import bind-9.11.20-5.el8

c8 imports/c8/bind-9.11.20-5.el8
CentOS Sources 3 years ago committed by Andrew Lukoshko
parent c155b2de68
commit 864e18c0c8

@ -1,2 +1,2 @@
550367762a653ac5ed0eb04b316d06517650a925 SOURCES/bind-9.11.13.tar.gz
ff6ad0d3f9282a77786e93eb889154008ef1ccdf SOURCES/bind-9.11.20.tar.gz
a164fcad1d64d6b5fab5034928cb7260f1fa8fdd SOURCES/random.data

2
.gitignore vendored

@ -1,2 +1,2 @@
SOURCES/bind-9.11.13.tar.gz
SOURCES/bind-9.11.20.tar.gz
SOURCES/random.data

@ -79,10 +79,10 @@ index 03a72d5..4c1cb6d 100644
@DLZ_DRIVER_RULES@
diff --git a/bin/named-sdb/main.c b/bin/named-sdb/main.c
index 108b8d6..a943421 100644
index c9fc3cc..148ebb3 100644
--- a/bin/named-sdb/main.c
+++ b/bin/named-sdb/main.c
@@ -93,6 +93,10 @@
@@ -97,6 +97,10 @@
* Include header files for database drivers here.
*/
/* #include "xxdb.h" */
@ -93,7 +93,7 @@ index 108b8d6..a943421 100644
#ifdef CONTRIB_DLZ
/*
@@ -1069,6 +1073,11 @@ setup(void) {
@@ -1134,6 +1138,11 @@ setup(void) {
ns_main_earlyfatal("isc_app_start() failed: %s",
isc_result_totext(result));
@ -105,7 +105,7 @@ index 108b8d6..a943421 100644
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
ISC_LOG_NOTICE, "starting %s %s%s%s <id:%s>",
ns_g_product, ns_g_version,
@@ -1269,6 +1278,75 @@ setup(void) {
@@ -1334,6 +1343,75 @@ setup(void) {
isc_result_totext(result));
#endif
@ -181,7 +181,7 @@ index 108b8d6..a943421 100644
ns_server_create(ns_g_mctx, &ns_g_server);
#ifdef HAVE_LIBSECCOMP
@@ -1311,6 +1389,11 @@ cleanup(void) {
@@ -1376,6 +1454,11 @@ cleanup(void) {
dns_name_destroy();
@ -288,10 +288,10 @@ index c7e0868..95ab742 100644
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2sqlite@EXEEXT@ ${DESTDIR}${sbindir}
${INSTALL_DATA} ${srcdir}/zone2ldap.1 ${DESTDIR}${mandir}/man1/zone2ldap.1
diff --git a/configure.ac b/configure.ac
index eff9f05..d05ad1f 100644
index f85f45f..7d28c52 100644
--- a/configure.ac
+++ b/configure.ac
@@ -5429,6 +5429,8 @@ AC_CONFIG_FILES([
@@ -5400,6 +5400,8 @@ AC_CONFIG_FILES([
bin/named/unix/Makefile
bin/named-pkcs11/Makefile
bin/named-pkcs11/unix/Makefile
@ -300,9 +300,9 @@ index eff9f05..d05ad1f 100644
bin/nsupdate/Makefile
bin/pkcs11/Makefile
bin/python/Makefile
@@ -5453,6 +5455,7 @@ AC_CONFIG_FILES([
bin/python/isc/tests/dnskey_test.py
@@ -5424,6 +5426,7 @@ AC_CONFIG_FILES([
bin/python/isc/tests/policy_test.py
bin/python/isc/utils.py
bin/rndc/Makefile
+ bin/sdb_tools/Makefile
bin/tests/Makefile

@ -1,292 +0,0 @@
From a64853318ade406ef0db744918bb2828cf0a6247 Mon Sep 17 00:00:00 2001
From: Stephen Morris <stephen@isc.org>
Date: Thu, 5 Mar 2020 18:46:46 +0000
Subject: [PATCH] Add test for reduction in number of fetches
Add a system test that counts how many address fetches are made
for different numbers of NS records and checks that the number
are successfully limited.
(cherry picked from commit 5fb65f45443225180296b361a12be0fead5049f2)
---
bin/tests/system/resolver/clean.sh | 4 +-
bin/tests/system/resolver/ns4/named.conf.in | 5 ++
bin/tests/system/resolver/ns4/root.db | 4 +
bin/tests/system/resolver/ns4/sourcens.db | 89 +++++++++++++++++++++
bin/tests/system/resolver/ns5/named.conf.in | 9 ++-
bin/tests/system/resolver/ns6/named.conf.in | 15 ++++
bin/tests/system/resolver/ns6/targetns.db | 23 ++++++
bin/tests/system/resolver/tests.sh | 34 ++++++++
8 files changed, 180 insertions(+), 3 deletions(-)
create mode 100644 bin/tests/system/resolver/ns4/sourcens.db
create mode 100644 bin/tests/system/resolver/ns6/targetns.db
diff --git a/bin/tests/system/resolver/clean.sh b/bin/tests/system/resolver/clean.sh
index 4dfde1f3e7..b3e4bc0b5d 100644
--- a/bin/tests/system/resolver/clean.sh
+++ b/bin/tests/system/resolver/clean.sh
@@ -17,8 +17,7 @@ rm -f */named.memstats
rm -f */named.run
rm -f */ans.run
rm -f */*.jdb
-rm -f dig.out dig.out.*
-rm -f dig.*.out.*
+rm -f dig.out dig.out.* dig.*.out.*
rm -f dig.*.foo.*
rm -f dig.*.bar.*
rm -f dig.*.prime.*
@@ -28,6 +27,7 @@ rm -f ns6/example.net.db.signed ns6/example.net.db
rm -f ns6/ds.example.net.db.signed ns6/ds.example.net.db
rm -f ns6/dsset-ds.example.net*
rm -f ns6/dsset-example.net* ns6/example.net.db.signed.jnl
+rm -f ns6/named.stats*
rm -f ns6/to-be-removed.tld.db ns6/to-be-removed.tld.db.jnl
rm -f ns7/server.db ns7/server.db.jnl
rm -f resolve.out.*.test*
diff --git a/bin/tests/system/resolver/ns4/named.conf.in b/bin/tests/system/resolver/ns4/named.conf.in
index c679dc3151..56fe5d0dd8 100644
--- a/bin/tests/system/resolver/ns4/named.conf.in
+++ b/bin/tests/system/resolver/ns4/named.conf.in
@@ -50,6 +50,11 @@ zone "broken" {
file "broken.db";
};
+zone "sourcens" {
+ type master;
+ file "sourcens.db";
+};
+
key rndc_key {
secret "1234abcd8765";
algorithm hmac-sha256;
diff --git a/bin/tests/system/resolver/ns4/root.db b/bin/tests/system/resolver/ns4/root.db
index 721765d1be..ae541340da 100644
--- a/bin/tests/system/resolver/ns4/root.db
+++ b/bin/tests/system/resolver/ns4/root.db
@@ -24,3 +24,7 @@ example.net. NS ns.example.net.
ns.example.net. A 10.53.0.6
no-questions. NS ns.no-questions.
ns.no-questions. A 10.53.0.8
+sourcens. NS ns.sourcens.
+ns.sourcens. A 10.53.0.4
+targetns. NS ns.targetns.
+ns.targetns. A 10.53.0.6
diff --git a/bin/tests/system/resolver/ns4/sourcens.db b/bin/tests/system/resolver/ns4/sourcens.db
new file mode 100644
index 0000000000..b02cc6e835
--- /dev/null
+++ b/bin/tests/system/resolver/ns4/sourcens.db
@@ -0,0 +1,89 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This zone contains a set of delegations with varying numbers of NS
+; records. This is used to check that BIND is limiting the number of
+; NS records it follows when resolving a delegation. It tests all
+; numbers of NS records up to twice the number followed.
+
+$TTL 60
+@ IN SOA marka.isc.org. ns.server. (
+ 2010 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+@ NS ns
+ns A 10.53.0.4
+
+target1 NS ns.fake11.targetns.
+
+target2 NS ns.fake21.targetns.
+ NS ns.fake22.targetns.
+
+target3 NS ns.fake31.targetns.
+ NS ns.fake32.targetns.
+ NS ns.fake33.targetns.
+
+target4 NS ns.fake41.targetns.
+ NS ns.fake42.targetns.
+ NS ns.fake43.targetns.
+ NS ns.fake44.targetns.
+
+target5 NS ns.fake51.targetns.
+ NS ns.fake52.targetns.
+ NS ns.fake53.targetns.
+ NS ns.fake54.targetns.
+ NS ns.fake55.targetns.
+
+target6 NS ns.fake61.targetns.
+ NS ns.fake62.targetns.
+ NS ns.fake63.targetns.
+ NS ns.fake64.targetns.
+ NS ns.fake65.targetns.
+ NS ns.fake66.targetns.
+
+target7 NS ns.fake71.targetns.
+ NS ns.fake72.targetns.
+ NS ns.fake73.targetns.
+ NS ns.fake74.targetns.
+ NS ns.fake75.targetns.
+ NS ns.fake76.targetns.
+ NS ns.fake77.targetns.
+
+target8 NS ns.fake81.targetns.
+ NS ns.fake82.targetns.
+ NS ns.fake83.targetns.
+ NS ns.fake84.targetns.
+ NS ns.fake85.targetns.
+ NS ns.fake86.targetns.
+ NS ns.fake87.targetns.
+ NS ns.fake88.targetns.
+
+target9 NS ns.fake91.targetns.
+ NS ns.fake92.targetns.
+ NS ns.fake93.targetns.
+ NS ns.fake94.targetns.
+ NS ns.fake95.targetns.
+ NS ns.fake96.targetns.
+ NS ns.fake97.targetns.
+ NS ns.fake98.targetns.
+ NS ns.fake99.targetns.
+
+target10 NS ns.fake101.targetns.
+ NS ns.fake102.targetns.
+ NS ns.fake103.targetns.
+ NS ns.fake104.targetns.
+ NS ns.fake105.targetns.
+ NS ns.fake106.targetns.
+ NS ns.fake107.targetns.
+ NS ns.fake108.targetns.
+ NS ns.fake109.targetns.
+ NS ns.fake1010.targetns.
diff --git a/bin/tests/system/resolver/ns5/named.conf.in b/bin/tests/system/resolver/ns5/named.conf.in
index 07205c9938..90818e4556 100644
--- a/bin/tests/system/resolver/ns5/named.conf.in
+++ b/bin/tests/system/resolver/ns5/named.conf.in
@@ -46,4 +46,11 @@ zone "delegation-only" {
type delegation-only;
};
-include "trusted.conf";
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
diff --git a/bin/tests/system/resolver/ns6/named.conf.in b/bin/tests/system/resolver/ns6/named.conf.in
index 7df48558b8..4b01f9ba14 100644
--- a/bin/tests/system/resolver/ns6/named.conf.in
+++ b/bin/tests/system/resolver/ns6/named.conf.in
@@ -22,6 +22,7 @@ options {
recursion no;
// minimal-responses yes;
querylog yes;
+ statistics-file "named.stats";
/*
* test that named loads with root-delegation-only that
* has a exclude list.
@@ -67,3 +68,17 @@ zone "delegation-only" {
type master;
file "delegation-only.db";
};
+
+zone "targetns" {
+ type master;
+ file "targetns.db";
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
diff --git a/bin/tests/system/resolver/ns6/targetns.db b/bin/tests/system/resolver/ns6/targetns.db
new file mode 100644
index 0000000000..036e64580b
--- /dev/null
+++ b/bin/tests/system/resolver/ns6/targetns.db
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; In the test for checking how many NS records BIND will follow, this
+; zone marks the server as the one to which the NS lookups will be
+; directed.
+
+$TTL 300
+@ IN SOA marka.isc.org. ns.server. (
+ 2010 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+ NS ns
+ns A 10.53.0.6
diff --git a/bin/tests/system/resolver/tests.sh b/bin/tests/system/resolver/tests.sh
index 12d2819e30..178ba4d79b 100755
--- a/bin/tests/system/resolver/tests.sh
+++ b/bin/tests/system/resolver/tests.sh
@@ -247,6 +247,40 @@ if [ -x ${RESOLVE} ] ; then
status=`expr $status + $ret`
fi
+n=`expr $n + 1`
+echo_i "check that the resolver limits the number of NS records it follows in a referral response ($n)"
+# ns5 is the recusor being tested. ns4 holds the sourcens zone containing names with varying numbers of NS
+# records pointing to non-existent nameservers in the targetns zone on ns6.
+ret=0
+$RNDCCMD 10.53.0.5 flush || ret=1 # Ensure cache is empty before doing this test
+for nscount in 1 2 3 4 5 6 7 8 9 10
+do
+ # Verify number of NS records at source server
+ $DIG $DIGOPTS +norecurse @10.53.0.4 target${nscount}.sourcens ns > dig.ns4.out.${nscount}.${n}
+ sourcerecs=`grep NS dig.ns4.out.${nscount}.${n} | grep -v ';' | wc -l`
+ test $sourcerecs -eq $nscount || ret=1
+ test $sourcerecs -eq $nscount || echo_i "NS count incorrect for target${nscount}.sourcens"
+ # Expected queries = 2 * number of NS records, up to a maximum of 10.
+ expected=`expr 2 \* $nscount`
+ if [ $expected -gt 10 ]; then expected=10; fi
+ # Work out the queries made by checking statistics on the target before and after the test
+ $RNDCCMD 10.53.0.6 stats || ret=1
+ initial_count=`awk '/responses sent/ {print $1}' ns6/named.stats`
+ mv ns6/named.stats ns6/named.stats.initial.${nscount}.${n}
+ $DIG $DIGOPTS @10.53.0.5 target${nscount}.sourcens A > dig.ns5.out.${nscount}.${n} || ret=1
+ $RNDCCMD 10.53.0.6 stats || ret=1
+ final_count=`awk '/responses sent/ {print $1}' ns6/named.stats`
+ mv ns6/named.stats ns6/named.stats.final.${nscount}.${n}
+ # Check number of queries during the test is as expected
+ actual=`expr $final_count - $initial_count`
+ if [ $actual -ne $expected ]; then
+ echo_i "query count error: $nscount NS records: expected queries $expected, actual $actual"
+ ret=1
+ fi
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
n=`expr $n + 1`
echo_i "RT21594 regression test check setup ($n)"
ret=0
--
2.21.1

@ -1,78 +0,0 @@
From eee06b7744c4999ec3c7cb0654f97a9b4c79f77f Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Wed, 25 Mar 2020 17:44:51 +1100
Subject: [PATCH] Check that a 'BADTIME' response with 'QR=0' is handled as a
request
(cherry picked from commit 67ba3f8f3ab2a748dff1e8a2029fde3bc84ec3f1)
---
bin/tests/system/tsig/badtime | 37 ++++++++++++++++++++++++++++++++++
bin/tests/system/tsig/tests.sh | 9 +++++++++
2 files changed, 46 insertions(+)
create mode 100644 bin/tests/system/tsig/badtime
diff --git a/bin/tests/system/tsig/badtime b/bin/tests/system/tsig/badtime
new file mode 100644
index 0000000000..7926404cfb
--- /dev/null
+++ b/bin/tests/system/tsig/badtime
@@ -0,0 +1,37 @@
+# Transaction ID
+1122
+# Standard query
+0000
+# Questions: 1, Additional: 1
+0001 0000 0000 0001
+# QNAME: isc.org
+03 69 73 63 03 6F 72 67 00
+# Type: A (Host Address)
+0001
+# Class: IN
+0001
+# Specially crafted TSIG Resource Record
+# Name: "sha256"
+06 73 68 61 32 35 36 00
+# Type: TSIG (Transaction Signature)
+00fa
+# Class: ANY
+00ff
+# TTL: 0
+00000000
+# RdLen: 29
+001d
+# Algorithm Name: hmac-sha256
+0b 68 6D 61 63 2D 73 68 61 32 35 36 00
+# Time Signed: Jan 1, 1970 01:00:00.000000000 CET
+00 00 00 00 00 00
+# Fudge: 300
+012c
+# MAC Size: 0; MAC: empty
+0000
+# Original ID: 0
+0000
+# Error: BADSIG
+0010
+# Other Data Length: 0
+0000
diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh
index cade35bc1d..284aea1056 100644
--- a/bin/tests/system/tsig/tests.sh
+++ b/bin/tests/system/tsig/tests.sh
@@ -233,5 +233,14 @@ if [ $ret -eq 1 ] ; then
echo "I: failed"; status=1
fi
+echo_i "check that a 'BADTIME' response with 'QR=0' is handled as a request"
+ret=0
+$PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp < badtime > /dev/null
+$DIG -p ${PORT} @10.53.0.1 version.bind txt ch > dig.out.verify || ret=1
+grep "status: NOERROR" dig.out.verify > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+fi
+
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
--
2.21.1

@ -0,0 +1,57 @@
From c5a9fd85a19a63f88a5f17c7e6d074ee22364093 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Tue, 18 Aug 2020 10:53:33 +0200
Subject: [PATCH] Fix CVE-2020-8622
5476. [security] It was possible to trigger an assertion failure when
verifying the response to a TSIG-signed request.
(CVE-2020-8622) [GL #2028]
---
lib/dns/message.c | 24 +++++++++++++-----------
1 file changed, 13 insertions(+), 11 deletions(-)
diff --git a/lib/dns/message.c b/lib/dns/message.c
index d9e341a..7c813a5 100644
--- a/lib/dns/message.c
+++ b/lib/dns/message.c
@@ -1712,6 +1712,19 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
msg->header_ok = 0;
msg->question_ok = 0;
+ if ((options & DNS_MESSAGEPARSE_CLONEBUFFER) == 0) {
+ isc_buffer_usedregion(&origsource, &msg->saved);
+ } else {
+ msg->saved.length = isc_buffer_usedlength(&origsource);
+ msg->saved.base = isc_mem_get(msg->mctx, msg->saved.length);
+ if (msg->saved.base == NULL) {
+ return (ISC_R_NOMEMORY);
+ }
+ memmove(msg->saved.base, isc_buffer_base(&origsource),
+ msg->saved.length);
+ msg->free_saved = 1;
+ }
+
isc_buffer_remainingregion(source, &r);
if (r.length < DNS_MESSAGE_HEADERLEN)
return (ISC_R_UNEXPECTEDEND);
@@ -1787,17 +1800,6 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
}
truncated:
- if ((options & DNS_MESSAGEPARSE_CLONEBUFFER) == 0)
- isc_buffer_usedregion(&origsource, &msg->saved);
- else {
- msg->saved.length = isc_buffer_usedlength(&origsource);
- msg->saved.base = isc_mem_get(msg->mctx, msg->saved.length);
- if (msg->saved.base == NULL)
- return (ISC_R_NOMEMORY);
- memmove(msg->saved.base, isc_buffer_base(&origsource),
- msg->saved.length);
- msg->free_saved = 1;
- }
if (ret == ISC_R_UNEXPECTEDEND && ignore_tc)
return (DNS_R_RECOVERABLE);
--
2.26.2

@ -0,0 +1,400 @@
From e8b7be1e1ff3e11bc8d592c3c8d6a0f0d69e9947 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Tue, 18 Aug 2020 10:54:39 +0200
Subject: [PATCH] Fix CVE-2020-8623
5480. [security] When BIND 9 was compiled with native PKCS#11 support, it
was possible to trigger an assertion failure in code
determining the number of bits in the PKCS#11 RSA public
key with a specially crafted packet. (CVE-2020-8623)
[GL #2037]
---
lib/dns/pkcs11dh_link.c | 15 ++++++-
lib/dns/pkcs11dsa_link.c | 8 +++-
lib/dns/pkcs11rsa_link.c | 79 +++++++++++++++++++++++++--------
lib/isc/include/pk11/internal.h | 3 +-
lib/isc/pk11.c | 61 ++++++++++++++++---------
5 files changed, 121 insertions(+), 45 deletions(-)
diff --git a/lib/dns/pkcs11dh_link.c b/lib/dns/pkcs11dh_link.c
index e2b60ea..4cd8e32 100644
--- a/lib/dns/pkcs11dh_link.c
+++ b/lib/dns/pkcs11dh_link.c
@@ -748,6 +748,7 @@ pkcs11dh_fromdns(dst_key_t *key, isc_buffer_t *data) {
CK_BYTE *prime = NULL, *base = NULL, *pub = NULL;
CK_ATTRIBUTE *attr;
int special = 0;
+ unsigned int bits;
isc_result_t result;
isc_buffer_remainingregion(data, &r);
@@ -852,7 +853,11 @@ pkcs11dh_fromdns(dst_key_t *key, isc_buffer_t *data) {
pub = r.base;
isc_region_consume(&r, publen);
- key->key_size = pk11_numbits(prime, plen_);
+ result = pk11_numbits(prime, plen_, &bits);
+ if (result != ISC_R_SUCCESS) {
+ goto cleanup;
+ }
+ key->key_size = bits;
dh->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 3);
if (dh->repr == NULL)
@@ -1012,6 +1017,7 @@ pkcs11dh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
dst_private_t priv;
isc_result_t ret;
int i;
+ unsigned int bits;
pk11_object_t *dh = NULL;
CK_ATTRIBUTE *attr;
isc_mem_t *mctx;
@@ -1082,7 +1088,12 @@ pkcs11dh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
attr = pk11_attribute_bytype(dh, CKA_PRIME);
INSIST(attr != NULL);
- key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
+
+ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
+ if (ret != ISC_R_SUCCESS) {
+ goto err;
+ }
+ key->key_size = bits;
return (ISC_R_SUCCESS);
diff --git a/lib/dns/pkcs11dsa_link.c b/lib/dns/pkcs11dsa_link.c
index 12d707a..24d4c14 100644
--- a/lib/dns/pkcs11dsa_link.c
+++ b/lib/dns/pkcs11dsa_link.c
@@ -983,6 +983,7 @@ pkcs11dsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
dst_private_t priv;
isc_result_t ret;
int i;
+ unsigned int bits;
pk11_object_t *dsa = NULL;
CK_ATTRIBUTE *attr;
isc_mem_t *mctx = key->mctx;
@@ -1072,7 +1073,12 @@ pkcs11dsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
attr = pk11_attribute_bytype(dsa, CKA_PRIME);
INSIST(attr != NULL);
- key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
+
+ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
+ if (ret != ISC_R_SUCCESS) {
+ goto err;
+ }
+ key->key_size = bits;
return (ISC_R_SUCCESS);
diff --git a/lib/dns/pkcs11rsa_link.c b/lib/dns/pkcs11rsa_link.c
index 6c280bf..86e136a 100644
--- a/lib/dns/pkcs11rsa_link.c
+++ b/lib/dns/pkcs11rsa_link.c
@@ -337,6 +337,7 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits,
key->key_alg == DST_ALG_RSASHA256 ||
key->key_alg == DST_ALG_RSASHA512);
#endif
+ REQUIRE(maxbits <= RSA_MAX_PUBEXP_BITS);
/*
* Reject incorrect RSA key lengths.
@@ -381,6 +382,7 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits,
for (attr = pk11_attribute_first(rsa);
attr != NULL;
attr = pk11_attribute_next(rsa, attr))
+ {
switch (attr->type) {
case CKA_MODULUS:
INSIST(keyTemplate[5].type == attr->type);
@@ -401,12 +403,16 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits,
memmove(keyTemplate[6].pValue, attr->pValue,
attr->ulValueLen);
keyTemplate[6].ulValueLen = attr->ulValueLen;
- if (pk11_numbits(attr->pValue,
- attr->ulValueLen) > maxbits &&
- maxbits != 0)
+ unsigned int bits;
+ ret = pk11_numbits(attr->pValue, attr->ulValueLen,
+ &bits);
+ if (ret != ISC_R_SUCCESS ||
+ (bits > maxbits && maxbits != 0)) {
DST_RET(DST_R_VERIFYFAILURE);
+ }
break;
}
+ }
pk11_ctx->object = CK_INVALID_HANDLE;
pk11_ctx->ontoken = false;
PK11_RET(pkcs_C_CreateObject,
@@ -1086,6 +1092,7 @@ pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
keyTemplate[5].ulValueLen = attr->ulValueLen;
break;
case CKA_PUBLIC_EXPONENT:
+ unsigned int bits;
INSIST(keyTemplate[6].type == attr->type);
keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
attr->ulValueLen);
@@ -1094,10 +1101,12 @@ pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
memmove(keyTemplate[6].pValue, attr->pValue,
attr->ulValueLen);
keyTemplate[6].ulValueLen = attr->ulValueLen;
- if (pk11_numbits(attr->pValue,
- attr->ulValueLen)
- > RSA_MAX_PUBEXP_BITS)
+ ret = pk11_numbits(attr->pValue, attr->ulValueLen,
+ &bits);
+ if (ret != ISC_R_SUCCESS || bits > RSA_MAX_PUBEXP_BITS)
+ {
DST_RET(DST_R_VERIFYFAILURE);
+ }
break;
}
pk11_ctx->object = CK_INVALID_HANDLE;
@@ -1475,6 +1484,8 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
CK_BYTE *exponent = NULL, *modulus = NULL;
CK_ATTRIBUTE *attr;
unsigned int length;
+ unsigned int bits;
+ isc_result_t ret = ISC_R_SUCCESS;
isc_buffer_remainingregion(data, &r);
if (r.length == 0)
@@ -1492,9 +1503,7 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
if (e_bytes == 0) {
if (r.length < 2) {
- isc_safe_memwipe(rsa, sizeof(*rsa));
- isc_mem_put(key->mctx, rsa, sizeof(*rsa));
- return (DST_R_INVALIDPUBLICKEY);
+ DST_RET(DST_R_INVALIDPUBLICKEY);
}
e_bytes = (*r.base) << 8;
isc_region_consume(&r, 1);
@@ -1503,16 +1512,18 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
}
if (r.length < e_bytes) {
- isc_safe_memwipe(rsa, sizeof(*rsa));
- isc_mem_put(key->mctx, rsa, sizeof(*rsa));
- return (DST_R_INVALIDPUBLICKEY);
+ DST_RET(DST_R_INVALIDPUBLICKEY);
}
exponent = r.base;
isc_region_consume(&r, e_bytes);
modulus = r.base;
mod_bytes = r.length;
- key->key_size = pk11_numbits(modulus, mod_bytes);
+ ret = pk11_numbits(modulus, mod_bytes, &bits);
+ if (ret != ISC_R_SUCCESS) {
+ goto err;
+ }
+ key->key_size = bits;
isc_buffer_forward(data, length);
@@ -1562,9 +1573,12 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
rsa->repr,
rsa->attrcnt * sizeof(*attr));
}
+ ret = ISC_R_NOMEMORY;
+
+ err:
isc_safe_memwipe(rsa, sizeof(*rsa));
isc_mem_put(key->mctx, rsa, sizeof(*rsa));
- return (ISC_R_NOMEMORY);
+ return (ret);
}
static isc_result_t
@@ -1743,6 +1757,7 @@ pkcs11rsa_fetch(dst_key_t *key, const char *engine, const char *label,
pk11_object_t *pubrsa;
pk11_context_t *pk11_ctx = NULL;
isc_result_t ret;
+ unsigned int bits;
if (label == NULL)
return (DST_R_NOENGINE);
@@ -1829,7 +1844,11 @@ pkcs11rsa_fetch(dst_key_t *key, const char *engine, const char *label,
attr = pk11_attribute_bytype(rsa, CKA_MODULUS);
INSIST(attr != NULL);
- key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
+ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
+ if (ret != ISC_R_SUCCESS) {
+ goto err;
+ }
+ key->key_size = bits;
return (ISC_R_SUCCESS);
@@ -1915,6 +1934,7 @@ pkcs11rsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
CK_ATTRIBUTE *attr;
isc_mem_t *mctx = key->mctx;
const char *engine = NULL, *label = NULL;
+ unsigned int bits;
/* read private key file */
ret = dst__privstruct_parse(key, DST_ALG_RSA, lexer, mctx, &priv);
@@ -2058,12 +2078,22 @@ pkcs11rsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
attr = pk11_attribute_bytype(rsa, CKA_MODULUS);
INSIST(attr != NULL);
- key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
+ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
+ if (ret != ISC_R_SUCCESS) {
+ goto err;
+ }
+ key->key_size = bits;
attr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT);
INSIST(attr != NULL);
- if (pk11_numbits(attr->pValue, attr->ulValueLen) > RSA_MAX_PUBEXP_BITS)
+
+ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
+ if (ret != ISC_R_SUCCESS) {
+ goto err;
+ }
+ if (bits > RSA_MAX_PUBEXP_BITS) {
DST_RET(ISC_R_RANGE);
+ }
dst__privstruct_free(&priv, mctx);
isc_safe_memwipe(&priv, sizeof(priv));
@@ -2098,6 +2128,7 @@ pkcs11rsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
pk11_context_t *pk11_ctx = NULL;
isc_result_t ret;
unsigned int i;
+ unsigned int bits;
UNUSED(pin);
@@ -2192,12 +2223,22 @@ pkcs11rsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
attr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT);
INSIST(attr != NULL);
- if (pk11_numbits(attr->pValue, attr->ulValueLen) > RSA_MAX_PUBEXP_BITS)
+
+ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
+ if (ret != ISC_R_SUCCESS) {
+ goto err;
+ }
+ if (bits > RSA_MAX_PUBEXP_BITS) {
DST_RET(ISC_R_RANGE);
+ }
attr = pk11_attribute_bytype(rsa, CKA_MODULUS);
INSIST(attr != NULL);
- key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
+ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
+ if (ret != ISC_R_SUCCESS) {
+ goto err;
+ }
+ key->key_size = bits;
pk11_return_session(pk11_ctx);
isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
diff --git a/lib/isc/include/pk11/internal.h b/lib/isc/include/pk11/internal.h
index 603712a..b9680bc 100644
--- a/lib/isc/include/pk11/internal.h
+++ b/lib/isc/include/pk11/internal.h
@@ -27,7 +27,8 @@ void pk11_mem_put(void *ptr, size_t size);
CK_SLOT_ID pk11_get_best_token(pk11_optype_t optype);
-unsigned int pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt);
+isc_result_t
+pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt, unsigned int *bits);
CK_ATTRIBUTE *pk11_attribute_first(const pk11_object_t *obj);
diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c
index 4b85527..9c450da 100644
--- a/lib/isc/pk11.c
+++ b/lib/isc/pk11.c
@@ -982,13 +982,15 @@ pk11_get_best_token(pk11_optype_t optype) {
return (token->slotid);
}
-unsigned int
-pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt) {
+isc_result_t
+pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt, unsigned int *bits) {
unsigned int bitcnt, i;
CK_BYTE top;
- if (bytecnt == 0)
- return (0);
+ if (bytecnt == 0) {
+ *bits = 0;
+ return (ISC_R_SUCCESS);
+ }
bitcnt = bytecnt * 8;
for (i = 0; i < bytecnt; i++) {
top = data[i];
@@ -996,26 +998,41 @@ pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt) {
bitcnt -= 8;
continue;
}
- if (top & 0x80)
- return (bitcnt);
- if (top & 0x40)
- return (bitcnt - 1);
- if (top & 0x20)
- return (bitcnt - 2);
- if (top & 0x10)
- return (bitcnt - 3);
- if (top & 0x08)
- return (bitcnt - 4);
- if (top & 0x04)
- return (bitcnt - 5);
- if (top & 0x02)
- return (bitcnt - 6);
- if (top & 0x01)
- return (bitcnt - 7);
+ if (top & 0x80) {
+ *bits = bitcnt;
+ return (ISC_R_SUCCESS);
+ }
+ if (top & 0x40) {
+ *bits = bitcnt - 1;
+ return (ISC_R_SUCCESS);
+ }
+ if (top & 0x20) {
+ *bits = bitcnt - 2;
+ return (ISC_R_SUCCESS);
+ }
+ if (top & 0x10) {
+ *bits = bitcnt - 3;
+ return (ISC_R_SUCCESS);
+ }
+ if (top & 0x08) {
+ *bits = bitcnt - 4;
+ return (ISC_R_SUCCESS);
+ }
+ if (top & 0x04) {
+ *bits = bitcnt - 5;
+ return (ISC_R_SUCCESS);
+ }
+ if (top & 0x02) {
+ *bits = bitcnt - 6;
+ return (ISC_R_SUCCESS);
+ }
+ if (top & 0x01) {
+ *bits = bitcnt - 7;
+ return (ISC_R_SUCCESS);
+ }
break;
}
- INSIST(0);
- ISC_UNREACHABLE();
+ return (ISC_R_RANGE);
}
CK_ATTRIBUTE *
--
2.26.2

@ -0,0 +1,152 @@
From 221fb11e658e7dea1be6dbfd25e149f2d131e4fb Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Wed, 29 Jul 2020 23:36:03 +1000
Subject: [PATCH] Add a test for update-policy 'subdomain'
The new test checks that 'update-policy subdomain' is properly enforced.
(cherry picked from commit 393e8f643c02215fa4e6d4edf67be7d77085da0e)
Add a test for update-policy 'zonesub'
The new test checks that 'update-policy zonesub' is properly enforced.
(cherry picked from commit 58e560beb50873c699f3431cf57e215dc645d7aa)
---
bin/tests/system/nsupdate/ns1/named.conf.in | 12 +++++
bin/tests/system/nsupdate/tests.sh | 60 +++++++++++++++++++--
2 files changed, 68 insertions(+), 4 deletions(-)
diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in
index 26b6b7c9ab..540a984842 100644
--- a/bin/tests/system/nsupdate/ns1/named.conf.in
+++ b/bin/tests/system/nsupdate/ns1/named.conf.in
@@ -36,6 +36,16 @@ key altkey {
secret "1234abcd8765";
};
+key restricted.example.nil {
+ algorithm hmac-md5;
+ secret "1234abcd8765";
+};
+
+key zonesub-key.example.nil {
+ algorithm hmac-md5;
+ secret "1234subk8765";
+};
+
include "ddns.key";
zone "example.nil" {
@@ -44,7 +54,9 @@ zone "example.nil" {
check-integrity no;
check-mx ignore;
update-policy {
+ grant zonesub-key.example.nil zonesub TXT;
grant ddns-key.example.nil subdomain example.nil ANY;
+ grant restricted.example.nil subdomain restricted.example.nil ANY;
};
allow-transfer { any; };
};
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
index b08c5220e7..5f09e8c5bf 100755
--- a/bin/tests/system/nsupdate/tests.sh
+++ b/bin/tests/system/nsupdate/tests.sh
@@ -428,7 +428,7 @@ EOF
# this also proves that the server is still running.
$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocmd +norec example.\
@10.53.0.3 nsec3param > dig.out.ns3.$n || ret=1
-grep "ANSWER: 0" dig.out.ns3.$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.ns3.$n > /dev/null || ret=1
grep "flags:[^;]* aa[ ;]" dig.out.ns3.$n > /dev/null || ret=1
[ $ret = 0 ] || { echo_i "failed"; status=1; }
@@ -443,7 +443,7 @@ EOF
$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocmd +norec nsec3param.test.\
@10.53.0.3 nsec3param > dig.out.ns3.$n || ret=1
-grep "ANSWER: 1" dig.out.ns3.$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns3.$n > /dev/null || ret=1
grep "3600.*NSEC3PARAM" dig.out.ns3.$n > /dev/null || ret=1
grep "flags:[^;]* aa[ ;]" dig.out.ns3.$n > /dev/null || ret=1
[ $ret = 0 ] || { echo_i "failed"; status=1; }
@@ -460,7 +460,7 @@ EOF
_ret=1
for i in 0 1 2 3 4 5 6 7 8 9; do
$DIG $DIGOPTS +tcp +norec +time=1 +tries=1 @10.53.0.3 nsec3param.test. NSEC3PARAM > dig.out.ns3.$n || _ret=1
- if grep "ANSWER: 2" dig.out.ns3.$n > /dev/null; then
+ if grep "ANSWER: 2," dig.out.ns3.$n > /dev/null; then
_ret=0
break
fi
@@ -485,7 +485,7 @@ EOF
_ret=1
for i in 0 1 2 3 4 5 6 7 8 9; do
$DIG $DIGOPTS +tcp +norec +time=1 +tries=1 @10.53.0.3 nsec3param.test. NSEC3PARAM > dig.out.ns3.$n || _ret=1
- if grep "ANSWER: 1" dig.out.ns3.$n > /dev/null; then
+ if grep "ANSWER: 1," dig.out.ns3.$n > /dev/null; then
_ret=0
break
fi
@@ -631,6 +631,58 @@ then
echo_i "failed"; status=1
fi
+n=`expr $n + 1`
+ret=0
+echo_i "check that 'update-policy subdomain' is properly enforced ($n)"
+# "restricted.example.nil" matches "grant ... subdomain restricted.example.nil"
+# and thus this UPDATE should succeed.
+$NSUPDATE -d <<END > nsupdate.out1-$n 2>&1 || ret=1
+server 10.53.0.1 ${PORT}
+key restricted.example.nil 1234abcd8765
+update add restricted.example.nil 0 IN TXT everywhere.
+send
+END
+$DIG $DIGOPTS +tcp @10.53.0.1 restricted.example.nil TXT > dig.out.1.test$n || ret=1
+grep "TXT.*everywhere" dig.out.1.test$n > /dev/null || ret=1
+# "example.nil" does not match "grant ... subdomain restricted.example.nil" and
+# thus this UPDATE should fail.
+$NSUPDATE -d <<END > nsupdate.out2-$n 2>&1 && ret=1
+server 10.53.0.1 ${PORT}
+key restricted.example.nil 1234abcd8765
+update add example.nil 0 IN TXT everywhere.
+send
+END
+$DIG $DIGOPTS +tcp @10.53.0.1 example.nil TXT > dig.out.2.test$n || ret=1
+grep "TXT.*everywhere" dig.out.2.test$n > /dev/null && ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=`expr $n + 1`
+ret=0
+echo_i "check that 'update-policy zonesub' is properly enforced ($n)"
+# grant zonesub-key.example.nil zonesub TXT;
+# the A record update should be rejected as it is not in the type list
+$NSUPDATE -d <<END > nsupdate.out1-$n 2>&1 && ret=1
+server 10.53.0.1 ${PORT}
+key zonesub-key.example.nil 1234subk8765
+update add zonesub.example.nil 0 IN A 1.2.3.4
+send
+END
+$DIG $DIGOPTS +tcp @10.53.0.1 zonesub.example.nil A > dig.out.1.test$n || ret=1
+grep "status: REFUSED" nsupdate.out1-$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.1.test$n > /dev/null || ret=1
+# the TXT record update should be accepted as it is in the type list
+$NSUPDATE -d <<END > nsupdate.out2-$n 2>&1 || ret=1
+server 10.53.0.1 ${PORT}
+key zonesub-key.example.nil 1234subk8765
+update add zonesub.example.nil 0 IN TXT everywhere.
+send
+END
+$DIG $DIGOPTS +tcp @10.53.0.1 zonesub.example.nil TXT > dig.out.2.test$n || ret=1
+grep "status: REFUSED" nsupdate.out2-$n > /dev/null && ret=1
+grep "ANSWER: 1," dig.out.2.test$n > /dev/null || ret=1
+grep "TXT.*everywhere" dig.out.2.test$n > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
n=`expr $n + 1`
ret=0
echo_i "check that changes to the DNSKEY RRset TTL do not have side effects ($n)"
--
2.26.2

@ -0,0 +1,32 @@
From e2aae621408c7622d094f13a67b928f911a2793b Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Tue, 18 Aug 2020 10:55:50 +0200
Subject: [PATCH] Fix CVE-2020-8624
5481. [security] "update-policy" rules of type "subdomain" were
incorrectly treated as "zonesub" rules, which allowed
keys used in "subdomain" rules to update names outside
of the specified subdomains. The problem was fixed by
making sure "subdomain" rules are again processed as
described in the ARM. (CVE-2020-8624) [GL #2055]
---
bin/named/zoneconf.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
index 55f191b..b77a07c 100644
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@@ -239,7 +239,8 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone,
str = cfg_obj_asstring(matchtype);
CHECK(dns_ssu_mtypefromstring(str, &mtype));
- if (mtype == dns_ssumatchtype_subdomain) {
+ if (mtype == dns_ssumatchtype_subdomain &&
+ strcasecmp(str, "zonesub") == 0) {
usezone = true;
}
--
2.26.2

@ -1,35 +0,0 @@
diff --git a/export-libs/Makefile b/export-libs/Makefile
index df15ea8..13f416b 100644
--- a/export-libs/Makefile
+++ b/export-libs/Makefile
@@ -404,20 +404,18 @@ installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1
install:: isc-config.sh installdirs
- ${INSTALL_SCRIPT} isc-config.sh ${DESTDIR}${bindir}
- rm -f ${DESTDIR}${bindir}/bind9-config
- ln ${DESTDIR}${bindir}/isc-config.sh ${DESTDIR}${bindir}/bind9-config
- ${INSTALL_DATA} ${top_srcdir}/isc-config.sh.1 ${DESTDIR}${mandir}/man1
- rm -f ${DESTDIR}${mandir}/man1/bind9-config.1
- ln ${DESTDIR}${mandir}/man1/isc-config.sh.1 ${DESTDIR}${mandir}/man1/bind9-config.1
- ${INSTALL_DATA} ${top_srcdir}/bind.keys ${DESTDIR}${sysconfdir}
+ ${INSTALL_SCRIPT} isc-config.sh ${DESTDIR}${bindir}/isc-export-config.sh
+ rm -f ${DESTDIR}${bindir}/bind9-export-config
+ ln ${DESTDIR}${bindir}/isc-export-config.sh ${DESTDIR}${bindir}/bind9-export-config
+ ${INSTALL_DATA} ${top_srcdir}/isc-config.sh.1 ${DESTDIR}${mandir}/man1/isc-export-config.sh.1
+ rm -f ${DESTDIR}${mandir}/man1/bind9-export-config.1
+ ln ${DESTDIR}${mandir}/man1/isc-export-config.sh.1 ${DESTDIR}${mandir}/man1/bind9-export-config.1
uninstall::
- rm -f ${DESTDIR}${sysconfdir}/bind.keys
- rm -f ${DESTDIR}${mandir}/man1/bind9-config.1
- rm -f ${DESTDIR}${mandir}/man1/isc-config.sh.1
- rm -f ${DESTDIR}${bindir}/bind9-config
- rm -f ${DESTDIR}${bindir}/isc-config.sh
+ rm -f ${DESTDIR}${mandir}/man1/bind9-export-config.1
+ rm -f ${DESTDIR}${mandir}/man1/isc-export-config.sh.1
+ rm -f ${DESTDIR}${bindir}/bind9-export-config
+ rm -f ${DESTDIR}${bindir}/isc-export-config.sh
tags:
rm -f TAGS

@ -1,4 +1,4 @@
From eb38d2278937ec3fe45d0af30cd080953bbb5b54 Mon Sep 17 00:00:00 2001
From a9b5785f174cf7fd74891fa64f6b69b9a9b55466 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Tue, 2 Jan 2018 18:13:07 +0100
Subject: [PATCH] Fix pkcs11 variants atf tests
@ -16,10 +16,10 @@ Add pkcs11 Kyuafile, fix dh_test to pass in pkcs11 mode
6 files changed, 38 insertions(+), 16 deletions(-)
diff --git a/configure.ac b/configure.ac
index 0532feb..a83ddd5 100644
index 62ecf56..0940a7d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -5578,6 +5578,7 @@ AC_CONFIG_FILES([
@@ -5476,6 +5476,7 @@ AC_CONFIG_FILES([
lib/dns-pkcs11/include/Makefile
lib/dns-pkcs11/include/dns/Makefile
lib/dns-pkcs11/include/dst/Makefile
@ -43,13 +43,13 @@ index 7c8bab0..eec9564 100644
include('isccfg/Kyuafile')
include('lwres/Kyuafile')
diff --git a/lib/dns-pkcs11/tests/Makefile.in b/lib/dns-pkcs11/tests/Makefile.in
index 7671e1d..e237d5c 100644
index 22a06a8..5df5b15 100644
--- a/lib/dns-pkcs11/tests/Makefile.in
+++ b/lib/dns-pkcs11/tests/Makefile.in
@@ -17,12 +17,12 @@ VERSION=@BIND9_VERSION@
CINCLUDES = -I. -Iinclude ${DNS_INCLUDES} ${ISC_INCLUDES} \
@DST_OPENSSL_INC@
@DST_OPENSSL_INC@ ${MAXMINDDB_CFLAGS}
-CDEFINES = @CRYPTO@ -DTESTS="\"${top_builddir}/lib/dns/tests/\""
+CDEFINES = @CRYPTO_PK11@ -DTESTS="\"${top_builddir}/lib/dns-pkcs11/tests/\""
@ -65,10 +65,10 @@ index 7671e1d..e237d5c 100644
LIBS = @LIBS@ @CMOCKA_LIBS@
CFLAGS = @CFLAGS@ @CMOCKA_CFLAGS@
diff --git a/lib/dns-pkcs11/tests/dh_test.c b/lib/dns-pkcs11/tests/dh_test.c
index 4dbfd82..a383b8e 100644
index a5bf46c..9ff2b76 100644
--- a/lib/dns-pkcs11/tests/dh_test.c
+++ b/lib/dns-pkcs11/tests/dh_test.c
@@ -86,7 +86,8 @@ dh_computesecret(void **state) {
@@ -88,7 +88,8 @@ dh_computesecret(void **state) {
result = dst_key_computesecret(key, key, &buf);
assert_int_equal(result, DST_R_NOTPRIVATEKEY);
result = key->func->computesecret(key, key, &buf);
@ -79,7 +79,7 @@ index 4dbfd82..a383b8e 100644
dst_key_free(&key);
}
diff --git a/lib/isc-pkcs11/tests/Makefile.in b/lib/isc-pkcs11/tests/Makefile.in
index 2fdee0b..a263b35 100644
index 36d2207..00dfbc9 100644
--- a/lib/isc-pkcs11/tests/Makefile.in
+++ b/lib/isc-pkcs11/tests/Makefile.in
@@ -16,10 +16,10 @@ VERSION=@BIND9_VERSION@
@ -97,10 +97,10 @@ index 2fdee0b..a263b35 100644
LIBS = @LIBS@ @CMOCKA_LIBS@
CFLAGS = @CFLAGS@ @CMOCKA_CFLAGS@
diff --git a/lib/isc-pkcs11/tests/hash_test.c b/lib/isc-pkcs11/tests/hash_test.c
index 9c4d299..d9deba2 100644
index 4fafc38..5eb2be2 100644
--- a/lib/isc-pkcs11/tests/hash_test.c
+++ b/lib/isc-pkcs11/tests/hash_test.c
@@ -85,7 +85,7 @@ typedef struct hash_testcase {
@@ -84,7 +84,7 @@ typedef struct hash_testcase {
typedef struct hash_test_key {
const char *key;
@ -109,7 +109,7 @@ index 9c4d299..d9deba2 100644
} hash_test_key_t;
/* non-hmac tests */
@@ -956,8 +956,11 @@ isc_hmacsha1_test(void **state) {
@@ -955,8 +955,11 @@ isc_hmacsha1_test(void **state) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
@ -122,7 +122,7 @@ index 9c4d299..d9deba2 100644
isc_hmacsha1_update(&hmacsha1,
(const uint8_t *) testcase->input,
testcase->input_len);
@@ -1116,8 +1119,11 @@ isc_hmacsha224_test(void **state) {
@@ -1115,8 +1118,11 @@ isc_hmacsha224_test(void **state) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
@ -135,7 +135,7 @@ index 9c4d299..d9deba2 100644
isc_hmacsha224_update(&hmacsha224,
(const uint8_t *) testcase->input,
testcase->input_len);
@@ -1277,8 +1283,11 @@ isc_hmacsha256_test(void **state) {
@@ -1276,8 +1282,11 @@ isc_hmacsha256_test(void **state) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
@ -148,7 +148,7 @@ index 9c4d299..d9deba2 100644
isc_hmacsha256_update(&hmacsha256,
(const uint8_t *) testcase->input,
testcase->input_len);
@@ -1444,8 +1453,11 @@ isc_hmacsha384_test(void **state) {
@@ -1443,8 +1452,11 @@ isc_hmacsha384_test(void **state) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
@ -161,7 +161,7 @@ index 9c4d299..d9deba2 100644
isc_hmacsha384_update(&hmacsha384,
(const uint8_t *) testcase->input,
testcase->input_len);
@@ -1611,8 +1623,11 @@ isc_hmacsha512_test(void **state) {
@@ -1610,8 +1622,11 @@ isc_hmacsha512_test(void **state) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
@ -174,7 +174,7 @@ index 9c4d299..d9deba2 100644
isc_hmacsha512_update(&hmacsha512,
(const uint8_t *) testcase->input,
testcase->input_len);
@@ -1755,8 +1770,11 @@ isc_hmacmd5_test(void **state) {
@@ -1754,8 +1769,11 @@ isc_hmacmd5_test(void **state) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
@ -188,5 +188,5 @@ index 9c4d299..d9deba2 100644
(const uint8_t *) testcase->input,
testcase->input_len);
--
2.20.1
2.21.1

@ -1,4 +1,4 @@
From 76594cba9a1e910bb36160d96fc3872349341799 Mon Sep 17 00:00:00 2001
From f27598743ab6e03271e26f23da4beba748d19c60 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
Date: Wed, 25 Apr 2018 14:04:31 +0200
Subject: [PATCH] Replace isc_safe routines with their OpenSSL counter parts
@ -24,10 +24,10 @@ Fix the isc_safe_memwipe() usage with (NULL, >0)
delete mode 100644 lib/isc/safe.c
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index 6ddaebe..d921870 100644
index 6dded0c..a9c5557 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -787,7 +787,7 @@ hashlist_add_dns_name(hashlist_t *l, /*const*/ dns_name_t *name,
@@ -784,7 +784,7 @@ hashlist_add_dns_name(hashlist_t *l, /*const*/ dns_name_t *name,
static int
hashlist_comp(const void *a, const void *b) {
@ -81,7 +81,7 @@ index ad77f24..670982a 100644
/* accept_sec_context.c */
diff --git a/lib/isc/Makefile.in b/lib/isc/Makefile.in
index 0fd0837..8ad54bb 100644
index 149552a..8529a86 100644
--- a/lib/isc/Makefile.in
+++ b/lib/isc/Makefile.in
@@ -60,7 +60,7 @@ OBJS = @ISC_EXTRA_OBJS@ @ISC_PK11_O@ @ISC_PK11_RESULT_O@ \
@ -91,7 +91,7 @@ index 0fd0837..8ad54bb 100644
- safe.@O@ serial.@O@ siphash.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \
+ serial.@O@ siphash.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \
string.@O@ strtoul.@O@ symtab.@O@ task.@O@ taskpool.@O@ \
tm.@O@ timer.@O@ version.@O@ \
tm.@O@ timer.@O@ utf8.@O@ version.@O@ \
${UNIXOBJS} ${NLSOBJS} ${THREADOBJS}
@@ -79,7 +79,7 @@ SRCS = @ISC_EXTRA_SRCS@ @ISC_PK11_C@ @ISC_PK11_RESULT_C@ \
netaddr.c netscope.c pool.c ondestroy.c \
@ -100,7 +100,7 @@ index 0fd0837..8ad54bb 100644
- safe.c serial.c siphash.c sha1.c sha2.c sockaddr.c stats.c string.c \
+ serial.c siphash.c sha1.c sha2.c sockaddr.c stats.c string.c \
strtoul.c symtab.c task.c taskpool.c timer.c \
tm.c version.c
tm.c utf8.c version.c
@@ -95,10 +95,6 @@ TESTDIRS = @UNITTESTS@
@ -284,5 +284,5 @@ index 266ac75..60e9181 100644
return (cmocka_run_group_tests(tests, NULL, NULL));
--
2.20.1
2.26.2

@ -1,65 +0,0 @@
From f9a37643528dc83b981156d0a1cf52e3d9a38322 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org>
Date: Mon, 2 Dec 2019 15:15:06 +0100
Subject: [PATCH] Fix GeoIP2 memory leak upon reconfiguration
Loaded GeoIP2 databases are only released when named is shut down, but
not during server reconfiguration. This causes memory to be leaked
every time "rndc reconfig" or "rndc reload" is used, as long as any
GeoIP2 database is in use. Fix by releasing any loaded GeoIP2 databases
before reloading them. Do not call dns_geoip_shutdown() until server
shutdown as that function releases the memory context used for caching
GeoIP2 lookup results.
(cherry picked from commit 670afbe84a87e202fa795079d9d6d1639bcf391d)
(cherry picked from commit 95a5589fa2ac3956fecfef780158a2745718c860)
---
bin/named/geoip.c | 2 --
bin/named/server.c | 6 ++++++
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/bin/named/geoip.c b/bin/named/geoip.c
index d560f8fbcf..0b11f6b803 100644
--- a/bin/named/geoip.c
+++ b/bin/named/geoip.c
@@ -243,6 +243,4 @@ ns_geoip_shutdown(void) {
ns_g_geoip->domain = NULL;
}
#endif /* HAVE_GEOIP2 */
-
- dns_geoip_shutdown();
}
diff --git a/bin/named/server.c b/bin/named/server.c
index ebe7ad4702..4d7d2210ff 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -72,6 +72,7 @@
#include <dns/events.h>
#include <dns/forward.h>
#include <dns/fixedname.h>
+#include <dns/geoip.h>
#include <dns/journal.h>
#include <dns/keytable.h>
#include <dns/keyvalues.h>
@@ -7684,6 +7685,10 @@ load_configuration(const char *filename, ns_server_t *server,
isc__socketmgr_setreserved(ns_g_socketmgr, reserved);
#if defined(HAVE_GEOIP) || defined(HAVE_GEOIP2)
+ /*
+ * Release any previously opened GeoIP2 databases.
+ */
+ ns_geoip_shutdown();
/*
* Initialize GeoIP databases from the configured location.
* This should happen before configuring any ACLs, so that we
@@ -9030,6 +9035,7 @@ shutdown_server(isc_task_t *task, isc_event_t *event) {
#endif
#if defined(HAVE_GEOIP) || defined(HAVE_GEOIP2)
ns_geoip_shutdown();
+ dns_geoip_shutdown();
#endif /* HAVE_GEOIP || HAVE_GEOIP2 */
dns_db_detach(&server->in_roothints);
--
2.21.1

@ -0,0 +1,31 @@
From 30753514ac06111da5b677fe7cdbafd696b1d620 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Wed, 22 Jul 2020 18:55:02 +0200
Subject: [PATCH] Prevent crash on dst initialization failure
server might be created, but not yet fully initialized, when fatal
function is called. Check both server and task before attaching
exclusive task.
(cherry picked from commit c5e7152cf04f75d0fe00163f076f4cc3cafce259)
(cherry picked from commit 35fbfaa4981333286437f26557db26863d4c5299)
---
bin/named/server.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bin/named/server.c b/bin/named/server.c
index 3cd8daf99e..38780ad3d7 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -9341,7 +9341,7 @@ ns_server_destroy(ns_server_t **serverp) {
static void
fatal(ns_server_t *server, const char *msg, isc_result_t result) {
- if (server != NULL) {
+ if (server != NULL && server->task != NULL) {
/*
* Prevent races between the OpenSSL on_exit registered
* function and any other OpenSSL calls from other tasks
--
2.26.2

@ -1,90 +0,0 @@
From 7e2d9531a79d289ee99dd436da14efb6d9a505fc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Wed, 3 Jun 2020 14:42:11 +0200
Subject: [PATCH] Change the invalid CIDR from parser error to warning
In [RT #43367], the BIND 9 changed the strictness of address / prefix
length checks:
Check prefixes in acls to make sure the address and
prefix lengths are consistent. Warn only in
BIND 9.11 and earlier.
Unfortunately, a regression slipped in and the check was made an error
also in the BIND 9.11. This commit fixes the regression, but turning
the error into a warning.
---
bin/tests/system/checkconf/tests.sh | 9 +++++++++
...conf => warn-address-prefix-length-mismatch.conf} | 12 ++++++++++--
lib/isccfg/parser.c | 9 ---------
util/copyrights | 2 +-
4 files changed, 20 insertions(+), 12 deletions(-)
rename bin/tests/system/checkconf/{bad-ipv4-prefix-dotted2.conf => warn-address-prefix-length-mismatch.conf} (70%)
diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh
index 85fb4839e9..d2b0daa35c 100644
--- a/bin/tests/system/checkconf/tests.sh
+++ b/bin/tests/system/checkconf/tests.sh
@@ -386,6 +386,15 @@ grep "dlv.isc.org has been shut down" < checkconf.out$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
status=`expr $status + $ret`
+n=`expr $n + 1`
+echo_i "check that invalid address/prefix length generates a warning ($n)"
+ret=0
+$CHECKCONF warn-address-prefix-length-mismatch.conf > checkconf.out$n 2>/dev/null || ret=1
+LINES=$(grep -c "address/prefix length mismatch" < checkconf.out$n) || ret=1
+[ "$LINES" -eq 8 ] || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
+status=`expr $status + $ret`
+
n=`expr $n + 1`
echo_i "check that 'dnssec-lookaside . trust-anchor dlv.example.com;' doesn't generates a warning ($n)"
ret=0
diff --git a/bin/tests/system/checkconf/bad-ipv4-prefix-dotted2.conf b/bin/tests/system/checkconf/warn-address-prefix-length-mismatch.conf
similarity index 70%
rename from bin/tests/system/checkconf/bad-ipv4-prefix-dotted2.conf
rename to bin/tests/system/checkconf/warn-address-prefix-length-mismatch.conf
index 2c768c7e1a..5e3bc3f6ee 100644
--- a/bin/tests/system/checkconf/bad-ipv4-prefix-dotted2.conf
+++ b/bin/tests/system/checkconf/warn-address-prefix-length-mismatch.conf
@@ -9,6 +9,14 @@
* information regarding copyright ownership.
*/
-acl myacl {
- 127.1/8; /* No-zero bits */
+zone example {
+ type master;
+ file "example.db";
+ auto-dnssec maintain;
+ allow-update {
+ 192.0.2.64/24;
+ 192.0.2.128/24;
+ 198.51.100.255/24;
+ 203.0.113.2/24;
+ };
};
diff --git a/lib/isccfg/parser.c b/lib/isccfg/parser.c
index e2af054661..44a1dfc37a 100644
--- a/lib/isccfg/parser.c
+++ b/lib/isccfg/parser.c
@@ -2634,15 +2634,6 @@ cfg_parse_netprefix(cfg_parser_t *pctx, const cfg_type_t *type,
"invalid prefix length");
return (ISC_R_RANGE);
}
- result = isc_netaddr_prefixok(&netaddr, prefixlen);
- if (result != ISC_R_SUCCESS) {
- char buf[ISC_NETADDR_FORMATSIZE + 1];
- isc_netaddr_format(&netaddr, buf, sizeof(buf));
- cfg_parser_error(pctx, CFG_LOG_NOPREP,
- "'%s/%u': address/prefix length "
- "mismatch", buf, prefixlen);
- return (ISC_R_FAILURE);
- }
} else {
if (expectprefix) {
cfg_parser_error(pctx, CFG_LOG_NEAR,
--
GitLab

@ -1,4 +1,4 @@
From 7e61714a5d1509ec79af42391e41eb1afc53063a Mon Sep 17 00:00:00 2001
From 5c29299e43db5a4e6f8b1b07af84dfe1687c4c2b Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Tue, 12 Sep 2017 19:05:46 -0700
Subject: [PATCH] rebased rt31459c
@ -71,10 +71,10 @@ index 5015abb..295e16f 100644
&entropy_source,
randomfile,
diff --git a/bin/dnssec/dnssec-dsfromkey.c b/bin/dnssec/dnssec-dsfromkey.c
index 2c0c308..3e585af 100644
index d9d6bb9..de4b15f 100644
--- a/bin/dnssec/dnssec-dsfromkey.c
+++ b/bin/dnssec/dnssec-dsfromkey.c
@@ -494,14 +494,14 @@ main(int argc, char **argv) {
@@ -498,14 +498,14 @@ main(int argc, char **argv) {
if (ectx == NULL)
setup_entropy(mctx, NULL, &ectx);
@ -92,7 +92,7 @@ index 2c0c308..3e585af 100644
isc_entropy_stopcallbacksources(ectx);
setup_logging(mctx, &log);
@@ -571,8 +571,8 @@ main(int argc, char **argv) {
@@ -574,8 +574,8 @@ main(int argc, char **argv) {
if (dns_rdataset_isassociated(&rdataset))
dns_rdataset_disassociate(&rdataset);
cleanup_logging(&log);
@ -103,10 +103,10 @@ index 2c0c308..3e585af 100644
dns_name_destroy();
if (verbose > 10)
diff --git a/bin/dnssec/dnssec-importkey.c b/bin/dnssec/dnssec-importkey.c
index 0d1e7f8..79c4d74 100644
index d65a514..04b3094 100644
--- a/bin/dnssec/dnssec-importkey.c
+++ b/bin/dnssec/dnssec-importkey.c
@@ -407,14 +407,14 @@ main(int argc, char **argv) {
@@ -404,14 +404,14 @@ main(int argc, char **argv) {
if (ectx == NULL)
setup_entropy(mctx, NULL, &ectx);
@ -124,7 +124,7 @@ index 0d1e7f8..79c4d74 100644
isc_entropy_stopcallbacksources(ectx);
setup_logging(mctx, &log);
@@ -458,8 +458,8 @@ main(int argc, char **argv) {
@@ -455,8 +455,8 @@ main(int argc, char **argv) {
if (dns_rdataset_isassociated(&rdataset))
dns_rdataset_disassociate(&rdataset);
cleanup_logging(&log);
@ -167,10 +167,10 @@ index 7d82dbf..10f9359 100644
if (verbose > 10)
isc_mem_stats(mctx, stdout);
diff --git a/bin/dnssec/dnssec-settime.c b/bin/dnssec/dnssec-settime.c
index f355903..6a2ca59 100644
index 7afcaee..1cfa511 100644
--- a/bin/dnssec/dnssec-settime.c
+++ b/bin/dnssec/dnssec-settime.c
@@ -382,14 +382,14 @@ main(int argc, char **argv) {
@@ -380,14 +380,14 @@ main(int argc, char **argv) {
if (ectx == NULL)
setup_entropy(mctx, NULL, &ectx);
@ -188,7 +188,7 @@ index f355903..6a2ca59 100644
isc_entropy_stopcallbacksources(ectx);
if (predecessor != NULL) {
@@ -674,8 +674,8 @@ main(int argc, char **argv) {
@@ -672,8 +672,8 @@ main(int argc, char **argv) {
if (prevkey != NULL)
dst_key_free(&prevkey);
dst_key_free(&key);
@ -199,7 +199,7 @@ index f355903..6a2ca59 100644
if (verbose > 10)
isc_mem_stats(mctx, stdout);
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index c6a0313..6ddaebe 100644
index 319a805..27ae4d4 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -3460,14 +3460,15 @@ main(int argc, char *argv[]) {
@ -257,7 +257,7 @@ index 4c293bf..3263cbc 100644
rdclass = strtoclass(classname);
diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c
index fbc7ece..31a99e7 100644
index 618ec5b..5654435 100644
--- a/bin/dnssec/dnssectool.c
+++ b/bin/dnssec/dnssectool.c
@@ -34,6 +34,7 @@
@ -293,7 +293,7 @@ index fbc7ece..31a99e7 100644
usekeyboard);
diff --git a/bin/named/server.c b/bin/named/server.c
index 7d85d3b..c782073 100644
index 4e503e5..f27071f 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -36,6 +36,7 @@
@ -304,7 +304,7 @@ index 7d85d3b..c782073 100644
#include <isc/portset.h>
#include <isc/print.h>
#include <isc/random.h>
@@ -8211,6 +8212,10 @@ load_configuration(const char *filename, ns_server_t *server,
@@ -8217,6 +8218,10 @@ load_configuration(const char *filename, ns_server_t *server,
"no source of entropy found");
} else {
const char *randomdev = cfg_obj_asstring(obj);
@ -315,7 +315,7 @@ index 7d85d3b..c782073 100644
int level = ISC_LOG_ERROR;
result = isc_entropy_createfilesource(ns_g_entropy,
randomdev);
@@ -8245,6 +8250,7 @@ load_configuration(const char *filename, ns_server_t *server,
@@ -8251,6 +8256,7 @@ load_configuration(const char *filename, ns_server_t *server,
}
isc_entropy_detach(&ns_g_fallbackentropy);
}
@ -688,7 +688,7 @@ index bf6dbb6..0416b21 100644
parse_args(false, argc, argv);
if (server == NULL)
diff --git a/configure b/configure
index ed002e0..a578874 100755
index 6d05371..33689c9 100755
--- a/configure
+++ b/configure
@@ -640,6 +640,7 @@ ac_includes_default="\
@ -699,7 +699,7 @@ index ed002e0..a578874 100755
BUILD_LIBS
BUILD_LDFLAGS
BUILD_CPPFLAGS
@@ -821,6 +822,7 @@ XMLSTATS
@@ -823,6 +824,7 @@ LIBXML2_CFLAGS
NZDTARGETS
NZDSRCS
NZD_TOOLS
@ -707,7 +707,7 @@ index ed002e0..a578874 100755
PKCS11_TEST
PKCS11_ED25519
PKCS11_GOST
@@ -1045,6 +1047,7 @@ with_eddsa
@@ -1047,6 +1049,7 @@ with_eddsa
with_aes
enable_openssl_hash
with_cc_alg
@ -715,7 +715,7 @@ index ed002e0..a578874 100755
with_lmdb
with_libxml2
with_libjson
@@ -1744,6 +1747,7 @@ Optional Features:
@@ -1749,6 +1752,7 @@ Optional Features:
--enable-threads enable multithreading
--enable-native-pkcs11 use native PKCS11 for all crypto [default=no]
--enable-openssl-hash use OpenSSL for hash functions [default=no]
@ -723,7 +723,7 @@ index ed002e0..a578874 100755
--enable-largefile 64-bit file support
--enable-backtrace log stack backtrace on abort [default=yes]
--enable-symtable use internal symbol table for backtrace
@@ -17115,6 +17119,7 @@ case "$use_openssl" in
@@ -17144,6 +17148,7 @@ case "$use_openssl" in
$as_echo "disabled because of native PKCS11" >&6; }
DST_OPENSSL_INC=""