import bind-9.11.4-22.P2.el8
commit
23892d136e
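--- a/.bind.metadata
+++ b/.bind.metadata
@@ -0,0 +1,3 @@
+f01eada382fb2bd4d1fcab3f6f83bd3ebc35a9ab SOURCES/bind-9.11.4-P2.tar.gz
+1dc72fe31e4c84853ea2d016e36f0419d1885fa0 SOURCES/config-18.tar.bz2
+a164fcad1d64d6b5fab5034928cb7260f1fa8fdd SOURCES/random.data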
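--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,3 @@
+SOURCES/bind-9.11.4-P2.tar.gz
+SOURCES/config-18.tar.bz2
+SOURCES/random.data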
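--- a/SOURCES/README.sdb_pgsql
+++ b/SOURCES/README.sdb_pgsql
@@ -0,0 +1,79 @@
+PGSQL BIND SDB driver
+
+The postgresql BIND SDB driver is of experimental status and should not be
+used for production systems.
+
+Usage:
+
+o Use the named_sdb process ( put ENABLE_SDB=yes in /etc/sysconfig/named )
+
+o Edit your named.conf to contain a database zone, eg. :
+
+zone "pgdb.net." IN {
+type master;
+database "pgsql bind pgdb localhost pguser pgpasswd";
+# ^- DB name ^-Table ^-host ^-user ^-password
+};
+
+o Create the database zone table
+The table must contain the columns "name", "rdtype", and "rdata", and
+is expected to contain a properly constructed zone. The program "zonetodb"
+creates such a table.
+
+zonetodb usage:
+
+zonetodb origin file dbname dbtable
+
+where
+origin : zone origin, eg "pgdb.net."
+file : master zone database file, eg. pgdb.net.db
+dbname : name of postgresql database
+dbtable: name of table in database
+
+Eg. to import this zone in the file 'pgdb.net.db' into the 'bind' database
+'pgdb' table:
+
+---
+#pgdb.net.db:
+$TTL 1H
+@ SOA localhost. root.localhost. ( 1
+3H
+1H
+1W
+1H )
+NS localhost.
+host1 A 192.168.2.1
+host2 A 192.168.2.2
+host3 A 192.168.2.3
+host4 A 192.168.2.4
+host5 A 192.168.2.5
+host6 A 192.168.2.6
+host7 A 192.168.2.7
+---
+
+Issue this command as the pgsql user authorized to update the bind database:
+
+# zonetodb pgdb.net. pgdb.net.db bind pgdb
+
+will create / update the pgdb table in the 'bind' db:
+
+$ psql -dbind -c 'select * from pgdb;'
+name | ttl | rdtype | rdata
+----------------+------+--------+-----------------------------------------------------
+pgdb.net | 3600 | SOA | localhost. root.localhost. 1 10800 3600 604800 3600
+pgdb.net | 3600 | NS | localhost.
+host1.pgdb.net | 3600 | A | 192.168.2.1
+host2.pgdb.net | 3600 | A | 192.168.2.2
+host3.pgdb.net | 3600 | A | 192.168.2.3
+host4.pgdb.net | 3600 | A | 192.168.2.4
+host5.pgdb.net | 3600 | A | 192.168.2.5
+host6.pgdb.net | 3600 | A | 192.168.2.6
+host7.pgdb.net | 3600 | A | 192.168.2.7
+(9 rows)
+
+I've tested exactly the above configuration with bind-sdb-9.3.1+ and it works OK.
+
+NOTE: If you use pgsqldb SDB, ensure the postgresql service is started before the named
+service .
+
+USE AT YOUR OWN RISK!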
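--- a/SOURCES/bind-9.10-dist-native-pkcs11.patch
+++ b/SOURCES/bind-9.10-dist-native-pkcs11.patch
@@ -0,0 +1,612 @@
+diff --git a/bin/Makefile.in b/bin/Makefile.in
+index f0c504a..ce7a2da 100644
+--- a/bin/Makefile.in
++++ b/bin/Makefile.in
+@@ -11,8 +11,8 @@ srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+-SUBDIRS = named rndc dig delv dnssec tools nsupdate check confgen \
+- @NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ tests
++SUBDIRS = named named-pkcs11 rndc dig delv dnssec dnssec-pkcs11 tools nsupdate \
++ check confgen @NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ tests
+TARGETS =
+
+@BIND9_MAKE_RULES@
+diff --git a/bin/dnssec-pkcs11/Makefile.in b/bin/dnssec-pkcs11/Makefile.in
+index 1d0c4ce..7b7f89b 100644
+--- a/bin/dnssec-pkcs11/Makefile.in
++++ b/bin/dnssec-pkcs11/Makefile.in
+@@ -17,18 +17,18 @@ VERSION=@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+-CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@
++CINCLUDES = ${DNS_PKCS11_INCLUDES} ${ISC_PKCS11_INCLUDES}
+
+CDEFINES = -DVERSION=\"${VERSION}\" @USE_PKCS11@ @PKCS11_ENGINE@ \
+- @CRYPTO@ -DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\"
++ @CRYPTO_PK11@ -DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\"
+CWARNINGS =
+
+-DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
+-ISCLIBS = ../../lib/isc/libisc.@A@
+-ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
++DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @DNS_CRYPTO_LIBS@
++ISCLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@
++ISCNOSYMLIBS = ../../lib/isc-pkcs11/libisc-pkcs11-nosymtbl.@A@
+
+-DNSDEPLIBS = ../../lib/dns/libdns.@A@
+-ISCDEPLIBS = ../../lib/isc/libisc.@A@
++DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@
++ISCDEPLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@
+
+DEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS}
+
+@@ -37,10 +37,10 @@ LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@
+NOSYMLIBS = ${DNSLIBS} ${ISCNOSYMLIBS} @LIBS@
+
+# Alphabetically
+-TARGETS = dnssec-keygen@EXEEXT@ dnssec-signzone@EXEEXT@ \
+- dnssec-keyfromlabel@EXEEXT@ dnssec-dsfromkey@EXEEXT@ \
+- dnssec-revoke@EXEEXT@ dnssec-settime@EXEEXT@ \
+- dnssec-verify@EXEEXT@ dnssec-importkey@EXEEXT@
++TARGETS = dnssec-keygen-pkcs11@EXEEXT@ dnssec-signzone-pkcs11@EXEEXT@ \
++ dnssec-keyfromlabel-pkcs11@EXEEXT@ dnssec-dsfromkey-pkcs11@EXEEXT@ \
++ dnssec-revoke-pkcs11@EXEEXT@ dnssec-settime-pkcs11@EXEEXT@ \
++ dnssec-verify-pkcs11@EXEEXT@ dnssec-importkey-pkcs11@EXEEXT@
+
+OBJS = dnssectool.@O@
+
+@@ -61,15 +61,15 @@ MANOBJS = ${MANPAGES} ${HTMLPAGES}
+
+@BIND9_MAKE_RULES@
+
+-dnssec-dsfromkey@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS}
++dnssec-dsfromkey-pkcs11@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS}
+export BASEOBJS="dnssec-dsfromkey.@O@ ${OBJS}"; \
+${FINALBUILDCMD}
+
+-dnssec-keyfromlabel@EXEEXT@: dnssec-keyfromlabel.@O@ ${OBJS} ${DEPLIBS}
++dnssec-keyfromlabel-pkcs11@EXEEXT@: dnssec-keyfromlabel.@O@ ${OBJS} ${DEPLIBS}
+export BASEOBJS="dnssec-keyfromlabel.@O@ ${OBJS}"; \
+${FINALBUILDCMD}
+
+-dnssec-keygen@EXEEXT@: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS}
++dnssec-keygen-pkcs11@EXEEXT@: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS}
+export BASEOBJS="dnssec-keygen.@O@ ${OBJS}"; \
+${FINALBUILDCMD}
+
+@@ -77,7 +77,7 @@ dnssec-signzone.@O@: dnssec-signzone.c
+${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
+-c ${srcdir}/dnssec-signzone.c
+
+-dnssec-signzone@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS}
++dnssec-signzone-pkcs11@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS}
+export BASEOBJS="dnssec-signzone.@O@ ${OBJS}"; \
+${FINALBUILDCMD}
+
+@@ -85,19 +85,19 @@ dnssec-verify.@O@: dnssec-verify.c
+${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
+-c ${srcdir}/dnssec-verify.c
+
+-dnssec-verify@EXEEXT@: dnssec-verify.@O@ ${OBJS} ${DEPLIBS}
++dnssec-verify-pkcs11@EXEEXT@: dnssec-verify.@O@ ${OBJS} ${DEPLIBS}
+export BASEOBJS="dnssec-verify.@O@ ${OBJS}"; \
+${FINALBUILDCMD}
+
+-dnssec-revoke@EXEEXT@: dnssec-revoke.@O@ ${OBJS} ${DEPLIBS}
++dnssec-revoke-pkcs11@EXEEXT@: dnssec-revoke.@O@ ${OBJS} ${DEPLIBS}
+${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+dnssec-revoke.@O@ ${OBJS} ${LIBS}
+
+-dnssec-settime@EXEEXT@: dnssec-settime.@O@ ${OBJS} ${DEPLIBS}
++dnssec-settime-pkcs11@EXEEXT@: dnssec-settime.@O@ ${OBJS} ${DEPLIBS}
+${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+dnssec-settime.@O@ ${OBJS} ${LIBS}
+
+-dnssec-importkey@EXEEXT@: dnssec-importkey.@O@ ${OBJS} ${DEPLIBS}
++dnssec-importkey-pkcs11@EXEEXT@: dnssec-importkey.@O@ ${OBJS} ${DEPLIBS}
+${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+dnssec-importkey.@O@ ${OBJS} ${LIBS}
+
+@@ -108,16 +108,14 @@ docclean manclean maintainer-clean::
+
+installdirs:
+$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
+- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
+
+install-man8: ${MANPAGES}
+${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8
+
+-install:: ${TARGETS} installdirs install-man8
++install:: ${TARGETS} installdirs
+for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir}; done
+
+uninstall::
+- for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m ; done
+for t in ${TARGETS}; do ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/$$t ; done
+
+clean distclean::
+diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in
+index 1d0c4ce..11538cf 100644
+--- a/bin/dnssec/Makefile.in
++++ b/bin/dnssec/Makefile.in
+@@ -19,7 +19,7 @@ VERSION=@BIND9_VERSION@
+
+CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@
+
+-CDEFINES = -DVERSION=\"${VERSION}\" @USE_PKCS11@ @PKCS11_ENGINE@ \
++CDEFINES = -DVERSION=\"${VERSION}\" \
+@CRYPTO@ -DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\"
+CWARNINGS =
+
+diff --git a/bin/named-pkcs11/Makefile.in b/bin/named-pkcs11/Makefile.in
+index d92bc9a..a8c42a4 100644
+--- a/bin/named-pkcs11/Makefile.in
++++ b/bin/named-pkcs11/Makefile.in
+@@ -43,26 +43,26 @@ DLZDRIVER_INCLUDES = @DLZ_DRIVER_INCLUDES@
+DLZDRIVER_LIBS = @DLZ_DRIVER_LIBS@
+
+CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
+- ${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \
+- ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \
++ ${LWRES_INCLUDES} ${DNS_PKCS11_INCLUDES} ${BIND9_INCLUDES} \
++ ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_PKCS11_INCLUDES} \
+${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} @DST_OPENSSL_INC@
+
+-CDEFINES = @CONTRIB_DLZ@ @USE_PKCS11@ @PKCS11_ENGINE@ @CRYPTO@
++CDEFINES = @USE_PKCS11@ @PKCS11_ENGINE@ @CRYPTO_PK11@
+
+CWARNINGS =
+
+-DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
++DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @DNS_CRYPTO_LIBS@
+ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
+ISCCCLIBS = ../../lib/isccc/libisccc.@A@
+-ISCLIBS = ../../lib/isc/libisc.@A@
++ISCLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@
+ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
+LWRESLIBS = ../../lib/lwres/liblwres.@A@
+BIND9LIBS = ../../lib/bind9/libbind9.@A@
+
+-DNSDEPLIBS = ../../lib/dns/libdns.@A@
++DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@
+ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
+ISCCCDEPLIBS = ../../lib/isccc/libisccc.@A@
+-ISCDEPLIBS = ../../lib/isc/libisc.@A@
++ISCDEPLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@
+LWRESDEPLIBS = ../../lib/lwres/liblwres.@A@
+BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
+
+@@ -71,15 +71,15 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
+
+LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
+${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} \
+- ${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@
++ @LIBS@
+
+NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
+${ISCCFGLIBS} ${ISCCCLIBS} ${ISCNOSYMLIBS} \
+- ${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@
++ @LIBS@
+
+SUBDIRS = unix
+
+-TARGETS = named@EXEEXT@ lwresd@EXEEXT@
++TARGETS = named-pkcs11@EXEEXT@
+
+GEOIPLINKOBJS = geoip.@O@
+
+@@ -90,8 +90,7 @@ OBJS = builtin.@O@ client.@O@ config.@O@ control.@O@ \
+tkeyconf.@O@ tsigconf.@O@ update.@O@ xfrout.@O@ \
+zoneconf.@O@ \
+lwaddr.@O@ lwresd.@O@ lwdclient.@O@ lwderror.@O@ lwdgabn.@O@ \
+- lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@ \
+- ${DLZDRIVER_OBJS} ${DBDRIVER_OBJS}
++ lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@
+
+UOBJS = unix/os.@O@ unix/dlz_dlopen_driver.@O@
+
+@@ -106,8 +105,7 @@ SRCS = builtin.c client.c config.c control.c \
+tkeyconf.c tsigconf.c update.c xfrout.c \
+zoneconf.c \
+lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \
+- lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c \
+- ${DLZDRIVER_SRCS} ${DBDRIVER_SRCS}
++ lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c
+
+MANPAGES = named.8 lwresd.8 named.conf.5
+
+@@ -146,14 +144,14 @@ server.@O@: server.c
+-DPRODUCT=\"${PRODUCT}\" \
+-DVERSION=\"${VERSION}\" -c ${srcdir}/server.c
+
+-named@EXEEXT@: ${OBJS} ${DEPLIBS}
++named-pkcs11@EXEEXT@: ${OBJS} ${DEPLIBS}
+export MAKE_SYMTABLE="yes"; \
+export BASEOBJS="${OBJS} ${UOBJS}"; \
+${FINALBUILDCMD}
+
+-lwresd@EXEEXT@: named@EXEEXT@
++lwresd@EXEEXT@: named-pkcs11@EXEEXT@
+rm -f lwresd@EXEEXT@
+- @LN@ named@EXEEXT@ lwresd@EXEEXT@
++ @LN@ named-pkcs11@EXEEXT@ lwresd@EXEEXT@
+
+doc man:: ${MANOBJS}
+
+@@ -184,16 +182,11 @@ install-man8: named.8 lwresd.8
+
+install-man: install-man5 install-man8
+
+-install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs install-man
+- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir}
+- (cd ${DESTDIR}${sbindir}; rm -f lwresd@EXEEXT@; @LN@ named@EXEEXT@ lwresd@EXEEXT@)
++install:: named-pkcs11@EXEEXT@ installdirs
++ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-pkcs11@EXEEXT@ ${DESTDIR}${sbindir}
+
+uninstall::
+- rm -f ${DESTDIR}${mandir}/man5/named.conf.5
+- rm -f ${DESTDIR}${mandir}/man8/lwresd.8
+- rm -f ${DESTDIR}${mandir}/man8/named.8
+- rm -f ${DESTDIR}${sbindir}/lwresd@EXEEXT@
+- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named@EXEEXT@
++ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named-pkcs11@EXEEXT@
+
+@DLZ_DRIVER_RULES@
+
+diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
+index d92bc9a..6d2bfd1 100644
+--- a/bin/named/Makefile.in
++++ b/bin/named/Makefile.in
+@@ -47,7 +47,7 @@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
+${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \
+${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} @DST_OPENSSL_INC@
+
+-CDEFINES = @CONTRIB_DLZ@ @USE_PKCS11@ @PKCS11_ENGINE@ @CRYPTO@
++CDEFINES = @CONTRIB_DLZ@ @CRYPTO@
+
+CWARNINGS =
+
+diff --git a/bin/pkcs11/Makefile.in b/bin/pkcs11/Makefile.in
+index a058c91..d4b689a 100644
+--- a/bin/pkcs11/Makefile.in
++++ b/bin/pkcs11/Makefile.in
+@@ -15,13 +15,13 @@ top_srcdir = @top_srcdir@
+
+@BIND9_MAKE_INCLUDES@
+
+-CINCLUDES = ${ISC_INCLUDES}
++CINCLUDES = ${ISC_PKCS11_INCLUDES}
+
+CDEFINES =
+
+-ISCLIBS = ../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
++ISCLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@ @ISC_OPENSSL_LIBS@
+
+-ISCDEPLIBS = ../../lib/isc/libisc.@A@
++ISCDEPLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@
+
+DEPLIBS = ${ISCDEPLIBS}
+
+diff --git a/configure.in b/configure.in
+index 849fa94..69e6373 100644
+--- a/configure.in
++++ b/configure.in
+@@ -1164,12 +1164,14 @@ AC_SUBST(USE_GSSAPI)
+AC_SUBST(DST_GSSAPI_INC)
+AC_SUBST(DNS_GSSAPI_LIBS)
+DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_LIBS"
++DNS_CRYPTO_PK11_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_PK11_LIBS"
+
+#
+# Applications linking with libdns also need to link with these libraries.
+#
+
+AC_SUBST(DNS_CRYPTO_LIBS)
++AC_SUBST(DNS_CRYPTO_PK11_LIBS)
+
+#
+# was --with-randomdev specified?
+@@ -1554,11 +1556,11 @@ fi
+AC_MSG_CHECKING(for OpenSSL library)
+OPENSSL_WARNING=
+openssldirs="/usr /usr/local /usr/local/ssl /usr/pkg /usr/sfw"
+-if test "yes" = "$want_native_pkcs11"
+-then
+- use_openssl="native_pkcs11"
+- AC_MSG_RESULT(use of native PKCS11 instead)
+-fi
++# if test "yes" = "$want_native_pkcs11"
++# then
++# use_openssl="native_pkcs11"
++# AC_MSG_RESULT(use of native PKCS11 instead)
++# fi
+
+if test "auto" = "$use_openssl"
+then
+@@ -1571,6 +1573,7 @@ then
+fi
+done
+fi
++CRYPTO_PK11=""
+OPENSSL_ECDSA=""
+OPENSSL_GOST=""
+OPENSSL_ED25519=""
+@@ -1592,11 +1595,10 @@ case "$with_gost" in
+;;
+esac
+
+-case "$use_openssl" in
+- native_pkcs11)
+- AC_MSG_RESULT(disabled because of native PKCS11)
++if test "$want_native_pkcs11" = "yes"
++then
+DST_OPENSSL_INC=""
+- CRYPTO="-DPKCS11CRYPTO"
++ CRYPTO_PK11="-DPKCS11CRYPTO"
+CRYPTOLIB="pkcs11"
+OPENSSLECDSALINKOBJS=""
+OPENSSLECDSALINKSRCS=""
+@@ -1606,7 +1608,9 @@ case "$use_openssl" in
+OPENSSLGOSTLINKSRCS=""
+OPENSSLLINKOBJS=""
+OPENSSLLINKSRCS=""
+- ;;
++fi
++
++case "$use_openssl" in
+no)
+AC_MSG_RESULT(no)
+DST_OPENSSL_INC=""
+@@ -1638,7 +1642,7 @@ case "$use_openssl" in
+If you do not want OpenSSL, use --without-openssl])
+;;
+*)
+- if test "yes" = "$want_native_pkcs11"
++ if false # test "yes" = "$want_native_pkcs11"
+then
+AC_MSG_RESULT()
+AC_MSG_ERROR([OpenSSL and native PKCS11 cannot be used together.])
+@@ -2066,6 +2070,7 @@ AC_SUBST(OPENSSL_ED25519)
+AC_SUBST(OPENSSL_GOST)
+
+DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DST_OPENSSL_LIBS"
++DNS_CRYPTO_PK11_LIBS="$DNS_CRYPTO_LIBS"
+
+ISC_PLATFORM_WANTAES="#undef ISC_PLATFORM_WANTAES"
+if test "yes" = "$with_aes"
+@@ -2384,6 +2389,7 @@ esac
+AC_SUBST(PKCS11LINKOBJS)
+AC_SUBST(PKCS11LINKSRCS)
+AC_SUBST(CRYPTO)
++AC_SUBST(CRYPTO_PK11)
+AC_SUBST(PKCS11_ECDSA)
+AC_SUBST(PKCS11_GOST)
+AC_SUBST(PKCS11_ED25519)
+@@ -5497,8 +5503,11 @@ AC_CONFIG_FILES([
+bin/delv/Makefile
+bin/dig/Makefile
+bin/dnssec/Makefile
++ bin/dnssec-pkcs11/Makefile
+bin/named/Makefile
+bin/named/unix/Makefile
++ bin/named-pkcs11/Makefile
++ bin/named-pkcs11/unix/Makefile
+bin/nsupdate/Makefile
+bin/pkcs11/Makefile
+bin/python/Makefile
+@@ -5572,6 +5581,10 @@ AC_CONFIG_FILES([
+lib/dns/include/dns/Makefile
+lib/dns/include/dst/Makefile
+lib/dns/tests/Makefile
++ lib/dns-pkcs11/Makefile
++ lib/dns-pkcs11/include/Makefile
++ lib/dns-pkcs11/include/dns/Makefile
++ lib/dns-pkcs11/include/dst/Makefile
+lib/irs/Makefile
+lib/irs/include/Makefile
+lib/irs/include/irs/Makefile
+@@ -5596,6 +5609,24 @@ AC_CONFIG_FILES([
+lib/isc/unix/include/Makefile
+lib/isc/unix/include/isc/Makefile
+lib/isc/unix/include/pkcs11/Makefile
++ lib/isc-pkcs11/$arch/Makefile
++ lib/isc-pkcs11/$arch/include/Makefile
++ lib/isc-pkcs11/$arch/include/isc/Makefile
++ lib/isc-pkcs11/$thread_dir/Makefile
++ lib/isc-pkcs11/$thread_dir/include/Makefile
++ lib/isc-pkcs11/$thread_dir/include/isc/Makefile
++ lib/isc-pkcs11/Makefile
++ lib/isc-pkcs11/include/Makefile
++ lib/isc-pkcs11/include/isc/Makefile
++ lib/isc-pkcs11/include/isc/platform.h
++ lib/isc-pkcs11/include/pk11/Makefile
++ lib/isc-pkcs11/include/pkcs11/Makefile
++ lib/isc-pkcs11/tests/Makefile
++ lib/isc-pkcs11/nls/Makefile
++ lib/isc-pkcs11/unix/Makefile
++ lib/isc-pkcs11/unix/include/Makefile
++ lib/isc-pkcs11/unix/include/isc/Makefile
++ lib/isc-pkcs11/unix/include/pkcs11/Makefile
+lib/isccc/Makefile
+lib/isccc/include/Makefile
+lib/isccc/include/isccc/Makefile
+diff --git a/lib/Makefile.in b/lib/Makefile.in
+index 81270a0..bcb5312 100644
+--- a/lib/Makefile.in
++++ b/lib/Makefile.in
+@@ -15,7 +15,7 @@ top_srcdir = @top_srcdir@
+# Attempt to disable parallel processing.
+.NOTPARALLEL:
+.NO_PARALLEL:
+-SUBDIRS = isc isccc dns isccfg bind9 lwres irs samples
++SUBDIRS = isc isc-pkcs11 isccc dns dns-pkcs11 isccfg bind9 lwres irs samples
+TARGETS =
+
+@BIND9_MAKE_RULES@
+diff --git a/lib/dns-pkcs11/Makefile.in b/lib/dns-pkcs11/Makefile.in
+index 4a8549e..6a19906 100644
+--- a/lib/dns-pkcs11/Makefile.in
++++ b/lib/dns-pkcs11/Makefile.in
+@@ -26,16 +26,16 @@ VERSION=@BIND9_VERSION@
+
+USE_ISC_SPNEGO = @USE_ISC_SPNEGO@
+
+-CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \
+- ${ISC_INCLUDES} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@
++CINCLUDES = -I. -I${top_srcdir}/lib/dns-pkcs11 -Iinclude ${DNS_PKCS11_INCLUDES} \
++ ${ISC_PKCS11_INCLUDES} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@
+
+-CDEFINES = -DUSE_MD5 @CRYPTO@ @USE_GSSAPI@ ${USE_ISC_SPNEGO}
++CDEFINES = -DUSE_MD5 @CRYPTO_PK11@ @USE_GSSAPI@ ${USE_ISC_SPNEGO}
+
+CWARNINGS =
+
+-ISCLIBS = ../../lib/isc/libisc.@A@
++ISCLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@
+
+-ISCDEPLIBS = ../../lib/isc/libisc.@A@
++ISCDEPLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@
+
+LIBS = @LIBS@
+
+@@ -146,15 +146,15 @@ version.@O@: version.c
+-DLIBAGE=${LIBAGE} \
+-c ${srcdir}/version.c
+
+-libdns.@SA@: ${OBJS}
++libdns-pkcs11.@SA@: ${OBJS}
+${AR} ${ARFLAGS} $@ ${OBJS}
+${RANLIB} $@
+
+-libdns.la: ${OBJS}
++libdns-pkcs11.la: ${OBJS}
+${LIBTOOL_MODE_LINK} \
+- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns.la -rpath ${libdir} \
++ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns-pkcs11.la -rpath ${libdir} \
+-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
+- ${OBJS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${LIBS}
++ ${OBJS} ${ISCLIBS} @DNS_CRYPTO_PK11_LIBS@ ${LIBS}
+
+include: gen
+${MAKE} include/dns/enumtype.h
+@@ -180,25 +180,25 @@ code.h: gen
+./gen -s ${srcdir} > code.h || { rm -f $@ ; exit 1; }
+
+gen: gen.c
+- ${BUILD_CC} ${BUILD_CFLAGS} -I${top_srcdir}/lib/isc/include \
++ ${BUILD_CC} ${BUILD_CFLAGS} -I${top_srcdir}/lib/isc-pkcs11/include \
+${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c ${BUILD_LIBS}
+
+-timestamp: include libdns.@A@
++timestamp: include libdns-pkcs11.@A@
+touch timestamp
+
+-testdirs: libdns.@A@
++testdirs: libdns-pkcs11.@A@
+
+installdirs:
+$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
+
+install:: timestamp installdirs
+- ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libdns.@A@ ${DESTDIR}${libdir}
++ ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libdns-pkcs11.@A@ ${DESTDIR}${libdir}
+
+uninstall::
+- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libdns.@A@
++ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libdns-pkcs11.@A@
+
+clean distclean::
+- rm -f libdns.@A@ timestamp
++ rm -f libdns-pkcs11.@A@ timestamp
+rm -f gen code.h include/dns/enumtype.h include/dns/enumclass.h
+rm -f include/dns/rdatastruct.h
+rm -f dnstap.pb-c.c dnstap.pb-c.h include/dns/dnstap.pb-c.h
+diff --git a/lib/isc-pkcs11/Makefile.in b/lib/isc-pkcs11/Makefile.in
+index ba53ef1..d1f1771 100644
+--- a/lib/isc-pkcs11/Makefile.in
++++ b/lib/isc-pkcs11/Makefile.in
+@@ -23,8 +23,8 @@ CINCLUDES = -I${srcdir}/unix/include \
+-I${srcdir}/@ISC_THREAD_DIR@/include \
+-I${srcdir}/@ISC_ARCH_DIR@/include \
+-I./include \
+- -I${srcdir}/include ${DNS_INCLUDES} @ISC_OPENSSL_INC@
+-CDEFINES = @CRYPTO@ -DPK11_LIB_LOCATION=\"${PROVIDER}\"
++ -I${srcdir}/include ${DNS_PKCS11_INCLUDES}
++CDEFINES = @CRYPTO_PK11@ -DPK11_LIB_LOCATION=\"${PROVIDER}\"
+CWARNINGS =
+
+# Alphabetically
+@@ -107,40 +107,40 @@ version.@O@: version.c
+-DLIBAGE=${LIBAGE} \
+-c ${srcdir}/version.c
+
+-libisc.@SA@: ${OBJS} ${SYMTBLOBJS}
++libisc-pkcs11.@SA@: ${OBJS} ${SYMTBLOBJS}
+${AR} ${ARFLAGS} $@ ${OBJS} ${SYMTBLOBJS}
+${RANLIB} $@
+
+-libisc-nosymtbl.@SA@: ${OBJS}
++libisc-pkcs11-nosymtbl.@SA@: ${OBJS}
+${AR} ${ARFLAGS} $@ ${OBJS}
+${RANLIB} $@
+
+-libisc.la: ${OBJS} ${SYMTBLOBJS}
++libisc-pkcs11.la: ${OBJS} ${SYMTBLOBJS}
+${LIBTOOL_MODE_LINK} \
+- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc.la -rpath ${libdir} \
++ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc-pkcs11.la -rpath ${libdir} \
+-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
+${OBJS} ${SYMTBLOBJS} ${LIBS}
+
+-libisc-nosymtbl.la: ${OBJS}
++libisc-pkcs11-nosymtbl.la: ${OBJS}
+${LIBTOOL_MODE_LINK} \
+- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc-nosymtbl.la -rpath ${libdir} \
++ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc-pkcs11-nosymtbl.la -rpath ${libdir} \
+-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
+${OBJS} ${LIBS}
+
+-timestamp: libisc.@A@ libisc-nosymtbl.@A@
++timestamp: libisc-pkcs11.@A@ libisc-pkcs11-nosymtbl.@A@
+touch timestamp
+
+-testdirs: libisc.@A@ libisc-nosymtbl.@A@
++testdirs: libisc-pkcs11.@A@ libisc-pkcs11-nosymtbl.@A@
+
+installdirs:
+$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
+
+install:: timestamp installdirs
+- ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libisc.@A@ ${DESTDIR}${libdir}
++ ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libisc-pkcs11.@A@ ${DESTDIR}${libdir}
+
+uninstall::
+- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libisc.@A@
++ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libisc-pkcs11.@A@
+
+clean distclean::
+- rm -f libisc.@A@ libisc-nosymtbl.@A@ libisc.la \
+- libisc-nosymtbl.la timestamp
++ rm -f libisc-pkcs11.@A@ libisc-pkcs11-nosymtbl.@A@ libisc-pkcs11.la \
++ libisc-pkcs11-nosymtbl.la timestamp
+diff --git a/make/includes.in b/make/includes.in
+index fa86ad1..3cfbe9f 100644
+--- a/make/includes.in
++++ b/make/includes.in
+@@ -43,3 +43,13 @@ BIND9_INCLUDES = @BIND9_BIND9_BUILDINCLUDE@ \
+
+TEST_INCLUDES = \
+-I${top_srcdir}/lib/tests/include
++
++ISC_PKCS11_INCLUDES = @BIND9_ISC_BUILDINCLUDE@ \
++ -I${top_srcdir}/lib/isc-pkcs11 \
++ -I${top_srcdir}/lib/isc-pkcs11/include \
++ -I${top_srcdir}/lib/isc-pkcs11/unix/include \
++ -I${top_srcdir}/lib/isc-pkcs11/@ISC_THREAD_DIR@/include \
++ -I${top_srcdir}/lib/isc-pkcs11/@ISC_ARCH_DIR@/include
++
++DNS_PKCS11_INCLUDES = @BIND9_DNS_BUILDINCLUDE@ \
++ -I${top_srcdir}/lib/dns-pkcs11/include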
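Review bot: In the bin/named-pkcs11/Makefile.in hunk, ISCLIBS and ISCDEPLIBS are redirected to lib/isc-pkcs11 but the ISCNOSYMLIBS line is left as context reading `ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@`, so the NOSYMLIBS link of named-pkcs11 pairs libdns-pkcs11 with a libisc built without `@CRYPTO_PK11@`; the dnssec-pkcs11 hunk does switch this variable, and the same line here should become `ISCNOSYMLIBS = ../../lib/isc-pkcs11/libisc-pkcs11-nosymtbl.@A@`. Separately, in the configure.in hunks the added `DNS_CRYPTO_PK11_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_PK11_LIBS"` near line 1167 appears to be overwritten unconditionally by `DNS_CRYPTO_PK11_LIBS="$DNS_CRYPTO_LIBS"` near line 2073, as far as these hunks show, so the earlier assignment is dead and could be dropped or the later one turned into an append. The variable blocks these lines belong to continue outside the hunks.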
309
SOURCES/bind-9.10-sdb.patch
Normal file
309
SOURCES/bind-9.10-sdb.patch
Normal file
@ -0,0 +1,309 @@
|
||||
diff --git a/bin/Makefile.in b/bin/Makefile.in
|
||||
index ce7a2da..4e6a824 100644
|
||||
--- a/bin/Makefile.in
|
||||
+++ b/bin/Makefile.in
|
||||
@@ -11,8 +11,8 @@ srcdir = @srcdir@
|
||||
VPATH = @srcdir@
|
||||
top_srcdir = @top_srcdir@
|
||||
|
||||
-SUBDIRS = named named-pkcs11 rndc dig delv dnssec dnssec-pkcs11 tools nsupdate \
|
||||
- check confgen @NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ tests
|
||||
+SUBDIRS = named named-sdb named-pkcs11 rndc dig delv dnssec dnssec-pkcs11 tools nsupdate \
|
||||
+ check confgen @NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ sdb_tools tests
|
||||
TARGETS =
|
||||
|
||||
@BIND9_MAKE_RULES@
|
||||
diff --git a/bin/named-sdb/Makefile.in b/bin/named-sdb/Makefile.in
|
||||
index 6d2bfd1..d3f42e8 100644
|
||||
--- a/bin/named-sdb/Makefile.in
|
||||
+++ b/bin/named-sdb/Makefile.in
|
||||
@@ -30,10 +30,10 @@ VERSION=@BIND9_VERSION@
|
||||
#
|
||||
# Add database drivers here.
|
||||
#
|
||||
-DBDRIVER_OBJS =
|
||||
-DBDRIVER_SRCS =
|
||||
+DBDRIVER_OBJS = ldapdb.@O@ pgsqldb.@O@ sqlitedb.@O@ dirdb.@O@
|
||||
+DBDRIVER_SRCS = ldapdb.c pgsqldb.c sqlitedb.c dirdb.c
|
||||
DBDRIVER_INCLUDES =
|
||||
-DBDRIVER_LIBS =
|
||||
+DBDRIVER_LIBS = -lldap -llber -lsqlite3 -lpq
|
||||
|
||||
DLZ_DRIVER_DIR = ${top_srcdir}/contrib/dlz/drivers
|
||||
|
||||
@@ -79,7 +79,7 @@ NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
|
||||
|
||||
SUBDIRS = unix
|
||||
|
||||
-TARGETS = named@EXEEXT@ lwresd@EXEEXT@
|
||||
+TARGETS = named-sdb@EXEEXT@
|
||||
|
||||
GEOIPLINKOBJS = geoip.@O@
|
||||
|
||||
@@ -146,7 +146,7 @@ server.@O@: server.c
|
||||
-DPRODUCT=\"${PRODUCT}\" \
|
||||
-DVERSION=\"${VERSION}\" -c ${srcdir}/server.c
|
||||
|
||||
-named@EXEEXT@: ${OBJS} ${DEPLIBS}
|
||||
+named-sdb@EXEEXT@: ${OBJS} ${DEPLIBS}
|
||||
export MAKE_SYMTABLE="yes"; \
|
||||
export BASEOBJS="${OBJS} ${UOBJS}"; \
|
||||
${FINALBUILDCMD}
|
||||
@@ -173,8 +173,6 @@ statschannel.@O@: bind9.xsl.h
|
||||
|
||||
installdirs:
|
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
|
||||
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man5
|
||||
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
|
||||
|
||||
install-man5: named.conf.5
|
||||
${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man5
|
||||
@@ -184,16 +182,11 @@ install-man8: named.8 lwresd.8
|
||||
|
||||
install-man: install-man5 install-man8
|
||||
|
||||
-install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs install-man
|
||||
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir}
|
||||
- (cd ${DESTDIR}${sbindir}; rm -f lwresd@EXEEXT@; @LN@ named@EXEEXT@ lwresd@EXEEXT@)
|
||||
+install:: ${TARGETS} installdirs
|
||||
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-sdb@EXEEXT@ ${DESTDIR}${sbindir}
|
||||
|
||||
uninstall::
|
||||
- rm -f ${DESTDIR}${mandir}/man5/named.conf.5
|
||||
- rm -f ${DESTDIR}${mandir}/man8/lwresd.8
|
||||
- rm -f ${DESTDIR}${mandir}/man8/named.8
|
||||
- rm -f ${DESTDIR}${sbindir}/lwresd@EXEEXT@
|
||||
- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named@EXEEXT@
|
||||
+ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named-sdb@EXEEXT@
|
||||
|
||||
@DLZ_DRIVER_RULES@
|
||||
|
||||
diff --git a/bin/named-sdb/main.c b/bin/named-sdb/main.c
|
||||
index bb639d9..555c4d9 100644
|
||||
--- a/bin/named-sdb/main.c
|
||||
+++ b/bin/named-sdb/main.c
|
||||
@@ -91,6 +91,10 @@
|
||||
* Include header files for database drivers here.
|
||||
*/
|
||||
/* #include "xxdb.h" */
|
||||
+#include "ldapdb.h"
|
||||
+#include "pgsqldb.h"
|
||||
+#include "sqlitedb.h"
|
||||
+#include "dirdb.h"
|
||||
|
||||
#ifdef CONTRIB_DLZ
|
||||
/*
|
||||
@@ -1061,6 +1065,11 @@ setup(void) {
|
||||
ns_main_earlyfatal("isc_app_start() failed: %s",
|
||||
isc_result_totext(result));
|
||||
|
||||
+ ldapdb_clear();
|
||||
+ pgsqldb_clear();
|
||||
+ dirdb_clear();
|
||||
+ sqlitedb_clear();
|
||||
+
|
||||
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
|
||||
ISC_LOG_NOTICE, "starting %s %s%s%s <id:%s>",
|
||||
ns_g_product, ns_g_version,
|
||||
@@ -1261,6 +1270,75 @@ setup(void) {
|
||||
isc_result_totext(result));
|
||||
#endif
|
||||
|
||||
+ result = ldapdb_init();
|
||||
+ if (result != ISC_R_SUCCESS)
|
||||
+ {
|
||||
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
|
||||
+ ISC_LOG_ERROR,
|
||||
+ "SDB ldap module initialisation failed: %s.",
|
||||
+ isc_result_totext(result)
|
||||
+ );
|
||||
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
|
||||
+ ISC_LOG_ERROR,
|
||||
+ "SDB ldap zone database will be unavailable."
|
||||
+ );
|
||||
+ }else
|
||||
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
|
||||
+ ISC_LOG_NOTICE, "SDB ldap zone database module loaded."
|
||||
+ );
|
||||
+
|
||||
+ result = pgsqldb_init();
|
||||
+ if (result != ISC_R_SUCCESS)
|
||||
+ {
|
||||
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
|
||||
+ ISC_LOG_ERROR,
|
||||
+ "SDB pgsql module initialisation failed: %s.",
|
||||
+ isc_result_totext(result)
|
||||
+ );
|
||||
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
|
||||
+ ISC_LOG_ERROR,
|
||||
+ "SDB pgsql zone database will be unavailable."
|
||||
+ );
|
||||
+ }else
|
||||
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
|
||||
+ ISC_LOG_NOTICE, "SDB postgreSQL DB zone database module loaded."
|
||||
+ );
|
||||
+
|
||||
+ result = sqlitedb_init();
|
||||
+ if (result != ISC_R_SUCCESS)
|
||||
+ {
|
||||
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
|
||||
+ ISC_LOG_ERROR,
|
||||
+ "SDB sqlite3 module initialisation failed: %s.",
|
||||
+ isc_result_totext(result)
|
||||
+ );
|
||||
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
|
||||
+ ISC_LOG_ERROR,
|
||||
+ "SDB sqlite3 zone database will be unavailable."
|
||||
+ );
|
||||
+ }else
|
||||
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
|
||||
+ ISC_LOG_NOTICE, "SDB sqlite3 DB zone database module loaded."
|
||||
+ );
|
||||
+
|
||||
+ result = dirdb_init();
|
||||
+ if (result != ISC_R_SUCCESS)
|
||||
+ {
|
||||
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
|
||||
+ ISC_LOG_ERROR,
|
||||
+ "SDB directory DB module initialisation failed: %s.",
|
||||
+ isc_result_totext(result)
|
||||
+ );
|
||||
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
|
||||
+ ISC_LOG_ERROR,
|
||||
+ "SDB directory DB zone database will be unavailable."
|
||||
+ );
|
||||
+ }else
|
||||
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
|
||||
+ ISC_LOG_NOTICE, "SDB directory DB zone database module loaded."
|
||||
+ );
|
||||
+
|
||||
+
|
||||
ns_server_create(ns_g_mctx, &ns_g_server);
|
||||
|
||||
#ifdef HAVE_LIBSECCOMP
|
||||
@@ -1303,6 +1381,11 @@ cleanup(void) {
|
||||
|
||||
dns_name_destroy();
|
||||
|
||||
+ ldapdb_clear();
|
||||
+ pgsqldb_clear();
|
||||
+ sqlitedb_clear();
|
||||
+ dirdb_clear();
|
||||
+
|
||||
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
|
||||
ISC_LOG_NOTICE, "exiting");
|
||||
ns_log_shutdown();
|
||||
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
|
||||
index 6d2bfd1..86f8587 100644
|
||||
--- a/bin/named/Makefile.in
|
||||
+++ b/bin/named/Makefile.in
|
||||
@@ -45,9 +45,9 @@ DLZDRIVER_LIBS = @DLZ_DRIVER_LIBS@
|
||||
CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
|
||||
${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \
|
||||
${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \
|
||||
- ${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} @DST_OPENSSL_INC@
|
||||
+ @DST_OPENSSL_INC@
|
||||
|
||||
-CDEFINES = @CONTRIB_DLZ@ @CRYPTO@
|
||||
+CDEFINES = @CRYPTO@
|
||||
|
||||
CWARNINGS =
|
||||
|
||||
@@ -71,11 +71,11 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
|
||||
|
||||
LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
|
||||
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} \
|
||||
- ${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@
|
||||
+ @LIBS@
|
||||
|
||||
NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
|
||||
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCNOSYMLIBS} \
|
||||
- ${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@
|
||||
+ @LIBS@
|
||||
|
||||
SUBDIRS = unix
|
||||
|
||||
@@ -90,8 +90,7 @@ OBJS = builtin.@O@ client.@O@ config.@O@ control.@O@ \
|
||||
tkeyconf.@O@ tsigconf.@O@ update.@O@ xfrout.@O@ \
|
||||
zoneconf.@O@ \
|
||||
lwaddr.@O@ lwresd.@O@ lwdclient.@O@ lwderror.@O@ lwdgabn.@O@ \
|
||||
- lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@ \
|
||||
- ${DLZDRIVER_OBJS} ${DBDRIVER_OBJS}
|
||||
+ lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@
|
||||
|
||||
UOBJS = unix/os.@O@ unix/dlz_dlopen_driver.@O@
|
||||
|
||||
@@ -106,8 +105,7 @@ SRCS = builtin.c client.c config.c control.c \
|
||||
tkeyconf.c tsigconf.c update.c xfrout.c \
|
||||
zoneconf.c \
|
||||
lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \
|
||||
- lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c \
|
||||
- ${DLZDRIVER_SRCS} ${DBDRIVER_SRCS}
|
||||
+ lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c
|
||||
|
||||
MANPAGES = named.8 lwresd.8 named.conf.5
|
||||
|
||||
@@ -195,7 +193,5 @@ uninstall::
|
||||
rm -f ${DESTDIR}${sbindir}/lwresd@EXEEXT@
|
||||
${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named@EXEEXT@
|
||||
|
||||
-@DLZ_DRIVER_RULES@
|
||||
-
|
||||
named-symtbl.@O@: named-symtbl.c
|
||||
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c named-symtbl.c
|
||||
diff --git a/bin/sdb_tools/Makefile.in b/bin/sdb_tools/Makefile.in
|
||||
index c7e0868..95ab742 100644
|
||||
--- a/bin/sdb_tools/Makefile.in
|
||||
+++ b/bin/sdb_tools/Makefile.in
|
||||
@@ -32,11 +32,11 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
|
||||
LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
|
||||
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} ${DBDRIVER_LIBS} @LIBS@
|
||||
|
||||
-TARGETS = zone2ldap@EXEEXT@ zonetodb@EXEEXT@
|
||||
+TARGETS = zone2ldap@EXEEXT@ zonetodb@EXEEXT@ zone2sqlite@EXEEXT@
|
||||
|
||||
-OBJS = zone2ldap.@O@ zonetodb.@O@
|
||||
+OBJS = zone2ldap.@O@ zonetodb.@O@ zone2sqlite.@O@
|
||||
|
||||
-SRCS = zone2ldap.c zonetodb.c
|
||||
+SRCS = zone2ldap.c zonetodb.c zone2sqlite.c
|
||||
|
||||
MANPAGES = zone2ldap.1
|
||||
|
||||
@@ -50,6 +50,9 @@ zone2ldap@EXEEXT@: zone2ldap.@O@ ${DEPLIBS}
|
||||
zonetodb@EXEEXT@: zonetodb.@O@ ${DEPLIBS}
|
||||
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ zonetodb.@O@ -lpq ${LIBS}
|
||||
|
||||
+zone2sqlite@EXEEXT@: zone2sqlite.@O@ ${DEPLIBS}
|
||||
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ zone2sqlite.@O@ -lsqlite3 -lssl ${LIBS}
|
||||
+
|
||||
clean distclean manclean maintainer-clean::
|
||||
rm -f ${TARGETS} ${OBJS}
|
||||
|
||||
@@ -60,4 +63,5 @@ installdirs:
|
||||
install:: ${TARGETS} installdirs
|
||||
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2ldap@EXEEXT@ ${DESTDIR}${sbindir}
|
||||
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zonetodb@EXEEXT@ ${DESTDIR}${sbindir}
|
||||
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2sqlite@EXEEXT@ ${DESTDIR}${sbindir}
|
||||
${INSTALL_DATA} ${srcdir}/zone2ldap.1 ${DESTDIR}${mandir}/man1/zone2ldap.1
|
||||
diff --git a/configure.in b/configure.in
|
||||
index 62536a6..f571a4f 100644
|
||||
--- a/configure.in
|
||||
+++ b/configure.in
|
||||
@@ -5445,6 +5445,8 @@ AC_CONFIG_FILES([
|
||||
bin/named/unix/Makefile
|
||||
bin/named-pkcs11/Makefile
|
||||
bin/named-pkcs11/unix/Makefile
|
||||
+ bin/named-sdb/Makefile
|
||||
+ bin/named-sdb/unix/Makefile
|
||||
bin/nsupdate/Makefile
|
||||
bin/pkcs11/Makefile
|
||||
bin/python/Makefile
|
||||
@@ -5469,6 +5471,7 @@ AC_CONFIG_FILES([
|
||||
bin/python/isc/tests/dnskey_test.py
|
||||
bin/python/isc/tests/policy_test.py
|
||||
bin/rndc/Makefile
|
||||
+ bin/sdb_tools/Makefile
|
||||
bin/tests/Makefile
|
||||
bin/tests/headerdep_test.sh
|
||||
bin/tests/optional/Makefile
|
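--- a/SOURCES/bind-9.10-use-of-strlcat.patch
+++ b/SOURCES/bind-9.10-use-of-strlcat.patch
@@ -0,0 +1,18 @@
+diff --git a/bin/sdb_tools/zone2ldap.c b/bin/sdb_tools/zone2ldap.c
+index d56bc56..99c3314 100644
+--- a/bin/sdb_tools/zone2ldap.c
++++ b/bin/sdb_tools/zone2ldap.c
+@@ -817,11 +817,11 @@ build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag, char *zone)
+}
+
+
+- strlcat (dn, tmp, sizeof (dn));
++ strncat (dn, tmp, sizeof (dn) - strlen (dn));
+}
+
+sprintf (tmp, "dc=%s", dc_list[0]);
+- strlcat (dn, tmp, sizeof (dn));
++ strncat (dn, tmp, sizeof (dn) - strlen (dn));
+
+fflush(NULL);
+return dn;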
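--- a/SOURCES/bind-9.11-CVE-2018-5743-atomic.patch
+++ b/SOURCES/bind-9.11-CVE-2018-5743-atomic.patch
@@ -0,0 +1,131 @@
+From 94e08314024c812063bf99bd191a46265a2ba49f Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Wed, 24 Apr 2019 21:10:26 +0200
+Subject: [PATCH] Missing atomic fix to original CVE patch
+
+---
+bin/named/client.c | 18 +++++++-----------
+bin/named/include/named/interfacemgr.h | 5 +++--
+bin/named/interfacemgr.c | 7 +++++--
+3 files changed, 15 insertions(+), 15 deletions(-)
+
+diff --git a/bin/named/client.c b/bin/named/client.c
+index 3ada6e9..d3bf47d 100644
+--- a/bin/named/client.c
++++ b/bin/named/client.c
+@@ -405,12 +405,10 @@ tcpconn_detach(ns_client_t *client) {
+static void
+mark_tcp_active(ns_client_t *client, isc_boolean_t active) {
+if (active && !client->tcpactive) {
+- isc_atomic_xadd(&client->interface->ntcpactive, 1);
++ isc_refcount_increment0(&client->interface->ntcpactive, NULL);
+client->tcpactive = active;
+} else if (!active && client->tcpactive) {
+- uint32_t old =
+- isc_atomic_xadd(&client->interface->ntcpactive, -1);
+- INSIST(old > 0);
++ isc_refcount_decrement(&client->interface->ntcpactive, NULL);
+client->tcpactive = active;
+}
+}
+@@ -557,7 +555,7 @@ exit_check(ns_client_t *client) {
+if (client->mortal && TCP_CLIENT(client) &&
+client->newstate != NS_CLIENTSTATE_FREED &&
+!ns_g_clienttest &&
+- isc_atomic_xadd(&client->interface->ntcpaccepting, 0) == 0)
++ isc_refcount_current(&client->interface->ntcpaccepting) == 0)
+{
+/* Nobody else is accepting */
+client->mortal = ISC_FALSE;
+@@ -3321,7 +3319,6 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
+isc_result_t result;
+ns_client_t *client = event->ev_arg;
+isc_socket_newconnev_t *nevent = (isc_socket_newconnev_t *)event;
+- uint32_t old;
+
+REQUIRE(event->ev_type == ISC_SOCKEVENT_NEWCONN);
+REQUIRE(NS_CLIENT_VALID(client));
+@@ -3341,8 +3338,7 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
+INSIST(client->naccepts == 1);
+client->naccepts--;
+
+- old = isc_atomic_xadd(&client->interface->ntcpaccepting, -1);
+- INSIST(old > 0);
++ isc_refcount_decrement(&client->interface->ntcpaccepting, NULL);
+
+/*
+* We must take ownership of the new socket before the exit
+@@ -3473,8 +3469,8 @@ client_accept(ns_client_t *client) {
+* quota is tcp-clients plus the number of listening
+* interfaces plus 1.)
+*/
+- exit = (isc_atomic_xadd(&client->interface->ntcpactive, 0) >
+- (client->tcpactive ? 1 : 0));
++ exit = (isc_refcount_current(&client->interface->ntcpactive) >
++ (client->tcpactive ? 1U : 0U));
+if (exit) {
+client->newstate = NS_CLIENTSTATE_INACTIVE;
+(void)exit_check(client);
+@@ -3532,7 +3528,7 @@ client_accept(ns_client_t *client) {
+* listening for connections itself to prevent the interface
+* going dead.
+*/
+- isc_atomic_xadd(&client->interface->ntcpaccepting, 1);
++ isc_refcount_increment0(&client->interface->ntcpaccepting, NULL);
+}
+
+static void
+diff --git a/bin/named/include/named/interfacemgr.h b/bin/named/include/named/interfacemgr.h
+index d9ac90f..aa21049 100644
+--- a/bin/named/include/named/interfacemgr.h
++++ b/bin/named/include/named/interfacemgr.h
+@@ -43,6 +43,7 @@
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/socket.h>
++#include <isc/refcount.h>
+
+#include <dns/result.h>
+
+@@ -73,11 +74,11 @@ struct ns_interface {
+/*%< UDP dispatchers. */
+isc_socket_t * tcpsocket; /*%< TCP socket. */
+isc_dscp_t dscp; /*%< "listen-on" DSCP value */
+- int32_t ntcpaccepting; /*%< Number of clients
++ isc_refcount_t ntcpaccepting; /*%< Number of clients
+ready to accept new
+TCP connections on this
+interface */
+- int32_t ntcpactive; /*%< Number of clients
++ isc_refcount_t ntcpactive; /*%< Number of clients
+servicing TCP queries
+(whether accepting or
+connected) */
+diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c
+index 96c080b..2ce97bb 100644
+--- a/bin/named/interfacemgr.c
++++ b/bin/named/interfacemgr.c
+@@ -384,8 +384,8 @@ ns_interface_create(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr,
+* connections will be handled in parallel even though there is
+* only one client initially.
+*/
+- ifp->ntcpaccepting = 0;
+- ifp->ntcpactive = 0;
++ isc_refcount_init(&ifp->ntcpaccepting, 0);
++ isc_refcount_init(&ifp->ntcpactive, 0);
+
+ifp->nudpdispatch = 0;
+
+@@ -616,6 +616,9 @@ ns_interface_destroy(ns_interface_t *ifp) {
+
+ns_interfacemgr_detach(&ifp->mgr);
+
++ isc_refcount_destroy(&ifp->ntcpactive);
++ isc_refcount_destroy(&ifp->ntcpaccepting);
++
+ifp->magic = 0;
+isc_mem_put(mctx, ifp, sizeof(*ifp));
+}
+--
+2.20.1
+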
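Review bot: Both decrement sites in client.c, in `mark_tcp_active` and in `client_newconn`, drop the explicit `INSIST(old > 0)` underflow check when they switch to `isc_refcount_decrement(..., NULL)`, and whether that check survives now depends on which refcount implementation is selected at build time, which this patch does not show. A one-line comment at the first site, `/* isc_refcount_decrement asserts the count was non-zero, replacing the former INSIST(old > 0) */`, would record that the invariant is delegated rather than lost, and should be verified against the fallback variant in isc/refcount.h before the comment is trusted. The added `isc_refcount_destroy` calls in ns_interface_destroy presumably require both counters to be zero, which turns a leaked active or accepting client into an assertion at interface teardown; that is a useful check, but it is a new failure mode and belongs in the patch description. As a point of style, `#include <isc/refcount.h>` is inserted after `<isc/socket.h>`, breaking the alphabetical order the surrounding includes keep.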
868
SOURCES/bind-9.11-CVE-2018-5743.patch
Normal file
@ -0,0 +1,868 @@
|
||||
From b2929ff50a7676563177bc52a372ddcae48cb002 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Mensik <pemensik@redhat.com>
|
||||
Date: Wed, 24 Apr 2019 20:09:07 +0200
|
||||
Subject: [PATCH] 5200. [security] tcp-clients settings could be
|
||||
exceeded in some cases, which could lead to
|
||||
exhaustion of file descriptors. (CVE-2018-5743) [GL
|
||||
#615]
|
||||
|
||||
---
|
||||
bin/named/client.c | 421 +++++++++++++++++++------
|
||||
bin/named/include/named/client.h | 13 +-
|
||||
bin/named/include/named/interfacemgr.h | 13 +-
|
||||
bin/named/interfacemgr.c | 9 +-
|
||||
lib/isc/include/isc/quota.h | 7 +
|
||||
lib/isc/quota.c | 33 +-
|
||||
6 files changed, 385 insertions(+), 111 deletions(-)
|
||||
|
||||
diff --git a/bin/named/client.c b/bin/named/client.c
|
||||
index b7d8a98..e1acaf1 100644
|
||||
--- a/bin/named/client.c
|
||||
+++ b/bin/named/client.c
|
||||
@@ -243,7 +243,7 @@ static void ns_client_dumpmessage(ns_client_t *client, const char *reason);
|
||||
static isc_result_t get_client(ns_clientmgr_t *manager, ns_interface_t *ifp,
|
||||
dns_dispatch_t *disp, isc_boolean_t tcp);
|
||||
static isc_result_t get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp,
|
||||
- isc_socket_t *sock);
|
||||
+ isc_socket_t *sock, ns_client_t *oldclient);
|
||||
static inline isc_boolean_t
|
||||
allowed(isc_netaddr_t *addr, dns_name_t *signer, isc_netaddr_t *ecs_addr,
|
||||
isc_uint8_t ecs_addrlen, isc_uint8_t *ecs_scope, dns_acl_t *acl);
|
||||
@@ -295,6 +295,119 @@ ns_client_settimeout(ns_client_t *client, unsigned int seconds) {
|
||||
}
|
||||
}
|
||||
|
||||
+/*%
|
||||
+ * Allocate a reference-counted object that will maintain a single pointer to
|
||||
+ * the (also reference-counted) TCP client quota, shared between all the
|
||||
+ * clients processing queries on a single TCP connection, so that all
|
||||
+ * clients sharing the one socket will together consume only one slot in
|
||||
+ * the 'tcp-clients' quota.
|
||||
+ */
|
||||
+static isc_result_t
|
||||
+tcpconn_init(ns_client_t *client, isc_boolean_t force) {
|
||||
+ isc_result_t result;
|
||||
+ isc_quota_t *quota = NULL;
|
||||
+ ns_tcpconn_t *tconn = NULL;
|
||||
+
|
||||
+ REQUIRE(client->tcpconn == NULL);
|
||||
+
|
||||
+ /*
|
||||
+ * Try to attach to the quota first, so we won't pointlessly
|
||||
+ * allocate memory for a tcpconn object if we can't get one.
|
||||
+ */
|
||||
+ if (force) {
|
||||
+ result = isc_quota_force(&ns_g_server->tcpquota, "a);
|
||||
+ } else {
|
||||
+ result = isc_quota_attach(&ns_g_server->tcpquota, "a);
|
||||
+ }
|
||||
+ if (result != ISC_R_SUCCESS) {
|
||||
+ return (result);
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
+ * A global memory context is used for the allocation as different
|
||||
+ * client structures may have different memory contexts assigned and a
|
||||
+ * reference counter allocated here might need to be freed by a
|
||||
+ * different client. The performance impact caused by memory context
|
||||
+ * contention here is expected to be negligible, given that this code
|
||||
+ * is only executed for TCP connections.
|
||||
+ */
|
||||
+ tconn = isc_mem_allocate(ns_g_mctx, sizeof(*tconn));
|
||||
+
|
||||
+ isc_refcount_init(&tconn->refs, 1);
|
||||
+ tconn->tcpquota = quota;
|
||||
+ quota = NULL;
|
||||
+ tconn->pipelined = ISC_FALSE;
|
||||
+
|
||||
+ client->tcpconn = tconn;
|
||||
+
|
||||
+ return (ISC_R_SUCCESS);
|
||||
+}
|
||||
+
|
||||
+/*%
|
||||
+ * Increase the count of client structures sharing the TCP connection
|
||||
+ * that 'source' is associated with; add a pointer to the same tcpconn
|
||||
+ * to 'target', thus associating it with the same TCP connection.
|
||||
+ */
|
||||
+static void
|
||||
+tcpconn_attach(ns_client_t *source, ns_client_t *target) {
|
||||
+ int refs;
|
||||
+
|
||||
+ REQUIRE(source->tcpconn != NULL);
|
||||
+ REQUIRE(target->tcpconn == NULL);
|
||||
+ REQUIRE(source->tcpconn->pipelined);
|
||||
+
|
||||
+ isc_refcount_increment(&source->tcpconn->refs, &refs);
|
||||
+ INSIST(refs > 1);
|
||||
+ target->tcpconn = source->tcpconn;
|
||||
+}
|
||||
+
|
||||
+/*%
|
||||
+ * Decrease the count of client structures sharing the TCP connection that
|
||||
+ * 'client' is associated with. If this is the last client using this TCP
|
||||
+ * connection, we detach from the TCP quota and free the tcpconn
|
||||
+ * object. Either way, client->tcpconn is set to NULL.
|
||||
+ */
|
||||
+static void
|
||||
+tcpconn_detach(ns_client_t *client) {
|
||||
+ ns_tcpconn_t *tconn = NULL;
|
||||
+ int refs;
|
||||
+
|
||||
+ REQUIRE(client->tcpconn != NULL);
|
||||
+
|
||||
+ tconn = client->tcpconn;
|
||||
+ client->tcpconn = NULL;
|
||||
+
|
||||
+ isc_refcount_decrement(&tconn->refs, &refs);
|
||||
+ if (refs == 0) {
|
||||
+ isc_quota_detach(&tconn->tcpquota);
|
||||
+ isc_mem_free(ns_g_mctx, tconn);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+/*%
|
||||
+ * Mark a client as active and increment the interface's 'ntcpactive'
|
||||
+ * counter, as a signal that there is at least one client servicing
|
||||
+ * TCP queries for the interface. If we reach the TCP client quota at
|
||||
+ * some point, this will be used to determine whether a quota overrun
|
||||
+ * should be permitted.
|
||||
+ *
|
||||
+ * Marking the client active with the 'tcpactive' flag ensures proper
|
||||
+ * accounting, by preventing us from incrementing or decrementing
|
||||
+ * 'ntcpactive' more than once per client.
|
||||
+ */
|
||||
+static void
|
||||
+mark_tcp_active(ns_client_t *client, isc_boolean_t active) {
|
||||
+ if (active && !client->tcpactive) {
|
||||
+ isc_atomic_xadd(&client->interface->ntcpactive, 1);
|
||||
+ client->tcpactive = active;
|
||||
+ } else if (!active && client->tcpactive) {
|
||||
+ uint32_t old =
|
||||
+ isc_atomic_xadd(&client->interface->ntcpactive, -1);
|
||||
+ INSIST(old > 0);
|
||||
+ client->tcpactive = active;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
/*%
|
||||
* Check for a deactivation or shutdown request and take appropriate
|
||||
* action. Returns ISC_TRUE if either is in progress; in this case
|
||||
@@ -384,7 +497,8 @@ exit_check(ns_client_t *client) {
|
||||
INSIST(client->recursionquota == NULL);
|
||||
|
||||
if (NS_CLIENTSTATE_READING == client->newstate) {
|
||||
- if (!client->pipelined) {
|
||||
+ INSIST(client->tcpconn != NULL);
|
||||
+ if (!client->tcpconn->pipelined) {
|
||||
client_read(client);
|
||||
client->newstate = NS_CLIENTSTATE_MAX;
|
||||
return (ISC_TRUE); /* We're done. */
|
||||
@@ -402,10 +516,13 @@ exit_check(ns_client_t *client) {
|
||||
*/
|
||||
INSIST(client->recursionquota == NULL);
|
||||
INSIST(client->newstate <= NS_CLIENTSTATE_READY);
|
||||
- if (client->nreads > 0)
|
||||
+
|
||||
+ if (client->nreads > 0) {
|
||||
dns_tcpmsg_cancelread(&client->tcpmsg);
|
||||
- if (client->nreads != 0) {
|
||||
- /* Still waiting for read cancel completion. */
|
||||
+ }
|
||||
+
|
||||
+ /* Still waiting for read cancel completion. */
|
||||
+ if (client->nreads > 0) {
|
||||
return (ISC_TRUE);
|
||||
}
|
||||
|
||||
@@ -413,14 +530,49 @@ exit_check(ns_client_t *client) {
|
||||
dns_tcpmsg_invalidate(&client->tcpmsg);
|
||||
client->tcpmsg_valid = ISC_FALSE;
|
||||
}
|
||||
+
|
||||
+ /*
|
||||
+ * Soon the client will be ready to accept a new TCP
|
||||
+ * connection or UDP request, but we may have enough
|
||||
+ * clients doing that already. Check whether this client
|
||||
+ * needs to remain active and allow it go inactive if
|
||||
+ * not.
|
||||
+ *
|
||||
+ * UDP clients always go inactive at this point, but a TCP
|
||||
+ * client may need to stay active and return to READY
|
||||
+ * state if no other clients are available to listen
|
||||
+ * for TCP requests on this interface.
|
||||
+ *
|
||||
+ * Regardless, if we're going to FREED state, that means
|
||||
+ * the system is shutting down and we don't need to
|
||||
+ * retain clients.
|
||||
+ */
|
||||
+ if (client->mortal && TCP_CLIENT(client) &&
|
||||
+ client->newstate != NS_CLIENTSTATE_FREED &&
|
||||
+ !ns_g_clienttest &&
|
||||
+ isc_atomic_xadd(&client->interface->ntcpaccepting, 0) == 0)
|
||||
+ {
|
||||
+ /* Nobody else is accepting */
|
||||
+ client->mortal = ISC_FALSE;
|
||||
+ client->newstate = NS_CLIENTSTATE_READY;
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
+ * Detach from TCP connection and TCP client quota,
|
||||
+ * if appropriate. If this is the last reference to
|
||||
+ * the TCP connection in our pipeline group, the
|
||||
+ * TCP quota slot will be released.
|
||||
+ */
|
||||
+ if (client->tcpconn) {
|
||||
+ tcpconn_detach(client);
|
||||
+ }
|
||||
+
|
||||
if (client->tcpsocket != NULL) {
|
||||
CTRACE("closetcp");
|
||||
isc_socket_detach(&client->tcpsocket);
|
||||
+ mark_tcp_active(client, ISC_FALSE);
|
||||
}
|
||||
|
||||
- if (client->tcpquota != NULL)
|
||||
- isc_quota_detach(&client->tcpquota);
|
||||
-
|
||||
if (client->timerset) {
|
||||
(void)isc_timer_reset(client->timer,
|
||||
isc_timertype_inactive,
|
||||
@@ -428,45 +580,26 @@ exit_check(ns_client_t *client) {
|
||||
client->timerset = ISC_FALSE;
|
||||
}
|
||||
|
||||
- client->pipelined = ISC_FALSE;
|
||||
-
|
||||
client->peeraddr_valid = ISC_FALSE;
|
||||
|
||||
client->state = NS_CLIENTSTATE_READY;
|
||||
- INSIST(client->recursionquota == NULL);
|
||||
-
|
||||
- /*
|
||||
- * Now the client is ready to accept a new TCP connection
|
||||
- * or UDP request, but we may have enough clients doing
|
||||
- * that already. Check whether this client needs to remain
|
||||
- * active and force it to go inactive if not.
|
||||
- *
|
||||
- * UDP clients go inactive at this point, but TCP clients
|
||||
- * may remain active if we have fewer active TCP client
|
||||
- * objects than desired due to an earlier quota exhaustion.
|
||||
- */
|
||||
- if (client->mortal && TCP_CLIENT(client) && !ns_g_clienttest) {
|
||||
- LOCK(&client->interface->lock);
|
||||
- if (client->interface->ntcpcurrent <
|
||||
- client->interface->ntcptarget)
|
||||
- client->mortal = ISC_FALSE;
|
||||
- UNLOCK(&client->interface->lock);
|
||||
- }
|
||||
|
||||
/*
|
||||
* We don't need the client; send it to the inactive
|
||||
* queue for recycling.
|
||||
*/
|
||||
if (client->mortal) {
|
||||
- if (client->newstate > NS_CLIENTSTATE_INACTIVE)
|
||||
+ if (client->newstate > NS_CLIENTSTATE_INACTIVE) {
|
||||
client->newstate = NS_CLIENTSTATE_INACTIVE;
|
||||
+ }
|
||||
}
|
||||
|
||||
if (NS_CLIENTSTATE_READY == client->newstate) {
|
||||
if (TCP_CLIENT(client)) {
|
||||
client_accept(client);
|
||||
- } else
|
||||
+ } else {
|
||||
client_udprecv(client);
|
||||
+ }
|
||||
client->newstate = NS_CLIENTSTATE_MAX;
|
||||
return (ISC_TRUE);
|
||||
}
|
||||
@@ -478,41 +611,51 @@ exit_check(ns_client_t *client) {
|
||||
/*
|
||||
* We are trying to enter the inactive state.
|
||||
*/
|
||||
- if (client->naccepts > 0)
|
||||
+ if (client->naccepts > 0) {
|
||||
isc_socket_cancel(client->tcplistener, client->task,
|
||||
ISC_SOCKCANCEL_ACCEPT);
|
||||
+ }
|
||||
|
||||
/* Still waiting for accept cancel completion. */
|
||||
- if (! (client->naccepts == 0))
|
||||
+ if (client->naccepts > 0) {
|
||||
return (ISC_TRUE);
|
||||
+ }
|
||||
|
||||
/* Accept cancel is complete. */
|
||||
- if (client->nrecvs > 0)
|
||||
+ if (client->nrecvs > 0) {
|
||||
isc_socket_cancel(client->udpsocket, client->task,
|
||||
ISC_SOCKCANCEL_RECV);
|
||||
+ }
|
||||
|
||||
/* Still waiting for recv cancel completion. */
|
||||
- if (! (client->nrecvs == 0))
|
||||
+ if (client->nrecvs > 0) {
|
||||
return (ISC_TRUE);
|
||||
+ }
|
||||
|
||||
/* Still waiting for control event to be delivered */
|
||||
- if (client->nctls > 0)
|
||||
+ if (client->nctls > 0) {
|
||||
return (ISC_TRUE);
|
||||
-
|
||||
- /* Deactivate the client. */
|
||||
- if (client->interface)
|
||||
- ns_interface_detach(&client->interface);
|
||||
+ }
|
||||
|
||||
INSIST(client->naccepts == 0);
|
||||
INSIST(client->recursionquota == NULL);
|
||||
- if (client->tcplistener != NULL)
|
||||
+ if (client->tcplistener != NULL) {
|
||||
isc_socket_detach(&client->tcplistener);
|
||||
+ mark_tcp_active(client, ISC_FALSE);
|
||||
+ }
|
||||
|
||||
- if (client->udpsocket != NULL)
|
||||
+ if (client->udpsocket != NULL) {
|
||||
isc_socket_detach(&client->udpsocket);
|
||||
+ }
|
||||
|
||||
- if (client->dispatch != NULL)
|
||||
+ /* Deactivate the client. */
|
||||
+ if (client->interface != NULL) {
|
||||
+ ns_interface_detach(&client->interface);
|
||||
+ }
|
||||
+
|
||||
+ if (client->dispatch != NULL) {
|
||||
dns_dispatch_detach(&client->dispatch);
|
||||
+ }
|
||||
|
||||
client->attributes = 0;
|
||||
client->mortal = ISC_FALSE;
|
||||
@@ -537,10 +680,13 @@ exit_check(ns_client_t *client) {
|
||||
client->newstate = NS_CLIENTSTATE_MAX;
|
||||
if (!ns_g_clienttest && manager != NULL &&
|
||||
!manager->exiting)
|
||||
+ {
|
||||
ISC_QUEUE_PUSH(manager->inactive, client,
|
||||
ilink);
|
||||
- if (client->needshutdown)
|
||||
+ }
|
||||
+ if (client->needshutdown) {
|
||||
isc_task_shutdown(client->task);
|
||||
+ }
|
||||
return (ISC_TRUE);
|
||||
}
|
||||
}
|
||||
@@ -650,7 +796,7 @@ client_start(isc_task_t *task, isc_event_t *event) {
|
||||
return;
|
||||
|
||||
if (TCP_CLIENT(client)) {
|
||||
- if (client->pipelined) {
|
||||
+ if (client->tcpconn != NULL) {
|
||||
client_read(client);
|
||||
} else {
|
||||
client_accept(client);
|
||||
@@ -660,7 +806,6 @@ client_start(isc_task_t *task, isc_event_t *event) {
|
||||
}
|
||||
}
|
||||
|
||||
-
|
||||
/*%
|
||||
* The client's task has received a shutdown event.
|
||||
*/
|
||||
@@ -2301,6 +2446,7 @@ client_request(isc_task_t *task, isc_event_t *event) {
|
||||
client->nrecvs--;
|
||||
} else {
|
||||
INSIST(TCP_CLIENT(client));
|
||||
+ INSIST(client->tcpconn != NULL);
|
||||
REQUIRE(event->ev_type == DNS_EVENT_TCPMSG);
|
||||
REQUIRE(event->ev_sender == &client->tcpmsg);
|
||||
buffer = &client->tcpmsg.buffer;
|
||||
@@ -2484,18 +2630,27 @@ client_request(isc_task_t *task, isc_event_t *event) {
|
||||
/*
|
||||
* Pipeline TCP query processing.
|
||||
*/
|
||||
- if (client->message->opcode != dns_opcode_query)
|
||||
- client->pipelined = ISC_FALSE;
|
||||
- if (TCP_CLIENT(client) && client->pipelined) {
|
||||
- result = isc_quota_reserve(&ns_g_server->tcpquota);
|
||||
- if (result == ISC_R_SUCCESS)
|
||||
- result = ns_client_replace(client);
|
||||
+ if (TCP_CLIENT(client) &&
|
||||
+ client->message->opcode != dns_opcode_query)
|
||||
+ {
|
||||
+ client->tcpconn->pipelined = ISC_FALSE;
|
||||
+ }
|
||||
+ if (TCP_CLIENT(client) && client->tcpconn->pipelined) {
|
||||
+ /*
|
||||
+ * We're pipelining. Replace the client; the
|
||||
+ * replacement can read the TCP socket looking
|
||||
+ * for new messages and this one can process the
|
||||
+ * current message asynchronously.
|
||||
+ *
|
||||
+ * There will now be at least three clients using this
|
||||
+ * TCP socket - one accepting new connections,
|
||||
+ * one reading an existing connection to get new
|
||||
+ * messages, and one answering the message already
|
||||
+ * received.
|
||||
+ */
|
||||
+ result = ns_client_replace(client);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
- ns_client_log(client, NS_LOGCATEGORY_CLIENT,
|
||||
- NS_LOGMODULE_CLIENT, ISC_LOG_WARNING,
|
||||
- "no more TCP clients(read): %s",
|
||||
- isc_result_totext(result));
|
||||
- client->pipelined = ISC_FALSE;
|
||||
+ client->tcpconn->pipelined = ISC_FALSE;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -3051,8 +3206,7 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) {
|
||||
client->signer = NULL;
|
||||
dns_name_init(&client->signername, NULL);
|
||||
client->mortal = ISC_FALSE;
|
||||
- client->pipelined = ISC_FALSE;
|
||||
- client->tcpquota = NULL;
|
||||
+ client->tcpconn = NULL;
|
||||
client->recursionquota = NULL;
|
||||
client->interface = NULL;
|
||||
client->peeraddr_valid = ISC_FALSE;
|
||||
@@ -3062,6 +3216,7 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) {
|
||||
client->filter_aaaa = dns_aaaa_ok;
|
||||
#endif
|
||||
client->needshutdown = ns_g_clienttest;
|
||||
+ client->tcpactive = ISC_FALSE;
|
||||
|
||||
ISC_EVENT_INIT(&client->ctlevent, sizeof(client->ctlevent), 0, NULL,
|
||||
NS_EVENT_CLIENTCONTROL, client_start, client, client,
|
||||
@@ -3156,9 +3311,10 @@ client_read(ns_client_t *client) {
|
||||
|
||||
static void
|
||||
client_newconn(isc_task_t *task, isc_event_t *event) {
|
||||
+ isc_result_t result;
|
||||
ns_client_t *client = event->ev_arg;
|
||||
isc_socket_newconnev_t *nevent = (isc_socket_newconnev_t *)event;
|
||||
- isc_result_t result;
|
||||
+ uint32_t old;
|
||||
|
||||
REQUIRE(event->ev_type == ISC_SOCKEVENT_NEWCONN);
|
||||
REQUIRE(NS_CLIENT_VALID(client));
|
||||
@@ -3168,13 +3324,18 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
|
||||
|
||||
INSIST(client->state == NS_CLIENTSTATE_READY);
|
||||
|
||||
+ /*
|
||||
+ * The accept() was successful and we're now establishing a new
|
||||
+ * connection. We need to make note of it in the client and
|
||||
+ * interface objects so client objects can do the right thing
|
||||
+ * when going inactive in exit_check() (see comments in
|
||||
+ * client_accept() for details).
|
||||
+ */
|
||||
INSIST(client->naccepts == 1);
|
||||
client->naccepts--;
|
||||
|
||||
- LOCK(&client->interface->lock);
|
||||
- INSIST(client->interface->ntcpcurrent > 0);
|
||||
- client->interface->ntcpcurrent--;
|
||||
- UNLOCK(&client->interface->lock);
|
||||
+ old = isc_atomic_xadd(&client->interface->ntcpaccepting, -1);
|
||||
+ INSIST(old > 0);
|
||||
|
||||
/*
|
||||
* We must take ownership of the new socket before the exit
|
||||
@@ -3207,6 +3368,7 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
|
||||
NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
|
||||
"accept failed: %s",
|
||||
isc_result_totext(nevent->result));
|
||||
+ tcpconn_detach(client);
|
||||
}
|
||||
|
||||
if (exit_check(client))
|
||||
@@ -3244,20 +3406,13 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
|
||||
* telnetting to port 53 (once per CPU) will
|
||||
* deny service to legitimate TCP clients.
|
||||
*/
|
||||
- client->pipelined = ISC_FALSE;
|
||||
- result = isc_quota_attach(&ns_g_server->tcpquota,
|
||||
- &client->tcpquota);
|
||||
- if (result == ISC_R_SUCCESS)
|
||||
- result = ns_client_replace(client);
|
||||
- if (result != ISC_R_SUCCESS) {
|
||||
- ns_client_log(client, NS_LOGCATEGORY_CLIENT,
|
||||
- NS_LOGMODULE_CLIENT, ISC_LOG_WARNING,
|
||||
- "no more TCP clients(accept): %s",
|
||||
- isc_result_totext(result));
|
||||
- } else if (ns_g_server->keepresporder == NULL ||
|
||||
- !allowed(&netaddr, NULL, NULL, 0, NULL,
|
||||
- ns_g_server->keepresporder)) {
|
||||
- client->pipelined = ISC_TRUE;
|
||||
+ result = ns_client_replace(client);
|
||||
+ if (result == ISC_R_SUCCESS &&
|
||||
+ (ns_g_server->keepresporder == NULL ||
|
||||
+ !allowed(&netaddr, NULL, NULL, 0, NULL,
|
||||
+ ns_g_server->keepresporder)))
|
||||
+ {
|
||||
+ client->tcpconn->pipelined = ISC_TRUE;
|
||||
}
|
||||
|
||||
client_read(client);
|
||||
@@ -3273,12 +3428,66 @@ client_accept(ns_client_t *client) {
|
||||
|
||||
CTRACE("accept");
|
||||
|
||||
+ /*
|
||||
+ * Set up a new TCP connection. This means try to attach to the
|
||||
+ * TCP client quota (tcp-clients), but fail if we're over quota.
|
||||
+ */
|
||||
+ result = tcpconn_init(client, ISC_FALSE);
|
||||
+ if (result != ISC_R_SUCCESS) {
|
||||
+ isc_boolean_t exit;
|
||||
+
|
||||
+ ns_client_log(client, NS_LOGCATEGORY_CLIENT,
|
||||
+ NS_LOGMODULE_CLIENT, ISC_LOG_WARNING,
|
||||
+ "TCP client quota reached: %s",
|
||||
+ isc_result_totext(result));
|
||||
+
|
||||
+ /*
|
||||
+ * We have exceeded the system-wide TCP client quota. But,
|
||||
+ * we can't just block this accept in all cases, because if
|
||||
+ * we did, a heavy TCP load on other interfaces might cause
|
||||
+ * this interface to be starved, with no clients able to
|
||||
+ * accept new connections.
|
||||
+ *
|
||||
+ * So, we check here to see if any other clients are
|
||||
+ * already servicing TCP queries on this interface (whether
|
||||
+ * accepting, reading, or processing). If we find that at
|
||||
+ * least one client other than this one is active, then
|
||||
+ * it's okay *not* to call accept - we can let this
|
||||
+ * client go inactive and another will take over when it's
|
||||
+ * done.
|
||||
+ *
|
||||
+ * If there aren't enough active clients on the interface,
|
||||
+ * then we can be a little bit flexible about the quota.
|
||||
+ * We'll allow *one* extra client through to ensure we're
|
||||
+ * listening on every interface; we do this by setting the
|
||||
+ * 'force' option to tcpconn_init().
|
||||
+ *
|
||||
+ * (Note: In practice this means that the real TCP client
|
||||
+ * quota is tcp-clients plus the number of listening
|
||||
+ * interfaces plus 1.)
|
||||
+ */
|
||||
+ exit = (isc_atomic_xadd(&client->interface->ntcpactive, 0) >
|
||||
+ (client->tcpactive ? 1 : 0));
|
||||
+ if (exit) {
|
||||
+ client->newstate = NS_CLIENTSTATE_INACTIVE;
|
||||
+ (void)exit_check(client);
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ result = tcpconn_init(client, ISC_TRUE);
|
||||
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
+ * If this client was set up using get_client() or get_worker(),
|
||||
+ * then TCP is already marked active. However, if it was restarted
|
||||
+ * from exit_check(), it might not be, so we take care of it now.
|
||||
+ */
|
||||
+ mark_tcp_active(client, ISC_TRUE);
|
||||
+
|
||||
result = isc_socket_accept(client->tcplistener, client->task,
|
||||
client_newconn, client);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
- UNEXPECTED_ERROR(__FILE__, __LINE__,
|
||||
- "isc_socket_accept() failed: %s",
|
||||
- isc_result_totext(result));
|
||||
/*
|
||||
* XXXRTH What should we do? We're trying to accept but
|
||||
* it didn't work. If we just give up, then TCP
|
||||
@@ -3286,13 +3495,37 @@ client_accept(ns_client_t *client) {
|
||||
*
|
||||
* For now, we just go idle.
|
||||
*/
|
||||
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
|
||||
+ "isc_socket_accept() failed: %s",
|
||||
+ isc_result_totext(result));
|
||||
+
|
||||
+ tcpconn_detach(client);
|
||||
+ mark_tcp_active(client, ISC_FALSE);
|
||||
return;
|
||||
}
|
||||
+
|
||||
+ /*
|
||||
+ * The client's 'naccepts' counter indicates that this client has
|
||||
+ * called accept() and is waiting for a new connection. It should
|
||||
+ * never exceed 1.
|
||||
+ */
|
||||
INSIST(client->naccepts == 0);
|
||||
client->naccepts++;
|
||||
- LOCK(&client->interface->lock);
|
||||
- client->interface->ntcpcurrent++;
|
||||
- UNLOCK(&client->interface->lock);
|
||||
+
|
||||
+ /*
|
||||
+ * The interface's 'ntcpaccepting' counter is incremented when
|
||||
+ * any client calls accept(), and decremented in client_newconn()
|
||||
+ * once the connection is established.
|
||||
+ *
|
||||
+ * When the client object is shutting down after handling a TCP
|
||||
+ * request (see exit_check()), if this value is at least one, that
|
||||
+ * means another client has called accept() and is waiting to
|
||||
+ * establish the next connection. That means the client may be
|
||||
+ * be free to become inactive; otherwise it may need to start
|
||||
+ * listening for connections itself to prevent the interface
|
||||
+ * going dead.
|
||||
+ */
|
||||
+ isc_atomic_xadd(&client->interface->ntcpaccepting, 1);
|
||||
}
|
||||
|
||||
static void
|
||||
@@ -3363,15 +3596,17 @@ ns_client_replace(ns_client_t *client) {
|
||||
REQUIRE(client->manager != NULL);
|
||||
|
||||
tcp = TCP_CLIENT(client);
|
||||
- if (tcp && client->pipelined) {
|
||||
+ if (tcp && client->tcpconn != NULL && client->tcpconn->pipelined) {
|
||||
result = get_worker(client->manager, client->interface,
|
||||
- client->tcpsocket);
|
||||
+ client->tcpsocket, client);
|
||||
} else {
|
||||
result = get_client(client->manager, client->interface,
|
||||
client->dispatch, tcp);
|
||||
+
|
||||
}
|
||||
- if (result != ISC_R_SUCCESS)
|
||||
+ if (result != ISC_R_SUCCESS) {
|
||||
return (result);
|
||||
+ }
|
||||
|
||||
/*
|
||||
* The responsibility for listening for new requests is hereby
|
||||
@@ -3557,9 +3792,12 @@ get_client(ns_clientmgr_t *manager, ns_interface_t *ifp,
|
||||
client->dscp = ifp->dscp;
|
||||
|
||||
if (tcp) {
|
||||
+ mark_tcp_active(client, ISC_TRUE);
|
||||
+
|
||||
client->attributes |= NS_CLIENTATTR_TCP;
|
||||
isc_socket_attach(ifp->tcpsocket,
|
||||
&client->tcplistener);
|
||||
+
|
||||
} else {
|
||||
isc_socket_t *sock;
|
||||
|
||||
@@ -3577,7 +3815,8 @@ get_client(ns_clientmgr_t *manager, ns_interface_t *ifp,
|
||||
}
|
||||
|
||||
static isc_result_t
|
||||
-get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, isc_socket_t *sock)
|
||||
+get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, isc_socket_t *sock,
|
||||
+ ns_client_t *oldclient)
|
||||
{
|
||||
isc_result_t result = ISC_R_SUCCESS;
|
||||
isc_event_t *ev;
|
||||
@@ -3585,6 +3824,7 @@ get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, isc_socket_t *sock)
|
||||
MTRACE("get worker");
|
||||
|
||||
REQUIRE(manager != NULL);
|
||||
+ REQUIRE(oldclient != NULL);
|
||||
|
||||
if (manager->exiting)
|
||||
return (ISC_R_SHUTTINGDOWN);
|
||||
@@ -3617,14 +3857,15 @@ get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, isc_socket_t *sock)
|
||||
ns_interface_attach(ifp, &client->interface);
|
||||
client->newstate = client->state = NS_CLIENTSTATE_WORKING;
|
||||
INSIST(client->recursionquota == NULL);
|
||||
- client->tcpquota = &ns_g_server->tcpquota;
|
||||
|
||||
client->dscp = ifp->dscp;
|
||||
|
||||
client->attributes |= NS_CLIENTATTR_TCP;
|
||||
- client->pipelined = ISC_TRUE;
|
||||
client->mortal = ISC_TRUE;
|
||||
|
||||
+ tcpconn_attach(oldclient, client);
|
||||
+ mark_tcp_active(client, ISC_TRUE);
|
||||
+
|
||||
isc_socket_attach(ifp->tcpsocket, &client->tcplistener);
|
||||
isc_socket_attach(sock, &client->tcpsocket);
|
||||
isc_socket_setname(client->tcpsocket, "worker-tcp", NULL);
|
||||
diff --git a/bin/named/include/named/client.h b/bin/named/include/named/client.h
|
||||
index 262b906..0f54d22 100644
|
||||
--- a/bin/named/include/named/client.h
|
||||
+++ b/bin/named/include/named/client.h
|
||||
@@ -9,8 +9,6 @@
|
||||
* information regarding copyright ownership.
|
||||
*/
|
||||
|
||||
-/* $Id: client.h,v 1.96 2012/01/31 23:47:31 tbox Exp $ */
|
||||
-
|
||||
#ifndef NAMED_CLIENT_H
|
||||
#define NAMED_CLIENT_H 1
|
||||
|
||||
@@ -77,6 +75,13 @@
|
||||
*** Types
|
||||
***/
|
||||
|
||||
+/*% reference-counted TCP connection object */
|
||||
+typedef struct ns_tcpconn {
|
||||
+ isc_refcount_t refs;
|
||||
+ isc_quota_t *tcpquota;
|
||||
+ isc_boolean_t pipelined;
|
||||
+} ns_tcpconn_t;
|
||||
+
|
||||
/*% nameserver client structure */
|
||||
struct ns_client {
|
||||
unsigned int magic;
|
||||
@@ -91,6 +96,7 @@ struct ns_client {
|
||||
int nupdates;
|
||||
int nctls;
|
||||
int references;
|
||||
+ isc_boolean_t tcpactive;
|
||||
isc_boolean_t needshutdown; /*
|
||||
* Used by clienttest to get
|
||||
* the client to go from
|
||||
@@ -129,8 +135,7 @@ struct ns_client {
|
||||
dns_name_t signername; /*%< [T]SIG key name */
|
||||
dns_name_t * signer; /*%< NULL if not valid sig */
|
||||
isc_boolean_t mortal; /*%< Die after handling request */
|
||||
- isc_boolean_t pipelined; /*%< TCP queries not in sequence */
|
||||
- isc_quota_t *tcpquota;
|
||||
+ ns_tcpconn_t *tcpconn;
|
||||
isc_quota_t *recursionquota;
|
||||
ns_interface_t *interface;
|
||||
|
||||
diff --git a/bin/named/include/named/interfacemgr.h b/bin/named/include/named/interfacemgr.h
|
||||
index 36870f3..d9ac90f 100644
|
||||
--- a/bin/named/include/named/interfacemgr.h
|
||||
+++ b/bin/named/include/named/interfacemgr.h
|
||||
@@ -9,8 +9,6 @@
|
||||
* information regarding copyright ownership.
|
||||
*/
|
||||
|
||||
-/* $Id: interfacemgr.h,v 1.35 2011/07/28 23:47:58 tbox Exp $ */
|
||||
-
|
||||
#ifndef NAMED_INTERFACEMGR_H
|
||||
#define NAMED_INTERFACEMGR_H 1
|
||||
|
||||
@@ -75,9 +73,14 @@ struct ns_interface {
|
||||
/*%< UDP dispatchers. */
|
||||
isc_socket_t * tcpsocket; /*%< TCP socket. */
|
||||
isc_dscp_t dscp; /*%< "listen-on" DSCP value */
|
||||
- int ntcptarget; /*%< Desired number of concurrent
|
||||
- TCP accepts */
|
||||
- int ntcpcurrent; /*%< Current ditto, locked */
|
||||
+ int32_t ntcpaccepting; /*%< Number of clients
|
||||
+ ready to accept new
|
||||
+ TCP connections on this
|
||||
+ interface */
|
||||
+ int32_t ntcpactive; /*%< Number of clients
|
||||
+ servicing TCP queries
|
||||
+ (whether accepting or
|
||||
+ connected) */
|
||||
int nudpdispatch; /*%< Number of UDP dispatches */
|
||||
ns_clientmgr_t * clientmgr; /*%< Client manager. */
|
||||
ISC_LINK(ns_interface_t) link;
|
||||
diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c
|
||||
index d8c7188..96c080b 100644
|
||||
--- a/bin/named/interfacemgr.c
|
||||
+++ b/bin/named/interfacemgr.c
|
||||
@@ -384,8 +384,9 @@ ns_interface_create(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr,
|
||||
* connections will be handled in parallel even though there is
|
||||
* only one client initially.
|
||||
*/
|
||||
- ifp->ntcptarget = 1;
|
||||
- ifp->ntcpcurrent = 0;
|
||||
+ ifp->ntcpaccepting = 0;
|
||||
+ ifp->ntcpactive = 0;
|
||||
+
|
||||
ifp->nudpdispatch = 0;
|
||||
|
||||
ifp->dscp = -1;
|
||||
@@ -520,9 +521,7 @@ ns_interface_accepttcp(ns_interface_t *ifp) {
|
||||
*/
|
||||
(void)isc_socket_filter(ifp->tcpsocket, "dataready");
|
||||
|
||||
- result = ns_clientmgr_createclients(ifp->clientmgr,
|
||||
- ifp->ntcptarget, ifp,
|
||||
- ISC_TRUE);
|
||||
+ result = ns_clientmgr_createclients(ifp->clientmgr, 1, ifp, ISC_TRUE);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
UNEXPECTED_ERROR(__FILE__, __LINE__,
|
||||
"TCP ns_clientmgr_createclients(): %s",
|
||||
diff --git a/lib/isc/include/isc/quota.h b/lib/isc/include/isc/quota.h
|
||||
index b9bf598..36c5830 100644
|
||||
--- a/lib/isc/include/isc/quota.h
|
||||
+++ b/lib/isc/include/isc/quota.h
|
||||
@@ -100,6 +100,13 @@ isc_quota_attach(isc_quota_t *quota, isc_quota_t **p);
|
||||
* quota if successful (ISC_R_SUCCESS or ISC_R_SOFTQUOTA).
|
||||
*/
|
||||
|
||||
+isc_result_t
|
||||
+isc_quota_force(isc_quota_t *quota, isc_quota_t **p);
|
||||
+/*%<
|
||||
+ * Like isc_quota_attach, but will attach '*p' to the quota
|
||||
+ * even if the hard quota has been exceeded.
|
||||
+ */
|
||||
+
|
||||
void
|
||||
isc_quota_detach(isc_quota_t **p);
|
||||
/*%<
|
||||
diff --git a/lib/isc/quota.c b/lib/isc/quota.c
|
||||
index 3ddff0d..20976a4 100644
|
||||
--- a/lib/isc/quota.c
|
||||
+++ b/lib/isc/quota.c
|
||||
@@ -74,20 +74,39 @@ isc_quota_release(isc_quota_t *quota) {
|
||||
UNLOCK("a->lock);
|
||||
}
|
||||
|
||||
-isc_result_t
|
||||
-isc_quota_attach(isc_quota_t *quota, isc_quota_t **p)
|
||||
-{
|
||||
+static isc_result_t
|
||||
+doattach(isc_quota_t *quota, isc_quota_t **p, isc_boolean_t force) {
|
||||
isc_result_t result;
|
||||
- INSIST(p != NULL && *p == NULL);
|
||||
+ REQUIRE(p != NULL && *p == NULL);
|
||||
+
|
||||
result = isc_quota_reserve(quota);
|
||||
- if (result == ISC_R_SUCCESS || result == ISC_R_SOFTQUOTA)
|
||||
+ if (result == ISC_R_SUCCESS || result == ISC_R_SOFTQUOTA) {
|
||||
+ *p = quota;
|
||||
+ } else if (result == ISC_R_QUOTA && force) {
|
||||
+ /* attach anyway */
|
||||
+ LOCK("a->lock);
|
||||
+ quota->used++;
|
||||
+ UNLOCK("a->lock);
|
||||
+
|
||||
*p = quota;
|
||||
+ result = ISC_R_SUCCESS;
|
||||
+ }
|
||||
+
|
||||
return (result);
|
||||
}
|
||||
|
||||
+isc_result_t
|
||||
+isc_quota_attach(isc_quota_t *quota, isc_quota_t **p) {
|
||||
+ return (doattach(quota, p, ISC_FALSE));
|
||||
+}
|
||||
+
|
||||
+isc_result_t
|
||||
+isc_quota_force(isc_quota_t *quota, isc_quota_t **p) {
|
||||
+ return (doattach(quota, p, ISC_TRUE));
|
||||
+}
|
||||
+
|
||||
void
|
||||
-isc_quota_detach(isc_quota_t **p)
|
||||
-{
|
||||
+isc_quota_detach(isc_quota_t **p) {
|
||||
INSIST(p != NULL && *p != NULL);
|
||||
isc_quota_release(*p);
|
||||
*p = NULL;
|
||||
--
|
||||
2.20.1
|
||||
|
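--- /dev/null
+++ b/SOURCES/bind-9.11-CVE-2018-5744-test.patch
@@ -0,0 +1,44 @@
+From 4b9bfa5c8cae6f81e94af0f582bf9686320144db Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Mon, 10 Dec 2018 13:33:54 +1100
+Subject: [PATCH] check that multiple KEY-TAG trust-anchor-telemetry options
+don't leak memory
+
+(cherry picked from commit 4b1dc4a5445e9561f2208f9388cf9f9e2cfcbe51)
+(cherry picked from commit f545e9dff1f0eadcdea5531ef7062324d232c716)
+(cherry picked from commit 2bda5ac2e1635ac10a595c4ff155516ded7abec2)
+---
+bin/tests/system/dnssec/tests.sh | 13 ++++++++++++-
+1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
+index 3156668..b1907c7 100644
+--- a/bin/tests/system/dnssec/tests.sh
++++ b/bin/tests/system/dnssec/tests.sh
+@@ -3508,11 +3508,22 @@ status=`expr $status + $ret`
+
+echo_i "check that KEY-TAG trust-anchor-telemetry queries are logged ($n)"
+ret=0
+-$DIG $DIGOPTS . dnskey +ednsopt=KEY-TAG:ffff @10.53.0.1 > dig.out.ns4.test$n || ret=1
++$DIG $DIGOPTS . dnskey +ednsopt=KEY-TAG:ffff @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep "trust-anchor-telemetry './IN' from .* 65535" ns1/named.run > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
++echo_i "check that multiple KEY-TAG trust-anchor-telemetry options don't leak memory ($n)"
++ret=0
++$DIG $DIGOPTS . dnskey +ednsopt=KEY-TAG:fffe +ednsopt=KEY-TAG:fffd @10.53.0.1 > dig.out.ns1.test$n || ret=1
++grep "trust-anchor-telemetry './IN' from .* 65534" ns1/named.run > /dev/null || ret=1
++grep "trust-anchor-telemetry './IN' from .* 65533" ns1/named.run > /dev/null && ret=1
++(cd "$SYSTEMTESTTOP" && $PERL ./stop.pl dnssec ns1) || ret=1
++(cd "$SYSTEMTESTTOP" && $PERL ./start.pl --noclean --restart --port ${PORT} dnssec ns1) || ret=1
++n=`expr $n + 1`
++test "$ret" -eq 0 || echo_i "failed"
++status=`expr $status + $ret`
++
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
+--
+2.20.1
+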
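Review bot: The leak this test is named for is never measured directly — `ret` is only set by the two greps and the stop/start exit codes, so the check pins the "only the first KEY-TAG option is logged" behaviour and relies on the ns1 restart to surface a leak (presumably through named's exit-time memory accounting, which is not visible here). A one-line comment above the restart would make that dependency explicit: `# restart ns1 so a leaked option buffer is reported when named shuts down`. The `test "$ret" -eq 0 || echo_i "failed"` form also differs from the `if [ $ret != 0 ]; then echo_i "failed"; fi` used by the neighbouring checks; keeping one form keeps the script greppable.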
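--- /dev/null
+++ b/SOURCES/bind-9.11-CVE-2018-5744.patch
@@ -0,0 +1,31 @@
+From a4e1db793d4971d87631276ea57808074ed2c1c7 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Thu, 21 Feb 2019 17:23:53 +0100
+Subject: [PATCH 1/3] Fix CVE-2018-5744
+
+5110. [security] Named leaked memory if there were multiple Key Tag
+EDNS options present. (CVE-2018-5744) [GL #772]
+---
+bin/named/client.c | 6 ++++++
+1 file changed, 6 insertions(+)
+
+diff --git a/bin/named/client.c b/bin/named/client.c
+index b9ebc93..b7d8a98 100644
+--- a/bin/named/client.c
++++ b/bin/named/client.c
+@@ -2112,6 +2112,12 @@ process_keytag(ns_client_t *client, isc_buffer_t *buf, size_t optlen) {
+return (DNS_R_OPTERR);
+}
+
++ /* Silently drop additional keytag options. */
++ if (client->keytag != NULL) {
++ isc_buffer_forward(buf, (unsigned int)optlen);
++ return (ISC_R_SUCCESS);
++ }
++
+client->keytag = isc_mem_get(client->mctx, optlen);
+if (client->keytag != NULL) {
+client->keytag_len = (isc_uint16_t)optlen;
+--
+2.20.1
+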
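Review bot: The new guard drops a second KEY-TAG option silently and its comment does not say why that matters, so a later maintainer could "improve" it by overwriting the earlier value and reintroduce the leak. I would spell it out: `/* Keep only the first KEY-TAG option: client->keytag is already allocated, and allocating again here leaked the earlier buffer (CVE-2018-5744). */`. Consider also logging the duplicate at ISC_LOG_DEBUG level, since a client sending several KEY-TAG options is unusual and otherwise leaves no trace for operators. process_keytag()'s body starts and ends outside the hunk, so where `client->keytag` is released between requests is not visible here.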
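--- /dev/null
+++ b/SOURCES/bind-9.11-CVE-2019-6471.patch
@@ -0,0 +1,48 @@
+From 66c074b707318005d50f14910678ba451877a7a6 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Wed, 19 Jun 2019 12:28:08 +0200
+Subject: [PATCH] Fix CVE-2019-6471
+
+5244. [security] Fixed a race condition in dns_dispatch_getnext()
+that could cause an assertion failure if a
+significant number of incoming packets were
+rejected. (CVE-2019-6471) [GL #942]
+---
+lib/dns/dispatch.c | 10 +++++++---
+1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/lib/dns/dispatch.c b/lib/dns/dispatch.c
+index 321459ebcb..ae5c9c0fc7 100644
+--- a/lib/dns/dispatch.c
++++ b/lib/dns/dispatch.c
+@@ -3419,13 +3419,14 @@ dns_dispatch_getnext(dns_dispentry_t *resp, dns_dispatchevent_t **sockevent) {
+disp = resp->disp;
+REQUIRE(VALID_DISPATCH(disp));
+
+- REQUIRE(resp->item_out == ISC_TRUE);
+- resp->item_out = ISC_FALSE;
+-
+ev = *sockevent;
+*sockevent = NULL;
+
+LOCK(&disp->lock);
++
++ REQUIRE(resp->item_out == ISC_TRUE);
++ resp->item_out = ISC_FALSE;
++
+if (ev->buffer.base != NULL)
+free_buffer(disp, ev->buffer.base, ev->buffer.length);
+free_devent(disp, ev);
+@@ -3570,6 +3571,9 @@ dns_dispatch_removeresponse(dns_dispentry_t **resp,
+isc_task_send(disp->task[0], &disp->ctlevent);
+}
+
++/*
++ * disp must be locked.
++ */
+static void
+do_cancel(dns_dispatch_t *disp) {
+dns_dispatchevent_t *ev;
+--
+2.20.1
+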
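Review bot: The moved `REQUIRE(resp->item_out == ISC_TRUE)` now fires while `disp->lock` is held, which is fine for an abort-style assertion, but the hunk does not say what the lock protects the flag from; a comment at the new location would make the fix self-explanatory, e.g. `/* item_out is also updated on the cancel path under disp->lock; test it only after taking the lock (CVE-2019-6471). */` — the cancel path is outside this hunk, so that wording should be checked against do_cancel() before committing to it. The new `disp must be locked.` comment on do_cancel() is welcome, though `Caller must hold disp->lock.` names the lock rather than the object and matches how LOCK(&disp->lock) is written. Both dns_dispatch_getnext() and do_cancel() continue outside the hunk.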
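--- /dev/null
+++ b/SOURCES/bind-9.11-export-isc-config.patch
@@ -0,0 +1,35 @@
+diff --git a/export-libs/Makefile b/export-libs/Makefile
+index df15ea8..13f416b 100644
+--- a/export-libs/Makefile
++++ b/export-libs/Makefile
+@@ -404,20 +404,18 @@ installdirs:
+$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1
+
+install:: isc-config.sh installdirs
+- ${INSTALL_SCRIPT} isc-config.sh ${DESTDIR}${bindir}
+- rm -f ${DESTDIR}${bindir}/bind9-config
+- ln ${DESTDIR}${bindir}/isc-config.sh ${DESTDIR}${bindir}/bind9-config
+- ${INSTALL_DATA} ${top_srcdir}/isc-config.sh.1 ${DESTDIR}${mandir}/man1
+- rm -f ${DESTDIR}${mandir}/man1/bind9-config.1
+- ln ${DESTDIR}${mandir}/man1/isc-config.sh.1 ${DESTDIR}${mandir}/man1/bind9-config.1
+- ${INSTALL_DATA} ${top_srcdir}/bind.keys ${DESTDIR}${sysconfdir}
++ ${INSTALL_SCRIPT} isc-config.sh ${DESTDIR}${bindir}/isc-export-config.sh
++ rm -f ${DESTDIR}${bindir}/bind9-export-config
++ ln ${DESTDIR}${bindir}/isc-export-config.sh ${DESTDIR}${bindir}/bind9-export-config
++ ${INSTALL_DATA} ${top_srcdir}/isc-config.sh.1 ${DESTDIR}${mandir}/man1/isc-export-config.sh.1
++ rm -f ${DESTDIR}${mandir}/man1/bind9-export-config.1
++ ln ${DESTDIR}${mandir}/man1/isc-export-config.sh.1 ${DESTDIR}${mandir}/man1/bind9-export-config.1
+
+uninstall::
+- rm -f ${DESTDIR}${sysconfdir}/bind.keys
+- rm -f ${DESTDIR}${mandir}/man1/bind9-config.1
+- rm -f ${DESTDIR}${mandir}/man1/isc-config.sh.1
+- rm -f ${DESTDIR}${bindir}/bind9-config
+- rm -f ${DESTDIR}${bindir}/isc-config.sh
++ rm -f ${DESTDIR}${mandir}/man1/bind9-export-config.1
++ rm -f ${DESTDIR}${mandir}/man1/isc-export-config.sh.1
++ rm -f ${DESTDIR}${bindir}/bind9-export-config
++ rm -f ${DESTDIR}${bindir}/isc-export-config.sh
+
+tags:
+rm -f TAGS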
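--- /dev/null
+++ b/SOURCES/bind-9.11-export-suffix.patch
@@ -0,0 +1,39 @@
+diff --git a/configure.in b/configure.in
+index e6cd6a4..988b0a7 100644
+--- a/configure.in
++++ b/configure.in
+@@ -5116,6 +5116,8 @@ AC_SUBST(BUILD_CPPFLAGS)
+AC_SUBST(BUILD_LDFLAGS)
+AC_SUBST(BUILD_LIBS)
+
++AC_SUBST(LIBDIR_SUFFIX)
++
+#
+# Commands to run at the end of config.status.
+# Don't just put these into configure, it won't work right if somebody
+diff --git a/isc-config.sh.in b/isc-config.sh.in
+index 110191a..5a64004 100644
+--- a/isc-config.sh.in
++++ b/isc-config.sh.in
+@@ -12,16 +12,17 @@ prefix=@prefix@
+exec_prefix=@exec_prefix@
+exec_prefix_set=
+includedir=@includedir@
++libdir_suffix=@LIBDIR_SUFFIX@
+arch=$(uname -m)
+
+case $arch in
+x86_64 | amd64 | sparc64 | s390x | ppc64)
+- libdir=/usr/lib64
+- sec_libdir=/usr/lib
++ libdir=/usr/lib64${libdir_suffix}
++ sec_libdir=/usr/lib${libdir_suffix}
+;;
+* )
+- libdir=/usr/lib
+- sec_libdir=/usr/lib64
++ libdir=/usr/lib${libdir_suffix}
++ sec_libdir=/usr/lib64${libdir_suffix}
+;;
+esac
+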
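Review bot: `LIBDIR_SUFFIX` is only AC_SUBST'd in the configure.in hunk; nothing visible assigns it, so unless it is set elsewhere in configure.in it substitutes to an empty string and `libdir_suffix` silently has no effect. Declaring it with `AC_ARG_VAR([LIBDIR_SUFFIX], [suffix appended to the library directory])` next to the AC_SUBST would document the variable in `configure --help` and make a `./configure LIBDIR_SUFFIX=...` setting persist across reconfigures. Separately, isc-config.sh.in still derives the library directory from `uname -m` at run time instead of `@libdir@`, so a build configured with a non-default `--libdir` reports the wrong path; that predates this patch, but the new variable is a natural place to address it.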
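--- /dev/null
+++ b/SOURCES/bind-9.11-fips-code-includes.patch
@@ -0,0 +1,39 @@
+From 68baeb7211ba2fcd4eff53d987e9b70ba38294cb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Thu, 20 Dec 2018 11:52:12 +0100
+Subject: [PATCH] Fix implicit declaration warning
+
+isc_md5_available() function is not declared before its use. Include
+header providing it in files that use it.
+---
+bin/tests/system/tkey/keydelete.c | 1 +
+lib/dns/tsig.c | 1 +
+2 files changed, 2 insertions(+)
+
+diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c
+index 36ee6c7..6051cd2 100644
+--- a/bin/tests/system/tkey/keydelete.c
++++ b/bin/tests/system/tkey/keydelete.c
+@@ -21,6 +21,7 @@
+#include <isc/hash.h>
+#include <isc/log.h>
+#include <isc/mem.h>
++#include <isc/md5.h>
+#include <isc/print.h>
+#include <isc/sockaddr.h>
+#include <isc/socket.h>
+diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
+index 70805bb..33870f3 100644
+--- a/lib/dns/tsig.c
++++ b/lib/dns/tsig.c
+@@ -18,6 +18,7 @@
+
+#include <isc/buffer.h>
+#include <isc/mem.h>
++#include <isc/md5.h>
+#include <isc/print.h>
+#include <isc/refcount.h>
+#include <isc/serial.h>
+--
+2.14.5
+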
1516
SOURCES/bind-9.11-fips-code.patch
Normal file
1516
SOURCES/bind-9.11-fips-code.patch
Normal file
1781
SOURCES/bind-9.11-fips-tests.patch
Normal file
1781
SOURCES/bind-9.11-fips-tests.patch
Normal file
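--- /dev/null
+++ b/SOURCES/bind-9.11-host-idn-disable.patch
@@ -0,0 +1,100 @@
+From 145fac914bf47128307aea702fed7eb74b65cadd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Tue, 25 Sep 2018 18:08:46 +0200
+Subject: [PATCH] Disable IDN from environment as documented
+
+Manual page of host contained instructions to disable IDN processing
+when it was built with libidn2. When refactoring IDN support however,
+support for disabling IDN in host and nslookup was lost. Use also
+environment variable and document it for nslookup, host and dig.
+
+Support variable CHARSET=ASCII to disable IDN, supported in downstream
+RH patch since RHEL 5.
+---
+bin/dig/dig.docbook | 4 +++-
+bin/dig/dighost.c | 9 +++++++--
+bin/dig/host.docbook | 2 +-
+bin/dig/nslookup.docbook | 15 +++++++++++++++
+4 files changed, 26 insertions(+), 4 deletions(-)
+
+diff --git a/bin/dig/dig.docbook b/bin/dig/dig.docbook
+index fedd288..d5dba72 100644
+--- a/bin/dig/dig.docbook
++++ b/bin/dig/dig.docbook
+@@ -1288,7 +1288,9 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
+reply from the server.
+If you'd like to turn off the IDN support for some reason, use
+parameters <parameter>+noidnin</parameter> and
+- <parameter>+noidnout</parameter>.
++ <parameter>+noidnout</parameter> or define
++ the <envar>IDN_DISABLE</envar> environment variable.
++
+</para>
+</refsection>
+
+diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
+index 7408193..d46379d 100644
+--- a/bin/dig/dighost.c
++++ b/bin/dig/dighost.c
+@@ -822,12 +822,17 @@ make_empty_lookup(void) {
+looknew->seenbadcookie = ISC_FALSE;
+looknew->badcookie = ISC_TRUE;
+#ifdef WITH_IDN_SUPPORT
+- looknew->idnin = ISC_TRUE;
++ looknew->idnin = (getenv("IDN_DISABLE") == NULL);
++ if (looknew->idnin) {
++ const char *charset = getenv("CHARSET");
++ if (charset && !strcmp(charset, "ASCII"))
++ looknew->idnin = ISC_FALSE;
++ }
+#else
+looknew->idnin = ISC_FALSE;
+#endif
+#ifdef WITH_IDN_OUT_SUPPORT
+- looknew->idnout = ISC_TRUE;
++ looknew->idnout = looknew->idnin;
+#else
+looknew->idnout = ISC_FALSE;
+#endif
+diff --git a/bin/dig/host.docbook b/bin/dig/host.docbook
+index 9c3aeaa..42cbbf9 100644
+--- a/bin/dig/host.docbook
++++ b/bin/dig/host.docbook
+@@ -378,7 +378,7 @@
+<command>host</command> appropriately converts character encoding of
+domain name before sending a request to DNS server or displaying a
+reply from the server.
+- If you'd like to turn off the IDN support for some reason, defines
++ If you'd like to turn off the IDN support for some reason, define
+the <envar>IDN_DISABLE</envar> environment variable.
+The IDN support is disabled if the variable is set when
+<command>host</command> runs.
+diff --git a/bin/dig/nslookup.docbook b/bin/dig/nslookup.docbook
+index 3aff4e9..86a09c6 100644
+--- a/bin/dig/nslookup.docbook
++++ b/bin/dig/nslookup.docbook
+@@ -478,6 +478,21 @@ nslookup -query=hinfo -timeout=10
+</para>
+</refsection>
+
++ <refsection><info><title>IDN SUPPORT</title></info>
++
++ <para>
++ If <command>nslookup</command> has been built with IDN (internationalized
++ domain name) support, it can accept and display non-ASCII domain names.
++ <command>nslookup</command> appropriately converts character encoding of
++ domain name before sending a request to DNS server or displaying a
++ reply from the server.
++ If you'd like to turn off the IDN support for some reason, define
++ the <envar>IDN_DISABLE</envar> environment variable.
++ The IDN support is disabled if the variable is set when
++ <command>nslookup</command> runs.
++ </para>
++ </refsection>
++
+<refsection><info><title>FILES</title></info>
+
+<para><filename>/etc/resolv.conf</filename>
+--
+2.14.4
+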
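Review bot: The dighost.c hunk honours two environment switches, `IDN_DISABLE` and `CHARSET=ASCII`, but the three docbook hunks document only `IDN_DISABLE`; since the commit message presents CHARSET=ASCII as the long-standing downstream knob, the manual pages should mention it too, e.g. adding `Setting <envar>CHARSET</envar> to <literal>ASCII</literal> has the same effect.` after the IDN_DISABLE sentence in each. The `!strcmp(charset, "ASCII")` comparison is case-sensitive, so `CHARSET=ascii` leaves IDN enabled; if that is intended the docs should say so, otherwise `strcasecmp()` would accept the usual spellings. Note also that `looknew->idnout = looknew->idnin` changes a build with WITH_IDN_OUT_SUPPORT but without WITH_IDN_SUPPORT from defaulting idnout to ISC_TRUE to ISC_FALSE — probably harmless, but worth a one-line comment so it is clearly deliberate. make_empty_lookup() continues outside the hunk.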
206
SOURCES/bind-9.11-kyua-pkcs11.patch
Normal file
206
SOURCES/bind-9.11-kyua-pkcs11.patch
Normal file
@ -0,0 +1,206 @@
|
||||
From d0433a314534e104f52acf2a0a96a68dd84305ae Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
||||
Date: Tue, 2 Jan 2018 18:13:07 +0100
|
||||
Subject: [PATCH] Fix pkcs11 variants atf tests
|
||||
|
||||
Add dns-pkcs11 tests Makefile to configure
|
||||
|
||||
Add pkcs11 Kyuafile, fix dh_test to pass in pkcs11 mode
|
||||
---
|
||||
configure.in | 1 +
|
||||
lib/Atffile | 2 ++
|
||||
lib/Kyuafile | 2 ++
|
||||
lib/dns-pkcs11/tests/Makefile.in | 10 +++++-----
|
||||
lib/dns-pkcs11/tests/dh_test.c | 3 ++-
|
||||
lib/isc-pkcs11/tests/Makefile.in | 6 +++---
|
||||
lib/isc-pkcs11/tests/hash_test.c | 32 +++++++++++++++++++++++++-------
|
||||
7 files changed, 40 insertions(+), 16 deletions(-)
|
||||
|
||||
diff --git a/configure.in b/configure.in
|
||||
index 67b3aab..4767eeb 100644
|
||||
--- a/configure.in
|
||||
+++ b/configure.in
|
||||
@@ -5579,6 +5579,7 @@ AC_CONFIG_FILES([
|
||||
lib/dns-pkcs11/include/Makefile
|
||||
lib/dns-pkcs11/include/dns/Makefile
|
||||
lib/dns-pkcs11/include/dst/Makefile
|
||||
+ lib/dns-pkcs11/tests/Makefile
|
||||
lib/irs/Makefile
|
||||
lib/irs/include/Makefile
|
||||
lib/irs/include/irs/Makefile
|
||||
diff --git a/lib/Atffile b/lib/Atffile
|
||||
index 93bbb01..4db3dce 100644
|
||||
--- a/lib/Atffile
|
||||
+++ b/lib/Atffile
|
||||
@@ -3,7 +3,9 @@ Content-Type: application/X-atf-atffile; version="1"
|
||||
prop: test-suite = bind9
|
||||
|
||||
tp: dns
|
||||
+tp: dns-pkcs11
|
||||
tp: irs
|
||||
tp: isc
|
||||
+tp: isc-pkcs11
|
||||
tp: isccfg
|
||||
tp: lwres
|
||||
diff --git a/lib/Kyuafile b/lib/Kyuafile
|
||||
index ff9fc56..eaaf0dc 100644
|
||||
--- a/lib/Kyuafile
|
||||
+++ b/lib/Kyuafile
|
||||
@@ -2,7 +2,9 @@ syntax(2)
|
||||
test_suite('bind9')
|
||||
|
||||
include('dns/Kyuafile')
|
||||
+include('dns-pkcs11/Kyuafile')
|
||||
include('irs/Kyuafile')
|
||||
include('isc/Kyuafile')
|
||||
+include('isc-pkcs11/Kyuafile')
|
||||
include('isccfg/Kyuafile')
|
||||
include('lwres/Kyuafile')
|
||||
diff --git a/lib/dns-pkcs11/tests/Makefile.in b/lib/dns-pkcs11/tests/Makefile.in
|
||||
index 2a6571b..f25a784 100644
|
||||
--- a/lib/dns-pkcs11/tests/Makefile.in
|
||||
+++ b/lib/dns-pkcs11/tests/Makefile.in
|
||||
@@ -20,12 +20,12 @@ VERSION=@BIND9_VERSION@
|
||||
|
||||
CINCLUDES = -I. -Iinclude ${DNS_INCLUDES} ${ISC_INCLUDES} \
|
||||
@DST_OPENSSL_INC@
|
||||
-CDEFINES = @CRYPTO@ -DTESTS="\"${top_builddir}/lib/dns/tests/\""
|
||||
+CDEFINES = @CRYPTO@ -DTESTS="\"${top_builddir}/lib/dns-pkcs11/tests/\""
|
||||
|
||||
-ISCLIBS = ../../isc/libisc.@A@
|
||||
-ISCDEPLIBS = ../../isc/libisc.@A@
|
||||
-DNSLIBS = ../libdns.@A@ @DNS_CRYPTO_LIBS@
|
||||
-DNSDEPLIBS = ../libdns.@A@
|
||||
+ISCLIBS = ../../isc-pkcs11/libisc-pkcs11.@A@
|
||||
+ISCDEPLIBS = ../../isc-pkcs11/libisc-pkcs11.@A@
|
||||
+DNSLIBS = ../libdns-pkcs11.@A@ @DNS_CRYPTO_LIBS@
|
||||
+DNSDEPLIBS = ../libdns-pkcs11.@A@
|
||||
|
||||
LIBS = @LIBS@ @ATFLIBS@
|
||||
|
||||
diff --git a/lib/dns-pkcs11/tests/dh_test.c b/lib/dns-pkcs11/tests/dh_test.c
|
||||
index 036d27a..eb6554f 100644
|
||||
--- a/lib/dns-pkcs11/tests/dh_test.c
|
||||
+++ b/lib/dns-pkcs11/tests/dh_test.c
|
||||
@@ -63,7 +63,8 @@ ATF_TC_BODY(isc_dh_computesecret, tc) {
|
||||
ret = dst_key_computesecret(key, key, &buf);
|
||||
ATF_REQUIRE_EQ(ret, DST_R_NOTPRIVATEKEY);
|
||||
ret = key->func->computesecret(key, key, &buf);
|
||||
- ATF_REQUIRE_EQ(ret, DST_R_COMPUTESECRETFAILURE);
|
||||
+ /* PKCS11 variant gives different result, accept both */
|
||||
+ ATF_REQUIRE(ret == DST_R_COMPUTESECRETFAILURE || ret == DST_R_INVALIDPRIVATEKEY);
|
||||
|
||||
dst_key_free(&key);
|
||||
dns_test_end();
|
||||
diff --git a/lib/isc-pkcs11/tests/Makefile.in b/lib/isc-pkcs11/tests/Makefile.in
|
||||
index f7fa538..818dae4 100644
|
||||
--- a/lib/isc-pkcs11/tests/Makefile.in
|
||||
+++ b/lib/isc-pkcs11/tests/Makefile.in
|
||||
@@ -17,10 +17,10 @@ VERSION=@BIND9_VERSION@
|
||||
@BIND9_MAKE_INCLUDES@
|
||||
|
||||
CINCLUDES = -I. -Iinclude ${ISC_INCLUDES} @ISC_OPENSSL_INC@
|
||||
-CDEFINES = @CRYPTO@ -DTESTS="\"${top_builddir}/lib/isc/tests/\""
|
||||
+CDEFINES = @CRYPTO@ -DTESTS="\"${top_builddir}/lib/isc-pkcs11/tests/\""
|
||||
|
||||
-ISCLIBS = ../libisc.@A@ @ISC_OPENSSL_LIBS@
|
||||
-ISCDEPLIBS = ../libisc.@A@
|
||||
+ISCLIBS = ../libisc-pkcs11.@A@ @ISC_OPENSSL_LIBS@
|
||||
+ISCDEPLIBS = ../libisc-pkcs11.@A@
|
||||
|
||||
LIBS = @LIBS@ @ATFLIBS@
|
||||
|
||||
diff --git a/lib/isc-pkcs11/tests/hash_test.c b/lib/isc-pkcs11/tests/hash_test.c
|
||||
index 5b8a374..c1891c2 100644
|
||||
--- a/lib/isc-pkcs11/tests/hash_test.c
|
||||
+++ b/lib/isc-pkcs11/tests/hash_test.c
|
||||
@@ -74,7 +74,7 @@ typedef struct hash_testcase {
|
||||
|
||||
typedef struct hash_test_key {
|
||||
const char *key;
|
||||
- const int len;
|
||||
+ const unsigned len;
|
||||
} hash_test_key_t;
|
||||
|
||||
/* non-hmac tests */
|
||||
@@ -957,8 +957,11 @@ ATF_TC_BODY(isc_hmacsha1, tc) {
|
||||
hash_test_key_t *test_key = test_keys;
|
||||
|
||||
while (testcase->input != NULL && testcase->result != NULL) {
|
||||
+ int len = ISC_MAX(test_key->len, ISC_SHA1_DIGESTLENGTH);
|
||||
+
|
||||
+ memset(buffer, 0, ISC_SHA1_DIGESTLENGTH);
|
||||
memmove(buffer, test_key->key, test_key->len);
|
||||
- isc_hmacsha1_init(&hmacsha1, buffer, test_key->len);
|
||||
+ isc_hmacsha1_init(&hmacsha1, buffer, len);
|
||||
isc_hmacsha1_update(&hmacsha1,
|
||||
(const isc_uint8_t *) testcase->input,
|
||||
testcase->input_len);
|
||||
@@ -1120,8 +1123,11 @@ ATF_TC_BODY(isc_hmacsha224, tc) {
|
||||
hash_test_key_t *test_key = test_keys;
|
||||
|
||||
while (testcase->input != NULL && testcase->result != NULL) {
|
||||
+ int len = ISC_MAX(test_key->len, ISC_SHA224_DIGESTLENGTH);
|
||||
+
|
||||
+ memset(buffer, 0, ISC_SHA224_DIGESTLENGTH);
|
||||
memmove(buffer, test_key->key, test_key->len);
|
||||
- isc_hmacsha224_init(&hmacsha224, buffer, test_key->len);
|
||||
+ isc_hmacsha224_init(&hmacsha224, buffer, len);
|
||||
isc_hmacsha224_update(&hmacsha224,
|
||||
(const isc_uint8_t *) testcase->input,
|
||||
testcase->input_len);
|
||||
@@ -1283,8 +1289,11 @@ ATF_TC_BODY(isc_hmacsha256, tc) {
|
||||
hash_test_key_t *test_key = test_keys;
|
||||
|
||||
while (testcase->input != NULL && testcase->result != NULL) {
|
||||
+ int len = ISC_MAX(test_key->len, ISC_SHA256_DIGESTLENGTH);
|
||||
+
|
||||
+ memset(buffer, 0, ISC_SHA256_DIGESTLENGTH);
|
||||
memmove(buffer, test_key->key, test_key->len);
|
||||
- isc_hmacsha256_init(&hmacsha256, buffer, test_key->len);
|
||||
+ isc_hmacsha256_init(&hmacsha256, buffer, len);
|
||||
isc_hmacsha256_update(&hmacsha256,
|
||||
(const isc_uint8_t *) testcase->input,
|
||||
testcase->input_len);
|
||||
@@ -1452,8 +1461,11 @@ ATF_TC_BODY(isc_hmacsha384, tc) {
|
||||
hash_test_key_t *test_key = test_keys;
|
||||
|
||||
while (testcase->input != NULL && testcase->result != NULL) {
|
||||
+ int len = ISC_MAX(test_key->len, ISC_SHA384_DIGESTLENGTH);
|
||||
+
|
||||
+ memset(buffer, 0, ISC_SHA384_DIGESTLENGTH);
|
||||
memmove(buffer, test_key->key, test_key->len);
|
||||
- isc_hmacsha384_init(&hmacsha384, buffer, test_key->len);
|
||||
+ isc_hmacsha384_init(&hmacsha384, buffer, len);
|
||||
isc_hmacsha384_update(&hmacsha384,
|
||||
(const isc_uint8_t *) testcase->input,
|
||||
testcase->input_len);
|
||||
@@ -1621,8 +1633,11 @@ ATF_TC_BODY(isc_hmacsha512, tc) {
|
||||
hash_test_key_t *test_key = test_keys;
|
||||
|
||||
while (testcase->input != NULL && testcase->result != NULL) {
|
||||
+ int len = ISC_MAX(test_key->len, ISC_SHA512_DIGESTLENGTH);
|
||||
+
|
||||
+ memset(buffer, 0, ISC_SHA512_DIGESTLENGTH);
|
||||
memmove(buffer, test_key->key, test_key->len);
|
||||
- isc_hmacsha512_init(&hmacsha512, buffer, test_key->len);
|
||||
+ isc_hmacsha512_init(&hmacsha512, buffer, len);
|
||||
isc_hmacsha512_update(&hmacsha512,
|
||||
(const isc_uint8_t *) testcase->input,
|
||||
testcase->input_len);
|
||||
@@ -1765,8 +1780,11 @@ ATF_TC_BODY(isc_hmacmd5, tc) {
|
||||
hash_test_key_t *test_key = test_keys;
|
||||
|
||||
while (testcase->input != NULL && testcase->result != NULL) {
|
||||
+ int len = ISC_MAX(test_key->len, ISC_MD5_DIGESTLENGTH);
|
||||
+
|
||||
+ memset(buffer, 0, ISC_MD5_DIGESTLENGTH);
|
||||
memmove(buffer, test_key->key, test_key->len);
|
||||
- isc_hmacmd5_init(&hmacmd5, buffer, test_key->len);
|
||||
+ isc_hmacmd5_init(&hmacmd5, buffer, len);
|
||||
isc_hmacmd5_update(&hmacmd5,
|
||||
(const isc_uint8_t *) testcase->input,
|
||||
testcase->input_len);
|
||||
--
|
||||
2.14.3
|
||||
|
SOURCES/bind-9.11-oot-manual.patch
@ -0,0 +1,256 @@
|
||||
From e462d022a9dc52c40aece6f8ba3123ff3ffa59ed Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
||||
Date: Wed, 25 Jul 2018 12:24:16 +0200
|
||||
Subject: [PATCH] Use make automatic variables to install updated manuals
|
||||
|
||||
Make will choose modified manual from build directory or original from source
|
||||
directory automagically. Take advantage of install tool feature.
|
||||
Install all files in single command instead of iterating on each of them.
|
||||
---
|
||||
bin/check/Makefile.in | 8 +++++---
|
||||
bin/confgen/Makefile.in | 9 +++++----
|
||||
bin/delv/Makefile.in | 6 ++++--
|
||||
bin/dig/Makefile.in | 8 ++++----
|
||||
bin/dnssec/Makefile.in | 6 ++++--
|
||||
bin/named/Makefile.in | 13 +++++++++----
|
||||
bin/pkcs11/Makefile.in | 9 ++++-----
|
||||
bin/python/Makefile.in | 8 ++++----
|
||||
bin/tools/Makefile.in | 25 +++++++++++++++----------
|
||||
9 files changed, 54 insertions(+), 38 deletions(-)
|
||||
|
||||
diff --git a/bin/check/Makefile.in b/bin/check/Makefile.in
|
||||
index 12f48d2d23..d8eac4c714 100644
|
||||
--- a/bin/check/Makefile.in
|
||||
+++ b/bin/check/Makefile.in
|
||||
@@ -83,12 +83,14 @@ installdirs:
|
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
|
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
|
||||
|
||||
-install:: named-checkconf@EXEEXT@ named-checkzone@EXEEXT@ installdirs
|
||||
+install-man8: ${MANPAGES}
|
||||
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8
|
||||
+ (cd ${DESTDIR}${mandir}/man8; rm -f named-compilezone.8; ${LINK_PROGRAM} named-checkzone.8 named-compilezone.8)
|
||||
+
|
||||
+install:: named-checkconf@EXEEXT@ named-checkzone@EXEEXT@ installdirs install-man8
|
||||
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkconf@EXEEXT@ ${DESTDIR}${sbindir}
|
||||
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkzone@EXEEXT@ ${DESTDIR}${sbindir}
|
||||
(cd ${DESTDIR}${sbindir}; rm -f named-compilezone@EXEEXT@; ${LINK_PROGRAM} named-checkzone@EXEEXT@ named-compilezone@EXEEXT@)
|
||||
- for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8; done
|
||||
- (cd ${DESTDIR}${mandir}/man8; rm -f named-compilezone.8; ${LINK_PROGRAM} named-checkzone.8 named-compilezone.8)
|
||||
|
||||
uninstall::
|
||||
rm -f ${DESTDIR}${mandir}/man8/named-compilezone.8
|
||||
diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in
|
||||
index 87f13dda4b..7865c0c73e 100644
|
||||
--- a/bin/confgen/Makefile.in
|
||||
+++ b/bin/confgen/Makefile.in
|
||||
@@ -95,13 +95,14 @@ installdirs:
|
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
|
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
|
||||
|
||||
-install:: rndc-confgen@EXEEXT@ ddns-confgen@EXEEXT@ installdirs
|
||||
+install-man8: rndc-confgen.8 ddns-confgen.8
|
||||
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8
|
||||
+ (cd ${DESTDIR}${mandir}/man8; rm -f tsig-keygen.8; ${LINK_PROGRAM} ddns-confgen.8 tsig-keygen.8)
|
||||
+
|
||||
+install:: rndc-confgen@EXEEXT@ ddns-confgen@EXEEXT@ installdirs install-man8
|
||||
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} rndc-confgen@EXEEXT@ ${DESTDIR}${sbindir}
|
||||
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} ddns-confgen@EXEEXT@ ${DESTDIR}${sbindir}
|
||||
- ${INSTALL_DATA} ${srcdir}/rndc-confgen.8 ${DESTDIR}${mandir}/man8
|
||||
- ${INSTALL_DATA} ${srcdir}/ddns-confgen.8 ${DESTDIR}${mandir}/man8
|
||||
(cd ${DESTDIR}${sbindir}; rm -f tsig-keygen@EXEEXT@; ${LINK_PROGRAM} ddns-confgen@EXEEXT@ tsig-keygen@EXEEXT@)
|
||||
- (cd ${DESTDIR}${mandir}/man8; rm -f tsig-keygen.8; ${LINK_PROGRAM} ddns-confgen.8 tsig-keygen.8)
|
||||
|
||||
uninstall::
|
||||
rm -f ${DESTDIR}${mandir}/man8/tsig-keygen.8
|
||||
diff --git a/bin/delv/Makefile.in b/bin/delv/Makefile.in
|
||||
index e2d2802262..19361a83ea 100644
|
||||
--- a/bin/delv/Makefile.in
|
||||
+++ b/bin/delv/Makefile.in
|
||||
@@ -63,10 +63,12 @@ installdirs:
|
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir}
|
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1
|
||||
|
||||
-install:: delv@EXEEXT@ installdirs
|
||||
+install-man1: delv.1
|
||||
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man1
|
||||
+
|
||||
+install:: delv@EXEEXT@ installdirs install-man1
|
||||
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \
|
||||
delv@EXEEXT@ ${DESTDIR}${bindir}
|
||||
- ${INSTALL_DATA} ${srcdir}/delv.1 ${DESTDIR}${mandir}/man1
|
||||
|
||||
uninstall::
|
||||
rm -f ${DESTDIR}${mandir}/man1/delv.1
|
||||
diff --git a/bin/dig/Makefile.in b/bin/dig/Makefile.in
|
||||
index 773ac46395..3edd951e7e 100644
|
||||
--- a/bin/dig/Makefile.in
|
||||
+++ b/bin/dig/Makefile.in
|
||||
@@ -91,16 +91,16 @@ installdirs:
|
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir}
|
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1
|
||||
|
||||
-install:: dig@EXEEXT@ host@EXEEXT@ nslookup@EXEEXT@ installdirs
|
||||
+install-man1: ${MANPAGES}
|
||||
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man1
|
||||
+
|
||||
+install:: dig@EXEEXT@ host@EXEEXT@ nslookup@EXEEXT@ installdirs install-man1
|
||||
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \
|
||||
dig@EXEEXT@ ${DESTDIR}${bindir}
|
||||
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \
|
||||
host@EXEEXT@ ${DESTDIR}${bindir}
|
||||
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \
|
||||
nslookup@EXEEXT@ ${DESTDIR}${bindir}
|
||||
- for m in ${MANPAGES}; do \
|
||||
- ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man1; \
|
||||
- done
|
||||
|
||||
uninstall::
|
||||
for m in ${MANPAGES}; do \
|
||||
diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in
|
||||
index 1be1d5ffc6..1d0c4ce5c1 100644
|
||||
--- a/bin/dnssec/Makefile.in
|
||||
+++ b/bin/dnssec/Makefile.in
|
||||
@@ -110,9 +110,11 @@ installdirs:
|
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
|
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
|
||||
|
||||
-install:: ${TARGETS} installdirs
|
||||
+install-man8: ${MANPAGES}
|
||||
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8
|
||||
+
|
||||
+install:: ${TARGETS} installdirs install-man8
|
||||
for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir}; done
|
||||
- for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8; done
|
||||
|
||||
uninstall::
|
||||
for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m ; done
|
||||
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
|
||||
index 1c413973d0..03e4cb849b 100644
|
||||
--- a/bin/named/Makefile.in
|
||||
+++ b/bin/named/Makefile.in
|
||||
@@ -172,12 +172,17 @@ installdirs:
|
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man5
|
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
|
||||
|
||||
-install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs
|
||||
+install-man5: named.conf.5
|
||||
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man5
|
||||
+
|
||||
+install-man8: named.8 lwresd.8
|
||||
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8
|
||||
+
|
||||
+install-man: install-man5 install-man8
|
||||
+
|
||||
+install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs install-man
|
||||
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir}
|
||||
(cd ${DESTDIR}${sbindir}; rm -f lwresd@EXEEXT@; @LN@ named@EXEEXT@ lwresd@EXEEXT@)
|
||||
- ${INSTALL_DATA} ${srcdir}/named.8 ${DESTDIR}${mandir}/man8
|
||||
- ${INSTALL_DATA} ${srcdir}/lwresd.8 ${DESTDIR}${mandir}/man8
|
||||
- ${INSTALL_DATA} ${srcdir}/named.conf.5 ${DESTDIR}${mandir}/man5
|
||||
|
||||
uninstall::
|
||||
rm -f ${DESTDIR}${mandir}/man5/named.conf.5
|
||||
diff --git a/bin/pkcs11/Makefile.in b/bin/pkcs11/Makefile.in
|
||||
index ae9061626c..a058c91214 100644
|
||||
--- a/bin/pkcs11/Makefile.in
|
||||
+++ b/bin/pkcs11/Makefile.in
|
||||
@@ -71,7 +71,10 @@ installdirs:
|
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
|
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
|
||||
|
||||
-install:: ${TARGETS} installdirs
|
||||
+install-man8: ${MANPAGES}
|
||||
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8
|
||||
+
|
||||
+install:: ${TARGETS} installdirs install-man8
|
||||
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} pkcs11-list@EXEEXT@ \
|
||||
${DESTDIR}${sbindir}
|
||||
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} pkcs11-destroy@EXEEXT@ \
|
||||
@@ -80,10 +83,6 @@ install:: ${TARGETS} installdirs
|
||||
${DESTDIR}${sbindir}
|
||||
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} pkcs11-tokens@EXEEXT@ \
|
||||
${DESTDIR}${sbindir}
|
||||
- ${INSTALL_DATA} ${srcdir}/pkcs11-list.8 ${DESTDIR}${mandir}/man8
|
||||
- ${INSTALL_DATA} ${srcdir}/pkcs11-destroy.8 ${DESTDIR}${mandir}/man8
|
||||
- ${INSTALL_DATA} ${srcdir}/pkcs11-keygen.8 ${DESTDIR}${mandir}/man8
|
||||
- ${INSTALL_DATA} ${srcdir}/pkcs11-tokens.8 ${DESTDIR}${mandir}/man8
|
||||
|
||||
uninstall::
|
||||
rm -f ${DESTDIR}${mandir}/man8/pkcs11-tokens.8
|
||||
diff --git a/bin/python/Makefile.in b/bin/python/Makefile.in
|
||||
index aa678d47ab..064c404e2f 100644
|
||||
--- a/bin/python/Makefile.in
|
||||
+++ b/bin/python/Makefile.in
|
||||
@@ -47,13 +47,13 @@ installdirs:
|
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
|
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
|
||||
|
||||
-install:: ${TARGETS} installdirs
|
||||
+install-man8: ${MANPAGES}
|
||||
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8
|
||||
+
|
||||
+install:: ${TARGETS} installdirs install-man8
|
||||
${INSTALL_SCRIPT} dnssec-checkds ${DESTDIR}${sbindir}
|
||||
${INSTALL_SCRIPT} dnssec-coverage ${DESTDIR}${sbindir}
|
||||
${INSTALL_SCRIPT} dnssec-keymgr ${DESTDIR}${sbindir}
|
||||
- ${INSTALL_DATA} ${srcdir}/dnssec-checkds.8 ${DESTDIR}${mandir}/man8
|
||||
- ${INSTALL_DATA} ${srcdir}/dnssec-coverage.8 ${DESTDIR}${mandir}/man8
|
||||
- ${INSTALL_DATA} ${srcdir}/dnssec-keymgr.8 ${DESTDIR}${mandir}/man8
|
||||
if test -n "${PYTHON}" ; then \
|
||||
if test -n "${DESTDIR}" ; then \
|
||||
${PYTHON} ${srcdir}/setup.py install --root=${DESTDIR} --prefix=${prefix} @PYTHON_INSTALL_LIB@ ; \
|
||||
diff --git a/bin/tools/Makefile.in b/bin/tools/Makefile.in
|
||||
index 7bf2af4cea..c395bc7462 100644
|
||||
--- a/bin/tools/Makefile.in
|
||||
+++ b/bin/tools/Makefile.in
|
||||
@@ -119,17 +119,27 @@ installdirs:
|
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1
|
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
|
||||
|
||||
-nzd:
|
||||
+nzd-man: named-nzd2nzf.8
|
||||
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8
|
||||
+
|
||||
+nzd: nzd-man
|
||||
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-nzd2nzf@EXEEXT@ \
|
||||
${DESTDIR}${sbindir}
|
||||
- ${INSTALL_DATA} ${srcdir}/named-nzd2nzf.8 ${DESTDIR}${mandir}/man8
|
||||
|
||||
-dnstap:
|
||||
+dnstap-man: dnstap-read.1
|
||||
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man1
|
||||
+
|
||||
+dnstap: dnstap-man
|
||||
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} dnstap-read@EXEEXT@ \
|
||||
${DESTDIR}${bindir}
|
||||
- ${INSTALL_DATA} ${srcdir}/dnstap-read.1 ${DESTDIR}${mandir}/man1
|
||||
|
||||
-install:: ${TARGETS} installdirs @DNSTAP@ @NZD_TOOLS@
|
||||
+install-man1: arpaname.1 named-rrchecker.1 mdig.1
|
||||
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man1
|
||||
+
|
||||
+install-man8: named-journalprint.8 nsec3hash.8
|
||||
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8
|
||||
+
|
||||
+install:: ${TARGETS} installdirs @DNSTAP@ @NZD_TOOLS@ install-man1 install-man8
|
||||
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} arpaname@EXEEXT@ \
|
||||
${DESTDIR}${bindir}
|
||||
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-journalprint@EXEEXT@ \
|
||||
@@ -144,13 +154,8 @@ install:: ${TARGETS} installdirs @DNSTAP@ @NZD_TOOLS@
|
||||
${DESTDIR}${sbindir}
|
||||
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} mdig@EXEEXT@ \
|
||||
${DESTDIR}${bindir}
|
||||
- ${INSTALL_DATA} ${srcdir}/arpaname.1 ${DESTDIR}${mandir}/man1
|
||||
${INSTALL_DATA} ${srcdir}/isc-hmac-fixup.8 ${DESTDIR}${mandir}/man8
|
||||
- ${INSTALL_DATA} ${srcdir}/named-journalprint.8 ${DESTDIR}${mandir}/man8
|
||||
- ${INSTALL_DATA} ${srcdir}/named-rrchecker.1 ${DESTDIR}${mandir}/man1
|
||||
- ${INSTALL_DATA} ${srcdir}/nsec3hash.8 ${DESTDIR}${mandir}/man8
|
||||
${INSTALL_DATA} ${srcdir}/genrandom.8 ${DESTDIR}${mandir}/man8
|
||||
- ${INSTALL_DATA} ${srcdir}/mdig.1 ${DESTDIR}${mandir}/man1
|
||||
|
||||
uninstall::
|
||||
rm -f ${DESTDIR}${mandir}/man1/mdig.1
|
||||
--
|
||||
2.14.4
|
||||
|
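Review bot: The bin/tools hunks leave `isc-hmac-fixup.8` and `genrandom.8` installed with an explicit `${srcdir}/` prefix (the two `${INSTALL_DATA} ${srcdir}/...` lines kept as context in the second hunk) while every other manual moves to an `install-man*` target that relies on `$^` and VPATH lookup, so a modified copy of those two manuals in the build directory would still be ignored, which is exactly the case the description says the change is for. Moving them onto the new rule, `install-man8: named-journalprint.8 nsec3hash.8 isc-hmac-fixup.8 genrandom.8`, keeps the install path uniform. The new `install-man*`, `nzd-man` and `dnstap-man` targets are not listed in any `.PHONY` declaration within these hunks; if the Makefiles have none elsewhere, a stray file with one of those names in the build directory would silently skip the manual install — worth confirming against the rest of each Makefile.in.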
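--- a/SOURCES/bind-9.11-pk11.patch
+++ b/SOURCES/bind-9.11-pk11.patch
@@ -0,0 +1,27 @@
+diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h
+index 640519a..fc40472 100644
+--- a/lib/dns/dst_internal.h
++++ b/lib/dns/dst_internal.h
+@@ -59,6 +59,9 @@
+ #include <openssl/objects.h>
+ #include <openssl/rsa.h>
+ #endif
++#if PKCS11CRYPTO
++#include <pk11/pk11.h>
++#endif
+ 
+ ISC_LANG_BEGINDECLS
+ 
+diff --git a/lib/isc/include/pk11/internal.h b/lib/isc/include/pk11/internal.h
+index aa8907a..603712a 100644
+--- a/lib/isc/include/pk11/internal.h
++++ b/lib/isc/include/pk11/internal.h
+@@ -13,6 +13,8 @@
+ #ifndef PK11_INTERNAL_H
+ #define PK11_INTERNAL_H 1
+ 
++#include <pk11/pk11.h>
++
+ /*! \file pk11/internal.h */
+ 
+ ISC_LANG_BEGINDECLS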
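Review bot: This patch file carries no header text explaining why dst_internal.h and pk11/internal.h now need `<pk11/pk11.h>`, unlike the neighbouring patches, which are `git format-patch` output with a Subject line and rationale; a short paragraph before the first `diff --git` naming the build failure or bug it addresses would make the change reviewable on its own. The guard in dst_internal.h is `#if PKCS11CRYPTO`, which evaluates to false silently when the macro is not defined at all; that is fine if configure always defines it with a value, but it differs from the `#ifdef`-style guard used for `PK11_INTERNAL_H` in the second hunk — confirm how configure defines `PKCS11CRYPTO`. The include added to pk11/internal.h is unconditional, which presumably is acceptable only because that header is compiled solely in PKCS#11 builds; saying so in the header paragraph would help.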
SOURCES/bind-9.11-rh1205168.patch
@ -0,0 +1,120 @@
|
||||
From 90416594843a56550e40b11561807786219ce1c4 Mon Sep 17 00:00:00 2001
|
||||
From: Evan Hunt <each@isc.org>
|
||||
Date: Mon, 11 Sep 2017 15:01:36 -0700
|
||||
Subject: [PATCH] remap getaddrinfo() to irs_getgetaddrinfo()
|
||||
|
||||
The libirs version of getaddrinfo() cannot be called from within BIND9.
|
||||
|
||||
fix prototypes
|
||||
---
|
||||
lib/irs/include/irs/netdb.h.in | 94 ++++++++++++++++++++++++++++++++++++++++++
|
||||
1 file changed, 94 insertions(+)
|
||||
|
||||
diff --git a/lib/irs/include/irs/netdb.h.in b/lib/irs/include/irs/netdb.h.in
|
||||
index 23dcd37..f36113d 100644
|
||||
--- a/lib/irs/include/irs/netdb.h.in
|
||||
+++ b/lib/irs/include/irs/netdb.h.in
|
||||
@@ -150,6 +150,100 @@ struct addrinfo {
|
||||
#define NI_DGRAM 0x00000010
|
||||
|
||||
/*
|
||||
+ * Define to map into irs_ namespace.
|
||||
+ */
|
||||
+
|
||||
+#define IRS_NAMESPACE
|
||||
+
|
||||
+#ifdef IRS_NAMESPACE
|
||||
+
|
||||
+/*
|
||||
+ * Use our versions not the ones from the C library.
|
||||
+ */
|
||||
+
|
||||
+#ifdef getnameinfo
|
||||
+#undef getnameinfo
|
||||
+#endif
|
||||
+#define getnameinfo irs_getnameinfo
|
||||
+
|
||||
+#ifdef getaddrinfo
|
||||
+#undef getaddrinfo
|
||||
+#endif
|
||||
+#define getaddrinfo irs_getaddrinfo
|
||||
+
|
||||
+#ifdef freeaddrinfo
|
||||
+#undef freeaddrinfo
|
||||
+#endif
|
||||
+#define freeaddrinfo irs_freeaddrinfo
|
||||
+
|
||||
+#ifdef gai_strerror
|
||||
+#undef gai_strerror
|
||||
+#endif
|
||||
+#define gai_strerror irs_gai_strerror
|
||||
+
|
||||
+#endif
|
||||
+
|
||||
+extern int getaddrinfo (const char *name,
|
||||
+ const char *service,
|
||||
+ const struct addrinfo *req,
|
||||
+ struct addrinfo **pai);
|
||||
+extern int getnameinfo (const struct sockaddr *sa,
|
||||
+ socklen_t salen, char *host,
|
||||
+ socklen_t hostlen, char *serv,
|
||||
+ socklen_t servlen, int flags);
|
||||
+extern void freeaddrinfo (struct addrinfo *ai);
|
||||
+extern const char *gai_strerror (int ecode);
|
||||
+
|
||||
+/*
|
||||
+ * Define to map into irs_ namespace.
|
||||
+ */
|
||||
+
|
||||
+#define IRS_NAMESPACE
|
||||
+
|
||||
+#ifdef IRS_NAMESPACE
|
||||
+
|
||||
+/*
|
||||
+ * Use our versions not the ones from the C library.
|
||||
+ */
|
||||
+
|
||||
+#ifdef getnameinfo
|
||||
+#undef getnameinfo
|
||||
+#endif
|
||||
+#define getnameinfo irs_getnameinfo
|
||||
+
|
||||
+#ifdef getaddrinfo
|
||||
+#undef getaddrinfo
|
||||
+#endif
|
||||
+#define getaddrinfo irs_getaddrinfo
|
||||
+
|
||||
+#ifdef freeaddrinfo
|
||||
+#undef freeaddrinfo
|
||||
+#endif
|
||||
+#define freeaddrinfo irs_freeaddrinfo
|
||||
+
|
||||
+#ifdef gai_strerror
|
||||
+#undef gai_strerror
|
||||
+#endif
|
||||
+#define gai_strerror irs_gai_strerror
|
||||
+
|
||||
+int
|
||||
+getaddrinfo(const char *hostname, const char *servname,
|
||||
+ const struct addrinfo *hints, struct addrinfo **res);
|
||||
+
|
||||
+int
|
||||
+getnameinfo(const struct sockaddr *sa, IRS_GETNAMEINFO_SOCKLEN_T salen,
|
||||
+ char *host, IRS_GETNAMEINFO_BUFLEN_T hostlen,
|
||||
+ char *serv, IRS_GETNAMEINFO_BUFLEN_T servlen,
|
||||
+ IRS_GETNAMEINFO_FLAGS_T flags);
|
||||
+
|
||||
+void freeaddrinfo (struct addrinfo *ai);
|
||||
+
|
||||
+IRS_GAISTRERROR_RETURN_T
|
||||
+gai_strerror(int ecode);
|
||||
+
|
||||
+#endif
|
||||
+
|
||||
+/*
|
||||
* Tell Emacs to use C mode on this file.
|
||||
* Local variables:
|
||||
* mode: c
|
||||
--
|
||||
2.9.5
|
||||
|
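Review bot: The hunk adds the `IRS_NAMESPACE` remap block twice: the first copy ends at the `#endif` just before `extern int getaddrinfo (...)`, and a second, textually identical `#define IRS_NAMESPACE` / `#ifdef IRS_NAMESPACE` block follows with a second set of prototypes. The two prototype sets have to be compatible for the header to compile: the first declares `getnameinfo` with `socklen_t` parameters and `gai_strerror` returning `const char *`, while the second uses `IRS_GETNAMEINFO_SOCKLEN_T`, `IRS_GETNAMEINFO_BUFLEN_T`, `IRS_GETNAMEINFO_FLAGS_T` and `IRS_GAISTRERROR_RETURN_T`, so any platform where those configure-derived macros differ from `socklen_t`/`int`/`const char *` gets a conflicting-declaration error. Keeping only the second block (whose types presumably come from the same configure checks the rest of netdb.h.in relies on) and dropping the first copy together with its four `extern` prototypes removes the hazard. The remap is also unconditional — `#define IRS_NAMESPACE` has no surrounding guard — so every translation unit that includes irs/netdb.h is silently switched from libc's getaddrinfo() to libirs'; the description says this is intended, but a one-line comment at the define, `/* Always on: BIND must not call the libc resolver entry points. */`, would keep the next reader from treating it as a leftover.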
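--- a/SOURCES/bind-9.11-rh1410433.patch
+++ b/SOURCES/bind-9.11-rh1410433.patch
@@ -0,0 +1,14 @@
+diff --git a/lib/dns/dyndb.c b/lib/dns/dyndb.c
+index 0ce5e42..556d920 100644
+--- a/lib/dns/dyndb.c
++++ b/lib/dns/dyndb.c
+@@ -130,9 +130,6 @@ load_library(isc_mem_t *mctx, const char *filename, const char *instname,
+ instname, filename);
+ 
+ flags = RTLD_NOW|RTLD_LOCAL;
+-#ifdef RTLD_DEEPBIND
+-flags |= RTLD_DEEPBIND;
+-#endif
+ 
+ handle = dlopen(filename, flags);
+ if (handle == NULL)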
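Review bot: The patch file gives no reason for dropping `RTLD_DEEPBIND` from the dyndb `dlopen()` flags, while the neighbouring patches are format-patch output with a Subject and rationale; since the flag changes how a loaded module's symbol references resolve (with it the module's own and its dependencies' definitions take precedence over symbols already in the global scope, without it the global scope wins), the incompatibility or bug that motivated the removal should be recorded in a header paragraph before `diff --git`. Operationally this means a dyndb module can no longer carry a private copy of a library that the running named already links, which is worth stating for anyone packaging such modules. load_library() continues outside the hunk.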
SOURCES/bind-9.11-rh1624100.patch
@ -0,0 +1,288 @@
|
||||
From 25ff8ab2b0772262d358272a3ed70a24fc6e4887 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
|
||||
Date: Wed, 25 Apr 2018 14:04:31 +0200
|
||||
Subject: [PATCH] Replace isc_safe routines with their OpenSSL counter parts
|
||||
|
||||
(cherry picked from commit 66ba2fdad583d962a1f4971c85d58381f0849e4d)
|
||||
|
||||
Remove isc_safe_memcompare, it's not needed anywhere and can't be replaced with CRYPTO_memcmp()
|
||||
|
||||
(cherry picked from commit b105ccee68ccc3c18e6ea530063b3c8e5a42571c)
|
||||
|
||||
Fix the isc_safe_memwipe() usage with (NULL, >0)
|
||||
|
||||
(cherry picked from commit 083461d3329ff6f2410745848a926090586a9846)
|
||||
---
|
||||
bin/dnssec/dnssec-signzone.c | 2 +-
|
||||
lib/dns/nsec3.c | 4 +--
|
||||
lib/dns/spnego.c | 4 +--
|
||||
lib/isc/Makefile.in | 8 ++---
|
||||
lib/isc/include/isc/safe.h | 18 ++++------
|
||||
lib/isc/safe.c | 81 --------------------------------------------
|
||||
lib/isc/tests/safe_test.c | 20 -----------
|
||||
7 files changed, 13 insertions(+), 124 deletions(-)
|
||||
delete mode 100644 lib/isc/safe.c
|
||||
|
||||
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
|
||||
index 53be1f5c60..351296a356 100644
|
||||
--- a/bin/dnssec/dnssec-signzone.c
|
||||
+++ b/bin/dnssec/dnssec-signzone.c
|
||||
@@ -786,7 +786,7 @@ hashlist_add_dns_name(hashlist_t *l, /*const*/ dns_name_t *name,
|
||||
|
||||
static int
|
||||
hashlist_comp(const void *a, const void *b) {
|
||||
- return (isc_safe_memcompare(a, b, hash_length + 1));
|
||||
+ return (memcmp(a, b, hash_length + 1));
|
||||
}
|
||||
|
||||
static void
|
||||
diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c
|
||||
index d364308aaf..37b6a8a7fe 100644
|
||||
--- a/lib/dns/nsec3.c
|
||||
+++ b/lib/dns/nsec3.c
|
||||
@@ -1950,7 +1950,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name,
|
||||
* Work out what this NSEC3 covers.
|
||||
* Inside (<0) or outside (>=0).
|
||||
*/
|
||||
- scope = isc_safe_memcompare(owner, nsec3.next, nsec3.next_length);
|
||||
+ scope = memcmp(owner, nsec3.next, nsec3.next_length);
|
||||
|
||||
/*
|
||||
* Prepare to compute all the hashes.
|
||||
@@ -1974,7 +1974,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name,
|
||||
return (ISC_R_IGNORE);
|
||||
}
|
||||
|
||||
- order = isc_safe_memcompare(hash, owner, length);
|
||||
+ order = memcmp(hash, owner, length);
|
||||
if (first && order == 0) {
|
||||
/*
|
||||
* The hashes are the same.
|
||||
diff --git a/lib/dns/spnego.c b/lib/dns/spnego.c
|
||||
index ce3e42d650..079d4c1b4a 100644
|
||||
--- a/lib/dns/spnego.c
|
||||
+++ b/lib/dns/spnego.c
|
||||
@@ -369,7 +369,7 @@ gssapi_spnego_decapsulate(OM_uint32 *,
|
||||
|
||||
/* mod_auth_kerb.c */
|
||||
|
||||
-static int
|
||||
+static isc_boolean_t
|
||||
cmp_gss_type(gss_buffer_t token, gss_OID gssoid)
|
||||
{
|
||||
unsigned char *p;
|
||||
@@ -393,7 +393,7 @@ cmp_gss_type(gss_buffer_t token, gss_OID gssoid)
|
||||
if (((OM_uint32) *p++) != gssoid->length)
|
||||
return (GSS_S_DEFECTIVE_TOKEN);
|
||||
|
||||
- return (isc_safe_memcompare(p, gssoid->elements, gssoid->length));
|
||||
+ return (!isc_safe_memequal(p, gssoid->elements, gssoid->length));
|
||||
}
|
||||
|
||||
/* accept_sec_context.c */
|
||||
diff --git a/lib/isc/Makefile.in b/lib/isc/Makefile.in
|
||||
index ba53ef1091..98acffffc9 100644
|
||||
--- a/lib/isc/Makefile.in
|
||||
+++ b/lib/isc/Makefile.in
|
||||
@@ -60,7 +60,7 @@ OBJS = @ISC_EXTRA_OBJS@ @ISC_PK11_O@ @ISC_PK11_RESULT_O@ \
|
||||
parseint.@O@ portset.@O@ quota.@O@ radix.@O@ random.@O@ \
|
||||
ratelimiter.@O@ refcount.@O@ region.@O@ regex.@O@ result.@O@ \
|
||||
rwlock.@O@ \
|
||||
- safe.@O@ serial.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \
|
||||
+ serial.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \
|
||||
string.@O@ strtoul.@O@ symtab.@O@ task.@O@ taskpool.@O@ \
|
||||
tm.@O@ timer.@O@ version.@O@ \
|
||||
${UNIXOBJS} ${NLSOBJS} ${THREADOBJS}
|
||||
@@ -79,7 +79,7 @@ SRCS = @ISC_EXTRA_SRCS@ @ISC_PK11_C@ @ISC_PK11_RESULT_C@ \
|
||||
netaddr.c netscope.c pool.c ondestroy.c \
|
||||
parseint.c portset.c quota.c radix.c random.c ${CHACHASRCS} \
|
||||
ratelimiter.c refcount.c region.c regex.c result.c rwlock.c \
|
||||
- safe.c serial.c sha1.c sha2.c sockaddr.c stats.c string.c \
|
||||
+ serial.c sha1.c sha2.c sockaddr.c stats.c string.c \
|
||||
strtoul.c symtab.c task.c taskpool.c timer.c \
|
||||
tm.c version.c
|
||||
|
||||
@@ -95,10 +95,6 @@ TESTDIRS = @UNITTESTS@
|
||||
|
||||
@BIND9_MAKE_RULES@
|
||||
|
||||
-safe.@O@: safe.c
|
||||
- ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} @CCNOOPT@ \
|
||||
- -c ${srcdir}/safe.c
|
||||
-
|
||||
version.@O@: version.c
|
||||
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
|
||||
-DVERSION=\"${VERSION}\" \
|
||||
diff --git a/lib/isc/include/isc/safe.h b/lib/isc/include/isc/safe.h
|
||||
index f29f00bac6..b8a0b2290c 100644
|
||||
--- a/lib/isc/include/isc/safe.h
|
||||
+++ b/lib/isc/include/isc/safe.h
|
||||
@@ -15,27 +15,21 @@
|
||||
|
||||
/*! \file isc/safe.h */
|
||||
|
||||
-#include <isc/types.h>
|
||||
-#include <stdlib.h>
|
||||
+#include <isc/boolean.h>
|
||||
+#include <isc/lang.h>
|
||||
+
|
||||
+#include <openssl/crypto.h>
|
||||
|
||||
ISC_LANG_BEGINDECLS
|
||||
|
||||
-isc_boolean_t
|
||||
-isc_safe_memequal(const void *s1, const void *s2, size_t n);
|
||||
+#define isc_safe_memequal(s1, s2, n) ISC_TF(!CRYPTO_memcmp(s1, s2, n))
|
||||
/*%<
|
||||
* Returns ISC_TRUE iff. two blocks of memory are equal, otherwise
|
||||
* ISC_FALSE.
|
||||
*
|
||||
*/
|
||||
|
||||
-int
|
||||
-isc_safe_memcompare(const void *b1, const void *b2, size_t len);
|
||||
-/*%<
|
||||
- * Clone of libc memcmp() which is safe to differential timing attacks.
|
||||
- */
|
||||
-
|
||||
-void
|
||||
-isc_safe_memwipe(void *ptr, size_t len);
|
||||
+#define isc_safe_memwipe(ptr, len) OPENSSL_cleanse(ptr, len)
|
||||
/*%<
|
||||
* Clear the memory of length `len` pointed to by `ptr`.
|
||||
*
|
||||
diff --git a/lib/isc/safe.c b/lib/isc/safe.c
|
||||
deleted file mode 100644
|
||||
index 5c9e1e2d13..0000000000
|
||||
--- a/lib/isc/safe.c
|
||||
+++ /dev/null
|
||||
@@ -1,81 +0,0 @@
|
||||
-/*
|
||||
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
||||
- *
|
||||
- * This Source Code Form is subject to the terms of the Mozilla Public
|
||||
- * License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
- *
|
||||
- * See the COPYRIGHT file distributed with this work for additional
|
||||
- * information regarding copyright ownership.
|
||||
- */
|
||||
-
|
||||
-/*! \file */
|
||||
-
|
||||
-#include <config.h>
|
||||
-
|
||||
-#include <isc/safe.h>
|
||||
-#include <isc/string.h>
|
||||
-#include <isc/util.h>
|
||||
-
|
||||
-#ifdef WIN32
|
||||
-#include <windows.h>
|
||||
-#endif
|
||||
-
|
||||
-#ifdef _MSC_VER
|
||||
-#pragma optimize("", off)
|
||||
-#endif
|
||||
-
|
||||
-isc_boolean_t
|
||||
-isc_safe_memequal(const void *s1, const void *s2, size_t n) {
|
||||
- isc_uint8_t acc = 0;
|
||||
-
|
||||
- if (n != 0U) {
|
||||
- const isc_uint8_t *p1 = s1, *p2 = s2;
|
||||
-
|
||||
- do {
|
||||
- acc |= *p1++ ^ *p2++;
|
||||
- } while (--n != 0U);
|
||||
- }
|
||||
- return (ISC_TF(acc == 0));
|
||||
-}
|
||||
-
|
||||
-
|
||||
-int
|
||||
-isc_safe_memcompare(const void *b1, const void *b2, size_t len) {
|
||||
- const unsigned char *p1 = b1, *p2 = b2;
|
||||
- size_t i;
|
||||
- int res = 0, done = 0;
|
||||
-
|
||||
- for (i = 0; i < len; i++) {
|
||||
- /* lt is -1 if p1[i] < p2[i]; else 0. */
|
||||
- int lt = (p1[i] - p2[i]) >> CHAR_BIT;
|
||||
-
|
||||
- /* gt is -1 if p1[i] > p2[i]; else 0. */
|
||||
- int gt = (p2[i] - p1[i]) >> CHAR_BIT;
|
||||
-
|
||||
- /* cmp is 1 if p1[i] > p2[i]; -1 if p1[i] < p2[i]; else 0. */
|
||||
- int cmp = lt - gt;
|
||||
-
|
||||
- /* set res = cmp if !done. */
|
||||
- res |= cmp & ~done;
|
||||
-
|
||||
- /* set done if p1[i] != p2[i]. */
|
||||
- done |= lt | gt;
|
||||
- }
|
||||
-
|
||||
- return (res);
|
||||
-}
|
||||
-
|
||||
-void
|
||||
-isc_safe_memwipe(void *ptr, size_t len) {
|
||||
- if (ISC_UNLIKELY(ptr == NULL || len == 0))
|
||||
- return;
|
||||
-
|
||||
-#ifdef WIN32
|
||||
- SecureZeroMemory(ptr, len);
|
||||
-#elif HAVE_EXPLICIT_BZERO
|
||||
- explicit_bzero(ptr, len);
|
||||
-#else
|
||||
- memset(ptr, 0, len);
|
||||
-#endif
|
||||
-}
|
||||
diff --git a/lib/isc/tests/safe_test.c b/lib/isc/tests/safe_test.c
|
||||
index f721cd1096..ea3e61f98d 100644
|
||||
--- a/lib/isc/tests/safe_test.c
|
||||
+++ b/lib/isc/tests/safe_test.c
|
||||
@@ -39,24 +39,6 @@ ATF_TC_BODY(isc_safe_memequal, tc) {
|
||||
"\x00\x00\x00\x00", 4));
|
||||
}
|
||||
|
||||
-ATF_TC(isc_safe_memcompare);
|
||||
-ATF_TC_HEAD(isc_safe_memcompare, tc) {
|
||||
- atf_tc_set_md_var(tc, "descr", "safe memcompare()");
|
||||
-}
|
||||
-ATF_TC_BODY(isc_safe_memcompare, tc) {
|
||||
- UNUSED(tc);
|
||||
-
|
||||
- ATF_CHECK(isc_safe_memcompare("test", "test", 4) == 0);
|
||||
- ATF_CHECK(isc_safe_memcompare("test", "tesc", 4) > 0);
|
||||
- ATF_CHECK(isc_safe_memcompare("test", "tesy", 4) < 0);
|
||||
- ATF_CHECK(isc_safe_memcompare("\x00\x00\x00\x00",
|
||||
- "\x00\x00\x00\x00", 4) == 0);
|
||||
- ATF_CHECK(isc_safe_memcompare("\x00\x00\x00\x00",
|
||||
- "\x00\x00\x00\x01", 4) < 0);
|
||||
- ATF_CHECK(isc_safe_memcompare("\x00\x00\x00\x02",
|
||||
- "\x00\x00\x00\x00", 4) > 0);
|
||||
-}
|
||||
-
|
||||
ATF_TC(isc_safe_memwipe);
|
||||
ATF_TC_HEAD(isc_safe_memwipe, tc) {
|
||||
atf_tc_set_md_var(tc, "descr", "isc_safe_memwipe()");
|
||||
@@ -67,7 +49,6 @@ ATF_TC_BODY(isc_safe_memwipe, tc) {
|
||||
/* These should pass. */
|
||||
isc_safe_memwipe(NULL, 0);
|
||||
isc_safe_memwipe((void *) -1, 0);
|
||||
- isc_safe_memwipe(NULL, 42);
|
||||
|
||||
/*
|
||||
* isc_safe_memwipe(ptr, size) should function same as
|
||||
@@ -106,7 +87,6 @@ ATF_TC_BODY(isc_safe_memwipe, tc) {
|
||||
*/
|
||||
ATF_TP_ADD_TCS(tp) {
|
||||
ATF_TP_ADD_TC(tp, isc_safe_memequal);
|
||||
- ATF_TP_ADD_TC(tp, isc_safe_memcompare);
|
||||
ATF_TP_ADD_TC(tp, isc_safe_memwipe);
|
||||
return (atf_no_error());
|
||||
}
|
||||
--
|
||||
2.14.4
|
||||
|
2199
SOURCES/bind-9.11-rt31459.patch
Normal file
File diff suppressed because it is too large
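--- /dev/null
+++ b/SOURCES/bind-9.11-rt46047-2.patch
@@ -0,0 +1,91 @@
+From c79ff443ba029eaf7da8781aef0b1ddbed467781 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Fri, 14 Jun 2019 12:30:01 +0200
+Subject: [PATCH] Fix OpenSSL random generator warnings Squashed commit of the
+following:
+
+commit 70492c6361e55309dae0e48ae031e295f0a46a5e
+Author: Evan Hunt <each@isc.org>
+Date: Sat Sep 16 21:01:06 2017 -0700
+
+[master] silence compiler warning
+
+(cherry picked from commit 6e5ae91479408540f04337c9dc27c3f3fffae6c7)
+
+commit 4d8c2767b584d993eb898d2210c85ffce214d1dc
+Author: Mark Andrews <marka@isc.org>
+Date: Fri Dec 22 08:48:38 2017 +1100
+
+add POST(argc);
+
+(cherry picked from commit be5a0eaa7adafc454658e09672d865eb453baeab)
+(cherry picked from commit 0163c3b8130cbed705c3267948ab49eebe26286d)
+
+commit c64b5b10a3a175482b89eddbe63d8b5107a2fbf3
+Author: Petr Mensik <pemensik@redhat.com>
+Date: Thu Jun 13 22:23:14 2019 +0200
+
+fixup! completed and corrected the crypto-random change
+---
+bin/named/server.c | 3 +++
+bin/tests/system/tkey/keydelete.c | 1 +
+lib/dns/tests/dstrandom_test.c | 3 +--
+3 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/bin/named/server.c b/bin/named/server.c
+index db0270900f..1afb461226 100644
+--- a/bin/named/server.c
++++ b/bin/named/server.c
+@@ -8100,6 +8100,8 @@ load_configuration(const char *filename, ns_server_t *server,
+}
+#endif
+} else {
++ result = isc_entropy_createfilesource(ns_g_entropy,
++ randomdev);
+#ifdef PATH_RANDOMDEV
+if (ns_g_fallbackentropy != NULL) {
+level = ISC_LOG_INFO;
+@@ -8893,6 +8895,7 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
+server->in_roothints = NULL;
+server->blackholeacl = NULL;
+server->keepresporder = NULL;
++ server->rngctx = NULL;
+
+/* Must be first. */
+CHECKFATAL(dst_lib_init2(ns_g_mctx, ns_g_entropy,
+diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c
+index 3d5ac74486..55ebb66a60 100644
+--- a/bin/tests/system/tkey/keydelete.c
++++ b/bin/tests/system/tkey/keydelete.c
+@@ -172,6 +172,7 @@ main(int argc, char **argv) {
+randomfile = argv[2];
+argv += 2;
+argc -= 2;
++ POST(argc);
+}
+keyname = argv[1];
+
+diff --git a/lib/dns/tests/dstrandom_test.c b/lib/dns/tests/dstrandom_test.c
+index d2c72e7685..56738d14a4 100644
+--- a/lib/dns/tests/dstrandom_test.c
++++ b/lib/dns/tests/dstrandom_test.c
+@@ -14,8 +14,6 @@
+* PERFORMANCE OF THIS SOFTWARE.
+*/
+
+-/* $Id$ */
+-
+/*! \file */
+
+#include <config.h>
+@@ -24,6 +22,7 @@
+
+#include <stdio.h>
+#include <string.h>
++#include <unistd.h>
+
+#include <isc/entropy.h>
+#include <isc/mem.h>
+--
+2.20.1
+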
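Review bot: This patch silently depends on bind-9.11-rt46047.patch being applied first, and nothing in its header records that ordering: the `load_configuration` hunk at 8100 re-adds `result = isc_entropy_createfilesource(ns_g_entropy, randomdev);` to the `else` branch that the rt46047 patch leaves without any file-source call, and the `ns_server_create` hunk initialises `server->rngctx`, a field that exists only once rt46047 has added it to `struct ns_server`. A one-line note in the patch description would protect the next rebase, e.g. `Depends on bind-9.11-rt46047.patch: restores the random-device file source that patch dropped from the else branch and initialises the rngctx field it introduces.` Whether `result` is examined when `PATH_RANDOMDEV` is not defined cannot be seen here, since `load_configuration` continues outside the hunk; worth confirming that a failed `isc_entropy_createfilesource()` is still logged on that build path.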
764
SOURCES/bind-9.11-rt46047.patch
Normal file
@ -0,0 +1,764 @@
|
||||
From dc861636b6bcb4a028b2392347a57a61bb5ece6e Mon Sep 17 00:00:00 2001
|
||||
From: Evan Hunt <each@isc.org>
|
||||
Date: Thu, 28 Sep 2017 10:09:22 -0700
|
||||
Subject: [PATCH] completed and corrected the crypto-random change
|
||||
|
||||
4724. [func] By default, BIND now uses the random number
|
||||
functions provided by the crypto library (i.e.,
|
||||
OpenSSL or a PKCS#11 provider) as a source of
|
||||
randomness rather than /dev/random. This is
|
||||
suitable for virtual machine environments
|
||||
which have limited entropy pools and lack
|
||||
hardware random number generators.
|
||||
|
||||
This can be overridden by specifying another
|
||||
entropy source via the "random-device" option
|
||||
in named.conf, or via the -r command line option;
|
||||
however, for functions requiring full cryptographic
|
||||
strength, such as DNSSEC key generation, this
|
||||
cannot be overridden. In particular, the -r
|
||||
command line option no longer has any effect on
|
||||
dnssec-keygen.
|
||||
|
||||
This can be disabled by building with
|
||||
"configure --disable-crypto-rand".
|
||||
[RT #31459] [RT #46047]
|
||||
---
|
||||
bin/confgen/keygen.c | 12 +++---
|
||||
bin/dnssec/dnssec-keygen.docbook | 24 +++++++----
|
||||
bin/dnssec/dnssectool.c | 12 +++---
|
||||
bin/named/client.c | 3 +-
|
||||
bin/named/config.c | 4 +-
|
||||
bin/named/controlconf.c | 19 +++++---
|
||||
bin/named/include/named/server.h | 2 +
|
||||
bin/named/interfacemgr.c | 1 +
|
||||
bin/named/query.c | 1 +
|
||||
bin/named/server.c | 52 +++++++++++++---------
|
||||
bin/nsupdate/nsupdate.c | 4 +-
|
||||
bin/tests/system/pipelined/pipequeries.c | 4 +-
|
||||
bin/tests/system/tkey/keycreate.c | 4 +-
|
||||
bin/tests/system/tkey/keydelete.c | 4 +-
|
||||
doc/arm/Bv9ARM-book.xml | 55 +++++++++++++++++-------
|
||||
doc/arm/notes.xml | 23 +++++++++-
|
||||
lib/dns/dst_api.c | 7 ++-
|
||||
lib/dns/include/dst/dst.h | 14 +++++-
|
||||
lib/dns/openssl_link.c | 3 +-
|
||||
lib/isc/include/isc/entropy.h | 50 +++++++++++++++------
|
||||
lib/isc/include/isc/random.h | 28 +++++++-----
|
||||
lib/isccfg/namedconf.c | 2 +-
|
||||
22 files changed, 218 insertions(+), 110 deletions(-)
|
||||
|
||||
diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c
|
||||
index fa439cc..a7ad417 100644
|
||||
--- a/bin/confgen/keygen.c
|
||||
+++ b/bin/confgen/keygen.c
|
||||
@@ -161,17 +161,15 @@ generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg,
|
||||
|
||||
DO("create entropy context", isc_entropy_create(mctx, &ectx));
|
||||
|
||||
- if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) {
|
||||
- randomfile = NULL;
|
||||
- open_keyboard = ISC_ENTROPY_KEYBOARDYES;
|
||||
- }
|
||||
#ifdef ISC_PLATFORM_CRYPTORANDOM
|
||||
- if (randomfile != NULL &&
|
||||
- strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
|
||||
- randomfile = NULL;
|
||||
+ if (randomfile == NULL) {
|
||||
isc_entropy_usehook(ectx, ISC_TRUE);
|
||||
}
|
||||
#endif
|
||||
+ if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) {
|
||||
+ randomfile = NULL;
|
||||
+ open_keyboard = ISC_ENTROPY_KEYBOARDYES;
|
||||
+ }
|
||||
DO("start entropy source", isc_entropy_usebestsource(ectx,
|
||||
&entropy_source,
|
||||
randomfile,
|
||||
diff --git a/bin/dnssec/dnssec-keygen.docbook b/bin/dnssec/dnssec-keygen.docbook
|
||||
index 96dfef6..1c84b06 100644
|
||||
--- a/bin/dnssec/dnssec-keygen.docbook
|
||||
+++ b/bin/dnssec/dnssec-keygen.docbook
|
||||
@@ -349,15 +349,23 @@
|
||||
<term>-r <replaceable class="parameter">randomdev</replaceable></term>
|
||||
<listitem>
|
||||
<para>
|
||||
- Specifies the source of randomness. If the operating
|
||||
- system does not provide a <filename>/dev/random</filename>
|
||||
- or equivalent device, the default source of randomness
|
||||
- is keyboard input. <filename>randomdev</filename>
|
||||
- specifies
|
||||
+ Specifies a source of randomness. Normally, when generating
|
||||
+ DNSSEC keys, this option has no effect; the random number
|
||||
+ generation function provided by the cryptographic library will
|
||||
+ be used.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ If that behavior is disabled at compile time, however,
|
||||
+ the specified file will be used as entropy source
|
||||
+ for key generation. <filename>randomdev</filename> is
|
||||
the name of a character device or file containing random
|
||||
- data to be used instead of the default. The special value
|
||||
- <filename>keyboard</filename> indicates that keyboard
|
||||
- input should be used.
|
||||
+ data to be used. The special value <filename>keyboard</filename>
|
||||
+ indicates that keyboard input should be used.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ The default is <filename>/dev/random</filename> if the
|
||||
+ operating system provides it or an equivalent device;
|
||||
+ if not, the default source of randomness is keyboard input.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c
|
||||
index 4ea9eaf..5dd9475 100644
|
||||
--- a/bin/dnssec/dnssectool.c
|
||||
+++ b/bin/dnssec/dnssectool.c
|
||||
@@ -239,18 +239,16 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
|
||||
ISC_LIST_INIT(sources);
|
||||
}
|
||||
|
||||
+#ifdef ISC_PLATFORM_CRYPTORANDOM
|
||||
+ if (randomfile == NULL) {
|
||||
+ isc_entropy_usehook(*ectx, ISC_TRUE);
|
||||
+ }
|
||||
+#endif
|
||||
if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) {
|
||||
usekeyboard = ISC_ENTROPY_KEYBOARDYES;
|
||||
randomfile = NULL;
|
||||
}
|
||||
|
||||
-#ifdef ISC_PLATFORM_CRYPTORANDOM
|
||||
- if (randomfile != NULL &&
|
||||
- strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
|
||||
- randomfile = NULL;
|
||||
- isc_entropy_usehook(*ectx, ISC_TRUE);
|
||||
- }
|
||||
-#endif
|
||||
result = isc_entropy_usebestsource(*ectx, &source, randomfile,
|
||||
usekeyboard);
|
||||
|
||||
diff --git a/bin/named/client.c b/bin/named/client.c
|
||||
index b7d8a98..56d475c 100644
|
||||
--- a/bin/named/client.c
|
||||
+++ b/bin/named/client.c
|
||||
@@ -1605,7 +1605,8 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message,
|
||||
|
||||
isc_buffer_init(&buf, cookie, sizeof(cookie));
|
||||
isc_stdtime_get(&now);
|
||||
- isc_random_get(&nonce);
|
||||
+ nonce = ((isc_rng_random(ns_g_server->rngctx) << 16) |
|
||||
+ isc_rng_random(ns_g_server->rngctx));
|
||||
|
||||
compute_cookie(client, now, nonce, ns_g_server->secret, &buf);
|
||||
|
||||
diff --git a/bin/named/config.c b/bin/named/config.c
|
||||
index c50f759..c1e72ef 100644
|
||||
--- a/bin/named/config.c
|
||||
+++ b/bin/named/config.c
|
||||
@@ -92,7 +92,9 @@ options {\n\
|
||||
# pid-file \"" NS_LOCALSTATEDIR "/run/named/named.pid\"; /* or /lwresd.pid */\n\
|
||||
port 53;\n\
|
||||
prefetch 2 9;\n"
|
||||
-#ifdef PATH_RANDOMDEV
|
||||
+#if defined(ISC_PLATFORM_CRYPTORANDOM)
|
||||
+" random-device none;\n"
|
||||
+#elif defined(PATH_RANDOMDEV)
|
||||
" random-device \"" PATH_RANDOMDEV "\";\n"
|
||||
#endif
|
||||
" recursing-file \"named.recursing\";\n\
|
||||
diff --git a/bin/named/controlconf.c b/bin/named/controlconf.c
|
||||
index 237e8dc..b905475 100644
|
||||
--- a/bin/named/controlconf.c
|
||||
+++ b/bin/named/controlconf.c
|
||||
@@ -322,9 +322,10 @@ log_invalid(isccc_ccmsg_t *ccmsg, isc_result_t result) {
|
||||
|
||||
static void
|
||||
control_recvmessage(isc_task_t *task, isc_event_t *event) {
|
||||
- controlconnection_t *conn;
|
||||
- controllistener_t *listener;
|
||||
- controlkey_t *key;
|
||||
+ controlconnection_t *conn = NULL;
|
||||
+ controllistener_t *listener = NULL;
|
||||
+ ns_server_t *server = NULL;
|
||||
+ controlkey_t *key = NULL;
|
||||
isccc_sexpr_t *request = NULL;
|
||||
isccc_sexpr_t *response = NULL;
|
||||
isc_uint32_t algorithm;
|
||||
@@ -335,16 +336,17 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
|
||||
isc_buffer_t *text;
|
||||
isc_result_t result;
|
||||
isc_result_t eresult;
|
||||
- isccc_sexpr_t *_ctrl;
|
||||
+ isccc_sexpr_t *_ctrl = NULL;
|
||||
isccc_time_t sent;
|
||||
isccc_time_t exp;
|
||||
isc_uint32_t nonce;
|
||||
- isccc_sexpr_t *data;
|
||||
+ isccc_sexpr_t *data = NULL;
|
||||
|
||||
REQUIRE(event->ev_type == ISCCC_EVENT_CCMSG);
|
||||
|
||||
conn = event->ev_arg;
|
||||
listener = conn->listener;
|
||||
+ server = listener->controls->server;
|
||||
algorithm = DST_ALG_UNKNOWN;
|
||||
secret.rstart = NULL;
|
||||
text = NULL;
|
||||
@@ -455,8 +457,11 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
|
||||
* Establish nonce.
|
||||
*/
|
||||
if (conn->nonce == 0) {
|
||||
- while (conn->nonce == 0)
|
||||
- isc_random_get(&conn->nonce);
|
||||
+ while (conn->nonce == 0) {
|
||||
+ isc_uint16_t r1 = isc_rng_random(server->rngctx);
|
||||
+ isc_uint16_t r2 = isc_rng_random(server->rngctx);
|
||||
+ conn->nonce = (r1 << 16) | r2;
|
||||
+ }
|
||||
eresult = ISC_R_SUCCESS;
|
||||
} else
|
||||
eresult = ns_control_docommand(request, listener->readonly, &text);
|
||||
diff --git a/bin/named/include/named/server.h b/bin/named/include/named/server.h
|
||||
index d8179a6..e03d24d 100644
|
||||
--- a/bin/named/include/named/server.h
|
||||
+++ b/bin/named/include/named/server.h
|
||||
@@ -17,6 +17,7 @@
|
||||
#include <isc/log.h>
|
||||
#include <isc/magic.h>
|
||||
#include <isc/quota.h>
|
||||
+#include <isc/random.h>
|
||||
#include <isc/sockaddr.h>
|
||||
#include <isc/types.h>
|
||||
#include <isc/xml.h>
|
||||
@@ -131,6 +132,7 @@ struct ns_server {
|
||||
char * lockfile;
|
||||
|
||||
isc_uint16_t transfer_tcp_message_size;
|
||||
+ isc_rng_t * rngctx;
|
||||
};
|
||||
|
||||
struct ns_altsecret {
|
||||
diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c
|
||||
index d8c7188..50f924e 100644
|
||||
--- a/bin/named/interfacemgr.c
|
||||
+++ b/bin/named/interfacemgr.c
|
||||
@@ -15,6 +15,7 @@
|
||||
|
||||
#include <isc/interfaceiter.h>
|
||||
#include <isc/os.h>
|
||||
+#include <isc/random.h>
|
||||
#include <isc/string.h>
|
||||
#include <isc/task.h>
|
||||
#include <isc/util.h>
|
||||
diff --git a/bin/named/query.c b/bin/named/query.c
|
||||
index accbf3b..d89622d 100644
|
||||
--- a/bin/named/query.c
|
||||
+++ b/bin/named/query.c
|
||||
@@ -18,6 +18,7 @@
|
||||
#include <isc/hex.h>
|
||||
#include <isc/mem.h>
|
||||
#include <isc/print.h>
|
||||
+#include <isc/random.h>
|
||||
#include <isc/rwlock.h>
|
||||
#include <isc/serial.h>
|
||||
#include <isc/stats.h>
|
||||
diff --git a/bin/named/server.c b/bin/named/server.c
|
||||
index ca789e5..db02709 100644
|
||||
--- a/bin/named/server.c
|
||||
+++ b/bin/named/server.c
|
||||
@@ -8076,21 +8076,30 @@ load_configuration(const char *filename, ns_server_t *server,
|
||||
* Open the source of entropy.
|
||||
*/
|
||||
if (first_time) {
|
||||
+ const char *randomdev = NULL;
|
||||
+ int level = ISC_LOG_ERROR;
|
||||
obj = NULL;
|
||||
result = ns_config_get(maps, "random-device", &obj);
|
||||
- if (result != ISC_R_SUCCESS) {
|
||||
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
|
||||
- NS_LOGMODULE_SERVER, ISC_LOG_INFO,
|
||||
- "no source of entropy found");
|
||||
- } else {
|
||||
- const char *randomdev = cfg_obj_asstring(obj);
|
||||
+ if (result == ISC_R_SUCCESS) {
|
||||
+ if (!cfg_obj_isvoid(obj)) {
|
||||
+ level = ISC_LOG_INFO;
|
||||
+ randomdev = cfg_obj_asstring(obj);
|
||||
+ }
|
||||
+ }
|
||||
+ if (randomdev == NULL) {
|
||||
#ifdef ISC_PLATFORM_CRYPTORANDOM
|
||||
- if (strcmp(randomdev, ISC_PLATFORM_CRYPTORANDOM) == 0)
|
||||
- isc_entropy_usehook(ns_g_entropy, ISC_TRUE);
|
||||
+ isc_entropy_usehook(ns_g_entropy, ISC_TRUE);
|
||||
#else
|
||||
- int level = ISC_LOG_ERROR;
|
||||
- result = isc_entropy_createfilesource(ns_g_entropy,
|
||||
- randomdev);
|
||||
+ if ((obj != NULL) && !cfg_obj_isvoid(obj))
|
||||
+ level = ISC_LOG_INFO;
|
||||
+ isc_log_write(named_g_lctx, NS_LOGCATEGORY_GENERAL,
|
||||
+ NS_LOGMODULE_SERVER, level,
|
||||
+ "no source of entropy found");
|
||||
+ if ((obj == NULL) || cfg_obj_isvoid(obj)) {
|
||||
+ CHECK(ISC_R_FAILURE);
|
||||
+ }
|
||||
+#endif
|
||||
+ } else {
|
||||
#ifdef PATH_RANDOMDEV
|
||||
if (ns_g_fallbackentropy != NULL) {
|
||||
level = ISC_LOG_INFO;
|
||||
@@ -8101,8 +8110,8 @@ load_configuration(const char *filename, ns_server_t *server,
|
||||
NS_LOGCATEGORY_GENERAL,
|
||||
NS_LOGMODULE_SERVER,
|
||||
level,
|
||||
- "could not open entropy source "
|
||||
- "%s: %s",
|
||||
+ "could not open "
|
||||
+ "entropy source %s: %s",
|
||||
randomdev,
|
||||
isc_result_totext(result));
|
||||
}
|
||||
@@ -8122,7 +8131,6 @@ load_configuration(const char *filename, ns_server_t *server,
|
||||
}
|
||||
isc_entropy_detach(&ns_g_fallbackentropy);
|
||||
}
|
||||
-#endif
|
||||
#endif
|
||||
}
|
||||
}
|
||||
@@ -8911,6 +8919,8 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
|
||||
CHECKFATAL(dns_tkeyctx_create(ns_g_mctx, ns_g_entropy,
|
||||
&server->tkeyctx),
|
||||
"creating TKEY context");
|
||||
+ CHECKFATAL(isc_rng_create(ns_g_mctx, ns_g_entropy, &server->rngctx),
|
||||
+ "creating random numbers context");
|
||||
|
||||
/*
|
||||
* Setup the server task, which is responsible for coordinating
|
||||
@@ -9117,7 +9127,8 @@ ns_server_destroy(ns_server_t **serverp) {
|
||||
|
||||
if (server->zonemgr != NULL)
|
||||
dns_zonemgr_detach(&server->zonemgr);
|
||||
-
|
||||
+ if (server->rngctx != NULL)
|
||||
+ isc_rng_detach(&server->rngctx);
|
||||
if (server->tkeyctx != NULL)
|
||||
dns_tkeyctx_destroy(&server->tkeyctx);
|
||||
|
||||
@@ -13018,10 +13029,10 @@ newzone_cfgctx_destroy(void **cfgp) {
|
||||
|
||||
static isc_result_t
|
||||
generate_salt(unsigned char *salt, size_t saltlen) {
|
||||
- int i, n;
|
||||
+ size_t i, n;
|
||||
union {
|
||||
unsigned char rnd[256];
|
||||
- isc_uint32_t rnd32[64];
|
||||
+ isc_uint16_t rnd16[128];
|
||||
} rnd;
|
||||
unsigned char text[512 + 1];
|
||||
isc_region_t r;
|
||||
@@ -13031,9 +13042,10 @@ generate_salt(unsigned char *salt, size_t saltlen) {
|
||||
if (saltlen > 256U)
|
||||
return (ISC_R_RANGE);
|
||||
|
||||
- n = (int) (saltlen + sizeof(isc_uint32_t) - 1) / sizeof(isc_uint32_t);
|
||||
- for (i = 0; i < n; i++)
|
||||
- isc_random_get(&rnd.rnd32[i]);
|
||||
+ n = (saltlen + sizeof(isc_uint16_t) - 1) / sizeof(isc_uint16_t);
|
||||
+ for (i = 0; i < n; i++) {
|
||||
+ rnd.rnd16[i] = isc_rng_random(ns_g_server->rngctx);
|
||||
+ }
|
||||
|
||||
memmove(salt, rnd.rnd, saltlen);
|
||||
|
||||
diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
|
||||
index 46c7acf..a0d0278 100644
|
||||
--- a/bin/nsupdate/nsupdate.c
|
||||
+++ b/bin/nsupdate/nsupdate.c
|
||||
@@ -281,9 +281,7 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
|
||||
}
|
||||
|
||||
#ifdef ISC_PLATFORM_CRYPTORANDOM
|
||||
- if (randomfile != NULL &&
|
||||
- strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
|
||||
- randomfile = NULL;
|
||||
+ if (randomfile == NULL) {
|
||||
isc_entropy_usehook(*ectx, ISC_TRUE);
|
||||
}
|
||||
#endif
|
||||
diff --git a/bin/tests/system/pipelined/pipequeries.c b/bin/tests/system/pipelined/pipequeries.c
|
||||
index 810d99e..d7d10e2 100644
|
||||
--- a/bin/tests/system/pipelined/pipequeries.c
|
||||
+++ b/bin/tests/system/pipelined/pipequeries.c
|
||||
@@ -279,9 +279,7 @@ main(int argc, char *argv[]) {
|
||||
ectx = NULL;
|
||||
RUNCHECK(isc_entropy_create(mctx, &ectx));
|
||||
#ifdef ISC_PLATFORM_CRYPTORANDOM
|
||||
- if (randomfile != NULL &&
|
||||
- strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
|
||||
- randomfile = NULL;
|
||||
+ if (randomfile == NULL) {
|
||||
isc_entropy_usehook(ectx, ISC_TRUE);
|
||||
}
|
||||
#endif
|
||||
diff --git a/bin/tests/system/tkey/keycreate.c b/bin/tests/system/tkey/keycreate.c
|
||||
index 4f2f5b4..0894db7 100644
|
||||
--- a/bin/tests/system/tkey/keycreate.c
|
||||
+++ b/bin/tests/system/tkey/keycreate.c
|
||||
@@ -255,9 +255,7 @@ main(int argc, char *argv[]) {
|
||||
ectx = NULL;
|
||||
RUNCHECK(isc_entropy_create(mctx, &ectx));
|
||||
#ifdef ISC_PLATFORM_CRYPTORANDOM
|
||||
- if (randomfile != NULL &&
|
||||
- strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
|
||||
- randomfile = NULL;
|
||||
+ if (randomfile == NULL) {
|
||||
isc_entropy_usehook(ectx, ISC_TRUE);
|
||||
}
|
||||
#endif
|
||||
diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c
|
||||
index 0975bbe..5b8a470 100644
|
||||
--- a/bin/tests/system/tkey/keydelete.c
|
||||
+++ b/bin/tests/system/tkey/keydelete.c
|
||||
@@ -182,9 +182,7 @@ main(int argc, char **argv) {
|
||||
ectx = NULL;
|
||||
RUNCHECK(isc_entropy_create(mctx, &ectx));
|
||||
#ifdef ISC_PLATFORM_CRYPTORANDOM
|
||||
- if (randomfile != NULL &&
|
||||
- strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
|
||||
- randomfile = NULL;
|
||||
+ if (randomfile == NULL) {
|
||||
isc_entropy_usehook(ectx, ISC_TRUE);
|
||||
}
|
||||
#endif
|
||||
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
|
||||
index a5d9e2e..2a96f71 100644
|
||||
--- a/doc/arm/Bv9ARM-book.xml
|
||||
+++ b/doc/arm/Bv9ARM-book.xml
|
||||
@@ -5070,22 +5070,45 @@ badresp:1,adberr:0,findfail:0,valfail:0]
|
||||
<term><command>random-device</command></term>
|
||||
<listitem>
|
||||
<para>
|
||||
- The source of entropy to be used by the server. Entropy is
|
||||
- primarily needed
|
||||
- for DNSSEC operations, such as TKEY transactions and dynamic
|
||||
- update of signed
|
||||
- zones. This options specifies the device (or file) from which
|
||||
- to read
|
||||
- entropy. If this is a file, operations requiring entropy will
|
||||
- fail when the
|
||||
- file has been exhausted. If not specified, the default value
|
||||
- is
|
||||
- <filename>/dev/random</filename>
|
||||
- (or equivalent) when present, and none otherwise. The
|
||||
- <command>random-device</command> option takes
|
||||
- effect during
|
||||
- the initial configuration load at server startup time and
|
||||
- is ignored on subsequent reloads.
|
||||
+ Specifies a source of entropy to be used by the server.
|
||||
+ This is a device or file from which to read entropy.
|
||||
+ If it is a file, operations requiring entropy
|
||||
+ will fail when the file has been exhausted.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ Entropy is needed for cryptographic operations such as
|
||||
+ TKEY transactions, dynamic update of signed zones, and
|
||||
+ generation of TSIG session keys. It is also used for
|
||||
+ seeding and stirring the pseudo-random number generator,
|
||||
+ which is used for less critical functions requiring
|
||||
+ randomness such as generation of DNS message transaction
|
||||
+ ID's.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ If <command>random-device</command> is not specified, or
|
||||
+ if it is set to <literal>none</literal>, entropy will be
|
||||
+ read from the random number generation function supplied
|
||||
+ by the cryptographic library with which BIND was linked
|
||||
+ (i.e. OpenSSL or a PKCS#11 provider).
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ The <command>random-device</command> option takes
|
||||
+ effect during the initial configuration load at server
|
||||
+ startup time and is ignored on subsequent reloads.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ If BIND is built with
|
||||
+ <command>configure --disable-crypto-rand</command>, then
|
||||
+ entropy is <emphasis>not</emphasis> sourced from the
|
||||
+ cryptographic library. In this case, if
|
||||
+ <command>random-device</command> is not specified, the
|
||||
+ default value is the system random device,
|
||||
+ <filename>/dev/random</filename> or the equivalent.
|
||||
+ This default can be overridden with
|
||||
+ <command>configure --with-randomdev</command>.
|
||||
+ If no system random device exists, then no entropy source
|
||||
+ will be configured, and <command>named</command> will only
|
||||
+ be able to use pseudo-random numbers.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
|
||||
index d3fdb5e..fbc78a0 100644
|
||||
--- a/doc/arm/notes.xml
|
||||
+++ b/doc/arm/notes.xml
|
||||
@@ -115,7 +115,28 @@
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>
|
||||
- None.
|
||||
+ By default, BIND now uses the random number generation functions
|
||||
+ in the cryptographic library (i.e., OpenSSL or a PKCS#11
|
||||
+ provider) as a source of high-quality randomness rather than
|
||||
+ <filename>/dev/random</filename>. This is suitable for virtual
|
||||
+ machine environments, which may have limited entropy pools and
|
||||
+ lack hardware random number generators.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ This can be overridden by specifying another entropy source via
|
||||
+ the <command>random-device</command> option in
|
||||
+ <filename>named.conf</filename>, or via the <command>-r</command>
|
||||
+ command line option. However, for functions requiring full
|
||||
+ cryptographic strength, such as DNSSEC key generation, this
|
||||
+ <emphasis>cannot</emphasis> be overridden. In particular, the
|
||||
+ <command>-r</command> command line option no longer has any
|
||||
+ effect on <command>dnssec-keygen</command>.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ This can be disabled by building with
|
||||
+ <command>configure --disable-crypto-rand</command>, in which
|
||||
+ case <filename>/dev/random</filename> will be the default
|
||||
+ entropy source. [RT #31459] [RT #46047]
|
||||
</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
|
||||
index 803e7b3..29a4fef 100644
|
||||
--- a/lib/dns/dst_api.c
|
||||
+++ b/lib/dns/dst_api.c
|
||||
@@ -276,8 +276,9 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
|
||||
#endif
|
||||
#if defined(OPENSSL) || defined(PKCS11CRYPTO)
|
||||
#ifdef ISC_PLATFORM_CRYPTORANDOM
|
||||
- if (dst_entropy_pool != NULL)
|
||||
+ if (dst_entropy_pool != NULL) {
|
||||
isc_entropy_sethook(dst_random_getdata);
|
||||
+ }
|
||||
#endif
|
||||
#endif /* defined(OPENSSL) || defined(PKCS11CRYPTO) */
|
||||
dst_initialized = ISC_TRUE;
|
||||
@@ -2015,10 +2016,12 @@ dst__entropy_getdata(void *buf, unsigned int len, isc_boolean_t pseudo) {
|
||||
else
|
||||
flags |= ISC_ENTROPY_BLOCKING;
|
||||
#ifdef ISC_PLATFORM_CRYPTORANDOM
|
||||
+ /* get entropy directly from crypto provider */
|
||||
return (dst_random_getdata(buf, len, NULL, flags));
|
||||
#else
|
||||
+ /* get entropy from entropy source or hook function */
|
||||
return (isc_entropy_getdata(dst_entropy_pool, buf, len, NULL, flags));
|
||||
-#endif
|
||||
+#endif /* ISC_PLATFORM_CRYPTORANDOM */
|
||||
#endif /* PKCS11CRYPTO */
|
||||
}
|
||||
|
||||
diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
|
||||
index d9b6ab6..e8c1a3c 100644
|
||||
--- a/lib/dns/include/dst/dst.h
|
||||
+++ b/lib/dns/include/dst/dst.h
|
||||
@@ -161,8 +161,18 @@ isc_result_t
|
||||
dst_random_getdata(void *data, unsigned int length,
|
||||
unsigned int *returned, unsigned int flags);
|
||||
/*%<
|
||||
- * \brief Return data from the crypto random generator.
|
||||
- * Specialization of isc_entropy_getdata().
|
||||
+ * Gets random data from the random generator provided by the
|
||||
+ * crypto library, if BIND was built with --enable-crypto-rand.
|
||||
+ *
|
||||
+ * See isc_entropy_getdata() for parameter usage. Normally when
|
||||
+ * this function is available, it will be set up as a hook in the
|
||||
+ * entropy context, so that isc_entropy_getdata() is a front-end to
|
||||
+ * this function.
|
||||
+ *
|
||||
+ * Returns:
|
||||
+ * \li ISC_R_SUCCESS on success
|
||||
+ * \li ISC_R_NOTIMPLEMENTED if BIND is built with --disable-crypto-rand
|
||||
+ * \li DST_R_OPENSSLFAILURE, DST_R_CRYPTOFAILURE, or other codes on error
|
||||
*/
|
||||
|
||||
isc_boolean_t
|
||||
diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
|
||||
index c1e1bde..91e87d0 100644
|
||||
--- a/lib/dns/openssl_link.c
|
||||
+++ b/lib/dns/openssl_link.c
|
||||
@@ -482,7 +482,8 @@ dst__openssl_getengine(const char *engine) {
|
||||
|
||||
isc_result_t
|
||||
dst_random_getdata(void *data, unsigned int length,
|
||||
- unsigned int *returned, unsigned int flags) {
|
||||
+ unsigned int *returned, unsigned int flags)
|
||||
+{
|
||||
#ifdef ISC_PLATFORM_CRYPTORANDOM
|
||||
#ifndef DONT_REQUIRE_DST_LIB_INIT
|
||||
INSIST(dst__memory_pool != NULL);
|
||||
diff --git a/lib/isc/include/isc/entropy.h b/lib/isc/include/isc/entropy.h
|
||||
index d9deb8a..2d37363 100644
|
||||
--- a/lib/isc/include/isc/entropy.h
|
||||
+++ b/lib/isc/include/isc/entropy.h
|
||||
@@ -9,8 +9,6 @@
|
||||
* information regarding copyright ownership.
|
||||
*/
|
||||
|
||||
-/* $Id: entropy.h,v 1.35 2009/10/19 02:37:08 marka Exp $ */
|
||||
-
|
||||
#ifndef ISC_ENTROPY_H
|
||||
#define ISC_ENTROPY_H 1
|
||||
|
||||
@@ -190,9 +188,8 @@ isc_entropy_createcallbacksource(isc_entropy_t *ent,
|
||||
/*!<
|
||||
* \brief Create an entropy source that is polled via a callback.
|
||||
*
|
||||
- * This would
|
||||
- * be used when keyboard input is used, or a GUI input method. It can
|
||||
- * also be used to hook in any external entropy source.
|
||||
+ * This would be used when keyboard input is used, or a GUI input method.
|
||||
+ * It can also be used to hook in any external entropy source.
|
||||
*
|
||||
* Samples are added via isc_entropy_addcallbacksample(), below.
|
||||
* _addcallbacksample() is the only function which may be called from
|
||||
@@ -233,15 +230,32 @@ isc_result_t
|
||||
isc_entropy_getdata(isc_entropy_t *ent, void *data, unsigned int length,
|
||||
unsigned int *returned, unsigned int flags);
|
||||
/*!<
|
||||
- * \brief Extract data from the entropy pool. This may load the pool from various
|
||||
- * sources.
|
||||
+ * \brief Get random data from entropy pool 'ent'.
|
||||
+ *
|
||||
+ * If a hook has been set up using isc_entropy_sethook() and
|
||||
+ * isc_entropy_usehook(), then the hook function will be called to get
|
||||
+ * random data.
|
||||
+ *
|
||||
+ * Otherwise, randomness is extracted from the entropy pool set up in BIND.
|
||||
+ * This may cause the pool to be loaded from various sources. Ths is done
|
||||
+ * by stirring the pool and returning a part of hash as randomness.
|
||||
+ * (Note that no secrets are given away here since parts of the hash are
|
||||
+ * XORed together before returning.)
|
||||
+ *
|
||||
+ * 'flags' may contain ISC_ENTROPY_GOODONLY, ISC_ENTROPY_PARTIAL, or
|
||||
+ * ISC_ENTROPY_BLOCKING. These will be honored if the hook function is
|
||||
+ * not in use. If it is, the flags will be passed to the hook function
|
||||
+ * but it may ignore them.
|
||||
*
|
||||
- * Do this by stiring the pool and returning a part of hash as randomness.
|
||||
- * Note that no secrets are given away here since parts of the hash are
|
||||
- * xored together before returned.
|
||||
+ * Up to 'length' bytes of randomness are retrieved and copied into 'data'.
|
||||
+ * (If 'returned' is not NULL, and the number of bytes copied is less than
|
||||
+ * 'length' - which may happen if ISC_ENTROPY_PARTIAL was used - then the
|
||||
+ * number of bytes copied will be stored in *returned.)
|
||||
*
|
||||
- * Honor the request from the caller to only return good data, any data,
|
||||
- * etc.
|
||||
+ * Returns:
|
||||
+ * \li ISC_R_SUCCESS on success
|
||||
+ * \li ISC_R_NOENTROPY if entropy pool is empty
|
||||
+ * \li other error codes are possible when a hook is in use
|
||||
*/
|
||||
|
||||
void
|
||||
@@ -306,13 +320,21 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source,
|
||||
void
|
||||
isc_entropy_usehook(isc_entropy_t *ectx, isc_boolean_t onoff);
|
||||
/*!<
|
||||
- * \brief Mark/unmark the given entropy structure as being hooked.
|
||||
+ * \brief Configure entropy context 'ectx' to use the hook function
|
||||
+ *
|
||||
+ * Sets the entropy context to call the hook function for random number
|
||||
+ * generation, if such a function has been configured via
|
||||
+ * isc_entropy_sethook(), whenever isc_entropy_getdata() is called.
|
||||
*/
|
||||
|
||||
void
|
||||
isc_entropy_sethook(isc_entropy_getdata_t myhook);
|
||||
/*!<
|
||||
- * \brief Set the getdata hook (e.g., for a crypto random generator).
|
||||
+ * \brief Set the hook function.
|
||||
+ *
|
||||
+ * The hook function is a global value: only one hook function
|
||||
+ * can be set in the system. Individual entropy contexts may be
|
||||
+ * configured to use it, or not, by calling isc_entropy_usehook().
|
||||
*/
|
||||
|
||||
ISC_LANG_ENDDECLS
|
||||
diff --git a/lib/isc/include/isc/random.h b/lib/isc/include/isc/random.h
|
||||
index ba53ebf..b575728 100644
|
||||
--- a/lib/isc/include/isc/random.h
|
||||
+++ b/lib/isc/include/isc/random.h
|
||||
@@ -9,8 +9,6 @@
|
||||
* information regarding copyright ownership.
|
||||
*/
|
||||
|
||||
-/* $Id: random.h,v 1.20 2009/01/17 23:47:43 tbox Exp $ */
|
||||
-
|
||||
#ifndef ISC_RANDOM_H
|
||||
#define ISC_RANDOM_H 1
|
||||
|
||||
@@ -21,13 +19,23 @@
|
||||
#include <isc/mutex.h>
|
||||
|
||||
/*! \file isc/random.h
|
||||
- * \brief Implements a random state pool which will let the caller return a
|
||||
- * series of possibly non-reproducible random values.
|
||||
+ * \brief Implements pseudo random number generators.
|
||||
+ *
|
||||
+ * Two pseudo-random number generators are implemented, in isc_random_*
|
||||
+ * and isc_rng_*. Neither one is very strong; they should not be used
|
||||
+ * in cryptography functions.
|
||||
+ *
|
||||
+ * isc_random_* is based on arc4random if it is available on the system.
|
||||
+ * Otherwise it is based on the posix srand() and rand() functions.
|
||||
+ * It is useful for jittering values a bit here and there, such as
|
||||
+ * timeouts, etc, but should not be relied upon to generate
|
||||
+ * unpredictable sequences (for example, when choosing transaction IDs).
|
||||
*
|
||||
- * Note that the
|
||||
- * strength of these numbers is not all that high, and should not be
|
||||
- * used in cryptography functions. It is useful for jittering values
|
||||
- * a bit here and there, such as timeouts, etc.
|
||||
+ * isc_rng_* is based on ChaCha20, and is seeded and stirred from the
|
||||
+ * system entropy source. It is stronger than isc_random_* and can
|
||||
+ * be used for generating unpredictable sequences. It is still not as
|
||||
+ * good as using system entropy directly (see entropy.h) and should not
|
||||
+ * be used for cryptographic functions such as key generation.
|
||||
*/
|
||||
|
||||
ISC_LANG_BEGINDECLS
|
||||
@@ -115,8 +123,8 @@ isc_rng_random(isc_rng_t *rngctx);
|
||||
isc_uint16_t
|
||||
isc_rng_uniformrandom(isc_rng_t *rngctx, isc_uint16_t upper_bound);
|
||||
/*%<
|
||||
- * Returns a uniformly distributed pseudo random 16-bit unsigned
|
||||
- * integer.
|
||||
+ * Returns a uniformly distributed pseudo-random 16-bit unsigned integer
|
||||
+ * less than 'upper_bound'.
|
||||
*/
|
||||
|
||||
ISC_LANG_ENDDECLS
|
||||
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
|
||||
index 8d496ff..dd08187 100644
|
||||
--- a/lib/isccfg/namedconf.c
|
||||
+++ b/lib/isccfg/namedconf.c
|
||||
@@ -1106,7 +1106,7 @@ options_clauses[] = {
|
||||
{ "pid-file", &cfg_type_qstringornone, 0 },
|
||||
{ "port", &cfg_type_uint32, 0 },
|
||||
{ "querylog", &cfg_type_boolean, 0 },
|
||||
- { "random-device", &cfg_type_qstring, 0 },
|
||||
+ { "random-device", &cfg_type_qstringornone, 0 },
|
||||
{ "recursing-file", &cfg_type_qstring, 0 },
|
||||
{ "recursive-clients", &cfg_type_uint32, 0 },
|
||||
{ "reserved-sockets", &cfg_type_uint32, 0 },
|
||||
--
|
||||
2.20.1
|
||||
|
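--- a/SOURCES/bind-9.11-unit-disable-random.patch
+++ b/SOURCES/bind-9.11-unit-disable-random.patch
@@ -0,0 +1,45 @@
+From c89b0e288f923af69b97e8acc29250b262be7d1e Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Thu, 21 Feb 2019 22:42:27 +0100
+Subject: [PATCH] Disable random_test
+
+It fails too often on some architecture, failing the whole build along.
+Because it runs two times for pkcs11 and normal build and any of
+subtests can occasionally fail, stop it.
+
+It can be used again by defining 'unstable' variable in Kyuafile.
+---
+lib/isc/tests/Atffile | 3 ++-
+lib/isc/tests/Kyuafile | 2 +-
+2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/lib/isc/tests/Atffile b/lib/isc/tests/Atffile
+index 8681844..74a4a77 100644
+--- a/lib/isc/tests/Atffile
++++ b/lib/isc/tests/Atffile
+@@ -20,7 +20,8 @@ tp: pool_test
+tp: print_test
+tp: queue_test
+tp: radix_test
+-tp: random_test
++# random test fails too often
++#tp: random_test
+tp: regex_test
+tp: result_test
+tp: safe_test
+diff --git a/lib/isc/tests/Kyuafile b/lib/isc/tests/Kyuafile
+index 1c510c1..a86824a 100644
+--- a/lib/isc/tests/Kyuafile
++++ b/lib/isc/tests/Kyuafile
+@@ -19,7 +19,7 @@ atf_test_program{name='pool_test'}
+atf_test_program{name='print_test'}
+atf_test_program{name='queue_test'}
+atf_test_program{name='radix_test'}
+-atf_test_program{name='random_test'}
++atf_test_program{name='random_test', required_configs='unstable'}
+atf_test_program{name='regex_test'}
+atf_test_program{name='result_test'}
+atf_test_program{name='safe_test'}
+--
+2.20.1
+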
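Review bot: The Atffile hunk drops random_test outright (`+#tp: random_test`) while the Kyuafile hunk keeps it behind `required_configs='unstable'`, so the patch description's statement that the test "can be used again by defining 'unstable'" holds only for Kyua-driven runs; ATF-driven runs lose the test with no switch to bring it back. If the ATF runner offers an equivalent conditional, use it there; otherwise the description should say that the Atffile list drops the test unconditionally. Since this removes a test of the random-number code on all platforms rather than only the failing one, recording in the description which architecture and which subtests were failing would let the skip be revisited instead of becoming permanent.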
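--- a/SOURCES/bind-9.11-zone2ldap.patch
+++ b/SOURCES/bind-9.11-zone2ldap.patch
@@ -0,0 +1,196 @@
+From 738d12594972ad816e8cff9821f760aa0682fd08 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Tue, 18 Dec 2018 16:06:26 +0100
+Subject: [PATCH] Make absolute hostname by dns API instead of strings
+
+Duplicate all strings in dc_list. Free allocated memory on each record.
+---
+bin/sdb_tools/zone2ldap.c | 72 +++++++++++++++++++++++++++++------------------
+1 file changed, 45 insertions(+), 27 deletions(-)
+
+diff --git a/bin/sdb_tools/zone2ldap.c b/bin/sdb_tools/zone2ldap.c
+index acf160b..cc482dc 100644
+--- a/bin/sdb_tools/zone2ldap.c
++++ b/bin/sdb_tools/zone2ldap.c
+@@ -87,6 +87,10 @@ int get_attr_list_size (char **tmp);
+/* Get a DN */
+char *build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag, char *zone);
+
++/* Free a DN list */
++static void
++free_dc_list(char **dc_list);
++
+/* Add to RR list */
+void add_to_rr_list (char *dn, char *name, char *type, char *data,
+unsigned int ttl, unsigned int flags);
+@@ -123,6 +127,7 @@ static char dNSTTL []="dNSTTL";
+static char zoneName []="zoneName";
+static char dc []="dc";
+static char sameZone []="@";
++static char dot []=".";
+/* LDAPMod mod_values: */
+static char *objectClasses []= { &(topClass[0]), &(dNSZoneClass[0]), NULL };
+static char *topObjectClasses []= { &(topClass[0]), &(dcObjectClass[0]), &(dNSZoneClass[0]), NULL };
+@@ -396,6 +401,8 @@ main (int argc, char **argv)
+}
+
+}
++
++ free_dc_list(dc_list);
+}
+else
+{
+@@ -451,12 +458,17 @@ generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, unsigned int ttl)
+char data[2048];
+char **dc_list;
+char *dn;
++ size_t argzone_len;
++ isc_boolean_t omit_dot;
+
+isc_buffer_t buff;
+isc_result_t result;
+
+isc_buffer_init (&buff, name, sizeof (name));
+- result = dns_name_totext (dnsname, ISC_TRUE, &buff);
++ argzone_len = strlen(argzone);
++ /* If argzone is absolute, output absolute name too */
++ omit_dot = ISC_TF(!(argzone_len > 0 && argzone[argzone_len-1] == '.'));
++ result = dns_name_totext (dnsname, omit_dot, &buff);
+isc_result_check (result, "dns_name_totext");
+name[isc_buffer_usedlength (&buff)] = 0;
+
+@@ -478,6 +490,7 @@ generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, unsigned int ttl)
+printf ("Adding %s (%s %s) to run queue list.\n", dn, type, data);
+
+add_to_rr_list (dn, dc_list[len], (char*)type, (char*)data, ttl, DNS_OBJECT);
++ free_dc_list(dc_list);
+}
+
+
+@@ -538,12 +551,9 @@ add_to_rr_list (char *dn, char *name, char *type,
+if (tmp->attrs == (LDAPMod **) NULL)
+fatal("calloc");
+
+- for (i = 0; i < (int)flags; i++)
+- {
+- tmp->attrs[i] = (LDAPMod *) malloc (sizeof (LDAPMod));
+- if (tmp->attrs[i] == (LDAPMod *) NULL)
+- fatal("malloc");
+- }
++ tmp->attrs[0] = (LDAPMod *) malloc (sizeof (LDAPMod));
++ if (tmp->attrs[0] == (LDAPMod *) NULL)
++ fatal("malloc");
+tmp->attrs[0]->mod_op = LDAP_MOD_ADD;
+tmp->attrs[0]->mod_type = objectClass;
+
+@@ -559,9 +569,18 @@ add_to_rr_list (char *dn, char *name, char *type,
+return;
+}
+
++ for (i = 1; i < (int)flags-1; i++)
++ {
++ tmp->attrs[i] = (LDAPMod *) malloc (sizeof (LDAPMod));
++ if (tmp->attrs[i] == (LDAPMod *) NULL)
++ fatal("malloc");
++ }
++ tmp->attrs[i] = NULL;
++
++
+tmp->attrs[1]->mod_op = LDAP_MOD_ADD;
+tmp->attrs[1]->mod_type = relativeDomainName;
+- tmp->attrs[1]->mod_values = (char **) calloc (sizeof (char *), 2);
++ tmp->attrs[1]->mod_values = (char **) calloc (sizeof (char *), 3);
+
+if (tmp->attrs[1]->mod_values == (char **)NULL)
+fatal("calloc");
+@@ -705,25 +724,16 @@ char **
+hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
+{
+char *tmp;
+- int i = 0;
++ int i = 0, j = 0;
+char *hname=0L, *last=0L;
+int hlen=strlen(hostname), zlen=(strlen(zone));
+
+/* printf("hostname: %s zone: %s\n",hostname, zone); */
+- hname=0L;
+if(flags == DNS_OBJECT)
+{
+- if( (zone[ zlen - 1 ] == '.') && (hostname[hlen - 1] != '.') )
+- {
+- hname=(char*)malloc(hlen + 1);
+- hlen += 1;
+- sprintf(hname, "%s.", hostname);
+- hostname = hname;
+- }
+if(strcmp(hostname, zone) == 0)
+{
+- if( hname == 0 )
+- hname=strdup(hostname);
++ hname=strdup(hostname);
+last = strdup(sameZone);
+}else
+{
+@@ -731,8 +741,6 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
+||( strcmp( hostname + (hlen - zlen), zone ) != 0)
+)
+{
+- if( hname != 0 )
+- free(hname);
+hname=(char*)malloc( hlen + zlen + 1);
+if( *zone == '.' )
+sprintf(hname, "%s%s", hostname, zone);
+@@ -740,8 +748,7 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
+sprintf(hname,"%s",zone);
+}else
+{
+- if( hname == 0 )
+- hname = strdup(hostname);
++ hname = strdup(hostname);
+}
+last = hname;
+}
+@@ -754,18 +761,21 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
+for (tmp = strrchr (hname, '.'); tmp != (char *) 0;
+tmp = strrchr (hname, '.'))
+{
+- if( *( tmp + 1 ) != '\0' )
++ tmp[0] = '\0';
++ if( tmp[1] != '\0' )
+{
+- *tmp = '\0';
+dn_buffer[i++] = ++tmp;
+}else
+{ /* trailing '.' ! */
+- dn_buffer[i++] = strdup(".");
+- *tmp = '\0';
++ dn_buffer[i++] = dot;
+if( tmp == hname )
+break;
+}
+}
++ for (j=0; j<i; j++)
++ {
++ dn_buffer[j] = strdup(dn_buffer[j]);
++ }
+if( ( last != hname ) && (tmp != hname) )
+dn_buffer[i++] = hname;
+dn_buffer[i++] = last;
+@@ -825,6 +835,14 @@ build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag, char *zone)
+return dn;
+}
+
++static void
++free_dc_list(char **dc_list)
++{
++ for (; *dc_list; dc_list++) {
++ free(*dc_list);
++ *dc_list=NULL;
++ }
++}
+
+/* Initialize LDAP Conn */
+void
+--
+2.14.5
+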
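Review bot: The copies made in the new `for (j=0; j<i; j++)` loop in hostname_to_dn_list, `dn_buffer[j] = strdup(dn_buffer[j]);`, are never checked for NULL, and neither are the two `hname=strdup(hostname);` lines in the same function, although the rest of this file aborts with `fatal("strdup")` when an allocation fails; add `if (dn_buffer[j] == NULL) fatal("strdup");` inside that loop and the same check after each hname strdup. This matters more now than before the patch, because the new free_dc_list walks dc_list only up to the first NULL, so a NULL left in the middle of the list would end the walk early and leak every entry after it. The `free_dc_list(dc_list);` added in generate_ldap directly after `add_to_rr_list (dn, dc_list[len], ...)` presumably relies on add_to_rr_list copying `name` rather than keeping the pointer; that is not visible in these hunks and is worth confirming, since otherwise the queued record would refer to freed memory. The hunks in add_to_rr_list and hostname_to_dn_list cut through those functions, so their bodies continue outside the patch context.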
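--- a/SOURCES/bind-9.3.1rc1-sdb_tools-Makefile.in
+++ b/SOURCES/bind-9.3.1rc1-sdb_tools-Makefile.in
@@ -0,0 +1,63 @@
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include \
+${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \
+${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES}
+
+CDEFINES = -DBIND9
+
+DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
+ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
+ISCCCLIBS = ../../lib/isccc/libisccc.@A@
+ISCLIBS = ../../lib/isc/libisc.@A@
+LWRESLIBS = ../../lib/lwres/liblwres.@A@
+BIND9LIBS = ../../lib/bind9/libbind9.@A@
+
+DNSDEPLIBS = ../../lib/dns/libdns.@A@
+ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
+ISCCCDEPLIBS = ../../lib/isccc/libisccc.@A@
+ISCDEPLIBS = ../../lib/isc/libisc.@A@
+LWRESDEPLIBS = ../../lib/lwres/liblwres.@A@
+BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
+
+DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
+${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${ISCDEPLIBS}
+
+LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
+${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} ${DBDRIVER_LIBS} @LIBS@
+
+TARGETS = zone2ldap@EXEEXT@ zonetodb@EXEEXT@
+
+OBJS = zone2ldap.@O@ zonetodb.@O@
+
+SRCS = zone2ldap.c zonetodb.c
+
+MANPAGES = zone2ldap.1
+
+EXT_CFLAGS =
+
+@BIND9_MAKE_RULES@
+
+zone2ldap@EXEEXT@: zone2ldap.@O@ ${DEPLIBS}
+${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ zone2ldap.@O@ -lldap -llber ${LIBS}
+
+zonetodb@EXEEXT@: zonetodb.@O@ ${DEPLIBS}
+${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ zonetodb.@O@ -lpq ${LIBS}
+
+clean distclean manclean maintainer-clean::
+rm -f ${TARGETS} ${OBJS}
+
+installdirs:
+$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
+$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1
+
+install:: ${TARGETS} installdirs
+${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2ldap@EXEEXT@ ${DESTDIR}${sbindir}
+${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zonetodb@EXEEXT@ ${DESTDIR}${sbindir}
+${INSTALL_DATA} ${srcdir}/zone2ldap.1 ${DESTDIR}${mandir}/man1/zone2ldap.1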
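--- a/SOURCES/bind-9.3.2-redhat_doc.patch
+++ b/SOURCES/bind-9.3.2-redhat_doc.patch
@@ -0,0 +1,62 @@
+diff --git a/bin/named/named.8 b/bin/named/named.8
+index cd990a9..890be36 100644
+--- a/bin/named/named.8
++++ b/bin/named/named.8
+@@ -358,6 +358,57 @@ The default configuration file\&.
+/var/run/named/named\&.pid
+.RS 4
+The default process\-id file\&.
++.PP
++.SH "NOTES"
++.PP
++.TP
++\fBRed Hat SELinux BIND Security Profile:\fR
++.PP
++By default, Red Hat ships BIND with the most secure SELinux policy
++that will not prevent normal BIND operation and will prevent exploitation
++of all known BIND security vulnerabilities . See the selinux(8) man page
++for information about SElinux.
++.PP
++It is not necessary to run named in a chroot environment if the Red Hat
++SELinux policy for named is enabled. When enabled, this policy is far
++more secure than a chroot environment. Users are recommended to enable
++SELinux and remove the bind-chroot package.
++.PP
++With this extra security comes some restrictions:
++.PP
++By default, the SELinux policy does not allow named to write any master
++zone database files. Only the root user may create files in the $ROOTDIR/var/named
++zone database file directory (the options { "directory" } option), where
++$ROOTDIR is set in /etc/sysconfig/named.
++.PP
++The "named" group must be granted read privelege to
++these files in order for named to be enabled to read them.
++.PP
++Any file created in the zone database file directory is automatically assigned
++the SELinux file context named_zone_t .
++.PP
++By default, SELinux prevents any role from modifying named_zone_t files; this
++means that files in the zone database directory cannot be modified by dynamic
++DNS (DDNS) updates or zone transfers.
++.PP
++The Red Hat BIND distribution and SELinux policy creates three directories where
++named is allowed to create and modify files: /var/named/slaves, /var/named/dynamic
++/var/named/data. By placing files you want named to modify, such as
++slave or DDNS updateable zone files and database / statistics dump files in
++these directories, named will work normally and no further operator action is
++required. Files in these directories are automatically assigned the 'named_cache_t'
++file context, which SELinux allows named to write.
++.PP
++\fBRed Hat BIND SDB support:\fR
++.PP
++Red Hat ships named with compiled in Simplified Database Backend modules that ISC
++provides in the "contrib/sdb" directory. Install bind-sdb package if you want use them
++.PP
++The SDB modules for LDAP, PostGreSQL, DirDB and SQLite are compiled into named-sdb.
++.PP
++See the documentation for the various SDB modules in /usr/share/doc/bind-sdb-*/ .
++.br
++.PP
+.RE
+.SH "SEE ALSO"
+.PP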
519
SOURCES/bind-9.3.2b1-fix_sdb_ldap.patch
Normal file
@ -0,0 +1,519 @@
|
||||
diff --git a/bin/sdb_tools/Makefile.in b/bin/sdb_tools/Makefile.in
|
||||
index 95ab742..6069f09 100644
|
||||
--- a/bin/sdb_tools/Makefile.in
|
||||
+++ b/bin/sdb_tools/Makefile.in
|
||||
@@ -32,11 +32,11 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
|
||||
LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
|
||||
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} ${DBDRIVER_LIBS} @LIBS@
|
||||
|
||||
-TARGETS = zone2ldap@EXEEXT@ zonetodb@EXEEXT@ zone2sqlite@EXEEXT@
|
||||
+TARGETS = zone2ldap@EXEEXT@ ldap2zone@EXEEXT@ zonetodb@EXEEXT@ zone2sqlite@EXEEXT@
|
||||
|
||||
-OBJS = zone2ldap.@O@ zonetodb.@O@ zone2sqlite.@O@
|
||||
+OBJS = zone2ldap.@O@ ldap2zone.@O@ zonetodb.@O@ zone2sqlite.@O@
|
||||
|
||||
-SRCS = zone2ldap.c zonetodb.c zone2sqlite.c
|
||||
+SRCS = zone2ldap.c ldap2zone.c zonetodb.c zone2sqlite.c
|
||||
|
||||
MANPAGES = zone2ldap.1
|
||||
|
||||
@@ -53,6 +53,9 @@ zonetodb@EXEEXT@: zonetodb.@O@ ${DEPLIBS}
|
||||
zone2sqlite@EXEEXT@: zone2sqlite.@O@ ${DEPLIBS}
|
||||
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ zone2sqlite.@O@ -lsqlite3 -lssl ${LIBS}
|
||||
|
||||
+ldap2zone@EXEEXT@: ldap2zone.@O@ ${DEPLIBS}
|
||||
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ ldap2zone.@O@ -lldap -llber ${LIBS}
|
||||
+
|
||||
clean distclean manclean maintainer-clean::
|
||||
rm -f ${TARGETS} ${OBJS}
|
||||
|
||||
@@ -62,6 +65,7 @@ installdirs:
|
||||
|
||||
install:: ${TARGETS} installdirs
|
||||
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2ldap@EXEEXT@ ${DESTDIR}${sbindir}
|
||||
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} ldap2zone@EXEEXT@ ${DESTDIR}${sbindir}
|
||||
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zonetodb@EXEEXT@ ${DESTDIR}${sbindir}
|
||||
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2sqlite@EXEEXT@ ${DESTDIR}${sbindir}
|
||||
${INSTALL_DATA} ${srcdir}/zone2ldap.1 ${DESTDIR}${mandir}/man1/zone2ldap.1
|
||||
diff --git a/bin/sdb_tools/zone2ldap.c b/bin/sdb_tools/zone2ldap.c
|
||||
index 23dd873..d56bc56 100644
|
||||
--- a/bin/sdb_tools/zone2ldap.c
|
||||
+++ b/bin/sdb_tools/zone2ldap.c
|
||||
@@ -65,6 +66,9 @@ ldap_info;
|
||||
/* usage Info */
|
||||
void usage (void);
|
||||
|
||||
+/* Check for existence of (and possibly add) containing dNSZone objects */
|
||||
+int lookup_dns_zones( ldap_info *ldinfo);
|
||||
+
|
||||
/* Add to the ldap dit */
|
||||
void add_ldap_values (ldap_info * ldinfo);
|
||||
|
||||
@@ -81,7 +85,7 @@ char **hostname_to_dn_list (char *hostname, char *zone, unsigned int flags);
|
||||
int get_attr_list_size (char **tmp);
|
||||
|
||||
/* Get a DN */
|
||||
-char *build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag);
|
||||
+char *build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag, char *zone);
|
||||
|
||||
/* Add to RR list */
|
||||
void add_to_rr_list (char *dn, char *name, char *type, char *data,
|
||||
@@ -103,11 +107,27 @@ void
|
||||
init_ldap_conn ();
|
||||
void usage();
|
||||
|
||||
-char *argzone, *ldapbase, *binddn, *bindpw = NULL;
|
||||
-const char *ldapsystem = "localhost";
|
||||
-static const char *objectClasses[] =
|
||||
- { "top", "dNSZone", NULL };
|
||||
-static const char *topObjectClasses[] = { "top", NULL };
|
||||
+static char *argzone, *ldapbase, *binddn, *bindpw = NULL;
|
||||
+
|
||||
+/* these are needed to placate gcc4's const-ness const-ernations : */
|
||||
+static char localhost[] = "localhost";
|
||||
+static char *ldapsystem=&(localhost[0]);
|
||||
+/* dnszone schema class names: */
|
||||
+static char topClass [] ="top";
|
||||
+static char dNSZoneClass[] ="dNSZone";
|
||||
+static char objectClass [] ="objectClass";
|
||||
+static char dcObjectClass[]="dcObject";
|
||||
+/* dnszone schema attribute names: */
|
||||
+static char relativeDomainName[]="relativeDomainName";
|
||||
+static char dNSTTL []="dNSTTL";
|
||||
+static char zoneName []="zoneName";
|
||||
+static char dc []="dc";
|
||||
+static char sameZone []="@";
|
||||
+/* LDAPMod mod_values: */
|
||||
+static char *objectClasses []= { &(topClass[0]), &(dNSZoneClass[0]), NULL };
|
||||
+static char *topObjectClasses []= { &(topClass[0]), &(dcObjectClass[0]), &(dNSZoneClass[0]), NULL };
|
||||
+static char *dn_buffer [64]={NULL};
|
||||
+
|
||||
LDAP *conn;
|
||||
unsigned int debug = 0;
|
||||
|
||||
@@ -131,12 +151,12 @@ main (int argc, char **argv)
|
||||
isc_result_t result;
|
||||
char *basedn;
|
||||
ldap_info *tmp;
|
||||
- LDAPMod *base_attrs[2];
|
||||
- LDAPMod base;
|
||||
+ LDAPMod *base_attrs[5];
|
||||
+ LDAPMod base, dcBase, znBase, rdnBase;
|
||||
isc_buffer_t buff;
|
||||
char *zonefile=0L;
|
||||
char fullbasedn[1024];
|
||||
- char *ctmp;
|
||||
+ char *ctmp, *zn, *dcp[2], *znp[2], *rdn[2];
|
||||
dns_fixedname_t fixedzone, fixedname;
|
||||
dns_rdataset_t rdataset;
|
||||
char **dc_list;
|
||||
@@ -149,7 +169,7 @@ main (int argc, char **argv)
|
||||
extern char *optarg;
|
||||
extern int optind, opterr, optopt;
|
||||
int create_base = 0;
|
||||
- int topt;
|
||||
+ int topt, dcn, zdn, znlen;
|
||||
|
||||
if (argc < 2)
|
||||
{
|
||||
@@ -157,7 +177,7 @@ main (int argc, char **argv)
|
||||
exit (-1);
|
||||
}
|
||||
|
||||
- while ((topt = getopt (argc, argv, "D:w:b:z:f:h:?dcv")) != -1)
|
||||
+ while ((topt = getopt (argc, argv, "D:Ww:b:z:f:h:?dcv")) != -1)
|
||||
{
|
||||
switch (topt)
|
||||
{
|
||||
@@ -180,6 +200,9 @@ main (int argc, char **argv)
|
||||
if (bindpw == NULL)
|
||||
fatal("strdup");
|
||||
break;
|
||||
+ case 'W':
|
||||
+ bindpw = getpass("Enter LDAP Password: ");
|
||||
+ break;
|
||||
case 'b':
|
||||
ldapbase = strdup (optarg);
|
||||
if (ldapbase == NULL)
|
||||
@@ -301,27 +324,62 @@ main (int argc, char **argv)
|
||||
{
|
||||
if (debug)
|
||||
printf ("Creating base zone DN %s\n", argzone);
|
||||
-
|
||||
+
|
||||
dc_list = hostname_to_dn_list (argzone, argzone, DNS_TOP);
|
||||
- basedn = build_dn_from_dc_list (dc_list, 0, NO_SPEC);
|
||||
|
||||
- for (ctmp = &basedn[strlen (basedn)]; ctmp >= &basedn[0]; ctmp--)
|
||||
+ basedn = build_dn_from_dc_list (dc_list, 0, NO_SPEC, argzone);
|
||||
+ if (debug)
|
||||
+ printf ("base DN %s\n", basedn);
|
||||
+
|
||||
+ for (ctmp = &basedn[strlen (basedn)], dcn=0; ctmp >= &basedn[0]; ctmp--)
|
||||
{
|
||||
- if ((*ctmp == ',') || (ctmp == &basedn[0]))
|
||||
+ if ((*ctmp == ',') || (ctmp == &basedn[0]))
|
||||
{
|
||||
+
|
||||
base.mod_op = LDAP_MOD_ADD;
|
||||
- base.mod_type = (char*)"objectClass";
|
||||
- base.mod_values = (char**)topObjectClasses;
|
||||
+ base.mod_type = objectClass;
|
||||
+ base.mod_values = topObjectClasses;
|
||||
base_attrs[0] = (void*)&base;
|
||||
- base_attrs[1] = NULL;
|
||||
-
|
||||
+
|
||||
+ dcBase.mod_op = LDAP_MOD_ADD;
|
||||
+ dcBase.mod_type = dc;
|
||||
+ dcp[0]=dc_list[dcn];
|
||||
+ dcp[1]=0L;
|
||||
+ dcBase.mod_values=dcp;
|
||||
+ base_attrs[1] = (void*)&dcBase;
|
||||
+
|
||||
+ znBase.mod_op = LDAP_MOD_ADD;
|
||||
+ znBase.mod_type = zoneName;
|
||||
+ for( zdn = dcn, znlen = 0; zdn >= 0; zdn-- )
|
||||
+ znlen += strlen(dc_list[zdn])+1;
|
||||
+ znp[0] = (char*)malloc(znlen+1);
|
||||
+ znp[1] = 0L;
|
||||
+ for( zdn = dcn, zn=znp[0]; zdn >= 0; zdn-- )
|
||||
+ zn+=sprintf(zn,"%s%s",dc_list[zdn],
|
||||
+ ((zdn > 0) && (*(dc_list[zdn-1])!='.')) ? "." : ""
|
||||
+ );
|
||||
+
|
||||
+ znBase.mod_values = znp;
|
||||
+ base_attrs[2] = (void*)&znBase;
|
||||
+
|
||||
+ rdnBase.mod_op = LDAP_MOD_ADD;
|
||||
+ rdnBase.mod_type = relativeDomainName;
|
||||
+ rdn[0] = strdup(sameZone);
|
||||
+ rdn[1] = 0L;
|
||||
+ rdnBase.mod_values = rdn;
|
||||
+ base_attrs[3] = (void*)&rdnBase;
|
||||
+
|
||||
+ dcn++;
|
||||
+
|
||||
+ base.mod_values = topObjectClasses;
|
||||
+ base_attrs[4] = NULL;
|
||||
+
|
||||
if (ldapbase)
|
||||
{
|
||||
if (ctmp != &basedn[0])
|
||||
sprintf (fullbasedn, "%s,%s", ctmp + 1, ldapbase);
|
||||
else
|
||||
- sprintf (fullbasedn, "%s,%s", ctmp, ldapbase);
|
||||
-
|
||||
+ sprintf (fullbasedn, "%s,%s", ctmp, ldapbase);
|
||||
}
|
||||
else
|
||||
{
|
||||
@@ -330,8 +388,13 @@ main (int argc, char **argv)
|
||||
else
|
||||
sprintf (fullbasedn, "%s", ctmp);
|
||||
}
|
||||
+
|
||||
+ if( debug )
|
||||
+ printf("Full base dn: %s\n", fullbasedn);
|
||||
+
|
||||
result = ldap_add_s (conn, fullbasedn, base_attrs);
|
||||
ldap_result_check ("intial ldap_add_s", fullbasedn, result);
|
||||
+
|
||||
}
|
||||
|
||||
}
|
||||
@@ -409,14 +472,14 @@ generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, unsigned int ttl)
|
||||
isc_result_check (result, "dns_rdata_totext");
|
||||
data[isc_buffer_usedlength (&buff)] = 0;
|
||||
|
||||
- dc_list = hostname_to_dn_list (name, argzone, DNS_OBJECT);
|
||||
+ dc_list = hostname_to_dn_list ((char*)name, argzone, DNS_OBJECT);
|
||||
len = (get_attr_list_size (dc_list) - 2);
|
||||
- dn = build_dn_from_dc_list (dc_list, ttl, WI_SPEC);
|
||||
+ dn = build_dn_from_dc_list (dc_list, ttl, WI_SPEC, argzone);
|
||||
|
||||
if (debug)
|
||||
printf ("Adding %s (%s %s) to run queue list.\n", dn, type, data);
|
||||
|
||||
- add_to_rr_list (dn, dc_list[len], type, data, ttl, DNS_OBJECT);
|
||||
+ add_to_rr_list (dn, dc_list[len], (char*)type, (char*)data, ttl, DNS_OBJECT);
|
||||
}
|
||||
|
||||
|
||||
@@ -456,7 +519,8 @@ add_to_rr_list (char *dn, char *name, char *type,
|
||||
int attrlist;
|
||||
char ldap_type_buffer[128];
|
||||
char charttl[64];
|
||||
-
|
||||
+ char *zn;
|
||||
+ int znlen;
|
||||
|
||||
if ((tmp = locate_by_dn (dn)) == NULL)
|
||||
{
|
||||
@@ -483,13 +547,13 @@ add_to_rr_list (char *dn, char *name, char *type,
|
||||
fatal("malloc");
|
||||
}
|
||||
tmp->attrs[0]->mod_op = LDAP_MOD_ADD;
|
||||
- tmp->attrs[0]->mod_type = (char*)"objectClass";
|
||||
+ tmp->attrs[0]->mod_type = objectClass;
|
||||
|
||||
if (flags == DNS_OBJECT)
|
||||
- tmp->attrs[0]->mod_values = (char**)objectClasses;
|
||||
+ tmp->attrs[0]->mod_values = objectClasses;
|
||||
else
|
||||
{
|
||||
- tmp->attrs[0]->mod_values = (char**)topObjectClasses;
|
||||
+ tmp->attrs[0]->mod_values =topObjectClasses;
|
||||
tmp->attrs[1] = NULL;
|
||||
tmp->attrcnt = 2;
|
||||
tmp->next = ldap_info_base;
|
||||
@@ -498,7 +562,7 @@ add_to_rr_list (char *dn, char *name, char *type,
|
||||
}
|
||||
|
||||
tmp->attrs[1]->mod_op = LDAP_MOD_ADD;
|
||||
- tmp->attrs[1]->mod_type = (char*)"relativeDomainName";
|
||||
+ tmp->attrs[1]->mod_type = relativeDomainName;
|
||||
tmp->attrs[1]->mod_values = (char **) calloc (sizeof (char *), 2);
|
||||
|
||||
if (tmp->attrs[1]->mod_values == (char **)NULL)
|
||||
@@ -527,7 +591,7 @@ add_to_rr_list (char *dn, char *name, char *type,
|
||||
fatal("strdup");
|
||||
|
||||
tmp->attrs[3]->mod_op = LDAP_MOD_ADD;
|
||||
- tmp->attrs[3]->mod_type = (char*)"dNSTTL";
|
||||
+ tmp->attrs[3]->mod_type = dNSTTL;
|
||||
tmp->attrs[3]->mod_values = (char **) calloc (sizeof (char *), 2);
|
||||
|
||||
if (tmp->attrs[3]->mod_values == (char **)NULL)
|
||||
@@ -540,14 +604,25 @@ add_to_rr_list (char *dn, char *name, char *type,
|
||||
if (tmp->attrs[3]->mod_values[0] == NULL)
|
||||
fatal("strdup");
|
||||
|
||||
+ znlen=strlen(gbl_zone);
|
||||
+ if ( *(gbl_zone + (znlen-1)) == '.' )
|
||||
+ { /* ldapdb MUST search by relative zone name */
|
||||
+ zn = (char*)malloc(znlen);
|
||||
+ strncpy(zn,gbl_zone,znlen-1);
|
||||
+ *(zn + (znlen-1))='\0';
|
||||
+ }else
|
||||
+ {
|
||||
+ zn = gbl_zone;
|
||||
+ }
|
||||
+
|
||||
tmp->attrs[4]->mod_op = LDAP_MOD_ADD;
|
||||
- tmp->attrs[4]->mod_type = (char*)"zoneName";
|
||||
+ tmp->attrs[4]->mod_type = zoneName;
|
||||
tmp->attrs[4]->mod_values = (char **)calloc(sizeof(char *), 2);
|
||||
|
||||
if (tmp->attrs[4]->mod_values == (char **)NULL)
|
||||
fatal("calloc");
|
||||
|
||||
- tmp->attrs[4]->mod_values[0] = gbl_zone;
|
||||
+ tmp->attrs[4]->mod_values[0] = zn;
|
||||
tmp->attrs[4]->mod_values[1] = NULL;
|
||||
|
||||
tmp->attrs[5] = NULL;
|
||||
@@ -558,7 +633,7 @@ add_to_rr_list (char *dn, char *name, char *type,
|
||||
else
|
||||
{
|
||||
|
||||
- for (i = 0; tmp->attrs[i] != NULL; i++)
|
||||
+ for (i = 0; tmp->attrs[i] != NULL; i++)
|
||||
{
|
||||
sprintf (ldap_type_buffer, "%sRecord", type);
|
||||
if (!strncmp
|
||||
@@ -632,44 +707,70 @@ char **
|
||||
hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
|
||||
{
|
||||
char *tmp;
|
||||
- static char *dn_buffer[64];
|
||||
int i = 0;
|
||||
- char *zname;
|
||||
- char *hnamebuff;
|
||||
-
|
||||
- zname = strdup (hostname);
|
||||
- if (zname == NULL)
|
||||
- fatal("strdup");
|
||||
-
|
||||
- if (flags == DNS_OBJECT)
|
||||
- {
|
||||
-
|
||||
- if (strlen (zname) != strlen (zone))
|
||||
- {
|
||||
- tmp = &zname[strlen (zname) - strlen (zone)];
|
||||
- *--tmp = '\0';
|
||||
- hnamebuff = strdup (zname);
|
||||
- if (hnamebuff == NULL)
|
||||
- fatal("strdup");
|
||||
- zname = ++tmp;
|
||||
- }
|
||||
- else
|
||||
- hnamebuff = (char*)"@";
|
||||
- }
|
||||
- else
|
||||
- {
|
||||
- zname = zone;
|
||||
- hnamebuff = NULL;
|
||||
- }
|
||||
-
|
||||
- for (tmp = strrchr (zname, '.'); tmp != (char *) 0;
|
||||
- tmp = strrchr (zname, '.'))
|
||||
- {
|
||||
- *tmp++ = '\0';
|
||||
- dn_buffer[i++] = tmp;
|
||||
- }
|
||||
- dn_buffer[i++] = zname;
|
||||
- dn_buffer[i++] = hnamebuff;
|
||||
+ char *hname=0L, *last=0L;
|
||||
+ int hlen=strlen(hostname), zlen=(strlen(zone));
|
||||
+
|
||||
+/* printf("hostname: %s zone: %s\n",hostname, zone); */
|
||||
+ hname=0L;
|
||||
+ if(flags == DNS_OBJECT)
|
||||
+ {
|
||||
+ if( (zone[ zlen - 1 ] == '.') && (hostname[hlen - 1] != '.') )
|
||||
+ {
|
||||
+ hname=(char*)malloc(hlen + 1);
|
||||
+ hlen += 1;
|
||||
+ sprintf(hname, "%s.", hostname);
|
||||
+ hostname = hname;
|
||||
+ }
|
||||
+ if(strcmp(hostname, zone) == 0)
|
||||
+ {
|
||||
+ if( hname == 0 )
|
||||
+ hname=strdup(hostname);
|
||||
+ last = strdup(sameZone);
|
||||
+ }else
|
||||
+ {
|
||||
+ if( (hlen < zlen)
|
||||
+ ||( strcmp( hostname + (hlen - zlen), zone ) != 0)
|
||||
+ )
|
||||
+ {
|
||||
+ if( hname != 0 )
|
||||
+ free(hname);
|
||||
+ hname=(char*)malloc( hlen + zlen + 1);
|
||||
+ if( *zone == '.' )
|
||||
+ sprintf(hname, "%s%s", hostname, zone);
|
||||
+ else
|
||||
+ sprintf(hname,"%s",zone);
|
||||
+ }else
|
||||
+ {
|
||||
+ if( hname == 0 )
|
||||
+ hname = strdup(hostname);
|
||||
+ }
|
||||
+ last = hname;
|
||||
+ }
|
||||
+ }else
|
||||
+ { /* flags == DNS_TOP */
|
||||
+ hname = strdup(zone);
|
||||
+ last = hname;
|
||||
+ }
|
||||
+
|
||||
+ for (tmp = strrchr (hname, '.'); tmp != (char *) 0;
|
||||
+ tmp = strrchr (hname, '.'))
|
||||
+ {
|
||||
+ if( *( tmp + 1 ) != '\0' )
|
||||
+ {
|
||||
+ *tmp = '\0';
|
||||
+ dn_buffer[i++] = ++tmp;
|
||||
+ }else
|
||||
+ { /* trailing '.' ! */
|
||||
+ dn_buffer[i++] = strdup(".");
|
||||
+ *tmp = '\0';
|
||||
+ if( tmp == hname )
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+ if( ( last != hname ) && (tmp != hname) )
|
||||
+ dn_buffer[i++] = hname;
|
||||
+ dn_buffer[i++] = last;
|
||||
dn_buffer[i] = NULL;
|
||||
|
||||
return dn_buffer;
|
||||
@@ -681,24 +782,32 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
|
||||
* exception of "@"/SOA. */
|
||||
|
||||
char *
|
||||
-build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag)
|
||||
+build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag, char *zone)
|
||||
{
|
||||
int size;
|
||||
- int x;
|
||||
+ int x, znlen;
|
||||
static char dn[1024];
|
||||
char tmp[128];
|
||||
+ char zn[DNS_NAME_MAXTEXT+1];
|
||||
|
||||
bzero (tmp, sizeof (tmp));
|
||||
bzero (dn, sizeof (dn));
|
||||
size = get_attr_list_size (dc_list);
|
||||
+ znlen = strlen(zone);
|
||||
+ if ( *(zone + (znlen-1)) == '.' )
|
||||
+ { /* ldapdb MUST search by relative zone name */
|
||||
+ memcpy(&(zn[0]),zone,znlen-1);
|
||||
+ *(zn + (znlen-1))='\0';
|
||||
+ zone = zn;
|
||||
+ }
|
||||
for (x = size - 2; x > 0; x--)
|
||||
{
|
||||
if (flag == WI_SPEC)
|
||||
{
|
||||
if (x == (size - 2) && (strncmp (dc_list[x], "@", 1) == 0) && (ttl))
|
||||
- sprintf (tmp, "relativeDomainName=%s + dNSTTL=%d,", dc_list[x], ttl);
|
||||
+ sprintf (tmp, "zoneName=%s + relativeDomainName=%s,", zone, dc_list[x]);
|
||||
else if (x == (size - 2))
|
||||
- sprintf(tmp, "relativeDomainName=%s,",dc_list[x]);
|
||||
+ sprintf(tmp, "zoneName=%s + relativeDomainName=%s,", zone, dc_list[x]);
|
||||
else
|
||||
sprintf(tmp,"dc=%s,", dc_list[x]);
|
||||
}
|
||||
@@ -724,6 +833,7 @@ void
|
||||
init_ldap_conn ()
|
||||
{
|
||||
int result;
|
||||
+ char ldb_tag[]="LDAP Bind";
|
||||
conn = ldap_open (ldapsystem, LDAP_PORT);
|
||||
if (conn == NULL)
|
||||
{
|
||||
@@ -733,7 +843,7 @@ init_ldap_conn ()
|
||||
}
|
||||
|
||||
result = ldap_simple_bind_s (conn, binddn, bindpw);
|
||||
- ldap_result_check ("ldap_simple_bind_s", (char*)"LDAP Bind", result);
|
||||
+ ldap_result_check ("ldap_simple_bind_s", ldb_tag , result);
|
||||
}
|
||||
|
||||
/* Like isc_result_check, only for LDAP */
|
||||
@@ -750,8 +860,6 @@ ldap_result_check (const char *msg, char *dn, int err)
|
||||
}
|
||||
}
|
||||
|
||||
-
|
||||
-
|
||||
/* For running the ldap_info run queue. */
|
||||
void
|
||||
add_ldap_values (ldap_info * ldinfo)
|
||||
@@ -759,14 +867,14 @@ add_ldap_values (ldap_info * ldinfo)
|
||||
int result;
|
||||
char dnbuffer[1024];
|
||||
|
||||
-
|
||||
if (ldapbase != NULL)
|
||||
sprintf (dnbuffer, "%s,%s", ldinfo->dn, ldapbase);
|
||||
else
|
||||
sprintf (dnbuffer, "%s", ldinfo->dn);
|
||||
|
||||
result = ldap_add_s (conn, dnbuffer, ldinfo->attrs);
|
||||
- ldap_result_check ("ldap_add_s", dnbuffer, result);
|
||||
+ ldap_result_check ("ldap_add_s", dnbuffer, result);
|
||||
+
|
||||
}
|
||||
|
||||
|
||||
@@ -777,5 +885,5 @@ void
|
||||
usage ()
|
||||
{
|
||||
fprintf (stderr,
|
||||
- "zone2ldap -D [BIND DN] -w [BIND PASSWORD] -b [BASE DN] -z [ZONE] -f [ZONE FILE] -h [LDAP HOST] "
|
||||
+ "zone2ldap -D [BIND DN] [-w BIND PASSWORD | -W:prompt] -b [BASE DN] -z [ZONE] -f [ZONE FILE] -h [LDAP HOST] "
|
||||
"[-c Create LDAP Base structure][-d Debug Output (lots !)] \n ");}
|
230
SOURCES/bind-9.3.2b2-sdbsrc.patch
Normal file
@ -0,0 +1,230 @@
|
||||
diff --git a/contrib/sdb/bdb/bdb.c b/contrib/sdb/bdb/bdb.c
|
||||
index 23594bb..b3c6619 100644
|
||||
--- a/contrib/sdb/bdb/bdb.c
|
||||
+++ b/contrib/sdb/bdb/bdb.c
|
||||
@@ -43,7 +43,7 @@
|
||||
#include <dns/lib.h>
|
||||
#include <dns/ttl.h>
|
||||
|
||||
-#include <named/bdb.h>
|
||||
+#include "bdb.h"
|
||||
#include <named/globals.h>
|
||||
#include <named/config.h>
|
||||
|
||||
diff --git a/contrib/sdb/ldap/zone2ldap.c b/contrib/sdb/ldap/zone2ldap.c
|
||||
index 07c89bc..23dd873 100644
|
||||
--- a/contrib/sdb/ldap/zone2ldap.c
|
||||
+++ b/contrib/sdb/ldap/zone2ldap.c
|
||||
@@ -63,16 +63,16 @@ typedef struct LDAP_INFO
|
||||
ldap_info;
|
||||
|
||||
/* usage Info */
|
||||
-void usage ();
|
||||
+void usage (void);
|
||||
|
||||
/* Add to the ldap dit */
|
||||
void add_ldap_values (ldap_info * ldinfo);
|
||||
|
||||
/* Init an ldap connection */
|
||||
-void init_ldap_conn ();
|
||||
+void init_ldap_conn (void);
|
||||
|
||||
/* Ldap error checking */
|
||||
-void ldap_result_check (char *msg, char *dn, int err);
|
||||
+void ldap_result_check (const char *msg, char *dn, int err);
|
||||
|
||||
/* Put a hostname into a char ** array */
|
||||
char **hostname_to_dn_list (char *hostname, char *zone, unsigned int flags);
|
||||
@@ -88,7 +88,7 @@ void add_to_rr_list (char *dn, char *name, char *type, char *data,
|
||||
unsigned int ttl, unsigned int flags);
|
||||
|
||||
/* Error checking */
|
||||
-void isc_result_check (isc_result_t res, char *errorstr);
|
||||
+void isc_result_check (isc_result_t res, const char *errorstr);
|
||||
|
||||
/* Generate LDIF Format files */
|
||||
void generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata,
|
||||
@@ -97,11 +97,17 @@ void generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata,
|
||||
/* head pointer to the list */
|
||||
ldap_info *ldap_info_base = NULL;
|
||||
|
||||
+ldap_info *
|
||||
+locate_by_dn (char *dn);
|
||||
+void
|
||||
+init_ldap_conn ();
|
||||
+void usage();
|
||||
+
|
||||
char *argzone, *ldapbase, *binddn, *bindpw = NULL;
|
||||
-char *ldapsystem = "localhost";
|
||||
-static char *objectClasses[] =
|
||||
+const char *ldapsystem = "localhost";
|
||||
+static const char *objectClasses[] =
|
||||
{ "top", "dNSZone", NULL };
|
||||
-static char *topObjectClasses[] = { "top", NULL };
|
||||
+static const char *topObjectClasses[] = { "top", NULL };
|
||||
LDAP *conn;
|
||||
unsigned int debug = 0;
|
||||
|
||||
@@ -128,7 +134,7 @@ main (int argc, char **argv)
|
||||
LDAPMod *base_attrs[2];
|
||||
LDAPMod base;
|
||||
isc_buffer_t buff;
|
||||
- char *zonefile;
|
||||
+ char *zonefile=0L;
|
||||
char fullbasedn[1024];
|
||||
char *ctmp;
|
||||
dns_fixedname_t fixedzone, fixedname;
|
||||
@@ -304,9 +310,9 @@ main (int argc, char **argv)
|
||||
if ((*ctmp == ',') || (ctmp == &basedn[0]))
|
||||
{
|
||||
base.mod_op = LDAP_MOD_ADD;
|
||||
- base.mod_type = "objectClass";
|
||||
- base.mod_values = topObjectClasses;
|
||||
- base_attrs[0] = &base;
|
||||
+ base.mod_type = (char*)"objectClass";
|
||||
+ base.mod_values = (char**)topObjectClasses;
|
||||
+ base_attrs[0] = (void*)&base;
|
||||
base_attrs[1] = NULL;
|
||||
|
||||
if (ldapbase)
|
||||
@@ -363,7 +369,7 @@ main (int argc, char **argv)
|
||||
* I should probably rename this function, as not to cause any
|
||||
* confusion with the isc* routines. Will exit on error. */
|
||||
void
|
||||
-isc_result_check (isc_result_t res, char *errorstr)
|
||||
+isc_result_check (isc_result_t res, const char *errorstr)
|
||||
{
|
||||
if (res != ISC_R_SUCCESS)
|
||||
{
|
||||
@@ -470,20 +476,20 @@ add_to_rr_list (char *dn, char *name, char *type,
|
||||
if (tmp->attrs == (LDAPMod **) NULL)
|
||||
fatal("calloc");
|
||||
|
||||
- for (i = 0; i < flags; i++)
|
||||
+ for (i = 0; i < (int)flags; i++)
|
||||
{
|
||||
tmp->attrs[i] = (LDAPMod *) malloc (sizeof (LDAPMod));
|
||||
if (tmp->attrs[i] == (LDAPMod *) NULL)
|
||||
fatal("malloc");
|
||||
}
|
||||
tmp->attrs[0]->mod_op = LDAP_MOD_ADD;
|
||||
- tmp->attrs[0]->mod_type = "objectClass";
|
||||
+ tmp->attrs[0]->mod_type = (char*)"objectClass";
|
||||
|
||||
if (flags == DNS_OBJECT)
|
||||
- tmp->attrs[0]->mod_values = objectClasses;
|
||||
+ tmp->attrs[0]->mod_values = (char**)objectClasses;
|
||||
else
|
||||
{
|
||||
- tmp->attrs[0]->mod_values = topObjectClasses;
|
||||
+ tmp->attrs[0]->mod_values = (char**)topObjectClasses;
|
||||
tmp->attrs[1] = NULL;
|
||||
tmp->attrcnt = 2;
|
||||
tmp->next = ldap_info_base;
|
||||
@@ -492,7 +498,7 @@ add_to_rr_list (char *dn, char *name, char *type,
|
||||
}
|
||||
|
||||
tmp->attrs[1]->mod_op = LDAP_MOD_ADD;
|
||||
- tmp->attrs[1]->mod_type = "relativeDomainName";
|
||||
+ tmp->attrs[1]->mod_type = (char*)"relativeDomainName";
|
||||
tmp->attrs[1]->mod_values = (char **) calloc (sizeof (char *), 2);
|
||||
|
||||
if (tmp->attrs[1]->mod_values == (char **)NULL)
|
||||
@@ -521,7 +527,7 @@ add_to_rr_list (char *dn, char *name, char *type,
|
||||
fatal("strdup");
|
||||
|
||||
tmp->attrs[3]->mod_op = LDAP_MOD_ADD;
|
||||
- tmp->attrs[3]->mod_type = "dNSTTL";
|
||||
+ tmp->attrs[3]->mod_type = (char*)"dNSTTL";
|
||||
tmp->attrs[3]->mod_values = (char **) calloc (sizeof (char *), 2);
|
||||
|
||||
if (tmp->attrs[3]->mod_values == (char **)NULL)
|
||||
@@ -535,7 +541,7 @@ add_to_rr_list (char *dn, char *name, char *type,
|
||||
fatal("strdup");
|
||||
|
||||
tmp->attrs[4]->mod_op = LDAP_MOD_ADD;
|
||||
- tmp->attrs[4]->mod_type = "zoneName";
|
||||
+ tmp->attrs[4]->mod_type = (char*)"zoneName";
|
||||
tmp->attrs[4]->mod_values = (char **)calloc(sizeof(char *), 2);
|
||||
|
||||
if (tmp->attrs[4]->mod_values == (char **)NULL)
|
||||
@@ -648,7 +654,7 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
|
||||
zname = ++tmp;
|
||||
}
|
||||
else
|
||||
- hnamebuff = "@";
|
||||
+ hnamebuff = (char*)"@";
|
||||
}
|
||||
else
|
||||
{
|
||||
@@ -727,12 +733,12 @@ init_ldap_conn ()
|
||||
}
|
||||
|
||||
result = ldap_simple_bind_s (conn, binddn, bindpw);
|
||||
- ldap_result_check ("ldap_simple_bind_s", "LDAP Bind", result);
|
||||
+ ldap_result_check ("ldap_simple_bind_s", (char*)"LDAP Bind", result);
|
||||
}
|
||||
|
||||
/* Like isc_result_check, only for LDAP */
|
||||
void
|
||||
-ldap_result_check (char *msg, char *dn, int err)
|
||||
+ldap_result_check (const char *msg, char *dn, int err)
|
||||
{
|
||||
if ((err != LDAP_SUCCESS) && (err != LDAP_ALREADY_EXISTS))
|
||||
{
|
||||
diff --git a/contrib/sdb/pgsql/pgsqldb.c b/contrib/sdb/pgsql/pgsqldb.c
|
||||
index 50d3cba..516eb9f 100644
|
||||
--- a/contrib/sdb/pgsql/pgsqldb.c
|
||||
+++ b/contrib/sdb/pgsql/pgsqldb.c
|
||||
@@ -23,7 +23,7 @@
|
||||
#include <string.h>
|
||||
#include <stdlib.h>
|
||||
|
||||
-#include <pgsql/libpq-fe.h>
|
||||
+#include <libpq-fe.h>
|
||||
|
||||
#include <isc/mem.h>
|
||||
#include <isc/print.h>
|
||||
diff --git a/contrib/sdb/pgsql/zonetodb.c b/contrib/sdb/pgsql/zonetodb.c
|
||||
index b8f5912..ff2d135 100644
|
||||
--- a/contrib/sdb/pgsql/zonetodb.c
|
||||
+++ b/contrib/sdb/pgsql/zonetodb.c
|
||||
@@ -37,7 +37,7 @@
|
||||
#include <dns/rdatatype.h>
|
||||
#include <dns/result.h>
|
||||
|
||||
-#include <pgsql/libpq-fe.h>
|
||||
+#include <libpq-fe.h>
|
||||
|
||||
/*
|
||||
* Generate a PostgreSQL table from a zone.
|
||||
@@ -54,6 +54,9 @@ char *dbname, *dbtable;
|
||||
char str[10240];
|
||||
|
||||
void
|
||||
+closeandexit(int status);
|
||||
+
|
||||
+void
|
||||
closeandexit(int status) {
|
||||
if (conn != NULL)
|
||||
PQfinish(conn);
|
||||
@@ -61,6 +64,9 @@ closeandexit(int status) {
|
||||
}
|
||||
|
||||
void
|
||||
+check_result(isc_result_t result, const char *message);
|
||||
+
|
||||
+void
|
||||
check_result(isc_result_t result, const char *message) {
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
fprintf(stderr, "%s: %s\n", message,
|
||||
@@ -84,7 +90,8 @@ quotestring(const unsigned char *source, unsigned char *dest) {
|
||||
}
|
||||
*dest++ = 0;
|
||||
}
|
||||
-
|
||||
+void
|
||||
+addrdata(dns_name_t *name, dns_ttl_t ttl, dns_rdata_t *rdata);
|
||||
void
|
||||
addrdata(dns_name_t *name, dns_ttl_t ttl, dns_rdata_t *rdata) {
|
||||
unsigned char namearray[DNS_NAME_MAXTEXT + 1];
|
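Review bot: The second zone2ldap.c hunk re-declares `init_ldap_conn ();` and `void usage();` with empty parentheses right after the first hunk converted those prototypes to `(void)`, so the patch reintroduces the non-prototype declarations it fixes in the same file; either drop the added declaration lines or write them as `void init_ldap_conn (void);` and `void usage (void);`. The added `(char**)objectClasses` and `(char**)topObjectClasses` casts discard the `const` the same patch adds to those arrays, and `base_attrs[0] = (void*)&base;` casts a `LDAPMod *` through `void *` for no visible reason; if libldap's `char **mod_values` forces the cast, a comment such as `/* libldap's LDAPMod has no const-correct mod_values */` would say so. The zonetodb.c hunks add a prototype directly above each definition (`closeandexit`, `check_result`, `addrdata`), which presumably silences a missing-prototype warning; a one-line comment stating that intent would stop a later cleanup from removing them.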
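--- a/SOURCES/bind-9.5-PIE.patch
+++ b/SOURCES/bind-9.5-PIE.patch
@@ -0,0 +1,27 @@
+--- bind-9.5.0b2/bin/named/Makefile.in.pie 2008-02-11 17:21:47.000000000 +0100
++++ bind-9.5.0b2/bin/named/Makefile.in 2008-02-11 17:22:10.000000000 +0100
+@@ -100,8 +100,12 @@ HTMLPAGES = named.html lwresd.html named
+
+MANOBJS = ${MANPAGES} ${HTMLPAGES}
+
++EXT_CFLAGS = -fpie
++
+@BIND9_MAKE_RULES@
+
++LDFLAGS += -pie -Wl,-z,relro,-z,now,-z,nodlopen,-z,noexecstack
++
+main.@O@: main.c
+${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+-DVERSION=\"${VERSION}\" \
+diff -up bind-9.5.0b2/bin/named/unix/Makefile.in.pie bind-9.5.0b2/bin/named/unix/Makefile.in
+--- bind-9.5.0b2/bin/named/unix/Makefile.in.pie 2008-02-11 17:22:21.000000000 +0100
++++ bind-9.5.0b2/bin/named/unix/Makefile.in 2008-02-11 17:23:00.000000000 +0100
+@@ -19,6 +19,8 @@ srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
++EXT_CFLAGS = -fpie
++
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES = -I${srcdir}/include -I${srcdir}/../include \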
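Review bot: The hardening flags are added with no comment saying why named alone is linked as a PIE, so a future rebase could drop them silently; add `# Fedora: link named as a position-independent executable with full RELRO and a non-executable stack` above the first `EXT_CFLAGS = -fpie`. `EXT_CFLAGS = -fpie` is set in both bin/named and bin/named/unix while `LDFLAGS += -pie ...` appears only in bin/named/Makefile.in, which is consistent with only that directory linking the binary, but the comment should state that every object linked into named must be built with `-fpie`/`-fPIC` for the link to succeed. The first file in the patch has no `diff -up` header line whereas the second does; harmless for `patch -p1`, but inconsistent.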
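--- a/SOURCES/bind-9.5-dlz-64bit.patch
+++ b/SOURCES/bind-9.5-dlz-64bit.patch
@@ -0,0 +1,53 @@
+diff --git a/contrib/dlz/config.dlz.in b/contrib/dlz/config.dlz.in
+index 47525af..eefe3c3 100644
+--- a/contrib/dlz/config.dlz.in
++++ b/contrib/dlz/config.dlz.in
+@@ -17,6 +17,13 @@
+#
+dlzdir='${DLZ_DRIVER_DIR}'
+
++AC_MSG_CHECKING([for target libdir])
++AC_RUN_IFELSE([int main(void) {exit((sizeof(void *) == 8) ? 0 : 1);}],
++ [target_lib=lib64],
++ [target_lib=lib],
++)
++AC_MSG_RESULT(["$target_lib"])
++
+#
+# Private autoconf macro to simplify configuring drivers:
+#
+@@ -292,9 +299,9 @@ case "$use_dlz_bdb" in
+then
+break
+fi
+- elif test -f "$dd/lib/lib${d}.so"
++ elif test -f "$dd/${target_lib}/lib${d}.so"
+then
+- dlz_bdb_libs="-L${dd}/lib -l${d}"
++ dlz_bdb_libs="-L${dd}/${target_lib} -l${d}"
+break
+fi
+done
+@@ -396,7 +403,7 @@ case "$use_dlz_ldap" in
+*)
+DLZ_ADD_DRIVER(LDAP, dlz_ldap_driver,
+[-I$use_dlz_ldap/include],
+- [-L$use_dlz_ldap/lib -lldap -llber])
++ [-L$use_dlz_ldap/${target_lib} -lldap -llber])
+
+AC_MSG_RESULT(
+[using LDAP from $use_dlz_ldap/lib and $use_dlz_ldap/include])
+@@ -432,11 +439,11 @@ then
+odbcdirs="/usr /usr/local /usr/pkg"
+for d in $odbcdirs
+do
+- if test -f $d/include/sql.h -a -f $d/lib/libodbc.a
++ if test -f $d/include/sql.h -a -f $d/${target_lib}/libodbc.a
+then
+use_dlz_odbc=$d
+dlz_odbc_include="-I$use_dlz_odbc/include"
+- dlz_odbc_libs="-L$use_dlz_odbc/lib -lodbc"
++ dlz_odbc_libs="-L$use_dlz_odbc/${target_lib} -lodbc"
+break
+fi
+done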
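Review bot: `AC_RUN_IFELSE` is given no action-if-cross-compiling argument and its probe calls `exit()` without including `<stdlib.h>`, so configure aborts when cross-compiling, and a compiler that rejects implicit declarations by default (GCC 14 onward) makes the probe fail to compile and silently take the `[target_lib=lib]` branch on 64-bit hosts; write it as `AC_RUN_IFELSE([AC_LANG_PROGRAM([#include <stdlib.h>], [exit((sizeof(void *) == 8) ? 0 : 1);])], [target_lib=lib64], [target_lib=lib], [target_lib=lib])`. The LDAP hunk switches the link path to `${target_lib}` but the `AC_MSG_RESULT` that follows still prints `$use_dlz_ldap/lib`, so configure output misreports the directory actually used. Another patch in this import (the libdb one) also references `${target_lib}` and therefore depends on this patch being applied first; a line in the patch header would make that ordering explicit.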
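--- a/SOURCES/bind-9.9.1-P2-dlz-libdb.patch
+++ b/SOURCES/bind-9.9.1-P2-dlz-libdb.patch
@@ -0,0 +1,31 @@
+diff -up bind-9.10.1b1/contrib/dlz/config.dlz.in.libdb bind-9.10.1b1/contrib/dlz/config.dlz.in
+--- bind-9.10.1b1/contrib/dlz/config.dlz.in.libdb 2014-08-04 12:33:09.320735111 +0200
++++ bind-9.10.1b1/contrib/dlz/config.dlz.in 2014-08-04 12:41:46.888241910 +0200
+@@ -263,7 +263,7 @@ case "$use_dlz_bdb" in
+# Check other locations for includes.
+# Order is important (sigh).
+
+- bdb_incdirs="/db53 /db51 /db48 /db47 /db46 /db45 /db44 /db43 /db42 /db41 /db4 /db"
++ bdb_incdirs="/db53 /db51 /db48 /db47 /db46 /db45 /db44 /db43 /db42 /db41 /db4 /libdb /db"
+# include a blank element first
+for d in "" $bdb_incdirs
+do
+@@ -288,16 +288,9 @@ case "$use_dlz_bdb" in
+bdb_libnames="db53 db-5.3 db51 db-5.1 db48 db-4.8 db47 db-4.7 db46 db-4.6 db45 db-4.5 db44 db-4.4 db43 db-4.3 db42 db-4.2 db41 db-4.1 db"
+for d in $bdb_libnames
+do
+- if test "$dd" = "/usr"
++ if test -f "$dd/${target_lib}/lib${d}.so"
+then
+- AC_CHECK_LIB($d, db_create, dlz_bdb_libs="-l${d}")
+- if test $dlz_bdb_libs != "yes"
+- then
+- break
+- fi
+- elif test -f "$dd/${target_lib}/lib${d}.so"
+- then
+- dlz_bdb_libs="-L${dd}/${target_lib} -l${d}"
++ dlz_bdb_libs="-L${dd}/${target_lib}/libdb -l${d}"
+break
+fi
+done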
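Review bot: The new test probes `$dd/${target_lib}/lib${d}.so` but the link flag it then emits is `-L${dd}/${target_lib}/libdb`, so the file checked and the directory searched at link time differ; unless `lib${d}.so` is guaranteed to exist in both places, one of the two paths is wrong and should be aligned with the other, e.g. `if test -f "$dd/${target_lib}/libdb/lib${d}.so"`. Dropping the `test "$dd" = "/usr"` branch also removes the `AC_CHECK_LIB` path that linked with a bare `-l${d}` when the library is on the default search path, so a `-L.../libdb` flag is now always emitted. `${target_lib}` is defined by a separate patch in this import, so this file only applies cleanly when that one is applied first.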
85
SOURCES/bind-9.9.1-P2-multlib-conflict.patch
Normal file
@ -0,0 +1,85 @@
|
||||
diff --git a/config.h.in b/config.h.in
|
||||
index e1364dd921..1dc65cfb21 100644
|
||||
--- a/config.h.in
|
||||
+++ b/config.h.in
|
||||
@@ -588,7 +588,7 @@ int sigwait(const unsigned int *set, int *sig);
|
||||
#undef PREFER_GOSTASN1
|
||||
|
||||
/* The size of `void *', as computed by sizeof. */
|
||||
-#undef SIZEOF_VOID_P
|
||||
+/* #undef SIZEOF_VOID_P */
|
||||
|
||||
/* Define to 1 if you have the ANSI C header files. */
|
||||
#undef STDC_HEADERS
|
||||
diff --git a/configure.in b/configure.in
|
||||
index 73b1c8ccbb..129fc3f311 100644
|
||||
--- a/configure.in
|
||||
+++ b/configure.in
|
||||
@@ -3523,14 +3523,14 @@ AC_TRY_COMPILE([
|
||||
#include <sys/socket.h>
|
||||
#include <netdb.h>
|
||||
int getnameinfo(const struct sockaddr *, socklen_t, char *,
|
||||
- socklen_t, char *, socklen_t, unsigned int);],
|
||||
+ socklen_t, char *, socklen_t, int);],
|
||||
[ return (0);],
|
||||
- [AC_MSG_RESULT(socklen_t for buflen; u_int for flags)
|
||||
+ [AC_MSG_RESULT(socklen_t for buflen; int for flags)
|
||||
AC_DEFINE(IRS_GETNAMEINFO_SOCKLEN_T, socklen_t,
|
||||
[Define to the sockaddr length type used by getnameinfo(3).])
|
||||
AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, socklen_t,
|
||||
[Define to the buffer length type used by getnameinfo(3).])
|
||||
- AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, unsigned int,
|
||||
+ AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, int,
|
||||
[Define to the flags type used by getnameinfo(3).])],
|
||||
[AC_TRY_COMPILE([
|
||||
#include <sys/types.h>
|
||||
@@ -3557,7 +3557,7 @@ int getnameinfo(const struct sockaddr *, size_t, char *,
|
||||
[AC_MSG_RESULT(not match any subspecies; assume standard definition)
|
||||
AC_DEFINE(IRS_GETNAMEINFO_SOCKLEN_T, socklen_t)
|
||||
AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, socklen_t)
|
||||
-AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, int)])])])
|
||||
+AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, unsigned int)])])])
|
||||
|
||||
#
|
||||
# ...and same for gai_strerror().
|
||||
diff --git a/isc-config.sh.in b/isc-config.sh.in
|
||||
index a8a0a89e88..b5e94ed13e 100644
|
||||
--- a/isc-config.sh.in
|
||||
+++ b/isc-config.sh.in
|
||||
@@ -13,7 +13,18 @@ prefix=@prefix@
|
||||
exec_prefix=@exec_prefix@
|
||||
exec_prefix_set=
|
||||
includedir=@includedir@
|
||||
-libdir=@libdir@
|
||||
+arch=$(uname -m)
|
||||
+
|
||||
+case $arch in
|
||||
+ x86_64 | amd64 | sparc64 | s390x | ppc64)
|
||||
+ libdir=/usr/lib64
|
||||
+ sec_libdir=/usr/lib
|
||||
+ ;;
|
||||
+ * )
|
||||
+ libdir=/usr/lib
|
||||
+ sec_libdir=/usr/lib64
|
||||
+ ;;
|
||||
+esac
|
||||
|
||||
usage()
|
||||
{
|
||||
@@ -132,6 +143,16 @@ if test x"$echo_libs" = x"true"; then
|
||||
if test x"${exec_prefix_set}" = x"true"; then
|
||||
libs="-L${exec_prefix}/lib"
|
||||
else
|
||||
+ if [ ! -x $libdir/libisc.so ] ; then
|
||||
+ if [ ! -x $sec_libdir/libisc.so ] ; then
|
||||
+ echo "Error: ISC libs not found in $libdir"
|
||||
+ if [ -d $sec_libdir ] ; then
|
||||
+ echo "Error: ISC libs not found in $sec_libdir"
|
||||
+ fi
|
||||
+ exit 1
|
||||
+ fi
|
||||
+ libdir=$sec_libdir
|
||||
+ fi
|
||||
libs="-L${libdir}"
|
||||
fi
|
||||
if test x"$libirs" = x"true" ; then
|
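Review bot: isc-config.sh.in no longer honours the configured `@libdir@`; it hardcodes `/usr/lib64` or `/usr/lib` from `uname -m` of the machine running the script, so a non-default `--libdir` or a sysroot build yields the wrong `-L` flag, and the existence checks use `[ ! -x $libdir/libisc.so ]`, which tests the execute bit rather than presence and leaves `$libdir` unquoted; `[ ! -f "$libdir/libisc.so" ]` is the check intended. In configure.in the fallback branch whose message reads `assume standard definition` now defines `IRS_GETNAMEINFO_FLAGS_T` as `unsigned int` while the probe that detects `int` flags reports `int`; POSIX declares the flags parameter of getnameinfo(3) as `int`, so the swap looks inverted unless it is deliberate for the multilib header match, and a comment saying which is intended would help. Commenting out `SIZEOF_VOID_P` in config.h.in means any code that tests that macro silently sees it undefined; if nothing in the tree uses it that is fine, but it is worth stating in the patch header.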
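--- a/SOURCES/bind-95-rh452060.patch
+++ b/SOURCES/bind-95-rh452060.patch
@@ -0,0 +1,42 @@
+diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
+index f657c30..ff9a2d2 100644
+--- a/bin/dig/dighost.c
++++ b/bin/dig/dighost.c
+@@ -1694,6 +1694,13 @@ clear_query(dig_query_t *query) {
+
+if (query->timer != NULL)
+isc_timer_detach(&query->timer);
++
++ if (query->waiting_senddone) {
++ debug("send_done not yet called");
++ query->pending_free = ISC_TRUE;
++ return;
++ }
++
+lookup = query->lookup;
+
+if (lookup->current_query == query)
+@@ -1719,10 +1726,7 @@ clear_query(dig_query_t *query) {
+isc_mempool_put(commctx, query->recvspace);
+isc_buffer_invalidate(&query->recvbuf);
+isc_buffer_invalidate(&query->lengthbuf);
+- if (query->waiting_senddone)
+- query->pending_free = ISC_TRUE;
+- else
+- isc_mem_free(mctx, query);
++ isc_mem_free(mctx, query);
+}
+
+/*%
+@@ -2811,9 +2815,9 @@ send_done(isc_task_t *_task, isc_event_t *event) {
+isc_event_free(&event);
+
+if (query->pending_free)
+- isc_mem_free(mctx, query);
++ clear_query(query);
+
+- check_if_done();
++ check_next_lookup(l);
+UNLOCK_LOOKUP;
+}
+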
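Review bot: The fix relies on `send_done` having cleared `query->waiting_senddone` before the `if (query->pending_free)` line; otherwise the re-entered `clear_query(query)` hits the new early return again and the query is never freed, and that store is outside the hunk and should be confirmed. `check_next_lookup(l)` uses a local `l` that is not visible in the hunk, so it presumably sits after an existing `l = query->lookup` (or equivalent) in send_done. A comment above the early return such as `/* send_done() re-enters clear_query() once the send completes; defer teardown until then */` would explain the two-phase release to the next reader. Both clear_query and send_done start and end outside the hunks shown.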
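--- a/SOURCES/bind-96-old-api.patch
+++ b/SOURCES/bind-96-old-api.patch
@@ -0,0 +1,23 @@
+diff -up bind-9.6.0b1/contrib/sdb/ldap/ldapdb.c.old-api bind-9.6.0b1/contrib/sdb/ldap/ldapdb.c
+--- bind-9.6.0b1/contrib/sdb/ldap/ldapdb.c.old-api 2008-11-24 13:28:13.000000000 +0100
++++ bind-9.6.0b1/contrib/sdb/ldap/ldapdb.c 2008-11-24 13:28:23.000000000 +0100
+@@ -25,6 +25,7 @@
+/* Using LDAPv3 by default, change this if you want v2 */
+#ifndef LDAPDB_LDAP_VERSION
+#define LDAPDB_LDAP_VERSION 3
++#define LDAP_DEPRECATED 1
+#endif
+
+#include <config.h>
+diff -up bind-9.6.0b1/contrib/sdb/ldap/zone2ldap.c.old-api bind-9.6.0b1/contrib/sdb/ldap/zone2ldap.c
+--- bind-9.6.0b1/contrib/sdb/ldap/zone2ldap.c.old-api 2008-11-24 13:29:05.000000000 +0100
++++ bind-9.6.0b1/contrib/sdb/ldap/zone2ldap.c 2008-11-24 13:29:14.000000000 +0100
+@@ -13,6 +13,8 @@
+* ditched dNSDomain2 schema support. Version 0.3-ALPHA
+*/
+
++#define LDAP_DEPRECATED 1
++
+#include <errno.h>
+#include <string.h>
+#include <stdlib.h>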
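Review bot: In ldapdb.c the added `#define LDAP_DEPRECATED 1` sits inside the `#ifndef LDAPDB_LDAP_VERSION` block, so a build that predefines `LDAPDB_LDAP_VERSION` never defines `LDAP_DEPRECATED` and loses the prototypes for the deprecated libldap calls the driver relies on, unlike the unconditional define added to zone2ldap.c; move it below the `#endif`, before `#include <config.h>`, so both files behave the same. Because the define only has an effect if it precedes the first inclusion of `<ldap.h>`, a short comment such as `/* must precede <ldap.h>: exposes the deprecated libldap API this file uses */` would stop it being reordered below the includes later.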
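--- a/SOURCES/bind.tmpfiles.d
+++ b/SOURCES/bind.tmpfiles.d
@@ -0,0 +1 @@
+d /run/named 0755 named named -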
95
SOURCES/bind93-rh490837.patch
Normal file
@ -0,0 +1,95 @@
|
||||
? patch
|
||||
? lib/isc/lex.c.rh490837
|
||||
Index: lib/isc/lex.c
|
||||
===================================================================
|
||||
RCS file: /var/snap/bind9/lib/isc/lex.c,v
|
||||
retrieving revision 1.86
|
||||
diff -p -u -r1.86 lex.c
|
||||
--- lib/isc/lex.c 17 Sep 2007 09:56:29 -0000 1.86
|
||||
+++ lib/isc/lex.c 6 Apr 2009 13:24:15 -0000
|
||||
@@ -425,17 +425,14 @@ isc_lex_gettoken(isc_lex_t *lex, unsigne
|
||||
if (source->is_file) {
|
||||
stream = source->input;
|
||||
|
||||
-#if defined(HAVE_FLOCKFILE) && defined(HAVE_GETCUNLOCKED)
|
||||
- c = getc_unlocked(stream);
|
||||
-#else
|
||||
- c = getc(stream);
|
||||
-#endif
|
||||
- if (c == EOF) {
|
||||
- if (ferror(stream)) {
|
||||
- source->result = ISC_R_IOERROR;
|
||||
- result = source->result;
|
||||
+ result = isc_stdio_fgetc(stream, &c);
|
||||
+
|
||||
+ if (result != ISC_R_SUCCESS) {
|
||||
+ if (result != ISC_R_EOF) {
|
||||
+ source->result = result;
|
||||
goto done;
|
||||
}
|
||||
+
|
||||
source->at_eof = ISC_TRUE;
|
||||
}
|
||||
} else {
|
||||
Index: lib/isc/include/isc/stdio.h
|
||||
===================================================================
|
||||
RCS file: /var/snap/bind9/lib/isc/include/isc/stdio.h,v
|
||||
retrieving revision 1.13
|
||||
diff -p -u -r1.13 stdio.h
|
||||
--- lib/isc/include/isc/stdio.h 19 Jun 2007 23:47:18 -0000 1.13
|
||||
+++ lib/isc/include/isc/stdio.h 6 Apr 2009 13:24:15 -0000
|
||||
@@ -72,6 +72,9 @@ isc_stdio_sync(FILE *f);
|
||||
* direct counterpart in the stdio library.
|
||||
*/
|
||||
|
||||
+isc_result_t
|
||||
+isc_stdio_fgetc(FILE *f, int *ret);
|
||||
+
|
||||
ISC_LANG_ENDDECLS
|
||||
|
||||
#endif /* ISC_STDIO_H */
|
||||
Index: lib/isc/unix/errno2result.c
|
||||
===================================================================
|
||||
RCS file: /var/snap/bind9/lib/isc/unix/errno2result.c,v
|
||||
retrieving revision 1.17
|
||||
diff -p -u -r1.17 errno2result.c
|
||||
--- lib/isc/unix/errno2result.c 19 Jun 2007 23:47:18 -0000 1.17
|
||||
+++ lib/isc/unix/errno2result.c 6 Apr 2009 13:24:15 -0000
|
||||
@@ -43,6 +43,7 @@ isc__errno2result(int posixerrno) {
|
||||
case EINVAL: /* XXX sometimes this is not for files */
|
||||
case ENAMETOOLONG:
|
||||
case EBADF:
|
||||
+ case EISDIR:
|
||||
return (ISC_R_INVALIDFILE);
|
||||
case ENOENT:
|
||||
return (ISC_R_FILENOTFOUND);
|
||||
Index: lib/isc/unix/stdio.c
|
||||
===================================================================
|
||||
RCS file: /var/snap/bind9/lib/isc/unix/stdio.c,v
|
||||
retrieving revision 1.8
|
||||
diff -p -u -r1.8 stdio.c
|
||||
--- lib/isc/unix/stdio.c 19 Jun 2007 23:47:18 -0000 1.8
|
||||
+++ lib/isc/unix/stdio.c 6 Apr 2009 13:24:15 -0000
|
||||
@@ -115,3 +115,22 @@ isc_stdio_sync(FILE *f) {
|
||||
return (isc__errno2result(errno));
|
||||
}
|
||||
|
||||
+isc_result_t
|
||||
+isc_stdio_fgetc(FILE *f, int *ret) {
|
||||
+ int r;
|
||||
+ isc_result_t result = ISC_R_SUCCESS;
|
||||
+
|
||||
+#if defined(HAVE_FLOCKFILE) && defined(HAVE_GETCUNLOCKED)
|
||||
+ r = fgetc_unlocked(f);
|
||||
+#else
|
||||
+ r = fgets(f);
|
||||
+#endif
|
||||
+
|
||||
+ if (r == EOF)
|
||||
+ result = ferror(f) ? isc__errno2result(errno) : ISC_R_EOF;
|
||||
+
|
||||
+ *ret = r;
|
||||
+
|
||||
+ return result;
|
||||
+}
|
||||
+
|
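Review bot: The `#else` branch of the new `isc_stdio_fgetc` reads `r = fgets(f);`, which is the wrong function (fgets takes a buffer, a size and a stream and returns a pointer), so any build without both HAVE_FLOCKFILE and HAVE_GETCUNLOCKED either fails to compile or, where an implicit declaration is tolerated, stores a truncated pointer in `r`; it should be `r = fgetc(f);`. In the lex.c hunk the EOF path now leaves the local `result` holding ISC_R_EOF after setting `source->at_eof`, where the old code left it untouched; whether later code in isc_lex_gettoken resets `result` before returning is outside the hunk and should be confirmed. The leading `? patch` and `? lib/isc/lex.c.rh490837` lines are CVS status output that leaked into the patch file and can be dropped.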
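--- a/SOURCES/bind97-rh478718.patch
+++ b/SOURCES/bind97-rh478718.patch
@@ -0,0 +1,51 @@
+diff --git a/configure.in b/configure.in
+index 896e81c1ce..73b1c8ccbb 100644
+--- a/configure.in
++++ b/configure.in
+@@ -4275,6 +4275,10 @@ if test "yes" = "$use_atomic"; then
+AC_MSG_RESULT($arch)
+fi
+
++if test ! "$arch" = "x86_64" -a "$have_xaddq" = "yes"; then
++ AC_MSG_ERROR([XADDQ present but disabled by Fedora patch!])
++fi
++
+if test "yes" = "$have_atomic"; then
+AC_MSG_CHECKING([compiler support for inline assembly code])
+
+diff --git a/lib/isc/include/isc/platform.h.in b/lib/isc/include/isc/platform.h.in
+index 2ff522342f..58df86adb3 100644
+--- a/lib/isc/include/isc/platform.h.in
++++ b/lib/isc/include/isc/platform.h.in
+@@ -289,19 +289,25 @@
+* If the "xaddq" operation (64bit xadd) is available on this architecture,
+* ISC_PLATFORM_HAVEXADDQ will be defined.
+*/
+-@ISC_PLATFORM_HAVEXADDQ@
+
+/*
+- * If the 32-bit "atomic swap" operation is available on this
+- * architecture, ISC_PLATFORM_HAVEATOMICSTORE" will be defined.
++ * If the 64-bit "atomic swap" operation is available on this
++ * architecture, ISC_PLATFORM_HAVEATOMICSTOREQ" will be defined.
+*/
+-@ISC_PLATFORM_HAVEATOMICSTORE@
++
++#ifdef __x86_64__
++#define ISC_PLATFORM_HAVEXADDQ 1
++#define ISC_PLATFORM_HAVEATOMICSTOREQ 1
++#else
++#undef ISC_PLATFORM_HAVEXADDQ
++#undef ISC_PLATFORM_HAVEATOMICSTOREQ
++#endif
+
+/*
+- * If the 64-bit "atomic swap" operation is available on this
++ * If the 32-bit "atomic swap" operation is available on this
+* architecture, ISC_PLATFORM_HAVEATOMICSTORE" will be defined.
+*/
+-@ISC_PLATFORM_HAVEATOMICSTOREQ@
++@ISC_PLATFORM_HAVEATOMICSTORE@
+
+/*
+* If the "compare-and-exchange" operation is available on this architecture,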
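Review bot: The platform.h.in hunk replaces the configure-substituted `@ISC_PLATFORM_HAVEXADDQ@` and `@ISC_PLATFORM_HAVEATOMICSTOREQ@` with a hard `#ifdef __x86_64__`, so on any other target the two macros are undefined regardless of what configure detected, and the new configure.in check turns a detected xaddq on such a target into a hard `AC_MSG_ERROR`; the message `XADDQ present but disabled by Fedora patch!` should say what the packager is expected to do about it (presumably extend the `#ifdef`). A comment above the `#ifdef` along the lines of `/* Decided at compile time instead of by configure so the installed header is identical across multilib builds */` would record why configure's answer is discarded. The two doc comments are swapped so that each now describes the macro beneath it, which reads correctly after the change.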
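--- a/SOURCES/bind97-rh645544.patch
+++ b/SOURCES/bind97-rh645544.patch
@@ -0,0 +1,30 @@
+diff -up bind-9.9.4rc2/lib/dns/resolver.c.rh645544 bind-9.9.4rc2/lib/dns/resolver.c
+--- bind-9.9.4rc2/lib/dns/resolver.c.rh645544 2013-08-19 10:30:52.000000000 +0200
++++ bind-9.9.4rc2/lib/dns/resolver.c 2013-09-06 17:58:03.864165823 +0200
+@@ -1138,7 +1138,7 @@ log_edns(fetchctx_t *fctx) {
+*/
+dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
+isc_log_write(dns_lctx, DNS_LOGCATEGORY_EDNS_DISABLED,
+- DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
++ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(1),
+"success resolving '%s' (in '%s'?) after %s",
+fctx->info, domainbuf, fctx->reason);
+
+@@ -3804,7 +3804,7 @@ log_lame(fetchctx_t *fctx, dns_adbaddrin
+dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
+isc_sockaddr_format(&addrinfo->sockaddr, addrbuf, sizeof(addrbuf));
+isc_log_write(dns_lctx, DNS_LOGCATEGORY_LAME_SERVERS,
+- DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
++ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(1),
+"lame server resolving '%s' (in '%s'?): %s",
+namebuf, domainbuf, addrbuf);
+}
+@@ -3831,7 +3831,7 @@ log_formerr(fetchctx_t *fctx, const char
+}
+
+isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+- DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
++ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(1),
+"DNS format error from %s resolving %s%s%s: %s",
+nsbuf, fctx->info, clmsg, clbuf, msgbuf);
+}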
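Review bot: Lowering the lame-server, EDNS-disabled and FORMERR messages from INFO/NOTICE to `ISC_LOG_DEBUG(1)` removes three resolver-anomaly signals from default logging, and since each already goes to its own log category (`DNS_LOGCATEGORY_LAME_SERVERS`, `DNS_LOGCATEGORY_EDNS_DISABLED`, `DNS_LOGCATEGORY_RESOLVER`) an operator could already silence them per category in named.conf without a code change; after this patch they can only be recovered by raising the global debug level, which is far noisier. If the downgrade is kept, a comment at each call such as `/* Fedora: demoted to debug(1) to cut log noise; raise the debug level to see these again */` would tell operators who grep for these strings where they went. Beyond the bug number in the filename the patch carries no rationale; a header line naming the problem it addresses would help future rebases.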
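--- a/SOURCES/bind97-rh669163.patch
+++ b/SOURCES/bind97-rh669163.patch
@@ -0,0 +1,14 @@
+diff -up bind-9.7.2-P3/lib/lwres/lwconfig.c.rh669163 bind-9.7.2-P3/lib/lwres/lwconfig.c
+--- bind-9.7.2-P3/lib/lwres/lwconfig.c.rh669163 2011-01-28 14:48:38.934472578 +0100
++++ bind-9.7.2-P3/lib/lwres/lwconfig.c 2011-01-28 14:49:50.421326035 +0100
+@@ -612,6 +612,10 @@ lwres_conf_parse(lwres_context_t *ctx, c
+break;
+}
+
++ /* Ignore options with no parameters */
++ if (stopchar == '\n')
++ continue;
++
+if (strlen(word) == 0U)
+rval = LWRES_R_SUCCESS;
+else if (strcmp(word, "nameserver") == 0)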
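Review bot: The comment on the added guard does not say what happened before it existed — a bare keyword such as `search` with nothing after it presumably made the keyword-specific parser below fail and abort the whole lwres_conf_parse (its loop starts outside this hunk), so the guard's purpose is to make a partially malformed resolv.conf usable rather than fatal, and the comment should say so: `/* A keyword with no parameters (e.g. a bare "search" line) is skipped rather than failing the whole parse. */`. The guard only fires when stopchar is exactly '\n'; if getword can return a keyword followed by trailing spaces before the end of line, that empty-argument case still reaches the per-keyword parsers, which is worth confirming against getword's contract. The file also lacks the usual patch header (bug reference and one-line rationale), which makes later rebases harder.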
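--- a/SOURCES/bind99-rh640538.patch
+++ b/SOURCES/bind99-rh640538.patch
@@ -0,0 +1,44 @@
+diff --git a/bin/dig/dig.docbook b/bin/dig/dig.docbook
+index 1079421..f11abd1 100644
+--- a/bin/dig/dig.docbook
++++ b/bin/dig/dig.docbook
+@@ -1177,6 +1177,39 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
+</para>
+</refsection>
+
++ <refsection><info><title>RETURN CODES</title></info>
++ <para>
++ <command>Dig</command> return codes are:
++ <variablelist>
++ <varlistentry>
++ <listitem>
++ <para>0: Everything went well, including things like NXDOMAIN</para>
++ </listitem>
++ </varlistentry>
++ <varlistentry>
++ <listitem>
++ <para>1: Usage error</para>
++ </listitem>
++ </varlistentry>
++ <varlistentry>
++ <listitem>
++ <para>8: Couldn't open batch file</para>
++ </listitem>
++ </varlistentry>
++ <varlistentry>
++ <listitem>
++ <para>9: No reply from server</para>
++ </listitem>
++ </varlistentry>
++ <varlistentry>
++ <listitem>
++ <para>10: Internal error</para>
++ </listitem>
++ </varlistentry>
++ </variablelist>
++ </para>
++ </refsection>
++
+<refsection><info><title>FILES</title></info>
+
+<para><filename>/etc/resolv.conf</filename>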
148
SOURCES/dnszone.schema
Normal file
148
SOURCES/dnszone.schema
Normal file
@ -0,0 +1,148 @@
|
||||
# A schema for storing DNS zones in LDAP
|
||||
#
|
||||
attributetype ( 1.3.6.1.4.1.2428.20.0.0 NAME 'dNSTTL'
|
||||
DESC 'An integer denoting time to live'
|
||||
EQUALITY integerMatch
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
|
||||
|
||||
attributetype ( 1.3.6.1.4.1.2428.20.0.1 NAME 'dNSClass'
|
||||
DESC 'The class of a resource record'
|
||||
EQUALITY caseIgnoreIA5Match
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
|
||||
|
||||
attributetype ( 1.3.6.1.4.1.2428.20.0.2 NAME 'zoneName'
|
||||
DESC 'The name of a zone, i.e. the name of the highest node in the zone'
|
||||
EQUALITY caseIgnoreIA5Match
|
||||
SUBSTR caseIgnoreIA5SubstringsMatch
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
|
||||
|
||||
attributetype ( 1.3.6.1.4.1.2428.20.0.3 NAME 'relativeDomainName'
|
||||
DESC 'The starting labels of a domain name'
|
||||
EQUALITY caseIgnoreIA5Match
|
||||
SUBSTR caseIgnoreIA5SubstringsMatch
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
|
||||
|
||||
attributetype ( 1.3.6.1.4.1.2428.20.1.12 NAME 'pTRRecord'
|
||||
DESC 'domain name pointer, RFC 1035'
|
||||
EQUALITY caseIgnoreIA5Match
|
||||
SUBSTR caseIgnoreIA5SubstringsMatch
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
|
||||
|
||||
attributetype ( 1.3.6.1.4.1.2428.20.1.13 NAME 'hInfoRecord'
|
||||
DESC 'host information, RFC 1035'
|
||||
EQUALITY caseIgnoreIA5Match
|
||||
SUBSTR caseIgnoreIA5SubstringsMatch
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
|
||||
|
||||
attributetype ( 1.3.6.1.4.1.2428.20.1.14 NAME 'mInfoRecord'
|
||||
DESC 'mailbox or mail list information, RFC 1035'
|
||||
EQUALITY caseIgnoreIA5Match
|
||||
SUBSTR caseIgnoreIA5SubstringsMatch
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
|
||||
|
||||
attributetype ( 1.3.6.1.4.1.2428.20.1.16 NAME 'tXTRecord'
|
||||
DESC 'text string, RFC 1035'
|
||||
EQUALITY caseIgnoreIA5Match
|
||||
SUBSTR caseIgnoreIA5SubstringsMatch
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
|
||||
|
||||
attributetype ( 1.3.6.1.4.1.2428.20.1.18 NAME 'aFSDBRecord'
|
||||
DESC 'for AFS Data Base location, RFC 1183'
|
||||
EQUALITY caseIgnoreIA5Match
|
||||
SUBSTR caseIgnoreIA5SubstringsMatch
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
|
||||
|
||||
attributetype ( 1.3.6.1.4.1.2428.20.1.24 NAME 'SigRecord'
|
||||
DESC 'Signature, RFC 2535'
|
||||
EQUALITY caseIgnoreIA5Match
|
||||
SUBSTR caseIgnoreIA5SubstringsMatch
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
|
||||
|
||||
attributetype ( 1.3.6.1.4.1.2428.20.1.25 NAME 'KeyRecord'
|
||||
DESC 'Key, RFC 2535'
|
||||
EQUALITY caseIgnoreIA5Match
|
||||
SUBSTR caseIgnoreIA5SubstringsMatch
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
|
||||
|
||||
attributetype ( 1.3.6.1.4.1.2428.20.1.28 NAME 'aAAARecord'
|
||||
DESC 'IPv6 address, RFC 1886'
|
||||
EQUALITY caseIgnoreIA5Match
|
||||
SUBSTR caseIgnoreIA5SubstringsMatch
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
|
||||
|
||||
attributetype ( 1.3.6.1.4.1.2428.20.1.29 NAME 'LocRecord'
|
||||
DESC 'Location, RFC 1876'
|
||||
EQUALITY caseIgnoreIA5Match
|
||||
SUBSTR caseIgnoreIA5SubstringsMatch
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
|
||||
|
||||
attributetype ( 1.3.6.1.4.1.2428.20.1.30 NAME 'nXTRecord'
|
||||
DESC 'non-existant, RFC 2535'
|
||||
EQUALITY caseIgnoreIA5Match
|
||||
SUBSTR caseIgnoreIA5SubstringsMatch
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
|
||||
|
||||
attributetype ( 1.3.6.1.4.1.2428.20.1.33 NAME 'sRVRecord'
|
||||
DESC 'service location, RFC 2782'
|
||||
EQUALITY caseIgnoreIA5Match
|
||||
SUBSTR caseIgnoreIA5SubstringsMatch
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
|
||||
|
||||
attributetype ( 1.3.6.1.4.1.2428.20.1.35 NAME 'nAPTRRecord'
|
||||
DESC 'Naming Authority Pointer, RFC 2915'
|
||||
EQUALITY caseIgnoreIA5Match
|
||||
SUBSTR caseIgnoreIA5SubstringsMatch
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
|
||||
|
||||
attributetype ( 1.3.6.1.4.1.2428.20.1.36 NAME 'kXRecord'
|
||||
DESC 'Key Exchange Delegation, RFC 2230'
|
||||
EQUALITY caseIgnoreIA5Match
|
||||
SUBSTR caseIgnoreIA5SubstringsMatch
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
|
||||
|
||||
attributetype ( 1.3.6.1.4.1.2428.20.1.37 NAME 'certRecord'
|
||||
DESC 'certificate, RFC 2538'
|
||||
EQUALITY caseIgnoreIA5Match
|
||||
SUBSTR caseIgnoreIA5SubstringsMatch
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
|
||||
|
||||
attributetype ( 1.3.6.1.4.1.2428.20.1.38 NAME 'a6Record'
|
||||
DESC 'A6 Record Type, RFC 2874'
|
||||
EQUALITY caseIgnoreIA5Match
|
||||
SUBSTR caseIgnoreIA5SubstringsMatch
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
|
||||
|
||||
attributetype ( 1.3.6.1.4.1.2428.20.1.39 NAME 'dNameRecord'
|
||||
DESC 'Non-Terminal DNS Name Redirection, RFC 2672'
|
||||
EQUALITY caseIgnoreIA5Match
|
||||
SUBSTR caseIgnoreIA5SubstringsMatch
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
|
||||
|
||||
attributetype ( 1.3.6.1.4.1.2428.20.1.43 NAME 'dSRecord'
|
||||
DESC 'Delegation Signer, RFC 3658'
|
||||
EQUALITY caseIgnoreIA5Match
|
||||
SUBSTR caseIgnoreIA5SubstringsMatch
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
|
||||
|
||||
attributetype ( 1.3.6.1.4.1.2428.20.1.46 NAME 'rRSIGRecord'
|
||||
DESC 'RRSIG, RFC 3755'
|
||||
EQUALITY caseIgnoreIA5Match
|
||||
SUBSTR caseIgnoreIA5SubstringsMatch
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
|
||||
|
||||
attributetype ( 1.3.6.1.4.1.2428.20.1.47 NAME 'nSECRecord'
|
||||
DESC 'NSEC, RFC 3755'
|
||||
EQUALITY caseIgnoreIA5Match
|
||||
SUBSTR caseIgnoreIA5SubstringsMatch
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
|
||||
|
||||
objectclass ( 1.3.6.1.4.1.2428.20.3 NAME 'dNSZone'
|
||||
SUP top STRUCTURAL
|
||||
MUST ( zoneName $ relativeDomainName )
|
||||
MAY ( DNSTTL $ DNSClass $
|
||||
ARecord $ MDRecord $ MXRecord $ NSRecord $
|
||||
SOARecord $ CNAMERecord $ PTRRecord $ HINFORecord $
|
||||
MINFORecord $ TXTRecord $ SIGRecord $ KEYRecord $
|
||||
AAAARecord $ LOCRecord $ NXTRecord $ SRVRecord $
|
||||
NAPTRRecord $ KXRecord $ CERTRecord $ A6Record $
|
||||
DNAMERecord ) )
|
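Review bot: The dNSZone objectclass at the bottom does not admit three attributes this same file defines — `dSRecord` (20.1.43), `rRSIGRecord` (20.1.46) and `nSECRecord` (20.1.47) are absent from its MAY list — so a schema-checking directory will reject DS, RRSIG and NSEC values on a dNSZone entry, and there is no DNSKEY attribute at all, which means a DNSSEC-signed zone cannot be stored with this schema as shipped. Conversely the MAY list names `ARecord`, `MDRecord`, `MXRecord`, `NSRecord`, `SOARecord` and `CNAMERecord`, none of which are defined here; they presumably come from OpenLDAP's cosine schema, and a header comment should say so because loading dnszone.schema on its own will fail. I would change the last line to `DNAMERecord $ DSRecord $ RRSIGRecord $ NSECRecord ) )` and add `# Requires cosine.schema for aRecord, mDRecord, mXRecord, nSRecord, sOARecord and cNAMERecord` under the title comment.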
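--- a/SOURCES/generate-rndc-key.sh
+++ b/SOURCES/generate-rndc-key.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+. /etc/rc.d/init.d/functions
+
+# This script generates /etc/rndc.key if doesn't exist AND if there is no rndc.conf
+
+if [ ! -s /etc/rndc.key -a ! -s /etc/rndc.conf ]; then
+echo -n $"Generating /etc/rndc.key:"
+if /usr/sbin/rndc-confgen -a -A hmac-sha256 -r /dev/urandom > /dev/null 2>&1
+then
+chmod 640 /etc/rndc.key
+chown root:named /etc/rndc.key
+[ -x /sbin/restorecon ] && /sbin/restorecon /etc/rndc.key
+success $"/etc/rndc.key generation"
+echo
+else
+failure $"/etc/rndc.key generation"
+echo
+fi
+fi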
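Review bot: The HMAC secret is written by rndc-confgen before the `chmod 640` / `chown root:named` lines run, so unless rndc-confgen itself creates /etc/rndc.key with a restrictive mode (worth confirming for the 9.11 build), there is a window in which the key is readable under whatever umask the oneshot service inherits; adding `umask 077` as the first statement after the shebang closes that window regardless and costs nothing. The `> /dev/null 2>&1` on the rndc-confgen line also throws away the reason for any failure, so the `failure` branch leaves nothing useful in the journal — dropping the `2>&1` so stderr reaches systemd would be enough. Sourcing /etc/rc.d/init.d/functions only for `success`/`failure` ties this systemd unit to the initscripts package; a plain `echo` would remove that dependency.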
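--- a/SOURCES/ldap2zone.1
+++ b/SOURCES/ldap2zone.1
@@ -0,0 +1,41 @@
+.\" Copyright (C) 2004, 2005 Stig Venaas <venaas@uninett.no>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\" Manpage written by Jan Gorig
+.TH ldap2zone 1 "15 March 2010" "BIND9"
+.SH NAME
+ldap2zone - Creates zone file from LDAP dnszone information
+.SH SYNOPSIS
+.B ldap2zone zone-name LDAP-URL default-ttl [serial]
+.SH DESCRIPTION
+ldap2zone is a tool that reads info for a zone from LDAP and constructs a standard plain ascii zone file that is written to the standard output. The LDAP information has to be stored using the dnszone schema. The schema is used by BIND with LDAP back-end.
+
+\fBzone-name\fR
+.RS 4
+Name of the zone, eg "mydomain.net."
+.RE
+.PP
+\fBLDAP-URL\fR
+.RS 4
+LDAP URL to dnszone information
+.RE
+.PP
+\fBdefault-ttl\fR
+.RS 4
+Default TTL value to be used in zone
+.RE
+.PP
+\fBserial\fR
+.RS 4
+(optional) Program checks this number to be different than SOA serial number.
+.RE
+
+.SH "EXIT STATUS"
+Exits with 0 on success or 1 on failure.
+.SH "SEE ALSO"
+named(8) ldap(3)
+http://www.venaas.no/dns/ldap2zone/
+.SH "COPYRIGHT"
+Copyright (C) 2004, 2005 Stig Venaas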
411
SOURCES/ldap2zone.c
Normal file
411
SOURCES/ldap2zone.c
Normal file
@ -0,0 +1,411 @@
|
||||
/*
|
||||
* Copyright (C) 2004, 2005 Stig Venaas <venaas@uninett.no>
|
||||
* $Id: ldap2zone.c,v 1.1 2007/07/24 15:18:00 atkac Exp $
|
||||
*
|
||||
* Permission to use, copy, modify, and distribute this software for any
|
||||
* purpose with or without fee is hereby granted, provided that the above
|
||||
* copyright notice and this permission notice appear in all copies.
|
||||
*/
|
||||
|
||||
#define LDAP_DEPRECATED 1
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <ctype.h>
|
||||
|
||||
#include <ldap.h>
|
||||
|
||||
struct string {
|
||||
void *data;
|
||||
size_t len;
|
||||
};
|
||||
|
||||
struct assstack_entry {
|
||||
struct string key;
|
||||
struct string val;
|
||||
struct assstack_entry *next;
|
||||
};
|
||||
|
||||
struct assstack_entry *assstack_find(struct assstack_entry *stack, struct string *key);
|
||||
void assstack_push(struct assstack_entry **stack, struct assstack_entry *item);
|
||||
void assstack_insertbottom(struct assstack_entry **stack, struct assstack_entry *item);
|
||||
void printsoa(struct string *soa);
|
||||
void printrrs(char *defaultttl, struct assstack_entry *item);
|
||||
void print_zone(char *defaultttl, struct assstack_entry *stack);
|
||||
void usage(char *name);
|
||||
void err(char *name, const char *msg);
|
||||
int putrr(struct assstack_entry **stack, struct berval *name, char *type, char *ttl, struct berval *val);
|
||||
|
||||
struct assstack_entry *assstack_find(struct assstack_entry *stack, struct string *key) {
|
||||
for (; stack; stack = stack->next)
|
||||
if (stack->key.len == key->len && !memcmp(stack->key.data, key->data, key->len))
|
||||
return stack;
|
||||
return NULL;
|
||||
}
|
||||
|
||||
void assstack_push(struct assstack_entry **stack, struct assstack_entry *item) {
|
||||
item->next = *stack;
|
||||
*stack = item;
|
||||
}
|
||||
|
||||
void assstack_insertbottom(struct assstack_entry **stack, struct assstack_entry *item) {
|
||||
struct assstack_entry *p;
|
||||
|
||||
item->next = NULL;
|
||||
if (!*stack) {
|
||||
*stack = item;
|
||||
return;
|
||||
}
|
||||
/* find end, should keep track of end somewhere */
|
||||
/* really a queue, not a stack */
|
||||
p = *stack;
|
||||
while (p->next)
|
||||
p = p->next;
|
||||
p->next = item;
|
||||
}
|
||||
|
||||
void printsoa(struct string *soa) {
|
||||
char *s;
|
||||
size_t i;
|
||||
|
||||
s = (char *)soa->data;
|
||||
i = 0;
|
||||
while (i < soa->len) {
|
||||
putchar(s[i]);
|
||||
if (s[i++] == ' ')
|
||||
break;
|
||||
}
|
||||
while (i < soa->len) {
|
||||
putchar(s[i]);
|
||||
if (s[i++] == ' ')
|
||||
break;
|
||||
}
|
||||
printf("(\n\t\t\t\t");
|
||||
while (i < soa->len) {
|
||||
putchar(s[i]);
|
||||
if (s[i++] == ' ')
|
||||
break;
|
||||
}
|
||||
printf("; Serialnumber\n\t\t\t\t");
|
||||
while (i < soa->len) {
|
||||
if (s[i] == ' ')
|
||||
break;
|
||||
putchar(s[i++]);
|
||||
}
|
||||
i++;
|
||||
printf("\t; Refresh\n\t\t\t\t");
|
||||
while (i < soa->len) {
|
||||
if (s[i] == ' ')
|
||||
break;
|
||||
putchar(s[i++]);
|
||||
}
|
||||
i++;
|
||||
printf("\t; Retry\n\t\t\t\t");
|
||||
while (i < soa->len) {
|
||||
if (s[i] == ' ')
|
||||
break;
|
||||
putchar(s[i++]);
|
||||
}
|
||||
i++;
|
||||
printf("\t; Expire\n\t\t\t\t");
|
||||
while (i < soa->len) {
|
||||
putchar(s[i++]);
|
||||
}
|
||||
printf(" )\t; Minimum TTL\n");
|
||||
}
|
||||
|
||||
void printrrs(char *defaultttl, struct assstack_entry *item) {
|
||||
struct assstack_entry *stack;
|
||||
char *s;
|
||||
int first;
|
||||
size_t i;
|
||||
char *ttl, *type;
|
||||
int top;
|
||||
|
||||
s = (char *)item->key.data;
|
||||
|
||||
if (item->key.len == 1 && *s == '@') {
|
||||
top = 1;
|
||||
printf("@\t");
|
||||
} else {
|
||||
top = 0;
|
||||
for (i = 0; i < item->key.len; i++)
|
||||
putchar(s[i]);
|
||||
if (item->key.len < 8)
|
||||
putchar('\t');
|
||||
putchar('\t');
|
||||
}
|
||||
|
||||
first = 1;
|
||||
for (stack = (struct assstack_entry *) item->val.data; stack; stack = stack->next) {
|
||||
ttl = (char *)stack->key.data;
|
||||
s = strchr(ttl, ' ');
|
||||
*s++ = '\0';
|
||||
type = s;
|
||||
|
||||
if (first)
|
||||
first = 0;
|
||||
else
|
||||
printf("\t\t");
|
||||
|
||||
if (strcmp(defaultttl, ttl))
|
||||
printf("%s", ttl);
|
||||
putchar('\t');
|
||||
|
||||
if (top) {
|
||||
top = 0;
|
||||
printf("IN\t%s\t", type);
|
||||
/* Should always be SOA here */
|
||||
if (!strcmp(type, "SOA")) {
|
||||
printsoa(&stack->val);
|
||||
continue;
|
||||
}
|
||||
} else
|
||||
printf("%s\t", type);
|
||||
|
||||
s = (char *)stack->val.data;
|
||||
for (i = 0; i < stack->val.len; i++)
|
||||
putchar(s[i]);
|
||||
putchar('\n');
|
||||
}
|
||||
}
|
||||
|
||||
void print_zone(char *defaultttl, struct assstack_entry *stack) {
|
||||
printf("$TTL %s\n", defaultttl);
|
||||
for (; stack; stack = stack->next)
|
||||
printrrs(defaultttl, stack);
|
||||
};
|
||||
|
||||
void usage(char *name) {
|
||||
fprintf(stderr, "Usage:%s zone-name LDAP-URL default-ttl [serial]\n", name);
|
||||
exit(1);
|
||||
};
|
||||
|
||||
void err(char *name, const char *msg) {
|
||||
fprintf(stderr, "%s: %s\n", name, msg);
|
||||
exit(1);
|
||||
};
|
||||
|
||||
int putrr(struct assstack_entry **stack, struct berval *name, char *type, char *ttl, struct berval *val) {
|
||||
struct string key;
|
||||
struct assstack_entry *rr, *rrdata;
|
||||
|
||||
/* Do nothing if name or value have 0 length */
|
||||
if (!name->bv_len || !val->bv_len)
|
||||
return 0;
|
||||
|
||||
/* see if already have an entry for this name */
|
||||
key.len = name->bv_len;
|
||||
key.data = name->bv_val;
|
||||
|
||||
rr = assstack_find(*stack, &key);
|
||||
if (!rr) {
|
||||
/* Not found, create and push new entry */
|
||||
rr = (struct assstack_entry *) malloc(sizeof(struct assstack_entry));
|
||||
if (!rr)
|
||||
return -1;
|
||||
rr->key.len = name->bv_len;
|
||||
rr->key.data = (void *) malloc(rr->key.len);
|
||||
if (!rr->key.data) {
|
||||
free(rr);
|
||||
return -1;
|
||||
}
|
||||
memcpy(rr->key.data, name->bv_val, name->bv_len);
|
||||
rr->val.len = sizeof(void *);
|
||||
rr->val.data = NULL;
|
||||
if (name->bv_len == 1 && *(char *)name->bv_val == '@')
|
||||
assstack_push(stack, rr);
|
||||
else
|
||||
assstack_insertbottom(stack, rr);
|
||||
}
|
||||
|
||||
rrdata = (struct assstack_entry *) malloc(sizeof(struct assstack_entry));
|
||||
if (!rrdata) {
|
||||
free(rr->key.data);
|
||||
free(rr);
|
||||
return -1;
|
||||
}
|
||||
rrdata->key.len = strlen(type) + strlen(ttl) + 1;
|
||||
rrdata->key.data = (void *) malloc(rrdata->key.len);
|
||||
if (!rrdata->key.data) {
|
||||
free(rrdata);
|
||||
free(rr->key.data);
|
||||
free(rr);
|
||||
return -1;
|
||||
}
|
||||
sprintf((char *)rrdata->key.data, "%s %s", ttl, type);
|
||||
|
||||
rrdata->val.len = val->bv_len;
|
||||
rrdata->val.data = (void *) malloc(val->bv_len);
|
||||
if (!rrdata->val.data) {
|
||||
free(rrdata->key.data);
|
||||
free(rrdata);
|
||||
free(rr->key.data);
|
||||
free(rr);
|
||||
return -1;
|
||||
}
|
||||
memcpy(rrdata->val.data, val->bv_val, val->bv_len);
|
||||
|
||||
if (!strcmp(type, "SOA"))
|
||||
assstack_push((struct assstack_entry **) &(rr->val.data), rrdata);
|
||||
else
|
||||
assstack_insertbottom((struct assstack_entry **) &(rr->val.data), rrdata);
|
||||
return 0;
|
||||
}
|
||||
|
||||
int main(int argc, char **argv) {
|
||||
char *s, *hostporturl, *base = NULL;
|
||||
char *ttl, *defaultttl;
|
||||
LDAP *ld;
|
||||
char *fltr = NULL;
|
||||
LDAPMessage *res, *e;
|
||||
char *a, **ttlvals, **soavals, *serial;
|
||||
struct berval **vals, **names;
|
||||
char type[64];
|
||||
BerElement *ptr;
|
||||
int i, j, rc, msgid;
|
||||
struct assstack_entry *zone = NULL;
|
||||
|
||||
if (argc < 4 || argc > 5)
|
||||
usage(argv[0]);
|
||||
|
||||
hostporturl = argv[2];
|
||||
|
||||
if (hostporturl != strstr( hostporturl, "ldap"))
|
||||
err(argv[0], "Not an LDAP URL");
|
||||
|
||||
s = strchr(hostporturl, ':');
|
||||
|
||||
if (!s || strlen(s) < 3 || s[1] != '/' || s[2] != '/')
|
||||
err(argv[0], "Not an LDAP URL");
|
||||
|
||||
s = strchr(s+3, '/');
|
||||
if (s) {
|
||||
*s++ = '\0';
|
||||
base = s;
|
||||
s = strchr(base, '?');
|
||||
if (s)
|
||||
err(argv[0], "LDAP URL can only contain host, port and base");
|
||||
}
|
||||
|
||||
defaultttl = argv[3];
|
||||
|
||||
rc = ldap_initialize(&ld, hostporturl);
|
||||
if (rc != LDAP_SUCCESS)
|
||||
err(argv[0], "ldap_initialize() failed");
|
||||
|
||||
if (argc == 5) {
|
||||
/* serial number specified, check if different from one in SOA */
|
||||
fltr = (char *)malloc(strlen(argv[1]) + strlen("(&(relativeDomainName=@)(zoneName=))") + 1);
|
||||
sprintf(fltr, "(&(relativeDomainName=@)(zoneName=%s))", argv[1]);
|
||||
msgid = ldap_search(ld, base, LDAP_SCOPE_SUBTREE, fltr, NULL, 0);
|
||||
if (msgid == -1)
|
||||
err(argv[0], "ldap_search() failed");
|
||||
|
||||
while ((rc = ldap_result(ld, msgid, 0, NULL, &res)) != LDAP_RES_SEARCH_RESULT ) {
|
||||
/* not supporting continuation references at present */
|
||||
if (rc != LDAP_RES_SEARCH_ENTRY)
|
||||
err(argv[0], "ldap_result() returned cont.ref? Exiting");
|
||||
|
||||
/* only one entry per result message */
|
||||
e = ldap_first_entry(ld, res);
|
||||
if (e == NULL) {
|
||||
ldap_msgfree(res);
|
||||
err(argv[0], "ldap_first_entry() failed");
|
||||
}
|
||||
|
||||
soavals = ldap_get_values(ld, e, "SOARecord");
|
||||
if (soavals)
|
||||
break;
|
||||
}
|
||||
|
||||
ldap_msgfree(res);
|
||||
if (!soavals) {
|
||||
err(argv[0], "No SOA Record found");
|
||||
}
|
||||
|
||||
/* We have a SOA, compare serial numbers */
|
||||
/* Only checkinf first value, should be only one */
|
||||
s = strchr(soavals[0], ' ');
|
||||
s++;
|
||||
s = strchr(s, ' ');
|
||||
s++;
|
||||
serial = s;
|
||||
s = strchr(s, ' ');
|
||||
*s = '\0';
|
||||
if (!strcmp(serial, argv[4])) {
|
||||
ldap_value_free(soavals);
|
||||
err(argv[0], "serial numbers match");
|
||||
}
|
||||
ldap_value_free(soavals);
|
||||
}
|
||||
|
||||
if (!fltr)
|
||||
fltr = (char *)malloc(strlen(argv[1]) + strlen("(zoneName=)") + 1);
|
||||
if (!fltr)
|
||||
err(argv[0], "Malloc failed");
|
||||
sprintf(fltr, "(zoneName=%s)", argv[1]);
|
||||
|
||||
msgid = ldap_search(ld, base, LDAP_SCOPE_SUBTREE, fltr, NULL, 0);
|
||||
if (msgid == -1)
|
||||
err(argv[0], "ldap_search() failed");
|
||||
|
||||
while ((rc = ldap_result(ld, msgid, 0, NULL, &res)) != LDAP_RES_SEARCH_RESULT ) {
|
||||
/* not supporting continuation references at present */
|
||||
if (rc != LDAP_RES_SEARCH_ENTRY)
|
||||
err(argv[0], "ldap_result() returned cont.ref? Exiting");
|
||||
|
||||
/* only one entry per result message */
|
||||
e = ldap_first_entry(ld, res);
|
||||
if (e == NULL) {
|
||||
ldap_msgfree(res);
|
||||
err(argv[0], "ldap_first_entry() failed");
|
||||
}
|
||||
|
||||
names = ldap_get_values_len(ld, e, "relativeDomainName");
|
||||
if (!names)
|
||||
continue;
|
||||
|
||||
ttlvals = ldap_get_values(ld, e, "dNSTTL");
|
||||
ttl = ttlvals ? ttlvals[0] : defaultttl;
|
||||
|
||||
for (a = ldap_first_attribute(ld, e, &ptr); a != NULL; a = ldap_next_attribute(ld, e, ptr)) {
|
||||
char *s;
|
||||
|
||||
for (s = a; *s; s++)
|
||||
*s = toupper(*s);
|
||||
s = strstr(a, "RECORD");
|
||||
if ((s == NULL) || (s == a) || (s - a >= (signed int)sizeof(type))) {
|
||||
ldap_memfree(a);
|
||||
continue;
|
||||
}
|
||||
|
||||
strncpy(type, a, s - a);
|
||||
type[s - a] = '\0';
|
||||
vals = ldap_get_values_len(ld, e, a);
|
||||
if (vals) {
|
||||
for (i = 0; vals[i]; i++)
|
||||
for (j = 0; names[j]; j++)
|
||||
if (putrr(&zone, names[j], type, ttl, vals[i]))
|
||||
err(argv[0], "malloc failed");
|
||||
ldap_value_free_len(vals);
|
||||
}
|
||||
ldap_memfree(a);
|
||||
}
|
||||
|
||||
if (ptr)
|
||||
ber_free(ptr, 0);
|
||||
if (ttlvals)
|
||||
ldap_value_free(ttlvals);
|
||||
ldap_value_free_len(names);
|
||||
/* free this result */
|
||||
ldap_msgfree(res);
|
||||
}
|
||||
|
||||
/* free final result */
|
||||
ldap_msgfree(res);
|
||||
|
||||
print_zone(defaultttl, zone);
|
||||
return 0;
|
||||
}
|
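Review bot: putrr undersizes its key buffer by one byte: `rrdata->key.len = strlen(type) + strlen(ttl) + 1;` is followed by `sprintf((char *)rrdata->key.data, "%s %s", ttl, type);`, which writes both strings, the separating space and the NUL terminator — strlen(ttl) + strlen(type) + 2 bytes — so every record added to the zone writes one byte past a heap allocation (and printrrs later relies on that out-of-bounds NUL when it calls strchr on the key); the fix is `rrdata->key.len = strlen(type) + strlen(ttl) + 2;`. The serial check in main is equally trusting of directory contents: the `s = strchr(soavals[0], ' '); s++;` chain and the final `*s = '\0';` never test for NULL, so a SOARecord value with fewer than three spaces dereferences NULL, and since no bind call precedes ldap_search the session appears to be anonymous, so anyone who can write to the searched subtree controls that input. printrrs also copies record values to stdout byte-for-byte, so a value containing a newline injects arbitrary zone-file lines (a `$INCLUDE`, for instance) into the generated file; values containing control characters should be rejected, and argv[1] should have RFC 4515 filter metacharacters escaped before `sprintf(fltr, "(zoneName=%s)", argv[1])`.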
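--- a/SOURCES/named-chroot-setup.service
+++ b/SOURCES/named-chroot-setup.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Set-up/destroy chroot environment for named (DNS)
+BindsTo=named-chroot.service
+Wants=named-setup-rndc.service
+After=named-setup-rndc.service
+
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/libexec/setup-named-chroot.sh /var/named/chroot on /etc/named-chroot.files
+ExecStop=/usr/libexec/setup-named-chroot.sh /var/named/chroot off /etc/named-chroot.files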
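--- a/SOURCES/named-chroot.files
+++ b/SOURCES/named-chroot.files
@@ -0,0 +1,23 @@
+# Configuration of files used in chroot
+# Following files are made available after named-chroot.service start
+# if they are missing or empty in target directory.
+/etc/localtime
+/etc/named.root.key
+/etc/named.conf
+/etc/named.rfc1912.zones
+/etc/rndc.conf
+/etc/rndc.key
+/etc/named.iscdlv.key
+/etc/crypto-policies/back-ends/bind.config
+/etc/protocols
+/etc/services
+/etc/named.dnssec.keys
+/etc/pki/dnssec-keys
+/etc/named
+/usr/lib64/bind
+/usr/lib/bind
+/run/named
+# Warning: the order is important
+# If a directory containing $ROOTDIR is listed here,
+# it MUST be listed last. (/var/named contains /var/named/chroot)
+/var/named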
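Review bot: The header states that entries are only provisioned `if they are missing or empty in target directory`, which means a non-empty copy of /etc/rndc.key, /etc/named.conf or /etc/named.root.key already sitting under /var/named/chroot silently shadows the live file outside the chroot — an rndc key rotation or a trust-anchor update made in /etc would not reach the chrooted named, and the comment should warn about it: `# A non-empty file already present under the chroot takes precedence; remove it there to pick up changes made in /etc.` (whether the provisioning is a copy or a bind mount is decided in setup-named-chroot.sh, which is not visible here). /etc/named.iscdlv.key is also carried in even though the ISC DLV registry is, to my knowledge, no longer operated; if the package still ships that file it is worth marking the entry as legacy.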
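--- a/SOURCES/named-chroot.service
+++ b/SOURCES/named-chroot.service
@@ -0,0 +1,30 @@
+# Don't forget to add "$AddUnixListenSocket /var/named/chroot/dev/log"
+# line to your /etc/rsyslog.conf file. Otherwise your logging becomes
+# broken when rsyslogd daemon is restarted (due update, for example).
+
+[Unit]
+Description=Berkeley Internet Name Domain (DNS)
+Wants=nss-lookup.target
+Requires=named-chroot-setup.service
+Before=nss-lookup.target
+After=named-chroot-setup.service
+After=network.target
+
+[Service]
+Type=forking
+Environment=NAMEDCONF=/etc/named.conf
+EnvironmentFile=-/etc/sysconfig/named
+Environment=KRB5_KTNAME=/etc/named.keytab
+PIDFile=/var/named/chroot/run/named/named.pid
+
+ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
+ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} -t /var/named/chroot $OPTIONS
+
+ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'
+
+ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
+
+PrivateTmp=false
+
+[Install]
+WantedBy=multi-user.target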
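Review bot: `Environment=KRB5_KTNAME=/etc/named.keytab` is consulted by named after it has chrooted to /var/named/chroot (`-t /var/named/chroot` on the ExecStart line), yet /etc/named.keytab is not among the paths in the named-chroot.files list in this commit, so GSS-TSIG in the chroot variant will presumably fail to find its keytab unless the administrator copies it by hand; either add the path to named-chroot.files or document the requirement in the header comment next to the rsyslog note. The unit also applies no sandboxing even though named only needs a small capability set here to bind port 53, chroot and drop to the `named` user; `CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SYS_CHROOT CAP_SETUID CAP_SETGID CAP_SYS_RESOURCE` and `NoNewPrivileges=true` would bound what a compromised named can do, though the exact set needs to be tested against `-u named` and the chroot setup before shipping. ExecStartPre runs named-checkconf as root over operator-controlled configuration and zone files, which is expected for this package but worth a one-line comment so that nobody later points it at untrusted zone data.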
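--- a/SOURCES/named-pkcs11.service
+++ b/SOURCES/named-pkcs11.service
@@ -0,0 +1,26 @@
+[Unit]
+Description=Berkeley Internet Name Domain (DNS) with native PKCS#11
+Wants=nss-lookup.target
+Wants=named-setup-rndc.service
+Before=nss-lookup.target
+After=network.target
+After=named-setup-rndc.service
+
+[Service]
+Type=forking
+Environment=NAMEDCONF=/etc/named.conf
+EnvironmentFile=-/etc/sysconfig/named
+Environment=KRB5_KTNAME=/etc/named.keytab
+PIDFile=/run/named/named.pid
+
+ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
+ExecStart=/usr/sbin/named-pkcs11 -u named -c ${NAMEDCONF} $OPTIONS
+
+ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'
+
+ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
+
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target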
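--- a/SOURCES/named-sdb-chroot-setup.service
+++ b/SOURCES/named-sdb-chroot-setup.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Set-up/destroy chroot environment for named-sdb
+BindsTo=named-sdb-chroot.service
+Wants=named-setup-rndc.service
+After=named-setup-rndc.service
+
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/libexec/setup-named-chroot.sh /var/named/chroot_sdb on /etc/named-chroot.files
+ExecStop=/usr/libexec/setup-named-chroot.sh /var/named/chroot_sdb off /etc/named-chroot.files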
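--- a/SOURCES/named-sdb-chroot.service
+++ b/SOURCES/named-sdb-chroot.service
@@ -0,0 +1,30 @@
+# Don't forget to add "$AddUnixListenSocket /var/named/chroot_sdb/dev/log"
+# line to your /etc/rsyslog.conf file. Otherwise your logging becomes
+# broken when rsyslogd daemon is restarted (due update, for example).
+
+[Unit]
+Description=Berkeley Internet Name Domain (DNS)
+Wants=nss-lookup.target
+Requires=named-sdb-chroot-setup.service
+Before=nss-lookup.target
+After=named-sdb-chroot-setup.service
+After=network.target
+
+[Service]
+Type=forking
+Environment=NAMEDCONF=/etc/named.conf
+EnvironmentFile=-/etc/sysconfig/named
+Environment=KRB5_KTNAME=/etc/named.keytab
+PIDFile=/var/named/chroot_sdb/run/named/named.pid
+
+ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot_sdb -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
+ExecStart=/usr/sbin/named-sdb -u named -c ${NAMEDCONF} -t /var/named/chroot_sdb $OPTIONS
+
+ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'
+
+ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
+
+PrivateTmp=false
+
+[Install]
+WantedBy=multi-user.target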
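Review bot: `Description=Berkeley Internet Name Domain (DNS)` is the same string the non-SDB units use, so `systemctl status` and the journal cannot show which daemon a host is actually running; `Description=Berkeley Internet Name Domain (DNS) with SDB backends, chrooted` would disambiguate it. As with the plain chroot unit, `KRB5_KTNAME=/etc/named.keytab` is resolved inside /var/named/chroot_sdb after `-t /var/named/chroot_sdb`, and /etc/named.keytab is not in the shared named-chroot.files list, so GSS-TSIG presumably needs the keytab copied in by hand — worth either adding to that list or noting in the header comment.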
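--- a/SOURCES/named-sdb.8
+++ b/SOURCES/named-sdb.8
@@ -0,0 +1 @@
+.so man8/named.8.gz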
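--- a/SOURCES/named-sdb.service
+++ b/SOURCES/named-sdb.service
@@ -0,0 +1,26 @@
+[Unit]
+Description=Berkeley Internet Name Domain (DNS)
+Wants=nss-lookup.target
+Wants=named-setup-rndc.service
+Before=nss-lookup.target
+After=named-setup-rndc.service
+After=network.target
+
+[Service]
+Type=forking
+Environment=NAMEDCONF=/etc/named.conf
+EnvironmentFile=-/etc/sysconfig/named
+Environment=KRB5_KTNAME=/etc/named.keytab
+PIDFile=/run/named/named.pid
+
+ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
+ExecStart=/usr/sbin/named-sdb -u named -c ${NAMEDCONF} $OPTIONS
+
+ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'
+
+ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
+
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target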
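Review bot: `Description=Berkeley Internet Name Domain (DNS)` is indistinguishable from the standard named unit, so an operator looking at `systemctl status` or the journal cannot tell that the SDB build (a separate binary with database back-end drivers compiled in) is what is running; `Description=Berkeley Internet Name Domain (DNS) with SDB backends` fixes that at no cost. Since the `[Install]` section lets this unit be enabled exactly like the default one, a one-line header comment pointing operators at the SDB driver documentation before they enable it would also be helpful.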
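--- a/SOURCES/named-setup-rndc.service
+++ b/SOURCES/named-setup-rndc.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=Generate rndc key for BIND (DNS)
+
+[Service]
+Type=oneshot
+
+ExecStart=/usr/libexec/generate-rndc-key.sh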
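--- a/SOURCES/named.conf
+++ b/SOURCES/named.conf
@@ -0,0 +1,59 @@
+//
+// named.conf
+//
+// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
+// server as a caching only nameserver (as a localhost DNS resolver only).
+//
+// See /usr/share/doc/bind*/sample/ for example named configuration files.
+//
+
+options {
+listen-on port 53 { 127.0.0.1; };
+listen-on-v6 port 53 { ::1; };
+directory "/var/named";
+dump-file "/var/named/data/cache_dump.db";
+statistics-file "/var/named/data/named_stats.txt";
+memstatistics-file "/var/named/data/named_mem_stats.txt";
+secroots-file "/var/named/data/named.secroots";
+recursing-file "/var/named/data/named.recursing";
+allow-query { localhost; };
+
+/*
+- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
+- If you are building a RECURSIVE (caching) DNS server, you need to enable
+recursion.
+- If your recursive DNS server has a public IP address, you MUST enable access
+control to limit queries to your legitimate users. Failing to do so will
+cause your server to become part of large scale DNS amplification
+attacks. Implementing BCP38 within your network would greatly
+reduce such attack surface
+*/
+recursion yes;
+
+dnssec-enable yes;
+dnssec-validation yes;
+
+managed-keys-directory "/var/named/dynamic";
+
+pid-file "/run/named/named.pid";
+session-keyfile "/run/named/session.key";
+
+/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
+include "/etc/crypto-policies/back-ends/bind.config";
+};
+
+logging {
+channel default_debug {
+file "data/named.run";
+severity dynamic;
+};
+};
+
+zone "." IN {
+type hint;
+file "named.ca";
+};
+
+include "/etc/named.rfc1912.zones";
+include "/etc/named.root.key";
+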
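Review bot: `dnssec-validation yes;` combined with `include "/etc/named.root.key";` makes validation depend on the trust anchors in that file being current — the root KSK was rolled in October 2018, so a host whose named.root.key is stale after an upgrade fails validation for every query — whereas `dnssec-validation auto;` uses named's compiled-in root anchor plus RFC 5011 tracking under `managed-keys-directory` and makes the include redundant; for a 9.11 default configuration I would switch to `auto` or at least add a comment that the included file must track the root KSK. The `logging` block defines only the debug channel, so if the resolver messages this commit's bind97-rh645544.patch lowers to debug level are applied, lame-server and FORMERR events vanish from default logs; a `category lame-servers` and `category security` channel at severity info would be a reasonable resolver default. The access-control comment above `recursion yes;` should also mention `allow-recursion`, since that — not `allow-query` — is what scopes recursive service once an operator widens the loopback-only listeners.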
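--- a/SOURCES/named.conf.sample
+++ b/SOURCES/named.conf.sample
@@ -0,0 +1,252 @@
+/*
+Sample named.conf BIND DNS server 'named' configuration file
+for the Red Hat BIND distribution.
+
+See the BIND Administrator's Reference Manual (ARM) for details, in:
+file:///usr/share/doc/bind-{version}/arm/Bv9ARM.html
+Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
+its manual.
+*/
+
+options
+{
+// Put files that named is allowed to write in the data/ directory:
+directory "/var/named"; // "Working" directory
+dump-file "data/cache_dump.db";
+statistics-file "data/named_stats.txt";
+memstatistics-file "data/named_mem_stats.txt";
+secroots-file "data/named.secroots";
+recursing-file "data/named.recursing";
+
+
+/*
+Specify listenning interfaces. You can use list of addresses (';' is
+delimiter) or keywords "any"/"none"
+*/
+//listen-on port 53 { any; };
+listen-on port 53 { 127.0.0.1; };
+
+//listen-on-v6 port 53 { any; };
+listen-on-v6 port 53 { ::1; };
+
+/*
+Access restrictions
+
+There are two important options:
+allow-query { argument; };
+- allow queries for authoritative data
+
+allow-query-cache { argument; };
+- allow queries for non-authoritative data (mostly cached data)
+
+You can use address, network address or keywords "any"/"localhost"/"none" as argument
+Examples:
+allow-query { localhost; 10.0.0.1; 192.168.1.0/8; };
+allow-query-cache { ::1; fe80::5c63:a8ff:fe2f:4526; 10.0.0.1; };
+*/
+
+allow-query { localhost; };
+allow-query-cache { localhost; };
+
+/* Enable/disable recursion - recursion yes/no;
+
+- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
+- If you are building a RECURSIVE (caching) DNS server, you need to enable
+recursion.
+- If your recursive DNS server has a public IP address, you MUST enable access
+control to limit queries to your legitimate users. Failing to do so will
+cause your server to become part of large scale DNS amplification
+attacks. Implementing BCP38 within your network would greatly
+reduce such attack surface
+*/
+recursion yes;
+
+/* DNSSEC related options. See information about keys ("Trusted keys", bellow) */
+
+/* Enable serving of DNSSEC related data - enable on both authoritative
+and recursive servers DNSSEC aware servers */
+dnssec-enable yes;
+
+/* Enable DNSSEC validation on recursive servers */
+dnssec-validation yes;
+
+/* In Fedora we use /run/named instead of default /var/run/named
+so we have to configure paths properly. */
+pid-file "/run/named/named.pid";
+session-keyfile "/run/named/session.key";
+
+managed-keys-directory "/var/named/dynamic";
+
+/* In Fedora we use system-wide Crypto Policy */
+/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
+include "/etc/crypto-policies/back-ends/bind.config";
+};
+
+logging
+{
+/* If you want to enable debugging, eg. using the 'rndc trace' command,
+* named will try to write the 'named.run' file in the $directory (/var/named).
+* By default, SELinux policy does not allow named to modify the /var/named directory,
+* so put the default debug log file in data/ :
+*/
+channel default_debug {
+file "data/named.run";
+severity dynamic;
+};
+};
+
+/*
+Views let a name server answer a DNS query differently depending on who is asking.
+
+By default, if named.conf contains no "view" clauses, all zones are in the
+"default" view, which matches all clients.
+
+Views are processed sequentially. The first match is used so the last view should
+match "any" - it's fallback and the most restricted view.
+
+If named.conf contains any "view" clause, then all zones MUST be in a view.
+*/
+
+view "localhost_resolver"
+{
+/* This view sets up named to be a localhost resolver ( caching only nameserver ).
+* If all you want is a caching-only nameserver, then you need only define this view:
+*/
+match-clients { localhost; };
+recursion yes;
+
+# all views must contain the root hints zone:
+zone "." IN {
+type hint;
+file "/var/named/named.ca";
+};
+
+/* these are zones that contain definitions for all the localhost
+* names and addresses, as recommended in RFC1912 - these names should
+* not leak to the other nameservers:
+*/
+include "/etc/named.rfc1912.zones";
+};
+view "internal"
+{
+/* This view will contain zones you want to serve only to "internal" clients
+that connect via your directly attached LAN interfaces - "localnets" .
+*/
+match-clients { localnets; };
+recursion yes;
+
+zone "." IN {
+type hint;
+file "/var/named/named.ca";
+};
+
+/* these are zones that contain definitions for all the localhost
+* names and addresses, as recommended in RFC1912 - these names should
+* not leak to the other nameservers:
+*/
+include "/etc/named.rfc1912.zones";
+
+// These are your "authoritative" internal zones, and would probably
+// also be included in the "localhost_resolver" view above :
+
+/*
+NOTE for dynamic DNS zones and secondary zones:
+
+DO NOT USE SAME FILES IN MULTIPLE VIEWS!
+
+If you are using views and DDNS/secondary zones it is strongly
+recommended to read FAQ on ISC site (www.isc.org), section
+"Configuration and Setup Questions", questions
+"How do I share a dynamic zone between multiple views?" and
+"How can I make a server a slave for both an internal and an external
+view at the same time?"
+*/
+
+zone "my.internal.zone" {
+type master;
+file "my.internal.zone.db";
+};
+zone "my.slave.internal.zone" {
+type slave;
+file "slaves/my.slave.internal.zone.db";
+masters { /* put master nameserver IPs here */ 127.0.0.1; } ;
+// put slave zones in the slaves/ directory so named can update them
+};
+zone "my.ddns.internal.zone" {
+type master;
+allow-update { key ddns_key; };
+file "dynamic/my.ddns.internal.zone.db";
+// put dynamically updateable zones in the slaves/ directory so named can update them
+};
+};
+
+key ddns_key
+{
+algorithm hmac-md5;
+secret "use /usr/sbin/dnssec-keygen to generate TSIG keys";
+};
+
+view "external"
+{
+/* This view will contain zones you want to serve only to "external" clients
+* that have addresses that are not match any above view:
+*/
+match-clients { any; };
+
+zone "." IN {
+type hint;
+file "/var/named/named.ca";
+};
+
+recursion no;
+// you'd probably want to deny recursion to external clients, so you don't
+// end up providing free DNS service to all takers
+
+// These are your "authoritative" external zones, and would probably
+// contain entries for just your web and mail servers:
+
+zone "my.external.zone" {
+type master;
+file "my.external.zone.db";
+};
+};
+
+/* Trusted keys
+
+This statement contains DNSSEC keys. If you want DNSSEC aware resolver you
+have to configure at least one trusted key.
+
+Note that no key written below is valid. Especially root key because root zone
+is not signed yet.
+*/
+/*
+trusted-keys {
+// Root Key
+"." 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwSJxrGkxJWoZu6I7PzJu/
+E9gx4UC1zGAHlXKdE4zYIpRhaBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3
+zy2Xy4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYghf+6fElrmLkdaz
+MQ2OCnACR817DF4BBa7UR/beDHyp5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M
+/lUUVRbkeg1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq66gKodQj+M
+iA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ97S+LKUTpQcq27R7AT3/V5hRQxScI
+Nqwcz4jYqZD2fQdgxbcDTClU0CRBdiieyLMNzXG3";
+
+// Key for forward zone
+example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM65KbhTjrW1ZaARmPhEZZe
+3Y9ifgEuq7vZ/zGZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb4JKUbb
+OTcM8pwXlj0EiX3oDFVmjHO444gLkBO UKUf/mC7HvfwYH/Be22GnC
+lrinKJp1Og4ywzO9WglMk7jbfW33gUKvirTHr25GL7STQUzBb5Usxt
+8lgnyTUHs1t3JwCY5hKZ6CqFxmAVZP20igTixin/1LcrgX/KMEGd/b
+iuvF4qJCyduieHukuY3H4XMAcR+xia2 nIUPvm/oyWR8BW/hWdzOvn
+SCThlHf3xiYleDbt/o1OTQ09A0=";
+
+// Key for reverse zone.
+2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwcxOdNax071L18QqZnQQQA
+VVr+iLhGTnNGp3HoWQLUIzKrJVZ3zggy3WwNT6kZo6c0
+tszYqbtvchmgQC8CzKojM/W16i6MG/ea fGU3siaOdS0
+yOI6BgPsw+YZdzlYMaIJGf4M4dyoKIhzdZyQ2bYQrjyQ
+4LB0lC7aOnsMyYKHHYeRv PxjIQXmdqgOJGq+vsevG06
+zW+1xgYJh9rCIfnm1GX/KMgxLPG2vXTD/RnLX+D3T3UL
+7HJYHJhAZD5L59VvjSPsZJHeDCUyWYrvPZesZDIRvhDD
+52SKvbheeTJUm6EhkzytNN2SN96QRk8j/iI8ib";
+};
+*/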
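Review bot: The sample TSIG key `key ddns_key` declares `algorithm hmac-md5;`; HMAC-MD5 is deprecated for TSIG and a sample is exactly what administrators copy from, so `algorithm hmac-sha256;` is the better default, and the `secret` placeholder could point at `tsig-keygen`, which this BIND release provides for generating such keys. Two comments contradict the paths next to them: the `my.ddns.internal.zone` note says the file goes in `slaves/` while the zone uses `file "dynamic/my.ddns.internal.zone.db"`, and the trusted-keys block still says the root zone `is not signed yet`. With `dnssec-validation yes;` and every `trusted-keys` entry commented out, this sample configures no active trust anchor; if validation is intended, `dnssec-validation auto;` (built-in root key, maintained under `managed-keys-directory`) closes that gap — worth confirming against the 9.11 ARM before changing the sample.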
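--- a/SOURCES/named.logrotate
+++ b/SOURCES/named.logrotate
@@ -0,0 +1,12 @@
+/var/named/data/named.run {
+missingok
+su named named
+create 0644 named named
+postrotate
+/usr/bin/systemctl reload named.service > /dev/null 2>&1 || true
+/usr/bin/systemctl reload named-chroot.service > /dev/null 2>&1 || true
+/usr/bin/systemctl reload named-sdb.service > /dev/null 2>&1 || true
+/usr/bin/systemctl reload named-sdb-chroot.service > /dev/null 2>&1 || true
+/usr/bin/systemctl reload named-pkcs11.service > /dev/null 2>&1 || true
+endscript
+}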
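Review bot: `create 0644 named named` recreates the debug log world-readable; the `default_debug` channel that writes `data/named.run` runs at `severity dynamic`, so after `rndc trace` the file carries client addresses and query names, and `create 0640 named named` keeps that readable only by the named user and group. The `postrotate` block itself is fine: each reload is independent and `|| true` keeps logrotate from failing on units that are not installed.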
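--- a/SOURCES/named.rwtab
+++ b/SOURCES/named.rwtab
@@ -0,0 +1,6 @@
+dirs /var/named
+
+files /var/named/named.ca
+files /var/named/named.empty
+files /var/named/named.localhost
+files /var/named/named.loopback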
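--- a/SOURCES/named.service
+++ b/SOURCES/named.service
@@ -0,0 +1,26 @@
+[Unit]
+Description=Berkeley Internet Name Domain (DNS)
+Wants=nss-lookup.target
+Wants=named-setup-rndc.service
+Before=nss-lookup.target
+After=named-setup-rndc.service
+After=network.target
+
+[Service]
+Type=forking
+Environment=NAMEDCONF=/etc/named.conf
+EnvironmentFile=-/etc/sysconfig/named
+Environment=KRB5_KTNAME=/etc/named.keytab
+PIDFile=/run/named/named.pid
+
+ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
+ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS
+
+ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'
+
+ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
+
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target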
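Review bot: The only sandboxing directive in `[Service]` is `PrivateTmp=true`; since named already drops to the `named` user via `-u named` and the shipped configuration writes only under `/var/named` and `/run/named`, `ProtectSystem=full` and `ProtectHome=true` look compatible and would keep a compromised named from touching the rest of the filesystem, though this needs a run against the rndc reload/stop paths and the chroot variant before merging. A smaller point on the `ExecStartPre=` line: `[ ! "$DISABLE_ZONE_CHECKING" == "yes" ]` relies on bash's `==`; `[ "$DISABLE_ZONE_CHECKING" != "yes" ]` expresses the same test portably and reads more directly.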
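--- a/SOURCES/named.sysconfig
+++ b/SOURCES/named.sysconfig
@@ -0,0 +1,17 @@
+# BIND named process options
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# OPTIONS="whatever" -- These additional options will be passed to named
+# at startup. Don't add -t here, enable proper
+# -chroot.service unit file.
+#
+# NAMEDCONF=/etc/named/alternate.conf
+# -- Don't use -c to change configuration file.
+# Extend systemd named.service instead or use this
+# variable.
+#
+# DISABLE_ZONE_CHECKING -- By default, service file calls named-checkzone
+# utility for every zone to ensure all zones are
+# valid before named starts. If you set this option
+# to 'yes' then service file doesn't perform those
+# checks.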
SOURCES/setup-named-chroot.sh
Executable file
117
SOURCES/setup-named-chroot.sh
Executable file
@ -0,0 +1,117 @@
|
||||
#!/bin/bash
|
||||
|
||||
ROOTDIR="$1"
|
||||
CONFIG_FILES="${3:-/etc/named-chroot.files}"
|
||||
|
||||
usage()
|
||||
{
|
||||
echo
|
||||
echo 'This script setups chroot environment for BIND'
|
||||
echo 'Usage: setup-named-chroot.sh ROOTDIR <on|off> [chroot.files]'
|
||||
}
|
||||
|
||||
if ! [ "$#" -ge 2 -a "$#" -le 3 ]; then
|
||||
echo 'Wrong number of arguments'
|
||||
usage
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Exit if ROOTDIR doesn't exist
|
||||
if ! [ -d "$ROOTDIR" ]; then
|
||||
echo "Root directory $ROOTDIR doesn't exist"
|
||||
usage
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if ! [ -r "$CONFIG_FILES" ]; then
|
||||
echo "Files list $CONFIG_FILES doesn't exist" 2>&1
|
||||
usage
|
||||
exit 1
|
||||
fi
|
||||
|
||||
dev_create()
|
||||
{
|
||||
DEVNAME="$ROOTDIR/dev/$1"
|
||||
shift
|
||||
if ! [ -e "$DEVNAME" ]; then
|
||||
/bin/mknod -m 0664 "$DEVNAME" $@
|
||||
/bin/chgrp named "$DEVNAME"
|
||||
if [ -x /usr/sbin/selinuxenabled -a -x /sbin/restorecon ]; then
|
||||
/usr/sbin/selinuxenabled && /sbin/restorecon "$DEVNAME" > /dev/null || :
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
dev_chroot_prep()
|
||||
{
|
||||
dev_create random c 1 8
|
||||
dev_create urandom c 1 9
|
||||
dev_create zero c 1 5
|
||||
dev_create null c 1 3
|
||||
}
|
||||
|
||||
files_comment_filter()
|
||||
{
|
||||
if [ -d "$1" ]; then
|
||||
grep -v '^[[:space:]]*#' "$1"/*.files
|
||||
else
|
||||
grep -v '^[[:space:]]*#' "$1"
|
||||
fi
|
||||
}
|
||||
|
||||
mount_chroot_conf()
|
||||
{
|
||||
if [ -n "$ROOTDIR" ]; then
|
||||
# Check devices are prepared
|
||||
dev_chroot_prep
|
||||
files_comment_filter "$CONFIG_FILES" | while read -r all; do
|
||||
# Skip nonexistant files
|
||||
[ -e "$all" ] || continue
|
||||
|
||||
# If mount source is a file
|
||||
if ! [ -d "$all" ]; then
|
||||
# mount it only if it is not present in chroot or it is empty
|
||||
if ! [ -e "$ROOTDIR$all" ] || [ `stat -c'%s' "$ROOTDIR$all"` -eq 0 ]; then
|
||||
touch "$ROOTDIR$all"
|
||||
mount --bind "$all" "$ROOTDIR$all"
|
||||
fi
|
||||
else
|
||||
# Mount source is a directory. Mount it only if directory in chroot is
|
||||
# empty.
|
||||
if [ -e "$all" ] && [ `ls -1A $ROOTDIR$all | wc -l` -eq 0 ]; then
|
||||
mount --bind --make-private "$all" "$ROOTDIR$all"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
fi
|
||||
}
|
||||
|
||||
umount_chroot_conf()
|
||||
{
|
||||
if [ -n "$ROOTDIR" ]; then
|
||||
files_comment_filter "$CONFIG_FILES" | while read -r all; do
|
||||
# Check if file is mount target. Do not use /proc/mounts because detecting
|
||||
# of modified mounted files can fail.
|
||||
if mount | grep -q '.* on '"$ROOTDIR$all"' .*'; then
|
||||
umount "$ROOTDIR$all"
|
||||
# Remove temporary created files
|
||||
[ -f "$all" ] && rm -f "$ROOTDIR$all"
|
||||
fi
|
||||
done
|
||||
fi
|
||||
}
|
||||
|
||||
case "$2" in
|
||||
on)
|
||||
mount_chroot_conf
|
||||
;;
|
||||
off)
|
||||
umount_chroot_conf
|
||||
;;
|
||||
*)
|
||||
echo 'Second argument has to be "on" or "off"'
|
||||
usage
|
||||
exit 1
|
||||
esac
|
||||
|
||||
exit 0
|
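Review bot: `echo "Files list $CONFIG_FILES doesn't exist" 2>&1` sends stderr to stdout, the opposite of what an error message wants; it should be `>&2`, as setup-named-softhsm.sh in this same commit already does. Two unquoted expansions deserve the same care the rest of the script takes: `/bin/mknod -m 0664 "$DEVNAME" $@` should be `"$@"`, and `ls -1A $ROOTDIR$all | wc -l` in mount_chroot_conf splits on whitespace in the path, so quote it (`"$ROOTDIR$all"`) or test emptiness with `find "$ROOTDIR$all" -mindepth 1 -maxdepth 1`. In umount_chroot_conf the `grep -q '.* on '"$ROOTDIR$all"' .*'` test treats the path as a regular expression, so each `.` matches any character; a fixed-string match such as `grep -qF -- " on $ROOTDIR$all "` compares the path exactly.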
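--- a/SOURCES/setup-named-softhsm.sh
+++ b/SOURCES/setup-named-softhsm.sh
@@ -0,0 +1,55 @@
+#!/bin/sh
+#
+# This script will initialise token storage of softhsm PKCS11 provider
+# in custom location. Is useful to store tokens in non-standard location.
+
+SOFTHSM2_CONF="$1"
+TOKENPATH="$2"
+GROUPNAME="$3"
+# Do not use this script for real keys worth protection
+# This is intended for crypto accelerators using PKCS11 interface.
+# Uninitialized token would fail any crypto operation.
+PIN=1234
+
+set -e
+
+if [ -z "$SOFTHSM2_CONF" -o -z "$TOKENPATH" ]; then
+echo "Usage: $0 <config file> <token directory> [group]" >&2
+exit 1
+fi
+
+if ! [ -f "$SOFTHSM2_CONF" ]; then
+cat << SED > "$SOFTHSM2_CONF"
+# SoftHSM v2 configuration file
+
+directories.tokendir = ${TOKENPATH}
+objectstore.backend = file
+
+# ERROR, WARNING, INFO, DEBUG
+log.level = ERROR
+
+# If CKF_REMOVABLE_DEVICE flag should be set
+slots.removable = false
+SED
+else
+echo "Config file $SOFTHSM2_CONF already exists" >&2
+fi
+
+[ -d "$TOKENPATH" ] || mkdir -p "$TOKENPATH"
+
+export SOFTHSM2_CONF
+
+if softhsm2-util --show-slots | grep 'Initialized:[[:space:]]*yes' > /dev/null
+then
+echo "Token in ${TOKENPATH} is already initialized" >&2
+else
+echo "Initializing tokens to ${TOKENPATH}..."
+softhsm2-util --init-token --free --label rpm --pin $PIN --so-pin $PIN
+
+if [ -n "$GROUPNAME" ]; then
+chgrp -R -- "$GROUPNAME" "$TOKENPATH"
+chmod -R -- g=rX,o= "$TOKENPATH"
+fi
+fi
+
+echo "export SOFTHSM2_CONF=\"$SOFTHSM2_CONF\""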
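Review bot: The `chgrp -R -- "$GROUPNAME" "$TOKENPATH"` / `chmod -R -- g=rX,o= "$TOKENPATH"` block sits inside the else-branch that initializes a token, so on a re-run against an already initialized `$TOKENPATH` the group and mode are never enforced and whatever `mkdir -p` and the caller's umask produced is kept; moving the `if [ -n "$GROUPNAME" ]` block below the outer `fi` applies it on every invocation. The config file written by `cat << SED > "$SOFTHSM2_CONF"` is likewise created under the inherited umask, so a `umask 027` next to `set -e` would make both the config and the token directory predictable regardless of how the script is launched. The hard-coded `PIN=1234` is already called out by the comment above it as unsuitable for keys worth protecting, which is the right caveat for a script that only stands up a software token for the package.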
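--- a/SOURCES/trusted-key.key
+++ b/SOURCES/trusted-key.key
@@ -0,0 +1,2 @@
+. 3600 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
+. 3600 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=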
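--- a/SOURCES/zone2sqlite.1
+++ b/SOURCES/zone2sqlite.1
@@ -0,0 +1,53 @@
+.\" Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001 Internet Software Consortium.
+.\"
+.\" Permission to use, copy, modify, and/or distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" Manpage written by Jan Gorig
+.TH zone2sqlite 1 "15 March 2010" "BIND9"
+.SH NAME
+zone2sqlite - Load BIND 9 zone file into SQLite database
+.SH SYNOPSIS
+.B zone2sqlite zone zonefile dbfile dbtable
+.SH DESCRIPTION
+zone2sqlite parses DNS zone file and creates database for use with SQLite BIND SDB driver.
+
+\fBzone\fR
+.RS 4
+Zone origin, eg "mydomain.net."
+.RE
+.PP
+\fBzonefile\fR
+.RS 4
+Master zone database file, eg. mydomain.net.zone
+.RE
+.PP
+\fBdbfile\fR
+.RS 4
+Name of SQLite database file
+.RE
+.PP
+\fBdbtable\fR
+.RS 4
+Name of table in database
+.RE
+
+.SH "EXIT STATUS"
+Exits with 0 on success or 1 on failure.
+.SH "SEE ALSO"
+named(8)
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005, 2007\-2009 Internet Systems Consortium, Inc. ("ISC")
+.br
+Copyright \(co 2000, 2001 Internet Software Consortium.
+.br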
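--- a/SOURCES/zonetodb.1
+++ b/SOURCES/zonetodb.1
@@ -0,0 +1,53 @@
+.\" Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001 Internet Software Consortium.
+.\"
+.\" Permission to use, copy, modify, and/or distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" Manpage written by Jan Gorig
+.TH zonetodb 1 "15 March 2010" "BIND9"
+.SH NAME
+zonetodb - Generate a PostgreSQL table from a zone.
+.SH SYNOPSIS
+.B zonetodb origin file dbname dbtable
+.SH DESCRIPTION
+zonetodb parses DNS zone file and creates table in selected database for use with PostgreSQL BIND SDB driver.
+
+\fBzone\fR
+.RS 4
+Zone origin, eg "pgdb.net."
+.RE
+.PP
+\fBfile\fR
+.RS 4
+Master zone database file, eg. pgdb.net.db
+.RE
+.PP
+\fBdbname\fR
+.RS 4
+Name of PostgreSQL database (database must exist)
+.RE
+.PP
+\fBdbtable\fR
+.RS 4
+Name of table in database
+.RE
+
+.SH "EXIT STATUS"
+Exits with 0 on success or 1 on failure.
+.SH "SEE ALSO"
+named(8)
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005, 2007\-2009 Internet Systems Consortium, Inc. ("ISC")
+.br
+Copyright \(co 2000, 2001 Internet Software Consortium.
+.br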
4015
SPECS/bind.spec
Normal file
4015
SPECS/bind.spec
Normal file