(client, ISC_TRUE);
++ RUNTIME_CHECK(result == ISC_R_SUCCESS);
++ }
++
++ /*
++ * If this client was set up using get_client() or get_worker(),
++ * then TCP is already marked active. However, if it was restarted
++ * from exit_check(), it might not be, so we take care of it now.
++ */
++ mark_tcp_active(client, ISC_TRUE);
++
+ result = isc_socket_accept(client->tcplistener, client->task,
+ client_newconn, client);
+ if (result != ISC_R_SUCCESS) {
+- UNEXPECTED_ERROR(__FILE__, __LINE__,
+- "isc_socket_accept() failed: %s",
+- isc_result_totext(result));
+ /*
+ * XXXRTH What should we do? We're trying to accept but
+ * it didn't work. If we just give up, then TCP
+@@ -3286,13 +3495,37 @@ client_accept(ns_client_t *client) {
+ *
+ * For now, we just go idle.
+ */
++ UNEXPECTED_ERROR(__FILE__, __LINE__,
++ "isc_socket_accept() failed: %s",
++ isc_result_totext(result));
++
++ tcpconn_detach(client);
++ mark_tcp_active(client, ISC_FALSE);
+ return;
+ }
++
++ /*
++ * The client's 'naccepts' counter indicates that this client has
++ * called accept() and is waiting for a new connection. It should
++ * never exceed 1.
++ */
+ INSIST(client->naccepts == 0);
+ client->naccepts++;
+- LOCK(&client->interface->lock);
+- client->interface->ntcpcurrent++;
+- UNLOCK(&client->interface->lock);
++
++ /*
++ * The interface's 'ntcpaccepting' counter is incremented when
++ * any client calls accept(), and decremented in client_newconn()
++ * once the connection is established.
++ *
++ * When the client object is shutting down after handling a TCP
++ * request (see exit_check()), if this value is at least one, that
++ * means another client has called accept() and is waiting to
++ * establish the next connection. That means the client may be
++ * be free to become inactive; otherwise it may need to start
++ * listening for connections itself to prevent the interface
++ * going dead.
++ */
++ isc_atomic_xadd(&client->interface->ntcpaccepting, 1);
+ }
+
+ static void
+@@ -3363,15 +3596,17 @@ ns_client_replace(ns_client_t *client) {
+ REQUIRE(client->manager != NULL);
+
+ tcp = TCP_CLIENT(client);
+- if (tcp && client->pipelined) {
++ if (tcp && client->tcpconn != NULL && client->tcpconn->pipelined) {
+ result = get_worker(client->manager, client->interface,
+- client->tcpsocket);
++ client->tcpsocket, client);
+ } else {
+ result = get_client(client->manager, client->interface,
+ client->dispatch, tcp);
++
+ }
+- if (result != ISC_R_SUCCESS)
++ if (result != ISC_R_SUCCESS) {
+ return (result);
++ }
+
+ /*
+ * The responsibility for listening for new requests is hereby
+@@ -3557,9 +3792,12 @@ get_client(ns_clientmgr_t *manager, ns_i
+ client->dscp = ifp->dscp;
+
+ if (tcp) {
++ mark_tcp_active(client, ISC_TRUE);
++
+ client->attributes |= NS_CLIENTATTR_TCP;
+ isc_socket_attach(ifp->tcpsocket,
+ &client->tcplistener);
++
+ } else {
+ isc_socket_t *sock;
+
+@@ -3577,7 +3815,8 @@ get_client(ns_clientmgr_t *manager, ns_i
+ }
+
+ static isc_result_t
+-get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, isc_socket_t *sock)
++get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, isc_socket_t *sock,
++ ns_client_t *oldclient)
+ {
+ isc_result_t result = ISC_R_SUCCESS;
+ isc_event_t *ev;
+@@ -3585,6 +3824,7 @@ get_worker(ns_clientmgr_t *manager, ns_i
+ MTRACE("get worker");
+
+ REQUIRE(manager != NULL);
++ REQUIRE(oldclient != NULL);
+
+ if (manager->exiting)
+ return (ISC_R_SHUTTINGDOWN);
+@@ -3617,14 +3857,15 @@ get_worker(ns_clientmgr_t *manager, ns_i
+ ns_interface_attach(ifp, &client->interface);
+ client->newstate = client->state = NS_CLIENTSTATE_WORKING;
+ INSIST(client->recursionquota == NULL);
+- client->tcpquota = &ns_g_server->tcpquota;
+
+ client->dscp = ifp->dscp;
+
+ client->attributes |= NS_CLIENTATTR_TCP;
+- client->pipelined = ISC_TRUE;
+ client->mortal = ISC_TRUE;
+
++ tcpconn_attach(oldclient, client);
++ mark_tcp_active(client, ISC_TRUE);
++
+ isc_socket_attach(ifp->tcpsocket, &client->tcplistener);
+ isc_socket_attach(sock, &client->tcpsocket);
+ isc_socket_setname(client->tcpsocket, "worker-tcp", NULL);
+Index: bind9-9.11.4+dfsg/bin/named/include/named/client.h
+===================================================================
+--- bind9-9.11.4+dfsg.orig/bin/named/include/named/client.h 2019-04-24 05:05:24.068523718 -0400
++++ bind9-9.11.4+dfsg/bin/named/include/named/client.h 2019-04-24 05:18:09.894205195 -0400
+@@ -9,8 +9,6 @@
+ * information regarding copyright ownership.
+ */
+
+-/* $Id: client.h,v 1.96 2012/01/31 23:47:31 tbox Exp $ */
+-
+ #ifndef NAMED_CLIENT_H
+ #define NAMED_CLIENT_H 1
+
+@@ -77,6 +75,13 @@
+ *** Types
+ ***/
+
++/*% reference-counted TCP connection object */
++typedef struct ns_tcpconn {
++ isc_refcount_t refs;
++ isc_quota_t *tcpquota;
++ isc_boolean_t pipelined;
++} ns_tcpconn_t;
++
+ /*% nameserver client structure */
+ struct ns_client {
+ unsigned int magic;
+@@ -91,6 +96,7 @@ struct ns_client {
+ int nupdates;
+ int nctls;
+ int references;
++ isc_boolean_t tcpactive;
+ isc_boolean_t needshutdown; /*
+ * Used by clienttest to get
+ * the client to go from
+@@ -127,10 +133,9 @@ struct ns_client {
+ isc_stdtime_t now;
+ isc_time_t tnow;
+ dns_name_t signername; /*%< [T]SIG key name */
+- dns_name_t * signer; /*%< NULL if not valid sig */
++ dns_name_t *signer; /*%< NULL if not valid sig */
+ isc_boolean_t mortal; /*%< Die after handling request */
+- isc_boolean_t pipelined; /*%< TCP queries not in sequence */
+- isc_quota_t *tcpquota;
++ ns_tcpconn_t *tcpconn;
+ isc_quota_t *recursionquota;
+ ns_interface_t *interface;
+
+Index: bind9-9.11.4+dfsg/bin/named/include/named/interfacemgr.h
+===================================================================
+--- bind9-9.11.4+dfsg.orig/bin/named/include/named/interfacemgr.h 2019-04-24 05:05:24.068523718 -0400
++++ bind9-9.11.4+dfsg/bin/named/include/named/interfacemgr.h 2019-04-24 05:05:24.068523718 -0400
+@@ -9,8 +9,6 @@
+ * information regarding copyright ownership.
+ */
+
+-/* $Id: interfacemgr.h,v 1.35 2011/07/28 23:47:58 tbox Exp $ */
+-
+ #ifndef NAMED_INTERFACEMGR_H
+ #define NAMED_INTERFACEMGR_H 1
+
+@@ -75,9 +73,14 @@ struct ns_interface {
+ /*%< UDP dispatchers. */
+ isc_socket_t * tcpsocket; /*%< TCP socket. */
+ isc_dscp_t dscp; /*%< "listen-on" DSCP value */
+- int ntcptarget; /*%< Desired number of concurrent
+- TCP accepts */
+- int ntcpcurrent; /*%< Current ditto, locked */
++ isc_int32_t ntcpaccepting; /*%< Number of clients
++ ready to accept new
++ TCP connections on this
++ interface */
++ isc_int32_t ntcpactive; /*%< Number of clients
++ servicing TCP queries
++ (whether accepting or
++ connected) */
+ int nudpdispatch; /*%< Number of UDP dispatches */
+ ns_clientmgr_t * clientmgr; /*%< Client manager. */
+ ISC_LINK(ns_interface_t) link;
+Index: bind9-9.11.4+dfsg/bin/named/interfacemgr.c
+===================================================================
+--- bind9-9.11.4+dfsg.orig/bin/named/interfacemgr.c 2019-04-24 05:05:24.068523718 -0400
++++ bind9-9.11.4+dfsg/bin/named/interfacemgr.c 2019-04-24 05:19:06.102432272 -0400
+@@ -384,8 +384,9 @@ ns_interface_create(ns_interfacemgr_t *m
+ * connections will be handled in parallel even though there is
+ * only one client initially.
+ */
+- ifp->ntcptarget = 1;
+- ifp->ntcpcurrent = 0;
++ ifp->ntcpaccepting = 0;
++ ifp->ntcpactive = 0;
++
+ ifp->nudpdispatch = 0;
+
+ ifp->dscp = -1;
+@@ -520,9 +521,7 @@ ns_interface_accepttcp(ns_interface_t *i
+ */
+ (void)isc_socket_filter(ifp->tcpsocket, "dataready");
+
+- result = ns_clientmgr_createclients(ifp->clientmgr,
+- ifp->ntcptarget, ifp,
+- ISC_TRUE);
++ result = ns_clientmgr_createclients(ifp->clientmgr, 1, ifp, ISC_TRUE);
+ if (result != ISC_R_SUCCESS) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "TCP ns_clientmgr_createclients(): %s",
+Index: bind9-9.11.4+dfsg/lib/isc/include/isc/quota.h
+===================================================================
+--- bind9-9.11.4+dfsg.orig/lib/isc/include/isc/quota.h 2019-04-24 05:05:24.068523718 -0400
++++ bind9-9.11.4+dfsg/lib/isc/include/isc/quota.h 2019-04-24 05:05:24.068523718 -0400
+@@ -100,6 +100,13 @@ isc_quota_attach(isc_quota_t *quota, isc
+ * quota if successful (ISC_R_SUCCESS or ISC_R_SOFTQUOTA).
+ */
+
++isc_result_t
++isc_quota_force(isc_quota_t *quota, isc_quota_t **p);
++/*%<
++ * Like isc_quota_attach, but will attach '*p' to the quota
++ * even if the hard quota has been exceeded.
++ */ ++ + void + isc_quota_detach(isc_quota_t **p); + /*%< +Index: bind9-9.11.4+dfsg/lib/isc/quota.c +=================================================================== +--- bind9-9.11.4+dfsg.orig/lib/isc/quota.c 2019-04-24 05:05:24.068523718 -0400 ++++ bind9-9.11.4+dfsg/lib/isc/quota.c 2019-04-24 05:05:24.068523718 -0400 +@@ -74,20 +74,39 @@ isc_quota_release(isc_quota_t *quota) { + UNLOCK("a->lock); + } + +-isc_result_t +-isc_quota_attach(isc_quota_t *quota, isc_quota_t **p) +-{ ++static isc_result_t ++doattach(isc_quota_t *quota, isc_quota_t **p, isc_boolean_t force) { + isc_result_t result; +- INSIST(p != NULL && *p == NULL); ++ REQUIRE(p != NULL && *p == NULL); ++ + result = isc_quota_reserve(quota); +- if (result == ISC_R_SUCCESS || result == ISC_R_SOFTQUOTA) ++ if (result == ISC_R_SUCCESS || result == ISC_R_SOFTQUOTA) { ++ *p = quota; ++ } else if (result == ISC_R_QUOTA && force) { ++ /* attach anyway */ ++ LOCK("a->lock); ++ quota->used++; ++ UNLOCK("a->lock); ++ + *p = quota; ++ result = ISC_R_SUCCESS; ++ } ++ + return (result); + } + ++isc_result_t ++isc_quota_attach(isc_quota_t *quota, isc_quota_t **p) { ++ return (doattach(quota, p, ISC_FALSE)); ++} ++ ++isc_result_t ++isc_quota_force(isc_quota_t *quota, isc_quota_t **p) { ++ return (doattach(quota, p, ISC_TRUE)); ++} ++ + void +-isc_quota_detach(isc_quota_t **p) +-{ ++isc_quota_detach(isc_quota_t **p) { + INSIST(p != NULL && *p != NULL); + isc_quota_release(*p); + *p = NULL; +Index: bind9-9.11.4+dfsg/lib/isc/win32/libisc.def.in +=================================================================== +--- bind9-9.11.4+dfsg.orig/lib/isc/win32/libisc.def.in 2019-04-24 05:05:24.068523718 -0400 ++++ bind9-9.11.4+dfsg/lib/isc/win32/libisc.def.in 2019-04-24 05:05:24.068523718 -0400 +@@ -519,6 +519,7 @@ isc_portset_removerange + isc_quota_attach + isc_quota_destroy + isc_quota_detach ++isc_quota_force + isc_quota_init + isc_quota_max + isc_quota_release 
diff --git a/CVE-2018-5745.patch b/CVE-2018-5745.patch new file mode 100644 index 0000000000000000000000000000000000000000..7b4e97d0ad48d153bf3908e5c8ac583bd29e7445 --- /dev/null +++ b/CVE-2018-5745.patch 
@@ -0,0 +1,71 @@ +Description: fix assertion failure when a trust anchor rolls over to an + unsupported key algorithm when using managed-keys +Origin: provided by ISC + +Index: bind9-9.11.4+dfsg/lib/dns/include/dst/dst.h +=================================================================== +--- bind9-9.11.4+dfsg.orig/lib/dns/include/dst/dst.h 2019-02-20 09:01:27.450680701 +0100 ++++ bind9-9.11.4+dfsg/lib/dns/include/dst/dst.h 2019-02-20 09:01:27.446680698 +0100 +@@ -67,8 +67,7 @@ typedef struct dst_context dst_context_ + #define DST_ALG_HMACSHA512 165 /* XXXMPA */ + #define DST_ALG_INDIRECT 252 + #define DST_ALG_PRIVATE 254 +-#define DST_ALG_EXPAND 255 +-#define DST_MAX_ALGS 255 ++#define DST_MAX_ALGS 256 + + /*% A buffer of this size is large enough to hold any key */ + #define DST_KEY_MAXSIZE 1280 +Index: bind9-9.11.4+dfsg/lib/dns/zone.c +=================================================================== +--- bind9-9.11.4+dfsg.orig/lib/dns/zone.c 2019-02-20 09:01:27.450680701 +0100 ++++ bind9-9.11.4+dfsg/lib/dns/zone.c 2019-02-20 09:01:27.450680701 +0100 +@@ -3873,9 +3873,10 @@ compute_tag(dns_name_t *name, dns_rdata_ + dns_rdatatype_dnskey, dnskey, &buffer); + + result = dns_dnssec_keyfromrdata(name, &rdata, mctx, &dstkey); +- if (result == ISC_R_SUCCESS) ++ if (result == ISC_R_SUCCESS) { + *tag = dst_key_id(dstkey); +- dst_key_free(&dstkey); ++ dst_key_free(&dstkey); ++ } + + return (result); + } +@@ -9315,6 +9316,17 @@ keyfetch_done(isc_task_t *task, isc_even + + dns_keydata_todnskey(&keydata, &dnskey, NULL); + result = compute_tag(keyname, &dnskey, mctx, &keytag); ++ if (result != ISC_R_SUCCESS) { ++ /* ++ * Skip if we cannot compute the key tag. 
++ * This may happen if the algorithm is unsupported ++ */ ++ dns_zone_log(zone, ISC_LOG_ERROR, ++ "Cannot compute tag for key in zone %s: %s " ++ "(skipping)", ++ namebuf, dns_result_totext(result)); ++ continue; ++ } + RUNTIME_CHECK(result == ISC_R_SUCCESS); + + /* +@@ -9426,6 +9438,17 @@ keyfetch_done(isc_task_t *task, isc_even + continue; + + result = compute_tag(keyname, &dnskey, mctx, &keytag); ++ if (result != ISC_R_SUCCESS) { ++ /* ++ * Skip if we cannot compute the key tag. ++ * This may happen if the algorithm is unsupported ++ */ ++ dns_zone_log(zone, ISC_LOG_ERROR, ++ "Cannot compute tag for key in zone %s: %s " ++ "(skipping)", ++ namebuf, dns_result_totext(result)); ++ continue; ++ } + RUNTIME_CHECK(result == ISC_R_SUCCESS); + + revoked = ISC_TF(dnskey.flags & DNS_KEYFLAG_REVOKE); diff --git a/CVE-2019-6465.patch b/CVE-2019-6465.patch new file mode 100644 index 0000000000000000000000000000000000000000..1fc492c0e8ddcf789d21e634ebb460fd3daf7741 --- /dev/null +++ b/CVE-2019-6465.patch 
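Review bot: The `RUNTIME_CHECK(result == ISC_R_SUCCESS);` left in place directly after each new `if (result != ISC_R_SUCCESS) { ... continue; }` block in keyfetch_done can no longer fail and should go, or better, the two identical log-and-skip blocks should be folded into one static helper so the "(skipping)" path has a single definition. The compute_tag change is the right shape: previously `dst_key_free(&dstkey)` was reached even when `dns_dnssec_keyfromrdata` failed, so an unsupported algorithm freed an uninitialised key, which is presumably one of the paths behind the assertion the description mentions. `DST_MAX_ALGS` is a public macro in dst.h, so any out-of-tree code that sized a per-algorithm table with the old value of 255 likely needs rebuilding against the new header; worth confirming before shipping. keyfetch_done starts and ends outside the hunk.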
@@ -0,0 +1,25 @@ +Description: fix controls for zone transfers not being properly applied to + Dynamically Loadable Zones (DLZs) if the zones are writable +Origin: provided by ISC + +Index: bind9-9.11.4+dfsg/bin/named/xfrout.c +=================================================================== +--- bind9-9.11.4+dfsg.orig/bin/named/xfrout.c 2019-02-20 09:02:00.710689380 +0100 ++++ bind9-9.11.4+dfsg/bin/named/xfrout.c 2019-02-20 09:02:00.706689381 +0100 +@@ -803,12 +803,12 @@ ns_xfr_start(ns_client_t *client, dns_rd + result = dns_zt_find(client->view->zonetable, question_name, 0, NULL, + &zone); + +- if (result != ISC_R_SUCCESS) { ++ if (result != ISC_R_SUCCESS || dns_zone_gettype(zone) == dns_zone_dlz) { + /* +- * Normal zone table does not have a match. +- * Try the DLZ database ++ * The normal zone table does not have a match, or this is ++ * marked in the zone table as a DLZ zone. Check the DLZ ++ * databases for a match. + */ +- // Temporary: only searching the first DLZ database + if (! ISC_LIST_EMPTY(client->view->dlz_searched)) { + result = dns_dlzallowzonexfr(client->view, + question_name, diff --git a/README.sdb_pgsql b/README.sdb_pgsql new file mode 100644 index 0000000000000000000000000000000000000000..c10c29468907a3a897126e79a11863f7f6a3dc70 --- /dev/null +++ b/README.sdb_pgsql 
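Review bot: The widened condition `if (result != ISC_R_SUCCESS || dns_zone_gettype(zone) == dns_zone_dlz)` now enters the DLZ branch while holding a live `zone` reference from `dns_zt_find` whenever the zone table contains a DLZ-typed zone, and nothing in the hunk detaches it before `dns_dlzallowzonexfr` is consulted; ns_xfr_start continues outside the hunk, so confirm that the later path either detaches `zone` or still uses it, otherwise the reference leaks on every transfer request for such a zone. The evaluation order is correct and worth recording: `dns_zone_gettype(zone)` runs only after a successful lookup, so `zone` is never NULL when dereferenced — a one-line comment `/* zone is only valid when dns_zt_find succeeded; rely on short-circuit */` above the condition would keep that invariant visible. Since this is the fix for transfer controls not being applied to writable DLZ zones, a regression test that a writable DLZ zone with `allow-transfer { none; }` refuses AXFR would pin the behaviour.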
@@ -0,0 +1,79 @@ + PGSQL BIND SDB driver + +The postgresql BIND SDB driver is of experimental status and should not be +used for production systems. + +Usage: + +o Use the named_sdb process ( put ENABLE_SDB=yes in /etc/sysconfig/named ) + +o Edit your named.conf to contain a database zone, eg. : + +zone "pgdb.net." IN { + type master; + database "pgsql bind pgdb localhost pguser pgpasswd"; + # ^- DB name ^-Table ^-host ^-user ^-password +}; + +o Create the database zone table + The table must contain the columns "name", "rdtype", and "rdata", and + is expected to contain a properly constructed zone. The program "zonetodb" + creates such a table. + + zonetodb usage: + + zonetodb origin file dbname dbtable + + where + origin : zone origin, eg "pgdb.net." + file : master zone database file, eg. pgdb.net.db + dbname : name of postgresql database + dbtable: name of table in database + + Eg. to import this zone in the file 'pgdb.net.db' into the 'bind' database + 'pgdb' table: + +--- +#pgdb.net.db: +$TTL 1H +@ SOA localhost. root.localhost. ( 1 + 3H + 1H + 1W + 1H ) + NS localhost. +host1 A 192.168.2.1 +host2 A 192.168.2.2 +host3 A 192.168.2.3 +host4 A 192.168.2.4 +host5 A 192.168.2.5 +host6 A 192.168.2.6 +host7 A 192.168.2.7 +--- + +Issue this command as the pgsql user authorized to update the bind database: + +# zonetodb pgdb.net. pgdb.net.db bind pgdb + +will create / update the pgdb table in the 'bind' db: + +$ psql -dbind -c 'select * from pgdb;' + name | ttl | rdtype | rdata +----------------+------+--------+----------------------------------------------------- + pgdb.net | 3600 | SOA | localhost. root.localhost. 1 10800 3600 604800 3600 + pgdb.net | 3600 | NS | localhost. 
+ host1.pgdb.net | 3600 | A | 192.168.2.1 + host2.pgdb.net | 3600 | A | 192.168.2.2 + host3.pgdb.net | 3600 | A | 192.168.2.3 + host4.pgdb.net | 3600 | A | 192.168.2.4 + host5.pgdb.net | 3600 | A | 192.168.2.5 + host6.pgdb.net | 3600 | A | 192.168.2.6 + host7.pgdb.net | 3600 | A | 192.168.2.7 +(9 rows) + +I've tested exactly the above configuration with bind-sdb-9.3.1+ and it works OK. + +NOTE: If you use pgsqldb SDB, ensure the postgresql service is started before the named + service . + +USE AT YOUR OWN RISK! diff --git a/Use-clock_gettime-instead-of-gettimeofday.patch b/Use-clock_gettime-instead-of-gettimeofday.patch new file mode 100644 index 0000000000000000000000000000000000000000..4247641542f602131d5709f4d5476cdd89458d21 --- /dev/null +++ b/Use-clock_gettime-instead-of-gettimeofday.patch 
@@ -0,0 +1,161 @@ +diff --git a/lib/isc/unix/time.c b/lib/isc/unix/time.c +index f06d31a5508c2d3f7227063c21d9d4563789e72a..da25e5bf8e07639c8f70420a5c3f3c98a36a0548 100644 +--- a/lib/isc/unix/time.c ++++ b/lib/isc/unix/time.c +@@ -36,16 +36,7 @@ + #define NS_PER_MS 1000000 /*%< Nanoseconds per millisecond. */ + #define US_PER_S 1000000 /*%< Microseconds per second. */ + +-/* +- * All of the INSIST()s checks of nanoseconds < NS_PER_S are for +- * consistency checking of the type. In lieu of magic numbers, it +- * is the best we've got. The check is only performed on functions which +- * need an initialized type. +- */ +- +-#ifndef ISC_FIX_TV_USEC +-#define ISC_FIX_TV_USEC 1 +-#endif ++#define CLOCKSOURCE CLOCK_MONOTONIC + + /*% + *** Intervals +@@ -54,32 +49,6 @@ + static const isc_interval_t zero_interval = { 0, 0 }; + const isc_interval_t * const isc_interval_zero = &zero_interval; + +-#if ISC_FIX_TV_USEC +-static inline void +-fix_tv_usec(struct timeval *tv) { +- isc_boolean_t fixed = ISC_FALSE; +- +- if (tv->tv_usec < 0) { +- fixed = ISC_TRUE; +- do { +- tv->tv_sec -= 1; +- tv->tv_usec += US_PER_S; +- } while (tv->tv_usec < 0); +- } else if (tv->tv_usec >= US_PER_S) { +- fixed = ISC_TRUE; +- do { +- tv->tv_sec += 1; +- tv->tv_usec -= US_PER_S; +- } while (tv->tv_usec >=US_PER_S); +- } +- /* +- * Call syslog directly as was are called from the logging functions. 
+- */ +- if (fixed) +- (void)syslog(LOG_ERR, "gettimeofday returned bad tv_usec: corrected"); +-} +-#endif +- + void + isc_interval_set(isc_interval_t *i, + unsigned int seconds, unsigned int nanoseconds) +@@ -141,76 +110,52 @@ isc_time_isepoch(const isc_time_t *t) { + + isc_result_t + isc_time_now(isc_time_t *t) { +- struct timeval tv; ++ struct timespec ts; + char strbuf[ISC_STRERRORSIZE]; + + REQUIRE(t != NULL); + +- if (gettimeofday(&tv, NULL) == -1) { ++ if (clock_gettime(CLOCKSOURCE, &ts) == -1) { + isc__strerror(errno, strbuf, sizeof(strbuf)); + UNEXPECTED_ERROR(__FILE__, __LINE__, "%s", strbuf); + return (ISC_R_UNEXPECTED); + } + +- /* +- * Does POSIX guarantee the signedness of tv_sec and tv_usec? If not, +- * then this test will generate warnings for platforms on which it is +- * unsigned. In any event, the chances of any of these problems +- * happening are pretty much zero, but since the libisc library ensures +- * certain things to be true ... +- */ +-#if ISC_FIX_TV_USEC +- fix_tv_usec(&tv); +- if (tv.tv_sec < 0) +- return (ISC_R_UNEXPECTED); +-#else +- if (tv.tv_sec < 0 || tv.tv_usec < 0 || tv.tv_usec >= US_PER_S) ++ if (ts.tv_sec < 0 || ts.tv_nsec < 0 || ts.tv_nsec >= NS_PER_S) { + return (ISC_R_UNEXPECTED); +-#endif ++ } + + /* + * Ensure the tv_sec value fits in t->seconds. 
+ */ +- if (sizeof(tv.tv_sec) > sizeof(t->seconds) && +- ((tv.tv_sec | (unsigned int)-1) ^ (unsigned int)-1) != 0U) ++ if (sizeof(ts.tv_sec) > sizeof(t->seconds) && ++ ((ts.tv_sec | (unsigned int)-1) ^ (unsigned int)-1) != 0U) + return (ISC_R_RANGE); + +- t->seconds = tv.tv_sec; +- t->nanoseconds = tv.tv_usec * NS_PER_US; ++ t->seconds = ts.tv_sec; ++ t->nanoseconds = ts.tv_nsec; + + return (ISC_R_SUCCESS); + } + + isc_result_t + isc_time_nowplusinterval(isc_time_t *t, const isc_interval_t *i) { +- struct timeval tv; ++ struct timespec ts; + char strbuf[ISC_STRERRORSIZE]; + + REQUIRE(t != NULL); + REQUIRE(i != NULL); + INSIST(i->nanoseconds < NS_PER_S); + +- if (gettimeofday(&tv, NULL) == -1) { ++ if (clock_gettime(CLOCKSOURCE, &ts) == -1) { + isc__strerror(errno, strbuf, sizeof(strbuf)); + UNEXPECTED_ERROR(__FILE__, __LINE__, "%s", strbuf); + return (ISC_R_UNEXPECTED); + } + +- /* +- * Does POSIX guarantee the signedness of tv_sec and tv_usec? If not, +- * then this test will generate warnings for platforms on which it is +- * unsigned. In any event, the chances of any of these problems +- * happening are pretty much zero, but since the libisc library ensures +- * certain things to be true ... +- */ +-#if ISC_FIX_TV_USEC +- fix_tv_usec(&tv); +- if (tv.tv_sec < 0) +- return (ISC_R_UNEXPECTED); +-#else +- if (tv.tv_sec < 0 || tv.tv_usec < 0 || tv.tv_usec >= US_PER_S) ++ if (ts.tv_sec < 0 || ts.tv_nsec < 0 || ts.tv_nsec >= NS_PER_S) { + return (ISC_R_UNEXPECTED); +-#endif ++ } + + /* + * Ensure the resulting seconds value fits in the size of an +@@ -218,12 +163,12 @@ isc_time_nowplusinterval(isc_time_t *t, const isc_interval_t *i) { + * note that even if both values == INT_MAX, then when added + * and getting another 1 added below the result is UINT_MAX.) 
+ */ +- if ((tv.tv_sec > INT_MAX || i->seconds > INT_MAX) && +- ((long long)tv.tv_sec + i->seconds > UINT_MAX)) ++ if ((ts.tv_sec > INT_MAX || i->seconds > INT_MAX) && ++ ((long long)ts.tv_sec + i->seconds > UINT_MAX)) + return (ISC_R_RANGE); + +- t->seconds = tv.tv_sec + i->seconds; +- t->nanoseconds = tv.tv_usec * NS_PER_US + i->nanoseconds; ++ t->seconds = ts.tv_sec + i->seconds; ++ t->nanoseconds = ts.tv_nsec + i->nanoseconds; + if (t->nanoseconds >= NS_PER_S) { + t->seconds++; + t->nanoseconds -= NS_PER_S; diff --git a/bind-9.10-dist-native-pkcs11.patch b/bind-9.10-dist-native-pkcs11.patch new file mode 100644 index 0000000000000000000000000000000000000000..6f66dc167f820740c48d3bb62290ccb49c67227f --- /dev/null +++ b/bind-9.10-dist-native-pkcs11.patch 
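Review bot: `#define CLOCKSOURCE CLOCK_MONOTONIC` changes what `isc_time_now` and `isc_time_nowplusinterval` return from wall-clock time to a clock whose epoch is unspecified (on most systems, time since boot), so `t->seconds` is no longer the seconds-since-Unix-epoch value that `gettimeofday` produced. Any caller that turns `isc_time_t` into calendar timestamps or into DNSSEC/TSIG signing and validity times (not visible here, but likely given the old code's "Does POSIX guarantee..." comments about tv_sec) would then be silently wrong, and the removed gettimeofday corrections are replaced by a hard `ISC_R_UNEXPECTED` return, so any such drift would surface as failures rather than corrected values. Unless a monotonic source is intended for every caller, the define should be `#define CLOCKSOURCE CLOCK_REALTIME`, with a monotonic clock exposed through a separate function if one is wanted. The kept comment `Ensure the tv_sec value fits in t->seconds.` should now say `ts.tv_sec`.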
@@ -0,0 +1,612 @@ +diff --git a/bin/Makefile.in b/bin/Makefile.in +index f0c504a..ce7a2da 100644 +--- a/bin/Makefile.in ++++ b/bin/Makefile.in +@@ -11,8 +11,8 @@ srcdir = @srcdir@ + VPATH = @srcdir@ + top_srcdir = @top_srcdir@ + +-SUBDIRS = named rndc dig delv dnssec tools nsupdate check confgen \ +- @NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ tests ++SUBDIRS = named named-pkcs11 rndc dig delv dnssec dnssec-pkcs11 tools nsupdate \ ++ check confgen @NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ tests + TARGETS = + + @BIND9_MAKE_RULES@ +diff --git a/bin/dnssec-pkcs11/Makefile.in b/bin/dnssec-pkcs11/Makefile.in +index 1d0c4ce..7b7f89b 100644 +--- a/bin/dnssec-pkcs11/Makefile.in ++++ b/bin/dnssec-pkcs11/Makefile.in +@@ -17,18 +17,18 @@ VERSION=@BIND9_VERSION@ + + @BIND9_MAKE_INCLUDES@ + +-CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@ ++CINCLUDES = ${DNS_PKCS11_INCLUDES} ${ISC_PKCS11_INCLUDES} + + CDEFINES = -DVERSION=\"${VERSION}\" @USE_PKCS11@ @PKCS11_ENGINE@ \ +- @CRYPTO@ -DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\" ++ @CRYPTO_PK11@ -DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\" + CWARNINGS = + +-DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@ +-ISCLIBS = ../../lib/isc/libisc.@A@ +-ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ ++DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @DNS_CRYPTO_LIBS@ ++ISCLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@ ++ISCNOSYMLIBS = ../../lib/isc-pkcs11/libisc-pkcs11-nosymtbl.@A@ + +-DNSDEPLIBS = ../../lib/dns/libdns.@A@ +-ISCDEPLIBS = ../../lib/isc/libisc.@A@ ++DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ ++ISCDEPLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@ + + DEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS} + +@@ -37,10 +37,10 @@ LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@ + NOSYMLIBS = ${DNSLIBS} ${ISCNOSYMLIBS} @LIBS@ + + # Alphabetically +-TARGETS = dnssec-keygen@EXEEXT@ dnssec-signzone@EXEEXT@ \ +- dnssec-keyfromlabel@EXEEXT@ dnssec-dsfromkey@EXEEXT@ \ +- dnssec-revoke@EXEEXT@ dnssec-settime@EXEEXT@ \ +- dnssec-verify@EXEEXT@ 
dnssec-importkey@EXEEXT@ ++TARGETS = dnssec-keygen-pkcs11@EXEEXT@ dnssec-signzone-pkcs11@EXEEXT@ \ ++ dnssec-keyfromlabel-pkcs11@EXEEXT@ dnssec-dsfromkey-pkcs11@EXEEXT@ \ ++ dnssec-revoke-pkcs11@EXEEXT@ dnssec-settime-pkcs11@EXEEXT@ \ ++ dnssec-verify-pkcs11@EXEEXT@ dnssec-importkey-pkcs11@EXEEXT@ + + OBJS = dnssectool.@O@ + +@@ -61,15 +61,15 @@ MANOBJS = ${MANPAGES} ${HTMLPAGES} + + @BIND9_MAKE_RULES@ + +-dnssec-dsfromkey@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS} ++dnssec-dsfromkey-pkcs11@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS} + export BASEOBJS="dnssec-dsfromkey.@O@ ${OBJS}"; \ + ${FINALBUILDCMD} + +-dnssec-keyfromlabel@EXEEXT@: dnssec-keyfromlabel.@O@ ${OBJS} ${DEPLIBS} ++dnssec-keyfromlabel-pkcs11@EXEEXT@: dnssec-keyfromlabel.@O@ ${OBJS} ${DEPLIBS} + export BASEOBJS="dnssec-keyfromlabel.@O@ ${OBJS}"; \ + ${FINALBUILDCMD} + +-dnssec-keygen@EXEEXT@: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS} ++dnssec-keygen-pkcs11@EXEEXT@: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS} + export BASEOBJS="dnssec-keygen.@O@ ${OBJS}"; \ + ${FINALBUILDCMD} + +@@ -77,7 +77,7 @@ dnssec-signzone.@O@: dnssec-signzone.c + ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \ + -c ${srcdir}/dnssec-signzone.c + +-dnssec-signzone@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS} ++dnssec-signzone-pkcs11@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS} + export BASEOBJS="dnssec-signzone.@O@ ${OBJS}"; \ + ${FINALBUILDCMD} + +@@ -85,19 +85,19 @@ dnssec-verify.@O@: dnssec-verify.c + ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \ + -c ${srcdir}/dnssec-verify.c + +-dnssec-verify@EXEEXT@: dnssec-verify.@O@ ${OBJS} ${DEPLIBS} ++dnssec-verify-pkcs11@EXEEXT@: dnssec-verify.@O@ ${OBJS} ${DEPLIBS} + export BASEOBJS="dnssec-verify.@O@ ${OBJS}"; \ + ${FINALBUILDCMD} + +-dnssec-revoke@EXEEXT@: dnssec-revoke.@O@ ${OBJS} ${DEPLIBS} ++dnssec-revoke-pkcs11@EXEEXT@: dnssec-revoke.@O@ ${OBJS} ${DEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \ + 
dnssec-revoke.@O@ ${OBJS} ${LIBS} + +-dnssec-settime@EXEEXT@: dnssec-settime.@O@ ${OBJS} ${DEPLIBS} ++dnssec-settime-pkcs11@EXEEXT@: dnssec-settime.@O@ ${OBJS} ${DEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \ + dnssec-settime.@O@ ${OBJS} ${LIBS} + +-dnssec-importkey@EXEEXT@: dnssec-importkey.@O@ ${OBJS} ${DEPLIBS} ++dnssec-importkey-pkcs11@EXEEXT@: dnssec-importkey.@O@ ${OBJS} ${DEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \ + dnssec-importkey.@O@ ${OBJS} ${LIBS} + +@@ -108,16 +108,14 @@ docclean manclean maintainer-clean:: + + installdirs: + $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir} +- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8 + + install-man8: ${MANPAGES} + ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8 + +-install:: ${TARGETS} installdirs install-man8 ++install:: ${TARGETS} installdirs + for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir}; done + + uninstall:: +- for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m ; done + for t in ${TARGETS}; do ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/$$t ; done + + clean distclean:: +diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in +index 1d0c4ce..11538cf 100644 +--- a/bin/dnssec/Makefile.in ++++ b/bin/dnssec/Makefile.in +@@ -19,7 +19,7 @@ VERSION=@BIND9_VERSION@ + + CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@ + +-CDEFINES = -DVERSION=\"${VERSION}\" @USE_PKCS11@ @PKCS11_ENGINE@ \ ++CDEFINES = -DVERSION=\"${VERSION}\" \ + @CRYPTO@ -DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\" + CWARNINGS = + +diff --git a/bin/named-pkcs11/Makefile.in b/bin/named-pkcs11/Makefile.in +index d92bc9a..a8c42a4 100644 +--- a/bin/named-pkcs11/Makefile.in ++++ b/bin/named-pkcs11/Makefile.in +@@ -43,26 +43,26 @@ DLZDRIVER_INCLUDES = @DLZ_DRIVER_INCLUDES@ + DLZDRIVER_LIBS = @DLZ_DRIVER_LIBS@ + + CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. 
\ +- ${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \ +- ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \ ++ ${LWRES_INCLUDES} ${DNS_PKCS11_INCLUDES} ${BIND9_INCLUDES} \ ++ ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_PKCS11_INCLUDES} \ + ${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} @DST_OPENSSL_INC@ + +-CDEFINES = @CONTRIB_DLZ@ @USE_PKCS11@ @PKCS11_ENGINE@ @CRYPTO@ ++CDEFINES = @USE_PKCS11@ @PKCS11_ENGINE@ @CRYPTO_PK11@ + + CWARNINGS = + +-DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@ ++DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @DNS_CRYPTO_LIBS@ + ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@ + ISCCCLIBS = ../../lib/isccc/libisccc.@A@ +-ISCLIBS = ../../lib/isc/libisc.@A@ ++ISCLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@ + ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ + LWRESLIBS = ../../lib/lwres/liblwres.@A@ + BIND9LIBS = ../../lib/bind9/libbind9.@A@ + +-DNSDEPLIBS = ../../lib/dns/libdns.@A@ ++DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ + ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@ + ISCCCDEPLIBS = ../../lib/isccc/libisccc.@A@ +-ISCDEPLIBS = ../../lib/isc/libisc.@A@ ++ISCDEPLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@ + LWRESDEPLIBS = ../../lib/lwres/liblwres.@A@ + BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@ + +@@ -71,15 +71,15 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \ + + LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \ + ${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} \ +- ${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@ ++ @LIBS@ + + NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \ + ${ISCCFGLIBS} ${ISCCCLIBS} ${ISCNOSYMLIBS} \ +- ${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@ ++ @LIBS@ + + SUBDIRS = unix + +-TARGETS = named@EXEEXT@ lwresd@EXEEXT@ ++TARGETS = named-pkcs11@EXEEXT@ + + GEOIPLINKOBJS = geoip.@O@ + +@@ -90,8 +90,7 @@ OBJS = builtin.@O@ client.@O@ config.@O@ control.@O@ \ + tkeyconf.@O@ tsigconf.@O@ update.@O@ xfrout.@O@ \ + zoneconf.@O@ \ + lwaddr.@O@ lwresd.@O@ lwdclient.@O@ lwderror.@O@ lwdgabn.@O@ \ +- lwdgnba.@O@ 
lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@ \ +- ${DLZDRIVER_OBJS} ${DBDRIVER_OBJS} ++ lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@ + + UOBJS = unix/os.@O@ unix/dlz_dlopen_driver.@O@ + +@@ -106,8 +105,7 @@ SRCS = builtin.c client.c config.c control.c \ + tkeyconf.c tsigconf.c update.c xfrout.c \ + zoneconf.c \ + lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \ +- lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c \ +- ${DLZDRIVER_SRCS} ${DBDRIVER_SRCS} ++ lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c + + MANPAGES = named.8 lwresd.8 named.conf.5 + +@@ -146,14 +144,14 @@ server.@O@: server.c + -DPRODUCT=\"${PRODUCT}\" \ + -DVERSION=\"${VERSION}\" -c ${srcdir}/server.c + +-named@EXEEXT@: ${OBJS} ${DEPLIBS} ++named-pkcs11@EXEEXT@: ${OBJS} ${DEPLIBS} + export MAKE_SYMTABLE="yes"; \ + export BASEOBJS="${OBJS} ${UOBJS}"; \ + ${FINALBUILDCMD} + +-lwresd@EXEEXT@: named@EXEEXT@ ++lwresd@EXEEXT@: named-pkcs11@EXEEXT@ + rm -f lwresd@EXEEXT@ +- @LN@ named@EXEEXT@ lwresd@EXEEXT@ ++ @LN@ named-pkcs11@EXEEXT@ lwresd@EXEEXT@ + + doc man:: ${MANOBJS} + +@@ -184,16 +182,11 @@ install-man8: named.8 lwresd.8 + + install-man: install-man5 install-man8 + +-install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs install-man +- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir} +- (cd ${DESTDIR}${sbindir}; rm -f lwresd@EXEEXT@; @LN@ named@EXEEXT@ lwresd@EXEEXT@) ++install:: named-pkcs11@EXEEXT@ installdirs ++ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-pkcs11@EXEEXT@ ${DESTDIR}${sbindir} + + uninstall:: +- rm -f ${DESTDIR}${mandir}/man5/named.conf.5 +- rm -f ${DESTDIR}${mandir}/man8/lwresd.8 +- rm -f ${DESTDIR}${mandir}/man8/named.8 +- rm -f ${DESTDIR}${sbindir}/lwresd@EXEEXT@ +- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named@EXEEXT@ ++ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named-pkcs11@EXEEXT@ + + @DLZ_DRIVER_RULES@ + +diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in +index d92bc9a..6d2bfd1 100644 +--- a/bin/named/Makefile.in ++++ 
b/bin/named/Makefile.in +@@ -47,7 +47,7 @@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \ + ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \ + ${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} @DST_OPENSSL_INC@ + +-CDEFINES = @CONTRIB_DLZ@ @USE_PKCS11@ @PKCS11_ENGINE@ @CRYPTO@ ++CDEFINES = @CONTRIB_DLZ@ @CRYPTO@ + + CWARNINGS = + +diff --git a/bin/pkcs11/Makefile.in b/bin/pkcs11/Makefile.in +index a058c91..d4b689a 100644 +--- a/bin/pkcs11/Makefile.in ++++ b/bin/pkcs11/Makefile.in +@@ -15,13 +15,13 @@ top_srcdir = @top_srcdir@ + + @BIND9_MAKE_INCLUDES@ + +-CINCLUDES = ${ISC_INCLUDES} ++CINCLUDES = ${ISC_PKCS11_INCLUDES} + + CDEFINES = + +-ISCLIBS = ../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@ ++ISCLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@ @ISC_OPENSSL_LIBS@ + +-ISCDEPLIBS = ../../lib/isc/libisc.@A@ ++ISCDEPLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@ + + DEPLIBS = ${ISCDEPLIBS} + +diff --git a/configure.in b/configure.in +index 849fa94..69e6373 100644 +--- a/configure.in ++++ b/configure.in +@@ -1164,12 +1164,14 @@ AC_SUBST(USE_GSSAPI) + AC_SUBST(DST_GSSAPI_INC) + AC_SUBST(DNS_GSSAPI_LIBS) + DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_LIBS" ++DNS_CRYPTO_PK11_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_PK11_LIBS" + + # + # Applications linking with libdns also need to link with these libraries. + # + + AC_SUBST(DNS_CRYPTO_LIBS) ++AC_SUBST(DNS_CRYPTO_PK11_LIBS) + + # + # was --with-randomdev specified? 
+@@ -1554,11 +1556,11 @@ fi + AC_MSG_CHECKING(for OpenSSL library) + OPENSSL_WARNING= + openssldirs="/usr /usr/local /usr/local/ssl /usr/pkg /usr/sfw" +-if test "yes" = "$want_native_pkcs11" +-then +- use_openssl="native_pkcs11" +- AC_MSG_RESULT(use of native PKCS11 instead) +-fi ++# if test "yes" = "$want_native_pkcs11" ++# then ++# use_openssl="native_pkcs11" ++# AC_MSG_RESULT(use of native PKCS11 instead) ++# fi + + if test "auto" = "$use_openssl" + then +@@ -1571,6 +1573,7 @@ then + fi + done + fi ++CRYPTO_PK11="" + OPENSSL_ECDSA="" + OPENSSL_GOST="" + OPENSSL_ED25519="" +@@ -1592,11 +1595,10 @@ case "$with_gost" in + ;; + esac + +-case "$use_openssl" in +- native_pkcs11) +- AC_MSG_RESULT(disabled because of native PKCS11) ++if test "$want_native_pkcs11" = "yes" ++then + DST_OPENSSL_INC="" +- CRYPTO="-DPKCS11CRYPTO" ++ CRYPTO_PK11="-DPKCS11CRYPTO" + CRYPTOLIB="pkcs11" + OPENSSLECDSALINKOBJS="" + OPENSSLECDSALINKSRCS="" +@@ -1606,7 +1608,9 @@ case "$use_openssl" in + OPENSSLGOSTLINKSRCS="" + OPENSSLLINKOBJS="" + OPENSSLLINKSRCS="" +- ;; ++fi ++ ++case "$use_openssl" in + no) + AC_MSG_RESULT(no) + DST_OPENSSL_INC="" +@@ -1638,7 +1642,7 @@ case "$use_openssl" in + If you do not want OpenSSL, use --without-openssl]) + ;; + *) +- if test "yes" = "$want_native_pkcs11" ++ if false # test "yes" = "$want_native_pkcs11" + then + AC_MSG_RESULT() + AC_MSG_ERROR([OpenSSL and native PKCS11 cannot be used together.]) +@@ -2066,6 +2070,7 @@ AC_SUBST(OPENSSL_ED25519) + AC_SUBST(OPENSSL_GOST) + + DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DST_OPENSSL_LIBS" ++DNS_CRYPTO_PK11_LIBS="$DNS_CRYPTO_LIBS" + + ISC_PLATFORM_WANTAES="#undef ISC_PLATFORM_WANTAES" + if test "yes" = "$with_aes" +@@ -2384,6 +2389,7 @@ esac + AC_SUBST(PKCS11LINKOBJS) + AC_SUBST(PKCS11LINKSRCS) + AC_SUBST(CRYPTO) ++AC_SUBST(CRYPTO_PK11) + AC_SUBST(PKCS11_ECDSA) + AC_SUBST(PKCS11_GOST) + AC_SUBST(PKCS11_ED25519) +@@ -5497,8 +5503,11 @@ AC_CONFIG_FILES([ + bin/delv/Makefile + bin/dig/Makefile + bin/dnssec/Makefile ++ 
bin/dnssec-pkcs11/Makefile + bin/named/Makefile + bin/named/unix/Makefile ++ bin/named-pkcs11/Makefile ++ bin/named-pkcs11/unix/Makefile + bin/nsupdate/Makefile + bin/pkcs11/Makefile + bin/python/Makefile +@@ -5572,6 +5581,10 @@ AC_CONFIG_FILES([ + lib/dns/include/dns/Makefile + lib/dns/include/dst/Makefile + lib/dns/tests/Makefile ++ lib/dns-pkcs11/Makefile ++ lib/dns-pkcs11/include/Makefile ++ lib/dns-pkcs11/include/dns/Makefile ++ lib/dns-pkcs11/include/dst/Makefile + lib/irs/Makefile + lib/irs/include/Makefile + lib/irs/include/irs/Makefile +@@ -5596,6 +5609,24 @@ AC_CONFIG_FILES([ + lib/isc/unix/include/Makefile + lib/isc/unix/include/isc/Makefile + lib/isc/unix/include/pkcs11/Makefile ++ lib/isc-pkcs11/$arch/Makefile ++ lib/isc-pkcs11/$arch/include/Makefile ++ lib/isc-pkcs11/$arch/include/isc/Makefile ++ lib/isc-pkcs11/$thread_dir/Makefile ++ lib/isc-pkcs11/$thread_dir/include/Makefile ++ lib/isc-pkcs11/$thread_dir/include/isc/Makefile ++ lib/isc-pkcs11/Makefile ++ lib/isc-pkcs11/include/Makefile ++ lib/isc-pkcs11/include/isc/Makefile ++ lib/isc-pkcs11/include/isc/platform.h ++ lib/isc-pkcs11/include/pk11/Makefile ++ lib/isc-pkcs11/include/pkcs11/Makefile ++ lib/isc-pkcs11/tests/Makefile ++ lib/isc-pkcs11/nls/Makefile ++ lib/isc-pkcs11/unix/Makefile ++ lib/isc-pkcs11/unix/include/Makefile ++ lib/isc-pkcs11/unix/include/isc/Makefile ++ lib/isc-pkcs11/unix/include/pkcs11/Makefile + lib/isccc/Makefile + lib/isccc/include/Makefile + lib/isccc/include/isccc/Makefile +diff --git a/lib/Makefile.in b/lib/Makefile.in +index 81270a0..bcb5312 100644 +--- a/lib/Makefile.in ++++ b/lib/Makefile.in +@@ -15,7 +15,7 @@ top_srcdir = @top_srcdir@ + # Attempt to disable parallel processing. 
+ .NOTPARALLEL: + .NO_PARALLEL: +-SUBDIRS = isc isccc dns isccfg bind9 lwres irs samples ++SUBDIRS = isc isc-pkcs11 isccc dns dns-pkcs11 isccfg bind9 lwres irs samples + TARGETS = + + @BIND9_MAKE_RULES@ +diff --git a/lib/dns-pkcs11/Makefile.in b/lib/dns-pkcs11/Makefile.in +index 4a8549e..6a19906 100644 +--- a/lib/dns-pkcs11/Makefile.in ++++ b/lib/dns-pkcs11/Makefile.in +@@ -26,16 +26,16 @@ VERSION=@BIND9_VERSION@ + + USE_ISC_SPNEGO = @USE_ISC_SPNEGO@ + +-CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \ +- ${ISC_INCLUDES} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@ ++CINCLUDES = -I. -I${top_srcdir}/lib/dns-pkcs11 -Iinclude ${DNS_PKCS11_INCLUDES} \ ++ ${ISC_PKCS11_INCLUDES} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@ + +-CDEFINES = -DUSE_MD5 @CRYPTO@ @USE_GSSAPI@ ${USE_ISC_SPNEGO} ++CDEFINES = -DUSE_MD5 @CRYPTO_PK11@ @USE_GSSAPI@ ${USE_ISC_SPNEGO} + + CWARNINGS = + +-ISCLIBS = ../../lib/isc/libisc.@A@ ++ISCLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@ + +-ISCDEPLIBS = ../../lib/isc/libisc.@A@ ++ISCDEPLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@ + + LIBS = @LIBS@ + +@@ -146,15 +146,15 @@ version.@O@: version.c + -DLIBAGE=${LIBAGE} \ + -c ${srcdir}/version.c + +-libdns.@SA@: ${OBJS} ++libdns-pkcs11.@SA@: ${OBJS} + ${AR} ${ARFLAGS} $@ ${OBJS} + ${RANLIB} $@ + +-libdns.la: ${OBJS} ++libdns-pkcs11.la: ${OBJS} + ${LIBTOOL_MODE_LINK} \ +- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns.la -rpath ${libdir} \ ++ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns-pkcs11.la -rpath ${libdir} \ + -version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \ +- ${OBJS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${LIBS} ++ ${OBJS} ${ISCLIBS} @DNS_CRYPTO_PK11_LIBS@ ${LIBS} + + include: gen + ${MAKE} include/dns/enumtype.h +@@ -180,25 +180,25 @@ code.h: gen + ./gen -s ${srcdir} > code.h || { rm -f $@ ; exit 1; } + + gen: gen.c +- ${BUILD_CC} ${BUILD_CFLAGS} -I${top_srcdir}/lib/isc/include \ ++ ${BUILD_CC} ${BUILD_CFLAGS} -I${top_srcdir}/lib/isc-pkcs11/include \ + ${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ 
${srcdir}/gen.c ${BUILD_LIBS} + +-timestamp: include libdns.@A@ ++timestamp: include libdns-pkcs11.@A@ + touch timestamp + +-testdirs: libdns.@A@ ++testdirs: libdns-pkcs11.@A@ + + installdirs: + $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir} + + install:: timestamp installdirs +- ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libdns.@A@ ${DESTDIR}${libdir} ++ ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libdns-pkcs11.@A@ ${DESTDIR}${libdir} + + uninstall:: +- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libdns.@A@ ++ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libdns-pkcs11.@A@ + + clean distclean:: +- rm -f libdns.@A@ timestamp ++ rm -f libdns-pkcs11.@A@ timestamp + rm -f gen code.h include/dns/enumtype.h include/dns/enumclass.h + rm -f include/dns/rdatastruct.h + rm -f dnstap.pb-c.c dnstap.pb-c.h include/dns/dnstap.pb-c.h +diff --git a/lib/isc-pkcs11/Makefile.in b/lib/isc-pkcs11/Makefile.in +index ba53ef1..d1f1771 100644 +--- a/lib/isc-pkcs11/Makefile.in ++++ b/lib/isc-pkcs11/Makefile.in +@@ -23,8 +23,8 @@ CINCLUDES = -I${srcdir}/unix/include \ + -I${srcdir}/@ISC_THREAD_DIR@/include \ + -I${srcdir}/@ISC_ARCH_DIR@/include \ + -I./include \ +- -I${srcdir}/include ${DNS_INCLUDES} @ISC_OPENSSL_INC@ +-CDEFINES = @CRYPTO@ -DPK11_LIB_LOCATION=\"${PROVIDER}\" ++ -I${srcdir}/include ${DNS_PKCS11_INCLUDES} ++CDEFINES = @CRYPTO_PK11@ -DPK11_LIB_LOCATION=\"${PROVIDER}\" + CWARNINGS = + + # Alphabetically +@@ -107,40 +107,40 @@ version.@O@: version.c + -DLIBAGE=${LIBAGE} \ + -c ${srcdir}/version.c + +-libisc.@SA@: ${OBJS} ${SYMTBLOBJS} ++libisc-pkcs11.@SA@: ${OBJS} ${SYMTBLOBJS} + ${AR} ${ARFLAGS} $@ ${OBJS} ${SYMTBLOBJS} + ${RANLIB} $@ + +-libisc-nosymtbl.@SA@: ${OBJS} ++libisc-pkcs11-nosymtbl.@SA@: ${OBJS} + ${AR} ${ARFLAGS} $@ ${OBJS} + ${RANLIB} $@ + +-libisc.la: ${OBJS} ${SYMTBLOBJS} ++libisc-pkcs11.la: ${OBJS} ${SYMTBLOBJS} + ${LIBTOOL_MODE_LINK} \ +- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc.la -rpath ${libdir} \ ++ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o 
libisc-pkcs11.la -rpath ${libdir} \ + -version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \ + ${OBJS} ${SYMTBLOBJS} ${LIBS} + +-libisc-nosymtbl.la: ${OBJS} ++libisc-pkcs11-nosymtbl.la: ${OBJS} + ${LIBTOOL_MODE_LINK} \ +- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc-nosymtbl.la -rpath ${libdir} \ ++ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc-pkcs11-nosymtbl.la -rpath ${libdir} \ + -version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \ + ${OBJS} ${LIBS} + +-timestamp: libisc.@A@ libisc-nosymtbl.@A@ ++timestamp: libisc-pkcs11.@A@ libisc-pkcs11-nosymtbl.@A@ + touch timestamp + +-testdirs: libisc.@A@ libisc-nosymtbl.@A@ ++testdirs: libisc-pkcs11.@A@ libisc-pkcs11-nosymtbl.@A@ + + installdirs: + $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir} + + install:: timestamp installdirs +- ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libisc.@A@ ${DESTDIR}${libdir} ++ ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libisc-pkcs11.@A@ ${DESTDIR}${libdir} + + uninstall:: +- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libisc.@A@ ++ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libisc-pkcs11.@A@ + + clean distclean:: +- rm -f libisc.@A@ libisc-nosymtbl.@A@ libisc.la \ +- libisc-nosymtbl.la timestamp ++ rm -f libisc-pkcs11.@A@ libisc-pkcs11-nosymtbl.@A@ libisc-pkcs11.la \ ++ libisc-pkcs11-nosymtbl.la timestamp +diff --git a/make/includes.in b/make/includes.in +index fa86ad1..3cfbe9f 100644 +--- a/make/includes.in ++++ b/make/includes.in +@@ -43,3 +43,13 @@ BIND9_INCLUDES = @BIND9_BIND9_BUILDINCLUDE@ \ + + TEST_INCLUDES = \ + -I${top_srcdir}/lib/tests/include ++ ++ISC_PKCS11_INCLUDES = @BIND9_ISC_BUILDINCLUDE@ \ ++ -I${top_srcdir}/lib/isc-pkcs11 \ ++ -I${top_srcdir}/lib/isc-pkcs11/include \ ++ -I${top_srcdir}/lib/isc-pkcs11/unix/include \ ++ -I${top_srcdir}/lib/isc-pkcs11/@ISC_THREAD_DIR@/include \ ++ -I${top_srcdir}/lib/isc-pkcs11/@ISC_ARCH_DIR@/include ++ ++DNS_PKCS11_INCLUDES = @BIND9_DNS_BUILDINCLUDE@ \ ++ -I${top_srcdir}/lib/dns-pkcs11/include 
diff --git a/bind-9.10-sdb.patch b/bind-9.10-sdb.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7874a5c51a72a7c87989f7bce5d73ed25dc36135
--- /dev/null
+++ b/bind-9.10-sdb.patch
@@ -0,0 +1,309 @@ +diff --git a/bin/Makefile.in b/bin/Makefile.in +index ce7a2da..4e6a824 100644 +--- a/bin/Makefile.in ++++ b/bin/Makefile.in +@@ -11,8 +11,8 @@ srcdir = @srcdir@ + VPATH = @srcdir@ + top_srcdir = @top_srcdir@ + +-SUBDIRS = named named-pkcs11 rndc dig delv dnssec dnssec-pkcs11 tools nsupdate \ +- check confgen @NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ tests ++SUBDIRS = named named-sdb named-pkcs11 rndc dig delv dnssec dnssec-pkcs11 tools nsupdate \ ++ check confgen @NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ sdb_tools tests + TARGETS = + + @BIND9_MAKE_RULES@ +diff --git a/bin/named-sdb/Makefile.in b/bin/named-sdb/Makefile.in +index 6d2bfd1..d3f42e8 100644 +--- a/bin/named-sdb/Makefile.in ++++ b/bin/named-sdb/Makefile.in +@@ -30,10 +30,10 @@ VERSION=@BIND9_VERSION@ + # + # Add database drivers here. + # +-DBDRIVER_OBJS = +-DBDRIVER_SRCS = ++DBDRIVER_OBJS = ldapdb.@O@ pgsqldb.@O@ sqlitedb.@O@ dirdb.@O@ ++DBDRIVER_SRCS = ldapdb.c pgsqldb.c sqlitedb.c dirdb.c + DBDRIVER_INCLUDES = +-DBDRIVER_LIBS = ++DBDRIVER_LIBS = -lldap -llber -lsqlite3 -lpq + + DLZ_DRIVER_DIR = ${top_srcdir}/contrib/dlz/drivers + +@@ -79,7 +79,7 @@ NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \ + + SUBDIRS = unix + +-TARGETS = named@EXEEXT@ lwresd@EXEEXT@ ++TARGETS = named-sdb@EXEEXT@ + + GEOIPLINKOBJS = geoip.@O@ + +@@ -146,7 +146,7 @@ server.@O@: server.c + -DPRODUCT=\"${PRODUCT}\" \ + -DVERSION=\"${VERSION}\" -c ${srcdir}/server.c + +-named@EXEEXT@: ${OBJS} ${DEPLIBS} ++named-sdb@EXEEXT@: ${OBJS} ${DEPLIBS} + export MAKE_SYMTABLE="yes"; \ + export BASEOBJS="${OBJS} ${UOBJS}"; \ + ${FINALBUILDCMD} +@@ -173,8 +173,6 @@ statschannel.@O@: bind9.xsl.h + + installdirs: + $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir} +- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man5 +- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8 + + install-man5: named.conf.5 + ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man5 +@@ -184,16 +182,11 @@ install-man8: named.8 
lwresd.8 + + install-man: install-man5 install-man8 + +-install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs install-man +- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir} +- (cd ${DESTDIR}${sbindir}; rm -f lwresd@EXEEXT@; @LN@ named@EXEEXT@ lwresd@EXEEXT@) ++install:: ${TARGETS} installdirs ++ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-sdb@EXEEXT@ ${DESTDIR}${sbindir} + + uninstall:: +- rm -f ${DESTDIR}${mandir}/man5/named.conf.5 +- rm -f ${DESTDIR}${mandir}/man8/lwresd.8 +- rm -f ${DESTDIR}${mandir}/man8/named.8 +- rm -f ${DESTDIR}${sbindir}/lwresd@EXEEXT@ +- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named@EXEEXT@ ++ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named-sdb@EXEEXT@ + + @DLZ_DRIVER_RULES@ + +diff --git a/bin/named-sdb/main.c b/bin/named-sdb/main.c +index bb639d9..555c4d9 100644 +--- a/bin/named-sdb/main.c ++++ b/bin/named-sdb/main.c +@@ -91,6 +91,10 @@ + * Include header files for database drivers here. + */ + /* #include "xxdb.h" */ ++#include "ldapdb.h" ++#include "pgsqldb.h" ++#include "sqlitedb.h" ++#include "dirdb.h" + + #ifdef CONTRIB_DLZ + /* +@@ -1061,6 +1065,11 @@ setup(void) { + ns_main_earlyfatal("isc_app_start() failed: %s", + isc_result_totext(result)); + ++ ldapdb_clear(); ++ pgsqldb_clear(); ++ dirdb_clear(); ++ sqlitedb_clear(); ++ + isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, + ISC_LOG_NOTICE, "starting %s %s%s%s ", + ns_g_product, ns_g_version, +@@ -1261,6 +1270,75 @@ setup(void) { + isc_result_totext(result)); + #endif + ++ result = ldapdb_init(); ++ if (result != ISC_R_SUCCESS) ++ { ++ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, ++ ISC_LOG_ERROR, ++ "SDB ldap module initialisation failed: %s.", ++ isc_result_totext(result) ++ ); ++ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, ++ ISC_LOG_ERROR, ++ "SDB ldap zone database will be unavailable." 
++ ); ++ }else ++ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, ++ ISC_LOG_NOTICE, "SDB ldap zone database module loaded." ++ ); ++ ++ result = pgsqldb_init(); ++ if (result != ISC_R_SUCCESS) ++ { ++ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, ++ ISC_LOG_ERROR, ++ "SDB pgsql module initialisation failed: %s.", ++ isc_result_totext(result) ++ ); ++ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, ++ ISC_LOG_ERROR, ++ "SDB pgsql zone database will be unavailable." ++ ); ++ }else ++ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, ++ ISC_LOG_NOTICE, "SDB postgreSQL DB zone database module loaded." ++ ); ++ ++ result = sqlitedb_init(); ++ if (result != ISC_R_SUCCESS) ++ { ++ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, ++ ISC_LOG_ERROR, ++ "SDB sqlite3 module initialisation failed: %s.", ++ isc_result_totext(result) ++ ); ++ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, ++ ISC_LOG_ERROR, ++ "SDB sqlite3 zone database will be unavailable." ++ ); ++ }else ++ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, ++ ISC_LOG_NOTICE, "SDB sqlite3 DB zone database module loaded." ++ ); ++ ++ result = dirdb_init(); ++ if (result != ISC_R_SUCCESS) ++ { ++ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, ++ ISC_LOG_ERROR, ++ "SDB directory DB module initialisation failed: %s.", ++ isc_result_totext(result) ++ ); ++ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, ++ ISC_LOG_ERROR, ++ "SDB directory DB zone database will be unavailable." ++ ); ++ }else ++ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, ++ ISC_LOG_NOTICE, "SDB directory DB zone database module loaded." 
++ ); ++ ++ + ns_server_create(ns_g_mctx, &ns_g_server); + + #ifdef HAVE_LIBSECCOMP +@@ -1303,6 +1381,11 @@ cleanup(void) { + + dns_name_destroy(); + ++ ldapdb_clear(); ++ pgsqldb_clear(); ++ sqlitedb_clear(); ++ dirdb_clear(); ++ + isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, + ISC_LOG_NOTICE, "exiting"); + ns_log_shutdown(); +diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in +index 6d2bfd1..86f8587 100644 +--- a/bin/named/Makefile.in ++++ b/bin/named/Makefile.in +@@ -45,9 +45,9 @@ DLZDRIVER_LIBS = @DLZ_DRIVER_LIBS@ + CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \ + ${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \ + ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \ +- ${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} @DST_OPENSSL_INC@ ++ @DST_OPENSSL_INC@ + +-CDEFINES = @CONTRIB_DLZ@ @CRYPTO@ ++CDEFINES = @CRYPTO@ + + CWARNINGS = + +@@ -71,11 +71,11 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \ + + LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \ + ${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} \ +- ${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@ ++ @LIBS@ + + NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \ + ${ISCCFGLIBS} ${ISCCCLIBS} ${ISCNOSYMLIBS} \ +- ${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@ ++ @LIBS@ + + SUBDIRS = unix + +@@ -90,8 +90,7 @@ OBJS = builtin.@O@ client.@O@ config.@O@ control.@O@ \ + tkeyconf.@O@ tsigconf.@O@ update.@O@ xfrout.@O@ \ + zoneconf.@O@ \ + lwaddr.@O@ lwresd.@O@ lwdclient.@O@ lwderror.@O@ lwdgabn.@O@ \ +- lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@ \ +- ${DLZDRIVER_OBJS} ${DBDRIVER_OBJS} ++ lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@ + + UOBJS = unix/os.@O@ unix/dlz_dlopen_driver.@O@ + +@@ -106,8 +105,7 @@ SRCS = builtin.c client.c config.c control.c \ + tkeyconf.c tsigconf.c update.c xfrout.c \ + zoneconf.c \ + lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \ +- lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c \ +- ${DLZDRIVER_SRCS} ${DBDRIVER_SRCS} ++ lwdgnba.c lwdgrbn.c 
lwdnoop.c lwsearch.c + + MANPAGES = named.8 lwresd.8 named.conf.5 + +@@ -195,7 +193,5 @@ uninstall:: + rm -f ${DESTDIR}${sbindir}/lwresd@EXEEXT@ + ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named@EXEEXT@ + +-@DLZ_DRIVER_RULES@ +- + named-symtbl.@O@: named-symtbl.c + ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c named-symtbl.c +diff --git a/bin/sdb_tools/Makefile.in b/bin/sdb_tools/Makefile.in +index c7e0868..95ab742 100644 +--- a/bin/sdb_tools/Makefile.in ++++ b/bin/sdb_tools/Makefile.in +@@ -32,11 +32,11 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \ + LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \ + ${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} ${DBDRIVER_LIBS} @LIBS@ + +-TARGETS = zone2ldap@EXEEXT@ zonetodb@EXEEXT@ ++TARGETS = zone2ldap@EXEEXT@ zonetodb@EXEEXT@ zone2sqlite@EXEEXT@ + +-OBJS = zone2ldap.@O@ zonetodb.@O@ ++OBJS = zone2ldap.@O@ zonetodb.@O@ zone2sqlite.@O@ + +-SRCS = zone2ldap.c zonetodb.c ++SRCS = zone2ldap.c zonetodb.c zone2sqlite.c + + MANPAGES = zone2ldap.1 + +@@ -50,6 +50,9 @@ zone2ldap@EXEEXT@: zone2ldap.@O@ ${DEPLIBS} + zonetodb@EXEEXT@: zonetodb.@O@ ${DEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ zonetodb.@O@ -lpq ${LIBS} + ++zone2sqlite@EXEEXT@: zone2sqlite.@O@ ${DEPLIBS} ++ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ zone2sqlite.@O@ -lsqlite3 -lssl ${LIBS} ++ + clean distclean manclean maintainer-clean:: + rm -f ${TARGETS} ${OBJS} + +@@ -60,4 +63,5 @@ installdirs: + install:: ${TARGETS} installdirs + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2ldap@EXEEXT@ ${DESTDIR}${sbindir} + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zonetodb@EXEEXT@ ${DESTDIR}${sbindir} ++ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2sqlite@EXEEXT@ ${DESTDIR}${sbindir} + ${INSTALL_DATA} ${srcdir}/zone2ldap.1 ${DESTDIR}${mandir}/man1/zone2ldap.1 +diff --git a/configure.in b/configure.in +index 62536a6..f571a4f 100644 +--- a/configure.in ++++ b/configure.in +@@ -5445,6 +5445,8 @@ 
AC_CONFIG_FILES([
+ bin/named/unix/Makefile
+ bin/named-pkcs11/Makefile
+ bin/named-pkcs11/unix/Makefile
++ bin/named-sdb/Makefile
++ bin/named-sdb/unix/Makefile
+ bin/nsupdate/Makefile
+ bin/pkcs11/Makefile
+ bin/python/Makefile
+@@ -5469,6 +5471,7 @@ AC_CONFIG_FILES([
+ bin/python/isc/tests/dnskey_test.py
+ bin/python/isc/tests/policy_test.py
+ bin/rndc/Makefile
++ bin/sdb_tools/Makefile
+ bin/tests/Makefile
+ bin/tests/headerdep_test.sh
+ bin/tests/optional/Makefile
diff --git a/bind-9.10-use-of-strlcat.patch b/bind-9.10-use-of-strlcat.patch
new file mode 100644
index 0000000000000000000000000000000000000000..2a399165f996d3b45cd978e47a686b82c763af65
--- /dev/null
+++ b/bind-9.10-use-of-strlcat.patch
@@ -0,0 +1,18 @@
+diff --git a/bin/sdb_tools/zone2ldap.c b/bin/sdb_tools/zone2ldap.c
+index d56bc56..99c3314 100644
+--- a/bin/sdb_tools/zone2ldap.c
++++ b/bin/sdb_tools/zone2ldap.c
+@@ -817,11 +817,11 @@ build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag, char *zone)
+ }
+
+
+- strlcat (dn, tmp, sizeof (dn));
++ strncat (dn, tmp, sizeof (dn) - strlen (dn));
+ }
+
+ sprintf (tmp, "dc=%s", dc_list[0]);
+- strlcat (dn, tmp, sizeof (dn));
++ strncat (dn, tmp, sizeof (dn) - strlen (dn));
+
+ fflush(NULL);
+ return dn;
diff --git a/bind-9.11-export-suffix.patch b/bind-9.11-export-suffix.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e3ba29cf6ed65f24a8e77c4737bcbb6c8ff151ab
--- /dev/null
+++ b/bind-9.11-export-suffix.patch
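Review bot: The four driver-initialisation blocks added to setup() in bin/named-sdb/main.c (ldapdb_init, pgsqldb_init, sqlitedb_init, dirdb_init) are the same fifteen lines repeated with only the driver name changed, and they use `if (result != ISC_R_SUCCESS)` followed by `{` on its own line and `}else` without braces, which differs from the K&R layout of the surrounding named code visible in the hunk header `setup(void) {`. A small table of name/init pairs walked in one loop keeps the same log lines and the same continue-on-failure behaviour while leaving one place to maintain; this assumes the four `*_init()` functions share a return type comparable with ISC_R_SUCCESS, as their uses in the hunk imply, and if the file is kept C89 the table and index declarations belong at the top of setup(). The `*_clear()` calls that the hunk adds before any `*_init()` in setup() and again in cleanup() would benefit from a one-line comment stating why the early clear is needed, since nothing in the hunk explains it. setup() and cleanup() both start and end outside the hunk.
```c
	/* … unchanged: earlier setup() body … */
	static const struct {
		const char *name;	/* driver name as shown in log messages */
		isc_result_t (*init)(void);
	} sdb_drivers[] = {
		{ "ldap", ldapdb_init },
		{ "pgsql", pgsqldb_init },
		{ "sqlite3", sqlitedb_init },
		{ "directory DB", dirdb_init },
	};
	size_t i;

	/* A driver that fails to initialise is logged and skipped; the
	 * server keeps starting without that zone database type. */
	for (i = 0; i < sizeof(sdb_drivers) / sizeof(sdb_drivers[0]); i++) {
		result = sdb_drivers[i].init();
		if (result != ISC_R_SUCCESS) {
			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
				      NS_LOGMODULE_MAIN, ISC_LOG_ERROR,
				      "SDB %s module initialisation failed: %s.",
				      sdb_drivers[i].name,
				      isc_result_totext(result));
			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
				      NS_LOGMODULE_MAIN, ISC_LOG_ERROR,
				      "SDB %s zone database will be unavailable.",
				      sdb_drivers[i].name);
		} else {
			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
				      NS_LOGMODULE_MAIN, ISC_LOG_NOTICE,
				      "SDB %s zone database module loaded.",
				      sdb_drivers[i].name);
		}
	}
	/* … unchanged: ns_server_create() and the rest of setup() … */
```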
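Review bot: Both `strncat()` replacements in build_dn_from_dc_list() can write one byte past the end of `dn`: strncat appends up to its third argument and then always stores a terminating NUL, so the bound must leave room for that byte, `strncat (dn, tmp, sizeof (dn) - strlen (dn) - 1);` on both changed lines. The original strlcat() calls did not have this problem because strlcat takes the total buffer size and truncates accordingly. That `dn` is a fixed-size array is only implied by `sizeof (dn)`; its declaration and the start of build_dn_from_dc_list() are outside the hunk. If the motivation is portability to platforms without strlcat, BIND's isc/string.h provides a strlcat replacement (isc_string_strlcat), which I believe is what the rest of the tree uses, and that would avoid the length arithmetic entirely.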
@@ -0,0 +1,39 @@
+diff --git a/configure.in b/configure.in
+index e6cd6a4..988b0a7 100644
+--- a/configure.in
++++ b/configure.in
+@@ -5116,6 +5116,8 @@ AC_SUBST(BUILD_CPPFLAGS)
+ AC_SUBST(BUILD_LDFLAGS)
+ AC_SUBST(BUILD_LIBS)
+
++AC_SUBST(LIBDIR_SUFFIX)
++
+ #
+ # Commands to run at the end of config.status.
+ # Don't just put these into configure, it won't work right if somebody
+diff --git a/isc-config.sh.in b/isc-config.sh.in
+index 110191a..5a64004 100644
+--- a/isc-config.sh.in
++++ b/isc-config.sh.in
+@@ -12,16 +12,17 @@ prefix=@prefix@
+ exec_prefix=@exec_prefix@
+ exec_prefix_set=
+ includedir=@includedir@
++libdir_suffix=@LIBDIR_SUFFIX@
+ arch=$(uname -m)
+
+ case $arch in
+ x86_64 | amd64 | sparc64 | s390x | ppc64)
+- libdir=/usr/lib64
+- sec_libdir=/usr/lib
++ libdir=/usr/lib64${libdir_suffix}
++ sec_libdir=/usr/lib${libdir_suffix}
+ ;;
+ * )
+- libdir=/usr/lib
+- sec_libdir=/usr/lib64
++ libdir=/usr/lib${libdir_suffix}
++ sec_libdir=/usr/lib64${libdir_suffix}
+ ;;
+ esac
+
diff --git a/bind-9.11-fips-code.patch b/bind-9.11-fips-code.patch
new file mode 100644
index 0000000000000000000000000000000000000000..2dccdea09a13c118c2065a775a37690c2b0a0339
--- /dev/null
+++ b/bind-9.11-fips-code.patch
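Review bot: `AC_SUBST(LIBDIR_SUFFIX)` is added to configure.in without any visible assignment of LIBDIR_SUFFIX, so the value that reaches `libdir_suffix=@LIBDIR_SUFFIX@` in isc-config.sh.in can only come from the configure environment or a definition elsewhere in the file; a comment above the AC_SUBST would save the next reader the search, e.g. `# LIBDIR_SUFFIX: optional suffix appended to /usr/lib{,64} by isc-config.sh; empty unless the packager sets it`. In isc-config.sh.in the suffix is appended to both `libdir` and `sec_libdir` in each branch of the case, which looks intentional but is worth stating in the same comment, since an unset variable silently restores the old paths.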
@@ -0,0 +1,1516 @@ +From fb8665aebd79ea33cb255f578544e1738f5bbb58 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= +Date: Thu, 2 Aug 2018 23:34:45 +0200 +Subject: [PATCH 1/2] Squashed commit of the following: +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit b49f70ce0575b6b52a71b90fe0376dbf16f92c6b +Author: Petr Menšík +Date: Mon Jan 22 14:12:37 2018 +0100 + + Update system tests to detect MD5 disabled at runtime + +commit 80ceffee4860c24baf70bc9a8653d92731eda2e4 +Author: Petr Menšík +Date: Thu Aug 2 14:53:54 2018 +0200 + + Avoid warning about undefined parameters + +commit e4ad4363e3d1acaac58456117579f02761f38fdc +Author: Petr Menšík +Date: Wed Jun 20 19:31:19 2018 +0200 + + Fix rndc-confgen default algorithm, report true algorithm in usage. + +commit 7e629a351010cb75e0589ec361f720085675998c +Author: Petr Menšík +Date: Fri Feb 23 21:21:30 2018 +0100 + + Cleanup only if initialization was successful + +commit 2101b948c77cbcbe07eb4a1e60f3e693b2245ec6 +Author: Petr Menšík +Date: Mon Feb 5 12:19:28 2018 +0100 + + Ensure dst backend is initialized first even before hmac algorithms. + +commit 7567c7edde7519115a9ae7e20818c835d3eb1ffe +Author: Petr Menšík +Date: Mon Feb 5 12:17:54 2018 +0100 + + Skip initialization of MD5 based algorithms if not available. + +commit 5782137df6b45a6d900d5a1c250c1257227e917a +Author: Petr Menšík +Date: Mon Feb 5 10:21:27 2018 +0100 + + Change secalgs skipping to be more safe + +commit f2d78729898182d2d19d5064de1bec9b66817159 +Author: Petr Menšík +Date: Wed Jan 31 18:26:11 2018 +0100 + + Skip MD5 algorithm also in case of NULL name + +commit 32a2ad4abc7aaca1c257730319ad3c27405d3407 +Author: Petr Menšík +Date: Wed Jan 31 11:38:12 2018 +0100 + + Make MD5 behave like unknown algorithm in TSIG. 
+ +commit 13cd3f704dce568fdf24a567be5802b58ac6007b +Author: Petr Menšík +Date: Tue Nov 28 20:14:37 2017 +0100 + + Select token with most supported functions, instead of demanding it must support all functions + + Initialize PKCS#11 always until successfully initialized + +commit a71df74abdca4fe63bcdf542b81a109cf1f495b4 +Author: Petr Menšík +Date: Mon Jan 22 16:17:44 2018 +0100 + + Handle MD5 unavailability from DST + +commit dd82cb263efa2753d3ee772972726ea08bcc639b +Author: Petr Menšík +Date: Mon Jan 22 14:11:16 2018 +0100 + + Check runtime flag from library and applications, fail gracefully. + +commit c7b2f87f07ecae75b821a908e29f08a42371e32e +Author: Petr Menšík +Date: Mon Jan 22 08:39:08 2018 +0100 + + Modify libraries to use isc_md5_available() if PK11_MD5_DISABLE is not + defined. + TODO: pk11.c should accept slot without MD5 support. + +commit 0b8e470ec636b9e350b5ec3203eb2b4091415fde +Author: Petr Menšík +Date: Mon Jan 22 07:21:04 2018 +0100 + + Add runtime detection whether MD5 is useable. 
+--- + bin/confgen/keygen.c | 10 ++++- + bin/confgen/rndc-confgen.c | 36 +++++------------- + bin/dig/dig.c | 7 ++-- + bin/dig/dighost.c | 14 +++++-- + bin/dnssec/dnssec-keygen.c | 14 +++++++ + bin/named/config.c | 25 ++++++++++++- + bin/nsupdate/nsupdate.c | 24 +++++++----- + bin/rndc/rndc.c | 3 +- + bin/tests/optional/hash_test.c | 78 ++++++++++++++++++++------------------- + bin/tests/system/tkey/keycreate.c | 3 ++ + bin/tests/system/tkey/keydelete.c | 18 ++++++--- + lib/bind9/check.c | 10 +++++ + lib/dns/dst_api.c | 23 ++++++++---- + lib/dns/dst_internal.h | 3 +- + lib/dns/dst_parse.c | 18 +++++++-- + lib/dns/hmac_link.c | 20 +++------- + lib/dns/opensslrsa_link.c | 6 +++ + lib/dns/pkcs11rsa_link.c | 33 +++++++++++++++-- + lib/dns/rcode.c | 21 ++++++++++- + lib/dns/tests/rsa_test.c | 29 ++++++++------- + lib/dns/tests/tsig_test.c | 1 + + lib/dns/tkey.c | 9 +++++ + lib/dns/tsec.c | 8 +++- + lib/dns/tsig.c | 17 +++++---- + lib/isc/include/isc/md5.h | 3 ++ + lib/isc/md5.c | 59 +++++++++++++++++++++++++++++ + lib/isc/pk11.c | 58 ++++++++++++++++++++--------- + lib/isc/tests/hash_test.c | 9 +++-- + lib/isccc/cc.c | 42 +++++++++++++-------- + 29 files changed, 424 insertions(+), 177 deletions(-) + +diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c +index 453c641dba..11cc54dd46 100644 +--- a/bin/confgen/keygen.c ++++ b/bin/confgen/keygen.c +@@ -22,6 +22,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -73,7 +74,7 @@ alg_fromtext(const char *name) { + p = &name[5]; + + #ifndef PK11_MD5_DISABLE +- if (strcasecmp(p, "md5") == 0) ++ if (strcasecmp(p, "md5") == 0 && isc_md5_available()) + return DST_ALG_HMACMD5; + #endif + if (strcasecmp(p, "sha1") == 0) +@@ -132,6 +133,13 @@ generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg, + switch (alg) { + #ifndef PK11_MD5_DISABLE + case DST_ALG_HMACMD5: ++ if (isc_md5_available() == ISC_FALSE) { ++ fatal("unsupported algorithm %d\n", alg); ++ } else if (keysize < 1 || 
keysize > 512) { ++ fatal("keysize %d out of range (must be 1-512)\n", ++ keysize); ++ } ++ break; + #endif + case DST_ALG_HMACSHA1: + case DST_ALG_HMACSHA224: +diff --git a/bin/confgen/rndc-confgen.c b/bin/confgen/rndc-confgen.c +index 2925baf32f..d7d8418073 100644 +--- a/bin/confgen/rndc-confgen.c ++++ b/bin/confgen/rndc-confgen.c +@@ -35,6 +35,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -62,7 +63,7 @@ const char *progname; + + isc_boolean_t verbose = ISC_FALSE; + +-const char *keyfile, *keydef; ++const char *keyfile, *keydef, *algdef; + + ISC_PLATFORM_NORETURN_PRE static void + usage(int status) ISC_PLATFORM_NORETURN_POST; +@@ -70,13 +71,12 @@ usage(int status) ISC_PLATFORM_NORETURN_POST; + static void + usage(int status) { + +-#ifndef PK11_MD5_DISABLE + fprintf(stderr, "\ + Usage:\n\ + %s [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] [-r randomfile] \ + [-s addr] [-t chrootdir] [-u user]\n\ + -a: generate just the key clause and write it to keyfile (%s)\n\ +- -A alg: algorithm (default hmac-md5)\n\ ++ -A alg: algorithm (default %s)\n\ + -b bits: from 1 through 512, default 256; total length of the secret\n\ + -c keyfile: specify an alternate key file (requires -a)\n\ + -k keyname: the name as it will be used in named.conf and rndc.conf\n\ +@@ -85,24 +85,7 @@ Usage:\n\ + -s addr: the address to which rndc should connect\n\ + -t chrootdir: write a keyfile in chrootdir as well (requires -a)\n\ + -u user: set the keyfile owner to \"user\" (requires -a)\n", +- progname, keydef); +-#else +- fprintf(stderr, "\ +-Usage:\n\ +- %s [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] [-r randomfile] \ +-[-s addr] [-t chrootdir] [-u user]\n\ +- -a: generate just the key clause and write it to keyfile (%s)\n\ +- -A alg: algorithm (default hmac-sha256)\n\ +- -b bits: from 1 through 512, default 256; total length of the secret\n\ +- -c keyfile: specify an alternate key file (requires -a)\n\ +- -k keyname: the name as it will be 
used in named.conf and rndc.conf\n\ +- -p port: the port named will listen on and rndc will connect to\n\ +- -r randomfile: source of random data (use \"keyboard\" for key timing)\n\ +- -s addr: the address to which rndc should connect\n\ +- -t chrootdir: write a keyfile in chrootdir as well (requires -a)\n\ +- -u user: set the keyfile owner to \"user\" (requires -a)\n", +- progname, keydef); +-#endif ++ progname, keydef, algdef); + + exit (status); + } +@@ -138,13 +121,14 @@ main(int argc, char **argv) { + progname = program; + + keyname = DEFAULT_KEYNAME; +-#ifndef PK11_MD5_DISABLE +- alg = DST_ALG_HMACMD5; +-#else +- alg = DST_ALG_HMACSHA256; +-#endif + serveraddr = DEFAULT_SERVER; + port = DEFAULT_PORT; ++ alg = DST_ALG_HMACSHA256; ++#ifndef PK11_MD5_DISABLE ++ if (isc_md5_available()) ++ alg = DST_ALG_HMACMD5; ++#endif ++ algdef = alg_totext(alg); + + isc_commandline_errprint = ISC_FALSE; + +diff --git a/bin/dig/dig.c b/bin/dig/dig.c +index d4808ada67..9dff7c8ecd 100644 +--- a/bin/dig/dig.c ++++ b/bin/dig/dig.c +@@ -17,6 +17,7 @@ + #include + + #include ++#include + #include + #include + #include +@@ -1757,10 +1758,10 @@ dash_option(char *option, char *next, dig_lookup_t **lookup, + ptr = ptr2; + ptr2 = ptr3; + } else { +-#ifndef PK11_MD5_DISABLE +- hmacname = DNS_TSIG_HMACMD5_NAME; +-#else + hmacname = DNS_TSIG_HMACSHA256_NAME; ++#ifndef PK11_MD5_DISABLE ++ if (isc_md5_available()) ++ hmacname = DNS_TSIG_HMACMD5_NAME; + #endif + digestbits = 0; + } +diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c +index ecefc98453..94c428ed30 100644 +--- a/bin/dig/dighost.c ++++ b/bin/dig/dighost.c +@@ -77,6 +77,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -1243,9 +1244,10 @@ parse_hmac(const char *hmac) { + digestbits = 0; + + #ifndef PK11_MD5_DISABLE +- if (strcasecmp(buf, "hmac-md5") == 0) { ++ if (strcasecmp(buf, "hmac-md5") == 0 && isc_md5_available()) { + hmacname = DNS_TSIG_HMACMD5_NAME; +- } else if (strncasecmp(buf, 
"hmac-md5-", 9) == 0) { ++ } else if (strncasecmp(buf, "hmac-md5-", 9) == 0 && ++ isc_md5_available()) { + hmacname = DNS_TSIG_HMACMD5_NAME; + digestbits = parse_bits(&buf[9], "digest-bits [0..128]", 128); + } else +@@ -1365,7 +1367,13 @@ setup_file_key(void) { + switch (dst_key_alg(dstkey)) { + #ifndef PK11_MD5_DISABLE + case DST_ALG_HMACMD5: +- hmacname = DNS_TSIG_HMACMD5_NAME; ++ if (isc_md5_available()) { ++ hmacname = DNS_TSIG_HMACMD5_NAME; ++ } else { ++ printf(";; Couldn't create key %s: bad algorithm\n", ++ keynametext); ++ goto failure; ++ } + break; + #endif + case DST_ALG_HMACSHA1: +diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c +index 6fc3ab0979..fc04356ed4 100644 +--- a/bin/dnssec/dnssec-keygen.c ++++ b/bin/dnssec/dnssec-keygen.c +@@ -34,6 +34,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -560,6 +561,19 @@ main(int argc, char **argv) { + "\"-a RSAMD5\"\n"); + INSIST(freeit == NULL); + return (1); ++ } else if (strcasecmp(algname, "HMAC-MD5") == 0) { ++ if (isc_md5_available()) { ++ alg = DST_ALG_HMACMD5; ++ } else { ++ fprintf(stderr, ++ "The use of HMAC-MD5 was disabled\n"); ++ return (1); ++ } ++ } else if (strcasecmp(algname, "RSAMD5") == 0 && ++ isc_md5_available() == ISC_FALSE) { ++ fprintf(stderr, "The use of RSAMD5 was disabled\n"); ++ INSIST(freeit == NULL); ++ return (1); + } else if (strcasecmp(algname, "HMAC-MD5") == 0) { + alg = DST_ALG_HMACMD5; + #else +diff --git a/bin/named/config.c b/bin/named/config.c +index 54bc37fff7..c50f759ddd 100644 +--- a/bin/named/config.c ++++ b/bin/named/config.c +@@ -17,6 +17,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -966,6 +967,21 @@ ns_config_getkeyalgorithm(const char *str, dns_name_t **name, + return (ns_config_getkeyalgorithm2(str, name, NULL, digestbits)); + } + ++static inline int ++algorithms_start() { ++#ifndef PK11_MD5_DISABLE ++ if (isc_md5_available() == ISC_FALSE) { ++ int i = 0; ++ while 
(algorithms[i].str != NULL && ++ algorithms[i].hmac == hmacmd5) { ++ i++; ++ } ++ return i; ++ } ++#endif ++ return 0; ++} ++ + isc_result_t + ns_config_getkeyalgorithm2(const char *str, dns_name_t **name, + unsigned int *typep, isc_uint16_t *digestbits) +@@ -975,7 +991,7 @@ ns_config_getkeyalgorithm2(const char *str, dns_name_t **name, + isc_uint16_t bits; + isc_result_t result; + +- for (i = 0; algorithms[i].str != NULL; i++) { ++ for (i = algorithms_start(); algorithms[i].str != NULL; i++) { + len = strlen(algorithms[i].str); + if (strncasecmp(algorithms[i].str, str, len) == 0 && + (str[len] == '\0' || +@@ -998,7 +1014,12 @@ ns_config_getkeyalgorithm2(const char *str, dns_name_t **name, + if (name != NULL) { + switch (algorithms[i].hmac) { + #ifndef PK11_MD5_DISABLE +- case hmacmd5: *name = dns_tsig_hmacmd5_name; break; ++ case hmacmd5: ++ if (isc_md5_available()) { ++ *name = dns_tsig_hmacmd5_name; break; ++ } else { ++ return (ISC_R_NOTFOUND); ++ } + #endif + case hmacsha1: *name = dns_tsig_hmacsha1_name; break; + case hmacsha224: *name = dns_tsig_hmacsha224_name; break; +diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c +index 6967b49754..bb5d50038f 100644 +--- a/bin/nsupdate/nsupdate.c ++++ b/bin/nsupdate/nsupdate.c +@@ -29,6 +29,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -474,9 +475,10 @@ parse_hmac(dns_name_t **hmac, const char *hmacstr, size_t len, + strlcpy(buf, hmacstr, ISC_MIN(len + 1, sizeof(buf))); + + #ifndef PK11_MD5_DISABLE +- if (strcasecmp(buf, "hmac-md5") == 0) { ++ if (strcasecmp(buf, "hmac-md5") == 0 && isc_md5_available()) { + *hmac = DNS_TSIG_HMACMD5_NAME; +- } else if (strncasecmp(buf, "hmac-md5-", 9) == 0) { ++ } else if (strncasecmp(buf, "hmac-md5-", 9) == 0 && ++ isc_md5_available()) { + *hmac = DNS_TSIG_HMACMD5_NAME; + result = isc_parse_uint16(&digestbits, &buf[9], 10); + if (result != ISC_R_SUCCESS || digestbits > 128) { +@@ -589,10 +591,10 @@ setup_keystr(void) { + exit(1); + } 
+ } else { +-#ifndef PK11_MD5_DISABLE +- hmacname = DNS_TSIG_HMACMD5_NAME; +-#else + hmacname = DNS_TSIG_HMACSHA256_NAME; ++#ifndef PK11_MD5_DISABLE ++ if (isc_md5_available()) ++ hmacname = DNS_TSIG_HMACMD5_NAME; + #endif + name = keystr; + n = s; +@@ -729,7 +731,8 @@ setup_keyfile(isc_mem_t *mctx, isc_log_t *lctx) { + switch (dst_key_alg(dstkey)) { + #ifndef PK11_MD5_DISABLE + case DST_ALG_HMACMD5: +- hmacname = DNS_TSIG_HMACMD5_NAME; ++ if (isc_md5_available()) ++ hmacname = DNS_TSIG_HMACMD5_NAME; + break; + #endif + case DST_ALG_HMACSHA1: +@@ -1604,12 +1607,13 @@ evaluate_key(char *cmdline) { + return (STATUS_SYNTAX); + } + namestr = n + 1; +- } else +-#ifndef PK11_MD5_DISABLE +- hmacname = DNS_TSIG_HMACMD5_NAME; +-#else ++ } else { + hmacname = DNS_TSIG_HMACSHA256_NAME; ++#ifndef PK11_MD5_DISABLE ++ if (isc_md5_available()) ++ hmacname = DNS_TSIG_HMACMD5_NAME; + #endif ++ } + + isc_buffer_init(&b, namestr, strlen(namestr)); + isc_buffer_add(&b, strlen(namestr)); +diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c +index 5c29caf86b..617b06b4a1 100644 +--- a/bin/rndc/rndc.c ++++ b/bin/rndc/rndc.c +@@ -21,6 +21,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -634,7 +635,7 @@ parse_config(isc_mem_t *mctx, isc_log_t *log, const char *keyname, + algorithmstr = cfg_obj_asstring(algorithmobj); + + #ifndef PK11_MD5_DISABLE +- if (strcasecmp(algorithmstr, "hmac-md5") == 0) ++ if (strcasecmp(algorithmstr, "hmac-md5") == 0 && isc_md5_available()) + algorithm = ISCCC_ALG_HMACMD5; + else + #endif +diff --git a/bin/tests/optional/hash_test.c b/bin/tests/optional/hash_test.c +index bf2891ad4c..b5f0a1c5f5 100644 +--- a/bin/tests/optional/hash_test.c ++++ b/bin/tests/optional/hash_test.c +@@ -90,43 +90,47 @@ main(int argc, char **argv) { + print_digest(s, "sha224", digest, ISC_SHA224_DIGESTLENGTH/4); + + #ifndef PK11_MD5_DISABLE +- s = "abc"; +- isc_md5_init(&md5); +- memmove(buffer, s, strlen(s)); +- isc_md5_update(&md5, buffer, strlen(s)); +- 
isc_md5_final(&md5, digest); +- print_digest(s, "md5", digest, 4); +- +- /* +- * The 3 HMAC-MD5 examples from RFC2104 +- */ +- s = "Hi There"; +- memset(key, 0x0b, 16); +- isc_hmacmd5_init(&hmacmd5, key, 16); +- memmove(buffer, s, strlen(s)); +- isc_hmacmd5_update(&hmacmd5, buffer, strlen(s)); +- isc_hmacmd5_sign(&hmacmd5, digest); +- print_digest(s, "hmacmd5", digest, 4); +- +- s = "what do ya want for nothing?"; +- strlcpy((char *)key, "Jefe", sizeof(key)); +- isc_hmacmd5_init(&hmacmd5, key, 4); +- memmove(buffer, s, strlen(s)); +- isc_hmacmd5_update(&hmacmd5, buffer, strlen(s)); +- isc_hmacmd5_sign(&hmacmd5, digest); +- print_digest(s, "hmacmd5", digest, 4); +- +- s = "\335\335\335\335\335\335\335\335\335\335" +- "\335\335\335\335\335\335\335\335\335\335" +- "\335\335\335\335\335\335\335\335\335\335" +- "\335\335\335\335\335\335\335\335\335\335" +- "\335\335\335\335\335\335\335\335\335\335"; +- memset(key, 0xaa, 16); +- isc_hmacmd5_init(&hmacmd5, key, 16); +- memmove(buffer, s, strlen(s)); +- isc_hmacmd5_update(&hmacmd5, buffer, strlen(s)); +- isc_hmacmd5_sign(&hmacmd5, digest); +- print_digest(s, "hmacmd5", digest, 4); ++ if (isc_md5_available()) { ++ s = "abc"; ++ isc_md5_init(&md5); ++ memmove(buffer, s, strlen(s)); ++ isc_md5_update(&md5, buffer, strlen(s)); ++ isc_md5_final(&md5, digest); ++ print_digest(s, "md5", digest, 4); ++ ++ /* ++ * The 3 HMAC-MD5 examples from RFC2104 ++ */ ++ s = "Hi There"; ++ memset(key, 0x0b, 16); ++ isc_hmacmd5_init(&hmacmd5, key, 16); ++ memmove(buffer, s, strlen(s)); ++ isc_hmacmd5_update(&hmacmd5, buffer, strlen(s)); ++ isc_hmacmd5_sign(&hmacmd5, digest); ++ print_digest(s, "hmacmd5", digest, 4); ++ ++ s = "what do ya want for nothing?"; ++ strlcpy((char *)key, "Jefe", sizeof(key)); ++ isc_hmacmd5_init(&hmacmd5, key, 4); ++ memmove(buffer, s, strlen(s)); ++ isc_hmacmd5_update(&hmacmd5, buffer, strlen(s)); ++ isc_hmacmd5_sign(&hmacmd5, digest); ++ print_digest(s, "hmacmd5", digest, 4); ++ ++ s = 
"\335\335\335\335\335\335\335\335\335\335" ++ "\335\335\335\335\335\335\335\335\335\335" ++ "\335\335\335\335\335\335\335\335\335\335" ++ "\335\335\335\335\335\335\335\335\335\335" ++ "\335\335\335\335\335\335\335\335\335\335"; ++ memset(key, 0xaa, 16); ++ isc_hmacmd5_init(&hmacmd5, key, 16); ++ memmove(buffer, s, strlen(s)); ++ isc_hmacmd5_update(&hmacmd5, buffer, strlen(s)); ++ isc_hmacmd5_sign(&hmacmd5, digest); ++ print_digest(s, "hmacmd5", digest, 4); ++ } else { ++ fprintf(stderr, "Skipping disabled MD5 algorithm\n"); ++ } + #endif + + /* +diff --git a/bin/tests/system/tkey/keycreate.c b/bin/tests/system/tkey/keycreate.c +index 2a0ee94888..489f4390dc 100644 +--- a/bin/tests/system/tkey/keycreate.c ++++ b/bin/tests/system/tkey/keycreate.c +@@ -20,6 +20,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -142,6 +143,8 @@ sendquery(isc_task_t *task, isc_event_t *event) { + static char keystr[] = "0123456789ab"; + + isc_event_free(&event); ++ if (isc_md5_available() == ISC_FALSE) ++ CHECK("MD5 was disabled", ISC_R_NOTIMPLEMENTED); + + result = ISC_R_FAILURE; + if (inet_pton(AF_INET, "10.53.0.1", &inaddr) != 1) +diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c +index 7057c318e4..36ee6c7d21 100644 +--- a/bin/tests/system/tkey/keydelete.c ++++ b/bin/tests/system/tkey/keydelete.c +@@ -225,12 +225,18 @@ main(int argc, char **argv) { + result = dst_key_fromnamedfile(keyname, NULL, type, mctx, &dstkey); + CHECK("dst_key_fromnamedfile", result); + #ifndef PK11_MD5_DISABLE +- result = dns_tsigkey_createfromkey(dst_key_name(dstkey), +- DNS_TSIG_HMACMD5_NAME, +- dstkey, ISC_TRUE, NULL, 0, 0, +- mctx, ring, &tsigkey); +- dst_key_free(&dstkey); +- CHECK("dns_tsigkey_createfromkey", result); ++ if (isc_md5_available()) { ++ result = dns_tsigkey_createfromkey(dst_key_name(dstkey), ++ DNS_TSIG_HMACMD5_NAME, ++ dstkey, ISC_TRUE, ++ NULL, 0, 0, ++ mctx, ring, &tsigkey); ++ dst_key_free(&dstkey); ++ 
CHECK("dns_tsigkey_createfromkey", result); ++ } else { ++ dst_key_free(&dstkey); ++ CHECK("MD5 was disabled", ISC_R_NOTIMPLEMENTED); ++ } + #else + dst_key_free(&dstkey); + CHECK("MD5 was disabled", ISC_R_NOTIMPLEMENTED); +diff --git a/lib/bind9/check.c b/lib/bind9/check.c +index 3da83a7ae2..1a3d534799 100644 +--- a/lib/bind9/check.c ++++ b/lib/bind9/check.c +@@ -21,6 +21,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -2572,6 +2573,15 @@ bind9_check_key(const cfg_obj_t *key, isc_log_t *logctx) { + } + + algorithm = cfg_obj_asstring(algobj); ++#ifndef PK11_MD5_DISABLE ++ /* Skip hmac-md5* algorithms */ ++ if (isc_md5_available() == ISC_FALSE && ++ strncasecmp(algorithm, "hmac-md5", 8) == 0) { ++ cfg_obj_log(algobj, logctx, ISC_LOG_ERROR, ++ "disabled algorithm '%s'", algorithm); ++ return (ISC_R_DISABLED); ++ } ++#endif + for (i = 0; algorithms[i].name != NULL; i++) { + len = strlen(algorithms[i].name); + if (strncasecmp(algorithms[i].name, algorithm, len) == 0 && +diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c +index 4f3d6ac55c..dbece0ac56 100644 +--- a/lib/dns/dst_api.c ++++ b/lib/dns/dst_api.c +@@ -190,6 +190,12 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx, + dst_result_register(); + + memset(dst_t_func, 0, sizeof(dst_t_func)); ++ ++#ifdef OPENSSL ++ RETERR(dst__openssl_init(engine)); ++#elif PKCS11CRYPTO ++ RETERR(dst__pkcs11_init(mctx, engine)); ++#endif + #ifndef PK11_MD5_DISABLE + RETERR(dst__hmacmd5_init(&dst_t_func[DST_ALG_HMACMD5])); + #endif +@@ -199,7 +205,6 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx, + RETERR(dst__hmacsha384_init(&dst_t_func[DST_ALG_HMACSHA384])); + RETERR(dst__hmacsha512_init(&dst_t_func[DST_ALG_HMACSHA512])); + #ifdef OPENSSL +- RETERR(dst__openssl_init(engine)); + #ifndef PK11_MD5_DISABLE + RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSAMD5], + DST_ALG_RSAMD5)); +@@ -233,14 +238,18 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx, + 
RETERR(dst__openssleddsa_init(&dst_t_func[DST_ALG_ED448])); + #endif + #elif PKCS11CRYPTO +- RETERR(dst__pkcs11_init(mctx, engine)); + #ifndef PK11_MD5_DISABLE +- RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSAMD5])); ++ RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSAMD5], ++ DST_ALG_RSAMD5)); + #endif +- RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA1])); +- RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1])); +- RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA256])); +- RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA512])); ++ RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA1], ++ DST_ALG_RSASHA1)); ++ RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1], ++ DST_ALG_NSEC3RSASHA1)); ++ RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA256], ++ DST_ALG_RSASHA256)); ++ RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA512], ++ DST_ALG_RSASHA512)); + #ifndef PK11_DSA_DISABLE + RETERR(dst__pkcs11dsa_init(&dst_t_func[DST_ALG_DSA])); + RETERR(dst__pkcs11dsa_init(&dst_t_func[DST_ALG_NSEC3DSA])); +diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h +index 640519a5ba..deb7ed4e13 100644 +--- a/lib/dns/dst_internal.h ++++ b/lib/dns/dst_internal.h +@@ -245,7 +245,8 @@ isc_result_t dst__hmacsha384_init(struct dst_func **funcp); + isc_result_t dst__hmacsha512_init(struct dst_func **funcp); + isc_result_t dst__opensslrsa_init(struct dst_func **funcp, + unsigned char algorithm); +-isc_result_t dst__pkcs11rsa_init(struct dst_func **funcp); ++isc_result_t dst__pkcs11rsa_init(struct dst_func **funcp, ++ unsigned char algorithm); + #ifndef PK11_DSA_DISABLE + isc_result_t dst__openssldsa_init(struct dst_func **funcp); + isc_result_t dst__pkcs11dsa_init(struct dst_func **funcp); +diff --git a/lib/dns/dst_parse.c b/lib/dns/dst_parse.c +index b0e5c895c6..03f2b8ace8 100644 +--- a/lib/dns/dst_parse.c ++++ b/lib/dns/dst_parse.c +@@ -30,6 +30,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ 
-393,6 +394,10 @@ check_data(const dst_private_t *priv, const unsigned int alg, + switch (alg) { + #ifndef PK11_MD5_DISABLE + case DST_ALG_RSAMD5: ++ if (isc_md5_available()) ++ return (check_rsa(priv, external)); ++ else ++ return (DST_R_UNSUPPORTEDALG); + #endif + case DST_ALG_RSASHA1: + case DST_ALG_NSEC3RSASHA1: +@@ -418,7 +423,10 @@ check_data(const dst_private_t *priv, const unsigned int alg, + return (check_eddsa(priv, external)); + #ifndef PK11_MD5_DISABLE + case DST_ALG_HMACMD5: +- return (check_hmac_md5(priv, old)); ++ if (isc_md5_available()) ++ return (check_hmac_md5(priv, old)); ++ else ++ return (DST_R_UNSUPPORTEDALG); + #endif + case DST_ALG_HMACSHA1: + return (check_hmac_sha(priv, HMACSHA1_NTAGS, alg)); +@@ -637,11 +645,13 @@ dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex, + } + + #ifdef PK11_MD5_DISABLE +- check = check_data(priv, alg == DST_ALG_RSA ? DST_ALG_RSASHA1 : alg, +- ISC_TRUE, external); ++ if (alg == DST_ALG_RSA) ++ alg = DST_ALG_RSASHA1; + #else +- check = check_data(priv, alg, ISC_TRUE, external); ++ if (isc_md5_available() == ISC_FALSE && alg == DST_ALG_RSA) ++ alg = DST_ALG_RSASHA1; + #endif ++ check = check_data(priv, alg, ISC_TRUE, external); + if (check < 0) { + ret = DST_R_INVALIDPRIVATEKEY; + goto fail; +diff --git a/lib/dns/hmac_link.c b/lib/dns/hmac_link.c +index 59aa4705e5..21bfa44450 100644 +--- a/lib/dns/hmac_link.c ++++ b/lib/dns/hmac_link.c +@@ -338,25 +338,17 @@ static dst_func_t hmacmd5_functions = { + + isc_result_t + dst__hmacmd5_init(dst_func_t **funcp) { +-#ifdef HAVE_FIPS_MODE + /* +- * Problems from OpenSSL are likely from FIPS mode ++ * Prevent use of incorrect crypto + */ +- int fips_mode = FIPS_mode(); +- +- if (fips_mode != 0) { +- UNEXPECTED_ERROR(__FILE__, __LINE__, +- "FIPS mode is %d: MD5 is only supported " +- "if the value is 0.\n" +- "Please disable either FIPS mode or MD5.", +- fips_mode); ++ ++#ifndef PK11_MD5_DISABLE ++ if (isc_md5_available() == ISC_FALSE) { ++ /* 
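Review bot: Rewriting the `alg` parameter in place in dst__privstruct_parse (`if (isc_md5_available() == ISC_FALSE && alg == DST_ALG_RSA) alg = DST_ALG_RSASHA1;`) does two things the original expression-local substitution did not: it changes `alg` for the rest of the function, whose body continues past the hunk, and — if DST_ALG_RSA is the legacy alias of DST_ALG_RSAMD5 as in dst_api.h (not shown) — it validates an RSAMD5 private key as RSASHA1, sidestepping the `DST_R_UNSUPPORTEDALG` that check_data's RSAMD5 case returns in this same patch when MD5 is unavailable. If the intent is only to accept the RSA private-key layout and leave algorithm enforcement to the signing layer, keep the substitution local: `check = check_data(priv, (alg == DST_ALG_RSA && isc_md5_available() == ISC_FALSE) ? DST_ALG_RSASHA1 : alg, ISC_TRUE, external);` with a comment saying so. Either way a comment should state whether an RSAMD5 key is meant to load-but-not-sign or to be refused outright, since the two hunks currently pull in different directions.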
Intentionally skip initialization */ ++ return (ISC_R_SUCCESS); + } + #endif + +- /* +- * Prevent use of incorrect crypto +- */ +- + RUNTIME_CHECK(isc_md5_check(ISC_FALSE)); + RUNTIME_CHECK(isc_hmacmd5_check(0)); + +diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c +index f4847bbe74..126cebca19 100644 +--- a/lib/dns/opensslrsa_link.c ++++ b/lib/dns/opensslrsa_link.c +@@ -1801,6 +1801,12 @@ dst__opensslrsa_init(dst_func_t **funcp, unsigned char algorithm) { + + if (*funcp == NULL) { + switch (algorithm) { ++#ifndef PK11_MD5_DISABLE ++ case DST_ALG_RSAMD5: ++ if (isc_md5_available()) ++ *funcp = &opensslrsa_functions; ++ break; ++#endif + case DST_ALG_RSASHA256: + #if defined(HAVE_EVP_SHA256) || !USE_EVP + *funcp = &opensslrsa_functions; +diff --git a/lib/dns/pkcs11rsa_link.c b/lib/dns/pkcs11rsa_link.c +index 56955203e9..af6008d4dd 100644 +--- a/lib/dns/pkcs11rsa_link.c ++++ b/lib/dns/pkcs11rsa_link.c +@@ -94,10 +94,15 @@ pkcs11rsa_createctx_sign(dst_key_t *key, dst_context_t *dctx) { + #endif + + /* +- * Reject incorrect RSA key lengths. ++ * Reject incorrect RSA key lengths or disabled algorithms. 
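Review bot: The `/* Prevent use of incorrect crypto */` comment in dst__hmacmd5_init now sits above the `#ifndef PK11_MD5_DISABLE` early-return block, while the two `RUNTIME_CHECK(isc_md5_check(ISC_FALSE))` / `RUNTIME_CHECK(isc_hmacmd5_check(0))` calls it originally described are left bare. Move it back above the RUNTIME_CHECKs and give the early return its own explanation, e.g. `/* MD5 is disabled at runtime (e.g. FIPS mode): return success without registering hmacmd5_functions so DST reports the algorithm as unsupported instead of failing hard. */`. Stating that the unset `*funcp` is deliberate matters here, because the registration that follows the hunk is skipped silently and a reader may otherwise take it for an oversight.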
+ */ + switch (dctx->key->key_alg) { + case DST_ALG_RSAMD5: ++#ifndef PK11_MD5_DISABLE ++ if (isc_md5_available() == ISC_FALSE) ++ return (ISC_R_FAILURE); ++#endif ++ /* FALLTHROUGH */ + case DST_ALG_RSASHA1: + case DST_ALG_NSEC3RSASHA1: + /* From RFC 3110 */ +@@ -634,6 +639,9 @@ pkcs11rsa_createctx(dst_key_t *key, dst_context_t *dctx) { + switch (key->key_alg) { + #ifndef PK11_MD5_DISABLE + case DST_ALG_RSAMD5: ++ if (isc_md5_available() == ISC_FALSE) ++ return (ISC_R_FAILURE); ++ + mech.mechanism = CKM_MD5; + break; + #endif +@@ -790,6 +798,9 @@ pkcs11rsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { + switch (key->key_alg) { + #ifndef PK11_MD5_DISABLE + case DST_ALG_RSAMD5: ++ if (isc_md5_available() == ISC_FALSE) ++ return (ISC_R_FAILURE); ++ + der = md5_der; + derlen = sizeof(md5_der); + hashlen = ISC_MD5_DIGESTLENGTH; +@@ -1014,6 +1025,9 @@ pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) { + switch (key->key_alg) { + #ifndef PK11_MD5_DISABLE + case DST_ALG_RSAMD5: ++ if (isc_md5_available() == ISC_FALSE) ++ return (ISC_R_FAILURE); ++ + der = md5_der; + derlen = sizeof(md5_der); + hashlen = ISC_MD5_DIGESTLENGTH; +@@ -2217,11 +2231,22 @@ static dst_func_t pkcs11rsa_functions = { + }; + + isc_result_t +-dst__pkcs11rsa_init(dst_func_t **funcp) { ++dst__pkcs11rsa_init(dst_func_t **funcp, unsigned char algorithm) { + REQUIRE(funcp != NULL); + +- if (*funcp == NULL) +- *funcp = &pkcs11rsa_functions; ++ if (*funcp == NULL) { ++ switch (algorithm) { ++#ifndef PK11_MD5_DISABLE ++ case DST_ALG_RSAMD5: ++ if (isc_md5_available()) ++ *funcp = &pkcs11rsa_functions; ++ break; ++#endif ++ default: ++ *funcp = &pkcs11rsa_functions; ++ break; ++ } ++ } + return (ISC_R_SUCCESS); + } + +diff --git a/lib/dns/rcode.c b/lib/dns/rcode.c +index 937d8fc1ec..d1fa8d5870 100644 +--- a/lib/dns/rcode.c ++++ b/lib/dns/rcode.c +@@ -14,6 +14,7 @@ + #include + + #include ++#include + #include + #include + #include +@@ -347,17 +348,33 @@ dns_cert_totext(dns_cert_t cert, 
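Review bot: pkcs11rsa_createctx answers a disabled RSAMD5 with `return (ISC_R_FAILURE);`, whereas dst_parse.c's check_data reports the same condition as `DST_R_UNSUPPORTEDALG` in this patch; the generic result hides the reason from whatever log line the caller prints. Return `DST_R_UNSUPPORTEDALG` here and in the identical guards in pkcs11rsa_createctx_sign, pkcs11rsa_sign and pkcs11rsa_verify so the operator sees that MD5 is disabled rather than a bare failure. These guards look like defence in depth — dst__pkcs11rsa_init below no longer registers RSAMD5 when MD5 is unavailable, so a context should not normally be created for it — which deserves a one-line comment at the first guard: `/* Normally unreachable: dst__pkcs11rsa_init skips RSAMD5 when MD5 is disabled; kept as defence in depth. */`.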
isc_buffer_t *target) { + return (dns_mnemonic_totext(cert, target, certs)); + } + ++static inline struct tbl * ++secalgs_tbl_start() { ++ struct tbl *algs = secalgs; ++ ++#ifndef PK11_MD5_DISABLE ++ if (isc_md5_available() == ISC_FALSE) { ++ while (algs->name != NULL && ++ algs->value == DNS_KEYALG_RSAMD5) ++ ++algs; ++ } ++#endif ++ return algs; ++} ++ + isc_result_t + dns_secalg_fromtext(dns_secalg_t *secalgp, isc_textregion_t *source) { + unsigned int value; +- RETERR(dns_mnemonic_fromtext(&value, source, secalgs, 0xff)); ++ ++ RETERR(dns_mnemonic_fromtext(&value, source, ++ secalgs_tbl_start(), 0xff)); + *secalgp = value; + return (ISC_R_SUCCESS); + } + + isc_result_t + dns_secalg_totext(dns_secalg_t secalg, isc_buffer_t *target) { +- return (dns_mnemonic_totext(secalg, target, secalgs)); ++ return (dns_mnemonic_totext(secalg, target, secalgs_tbl_start())); + } + + void +diff --git a/lib/dns/tests/rsa_test.c b/lib/dns/tests/rsa_test.c +index 224cf5b475..44040dd8b7 100644 +--- a/lib/dns/tests/rsa_test.c ++++ b/lib/dns/tests/rsa_test.c +@@ -19,6 +19,7 @@ + #include + #include + ++#include + #include + #include + +@@ -225,23 +226,25 @@ ATF_TC_BODY(isc_rsa_verify, tc) { + /* RSAMD5 */ + + #ifndef PK11_MD5_DISABLE +- key->key_alg = DST_ALG_RSAMD5; ++ if (isc_md5_available()) { ++ key->key_alg = DST_ALG_RSAMD5; + +- ret = dst_context_create3(key, mctx, DNS_LOGCATEGORY_DNSSEC, +- ISC_FALSE, &ctx); +- ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS); ++ ret = dst_context_create3(key, mctx, DNS_LOGCATEGORY_DNSSEC, ++ ISC_FALSE, &ctx); ++ ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS); + +- r.base = d; +- r.length = 10; +- ret = dst_context_adddata(ctx, &r); +- ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS); ++ r.base = d; ++ r.length = 10; ++ ret = dst_context_adddata(ctx, &r); ++ ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS); + +- r.base = sigmd5; +- r.length = 256; +- ret = dst_context_verify(ctx, &r); +- ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS); ++ r.base = sigmd5; ++ r.length = 256; ++ ret = dst_context_verify(ctx, 
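Review bot: `secalgs_tbl_start()` assumes every `DNS_KEYALG_RSAMD5` entry sits at the head of `secalgs` — it only skips a leading run — so an RSAMD5 alias placed later in the table (the table itself is outside the hunk) would still be accepted by dns_secalg_fromtext when MD5 is disabled; either pin the layout with a comment next to the table or filter the value inside dns_mnemonic_fromtext's caller rather than by start offset. Two C points: define it as `secalgs_tbl_start(void)`, since an empty `()` declares an unspecified parameter list in C and the file's other definitions use `(void)`, and keep the file's parenthesised-return convention, `return (algs);`. A comment that dns_secalg_totext presumably renders value 1 numerically rather than as RSAMD5 when MD5 is disabled, and that this is intended, would also help.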
&r); ++ ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS); + +- dst_context_destroy(&ctx); ++ dst_context_destroy(&ctx); ++ } + #endif + + /* RSASHA256 */ +diff --git a/lib/dns/tests/tsig_test.c b/lib/dns/tests/tsig_test.c +index ee025c2387..c403d9954d 100644 +--- a/lib/dns/tests/tsig_test.c ++++ b/lib/dns/tests/tsig_test.c +@@ -14,6 +14,7 @@ + #include + #include + ++#include + #include + #include + +diff --git a/lib/dns/tkey.c b/lib/dns/tkey.c +index d9f68e50b1..a8edde47b5 100644 +--- a/lib/dns/tkey.c ++++ b/lib/dns/tkey.c +@@ -242,6 +242,9 @@ compute_secret(isc_buffer_t *shared, isc_region_t *queryrandomness, + unsigned char digests[32]; + unsigned int i; + ++ if (isc_md5_available() == ISC_FALSE) ++ return (ISC_R_NOTIMPLEMENTED); ++ + isc_buffer_usedregion(shared, &r); + + /* +@@ -318,6 +321,12 @@ process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name, + } + + #ifndef PK11_MD5_DISABLE ++ if (isc_md5_available() == ISC_FALSE) { ++ tkey_log("process_dhtkey: MD5 was disabled"); ++ tkeyout->error = dns_tsigerror_badalg; ++ return (ISC_R_SUCCESS); ++ } ++ + if (!dns_name_equal(&tkeyin->algorithm, DNS_TSIG_HMACMD5_NAME)) { + tkey_log("process_dhtkey: algorithms other than " + "hmac-md5 are not supported"); +diff --git a/lib/dns/tsec.c b/lib/dns/tsec.c +index a367291f23..37baad7437 100644 +--- a/lib/dns/tsec.c ++++ b/lib/dns/tsec.c +@@ -11,6 +11,7 @@ + + #include + ++#include + #include + #include + +@@ -63,7 +64,12 @@ dns_tsec_create(isc_mem_t *mctx, dns_tsectype_t type, dst_key_t *key, + switch (dst_key_alg(key)) { + #ifndef PK11_MD5_DISABLE + case DST_ALG_HMACMD5: +- algname = dns_tsig_hmacmd5_name; ++ if (isc_md5_available()) { ++ algname = dns_tsig_hmacmd5_name; ++ } else { ++ isc_mem_put(mctx, tsec, sizeof(*tsec)); ++ return (DNS_R_BADALG); ++ } + break; + #endif + case DST_ALG_HMACSHA1: +diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c +index bdcc581bc3..70805bb709 100644 +--- a/lib/dns/tsig.c ++++ b/lib/dns/tsig.c +@@ -270,7 +270,8 @@ 
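Review bot: The new `if (isc_md5_available() == ISC_FALSE) return (ISC_R_NOTIMPLEMENTED);` in compute_secret is not wrapped in `#ifndef PK11_MD5_DISABLE`, unlike the equivalent check added to process_dhtkey just below and every other call site in this patch; isc/md5.h declares isc_md5_available() only inside that guard, so unless compute_secret is itself inside an `#ifndef PK11_MD5_DISABLE` region (its start is outside the hunk) a PK11_MD5_DISABLE build fails to compile here. Wrap it the same way: `#ifndef PK11_MD5_DISABLE` / the check / `#endif`. If the whole function is already guarded, a one-line comment at the check saying so saves the next reader the same question.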
dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm, + (void)dns_name_downcase(&tkey->name, &tkey->name, NULL); + + #ifndef PK11_MD5_DISABLE +- if (dns_name_equal(algorithm, DNS_TSIG_HMACMD5_NAME)) { ++ if (dns_name_equal(algorithm, DNS_TSIG_HMACMD5_NAME) && ++ isc_md5_available()) { + tkey->algorithm = DNS_TSIG_HMACMD5_NAME; + if (dstkey != NULL && dst_key_alg(dstkey) != DST_ALG_HMACMD5) { + ret = DNS_R_BADALG; +@@ -496,7 +497,8 @@ destroyring(dns_tsig_keyring_t *ring) { + static unsigned int + dst_alg_fromname(dns_name_t *algorithm) { + #ifndef PK11_MD5_DISABLE +- if (dns_name_equal(algorithm, DNS_TSIG_HMACMD5_NAME)) { ++ if (dns_name_equal(algorithm, DNS_TSIG_HMACMD5_NAME) && ++ isc_md5_available()) { + return (DST_ALG_HMACMD5); + } else + #endif +@@ -680,7 +682,8 @@ dns_tsigkey_create(dns_name_t *name, dns_name_t *algorithm, + REQUIRE(secret != NULL); + + #ifndef PK11_MD5_DISABLE +- if (dns_name_equal(algorithm, DNS_TSIG_HMACMD5_NAME)) { ++ if (dns_name_equal(algorithm, DNS_TSIG_HMACMD5_NAME) && ++ isc_md5_available()) { + if (secret != NULL) { + isc_buffer_t b; + +@@ -1280,7 +1283,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, + return (ret); + if ( + #ifndef PK11_MD5_DISABLE +- alg == DST_ALG_HMACMD5 || ++ (alg == DST_ALG_HMACMD5 && isc_md5_available()) || + #endif + alg == DST_ALG_HMACSHA1 || + alg == DST_ALG_HMACSHA224 || alg == DST_ALG_HMACSHA256 || +@@ -1449,7 +1452,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, + + if ( + #ifndef PK11_MD5_DISABLE +- alg == DST_ALG_HMACMD5 || ++ (alg == DST_ALG_HMACMD5 && isc_md5_available()) || + #endif + alg == DST_ALG_HMACSHA1 || + alg == DST_ALG_HMACSHA224 || alg == DST_ALG_HMACSHA256 || +@@ -1590,7 +1593,7 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) { + goto cleanup_querystruct; + if ( + #ifndef PK11_MD5_DISABLE +- alg == DST_ALG_HMACMD5 || ++ (alg == DST_ALG_HMACMD5 && isc_md5_available()) || + #endif + alg == DST_ALG_HMACSHA1 || + alg == 
DST_ALG_HMACSHA224 || +@@ -1769,7 +1772,7 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) { + goto cleanup_context; + if ( + #ifndef PK11_MD5_DISABLE +- alg == DST_ALG_HMACMD5 || ++ (alg == DST_ALG_HMACMD5 && isc_md5_available()) || + #endif + alg == DST_ALG_HMACSHA1 || + alg == DST_ALG_HMACSHA224 || +diff --git a/lib/isc/include/isc/md5.h b/lib/isc/include/isc/md5.h +index e5f46dd9c7..9d11f9f8b6 100644 +--- a/lib/isc/include/isc/md5.h ++++ b/lib/isc/include/isc/md5.h +@@ -89,6 +89,9 @@ isc_md5_final(isc_md5_t *ctx, unsigned char *digest); + isc_boolean_t + isc_md5_check(isc_boolean_t testing); + ++isc_boolean_t ++isc_md5_available(void); ++ + ISC_LANG_ENDDECLS + + #endif /* !PK11_MD5_DISABLE */ +diff --git a/lib/isc/md5.c b/lib/isc/md5.c +index 740d863b1b..aefd16478f 100644 +--- a/lib/isc/md5.c ++++ b/lib/isc/md5.c +@@ -35,6 +35,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -53,6 +54,9 @@ + #define EVP_MD_CTX_free(ptr) EVP_MD_CTX_cleanup(ptr) + #endif + ++static isc_once_t available_once = ISC_ONCE_INIT; ++static isc_boolean_t available = ISC_FALSE; ++ + void + isc_md5_init(isc_md5_t *ctx) { + ctx->ctx = EVP_MD_CTX_new(); +@@ -84,8 +88,33 @@ isc_md5_final(isc_md5_t *ctx, unsigned char *digest) { + ctx->ctx = NULL; + } + ++static void ++do_detect_available() { ++ isc_md5_t local; ++ isc_md5_t *ctx = &local; ++ unsigned char digest[ISC_MD5_DIGESTLENGTH]; ++ ++ ctx->ctx = EVP_MD_CTX_new(); ++ RUNTIME_CHECK(ctx->ctx != NULL); ++ available = ISC_TF(EVP_DigestInit(ctx->ctx, EVP_md5()) == 1); ++ if (available) ++ (void)EVP_DigestFinal(ctx->ctx, digest, NULL); ++ EVP_MD_CTX_free(ctx->ctx); ++ ctx->ctx = NULL; ++} ++ ++isc_boolean_t ++isc_md5_available() { ++ RUNTIME_CHECK(isc_once_do(&available_once, do_detect_available) ++ == ISC_R_SUCCESS); ++ return available; ++} ++ + #elif PKCS11CRYPTO + ++static isc_once_t available_once = ISC_ONCE_INIT; ++static isc_boolean_t available = ISC_FALSE; ++ + void + isc_md5_init(isc_md5_t *ctx) 
{ + CK_RV rv; +@@ -128,6 +157,31 @@ isc_md5_final(isc_md5_t *ctx, unsigned char *digest) { + pk11_return_session(ctx); + } + ++static void ++do_detect_available() { ++ isc_md5_t local; ++ isc_md5_t *ctx = &local; ++ CK_RV rv; ++ CK_MECHANISM mech = { CKM_MD5, NULL, 0 }; ++ ++ if (pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE, ++ ISC_FALSE, NULL, 0) == ISC_R_SUCCESS) ++ { ++ rv = pkcs_C_DigestInit(ctx->session, &mech); ++ isc_md5_invalidate(ctx); ++ available = (ISC_TF(rv == CKR_OK)); ++ } else { ++ available = ISC_FALSE; ++ } ++} ++ ++isc_boolean_t ++isc_md5_available() { ++ RUNTIME_CHECK(isc_once_do(&available_once, do_detect_available) ++ == ISC_R_SUCCESS); ++ return available; ++} ++ + #else + + static void +@@ -337,6 +391,11 @@ isc_md5_final(isc_md5_t *ctx, unsigned char *digest) { + memmove(digest, ctx->buf, 16); + isc_safe_memwipe(ctx, sizeof(*ctx)); /* In case it's sensitive */ + } ++ ++isc_boolean_t ++isc_md5_available() { ++ return ISC_TRUE; ++} + #endif + + /* +diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c +index fc75a46154..48e1031974 100644 +--- a/lib/isc/pk11.c ++++ b/lib/isc/pk11.c +@@ -191,13 +191,12 @@ pk11_initialize(isc_mem_t *mctx, const char *engine) { + LOCK(&alloclock); + if ((mctx != NULL) && (pk11_mctx == NULL) && (allocsize == 0)) + isc_mem_attach(mctx, &pk11_mctx); ++ UNLOCK(&alloclock); ++ ++ LOCK(&sessionlock); + if (initialized) { +- UNLOCK(&alloclock); +- return (ISC_R_SUCCESS); +- } else { +- LOCK(&sessionlock); +- initialized = ISC_TRUE; +- UNLOCK(&alloclock); ++ result = ISC_R_SUCCESS; ++ goto unlock; + } + + ISC_LIST_INIT(tokens); +@@ -237,6 +236,7 @@ pk11_initialize(isc_mem_t *mctx, const char *engine) { + } + #endif + #endif /* PKCS11CRYPTO */ ++ initialized = ISC_TRUE; + result = ISC_R_SUCCESS; + unlock: + UNLOCK(&sessionlock); +@@ -273,9 +273,14 @@ pk11_finalize(void) { + pk11_mem_put(token, sizeof(*token)); + token = next; + } ++ LOCK(&alloclock); + if (pk11_mctx != NULL) + isc_mem_detach(&pk11_mctx); ++ 
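Review bot: In the OpenSSL `do_detect_available()`, a refused `EVP_DigestInit(ctx->ctx, EVP_md5())` — the FIPS case this probe exists for — typically leaves an error record on the thread's OpenSSL error queue; the probe runs once at an arbitrary first call and nobody consumes that record, so it can surface later as a misleading error attributed to an unrelated operation. Clear it on the negative path, `if (!available) ERR_clear_error();` (with `#include <openssl/err.h>`). Also define the new functions as `do_detect_available(void)` and `isc_md5_available(void)` — md5.h declares `isc_md5_available(void)`, and an empty `()` in a C definition is an unspecified parameter list that -Wstrict-prototypes flags — and use the file's `return (available);` form; the same applies to the PKCS#11 and built-in variants of isc_md5_available below.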
UNLOCK(&alloclock); ++ ++ LOCK(&sessionlock); + initialized = ISC_FALSE; ++ UNLOCK(&sessionlock); + return (ret); + } + +@@ -589,6 +594,8 @@ scan_slots(void) { + pk11_token_t *token; + unsigned int i; + isc_boolean_t bad; ++ unsigned int best_rsa_algorithms = 0; ++ unsigned int best_digest_algorithms = 0; + + slotCount = 0; + PK11_FATALCHECK(pkcs_C_GetSlotList, (CK_FALSE, NULL_PTR, &slotCount)); +@@ -601,6 +608,8 @@ scan_slots(void) { + PK11_FATALCHECK(pkcs_C_GetSlotList, (CK_FALSE, slotList, &slotCount)); + + for (i = 0; i < slotCount; i++) { ++ unsigned int rsa_algorithms = 0; ++ unsigned int digest_algorithms = 0; + slot = slotList[i]; + PK11_TRACE2("slot#%u=0x%lx\n", i, slot); + +@@ -640,11 +649,12 @@ scan_slots(void) { + if ((rv != CKR_OK) || + ((mechInfo.flags & CKF_SIGN) == 0) || + ((mechInfo.flags & CKF_VERIFY) == 0)) { +-#if !defined(PK11_MD5_DISABLE) && !defined(PK11_RSA_PKCS_REPLACE) +- bad = ISC_TRUE; +-#endif + PK11_TRACEM(CKM_MD5_RSA_PKCS); + } ++#if !defined(PK11_MD5_DISABLE) && !defined(PK11_RSA_PKCS_REPLACE) ++ else ++ ++rsa_algorithms; ++#endif + rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA1_RSA_PKCS, + &mechInfo); + if ((rv != CKR_OK) || +@@ -687,8 +697,14 @@ scan_slots(void) { + if (bad) + goto try_dsa; + token->operations |= 1 << OP_RSA; +- if (best_rsa_token == NULL) ++ if (best_rsa_token == NULL) { ++ best_rsa_token = token; ++ best_rsa_algorithms = rsa_algorithms; ++ } else if (rsa_algorithms > best_rsa_algorithms) { ++ pk11_mem_put(best_rsa_token, sizeof(*best_rsa_token)); + best_rsa_token = token; ++ best_rsa_algorithms = rsa_algorithms; ++ } + + try_dsa: + bad = ISC_FALSE; +@@ -756,11 +772,12 @@ scan_slots(void) { + bad = ISC_FALSE; + rv = pkcs_C_GetMechanismInfo(slot, CKM_MD5, &mechInfo); + if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) { +-#ifndef PK11_MD5_DISABLE +- bad = ISC_TRUE; +-#endif + PK11_TRACEM(CKM_MD5); + } ++#ifndef PK11_MD5_DISABLE ++ else ++ ++digest_algorithms; ++#endif + rv = pkcs_C_GetMechanismInfo(slot, 
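Review bot: In the CKM_MD5_RSA_PKCS probe the counting `else ++rsa_algorithms;` exists only under `#if !defined(PK11_MD5_DISABLE) && !defined(PK11_RSA_PKCS_REPLACE)` and is separated from its `if` by the closing brace of the `PK11_TRACEM(CKM_MD5_RSA_PKCS);` block, so the `if`/`else` pairing depends on a preprocessor condition — a later edit inserting a statement after that brace turns the `else` into a syntax error in one configuration and silently reattaches it in another. Invert the test so the count lives inside one conditional and the trace in its `else`; the same shape recurs for CKM_MD5 and CKM_MD5_HMAC in the digest probes below and should be fixed the same way.
```c
		rv = pkcs_C_GetMechanismInfo(slot, CKM_MD5_RSA_PKCS, &mechInfo);
		if ((rv == CKR_OK) &&
		    ((mechInfo.flags & CKF_SIGN) != 0) &&
		    ((mechInfo.flags & CKF_VERIFY) != 0)) {
#if !defined(PK11_MD5_DISABLE) && !defined(PK11_RSA_PKCS_REPLACE)
			++rsa_algorithms;
#endif
		} else {
			PK11_TRACEM(CKM_MD5_RSA_PKCS);
		}
		/* … unchanged: CKM_SHA1_RSA_PKCS probe and the rest of the RSA checks … */
```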
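Review bot: `pk11_mem_put(best_rsa_token, sizeof(*best_rsa_token));` in the RSA selection frees a token that, as far as this hunk shows, is still reachable elsewhere: the same per-slot `token` object continues through the `try_dsa:` and digest selections in the iteration in which it was chosen, so the superseded pointer may also be `digest_token` (or another best_*_token), and if it has been linked into the `tokens` list — which pk11_finalize, earlier in this file, walks and frees entry by entry — the free here is a use-after-free now and a double free at shutdown. Superseding the choice only needs the pointer repointed; drop the free so the branch reads `} else if (rsa_algorithms > best_rsa_algorithms) { best_rsa_token = token; best_rsa_algorithms = rsa_algorithms; }`. If tokens that end up unused for every operation class are meant to be released, do that once after the loop based on `token->operations`, not per selection.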
CKM_SHA_1, &mechInfo); + if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) { + bad = ISC_TRUE; +@@ -788,11 +805,12 @@ scan_slots(void) { + } + rv = pkcs_C_GetMechanismInfo(slot, CKM_MD5_HMAC, &mechInfo); + if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0)) { +-#if !defined(PK11_MD5_DISABLE) && !defined(PK11_MD5_HMAC_REPLACE) +- bad = ISC_TRUE; +-#endif + PK11_TRACEM(CKM_MD5_HMAC); + } ++#if !defined(PK11_MD5_DISABLE) && !defined(PK11_MD5_HMAC_REPLACE) ++ else ++ ++digest_algorithms; ++#endif + rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA_1_HMAC, &mechInfo); + if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0)) { + #ifndef PK11_SHA_1_HMAC_REPLACE +@@ -830,8 +848,14 @@ scan_slots(void) { + } + if (!bad) { + token->operations |= 1 << OP_DIGEST; +- if (digest_token == NULL) ++ if (digest_token == NULL) { ++ digest_token = token; ++ best_digest_algorithms = digest_algorithms; ++ } else if (digest_algorithms > best_digest_algorithms) { ++ pk11_mem_put(digest_token, sizeof(*digest_token)); + digest_token = token; ++ best_digest_algorithms = digest_algorithms; ++ } + } + + /* ECDSA requires digest */ +diff --git a/lib/isc/tests/hash_test.c b/lib/isc/tests/hash_test.c +index 18759903be..6bc45b1ad3 100644 +--- a/lib/isc/tests/hash_test.c ++++ b/lib/isc/tests/hash_test.c +@@ -2008,7 +2008,8 @@ ATF_TP_ADD_TCS(tp) { + * various cryptographic hashes. 
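Review bot: `pk11_mem_put(digest_token, sizeof(*digest_token));` in the digest selection has the same problem as the RSA selection above it: the previously chosen digest token went through the RSA and DSA selections earlier in the iteration in which it was chosen and may still be `best_rsa_token` (or, if scan_slots links tokens into the `tokens` list that pk11_finalize frees, a list member), so freeing it here leaves a dangling pointer. Replace the branch body with just `digest_token = token; best_digest_algorithms = digest_algorithms;`. A short comment on the rule would also help: `/* Prefer the slot that offers the most digest/HMAC mechanisms; MD5 counts only when it is not disabled. */`.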
+ */ + #ifndef PK11_MD5_DISABLE +- ATF_TP_ADD_TC(tp, md5_check); ++ if (isc_md5_available()) ++ ATF_TP_ADD_TC(tp, md5_check); + #endif + ATF_TP_ADD_TC(tp, sha1_check); + +@@ -2016,7 +2017,8 @@ ATF_TP_ADD_TCS(tp) { + ATF_TP_ADD_TC(tp, isc_hash_function_reverse); + ATF_TP_ADD_TC(tp, isc_hash_initializer); + #ifndef PK11_MD5_DISABLE +- ATF_TP_ADD_TC(tp, isc_hmacmd5); ++ if (isc_md5_available()) ++ ATF_TP_ADD_TC(tp, isc_hmacmd5); + #endif + ATF_TP_ADD_TC(tp, isc_hmacsha1); + ATF_TP_ADD_TC(tp, isc_hmacsha224); +@@ -2024,7 +2026,8 @@ ATF_TP_ADD_TCS(tp) { + ATF_TP_ADD_TC(tp, isc_hmacsha384); + ATF_TP_ADD_TC(tp, isc_hmacsha512); + #ifndef PK11_MD5_DISABLE +- ATF_TP_ADD_TC(tp, isc_md5); ++ if (isc_md5_available()) ++ ATF_TP_ADD_TC(tp, isc_md5); + #endif + ATF_TP_ADD_TC(tp, isc_sha1); + ATF_TP_ADD_TC(tp, isc_sha224); +diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c +index 7225ab4a37..42b30466be 100644 +--- a/lib/isccc/cc.c ++++ b/lib/isccc/cc.c +@@ -270,11 +270,15 @@ sign(unsigned char *data, unsigned int length, unsigned char *hmac, + switch (algorithm) { + #ifndef PK11_MD5_DISABLE + case ISCCC_ALG_HMACMD5: +- isc_hmacmd5_init(&ctx.hmd5, secret->rstart, +- REGION_SIZE(*secret)); +- isc_hmacmd5_update(&ctx.hmd5, data, length); +- isc_hmacmd5_sign(&ctx.hmd5, digest); +- source.rend = digest + ISC_MD5_DIGESTLENGTH; ++ if (isc_md5_available()) { ++ isc_hmacmd5_init(&ctx.hmd5, secret->rstart, ++ REGION_SIZE(*secret)); ++ isc_hmacmd5_update(&ctx.hmd5, data, length); ++ isc_hmacmd5_sign(&ctx.hmd5, digest); ++ source.rend = digest + ISC_MD5_DIGESTLENGTH; ++ } else { ++ return (ISC_R_FAILURE); ++ } + break; + #endif + +@@ -348,14 +352,18 @@ isccc_cc_towire(isccc_sexpr_t *alist, isc_buffer_t **buffer, + { + unsigned int hmac_base, signed_base; + isc_result_t result; ++ const isc_boolean_t md5 = ISC_TF(algorithm == ISCCC_ALG_HMACMD5); + + #ifndef PK11_MD5_DISABLE ++ if (md5 && isc_md5_available() == ISC_FALSE) ++ return (ISC_R_NOTIMPLEMENTED); ++ + result = isc_buffer_reserve(buffer, +- 
4 + ((algorithm == ISCCC_ALG_HMACMD5) ? ++ 4 + ((md5) ? + sizeof(auth_hmd5) : + sizeof(auth_hsha))); + #else +- if (algorithm == ISCCC_ALG_HMACMD5) ++ if (md5) + return (ISC_R_NOTIMPLEMENTED); + result = isc_buffer_reserve(buffer, 4 + sizeof(auth_hsha)); + #endif +@@ -374,7 +382,7 @@ isccc_cc_towire(isccc_sexpr_t *alist, isc_buffer_t **buffer, + * we know what it is. + */ + #ifndef PK11_MD5_DISABLE +- if (algorithm == ISCCC_ALG_HMACMD5) { ++ if (md5) { + hmac_base = (*buffer)->used + HMD5_OFFSET; + isc_buffer_putmem(*buffer, + auth_hmd5, sizeof(auth_hmd5)); +@@ -440,7 +448,7 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length, + if (!isccc_alist_alistp(_auth)) + return (ISC_R_FAILURE); + #ifndef PK11_MD5_DISABLE +- if (algorithm == ISCCC_ALG_HMACMD5) ++ if (algorithm == ISCCC_ALG_HMACMD5 && isc_md5_available()) + hmac = isccc_alist_lookup(_auth, "hmd5"); + else + #endif +@@ -455,12 +463,16 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length, + switch (algorithm) { + #ifndef PK11_MD5_DISABLE + case ISCCC_ALG_HMACMD5: +- isc_hmacmd5_init(&ctx.hmd5, secret->rstart, +- REGION_SIZE(*secret)); +- isc_hmacmd5_update(&ctx.hmd5, data, length); +- isc_hmacmd5_sign(&ctx.hmd5, digest); +- source.rend = digest + ISC_MD5_DIGESTLENGTH; +- break; ++ if (isc_md5_available()) { ++ isc_hmacmd5_init(&ctx.hmd5, secret->rstart, ++ REGION_SIZE(*secret)); ++ isc_hmacmd5_update(&ctx.hmd5, data, length); ++ isc_hmacmd5_sign(&ctx.hmd5, digest); ++ source.rend = digest + ISC_MD5_DIGESTLENGTH; ++ break; ++ } else { ++ return (ISC_R_FAILURE); ++ } + #endif + + case ISCCC_ALG_HMACSHA1: +-- +2.14.4 + diff --git a/bind-9.11-fips-tests.patch b/bind-9.11-fips-tests.patch new file mode 100644 index 0000000000000000000000000000000000000000..f7a998dfb89149e1742d8f4c972036a45017df51 --- /dev/null +++ b/bind-9.11-fips-tests.patch 
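Review bot: In verify()'s `case ISCCC_ALG_HMACMD5:` the `break;` is now buried inside `if (isc_md5_available()) { … break; } else { return (ISC_R_FAILURE); }` immediately before `#endif` and the `case ISCCC_ALG_HMACSHA1:` label, which reads like a fallthrough waiting to happen even though both branches exit. A guard clause keeps the break at case level and matches the shape used elsewhere in the file: `if (isc_md5_available() == ISC_FALSE) return (ISC_R_FAILURE);` followed by the existing isc_hmacmd5_* calls and a trailing `break;`; sign() above would benefit from the same rewrite. Worth a comment that the earlier `"hmd5"`/`"hsha"` lookup in this function already falls back to `"hsha"` for a disabled hmac-md5, so reaching this failure is the expected rejection path rather than a lookup bug.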
@@ -0,0 +1,1781 @@
+From 35b53607724ec4b5d4060385218c39ccd0d78a4d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
+Date: Thu, 2 Aug 2018 23:46:45 +0200
+Subject: [PATCH 2/2] Squashed commit of the following:
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit 09e5eb48698d4fef2fc1031870de86c553b6bfaa
+Author: Petr Menšík
+Date: Wed Mar 7 20:35:13 2018 +0100
+
+ Fix nsupdate test. Do not use md5 by default for rndc, skip gracefully md5 if not available.
+
+commit ab303db70082db76ecf36493d0b82ef3e8750cad
+Author: Petr Menšík
+Date: Wed Mar 7 18:11:10 2018 +0100
+
+ Changed root key to be RSASHA256
+
+ Change bad trusted key to be the same algorithm.
+
+commit 88ab07c0e14cc71247e1f9d11a1ea832b64c1ee8
+Author: Petr Menšík
+Date: Wed Mar 7 16:56:17 2018 +0100
+
+ Change used key to not use hmac-md5
+
+ Fix upforwd test, do not use hmac-md5
+
+commit aec891571626f053acfb4d0a247240cbc21a84e9
+Author: Petr Menšík
+Date: Wed Mar 7 15:54:11 2018 +0100
+
+ Increase bitsize of DSA key to pass FIPS 140-2 mode.
+
+commit bca8e164fa0d9aff2f946b8b4eb0f1f7e0bf6696
+Author: Petr Menšík
+Date: Wed Mar 7 15:41:08 2018 +0100
+
+ Fix tsig and rndc tests for disabled md5
+
+ Use hmac-sha256 instead of hmac-md5.
+
+commit 0d314c1ab6151aa13574a21ad22f28d3b7f42a67
+Author: Petr Menšík
+Date: Wed Mar 7 13:21:00 2018 +0100
+
+ Add md5 availability detection to featuretest
+
+commit f389a918803e2853e4b55fed62765dc4a492e34f
+Author: Petr Menšík
+Date: Wed Mar 7 10:44:23 2018 +0100
+
+ Change tests to not use hmac-md5 algorithms if not required
+
+ Use hmac-sha256 instead of default hmac-md5 for allow-query
+---
+ bin/tests/system/acl/ns2/named1.conf.in | 4 +-
+ bin/tests/system/acl/ns2/named2.conf.in | 4 +-
+ bin/tests/system/acl/ns2/named3.conf.in | 6 +--
+ bin/tests/system/acl/ns2/named4.conf.in | 4 +-
+ bin/tests/system/acl/ns2/named5.conf.in | 4 +-
+ bin/tests/system/acl/tests.sh | 32 +++++------
+ bin/tests/system/allow-query/ns2/named10.conf.in | 2 +-
+ bin/tests/system/allow-query/ns2/named11.conf.in | 4 +-
+ bin/tests/system/allow-query/ns2/named12.conf.in | 2 +-
+ bin/tests/system/allow-query/ns2/named30.conf.in | 2 +-
+ bin/tests/system/allow-query/ns2/named31.conf.in | 4 +-
+ bin/tests/system/allow-query/ns2/named32.conf.in | 2 +-
+ bin/tests/system/allow-query/ns2/named40.conf.in | 4 +-
+ bin/tests/system/allow-query/tests.sh | 18 +++----
+ bin/tests/system/catz/ns1/named.conf.in | 2 +-
+ bin/tests/system/catz/ns2/named.conf.in | 2 +-
+ bin/tests/system/checkconf/bad-tsig.conf | 2 +-
+ bin/tests/system/checkconf/good.conf | 2 +-
+ bin/tests/system/digdelv/ns2/example.db | 15 +++---
+ bin/tests/system/digdelv/tests.sh | 28 +++++-----
+ bin/tests/system/dlv/ns1/sign.sh | 4 +-
+ bin/tests/system/dlv/ns2/sign.sh | 4 +-
+ bin/tests/system/dlv/ns3/sign.sh | 69 ++++++++++++------------
+ bin/tests/system/dlv/ns6/sign.sh | 66 ++++++++++++-----------
+ bin/tests/system/dnssec/ns1/sign.sh | 4 +-
+ bin/tests/system/dnssec/ns2/sign.sh | 12 ++---
+ bin/tests/system/dnssec/ns3/sign.sh | 20 +++----
+ bin/tests/system/dnssec/ns5/trusted.conf.bad | 2 +-
+ bin/tests/system/dnssec/tests.sh | 8 +--
+ bin/tests/system/feature-test.c | 14 +++++
+ bin/tests/system/filter-aaaa/ns1/sign.sh | 4 +-
+ bin/tests/system/filter-aaaa/ns4/sign.sh | 4 +-
+ bin/tests/system/notify/ns5/named.conf.in | 6 +--
+ bin/tests/system/notify/tests.sh | 6 +--
+ bin/tests/system/nsupdate/ns1/named.conf.in | 2 +-
+ bin/tests/system/nsupdate/ns2/named.conf.in | 2 +-
+ bin/tests/system/nsupdate/setup.sh | 7 ++-
+ bin/tests/system/nsupdate/tests.sh | 11 +++-
+ bin/tests/system/rndc/setup.sh | 2 +-
+ bin/tests/system/rndc/tests.sh | 23 ++++----
+ bin/tests/system/tsig/clean.sh | 1 +
+ bin/tests/system/tsig/ns1/named.conf.in | 10 +---
+ bin/tests/system/tsig/ns1/rndc5.conf.in | 11 ++++
+ bin/tests/system/tsig/setup.sh | 4 ++
+ bin/tests/system/tsig/tests.sh | 67 ++++++++++++---------
+ bin/tests/system/tsiggss/setup.sh | 2 +-
+ bin/tests/system/upforwd/ns1/named.conf.in | 2 +-
+ bin/tests/system/upforwd/tests.sh | 2 +-
+ 48 files changed, 287 insertions(+), 225 deletions(-)
+ create mode 100644 bin/tests/system/tsig/ns1/rndc5.conf.in
+
+diff --git a/bin/tests/system/acl/ns2/named1.conf.in b/bin/tests/system/acl/ns2/named1.conf.in
+index 0ea6502708..026db3f134 100644
+--- a/bin/tests/system/acl/ns2/named1.conf.in
++++ b/bin/tests/system/acl/ns2/named1.conf.in
+@@ -33,12 +33,12 @@ options {
+ };
+
+ key one {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "1234abcd8765";
+ };
+
+ key two {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "1234abcd8765";
+ };
+
+diff --git a/bin/tests/system/acl/ns2/named2.conf.in b/bin/tests/system/acl/ns2/named2.conf.in
+index b877880554..d8f50be255 100644
+--- a/bin/tests/system/acl/ns2/named2.conf.in
++++ b/bin/tests/system/acl/ns2/named2.conf.in
+@@ -33,12 +33,12 @@ options {
+ };
+
+ key one {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "1234abcd8765";
+ };
+
+ key two {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "1234abcd8765";
+ };
+
+diff --git a/bin/tests/system/acl/ns2/named3.conf.in b/bin/tests/system/acl/ns2/named3.conf.in
+index 0a950622a2..aa54088138 100644
+--- a/bin/tests/system/acl/ns2/named3.conf.in
++++ b/bin/tests/system/acl/ns2/named3.conf.in
+@@ -33,17 +33,17 @@ options {
+ };
+
+ key one {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "1234abcd8765";
+ };
+
+ key two {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "1234abcd8765";
+ };
+
+ key three {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "1234abcd8765";
+ };
+
+diff --git a/bin/tests/system/acl/ns2/named4.conf.in b/bin/tests/system/acl/ns2/named4.conf.in
+index 7cdcb6e341..606a3452d8 100644
+--- a/bin/tests/system/acl/ns2/named4.conf.in
++++ b/bin/tests/system/acl/ns2/named4.conf.in
+@@ -33,12 +33,12 @@ options {
+ };
+
+ key one {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "1234abcd8765";
+ };
+
+ key two {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "1234abcd8765";
+ };
+
+diff --git a/bin/tests/system/acl/ns2/named5.conf.in b/bin/tests/system/acl/ns2/named5.conf.in
+index 4b4e05027a..0e679a821d 100644
+--- a/bin/tests/system/acl/ns2/named5.conf.in
++++ b/bin/tests/system/acl/ns2/named5.conf.in
+@@ -34,12 +34,12 @@ options {
+ };
+
+ key one {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "1234abcd8765";
+ };
+
+ key two {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "1234abcd8765";
+ };
+
+diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh
+index 09f31f2bb9..f88f0d4430 100644
+--- a/bin/tests/system/acl/tests.sh
++++ b/bin/tests/system/acl/tests.sh
+@@ -22,14 +22,14 @@ echo_i "testing basic ACL processing"
+ # key "one" should fail
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
++ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
+
+
+ # any other key should be fine
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
++ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
+
+ copy_setports ns2/named2.conf.in ns2/named.conf
+@@ -39,18 +39,18 @@ sleep 5
+ # prefix 10/8 should fail
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
++ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
+
+ # any other address should work, as long as it sends key "one"
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+- @10.53.0.2 -b 127.0.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
++ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
+
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+- @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
++ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
+
+ echo_i "testing nested ACL processing"
+@@ -62,31 +62,31 @@ sleep 5
+ # should succeed
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+- @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t}
++ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
+
+ # should succeed
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+- @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t}
++ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
+
+ # should succeed
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
++ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
+
+ # should succeed
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
++ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
+
+ # but only one or the other should fail
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+- @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
++ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
+
+ t=`expr $t + 1`
+@@ -97,7 +97,7 @@ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $tt failed" ; status=1
+ # and other values? right out
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+- @10.53.0.2 -b 127.0.0.1 axfr -y three:1234abcd8765 > dig.out.${t}
++ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:three:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
+
+ # now we only allow 10.53.0.1 *and* key one, or 10.53.0.2 *and* key two
+@@ -108,31 +108,31 @@ sleep 5
+ # should succeed
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+- @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t}
++ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
+
+ # should succeed
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
++ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
+
+ # should fail
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+- @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t}
++ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
+
+ # should fail
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
++ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
+
+ # should fail
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+- @10.53.0.2 -b 10.53.0.3 axfr -y one:1234abcd8765 > dig.out.${t}
++ @10.53.0.2 -b 10.53.0.3 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
+
+ echo_i "testing allow-query-on ACL processing"
+diff --git a/bin/tests/system/allow-query/ns2/named10.conf.in b/bin/tests/system/allow-query/ns2/named10.conf.in
+index 1569913b37..e9c5c2d574 100644
+--- a/bin/tests/system/allow-query/ns2/named10.conf.in
++++ b/bin/tests/system/allow-query/ns2/named10.conf.in
+@@ -12,7 +12,7 @@
+ controls { /* empty */ };
+
+ key one {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "1234abcd8765";
+ };
+
+diff --git a/bin/tests/system/allow-query/ns2/named11.conf.in b/bin/tests/system/allow-query/ns2/named11.conf.in
+index 18ac91c6e7..2b1c8739d8 100644
+--- a/bin/tests/system/allow-query/ns2/named11.conf.in
++++ b/bin/tests/system/allow-query/ns2/named11.conf.in
+@@ -12,12 +12,12 @@
+ controls { /* empty */ };
+
+ key one {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "1234abcd8765";
+ };
+
+ key two {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "1234efgh8765";
+ };
+
+diff --git a/bin/tests/system/allow-query/ns2/named12.conf.in b/bin/tests/system/allow-query/ns2/named12.conf.in
+index b8248444dd..dd48945bf8 100644
+--- a/bin/tests/system/allow-query/ns2/named12.conf.in
++++ b/bin/tests/system/allow-query/ns2/named12.conf.in
+@@ -12,7 +12,7 @@
+ controls { /* empty */ };
+
+ key one {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "1234abcd8765";
+ };
+
+diff --git a/bin/tests/system/allow-query/ns2/named30.conf.in b/bin/tests/system/allow-query/ns2/named30.conf.in
+index aeb1540e95..bfce58bddd 100644
+--- a/bin/tests/system/allow-query/ns2/named30.conf.in
++++ b/bin/tests/system/allow-query/ns2/named30.conf.in
+@@ -12,7 +12,7 @@
+ controls { /* empty */ };
+
+ key one {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "1234abcd8765";
+ };
+
+diff --git a/bin/tests/system/allow-query/ns2/named31.conf.in b/bin/tests/system/allow-query/ns2/named31.conf.in
+index d4b743281a..e0f52526ba 100644
+--- a/bin/tests/system/allow-query/ns2/named31.conf.in
++++ b/bin/tests/system/allow-query/ns2/named31.conf.in
+@@ -12,12 +12,12 @@
+ controls { /* empty */ };
+
+ key one {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "1234abcd8765";
+ };
+
+ key two {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "1234efgh8765";
+ };
+
+diff --git a/bin/tests/system/allow-query/ns2/named32.conf.in b/bin/tests/system/allow-query/ns2/named32.conf.in
+index c0259387e7..87afb3fa3a 100644
+--- a/bin/tests/system/allow-query/ns2/named32.conf.in
++++ b/bin/tests/system/allow-query/ns2/named32.conf.in
+@@ -12,7 +12,7 @@
+ controls { /* empty */ };
+
+ key one {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "1234abcd8765";
+ };
+
+diff --git a/bin/tests/system/allow-query/ns2/named40.conf.in b/bin/tests/system/allow-query/ns2/named40.conf.in
+index d83b376cfd..d726b9480b 100644
+--- a/bin/tests/system/allow-query/ns2/named40.conf.in
++++ b/bin/tests/system/allow-query/ns2/named40.conf.in
+@@ -16,12 +16,12 @@ acl accept { 10.53.0.2; };
+ acl badaccept { 10.53.0.1; };
+
+ key one {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "1234abcd8765";
+ };
+
+ key two {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "1234efgh8765";
+ };
+
+diff --git a/bin/tests/system/allow-query/tests.sh b/bin/tests/system/allow-query/tests.sh
+index fb6059d5b8..f9601564a2 100644
+--- a/bin/tests/system/allow-query/tests.sh
++++ b/bin/tests/system/allow-query/tests.sh
+@@ -190,7 +190,7 @@ rndc_reload
+
+ echo_i "test $n: key allowed - query allowed"
+ ret=0
+-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
+ grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
+ grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+@@ -203,7 +203,7 @@ rndc_reload
+
+ echo_i "test $n: key not allowed - query refused"
+ ret=0
+-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
+ grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+ grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+@@ -216,7 +216,7 @@ rndc_reload
+
+ echo_i "test $n: key disallowed - query refused"
+ ret=0
+-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
+ grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+ grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+@@ -349,7 +349,7 @@ rndc_reload
+
+ echo_i "test $n: views key allowed - query allowed"
+ ret=0
+-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
+ grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
+ grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+@@ -362,7 +362,7 @@ rndc_reload
+
+ echo_i "test $n: views key not allowed - query refused"
+ ret=0
+-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
+ grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+ grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+@@ -375,7 +375,7 @@ rndc_reload
+
+ echo_i "test $n: views key disallowed - query refused"
+ ret=0
+-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
+ grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+ grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+@@ -508,7 +508,7 @@ status=`expr $status + $ret`
+ n=`expr $n + 1`
+ echo_i "test $n: zone key allowed - query allowed"
+ ret=0
+-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
+ grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
+ grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+@@ -518,7 +518,7 @@ status=`expr $status + $ret`
+ n=`expr $n + 1`
+ echo_i "test $n: zone key not allowed - query refused"
+ ret=0
+-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
+ grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+ grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null && ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+@@ -528,7 +528,7 @@ status=`expr $status + $ret`
+ n=`expr $n + 1`
+ echo_i "test $n: zone key disallowed - query refused"
+ ret=0
+-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1
++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1
+ grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+ grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+diff --git a/bin/tests/system/catz/ns1/named.conf.in b/bin/tests/system/catz/ns1/named.conf.in
+index 74b7d371b7..c35376640d 100644
+--- a/bin/tests/system/catz/ns1/named.conf.in
++++ b/bin/tests/system/catz/ns1/named.conf.in
+@@ -61,5 +61,5 @@ zone "catalog4.example" {
+
+ key tsig_key. {
+ secret "LSAnCU+Z";
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ };
+diff --git a/bin/tests/system/catz/ns2/named.conf.in b/bin/tests/system/catz/ns2/named.conf.in
+index ee83efbee4..35ced08842 100644
+--- a/bin/tests/system/catz/ns2/named.conf.in
++++ b/bin/tests/system/catz/ns2/named.conf.in
+@@ -70,5 +70,5 @@ zone "catalog4.example" {
+
+ key tsig_key. {
+ secret "LSAnCU+Z";
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ };
+diff --git a/bin/tests/system/checkconf/bad-tsig.conf b/bin/tests/system/checkconf/bad-tsig.conf
+index 21be03e9d2..e57c30875c 100644
+--- a/bin/tests/system/checkconf/bad-tsig.conf
++++ b/bin/tests/system/checkconf/bad-tsig.conf
+@@ -11,7 +11,7 @@
+
+ /* Bad secret */
+ key "badtsig" {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "jEdD+BPKg==";
+ };
+
+diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf
+index 9ab35b38a5..486551ae64 100644
+--- a/bin/tests/system/checkconf/good.conf
++++ b/bin/tests/system/checkconf/good.conf
+@@ -153,6 +153,6 @@ dyndb "name" "library.so" {
+ system;
+ };
+ key "mykey" {
+- algorithm "hmac-md5";
++ algorithm "hmac-sha256";
+ secret "qwertyuiopasdfgh";
+ };
+diff --git a/bin/tests/system/digdelv/ns2/example.db b/bin/tests/system/digdelv/ns2/example.db
+index f4e30f51e5..9f53e31c97 100644
+--- a/bin/tests/system/digdelv/ns2/example.db
++++ b/bin/tests/system/digdelv/ns2/example.db
+@@ -38,12 +38,15 @@ foo SSHFP 2 1 123456789abcdef67890123456789abcdef67890
+ ;;
+ ;; we are not testing DNSSEC behavior, so we don't care about the semantics
+ ;; of the following records.
+-dnskey 300 DNSKEY 256 3 1 (
+- AQPTpWyReB/e9Ii6mVGnakS8hX2zkh/iUYAg
+- +Ge4noWROpTWOIBvm76zeJPWs4Zfqa1IsswD
+- Ix5Mqeg0zwclz59uecKsKyx5w9IhtZ8plc4R
+- b9VIE5x7KNHAYTvTO5d4S8M=
+- )
++dnskey 300 DNSKEY 256 3 8 (
++ AwEAAaWmCoDpj2K59zcpqnmnQM7IC/XbjS6jIP7uTBR4X7p1bdQJzAeo
++ EnMhnpnxPp0j+20eZm4847DB2U+HuHy79Mvqd3aozTmfBJvzjKs9qyba
++ zY/ZHn6BDYxNJiFfjSS/VJ1KuQPDbpCzhm2hbvT5s9nSOaG0WyRk+d+R
++ qEca11E7ZKkmmNiGlyzMAgfmTTBwgxWBAAhvd9nU1GqD6eQ6Z63hpTc/
++ KDIHnFTo7pOcZ4z5urIKUMCMcFytedETlEoR5CIWGPdQq2eIEEMfn5ld
++ QqdEZRHVErD9og8aluJ2s767HZb8LzjCfYgBFoT9/n48T75oZLEKtSkG
++ /idCeeQlaLU=
++ )
+
+ ; TTL of 3 weeks
+ weeks 1814400 A 10.53.0.2
+diff --git a/bin/tests/system/digdelv/tests.sh b/bin/tests/system/digdelv/tests.sh
+index 1b25c4ddfc..5dbf20a3e1 100644
+--- a/bin/tests/system/digdelv/tests.sh
++++ b/bin/tests/system/digdelv/tests.sh
+@@ -62,7 +62,7 @@ if [ -x ${DIG} ] ; then
+ echo_i "checking dig +multi +norrcomments works for dnskey (when default is rrcomments)($n)"
+ ret=0
+ $DIG $DIGOPTS +tcp @10.53.0.3 +multi +norrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
+- grep "; ZSK; alg = RSAMD5 ; key id = 30795" < dig.out.test$n > /dev/null && ret=1
++ grep "; ZSK; alg = RSASHA256 ; key id = 36895" < dig.out.test$n > /dev/null && ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=`expr $status + $ret`
+
+@@ -70,7 +70,7 @@ if [ -x ${DIG} ] ; then
+ echo_i "checking dig +multi +norrcomments works for soa (when default is rrcomments)($n)"
+ ret=0
+ $DIG $DIGOPTS +tcp @10.53.0.3 +multi +norrcomments SOA example > dig.out.test$n || ret=1
+- grep "; ZSK; alg = RSAMD5 ; key id = 30795" < dig.out.test$n > /dev/null && ret=1
++ grep "; ZSK; alg = RSASHA256 ; key id = 36895" < dig.out.test$n > /dev/null && ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=`expr $status + $ret`
+
+@@ -78,7 +78,7 @@ if [ -x ${DIG} ] ; then
+ echo_i "checking dig +rrcomments works for DNSKEY($n)"
+ ret=0
+ $DIG $DIGOPTS +tcp @10.53.0.3 +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
+- grep "; ZSK; alg = RSAMD5 ; key id = 30795" < dig.out.test$n > /dev/null || ret=1
++ grep "; ZSK; alg = RSASHA256 ; key id = 36895$" < dig.out.test$n > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=`expr $status + $ret`
+
+@@ -86,7 +86,7 @@ if [ -x ${DIG} ] ; then
+ echo_i "checking dig +short +rrcomments works for DNSKEY ($n)"
+ ret=0
+ $DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
+- grep "; ZSK; alg = RSAMD5 ; key id = 30795" < dig.out.test$n > /dev/null || ret=1
++ grep "; ZSK; alg = RSASHA256 ; key id = 36895$" < dig.out.test$n > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=`expr $status + $ret`
+
+@@ -94,7 +94,7 @@ if [ -x ${DIG} ] ; then
+ echo_i "checking dig +short +nosplit works($n)"
+ ret=0
+ $DIG $DIGOPTS +tcp @10.53.0.3 +short +nosplit DNSKEY dnskey.example > dig.out.test$n || ret=1
+- grep "Z8plc4Rb9VIE5x7KNHAYTvTO5d4S8M=$" < dig.out.test$n > /dev/null || ret=1
++ grep "T9/n48T75oZLEKtSkG/idCeeQlaLU=$" < dig.out.test$n > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=`expr $status + $ret`
+
+@@ -102,7 +102,7 @@ if [ -x ${DIG} ] ; then
+ echo_i "checking dig +short +rrcomments works($n)"
+ ret=0
+ $DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
+- grep "S8M= ; ZSK; alg = RSAMD5 ; key id = 30795$" < dig.out.test$n > /dev/null || ret=1
++ grep "aLU= ; ZSK; alg = RSASHA256 ; key id = 36895$" < dig.out.test$n > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=`expr $status + $ret`
+
+@@ -118,7 +118,7 @@ if [ -x ${DIG} ] ; then
+ echo_i "checking dig +short +rrcomments works($n)"
+ ret=0
+ $DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
+- grep "S8M= ; ZSK; alg = RSAMD5 ; key id = 30795$" < dig.out.test$n > /dev/null || ret=1
++ grep "aLU= ; ZSK; alg = RSASHA256 ; key id = 36895$" < dig.out.test$n > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=`expr $status + $ret`
+
+@@ -543,7 +543,7 @@ if [ -x ${DELV} ] ; then
+ echo_i "checking delv +multi +norrcomments works for dnskey (when default is rrcomments)($n)"
+ ret=0
+ $DELV $DELVOPTS +tcp @10.53.0.3 +multi +norrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
+- grep "; ZSK; alg = RSAMD5 ; key id = 30795" < delv.out.test$n > /dev/null && ret=1
++ grep "; ZSK; alg = RSASHA256 ; key id = 36895" < delv.out.test$n > /dev/null && ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=`expr $status + $ret`
+
+@@ -551,7 +551,7 @@ if [ -x ${DELV} ] ; then
+ echo_i "checking delv +multi +norrcomments works for soa (when default is rrcomments)($n)"
+ ret=0
+ $DELV $DELVOPTS +tcp @10.53.0.3 +multi +norrcomments SOA example > delv.out.test$n || ret=1
+- grep "; ZSK; alg = RSAMD5 ; key id = 30795" < delv.out.test$n > /dev/null && ret=1
++ grep "; ZSK; alg = RSASHA256 ; key id = 36895" < delv.out.test$n > /dev/null && ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=`expr $status + $ret`
+
+@@ -559,7 +559,7 @@ if [ -x ${DELV} ] ; then
+ echo_i "checking delv +rrcomments works for DNSKEY($n)"
+ ret=0
+ $DELV $DELVOPTS +tcp @10.53.0.3 +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
+- grep "; ZSK; alg = RSAMD5 ; key id = 30795" < delv.out.test$n > /dev/null || ret=1
++ grep "; ZSK; alg = RSASHA256 ; key id = 36895" < delv.out.test$n > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=`expr $status + $ret`
+
+@@ -567,7 +567,7 @@ if [ -x ${DELV} ] ; then
+ echo_i "checking delv +short +rrcomments works for DNSKEY ($n)"
+ ret=0
+ $DELV $DELVOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
+- grep "; ZSK; alg = RSAMD5 ; key id = 30795" < delv.out.test$n > /dev/null || ret=1
++ grep "; ZSK; alg = RSASHA256 ; key id = 36895" < delv.out.test$n > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=`expr $status + $ret`
+
+@@ -575,7 +575,7 @@ if [ -x ${DELV} ] ; then
+ echo_i "checking delv +short +rrcomments works ($n)"
+ ret=0
+ $DELV $DELVOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
+- grep "S8M= ; ZSK; alg = RSAMD5 ; key id = 30795$" < delv.out.test$n > /dev/null || ret=1
++ grep "aLU= ; ZSK; alg = RSASHA256 ; key id = 36895$" < delv.out.test$n > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=`expr $status + $ret`
+
+@@ -583,7 +583,7 @@ if [ -x ${DELV} ] ; then
+ echo_i "checking delv +short +nosplit works ($n)"
+ ret=0
+ $DELV $DELVOPTS +tcp @10.53.0.3 +short +nosplit DNSKEY dnskey.example > delv.out.test$n || ret=1
+- grep "Z8plc4Rb9VIE5x7KNHAYTvTO5d4S8M=" < delv.out.test$n > /dev/null || ret=1
++ grep "T9/n48T75oZLEKtSkG/idCeeQlaLU=" < delv.out.test$n > /dev/null || ret=1
+ if test `wc -l < delv.out.test$n` != 1 ; then ret=1 ; fi
+ f=`awk '{print NF}' < delv.out.test$n`
+ test "${f:-0}" -eq 14 || ret=1
+@@ -594,7 +594,7 @@ if [ -x ${DELV} ] ; then
+ echo_i "checking delv +short +nosplit +norrcomments works ($n)"
+ ret=0
+ $DELV $DELVOPTS +tcp @10.53.0.3 +short +nosplit +norrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
+- grep "Z8plc4Rb9VIE5x7KNHAYTvTO5d4S8M=$" < delv.out.test$n > /dev/null || ret=1
++ grep "T9/n48T75oZLEKtSkG/idCeeQlaLU=$" < delv.out.test$n > /dev/null || ret=1
+ if test `wc -l < delv.out.test$n` != 1 ; then ret=1 ; fi
+ f=`awk '{print NF}' < delv.out.test$n`
+ test "${f:-0}" -eq 4 || ret=1
+diff --git a/bin/tests/system/dlv/ns1/sign.sh b/bin/tests/system/dlv/ns1/sign.sh
+index b8151620cc..2a62e583b8 100755
+--- a/bin/tests/system/dlv/ns1/sign.sh
++++ b/bin/tests/system/dlv/ns1/sign.sh
+@@ -23,8 +23,8 @@ infile=root.db.in
+ zonefile=root.db
+ outfile=root.signed
+
+-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
+
+ cat $infile $keyname1.key $keyname2.key >$zonefile
+
+diff --git a/bin/tests/system/dlv/ns2/sign.sh b/bin/tests/system/dlv/ns2/sign.sh
+index 6f84d7a525..e128303a22 100755
+--- a/bin/tests/system/dlv/ns2/sign.sh
++++ b/bin/tests/system/dlv/ns2/sign.sh
+@@ -24,8 +24,8 @@ zonefile=druz.db
+ outfile=druz.pre
+ dlvzone=utld.
+
+-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
+
+ cat $infile $keyname1.key $keyname2.key >$zonefile
+
+diff --git a/bin/tests/system/dlv/ns3/sign.sh b/bin/tests/system/dlv/ns3/sign.sh
+index bcc9922e26..846dbcc0df 100755
+--- a/bin/tests/system/dlv/ns3/sign.sh
++++ b/bin/tests/system/dlv/ns3/sign.sh
+@@ -19,6 +19,7 @@ echo_i "dlv/ns3/sign.sh"
+ dlvzone=dlv.utld.
+ dlvsets=
+ dssets=
++bits=1024
+
+ zone=child1.utld.
+ infile=child.db.in
+@@ -26,8 +27,8 @@ zonefile=child1.utld.db
+ outfile=child1.signed
+ dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
+
+-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
+
+ dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
+ cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
+@@ -42,8 +43,8 @@ zonefile=child3.utld.db
+ outfile=child3.signed
+ dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
+
+-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
+
+ dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
+ cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
+@@ -58,8 +59,8 @@ zonefile=child4.utld.db
+ outfile=child4.signed
+ dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
+
+-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
+
+ cat $infile $keyname1.key $keyname2.key >$zonefile
+
+@@ -73,8 +74,8 @@ zonefile=child5.utld.db
+ outfile=child5.signed
+ dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
+
+-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP + cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile +@@ -88,8 +89,8 @@ infile=child.db.in + zonefile=child7.utld.db + outfile=child7.signed + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP + cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile +@@ -103,8 +104,8 @@ infile=child.db.in + zonefile=child8.utld.db + outfile=child8.signed + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -118,8 +119,8 @@ zonefile=child9.utld.db + outfile=child9.signed + dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -132,8 +133,8 @@ zonefile=child10.utld.db + outfile=child10.signed + dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n 
zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -147,8 +148,8 @@ outfile=child1.druz.signed + dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" + dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP" + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP + cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile +@@ -164,8 +165,8 @@ outfile=child3.druz.signed + dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" + dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP" + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP + cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile +@@ -181,8 +182,8 @@ outfile=child4.druz.signed + dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" + dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP" + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f 
KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -197,8 +198,8 @@ outfile=child5.druz.signed + dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" + dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP" + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP + cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile +@@ -213,8 +214,8 @@ zonefile=child7.druz.db + outfile=child7.druz.signed + dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP" + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP + cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile +@@ -228,8 +229,8 @@ infile=child.db.in + zonefile=child8.druz.db + outfile=child8.druz.signed + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -243,8 +244,8 @@ zonefile=child9.druz.db + outfile=child9.druz.signed + dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 
2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -258,8 +259,8 @@ outfile=child10.druz.signed + dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP" + dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP" + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -272,8 +273,8 @@ infile=dlv.db.in + zonefile=dlv.utld.db + outfile=dlv.signed + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $dlvsets $keyname1.key $keyname2.key >$zonefile + +diff --git a/bin/tests/system/dlv/ns6/sign.sh b/bin/tests/system/dlv/ns6/sign.sh +index 1e398625f1..4ed19acd1f 100755 +--- a/bin/tests/system/dlv/ns6/sign.sh ++++ b/bin/tests/system/dlv/ns6/sign.sh +@@ -16,13 +16,15 @@ SYSTESTDIR=dlv + + echo_i "dlv/ns6/sign.sh" + ++bits=1024 ++ + zone=grand.child1.utld. 
+ infile=child.db.in + zonefile=grand.child1.utld.db + outfile=grand.child1.signed + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -36,8 +38,8 @@ zonefile=grand.child3.utld.db + outfile=grand.child3.signed + dlvzone=dlv.utld. + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -51,8 +53,8 @@ zonefile=grand.child4.utld.db + outfile=grand.child4.signed + dlvzone=dlv.utld. + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -66,8 +68,8 @@ zonefile=grand.child5.utld.db + outfile=grand.child5.signed + dlvzone=dlv.utld. + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -81,8 +83,8 @@ zonefile=grand.child7.utld.db + outfile=grand.child7.signed + dlvzone=dlv.utld. 
+ +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -96,8 +98,8 @@ zonefile=grand.child8.utld.db + outfile=grand.child8.signed + dlvzone=dlv.utld. + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -111,8 +113,8 @@ zonefile=grand.child9.utld.db + outfile=grand.child9.signed + dlvzone=dlv.utld. + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -125,8 +127,8 @@ zonefile=grand.child10.utld.db + outfile=grand.child10.signed + dlvzone=dlv.utld. 
+ +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -138,8 +140,8 @@ infile=child.db.in + zonefile=grand.child1.druz.db + outfile=grand.child1.druz.signed + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -153,8 +155,8 @@ zonefile=grand.child3.druz.db + outfile=grand.child3.druz.signed + dlvzone=dlv.druz. + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -168,8 +170,8 @@ zonefile=grand.child4.druz.db + outfile=grand.child4.druz.signed + dlvzone=dlv.druz. + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -183,8 +185,8 @@ zonefile=grand.child5.druz.db + outfile=grand.child5.druz.signed + dlvzone=dlv.druz. 
+ +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -198,8 +200,8 @@ zonefile=grand.child7.druz.db + outfile=grand.child7.druz.signed + dlvzone=dlv.druz. + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -213,8 +215,8 @@ zonefile=grand.child8.druz.db + outfile=grand.child8.druz.signed + dlvzone=dlv.druz. + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -228,8 +230,8 @@ zonefile=grand.child9.druz.db + outfile=grand.child9.druz.signed + dlvzone=dlv.druz. + +-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` ++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` ++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null` + + cat $infile $keyname1.key $keyname2.key >$zonefile + +@@ -242,8 +244,8 @@ zonefile=grand.child10.druz.db + outfile=grand.child10.druz.signed + dlvzone=dlv.druz. 
+
+-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
+
+ cat $infile $keyname1.key $keyname2.key >$zonefile
+
+diff --git a/bin/tests/system/dnssec/ns1/sign.sh b/bin/tests/system/dnssec/ns1/sign.sh
+index 198d60ae15..d89a539ffd 100644
+--- a/bin/tests/system/dnssec/ns1/sign.sh
++++ b/bin/tests/system/dnssec/ns1/sign.sh
+@@ -27,7 +27,7 @@ cp ../ns2/dsset-in-addr.arpa$TP .
+ grep "8 [12] " ../ns2/dsset-algroll$TP > dsset-algroll$TP
+ cp ../ns6/dsset-optout-tld$TP .
+
+-keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
++keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone`
+
+ cat $infile $keyname.key > $zonefile
+
+@@ -48,6 +48,6 @@ cp managed.conf ../ns4/managed.conf
+ #
+ # Save keyid for managed key id test.
+ #
+-keyid=`expr $keyname : 'K.+001+\(.*\)'`
++keyid=`expr $keyname : 'K.+008+\([0-9]*\)'`
+ keyid=`expr $keyid + 0`
+ echo "$keyid" > managed.key.id
+diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh
+index 9078459ac8..9dcd028eb5 100644
+--- a/bin/tests/system/dnssec/ns2/sign.sh
++++ b/bin/tests/system/dnssec/ns2/sign.sh
+@@ -29,8 +29,8 @@ do
+ cp ../ns3/dsset-$subdomain.example$TP .
+ done
+
+-keyname1=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone`
+-keyname2=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone`
++keyname1=`$KEYGEN -q -r $RANDFILE -a DSA -b 1024 -n zone $zone`
++keyname2=`$KEYGEN -q -r $RANDFILE -a DSA -b 1024 -n zone $zone`
+
+ cat $infile $keyname1.key $keyname2.key >$zonefile
+
+@@ -89,8 +89,8 @@ zone=in-addr.arpa.
+ infile=in-addr.arpa.db.in
+ zonefile=in-addr.arpa.db
+
+-keyname1=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone`
+-keyname2=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone`
++keyname1=`$KEYGEN -q -r $RANDFILE -a DSA -b 1024 -n zone $zone`
++keyname2=`$KEYGEN -q -r $RANDFILE -a DSA -b 1024 -n zone $zone`
+
+ cat $infile $keyname1.key $keyname2.key >$zonefile
+ $SIGNER -P -g -r $RANDFILE -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null
+@@ -101,7 +101,7 @@ privzone=private.secure.example.
+ privinfile=private.secure.example.db.in
+ privzonefile=private.secure.example.db
+
+-privkeyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $privzone`
++privkeyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $privzone`
+
+ cat $privinfile $privkeyname.key >$privzonefile
+
+@@ -115,7 +115,7 @@ dlvinfile=dlv.db.in
+ dlvzonefile=dlv.db
+ dlvsetfile=dlvset-`echo $privzone |sed -e "s/\.$//g"`$TP
+
+-dlvkeyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $dlvzone`
++dlvkeyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $dlvzone`
+
+ cat $dlvinfile $dlvkeyname.key $dlvsetfile > $dlvzonefile
+
+diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh
+index 330abf7feb..f95a6b7ea8 100644
+--- a/bin/tests/system/dnssec/ns3/sign.sh
++++ b/bin/tests/system/dnssec/ns3/sign.sh
+@@ -28,7 +28,7 @@ zone=bogus.example.
+ infile=bogus.example.db.in
+ zonefile=bogus.example.db
+
+-keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
++keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 2048 -n zone $zone`
+
+ cat $infile $keyname.key >$zonefile
+
+@@ -38,8 +38,8 @@ zone=dynamic.example.
+ infile=dynamic.example.db.in
+ zonefile=dynamic.example.db
+
+-keyname1=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
+-keyname2=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone -f KSK $zone`
++keyname1=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 2048 -n zone $zone`
++keyname2=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 2048 -n zone -f KSK $zone`
+
+ cat $infile $keyname1.key $keyname2.key >$zonefile
+
+@@ -49,7 +49,7 @@ zone=keyless.example.
+ infile=generic.example.db.in
+ zonefile=keyless.example.db
+
+-keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
++keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 2048 -n zone $zone`
+
+ cat $infile $keyname.key >$zonefile
+
+@@ -69,7 +69,7 @@ zone=secure.nsec3.example.
+ infile=secure.nsec3.example.db.in
+ zonefile=secure.nsec3.example.db
+
+-keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
++keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 2048 -n zone $zone`
+
+ cat $infile $keyname.key >$zonefile
+
+@@ -82,7 +82,7 @@ zone=nsec3.nsec3.example.
+ infile=nsec3.nsec3.example.db.in
+ zonefile=nsec3.nsec3.example.db
+
+-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
++keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
+
+ cat $infile $keyname.key >$zonefile
+
+@@ -95,7 +95,7 @@ zone=optout.nsec3.example.
+ infile=optout.nsec3.example.db.in
+ zonefile=optout.nsec3.example.db
+
+-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
++keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
+
+ cat $infile $keyname.key >$zonefile
+
+@@ -108,7 +108,7 @@ zone=nsec3.example.
+ infile=nsec3.example.db.in
+ zonefile=nsec3.example.db
+
+-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
++keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
+
+ cat $infile $keyname.key >$zonefile
+
+@@ -121,7 +121,7 @@ zone=secure.optout.example.
+ infile=secure.optout.example.db.in
+ zonefile=secure.optout.example.db
+
+-keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
++keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 2048 -n zone $zone`
+
+ cat $infile $keyname.key >$zonefile
+
+@@ -498,7 +498,7 @@ zone=badds.example.
+ infile=bogus.example.db.in
+ zonefile=badds.example.db
+
+-keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
++keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 2048 -n zone $zone`
+
+ cat $infile $keyname.key >$zonefile
+
+diff --git a/bin/tests/system/dnssec/ns5/trusted.conf.bad b/bin/tests/system/dnssec/ns5/trusted.conf.bad
+index ed30460bda..e6b112630e 100644
+--- a/bin/tests/system/dnssec/ns5/trusted.conf.bad
++++ b/bin/tests/system/dnssec/ns5/trusted.conf.bad
+@@ -10,5 +10,5 @@
+ */
+
+ trusted-keys {
+- "." 256 3 1 "AQO6Cl+slAf+iuieDim9L3kujFHQD7s/IOj03ClMOpKYcTXtK4mRpuULVfvWxDi9Ew/gj0xLnnX7z9OJHIxLI+DSrAHd8Dm0XfBEAtVtJSn70GaPZgnLMw1rk5ap2DsEoWk=";
++ "." 256 3 8 "AwEAAarwAdjV4gIhpBCjXVAScRFEx3co7k8smJdxrnqoGsl5NB7EZ9jRdgvCXbJn6v8y9jlNWVHvaC8ilhfhLh0A1vLWiWv4ijd/12xcnrY7xpG7Cu3YkxUxaXJ7Jdg/Iw1+9mGgXF1v4UbCIcw/3U3cxyk7OxYg+VSb5KBAQSR0upxV";
+ };
+diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
+index bb2315fbf3..315666825e 100644
+--- a/bin/tests/system/dnssec/tests.sh
++++ b/bin/tests/system/dnssec/tests.sh
+@@ -1690,7 +1690,7 @@ ret=0
+ $RNDCCMD 10.53.0.4 secroots 2>&1 | sed 's/^/ns4 /' | cat_i
+ keyid=`cat ns1/managed.key.id`
+ cp ns4/named.secroots named.secroots.test$n
+-linecount=`grep "./RSAMD5/$keyid ; trusted" named.secroots.test$n | wc -l`
++linecount=`grep "./RSASHA256/$keyid ; trusted" named.secroots.test$n | wc -l`
+ [ "$linecount" -eq 1 ] || ret=1
+ linecount=`cat named.secroots.test$n | wc -l`
+ [ "$linecount" -eq 10 ] || ret=1
+@@ -3018,7 +3018,7 @@ echo_i "check dig's +nocrypto flag ($n)"
+ ret=0
+ $DIG $DIGOPTS +norec +nocrypto DNSKEY . \
+ @10.53.0.1 > dig.out.dnskey.ns1.test$n || ret=1
+-grep '256 3 1 \[key id = [1-9][0-9]*]' dig.out.dnskey.ns1.test$n > /dev/null || ret=1
++grep '256 3 8 \[key id = [1-9][0-9]*]' dig.out.dnskey.ns1.test$n > /dev/null || ret=1
+ grep 'RRSIG.* \[omitted]' dig.out.dnskey.ns1.test$n > /dev/null || ret=1
+ $DIG $DIGOPTS +norec +nocrypto DS example \
+ @10.53.0.1 > dig.out.ds.ns1.test$n || ret=1
+@@ -3130,8 +3130,8 @@ do
+ alg=`expr $alg + 1`
+ continue;;
+ 3) size="-b 512";;
+- 5) size="-b 512";;
+- 6) size="-b 512";;
++ 5) size="-b 1024";;
++ 6) size="-b 1024";;
+ 7) size="-b 512";;
+ 8) size="-b 512";;
+ 10) size="-b 1024";;
+diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c
+index 9612450ab4..5eee6aa4f8 100644
+--- a/bin/tests/system/feature-test.c
++++ b/bin/tests/system/feature-test.c
+@@ -19,6 +19,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+
+ #ifdef WIN32
+@@ -45,6 +46,7 @@ usage() {
+ fprintf(stderr, " --have-geoip\n");
+ fprintf(stderr, " --have-libxml2\n");
+ fprintf(stderr, " --ipv6only=no\n");
++ fprintf(stderr, " --md5\n");
+ fprintf(stderr, " --rpz-nsdname\n");
+ fprintf(stderr, " --rpz-nsip\n");
+ fprintf(stderr, " --with-idn\n");
+@@ -136,6 +138,18 @@ main(int argc, char **argv) {
+ #endif
+ }
+
++ if (strcmp(argv[1], "--md5") == 0) {
++#ifdef PK11_MD5_DISABLE
++ return (1);
++#else
++ if (isc_md5_available()) {
++ return (0);
++ } else {
++ return (1);
++ }
++#endif
++ }
++
+ if (strcmp(argv[1], "--rpz-nsip") == 0) {
+ #ifdef ENABLE_RPZ_NSIP
+ return (0);
+diff --git a/bin/tests/system/filter-aaaa/ns1/sign.sh b/bin/tests/system/filter-aaaa/ns1/sign.sh
+index f7555810a0..4a7d89004a 100755
+--- a/bin/tests/system/filter-aaaa/ns1/sign.sh
++++ b/bin/tests/system/filter-aaaa/ns1/sign.sh
+@@ -21,8 +21,8 @@ infile=signed.db.in
+ zonefile=signed.db.signed
+ outfile=signed.db.signed
+
+-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n
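Review bot: The `#else` branch of the new `--md5` case spells a boolean result out as a four-line if/else, while the neighbouring options in this function (e.g. `--rpz-nsip`) return on one line; `return (isc_md5_available() ? 0 : 1);` keeps the same behaviour and the same shape as its siblings. The hunk also adds a new `#include` whose header name was lost in this rendering, so it cannot be confirmed from here that the declaration of isc_md5_available() is actually pulled in rather than relying on an implicit declaration. Note also that the exit status meaning is inverted relative to C convention (0 = available), which is consistent with the other feature probes here but worth a one-line comment such as `/* exit 0 when MD5 is usable, 1 when compiled out or unavailable */`. main() continues outside the hunk.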
zone $zone 2> /dev/null`
++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
+
+ cat $infile $keyname1.key $keyname2.key >$zonefile
+
+diff --git a/bin/tests/system/filter-aaaa/ns4/sign.sh b/bin/tests/system/filter-aaaa/ns4/sign.sh
+index f7555810a0..4a7d89004a 100755
+--- a/bin/tests/system/filter-aaaa/ns4/sign.sh
++++ b/bin/tests/system/filter-aaaa/ns4/sign.sh
+@@ -21,8 +21,8 @@ infile=signed.db.in
+ zonefile=signed.db.signed
+ outfile=signed.db.signed
+
+-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
++keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
++keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
+
+ cat $infile $keyname1.key $keyname2.key >$zonefile
+
+diff --git a/bin/tests/system/notify/ns5/named.conf.in b/bin/tests/system/notify/ns5/named.conf.in
+index cfcfe8fa2f..0a1614d527 100644
+--- a/bin/tests/system/notify/ns5/named.conf.in
++++ b/bin/tests/system/notify/ns5/named.conf.in
+@@ -10,17 +10,17 @@
+ */
+
+ key "a" {
+- algorithm "hmac-md5";
++ algorithm "hmac-sha256";
+ secret "aaaaaaaaaaaaaaaaaaaa";
+ };
+
+ key "b" {
+- algorithm "hmac-md5";
++ algorithm "hmac-sha256";
+ secret "bbbbbbbbbbbbbbbbbbbb";
+ };
+
+ key "c" {
+- algorithm "hmac-md5";
++ algorithm "hmac-sha256";
+ secret "cccccccccccccccccccc";
+ };
+
+diff --git a/bin/tests/system/notify/tests.sh b/bin/tests/system/notify/tests.sh
+index ad20e3eaca..5a9ce4688a 100644
+--- a/bin/tests/system/notify/tests.sh
++++ b/bin/tests/system/notify/tests.sh
+@@ -186,16 +186,16 @@ ret=0
+ $NSUPDATE << EOF
+ server 10.53.0.5 ${PORT}
+ zone x21
+-key a aaaaaaaaaaaaaaaaaaaa
++key hmac-sha256:a aaaaaaaaaaaaaaaaaaaa
+ update add added.x21 0 in txt "test string"
+ send
+ EOF
+
+ for i in 1 2 3 4 5 6 7 8 9
+ do
+- $DIG $DIGOPTS added.x21. -y b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \
++ $DIG $DIGOPTS added.x21. -y hmac-sha256:b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \
+ txt > dig.out.b.ns5.test$n || ret=1
+- $DIG $DIGOPTS added.x21. -y c:cccccccccccccccccccc @10.53.0.5 \
++ $DIG $DIGOPTS added.x21. -y hmac-sha256:c:cccccccccccccccccccc @10.53.0.5 \
+ txt > dig.out.c.ns5.test$n || ret=1
+ grep "test string" dig.out.b.ns5.test$n > /dev/null &&
+ grep "test string" dig.out.c.ns5.test$n > /dev/null &&
+diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in
+index 1d999adc39..26b6b7c9ab 100644
+--- a/bin/tests/system/nsupdate/ns1/named.conf.in
++++ b/bin/tests/system/nsupdate/ns1/named.conf.in
+@@ -32,7 +32,7 @@ controls {
+ };
+
+ key altkey {
+- algorithm hmac-md5;
++ algorithm hmac-sha512;
+ secret "1234abcd8765";
+ };
+
+diff --git a/bin/tests/system/nsupdate/ns2/named.conf.in b/bin/tests/system/nsupdate/ns2/named.conf.in
+index b4ecf96668..1adb33eb0b 100644
+--- a/bin/tests/system/nsupdate/ns2/named.conf.in
++++ b/bin/tests/system/nsupdate/ns2/named.conf.in
+@@ -24,7 +24,7 @@ options {
+ };
+
+ key altkey {
+- algorithm hmac-md5;
++ algorithm hmac-sha512;
+ secret "1234abcd8765";
+ };
+
+diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh
+index 32674eb382..2331b30b00 100644
+--- a/bin/tests/system/nsupdate/setup.sh
++++ b/bin/tests/system/nsupdate/setup.sh
+@@ -59,7 +59,12 @@ EOF
+
+ $DDNSCONFGEN -q -r $RANDFILE -z example.nil > ns1/ddns.key
+
+-$DDNSCONFGEN -q -r $RANDFILE -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key
++if $FEATURETEST --md5; then
++ $DDNSCONFGEN -q -r $RANDFILE -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key
++else
++ echo -n > ns1/md5.key
++fi
++
+ $DDNSCONFGEN -q -r $RANDFILE -a hmac-sha1 -k sha1-key -z keytests.nil > ns1/sha1.key
+ $DDNSCONFGEN -q -r $RANDFILE -a hmac-sha224 -k sha224-key -z keytests.nil > ns1/sha224.key
+ $DDNSCONFGEN -q -r $RANDFILE -a hmac-sha256 -k sha256-key -z keytests.nil > ns1/sha256.key
+diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
+index 2a01d1e46d..e8659587c3 100755
+--- a/bin/tests/system/nsupdate/tests.sh
++++ b/bin/tests/system/nsupdate/tests.sh
+@@ -680,7 +680,14 @@ fi
+ n=`expr $n + 1`
+ ret=0
+ echo_i "check TSIG key algorithms ($n)"
+-for alg in md5 sha1 sha224 sha256 sha384 sha512; do
++if $FEATURETEST --md5
++then
++ ALGS="md5 sha1 sha224 sha256 sha384 sha512"
++else
++ ALGS="sha1 sha224 sha256 sha384 sha512"
++ echo_i "skipping disabled md5 algorithm"
++fi
++for alg in $ALGS; do
+ $NSUPDATE -k ns1/${alg}.key < /dev/null || ret=1
+ server 10.53.0.1 ${PORT}
+ update add ${alg}.keytests.nil. 600 A 10.10.10.3
+@@ -688,7 +695,7 @@ send
+ END
+ done
+ sleep 2
+-for alg in md5 sha1 sha224 sha256 sha384 sha512; do
++for alg in $ALGS; do
+ $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.3 > /dev/null 2>&1 || ret=1
+ done
+ if [ $ret -ne 0 ]; then
+diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh
+index 850c4d2744..09a3e0f9ad 100644
+--- a/bin/tests/system/rndc/setup.sh
++++ b/bin/tests/system/rndc/setup.sh
+@@ -37,7 +37,7 @@ make_key () {
+ sed 's/allow { 10.53.0.4/allow { any/' >> ns4/named.conf
+ }
+
+-make_key 1 ${EXTRAPORT1} hmac-md5
++$FEATURETEST --md5 && make_key 1 ${EXTRAPORT1} hmac-md5
+ make_key 2 ${EXTRAPORT2} hmac-sha1
+ make_key 3 ${EXTRAPORT3} hmac-sha224
+ make_key 4 ${EXTRAPORT4} hmac-sha256
+diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh
+index d364e6fea0..dbf3bc6780 100644
+--- a/bin/tests/system/rndc/tests.sh
++++ b/bin/tests/system/rndc/tests.sh
+@@ -356,15 +356,20 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=`expr $status + $ret`
+
+ n=`expr $n + 1`
+-echo_i "testing rndc with hmac-md5 ($n)"
+-ret=0
+-$RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1
+-for i in 2 3 4 5 6
+-do
+- $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status >
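Review bot: The `else` branch of the new `--md5` guard in nsupdate/setup.sh truncates the key file with `echo -n > ns1/md5.key`, which is not portable: on an sh whose echo does not honour `-n`, the file ends up containing the literal string `-n` instead of being empty. The portable spelling is `: > ns1/md5.key`. In practice nothing reads ns1/md5.key when MD5 is disabled (tests.sh drops md5 from ALGS), so the impact is a confusing artefact rather than a failure, but the system tests are written for plain sh and this is the only non-portable construct the hunk adds. The rest of setup.sh is outside the hunk.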
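Review bot: In rndc/setup.sh, `$FEATURETEST --md5 && make_key 1 ${EXTRAPORT1} hmac-md5` means ns4/key1.conf is never written when MD5 is compiled out, and the change does not record that anywhere. If later tests in rndc/tests.sh still pass key1.conf in their "every other key must be rejected" loops (those loops are outside this hunk, so this is an inference), they will now succeed because the file is missing rather than because the server rejected the key, which hides any regression in that path. An explicit `if $FEATURETEST --md5; then make_key 1 ...; fi` with a one-line comment such as `# key1 (hmac-md5) is only generated when MD5 is available; tests referencing it must be guarded the same way` would make the dependency visible and match the style used in nsupdate/setup.sh in this same commit.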
/dev/null 2>&1 && ret=1
+-done
+-if [ $ret != 0 ]; then echo_i "failed"; fi
+-status=`expr $status + $ret`
++if $FEATURETEST --md5
++then
++ echo_i "testing rndc with hmac-md5 ($n)"
++ ret=0
++ $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1
++ for i in 2 3 4 5 6
++ do
++ $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
++ done
++ if [ $ret != 0 ]; then echo_i "failed"; fi
++ status=`expr $status + $ret`
++else
++ echo_i "skipping rndc with hmac-md5 ($n)"
++fi
+
+ n=`expr $n + 1`
+ echo_i "testing rndc with hmac-sha1 ($n)"
+diff --git a/bin/tests/system/tsig/clean.sh b/bin/tests/system/tsig/clean.sh
+index 576ec70f76..cb7a852189 100644
+--- a/bin/tests/system/tsig/clean.sh
++++ b/bin/tests/system/tsig/clean.sh
+@@ -20,3 +20,4 @@ rm -f */named.run
+ rm -f ns*/named.lock
+ rm -f Kexample.net.+163+*
+ rm -f keygen.out?
++rm -f ns1/named.conf
+diff --git a/bin/tests/system/tsig/ns1/named.conf.in b/bin/tests/system/tsig/ns1/named.conf.in
+index fbf30c6dc4..f61657d7cf 100644
+--- a/bin/tests/system/tsig/ns1/named.conf.in
++++ b/bin/tests/system/tsig/ns1/named.conf.in
+@@ -21,10 +21,7 @@ options {
+ notify no;
+ };
+
+-key "md5" {
+- secret "97rnFx24Tfna4mHPfgnerA==";
+- algorithm hmac-md5;
+-};
++# md5 key appended by setup.sh at the end
+
+ key "sha1" {
+ secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
+@@ -51,10 +48,7 @@ key "sha512" {
+ algorithm hmac-sha512;
+ };
+
+-key "md5-trunc" {
+- secret "97rnFx24Tfna4mHPfgnerA==";
+- algorithm hmac-md5-80;
+-};
++# md5-trunc key appended by setup.sh at the end
+
+ key "sha1-trunc" {
+ secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
+diff --git a/bin/tests/system/tsig/ns1/rndc5.conf.in b/bin/tests/system/tsig/ns1/rndc5.conf.in
+new file mode 100644
+index 0000000000..4117830adb
+--- /dev/null
++++ b/bin/tests/system/tsig/ns1/rndc5.conf.in
+@@ -0,0 +1,11 @@
++
++key "md5" {
++ secret "97rnFx24Tfna4mHPfgnerA==";
++ algorithm hmac-md5;
++};
++
++key "md5-trunc" {
++ secret "97rnFx24Tfna4mHPfgnerA==";
++ algorithm hmac-md5-80;
++};
++
+diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh
+index 656e9bbcd8..628c5bbac1 100644
+--- a/bin/tests/system/tsig/setup.sh
++++ b/bin/tests/system/tsig/setup.sh
+@@ -17,3 +17,7 @@ $SHELL clean.sh
+ copy_setports ns1/named.conf.in ns1/named.conf
+
+ test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
++if $FEATURETEST --md5
++then
++ cat ns1/rndc5.conf.in >> ns1/named.conf
++fi
+diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh
+index f731fa604c..cade35bc1d 100644
+--- a/bin/tests/system/tsig/tests.sh
++++ b/bin/tests/system/tsig/tests.sh
+@@ -26,20 +26,25 @@ sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f
+
+ status=0
+
+-echo_i "fetching using hmac-md5 (old form)"
+-ret=0
+-$DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1
+-grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1
+-if [ $ret -eq 1 ] ; then
+- echo_i "failed"; status=1
+-fi
+-
+-echo_i "fetching using hmac-md5 (new form)"
+-ret=0
+-$DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1
+-grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1
+-if [ $ret -eq 1 ] ; then
+- echo_i "failed"; status=1
++if $FEATURETEST --md5
++then
++ echo_i "fetching using hmac-md5 (old form)"
++ ret=0
++ $DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1
++ grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1
++ if [ $ret -eq 1 ] ; then
++ echo_i "failed"; status=1
++ fi
++
++ echo_i "fetching using hmac-md5 (new form)"
++ ret=0
++ $DIG $DIGOPTS example.nil.
-y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1 ++ grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1 ++ if [ $ret -eq 1 ] ; then ++ echo_i "failed"; status=1 ++ fi ++else ++ echo_i "skipping using hmac-md5" + fi + + echo_i "fetching using hmac-sha1" +@@ -87,12 +92,17 @@ fi + # Truncated TSIG + # + # +-echo_i "fetching using hmac-md5 (trunc)" +-ret=0 +-$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1 +-grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1 +-if [ $ret -eq 1 ] ; then +- echo_i "failed"; status=1 ++if $FEATURETEST --md5 ++then ++ echo_i "fetching using hmac-md5 (trunc)" ++ ret=0 ++ $DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1 ++ grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1 ++ if [ $ret -eq 1 ] ; then ++ echo_i "failed"; status=1 ++ fi ++else ++ echo_i "skipping using hmac-md5 (trunc)" + fi + + echo_i "fetching using hmac-sha1 (trunc)" +@@ -141,12 +151,17 @@ fi + # Check for bad truncation. + # + # +-echo_i "fetching using hmac-md5-80 (BADTRUNC)" +-ret=0 +-$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1 +-grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1 +-if [ $ret -eq 1 ] ; then +- echo_i "failed"; status=1 ++if $FEATURETEST --md5 ++then ++ echo_i "fetching using hmac-md5-80 (BADTRUNC)" ++ ret=0 ++ $DIG $DIGOPTS example.nil. 
-y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1 ++ grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1 ++ if [ $ret -eq 1 ] ; then ++ echo_i "failed"; status=1 ++ fi ++else ++ echo_i "skipping using hmac-md5-80 (BADTRUNC)" + fi + + echo_i "fetching using hmac-sha1-80 (BADTRUNC)" +diff --git a/bin/tests/system/tsiggss/setup.sh b/bin/tests/system/tsiggss/setup.sh +index 5da33cfde0..fb108b02bd 100644 +--- a/bin/tests/system/tsiggss/setup.sh ++++ b/bin/tests/system/tsiggss/setup.sh +@@ -18,5 +18,5 @@ test -r $RANDFILE || $GENRANDOM 400 $RANDFILE + + copy_setports ns1/named.conf.in ns1/named.conf + +-key=`$KEYGEN -Cq -K ns1 -a DSA -b 512 -r $RANDFILE -n HOST -T KEY key.example.nil.` ++key=`$KEYGEN -Cq -K ns1 -a DSA -b 1024 -r $RANDFILE -n HOST -T KEY key.example.nil.` + cat ns1/example.nil.db.in ns1/${key}.key > ns1/example.nil.db +diff --git a/bin/tests/system/upforwd/ns1/named.conf.in b/bin/tests/system/upforwd/ns1/named.conf.in +index e0a30cda15..6a77b1ce52 100644 +--- a/bin/tests/system/upforwd/ns1/named.conf.in ++++ b/bin/tests/system/upforwd/ns1/named.conf.in +@@ -10,7 +10,7 @@ + */ + + key "update.example." { +- algorithm "hmac-md5"; ++ algorithm "hmac-sha256"; + secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K"; + }; + +diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh +index b0694bbd5c..9adae8228e 100644 +--- a/bin/tests/system/upforwd/tests.sh ++++ b/bin/tests/system/upforwd/tests.sh +@@ -68,7 +68,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi + + echo_i "updating zone (signed) ($n)" + ret=0 +-$NSUPDATE -y update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - < +Date: Tue, 25 Sep 2018 18:08:46 +0200 +Subject: [PATCH] Disable IDN from environment as documented + +Manual page of host contained instructions to disable IDN processing +when it was built with libidn2. 
When refactoring IDN support however, +support for disabling IDN in host and nslookup was lost. Use also +environment variable and document it for nslookup, host and dig. + +Support variable CHARSET=ASCII to disable IDN, supported in downstream +RH patch since RHEL 5. +--- + bin/dig/dig.docbook | 4 +++- + bin/dig/dighost.c | 9 +++++++-- + bin/dig/host.docbook | 2 +- + bin/dig/nslookup.docbook | 15 +++++++++++++++ + 4 files changed, 26 insertions(+), 4 deletions(-) + +diff --git a/bin/dig/dig.docbook b/bin/dig/dig.docbook +index fedd288..d5dba72 100644 +--- a/bin/dig/dig.docbook ++++ b/bin/dig/dig.docbook +@@ -1288,7 +1288,9 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr + reply from the server. + If you'd like to turn off the IDN support for some reason, use + parameters +noidnin and +- +noidnout. ++ +noidnout or define ++ the IDN_DISABLE environment variable. ++ + + + +diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c +index 7408193..d46379d 100644 +--- a/bin/dig/dighost.c ++++ b/bin/dig/dighost.c +@@ -822,12 +822,17 @@ make_empty_lookup(void) { + looknew->seenbadcookie = ISC_FALSE; + looknew->badcookie = ISC_TRUE; + #ifdef WITH_IDN_SUPPORT +- looknew->idnin = ISC_TRUE; ++ looknew->idnin = (getenv("IDN_DISABLE") == NULL); ++ if (looknew->idnin) { ++ const char *charset = getenv("CHARSET"); ++ if (charset && !strcmp(charset, "ASCII")) ++ looknew->idnin = ISC_FALSE; ++ } + #else + looknew->idnin = ISC_FALSE; + #endif + #ifdef WITH_IDN_OUT_SUPPORT +- looknew->idnout = ISC_TRUE; ++ looknew->idnout = looknew->idnin; + #else + looknew->idnout = ISC_FALSE; + #endif +diff --git a/bin/dig/host.docbook b/bin/dig/host.docbook +index 9c3aeaa..42cbbf9 100644 +--- a/bin/dig/host.docbook ++++ b/bin/dig/host.docbook +@@ -378,7 +378,7 @@ + host appropriately converts character encoding of + domain name before sending a request to DNS server or displaying a + reply from the server. 
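Review bot: The `CHARSET=ASCII` switch added in make_empty_lookup() is not mentioned in any of the three docbook hunks of this patch, which document only `IDN_DISABLE`; since the commit message presents `CHARSET=ASCII` as a supported interface, the dig, host and nslookup pages should say so, e.g. one sentence after the IDN_DISABLE text: "Setting the CHARSET environment variable to ASCII has the same effect." Two smaller points on the code: the test is `strcmp(charset, "ASCII")`, so `CHARSET=ascii` is ignored, which may or may not be intended; and `looknew->idnout = looknew->idnin` couples output to input, so in a build with `WITH_IDN_OUT_SUPPORT` but without `WITH_IDN_SUPPORT` (if that configuration exists) idnout is now always false. A comment above the `#ifdef WITH_IDN_SUPPORT` block, `/* IDN_DISABLE (any value) or CHARSET=ASCII turns IDN off; output follows input. */`, would record the contract.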
+- If you'd like to turn off the IDN support for some reason, defines ++ If you'd like to turn off the IDN support for some reason, define + the IDN_DISABLE environment variable. + The IDN support is disabled if the variable is set when + host runs. +diff --git a/bin/dig/nslookup.docbook b/bin/dig/nslookup.docbook +index 3aff4e9..86a09c6 100644 +--- a/bin/dig/nslookup.docbook ++++ b/bin/dig/nslookup.docbook +@@ -478,6 +478,21 @@ nslookup -query=hinfo -timeout=10 + + + ++ IDN SUPPORT ++ ++ ++ If nslookup has been built with IDN (internationalized ++ domain name) support, it can accept and display non-ASCII domain names. ++ nslookup appropriately converts character encoding of ++ domain name before sending a request to DNS server or displaying a ++ reply from the server. ++ If you'd like to turn off the IDN support for some reason, define ++ the IDN_DISABLE environment variable. ++ The IDN support is disabled if the variable is set when ++ nslookup runs. ++ ++ ++ + FILES + + /etc/resolv.conf +-- +2.14.4 + diff --git a/bind-9.11-kyua-pkcs11.patch b/bind-9.11-kyua-pkcs11.patch new file mode 100644 index 0000000000000000000000000000000000000000..ab2182844c1a08811e04ac896240865ca12c99d0 --- /dev/null +++ b/bind-9.11-kyua-pkcs11.patch 
@@ -0,0 +1,206 @@ +From d0433a314534e104f52acf2a0a96a68dd84305ae Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= +Date: Tue, 2 Jan 2018 18:13:07 +0100 +Subject: [PATCH] Fix pkcs11 variants atf tests + +Add dns-pkcs11 tests Makefile to configure + +Add pkcs11 Kyuafile, fix dh_test to pass in pkcs11 mode +--- + configure.in | 1 + + lib/Atffile | 2 ++ + lib/Kyuafile | 2 ++ + lib/dns-pkcs11/tests/Makefile.in | 10 +++++----- + lib/dns-pkcs11/tests/dh_test.c | 3 ++- + lib/isc-pkcs11/tests/Makefile.in | 6 +++--- + lib/isc-pkcs11/tests/hash_test.c | 32 +++++++++++++++++++++++++------- + 7 files changed, 40 insertions(+), 16 deletions(-) + +diff --git a/configure.in b/configure.in +index 67b3aab..4767eeb 100644 +--- a/configure.in ++++ b/configure.in +@@ -5579,6 +5579,7 @@ AC_CONFIG_FILES([ + lib/dns-pkcs11/include/Makefile + lib/dns-pkcs11/include/dns/Makefile + lib/dns-pkcs11/include/dst/Makefile ++ lib/dns-pkcs11/tests/Makefile + lib/irs/Makefile + lib/irs/include/Makefile + lib/irs/include/irs/Makefile +diff --git a/lib/Atffile b/lib/Atffile +index 93bbb01..4db3dce 100644 +--- a/lib/Atffile ++++ b/lib/Atffile +@@ -3,7 +3,9 @@ Content-Type: application/X-atf-atffile; version="1" + prop: test-suite = bind9 + + tp: dns ++tp: dns-pkcs11 + tp: irs + tp: isc ++tp: isc-pkcs11 + tp: isccfg + tp: lwres +diff --git a/lib/Kyuafile b/lib/Kyuafile +index ff9fc56..eaaf0dc 100644 +--- a/lib/Kyuafile ++++ b/lib/Kyuafile +@@ -2,7 +2,9 @@ syntax(2) + test_suite('bind9') + + include('dns/Kyuafile') ++include('dns-pkcs11/Kyuafile') + include('irs/Kyuafile') + include('isc/Kyuafile') ++include('isc-pkcs11/Kyuafile') + include('isccfg/Kyuafile') + include('lwres/Kyuafile') +diff --git a/lib/dns-pkcs11/tests/Makefile.in b/lib/dns-pkcs11/tests/Makefile.in +index 2a6571b..f25a784 100644 +--- a/lib/dns-pkcs11/tests/Makefile.in ++++ b/lib/dns-pkcs11/tests/Makefile.in +@@ -20,12 +20,12 @@ VERSION=@BIND9_VERSION@ + + CINCLUDES = -I. 
-Iinclude ${DNS_INCLUDES} ${ISC_INCLUDES} \ + @DST_OPENSSL_INC@ +-CDEFINES = @CRYPTO@ -DTESTS="\"${top_builddir}/lib/dns/tests/\"" ++CDEFINES = @CRYPTO@ -DTESTS="\"${top_builddir}/lib/dns-pkcs11/tests/\"" + +-ISCLIBS = ../../isc/libisc.@A@ +-ISCDEPLIBS = ../../isc/libisc.@A@ +-DNSLIBS = ../libdns.@A@ @DNS_CRYPTO_LIBS@ +-DNSDEPLIBS = ../libdns.@A@ ++ISCLIBS = ../../isc-pkcs11/libisc-pkcs11.@A@ ++ISCDEPLIBS = ../../isc-pkcs11/libisc-pkcs11.@A@ ++DNSLIBS = ../libdns-pkcs11.@A@ @DNS_CRYPTO_LIBS@ ++DNSDEPLIBS = ../libdns-pkcs11.@A@ + + LIBS = @LIBS@ @ATFLIBS@ + +diff --git a/lib/dns-pkcs11/tests/dh_test.c b/lib/dns-pkcs11/tests/dh_test.c +index 036d27a..eb6554f 100644 +--- a/lib/dns-pkcs11/tests/dh_test.c ++++ b/lib/dns-pkcs11/tests/dh_test.c +@@ -63,7 +63,8 @@ ATF_TC_BODY(isc_dh_computesecret, tc) { + ret = dst_key_computesecret(key, key, &buf); + ATF_REQUIRE_EQ(ret, DST_R_NOTPRIVATEKEY); + ret = key->func->computesecret(key, key, &buf); +- ATF_REQUIRE_EQ(ret, DST_R_COMPUTESECRETFAILURE); ++ /* PKCS11 variant gives different result, accept both */ ++ ATF_REQUIRE(ret == DST_R_COMPUTESECRETFAILURE || ret == DST_R_INVALIDPRIVATEKEY); + + dst_key_free(&key); + dns_test_end(); +diff --git a/lib/isc-pkcs11/tests/Makefile.in b/lib/isc-pkcs11/tests/Makefile.in +index f7fa538..818dae4 100644 +--- a/lib/isc-pkcs11/tests/Makefile.in ++++ b/lib/isc-pkcs11/tests/Makefile.in +@@ -17,10 +17,10 @@ VERSION=@BIND9_VERSION@ + @BIND9_MAKE_INCLUDES@ + + CINCLUDES = -I. 
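Review bot: `ATF_REQUIRE(ret == DST_R_COMPUTESECRETFAILURE || ret == DST_R_INVALIDPRIVATEKEY)` loosens the assertion for both crypto backends, so the OpenSSL build would now also pass if it started returning DST_R_INVALIDPRIVATEKEY and vice versa. The expected code is known per build, so it can be pinned with a preprocessor switch instead of accepting either; `PKCS11CRYPTO` is the macro used for this in the dst_internal.h hunk of bind-9.11-pk11.patch further down this page, assuming it is visible to the tests (the Makefile.in hunk above passes `@CRYPTO@` in CDEFINES). The comment should also say which backend returns which code.

```c
	ret = key->func->computesecret(key, key, &buf);
#if PKCS11CRYPTO
	/* PKCS#11 backend reports a different error code for this case */
	ATF_REQUIRE_EQ(ret, DST_R_INVALIDPRIVATEKEY);
#else
	ATF_REQUIRE_EQ(ret, DST_R_COMPUTESECRETFAILURE);
#endif
	/* … unchanged: dst_key_free(&key); dns_test_end(); … */
```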
-Iinclude ${ISC_INCLUDES} @ISC_OPENSSL_INC@ +-CDEFINES = @CRYPTO@ -DTESTS="\"${top_builddir}/lib/isc/tests/\"" ++CDEFINES = @CRYPTO@ -DTESTS="\"${top_builddir}/lib/isc-pkcs11/tests/\"" + +-ISCLIBS = ../libisc.@A@ @ISC_OPENSSL_LIBS@ +-ISCDEPLIBS = ../libisc.@A@ ++ISCLIBS = ../libisc-pkcs11.@A@ @ISC_OPENSSL_LIBS@ ++ISCDEPLIBS = ../libisc-pkcs11.@A@ + + LIBS = @LIBS@ @ATFLIBS@ + +diff --git a/lib/isc-pkcs11/tests/hash_test.c b/lib/isc-pkcs11/tests/hash_test.c +index 5b8a374..c1891c2 100644 +--- a/lib/isc-pkcs11/tests/hash_test.c ++++ b/lib/isc-pkcs11/tests/hash_test.c +@@ -74,7 +74,7 @@ typedef struct hash_testcase { + + typedef struct hash_test_key { + const char *key; +- const int len; ++ const unsigned len; + } hash_test_key_t; + + /* non-hmac tests */ +@@ -957,8 +957,11 @@ ATF_TC_BODY(isc_hmacsha1, tc) { + hash_test_key_t *test_key = test_keys; + + while (testcase->input != NULL && testcase->result != NULL) { ++ int len = ISC_MAX(test_key->len, ISC_SHA1_DIGESTLENGTH); ++ ++ memset(buffer, 0, ISC_SHA1_DIGESTLENGTH); + memmove(buffer, test_key->key, test_key->len); +- isc_hmacsha1_init(&hmacsha1, buffer, test_key->len); ++ isc_hmacsha1_init(&hmacsha1, buffer, len); + isc_hmacsha1_update(&hmacsha1, + (const isc_uint8_t *) testcase->input, + testcase->input_len); +@@ -1120,8 +1123,11 @@ ATF_TC_BODY(isc_hmacsha224, tc) { + hash_test_key_t *test_key = test_keys; + + while (testcase->input != NULL && testcase->result != NULL) { ++ int len = ISC_MAX(test_key->len, ISC_SHA224_DIGESTLENGTH); ++ ++ memset(buffer, 0, ISC_SHA224_DIGESTLENGTH); + memmove(buffer, test_key->key, test_key->len); +- isc_hmacsha224_init(&hmacsha224, buffer, test_key->len); ++ isc_hmacsha224_init(&hmacsha224, buffer, len); + isc_hmacsha224_update(&hmacsha224, + (const isc_uint8_t *) testcase->input, + testcase->input_len); +@@ -1283,8 +1289,11 @@ ATF_TC_BODY(isc_hmacsha256, tc) { + hash_test_key_t *test_key = test_keys; + + while (testcase->input != NULL && testcase->result != NULL) { ++ int len = 
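Review bot: The new `int len = ISC_MAX(test_key->len, ISC_SHA1_DIGESTLENGTH);` / `memset(buffer, 0, ISC_SHA1_DIGESTLENGTH);` / `isc_hmacsha1_init(&hmacsha1, buffer, len);` sequence changes the key length handed to the HMAC without saying why; presumably the PKCS#11 HMAC mechanism rejects keys shorter than the digest length, and the change keeps the test vectors valid because HMAC (RFC 2104) zero-pads a short key to the block size anyway, so a key zero-padded to digest length yields the same MAC. That reasoning belongs in a comment at the first occurrence, e.g. `/* PKCS#11 HMAC keys must be at least digest-length; zero-padding a short key gives the same HMAC (RFC 2104). */`, and the identical pattern is repeated in the sha224, sha256, sha384, sha512 and md5 hunks that follow. Two details: `len` is declared `int` while `hash_test_key_t::len` was just changed to `unsigned` in the first hunk, so the ISC_MAX result is converted back to signed; and `memset(buffer, 0, ...DIGESTLENGTH)` relies on `buffer` being at least digest-length bytes, which is declared outside the hunk and should be checked for the 64-byte sha512 case.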
ISC_MAX(test_key->len, ISC_SHA256_DIGESTLENGTH); ++ ++ memset(buffer, 0, ISC_SHA256_DIGESTLENGTH); + memmove(buffer, test_key->key, test_key->len); +- isc_hmacsha256_init(&hmacsha256, buffer, test_key->len); ++ isc_hmacsha256_init(&hmacsha256, buffer, len); + isc_hmacsha256_update(&hmacsha256, + (const isc_uint8_t *) testcase->input, + testcase->input_len); +@@ -1452,8 +1461,11 @@ ATF_TC_BODY(isc_hmacsha384, tc) { + hash_test_key_t *test_key = test_keys; + + while (testcase->input != NULL && testcase->result != NULL) { ++ int len = ISC_MAX(test_key->len, ISC_SHA384_DIGESTLENGTH); ++ ++ memset(buffer, 0, ISC_SHA384_DIGESTLENGTH); + memmove(buffer, test_key->key, test_key->len); +- isc_hmacsha384_init(&hmacsha384, buffer, test_key->len); ++ isc_hmacsha384_init(&hmacsha384, buffer, len); + isc_hmacsha384_update(&hmacsha384, + (const isc_uint8_t *) testcase->input, + testcase->input_len); +@@ -1621,8 +1633,11 @@ ATF_TC_BODY(isc_hmacsha512, tc) { + hash_test_key_t *test_key = test_keys; + + while (testcase->input != NULL && testcase->result != NULL) { ++ int len = ISC_MAX(test_key->len, ISC_SHA512_DIGESTLENGTH); ++ ++ memset(buffer, 0, ISC_SHA512_DIGESTLENGTH); + memmove(buffer, test_key->key, test_key->len); +- isc_hmacsha512_init(&hmacsha512, buffer, test_key->len); ++ isc_hmacsha512_init(&hmacsha512, buffer, len); + isc_hmacsha512_update(&hmacsha512, + (const isc_uint8_t *) testcase->input, + testcase->input_len); +@@ -1765,8 +1780,11 @@ ATF_TC_BODY(isc_hmacmd5, tc) { + hash_test_key_t *test_key = test_keys; + + while (testcase->input != NULL && testcase->result != NULL) { ++ int len = ISC_MAX(test_key->len, ISC_MD5_DIGESTLENGTH); ++ ++ memset(buffer, 0, ISC_MD5_DIGESTLENGTH); + memmove(buffer, test_key->key, test_key->len); +- isc_hmacmd5_init(&hmacmd5, buffer, test_key->len); ++ isc_hmacmd5_init(&hmacmd5, buffer, len); + isc_hmacmd5_update(&hmacmd5, + (const isc_uint8_t *) testcase->input, + testcase->input_len); +-- +2.14.3 + 
diff --git a/bind-9.11-oot-manual.patch b/bind-9.11-oot-manual.patch new file mode 100644 index 0000000000000000000000000000000000000000..b090b9f04b12c8e9dcf78da81974ac51d8b8fe6b --- /dev/null +++ b/bind-9.11-oot-manual.patch 
@@ -0,0 +1,256 @@ +From e462d022a9dc52c40aece6f8ba3123ff3ffa59ed Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= +Date: Wed, 25 Jul 2018 12:24:16 +0200 +Subject: [PATCH] Use make automatic variables to install updated manuals + +Make will choose modified manual from build directory or original from source +directory automagically. Take advantage of install tool feature. +Install all files in single command instead of iterating on each of them. +--- + bin/check/Makefile.in | 8 +++++--- + bin/confgen/Makefile.in | 9 +++++---- + bin/delv/Makefile.in | 6 ++++-- + bin/dig/Makefile.in | 8 ++++---- + bin/dnssec/Makefile.in | 6 ++++-- + bin/named/Makefile.in | 13 +++++++++---- + bin/pkcs11/Makefile.in | 9 ++++----- + bin/python/Makefile.in | 8 ++++---- + bin/tools/Makefile.in | 25 +++++++++++++++---------- + 9 files changed, 54 insertions(+), 38 deletions(-) + +diff --git a/bin/check/Makefile.in b/bin/check/Makefile.in +index 12f48d2d23..d8eac4c714 100644 +--- a/bin/check/Makefile.in ++++ b/bin/check/Makefile.in +@@ -83,12 +83,14 @@ installdirs: + $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir} + $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8 + +-install:: named-checkconf@EXEEXT@ named-checkzone@EXEEXT@ installdirs ++install-man8: ${MANPAGES} ++ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8 ++ (cd ${DESTDIR}${mandir}/man8; rm -f named-compilezone.8; ${LINK_PROGRAM} named-checkzone.8 named-compilezone.8) ++ ++install:: named-checkconf@EXEEXT@ named-checkzone@EXEEXT@ installdirs install-man8 + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkconf@EXEEXT@ ${DESTDIR}${sbindir} + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkzone@EXEEXT@ ${DESTDIR}${sbindir} + (cd ${DESTDIR}${sbindir}; rm -f named-compilezone@EXEEXT@; ${LINK_PROGRAM} named-checkzone@EXEEXT@ named-compilezone@EXEEXT@) +- for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8; done +- (cd ${DESTDIR}${mandir}/man8; rm -f 
named-compilezone.8; ${LINK_PROGRAM} named-checkzone.8 named-compilezone.8) + + uninstall:: + rm -f ${DESTDIR}${mandir}/man8/named-compilezone.8 +diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in +index 87f13dda4b..7865c0c73e 100644 +--- a/bin/confgen/Makefile.in ++++ b/bin/confgen/Makefile.in +@@ -95,13 +95,14 @@ installdirs: + $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir} + $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8 + +-install:: rndc-confgen@EXEEXT@ ddns-confgen@EXEEXT@ installdirs ++install-man8: rndc-confgen.8 ddns-confgen.8 ++ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8 ++ (cd ${DESTDIR}${mandir}/man8; rm -f tsig-keygen.8; ${LINK_PROGRAM} ddns-confgen.8 tsig-keygen.8) ++ ++install:: rndc-confgen@EXEEXT@ ddns-confgen@EXEEXT@ installdirs install-man8 + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} rndc-confgen@EXEEXT@ ${DESTDIR}${sbindir} + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} ddns-confgen@EXEEXT@ ${DESTDIR}${sbindir} +- ${INSTALL_DATA} ${srcdir}/rndc-confgen.8 ${DESTDIR}${mandir}/man8 +- ${INSTALL_DATA} ${srcdir}/ddns-confgen.8 ${DESTDIR}${mandir}/man8 + (cd ${DESTDIR}${sbindir}; rm -f tsig-keygen@EXEEXT@; ${LINK_PROGRAM} ddns-confgen@EXEEXT@ tsig-keygen@EXEEXT@) +- (cd ${DESTDIR}${mandir}/man8; rm -f tsig-keygen.8; ${LINK_PROGRAM} ddns-confgen.8 tsig-keygen.8) + + uninstall:: + rm -f ${DESTDIR}${mandir}/man8/tsig-keygen.8 +diff --git a/bin/delv/Makefile.in b/bin/delv/Makefile.in +index e2d2802262..19361a83ea 100644 +--- a/bin/delv/Makefile.in ++++ b/bin/delv/Makefile.in +@@ -63,10 +63,12 @@ installdirs: + $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir} + $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1 + +-install:: delv@EXEEXT@ installdirs ++install-man1: delv.1 ++ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man1 ++ ++install:: delv@EXEEXT@ installdirs install-man1 + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \ + delv@EXEEXT@ ${DESTDIR}${bindir} +- ${INSTALL_DATA} ${srcdir}/delv.1 
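Review bot: `${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8` depends on the `$^` automatic variable, which GNU make and bmake provide but traditional POSIX make does not define; the surrounding recipes use only `$@`-style variables and shell loops, which suggests these Makefiles were written for a plain make, so if the package is built with anything other than GNU make the loop form would have to stay (`$?` is not an equivalent). Also, `install-man8` is an ordinary target with no `.PHONY` declaration in this hunk, so a stray file of that name in the build directory would silently skip installing the manuals; a `.PHONY: install-man8` line avoids that. The same pattern is repeated in the confgen, delv, dig, dnssec, named, pkcs11, python and tools hunks.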
${DESTDIR}${mandir}/man1 + + uninstall:: + rm -f ${DESTDIR}${mandir}/man1/delv.1 +diff --git a/bin/dig/Makefile.in b/bin/dig/Makefile.in +index 773ac46395..3edd951e7e 100644 +--- a/bin/dig/Makefile.in ++++ b/bin/dig/Makefile.in +@@ -91,16 +91,16 @@ installdirs: + $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir} + $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1 + +-install:: dig@EXEEXT@ host@EXEEXT@ nslookup@EXEEXT@ installdirs ++install-man1: ${MANPAGES} ++ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man1 ++ ++install:: dig@EXEEXT@ host@EXEEXT@ nslookup@EXEEXT@ installdirs install-man1 + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \ + dig@EXEEXT@ ${DESTDIR}${bindir} + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \ + host@EXEEXT@ ${DESTDIR}${bindir} + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \ + nslookup@EXEEXT@ ${DESTDIR}${bindir} +- for m in ${MANPAGES}; do \ +- ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man1; \ +- done + + uninstall:: + for m in ${MANPAGES}; do \ +diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in +index 1be1d5ffc6..1d0c4ce5c1 100644 +--- a/bin/dnssec/Makefile.in ++++ b/bin/dnssec/Makefile.in +@@ -110,9 +110,11 @@ installdirs: + $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir} + $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8 + +-install:: ${TARGETS} installdirs ++install-man8: ${MANPAGES} ++ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8 ++ ++install:: ${TARGETS} installdirs install-man8 + for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir}; done +- for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8; done + + uninstall:: + for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m ; done +diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in +index 1c413973d0..03e4cb849b 100644 +--- a/bin/named/Makefile.in ++++ b/bin/named/Makefile.in +@@ -172,12 +172,17 @@ installdirs: + $(SHELL) ${top_srcdir}/mkinstalldirs 
${DESTDIR}${mandir}/man5 + $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8 + +-install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs ++install-man5: named.conf.5 ++ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man5 ++ ++install-man8: named.8 lwresd.8 ++ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8 ++ ++install-man: install-man5 install-man8 ++ ++install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs install-man + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir} + (cd ${DESTDIR}${sbindir}; rm -f lwresd@EXEEXT@; @LN@ named@EXEEXT@ lwresd@EXEEXT@) +- ${INSTALL_DATA} ${srcdir}/named.8 ${DESTDIR}${mandir}/man8 +- ${INSTALL_DATA} ${srcdir}/lwresd.8 ${DESTDIR}${mandir}/man8 +- ${INSTALL_DATA} ${srcdir}/named.conf.5 ${DESTDIR}${mandir}/man5 + + uninstall:: + rm -f ${DESTDIR}${mandir}/man5/named.conf.5 +diff --git a/bin/pkcs11/Makefile.in b/bin/pkcs11/Makefile.in +index ae9061626c..a058c91214 100644 +--- a/bin/pkcs11/Makefile.in ++++ b/bin/pkcs11/Makefile.in +@@ -71,7 +71,10 @@ installdirs: + $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir} + $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8 + +-install:: ${TARGETS} installdirs ++install-man8: ${MANPAGES} ++ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8 ++ ++install:: ${TARGETS} installdirs install-man8 + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} pkcs11-list@EXEEXT@ \ + ${DESTDIR}${sbindir} + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} pkcs11-destroy@EXEEXT@ \ +@@ -80,10 +83,6 @@ install:: ${TARGETS} installdirs + ${DESTDIR}${sbindir} + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} pkcs11-tokens@EXEEXT@ \ + ${DESTDIR}${sbindir} +- ${INSTALL_DATA} ${srcdir}/pkcs11-list.8 ${DESTDIR}${mandir}/man8 +- ${INSTALL_DATA} ${srcdir}/pkcs11-destroy.8 ${DESTDIR}${mandir}/man8 +- ${INSTALL_DATA} ${srcdir}/pkcs11-keygen.8 ${DESTDIR}${mandir}/man8 +- ${INSTALL_DATA} ${srcdir}/pkcs11-tokens.8 ${DESTDIR}${mandir}/man8 + + uninstall:: + rm -f ${DESTDIR}${mandir}/man8/pkcs11-tokens.8 +diff --git 
a/bin/python/Makefile.in b/bin/python/Makefile.in +index aa678d47ab..064c404e2f 100644 +--- a/bin/python/Makefile.in ++++ b/bin/python/Makefile.in +@@ -47,13 +47,13 @@ installdirs: + $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir} + $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8 + +-install:: ${TARGETS} installdirs ++install-man8: ${MANPAGES} ++ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8 ++ ++install:: ${TARGETS} installdirs install-man8 + ${INSTALL_SCRIPT} dnssec-checkds ${DESTDIR}${sbindir} + ${INSTALL_SCRIPT} dnssec-coverage ${DESTDIR}${sbindir} + ${INSTALL_SCRIPT} dnssec-keymgr ${DESTDIR}${sbindir} +- ${INSTALL_DATA} ${srcdir}/dnssec-checkds.8 ${DESTDIR}${mandir}/man8 +- ${INSTALL_DATA} ${srcdir}/dnssec-coverage.8 ${DESTDIR}${mandir}/man8 +- ${INSTALL_DATA} ${srcdir}/dnssec-keymgr.8 ${DESTDIR}${mandir}/man8 + if test -n "${PYTHON}" ; then \ + if test -n "${DESTDIR}" ; then \ + ${PYTHON} ${srcdir}/setup.py install --root=${DESTDIR} --prefix=${prefix} @PYTHON_INSTALL_LIB@ ; \ +diff --git a/bin/tools/Makefile.in b/bin/tools/Makefile.in +index 7bf2af4cea..c395bc7462 100644 +--- a/bin/tools/Makefile.in ++++ b/bin/tools/Makefile.in +@@ -119,17 +119,27 @@ installdirs: + $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1 + $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8 + +-nzd: ++nzd-man: named-nzd2nzf.8 ++ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8 ++ ++nzd: nzd-man + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-nzd2nzf@EXEEXT@ \ + ${DESTDIR}${sbindir} +- ${INSTALL_DATA} ${srcdir}/named-nzd2nzf.8 ${DESTDIR}${mandir}/man8 + +-dnstap: ++dnstap-man: dnstap-read.1 ++ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man1 ++ ++dnstap: dnstap-man + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} dnstap-read@EXEEXT@ \ + ${DESTDIR}${bindir} +- ${INSTALL_DATA} ${srcdir}/dnstap-read.1 ${DESTDIR}${mandir}/man1 + +-install:: ${TARGETS} installdirs @DNSTAP@ @NZD_TOOLS@ ++install-man1: arpaname.1 named-rrchecker.1 mdig.1 ++ ${INSTALL_DATA} 
$^ ${DESTDIR}${mandir}/man1 ++ ++install-man8: named-journalprint.8 nsec3hash.8 ++ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8 ++ ++install:: ${TARGETS} installdirs @DNSTAP@ @NZD_TOOLS@ install-man1 install-man8 + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} arpaname@EXEEXT@ \ + ${DESTDIR}${bindir} + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-journalprint@EXEEXT@ \ +@@ -144,13 +154,8 @@ install:: ${TARGETS} installdirs @DNSTAP@ @NZD_TOOLS@ + ${DESTDIR}${sbindir} + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} mdig@EXEEXT@ \ + ${DESTDIR}${bindir} +- ${INSTALL_DATA} ${srcdir}/arpaname.1 ${DESTDIR}${mandir}/man1 + ${INSTALL_DATA} ${srcdir}/isc-hmac-fixup.8 ${DESTDIR}${mandir}/man8 +- ${INSTALL_DATA} ${srcdir}/named-journalprint.8 ${DESTDIR}${mandir}/man8 +- ${INSTALL_DATA} ${srcdir}/named-rrchecker.1 ${DESTDIR}${mandir}/man1 +- ${INSTALL_DATA} ${srcdir}/nsec3hash.8 ${DESTDIR}${mandir}/man8 + ${INSTALL_DATA} ${srcdir}/genrandom.8 ${DESTDIR}${mandir}/man8 +- ${INSTALL_DATA} ${srcdir}/mdig.1 ${DESTDIR}${mandir}/man1 + + uninstall:: + rm -f ${DESTDIR}${mandir}/man1/mdig.1 +-- +2.14.4 + diff --git a/bind-9.11-pk11.patch b/bind-9.11-pk11.patch new file mode 100644 index 0000000000000000000000000000000000000000..d80231495888fd7f92cbc0bd316238572cc15132 --- /dev/null +++ b/bind-9.11-pk11.patch @@ -0,0 +1,27 @@ +diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h +index 640519a..fc40472 100644 +--- a/lib/dns/dst_internal.h ++++ b/lib/dns/dst_internal.h +@@ -59,6 +59,9 @@ + #include + #include + #endif ++#if PKCS11CRYPTO ++#include ++#endif + + ISC_LANG_BEGINDECLS + +diff --git a/lib/isc/include/pk11/internal.h b/lib/isc/include/pk11/internal.h +index aa8907a..603712a 100644 +--- a/lib/isc/include/pk11/internal.h ++++ b/lib/isc/include/pk11/internal.h +@@ -13,6 +13,8 @@ + #ifndef PK11_INTERNAL_H + #define PK11_INTERNAL_H 1 + ++#include ++ + /*! \file pk11/internal.h */ + + ISC_LANG_BEGINDECLS 
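Review bot: After this hunk `isc-hmac-fixup.8` and `genrandom.8` are still installed with the explicit `${INSTALL_DATA} ${srcdir}/...` form while every other manual in the file moved to the `$^`-based `install-man8` target, so for those two pages a regenerated copy in the build directory would still be ignored, which is the situation the commit message says it fixes. Unless they are deliberately excluded, add them to the prerequisite list, `install-man8: named-journalprint.8 nsec3hash.8 isc-hmac-fixup.8 genrandom.8`, and drop the two remaining `${INSTALL_DATA} ${srcdir}/...` lines.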
diff --git a/bind-9.11-rh1205168.patch b/bind-9.11-rh1205168.patch new file mode 100644 index 0000000000000000000000000000000000000000..181cec9f32d103b38303b8dc99c8825eb7181b43 --- /dev/null +++ b/bind-9.11-rh1205168.patch 
@@ -0,0 +1,120 @@ +From 90416594843a56550e40b11561807786219ce1c4 Mon Sep 17 00:00:00 2001 +From: Evan Hunt +Date: Mon, 11 Sep 2017 15:01:36 -0700 +Subject: [PATCH] remap getaddrinfo() to irs_getgetaddrinfo() + +The libirs version of getaddrinfo() cannot be called from within BIND9. + +fix prototypes +--- + lib/irs/include/irs/netdb.h.in | 94 ++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 94 insertions(+) + +diff --git a/lib/irs/include/irs/netdb.h.in b/lib/irs/include/irs/netdb.h.in +index 23dcd37..f36113d 100644 +--- a/lib/irs/include/irs/netdb.h.in ++++ b/lib/irs/include/irs/netdb.h.in +@@ -150,6 +150,100 @@ struct addrinfo { + #define NI_DGRAM 0x00000010 + + /* ++ * Define to map into irs_ namespace. ++ */ ++ ++#define IRS_NAMESPACE ++ ++#ifdef IRS_NAMESPACE ++ ++/* ++ * Use our versions not the ones from the C library. ++ */ ++ ++#ifdef getnameinfo ++#undef getnameinfo ++#endif ++#define getnameinfo irs_getnameinfo ++ ++#ifdef getaddrinfo ++#undef getaddrinfo ++#endif ++#define getaddrinfo irs_getaddrinfo ++ ++#ifdef freeaddrinfo ++#undef freeaddrinfo ++#endif ++#define freeaddrinfo irs_freeaddrinfo ++ ++#ifdef gai_strerror ++#undef gai_strerror ++#endif ++#define gai_strerror irs_gai_strerror ++ ++#endif ++ ++extern int getaddrinfo (const char *name, ++ const char *service, ++ const struct addrinfo *req, ++ struct addrinfo **pai); ++extern int getnameinfo (const struct sockaddr *sa, ++ socklen_t salen, char *host, ++ socklen_t hostlen, char *serv, ++ socklen_t servlen, int flags); ++extern void freeaddrinfo (struct addrinfo *ai); ++extern const char *gai_strerror (int ecode); ++ ++/* ++ * Define to map into irs_ namespace. ++ */ ++ ++#define IRS_NAMESPACE ++ ++#ifdef IRS_NAMESPACE ++ ++/* ++ * Use our versions not the ones from the C library. 
++ */ ++ ++#ifdef getnameinfo ++#undef getnameinfo ++#endif ++#define getnameinfo irs_getnameinfo ++ ++#ifdef getaddrinfo ++#undef getaddrinfo ++#endif ++#define getaddrinfo irs_getaddrinfo ++ ++#ifdef freeaddrinfo ++#undef freeaddrinfo ++#endif ++#define freeaddrinfo irs_freeaddrinfo ++ ++#ifdef gai_strerror ++#undef gai_strerror ++#endif ++#define gai_strerror irs_gai_strerror ++ ++int ++getaddrinfo(const char *hostname, const char *servname, ++ const struct addrinfo *hints, struct addrinfo **res); ++ ++int ++getnameinfo(const struct sockaddr *sa, IRS_GETNAMEINFO_SOCKLEN_T salen, ++ char *host, IRS_GETNAMEINFO_BUFLEN_T hostlen, ++ char *serv, IRS_GETNAMEINFO_BUFLEN_T servlen, ++ IRS_GETNAMEINFO_FLAGS_T flags); ++ ++void freeaddrinfo (struct addrinfo *ai); ++ ++IRS_GAISTRERROR_RETURN_T ++gai_strerror(int ecode); ++ ++#endif ++ ++/* + * Tell Emacs to use C mode on this file. + * Local variables: + * mode: c +-- +2.9.5 + diff --git a/bind-9.11-rh1410433.patch b/bind-9.11-rh1410433.patch new file mode 100644 index 0000000000000000000000000000000000000000..b7fdc48073963120252da76cf31e8bdd878cdb55 --- /dev/null +++ b/bind-9.11-rh1410433.patch @@ -0,0 +1,14 @@ +diff --git a/lib/dns/dyndb.c b/lib/dns/dyndb.c +index 0ce5e42..556d920 100644 +--- a/lib/dns/dyndb.c ++++ b/lib/dns/dyndb.c +@@ -130,9 +130,6 @@ load_library(isc_mem_t *mctx, const char *filename, const char *instname, + instname, filename); + + flags = RTLD_NOW|RTLD_LOCAL; +-#ifdef RTLD_DEEPBIND +- flags |= RTLD_DEEPBIND; +-#endif + + handle = dlopen(filename, flags); + if (handle == NULL) diff --git a/bind-9.11-rh1624100.patch b/bind-9.11-rh1624100.patch new file mode 100644 index 0000000000000000000000000000000000000000..954661cf6162f9585ade48270a9ebcd48a95d64c --- /dev/null +++ b/bind-9.11-rh1624100.patch 
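Review bot: The hunk adds the `IRS_NAMESPACE` mapping block twice: the `#define IRS_NAMESPACE` / `#ifdef IRS_NAMESPACE` / `#define getaddrinfo irs_getaddrinfo` sequence appears once before the first `extern int getaddrinfo (...)` prototypes and then again, verbatim, before the second set. Because the mapping is already active when the first prototypes are parsed, both sets declare `irs_getnameinfo`, once with `socklen_t salen, ... int flags` and once with `IRS_GETNAMEINFO_SOCKLEN_T salen, ... IRS_GETNAMEINFO_FLAGS_T flags`; that compiles only while the configure-generated types expand to `socklen_t` and `int`, and gives a conflicting-declaration error on any platform where they do not. Keep one mapping block and one set of prototypes (the `IRS_*_T` ones, which follow the generated header's conventions) and delete the other.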
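Review bot: Dropping `RTLD_DEEPBIND` from the dlopen flags in load_library() changes symbol resolution for every dyndb module (the module's own symbols no longer shadow already-loaded ones) and leaves no trace of why; the only hint is the patch file name, bind-9.11-rh1410433.patch. A one-line comment at the `flags = RTLD_NOW|RTLD_LOCAL;` assignment, `/* RTLD_DEEPBIND deliberately not used, see rh1410433 */` with the actual reason filled in, would stop a later merge from re-adding the `#ifdef RTLD_DEEPBIND` block. load_library() starts and ends outside the hunk.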
@@ -0,0 +1,288 @@ +From 25ff8ab2b0772262d358272a3ed70a24fc6e4887 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= +Date: Wed, 25 Apr 2018 14:04:31 +0200 +Subject: [PATCH] Replace isc_safe routines with their OpenSSL counter parts + +(cherry picked from commit 66ba2fdad583d962a1f4971c85d58381f0849e4d) + +Remove isc_safe_memcompare, it's not needed anywhere and can't be replaced with CRYPTO_memcmp() + +(cherry picked from commit b105ccee68ccc3c18e6ea530063b3c8e5a42571c) + +Fix the isc_safe_memwipe() usage with (NULL, >0) + +(cherry picked from commit 083461d3329ff6f2410745848a926090586a9846) +--- + bin/dnssec/dnssec-signzone.c | 2 +- + lib/dns/nsec3.c | 4 +-- + lib/dns/spnego.c | 4 +-- + lib/isc/Makefile.in | 8 ++--- + lib/isc/include/isc/safe.h | 18 ++++------ + lib/isc/safe.c | 81 -------------------------------------------- + lib/isc/tests/safe_test.c | 20 ----------- + 7 files changed, 13 insertions(+), 124 deletions(-) + delete mode 100644 lib/isc/safe.c + +diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c +index 53be1f5c60..351296a356 100644 +--- a/bin/dnssec/dnssec-signzone.c ++++ b/bin/dnssec/dnssec-signzone.c +@@ -786,7 +786,7 @@ hashlist_add_dns_name(hashlist_t *l, /*const*/ dns_name_t *name, + + static int + hashlist_comp(const void *a, const void *b) { +- return (isc_safe_memcompare(a, b, hash_length + 1)); ++ return (memcmp(a, b, hash_length + 1)); + } + + static void +diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c +index d364308aaf..37b6a8a7fe 100644 +--- a/lib/dns/nsec3.c ++++ b/lib/dns/nsec3.c +@@ -1950,7 +1950,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name, + * Work out what this NSEC3 covers. + * Inside (<0) or outside (>=0). + */ +- scope = isc_safe_memcompare(owner, nsec3.next, nsec3.next_length); ++ scope = memcmp(owner, nsec3.next, nsec3.next_length); + + /* + * Prepare to compute all the hashes. 
+@@ -1974,7 +1974,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name, + return (ISC_R_IGNORE); + } + +- order = isc_safe_memcompare(hash, owner, length); ++ order = memcmp(hash, owner, length); + if (first && order == 0) { + /* + * The hashes are the same. +diff --git a/lib/dns/spnego.c b/lib/dns/spnego.c +index ce3e42d650..079d4c1b4a 100644 +--- a/lib/dns/spnego.c ++++ b/lib/dns/spnego.c +@@ -369,7 +369,7 @@ gssapi_spnego_decapsulate(OM_uint32 *, + + /* mod_auth_kerb.c */ + +-static int ++static isc_boolean_t + cmp_gss_type(gss_buffer_t token, gss_OID gssoid) + { + unsigned char *p; +@@ -393,7 +393,7 @@ cmp_gss_type(gss_buffer_t token, gss_OID gssoid) + if (((OM_uint32) *p++) != gssoid->length) + return (GSS_S_DEFECTIVE_TOKEN); + +- return (isc_safe_memcompare(p, gssoid->elements, gssoid->length)); ++ return (!isc_safe_memequal(p, gssoid->elements, gssoid->length)); + } + + /* accept_sec_context.c */ +diff --git a/lib/isc/Makefile.in b/lib/isc/Makefile.in +index ba53ef1091..98acffffc9 100644 +--- a/lib/isc/Makefile.in ++++ b/lib/isc/Makefile.in +@@ -60,7 +60,7 @@ OBJS = @ISC_EXTRA_OBJS@ @ISC_PK11_O@ @ISC_PK11_RESULT_O@ \ + parseint.@O@ portset.@O@ quota.@O@ radix.@O@ random.@O@ \ + ratelimiter.@O@ refcount.@O@ region.@O@ regex.@O@ result.@O@ \ + rwlock.@O@ \ +- safe.@O@ serial.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \ ++ serial.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \ + string.@O@ strtoul.@O@ symtab.@O@ task.@O@ taskpool.@O@ \ + tm.@O@ timer.@O@ version.@O@ \ + ${UNIXOBJS} ${NLSOBJS} ${THREADOBJS} +@@ -79,7 +79,7 @@ SRCS = @ISC_EXTRA_SRCS@ @ISC_PK11_C@ @ISC_PK11_RESULT_C@ \ + netaddr.c netscope.c pool.c ondestroy.c \ + parseint.c portset.c quota.c radix.c random.c ${CHACHASRCS} \ + ratelimiter.c refcount.c region.c regex.c result.c rwlock.c \ +- safe.c serial.c sha1.c sha2.c sockaddr.c stats.c string.c \ ++ serial.c sha1.c sha2.c sockaddr.c stats.c string.c \ + strtoul.c symtab.c task.c taskpool.c timer.c \ + tm.c version.c + +@@ -95,10 
+95,6 @@ TESTDIRS = @UNITTESTS@ + + @BIND9_MAKE_RULES@ + +-safe.@O@: safe.c +- ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} @CCNOOPT@ \ +- -c ${srcdir}/safe.c +- + version.@O@: version.c + ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \ + -DVERSION=\"${VERSION}\" \ +diff --git a/lib/isc/include/isc/safe.h b/lib/isc/include/isc/safe.h +index f29f00bac6..b8a0b2290c 100644 +--- a/lib/isc/include/isc/safe.h ++++ b/lib/isc/include/isc/safe.h +@@ -15,27 +15,21 @@ + + /*! \file isc/safe.h */ + +-#include +-#include ++#include ++#include ++ ++#include + + ISC_LANG_BEGINDECLS + +-isc_boolean_t +-isc_safe_memequal(const void *s1, const void *s2, size_t n); ++#define isc_safe_memequal(s1, s2, n) ISC_TF(!CRYPTO_memcmp(s1, s2, n)) + /*%< + * Returns ISC_TRUE iff. two blocks of memory are equal, otherwise + * ISC_FALSE. + * + */ + +-int +-isc_safe_memcompare(const void *b1, const void *b2, size_t len); +-/*%< +- * Clone of libc memcmp() which is safe to differential timing attacks. +- */ +- +-void +-isc_safe_memwipe(void *ptr, size_t len); ++#define isc_safe_memwipe(ptr, len) OPENSSL_cleanse(ptr, len) + /*%< + * Clear the memory of length `len` pointed to by `ptr`. + * +diff --git a/lib/isc/safe.c b/lib/isc/safe.c +deleted file mode 100644 +index 5c9e1e2d13..0000000000 +--- a/lib/isc/safe.c ++++ /dev/null +@@ -1,81 +0,0 @@ +-/* +- * Copyright (C) Internet Systems Consortium, Inc. ("ISC") +- * +- * This Source Code Form is subject to the terms of the Mozilla Public +- * License, v. 2.0. If a copy of the MPL was not distributed with this +- * file, You can obtain one at http://mozilla.org/MPL/2.0/. +- * +- * See the COPYRIGHT file distributed with this work for additional +- * information regarding copyright ownership. +- */ +- +-/*! 
\file */ +- +-#include +- +-#include +-#include +-#include +- +-#ifdef WIN32 +-#include +-#endif +- +-#ifdef _MSC_VER +-#pragma optimize("", off) +-#endif +- +-isc_boolean_t +-isc_safe_memequal(const void *s1, const void *s2, size_t n) { +- isc_uint8_t acc = 0; +- +- if (n != 0U) { +- const isc_uint8_t *p1 = s1, *p2 = s2; +- +- do { +- acc |= *p1++ ^ *p2++; +- } while (--n != 0U); +- } +- return (ISC_TF(acc == 0)); +-} +- +- +-int +-isc_safe_memcompare(const void *b1, const void *b2, size_t len) { +- const unsigned char *p1 = b1, *p2 = b2; +- size_t i; +- int res = 0, done = 0; +- +- for (i = 0; i < len; i++) { +- /* lt is -1 if p1[i] < p2[i]; else 0. */ +- int lt = (p1[i] - p2[i]) >> CHAR_BIT; +- +- /* gt is -1 if p1[i] > p2[i]; else 0. */ +- int gt = (p2[i] - p1[i]) >> CHAR_BIT; +- +- /* cmp is 1 if p1[i] > p2[i]; -1 if p1[i] < p2[i]; else 0. */ +- int cmp = lt - gt; +- +- /* set res = cmp if !done. */ +- res |= cmp & ~done; +- +- /* set done if p1[i] != p2[i]. */ +- done |= lt | gt; +- } +- +- return (res); +-} +- +-void +-isc_safe_memwipe(void *ptr, size_t len) { +- if (ISC_UNLIKELY(ptr == NULL || len == 0)) +- return; +- +-#ifdef WIN32 +- SecureZeroMemory(ptr, len); +-#elif HAVE_EXPLICIT_BZERO +- explicit_bzero(ptr, len); +-#else +- memset(ptr, 0, len); +-#endif +-} +diff --git a/lib/isc/tests/safe_test.c b/lib/isc/tests/safe_test.c +index f721cd1096..ea3e61f98d 100644 +--- a/lib/isc/tests/safe_test.c ++++ b/lib/isc/tests/safe_test.c +@@ -39,24 +39,6 @@ ATF_TC_BODY(isc_safe_memequal, tc) { + "\x00\x00\x00\x00", 4)); + } + +-ATF_TC(isc_safe_memcompare); +-ATF_TC_HEAD(isc_safe_memcompare, tc) { +- atf_tc_set_md_var(tc, "descr", "safe memcompare()"); +-} +-ATF_TC_BODY(isc_safe_memcompare, tc) { +- UNUSED(tc); +- +- ATF_CHECK(isc_safe_memcompare("test", "test", 4) == 0); +- ATF_CHECK(isc_safe_memcompare("test", "tesc", 4) > 0); +- ATF_CHECK(isc_safe_memcompare("test", "tesy", 4) < 0); +- ATF_CHECK(isc_safe_memcompare("\x00\x00\x00\x00", +- "\x00\x00\x00\x00", 4) 
== 0); +- ATF_CHECK(isc_safe_memcompare("\x00\x00\x00\x00", +- "\x00\x00\x00\x01", 4) < 0); +- ATF_CHECK(isc_safe_memcompare("\x00\x00\x00\x02", +- "\x00\x00\x00\x00", 4) > 0); +-} +- + ATF_TC(isc_safe_memwipe); + ATF_TC_HEAD(isc_safe_memwipe, tc) { + atf_tc_set_md_var(tc, "descr", "isc_safe_memwipe()"); +@@ -67,7 +49,6 @@ ATF_TC_BODY(isc_safe_memwipe, tc) { + /* These should pass. */ + isc_safe_memwipe(NULL, 0); + isc_safe_memwipe((void *) -1, 0); +- isc_safe_memwipe(NULL, 42); + + /* + * isc_safe_memwipe(ptr, size) should function same as +@@ -106,7 +87,6 @@ ATF_TC_BODY(isc_safe_memwipe, tc) { + */ + ATF_TP_ADD_TCS(tp) { + ATF_TP_ADD_TC(tp, isc_safe_memequal); +- ATF_TP_ADD_TC(tp, isc_safe_memcompare); + ATF_TP_ADD_TC(tp, isc_safe_memwipe); + return (atf_no_error()); + } +-- +2.14.4 + diff --git a/bind-9.11-rt31459.patch b/bind-9.11-rt31459.patch new file mode 100644 index 0000000000000000000000000000000000000000..6208ef27224b75c534e529faddc045c37964957c --- /dev/null +++ b/bind-9.11-rt31459.patch 
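Review bot: The new `#define isc_safe_memwipe(ptr, len) OPENSSL_cleanse(ptr, len)` in lib/isc/include/isc/safe.h drops the `ptr == NULL || len == 0` early return the deleted lib/isc/safe.c implementation had; the commit acknowledges this by deleting the `isc_safe_memwipe(NULL, 42)` test, but the header comment still only says "Clear the memory of length len pointed to by ptr" and should now state that ptr must be non-NULL whenever len is non-zero, since a NULL with a positive length is no longer tolerated. Both macros also pass their arguments unparenthesised; prefer `#define isc_safe_memequal(s1, s2, n) ISC_TF(!CRYPTO_memcmp((s1), (s2), (n)))` and `#define isc_safe_memwipe(ptr, len) OPENSSL_cleanse((ptr), (len))`. In lib/dns/spnego.c, cmp_gss_type is re-typed as `isc_boolean_t` while its two early exits outside the visible lines still `return (GSS_S_DEFECTIVE_TOKEN)` (the hunk context shows one), which stuffs an OM_uint32 status into a boolean and only works if callers, which are outside the hunk, merely test for non-zero — return ISC_TRUE there or keep the int type. The memcmp replacements in nsec3.c and dnssec-signzone.c compare NSEC3 hashes that are public zone data, so losing constant-time comparison there is fine, but safe.h now depends on CRYPTO_memcmp/OPENSSL_cleanse unconditionally, which looks incompatible with a PKCS#11-only (non-OpenSSL) build unless those symbols are available there — worth confirming.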
@@ -0,0 +1,2199 @@ +From ae9c9ef5a5ba06cf57b5a87b5f2bbc71649ba41b Mon Sep 17 00:00:00 2001 +From: Evan Hunt +Date: Tue, 12 Sep 2017 19:05:46 -0700 +Subject: [PATCH] rebased rt31459c + +[rt31459d] update the newer tools + +[rt31459d] setup entropy in dns_lib_init() + +[rt31459d] silence compiler warning + +DNS_OPENSSL_LIBS -> DST_OPENSSL_LIBS + +Include new unit test +--- + bin/confgen/keygen.c | 7 + + bin/dnssec/dnssec-dsfromkey.c | 8 +- + bin/dnssec/dnssec-importkey.c | 8 +- + bin/dnssec/dnssec-revoke.c | 8 +- + bin/dnssec/dnssec-settime.c | 8 +- + bin/dnssec/dnssec-signzone.c | 11 +- + bin/dnssec/dnssec-verify.c | 8 +- + bin/dnssec/dnssectool.c | 11 +- + bin/named/server.c | 6 + + bin/nsupdate/nsupdate.c | 18 ++- + bin/tests/makejournal.c | 6 +- + bin/tests/system/pipelined/pipequeries.c | 20 ++- + bin/tests/system/pipelined/tests.sh | 4 +- + bin/tests/system/rsabigexponent/bigkey.c | 4 + + bin/tests/system/tkey/keycreate.c | 26 +++- + bin/tests/system/tkey/keydelete.c | 26 +++- + bin/tests/system/tkey/tests.sh | 8 +- + bin/tools/mdig.c | 3 +- + configure | 250 ++++++++++++++++++------------- + configure.in | 77 +++++++++- + lib/dns/dst_api.c | 21 ++- + lib/dns/include/dst/dst.h | 8 + + lib/dns/lib.c | 17 ++- + lib/dns/openssl_link.c | 72 ++++++++- + lib/dns/pkcs11.c | 29 +++- + lib/dns/tests/Atffile | 1 + + lib/dns/tests/Kyuafile | 1 + + lib/dns/tests/Makefile.in | 7 + + lib/dns/tests/dnstest.c | 14 +- + lib/dns/tests/dstrandom_test.c | 105 +++++++++++++ + lib/dns/win32/libdns.def.in | 7 + + lib/isc/entropy.c | 24 +++ + lib/isc/include/isc/entropy.h | 12 ++ + lib/isc/include/isc/platform.h.in | 5 + + lib/isc/include/isc/types.h | 2 + + lib/isc/pk11.c | 12 +- + lib/isc/win32/include/isc/platform.h.in | 5 + + win32utils/Configure | 29 +++- + 38 files changed, 704 insertions(+), 184 deletions(-) + create mode 100644 lib/dns/tests/dstrandom_test.c + +diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c +index 11cc54d..fa439cc 100644 +--- a/bin/confgen/keygen.c 
++++ b/bin/confgen/keygen.c +@@ -165,6 +165,13 @@ generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg, + randomfile = NULL; + open_keyboard = ISC_ENTROPY_KEYBOARDYES; + } ++#ifdef ISC_PLATFORM_CRYPTORANDOM ++ if (randomfile != NULL && ++ strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { ++ randomfile = NULL; ++ isc_entropy_usehook(ectx, ISC_TRUE); ++ } ++#endif + DO("start entropy source", isc_entropy_usebestsource(ectx, + &entropy_source, + randomfile, +diff --git a/bin/dnssec/dnssec-dsfromkey.c b/bin/dnssec/dnssec-dsfromkey.c +index 94a982c..897c497 100644 +--- a/bin/dnssec/dnssec-dsfromkey.c ++++ b/bin/dnssec/dnssec-dsfromkey.c +@@ -495,14 +495,14 @@ main(int argc, char **argv) { + + if (ectx == NULL) + setup_entropy(mctx, NULL, &ectx); +- result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE); +- if (result != ISC_R_SUCCESS) +- fatal("could not initialize hash"); + result = dst_lib_init(mctx, ectx, + ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY); + if (result != ISC_R_SUCCESS) + fatal("could not initialize dst: %s", + isc_result_totext(result)); ++ result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE); ++ if (result != ISC_R_SUCCESS) ++ fatal("could not initialize hash"); + isc_entropy_stopcallbacksources(ectx); + + setup_logging(mctx, &log); +@@ -564,8 +564,8 @@ main(int argc, char **argv) { + if (dns_rdataset_isassociated(&rdataset)) + dns_rdataset_disassociate(&rdataset); + cleanup_logging(&log); +- dst_lib_destroy(); + isc_hash_destroy(); ++ dst_lib_destroy(); + cleanup_entropy(&ectx); + dns_name_destroy(); + if (verbose > 10) +diff --git a/bin/dnssec/dnssec-importkey.c b/bin/dnssec/dnssec-importkey.c +index 2edf614..840316c 100644 +--- a/bin/dnssec/dnssec-importkey.c ++++ b/bin/dnssec/dnssec-importkey.c +@@ -406,14 +406,14 @@ main(int argc, char **argv) { + + if (ectx == NULL) + setup_entropy(mctx, NULL, &ectx); +- result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE); +- if (result != ISC_R_SUCCESS) +- fatal("could not initialize 
hash"); + result = dst_lib_init(mctx, ectx, + ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY); + if (result != ISC_R_SUCCESS) + fatal("could not initialize dst: %s", + isc_result_totext(result)); ++ result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE); ++ if (result != ISC_R_SUCCESS) ++ fatal("could not initialize hash"); + isc_entropy_stopcallbacksources(ectx); + + setup_logging(mctx, &log); +@@ -457,8 +457,8 @@ main(int argc, char **argv) { + if (dns_rdataset_isassociated(&rdataset)) + dns_rdataset_disassociate(&rdataset); + cleanup_logging(&log); +- dst_lib_destroy(); + isc_hash_destroy(); ++ dst_lib_destroy(); + cleanup_entropy(&ectx); + dns_name_destroy(); + if (verbose > 10) +diff --git a/bin/dnssec/dnssec-revoke.c b/bin/dnssec/dnssec-revoke.c +index 10fad0b..0b68e99 100644 +--- a/bin/dnssec/dnssec-revoke.c ++++ b/bin/dnssec/dnssec-revoke.c +@@ -182,14 +182,14 @@ main(int argc, char **argv) { + + if (ectx == NULL) + setup_entropy(mctx, NULL, &ectx); +- result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE); +- if (result != ISC_R_SUCCESS) +- fatal("Could not initialize hash"); + result = dst_lib_init2(mctx, ectx, engine, + ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY); + if (result != ISC_R_SUCCESS) + fatal("Could not initialize dst: %s", + isc_result_totext(result)); ++ result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE); ++ if (result != ISC_R_SUCCESS) ++ fatal("Could not initialize hash"); + isc_entropy_stopcallbacksources(ectx); + + result = dst_key_fromnamedfile(filename, dir, +@@ -271,8 +271,8 @@ main(int argc, char **argv) { + + cleanup: + dst_key_free(&key); +- dst_lib_destroy(); + isc_hash_destroy(); ++ dst_lib_destroy(); + cleanup_entropy(&ectx); + if (verbose > 10) + isc_mem_stats(mctx, stdout); +diff --git a/bin/dnssec/dnssec-settime.c b/bin/dnssec/dnssec-settime.c +index 360cdb9..b7bf171 100644 +--- a/bin/dnssec/dnssec-settime.c ++++ b/bin/dnssec/dnssec-settime.c +@@ -380,14 +380,14 @@ main(int argc, char **argv) { + + if (ectx == NULL) + 
setup_entropy(mctx, NULL, &ectx); +- result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE); +- if (result != ISC_R_SUCCESS) +- fatal("Could not initialize hash"); + result = dst_lib_init2(mctx, ectx, engine, + ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY); + if (result != ISC_R_SUCCESS) + fatal("Could not initialize dst: %s", + isc_result_totext(result)); ++ result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE); ++ if (result != ISC_R_SUCCESS) ++ fatal("Could not initialize hash"); + isc_entropy_stopcallbacksources(ectx); + + if (predecessor != NULL) { +@@ -672,8 +672,8 @@ main(int argc, char **argv) { + if (prevkey != NULL) + dst_key_free(&prevkey); + dst_key_free(&key); +- dst_lib_destroy(); + isc_hash_destroy(); ++ dst_lib_destroy(); + cleanup_entropy(&ectx); + if (verbose > 10) + isc_mem_stats(mctx, stdout); +diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c +index 1bea357..53be1f5 100644 +--- a/bin/dnssec/dnssec-signzone.c ++++ b/bin/dnssec/dnssec-signzone.c +@@ -3459,14 +3459,15 @@ main(int argc, char *argv[]) { + if (!pseudorandom) + eflags |= ISC_ENTROPY_GOODONLY; + +- result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE); +- if (result != ISC_R_SUCCESS) +- fatal("could not create hash context"); +- + result = dst_lib_init2(mctx, ectx, engine, eflags); + if (result != ISC_R_SUCCESS) + fatal("could not initialize dst: %s", + isc_result_totext(result)); ++ ++ result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE); ++ if (result != ISC_R_SUCCESS) ++ fatal("could not create hash context"); ++ + isc_stdtime_get(&now); + + if (startstr != NULL) { +@@ -3878,8 +3879,8 @@ main(int argc, char *argv[]) { + dns_master_styledestroy(&dsstyle, mctx); + + cleanup_logging(&log); +- dst_lib_destroy(); + isc_hash_destroy(); ++ dst_lib_destroy(); + cleanup_entropy(&ectx); + dns_name_destroy(); + if (verbose > 10) +diff --git a/bin/dnssec/dnssec-verify.c b/bin/dnssec/dnssec-verify.c +index 792510a..dc32765 100644 +--- a/bin/dnssec/dnssec-verify.c ++++ 
b/bin/dnssec/dnssec-verify.c +@@ -280,15 +280,15 @@ main(int argc, char *argv[]) { + if (ectx == NULL) + setup_entropy(mctx, NULL, &ectx); + +- result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE); +- if (result != ISC_R_SUCCESS) +- fatal("could not create hash context"); +- + result = dst_lib_init2(mctx, ectx, engine, ISC_ENTROPY_BLOCKING); + if (result != ISC_R_SUCCESS) + fatal("could not initialize dst: %s", + isc_result_totext(result)); + ++ result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE); ++ if (result != ISC_R_SUCCESS) ++ fatal("could not create hash context"); ++ + isc_stdtime_get(&now); + + rdclass = strtoclass(classname); +diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c +index dc32c90..4ea9eaf 100644 +--- a/bin/dnssec/dnssectool.c ++++ b/bin/dnssec/dnssectool.c +@@ -32,6 +32,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -233,7 +234,8 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { + if (*ectx == NULL) { + result = isc_entropy_create(mctx, ectx); + if (result != ISC_R_SUCCESS) +- fatal("could not create entropy object"); ++ fatal("could not create entropy object: %s", ++ isc_result_totext(result)); + ISC_LIST_INIT(sources); + } + +@@ -242,6 +244,13 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { + randomfile = NULL; + } + ++#ifdef ISC_PLATFORM_CRYPTORANDOM ++ if (randomfile != NULL && ++ strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { ++ randomfile = NULL; ++ isc_entropy_usehook(*ectx, ISC_TRUE); ++ } ++#endif + result = isc_entropy_usebestsource(*ectx, &source, randomfile, + usekeyboard); + +diff --git a/bin/named/server.c b/bin/named/server.c +index 59a8998..ee5186c 100644 +--- a/bin/named/server.c ++++ b/bin/named/server.c +@@ -34,6 +34,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -8083,6 +8084,10 @@ load_configuration(const char *filename, ns_server_t *server, + "no source of 
entropy found"); + } else { + const char *randomdev = cfg_obj_asstring(obj); ++#ifdef ISC_PLATFORM_CRYPTORANDOM ++ if (strcmp(randomdev, ISC_PLATFORM_CRYPTORANDOM) == 0) ++ isc_entropy_usehook(ns_g_entropy, ISC_TRUE); ++#else + int level = ISC_LOG_ERROR; + result = isc_entropy_createfilesource(ns_g_entropy, + randomdev); +@@ -8117,6 +8122,7 @@ load_configuration(const char *filename, ns_server_t *server, + } + isc_entropy_detach(&ns_g_fallbackentropy); + } ++#endif + #endif + } + } +diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c +index bb5d500..46c7acf 100644 +--- a/bin/nsupdate/nsupdate.c ++++ b/bin/nsupdate/nsupdate.c +@@ -33,6 +33,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -269,7 +270,8 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { + if (*ectx == NULL) { + result = isc_entropy_create(mctx, ectx); + if (result != ISC_R_SUCCESS) +- fatal("could not create entropy object"); ++ fatal("could not create entropy object: %s", ++ isc_result_totext(result)); + ISC_LIST_INIT(sources); + } + +@@ -278,6 +280,13 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { + randomfile = NULL; + } + ++#ifdef ISC_PLATFORM_CRYPTORANDOM ++ if (randomfile != NULL && ++ strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { ++ randomfile = NULL; ++ isc_entropy_usehook(*ectx, ISC_TRUE); ++ } ++#endif + result = isc_entropy_usebestsource(*ectx, &source, randomfile, + usekeyboard); + +@@ -948,11 +957,11 @@ setup_system(void) { + } + } + +- setup_entropy(gmctx, NULL, &entropy); ++ if (entropy == NULL) ++ setup_entropy(gmctx, NULL, &entropy); + + result = isc_hash_create(gmctx, entropy, DNS_NAME_MAXWIRE); + check_result(result, "isc_hash_create"); +- isc_hash_init(); + + result = dns_dispatchmgr_create(gmctx, entropy, &dispatchmgr); + check_result(result, "dns_dispatchmgr_create"); +@@ -976,6 +985,9 @@ setup_system(void) { + check_result(result, "dst_lib_init"); + is_dst_up 
= ISC_TRUE; + ++ /* moved after dst_lib_init() */ ++ isc_hash_init(); ++ + attrmask = DNS_DISPATCHATTR_UDP | DNS_DISPATCHATTR_TCP; + attrmask |= DNS_DISPATCHATTR_IPV4 | DNS_DISPATCHATTR_IPV6; + +diff --git a/bin/tests/makejournal.c b/bin/tests/makejournal.c +index fed59be..9f125da 100644 +--- a/bin/tests/makejournal.c ++++ b/bin/tests/makejournal.c +@@ -100,12 +100,12 @@ main(int argc, char **argv) { + CHECK(isc_mem_create(0, 0, &mctx)); + CHECK(isc_entropy_create(mctx, &ectx)); + +- CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)); +- hash_active = ISC_TRUE; +- + CHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_BLOCKING)); + dst_active = ISC_TRUE; + ++ CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)); ++ hash_active = ISC_TRUE; ++ + CHECK(isc_log_create(mctx, &lctx, &logconfig)); + isc_log_registercategories(lctx, categories); + isc_log_setcontext(lctx); +diff --git a/bin/tests/system/pipelined/pipequeries.c b/bin/tests/system/pipelined/pipequeries.c +index 379b6a3..810d99e 100644 +--- a/bin/tests/system/pipelined/pipequeries.c ++++ b/bin/tests/system/pipelined/pipequeries.c +@@ -202,6 +202,7 @@ sendqueries(isc_task_t *task, isc_event_t *event) { + + int + main(int argc, char *argv[]) { ++ char *randomfile = NULL; + isc_sockaddr_t bind_any; + struct in_addr inaddr; + isc_result_t result; +@@ -222,7 +223,7 @@ main(int argc, char *argv[]) { + UNUSED(argv); + + isc_commandline_errprint = ISC_FALSE; +- while ((c = isc_commandline_parse(argc, argv, "p:")) != -1) { ++ while ((c = isc_commandline_parse(argc, argv, "p:r:")) != -1) { + switch (c) { + case 'p': + result = isc_parse_uint16(&port, +@@ -233,6 +234,9 @@ main(int argc, char *argv[]) { + exit(1); + } + break; ++ case 'r': ++ randomfile = isc_commandline_argument; ++ break; + case '?': + fprintf(stderr, "%s: invalid argument '%c'", + argv[0], c); +@@ -274,10 +278,18 @@ main(int argc, char *argv[]) { + + ectx = NULL; + RUNCHECK(isc_entropy_create(mctx, &ectx)); +- RUNCHECK(isc_entropy_createfilesource(ectx, 
"../random.data")); +- RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)); ++#ifdef ISC_PLATFORM_CRYPTORANDOM ++ if (randomfile != NULL && ++ strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { ++ randomfile = NULL; ++ isc_entropy_usehook(ectx, ISC_TRUE); ++ } ++#endif ++ if (randomfile != NULL) ++ RUNCHECK(isc_entropy_createfilesource(ectx, randomfile)); + + RUNCHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_GOODONLY)); ++ RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)); + + taskmgr = NULL; + RUNCHECK(isc_taskmgr_create(mctx, 1, 0, &taskmgr)); +@@ -330,8 +342,8 @@ main(int argc, char *argv[]) { + isc_task_detach(&task); + isc_taskmgr_destroy(&taskmgr); + +- dst_lib_destroy(); + isc_hash_destroy(); ++ dst_lib_destroy(); + isc_entropy_detach(&ectx); + + isc_log_destroy(&lctx); +diff --git a/bin/tests/system/pipelined/tests.sh b/bin/tests/system/pipelined/tests.sh +index a6720ce..9063b1f 100644 +--- a/bin/tests/system/pipelined/tests.sh ++++ b/bin/tests/system/pipelined/tests.sh +@@ -19,7 +19,7 @@ status=0 + + echo_i "check pipelined TCP queries" + ret=0 +-$PIPEQUERIES -p ${PORT} < input > raw || ret=1 ++$PIPEQUERIES -p ${PORT} -r $RANDFILE < input > raw || ret=1 + awk '{ print $1 " " $5 }' < raw > output + sort < output > output-sorted + diff ref output-sorted || { ret=1 ; echo_i "diff sorted failed"; } +@@ -43,7 +43,7 @@ status=`expr $status + $ret` + + echo_i "check keep-response-order" + ret=0 +-$PIPEQUERIES -p ${PORT} ++ < inputb > rawb || ret=1 ++$PIPEQUERIES -p ${PORT} -r $RANDFILE ++ < inputb > rawb || ret=1 + awk '{ print $1 " " $5 }' < rawb > outputb + diff refb outputb || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi +diff --git a/bin/tests/system/rsabigexponent/bigkey.c b/bin/tests/system/rsabigexponent/bigkey.c +index 4462f2e..f1230d8 100644 +--- a/bin/tests/system/rsabigexponent/bigkey.c ++++ b/bin/tests/system/rsabigexponent/bigkey.c +@@ -20,6 +20,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ 
-183,6 +184,9 @@ main(int argc, char **argv) { + + CHECK(isc_mem_create(0, 0, &mctx), "isc_mem_create()"); + CHECK(isc_entropy_create(mctx, &ectx), "isc_entropy_create()"); ++#ifdef ISC_PLATFORM_CRYPTORANDOM ++ isc_entropy_usehook(ectx, ISC_TRUE); ++#endif + CHECK(isc_entropy_usebestsource(ectx, &source, + "../random.data", + ISC_ENTROPY_KEYBOARDNO), +diff --git a/bin/tests/system/tkey/keycreate.c b/bin/tests/system/tkey/keycreate.c +index 489f439..4f2f5b4 100644 +--- a/bin/tests/system/tkey/keycreate.c ++++ b/bin/tests/system/tkey/keycreate.c +@@ -206,6 +206,7 @@ sendquery(isc_task_t *task, isc_event_t *event) { + int + main(int argc, char *argv[]) { + char *ourkeyname; ++ char *randomfile; + isc_taskmgr_t *taskmgr; + isc_timermgr_t *timermgr; + isc_socketmgr_t *socketmgr; +@@ -225,10 +226,21 @@ main(int argc, char *argv[]) { + + RUNCHECK(isc_app_start()); + ++ randomfile = NULL; ++ + if (argc < 2) { + fprintf(stderr, "I:no DH key provided\n"); + exit(-1); + } ++ if (strcmp(argv[1], "-r") == 0) { ++ if (argc < 4) { ++ fprintf(stderr, "I:no DH key provided\n"); ++ exit(-1); ++ } ++ randomfile = argv[2]; ++ argv += 2; ++ argc -= 2; ++ } + ourkeyname = argv[1]; + + if (argc >= 3) +@@ -242,14 +254,22 @@ main(int argc, char *argv[]) { + + ectx = NULL; + RUNCHECK(isc_entropy_create(mctx, &ectx)); +- RUNCHECK(isc_entropy_createfilesource(ectx, "../random.data")); +- RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)); ++#ifdef ISC_PLATFORM_CRYPTORANDOM ++ if (randomfile != NULL && ++ strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { ++ randomfile = NULL; ++ isc_entropy_usehook(ectx, ISC_TRUE); ++ } ++#endif ++ if (randomfile != NULL) ++ RUNCHECK(isc_entropy_createfilesource(ectx, randomfile)); + + log = NULL; + logconfig = NULL; + RUNCHECK(isc_log_create(mctx, &log, &logconfig)); + + RUNCHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_GOODONLY)); ++ RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)); + + taskmgr = NULL; + RUNCHECK(isc_taskmgr_create(mctx, 1, 0, 
&taskmgr)); +@@ -328,8 +348,8 @@ main(int argc, char *argv[]) { + + isc_log_destroy(&log); + +- dst_lib_destroy(); + isc_hash_destroy(); ++ dst_lib_destroy(); + isc_entropy_detach(&ectx); + + isc_mem_destroy(&mctx); +diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c +index 36ee6c7..0975bbe 100644 +--- a/bin/tests/system/tkey/keydelete.c ++++ b/bin/tests/system/tkey/keydelete.c +@@ -136,6 +136,7 @@ sendquery(isc_task_t *task, isc_event_t *event) { + int + main(int argc, char **argv) { + char *keyname; ++ char *randomfile; + isc_taskmgr_t *taskmgr; + isc_timermgr_t *timermgr; + isc_socketmgr_t *socketmgr; +@@ -156,10 +157,21 @@ main(int argc, char **argv) { + + RUNCHECK(isc_app_start()); + ++ randomfile = NULL; ++ + if (argc < 2) { + fprintf(stderr, "I:no key to delete\n"); + exit(-1); + } ++ if (strcmp(argv[1], "-r") == 0) { ++ if (argc < 4) { ++ fprintf(stderr, "I:no DH key provided\n"); ++ exit(-1); ++ } ++ randomfile = argv[2]; ++ argv += 2; ++ argc -= 2; ++ } + keyname = argv[1]; + + dns_result_register(); +@@ -169,14 +181,22 @@ main(int argc, char **argv) { + + ectx = NULL; + RUNCHECK(isc_entropy_create(mctx, &ectx)); +- RUNCHECK(isc_entropy_createfilesource(ectx, "../random.data")); +- RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)); ++#ifdef ISC_PLATFORM_CRYPTORANDOM ++ if (randomfile != NULL && ++ strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { ++ randomfile = NULL; ++ isc_entropy_usehook(ectx, ISC_TRUE); ++ } ++#endif ++ if (randomfile != NULL) ++ RUNCHECK(isc_entropy_createfilesource(ectx, randomfile)); + + log = NULL; + logconfig = NULL; + RUNCHECK(isc_log_create(mctx, &log, &logconfig)); + + RUNCHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_GOODONLY)); ++ RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)); + + taskmgr = NULL; + RUNCHECK(isc_taskmgr_create(mctx, 1, 0, &taskmgr)); +@@ -265,8 +285,8 @@ main(int argc, char **argv) { + + isc_log_destroy(&log); + +- dst_lib_destroy(); + isc_hash_destroy(); ++ 
dst_lib_destroy(); + isc_entropy_detach(&ectx); + + isc_mem_destroy(&mctx); +diff --git a/bin/tests/system/tkey/tests.sh b/bin/tests/system/tkey/tests.sh +index 9f90dd7..fad6c83 100644 +--- a/bin/tests/system/tkey/tests.sh ++++ b/bin/tests/system/tkey/tests.sh +@@ -33,7 +33,7 @@ for owner in . foo.example. + do + echo "I:creating new key using owner name \"$owner\"" + ret=0 +- keyname=`$KEYCREATE $dhkeyname $owner` || ret=1 ++ keyname=`$KEYCREATE -r $RANDFILE $dhkeyname $owner` || ret=1 + if [ $ret != 0 ]; then + echo "I:failed" + status=`expr $status + $ret` +@@ -55,7 +55,7 @@ do + + echo "I:deleting new key" + ret=0 +- $KEYDELETE $keyname || ret=1 ++ $KEYDELETE -r $RANDFILE $keyname || ret=1 + if [ $ret != 0 ]; then + echo "I:failed" + fi +@@ -75,7 +75,7 @@ done + + echo "I:creating new key using owner name bar.example." + ret=0 +-keyname=`$KEYCREATE $dhkeyname bar.example.` || ret=1 ++keyname=`$KEYCREATE -r $RANDFILE $dhkeyname bar.example.` || ret=1 + if [ $ret != 0 ]; then + echo "I:failed" + status=`expr $status + $ret` +@@ -116,7 +116,7 @@ status=`expr $status + $ret` + + echo "I:recreating the bar.example. 
key" + ret=0 +-keyname=`$KEYCREATE $dhkeyname bar.example.` || ret=1 ++keyname=`$KEYCREATE -r $RANDFILE $dhkeyname bar.example.` || ret=1 + if [ $ret != 0 ]; then + echo "I:failed" + status=`expr $status + $ret` +diff --git a/bin/tools/mdig.c b/bin/tools/mdig.c +index 1f5dd4c..4e3bfa5 100644 +--- a/bin/tools/mdig.c ++++ b/bin/tools/mdig.c +@@ -1933,12 +1933,11 @@ main(int argc, char *argv[]) { + + ectx = NULL; + RUNCHECK(isc_entropy_create(mctx, &ectx)); ++ RUNCHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_GOODONLY)); + RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)); + RUNCHECK(isc_entropy_getdata(ectx, cookie_secret, + sizeof(cookie_secret), NULL, 0)); + +- RUNCHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_GOODONLY)); +- + ISC_LIST_INIT(queries); + parse_args(ISC_FALSE, argc, argv); + if (server == NULL) +diff --git a/configure b/configure +index c83773a..ac1ea3f 100755 +--- a/configure ++++ b/configure +@@ -640,6 +640,7 @@ ac_includes_default="\ + + ac_subst_vars='LTLIBOBJS + LIBOBJS ++LIBDIR_SUFFIX + BUILD_LIBS + BUILD_LDFLAGS + BUILD_CPPFLAGS +@@ -825,6 +826,7 @@ XMLSTATS + NZDTARGETS + NZDSRCS + NZD_TOOLS ++ISC_PLATFORM_CRYPTORANDOM + PKCS11_TEST + PKCS11_ED25519 + PKCS11_GOST +@@ -1037,6 +1039,7 @@ with_eddsa + with_aes + enable_openssl_hash + with_cc_alg ++enable_crypto_rand + with_lmdb + with_libxml2 + with_libjson +@@ -1730,6 +1733,7 @@ Optional Features: + --enable-threads enable multithreading + --enable-native-pkcs11 use native PKCS11 for all crypto [default=no] + --enable-openssl-hash use OpenSSL for hash functions [default=no] ++ --enable-crypto-rand use the crypto provider for random [default=yes] + --enable-largefile 64-bit file support + --enable-backtrace log stack backtrace on abort [default=yes] + --enable-symtable use internal symbol table for backtrace +@@ -16486,6 +16490,7 @@ case "$use_openssl" in + $as_echo "disabled because of native PKCS11" >&6; } + DST_OPENSSL_INC="" + CRYPTO="-DPKCS11CRYPTO" ++ CRYPTOLIB="pkcs11" + 
OPENSSLECDSALINKOBJS="" + OPENSSLECDSALINKSRCS="" + OPENSSLEDDSALINKOBJS="" +@@ -16500,6 +16505,7 @@ $as_echo "disabled because of native PKCS11" >&6; } + $as_echo "no" >&6; } + DST_OPENSSL_INC="" + CRYPTO="" ++ CRYPTOLIB="" + OPENSSLECDSALINKOBJS="" + OPENSSLECDSALINKSRCS="" + OPENSSLEDDSALINKOBJS="" +@@ -16512,6 +16518,7 @@ $as_echo "no" >&6; } + auto) + DST_OPENSSL_INC="" + CRYPTO="" ++ CRYPTOLIB="" + OPENSSLECDSALINKOBJS="" + OPENSSLECDSALINKSRCS="" + OPENSSLEDDSALINKOBJS="" +@@ -16521,7 +16528,7 @@ $as_echo "no" >&6; } + OPENSSLLINKOBJS="" + OPENSSLLINKSRCS="" + as_fn_error $? "OpenSSL was not found in any of $openssldirs; use --with-openssl=/path +-If you don't want OpenSSL, use --without-openssl" "$LINENO" 5 ++If you do not want OpenSSL, use --without-openssl" "$LINENO" 5 + ;; + *) + if test "yes" = "$want_native_pkcs11" +@@ -16552,6 +16559,7 @@ $as_echo "not found" >&6; } + as_fn_error $? "\"$use_openssl/include/openssl/opensslv.h\" not found" "$LINENO" 5 + fi + CRYPTO='-DOPENSSL' ++ CRYPTOLIB="openssl" + if test "/usr" = "$use_openssl" + then + DST_OPENSSL_INC="" +@@ -17213,8 +17221,6 @@ fi + # Use OpenSSL for hash functions + # + +-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for using OpenSSL for hash functions" >&5 +-$as_echo_n "checking for using OpenSSL for hash functions... " >&6; } + ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH" + case $want_openssl_hash in + yes) +@@ -17583,6 +17589,86 @@ if test "rt" = "$have_clock_gt"; then + LIBS="-lrt $LIBS" + fi + ++# ++# Use the crypto provider (OpenSSL/PKCS#11) for random functions ++# ++ ++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for using the crypto library (vs. builtin) for random functions" >&5 ++$as_echo_n "checking for using the crypto library (vs. builtin) for random functions... " >&6; } ++# Check whether --enable-crypto-rand was given. 
++if test "${enable_crypto_rand+set}" = set; then : ++ enableval=$enable_crypto_rand; want_crypto_rand="$enableval" ++else ++ want_crypto_rand="auto" ++fi ++ ++if test "$want_crypto_rand" = "auto" ++then ++ case "$CRYPTOLIB" in ++ "") ++ want_crypto_rand="no" ++ ;; ++ pkcs11) ++ want_crypto_rand="yes" ++ ;; ++ openssl) ++ saved_cflags="$CFLAGS" ++ saved_libs="$LIBS" ++ CFLAGS="$CFLAGS $DST_OPENSSL_INC" ++ LIBS="$LIBS $DST_OPENSSL_LIBS" ++ if test "$cross_compiling" = yes; then : ++ want_crypto_rand="yes" ++else ++ cat confdefs.h - <<_ACEOF >conftest.$ac_ext ++/* end confdefs.h. */ ++ ++#include ++ ++unsigned char buf[128]; ++ ++int main() ++{ ++ if (RAND_bytes(buf, 128) != 1) ++ return (1); ++ return (0); ++} ++ ++_ACEOF ++if ac_fn_c_try_run "$LINENO"; then : ++ want_crypto_rand="yes" ++else ++ want_crypto_rand="no" ++fi ++rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ ++ conftest.$ac_objext conftest.beam conftest.$ac_ext ++fi ++ ++ CFLAGS="$saved_cflags" ++ LIBS="$saved_libs" ++ ;; ++ *) ++ as_fn_error $? "Unknown crypto library define $CRYPTOLIB" "$LINENO" 5 ++ ;; ++ esac ++fi ++case $want_crypto_rand in ++ yes) ++ if test "$CRYPTOLIB" = "" ++ then ++ as_fn_error $? "No crypto library for random functions" "$LINENO" 5 ++ fi ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: \"$CRYPTOLIB\"" >&5 ++$as_echo "\"$CRYPTOLIB\"" >&6; } ++ ISC_PLATFORM_CRYPTORANDOM="#define ISC_PLATFORM_CRYPTORANDOM \"$CRYPTOLIB\"" ++ ;; ++ no) ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 ++$as_echo "no" >&6; } ++ ISC_PLATFORM_CRYPTORANDOM="#undef ISC_PLATFORM_CRYPTORANDOM" ++ ;; ++esac ++ ++ + # + # was --with-lmdb specified? 
+ # +@@ -19665,9 +19751,12 @@ _ACEOF + if ac_fn_c_try_compile "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: size_t for buflen; int for flags" >&5 + $as_echo "size_t for buflen; int for flags" >&6; } +- $as_echo "#define IRS_GETNAMEINFO_SOCKLEN_T size_t" >>confdefs.h ++ # Changed to solve multilib conflict on Fedora ++ # AC_DEFINE(IRS_GETNAMEINFO_SOCKLEN_T, size_t) ++ # AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, size_t) ++ $as_echo "#define IRS_GETNAMEINFO_SOCKLEN_T socklen_t" >>confdefs.h + +- $as_echo "#define IRS_GETNAMEINFO_BUFLEN_T size_t" >>confdefs.h ++ $as_echo "#define IRS_GETNAMEINFO_BUFLEN_T socklen_t" >>confdefs.h + + $as_echo "#define IRS_GETNAMEINFO_FLAGS_T int" >>confdefs.h + +@@ -21032,12 +21121,7 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM" + ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM" + ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM" + if test "yes" = "$use_atomic"; then +- have_atomic=yes # set default +- case "$host" in +- i[3456]86-*) +- # XXX: some old x86 architectures actually do not support +- # (some of) these operations. Do we need stricter checks? +- # The cast to long int works around a bug in the HP C Compiler ++ # The cast to long int works around a bug in the HP C Compiler + # version HP92453-01 B.11.11.23709.GP, which incorrectly rejects + # declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. + # This bug is HP SR number 8606223364. +@@ -21070,6 +21154,11 @@ cat >>confdefs.h <<_ACEOF + _ACEOF + + ++ have_atomic=yes # set default ++ case "$host" in ++ i[3456]86-*) ++ # XXX: some old x86 architectures actually do not support ++ # (some of) these operations. Do we need stricter checks? 
+ if test $ac_cv_sizeof_void_p = 8; then + arch=x86_64 + have_xaddq=yes +@@ -21078,39 +21167,6 @@ _ACEOF + fi + ;; + x86_64-*|amd64-*) +- # The cast to long int works around a bug in the HP C Compiler +-# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects +-# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. +-# This bug is HP SR number 8606223364. +-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of void *" >&5 +-$as_echo_n "checking size of void *... " >&6; } +-if ${ac_cv_sizeof_void_p+:} false; then : +- $as_echo_n "(cached) " >&6 +-else +- if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (void *))" "ac_cv_sizeof_void_p" "$ac_includes_default"; then : +- +-else +- if test "$ac_cv_type_void_p" = yes; then +- { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +-$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +-as_fn_error 77 "cannot compute sizeof (void *) +-See \`config.log' for more details" "$LINENO" 5; } +- else +- ac_cv_sizeof_void_p=0 +- fi +-fi +- +-fi +-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_void_p" >&5 +-$as_echo "$ac_cv_sizeof_void_p" >&6; } +- +- +- +-cat >>confdefs.h <<_ACEOF +-#define SIZEOF_VOID_P $ac_cv_sizeof_void_p +-_ACEOF +- +- + if test $ac_cv_sizeof_void_p = 8; then + arch=x86_64 + have_xaddq=yes +@@ -21141,6 +21197,10 @@ $as_echo_n "checking architecture type for atomic operations... " >&6; } + $as_echo "$arch" >&6; } + fi + ++if test ! "$arch" = "x86_64" -a "$have_xaddq" = "yes"; then ++ as_fn_error $? "XADDQ present but disabled by Fedora patch!" "$LINENO" 5 ++fi ++ + if test "yes" = "$have_atomic"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking compiler support for inline assembly code" >&5 + $as_echo_n "checking compiler support for inline assembly code... 
" >&6; } +@@ -23428,6 +23488,30 @@ CFLAGS="$CFLAGS $SO_CFLAGS" + # + dlzdir='${DLZ_DRIVER_DIR}' + ++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for target libdir" >&5 ++$as_echo_n "checking for target libdir... " >&6; } ++if test "$cross_compiling" = yes; then : ++ { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 ++$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} ++as_fn_error $? "cannot run test program while cross compiling ++See \`config.log' for more details" "$LINENO" 5; } ++else ++ cat confdefs.h - <<_ACEOF >conftest.$ac_ext ++/* end confdefs.h. */ ++int main(void) {exit((sizeof(void *) == 8) ? 0 : 1);} ++_ACEOF ++if ac_fn_c_try_run "$LINENO"; then : ++ target_lib=lib64 ++else ++ target_lib=lib ++fi ++rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ ++ conftest.$ac_objext conftest.beam conftest.$ac_ext ++fi ++ ++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: \"$target_lib\"" >&5 ++$as_echo "\"$target_lib\"" >&6; } ++ + # + # Private autoconf macro to simplify configuring drivers: + # +@@ -23758,11 +23842,11 @@ $as_echo "no" >&6; } + $as_echo "using mysql with libs ${mysql_lib} and includes ${mysql_include}" >&6; } + ;; + *) +- if test -d "$use_dlz_mysql/lib/mysql" ++ if test -d $use_dlz_mysql/${target_lib}/mysql + then +- mysql_lib="$use_dlz_mysql/lib/mysql" ++ mysql_lib=$use_dlz_mysql/${target_lib}/mysql + else +- mysql_lib="$use_dlz_mysql/lib" ++ mysql_lib=$use_dlz_mysql/${target_lib} + fi + + CONTRIB_DLZ="$CONTRIB_DLZ -DDLZ_MYSQL" +@@ -23847,7 +23931,7 @@ $as_echo "" >&6; } + # Check other locations for includes. + # Order is important (sigh). 
+ +- bdb_incdirs="/db53 /db51 /db48 /db47 /db46 /db45 /db44 /db43 /db42 /db41 /db4 /db" ++ bdb_incdirs="/db53 /db51 /db48 /db47 /db46 /db45 /db44 /db43 /db42 /db41 /db4 /libdb /db" + # include a blank element first + for d in "" $bdb_incdirs + do +@@ -23872,57 +23956,9 @@ $as_echo "" >&6; } + bdb_libnames="db53 db-5.3 db51 db-5.1 db48 db-4.8 db47 db-4.7 db46 db-4.6 db45 db-4.5 db44 db-4.4 db43 db-4.3 db42 db-4.2 db41 db-4.1 db" + for d in $bdb_libnames + do +- if test "$dd" = "/usr" ++ if test -f "$dd/${target_lib}/lib${d}.so" + then +- as_ac_Lib=`$as_echo "ac_cv_lib_$d''_db_create" | $as_tr_sh` +-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for db_create in -l$d" >&5 +-$as_echo_n "checking for db_create in -l$d... " >&6; } +-if eval \${$as_ac_Lib+:} false; then : +- $as_echo_n "(cached) " >&6 +-else +- ac_check_lib_save_LIBS=$LIBS +-LIBS="-l$d $LIBS" +-cat confdefs.h - <<_ACEOF >conftest.$ac_ext +-/* end confdefs.h. */ +- +-/* Override any GCC internal prototype to avoid an error. +- Use char because int might match the return type of a GCC +- builtin and then its argument prototype would still apply. 
*/ +-#ifdef __cplusplus +-extern "C" +-#endif +-char db_create (); +-int +-main () +-{ +-return db_create (); +- ; +- return 0; +-} +-_ACEOF +-if ac_fn_c_try_link "$LINENO"; then : +- eval "$as_ac_Lib=yes" +-else +- eval "$as_ac_Lib=no" +-fi +-rm -f core conftest.err conftest.$ac_objext \ +- conftest$ac_exeext conftest.$ac_ext +-LIBS=$ac_check_lib_save_LIBS +-fi +-eval ac_res=\$$as_ac_Lib +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 +-$as_echo "$ac_res" >&6; } +-if eval test \"x\$"$as_ac_Lib"\" = x"yes"; then : +- dlz_bdb_libs="-l${d}" +-fi +- +- if test $dlz_bdb_libs != "yes" +- then +- break +- fi +- elif test -f "$dd/lib/lib${d}.so" +- then +- dlz_bdb_libs="-L${dd}/lib -l${d}" ++ dlz_bdb_libs="-L${dd}/${target_lib}/libdb -l${d}" + break + fi + done +@@ -24081,10 +24117,10 @@ $as_echo "no" >&6; } + DLZ_DRIVER_INCLUDES="$DLZ_DRIVER_INCLUDES -I$use_dlz_ldap/include" + DLZ_DRIVER_LDAP_INCLUDES="-I$use_dlz_ldap/include" + fi +- if test -n "-L$use_dlz_ldap/lib -lldap -llber" ++ if test -n "-L$use_dlz_ldap/${target_lib} -lldap -llber" + then +- DLZ_DRIVER_LIBS="$DLZ_DRIVER_LIBS -L$use_dlz_ldap/lib -lldap -llber" +- DLZ_DRIVER_LDAP_LIBS="-L$use_dlz_ldap/lib -lldap -llber" ++ DLZ_DRIVER_LIBS="$DLZ_DRIVER_LIBS -L$use_dlz_ldap/${target_lib} -lldap -llber" ++ DLZ_DRIVER_LDAP_LIBS="-L$use_dlz_ldap/${target_lib} -lldap -llber" + fi + + +@@ -24170,11 +24206,11 @@ fi + odbcdirs="/usr /usr/local /usr/pkg" + for d in $odbcdirs + do +- if test -f $d/include/sql.h -a -f $d/lib/libodbc.a ++ if test -f $d/include/sql.h -a -f $d/${target_lib}/libodbc.a + then + use_dlz_odbc=$d + dlz_odbc_include="-I$use_dlz_odbc/include" +- dlz_odbc_libs="-L$use_dlz_odbc/lib -lodbc" ++ dlz_odbc_libs="-L$use_dlz_odbc/${target_lib} -lodbc" + break + fi + done +@@ -24449,6 +24485,8 @@ DNS_CRYPTO_LIBS="$NEWFLAGS" + + + ++ ++ + # + # Commands to run at the end of config.status. 
+ # Don't just put these into configure, it won't work right if somebody +@@ -26839,6 +26877,8 @@ report() { + echo " IPv6 support (--enable-ipv6)" + test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \ + echo " OpenSSL cryptography/DNSSEC (--with-openssl)" ++ test "no" = "$want_crypto_rand" || \ ++ echo " Crypto provider entropy source (--enable-crypto-rand)" + test "X$PYTHON" = "X" || echo " Python tools (--with-python)" + test "X$XMLSTATS" = "X" || echo " XML statistics (--with-libxml2)" + test "X$JSONSTATS" = "X" || echo " JSON statistics (--with-libjson)" +@@ -26879,6 +26919,8 @@ report() { + echo " Very verbose query trace logging (--enable-querytrace)" + test "no" = "$atf" || echo " Automated Testing Framework (--with-atf)" + ++ echo " Cryptographic library for DNSSEC: $CRYPTOLIB" ++ + echo " Dynamically loadable zone (DLZ) drivers:" + test "no" = "$use_dlz_bdb" || \ + echo " Berkeley DB (--with-dlz-bdb)" +@@ -26926,6 +26968,8 @@ report() { + echo " ECDSA algorithm support (--with-ecdsa)" + test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \ + echo " EDDSA algorithm support (--with-eddsa)" ++ test "yes" = "$want_crypto_rand" || \ ++ echo " Crypto provider entropy source (--enable-crypto-rand)" + + test "yes" = "$enable_seccomp" || \ + echo " Use libseccomp system call filtering (--enable-seccomp)" +diff --git a/configure.in b/configure.in +index 9a1d16d..849fa94 100644 +--- a/configure.in ++++ b/configure.in +@@ -1597,6 +1597,7 @@ case "$use_openssl" in + AC_MSG_RESULT(disabled because of native PKCS11) + DST_OPENSSL_INC="" + CRYPTO="-DPKCS11CRYPTO" ++ CRYPTOLIB="pkcs11" + OPENSSLECDSALINKOBJS="" + OPENSSLECDSALINKSRCS="" + OPENSSLEDDSALINKOBJS="" +@@ -1610,6 +1611,7 @@ case "$use_openssl" in + AC_MSG_RESULT(no) + DST_OPENSSL_INC="" + CRYPTO="" ++ CRYPTOLIB="" + OPENSSLECDSALINKOBJS="" + OPENSSLECDSALINKSRCS="" + OPENSSLEDDSALINKOBJS="" +@@ -1622,6 +1624,7 @@ case "$use_openssl" in + auto) + DST_OPENSSL_INC="" + 
CRYPTO="" ++ CRYPTOLIB="" + OPENSSLECDSALINKOBJS="" + OPENSSLECDSALINKSRCS="" + OPENSSLEDDSALINKOBJS="" +@@ -1632,7 +1635,7 @@ case "$use_openssl" in + OPENSSLLINKSRCS="" + AC_MSG_ERROR( + [OpenSSL was not found in any of $openssldirs; use --with-openssl=/path +-If you don't want OpenSSL, use --without-openssl]) ++If you do not want OpenSSL, use --without-openssl]) + ;; + *) + if test "yes" = "$want_native_pkcs11" +@@ -1662,6 +1665,7 @@ If you don't want OpenSSL, use --without-openssl]) + AC_MSG_ERROR(["$use_openssl/include/openssl/opensslv.h" not found]) + fi + CRYPTO='-DOPENSSL' ++ CRYPTOLIB="openssl" + if test "/usr" = "$use_openssl" + then + DST_OPENSSL_INC="" +@@ -2135,7 +2139,6 @@ fi + # Use OpenSSL for hash functions + # + +-AC_MSG_CHECKING(for using OpenSSL for hash functions) + ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH" + case $want_openssl_hash in + yes) +@@ -2402,6 +2405,67 @@ if test "rt" = "$have_clock_gt"; then + LIBS="-lrt $LIBS" + fi + ++# ++# Use the crypto provider (OpenSSL/PKCS#11) for random functions ++# ++ ++AC_MSG_CHECKING(for using the crypto library (vs. 
builtin) for random functions) ++AC_ARG_ENABLE(crypto-rand, ++ [ --enable-crypto-rand use the crypto provider for random [[default=yes]]], ++ want_crypto_rand="$enableval", want_crypto_rand="auto") ++if test "$want_crypto_rand" = "auto" ++then ++ case "$CRYPTOLIB" in ++ "") ++ want_crypto_rand="no" ++ ;; ++ pkcs11) ++ want_crypto_rand="yes" ++ ;; ++ openssl) ++ saved_cflags="$CFLAGS" ++ saved_libs="$LIBS" ++ CFLAGS="$CFLAGS $DST_OPENSSL_INC" ++ LIBS="$LIBS $DST_OPENSSL_LIBS" ++ AC_TRY_RUN([ ++#include ++ ++unsigned char buf[128]; ++ ++int main() ++{ ++ if (RAND_bytes(buf, 128) != 1) ++ return (1); ++ return (0); ++} ++], ++ [want_crypto_rand="yes"], ++ [want_crypto_rand="no"], ++ [want_crypto_rand="yes"]) ++ CFLAGS="$saved_cflags" ++ LIBS="$saved_libs" ++ ;; ++ *) ++ AC_MSG_ERROR([Unknown crypto library define $CRYPTOLIB]) ++ ;; ++ esac ++fi ++case $want_crypto_rand in ++ yes) ++ if test "$CRYPTOLIB" = "" ++ then ++ AC_MSG_ERROR([No crypto library for random functions]) ++ fi ++ AC_MSG_RESULT(["$CRYPTOLIB"]) ++ ISC_PLATFORM_CRYPTORANDOM="#define ISC_PLATFORM_CRYPTORANDOM \"$CRYPTOLIB\"" ++ ;; ++ no) ++ AC_MSG_RESULT(no) ++ ISC_PLATFORM_CRYPTORANDOM="#undef ISC_PLATFORM_CRYPTORANDOM" ++ ;; ++esac ++AC_SUBST(ISC_PLATFORM_CRYPTORANDOM) ++ + # + # was --with-lmdb specified? + # +@@ -4235,12 +4299,12 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM" + ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM" + ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM" + if test "yes" = "$use_atomic"; then ++ AC_CHECK_SIZEOF([void *]) + have_atomic=yes # set default + case "$host" in + [i[3456]86-*]) + # XXX: some old x86 architectures actually do not support + # (some of) these operations. Do we need stricter checks? 
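Review bot: The help string added for `--enable-crypto-rand` advertises `[[default=yes]]`, but the AC_ARG_ENABLE default is `want_crypto_rand="auto"`, and the case statement that follows resolves auto to `no` whenever `CRYPTOLIB` is empty and to the outcome of the RAND_bytes probe for OpenSSL; the generated configure hunk `@@ -1730,6 +1733,7 @@` prints the same `[default=yes]` text. Changing the line to `[ --enable-crypto-rand use the crypto provider for random [[default=auto]]]` keeps the documentation honest, and a one-line comment above the case block stating how auto is resolved would help packagers reading the configure summary. The AC_TRY_RUN cross-compiling action also assumes `yes`; that is defensible for a provider that is linked anyway, but it belongs in the same comment.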
+- AC_CHECK_SIZEOF([void *]) + if test $ac_cv_sizeof_void_p = 8; then + arch=x86_64 + have_xaddq=yes +@@ -4249,7 +4313,6 @@ if test "yes" = "$use_atomic"; then + fi + ;; + x86_64-*|amd64-*) +- AC_CHECK_SIZEOF([void *]) + if test $ac_cv_sizeof_void_p = 8; then + arch=x86_64 + have_xaddq=yes +@@ -5613,6 +5676,8 @@ report() { + echo " IPv6 support (--enable-ipv6)" + test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \ + echo " OpenSSL cryptography/DNSSEC (--with-openssl)" ++ test "no" = "$want_crypto_rand" || \ ++ echo " Crypto provider entropy source (--enable-crypto-rand)" + test "X$PYTHON" = "X" || echo " Python tools (--with-python)" + test "X$XMLSTATS" = "X" || echo " XML statistics (--with-libxml2)" + test "X$JSONSTATS" = "X" || echo " JSON statistics (--with-libjson)" +@@ -5653,6 +5718,8 @@ report() { + echo " Very verbose query trace logging (--enable-querytrace)" + test "no" = "$atf" || echo " Automated Testing Framework (--with-atf)" + ++ echo " Cryptographic library for DNSSEC: $CRYPTOLIB" ++ + echo " Dynamically loadable zone (DLZ) drivers:" + test "no" = "$use_dlz_bdb" || \ + echo " Berkeley DB (--with-dlz-bdb)" +@@ -5700,6 +5767,8 @@ report() { + echo " ECDSA algorithm support (--with-ecdsa)" + test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \ + echo " EDDSA algorithm support (--with-eddsa)" ++ test "yes" = "$want_crypto_rand" || \ ++ echo " Crypto provider entropy source (--enable-crypto-rand)" + + test "yes" = "$enable_seccomp" || \ + echo " Use libseccomp system call filtering (--enable-seccomp)" +diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c +index dbece0a..803e7b3 100644 +--- a/lib/dns/dst_api.c ++++ b/lib/dns/dst_api.c +@@ -274,6 +274,12 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx, + #ifdef GSSAPI + RETERR(dst__gssapi_init(&dst_t_func[DST_ALG_GSSAPI])); + #endif ++#if defined(OPENSSL) || defined(PKCS11CRYPTO) ++#ifdef ISC_PLATFORM_CRYPTORANDOM ++ if (dst_entropy_pool != NULL) ++ 
isc_entropy_sethook(dst_random_getdata); ++#endif ++#endif /* defined(OPENSSL) || defined(PKCS11CRYPTO) */ + dst_initialized = ISC_TRUE; + return (ISC_R_SUCCESS); + +@@ -293,11 +299,19 @@ dst_lib_destroy(void) { + for (i = 0; i < DST_MAX_ALGS; i++) + if (dst_t_func[i] != NULL && dst_t_func[i]->cleanup != NULL) + dst_t_func[i]->cleanup(); ++#if defined(OPENSSL) || defined(PKCS11CRYPTO) ++#ifdef ISC_PLATFORM_CRYPTORANDOM ++ if (dst_entropy_pool != NULL) { ++ isc_entropy_usehook(dst_entropy_pool, ISC_FALSE); ++ isc_entropy_sethook(NULL); ++ } ++#endif + #ifdef OPENSSL + dst__openssl_destroy(); + #elif PKCS11CRYPTO + (void) dst__pkcs11_destroy(); + #endif /* if OPENSSL, elif PKCS11CRYPTO */ ++#endif /* defined(OPENSSL) || defined(PKCS11CRYPTO) */ + if (dst__memory_pool != NULL) + isc_mem_detach(&dst__memory_pool); + if (dst_entropy_pool != NULL) +@@ -2000,13 +2014,17 @@ dst__entropy_getdata(void *buf, unsigned int len, isc_boolean_t pseudo) { + flags &= ~ISC_ENTROPY_GOODONLY; + else + flags |= ISC_ENTROPY_BLOCKING; ++#ifdef ISC_PLATFORM_CRYPTORANDOM ++ return (dst_random_getdata(buf, len, NULL, flags)); ++#else + return (isc_entropy_getdata(dst_entropy_pool, buf, len, NULL, flags)); ++#endif + #endif /* PKCS11CRYPTO */ + } + + unsigned int + dst__entropy_status(void) { +-#ifndef PKCS11CRYPTO ++#if !defined(PKCS11CRYPTO) && !defined(ISC_PLATFORM_CRYPTORANDOM) + #ifdef GSSAPI + unsigned int flags = dst_entropy_flags; + isc_result_t ret; +@@ -2029,6 +2047,7 @@ dst__entropy_status(void) { + #endif + return (isc_entropy_status(dst_entropy_pool)); + #else ++ /* Doesn't matter as it is not used in this case. */ + return (0); + #endif + } +diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h +index fcc7b47..d9b6ab6 100644 +--- a/lib/dns/include/dst/dst.h ++++ b/lib/dns/include/dst/dst.h +@@ -157,6 +157,14 @@ dst_lib_destroy(void); + * Releases all resources allocated by DST. 
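Review bot: dst_lib_init2() installs the global hook with `isc_entropy_sethook(dst_random_getdata)` but never enables it on the pool, while the dst_lib_destroy() hunk below does call `isc_entropy_usehook(dst_entropy_pool, ISC_FALSE)` before clearing the hook; as written, the crypto RNG is only reached by contexts on which some caller has turned `usehook` on itself (the new dstrandom_test does this explicitly). If enabling is intentionally left to callers, a comment here such as `/* Hook is installed globally; callers opt in per context via isc_entropy_usehook(). */` would make the asymmetry deliberate; if not, `isc_entropy_usehook(dst_entropy_pool, ISC_TRUE);` after the sethook call is the missing line. dst_lib_init2() starts outside this hunk, so I cannot see whether that is done further up.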
+ */ + ++isc_result_t ++dst_random_getdata(void *data, unsigned int length, ++ unsigned int *returned, unsigned int flags); ++/*%< ++ * \brief Return data from the crypto random generator. ++ * Specialization of isc_entropy_getdata(). ++ */ ++ + isc_boolean_t + dst_algorithm_supported(unsigned int alg); + /*%< +diff --git a/lib/dns/lib.c b/lib/dns/lib.c +index 53237d5..c6d83e9 100644 +--- a/lib/dns/lib.c ++++ b/lib/dns/lib.c +@@ -9,14 +9,13 @@ + * information regarding copyright ownership. + */ + +-/* $Id: lib.c,v 1.19 2009/09/03 00:12:23 each Exp $ */ +- + /*! \file */ + + #include + + #include + ++#include + #include + #include + #include +@@ -77,6 +76,7 @@ static unsigned int references = 0; + static void + initialize(void) { + isc_result_t result; ++ isc_entropy_t *ectx = NULL; + + REQUIRE(initialize_done == ISC_FALSE); + +@@ -87,11 +87,14 @@ initialize(void) { + result = dns_ecdb_register(dns_g_mctx, &dbimp); + if (result != ISC_R_SUCCESS) + goto cleanup_mctx; +- result = isc_hash_create(dns_g_mctx, NULL, DNS_NAME_MAXWIRE); ++ result = isc_entropy_create(dns_g_mctx, &ectx); + if (result != ISC_R_SUCCESS) + goto cleanup_db; ++ result = isc_hash_create(dns_g_mctx, NULL, DNS_NAME_MAXWIRE); ++ if (result != ISC_R_SUCCESS) ++ goto cleanup_ectx; + +- result = dst_lib_init(dns_g_mctx, NULL, 0); ++ result = dst_lib_init(dns_g_mctx, ectx, 0); + if (result != ISC_R_SUCCESS) + goto cleanup_hash; + +@@ -99,11 +102,17 @@ initialize(void) { + if (result != ISC_R_SUCCESS) + goto cleanup_dst; + ++ isc_hash_init(); ++ isc_entropy_detach(&ectx); ++ + initialize_done = ISC_TRUE; + return; + + cleanup_dst: + dst_lib_destroy(); ++ cleanup_ectx: ++ if (ectx != NULL) ++ isc_entropy_detach(&ectx); + cleanup_hash: + isc_hash_destroy(); + cleanup_db: +diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c +index ec6dc7f..c1e1bde 100644 +--- a/lib/dns/openssl_link.c ++++ b/lib/dns/openssl_link.c +@@ -31,6 +31,7 @@ + #include + #include + #include ++#include + #include + #include + 
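Review bot: On dst_lib_init() failure the new entropy context is leaked: that path still does `goto cleanup_hash;`, which is below the new `cleanup_ectx:` label, so `isc_entropy_detach(&ectx)` is skipped; changing that line to `goto cleanup_ectx;` makes the unwind match the creation order for that path. Separately, `isc_hash_create(dns_g_mctx, NULL, DNS_NAME_MAXWIRE)` still receives NULL although ectx is now available, whereas the mdig.c and dnstest.c hunks of this same patch reorder their calls so that the hash is created after dst_lib_init() with the entropy context; if the intent is for the hash seed to come from the hooked source, this presumably should be `isc_hash_create(dns_g_mctx, ectx, DNS_NAME_MAXWIRE)` — confirm. initialize()'s cleanup chain continues past the `@@ -99,11 +102,17 @@` hunk.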
#include +@@ -46,8 +47,6 @@ + #include + #endif + +-static RAND_METHOD *rm = NULL; +- + #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) + static isc_mutex_t *locks = NULL; + static int nlocks; +@@ -57,6 +56,9 @@ static int nlocks; + static ENGINE *e = NULL; + #endif + ++#ifndef ISC_PLATFORM_CRYPTORANDOM ++static RAND_METHOD *rm = NULL; ++ + static int + entropy_get(unsigned char *buf, int num) { + isc_result_t result; +@@ -102,6 +104,7 @@ entropy_add(const void *buf, int num, double entropy) { + return (1); + } + #endif ++#endif /* !ISC_PLATFORM_CRYPTORANDOM */ + + #if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) + static void +@@ -190,7 +193,7 @@ _set_thread_id(CRYPTO_THREADID *id) + isc_result_t + dst__openssl_init(const char *engine) { + isc_result_t result; +-#if !defined(OPENSSL_NO_ENGINE) ++#if !defined(OPENSSL_NO_ENGINE) && !defined(ISC_PLATFORM_CRYPTORANDOM) + ENGINE *re; + #else + UNUSED(engine); +@@ -220,6 +223,7 @@ dst__openssl_init(const char *engine) { + ERR_load_crypto_strings(); + #endif + ++#ifndef ISC_PLATFORM_CRYPTORANDOM + rm = mem_alloc(sizeof(RAND_METHOD) FILELINE); + if (rm == NULL) { + result = ISC_R_NOMEMORY; +@@ -231,6 +235,7 @@ dst__openssl_init(const char *engine) { + rm->add = entropy_add; + rm->pseudorand = entropy_getpseudo; + rm->status = entropy_status; ++#endif + + #if !defined(OPENSSL_NO_ENGINE) + #if !defined(CONF_MFLAGS_DEFAULT_SECTION) +@@ -264,6 +269,7 @@ dst__openssl_init(const char *engine) { + } + } + ++#ifndef ISC_PLATFORM_CRYPTORANDOM + re = ENGINE_get_default_RAND(); + if (re == NULL) { + re = ENGINE_new(); +@@ -276,9 +282,21 @@ dst__openssl_init(const char *engine) { + ENGINE_free(re); + } else + ENGINE_finish(re); ++#endif + #else ++#ifndef ISC_PLATFORM_CRYPTORANDOM + RAND_set_rand_method(rm); ++#endif + #endif /* !defined(OPENSSL_NO_ENGINE) */ ++ ++ /* Protect ourselves against unseeded PRNG */ ++ if (RAND_status() != 1) { 
++ FATAL_ERROR(__FILE__, __LINE__, ++ "OpenSSL pseudorandom number generator " ++ "cannot be initialized (see the `PRNG not " ++ "seeded' message in the OpenSSL FAQ)"); ++ } ++ + return (ISC_R_SUCCESS); + + #if !defined(OPENSSL_NO_ENGINE) +@@ -286,10 +304,14 @@ dst__openssl_init(const char *engine) { + if (e != NULL) + ENGINE_free(e); + e = NULL; ++#ifndef ISC_PLATFORM_CRYPTORANDOM + mem_free(rm FILELINE); + rm = NULL; + #endif ++#endif ++#ifndef ISC_PLATFORM_CRYPTORANDOM + cleanup_mutexinit: ++#endif + #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) + CRYPTO_set_locking_callback(NULL); + DESTROYMUTEXBLOCK(locks, nlocks); +@@ -304,14 +326,17 @@ void + dst__openssl_destroy(void) { + #if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100000L) + OPENSSL_cleanup(); ++#ifndef ISC_PLATFORM_CRYPTORANDOM + if (rm != NULL) { + mem_free(rm FILELINE); + rm = NULL; + } ++#endif + #else + /* + * Sequence taken from apps_shutdown() in . + */ ++#ifndef ISC_PLATFORM_CRYPTORANDOM + if (rm != NULL) { + #if OPENSSL_VERSION_NUMBER >= 0x00907000L + RAND_cleanup(); +@@ -319,6 +344,7 @@ dst__openssl_destroy(void) { + mem_free(rm FILELINE); + rm = NULL; + } ++#endif + #if (OPENSSL_VERSION_NUMBER >= 0x00907000L) + CONF_modules_free(); + #endif +@@ -454,11 +480,45 @@ dst__openssl_getengine(const char *engine) { + } + #endif + +-#else /* OPENSSL */ ++isc_result_t ++dst_random_getdata(void *data, unsigned int length, ++ unsigned int *returned, unsigned int flags) { ++#ifdef ISC_PLATFORM_CRYPTORANDOM ++#ifndef DONT_REQUIRE_DST_LIB_INIT ++ INSIST(dst__memory_pool != NULL); ++#endif ++ REQUIRE(data != NULL); ++ REQUIRE(length > 0); + +-#include ++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) ++ if ((flags & ISC_ENTROPY_GOODONLY) == 0) { ++ if (RAND_pseudo_bytes((unsigned char *)data, (int)length) < 0) ++ return (dst__openssl_toresult2("RAND_pseudo_bytes", ++ DST_R_OPENSSLFAILURE)); ++ } else { ++ if 
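Review bot: The new `RAND_status() != 1` fatal check sits outside the `#ifndef ISC_PLATFORM_CRYPTORANDOM` guards, so it also runs in the builtin-entropy configuration, where `RAND_set_rand_method(rm)` has just installed `rm->status = entropy_status` and the answer presumably reflects the ISC pool's state at dst__openssl_init() time rather than OpenSSL's own seeding; if callers add their entropy sources only after dst_lib_init(), a previously working startup becomes an abort. Confirm the pool is already seeded on every init path in that configuration, or restrict the check with `#ifdef ISC_PLATFORM_CRYPTORANDOM`. Aborting on an unseeded PRNG is the right behaviour for the crypto-provider path; the point is only its scope. dst__openssl_init() starts and ends outside this hunk.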
(RAND_bytes((unsigned char *)data, (int)length) != 1) ++ return (dst__openssl_toresult2("RAND_bytes", ++ DST_R_OPENSSLFAILURE)); ++ } ++#else ++ UNUSED(flags); + +-EMPTY_TRANSLATION_UNIT ++ if (RAND_bytes((unsigned char *)data, (int)length) != 1) ++ return (dst__openssl_toresult2("RAND_bytes", ++ DST_R_OPENSSLFAILURE)); ++#endif ++ if (returned != NULL) ++ *returned = length; ++ return (ISC_R_SUCCESS); ++#else ++ UNUSED(data); ++ UNUSED(length); ++ UNUSED(returned); ++ UNUSED(flags); ++ ++ return (ISC_R_NOTIMPLEMENTED); ++#endif ++} + + #endif /* OPENSSL */ + /*! \file */ +diff --git a/lib/dns/pkcs11.c b/lib/dns/pkcs11.c +index 5a2c502..8eaef53 100644 +--- a/lib/dns/pkcs11.c ++++ b/lib/dns/pkcs11.c +@@ -13,12 +13,15 @@ + + #include + ++#include ++ + #include + #include + + #include + #include + ++#include "dst_internal.h" + #include "dst_pkcs11.h" + + isc_result_t +@@ -34,12 +37,32 @@ dst__pkcs11_toresult(const char *funcname, const char *file, int line, + return (fallback); + } + ++isc_result_t ++dst_random_getdata(void *data, unsigned int length, ++ unsigned int *returned, unsigned int flags) { ++#ifdef ISC_PLATFORM_CRYPTORANDOM ++ isc_result_t ret; + +-#else /* PKCS11CRYPTO */ ++#ifndef DONT_REQUIRE_DST_LIB_INIT ++ INSIST(dst__memory_pool != NULL); ++#endif ++ REQUIRE(data != NULL); ++ REQUIRE(length > 0); ++ UNUSED(flags); + +-#include ++ ret = pk11_rand_bytes(data, (int) length); ++ if ((ret == ISC_R_SUCCESS) && (returned != NULL)) ++ *returned = length; ++ return (ret); ++#else ++ UNUSED(data); ++ UNUSED(length); ++ UNUSED(returned); ++ UNUSED(flags); + +-EMPTY_TRANSLATION_UNIT ++ return (ISC_R_NOTIMPLEMENTED); ++#endif ++} + + #endif /* PKCS11CRYPTO */ + /*! 
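Review bot: The removed lines are the `#else /* OPENSSL */` … `EMPTY_TRANSLATION_UNIT` fallback, and the new dst_random_getdata() is placed inside the `#ifdef OPENSSL` region, so a build without OpenSSL now compiles this file to an empty translation unit, which compilers warn about under -pedantic; the pkcs11.c hunk `@@ -34,12 +37,32 @@` drops its `EMPTY_TRANSLATION_UNIT` the same way. If that is unintended, keep the `#else` branch after the new function's closing brace in both files. Separately, `(int)length` is handed to RAND_bytes()/RAND_pseudo_bytes() with only `REQUIRE(length > 0)` in front of it; adding `REQUIRE(length <= INT_MAX)` (limits.h) keeps an oversized request from becoming a negative count, and the same applies to the `pk11_rand_bytes(data, (int) length)` call in pkcs11.c.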
\file */ +diff --git a/lib/dns/tests/Atffile b/lib/dns/tests/Atffile +index 953082d..603c4b5 100644 +--- a/lib/dns/tests/Atffile ++++ b/lib/dns/tests/Atffile +@@ -10,6 +10,7 @@ tp: dbversion_test + tp: dh_test + tp: dispatch_test + tp: dnstap_test ++tp: dstrandom_test + tp: dst_test + tp: geoip_test + tp: gost_test +diff --git a/lib/dns/tests/Kyuafile b/lib/dns/tests/Kyuafile +index 0353a73..cb2324d 100644 +--- a/lib/dns/tests/Kyuafile ++++ b/lib/dns/tests/Kyuafile +@@ -10,6 +10,7 @@ atf_test_program{name='dh_test'} + atf_test_program{name='dispatch_test'} + atf_test_program{name='dnstap_test'} + atf_test_program{name='dst_test'} ++atf_test_program{name='dstrandom_test'} + atf_test_program{name='geoip_test'} + atf_test_program{name='gost_test'} + atf_test_program{name='keytable_test'} +diff --git a/lib/dns/tests/Makefile.in b/lib/dns/tests/Makefile.in +index 58fa872..625e809 100644 +--- a/lib/dns/tests/Makefile.in ++++ b/lib/dns/tests/Makefile.in +@@ -40,6 +40,7 @@ SRCS = acl_test.c \ + dnstap_test.c \ + dst_test.c \ + dnstest.c \ ++ dstrandom_test.c \ + geoip_test.c \ + gost_test.c \ + keytable_test.c \ +@@ -71,6 +72,7 @@ TARGETS = acl_test@EXEEXT@ \ + dh_test@EXEEXT@ \ + dispatch_test@EXEEXT@ \ + dnstap_test@EXEEXT@ \ ++ dstrandom_test@EXEEXT@ \ + dst_test@EXEEXT@ \ + geoip_test@EXEEXT@ \ + gost_test@EXEEXT@ \ +@@ -255,6 +257,11 @@ tsig_test@EXEEXT@: tsig_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} + tsig_test.@O@ dnstest.@O@ ${DNSLIBS} \ + ${ISCLIBS} ${LIBS} + ++dstrandom_test@EXEEXT@: dstrandom_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} ++ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \ ++ dstrandom_test.@O@ ${DNSLIBS} \ ++ ${ISCLIBS} ${ISCPK11LIBS} ${LIBS} ++ + unit:: + sh ${top_builddir}/unit/unittest.sh + +diff --git a/lib/dns/tests/dnstest.c b/lib/dns/tests/dnstest.c +index fb9ef53..344a7c2 100644 +--- a/lib/dns/tests/dnstest.c ++++ b/lib/dns/tests/dnstest.c +@@ -120,12 +120,12 @@ dns_test_begin(FILE *logfile, isc_boolean_t start_managers) 
{ + CHECK(isc_mem_create(0, 0, &mctx)); + CHECK(isc_entropy_create(mctx, &ectx)); + +- CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)); +- hash_active = ISC_TRUE; +- + CHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_BLOCKING)); + dst_active = ISC_TRUE; + ++ CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)); ++ hash_active = ISC_TRUE; ++ + if (logfile != NULL) { + isc_logdestination_t destination; + isc_logconfig_t *logconfig = NULL; +@@ -169,14 +169,14 @@ dns_test_begin(FILE *logfile, isc_boolean_t start_managers) { + + void + dns_test_end(void) { +- if (dst_active) { +- dst_lib_destroy(); +- dst_active = ISC_FALSE; +- } + if (hash_active) { + isc_hash_destroy(); + hash_active = ISC_FALSE; + } ++ if (dst_active) { ++ dst_lib_destroy(); ++ dst_active = ISC_FALSE; ++ } + if (ectx != NULL) + isc_entropy_detach(&ectx); + +diff --git a/lib/dns/tests/dstrandom_test.c b/lib/dns/tests/dstrandom_test.c +new file mode 100644 +index 0000000..d2c72e7 +--- /dev/null ++++ b/lib/dns/tests/dstrandom_test.c +@@ -0,0 +1,105 @@ ++/* ++ * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") ++ * ++ * Permission to use, copy, modify, and/or distribute this software for any ++ * purpose with or without fee is hereby granted, provided that the above ++ * copyright notice and this permission notice appear in all copies. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH ++ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY ++ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, ++ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM ++ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE ++ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR ++ * PERFORMANCE OF THIS SOFTWARE. ++ */ ++ ++/* $Id$ */ ++ ++/*! 
\file */ ++ ++#include ++ ++#include ++ ++#include ++#include ++ ++#include ++#include ++#include ++#include ++ ++#include ++ ++isc_mem_t *mctx = NULL; ++isc_entropy_t *ectx = NULL; ++unsigned char buffer[128]; ++ ++ATF_TC(isc_entropy_getdata); ++ATF_TC_HEAD(isc_entropy_getdata, tc) { ++ atf_tc_set_md_var(tc, "descr", ++ "isc_entropy_getdata() examples"); ++ atf_tc_set_md_var(tc, "X-randomfile", ++ "testdata/dstrandom/random.data"); ++} ++ATF_TC_BODY(isc_entropy_getdata, tc) { ++ isc_result_t result; ++ unsigned int returned, status; ++ int ret; ++ const char *randomfile = atf_tc_get_md_var(tc, "X-randomfile"); ++ ++ isc_mem_debugging |= ISC_MEM_DEBUGRECORD; ++ result = isc_mem_create(0, 0, &mctx); ++ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); ++ result = isc_entropy_create(mctx, &ectx); ++ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); ++ result = dst_lib_init(mctx, ectx, 0); ++ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); ++ ++#ifdef ISC_PLATFORM_CRYPTORANDOM ++ isc_entropy_usehook(ectx, ISC_TRUE); ++ ++ returned = 0; ++ result = isc_entropy_getdata(ectx, buffer, sizeof(buffer), ++ &returned, 0); ++ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); ++ ATF_REQUIRE(returned == sizeof(buffer)); ++ ++ status = isc_entropy_status(ectx); ++ ATF_REQUIRE_EQ(status, 0); ++ ++ isc_entropy_usehook(ectx, ISC_FALSE); ++#endif ++ ++ ret = chdir(TESTS); ++ ATF_REQUIRE_EQ(ret, 0); ++ ++ result = isc_entropy_createfilesource(ectx, randomfile); ++ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); ++ ++ returned = 0; ++ result = isc_entropy_getdata(ectx, buffer, sizeof(buffer), ++ &returned, 0); ++ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); ++ ATF_REQUIRE(returned == sizeof(buffer)); ++ ++ status = isc_entropy_status(ectx); ++ ATF_REQUIRE(status > 0); ++ ++ dst_lib_destroy(); ++ isc_entropy_detach(&ectx); ++ ATF_REQUIRE(ectx == NULL); ++ isc_mem_destroy(&mctx); ++ ATF_REQUIRE(mctx == NULL); ++} ++ ++/* ++ * Main ++ */ ++ATF_TP_ADD_TCS(tp) { ++ ATF_TP_ADD_TC(tp, isc_entropy_getdata); ++ ++ return (atf_no_error()); ++} ++ 
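Review bot: Both getdata checks in the test body verify only the result code and `returned == sizeof(buffer)`; the bytes in `buffer` are never examined, so a hook that returns ISC_R_SUCCESS without writing anything would pass. Zeroing the buffer before each call with `memset(buffer, 0, sizeof(buffer));` and asserting afterwards with `ATF_REQUIRE(memcmp(buffer, zeros, sizeof(buffer)) != 0);` against a static all-zero array of the same size makes the test exercise the data path, and asserting the hooked and file-source outputs differ is a cheap guard against a stuck generator. The copyright line also says 2014 for a file that is new in this patch.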
+diff --git a/lib/dns/win32/libdns.def.in b/lib/dns/win32/libdns.def.in +index d48eeb2..213e9d9 100644 +--- a/lib/dns/win32/libdns.def.in ++++ b/lib/dns/win32/libdns.def.in +@@ -1480,6 +1480,13 @@ dst_lib_destroy + dst_lib_init + dst_lib_init2 + dst_lib_initmsgcat ++@IF PKCS11 ++dst_random_getdata ++@ELSE PKCS11 ++@IF OPENSSL ++dst_random_getdata ++@END OPENSSL ++@END PKCS11 + dst_region_computeid + dst_region_computerid + dst_result_register +diff --git a/lib/isc/entropy.c b/lib/isc/entropy.c +index 232094a..a85650b 100644 +--- a/lib/isc/entropy.c ++++ b/lib/isc/entropy.c +@@ -103,11 +103,15 @@ struct isc_entropy { + isc_uint32_t initialized; + isc_uint32_t initcount; + isc_entropypool_t pool; ++ isc_boolean_t usehook; + unsigned int nsources; + isc_entropysource_t *nextsource; + ISC_LIST(isc_entropysource_t) sources; + }; + ++/*% Global Hook */ ++static isc_entropy_getdata_t hook; ++ + /*% Sample Queue */ + typedef struct { + isc_uint32_t last_time; /*%< last time recorded */ +@@ -556,6 +560,11 @@ isc_entropy_getdata(isc_entropy_t *ent, void *data, unsigned int length, + + LOCK(&ent->lock); + ++ if (ent->usehook && (hook != NULL)) { ++ UNLOCK(&ent->lock); ++ return (hook(data, length, returned, flags)); ++ } ++ + remain = length; + buf = data; + total = 0; +@@ -707,6 +716,7 @@ isc_entropy_create(isc_mem_t *mctx, isc_entropy_t **entp) { + ent->refcnt = 1; + ent->initialized = 0; + ent->initcount = 0; ++ ent->usehook = ISC_FALSE; + ent->magic = ENTROPY_MAGIC; + + isc_entropypool_init(&ent->pool); +@@ -1286,3 +1296,17 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source, + */ + return (final_result); + } ++ ++void ++isc_entropy_usehook(isc_entropy_t *ectx, isc_boolean_t onoff) { ++ REQUIRE(VALID_ENTROPY(ectx)); ++ ++ LOCK(&ectx->lock); ++ ectx->usehook = onoff; ++ UNLOCK(&ectx->lock); ++} ++ ++void ++isc_entropy_sethook(isc_entropy_getdata_t myhook) { ++ hook = myhook; ++} +diff --git a/lib/isc/include/isc/entropy.h 
b/lib/isc/include/isc/entropy.h +index d52c43e..d9deb8a 100644 +--- a/lib/isc/include/isc/entropy.h ++++ b/lib/isc/include/isc/entropy.h +@@ -303,6 +303,18 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source, + * isc_entropy_createcallbacksource(). + */ + ++void ++isc_entropy_usehook(isc_entropy_t *ectx, isc_boolean_t onoff); ++/*!< ++ * \brief Mark/unmark the given entropy structure as being hooked. ++ */ ++ ++void ++isc_entropy_sethook(isc_entropy_getdata_t myhook); ++/*!< ++ * \brief Set the getdata hook (e.g., for a crypto random generator). ++ */ ++ + ISC_LANG_ENDDECLS + + #endif /* ISC_ENTROPY_H */ +diff --git a/lib/isc/include/isc/platform.h.in b/lib/isc/include/isc/platform.h.in +index d7a5bec..0166b79 100644 +--- a/lib/isc/include/isc/platform.h.in ++++ b/lib/isc/include/isc/platform.h.in +@@ -344,6 +344,11 @@ + */ + @ISC_PLATFORM_HAVESTRINGSH@ + ++/* ++ * Define if the random functions are provided by crypto. ++ */ ++@ISC_PLATFORM_CRYPTORANDOM@ ++ + /* + * Define if the hash functions must be provided by OpenSSL. 
+ */ +diff --git a/lib/isc/include/isc/types.h b/lib/isc/include/isc/types.h +index f161faf..dec577e 100644 +--- a/lib/isc/include/isc/types.h ++++ b/lib/isc/include/isc/types.h +@@ -93,6 +93,8 @@ typedef struct isc_time isc_time_t; /*%< Time */ + typedef struct isc_timer isc_timer_t; /*%< Timer */ + typedef struct isc_timermgr isc_timermgr_t; /*%< Timer Manager */ + ++typedef isc_result_t (*isc_entropy_getdata_t)(void *, unsigned int, ++ unsigned int *, unsigned int); + typedef void (*isc_taskaction_t)(isc_task_t *, isc_event_t *); + typedef int (*isc_sockfdwatch_t)(isc_task_t *, isc_socket_t *, void *, int); + +diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c +index 48e1031..74566c9 100644 +--- a/lib/isc/pk11.c ++++ b/lib/isc/pk11.c +@@ -327,14 +327,16 @@ pk11_rand_seed_fromfile(const char *randomfile) { + ret = isc_stdio_open(randomfile, "r", &stream); + if (ret != ISC_R_SUCCESS) + goto cleanup; +- ret = isc_stdio_read(seed, 1, SEEDSIZE, stream, &cc); +- if (ret!= ISC_R_SUCCESS) +- goto cleanup; ++ while (ret == ISC_R_SUCCESS) { ++ ret = isc_stdio_read(seed, 1, SEEDSIZE, stream, &cc); ++ if ((ret != ISC_R_SUCCESS) && (ret != ISC_R_EOF)) ++ goto cleanup; ++ (void) pkcs_C_SeedRandom(ctx.session, seed, (CK_ULONG) cc); ++ } + ret = isc_stdio_close(stream); + stream = NULL; +- if (ret!= ISC_R_SUCCESS) ++ if (ret != ISC_R_SUCCESS) + goto cleanup; +- (void) pkcs_C_SeedRandom(ctx.session, seed, (CK_ULONG) cc); + + cleanup: + if (stream != NULL) +diff --git a/lib/isc/win32/include/isc/platform.h.in b/lib/isc/win32/include/isc/platform.h.in +index de6a434..2c32782 100644 +--- a/lib/isc/win32/include/isc/platform.h.in ++++ b/lib/isc/win32/include/isc/platform.h.in +@@ -74,6 +74,11 @@ + #define ISC_PLATFORM_NORETURN_PRE __declspec(noreturn) + #define ISC_PLATFORM_NORETURN_POST + ++/* ++ * Define if the random functions are provided by crypto. ++ */ ++@ISC_PLATFORM_CRYPTORANDOM@ ++ + /* + * Define if the hash functions must be provided by OpenSSL. 
+ */ +diff --git a/win32utils/Configure b/win32utils/Configure +index e9f4680..79bb178 100644 +--- a/win32utils/Configure ++++ b/win32utils/Configure +@@ -381,6 +381,7 @@ my @substdefh = ("AES_CC", + my %configdefp; + + my @substdefp = ("ISC_PLATFORM_BUSYWAITNOP", ++ "ISC_PLATFORM_CRYPTORANDOM", + "ISC_PLATFORM_HAVEATOMICSTORE", + "ISC_PLATFORM_HAVEATOMICSTOREQ", + "ISC_PLATFORM_HAVECMPXCHG", +@@ -509,7 +510,8 @@ my @allcond = (@substcond, "NOTYET", "NOLONGER"); + + # enable-xxx/disable-xxx + +-my @enablelist = ("developer", ++my @enablelist = ("crypto-rand", ++ "developer", + "fixed-rrset", + "intrinsics", + "isc-spnego", +@@ -571,6 +573,7 @@ my @help = ( + "\nOptional Features:\n", + " enable-intrinsics enable instrinsic/atomic functions [default=yes]\n", + " enable-native-pkcs11 use native PKCS#11 for all crypto [default=no]\n", ++" enable-crypto-rand use crypto provider for random [default=yes]\n", + " enable-openssl-hash use OpenSSL for hash functions [default=yes]\n", + " enable-isc-spnego use SPNEGO from lib/dns [default=yes]\n", + " enable-filter-aaaa enable filtering of AAAA records [default=yes]\n", +@@ -614,7 +617,9 @@ my $want_clean = "no"; + my $want_unknown = "no"; + my $unknown_value; + my $enable_intrinsics = "yes"; ++my $cryptolib = ""; + my $enable_native_pkcs11 = "no"; ++my $enable_crypto_rand = "yes"; + my $enable_openssl_hash = "auto"; + my $enable_filter_aaaa = "yes"; + my $enable_isc_spnego = "yes"; +@@ -823,6 +828,10 @@ sub myenable { + if ($val =~ /^yes$/i) { + $enable_native_pkcs11 = "yes"; + } ++ } elsif ($key =~ /^crypto-rand$/i) { ++ if ($val =~ /^no$/i) { ++ $enable_crypto_rand = "no"; ++ } + } elsif ($key =~ /^openssl-hash$/i) { + if ($val =~ /^yes$/i) { + $enable_openssl_hash = "yes"; +@@ -1106,6 +1115,11 @@ if ($verbose) { + } else { + print "native-pkcs11: disabled\n"; + } ++ if ($enable_crypto_rand eq "yes") { ++ print "crypto-rand: enabled\n"; ++ } else { ++ print "crypto-rand: disabled\n"; ++ } + if ($enable_openssl_hash eq 
"yes") { + print "openssl-hash: enabled\n"; + } else { +@@ -1449,6 +1463,7 @@ if ($enable_intrinsics eq "yes") { + + # enable-native-pkcs11 + if ($enable_native_pkcs11 eq "yes") { ++ $cryptolib = "pkcs11"; + if ($use_openssl eq "auto") { + $use_openssl = "no"; + } +@@ -1658,6 +1673,7 @@ if ($use_openssl eq "yes") { + $openssl_dll = File::Spec->catdir($openssl_path, "@dirlist[0]"); + } + ++ $cryptolib = "openssl"; + $configcond{"OPENSSL"} = 1; + $configdefd{"CRYPTO"} = "OPENSSL"; + $configvar{"OPENSSL_PATH"} = "$openssl_path"; +@@ -2209,6 +2225,15 @@ if ($cookie_algorithm eq "sha1") { + die "Unrecognized cookie algorithm: $cookie_algorithm\n"; + } + ++# enable-crypto-rand ++if ($enable_crypto_rand eq "yes") { ++ if (($use_openssl eq "no") && ($enable_native_pkcs11 eq "no")) { ++ die "No crypto provider for random functions\n"; ++ } ++ $configdefp{"ISC_PLATFORM_CRYPTORANDOM"} = "\"$cryptolib\""; ++} ++print "Cryptographic library for DNSSEC: $cryptolib"; ++ + # enable-openssl-hash + if ($enable_openssl_hash eq "yes") { + if ($use_openssl eq "no") { +@@ -3531,6 +3556,7 @@ exit 0; + # --enable-developer partially supported + # --enable-newstats (9.9/9.9sub only) + # --enable-native-pkcs11 supported ++# --enable-crypto-rand supported + # --enable-openssl-version-check included without a way to disable it + # --enable-openssl-hash supported + # --enable-threads included without a way to disable it +@@ -3556,6 +3582,7 @@ exit 0; + # --with-gost supported + # --with-aes supported + # --with-cc-alg supported ++# --with-randomdev not supported on WIN32 (makes no sense) + # --with-geoip supported + # --with-gssapi supported with MIT (K)erberos (f)or (W)indows + # --with-lmdb no supported on WIN32 (port is not reliable) +-- +2.14.4 + diff --git a/bind-9.11-rt46047.patch b/bind-9.11-rt46047.patch new file mode 100644 index 0000000000000000000000000000000000000000..915b0ab0dd5e759478122603e79cc2504c4f06fe --- /dev/null +++ b/bind-9.11-rt46047.patch 
@@ -0,0 +1,765 @@
+From 1ab1aabcf9b2b8de144bab7a3ff5d9f7e6ec9ad4 Mon Sep 17 00:00:00 2001
+From: Evan Hunt
+Date: Thu, 28 Sep 2017 10:09:22 -0700
+Subject: [PATCH] completed and corrected the crypto-random change
+
+4724. [func] By default, BIND now uses the random number
+ functions provided by the crypto library (i.e.,
+ OpenSSL or a PKCS#11 provider) as a source of
+ randomness rather than /dev/random. This is
+ suitable for virtual machine environments
+ which have limited entropy pools and lack
+ hardware random number generators.
+
+ This can be overridden by specifying another
+ entropy source via the "random-device" option
+ in named.conf, or via the -r command line option;
+ however, for functions requiring full cryptographic
+ strength, such as DNSSEC key generation, this
+ cannot be overridden. In particular, the -r
+ command line option no longer has any effect on
+ dnssec-keygen.
+
+ This can be disabled by building with
+ "configure --disable-crypto-rand".
+ [RT #31459] [RT #46047]
+---
+ bin/confgen/keygen.c | 12 +++----
+ bin/dnssec/dnssec-keygen.docbook | 24 +++++++++-----
+ bin/dnssec/dnssectool.c | 12 +++----
+ bin/named/client.c | 3 +-
+ bin/named/config.c | 4 ++-
+ bin/named/controlconf.c | 19 +++++++----
+ bin/named/include/named/server.h | 2 ++
+ bin/named/interfacemgr.c | 1 +
+ bin/named/query.c | 1 +
+ bin/named/server.c | 53 ++++++++++++++++++------------
+ bin/nsupdate/nsupdate.c | 4 +--
+ bin/tests/system/pipelined/pipequeries.c | 4 +--
+ bin/tests/system/tkey/keycreate.c | 4 +--
+ bin/tests/system/tkey/keydelete.c | 4 +--
+ doc/arm/Bv9ARM-book.xml | 55 ++++++++++++++++++++++----------
+ doc/arm/notes.xml | 23 ++++++++++++-
+ lib/dns/dst_api.c | 7 ++--
+ lib/dns/include/dst/dst.h | 14 ++++++--
+ lib/dns/openssl_link.c | 3 +-
+ lib/isc/include/isc/entropy.h | 50 +++++++++++++++++++++--------
+ lib/isc/include/isc/random.h | 28 ++++++++++------
+ lib/isccfg/namedconf.c | 2 +-
+ 22 files changed, 219 insertions(+), 110 deletions(-)
+
+diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c
+index fa439cc..a7ad417 100644
+--- a/bin/confgen/keygen.c
++++ b/bin/confgen/keygen.c
+@@ -161,17 +161,15 @@ generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg,
+
+ DO("create entropy context", isc_entropy_create(mctx, &ectx));
+
+- if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) {
+- randomfile = NULL;
+- open_keyboard = ISC_ENTROPY_KEYBOARDYES;
+- }
+ #ifdef ISC_PLATFORM_CRYPTORANDOM
+- if (randomfile != NULL &&
+- strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
+- randomfile = NULL;
++ if (randomfile == NULL) {
+ isc_entropy_usehook(ectx, ISC_TRUE);
+ }
+ #endif
++ if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) {
++ randomfile = NULL;
++ open_keyboard = ISC_ENTROPY_KEYBOARDYES;
++ }
+ DO("start entropy source", isc_entropy_usebestsource(ectx,
+ &entropy_source,
+ randomfile,
+diff --git a/bin/dnssec/dnssec-keygen.docbook b/bin/dnssec/dnssec-keygen.docbook
+index 96dfef6..1c84b06 100644
+--- a/bin/dnssec/dnssec-keygen.docbook
++++ b/bin/dnssec/dnssec-keygen.docbook
+@@ -349,15 +349,23 @@
+ -r randomdev
+
+
+- Specifies the source of randomness. If the operating
+- system does not provide a /dev/random
+- or equivalent device, the default source of randomness
+- is keyboard input. randomdev
+- specifies
++ Specifies a source of randomness. Normally, when generating
++ DNSSEC keys, this option has no effect; the random number
++ generation function provided by the cryptographic library will
++ be used.
++
++
++ If that behavior is disabled at compile time, however,
++ the specified file will be used as entropy source
++ for key generation. randomdev is
+ the name of a character device or file containing random
+- data to be used instead of the default. The special value
+- keyboard indicates that keyboard
+- input should be used.
++ data to be used. The special value keyboard
++ indicates that keyboard input should be used.
++ ++ ++ The default is /dev/random if the ++ operating system provides it or an equivalent device; ++ if not, the default source of randomness is keyboard input. + + + +diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c +index 4ea9eaf..5dd9475 100644 +--- a/bin/dnssec/dnssectool.c ++++ b/bin/dnssec/dnssectool.c +@@ -239,18 +239,16 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { + ISC_LIST_INIT(sources); + } + ++#ifdef ISC_PLATFORM_CRYPTORANDOM ++ if (randomfile == NULL) { ++ isc_entropy_usehook(*ectx, ISC_TRUE); ++ } ++#endif + if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) { + usekeyboard = ISC_ENTROPY_KEYBOARDYES; + randomfile = NULL; + } + +-#ifdef ISC_PLATFORM_CRYPTORANDOM +- if (randomfile != NULL && +- strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { +- randomfile = NULL; +- isc_entropy_usehook(*ectx, ISC_TRUE); +- } +-#endif + result = isc_entropy_usebestsource(*ectx, &source, randomfile, + usekeyboard); + +diff --git a/bin/named/client.c b/bin/named/client.c +index b9ebc93..20e5f39 100644 +--- a/bin/named/client.c ++++ b/bin/named/client.c +@@ -1605,7 +1605,8 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message, + + isc_buffer_init(&buf, cookie, sizeof(cookie)); + isc_stdtime_get(&now); +- isc_random_get(&nonce); ++ nonce = ((isc_rng_random(ns_g_server->rngctx) << 16) | ++ isc_rng_random(ns_g_server->rngctx)); + + compute_cookie(client, now, nonce, ns_g_server->secret, &buf); + +diff --git a/bin/named/config.c b/bin/named/config.c +index c50f759..c1e72ef 100644 +--- a/bin/named/config.c ++++ b/bin/named/config.c +@@ -92,7 +92,9 @@ options {\n\ + # pid-file \"" NS_LOCALSTATEDIR "/run/named/named.pid\"; /* or /lwresd.pid */\n\ + port 53;\n\ + prefetch 2 9;\n" +-#ifdef PATH_RANDOMDEV ++#if defined(ISC_PLATFORM_CRYPTORANDOM) ++" random-device none;\n" ++#elif defined(PATH_RANDOMDEV) + " random-device \"" PATH_RANDOMDEV "\";\n" + #endif + " recursing-file \"named.recursing\";\n\ +diff 
--git a/bin/named/controlconf.c b/bin/named/controlconf.c +index 237e8dc..b905475 100644 +--- a/bin/named/controlconf.c ++++ b/bin/named/controlconf.c +@@ -322,9 +322,10 @@ log_invalid(isccc_ccmsg_t *ccmsg, isc_result_t result) { + + static void + control_recvmessage(isc_task_t *task, isc_event_t *event) { +- controlconnection_t *conn; +- controllistener_t *listener; +- controlkey_t *key; ++ controlconnection_t *conn = NULL; ++ controllistener_t *listener = NULL; ++ ns_server_t *server = NULL; ++ controlkey_t *key = NULL; + isccc_sexpr_t *request = NULL; + isccc_sexpr_t *response = NULL; + isc_uint32_t algorithm; +@@ -335,16 +336,17 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) { + isc_buffer_t *text; + isc_result_t result; + isc_result_t eresult; +- isccc_sexpr_t *_ctrl; ++ isccc_sexpr_t *_ctrl = NULL; + isccc_time_t sent; + isccc_time_t exp; + isc_uint32_t nonce; +- isccc_sexpr_t *data; ++ isccc_sexpr_t *data = NULL; + + REQUIRE(event->ev_type == ISCCC_EVENT_CCMSG); + + conn = event->ev_arg; + listener = conn->listener; ++ server = listener->controls->server; + algorithm = DST_ALG_UNKNOWN; + secret.rstart = NULL; + text = NULL; +@@ -455,8 +457,11 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) { + * Establish nonce. 
+ */ + if (conn->nonce == 0) { +- while (conn->nonce == 0) +- isc_random_get(&conn->nonce); ++ while (conn->nonce == 0) { ++ isc_uint16_t r1 = isc_rng_random(server->rngctx); ++ isc_uint16_t r2 = isc_rng_random(server->rngctx); ++ conn->nonce = (r1 << 16) | r2; ++ } + eresult = ISC_R_SUCCESS; + } else + eresult = ns_control_docommand(request, listener->readonly, &text); +diff --git a/bin/named/include/named/server.h b/bin/named/include/named/server.h +index d8179a6..e03d24d 100644 +--- a/bin/named/include/named/server.h ++++ b/bin/named/include/named/server.h +@@ -17,6 +17,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -131,6 +132,7 @@ struct ns_server { + char * lockfile; + + isc_uint16_t transfer_tcp_message_size; ++ isc_rng_t * rngctx; + }; + + struct ns_altsecret { +diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c +index d8c7188..50f924e 100644 +--- a/bin/named/interfacemgr.c ++++ b/bin/named/interfacemgr.c +@@ -15,6 +15,7 @@ + + #include + #include ++#include + #include + #include + #include +diff --git a/bin/named/query.c b/bin/named/query.c +index accbf3b..d89622d 100644 +--- a/bin/named/query.c ++++ b/bin/named/query.c +@@ -18,6 +18,7 @@ + #include + #include + #include ++#include + #include + #include + #include +diff --git a/bin/named/server.c b/bin/named/server.c +index ca789e5..1413e85 100644 +--- a/bin/named/server.c ++++ b/bin/named/server.c +@@ -8076,21 +8076,30 @@ load_configuration(const char *filename, ns_server_t *server, + * Open the source of entropy. 
+ */ + if (first_time) { ++ const char *randomdev = NULL; ++ int level = ISC_LOG_ERROR; + obj = NULL; + result = ns_config_get(maps, "random-device", &obj); +- if (result != ISC_R_SUCCESS) { +- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, +- NS_LOGMODULE_SERVER, ISC_LOG_INFO, +- "no source of entropy found"); +- } else { +- const char *randomdev = cfg_obj_asstring(obj); ++ if (result == ISC_R_SUCCESS) { ++ if (!cfg_obj_isvoid(obj)) { ++ level = ISC_LOG_INFO; ++ randomdev = cfg_obj_asstring(obj); ++ } ++ } ++ if (randomdev == NULL) { + #ifdef ISC_PLATFORM_CRYPTORANDOM +- if (strcmp(randomdev, ISC_PLATFORM_CRYPTORANDOM) == 0) +- isc_entropy_usehook(ns_g_entropy, ISC_TRUE); ++ isc_entropy_usehook(ns_g_entropy, ISC_TRUE); + #else +- int level = ISC_LOG_ERROR; +- result = isc_entropy_createfilesource(ns_g_entropy, +- randomdev); ++ if ((obj != NULL) && !cfg_obj_isvoid(obj)) ++ level = ISC_LOG_INFO; ++ isc_log_write(named_g_lctx, NS_LOGCATEGORY_GENERAL, ++ NS_LOGMODULE_SERVER, level, ++ "no source of entropy found"); ++ if ((obj == NULL) || cfg_obj_isvoid(obj)) { ++ CHECK(ISC_R_FAILURE); ++ } ++#endif ++ } else { + #ifdef PATH_RANDOMDEV + if (ns_g_fallbackentropy != NULL) { + level = ISC_LOG_INFO; +@@ -8101,8 +8110,8 @@ load_configuration(const char *filename, ns_server_t *server, + NS_LOGCATEGORY_GENERAL, + NS_LOGMODULE_SERVER, + level, +- "could not open entropy source " +- "%s: %s", ++ "could not open " ++ "entropy source %s: %s", + randomdev, + isc_result_totext(result)); + } +@@ -8122,7 +8131,6 @@ load_configuration(const char *filename, ns_server_t *server, + } + isc_entropy_detach(&ns_g_fallbackentropy); + } +-#endif + #endif + } + } +@@ -8911,6 +8919,9 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) { + CHECKFATAL(dns_tkeyctx_create(ns_g_mctx, ns_g_entropy, + &server->tkeyctx), + "creating TKEY context"); ++ server->rngctx = NULL; ++ CHECKFATAL(isc_rng_create(ns_g_mctx, ns_g_entropy, &server->rngctx), ++ "creating random numbers context"); + + /* 
+ * Setup the server task, which is responsible for coordinating +@@ -9117,7 +9128,8 @@ ns_server_destroy(ns_server_t **serverp) { + + if (server->zonemgr != NULL) + dns_zonemgr_detach(&server->zonemgr); +- ++ if (server->rngctx != NULL) ++ isc_rng_detach(&server->rngctx); + if (server->tkeyctx != NULL) + dns_tkeyctx_destroy(&server->tkeyctx); + +@@ -13018,10 +13030,10 @@ newzone_cfgctx_destroy(void **cfgp) { + + static isc_result_t + generate_salt(unsigned char *salt, size_t saltlen) { +- int i, n; ++ size_t i, n; + union { + unsigned char rnd[256]; +- isc_uint32_t rnd32[64]; ++ isc_uint16_t rnd16[128]; + } rnd; + unsigned char text[512 + 1]; + isc_region_t r; +@@ -13031,9 +13043,10 @@ generate_salt(unsigned char *salt, size_t saltlen) { + if (saltlen > 256U) + return (ISC_R_RANGE); + +- n = (int) (saltlen + sizeof(isc_uint32_t) - 1) / sizeof(isc_uint32_t); +- for (i = 0; i < n; i++) +- isc_random_get(&rnd.rnd32[i]); ++ n = (saltlen + sizeof(isc_uint16_t) - 1) / sizeof(isc_uint16_t); ++ for (i = 0; i < n; i++) { ++ rnd.rnd16[i] = isc_rng_random(ns_g_server->rngctx); ++ } + + memmove(salt, rnd.rnd, saltlen); + +diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c +index 46c7acf..a0d0278 100644 +--- a/bin/nsupdate/nsupdate.c ++++ b/bin/nsupdate/nsupdate.c +@@ -281,9 +281,7 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { + } + + #ifdef ISC_PLATFORM_CRYPTORANDOM +- if (randomfile != NULL && +- strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { +- randomfile = NULL; ++ if (randomfile == NULL) { + isc_entropy_usehook(*ectx, ISC_TRUE); + } + #endif +diff --git a/bin/tests/system/pipelined/pipequeries.c b/bin/tests/system/pipelined/pipequeries.c +index 810d99e..d7d10e2 100644 +--- a/bin/tests/system/pipelined/pipequeries.c ++++ b/bin/tests/system/pipelined/pipequeries.c +@@ -279,9 +279,7 @@ main(int argc, char *argv[]) { + ectx = NULL; + RUNCHECK(isc_entropy_create(mctx, &ectx)); + #ifdef ISC_PLATFORM_CRYPTORANDOM +- if 
(randomfile != NULL && +- strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { +- randomfile = NULL; ++ if (randomfile == NULL) { + isc_entropy_usehook(ectx, ISC_TRUE); + } + #endif +diff --git a/bin/tests/system/tkey/keycreate.c b/bin/tests/system/tkey/keycreate.c +index 4f2f5b4..0894db7 100644 +--- a/bin/tests/system/tkey/keycreate.c ++++ b/bin/tests/system/tkey/keycreate.c +@@ -255,9 +255,7 @@ main(int argc, char *argv[]) { + ectx = NULL; + RUNCHECK(isc_entropy_create(mctx, &ectx)); + #ifdef ISC_PLATFORM_CRYPTORANDOM +- if (randomfile != NULL && +- strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { +- randomfile = NULL; ++ if (randomfile == NULL) { + isc_entropy_usehook(ectx, ISC_TRUE); + } + #endif +diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c +index 0975bbe..5b8a470 100644 +--- a/bin/tests/system/tkey/keydelete.c ++++ b/bin/tests/system/tkey/keydelete.c +@@ -182,9 +182,7 @@ main(int argc, char **argv) { + ectx = NULL; + RUNCHECK(isc_entropy_create(mctx, &ectx)); + #ifdef ISC_PLATFORM_CRYPTORANDOM +- if (randomfile != NULL && +- strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { +- randomfile = NULL; ++ if (randomfile == NULL) { + isc_entropy_usehook(ectx, ISC_TRUE); + } + #endif +diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml +index a5d9e2e..2a96f71 100644 +--- a/doc/arm/Bv9ARM-book.xml ++++ b/doc/arm/Bv9ARM-book.xml +@@ -5070,22 +5070,45 @@ badresp:1,adberr:0,findfail:0,valfail:0] + random-device + + +- The source of entropy to be used by the server. Entropy is +- primarily needed +- for DNSSEC operations, such as TKEY transactions and dynamic +- update of signed +- zones. This options specifies the device (or file) from which +- to read +- entropy. If this is a file, operations requiring entropy will +- fail when the +- file has been exhausted. If not specified, the default value +- is +- /dev/random +- (or equivalent) when present, and none otherwise. 
The +- random-device option takes +- effect during +- the initial configuration load at server startup time and +- is ignored on subsequent reloads. ++ Specifies a source of entropy to be used by the server. ++ This is a device or file from which to read entropy. ++ If it is a file, operations requiring entropy ++ will fail when the file has been exhausted. ++ ++ ++ Entropy is needed for cryptographic operations such as ++ TKEY transactions, dynamic update of signed zones, and ++ generation of TSIG session keys. It is also used for ++ seeding and stirring the pseudo-random number generator, ++ which is used for less critical functions requiring ++ randomness such as generation of DNS message transaction ++ ID's. ++ ++ ++ If random-device is not specified, or ++ if it is set to none, entropy will be ++ read from the random number generation function supplied ++ by the cryptographic library with which BIND was linked ++ (i.e. OpenSSL or a PKCS#11 provider). ++ ++ ++ The random-device option takes ++ effect during the initial configuration load at server ++ startup time and is ignored on subsequent reloads. ++ ++ ++ If BIND is built with ++ configure --disable-crypto-rand, then ++ entropy is not sourced from the ++ cryptographic library. In this case, if ++ random-device is not specified, the ++ default value is the system random device, ++ /dev/random or the equivalent. ++ This default can be overridden with ++ configure --with-randomdev. ++ If no system random device exists, then no entropy source ++ will be configured, and named will only ++ be able to use pseudo-random numbers. + + + +diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml +index d3fdb5e..a8ad92d 100644 +--- a/doc/arm/notes.xml ++++ b/doc/arm/notes.xml +@@ -105,7 +105,28 @@ + + + +- None. ++ By default, BIND now uses the random number generation functions ++ in the cryptographic library (i.e., OpenSSL or a PKCS#11 ++ provider) as a source of high-quality randomness rather than ++ /dev/random. 
This is suitable for virtual ++ machine environments, which may have limited entropy pools and ++ lack hardware random number generators. ++ ++ ++ This can be overridden by specifying another entropy source via ++ the random-device option in ++ named.conf, or via the -r ++ command line option. However, for functions requiring full ++ cryptographic strength, such as DNSSEC key generation, this ++ cannot be overridden. In particular, the ++ -r command line option no longer has any ++ effect on dnssec-keygen. ++ ++ ++ This can be disabled by building with ++ configure --disable-crypto-rand, in which ++ case /dev/random will be the default ++ entropy source. [RT #31459] [RT #46047] + + + +diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c +index 803e7b3..29a4fef 100644 +--- a/lib/dns/dst_api.c ++++ b/lib/dns/dst_api.c +@@ -276,8 +276,9 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx, + #endif + #if defined(OPENSSL) || defined(PKCS11CRYPTO) + #ifdef ISC_PLATFORM_CRYPTORANDOM +- if (dst_entropy_pool != NULL) ++ if (dst_entropy_pool != NULL) { + isc_entropy_sethook(dst_random_getdata); ++ } + #endif + #endif /* defined(OPENSSL) || defined(PKCS11CRYPTO) */ + dst_initialized = ISC_TRUE; +@@ -2015,10 +2016,12 @@ dst__entropy_getdata(void *buf, unsigned int len, isc_boolean_t pseudo) { + else + flags |= ISC_ENTROPY_BLOCKING; + #ifdef ISC_PLATFORM_CRYPTORANDOM ++ /* get entropy directly from crypto provider */ + return (dst_random_getdata(buf, len, NULL, flags)); + #else ++ /* get entropy from entropy source or hook function */ + return (isc_entropy_getdata(dst_entropy_pool, buf, len, NULL, flags)); +-#endif ++#endif /* ISC_PLATFORM_CRYPTORANDOM */ + #endif /* PKCS11CRYPTO */ + } + +diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h +index d9b6ab6..e8c1a3c 100644 +--- a/lib/dns/include/dst/dst.h ++++ b/lib/dns/include/dst/dst.h +@@ -161,8 +161,18 @@ isc_result_t + dst_random_getdata(void *data, unsigned int length, + unsigned int *returned, unsigned int 
flags); + /*%< +- * \brief Return data from the crypto random generator. +- * Specialization of isc_entropy_getdata(). ++ * Gets random data from the random generator provided by the ++ * crypto library, if BIND was built with --enable-crypto-rand. ++ * ++ * See isc_entropy_getdata() for parameter usage. Normally when ++ * this function is available, it will be set up as a hook in the ++ * entropy context, so that isc_entropy_getdata() is a front-end to ++ * this function. ++ * ++ * Returns: ++ * \li ISC_R_SUCCESS on success ++ * \li ISC_R_NOTIMPLEMENTED if BIND is built with --disable-crypto-rand ++ * \li DST_R_OPENSSLFAILURE, DST_R_CRYPTOFAILURE, or other codes on error + */ + + isc_boolean_t +diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c +index c1e1bde..91e87d0 100644 +--- a/lib/dns/openssl_link.c ++++ b/lib/dns/openssl_link.c +@@ -482,7 +482,8 @@ dst__openssl_getengine(const char *engine) { + + isc_result_t + dst_random_getdata(void *data, unsigned int length, +- unsigned int *returned, unsigned int flags) { ++ unsigned int *returned, unsigned int flags) ++{ + #ifdef ISC_PLATFORM_CRYPTORANDOM + #ifndef DONT_REQUIRE_DST_LIB_INIT + INSIST(dst__memory_pool != NULL); +diff --git a/lib/isc/include/isc/entropy.h b/lib/isc/include/isc/entropy.h +index d9deb8a..2d37363 100644 +--- a/lib/isc/include/isc/entropy.h ++++ b/lib/isc/include/isc/entropy.h +@@ -9,8 +9,6 @@ + * information regarding copyright ownership. + */ + +-/* $Id: entropy.h,v 1.35 2009/10/19 02:37:08 marka Exp $ */ +- + #ifndef ISC_ENTROPY_H + #define ISC_ENTROPY_H 1 + +@@ -190,9 +188,8 @@ isc_entropy_createcallbacksource(isc_entropy_t *ent, + /*!< + * \brief Create an entropy source that is polled via a callback. + * +- * This would +- * be used when keyboard input is used, or a GUI input method. It can +- * also be used to hook in any external entropy source. ++ * This would be used when keyboard input is used, or a GUI input method. 
++ * It can also be used to hook in any external entropy source. + * + * Samples are added via isc_entropy_addcallbacksample(), below. + * _addcallbacksample() is the only function which may be called from +@@ -233,15 +230,32 @@ isc_result_t + isc_entropy_getdata(isc_entropy_t *ent, void *data, unsigned int length, + unsigned int *returned, unsigned int flags); + /*!< +- * \brief Extract data from the entropy pool. This may load the pool from various +- * sources. ++ * \brief Get random data from entropy pool 'ent'. ++ * ++ * If a hook has been set up using isc_entropy_sethook() and ++ * isc_entropy_usehook(), then the hook function will be called to get ++ * random data. ++ * ++ * Otherwise, randomness is extracted from the entropy pool set up in BIND. ++ * This may cause the pool to be loaded from various sources. Ths is done ++ * by stirring the pool and returning a part of hash as randomness. ++ * (Note that no secrets are given away here since parts of the hash are ++ * XORed together before returning.) ++ * ++ * 'flags' may contain ISC_ENTROPY_GOODONLY, ISC_ENTROPY_PARTIAL, or ++ * ISC_ENTROPY_BLOCKING. These will be honored if the hook function is ++ * not in use. If it is, the flags will be passed to the hook function ++ * but it may ignore them. + * +- * Do this by stiring the pool and returning a part of hash as randomness. +- * Note that no secrets are given away here since parts of the hash are +- * xored together before returned. ++ * Up to 'length' bytes of randomness are retrieved and copied into 'data'. ++ * (If 'returned' is not NULL, and the number of bytes copied is less than ++ * 'length' - which may happen if ISC_ENTROPY_PARTIAL was used - then the ++ * number of bytes copied will be stored in *returned.) + * +- * Honor the request from the caller to only return good data, any data, +- * etc. 
++ * Returns: ++ * \li ISC_R_SUCCESS on success ++ * \li ISC_R_NOENTROPY if entropy pool is empty ++ * \li other error codes are possible when a hook is in use + */ + + void +@@ -306,13 +320,21 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source, + void + isc_entropy_usehook(isc_entropy_t *ectx, isc_boolean_t onoff); + /*!< +- * \brief Mark/unmark the given entropy structure as being hooked. ++ * \brief Configure entropy context 'ectx' to use the hook function ++ * ++ * Sets the entropy context to call the hook function for random number ++ * generation, if such a function has been configured via ++ * isc_entropy_sethook(), whenever isc_entropy_getdata() is called. + */ + + void + isc_entropy_sethook(isc_entropy_getdata_t myhook); + /*!< +- * \brief Set the getdata hook (e.g., for a crypto random generator). ++ * \brief Set the hook function. ++ * ++ * The hook function is a global value: only one hook function ++ * can be set in the system. Individual entropy contexts may be ++ * configured to use it, or not, by calling isc_entropy_usehook(). + */ + + ISC_LANG_ENDDECLS +diff --git a/lib/isc/include/isc/random.h b/lib/isc/include/isc/random.h +index ba53ebf..b575728 100644 +--- a/lib/isc/include/isc/random.h ++++ b/lib/isc/include/isc/random.h +@@ -9,8 +9,6 @@ + * information regarding copyright ownership. + */ + +-/* $Id: random.h,v 1.20 2009/01/17 23:47:43 tbox Exp $ */ +- + #ifndef ISC_RANDOM_H + #define ISC_RANDOM_H 1 + +@@ -21,13 +19,23 @@ + #include + + /*! \file isc/random.h +- * \brief Implements a random state pool which will let the caller return a +- * series of possibly non-reproducible random values. ++ * \brief Implements pseudo random number generators. ++ * ++ * Two pseudo-random number generators are implemented, in isc_random_* ++ * and isc_rng_*. Neither one is very strong; they should not be used ++ * in cryptography functions. ++ * ++ * isc_random_* is based on arc4random if it is available on the system. 
++ * Otherwise it is based on the posix srand() and rand() functions. ++ * It is useful for jittering values a bit here and there, such as ++ * timeouts, etc, but should not be relied upon to generate ++ * unpredictable sequences (for example, when choosing transaction IDs). + * +- * Note that the +- * strength of these numbers is not all that high, and should not be +- * used in cryptography functions. It is useful for jittering values +- * a bit here and there, such as timeouts, etc. ++ * isc_rng_* is based on ChaCha20, and is seeded and stirred from the ++ * system entropy source. It is stronger than isc_random_* and can ++ * be used for generating unpredictable sequences. It is still not as ++ * good as using system entropy directly (see entropy.h) and should not ++ * be used for cryptographic functions such as key generation. + */ + + ISC_LANG_BEGINDECLS +@@ -115,8 +123,8 @@ isc_rng_random(isc_rng_t *rngctx); + isc_uint16_t + isc_rng_uniformrandom(isc_rng_t *rngctx, isc_uint16_t upper_bound); + /*%< +- * Returns a uniformly distributed pseudo random 16-bit unsigned +- * integer. ++ * Returns a uniformly distributed pseudo-random 16-bit unsigned integer ++ * less than 'upper_bound'. + */ + + ISC_LANG_ENDDECLS +diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c +index 8d496ff..dd08187 100644 +--- a/lib/isccfg/namedconf.c ++++ b/lib/isccfg/namedconf.c +@@ -1106,7 +1106,7 @@ options_clauses[] = { + { "pid-file", &cfg_type_qstringornone, 0 }, + { "port", &cfg_type_uint32, 0 }, + { "querylog", &cfg_type_boolean, 0 }, +- { "random-device", &cfg_type_qstring, 0 }, ++ { "random-device", &cfg_type_qstringornone, 0 }, + { "recursing-file", &cfg_type_qstring, 0 }, + { "recursive-clients", &cfg_type_uint32, 0 }, + { "reserved-sockets", &cfg_type_uint32, 0 }, +-- +2.14.4 + 
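Review bot: The `#else` branch of the new `random-device` handling in bin/named/server.c logs through `named_g_lctx`, while the line it replaces and every other global touched by this patch use the `ns_g_` prefix (`ns_g_entropy`, `ns_g_mctx`, `ns_g_server`, `ns_g_fallbackentropy`); in a 9.11 tree that identifier looks undeclared, so a build with `--disable-crypto-rand` would presumably fail to compile, and the default build never exercises that path, which is why it goes unnoticed. The line should read `isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,`. Separately, the two 32-bit nonces assembled in bin/named/client.c and bin/named/controlconf.c shift an `isc_uint16_t` left by 16 after integer promotion to `int`, so any value at or above 0x8000 shifts into the sign bit, which C leaves undefined; widening first, `conn->nonce = ((isc_uint32_t)r1 << 16) | r2;` (and the same cast on the client.c expression), avoids that. The enclosing functions (load_configuration, ns_client_addopt, control_recvmessage) extend beyond the inner hunks shown here.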
diff --git a/bind-9.11.4-P2.tar.gz b/bind-9.11.4-P2.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..356af5beed75cbe98e187f42836ee0fb23102c54
Binary files /dev/null and b/bind-9.11.4-P2.tar.gz differ
diff --git a/bind-9.3.1rc1-sdb_tools-Makefile.in b/bind-9.3.1rc1-sdb_tools-Makefile.in
new file mode 100644
index 0000000000000000000000000000000000000000..c7e0868a03b41a2bda605b171ed0def6c9b94e91
--- /dev/null
+++ b/bind-9.3.1rc1-sdb_tools-Makefile.in
@@ -0,0 +1,63 @@
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include \
+ ${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \
+ ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES}
+
+CDEFINES = -DBIND9
+
+DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
+ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
+ISCCCLIBS = ../../lib/isccc/libisccc.@A@
+ISCLIBS = ../../lib/isc/libisc.@A@
+LWRESLIBS = ../../lib/lwres/liblwres.@A@
+BIND9LIBS = ../../lib/bind9/libbind9.@A@
+
+DNSDEPLIBS = ../../lib/dns/libdns.@A@
+ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
+ISCCCDEPLIBS = ../../lib/isccc/libisccc.@A@
+ISCDEPLIBS = ../../lib/isc/libisc.@A@
+LWRESDEPLIBS = ../../lib/lwres/liblwres.@A@
+BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
+
+DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
+ ${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${ISCDEPLIBS}
+
+LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
+ ${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} ${DBDRIVER_LIBS} @LIBS@
+
+TARGETS = zone2ldap@EXEEXT@ zonetodb@EXEEXT@
+
+OBJS = zone2ldap.@O@ zonetodb.@O@
+
+SRCS = zone2ldap.c zonetodb.c
+
+MANPAGES = zone2ldap.1
+
+EXT_CFLAGS =
+
+@BIND9_MAKE_RULES@
+
+zone2ldap@EXEEXT@: zone2ldap.@O@ ${DEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ zone2ldap.@O@ -lldap -llber ${LIBS}
+
+zonetodb@EXEEXT@: zonetodb.@O@ ${DEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ zonetodb.@O@ -lpq ${LIBS}
+
+clean distclean manclean maintainer-clean::
+ rm -f ${TARGETS} ${OBJS}
+
+installdirs:
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1
+
+install:: ${TARGETS} installdirs
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2ldap@EXEEXT@ ${DESTDIR}${sbindir}
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zonetodb@EXEEXT@ ${DESTDIR}${sbindir}
+ ${INSTALL_DATA} ${srcdir}/zone2ldap.1 ${DESTDIR}${mandir}/man1/zone2ldap.1
diff --git a/bind-9.3.2b1-fix_sdb_ldap.patch b/bind-9.3.2b1-fix_sdb_ldap.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d027bb92c9c505e12b8f161e686263b1d39f5ba6
--- /dev/null
+++ b/bind-9.3.2b1-fix_sdb_ldap.patch
@@ -0,0 +1,519 @@ +diff --git a/bin/sdb_tools/Makefile.in b/bin/sdb_tools/Makefile.in +index 95ab742..6069f09 100644 +--- a/bin/sdb_tools/Makefile.in ++++ b/bin/sdb_tools/Makefile.in +@@ -32,11 +32,11 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \ + LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \ + ${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} ${DBDRIVER_LIBS} @LIBS@ + +-TARGETS = zone2ldap@EXEEXT@ zonetodb@EXEEXT@ zone2sqlite@EXEEXT@ ++TARGETS = zone2ldap@EXEEXT@ ldap2zone@EXEEXT@ zonetodb@EXEEXT@ zone2sqlite@EXEEXT@ + +-OBJS = zone2ldap.@O@ zonetodb.@O@ zone2sqlite.@O@ ++OBJS = zone2ldap.@O@ ldap2zone.@O@ zonetodb.@O@ zone2sqlite.@O@ + +-SRCS = zone2ldap.c zonetodb.c zone2sqlite.c ++SRCS = zone2ldap.c ldap2zone.c zonetodb.c zone2sqlite.c + + MANPAGES = zone2ldap.1 + +@@ -53,6 +53,9 @@ zonetodb@EXEEXT@: zonetodb.@O@ ${DEPLIBS} + zone2sqlite@EXEEXT@: zone2sqlite.@O@ ${DEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ zone2sqlite.@O@ -lsqlite3 -lssl ${LIBS} + ++ldap2zone@EXEEXT@: ldap2zone.@O@ ${DEPLIBS} ++ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ ldap2zone.@O@ -lldap -llber ${LIBS} ++ + clean distclean manclean maintainer-clean:: + rm -f ${TARGETS} ${OBJS} + +@@ -62,6 +65,7 @@ installdirs: + + install:: ${TARGETS} installdirs + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2ldap@EXEEXT@ ${DESTDIR}${sbindir} ++ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} ldap2zone@EXEEXT@ ${DESTDIR}${sbindir} + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zonetodb@EXEEXT@ ${DESTDIR}${sbindir} + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2sqlite@EXEEXT@ ${DESTDIR}${sbindir} + ${INSTALL_DATA} ${srcdir}/zone2ldap.1 ${DESTDIR}${mandir}/man1/zone2ldap.1 +diff --git a/bin/sdb_tools/zone2ldap.c b/bin/sdb_tools/zone2ldap.c +index 23dd873..d56bc56 100644 +--- a/bin/sdb_tools/zone2ldap.c ++++ b/bin/sdb_tools/zone2ldap.c +@@ -65,6 +66,9 @@ ldap_info; + /* usage Info */ + void usage (void); + ++/* Check for existence of (and possibly 
add) containing dNSZone objects */ ++int lookup_dns_zones( ldap_info *ldinfo); ++ + /* Add to the ldap dit */ + void add_ldap_values (ldap_info * ldinfo); + +@@ -81,7 +85,7 @@ char **hostname_to_dn_list (char *hostname, char *zone, unsigned int flags); + int get_attr_list_size (char **tmp); + + /* Get a DN */ +-char *build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag); ++char *build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag, char *zone); + + /* Add to RR list */ + void add_to_rr_list (char *dn, char *name, char *type, char *data, +@@ -103,11 +107,27 @@ void + init_ldap_conn (); + void usage(); + +-char *argzone, *ldapbase, *binddn, *bindpw = NULL; +-const char *ldapsystem = "localhost"; +-static const char *objectClasses[] = +- { "top", "dNSZone", NULL }; +-static const char *topObjectClasses[] = { "top", NULL }; ++static char *argzone, *ldapbase, *binddn, *bindpw = NULL; ++ ++/* these are needed to placate gcc4's const-ness const-ernations : */ ++static char localhost[] = "localhost"; ++static char *ldapsystem=&(localhost[0]); ++/* dnszone schema class names: */ ++static char topClass [] ="top"; ++static char dNSZoneClass[] ="dNSZone"; ++static char objectClass [] ="objectClass"; ++static char dcObjectClass[]="dcObject"; ++/* dnszone schema attribute names: */ ++static char relativeDomainName[]="relativeDomainName"; ++static char dNSTTL []="dNSTTL"; ++static char zoneName []="zoneName"; ++static char dc []="dc"; ++static char sameZone []="@"; ++/* LDAPMod mod_values: */ ++static char *objectClasses []= { &(topClass[0]), &(dNSZoneClass[0]), NULL }; ++static char *topObjectClasses []= { &(topClass[0]), &(dcObjectClass[0]), &(dNSZoneClass[0]), NULL }; ++static char *dn_buffer [64]={NULL}; ++ + LDAP *conn; + unsigned int debug = 0; + +@@ -131,12 +151,12 @@ main (int argc, char **argv) + isc_result_t result; + char *basedn; + ldap_info *tmp; +- LDAPMod *base_attrs[2]; +- LDAPMod base; ++ LDAPMod *base_attrs[5]; ++ LDAPMod base, dcBase, 
znBase, rdnBase; + isc_buffer_t buff; + char *zonefile=0L; + char fullbasedn[1024]; +- char *ctmp; ++ char *ctmp, *zn, *dcp[2], *znp[2], *rdn[2]; + dns_fixedname_t fixedzone, fixedname; + dns_rdataset_t rdataset; + char **dc_list; +@@ -149,7 +169,7 @@ main (int argc, char **argv) + extern char *optarg; + extern int optind, opterr, optopt; + int create_base = 0; +- int topt; ++ int topt, dcn, zdn, znlen; + + if (argc < 2) + { +@@ -157,7 +177,7 @@ main (int argc, char **argv) + exit (-1); + } + +- while ((topt = getopt (argc, argv, "D:w:b:z:f:h:?dcv")) != -1) ++ while ((topt = getopt (argc, argv, "D:Ww:b:z:f:h:?dcv")) != -1) + { + switch (topt) + { +@@ -180,6 +200,9 @@ main (int argc, char **argv) + if (bindpw == NULL) + fatal("strdup"); + break; ++ case 'W': ++ bindpw = getpass("Enter LDAP Password: "); ++ break; + case 'b': + ldapbase = strdup (optarg); + if (ldapbase == NULL) +@@ -301,27 +324,62 @@ main (int argc, char **argv) + { + if (debug) + printf ("Creating base zone DN %s\n", argzone); +- ++ + dc_list = hostname_to_dn_list (argzone, argzone, DNS_TOP); +- basedn = build_dn_from_dc_list (dc_list, 0, NO_SPEC); + +- for (ctmp = &basedn[strlen (basedn)]; ctmp >= &basedn[0]; ctmp--) ++ basedn = build_dn_from_dc_list (dc_list, 0, NO_SPEC, argzone); ++ if (debug) ++ printf ("base DN %s\n", basedn); ++ ++ for (ctmp = &basedn[strlen (basedn)], dcn=0; ctmp >= &basedn[0]; ctmp--) + { +- if ((*ctmp == ',') || (ctmp == &basedn[0])) ++ if ((*ctmp == ',') || (ctmp == &basedn[0])) + { ++ + base.mod_op = LDAP_MOD_ADD; +- base.mod_type = (char*)"objectClass"; +- base.mod_values = (char**)topObjectClasses; ++ base.mod_type = objectClass; ++ base.mod_values = topObjectClasses; + base_attrs[0] = (void*)&base; +- base_attrs[1] = NULL; +- ++ ++ dcBase.mod_op = LDAP_MOD_ADD; ++ dcBase.mod_type = dc; ++ dcp[0]=dc_list[dcn]; ++ dcp[1]=0L; ++ dcBase.mod_values=dcp; ++ base_attrs[1] = (void*)&dcBase; ++ ++ znBase.mod_op = LDAP_MOD_ADD; ++ znBase.mod_type = zoneName; ++ for( zdn = dcn, 
znlen = 0; zdn >= 0; zdn-- ) ++ znlen += strlen(dc_list[zdn])+1; ++ znp[0] = (char*)malloc(znlen+1); ++ znp[1] = 0L; ++ for( zdn = dcn, zn=znp[0]; zdn >= 0; zdn-- ) ++ zn+=sprintf(zn,"%s%s",dc_list[zdn], ++ ((zdn > 0) && (*(dc_list[zdn-1])!='.')) ? "." : "" ++ ); ++ ++ znBase.mod_values = znp; ++ base_attrs[2] = (void*)&znBase; ++ ++ rdnBase.mod_op = LDAP_MOD_ADD; ++ rdnBase.mod_type = relativeDomainName; ++ rdn[0] = strdup(sameZone); ++ rdn[1] = 0L; ++ rdnBase.mod_values = rdn; ++ base_attrs[3] = (void*)&rdnBase; ++ ++ dcn++; ++ ++ base.mod_values = topObjectClasses; ++ base_attrs[4] = NULL; ++ + if (ldapbase) + { + if (ctmp != &basedn[0]) + sprintf (fullbasedn, "%s,%s", ctmp + 1, ldapbase); + else +- sprintf (fullbasedn, "%s,%s", ctmp, ldapbase); +- ++ sprintf (fullbasedn, "%s,%s", ctmp, ldapbase); + } + else + { +@@ -330,8 +388,13 @@ main (int argc, char **argv) + else + sprintf (fullbasedn, "%s", ctmp); + } ++ ++ if( debug ) ++ printf("Full base dn: %s\n", fullbasedn); ++ + result = ldap_add_s (conn, fullbasedn, base_attrs); + ldap_result_check ("intial ldap_add_s", fullbasedn, result); ++ + } + + } +@@ -409,14 +472,14 @@ generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, unsigned int ttl) + isc_result_check (result, "dns_rdata_totext"); + data[isc_buffer_usedlength (&buff)] = 0; + +- dc_list = hostname_to_dn_list (name, argzone, DNS_OBJECT); ++ dc_list = hostname_to_dn_list ((char*)name, argzone, DNS_OBJECT); + len = (get_attr_list_size (dc_list) - 2); +- dn = build_dn_from_dc_list (dc_list, ttl, WI_SPEC); ++ dn = build_dn_from_dc_list (dc_list, ttl, WI_SPEC, argzone); + + if (debug) + printf ("Adding %s (%s %s) to run queue list.\n", dn, type, data); + +- add_to_rr_list (dn, dc_list[len], type, data, ttl, DNS_OBJECT); ++ add_to_rr_list (dn, dc_list[len], (char*)type, (char*)data, ttl, DNS_OBJECT); + } + + +@@ -456,7 +519,8 @@ add_to_rr_list (char *dn, char *name, char *type, + int attrlist; + char ldap_type_buffer[128]; + char charttl[64]; +- ++ char 
*zn; ++ int znlen; + + if ((tmp = locate_by_dn (dn)) == NULL) + { +@@ -483,13 +547,13 @@ add_to_rr_list (char *dn, char *name, char *type, + fatal("malloc"); + } + tmp->attrs[0]->mod_op = LDAP_MOD_ADD; +- tmp->attrs[0]->mod_type = (char*)"objectClass"; ++ tmp->attrs[0]->mod_type = objectClass; + + if (flags == DNS_OBJECT) +- tmp->attrs[0]->mod_values = (char**)objectClasses; ++ tmp->attrs[0]->mod_values = objectClasses; + else + { +- tmp->attrs[0]->mod_values = (char**)topObjectClasses; ++ tmp->attrs[0]->mod_values =topObjectClasses; + tmp->attrs[1] = NULL; + tmp->attrcnt = 2; + tmp->next = ldap_info_base; +@@ -498,7 +562,7 @@ add_to_rr_list (char *dn, char *name, char *type, + } + + tmp->attrs[1]->mod_op = LDAP_MOD_ADD; +- tmp->attrs[1]->mod_type = (char*)"relativeDomainName"; ++ tmp->attrs[1]->mod_type = relativeDomainName; + tmp->attrs[1]->mod_values = (char **) calloc (sizeof (char *), 2); + + if (tmp->attrs[1]->mod_values == (char **)NULL) +@@ -527,7 +591,7 @@ add_to_rr_list (char *dn, char *name, char *type, + fatal("strdup"); + + tmp->attrs[3]->mod_op = LDAP_MOD_ADD; +- tmp->attrs[3]->mod_type = (char*)"dNSTTL"; ++ tmp->attrs[3]->mod_type = dNSTTL; + tmp->attrs[3]->mod_values = (char **) calloc (sizeof (char *), 2); + + if (tmp->attrs[3]->mod_values == (char **)NULL) +@@ -540,14 +604,25 @@ add_to_rr_list (char *dn, char *name, char *type, + if (tmp->attrs[3]->mod_values[0] == NULL) + fatal("strdup"); + ++ znlen=strlen(gbl_zone); ++ if ( *(gbl_zone + (znlen-1)) == '.' 
) ++ { /* ldapdb MUST search by relative zone name */ ++ zn = (char*)malloc(znlen); ++ strncpy(zn,gbl_zone,znlen-1); ++ *(zn + (znlen-1))='\0'; ++ }else ++ { ++ zn = gbl_zone; ++ } ++ + tmp->attrs[4]->mod_op = LDAP_MOD_ADD; +- tmp->attrs[4]->mod_type = (char*)"zoneName"; ++ tmp->attrs[4]->mod_type = zoneName; + tmp->attrs[4]->mod_values = (char **)calloc(sizeof(char *), 2); + + if (tmp->attrs[4]->mod_values == (char **)NULL) + fatal("calloc"); + +- tmp->attrs[4]->mod_values[0] = gbl_zone; ++ tmp->attrs[4]->mod_values[0] = zn; + tmp->attrs[4]->mod_values[1] = NULL; + + tmp->attrs[5] = NULL; +@@ -558,7 +633,7 @@ add_to_rr_list (char *dn, char *name, char *type, + else + { + +- for (i = 0; tmp->attrs[i] != NULL; i++) ++ for (i = 0; tmp->attrs[i] != NULL; i++) + { + sprintf (ldap_type_buffer, "%sRecord", type); + if (!strncmp +@@ -632,44 +707,70 @@ char ** + hostname_to_dn_list (char *hostname, char *zone, unsigned int flags) + { + char *tmp; +- static char *dn_buffer[64]; + int i = 0; +- char *zname; +- char *hnamebuff; +- +- zname = strdup (hostname); +- if (zname == NULL) +- fatal("strdup"); +- +- if (flags == DNS_OBJECT) +- { +- +- if (strlen (zname) != strlen (zone)) +- { +- tmp = &zname[strlen (zname) - strlen (zone)]; +- *--tmp = '\0'; +- hnamebuff = strdup (zname); +- if (hnamebuff == NULL) +- fatal("strdup"); +- zname = ++tmp; +- } +- else +- hnamebuff = (char*)"@"; +- } +- else +- { +- zname = zone; +- hnamebuff = NULL; +- } +- +- for (tmp = strrchr (zname, '.'); tmp != (char *) 0; +- tmp = strrchr (zname, '.')) +- { +- *tmp++ = '\0'; +- dn_buffer[i++] = tmp; +- } +- dn_buffer[i++] = zname; +- dn_buffer[i++] = hnamebuff; ++ char *hname=0L, *last=0L; ++ int hlen=strlen(hostname), zlen=(strlen(zone)); ++ ++/* printf("hostname: %s zone: %s\n",hostname, zone); */ ++ hname=0L; ++ if(flags == DNS_OBJECT) ++ { ++ if( (zone[ zlen - 1 ] == '.') && (hostname[hlen - 1] != '.') ) ++ { ++ hname=(char*)malloc(hlen + 1); ++ hlen += 1; ++ sprintf(hname, "%s.", hostname); ++ 
hostname = hname; ++ } ++ if(strcmp(hostname, zone) == 0) ++ { ++ if( hname == 0 ) ++ hname=strdup(hostname); ++ last = strdup(sameZone); ++ }else ++ { ++ if( (hlen < zlen) ++ ||( strcmp( hostname + (hlen - zlen), zone ) != 0) ++ ) ++ { ++ if( hname != 0 ) ++ free(hname); ++ hname=(char*)malloc( hlen + zlen + 1); ++ if( *zone == '.' ) ++ sprintf(hname, "%s%s", hostname, zone); ++ else ++ sprintf(hname,"%s",zone); ++ }else ++ { ++ if( hname == 0 ) ++ hname = strdup(hostname); ++ } ++ last = hname; ++ } ++ }else ++ { /* flags == DNS_TOP */ ++ hname = strdup(zone); ++ last = hname; ++ } ++ ++ for (tmp = strrchr (hname, '.'); tmp != (char *) 0; ++ tmp = strrchr (hname, '.')) ++ { ++ if( *( tmp + 1 ) != '\0' ) ++ { ++ *tmp = '\0'; ++ dn_buffer[i++] = ++tmp; ++ }else ++ { /* trailing '.' ! */ ++ dn_buffer[i++] = strdup("."); ++ *tmp = '\0'; ++ if( tmp == hname ) ++ break; ++ } ++ } ++ if( ( last != hname ) && (tmp != hname) ) ++ dn_buffer[i++] = hname; ++ dn_buffer[i++] = last; + dn_buffer[i] = NULL; + + return dn_buffer; +@@ -681,24 +782,32 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags) + * exception of "@"/SOA. */ + + char * +-build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag) ++build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag, char *zone) + { + int size; +- int x; ++ int x, znlen; + static char dn[1024]; + char tmp[128]; ++ char zn[DNS_NAME_MAXTEXT+1]; + + bzero (tmp, sizeof (tmp)); + bzero (dn, sizeof (dn)); + size = get_attr_list_size (dc_list); ++ znlen = strlen(zone); ++ if ( *(zone + (znlen-1)) == '.' 
) ++ { /* ldapdb MUST search by relative zone name */ ++ memcpy(&(zn[0]),zone,znlen-1); ++ *(zn + (znlen-1))='\0'; ++ zone = zn; ++ } + for (x = size - 2; x > 0; x--) + { + if (flag == WI_SPEC) + { + if (x == (size - 2) && (strncmp (dc_list[x], "@", 1) == 0) && (ttl)) +- sprintf (tmp, "relativeDomainName=%s + dNSTTL=%d,", dc_list[x], ttl); ++ sprintf (tmp, "zoneName=%s + relativeDomainName=%s,", zone, dc_list[x]); + else if (x == (size - 2)) +- sprintf(tmp, "relativeDomainName=%s,",dc_list[x]); ++ sprintf(tmp, "zoneName=%s + relativeDomainName=%s,", zone, dc_list[x]); + else + sprintf(tmp,"dc=%s,", dc_list[x]); + } +@@ -724,6 +833,7 @@ void + init_ldap_conn () + { + int result; ++ char ldb_tag[]="LDAP Bind"; + conn = ldap_open (ldapsystem, LDAP_PORT); + if (conn == NULL) + { +@@ -733,7 +843,7 @@ init_ldap_conn () + } + + result = ldap_simple_bind_s (conn, binddn, bindpw); +- ldap_result_check ("ldap_simple_bind_s", (char*)"LDAP Bind", result); ++ ldap_result_check ("ldap_simple_bind_s", ldb_tag , result); + } + + /* Like isc_result_check, only for LDAP */ +@@ -750,8 +860,6 @@ ldap_result_check (const char *msg, char *dn, int err) + } + } + +- +- + /* For running the ldap_info run queue. 
*/ + void + add_ldap_values (ldap_info * ldinfo) +@@ -759,14 +867,14 @@ add_ldap_values (ldap_info * ldinfo) + int result; + char dnbuffer[1024]; + +- + if (ldapbase != NULL) + sprintf (dnbuffer, "%s,%s", ldinfo->dn, ldapbase); + else + sprintf (dnbuffer, "%s", ldinfo->dn); + + result = ldap_add_s (conn, dnbuffer, ldinfo->attrs); +- ldap_result_check ("ldap_add_s", dnbuffer, result); ++ ldap_result_check ("ldap_add_s", dnbuffer, result); ++ + } + + +@@ -777,5 +885,5 @@ void + usage () + { + fprintf (stderr, +- "zone2ldap -D [BIND DN] -w [BIND PASSWORD] -b [BASE DN] -z [ZONE] -f [ZONE FILE] -h [LDAP HOST] " ++ "zone2ldap -D [BIND DN] [-w BIND PASSWORD | -W:prompt] -b [BASE DN] -z [ZONE] -f [ZONE FILE] -h [LDAP HOST] " + "[-c Create LDAP Base structure][-d Debug Output (lots !)] \n ");} diff --git a/bind-9.3.2b2-sdbsrc.patch b/bind-9.3.2b2-sdbsrc.patch new file mode 100644 index 0000000000000000000000000000000000000000..46e183c149f83ee2bc388f9087941f3d337f2fb4 --- /dev/null +++ b/bind-9.3.2b2-sdbsrc.patch 
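Review bot: In build_dn_from_dc_list the new `sprintf (tmp, "zoneName=%s + relativeDomainName=%s,", zone, dc_list[x])` (both the `@` branch and the plain branch) writes the whole zone name plus a label into the fixed `char tmp[128]`, whereas the old format only held one label and a TTL; a zone name anywhere near the DNS_NAME_MAXTEXT limit that the new `zn[]` buffer is sized for overflows `tmp` on the stack, and the `memcpy(&(zn[0]),zone,znlen-1)` just above copies the `-z` argument into `zn` with no check against sizeof(zn) either. The inputs are the operator's own command line and zone file, so this is a crash/corruption bug rather than a remote one, but `fatal()` is already the file's convention for such cases: `if (znlen >= sizeof(zn)) fatal("zone name too long");` before the memcpy, and `if (snprintf(tmp, sizeof(tmp), "zoneName=%s + relativeDomainName=%s,", zone, dc_list[x]) >= (int)sizeof(tmp)) fatal("DN component too long");` in place of the two sprintf calls. The unbounded `sprintf (fullbasedn, ...)` into `char fullbasedn[1024]` in main is pre-existing and only re-indented by this hunk, but it has the same shape and deserves the same treatment. The new `-W` option is a good move (a `-w` password stays visible in `ps`), but init_ldap_conn still binds with `ldap_open` + `ldap_simple_bind_s`, so the usage text should warn that the password crosses the network in the clear unless TLS is arranged outside this tool. build_dn_from_dc_list and main both continue past the hunks.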
@@ -0,0 +1,230 @@ +diff --git a/contrib/sdb/bdb/bdb.c b/contrib/sdb/bdb/bdb.c +index 23594bb..b3c6619 100644 +--- a/contrib/sdb/bdb/bdb.c ++++ b/contrib/sdb/bdb/bdb.c +@@ -43,7 +43,7 @@ + #include + #include + +-#include ++#include "bdb.h" + #include + #include + +diff --git a/contrib/sdb/ldap/zone2ldap.c b/contrib/sdb/ldap/zone2ldap.c +index 07c89bc..23dd873 100644 +--- a/contrib/sdb/ldap/zone2ldap.c ++++ b/contrib/sdb/ldap/zone2ldap.c +@@ -63,16 +63,16 @@ typedef struct LDAP_INFO + ldap_info; + + /* usage Info */ +-void usage (); ++void usage (void); + + /* Add to the ldap dit */ + void add_ldap_values (ldap_info * ldinfo); + + /* Init an ldap connection */ +-void init_ldap_conn (); ++void init_ldap_conn (void); + + /* Ldap error checking */ +-void ldap_result_check (char *msg, char *dn, int err); ++void ldap_result_check (const char *msg, char *dn, int err); + + /* Put a hostname into a char ** array */ + char **hostname_to_dn_list (char *hostname, char *zone, unsigned int flags); +@@ -88,7 +88,7 @@ void add_to_rr_list (char *dn, char *name, char *type, char *data, + unsigned int ttl, unsigned int flags); + + /* Error checking */ +-void isc_result_check (isc_result_t res, char *errorstr); ++void isc_result_check (isc_result_t res, const char *errorstr); + + /* Generate LDIF Format files */ + void generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, +@@ -97,11 +97,17 @@ void generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, + /* head pointer to the list */ + ldap_info *ldap_info_base = NULL; + ++ldap_info * ++locate_by_dn (char *dn); ++void ++init_ldap_conn (); ++void usage(); ++ + char *argzone, *ldapbase, *binddn, *bindpw = NULL; +-char *ldapsystem = "localhost"; +-static char *objectClasses[] = ++const char *ldapsystem = "localhost"; ++static const char *objectClasses[] = + { "top", "dNSZone", NULL }; +-static char *topObjectClasses[] = { "top", NULL }; ++static const char *topObjectClasses[] = { "top", NULL }; + LDAP *conn; + unsigned int debug = 
0; + +@@ -128,7 +134,7 @@ main (int argc, char **argv) + LDAPMod *base_attrs[2]; + LDAPMod base; + isc_buffer_t buff; +- char *zonefile; ++ char *zonefile=0L; + char fullbasedn[1024]; + char *ctmp; + dns_fixedname_t fixedzone, fixedname; +@@ -304,9 +310,9 @@ main (int argc, char **argv) + if ((*ctmp == ',') || (ctmp == &basedn[0])) + { + base.mod_op = LDAP_MOD_ADD; +- base.mod_type = "objectClass"; +- base.mod_values = topObjectClasses; +- base_attrs[0] = &base; ++ base.mod_type = (char*)"objectClass"; ++ base.mod_values = (char**)topObjectClasses; ++ base_attrs[0] = (void*)&base; + base_attrs[1] = NULL; + + if (ldapbase) +@@ -363,7 +369,7 @@ main (int argc, char **argv) + * I should probably rename this function, as not to cause any + * confusion with the isc* routines. Will exit on error. */ + void +-isc_result_check (isc_result_t res, char *errorstr) ++isc_result_check (isc_result_t res, const char *errorstr) + { + if (res != ISC_R_SUCCESS) + { +@@ -470,20 +476,20 @@ add_to_rr_list (char *dn, char *name, char *type, + if (tmp->attrs == (LDAPMod **) NULL) + fatal("calloc"); + +- for (i = 0; i < flags; i++) ++ for (i = 0; i < (int)flags; i++) + { + tmp->attrs[i] = (LDAPMod *) malloc (sizeof (LDAPMod)); + if (tmp->attrs[i] == (LDAPMod *) NULL) + fatal("malloc"); + } + tmp->attrs[0]->mod_op = LDAP_MOD_ADD; +- tmp->attrs[0]->mod_type = "objectClass"; ++ tmp->attrs[0]->mod_type = (char*)"objectClass"; + + if (flags == DNS_OBJECT) +- tmp->attrs[0]->mod_values = objectClasses; ++ tmp->attrs[0]->mod_values = (char**)objectClasses; + else + { +- tmp->attrs[0]->mod_values = topObjectClasses; ++ tmp->attrs[0]->mod_values = (char**)topObjectClasses; + tmp->attrs[1] = NULL; + tmp->attrcnt = 2; + tmp->next = ldap_info_base; +@@ -492,7 +498,7 @@ add_to_rr_list (char *dn, char *name, char *type, + } + + tmp->attrs[1]->mod_op = LDAP_MOD_ADD; +- tmp->attrs[1]->mod_type = "relativeDomainName"; ++ tmp->attrs[1]->mod_type = (char*)"relativeDomainName"; + tmp->attrs[1]->mod_values = 
(char **) calloc (sizeof (char *), 2); + + if (tmp->attrs[1]->mod_values == (char **)NULL) +@@ -521,7 +527,7 @@ add_to_rr_list (char *dn, char *name, char *type, + fatal("strdup"); + + tmp->attrs[3]->mod_op = LDAP_MOD_ADD; +- tmp->attrs[3]->mod_type = "dNSTTL"; ++ tmp->attrs[3]->mod_type = (char*)"dNSTTL"; + tmp->attrs[3]->mod_values = (char **) calloc (sizeof (char *), 2); + + if (tmp->attrs[3]->mod_values == (char **)NULL) +@@ -535,7 +541,7 @@ add_to_rr_list (char *dn, char *name, char *type, + fatal("strdup"); + + tmp->attrs[4]->mod_op = LDAP_MOD_ADD; +- tmp->attrs[4]->mod_type = "zoneName"; ++ tmp->attrs[4]->mod_type = (char*)"zoneName"; + tmp->attrs[4]->mod_values = (char **)calloc(sizeof(char *), 2); + + if (tmp->attrs[4]->mod_values == (char **)NULL) +@@ -648,7 +654,7 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags) + zname = ++tmp; + } + else +- hnamebuff = "@"; ++ hnamebuff = (char*)"@"; + } + else + { +@@ -727,12 +733,12 @@ init_ldap_conn () + } + + result = ldap_simple_bind_s (conn, binddn, bindpw); +- ldap_result_check ("ldap_simple_bind_s", "LDAP Bind", result); ++ ldap_result_check ("ldap_simple_bind_s", (char*)"LDAP Bind", result); + } + + /* Like isc_result_check, only for LDAP */ + void +-ldap_result_check (char *msg, char *dn, int err) ++ldap_result_check (const char *msg, char *dn, int err) + { + if ((err != LDAP_SUCCESS) && (err != LDAP_ALREADY_EXISTS)) + { +diff --git a/contrib/sdb/pgsql/pgsqldb.c b/contrib/sdb/pgsql/pgsqldb.c +index 50d3cba..516eb9f 100644 +--- a/contrib/sdb/pgsql/pgsqldb.c ++++ b/contrib/sdb/pgsql/pgsqldb.c +@@ -23,7 +23,7 @@ + #include + #include + +-#include ++#include + + #include + #include +diff --git a/contrib/sdb/pgsql/zonetodb.c b/contrib/sdb/pgsql/zonetodb.c +index b8f5912..ff2d135 100644 +--- a/contrib/sdb/pgsql/zonetodb.c ++++ b/contrib/sdb/pgsql/zonetodb.c +@@ -37,7 +37,7 @@ + #include + #include + +-#include ++#include + + /* + * Generate a PostgreSQL table from a zone. 
+@@ -54,6 +54,9 @@ char *dbname, *dbtable; + char str[10240]; + + void ++closeandexit(int status); ++ ++void + closeandexit(int status) { + if (conn != NULL) + PQfinish(conn); +@@ -61,6 +64,9 @@ closeandexit(int status) { + } + + void ++check_result(isc_result_t result, const char *message); ++ ++void + check_result(isc_result_t result, const char *message) { + if (result != ISC_R_SUCCESS) { + fprintf(stderr, "%s: %s\n", message, +@@ -84,7 +90,8 @@ quotestring(const unsigned char *source, unsigned char *dest) { + } + *dest++ = 0; + } +- ++void ++addrdata(dns_name_t *name, dns_ttl_t ttl, dns_rdata_t *rdata); + void + addrdata(dns_name_t *name, dns_ttl_t ttl, dns_rdata_t *rdata) { + unsigned char namearray[DNS_NAME_MAXTEXT + 1]; diff --git a/bind-9.5-PIE.patch b/bind-9.5-PIE.patch new file mode 100644 index 0000000000000000000000000000000000000000..a525b9b02d306688a85528e4436ded4f36455f19 --- /dev/null +++ b/bind-9.5-PIE.patch @@ -0,0 +1,27 @@ +--- bind-9.5.0b2/bin/named/Makefile.in.pie 2008-02-11 17:21:47.000000000 +0100 ++++ bind-9.5.0b2/bin/named/Makefile.in 2008-02-11 17:22:10.000000000 +0100 +@@ -100,8 +100,12 @@ HTMLPAGES = named.html lwresd.html named + + MANOBJS = ${MANPAGES} ${HTMLPAGES} + ++EXT_CFLAGS = -fpie ++ + @BIND9_MAKE_RULES@ + ++LDFLAGS += -pie -Wl,-z,relro,-z,now,-z,nodlopen,-z,noexecstack ++ + main.@O@: main.c + ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \ + -DVERSION=\"${VERSION}\" \ +diff -up bind-9.5.0b2/bin/named/unix/Makefile.in.pie bind-9.5.0b2/bin/named/unix/Makefile.in +--- bind-9.5.0b2/bin/named/unix/Makefile.in.pie 2008-02-11 17:22:21.000000000 +0100 ++++ bind-9.5.0b2/bin/named/unix/Makefile.in 2008-02-11 17:23:00.000000000 +0100 +@@ -19,6 +19,8 @@ srcdir = @srcdir@ + VPATH = @srcdir@ + top_srcdir = @top_srcdir@ + ++EXT_CFLAGS = -fpie ++ + @BIND9_MAKE_INCLUDES@ + + CINCLUDES = -I${srcdir}/include -I${srcdir}/../include \ 
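Review bot: The `(char*)"objectClass"`, `(char**)objectClasses` and `(char*)"LDAP Bind"` casts in main, add_to_rr_list and init_ldap_conn remove the const-correctness warnings by handing string literals to fields libldap declares as writable `char *`; the literal stays in read-only storage, so any write through mod_type/mod_values or the `dn` argument of ldap_result_check would fault. The follow-up bind-9.3.2b1-fix_sdb_ldap.patch in this series replaces them with writable static arrays (`static char objectClass[] = "objectClass";`), and that form could be used here directly, keeping `const char *` only for the `msg`/`errorstr` parameters this hunk already fixes. `char *zonefile=0L;` silences the uninitialised-variable warning but `0L` is an odd spelling of a null pointer in a file that otherwise uses `NULL`. The enclosing functions begin and end outside the hunks.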
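Review bot: `EXT_CFLAGS = -fpie` and `LDFLAGS += -pie -Wl,-z,relro,-z,now,-z,nodlopen,-z,noexecstack` are added only in bin/named/Makefile.in and bin/named/unix/Makefile.in, so the ISC libraries linked into named get neither `-fpie` nor RELRO/BIND_NOW from this patch; with shared libtool libraries they are PIC anyway but unhardened, and with a static build linking non-PIC objects into a `-pie` executable is not portable. If the spec injects the distribution hardening flags into CFLAGS/LDFLAGS for the whole tree (its build section is outside this view) the patch is redundant and could be dropped; otherwise the flags belong at the top level so every object gets them. `LDFLAGS +=` is a GNU make extension in a Makefile.in that BIND otherwise keeps portable; `LDFLAGS = @LDFLAGS@ -pie -Wl,-z,relro,-z,now,-z,noexecstack` would avoid it. `-z,nodlopen` appears to only mark named itself as not dlopen-able, which is harmless but also not a hardening gain worth listing.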
diff --git a/bind-9.5-dlz-64bit.patch b/bind-9.5-dlz-64bit.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ec064c6b04a389fc965f9af3fbd36536da585a74
--- /dev/null
+++ b/bind-9.5-dlz-64bit.patch
@@ -0,0 +1,53 @@
+diff --git a/contrib/dlz/config.dlz.in b/contrib/dlz/config.dlz.in
+index 47525af..eefe3c3 100644
+--- a/contrib/dlz/config.dlz.in
++++ b/contrib/dlz/config.dlz.in
+@@ -17,6 +17,13 @@
+ #
+ dlzdir='${DLZ_DRIVER_DIR}'
+ 
++AC_MSG_CHECKING([for target libdir])
++AC_RUN_IFELSE([int main(void) {exit((sizeof(void *) == 8) ? 0 : 1);}],
++ [target_lib=lib64],
++ [target_lib=lib],
++)
++AC_MSG_RESULT(["$target_lib"])
++
+ #
+ # Private autoconf macro to simplify configuring drivers:
+ #
+@@ -292,9 +299,9 @@ case "$use_dlz_bdb" in
+ then
+ break
+ fi
+- elif test -f "$dd/lib/lib${d}.so"
++ elif test -f "$dd/${target_lib}/lib${d}.so"
+ then
+- dlz_bdb_libs="-L${dd}/lib -l${d}"
++ dlz_bdb_libs="-L${dd}/${target_lib} -l${d}"
+ break
+ fi
+ done
+@@ -396,7 +403,7 @@ case "$use_dlz_ldap" in
+ *)
+ DLZ_ADD_DRIVER(LDAP, dlz_ldap_driver,
+ [-I$use_dlz_ldap/include],
+- [-L$use_dlz_ldap/lib -lldap -llber])
++ [-L$use_dlz_ldap/${target_lib} -lldap -llber])
+ 
+ AC_MSG_RESULT(
+ [using LDAP from $use_dlz_ldap/lib and $use_dlz_ldap/include])
+@@ -432,11 +439,11 @@ then
+ odbcdirs="/usr /usr/local /usr/pkg"
+ for d in $odbcdirs
+ do
+- if test -f $d/include/sql.h -a -f $d/lib/libodbc.a
++ if test -f $d/include/sql.h -a -f $d/${target_lib}/libodbc.a
+ then
+ use_dlz_odbc=$d
+ dlz_odbc_include="-I$use_dlz_odbc/include"
+- dlz_odbc_libs="-L$use_dlz_odbc/lib -lodbc"
++ dlz_odbc_libs="-L$use_dlz_odbc/${target_lib} -lodbc"
+ break
+ fi
+ done
diff --git a/bind-9.9.1-P2-dlz-libdb.patch b/bind-9.9.1-P2-dlz-libdb.patch
new file mode 100644
index 0000000000000000000000000000000000000000..866ed8f6ee72e4cab08686c65b6bb24b9fe639dc
--- /dev/null
+++ b/bind-9.9.1-P2-dlz-libdb.patch
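Review bot: The new `AC_RUN_IFELSE([int main(void) {exit((sizeof(void *) == 8) ? 0 : 1);}], [target_lib=lib64], [target_lib=lib], )` executes a test program, so a cross-compiling configure aborts because the fourth (cross-compilation) action is empty, and the bare program should be wrapped in AC_LANG_SOURCE for autoconf to accept it without warnings. A compile-time probe avoids both: `AC_CHECK_SIZEOF([void *])` followed by `if test "$ac_cv_sizeof_void_p" = 8; then target_lib=lib64; else target_lib=lib; fi`; the SIZEOF_VOID_P template in config.h.in (visible in bind-9.9.1-P2-multlib-conflict.patch below) suggests the main configure already computes `ac_cv_sizeof_void_p`, in which case config.dlz.in can simply reuse it. The LDAP hunk switches the `-L` path to `${target_lib}` but leaves the AC_MSG_RESULT text at `$use_dlz_ldap/lib`, so configure will report a directory it is not actually using.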
@@ -0,0 +1,31 @@
+diff -up bind-9.10.1b1/contrib/dlz/config.dlz.in.libdb bind-9.10.1b1/contrib/dlz/config.dlz.in
+--- bind-9.10.1b1/contrib/dlz/config.dlz.in.libdb 2014-08-04 12:33:09.320735111 +0200
++++ bind-9.10.1b1/contrib/dlz/config.dlz.in 2014-08-04 12:41:46.888241910 +0200
+@@ -263,7 +263,7 @@ case "$use_dlz_bdb" in
+ # Check other locations for includes.
+ # Order is important (sigh).
+ 
+- bdb_incdirs="/db53 /db51 /db48 /db47 /db46 /db45 /db44 /db43 /db42 /db41 /db4 /db"
++ bdb_incdirs="/db53 /db51 /db48 /db47 /db46 /db45 /db44 /db43 /db42 /db41 /db4 /libdb /db"
+ # include a blank element first
+ for d in "" $bdb_incdirs
+ do
+@@ -288,16 +288,9 @@ case "$use_dlz_bdb" in
+ bdb_libnames="db53 db-5.3 db51 db-5.1 db48 db-4.8 db47 db-4.7 db46 db-4.6 db45 db-4.5 db44 db-4.4 db43 db-4.3 db42 db-4.2 db41 db-4.1 db"
+ for d in $bdb_libnames
+ do
+- if test "$dd" = "/usr"
++ if test -f "$dd/${target_lib}/lib${d}.so"
+ then
+- AC_CHECK_LIB($d, db_create, dlz_bdb_libs="-l${d}")
+- if test $dlz_bdb_libs != "yes"
+- then
+- break
+- fi
+- elif test -f "$dd/${target_lib}/lib${d}.so"
+- then
+- dlz_bdb_libs="-L${dd}/${target_lib} -l${d}"
++ dlz_bdb_libs="-L${dd}/${target_lib}/libdb -l${d}"
+ break
+ fi
+ done
diff --git a/bind-9.9.1-P2-multlib-conflict.patch b/bind-9.9.1-P2-multlib-conflict.patch
new file mode 100644
index 0000000000000000000000000000000000000000..96506dd7a290742924fef8be3b4feb0420a339e7
--- /dev/null
+++ b/bind-9.9.1-P2-multlib-conflict.patch
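Review bot: The rewritten bdb loop tests `-f "$dd/${target_lib}/lib${d}.so"` but then links with `-L${dd}/${target_lib}/libdb`, so the file that was found is not in the directory the linker is pointed at; unless both `lib64/libdb.so` and `lib64/libdb/libdb.so` exist on the build host, one of the two paths is wrong, and the test should match the link path: `if test -f "$dd/${target_lib}/libdb/lib${d}.so"`. Dropping the `/usr` branch also removes the AC_CHECK_LIB call, which was the only place the library was actually link-tested rather than located by file name, so a mismatched or unlinkable libdb is now only noticed at the final link of the driver.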
@@ -0,0 +1,85 @@ +diff --git a/config.h.in b/config.h.in +index e1364dd921..1dc65cfb21 100644 +--- a/config.h.in ++++ b/config.h.in +@@ -588,7 +588,7 @@ int sigwait(const unsigned int *set, int *sig); + #undef PREFER_GOSTASN1 + + /* The size of `void *', as computed by sizeof. */ +-#undef SIZEOF_VOID_P ++/* #undef SIZEOF_VOID_P */ + + /* Define to 1 if you have the ANSI C header files. */ + #undef STDC_HEADERS +diff --git a/configure.in b/configure.in +index 73b1c8ccbb..129fc3f311 100644 +--- a/configure.in ++++ b/configure.in +@@ -3523,14 +3523,14 @@ AC_TRY_COMPILE([ + #include + #include + int getnameinfo(const struct sockaddr *, socklen_t, char *, +- socklen_t, char *, socklen_t, unsigned int);], ++ socklen_t, char *, socklen_t, int);], + [ return (0);], +- [AC_MSG_RESULT(socklen_t for buflen; u_int for flags) ++ [AC_MSG_RESULT(socklen_t for buflen; int for flags) + AC_DEFINE(IRS_GETNAMEINFO_SOCKLEN_T, socklen_t, + [Define to the sockaddr length type used by getnameinfo(3).]) + AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, socklen_t, + [Define to the buffer length type used by getnameinfo(3).]) +- AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, unsigned int, ++ AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, int, + [Define to the flags type used by getnameinfo(3).])], + [AC_TRY_COMPILE([ + #include +@@ -3557,7 +3557,7 @@ int getnameinfo(const struct sockaddr *, size_t, char *, + [AC_MSG_RESULT(not match any subspecies; assume standard definition) + AC_DEFINE(IRS_GETNAMEINFO_SOCKLEN_T, socklen_t) + AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, socklen_t) +-AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, int)])])]) ++AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, unsigned int)])])]) + + # + # ...and same for gai_strerror(). 
+diff --git a/isc-config.sh.in b/isc-config.sh.in +index a8a0a89e88..b5e94ed13e 100644 +--- a/isc-config.sh.in ++++ b/isc-config.sh.in +@@ -13,7 +13,18 @@ prefix=@prefix@ + exec_prefix=@exec_prefix@ + exec_prefix_set= + includedir=@includedir@ +-libdir=@libdir@ ++arch=$(uname -m) ++ ++case $arch in ++ x86_64 | amd64 | sparc64 | s390x | ppc64) ++ libdir=/usr/lib64 ++ sec_libdir=/usr/lib ++ ;; ++ * ) ++ libdir=/usr/lib ++ sec_libdir=/usr/lib64 ++ ;; ++esac + + usage() + { +@@ -132,6 +143,16 @@ if test x"$echo_libs" = x"true"; then + if test x"${exec_prefix_set}" = x"true"; then + libs="-L${exec_prefix}/lib" + else ++ if [ ! -x $libdir/libisc.so ] ; then ++ if [ ! -x $sec_libdir/libisc.so ] ; then ++ echo "Error: ISC libs not found in $libdir" ++ if [ -d $sec_libdir ] ; then ++ echo "Error: ISC libs not found in $sec_libdir" ++ fi ++ exit 1 ++ fi ++ libdir=$sec_libdir ++ fi + libs="-L${libdir}" + fi + if test x"$libirs" = x"true" ; then diff --git a/bind-95-rh452060.patch b/bind-95-rh452060.patch new file mode 100644 index 0000000000000000000000000000000000000000..dac3a8d5b62bbf74b935c6a7b9f49438b67736fd --- /dev/null +++ b/bind-95-rh452060.patch 
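Review bot: In configure.in the fallback branch labelled "not match any subspecies; assume standard definition" now defines IRS_GETNAMEINFO_FLAGS_T as `unsigned int`, while the standard (and glibc) prototype of getnameinfo(3) takes `int flags`; the probe above it is correctly changed to `int`, so the fallback should stay `AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, int)` and only the detected-type branch needs to differ. In isc-config.sh.in the `case $arch in` block discards the configured `@libdir@` entirely, and `uname -m` reports the kernel architecture rather than the userland's, so a 32-bit userland on a 64-bit kernel, or a build with a non-default --libdir, is routed to /usr/lib64 first and only survives through the `-x $sec_libdir/libisc.so` fallback; keeping `libdir=@libdir@` as the primary and using the arch guess only for `sec_libdir` would preserve the configured value. The `exec_prefix_set` branch still emits `-L${exec_prefix}/lib`, so the multilib fix does not apply when the caller passes --exec-prefix.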
@@ -0,0 +1,42 @@
+diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
+index f657c30..ff9a2d2 100644
+--- a/bin/dig/dighost.c
++++ b/bin/dig/dighost.c
+@@ -1694,6 +1694,13 @@ clear_query(dig_query_t *query) {
+ 
+ if (query->timer != NULL)
+ isc_timer_detach(&query->timer);
++
++ if (query->waiting_senddone) {
++ debug("send_done not yet called");
++ query->pending_free = ISC_TRUE;
++ return;
++ }
++
+ lookup = query->lookup;
+ 
+ if (lookup->current_query == query)
+@@ -1719,10 +1726,7 @@ clear_query(dig_query_t *query) {
+ isc_mempool_put(commctx, query->recvspace);
+ isc_buffer_invalidate(&query->recvbuf);
+ isc_buffer_invalidate(&query->lengthbuf);
+- if (query->waiting_senddone)
+- query->pending_free = ISC_TRUE;
+- else
+- isc_mem_free(mctx, query);
++ isc_mem_free(mctx, query);
+ }
+ 
+ /*%
+@@ -2811,9 +2815,9 @@ send_done(isc_task_t *_task, isc_event_t *event) {
+ isc_event_free(&event);
+ 
+ if (query->pending_free)
+- isc_mem_free(mctx, query);
++ clear_query(query);
+ 
+- check_if_done();
++ check_next_lookup(l);
+ UNLOCK_LOOKUP;
+ }
+ 
diff --git a/bind-96-old-api.patch b/bind-96-old-api.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d181d3ef64187bbeb1d0b00571779fbcc0febb69
--- /dev/null
+++ b/bind-96-old-api.patch
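Review bot: The early return added to clear_query fires after `isc_timer_detach` but before the query is unlinked from `lookup`, and the re-entry from send_done (`if (query->pending_free) clear_query(query);`) only completes the teardown if `query->waiting_senddone` has already been reset to ISC_FALSE at that point; that reset is not in the hunk, and if it happens after the `pending_free` check the second call returns early again and the query is never freed. Worth pinning the invariant on the re-entry path, e.g. `INSIST(!query->waiting_senddone);` before `clear_query(query)`, or clearing the flag inside the `if`. Replacing `check_if_done()` with `check_next_lookup(l)` also changes what happens after the send completes, and `l` is assigned outside the hunk, so the patch header should say why the lookup is advanced here rather than only checked for completion. Both clear_query and send_done extend beyond the hunks.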
@@ -0,0 +1,23 @@
+diff -up bind-9.6.0b1/contrib/sdb/ldap/ldapdb.c.old-api bind-9.6.0b1/contrib/sdb/ldap/ldapdb.c
+--- bind-9.6.0b1/contrib/sdb/ldap/ldapdb.c.old-api 2008-11-24 13:28:13.000000000 +0100
++++ bind-9.6.0b1/contrib/sdb/ldap/ldapdb.c 2008-11-24 13:28:23.000000000 +0100
+@@ -25,6 +25,7 @@
+ /* Using LDAPv3 by default, change this if you want v2 */
+ #ifndef LDAPDB_LDAP_VERSION
+ #define LDAPDB_LDAP_VERSION 3
++#define LDAP_DEPRECATED 1
+ #endif
+ 
+ #include 
+diff -up bind-9.6.0b1/contrib/sdb/ldap/zone2ldap.c.old-api bind-9.6.0b1/contrib/sdb/ldap/zone2ldap.c
+--- bind-9.6.0b1/contrib/sdb/ldap/zone2ldap.c.old-api 2008-11-24 13:29:05.000000000 +0100
++++ bind-9.6.0b1/contrib/sdb/ldap/zone2ldap.c 2008-11-24 13:29:14.000000000 +0100
+@@ -13,6 +13,8 @@
+ * ditched dNSDomain2 schema support. Version 0.3-ALPHA
+ */
+ 
++#define LDAP_DEPRECATED 1
++
+ #include 
+ #include 
+ #include 
diff --git a/bind.spec b/bind.spec
new file mode 100644
index 0000000000000000000000000000000000000000..526960a691f089d143801c9ced2afe3c93db8c45
--- /dev/null
+++ b/bind.spec
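Review bot: In the ldapdb.c hunk the new `#define LDAP_DEPRECATED 1` sits inside the `#ifndef LDAPDB_LDAP_VERSION` block, so a build that passes `-DLDAPDB_LDAP_VERSION=2` (exactly what the comment above invites) never defines it, the deprecated prototypes stay hidden and the file fails to compile; move it out of the conditional, as the zone2ldap.c hunk already does, onto its own line before the `#include`s. Re-enabling the deprecated OpenLDAP API is a stop-gap rather than a port — ldapdb.c presumably still calls `ldap_init`/`ldap_simple_bind_s`-style entry points, and moving to `ldap_initialize` plus `ldap_sasl_bind_s` would be the durable fix that does not depend on a compatibility switch OpenLDAP may drop. The patch file has no header stating which OpenLDAP release broke the build or why the old API is kept, which makes it hard to retire later.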
@@ -0,0 +1,1049 @@ +%bcond_with LMDB +%bcond_with DLZ +%bcond_with KYUA +%bcond_with SYSTEMTEST +%bcond_without UNITTEST +%bcond_without SDB +%bcond_without GSSTSIG +%bcond_without PKCS11 +%bcond_without EXPORT_LIBS + +%{?!bind_uid: %global bind_uid 25} +%{?!bind_gid: %global bind_gid 25} +%{!?_export_dir:%global _export_dir /bind9-export/} +%undefine _strict_symbol_defs_build + +Name: bind +Summary: Domain Name System (DNS) Server (named) +License: MPLv2.0 +Version: 9.11.4 +Release: 12 +Epoch: 32 +Url: http://www.isc.org/products/BIND/ +Source0: https://ftp.isc.org/isc/bind9/9.11.4/bind-%{version}-P2.tar.gz +Source1: named.sysconfig +Source2: named.logrotate +Source3: bind-9.3.1rc1-sdb_tools-Makefile.in +Source4: dnszone.schema +Source5: README.sdb_pgsql +Source6: named.conf.sample +Source7: named.conf +Source8: config-18.tar.bz2 +Source9: ldap2zone.c +Source10: ldap2zone.1 +Source11: named-sdb.8 +Source12: zonetodb.1 +Source13: zone2sqlite.1 +Source14: bind.tmpfiles.d +Source15: trusted-key.key +Source16: named.service +Source17: named-chroot.service +Source18: named-sdb.service +Source19: named-sdb-chroot.service +Source20: setup-named-chroot.sh +Source21: generate-rndc-key.sh +Source22: named.rwtab +Source23: named-chroot-setup.service +Source24: named-sdb-chroot-setup.service +Source25: named-setup-rndc.service +Source26: named-pkcs11.service +Source27: setup-named-softhsm.sh +Source28: named-chroot.files +Source29: random.data + +BuildRequires: openssl-devel libtool autoconf pkgconfig libcap-devel python3-devel python3-ply docbook-style-xsl +BuildRequires: libidn2-devel libxml2-devel GeoIP-devel make systemd selinux-policy findutils sed libxslt + +%if %{with SDB} +BuildRequires: openldap-devel libpq-devel sqlite-devel mariadb-connector-c-devel libdb-devel +%endif + +%if %{with KYUA} +#BuildRequires: libatf-c-devel kyua +%else +BuildRequires: gcc-c++ +%endif + +%if %{with PKCS11} +BuildRequires: softhsm +%endif + +%if %{with SYSTEMTEST} +BuildRequires: 
net-tools perl(Net::DNS) perl(Net::DNS::Nameserver) +%endif + +%if %{with GSSTSIG} +BuildRequires: krb5-devel +%endif + +%if %{with LMDB} +BuildRequires: lmdb-devel +%endif + +Requires: systemd coreutils shadow-utils glibc-common grep policycoreutils-python-utils +Requires: python3-bind = %{epoch}:%{version}-%{release} libselinux-utils selinux-policy bind-libs = %{epoch}:%{version}-%{release} +Provides: bind-config = 30:9.3.2-34.fc6 caching-nameserver = 31:9.4.1-7.fc8 dnssec-conf = 1.27-2 +Provides: bind-license +Obsoletes: bind-config < 30:9.3.2-34.fc6 caching-nameserver < 31:9.4.1-7.fc8 dnssec-conf < 1.27-2 +Obsoletes: bind-license + +Patch0001: bind-9.5-PIE.patch +Patch0003: bind-9.5-dlz-64bit.patch +Patch0004: bind-95-rh452060.patch +Patch0005: bind93-rh490837.patch +Patch0006: bind97-rh478718.patch +Patch0007: bind97-rh645544.patch +Patch0008: bind-9.9.1-P2-dlz-libdb.patch +Patch0009: bind-9.9.1-P2-multlib-conflict.patch +Patch0010: bind-9.11-rh1410433.patch +Patch0011: bind-9.11-rh1205168.patch +Patch0012: bind-9.11-export-suffix.patch +Patch0013: bind-9.11-oot-manual.patch +Patch0014: bind-9.11-pk11.patch +Patch0015: bind-9.11-fips-code.patch +Patch0016: bind-9.11-fips-tests.patch +Patch0017: bind-9.11-rt31459.patch +Patch0018: bind-9.11-rt46047.patch +Patch0019: bind-9.11-rh1624100.patch +Patch0020: bind-9.11-host-idn-disable.patch +Patch0021: bind-9.10-dist-native-pkcs11.patch +Patch0022: bind-9.11-kyua-pkcs11.patch +Patch0023: bind-96-old-api.patch +Patch0024: bind-9.3.2b2-sdbsrc.patch +Patch0025: bind-9.10-sdb.patch +Patch0026: bind-9.3.2b1-fix_sdb_ldap.patch +Patch0027: bind-9.10-use-of-strlcat.patch +Patch0028: bind99-rh640538.patch +Patch0029: bind97-rh669163.patch + +Patch6001: 1314-master-dnssec-checkds-s.patch +Patch6002: 2432-check-param_template-i-.pValue-is-non-NULL.patch +Patch6003: 2497-refcount-errors-on-error-paths.patch +Patch6004: 2559-Do-not-remove-errors-from-the-OpenSSL-error-queue-in.patch +Patch6005: 
2574-Do-not-treat-a-referral-with-a-non-empty-ANSWER-sect.patch +Patch6006: 2711-Align-CMSG-buffers-to-a-void-boundary-fixes-crash-on.patch +Patch6007: 2776-Fix-crash-caused-by-race-condition-in-timer-creation.patch +Patch6008: 2865-free-key-on-error.patch +Patch6009: 2879-expand-the-pool-then-copy-over-the-old-entries-so-we.patch +Patch6010: 2985-Add-some-DBC-checks-in-dighost-fix-race-between-clea.patch +Patch6011: 2998-Use-larger-buffers-on-snprintf-buffer-overflow-false.patch +Patch6012: 3022-Fix-a-shutdown-race-in-bin-dig-dighost.c.patch +Patch6013: 3046-uninitalize-memory-read-on-error-path.patch +Patch6014: 3318-Allow-unsupported-alg-in-zone-w-dnssec-signzone.patch +Patch6015: 3543-fix-memory-leak.patch +Patch6016: Use-clock_gettime-instead-of-gettimeofday.patch +Patch6017: CVE-2018-5743.patch +Patch6018: CVE-2018-5743-atomic-fix.patch +Patch6019: CVE-2018-5745.patch +Patch6020: CVE-2019-6465.patch + +Patch9000: feature-bind99-euler-range-port.patch +Patch9001: bugfix-nslookup-norec.patch +Patch9002: bugfix-named-log-time.patch + +%description +Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name +System (DNS) protocols and provides an openly redistributable reference +implementation of the major components of the Domain Name System. +This package includes the components to operate a DNS server. + +%if %{with PKCS11} +%package pkcs11 +Summary: Bind with native PKCS#11 functionality for crypto +Requires: systemd bind-libs-lite = %{epoch}:%{version}-%{release} +Requires: bind = %{epoch}:%{version}-%{release} bind-libs = %{epoch}:%{version}-%{release} +Recommends: softhsm + +Provides: bind-pkcs11-libs = %{epoch}:%{version}-%{release} bind-pkcs11-utils = %{epoch}:%{version}-%{release} +Obsoletes:bind-pkcs11-libs < %{epoch}:%{version}-%{release} bind-pkcs11-utils < %{epoch}:%{version}-%{release} + +%description pkcs11 +This is a version of BIND server built with native PKCS#11 functionality. 
+It is important to have SoftHSM v2+ installed and some token initialized. +For other supported HSM modules please check the BIND documentation. + +%package pkcs11-devel +Summary: Development files for Bind libraries compiled with native PKCS#11 +Requires: bind-pkcs11 = %{epoch}:%{version}-%{release} +Requires: bind-devel = %{epoch}:%{version}-%{release} + +%description pkcs11-devel +This a set of development files for BIND libraries (dns, isc) compiled +with native PKCS#11 functionality. +%endif + +%if %{with SDB} +%package sdb +Summary: BIND server with database backends and DLZ support +Requires: systemd bind-libs = %{epoch}:%{version}-%{release} +Requires: bind = %{epoch}:%{version}-%{release} bind-libs-lite = %{epoch}:%{version}-%{release} + +%description sdb +BIND (Berkeley Internet Name Domain) is an implementation of the DNS +(Domain Name System) protocols. BIND includes a DNS server (named-sdb) +which has compiled-in SDB (Simplified Database Backend) which includes +support for using alternative Zone Databases stored in an LDAP server +(ldapdb), a postgreSQL database (pgsqldb), an sqlite database (sqlitedb), +or in the filesystem (dirdb), in addition to the standard in-memory RBT +(Red Black Tree) zone database. It also includes support for DLZ +(Dynamic Loadable Zones) +%endif + +%package libs-lite +Summary: Libraries for working with the DNS protocol +Obsoletes:bind-libbind-devel < 31:9.3.3-4.fc7 +Provides: bind-libbind-devel = 31:9.3.3-4.fc7 +Requires: bind-license = %{epoch}:%{version}-%{release} + +%description libs-lite +Lite libs of BIND. + +%package libs +Summary: Libraries for BIND +Requires: bind-license = %{epoch}:%{version}-%{release} +Requires: bind-libs-lite = %{epoch}:%{version}-%{release} + +%description libs +BIND suite libraries. 
+ +%package utils +Summary: Utilities for bind +Requires: bind-libs = %{epoch}:%{version}-%{release} +Requires: bind-libs-lite = %{epoch}:%{version}-%{release} +Requires: python3-bind = %{epoch}:%{version}-%{release} + +%description utils +Bind-utils contains a collection of utilities for querying DNS (Domain +Name System) name servers to find out information about Internet +hosts. These tools will provide you with the IP addresses for given +host names, as well as other information about registered domains and +network addresses. + +You should install bind-utils if you need to get information from DNS name +servers. + + + +%package devel +Summary: Header files and libraries needed for BIND DNS development +Requires: bind = %{epoch}:%{version}-%{release} bind-libs = %{epoch}:%{version}-%{release} bind-libs-lite = %{epoch}:%{version}-%{release} +Provides: bind-libbind-devel = 31:9.3.3-4.fc7 bind-lite-devel +Obsoletes: bind-libbind-devel < 31:9.3.3-4.fc7 bind-lite-devel + +%description devel +The bind-devel package contains full version of the header files and libraries +required for development with ISC BIND 9. + +%package chroot +Summary: A chroot runtime environment for the ISC BIND DNS server, named(8) +Prefix: /var/named/chroot +Requires: bind = %{epoch}:%{version}-%{release} grep + +%description chroot +This package contains a tree of files which can be used as a +chroot(2) jail for the named(8) program from the BIND package. +Based on the code from Jan "Yenya" Kasprzak + +%if %{with SDB} +%package sdb-chroot +Summary: A chroot runtime environment for the ISC BIND DNS server, named-sdb(8) +Prefix: /var/named/chroot_sdb +Requires: bind-sdb = %{epoch}:%{version}-%{release} grep + +%description sdb-chroot +This package contains a tree of files which can be used as a +chroot(2) jail for the named-sdb(8) program from the BIND package. 
+Based on the code from Jan "Yenya" Kasprzak +%endif + +%package -n python3-bind +Summary: A module allowing rndc commands to be sent from Python programs +Requires: bind = %{epoch}:%{version}-%{release} +Requires: python3 python3-ply %{py3_dist ply} +BuildArch: noarch +%{?python_provide:%python_provide python3-bind} +%{?python_provide:%python_provide python3-isc} + +%description -n python3-bind +This package provides a module which allows commands to be sent to rndc directly from Python programs. + +%if %{with EXPORT_LIBS} +%package export-libs +Summary: ISC libs for DHCP application +Provides: bind99-libs = 9.9.11-4 +Obsoletes: bind99-libs < 9.9.11-4 + +%description export-libs +BIND (Berkeley Internet Name Domain) is an implementation of the DNS +(Domain Name System) protocols. This package set contains only export +version of BIND libraries, that are used for building ISC DHCP. + +%package export-devel +Summary: Header files and libraries needed for BIND export libraries +Requires: bind-export-libs = %{epoch}:%{version}-%{release} openssl-devel libcap-devel +Obsoletes: bind99-devel < 9.9.11-4 +Conflicts: bind99-devel + +%description export-devel +This package contains export version of the header files and libraries +required for development with ISC BIND. These headers and libraries +are used for building ISC DHCP. 
+%endif + +%prep +%setup -q -n %{name}-%{version}-P2 + +%patch0001 -p1 +%patch0003 -p1 +%patch0004 -p1 +%patch0005 -p0 +%patch0006 -p1 +%patch0007 -p1 +%patch0008 -p1 +%patch0009 -p1 +%patch0010 -p1 +%patch0011 -p1 +%patch0012 -p1 +%patch0013 -p1 +%patch0014 -p1 +%patch0015 -p1 +%patch0016 -p1 +%patch0017 -p1 +%patch0018 -p1 +%patch0019 -p1 +%patch0020 -p1 + +mkdir lib/dns/tests/testdata/dstrandom +cp -a %{SOURCE29} lib/dns/tests/testdata/dstrandom/random.data + +%if %{with PKCS11} +cp -r bin/named bin/named-pkcs11 +cp -r bin/dnssec bin/dnssec-pkcs11 +cp -r lib/isc lib/isc-pkcs11 +cp -r lib/dns lib/dns-pkcs11 +%patch0021 -p1 +%patch0022 -p1 +%endif + +%if %{with SDB} +%patch0023 -p1 +mkdir bin/named-sdb +mkdir bin/sdb_tools +cp -r bin/named/* bin/named-sdb +%patch0024 -p1 +cp -fp contrib/sdb/ldap/ldapdb.[ch] bin/named-sdb +cp -fp contrib/sdb/pgsql/pgsqldb.[ch] bin/named-sdb +cp -fp contrib/sdb/sqlite/sqlitedb.[ch] bin/named-sdb +cp -fp contrib/sdb/dir/dirdb.[ch] bin/named-sdb +cp -fp %{SOURCE9} bin/sdb_tools/ldap2zone.c +cp -fp %{SOURCE3} bin/sdb_tools/Makefile.in +cp -fp contrib/sdb/ldap/{zone2ldap.1,zone2ldap.c} bin/sdb_tools +cp -fp contrib/sdb/pgsql/zonetodb.c bin/sdb_tools +cp -fp contrib/sdb/sqlite/zone2sqlite.c bin/sdb_tools +%patch0025 -p1 +%patch0026 -p1 +%patch0027 -p1 +%endif + +%patch0028 -p1 +%patch0029 -p1 + +%patch9000 -p1 +%patch9001 -p1 +%patch6001 -p1 +%patch6002 -p1 +%patch6003 -p1 +%patch6004 -p1 +%patch6005 -p1 +%patch6006 -p1 +%patch6007 -p1 +%patch6008 -p1 +%patch6009 -p1 +%patch6010 -p1 +%patch6011 -p1 +%patch6012 -p1 +%patch6013 -p1 +%patch6014 -p1 +%patch6015 -p1 +%patch6016 -p1 +%patch6017 -p1 +%patch6018 -p1 +%patch6019 -p1 +%patch6020 -p1 +%patch9002 -p1 + +%build +%define _configure "../configure" +%define unit_prepare_build() \ + cp -uv Kyuafile Atffile "%{1}/" \ + find lib -name 'K*.key' -exec cp -uv '{}' "%{1}/{}" ';' \ + find lib -name 'Kyuafile' -exec cp -uv '{}' "%{1}/{}" ';' \ + find lib -name 'Atffile' -exec cp -uv '{}' 
"%{1}/{}" ';' \ + find lib -name 'testdata' -type d -exec cp -Tav '{}' "%{1}/{}" ';' \ + find lib -name 'testkeys' -type d -exec cp -Tav '{}' "%{1}/{}" ';' \ + +%define systemtest_prepare_build() \ + cp -Tuav bin/tests "%{1}/bin/tests/" \ + cp -uv version "%{1}" + +%if %{with KYUA} + ATF_PATH=/usr +%else + ATF_PATH=yes +%endif + +export CFLAGS="$CFLAGS $RPM_OPT_FLAGS" +export CPPFLAGS="$CPPFLAGS -DDIG_SIGCHASE" +export STD_CDEFINES="$CPPFLAGS" + +sed -i -e 's/RELEASEVER=\(.*\)/RELEASEVER=\1-%{version}-%{release}/' version + +libtoolize -c -f; aclocal -I libtool.m4 --force; autoconf -f + +mkdir build +pushd build +export LIBDIR_SUFFIXi= + +%configure \ + --with-python=%{__python3} --with-libtool --localstatedir=/var \ + --enable-threads --enable-ipv6 --enable-filter-aaaa --with-pic \ + --disable-static --includedir=%{_includedir}/bind9 --with-geoip \ + --with-tuning=large --with-libidn2 --enable-openssl-hash \ + --enable-fixed-rrset --enable-full-report \ + --with-docbook-xsl=%{_datadir}/sgml/docbook/xsl-stylesheets \ +%if %{with PKCS11} + --enable-native-pkcs11 --with-pkcs11=%{_libdir}/pkcs11/libsofthsm2.so \ +%endif +%if %{with SDB} + --with-dlopen=yes --with-dlz-ldap=yes --with-dlz-postgres=yes \ + --with-dlz-mysql=yes --with-dlz-filesystem=yes --with-dlz-bdb=yes \ +%endif +%if %{with GSSTSIG} + --with-gssapi=yes --disable-isc-spnego \ +%endif +%if %{with LMDB} + --with-lmdb=yes \ +%else + --with-lmdb=no \ +%endif +%if %{with UNITTEST} + --with-atf=${ATF_PATH} +%endif + +make -j32 + +cp -rv doc/* ../doc/ +pushd bin/dig +make man +popd +pushd bin/python +make man +popd + +%if ! 
%{with KYUA} +ATF_PATH="`pwd`/unit/atf" +sed -i -e '/^SUBDIRS =/s/atf-src//i' unit/Makefile +%endif + +popd # build + +%unit_prepare_build build +%systemtest_prepare_build build + +%if %{with EXPORT_LIBS} +cp isc-config.sh.1 isc-export-config.sh.1 +mkdir export-libs +pushd export-libs +export LIBDIR_SUFFIX=%{_export_dir} +%{configure} \ + --with-libtool --disable-static --disable-epoll --disable-kqueue \ + --libdir=%{_libdir}%{_export_dir} --enable-openssl-hash \ + --includedir=%{_includedir}%{_export_dir}/ --disable-threads \ + --enable-fixed-rrset --disable-rpz-nsip --disable-rpz-nsdname \ + --without-lmdb --without-libxml2 --without-libjson \ + --without-zlib --without-dlopen --enable-full-report \ +%if %{with GSSTSIG} + --with-gssapi=yes --disable-isc-spnego \ +%endif +%if %{with UNITTEST} + --with-atf=${ATF_PATH} +%endif + +mv isc-config.sh isc-export-config.sh + +sed -i \ +-e '/^SUBDIRS =/s/.*/SUBDIRS = make lib/i' \ +-e 's/isc-config.sh/isc-export-config.sh/g' \ +-e 's/bind9-config/bind9-export-config/g' \ +Makefile + +sed -i -e "/^SUBDIRS =/s/.*/SUBDIRS = isc dns isccfg irs/i" lib/Makefile +sed -i -e '/^SUBDIRS =/s/atf-src//i' unit/Makefile + +for lib in isc dns isccfg irs; do + find . -name Makefile -exec sed "s/lib${lib}\./lib${lib}-export\./g" -i {} \; + sed -e "s/-l${lib}\([^[:alpha:]]\)/-l${lib}-export\1/g" \ + -e "s/lib${lib}\./lib${lib}-export\./g" \ + -i isc-export-config.sh +done + +make -j32 +popd + +%unit_prepare_build export-libs +sed -e '/^\s*include(.*-pkcs11/ d' -e '/^\s*include(.*lwres/ d' -i export-libs/lib/Kyuafile +%endif #end EXPORT_LIBS + +%check + +%if %{with SYSTEMTEST} +if [ "`whoami`" = 'root' ]; then + set -e + chmod -R a+rwX . + pushd bin/tests + pushd system + ./ifconfig.sh up + popd + make test + e=$? + pushd system + ./ifconfig.sh down + popd + popd + if [ "$e" -ne 0 ]; then + echo "ERROR: 'make test' failed. Aborting." 
+ exit $e; + fi +fi +%endif + +%install +mkdir -p ${RPM_BUILD_ROOT}/var/log +mkdir -p ${RPM_BUILD_ROOT}/run/named +mkdir -p ${RPM_BUILD_ROOT}/etc/logrotate.d +mkdir -p ${RPM_BUILD_ROOT}%{_libdir}/bind +mkdir -p ${RPM_BUILD_ROOT}%{_mandir}/{man1,man5,man8} +mkdir -p ${RPM_BUILD_ROOT}/var/named/{slaves,data,dynamic} +mkdir -p ${RPM_BUILD_ROOT}/var/named/chroot/{dev,etc,var,run/named} +mkdir -p ${RPM_BUILD_ROOT}/var/named/chroot/var/{log,named,tmp} +mkdir -p ${RPM_BUILD_ROOT}/var/named/chroot/etc/crypto-policies/back-ends +mkdir -p ${RPM_BUILD_ROOT}/var/named/chroot/etc/{pki/dnssec-keys,named} +mkdir -p ${RPM_BUILD_ROOT}/var/named/chroot/%{_libdir}/bind +pushd ${RPM_BUILD_ROOT}/var/named/chroot/var +ln -s ../run run +popd +touch ${RPM_BUILD_ROOT}/var/named/chroot/etc/named.conf + +%if %{with SDB} +mkdir -p ${RPM_BUILD_ROOT}/var/named/chroot_sdb/{dev,etc,var,run/named} +mkdir -p ${RPM_BUILD_ROOT}/var/named/chroot_sdb/var/{log,named,tmp} +mkdir -p ${RPM_BUILD_ROOT}/var/named/chroot_sdb/etc/crypto-policies/back-ends +mkdir -p ${RPM_BUILD_ROOT}/var/named/chroot_sdb/etc/{pki/dnssec-keys,named} +mkdir -p ${RPM_BUILD_ROOT}/var/named/chroot_sdb/%{_libdir}/bind +pushd ${RPM_BUILD_ROOT}/var/named/chroot_sdb/var +ln -s ../run run +popd +touch ${RPM_BUILD_ROOT}/var/named/chroot_sdb/etc/named.conf +%endif + +pushd build +%make_install +popd + +%if %{with EXPORT_LIBS} +pushd export-libs +%make_install + +mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/ld.so.conf.d +echo "%{_libdir}%{_export_dir}" > ${RPM_BUILD_ROOT}%{_sysconfdir}/ld.so.conf.d/%{name}-export-%{_arch}.conf +cp -fp config.h ${RPM_BUILD_ROOT}%{_includedir}%{_export_dir} +rm -rf ${RPM_BUILD_ROOT}%{_includedir}%{_export_dir}/pkcs11/ +rm -f ${RPM_BUILD_ROOT}%{_includedir}%{_export_dir}/pk11/{constants,internal,pk11,result}.h +popd +%endif + +rm -f ${RPM_BUILD_ROOT}/etc/bind.keys +install -d ${RPM_BUILD_ROOT}%{_unitdir} +install -d ${RPM_BUILD_ROOT}%{_libexecdir} +install -d ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig +install -m 
644 %{SOURCE16} ${RPM_BUILD_ROOT}%{_unitdir} +install -m 644 %{SOURCE17} ${RPM_BUILD_ROOT}%{_unitdir} +install -m 644 %{SOURCE23} ${RPM_BUILD_ROOT}%{_unitdir} +install -m 644 %{SOURCE25} ${RPM_BUILD_ROOT}%{_unitdir} +install -m 755 %{SOURCE20} ${RPM_BUILD_ROOT}%{_libexecdir}/setup-named-chroot.sh +install -m 755 %{SOURCE21} ${RPM_BUILD_ROOT}%{_libexecdir}/generate-rndc-key.sh +install -m 644 %{SOURCE1} ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig/named +install -m 644 %{SOURCE28} ${RPM_BUILD_ROOT}%{_sysconfdir}/named-chroot.files +install -m 644 %{SOURCE2} ${RPM_BUILD_ROOT}/etc/logrotate.d/named + +%if %{with SDB} +install -m 644 %{SOURCE18} ${RPM_BUILD_ROOT}%{_unitdir} +install -m 644 %{SOURCE19} ${RPM_BUILD_ROOT}%{_unitdir} +install -m 644 %{SOURCE24} ${RPM_BUILD_ROOT}%{_unitdir} +install -m 644 %{SOURCE10} ${RPM_BUILD_ROOT}%{_mandir}/man1/ldap2zone.1 +install -m 644 %{SOURCE11} ${RPM_BUILD_ROOT}%{_mandir}/man8/named-sdb.8 +install -m 644 %{SOURCE12} ${RPM_BUILD_ROOT}%{_mandir}/man1/zonetodb.1 +install -m 644 %{SOURCE13} ${RPM_BUILD_ROOT}%{_mandir}/man1/zone2sqlite.1 +%endif + +%if %{with PKCS11} +install -m 644 %{SOURCE26} ${RPM_BUILD_ROOT}%{_unitdir} +install -m 755 %{SOURCE27} ${RPM_BUILD_ROOT}%{_libexecdir}/setup-named-softhsm.sh +pushd ${RPM_BUILD_ROOT}%{_mandir}/man8 +ln -s named.8.gz named-pkcs11.8.gz +ln -s dnssec-keygen.8.gz dnssec-keygen-pkcs11.8.gz +ln -s dnssec-revoke.8.gz dnssec-revoke-pkcs11.8.gz +ln -s dnssec-verify.8.gz dnssec-verify-pkcs11.8.gz +ln -s dnssec-settime.8.gz dnssec-settime-pkcs11.8.gz +ln -s dnssec-checkds.8.gz dnssec-checkds-pkcs11.8.gz +ln -s dnssec-coverage.8.gz dnssec-coverage-pkcs11.8.gz +ln -s dnssec-signzone.8.gz dnssec-signzone-pkcs11.8.gz +ln -s dnssec-dsfromkey.8.gz dnssec-dsfromkey-pkcs11.8.gz +ln -s dnssec-importkey.8.gz dnssec-importkey-pkcs11.8.gz +ln -s dnssec-keyfromlabel.8.gz dnssec-keyfromlabel-pkcs11.8.gz +popd +%endif + +%if %{with SDB} +install -d ${RPM_BUILD_ROOT}/etc/openldap/schema +install -m 644 %{SOURCE4} 
${RPM_BUILD_ROOT}/etc/openldap/schema/dnszone.schema +install -m 644 %{SOURCE5} contrib/sdb/pgsql/ +%endif + +install -m 644 lib/isc/unix/errno2result.h ${RPM_BUILD_ROOT}%{_includedir}/bind9/isc +cp -fp build/config.h ${RPM_BUILD_ROOT}/%{_includedir}/bind9 + +find ${RPM_BUILD_ROOT}/%{_libdir} -name '*.la' -exec '/bin/rm' '-f' '{}' ';'; + +touch ${RPM_BUILD_ROOT}%{_localstatedir}/log/named.log +tar -C ${RPM_BUILD_ROOT} -xjf %{SOURCE8} +touch ${RPM_BUILD_ROOT}/etc/rndc.key +touch ${RPM_BUILD_ROOT}/etc/rndc.conf +install -m 640 %{SOURCE7} ${RPM_BUILD_ROOT}/etc/named.conf + +mkdir -p sample/etc sample/var/named/{data,slaves} +mkdir ${RPM_BUILD_ROOT}/etc/named + +install -m 644 %{SOURCE15} ${RPM_BUILD_ROOT}/etc/trusted-key.key +install -m 644 %{SOURCE6} sample/etc/named.conf +install -m 644 %{SOURCE7} named.conf.default +install -m 644 ${RPM_BUILD_ROOT}/etc/named.rfc1912.zones sample/etc/named.rfc1912.zones +install -m 644 ${RPM_BUILD_ROOT}/var/named/{named.ca,named.localhost,named.loopback,named.empty} sample/var/named + +mkdir -p ${RPM_BUILD_ROOT}%{_tmpfilesdir} +mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/rwtab.d +install -m 644 %{SOURCE14} ${RPM_BUILD_ROOT}%{_tmpfilesdir}/named.conf +install -m 644 %{SOURCE22} ${RPM_BUILD_ROOT}%{_sysconfdir}/rwtab.d/named + +%pre +if [ "$1" -eq 1 ]; then + /usr/sbin/groupadd -g %{bind_gid} -f -r named >/dev/null 2>&1 || :; + /usr/sbin/useradd -u %{bind_uid} -r -N -M -g named -s /bin/false -d /var/named -c Named named >/dev/null 2>&1 || :; +fi + +%post +/sbin/ldconfig +%selinux_set_booleans named_write_master_zones=1 +if [ "$1" -eq 1 ]; then + [ -x /sbin/restorecon ] && /sbin/restorecon /etc/rndc.* /etc/named.* >/dev/null 2>&1 ; + [ -e /etc/rndc.key ] && chown root:named /etc/rndc.key + [ -e /etc/rndc.key ] && chmod 0640 /etc/rndc.key +else +if getent passwd named | grep ':/sbin/nologin$' >/dev/null; then + usermod -s /bin/false named +fi +fi + +%systemd_post named.service + +%preun +%systemd_preun named.service + +%postun 
+/sbin/ldconfig +%selinux_unset_booleans named_write_master_zones=1 +%systemd_postun_with_restart named.service + +%post libs -p /sbin/ldconfig + +%postun libs -p /sbin/ldconfig + +%post libs-lite -p /sbin/ldconfig + +%postun libs-lite -p /sbin/ldconfig + + +%if %{with SDB} +%post sdb +%systemd_post named-sdb.service + +%preun sdb +%systemd_preun named-sdb.service + +%postun sdb +%systemd_postun_with_restart named-sdb.service + +%endif #end SDB + +%if %{with PKCS11} +%post pkcs11 +/sbin/ldconfig +%systemd_post named-pkcs11.service + +%preun pkcs11 +%systemd_preun named-pkcs11.service + +%postun pkcs11 +/sbin/ldconfig +%systemd_postun_with_restart named-pkcs11.service + +%endif #end PKCS11 + +%triggerpostun -n bind -- bind <= 32:9.5.0-20.b1 +if [ "$1" -gt 0 ]; then + [ -e /etc/rndc.key ] && chown root:named /etc/rndc.key + [ -e /etc/rndc.key ] && chmod 0640 /etc/rndc.key +fi + +%triggerun -- bind < 32:9.9.0-0.6.rc1 +/sbin/chkconfig --del named >/dev/null 2>&1 || : +/bin/systemctl try-restart named.service >/dev/null 2>&1 || : + +%if %{with EXPORT_LIBS} +%post export-libs +/sbin/ldconfig + +%postun export-libs +/sbin/ldconfig + +%endif + +%define chroot_fix_devices() \ +if [ $1 -gt 1 ]; then \ + for DEV in "%{1}/dev"/{null,random,zero}; do \ + if [ -e "$DEV" -a "$(/bin/stat --printf="%G %a" "$DEV")" = "root 644" ]; then \ + /bin/chmod 0664 "$DEV" \ + /bin/chgrp named "$DEV" \ + fi \ + done \ +fi + +%post chroot +%systemd_post named-chroot.service +%chroot_fix_devices /var/named/chroot + +%posttrans chroot +if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then + [ -x /sbin/restorecon ] && /sbin/restorecon /var/named/chroot/dev/* > /dev/null 2>&1; +fi + +%preun chroot +%systemd_preun named-chroot.service named-chroot-setup.service + +%postun chroot +%systemd_postun_with_restart named-chroot.service + +%if %{with SDB} + +%post sdb-chroot +%systemd_post named-sdb-chroot.service +%chroot_fix_devices /var/named/chroot_sdb + +%posttrans sdb-chroot +if [ -x 
/usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then + [ -x /sbin/restorecon ] && /sbin/restorecon /var/named/chroot_sdb/dev/* > /dev/null 2>&1; +fi + +%preun sdb-chroot +%systemd_preun named-sdb-chroot.service + +%postun sdb-chroot +%systemd_postun_with_restart named-sdb-chroot.service + +%endif #end SDB + +%clean +rm -rf ${RPM_BUILD_ROOT} + +%files +%license COPYRIGHT +%doc CHANGES README named.conf.default doc/arm/*html doc/arm/*pdf sample/ +%{_libdir}/bind +%{_bindir}/named-rrchecker +%{_bindir}/mdig +%{_sbindir}/named-journalprint +%{_sbindir}/named-checkconf +%{_sbindir}/lwresd +%{_sbindir}/named +%{_sbindir}/rndc* +%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/sysconfig/named +%config(noreplace) %attr(0644,root,named) %{_sysconfdir}/named.root.key +%{_tmpfilesdir}/named.conf +%{_sysconfdir}/rwtab.d/named +%{_libexecdir}/generate-rndc-key.sh +%{_unitdir}/named.service +%{_unitdir}/named-setup-rndc.service + +%{_mandir}/man1/mdig.1* +%{_mandir}/man1/named-rrchecker.1* +%{_mandir}/man5/named.conf.5* +%{_mandir}/man5/rndc.conf.5* +%{_mandir}/man8/rndc.8* +%{_mandir}/man8/named.8* +%{_mandir}/man8/lwresd.8* +%{_mandir}/man8/named-checkconf.8* +%{_mandir}/man8/rndc-confgen.8* +%{_mandir}/man8/named-journalprint.8* + +%defattr(0640,root,named,0750) +%dir %{_sysconfdir}/named +%config(noreplace) %verify(not link) %{_sysconfdir}/named.conf +%config(noreplace) %verify(not link) %{_sysconfdir}/named.rfc1912.zones + +%defattr(0660,root,named,01770) +%dir %{_localstatedir}/named + +%defattr(0660,named,named,0770) +%dir %{_localstatedir}/named/slaves +%dir %{_localstatedir}/named/data +%dir %{_localstatedir}/named/dynamic +%ghost %{_localstatedir}/log/named.log + +%defattr(0640,root,named,0750) +%config %verify(not link) %{_localstatedir}/named/named.ca +%config %verify(not link) %{_localstatedir}/named/named.localhost +%config %verify(not link) %{_localstatedir}/named/named.loopback +%config %verify(not link) %{_localstatedir}/named/named.empty 
+%ghost %config(noreplace) %{_sysconfdir}/rndc.key +%ghost %config(noreplace) %{_sysconfdir}/rndc.conf +%config(noreplace) %{_sysconfdir}/logrotate.d/named + +%defattr(-,named,named,-) +%dir /run/named + +%files libs +%{_libdir}/libbind9.so.160* +%{_libdir}/libisccc.so.160* +%{_libdir}/liblwres.so.160* + +%files libs-lite +%{_libdir}/libdns.so.1102* +%{_libdir}/libirs.so.160* +%{_libdir}/libisc.so.169* +%{_libdir}/libisccfg.so.160* + + +%files utils +%{_bindir}/dig +%{_bindir}/delv +%{_bindir}/host +%{_bindir}/nslookup +%{_bindir}/nsupdate +%{_bindir}/arpaname +%{_sbindir}/ddns-confgen +%{_sbindir}/tsig-keygen +%{_sbindir}/genrandom +%{_sbindir}/nsec3hash +%{_sbindir}/dnssec* +%{_sbindir}/isc-hmac-fixup +%{_sbindir}/named-checkzone +%{_sbindir}/named-compilezone +%if %{with LMDB} +%{_sbindir}/named-nzd2nzf +%endif + +%if %{with PKCS11} +%exclude %{_sbindir}/dnssec*pkcs11 +%endif +%{_mandir}/man1/host.1* +%{_mandir}/man1/nsupdate.1* +%{_mandir}/man1/dig.1* +%{_mandir}/man1/delv.1* +%{_mandir}/man1/nslookup.1* +%{_mandir}/man1/arpaname.1* +%{_mandir}/man8/ddns-confgen.8* +%{_mandir}/man8/tsig-keygen.8* +%{_mandir}/man8/genrandom.8* +%{_mandir}/man8/nsec3hash.8* +%{_mandir}/man8/dnssec*.8* +%if %{with PKCS11} +%exclude %{_mandir}/man8/dnssec*-pkcs11.8* +%endif +%{_mandir}/man8/isc-hmac-fixup.8* +%{_mandir}/man8/named-checkzone.8* +%{_mandir}/man8/named-compilezone.8* +%if %{with LMDB} +%{_mandir}/man8/named-nzd2nzf.8* +%endif +%{_sysconfdir}/trusted-key.key + +%if %{with SDB} + +%files sdb +%doc contrib/sdb/ldap/README.ldap contrib/sdb/ldap/INSTALL.ldap contrib/sdb/pgsql/README.sdb_pgsql +%dir %{_sysconfdir}/openldap/schema +%config(noreplace) %{_sysconfdir}/openldap/schema/dnszone.schema +%{_sbindir}/named-sdb +%{_sbindir}/zone2ldap +%{_sbindir}/ldap2zone +%{_sbindir}/zonetodb +%{_sbindir}/zone2sqlite +%{_unitdir}/named-sdb.service +%{_mandir}/man1/zone2ldap.1* +%{_mandir}/man1/ldap2zone.1* +%{_mandir}/man1/zonetodb.1* +%{_mandir}/man1/zone2sqlite.1* 
+%{_mandir}/man1/isc-config.sh.1* +%{_mandir}/man1/bind9-config.1* +%{_mandir}/man3/lwres* +%{_mandir}/man8/named-sdb.8* + +%endif #end SDB + + +%files devel +%dir %{_includedir}/bind9 +%dir %{_includedir}/bind9/pk11 +%{_libdir}/libbind9.so +%{_libdir}/libisccc.so +%{_libdir}/liblwres.so +%{_libdir}/libdns.so +%{_libdir}/libirs.so +%{_libdir}/libisc.so +%{_libdir}/libisccfg.so +%{_includedir}/bind9/config.h +%{_includedir}/bind9/bind9 +%{_includedir}/bind9/isccc +%{_includedir}/bind9/lwres +%{_includedir}/bind9/dns +%{_includedir}/bind9/dst +%{_includedir}/bind9/irs +%{_includedir}/bind9/isc +%{_includedir}/bind9/pk11/site.h +%{_includedir}/bind9/isccfg +%{_bindir}/isc-config.sh +%{_bindir}/bind9-config + +%files chroot +%config(noreplace) %{_sysconfdir}/named-chroot.files +%{_unitdir}/named-chroot.service +%{_unitdir}/named-chroot-setup.service +%{_libexecdir}/setup-named-chroot.sh + +%defattr(0664,root,named,-) +%ghost %dev(c,1,3) %verify(not mtime) /var/named/chroot/dev/null +%ghost %dev(c,1,8) %verify(not mtime) /var/named/chroot/dev/random +%ghost %dev(c,1,9) %verify(not mtime) /var/named/chroot/dev/urandom +%ghost %dev(c,1,5) %verify(not mtime) /var/named/chroot/dev/zero + +%defattr(0640,root,named,0750) +%dir /var/named/chroot +%dir /var/named/chroot/{dev,etc,var,run} +%dir /var/named/chroot/etc/{named,pki} +%dir /var/named/chroot/etc/pki/dnssec-keys +%dir /var/named/chroot/etc/crypto-policies +%dir /var/named/chroot/etc/crypto-policies/back-ends +%ghost %config(noreplace) /var/named/chroot/etc/named.conf + +%defattr(-,root,root,-) +%dir /var/named/chroot/{usr,%{_libdir}} +%dir /var/named/chroot/%{_libdir}/bind + +%defattr(0660,root,named,01770) +%dir /var/named/chroot/var/named + +%defattr(0660,named,named,0770) +%dir /var/named/chroot/var/{tmp,log} + +%defattr(-,named,named,-) +%dir /var/named/chroot/run/named +/var/named/chroot/var/run + +%if %{with SDB} + +%files sdb-chroot +%config(noreplace) %{_sysconfdir}/named-chroot.files 
+%{_unitdir}/named-sdb-chroot.service +%{_unitdir}/named-sdb-chroot-setup.service +%{_libexecdir}/setup-named-chroot.sh + +%defattr(0664,root,named,-) +%ghost %dev(c,1,3) %verify(not mtime) /var/named/chroot_sdb/dev/null +%ghost %dev(c,1,8) %verify(not mtime) /var/named/chroot_sdb/dev/random +%ghost %dev(c,1,9) %verify(not mtime) /var/named/chroot_sdb/dev/urandom +%ghost %dev(c,1,5) %verify(not mtime) /var/named/chroot_sdb/dev/zero + +%defattr(0640,root,named,0750) +%dir /var/named/chroot_sdb +%dir /var/named/chroot_sdb/{dev,etc,var,run} +%dir /var/named/chroot_sdb/etc/{named,pki} +%dir /var/named/chroot_sdb/etc/pki/dnssec-keys +%dir /var/named/chroot_sdb/etc/crypto-policies +%dir /var/named/chroot_sdb/etc/crypto-policies/back-ends +%ghost %config(noreplace) /var/named/chroot_sdb/etc/named.conf + +%defattr(0660,root,named,01770) +%dir /var/named/chroot_sdb/var/named + +%defattr(-,root,root,-) +%dir /var/named/chroot_sdb/{usr,%{_libdir}} +%dir /var/named/chroot_sdb/%{_libdir}/bind + +%defattr(0660,named,named,0770) +%dir /var/named/chroot_sdb/var/{tmp,log} + +%defattr(-,named,named,-) +%dir /var/named/chroot_sdb/run/named +/var/named/chroot_sdb/var/run + +%endif #end SDB + +%if %{with PKCS11} + +%files pkcs11 +%{_sbindir}/named-pkcs11 +%{_sbindir}/dnssec*pkcs11 +%{_sbindir}/pkcs11-* +%{_libdir}/libdns-pkcs11.so.1102* +%{_libdir}/libisc-pkcs11.so.169* +%{_unitdir}/named-pkcs11.service +%{_libexecdir}/setup-named-softhsm.sh +%{_mandir}/man8/*pkcs11*.8* + +%files pkcs11-devel +%{_libdir}/lib*-pkcs11.so +%{_includedir}/bind9/pk11/*.h +%{_includedir}/bind9/pkcs11 +%exclude %{_includedir}/bind9/pk11/site.h + +%endif #end PKCS11 + +%if %{with EXPORT_LIBS} + +%files export-libs +%dir %{_libdir}/%{_export_dir} +%{_libdir}/%{_export_dir}/libdns-export.so.1102* +%{_libdir}/%{_export_dir}/libirs-export.so.160* +%{_libdir}/%{_export_dir}/libisc-export.so.169* +%{_libdir}/%{_export_dir}/libisccfg-export.so.160* +%config(noreplace) 
%{_sysconfdir}/ld.so.conf.d/%{name}-export-%{_arch}.conf + +%files export-devel +%{_libdir}/%{_export_dir}/lib*-export.so +%{_includedir}/%{_export_dir}/{dns,dst,irs,isc,isccfg} +%{_includedir}/%{_export_dir}/pk11/site.h +%{_includedir}/%{_export_dir}/config.h +%attr(0755,root,root) %{_bindir}/isc-export-config.sh +%{_bindir}/bind9-export-config +%{_mandir}/man1/*-export-config*.1* + +%endif #end EXPORT_LIBS + +%files -n python3-bind +%{python3_sitelib}/*.egg-info +%{python3_sitelib}/isc/ + + +%changelog +* Sat Dec 21 2019 openEuler Buildteam - 9.11.4-12 +- Package init diff --git a/bind.tmpfiles.d b/bind.tmpfiles.d new file mode 100644 index 0000000000000000000000000000000000000000..640a656170fbb4ede4dd65aa2ff3f864a697f07d --- /dev/null +++ b/bind.tmpfiles.d @@ -0,0 +1 @@ +d /run/named 0755 named named - diff --git a/bind93-rh490837.patch b/bind93-rh490837.patch new file mode 100644 index 0000000000000000000000000000000000000000..230d7a707d44fb3fd9e979a97712240c220a471b --- /dev/null +++ b/bind93-rh490837.patch 
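Review bot: `%post` runs `%selinux_set_booleans named_write_master_zones=1` unconditionally, which loosens the named_t policy on every host that installs the package, including pure recursive resolvers that never write zone files; either leave the boolean to the administrator or add a comment in %post stating why the package defaults it on, e.g. `# dynamic updates and slave zones under /var/named need named_write_master_zones`. In %build, `export LIBDIR_SUFFIXi=` looks like a typo for `LIBDIR_SUFFIX=` (the export-libs build below sets the correctly spelled variable), and the two hard-coded `make -j32` should be `%make_build` so the build honours the builder's job limit. Source0 is fetched from ftp.isc.org with no companion `.asc` or checksum Source, so nothing in %prep verifies the tarball's provenance; adding the upstream signature as a Source and a `gpgv2 --keyring` check would close that gap.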
@@ -0,0 +1,95 @@ +? patch +? lib/isc/lex.c.rh490837 +Index: lib/isc/lex.c +=================================================================== +RCS file: /var/snap/bind9/lib/isc/lex.c,v +retrieving revision 1.86 +diff -p -u -r1.86 lex.c +--- lib/isc/lex.c 17 Sep 2007 09:56:29 -0000 1.86 ++++ lib/isc/lex.c 6 Apr 2009 13:24:15 -0000 +@@ -425,17 +425,14 @@ isc_lex_gettoken(isc_lex_t *lex, unsigne + if (source->is_file) { + stream = source->input; + +-#if defined(HAVE_FLOCKFILE) && defined(HAVE_GETCUNLOCKED) +- c = getc_unlocked(stream); +-#else +- c = getc(stream); +-#endif +- if (c == EOF) { +- if (ferror(stream)) { +- source->result = ISC_R_IOERROR; +- result = source->result; ++ result = isc_stdio_fgetc(stream, &c); ++ ++ if (result != ISC_R_SUCCESS) { ++ if (result != ISC_R_EOF) { ++ source->result = result; + goto done; + } ++ + source->at_eof = ISC_TRUE; + } + } else { +Index: lib/isc/include/isc/stdio.h +=================================================================== +RCS file: /var/snap/bind9/lib/isc/include/isc/stdio.h,v +retrieving revision 1.13 +diff -p -u -r1.13 stdio.h +--- lib/isc/include/isc/stdio.h 19 Jun 2007 23:47:18 -0000 1.13 ++++ lib/isc/include/isc/stdio.h 6 Apr 2009 13:24:15 -0000 +@@ -72,6 +72,9 @@ isc_stdio_sync(FILE *f); + * direct counterpart in the stdio library. 
+ */ + ++isc_result_t ++isc_stdio_fgetc(FILE *f, int *ret); ++ + ISC_LANG_ENDDECLS + + #endif /* ISC_STDIO_H */ +Index: lib/isc/unix/errno2result.c +=================================================================== +RCS file: /var/snap/bind9/lib/isc/unix/errno2result.c,v +retrieving revision 1.17 +diff -p -u -r1.17 errno2result.c +--- lib/isc/unix/errno2result.c 19 Jun 2007 23:47:18 -0000 1.17 ++++ lib/isc/unix/errno2result.c 6 Apr 2009 13:24:15 -0000 +@@ -43,6 +43,7 @@ isc__errno2result(int posixerrno) { + case EINVAL: /* XXX sometimes this is not for files */ + case ENAMETOOLONG: + case EBADF: ++ case EISDIR: + return (ISC_R_INVALIDFILE); + case ENOENT: + return (ISC_R_FILENOTFOUND); +Index: lib/isc/unix/stdio.c +=================================================================== +RCS file: /var/snap/bind9/lib/isc/unix/stdio.c,v +retrieving revision 1.8 +diff -p -u -r1.8 stdio.c +--- lib/isc/unix/stdio.c 19 Jun 2007 23:47:18 -0000 1.8 ++++ lib/isc/unix/stdio.c 6 Apr 2009 13:24:15 -0000 +@@ -115,3 +115,22 @@ isc_stdio_sync(FILE *f) { + return (isc__errno2result(errno)); + } + ++isc_result_t ++isc_stdio_fgetc(FILE *f, int *ret) { ++ int r; ++ isc_result_t result = ISC_R_SUCCESS; ++ ++#if defined(HAVE_FLOCKFILE) && defined(HAVE_GETCUNLOCKED) ++ r = fgetc_unlocked(f); ++#else ++ r = fgets(f); ++#endif ++ ++ if (r == EOF) ++ result = ferror(f) ? isc__errno2result(errno) : ISC_R_EOF; ++ ++ *ret = r; ++ ++ return result; ++} ++ diff --git a/bind97-rh478718.patch b/bind97-rh478718.patch new file mode 100644 index 0000000000000000000000000000000000000000..ef4449039f1058a573595bac9a39eff3b2a71f79 --- /dev/null +++ b/bind97-rh478718.patch 
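Review bot: The fallback branch of the new isc_stdio_fgetc in lib/isc/unix/stdio.c reads `r = fgets(f);` — fgets takes a buffer, a length and a stream and returns char *, so any build where HAVE_FLOCKFILE or HAVE_GETCUNLOCKED is not defined will not compile; the intended call is `r = fgetc(f);`. The lex.c caller now distinguishes ISC_R_EOF from other failures, but the declaration added to stdio.h carries no comment describing that tri-state contract; a short `/*%< Read one character from 'f' into *ret; returns ISC_R_EOF at end of file and an errno-derived result on a read error. */` above it would make the ISC_R_EOF check in isc_lex_gettoken self-explanatory. The helper derives its error result from errno after ferror(), which is correct only if nothing between the failed read and isc__errno2result runs in between, as is the case in the visible code.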
@@ -0,0 +1,51 @@ +diff --git a/configure.in b/configure.in +index 896e81c1ce..73b1c8ccbb 100644 +--- a/configure.in ++++ b/configure.in +@@ -4275,6 +4275,10 @@ if test "yes" = "$use_atomic"; then + AC_MSG_RESULT($arch) + fi + ++if test ! "$arch" = "x86_64" -a "$have_xaddq" = "yes"; then ++ AC_MSG_ERROR([XADDQ present but disabled by Fedora patch!]) ++fi ++ + if test "yes" = "$have_atomic"; then + AC_MSG_CHECKING([compiler support for inline assembly code]) + +diff --git a/lib/isc/include/isc/platform.h.in b/lib/isc/include/isc/platform.h.in +index 2ff522342f..58df86adb3 100644 +--- a/lib/isc/include/isc/platform.h.in ++++ b/lib/isc/include/isc/platform.h.in +@@ -289,19 +289,25 @@ + * If the "xaddq" operation (64bit xadd) is available on this architecture, + * ISC_PLATFORM_HAVEXADDQ will be defined. + */ +-@ISC_PLATFORM_HAVEXADDQ@ + + /* +- * If the 32-bit "atomic swap" operation is available on this +- * architecture, ISC_PLATFORM_HAVEATOMICSTORE" will be defined. ++ * If the 64-bit "atomic swap" operation is available on this ++ * architecture, ISC_PLATFORM_HAVEATOMICSTOREQ" will be defined. + */ +-@ISC_PLATFORM_HAVEATOMICSTORE@ ++ ++#ifdef __x86_64__ ++#define ISC_PLATFORM_HAVEXADDQ 1 ++#define ISC_PLATFORM_HAVEATOMICSTOREQ 1 ++#else ++#undef ISC_PLATFORM_HAVEXADDQ ++#undef ISC_PLATFORM_HAVEATOMICSTOREQ ++#endif + + /* +- * If the 64-bit "atomic swap" operation is available on this ++ * If the 32-bit "atomic swap" operation is available on this + * architecture, ISC_PLATFORM_HAVEATOMICSTORE" will be defined. + */ +-@ISC_PLATFORM_HAVEATOMICSTOREQ@ ++@ISC_PLATFORM_HAVEATOMICSTORE@ + + /* + * If the "compare-and-exchange" operation is available on this architecture, diff --git a/bind97-rh645544.patch b/bind97-rh645544.patch new file mode 100644 index 0000000000000000000000000000000000000000..d1d8429f9d85eb76ec781a976f505df560b2fe43 --- /dev/null +++ b/bind97-rh645544.patch 
@@ -0,0 +1,30 @@
+diff -up bind-9.9.4rc2/lib/dns/resolver.c.rh645544 bind-9.9.4rc2/lib/dns/resolver.c
+--- bind-9.9.4rc2/lib/dns/resolver.c.rh645544 2013-08-19 10:30:52.000000000 +0200
++++ bind-9.9.4rc2/lib/dns/resolver.c 2013-09-06 17:58:03.864165823 +0200
+@@ -1138,7 +1138,7 @@ log_edns(fetchctx_t *fctx) {
+ */
+ dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_EDNS_DISABLED,
+- DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
++ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(1),
+ "success resolving '%s' (in '%s'?) after %s",
+ fctx->info, domainbuf, fctx->reason);
+
+@@ -3804,7 +3804,7 @@ log_lame(fetchctx_t *fctx, dns_adbaddrin
+ dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
+ isc_sockaddr_format(&addrinfo->sockaddr, addrbuf, sizeof(addrbuf));
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_LAME_SERVERS,
+- DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
++ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(1),
+ "lame server resolving '%s' (in '%s'?): %s",
+ namebuf, domainbuf, addrbuf);
+ }
+@@ -3831,7 +3831,7 @@ log_formerr(fetchctx_t *fctx, const char
+ }
+
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+- DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
++ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(1),
+ "DNS format error from %s resolving %s%s%s: %s",
+ nsbuf, fctx->info, clmsg, clbuf, msgbuf);
+ }
diff --git a/bind97-rh669163.patch b/bind97-rh669163.patch
new file mode 100644
index 0000000000000000000000000000000000000000..125049fb722495f3eddcff9beb8ea1310274613d
--- /dev/null
+++ b/bind97-rh669163.patch
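Review bot: The three inner hunks lower the lame-server, EDNS-fallback and FORMERR messages from ISC_LOG_INFO / ISC_LOG_NOTICE to ISC_LOG_DEBUG(1), which removes them from a default logging configuration, yet the patch has no preamble saying why. Lame delegations and malformed answers from an upstream are among the few operational signals a resolver operator gets about broken or misbehaving infrastructure, so the trade-off deserves one line at the top of the patch file, e.g. `Quiet noisy resolver diagnostics by default; operators who want them back can raise the severity of the lame-servers / resolver logging categories to debug 1.` That preamble also tells the next packager these are intentional downgrades rather than leftovers from debugging.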
@@ -0,0 +1,14 @@ +diff -up bind-9.7.2-P3/lib/lwres/lwconfig.c.rh669163 bind-9.7.2-P3/lib/lwres/lwconfig.c +--- bind-9.7.2-P3/lib/lwres/lwconfig.c.rh669163 2011-01-28 14:48:38.934472578 +0100 ++++ bind-9.7.2-P3/lib/lwres/lwconfig.c 2011-01-28 14:49:50.421326035 +0100 +@@ -612,6 +612,10 @@ lwres_conf_parse(lwres_context_t *ctx, c + break; + } + ++ /* Ignore options with no parameters */ ++ if (stopchar == '\n') ++ continue; ++ + if (strlen(word) == 0U) + rval = LWRES_R_SUCCESS; + else if (strcmp(word, "nameserver") == 0) diff --git a/bind99-rh640538.patch b/bind99-rh640538.patch new file mode 100644 index 0000000000000000000000000000000000000000..5066a1450a3fdb4f7130b483cf0e47fe29a00440 --- /dev/null +++ b/bind99-rh640538.patch @@ -0,0 +1,44 @@ +diff --git a/bin/dig/dig.docbook b/bin/dig/dig.docbook +index 1079421..f11abd1 100644 +--- a/bin/dig/dig.docbook ++++ b/bin/dig/dig.docbook +@@ -1177,6 +1177,39 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr + + + ++ RETURN CODES ++ ++ Dig return codes are: ++ ++ ++ ++ 0: Everything went well, including things like NXDOMAIN ++ ++ ++ ++ ++ 1: Usage error ++ ++ ++ ++ ++ 8: Couldn't open batch file ++ ++ ++ ++ ++ 9: No reply from server ++ ++ ++ ++ ++ 10: Internal error ++ ++ ++ ++ ++ ++ + FILES + + /etc/resolv.conf diff --git a/bugfix-named-log-time.patch b/bugfix-named-log-time.patch new file mode 100644 index 0000000000000000000000000000000000000000..0e80c762db733cf492976b835c124d9fc95f0c70 --- /dev/null +++ b/bugfix-named-log-time.patch 
@@ -0,0 +1,146 @@ +diff -upNr b/lib/isc/include/isc/util.h a/lib/isc/include/isc/util.h +--- b/lib/isc/include/isc/util.h 2019-07-30 19:52:09.600000000 +0800 ++++ a/lib/isc/include/isc/util.h 2019-07-30 21:39:03.400000000 +0800 +@@ -233,7 +233,7 @@ + * Time + */ + #define TIME_NOW(tp) RUNTIME_CHECK(isc_time_now((tp)) == ISC_R_SUCCESS) +- ++#define TIME_REAL_NOW(tp) RUNTIME_CHECK(isc_time_real_now((tp)) == ISC_R_SUCCESS) + /*% + * Alignment + */ +diff -upNr b/lib/isc/log.c a/lib/isc/log.c +--- b/lib/isc/log.c 2019-07-30 19:52:09.610000000 +0800 ++++ a/lib/isc/log.c 2019-07-30 21:39:03.410000000 +0800 +@@ -1498,7 +1498,7 @@ isc_log_doit(isc_log_t *lctx, isc_logcat + time_string[0] == '\0') { + isc_time_t isctime; + +- TIME_NOW(&isctime); ++ TIME_REAL_NOW(&isctime); + isc_time_formattimestamp(&isctime, time_string, + sizeof(time_string)); + } +@@ -1545,7 +1545,7 @@ isc_log_doit(isc_log_t *lctx, isc_logcat + * which fall within the duplicate_interval + * range. + */ +- TIME_NOW(&oldest); ++ TIME_REAL_NOW(&oldest); + if (isc_time_subtract(&oldest, &interval, + &oldest) + != ISC_R_SUCCESS) +@@ -1622,7 +1622,7 @@ isc_log_doit(isc_log_t *lctx, isc_logcat + strlcpy(message->text, lctx->buffer, + size); + +- TIME_NOW(&message->time); ++ TIME_REAL_NOW(&message->time); + + ISC_LINK_INIT(message, link); + ISC_LIST_APPEND(lctx->messages, +diff -upNr b/lib/isc/unix/include/isc/time.h a/lib/isc/unix/include/isc/time.h +--- b/lib/isc/unix/include/isc/time.h 2019-07-30 19:52:09.600000000 +0800 ++++ a/lib/isc/unix/include/isc/time.h 2019-07-30 21:39:03.400000000 +0800 +@@ -149,6 +149,8 @@ isc_time_now(isc_time_t *t); + */ + + isc_result_t ++isc_time_real_now(isc_time_t *t); ++isc_result_t + isc_time_nowplusinterval(isc_time_t *t, const isc_interval_t *i); + /*%< + * Set *t to the current absolute time + i. 
+diff -upNr b/lib/isc/unix/time.c a/lib/isc/unix/time.c +--- b/lib/isc/unix/time.c 2019-07-30 19:52:09.600000000 +0800 ++++ a/lib/isc/unix/time.c 2019-07-30 21:39:03.400000000 +0800 +@@ -36,6 +36,9 @@ + #define NS_PER_MS 1000000 /*%< Nanoseconds per millisecond. */ + #define US_PER_S 1000000 /*%< Microseconds per second. */ + ++#ifndef ISC_FIX_TV_USEC ++#define ISC_FIX_TV_USEC 1 ++#endif + #define CLOCKSOURCE CLOCK_MONOTONIC + + /*% +@@ -44,6 +47,27 @@ + + static const isc_interval_t zero_interval = { 0, 0 }; + const isc_interval_t * const isc_interval_zero = &zero_interval; ++#if ISC_FIX_TV_USEC ++static inline void ++fix_tv_usec(struct timeval *tv) { ++ isc_boolean_t fixed = ISC_FALSE; ++ if (tv->tv_usec < 0) { ++ fixed = ISC_TRUE; ++ do { ++ tv->tv_sec -= 1; ++ tv->tv_usec += US_PER_S; ++ } while (tv->tv_usec < 0); ++ } else if (tv->tv_usec >= US_PER_S) { ++ fixed = ISC_TRUE; ++ do { ++ tv->tv_sec += 1; ++ tv->tv_usec -= US_PER_S; ++ } while (tv->tv_usec >=US_PER_S); ++ } ++ if (fixed) ++ (void)syslog(LOG_ERR, "gettimeofday returned bad tv_usec: corrected"); ++} ++#endif + + void + isc_interval_set(isc_interval_t *i, +@@ -105,6 +129,50 @@ isc_time_isepoch(const isc_time_t *t) { + + + isc_result_t ++isc_time_real_now(isc_time_t *t) { ++ struct timeval tv; ++ char strbuf[ISC_STRERRORSIZE]; ++ ++ REQUIRE(t != NULL); ++ ++ if (gettimeofday(&tv, NULL) == -1) { ++ isc__strerror(errno, strbuf, sizeof(strbuf)); ++ UNEXPECTED_ERROR(__FILE__, __LINE__, "%s", strbuf); ++ return (ISC_R_UNEXPECTED); ++ } ++ ++ /* ++ * Does POSIX guarantee the signedness of tv_sec and tv_usec? If not, ++ * then this test will generate warnings for platforms on which it is ++ * unsigned. In any event, the chances of any of these problems ++ * happening are pretty much zero, but since the libisc library ensures ++ * certain things to be true ... 
++ */ ++#if ISC_FIX_TV_USEC ++ fix_tv_usec(&tv); ++ if (tv.tv_sec < 0) ++ return (ISC_R_UNEXPECTED); ++#else ++ if (tv.tv_sec < 0 || tv.tv_usec < 0 || tv.tv_usec >= US_PER_S) ++ return (ISC_R_UNEXPECTED); ++#endif ++ ++ /* ++ * Ensure the tv_sec value fits in t->seconds. ++ */ ++ if (sizeof(tv.tv_sec) > sizeof(t->seconds) && ++ ((tv.tv_sec | (unsigned int)-1) ^ (unsigned int)-1) != 0U) ++ return (ISC_R_RANGE); ++ ++ t->seconds = tv.tv_sec; ++ t->nanoseconds = tv.tv_usec * NS_PER_US; ++ ++ return (ISC_R_SUCCESS); ++} ++ ++ ++ ++isc_result_t + isc_time_now(isc_time_t *t) { + struct timespec ts; + char strbuf[ISC_STRERRORSIZE]; diff --git a/bugfix-nslookup-norec.patch b/bugfix-nslookup-norec.patch new file mode 100644 index 0000000000000000000000000000000000000000..a67899ad2437e7a87b92e7af96ae3656c9b0a89a --- /dev/null +++ b/bugfix-nslookup-norec.patch @@ -0,0 +1,19 @@ +diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c +--- a/bin/dig/dighost.c.orig 2011-03-11 07:46:58.000000000 +0100 ++++ b/bin/dig/dighost.c 2011-10-28 14:31:29.806591603 +0200 +@@ -3291,8 +3291,13 @@ + } else { + if (!l->ns_search_only) { + fputs(l->cmdline, stdout); +- printf(";; connection timed out; no servers could be " +- "reached\n"); ++ if (!next_origin(ISC_LIST_HEAD(l->q))) { ++ printf(";; connection timed out; no servers could be " ++ "reached\n"); ++ } else { ++ printf(";; connection timed out; trying next " ++ "origin\n"); ++ } + } + cancel_lookup(l); + check_next_lookup(l); diff --git a/config-18.tar.bz2 b/config-18.tar.bz2 new file mode 100644 index 0000000000000000000000000000000000000000..249ee69b0bf7a58b3403593b2b828ffcbce46fdb Binary files /dev/null and b/config-18.tar.bz2 differ diff --git a/dnszone.schema b/dnszone.schema new file mode 100644 index 0000000000000000000000000000000000000000..cb72a3fd923962030c23bfd105e7f6a92fe1378f --- /dev/null +++ b/dnszone.schema 
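Review bot: In the lib/isc/log.c part of bugfix-named-log-time.patch the duplicate-suppression arithmetic (`TIME_REAL_NOW(&oldest)` and `TIME_REAL_NOW(&message->time)`) now uses gettimeofday, which is not monotonic: when the system clock is stepped, the comparison against `oldest` (which lives outside the hunk) will either re-emit messages that should have been suppressed or keep suppressing them past the configured interval, depending on the direction of the step. If the intent is only a wall-clock timestamp in the formatted output, the first TIME_NOW → TIME_REAL_NOW change in isc_log_doit is sufficient and the interval bookkeeping should stay on TIME_NOW. The new isc_time_real_now has no doc comment in time.h; `/*%< Set *t to the current wall-clock time via gettimeofday(); unlike isc_time_now() the result is not monotonic. */` would record that difference where callers choose between the two. fix_tv_usec also calls syslog() directly from inside libisc rather than through the library's own logging, which is presumably why LOG_ERR appears there — worth a comment if that is deliberate.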
@@ -0,0 +1,148 @@ +# A schema for storing DNS zones in LDAP +# +attributetype ( 1.3.6.1.4.1.2428.20.0.0 NAME 'dNSTTL' + DESC 'An integer denoting time to live' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) + +attributetype ( 1.3.6.1.4.1.2428.20.0.1 NAME 'dNSClass' + DESC 'The class of a resource record' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.4.1.2428.20.0.2 NAME 'zoneName' + DESC 'The name of a zone, i.e. the name of the highest node in the zone' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.4.1.2428.20.0.3 NAME 'relativeDomainName' + DESC 'The starting labels of a domain name' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.4.1.2428.20.1.12 NAME 'pTRRecord' + DESC 'domain name pointer, RFC 1035' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.4.1.2428.20.1.13 NAME 'hInfoRecord' + DESC 'host information, RFC 1035' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.4.1.2428.20.1.14 NAME 'mInfoRecord' + DESC 'mailbox or mail list information, RFC 1035' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.4.1.2428.20.1.16 NAME 'tXTRecord' + DESC 'text string, RFC 1035' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.4.1.2428.20.1.18 NAME 'aFSDBRecord' + DESC 'for AFS Data Base location, RFC 1183' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.4.1.2428.20.1.24 NAME 'SigRecord' + DESC 
'Signature, RFC 2535' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.4.1.2428.20.1.25 NAME 'KeyRecord' + DESC 'Key, RFC 2535' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.4.1.2428.20.1.28 NAME 'aAAARecord' + DESC 'IPv6 address, RFC 1886' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.4.1.2428.20.1.29 NAME 'LocRecord' + DESC 'Location, RFC 1876' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.4.1.2428.20.1.30 NAME 'nXTRecord' + DESC 'non-existant, RFC 2535' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.4.1.2428.20.1.33 NAME 'sRVRecord' + DESC 'service location, RFC 2782' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.4.1.2428.20.1.35 NAME 'nAPTRRecord' + DESC 'Naming Authority Pointer, RFC 2915' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.4.1.2428.20.1.36 NAME 'kXRecord' + DESC 'Key Exchange Delegation, RFC 2230' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.4.1.2428.20.1.37 NAME 'certRecord' + DESC 'certificate, RFC 2538' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.4.1.2428.20.1.38 NAME 'a6Record' + DESC 'A6 Record Type, RFC 2874' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 
1.3.6.1.4.1.2428.20.1.39 NAME 'dNameRecord' + DESC 'Non-Terminal DNS Name Redirection, RFC 2672' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.4.1.2428.20.1.43 NAME 'dSRecord' + DESC 'Delegation Signer, RFC 3658' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.4.1.2428.20.1.46 NAME 'rRSIGRecord' + DESC 'RRSIG, RFC 3755' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.4.1.2428.20.1.47 NAME 'nSECRecord' + DESC 'NSEC, RFC 3755' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +objectclass ( 1.3.6.1.4.1.2428.20.3 NAME 'dNSZone' + SUP top STRUCTURAL + MUST ( zoneName $ relativeDomainName ) + MAY ( DNSTTL $ DNSClass $ + ARecord $ MDRecord $ MXRecord $ NSRecord $ + SOARecord $ CNAMERecord $ PTRRecord $ HINFORecord $ + MINFORecord $ TXTRecord $ SIGRecord $ KEYRecord $ + AAAARecord $ LOCRecord $ NXTRecord $ SRVRecord $ + NAPTRRecord $ KXRecord $ CERTRecord $ A6Record $ + DNAMERecord ) ) diff --git a/feature-bind99-euler-range-port.patch b/feature-bind99-euler-range-port.patch new file mode 100644 index 0000000000000000000000000000000000000000..19f8e87c5055d29752c23be2cbe280a5d454bf59 --- /dev/null +++ b/feature-bind99-euler-range-port.patch 
@@ -0,0 +1,282 @@ +diff --git a/lib/dns/dispatch.c b/lib/dns/dispatch.c +index c93651d..d03ef2d 100644 +--- a/lib/dns/dispatch.c ++++ b/lib/dns/dispatch.c +@@ -49,6 +49,7 @@ + #include + #include + ++const char *conffile = "/etc/dns_port.conf"; + typedef ISC_LIST(dns_dispentry_t) dns_displist_t; + + typedef struct dispsocket dispsocket_t; +@@ -1933,6 +1934,168 @@ open_socket(isc_socketmgr_t *mgr, isc_sockaddr_t *local, + return (ISC_R_SUCCESS); + } + ++static int convert_num(char *str) ++{ ++ int negative = 0; ++ int tval; ++ int val = 0; ++ int base = 10; ++ char *ptr = str; ++ if (str == NULL) ++ return -ISC_R_FAILURE; ++ ++ if (*ptr == '-') { ++ negative = 1; ++ ++ptr; ++ } ++ ++ do { ++ tval = *ptr++; ++ /* XXX assumes ASCII... */ ++ if (tval >= '0') ++ tval -= '0'; ++ else { ++ syslog (LOG_ERR, "Bogus number: %s.", str); ++ return -ISC_R_BADNUMBER; ++ } ++ if (tval >= base) { ++ syslog (LOG_ERR, "Bogus number: %s.", str); ++ return -ISC_R_BADNUMBER; ++ } ++ val = val * base + tval; ++ } while (*ptr); ++ ++ if (negative) ++ val = -val; ++ return val; ++} ++ ++static int str_token(char *str, int *digit, unsigned int len, const char *semi) ++{ ++ int num = 0; ++ char *p; ++ p = strtok(str, semi); ++ while (p !=NULL) { ++ if (num >= len-1) { ++ digit[num] = '\0'; ++ break; ++ } ++ /* convert string to integer */ ++ digit[num] = convert_num(p); ++ if (digit[num] < 0) ++ return -ISC_R_BADNUMBER; ++ ++ p = strtok(NULL, semi); ++ num++; ++ } ++ ++ return num; ++} ++ ++static int parse_port_config(const char *buffer, const char *sub_buf, int *ports, unsigned int len, const char *semi) ++{ ++ char *str; ++ char string[256] = {0}; ++ int start, end; ++ int ret = -ISC_R_DISABLED; ++ ++ if (str = strstr(buffer, sub_buf)) { ++ start = strlen(sub_buf); ++ end = strlen(str); ++ strncpy(string, str + start, end - start -1); ++ /* string segmentation with semi character */ ++ ret = str_token(string, ports, len, semi); ++ if (ret < 0) ++ return -ISC_R_BADNUMBER; ++ } ++ ++ 
return ret; ++} ++ ++static isc_result_t ++parse_config(const char *file, in_port_t *port_lo, in_port_t *port_hi, in_port_t *no_use_ports) ++{ ++ FILE *fp; ++ char *str = NULL; ++ char buffer[256] = {0}; ++ int ports[8] = {0}; ++ int unports[17] = {0}; ++ int i = 0; ++ int ret; ++ ++ fp = fopen(file, "r"); ++ if (fp) { ++ while (fgets(buffer, 256, fp)) { ++ const char *buffer_s = buffer; ++ str = buffer; ++ /* skip the comment line */ ++ while (isspace(*str)) ++ str++; ++ if (strncmp(str, "#", 1) == 0) ++ continue; ++ /* get default set of dispatch ports */ ++ ret = parse_port_config(buffer_s, "dns-range-port", ports, 8, " "); ++ if (ret == 2) { ++ *port_lo = (in_port_t)ports[0]; ++ *port_hi = (in_port_t)ports[1]; ++ if (*port_lo < 1024 || *port_hi > 65535 || *port_lo > *port_hi) { ++ syslog(LOG_ERR, ++ "Unexpected ports contents in %s file.", file); ++ fclose(fp); ++ fp = NULL; ++ return ISC_R_INVALIDFILE; ++ } ++ } else if (ret != -ISC_R_DISABLED){ ++ syslog(LOG_ERR, ++ "Unexpected ports contents in %s file.", file); ++ fclose(fp); ++ fp = NULL; ++ return ISC_R_INVALIDFILE; ++ } ++ /* get excluded ports */ ++ ret = parse_port_config(buffer_s, "dns-excluded-ports", unports, 17, " "); ++ if (ret > 0) { ++ while (unports[i] != '\0') { ++ no_use_ports[i] = (in_port_t)unports[i]; ++ i++; ++ } ++ } else if (ret != -ISC_R_DISABLED) { ++ syslog(LOG_ERR, ++ "Unexpected ports contents in %s file.", file); ++ fclose(fp); ++ fp = NULL; ++ return ISC_R_INVALIDFILE; ++ } ++ } ++ ++ fclose(fp); ++ fp = NULL; ++ return ISC_R_SUCCESS; ++ } ++ ++ syslog(LOG_ERR, ++ "Open %s fail, return.\n", file); ++ return ISC_R_FILENOTFOUND; ++} ++ ++/*% ++ * Create a temporary port list to set the initial default set of dispatch ++ * ports and excluded ports. This is almost meaningless as the application will ++ * normally set the ports explicitly, but is provided to fill some minor corner ++ * cases. 
++ */ ++static isc_result_t ++create_portset_by_range(isc_mem_t *mctx, isc_portset_t **portsetp, in_port_t port_lo, in_port_t port_hi, in_port_t *no_use_ports) { ++ isc_result_t result; ++ ++ result = isc_portset_create(mctx, portsetp); ++ if (result != ISC_R_SUCCESS) ++ return (result); ++ isc_portset_addrange_by_range(*portsetp, port_lo, port_hi, no_use_ports); ++ ++ return (ISC_R_SUCCESS); ++} ++ + /*% + * Create a temporary port list to set the initial default set of dispatch + * ports: [1024, 65535]. This is almost meaningless as the application will +@@ -1963,6 +2125,9 @@ dns_dispatchmgr_create(isc_mem_t *mctx, isc_entropy_t *entropy, + isc_result_t result; + isc_portset_t *v4portset = NULL; + isc_portset_t *v6portset = NULL; ++ in_port_t port_lo = 1024; ++ in_port_t port_hi = 65535; ++ in_port_t no_use_ports[17] = {0}; + + REQUIRE(mctx != NULL); + REQUIRE(mgrp != NULL && *mgrp == NULL); +@@ -2063,14 +2228,23 @@ dns_dispatchmgr_create(isc_mem_t *mctx, isc_entropy_t *entropy, + mgr->nv6ports = 0; + mgr->magic = DNS_DISPATCHMGR_MAGIC; + +- result = create_default_portset(mctx, &v4portset); ++ /* parse port list file, get default set of dispatch ports and excluded ports */ ++ result = parse_config(conffile, &port_lo, &port_hi, no_use_ports); + if (result == ISC_R_SUCCESS) { +- result = create_default_portset(mctx, &v6portset); +- if (result == ISC_R_SUCCESS) { +- result = dns_dispatchmgr_setavailports(mgr, +- v4portset, +- v6portset); +- } ++ create_portset_by_range(mctx, &v4portset, port_lo, port_hi, no_use_ports); ++ if (result == ISC_R_SUCCESS) ++ result = create_portset_by_range(mctx, &v6portset, port_lo, port_hi, no_use_ports); ++ } ++ else { ++ result = create_default_portset(mctx, &v4portset); ++ if (result == ISC_R_SUCCESS) ++ result = create_default_portset(mctx, &v6portset); ++ } ++ ++ if (result == ISC_R_SUCCESS) { ++ result = dns_dispatchmgr_setavailports(mgr, ++ v4portset, ++ v6portset); + } + if (v4portset != NULL) + isc_portset_destroy(mctx, 
&v4portset); +diff --git a/lib/isc/include/isc/portset.h b/lib/isc/include/isc/portset.h +index 774d6bb..cfd0bcb 100644 +--- a/lib/isc/include/isc/portset.h ++++ b/lib/isc/include/isc/portset.h +@@ -125,6 +125,19 @@ isc_portset_addrange(isc_portset_t *portset, in_port_t port_lo, + */ + + void ++isc_portset_addrange_by_range(isc_portset_t *portset, in_port_t port_lo, ++ in_port_t port_hi, in_port_t *no_use_ports); ++/*%< ++ * Add a subset of [port_lo, port_hi] (inclusive) and no_use_ports(exclusive) to the portset. Ports in the ++ * subset may or may not be stored in portset. ++ * ++ * Requires: ++ *\li 'portlist' to be valid. ++ *\li port_lo <= port_hi ++ *\li no_use_ports > 0 ++ */ ++ ++void + isc_portset_removerange(isc_portset_t *portset, in_port_t port_lo, + in_port_t port_hi); + /*%< +diff --git a/lib/isc/portset.c b/lib/isc/portset.c +index 471ca8e..0ebd79f 100644 +--- a/lib/isc/portset.c ++++ b/lib/isc/portset.c +@@ -128,6 +128,31 @@ isc_portset_addrange(isc_portset_t *portset, in_port_t port_lo, + } + + void ++isc_portset_addrange_by_range(isc_portset_t *portset, in_port_t port_lo, ++ in_port_t port_hi, in_port_t *no_use_ports) ++{ ++ in_port_t p; ++ int i, flag; ++ REQUIRE(portset != NULL); ++ REQUIRE(port_lo <= port_hi); ++ ++ p = port_lo; ++ do { ++ i = 0; ++ flag = 0; ++ while (no_use_ports[i] != '\0') { ++ if (no_use_ports[i] == p) { ++ flag = 1; ++ break; ++ } ++ i++; ++ } ++ if (flag == 0) ++ portset_add(portset, p); ++ } while (p++ < port_hi); ++} ++ ++void + isc_portset_removerange(isc_portset_t *portset, in_port_t port_lo, + in_port_t port_hi) + { diff --git a/generate-rndc-key.sh b/generate-rndc-key.sh new file mode 100644 index 0000000000000000000000000000000000000000..dde7f7098e0b00c3b76cda45516f0cbc23f8382b --- /dev/null +++ b/generate-rndc-key.sh 
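Review bot: In dns_dispatchmgr_create the first call `create_portset_by_range(mctx, &v4portset, port_lo, port_hi, no_use_ports);` discards its return value, so `result` still holds ISC_R_SUCCESS from parse_config and a failed v4 portset creation falls through to dns_dispatchmgr_setavailports with a NULL v4portset; it should be `result = create_portset_by_range(mctx, &v4portset, port_lo, port_hi, no_use_ports);`. In parse_config the range check runs after the values were narrowed to in_port_t, so `*port_hi > 65535` can never be true and a value such as 66560 wraps to 1024 and passes; validate the parsed ints instead: `if (ports[0] < 1024 || ports[1] > 65535 || ports[0] > ports[1])`. parse_port_config computes the strncpy length as `end - start - 1`, which is negative when the keyword ends the line without a trailing newline and becomes a huge size_t, so strncpy pads `string[256]` well past its end; clamp the copy length to sizeof(string) - 1 and reject non-positive lengths. Together with the assignment-in-condition `if (str = strstr(buffer, sub_buf))` and convert_num accumulating into an int with no overflow check, a malformed /etc/dns_port.conf can take named down at startup instead of being rejected with ISC_R_INVALIDFILE.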
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+. /etc/rc.d/init.d/functions
+
+# This script generates /etc/rndc.key if doesn't exist AND if there is no rndc.conf
+
+if [ ! -s /etc/rndc.key -a ! -s /etc/rndc.conf ]; then
+ echo -n $"Generating /etc/rndc.key:"
+ if /usr/sbin/rndc-confgen -a -A hmac-sha256 -r /dev/urandom > /dev/null 2>&1
+ then
+ chmod 640 /etc/rndc.key
+ chown root:named /etc/rndc.key
+ [ -x /sbin/restorecon ] && /sbin/restorecon /etc/rndc.key
+ success $"/etc/rndc.key generation"
+ echo
+ else
+ failure $"/etc/rndc.key generation"
+ echo
+ fi
+fi
diff --git a/ldap2zone.1 b/ldap2zone.1
new file mode 100644
index 0000000000000000000000000000000000000000..a48c69f60a9f2762b09136628605d1385240febb
--- /dev/null
+++ b/ldap2zone.1
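Review bot: The key file is written by rndc-confgen first and only afterwards tightened with `chmod 640` / `chown root:named`, so unless rndc-confgen itself creates the file with a restrictive mode (which this script does not rely on), there is a window where /etc/rndc.key has the caller's umask-derived permissions, and a failure of rndc-confgen leaves any partial output at that mode. Adding `umask 077` before the `if /usr/sbin/rndc-confgen ...` line closes that window independently of how the tool creates the file. The `-a` inside `[ ... ]` is the obsolescent test form; `if [ ! -s /etc/rndc.key ] && [ ! -s /etc/rndc.conf ]; then` is the portable spelling.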
@@ -0,0 +1,41 @@ +.\" Copyright (C) 2004, 2005 Stig Venaas +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" Manpage written by Jan Gorig +.TH ldap2zone 1 "15 March 2010" "BIND9" +.SH NAME +ldap2zone - Creates zone file from LDAP dnszone information +.SH SYNOPSIS +.B ldap2zone zone-name LDAP-URL default-ttl [serial] +.SH DESCRIPTION +ldap2zone is a tool that reads info for a zone from LDAP and constructs a standard plain ascii zone file that is written to the standard output. The LDAP information has to be stored using the dnszone schema. The schema is used by BIND with LDAP back-end. + +\fBzone-name\fR +.RS 4 +Name of the zone, eg "mydomain.net." +.RE +.PP +\fBLDAP-URL\fR +.RS 4 +LDAP URL to dnszone information +.RE +.PP +\fBdefault-ttl\fR +.RS 4 +Default TTL value to be used in zone +.RE +.PP +\fBserial\fR +.RS 4 +(optional) Program checks this number to be different than SOA serial number. +.RE + +.SH "EXIT STATUS" +Exits with 0 on success or 1 on failure. +.SH "SEE ALSO" +named(8) ldap(3) +http://www.venaas.no/dns/ldap2zone/ +.SH "COPYRIGHT" +Copyright (C) 2004, 2005 Stig Venaas diff --git a/ldap2zone.c b/ldap2zone.c new file mode 100644 index 0000000000000000000000000000000000000000..80e79199df9ff4eabec21cdecc1af2f3c7ff7b78 --- /dev/null +++ b/ldap2zone.c 
@@ -0,0 +1,411 @@ +/* + * Copyright (C) 2004, 2005 Stig Venaas + * $Id: ldap2zone.c,v 1.1 2007/07/24 15:18:00 atkac Exp $ + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + */ + +#define LDAP_DEPRECATED 1 + +#include +#include +#include +#include + +#include + +struct string { + void *data; + size_t len; +}; + +struct assstack_entry { + struct string key; + struct string val; + struct assstack_entry *next; +}; + +struct assstack_entry *assstack_find(struct assstack_entry *stack, struct string *key); +void assstack_push(struct assstack_entry **stack, struct assstack_entry *item); +void assstack_insertbottom(struct assstack_entry **stack, struct assstack_entry *item); +void printsoa(struct string *soa); +void printrrs(char *defaultttl, struct assstack_entry *item); +void print_zone(char *defaultttl, struct assstack_entry *stack); +void usage(char *name); +void err(char *name, const char *msg); +int putrr(struct assstack_entry **stack, struct berval *name, char *type, char *ttl, struct berval *val); + +struct assstack_entry *assstack_find(struct assstack_entry *stack, struct string *key) { + for (; stack; stack = stack->next) + if (stack->key.len == key->len && !memcmp(stack->key.data, key->data, key->len)) + return stack; + return NULL; +} + +void assstack_push(struct assstack_entry **stack, struct assstack_entry *item) { + item->next = *stack; + *stack = item; +} + +void assstack_insertbottom(struct assstack_entry **stack, struct assstack_entry *item) { + struct assstack_entry *p; + + item->next = NULL; + if (!*stack) { + *stack = item; + return; + } + /* find end, should keep track of end somewhere */ + /* really a queue, not a stack */ + p = *stack; + while (p->next) + p = p->next; + p->next = item; +} + +void printsoa(struct string *soa) { + char *s; + size_t i; + + s = (char *)soa->data; + i 
= 0; + while (i < soa->len) { + putchar(s[i]); + if (s[i++] == ' ') + break; + } + while (i < soa->len) { + putchar(s[i]); + if (s[i++] == ' ') + break; + } + printf("(\n\t\t\t\t"); + while (i < soa->len) { + putchar(s[i]); + if (s[i++] == ' ') + break; + } + printf("; Serialnumber\n\t\t\t\t"); + while (i < soa->len) { + if (s[i] == ' ') + break; + putchar(s[i++]); + } + i++; + printf("\t; Refresh\n\t\t\t\t"); + while (i < soa->len) { + if (s[i] == ' ') + break; + putchar(s[i++]); + } + i++; + printf("\t; Retry\n\t\t\t\t"); + while (i < soa->len) { + if (s[i] == ' ') + break; + putchar(s[i++]); + } + i++; + printf("\t; Expire\n\t\t\t\t"); + while (i < soa->len) { + putchar(s[i++]); + } + printf(" )\t; Minimum TTL\n"); +} + +void printrrs(char *defaultttl, struct assstack_entry *item) { + struct assstack_entry *stack; + char *s; + int first; + size_t i; + char *ttl, *type; + int top; + + s = (char *)item->key.data; + + if (item->key.len == 1 && *s == '@') { + top = 1; + printf("@\t"); + } else { + top = 0; + for (i = 0; i < item->key.len; i++) + putchar(s[i]); + if (item->key.len < 8) + putchar('\t'); + putchar('\t'); + } + + first = 1; + for (stack = (struct assstack_entry *) item->val.data; stack; stack = stack->next) { + ttl = (char *)stack->key.data; + s = strchr(ttl, ' '); + *s++ = '\0'; + type = s; + + if (first) + first = 0; + else + printf("\t\t"); + + if (strcmp(defaultttl, ttl)) + printf("%s", ttl); + putchar('\t'); + + if (top) { + top = 0; + printf("IN\t%s\t", type); + /* Should always be SOA here */ + if (!strcmp(type, "SOA")) { + printsoa(&stack->val); + continue; + } + } else + printf("%s\t", type); + + s = (char *)stack->val.data; + for (i = 0; i < stack->val.len; i++) + putchar(s[i]); + putchar('\n'); + } +} + +void print_zone(char *defaultttl, struct assstack_entry *stack) { + printf("$TTL %s\n", defaultttl); + for (; stack; stack = stack->next) + printrrs(defaultttl, stack); +}; + +void usage(char *name) { + fprintf(stderr, "Usage:%s zone-name 
LDAP-URL default-ttl [serial]\n", name); + exit(1); +}; + +void err(char *name, const char *msg) { + fprintf(stderr, "%s: %s\n", name, msg); + exit(1); +}; + +int putrr(struct assstack_entry **stack, struct berval *name, char *type, char *ttl, struct berval *val) { + struct string key; + struct assstack_entry *rr, *rrdata; + + /* Do nothing if name or value have 0 length */ + if (!name->bv_len || !val->bv_len) + return 0; + + /* see if already have an entry for this name */ + key.len = name->bv_len; + key.data = name->bv_val; + + rr = assstack_find(*stack, &key); + if (!rr) { + /* Not found, create and push new entry */ + rr = (struct assstack_entry *) malloc(sizeof(struct assstack_entry)); + if (!rr) + return -1; + rr->key.len = name->bv_len; + rr->key.data = (void *) malloc(rr->key.len); + if (!rr->key.data) { + free(rr); + return -1; + } + memcpy(rr->key.data, name->bv_val, name->bv_len); + rr->val.len = sizeof(void *); + rr->val.data = NULL; + if (name->bv_len == 1 && *(char *)name->bv_val == '@') + assstack_push(stack, rr); + else + assstack_insertbottom(stack, rr); + } + + rrdata = (struct assstack_entry *) malloc(sizeof(struct assstack_entry)); + if (!rrdata) { + free(rr->key.data); + free(rr); + return -1; + } + rrdata->key.len = strlen(type) + strlen(ttl) + 1; + rrdata->key.data = (void *) malloc(rrdata->key.len); + if (!rrdata->key.data) { + free(rrdata); + free(rr->key.data); + free(rr); + return -1; + } + sprintf((char *)rrdata->key.data, "%s %s", ttl, type); + + rrdata->val.len = val->bv_len; + rrdata->val.data = (void *) malloc(val->bv_len); + if (!rrdata->val.data) { + free(rrdata->key.data); + free(rrdata); + free(rr->key.data); + free(rr); + return -1; + } + memcpy(rrdata->val.data, val->bv_val, val->bv_len); + + if (!strcmp(type, "SOA")) + assstack_push((struct assstack_entry **) &(rr->val.data), rrdata); + else + assstack_insertbottom((struct assstack_entry **) &(rr->val.data), rrdata); + return 0; +} + +int main(int argc, char **argv) { + char 
*s, *hostporturl, *base = NULL; + char *ttl, *defaultttl; + LDAP *ld; + char *fltr = NULL; + LDAPMessage *res, *e; + char *a, **ttlvals, **soavals, *serial; + struct berval **vals, **names; + char type[64]; + BerElement *ptr; + int i, j, rc, msgid; + struct assstack_entry *zone = NULL; + + if (argc < 4 || argc > 5) + usage(argv[0]); + + hostporturl = argv[2]; + + if (hostporturl != strstr( hostporturl, "ldap")) + err(argv[0], "Not an LDAP URL"); + + s = strchr(hostporturl, ':'); + + if (!s || strlen(s) < 3 || s[1] != '/' || s[2] != '/') + err(argv[0], "Not an LDAP URL"); + + s = strchr(s+3, '/'); + if (s) { + *s++ = '\0'; + base = s; + s = strchr(base, '?'); + if (s) + err(argv[0], "LDAP URL can only contain host, port and base"); + } + + defaultttl = argv[3]; + + rc = ldap_initialize(&ld, hostporturl); + if (rc != LDAP_SUCCESS) + err(argv[0], "ldap_initialize() failed"); + + if (argc == 5) { + /* serial number specified, check if different from one in SOA */ + fltr = (char *)malloc(strlen(argv[1]) + strlen("(&(relativeDomainName=@)(zoneName=))") + 1); + sprintf(fltr, "(&(relativeDomainName=@)(zoneName=%s))", argv[1]); + msgid = ldap_search(ld, base, LDAP_SCOPE_SUBTREE, fltr, NULL, 0); + if (msgid == -1) + err(argv[0], "ldap_search() failed"); + + while ((rc = ldap_result(ld, msgid, 0, NULL, &res)) != LDAP_RES_SEARCH_RESULT ) { + /* not supporting continuation references at present */ + if (rc != LDAP_RES_SEARCH_ENTRY) + err(argv[0], "ldap_result() returned cont.ref? 
Exiting"); + + /* only one entry per result message */ + e = ldap_first_entry(ld, res); + if (e == NULL) { + ldap_msgfree(res); + err(argv[0], "ldap_first_entry() failed"); + } + + soavals = ldap_get_values(ld, e, "SOARecord"); + if (soavals) + break; + } + + ldap_msgfree(res); + if (!soavals) { + err(argv[0], "No SOA Record found"); + } + + /* We have a SOA, compare serial numbers */ + /* Only checkinf first value, should be only one */ + s = strchr(soavals[0], ' '); + s++; + s = strchr(s, ' '); + s++; + serial = s; + s = strchr(s, ' '); + *s = '\0'; + if (!strcmp(serial, argv[4])) { + ldap_value_free(soavals); + err(argv[0], "serial numbers match"); + } + ldap_value_free(soavals); + } + + if (!fltr) + fltr = (char *)malloc(strlen(argv[1]) + strlen("(zoneName=)") + 1); + if (!fltr) + err(argv[0], "Malloc failed"); + sprintf(fltr, "(zoneName=%s)", argv[1]); + + msgid = ldap_search(ld, base, LDAP_SCOPE_SUBTREE, fltr, NULL, 0); + if (msgid == -1) + err(argv[0], "ldap_search() failed"); + + while ((rc = ldap_result(ld, msgid, 0, NULL, &res)) != LDAP_RES_SEARCH_RESULT ) { + /* not supporting continuation references at present */ + if (rc != LDAP_RES_SEARCH_ENTRY) + err(argv[0], "ldap_result() returned cont.ref? Exiting"); + + /* only one entry per result message */ + e = ldap_first_entry(ld, res); + if (e == NULL) { + ldap_msgfree(res); + err(argv[0], "ldap_first_entry() failed"); + } + + names = ldap_get_values_len(ld, e, "relativeDomainName"); + if (!names) + continue; + + ttlvals = ldap_get_values(ld, e, "dNSTTL"); + ttl = ttlvals ? 
ttlvals[0] : defaultttl; + + for (a = ldap_first_attribute(ld, e, &ptr); a != NULL; a = ldap_next_attribute(ld, e, ptr)) { + char *s; + + for (s = a; *s; s++) + *s = toupper(*s); + s = strstr(a, "RECORD"); + if ((s == NULL) || (s == a) || (s - a >= (signed int)sizeof(type))) { + ldap_memfree(a); + continue; + } + + strncpy(type, a, s - a); + type[s - a] = '\0'; + vals = ldap_get_values_len(ld, e, a); + if (vals) { + for (i = 0; vals[i]; i++) + for (j = 0; names[j]; j++) + if (putrr(&zone, names[j], type, ttl, vals[i])) + err(argv[0], "malloc failed"); + ldap_value_free_len(vals); + } + ldap_memfree(a); + } + + if (ptr) + ber_free(ptr, 0); + if (ttlvals) + ldap_value_free(ttlvals); + ldap_value_free_len(names); + /* free this result */ + ldap_msgfree(res); + } + + /* free final result */ + ldap_msgfree(res); + + print_zone(defaultttl, zone); + return 0; +} diff --git a/named-chroot-setup.service b/named-chroot-setup.service new file mode 100644 index 0000000000000000000000000000000000000000..237a909299b5648a8aa458e959c6d1d0210e890b --- /dev/null +++ b/named-chroot-setup.service @@ -0,0 +1,12 @@ +[Unit] +Description=Set-up/destroy chroot environment for named (DNS) +BindsTo=named-chroot.service +Wants=named-setup-rndc.service +After=named-setup-rndc.service + + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/usr/libexec/setup-named-chroot.sh /var/named/chroot on /etc/named-chroot.files +ExecStop=/usr/libexec/setup-named-chroot.sh /var/named/chroot off /etc/named-chroot.files diff --git a/named-chroot.files b/named-chroot.files new file mode 100644 index 0000000000000000000000000000000000000000..b38cbe68dd5cae77fb0326cc2c5226fb35b4c811 --- /dev/null +++ b/named-chroot.files 
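Review bot: In main(), the SOA serial check walks soavals[0] with three chained strchr() calls and dereferences each result without a NULL test, so an SOARecord value with fewer than three space-separated fields (that value comes from the directory, not from the local operator) crashes the tool; soavals itself is declared without an initializer, so if the first ldap_result() already returns LDAP_RES_SEARCH_RESULT the `if (!soavals)` test reads an uninitialized pointer. The rewrite below initialises soavals at declaration and validates each separator before using it, reusing the existing `ldap_value_free(soavals); err(...)` exit pattern. Separately, both search filters are built with sprintf() from argv[1] unescaped, so a zone name containing `(`, `)`, `*` or `\` changes the filter's meaning (RFC 4515 escaping before formatting would be worthwhile), and the malloc() in the `argc == 5` branch is written to before the `if (!fltr)` check, which only guards the second allocation. main() begins and ends inside this hunk.
```c
char *a, **ttlvals, **soavals = NULL, *serial;
/* … unchanged: URL parsing, ldap_initialize(), first search loop … */
        ldap_msgfree(res);
        if (!soavals)
            err(argv[0], "No SOA Record found");

        /* SOA rdata is "mname rname serial refresh retry expire minimum";
         * refuse to walk past the end of a value with too few fields. */
        s = strchr(soavals[0], ' ');
        if (s)
            s = strchr(s + 1, ' ');
        if (!s) {
            ldap_value_free(soavals);
            err(argv[0], "Malformed SOA Record");
        }
        serial = s + 1;
        s = strchr(serial, ' ');
        if (!s) {
            ldap_value_free(soavals);
            err(argv[0], "Malformed SOA Record");
        }
        *s = '\0';
        /* … unchanged: serial comparison and ldap_value_free() … */
```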
@@ -0,0 +1,23 @@
+# Configuration of files used in chroot
+# Following files are made available after named-chroot.service start
+# if they are missing or empty in target directory.
+/etc/localtime
+/etc/named.root.key
+/etc/named.conf
+/etc/named.rfc1912.zones
+/etc/rndc.conf
+/etc/rndc.key
+/etc/named.iscdlv.key
+/etc/crypto-policies/back-ends/bind.config
+/etc/protocols
+/etc/services
+/etc/named.dnssec.keys
+/etc/pki/dnssec-keys
+/etc/named
+/usr/lib64/bind
+/usr/lib/bind
+/run/named
+# Warning: the order is important
+# If a directory containing $ROOTDIR is listed here,
+# it MUST be listed last. (/var/named contains /var/named/chroot)
+/var/named
diff --git a/named-chroot.service b/named-chroot.service
new file mode 100644
index 0000000000000000000000000000000000000000..5732b1c6fc2eaf50130afeb5fc1f5355ba3529c6
--- /dev/null
+++ b/named-chroot.service
@@ -0,0 +1,30 @@
+# Don't forget to add "$AddUnixListenSocket /var/named/chroot/dev/log"
+# line to your /etc/rsyslog.conf file. Otherwise your logging becomes
+# broken when rsyslogd daemon is restarted (due update, for example).
+
+[Unit]
+Description=Berkeley Internet Name Domain (DNS)
+Wants=nss-lookup.target
+Requires=named-chroot-setup.service
+Before=nss-lookup.target
+After=named-chroot-setup.service
+After=network.target
+
+[Service]
+Type=forking
+Environment=NAMEDCONF=/etc/named.conf
+EnvironmentFile=-/etc/sysconfig/named
+Environment=KRB5_KTNAME=/etc/named.keytab
+PIDFile=/var/named/chroot/run/named/named.pid
+
+ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
+ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} -t /var/named/chroot $OPTIONS
+
+ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'
+
+ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
+
+PrivateTmp=false
+
+[Install]
+WantedBy=multi-user.target
diff --git a/named-pkcs11.service b/named-pkcs11.service
new file mode 100644
index 0000000000000000000000000000000000000000..c1a19d1aaa2e1451e13e71ca7f42ebe604baf6a4
--- /dev/null
+++ b/named-pkcs11.service
@@ -0,0 +1,26 @@
+[Unit]
+Description=Berkeley Internet Name Domain (DNS) with native PKCS#11
+Wants=nss-lookup.target
+Wants=named-setup-rndc.service
+Before=nss-lookup.target
+After=network.target
+After=named-setup-rndc.service
+
+[Service]
+Type=forking
+Environment=NAMEDCONF=/etc/named.conf
+EnvironmentFile=-/etc/sysconfig/named
+Environment=KRB5_KTNAME=/etc/named.keytab
+PIDFile=/run/named/named.pid
+
+ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
+ExecStart=/usr/sbin/named-pkcs11 -u named -c ${NAMEDCONF} $OPTIONS
+
+ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'
+
+ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
+
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/named-sdb-chroot-setup.service b/named-sdb-chroot-setup.service
new file mode 100644
index 0000000000000000000000000000000000000000..5a3e173c60476af8e495879c47eeec31aa0d3d92
--- /dev/null
+++ b/named-sdb-chroot-setup.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Set-up/destroy chroot environment for named-sdb
+BindsTo=named-sdb-chroot.service
+Wants=named-setup-rndc.service
+After=named-setup-rndc.service
+
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/libexec/setup-named-chroot.sh /var/named/chroot_sdb on /etc/named-chroot.files
+ExecStop=/usr/libexec/setup-named-chroot.sh /var/named/chroot_sdb off /etc/named-chroot.files
diff --git a/named-sdb-chroot.service b/named-sdb-chroot.service
new file mode 100644
index 0000000000000000000000000000000000000000..5294f4767195c8dd864eac2be131931aa169b1db
--- /dev/null
+++ b/named-sdb-chroot.service
@@ -0,0 +1,30 @@
+# Don't forget to add "$AddUnixListenSocket /var/named/chroot_sdb/dev/log"
+# line to your /etc/rsyslog.conf file. Otherwise your logging becomes
+# broken when rsyslogd daemon is restarted (due update, for example).
+
+[Unit]
+Description=Berkeley Internet Name Domain (DNS)
+Wants=nss-lookup.target
+Requires=named-sdb-chroot-setup.service
+Before=nss-lookup.target
+After=named-sdb-chroot-setup.service
+After=network.target
+
+[Service]
+Type=forking
+Environment=NAMEDCONF=/etc/named.conf
+EnvironmentFile=-/etc/sysconfig/named
+Environment=KRB5_KTNAME=/etc/named.keytab
+PIDFile=/var/named/chroot_sdb/run/named/named.pid
+
+ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot_sdb -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
+ExecStart=/usr/sbin/named-sdb -u named -c ${NAMEDCONF} -t /var/named/chroot_sdb $OPTIONS
+
+ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'
+
+ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
+
+PrivateTmp=false
+
+[Install]
+WantedBy=multi-user.target
diff --git a/named-sdb.8 b/named-sdb.8
new file mode 100644
index 0000000000000000000000000000000000000000..1e456c31aeebfba999fd97b6586a24292c35dd45
--- /dev/null
+++ b/named-sdb.8
@@ -0,0 +1 @@
+.so man8/named.8.gz
\ No newline at end of file
diff --git a/named-sdb.service b/named-sdb.service
new file mode 100644
index 0000000000000000000000000000000000000000..b80ec172927514b453b41877f3f1c4a7bb47a47c
--- /dev/null
+++ b/named-sdb.service
@@ -0,0 +1,26 @@
+[Unit]
+Description=Berkeley Internet Name Domain (DNS)
+Wants=nss-lookup.target
+Wants=named-setup-rndc.service
+Before=nss-lookup.target
+After=named-setup-rndc.service
+After=network.target
+
+[Service]
+Type=forking
+Environment=NAMEDCONF=/etc/named.conf
+EnvironmentFile=-/etc/sysconfig/named
+Environment=KRB5_KTNAME=/etc/named.keytab
+PIDFile=/run/named/named.pid
+
+ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
+ExecStart=/usr/sbin/named-sdb -u named -c ${NAMEDCONF} $OPTIONS
+
+ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'
+
+ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
+
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/named-setup-rndc.service b/named-setup-rndc.service
new file mode 100644
index 0000000000000000000000000000000000000000..ff85e3c745634227df913d775f14d075d3c9730a
--- /dev/null
+++ b/named-setup-rndc.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=Generate rndc key for BIND (DNS)
+
+[Service]
+Type=oneshot
+
+ExecStart=/usr/libexec/generate-rndc-key.sh
diff --git a/named.conf b/named.conf
new file mode 100644
index 0000000000000000000000000000000000000000..1dc9d1590736f3c3415a802a7c4bf1b616801833
--- /dev/null
+++ b/named.conf
@@ -0,0 +1,59 @@
+//
+// named.conf
+//
+// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
+// server as a caching only nameserver (as a localhost DNS resolver only).
+//
+// See /usr/share/doc/bind*/sample/ for example named configuration files.
+//
+
+options {
+ listen-on port 53 { 127.0.0.1; };
+ listen-on-v6 port 53 { ::1; };
+ directory "/var/named";
+ dump-file "/var/named/data/cache_dump.db";
+ statistics-file "/var/named/data/named_stats.txt";
+ memstatistics-file "/var/named/data/named_mem_stats.txt";
+ secroots-file "/var/named/data/named.secroots";
+ recursing-file "/var/named/data/named.recursing";
+ allow-query { localhost; };
+
+ /*
+ - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
+ - If you are building a RECURSIVE (caching) DNS server, you need to enable
+ recursion.
+ - If your recursive DNS server has a public IP address, you MUST enable access
+ control to limit queries to your legitimate users. Failing to do so will
+ cause your server to become part of large scale DNS amplification
+ attacks. Implementing BCP38 within your network would greatly
+ reduce such attack surface
+ */
+ recursion yes;
+
+ dnssec-enable yes;
+ dnssec-validation yes;
+
+ managed-keys-directory "/var/named/dynamic";
+
+ pid-file "/run/named/named.pid";
+ session-keyfile "/run/named/session.key";
+
+ /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
+ include "/etc/crypto-policies/back-ends/bind.config";
+};
+
+logging {
+ channel default_debug {
+ file "data/named.run";
+ severity dynamic;
+ };
+};
+
+zone "." IN {
+ type hint;
+ file "named.ca";
+};
+
+include "/etc/named.rfc1912.zones";
+include "/etc/named.root.key";
+
diff --git a/named.conf.sample b/named.conf.sample
new file mode 100644
index 0000000000000000000000000000000000000000..a6cdc5efe6297e12685a0d280fd22770792a8546
--- /dev/null
+++ b/named.conf.sample
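Review bot: `dnssec-validation yes;` in the options block validates only against whatever trust anchor the trailing `include "/etc/named.root.key";` supplies, so a stale or empty key file silently leaves the resolver with nothing to validate against; `dnssec-validation auto;` uses the compiled-in root anchor and tracks rollovers through the `managed-keys-directory` already configured two lines below, which is the more robust default for a caching resolver. `dnssec-enable yes;` is deprecated in later 9.x releases and can be dropped once the packaged BIND no longer needs it, though I cannot tell from this diff which version the package targets. The surrounding comment block explaining when recursion is safe is good; it would be worth one sentence stating that the `listen-on`/`allow-query { localhost; }` pair is what keeps this default safe, so an admin who widens `listen-on` knows to revisit `allow-query` at the same time.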
@@ -0,0 +1,252 @@ +/* + Sample named.conf BIND DNS server 'named' configuration file + for the Red Hat BIND distribution. + + See the BIND Administrator's Reference Manual (ARM) for details, in: + file:///usr/share/doc/bind-{version}/arm/Bv9ARM.html + Also see the BIND Configuration GUI : /usr/bin/system-config-bind and + its manual. +*/ + +options +{ + // Put files that named is allowed to write in the data/ directory: + directory "/var/named"; // "Working" directory + dump-file "data/cache_dump.db"; + statistics-file "data/named_stats.txt"; + memstatistics-file "data/named_mem_stats.txt"; + secroots-file "data/named.secroots"; + recursing-file "data/named.recursing"; + + + /* + Specify listenning interfaces. You can use list of addresses (';' is + delimiter) or keywords "any"/"none" + */ + //listen-on port 53 { any; }; + listen-on port 53 { 127.0.0.1; }; + + //listen-on-v6 port 53 { any; }; + listen-on-v6 port 53 { ::1; }; + + /* + Access restrictions + + There are two important options: + allow-query { argument; }; + - allow queries for authoritative data + + allow-query-cache { argument; }; + - allow queries for non-authoritative data (mostly cached data) + + You can use address, network address or keywords "any"/"localhost"/"none" as argument + Examples: + allow-query { localhost; 10.0.0.1; 192.168.1.0/8; }; + allow-query-cache { ::1; fe80::5c63:a8ff:fe2f:4526; 10.0.0.1; }; + */ + + allow-query { localhost; }; + allow-query-cache { localhost; }; + + /* Enable/disable recursion - recursion yes/no; + + - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion. + - If you are building a RECURSIVE (caching) DNS server, you need to enable + recursion. + - If your recursive DNS server has a public IP address, you MUST enable access + control to limit queries to your legitimate users. Failing to do so will + cause your server to become part of large scale DNS amplification + attacks. 
Implementing BCP38 within your network would greatly + reduce such attack surface + */ + recursion yes; + + /* DNSSEC related options. See information about keys ("Trusted keys", bellow) */ + + /* Enable serving of DNSSEC related data - enable on both authoritative + and recursive servers DNSSEC aware servers */ + dnssec-enable yes; + + /* Enable DNSSEC validation on recursive servers */ + dnssec-validation yes; + + /* In Fedora we use /run/named instead of default /var/run/named + so we have to configure paths properly. */ + pid-file "/run/named/named.pid"; + session-keyfile "/run/named/session.key"; + + managed-keys-directory "/var/named/dynamic"; + + /* In Fedora we use system-wide Crypto Policy */ + /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */ + include "/etc/crypto-policies/back-ends/bind.config"; +}; + +logging +{ +/* If you want to enable debugging, eg. using the 'rndc trace' command, + * named will try to write the 'named.run' file in the $directory (/var/named). + * By default, SELinux policy does not allow named to modify the /var/named directory, + * so put the default debug log file in data/ : + */ + channel default_debug { + file "data/named.run"; + severity dynamic; + }; +}; + +/* + Views let a name server answer a DNS query differently depending on who is asking. + + By default, if named.conf contains no "view" clauses, all zones are in the + "default" view, which matches all clients. + + Views are processed sequentially. The first match is used so the last view should + match "any" - it's fallback and the most restricted view. + + If named.conf contains any "view" clause, then all zones MUST be in a view. +*/ + +view "localhost_resolver" +{ +/* This view sets up named to be a localhost resolver ( caching only nameserver ). + * If all you want is a caching-only nameserver, then you need only define this view: + */ + match-clients { localhost; }; + recursion yes; + + # all views must contain the root hints zone: + zone "." 
IN { + type hint; + file "/var/named/named.ca"; + }; + + /* these are zones that contain definitions for all the localhost + * names and addresses, as recommended in RFC1912 - these names should + * not leak to the other nameservers: + */ + include "/etc/named.rfc1912.zones"; +}; +view "internal" +{ +/* This view will contain zones you want to serve only to "internal" clients + that connect via your directly attached LAN interfaces - "localnets" . + */ + match-clients { localnets; }; + recursion yes; + + zone "." IN { + type hint; + file "/var/named/named.ca"; + }; + + /* these are zones that contain definitions for all the localhost + * names and addresses, as recommended in RFC1912 - these names should + * not leak to the other nameservers: + */ + include "/etc/named.rfc1912.zones"; + + // These are your "authoritative" internal zones, and would probably + // also be included in the "localhost_resolver" view above : + + /* + NOTE for dynamic DNS zones and secondary zones: + + DO NOT USE SAME FILES IN MULTIPLE VIEWS! + + If you are using views and DDNS/secondary zones it is strongly + recommended to read FAQ on ISC site (www.isc.org), section + "Configuration and Setup Questions", questions + "How do I share a dynamic zone between multiple views?" and + "How can I make a server a slave for both an internal and an external + view at the same time?" 
+ */ + + zone "my.internal.zone" { + type master; + file "my.internal.zone.db"; + }; + zone "my.slave.internal.zone" { + type slave; + file "slaves/my.slave.internal.zone.db"; + masters { /* put master nameserver IPs here */ 127.0.0.1; } ; + // put slave zones in the slaves/ directory so named can update them + }; + zone "my.ddns.internal.zone" { + type master; + allow-update { key ddns_key; }; + file "dynamic/my.ddns.internal.zone.db"; + // put dynamically updateable zones in the slaves/ directory so named can update them + }; +}; + +key ddns_key +{ + algorithm hmac-md5; + secret "use /usr/sbin/dnssec-keygen to generate TSIG keys"; +}; + +view "external" +{ +/* This view will contain zones you want to serve only to "external" clients + * that have addresses that are not match any above view: + */ + match-clients { any; }; + + zone "." IN { + type hint; + file "/var/named/named.ca"; + }; + + recursion no; + // you'd probably want to deny recursion to external clients, so you don't + // end up providing free DNS service to all takers + + // These are your "authoritative" external zones, and would probably + // contain entries for just your web and mail servers: + + zone "my.external.zone" { + type master; + file "my.external.zone.db"; + }; +}; + +/* Trusted keys + + This statement contains DNSSEC keys. If you want DNSSEC aware resolver you + have to configure at least one trusted key. + + Note that no key written below is valid. Especially root key because root zone + is not signed yet. +*/ +/* +trusted-keys { +// Root Key +"." 
257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwSJxrGkxJWoZu6I7PzJu/ + E9gx4UC1zGAHlXKdE4zYIpRhaBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3 + zy2Xy4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYghf+6fElrmLkdaz + MQ2OCnACR817DF4BBa7UR/beDHyp5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M + /lUUVRbkeg1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq66gKodQj+M + iA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ97S+LKUTpQcq27R7AT3/V5hRQxScI + Nqwcz4jYqZD2fQdgxbcDTClU0CRBdiieyLMNzXG3"; + +// Key for forward zone +example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM65KbhTjrW1ZaARmPhEZZe + 3Y9ifgEuq7vZ/zGZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb4JKUbb + OTcM8pwXlj0EiX3oDFVmjHO444gLkBO UKUf/mC7HvfwYH/Be22GnC + lrinKJp1Og4ywzO9WglMk7jbfW33gUKvirTHr25GL7STQUzBb5Usxt + 8lgnyTUHs1t3JwCY5hKZ6CqFxmAVZP20igTixin/1LcrgX/KMEGd/b + iuvF4qJCyduieHukuY3H4XMAcR+xia2 nIUPvm/oyWR8BW/hWdzOvn + SCThlHf3xiYleDbt/o1OTQ09A0="; + +// Key for reverse zone. +2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwcxOdNax071L18QqZnQQQA + VVr+iLhGTnNGp3HoWQLUIzKrJVZ3zggy3WwNT6kZo6c0 + tszYqbtvchmgQC8CzKojM/W16i6MG/ea fGU3siaOdS0 + yOI6BgPsw+YZdzlYMaIJGf4M4dyoKIhzdZyQ2bYQrjyQ + 4LB0lC7aOnsMyYKHHYeRv PxjIQXmdqgOJGq+vsevG06 + zW+1xgYJh9rCIfnm1GX/KMgxLPG2vXTD/RnLX+D3T3UL + 7HJYHJhAZD5L59VvjSPsZJHeDCUyWYrvPZesZDIRvhDD + 52SKvbheeTJUm6EhkzytNN2SN96QRk8j/iI8ib"; +}; +*/ diff --git a/named.logrotate b/named.logrotate new file mode 100644 index 0000000000000000000000000000000000000000..5df448f80a7be6f705a3a5b26acc352ed54a443f --- /dev/null +++ b/named.logrotate @@ -0,0 +1,12 @@ +/var/named/data/named.run { + missingok + su named named + create 0644 named named + postrotate + /usr/bin/systemctl reload named.service > /dev/null 2>&1 || true + /usr/bin/systemctl reload named-chroot.service > /dev/null 2>&1 || true + /usr/bin/systemctl reload named-sdb.service > /dev/null 2>&1 || true + /usr/bin/systemctl reload named-sdb-chroot.service > /dev/null 2>&1 || true + /usr/bin/systemctl reload named-pkcs11.service > /dev/null 2>&1 || true + endscript +} 
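Review bot: The sample `key ddns_key` stanza uses `algorithm hmac-md5;` while generate-rndc-key.sh in this same commit generates rndc keys with hmac-sha256; HMAC-MD5 is the weakest TSIG algorithm BIND accepts and sample configs tend to be copied verbatim, so the example should read `algorithm hmac-sha256;` so that dynamic-update keys and rndc keys are shown with the same algorithm. The commented-out trusted-keys block says the root zone "is not signed yet", which has been untrue since the root was signed in 2010, and the placeholder keys beneath it are presented as real-looking key material; a shorter comment pointing at `dnssec-validation auto` and the managed-keys mechanism already used in named.conf would age better and avoid someone pasting the placeholder keys into production.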
diff --git a/named.rwtab b/named.rwtab
new file mode 100644
index 0000000000000000000000000000000000000000..2cb3a41807f7e97dc018c50745cbe4d18b1509f2
--- /dev/null
+++ b/named.rwtab
@@ -0,0 +1,6 @@
+dirs /var/named
+
+files /var/named/named.ca
+files /var/named/named.empty
+files /var/named/named.localhost
+files /var/named/named.loopback
diff --git a/named.service b/named.service
new file mode 100644
index 0000000000000000000000000000000000000000..6a162ad15e28c2b3510907eb23d22682408a084b
--- /dev/null
+++ b/named.service
@@ -0,0 +1,26 @@
+[Unit]
+Description=Berkeley Internet Name Domain (DNS)
+Wants=nss-lookup.target
+Wants=named-setup-rndc.service
+Before=nss-lookup.target
+After=named-setup-rndc.service
+After=network.target
+
+[Service]
+Type=forking
+Environment=NAMEDCONF=/etc/named.conf
+EnvironmentFile=-/etc/sysconfig/named
+Environment=KRB5_KTNAME=/etc/named.keytab
+PIDFile=/run/named/named.pid
+
+ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
+ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS
+
+ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'
+
+ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
+
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/named.sysconfig b/named.sysconfig
new file mode 100644
index 0000000000000000000000000000000000000000..5f6f81769fcac7b3ac6eb13fb3b5022c312007e1
--- /dev/null
+++ b/named.sysconfig
@@ -0,0 +1,17 @@
+# BIND named process options
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# OPTIONS="whatever" -- These additional options will be passed to named
+# at startup. Don't add -t here, enable proper
+# -chroot.service unit file.
+#
+# NAMEDCONF=/etc/named/alternate.conf
+# -- Don't use -c to change configuration file.
+# Extend systemd named.service instead or use this
+# variable.
+#
+# DISABLE_ZONE_CHECKING -- By default, service file calls named-checkzone
+# utility for every zone to ensure all zones are
+# valid before named starts. If you set this option
+# to 'yes' then service file doesn't perform those
+# checks.
diff --git a/random.data b/random.data
new file mode 100644
index 0000000000000000000000000000000000000000..354add021c50385a89450e5babe1977007bb3352
Binary files /dev/null and b/random.data differ
diff --git a/setup-named-chroot.sh b/setup-named-chroot.sh
new file mode 100644
index 0000000000000000000000000000000000000000..5e68915266c6e081e04893dad9a3f9f5c9846525
--- /dev/null
+++ b/setup-named-chroot.sh
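Review bot: The DISABLE_ZONE_CHECKING paragraph says the service file calls the named-checkzone utility for every zone, but every unit added in this commit runs `/usr/sbin/named-checkconf -z "$NAMEDCONF"` in ExecStartPre; the comment should name that command so an admin debugging a failed start looks at the right tool. The NAMEDCONF paragraph could also say that the chroot units pass `-t /var/named/chroot` (or `chroot_sdb`) together with `-c`, so for those services the path given here is resolved inside the chroot rather than on the host filesystem.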
@@ -0,0 +1,117 @@
+#!/bin/bash
+
+ROOTDIR="$1"
+CONFIG_FILES="${3:-/etc/named-chroot.files}"
+
+usage()
+{
+ echo
+ echo 'This script setups chroot environment for BIND'
+ echo 'Usage: setup-named-chroot.sh ROOTDIR [chroot.files]'
+}
+
+if ! [ "$#" -ge 2 -a "$#" -le 3 ]; then
+ echo 'Wrong number of arguments'
+ usage
+ exit 1
+fi
+
+# Exit if ROOTDIR doesn't exist
+if ! [ -d "$ROOTDIR" ]; then
+ echo "Root directory $ROOTDIR doesn't exist"
+ usage
+ exit 1
+fi
+
+if ! [ -r "$CONFIG_FILES" ]; then
+ echo "Files list $CONFIG_FILES doesn't exist" 2>&1
+ usage
+ exit 1
+fi
+
+dev_create()
+{
+ DEVNAME="$ROOTDIR/dev/$1"
+ shift
+ if ! [ -e "$DEVNAME" ]; then
+ /bin/mknod -m 0664 "$DEVNAME" $@
+ /bin/chgrp named "$DEVNAME"
+ if [ -x /usr/sbin/selinuxenabled -a -x /sbin/restorecon ]; then
+ /usr/sbin/selinuxenabled && /sbin/restorecon "$DEVNAME" > /dev/null || :
+ fi
+ fi
+}
+
+dev_chroot_prep()
+{
+ dev_create random c 1 8
+ dev_create urandom c 1 9
+ dev_create zero c 1 5
+ dev_create null c 1 3
+}
+
+files_comment_filter()
+{
+ if [ -d "$1" ]; then
+ grep -v '^[[:space:]]*#' "$1"/*.files
+ else
+ grep -v '^[[:space:]]*#' "$1"
+ fi
+}
+
+mount_chroot_conf()
+{
+ if [ -n "$ROOTDIR" ]; then
+ # Check devices are prepared
+ dev_chroot_prep
+ files_comment_filter "$CONFIG_FILES" | while read -r all; do
+ # Skip nonexistant files
+ [ -e "$all" ] || continue
+
+ # If mount source is a file
+ if ! [ -d "$all" ]; then
+ # mount it only if it is not present in chroot or it is empty
+ if ! [ -e "$ROOTDIR$all" ] || [ `stat -c'%s' "$ROOTDIR$all"` -eq 0 ]; then
+ touch "$ROOTDIR$all"
+ mount --bind "$all" "$ROOTDIR$all"
+ fi
+ else
+ # Mount source is a directory. Mount it only if directory in chroot is
+ # empty.
+ if [ -e "$all" ] && [ `ls -1A $ROOTDIR$all | wc -l` -eq 0 ]; then
+ mount --bind --make-private "$all" "$ROOTDIR$all"
+ fi
+ fi
+ done
+ fi
+}
+
+umount_chroot_conf()
+{
+ if [ -n "$ROOTDIR" ]; then
+ files_comment_filter "$CONFIG_FILES" | while read -r all; do
+ # Check if file is mount target. Do not use /proc/mounts because detecting
+ # of modified mounted files can fail.
+ if mount | grep -q '.* on '"$ROOTDIR$all"' .*'; then
+ umount "$ROOTDIR$all"
+ # Remove temporary created files
+ [ -f "$all" ] && rm -f "$ROOTDIR$all"
+ fi
+ done
+ fi
+}
+
+case "$2" in
+ on)
+ mount_chroot_conf
+ ;;
+ off)
+ umount_chroot_conf
+ ;;
+ *)
+ echo 'Second argument has to be "on" or "off"'
+ usage
+ exit 1
+esac
+
+exit 0
diff --git a/setup-named-softhsm.sh b/setup-named-softhsm.sh
new file mode 100644
index 0000000000000000000000000000000000000000..7ae0a6de8ff8409b7627ae2c6b1e94be728f2c81
--- /dev/null
+++ b/setup-named-softhsm.sh
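Review bot: The unreadable-config branch writes its error with `2>&1` instead of `>&2`, which merges stderr into stdout rather than sending the message to stderr; it should be `echo "Files list $CONFIG_FILES doesn't exist" >&2`, matching the other error paths' intent. Two expansions are unquoted: `/bin/mknod -m 0664 "$DEVNAME" $@` should use `"$@"`, and the directory emptiness test pipes `ls -1A $ROOTDIR$all` with the path unquoted, so a path containing spaces or glob characters is split or expanded — `[ -z "$(ls -1A -- "$ROOTDIR$all")" ]` is both safer and avoids counting `ls` output. Neither `touch "$ROOTDIR$all"` nor the `mount --bind` calls are checked, so a missing parent directory inside the chroot fails silently while the script still exits 0; a `mkdir -p "$(dirname "$ROOTDIR$all")"` before `touch`, or at least an error message on failure, would surface that. The usage line as rendered mentions only `ROOTDIR [chroot.files]` although `$2` must be `on` or `off`; if that argument was lost to angle-bracket markup in this view it is fine, otherwise it should be added.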
@@ -0,0 +1,55 @@
+#!/bin/sh
+#
+# This script will initialise token storage of softhsm PKCS11 provider
+# in custom location. Is useful to store tokens in non-standard location.
+
+SOFTHSM2_CONF="$1"
+TOKENPATH="$2"
+GROUPNAME="$3"
+# Do not use this script for real keys worth protection
+# This is intended for crypto accelerators using PKCS11 interface.
+# Uninitialized token would fail any crypto operation.
+PIN=1234
+
+set -e
+
+if [ -z "$SOFTHSM2_CONF" -o -z "$TOKENPATH" ]; then
+ echo "Usage: $0 [group]" >&2
+ exit 1
+fi
+
+if ! [ -f "$SOFTHSM2_CONF" ]; then
+cat << SED > "$SOFTHSM2_CONF"
+# SoftHSM v2 configuration file
+
+directories.tokendir = ${TOKENPATH}
+objectstore.backend = file
+
+# ERROR, WARNING, INFO, DEBUG
+log.level = ERROR
+
+# If CKF_REMOVABLE_DEVICE flag should be set
+slots.removable = false
+SED
+else
+ echo "Config file $SOFTHSM2_CONF already exists" >&2
+fi
+
+[ -d "$TOKENPATH" ] || mkdir -p "$TOKENPATH"
+
+export SOFTHSM2_CONF
+
+if softhsm2-util --show-slots | grep 'Initialized:[[:space:]]*yes' > /dev/null
+then
+ echo "Token in ${TOKENPATH} is already initialized" >&2
+else
+ echo "Initializing tokens to ${TOKENPATH}..."
+ softhsm2-util --init-token --free --label rpm --pin $PIN --so-pin $PIN
+
+ if [ -n "$GROUPNAME" ]; then
+ chgrp -R -- "$GROUPNAME" "$TOKENPATH"
+ chmod -R -- g=rX,o= "$TOKENPATH"
+ fi
+fi
+
+echo "export SOFTHSM2_CONF=\"$SOFTHSM2_CONF\""
diff --git a/trusted-key.key b/trusted-key.key
new file mode 100644
index 0000000000000000000000000000000000000000..df2fd0ddbf2bde0973944ad732b4d5487a9746a0
--- /dev/null
+++ b/trusted-key.key
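Review bot: The token directory is only locked down when the optional group is passed — `chmod -R -- g=rX,o= "$TOKENPATH"` sits inside `if [ -n "$GROUPNAME" ]`, so a call without the third argument leaves `mkdir -p "$TOKENPATH"` and the files softhsm2-util creates at the caller's umask, typically world-readable. Adding `umask 077` right after `set -e`, or moving an unconditional `chmod -R -- o= "$TOKENPATH"` out of the group branch, closes that for every invocation. The fixed `PIN=1234` is documented as acceptable only for accelerator tokens; that restriction belongs in the usage message too, since the echoed `export SOFTHSM2_CONF=...` line invites reuse of the script. The usage string as rendered shows only `[group]`; if the two required arguments were dropped as angle-bracket markup in this view it is fine, otherwise they should be restored.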
@@ -0,0 +1,2 @@
+. 3600 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
+. 3600 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
diff --git a/zone2sqlite.1 b/zone2sqlite.1
new file mode 100644
index 0000000000000000000000000000000000000000..689782740f7538cf1b21dffca987de6d549189da
--- /dev/null
+++ b/zone2sqlite.1
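Review bot: A static anchor file cannot follow a root KSK rollover; the first DNSKEY appears to be the 2010 root KSK and the second the 2017 one that replaced it, so any tool configured from this file alone keeps trusting a key the root no longer signs with once the older one is retired, and the packaging needs a documented procedure for refreshing it. Both records should be verified against the IANA root-anchors publication rather than against this copy, and the resolver itself should rely on RFC 5011 tracking (`managed-keys` / `dnssec-validation auto` in named) with this file kept only for tools such as `delv -a` that read a DNSKEY-format anchor. If the consumers of this file accept `;` comments, a comment recording when the anchors were fetched would make staleness visible at a glance.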
@@ -0,0 +1,53 @@
+.\" Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001 Internet Software Consortium.
+.\"
+.\" Permission to use, copy, modify, and/or distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" Manpage written by Jan Gorig
+.TH zone2sqlite 1 "15 March 2010" "BIND9"
+.SH NAME
+zone2sqlite - Load BIND 9 zone file into SQLite database
+.SH SYNOPSIS
+.B zone2sqlite zone zonefile dbfile dbtable
+.SH DESCRIPTION
+zone2sqlite parses DNS zone file and creates database for use with SQLite BIND SDB driver.
+
+\fBzone\fR
+.RS 4
+Zone origin, eg "mydomain.net."
+.RE
+.PP
+\fBzonefile\fR
+.RS 4
+Master zone database file, eg. mydomain.net.zone
+.RE
+.PP
+\fBdbfile\fR
+.RS 4
+Name of SQLite database file
+.RE
+.PP
+\fBdbtable\fR
+.RS 4
+Name of table in database
+.RE
+
+.SH "EXIT STATUS"
+Exits with 0 on success or 1 on failure.
+.SH "SEE ALSO"
+named(8)
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005, 2007\-2009 Internet Systems Consortium, Inc. ("ISC")
+.br
+Copyright \(co 2000, 2001 Internet Software Consortium.
+.br
diff --git a/zonetodb.1 b/zonetodb.1
new file mode 100644
index 0000000000000000000000000000000000000000..897e74fdfd1df26b6d54564df0345e291f0b4a82
--- /dev/null
+++ b/zonetodb.1
@@ -0,0 +1,53 @@
+.\" Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001 Internet Software Consortium.
+.\"
+.\" Permission to use, copy, modify, and/or distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" Manpage written by Jan Gorig
+.TH zonetodb 1 "15 March 2010" "BIND9"
+.SH NAME
+zonetodb - Generate a PostgreSQL table from a zone.
+.SH SYNOPSIS
+.B zonetodb origin file dbname dbtable
+.SH DESCRIPTION
+zonetodb parses DNS zone file and creates table in selected database for use with PostgreSQL BIND SDB driver.
+
+\fBzone\fR
+.RS 4
+Zone origin, eg "pgdb.net."
+.RE
+.PP
+\fBfile\fR
+.RS 4
+Master zone database file, eg. pgdb.net.db
+.RE
+.PP
+\fBdbname\fR
+.RS 4
+Name of PostgreSQL database (database must exist)
+.RE
+.PP
+\fBdbtable\fR
+.RS 4
+Name of table in database
+.RE
+
+.SH "EXIT STATUS"
+Exits with 0 on success or 1 on failure.
+.SH "SEE ALSO"
+named(8)
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005, 2007\-2009 Internet Systems Consortium, Inc. ("ISC")
+.br
+Copyright \(co 2000, 2001 Internet Software Consortium.
+.br